2390 files changed, 615247 insertions, 1506 deletions

diff --git a/crypto/README b/crypto/README
new file mode 100644
index 0000000..2d6b4e6
--- /dev/null
+++ b/crypto/README
@@ -0,0 +1,5 @@
+$FreeBSD$
+
+This directory is for the EXACT same use as src/contrib, except it
+holds crypto sources.  It is the result of an old USA law, which
+made these sources export controlled, so they had to be kept seperate.
diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog
new file mode 100644
index 0000000..b5d265e
--- /dev/null
+++ b/crypto/heimdal/ChangeLog
@@ -0,0 +1,5608 @@
+2000-02-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2p
+
+2000-02-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:1:0
+	
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure
+	that realms is filled in even when getaddrinfo fails or does not
+	return any canonical name
+
+	* kdc/connect.c (descr): add sockaddr and string representation
+	(*): re-write to use the above mentioned
+
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (krb5_parse_address): use
+	krb5_sockaddr2address to copy the result from getaddrinfo.
+
+2000-02-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2o
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:0:0
+
+	* kdc/kaserver.c (do_authenticate): return the kvno of the server
+	and not the client.  Thanks to Brandon S. Allbery KF8NH
+	<allbery@kf8nh.apk.net> and Chaskiel M Grundman
+	<cg2v@andrew.cmu.edu> for debugging.
+
+	* kdc/kerberos4.c (do_version4): if an tgs-req is received with an
+	old kvno, return an error reply and write a message in the log.
+	
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/gssapi_server.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/gssapi_client.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/common.c: add `--fork' / `-f' (only used by gssapi)
+
+2000-02-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc_locl.h: remove keyfile add explicit_addresses
+	* kdc/connect.c (init_sockets): pay attention to
+	explicit_addresses some more comments.  better error messages.
+	* kdc/config.c: add some comments.
+	remove --key-file.
+	add --addresses.
+
+	* lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use
+	proper abstraction
+
+2000-02-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/changepw.c: use roken_getaddrinfo_hostspec
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2n
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 8:0:0
+	* lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy
+	(krb5_kt_add_entry): set timestamp
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h: add macros for accessing krb5_realm
+	* lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead
+	of `int32_t'
+
+	* lib/krb5/replay.c (checksum_authenticator): update to new API
+	for md5
+
+	* lib/krb5/krb5.h: remove des.h, it's not needed and applications
+	should not have to make sure to find it.
+
+2000-02-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to
+	`out_key' to avoid conflicting with label.  reported by Sean Doran
+	<smd@ebone.net>
+
+2000-02-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/expand_hostname.c: remember to lower-case host names.
+	bug reported by <amu@mit.edu>
+
+	* kdc/kerberos4.c (do_version4): look at check_ticket_addresses
+	and emulate that by setting krb_ignore_ip_address (not a great
+	interface but it doesn't seem like the time to go around fixing
+	libkrb stuff now)
+
+2000-02-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: change --noaddresses into --no-addresses
+
+2000-01-28  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c (main): make sure the ticket is not
+	forwardable and not proxiable
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c: update to pseudo-standard APIs for
+	md4,md5,sha.  some changes to libdes calls to make them more
+	portable.
+
+2000-01-21  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to
+ 	clean up the correct creds.
+
+2000-01-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (append_component): change parameter to
+	`const char *'.  check malloc
+	* lib/krb5/principal.c (append_component, va_ext_princ, va_princ):
+	const-ize
+	* lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname'
+	const
+	* lib/krb5/principal.c (replace_chars): also add space here
+	* lib/krb5/principal.c: (quotable_chars): add space
+
+2000-01-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (do_version4): check if preauth was required and
+	bail-out if so since there's no way that could be done in v4.
+	Return NULL_KEY as an error to the client (which is non-obvious,
+	but what can you do?)
+
+2000-01-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname_realms
+	* lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new
+	variant of krb5_expand_hostname that tries until it expands into
+	something that's digestable by krb5_get_host_realm, returning also
+	the result from that function.
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2m
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN
+
+	* lib/krb5/Makefile.am: bump version to 7:1:0
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname being set in any of the addresses returnedby
+	getaddrinfo.  glibc apparently returns the reverse lookup of every
+	address in ai_canonname.
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2l
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 7:0:0
+	* lib/krb5/principal.c (krb5_sname_to_principal): remove `hp'
+
+	* lib/hdb/Makefile.am: set version to 4:1:1
+
+	* kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms'
+	* lib/krb5/get_in_tkt.c (add_padata): change types to make
+	everything work out
+	(krb5_get_in_cred): remove const to make types match
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle not
+	getting back a canonname
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2k
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that
+	we actually parse the port number.  based on a patch from Leif
+	Johansson <leifj@it.su.se>
+
+2000-01-02  Assar Westerlund  <assar@sics.se>
+
+	* admin/purge.c: remove all non-current and old entries from a
+	keytab
+
+	* admin: break up ktutil.c into files
+
+	* admin/ktutil.c (list): support --verbose (also listning time
+	stamps)
+	(kt_add, kt_get): set timestamp in newly created entries
+	(kt_change): add `change' command
+
+	* admin/srvconvert.c (srvconv): set timestamp in newly created
+	entries
+	* lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp,
+	always go the a predicatble position on error
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp
+	* lib/krb5/keytab_file.c (fkt_add_entry): store timestamp
+	(fkt_next_entry_int): return timestamp
+	* lib/krb5/krb5.h (krb5_keytab_entry): add timestamp
+
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): use `-ldes' in tests
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/print.c (event2string): handle events without principal.
+  	From Luke Howard <lukeh@PADL.COM>
+
+1999-12-25  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2j
+
+Tue Dec 21 18:03:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and
+ 	related systems
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2i
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1
+
+	* lib/krb5/send_to_kdc.c (send_via_proxy): free data
+	* lib/krb5/send_to_kdc.c (send_via_proxy): new function use
+	getaddrinfo instead of gethostbyname{,2}
+	* lib/krb5/get_for_creds.c: use getaddrinfo instead of
+	getnodebyname{,2}
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2h
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2g
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:2:1
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle
+	ai_canonname not being set
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname not being set
+
+	* appl/test/uu_server.c: print messages to stderr
+	* appl/test/tcp_server.c: print messages to stderr
+	* appl/test/nt_gss_server.c: print messages to stderr
+	* appl/test/gssapi_server.c: print messages to stderr
+
+	* appl/test/tcp_client.c (proto): remove shadowing `context'
+	* appl/test/common.c (client_doit): add forgotten ntohs
+
+1999-12-13  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERISON): bump to 0.2g-pre
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): be more
+ 	robust and handle extra dot at the beginning of default_domain
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2f
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:1:1
+	
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	`krb5_get_krb_changepw_hst'
+
+	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add
+
+	* lib/krb5/get_host_realm.c: add support for _kerberos.domain
+ 	(according to draft-ietf-cat-krb-dns-locate-01.txt)
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2e
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): use the correct
+ 	address
+
+	* lib/krb5/Makefile.am: bump version to 6:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:4:0
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: move AC_KRB_IPv6 to make sure it's performed
+ 	before AC_BROKEN
+	(el_init): use new feature of AC_FIND_FUNC_NO_LIBS
+
+	* appl/test/uu_client.c: use client_doit
+	* appl/test/test_locl.h (client_doit): add prototype
+	* appl/test/tcp_client.c: use client_doit
+	* appl/test/nt_gss_client.c: use client_doit
+	* appl/test/gssapi_client.c: use client_doit
+	* appl/test/common.c (client_doit): move identical code here and
+	start using getaddrinfo
+
+	* appl/kf/kf.c (doit): rewrite to use getaddrinfo
+	* kdc/hprop.c: re-write to use getaddrinfo
+	* lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): use
+	getaddrinfo
+	* lib/krb5/changepw.c: re-write to use getaddrinfo
+	* lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo
+
+1999-12-03  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (BROKEN): check for freeaddrinfo, getaddrinfo,
+	getnameinfo, gai_strerror
+	(socklen_t): check for
+
+1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key
+
+1999-11-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes
+ 	within unicode characters.  this should probably be done in some
+ 	arbitrarly complex way to do it properly and you would have to
+ 	know what character encoding was used for the password and salt
+ 	string.
+
+	* lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0
+	(INADDR_ANY)
+	(ipv6_uninteresting): remove unused macro
+
+1999-11-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.h: rc4->arcfour
+
+	* lib/krb5/crypto.c: rc4->arcfour
+
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h: add <rc4.h>
+	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4
+	* lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might
+	not be totally different from some small company up in the
+	north-west corner of the US
+
+	* lib/krb5/get_addrs.c (find_all_addresses): change code to
+ 	actually increment buf_size
+
+1999-11-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces'
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces
+ 	scanning optional
+	* lib/krb5/context.c (init_context_from_config_file): set
+ 	`scan_interfaces'
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c
+	* lib/krb5/add_et_list.c (krb5_add_et_list): new function
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realm,
+	krb5_get_default_realms): set realms if they were unset
+	* lib/krb5/context.c (init_context_from_config_file): don't
+	initialize default realms here.  it's done lazily instead.
+	
+	* lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned
+	* lib/asn1/gen_glue.c (generate_2int, generate_units): make sure
+	bit constants are unsigned
+	* lib/asn1/gen.c (define_type): make length in sequences be
+	unsigned.
+
+	* configure.in: remove duplicate test for setsockopt test for
+	struct tm.tm_isdst
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate
+	preauthentication information if we get back ERR_PREAUTH_REQUIRED
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove
+	preauthentication generation code.  it's now in krb5_get_in_cred
+	
+	* configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct
+	tm.tm_gmtoff and timezone
+	
+1999-11-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/main.c: make this work with multi-db
+
+	* kdc/kdc_locl.h: make this work with multi-db
+
+	* kdc/config.c: make this work with multi-db
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/misc.c: update for multi-database code
+
+	* kdc/main.c: update for multi-database code
+
+	* kdc/kdc_locl.h: update
+
+	* kdc/config.c: allow us to have more than one database
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2d
+
+	* lib/krb5/Makefile.am: bump version to 5:0:0 to be safe
+ 	(krb5_context_data has changed and some code do (might) access
+ 	fields directly)
+
+	* lib/krb5/krb5.h (krb5_context_data): add `etypes_des'
+
+	* lib/krb5/get_cred.c (init_tgs_req): use
+ 	krb5_keytype_to_enctypes_default
+
+	* lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new
+ 	function
+
+	* lib/krb5/context.c (set_etypes): new function
+	(init_context_from_config_file): set both `etypes' and `etypes_des'
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERSION): bump to 0.2d-pre
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_parse_name): check memory allocations
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2c
+
+	* lib/krb5/dump_config.c (print_tree): check for empty tree
+
+	* lib/krb5/string-to-key-test.c (tests): update the test cases
+ 	with empty principals so that they actually use an empty realm and
+ 	not the default.  use the correct etype for 3DES
+
+	* lib/krb5/Makefile.am: bump version to 4:1:0
+
+	* kdc/config.c (configure): more careful with the port string
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2b
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 4:0:0
+ 	(krb524_convert_creds_kdc and potentially some other functions
+ 	have changed prototypes)
+
+	* lib/hdb/Makefile.am: bump version to 4:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:3:0
+
+	* configure.in (LIB_roken): add dbopen.  getcap in roken
+ 	references dbopen and with shared libraries we need to add this
+ 	dependency.
+
+	* lib/krb5/verify_krb5_conf.c (main): support speicifying the
+ 	configuration file to test on the command line
+
+	* lib/krb5/config_file.c (parse_binding): handle line with no
+ 	whitespace before =
+	(krb5_config_parse_file_debug): set lineno earlier so that we don't
+	use it unitialized
+
+	* configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need
+ 	more include files for these tests
+
+	* lib/krb5/set_default_realm.c (krb5_set_default_realm): use
+ 	krb5_config_get_strings, which means that your configuration file
+ 	should look like:
+	
+	[libdefaults]
+	  default_realm = realm1 realm2 realm3
+
+	* lib/krb5/set_default_realm.c (config_binding_to_list): fix
+ 	copy-o.  From Michal Vocu <michal@karlin.mff.cuni.cz>
+
+	* kdc/config.c (configure): add a missing strdup.  From Michal
+ 	Vocu <michal@karlin.mff.cuni.cz>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2a
+
+	* configure.in: only test for db.h with using berkeley_db. remember
+ 	to link with LIB_tgetent when checking for el_init. add xnlock
+
+	* appl/Makefile.am: add xnlock
+
+	* kdc/kerberos5.c (find_etype): support null keys
+
+	* kdc/kerberos4.c (get_des_key): support null keys
+
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): more correct
+ 	calculation
+
+1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc
+
+1999-10-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm
+
+	* lib/krb5/krb5.h (krb5_ccache_data): make `ops' const
+
+	* lib/krb5/crypto.c (krb5_string_to_salttype): new function
+
+	* **/*.[ch]: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+	
+	* lib/krb5/creds.c (krb5_compare_creds): const-ify
+	
+	* lib/krb5/cache.c: clean-up and comment-up
+
+	* lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the
+ 	strings
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the
+ 	correct realm part
+
+	* kdc/connect.c (handle_tcp): things work much better when ret is
+ 	initialized
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the
+ 	type of the session key
+
+	* lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell
+ 	correctly
+
+	* lib/krb5/creds.c (krb5_compare_creds): fix spelling of
+ 	krb5_enctypes_compatible_keys
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new
+ 	credentials from the KDC if the existing one doesn't have a DES
+ 	session key.
+
+	* lib/45/get_ad_tkt.c (get_ad_tkt): update to new
+ 	krb524_convert_creds_kdc
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c: make krb5_akf_ops const
+
+	* lib/krb5/keytab_memory.c: make krb5_mkt_ops const
+
+	* lib/krb5/keytab_file.c: make krb5_fkt_ops const
+
+1999-10-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: rewritten to allow error messages
+
+	* lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf
+	(libkrb5_la_SOURCES): add config_file_netinfo.c
+
+	* lib/krb5/verify_krb5_conf.c: new program for verifying that
+	krb5.conf is corret
+
+	* lib/krb5/config_file_netinfo.c: moved netinfo code here from
+ 	config_file.c
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (dump_krb4): kludge default_realm
+
+	* lib/asn1/check-der.c: add test cases for Generalized time and
+ 	make sure we return the correct value
+
+	* lib/asn1/der_put.c: simplify by using der_put_length_and_tag
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of
+ 	krb5_verify_user that tries in all the local realms
+
+	* lib/krb5/set_default_realm.c: add support for having several
+ 	default realms
+
+	* lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms'
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realms): add
+
+	* lib/krb5/krb5.h (krb5_context_data): change `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/context.c: change from `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
+ 	krb5_get_default_realms
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c
+
+	* lib/krb5/copy_host_realm.c: new file
+
+1999-09-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_put.c (encode_generalized_time): encode length
+
+	* lib/krb5/recvauth.c: new function `krb5_recvauth_match_version'
+	that allows more intelligent matching of the application version
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c: add err.h
+
+	* kdc/config.c (configure): use parse_bytes
+
+	* appl/test/nt_gss_common.c: use the correct header file
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: add a `--cache' flag
+
+	* kuser/kinit.c (main): only get default value for `get_v4_tgt' if
+	it's explicitly set in krb5.conf
+
+1999-09-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (tag_names); add another univeral tag
+
+	* lib/asn1/der.h: update universal tags
+
+1999-09-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (loop): print length of octet string
+
+1999-09-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/ktutil.c (kt_get): add `--help'
+
+1999-09-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/Makefile.am: add kdecode_ticket
+
+	* kuser/kdecode_ticket.c: new debug program
+
+	* appl/test/nt_gss_server.c: new program to test against `Sample *
+ 	SSPI Code' in Windows 2000 RC1 SDK.
+
+	* appl/test/Makefile.am: add nt_gss_client and nt_gss_server
+
+	* lib/asn1/der_get.c (decode_general_string): remember to advance
+ 	ret over the length-len
+
+	* lib/asn1/Makefile.am: add asn1_print
+
+	* lib/asn1/asn1_print.c: new program for printing DER-structures
+
+	* lib/asn1/der_put.c: make functions more consistent
+
+	* lib/asn1/der_get.c: make functions more consistent
+
+1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: be more informative in pa-data error messages
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for strlcpy, strlcat
+
+1999-09-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return
+ 	KRB5_LIBOS_PWDINTR when interrupted
+
+	* lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return
+ 	value from des_read_pw_string
+
+	* kuser/kinit.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kpasswd/kpasswd.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kdc/string2key.c (main): check the return value from fgets
+
+	* kdc/kstash.c (main): check return value from des_read_pw_string
+
+	* admin/ktutil.c (kt_add): check the return-value from fgets and
+ 	overwrite the password for paranoid reasons
+
+	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the
+ 	newline if it's there
+
+1999-09-13  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): remove bogus error with `--print'.  remove
+ 	sysloging of number of principals transferred
+
+	* kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL
+ 	principals
+	(main): get rid of bogus opening of hdb database when propagating
+	ka-server database
+
+1999-09-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h (O_BINARY): add fallback definition
+
+	* lib/krb5/krb5.h (krb5_context_data): add keytab types
+
+	* configure.in: revert back awk test, not worked around in
+ 	roken.awk
+
+	* lib/krb5/keytab_krb4.c: remove O_BINARY
+
+	* lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's.  From
+	Love <lha@e.kth.se>
+
+	* lib/krb5/keytab_file.c: remove O_BINARY
+
+	* lib/krb5/keytab.c: move the list of keytab types to the context
+
+	* lib/krb5/fcache.c: remove O_BINARY
+
+	* lib/krb5/context.c (init_context_from_config_file): register all
+ 	standard cache and keytab types
+	(krb5_free_context): free `kt_types'
+
+	* lib/krb5/cache.c (krb5_cc_resolve): move the registration of the
+ 	standard types of credential caches to context
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c: add comments and clean-up
+
+	* admin/ktutil.c: add `ktutil copy'
+
+	* lib/krb5/keytab_krb4.c: new file
+
+	* lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field
+
+	* lib/krb5/Makefile.am: add keytab_krb4.c
+
+	* lib/krb5/keytab.c: add krb4 and correct some if's
+
+	* admin/srvconvert.c (srvconv): move common code
+
+	* lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables
+
+	* lib/krb5/keytab.c: move out file and memory functions
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c,
+ 	keytab_memory.c
+
+	* lib/krb5/keytab_memory.c: new file
+
+	* lib/krb5/keytab_file.c: new file
+
+	* kpasswd/kpasswdd.c: move out password quality functions
+
+1999-09-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c.  From
+ 	Love <lha@e.kth.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check
+ 	return value from `krb5_sendto_kdc'
+
+1999-09-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and
+ 	remove the sending of data.  add a parameter `limit'.  let callers
+ 	send the date themselves (and preferably with net_write on tcp
+ 	sockets)
+	(send_and_recv_tcp): read first the length field and then only that
+	many bytes
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): try to print warning `TCP data of
+ 	strange type' less often
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly.
+  	return on EOF.  always free data.  check return value from
+ 	realloc.
+	(send_and_recv_tcp, send_and_recv_http): check advertised length
+	against actual length
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for sgi capabilities
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return
+	extra addresses
+
+	* kpasswd/kpasswdd.c: use HDB keytabs; change some error messages;
+	add --realm flag
+
+	* lib/krb5/address.c (krb5_append_addresses): remove duplicates
+
+1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/keytab.c: HDB keytab backend
+
+1999-08-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab.c
+	(krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL
+	pointer
+
+1999-08-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: add `--keytab' flag
+
+1999-08-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr'
+ 	instead of the non-standard `s6_addr32'.  From Yoshinobu Inoue
+ 	<shin@kame.net> by way of the KAME repository
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (--enable-new-des3-code): remove check for `struct
+ 	addrinfo'
+
+	* lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable
+ 	des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards
+ 	compatability
+
+	* lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key
+ 	derivation) just got assigned etype 16 by <bcn@isi.edu>.  keep the
+ 	old etype at 7.
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c (krb5_sendauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* lib/krb5/recvauth.c (krb5_recvauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't
+ 	returned -1
+
+	* appl/test/tcp_server.c (proto): only trust errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kfd.c (proto): be more careful with the return value
+ 	from krb5_net_read
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (get_addrs_int): try the different ways
+ 	sequentially instead of just one.  this helps if your heimdal was
+ 	built with v6-support but your kernel doesn't have it, for
+ 	example.
+
+1999-08-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: add inetd flag.  default means try to figure out
+ 	if stdin is a socket or not.
+
+	* Makefile.am (ACLOCAL): just use `cf', this variable is only used
+ 	when the current directory is $(top_srcdir) anyways and having
+ 	$(top_srcdir) there breaks if it's a relative path
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for setproctitle
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): remember to call
+ 	freehostent
+
+	* appl/test/tcp_client.c: call freehostent
+
+	* appl/kf/kf.c (doit): call freehostent
+
+	* appl/kf/kf.c: make v6 friendly and simplify
+
+	* appl/kf/kfd.c: make v6 friendly and simplify
+
+	* appl/test/tcp_server.c: simplify by using krb5_err instead of
+ 	errx
+	
+	* appl/test/tcp_client.c: simplify by using krb5_err instead of
+ 	errx
+
+	* appl/test/tcp_server.c: make v6 friendly and simplify
+
+	* appl/test/tcp_client.c: make v6 friendly and simplify
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1m
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c (main): some more KRB4-conditionalizing
+
+	* lib/krb5/get_in_tkt.c: type correctness
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in
+ 	flags.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kuser/kinit.c (main): add config file support for forwardable
+ 	and krb4 support.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/kerberos5.c (as_rep): add an empty X500-compress string as
+ 	transited.
+	(fix_transited_encoding): check length.
+	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hpropd.c (dump_krb4): check the realm so that we don't dump
+ 	principals in some other realm. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+	(main): rename sa_len -> sin_len, sa_lan is a define on some
+	platforms.
+
+	* appl/kf/kfd.c: add regpag support. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* appl/kf/kf.c: add `-G' and forwardable option in krb5.conf.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* lib/krb5/config_file.c (parse_list): don't run past end of line
+
+	* appl/test/gss_common.h: new prototypes
+
+	* appl/test/gssapi_client.c: use gss_err instead of abort
+
+	* appl/test/gss_common.c (gss_verr, gss_err): add
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this
+ 	otherwise it doesn't build with shared libraries
+
+	* kdc/hpropd.c: v6-ify
+
+	* kdc/hprop.c: v6-ify
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname
+
+1999-07-31  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new
+ 	function that takes a FQDN
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c
+
+	* lib/krb5/expand_hostname.c: new file
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1l
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/Makefile.am: bump version to 1:2:0
+
+	* lib/krb5/Makefile.am: bump version to 3:1:0
+
+	* configure.in: more inet_pton to roken
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+ 	getipnodebyname
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1k
+
+1999-07-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: bump version number (changed function
+	signatures)
+
+	* lib/hdb/Makefile.am: bump version number (changes to some
+	function signatures)
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 3:0:2
+
+	* lib/hdb/Makefile.am: bump version to 2:1:0
+
+	* lib/asn1/Makefile.am: bump version to 1:1:0
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1j
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: rokenize inet_ntop
+
+	* lib/krb5/store_fd.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_mem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_emem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store.c: lots of changes from size_t to ssize_t
+	(krb5_ret_stringz): check return value from realloc
+
+	* lib/krb5/mk_safe.c: some type correctness
+	
+	* lib/krb5/mk_priv.c: some type correctness
+	
+	* lib/krb5/krb5.h (krb5_storage): change return values of
+	functions from size_t to ssize_t
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1i
+
+	* configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \#
+ 	in lib/roken/roken.awk
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to
+ 	step over addresses if there's no `sa_lan' field
+
+	* lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by
+ 	using `struct sockaddr_storage'
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/changepw.c (krb5_change_password): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd):
+ 	simplify by using `struct sockaddr_storage'
+
+	* kpasswd/kpasswdd.c (*): simplify by using `struct
+ 	sockaddr_storage'
+
+	* kdc/connect.c (*): simplify by using `struct sockaddr_storage'
+
+	* configure.in (sa_family_t): just test for existence
+	(sockaddr_storage): also specify include file
+
+	* configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i
+	(sa_family_t): test for
+	(struct	sockaddr_storage): test for
+
+	* kdc/hprop.c (propagate_database): typo, NULL should be
+ 	auth_context
+
+	* lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of
+ 	AF_INET6
+
+	* appl/kf/kf.c (main): use warnx
+
+	* appl/kf/kf.c (proto): remove shadowing context
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to handle the
+ 	case of getting back an `sockaddr_in6' address when sizeof(struct
+ 	sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to
+ 	tell us how large the address is.  This obviously doesn't work
+ 	with unknown protocol types.
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1h
+
+1999-07-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/kfd.c: clean-up and more paranoia
+
+	* etc/services.append: add kf
+
+	* appl/kf/kf.c: rename tk_file to ccache for consistency.  clean-up
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/n-fold-test.c (main): print the correct data
+
+	* appl/Makefile.am (SUBDIRS): add kf
+
+	* appl/kf: new program.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hprop.c: declare some variables unconditionally to simplify
+ 	things
+
+	* kpasswd/kpasswdd.c: initialize kadm5 connection for every change
+ 	(otherwise the modifier in the database doesn't get set)
+
+	* kdc/hpropd.c: clean-up and re-organize
+
+	* kdc/hprop.c: clean-up and re-organize
+
+ 	* configure.in (SunOS): define to xy for SunOS x.y
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AC_BROKEN): test for copyhostent, freehostent,
+ 	getipnodebyaddr, getipnodebyname
+
+1999-07-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c: more test cases for integers
+
+	* lib/asn1/der_length.c (length_int): handle the case of the
+ 	largest negative integer by not calling abs
+
+1999-07-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c (generic_test): check malloc return value
+ 	properly
+
+	* lib/krb5/Makefile.am: add string_to_key_test
+
+	* lib/krb5/prog_setup.c (krb5_program_setup): always initialize
+ 	the context
+
+	* lib/krb5/n-fold-test.c (main): return a relevant return value
+
+	* lib/krb5/krbhst.c: do SRV lookups for admin server as well.
+  	some clean-up.
+
+1999-07-12  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: handle not building X programs
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate
+ 	variable
+	(ipv6_sockaddr2port): fix typo
+
+	* etc/services.append: beginning of a file with services
+
+	* lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if
+ 	there's no prefix.  also clean-up a little bit.
+
+	* kdc/hprop.c (--kaspecials): new flag for handling special KA
+ 	server entries.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+1999-07-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): make sure we have data before
+ 	starting to look for HTTP
+
+	* kdc/connect.c (handle_tcp): always do getpeername, we can't
+ 	trust recvfrom to return anything sensible
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with
+ 	all enctypes
+
+	* kpasswd/kpasswdd.c (change): fetch the salt-type from the entry
+
+	* admin/srvconvert.c (srvconv): better error messages
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (unparse_name): error check malloc properly
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc
+ 	properly
+
+	* lib/krb5/crypto.c (*): do some malloc return-value checks
+ 	properly
+
+	* lib/hdb/hdb.c (hdb_process_master_key): simplify by using
+ 	krb5_data_alloc
+
+	* lib/hdb/hdb.c (hdb_process_master_key): check return value from
+ 	malloc
+
+	* lib/asn1/gen_decode.c (decode_type): fix generation of decoding
+ 	information for TSequenceOf.
+
+	* kdc/kerberos5.c (get_pa_etype_info): check return value from
+ 	malloc
+
+1999-07-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/der_copy.c (copy_octet_string): don't fail if length ==
+ 	0 and malloc returns NULL
+
+1999-06-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): implement
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address
+ 	as an addrport one
+
+	* lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT):
+ 	add
+	(krb5_auth_context): add local and remote port
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the
+ 	local and remote address and add them to the krb-cred packet
+
+	* lib/krb5/auth_context.c: save the local and remove ports in the
+ 	auth_context
+
+	* lib/krb5/address.c (krb5_make_addrport): create an address of
+ 	type KRB5_ADDRESS_ADDRPORT from (addr, port)
+
+	* lib/krb5/addr_families.c (krb5_sockaddr2port): new function for
+ 	grabbing the port number out of the sockaddr
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key.
+  	increase possible verbosity.
+
+	* lib/krb5/config_file.c (parse_list): handle blank lines at
+ 	another place
+	
+	* kdc/connect.c (add_port_string): don't return a value
+
+ 	* lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred
+ 	cache if the principals are different.  close and NULL the old one
+ 	so that we create a new one.
+
+	* configure.in: move around cgywin et al
+	(LIB_kdb): set at the end of krb4-block
+	(krb4): test for krb_enable_debug and krb_disable_debug
+
+1999-06-16  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kdestroy.c (main): try to destroy v4 ticket even if the
+ 	destruction of the v5 one fails
+
+	* lib/krb5/crypto.c (DES3_postproc): new version that does the
+ 	right thing
+	(*): don't put and recover length in 3DES encoding
+	other small fixes
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: rewrite to use
+ 	get_default_username
+
+	* lib/krb5/Makefile.am: add n-fold-test
+
+	* kdc/connect.c: add fallbacks for all lookups by service name
+	(handle_tcp): break-up and clean-up
+
+1999-06-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_uninteresting): don't consider
+ 	the loopback address as uninteresting
+
+	* lib/krb5/get_addrs.c: new magic flag to get loopback address if
+ 	there are no other addresses.
+	(krb5_get_all_client_addrs): use that flag
+
+1999-06-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the
+ 	length
+	(checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64
+	(encrypt_internal_derived): don't include the length and don't
+	decrease by the checksum size twice
+	(_get_derived_key): the constant should be 5 bytes
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: use KRB_CHECK_X
+	
+	* configure.in: check for netinet/ip.h
+	
+1999-05-31  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize
+ 	on RTLD_NOW
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/uu_server.c: removed unused stuff
+
+	* appl/test/uu_client.c: removed unused stuff
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kgetcred.c (main): correct error message
+
+	* lib/krb5/crypto.c (verify_checksum): call (*ct->checksum)
+ 	directly, avoiding redundant lookups and memory leaks
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free
+ 	local and remote addresses
+
+	* lib/krb5/get_default_principal.c (get_logname): also try
+ 	$USERNAME
+	
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT)
+
+	* lib/krb5/principal.c (USE_RESOLVER): try to define only if we
+	have a libresolv (currently by checking for res_search)
+
+1999-05-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c (handle_tcp): remove %-escapes in request
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1g
+
+	* admin/ktutil.c (kt_remove): -t should be -e
+
+	* configure.in (CHECK_NETINET_IP_AND_TCP): use
+
+	* kdc/hpropd.c: support for dumping to krb4.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* admin/ktutil.c (kt_add): new option `--no-salt'.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* configure.in: add cygwin and DOS tests replace sendmsg, recvmsg,
+ 	and innetgr with roken versions
+
+	* kuser/kgetcred.c: new program
+
+Tue May 11 14:09:33 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/mcache.c: fix paste-o
+	
+1999-05-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: don't use uname
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four
+	arguments :-)
+
+	* appl/test/uu_server.c (setsockopt): cast to get rid of a warning
+	
+	* appl/test/tcp_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* appl/test/tcp_client.c (proto): call krb5_sendauth with ccache
+	== NULL
+
+	* appl/test/gssapi_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by
+	setting the default ccache.
+
+	* configure.in (getsockopt, setsockopt): test for
+	(AM_INIT_AUTOMAKE): bump version to 0.1g
+
+	* appl/Makefile.am (SUBDIRS): add kx
+	
+	* lib/hdb/convert_db.c (main): handle the case of no master key
+	
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1f
+
+	* kuser/kinit.c: add --noaddresses
+	
+	* lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an
+	empty sit of list as to not ask for any addresses.
+	
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (_GNU_SOURCE): define this to enable (used)
+ 	extensions on glibc-based systems such as linux
+
+1999-05-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free
+	`*out_creds' properly
+
+	* lib/krb5/creds.c (krb5_compare_creds): just verify that the
+	keytypes/enctypes are compatible, not that they are the same
+
+	* kuser/kdestroy.c (cache): const-correctness
+
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/hdb.c (hdb_set_master_key): initialise master key
+	version
+
+	* lib/hdb/convert_db.c: add support for upgrading database
+	versions
+
+	* kdc/misc.c: add flags to fetch
+
+	* kdc/kstash.c: unlink keyfile on failure, chmod to 400
+
+	* kdc/hpropd.c: add --print option
+
+	* kdc/hprop.c: pass flags to hdb_foreach
+
+	* lib/hdb/convert_db.c: add some flags
+
+	* lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2;
+	build prototype headers
+	
+	* lib/hdb/hdb_locl.h: update prototypes
+
+	* lib/hdb/print.c: move printable version of entry from kadmin
+
+	* lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is
+	sealed or not; add flags to hdb_foreach
+
+	* lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and
+	NDBM_nextkey
+
+	* lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey
+
+	* lib/hdb/common.c: add flags to _hdb_{fetch,store}
+
+	* lib/hdb/hdb.h: add master_key_version to struct hdb, update
+	prototypes
+
+	* lib/hdb/hdb.asn1: make mkvno optional, update version to 2
+
+	* configure.in: --enable-netinfo
+
+	* lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO
+
+	* config.sub: fix for crays
+
+	* config.guess: new version from automake 1.4
+	
+	* config.sub: new version from automake 1.4
+
+Wed Apr 28 00:21:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1e
+
+	* lib/krb5/mcache.c (mcc_get_next): get the current cursor
+ 	correctly
+
+	* acconfig.h: correct definition of KRB_PUT_INT for old krb4 code.
+  	From Ake Sandgren <ake@cs.umu.se>
+
+1999-04-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: fix arguments to decrypt_ticket
+	
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old
+	DCE secd's that are not able to handle MD5 checksums by defaulting
+	to MD4 if the keytype was DES-CBC-CRC
+	
+	* lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype
+	
+	* lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and
+	`cksumtype'
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for
+	secd
+	(init_tgs_req): add all supported enctypes for the keytype in
+	`in_creds->session.keytype' if it's set
+
+	* lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol
+	encryption types
+	(do_checksum): new function
+	(verify_checksum): take the checksum to use from the checksum message
+	and not from the crypto struct
+	(etypes): add F_PSEUDO flags
+	(krb5_keytype_to_enctypes): new function
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype
+	and cksumtype
+	(krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement
+	(krb5_auth_setkeytype, krb5_auth_getkeytype): implement
+	(krb5_auth_setenctype): comment out, it's rather bogus anyway
+
+Sun Apr 25 16:55:50 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: fix for stupid aix warnings
+
+	* lib/krb5/fcache.c (erase_file): don't malloc
+	
+Sat Apr 24 18:35:21 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/config.c: pass context to krb5_config_file_free
+
+	* kuser/kinit.c: add `--fcache-version' to set cache version to
+	create
+
+	* kuser/klist.c: print cache version if verbose
+
+	* lib/krb5/transited.c (krb5_domain_x500_decode): don't abort
+
+	* lib/krb5/principal.c: abort -> krb5_abortx
+
+	* lib/krb5/mk_rep.c: abort -> krb5_abortx
+
+	* lib/krb5/config_file.c: abort -> krb5_abortx
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	fcache_version; add krb5_{get,set}_fcache_version
+
+	* lib/krb5/keytab.c: add support for reading (and writing?) old
+	version keytabs
+
+	* lib/krb5/cache.c: add krb5_cc_get_version
+
+	* lib/krb5/fcache.c: add support for reading and writing old
+	version cache files
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): zero flags
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags
+
+	* lib/krb5/store.c: add flags to change how various fields are
+	stored, used for old cache version support
+	
+	* lib/krb5/krb5.h: add support for reading and writing old version
+	cache files, and keytabs
+	
+Wed Apr 21 00:09:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: fix test for readline.h remember to link with
+ 	$LIB_tgetent when trying linking with readline
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time
+ 	is given, request a postdated ticket.
+
+	* lib/krb5/data.c (krb5_data_free): free data as long as it's not
+ 	NULL
+
+Tue Apr 20 20:18:14 1999  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen
+
+	* lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and
+ 	KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is
+ 	invalid
+
+Tue Apr 20 12:42:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: don't try to load library by default; get
+ 	library and function name from krb5.conf
+
+	* kpasswd/sample_passwd_check.c: sample password checking
+ 	functions
+
+Mon Apr 19 22:22:19 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use
+ 	krb5_data_alloc and be careful with checking allocation and sizes.
+
+	* kuser/klist.c (--tokens): conditionalize on KRB4
+
+	* kuser/kinit.c (renew_validate): set all flags
+	(main): fix cut-n-paste error when setting start-time
+
+	* kdc/kerberos5.c (check_tgs_flags): starttime of a validate
+ 	ticket should be > than current time
+	(*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket
+
+	* kuser/kinit.c (renew_validate): use the client realm instead of
+ 	the local realm when renewing tickets.
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function
+	(krb5_get_forwarded_creds): correct freeing of out_creds
+
+	* kuser/kinit.c (renew_validate): hopefully fix up freeing of
+ 	memory
+
+	* configure.in: do all the krb4 tests with "$krb4" != "no"
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero
+ 	keyvalue if it's NULL.  noticed by Ake Sandgren <ake@cs.umu.se>
+
+	* lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes
+ 	instead of just taking the first one.  fix all callers.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/kdc_locl.h (enable_kaserver): declaration
+	
+	* kdc/hprop.c (ka_convert): print the failing principal.  AFS 3.4a
+ 	creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/hpropd.c (open_socket): stupid cast to get rid of a warning
+
+	* kdc/connect.c (add_standard_ports, process_request): look at
+ 	enable_kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+	* kdc/config.c: new flag --kaserver and config file option
+ 	enable-kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Mon Apr 19 12:32:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for dlopen, and dlfcn.h
+
+	* kpasswd/kpasswdd.c: add support for dlopen:ing password quality
+ 	check library
+
+	* configure.in: add appl/su
+
+Sun Apr 18 15:46:53 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/cache.c: add krb5_cc_get_type that returns type of a
+ 	cache
+
+Fri Apr 16 17:58:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: LIB_kdb: -L should be before -lkdb
+	test for prototype of strsep
+	
+Thu Apr 15 11:34:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: update version
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
+ 	ALLOC_SEQ
+
+	* lib/krb5/fcache.c: add some support for reading and writing old
+ 	cache formats;
+	(fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use
+	krb5_ret_creds
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc,
+ 	initialize host_byteorder
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): initialize
+ 	host_byteorder
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): initialize
+ 	host_byteorder
+
+	* lib/krb5/store.c (krb5_storage_set_host_byteorder): add;
+	(krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16):
+ 	check host_byteorder flag; (krb5_store_creds): add;
+ 	(krb5_ret_creds): add
+
+	* lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for
+ 	storage of numbers
+
+	* lib/krb5/heim_err.et: add `host not found' error
+
+	* kdc/connect.c: don't use data after clearing decriptor
+
+	* lib/krb5/auth_context.c: abort -> krb5_abortx
+
+	* lib/krb5/warn.c: add __attribute__; add *abort functions
+
+	* configure.in: check for __attribute__
+
+	* kdc/connect.c: log bogus requests
+
+Tue Apr 13 18:38:05 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts
+ 	for all DES keys
+
+1999-04-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit
+
+	* lib/krb5/get_cred.c (init_tgs_req): some more error checking
+
+	* lib/krb5/generate_subkey.c (krb5_generate_subkey): check return
+	value from malloc
+
+Sun Apr 11 03:47:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: update to reality
+
+	* lib/krb5/krb5_425_conv_principal.3: update to reality
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: handle more than one realm for a host
+
+	* kpasswd/kpasswd.c (main): use krb5_program_setup and
+	print_version
+
+	* kdc/string2key.c (main): use krb5_program_setup and
+	print_version
+
+Sun Apr 11 02:35:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/principal.c (krb5_524_conv_principal): make it actually
+ 	work, and check built-in list of host-type first-components
+
+	* lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm
+
+	* lib/krb5/context.c: add srv_* flags to context
+
+	* lib/krb5/principal.c: add default v4_name_convert entries
+
+	* lib/krb5/krb5.h: add srv_* flags to context
+
+Sat Apr 10 22:52:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kadmin/kadmin.c: complain about un-recognised commands
+
+	* admin/ktutil.c: complain about un-recognised commands
+
+Sat Apr 10 15:41:49 1999  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/load.c (doit): fix error message
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum if lengths
+ 	fail to match.
+	(krb5_get_wrapped_length): new function
+
+	* configure.in: security/pam_modules.h: check for
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge
+ 	around `ret_as_reply' semantics by only freeing it when ret == 0
+
+Fri Apr  9 20:24:04 1999  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c (print_cred_verbose): handle the case of a bad
+ 	enctype
+
+	* configure.in: test for more header files
+	(LIB_roken): set
+
+Thu Apr  8 15:01:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: fixes for building w/o krb4
+
+	* ltmain.sh: update to libtool 1.2d
+
+	* ltconfig: update to libtool 1.2d
+
+Wed Apr  7 23:37:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: fix some error messages to be more understandable.
+
+	* kdc/hprop.c (ka_dump): remove unused variables
+
+	* appl/test/tcp_server.c: remove unused variables
+
+	* appl/test/gssapi_server.c: remove unused variables
+
+	* appl/test/gssapi_client.c: remove unused variables
+
+Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code
+
+	* kuser/klist.c: make it compile w/o krb4
+
+	* kuser/kdestroy.c: make it compile w/o krb4
+
+	* admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help
+ 	strings
+
+Mon Apr  5 16:13:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: test for MIPS ABI; new test_package
+
+Thu Apr  1 11:00:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/Makefile.am: clean krb5-private.h
+
+	* Release 0.1d
+
+	* kpasswd/kpasswdd.c (doit): pass context to
+ 	krb5_get_all_client_addrs
+
+	* kdc/connect.c (init_sockets): pass context to
+ 	krb5_get_all_server_addrs
+
+	* lib/krb5/get_in_tkt.c (init_as_req): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_cred.c (get_cred_kdc_la): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses
+
+	* lib/krb5/krb5.h: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/context.c: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/addr_families.c: add krb5_parse_address
+
+	* lib/krb5/address.c: krb5_append_addresses
+
+	* lib/krb5/config_file.c (parse_binding): don't zap everything
+ 	after first whitespace
+
+	* kuser/kinit.c (renew_validate): don't allocate out
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't
+ 	allocate out_creds
+
+	* lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make
+ 	out_creds pointer;
+	(krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags):
+	free more memory
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply,
+ 	and ticket
+
+	* kuser/Makefile.am: remove kfoo
+
+	* lib/Makefile.am: add auth
+
+	* lib/kadm5/iprop.h: getarg.h
+
+	* lib/kadm5/replay_log.c: use getarg
+
+	* lib/kadm5/ipropd_slave.c: use getarg
+
+	* lib/kadm5/ipropd_master.c: use getarg
+
+	* lib/kadm5/dump_log.c: use getarg
+
+	* kpasswd/kpasswdd.c: use getarg
+
+	* Makefile.am.common: make a more working check-local target
+
+	* lib/asn1/main.c: use getargs
+
+Mon Mar 29 20:19:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c (print_cred_verbose): use krb5_print_address
+
+	* lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/addr_families.c (krb5_print_address): handle unknown
+ 	address types; (ipv6_print_addr): print in 16-bit groups (as it
+ 	should)
+
+	* lib/krb5/crc.c: crc_{init_table,update} ->
+ 	_krb5_crc_{init_table,update}
+
+	* lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int
+ 	crc_{init_table,update} -> _krb5_crc_{init_table,update}
+
+	* lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/krb5_locl.h: include krb5-private.h
+
+	* kdc/connect.c (addr_to_string): use krb5_print_address
+
+	* lib/krb5/addr_families.c (krb5_print_address): int -> size_t
+
+	* lib/krb5/addr_families.c: add support for printing ipv6
+ 	addresses, either with inet_ntop, or ugly for-loop
+
+	* kdc/524.c: check that the ticket came from a valid address; use
+ 	the address of the connection as the address to put in the v4
+ 	ticket (if this address is AF_INET)
+
+	* kdc/connect.c: pass addr to do_524
+
+	* kdc/kdc_locl.h: prototype for do_524
+
+Sat Mar 27 17:48:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for OSF C2; bind/bitypes.h, getudbnam,
+ 	setlim; check for auth modules; siad.h, getpwnam_r;
+ 	lib/auth/Makefile, lib/auth/sia/Makefile
+
+	* lib/krb5/crypto.c: n_fold -> _krb5_n_fold
+
+	* lib/krb5/n-fold.c: n_fold -> _krb5_n_fold
+
+Thu Mar 25 04:35:21 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping
+ 	it
+
+	* lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data'
+
+	* lib/hdb/ndbm.c (NDBM_destroy): clear master key
+
+	* lib/hdb/db.c (DB_destroy): clear master key
+	(DB_open): check malloc
+
+	* kdc/connect.c (init_sockets): free addresses
+
+	* kadmin/kadmin.c (main): make code more consistent.  always free
+ 	configuration information.
+
+	* kadmin/init.c (create_random_entry): free the entry
+
+Wed Mar 24 04:02:03 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+ 	re-organize the code to always free `kdc_reply'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about
+ 	freeing memory
+
+	* lib/krb5/fcache.c (fcc_destroy): don't call fcc_close
+
+	* lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto'
+
+	* lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0
+ 	header
+
+	* configure.in (db_185.h): check for
+
+	* admin/srvcreate.c: new file. contributed by Daniel Kouril
+ 	<kouril@informatics.muni.cz>
+
+	* admin/ktutil.c: srvcreate: new command
+
+	* kuser/klist.c: add support for printing AFS tokens
+
+	* kuser/kdestroy.c: add support for destroying v4 tickets and AFS
+ 	tokens.  based on code by Love <lha@stacken.kth.se>
+
+	* kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries
+
+	* configure.in: sys/ioccom.h: test for
+
+	* kuser/klist.c (main): don't print `no ticket file' with --test.
+  	From: Love <lha@e.kth.se>
+
+	* kpasswd/kpasswdd.c (doit): more braces to make gcc happy
+
+	* kdc/connect.c (init_socket): get rid of a stupid warning
+
+	* include/bits.c (my_strupr): cast away some stupid warnings
+
+Tue Mar 23 14:34:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite
+ 	loops, please
+
+Tue Mar 23 00:00:45 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/Makefile.am (install_build_headers): recover from make
+ 	rewriting the names of the headers kludge to help solaris make
+
+	* lib/krb5/Makefile.am: kludge to help solaris make
+
+	* lib/hdb/Makefile.am: kludge to help solaris make
+
+	* configure.in (LIB_kdb): make sure there's a -L option in here by
+ 	adding $(LIB_krb4)
+
+	* lib/asn1/gen_glue.c (generate_2int, generate_int2): int ->
+ 	unsigned
+
+	* configure.in (SunOS): set to a number KRB4, KRB5 conditionals:
+ 	remove the `dnl' to work around an automake flaw
+
+Sun Mar 21 15:08:49 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_default_realm.c: char* -> krb5_realm
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/bits.c: <bind/bitypes.h>
+
+	* lib/krb5/Makefile.am: create krb5-private.h
+
+Sat Mar 20 00:08:59 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (gethostname): remove duplicate
+
+Fri Mar 19 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/Makefile.am: add version-info
+
+	* lib/gssapi/Makefile.am: add version-info
+
+	* lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der
+ 	to check_PROGRAMS
+
+	* lib/Makefile.am: add 45
+
+	* lib/kadm5/Makefile.am: split in client and server libraries
+ 	(breaks shared libraries otherwise)
+
+Thu Mar 18 11:33:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/kadm5/Makefile.am: clean a lot of header files (since
+ 	automake lacks a clean-hook)
+
+	* include/Makefile.am: clean a lot of header files (since automake
+ 	lacks a clean-hook)
+
+	* lib/kadm5/Makefile.am: fix build-installation of headers
+
+	* lib/krb5/Makefile.am: remove include_dir hack
+
+	* lib/hdb/Makefile.am: remove include_dir hack
+
+	* lib/asn1/Makefile.am: remove include_dir hack
+
+	* include/Makefile.am: remove include_dir hack
+
+	* doc/whatis.texi: define sub for html
+
+	* configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h
+
+	* lib/asn1/Makefile.am: der.h
+
+	* kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h
+
+	* kdc/Makefile.am: remove junk
+
+	* kadmin/Makefile.am: sl.a -> sl.la
+
+	* appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS
+
+	* admin/Makefile.am: sl.a -> sl.la
+
+	* configure.in: condition KRB5; AC_CHECK_XAU
+
+	* Makefile.am: include Makefile.am.common
+
+	* include/kadm5/Makefile.am: include Makefile.am.common; don't
+ 	install headers from here
+
+	* include/Makefile.am: include Makefile.am.common; don't install
+ 	headers from here
+
+	* doc/Makefile.am: include Makefile.am.common
+
+	* lib/krb5/Makefile.am: include Makefile.am.common
+
+	* lib/kadm5/Makefile.am: include Makefile.am.common
+
+	* lib/hdb/Makefile.am: include Makefile.am.common
+
+	* lib/gssapi/Makefile.am: include Makefile.am.common
+
+	* lib/asn1/Makefile.am: include Makefile.am.common
+
+	* lib/Makefile.am: include Makefile.am.common
+
+	* lib/45/Makefile.am: include Makefile.am.common
+
+	* kuser/Makefile.am: include Makefile.am.common
+
+	* kpasswd/Makefile.am: include Makefile.am.common
+
+	* kdc/Makefile.am: include Makefile.am.common
+
+	* kadmin/Makefile.am: include Makefile.am.common
+
+	* appl/test/Makefile.am: include Makefile.am.common
+
+	* appl/afsutil/Makefile.am: include Makefile.am.common
+
+	* appl/Makefile.am: include Makefile.am.common
+
+	* admin/Makefile.am: include Makefile.am.common
+
+Wed Mar 17 03:04:38 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_store_stringz): braces fix
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix
+
+	* lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix
+
+	* kdc/connect.c (loop): braces fix
+
+	* lib/krb5/config_file.c: cast to unsigned char to make is* happy
+
+	* lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy
+
+	* lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to
+ 	be consistent
+
+	* kadmin/util.c (timeval2str): more braces to make gcc happy
+
+	* kadmin/load.c: cast in is* to get rid of stupid warning
+
+	* kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid
+ 	warning
+
+	* kdc/kaserver.c: malloc checks and fixes
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading
+ 	dot (if any) when looking up realms.
+
+Fri Mar 12 13:57:56 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c: add dns support
+
+	* lib/krb5/set_default_realm.c: use krb5_free_host_realm
+
+	* lib/krb5/free_host_realm.c: check for NULL realmlist
+
+	* lib/krb5/context.c: don't print warning if there is no krb5.conf
+
+Wed Mar 10 19:29:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_WFLAGS
+
+Mon Mar  8 11:49:43 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1c
+
+	* kuser/klist.c: use print_version
+
+	* kuser/kdestroy.c: use print_version
+
+	* kdc/hpropd.c: use print_version
+
+	* kdc/hprop.c: use print_version
+
+	* kdc/config.c: use print_version
+
+	* kadmin/kadmind.c: use print_version
+
+	* kadmin/kadmin.c: use print_version
+
+	* appl/test/common.c: use print_version
+
+	* appl/afsutil/afslog.c: use print_version
+
+Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN ->
+ 	HAVE_STRUCT_SOCKADDR_SA_LEN
+
+	* configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13
+
+Sun Feb 28 18:19:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/asn1/gen.c: make `BIT STRING's unsigned
+
+	* lib/asn1/{symbol.h,gen.c}: add TUInteger type
+
+	* lib/krb5/verify_user.c (krb5_verify_user): pass prompter to
+ 	krb5_get_init_creds_password
+
+	* lib/krb5/fcache.c (fcc_gen_new): implement
+
+Sat Feb 27 22:41:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/install.texi: krb4 is now automatically detected
+
+	* doc/misc.texi: update procedure to set supported encryption
+ 	types
+
+	* doc/setup.texi: change some silly wordings
+
+Sat Feb 27 22:17:30 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keytab.c (fkt_remove_entry): make this work
+
+	* admin/ktutil.c: add minimally working `get' command
+
+Sat Feb 27 19:44:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: more typos
+
+	* include/Makefile.am: remove EXTRA_DATA (as of autoconf
+ 	2.13/automake 1.4)
+
+	* appl/Makefile.am: OTP_dir
+
+Fri Feb 26 17:37:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/setup.texi: add kadmin section
+
+	* lib/asn1/check-der.c: fix printf warnings
+
+Thu Feb 25 11:16:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: -O does not belong in WFLAGS
+
+Thu Feb 25 11:05:57 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c: fix der_put_int
+
+Tue Feb 23 20:35:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_BROKEN_GLOB
+
+Mon Feb 22 15:12:44 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* configure.in: check for glob
+
+Mon Feb 22 11:32:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1b
+
+Sat Feb 20 15:48:06 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and
+ 	des3-cbc-md5
+
+	* lib/krb5/crypto.c (DES3_string_to_key): make this actually do
+ 	what the draft said it should
+
+	* lib/hdb/convert_db.c: little program for database conversion
+
+	* lib/hdb/db.c (DB_open): try to open database w/o .db extension
+
+	* lib/hdb/ndbm.c (NDBM_open): add test for database format
+
+	* lib/hdb/db.c (DB_open): add test for database format
+
+	* lib/asn1/gen_glue.c (generate_2int): don't depend on flags being
+ 	unsigned
+
+	* lib/hdb/hdb.c: change `hdb_set_master_key' to take an
+ 	EncryptionKey, and add a new function `hdb_set_master_keyfile' to
+ 	do what `hdb_set_master_key' used to do
+
+	* kdc/kstash.c: add `--convert-file' option to change keytype of
+ 	existing master key file
+
+Fri Feb 19 07:04:14 1999  Assar Westerlund  <assar@squid.pdc.kth.se>
+
+	* Release 0.1a
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf
+ 	is now a `u_char *'
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int'
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): constize
+ 	orig_host
+
+ 	(krb5_salttype_to_string): new function (RSA_MD5_DES_verify,
+ 	RSA_MD5_DES3_verify): initialize ret
+
+	* lib/gssapi/init_sec_context.c (init_auth): remove unnecessary
+ 	gssapi_krb5_init.  ask for KEYTYPE_DES credentials
+
+	* kadmin/get.c (print_entry_long): print the keytypes and salts
+ 	available for the principal
+
+	* configure.in (WFLAGS): add `-O' to catch unitialized variables
+ 	and such
+	(gethostname, mkstemp, getusershell, inet_aton): more tests
+
+	* lib/hdb/hdb.h: update prototypes
+
+	* configure.in: homogenize broken detection with krb4
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused
+ 	`error'
+
+	* lib/asn1/Makefile.am (check-der): add
+
+	* lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead
+ 	of `unsigned'
+
+	* lib/asn1/der_length.c (length_unsigned): new function
+	(length_int): handle signed integers
+
+	* lib/asn1/der_put.c (der_put_unsigned): new function
+	(der_put_int): handle signed integers
+
+ 	* lib/asn1/der_get.c (der_get_unsigned): new function
+ 	(der_get_int): handle signed integers
+
+	* lib/asn1/der.h: all integer functions take `int' instead of
+ 	`unsigned'
+
+	* lib/asn1/lex.l (filename): unused. remove.
+
+	* lib/asn1/check-der.c: new test program for der encoding and
+ 	decoding.
+
+Mon Feb  1 04:09:06 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call
+ 	gethostbyname2 with AF_INET6 if we actually have IPv6.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+ 	* lib/krb5/changepw.c (get_kdc_address): dito
+
+Sun Jan 31 06:26:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (parse_prots): always bind to AF_INET, there are
+ 	v6-implementations without support for `mapped V4 addresses'.
+  	From Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sat Jan 30 22:38:27 1999  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0u
+
+Sat Jan 30 13:43:02 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: explicit rules for *.et files
+
+ 	* lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if
+ 	krb5_get_credentials was succesful.
+ 	(get_new_cache): return better error codes and return earlier.
+ 	(get_cred_cache): only delete default_client if it's different
+ 	from client
+ 	(kadm5_c_init_with_context): return a more descriptive error.
+
+	* kdc/kerberos5.c (check_flags): handle NULL client or server
+
+	* lib/krb5/sendauth.c (krb5_sendauth): return the error in
+ 	`ret_error' iff != NULL
+
+	* lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents):
+ 	new functions
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more
+ 	type-correctness
+
+	* lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR
+
+	* lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use
+
+	* lib/krb5/get_cred.c: KRB5_TGS_NAME: use
+
+ 	* lib/kafs/afskrb5.c (afslog_uid_int): update to changes
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove
+ 	instead of rename, but shouldn't this just call rename?
+
+ 	* lib/kadm5/get_s.c (kadm5_s_get_principal): always return an
+ 	error if the principal wasn't found.
+
+	* lib/hdb/ndbm.c (NDBM_seq): unseal key
+
+	* lib/hdb/db.c (DB_seq): unseal key
+
+	* lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch]
+
+	* kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when
+ 	finding cross-realm tgts in the v4 database
+
+	* kadmin/mod.c (mod_entry): check the number of arguments.  check
+ 	that kadm5_get_principal worked.
+
+	* lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if
+ 	we weren't able to remove it.
+
+	* admin/ktutil.c: less drive-by-deleting.  From Love
+ 	<lha@e.kth.se>
+
+	* kdc/connect.c (parse_ports): copy the string before mishandling
+ 	it with strtok_r
+
+	* kdc/kerberos5.c (tgs_rep2): print the principal with mismatching
+ 	kvnos
+
+	* kadmin/kadmind.c (main): convert `debug_port' to network byte
+ 	order
+
+	* kadmin/kadmin.c: allow specification of port number.
+
+	* lib/kadm5/kadm5_locl.h (kadm5_client_context): add
+ 	`kadmind_port'.
+
+	* lib/kadm5/init_c.c (_kadm5_c_init_context): move up
+ 	initalize_kadm5_error_table_r.
+	allow specification of port number.
+	
+  	From Love <lha@stacken.kth.se>
+
+	* kuser/klist.c: add option -t | --test
+
+Sat Dec  5 19:49:34 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c: remove ktype_is_etype
+
+	* lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE
+
+	* configure.in: fix for AIX install; better tests for AIX dynamic
+ 	AFS libs; `--enable-new-des3-code'
+
+Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* appl/afsutil/Makefile.am: link with extra libs for aix
+
+	* kuser/Makefile.am: link with extra libs for aix
+
+Sun Nov 29 01:56:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add.  almost
+ 	the same as krb5_get_all_client_addrs except that it includes
+ 	loopback addresses
+
+	* kdc/connect.c (init_socket): bind to a particular address
+	(init_sockets): get all local addresses and bind to them all
+
+	* lib/krb5/addr_families.c (addr2sockaddr, print_addr): new
+ 	methods
+	(find_af, find_atype): new functions.  use them.
+
+	* configure.in: add hesiod
+
+Wed Nov 25 11:37:48 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03
+
+Mon Nov 23 12:53:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/log.c: rename delete -> remove
+
+	* lib/kadm5/delete_s.c: rename delete -> remove
+
+	* lib/hdb/common.c: rename delete -> remove
+
+Sun Nov 22 12:26:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: check for environ and `struct spwd'
+
+Sun Nov 22 11:42:45 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c (as_rep): set keytype to sess_ktype if
+ 	ktype_is_etype
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate
+ 	etypes
+	(em): sort entries
+
+Sun Nov 22 06:54:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: more type correctness
+
+	* lib/krb5/get_cred.c: re-structure code.  remove limits on ASN1
+ 	generated bits.
+
+Sun Nov 22 01:49:50 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kdc/hprop.c (v4_prop): fix bogus indexing
+
+Sat Nov 21 21:39:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (fail_verify_is_ok): new function
+	(krb5_verify_init_creds): if we cannot get a ticket for
+	host/`hostname` and fail_verify_is_ok just return.  use
+ 	krb5_rd_req
+
+Sat Nov 21 23:12:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/free.c (krb5_xfree): new function
+
+	* lib/krb5/creds.c (krb5_free_creds_contents): new function
+
+	* lib/krb5/context.c: more type correctness
+
+	* lib/krb5/checksum.c: more type correctness
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): more type
+ 	correctness
+
+	* lib/asn1/der_get.c (der_get_length): fix test of len
+	(der_get_tag): more type correctness
+
+	* kuser/klist.c (usage): void-ize
+
+	* admin/ktutil.c (kt_remove): some more type correctness.
+
+Sat Nov 21 16:49:20 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c: try to list enctypes as keytypes
+
+	* kuser/kinit.c: remove extra `--cache' option, add `--enctypes'
+ 	to set list of enctypes to use
+
+	* kadmin/load.c: load strings as hex
+
+	* kadmin/dump.c: dump hex as string is possible
+
+	* admin/ktutil.c: use print_version()
+
+	* configure.in, acconfig.h: test for hesiod
+
+Sun Nov 15 17:28:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/crypto.c: add some crypto debug code
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed
+ 	buffer when encoding ticket
+
+	* lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype'
+
+	* kdc/kerberos5.c: allow mis-match of tgt session key, and service
+ 	session key
+
+	* admin/ktutil.c: keytype -> enctype
+
+Fri Nov 13 05:35:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added
+	
+Sat Nov  7 19:56:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (add_cred): add termination NULL pointer
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: adapt to new crypto api
+
+	* lib/krb5/rd_rep.c: adapt to new crypto api
+
+	* lib/krb5/rd_priv.c: adopt to new crypto api
+
+	* lib/krb5/rd_cred.c: adopt to new crypto api
+
+	* lib/krb5/principal.c: ENOMEM -> ERANGE
+
+	* lib/krb5/mk_safe.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_req_ext.c: adopt to new crypto api
+
+	* lib/krb5/mk_req.c: get enctype from auth_context keyblock
+
+	* lib/krb5/mk_rep.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_priv.c: adopt to new crypto api
+
+	* lib/krb5/keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_pw.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt.c: adopt to new crypto api
+
+	* lib/krb5/get_cred.c: adopt to new crypto api
+
+	* lib/krb5/generate_subkey.c: use new crypto api
+
+	* lib/krb5/context.c: rename etype functions to enctype ditto
+
+	* lib/krb5/build_auth.c: use new crypto api
+
+	* lib/krb5/auth_context.c: remove enctype and cksumtype from
+ 	auth_context
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_udp, handle_tcp): correct type of `n'
+
+Tue Sep 15 18:41:38 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* admin/ktutil.c: fix printing of unrecognized keytypes
+
+Tue Sep 15 17:02:33 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if
+ 	using AFS3 salt
+
+Tue Aug 25 23:30:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about
+ 	`use_admin_kdc'
+
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	krb5_get_krb_admin_hst
+
+	* lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function
+
+	* lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc'
+
+	* lib/krb5/context.c (krb5_get_use_admin_kdc,
+ 	krb5_set_use_admin_kdc): new functions
+
+Tue Aug 18 22:24:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c: remove all calls to abort(); check return
+ 	value from _key_schedule;
+	(RSA_MD[45]_DES_verify): zero tmp and res;
+	(RSA_MD5_DES3_{verify,checksum}): implement
+
+Mon Aug 17 20:18:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (swap32): conditionalize
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname
+ 	returned from gethostby*() isn't a FQDN, try with the original
+ 	hostname
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal
+ 	and correct key usage
+
+	* lib/krb5/crypto.c (verify_checksum): make static
+
+	* admin/ktutil.c (kt_list): use krb5_enctype_to_string
+
+Sun Aug 16 20:57:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt
+
+	* kadmin/ank.c (ank): print principal name in prompt
+
+	* lib/krb5/crypto.c (hmac): always allocate space for checksum.
+  	never trust c.checksum.length
+	(_get_derived_key): try to return the derived key
+
+Sun Aug 16 19:48:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c (hmac): fix some peculiarities and bugs
+	(get_checksum_key): assume usage is `formatted'
+	(create_checksum,verify_checksum): moved the guts of the krb5_*
+	functions here, both take `formatted' key-usages
+	(encrypt_internal_derived): fix various bogosities
+	(derive_key): drop key_type parameter (already given by the
+	encryption_type)
+
+	* kdc/kerberos5.c (check_flags): handle case where client is NULL
+
+	* kdc/connect.c (process_request): return zero after processing
+ 	kerberos 4 request
+
+Sun Aug 16 18:38:15 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/crypto.c: merge x-*.[ch] into one file
+
+	* lib/krb5/cache.c: remove residual from krb5_ccache_data
+
+Fri Aug 14 16:28:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-crypto.c (derive_key): move DES3 specific code to
+ 	separate function (will eventually end up someplace else)
+
+	* lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key
+
+	* configure.in, acconfig.h: test for four valued krb_put_int
+
+Thu Aug 13 23:46:29 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0t
+
+Thu Aug 13 22:40:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c (parse_binding): remove trailing
+ 	whitespace
+
+Wed Aug 12 20:15:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type
+ 	to krb5_create_checksum
+
+	* lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a
+ 	few typos
+
+Wed Aug  5 12:39:54 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0s
+
+Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_error.c (krb5_mk_error): realloc until you die
+
+Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kdc_locl.h: proto for `get_des_key'
+
+	* configure.in: test for four valued el_init
+
+	* kuser/klist.c: keytype -> enctype
+
+	* kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*'
+
+	* kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys
+
+	* kdc/kaserver.c: use `get_des_key'
+
+	* kdc/524.c: use new crypto api
+
+	* kdc/kerberos4.c: use new crypto api
+
+	* kdc/kerberos5.c: always treat keytypes as enctypes; use new
+ 	crypto api
+
+	* kdc/kstash.c: adapt to new crypto api
+
+	* kdc/string2key.c: adapt to new crypto api
+
+	* admin/srvconvert.c: add keys for all possible enctypes
+
+	* admin/ktutil.c: keytype -> enctype
+
+	* lib/gssapi/init_sec_context.c: get enctype from auth_context
+ 	keyblock
+
+	* lib/hdb/hdb.c: remove hdb_*_keytype2key
+
+	* lib/kadm5/set_keys.c: adapt to new crypto api
+
+	* lib/kadm5/rename_s.c: adapt to new crypto api
+
+	* lib/kadm5/get_s.c: adapt to new crypto api
+
+	* lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4,
+ 	des-cbc-md5, and des3-cbc-sha1
+
+	* lib/krb5/heim_err.et: error message for unsupported salt
+
+	* lib/krb5/codec.c: short-circuit these functions, since they are
+ 	not needed any more
+
+	* lib/krb5/rd_safe.c: cleanup and adapt to new crypto api
+
+Mon Jul 13 23:00:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance
+ 	hostent->h_addr_list, use a copy instead
+
+Mon Jul 13 15:00:31 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/config_file.c (parse_binding, parse_section): make sure
+ 	everything is ok before adding to linked list
+
+	* lib/krb5/config_file.c: skip ws before checking for comment
+
+Wed Jul  8 10:45:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: hmac-sha1-des3 = 12
+
+Tue Jun 30 18:08:05 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the
+ 	unopened file
+
+	* lib/krb5/mk_priv.c: realloc correctly
+
+	* lib/krb5/get_addrs.c (find_all_addresses): init j
+
+	* lib/krb5/context.c (krb5_init_context): print error if parsing
+ 	of config file produced an error.
+
+	* lib/krb5/config_file.c (parse_list, krb5_config_parse_file):
+ 	ignore more spaces
+
+	* lib/krb5/codec.c (krb5_encode_EncKrbCredPart,
+ 	krb5_encode_ETYPE_INFO): initialize `ret'
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): realloc
+ 	correctly
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret'
+
+	* lib/kadm5/init_c.c (get_cred_cache): try to do the right thing
+ 	with default_client
+
+	* kuser/kinit.c (main): initialize `ticket_life'
+
+	* kdc/kerberos5.c (get_pa_etype_info): initialize `ret'
+	(tgs_rep2): initialize `krbtgt'
+
+	* kdc/connect.c (do_request): check for errors from `sendto'
+
+	* kdc/524.c (do_524): initialize `ret'
+
+	* kadmin/util.c (foreach_principal): don't clobber `ret'
+
+	* kadmin/del.c (del_entry): don't apply on zeroth argument
+
+	* kadmin/cpw.c (do_cpw_entry): initialize `ret'
+
+Sat Jun 13 04:14:01 1998  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0r
+
+Sun Jun  7 04:13:14 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c: fall-back definition of
+ 	IN6_ADDR_V6_TO_V4
+
+	* configure.in: only set CFLAGS if it wasn't set look for
+ 	dn_expand and res_search
+
+Mon Jun  1 21:28:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: remove duplicate seteuid
+
+Sat May 30 00:19:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid
+ 	runtime dependencies on libkrb with some shared library
+ 	implementations
+
+Fri May 29 00:09:02 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit_options.c: Default options for kinit.
+
+	* kuser/kauth_options.c: Default options for kauth.
+
+	* kuser/kinit.c: Implement lots a new options.
+
+	* kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime
+ 	is not NULL; set endtime to min of new starttime + old_life, and
+ 	requested endtime
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if the
+ 	forwardable or proxiable flags are set in options, set the
+ 	kdc-flags to the value specified, and not always to one
+
+Thu May 28 21:28:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Optionally compare client address to addresses
+ 	in ticket.
+
+	* kdc/connect.c: Pass client address to as_rep() and tgs_rep().
+
+	* kdc/config.c: Add check_ticket_addresses, and
+ 	allow_null_ticket_addresses variables.
+
+Tue May 26 14:03:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: possibly make DES keys version 4 salted
+
+	* lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt
+ 	before zapping version 4 salts
+
+Sun May 24 05:22:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0q
+
+	* lib/krb5/aname_to_localname.c: new file
+
+	* lib/gssapi/init_sec_context.c (repl_mutual): no output token
+
+	* lib/gssapi/display_name.c (gss_display_name): zero terminate
+ 	output.
+
+Sat May 23 19:11:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/display_status.c: new file
+
+	* Makefile.am: send -I to aclocal
+
+	* configure.in: remove duplicate setenv
+
+Sat May 23 04:55:19 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/util.c (foreach_principal): Check for expression before
+ 	wading through the whole database.
+
+	* kadmin/kadmin.c: Pass NULL password to
+ 	kadm5_*_init_with_password.
+
+	* lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use
+ 	of `password' parameter to init_with_password.
+
+	* lib/kadm5/init_s.c: implement init_with_{skey,creds}*
+
+	* lib/kadm5/server.c: Better arguments for
+ 	kadm5_init_with_password.
+
+Sat May 16 07:10:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c: conditionalize ka-server reading support on
+ 	KASERVER_DB
+
+	* configure.in: new option `--enable-kaserver-db'
+
+Fri May 15 19:39:18 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Better error if local tgt couldn't be
+ 	found.
+
+Tue May 12 21:11:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0p
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set
+ 	encryption type in auth_context if it's compatible with the type
+ 	of the session key
+
+Mon May 11 21:11:14 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: add support for ka-server databases
+
+	* appl/ftp/ftpd: link with -lcrypt, if needed
+
+Fri May  1 07:29:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: don't test for winsock.h
+
+Sat Apr 18 21:43:11 1998  Johan Danielsson  <joda@puffer.pdc.kth.se>
+
+	* Release 0.0o
+
+Sat Apr 18 00:31:11 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/sock_principal.c: Save hostname.
+
+Sun Apr  5 11:29:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_req_ext.c: Use same enctype as in ticket.
+
+	* kdc/hprop.c (v4_prop): Check for null key.
+
+Fri Apr  3 03:54:54 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/str2key.c: Fix DES3 string-to-key.
+
+	* lib/krb5/keytab.c: Get default keytab name from context.
+
+	* lib/krb5/context.c: Get `default_keytab_name' value.
+
+	* kadmin/util.c (foreach_principal): Print error message if
+ 	`kadm5_get_principals' fails.
+
+	* kadmin/kadmind.c: Use `kadmind_loop'.
+
+	* lib/kadm5/server.c: Replace several other functions with
+ 	`kadmind_loop'.
+
+Sat Mar 28 09:49:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead
+ 	of O_APPEND
+
+	* configure.in: generate ftp Makefiles
+
+	* kuser/klist.c (print_cred_verbose): print IPv4-address in a
+ 	portable way.
+
+	* admin/srvconvert.c (srvconv): return 0 if successful
+
+Tue Mar 24 00:40:33 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: MIT compatible changes: add and use sizes to
+ 	keytab entries, and change default keytab to `/etc/krb5.keytab'.
+
+Mon Mar 23 23:43:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'.
+
+	* lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'.
+  	Fix bug in checking of pad.
+
+	* lib/gssapi/{un,}wrap.c: Add support for just integrity
+ 	protecting data.
+ 	
+	* lib/gssapi/accept_sec_context.c: Use
+ 	`gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/init_sec_context.c: Zero cred, and store session key
+ 	properly in auth-context.
+
+Sun Mar 22 00:47:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/delete_s.c: Check immutable bit.
+
+	* kadmin/kadmin.c: Pass client name to kadm5_init.
+
+	* lib/kadm5/init_c.c: Get creds for client name passed in.
+
+	* kdc/hprop.c (v4_prop): Check for `changepw.kerberos'.
+
+Sat Mar 21 22:57:13 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_error.c: Verify that error_code is in the range
+ 	[0,127].
+
+	* kdc/kerberos5.c: Move checking of principal flags to new
+ 	function `check_flags'.
+
+Sat Mar 21 14:38:51 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt
+
+	* configure.in: define SunOS if running solaris
+
+Sat Mar 21 00:26:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/server.c: Unifdef test for same principal when
+ 	changing password.
+
+	* kadmin/util.c: If kadm5_get_principals failes, we might still be
+ 	able to perform the requested opreration (for instance someone if
+ 	trying to change his own password).
+
+	* lib/kadm5/init_c.c: Try to get ticket via initial request, if
+ 	not possible via tgt.
+
+	* lib/kadm5/server.c: Check for principals changing their own
+ 	passwords.
+
+	* kdc/kerberos5.c (tgs_rep2): check for interesting flags on
+ 	involved principals.
+
+	* kadmin/util.c: Fix order of flags.
+
+Thu Mar 19 16:54:10 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Return sane error code if krb_rd_req fails.
+
+Wed Mar 18 17:11:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Wed Mar 18 09:58:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't
+ 	free keyseed; use correct keytab
+
+Tue Mar 10 09:56:16 1998  Assar Westerlund  <assar@sics.se>
+
+	* acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives
+
+Mon Mar 16 23:58:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0n
+
+Fri Mar  6 00:41:30 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/{accept_sec_context,release_cred}.c: Use
+	krb5_kt_close/krb5_kt_resolve.
+	
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver
+ 	to lookup hosts, so CNAMEs can be ignored.
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http):
+ 	Add support for using proxy.
+
+	* lib/krb5/context.c: Initialize `http_proxy' from
+ 	`libdefaults/http_proxy'.
+
+	* lib/krb5/krb5.h: Add `http_proxy' to context.
+
+	* lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol
+ 	specifications.
+
+Wed Mar  4 01:47:29 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Implement `add' and `remove' functions. Make
+ 	`--keytab' a global option.
+
+	* lib/krb5/keytab.c: Implement remove with files. Add memory
+ 	operations.
+
+Tue Mar  3 20:09:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: Use function pointers.
+
+	* admin: Remove kdb_edit.
+
+Sun Mar  1 03:28:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/dump_log.c: print operation names
+
+Sun Mar  1 03:04:12 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth}
+	
+	* lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c:
+ 	remove arbitrary limit
+
+	* kdc/hprop-common.c: use krb5_{read,write}_message
+
+	* lib/kadm5/ipropd_master.c (send_diffs): more careful use
+ 	krb5_{write,read}_message
+
+	* lib/kadm5/ipropd_slave.c (get_creds): get credentials for
+ 	`iprop/master' directly.
+	(main): use `krb5_read_message'
+
+Sun Mar  1 02:05:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Cleanup commands list, and add help strings.
+
+	* kadmin/get.c: Add long, short, and terse (equivalent to `list')
+ 	output formats. Short is the default.
+
+	* kadmin/util.c: Add `include_time' flag to timeval2str.
+
+	* kadmin/init.c: Max-life and max-renew can, infact, be zero.
+
+	* kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'.
+
+	* kadmin/util.c: Add function `foreach_principal', that loops over
+ 	all principals matching an expression.
+
+	* kadmin/kadmin.c: Add usage string to `privileges'.
+
+	* lib/kadm5/get_princs_s.c: Also try to match aganist the
+ 	expression appended with `@default-realm'.
+
+	* lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that
+ 	excludes the realm if it's the same as the default realm.
+
+Fri Feb 27 05:02:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing
+ 	headers and functions error -> com_err
+
+ 	(krb5_get_init_creds_keytab): use krb5_keytab_key_proc
+
+	* lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc'
+ 	global
+
+	* lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data'
+
+	* lib/hdb/ndbm.c: use `struct ndbm_db' everywhere.
+
+Fri Feb 27 04:49:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240.
+  	This should be fixed the correct way.
+
+	* lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly
+	(send_diffs): compare versions correctly
+	(main): reorder handling of events
+
+	* lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion
+
+Thu Feb 26 02:22:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/ipropd_{slave,master}.c: new files
+
+	* lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as
+ 	argument
+
+	* lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct
+ 	et_list *'
+
+	* aux/make-proto.pl: Should work with perl4
+
+Mon Feb 16 17:20:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: Remove <error.h> (it gets included via
+ 	{asn1,krb5}_err.h).
+
+Thu Feb 12 03:28:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference
+ 	is larger than max_skew, return KRB5KRB_AP_ERR_SKEW
+
+	* lib/kadm5/log.c (get_version): globalize
+
+	* lib/kadm5/kadm5_locl.h: include <sys/file.h>
+
+	* lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY
+
+	* kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of
+ 	initializing local struct in declaration.
+
+Sat Jan 31 17:28:58 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/524.c: Use krb5_decode_EncTicketPart.
+
+	* kdc/kerberos5.c: Check at runtime whether to use enctypes
+ 	instead of keytypes. If so use the same value to encrypt ticket,
+ 	and kdc-rep as well as `keytype' for session key. Fix some obvious
+ 	bugs with the handling of additional tickets.
+
+	* lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and
+ 	krb5_decode_Authenticator.
+
+	* lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart.
+
+	* lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart.
+
+	* lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption
+ 	type, and not a key type.  Use krb5_encode_EncAPRepPart.
+
+	* lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO.
+
+	* lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart.
+
+	* lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/build_auth.c: Use krb5_encode_Authenticator.
+
+	* lib/krb5/codec.c: Enctype conversion stuff.
+
+	* lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running
+ 	setuid. Get configuration for libdefaults ktype_is_etype, and
+ 	default_etypes.
+
+	* lib/krb5/encrypt.c: Add krb5_string_to_etype, rename
+ 	krb5_convert_etype to krb5_decode_keytype, and add
+ 	krb5_decode_keyblock.
+
+Fri Jan 23 00:32:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype.
+
+	* lib/krb5/encrypt.c: Add krb5_convert_etype function - converts
+ 	from protocol keytypes (that really are enctypes) to internal
+ 	representation.
+
+Thu Jan 22 21:24:36 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information
+ 	on keys in the database; and also a new `pa-key-info' padata-type.
+
+	* kdc/kerberos5.c: If pre-authentication fails, return a list of
+ 	keytypes, salttypes, and salts.
+
+	* lib/krb5/init_creds_pw.c: Add better support for
+ 	pre-authentication, by looking at hints from the KDC.
+
+	* lib/krb5/get_in_tkt.c: Add better support for specifying what
+ 	pre-authentication to use.
+
+	* lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and
+ 	KEYTYPE_DES_AFS3.
+
+	* lib/krb5/krb5.h: Add pre-authentication structures.
+
+	* kdc/connect.c: Don't fail if realloc(X, 0) returns NULL.
+
+Wed Jan 21 06:20:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	`log_context.socket_name' and `log_context.socket_fd'
+
+	* lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram
+ 	to inform the possible running ipropd of an update.
+
+Wed Jan 21 01:34:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Return error-packet to caller.
+
+	* lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error.
+
+	* kdc/kerberos5.c: Add some support for using enctypes instead of
+ 	keytypes.
+
+	* lib/krb5/get_cred.c: Fixes to send authorization-data to the
+ 	KDC.
+
+	* lib/krb5/build_auth.c: Only generate local subkey if there is
+ 	none.
+
+	* lib/krb5/krb5.h: Add krb5_authdata type.
+
+	* lib/krb5/auth_context.c: Add
+ 	krb5_auth_con_set{,localsub,remotesub}key.
+
+	* lib/krb5/init_creds_pw.c: Return some error if prompter
+ 	functions return failure.
+
+Wed Jan 21 01:16:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c: detect bad password.  use krb5_err.
+
+	* kadmin/util.c (edit_entry): remove unused variables
+
+Tue Jan 20 22:58:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible.
+
+	* lib/kadm5/kadm5_locl.h: add kadm5_log_context and
+ 	kadm5_log*-functions
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): add change to
+ 	log
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to
+ 	log
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	log_context
+
+	* lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to
+ 	log
+
+	* lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to
+ 	log
+
+	* lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to
+ 	log
+
+	* lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to
+ 	log
+
+	* lib/kadm5/Makefile.am: add log.c, dump_log and replay_log
+
+	* lib/kadm5/replay_log.c: new file
+
+	* lib/kadm5/dump_log.c: new file
+
+	* lib/kadm5/log.c: new file
+
+	* lib/krb5/str2key.c (get_str): initialize pad space to zero
+
+	* lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL
+
+	* kpasswd/kpasswdd.c: rewritten to use the kadm5 API
+
+	* kpasswd/Makefile.am: link with kadm5srv
+
+	* kdc/kerberos5.c (tgs_rep): initialize `i'
+
+	* kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp
+
+	* include/Makefile.am: added admin.h
+
+Sun Jan 18 01:41:34 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes.
+
+	* lib/krb5/mcache.c (mcc_store_cred): restore linked list if
+ 	copy_creds fails.
+
+Tue Jan  6 04:17:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp}
+
+	* lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask.
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use
+ 	krb5_getportbyname
+
+	* kadmin/kadmind.c (main): htons correctly.
+	moved kadm5_server_{recv,send}
+
+	* kadmin/kadmin.c (main): only set admin_server if explicitly
+ 	given
+
+Mon Jan  5 23:34:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Implement locking of database.
+
+	* kdc/kerberos5.c: Process AuthorizationData.
+
+Sat Jan  3 22:07:07 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/string2key.c: Use AFS string-to-key from libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case.
+
+	* lib/krb5/krb5.h: Add value for AFS salts.
+
+	* lib/krb5/str2key.c: Add support for AFS string-to-key.
+
+	* lib/kadm5/rename_s.c: Use correct salt.
+
+	* lib/kadm5/ent_setup.c: Always enable client. Only set max-life
+ 	and max-renew if != 0.
+
+	* lib/krb5/config_file.c: Add context to all krb5_config_*get_*.
+
+Thu Dec 25 17:03:25 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/ank.c (ank): don't zero password if --random-key was
+ 	given.
+
+Tue Dec 23 01:56:45 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0m
+
+	* lib/kadm5/ent_setup.c (attr_to_flags): try to set `client'
+
+	* kadmin/util.c (edit_time): only set mask if != 0
+	(edit_attributes): only set mask if != 0
+
+	* kadmin/init.c (init): create `default'
+
+Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/util.c (str2deltat, str2attr, get_deltat): return value
+ 	as pointer and have return value indicate success.
+	
+	(get_response): check NULL from fgets
+	
+	(edit_time, edit_attributes): new functions for reading values and
+	offering list of answers on '?'
+	
+	(edit_entry): use edit_time and edit_attributes
+
+	* kadmin/ank.c (add_new_key): test the return value of
+ 	`krb5_parse_name'
+
+	* kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say
+ 	that the checksum has to be keyed, even though later drafts do.
+  	Accept unkeyed checksums to be compatible with MIT.
+
+	* kadmin/kadmin_locl.h: add some prototypes.
+
+	* kadmin/util.c (edit_entry): return a value
+
+	* appl/afsutil/afslog.c (main): return a exit code.
+
+	* lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): use
+ 	krb5_{free,copy}_keyblock instead of the _contents versions
+
+Fri Dec 12 14:20:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey
+
+Mon Dec  8 08:48:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid
+
+Sat Dec  6 10:09:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL
+	keyblock
+
+Sat Dec  6 08:26:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0l
+
+Thu Dec  4 03:38:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Add TCP client support.
+
+	* lib/krb5/store.c: Add k_{put,get}_int.
+
+	* kadmin/ank.c: Set initial kvno to 1.
+
+	* kdc/connect.c: Send version 5 TCP-reply as length+data.
+
+Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug
+
+	* kdc/kaserver.c (create_reply_ticket): use a random nonce in the
+ 	reply packet.
+
+	* kdc/connect.c (init_sockets): less reallocing.
+
+	* **/*.c: changed `struct fd_set' to `fd_set'
+
+Sat Nov 29 05:12:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_default_principal.c: More guessing.
+
+Thu Nov 20 02:55:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/rd_req.c: Use principal from ticket if no server is
+ 	given.
+
+Tue Nov 18 02:58:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: Use krb5_err*().
+
+Sun Nov 16 11:57:43 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add local `init', `load', `dump', and `merge'
+ 	commands.
+
+Sun Nov 16 02:52:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct
+ 	`enctype'
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype'
+ 	if set.
+
+	* lib/krb5/get_cred.c: handle the case of a specific keytype
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a
+ 	parameter instead of guessing it.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter
+ 	`enctype'
+
+	* appl/test/common.c (common_setup): don't use `optarg'
+
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function
+	(krb5_kt_get_entry): retrieve the latest version if kvno == 0
+
+	* lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE
+
+	* lib/krb5/creds.c (krb5_compare_creds): check for
+ 	KRB5_TC_MATCH_KEYTYPE
+
+	* lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove
+ 	unused variable
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): only free the
+ 	contents if we fail.
+
+Sun Nov 16 00:32:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: Get password expiration time from config
+ 	file.
+
+	* lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size.
+
+Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+ 	restructured and fixed.
+
+	* lib/krb5/addr_families.c (krb5_h_addr2addr): new function.
+
+Wed Nov 12 01:36:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fall back to hostname's addresses if other
+ 	methods fail.
+
+Tue Nov 11 22:22:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add `-l' flag to use local database.
+
+	* lib/kadm5/acl.c: Use KADM5_PRIV_ALL.
+
+	* lib/kadm5: Use function pointer trampoline for easier dual use
+ 	(without radiation-hardening capability).
+
+Tue Nov 11 05:15:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c (krb5_etype_valid): new function
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): zero target
+
+	* lib/krb5/context.c (valid_etype): remove
+
+	* lib/krb5/checksum.c: remove dead code
+
+	* lib/krb5/changepw.c (send_request): free memory on error.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value
+ 	from malloc.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): free memory on
+ 	failure correctly.
+	(krb5_auth_con_setaddrs_from_fd): return error correctly.
+
+	* lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files
+
+Tue Nov 11 02:53:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/auth_context.c: Implement auth_con_setuserkey.
+
+	* lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey.
+
+	* lib/krb5/keyblock.c: Rename krb5_free_keyblock to
+ 	krb5_free_keyblock_contents, and reimplement krb5_free_keyblock.
+
+	* lib/krb5/rd_req.c: Use auth_context->keyblock if
+ 	ap_options.use_session_key.
+
+Tue Nov 11 02:35:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'.
+	fix callers.
+
+	* lib/krb5/krb5_locl.h: include <asn1.h> and <der.h>
+
+	* include/Makefile.am: add xdbm.h
+
+Tue Nov 11 01:58:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc.
+
+Mon Nov 10 22:41:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/ticket.c: Implement copy_ticket.
+
+	* lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible.
+
+	* lib/krb5/data.c: Implement free_data and copy_data.
+
+Sun Nov  9 02:17:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals.
+
+	* kadmin/kadmin.c: Add get_privileges function.
+
+	* lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with
+ 	specification.
+
+	* kdc/connect.c: Exit if no sockets could be bound.
+
+	* kadmin/kadmind.c: Check return value from krb5_net_read().
+
+	* lib/kadm5,kadmin: Fix memory leaks.
+
+Fri Nov  7 02:45:26 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: Get some default values from `default'
+ 	principal.
+
+	* lib/kadm5/ent_setup.c: Add optional default entry to get some
+ 	values from.
+
+Thu Nov  6 00:20:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove generated destroy_*_error_table
+ 	prototype
+
+	* kadmin/kadmind.c: Crude admin server.
+
+	* kadmin/kadmin.c: Update to use remote protocol.
+
+	* kadmin/get.c: Fix principal formatting.
+
+	* lib/kadm5: Add client support.
+
+	* lib/kadm5/error.c: Error code mapping.
+
+	* lib/kadm5/server.c: Kadmind support function.
+
+	* lib/kadm5/marshall.c: Kadm5 marshalling.
+
+	* lib/kadm5/acl.c: Simple acl system.
+
+	* lib/kadm5/kadm5_locl.h: Add client stuff.
+
+	* lib/kadm5/init_s.c: Initialize acl.
+
+	* lib/kadm5/*:  Return values.
+
+	* lib/kadm5/create_s.c: Correct kvno.
+
+Wed Nov  5 22:06:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Fix parsing of log destinations.
+
+Mon Nov  3 20:33:55 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/principal.c: Reduce number of reallocs in unparse_name.
+
+Sat Nov  1 01:40:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin: Simple kadmin utility.
+
+	* admin/ktutil.c: Print keytype.
+
+	* lib/kadm5/get_s.c: Set correct n_key_data.
+
+	* lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use
+ 	master key.
+
+	* lib/kadm5/destroy_s.c: Check for allocated context.
+
+	* lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys().
+
+Sat Nov  1 00:21:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for readv, writev
+
+Wed Oct 29 23:41:26 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/warn.c (_warnerr): handle the case of an illegal error
+ 	code
+
+	* kdc/kerberos5.c (encode_reply): return success
+
+Wed Oct 29 18:01:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (find_etype) Return correct index of selected
+ 	etype.
+
+Wed Oct 29 04:07:06 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0k
+
+	* lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG'
+ 	environment variable
+
+	* *: use the roken_get*-macros from roken.h for the benefit of
+ 	Crays.
+
+	* configure.in: add --{enable,disable}-otp.  check for compatible
+ 	prototypes for gethostbyname, gethostbyaddr, getservbyname, and
+ 	openlog (they have strange prototypes on Crays)
+
+	* acinclude.m4: new macro `AC_PROTO_COMPAT'
+
+Tue Oct 28 00:11:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Log bad requests.
+
+	* kdc/kerberos5.c: Move stuff that's in common between as_rep and
+ 	tgs_rep to separate functions.
+
+	* kdc/kerberos5.c: Fix user-to-user authentication.
+
+	* lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials:
+ 	  - add a kdc-options argument to krb5_get_credentials, and rename
+	    it to krb5_get_credentials_with_flags
+	  - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options
+	  - add some more user-to-user glue
+
+	* lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new
+ 	function, krb5_decrypt_ticket, so it is easier to decrypt and
+ 	check a ticket without having an ap-req.
+
+	* lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER
+ 	flags.
+
+	* lib/krb5/crc.c (crc_init_table): Check if table is already
+ 	inited.
+
+Sun Oct 26 04:51:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/der_get.c (der_get_length, fix_dce): Special-case
+ 	indefinite encoding.
+
+	* lib/asn1/gen_glue.c (generate_units): Check for empty
+ 	member-list.
+
+Sat Oct 25 07:24:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Allow specifying table-base.
+
+Tue Oct 21 20:21:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check version number of krbtgt.
+
+Mon Oct 20 01:14:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the
+ 	case of unhidden prompts.
+
+	* lib/krb5/str2key.c (string_to_key_internal): return error
+ 	instead of aborting.  always free memory
+
+	* admin/ktutil.c: add `help' command
+
+	* admin/kdb_edit.c: implement new commands: add_random_key(ark),
+ 	change_password(cpw), change_random_key(crk)
+
+Thu Oct 16 05:16:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: change all the keys in the database
+
+	* kdc: removed all unsealing, now done by the hdb layer
+
+	* lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key'
+ 	and `hdb_clear_master_key'
+
+	* admin/misc.c: removed
+
+Wed Oct 15 22:47:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: print year as YYYY iff verbose
+
+Wed Oct 15 20:02:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: print etype from ticket
+
+Mon Oct 13 17:18:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0j
+
+	* lib/krb5/get_cred.c: Get the subkey from mk_req so it can be
+ 	used to decrypt the reply from DCE secds.
+
+	* lib/krb5/auth_context.c: Add {get,set}enctype.
+
+	* lib/krb5/get_cred.c: Fix for DCE secd.
+
+	* lib/krb5/store.c: Store keytype twice, as MIT does.
+
+	* lib/krb5/get_in_tkt.c: Use etype from reply.
+
+Fri Oct 10 00:39:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: check for leading '/' in http request
+
+Tue Sep 30 21:50:18 1997  Assar Westerlund  <assar@assaris.pdc.kth.se>
+
+	* Release 0.0i
+
+Mon Sep 29 15:58:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know
+ 	the kvno or keytype before receiving the AP-REQ
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to
+ 	use from the keytype.
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what
+ 	cksumtype to use from the keytype.
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use
+ 	from the keytype.
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number):
+ 	handle other key types than DES
+
+	* lib/krb5/encrypt.c (key_type): add `best_cksumtype'
+	(krb5_keytype_to_cksumtype): new function
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype'
+ 	and `enctype' to 0
+
+	* admin/extkeytab.c (ext_keytab): extract all keys
+
+	* appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge
+
+	* configure.in: check for <netinet6/in6.h>. check for -linet6
+	
+Tue Sep 23 03:00:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1
+
+	* lib/krb5/rd_safe.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* lib/krb5/context.c (valid_etype): remove hard-coded constants
+	(default_etypes): include DES3
+
+	* kdc/kerberos5.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* admin/util.c (init_des_key, set_password): DES3 keys also
+
+ 	* lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means
+ 	no contact?
+
+	* lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr'
+
+Mon Sep 22 11:44:27 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by
+ 	the client is used to select wich key to encrypt the kdc rep with
+ 	(in case of as-req), and with the server info to select the
+ 	session key type. The server key the ticket is encrypted is based
+ 	purely on the keys in the database.
+
+	* kdc/string2key.c: Add keytype support. Default to version 5
+ 	keys.
+
+	* lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse.
+
+	* lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add
+ 	many *_to_* functions.
+
+	* lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument
+ 	to krb5_string_to_key().
+
+	* lib/krb5/checksum.c: Some cleanup, and added: 
+	  - rsa-md5-des3 
+	  - hmac-sha1-des3 
+	  - keyed and collision proof flags to each checksum method
+	  - checksum<->string functions.
+
+	* lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock.
+
+Sun Sep 21 15:19:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c: use new addr_families functions
+
+	* kpasswd/kpasswdd.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* kuser/klist.c: use correct symbols for address families
+
+	* lib/krb5/sock_principal.c: use new addr_families functions
+
+	* lib/krb5/send_to_kdc.c: use new addr_families functions
+
+	* lib/krb5/krb5.h: add KRB5_ADDRESS_INET6
+
+	* lib/krb5/get_addrs.c: use new addr_families functions
+
+	* lib/krb5/changepw.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* lib/krb5/auth_context.c: use new addr_families functions
+
+	* lib/krb5/addr_families.c: new file
+
+	* acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6.  Updated
+ 	uses.
+
+	* acinclude.m4: new macro `AC_KRB_IPV6'.  Use it.
+
+Sat Sep 13 23:04:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Don't encrypt twice. Complain on non-convertable
+ 	principals.
+
+Sat Sep 13 00:59:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0h
+	
+	* appl/telnet/telnet/commands.c: AF_INET6 support
+
+	* admin/misc.c: new file
+
+	* lib/krb5/context.c: new configuration variable `max_retries'
+
+	* lib/krb5/get_addrs.c: fixes and better #ifdef's
+
+	* lib/krb5/config_file.c: implement krb5_config_get_int
+
+	* lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c:
+ 	AF_INET6 support
+
+	* kuser/klist.c: support for printing IPv6-addresses
+
+	* kdc/connect.c: support AF_INET6
+
+	* configure.in: test for gethostbyname2 and struct sockaddr_in6
+
+Thu Sep 11 07:25:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF
+ 	PA-DATA'
+
+Wed Sep 10 21:20:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Fixes for cross-realm, including (but not
+ 	limited to):
+	  - allow client to be non-existant (should probably check for
+	    "local realm")
+	  - if server isn't found and it is a request for a krbtgt, try to
+ 	    find a realm on the way to the requested realm
+	  - update the transited encoding iff 
+	    client-realm != server-realm != tgt-realm
+
+	* lib/krb5/get_cred.c: Several fixes for cross-realm.
+
+Tue Sep  9 15:59:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/string2key.c: Fix password handling.
+
+	* lib/krb5/encrypt.c: krb5_key_to_string
+
+Tue Sep  9 07:46:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: rewrote.  Now should be able to handle
+ 	aliases and IPv6 addresses
+
+	* kuser/klist.c: try printing IPv6 addresses
+
+	* kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192
+
+	* configure.in: check for <netinet/in6_var.h>
+
+Mon Sep  8 02:57:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* doc: fixes
+
+	* admin/util.c (init_des_key): increase kvno
+	(set_password): return -1 if `des_read_pw_string' failed
+
+	* admin/mod.c (doit2): check the return value from `set_password'
+
+	* admin/ank.c (doit): don't add a new entry if `set_password'
+ 	failed
+
+Mon Sep  8 02:20:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/verify_init.c: fix ap_req_nofail semantics
+
+	* lib/krb5/transited.c: something that might resemble
+ 	domain-x500-compress
+
+Mon Sep  8 01:24:42 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): check number of arguments
+
+	* appl/popper/pop_init.c (pop_init): check number of arguments
+
+	* kpasswd/kpasswd.c (main): check number of arguments
+
+	* kdc/string2key.c (main): check number of arguments
+
+	* kuser/kdestroy.c (main): check number of arguments
+
+	* kuser/kinit.c (main): check number of arguments
+
+	* kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to
+ 	break out of select when a signal arrives
+
+	* kdc/main.c (main): use sigaction without SA_RESTART to break out
+ 	of select when a signal arrives
+
+	* kdc/kstash.c: default to HDB_DB_DIR "/m-key"
+
+	* kdc/config.c (configure): add `--version'.  Check the number of
+ 	arguments. Handle the case of there being no specification of port
+ 	numbers.
+
+	* admin/util.c: seal and unseal key at appropriate places
+
+	* admin/kdb_edit.c (main): parse arguments, config file and read
+ 	master key iff there's one.
+
+	* admin/extkeytab.c (ext_keytab): unseal key while extracting
+
+Sun Sep  7 20:41:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: include <fcntl.h>
+
+	* kdc/kerberos5.c (set_salt_padata): new function
+
+	* appl/telnet/telnetd/telnetd.c: Rename some variables that
+ 	conflict with cpp symbols on HP-UX 10.20
+
+	* change all calls of `gethostbyaddr' to cast argument 1 to `const
+ 	char *'
+
+	* acconfig.h: only use SGTTY on nextstep
+
+Sun Sep  7 14:33:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check invalid flag.
+
+Fri Sep  5 14:19:38 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds.
+
+	* lib/kafs: Move functions common to krb/krb5 modules to new file,
+ 	and make things more modular.
+
+	* lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST
+ 	-> krb5_config_list
+
+Thu Sep  4 23:39:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix loopback test.
+
+Thu Sep  4 04:45:49 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: fallback definition of `O_ACCMODE'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when
+ 	checking for a v4 reply
+
+Wed Sep  3 18:20:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Add `--decrypt' and `--encrypt' flags.
+
+	* lib/hdb/hdb.c: new {seal,unseal}_keys functions
+
+	* kdc/{hprop,hpropd}.c: Add support to dump database to stdout.
+
+	* kdc/hprop.c: Don't use same master key as version 4.
+
+	* admin/util.c: Don't dump core if no `default' is found.
+
+Wed Sep  3 16:01:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/connect.c: Allow run time port specification.
+
+	* kdc/config.c: Add flags for http support, and port
+ 	specifications.
+
+Tue Sep  2 02:00:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* include/bits.c: Don't generate ifndef's in bits.h.  Instead, use
+ 	them when building the program.  This makes it possible to include
+ 	bits.h without having defined all HAVE_INT17_T symbols.
+	
+	* configure.in: test for sigaction
+
+	* doc: updated documentation.
+	
+Tue Sep  2 00:20:31 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0g
+
+Mon Sep  1 17:42:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/data.c: don't return ENOMEM if len == 0
+
+Sun Aug 31 17:15:49 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/hdb.asn1: Include salt type in salt.
+
+	* kdc/hprop.h: Change port to 754.
+
+	* kdc/hpropd.c: Verify who tries to transmit a database.
+
+	* appl/popper: Use getarg and krb5_log.
+
+	* lib/krb5/get_port.c: Add context parameter. Now takes port in
+ 	host byte order.
+
+Sat Aug 30 18:48:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Add timeout to select, and log about expired tcp
+ 	connections.
+
+	* kdc/config.c: Add `database' option.
+
+	* kdc/hpropd.c: Log about duplicate entries.
+
+	* lib/hdb/{db,ndbm}.c: Use common routines.
+
+	* lib/hdb/common.c: Implement more generic fetch/store/delete
+ 	functions.
+
+	* lib/hdb/hdb.h: Add `replace' parameter to store.
+	
+	* kdc/connect.c: Set filedecriptor to -1 on allocated decriptor
+ 	entries.
+
+Fri Aug 29 03:13:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket
+
+	* aux/make-proto.pl: fix __P for stone age mode
+
+Fri Aug 29 02:45:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/45/mk_req.c: implementation of krb_mk_req that uses 524
+ 	protocol
+
+	* lib/krb5/init_creds_pw.c: make change_password and
+ 	get_init_creds_common static
+
+	* lib/krb5/krb5.h: Merge stuff from removed headerfiles.
+
+	* lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops
+
+	* lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops
+
+Fri Aug 29 01:45:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Remove all prototypes.
+
+	* lib/krb5/convert_creds.c: Use `struct credentials' instead of
+ 	`CREDENTIALS'.
+
+Fri Aug 29 00:08:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen_glue.c: new file. generates 2int and int2 functions
+	and units for bit strings.
+
+	* admin/util.c: flags2int, int2flags, and flag_units are now
+ 	generated by asn1_compile
+
+	* lib/roken/parse_units.c: generalised `parse_units' and
+ 	`unparse_units' and added new functions `parse_flags' and
+ 	`unparse_flags' that use these
+
+	* lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h
+
+	* admin/util.c: Use {un,}parse_flags for printing and parsing
+ 	hdbflags.
+
+Thu Aug 28 03:26:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: restructured
+
+	* lib/krb5/warn.c (_warnerr): leak less memory
+
+	* lib/hdb/hdb.c (hdb_free_entry): zero keys
+	(hdb_check_db_format): leak less memory
+
+	* lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement
+ 	NDBM__get, NDBM__put
+
+	* lib/hdb/db.c (DB_seq): check for valid hdb_entries
+
+Thu Aug 28 02:06:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets.
+
+Thu Aug 28 01:13:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.1, klist.1, kdestroy.1: new man pages
+
+	* kpasswd/kpasswd.1, kpasswdd.8: new man pages
+
+	* kdc/kstash.8, hprop.8, hpropd.8: new man pages
+
+	* admin/ktutil.8, admin/kdb_edit.8: new man pages
+
+	* admin/mod.c: new file
+
+	* admin/life.c: renamed gettime and puttime to getlife and putlife
+	and moved them to life.c
+
+	* admin/util.c: add print_flags, parse_flags, init_entry,
+ 	set_created_by, set_modified_by, edit_entry, set_password.  Use
+ 	them.
+
+	* admin/get.c: use print_flags
+
+	* admin: removed unused stuff.  use krb5_{warn,err}*
+
+	* admin/ank.c: re-organized and abstracted.
+
+	* admin/gettime.c: removed
+
+Thu Aug 28 00:37:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply.
+
+	* lib/roken/base64.c: Add base64 functions.
+
+	* kdc/connect.c lib/krb5/send_to_kdc.c: Add http support.
+
+Wed Aug 27 00:29:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* include/Makefile.am: Don't make links to built files.
+
+	* admin/kdb_edit.c: Add command to set the database path.
+
+	* lib/hdb: Include version number in database.
+
+Tue Aug 26 20:14:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil: Merged v4 srvtab conversion.
+
+Mon Aug 25 23:02:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: add F_OK
+
+	* lib/gssapi/acquire_creds.c: fix typo
+
+	* configure.in: call AC_TYPE_MODE_T
+
+	* acinclude.m4: Add AC_TYPE_MODE_T
+
+Sun Aug 24 16:46:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0f
+
+Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/popper/pop_pass.c: log poppers
+
+	* kdc/kaserver.c: some more checks
+
+	* kpasswd/kpasswd.c: removed `-p'
+
+	* kuser/kinit.c: removed `-p'
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If
+ 	KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out
+ 	krb-error text
+
+	* lib/gssapi/import_name.c (input_name): more names types.
+
+	* admin/load.c (parse_keys): handle the case of an empty salt
+
+	* kdc/kaserver.c: fix up memory deallocation
+
+	* kdc/kaserver.c: quick hack at talking kaserver protocol
+
+	* kdc/kerberos4.c: Make `db-fetch4' global
+
+	* configure.in: add --enable-kaserver
+
+	* kdc/rx.h, kdc/kerberos4.h: new header files
+
+	* lib/krb5/principal.c: fix krb5_build_principal_ext & c:o
+
+Sun Aug 24 03:52:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific
+ 	type conflicts.
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits.
+
+	* lib/des/{md4,md5,sha}.c: Now works on Crays.
+
+Sat Aug 23 18:15:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: If no cells or files specified, get
+ 	tokens for all local cells. Better test for files.
+
+Thu Aug 21 23:33:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/v1.c: new file with v1 compatibility functions.
+
+Thu Aug 21 20:36:13 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c: Don't check ticket file for afs ticket.
+
+	* kdc/kerberos4.c: Check database when converting v4 principals.
+
+	* kdc/kerberos5.c: Include kvno in Ticket.
+
+	* lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData.
+
+	* kuser/klist.c: Print version number of ticket, include more
+ 	flags.
+
+Wed Aug 20 21:26:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for
+ 	expiration.
+
+Wed Aug 20 17:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff
+ 	there's an error.
+
+	* lib/krb5/sendauth.c (krb5_sendauth): correct the protocol
+ 	documentation and process KRB-ERROR's
+
+Tue Aug 19 20:41:30 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Fix memory leak in v4 protocol handler.
+
+Mon Aug 18 05:15:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c: Added
+ 	`gsskrb5_register_acceptor_identity'
+
+Sun Aug 17 01:40:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't
+ 	always pass server == NULL to krb5_rd_req.
+
+	* lib/gssapi: new files: canonicalize_name.c export_name.c
+ 	context_time.c compare_name.c release_cred.c acquire_cred.c
+ 	inquire_cred.c, from Luke Howard <lukeh@xedoc.com.au>
+
+	* lib/krb5/config_file.c: Add netinfo support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/editline/sysunix.c: sgtty-support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/krb5/principal.c: krb5_sname_to_principal fix from Luke
+ 	Howard <lukeh@xedoc.com.au>
+
+Sat Aug 16 00:44:47 1997  Assar Westerlund  <assar@koi.pdc.kth.se>
+
+	* Release 0.0e
+
+Sat Aug 16 00:23:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: Use new libkafs.
+
+	* lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol.
+
+	* lib/krb5/warn.c: Fix format string for *x type.
+
+Fri Aug 15 22:15:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* admin/get.c (get_entry): print more information about the entry
+
+	* lib/des/Makefile.am: build destest, mdtest, des, rpw, speed
+
+	* lib/krb5/config_file.c: new functions `krb5_config_get_time' and
+ 	`krb5_config_vget_time'.  Use them.
+
+Fri Aug 15 00:09:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Keytab manipulation program.
+
+	* lib/krb5/keytab.c: Return sane values from resolve and
+ 	start_seq_get.
+
+	* kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'.
+
+	* lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using
+ 	krb524_convert_creds_kdc.
+
+	* lib/krb5/convert_creds.c: Implementation of
+ 	krb524_convert_creds_kdc.
+
+	* lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL
+
+	* kdc/524.c: A somewhat working 524-protocol module.
+
+	* kdc/kerberos4.c: Add version 4 ticket encoding and encryption
+ 	functions.
+
+	* lib/krb5/context.c: Fix kdc_timeout.
+
+	* lib/hdb/{ndbm,db}.c: Free name in close.
+
+	* kdc/kerberos5.c (tgs_check_autenticator): Return error code
+
+Thu Aug 14 21:29:03 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply.
+
+	* lib/krb5/store_emem.c: Fix reallocation bug.
+
+Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use
+ 	`krb5_sock_to_principal'.  Send server parameter to
+ 	krb5_rd_req/krb5_recvauth.  Set addresses in auth_context.
+
+	* lib/krb5/recvauth.c: Set addresses in auth_context if there
+ 	aren't any
+
+	* lib/krb5/auth_context.c: New function
+ 	`krb5_auth_con_setaddrs_from_fd'
+
+	* lib/krb5/sock_principal.c: new function
+	`krb5_sock_to_principal'
+	
+	* lib/krb5/time.c: new file with `krb5_timeofday' and
+ 	`krb5_us_timeofday'.  Use these functions.
+
+	* kuser/klist.c: print KDC offset iff verbose
+
+	* lib/krb5/get_in_tkt.c: implement KDC time offset and use it if
+ 	[libdefaults]kdc_timesync is set.
+	
+	* lib/krb5/fcache.c: Implement version 4 of the ccache format.
+
+Mon Aug 11 05:34:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory
+
+	* lib/krb5/principal.c (krb5_unparse_name): allocate memory
+ 	properly
+
+	* kpasswd/kpasswd.c: Use `krb5_change_password'
+
+	* lib/krb5/init_creds_pw.c (init_cred): set realm of server
+ 	correctly.
+
+	* lib/krb5/init_creds_pw.c: support changing of password when it
+ 	has expired
+
+	* lib/krb5/changepw.c: new file
+
+	* kuser/klist.c: use getarg
+
+	* admin/init.c (init): add `kadmin/changepw'
+
+Mon Aug 11 04:30:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Make get_credentials handle cross-realm.
+
+Mon Aug 11 00:03:24 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: implement support for #-comments
+
+Sat Aug  9 02:21:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop*.c: Add database propagation programs.
+
+	* kdc/connect.c: Max request size.
+
+Sat Aug  9 00:47:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/otp: resurrected from krb4
+
+	* appl/push: new program for fetching mail with POP.
+
+	* appl/popper/popper.h: new include files.  new fields in `POP'
+
+	* appl/popper/pop_pass.c: Implement both v4 and v5.
+
+	* appl/popper/pop_init.c: Implement both v4 and v5.
+
+	* appl/popper/pop_debug.c: use getarg.  Talk both v4 and v5
+
+	* appl/popper: Popper from krb4.
+
+	* configure.in: check for inline and <netinet/tcp.h> generate
+ 	files in appl/popper, appl/push, and lib/otp
+
+Fri Aug  8 05:51:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c: clean-up and try to free memory even when
+ 	there're errors
+
+	* lib/krb5/get_cred.c: adapt to new `extract_ticket'
+
+	* lib/krb5/get_in_tkt.c: reorganize.  check everything and try to
+ 	return memory even if there are errors.
+
+	* kuser/kverify.c: new file
+
+	* lib/krb5/free_host_realm.c: new file
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): implement
+ 	different nametypes.  Also free memory.
+
+	* lib/krb5/verify_init.c: more functionality
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the
+ 	principals in creds.  Should also compare them with that received
+ 	from the KDC
+
+	* lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated
+ 	krb5_ccache
+	(krb5_cc_destroy): call krb5_cc_close
+	(krb5_cc_retrieve_cred): delete the unused creds
+
+Fri Aug  8 02:30:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Allow better control of destinations of logging
+ 	(like passing explicit destinations, and log-functions).
+
+Fri Aug  8 01:20:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: new file
+
+	* kpasswd/kpasswdd.c: use krb5_log*
+
+Fri Aug  8 00:37:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab.
+
+Fri Aug  8 00:37:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'.
+  	Print password expire information.
+
+	* kdc/config.c: new variable `kdc_warn_pwexpire'
+
+	* kpasswd/kpasswd.c: converted to getarg and get_init_creds
+
+Thu Aug  7 22:17:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mcache.c: new file
+
+	* admin/gettime.c: new function puttime.  Use it.
+
+	* lib/krb5/keyblock.c: Added krb5_free_keyblock and
+ 	krb5_copy_keyblock
+
+	* lib/krb5/init_creds_pw.c: more functionality
+
+	* lib/krb5/creds.c: Added krb5_free_creds_contents and
+ 	krb5_copy_creds.  Changed callers.
+
+	* lib/krb5/config_file.c: new functions krb5_config_get and
+ 	krb5_config_vget
+
+	* lib/krb5/cache.c: cleanup added mcache
+	
+	* kdc/kerberos5.c: include last-req's of type 6 and 7, if
+ 	applicable
+
+Wed Aug  6 20:38:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'.
+
+Tue Aug  5 22:53:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c,
+	prompter_posix.c: the beginning of an implementation of the cygnus
+	initial-ticket API.
+
+	* lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is
+ 	almost krb5_get_in_tkt but doesn't write the creds to the ccache.
+  	Small fixes in krb5_get_in_tkt
+
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include
+ 	loopback.
+
+Mon Aug  4 20:20:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc: Make context global.
+
+Fri Aug  1 17:23:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0d
+
+	* lib/roken/flock.c: new file
+
+	* kuser/kinit.c: check for and print expiry information in the
+ 	`kdc_rep'
+
+	* lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL
+
+	* kdc/kerberos5.c: Check the valid times on client and server.
+  	Check the password expiration.
+	Check the require_preauth flag.
+  	Send an lr_type == 6 with pw_end.
+	Set key.expiration to min(valid_end, pw_end)
+	
+	* lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw'
+
+	* admin/util.c, admin/load.c: handle the new flags.
+
+Fri Aug  1 16:56:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb: Add some simple locking.
+
+Sun Jul 27 04:44:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/log.c: Add some general logging functions.
+
+	* kdc/kerberos4.c: Add version 4 protocol handler. The requrement
+ 	for this to work is that all involved principals has a des key in
+ 	the database, and that the client has a version 4 (un-)salted
+ 	key. Furthermore krb5_425_conv_principal has to do it's job, as
+ 	present it's not very clever.
+
+	* lib/krb5/principal.c: Quick patch to make 425_conv work
+ 	somewhat.
+
+	* lib/hdb/hdb.c: Add keytype->key and next key functions.
+
+Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): don't free
+ 	`cksum'.  It's allocated and freed by the caller
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'.
+
+	* kdc/kerberos5.c (tgs_rep2): make sure we also have an defined
+ 	`client' to return as part of the KRB-ERROR
+
+Thu Jul 24 08:13:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Unseal keys from database before use.
+
+	* kdc/misc.c: New functions set_master_key, unseal_key and
+ 	free_key.
+
+	* lib/roken/getarg.c: Handle `-f arg' correctly.
+
+Thu Jul 24 01:54:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: implement `-l' aka `--lifetime'
+
+	* lib/roken/parse_units.c, parse_time.c: new files
+
+	* admin/gettime.c (gettime): use `parse_time'
+
+	* kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending
+ 	KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA.
+
+	* kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set
+ 	addresses in auth_context bind one socket per interface.
+	
+	* kpasswd/kpasswd.c: use sequence numbers
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying
+ 	the timestamps
+
+	* lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_error.c (krb5_mk_error): return an error number and
+ 	not a comerr'd number.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/asn1/k5.asn1: Add `METHOD-DATA'
+
+	* removed some memory leaks.
+
+Wed Jul 23 07:53:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0c
+
+	* lib/krb5/rd_cred.c, get_for_creds.c: new files
+
+	* lib/krb5/get_host_realm.c: try default realm as last chance
+
+	* kpasswd/kpasswdd.c: updated to hdb changes
+
+	* appl/telnet/libtelnet/kerberos5.c: Implement forwarding
+
+	* appl/telnet/libtelnet: removed totally unused files
+
+	* admin/ank.c: fix prompts and generation of random keys
+
+Wed Jul 23 04:02:32 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/dump.c: Include salt in dump.
+
+	* admin: Mostly updated for new db-format.
+
+	* kdc/kerberos5.c: Update to use new db format. Better checking of
+ 	flags and such. More logging.
+
+	* lib/hdb/hdb.c: Use generated encode and decode functions.
+
+	* lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code.
+
+	* lib/krb5/get_cred.c: Get addresses from krbtgt if there are none
+ 	in the reply.
+
+Sun Jul 20 16:22:30 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: break if des_read_pw_string() != 0
+
+	* kpasswd/kpasswdd.c: send a reply
+
+	* kpasswd/kpasswd.c: restructured code.  better report on
+ 	krb-error break if des_read_pw_string() != 0
+
+	* kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for
+ 	starttime and renew_till
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a
+ 	keyblock to krb5_verify_chekcsum
+
+Sun Jul 20 06:35:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0b
+
+	* kpasswd/kpasswd.c: Avoid using non-standard struct names.
+
+Sat Jul 19 19:26:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check return from
+ 	`krb5_kt_start_seq_get'.  From <map@stacken.kth.se>
+
+Sat Jul 19 04:07:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Update with more pa-data types from
+ 	draft-ietf-cat-kerberos-revisions-00.txt
+
+	* admin/load.c: Update to match current db-format.
+
+	* kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving
+ 	up. Send back an empty pa-data if the client has the v4 flag set.
+
+	* lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted
+ 	pa-data. DTRT if there is any pa-data in the reply.
+
+	* lib/krb5/str2key.c: XOR with some sane value.
+
+	* lib/hdb/hdb.h: Add `version 4 salted key' flag.
+
+	* kuser/kinit.c: Ask for password before calling get_in_tkt. This
+ 	makes it possible to call key_proc more than once.
+
+	* kdc/string2key.c: Add flags to output version 5 (DES only),
+ 	version 4, and AFS string-to-key of a password.
+
+	* lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or
+ 	ENOMEM).
+
+Fri Jul 18 02:54:58 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): do the
+ 	name2name thing
+
+	* kdc/misc.c: check result of hdb_open
+
+	* admin/kdb_edit: updated to new sl
+
+	* lib/sl: sl_func now returns an int. != 0 means to exit.
+
+	* kpasswd/kpasswdd: A crude (but somewhat working) implementation
+ 	of `draft-ietf-cat-kerb-chg-password-00.txt'
+
+Fri Jul 18 00:55:39 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/krenew.c: Crude ticket renewing program.
+
+	* kdc/kerberos5.c: Rewritten flags parsing, it now might work to
+ 	get forwarded and renewed tickets.
+
+	* kuser/kinit.c: Add `-r' flag.
+
+	* lib/krb5/get_cred.c: Move most of contents of get_creds to new
+ 	function get_kdc_cred, that always contacts the kdc and doesn't
+ 	save in the cache. This is a hack.
+
+	* lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request
+ 	(a bit kludgy).
+
+	* lib/krb5/mk_req_ext.c: Make an auth_context if none passed in.
+
+	* lib/krb5/send_to_kdc.c: Get timeout from context.
+
+	* lib/krb5/context.c: Add kdc_timeout to context struct.
+
+Thu Jul 17 20:35:45 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/klist.c: Print start time of ticket if available.
+
+	* lib/krb5/get_host_realm.c: Return error if no realm was found.
+
+Thu Jul 17 20:28:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd: non-working kpasswd added
+
+Thu Jul 17 00:21:22 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* Release 0.0a
+
+	* kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement.
+
+Wed Jul 16 03:37:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free remote
+ 	subkey.
+
+	* lib/krb5/principal.c (krb5_free_principal): Check for NULL.
+
+	* lib/krb5/send_to_kdc.c: Check for NULL return from
+ 	gethostbyname.
+
+	* lib/krb5/set_default_realm.c: Try to get realm of local host if
+ 	no default realm is available.
+
+	* Remove non ASN.1 principal code.
+
+Wed Jul 16 03:17:30 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better
+ 	error handing. Do some logging.
+
+	* kdc/log.c: Some simple logging facilities.
+
+	* kdc/misc.c (db_fetch): Take a krb5_principal.
+
+	* kdc/connect.c: Pass address of request to as_rep and
+ 	tgs_rep. Send KRB-ERROR.
+
+	* lib/krb5/mk_error.c: Add more fields.
+
+	* lib/krb5/get_cred.c: Print normal error code if no e_text is
+ 	available.
+
+Wed Jul 16 03:07:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: implement `krb5_init_etype'.
+ 	Change encryption type of pa_enc_timestamp to DES-CBC-MD5
+
+	* lib/krb5/context.c: recognize all encryption types actually
+ 	implemented
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): Change default
+ 	encryption type to `DES_CBC_MD5'
+
+	*  lib/krb5/read_message.c, write_message.c: new files
+
+Tue Jul 15 17:14:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'.
+
+	* lib/error/compile_et.awk: generate a prototype for the
+ 	`destroy_foo_error_table' function.
+
+Mon Jul 14 12:24:40 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also
+ 	with `kerberos.REALM'
+
+	* kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use
+ 	`max_skew'
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator
+ 	subkey
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): always
+ 	generate a subkey.
+
+	* lib/krb5/address.c: implement `krb5_address_order'
+
+	* lib/gssapi/import_name.c: Implement `gss_import_name'
+
+	* lib/gssapi/external.c: Use new OID
+
+	* lib/gssapi/encapsulate.c: New functions
+ 	`gssapi_krb5_encap_length' and `gssapi_krb5_make_header'.  Changed
+	callers.
+
+	* lib/gssapi/decapsulate.c: New function
+ 	`gssaspi_krb5_verify_header'.  Changed callers.
+
+	* lib/asn1/gen*.c: Give tags to generated structs.
+	Use `err' and `asprintf'
+
+	* appl/test/gss_common.c: new file
+
+	* appl/test/gssapi_server.c: removed all krb5 calls
+
+	* appl/telnet/libtelnet/kerberos5.c: Add support for genering and
+ 	verifying checksums.  Also start using session subkeys.
+
+Mon Jul 14 12:08:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up.
+
+Sun Jul 13 03:07:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT
+
+	* lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and
+ 	`DES_encrypt_key_ivec'
+
+	* lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des
+
+	* kdc/kerberos5.c (tgs_rep): support keyed checksums
+
+	* lib/krb5/creds.c: new file
+
+	* lib/krb5/get_in_tkt.c: better freeing
+
+	* lib/krb5/context.c (krb5_free_context): more freeing
+
+	* lib/krb5/config_file.c: New function `krb5_config_file_free'
+
+	* lib/error/compile_et.awk: Generate a `destroy_' function.
+
+	* kuser/kinit.c, klist.c: Don't leak memory.
+
+Sun Jul 13 02:46:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Check filedescriptor in select.
+
+	* kdc/kerberos5.c: Remove most of the most common memory leaks.
+
+	* lib/krb5/rd_req.c: Free allocated data.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of
+ 	fields.
+
+Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: Conditionalize the krb4-support.
+
+	* configure.in: Test for krb4
+
+Sat Jul 12 17:14:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: check if the pre-auth was decrypted properly.
+  	set the `pre_authent' flag
+
+	* lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce.
+
+	* lib/krb5/encrypt.c: Made `generate_random_block' global.
+
+	* appl/test: Added gssapi_client and gssapi_server.
+
+	* lib/krb5/data.c: Add `krb5_data_zero'
+
+	* appl/test/tcp_client.c: try `mk_safe' and `mk_priv'
+
+	* appl/test/tcp_server.c: try `rd_safe' and `rd_priv'
+
+Sat Jul 12 16:45:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix for systems that has sa_len, but
+ 	returns zero length from SIOCGIFCONF.
+
+Sat Jul 12 16:38:34 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/test: new programs
+	
+	* lib/krb5/rd_req.c: add address compare
+
+	* lib/krb5/mk_req_ext.c: allow no checksum
+
+	* lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string
+
+	* lib/krb5/address.c: fix `krb5_address_compare'
+
+Sat Jul 12 15:03:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix ip4 address extraction.
+
+	* kuser/klist.c: Add verbose flag, and split main into smaller
+ 	pieces.
+
+	* lib/krb5/fcache.c: Save ticket flags.
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and
+ 	flags.
+
+	* lib/krb5/krb5.h: Add ticket_flags to krb5_creds.
+
+Sat Jul 12 13:12:48 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Call `AC_KRB_PROG_LN_S'
+
+	* acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4
+
+Sat Jul 12 00:57:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to
+ 	pass options.
+
+Fri Jul 11 15:04:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: telnet & telnetd seems to be working.
+	
+	* lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed
+ 	krb5_config_vget_next
+
+	* appl/telnet/libtelnet/kerberos5.c: update to current API
+
+Thu Jul 10 14:54:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call
+ 	`krb5_kuserok'
+
+	* appl/telnet: Added.
+
+Thu Jul 10 05:09:25 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove usage of sub, gsub, and
+ 	functions for compatibility with awk.
+
+	* include/bits.c: Must use signed char.
+
+	* lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets
+ 	here.
+
+	* lib/error/error.c: Replace krb5_get_err_text with new function
+ 	com_right.
+
+	* lib/error/compile_et.awk: Avoid using static variables.
+
+	* lib/error/error.c: Don't use krb5_locl.h
+
+	* lib/error/error.h: Move definitions of error_table and
+ 	error_list from krb5.h.
+
+	* lib/error: Moved from lib/krb5.
+
+Wed Jul  9 07:42:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data.
+
+Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff
+	according to pseudocode from 1510
+
+Wed Jul  9 06:06:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/hdb.c: Add hdb_etype2key.
+
+	* kdc/kerberos5.c: Check authenticator. Use more general etype
+ 	functions.
+	
+Wed Jul  9 03:51:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to
+ 	draft-ietf-cat-kerberos-r-00.txt
+
+	* lib/krb5/principal.c (krb5_parse_name): default to local realm
+ 	if none given
+	
+	* kuser/kinit.c: New option `-p' and prompt
+
+Wed Jul  9 02:30:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keyblock.c: Keyblock generation functions.
+
+	* lib/krb5/encrypt.c: Use functions from checksum.c.
+
+	* lib/krb5/checksum.c: Move checksum functions here. Add
+ 	krb5_cksumsize function.
+
+Wed Jul  9 01:15:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: implemented
+
+	* lib/krb5/config_file.c: Redid part.  New functions:
+ 	krb5_config_v?get_next
+
+	* kuser/kdestroy.c: new program
+
+	* kuser/kinit.c: new flag `-f'
+
+	* lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress
+
+	* acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN
+
+	* lib/krb5/krb5.h: krb5_addresses == HostAddresses.  Changed all
+ 	users.
+
+	* lib/krb5/get_addrs.c: figure out all local addresses, possibly
+ 	even IPv6!
+
+	* lib/krb5/checksum.c: table-driven checksum
+
+Mon Jul  7 21:13:28 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as
+ 	krb5_encrypt.
+
+Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/vsyslog.c: new file
+
+	* lib/krb5/encrypt.c: add des-cbc-md4.
+	adjust krb5_encrypt and krb5_decrypt to reality
+
+Mon Jul  7 02:46:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Implement as a vector of function pointers.
+
+	* lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and
+ 	des-cbc-md5 in separate functions.
+
+	* lib/krb5/krb5.h: Add more checksum and encryption types.
+
+	* lib/krb5/krb5_locl.h: Add etype to krb5_decrypt.
+
+Sun Jul  6 23:02:59 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/[gs]et_default_realm.c, kuserok.c: new files
+
+	* lib/krb5/config_file.[ch]: new c-based configuration reading
+ 	stuff
+
+Wed Jul  2 23:12:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Set WFLAGS if using gcc
+
+Wed Jul  2 17:47:03 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c (der_put_int): Return size correctly.
+
+	* admin/ank.c: Be compatible with the asn1 principal format.
+
+Wed Jul  1 23:52:20 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1: Now all decode_* and encode_* functions now take a
+ 	final size_t* argument, that they return the size in. Return
+ 	values are zero for success, and anything else (such as some
+ 	ASN1_* constant) for error.
+
+Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to
+ 	O_WRONLY | O_APPEND
+
+	* lib/krb5/get_cred.c: removed stale prototype for
+ 	`extract_ticket' and corrected call.
+
+	* lib/asn1/gen_length.c (length_type): Make the length functions
+ 	for SequenceOf non-destructive
+
+	* admin/ank.c (doit): Fix reading of `y/n'.
+
+Mon Jun 16 05:41:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number
+
+	* lib/gssapi/get_mic.c, verify_mic.c: Add sequence number.
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE.  Verify 8003 checksum.
+
+	* lib/gssapi/8003.c: New file.
+
+	* lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1
+ 	Authenticator.
+
+	* lib/krb5/auth_context.c: New functions
+ 	`krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber'
+
+Tue Jun 10 00:35:54 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5: Preapre for use of some asn1-types.
+
+	* lib/asn1/*.c (copy_*): Constness.
+
+	* lib/krb5/krb5.h: Include asn1.h; krb5_data is now an
+ 	octet_string.
+
+	* lib/asn1/der*,gen.c: krb5_data -> octet_string, char * ->
+ 	general_string
+
+	* lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't
+ 	have anything to do with asn1_compile.
+
+	* lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes.
+
+Sun Jun  8 03:51:55 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: Fix PA-ENC-TS-ENC
+
+ 	* kdc/connect.c(process_request): Set `new'
+	
+	* lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way.
+
+	* lib: Added editline,sl,roken.
+
+Mon Jun  2 00:37:48 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/fcache.c: Move file cache from cache.c.
+
+	* lib/krb5/cache.c: Allow more than one cache type.
+
+Sun Jun  1 23:45:33 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* admin/extkeytab.c: Merged with kdb_edit.
+
+Sun Jun  1 23:23:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc.c: more support for ENC-TS-ENC
+
+	* lib/krb5/get_in_tkt.c: redone to enable pre-authentication
+
+Sun Jun  1 22:45:11 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/db.c: Merge fetch and store.
+
+	* admin: Merge to one program.
+
+	* lib/krb5/str2key.c: Fill in keytype and length.
+
+Sun Jun  1 16:31:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c,
+ 	lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE
+
+	* lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an
+ 	KRB_ERROR.  Some support for PA_ENC_TS_ENC.
+
+	* lib/krb5/auth_context.c: implemented seq_number functions
+
+	* lib/krb5/generate_subkey.c, generate_seq_number.c: new files
+
+	* lib/gssapi/gssapi.h: avoid including <krb5.h>
+
+	* lib/asn1/Makefile.am: SUFFIXES as a variable to make automake
+ 	happy
+
+	* kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP
+
+	* configure.in: adapted to automake 1.1p
+
+Mon May 26 22:26:21 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/principal.c: Add contexts to many functions.
+
+Thu May 15 20:25:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: First stab at a verify user.
+
+	* lib/auth/sia/sia5.c: SIA module for Kerberos 5.
+
+Mon Apr 14 00:09:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi: Enough of a gssapi-over-krb5 implementation to be
+	able to (mostly) run gss-client and gss-server.
+	
+	* lib/krb5/keytab.c: implemented krb5_kt_add_entry,
+ 	krb5_kt_store_principal, krb5_kt_store_keyblock
+
+	* lib/des/md5.[ch], sha.[ch]: new files
+
+	* lib/asn1/der_get.c (generalizedtime2time): use `timegm'
+
+	* lib/asn1/timegm.c: new file
+
+	* admin/extkeytab.c: new program
+
+	* admin/admin_locl.h: new file
+
+	* admin/Makefile.am: Added extkeytab
+
+	* configure.in: moved config to include
+	removed timezone garbage
+	added lib/gssapi and admin
+
+	* Makefile.am: Added admin
+
+Mon Mar 17 11:34:05 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Use new copying functions, and free some data.
+
+	* lib/asn1/Makefile.am: Try to not always rebuild generated files.
+
+	* lib/asn1/der_put.c: Add fix_dce().
+
+	* lib/asn1/der_{get,length,put}.c: Fix include files.
+
+	* lib/asn1/der_free.c: Remove unused functions.
+	
+	* lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free,
+ 	gen_length, and gen_copy.
+
+Sun Mar 16 18:13:52 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c: implemented functionality
+
+	* lib/krb5/rd_rep.c: Use `krb5_decrypt'
+
+	* lib/krb5/cache.c (krb5_cc_get_name): return default if `id' ==
+ 	NULL
+
+	* lib/krb5/principal.c (krb5_free_principal): added `context'
+ 	argument.  Changed all callers.
+	
+	(krb5_sname_to_principal): new function
+
+	* lib/krb5/auth_context.c (krb5_free_authenticator): add `context'
+ 	argument.  Changed all callers
+
+	* lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files
+
+	* lib/asn1/gen.c: Fix encoding and decoding of BitStrings
+
+Fri Mar 14 11:29:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: look for *dbm?
+
+	* lib/asn1/gen.c: Fix filename in generated files. Check fopens.
+  	Put trailing newline in asn1_files.
+
+Fri Mar 14 05:06:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Fix some memory leaks.
+
+	* lib/krb5/krbhst.c: Properly free hostlist.
+
+	* lib/krb5/decrypt.c: CRCs are 32 bits.
+
+Fri Mar 14 04:39:15 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen.c: Generate one file for each type.
+
+Fri Mar 14 04:13:47 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: Generate `length_FOO' functions
+
+	* lib/asn1/der_length.c: new file
+
+	* kuser/klist.c: renamed stime -> printable_time to avoid conflict
+ 	on HP/UX
+
+Fri Mar 14 03:37:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free
+ 	datums. Don't add .db to filename.
+
+Fri Mar 14 02:49:51 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/dump.c: Database dump program.
+
+	* kdc/ank.c: Trivial database editing program.
+
+	* kdc/{kdc.c, load.c}: Use libhdb.
+
+	* lib/hdb: New database routine library.
+
+	* lib/krb5/error/Makefile.am: Add hdb_err.
+
+Wed Mar 12 17:41:14 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Rewritten AS, and somewhat more working TGS support.
+
+	* lib/asn1/gen.c: Generate free functions.
+
+	* Some specific free functions.
+
+Wed Mar 12 12:30:13 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_mk_req_ext.c: new file
+
+	* lib/asn1/gen.c: optimize the case with a simple type
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Use
+ 	`mk_req_extended' and remove old code.
+
+	* lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an
+ 	EncASRepPart, then with an EncTGSRepPart.
+
+Wed Mar 12 08:26:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/store_emem.c: New resizable memory storage.
+
+	* lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c
+
+	* lib/krb5/krb5.h: Add free entry to krb5_storage.
+
+	* lib/krb5/decrypt.c: Make keyblock const.
+
+Tue Mar 11 20:22:17 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket.
+
+	* lib/krb5/rd_req.c: Return whole asn.1 ticket in
+ 	krb5_ticket->tkt.
+
+	* lib/krb5/get_in_tkt.c: TGS -> AS
+
+	* kuser/kfoo.c: Print error string rather than number.
+
+	* kdc/kdc.c: Some kind of non-working TGS support.
+
+Mon Mar 10 01:43:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: reduced generated code by 1/5
+
+ 	* lib/asn1/der_put.c: (der_put_length_and_tag): new function
+
+	* lib/asn1/der_get.c (der_match_tag_and_length): new function
+
+	* lib/asn1/der.h: added prototypes
+
+Mon Mar 10 01:15:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Include <asn1_err.h>. Add prototype for
+ 	krb5_rd_req_with_keyblock.
+
+	* lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that
+ 	takes a precomputed keyblock.
+
+	* lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code.
+
+	* lib/krb5/mk_req.c: Calculate checksum of in_data.
+
+Sun Mar  9 21:17:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/compile_et.awk: Add a declaration of struct
+ 	error_list, and multiple inclusion block to header files.
+
+Sun Mar  9 21:01:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: do some checks on times
+
+	* lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c,
+	address.c}: new files
+
+	* lib/krb5/auth_context.c: more code
+
+	* configure.in: try to figure out timezone
+
+Sat Mar  8 11:41:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/error.c: Try strerror if error code wasn't found.
+
+	* lib/krb5/get_in_tkt.c: Remove realm parameter from
+ 	krb5_get_salt.
+
+	* lib/krb5/context.c: Initialize error table.
+
+	* kdc: The beginnings of a kdc.
+
+Sat Mar  8 08:16:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c: new file
+
+	* lib/krb5/checksum.c (krb5_verify_checksum): New function
+
+	* lib/krb5/get_cred.c: use krb5_create_checksum
+
+	* lib/krb5/checksum.c: new file
+
+	* lib/krb5/store.c: no more arithmetic with void*
+
+	* lib/krb5/cache.c: now seems to work again
+
+Sat Mar  8 06:58:09 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c.
+
+	* lib/krb5/asn1_glue.c: Moved some asn1-stuff here.
+	
+	* lib/krb5/{cache,keytab}.c: Use new storage functions.
+
+	* lib/krb5/krb5.h: Protypes for new storage functions.
+
+	* lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write
+ 	data to more than file descriptors.
+
+Sat Mar  8 01:01:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: New file.
+
+	* lib/krb5/Makefile.am: More -I
+
+	* configure.in: Test for big endian, random, rand, setitimer
+
+	* lib/asn1/gen.c: perhaps even decodes bitstrings
+
+Thu Mar  6 19:05:29 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/config_file.y: Better return values on error.
+
+Sat Feb  8 15:59:56 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/asn1/parse.y: ifdef HAVE_STRDUP
+
+	* lib/asn1/lex.l: ifdef strdup
+	brange-dead version of list of special characters to make stupid
+ 	lex accept it.
+
+	* lib/asn1/gen.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_put.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_get.c: A DER integer should really be a `unsigned'
+
+	* lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is
+ 	needed.
+
+	* lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c,
+ 	lib/krb/store.h: new files.
+
+	* lib/krb5/keytab.c: now even with some functionality.
+
+	* lib/asn1/gen.c: changed paramater from void * to Foo *
+
+	* lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty
+ 	string.
+
+Sun Jan 19 06:17:39 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in
+ 	cc before getting new ones.
+
+	* lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): It seems the
+ 	CRC should be stored LSW first. (?)
+
+	* lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and
+ 	`krb5_free_keyblock'
+
+	* lib/**/Makefile.am: Rename foo libfoo.a
+
+	* include/Makefile.in: Use test instead of [
+	-e does not work with /bin/sh on psoriasis
+
+	* configure.in: Search for awk
+	create lib/krb/error/compile_et
+	
+Tue Jan 14 03:46:26 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: replaced mit-crc.c by crc.c
+
+Wed Dec 18 00:53:55 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit.c: Guess principal.
+
+	* lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some
+ 	warnings.
+
+	* lib/krb5/error/asn1_err.et: Add ASN.1 error messages.
+
+	* lib/krb5/mk_req.c: Get client from cache.
+
+	* lib/krb5/cache.c: Add better error checking some useful return
+ 	values.
+
+	* lib/krb5/krb5.h: Fix krb5_auth_context.
+
+	* lib/asn1/der.h: Make krb5_data compatible with krb5.h
+
+Tue Dec 17 01:32:36 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/error: Add primitive error library.
+
+Mon Dec 16 16:30:20 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/cache.c: Get correct address type from cache.
+
+	* lib/krb5/krb5.h: Change int16 to int to be compatible with asn1.
+
diff --git a/crypto/heimdal/Makefile.am b/crypto/heimdal/Makefile.am
new file mode 100644
index 0000000..919d69c
--- /dev/null
+++ b/crypto/heimdal/Makefile.am
@@ -0,0 +1,9 @@
+# $Id: Makefile.am,v 1.14 1999/08/12 02:21:43 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS	= include lib kuser kdc admin kadmin kpasswd appl doc
+
+ACLOCAL = @ACLOCAL@ -I cf
+
+EXTRA_DIST = Makefile.am.common krb5.conf
diff --git a/crypto/heimdal/Makefile.am.common b/crypto/heimdal/Makefile.am.common
new file mode 100644
index 0000000..d8452bd
--- /dev/null
+++ b/crypto/heimdal/Makefile.am.common
@@ -0,0 +1,35 @@
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+include $(top_srcdir)/cf/Makefile.am.common
+
+SUFFIXES += .x
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+CHECK_LOCAL = $(PROGRAMS)
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
diff --git a/crypto/heimdal/Makefile.in b/crypto/heimdal/Makefile.in
new file mode 100644
index 0000000..28684cb
--- /dev/null
+++ b/crypto/heimdal/Makefile.in
@@ -0,0 +1,645 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.14 1999/08/12 02:21:43 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = .
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc
+
+ACLOCAL = @ACLOCAL@ -I cf
+
+EXTRA_DIST = Makefile.am.common krb5.conf
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ./include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in NEWS TODO acinclude.m4 \
+aclocal.m4 config.guess config.sub configure configure.in install-sh \
+ltconfig ltmain.sh missing mkinstalldirs
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+$(ACLOCAL_M4):  configure.in  acinclude.m4
+	cd $(srcdir) && $(ACLOCAL)
+
+config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	$(SHELL) ./config.status --recheck
+$(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCIES)
+	cd $(srcdir) && $(AUTOCONF)
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(PACKAGE)-$(VERSION)
+top_distdir = $(distdir)
+
+# This target untars the dist file and tries a VPATH configuration.  Then
+# it guarantees that the distribution is self-contained by making another
+# tarfile.
+distcheck: dist
+	-rm -rf $(distdir)
+	GZIP=$(GZIP_ENV) $(TAR) zxf $(distdir).tar.gz
+	mkdir $(distdir)/=build
+	mkdir $(distdir)/=inst
+	dc_install_base=`cd $(distdir)/=inst && pwd`; \
+	cd $(distdir)/=build \
+	  && ../configure --srcdir=.. --prefix=$$dc_install_base \
+	  && $(MAKE) $(AM_MAKEFLAGS) \
+	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
+	  && $(MAKE) $(AM_MAKEFLAGS) check \
+	  && $(MAKE) $(AM_MAKEFLAGS) install \
+	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
+	  && $(MAKE) $(AM_MAKEFLAGS) dist
+	-rm -rf $(distdir)
+	@banner="$(distdir).tar.gz is ready for distribution"; \
+	dashes=`echo "$$banner" | sed s/./=/g`; \
+	echo "$$dashes"; \
+	echo "$$banner"; \
+	echo "$$dashes"
+dist: distdir
+	-chmod -R a+r $(distdir)
+	GZIP=$(GZIP_ENV) $(TAR) chozf $(distdir).tar.gz $(distdir)
+	-rm -rf $(distdir)
+dist-all: distdir
+	-chmod -R a+r $(distdir)
+	GZIP=$(GZIP_ENV) $(TAR) chozf $(distdir).tar.gz $(distdir)
+	-rm -rf $(distdir)
+distdir: $(DISTFILES)
+	-rm -rf $(distdir)
+	mkdir $(distdir)
+	-chmod 777 $(distdir)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+	-rm -f config.status
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f config.status
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/NEWS b/crypto/heimdal/NEWS
new file mode 100644
index 0000000..ead7269f
--- /dev/null
+++ b/crypto/heimdal/NEWS
@@ -0,0 +1,299 @@
+Changes in release 0.2p:
+
+ * bug fix in `kadmin load/merge'
+
+ * bug fix in krb5_parse_address
+
+Changes in release 0.2o:
+
+ * gss_{import,export}_sec_context added to libgssapi
+
+ * new option --addresses to kdc (for listening on an explicit set of
+   addresses)
+
+ * bug fixes in the krb4 and kaserver emulation part of the kdc
+
+ * other bug fixes
+
+Changes in release 0.2n:
+
+ * more robust parsing of dump files in kadmin
+ * changed default timestamp format for log messages to extended ISO
+   8601 format (Y-M-DTH:M:S)
+ * changed md4/md5/sha1 APIes to be de-facto `standard'
+ * always make hostname into lower-case before creating principal
+ * small bits of more MIT-compatability
+ * bug fixes
+
+Changes in release 0.2m:
+
+ * handle glibc's getaddrinfo() that returns several ai_canonname
+
+ * new endian test
+
+ * man pages fixes
+
+Changes in release 0.2l:
+
+ * bug fixes
+
+Changes in release 0.2k:
+
+ * better IPv6 test
+
+ * make struct sockaddr_storage in roken work better on alphas
+
+ * some missing [hn]to[hn]s fixed.
+
+ * allow users to change their own passwords with kadmin (with initial
+   tickets)
+
+ * fix stupid bug in parsing KDC specification
+
+ * add `ktutil change' and `ktutil purge'
+
+Changes in release 0.2j:
+
+ * builds on Irix
+
+ * ftpd works in passive mode
+
+ * should build on cygwin
+
+ * work around broken IPv6-code on OpenBSD 2.6, also add configure
+   option --disable-ipv6
+
+Changes in release 0.2i:
+
+ * use getaddrinfo in the missing places.
+
+ * fix SRV lookup for admin server
+
+ * use get{addr,name}info everywhere.  and implement it in terms of
+   getipnodeby{name,addr} (which uses gethostbyname{,2} and
+   gethostbyaddr)
+
+Changes in release 0.2h:
+
+ * fix typo in kx (now compiles)
+
+Changes in release 0.2g:
+
+ * lots of bug fixes:
+   * push works
+   * repair appl/test programs
+   * sockaddr_storage works on solaris (alignment issues)
+   * works better with non-roken getaddrinfo
+   * rsh works
+   * some non standard C constructs removed
+
+Changes in release 0.2f:
+
+ * support SRV records for kpasswd
+ * look for both _kerberos and krb5-realm when doing host -> realm mapping
+
+Changes in release 0.2e:
+
+ * changed copyright notices to remove `advertising'-clause.
+ * get{addr,name}info added to roken and used in the other code
+   (this makes things work much better with hosts with both v4 and v6
+    addresses, among other things)
+ * do pre-auth for both password and key-based get_in_tkt
+ * support for having several databases
+ * new command `del_enctype' in kadmin
+ * strptime (and new strftime) add to roken
+ * more paranoia about finding libdb
+ * bug fixes
+
+Changes in release 0.2d:
+
+ * new configuration option [libdefaults]default_etypes_des
+ * internal ls in ftpd builds without KRB4
+ * kx/rsh/push/pop_debug tries v5 and v4 consistenly
+ * build bug fixes
+ * other bug fixes
+
+Changes in release 0.2c:
+
+ * bug fixes (see ChangeLog's for details)
+
+Changes in release 0.2b:
+
+ * bug fixes
+ * actually bump shared library versions
+
+Changes in release 0.2a:
+
+ * a new program verify_krb5_conf for checking your /etc/krb5.conf
+ * add 3DES keys when changing password
+ * support null keys in database
+ * support multiple local realms
+ * implement a keytab backend for AFS KeyFile's
+ * implement a keytab backend for v4 srvtabs
+ * implement `ktutil copy'
+ * support password quality control in v4 kadmind
+ * improvements in v4 compat kadmind
+ * handle the case of having the correct cred in the ccache but with
+   the wrong encryption type better
+ * v6-ify the remaining programs.
+ * internal ls in ftpd
+ * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
+ * add `ank --random-password' and `cpw --random-password' in kadmin
+ * some programs and documentation for trying to talk to a W2K KDC
+ * bug fixes
+
+Changes in release 0.1m:
+
+ * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
+   From Miroslav Ruda <ruda@ics.muni.cz>
+ * v6-ify hprop and hpropd
+ * support numeric addresses in krb5_mk_req
+ * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
+ * make rsh/rshd IPv6-aware
+ * make the gssapi sample applications better at reporting errors
+ * lots of bug fixes
+ * handle systems with v6-aware libc and non-v6 kernels (like Linux
+   with glibc 2.1) better
+ * hide failure of ERPT in ftp
+ * lots of bug fixes
+
+Changes in release 0.1l:
+
+ * make ftp and ftpd IPv6-aware
+ * add inet_pton to roken
+ * more IPv6-awareness
+ * make mini_inetd v6 aware
+
+Changes in release 0.1k:
+
+ * bump shared libraries versions
+ * add roken version of inet_ntop
+ * merge more changes to rshd
+
+Changes in release 0.1j:
+
+ * restore back to the `old' 3DES code.  This was supposed to be done
+   in 0.1h and 0.1i but I did a CVS screw-up.
+ * make telnetd handle v6 connections
+
+Changes in release 0.1i:
+
+ * start using `struct sockaddr_storage' which simplifies the code
+   (with a fallback definition if it's not defined)
+ * bug fixes (including in hprop and kf)
+ * don't use mawk which seems to mishandle roken.awk
+ * get_addrs should be able to handle v6 addresses on Linux (with the
+   required patch to the Linux kernel -- ask within)
+ * rshd builds with shadow passwords
+
+Changes in release 0.1h:
+
+ * kf: new program for forwarding credentials
+ * portability fixes
+ * make forwarding credentials work with MIT code
+ * better conversion of ka database
+ * add etc/services.append
+ * correct `modified by' from kpasswdd
+ * lots of bug fixes
+
+Changes in release 0.1g:
+
+ * kgetcred: new program for explicitly obtaining tickets
+ * configure fixes
+ * krb5-aware kx
+ * bug fixes
+
+Changes in release 0.1f;
+
+ * experimental support for v4 kadmin protokoll in kadmind
+ * bug fixes
+
+Changes in release 0.1e:
+
+ * try to handle old DCE and MIT kdcs
+ * support for older versions of credential cache files and keytabs
+ * postdated tickets work
+ * support for password quality checks in kpasswdd
+ * new flag --enable-kaserver for kdc
+ * renew fixes
+ * prototype su program
+ * updated (some) manpages
+ * support for KDC resource records
+ * should build with --without-krb4
+ * bug fixes
+
+Changes in release 0.1d:
+
+ * Support building with DB2 (uses 1.85-compat API)
+ * Support krb5-realm.DOMAIN in DNS
+ * new `ktutil srvcreate'
+ * v4/kafs support in klist/kdestroy
+ * bug fixes
+
+Changes in release 0.1c:
+
+ * fix ASN.1 encoding of signed integers
+ * somewhat working `ktutil get'
+ * some documentation updates
+ * update to Autoconf 2.13 and Automake 1.4
+ * the usual bug fixes
+
+Changes in release 0.1b:
+
+ * some old -> new crypto conversion utils
+ * bug fixes
+
+Changes in release 0.1a:
+
+ * new crypto code
+ * more bug fixes
+ * make sure we ask for DES keys in gssapi
+ * support signed ints in ASN1
+ * IPv6-bug fixes
+
+Changes in release 0.0u:
+
+ * lots of bug fixes
+
+Changes in release 0.0t:
+
+ * more robust parsing of krb5.conf
+ * include net{read,write} in lib/roken
+ * bug fixes
+
+Changes in release 0.0s:
+
+ * kludges for parsing options to rsh
+ * more robust parsing of krb5.conf
+ * removed some arbitrary limits
+ * bug fixes
+
+Changes in release 0.0r:
+
+ * default options for some programs
+ * bug fixes
+
+Changes in release 0.0q:
+
+ * support for building shared libraries with libtool
+ * bug fixes
+
+Changes in release 0.0p:
+
+ * keytab moved to /etc/krb5.keytab
+ * avoid false detection of IPv6 on Linux
+ * Lots of more functionality in the gssapi-library
+ * hprop can now read ka-server databases
+ * bug fixes
+
+Changes in release 0.0o:
+
+ * FTP with GSSAPI support.
+ * Bug fixes.
+
+Changes in release 0.0n:
+
+ * Incremental database propagation.
+ * Somewhat improved kadmin ui; the stuff in admin is now removed.
+ * Some support for using enctypes instead of keytypes.
+ * Lots of other improvement and bug fixes, see ChangeLog for details.
diff --git a/crypto/heimdal/TODO b/crypto/heimdal/TODO
new file mode 100644
index 0000000..e222951
--- /dev/null
+++ b/crypto/heimdal/TODO
@@ -0,0 +1,107 @@
+-*- indented-text -*-
+
+$Id: TODO,v 1.40 2000/01/28 04:10:56 assar Exp $
+
+* configure
+
+use more careful checking before starting to use berkeley db.  it only
+makes sense to do so if we have the appropriate library and the header
+file.
+
+* appl
+
+more programs here
+
+** appl/login
+
+/etc/environment etc.
+
+** appl/popper
+
+Implement RFC1731 and 1734, pop over GSS-API
+
+** appl/test
+
+should test more stuff
+
+** appl/rsh
+
+add rcp program
+
+** appl/ftp
+
+* doc
+
+there's some room for improvement here.
+
+* kdc
+
+* kadmin
+
+is in need of a major cleanup
+
+* lib
+
+** lib/asn1
+
+prepend a prefix on all generated symbols
+
+make asn1_compile use enum types where applicable
+
+** lib/auth
+
+PAM
+
+** lib/des
+
+** lib/gssapi
+
+process_context_token, display_status, add_cred, inquire_cred_by_mech,
+export_sec_context, import_sec_context, inquire_names_for_mech, and
+inquire_mechs_for_name not implemented.
+
+only DES MAC MD5 and DES implemented.
+
+set minor_status in all functions
+
+init_sec_context: `initiator_cred_handle' and `time_req' ignored.
+
+input channel bindings are not supported
+
+delegation not implemented
+
+anonymous credentials not implemented
+
+** lib/hdb
+
+** lib/kadm5
+
+add policies?
+
+fix to use rpc?
+
+** lib/krb5
+
+rewrite the lookup of KDCs to handle kerberos-<n> and not do any DNS
+requests if the information can be found locally.  this requires stop
+using krb5_get_krbhst.
+
+the replay cache is, in its current state, not very useful
+
+the following encryption types have been implemented: DES-CBC-CRC,
+DES-CBC-MD4, DES-CBC-MD5, DES3-CBC-MD5, DES3-CBC-SHA1
+
+supports the following checksums: CRC32, RSA-MD4, RSA-MD5,
+RSA-MD4-DES, RSA-MD5-DES, RSA-MD5-DES3, SHA1, HMAC-SHA1-DES3
+
+always generates a new subkey in an authenticator
+
+should the sequence numbers be XORed?
+
+fix pre-authentication with pa-afs3-salt
+
+OTP?
+
+** lib/roken
+
+** lib/sl
diff --git a/crypto/heimdal/acconfig.h b/crypto/heimdal/acconfig.h
new file mode 100644
index 0000000..c94b363
--- /dev/null
+++ b/crypto/heimdal/acconfig.h
@@ -0,0 +1,96 @@
+@BOTTOM@
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/* telnet stuff ----------------------------------------------- */
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+/* random defines */
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/*
+ * this assumes that KRB_C_BIGENDIAN is used.
+ * if we can find out endianess at compile-time, do so,
+ * otherwise WORDS_BIGENDIAN should already have been defined
+ */
+
+#if ENDIANESS_IN_SYS_PARAM_H
+#  include <sys/types.h>
+#  include <sys/param.h>
+#  if BYTE_ORDER == BIG_ENDIAN
+#  define WORDS_BIGENDIAN 1
+#  endif
+#endif
diff --git a/crypto/heimdal/acinclude.m4 b/crypto/heimdal/acinclude.m4
new file mode 100644
index 0000000..ff87042
--- /dev/null
+++ b/crypto/heimdal/acinclude.m4
@@ -0,0 +1,9 @@
+dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/aclocal.m4 b/crypto/heimdal/aclocal.m4
new file mode 100644
index 0000000..3435fec
--- /dev/null
+++ b/crypto/heimdal/aclocal.m4
@@ -0,0 +1,1615 @@
+dnl aclocal.m4 generated automatically by aclocal 1.4
+
+dnl Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+dnl even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+dnl PARTICULAR PURPOSE.
+
+dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
+
+# Like AC_CONFIG_HEADER, but automatically create stamp file.
+
+AC_DEFUN(AM_CONFIG_HEADER,
+[AC_PREREQ([2.12])
+AC_CONFIG_HEADER([$1])
+dnl When config.status generates a header, we must update the stamp-h file.
+dnl This file resides in the same directory as the config header
+dnl that is generated.  We must strip everything past the first ":",
+dnl and everything past the last "/".
+AC_OUTPUT_COMMANDS(changequote(<<,>>)dnl
+ifelse(patsubst(<<$1>>, <<[^ ]>>, <<>>), <<>>,
+<<test -z "<<$>>CONFIG_HEADERS" || echo timestamp > patsubst(<<$1>>, <<^\([^:]*/\)?.*>>, <<\1>>)stamp-h<<>>dnl>>,
+<<am_indx=1
+for am_file in <<$1>>; do
+  case " <<$>>CONFIG_HEADERS " in
+  *" <<$>>am_file "*<<)>>
+    echo timestamp > `echo <<$>>am_file | sed -e 's%:.*%%' -e 's%[^/]*$%%'`stamp-h$am_indx
+    ;;
+  esac
+  am_indx=`expr "<<$>>am_indx" + 1`
+done<<>>dnl>>)
+changequote([,]))])
+
+# Do all the work for Automake.  This macro actually does too much --
+# some checks are only needed if your package does certain things.
+# But this isn't really a big deal.
+
+# serial 1
+
+dnl Usage:
+dnl AM_INIT_AUTOMAKE(package,version, [no-define])
+
+AC_DEFUN(AM_INIT_AUTOMAKE,
+[AC_REQUIRE([AC_PROG_INSTALL])
+PACKAGE=[$1]
+AC_SUBST(PACKAGE)
+VERSION=[$2]
+AC_SUBST(VERSION)
+dnl test to see if srcdir already configured
+if test "`cd $srcdir && pwd`" != "`pwd`" && test -f $srcdir/config.status; then
+  AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+fi
+ifelse([$3],,
+AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
+AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package]))
+AC_REQUIRE([AM_SANITY_CHECK])
+AC_REQUIRE([AC_ARG_PROGRAM])
+dnl FIXME This is truly gross.
+missing_dir=`cd $ac_aux_dir && pwd`
+AM_MISSING_PROG(ACLOCAL, aclocal, $missing_dir)
+AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir)
+AM_MISSING_PROG(AUTOMAKE, automake, $missing_dir)
+AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir)
+AM_MISSING_PROG(MAKEINFO, makeinfo, $missing_dir)
+AC_REQUIRE([AC_PROG_MAKE_SET])])
+
+#
+# Check to make sure that the build environment is sane.
+#
+
+AC_DEFUN(AM_SANITY_CHECK,
+[AC_MSG_CHECKING([whether build environment is sane])
+# Just in case
+sleep 1
+echo timestamp > conftestfile
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftestfile 2> /dev/null`
+   if test "[$]*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftestfile`
+   fi
+   if test "[$]*" != "X $srcdir/configure conftestfile" \
+      && test "[$]*" != "X conftestfile $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      AC_MSG_ERROR([ls -t appears to fail.  Make sure there is not a broken
+alias in your environment])
+   fi
+
+   test "[$]2" = conftestfile
+   )
+then
+   # Ok.
+   :
+else
+   AC_MSG_ERROR([newly created file is older than distributed files!
+Check your system clock])
+fi
+rm -f conftest*
+AC_MSG_RESULT(yes)])
+
+dnl AM_MISSING_PROG(NAME, PROGRAM, DIRECTORY)
+dnl The program must properly implement --version.
+AC_DEFUN(AM_MISSING_PROG,
+[AC_MSG_CHECKING(for working $2)
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if ($2 --version) < /dev/null > /dev/null 2>&1; then
+   $1=$2
+   AC_MSG_RESULT(found)
+else
+   $1="$3/missing $2"
+   AC_MSG_RESULT(missing)
+fi
+AC_SUBST($1)])
+
+
+dnl AM_PROG_LEX
+dnl Look for flex, lex or missing, then run AC_PROG_LEX and AC_DECL_YYTEXT
+AC_DEFUN(AM_PROG_LEX,
+[missing_dir=ifelse([$1],,`cd $ac_aux_dir && pwd`,$1)
+AC_CHECK_PROGS(LEX, flex lex, "$missing_dir/missing flex")
+AC_PROG_LEX
+AC_DECL_YYTEXT])
+
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
+
+dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
+
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
+
+
+# serial 25 AM_PROG_LIBTOOL
+AC_DEFUN(AM_PROG_LIBTOOL,
+[AC_REQUIRE([AM_ENABLE_SHARED])dnl
+AC_REQUIRE([AM_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_PROG_RANLIB])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AM_PROG_LD])dnl
+AC_REQUIRE([AM_PROG_NM])dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+dnl
+# Always use our own libtool.
+LIBTOOL='$(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Check for any special flags to pass to ltconfig.
+libtool_flags=
+test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
+test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
+test "$silent" = yes && libtool_flags="$libtool_flags --silent"
+test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case "$host" in
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  CFLAGS="$CFLAGS -belf"
+  ;;
+esac
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+LD="$LD" NM="$NM" RANLIB="$RANLIB" LN_S="$LN_S" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
+|| AC_MSG_ERROR([libtool configure failed])
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+])
+
+# AM_ENABLE_SHARED - implement the --enable-shared flag
+# Usage: AM_ENABLE_SHARED[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AM_ENABLE_SHARED,
+[define([AM_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(shared,
+changequote(<<, >>)dnl
+<<  --enable-shared[=PKGS]  build shared libraries [default=>>AM_ENABLE_SHARED_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_shared=yes ;;
+no) enable_shared=no ;;
+*)
+  enable_shared=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_shared=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_shared=AM_ENABLE_SHARED_DEFAULT)dnl
+])
+
+# AM_DISABLE_SHARED - set the default shared flag to --disable-shared
+AC_DEFUN(AM_DISABLE_SHARED,
+[AM_ENABLE_SHARED(no)])
+
+# AM_DISABLE_STATIC - set the default static flag to --disable-static
+AC_DEFUN(AM_DISABLE_STATIC,
+[AM_ENABLE_STATIC(no)])
+
+# AM_ENABLE_STATIC - implement the --enable-static flag
+# Usage: AM_ENABLE_STATIC[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AM_ENABLE_STATIC,
+[define([AM_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(static,
+changequote(<<, >>)dnl
+<<  --enable-static[=PKGS]  build static libraries [default=>>AM_ENABLE_STATIC_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_static=yes ;;
+no) enable_static=no ;;
+*)
+  enable_static=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_static=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_static=AM_ENABLE_STATIC_DEFAULT)dnl
+])
+
+
+# AM_PROG_LD - find the path to the GNU or non-GNU linker
+AC_DEFUN(AM_PROG_LD,
+[AC_ARG_WITH(gnu-ld,
+[  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]],
+test "$withval" = no || with_gnu_ld=yes, with_gnu_ld=no)
+AC_REQUIRE([AC_PROG_CC])
+ac_prog=ld
+if test "$ac_cv_prog_gcc" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by GCC])
+  ac_prog=`($CC -print-prog-name=ld) 2>&5`
+  case "$ac_prog" in
+  # Accept absolute paths.
+changequote(,)dnl
+  /* | [A-Za-z]:\\*)
+changequote([,])dnl
+    test -z "$LD" && LD="$ac_prog"
+    ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(ac_cv_path_LD,
+[if test -z "$LD"; then
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog"; then
+      ac_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	test "$with_gnu_ld" != no && break
+      else
+        test "$with_gnu_ld" != yes && break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+else
+  ac_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$ac_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_SUBST(LD)
+AM_PROG_LD_GNU
+])
+
+AC_DEFUN(AM_PROG_LD_GNU,
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], ac_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  ac_cv_prog_gnu_ld=yes
+else
+  ac_cv_prog_gnu_ld=no
+fi])
+])
+
+# AM_PROG_NM - find the path to a BSD-compatible name lister
+AC_DEFUN(AM_PROG_NM,
+[AC_MSG_CHECKING([for BSD-compatible nm])
+AC_CACHE_VAL(ac_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  ac_cv_path_NM="$NM"
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/nm; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+        ac_cv_path_NM="$ac_dir/nm -B"
+      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+        ac_cv_path_NM="$ac_dir/nm -p"
+      else
+        ac_cv_path_NM="$ac_dir/nm"
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
+fi])
+NM="$ac_cv_path_NM"
+AC_MSG_RESULT([$NM])
+AC_SUBST(NM)
+])
+
+dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
+dnl
+dnl set WFLAGS
+
+AC_DEFUN(AC_WFLAGS,[
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+AC_SUBST(WFLAGS)dnl
+AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
+])
+
+dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
+
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
+
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
+
+dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+@@@libs="$libs $2"@@@
+END
+
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
+
+# Define a conditional.
+
+AC_DEFUN(AM_CONDITIONAL,
+[AC_SUBST($1_TRUE)
+AC_SUBST($1_FALSE)
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi])
+
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
+
+dnl $Id: check-man.m4,v 1.2 1999/03/21 14:30:50 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(AC_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$ext'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+
+])
+dnl
+dnl $Id: krb-bigendian.m4,v 1.5 2000/01/08 10:34:44 assar Exp $
+dnl
+
+dnl check if this computer is little or big-endian
+dnl if we can figure it out at compile-time then don't define the cpp symbol
+dnl otherwise test for it and define it.  also allow options for overriding
+dnl it when cross-compiling
+
+AC_DEFUN(KRB_C_BIGENDIAN, [
+AC_ARG_ENABLE(bigendian,
+[  --enable-bigendian	the target is big endian],
+krb_cv_c_bigendian=yes)
+AC_ARG_ENABLE(littleendian,
+[  --enable-littleendian	the target is little endian],
+krb_cv_c_bigendian=no)
+AC_CACHE_CHECK(whether byte order is known at compile time,
+krb_cv_c_bigendian_compile,
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+if test "$krb_cv_c_bigendian_compile" = "no"; then
+  AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian" = ""; then
+    krb_cv_c_bigendian=unknown
+  fi
+  AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+  if test "$krb_cv_c_bigendian" = "unknown"; then
+    AC_TRY_RUN([main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+      } u;
+      u.l = 1;
+      exit (u.c[sizeof (long) - 1] == 1);
+    }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+    AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  fi
+  ])
+  if test "$krb_cv_c_bigendian" = "yes"; then
+    AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+  fi
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
+fi
+])
+
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
+
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
+
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
+
+dnl $Id: have-type.m4,v 1.5 1999/12/31 03:10:22 assar Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+AC_REQUIRE([AC_HEADER_STDC])
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+dnl autoheader tricks *sigh*
+define(foo,translit($1, [ ], [_]))
+: << END
+@@@funcs="$funcs foo"@@@
+END
+undefine([foo])
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+])
+
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_MSG_CHECKING([for $i])
+AC_CACHE_VAL([ac_cv_header_$cv],
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
+changequote(, )dnl
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+changequote([, ])dnl
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+dnl autoheader tricks *sigh*
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+])
+
+dnl $Id: krb-ipv6.m4,v 1.8 2000/01/01 11:44:45 assar Exp $
+dnl
+dnl test for IPv6
+dnl
+AC_DEFUN(AC_KRB_IPV6, [
+AC_ARG_WITH(ipv6,
+[  --without-ipv6	do not enable IPv6 support],[
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi])
+AC_CACHE_VAL(ac_cv_lib_ipv6,
+[dnl check for different v6 implementations (by itojun)
+v6type=unknown
+v6lib=none
+
+AC_MSG_CHECKING([ipv6 stack type])
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		AC_EGREP_CPP(yes, [dnl
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif],
+			[v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
+		;;
+	toshiba)
+		AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	kame)
+		AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	inria)
+		AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif],
+			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	zeta)
+		AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+AC_MSG_RESULT($v6type)
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+AC_TRY_LINK([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+],
+[
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+],
+ac_cv_lib_ipv6=yes,
+ac_cv_lib_ipv6=no)])
+AC_MSG_CHECKING(for IPv6)
+AC_MSG_RESULT($ac_cv_lib_ipv6)
+if test "$ac_cv_lib_ipv6" = yes; then
+  AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
+fi
+])
+
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
+
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
+
+dnl $Id: broken-glob.m4,v 1.2 1999/03/01 09:52:15 joda Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
+
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
+
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
+
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+END
+done
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
+dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl AC_CHECK_VAR(includes, variable)
+AC_DEFUN(AC_CHECK_VAR, [
+AC_MSG_CHECKING(for $2)
+AC_CACHE_VAL(ac_cv_var_$2, [
+AC_TRY_LINK([extern int $2;
+int foo() { return $2; }],
+	    [foo()],
+	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+])
+define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
+
+AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
+if test `eval echo \\$ac_cv_var_$2` = yes; then
+	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
+	AC_CHECK_DECLARATION([$1],[$2])
+fi
+undefine([foo])
+])
+
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
+
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
+
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
+
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
+
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
+
+dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
+dnl
+dnl Figure what authentication modules should be built
+
+AC_DEFUN(AC_AUTH_MODULES,[
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+])
+
diff --git a/crypto/heimdal/admin/Makefile.am b/crypto/heimdal/admin/Makefile.am
new file mode 100644
index 0000000..2b9d5b9
--- /dev/null
+++ b/crypto/heimdal/admin/Makefile.am
@@ -0,0 +1,29 @@
+# $Id: Makefile.am,v 1.30 2000/01/06 08:02:37 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_readline)
+
+man_MANS = ktutil.8
+
+sbin_PROGRAMS = ktutil
+
+ktutil_SOURCES = add.c				\
+		 change.c			\
+		 copy.c				\
+		 get.c				\
+		 ktutil.c			\
+		 list.c				\
+		 purge.c			\
+		 remove.c			\
+		 srvconvert.c			\
+		 srvcreate.c
+
+LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/admin/Makefile.in b/crypto/heimdal/admin/Makefile.in
new file mode 100644
index 0000000..52665a5
--- /dev/null
+++ b/crypto/heimdal/admin/Makefile.in
@@ -0,0 +1,680 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.30 2000/01/06 08:02:37 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_readline)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+man_MANS = ktutil.8
+
+sbin_PROGRAMS = ktutil
+
+ktutil_SOURCES = add.c						 change.c					 copy.c						 get.c						 ktutil.c					 list.c						 purge.c					 remove.c					 srvconvert.c					 srvcreate.c
+
+
+LDADD =  	$(top_builddir)/lib/kadm5/libkadm5clnt.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/sl/libsl.la 	$(LIB_readline) 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+sbin_PROGRAMS =  ktutil$(EXEEXT)
+PROGRAMS =  $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+ktutil_OBJECTS =  add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
+get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \
+remove.$(OBJEXT) srvconvert.$(OBJEXT) srvcreate.$(OBJEXT)
+ktutil_LDADD = $(LDADD)
+ktutil_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/sl/libsl.la
+ktutil_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(ktutil_SOURCES)
+OBJECTS = $(ktutil_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign admin/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES)
+	@rm -f ktutil$(EXEEXT)
+	$(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS)
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = admin
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-sbinPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-sbinPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-sbinPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS \
+clean-sbinPROGRAMS maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/admin/add.c b/crypto/heimdal/admin/add.c
new file mode 100644
index 0000000..954b5f8
--- /dev/null
+++ b/crypto/heimdal/admin/add.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: add.c,v 1.1 2000/01/02 04:41:00 assar Exp $");
+
+int
+kt_add(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_keytab_entry entry;
+    char buf[128];
+    char *principal_string = NULL;
+    int kvno = -1;
+    char *enctype_string = NULL;
+    krb5_enctype enctype;
+    char *password_string = NULL;
+    int salt_flag = 1;
+    int random_flag = 0;
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "principal", 'p', arg_string, NULL, "principal of key", "principal"},
+	{ "kvno", 'V', arg_integer, NULL, "key version of key" },
+	{ "enctype", 'e', arg_string, NULL, "encryption type of key" },
+	{ "password", 'w', arg_string, NULL, "password for key"},
+	{ "salt", 's',	arg_negative_flag, NULL, "no salt" },
+	{ "random",  'r', arg_flag, NULL, "generate random key" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    args[i++].value = &principal_string;
+    args[i++].value = &kvno;
+    args[i++].value = &enctype_string;
+    args[i++].value = &password_string;
+    args[i++].value = &salt_flag;
+    args[i++].value = &random_flag;
+    args[i++].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil add", "");
+	return 0;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil add", "");
+	return 0;
+    }
+    if(principal_string == NULL) {
+	printf("Principal: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 0;
+	buf[strcspn(buf, "\r\n")] = '\0';
+	principal_string = buf;
+    }
+    ret = krb5_parse_name(context, principal_string, &entry.principal);
+    if(ret) {
+	krb5_warn(context, ret, "%s", principal_string);
+	return 0;
+    }
+    if(enctype_string == NULL) {
+	printf("Encryption type: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL) {
+	    krb5_free_principal (context, entry.principal);
+	    return 0;
+	}
+	buf[strcspn(buf, "\r\n")] = '\0';
+	enctype_string = buf;
+    }
+    ret = krb5_string_to_enctype(context, enctype_string, &enctype);
+    if(ret) {
+	int t;
+	if(sscanf(enctype_string, "%d", &t) == 1)
+	    enctype = t;
+	else {
+	    krb5_warn(context, ret, "%s", enctype_string);
+	    krb5_free_principal(context, entry.principal);
+	    return 0;
+	}
+    }
+    if(kvno == -1) {
+	printf("Key version: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL) {
+	    krb5_free_principal (context, entry.principal);
+	    return 0;
+	}
+	buf[strcspn(buf, "\r\n")] = '\0';
+	kvno = atoi(buf);
+    }
+    if(password_string == NULL && random_flag == 0) {
+	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 1)) {
+	    krb5_free_principal (context, entry.principal);
+	    return 0;
+	}
+	password_string = buf;
+    }
+    if(password_string) {
+	if (!salt_flag) {
+	    krb5_salt salt;
+	    krb5_data pw;
+
+	    salt.salttype         = KRB5_PW_SALT;
+	    salt.saltvalue.data   = NULL;
+	    salt.saltvalue.length = 0;
+	    pw.data = (void*)password_string;
+	    pw.length = strlen(password_string);
+	    krb5_string_to_key_data_salt(context, enctype, pw, salt,
+					 &entry.keyblock);
+        } else {
+	    krb5_string_to_key(context, enctype, password_string, 
+			       entry.principal, &entry.keyblock);
+	}
+	memset (password_string, 0, strlen(password_string));
+    } else {
+	krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
+    }
+    entry.vno = kvno;
+    entry.timestamp = time (NULL);
+    ret = krb5_kt_add_entry(context, keytab, &entry);
+    if(ret)
+	krb5_warn(context, ret, "add");
+    krb5_kt_free_entry(context, &entry);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/change.c b/crypto/heimdal/admin/change.c
new file mode 100644
index 0000000..3de4f86
--- /dev/null
+++ b/crypto/heimdal/admin/change.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: change.c,v 1.1 2000/01/02 04:41:00 assar Exp $");
+
+static void
+change_entry (krb5_context context, krb5_keytab_entry *entry,
+	      const char *realm, const char *admin_server, int server_port)
+{
+    krb5_error_code ret;
+    kadm5_config_params conf;
+    void *kadm_handle;
+    char *client_name;
+    krb5_keyblock *keys;
+    int num_keys;
+    int i;
+
+    ret = krb5_unparse_name (context, entry->principal, &client_name);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_c_init_with_skey_ctx");
+	return;
+    }
+
+    memset (&conf, 0, sizeof(conf));
+
+    if(realm)
+	conf.realm = (char *)realm;
+    else
+	conf.realm = *krb5_princ_realm (context, entry->principal);
+    conf.mask |= KADM5_CONFIG_REALM;
+    
+    if (admin_server) {
+	conf.admin_server = (char *)admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    ret = kadm5_init_with_skey_ctx (context,
+				    client_name,
+				    keytab_string,
+				    KADM5_ADMIN_SERVICE,
+				    &conf, 0, 0,
+				    &kadm_handle);
+    free (client_name);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_c_init_with_skey_ctx");
+	return;
+    }
+    ret = kadm5_randkey_principal (kadm_handle, entry->principal,
+				   &keys, &num_keys);
+    kadm5_destroy (kadm_handle);
+    if (ret) {
+	krb5_warn(context, ret, "kadm5_randkey_principal");
+	return;
+    }
+    for (i = 0; i < num_keys; ++i) {
+	krb5_keytab_entry new_entry;
+
+	new_entry = *entry;
+	new_entry.timestamp = time (NULL);
+	++new_entry.vno;
+	new_entry.keyblock  = keys[i];
+
+	ret = krb5_kt_add_entry (context, keytab, &new_entry);
+	if (ret)
+	    krb5_warn (context, ret, "krb5_kt_add_entry");
+	krb5_free_keyblock_contents (context, &keys[i]);
+    }
+}
+
+/*
+ * loop over all the entries in the keytab (or those given) and change
+ * their keys, writing the new keys
+ */
+
+int
+kt_change (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    char *realm = NULL;
+    char *admin_server = NULL;
+    int server_port = 0;
+    int help_flag = 0;
+    int optind = 0;
+    int j, max;
+    krb5_principal *princs;
+    
+    struct getargs args[] = {
+	{ "realm",	'r',	arg_string,   NULL, 
+	  "realm to use", "realm" 
+	},
+	{ "admin-server",	'a',	arg_string, NULL,
+	  "server to contact", "host" 
+	},
+	{ "server-port",	's',	arg_integer, NULL,
+	  "port to contact", "port number" 
+	},
+	{ "help",		'h',	arg_flag,    NULL }
+    };
+
+    args[0].value = &realm;
+    args[1].value = &admin_server;
+    args[2].value = &server_port;
+    args[3].value = &help_flag;
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
+       || help_flag) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
+		       "ktutil change", "principal...");
+	return 0;
+    }
+    
+    j = 0;
+    max = 10;
+    princs = malloc (max * sizeof(*princs));
+    if (princs == NULL) {
+	krb5_warnx (context, "malloc: out of memory");
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	return 1;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	int i;
+	int done = 0;
+
+	for (i = 0; i < j; ++i)
+	    if (krb5_principal_compare (context, princs[i],
+					entry.principal))
+		break;
+	if (i < j)
+	    continue;
+
+	if (optind == argc) {
+	    change_entry (context, &entry, realm, admin_server, server_port);
+	    done = 1;
+	} else {
+	    for (i = optind; i < argc; ++i) {
+		krb5_principal princ;
+
+		ret = krb5_parse_name (context, argv[i], &princ);
+		if (ret) {
+		    krb5_warn (context, ret, "krb5_parse_name %s", argv[i]);
+		    continue;
+		}
+		if (krb5_principal_compare (context, princ, entry.principal)) {
+		    change_entry (context, &entry,
+				  realm, admin_server, server_port);
+		    done = 1;
+		}
+		krb5_free_principal (context, princ);
+	    }
+	}
+	if (done) {
+	    if (j >= max) {
+		void *tmp;
+
+		max *= 2;
+		tmp = realloc (princs, max * sizeof(*princs));
+		if (tmp == NULL) {
+		    krb5_kt_free_entry (context, &entry);
+		    krb5_warnx (context, "realloc: out of memory");
+		    break;
+		}
+		princs = tmp;
+	    }
+	    ret = krb5_copy_principal (context, entry.principal, &princs[j]);
+	    if (ret) {
+		krb5_warn (context, ret, "krb5_copy_principal");
+		krb5_kt_free_entry (context, &entry);
+		break;
+	    }
+	    ++j;
+	}
+	krb5_kt_free_entry (context, &entry);
+    }
+    while (j-- > 0)
+	krb5_free_principal (context, princs[j]);
+    free (princs);
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/copy.c b/crypto/heimdal/admin/copy.c
new file mode 100644
index 0000000..d846610
--- /dev/null
+++ b/crypto/heimdal/admin/copy.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: copy.c,v 1.1 2000/01/02 04:41:01 assar Exp $");
+
+int
+kt_copy (int argc, char **argv)
+{
+    krb5_error_code ret;
+    int help_flag = 0;
+    int optind = 0;
+    krb5_keytab src_keytab, dst_keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+
+    struct getargs args[] = {
+	{ "help", 'h', arg_flag, NULL}
+    };
+
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int i = 0;
+
+    args[i++].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 0;
+    }
+    if (help_flag) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 0;
+    }
+
+    argv += optind;
+    argc -= optind;
+
+    if (argc != 2) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 0;
+    }
+
+    ret = krb5_kt_resolve (context, argv[0], &src_keytab);
+    if (ret) {
+	krb5_warn (context, ret, "resolving src keytab `%s'", argv[0]);
+	return 0;
+    }
+
+    ret = krb5_kt_resolve (context, argv[1], &dst_keytab);
+    if (ret) {
+	krb5_kt_close (context, src_keytab);
+	krb5_warn (context, ret, "resolving dst keytab `%s'", argv[1]);
+	return 0;
+    }
+
+    ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_kt_start_seq_get");
+	goto fail;
+    }
+
+    while((ret = krb5_kt_next_entry(context, src_keytab,
+				    &entry, &cursor)) == 0) {
+	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+	if (verbose_flag) {
+	    char *name_str;
+
+	    krb5_unparse_name (context, entry.principal, &name_str);
+	    printf ("copying %s\n", name_str);
+	    free (name_str);
+	}
+
+	krb5_kt_free_entry (context, &entry);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_kt_add_entry");
+	    break;
+	}
+    }
+    krb5_kt_end_seq_get (context, src_keytab, &cursor);
+
+fail:
+    krb5_kt_close (context, src_keytab);
+    krb5_kt_close (context, dst_keytab);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/get.c b/crypto/heimdal/admin/get.c
new file mode 100644
index 0000000..143ffa2
--- /dev/null
+++ b/crypto/heimdal/admin/get.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: get.c,v 1.15 2000/01/02 04:41:01 assar Exp $");
+
+int
+kt_get(int argc, char **argv)
+{
+    krb5_error_code ret;
+    kadm5_config_params conf;
+    void *kadm_handle;
+    char *principal = NULL;
+    char *realm = NULL;
+    char *admin_server = NULL;
+    int server_port = 0;
+    int help_flag = 0;
+    int optind = 0;
+    int i, j;
+    
+    struct getargs args[] = {
+	{ "principal",	'p',	arg_string,   NULL, 
+	  "admin principal", "principal" 
+	},
+	{ "realm",	'r',	arg_string,   NULL, 
+	  "realm to use", "realm" 
+	},
+	{ "admin-server",	'a',	arg_string, NULL,
+	  "server to contact", "host" 
+	},
+	{ "server-port",	's',	arg_integer, NULL,
+	  "port to contact", "port number" 
+	},
+	{ "help",		'h',	arg_flag,    NULL }
+    };
+
+    args[0].value = &principal;
+    args[1].value = &realm;
+    args[2].value = &admin_server;
+    args[3].value = &server_port;
+    args[4].value = &help_flag;
+
+    memset(&conf, 0, sizeof(conf));
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
+       || help_flag) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
+		       "ktutil get", "principal...");
+	return 0;
+    }
+    
+    if(realm) {
+	krb5_set_default_realm(context, realm); /* XXX should be fixed
+						   some other way */
+	conf.realm = realm;
+	conf.mask |= KADM5_CONFIG_REALM;
+    }
+    
+    if (admin_server) {
+	conf.admin_server = admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       principal,
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &conf, 0, 0, 
+				       &kadm_handle);
+    if(ret) {
+	krb5_warn(context, ret, "kadm5_init_with_password");
+	return 0;
+    }
+    
+    
+    for(i = optind; i < argc; i++){
+	krb5_principal princ_ent;
+	kadm5_principal_ent_rec princ;
+	int mask = 0;
+	krb5_keyblock *keys;
+	int n_keys;
+	int created = 0;
+	krb5_keytab_entry entry;
+
+	ret = krb5_parse_name(context, argv[i], &princ_ent);
+	memset(&princ, 0, sizeof(princ));
+	princ.principal = princ_ent;
+	mask |= KADM5_PRINCIPAL;
+	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	mask |= KADM5_ATTRIBUTES;
+	princ.princ_expire_time = 0;
+	mask |= KADM5_PRINC_EXPIRE_TIME;
+	
+	ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
+	if(ret == 0)
+	    created++;
+	else if(ret != KADM5_DUP) {
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
+	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
+	
+	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	mask = KADM5_ATTRIBUTES;
+	if(created) {
+	    princ.kvno = 1;
+	    mask |= KADM5_KVNO;
+	}
+	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+	for(j = 0; j < n_keys; j++) {
+	    entry.principal = princ_ent;
+	    entry.vno = princ.kvno;
+	    entry.keyblock = keys[j];
+	    entry.timestamp = time (NULL);
+	    ret = krb5_kt_add_entry(context, keytab, &entry);
+	    krb5_free_keyblock_contents(context, &keys[j]);
+	}
+	
+	kadm5_free_principal_ent(kadm_handle, &princ);
+	krb5_free_principal(context, princ_ent);
+    }
+    kadm5_destroy(kadm_handle);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/ktutil.8 b/crypto/heimdal/admin/ktutil.8
new file mode 100644
index 0000000..b70fc93
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil.8
@@ -0,0 +1,119 @@
+.\" $Id: ktutil.8,v 1.6 2000/01/02 05:07:50 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt KTUTIL 8
+.Os HEIMDAL
+.Sh NAME
+.Nm ktutil
+.Ar command
+.Nd
+handle a keytab
+.Sh SYNOPSIS
+.Nm
+.Op Fl k Ar keytab
+.Op Fl -keytab= Ns Ar keytab
+.Op Fl v
+.Op Fl -version
+.Op Fl h
+.Op Fl -help
+.Ar command
+.Sh DESCRIPTION
+.Nm
+is a program for managing keytabs.
+.Ar command
+can be one of the following:
+.Bl -tag -width Ds
+.It add Xo
+.Op Fl p Ar principal
+.Op Fl -principal= Ns Ar principal
+.Op Fl V Ar kvno
+.Op Fl -kvno= Ns Ar kvno
+.Op Fl e Ar encype
+.Op Fl -enctype= Ns Ar enctype
+.Op Fl w Ar password
+.Op Fl -password= Ns Ar password
+.Op Fl r
+.Op Fl -random
+.Op Fl s
+.Op Fl -no-salt
+.Xc
+Adds a key to the keytab. Options that are not specified will be
+prompted for.
+.It change Xo
+.Op Fl r Ar realm
+.Op Fl -realm= Ns Ar realm
+.Op Fl -a Ar host
+.Op Fl -admin-server= Ns Ar hots
+.Op Fl -s Ar port
+.Op Fl -server-port= Ns Ar port
+.Xc
+Update one or several keys to new versions.  By default, use the admin
+server for the realm of an keytab entry.  Otherwise it will use the
+values specified by the options.
+.Pp
+If no principals are given, all the ones in the keytab are updated.
+.It copy Xo
+.Ar keytab-src
+.Ar keytab-dest
+.Xc
+Copies all the entries from
+.Ar keytab-src
+to
+.Ar keytab-dest .
+.It get Xo
+.Op Fl p Ar admin principal
+.Op Fl -principal= Ns Ar admin principal
+.Op Fl r Ar realm
+.Op Fl -realm= Ns Ar realm
+.Op Fl a Ar admin server
+.Op Fl -admin-server= Ns Ar admin server
+.Op Fl s Ar server port
+.Op Fl -server-port= Ns Ar server port
+.Ar principal
+.Xc
+Get a key for
+.Nm principal
+and store it in a keytab.
+.It list
+List the keys stored in the keytab.
+.It remove Xo
+.Op Fl p Ar principal
+.Op Fl -principal= Ns Ar principal
+.Op Fl V kvno
+.Op Fl -kvno= Ns Ar kvno
+.Op Fl e enctype
+.Op Fl -enctype= Ns Ar enctype
+.Xc
+Removes the specified key or keys. Not specifying a
+.Ar kvno
+removes keys with any version number. Not specifying a
+.Ar enctype
+removes keys of any type.
+.It purge Xo
+.Op Fl -age= Ns Ar age
+.Xc
+Removes all old entries (for which there is a newer version) that are
+older than
+.Ar age
+seconds.
+.It srvconvert
+.It srv2keytab Xo
+.Op Fl s Ar srvtab
+.Op Fl -srvtab= Ns Ar srvtab
+.Xc
+Converts the version 4 srvtab in
+.Ar srvtab
+to a version 5 keytab and stores it in
+.Ar keytab .
+.It srvcreate
+.It key2srvtab Xo
+.Op Fl s Ar srvtab
+.Op Fl -srvtab= Ns Ar srvtab
+.Xc
+Converts the version 5 keytab in
+.Ar keytab
+to a version 4 srvtab and stores it in
+.Ar srvtab .
+.El
+.Sh SEE ALSO
+.Xr kadmin 8
diff --git a/crypto/heimdal/admin/ktutil.c b/crypto/heimdal/admin/ktutil.c
new file mode 100644
index 0000000..205bd89
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: ktutil.c,v 1.26 2000/02/07 04:29:25 assar Exp $");
+
+static int help_flag;
+static int version_flag;
+int verbose_flag;
+char *keytab_string; 
+
+static int help(int argc, char **argv);
+
+static SL_cmd cmds[] = {
+    { "add", 		kt_add,		"add",
+      "adds key to keytab" },
+    { "change",		kt_change,	"change [principal...]",
+      "get new key for principals (all)" },
+    { "copy",		kt_copy,	"copy src dst",
+      "copy one keytab to another" },
+    { "get", 		kt_get,		"get [principal...]",
+      "create key in database and add to keytab" },
+    { "list",		kt_list,	"list",
+      "shows contents of a keytab" },
+    { "purge",		kt_purge,	"purge",
+      "remove old and superceeded entries" },
+    { "remove", 	kt_remove,	"remove",
+      "remove key from keytab" },
+    { "srvconvert",	srvconv,	"srvconvert [flags]",
+      "convert v4 srvtab to keytab" },
+    { "srv2keytab" },
+    { "srvcreate",	srvcreate,	"srvcreate [flags]",
+      "convert keytab to v4 srvtab" },
+    { "key2srvtab" },
+    { "help",		help,		"help",			"" },
+    { NULL, 	NULL,		NULL, 			NULL }
+};
+
+static struct getargs args[] = {
+    { 
+	"version",
+	0,
+	arg_flag,
+	&version_flag,
+	NULL,
+	NULL 
+    },
+    { 
+	"help",	    
+	'h',   
+	arg_flag, 
+	&help_flag, 
+	NULL, 
+	NULL
+    },
+    { 
+	"keytab",	    
+	'k',   
+	arg_string, 
+	&keytab_string, 
+	"keytab", 
+	"keytab to operate on" 
+    },
+    {
+	"verbose",
+	'v',
+	arg_flag,
+	&verbose_flag,
+	"verbose",
+	"run verbosely"
+    }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+krb5_context context;
+krb5_keytab keytab;
+
+static int
+help(int argc, char **argv)
+{
+    sl_help(cmds, argc, argv);
+    return 0;
+}
+
+static void
+usage(int status)
+{
+    arg_printusage(args, num_args, NULL, "command");
+    exit(status);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    krb5_error_code ret;
+    set_progname(argv[0]);
+    krb5_init_context(&context);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argc -= optind;
+    argv += optind;
+    if(argc == 0)
+	usage(1);
+    if(keytab_string) {
+	ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    } else {
+	ret = krb5_kt_default(context, &keytab);
+    }
+    if(ret)
+	krb5_err(context, 1, ret, "resolving keytab");
+    ret = sl_command(cmds, argc, argv);
+    if(ret == -1)
+	krb5_warnx (context, "unrecognized command: %s", argv[0]);
+    krb5_kt_close(context, keytab);
+    return ret;
+}
diff --git a/crypto/heimdal/admin/ktutil_locl.h b/crypto/heimdal/admin/ktutil_locl.h
new file mode 100644
index 0000000..030ec1f
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil_locl.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: ktutil_locl.h,v 1.11 2000/02/07 04:26:37 assar Exp $
+ * $FreeBSD$
+ */
+
+#ifndef __KTUTIL_LOCL_H__
+#define __KTUTIL_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <roken.h>
+
+#include <openssl/des.h>
+
+#include <krb5.h>
+#include <kadm5/admin.h>
+#include <kadm5/kadm5_err.h>
+
+#include <sl.h>
+#include <getarg.h>
+
+extern krb5_context context;
+extern krb5_keytab keytab;
+
+extern int verbose_flag;
+extern char *keytab_string; 
+
+int kt_add (int argc, char **argv);
+int kt_change (int argc, char **argv);
+int kt_copy (int argc, char **argv);
+int kt_get (int argc, char **argv);
+int kt_list(int argc, char **argv);
+int kt_purge(int argc, char **argv);
+int kt_remove(int argc, char **argv);
+int srvconv(int argc, char **argv);
+int srvcreate(int argc, char **argv);
+
+#endif /* __KTUTIL_LOCL_H__ */
diff --git a/crypto/heimdal/admin/list.c b/crypto/heimdal/admin/list.c
new file mode 100644
index 0000000..1924a21
--- /dev/null
+++ b/crypto/heimdal/admin/list.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: list.c,v 1.1 2000/01/02 04:41:02 assar Exp $");
+
+int
+kt_list(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	return 1;
+    }
+    printf("%s", "Version");
+    printf("  ");
+    printf("%-15s", "Type");
+    printf("  ");
+    printf("%s", "Principal");
+    printf("\n");
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+	char *p;
+	printf("   %3d ", entry.vno);
+	printf("  ");
+	ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &p);
+	if (ret != 0) 
+	    asprintf(&p, "unknown (%d)", entry.keyblock.keytype);
+	printf("%-15s", p);
+	free(p);
+	printf("  ");
+	krb5_unparse_name(context, entry.principal, &p);
+	printf("%s ", p);
+	free(p);
+	printf("\n");
+	if (verbose_flag) {
+	    char tstamp[256];
+	    struct tm *tm;
+	    time_t ts = entry.timestamp;
+
+	    tm = gmtime (&ts);
+	    strftime (tstamp, sizeof(tstamp), "%Y-%m-%d %H:%M:%S UTC", tm);
+	    printf("   Timestamp: %s\n", tstamp);
+	}
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/purge.c b/crypto/heimdal/admin/purge.c
new file mode 100644
index 0000000..3e262c5
--- /dev/null
+++ b/crypto/heimdal/admin/purge.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: purge.c,v 1.1 2000/01/02 05:06:50 assar Exp $");
+
+/*
+ * keep track of the highest version for every principal.
+ */
+
+struct e {
+    krb5_principal principal;
+    int max_vno;
+    struct e *next;
+};
+
+static struct e *
+get_entry (krb5_principal princ, struct e *head)
+{
+    struct e *e;
+
+    for (e = head; e != NULL; e = e->next)
+	if (krb5_principal_compare (context, princ, e->principal))
+	    return e;
+    return NULL;
+}
+
+static void
+add_entry (krb5_principal princ, int vno, struct e **head)
+{
+    krb5_error_code ret;
+    struct e *e;
+
+    e = get_entry (princ, *head);
+    if (e != NULL) {
+	e->max_vno = max (e->max_vno, vno);
+	return;
+    }
+    e = malloc (sizeof (*e));
+    if (e == NULL)
+	krb5_errx (context, 1, "malloc: out of memory");
+    ret = krb5_copy_principal (context, princ, &e->principal);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_copy_principal");
+    e->max_vno = vno;
+    e->next    = *head;
+    *head      = e;
+}
+
+static void
+delete_list (struct e *head)
+{
+    while (head != NULL) {
+	struct e *next = head->next;
+	krb5_free_principal (context, head->principal);
+	free (head);
+	head = next;
+    }
+}
+
+/*
+ * Remove all entries that have newer versions and that are older
+ * than `age'
+ */
+
+int
+kt_purge(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    int help_flag = 0;
+    int age = 7 * 24 * 60 * 60;
+    struct getargs args[] = {
+	{ "age",   0,  arg_integer, NULL, "age to retire" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    struct e *head = NULL;
+    time_t judgement_day;
+
+    args[i++].value = &age;
+    args[i++].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 0;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 0;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	return 1;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	add_entry (entry.principal, entry.vno, &head);
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    judgement_day = time (NULL);
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get");
+	return 1;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	struct e *e = get_entry (entry.principal, head);
+
+	if (e == NULL) {
+	    krb5_warnx (context, "ignoring extra entry");
+	    continue;
+	}
+
+	if (entry.vno < e->max_vno
+	    && judgement_day - entry.timestamp > age) {
+	    if (verbose_flag) {
+		char *name_str;
+
+		krb5_unparse_name (context, entry.principal, &name_str);
+		printf ("removing %s vno %d\n", name_str, entry.vno);
+		free (name_str);
+	    }
+	    ret = krb5_kt_remove_entry (context, keytab, &entry);
+	    if (ret)
+		krb5_warn (context, ret, "remove");
+	}
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    delete_list (head);
+
+    return 0;
+}
diff --git a/crypto/heimdal/admin/remove.c b/crypto/heimdal/admin/remove.c
new file mode 100644
index 0000000..e19de0a
--- /dev/null
+++ b/crypto/heimdal/admin/remove.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: remove.c,v 1.1 2000/01/02 04:41:02 assar Exp $");
+
+int
+kt_remove(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_keytab_entry entry;
+    char *principal_string = NULL;
+    krb5_principal principal = NULL;
+    int kvno = 0;
+    char *keytype_string = NULL;
+    krb5_enctype enctype = 0;
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "principal", 'p', arg_string, NULL, "principal to remove" },
+	{ "kvno", 'V', arg_integer, NULL, "key version to remove" },
+	{ "enctype", 'e', arg_string, NULL, "enctype to remove" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    args[i++].value = &principal_string;
+    args[i++].value = &kvno;
+    args[i++].value = &keytype_string;
+    args[i++].value = &help_flag;
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 0;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 0;
+    }
+    if(principal_string) {
+	ret = krb5_parse_name(context, principal_string, &principal);
+	if(ret) {
+	    krb5_warn(context, ret, "%s", principal_string);
+	    return 0;
+	}
+    }
+    if(keytype_string) {
+	ret = krb5_string_to_enctype(context, keytype_string, &enctype);
+	if(ret) {
+	    int t;
+	    if(sscanf(keytype_string, "%d", &t) == 1)
+		enctype = t;
+	    else {
+		krb5_warn(context, ret, "%s", keytype_string);
+		if(principal)
+		    krb5_free_principal(context, principal);
+		return 0;
+	    }
+	}
+    }
+    if (!principal && !enctype && !kvno) {
+	krb5_warnx(context, 
+		   "You must give at least one of "
+		   "principal, enctype or kvno.");
+	return 0;
+    }
+    entry.principal = principal;
+    entry.keyblock.keytype = enctype;
+    entry.vno = kvno;
+    ret = krb5_kt_remove_entry(context, keytab, &entry);
+    if(ret)
+	krb5_warn(context, ret, "remove");
+    if(principal)
+	krb5_free_principal(context, principal);
+    return 0;
+}
+
diff --git a/crypto/heimdal/admin/srvconvert.c b/crypto/heimdal/admin/srvconvert.c
new file mode 100644
index 0000000..e4a2b11
--- /dev/null
+++ b/crypto/heimdal/admin/srvconvert.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: srvconvert.c,v 1.11 2000/01/02 03:56:21 assar Exp $");
+
+/* convert a version 4 srvtab to a version 5 keytab */
+
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+static char *srvtab = KEYFILE;
+static int help_flag;
+static int verbose;
+
+static struct getargs args[] = {
+    { "srvtab", 's', arg_string, &srvtab, "srvtab to convert", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "verbose", 'v', arg_flag, &verbose },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+srvconv(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optind = 0;
+    int fd;
+    krb5_storage *sp;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 1;
+    }
+
+    fd = open(srvtab, O_RDONLY);
+    if(fd < 0){
+	krb5_warn(context, errno, "%s", srvtab);
+	return 1;
+    }
+    sp = krb5_storage_from_fd(fd);
+    if(sp == NULL){
+	close(fd);
+	return 1;
+    }
+    while(1){
+	char *service, *instance, *realm;
+	int8_t kvno;
+	des_cblock key;
+	krb5_keytab_entry entry;
+	
+	ret = krb5_ret_stringz(sp, &service);
+	if(ret == KRB5_CC_END) {
+	    ret = 0;
+	    break;
+	}
+	if(ret) {
+	    krb5_warn(context, ret, "reading service");
+	    break;
+	}
+	ret = krb5_ret_stringz(sp, &instance);
+	if(ret) {
+	    krb5_warn(context, ret, "reading instance");
+	    free(service);
+	    break;
+	}
+	ret = krb5_ret_stringz(sp, &realm);
+	if(ret) {
+	    krb5_warn(context, ret, "reading realm");
+	    free(service);
+	    free(instance);
+	    break;
+	}
+	ret = krb5_425_conv_principal(context, service, instance, realm,
+				      &entry.principal);
+	free(service);
+	free(instance);
+	free(realm);
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_425_conv_principal (%s.%s@%s)",
+		      service, instance, realm);
+	    break;
+	}
+	
+	ret = krb5_ret_int8(sp, &kvno);
+	if(ret) {
+	    krb5_warn(context, ret, "reading kvno");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	ret = sp->fetch(sp, key, 8);
+	if(ret < 0){
+	    krb5_warn(context, errno, "reading key");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	if(ret < 8) {
+	    krb5_warn(context, errno, "end of file while reading key");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	
+	entry.vno = kvno;
+	entry.timestamp = time (NULL);
+	entry.keyblock.keyvalue.data = key;
+	entry.keyblock.keyvalue.length = 8;
+	
+	if(verbose){
+	    char *p;
+	    ret = krb5_unparse_name(context, entry.principal, &p);
+	    if(ret){
+		krb5_warn(context, ret, "krb5_unparse_name");
+		krb5_free_principal(context, entry.principal);
+		break;
+	    } else{
+		fprintf(stderr, "Storing keytab for %s\n", p);
+		free(p);
+	    }
+				    
+	}
+	entry.keyblock.keytype = ETYPE_DES_CBC_MD5;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	entry.keyblock.keytype = ETYPE_DES_CBC_MD4;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	entry.keyblock.keytype = ETYPE_DES_CBC_CRC;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	krb5_free_principal(context, entry.principal);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_kt_add_entry");
+	    break;
+	}
+    }
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
diff --git a/crypto/heimdal/admin/srvcreate.c b/crypto/heimdal/admin/srvcreate.c
new file mode 100644
index 0000000..bc86bc8
--- /dev/null
+++ b/crypto/heimdal/admin/srvcreate.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: srvcreate.c,v 1.3 1999/12/02 17:04:53 joda Exp $");
+
+/* convert a version 5 keytab to a version 4 srvtab */
+
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+static char *srvtab = KEYFILE;
+static int help_flag;
+static int verbose;
+
+static struct getargs args[] = {
+    { "srvtab", 's', arg_string, &srvtab, "srvtab to create", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "verbose", 'v', arg_flag, &verbose },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+srvcreate(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optind = 0;
+    int fd;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    char service[100], instance[100], realm[100];
+    int8_t kvno;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+        krb5_warn(context, ret, "krb5_kt_start_seq_get");
+        return 1;
+    }
+
+    fd = open(srvtab, O_WRONLY |O_APPEND |O_CREAT, 0600);
+    if(fd < 0){
+	krb5_warn(context, errno, "%s", srvtab);
+	return 1;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+      ret = krb5_524_conv_principal(context, entry.principal,
+				    service, instance, realm);
+      if(ret) {
+        krb5_warn(context, ret, "krb5_524_conv_principal");
+        close(fd);
+        return 1;
+      }
+      if ( (entry.keyblock.keyvalue.length == 8) && 
+           (entry.keyblock.keytype == ETYPE_DES_CBC_MD5) ) {
+	  if (verbose) {
+	      printf ("%s.%s@%s vno %d\n", service, instance, realm,
+		      entry.vno);
+	  }
+
+	  write(fd, service, strlen(service)+1);
+          write(fd, instance, strlen(instance)+1);
+          write(fd, realm, strlen(realm)+1);
+          kvno = entry.vno;
+          write(fd, &kvno, sizeof(kvno));
+          write(fd, entry.keyblock. keyvalue.data, 8);
+      }
+      krb5_kt_free_entry(context, &entry);
+    }
+
+    close(fd);
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    return ret;
+}
diff --git a/crypto/heimdal/appl/Makefile.am b/crypto/heimdal/appl/Makefile.am
new file mode 100644
index 0000000..307f450
--- /dev/null
+++ b/crypto/heimdal/appl/Makefile.am
@@ -0,0 +1,22 @@
+# $Id: Makefile.am,v 1.19 1999/10/17 10:51:26 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if OTP
+dir_otp = otp
+endif
+SUBDIRS = 					\
+	  afsutil				\
+	  ftp					\
+	  login					\
+	  $(dir_otp)				\
+	  popper				\
+	  push					\
+	  rsh					\
+	  su					\
+	  xnlock				\
+	  telnet				\
+	  test					\
+	  kx					\
+	  kf					\
+	  # kauth
diff --git a/crypto/heimdal/appl/Makefile.in b/crypto/heimdal/appl/Makefile.in
new file mode 100644
index 0000000..f78cfa3
--- /dev/null
+++ b/crypto/heimdal/appl/Makefile.in
@@ -0,0 +1,602 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.19 1999/10/17 10:51:26 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@OTP_TRUE@dir_otp = otp
+SUBDIRS =  	  afsutil					  ftp						  login						  $(dir_otp)					  popper					  push						  rsh						  su						  xnlock					  telnet					  test						  kx						  kf						  # kauth
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+DIST_SUBDIRS =  afsutil ftp login otp popper push rsh su xnlock telnet \
+test kx kf
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/ChangeLog b/crypto/heimdal/appl/afsutil/ChangeLog
new file mode 100644
index 0000000..5cdc960
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/ChangeLog
@@ -0,0 +1,23 @@
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* pagsh.c (main): use mkstemp to generate temporary file names.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (expand_cell_name): terminate on #.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+1999-06-27  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
+
+1999-06-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add pagsh
+
+	* pagsh.c: new file.  contributed by Miroslav Ruda <ruda@ics.muni.cz>
+
+Sat Mar 27 12:49:43 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* afslog.c: cleanup option parsing
diff --git a/crypto/heimdal/appl/afsutil/Makefile.am b/crypto/heimdal/appl/afsutil/Makefile.am
new file mode 100644
index 0000000..6d94758
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/Makefile.am
@@ -0,0 +1,21 @@
+# $Id: Makefile.am,v 1.11 1999/06/27 00:45:26 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+if KRB4
+AFSPROGS = afslog pagsh
+endif
+bin_PROGRAMS = $(AFSPROGS)
+
+afslog_SOURCES = afslog.c
+
+pagsh_SOURCES  = pagsh.c
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/afsutil/Makefile.in b/crypto/heimdal/appl/afsutil/Makefile.in
new file mode 100644
index 0000000..bf33ad1
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/Makefile.in
@@ -0,0 +1,654 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.11 1999/06/27 00:45:26 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@AFSPROGS = afslog pagsh
+bin_PROGRAMS = $(AFSPROGS)
+
+afslog_SOURCES = afslog.c
+
+pagsh_SOURCES = pagsh.c
+
+LDADD = $(LIB_kafs) 	$(LIB_krb4) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@KRB4_TRUE@bin_PROGRAMS =  afslog$(EXEEXT) pagsh$(EXEEXT)
+@KRB4_FALSE@bin_PROGRAMS = 
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+afslog_OBJECTS =  afslog.$(OBJEXT)
+afslog_LDADD = $(LDADD)
+@KRB4_TRUE@afslog_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@afslog_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la
+afslog_LDFLAGS = 
+pagsh_OBJECTS =  pagsh.$(OBJEXT)
+pagsh_LDADD = $(LDADD)
+@KRB4_TRUE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la
+pagsh_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
+OBJECTS = $(afslog_OBJECTS) $(pagsh_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/afsutil/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES)
+	@rm -f afslog$(EXEEXT)
+	$(LINK) $(afslog_LDFLAGS) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS)
+
+pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES)
+	@rm -f pagsh$(EXEEXT)
+	$(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/afsutil
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/afslog.c b/crypto/heimdal/appl/afsutil/afslog.c
new file mode 100644
index 0000000..431231f
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/afslog.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: afslog.c,v 1.11 1999/07/04 23:50:39 assar Exp $");
+#endif
+#include <ctype.h>
+#include <krb5.h>
+#include <kafs.h>
+#include <roken.h>
+#include <getarg.h>
+
+
+static int help_flag;
+static int version_flag;
+#if 0
+static int create_user;
+#endif
+static getarg_strings cells;
+static char *realm;
+static getarg_strings files;
+static int unlog_flag;
+static int verbose;
+
+struct getargs args[] = {
+    { "cell",	'c', arg_strings, &cells, "cell to get tokens for", "cell" },
+    { "file",	'p', arg_strings, &files, "file to get tokens for", "path" },
+    { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
+    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
+#if 0
+    { "create-user", 0, arg_flag, &create_user, "create user if not found" },
+#endif
+    { "verbose",'v', arg_flag, &verbose },
+    { "version", 0,  arg_flag, &version_flag },
+    { "help",	'h', arg_flag, &help_flag },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static const char *
+expand_cell_name(const char *cell)
+{
+    FILE *f;
+    static char buf[128];
+    char *p;
+
+    f = fopen(_PATH_CELLSERVDB, "r");
+    if(f == NULL)
+	return cell;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if(buf[0] == '>'){
+	    for(p=buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
+		;
+	    *p = '\0';
+	    if(strstr(buf, cell)){
+		fclose(f);
+		return buf + 1;
+	    }
+	}
+	buf[0] = 0;
+    }
+    fclose(f);
+    return cell;
+}
+
+#if 0
+static int
+createuser (char *cell)
+{
+    char cellbuf[64];
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    char cmd[1024];
+
+    if (cell == NULL) {
+	FILE *f;
+	int len;
+
+	f = fopen (_PATH_THISCELL, "r");
+	if (f == NULL)
+	    err (1, "open(%s)", _PATH_THISCELL);
+	if (fgets (cellbuf, sizeof(cellbuf), f) == NULL)
+	    err (1, "read cellname from %s", _PATH_THISCELL);
+	len = strlen(cellbuf);
+	if (cellbuf[len-1] == '\n')
+	    cellbuf[len-1] = '\0';
+	cell = cellbuf;
+    }
+
+    if(krb_get_default_principal(name, instance, realm))
+	errx (1, "Could not even figure out who you are");
+
+    snprintf (cmd, sizeof(cmd),
+	      "pts createuser %s%s%s@%s -cell %s",
+	      name, *instance ? "." : "", instance, strlwr(realm),
+	      cell);
+    DEBUG("Executing %s", cmd);
+    return system(cmd);
+}
+#endif
+
+static void
+usage(int ecode)
+{
+    arg_printusage(args, num_args, NULL, "[cell]... [path]...");
+    exit(ecode);
+}
+
+static int
+afslog_cell(krb5_context context, krb5_ccache id,
+	    const char *cell, int expand)
+{
+    const char *c = cell;
+    if(expand){
+	c = expand_cell_name(cell);
+	if(c == NULL){
+	    krb5_warnx(context, "No cell matching \"%s\" found.", cell);
+	    return -1;
+	}
+	if(verbose)
+	    krb5_warnx(context, "Cell \"%s\" expanded to \"%s\"", cell, c);
+    }
+    return krb5_afslog(context, id, c, realm);
+}
+
+static int
+afslog_file(krb5_context context, krb5_ccache id,
+	    const char *path)
+{
+    char cell[64];
+    if(k_afs_cell_of_file(path, cell, sizeof(cell))){
+	krb5_warnx(context, "No cell found for file \"%s\".", path);
+	return -1;
+    }
+    if(verbose)
+	krb5_warnx(context, "File \"%s\" lives in cell \"%s\"", path, cell);
+    return afslog_cell(context, id, cell, 0);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    krb5_context context;
+    krb5_ccache id;
+    int i;
+    int num;
+    int ret = 0;
+    
+    set_progname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    krb5_init_context(&context);
+    if(!k_hasafs())
+	krb5_errx(context, 1, 
+		  "AFS doesn't seem to be present on this machine");
+
+    if(unlog_flag){
+	k_unlog();
+	exit(0);
+    }
+    krb5_cc_default(context, &id);
+    num = 0;
+    for(i = 0; i < files.num_strings; i++){
+	afslog_file(context, id, files.strings[i]);
+	num++;
+    }
+    for(i = 0; i < cells.num_strings; i++){
+	afslog_cell(context, id, cells.strings[i], 1);
+	num++;
+    }
+    for(i = optind; i < argc; i++){
+	num++;
+	if(strcmp(argv[i], ".") == 0 ||
+	   strcmp(argv[i], "..") == 0 ||
+	   strchr(argv[i], '/') ||
+	   access(argv[i], F_OK) == 0)
+	    afslog_file(context, id, argv[i]);
+	else
+	    afslog_cell(context, id, argv[i], 1);
+    }    
+    if(num == 0) {
+	krb5_afslog(context, id, NULL, NULL);
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/appl/afsutil/pagsh.c b/crypto/heimdal/appl/afsutil/pagsh.c
new file mode 100644
index 0000000..6bddb40
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/pagsh.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: pagsh.c,v 1.3 1999/12/02 17:04:55 joda Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <time.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#include <kafs.h>
+
+#include <err.h>
+#include <roken.h>
+
+/*
+ * Run command with a new ticket file / credentials cache / token
+ */
+
+int
+main(int argc, char **argv)
+{
+  int f;
+  char tf[1024];
+  char *p;
+
+  char *path;
+  char **args;
+  int i;
+
+#ifdef KRB5
+  snprintf (tf, sizeof(tf), "%sXXXXXX", KRB5_DEFAULT_CCROOT);
+  f = mkstemp (tf + 5);
+  close (f);
+  unlink (tf + 5);
+  setenv("KRB5CCNAME", tf, 1);
+#endif
+
+#ifdef KRB4
+  snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
+  f = mkstemp (tf);
+  close (f);
+  unlink (tf);
+  setenv("KRBTKFILE", tf, 1);
+#endif
+
+  i = 0;
+
+  args = (char **) malloc((argc + 10)*sizeof(char *));
+  if (args == NULL)
+      errx (1, "Out of memory allocating %lu bytes",
+	    (unsigned long)((argc + 10)*sizeof(char *)));
+  
+  argv++;
+
+  if(*argv == NULL) {
+    path = getenv("SHELL");
+    if(path == NULL){
+      struct passwd *pw = k_getpwuid(geteuid());
+      path = strdup(pw->pw_shell);
+    }
+  } else {
+    if(strcmp(*argv, "-c") ==  0) argv++;
+    path = strdup(*argv++);
+  }
+  if (path == NULL)
+      errx (1, "Out of memory copying path");
+  
+  p=strrchr(path, '/');
+  if(p)
+    args[i] = strdup(p+1);
+  else
+    args[i] = strdup(path);
+
+  if (args[i++] == NULL)
+      errx (1, "Out of memory copying arguments");
+  
+  while(*argv)
+    args[i++] = *argv++;
+
+  args[i++] = NULL;
+
+  if(k_hasafs())
+    k_setpag();
+
+  unsetenv("PAGPID");
+  execvp(path, args);
+  if (errno == ENOENT) {
+      char **sh_args = malloc ((i + 2) * sizeof(char *));
+      int j;
+
+      if (sh_args == NULL)
+	  errx (1, "Out of memory copying sh arguments");
+      for (j = 1; j < i; ++j)
+	  sh_args[j + 2] = args[j];
+      sh_args[0] = "sh";
+      sh_args[1] = "-c";
+      sh_args[2] = path;
+      execv ("/bin/sh", sh_args);
+  }
+  err (1, "execvp");
+}
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog
new file mode 100644
index 0000000..bcf72a7
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ChangeLog
@@ -0,0 +1,419 @@
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_read): more paranoia with return value from
+	sec_get_data
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (hookup): handle ai_canonname being set in any of the
+	addresses returnedby getaddrinfo.  glibc apparently returns the
+	reverse lookup of every address in ai_canonname.
+	* ftp/ruserpass.c (guess_domain): dito
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c: don't use sa_len as a parameter, it's defined on
+ 	Irix
+
+1999-12-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (dataconn): make sure from points to actual data
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ruserpass.c (guess_domain): handle ai_canonname not being
+	set
+	* ftp/ftp.c (hookup): handle ai_canonname not being set
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): the nat-IP address might not be realm
+	bounded.
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (dolog): update prototype
+	* ftpd/ftpd.c (dolog): use getnameinfo_verified
+	* ftpd/ftpd.c: replace inaddr2str by getnameinfo
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ruserpass.c (guess_domain): re-write to use getaddrinfo
+	* ftp/ftp.c (hookup): re-write to use getaddrinfo
+	
+1999-11-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (getdatasock): make sure to keep the port-number of
+ 	the outgoing connections.  It has to be `ftp-data' or some people
+ 	might get upset.
+
+	* ftpd/ftpd.c (args): set correct variable when `-l' so that
+ 	logging actually works
+
+1999-11-29  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_login): check return value from realloc
+	(sec_end): set app_data to NULL
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): obtain the `local' address when doing
+	NAT.  also turn on passive mode.  From <thn@stacken.kth.se>
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast to allow for non-const
+ 	prototypes of readlink
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (args): use arg_counter for `l'
+	
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (S_ISSOCK, S_ISLNK): fallback definitions for systems
+ 	that don't have them (such as ultrix)
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast uid's and gid's to unsigned in
+ 	printf, we don't know what types they might be.
+	(lstat_file): conditionalize the kafs part on KRB4
+
+	* ftpd/ftpd_locl.h: <sys/ioccom.h> is needed for kafs.h
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (lstat_file): don't set st_mode, it should already be
+ 	correct
+
+	* ftpd/ls.c: don't use warnx to print errors
+
+	* ftpd/ls.c (builtin_ls): fix typo, 'd' shouldn't imply 'f'
+
+	* ftpd/ls.c (lstat_file): new function for avoiding stating AFS
+ 	mount points.  From Love <lha@s3.kth.se>
+	(list_files): use `lstat_file'
+
+	* ftpd/ftpd.c: some const-poisoning
+
+	* ftpd/ftpd.c (args): add `-B' as an alias for `--builtin-ls' to
+ 	allow for stupid inetds that only support two arguments.  From
+ 	Love <lha@s3.kth.se>
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y (help): it's unnecessary to interpret help strings
+ 	as printf commands
+
+	* ftpd/ftpd.c (show_issue): don't interpret contents of
+ 	/etc/issue* as printf commands.  From Brian A May
+ 	<bmay@dgs.monash.edu.au>
+
+1999-10-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/kauth.c (kauth): complain if protection level isn't
+	`private'
+
+	* ftp/krb4.c (krb4_decode): syslog failure reason
+
+	* ftp/kauth.c (kauth): set private level earlier
+
+	* ftp/security.c: get_command_prot; (sec_prot): partially match
+	`command' and `data'
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change `-l' flag to use arg_collect (this makes
+	`-ll' work again)
+
+	* ftpd/ftpd.c (list_file): pass filename to ls
+
+1999-10-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: FEAT
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c: fall-back definitions for constans and casts for
+ 	printfs
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (main): make this use getarg; add `list_file'
+
+	* ftpd/ftpcmd.y (LIST): call list_file
+
+	* ftpd/ls.c: add simple built-in ls
+
+	* ftp/security.c: add `sec_vfprintf2' and `sec_fprintf2' that
+	prints to the data stream
+
+	* ftp/kauth.c (kauth): make sure we're using private protection
+	level
+
+	* ftp/security.c (set_command_prot): set command protection level
+
+	* ftp/security.c: make it possible to set the command protection
+	level with `prot'
+
+1999-09-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add prototype for fclose to make sunos happy
+
+1999-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (do_login): show issue-file
+	(send_data): change handling of zero-byte files
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* ftp/cmds.c (getit): be more suspicious when parsing the result
+ 	of MDTM.  Do the comparison of timestamps correctly.
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (send_data): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+	* ftp/ftp.c (copy_stream): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (active_mode): hide failure of EPRT by setting verbose
+
+	* ftp/gssapi.c (gss_auth): initialize application_data in bindings
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: save file names when doing commands that might
+ 	get aborted (and longjmp:ed out of) to avoid overwriting them also
+ 	remove extra closing brace
+
+1999-08-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: change `site find' to `site locate' (to match
+	what it does, and other implementations) keep find as an alias
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* common/socket.c: moved to roken
+
+	* common/socket.c: new file with generic socket functions
+
+	* ftpd/ftpd.c: make it more AF-neutral and v6-capable
+
+	* ftpd/ftpcmd.y: add EPRT and EPSV
+
+	* ftpd/extern.h: update prototypes and variables
+
+	* ftp/krb4.c: update to new types of addresses
+
+	* ftp/gssapi.c: add support for both AF_INET and AF_INET6
+ 	addresses
+
+	* ftp/ftp.c: make it more AF-neutral and v6-capable
+
+	* ftp/extern.h (hookup): change prototype
+
+	* common/common.h: add prototypes for functions in socket.c
+
+	* common/Makefile.am (libcommon_a_SOURCES): add socket.c
+
+	* ftp/gssapi.c (gss_auth): check return value from
+ 	`gss_import_name' and print error messages if it fails
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): type correctness
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/ftp.c (sendrequest): lmode != rmode
+	
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* ftp/extern.h (sendrequest): update prototype
+
+	* ftp/cmds.c: update calls to sendrequest and recvrequest to send
+ 	"b" when appropriate
+
+	* ftp/ftp.c (sendrequest): add argument for mode to open file in.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: rename getline -> ftpd_getline
+
+	* ftp/main.c (makeargv): fill in unused slots with NULL
+
+Thu Apr  8 15:06:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+Wed Apr  7 16:15:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/gssapi.c (gss_auth): call gss_display_status to get a sane
+ 	error message; return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/krb4.c: return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/security.c (sec_login): if mechanism returns AUTH_CONTINUE,
+ 	just continue with the next mechanism, this fixes the case of
+ 	having GSSAPI fail because of non-existant of expired tickets
+
+	* ftp/security.h: add AUTH_{OK,CONTINUE,ERROR}
+
+Thu Apr  1 16:59:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: don't run check-local
+
+	* ftp/Makefile.am: don't run check-local
+
+Mon Mar 22 22:15:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (pass): fall-back for KRB_VERIFY_SECURE
+
+	* ftpd/ftpd.c (pass): 1 -> KRB_VERIFY_SECURE
+
+Thu Mar 18 12:07:09 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: clean ftpcmd.c
+
+	* ftpd/ftpd_locl.h: remove krb5.h (breaks in ftpcmd.y)
+
+	* ftpd/ftpd.c: move include of krb5.h here
+
+	* ftpd/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+	* ftp/Makefile.am: include Makefile.am.common
+
+	* common/Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:28:37 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add krb5.h to get heimdal_version
+
+	* ftpd/ftpd.c: krb_verify_user_multiple -> krb_verify_user
+
+Thu Mar 11 14:54:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/Makefile.in: WFLAGS
+
+	* ftp/ruserpass.c: add some if-braces
+
+Wed Mar 10 20:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd_locl.h: remove ifdef HAVE_FNMATCH
+
+Mon Mar  8 21:29:24 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: re-add version in greeting message
+
+Mon Mar  1 10:49:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/logwtmp.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb 22 19:20:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* common/Makefile.in: remove glob
+
+Sat Feb 13 17:19:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (match): remove #ifdef HAVE_FNMATCH.  We have a
+ 	fnmatch implementation in roken and therefore always have it.
+
+	* ftp/ftp.c (copy_stream): initialize `werr'
+
+Wed Jan 13 23:52:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: moved all check_login and check_login_no_guest to
+ 	the end of the rules to ensure we don't generate several
+ 	(independent) error messages.  once again, having a yacc-grammar
+ 	for FTP with embedded actions doesn't strike me as the most
+ 	optimal way of doing it.
+
+Tue Dec  1 14:44:29 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: link with extra libs for aix
+
+Sun Nov 22 10:28:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (retrying): support on-the-fly decompression
+
+	* ftpd/Makefile.in (WFLAGS): set
+
+	* ftp/ruserpass.c (guess_domain): new function
+	(ruserpass): use it
+
+	* common/Makefile.in (WFLAGS): set
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 23:13:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c: some more type correctness.
+
+	* ftp/gssapi.c (gss_adat): more braces to shut up warnings
+
+Wed Nov 18 21:47:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/main.c (main): new option `-p' for enable passive mode.
+
+Mon Nov  2 01:57:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (getreply): remove extra `break'
+
+	* ftp/gssapi.c (gss_auth): fixo typo(copyo?)
+
+	* ftp/security.c (sec_login): fix loop and return value
+
+Tue Sep  1 16:56:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/cmds.c (quote1): fix % quoting bug
+
+Fri Aug 14 17:10:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: krb_put_int -> KRB_PUT_INT
+
+Tue Jun 30 18:07:15 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (auth): free `app_data'
+	(sec_end): only destroy if it was initialized
+
+Tue Jun  9 21:01:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: pass client address to krb_rd_req
+
+Sat May 16 00:02:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/Makefile.am: link with DBLIB
+
+Tue May 12 14:15:32 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/gssapi.c: Save client name for userok().
+
+	* ftpd/gss_userok.c: Userok for gssapi.
+
+Fri May  1 07:15:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c: unifdef -DHAVE_H_ERRNO
+
+Fri Mar 27 00:46:07 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Make compile w/o krb4.
+
+Thu Mar 26 03:49:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/*, ftpd/*: Changes for new framework.
+
+	* ftp/gssapi.c: GSS-API backend for the new security framework.
+
+	* ftp/krb4.c: Updated for new framework.
+
+	* ftp/security.{c,h}: New unified security framework.
diff --git a/crypto/heimdal/appl/ftp/Makefile.am b/crypto/heimdal/appl/ftp/Makefile.am
new file mode 100644
index 0000000..f8831a3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = common ftp ftpd
diff --git a/crypto/heimdal/appl/ftp/Makefile.in b/crypto/heimdal/appl/ftp/Makefile.in
new file mode 100644
index 0000000..9c0d09d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/Makefile.in
@@ -0,0 +1,598 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = common ftp ftpd
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/ftp
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.am b/crypto/heimdal/appl/ftp/common/Makefile.am
new file mode 100644
index 0000000..4fab07b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/Makefile.am
@@ -0,0 +1,12 @@
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) 
+
+noinst_LIBRARIES = libcommon.a
+
+libcommon_a_SOURCES = \
+	sockbuf.c \
+	buffer.c \
+	common.h
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.in b/crypto/heimdal/appl/ftp/common/Makefile.in
new file mode 100644
index 0000000..1dc613c
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/Makefile.in
@@ -0,0 +1,611 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) 
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_LIBRARIES = libcommon.a
+
+libcommon_a_SOURCES =  	sockbuf.c 	buffer.c 	common.h
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(noinst_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libcommon_a_LIBADD = 
+libcommon_a_OBJECTS =  sockbuf.$(OBJEXT) buffer.$(OBJEXT)
+AR = ar
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libcommon_a_SOURCES)
+OBJECTS = $(libcommon_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/common/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLIBRARIES:
+
+clean-noinstLIBRARIES:
+	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+
+distclean-noinstLIBRARIES:
+
+maintainer-clean-noinstLIBRARIES:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libcommon.a: $(libcommon_a_OBJECTS) $(libcommon_a_DEPENDENCIES)
+	-rm -f libcommon.a
+	$(AR) cru libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD)
+	$(RANLIB) libcommon.a
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/ftp/common
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLIBRARIES distclean-noinstLIBRARIES \
+clean-noinstLIBRARIES maintainer-clean-noinstLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/buffer.c b/crypto/heimdal/appl/ftp/common/buffer.c
new file mode 100644
index 0000000..0385d49
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/buffer.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#include <stdio.h>
+#include <err.h>
+#include "roken.h"
+
+RCSID("$Id: buffer.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+
+/*
+ * Allocate a buffer enough to handle st->st_blksize, if
+ * there is such a field, otherwise BUFSIZ.
+ */
+
+void *
+alloc_buffer (void *oldbuf, size_t *sz, struct stat *st)
+{
+    size_t new_sz;
+
+    new_sz = BUFSIZ;
+#ifdef HAVE_ST_BLKSIZE
+    if (st)
+	new_sz = max(BUFSIZ, st->st_blksize);
+#endif
+    if(new_sz > *sz) {
+	if (oldbuf)
+	    free (oldbuf);
+	oldbuf = malloc (new_sz);
+	if (oldbuf == NULL) {
+	    warn ("malloc");
+	    *sz = 0;
+	    return NULL;
+	}
+	*sz = new_sz;
+    }
+    return oldbuf;
+}
+
diff --git a/crypto/heimdal/appl/ftp/common/common.h b/crypto/heimdal/appl/ftp/common/common.h
new file mode 100644
index 0000000..5949b25
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/common.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: common.h,v 1.12 1999/12/02 16:58:29 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef __COMMON_H__
+#define __COMMON_H__
+
+#include "base64.h"
+
+void set_buffer_size(int, int);
+
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+void *alloc_buffer (void *oldbuf, size_t *sz, struct stat *st);
+
+#endif /* __COMMON_H__ */
diff --git a/crypto/heimdal/appl/ftp/common/sockbuf.c b/crypto/heimdal/appl/ftp/common/sockbuf.c
new file mode 100644
index 0000000..460cc6f
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/sockbuf.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+RCSID("$Id: sockbuf.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+
+void
+set_buffer_size(int fd, int read)
+{
+#if defined(SO_RCVBUF) && defined(SO_SNDBUF) && defined(HAVE_SETSOCKOPT)
+    size_t size = 4194304;
+    while(size >= 131072 && 
+	  setsockopt(fd, SOL_SOCKET, read ? SO_RCVBUF : SO_SNDBUF, 
+		     (void *)&size, sizeof(size)) < 0)
+	size /= 2;
+#endif
+}
+
+
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.am b/crypto/heimdal/appl/ftp/ftp/Makefile.am
new file mode 100644
index 0000000..e24025c
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.am
@@ -0,0 +1,46 @@
+# $Id: Makefile.am,v 1.13 2000/01/06 15:11:43 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+
+bin_PROGRAMS = ftp
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c
+endif
+
+ftp_SOURCES = \
+	cmds.c \
+	cmdtab.c \
+	extern.h \
+	ftp.c \
+	ftp_locl.h \
+	ftp_var.h \
+	main.c \
+	pathnames.h \
+	ruserpass.c \
+	domacro.c \
+	globals.c \
+	security.c \
+	security.h \
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+
+man_MANS = ftp.1
+
+LDADD = \
+	../common/libcommon.a \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(LIB_readline)
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.in b/crypto/heimdal/appl/ftp/ftp/Makefile.in
new file mode 100644
index 0000000..6f8603d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.in
@@ -0,0 +1,702 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.13 2000/01/06 15:11:43 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = 
+
+bin_PROGRAMS = ftp
+
+@KRB4_TRUE@krb4_sources = krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = gssapi.c
+
+ftp_SOURCES =  	cmds.c 	cmdtab.c 	extern.h 	ftp.c 	ftp_locl.h 	ftp_var.h 	main.c 	pathnames.h 	ruserpass.c 	domacro.c 	globals.c 	security.c 	security.h 	$(krb4_sources) 	$(krb5_sources)
+
+
+EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+
+man_MANS = ftp.1
+
+LDADD =  	../common/libcommon.a 	$(LIB_gssapi) 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(LIB_readline)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  ftp$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@KRB4_TRUE@@KRB5_FALSE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@security.$(OBJEXT) krb4.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@kauth.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT)
+@KRB4_FALSE@@KRB5_FALSE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ftp.$(OBJEXT) main.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ruserpass.$(OBJEXT) domacro.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@globals.$(OBJEXT) security.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT)
+ftp_LDADD = $(LDADD)
+@KRB5_TRUE@ftp_DEPENDENCIES =  ../common/libcommon.a \
+@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB5_FALSE@ftp_DEPENDENCIES =  ../common/libcommon.a \
+@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+ftp_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
+OBJECTS = $(ftp_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES)
+	@rm -f ftp$(EXEEXT)
+	$(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS)
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/ftp/ftp
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/ftp/cmds.c b/crypto/heimdal/appl/ftp/ftp/cmds.c
new file mode 100644
index 0000000..7698313
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/cmds.c
@@ -0,0 +1,2116 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Routines.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: cmds.c,v 1.36 1999/09/16 20:37:28 assar Exp $");
+
+typedef void (*sighand)(int);
+
+jmp_buf	jabort;
+char   *mname;
+char   *home = "/";
+
+/*
+ * `Another' gets another argument, and stores the new argc and argv.
+ * It reverts to the top level (via main.c's intr()) on EOF/error.
+ *
+ * Returns false if no new arguments have been added.
+ */
+int
+another(int *pargc, char ***pargv, char *prompt)
+{
+	int len = strlen(line), ret;
+
+	if (len >= sizeof(line) - 3) {
+		printf("sorry, arguments too long\n");
+		intr(0);
+	}
+	printf("(%s) ", prompt);
+	line[len++] = ' ';
+	if (fgets(&line[len], sizeof(line) - len, stdin) == NULL)
+		intr(0);
+	len += strlen(&line[len]);
+	if (len > 0 && line[len - 1] == '\n')
+		line[len - 1] = '\0';
+	makeargv();
+	ret = margc > *pargc;
+	*pargc = margc;
+	*pargv = margv;
+	return (ret);
+}
+
+/*
+ * Connect to peer server and
+ * auto-login, if possible.
+ */
+void
+setpeer(int argc, char **argv)
+{
+	char *host;
+	short port;
+	struct servent *sp;
+
+	if (connected) {
+		printf("Already connected to %s, use close first.\n",
+			hostname);
+		code = -1;
+		return;
+	}
+	if (argc < 2)
+		another(&argc, &argv, "to");
+	if (argc < 2 || argc > 3) {
+		printf("usage: %s host-name [port]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	sp = getservbyname("ftp", "tcp");
+	if (sp == NULL)
+		errx(1, "You bastard. You removed ftp/tcp from services");
+	port = sp->s_port;
+	if (argc > 2) {
+		port = atoi(argv[2]);
+		if (port <= 0) {
+			printf("%s: bad port number-- %s\n", argv[1], argv[2]);
+			printf ("usage: %s host-name [port]\n", argv[0]);
+			code = -1;
+			return;
+		}
+		port = htons(port);
+	}
+	host = hookup(argv[1], port);
+	if (host) {
+		int overbose;
+
+		connected = 1;
+		/*
+		 * Set up defaults for FTP.
+		 */
+		strlcpy(typename, "ascii", sizeof(typename));
+		type = TYPE_A;
+		curtype = TYPE_A;
+		strlcpy(formname, "non-print", sizeof(formname));
+		form = FORM_N;
+		strlcpy(modename, "stream", sizeof(modename));
+		mode = MODE_S;
+		strlcpy(structname, "file", sizeof(structname));
+		stru = STRU_F;
+		strlcpy(bytename, "8", sizeof(bytename));
+		bytesize = 8;
+		if (autologin)
+			login(argv[1]);
+
+#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY)) && NBBY == 8
+/*
+ * this ifdef is to keep someone form "porting" this to an incompatible
+ * system and not checking this out. This way they have to think about it.
+ */
+		overbose = verbose;
+		if (debug == 0)
+			verbose = -1;
+		if (command("SYST") == COMPLETE && overbose) {
+			char *cp, c;
+			cp = strchr(reply_string+4, ' ');
+			if (cp == NULL)
+				cp = strchr(reply_string+4, '\r');
+			if (cp) {
+				if (cp[-1] == '.')
+					cp--;
+				c = *cp;
+				*cp = '\0';
+			}
+
+			printf("Remote system type is %s.\n",
+				reply_string+4);
+			if (cp)
+				*cp = c;
+		}
+		if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) {
+			if (proxy)
+				unix_proxy = 1;
+			else
+				unix_server = 1;
+			/*
+			 * Set type to 0 (not specified by user),
+			 * meaning binary by default, but don't bother
+			 * telling server.  We can use binary
+			 * for text files unless changed by the user.
+			 */
+			type = 0;
+			strlcpy(typename, "binary", sizeof(typename));
+			if (overbose)
+			    printf("Using %s mode to transfer files.\n",
+				typename);
+		} else {
+			if (proxy)
+				unix_proxy = 0;
+			else
+				unix_server = 0;
+			if (overbose && 
+			    !strncmp(reply_string, "215 TOPS20", 10))
+				printf(
+"Remember to set tenex mode when transfering binary files from this machine.\n");
+		}
+		verbose = overbose;
+#endif /* unix */
+	}
+}
+
+struct	types {
+	char	*t_name;
+	char	*t_mode;
+	int	t_type;
+	char	*t_arg;
+} types[] = {
+	{ "ascii",	"A",	TYPE_A,	0 },
+	{ "binary",	"I",	TYPE_I,	0 },
+	{ "image",	"I",	TYPE_I,	0 },
+	{ "ebcdic",	"E",	TYPE_E,	0 },
+	{ "tenex",	"L",	TYPE_L,	bytename },
+	{ NULL }
+};
+
+/*
+ * Set transfer type.
+ */
+void
+settype(int argc, char **argv)
+{
+	struct types *p;
+	int comret;
+
+	if (argc > 2) {
+		char *sep;
+
+		printf("usage: %s [", argv[0]);
+		sep = " ";
+		for (p = types; p->t_name; p++) {
+			printf("%s%s", sep, p->t_name);
+			sep = " | ";
+		}
+		printf(" ]\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2) {
+		printf("Using %s mode to transfer files.\n", typename);
+		code = 0;
+		return;
+	}
+	for (p = types; p->t_name; p++)
+		if (strcmp(argv[1], p->t_name) == 0)
+			break;
+	if (p->t_name == 0) {
+		printf("%s: unknown mode\n", argv[1]);
+		code = -1;
+		return;
+	}
+	if ((p->t_arg != NULL) && (*(p->t_arg) != '\0'))
+		comret = command ("TYPE %s %s", p->t_mode, p->t_arg);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE) {
+		strlcpy(typename, p->t_name, sizeof(typename));
+		curtype = type = p->t_type;
+	}
+}
+
+/*
+ * Internal form of settype; changes current type in use with server
+ * without changing our notion of the type for data transfers.
+ * Used to change to and from ascii for listings.
+ */
+void
+changetype(int newtype, int show)
+{
+	struct types *p;
+	int comret, oldverbose = verbose;
+
+	if (newtype == 0)
+		newtype = TYPE_I;
+	if (newtype == curtype)
+		return;
+	if (debug == 0 && show == 0)
+		verbose = 0;
+	for (p = types; p->t_name; p++)
+		if (newtype == p->t_type)
+			break;
+	if (p->t_name == 0) {
+		printf("ftp: internal error: unknown type %d\n", newtype);
+		return;
+	}
+	if (newtype == TYPE_L && bytename[0] != '\0')
+		comret = command("TYPE %s %s", p->t_mode, bytename);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE)
+		curtype = newtype;
+	verbose = oldverbose;
+}
+
+char *stype[] = {
+	"type",
+	"",
+	0
+};
+
+/*
+ * Set binary transfer type.
+ */
+/*VARARGS*/
+void
+setbinary(int argc, char **argv)
+{
+
+	stype[1] = "binary";
+	settype(2, stype);
+}
+
+/*
+ * Set ascii transfer type.
+ */
+/*VARARGS*/
+void
+setascii(int argc, char **argv)
+{
+
+	stype[1] = "ascii";
+	settype(2, stype);
+}
+
+/*
+ * Set tenex transfer type.
+ */
+/*VARARGS*/
+void
+settenex(int argc, char **argv)
+{
+
+	stype[1] = "tenex";
+	settype(2, stype);
+}
+
+/*
+ * Set file transfer mode.
+ */
+/*ARGSUSED*/
+void
+setftmode(int argc, char **argv)
+{
+
+	printf("We only support %s mode, sorry.\n", modename);
+	code = -1;
+}
+
+/*
+ * Set file transfer format.
+ */
+/*ARGSUSED*/
+void
+setform(int argc, char **argv)
+{
+
+	printf("We only support %s format, sorry.\n", formname);
+	code = -1;
+}
+
+/*
+ * Set file transfer structure.
+ */
+/*ARGSUSED*/
+void
+setstruct(int argc, char **argv)
+{
+
+	printf("We only support %s structure, sorry.\n", structname);
+	code = -1;
+}
+
+/*
+ * Send a single file.
+ */
+void
+put(int argc, char **argv)
+{
+	char *cmd;
+	int loc = 0;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if (argc < 2 && !another(&argc, &argv, "local-file"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "remote-file")) {
+usage:
+		printf("usage: %s local-file remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	/*
+	 * If "globulize" modifies argv[1], and argv[2] is a copy of
+	 * the old argv[1], make it a copy of the new argv[1].
+	 */
+	if (argv[1] != oldargv1 && argv[2] == oldargv1) {
+		argv[2] = argv[1];
+	}
+	cmd = (argv[0][0] == 'a') ? "APPE" : ((sunique) ? "STOU" : "STOR");
+	if (loc && ntflag) {
+		argv[2] = dotrans(argv[2]);
+	}
+	if (loc && mapflag) {
+		argv[2] = domap(argv[2]);
+	}
+	sendrequest(cmd, argv[1], argv[2],
+		    curtype == TYPE_I ? "rb" : "r",
+		    argv[1] != oldargv1 || argv[2] != oldargv2);
+}
+
+/* ARGSUSED */
+static RETSIGTYPE
+mabort(int signo)
+{
+	int ointer;
+
+	printf("\n");
+	fflush(stdout);
+	if (mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", mname)) {
+			interactive = ointer;
+			longjmp(jabort,0);
+		}
+		interactive = ointer;
+	}
+	mflag = 0;
+	longjmp(jabort,0);
+}
+
+/*
+ * Send multiple files.
+ */
+void
+mput(int argc, char **argv)
+{
+    int i;
+    RETSIGTYPE (*oldintr)();
+    int ointer;
+    char *tp;
+
+    if (argc < 2 && !another(&argc, &argv, "local-files")) {
+	printf("usage: %s local-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    if (proxy) {
+	char *cp, *tp2, tmpbuf[MaxPathLen];
+
+	while ((cp = remglob(argv,0)) != NULL) {
+	    if (*cp == 0) {
+		mflag = 0;
+		continue;
+	    }
+	    if (mflag && confirm(argv[0], cp)) {
+		tp = cp;
+		if (mcase) {
+		    while (*tp && !islower(*tp)) {
+			tp++;
+		    }
+		    if (!*tp) {
+			tp = cp;
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+			    if (isupper(*tp2)) {
+				*tp2 = 'a' + *tp2 - 'A';
+			    }
+			    tp++;
+			    tp2++;
+			}
+		    }
+		    tp = tmpbuf;
+		}
+		if (ntflag) {
+		    tp = dotrans(tp);
+		}
+		if (mapflag) {
+		    tp = domap(tp);
+		}
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    cp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    cp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+	return;
+    }
+    for (i = 1; i < argc; i++) {
+	char **cpp;
+	glob_t gl;
+	int flags;
+
+	if (!doglob) {
+	    if (mflag && confirm(argv[0], argv[i])) {
+		tp = (ntflag) ? dotrans(argv[i]) : argv[i];
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    argv[i],
+			    curtype == TYPE_I ? "rb" : "r",
+			    tp, tp != argv[i] || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	    continue;
+	}
+
+	memset(&gl, 0, sizeof(gl));
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
+	    warnx("%s: not found", argv[i]);
+	    globfree(&gl);
+	    continue;
+	}
+	for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
+	    if (mflag && confirm(argv[0], *cpp)) {
+		tp = (ntflag) ? dotrans(*cpp) : *cpp;
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    *cpp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    *cpp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	globfree(&gl);
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+void
+reget(int argc, char **argv)
+{
+    getit(argc, argv, 1, curtype == TYPE_I ? "r+wb" : "r+w");
+}
+
+void
+get(int argc, char **argv)
+{
+    char *mode;
+
+    if (restart_point)
+	if (curtype == TYPE_I)
+	    mode = "r+wb";
+	else
+	    mode = "r+w";
+    else
+	if (curtype == TYPE_I)
+	    mode = "wb";
+	else
+	    mode = "w";
+
+    getit(argc, argv, 0, mode);
+}
+
+/*
+ * Receive one file.
+ */
+int
+getit(int argc, char **argv, int restartit, char *mode)
+{
+	int loc = 0;
+	int local_given = 1;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		local_given = 0;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if ((argc < 2 && !another(&argc, &argv, "remote-file")) ||
+	    (argc < 3 && !another(&argc, &argv, "local-file"))) {
+		printf("usage: %s remote-file [ local-file ]\n", argv[0]);
+		code = -1;
+		return (0);
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[2])) {
+		code = -1;
+		return (0);
+	}
+	if (loc && mcase) {
+		char *tp = argv[1], *tp2, tmpbuf[MaxPathLen];
+
+		while (*tp && !islower(*tp)) {
+			tp++;
+		}
+		if (!*tp) {
+			tp = argv[2];
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+				if (isupper(*tp2)) {
+					*tp2 = 'a' + *tp2 - 'A';
+				}
+				tp++;
+				tp2++;
+			}
+			argv[2] = tmpbuf;
+		}
+	}
+	if (loc && ntflag)
+		argv[2] = dotrans(argv[2]);
+	if (loc && mapflag)
+		argv[2] = domap(argv[2]);
+	if (restartit) {
+		struct stat stbuf;
+		int ret;
+
+		ret = stat(argv[2], &stbuf);
+		if (restartit == 1) {
+			if (ret < 0) {
+				warn("local: %s", argv[2]);
+				return (0);
+			}
+			restart_point = stbuf.st_size;
+		} else if (ret == 0) {
+			int overbose;
+			int cmdret;
+			int yy, mo, day, hour, min, sec;
+			struct tm *tm;
+
+			overbose = verbose;
+			if (debug == 0)
+				verbose = -1;
+			cmdret = command("MDTM %s", argv[1]);
+			verbose = overbose;
+			if (cmdret != COMPLETE) {
+				printf("%s\n", reply_string);
+				return (0);
+			}
+			if (sscanf(reply_string,
+				   "%*s %04d%02d%02d%02d%02d%02d",
+				   &yy, &mo, &day, &hour, &min, &sec)
+			    != 6) {
+				printf ("bad MDTM result\n");
+				return (0);
+			}
+
+			tm = gmtime(&stbuf.st_mtime);
+			tm->tm_mon++;
+			tm->tm_year += 1900;
+
+			if ((tm->tm_year > yy) ||
+			    (tm->tm_year == yy && 
+			     tm->tm_mon > mo) ||
+			    (tm->tm_mon == mo && 
+			     tm->tm_mday > day) ||
+			    (tm->tm_mday == day && 
+			     tm->tm_hour > hour) ||
+			    (tm->tm_hour == hour && 
+			     tm->tm_min > min) ||
+			    (tm->tm_min == min && 
+			     tm->tm_sec > sec))
+				return (1);
+		}
+	}
+
+	recvrequest("RETR", argv[2], argv[1], mode,
+		    argv[1] != oldargv1 || argv[2] != oldargv2, local_given);
+	restart_point = 0;
+	return (0);
+}
+
+static int
+suspicious_filename(const char *fn)
+{
+    return strstr(fn, "../") != NULL || *fn == '/';
+}
+
+/*
+ * Get multiple files.
+ */
+void
+mget(int argc, char **argv)
+{
+	sighand oldintr;
+	int ch, ointer;
+	char *cp, *tp, *tp2, tmpbuf[MaxPathLen];
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+		printf("usage: %s remote-files\n", argv[0]);
+		code = -1;
+		return;
+	}
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	while ((cp = remglob(argv,proxy)) != NULL) {
+		if (*cp == '\0') {
+			mflag = 0;
+			continue;
+		}
+		if (mflag && suspicious_filename(cp))
+		    printf("*** Suspicious filename: %s\n", cp);
+		if (mflag && confirm(argv[0], cp)) {
+			tp = cp;
+			if (mcase) {
+				for (tp2 = tmpbuf; (ch = *tp++);)
+					*tp2++ = isupper(ch) ? tolower(ch) : ch;
+				*tp2 = '\0';
+				tp = tmpbuf;
+			}
+			if (ntflag) {
+				tp = dotrans(tp);
+			}
+			if (mapflag) {
+				tp = domap(tp);
+			}
+			recvrequest("RETR", tp, cp,
+				    curtype == TYPE_I ? "wb" : "w",
+				    tp != cp || !interactive, 0);
+			if (!mflag && fromatty) {
+				ointer = interactive;
+				interactive = 1;
+				if (confirm("Continue with","mget")) {
+					mflag++;
+				}
+				interactive = ointer;
+			}
+		}
+	}
+	signal(SIGINT,oldintr);
+	mflag = 0;
+}
+
+char *
+remglob(char **argv, int doswitch)
+{
+    char temp[16];
+    static char buf[MaxPathLen];
+    static FILE *ftemp = NULL;
+    static char **args;
+    int oldverbose, oldhash;
+    char *cp, *mode;
+
+    if (!mflag) {
+	if (!doglob) {
+	    args = NULL;
+	}
+	else {
+	    if (ftemp) {
+		fclose(ftemp);
+		ftemp = NULL;
+	    }
+	}
+	return (NULL);
+    }
+    if (!doglob) {
+	if (args == NULL)
+	    args = argv;
+	if ((cp = *++args) == NULL)
+	    args = NULL;
+	return (cp);
+    }
+    if (ftemp == NULL) {
+	int fd;
+	strlcpy(temp, _PATH_TMP_XXX, sizeof(temp));
+	fd = mkstemp(temp);
+	if(fd < 0){
+	    warn("unable to create temporary file %s", temp);
+	    return NULL;
+	}
+	close(fd);
+	oldverbose = verbose, verbose = 0;
+	oldhash = hash, hash = 0;
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	for (mode = "w"; *++argv != NULL; mode = "a")
+	    recvrequest ("NLST", temp, *argv, mode, 0, 0);
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	verbose = oldverbose; hash = oldhash;
+	ftemp = fopen(temp, "r");
+	unlink(temp);
+	if (ftemp == NULL) {
+	    printf("can't find list of remote files, oops\n");
+	    return (NULL);
+	}
+    }
+    while(fgets(buf, sizeof (buf), ftemp)) {
+	if ((cp = strchr(buf, '\n')) != NULL)
+	    *cp = '\0';
+	if(!interactive && suspicious_filename(buf)){
+	    printf("Ignoring remote globbed file `%s'\n", buf);
+	    continue;
+	}
+	return buf;
+    }
+    fclose(ftemp);
+    ftemp = NULL;
+    return (NULL);
+}
+
+char *
+onoff(int bool)
+{
+
+	return (bool ? "on" : "off");
+}
+
+/*
+ * Show status.
+ */
+/*ARGSUSED*/
+void
+status(int argc, char **argv)
+{
+	int i;
+
+	if (connected)
+		printf("Connected to %s.\n", hostname);
+	else
+		printf("Not connected.\n");
+	if (!proxy) {
+		pswitch(1);
+		if (connected) {
+			printf("Connected for proxy commands to %s.\n", hostname);
+		}
+		else {
+			printf("No proxy connection.\n");
+		}
+		pswitch(0);
+	}
+	sec_status();
+	printf("Mode: %s; Type: %s; Form: %s; Structure: %s\n",
+		modename, typename, formname, structname);
+	printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", 
+		onoff(verbose), onoff(bell), onoff(interactive),
+		onoff(doglob));
+	printf("Store unique: %s; Receive unique: %s\n", onoff(sunique),
+		onoff(runique));
+	printf("Case: %s; CR stripping: %s\n",onoff(mcase),onoff(crflag));
+	if (ntflag) {
+		printf("Ntrans: (in) %s (out) %s\n", ntin,ntout);
+	}
+	else {
+		printf("Ntrans: off\n");
+	}
+	if (mapflag) {
+		printf("Nmap: (in) %s (out) %s\n", mapin, mapout);
+	}
+	else {
+		printf("Nmap: off\n");
+	}
+	printf("Hash mark printing: %s; Use of PORT cmds: %s\n",
+		onoff(hash), onoff(sendport));
+	if (macnum > 0) {
+		printf("Macros:\n");
+		for (i=0; i<macnum; i++) {
+			printf("\t%s\n",macros[i].mac_name);
+		}
+	}
+	code = 0;
+}
+
+/*
+ * Set beep on cmd completed mode.
+ */
+/*VARARGS*/
+void
+setbell(int argc, char **argv)
+{
+
+	bell = !bell;
+	printf("Bell mode %s.\n", onoff(bell));
+	code = bell;
+}
+
+/*
+ * Turn on packet tracing.
+ */
+/*VARARGS*/
+void
+settrace(int argc, char **argv)
+{
+
+	trace = !trace;
+	printf("Packet tracing %s.\n", onoff(trace));
+	code = trace;
+}
+
+/*
+ * Toggle hash mark printing during transfers.
+ */
+/*VARARGS*/
+void
+sethash(int argc, char **argv)
+{
+
+	hash = !hash;
+	printf("Hash mark printing %s", onoff(hash));
+	code = hash;
+	if (hash)
+		printf(" (%d bytes/hash mark)", 1024);
+	printf(".\n");
+}
+
+/*
+ * Turn on printing of server echo's.
+ */
+/*VARARGS*/
+void
+setverbose(int argc, char **argv)
+{
+
+	verbose = !verbose;
+	printf("Verbose mode %s.\n", onoff(verbose));
+	code = verbose;
+}
+
+/*
+ * Toggle PORT cmd use before each data connection.
+ */
+/*VARARGS*/
+void
+setport(int argc, char **argv)
+{
+
+	sendport = !sendport;
+	printf("Use of PORT cmds %s.\n", onoff(sendport));
+	code = sendport;
+}
+
+/*
+ * Turn on interactive prompting
+ * during mget, mput, and mdelete.
+ */
+/*VARARGS*/
+void
+setprompt(int argc, char **argv)
+{
+
+	interactive = !interactive;
+	printf("Interactive mode %s.\n", onoff(interactive));
+	code = interactive;
+}
+
+/*
+ * Toggle metacharacter interpretation
+ * on local file names.
+ */
+/*VARARGS*/
+void
+setglob(int argc, char **argv)
+{
+	
+	doglob = !doglob;
+	printf("Globbing %s.\n", onoff(doglob));
+	code = doglob;
+}
+
+/*
+ * Set debugging mode on/off and/or
+ * set level of debugging.
+ */
+/*VARARGS*/
+void
+setdebug(int argc, char **argv)
+{
+	int val;
+
+	if (argc > 1) {
+		val = atoi(argv[1]);
+		if (val < 0) {
+			printf("%s: bad debugging value.\n", argv[1]);
+			code = -1;
+			return;
+		}
+	} else
+		val = !debug;
+	debug = val;
+	if (debug)
+		options |= SO_DEBUG;
+	else
+		options &= ~SO_DEBUG;
+	printf("Debugging %s (debug=%d).\n", onoff(debug), debug);
+	code = debug > 0;
+}
+
+/*
+ * Set current working directory
+ * on remote machine.
+ */
+void
+cd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-directory")) {
+		printf("usage: %s remote-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("CWD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("CWD command not recognized, trying XCWD\n");
+		command("XCWD %s", argv[1]);
+	}
+}
+
+/*
+ * Set current working directory
+ * on local machine.
+ */
+void
+lcd(int argc, char **argv)
+{
+	char buf[MaxPathLen];
+
+	if (argc < 2)
+		argc++, argv[1] = home;
+	if (argc != 2) {
+		printf("usage: %s local-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	if (chdir(argv[1]) < 0) {
+		warn("local: %s", argv[1]);
+		code = -1;
+		return;
+	}
+	if (getcwd(buf, sizeof(buf)) != NULL)
+		printf("Local directory now %s\n", buf);
+	else
+		warnx("getwd: %s", buf);
+	code = 0;
+}
+
+/*
+ * Delete a single file.
+ */
+void
+delete(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-file")) {
+		printf("usage: %s remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("DELE %s", argv[1]);
+}
+
+/*
+ * Delete multiple files.
+ */
+void
+mdelete(int argc, char **argv)
+{
+    sighand oldintr;
+    int ointer;
+    char *cp;
+
+    if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+	printf("usage: %s remote-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    while ((cp = remglob(argv,0)) != NULL) {
+	if (*cp == '\0') {
+	    mflag = 0;
+	    continue;
+	}
+	if (mflag && confirm(argv[0], cp)) {
+	    command("DELE %s", cp);
+	    if (!mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", "mdelete")) {
+		    mflag++;
+		}
+		interactive = ointer;
+	    }
+	}
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+/*
+ * Rename a remote file.
+ */
+void
+renamefile(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "from-name"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "to-name")) {
+usage:
+		printf("%s from-name to-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RNFR %s", argv[1]) == CONTINUE)
+		command("RNTO %s", argv[2]);
+}
+
+/*
+ * Get a directory listing
+ * of remote files.
+ */
+void
+ls(int argc, char **argv)
+{
+	char *cmd;
+
+	if (argc < 2)
+		argc++, argv[1] = NULL;
+	if (argc < 3)
+		argc++, argv[2] = "-";
+	if (argc > 3) {
+		printf("usage: %s remote-directory local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	cmd = argv[0][0] == 'n' ? "NLST" : "LIST";
+	if (strcmp(argv[2], "-") && !globulize(&argv[2])) {
+		code = -1;
+		return;
+	}
+	if (strcmp(argv[2], "-") && *argv[2] != '|')
+	    if (!globulize(&argv[2]) || !confirm("output to local-file:", 
+						 argv[2])) {
+		code = -1;
+		return;
+	    }
+	recvrequest(cmd, argv[2], argv[1], "w", 0, 1);
+}
+
+/*
+ * Get a directory listing
+ * of multiple remote files.
+ */
+void
+mls(int argc, char **argv)
+{
+	sighand oldintr;
+	int ointer, i;
+	char *cmd, mode[1], *dest;
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "local-file")) {
+usage:
+		printf("usage: %s remote-files local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	dest = argv[argc - 1];
+	argv[argc - 1] = NULL;
+	if (strcmp(dest, "-") && *dest != '|')
+		if (!globulize(&dest) ||
+		    !confirm("output to local-file:", dest)) {
+			code = -1;
+			return;
+	}
+	cmd = argv[0][1] == 'l' ? "NLST" : "LIST";
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	for (i = 1; mflag && i < argc-1; ++i) {
+		*mode = (i == 1) ? 'w' : 'a';
+		recvrequest(cmd, dest, argv[i], mode, 0, 1);
+		if (!mflag && fromatty) {
+			ointer = interactive;
+			interactive = 1;
+			if (confirm("Continue with", argv[0])) {
+				mflag ++;
+			}
+			interactive = ointer;
+		}
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+}
+
+/*
+ * Do a shell escape
+ */
+/*ARGSUSED*/
+void
+shell(int argc, char **argv)
+{
+	pid_t pid;
+	RETSIGTYPE (*old1)(), (*old2)();
+	char shellnam[40], *shell, *namep; 
+	int status;
+
+	old1 = signal (SIGINT, SIG_IGN);
+	old2 = signal (SIGQUIT, SIG_IGN);
+	if ((pid = fork()) == 0) {
+		for (pid = 3; pid < 20; pid++)
+			close(pid);
+		signal(SIGINT, SIG_DFL);
+		signal(SIGQUIT, SIG_DFL);
+		shell = getenv("SHELL");
+		if (shell == NULL)
+			shell = _PATH_BSHELL;
+		namep = strrchr(shell,'/');
+		if (namep == NULL)
+			namep = shell;
+		snprintf (shellnam, sizeof(shellnam),
+			  "-%s", ++namep);
+		if (strcmp(namep, "sh") != 0)
+			shellnam[0] = '+';
+		if (debug) {
+			printf ("%s\n", shell);
+			fflush (stdout);
+		}
+		if (argc > 1) {
+			execl(shell,shellnam,"-c",altarg,(char *)0);
+		}
+		else {
+			execl(shell,shellnam,(char *)0);
+		}
+		warn("%s", shell);
+		code = -1;
+		exit(1);
+	}
+	if (pid > 0)
+		while (waitpid(-1, &status, 0) != pid)
+			;
+	signal(SIGINT, old1);
+	signal(SIGQUIT, old2);
+	if (pid == -1) {
+		warn("%s", "Try again later");
+		code = -1;
+	}
+	else {
+		code = 0;
+	}
+}
+
+/*
+ * Send new user information (re-login)
+ */
+void
+user(int argc, char **argv)
+{
+	char acct[80];
+	int n, aflag = 0;
+	char tmp[256];
+
+	if (argc < 2)
+		another(&argc, &argv, "username");
+	if (argc < 2 || argc > 4) {
+		printf("usage: %s username [password] [account]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	n = command("USER %s", argv[1]);
+	if (n == CONTINUE) {
+	    if (argc < 3 ) {
+		des_read_pw_string (tmp,
+				    sizeof(tmp),
+				    "Password: ", 0);
+		argv[2] = tmp;
+		argc++;
+	    }
+	    n = command("PASS %s", argv[2]);
+	}
+	if (n == CONTINUE) {
+		if (argc < 4) {
+			printf("Account: "); fflush(stdout);
+			fgets(acct, sizeof(acct) - 1, stdin);
+			acct[strlen(acct) - 1] = '\0';
+			argv[3] = acct; argc++;
+		}
+		n = command("ACCT %s", argv[3]);
+		aflag++;
+	}
+	if (n != COMPLETE) {
+		fprintf(stdout, "Login failed.\n");
+		return;
+	}
+	if (!aflag && argc == 4) {
+		command("ACCT %s", argv[3]);
+	}
+}
+
+/*
+ * Print working directory.
+ */
+/*VARARGS*/
+void
+pwd(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	/*
+	 * If we aren't verbose, this doesn't do anything!
+	 */
+	verbose = 1;
+	if (command("PWD") == ERROR && code == 500) {
+		printf("PWD command not recognized, trying XPWD\n");
+		command("XPWD");
+	}
+	verbose = oldverbose;
+}
+
+/*
+ * Make a directory.
+ */
+void
+makedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("MKD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("MKD command not recognized, trying XMKD\n");
+		command("XMKD %s", argv[1]);
+	}
+}
+
+/*
+ * Remove a directory.
+ */
+void
+removedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RMD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("RMD command not recognized, trying XRMD\n");
+		command("XRMD %s", argv[1]);
+	}
+}
+
+/*
+ * Send a line, verbatim, to the remote machine.
+ */
+void
+quote(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "command line to send")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("", argc, argv);
+}
+
+/*
+ * Send a SITE command to the remote machine.  The line
+ * is sent verbatim to the remote machine, except that the
+ * word "SITE" is added at the front.
+ */
+void
+site(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "arguments to SITE command")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("SITE ", argc, argv);
+}
+
+/*
+ * Turn argv[1..argc) into a space-separated string, then prepend initial text.
+ * Send the result as a one-line command and get response.
+ */
+void
+quote1(char *initial, int argc, char **argv)
+{
+    int i;
+    char buf[BUFSIZ];		/* must be >= sizeof(line) */
+
+    strlcpy(buf, initial, sizeof(buf));
+    for(i = 1; i < argc; i++) {
+	if(i > 1)
+	    strlcat(buf, " ", sizeof(buf));
+	strlcat(buf, argv[i], sizeof(buf));
+    }
+    if (command("%s", buf) == PRELIM) {
+	while (getreply(0) == PRELIM)
+	    continue;
+    }
+}
+
+void
+do_chmod(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "mode"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "file-name")) {
+usage:
+		printf("usage: %s mode file-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SITE CHMOD %s %s", argv[1], argv[2]);
+}
+
+void
+do_umask(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE UMASK" : "SITE UMASK %s", argv[1]);
+	verbose = oldverbose;
+}
+
+void
+ftp_idle(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE IDLE" : "SITE IDLE %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Ask the other side for help.
+ */
+void
+rmthelp(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "HELP" : "HELP %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Terminate session and exit.
+ */
+/*VARARGS*/
+void
+quit(int argc, char **argv)
+{
+
+	if (connected)
+		disconnect(0, 0);
+	pswitch(1);
+	if (connected) {
+		disconnect(0, 0);
+	}
+	exit(0);
+}
+
+/*
+ * Terminate session, but don't exit.
+ */
+void
+disconnect(int argc, char **argv)
+{
+
+	if (!connected)
+		return;
+	command("QUIT");
+	if (cout) {
+		fclose(cout);
+	}
+	cout = NULL;
+	connected = 0;
+	sec_end();
+	data = -1;
+	if (!proxy) {
+		macnum = 0;
+	}
+}
+
+int
+confirm(char *cmd, char *file)
+{
+	char line[BUFSIZ];
+
+	if (!interactive)
+		return (1);
+	printf("%s %s? ", cmd, file);
+	fflush(stdout);
+	if (fgets(line, sizeof line, stdin) == NULL)
+		return (0);
+	return (*line == 'y' || *line == 'Y');
+}
+
+void
+fatal(char *msg)
+{
+
+	errx(1, "%s", msg);
+}
+
+/*
+ * Glob a local file name specification with
+ * the expectation of a single return value.
+ * Can't control multiple values being expanded
+ * from the expression, we return only the first.
+ */
+int
+globulize(char **cpp)
+{
+	glob_t gl;
+	int flags;
+
+	if (!doglob)
+		return (1);
+
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	memset(&gl, 0, sizeof(gl));
+	if (glob(*cpp, flags, NULL, &gl) ||
+	    gl.gl_pathc == 0) {
+		warnx("%s: not found", *cpp);
+		globfree(&gl);
+		return (0);
+	}
+	*cpp = strdup(gl.gl_pathv[0]);	/* XXX - wasted memory */
+	globfree(&gl);
+	return (1);
+}
+
+void
+account(int argc, char **argv)
+{
+	char acct[50];
+
+	if (argc > 1) {
+		++argv;
+		--argc;
+		strlcpy (acct, *argv, sizeof(acct));
+		while (argc > 1) {
+			--argc;
+			++argv;
+			strlcat(acct, *argv, sizeof(acct));
+		}
+	}
+	else {
+	    des_read_pw_string(acct, sizeof(acct), "Account:", 0);
+	}
+	command("ACCT %s", acct);
+}
+
+jmp_buf abortprox;
+
+static RETSIGTYPE
+proxabort(int sig)
+{
+
+	if (!proxy) {
+		pswitch(1);
+	}
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	longjmp(abortprox,1);
+}
+
+void
+doproxy(int argc, char **argv)
+{
+	struct cmd *c;
+	RETSIGTYPE (*oldintr)();
+
+	if (argc < 2 && !another(&argc, &argv, "command")) {
+		printf("usage: %s command\n", argv[0]);
+		code = -1;
+		return;
+	}
+	c = getcmd(argv[1]);
+	if (c == (struct cmd *) -1) {
+		printf("?Ambiguous command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (c == 0) {
+		printf("?Invalid command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (!c->c_proxy) {
+		printf("?Invalid proxy command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (setjmp(abortprox)) {
+		code = -1;
+		return;
+	}
+	oldintr = signal(SIGINT, proxabort);
+	pswitch(1);
+	if (c->c_conn && !connected) {
+		printf("Not connected\n");
+		fflush(stdout);
+		pswitch(0);
+		signal(SIGINT, oldintr);
+		code = -1;
+		return;
+	}
+	(*c->c_handler)(argc-1, argv+1);
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	signal(SIGINT, oldintr);
+}
+
+void
+setcase(int argc, char **argv)
+{
+
+	mcase = !mcase;
+	printf("Case mapping %s.\n", onoff(mcase));
+	code = mcase;
+}
+
+void
+setcr(int argc, char **argv)
+{
+
+	crflag = !crflag;
+	printf("Carriage Return stripping %s.\n", onoff(crflag));
+	code = crflag;
+}
+
+void
+setntrans(int argc, char **argv)
+{
+	if (argc == 1) {
+		ntflag = 0;
+		printf("Ntrans off.\n");
+		code = ntflag;
+		return;
+	}
+	ntflag++;
+	code = ntflag;
+	strlcpy (ntin, argv[1], 17);
+	if (argc == 2) {
+		ntout[0] = '\0';
+		return;
+	}
+	strlcpy (ntout, argv[2], 17);
+}
+
+char *
+dotrans(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1, *cp2 = new;
+	int i, ostop, found;
+
+	for (ostop = 0; *(ntout + ostop) && ostop < 16; ostop++)
+		continue;
+	for (cp1 = name; *cp1; cp1++) {
+		found = 0;
+		for (i = 0; *(ntin + i) && i < 16; i++) {
+			if (*cp1 == *(ntin + i)) {
+				found++;
+				if (i < ostop) {
+					*cp2++ = *(ntout + i);
+				}
+				break;
+			}
+		}
+		if (!found) {
+			*cp2++ = *cp1;
+		}
+	}
+	*cp2 = '\0';
+	return (new);
+}
+
+void
+setnmap(int argc, char **argv)
+{
+	char *cp;
+
+	if (argc == 1) {
+		mapflag = 0;
+		printf("Nmap off.\n");
+		code = mapflag;
+		return;
+	}
+	if (argc < 3 && !another(&argc, &argv, "mapout")) {
+		printf("Usage: %s [mapin mapout]\n",argv[0]);
+		code = -1;
+		return;
+	}
+	mapflag = 1;
+	code = 1;
+	cp = strchr(altarg, ' ');
+	if (proxy) {
+		while(*++cp == ' ')
+			continue;
+		altarg = cp;
+		cp = strchr(altarg, ' ');
+	}
+	*cp = '\0';
+	strlcpy(mapin, altarg, MaxPathLen);
+	while (*++cp == ' ')
+		continue;
+	strlcpy(mapout, cp, MaxPathLen);
+}
+
+char *
+domap(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1 = name, *cp2 = mapin;
+	char *tp[9], *te[9];
+	int i, toks[9], toknum = 0, match = 1;
+
+	for (i=0; i < 9; ++i) {
+		toks[i] = 0;
+	}
+	while (match && *cp1 && *cp2) {
+		switch (*cp2) {
+			case '\\':
+				if (*++cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+			case '$':
+				if (*(cp2+1) >= '1' && (*cp2+1) <= '9') {
+					if (*cp1 != *(++cp2+1)) {
+						toks[toknum = *cp2 - '1']++;
+						tp[toknum] = cp1;
+						while (*++cp1 && *(cp2+1)
+							!= *cp1);
+						te[toknum] = cp1;
+					}
+					cp2++;
+					break;
+				}
+				/* FALLTHROUGH */
+			default:
+				if (*cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+		}
+		if (match && *cp1) {
+			cp1++;
+		}
+		if (match && *cp2) {
+			cp2++;
+		}
+	}
+	if (!match && *cp1) /* last token mismatch */
+	{
+		toks[toknum] = 0;
+	}
+	cp1 = new;
+	*cp1 = '\0';
+	cp2 = mapout;
+	while (*cp2) {
+		match = 0;
+		switch (*cp2) {
+			case '\\':
+				if (*(cp2 + 1)) {
+					*cp1++ = *++cp2;
+				}
+				break;
+			case '[':
+LOOP:
+				if (*++cp2 == '$' && isdigit(*(cp2+1))) { 
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+				}
+				else {
+					while (*cp2 && *cp2 != ',' && 
+					    *cp2 != ']') {
+						if (*cp2 == '\\') {
+							cp2++;
+						}
+						else if (*cp2 == '$' &&
+   						        isdigit(*(cp2+1))) {
+							if (*++cp2 == '0') {
+							   char *cp3 = name;
+
+							   while (*cp3) {
+								*cp1++ = *cp3++;
+							   }
+							}
+							else if (toks[toknum =
+							    *cp2 - '1']) {
+							   char *cp3=tp[toknum];
+
+							   while (cp3 !=
+								  te[toknum]) {
+								*cp1++ = *cp3++;
+							   }
+							}
+						}
+						else if (*cp2) {
+							*cp1++ = *cp2++;
+						}
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					match = 1;
+					cp2--;
+				}
+				if (match) {
+					while (*++cp2 && *cp2 != ']') {
+					      if (*cp2 == '\\' && *(cp2 + 1)) {
+							cp2++;
+					      }
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					break;
+				}
+				switch (*++cp2) {
+					case ',':
+						goto LOOP;
+					case ']':
+						break;
+					default:
+						cp2--;
+						goto LOOP;
+				}
+				break;
+			case '$':
+				if (isdigit(*(cp2 + 1))) {
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+					}
+					break;
+				}
+				/* intentional drop through */
+			default:
+				*cp1++ = *cp2;
+				break;
+		}
+		cp2++;
+	}
+	*cp1 = '\0';
+	if (!*new) {
+		return (name);
+	}
+	return (new);
+}
+
+void
+setpassive(int argc, char **argv)
+{
+
+	passivemode = !passivemode;
+	printf("Passive mode %s.\n", onoff(passivemode));
+	code = passivemode;
+}
+
+void
+setsunique(int argc, char **argv)
+{
+
+	sunique = !sunique;
+	printf("Store unique %s.\n", onoff(sunique));
+	code = sunique;
+}
+
+void
+setrunique(int argc, char **argv)
+{
+
+	runique = !runique;
+	printf("Receive unique %s.\n", onoff(runique));
+	code = runique;
+}
+
+/* change directory to perent directory */
+void
+cdup(int argc, char **argv)
+{
+
+	if (command("CDUP") == ERROR && code == 500) {
+		if (verbose)
+			printf("CDUP command not recognized, trying XCUP\n");
+		command("XCUP");
+	}
+}
+
+/* restart transfer at specific point */
+void
+restart(int argc, char **argv)
+{
+
+    if (argc != 2)
+	printf("restart: offset not specified\n");
+    else {
+	restart_point = atol(argv[1]);
+	printf("restarting at %ld. %s\n", (long)restart_point,
+	       "execute get, put or append to initiate transfer");
+    }
+}
+
+/* show remote system type */
+void
+syst(int argc, char **argv)
+{
+
+	command("SYST");
+}
+
+void
+macdef(int argc, char **argv)
+{
+	char *tmp;
+	int c;
+
+	if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name\n",argv[0]);
+		code = -1;
+		return;
+	}
+	if (interactive) {
+		printf("Enter macro line by line, terminating it with a null line\n");
+	}
+	strlcpy(macros[macnum].mac_name,
+			argv[1],
+			sizeof(macros[macnum].mac_name));
+	if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	}
+	else {
+		macros[macnum].mac_start = macros[macnum - 1].mac_end + 1;
+	}
+	tmp = macros[macnum].mac_start;
+	while (tmp != macbuf+4096) {
+		if ((c = getchar()) == EOF) {
+			printf("macdef:end of file encountered\n");
+			code = -1;
+			return;
+		}
+		if ((*tmp = c) == '\n') {
+			if (tmp == macros[macnum].mac_start) {
+				macros[macnum++].mac_end = tmp;
+				code = 0;
+				return;
+			}
+			if (*(tmp-1) == '\0') {
+				macros[macnum++].mac_end = tmp - 1;
+				code = 0;
+				return;
+			}
+			*tmp = '\0';
+		}
+		tmp++;
+	}
+	while (1) {
+		while ((c = getchar()) != '\n' && c != EOF)
+			/* LOOP */;
+		if (c == EOF || getchar() == '\n') {
+			printf("Macro not defined - 4k buffer exceeded\n");
+			code = -1;
+			return;
+		}
+	}
+}
+
+/*
+ * get size of file on remote machine
+ */
+void
+sizecmd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SIZE %s", argv[1]);
+}
+
+/*
+ * get last modification time of file on remote machine
+ */
+void
+modtime(int argc, char **argv)
+{
+	int overbose;
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	overbose = verbose;
+	if (debug == 0)
+		verbose = -1;
+	if (command("MDTM %s", argv[1]) == COMPLETE) {
+		int yy, mo, day, hour, min, sec;
+		sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d", &yy, &mo,
+			&day, &hour, &min, &sec);
+		/* might want to print this in local time */
+		printf("%s\t%02d/%02d/%04d %02d:%02d:%02d GMT\n", argv[1],
+			mo, day, yy, hour, min, sec);
+	} else
+		printf("%s\n", reply_string);
+	verbose = overbose;
+}
+
+/*
+ * show status on reomte machine
+ */
+void
+rmtstatus(int argc, char **argv)
+{
+
+	command(argc > 1 ? "STAT %s" : "STAT" , argv[1]);
+}
+
+/*
+ * get file if modtime is more recent than current file
+ */
+void
+newer(int argc, char **argv)
+{
+
+	if (getit(argc, argv, -1, curtype == TYPE_I ? "wb" : "w"))
+		printf("Local file \"%s\" is newer than remote file \"%s\"\n",
+			argv[2], argv[1]);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/cmdtab.c b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
new file mode 100644
index 0000000..5dc96ef
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+
+/*
+ * User FTP -- Command Tables.
+ */
+
+char	accounthelp[] =	"send account command to remote server";
+char	appendhelp[] =	"append to a file";
+char	asciihelp[] =	"set ascii transfer type";
+char	beephelp[] =	"beep when command completed";
+char	binaryhelp[] =	"set binary transfer type";
+char	casehelp[] =	"toggle mget upper/lower case id mapping";
+char	cdhelp[] =	"change remote working directory";
+char	cduphelp[] = 	"change remote working directory to parent directory";
+char	chmodhelp[] =	"change file permissions of remote file";
+char	connecthelp[] =	"connect to remote tftp";
+char	crhelp[] =	"toggle carriage return stripping on ascii gets";
+char	deletehelp[] =	"delete remote file";
+char	debughelp[] =	"toggle/set debugging mode";
+char	dirhelp[] =	"list contents of remote directory";
+char	disconhelp[] =	"terminate ftp session";
+char	domachelp[] = 	"execute macro";
+char	formhelp[] =	"set file transfer format";
+char	globhelp[] =	"toggle metacharacter expansion of local file names";
+char	hashhelp[] =	"toggle printing `#' for each buffer transferred";
+char	helphelp[] =	"print local help information";
+char	idlehelp[] =	"get (set) idle timer on remote side";
+char	lcdhelp[] =	"change local working directory";
+char	lshelp[] =	"list contents of remote directory";
+char	macdefhelp[] =  "define a macro";
+char	mdeletehelp[] =	"delete multiple files";
+char	mdirhelp[] =	"list contents of multiple remote directories";
+char	mgethelp[] =	"get multiple files";
+char	mkdirhelp[] =	"make directory on the remote machine";
+char	mlshelp[] =	"list contents of multiple remote directories";
+char	modtimehelp[] = "show last modification time of remote file";
+char	modehelp[] =	"set file transfer mode";
+char	mputhelp[] =	"send multiple files";
+char	newerhelp[] =	"get file if remote file is newer than local file ";
+char	nlisthelp[] =	"nlist contents of remote directory";
+char	nmaphelp[] =	"set templates for default file name mapping";
+char	ntranshelp[] =	"set translation table for default file name mapping";
+char	porthelp[] =	"toggle use of PORT cmd for each data connection";
+char	prompthelp[] =	"force interactive prompting on multiple commands";
+char	proxyhelp[] =	"issue command on alternate connection";
+char	pwdhelp[] =	"print working directory on remote machine";
+char	quithelp[] =	"terminate ftp session and exit";
+char	quotehelp[] =	"send arbitrary ftp command";
+char	receivehelp[] =	"receive file";
+char	regethelp[] =	"get file restarting at end of local file";
+char	remotehelp[] =	"get help from remote server";
+char	renamehelp[] =	"rename file";
+char	restarthelp[]=	"restart file transfer at bytecount";
+char	rmdirhelp[] =	"remove directory on the remote machine";
+char	rmtstatushelp[]="show status of remote machine";
+char	runiquehelp[] = "toggle store unique for local files";
+char	resethelp[] =	"clear queued command replies";
+char	sendhelp[] =	"send one file";
+char	passivehelp[] =	"enter passive transfer mode";
+char	sitehelp[] =	"send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
+char	shellhelp[] =	"escape to the shell";
+char	sizecmdhelp[] = "show size of remote file";
+char	statushelp[] =	"show current status";
+char	structhelp[] =	"set file transfer structure";
+char	suniquehelp[] = "toggle store unique on remote machine";
+char	systemhelp[] =  "show remote system type";
+char	tenexhelp[] =	"set tenex file transfer type";
+char	tracehelp[] =	"toggle packet tracing";
+char	typehelp[] =	"set file transfer type";
+char	umaskhelp[] =	"get (set) umask on remote side";
+char	userhelp[] =	"send new user information";
+char	verbosehelp[] =	"toggle verbose mode";
+
+char	prothelp[] = 	"set protection level";
+#ifdef KRB4
+char	kauthhelp[] = 	"get remote tokens";
+char	klisthelp[] =	"show remote tickets";
+char	kdestroyhelp[] = "destroy remote tickets";
+char	krbtkfilehelp[] = "set filename of remote tickets";
+char	afsloghelp[] = 	"obtain remote AFS tokens";
+#endif
+
+struct cmd cmdtab[] = {
+	{ "!",		shellhelp,	0,	0,	0,	shell },
+	{ "$",		domachelp,	1,	0,	0,	domacro },
+	{ "account",	accounthelp,	0,	1,	1,	account},
+	{ "append",	appendhelp,	1,	1,	1,	put },
+	{ "ascii",	asciihelp,	0,	1,	1,	setascii },
+	{ "bell",	beephelp,	0,	0,	0,	setbell },
+	{ "binary",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "bye",	quithelp,	0,	0,	0,	quit },
+	{ "case",	casehelp,	0,	0,	1,	setcase },
+	{ "cd",		cdhelp,		0,	1,	1,	cd },
+	{ "cdup",	cduphelp,	0,	1,	1,	cdup },
+	{ "chmod",	chmodhelp,	0,	1,	1,	do_chmod },
+	{ "close",	disconhelp,	0,	1,	1,	disconnect },
+	{ "cr",		crhelp,		0,	0,	0,	setcr },
+	{ "delete",	deletehelp,	0,	1,	1,	delete },
+	{ "debug",	debughelp,	0,	0,	0,	setdebug },
+	{ "dir",	dirhelp,	1,	1,	1,	ls },
+	{ "disconnect",	disconhelp,	0,	1,	1,	disconnect },
+	{ "form",	formhelp,	0,	1,	1,	setform },
+	{ "get",	receivehelp,	1,	1,	1,	get },
+	{ "glob",	globhelp,	0,	0,	0,	setglob },
+	{ "hash",	hashhelp,	0,	0,	0,	sethash },
+	{ "help",	helphelp,	0,	0,	1,	help },
+	{ "idle",	idlehelp,	0,	1,	1,	ftp_idle },
+	{ "image",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "lcd",	lcdhelp,	0,	0,	0,	lcd },
+	{ "ls",		lshelp,		1,	1,	1,	ls },
+	{ "macdef",	macdefhelp,	0,	0,	0,	macdef },
+	{ "mdelete",	mdeletehelp,	1,	1,	1,	mdelete },
+	{ "mdir",	mdirhelp,	1,	1,	1,	mls },
+	{ "mget",	mgethelp,	1,	1,	1,	mget },
+	{ "mkdir",	mkdirhelp,	0,	1,	1,	makedir },
+	{ "mls",	mlshelp,	1,	1,	1,	mls },
+	{ "mode",	modehelp,	0,	1,	1,	setftmode },
+	{ "modtime",	modtimehelp,	0,	1,	1,	modtime },
+	{ "mput",	mputhelp,	1,	1,	1,	mput },
+	{ "newer",	newerhelp,	1,	1,	1,	newer },
+	{ "nmap",	nmaphelp,	0,	0,	1,	setnmap },
+	{ "nlist",	nlisthelp,	1,	1,	1,	ls },
+	{ "ntrans",	ntranshelp,	0,	0,	1,	setntrans },
+	{ "open",	connecthelp,	0,	0,	1,	setpeer },
+	{ "passive",	passivehelp,	0,	0,	0,	setpassive },
+	{ "prompt",	prompthelp,	0,	0,	0,	setprompt },
+	{ "proxy",	proxyhelp,	0,	0,	1,	doproxy },
+	{ "sendport",	porthelp,	0,	0,	0,	setport },
+	{ "put",	sendhelp,	1,	1,	1,	put },
+	{ "pwd",	pwdhelp,	0,	1,	1,	pwd },
+	{ "quit",	quithelp,	0,	0,	0,	quit },
+	{ "quote",	quotehelp,	1,	1,	1,	quote },
+	{ "recv",	receivehelp,	1,	1,	1,	get },
+	{ "reget",	regethelp,	1,	1,	1,	reget },
+	{ "rstatus",	rmtstatushelp,	0,	1,	1,	rmtstatus },
+	{ "rhelp",	remotehelp,	0,	1,	1,	rmthelp },
+	{ "rename",	renamehelp,	0,	1,	1,	renamefile },
+	{ "reset",	resethelp,	0,	1,	1,	reset },
+	{ "restart",	restarthelp,	1,	1,	1,	restart },
+	{ "rmdir",	rmdirhelp,	0,	1,	1,	removedir },
+	{ "runique",	runiquehelp,	0,	0,	1,	setrunique },
+	{ "send",	sendhelp,	1,	1,	1,	put },
+	{ "site",	sitehelp,	0,	1,	1,	site },
+	{ "size",	sizecmdhelp,	1,	1,	1,	sizecmd },
+	{ "status",	statushelp,	0,	0,	1,	status },
+	{ "struct",	structhelp,	0,	1,	1,	setstruct },
+	{ "system",	systemhelp,	0,	1,	1,	syst },
+	{ "sunique",	suniquehelp,	0,	0,	1,	setsunique },
+	{ "tenex",	tenexhelp,	0,	1,	1,	settenex },
+	{ "trace",	tracehelp,	0,	0,	0,	settrace },
+	{ "type",	typehelp,	0,	1,	1,	settype },
+	{ "user",	userhelp,	0,	1,	1,	user },
+	{ "umask",	umaskhelp,	0,	1,	1,	do_umask },
+	{ "verbose",	verbosehelp,	0,	0,	0,	setverbose },
+	{ "?",		helphelp,	0,	0,	1,	help },
+
+	{ "prot", 	prothelp, 	0, 	1, 	0,	sec_prot },
+#ifdef KRB4
+	{ "kauth", 	kauthhelp, 	0, 	1, 	0,	kauth },
+	{ "klist", 	klisthelp, 	0, 	1, 	0,	klist },
+	{ "kdestroy",	kdestroyhelp,	0,	1,	0,	kdestroy },
+	{ "krbtkfile",	krbtkfilehelp,	0,	1,	0,	krbtkfile },
+	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
+#endif
+	
+	{ 0 },
+};
+
+int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
diff --git a/crypto/heimdal/appl/ftp/ftp/domacro.c b/crypto/heimdal/appl/ftp/ftp/domacro.c
new file mode 100644
index 0000000..d91660d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/domacro.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: domacro.c,v 1.7 1999/09/16 20:37:29 assar Exp $");
+
+void
+domacro(int argc, char **argv)
+{
+	int i, j, count = 2, loopflg = 0;
+	char *cp1, *cp2, line2[200];
+	struct cmd *c;
+
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name.\n", argv[0]);
+		code = -1;
+		return;
+	}
+	for (i = 0; i < macnum; ++i) {
+		if (!strncmp(argv[1], macros[i].mac_name, 9)) {
+			break;
+		}
+	}
+	if (i == macnum) {
+		printf("'%s' macro not found.\n", argv[1]);
+		code = -1;
+		return;
+	}
+	strlcpy(line2, line, sizeof(line2));
+TOP:
+	cp1 = macros[i].mac_start;
+	while (cp1 != macros[i].mac_end) {
+		while (isspace(*cp1)) {
+			cp1++;
+		}
+		cp2 = line;
+		while (*cp1 != '\0') {
+		      switch(*cp1) {
+		   	    case '\\':
+				 *cp2++ = *++cp1;
+				 break;
+			    case '$':
+				 if (isdigit(*(cp1+1))) {
+				    j = 0;
+				    while (isdigit(*++cp1)) {
+					  j = 10*j +  *cp1 - '0';
+				    }
+				    cp1--;
+				    if (argc - 2 >= j) {
+					strcpy(cp2, argv[j+1]);
+					cp2 += strlen(argv[j+1]);
+				    }
+				    break;
+				 }
+				 if (*(cp1+1) == 'i') {
+					loopflg = 1;
+					cp1++;
+					if (count < argc) {
+					   strcpy(cp2, argv[count]);
+					   cp2 += strlen(argv[count]);
+					}
+					break;
+				}
+				/* intentional drop through */
+			    default:
+				*cp2++ = *cp1;
+				break;
+		      }
+		      if (*cp1 != '\0') {
+			 cp1++;
+		      }
+		}
+		*cp2 = '\0';
+		makeargv();
+		c = getcmd(margv[0]);
+		if (c == (struct cmd *)-1) {
+			printf("?Ambiguous command\n");
+			code = -1;
+		}
+		else if (c == 0) {
+			printf("?Invalid command\n");
+			code = -1;
+		}
+		else if (c->c_conn && !connected) {
+			printf("Not connected.\n");
+			code = -1;
+		}
+		else {
+			if (verbose) {
+				printf("%s\n",line);
+			}
+			(*c->c_handler)(margc, margv);
+			if (bell && c->c_bell) {
+				putchar('\007');
+			}
+			strcpy(line, line2);
+			makeargv();
+			argc = margc;
+			argv = margv;
+		}
+		if (cp1 != macros[i].mac_end) {
+			cp1++;
+		}
+	}
+	if (loopflg && ++count < argc) {
+		goto TOP;
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/extern.h b/crypto/heimdal/appl/ftp/ftp/extern.h
new file mode 100644
index 0000000..d488ecd
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/extern.h
@@ -0,0 +1,173 @@
+/*-
+ * Copyright (c) 1994 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.3 (Berkeley) 10/9/94
+ */
+
+/* $Id: extern.h,v 1.18 1999/10/28 20:49:10 assar Exp $ */
+
+#include <setjmp.h>
+#include <stdlib.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+void    abort_remote (FILE *);
+void    abortpt (int);
+void    abortrecv (int);
+void	account (int, char **);
+int	another (int *, char ***, char *);
+void	blkfree (char **);
+void	cd (int, char **);
+void	cdup (int, char **);
+void	changetype (int, int);
+void	cmdabort (int);
+void	cmdscanner (int);
+int	command (char *fmt, ...);
+int	confirm (char *, char *);
+FILE   *dataconn (const char *);
+void	delete (int, char **);
+void	disconnect (int, char **);
+void	do_chmod (int, char **);
+void	do_umask (int, char **);
+void	domacro (int, char **);
+char   *domap (char *);
+void	doproxy (int, char **);
+char   *dotrans (char *);
+int     empty (fd_set *, int);
+void	fatal (char *);
+void	get (int, char **);
+struct cmd *getcmd (char *);
+int	getit (int, char **, int, char *);
+int	getreply (int);
+int	globulize (char **);
+char   *gunique (char *);
+void	help (int, char **);
+char   *hookup (const char *, int);
+void	ftp_idle (int, char **);
+int     initconn (void);
+void	intr (int);
+void	lcd (int, char **);
+int	login (char *);
+RETSIGTYPE	lostpeer (int);
+void	ls (int, char **);
+void	macdef (int, char **);
+void	makeargv (void);
+void	makedir (int, char **);
+void	mdelete (int, char **);
+void	mget (int, char **);
+void	mls (int, char **);
+void	modtime (int, char **);
+void	mput (int, char **);
+char   *onoff (int);
+void	newer (int, char **);
+void    proxtrans (char *, char *, char *);
+void    psabort (int);
+void    pswitch (int);
+void    ptransfer (char *, long, struct timeval *, struct timeval *);
+void	put (int, char **);
+void	pwd (int, char **);
+void	quit (int, char **);
+void	quote (int, char **);
+void	quote1 (char *, int, char **);
+void    recvrequest (char *, char *, char *, char *, int, int);
+void	reget (int, char **);
+char   *remglob (char **, int);
+void	removedir (int, char **);
+void	renamefile (int, char **);
+void    reset (int, char **);
+void	restart (int, char **);
+void	rmthelp (int, char **);
+void	rmtstatus (int, char **);
+int	ruserpass (char *, char **, char **, char **);
+void    sendrequest (char *, char *, char *, char *, int);
+void	setascii (int, char **);
+void	setbell (int, char **);
+void	setbinary (int, char **);
+void	setcase (int, char **);
+void	setcr (int, char **);
+void	setdebug (int, char **);
+void	setform (int, char **);
+void	setftmode (int, char **);
+void	setglob (int, char **);
+void	sethash (int, char **);
+void	setnmap (int, char **);
+void	setntrans (int, char **);
+void	setpassive (int, char **);
+void	setpeer (int, char **);
+void	setport (int, char **);
+void	setprompt (int, char **);
+void	setrunique (int, char **);
+void	setstruct (int, char **);
+void	setsunique (int, char **);
+void	settenex (int, char **);
+void	settrace (int, char **);
+void	settype (int, char **);
+void	setverbose (int, char **);
+void	shell (int, char **);
+void	site (int, char **);
+void	sizecmd (int, char **);
+char   *slurpstring (void);
+void	status (int, char **);
+void	syst (int, char **);
+void    tvsub (struct timeval *, struct timeval *, struct timeval *);
+void	user (int, char **);
+
+extern jmp_buf	abortprox;
+extern int	abrtflag;
+extern struct	cmd cmdtab[];
+extern FILE	*cout;
+extern int	data;
+extern char    *home;
+extern jmp_buf	jabort;
+extern int	proxy;
+extern char	reply_string[];
+extern off_t	restart_point;
+extern int	NCMDS;
+
+extern char 	username[32];
+extern char	myhostname[];
+extern char	*mydomain;
+
+void afslog (int, char **);
+void kauth (int, char **);
+void kdestroy (int, char **);
+void klist (int, char **);
+void krbtkfile (int, char **);
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.1 b/crypto/heimdal/appl/ftp/ftp/ftp.1
new file mode 100644
index 0000000..e5c21f0
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.1
@@ -0,0 +1,1193 @@
+.\" 	$NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $
+.\"
+.\" Copyright (c) 1985, 1989, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)ftp.1	8.3 (Berkeley) 10/9/94
+.\"
+.Dd April 27, 1996
+.Dt FTP 1
+.Os BSD 4.2
+.Sh NAME
+.Nm ftp
+.Nd
+.Tn ARPANET
+file transfer program
+.Sh SYNOPSIS
+.Nm ftp
+.Op Fl t
+.Op Fl v
+.Op Fl d
+.Op Fl i
+.Op Fl n
+.Op Fl g
+.Op Fl p
+.Op Ar host
+.Sh DESCRIPTION
+.Nm Ftp
+is the user interface to the
+.Tn ARPANET
+standard File Transfer Protocol.
+The program allows a user to transfer files to and from a
+remote network site.
+.Pp
+Modifications has been made so that it almost follows the ftpsec
+Internet draft.
+.Pp
+Options may be specified at the command line, or to the
+command interpreter.
+.Bl -tag -width flag
+.It Fl t
+Enables packet tracing.
+.It Fl v
+Verbose option forces
+.Nm ftp
+to show all responses from the remote server, as well
+as report on data transfer statistics.
+.It Fl n
+Restrains
+.Nm ftp
+from attempting \*(Lqauto-login\*(Rq upon initial connection.
+If auto-login is enabled,
+.Nm ftp
+will check the
+.Pa .netrc
+(see below) file in the user's home directory for an entry describing
+an account on the remote machine.
+If no entry exists,
+.Nm ftp
+will prompt for the remote machine login name (default is the user
+identity on the local machine), and, if necessary, prompt for a password
+and an account with which to login.
+.It Fl i
+Turns off interactive prompting during
+multiple file transfers.
+.It Fl p
+Turn on passive mode.
+.It Fl d
+Enables debugging.
+.It Fl g
+Disables file name globbing.
+.El
+.Pp
+The client host with which
+.Nm ftp
+is to communicate may be specified on the command line.
+If this is done,
+.Nm ftp
+will immediately attempt to establish a connection to an
+.Tn FTP
+server on that host; otherwise,
+.Nm ftp
+will enter its command interpreter and await instructions
+from the user.
+When
+.Nm ftp
+is awaiting commands from the user the prompt
+.Ql ftp>
+is provided to the user.
+The following commands are recognized
+by
+.Nm ftp  :
+.Bl -tag -width Fl
+.It Ic \&! Op Ar command Op Ar args
+Invoke an interactive shell on the local machine.
+If there are arguments, the first is taken to be a command to execute
+directly, with the rest of the arguments as its arguments.
+.It Ic \&$ Ar macro-name Op Ar args
+Execute the macro
+.Ar macro-name
+that was defined with the
+.Ic macdef
+command.
+Arguments are passed to the macro unglobbed.
+.It Ic account Op Ar passwd
+Supply a supplemental password required by a remote system for access
+to resources once a login has been successfully completed.
+If no argument is included, the user will be prompted for an account
+password in a non-echoing input mode.
+.It Ic append Ar local-file Op Ar remote-file
+Append a local file to a file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used in naming the
+remote file after being altered by any
+.Ic ntrans
+or
+.Ic nmap
+setting.
+File transfer uses the current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure .
+.It Ic ascii
+Set the file transfer
+.Ic type
+to network
+.Tn ASCII .
+This is the default type.
+.It Ic bell
+Arrange that a bell be sounded after each file transfer
+command is completed.
+.It Ic binary
+Set the file transfer
+.Ic type
+to support binary image transfer.
+.It Ic bye
+Terminate the
+.Tn FTP
+session with the remote server
+and exit
+.Nm ftp  .
+An end of file will also terminate the session and exit.
+.It Ic case
+Toggle remote computer file name case mapping during
+.Ic mget
+commands.
+When
+.Ic case
+is on (default is off), remote computer file names with all letters in
+upper case are written in the local directory with the letters mapped
+to lower case.
+.It Ic \&cd Ar remote-directory
+Change the working directory on the remote machine
+to
+.Ar remote-directory  .
+.It Ic cdup
+Change the remote machine working directory to the parent of the
+current remote machine working directory.
+.It Ic chmod Ar mode file-name
+Change the permission modes of the file
+.Ar file-name
+on the remote
+sytem to
+.Ar mode  .
+.It Ic close
+Terminate the
+.Tn FTP
+session with the remote server, and
+return to the command interpreter.
+Any defined macros are erased.
+.It Ic \&cr
+Toggle carriage return stripping during
+ascii type file retrieval.
+Records are denoted by a carriage return/linefeed sequence
+during ascii type file transfer.
+When
+.Ic \&cr
+is on (the default), carriage returns are stripped from this
+sequence to conform with the
+.Ux
+single linefeed record
+delimiter.
+Records on
+.Pf non\- Ns Ux
+remote systems may contain single linefeeds;
+when an ascii type transfer is made, these linefeeds may be
+distinguished from a record delimiter only when
+.Ic \&cr
+is off.
+.It Ic delete Ar remote-file
+Delete the file
+.Ar remote-file
+on the remote machine.
+.It Ic debug Op Ar debug-value
+Toggle debugging mode.
+If an optional
+.Ar debug-value
+is specified it is used to set the debugging level.
+When debugging is on,
+.Nm ftp
+prints each command sent to the remote machine, preceded
+by the string
+.Ql \-\->
+.It Xo
+.Ic dir
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the directory contents in the
+directory,
+.Ar remote-directory  ,
+and, optionally, placing the output in
+.Ar local-file  .
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic dir
+output.
+If no directory is specified, the current working
+directory on the remote machine is used.
+If no local
+file is specified, or
+.Ar local-file
+is
+.Fl  ,
+output comes to the terminal.
+.It Ic disconnect
+A synonym for
+.Ar close  .
+.It Ic form Ar format
+Set the file transfer
+.Ic form
+to
+.Ar format  .
+The default format is \*(Lqfile\*(Rq.
+.It Ic get Ar remote-file Op Ar local-file
+Retrieve the
+.Ar remote-file
+and store it on the local machine.
+If the local
+file name is not specified, it is given the same
+name it has on the remote machine, subject to
+alteration by the current
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+The current settings for
+.Ic type  ,
+.Ic form ,
+.Ic mode  ,
+and
+.Ic structure
+are used while transferring the file.
+.It Ic glob
+Toggle filename expansion for
+.Ic mdelete  ,
+.Ic mget
+and
+.Ic mput  .
+If globbing is turned off with
+.Ic glob  ,
+the file name arguments
+are taken literally and not expanded.
+Globbing for
+.Ic mput
+is done as in
+.Xr csh 1 .
+For
+.Ic mdelete
+and
+.Ic mget  ,
+each remote file name is expanded
+separately on the remote machine and the lists are not merged.
+Expansion of a directory name is likely to be
+different from expansion of the name of an ordinary file:
+the exact result depends on the foreign operating system and ftp server,
+and can be previewed by doing
+.Ql mls remote-files \- .
+As a security measure, remotely globbed files that starts with
+.Sq /
+or contains
+.Sq ../ ,
+will not be automatically received. If you have interactive prompting
+turned off, these filenames will be ignored.  Note:
+.Ic mget
+and
+.Ic mput
+are not meant to transfer
+entire directory subtrees of files.
+That can be done by
+transferring a
+.Xr tar 1
+archive of the subtree (in binary mode).
+.It Ic hash
+Toggle hash-sign (``#'') printing for each data block
+transferred.
+The size of a data block is 1024 bytes.
+.It Ic help Op Ar command
+Print an informative message about the meaning of
+.Ar command  .
+If no argument is given,
+.Nm ftp
+prints a list of the known commands.
+.It Ic idle Op Ar seconds
+Set the inactivity timer on the remote server to
+.Ar seconds
+seconds.
+If
+.Ar seconds
+is omitted, the current inactivity timer is printed.
+.It Ic lcd Op Ar directory
+Change the working directory on the local machine.
+If
+no
+.Ar directory
+is specified, the user's home directory is used.
+.It Xo
+.Ic \&ls
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the contents of a
+directory on the remote machine.
+The listing includes any system-dependent information that the server
+chooses to include; for example, most
+.Ux
+systems will produce
+output from the command
+.Ql ls \-l .
+(See also
+.Ic nlist . )
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic \&ls
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Sq Fl ,
+the output is sent to the terminal.
+.It Ic macdef Ar macro-name
+Define a macro.
+Subsequent lines are stored as the macro
+.Ar macro-name  ;
+a null line (consecutive newline characters
+in a file or
+carriage returns from the terminal) terminates macro input mode.
+There is a limit of 16 macros and 4096 total characters in all
+defined macros.
+Macros remain defined until a
+.Ic close
+command is executed.
+The macro processor interprets `$' and `\e' as special characters.
+A `$' followed by a number (or numbers) is replaced by the
+corresponding argument on the macro invocation command line.
+A `$' followed by an `i' signals that macro processor that the
+executing macro is to be looped.
+On the first pass `$i' is
+replaced by the first argument on the macro invocation command line,
+on the second pass it is replaced by the second argument, and so on.
+A `\e' followed by any character is replaced by that character.
+Use the `\e' to prevent special treatment of the `$'.
+.It Ic mdelete Op Ar remote-files
+Delete the
+.Ar remote-files
+on the remote machine.
+.It Ic mdir Ar remote-files local-file
+Like
+.Ic dir  ,
+except multiple remote files may be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mdir
+output.
+.It Ic mget Ar remote-files
+Expand the
+.Ar remote-files
+on the remote machine
+and do a
+.Ic get
+for each file name thus produced.
+See
+.Ic glob
+for details on the filename expansion.
+Resulting file names will then be processed according to
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+Files are transferred into the local working directory,
+which can be changed with
+.Ql lcd directory ;
+new local directories can be created with
+.Ql "\&! mkdir directory" .
+.It Ic mkdir Ar directory-name
+Make a directory on the remote machine.
+.It Ic mls Ar remote-files local-file
+Like
+.Ic nlist  ,
+except multiple remote files may be specified,
+and the
+.Ar local-file
+must be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mls
+output.
+.It Ic mode Op Ar mode-name
+Set the file transfer
+.Ic mode
+to
+.Ar mode-name  .
+The default mode is \*(Lqstream\*(Rq mode.
+.It Ic modtime Ar file-name
+Show the last modification time of the file on the remote machine.
+.It Ic mput Ar local-files
+Expand wild cards in the list of local files given as arguments
+and do a
+.Ic put
+for each file in the resulting list.
+See
+.Ic glob
+for details of filename expansion.
+Resulting file names will then be processed according to
+.Ic ntrans
+and
+.Ic nmap
+settings.
+.It Ic newer Ar file-name
+Get the file only if the modification time of the remote file is more
+recent that the file on the current system.
+If the file does not
+exist on the current system, the remote file is considered
+.Ic newer  .
+Otherwise, this command is identical to
+.Ar get  .
+.It Xo
+.Ic nlist
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a  list of the files in a
+directory on the remote machine.
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic nlist
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Fl  ,
+the output is sent to the terminal.
+.It Ic nmap Op Ar inpattern outpattern
+Set or unset the filename mapping mechanism.
+If no arguments are specified, the filename mapping mechanism is unset.
+If arguments are specified, remote filenames are mapped during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, local filenames are mapped during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+The mapping follows the pattern set by
+.Ar inpattern
+and
+.Ar outpattern  .
+.Op Ar Inpattern
+is a template for incoming filenames (which may have already been
+processed according to the
+.Ic ntrans
+and
+.Ic case
+settings).
+Variable templating is accomplished by including the
+sequences `$1', `$2', ..., `$9' in
+.Ar inpattern  .
+Use `\\' to prevent this special treatment of the `$' character.
+All other characters are treated literally, and are used to determine the
+.Ic nmap
+.Op Ar inpattern
+variable values.
+For example, given
+.Ar inpattern
+$1.$2 and the remote file name "mydata.data", $1 would have the value
+"mydata", and $2 would have the value "data".
+The
+.Ar outpattern
+determines the resulting mapped filename.
+The sequences `$1', `$2', ...., `$9' are replaced by any value resulting
+from the
+.Ar inpattern
+template.
+The sequence `$0' is replace by the original filename.
+Additionally, the sequence
+.Ql Op Ar seq1 , Ar seq2
+is replaced by
+.Op Ar seq1
+if
+.Ar seq1
+is not a null string; otherwise it is replaced by
+.Ar seq2 .
+For example, the command
+.Pp
+.Bd -literal -offset indent -compact
+nmap $1.$2.$3 [$1,$2].[$2,file]
+.Ed
+.Pp
+would yield
+the output filename "myfile.data" for input filenames "myfile.data" and
+"myfile.data.old", "myfile.file" for the input filename "myfile", and
+"myfile.myfile" for the input filename ".myfile".
+Spaces may be included in
+.Ar outpattern  ,
+as in the example: `nmap $1 sed "s/  *$//" > $1' .
+Use the `\e' character to prevent special treatment
+of the `$','[','[', and `,' characters.
+.It Ic ntrans Op Ar inchars Op Ar outchars
+Set or unset the filename character translation mechanism.
+If no arguments are specified, the filename character
+translation mechanism is unset.
+If arguments are specified, characters in
+remote filenames are translated during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, characters in
+local filenames are translated during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+Characters in a filename matching a character in
+.Ar inchars
+are replaced with the corresponding character in
+.Ar outchars  .
+If the character's position in
+.Ar inchars
+is longer than the length of
+.Ar outchars  ,
+the character is deleted from the file name.
+.It Ic open Ar host Op Ar port
+Establish a connection to the specified
+.Ar host
+.Tn FTP
+server.
+An optional port number may be supplied,
+in which case,
+.Nm ftp
+will attempt to contact an
+.Tn FTP
+server at that port.
+If the
+.Ic auto-login
+option is on (default),
+.Nm ftp
+will also attempt to automatically log the user in to
+the
+.Tn FTP
+server (see below).
+.It Ic passive
+Toggle passive mode.  If passive mode is turned on
+(default is off), the ftp client will
+send a
+.Dv PASV
+command for all data connections instead of the usual
+.Dv PORT
+command.  The
+.Dv PASV
+command requests that the remote server open a port for the data connection
+and return the address of that port.  The remote server listens on that
+port and the client connects to it.  When using the more traditional
+.Dv PORT
+command, the client listens on a port and sends that address to the remote
+server, who connects back to it.  Passive mode is useful when using
+.Nm ftp
+through a gateway router or host that controls the directionality of
+traffic.
+(Note that though ftp servers are required to support the
+.Dv PASV
+command by RFC 1123, some do not.)
+.It Ic prompt
+Toggle interactive prompting.
+Interactive prompting
+occurs during multiple file transfers to allow the
+user to selectively retrieve or store files.
+If prompting is turned off (default is on), any
+.Ic mget
+or
+.Ic mput
+will transfer all files, and any
+.Ic mdelete
+will delete all files.
+.It Ic proxy Ar ftp-command
+Execute an ftp command on a secondary control connection.
+This command allows simultaneous connection to two remote ftp
+servers for transferring files between the two servers.
+The first
+.Ic proxy
+command should be an
+.Ic open  ,
+to establish the secondary control connection.
+Enter the command "proxy ?" to see other ftp commands executable on the
+secondary connection.
+The following commands behave differently when prefaced by
+.Ic proxy  :
+.Ic open
+will not define new macros during the auto-login process,
+.Ic close
+will not erase existing macro definitions,
+.Ic get
+and
+.Ic mget
+transfer files from the host on the primary control connection
+to the host on the secondary control connection, and
+.Ic put  ,
+.Ic mput ,
+and
+.Ic append
+transfer files from the host on the secondary control connection
+to the host on the primary control connection.
+Third party file transfers depend upon support of the ftp protocol
+.Dv PASV
+command by the server on the secondary control connection.
+.It Ic put Ar local-file Op Ar remote-file
+Store a local file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used
+after processing according to any
+.Ic ntrans
+or
+.Ic nmap
+settings
+in naming the remote file.
+File transfer uses the
+current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure  .
+.It Ic pwd
+Print the name of the current working directory on the remote
+machine.
+.It Ic quit
+A synonym for
+.Ic bye  .
+.It Ic quote Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server.
+.It Ic recv Ar remote-file Op Ar local-file
+A synonym for get.
+.It Ic reget Ar remote-file Op Ar local-file
+Reget acts like get, except that if
+.Ar local-file
+exists and is
+smaller than
+.Ar remote-file  ,
+.Ar local-file
+is presumed to be
+a partially transferred copy of
+.Ar remote-file
+and the transfer
+is continued from the apparent point of failure.
+This command
+is useful when transferring very large files over networks that
+are prone to dropping connections.
+.It Ic remotehelp Op Ar command-name
+Request help from the remote
+.Tn FTP
+server.
+If a
+.Ar command-name
+is specified it is supplied to the server as well.
+.It Ic remotestatus Op Ar file-name
+With no arguments, show status of remote machine.
+If
+.Ar file-name
+is specified, show status of
+.Ar file-name
+on remote machine.
+.It Xo
+.Ic rename
+.Op Ar from
+.Op Ar to
+.Xc
+Rename the file
+.Ar from
+on the remote machine, to the file
+.Ar to  .
+.It Ic reset
+Clear reply queue.
+This command re-synchronizes command/reply sequencing with the remote
+ftp server.
+Resynchronization may be necessary following a violation of the ftp protocol
+by the remote server.
+.It Ic restart Ar marker
+Restart the immediately following
+.Ic get
+or
+.Ic put
+at the
+indicated
+.Ar marker  .
+On
+.Ux
+systems, marker is usually a byte
+offset into the file.
+.It Ic rmdir Ar directory-name
+Delete a directory on the remote machine.
+.It Ic runique
+Toggle storing of files on the local system with unique filenames.
+If a file already exists with a name equal to the target
+local filename for a
+.Ic get
+or
+.Ic mget
+command, a ".1" is appended to the name.
+If the resulting name matches another existing file,
+a ".2" is appended to the original name.
+If this process continues up to ".99", an error
+message is printed, and the transfer does not take place.
+The generated unique filename will be reported.
+Note that
+.Ic runique
+will not affect local files generated from a shell command
+(see below).
+The default value is off.
+.It Ic send Ar local-file Op Ar remote-file
+A synonym for put.
+.It Ic sendport
+Toggle the use of
+.Dv PORT
+commands.
+By default,
+.Nm ftp
+will attempt to use a
+.Dv PORT
+command when establishing
+a connection for each data transfer.
+The use of
+.Dv PORT
+commands can prevent delays
+when performing multiple file transfers.
+If the
+.Dv PORT
+command fails,
+.Nm ftp
+will use the default data port.
+When the use of
+.Dv PORT
+commands is disabled, no attempt will be made to use
+.Dv PORT
+commands for each data transfer.
+This is useful
+for certain
+.Tn FTP
+implementations which do ignore
+.Dv PORT
+commands but, incorrectly, indicate they've been accepted.
+.It Ic site Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server as a
+.Dv SITE
+command.
+.It Ic size Ar file-name
+Return size of
+.Ar file-name
+on remote machine.
+.It Ic status
+Show the current status of
+.Nm ftp  .
+.It Ic struct Op Ar struct-name
+Set the file transfer
+.Ar structure
+to
+.Ar struct-name .
+By default \*(Lqstream\*(Rq structure is used.
+.It Ic sunique
+Toggle storing of files on remote machine under unique file names.
+Remote ftp server must support ftp protocol
+.Dv STOU
+command for
+successful completion.
+The remote server will report unique name.
+Default value is off.
+.It Ic system
+Show the type of operating system running on the remote machine.
+.It Ic tenex
+Set the file transfer type to that needed to
+talk to
+.Tn TENEX
+machines.
+.It Ic trace
+Toggle packet tracing.
+.It Ic type Op Ar type-name
+Set the file transfer
+.Ic type
+to
+.Ar type-name  .
+If no type is specified, the current type
+is printed.
+The default type is network
+.Tn ASCII .
+.It Ic umask Op Ar newmask
+Set the default umask on the remote server to
+.Ar newmask  .
+If
+.Ar newmask
+is omitted, the current umask is printed.
+.It Xo
+.Ic user Ar user-name
+.Op Ar password
+.Op Ar account
+.Xc
+Identify yourself to the remote
+.Tn FTP
+server.
+If the
+.Ar password
+is not specified and the server requires it,
+.Nm ftp
+will prompt the user for it (after disabling local echo).
+If an
+.Ar account
+field is not specified, and the
+.Tn FTP
+server
+requires it, the user will be prompted for it.
+If an
+.Ar account
+field is specified, an account command will
+be relayed to the remote server after the login sequence
+is completed if the remote server did not require it
+for logging in.
+Unless
+.Nm ftp
+is invoked with \*(Lqauto-login\*(Rq disabled, this
+process is done automatically on initial connection to
+the
+.Tn FTP
+server.
+.It Ic verbose
+Toggle verbose mode.
+In verbose mode, all responses from
+the
+.Tn FTP
+server are displayed to the user.
+In addition,
+if verbose is on, when a file transfer completes, statistics
+regarding the efficiency of the transfer are reported.
+By default,
+verbose is on.
+.It Ic ? Op Ar command
+A synonym for help.
+.El
+.Pp
+The following command can be used with ftpsec-aware servers.
+.Bl -tag -width Fl
+.It Xo
+.Ic prot 
+.Ar clear | 
+.Ar safe | 
+.Ar confidential | 
+.Ar private
+.Xc
+Set the data protection level to the requested level.
+.El
+.Pp
+The following command can be used with ftp servers that has
+implemented the KAUTH site command.
+.Bl -tag -width Fl
+.It Ic kauth Op Ar principal
+Obtain remote tickets.
+.El
+.Pp
+Command arguments which have embedded spaces may be quoted with
+quote `"' marks.
+.Sh ABORTING A FILE TRANSFER
+To abort a file transfer, use the terminal interrupt key
+(usually Ctrl-C).
+Sending transfers will be immediately halted.
+Receiving transfers will be halted by sending a ftp protocol
+.Dv ABOR
+command to the remote server, and discarding any further data received.
+The speed at which this is accomplished depends upon the remote
+server's support for
+.Dv ABOR
+processing.
+If the remote server does not support the
+.Dv ABOR
+command, an
+.Ql ftp>
+prompt will not appear until the remote server has completed
+sending the requested file.
+.Pp
+The terminal interrupt key sequence will be ignored when
+.Nm ftp
+has completed any local processing and is awaiting a reply
+from the remote server.
+A long delay in this mode may result from the ABOR processing described
+above, or from unexpected behavior by the remote server, including
+violations of the ftp protocol.
+If the delay results from unexpected remote server behavior, the local
+.Nm ftp
+program must be killed by hand.
+.Sh FILE NAMING CONVENTIONS
+Files specified as arguments to
+.Nm ftp
+commands are processed according to the following rules.
+.Bl -enum
+.It
+If the file name
+.Sq Fl
+is specified, the
+.Ar stdin
+(for reading) or
+.Ar stdout
+(for writing) is used.
+.It
+If the first character of the file name is
+.Sq \&| ,
+the
+remainder of the argument is interpreted as a shell command.
+.Nm Ftp
+then forks a shell, using
+.Xr popen 3
+with the argument supplied, and reads (writes) from the stdout
+(stdin).
+If the shell command includes spaces, the argument
+must be quoted; e.g.
+\*(Lq" ls -lt"\*(Rq.
+A particularly
+useful example of this mechanism is: \*(Lqdir more\*(Rq.
+.It
+Failing the above checks, if ``globbing'' is enabled,
+local file names are expanded
+according to the rules used in the
+.Xr csh  1  ;
+c.f. the
+.Ic glob
+command.
+If the
+.Nm ftp
+command expects a single local file (.e.g.
+.Ic put  ) ,
+only the first filename generated by the "globbing" operation is used.
+.It
+For
+.Ic mget
+commands and
+.Ic get
+commands with unspecified local file names, the local filename is
+the remote filename, which may be altered by a
+.Ic case  ,
+.Ic ntrans ,
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered if
+.Ic runique
+is on.
+.It
+For
+.Ic mput
+commands and
+.Ic put
+commands with unspecified remote file names, the remote filename is
+the local filename, which may be altered by a
+.Ic ntrans
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered by the remote server if
+.Ic sunique
+is on.
+.El
+.Sh FILE TRANSFER PARAMETERS
+The FTP specification specifies many parameters which may
+affect a file transfer.
+The
+.Ic type
+may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary),
+\*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for
+.Tn PDP Ns -10's
+and
+.Tn PDP Ns -20's
+mostly).
+.Nm Ftp
+supports the ascii and image types of file transfer,
+plus local byte size 8 for
+.Ic tenex
+mode transfers.
+.Pp
+.Nm Ftp
+supports only the default values for the remaining
+file transfer parameters:
+.Ic mode  ,
+.Ic form ,
+and
+.Ic struct  .
+.Sh THE .netrc FILE
+The
+.Pa .netrc
+file contains login and initialization information
+used by the auto-login process.
+It resides in the user's home directory.
+The following tokens are recognized; they may be separated by spaces,
+tabs, or new-lines:
+.Bl -tag -width password
+.It Ic machine Ar name
+Identify a remote machine
+.Ar name .
+The auto-login process searches the
+.Pa .netrc
+file for a
+.Ic machine
+token that matches the remote machine specified on the
+.Nm ftp
+command line or as an
+.Ic open
+command argument.
+Once a match is made, the subsequent
+.Pa .netrc
+tokens are processed,
+stopping when the end of file is reached or another
+.Ic machine
+or a
+.Ic default
+token is encountered.
+.It Ic default
+This is the same as
+.Ic machine
+.Ar name
+except that
+.Ic default
+matches any name.
+There can be only one
+.Ic default
+token, and it must be after all
+.Ic machine
+tokens.
+This is normally used as:
+.Pp
+.Dl default login anonymous password user@site
+.Pp
+thereby giving the user
+.Ar automatic
+anonymous ftp login to
+machines not specified in
+.Pa .netrc .
+This can be overridden
+by using the
+.Fl n
+flag to disable auto-login.
+.It Ic login Ar name
+Identify a user on the remote machine.
+If this token is present, the auto-login process will initiate
+a login using the specified
+.Ar name .
+.It Ic password Ar string
+Supply a password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires a password as part
+of the login process.
+Note that if this token is present in the
+.Pa .netrc
+file for any user other
+than
+.Ar anonymous  ,
+.Nm ftp
+will abort the auto-login process if the
+.Pa .netrc
+is readable by
+anyone besides the user.
+.It Ic account Ar string
+Supply an additional account password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires an additional
+account password, or the auto-login process will initiate an
+.Dv ACCT
+command if it does not.
+.It Ic macdef Ar name
+Define a macro.
+This token functions like the
+.Nm ftp
+.Ic macdef
+command functions.
+A macro is defined with the specified name; its contents begin with the
+next
+.Pa .netrc
+line and continue until a null line (consecutive new-line
+characters) is encountered.
+If a macro named
+.Ic init
+is defined, it is automatically executed as the last step in the
+auto-login process.
+.El
+.Sh ENVIRONMENT
+.Nm Ftp
+utilizes the following environment variables.
+.Bl -tag -width Fl
+.It Ev HOME
+For default location of a
+.Pa .netrc
+file, if one exists.
+.It Ev SHELL
+For default shell.
+.El
+.Sh SEE ALSO
+.Xr ftpd 8 ,
+.%T RFC2228
+.Sh HISTORY
+The
+.Nm ftp
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+Correct execution of many commands depends upon proper behavior
+by the remote server.
+.Pp
+An error in the treatment of carriage returns
+in the
+.Bx 4.2
+ascii-mode transfer code
+has been corrected.
+This correction may result in incorrect transfers of binary files
+to and from
+.Bx 4.2
+servers using the ascii type.
+Avoid this problem by using the binary image type.
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.c b/crypto/heimdal/appl/ftp/ftp/ftp.c
new file mode 100644
index 0000000..2e7a9dd
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.c
@@ -0,0 +1,1746 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID ("$Id: ftp.c,v 1.63 2000/01/08 07:43:47 assar Exp $");
+
+struct sockaddr_storage hisctladdr_ss;
+struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+struct sockaddr_storage data_addr_ss;
+struct sockaddr *data_addr  = (struct sockaddr *)&data_addr_ss;
+struct sockaddr_storage myctladdr_ss;
+struct sockaddr *myctladdr = (struct sockaddr *)&myctladdr_ss;
+int data = -1;
+int abrtflag = 0;
+jmp_buf ptabort;
+int ptabflg;
+int ptflag = 0;
+off_t restart_point = 0;
+
+
+FILE *cin, *cout;
+
+typedef void (*sighand) (int);
+
+char *
+hookup (const char *host, int port)
+{
+    static char hostnamebuf[MaxHostNameLen];
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    int len;
+    int s;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+    hints.ai_flags    = AI_CANONNAME;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", host, gai_strerror(error));
+	code = -1;
+	return NULL;
+    }
+    strlcpy (hostnamebuf, host, sizeof(hostnamebuf));
+    hostname = hostnamebuf;
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+
+	if (a->ai_canonname != NULL)
+	    strlcpy (hostnamebuf, a->ai_canonname, sizeof(hostnamebuf));
+
+	memcpy (hisctladdr, a->ai_addr, a->ai_addrlen);
+	
+	error = connect (s, a->ai_addr, a->ai_addrlen);
+	if (error < 0) {
+	    char addrstr[256];
+
+	    if (getnameinfo (a->ai_addr, a->ai_addrlen,
+			     addrstr, sizeof(addrstr),
+			     NULL, 0, NI_NUMERICHOST) != 0)
+		strlcpy (addrstr, "unknown address", sizeof(addrstr));
+			     
+	    warn ("connect %s", addrstr);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    freeaddrinfo (ai);
+    if (error < 0) {
+	warnx ("failed to contact %s", host);
+	code = -1;
+	return NULL;
+    }
+
+    len = sizeof(myctladdr_ss);
+    if (getsockname (s, myctladdr, &len) < 0) {
+	warn ("getsockname");
+	code = -1;
+	close (s);
+	return NULL;
+    }
+#ifdef IPTOS_LOWDELAY
+    socket_set_tos (s, IPTOS_LOWDELAY);
+#endif
+    cin = fdopen (s, "r");
+    cout = fdopen (s, "w");
+    if (cin == NULL || cout == NULL) {
+	warnx ("fdopen failed.");
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+    if (verbose)
+	printf ("Connected to %s.\n", hostname);
+    if (getreply (0) > 2) {	/* read startup message from server */
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    {
+	int on = 1;
+
+	if (setsockopt (s, SOL_SOCKET, SO_OOBINLINE, (char *) &on, sizeof (on))
+	    < 0 && debug) {
+	    warn ("setsockopt");
+	}
+    }
+#endif				/* SO_OOBINLINE */
+
+    return (hostname);
+bad:
+    close (s);
+    return NULL;
+}
+
+int
+login (char *host)
+{
+    char tmp[80];
+    char defaultpass[128];
+    char *user, *pass, *acct;
+    int n, aflag = 0;
+
+    char *myname = NULL;
+    struct passwd *pw = k_getpwuid(getuid());
+
+    if (pw != NULL)
+	myname = pw->pw_name;
+
+    user = pass = acct = 0;
+
+    if(sec_login(host))
+	printf("\n*** Using plaintext user and password ***\n\n");
+    else{
+	printf("Authentication successful.\n\n");
+    }
+
+    if (ruserpass (host, &user, &pass, &acct) < 0) {
+	code = -1;
+	return (0);
+    }
+    while (user == NULL) {
+	if (myname)
+	    printf ("Name (%s:%s): ", host, myname);
+	else
+	    printf ("Name (%s): ", host);
+	fgets (tmp, sizeof (tmp) - 1, stdin);
+	tmp[strlen (tmp) - 1] = '\0';
+	if (*tmp == '\0')
+	    user = myname;
+	else
+	    user = tmp;
+    }
+    strlcpy(username, user, sizeof(username));
+    n = command("USER %s", user);
+    if (n == CONTINUE) {
+	if(sec_complete)
+	    pass = myname;
+	else if (pass == NULL) {
+	    char prompt[128];
+	    if(myname && 
+	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))){
+		snprintf(defaultpass, sizeof(defaultpass), 
+			 "%s@%s", myname, mydomain);
+		snprintf(prompt, sizeof(prompt), 
+			 "Password (%s): ", defaultpass);
+	    }else{
+		*defaultpass = '\0';
+		snprintf(prompt, sizeof(prompt), "Password: ");
+	    }
+	    pass = defaultpass;
+	    des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
+	    if (tmp[0])
+		pass = tmp;
+	}
+	n = command ("PASS %s", pass);
+    }
+    if (n == CONTINUE) {
+	aflag++;
+	acct = tmp;
+	des_read_pw_string (acct, 128, "Account:", 0);
+	n = command ("ACCT %s", acct);
+    }
+    if (n != COMPLETE) {
+	warnx ("Login failed.");
+	return (0);
+    }
+    if (!aflag && acct != NULL)
+	command ("ACCT %s", acct);
+    if (proxy)
+	return (1);
+    for (n = 0; n < macnum; ++n) {
+	if (!strcmp("init", macros[n].mac_name)) {
+	    strlcpy (line, "$init", sizeof (line));
+	    makeargv();
+	    domacro(margc, margv);
+	    break;
+	}
+    }
+    sec_set_protection_level ();
+    return (1);
+}
+
+void
+cmdabort (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    abrtflag++;
+    if (ptflag)
+	longjmp (ptabort, 1);
+}
+
+int
+command (char *fmt,...)
+{
+    va_list ap;
+    int r;
+    sighand oldintr;
+
+    abrtflag = 0;
+    if (cout == NULL) {
+	warn ("No control connection for command");
+	code = -1;
+	return (0);
+    }
+    oldintr = signal(SIGINT, cmdabort);
+    va_start(ap, fmt);
+    if(debug){
+	printf("---> ");
+	if (strncmp("PASS ", fmt, 5) == 0)
+	    printf("PASS XXXX");
+	else 
+	    vfprintf(stdout, fmt, ap);
+	va_start(ap, fmt);
+    }
+    sec_vfprintf(cout, fmt, ap);
+    va_end(ap);
+    if(debug){
+	printf("\n");
+	fflush(stdout);
+    }
+    fprintf (cout, "\r\n");
+    fflush (cout);
+    cpend = 1;
+    r = getreply (!strcmp (fmt, "QUIT"));
+    if (abrtflag && oldintr != SIG_IGN)
+	(*oldintr) (SIGINT);
+    signal (SIGINT, oldintr);
+    return (r);
+}
+
+char reply_string[BUFSIZ];	/* last line of previous reply */
+
+int
+getreply (int expecteof)
+{
+    char *p;
+    char *lead_string;
+    int c;
+    struct sigaction sa, osa;
+    char buf[1024];
+
+    sigemptyset (&sa.sa_mask);
+    sa.sa_flags = 0;
+    sa.sa_handler = cmdabort;
+    sigaction (SIGINT, &sa, &osa);
+
+    p = buf;
+
+    while (1) {
+	c = getc (cin);
+	switch (c) {
+	case EOF:
+	    if (expecteof) {
+		sigaction (SIGINT, &osa, NULL);
+		code = 221;
+		return 0;
+	    }
+	    lostpeer (0);
+	    if (verbose) {
+		printf ("421 Service not available, "
+			"remote server has closed connection\n");
+		fflush (stdout);
+	    }
+	    code = 421;
+	    return (4);
+	case IAC:
+	    c = getc (cin);
+	    if (c == WILL || c == WONT)
+		fprintf (cout, "%c%c%c", IAC, DONT, getc (cin));
+	    if (c == DO || c == DONT)
+		fprintf (cout, "%c%c%c", IAC, WONT, getc (cin));
+	    continue;
+	case '\n':
+	    *p++ = '\0';
+	    if(isdigit(buf[0])){
+		sscanf(buf, "%d", &code);
+		if(code == 631){
+		    sec_read_msg(buf, prot_safe);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "S:";
+		} else if(code == 632){
+		    sec_read_msg(buf, prot_private);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "P:";
+		}else if(code == 633){
+		    sec_read_msg(buf, prot_confidential);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "C:";
+		}else if(sec_complete)
+		    lead_string = "!!";
+		else
+		    lead_string = "";
+		if (verbose > 0 || (verbose > -1 && code > 499))
+		    fprintf (stdout, "%s%s\n", lead_string, buf);
+		if (buf[3] == ' ') {
+		    strcpy (reply_string, buf);
+		    if (code >= 200)
+			cpend = 0;
+		    sigaction (SIGINT, &osa, NULL);
+		    if (code == 421)
+			lostpeer (0);
+#if 1
+		    if (abrtflag &&
+			osa.sa_handler != cmdabort &&
+			osa.sa_handler != SIG_IGN)
+			osa.sa_handler (SIGINT);
+#endif
+		    if (code == 227 || code == 229) {
+			char *p, *q;
+
+			pasv[0] = 0;
+			p = strchr (reply_string, '(');
+			if (p) {
+			    p++;
+			    q = strchr(p, ')');
+			    if(q){
+				memcpy (pasv, p, q - p);
+				pasv[q - p] = 0;
+			    }
+			}
+		    }
+		    return code / 100;
+		}
+	    }else{
+		if(verbose > 0 || (verbose > -1 && code > 499)){
+		    if(sec_complete)
+			fprintf(stdout, "!!");
+		    fprintf(stdout, "%s\n", buf);
+		}
+	    }
+	    p = buf;
+	    continue;
+	default:
+	    *p++ = c;
+	}
+    }
+
+}
+
+
+#if 0
+int
+getreply (int expecteof)
+{
+    int c, n;
+    int dig;
+    int originalcode = 0, continuation = 0;
+    sighand oldintr;
+    int pflag = 0;
+    char *cp, *pt = pasv;
+
+    oldintr = signal (SIGINT, cmdabort);
+    for (;;) {
+	dig = n = code = 0;
+	cp = reply_string;
+	while ((c = getc (cin)) != '\n') {
+	    if (c == IAC) {	/* handle telnet commands */
+		switch (c = getc (cin)) {
+		case WILL:
+		case WONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, DONT, c);
+		    fflush (cout);
+		    break;
+		case DO:
+		case DONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, WONT, c);
+		    fflush (cout);
+		    break;
+		default:
+		    break;
+		}
+		continue;
+	    }
+	    dig++;
+	    if (c == EOF) {
+		if (expecteof) {
+		    signal (SIGINT, oldintr);
+		    code = 221;
+		    return (0);
+		}
+		lostpeer (0);
+		if (verbose) {
+		    printf ("421 Service not available, remote server has closed connection\n");
+		    fflush (stdout);
+		}
+		code = 421;
+		return (4);
+	    }
+	    if (c != '\r' && (verbose > 0 ||
+			      (verbose > -1 && n == '5' && dig > 4))) {
+		if (proxflag &&
+		    (dig == 1 || dig == 5 && verbose == 0))
+		    printf ("%s:", hostname);
+		putchar (c);
+	    }
+	    if (dig < 4 && isdigit (c))
+		code = code * 10 + (c - '0');
+	    if (!pflag && code == 227)
+		pflag = 1;
+	    if (dig > 4 && pflag == 1 && isdigit (c))
+		pflag = 2;
+	    if (pflag == 2) {
+		if (c != '\r' && c != ')')
+		    *pt++ = c;
+		else {
+		    *pt = '\0';
+		    pflag = 3;
+		}
+	    }
+	    if (dig == 4 && c == '-') {
+		if (continuation)
+		    code = 0;
+		continuation++;
+	    }
+	    if (n == 0)
+		n = c;
+	    if (cp < &reply_string[sizeof (reply_string) - 1])
+		*cp++ = c;
+	}
+	if (verbose > 0 || verbose > -1 && n == '5') {
+	    putchar (c);
+	    fflush (stdout);
+	}
+	if (continuation && code != originalcode) {
+	    if (originalcode == 0)
+		originalcode = code;
+	    continue;
+	}
+	*cp = '\0';
+	if(sec_complete){
+	    if(code == 631)
+		sec_read_msg(reply_string, prot_safe);
+	    else if(code == 632)
+		sec_read_msg(reply_string, prot_private);
+	    else if(code == 633)
+		sec_read_msg(reply_string, prot_confidential);
+	    n = code / 100 + '0';
+	}
+	if (n != '1')
+	    cpend = 0;
+	signal (SIGINT, oldintr);
+	if (code == 421 || originalcode == 421)
+	    lostpeer (0);
+	if (abrtflag && oldintr != cmdabort && oldintr != SIG_IGN)
+	    (*oldintr) (SIGINT);
+	return (n - '0');
+    }
+}
+
+#endif
+
+int
+empty (fd_set * mask, int sec)
+{
+    struct timeval t;
+
+    t.tv_sec = (long) sec;
+    t.tv_usec = 0;
+    return (select (32, mask, NULL, NULL, &t));
+}
+
+jmp_buf sendabort;
+
+static RETSIGTYPE
+abortsend (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nsend aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (sendabort, 1);
+}
+
+#define HASHBYTES 1024
+
+static int
+copy_stream (FILE * from, FILE * to)
+{
+    static size_t bufsize;
+    static char *buf;
+    int n;
+    int bytes = 0;
+    int werr = 0;
+    int hashbytes = HASHBYTES;
+    struct stat st;
+
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+    void *chunk;
+
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+
+    if (fstat (fileno (from), &st) == 0 && S_ISREG (st.st_mode)) {
+	/*
+	 * mmap zero bytes has potential of loosing, don't do it.
+	 */
+	if (st.st_size == 0)
+	    return 0;
+	chunk = mmap (0, st.st_size, PROT_READ, MAP_SHARED, fileno (from), 0);
+	if (chunk != (void *) MAP_FAILED) {
+	    int res;
+
+	    res = sec_write (fileno (to), chunk, st.st_size);
+	    if (munmap (chunk, st.st_size) < 0)
+		warn ("munmap");
+	    sec_fflush (to);
+	    return res;
+	}
+    }
+#endif
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (from), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	return -1;
+
+    while ((n = read (fileno (from), buf, bufsize)) > 0) {
+	werr = sec_write (fileno (to), buf, n);
+	if (werr < 0)
+	    break;
+	bytes += werr;
+	while (hash && bytes > hashbytes) {
+	    putchar ('#');
+	    hashbytes += HASHBYTES;
+	}
+    }
+    sec_fflush (to);
+    if (n < 0)
+	warn ("local");
+
+    if (werr < 0) {
+	if (errno != EPIPE)
+	    warn ("netout");
+	bytes = -1;
+    }
+    return bytes;
+}
+
+void
+sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
+{
+    struct stat st;
+    struct timeval start, stop;
+    int c, d;
+    FILE *fin, *dout = 0;
+    int (*closefunc) (FILE *);
+    RETSIGTYPE (*oldintr)(), (*oldintp)();
+    long bytes = 0, hashbytes = HASHBYTES;
+    char *rmode = "w";
+
+    if (verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    if (curtype != type)
+	changetype (type, 0);
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+
+    if (setjmp (sendabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortsend);
+    if (strcmp (local, "-") == 0)
+	fin = stdin;
+    else if (*local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fin = popen (local + 1, lmode);
+	if (fin == NULL) {
+	    warn ("%s", local + 1);
+	    signal (SIGINT, oldintr);
+	    signal (SIGPIPE, oldintp);
+	    code = -1;
+	    return;
+	}
+	closefunc = pclose;
+    } else {
+	fin = fopen (local, lmode);
+	if (fin == NULL) {
+	    warn ("local: %s", local);
+	    signal (SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+	closefunc = fclose;
+	if (fstat (fileno (fin), &st) < 0 ||
+	    (st.st_mode & S_IFMT) != S_IFREG) {
+	    fprintf (stdout, "%s: not a plain file.\n", local);
+	    signal (SIGINT, oldintr);
+	    fclose (fin);
+	    code = -1;
+	    return;
+	}
+    }
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	if (closefunc != NULL)
+	    (*closefunc) (fin);
+	return;
+    }
+    if (setjmp (sendabort))
+	goto abort;
+
+    if (restart_point &&
+	(strcmp (cmd, "STOR") == 0 || strcmp (cmd, "APPE") == 0)) {
+	int rc;
+
+	switch (curtype) {
+	case TYPE_A:
+	    rc = fseek (fin, (long) restart_point, SEEK_SET);
+	    break;
+	case TYPE_I:
+	case TYPE_L:
+	    rc = lseek (fileno (fin), restart_point, SEEK_SET);
+	    break;
+	}
+	if (rc < 0) {
+	    warn ("local: %s", local);
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	if (command ("REST %ld", (long) restart_point)
+	    != CONTINUE) {
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	restart_point = 0;
+	rmode = "r+w";
+    }
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    if (oldintp)
+		signal (SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+    } else if (command ("%s", cmd) != PRELIM) {
+	    signal(SIGINT, oldintr);
+	    if (oldintp)
+		signal(SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc)(fin);
+	    return;
+	}
+    dout = dataconn(rmode);
+    if (dout == NULL)
+	goto abort;
+    set_buffer_size (fileno (dout), 0);
+    gettimeofday (&start, (struct timezone *) 0);
+    oldintp = signal (SIGPIPE, SIG_IGN);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	errno = d = c = 0;
+	bytes = copy_stream (fin, dout);
+	break;
+
+    case TYPE_A:
+	while ((c = getc (fin)) != EOF) {
+	    if (c == '\n') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		if (ferror (dout))
+		    break;
+		sec_putc ('\r', dout);
+		bytes++;
+	    }
+	    sec_putc (c, dout);
+	    bytes++;
+	}
+	sec_fflush (dout);
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (fin))
+	    warn ("local: %s", local);
+	if (ferror (dout)) {
+	    if (errno != EPIPE)
+		warn ("netout");
+	    bytes = -1;
+	}
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fin);
+    fclose (dout);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+    return;
+abort:
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (!cpend) {
+	code = -1;
+	return;
+    }
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (dout)
+	fclose (dout);
+    getreply (0);
+    code = -1;
+    if (closefunc != NULL && fin != NULL)
+	(*closefunc) (fin);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+}
+
+jmp_buf recvabort;
+
+void
+abortrecv (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nreceive aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (recvabort, 1);
+}
+
+void
+recvrequest (char *cmd, char *local, char *remote,
+	     char *lmode, int printnames, int local_given)
+{
+    FILE *fout, *din = 0;
+    int (*closefunc) (FILE *);
+    sighand oldintr, oldintp;
+    int c, d, is_retr, tcrflag, bare_lfs = 0;
+    static size_t bufsize;
+    static char *buf;
+    long bytes = 0, hashbytes = HASHBYTES;
+    struct timeval start, stop;
+    struct stat st;
+
+    is_retr = strcmp (cmd, "RETR") == 0;
+    if (is_retr && verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy && is_retr) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+    tcrflag = !crflag && is_retr;
+    if (setjmp (recvabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortrecv);
+    if (!local_given || (strcmp (local, "-") && *local != '|')) {
+	if (access (local, 2) < 0) {
+	    char *dir = strrchr (local, '/');
+
+	    if (errno != ENOENT && errno != EACCES) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (dir != NULL)
+		*dir = 0;
+	    d = access (dir ? local : ".", 2);
+	    if (dir != NULL)
+		*dir = '/';
+	    if (d < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (!runique && errno == EACCES &&
+		chmod (local, 0600) < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (runique && errno == EACCES &&
+		(local = gunique (local)) == NULL) {
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	} else if (runique && (local = gunique (local)) == NULL) {
+	    signal(SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+    }
+    if (!is_retr) {
+	if (curtype != TYPE_A)
+	    changetype (TYPE_A, 0);
+    } else if (curtype != type)
+	changetype (type, 0);
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    if (setjmp (recvabort))
+	goto abort;
+    if (is_retr && restart_point &&
+	command ("REST %ld", (long) restart_point) != CONTINUE)
+	return;
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    } else {
+	if (command ("%s", cmd) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    din = dataconn ("r");
+    if (din == NULL)
+	goto abort;
+    set_buffer_size (fileno (din), 1);
+    if (local_given && strcmp (local, "-") == 0)
+	fout = stdout;
+    else if (local_given && *local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fout = popen (local + 1, "w");
+	if (fout == NULL) {
+	    warn ("%s", local + 1);
+	    goto abort;
+	}
+	closefunc = pclose;
+    } else {
+	fout = fopen (local, lmode);
+	if (fout == NULL) {
+	    warn ("local: %s", local);
+	    goto abort;
+	}
+	closefunc = fclose;
+    }
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (fout), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	goto abort;
+
+    gettimeofday (&start, (struct timezone *) 0);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	if (restart_point &&
+	    lseek (fileno (fout), restart_point, SEEK_SET) < 0) {
+	    warn ("local: %s", local);
+	    if (closefunc != NULL)
+		(*closefunc) (fout);
+	    return;
+	}
+	errno = d = 0;
+	while ((c = sec_read (fileno (din), buf, bufsize)) > 0) {
+	    if ((d = write (fileno (fout), buf, c)) != c)
+		break;
+	    bytes += c;
+	    if (hash) {
+		while (bytes >= hashbytes) {
+		    putchar ('#');
+		    hashbytes += HASHBYTES;
+		}
+		fflush (stdout);
+	    }
+	}
+	if (hash && bytes > 0) {
+	    if (bytes < HASHBYTES)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (c < 0) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (d < c) {
+	    if (d < 0)
+		warn ("local: %s", local);
+	    else
+		warnx ("%s: short write", local);
+	}
+	break;
+
+    case TYPE_A:
+	if (restart_point) {
+	    int i, n, ch;
+
+	    if (fseek (fout, 0L, SEEK_SET) < 0)
+		goto done;
+	    n = restart_point;
+	    for (i = 0; i++ < n;) {
+		if ((ch = sec_getc (fout)) == EOF)
+		    goto done;
+		if (ch == '\n')
+		    i++;
+	    }
+	    if (fseek (fout, 0L, SEEK_CUR) < 0) {
+	done:
+		warn ("local: %s", local);
+		if (closefunc != NULL)
+		    (*closefunc) (fout);
+		return;
+	    }
+	}
+	while ((c = sec_getc(din)) != EOF) {
+	    if (c == '\n')
+		bare_lfs++;
+	    while (c == '\r') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		bytes++;
+		if ((c = sec_getc (din)) != '\n' || tcrflag) {
+		    if (ferror (fout))
+			goto break2;
+		    putc ('\r', fout);
+		    if (c == '\0') {
+			bytes++;
+			goto contin2;
+		    }
+		    if (c == EOF)
+			goto contin2;
+		}
+	    }
+	    putc (c, fout);
+	    bytes++;
+    contin2:;
+	}
+break2:
+	if (bare_lfs) {
+	    printf ("WARNING! %d bare linefeeds received in ASCII mode\n",
+		    bare_lfs);
+	    printf ("File may not have transferred correctly.\n");
+	}
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (din)) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (ferror (fout))
+	    warn ("local: %s", local);
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fout);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    if (bytes > 0 && is_retr)
+	ptransfer ("received", bytes, &start, &stop);
+    return;
+abort:
+
+    /* abort using RFC959 recommended IP,SYNC sequence  */
+
+    if (oldintp)
+	signal (SIGPIPE, oldintr);
+    signal (SIGINT, SIG_IGN);
+    if (!cpend) {
+	code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    abort_remote(din);
+    code = -1;
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (closefunc != NULL && fout != NULL)
+	(*closefunc) (fout);
+    if (din)
+	fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("received", bytes, &start, &stop);
+    signal (SIGINT, oldintr);
+}
+
+static int
+parse_epsv (const char *str)
+{
+    char sep;
+    char *end;
+    int port;
+
+    if (*str == '\0')
+	return -1;
+    sep = *str++;
+    if (sep != *str++)
+	return -1;
+    if (sep != *str++)
+	return -1;
+    port = strtol (str, &end, 0);
+    if (str == end)
+	return -1;
+    if (end[0] != sep || end[1] != '\0')
+	return -1;
+    return htons(port);
+}
+
+static int
+parse_pasv (struct sockaddr_in *sin, const char *str)
+{
+    int a0, a1, a2, a3, p0, p1;
+
+    /*
+     * What we've got at this point is a string of comma separated
+     * one-byte unsigned integer values. The first four are the an IP
+     * address. The fifth is the MSB of the port number, the sixth is the
+     * LSB. From that we'll prepare a sockaddr_in.
+     */
+
+    if (sscanf (str, "%d,%d,%d,%d,%d,%d",
+		&a0, &a1, &a2, &a3, &p0, &p1) != 6) {
+	printf ("Passive mode address scan failure. "
+		"Shouldn't happen!\n");
+	return -1;
+    }
+    if (a0 < 0 || a0 > 255 ||
+	a1 < 0 || a1 > 255 ||
+	a2 < 0 || a2 > 255 ||
+	a3 < 0 || a3 > 255 ||
+	p0 < 0 || p0 > 255 ||
+	p1 < 0 || p1 > 255) {
+	printf ("Can't parse passive mode string.\n");
+	return -1;
+    }
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family      = AF_INET;
+    sin->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
+				  (a2 << 8) | a3);
+    sin->sin_port = htons ((p0 << 8) | p1);
+    return 0;
+}
+
+static int
+passive_mode (void)
+{
+    int port;
+
+    data = socket (myctladdr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	return (1);
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    if (command ("EPSV") != COMPLETE) {
+	if (command ("PASV") != COMPLETE) {
+	    printf ("Passive mode refused.\n");
+	    goto bad;
+	}
+    }
+
+    /*
+     * Parse the reply to EPSV or PASV
+     */
+
+    port = parse_epsv (pasv);
+    if (port > 0) {
+	data_addr->sa_family = myctladdr->sa_family;
+	socket_set_address_and_port (data_addr,
+				     socket_get_address (hisctladdr),
+				     port);
+    } else {
+	if (parse_pasv ((struct sockaddr_in *)data_addr, pasv) < 0)
+	    goto bad;
+    }
+
+    if (connect (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("connect");
+	goto bad;
+    }
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    sendport = 1;
+    return (1);
+}
+
+
+static int
+active_mode (void)
+{
+    int tmpno = 0;
+    int len;
+    int result;
+
+noport:
+    data_addr->sa_family = myctladdr->sa_family;
+    socket_set_address_and_port (data_addr, socket_get_address (myctladdr),
+				 sendport ? 0 : socket_get_port (myctladdr));
+
+    if (data != -1)
+	close (data);
+    data = socket (data_addr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	if (tmpno)
+	    sendport = 1;
+	return (1);
+    }
+    if (!sendport)
+	socket_set_reuseaddr (data, 1);
+    if (bind (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("bind");
+	goto bad;
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    len = sizeof (data_addr_ss);
+    if (getsockname (data, data_addr, &len) < 0) {
+	warn ("getsockname");
+	goto bad;
+    }
+    if (listen (data, 1) < 0)
+	warn ("listen");
+    if (sendport) {
+	char *cmd;
+	char addr_str[256];
+	int inet_af;
+	int overbose;
+
+	if (inet_ntop (data_addr->sa_family, socket_get_address (data_addr),
+		       addr_str, sizeof(addr_str)) == NULL)
+	    errx (1, "inet_ntop failed");
+	switch (data_addr->sa_family) {
+	case AF_INET :
+	    inet_af = 1;
+	    break;
+#ifdef HAVE_IPV6
+	case AF_INET6 :
+	    inet_af = 2;
+	    break;
+#endif
+	default :
+	    errx (1, "bad address family %d", data_addr->sa_family);
+	}
+
+	asprintf (&cmd, "EPRT |%d|%s|%d|",
+		  inet_af, addr_str, ntohs(socket_get_port (data_addr)));
+
+	overbose = verbose;
+	if (debug == 0)
+	    verbose  = -1;
+
+	result = command (cmd);
+
+	verbose = overbose;
+
+	if (result == ERROR) {
+	    struct sockaddr_in *sin = (struct sockaddr_in *)data_addr;
+
+	    unsigned int a = ntohl(sin->sin_addr.s_addr);
+	    unsigned int p = ntohs(sin->sin_port);
+
+	    if (data_addr->sa_family != AF_INET) {
+		warnx ("remote server doesn't support EPRT");
+		goto bad;
+	    }
+
+	    result = command("PORT %d,%d,%d,%d,%d,%d", 
+			     (a >> 24) & 0xff,
+			     (a >> 16) & 0xff,
+			     (a >> 8) & 0xff,
+			     a & 0xff,
+			     (p >> 8) & 0xff,
+			     p & 0xff);
+	    if (result == ERROR && sendport == -1) {
+		sendport = 0;
+		tmpno = 1;
+		goto noport;
+	    }
+	    return (result != COMPLETE);
+	}
+	return result != COMPLETE;
+    }
+    if (tmpno)
+	sendport = 1;
+
+
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    if (tmpno)
+	sendport = 1;
+    return (1);
+}
+
+/*
+ * Need to start a listen on the data channel before we send the command,
+ * otherwise the server's connect may fail.
+ */
+int
+initconn (void)
+{
+    if (passivemode) 
+	return passive_mode ();
+    else
+	return active_mode ();
+}
+
+FILE *
+dataconn (const char *lmode)
+{
+    struct sockaddr_storage from_ss;
+    struct sockaddr *from = (struct sockaddr *)&from_ss;
+    int s, fromlen = sizeof (from_ss);
+
+    if (passivemode)
+	return (fdopen (data, lmode));
+
+    s = accept (data, from, &fromlen);
+    if (s < 0) {
+	warn ("accept");
+	close (data), data = -1;
+	return (NULL);
+    }
+    close (data);
+    data = s;
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+    return (fdopen (data, lmode));
+}
+
+void
+ptransfer (char *direction, long int bytes,
+	   struct timeval * t0, struct timeval * t1)
+{
+    struct timeval td;
+    float s;
+    float bs;
+    int prec;
+    char *unit;
+
+    if (verbose) {
+	td.tv_sec = t1->tv_sec - t0->tv_sec;
+	td.tv_usec = t1->tv_usec - t0->tv_usec;
+	if (td.tv_usec < 0) {
+	    td.tv_sec--;
+	    td.tv_usec += 1000000;
+	}
+	s = td.tv_sec + (td.tv_usec / 1000000.);
+	bs = bytes / (s ? s : 1);
+	if (bs >= 1048576) {
+	    bs /= 1048576;
+	    unit = "M";
+	    prec = 2;
+	} else if (bs >= 1024) {
+	    bs /= 1024;
+	    unit = "k";
+	    prec = 1;
+	} else {
+	    unit = "";
+	    prec = 0;
+	}
+
+	printf ("%ld bytes %s in %.3g seconds (%.*f %sbyte/s)\n",
+		bytes, direction, s, prec, bs, unit);
+    }
+}
+
+void
+psabort (int sig)
+{
+
+    abrtflag++;
+}
+
+void
+pswitch (int flag)
+{
+    sighand oldintr;
+    static struct comvars {
+	int connect;
+	char name[MaxHostNameLen];
+	struct sockaddr_storage mctl;
+	struct sockaddr_storage hctl;
+	FILE *in;
+	FILE *out;
+	int tpe;
+	int curtpe;
+	int cpnd;
+	int sunqe;
+	int runqe;
+	int mcse;
+	int ntflg;
+	char nti[17];
+	char nto[17];
+	int mapflg;
+	char mi[MaxPathLen];
+	char mo[MaxPathLen];
+    } proxstruct, tmpstruct;
+    struct comvars *ip, *op;
+
+    abrtflag = 0;
+    oldintr = signal (SIGINT, psabort);
+    if (flag) {
+	if (proxy)
+	    return;
+	ip = &tmpstruct;
+	op = &proxstruct;
+	proxy++;
+    } else {
+	if (!proxy)
+	    return;
+	ip = &proxstruct;
+	op = &tmpstruct;
+	proxy = 0;
+    }
+    ip->connect = connected;
+    connected = op->connect;
+    if (hostname) {
+	strlcpy (ip->name, hostname, sizeof (ip->name));
+    } else
+	ip->name[0] = 0;
+    hostname = op->name;
+    ip->hctl = hisctladdr_ss;
+    hisctladdr_ss = op->hctl;
+    ip->mctl = myctladdr_ss;
+    myctladdr_ss = op->mctl;
+    ip->in = cin;
+    cin = op->in;
+    ip->out = cout;
+    cout = op->out;
+    ip->tpe = type;
+    type = op->tpe;
+    ip->curtpe = curtype;
+    curtype = op->curtpe;
+    ip->cpnd = cpend;
+    cpend = op->cpnd;
+    ip->sunqe = sunique;
+    sunique = op->sunqe;
+    ip->runqe = runique;
+    runique = op->runqe;
+    ip->mcse = mcase;
+    mcase = op->mcse;
+    ip->ntflg = ntflag;
+    ntflag = op->ntflg;
+    strlcpy (ip->nti, ntin, sizeof (ip->nti));
+    strlcpy (ntin, op->nti, 17);
+    strlcpy (ip->nto, ntout, sizeof (ip->nto));
+    strlcpy (ntout, op->nto, 17);
+    ip->mapflg = mapflag;
+    mapflag = op->mapflg;
+    strlcpy (ip->mi, mapin, MaxPathLen);
+    strlcpy (mapin, op->mi, MaxPathLen);
+    strlcpy (ip->mo, mapout, MaxPathLen);
+    strlcpy (mapout, op->mo, MaxPathLen);
+    signal(SIGINT, oldintr);
+    if (abrtflag) {
+	abrtflag = 0;
+	(*oldintr) (SIGINT);
+    }
+}
+
+void
+abortpt (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    ptabflg++;
+    mflag = 0;
+    abrtflag = 0;
+    longjmp (ptabort, 1);
+}
+
+void
+proxtrans (char *cmd, char *local, char *remote)
+{
+    sighand oldintr;
+    int secndflag = 0, prox_type, nfnd;
+    char *cmd2;
+    fd_set mask;
+
+    if (strcmp (cmd, "RETR"))
+	cmd2 = "RETR";
+    else
+	cmd2 = runique ? "STOU" : "STOR";
+    if ((prox_type = type) == 0) {
+	if (unix_server && unix_proxy)
+	    prox_type = TYPE_I;
+	else
+	    prox_type = TYPE_A;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PASV") != COMPLETE) {
+	printf ("proxy server does not support third party transfers.\n");
+	return;
+    }
+    pswitch (0);
+    if (!connected) {
+	printf ("No primary connection\n");
+	pswitch (1);
+	code = -1;
+	return;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PORT %s", pasv) != COMPLETE) {
+	pswitch (1);
+	return;
+    }
+    if (setjmp (ptabort))
+	goto abort;
+    oldintr = signal (SIGINT, abortpt);
+    if (command ("%s %s", cmd, remote) != PRELIM) {
+	signal (SIGINT, oldintr);
+	pswitch (1);
+	return;
+    }
+    sleep (2);
+    pswitch (1);
+    secndflag++;
+    if (command ("%s %s", cmd2, local) != PRELIM)
+	goto abort;
+    ptflag++;
+    getreply (0);
+    pswitch (0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    pswitch (1);
+    ptflag = 0;
+    printf ("local: %s remote: %s\n", local, remote);
+    return;
+abort:
+    signal (SIGINT, SIG_IGN);
+    ptflag = 0;
+    if (strcmp (cmd, "RETR") && !proxy)
+	pswitch (1);
+    else if (!strcmp (cmd, "RETR") && proxy)
+	pswitch (0);
+    if (!cpend && !secndflag) {	/* only here if cmd = "STOR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	}
+	pswitch (1);
+	if (ptabflg)
+	    code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (!cpend && !secndflag) {	/* only if cmd = "RETR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	    pswitch (1);
+	    if (ptabflg)
+		code = -1;
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (cpend) {
+	FD_ZERO (&mask);
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 10)) <= 0) {
+	    if (nfnd < 0) {
+		warn ("abort");
+	    }
+	    if (ptabflg)
+		code = -1;
+	    lostpeer (0);
+	}
+	getreply (0);
+	getreply (0);
+    }
+    if (proxy)
+	pswitch (0);
+    pswitch (1);
+    if (ptabflg)
+	code = -1;
+    signal (SIGINT, oldintr);
+}
+
+void
+reset (int argc, char **argv)
+{
+    fd_set mask;
+    int nfnd = 1;
+
+    FD_ZERO (&mask);
+    while (nfnd > 0) {
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 0)) < 0) {
+	    warn ("reset");
+	    code = -1;
+	    lostpeer(0);
+	} else if (nfnd) {
+	    getreply(0);
+	}
+    }
+}
+
+char *
+gunique (char *local)
+{
+    static char new[MaxPathLen];
+    char *cp = strrchr (local, '/');
+    int d, count = 0;
+    char ext = '1';
+
+    if (cp)
+	*cp = '\0';
+    d = access (cp ? local : ".", 2);
+    if (cp)
+	*cp = '/';
+    if (d < 0) {
+	warn ("local: %s", local);
+	return NULL;
+    }
+    strlcpy (new, local, sizeof(new));
+    cp = new + strlen(new);
+    *cp++ = '.';
+    while (!d) {
+	if (++count == 100) {
+	    printf ("runique: can't find unique file name.\n");
+	    return NULL;
+	}
+	*cp++ = ext;
+	*cp = '\0';
+	if (ext == '9')
+	    ext = '0';
+	else
+	    ext++;
+	if ((d = access (new, 0)) < 0)
+	    break;
+	if (ext != '0')
+	    cp--;
+	else if (*(cp - 2) == '.')
+	    *(cp - 1) = '1';
+	else {
+	    *(cp - 2) = *(cp - 2) + 1;
+	    cp--;
+	}
+    }
+    return (new);
+}
+
+void
+abort_remote (FILE * din)
+{
+    char buf[BUFSIZ];
+    int nfnd;
+    fd_set mask;
+
+    /*
+     * send IAC in urgent mode instead of DM because 4.3BSD places oob mark
+     * after urgent byte rather than before as is protocol now
+     */
+    snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC);
+    if (send (fileno (cout), buf, 3, MSG_OOB) != 3)
+	warn ("abort");
+    fprintf (cout, "%cABOR\r\n", DM);
+    fflush (cout);
+    FD_ZERO (&mask);
+    FD_SET (fileno (cin), &mask);
+    if (din) {
+	FD_SET (fileno (din), &mask);
+    }
+    if ((nfnd = empty (&mask, 10)) <= 0) {
+	if (nfnd < 0) {
+	    warn ("abort");
+	}
+	if (ptabflg)
+	    code = -1;
+	lostpeer (0);
+    }
+    if (din && FD_ISSET (fileno (din), &mask)) {
+	while (read (fileno (din), buf, BUFSIZ) > 0)
+	     /* LOOP */ ;
+    }
+    if (getreply (0) == ERROR && code == 552) {
+	/* 552 needed for nic style abort */
+	getreply (0);
+    }
+    getreply (0);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h
new file mode 100644
index 0000000..c0d6cae
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: ftp_locl.h,v 1.34 1999/12/02 16:58:29 joda Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __FTP_LOCL_H__
+#define __FTP_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_ARPA_FTP_H
+#include <arpa/ftp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+#include <glob.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+
+#endif
+
+#include "ftp_var.h"
+#include "extern.h"
+#include "common.h"
+#include "pathnames.h"
+
+#include "roken.h"
+#include "security.h"
+#include <openssl/des.h> /* for des_read_pw_string */
+
+#if defined(__sun__) && !defined(__svr4)
+int fclose(FILE*);
+int pclose(FILE*);
+#endif
+
+#endif /* __FTP_LOCL_H__ */
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_var.h b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
new file mode 100644
index 0000000..ffac59a
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftp_var.h	8.4 (Berkeley) 10/9/94
+ */
+
+/*
+ * FTP global variables.
+ */
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <setjmp.h>
+
+/*
+ * Options and other state info.
+ */
+extern int	trace;			/* trace packets exchanged */
+extern int	hash;			/* print # for each buffer transferred */
+extern int	sendport;		/* use PORT cmd for each data connection */
+extern int	verbose;		/* print messages coming back from server */
+extern int	connected;		/* connected to server */
+extern int	fromatty;		/* input is from a terminal */
+extern int	interactive;		/* interactively prompt on m* cmds */
+extern int	debug;			/* debugging level */
+extern int	bell;			/* ring bell on cmd completion */
+extern int	doglob;			/* glob local file names */
+extern int	autologin;		/* establish user account on connection */
+extern int	proxy;			/* proxy server connection active */
+extern int	proxflag;		/* proxy connection exists */
+extern int	sunique;		/* store files on server with unique name */
+extern int	runique;		/* store local files with unique name */
+extern int	mcase;			/* map upper to lower case for mget names */
+extern int	ntflag;			/* use ntin ntout tables for name translation */
+extern int	mapflag;		/* use mapin mapout templates on file names */
+extern int	code;			/* return/reply code for ftp command */
+extern int	crflag;			/* if 1, strip car. rets. on ascii gets */
+extern char	pasv[64];		/* passive port for proxy data connection */
+extern int	passivemode;		/* passive mode enabled */
+extern char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+extern char	ntin[17];		/* input translation table */
+extern char	ntout[17];		/* output translation table */
+extern char	mapin[MaxPathLen];	/* input map template */
+extern char	mapout[MaxPathLen];	/* output map template */
+extern char	typename[32];		/* name of file transfer type */
+extern int	type;			/* requested file transfer type */
+extern int	curtype;		/* current file transfer type */
+extern char	structname[32];		/* name of file transfer structure */
+extern int	stru;			/* file transfer structure */
+extern char	formname[32];		/* name of file transfer format */
+extern int	form;			/* file transfer format */
+extern char	modename[32];		/* name of file transfer mode */
+extern int	mode;			/* file transfer mode */
+extern char	bytename[32];		/* local byte size in ascii */
+extern int	bytesize;		/* local byte size in binary */
+
+extern char	*hostname;		/* name of host connected to */
+extern int	unix_server;		/* server is unix, can use binary for ascii */
+extern int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+extern jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+extern char	line[200];		/* input line buffer */
+extern char	*stringbase;		/* current scan point in line buffer */
+extern char	argbuf[200];		/* argument storage buffer */
+extern char	*argbase;		/* current storage point in arg buffer */
+extern int	margc;			/* count of arguments on input line */
+extern char	**margv;		/* args parsed from input line */
+extern int	margvlen;		/* how large margv is currently */
+extern int     cpend;                  /* flag: if != 0, then pending server reply */
+extern int	mflag;			/* flag: if != 0, then active multi command */
+
+extern int	options;		/* used during socket creation */
+
+/*
+ * Format of command table.
+ */
+struct cmd {
+	char	*c_name;	/* name of command */
+	char	*c_help;	/* help string */
+	char	c_bell;		/* give bell when command completes */
+	char	c_conn;		/* must be connected to use command */
+	char	c_proxy;	/* proxy server may execute */
+	void	(*c_handler) (int, char **); /* function to call */
+};
+
+struct macel {
+	char mac_name[9];	/* macro name */
+	char *mac_start;	/* start of macro in macbuf */
+	char *mac_end;		/* end of macro in macbuf */
+};
+
+extern int macnum;			/* number of defined macros */
+extern struct macel macros[16];
+extern char macbuf[4096];
+
+
diff --git a/crypto/heimdal/appl/ftp/ftp/globals.c b/crypto/heimdal/appl/ftp/ftp/globals.c
new file mode 100644
index 0000000..7199e65
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/globals.c
@@ -0,0 +1,76 @@
+#include "ftp_locl.h"
+RCSID("$Id: globals.c,v 1.6 1996/08/26 22:46:26 assar Exp $");
+
+/*
+ * Options and other state info.
+ */
+int	trace;			/* trace packets exchanged */
+int	hash;			/* print # for each buffer transferred */
+int	sendport;		/* use PORT cmd for each data connection */
+int	verbose;		/* print messages coming back from server */
+int	connected;		/* connected to server */
+int	fromatty;		/* input is from a terminal */
+int	interactive;		/* interactively prompt on m* cmds */
+int	debug;			/* debugging level */
+int	bell;			/* ring bell on cmd completion */
+int	doglob;			/* glob local file names */
+int	autologin;		/* establish user account on connection */
+int	proxy;			/* proxy server connection active */
+int	proxflag;		/* proxy connection exists */
+int	sunique;		/* store files on server with unique name */
+int	runique;		/* store local files with unique name */
+int	mcase;			/* map upper to lower case for mget names */
+int	ntflag;			/* use ntin ntout tables for name translation */
+int	mapflag;		/* use mapin mapout templates on file names */
+int	code;			/* return/reply code for ftp command */
+int	crflag;			/* if 1, strip car. rets. on ascii gets */
+char	pasv[64];		/* passive port for proxy data connection */
+int	passivemode;		/* passive mode enabled */
+char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+char	ntin[17];		/* input translation table */
+char	ntout[17];		/* output translation table */
+char	mapin[MaxPathLen];	/* input map template */
+char	mapout[MaxPathLen];	/* output map template */
+char	typename[32];		/* name of file transfer type */
+int	type;			/* requested file transfer type */
+int	curtype;		/* current file transfer type */
+char	structname[32];		/* name of file transfer structure */
+int	stru;			/* file transfer structure */
+char	formname[32];		/* name of file transfer format */
+int	form;			/* file transfer format */
+char	modename[32];		/* name of file transfer mode */
+int	mode;			/* file transfer mode */
+char	bytename[32];		/* local byte size in ascii */
+int	bytesize;		/* local byte size in binary */
+
+char	*hostname;		/* name of host connected to */
+int	unix_server;		/* server is unix, can use binary for ascii */
+int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+char	line[200];		/* input line buffer */
+char	*stringbase;		/* current scan point in line buffer */
+char	argbuf[200];		/* argument storage buffer */
+char	*argbase;		/* current storage point in arg buffer */
+int	margc;			/* count of arguments on input line */
+char	**margv;		/* args parsed from input line */
+int	margvlen;		/* how large margv is currently */
+int     cpend;                  /* flag: if != 0, then pending server reply */
+int	mflag;			/* flag: if != 0, then active multi command */
+
+int	options;		/* used during socket creation */
+
+/*
+ * Format of command table.
+ */
+
+int macnum;			/* number of defined macros */
+struct macel macros[16];
+char macbuf[4096];
+
+char username[32];
+
+/* these are set in ruserpass */
+char myhostname[MaxHostNameLen];
+char *mydomain;
diff --git a/crypto/heimdal/appl/ftp/ftp/gssapi.c b/crypto/heimdal/appl/ftp/ftp/gssapi.c
new file mode 100644
index 0000000..d06b5d6
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/gssapi.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <gssapi.h>
+
+RCSID("$Id: gssapi.c,v 1.13 1999/12/02 16:58:29 joda Exp $");
+
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+};
+
+static int
+gss_init(void *app_data)
+{
+    struct gss_data *d = app_data;
+    d->context_hdl = GSS_C_NO_CONTEXT;
+    return 0;
+}
+
+static int
+gss_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+gss_decode(void *app_data, void *buf, int len, int level)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    gss_qop_t qop_state;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = len;
+    input.value = buf;
+    maj_stat = gss_unwrap (&min_stat,
+			   d->context_hdl,
+			   &input,
+			   &output,
+			   &conf_state,
+			   &qop_state);
+    if(GSS_ERROR(maj_stat))
+	return -1;
+    memmove(buf, output.value, output.length);
+    return output.length;
+}
+
+static int
+gss_overhead(void *app_data, int level, int len)
+{
+    return 100; /* dunno? */
+}
+
+
+static int
+gss_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = length;
+    input.value = from;
+    maj_stat = gss_wrap (&min_stat,
+			 d->context_hdl,
+			 level == prot_private,
+			 GSS_C_QOP_DEFAULT,
+			 &input,
+			 &conf_state,
+			 &output);
+    *to = output.value;
+    return output.length;
+}
+
+static void
+sockaddr_to_gss_address (const struct sockaddr *sa,
+			 OM_uint32 *addr_type,
+			 gss_buffer_desc *gss_addr)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	gss_addr->length = 16;
+	gss_addr->value  = &sin6->sin6_addr;
+	*addr_type       = GSS_C_AF_INET6;
+	break;
+    }
+#endif
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	gss_addr->length = 4;
+	gss_addr->value  = &sin->sin_addr;
+	*addr_type       = GSS_C_AF_INET;
+	break;
+    }
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	
+    }
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+static int
+gss_adat(void *app_data, void *buf, size_t len)
+{
+    char *p = NULL;
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    struct gss_data *d = app_data;
+
+    gss_channel_bindings_t bindings = malloc(sizeof(*bindings));
+    sockaddr_to_gss_address (his_addr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (ctrl_addr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    input_token.value = buf;
+    input_token.length = len;
+    
+    maj_stat = gss_accept_sec_context (&min_stat,
+				       &d->context_hdl,
+				       GSS_C_NO_CREDENTIAL,
+				       &input_token,
+				       bindings,
+				       &client_name,
+				       NULL,
+				       &output_token,
+				       NULL,
+				       NULL,
+				       NULL);
+
+    if(output_token.length) {
+	if(base64_encode(output_token.value, output_token.length, &p) < 0) {
+	    reply(535, "Out of memory base64-encoding.");
+	    return -1;
+	}
+    }
+    if(maj_stat == GSS_S_COMPLETE){
+	char *name;
+	gss_buffer_desc export_name;
+	maj_stat = gss_export_name(&min_stat, client_name, &export_name);
+	if(maj_stat != 0) {
+	    reply(500, "Error exporting name");
+	    goto out;
+	}
+	name = realloc(export_name.value, export_name.length + 1);
+	if(name == NULL) {
+	    reply(500, "Out of memory");
+	    free(export_name.value);
+	    goto out;
+	}
+	name[export_name.length] = '\0';
+	d->client_name = name;
+	if(p)
+	    reply(235, "ADAT=%s", p);
+	else
+	    reply(235, "ADAT Complete");
+	sec_complete = 1;
+
+    } else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
+	if(p)
+	    reply(335, "ADAT=%s", p);
+	else
+	    reply(335, "OK, need more data");
+    } else
+	reply(535, "foo?");
+out:
+    free(p);
+    return 0;
+}
+
+int gss_userok(void*, char*);
+
+struct sec_server_mech gss_server_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init, /* init */
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+    /* */
+    NULL,
+    gss_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    gss_userok
+};
+
+#else /* FTP_SERVER */
+
+extern struct sockaddr *hisctladdr, *myctladdr;
+
+static int
+gss_auth(void *app_data, char *host)
+{
+    
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name;
+    gss_name_t target_name;
+    gss_buffer_desc input, output_token;
+    int context_established = 0;
+    char *p;
+    int n;
+    gss_channel_bindings_t bindings;
+    struct gss_data *d = app_data;
+	    
+    name.length = asprintf((char**)&name.value, "ftp@%s", host);
+    maj_stat = gss_import_name(&min_stat,
+			       &name,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       &target_name);
+    if (GSS_ERROR(maj_stat)) {
+	OM_uint32 new_stat;
+	OM_uint32 msg_ctx = 0;
+	gss_buffer_desc status_string;
+	    
+	gss_display_status(&new_stat,
+			   min_stat,
+			   GSS_C_MECH_CODE,
+			   GSS_C_NO_OID,
+			   &msg_ctx,
+			   &status_string);
+	printf("Error importing name %s: %s\n", 
+	       (char *)name.value,
+	       (char *)status_string.value);
+	gss_release_buffer(&new_stat, &status_string);
+	return AUTH_ERROR;
+    }
+    free(name.value);
+    
+
+    input.length = 0;
+    input.value = NULL;
+
+    bindings = malloc(sizeof(*bindings));
+
+    sockaddr_to_gss_address (myctladdr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (hisctladdr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    while(!context_established) {
+	maj_stat = gss_init_sec_context(&min_stat,
+					GSS_C_NO_CREDENTIAL,
+					&d->context_hdl,
+					target_name,
+					GSS_C_NO_OID,
+					GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+					0,
+					bindings,
+					&input,
+					NULL,
+					&output_token,
+					NULL,
+					NULL);
+	if (GSS_ERROR(maj_stat)) {
+	    OM_uint32 new_stat;
+	    OM_uint32 msg_ctx = 0;
+	    gss_buffer_desc status_string;
+	    
+	    gss_display_status(&new_stat,
+			       min_stat,
+			       GSS_C_MECH_CODE,
+			       GSS_C_NO_OID,
+			       &msg_ctx,
+			       &status_string);
+	    printf("Error initializing security context: %s\n", 
+		   (char*)status_string.value);
+	    gss_release_buffer(&new_stat, &status_string);
+	    return AUTH_CONTINUE;
+	}
+
+	gss_release_buffer(&min_stat, &input);
+	if (output_token.length != 0) {
+	    base64_encode(output_token.value, output_token.length, &p);
+	    gss_release_buffer(&min_stat, &output_token);
+	    n = command("ADAT %s", p);
+	    free(p);
+	}
+	if (GSS_ERROR(maj_stat)) {
+	    if (d->context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&d->context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    p = strstr(reply_string, "ADAT=");
+	    if(p == NULL){
+		printf("Error: expected ADAT in reply.\n");
+		return AUTH_ERROR;
+	    } else {
+		p+=5;
+		input.value = malloc(strlen(p));
+		input.length = base64_decode(p, input.value);
+	    }
+	} else {
+	    if(code != 235) {
+		printf("Unrecognized response code: %d\n", code);
+		return AUTH_ERROR;
+	    }
+	    context_established = 1;
+	}
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech gss_client_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init,
+    gss_auth,
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftp/kauth.c b/crypto/heimdal/appl/ftp/ftp/kauth.c
new file mode 100644
index 0000000..613593a
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/kauth.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+#include <krb.h>
+RCSID("$Id: kauth.c,v 1.20 1999/12/02 16:58:29 joda Exp $");
+
+void
+kauth(int argc, char **argv)
+{
+    int ret;
+    char buf[1024];
+    des_cblock key;
+    des_key_schedule schedule;
+    KTEXT_ST tkt, tktcopy;
+    char *name;
+    char *p;
+    int overbose;
+    char passwd[100];
+    int tmp;
+	
+    int save;
+
+    if(argc > 2){
+	printf("usage: %s [principal]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	name = argv[1];
+    else
+	name = username;
+
+    overbose = verbose;
+    verbose = 0;
+
+    save = set_command_prot(prot_private);
+    ret = command("SITE KAUTH %s", name);
+    if(ret != CONTINUE){
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    verbose = overbose;
+    p = strstr(reply_string, "T=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    p += 2;
+    tmp = base64_decode(p, &tkt.dat);
+    if(tmp < 0){
+	printf("Failed to decode base64 in reply.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    tkt.length = tmp;
+    tktcopy.length = tkt.length;
+    
+    p = strstr(reply_string, "P=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    name = p + 2;
+    for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
+    *p = 0;
+    
+    snprintf(buf, sizeof(buf), "Password for %s:", name);
+    if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
+        *passwd = '\0';
+    des_string_to_key (passwd, &key);
+
+    des_key_sched(&key, schedule);
+    
+    des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+		     tkt.length,
+		     schedule, &key, DES_DECRYPT);
+    if (strcmp ((char*)tktcopy.dat + 8,
+		KRB_TICKET_GRANTING_TICKET) != 0) {
+        afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
+	des_key_sched (&key, schedule);
+	des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+			 tkt.length,
+			 schedule, &key, DES_DECRYPT);
+    }
+    memset(key, 0, sizeof(key));
+    memset(schedule, 0, sizeof(schedule));
+    memset(passwd, 0, sizeof(passwd));
+    if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    memset (tktcopy.dat, 0, tktcopy.length);
+    ret = command("SITE KAUTH %s %s", name, p);
+    free(p);
+    set_command_prot(save);
+    if(ret != COMPLETE){
+	code = -1;
+	return;
+    }
+    code = 0;
+}
+
+void
+klist(int argc, char **argv)
+{
+    int ret;
+    if(argc != 1){
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    
+    ret = command("SITE KLIST");
+    code = (ret == COMPLETE);
+}
+
+void
+kdestroy(int argc, char **argv)
+{
+    int ret;
+    if (argc != 1) {
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KDESTROY");
+    code = (ret == COMPLETE);
+}
+
+void
+krbtkfile(int argc, char **argv)
+{
+    int ret;
+    if(argc != 2) {
+	printf("usage: %s tktfile\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KRBTKFILE %s", argv[1]);
+    code = (ret == COMPLETE);
+}
+
+void
+afslog(int argc, char **argv)
+{
+    int ret;
+    if(argc > 2) {
+	printf("usage: %s [cell]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	ret = command("SITE AFSLOG %s", argv[1]);
+    else
+	ret = command("SITE AFSLOG");
+    code = (ret == COMPLETE);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/krb4.c b/crypto/heimdal/appl/ftp/ftp/krb4.c
new file mode 100644
index 0000000..c89ba95
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/krb4.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <krb.h>
+
+RCSID("$Id: krb4.c,v 1.37 1999/12/06 17:10:13 assar Exp $");
+
+#ifdef FTP_SERVER
+#define LOCAL_ADDR ctrl_addr
+#define REMOTE_ADDR his_addr
+#else
+#define LOCAL_ADDR myctladdr
+#define REMOTE_ADDR hisctladdr
+#endif
+
+extern struct sockaddr *LOCAL_ADDR, *REMOTE_ADDR;
+
+struct krb4_data {
+    des_cblock key;
+    des_key_schedule schedule;
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+};
+
+static int
+krb4_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+krb4_decode(void *app_data, void *buf, int len, int level)
+{
+    MSG_DAT m;
+    int e;
+    struct krb4_data *d = app_data;
+    
+    if(level == prot_safe)
+	e = krb_rd_safe(buf, len, &d->key,
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    else
+	e = krb_rd_priv(buf, len, d->schedule, &d->key, 
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    if(e){
+	syslog(LOG_ERR, "krb4_decode: %s", krb_get_err_text(e));
+	return -1;
+    }
+    memmove(buf, m.app_data, m.app_length);
+    return m.app_length;
+}
+
+static int
+krb4_overhead(void *app_data, int level, int len)
+{
+    return 31;
+}
+
+static int
+krb4_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    struct krb4_data *d = app_data;
+    *to = malloc(length + 31);
+    if(level == prot_safe)
+	return krb_mk_safe(from, *to, length, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else if(level == prot_private)
+	return krb_mk_priv(from, *to, length, d->schedule, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else
+	return -1;
+}
+
+#ifdef FTP_SERVER
+
+static int
+krb4_adat(void *app_data, void *buf, size_t len)
+{
+    KTEXT_ST tkt;
+    AUTH_DAT auth_dat;
+    char *p;
+    int kerror;
+    u_int32_t cs;
+    char msg[35]; /* size of encrypted block */
+    int tmp_len;
+    struct krb4_data *d = app_data;
+    char inst[INST_SZ];
+    struct sockaddr_in *his_addr_sin = (struct sockaddr_in *)his_addr;
+
+    memcpy(tkt.dat, buf, len);
+    tkt.length = len;
+
+    k_getsockinst(0, inst, sizeof(inst));
+    kerror = krb_rd_req(&tkt, "ftp", inst, 
+			his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    if(kerror == RD_AP_UNDEC){
+	k_getsockinst(0, inst, sizeof(inst));
+	kerror = krb_rd_req(&tkt, "rcmd", inst, 
+			    his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    }
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	return -1;
+    }
+    
+    memcpy(d->key, auth_dat.session, sizeof(d->key));
+    des_set_key(&d->key, d->schedule);
+
+    strlcpy(d->name, auth_dat.pname, sizeof(d->name));
+    strlcpy(d->instance, auth_dat.pinst, sizeof(d->instance));
+    strlcpy(d->realm, auth_dat.prealm, sizeof(d->instance));
+
+    cs = auth_dat.checksum + 1;
+    {
+	unsigned char tmp[4];
+	KRB_PUT_INT(cs, tmp, 4, sizeof(tmp));
+	tmp_len = krb_mk_safe(tmp, msg, 4, &d->key,
+			      (struct sockaddr_in *)LOCAL_ADDR,
+			      (struct sockaddr_in *)REMOTE_ADDR);
+    }
+    if(tmp_len < 0){
+	reply(535, "Error creating reply: %s.", strerror(errno));
+	return -1;
+    }
+    len = tmp_len;
+    if(base64_encode(msg, len, &p) < 0) {
+	reply(535, "Out of memory base64-encoding.");
+	return -1;
+    }
+    reply(235, "ADAT=%s", p);
+    sec_complete = 1;
+    free(p);
+    return 0;
+}
+
+static int
+krb4_userok(void *app_data, char *user)
+{
+    struct krb4_data *d = app_data;
+    return krb_kuserok(d->name, d->instance, d->realm, user);
+}
+
+struct sec_server_mech krb4_server_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode,
+    /* */
+    NULL,
+    krb4_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    krb4_userok
+};
+
+#else /* FTP_SERVER */
+
+static int
+mk_auth(struct krb4_data *d, KTEXT adat, 
+	char *service, char *host, int checksum)
+{
+    int ret;
+    CREDENTIALS cred;
+    char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_mk_req(adat, sname, inst, realm, checksum);
+    if(ret)
+	return ret;
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_get_cred(sname, inst, realm, &cred);
+    memmove(&d->key, &cred.session, sizeof(des_cblock));
+    des_key_sched(&d->key, d->schedule);
+    memset(&cred, 0, sizeof(cred));
+    return ret;
+}
+
+static int
+krb4_auth(void *app_data, char *host)
+{
+    int ret;
+    char *p;
+    int len;
+    KTEXT_ST adat;
+    MSG_DAT msg_data;
+    int checksum;
+    u_int32_t cs;
+    struct krb4_data *d = app_data;
+    struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
+    struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
+
+    checksum = getpid();
+    ret = mk_auth(d, &adat, "ftp", host, checksum);
+    if(ret == KDC_PR_UNKNOWN)
+	ret = mk_auth(d, &adat, "rcmd", host, checksum);
+    if(ret){
+	printf("%s\n", krb_get_err_text(ret));
+	return AUTH_CONTINUE;
+    }
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+      struct in_addr natAddr;
+
+      if (krb_get_our_ip_for_realm(krb_realmofhost(host),
+				   &natAddr) != KSUCCESS
+	  && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
+	printf("Can't get address for realm %s\n",
+	       krb_realmofhost(host));
+      else {
+	if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
+	  printf("Using NAT IP address (%s) for kerberos 4\n",
+		 inet_ntoa(natAddr));
+	  localaddr->sin_addr = natAddr;
+	  
+	  /*
+	   * This not the best place to do this, but it
+	   * is here we know that (probably) NAT is in
+	   * use!
+	   */
+
+	  passivemode = 1;
+	  printf("Setting: Passive mode on.\n");
+	}
+      }
+    }
+#endif
+
+    printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
+    printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
+
+   if(base64_encode(adat.dat, adat.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	return AUTH_CONTINUE;
+    }
+    ret = command("ADAT %s", p);
+    free(p);
+
+    if(ret != COMPLETE){
+	printf("Server didn't accept auth data.\n");
+	return AUTH_ERROR;
+    }
+
+    p = strstr(reply_string, "ADAT=");
+    if(!p){
+	printf("Remote host didn't send adat reply.\n");
+	return AUTH_ERROR;
+    }
+    p += 5;
+    len = base64_decode(p, adat.dat);
+    if(len < 0){
+	printf("Failed to decode base64 from server.\n");
+	return AUTH_ERROR;
+    }
+    adat.length = len;
+    ret = krb_rd_safe(adat.dat, adat.length, &d->key, 
+		      (struct sockaddr_in *)hisctladdr, 
+		      (struct sockaddr_in *)myctladdr, &msg_data);
+    if(ret){
+	printf("Error reading reply from server: %s.\n", 
+	       krb_get_err_text(ret));
+	return AUTH_ERROR;
+    }
+    krb_get_int(msg_data.app_data, &cs, 4, 0);
+    if(cs - checksum != 1){
+	printf("Bad checksum returned from server.\n");
+	return AUTH_ERROR;
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech krb4_client_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    krb4_auth,
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftp/main.c b/crypto/heimdal/appl/ftp/ftp/main.c
new file mode 100644
index 0000000..dfe9e88
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/main.c
@@ -0,0 +1,549 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Interface.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: main.c,v 1.27 1999/11/13 06:18:02 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+	int ch, top;
+	struct passwd *pw = NULL;
+	char homedir[MaxPathLen];
+	struct servent *sp;
+
+	set_progname(argv[0]);
+
+	sp = getservbyname("ftp", "tcp");
+	if (sp == 0)
+		errx(1, "ftp/tcp: unknown service");
+	doglob = 1;
+	interactive = 1;
+	autologin = 1;
+	passivemode = 0; /* passive mode not active */
+
+	while ((ch = getopt(argc, argv, "dginptv")) != -1) {
+		switch (ch) {
+		case 'd':
+			options |= SO_DEBUG;
+			debug++;
+			break;
+			
+		case 'g':
+			doglob = 0;
+			break;
+
+		case 'i':
+			interactive = 0;
+			break;
+
+		case 'n':
+			autologin = 0;
+			break;
+
+		case 'p':
+		        passivemode = 1;
+			break;
+		case 't':
+			trace++;
+			break;
+
+		case 'v':
+			verbose++;
+			break;
+
+		default:
+		    fprintf(stderr,
+			    "usage: ftp [-dginptv] [host [port]]\n");
+		    exit(1);
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	fromatty = isatty(fileno(stdin));
+	if (fromatty)
+		verbose++;
+	cpend = 0;	/* no pending replies */
+	proxy = 0;	/* proxy not active */
+	crflag = 1;	/* strip c.r. on ascii gets */
+	sendport = -1;	/* not using ports */
+	/*
+	 * Set up the home directory in case we're globbing.
+	 */
+	pw = k_getpwuid(getuid());
+	if (pw != NULL) {
+		strlcpy(homedir, pw->pw_dir, sizeof(homedir));
+		home = homedir;
+	}
+	if (argc > 0) {
+	    char *xargv[5];
+	    
+	    if (setjmp(toplevel))
+		exit(0);
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	    xargv[0] = (char*)__progname;
+	    xargv[1] = argv[0];
+	    xargv[2] = argv[1];
+	    xargv[3] = argv[2];
+	    xargv[4] = NULL;
+	    setpeer(argc+1, xargv);
+	}
+	if(setjmp(toplevel) == 0)
+	    top = 1;
+	else
+	    top = 0;
+	if (top) {
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	}
+	for (;;) {
+	    cmdscanner(top);
+	    top = 1;
+	}
+}
+
+void
+intr(int sig)
+{
+
+	longjmp(toplevel, 1);
+}
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+RETSIGTYPE
+lostpeer(int sig)
+{
+
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	if (data >= 0) {
+	    shutdown(data, SHUT_RDWR);
+	    close(data);
+	    data = -1;
+	}
+	connected = 0;
+    }
+    pswitch(1);
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	connected = 0;
+    }
+    proxflag = 0;
+    pswitch(0);
+    sec_end();
+    SIGRETURN(0);
+}
+
+/*
+char *
+tail(filename)
+	char *filename;
+{
+	char *s;
+	
+	while (*filename) {
+		s = strrchr(filename, '/');
+		if (s == NULL)
+			break;
+		if (s[1])
+			return (s + 1);
+		*s = '\0';
+	}
+	return (filename);
+}
+*/
+
+#ifndef HAVE_READLINE
+
+static char *
+readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#else
+
+/* These should not really be here */
+
+char *readline(char *);
+void add_history(char *);
+
+#endif
+
+/*
+ * Command parser.
+ */
+void
+cmdscanner(int top)
+{
+    struct cmd *c;
+    int l;
+
+    if (!top)
+	putchar('\n');
+    for (;;) {
+	if (fromatty) {
+	    char *p;
+	    p = readline("ftp> ");
+	    if(p == NULL)
+		quit(0, 0);
+	    strlcpy(line, p, sizeof(line));
+	    add_history(p);
+	    free(p);
+	} else{
+	    if (fgets(line, sizeof line, stdin) == NULL)
+		quit(0, 0);
+	}
+	/* XXX will break on long lines */
+	l = strlen(line);
+	if (l == 0)
+	    break;
+	if (line[--l] == '\n') {
+	    if (l == 0)
+		break;
+	    line[l] = '\0';
+	} else if (l == sizeof(line) - 2) {
+	    printf("sorry, input line too long\n");
+	    while ((l = getchar()) != '\n' && l != EOF)
+		/* void */;
+	    break;
+	} /* else it was a line without a newline */
+	makeargv();
+	if (margc == 0) {
+	    continue;
+	}
+	c = getcmd(margv[0]);
+	if (c == (struct cmd *)-1) {
+	    printf("?Ambiguous command\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\n");
+	    continue;
+	}
+	if (c->c_conn && !connected) {
+	    printf("Not connected.\n");
+	    continue;
+	}
+	(*c->c_handler)(margc, margv);
+	if (bell && c->c_bell)
+	    putchar('\007');
+	if (c->c_handler != help)
+	    break;
+    }
+    signal(SIGINT, intr);
+    signal(SIGPIPE, lostpeer);
+}
+
+struct cmd *
+getcmd(char *name)
+{
+	char *p, *q;
+	struct cmd *c, *found;
+	int nmatches, longest;
+
+	longest = 0;
+	nmatches = 0;
+	found = 0;
+	for (c = cmdtab; (p = c->c_name); c++) {
+		for (q = name; *q == *p++; q++)
+			if (*q == 0)		/* exact match? */
+				return (c);
+		if (!*q) {			/* the name was a prefix */
+			if (q - name > longest) {
+				longest = q - name;
+				nmatches = 1;
+				found = c;
+			} else if (q - name == longest)
+				nmatches++;
+		}
+	}
+	if (nmatches > 1)
+		return ((struct cmd *)-1);
+	return (found);
+}
+
+/*
+ * Slice a string up into argc/argv.
+ */
+
+int slrflag;
+
+void
+makeargv(void)
+{
+	char **argp;
+
+	argp = margv;
+	stringbase = line;		/* scan from first of buffer */
+	argbase = argbuf;		/* store from first of buffer */
+	slrflag = 0;
+	for (margc = 0; ; margc++) {
+		/* Expand array if necessary */
+		if (margc == margvlen) {
+			int i;
+
+			margv = (margvlen == 0)
+				? (char **)malloc(20 * sizeof(char *))
+				: (char **)realloc(margv,
+					(margvlen + 20)*sizeof(char *));
+			if (margv == NULL)
+				errx(1, "cannot realloc argv array");
+			for(i = margvlen; i < margvlen + 20; ++i)
+				margv[i] = NULL;
+			margvlen += 20;
+			argp = margv + margc;
+		}
+
+		if ((*argp++ = slurpstring()) == NULL)
+			break;
+	}
+
+}
+
+/*
+ * Parse string into argbuf;
+ * implemented with FSM to
+ * handle quoting and strings
+ */
+char *
+slurpstring(void)
+{
+	int got_one = 0;
+	char *sb = stringbase;
+	char *ap = argbase;
+	char *tmp = argbase;		/* will return this if token found */
+
+	if (*sb == '!' || *sb == '$') {	/* recognize ! as a token for shell */
+		switch (slrflag) {	/* and $ as token for macro invoke */
+			case 0:
+				slrflag++;
+				stringbase++;
+				return ((*sb == '!') ? "!" : "$");
+				/* NOTREACHED */
+			case 1:
+				slrflag++;
+				altarg = stringbase;
+				break;
+			default:
+				break;
+		}
+	}
+
+S0:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case ' ':
+	case '\t':
+		sb++; goto S0;
+
+	default:
+		switch (slrflag) {
+			case 0:
+				slrflag++;
+				break;
+			case 1:
+				slrflag++;
+				altarg = sb;
+				break;
+			default:
+				break;
+		}
+		goto S1;
+	}
+
+S1:
+	switch (*sb) {
+
+	case ' ':
+	case '\t':
+	case '\0':
+		goto OUT;	/* end of token */
+
+	case '\\':
+		sb++; goto S2;	/* slurp next character */
+
+	case '"':
+		sb++; goto S3;	/* slurp quoted string */
+
+	default:
+		*ap++ = *sb++;	/* add character to token */
+		got_one = 1;
+		goto S1;
+	}
+
+S2:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S1;
+	}
+
+S3:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case '"':
+		sb++; goto S1;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S3;
+	}
+
+OUT:
+	if (got_one)
+		*ap++ = '\0';
+	argbase = ap;			/* update storage pointer */
+	stringbase = sb;		/* update scan pointer */
+	if (got_one) {
+		return (tmp);
+	}
+	switch (slrflag) {
+		case 0:
+			slrflag++;
+			break;
+		case 1:
+			slrflag++;
+			altarg = (char *) 0;
+			break;
+		default:
+			break;
+	}
+	return NULL;
+}
+
+#define HELPINDENT ((int) sizeof ("directory"))
+
+/*
+ * Help command.
+ * Call each command handler with argc == 0 and argv[0] == name.
+ */
+void
+help(int argc, char **argv)
+{
+	struct cmd *c;
+
+	if (argc == 1) {
+		int i, j, w, k;
+		int columns, width = 0, lines;
+
+		printf("Commands may be abbreviated.  Commands are:\n\n");
+		for (c = cmdtab; c < &cmdtab[NCMDS]; c++) {
+			int len = strlen(c->c_name);
+
+			if (len > width)
+				width = len;
+		}
+		width = (width + 8) &~ 7;
+		columns = 80 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+			for (j = 0; j < columns; j++) {
+				c = cmdtab + j * lines + i;
+				if (c->c_name && (!proxy || c->c_proxy)) {
+					printf("%s", c->c_name);
+				}
+				else if (c->c_name) {
+					for (k=0; k < strlen(c->c_name); k++) {
+						putchar(' ');
+					}
+				}
+				if (c + lines >= &cmdtab[NCMDS]) {
+					printf("\n");
+					break;
+				}
+				w = strlen(c->c_name);
+				while (w < width) {
+					w = (w + 8) &~ 7;
+					putchar('\t');
+				}
+			}
+		}
+		return;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (c == (struct cmd *)-1)
+			printf("?Ambiguous help command %s\n", arg);
+		else if (c == (struct cmd *)0)
+			printf("?Invalid help command %s\n", arg);
+		else
+			printf("%-*s\t%s\n", HELPINDENT,
+				c->c_name, c->c_help);
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/pathnames.h b/crypto/heimdal/appl/ftp/ftp/pathnames.h
new file mode 100644
index 0000000..f7c1fb3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/pathnames.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/6/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#define	_PATH_TMP_XXX	"/tmp/ftpXXXXXX"
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL	"/bin/sh"
+#endif
diff --git a/crypto/heimdal/appl/ftp/ftp/ruserpass.c b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
new file mode 100644
index 0000000..b22f699
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: ruserpass.c,v 1.19 2000/01/08 07:45:11 assar Exp $");
+
+static	int token (void);
+static	FILE *cfile;
+
+#define	DEFAULT	1
+#define	LOGIN	2
+#define	PASSWD	3
+#define	ACCOUNT 4
+#define MACDEF  5
+#define PROT	6
+#define	ID	10
+#define	MACH	11
+
+static char tokval[100];
+
+static struct toktab {
+	char *tokstr;
+	int tval;
+} toktab[]= {
+	{ "default",	DEFAULT },
+	{ "login",	LOGIN },
+	{ "password",	PASSWD },
+	{ "passwd",	PASSWD },
+	{ "account",	ACCOUNT },
+	{ "machine",	MACH },
+	{ "macdef",	MACDEF },
+	{ "prot", 	PROT }, 
+	{ NULL,		0 }
+};
+
+/*
+ * Write a copy of the hostname into `hostname, sz' and return a guess
+ * as to the `domain' of that hostname.
+ */
+
+static char *
+guess_domain (char *hostname, size_t sz)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char *dot;
+
+    if (gethostname (hostname, sz) < 0) {
+	strlcpy (hostname, "", sz);
+	return "";
+    }
+    dot = strchr (hostname, '.');
+    if (dot != NULL)
+	return dot + 1;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (hostname, NULL, &hints, &ai);
+    if (error)
+	return hostname;
+
+    for (a = ai; a != NULL; a = a->ai_next)
+	if (a->ai_canonname != NULL) {
+	    strlcpy (hostname, ai->ai_canonname, sz);
+	    break;
+	}
+    freeaddrinfo (ai);
+    dot = strchr (hostname, '.');
+    if (dot != NULL)
+	return dot + 1;
+    else
+	return hostname;
+}
+
+int
+ruserpass(char *host, char **aname, char **apass, char **aacct)
+{
+    char *hdir, buf[BUFSIZ], *tmp;
+    int t, i, c, usedefault = 0;
+    struct stat stb;
+
+    mydomain = guess_domain (myhostname, MaxHostNameLen);
+
+    hdir = getenv("HOME");
+    if (hdir == NULL)
+	hdir = ".";
+    snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
+    cfile = fopen(buf, "r");
+    if (cfile == NULL) {
+	if (errno != ENOENT)
+	    warn("%s", buf);
+	return (0);
+    }
+
+next:
+    while ((t = token())) switch(t) {
+
+    case DEFAULT:
+	usedefault = 1;
+	/* FALL THROUGH */
+
+    case MACH:
+	if (!usedefault) {
+	    if (token() != ID)
+		continue;
+	    /*
+	     * Allow match either for user's input host name
+	     * or official hostname.  Also allow match of 
+	     * incompletely-specified host in local domain.
+	     */
+	    if (strcasecmp(host, tokval) == 0)
+		goto match;
+	    if (strcasecmp(hostname, tokval) == 0)
+		goto match;
+	    if ((tmp = strchr(hostname, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(hostname, tokval, tmp-hostname) == 0 &&
+		tokval[tmp - hostname] == '\0')
+		goto match;
+	    if ((tmp = strchr(host, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(host, tokval, tmp - host) == 0 &&
+		tokval[tmp - host] == '\0')
+		goto match;
+	    continue;
+	}
+    match:
+	while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {
+
+	case LOGIN:
+	    if (token()) {
+		if (*aname == 0) { 
+		    *aname = strdup(tokval);
+		} else {
+		    if (strcmp(*aname, tokval))
+			goto next;
+		}
+	    }
+	    break;
+	case PASSWD:
+	    if ((*aname == NULL || strcmp(*aname, "anonymous")) &&
+		fstat(fileno(cfile), &stb) >= 0 &&
+		(stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove password or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *apass == 0) {
+		*apass = strdup(tokval);
+	    }
+	    break;
+	case ACCOUNT:
+	    if (fstat(fileno(cfile), &stb) >= 0
+		&& (stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove account or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *aacct == 0) {
+		*aacct = strdup(tokval);
+	    }
+	    break;
+	case MACDEF:
+	    if (proxy) {
+		fclose(cfile);
+		return (0);
+	    }
+	    while ((c=getc(cfile)) != EOF && 
+		   (c == ' ' || c == '\t'));
+	    if (c == EOF || c == '\n') {
+		printf("Missing macdef name argument.\n");
+		goto bad;
+	    }
+	    if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		goto bad;
+	    }
+	    tmp = macros[macnum].mac_name;
+	    *tmp++ = c;
+	    for (i=0; i < 8 && (c=getc(cfile)) != EOF &&
+		     !isspace(c); ++i) {
+		*tmp++ = c;
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    *tmp = '\0';
+	    if (c != '\n') {
+		while ((c=getc(cfile)) != EOF && c != '\n');
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	    }
+	    else {
+		macros[macnum].mac_start = macros[macnum-1].mac_end + 1;
+	    }
+	    tmp = macros[macnum].mac_start;
+	    while (tmp != macbuf + 4096) {
+		if ((c=getc(cfile)) == EOF) {
+		    printf("Macro definition missing null line terminator.\n");
+		    goto bad;
+		}
+		*tmp = c;
+		if (*tmp == '\n') {
+		    if (*(tmp-1) == '\0') {
+			macros[macnum++].mac_end = tmp - 1;
+			break;
+		    }
+		    *tmp = '\0';
+		}
+		tmp++;
+	    }
+	    if (tmp == macbuf + 4096) {
+		printf("4K macro buffer exceeded\n");
+		goto bad;
+	    }
+	    break;
+	case PROT:
+	    token();
+	    if(sec_request_prot(tokval) < 0)
+		warnx("Unknown protection level \"%s\"", tokval);
+	    break;
+	default:
+	    warnx("Unknown .netrc keyword %s", tokval);
+	    break;
+	}
+	goto done;
+    }
+done:
+    fclose(cfile);
+    return (0);
+bad:
+    fclose(cfile);
+    return (-1);
+}
+
+static int
+token(void)
+{
+	char *cp;
+	int c;
+	struct toktab *t;
+
+	if (feof(cfile) || ferror(cfile))
+		return (0);
+	while ((c = getc(cfile)) != EOF &&
+	    (c == '\n' || c == '\t' || c == ' ' || c == ','))
+		continue;
+	if (c == EOF)
+		return (0);
+	cp = tokval;
+	if (c == '"') {
+		while ((c = getc(cfile)) != EOF && c != '"') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	} else {
+		*cp++ = c;
+		while ((c = getc(cfile)) != EOF
+		    && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	}
+	*cp = 0;
+	if (tokval[0] == 0)
+		return (0);
+	for (t = toktab; t->tokstr; t++)
+		if (!strcmp(t->tokstr, tokval))
+			return (t->tval);
+	return (ID);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c
new file mode 100644
index 0000000..8c90f5e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/security.c
@@ -0,0 +1,788 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+
+RCSID("$Id: security.c,v 1.16 2000/02/07 03:11:43 assar Exp $");
+
+static enum protection_level command_prot;
+static enum protection_level data_prot;
+static size_t buffer_size;
+
+struct buffer {
+    void *data;
+    size_t size;
+    size_t index;
+    int eof_flag;
+};
+
+static struct buffer in_buffer, out_buffer;
+int sec_complete;
+
+static struct {
+    enum protection_level level;
+    const char *name;
+} level_names[] = {
+    { prot_clear, "clear" },
+    { prot_safe, "safe" },
+    { prot_confidential, "confidential" },
+    { prot_private, "private" }
+};
+
+static const char *
+level_to_name(enum protection_level level)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(level_names[i].level == level)
+	    return level_names[i].name;
+    return "unknown";
+}
+
+#ifndef FTP_SERVER /* not used in server */
+static enum protection_level 
+name_to_level(const char *name)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(!strncasecmp(level_names[i].name, name, strlen(name)))
+	    return level_names[i].level;
+    return (enum protection_level)-1;
+}
+#endif
+
+#ifdef FTP_SERVER
+
+static struct sec_server_mech *mechs[] = {
+#ifdef KRB5
+    &gss_server_mech,
+#endif
+#ifdef KRB4
+    &krb4_server_mech,
+#endif
+    NULL
+};
+
+static struct sec_server_mech *mech;
+
+#else
+
+static struct sec_client_mech *mechs[] = {
+#ifdef KRB5
+    &gss_client_mech,
+#endif
+#ifdef KRB4
+    &krb4_client_mech,
+#endif
+    NULL
+};
+
+static struct sec_client_mech *mech;
+
+#endif
+
+static void *app_data;
+
+int
+sec_getc(FILE *F)
+{
+    if(sec_complete && data_prot) {
+	char c;
+	if(sec_read(fileno(F), &c, 1) <= 0)
+	    return EOF;
+	return c;
+    } else
+	return getc(F);
+}
+
+static int
+block_read(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = read(fd, p, len);
+	if (b == 0)
+	    return 0;
+	else if (b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+block_write(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = write(fd, p, len);
+	if(b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+sec_get_data(int fd, struct buffer *buf, int level)
+{
+    int len;
+    int b;
+
+    b = block_read(fd, &len, sizeof(len));
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    len = ntohl(len);
+    buf->data = realloc(buf->data, len);
+    b = block_read(fd, buf->data, len);
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
+    buf->index = 0;
+    return 0;
+}
+
+static size_t
+buffer_read(struct buffer *buf, void *data, size_t len)
+{
+    len = min(len, buf->size - buf->index);
+    memcpy(data, (char*)buf->data + buf->index, len);
+    buf->index += len;
+    return len;
+}
+
+static size_t
+buffer_write(struct buffer *buf, void *data, size_t len)
+{
+    if(buf->index + len > buf->size) {
+	void *tmp;
+	if(buf->data == NULL)
+	    tmp = malloc(1024);
+	else
+	    tmp = realloc(buf->data, buf->index + len);
+	if(tmp == NULL)
+	    return -1;
+	buf->data = tmp;
+	buf->size = buf->index + len;
+    }
+    memcpy((char*)buf->data + buf->index, data, len);
+    buf->index += len;
+    return len;
+}
+
+int
+sec_read(int fd, void *data, int length)
+{
+    size_t len;
+    int rx = 0;
+
+    if(sec_complete == 0 || data_prot == 0)
+	return read(fd, data, length);
+
+    if(in_buffer.eof_flag){
+	in_buffer.eof_flag = 0;
+	return 0;
+    }
+    
+    len = buffer_read(&in_buffer, data, length);
+    length -= len;
+    rx += len;
+    data = (char*)data + len;
+    
+    while(length){
+	int ret;
+
+	ret = sec_get_data(fd, &in_buffer, data_prot);
+	if (ret < 0)
+	    return -1;
+	if(ret == 0 || in_buffer.size == 0) {
+	    if(rx)
+		in_buffer.eof_flag = 1;
+	    return rx;
+	}
+	len = buffer_read(&in_buffer, data, length);
+	length -= len;
+	rx += len;
+	data = (char*)data + len;
+    }
+    return rx;
+}
+
+static int
+sec_send(int fd, char *from, int length)
+{
+    int bytes;
+    void *buf;
+    bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
+    bytes = htonl(bytes);
+    block_write(fd, &bytes, sizeof(bytes));
+    block_write(fd, buf, ntohl(bytes));
+    free(buf);
+    return length;
+}
+
+int
+sec_fflush(FILE *F)
+{
+    if(data_prot != prot_clear) {
+	if(out_buffer.index > 0){
+	    sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	    out_buffer.index = 0;
+	}
+	sec_send(fileno(F), NULL, 0);
+    }
+    fflush(F);
+    return 0;
+}
+
+int
+sec_write(int fd, char *data, int length)
+{
+    int len = buffer_size;
+    int tx = 0;
+      
+    if(data_prot == prot_clear)
+	return write(fd, data, length);
+
+    len -= (*mech->overhead)(app_data, data_prot, len);
+    while(length){
+	if(length < len)
+	    len = length;
+	sec_send(fd, data, len);
+	length -= len;
+	data += len;
+	tx += len;
+    }
+    return tx;
+}
+
+int
+sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    int ret;
+    if(data_prot == prot_clear)
+	return vfprintf(f, fmt, ap);
+    else {
+	vasprintf(&buf, fmt, ap);
+	ret = buffer_write(&out_buffer, buf, strlen(buf));
+	free(buf);
+	return ret;
+    }
+}
+
+int
+sec_fprintf2(FILE *f, const char *fmt, ...)
+{
+    int ret;
+    va_list ap;
+    va_start(ap, fmt);
+    ret = sec_vfprintf2(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+sec_putc(int c, FILE *F)
+{
+    char ch = c;
+    if(data_prot == prot_clear)
+	return putc(c, F);
+    
+    buffer_write(&out_buffer, &ch, 1);
+    if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
+	sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	out_buffer.index = 0;
+    }
+    return c;
+}
+
+int
+sec_read_msg(char *s, int level)
+{
+    int len;
+    char *buf;
+    int code;
+    
+    buf = malloc(strlen(s));
+    len = base64_decode(s + 4, buf); /* XXX */
+    
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len < 0)
+	return -1;
+    
+    buf[len] = '\0';
+
+    if(buf[3] == '-')
+	code = 0;
+    else
+	sscanf(buf, "%d", &code);
+    if(buf[len-1] == '\n')
+	buf[len-1] = '\0';
+    strcpy(s, buf);
+    free(buf);
+    return code;
+}
+
+int
+sec_vfprintf(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    void *enc;
+    int len;
+    if(!sec_complete)
+	return vfprintf(f, fmt, ap);
+    
+    vasprintf(&buf, fmt, ap);
+    len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
+    free(buf);
+    if(len < 0) {
+	printf("Failed to encode command.\n");
+	return -1;
+    }
+    if(base64_encode(enc, len, &buf) < 0){
+	printf("Out of memory base64-encoding.\n");
+	return -1;
+    }
+#ifdef FTP_SERVER
+    if(command_prot == prot_safe)
+	fprintf(f, "631 %s\r\n", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "632 %s\r\n", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "633 %s\r\n", buf);
+#else
+    if(command_prot == prot_safe)
+	fprintf(f, "MIC %s", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "ENC %s", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "CONF %s", buf);
+#endif
+    free(buf);
+    return 0;
+}
+
+int
+sec_fprintf(FILE *f, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = sec_vfprintf(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+void
+auth(char *auth_name)
+{
+    int i;
+    for(i = 0; (mech = mechs[i]) != NULL; i++){
+	if(!strcasecmp(auth_name, mech->name)){
+	    app_data = realloc(app_data, mech->size);
+	    if(mech->init && (*mech->init)(app_data) != 0) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    if(mech->auth) {
+		(*mech->auth)(app_data);
+		return;
+	    }
+	    if(mech->adat)
+		reply(334, "Send authorization data.");
+	    else
+		reply(234, "Authorization complete.");
+	    return;
+	}
+    }
+    free (app_data);
+    reply(504, "%s is unknown to me", auth_name);
+}
+
+void
+adat(char *auth_data)
+{
+    if(mech && !sec_complete) {
+	void *buf = malloc(strlen(auth_data));
+	size_t len;
+	len = base64_decode(auth_data, buf);
+	(*mech->adat)(app_data, buf, len);
+	free(buf);
+    } else
+	reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
+}
+
+void pbsz(int size)
+{
+    size_t new = size;
+    if(!sec_complete)
+	reply(503, "Incomplete security data exchange.");
+    if(mech->pbsz)
+	new = (*mech->pbsz)(app_data, size);
+    if(buffer_size != new){
+	buffer_size = size;
+    }
+    if(new != size)
+	reply(200, "PBSZ=%lu", (unsigned long)new);
+    else
+	reply(200, "OK");
+}
+
+void
+prot(char *pl)
+{
+    int p = -1;
+
+    if(buffer_size == 0){
+	reply(503, "No protection buffer size negotiated.");
+	return;
+    }
+
+    if(!strcasecmp(pl, "C"))
+	p = prot_clear;
+    else if(!strcasecmp(pl, "S"))
+	p = prot_safe;
+    else if(!strcasecmp(pl, "E"))
+	p = prot_confidential;
+    else if(!strcasecmp(pl, "P"))
+	p = prot_private;
+    else {
+	reply(504, "Unrecognized protection level.");
+	return;
+    }
+    
+    if(sec_complete){
+	if((*mech->check_prot)(app_data, p)){
+	    reply(536, "%s does not support %s protection.", 
+		  mech->name, level_to_name(p));
+	}else{
+	    data_prot = (enum protection_level)p;
+	    reply(200, "Data protection is %s.", level_to_name(p));
+	}
+    }else{
+	reply(503, "Incomplete security data exchange.");
+    }
+}
+
+void ccc(void)
+{
+    if(sec_complete){
+	if(mech->ccc && (*mech->ccc)(app_data) == 0)
+	    command_prot = data_prot = prot_clear;
+	else
+	    reply(534, "You must be joking.");
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void mec(char *msg, enum protection_level level)
+{
+    void *buf;
+    size_t len;
+    if(!sec_complete) {
+	reply(503, "Incomplete security data exchange.");
+	return;
+    }
+    buf = malloc(strlen(msg) + 2); /* XXX go figure out where that 2
+				      comes from :-) */
+    len = base64_decode(msg, buf);
+    command_prot = level;
+    if(len == (size_t)-1) {
+	reply(501, "Failed to base64-decode command");
+	return;
+    }
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len == (size_t)-1) {
+	reply(535, "Failed to decode command");
+	return;
+    }
+    ((char*)buf)[len] = '\0';
+    if(strstr((char*)buf, "\r\n") == NULL)
+	strcat((char*)buf, "\r\n");
+    new_ftp_command(buf);
+}
+
+/* ------------------------------------------------------------ */
+
+int
+sec_userok(char *user)
+{
+    if(sec_complete)
+	return (*mech->userok)(app_data, user);
+    return 0;
+}
+
+char *ftp_command;
+
+void
+new_ftp_command(char *command)
+{
+    ftp_command = command;
+}
+
+void
+delete_ftp_command(void)
+{
+    free(ftp_command);
+    ftp_command = NULL;
+}
+
+int
+secure_command(void)
+{
+    return ftp_command != NULL;
+}
+
+enum protection_level
+get_command_prot(void)
+{
+    return command_prot;
+}
+
+#else /* FTP_SERVER */
+
+void
+sec_status(void)
+{
+    if(sec_complete){
+	printf("Using %s for authentication.\n", mech->name);
+	printf("Using %s command channel.\n", level_to_name(command_prot));
+	printf("Using %s data channel.\n", level_to_name(data_prot));
+	if(buffer_size > 0)
+	    printf("Protection buffer size: %lu.\n", 
+		   (unsigned long)buffer_size);
+    }else{
+	printf("Not using any security mechanism.\n");
+    }
+}
+
+static int
+sec_prot_internal(int level)
+{
+    int ret;
+    char *p;
+    unsigned int s = 1048576;
+
+    int old_verbose = verbose;
+    verbose = 0;
+
+    if(!sec_complete){
+	printf("No security data exchange has taken place.\n");
+	return -1;
+    }
+
+    if(level){
+	ret = command("PBSZ %u", s);
+	if(ret != COMPLETE){
+	    printf("Failed to set protection buffer size.\n");
+	    return -1;
+	}
+	buffer_size = s;
+	p = strstr(reply_string, "PBSZ=");
+	if(p)
+	    sscanf(p, "PBSZ=%u", &s);
+	if(s < buffer_size)
+	    buffer_size = s;
+    }
+    verbose = old_verbose;
+    ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
+    if(ret != COMPLETE){
+	printf("Failed to set protection level.\n");
+	return -1;
+    }
+    
+    data_prot = (enum protection_level)level;
+    return 0;
+}
+
+enum protection_level
+set_command_prot(enum protection_level level)
+{
+    enum protection_level old = command_prot;
+    command_prot = level;
+    return old;
+}
+
+void
+sec_prot(int argc, char **argv)
+{
+    int level = -1;
+
+    if(argc < 2 || argc > 3)
+	goto usage;
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+    level = name_to_level(argv[argc - 1]);
+    
+    if(level == -1)
+	goto usage;
+    
+    if((*mech->check_prot)(app_data, level)) {
+	printf("%s does not implement %s protection.\n", 
+	       mech->name, level_to_name(level));
+	code = -1;
+	return;
+    }
+    
+    if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
+	if(sec_prot_internal(level) < 0){
+	    code = -1;
+	    return;
+	}
+    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0)
+	set_command_prot(level);
+    else
+	goto usage;
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
+static enum protection_level request_data_prot;
+
+void
+sec_set_protection_level(void)
+{
+    if(sec_complete && data_prot != request_data_prot)
+	sec_prot_internal(request_data_prot);
+}
+
+
+int
+sec_request_prot(char *level)
+{
+    int l = name_to_level(level);
+    if(l == -1)
+	return -1;
+    request_data_prot = (enum protection_level)l;
+    return 0;
+}
+
+int
+sec_login(char *host)
+{
+    int ret;
+    struct sec_client_mech **m;
+    int old_verbose = verbose;
+
+    verbose = -1; /* shut up all messages this will produce (they
+		     are usually not very user friendly) */
+    
+    for(m = mechs; *m && (*m)->name; m++) {
+	void *tmp;
+
+	tmp = realloc(app_data, (*m)->size);
+	if (tmp == NULL) {
+	    warnx ("realloc %u failed", (*m)->size);
+	    return -1;
+	}
+	app_data = tmp;
+	    
+	if((*m)->init && (*(*m)->init)(app_data) != 0) {
+	    printf("Skipping %s...\n", (*m)->name);
+	    continue;
+	}
+	printf("Trying %s...\n", (*m)->name);
+	ret = command("AUTH %s", (*m)->name);
+	if(ret != CONTINUE){
+	    if(code == 504){
+		printf("%s is not supported by the server.\n", (*m)->name);
+	    }else if(code == 534){
+		printf("%s rejected as security mechanism.\n", (*m)->name);
+	    }else if(ret == ERROR) {
+		printf("The server doesn't support the FTP "
+		       "security extensions.\n");
+		verbose = old_verbose;
+		return -1;
+	    }
+	    continue;
+	}
+
+	ret = (*(*m)->auth)(app_data, host);
+	
+	if(ret == AUTH_CONTINUE)
+	    continue;
+	else if(ret != AUTH_OK){
+	    /* mechanism is supposed to output error string */
+	    verbose = old_verbose;
+	    return -1;
+	}
+	mech = *m;
+	sec_complete = 1;
+	command_prot = prot_safe;
+	break;
+    }
+    
+    verbose = old_verbose;
+    return *m == NULL;
+}
+
+void
+sec_end(void)
+{
+    if (mech != NULL) {
+	if(mech->end)
+	    (*mech->end)(app_data);
+	memset(app_data, 0, mech->size);
+	free(app_data);
+	app_data = NULL;
+    }
+    sec_complete = 0;
+    data_prot = (enum protection_level)0;
+}
+
+#endif /* FTP_SERVER */
+
diff --git a/crypto/heimdal/appl/ftp/ftp/security.h b/crypto/heimdal/appl/ftp/ftp/security.h
new file mode 100644
index 0000000..6fe0694
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/security.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: security.h,v 1.7 1999/12/02 16:58:30 joda Exp $ */
+
+#ifndef __security_h__
+#define __security_h__
+
+enum protection_level { 
+    prot_clear, 
+    prot_safe, 
+    prot_confidential, 
+    prot_private 
+};
+
+struct sec_client_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    int (*auth)(void *, char*);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+};
+
+struct sec_server_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+
+    int (*auth)(void *);
+    int (*adat)(void *, void*, size_t);
+    size_t (*pbsz)(void *, size_t);
+    int (*ccc)(void*);
+    int (*userok)(void*, char*);
+};
+
+#define AUTH_OK		0
+#define AUTH_CONTINUE	1
+#define AUTH_ERROR	2
+
+#ifdef FTP_SERVER
+extern struct sec_server_mech krb4_server_mech, gss_server_mech;
+#else
+extern struct sec_client_mech krb4_client_mech, gss_client_mech;
+#endif
+
+extern int sec_complete;
+
+#ifdef FTP_SERVER
+extern char *ftp_command;
+void new_ftp_command(char*);
+void delete_ftp_command(void);
+#endif
+
+/* ---- */
+
+
+int sec_fflush (FILE *);
+int sec_fprintf (FILE *, const char *, ...);
+int sec_getc (FILE *);
+int sec_putc (int, FILE *);
+int sec_read (int, void *, int);
+int sec_read_msg (char *, int);
+int sec_vfprintf (FILE *, const char *, va_list);
+int sec_fprintf2(FILE *f, const char *fmt, ...);
+int sec_vfprintf2(FILE *, const char *, va_list);
+int sec_write (int, char *, int);
+
+#ifdef FTP_SERVER
+void adat (char *);
+void auth (char *);
+void ccc (void);
+void mec (char *, enum protection_level);
+void pbsz (int);
+void prot (char *);
+void delete_ftp_command (void);
+void new_ftp_command (char *);
+int sec_userok (char *);
+int secure_command (void);
+enum protection_level get_command_prot(void);
+#else
+void sec_end (void);
+int sec_login (char *);
+void sec_prot (int, char **);
+int sec_request_prot (char *);
+void sec_set_protection_level (void);
+void sec_status (void);
+
+enum protection_level set_command_prot(enum protection_level);
+
+#endif
+
+#endif /* __security_h__ */  
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.am b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
new file mode 100644
index 0000000..92d8e7c
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
@@ -0,0 +1,56 @@
+# $Id: Makefile.am,v 1.21 2000/01/06 15:10:57 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+
+libexec_PROGRAMS = ftpd
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c gss_userok.c
+endif
+
+ftpd_SOURCES =		\
+	extern.h	\
+	ftpcmd.y	\
+	ftpd.c		\
+	ftpd_locl.h	\
+	logwtmp.c	\
+	ls.c		\
+	pathnames.h	\
+	popen.c		\
+	security.c	\
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
+
+$(ftpd_OBJECTS): security.h
+
+security.c:
+	@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+
+man_MANS = ftpd.8 ftpusers.5
+
+LDADD = ../common/libcommon.a \
+	$(LIB_kafs) \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_otp) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.in b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
new file mode 100644
index 0000000..1cd211b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
@@ -0,0 +1,768 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.21 2000/01/06 15:10:57 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = 
+
+libexec_PROGRAMS = ftpd
+
+@KRB4_TRUE@krb4_sources = krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = gssapi.c gss_userok.c
+
+ftpd_SOURCES =  	extern.h		ftpcmd.y		ftpd.c			ftpd_locl.h		logwtmp.c		ls.c			pathnames.h		popen.c			security.c		$(krb4_sources) 	$(krb5_sources)
+
+
+EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
+
+CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+
+man_MANS = ftpd.8 ftpusers.5
+
+LDADD = ../common/libcommon.a 	$(LIB_kafs) 	$(LIB_gssapi) 	$(LIB_krb5) 	$(LIB_krb4) 	$(LIB_otp) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(DBLIB)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  ftpd$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@KRB4_TRUE@@KRB5_FALSE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@security.$(OBJEXT) krb4.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@kauth.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@gss_userok.$(OBJEXT)
+@KRB4_FALSE@@KRB5_FALSE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@security.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
+ftpd_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+ftpd_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in ftpcmd.c
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
+OBJECTS = $(ftpd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftpd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES)
+	@rm -f ftpd$(EXEEXT)
+	$(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS)
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+ftpcmd.h: ftpcmd.c
+
+
+install-man5:
+	$(mkinstalldirs) $(DESTDIR)$(man5dir)
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+uninstall-man5:
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man5 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man5 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/ftp/ftpd
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man5 \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-test -z "ftpcmdhftpcmdc" || rm -f ftpcmdh ftpcmdc
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man5 uninstall-man5 install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(ftpd_OBJECTS): security.h
+
+security.c:
+	@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/ftpd/extern.h b/crypto/heimdal/appl/ftp/ftpd/extern.h
new file mode 100644
index 0000000..2e1e0d0
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/extern.h
@@ -0,0 +1,160 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.2 (Berkeley) 4/4/94
+ */
+
+#ifndef _EXTERN_H_
+#define _EXTERN_H_
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#ifndef NBBY
+#define NBBY CHAR_BIT
+#endif
+
+void	abor(void);
+void	blkfree(char **);
+char  **copyblk(char **);
+void	cwd(char *);
+void	do_delete(char *);
+void	dologout(int);
+void	eprt(char *);
+void	epsv(char *);
+void	fatal(char *);
+int	filename_check(char *);
+int	ftpd_pclose(FILE *);
+FILE   *ftpd_popen(char *, char *, int, int);
+char   *ftpd_getline(char *, int);
+void	ftpd_logwtmp(char *, char *, char *);
+void	lreply(int, const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+;
+void	makedir(char *);
+void	nack(char *);
+void	nreply(const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+void	pass(char *);
+void	pasv(void);
+void	perror_reply(int, const char *);
+void	pwd(void);
+void	removedir(char *);
+void	renamecmd(char *, char *);
+char   *renamefrom(char *);
+void	reply(int, const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+;
+void	retrieve(const char *, char *);
+void	send_file_list(char *);
+void	setproctitle(const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+void	statcmd(void);
+void	statfilecmd(char *);
+void	do_store(char *, char *, int);
+void	upper(char *);
+void	user(char *);
+void	yyerror(char *);
+
+void	list_file(char*);
+
+void	kauth(char *, char*);
+void	klist(void);
+void	cond_kdestroy(void);
+void	kdestroy(void);
+void	krbtkfile(const char *tkfile);
+void	afslog(const char *cell);
+void	afsunlog(void);
+
+int	find(char *);
+
+void	builtin_ls(FILE*, const char*);
+
+int	do_login(int code, char *passwd);
+int	klogin(char *name, char *password);
+
+const char *ftp_rooted(const char *path);
+
+extern struct sockaddr *ctrl_addr, *his_addr;
+extern char hostname[];
+
+extern	struct sockaddr *data_dest;
+extern	int logged_in;
+extern	struct passwd *pw;
+extern	int guest;
+extern	int logging;
+extern	int type;
+extern	int oobflag;
+extern off_t file_size;
+extern off_t byte_count;
+extern jmp_buf urgcatch;
+
+extern	int form;
+extern	int debug;
+extern	int ftpd_timeout;
+extern	int maxtimeout;
+extern  int pdata;
+extern	char hostname[], remotehost[];
+extern	char proctitle[];
+extern	int usedefault;
+extern  int transflag;
+extern  char tmpline[];
+
+#endif /* _EXTERN_H_ */
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
new file mode 100644
index 0000000..07ff9a5
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
@@ -0,0 +1,1455 @@
+/*	$NetBSD: ftpcmd.y,v 1.6 1995/06/03 22:46:45 mycroft Exp $	*/
+
+/*
+ * Copyright (c) 1985, 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftpcmd.y	8.3 (Berkeley) 4/6/94
+ */
+
+/*
+ * Grammar for FTP commands.
+ * See RFC 959.
+ */
+
+%{
+
+#include "ftpd_locl.h"
+RCSID("$Id: ftpcmd.y,v 1.56 1999/10/26 11:56:23 assar Exp $");
+
+off_t	restart_point;
+
+static	int cmd_type;
+static	int cmd_form;
+static	int cmd_bytesz;
+char	cbuf[2048];
+char	*fromname;
+
+struct tab {
+	char	*name;
+	short	token;
+	short	state;
+	short	implemented;	/* 1 if command is implemented */
+	char	*help;
+};
+
+extern struct tab cmdtab[];
+extern struct tab sitetab[];
+
+static char		*copy (char *);
+static void		 help (struct tab *, char *);
+static struct tab *
+			 lookup (struct tab *, char *);
+static void		 sizecmd (char *);
+static RETSIGTYPE	 toolong (int);
+static int		 yylex (void);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+	int	i;
+	char   *s;
+}
+
+%token
+	A	B	C	E	F	I
+	L	N	P	R	S	T
+
+	SP	CRLF	COMMA
+
+	USER	PASS	ACCT	REIN	QUIT	PORT
+	PASV	TYPE	STRU	MODE	RETR	STOR
+	APPE	MLFL	MAIL	MSND	MSOM	MSAM
+	MRSQ	MRCP	ALLO	REST	RNFR	RNTO
+	ABOR	DELE	CWD	LIST	NLST	SITE
+	sTAT	HELP	NOOP	MKD	RMD	PWD
+	CDUP	STOU	SMNT	SYST	SIZE	MDTM
+	EPRT	EPSV
+
+	UMASK	IDLE	CHMOD
+
+	AUTH	ADAT	PROT	PBSZ	CCC	MIC
+	CONF	ENC
+
+	KAUTH	KLIST	KDESTROY KRBTKFILE AFSLOG
+	LOCATE	URL
+
+	FEAT	OPTS
+
+	LEXERR
+
+%token	<s> STRING
+%token	<i> NUMBER
+
+%type	<i> check_login check_login_no_guest check_secure octal_number byte_size
+%type	<i> struct_code mode_code type_code form_code
+%type	<s> pathstring pathname password username
+
+%start	cmd_list
+
+%%
+
+cmd_list
+	: /* empty */
+	| cmd_list cmd
+		{
+			fromname = (char *) 0;
+			restart_point = (off_t) 0;
+		}
+	| cmd_list rcmd
+	;
+
+cmd
+	: USER SP username CRLF
+		{
+			user($3);
+			free($3);
+		}
+	| PASS SP password CRLF
+		{
+			pass($3);
+			memset ($3, 0, strlen($3));
+			free($3);
+		}
+	| PORT SP host_port CRLF
+		{
+			usedefault = 0;
+			if (pdata >= 0) {
+				close(pdata);
+				pdata = -1;
+			}
+			reply(200, "PORT command successful.");
+		}
+	| EPRT SP STRING CRLF
+		{
+			eprt ($3);
+			free ($3);
+		}
+	| PASV CRLF
+		{
+			pasv ();
+		}
+	| EPSV CRLF
+		{
+			epsv (NULL);
+		}
+	| EPSV SP STRING CRLF
+		{
+			epsv ($3);
+			free ($3);
+		}
+	| TYPE SP type_code CRLF
+		{
+			switch (cmd_type) {
+
+			case TYPE_A:
+				if (cmd_form == FORM_N) {
+					reply(200, "Type set to A.");
+					type = cmd_type;
+					form = cmd_form;
+				} else
+					reply(504, "Form must be N.");
+				break;
+
+			case TYPE_E:
+				reply(504, "Type E not implemented.");
+				break;
+
+			case TYPE_I:
+				reply(200, "Type set to I.");
+				type = cmd_type;
+				break;
+
+			case TYPE_L:
+#if NBBY == 8
+				if (cmd_bytesz == 8) {
+					reply(200,
+					    "Type set to L (byte size 8).");
+					type = cmd_type;
+				} else
+					reply(504, "Byte size must be 8.");
+#else /* NBBY == 8 */
+				UNIMPLEMENTED for NBBY != 8
+#endif /* NBBY == 8 */
+			}
+		}
+	| STRU SP struct_code CRLF
+		{
+			switch ($3) {
+
+			case STRU_F:
+				reply(200, "STRU F ok.");
+				break;
+
+			default:
+				reply(504, "Unimplemented STRU type.");
+			}
+		}
+	| MODE SP mode_code CRLF
+		{
+			switch ($3) {
+
+			case MODE_S:
+				reply(200, "MODE S ok.");
+				break;
+
+			default:
+				reply(502, "Unimplemented MODE type.");
+			}
+		}
+	| ALLO SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| ALLO SP NUMBER SP R SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| RETR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				retrieve(0, name);
+			if (name != NULL)
+				free(name);
+		}
+	| STOR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "w", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| APPE SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "a", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| NLST CRLF check_login
+		{
+			if ($3)
+				send_file_list(".");
+		}
+	| NLST SP STRING CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				send_file_list(name);
+			if (name != NULL)
+				free(name);
+		}
+	| LIST CRLF check_login
+		{
+		    if($3)
+			list_file(".");
+		}
+	| LIST SP pathname CRLF check_login
+		{
+		    if($5)
+			list_file($3);
+		    free($3);
+		}
+	| sTAT SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				statfilecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| sTAT CRLF
+		{
+		    if(oobflag){
+			if (file_size != (off_t) -1)
+			    reply(213, "Status: %lu of %lu bytes transferred",
+				  (unsigned long)byte_count, 
+				  (unsigned long)file_size);
+			else
+			    reply(213, "Status: %lu bytes transferred", 
+				  (unsigned long)byte_count);
+		    }else
+			statcmd();
+	}
+	| DELE SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				do_delete($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RNTO SP pathname CRLF check_login_no_guest
+		{
+			if($5){
+				if (fromname) {
+					renamecmd(fromname, $3);
+					free(fromname);
+					fromname = (char *) 0;
+				} else {
+					reply(503, "Bad sequence of commands.");
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| ABOR CRLF
+		{
+			if(oobflag){
+				reply(426, "Transfer aborted. Data connection closed.");
+				reply(226, "Abort successful");
+				oobflag = 0;
+				longjmp(urgcatch, 1);
+			}else
+				reply(225, "ABOR command successful.");
+		}
+	| CWD CRLF check_login
+		{
+			if ($3)
+				cwd(pw->pw_dir);
+		}
+	| CWD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				cwd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| HELP CRLF
+		{
+			help(cmdtab, (char *) 0);
+		}
+	| HELP SP STRING CRLF
+		{
+			char *cp = $3;
+
+			if (strncasecmp(cp, "SITE", 4) == 0) {
+				cp = $3 + 4;
+				if (*cp == ' ')
+					cp++;
+				if (*cp)
+					help(sitetab, cp);
+				else
+					help(sitetab, (char *) 0);
+			} else
+				help(cmdtab, $3);
+		}
+	| NOOP CRLF
+		{
+			reply(200, "NOOP command successful.");
+		}
+	| MKD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				makedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RMD SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				removedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| PWD CRLF check_login
+		{
+			if ($3)
+				pwd();
+		}
+	| CDUP CRLF check_login
+		{
+			if ($3)
+				cwd("..");
+		}
+	| FEAT CRLF
+		{
+			lreply(211, "Supported features:");
+			lreply(0, " MDTM");
+			lreply(0, " REST STREAM");
+			lreply(0, " SIZE");
+			reply(211, "End");
+		}
+	| OPTS SP STRING CRLF
+		{
+			free ($3);
+			reply(501, "Bad options");
+		}
+
+	| SITE SP HELP CRLF
+		{
+			help(sitetab, (char *) 0);
+		}
+	| SITE SP HELP SP STRING CRLF
+		{
+			help(sitetab, $5);
+		}
+	| SITE SP UMASK CRLF check_login
+		{
+			if ($5) {
+				int oldmask = umask(0);
+				umask(oldmask);
+				reply(200, "Current UMASK is %03o", oldmask);
+			}
+		}
+	| SITE SP UMASK SP octal_number CRLF check_login_no_guest
+		{
+			if ($7) {
+				if (($5 == -1) || ($5 > 0777)) {
+					reply(501, "Bad UMASK value");
+				} else {
+					int oldmask = umask($5);
+					reply(200,
+					      "UMASK set to %03o (was %03o)",
+					      $5, oldmask);
+				}
+			}
+		}
+	| SITE SP CHMOD SP octal_number SP pathname CRLF check_login_no_guest
+		{
+			if ($9 && $7 != NULL) {
+				if ($5 > 0777)
+					reply(501,
+				"CHMOD: Mode value must be between 0 and 0777");
+				else if (chmod($7, $5) < 0)
+					perror_reply(550, $7);
+				else
+					reply(200, "CHMOD command successful.");
+			}
+			if ($7 != NULL)
+				free($7);
+		}
+	| SITE SP IDLE CRLF
+		{
+			reply(200,
+			    "Current IDLE time limit is %d seconds; max %d",
+				ftpd_timeout, maxtimeout);
+		}
+	| SITE SP IDLE SP NUMBER CRLF
+		{
+			if ($5 < 30 || $5 > maxtimeout) {
+				reply(501,
+			"Maximum IDLE time must be between 30 and %d seconds",
+				    maxtimeout);
+			} else {
+				ftpd_timeout = $5;
+				alarm((unsigned) ftpd_timeout);
+				reply(200,
+				    "Maximum IDLE time set to %d seconds",
+				    ftpd_timeout);
+			}
+		}
+
+	| SITE SP KAUTH SP STRING CRLF check_login
+		{
+#ifdef KRB4
+			char *p;
+			
+			if(guest)
+				reply(500, "Can't be done as guest.");
+			else{
+				if($7 && $5 != NULL){
+				    p = strpbrk($5, " \t");
+				    if(p){
+					*p++ = 0;
+					kauth($5, p + strspn(p, " \t"));
+				    }else
+					kauth($5, NULL);
+				}
+			}
+			if($5 != NULL)
+			    free($5);
+#else
+			reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KLIST CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			klist();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KDESTROY CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			kdestroy();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KRBTKFILE SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7 && $5)
+			krbtkfile($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($5)
+			afslog(NULL);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7)
+			afslog($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP LOCATE SP STRING CRLF check_login
+		{
+		    if($7 && $5 != NULL)
+			find($5);
+		    if($5 != NULL)
+			free($5);
+		}
+	| SITE SP URL CRLF
+		{
+			reply(200, "http://www.pdc.kth.se/kth-krb/");
+		}
+	| STOU SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				do_store($3, "w", 1);
+			if ($3 != NULL)
+				free($3);
+		}
+	| SYST CRLF
+		{
+#if defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY)
+		    reply(215, "UNIX Type: L%d", NBBY);
+#else
+		    reply(215, "UNKNOWN Type: L%d", NBBY);
+#endif
+		}
+
+		/*
+		 * SIZE is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return size of file in a format suitable for
+		 * using with RESTART (we just count bytes).
+		 */
+	| SIZE SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				sizecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+
+		/*
+		 * MDTM is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return modification time of file as an ISO 3307
+		 * style time. E.g. YYYYMMDDHHMMSS or YYYYMMDDHHMMSS.xxx
+		 * where xxx is the fractional second (of any precision,
+		 * not necessarily 3 digits)
+		 */
+	| MDTM SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL) {
+				struct stat stbuf;
+				if (stat($3, &stbuf) < 0)
+					reply(550, "%s: %s",
+					    $3, strerror(errno));
+				else if (!S_ISREG(stbuf.st_mode)) {
+					reply(550,
+					      "%s: not a plain file.", $3);
+				} else {
+					struct tm *t;
+					t = gmtime(&stbuf.st_mtime);
+					reply(213,
+					      "%04d%02d%02d%02d%02d%02d",
+					      t->tm_year + 1900,
+					      t->tm_mon + 1,
+					      t->tm_mday,
+					      t->tm_hour,
+					      t->tm_min,
+					      t->tm_sec);
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| QUIT CRLF
+		{
+			reply(221, "Goodbye.");
+			dologout(0);
+		}
+	| error CRLF
+		{
+			yyerrok;
+		}
+	;
+rcmd
+	: RNFR SP pathname CRLF check_login_no_guest
+		{
+			restart_point = (off_t) 0;
+			if ($5 && $3) {
+				fromname = renamefrom($3);
+				if (fromname == (char *) 0 && $3) {
+					free($3);
+				}
+			}
+		}
+	| REST SP byte_size CRLF
+		{
+			fromname = (char *) 0;
+			restart_point = $3;	/* XXX $3 is only "int" */
+			reply(350, "Restarting at %ld. %s",
+			      (long)restart_point,
+			      "Send STORE or RETRIEVE to initiate transfer.");
+		}
+	| AUTH SP STRING CRLF
+		{
+			auth($3);
+			free($3);
+		}
+	| ADAT SP STRING CRLF
+		{
+			adat($3);
+			free($3);
+		}
+	| PBSZ SP NUMBER CRLF
+		{
+			pbsz($3);
+		}
+	| PROT SP STRING CRLF
+		{
+			prot($3);
+		}
+	| CCC CRLF
+		{
+			ccc();
+		}
+	| MIC SP STRING CRLF
+		{
+			mec($3, prot_safe);
+			free($3);
+		}
+	| CONF SP STRING CRLF
+		{
+			mec($3, prot_confidential);
+			free($3);
+		}
+	| ENC SP STRING CRLF
+		{
+			mec($3, prot_private);
+			free($3);
+		}
+	;
+
+username
+	: STRING
+	;
+
+password
+	: /* empty */
+		{
+			$$ = (char *)calloc(1, sizeof(char));
+		}
+	| STRING
+	;
+
+byte_size
+	: NUMBER
+	;
+
+host_port
+	: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
+		NUMBER COMMA NUMBER
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)data_dest;
+
+			sin->sin_family = AF_INET;
+			sin->sin_port = htons($9 * 256 + $11);
+			sin->sin_addr.s_addr = 
+			    htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7);
+		}
+	;
+
+form_code
+	: N
+		{
+			$$ = FORM_N;
+		}
+	| T
+		{
+			$$ = FORM_T;
+		}
+	| C
+		{
+			$$ = FORM_C;
+		}
+	;
+
+type_code
+	: A
+		{
+			cmd_type = TYPE_A;
+			cmd_form = FORM_N;
+		}
+	| A SP form_code
+		{
+			cmd_type = TYPE_A;
+			cmd_form = $3;
+		}
+	| E
+		{
+			cmd_type = TYPE_E;
+			cmd_form = FORM_N;
+		}
+	| E SP form_code
+		{
+			cmd_type = TYPE_E;
+			cmd_form = $3;
+		}
+	| I
+		{
+			cmd_type = TYPE_I;
+		}
+	| L
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = NBBY;
+		}
+	| L SP byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $3;
+		}
+		/* this is for a bug in the BBN ftp */
+	| L byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $2;
+		}
+	;
+
+struct_code
+	: F
+		{
+			$$ = STRU_F;
+		}
+	| R
+		{
+			$$ = STRU_R;
+		}
+	| P
+		{
+			$$ = STRU_P;
+		}
+	;
+
+mode_code
+	: S
+		{
+			$$ = MODE_S;
+		}
+	| B
+		{
+			$$ = MODE_B;
+		}
+	| C
+		{
+			$$ = MODE_C;
+		}
+	;
+
+pathname
+	: pathstring
+		{
+			/*
+			 * Problem: this production is used for all pathname
+			 * processing, but only gives a 550 error reply.
+			 * This is a valid reply in some cases but not in others.
+			 */
+			if (logged_in && $1 && *$1 == '~') {
+				glob_t gl;
+				int flags =
+				 GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+				memset(&gl, 0, sizeof(gl));
+				if (glob($1, flags, NULL, &gl) ||
+				    gl.gl_pathc == 0) {
+					reply(550, "not found");
+					$$ = NULL;
+				} else {
+					$$ = strdup(gl.gl_pathv[0]);
+				}
+				globfree(&gl);
+				free($1);
+			} else
+				$$ = $1;
+		}
+	;
+
+pathstring
+	: STRING
+	;
+
+octal_number
+	: NUMBER
+		{
+			int ret, dec, multby, digit;
+
+			/*
+			 * Convert a number that was read as decimal number
+			 * to what it would be if it had been read as octal.
+			 */
+			dec = $1;
+			multby = 1;
+			ret = 0;
+			while (dec) {
+				digit = dec%10;
+				if (digit > 7) {
+					ret = -1;
+					break;
+				}
+				ret += digit * multby;
+				multby *= 8;
+				dec /= 10;
+			}
+			$$ = ret;
+		}
+	;
+
+
+check_login_no_guest : check_login
+		{
+			$$ = $1 && !guest;
+			if($1 && !$$)
+				reply(550, "Permission denied");
+		}
+	;
+
+check_login : check_secure
+		{
+		    if($1) {
+			if(($$ = logged_in) == 0)
+			    reply(530, "Please login with USER and PASS.");
+		    } else
+			$$ = 0;
+		}
+	;
+
+check_secure : /* empty */
+		{
+		    $$ = 1;
+		    if(sec_complete && !secure_command()) {
+			$$ = 0;
+			reply(533, "Command protection level denied "
+			      "for paranoid reasons.");
+		    }
+		}
+	;
+
+%%
+
+extern jmp_buf errcatch;
+
+#define	CMD	0	/* beginning of command */
+#define	ARGS	1	/* expect miscellaneous arguments */
+#define	STR1	2	/* expect SP followed by STRING */
+#define	STR2	3	/* expect STRING */
+#define	OSTR	4	/* optional SP then STRING */
+#define	ZSTR1	5	/* SP then optional STRING */
+#define	ZSTR2	6	/* optional STRING after SP */
+#define	SITECMD	7	/* SITE command */
+#define	NSTR	8	/* Number followed by a string */
+
+struct tab cmdtab[] = {		/* In order defined in RFC 765 */
+	{ "USER", USER, STR1, 1,	"<sp> username" },
+	{ "PASS", PASS, ZSTR1, 1,	"<sp> password" },
+	{ "ACCT", ACCT, STR1, 0,	"(specify account)" },
+	{ "SMNT", SMNT, ARGS, 0,	"(structure mount)" },
+	{ "REIN", REIN, ARGS, 0,	"(reinitialize server state)" },
+	{ "QUIT", QUIT, ARGS, 1,	"(terminate service)", },
+	{ "PORT", PORT, ARGS, 1,	"<sp> b0, b1, b2, b3, b4" },
+	{ "EPRT", EPRT, STR1, 1,	"<sp> string" },
+	{ "PASV", PASV, ARGS, 1,	"(set server in passive mode)" },
+	{ "EPSV", EPSV, OSTR, 1,	"[<sp> foo]" },
+	{ "TYPE", TYPE, ARGS, 1,	"<sp> [ A | E | I | L ]" },
+	{ "STRU", STRU, ARGS, 1,	"(specify file structure)" },
+	{ "MODE", MODE, ARGS, 1,	"(specify transfer mode)" },
+	{ "RETR", RETR, STR1, 1,	"<sp> file-name" },
+	{ "STOR", STOR, STR1, 1,	"<sp> file-name" },
+	{ "APPE", APPE, STR1, 1,	"<sp> file-name" },
+	{ "MLFL", MLFL, OSTR, 0,	"(mail file)" },
+	{ "MAIL", MAIL, OSTR, 0,	"(mail to user)" },
+	{ "MSND", MSND, OSTR, 0,	"(mail send to terminal)" },
+	{ "MSOM", MSOM, OSTR, 0,	"(mail send to terminal or mailbox)" },
+	{ "MSAM", MSAM, OSTR, 0,	"(mail send to terminal and mailbox)" },
+	{ "MRSQ", MRSQ, OSTR, 0,	"(mail recipient scheme question)" },
+	{ "MRCP", MRCP, STR1, 0,	"(mail recipient)" },
+	{ "ALLO", ALLO, ARGS, 1,	"allocate storage (vacuously)" },
+	{ "REST", REST, ARGS, 1,	"<sp> offset (restart command)" },
+	{ "RNFR", RNFR, STR1, 1,	"<sp> file-name" },
+	{ "RNTO", RNTO, STR1, 1,	"<sp> file-name" },
+	{ "ABOR", ABOR, ARGS, 1,	"(abort operation)" },
+	{ "DELE", DELE, STR1, 1,	"<sp> file-name" },
+	{ "CWD",  CWD,  OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "XCWD", CWD,	OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "LIST", LIST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "NLST", NLST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "SITE", SITE, SITECMD, 1,	"site-cmd [ <sp> arguments ]" },
+	{ "SYST", SYST, ARGS, 1,	"(get type of operating system)" },
+	{ "STAT", sTAT, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+	{ "NOOP", NOOP, ARGS, 1,	"" },
+	{ "MKD",  MKD,  STR1, 1,	"<sp> path-name" },
+	{ "XMKD", MKD,  STR1, 1,	"<sp> path-name" },
+	{ "RMD",  RMD,  STR1, 1,	"<sp> path-name" },
+	{ "XRMD", RMD,  STR1, 1,	"<sp> path-name" },
+	{ "PWD",  PWD,  ARGS, 1,	"(return current directory)" },
+	{ "XPWD", PWD,  ARGS, 1,	"(return current directory)" },
+	{ "CDUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "XCUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "STOU", STOU, STR1, 1,	"<sp> file-name" },
+	{ "SIZE", SIZE, OSTR, 1,	"<sp> path-name" },
+	{ "MDTM", MDTM, OSTR, 1,	"<sp> path-name" },
+
+	/* extensions from RFC2228 */
+	{ "AUTH", AUTH,	STR1, 1,	"<sp> auth-type" },
+	{ "ADAT", ADAT,	STR1, 1,	"<sp> auth-data" },
+	{ "PBSZ", PBSZ,	ARGS, 1,	"<sp> buffer-size" },
+	{ "PROT", PROT,	STR1, 1,	"<sp> prot-level" },
+	{ "CCC",  CCC,	ARGS, 1,	"" },
+	{ "MIC",  MIC,	STR1, 1,	"<sp> integrity command" },
+	{ "CONF", CONF,	STR1, 1,	"<sp> confidentiality command" },
+	{ "ENC",  ENC,	STR1, 1,	"<sp> privacy command" },
+
+	/* RFC2389 */
+	{ "FEAT", FEAT, ARGS, 1,	"" },
+	{ "OPTS", OPTS, ARGS, 1,	"<sp> command [<sp> options]" },
+
+	{ NULL,   0,    0,    0,	0 }
+};
+
+struct tab sitetab[] = {
+	{ "UMASK", UMASK, ARGS, 1,	"[ <sp> umask ]" },
+	{ "IDLE", IDLE, ARGS, 1,	"[ <sp> maximum-idle-time ]" },
+	{ "CHMOD", CHMOD, NSTR, 1,	"<sp> mode <sp> file-name" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+
+	{ "KAUTH", KAUTH, STR1, 1,	"<sp> principal [ <sp> ticket ]" },
+	{ "KLIST", KLIST, ARGS, 1,	"(show ticket file)" },
+	{ "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" },
+	{ "KRBTKFILE", KRBTKFILE, STR1, 1, "<sp> ticket-file" },
+	{ "AFSLOG", AFSLOG, OSTR, 1,	"[<sp> cell]" },
+
+	{ "LOCATE", LOCATE, STR1, 1,	"<sp> globexpr" },
+	{ "FIND", LOCATE, STR1, 1,	"<sp> globexpr" },
+
+	{ "URL",  URL,  ARGS, 1,	"?" },
+	
+	{ NULL,   0,    0,    0,	0 }
+};
+
+static struct tab *
+lookup(struct tab *p, char *cmd)
+{
+
+	for (; p->name != NULL; p++)
+		if (strcmp(cmd, p->name) == 0)
+			return (p);
+	return (0);
+}
+
+/*
+ * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes.
+ */
+char *
+ftpd_getline(char *s, int n)
+{
+	int c;
+	char *cs;
+
+	cs = s;
+/* tmpline may contain saved command from urgent mode interruption */
+	if(ftp_command){
+	  strlcpy(s, ftp_command, n);
+	  if (debug)
+	    syslog(LOG_DEBUG, "command: %s", s);
+#ifdef XXX
+	  fprintf(stderr, "%s\n", s);
+#endif
+	  return s;
+	}
+	while ((c = getc(stdin)) != EOF) {
+		c &= 0377;
+		if (c == IAC) {
+		    if ((c = getc(stdin)) != EOF) {
+			c &= 0377;
+			switch (c) {
+			case WILL:
+			case WONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, DONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case DO:
+			case DONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, WONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case IAC:
+				break;
+			default:
+				continue;	/* ignore command */
+			}
+		    }
+		}
+		*cs++ = c;
+		if (--n <= 0 || c == '\n')
+			break;
+	}
+	if (c == EOF && cs == s)
+		return (NULL);
+	*cs++ = '\0';
+	if (debug) {
+		if (!guest && strncasecmp("pass ", s, 5) == 0) {
+			/* Don't syslog passwords */
+			syslog(LOG_DEBUG, "command: %.5s ???", s);
+		} else {
+			char *cp;
+			int len;
+
+			/* Don't syslog trailing CR-LF */
+			len = strlen(s);
+			cp = s + len - 1;
+			while (cp >= s && (*cp == '\n' || *cp == '\r')) {
+				--cp;
+				--len;
+			}
+			syslog(LOG_DEBUG, "command: %.*s", len, s);
+		}
+	}
+#ifdef XXX
+	fprintf(stderr, "%s\n", s);
+#endif
+	return (s);
+}
+
+static RETSIGTYPE
+toolong(int signo)
+{
+
+	reply(421,
+	    "Timeout (%d seconds): closing control connection.",
+	      ftpd_timeout);
+	if (logging)
+		syslog(LOG_INFO, "User %s timed out after %d seconds",
+		    (pw ? pw -> pw_name : "unknown"), ftpd_timeout);
+	dologout(1);
+	SIGRETURN(0);
+}
+
+static int
+yylex(void)
+{
+	static int cpos, state;
+	char *cp, *cp2;
+	struct tab *p;
+	int n;
+	char c;
+
+	for (;;) {
+		switch (state) {
+
+		case CMD:
+			signal(SIGALRM, toolong);
+			alarm((unsigned) ftpd_timeout);
+			if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) {
+				reply(221, "You could at least say goodbye.");
+				dologout(0);
+			}
+			alarm(0);
+#ifdef HAVE_SETPROCTITLE
+			if (strncasecmp(cbuf, "PASS", 4) != NULL)
+				setproctitle("%s: %s", proctitle, cbuf);
+#endif /* HAVE_SETPROCTITLE */
+			if ((cp = strchr(cbuf, '\r'))) {
+				*cp++ = '\n';
+				*cp = '\0';
+			}
+			if ((cp = strpbrk(cbuf, " \n")))
+				cpos = cp - cbuf;
+			if (cpos == 0)
+				cpos = 4;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cbuf);
+			p = lookup(cmdtab, cbuf);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			break;
+
+		case SITECMD:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			cp = &cbuf[cpos];
+			if ((cp2 = strpbrk(cp, " \n")))
+				cpos = cp2 - cbuf;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cp);
+			p = lookup(sitetab, cp);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					state = CMD;
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			state = CMD;
+			break;
+
+		case OSTR:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR1:
+		case ZSTR1:
+		dostr1:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				if(state == OSTR)
+				    state = STR2;
+				else
+				    state++;
+				return (SP);
+			}
+			break;
+
+		case ZSTR2:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR2:
+			cp = &cbuf[cpos];
+			n = strlen(cp);
+			cpos += n - 1;
+			/*
+			 * Make sure the string is nonempty and \n terminated.
+			 */
+			if (n > 1 && cbuf[cpos] == '\n') {
+				cbuf[cpos] = '\0';
+				yylval.s = copy(cp);
+				cbuf[cpos] = '\n';
+				state = ARGS;
+				return (STRING);
+			}
+			break;
+
+		case NSTR:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				state = STR1;
+				return (NUMBER);
+			}
+			state = STR1;
+			goto dostr1;
+
+		case ARGS:
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				return (NUMBER);
+			}
+			switch (cbuf[cpos++]) {
+
+			case '\n':
+				state = CMD;
+				return (CRLF);
+
+			case ' ':
+				return (SP);
+
+			case ',':
+				return (COMMA);
+
+			case 'A':
+			case 'a':
+				return (A);
+
+			case 'B':
+			case 'b':
+				return (B);
+
+			case 'C':
+			case 'c':
+				return (C);
+
+			case 'E':
+			case 'e':
+				return (E);
+
+			case 'F':
+			case 'f':
+				return (F);
+
+			case 'I':
+			case 'i':
+				return (I);
+
+			case 'L':
+			case 'l':
+				return (L);
+
+			case 'N':
+			case 'n':
+				return (N);
+
+			case 'P':
+			case 'p':
+				return (P);
+
+			case 'R':
+			case 'r':
+				return (R);
+
+			case 'S':
+			case 's':
+				return (S);
+
+			case 'T':
+			case 't':
+				return (T);
+
+			}
+			break;
+
+		default:
+			fatal("Unknown state in scanner.");
+		}
+		yyerror((char *) 0);
+		state = CMD;
+		longjmp(errcatch,0);
+	}
+}
+
+static char *
+copy(char *s)
+{
+	char *p;
+
+	p = strdup(s);
+	if (p == NULL)
+		fatal("Ran out of memory.");
+	return p;
+}
+
+static void
+help(struct tab *ctab, char *s)
+{
+	struct tab *c;
+	int width, NCMDS;
+	char *type;
+	char buf[1024];
+
+	if (ctab == sitetab)
+		type = "SITE ";
+	else
+		type = "";
+	width = 0, NCMDS = 0;
+	for (c = ctab; c->name != NULL; c++) {
+		int len = strlen(c->name);
+
+		if (len > width)
+			width = len;
+		NCMDS++;
+	}
+	width = (width + 8) &~ 7;
+	if (s == 0) {
+		int i, j, w;
+		int columns, lines;
+
+		lreply(214, "The following %scommands are recognized %s.",
+		    type, "(* =>'s unimplemented)");
+		columns = 76 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+		    strlcpy (buf, "   ", sizeof(buf));
+		    for (j = 0; j < columns; j++) {
+			c = ctab + j * lines + i;
+			snprintf (buf + strlen(buf),
+				  sizeof(buf) - strlen(buf),
+				  "%s%c",
+				  c->name,
+				  c->implemented ? ' ' : '*');
+			if (c + lines >= &ctab[NCMDS])
+			    break;
+			w = strlen(c->name) + 1;
+			while (w < width) {
+			    strlcat (buf,
+					     " ",
+					     sizeof(buf));
+			    w++;
+			}
+		    }
+		    lreply(214, "%s", buf);
+		}
+		reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se");
+		return;
+	}
+	strupr(s);
+	c = lookup(ctab, s);
+	if (c == (struct tab *)0) {
+		reply(502, "Unknown command %s.", s);
+		return;
+	}
+	if (c->implemented)
+		reply(214, "Syntax: %s%s %s", type, c->name, c->help);
+	else
+		reply(214, "%s%-*s\t%s; unimplemented.", type, width,
+		    c->name, c->help);
+}
+
+static void
+sizecmd(char *filename)
+{
+	switch (type) {
+	case TYPE_L:
+	case TYPE_I: {
+		struct stat stbuf;
+		if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode))
+			reply(550, "%s: not a plain file.", filename);
+		else
+			reply(213, "%lu", (unsigned long)stbuf.st_size);
+		break;
+	}
+	case TYPE_A: {
+		FILE *fin;
+		int c;
+		size_t count;
+		struct stat stbuf;
+		fin = fopen(filename, "r");
+		if (fin == NULL) {
+			perror_reply(550, filename);
+			return;
+		}
+		if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+			reply(550, "%s: not a plain file.", filename);
+			fclose(fin);
+			return;
+		}
+
+		count = 0;
+		while((c=getc(fin)) != EOF) {
+			if (c == '\n')	/* will get expanded to \r\n */
+				count++;
+			count++;
+		}
+		fclose(fin);
+
+		reply(213, "%lu", (unsigned long)count);
+		break;
+	}
+	default:
+		reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
new file mode 100644
index 0000000..c51de1c
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
@@ -0,0 +1,473 @@
+.\"	$NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
+.\"
+.\" Copyright (c) 1985, 1988, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)ftpd.8	8.2 (Berkeley) 4/19/94
+.\"
+.Dd April 19, 1997
+.Dt FTPD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm ftpd
+.Nd
+Internet File Transfer Protocol server
+.Sh SYNOPSIS
+.Nm ftpd
+.Op Fl a Ar authmode
+.Op Fl dilv
+.Op Fl g Ar umask
+.Op Fl p Ar port 
+.Op Fl T Ar maxtimeout
+.Op Fl t Ar timeout
+.Op Fl u Ar default umask
+.Sh DESCRIPTION
+.Nm Ftpd
+is the
+Internet File Transfer Protocol
+server process.  The server uses the
+.Tn TCP
+protocol
+and listens at the port specified in the
+.Dq ftp
+service specification; see
+.Xr services 5 .
+.Pp
+Available options:
+.Bl -tag -width Ds
+.It Fl a
+Select the level of authentication required.  Kerberised login can not
+be turned off. The default is to only allow kerberised login.  Other
+possibilities can be turned on by giving a string of comma separated
+flags as argument to
+.Fl a .
+Recognised flags are:
+.Bl -tag -width plain
+.It Ar plain
+Allow logging in with plaintext password. The password can be a(n) OTP
+or an ordinary password.
+.It Ar otp
+Same as
+.Ar plain ,
+but only OTP is allowed.
+.It Ar ftp
+Allow anonymous login.
+.El
+
+The following combination modes exists for backwards compatibility:
+.Bl -tag -width plain
+.It Ar none
+Same as
+.Ar plain,ftp .
+.It Ar safe
+Same as 
+.Ar ftp .
+.It Ar user
+Ignored.
+.El
+.It Fl d
+Debugging information is written to the syslog using LOG_FTP.
+.It Fl g
+Anonymous users will get a umask of
+.Ar umask .
+.It Fl i
+Open a socket and wait for a connection. This is mainly used for
+debugging when ftpd isn't started by inetd.
+.It Fl l
+Each successful and failed 
+.Xr ftp 1
+session is logged using syslog with a facility of LOG_FTP.
+If this option is specified twice, the retrieve (get), store (put), append,
+delete, make directory, remove directory and rename operations and
+their filename arguments are also logged.
+.It Fl p
+Use
+.Ar port
+(a service name or number) instead of the default 
+.Ar ftp/tcp .
+.It Fl T
+A client may also request a different timeout period;
+the maximum period allowed may be set to
+.Ar timeout
+seconds with the
+.Fl T
+option.
+The default limit is 2 hours.
+.It Fl t
+The inactivity timeout period is set to
+.Ar timeout
+seconds (the default is 15 minutes).
+.It Fl u
+Set the initial umask to something else than the default 027.
+.It Fl v
+Verbose mode.
+.El
+.Pp
+The file
+.Pa /etc/nologin
+can be used to disable ftp access.
+If the file exists,
+.Nm
+displays it and exits.
+If the file
+.Pa /etc/ftpwelcome
+exists,
+.Nm
+prints it before issuing the 
+.Dq ready
+message.
+If the file
+.Pa /etc/motd
+exists,
+.Nm
+prints it after a successful login.
+.Pp
+The ftp server currently supports the following ftp requests.
+The case of the requests is ignored.
+.Bl -column "Request" -offset indent
+.It Request Ta "Description"
+.It ABOR Ta "abort previous command"
+.It ACCT Ta "specify account (ignored)"
+.It ALLO Ta "allocate storage (vacuously)"
+.It APPE Ta "append to a file"
+.It CDUP Ta "change to parent of current working directory"
+.It CWD Ta "change working directory"
+.It DELE Ta "delete a file"
+.It HELP Ta "give help information"
+.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
+.It MKD Ta "make a directory"
+.It MDTM Ta "show last modification time of file"
+.It MODE Ta "specify data transfer" Em mode
+.It NLST Ta "give name list of files in directory"
+.It NOOP Ta "do nothing"
+.It PASS Ta "specify password"
+.It PASV Ta "prepare for server-to-server transfer"
+.It PORT Ta "specify data connection port"
+.It PWD Ta "print the current working directory"
+.It QUIT Ta "terminate session"
+.It REST Ta "restart incomplete transfer"
+.It RETR Ta "retrieve a file"
+.It RMD Ta "remove a directory"
+.It RNFR Ta "specify rename-from file name"
+.It RNTO Ta "specify rename-to file name"
+.It SITE Ta "non-standard commands (see next section)"
+.It SIZE Ta "return size of file"
+.It STAT Ta "return status of server"
+.It STOR Ta "store a file"
+.It STOU Ta "store a file with a unique name"
+.It STRU Ta "specify data transfer" Em structure
+.It SYST Ta "show operating system type of server system"
+.It TYPE Ta "specify data transfer" Em type
+.It USER Ta "specify user name"
+.It XCUP Ta "change to parent of current working directory (deprecated)"
+.It XCWD Ta "change working directory (deprecated)"
+.It XMKD Ta "make a directory (deprecated)"
+.It XPWD Ta "print the current working directory (deprecated)"
+.It XRMD Ta "remove a directory (deprecated)"
+.El
+.Pp
+The following commands are specified by RFC2228.
+.Bl -column Request -offset indent
+.It AUTH Ta "authentication/security mechanism"
+.It ADAT Ta "authentication/security data"
+.It PROT Ta "data channel protection level"
+.It PBSZ Ta "protection buffer size"
+.It MIC Ta "integrity protected command"
+.It CONF Ta "confidentiality protected command"
+.It ENC Ta "privacy protected command"
+.It CCC Ta "clear command channel"
+.El
+.Pp
+The following non-standard or
+.Tn UNIX
+specific commands are supported
+by the
+SITE request.
+.Pp
+.Bl -column Request -offset indent
+.It UMASK Ta change umask, (e.g. 
+.Ic "SITE UMASK 002" )
+.It IDLE Ta set idle-timer, (e.g. 
+.Ic "SITE IDLE 60" )
+.It CHMOD Ta change mode of a file (e.g. 
+.Ic "SITE CHMOD 755 filename" )
+.It FIND Ta quickly find a specific file with GNU 
+.Xr locate 1 .
+.It HELP Ta give help information.
+.El
+.Pp
+The following Kerberos related site commands are understood.
+.Bl -column Request -offset indent
+.It KAUTH Ta obtain remote tickets.
+.It KLIST Ta show remote tickets
+.El
+.Pp
+The remaining ftp requests specified in Internet RFC 959
+are
+recognized, but not implemented.
+MDTM and SIZE are not specified in RFC 959, but will appear in the
+next updated FTP RFC.
+.Pp
+The ftp server will abort an active file transfer only when the
+ABOR
+command is preceded by a Telnet "Interrupt Process" (IP)
+signal and a Telnet "Synch" signal in the command Telnet stream,
+as described in Internet RFC 959.
+If a
+STAT
+command is received during a data transfer, preceded by a Telnet IP
+and Synch, transfer status will be returned.
+.Pp
+.Nm Ftpd
+interprets file names according to the
+.Dq globbing
+conventions used by
+.Xr csh 1 .
+This allows users to utilize the metacharacters
+.Dq Li \&*?[]{}~ .
+.Pp
+.Nm Ftpd
+authenticates users according to these rules. 
+.Pp
+.Bl -enum -offset indent
+.It
+If Kerberos authentication is used, the user must pass valid tickets
+and the principal must be allowed to login as the remote user.
+.It
+The login name must be in the password data base, and not have a null
+password (if kerberos is used the password field is not checked).  In
+this case a password must be provided by the client before any file
+operations may be performed.  If the user has an OTP key, the response
+from a successful USER command will include an OTP challenge. The
+client may choose to respond with a PASS command giving either a
+standard password or an OTP one-time password. The server will
+automatically determine which type of password it has been given and
+attempt to authenticate accordingly. See
+.Xr otp 1
+for more information on OTP authentication.
+.It
+The login name must not appear in the file
+.Pa /etc/ftpusers .
+.It
+The user must have a standard shell returned by 
+.Xr getusershell 3 .
+.It
+If the user name appears in the file
+.Pa /etc/ftpchroot
+the session's root will be changed to the user's login directory by
+.Xr chroot 2
+as for an
+.Dq anonymous
+or
+.Dq ftp
+account (see next item).  However, the user must still supply a password.
+This feature is intended as a compromise between a fully anonymous account 
+and a fully privileged account.  The account should also be set up as for an
+anonymous account.
+.It
+If the user name is
+.Dq anonymous
+or
+.Dq ftp ,
+an
+anonymous ftp account must be present in the password
+file (user
+.Dq ftp ) .
+In this case the user is allowed
+to log in by specifying any password (by convention an email address for
+the user should be used as the password).
+.El
+.Pp
+In the last case, 
+.Nm ftpd
+takes special measures to restrict the client's access privileges.
+The server performs a 
+.Xr chroot 2
+to the home directory of the
+.Dq ftp
+user.
+In order that system security is not breached, it is recommended
+that the
+.Dq ftp
+subtree be constructed with care, consider following these guidelines
+for anonymous ftp.
+
+In general all files should be owned by
+.Dq root ,
+and have non-write permissions (644 or 755 depending on the kind of
+file). No files should be owned or writable by
+.Dq ftp
+(possibly with exception for the
+.Pa ~ftp/incoming ,
+as specified below).
+.Bl -tag -width "~ftp/pub" -offset indent
+.It Pa ~ftp
+The 
+.Dq ftp
+homedirectory should be owned by root.
+.It Pa ~ftp/bin
+The directory for external programs (such as 
+.Xr ls 1 ) .
+These programs must either be statically linked, or you must setup an
+environment for dynamic linking when running chrooted.  
+These programs will be used if present:
+.Bl -tag -width "locate" -offset indent
+.It ls
+Used when listing files.
+.It compress
+When retrieving a filename that ends in
+.Pa .Z ,
+and that file isn't present,
+.Nm
+will try to find the filename without
+.Pa .Z
+and compress it on the fly.
+.It gzip
+Same as compress, just with files ending in
+.Pa .gz .
+.It gtar
+Enables retrieval of whole directories as files ending in
+.Pa .tar .
+Can also be combined with compression. You must use GNU Tar (or some
+other that supports the
+.Fl z 
+and
+.Fl Z
+flags).
+.It locate
+Will enable ``fast find'' with the 
+.Ic SITE FIND
+command. You must also create a 
+.Pa locatedb
+file in 
+.Pa ~ftp/etc .
+.El
+.It Pa ~ftp/etc
+If you put copies of the
+.Xr passwd 5
+and 
+.Xr group 5
+files here, ls will be able to produce owner names rather than
+numbers. Remember to remove any passwords from these files.  
+
+The file
+.Pa motd ,
+if present, will be printed after a successful login.
+.It Pa ~ftp/dev 
+Put a copy of
+.Xr /dev/null 7
+here.
+.It Pa ~ftp/pub
+Traditional place to put whatever you want to make public.
+.El
+
+If you want guests to be able to upload files, create a
+.Pa ~ftp/incoming
+directory owned by 
+.Dq root ,
+and group
+.Dq ftp
+with mode 730 (make sure 
+.Dq ftp 
+is member of group
+.Dq ftp ) .
+The following restrictions apply to anonymous users:
+.Bl -bullet
+.It
+Directories created will have mode 700.
+.It
+Uploaded files will be created with an umask of 777, if not changed
+with the
+.Fl g
+option.
+.It
+These command are not accessible: 
+.Ic DELE , RMD , RNTO , RNFR , 
+.Ic SITE UMASK ,
+and
+.Ic SITE CHMOD .
+.It
+Filenames must start with an alpha-numeric character, and consist of
+alpha-numeric characters or any of the following: 
+.Li \&+  
+(plus),
+.Li \&-  
+(minus),
+.Li \&=  
+(equal),
+.Li \&_  
+(underscore),
+.Li \&.  
+(period), and
+.Li \&,  
+(comma).
+.El
+.Sh FILES
+.Bl -tag -width /etc/ftpwelcome -compact
+.It Pa /etc/ftpusers
+Access list for users.
+.It Pa /etc/ftpchroot
+List of normal users who should be chroot'd.
+.It Pa /etc/ftpwelcome
+Welcome notice.
+.It Pa /etc/motd
+Welcome notice after login.
+.It Pa /etc/nologin
+Displayed and access refused.
+.It Pa ~/.klogin
+Login access for Kerberos.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr otp 1 ,
+.Xr getusershell 3 ,
+.Xr ftpusers 5 ,
+.Xr syslogd 8 ,
+.Sh STANDARDS
+.Bl -tag -compact -width "RFC 1938"
+.It Cm RFC 959
+FTP PROTOCOL SPECIFICATION
+.It Cm RFC 1938
+OTP Specification
+.It Cm RFC 2228
+FTP Security Extensions.
+.Sh BUGS
+The server must run as the super-user
+to create sockets with privileged port numbers.  It maintains
+an effective user id of the logged in user, reverting to
+the super-user only when binding addresses to sockets.  The
+possible security holes have been extensively
+scrutinized, but are possibly incomplete.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.c b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
new file mode 100644
index 0000000..8c5ddf3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
@@ -0,0 +1,2249 @@
+/*
+ * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define	FTP_NAMES
+#include "ftpd_locl.h"
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include "getarg.h"
+
+RCSID("$Id: ftpd.c,v 1.137 2000/01/05 13:46:04 joda Exp $");
+
+static char version[] = "Version 6.00";
+
+extern	off_t restart_point;
+extern	char cbuf[];
+
+struct  sockaddr_storage ctrl_addr_ss;
+struct  sockaddr *ctrl_addr = (struct sockaddr *)&ctrl_addr_ss;
+
+struct  sockaddr_storage data_source_ss;
+struct  sockaddr *data_source = (struct sockaddr *)&data_source_ss;
+
+struct  sockaddr_storage data_dest_ss;
+struct  sockaddr *data_dest = (struct sockaddr *)&data_dest_ss;
+
+struct  sockaddr_storage his_addr_ss;
+struct  sockaddr *his_addr = (struct sockaddr *)&his_addr_ss;
+
+struct  sockaddr_storage pasv_addr_ss;
+struct  sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss;
+
+int	data;
+jmp_buf	errcatch, urgcatch;
+int	oobflag;
+int	logged_in;
+struct	passwd *pw;
+int	debug = 0;
+int	ftpd_timeout = 900;    /* timeout after 15 minutes of inactivity */
+int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
+int	logging;
+int	guest;
+int	dochroot;
+int	type;
+int	form;
+int	stru;			/* avoid C keyword */
+int	mode;
+int	usedefault = 1;		/* for data transfers */
+int	pdata = -1;		/* for passive mode */
+int	transflag;
+off_t	file_size;
+off_t	byte_count;
+#if !defined(CMASK) || CMASK == 0
+#undef CMASK
+#define CMASK 027
+#endif
+int	defumask = CMASK;		/* default umask value */
+int	guest_umask = 0777;	/* Paranoia for anonymous users */
+char	tmpline[10240];
+char	hostname[MaxHostNameLen];
+char	remotehost[MaxHostNameLen];
+static char ttyline[20];
+
+#define AUTH_PLAIN	(1 << 0) /* allow sending passwords */
+#define AUTH_OTP	(1 << 1) /* passwords are one-time */
+#define AUTH_FTP	(1 << 2) /* allow anonymous login */
+
+static int auth_level = 0; /* Only allow kerberos login by default */
+
+/*
+ * Timeout intervals for retrying connections
+ * to hosts that don't accept PORT cmds.  This
+ * is a kludge, but given the problems with TCP...
+ */
+#define	SWAITMAX	90	/* wait at most 90 seconds */
+#define	SWAITINT	5	/* interval between retries */
+
+int	swaitmax = SWAITMAX;
+int	swaitint = SWAITINT;
+
+#ifdef HAVE_SETPROCTITLE
+char	proctitle[BUFSIZ];	/* initial part of title */
+#endif /* HAVE_SETPROCTITLE */
+
+#define LOGCMD(cmd, file) \
+	if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s", cmd, \
+		*(file) == '/' ? "" : curdir(), file);
+#define LOGCMD2(cmd, file1, file2) \
+	 if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s %s%s", cmd, \
+		*(file1) == '/' ? "" : curdir(), file1, \
+		*(file2) == '/' ? "" : curdir(), file2);
+#define LOGBYTES(cmd, file, cnt) \
+	if (logging > 1) { \
+		if (cnt == (off_t)-1) \
+		    syslog(LOG_INFO,"%s %s%s", cmd, \
+			*(file) == '/' ? "" : curdir(), file); \
+		else \
+		    syslog(LOG_INFO, "%s %s%s = %ld bytes", \
+			cmd, (*(file) == '/') ? "" : curdir(), file, (long)cnt); \
+	}
+
+static void	 ack (char *);
+static void	 myoob (int);
+static int	 checkuser (char *, char *);
+static int	 checkaccess (char *);
+static FILE	*dataconn (const char *, off_t, const char *);
+static void	 dolog (struct sockaddr *sa, int len);
+static void	 end_login (void);
+static FILE	*getdatasock (const char *);
+static char	*gunique (char *);
+static RETSIGTYPE	 lostconn (int);
+static int	 receive_data (FILE *, FILE *);
+static void	 send_data (FILE *, FILE *);
+static struct passwd * sgetpwnam (char *);
+
+static char *
+curdir(void)
+{
+	static char path[MaxPathLen+1];	/* path + '/' + '\0' */
+
+	if (getcwd(path, sizeof(path)-1) == NULL)
+		return ("");
+	if (path[1] != '\0')		/* special case for root dir. */
+		strlcat(path, "/", sizeof(path));
+	/* For guest account, skip / since it's chrooted */
+	return (guest ? path+1 : path);
+}
+
+#ifndef LINE_MAX
+#define LINE_MAX 1024
+#endif
+
+static int
+parse_auth_level(char *str)
+{
+    char *p;
+    int ret = 0;
+    char *foo = NULL;
+
+    for(p = strtok_r(str, ",", &foo);
+	p;
+	p = strtok_r(NULL, ",", &foo)) {
+	if(strcmp(p, "user") == 0)
+	    ;
+#ifdef OTP
+	else if(strcmp(p, "otp") == 0)
+	    ret |= AUTH_PLAIN|AUTH_OTP;
+#endif
+	else if(strcmp(p, "ftp") == 0 ||
+		strcmp(p, "safe") == 0)
+	    ret |= AUTH_FTP;
+	else if(strcmp(p, "plain") == 0)
+	    ret |= AUTH_PLAIN;
+	else if(strcmp(p, "none") == 0)
+	    ret |= AUTH_PLAIN|AUTH_FTP;
+	else
+	    warnx("bad value for -a: `%s'", p);
+    }
+    return ret;	    
+}
+
+/*
+ * Print usage and die.
+ */
+
+static int debug_flag;
+static int interactive_flag;
+static char *guest_umask_string;
+static char *port_string;
+static char *umask_string;
+static char *auth_string;
+
+int use_builtin_ls = -1;
+
+static int help_flag;
+static int version_flag;
+
+struct getargs args[] = {
+    { NULL, 'a', arg_string, &auth_string, "required authentication" },
+    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
+    { NULL, 'p', arg_string, &port_string, "what port to listen to" },
+    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" },
+    { NULL, 'l', arg_counter, &logging, "log more stuff", "" },
+    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
+    { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
+    { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
+    { NULL, 'd', arg_flag, &debug_flag, "enable debugging" },
+    { NULL, 'v', arg_flag, &debug_flag, "enable debugging" },
+    { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int code)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit (code);
+}
+
+/* output contents of a file */
+static int
+show_file(const char *file, int code)
+{
+    FILE *f;
+    char buf[128];
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return -1;
+    while(fgets(buf, sizeof(buf), f)){
+	buf[strcspn(buf, "\r\n")] = '\0';
+	lreply(code, "%s", buf);
+    }
+    fclose(f);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int his_addr_len, ctrl_addr_len, on = 1, tos;
+    char *cp, line[LINE_MAX];
+    FILE *fd;
+    int port;
+    struct servent *sp;
+
+    int optind = 0;
+
+    set_progname (argv[0]);
+
+#ifdef KRB4
+    /* detach from any tickets and tokens */
+    {
+	char tkfile[1024];
+	snprintf(tkfile, sizeof(tkfile),
+		 "/tmp/ftp_%u", (unsigned)getpid());
+	krb_set_tkt_string(tkfile);
+	if(k_hasafs())
+	    k_setpag();
+    }
+#endif
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+	
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(auth_string)
+	auth_level = parse_auth_level(auth_string);
+    {
+	char *p;
+	long val = 0;
+	    
+	if(guest_umask_string) {
+	    val = strtol(guest_umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -g");
+	    else
+		guest_umask = val;
+	}
+	if(umask_string) {
+	    val = strtol(umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -u");
+	    else
+		defumask = val;
+	}
+    }
+    if(port_string) {
+	sp = getservbyname(port_string, "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    if(isdigit(port_string[0]))
+		port = htons(atoi(port_string));
+	    else
+		warnx("bad value for -p");
+    } else {
+	sp = getservbyname("ftp", "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    port = htons(21);
+    }
+		    
+    if (maxtimeout < ftpd_timeout)
+	maxtimeout = ftpd_timeout;
+
+#if 0
+    if (ftpd_timeout > maxtimeout)
+	ftpd_timeout = maxtimeout;
+#endif
+
+    if(interactive_flag)
+	mini_inetd (port);
+
+    /*
+     * LOG_NDELAY sets up the logging connection immediately,
+     * necessary for anonymous ftp's that chroot and can't do it later.
+     */
+    openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
+    his_addr_len = sizeof(his_addr_ss);
+    if (getpeername(STDIN_FILENO, his_addr, &his_addr_len) < 0) {
+	syslog(LOG_ERR, "getpeername (%s): %m",argv[0]);
+	exit(1);
+    }
+    ctrl_addr_len = sizeof(ctrl_addr_ss);
+    if (getsockname(STDIN_FILENO, ctrl_addr, &ctrl_addr_len) < 0) {
+	syslog(LOG_ERR, "getsockname (%s): %m",argv[0]);
+	exit(1);
+    }
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    tos = IPTOS_LOWDELAY;
+    if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+		   (void *)&tos, sizeof(int)) < 0)
+	syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+#endif
+    data_source->sa_family = ctrl_addr->sa_family;
+    socket_set_port (data_source,
+		     htons(ntohs(socket_get_port(ctrl_addr)) - 1));
+
+    /* set this here so it can be put in wtmp */
+    snprintf(ttyline, sizeof(ttyline), "ftp%u", (unsigned)getpid());
+
+
+    /*	freopen(_PATH_DEVNULL, "w", stderr); */
+    signal(SIGPIPE, lostconn);
+    signal(SIGCHLD, SIG_IGN);
+#ifdef SIGURG
+    if (signal(SIGURG, myoob) == SIG_ERR)
+	syslog(LOG_ERR, "signal: %m");
+#endif
+
+    /* Try to handle urgent data inline */
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, (void *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_ERR, "setsockopt: %m");
+#endif
+
+#ifdef	F_SETOWN
+    if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1)
+	syslog(LOG_ERR, "fcntl F_SETOWN: %m");
+#endif
+    dolog(his_addr, his_addr_len);
+    /*
+     * Set up default state
+     */
+    data = -1;
+    type = TYPE_A;
+    form = FORM_N;
+    stru = STRU_F;
+    mode = MODE_S;
+    tmpline[0] = '\0';
+
+    /* If logins are disabled, print out the message. */
+    if(show_file(_PATH_NOLOGIN, 530) == 0) {
+	reply(530, "System not available.");
+	exit(0);
+    }
+    show_file(_PATH_FTPWELCOME, 220);
+    /* reply(220,) must follow */
+    gethostname(hostname, sizeof(hostname));
+	
+    reply(220, "%s FTP server (%s"
+#ifdef KRB5
+	  "+%s"
+#endif
+#ifdef KRB4
+	  "+%s"
+#endif
+	  ") ready.", hostname, version
+#ifdef KRB5
+	  ,heimdal_version
+#endif
+#ifdef KRB4
+	  ,krb4_version
+#endif
+	  );
+
+    setjmp(errcatch);
+    for (;;)
+	yyparse();
+    /* NOTREACHED */
+}
+
+static RETSIGTYPE
+lostconn(int signo)
+{
+
+	if (debug)
+		syslog(LOG_DEBUG, "lost connection");
+	dologout(-1);
+}
+
+/*
+ * Helper function for sgetpwnam().
+ */
+static char *
+sgetsave(char *s)
+{
+	char *new = strdup(s);
+
+	if (new == NULL) {
+		perror_reply(421, "Local resource failure: malloc");
+		dologout(1);
+		/* NOTREACHED */
+	}
+	return new;
+}
+
+/*
+ * Save the result of a getpwnam.  Used for USER command, since
+ * the data returned must not be clobbered by any other command
+ * (e.g., globbing).
+ */
+static struct passwd *
+sgetpwnam(char *name)
+{
+	static struct passwd save;
+	struct passwd *p;
+
+	if ((p = k_getpwnam(name)) == NULL)
+		return (p);
+	if (save.pw_name) {
+		free(save.pw_name);
+		free(save.pw_passwd);
+		free(save.pw_gecos);
+		free(save.pw_dir);
+		free(save.pw_shell);
+	}
+	save = *p;
+	save.pw_name = sgetsave(p->pw_name);
+	save.pw_passwd = sgetsave(p->pw_passwd);
+	save.pw_gecos = sgetsave(p->pw_gecos);
+	save.pw_dir = sgetsave(p->pw_dir);
+	save.pw_shell = sgetsave(p->pw_shell);
+	return (&save);
+}
+
+static int login_attempts;	/* number of failed login attempts */
+static int askpasswd;		/* had user command, ask for passwd */
+static char curname[10];	/* current USER name */
+#ifdef OTP
+OtpContext otp_ctx;
+#endif
+
+/*
+ * USER command.
+ * Sets global passwd pointer pw if named account exists and is acceptable;
+ * sets askpasswd if a PASS command is expected.  If logged in previously,
+ * need to reset state.  If name is "ftp" or "anonymous", the name is not in
+ * _PATH_FTPUSERS, and ftp account exists, set guest and pw, then just return.
+ * If account doesn't exist, ask for passwd anyway.  Otherwise, check user
+ * requesting login privileges.  Disallow anyone who does not have a standard
+ * shell as returned by getusershell().  Disallow anyone mentioned in the file
+ * _PATH_FTPUSERS to allow people such as root and uucp to be avoided.
+ */
+void
+user(char *name)
+{
+	char *cp, *shell;
+
+	if(auth_level == 0 && !sec_complete){
+	    reply(530, "No login allowed without authorization.");
+	    return;
+	}
+
+	if (logged_in) {
+		if (guest) {
+			reply(530, "Can't change user from guest login.");
+			return;
+		} else if (dochroot) {
+			reply(530, "Can't change user from chroot user.");
+			return;
+		}
+		end_login();
+	}
+
+	guest = 0;
+	if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
+	    if ((auth_level & AUTH_FTP) == 0 ||
+		checkaccess("ftp") || 
+		checkaccess("anonymous"))
+		reply(530, "User %s access denied.", name);
+	    else if ((pw = sgetpwnam("ftp")) != NULL) {
+		guest = 1;
+		defumask = guest_umask;	/* paranoia for incoming */
+		askpasswd = 1;
+		reply(331, "Guest login ok, type your name as password.");
+	    } else
+		reply(530, "User %s unknown.", name);
+	    if (!askpasswd && logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		syslog(LOG_NOTICE,
+		       "ANONYMOUS FTP LOGIN REFUSED FROM %s(%s)",
+		       remotehost, data_addr);
+	    }
+	    return;
+	}
+	if((auth_level & AUTH_PLAIN) == 0 && !sec_complete){
+	    reply(530, "Only authorized and anonymous login allowed.");
+	    return;
+	}
+	if ((pw = sgetpwnam(name))) {
+		if ((shell = pw->pw_shell) == NULL || *shell == 0)
+			shell = _PATH_BSHELL;
+		while ((cp = getusershell()) != NULL)
+			if (strcmp(cp, shell) == 0)
+				break;
+		endusershell();
+
+		if (cp == NULL || checkaccess(name)) {
+			reply(530, "User %s access denied.", name);
+			if (logging) {
+				char data_addr[256];
+
+				if (inet_ntop (his_addr->sa_family,
+					       socket_get_address(his_addr),
+					       data_addr,
+					       sizeof(data_addr)) == NULL)
+					strlcpy (data_addr,
+							 "unknown address",
+							 sizeof(data_addr));
+
+				syslog(LOG_NOTICE,
+				       "FTP LOGIN REFUSED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       name);
+			}
+			pw = (struct passwd *) NULL;
+			return;
+		}
+	}
+	if (logging)
+	    strlcpy(curname, name, sizeof(curname));
+	if(sec_complete) {
+	    if(sec_userok(name) == 0)
+		do_login(232, name);
+	    else
+		reply(530, "User %s access denied.", name);
+	} else {
+		char ss[256];
+
+#ifdef OTP
+		if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
+			reply(331, "Password %s for %s required.",
+			      ss, name);
+			askpasswd = 1;
+		} else
+#endif
+		if ((auth_level & AUTH_OTP) == 0) {
+		    reply(331, "Password required for %s.", name);
+		    askpasswd = 1;
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error (&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		    reply(530,
+			  "Only authorized, anonymous"
+#ifdef OTP
+			  " and OTP "
+#endif
+			  "login allowed.");
+		}
+
+	}
+	/*
+	 * Delay before reading passwd after first failed
+	 * attempt to slow down passwd-guessing programs.
+	 */
+	if (login_attempts)
+		sleep(login_attempts);
+}
+
+/*
+ * Check if a user is in the file "fname"
+ */
+static int
+checkuser(char *fname, char *name)
+{
+	FILE *fd;
+	int found = 0;
+	char *p, line[BUFSIZ];
+
+	if ((fd = fopen(fname, "r")) != NULL) {
+		while (fgets(line, sizeof(line), fd) != NULL)
+			if ((p = strchr(line, '\n')) != NULL) {
+				*p = '\0';
+				if (line[0] == '#')
+					continue;
+				if (strcmp(line, name) == 0) {
+					found = 1;
+					break;
+				}
+			}
+		fclose(fd);
+	}
+	return (found);
+}
+
+
+/*
+ * Determine whether a user has access, based on information in 
+ * _PATH_FTPUSERS. The users are listed one per line, with `allow'
+ * or `deny' after the username. If anything other than `allow', or
+ * just nothing, is given after the username, `deny' is assumed.
+ *
+ * If the user is not found in the file, but the pseudo-user `*' is,
+ * the permission is taken from that line.
+ *
+ * This preserves the old semantics where if a user was listed in the
+ * file he was denied, otherwise he was allowed.
+ *
+ * Return 1 if the user is denied, or 0 if he is allowed.  */
+
+static int
+match(const char *pattern, const char *string)
+{
+    return fnmatch(pattern, string, FNM_NOESCAPE);
+}
+
+static int
+checkaccess(char *name)
+{
+#define ALLOWED		0
+#define	NOT_ALLOWED	1
+    FILE *fd;
+    int allowed = ALLOWED;
+    char *user, *perm, line[BUFSIZ];
+    char *foo;
+    
+    fd = fopen(_PATH_FTPUSERS, "r");
+    
+    if(fd == NULL)
+	return allowed;
+
+    while (fgets(line, sizeof(line), fd) != NULL)  {
+	foo = NULL;
+	user = strtok_r(line, " \t\n", &foo);
+	if (user == NULL || user[0] == '#')
+	    continue;
+	perm = strtok_r(NULL, " \t\n", &foo);
+	if (match(user, name) == 0){
+	    if(perm && strcmp(perm, "allow") == 0)
+		allowed = ALLOWED;
+	    else
+		allowed = NOT_ALLOWED;
+	    break;
+	}
+    }
+    fclose(fd);
+    return allowed;
+}
+#undef	ALLOWED
+#undef	NOT_ALLOWED
+
+
+int do_login(int code, char *passwd)
+{
+    FILE *fd;
+    login_attempts = 0;		/* this time successful */
+    if (setegid((gid_t)pw->pw_gid) < 0) {
+	reply(550, "Can't set gid.");
+	return -1;
+    }
+    initgroups(pw->pw_name, pw->pw_gid);
+
+    /* open wtmp before chroot */
+    ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
+    logged_in = 1;
+
+    dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name);
+    if (guest) {
+	/*
+	 * We MUST do a chdir() after the chroot. Otherwise
+	 * the old current directory will be accessible as "."
+	 * outside the new root!
+	 */
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't set guest privileges.");
+	    return -1;
+	}
+    } else if (dochroot) {
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't change root.");
+	    return -1;
+	}
+    } else if (chdir(pw->pw_dir) < 0) {
+	if (chdir("/") < 0) {
+	    reply(530, "User %s: can't change directory to %s.",
+		  pw->pw_name, pw->pw_dir);
+	    return -1;
+	} else
+	    lreply(code, "No directory! Logging in with home=/");
+    }
+    if (seteuid((uid_t)pw->pw_uid) < 0) {
+	reply(550, "Can't set uid.");
+	return -1;
+    }
+
+    if(use_builtin_ls == -1) {
+	struct stat st;
+	/* if /bin/ls exist and is a regular file, use it, otherwise
+           use built-in ls */
+	if(stat("/bin/ls", &st) == 0 &&
+	   S_ISREG(st.st_mode))
+	    use_builtin_ls = 0;
+	else
+	    use_builtin_ls = 1;
+    }
+
+    /*
+     * Display a login message, if it exists.
+     * N.B. reply(code,) must follow the message.
+     */
+    show_file(_PATH_FTPLOGINMESG, code);
+    if(show_file(_PATH_ISSUE_NET, code) != 0)
+	show_file(_PATH_ISSUE, code);
+    if (guest) {
+	reply(code, "Guest login ok, access restrictions apply.");
+#ifdef HAVE_SETPROCTITLE
+	snprintf (proctitle, sizeof(proctitle),
+		  "%s: anonymous/%s",
+		  remotehost,
+		  passwd);
+	setproctitle(proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s(%s), %s",
+		   remotehost, 
+		   data_addr,
+		   passwd);
+	}
+    } else {
+	reply(code, "User %s logged in.", pw->pw_name);
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);
+	setproctitle(proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "FTP LOGIN FROM %s(%s) as %s",
+		   remotehost,
+		   data_addr,
+		   pw->pw_name);
+	}
+    }
+    umask(defumask);
+    return 0;
+}
+
+/*
+ * Terminate login as previous user, if any, resetting state;
+ * used when USER command is given or login fails.
+ */
+static void
+end_login(void)
+{
+
+	seteuid((uid_t)0);
+	if (logged_in)
+		ftpd_logwtmp(ttyline, "", "");
+	pw = NULL;
+	logged_in = 0;
+	guest = 0;
+	dochroot = 0;
+}
+
+void
+pass(char *passwd)
+{
+	int rval;
+
+	/* some clients insists on sending a password */
+	if (logged_in && askpasswd == 0){
+	     reply(230, "Dumpucko!");
+	     return;
+	}
+
+	if (logged_in || askpasswd == 0) {
+		reply(503, "Login with USER first.");
+		return;
+	}
+	askpasswd = 0;
+	rval = 1;
+	if (!guest) {		/* "ftp" is only account allowed no password */
+		if (pw == NULL)
+			rval = 1;	/* failure below */
+#ifdef OTP
+		else if (otp_verify_user (&otp_ctx, passwd) == 0) {
+		    rval = 0;
+		}
+#endif
+		else if((auth_level & AUTH_OTP) == 0) {
+#ifdef KRB4
+		    char realm[REALM_SZ];
+		    if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
+			rval = krb_verify_user(pw->pw_name,
+					       "", realm, 
+					       passwd, 
+					       KRB_VERIFY_SECURE, NULL);
+		    if (rval == KSUCCESS ) {
+			chown (tkt_string(), pw->pw_uid, pw->pw_gid);
+			if(k_hasafs())
+			    krb_afslog(0, 0);
+		    } else 
+#endif
+			rval = unix_verify_user(pw->pw_name, passwd);
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error(&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		}
+		memset (passwd, 0, strlen(passwd));
+
+		/*
+		 * If rval == 1, the user failed the authentication
+		 * check above.  If rval == 0, either Kerberos or
+		 * local authentication succeeded.
+		 */
+		if (rval) {
+			char data_addr[256];
+
+			if (inet_ntop (his_addr->sa_family,
+				       socket_get_address(his_addr),
+				       data_addr, sizeof(data_addr)) == NULL)
+				strlcpy (data_addr, "unknown address",
+						 sizeof(data_addr));
+
+			reply(530, "Login incorrect.");
+			if (logging)
+				syslog(LOG_NOTICE,
+				    "FTP LOGIN FAILED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       curname);
+			pw = NULL;
+			if (login_attempts++ >= 5) {
+				syslog(LOG_NOTICE,
+				       "repeated login failures from %s(%s)",
+				       remotehost,
+				       data_addr);
+				exit(0);
+			}
+			return;
+		}
+	}
+	if(!do_login(230, passwd))
+	  return;
+	
+	/* Forget all about it... */
+	end_login();
+}
+
+void
+retrieve(const char *cmd, char *name)
+{
+	FILE *fin = NULL, *dout;
+	struct stat st;
+	int (*closefunc) (FILE *);
+	char line[BUFSIZ];
+
+
+	if (cmd == 0) {
+		fin = fopen(name, "r");
+		closefunc = fclose;
+		st.st_size = 0;
+		if(fin == NULL){
+		    int save_errno = errno;
+		    struct cmds {
+			const char *ext;
+			const char *cmd;
+		        const char *rev_cmd;
+		    } cmds[] = {
+			{".tar", "/bin/gtar cPf - %s", NULL},
+			{".tar.gz", "/bin/gtar zcPf - %s", NULL},
+			{".tar.Z", "/bin/gtar ZcPf - %s", NULL},
+			{".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"},
+			{".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"},
+			{NULL, NULL}
+		    };
+		    struct cmds *p;
+		    for(p = cmds; p->ext; p++){
+			char *tail = name + strlen(name) - strlen(p->ext);
+			char c = *tail;
+			
+			if(strcmp(tail, p->ext) == 0 &&
+			   (*tail  = 0) == 0 &&
+			   access(name, R_OK) == 0){
+			    snprintf (line, sizeof(line), p->cmd, name);
+			    *tail  = c;
+			    break;
+			}
+			*tail = c;
+			if (p->rev_cmd != NULL) {
+			    char *ext;
+
+			    asprintf(&ext, "%s%s", name, p->ext);
+			    if (ext != NULL) { 
+  			        if (access(ext, R_OK) == 0) {
+				    snprintf (line, sizeof(line),
+					      p->rev_cmd, ext);
+				    free(ext);
+				    break;
+				}
+			        free(ext);
+			    }
+			}
+			
+		    }
+		    if(p->ext){
+			fin = ftpd_popen(line, "r", 0, 0);
+			closefunc = ftpd_pclose;
+			st.st_size = -1;
+			cmd = line;
+		    } else
+			errno = save_errno;
+		}
+	} else {
+		snprintf(line, sizeof(line), cmd, name);
+		name = line;
+		fin = ftpd_popen(line, "r", 1, 0);
+		closefunc = ftpd_pclose;
+		st.st_size = -1;
+	}
+	if (fin == NULL) {
+		if (errno != 0) {
+			perror_reply(550, name);
+			if (cmd == 0) {
+				LOGCMD("get", name);
+			}
+		}
+		return;
+	}
+	byte_count = -1;
+	if (cmd == 0){
+	    if(fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) {
+		reply(550, "%s: not a plain file.", name);
+		goto done;
+	    }
+	}
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fin)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+		} else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	dout = dataconn(name, st.st_size, "w");
+	if (dout == NULL)
+		goto done;
+	set_buffer_size(fileno(dout), 0);
+	send_data(fin, dout);
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+done:
+	if (cmd == 0)
+		LOGBYTES("get", name, byte_count);
+	(*closefunc)(fin);
+}
+
+/* filename sanity check */
+
+int 
+filename_check(char *filename)
+{
+  static const char good_chars[] = "+-=_,.";
+    char *p;
+
+    p = strrchr(filename, '/');
+    if(p)
+	filename = p + 1;
+
+    p = filename;
+
+    if(isalnum(*p)){
+	p++;
+	while(*p && (isalnum(*p) || strchr(good_chars, *p)))
+	    p++;
+	if(*p == '\0')
+	    return 0;
+    }
+    lreply(553, "\"%s\" is an illegal filename.", filename);
+    lreply(553, "The filename must start with an alphanumeric "
+	   "character and must only");
+    reply(553, "consist of alphanumeric characters or any of the following: %s", 
+	  good_chars);
+    return 1;
+}
+
+void
+do_store(char *name, char *mode, int unique)
+{
+	FILE *fout, *din;
+	struct stat st;
+	int (*closefunc) (FILE *);
+
+	if(guest && filename_check(name))
+	    return;
+	if (unique && stat(name, &st) == 0 &&
+	    (name = gunique(name)) == NULL) {
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+
+	if (restart_point)
+		mode = "r+";
+	fout = fopen(name, mode);
+	closefunc = fclose;
+	if (fout == NULL) {
+		perror_reply(553, name);
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+	byte_count = -1;
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fout)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+			/*
+			 * We must do this seek to "current" position
+			 * because we are changing from reading to
+			 * writing.
+			 */
+			if (fseek(fout, 0L, SEEK_CUR) < 0) {
+				perror_reply(550, name);
+				goto done;
+			}
+		} else if (lseek(fileno(fout), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	din = dataconn(name, (off_t)-1, "r");
+	if (din == NULL)
+		goto done;
+	set_buffer_size(fileno(din), 1);
+	if (receive_data(din, fout) == 0) {
+		if (unique)
+			reply(226, "Transfer complete (unique file name:%s).",
+			    name);
+		else
+			reply(226, "Transfer complete.");
+	}
+	fclose(din);
+	data = -1;
+	pdata = -1;
+done:
+	LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count);
+	(*closefunc)(fout);
+}
+
+static FILE *
+getdatasock(const char *mode)
+{
+	int s, t, tries;
+
+	if (data >= 0)
+		return (fdopen(data, mode));
+	seteuid(0);
+	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (s < 0)
+		goto bad;
+	socket_set_reuseaddr (s, 1);
+	/* anchor socket to avoid multi-homing problems */
+	socket_set_address_and_port (data_source,
+				     socket_get_address (ctrl_addr),
+				     socket_get_port (data_source));
+
+	for (tries = 1; ; tries++) {
+		if (bind(s, data_source,
+			 socket_sockaddr_size (data_source)) >= 0)
+			break;
+		if (errno != EADDRINUSE || tries > 10)
+			goto bad;
+		sleep(tries);
+	}
+	seteuid(pw->pw_uid);
+#ifdef IPTOS_THROUGHPUT
+	socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+	return (fdopen(s, mode));
+bad:
+	/* Return the real value of errno (close may change it) */
+	t = errno;
+	seteuid((uid_t)pw->pw_uid);
+	close(s);
+	errno = t;
+	return (NULL);
+}
+
+static FILE *
+dataconn(const char *name, off_t size, const char *mode)
+{
+	char sizebuf[32];
+	FILE *file;
+	int retry = 0;
+
+	file_size = size;
+	byte_count = 0;
+	if (size >= 0)
+	    snprintf(sizebuf, sizeof(sizebuf), " (%ld bytes)", (long)size);
+	else
+	    *sizebuf = '\0';
+	if (pdata >= 0) {
+		struct sockaddr_storage from_ss;
+		struct sockaddr *from = (struct sockaddr *)&from_ss;
+		int s;
+		int fromlen = sizeof(from_ss);
+
+		s = accept(pdata, from, &fromlen);
+		if (s < 0) {
+			reply(425, "Can't open data connection.");
+			close(pdata);
+			pdata = -1;
+			return (NULL);
+		}
+		close(pdata);
+		pdata = s;
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+		{
+		    int tos = IPTOS_THROUGHPUT;
+		    
+		    setsockopt(s, IPPROTO_IP, IP_TOS, (void *)&tos,
+			       sizeof(tos));
+		}
+#endif
+		reply(150, "Opening %s mode data connection for '%s'%s.",
+		     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+		return (fdopen(pdata, mode));
+	}
+	if (data >= 0) {
+		reply(125, "Using existing data connection for '%s'%s.",
+		    name, sizebuf);
+		usedefault = 1;
+		return (fdopen(data, mode));
+	}
+	if (usedefault)
+		data_dest = his_addr;
+	usedefault = 1;
+	file = getdatasock(mode);
+	if (file == NULL) {
+		char data_addr[256];
+
+		if (inet_ntop (data_source->sa_family,
+			       socket_get_address(data_source),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		reply(425, "Can't create data socket (%s,%d): %s.",
+		      data_addr,
+		      socket_get_port (data_source),
+		      strerror(errno));
+		return (NULL);
+	}
+	data = fileno(file);
+	while (connect(data, data_dest,
+		       socket_sockaddr_size(data_dest)) < 0) {
+		if (errno == EADDRINUSE && retry < swaitmax) {
+			sleep(swaitint);
+			retry += swaitint;
+			continue;
+		}
+		perror_reply(425, "Can't build data connection");
+		fclose(file);
+		data = -1;
+		return (NULL);
+	}
+	reply(150, "Opening %s mode data connection for '%s'%s.",
+	     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+	return (file);
+}
+
+/*
+ * Tranfer the contents of "instr" to "outstr" peer using the appropriate
+ * encapsulation of the data subject * to Mode, Structure, and Type.
+ *
+ * NB: Form isn't handled.
+ */
+static void
+send_data(FILE *instr, FILE *outstr)
+{
+	int c, cnt, filefd, netfd;
+	static char *buf;
+	static size_t bufsize;
+
+	transflag++;
+	if (setjmp(urgcatch)) {
+		transflag = 0;
+		return;
+	}
+	switch (type) {
+
+	case TYPE_A:
+	    while ((c = getc(instr)) != EOF) {
+		byte_count++;
+		if(c == '\n')
+		    sec_putc('\r', outstr);
+		sec_putc(c, outstr);
+	    }
+	    sec_fflush(outstr);
+	    transflag = 0;
+	    if (ferror(instr))
+		goto file_err;
+	    if (ferror(outstr))
+		goto data_err;
+	    reply(226, "Transfer complete.");
+	    return;
+		
+	case TYPE_I:
+	case TYPE_L:
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+	    {
+		struct stat st;
+		char *chunk;
+		int in = fileno(instr);
+		if(fstat(in, &st) == 0 && S_ISREG(st.st_mode) 
+		   && st.st_size > 0) {
+		    /*
+		     * mmap zero bytes has potential of loosing, don't do it.
+		     */
+		    chunk = mmap(0, st.st_size, PROT_READ,
+				 MAP_SHARED, in, 0);
+		    if((void *)chunk != (void *)MAP_FAILED) {
+			cnt = st.st_size - restart_point;
+			sec_write(fileno(outstr), chunk + restart_point, cnt);
+			if (munmap(chunk, st.st_size) < 0)
+			    warn ("munmap");
+			sec_fflush(outstr);
+			byte_count = cnt;
+			transflag = 0;
+		    }
+		}
+	    }
+#endif
+	if(transflag) {
+	    struct stat st;
+
+	    netfd = fileno(outstr);
+	    filefd = fileno(instr);
+	    buf = alloc_buffer (buf, &bufsize,
+				fstat(filefd, &st) >= 0 ? &st : NULL);
+	    if (buf == NULL) {
+		transflag = 0;
+		perror_reply(451, "Local resource failure: malloc");
+		return;
+	    }
+	    while ((cnt = read(filefd, buf, bufsize)) > 0 &&
+		   sec_write(netfd, buf, cnt) == cnt)
+		byte_count += cnt;
+	    sec_fflush(outstr); /* to end an encrypted stream */
+	    transflag = 0;
+	    if (cnt != 0) {
+		if (cnt < 0)
+		    goto file_err;
+		goto data_err;
+	    }
+	}
+	reply(226, "Transfer complete.");
+	return;
+	default:
+	    transflag = 0;
+	    reply(550, "Unimplemented TYPE %d in send_data", type);
+	    return;
+	}
+
+data_err:
+	transflag = 0;
+	perror_reply(426, "Data connection");
+	return;
+
+file_err:
+	transflag = 0;
+	perror_reply(551, "Error on input file");
+}
+
+/*
+ * Transfer data from peer to "outstr" using the appropriate encapulation of
+ * the data subject to Mode, Structure, and Type.
+ *
+ * N.B.: Form isn't handled.
+ */
+static int
+receive_data(FILE *instr, FILE *outstr)
+{
+    int cnt, bare_lfs = 0;
+    static char *buf;
+    static size_t bufsize;
+    struct stat st;
+
+    transflag++;
+    if (setjmp(urgcatch)) {
+	transflag = 0;
+	return (-1);
+    }
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat(fileno(outstr), &st) >= 0 ? &st : NULL);
+    if (buf == NULL) {
+	transflag = 0;
+	perror_reply(451, "Local resource failure: malloc");
+	return -1;
+    }
+    
+    switch (type) {
+
+    case TYPE_I:
+    case TYPE_L:
+	while ((cnt = sec_read(fileno(instr), buf, bufsize)) > 0) {
+	    if (write(fileno(outstr), buf, cnt) != cnt)
+		goto file_err;
+	    byte_count += cnt;
+	}
+	if (cnt < 0)
+	    goto data_err;
+	transflag = 0;
+	return (0);
+
+    case TYPE_E:
+	reply(553, "TYPE E not implemented.");
+	transflag = 0;
+	return (-1);
+
+    case TYPE_A:
+    {
+	char *p, *q;
+	int cr_flag = 0;
+	while ((cnt = sec_read(fileno(instr),
+				buf + cr_flag, 
+				bufsize - cr_flag)) > 0){
+	    byte_count += cnt;
+	    cnt += cr_flag;
+	    cr_flag = 0;
+	    for(p = buf, q = buf; p < buf + cnt;) {
+		if(*p == '\n')
+		    bare_lfs++;
+		if(*p == '\r') {
+		    if(p == buf + cnt - 1){
+			cr_flag = 1;
+			p++;
+			continue;
+		    }else if(p[1] == '\n'){
+			*q++ = '\n';
+			p += 2;
+			continue;
+		    }
+		}
+		*q++ = *p++;
+	    }
+	    fwrite(buf, q - buf, 1, outstr);
+	    if(cr_flag)
+		buf[0] = '\r';
+	}
+	if(cr_flag)
+	    putc('\r', outstr);
+	fflush(outstr);
+	if (ferror(instr))
+	    goto data_err;
+	if (ferror(outstr))
+	    goto file_err;
+	transflag = 0;
+	if (bare_lfs) {
+	    lreply(226, "WARNING! %d bare linefeeds received in ASCII mode\r\n"
+		   "    File may not have transferred correctly.\r\n",
+		   bare_lfs);
+	}
+	return (0);
+    }
+    default:
+	reply(550, "Unimplemented TYPE %d in receive_data", type);
+	transflag = 0;
+	return (-1);
+    }
+	
+data_err:
+    transflag = 0;
+    perror_reply(426, "Data Connection");
+    return (-1);
+	
+file_err:
+    transflag = 0;
+    perror_reply(452, "Error writing file");
+    return (-1);
+}
+
+void
+statfilecmd(char *filename)
+{
+	FILE *fin;
+	int c;
+	char line[LINE_MAX];
+
+	snprintf(line, sizeof(line), "/bin/ls -la -- %s", filename);
+	fin = ftpd_popen(line, "r", 1, 0);
+	lreply(211, "status of %s:", filename);
+	while ((c = getc(fin)) != EOF) {
+		if (c == '\n') {
+			if (ferror(stdout)){
+				perror_reply(421, "control connection");
+				ftpd_pclose(fin);
+				dologout(1);
+				/* NOTREACHED */
+			}
+			if (ferror(fin)) {
+				perror_reply(551, filename);
+				ftpd_pclose(fin);
+				return;
+			}
+			putc('\r', stdout);
+		}
+		putc(c, stdout);
+	}
+	ftpd_pclose(fin);
+	reply(211, "End of Status");
+}
+
+void
+statcmd(void)
+{
+#if 0
+	struct sockaddr_in *sin;
+	u_char *a, *p;
+
+	lreply(211, "%s FTP server (%s) status:", hostname, version);
+	printf("     %s\r\n", version);
+	printf("     Connected to %s", remotehost);
+	if (!isdigit(remotehost[0]))
+		printf(" (%s)", inet_ntoa(his_addr.sin_addr));
+	printf("\r\n");
+	if (logged_in) {
+		if (guest)
+			printf("     Logged in anonymously\r\n");
+		else
+			printf("     Logged in as %s\r\n", pw->pw_name);
+	} else if (askpasswd)
+		printf("     Waiting for password\r\n");
+	else
+		printf("     Waiting for user name\r\n");
+	printf("     TYPE: %s", typenames[type]);
+	if (type == TYPE_A || type == TYPE_E)
+		printf(", FORM: %s", formnames[form]);
+	if (type == TYPE_L)
+#if NBBY == 8
+		printf(" %d", NBBY);
+#else
+		printf(" %d", bytesize);	/* need definition! */
+#endif
+	printf("; STRUcture: %s; transfer MODE: %s\r\n",
+	    strunames[stru], modenames[mode]);
+	if (data != -1)
+		printf("     Data connection open\r\n");
+	else if (pdata != -1) {
+		printf("     in Passive mode");
+		sin = &pasv_addr;
+		goto printaddr;
+	} else if (usedefault == 0) {
+		printf("     PORT");
+		sin = &data_dest;
+printaddr:
+		a = (u_char *) &sin->sin_addr;
+		p = (u_char *) &sin->sin_port;
+#define UC(b) (((int) b) & 0xff)
+		printf(" (%d,%d,%d,%d,%d,%d)\r\n", UC(a[0]),
+			UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+#undef UC
+	} else
+		printf("     No data connection\r\n");
+#endif
+	reply(211, "End of status");
+}
+
+void
+fatal(char *s)
+{
+
+	reply(451, "Error in server: %s\n", s);
+	reply(221, "Closing connection due to server error.");
+	dologout(0);
+	/* NOTREACHED */
+}
+
+static void
+int_reply(int, char *, const char *, va_list)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 0)))
+#endif
+;
+
+static void
+int_reply(int n, char *c, const char *fmt, va_list ap)
+{
+    char buf[10240];
+    char *p;
+    p=buf;
+    if(n){
+	snprintf(p, sizeof(buf), "%d%s", n, c);
+	p+=strlen(p);
+    }
+    vsnprintf(p, sizeof(buf) - strlen(p), fmt, ap);
+    p+=strlen(p);
+    snprintf(p, sizeof(buf) - strlen(p), "\r\n");
+    p+=strlen(p);
+    sec_fprintf(stdout, "%s", buf);
+    fflush(stdout);
+    if (debug)
+	syslog(LOG_DEBUG, "<--- %s- ", buf);
+}
+
+void
+reply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, " ", fmt, ap);
+  delete_ftp_command();
+  va_end(ap);
+}
+
+void
+lreply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, "-", fmt, ap);
+  va_end(ap);
+}
+
+void
+nreply(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(0, NULL, fmt, ap);
+  va_end(ap);
+}
+
+static void
+ack(char *s)
+{
+
+	reply(250, "%s command successful.", s);
+}
+
+void
+nack(char *s)
+{
+
+	reply(502, "%s command not implemented.", s);
+}
+
+/* ARGSUSED */
+void
+yyerror(char *s)
+{
+	char *cp;
+
+	if ((cp = strchr(cbuf,'\n')))
+		*cp = '\0';
+	reply(500, "'%s': command not understood.", cbuf);
+}
+
+void
+do_delete(char *name)
+{
+	struct stat st;
+
+	LOGCMD("delete", name);
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+	if ((st.st_mode&S_IFMT) == S_IFDIR) {
+		if (rmdir(name) < 0) {
+			perror_reply(550, name);
+			return;
+		}
+		goto done;
+	}
+	if (unlink(name) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+done:
+	ack("DELE");
+}
+
+void
+cwd(char *path)
+{
+
+	if (chdir(path) < 0)
+		perror_reply(550, path);
+	else
+		ack("CWD");
+}
+
+void
+makedir(char *name)
+{
+
+	LOGCMD("mkdir", name);
+	if(guest && filename_check(name))
+	    return;
+	if (mkdir(name, 0777) < 0)
+		perror_reply(550, name);
+	else{
+	    if(guest)
+		chmod(name, 0700); /* guest has umask 777 */
+	    reply(257, "MKD command successful.");
+	}
+}
+
+void
+removedir(char *name)
+{
+
+	LOGCMD("rmdir", name);
+	if (rmdir(name) < 0)
+		perror_reply(550, name);
+	else
+		ack("RMD");
+}
+
+void
+pwd(void)
+{
+    char path[MaxPathLen];
+    char *ret;
+
+    /* SunOS has a broken getcwd that does popen(pwd) (!!!), this
+     * failes miserably when running chroot 
+     */
+    ret = getcwd(path, sizeof(path));
+    if (ret == NULL)
+	reply(550, "%s.", strerror(errno));
+    else
+	reply(257, "\"%s\" is current directory.", path);
+}
+
+char *
+renamefrom(char *name)
+{
+	struct stat st;
+
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return NULL;
+	}
+	reply(350, "File exists, ready for destination name");
+	return (name);
+}
+
+void
+renamecmd(char *from, char *to)
+{
+
+	LOGCMD2("rename", from, to);
+	if(guest && filename_check(to))
+	    return;
+	if (rename(from, to) < 0)
+		perror_reply(550, "rename");
+	else
+		ack("RNTO");
+}
+
+static void
+dolog(struct sockaddr *sa, int len)
+{
+	getnameinfo_verified (sa, len, remotehost, sizeof(remotehost),
+			      NULL, 0, 0);
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
+	setproctitle(proctitle);
+#endif /* HAVE_SETPROCTITLE */
+
+	if (logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+
+		syslog(LOG_INFO, "connection from %s(%s)",
+		       remotehost,
+		       data_addr);
+	}
+}
+
+/*
+ * Record logout in wtmp file
+ * and exit with supplied status.
+ */
+void
+dologout(int status)
+{
+    transflag = 0;
+    if (logged_in) {
+	seteuid((uid_t)0);
+	ftpd_logwtmp(ttyline, "", "");
+#ifdef KRB4
+	cond_kdestroy();
+#endif
+    }
+    /* beware of flushing buffers after a SIGPIPE */
+#ifdef XXX
+    exit(status);
+#else
+    _exit(status);
+#endif	
+}
+
+void abor(void)
+{
+}
+
+static void
+myoob(int signo)
+{
+#if 0
+	char *cp;
+#endif
+
+	/* only process if transfer occurring */
+	if (!transflag)
+		return;
+
+	/* This is all XXX */
+	oobflag = 1;
+	/* if the command resulted in a new command, 
+	   parse that as well */
+	do{
+	    yyparse();
+	} while(ftp_command);
+	oobflag = 0;
+
+#if 0 
+	cp = tmpline;
+	if (ftpd_getline(cp, 7) == NULL) {
+		reply(221, "You could at least say goodbye.");
+		dologout(0);
+	}
+	upper(cp);
+	if (strcmp(cp, "ABOR\r\n") == 0) {
+		tmpline[0] = '\0';
+		reply(426, "Transfer aborted. Data connection closed.");
+		reply(226, "Abort successful");
+		longjmp(urgcatch, 1);
+	}
+	if (strcmp(cp, "STAT\r\n") == 0) {
+		if (file_size != (off_t) -1)
+			reply(213, "Status: %ld of %ld bytes transferred",
+			      (long)byte_count,
+			      (long)file_size);
+		else
+			reply(213, "Status: %ld bytes transferred"
+			      (long)byte_count);
+	}
+#endif
+}
+
+/*
+ * Note: a response of 425 is not mentioned as a possible response to
+ *	the PASV command in RFC959. However, it has been blessed as
+ *	a legitimate response by Jon Postel in a telephone conversation
+ *	with Rick Adams on 25 Jan 89.
+ */
+void
+pasv(void)
+{
+	int len;
+	char *p, *a;
+	struct sockaddr_in *sin;
+
+	if (ctrl_addr->sa_family != AF_INET) {
+		reply(425,
+		      "You cannot do PASV with something that's not IPv4");
+		return;
+	}
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+	sin = (struct sockaddr_in *)pasv_addr;
+	a = (char *) &sin->sin_addr;
+	p = (char *) &sin->sin_port;
+
+#define UC(b) (((int) b) & 0xff)
+
+	reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)", UC(a[0]),
+		UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+epsv(char *proto)
+{
+	int len;
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+
+	reply(229, "Entering Extended Passive Mode (|||%d|)",
+	      ntohs(socket_get_port (pasv_addr)));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+eprt(char *str)
+{
+	char *end;
+	char sep;
+	int af;
+	int ret;
+	int port;
+
+	usedefault = 0;
+	if (pdata >= 0) {
+	    close(pdata);
+	    pdata = -1;
+	}
+
+	sep = *str++;
+	if (sep == '\0') {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	af = strtol (str, &end, 0);
+	if (af == 0 || *end != sep) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	switch (af) {
+#ifdef HAVE_IPV6
+	case 2 :
+	    data_dest->sa_family = AF_INET6;
+	    break;
+#endif		
+	case 1 :
+	    data_dest->sa_family = AF_INET;
+		break;
+	default :
+		reply(522, "Network protocol %d not supported, use (1"
+#ifdef HAVE_IPV6
+		      ",2"
+#endif
+		      ")", af);
+		return;
+	}
+	end = strchr (str, sep);
+	if (end == NULL) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	*end = '\0';
+	ret = inet_pton (data_dest->sa_family, str,
+			 socket_get_address (data_dest));
+
+	if (ret != 1) {
+		reply(500, "Bad address syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	port = strtol (str, &end, 0);
+	if (port == 0 || *end != sep) {
+		reply(500, "Bad port syntax in EPRT");
+		return;
+	}
+	socket_set_port (data_dest, htons(port));
+	reply(200, "EPRT command successful.");
+}
+
+/*
+ * Generate unique name for file with basename "local".
+ * The file named "local" is already known to exist.
+ * Generates failure reply on error.
+ */
+static char *
+gunique(char *local)
+{
+	static char new[MaxPathLen];
+	struct stat st;
+	int count;
+	char *cp;
+
+	cp = strrchr(local, '/');
+	if (cp)
+		*cp = '\0';
+	if (stat(cp ? local : ".", &st) < 0) {
+		perror_reply(553, cp ? local : ".");
+		return NULL;
+	}
+	if (cp)
+		*cp = '/';
+	for (count = 1; count < 100; count++) {
+		snprintf (new, sizeof(new), "%s.%d", local, count);
+		if (stat(new, &st) < 0)
+			return (new);
+	}
+	reply(452, "Unique file name cannot be created.");
+	return (NULL);
+}
+
+/*
+ * Format and send reply containing system error number.
+ */
+void
+perror_reply(int code, const char *string)
+{
+	reply(code, "%s: %s.", string, strerror(errno));
+}
+
+static char *onefile[] = {
+	"",
+	0
+};
+
+void
+list_file(char *file)
+{
+    if(use_builtin_ls) {
+	FILE *dout;
+	dout = dataconn(file, -1, "w");
+	if (dout == NULL)
+	    return;
+	set_buffer_size(fileno(dout), 0);
+	builtin_ls(dout, file);
+	reply(226, "Transfer complete.");
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+    } else {
+#ifdef HAVE_LS_A
+	const char *cmd = "/bin/ls -lA -- %s";
+#else
+	const char *cmd = "/bin/ls -la -- %s";
+#endif
+	retrieve(cmd, file);
+    }
+}
+
+void
+send_file_list(char *whichf)
+{
+  struct stat st;
+  DIR *dirp = NULL;
+  struct dirent *dir;
+  FILE *dout = NULL;
+  char **dirlist, *dirname;
+  int simple = 0;
+  int freeglob = 0;
+  glob_t gl;
+  char buf[MaxPathLen];
+
+  if (strpbrk(whichf, "~{[*?") != NULL) {
+    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+    memset(&gl, 0, sizeof(gl));
+    freeglob = 1;
+    if (glob(whichf, flags, 0, &gl)) {
+      reply(550, "not found");
+      goto out;
+    } else if (gl.gl_pathc == 0) {
+      errno = ENOENT;
+      perror_reply(550, whichf);
+      goto out;
+    }
+    dirlist = gl.gl_pathv;
+  } else {
+    onefile[0] = whichf;
+    dirlist = onefile;
+    simple = 1;
+  }
+
+  if (setjmp(urgcatch)) {
+    transflag = 0;
+    goto out;
+  }
+  while ((dirname = *dirlist++)) {
+    if (stat(dirname, &st) < 0) {
+      /*
+       * If user typed "ls -l", etc, and the client
+       * used NLST, do what the user meant.
+       */
+      if (dirname[0] == '-' && *dirlist == NULL &&
+	  transflag == 0) {
+	retrieve("/bin/ls -- %s", dirname);
+	goto out;
+      }
+      perror_reply(550, whichf);
+      if (dout != NULL) {
+	fclose(dout);
+	transflag = 0;
+	data = -1;
+	pdata = -1;
+      }
+      goto out;
+    }
+
+    if (S_ISREG(st.st_mode)) {
+      if (dout == NULL) {
+	dout = dataconn("file list", (off_t)-1, "w");
+	if (dout == NULL)
+	  goto out;
+	transflag++;
+      }
+      snprintf(buf, sizeof(buf), "%s%s\n", dirname,
+	      type == TYPE_A ? "\r" : "");
+      sec_write(fileno(dout), buf, strlen(buf));
+      byte_count += strlen(dirname) + 1;
+      continue;
+    } else if (!S_ISDIR(st.st_mode))
+      continue;
+
+    if ((dirp = opendir(dirname)) == NULL)
+      continue;
+
+    while ((dir = readdir(dirp)) != NULL) {
+      char nbuf[MaxPathLen];
+
+      if (!strcmp(dir->d_name, "."))
+	continue;
+      if (!strcmp(dir->d_name, ".."))
+	continue;
+
+      snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name);
+
+      /*
+       * We have to do a stat to insure it's
+       * not a directory or special file.
+       */
+      if (simple || (stat(nbuf, &st) == 0 &&
+		     S_ISREG(st.st_mode))) {
+	if (dout == NULL) {
+	  dout = dataconn("file list", (off_t)-1, "w");
+	  if (dout == NULL)
+	    goto out;
+	  transflag++;
+	}
+	if(strncmp(nbuf, "./", 2) == 0)
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2,
+		   type == TYPE_A ? "\r" : "");
+	else
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf,
+		   type == TYPE_A ? "\r" : "");
+	sec_write(fileno(dout), buf, strlen(buf));
+	byte_count += strlen(nbuf) + 1;
+      }
+    }
+    closedir(dirp);
+  }
+  if (dout == NULL)
+    reply(550, "No files found.");
+  else if (ferror(dout) != 0)
+    perror_reply(550, "Data connection");
+  else
+    reply(226, "Transfer complete.");
+
+  transflag = 0;
+  if (dout != NULL){
+    sec_write(fileno(dout), buf, 0); /* XXX flush */
+	    
+    fclose(dout);
+  }
+  data = -1;
+  pdata = -1;
+out:
+  if (freeglob) {
+    freeglob = 0;
+    globfree(&gl);
+  }
+}
+
+
+int
+find(char *pattern)
+{
+    char line[1024];
+    FILE *f;
+
+    snprintf(line, sizeof(line),
+	     "/bin/locate -d %s -- %s",
+	     ftp_rooted("/etc/locatedb"),
+	     pattern);
+    f = ftpd_popen(line, "r", 1, 1);
+    if(f == NULL){
+	perror_reply(550, "/bin/locate");
+	return 1;
+    }
+    lreply(200, "Output from find.");
+    while(fgets(line, sizeof(line), f)){
+	if(line[strlen(line)-1] == '\n')
+	    line[strlen(line)-1] = 0;
+	nreply("%s", line);
+    }
+    reply(200, "Done");
+    ftpd_pclose(f);
+    return 0;
+}
+
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
new file mode 100644
index 0000000..5cb4904
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: ftpd_locl.h,v 1.9 1999/12/02 16:58:30 joda Exp $ */
+
+#ifndef __ftpd_locl_h__
+#define __ftpd_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+/*
+ * FTP server.
+ */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <arpa/ftp.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <glob.h>
+#include <limits.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <setjmp.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <time.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#include <fnmatch.h>
+
+#ifdef HAVE_BSD_BSD_H
+#include <bsd/bsd.h>
+#endif
+
+#include <err.h>
+
+#include "pathnames.h"
+#include "extern.h"
+#include "common.h"
+
+#include "security.h"
+
+#include "roken.h"
+
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+#endif
+
+/* SunOS doesn't have any declaration of fclose */
+
+int fclose(FILE *stream);
+
+int yyparse();
+
+#ifndef LOG_FTP
+#define LOG_FTP LOG_DAEMON
+#endif
+
+#endif /* __ftpd_locl_h__ */
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
new file mode 100644
index 0000000..dfd66f9
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
@@ -0,0 +1,38 @@
+.\"	$Id: ftpusers.5,v 1.2 1997/05/07 20:11:11 joda Exp $
+.\"
+.Dd May 7, 1997
+.Dt FTPUSERS 5
+.Os KTH-KRB
+.Sh NAME
+.Pa /etc/ftpusers
+.Nd
+FTP access list file.
+.Sh DESCRIPTION
+.Pa /etc/ftpusers
+contains a list of users that should be allowed or denied FTP
+access. Each line contains a user, optionally followed by
+.Dq allow 
+(anything but
+.Dq allow
+is ignored).  The semi-user
+.Dq *
+matches any user.  Users that has an explicit
+.Dq allow ,
+or that does not match any line, are allowed access. Anyone else is
+denied access.
+
+Note that this is compatible with the old format, where this file
+contained a list of users that should be denied access.
+.Sh EXAMPLES
+This will deny anyone but
+.Dq foo
+and
+.Dq bar
+to use FTP:
+.Bd -literal
+foo allow
+bar allow
+*
+.Ed
+.Sh SEE ALSO
+.Xr ftpd 8
diff --git a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
new file mode 100644
index 0000000..28e3596
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ftpd_locl.h"
+#include <gssapi.h>
+#include <krb5.h>
+
+RCSID("$Id: gss_userok.c,v 1.2 1999/12/02 16:58:31 joda Exp $");
+
+/* XXX a bit too much of krb5 dependency here... 
+   What is the correct way to do this? 
+   */
+
+extern krb5_context gssapi_krb5_context;
+
+/* XXX sync with gssapi.c */
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+};
+
+int gss_userok(void*, char*); /* to keep gcc happy */
+
+int
+gss_userok(void *app_data, char *username)
+{
+    struct gss_data *data = app_data;
+    if(gssapi_krb5_context) {
+	krb5_principal client;
+	krb5_error_code ret;
+	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
+	if(ret)
+	    return 1;
+	ret = krb5_kuserok(gssapi_krb5_context, client, username);
+	krb5_free_principal(gssapi_krb5_context, client);
+	return !ret;
+    }
+    return 1;
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/kauth.c b/crypto/heimdal/appl/ftp/ftpd/kauth.c
new file mode 100644
index 0000000..dad4de5
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/kauth.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftpd_locl.h"
+
+RCSID("$Id: kauth.c,v 1.25 1999/12/02 16:58:31 joda Exp $");
+
+static KTEXT_ST cip;
+static unsigned int lifetime;
+static time_t local_time;
+
+static krb_principal pr;
+
+static int do_destroy_tickets = 1;
+
+static int
+save_tkt(const char *user,
+	 const char *instance,
+	 const char *realm,
+	 const void *arg, 
+	 key_proc_t key_proc,
+	 KTEXT *cipp)
+{
+    local_time = time(0);
+    memmove(&cip, *cipp, sizeof(cip));
+    return -1;
+}
+
+static int
+store_ticket(KTEXT cip)
+{
+    char *ptr;
+    des_cblock session;
+    krb_principal sp;
+    unsigned char kvno;
+    KTEXT_ST tkt;
+    int left = cip->length;
+    int len;
+    int kerror;
+    
+    ptr = (char *) cip->dat;
+
+    /* extract session key */
+    memmove(session, ptr, 8);
+    ptr += 8;
+    left -= 8;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's name */
+    strlcpy(sp.name, ptr, sizeof(sp.name));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's instance */
+    strlcpy(sp.instance, ptr, sizeof(sp.instance));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's realm */
+    strlcpy(sp.realm, ptr, sizeof(sp.realm));
+    ptr += len + 1;
+    left -= len + 1;
+
+    if(left < 3)
+	return INTK_BADPW;
+    /* extract ticket lifetime, server key version, ticket length */
+    /* be sure to avoid sign extension on lifetime! */
+    lifetime = (unsigned char) ptr[0];
+    kvno = (unsigned char) ptr[1];
+    tkt.length = (unsigned char) ptr[2];
+    ptr += 3;
+    left -= 3;
+    
+    if (tkt.length > left)
+	return(INTK_BADPW);
+
+    /* extract ticket itself */
+    memmove(tkt.dat, ptr, tkt.length);
+    ptr += tkt.length;
+    left -= tkt.length;
+
+    /* Here is where the time should be verified against the KDC.
+     * Unfortunately everything is sent in host byte order (receiver
+     * makes wrong) , and at this stage there is no way for us to know
+     * which byteorder the KDC has. So we simply ignore the time,
+     * there are no security risks with this, the only thing that can
+     * happen is that we might receive a replayed ticket, which could
+     * at most be useless.
+     */
+    
+#if 0
+    /* check KDC time stamp */
+    {
+	time_t kdc_time;
+
+	memmove(&kdc_time, ptr, sizeof(kdc_time));
+	if (swap_bytes) swap_u_long(kdc_time);
+
+	ptr += 4;
+    
+	if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) {
+	    return(RD_AP_TIME);		/* XXX should probably be better
+					   code */
+	}
+    }
+#endif
+
+    /* initialize ticket cache */
+
+    if (tf_create(TKT_FILE) != KSUCCESS)
+	return(INTK_ERR);
+
+    if (tf_put_pname(pr.name) != KSUCCESS ||
+	tf_put_pinst(pr.instance) != KSUCCESS) {
+	tf_close();
+	return(INTK_ERR);
+    }
+
+    
+    kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session, 
+			  lifetime, kvno, &tkt, local_time);
+    tf_close();
+
+    return(kerror);
+}
+
+void
+kauth(char *principal, char *ticket)
+{
+    char *p;
+    int ret;
+  
+    if(get_command_prot() != prot_private) {
+	reply(500, "Request denied (bad protection level)");
+	return;
+    }
+    ret = krb_parse_name(principal, &pr);
+    if(ret){
+	reply(500, "Bad principal: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(pr.realm[0] == 0)
+	krb_get_lrealm(pr.realm, 1);
+
+    if(ticket){
+	cip.length = base64_decode(ticket, &cip.dat);
+	if(cip.length == -1){
+	    reply(500, "Failed to decode data.");
+	    return;
+	}
+	ret = store_ticket(&cip);
+	if(ret){
+	    reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	    memset(&cip, 0, sizeof(cip));
+	    return;
+	}
+	do_destroy_tickets = 1;
+
+	if(k_hasafs())
+	    krb_afslog(0, 0);
+	reply(200, "Tickets will be destroyed on exit.");
+	return;
+    }
+    
+    ret = krb_get_in_tkt (pr.name,
+			  pr.instance,
+			  pr.realm,
+			  KRB_TICKET_GRANTING_TICKET,
+			  pr.realm,
+			  DEFAULT_TKT_LIFE,
+			  NULL, save_tkt, NULL);
+    if(ret != INTK_BADPW){
+	reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(base64_encode(cip.dat, cip.length, &p) < 0) {
+	reply(500, "Out of memory while base64-encoding.");
+	return;
+    }
+    reply(300, "P=%s T=%s", krb_unparse_name(&pr), p);
+    free(p);
+    memset(&cip, 0, sizeof(cip));
+}
+
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+void
+klist(void)
+{
+    int err;
+
+    char *file = tkt_string();
+
+    krb_principal pr;
+    
+    char buf1[128], buf2[128];
+    int header = 1;
+    CREDENTIALS c;
+
+    
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    tf_close();
+
+    /* 
+     * We must find the realm of the ticket file here before calling
+     * tf_init because since the realm of the ticket file is not
+     * really stored in the principal section of the file, the
+     * routine we use must itself call tf_init and tf_close.
+     */
+    err = krb_get_tf_realm(file, pr.realm);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_get_pname(pr.name);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    err = tf_get_pinst(pr.instance);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    /* 
+     * You may think that this is the obvious place to get the
+     * realm of the ticket file, but it can't be done here as the
+     * routine to do this must open the ticket file.  This is why 
+     * it was done before tf_init.
+     */
+       
+    lreply(200, "Ticket file: %s", tkt_string());
+
+    lreply(200, "Principal: %s", krb_unparse_name(&pr));
+    while ((err = tf_get_cred(&c)) == KSUCCESS) {
+	if (header) {
+	    lreply(200, "%-15s  %-15s  %s",
+		   "  Issued", "  Expires", "  Principal (kvno)");
+	    header = 0;
+	}
+	strlcpy(buf1, short_date(c.issue_date), sizeof(buf1));
+	c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
+	if (time(0) < (unsigned long) c.issue_date)
+	    strlcpy(buf2, short_date(c.issue_date), sizeof(buf2));
+	else
+	    strlcpy(buf2, ">>> Expired <<< ", sizeof(buf2));
+	lreply(200, "%s  %s  %s (%d)", buf1, buf2,
+	       krb_unparse_name_long(c.service, c.instance, c.realm), c.kvno); 
+    }
+    if (header && err == EOF) {
+	lreply(200, "No tickets in file.");
+    }
+    reply(200, " ");
+}
+
+/*
+ * Only destroy if we created the tickets
+ */
+
+void
+cond_kdestroy(void)
+{
+    if (do_destroy_tickets)
+	dest_tkt();
+    afsunlog();
+}
+
+void
+kdestroy(void)
+{
+    dest_tkt();
+    afsunlog();
+    reply(200, "Tickets destroyed");
+}
+
+void
+krbtkfile(const char *tkfile)
+{
+    do_destroy_tickets = 0;
+    krb_set_tkt_string(tkfile);
+    reply(200, "Using ticket file %s", tkfile);
+}
+
+void
+afslog(const char *cell)
+{
+    if(k_hasafs()) {
+	krb_afslog(cell, 0);
+	reply(200, "afslog done");
+    } else {
+	reply(200, "no AFS present");
+    }
+}
+
+void
+afsunlog(void)
+{
+    if(k_hasafs())
+	k_unlog();
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
new file mode 100644
index 0000000..019cc2d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: logwtmp.c,v 1.14 1999/12/02 16:58:31 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#include "extern.h"
+
+#ifndef WTMP_FILE
+#ifdef _PATH_WTMP
+#define WTMP_FILE _PATH_WTMP
+#else
+#define WTMP_FILE "/var/adm/wtmp"
+#endif
+#endif
+
+void
+ftpd_logwtmp(char *line, char *name, char *host)
+{
+    static int init = 0;
+    static int fd;
+#ifdef WTMPX_FILE
+    static int fdx;
+#endif
+    struct utmp ut;
+#ifdef WTMPX_FILE
+    struct utmpx utx;
+#endif
+
+    memset(&ut, 0, sizeof(struct utmp));
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    if(name[0])
+	ut.ut_type = USER_PROCESS;
+    else
+	ut.ut_type = DEAD_PROCESS;
+#endif
+    strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+    strncpy(ut.ut_name, name, sizeof(ut.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+    ut.ut_pid = getpid();
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+    strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+#endif
+    ut.ut_time = time(NULL);
+
+#ifdef WTMPX_FILE
+    strncpy(utx.ut_line, line, sizeof(utx.ut_line));
+    strncpy(utx.ut_user, name, sizeof(utx.ut_user));
+    strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    utx.ut_syslen = strlen(host) + 1;
+    if (utx.ut_syslen > sizeof(utx.ut_host))
+        utx.ut_syslen = sizeof(utx.ut_host);
+#endif
+    {
+	struct timeval tv;
+
+	gettimeofday (&tv, 0);
+	utx.ut_tv.tv_sec = tv.tv_sec;
+	utx.ut_tv.tv_usec = tv.tv_usec;
+    }
+
+    if(name[0])
+	utx.ut_type = USER_PROCESS;
+    else
+	utx.ut_type = DEAD_PROCESS;
+#endif
+
+    if(!init){
+	fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0);
+#ifdef WTMPX_FILE
+	fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0);
+#endif
+	init = 1;
+    }
+    if(fd >= 0) {
+	write(fd, &ut, sizeof(struct utmp)); /* XXX */
+#ifdef WTMPX_FILE
+	write(fdx, &utx, sizeof(struct utmpx));
+#endif	
+    }
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/ls.c b/crypto/heimdal/appl/ftp/ftpd/ls.c
new file mode 100644
index 0000000..2c85487
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ls.c
@@ -0,0 +1,588 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "ftpd_locl.h"
+
+RCSID("$Id: ls.c,v 1.14 2000/01/05 13:48:58 joda Exp $");
+
+struct fileinfo {
+    struct stat st;
+    int inode;
+    int bsize;
+    char mode[11];
+    int n_link;
+    char *user;
+    char *group;
+    char *size;
+    char *major;
+    char *minor;
+    char *date;
+    char *filename;
+    char *link;
+};
+
+static void
+free_fileinfo(struct fileinfo *f)
+{
+    free(f->user);
+    free(f->group);
+    free(f->size);
+    free(f->major);
+    free(f->minor);
+    free(f->date);
+    free(f->filename);
+    free(f->link);
+}
+
+#define LS_DIRS		 1
+#define LS_IGNORE_DOT	 2
+#define LS_SORT_MODE	 12
+#define SORT_MODE(f) ((f) & LS_SORT_MODE)
+#define LS_SORT_NAME	 4
+#define LS_SORT_MTIME	 8
+#define LS_SORT_SIZE	12
+#define LS_SORT_REVERSE	16
+
+#define LS_SIZE		32
+#define LS_INODE	64
+
+#ifndef S_ISTXT
+#define S_ISTXT S_ISVTX
+#endif
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode)  (((mode) & _S_IFMT) == S_IFSOCK)
+#endif
+
+#ifndef S_ISLNK
+#define S_ISLNK(mode)   (((mode) & _S_IFMT) == S_IFLNK)
+#endif
+
+static void
+make_fileinfo(const char *filename, struct fileinfo *file, int flags)
+{
+    char buf[128];
+    struct stat *st = &file->st;
+
+    file->inode = st->st_ino;
+#ifdef S_BLKSIZE
+    file->bsize = st->st_blocks * S_BLKSIZE / 1024;
+#else
+    file->bsize = st->st_blocks * 512 / 1024;
+#endif
+
+    if(S_ISDIR(st->st_mode))
+	file->mode[0] = 'd';
+    else if(S_ISCHR(st->st_mode))
+	file->mode[0] = 'c';
+    else if(S_ISBLK(st->st_mode))
+	file->mode[0] = 'b';
+    else if(S_ISREG(st->st_mode))
+	file->mode[0] = '-';
+    else if(S_ISFIFO(st->st_mode))
+	file->mode[0] = 'p';
+    else if(S_ISLNK(st->st_mode))
+	file->mode[0] = 'l';
+    else if(S_ISSOCK(st->st_mode))
+	file->mode[0] = 's';
+#ifdef S_ISWHT
+    else if(S_ISWHT(st->st_mode))
+	file->mode[0] = 'w';
+#endif
+    else 
+	file->mode[0] = '?';
+    {
+	char *x[] = { "---", "--x", "-w-", "-wx", 
+		      "r--", "r-x", "rw-", "rwx" };
+	strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]);
+	strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]);
+	strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]);
+	if((st->st_mode & S_ISUID)) {
+	    if((st->st_mode & S_IXUSR))
+		file->mode[3] = 's';
+	    else
+		file->mode[3] = 'S';
+	}
+	if((st->st_mode & S_ISGID)) {
+	    if((st->st_mode & S_IXGRP))
+		file->mode[6] = 's';
+	    else
+		file->mode[6] = 'S';
+	}
+	if((st->st_mode & S_ISTXT)) {
+	    if((st->st_mode & S_IXOTH))
+		file->mode[9] = 't';
+	    else
+		file->mode[9] = 'T';
+	}
+    }
+    file->n_link = st->st_nlink;
+    {
+	struct passwd *pwd;
+	pwd = getpwuid(st->st_uid);
+	if(pwd == NULL)
+	    asprintf(&file->user, "%u", (unsigned)st->st_uid);
+	else
+	    file->user = strdup(pwd->pw_name);
+    }
+    {
+	struct group *grp;
+	grp = getgrgid(st->st_gid);
+	if(grp == NULL)
+	    asprintf(&file->group, "%u", (unsigned)st->st_gid);
+	else
+	    file->group = strdup(grp->gr_name);
+    }
+    
+    if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) {
+#if defined(major) && defined(minor)
+	asprintf(&file->major, "%u", (unsigned)major(st->st_rdev));
+	asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev));
+#else
+	/* Don't want to use the DDI/DKI crap. */
+	asprintf(&file->major, "%u", (unsigned)st->st_rdev);
+	asprintf(&file->minor, "%u", 0);
+#endif
+    } else
+	asprintf(&file->size, "%lu", (unsigned long)st->st_size);
+
+    {
+	time_t t = time(NULL);
+	struct tm *tm = localtime(&st->st_mtime);
+	if((t - st->st_mtime > 6*30*24*60*60) ||
+	   (st->st_mtime - t > 6*30*24*60*60))
+	    strftime(buf, sizeof(buf), "%b %e  %Y", tm);
+	else
+	    strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
+	file->date = strdup(buf);
+    }
+    {
+	const char *p = strrchr(filename, '/');
+	if(p)
+	    p++;
+	else
+	    p = filename;
+	file->filename = strdup(p);
+    }
+    if(S_ISLNK(st->st_mode)) {
+	int n;
+	n = readlink((char *)filename, buf, sizeof(buf));
+	if(n >= 0) {
+	    buf[n] = '\0';
+	    file->link = strdup(buf);
+	} else
+	    warn("%s: readlink", filename);
+    }
+}
+
+static void
+print_file(FILE *out,
+	   int flags,
+	   struct fileinfo *f,
+	   int max_inode,
+	   int max_bsize,
+	   int max_n_link,
+	   int max_user,
+	   int max_group,
+	   int max_size,
+	   int max_major,
+	   int max_minor,
+	   int max_date)
+{
+    if(f->filename == NULL)
+	return;
+
+    if(flags & LS_INODE) {
+	sec_fprintf2(out, "%*d", max_inode, f->inode);
+	sec_fprintf2(out, "  ");
+    }
+    if(flags & LS_SIZE) {
+	sec_fprintf2(out, "%*d", max_bsize, f->bsize);
+	sec_fprintf2(out, "  ");
+    }
+    sec_fprintf2(out, "%s", f->mode);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%*d", max_n_link, f->n_link);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%-*s", max_user, f->user);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%-*s", max_group, f->group);
+    sec_fprintf2(out, "  ");
+    if(f->major != NULL && f->minor != NULL)
+	sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor);
+    else
+	sec_fprintf2(out, "%*s", max_size, f->size);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%*s", max_date, f->date);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%s", f->filename);
+    if(f->link)
+	sec_fprintf2(out, " -> %s", f->link);
+    sec_fprintf2(out, "\r\n");
+}
+
+static int
+compare_filename(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return strcmp(a->filename, b->filename);
+}
+
+static int
+compare_mtime(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return a->st.st_mtime - b->st.st_mtime;
+}
+
+static int
+compare_size(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return a->st.st_size - b->st.st_size;
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags);
+
+static int
+log10(int num)
+{
+    int i = 1;
+    while(num > 10) {
+	i++;
+	num /= 10;
+    }
+    return i;
+}
+
+/*
+ * Operate as lstat but fake up entries for AFS mount points so we don't
+ * have to fetch them.
+ */
+
+static int
+lstat_file (const char *file, struct stat *sb)
+{
+#ifdef KRB4
+    if (k_hasafs() 
+	&& strcmp(file, ".")
+	&& strcmp(file, "..")) 
+    {
+	struct ViceIoctl    a_params;
+	char               *last;
+	char               *path_bkp;
+	static ino_t	   ino_counter = 0, ino_last = 0;
+	int		   ret;
+	const int	   maxsize = 2048;
+	
+	path_bkp = strdup (file);
+	if (path_bkp == NULL)
+	    return -1;
+	
+	a_params.out = malloc (maxsize);
+	if (a_params.out == NULL) { 
+	    free (path_bkp);
+	    return -1;
+	}
+	
+	/* If path contains more than the filename alone - split it */
+	
+	last = strrchr (path_bkp, '/');
+	if (last != NULL) {
+	    *last = '\0';
+	    a_params.in = last + 1;
+	} else
+	    a_params.in = (char *)file;
+	
+	a_params.in_size  = strlen (a_params.in) + 1;
+	a_params.out_size = maxsize;
+	
+	ret = k_pioctl (last ? path_bkp : "." ,
+			VIOC_AFS_STAT_MT_PT, &a_params, 0);
+	free (a_params.out);
+	if (ret < 0) {
+	    free (path_bkp);
+
+	    if (errno != EINVAL)
+		return ret;
+	    else
+		/* if we get EINVAL this is probably not a mountpoint */
+		return lstat (file, sb);
+	}
+
+	/* 
+	 * wow this was a mountpoint, lets cook the struct stat
+	 * use . as a prototype
+	 */
+
+	ret = lstat (path_bkp, sb);
+	free (path_bkp);
+	if (ret < 0)
+	    return ret;
+
+	if (ino_last == sb->st_ino)
+	    ino_counter++;
+	else {
+	    ino_last    = sb->st_ino;
+	    ino_counter = 0;
+	}
+	sb->st_ino += ino_counter;
+	sb->st_nlink = 3;
+
+	return 0;
+    }
+#endif /* KRB4 */
+    return lstat (file, sb);
+}
+
+static void
+list_files(FILE *out, const char **files, int n_files, int flags)
+{
+    struct fileinfo *fi;
+    int i;
+
+    fi = calloc(n_files, sizeof(*fi));
+    if (fi == NULL) {
+	sec_fprintf2(out, "ouf of memory\r\n");
+	return;
+    }
+    for(i = 0; i < n_files; i++) {
+	if(lstat_file(files[i], &fi[i].st) < 0) {
+	    sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno));
+	    fi[i].filename = NULL;
+	} else {
+	    if((flags & LS_DIRS) == 0 && S_ISDIR(fi[i].st.st_mode)) {
+		if(n_files > 1)
+		    sec_fprintf2(out, "%s:\r\n", files[i]);
+		list_dir(out, files[i], flags);
+	    } else {
+		make_fileinfo(files[i], &fi[i], flags);
+	    }
+	}
+    }
+    switch(SORT_MODE(flags)) {
+    case LS_SORT_NAME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_filename);
+	break;
+    case LS_SORT_MTIME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_mtime);
+	break;
+    case LS_SORT_SIZE:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_size);
+	break;
+    }
+    {
+	int max_inode = 0;
+	int max_bsize = 0;
+	int max_n_link = 0;
+	int max_user = 0;
+	int max_group = 0;
+	int max_size = 0;
+	int max_major = 0;
+	int max_minor = 0;
+	int max_date = 0;
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL)
+		continue;
+	    if(fi[i].inode > max_inode)
+		max_inode = fi[i].inode;
+	    if(fi[i].bsize > max_bsize)
+		max_bsize = fi[i].bsize;
+	    if(fi[i].n_link > max_n_link)
+		max_n_link = fi[i].n_link;
+	    if(strlen(fi[i].user) > max_user)
+		max_user = strlen(fi[i].user);
+	    if(strlen(fi[i].group) > max_group)
+		max_group = strlen(fi[i].group);
+	    if(fi[i].major != NULL && strlen(fi[i].major) > max_major)
+		max_major = strlen(fi[i].major);
+	    if(fi[i].minor != NULL && strlen(fi[i].minor) > max_minor)
+		max_minor = strlen(fi[i].minor);
+	    if(fi[i].size != NULL && strlen(fi[i].size) > max_size)
+		max_size = strlen(fi[i].size);
+	    if(strlen(fi[i].date) > max_date)
+		max_date = strlen(fi[i].date);
+	}
+	if(max_size < max_major + max_minor + 2)
+	    max_size = max_major + max_minor + 2;
+	else if(max_size - max_minor - 2 > max_major)
+	    max_major = max_size - max_minor - 2;
+	max_inode = log10(max_inode);
+	max_bsize = log10(max_bsize);
+	max_n_link = log10(max_n_link);
+
+	if(flags & LS_SORT_REVERSE)
+	    for(i = n_files - 1; i >= 0; i--)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+	else
+	    for(i = 0; i < n_files; i++)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+	for(i = 0; i < n_files; i++)
+	    free_fileinfo(&fi[i]);
+	free(fi);
+    }
+}
+
+static void
+free_files (char **files, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	free (files[i]);
+    free (files);
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags)
+{
+    DIR *d = opendir(directory);
+    struct dirent *ent;
+    char **files = NULL;
+    int n_files = 0;
+
+    if(d == NULL) {
+	sec_fprintf2(out, "%s: %s\r\n", directory, strerror(errno));
+	return;
+    }
+    while((ent = readdir(d)) != NULL) {
+	void *tmp;
+
+	if(ent->d_name[0] == '.') {
+	    if (flags & LS_IGNORE_DOT)
+	        continue;
+	    if (ent->d_name[1] == 0) /* Ignore . */
+	        continue;
+	    if (ent->d_name[1] == '.' && ent->d_name[2] == 0) /* Ignore .. */
+	        continue;
+	}
+	tmp = realloc(files, (n_files + 1) * sizeof(*files));
+	if (tmp == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	files = tmp;
+	asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
+	if (files[n_files] == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	++n_files;
+    }
+    closedir(d);
+    list_files(out, (const char**)files, n_files, flags | LS_DIRS);
+}
+
+void
+builtin_ls(FILE *out, const char *file)
+{
+    int flags = LS_SORT_NAME;
+
+    if(*file == '-') {
+	const char *p;
+	for(p = file + 1; *p; p++) {
+	    switch(*p) {
+	    case 'a':
+	    case 'A':
+		flags &= ~LS_IGNORE_DOT;
+		break;
+	    case 'C':
+		break;
+	    case 'd':
+		flags |= LS_DIRS;
+		break;
+	    case 'f':
+		flags = (flags & ~LS_SORT_MODE);
+		break;
+	    case 'i':
+		flags |= flags | LS_INODE;
+		break;
+	    case 'l':
+		break;
+	    case 't':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
+		break;
+	    case 's':
+		flags |= LS_SIZE;
+		break;
+	    case 'S':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE;
+		break;
+	    case 'r':
+		flags |= LS_SORT_REVERSE;
+		break;
+	    }
+	}
+	file = ".";
+    }
+    list_files(out, &file, 1, flags);
+    sec_fflush(out);
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/pathnames.h b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
new file mode 100644
index 0000000..ff2041b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/4/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#define	_PATH_FTPUSERS		"/etc/ftpusers"
+#define	_PATH_FTPCHROOT		"/etc/ftpchroot"
+#define	_PATH_FTPWELCOME	"/etc/ftpwelcome"
+#define	_PATH_FTPLOGINMESG	"/etc/motd"
+
+#define _PATH_ISSUE		"/etc/issue"
+#define _PATH_ISSUE_NET		"/etc/issue.net"
diff --git a/crypto/heimdal/appl/ftp/ftpd/popen.c b/crypto/heimdal/appl/ftp/ftpd/popen.c
new file mode 100644
index 0000000..5f36813
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/popen.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software written by Ken Arnold and
+ * published in UNIX Review, Vol. 6, No. 8.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: popen.c,v 1.19 1999/09/16 20:38:45 assar Exp $");
+#endif
+
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <glob.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "extern.h"
+
+#include <roken.h>
+
+/* 
+ * Special version of popen which avoids call to shell.  This ensures
+ * no one may create a pipe to a hidden program as a side effect of a
+ * list or dir command.
+ */
+static int *pids;
+static int fds;
+
+extern int dochroot;
+
+/* return path prepended with ~ftp if that file exists, otherwise
+ * return path unchanged
+ */
+
+const char *
+ftp_rooted(const char *path)
+{
+    static char home[MaxPathLen] = "";
+    static char newpath[MaxPathLen];
+    struct passwd *pwd;
+
+    if(!home[0])
+	if((pwd = k_getpwnam("ftp")))
+	    strlcpy(home, pwd->pw_dir, sizeof(home));
+    snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
+    if(access(newpath, X_OK))
+	strlcpy(newpath, path, sizeof(newpath));
+    return newpath;
+}
+
+
+FILE *
+ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
+{
+	char *cp;
+	FILE *iop;
+	int argc, gargc, pdes[2], pid;
+	char **pop, *argv[100], *gargv[1000];
+	char *foo;
+
+	if (strcmp(type, "r") && strcmp(type, "w"))
+		return (NULL);
+
+	if (!pids) {
+
+	    /* This function is ugly and should be rewritten, in
+	     * modern unices there is no such thing as a maximum
+	     * filedescriptor.
+	     */
+
+	    fds = getdtablesize();
+	    pids = (int*)calloc(fds, sizeof(int));
+	    if(!pids)
+		return NULL;
+	}
+	if (pipe(pdes) < 0)
+		return (NULL);
+
+	/* break up string into pieces */
+	foo = NULL;
+	for (argc = 0, cp = program;; cp = NULL) {
+		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
+			break;
+	}
+
+	gargv[0] = (char*)ftp_rooted(argv[0]);
+	/* glob each piece */
+	for (gargc = argc = 1; argv[argc]; argc++) {
+		glob_t gl;
+		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+		memset(&gl, 0, sizeof(gl));
+		if (no_glob || glob(argv[argc], flags, NULL, &gl))
+			gargv[gargc++] = strdup(argv[argc]);
+		else
+			for (pop = gl.gl_pathv; *pop; pop++)
+				gargv[gargc++] = strdup(*pop);
+		globfree(&gl);
+	}
+	gargv[gargc] = NULL;
+
+	iop = NULL;
+	switch(pid = fork()) {
+	case -1:			/* error */
+		close(pdes[0]);
+		close(pdes[1]);
+		goto pfree;
+		/* NOTREACHED */
+	case 0:				/* child */
+		if (*type == 'r') {
+			if (pdes[1] != STDOUT_FILENO) {
+				dup2(pdes[1], STDOUT_FILENO);
+				close(pdes[1]);
+			}
+			if(do_stderr)
+			    dup2(STDOUT_FILENO, STDERR_FILENO);
+			close(pdes[0]);
+		} else {
+			if (pdes[0] != STDIN_FILENO) {
+				dup2(pdes[0], STDIN_FILENO);
+				close(pdes[0]);
+			}
+			close(pdes[1]);
+		}
+		execv(gargv[0], gargv);
+		gargv[0] = argv[0];
+		execv(gargv[0], gargv);
+		_exit(1);
+	}
+	/* parent; assume fdopen can't fail...  */
+	if (*type == 'r') {
+		iop = fdopen(pdes[0], type);
+		close(pdes[1]);
+	} else {
+		iop = fdopen(pdes[1], type);
+		close(pdes[0]);
+	}
+	pids[fileno(iop)] = pid;
+	
+pfree:	
+	for (argc = 1; gargv[argc] != NULL; argc++)
+	    free(gargv[argc]);
+
+
+	return (iop);
+}
+
+int
+ftpd_pclose(FILE *iop)
+{
+	int fdes, status;
+	pid_t pid;
+	sigset_t sigset, osigset;
+
+	/*
+	 * pclose returns -1 if stream is not associated with a
+	 * `popened' command, or, if already `pclosed'.
+	 */
+	if (pids == 0 || pids[fdes = fileno(iop)] == 0)
+		return (-1);
+	fclose(iop);
+	sigemptyset(&sigset);
+	sigaddset(&sigset, SIGINT);
+	sigaddset(&sigset, SIGQUIT);
+	sigaddset(&sigset, SIGHUP);
+	sigprocmask(SIG_BLOCK, &sigset, &osigset);
+	while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR)
+		continue;
+	sigprocmask(SIG_SETMASK, &osigset, NULL);
+	pids[fdes] = 0;
+	if (pid < 0)
+		return (pid);
+	if (WIFEXITED(status))
+		return (WEXITSTATUS(status));
+	return (1);
+}
diff --git a/crypto/heimdal/appl/kauth/ChangeLog b/crypto/heimdal/appl/kauth/ChangeLog
new file mode 100644
index 0000000..ac0491f
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/ChangeLog
@@ -0,0 +1,39 @@
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c (doit_host): NAT work-around
+	* kauthd.c (doit): type correctness
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* kauthd.c: use getnameinfo instead of inaddr2str and inet_ntoa
+
+1999-08-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kauth.c: cleanup usage string; handle `kauth -h' gracefully
+	(print usage); add `-a' flag to get the ticket address (useful for
+	firewall configurations)
+
+Thu Apr 15 15:05:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kauth.c: add `-v'
+
+Thu Mar 18 11:17:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sun Nov 22 10:30:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Tue May 26 17:41:47 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: use krb_enable_debug
+
+Fri May  1 07:15:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c: unifdef -DHAVE_H_ERRNO
+
+Thu Mar 19 16:07:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: Check for negative return value from krb_afslog().
+
diff --git a/crypto/heimdal/appl/kauth/Makefile.am b/crypto/heimdal/appl/kauth/Makefile.am
new file mode 100644
index 0000000..a5bf0fdaca
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/Makefile.am
@@ -0,0 +1,42 @@
+# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = kauth
+bin_SCRIPTS = ksrvtgt
+libexec_PROGRAMS = kauthd
+
+EXTRA_DIST = zrefresh ksrvtgt.in
+
+kauth_SOURCES = \
+	kauth.c \
+	kauth.h \
+	rkinit.c \
+	marshall.c \
+	encdata.c
+
+kauthd_SOURCES = \
+	kauthd.c \
+	kauth.h \
+	marshall.c \
+	encdata.c
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+install-exec-local:
+	if test -f $(bindir)/zrefresh -o -r  $(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5)				\
+	$(LIB_krb4)				\
+	$(top_builddir)/lib/des/libdes.la	\
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/kauth/Makefile.in b/crypto/heimdal/appl/kauth/Makefile.in
new file mode 100644
index 0000000..f9c005f
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/Makefile.in
@@ -0,0 +1,739 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = kauth
+bin_SCRIPTS = ksrvtgt
+libexec_PROGRAMS = kauthd
+
+EXTRA_DIST = zrefresh ksrvtgt.in
+
+kauth_SOURCES =  	kauth.c 	kauth.h 	rkinit.c 	marshall.c 	encdata.c
+
+
+kauthd_SOURCES =  	kauthd.c 	kauth.h 	marshall.c 	encdata.c
+
+
+LDADD =  	$(LIB_kafs)					$(LIB_krb5)					$(LIB_krb4)					$(top_builddir)/lib/des/libdes.la		$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kauth$(EXEEXT)
+libexec_PROGRAMS =  kauthd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+kauth_OBJECTS =  kauth.$(OBJEXT) rkinit.$(OBJEXT) marshall.$(OBJEXT) \
+encdata.$(OBJEXT)
+kauth_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@kauth_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@kauth_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@kauth_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@kauth_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+kauth_LDFLAGS = 
+kauthd_OBJECTS =  kauthd.$(OBJEXT) marshall.$(OBJEXT) encdata.$(OBJEXT)
+kauthd_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@kauthd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@kauthd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@kauthd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@kauthd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+kauthd_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kauth_SOURCES) $(kauthd_SOURCES)
+OBJECTS = $(kauth_OBJECTS) $(kauthd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kauth/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES)
+	@rm -f kauth$(EXEEXT)
+	$(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS)
+
+kauthd$(EXEEXT): $(kauthd_OBJECTS) $(kauthd_DEPENDENCIES)
+	@rm -f kauthd$(EXEEXT)
+	$(LINK) $(kauthd_LDFLAGS) $(kauthd_OBJECTS) $(kauthd_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else :; fi; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/kauth
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-binSCRIPTS install-exec-local
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-binSCRIPTS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-local install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+install-exec-local:
+	if test -f $(bindir)/zrefresh -o -r  $(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kauth/encdata.c b/crypto/heimdal/appl/kauth/encdata.c
new file mode 100644
index 0000000..886f549
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/encdata.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: encdata.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule,
+		 des_cblock *session, struct sockaddr_in *me,
+		 struct sockaddr_in *him)
+{
+     void *outbuf;
+     int32_t outlen, l;
+     int i;
+     unsigned char tmp[4];
+
+     outbuf = malloc(len + 30);
+     if (outbuf == NULL)
+	  return -1;
+     outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him);
+     if (outlen < 0) {
+	  free(outbuf);
+	  return -1;
+     }
+     l = outlen;
+     for(i = 3; i >= 0; i--, l = l >> 8)
+	 tmp[i] = l & 0xff;
+     if (krb_net_write (fd, tmp, 4) != 4 ||
+	 krb_net_write (fd, outbuf, outlen) != outlen) {
+	  free(outbuf);
+	  return -1;
+     }
+     
+     free(outbuf);
+     return 0;
+}
+
+
+int
+read_encrypted (int fd, void *buf, size_t len, void **ret,
+		des_key_schedule schedule, des_cblock *session,
+		struct sockaddr_in *him, struct sockaddr_in *me)
+{
+     int status;
+     int32_t l;
+     MSG_DAT msg;
+     unsigned char tmp[4];
+
+     l = krb_net_read (fd, tmp, 4);
+     if (l != 4)
+	 return l;
+     l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+     if (l > len)
+	  return -1;
+     if (krb_net_read (fd, buf, l) != l)
+	  return -1;
+     status = krb_rd_priv (buf, l, schedule, session, him, me, &msg);
+     if (status != RD_AP_OK) {
+	  fprintf (stderr, "read_encrypted: %s\n",
+		   krb_get_err_text(status));
+	  return -1;
+     }
+     *ret  = msg.app_data;
+     return  msg.app_length;
+}
diff --git a/crypto/heimdal/appl/kauth/kauth.c b/crypto/heimdal/appl/kauth/kauth.c
new file mode 100644
index 0000000..13448a0
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauth.c
@@ -0,0 +1,385 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Little program that reads an srvtab or password and
+ * creates a suitable ticketfile and associated AFS tokens.
+ *
+ * If an optional command is given the command is executed in a
+ * new PAG and when the command exits the tickets are destroyed.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauth.c,v 1.97 1999/12/02 16:58:31 joda Exp $");
+
+krb_principal princ;
+static char srvtab[MaxPathLen];
+static int lifetime = DEFAULT_TKT_LIFE;
+static char remote_tktfile[MaxPathLen];
+static char remoteuser[100];
+static char *cell = 0;
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "Usage:\n"
+	    "  %s [name]\n"
+	    "or\n"
+	    "  %s [-ad] [-n name] [-r remoteuser] [-t remote ticketfile]\n"
+	    "        [-l lifetime (in minutes) ] [-f srvtab ] [-c AFS cell name ]\n"
+	    "        [-h hosts... [--]] [command ... ]\n\n",
+	    __progname, __progname);
+    fprintf(stderr, 
+	    "A fully qualified name can be given: user[.instance][@realm]\n"
+	    "Realm is converted to uppercase!\n");
+    exit(1);
+}
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+static int
+doexec(int argc, char **argv)
+{
+    int ret = simple_execvp(argv[0], argv);
+    if(ret == -2)
+	warn ("fork");
+    if(ret == -3)
+	warn("waitpid");
+    if(ret < 0)
+	return EX_NOEXEC;
+    if(ret == EX_NOEXEC || ret == EX_NOTFOUND)
+	warnx("Can't exec program ``%s''", argv[0]);
+	
+    return ret;
+}
+
+static RETSIGTYPE
+renew(int sig)
+{
+    int code;
+
+    signal(SIGALRM, renew);
+
+    code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm,
+			      KRB_TICKET_GRANTING_TICKET,
+			      princ.realm, lifetime, srvtab);
+    if (code)
+	warnx ("%s", krb_get_err_text(code));
+    else if (k_hasafs())
+	{
+	    if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+		warnx ("%s", krb_get_err_text(code));
+	    }
+	}
+
+    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+    SIGRETURN(0);
+}
+
+static int
+zrefresh(void)
+{
+    switch (fork()) {
+    case -1:
+	err (1, "Warning: Failed to fork zrefresh");
+	return -1;
+    case 0:
+	/* Child */
+	execlp("zrefresh", "zrefresh", 0);
+	execl(BINDIR "/zrefresh", "zrefresh", 0);
+	exit(1);
+    default:
+	/* Parent */
+	break;
+    }
+    return 0;
+}
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+    memcpy(key, arg, sizeof(des_cblock));
+    return 0;
+}
+
+static int
+get_ticket_address(krb_principal *princ, des_cblock *key)
+{
+    int code;
+    unsigned char flags;
+    krb_principal service;
+    u_int32_t addr;
+    struct in_addr addr2;
+    des_cblock session;
+    int life;
+    u_int32_t time_sec;
+    des_key_schedule schedule;
+    CREDENTIALS c;
+	
+    code = get_ad_tkt(princ->name, princ->instance, princ->realm, 0);
+    if(code) {
+	warnx("get_ad_tkt: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    code = krb_get_cred(princ->name, princ->instance, princ->realm, &c);
+    if(code) {
+	warnx("krb_get_cred: %s\n", krb_get_err_text(code));
+	return code;
+    }
+
+    des_set_key(key, schedule);
+    code = decomp_ticket(&c.ticket_st, 
+			 &flags,
+			 princ->name,
+			 princ->instance,
+			 princ->realm,
+			 &addr,
+			 session,
+			 &life,
+			 &time_sec,
+			 service.name,
+			 service.instance,
+			 key,
+			 schedule);
+    if(code) {
+	warnx("decomp_ticket: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    memset(&session, 0, sizeof(session));
+    memset(schedule, 0, sizeof(schedule));
+    addr2.s_addr = addr;
+    fprintf(stdout, "ticket address = %s\n", inet_ntoa(addr2));
+} 
+
+
+int
+main(int argc, char **argv)
+{
+    int code, more_args;
+    int ret;
+    int c;
+    char *file;
+    int pflag = 0;
+    int aflag = 0;
+    int version_flag = 0;
+    char passwd[100];
+    des_cblock key;
+    char **host;
+    int nhost;
+    char tf[MaxPathLen];
+
+    set_progname (argv[0]);
+
+    if ((file =  getenv("KRBTKFILE")) == 0)
+	file = TKT_FILE;  
+
+    memset(&princ, 0, sizeof(princ));
+    memset(srvtab, 0, sizeof(srvtab));
+    *remoteuser = '\0';
+    nhost = 0;
+    host = NULL;
+  
+    /* Look for kerberos name */
+    if (argc > 1 &&
+	argv[1][0] != '-' &&
+	krb_parse_name(argv[1], &princ) == 0)
+      {
+	argc--; argv++;
+	strupr(princ.realm);
+      }
+
+    while ((c = getopt(argc, argv, "ar:t:f:hdl:n:c:v")) != -1)
+	switch (c) {
+	case 'a':
+	    aflag++;
+	    break;
+	case 'd':
+	    krb_enable_debug();
+	    _kafs_debug = 1;
+	    aflag++;
+	    break;
+	case 'f':
+	    strlcpy(srvtab, optarg, sizeof(srvtab));
+	    break;
+	case 't':
+	    strlcpy(remote_tktfile, optarg, sizeof(remote_tktfile));
+	    break;
+	case 'r':
+	    strlcpy(remoteuser, optarg, sizeof(remoteuser));
+	    break;
+	case 'l':
+	    lifetime = atoi(optarg);
+	    if (lifetime == -1)
+		lifetime = 255;
+	    else if (lifetime < 5)
+		lifetime = 1;
+	    else
+		lifetime = krb_time_to_life(0, lifetime*60);
+	    if (lifetime > 255)
+		lifetime = 255;
+	    break;
+	case 'n':
+	    if ((code = krb_parse_name(optarg, &princ)) != 0) {
+		warnx ("%s", krb_get_err_text(code));
+		usage();
+	    }
+	    strupr(princ.realm);
+	    pflag = 1;
+	    break;
+	case 'c':
+	    cell = optarg;
+	    break;
+	case 'h':
+	    host = argv + optind;
+	    for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind)
+		++nhost;
+	    if(nhost == 0)
+		usage();
+	    break;
+	case 'v':
+	    version_flag++;
+	    print_version(NULL);
+	    break;
+	case '?':
+	default:
+	    usage();
+	    break;
+	}
+  
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if (princ.name[0] == '\0' && krb_get_default_principal (princ.name, 
+							    princ.instance, 
+							    princ.realm) < 0)
+	errx (1, "Could not get default principal");
+  
+    /* With root tickets assume remote user is root */
+    if (*remoteuser == '\0') {
+      if (strcmp(princ.instance, "root") == 0)
+	strlcpy(remoteuser, princ.instance, sizeof(remoteuser));
+      else
+	strlcpy(remoteuser, princ.name, sizeof(remoteuser));
+    }
+
+    more_args = argc - optind;
+  
+    if (princ.realm[0] == '\0')
+	if (krb_get_lrealm(princ.realm, 1) != KSUCCESS)
+	    strlcpy(princ.realm, KRB_REALM, REALM_SZ);
+  
+    if (more_args) {
+	int f;
+      
+	do{
+	    snprintf(tf, sizeof(tf), "%s%u_%u", TKT_ROOT, (unsigned)getuid(),
+		     (unsigned)(getpid()*time(0)));
+	    f = open(tf, O_CREAT|O_EXCL|O_RDWR);
+	}while(f < 0);
+	close(f);
+	unlink(tf);
+	setenv("KRBTKFILE", tf, 1);
+	krb_set_tkt_string (tf);
+    }
+    
+    if (srvtab[0])
+	{
+	    signal(SIGALRM, renew);
+
+	    code = read_service_key (princ.name, princ.instance, princ.realm, 0, 
+				     srvtab, (char *)&key);
+	    if (code == KSUCCESS)
+		code = krb_get_in_tkt(princ.name, princ.instance, princ.realm,
+				      KRB_TICKET_GRANTING_TICKET,
+				      princ.realm, lifetime,
+				      key_to_key, NULL, key);
+	    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+	}
+    else {
+	char prompt[128];
+	  
+	snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ));
+	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+	    memset(passwd, 0, sizeof(passwd));
+	    exit(1);
+	}
+	code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, 
+				  KRB_TICKET_GRANTING_TICKET, princ.realm, 
+				  lifetime, passwd, &key);
+	
+	memset(passwd, 0, sizeof(passwd));
+    }
+    if (code) {
+	memset (key, 0, sizeof(key));
+	errx (1, "%s", krb_get_err_text(code));
+    }
+
+    if(aflag)
+	get_ticket_address(&princ, &key);
+
+    if (k_hasafs()) {
+	if (more_args)
+	    k_setpag();
+	if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+	    if(code > 0)
+		warnx ("%s", krb_get_err_text(code));
+	    else
+		warnx ("failed to store AFS token");
+	}
+    }
+
+    for(ret = 0; nhost-- > 0; host++)
+	ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host);
+  
+    if (ret)
+	return ret;
+
+    if (more_args) {
+	ret = doexec(more_args, &argv[optind]);
+	dest_tkt();
+	if (k_hasafs())
+	    k_unlog();	 
+    }
+    else
+	zrefresh();
+  
+    return ret;
+}
diff --git a/crypto/heimdal/appl/kauth/kauth.h b/crypto/heimdal/appl/kauth/kauth.h
new file mode 100644
index 0000000..32243c7
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauth.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kauth.h,v 1.21 1999/12/02 16:58:31 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <signal.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <err.h>
+
+#include <krb.h>
+#include <kafs.h>
+
+#include <roken.h>
+
+#define KAUTH_PORT 2120
+
+#define KAUTH_VERSION "RKINIT.0"
+
+int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*);
+
+int write_encrypted (int, void*, size_t, des_key_schedule,
+		     des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int read_encrypted (int, void*, size_t, void **, des_key_schedule,
+		    des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int pack_args (char *, size_t, krb_principal*, int, const char*, const char*);
+
+int unpack_args (const char*, krb_principal*, int*, char*, char*);
diff --git a/crypto/heimdal/appl/kauth/kauthd.c b/crypto/heimdal/appl/kauth/kauthd.c
new file mode 100644
index 0000000..520730a
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauthd.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauthd.c,v 1.27 1999/12/06 16:46:05 assar Exp $");
+
+krb_principal princ;
+static char locuser[SNAME_SZ];
+static int  lifetime;
+static char tktfile[MaxPathLen];
+
+struct remote_args {
+     int sock;
+     des_key_schedule *schedule;
+     des_cblock *session;
+     struct sockaddr_in *me, *her;
+};
+
+static int
+decrypt_remote_tkt (const char *user,
+		    const char *inst,
+		    const char *realm,
+		    const void *varg,
+		    key_proc_t key_proc,
+		    KTEXT *cipp)
+{
+     char buf[BUFSIZ];
+     void *ptr;
+     int len;
+     KTEXT cip  = *cipp;
+     struct remote_args *args = (struct remote_args *)varg;
+
+     write_encrypted (args->sock, cip->dat, cip->length,
+		      *args->schedule, args->session, args->me,
+		      args->her);
+     len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule,
+			   args->session, args->her, args->me);
+     memcpy(cip->dat, ptr, cip->length);
+	  
+     return 0;
+}
+
+static int
+doit(int sock)
+{
+     int status;
+     KTEXT_ST ticket;
+     AUTH_DAT auth;
+     char instance[INST_SZ];
+     des_key_schedule schedule;
+     struct sockaddr_in thisaddr, thataddr;
+     int addrlen;
+     int len;
+     char buf[BUFSIZ];
+     void *data;
+     struct passwd *passwd;
+     char version[KRB_SENDAUTH_VLEN + 1];
+     char remotehost[MaxHostNameLen];
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	  return 1;
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	  return 1;
+     }
+
+     getnameinfo_verified ((struct sockaddr *)&thataddr, sizeof(thataddr),
+			   remotehost, sizeof(remotehost),
+			   NULL, 0, 0);
+
+     k_getsockinst (sock, instance, sizeof(instance));
+     status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance,
+			    &thataddr, &thisaddr, &auth, "", schedule,
+			    version);
+     if (status != KSUCCESS ||
+	 strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	  return 1;
+     }
+     len = read_encrypted (sock, buf, sizeof(buf), &data, schedule,
+			   &auth.session, &thataddr, &thisaddr);
+     if (len < 0) {
+	  write_encrypted (sock, "read_enc failed",
+			   sizeof("read_enc failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (unpack_args(data, &princ, &lifetime, locuser,
+		     tktfile)) {
+	  write_encrypted (sock, "unpack_args failed",
+			   sizeof("unpack_args failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+
+     if( kuserok(&auth, locuser) != 0) {
+	 snprintf(buf, sizeof(buf), "%s cannot get tickets for %s",
+		  locuser, krb_unparse_name(&princ));
+	 syslog (LOG_ERR, buf);
+	 write_encrypted (sock, buf, strlen(buf), schedule,
+			  &auth.session, &thisaddr, &thataddr);
+	 return 1;
+     }
+     passwd = k_getpwnam (locuser);
+     if (passwd == NULL) {
+	  snprintf (buf, sizeof(buf), "No user '%s'", locuser);
+	  syslog (LOG_ERR, buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (setgid (passwd->pw_gid) ||
+	 initgroups(passwd->pw_name, passwd->pw_gid) ||
+	 setuid(passwd->pw_uid)) {
+	  snprintf (buf, sizeof(buf), "Could not change user");
+	  syslog (LOG_ERR, buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+		      &auth.session, &thisaddr, &thataddr);
+
+     if (*tktfile == 0)
+	 snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid());
+     krb_set_tkt_string (tktfile);
+
+     {
+	  struct remote_args arg;
+
+	  arg.sock     = sock;
+	  arg.schedule = &schedule;
+	  arg.session  = &auth.session;
+	  arg.me       = &thisaddr;
+	  arg.her      = &thataddr;
+
+	  status = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+				   KRB_TICKET_GRANTING_TICKET,
+				   princ.realm,
+				   lifetime, NULL, decrypt_remote_tkt, &arg);
+     }
+     if (status == KSUCCESS) {
+	 char remoteaddr[INET6_ADDRSTRLEN];
+
+	 getnameinfo ((struct sockaddr *)&thataddr, sizeof(thataddr),
+		      remoteaddr, sizeof(remoteaddr),
+		      NULL, 0, NI_NUMERICHOST);
+
+	 syslog (LOG_INFO, "from %s(%s): %s -> %s",
+		 remotehost, remoteaddr,
+		 locuser,
+		 krb_unparse_name (&princ));
+	  write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 0;
+     } else {
+	  snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status));
+	  syslog (LOG_NOTICE, buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+}
+
+int
+main (int argc, char **argv)
+{
+    openlog ("kauthd", LOG_ODELAY, LOG_AUTH);
+
+    if(argc > 1 && strcmp(argv[1], "-i") == 0)
+	mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT)));
+    return doit(STDIN_FILENO);
+}
diff --git a/crypto/heimdal/appl/kauth/ksrvtgt.in b/crypto/heimdal/appl/kauth/ksrvtgt.in
new file mode 100755
index 0000000..c2f33bb
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/ksrvtgt.in
@@ -0,0 +1,14 @@
+#! /bin/sh
+# $Id: ksrvtgt.in,v 1.3 1997/09/13 03:39:03 joda Exp $
+
+usage="Usage: `basename $0` name instance [[realm] srvtab]"
+
+if [ $# -lt 2 -o $# -gt 4 ]; then
+	echo "$usage"
+	exit 1
+fi
+
+srvtab="${4-${3-/etc/srvtab}}"
+realm="${4+@$3}"
+
+%bindir%/kauth -n "$1.$2$realm" -l 5 -f "$srvtab"
diff --git a/crypto/heimdal/appl/kauth/marshall.c b/crypto/heimdal/appl/kauth/marshall.c
new file mode 100644
index 0000000..e37b8c9
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/marshall.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: marshall.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+pack_args (char *buf,
+	   size_t sz,
+	   krb_principal *pr,
+	   int lifetime,
+	   const char *locuser,
+	   const char *tktfile)
+{
+    char *p = buf;
+    int len;
+
+    p = buf;
+
+    len = strlen(pr->name);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->name, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->instance);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->instance, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->realm);
+    if (len >= sz)
+	return -1;
+    memcpy(p, pr->realm, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    if (sz < 1)
+	return -1;
+    *p++ = (unsigned char)lifetime;
+
+    len = strlen(locuser);
+    if (len >= sz)
+	return -1;
+    memcpy (p, locuser, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(tktfile);
+    if (len >= sz)
+	return -1;
+    memcpy (p, tktfile, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    return p - buf;
+}
+
+int
+unpack_args (const char *buf, krb_principal *pr, int *lifetime,
+	     char *locuser, char *tktfile)
+{
+    int len;
+
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (pr->name, buf, ANAME_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= INST_SZ)
+	return -1;
+    strlcpy (pr->instance, buf, INST_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= REALM_SZ)
+	return -1;
+    strlcpy (pr->realm, buf, REALM_SZ);
+    buf += len + 1;
+    *lifetime = (unsigned char)*buf++;
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (locuser, buf, SNAME_SZ);
+    buf += len + 1;
+    len = strlen(buf);
+    if (len >= MaxPathLen)
+	return -1;
+    strlcpy (tktfile, buf, MaxPathLen);
+    buf += len + 1;
+    return 0;
+}
diff --git a/crypto/heimdal/appl/kauth/rkinit.c b/crypto/heimdal/appl/kauth/rkinit.c
new file mode 100644
index 0000000..d4b07c6
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/rkinit.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: rkinit.c,v 1.23 1999/12/06 17:07:20 assar Exp $");
+
+static struct in_addr *
+getalladdrs (char *hostname, unsigned *count)
+{
+    struct hostent *hostent;
+    struct in_addr **h;
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned maxaddr;
+
+    hostent = gethostbyname (hostname);
+    if (hostent == NULL) {
+	warnx ("gethostbyname '%s' failed: %s\n",
+	       hostname,
+	       hstrerror(h_errno));
+	return NULL;
+    }
+    maxaddr = 1;
+    naddr = 0;
+    addr = malloc(sizeof(*addr) * maxaddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    for (h = (struct in_addr **)(hostent->h_addr_list);
+	 *h != NULL;
+	 h++) {
+	if (naddr >= maxaddr) {
+	    maxaddr *= 2;
+	    addr = realloc (addr, sizeof(*addr) * maxaddr);
+	    if (addr == NULL) {
+		warnx ("out of memory");
+		return NULL;
+	    }
+	}
+	addr[naddr++] = **h;
+    }
+    addr = realloc (addr, sizeof(*addr) * naddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    *count = naddr;
+    return addr;
+}
+
+static int
+doit_host (krb_principal *princ, int lifetime, char *locuser, 
+	   char *tktfile, des_cblock *key, int s, char *hostname)
+{
+    char buf[BUFSIZ];
+    int inlen;
+    KTEXT_ST text;
+    CREDENTIALS cred;
+    MSG_DAT msg;
+    int status;
+    des_key_schedule schedule;
+    struct sockaddr_in thisaddr, thataddr;
+    int addrlen;
+    void *ret;
+
+    addrlen = sizeof(thisaddr);
+    if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	addrlen != sizeof(thisaddr)) {
+	warn ("getsockname(%s)", hostname);
+	return 1;
+    }
+    addrlen = sizeof(thataddr);
+    if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	addrlen != sizeof(thataddr)) {
+	warn ("getpeername(%s)", hostname);
+	return 1;
+    }
+
+    if (krb_get_config_bool("nat_in_use")) {
+	struct in_addr natAddr;
+
+	if (krb_get_our_ip_for_realm(krb_realmofhost(hostname),
+				     &natAddr) == KSUCCESS
+	    || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
+	    thisaddr.sin_addr = natAddr;
+    }
+
+    status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			   hostname, krb_realmofhost (hostname),
+			   getpid(), &msg, &cred, schedule,
+			   &thisaddr, &thataddr, KAUTH_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s\n", hostname, krb_get_err_text(status));
+	return 1;
+    }
+    inlen = pack_args (buf, sizeof(buf),
+		       princ, lifetime, locuser, tktfile);
+    if (inlen < 0) {
+	warn ("cannot marshall arguments to %s", hostname);
+	return 1;
+    }
+
+    if (write_encrypted(s, buf, inlen, schedule, &cred.session,
+			&thisaddr, &thataddr) < 0) {
+	warn ("write to %s", hostname);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s failed", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+     
+    {
+	des_key_schedule key_s;
+
+	des_key_sched(key, key_s);
+	des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT);
+	memset(key_s, 0, sizeof(key_s));
+    }
+    write_encrypted (s, ret, inlen, schedule, &cred.session,
+		     &thisaddr, &thataddr);
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+    return 0;
+}
+
+int
+rkinit (krb_principal *princ, int lifetime, char *locuser, 
+	char *tktfile, des_cblock *key, char *hostname)
+{
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned i;
+    int port;
+    int success;
+
+    addr = getalladdrs (hostname, &naddr);
+    if (addr == NULL)
+	return 1;
+    port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT));
+    success = 0;
+    for (i = 0; !success && i < naddr; ++i) {
+	struct sockaddr_in a;
+	int s;
+
+	memset(&a, 0, sizeof(a));
+	a.sin_family = AF_INET;
+	a.sin_port   = port;
+	a.sin_addr   = addr[i];
+
+	s = socket (AF_INET, SOCK_STREAM, 0);
+	if (s < 0) {
+	    warn("socket");
+	    return 1;
+	}
+	if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) {
+	    warn("connect(%s)", hostname);
+	    continue;
+	}
+
+	success = success || !doit_host (princ, lifetime,
+					 locuser, tktfile, key,
+					 s, hostname);
+	close (s);
+    }
+    return !success;
+}
diff --git a/crypto/heimdal/appl/kauth/zrefresh b/crypto/heimdal/appl/kauth/zrefresh
new file mode 100755
index 0000000..8347a1b
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/zrefresh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# 
+# @(#) $Id: zrefresh,v 1.3 1996/06/09 19:21:59 joda Exp $
+#
+# Substitute this script with a real zrefresh if running Zephyr. For
+# instance:
+#
+# if [ -f "$WGFILE" ] ; then
+#     zctl load
+# fi
+
+exit 0
diff --git a/crypto/heimdal/appl/kf/Makefile.am b/crypto/heimdal/appl/kf/Makefile.am
new file mode 100644
index 0000000..44b7069
--- /dev/null
+++ b/crypto/heimdal/appl/kf/Makefile.am
@@ -0,0 +1,14 @@
+# $Id: Makefile.am,v 1.1 1999/07/22 11:36:26 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_PROGRAMS = kf kfd
+
+kf_SOURCES = kf.c kf_locl.h
+
+kfd_SOURCES = kfd.c kf_locl.h
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/kf/Makefile.in b/crypto/heimdal/appl/kf/Makefile.in
new file mode 100644
index 0000000..5c60810
--- /dev/null
+++ b/crypto/heimdal/appl/kf/Makefile.in
@@ -0,0 +1,626 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.1 1999/07/22 11:36:26 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = kf kfd
+
+kf_SOURCES = kf.c kf_locl.h
+
+kfd_SOURCES = kfd.c kf_locl.h
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  kf$(EXEEXT) kfd$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+kf_OBJECTS =  kf.$(OBJEXT)
+kf_LDADD = $(LDADD)
+kf_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kf_LDFLAGS = 
+kfd_OBJECTS =  kfd.$(OBJEXT)
+kfd_LDADD = $(LDADD)
+kfd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kfd_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
+OBJECTS = $(kf_OBJECTS) $(kfd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kf/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES)
+	@rm -f kf$(EXEEXT)
+	$(LINK) $(kf_LDFLAGS) $(kf_OBJECTS) $(kf_LDADD) $(LIBS)
+
+kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES)
+	@rm -f kfd$(EXEEXT)
+	$(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/kf
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c
new file mode 100644
index 0000000..1e85f94
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kf_locl.h"
+RCSID("$Id: kf.c,v 1.13 1999/12/04 18:04:09 assar Exp $");
+
+krb5_context context;
+static int help_flag;
+static int version_flag;
+static char *port_str;
+const char *service     = SERVICE;
+const char *remote_name = NULL;
+int forwardable   = 0;
+const char *ccache_name = NULL;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
+    { "login", 'l',arg_string, &remote_name,"remote login name","login"},
+    { "ccache", 'c',arg_string, &ccache_name, "remote cred cache","ccache"},
+    { "forwardable",'F',arg_flag,&forwardable,
+       "Forward forwardable credentials", NULL },
+    { "forwardable",'G',arg_negative_flag,&forwardable,
+       "Don't forward forwardable credentials", NULL },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "hosts");
+    exit(code);
+}
+
+static int
+client_setup(krb5_context *context, int *argc, char **argv)
+{
+    int optind = 0;
+    int port = 0;
+    int status;
+
+    set_progname (argv[0]);
+ 
+    status = krb5_init_context (context);
+    if (status)
+	errx(1, "krb5_init_context failed: %u", status);
+ 
+    forwardable = krb5_config_get_bool (*context, NULL,
+					"libdefaults",
+					"forwardable",
+					NULL); 
+ 
+    if (getarg (args, num_args, *argc, argv, &optind))
+	usage(1, args, num_args);
+
+    if(help_flag)
+	usage (0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str) {
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
+   
+    if(*argc - optind < 1)
+        usage(1, args, num_args);
+    *argc = optind;
+
+    return port;
+}
+
+/*
+ * forward creds to `hostname'/`service' over `sock'
+ * return 0 iff OK
+ */
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_data data;
+    krb5_data packet;
+    krb5_data data_send;
+    u_int32_t len, net_len;
+
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_principal  principal;
+    char	    ret_string[10];
+    ssize_t	    n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status) {
+	krb5_warn (context, status, "krb5_auth_con_init");
+	return 1;
+    }
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status) {
+	krb5_warn (context, status, "krb5_auth_con_setaddr");
+	return 1;
+    }
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status) {
+	krb5_warn (context, status, "krb5_sname_to_principal");
+	return 1;
+    }
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status) {
+	krb5_warn(context, status, "krb5_sendauth");
+	return 1;
+    }
+
+    if (remote_name == NULL) {
+	remote_name = get_default_username ();
+	if (remote_name == NULL)
+	    errx (1, "who are you?");
+    }
+
+    krb5_data_zero(&data_send);
+    data_send.data   = (void *)remote_name;
+    data_send.length = strlen(remote_name) + 1;
+    status = krb5_write_message(context, &sock, &data_send);
+    if (status) {
+	krb5_warn (context, status, "krb5_write_message");
+	return 1;
+    }
+  
+    if (ccache_name == NULL)
+	ccache_name = "";
+
+    data_send.data   = (void *)ccache_name;
+    data_send.length = strlen(ccache_name)+1;
+    status = krb5_write_message(context, &sock, &data_send);
+    if (status) {
+	krb5_warn (context, status, "krb5_write_message");
+	return 1;
+    }
+
+    memset (&creds, 0, sizeof(creds));
+
+    status = krb5_cc_default (context, &ccache);
+    if (status) {
+	krb5_warn (context, status, "krb5_cc_default");
+	return 1;
+    }
+
+    status = krb5_cc_get_principal (context, ccache, &principal);
+    if (status) {
+	krb5_warn (context, status, "krb5_cc_get_principal");
+	return 1;
+    }
+
+    creds.client = principal;
+    
+    status = krb5_build_principal (context,
+				   &creds.server,
+				   strlen(principal->realm),
+				   principal->realm,
+				   KRB5_TGS_NAME,
+				   principal->realm,
+				   NULL);
+
+    if (status) {
+	krb5_warn (context, status, "krb5_build_principal");
+	return 1;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded   = 1;
+    flags.b.forwardable = forwardable;
+
+    status = krb5_get_forwarded_creds (context,
+				       auth_context,
+				       ccache,
+				       flags.i,
+				       hostname,
+				       &creds,
+				       &data);
+    if (status) {
+	krb5_warn (context, status, "krb5_get_forwarded_creds");
+	return 1;
+    }
+
+    status = krb5_mk_priv (context,
+                           auth_context,
+                           &data,
+                           &packet,
+                           NULL);
+    if (status) {
+	krb5_warn (context, status, "krb5_mk_priv");
+	return 1;
+    }
+    
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4) {
+	krb5_warn (context, errno, "krb5_net_write");
+	return 1;
+    }
+    if (krb5_net_write (context, &sock, packet.data, len) != len) {
+	krb5_warn (context, errno, "krb5_net_write");
+	return 1;
+    }
+
+    krb5_data_free (&data);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0) {
+	krb5_warnx (context, "EOF in krb5_net_read");
+	return 1;
+    }
+    if (n < 0) {
+	krb5_warn (context, errno, "krb5_net_read");
+	return 1;
+    }
+    len = ntohl(net_len);
+    if (len >= sizeof(ret_string)) {
+	krb5_warnx (context, "too long string back from %s", hostname);
+	return 1;
+    }
+    n = krb5_net_read (context, &sock, ret_string, len);
+    if (n == 0) {
+	krb5_warnx (context, "EOF in krb5_net_read");
+	return 1;
+    }
+    if (n < 0) {
+	krb5_warn (context, errno, "krb5_net_read");
+	return 1;
+    }
+    ret_string[sizeof(ret_string) - 1] = '\0';
+
+    return(strcmp(ret_string,"ok"));
+}
+
+static int
+doit (const char *hostname, int port, const char *service)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
+    }
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return proto (s, hostname, service);
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return 1;
+}
+
+int
+main(int argc, char **argv)
+{
+    int argcc,port,i;
+    int ret=0;
+ 
+    argcc = argc;
+    port = client_setup(&context, &argcc, argv);
+
+    for (i = argcc;i < argc; i++) {
+	ret = doit (argv[i], port, service);
+	warnx ("%s %s", argv[i], ret ? "failed" : "ok");
+    }
+    return(ret);
+}
diff --git a/crypto/heimdal/appl/kf/kf_locl.h b/crypto/heimdal/appl/kf/kf_locl.h
new file mode 100644
index 0000000..29f5941
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf_locl.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kf_locl.h,v 1.2 1999/12/02 17:04:55 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <errno.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+#include <krb5.h>
+
+#define SERVICE "host"
+
+#define PORT "kf"
+#define PORT_NUM 2110
diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c
new file mode 100644
index 0000000..9ad434f
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kf_locl.h"
+RCSID("$Id: kfd.c,v 1.7 1999/12/02 17:04:55 joda Exp $");
+
+krb5_context context;
+char krb5_tkfile[MAXPATHLEN];
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+int do_inetd = 0;
+static char *regpag_str=NULL;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "inetd",'i',arg_flag, &do_inetd,
+       "Not started from inetd", NULL },
+    { "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static int
+server_setup(krb5_context *context, int argc, char **argv)
+{
+    int port = 0;
+    int local_argc;
+
+    local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
+
+    if(argv[local_argc] != NULL)
+        usage(1, args, num_args);
+    
+    return port;
+}
+
+static void
+syslog_and_die (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    exit (1);
+}
+
+static void
+syslog_and_cont (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    return; 
+}
+
+static int
+proto (int sock, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_ticket *ticket;
+    char *name;
+    char ret_string[10];
+    char hostname[MAXHOSTNAMELEN];
+    krb5_data packet;
+    krb5_data data;
+    krb5_data remotename;
+    krb5_data tk_file;
+
+    u_int32_t len, net_len;
+    krb5_ccache ccache;
+    char ccname[MAXPATHLEN];
+    struct passwd *pwd;
+    ssize_t n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	syslog_and_die("krb5_auth_con_init: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status)
+	syslog_and_die("krb5_auth_con_setaddr: %s",
+	      krb5_get_err_text(context, status));
+
+    if(gethostname (hostname, sizeof(hostname)) < 0)
+	syslog_and_die("gethostname: %s",strerror(errno));
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	syslog_and_die("krb5_sname_to_principal: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_recvauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    server,
+			    0,
+			    NULL,
+			    &ticket);
+    if (status)
+	syslog_and_die("krb5_recvauth: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_unparse_name (context,
+				ticket->client,
+				&name);
+    if (status)
+	syslog_and_die("krb5_unparse_name: %s",
+	      krb5_get_err_text(context, status));
+
+    status=krb5_read_message (context, &sock, &remotename);
+    if (status) {
+	syslog_and_die("krb5_read_message: %s",
+		       krb5_get_err_text(context, status));
+    }
+    status=krb5_read_message (context, &sock, &tk_file);
+    if (status) {
+	syslog_and_die("krb5_read_message: %s",
+		       krb5_get_err_text(context, status));
+    }
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n < 0)
+        syslog_and_die("krb5_net_read: %s", strerror(errno));
+    if (n == 0)
+        syslog_and_die("EOF in krb5_net_read");
+
+    len = ntohl(net_len);
+    krb5_data_alloc (&packet, len);
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n < 0)
+        syslog_and_die("krb5_net_read: %s", strerror(errno));
+    if (n == 0)
+        syslog_and_die("EOF in krb5_net_read");
+
+    status = krb5_rd_priv (context,
+                           auth_context,
+                           &packet,
+                           &data,
+                           NULL);
+    if (status) {
+	syslog_and_cont("krb5_rd_priv: %s",
+			krb5_get_err_text(context, status));
+	goto out;
+    }
+
+    pwd = getpwnam ((char *)(remotename.data));
+    if (pwd == NULL) {
+	status=1;
+	syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data));
+	goto out;
+    }
+
+    if(!krb5_kuserok (context,
+                     ticket->client,
+                     (char *)(remotename.data))) {
+	status=1;
+	syslog_and_cont("krb5_kuserok: permission denied");
+	goto out;
+    }
+
+    if (setgid(pwd->pw_gid) < 0) {
+	syslog_and_cont ("setgid: %s", strerror(errno));
+	goto out;
+    }
+    if (setuid(pwd->pw_uid) < 0) {
+	syslog_and_cont ("setuid: %s", strerror(errno));
+	goto out;
+    }
+
+    if (tk_file.length != 1)
+	snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
+    else
+	snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+
+    status = krb5_cc_resolve (context, ccname, &ccache);
+    if (status) {
+	syslog_and_cont("krb5_cc_resolve: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+    }
+    status = krb5_cc_initialize (context, ccache, ticket->client);
+    if (status) {
+	syslog_and_cont("krb5_cc_initialize: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+    }
+    status = krb5_rd_cred (context, auth_context, ccache, &data);
+    krb5_cc_close (context, ccache);
+    if (status) {
+	syslog_and_cont("krb5_rd_cred: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+
+    }
+    strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile));
+    syslog_and_cont("%s forwarded ticket to %s,%s",
+		    name,
+		    (char *)(remotename.data),ccname);
+out:
+    if (status) {
+	strcpy(ret_string, "no");
+	syslog_and_cont("failed");
+    } else  {
+	strcpy(ret_string, "ok");
+    }
+
+    krb5_data_free (&tk_file);
+    krb5_data_free (&remotename);
+    krb5_data_free (&packet);
+    krb5_data_free (&data);
+    free(name);
+
+    len = strlen(ret_string) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+         return 1;
+    if (krb5_net_write (context, &sock, ret_string, len) != len)
+         return 1;
+    return status;
+}
+
+static int
+doit (int port, const char *service)
+{
+    if (do_inetd)
+	mini_inetd(port);
+    return proto (STDIN_FILENO, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port;
+    int ret;
+
+    set_progname (argv[0]);
+    roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
+    port = server_setup(&context, argc, argv);
+    ret = doit (port, service);
+    closelog();
+    if (ret == 0 && regpag_str != NULL)
+        ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL);
+    return ret;
+}
diff --git a/crypto/heimdal/appl/login/ChangeLog b/crypto/heimdal/appl/login/ChangeLog
new file mode 100644
index 0000000..a751cae
--- /dev/null
+++ b/crypto/heimdal/appl/login/ChangeLog
@@ -0,0 +1,162 @@
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* conf.c: remove case for not having cgetent, since it's in roken
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): conditionalize shadow stuff on getspnam
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (login_DEPENDENCIES): remove, it's not entirely
+ 	correct and was causing problems with non-GNU make
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* login.c (start_logout_proceess): don't examine `prog' before
+ 	setting it.
+
+1999-10-27  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): chown and chmod the tty.  some clean-up.
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_start_session): correct the ccache to
+ 	krb524_convert_creds_kdc
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_verify): use krb5_verify_user_lrealm
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c: SGI capability mumbo-jumbo
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (start_logout_process): call setproctitle
+
+	* login_locl.h: declare struct spwd
+
+	* login.c: add support for starting extra processes at login and
+	logout; always preserve TERM and TZ
+
+	* conf.c: add configuration file support
+
+1999-08-07  Assar Westerlund  <assar@sics.se>
+
+	* shadow.c (check_shadow): check for a NULL sp
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): move down login incorrect to disallow account
+ 	guessing
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* utmpx_login.c (utmpx_login): fix for Solaris.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* login_locl.h: add <shadow.h> and some prototypes
+
+	* login.c: fixes with v4 and shadow support.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* shadow.c: new file with functions for handling shadow passwords
+
+	* Makefile.am: add shadow
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): generate a better tty name
+
+1999-05-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (do_login): set $SHELL
+
+1999-05-18  Assar Westerlund  <assar@sics.se>
+
+	* add login-access
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c: copy the v5 ccache to a file after having done setuid
+
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_verify): check seteuid for errors
+	
+Mon Apr 19 22:30:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* login.c: conditionalize the kafs calls on KRB4
+
+	* Makefile.am (LDADD): add kafs
+
+	* login.c: add support for getting afs tokens with v4 and v5
+
+Sun Apr 18 14:12:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login.c: check _PATH_NOLOGIN
+
+	* login_locl.h: _PATH_NOLOGIN
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): use print_version
+
+Thu Apr  8 15:03:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login.c: remove definition of KRB_VERIFY_USER et.al. (moved to
+ 	config.h)
+
+	* login_locl.h: include udb.h, sys/resource.h, and sys/category.h
+
+Sat Mar 27 17:58:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: osfc2.c
+
+	* login.c: magic for OSF C2, and Crays
+
+	* login_locl.h: do_osfc2_magic proto
+
+	* osfc2.c: bsd_locl -> login_locl
+
+	* osfc2.c: OSF C2 magic
+
+Tue Mar 23 14:17:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login_locl.h: _PATH_UTMP
+
+Sun Mar 21 15:02:31 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* login.c: `-h' is host, not help
+
+Sat Mar 20 00:11:13 1999  Assar Westerlund  <assar@sics.se>
+
+	* login_locl.h: krb.h: add
+
+	* login.c: static-size
+	(krb4_verify): add
+
+Thu Mar 18 11:36:10 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 17:53:36 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* utmpx_login.c: add some consts
+
+	* utmp_login.c: add some consts
+
+	* login.c: staticize
+
+	* login_locl.h: add prototypes, and defaults for
+ 	_PATH_*
+
+Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* utmpx_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+	* utmp_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
diff --git a/crypto/heimdal/appl/login/Makefile.am b/crypto/heimdal/appl/login/Makefile.am
new file mode 100644
index 0000000..22b4b62
--- /dev/null
+++ b/crypto/heimdal/appl/login/Makefile.am
@@ -0,0 +1,34 @@
+# $Id: Makefile.am,v 1.16 1999/10/30 08:51:45 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = login
+
+login_SOURCES = \
+		login.c				\
+		osfc2.c				\
+		read_string.c			\
+		utmp_login.c			\
+		utmpx_login.c			\
+		tty.c				\
+		stty_default.c			\
+		login_access.c			\
+		login_locl.h			\
+		login_proto.h			\
+		conf.c				\
+		shadow.c
+
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_security)
+
+$(srcdir)/login_protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h $(login_SOURCES) || rm -f login_protos.h
+
+$(login_OBJECTS): $(srcdir)/login_protos.h
diff --git a/crypto/heimdal/appl/login/Makefile.in b/crypto/heimdal/appl/login/Makefile.in
new file mode 100644
index 0000000..10b75e8
--- /dev/null
+++ b/crypto/heimdal/appl/login/Makefile.in
@@ -0,0 +1,645 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.16 1999/10/30 08:51:45 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = login
+
+login_SOURCES =  		login.c						osfc2.c						read_string.c					utmp_login.c					utmpx_login.c					tty.c						stty_default.c					login_access.c					login_locl.h					login_proto.h					conf.c						shadow.c
+
+
+LDADD = $(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(LIB_security)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  login$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+login_OBJECTS =  login.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \
+utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT) tty.$(OBJEXT) \
+stty_default.$(OBJEXT) login_access.$(OBJEXT) conf.$(OBJEXT) \
+shadow.$(OBJEXT)
+login_LDADD = $(LDADD)
+@KRB4_TRUE@login_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@login_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+login_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(login_SOURCES)
+OBJECTS = $(login_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/login/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES)
+	@rm -f login$(EXEEXT)
+	$(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/login
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(srcdir)/login_protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h $(login_SOURCES) || rm -f login_protos.h
+
+$(login_OBJECTS): $(srcdir)/login_protos.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/login/conf.c b/crypto/heimdal/appl/login/conf.c
new file mode 100644
index 0000000..6a4b2a8
--- /dev/null
+++ b/crypto/heimdal/appl/login/conf.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "login_locl.h"
+
+RCSID("$Id: conf.c,v 1.2 1999/11/09 18:05:49 joda Exp $");
+
+static char *confbuf;
+
+static int
+login_conf_init(void)
+{
+    char *files[] = { _PATH_LOGIN_CONF, NULL };
+    return cgetent(&confbuf, files, "default");
+}
+
+char *
+login_conf_get_string(const char *str)
+{
+    char *value;
+    if(login_conf_init() != 0)
+	return NULL;
+    if(cgetstr(confbuf, str, &value) < 0)
+	return NULL;
+    return value;
+}
diff --git a/crypto/heimdal/appl/login/login.c b/crypto/heimdal/appl/login/login.c
new file mode 100644
index 0000000..a149449
--- /dev/null
+++ b/crypto/heimdal/appl/login/login.c
@@ -0,0 +1,730 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+#ifdef HAVE_CAPABILITY_H
+#include <capability.h>
+#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
+RCSID("$Id: login.c,v 1.33 1999/12/02 17:04:55 joda Exp $");
+
+/*
+ * the environment we will send to execle and the shell.
+ */
+
+static char **env;
+static int num_env;
+
+static void
+extend_env(char *str)
+{
+    env = realloc(env, (num_env + 1) * sizeof(*env));
+    if(env == NULL)
+	errx(1, "Out of memory!");
+    env[num_env++] = str;
+}
+
+static void
+add_env(const char *var, const char *value)
+{
+    int i;
+    char *str;
+    asprintf(&str, "%s=%s", var, value);
+    if(str == NULL)
+	errx(1, "Out of memory!");
+    for(i = 0; i < num_env; i++)
+	if(strncmp(env[i], var, strlen(var)) == 0 && 
+	   env[i][strlen(var)] == '='){
+	    free(env[i]);
+	    env[i] = str;
+	    return;
+	}
+    
+    extend_env(str);
+}
+
+static void
+copy_env(void)
+{
+    char **p;
+    for(p = environ; *p; p++)
+	extend_env(*p);
+}
+
+static int
+start_login_process(void)
+{
+    char *prog, *argv0;
+    prog = login_conf_get_string("login_program");
+    if(prog == NULL)
+	return 0;
+    argv0 = strrchr(prog, '/');
+
+    if(argv0)
+	argv0++;
+    else
+	argv0 = prog;
+
+    return simple_execle(prog, argv0, NULL, env);
+}
+
+static int
+start_logout_process(void)
+{
+    char *prog, *argv0;
+    pid_t pid;
+
+    prog = login_conf_get_string("logout_program");
+    if(prog == NULL)
+	return 0;
+    argv0 = strrchr(prog, '/');
+
+    if(argv0)
+	argv0++;
+    else
+	argv0 = prog;
+
+    pid = fork();
+    if(pid == 0)
+	return 0;
+    if(pid == -1)
+	err(1, "fork");
+    /* wait for the real login process to exit */
+#ifdef HAVE_SETPROCTITLE
+    setproctitle("waitpid %d", pid);
+#endif
+    while(1) {
+	int status;
+	int ret;
+	ret = waitpid(pid, &status, 0);
+	if(ret > 0) {
+	    if(WIFEXITED(status) || WIFSIGNALED(status)) {
+		execle(prog, argv0, NULL, env);
+		err(1, "exec %s", prog);
+	    }
+	} else if(ret < 0) 
+	    err(1, "waitpid");
+    }
+}
+
+static void
+exec_shell(const char *shell, int fallback)
+{
+    char *sh;
+    const char *p;
+    
+    extend_env(NULL);
+    if(start_login_process() < 0)
+	warn("login process");
+    start_logout_process();
+
+    p = strrchr(shell, '/');
+    if(p)
+	p++;
+    else
+	p = shell;
+    asprintf(&sh, "-%s", p);
+    execle(shell, sh, NULL, env);
+    if(fallback){
+	warnx("Can't exec %s, trying %s", 
+	      shell, _PATH_BSHELL);
+	execle(_PATH_BSHELL, "-sh", NULL, env);
+	err(1, "%s", _PATH_BSHELL);
+    }
+    err(1, "%s", shell);
+}
+
+static enum { AUTH_KRB4, AUTH_KRB5 } auth;
+
+#ifdef KRB5
+static krb5_context context;
+static krb5_ccache  id, id2;
+
+static int
+krb5_verify(struct passwd *pwd, const char *password)
+{
+    krb5_error_code ret;
+    krb5_principal princ;
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	return 1;
+	    
+    ret = krb5_parse_name(context, pwd->pw_name, &princ);
+    if(ret){
+	krb5_free_context(context);
+	return 1;
+    }
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if(ret){
+	krb5_free_principal(context, princ);
+	krb5_free_context(context);
+	return 1;
+    }
+    ret = krb5_verify_user_lrealm(context,
+				  princ, 
+				  id,
+				  password, 
+				  1,
+				  NULL);
+    krb5_free_principal(context, princ);
+    if (ret)
+	krb5_free_context (context);
+    return ret;
+}
+
+static int
+krb5_start_session (const struct passwd *pwd)
+{
+    krb5_error_code ret;
+    char residual[64];
+
+    /* copy credentials to file cache */
+    snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", 
+	     (unsigned)pwd->pw_uid);
+    krb5_cc_resolve(context, residual, &id2);
+    ret = krb5_cc_copy_cache(context, id, id2);
+    if (ret == 0)
+	add_env("KRB5CCNAME", residual);
+    else {
+	krb5_cc_destroy (context, id2);
+	return ret;
+    }
+#ifdef KRB4
+    if (krb5_config_get_bool(context, NULL,
+			     "libdefaults",
+			     "krb4_get_tickets",
+			     NULL)) {
+        CREDENTIALS c;
+        krb5_creds mcred, cred;
+        krb5_realm realm;
+        char krb4tkfile[MAXPATHLEN];
+
+        krb5_get_default_realm(context, &realm);
+	krb5_make_principal(context, &mcred.server, realm,
+			    "krbtgt",
+			    realm,
+			    NULL);
+	free (realm);
+	ret = krb5_cc_retrieve_cred(context, id2, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, id2, &cred, &c);
+	    if(ret == 0) {
+		snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT,
+			 getuid());
+		krb_set_tkt_string(krb4tkfile);
+		tf_setup(&c, c.pname, c.pinst);
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	}
+	krb5_free_principal(context, mcred.server);
+    }
+#endif
+    krb5_cc_close(context, id2);
+    krb5_cc_destroy(context, id);
+    return 0;
+}
+
+static void
+krb5_finish (void)
+{
+    krb5_free_context(context);
+}
+
+#ifdef KRB4
+
+static int pag_set = 0;
+
+static void
+krb5_get_afs_tokens (const struct passwd *pwd)
+{
+    char cell[64];
+    char *pw_dir;
+    krb5_error_code ret;
+
+    if (!k_hasafs ())
+	return;
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	return;
+    ret = krb5_cc_default(context, &id2);
+ 
+    if (ret == 0) {
+	pw_dir = pwd->pw_dir;
+
+	if (!pag_set) {
+	    k_setpag();
+	    pag_set = 1;
+	}
+
+	if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
+	    krb5_afslog_uid_home (context, id2,
+				  cell, NULL, pwd->pw_uid, pwd->pw_dir);
+	krb5_afslog_uid_home (context, id2, NULL, NULL,
+			      pwd->pw_uid, pwd->pw_dir);
+	krb5_cc_close (context, id2);
+    }
+    krb5_free_context (context);
+}
+
+#endif /* KRB4 */
+
+#endif /* KRB5 */
+
+#ifdef KRB4
+
+static int
+krb4_verify(struct passwd *pwd, const char *password)
+{
+    char lrealm[REALM_SZ];
+    int ret;
+    char ticket_file[MaxPathLen];
+
+    ret = krb_get_lrealm (lrealm, 1);
+    if (ret)
+	return 1;
+
+    snprintf (ticket_file, sizeof(ticket_file),
+	      "%s%u_%u",
+	      TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
+
+    krb_set_tkt_string (ticket_file);
+
+    ret = krb_verify_user (pwd->pw_name, "", lrealm, (char *)password,
+			   KRB_VERIFY_SECURE_FAIL, NULL);
+    if (ret)
+	return 1;
+
+    if (chown (ticket_file, pwd->pw_uid, pwd->pw_gid) < 0) {
+	dest_tkt();
+	return 1;
+    }
+	
+    add_env ("KRBTKFILE", ticket_file);
+    return 0;
+}
+
+static void
+krb4_get_afs_tokens (const struct passwd *pwd)
+{
+    char cell[64];
+    char *pw_dir;
+
+    if (!k_hasafs ())
+	return;
+
+    pw_dir = pwd->pw_dir;
+
+    if (!pag_set) {
+	k_setpag();
+	pag_set = 1;
+    }
+
+    if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
+	krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
+
+    krb_afslog_uid_home (NULL, NULL, pwd->pw_uid, pwd->pw_dir);
+}
+
+#endif /* KRB4 */
+
+static int f_flag;
+static int p_flag;
+static int r_flag;
+static int version_flag;
+static int help_flag;
+static char *remote_host;
+
+struct getargs args[] = {
+#if 0
+    { NULL, 'a' },
+    { NULL, 'd' },
+#endif
+    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated" },
+    { NULL, 'h', arg_string,	&remote_host,	"remote host", "hostname" },
+    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment" },
+#if 0
+    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol" },
+#endif
+    { "version", 0,  arg_flag,	&version_flag },
+    { "help",	 0,  arg_flag,&help_flag, }
+};
+
+int nargs = sizeof(args) / sizeof(args[0]);
+
+static void
+update_utmp(const char *username, const char *hostname,
+	    char *tty, char *ttyn)
+{
+    /*
+     * Update the utmp files, both BSD and SYSV style.
+     */
+    if (utmpx_login(tty, username, hostname) != 0 && !f_flag) {
+	printf("No utmpx entry.  You must exec \"login\" from the "
+	       "lowest level shell.\n");
+	exit(1);
+    }
+    utmp_login(ttyn, username, hostname);
+}
+
+static void
+checknologin(void)
+{
+    FILE *f;
+    char buf[1024];
+
+    f = fopen(_PATH_NOLOGIN, "r");
+    if(f == NULL)
+	return;
+    while(fgets(buf, sizeof(buf), f))
+	fputs(buf, stdout);
+    fclose(f);
+    exit(0);
+}
+
+/* 
+ * Actually log in the user.  `pwd' contains all the relevant
+ * information about the user.  `ttyn' is the complete name of the tty
+ * and `tty' the short name.
+ */
+
+static void
+do_login(const struct passwd *pwd, char *tty, char *ttyn)
+{
+#ifdef HAVE_GETSPNAM
+    struct spwd *sp;
+#endif
+    int rootlogin = (pwd->pw_uid == 0);
+    gid_t tty_gid;
+    struct group *gr;
+    const char *home_dir;
+
+    if(!rootlogin)
+	checknologin();
+    
+#ifdef HAVE_GETSPNAM
+    sp = getspnam(pwd->pw_name);
+#endif
+
+    update_utmp(pwd->pw_name, remote_host ? remote_host : "",
+		tty, ttyn);
+
+    gr = getgrnam ("tty");
+    if (gr != NULL)
+	tty_gid = gr->gr_gid;
+    else
+	tty_gid = pwd->pw_gid;
+
+    if (chown (ttyn, pwd->pw_uid, pwd->pw_gid) < 0) {
+	warn("chown %s", ttyn);
+	if (rootlogin == 0)
+	    exit (1);
+    }
+
+    if (chmod (ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) {
+	warn("chmod %s", ttyn);
+	if (rootlogin == 0)
+	    exit (1);
+    }
+
+#ifdef HAVE_SETLOGIN
+    if(setlogin(pwd->pw_name)){
+	warn("setlogin(%s)", pwd->pw_name);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+#endif
+#ifdef HAVE_INITGROUPS
+    if(initgroups(pwd->pw_name, pwd->pw_gid)){
+	warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+#endif
+    if(setgid(pwd->pw_gid)){
+	warn("setgid(%u)", (unsigned)pwd->pw_gid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+    if(setuid(pwd->pw_uid)){
+	warn("setuid(%u)", (unsigned)pwd->pw_uid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+    /* all kinds of different magic */
+
+#ifdef HAVE_GETSPNAM
+    check_shadow(pwd, sp);
+#endif
+
+    if(do_osfc2_magic(pwd->pw_uid))
+	exit(1);
+#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
+    {
+	struct udb *udb;
+	long t;
+	const long maxcpu = 46116860184; /* some random constant */
+	udb = getudbnam(pwd->pw_name);
+	if(udb == UDB_NULL)
+	    errx(1, "Failed to get UDB entry.");
+	t = udb->ue_pcpulim[UDBRC_INTER];
+	if(t == 0 || t > maxcpu)
+	    t = CPUUNLIM;
+	else
+	    t *= 100 * CLOCKS_PER_SEC;
+
+	if(limit(C_PROC, 0, L_CPU, t) < 0)
+	    warn("limit C_PROC");
+
+	t = udb->ue_jcpulim[UDBRC_INTER];
+	if(t == 0 || t > maxcpu)
+	    t = CPUUNLIM;
+	else
+	    t *= 100 * CLOCKS_PER_SEC;
+
+	if(limit(C_JOBPROCS, 0, L_CPU, t) < 0)
+	    warn("limit C_JOBPROCS");
+
+	nice(udb->ue_nice[UDBRC_INTER]);
+    }
+#endif
+#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC)
+	/* XXX SGI capability hack IRIX 6.x (x >= 0?) has something
+	   called capabilities, that allow you to give away
+	   permissions (such as chown) to specific processes. From 6.5
+	   this is default on, and the default capability set seems to
+	   not always be the empty set. The problem is that the
+	   runtime linker refuses to do just about anything if the
+	   process has *any* capabilities set, so we have to remove
+	   them here (unless otherwise instructed by /etc/capability).
+	   In IRIX < 6.5, these functions was called sgi_cap_setproc,
+	   etc, but we ignore this fact (it works anyway). */
+	{
+	    struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name);
+	    cap_t cap;
+	    if(ucap == NULL)
+		cap = cap_from_text("all=");
+	    else
+		cap = cap_from_text(ucap->ca_default);
+	    if(cap == NULL)
+		err(1, "cap_from_text");
+	    if(cap_set_proc(cap) < 0)
+		err(1, "cap_set_proc");
+	    cap_free(cap);
+	    free(ucap);
+	}
+#endif
+    home_dir = pwd->pw_dir;
+    if (chdir(home_dir) < 0) {
+	fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir);
+	if (chdir("/"))
+	    exit(0);
+	home_dir = "/";
+	fprintf(stderr, "Logging in with home = \"/\".\n");
+    }
+#ifdef KRB5
+    if (auth == AUTH_KRB5) {
+	krb5_start_session (pwd);
+	krb5_finish ();
+    }
+#ifdef KRB4
+    krb5_get_afs_tokens (pwd);
+#endif /* KRB4 */
+#endif /* KRB5 */
+
+#ifdef KRB4
+    krb4_get_afs_tokens (pwd);
+#endif /* KRB4 */
+
+    add_env("HOME", home_dir);
+    add_env("USER", pwd->pw_name);
+    add_env("LOGNAME", pwd->pw_name);
+    add_env("SHELL", pwd->pw_shell);
+    exec_shell(pwd->pw_shell, rootlogin);
+}
+
+static int
+check_password(struct passwd *pwd, const char *password)
+{
+    if(pwd->pw_passwd == NULL)
+	return 1;
+    if(pwd->pw_passwd[0] == '\0'){
+#ifdef ALLOW_NULL_PASSWORD
+	return password[0] != '\0';
+#else
+	return 1;
+#endif
+    }
+    if(strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) == 0)
+	return 0;
+#ifdef KRB5
+    if(krb5_verify(pwd, password) == 0) {
+	auth = AUTH_KRB5;
+	return 0;
+    }
+#endif
+#ifdef KRB4
+    if (krb4_verify (pwd, password) == 0) {
+	auth = AUTH_KRB4;
+	return 0;
+    }
+#endif
+    return 1;
+}
+
+static void
+usage(int status)
+{
+    arg_printusage(args, nargs, NULL, "[username]");
+    exit(status);
+}
+
+int
+main(int argc, char **argv)
+{
+    int max_tries = 5;
+    int try;
+
+    char username[32];
+    int optind = 0;
+
+    int ask = 1;
+    
+    set_progname(argv[0]);
+
+    openlog("login", LOG_ODELAY, LOG_AUTH);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+    argc -= optind;
+    argv += optind;
+
+    if(help_flag)
+	usage(0);
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (geteuid() != 0)
+	errx(1, "only root may use login, use su");
+
+    /* Default tty settings. */
+    stty_default();
+
+    if(p_flag)
+	copy_env();
+    else {
+	/* this set of variables is always preserved by BSD login */
+	if(getenv("TERM"))
+	    add_env("TERM", getenv("TERM"));
+	if(getenv("TZ"))
+	    add_env("TZ", getenv("TZ"));
+    }
+
+    if(*argv){
+	if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){
+	    strlcpy (username, *argv, sizeof(username));
+	    ask = 0;
+	}
+    }
+    /* XXX should we care about environment on the command line? */
+    for(try = 0; try < max_tries; try++){
+	struct passwd *pwd;
+	char password[128];
+	int ret;
+	char ttname[32];
+	char *tty, *ttyn;
+
+	if(ask){
+	    f_flag = r_flag = 0;
+	    ret = read_string("login: ", username, sizeof(username), 1);
+	    if(ret == -3)
+		exit(0);
+	    if(ret == -2)
+		continue;
+	}
+        pwd = k_getpwnam(username);
+#ifdef ALLOW_NULL_PASSWORD
+        if (pwd != NULL && (pwd->pw_passwd[0] == '\0')) {
+            strcpy(password,"");
+        }
+        else
+#endif
+	if(f_flag == 0) {
+	    ret = read_string("Password: ", password, sizeof(password), 0);
+	    if(ret == -3 || ret == -2)
+		continue;
+	}
+	
+	if(pwd == NULL){
+	    fprintf(stderr, "Login incorrect.\n");
+	    ask = 1;
+	    continue;
+	}
+
+	if(f_flag == 0 && check_password(pwd, password)){
+	    fprintf(stderr, "Login incorrect.\n");
+            ask = 1;
+	    continue;
+	}
+	ttyn = ttyname(STDIN_FILENO);
+	if(ttyn == NULL){
+	    snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY);
+	    ttyn = ttname;
+	}
+	if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+	    tty = ttyn + strlen(_PATH_DEV);
+	else
+	    tty = ttyn;
+    
+	if (login_access (pwd, remote_host ? remote_host : tty) == 0) {
+	    fprintf(stderr, "Permission denied\n");
+	    if (remote_host)
+		syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
+		       pwd->pw_name, remote_host);
+	    else
+		syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
+		       pwd->pw_name, tty);
+	    exit (1);
+	}
+	do_login(pwd, tty, ttyn);
+    }
+    exit(1);
+}
diff --git a/crypto/heimdal/appl/login/login_access.c b/crypto/heimdal/appl/login/login_access.c
new file mode 100644
index 0000000..86d691e
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_access.c
@@ -0,0 +1,261 @@
+ /*
+  * This module implements a simple but effective form of login access
+  * control based on login names and on host (or domain) names, internet
+  * addresses (or network numbers), or on terminal line names in case of
+  * non-networked logins. Diagnostics are reported through syslog(3).
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#include "login_locl.h"
+
+RCSID("$Id: login_access.c,v 1.1 1999/05/17 22:40:05 assar Exp $");
+
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+
+static char fs[] = ":";			/* field separator */
+static char sep[] = ", \t";		/* list-element separator */
+
+ /* Constants to be used in assignments only, not in comparisons... */
+
+#define YES             1
+#define NO              0
+
+ /*
+  * A structure to bundle up all login-related information to keep the
+  * functional interfaces as generic as possible.
+  */
+struct login_info {
+    struct passwd *user;
+    char   *from;
+};
+
+static int list_match(char *list, struct login_info *item,
+		      int (*match_fn)(char *, struct login_info *));
+static int user_match(char *tok, struct login_info *item);
+static int from_match(char *tok, struct login_info *item);
+static int string_match(char *tok, char *string);
+
+/* login_access - match username/group and host/tty with access control file */
+
+int login_access(struct passwd *user, char *from)
+{
+    struct login_info item;
+    FILE   *fp;
+    char    line[BUFSIZ];
+    char   *perm;			/* becomes permission field */
+    char   *users;			/* becomes list of login names */
+    char   *froms;			/* becomes list of terminals or hosts */
+    int     match = NO;
+    int     end;
+    int     lineno = 0;			/* for diagnostics */
+    char   *foo;
+
+    /*
+     * Bundle up the arguments to avoid unnecessary clumsiness lateron.
+     */
+    item.user = user;
+    item.from = from;
+
+    /*
+     * Process the table one line at a time and stop at the first match.
+     * Blank lines and lines that begin with a '#' character are ignored.
+     * Non-comment lines are broken at the ':' character. All fields are
+     * mandatory. The first field should be a "+" or "-" character. A
+     * non-existing table means no access control.
+     */
+
+    if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
+	while (!match && fgets(line, sizeof(line), fp)) {
+	    lineno++;
+	    if (line[end = strlen(line) - 1] != '\n') {
+		syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
+		       _PATH_LOGACCESS, lineno);
+		continue;
+	    }
+	    if (line[0] == '#')
+		continue;			/* comment line */
+	    while (end > 0 && isspace((unsigned char)line[end - 1]))
+		end--;
+	    line[end] = 0;			/* strip trailing whitespace */
+	    if (line[0] == 0)			/* skip blank lines */
+		continue;
+	    foo = NULL;
+	    if (!(perm = strtok_r(line, fs, &foo))
+		|| !(users = strtok_r(NULL, fs, &foo))
+		|| !(froms = strtok_r(NULL, fs, &foo))
+		|| strtok_r(NULL, fs, &foo)) {
+		syslog(LOG_ERR, "%s: line %d: bad field count", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    if (perm[0] != '+' && perm[0] != '-') {
+		syslog(LOG_ERR, "%s: line %d: bad first field", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    match = (list_match(froms, &item, from_match)
+		     && list_match(users, &item, user_match));
+	}
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
+    }
+    return (match == 0 || (line[0] == '+'));
+}
+
+/* list_match - match an item against a list of tokens with exceptions */
+
+static int
+list_match(char *list,
+	   struct login_info *item,
+	   int (*match_fn)(char *, struct login_info *))
+{
+    char   *tok;
+    int     match = NO;
+    char   *foo = NULL;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok_r(list, sep, &foo);
+	 tok != NULL;
+	 tok = strtok_r(NULL, sep, &foo)) {
+	if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
+	    break;
+	if ((match = (*match_fn) (tok, item)) != 0)	/* YES */
+	    break;
+    }
+    /* Process exceptions to matches. */
+
+    if (match != NO) {
+	while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT"))
+	     /* VOID */ ;
+	if (tok == 0 || list_match(NULL, item, match_fn) == NO)
+	    return (match);
+    }
+    return (NO);
+}
+
+/* myhostname - figure out local machine name */
+
+static char *myhostname(void)
+{
+    static char name[MAXHOSTNAMELEN + 1] = "";
+
+    if (name[0] == 0) {
+	gethostname(name, sizeof(name));
+	name[MAXHOSTNAMELEN] = 0;
+    }
+    return (name);
+}
+
+/* netgroup_match - match group against machine or user */
+
+static int netgroup_match(char *group, char *machine, char *user)
+{
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+    static char *mydomain = 0;
+
+    if (mydomain == 0)
+	yp_get_default_domain(&mydomain);
+    return (innetgr(group, machine, user, mydomain));
+#else
+    syslog(LOG_ERR, "NIS netgroup support not configured");
+    return 0;
+#endif
+}
+
+/* user_match - match a username against one token */
+
+static int user_match(char *tok, struct login_info *item)
+{
+    char   *string = item->user->pw_name;
+    struct login_info fake_item;
+    struct group *group;
+    int     i;
+    char   *at;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the username, if the
+     * token is a group that contains the username, or if the token is the
+     * name of the user's primary group.
+     */
+
+    if ((at = strchr(tok + 1, '@')) != 0) {	/* split user@host pattern */
+	*at = 0;
+	fake_item.from = myhostname();
+	return (user_match(tok, item) && from_match(at + 1, &fake_item));
+    } else if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, (char *) 0, string));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if ((group = getgrnam(tok)) != 0) { /* try group membership */
+	if (item->user->pw_gid == group->gr_gid)
+	    return (YES);
+	for (i = 0; group->gr_mem[i]; i++)
+	    if (strcasecmp(string, group->gr_mem[i]) == 0)
+		return (YES);
+    }
+    return (NO);
+}
+
+/* from_match - match a host or tty against a list of tokens */
+
+static int from_match(char *tok, struct login_info *item)
+{
+    char   *string = item->from;
+    int     tok_len;
+    int     str_len;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds. Return
+     * YES if the token fully matches the string. If the token is a domain
+     * name, return YES if it matches the last fields of the string. If the
+     * token has the magic value "LOCAL", return YES if the string does not
+     * contain a "." character. If the token is a network number, return YES
+     * if it matches the head of the string.
+     */
+
+    if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, string, (char *) 0));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if (tok[0] == '.') {			/* domain: match last fields */
+	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
+	if (strchr(string, '.') == 0)
+	    return (YES);
+    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'	/* network */
+	       && strncmp(tok, string, tok_len) == 0) {
+	return (YES);
+    }
+    return (NO);
+}
+
+/* string_match - match a string against one token */
+
+static int string_match(char *tok, char *string)
+{
+
+    /*
+     * If the token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the string.
+     */
+
+    if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+	return (YES);
+    } else if (strcasecmp(tok, string) == 0) {	/* try exact match */
+	return (YES);
+    }
+    return (NO);
+}
diff --git a/crypto/heimdal/appl/login/login_locl.h b/crypto/heimdal/appl/login/login_locl.h
new file mode 100644
index 0000000..2d2f7fd
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_locl.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: login_locl.h,v 1.17 1999/12/02 17:04:55 joda Exp $ */
+
+#ifndef __LOGIN_LOCL_H__
+#define __LOGIN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <signal.h>
+#include <termios.h>
+#include <err.h>
+#include <pwd.h>
+#include <roken.h>
+#include <getarg.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#ifdef HAVE_UDB_H
+#include <udb.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_CATEGORY_H
+#include <sys/category.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include <kafs.h>
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+#ifndef _PATH_WTMP
+#ifdef WTMP_FILE
+#define _PATH_WTMP WTMP_FILE
+#else
+#define _PATH_WTMP "/var/adm/wtmp"
+#endif
+#endif
+#ifndef _PATH_UTMP
+#ifdef UTMP_FILE
+#define _PATH_UTMP UTMP_FILE
+#else
+#define _PATH_UTMP "/var/adm/utmp"
+#endif
+#endif
+
+#ifndef _PATH_LOGACCESS
+#define _PATH_LOGACCESS "/etc/login.access"
+#endif /* _PATH_LOGACCESS */
+
+#ifndef _PATH_LOGIN_CONF
+#define _PATH_LOGIN_CONF "/etc/login.conf"
+#endif /* _PATH_LOGIN_CONF */
+
+struct spwd;
+
+#include "login_protos.h"
+
+#endif /* __LOGIN_LOCL_H__ */
diff --git a/crypto/heimdal/appl/login/login_protos.h b/crypto/heimdal/appl/login/login_protos.h
new file mode 100644
index 0000000..173acc5
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_protos.h
@@ -0,0 +1,67 @@
+/* This is a generated file */
+#ifndef __login_protos_h__
+#define __login_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+void
+check_shadow __P((
+	const struct passwd *pw,
+	const struct spwd *sp));
+
+char *
+clean_ttyname __P((char *tty));
+
+int
+do_osfc2_magic __P((uid_t uid));
+
+int
+login_access __P((
+	struct passwd *user,
+	char *from));
+
+char *
+login_conf_get_string __P((const char *str));
+
+char *
+make_id __P((char *tty));
+
+void
+prepare_utmp __P((
+	struct utmp *utmp,
+	char *tty,
+	const char *username,
+	const char *hostname));
+
+int
+read_string __P((
+	const char *prompt,
+	char *buf,
+	size_t len,
+	int echo));
+
+void
+stty_default __P((void));
+
+void
+utmp_login __P((
+	char *tty,
+	const char *username,
+	const char *hostname));
+
+int
+utmpx_login __P((
+	char *line,
+	const char *user,
+	const char *host));
+
+#endif /* __login_protos_h__ */
diff --git a/crypto/heimdal/appl/login/osfc2.c b/crypto/heimdal/appl/login/osfc2.c
new file mode 100644
index 0000000..5d4d087
--- /dev/null
+++ b/crypto/heimdal/appl/login/osfc2.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+RCSID("$Id: osfc2.c,v 1.3 1999/12/02 17:04:56 joda Exp $");
+
+int
+do_osfc2_magic(uid_t uid)
+{
+#ifdef HAVE_OSFC2
+    struct es_passwd *epw;
+    char *argv[2];
+    
+    /* fake */
+    argv[0] = (char*)__progname;
+    argv[1] = NULL;
+    set_auth_parameters(1, argv);
+    
+    epw = getespwuid(uid);
+    if(epw == NULL) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "getespwuid failed for %d", uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+    /* We don't check for auto-retired, foo-retired,
+       bar-retired, or any other kind of retired accounts
+       here; neither do we check for time-locked accounts, or
+       any other kind of serious C2 mumbo-jumbo. We do,
+       however, call setluid, since failing to do so is not
+       very good (take my word for it). */
+    
+    if(!epw->uflg->fg_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "attempted login by %s (has no uid)", epw->ufld->fd_name);
+	printf("Sorry.\n");
+	return 1;
+    }
+    setluid(epw->ufld->fd_uid);
+    if(getluid() != epw->ufld->fd_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "failed to set LUID for %s (%d)", 
+	       epw->ufld->fd_name, epw->ufld->fd_uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+#endif /* HAVE_OSFC2 */
+    return 0;
+}
diff --git a/crypto/heimdal/appl/login/read_string.c b/crypto/heimdal/appl/login/read_string.c
new file mode 100644
index 0000000..2c4b66b
--- /dev/null
+++ b/crypto/heimdal/appl/login/read_string.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: read_string.c,v 1.3 1999/12/02 17:04:56 joda Exp $");
+
+static sig_atomic_t intr_flag;
+
+static void
+intr(int sig)
+{
+    intr_flag++;
+}
+
+int
+read_string(const char *prompt, char *buf, size_t len, int echo)
+{
+    struct sigaction sigs[47];
+    struct sigaction sa;
+    FILE *tty;
+    int ret = 0;
+    int of = 0;
+    int i;
+    int c;
+    char *p;
+
+    struct termios t_new, t_old;
+
+    memset(&sa, 0, sizeof(sa));
+    sa.sa_handler = intr;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = 0;
+    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	sigaction(i, &sa, &sigs[i]);
+
+    if((tty = fopen("/dev/tty", "r")) == NULL)
+	tty = stdin;
+       
+    fprintf(stderr, "%s", prompt);
+    fflush(stderr);
+
+    if(echo == 0){
+	tcgetattr(fileno(tty), &t_old);
+	memcpy(&t_new, &t_old, sizeof(t_new));
+	t_new.c_lflag &= ~ECHO;
+	tcsetattr(fileno(tty), TCSANOW, &t_new);
+    }
+    intr_flag = 0;
+    p = buf;
+    while(intr_flag == 0){
+	c = getc(tty);
+	if(c == EOF){
+	    if(!ferror(tty))
+		ret = 1;
+	    break;
+	}
+	if(c == '\n')
+	    break;
+	if(of == 0)
+	    *p++ = c;
+	of = (p == buf + len);
+    }
+    if(of)
+	p--;
+    *p = 0;
+    
+    if(echo == 0){
+	printf("\n");
+	tcsetattr(fileno(tty), TCSANOW, &t_old);
+    }
+    
+    if(tty != stdin)
+	fclose(tty);
+
+    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	sigaction(i, &sigs[i], NULL);
+    
+    if(ret)
+	return -3;
+    if(intr_flag)
+	return -2;
+    if(of)
+	return -1;
+    return 0;
+}
+
+
+#if 0
+int main()
+{
+    char s[128];
+    int ret;
+    ret = read_string("foo: ", s, sizeof(s), 0);
+    printf("%d ->%s<-\n", ret, s);
+}
+#endif
diff --git a/crypto/heimdal/appl/login/shadow.c b/crypto/heimdal/appl/login/shadow.c
new file mode 100644
index 0000000..0923831
--- /dev/null
+++ b/crypto/heimdal/appl/login/shadow.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: shadow.c,v 1.5 1999/12/02 17:04:56 joda Exp $");
+
+#ifdef HAVE_SHADOW_H
+
+#ifndef _PATH_CHPASS
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif
+
+static int
+change_passwd(const struct passwd *who)
+{
+    int status;
+    pid_t pid;
+
+    switch (pid = fork()) {
+    case -1:
+        printf("fork /bin/passwd");
+        exit(1);
+    case 0:
+        execlp(_PATH_CHPASS, "passwd", who->pw_name, (char *) 0);
+        exit(1);
+    default:
+        waitpid(pid, &status, 0);
+        return (status);
+    }
+}
+
+void 
+check_shadow(const struct passwd *pw, const struct spwd *sp)
+{
+  long today;
+
+  today = time(0)/(24L * 60 * 60);
+  
+  if (sp == NULL)
+      return;
+
+  if (sp->sp_expire > 0) {
+        if (today >= sp->sp_expire) {
+            printf("Your account has expired.\n");
+            sleep(1);
+            exit(0);
+        } else if (sp->sp_expire - today < 14) {
+            printf("Your account will expire in %d days.\n",
+                   (int)(sp->sp_expire - today));
+        }
+  }
+
+  if (sp->sp_max > 0) {
+        if (today >= (sp->sp_lstchg + sp->sp_max)) {
+            printf("Your password has expired. Choose a new one.\n");
+            change_passwd(pw);
+        } else if (sp->sp_warn > 0
+            && (today > (sp->sp_lstchg + sp->sp_max - sp->sp_warn))) {
+            printf("Your password will expire in %d days.\n",
+                   (int)(sp->sp_lstchg + sp->sp_max - today));
+        }
+  }
+}
+#endif /* HAVE_SHADOW_H */
diff --git a/crypto/heimdal/appl/login/stty_default.c b/crypto/heimdal/appl/login/stty_default.c
new file mode 100644
index 0000000..5e38566
--- /dev/null
+++ b/crypto/heimdal/appl/login/stty_default.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: stty_default.c,v 1.8 1999/12/02 17:04:56 joda Exp $");
+
+#include <termios.h>
+
+/* HP-UX 9.0 termios doesn't define these */
+#ifndef FLUSHO
+#define	FLUSHO	0
+#endif
+
+#ifndef XTABS
+#define	XTABS	0
+#endif
+
+#ifndef OXTABS
+#define OXTABS	XTABS
+#endif
+
+/* Ultrix... */
+#ifndef ECHOPRT
+#define ECHOPRT	0
+#endif
+
+#ifndef ECHOCTL
+#define ECHOCTL	0
+#endif
+
+#ifndef ECHOKE
+#define ECHOKE	0
+#endif
+
+#ifndef IMAXBEL
+#define IMAXBEL	0
+#endif
+
+#define Ctl(x) ((x) ^ 0100)
+
+void
+stty_default(void)
+{
+    struct	termios termios;
+
+    /*
+     * Finalize the terminal settings. Some systems default to 8 bits,
+     * others to 7, so we should leave that alone.
+     */
+    tcgetattr(0, &termios);
+
+    termios.c_iflag |= (BRKINT|IGNPAR|ICRNL|IXON|IMAXBEL);
+    termios.c_iflag &= ~IXANY;
+
+    termios.c_lflag |= (ISIG|IEXTEN|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE);
+    termios.c_lflag &= ~(ECHOPRT|TOSTOP|FLUSHO);
+
+    termios.c_oflag |= (OPOST|ONLCR);
+    termios.c_oflag &= ~OXTABS;
+
+    termios.c_cc[VINTR] = Ctl('C');
+    termios.c_cc[VERASE] = Ctl('H');
+    termios.c_cc[VKILL] = Ctl('U');
+    termios.c_cc[VEOF] = Ctl('D');
+
+    termios.c_cc[VSUSP] = Ctl('Z');
+    
+    tcsetattr(0, TCSANOW, &termios);
+}
diff --git a/crypto/heimdal/appl/login/tty.c b/crypto/heimdal/appl/login/tty.c
new file mode 100644
index 0000000..0ffea72
--- /dev/null
+++ b/crypto/heimdal/appl/login/tty.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: tty.c,v 1.4 1999/12/02 17:04:56 joda Exp $");
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
diff --git a/crypto/heimdal/appl/login/utmp_login.c b/crypto/heimdal/appl/login/utmp_login.c
new file mode 100644
index 0000000..b584326b
--- /dev/null
+++ b/crypto/heimdal/appl/login/utmp_login.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: utmp_login.c,v 1.17 1999/12/02 17:04:56 joda Exp $");
+
+void
+prepare_utmp (struct utmp *utmp, char *tty, 
+	      const char *username, const char *hostname)
+{
+    char *ttyx = clean_ttyname (tty);
+
+    memset(utmp, 0, sizeof(*utmp));
+    utmp->ut_time = time(NULL);
+    strncpy(utmp->ut_line, ttyx, sizeof(utmp->ut_line));
+    strncpy(utmp->ut_name, username, sizeof(utmp->ut_name));
+
+# ifdef HAVE_STRUCT_UTMP_UT_USER
+    strncpy(utmp->ut_user, username, sizeof(utmp->ut_user));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ADDR
+    if (hostname[0]) {
+        struct hostent *he;
+	if ((he = gethostbyname(hostname)))
+	    memcpy(&utmp->ut_addr, he->h_addr_list[0],
+		   sizeof(utmp->ut_addr));
+    }
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_HOST
+    strncpy(utmp->ut_host, hostname, sizeof(utmp->ut_host));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    utmp->ut_type = USER_PROCESS;
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_PID
+    utmp->ut_pid = getpid();
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmp->ut_id, make_id(ttyx), sizeof(utmp->ut_id));
+# endif
+}
+
+#ifdef HAVE_UTMPX_H
+void utmp_login(char *tty, const char *username, const char *hostname)
+{ 
+    return;
+}
+#else
+
+/* update utmp and wtmp - the BSD way */
+
+void utmp_login(char *tty, const char *username, const char *hostname)
+{
+    struct utmp utmp;
+    int fd;
+
+    prepare_utmp (&utmp, tty, username, hostname);
+
+#ifdef HAVE_SETUTENT
+    utmpname(_PATH_UTMP);
+    setutent();
+    pututline(&utmp);
+    endutent();
+#else
+
+#ifdef HAVE_TTYSLOT
+    {
+      int ttyno;
+      ttyno = ttyslot();
+      if (ttyno > 0 && (fd = open(_PATH_UTMP, O_WRONLY, 0)) >= 0) {
+	lseek(fd, (long)(ttyno * sizeof(struct utmp)), SEEK_SET);
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+      }
+    }
+#endif /* HAVE_TTYSLOT */
+#endif /* HAVE_SETUTENT */
+
+    if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+    }
+}
+#endif /* !HAVE_UTMPX_H */
diff --git a/crypto/heimdal/appl/login/utmpx_login.c b/crypto/heimdal/appl/login/utmpx_login.c
new file mode 100644
index 0000000..745d64c
--- /dev/null
+++ b/crypto/heimdal/appl/login/utmpx_login.c
@@ -0,0 +1,89 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "login_locl.h"
+
+RCSID("$Id: utmpx_login.c,v 1.24 1999/08/04 17:03:15 assar Exp $");
+
+/* utmpx_login - update utmp and wtmp after login */
+
+#ifndef HAVE_UTMPX_H
+int utmpx_login(char *line, const char *user, const char *host) { return 0; }
+#else
+
+static void
+utmpx_update(struct utmpx *ut, char *line, const char *user, const char *host)
+{
+    struct timeval tmp;
+    char *clean_tty = clean_ttyname(line);
+
+    strncpy(ut->ut_line, clean_tty, sizeof(ut->ut_line));
+#ifdef HAVE_STRUCT_UTMPX_UT_ID
+    strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id));
+#endif
+    strncpy(ut->ut_user, user, sizeof(ut->ut_user));
+    strncpy(ut->ut_host, host, sizeof(ut->ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    ut->ut_syslen = strlen(host) + 1;
+    if (ut->ut_syslen > sizeof(ut->ut_host))
+        ut->ut_syslen = sizeof(ut->ut_host);
+#endif
+    ut->ut_type = USER_PROCESS;
+    gettimeofday (&tmp, 0);
+    ut->ut_tv.tv_sec = tmp.tv_sec;
+    ut->ut_tv.tv_usec = tmp.tv_usec;
+    pututxline(ut);
+#ifdef WTMPX_FILE
+    updwtmpx(WTMPX_FILE, ut);
+#elif defined(WTMP_FILE)
+    {
+	struct utmp utmp;
+	int fd;
+
+	prepare_utmp (&utmp, line, user, host);
+	if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	    write(fd, &utmp, sizeof(struct utmp));
+	    close(fd);
+	}
+    }
+#endif
+}
+
+int
+utmpx_login(char *line, const char *user, const char *host)
+{
+    struct utmpx *ut, save_ut;
+    pid_t   mypid = getpid();
+    int     ret = (-1);
+
+    /*
+     * SYSV4 ttymon and login use tty port names with the "/dev/" prefix
+     * stripped off. Rlogind and telnetd, on the other hand, make utmpx
+     * entries with device names like /dev/pts/nnn. We therefore cannot use
+     * getutxline(). Return nonzero if no utmp entry was found with our own
+     * process ID for a login or user process.
+     */
+
+    while ((ut = getutxent())) {
+        /* Try to find a reusable entry */
+	if (ut->ut_pid == mypid
+	    && (   ut->ut_type == INIT_PROCESS
+		|| ut->ut_type == LOGIN_PROCESS
+		|| ut->ut_type == USER_PROCESS)) {
+	    save_ut = *ut;
+	    utmpx_update(&save_ut, line, user, host);
+	    ret = 0;
+	    break;
+	}
+    }
+    if (ret == -1) {
+        /* Grow utmpx file by one record. */
+        struct utmpx newut;
+	memset(&newut, 0, sizeof(newut));
+	newut.ut_pid = mypid;
+        utmpx_update(&newut, line, user, host);
+	ret = 0;
+    }
+    endutxent();
+    return (ret);
+}
+#endif /* HAVE_UTMPX_H */
diff --git a/crypto/heimdal/appl/push/ChangeLog b/crypto/heimdal/appl/push/ChangeLog
new file mode 100644
index 0000000..f013090
--- /dev/null
+++ b/crypto/heimdal/appl/push/ChangeLog
@@ -0,0 +1,150 @@
+1999-12-28  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): call k_getportbyname with port number in
+ 	network-byte-order
+
+1999-12-14  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): remove bogus local block variable
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): use `getaddrinfo'
+	* push.c: add --count (print number of messages and bytes at
+	beginning)
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* push.c: make `-v' a arg_counter
+	
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* push.c (doit): remember to step over the error message when we
+ 	discover that XDELE is not supported
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* push.c: use XDELE
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): v6-ify
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* push.c: get_default_username and the resulting const propagation
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* push.c (parse_pobox): try $USERNAME
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_v5): remove unused and non-working code
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_v5): call krb5_sendauth with ccache == NULL
+	
+Wed Apr  7 23:40:00 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: fix names of hesiod variables
+
+Wed Mar 24 04:37:04 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (pfrom): fix typo
+
+	* push.c (get_pobox): try to handle old and new hesiod APIs
+
+Mon Mar 22 22:19:40 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: hesoid -> hesiod
+
+Sun Mar 21 18:02:10 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: bindir -> libexecdir
+
+Sat Mar 20 00:12:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: LDADD: add missing backslash
+
+Thu Mar 18 15:28:35 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: clean pfrom
+
+	* Makefile.am: include Makefile.am.common
+
+Mon Mar 15 18:26:16 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* push.c: strncasecmp headers
+
+Mon Feb 15 22:22:09 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (pfrom): use libexecdir
+
+	* Makefile.am: build and install pfrom
+
+	* push.c (do_connect): init `s'
+	(pop_state): spell-check enums
+
+Tue Nov 24 23:20:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: build and install pfrom
+
+	* pfrom.in: bindir -> libexecdir
+
+Sun Nov 22 15:33:52 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* push.c: eliminate some warnings
+
+Sun Nov 22 10:34:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Thu Nov 19 01:17:33 1998  Assar Westerlund  <assar@sics.se>
+
+	* push_locl.h: add <hesiod.h>
+
+	* Makefile.am, Makefile.in: link and include hesiod
+
+	* push.c (get_pobox): new function. add hesiod support.
+
+1998-11-07  Assar Westerlund  <assar@sics.se>
+
+	* push.8: updated
+
+	* push.c: --from implementation from <lha@stacken.kth.se>
+
+Fri Jul 10 01:14:45 1998  Assar Westerlund  <assar@sics.se>
+
+	* push.c (net_{read,write}): remove
+
+Wed Jun 24 14:41:41 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* push.c: allow `po:user@host' mailbox syntax
+
+Tue Jun  2 17:35:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* push.c: quote '^From ' properly
+
+Mon May 25 05:22:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): PROGS -> PROGRAMS
+
+Sun Apr 26 11:42:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): better default for v4 and v5
+
+	* push.c (main): init context correctly
+
+	* push.c: should work with krb4
+
+	* push_locl.h: krb4 compat
+
+	* Makefile.in: new file
+
diff --git a/crypto/heimdal/appl/push/Makefile.am b/crypto/heimdal/appl/push/Makefile.am
new file mode 100644
index 0000000..07ecd0a
--- /dev/null
+++ b/crypto/heimdal/appl/push/Makefile.am
@@ -0,0 +1,27 @@
+# $Id: Makefile.am,v 1.15 1999/04/09 18:29:48 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(INCLUDE_hesiod)
+
+bin_SCRIPTS		= pfrom
+
+libexec_PROGRAMS	= push
+
+push_SOURCES = push.c push_locl.h
+
+pfrom: pfrom.in
+	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
+	chmod +x $@
+
+man_MANS = push.8
+
+CLEANFILES = pfrom
+
+EXTRA_DIST = pfrom.in $(man_MANS)
+
+LDADD = $(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(LIB_hesiod)
diff --git a/crypto/heimdal/appl/push/Makefile.in b/crypto/heimdal/appl/push/Makefile.in
new file mode 100644
index 0000000..6e9fef1
--- /dev/null
+++ b/crypto/heimdal/appl/push/Makefile.in
@@ -0,0 +1,713 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.15 1999/04/09 18:29:48 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) $(INCLUDE_hesiod)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_SCRIPTS = pfrom
+
+libexec_PROGRAMS = push
+
+push_SOURCES = push.c push_locl.h
+
+man_MANS = push.8
+
+CLEANFILES = pfrom
+
+EXTRA_DIST = pfrom.in $(man_MANS)
+
+LDADD = $(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(LIB_hesiod)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  push$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+push_OBJECTS =  push.$(OBJEXT)
+push_LDADD = $(LDADD)
+@KRB5_TRUE@push_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB5_FALSE@push_DEPENDENCIES =  $(top_builddir)/lib/des/libdes.la
+push_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(push_SOURCES)
+OBJECTS = $(push_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/push/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+push$(EXEEXT): $(push_OBJECTS) $(push_DEPENDENCIES)
+	@rm -f push$(EXEEXT)
+	$(LINK) $(push_LDFLAGS) $(push_OBJECTS) $(push_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else :; fi; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/push
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-binSCRIPTS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS \
+install-man8 uninstall-man8 install-man uninstall-man tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+pfrom: pfrom.in
+	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/push/pfrom.in b/crypto/heimdal/appl/push/pfrom.in
new file mode 100644
index 0000000..6adf4f0
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+# $Id: pfrom.in,v 1.2 1998/11/24 13:25:47 assar Exp $
+libexecdir=%libexecdir%
+PATH=$libexecdir:$PATH
+export PATH
+push --from $*
diff --git a/crypto/heimdal/appl/push/push.8 b/crypto/heimdal/appl/push/push.8
new file mode 100644
index 0000000..d8f4401
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.8
@@ -0,0 +1,138 @@
+.\" $Id: push.8,v 1.4 1999/12/05 13:00:56 assar Exp $
+.\"
+.Dd May 31, 1998
+.Dt PUSH 8
+.Os HEIMDAL
+.Sh NAME
+.Nm push
+.Nd
+fetch mail via POP
+.Sh SYNOPSIS
+.Nm
+.Op Fl 4 | Fl -krb4
+.Op Fl 5 | Fl -krb5
+.Op Fl v | Fl -verbose
+.Op Fl f | Fl -fork
+.Op Fl l | -leave
+.Op Fl -from
+.Op Fl c | -count
+.Op Fl -header
+.Oo Fl p Ar port-spec  \*(Ba Xo
+.Fl -port= Ns Ar port-spec Oc
+.Xc
+.Ar po-box
+.Pa filename
+.Sh DESCRIPTION
+.Nm
+retrieves mail from the post office box
+.Ar po-box ,
+and stores the mail in mbox format in
+.Pa filename .
+The
+.Ar po-box
+can have any of the following formats:
+.Bl -hang -compact -offset indent
+.It Ql hostname:username
+.It Ql po:hostname:username
+.It Ql username@hostname
+.It Ql po:username@hostname
+.It Ql hostname
+.It Ql po:username
+.El
+
+If no username is specified,
+.Nm
+assumes that it's the same as on the local machine; 
+.Ar hostname
+defaults to the value of the
+.Ev MAILHOST
+environment variable.
+
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 Ns ,
+.Fl -krb4
+.Xc
+use Kerberos 4 (if compiled with support for Kerberos 4)
+.It Xo
+.Fl 5 Ns ,
+.Fl -krb5
+.Xc
+use Kerberos 5 (if compiled with support for Kerberos 5)
+.It Xo
+.Fl f Ns ,
+.Fl -fork
+.Xc
+fork before starting to delete messages
+.It Xo
+.Fl l Ns ,
+.Fl -leave
+.Xc
+don't delete fetched mail
+.It Xo
+.Fl -from
+.Xc
+behave like from.
+.It Xo
+.Fl c Ns ,
+.Fl -count
+.Xc
+first print how many messages and bytes there are.
+.It Xo
+.Fl -header
+.Xc
+which header from should print.
+.It Xo
+.Fl p Ar port-spec Ns ,
+.Fl -port= Ns Ar port-spec
+.Xc
+use this port instead of the default
+.Ql kpop 
+or
+.Ql 1109 .
+.El
+
+The default is to first try Kerberos 5 authentication and then, if
+that fails, Kerberos 4.
+.Sh ENVIRONMENT
+
+.Bl -tag -width Ds
+.It Ev MAILHOST
+points to the post office, if no other hostname is specified.
+.El
+.\".Sh FILES
+.Sh EXAMPLES
+.Bd -literal -offset indent
+$ push cornfield:roosta ~/.gnus-crash-box
+.Ed
+
+tries to fetch mail for the user
+.Ar roosta
+from the post office at
+.Dq cornfield ,
+and stores the mail in
+.Pa ~/.gnus-crash-box  
+(you are using Gnus, aren't you?)
+.Bd -literal -offset indent
+$ push --from -5 havregryn
+.Ed
+
+tries to fetch 
+.Nm From: 
+lines for current user at post office
+.Dq havregryn
+using Kerberos 5.
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr movemail 8 ,
+.Xr popper 8 ,
+.Xr from 1
+.\".Sh STANDARDS
+.Sh HISTORY
+.Nm
+was written while waiting for
+.Nm movemail
+to finish getting the mail.
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/push/push.c b/crypto/heimdal/appl/push/push.c
new file mode 100644
index 0000000..1689a83
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.c
@@ -0,0 +1,790 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "push_locl.h"
+RCSID("$Id: push.c,v 1.38 1999/12/28 03:46:06 assar Exp $");
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+
+#ifdef KRB5
+static int use_v5 = -1;
+static krb5_context context;
+#endif
+
+static char *port_str;
+static int verbose_level;
+static int do_fork;
+static int do_leave;
+static int do_version;
+static int do_help;
+static int do_from;
+static int do_count;
+static char *header_str;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif    
+#ifdef KRB5
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+#endif
+    { "verbose",'v', arg_counter,	&verbose_level,	"Verbose",
+      NULL },
+    { "fork",	'f', arg_flag,		&do_fork,	"Fork deleting proc",
+      NULL },
+    { "leave",	'l', arg_flag,		&do_leave,	"Leave mail on server",
+      NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "from",	 0,  arg_flag,		&do_from,	"Behave like from",
+      NULL },
+    { "header",	 0,  arg_string,	&header_str,	"Header string to print", NULL },
+    { "count", 'c',  arg_flag,		&do_count,	"Print number of messages", NULL},
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "[[{po:username[@hostname] | hostname[:username]}] ...]"
+		    "filename");
+    exit (ret);
+}
+
+static int
+do_connect (const char *hostname, int port, int nodelay)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    int s;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error)
+	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+ 	    close (s);
+ 	    continue;
+	}
+	break;
+    }
+    freeaddrinfo (ai);
+    if (a == NULL) {
+	warnx ("failed to contact %s", hostname);
+	return -1;
+    }
+
+    if(setsockopt(s, IPPROTO_TCP, TCP_NODELAY,
+		  (void *)&nodelay, sizeof(nodelay)) < 0)
+	err (1, "setsockopt TCP_NODELAY");
+    return s;
+}
+
+typedef enum { INIT = 0, GREET, USER, PASS, STAT, RETR, TOP, 
+	       DELE, XDELE, QUIT} pop_state;
+
+#define PUSH_BUFSIZ 65536
+
+#define STEP 16
+
+struct write_state {
+    struct iovec *iovecs;
+    size_t niovecs, maxiovecs, allociovecs;
+    int fd;
+};
+
+static void
+write_state_init (struct write_state *w, int fd)
+{
+#ifdef UIO_MAXIOV
+    w->maxiovecs = UIO_MAXIOV;
+#else
+    w->maxiovecs = 16;
+#endif
+    w->allociovecs = min(STEP, w->maxiovecs);
+    w->niovecs = 0;
+    w->iovecs = malloc(w->allociovecs * sizeof(*w->iovecs));
+    if (w->iovecs == NULL)
+	err (1, "malloc");
+    w->fd = fd;
+}
+
+static void
+write_state_add (struct write_state *w, void *v, size_t len)
+{
+    if(w->niovecs == w->allociovecs) {				
+	if(w->niovecs == w->maxiovecs) {				
+	    if(writev (w->fd, w->iovecs, w->niovecs) < 0)		
+		err(1, "writev");				
+	    w->niovecs = 0;					
+	} else {						
+	    w->allociovecs = min(w->allociovecs + STEP, w->maxiovecs);	
+	    w->iovecs = realloc (w->iovecs,				
+				 w->allociovecs * sizeof(*w->iovecs));	
+	    if (w->iovecs == NULL)					
+		errx (1, "realloc");				
+	}							
+    }								
+    w->iovecs[w->niovecs].iov_base = v;				
+    w->iovecs[w->niovecs].iov_len  = len;				
+    ++w->niovecs;							
+}
+
+static void
+write_state_flush (struct write_state *w)
+{
+    if (w->niovecs) {
+	if (writev (w->fd, w->iovecs, w->niovecs) < 0)
+	    err (1, "writev");
+	w->niovecs = 0;
+    }
+}
+
+static void
+write_state_destroy (struct write_state *w)
+{
+    free (w->iovecs);
+}
+
+static int
+doit(int s,
+     const char *host,
+     const char *user,
+     const char *outfilename,
+     const char *header_str,
+     int leavep,
+     int verbose,
+     int forkp)
+{
+    int ret;
+    char out_buf[PUSH_BUFSIZ];
+    size_t out_len = 0;
+    char in_buf[PUSH_BUFSIZ + 1];	/* sentinel */
+    size_t in_len = 0;
+    char *in_ptr = in_buf;
+    pop_state state = INIT;
+    unsigned count, bytes;
+    unsigned asked_for = 0, retrieved = 0, asked_deleted = 0, deleted = 0;
+    unsigned sent_xdele = 0;
+    int out_fd;
+    char from_line[128];
+    size_t from_line_length;
+    time_t now;
+    struct write_state write_state;
+
+    if (do_from) {
+	out_fd = -1;
+	if (verbose)
+	    fprintf (stderr, "%s@%s\n", user, host);
+    } else {
+	out_fd = open(outfilename, O_WRONLY | O_APPEND | O_CREAT, 0666);
+	if (out_fd < 0)
+	    err (1, "open %s", outfilename);
+	if (verbose)
+	    fprintf (stderr, "%s@%s -> %s\n", user, host, outfilename);
+    }
+
+    now = time(NULL);
+    from_line_length = snprintf (from_line, sizeof(from_line),
+				 "From %s %s", "push", ctime(&now));
+
+    out_len = snprintf (out_buf, sizeof(out_buf),
+			"USER %s\r\nPASS hej\r\nSTAT\r\n",
+			user);
+    if (net_write (s, out_buf, out_len) != out_len)
+	err (1, "write");
+    if (verbose > 1)
+	write (STDERR_FILENO, out_buf, out_len);
+
+    if (!do_from)
+	write_state_init (&write_state, out_fd);
+
+    while(state != QUIT) {
+	fd_set readset, writeset;
+
+	FD_ZERO(&readset);
+	FD_ZERO(&writeset);
+	FD_SET(s,&readset);
+	if (((state == STAT || state == RETR || state == TOP)
+	     && asked_for < count)
+	    || (state == XDELE && !sent_xdele)
+	    || (state == DELE && asked_deleted < count))
+	    FD_SET(s,&writeset);
+	ret = select (s + 1, &readset, &writeset, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EAGAIN)
+		continue;
+	    else
+		err (1, "select");
+	}
+	
+	if (FD_ISSET(s, &readset)) {
+	    char *beg, *p;
+	    size_t rem;
+	    int blank_line = 0;
+	    
+	    ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1);
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0)
+		errx (1, "EOF during read");
+	    
+	    in_len += ret;
+	    in_ptr += ret;
+	    *in_ptr = '\0';
+	    
+	    beg = in_buf;
+	    rem = in_len;
+	    while(rem > 1
+		  && (p = strstr(beg, "\r\n")) != NULL) {
+		if (state == TOP) {
+		    char *copy = beg;
+
+		    if (strncasecmp(copy,
+				    header_str,
+				    min(p - copy + 1, strlen(header_str))) == 0) {
+			fprintf (stdout, "%.*s\n", (int)(p - copy), copy);
+		    }
+		    if (beg[0] == '.' && beg[1] == '\r' && beg[2] == '\n') {
+			state = STAT;
+			if (++retrieved == count) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			}
+		    }
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else if (state == RETR) {
+		    char *copy = beg;
+		    if (beg[0] == '.') {
+			if (beg[1] == '\r' && beg[2] == '\n') {
+			    if(!blank_line)
+				write_state_add(&write_state, "\n", 1);
+			    state = STAT;
+			    rem -= p - beg + 2;
+			    beg = p + 2;
+			    if (++retrieved == count) {
+				write_state_flush (&write_state);
+				if (fsync (out_fd) < 0)
+				    err (1, "fsync");
+				close(out_fd);
+				if (leavep) {
+				    state = QUIT;
+				    net_write (s, "QUIT\r\n", 6);
+				    if (verbose > 1)
+					net_write (STDERR_FILENO, "QUIT\r\n", 6);
+				} else {
+				    if (forkp) {
+					pid_t pid;
+
+					pid = fork();
+					if (pid < 0)
+					    warn ("fork");
+					else if(pid != 0) {
+					    if(verbose)
+						fprintf (stderr,
+							 "(exiting)");
+					    return 0;
+					}
+				    }
+
+				    state = XDELE;
+				    if (verbose)
+					fprintf (stderr, "deleting... ");
+				}
+			    }
+			    continue;
+			} else
+			    ++copy;
+		    }
+		    *p = '\n';
+		    if(blank_line && 
+		       strncmp(copy, "From ", min(p - copy + 1, 5)) == 0)
+			write_state_add(&write_state, ">", 1);
+		    write_state_add(&write_state, copy, p - copy + 1);
+		    blank_line = (*copy == '\n');
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else if (rem >= 3 && strncmp (beg, "+OK", 3) == 0) {
+		    if (state == STAT) {
+			if (!do_from)
+			    write_state_add(&write_state,
+					    from_line, from_line_length);
+			blank_line = 0;
+			if (do_from) 
+			    state = TOP;
+			else
+			    state = RETR;
+		    } else if (state == XDELE) {
+			state = QUIT;
+			net_write (s, "QUIT\r\n", 6);
+			if (verbose > 1)
+			    net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			break;
+		    } else if (state == DELE) {
+			if (++deleted == count) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			    break;
+			}
+		    } else if (++state == STAT) {
+			if(sscanf (beg + 4, "%u %u", &count, &bytes) != 2)
+			    errx(1, "Bad STAT-line: %.*s", (int)(p - beg), beg);
+			if (verbose) {
+			    fprintf (stderr, "%u message(s) (%u bytes). "
+				     "fetching... ",
+				     count, bytes);
+			    if (do_from)
+				fprintf (stderr, "\n");
+			} else if (do_count) {
+			    fprintf (stderr, "%u message(s) (%u bytes).\n",
+				     count, bytes);
+			}
+			if (count == 0) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			    break;
+			}
+		    }
+
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else {
+		    if(state == XDELE) {
+			state = DELE;
+			rem -= p - beg + 2;
+			beg = p + 2;
+		    } else
+			errx (1, "Bad response: %.*s", (int)(p - beg), beg);
+		}
+	    }
+	    if (!do_from)
+		write_state_flush (&write_state);
+
+	    memmove (in_buf, beg, rem);
+	    in_len = rem;
+	    in_ptr = in_buf + rem;
+	}
+	if (FD_ISSET(s, &writeset)) {
+	    if ((state == STAT && !do_from) || state == RETR)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "RETR %u\r\n", ++asked_for);
+	    else if ((state == STAT && do_from) || state == TOP)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "TOP %u 0\r\n", ++asked_for);
+	    else if(state == XDELE) {
+		out_len = snprintf(out_buf, sizeof(out_buf),
+				   "XDELE %u %u\r\n", 1, count);
+		sent_xdele++;
+	    }
+	    else if(state == DELE)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "DELE %u\r\n", ++asked_deleted);
+	    if (net_write (s, out_buf, out_len) != out_len)
+		err (1, "write");
+	    if (verbose > 1)
+		write (STDERR_FILENO, out_buf, out_len);
+	}
+    }
+    if (verbose)
+	fprintf (stderr, "Done\n");
+    if (!do_from)
+	write_state_destroy (&write_state);
+    return 0;
+}
+
+#ifdef KRB5
+static int
+do_v5 (const char *host,
+       int port,
+       const char *user,
+       const char *filename,
+       const char *header_str,
+       int leavep,
+       int verbose,
+       int forkp)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server;
+    int s;
+
+    s = do_connect (host, port, 1);
+    if (s < 0)
+	return 1;
+
+    ret = krb5_sname_to_principal (context,
+				   host,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL,
+			 server,
+			 0,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+    krb5_free_principal (context, server);
+    if (ret) {
+	warnx ("krb5_sendauth: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+    return doit (s, host, user, filename, header_str, leavep, verbose, forkp);
+}
+#endif
+
+#ifdef KRB4
+static int
+do_v4 (const char *host,
+       int port,
+       const char *user,
+       const char *filename,
+       const char *header_str,
+       int leavep,
+       int verbose,
+       int forkp)
+{
+    KTEXT_ST ticket;
+    MSG_DAT msg_data;
+    CREDENTIALS cred;
+    des_key_schedule sched;
+    int s;
+    int ret;
+
+    s = do_connect (host, port, 1);
+    if (s < 0)
+	return 1;
+    ret = krb_sendauth(0,
+		       s,
+		       &ticket, 
+		       "pop",
+		       (char *)host,
+		       krb_realmofhost(host),
+		       getpid(),
+		       &msg_data,
+		       &cred,
+		       sched,
+		       NULL,
+		       NULL,
+		       "KPOPV0.1");
+    if(ret) {
+	warnx("krb_sendauth: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    return doit (s, host, user, filename, header_str, leavep, verbose, forkp);
+}
+#endif /* KRB4 */
+
+#ifdef HESIOD
+
+#ifdef HESIOD_INTERFACES
+
+static char *
+hesiod_get_pobox (const char **user)
+{
+    void *context;
+    struct hesiod_postoffice *hpo;
+    char *ret = NULL;
+
+    if(hesiod_init (&context) != 0)
+	err (1, "hesiod_init");
+
+    hpo = hesiod_getmailhost (context, *user);
+    if (hpo == NULL) {
+	warn ("hesiod_getmailhost %s", *user);
+    } else {
+	if (strcasecmp(hpo->hesiod_po_type, "pop") != 0)
+	    errx (1, "Unsupported po type %s", hpo->hesiod_po_type);
+
+	ret = strdup(hpo->hesiod_po_host);
+	if(ret == NULL)
+	    errx (1, "strdup: out of memory");
+	*user = strdup(hpo->hesiod_po_name);
+	if (*user == NULL)
+	    errx (1, "strdup: out of memory");
+	hesiod_free_postoffice (context, hpo);
+    }
+    hesiod_end (context);
+    return ret;
+}
+
+#else /* !HESIOD_INTERFACES */
+
+static char *
+hesiod_get_pobox (const char **user)
+{
+    char *ret = NULL;
+    struct hes_postoffice *hpo;
+
+    hpo = hes_getmailhost (*user);
+    if (hpo == NULL) {
+	warn ("hes_getmailhost %s", *user);
+    } else {
+	if (strcasecmp(hpo->po_type, "pop") != 0)
+	    errx (1, "Unsupported po type %s", hpo->po_type);
+
+	ret = strdup(hpo->po_host);
+	if(ret == NULL)
+	    errx (1, "strdup: out of memory");
+	*user = strdup(hpo->po_name);
+	if (*user == NULL)
+	    errx (1, "strdup: out of memory");
+    }
+    return ret;
+}
+
+#endif /* HESIOD_INTERFACES */
+
+#endif /* HESIOD */
+
+static char *
+get_pobox (const char **user)
+{
+    char *ret = NULL;
+
+#ifdef HESIOD
+    ret = hesiod_get_pobox (user);
+#endif
+
+    if (ret == NULL)
+	ret = getenv("MAILHOST");
+    if (ret == NULL)
+	errx (1, "MAILHOST not set");
+    return ret;
+}
+
+static void
+parse_pobox (char *a0, const char **host, const char **user)
+{
+    const char *h, *u;
+    char *p;
+    int po = 0;
+
+    if (a0 == NULL) {
+
+	*user = getenv ("USERNAME");
+	if (*user == NULL) {
+	    struct passwd *pwd = getpwuid (getuid ());
+
+	    if (pwd == NULL)
+		errx (1, "Who are you?");
+	    *user = strdup (pwd->pw_name);
+	    if (*user == NULL)
+		errx (1, "strdup: out of memory");
+	}
+	*host = get_pobox (user);
+	return;
+    }
+
+    /* if the specification starts with po:, remember this information */
+    if(strncmp(a0, "po:", 3) == 0) {
+	a0 += 3;
+	po++;
+    }
+    /* if there is an `@', the hostname is after it, otherwise at the
+       beginning of the string */
+    p = strchr(a0, '@');
+    if(p != NULL) {
+	*p++ = '\0';
+	h = p;
+    } else {
+	h = a0;
+    }
+    /* if there is a `:', the username comes before it, otherwise at
+       the beginning of the string */
+    p = strchr(a0, ':');
+    if(p != NULL) {
+	*p++ = '\0';
+	u = p;
+    } else {
+	u = a0;
+    }
+    if(h == u) {
+	/* some inconsistent compatibility with various mailers */
+	if(po) {
+	    h = get_pobox (&u);
+	} else {
+	    u = get_default_username ();
+	    if (u == NULL)
+		errx (1, "Who are you?");
+	}
+    }
+    *host = h;
+    *user = u;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = 0;
+    int optind = 0;
+    int ret = 1;
+    const char *host, *user, *filename = NULL;
+    char *pobox = NULL;
+
+    set_progname (argv[0]);
+
+#ifdef KRB5
+    krb5_init_context (&context);
+#endif
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    argc -= optind;
+    argv += optind;
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version(NULL);
+	return 0;
+    }
+	
+    if (do_from && header_str == NULL)
+	header_str = "From:";
+    else if (header_str != NULL)
+	do_from = 1;
+
+    if (do_from) {
+	if (argc == 0)
+	    pobox = NULL;
+	else if (argc == 1)
+	    pobox = argv[0];
+	else
+	    usage (1);
+    } else {
+	if (argc == 1) {
+	    filename = argv[0];
+	    pobox    = NULL;
+	} else if (argc == 2) {
+	    filename = argv[1];
+	    pobox    = argv[0];
+	} else
+	    usage (1);
+    }
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+    if (port == 0) {
+#ifdef KRB5
+	port = krb5_getportbyname (context, "kpop", "tcp", 1109);
+#elif defined(KRB4)
+	port = k_getportbyname ("kpop", "tcp", htons(1109));
+#else
+#error must define KRB4 or KRB5
+#endif
+    }
+
+    parse_pobox (pobox, &host, &user);
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	ret = do_v5 (host, port, user, filename, header_str,
+		     do_leave, verbose_level, do_fork);
+    }
+#endif
+
+#ifdef KRB4
+    if (ret && use_v4) {
+	ret = do_v4 (host, port, user, filename, header_str,
+		     do_leave, verbose_level, do_fork);
+    }
+#endif /* KRB4 */
+    return ret;
+}
diff --git a/crypto/heimdal/appl/push/push_locl.h b/crypto/heimdal/appl/push/push_locl.h
new file mode 100644
index 0000000..1e5ca78
--- /dev/null
+++ b/crypto/heimdal/appl/push/push_locl.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: push_locl.h,v 1.6 1999/12/02 16:58:33 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HESIOD
+#include <hesiod.h>
+#endif
+
+#include <roken.h>
+#include <err.h>
+#include <getarg.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#ifdef KRB4
+#include <krb.h>
+#endif
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
new file mode 100644
index 0000000..869bc88
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/ChangeLog
@@ -0,0 +1,245 @@
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): make sure we use the heimdal libdes
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* *: conditionalize des stuff on KRB4
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (doit): addrinfo returned from getaddrinfo() is not usable
+	directly as hints.  copy it and set AI_PASSIVE.
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): remember to close the priviledged sockets before
+ 	calling rlogin
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (main): ignore SIGPIPE
+
+	* common.c (do_read): the encoded length can be longer than the
+ 	buffer being used, allocate memory for it dynamically.  From Brian
+ 	A May <bmay@dgs.monash.edu.au>
+
+1999-10-14  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (proto): be more careful and don't print errno when read()
+ 	returns 0
+
+1999-09-20  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (recv_krb4_auth): set `iv'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* common.c (do_read): be careful with the return value from
+ 	krb5_net_read
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: call freehostent
+
+	* rsh.c: remove some dead code
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: re-write the handling of forwarded credentials and
+ 	stuff.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* rsh_locl.h: always include kafs.h
+
+	* rsh.c: add `-z' and `-G' options
+
+	* rsh.c (loop): shutdown one side of the TCP connection on EOF.
+  	From Brian A May <bmay@dgs.monash.edu.au>
+
+	* common.c (do_read): handle EOF.  From Brian A May
+ 	<bmay@dgs.monash.edu.au>
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: const fixes
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: v6-ify
+
+	* rsh.c: v6-ify
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h: move around kafs.h
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h: <shadow.h>
+
+	* rsh.c, rshd.c: improve forwarding and implement unique ccache on
+ 	server.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (construct_command): handle argc == 0 for generality
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: new option `-e' for not trying to open an stderr socket
+
+1999-06-17  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h (RSH_BUFSIZ): bump to 16 * 1024 to be sure that we
+ 	don't leave any data inside des_enc_read.  (that constant should
+ 	really be exported in some way...)
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: use get_default_username and resulting const pollution
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): try $USERNAME
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (doit): afslog correctly
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): add fallback to rlogin
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (send_krb5_auth): call krb5_sendauth with ccache == NULL.
+	check return value from krb5_crypto_init
+	
+	* common.c (do_write, do_read): always return -1 for failure
+	(net_write, net_read): remove.  they already exist in libroken
+
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: make sure it tries with all other authentication methods
+	after one has failed
+	* rsh.c (main): detect the case of no command given.
+	
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: new option --forwardable. use print_version
+	
+Sat Apr 10 17:10:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (setup_copier): use `socketpair' instead of `pipe'.  Some
+ 	shells don't think it's a rsh session if they find a pipe at the
+ 	other end.
+	(setup_environment): add SSH_CLIENT just to make bash happy
+
+	* common.c (do_read): use krb5_get_wrapped_length
+
+Wed Mar 24 03:59:42 1999  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (loop): more braces to make gcc happy
+
+Tue Mar 23 17:08:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* rsh_locl.h: kafs.h
+
+	* rshd.c: add `-P', `-v', and `-L' flags
+
+Thu Mar 18 11:37:24 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* appl/rsh/rshd.c: update to new crypto framework
+
+	* appl/rsh/rsh_locl.h: update to new crypto framework
+
+	* appl/rsh/rsh.c: update to new crypto framework
+
+	* appl/rsh/common.c: update to new crypto framework
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c (main): initialize host
+
+	* appl/rsh/rshd.c (recv_krb5_auth): disable `do_encrypt' if not
+ 	encrypting.
+
+Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c: kludges for parsing `rsh hostname -l user'
+
+Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/rsh/rshd.c: use krb5_verify_authenticator_checksum
+
+Sat Apr 18 21:13:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/rsh/rsh.c: Don't try v5 if (only) `-4' is specified.
+
+Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c (recv_krb5_auth): swap the order of the
+ 	`local_user' and the `remote_user'
+
+	* appl/rsh/rsh.c (send_krb5_auth): swap the order of the
+ 	`local_user' and the `remote_user'
+
+Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: updated to use getarg.
+	changed `struct fd_set' to `fd_set'.
+	implemented broken/BSD authentication (requires iruserok)
+
+Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh_locl.h: add AUTH_BROKEN and PATH_RSH
+
+	* appl/rsh/Makefile.am: set BINDIR
+
+	* appl/rsh/rsh.c: implemented BSD-style reserved port
+ 	`authentication'
+
+Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: syslog remote shells
+
+Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rshd/rshd.c: Use `krb5_sock_to_principal'.  Send server
+ 	parameter to krb5_rd_req/krb5_recvauth.  Set addresses in
+ 	auth_context.
+
+Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: implement forwarding
+
+	* appl/rsh/rsh.c: Use getarg.  Implement forwarding.
+
+Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh: Conditionalize the krb4-support.
+
+Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c: use the correct user for the checksum
+
+Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: Now works.  Also implementd encryption and
+ 	`-p'.
+	
+	* appl/rsh/common.c: new file
+
+Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh: New program.
+
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
new file mode 100644
index 0000000..c005b9e
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/Makefile.am
@@ -0,0 +1,20 @@
+# $Id: Makefile.am,v 1.14 2000/02/07 03:13:00 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = rsh
+
+libexec_PROGRAMS = rshd
+
+rsh_SOURCES  = rsh.c common.c rsh_locl.h
+
+rshd_SOURCES = rshd.c common.c rsh_locl.h
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb5) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
new file mode 100644
index 0000000..75c989d
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/Makefile.in
@@ -0,0 +1,706 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.14 2000/02/07 03:13:00 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = rsh
+
+libexec_PROGRAMS = rshd
+
+rsh_SOURCES = rsh.c common.c rsh_locl.h
+
+rshd_SOURCES = rshd.c common.c rsh_locl.h
+
+LDADD = $(LIB_kafs) 	$(LIB_krb5) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  rsh$(EXEEXT)
+libexec_PROGRAMS =  rshd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+rsh_OBJECTS =  rsh.$(OBJEXT) common.$(OBJEXT)
+rsh_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+rsh_LDFLAGS = 
+rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT)
+rshd_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+rshd_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
+OBJECTS = $(rsh_OBJECTS) $(rshd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rsh/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES)
+	@rm -f rsh$(EXEEXT)
+	$(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS)
+
+rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES)
+	@rm -f rshd$(EXEEXT)
+	$(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/rsh
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/rsh/common.c b/crypto/heimdal/appl/rsh/common.c
new file mode 100644
index 0000000..6614137
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/common.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: common.c,v 1.12 1999/12/02 17:04:56 joda Exp $");
+
+ssize_t
+do_read (int fd,
+	 void *buf,
+	 size_t sz)
+{
+    int ret;
+
+    if (do_encrypt) {
+#ifdef KRB4
+	if (auth_method == AUTH_KRB4) {
+	    return des_enc_read (fd, buf, sz, schedule, &iv);
+	} else
+#endif /* KRB4 */
+        if(auth_method == AUTH_KRB5) {
+	    u_int32_t len, outer_len;
+	    int status;
+	    krb5_data data;
+	    void *edata;
+
+	    ret = krb5_net_read (context, &fd, &len, 4);
+	    if (ret <= 0)
+		return ret;
+	    len = ntohl(len);
+	    if (len > sz)
+		abort ();
+	    outer_len = krb5_get_wrapped_length (context, crypto, len);
+	    edata = malloc (outer_len);
+	    if (edata == NULL)
+		errx (1, "malloc: cannot allocate %u bytes", outer_len);
+	    ret = krb5_net_read (context, &fd, edata, outer_len);
+	    if (ret <= 0)
+		return ret;
+
+	    status = krb5_decrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED, 
+				  edata, outer_len, &data);
+	    free (edata);
+	    
+	    if (status)
+		errx (1, "%s", krb5_get_err_text (context, status));
+	    memcpy (buf, data.data, len);
+	    krb5_data_free (&data);
+	    return len;
+	} else {
+	    abort ();
+	}
+    } else
+	return read (fd, buf, sz);
+}
+
+ssize_t
+do_write (int fd, void *buf, size_t sz)
+{
+    if (do_encrypt) {
+#ifdef KRB4
+	if(auth_method == AUTH_KRB4) {
+	    return des_enc_write (fd, buf, sz, schedule, &iv);
+	} else
+#endif /* KRB4 */
+	if(auth_method == AUTH_KRB5) {
+	    krb5_error_code status;
+	    krb5_data data;
+	    u_int32_t len;
+	    int ret;
+
+	    status = krb5_encrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED,
+				  buf, sz, &data);
+	    
+	    if (status)
+		errx (1, "%s", krb5_get_err_text(context, status));
+
+	    assert (krb5_get_wrapped_length (context, crypto,
+					     sz) == data.length);
+
+	    len = htonl(sz);
+	    ret = krb5_net_write (context, &fd, &len, 4);
+	    if (ret != 4)
+		return ret;
+	    ret = krb5_net_write (context, &fd, data.data, data.length);
+	    if (ret != data.length)
+		return ret;
+	    free (data.data);
+	    return sz;
+	} else {
+	    abort();
+	}
+    } else
+	return write (fd, buf, sz);
+}
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
new file mode 100644
index 0000000..5033c4f
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rsh.c
@@ -0,0 +1,950 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: rsh.c,v 1.47 2000/02/06 05:58:55 assar Exp $");
+
+enum auth_method auth_method;
+int do_encrypt;
+int do_forward;
+int do_forwardable;
+int do_unique_tkfile = 0;
+char *unique_tkfile  = NULL;
+char tkfile[MAXPATHLEN];
+krb5_context context;
+krb5_keyblock *keyblock;
+krb5_crypto crypto;
+#ifdef KRB4
+des_key_schedule schedule;
+des_cblock iv;
+#endif
+
+
+/*
+ *
+ */
+
+static int input = 1;		/* Read from stdin */
+
+static int
+loop (int s, int errsock)
+{
+    fd_set real_readset;
+    int count = 1;
+
+    FD_ZERO(&real_readset);
+    FD_SET(s, &real_readset);
+    if (errsock != -1) {
+	FD_SET(errsock, &real_readset);
+	++count;
+    }
+    if(input)
+	FD_SET(STDIN_FILENO, &real_readset);
+
+    for (;;) {
+	int ret;
+	fd_set readset;
+	char buf[RSH_BUFSIZ];
+
+	readset = real_readset;
+	ret = select (max(s, errsock) + 1, &readset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		err (1, "select");
+	}
+	if (FD_ISSET(s, &readset)) {
+	    ret = do_read (s, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (s);
+		FD_CLR(s, &real_readset);
+		if (--count == 0)
+		    return 0;
+	    } else
+		net_write (STDOUT_FILENO, buf, ret);
+	}
+	if (errsock != -1 && FD_ISSET(errsock, &readset)) {
+	    ret = do_read (errsock, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (errsock);
+		FD_CLR(errsock, &real_readset);
+		if (--count == 0)
+		    return 0;
+	    } else
+		net_write (STDERR_FILENO, buf, ret);
+	}
+	if (FD_ISSET(STDIN_FILENO, &readset)) {
+	    ret = read (STDIN_FILENO, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (STDIN_FILENO);
+		FD_CLR(STDIN_FILENO, &real_readset);
+		shutdown (s, SHUT_WR);
+	    } else
+		do_write (s, buf, ret);
+	}
+    }
+}
+
+#ifdef KRB4
+static int
+send_krb4_auth(int s,
+	       struct sockaddr *thisaddr,
+	       struct sockaddr *thataddr,
+	       const char *hostname,
+	       const char *remote_user,
+	       const char *local_user,
+	       size_t cmd_len,
+	       const char *cmd)
+{
+    KTEXT_ST text;
+    CREDENTIALS cred;
+    MSG_DAT msg;
+    int status;
+    size_t len;
+
+    status = krb_sendauth (do_encrypt ? KOPT_DO_MUTUAL : 0,
+			   s, &text, "rcmd",
+			   (char *)hostname, krb_realmofhost (hostname),
+			   getpid(), &msg, &cred, schedule,
+			   (struct sockaddr_in *)thisaddr,
+			   (struct sockaddr_in *)thataddr,
+			   KCMD_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s", hostname, krb_get_err_text(status));
+	return 1;
+    }
+    memcpy (iv, cred.session, sizeof(iv));
+
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn("write");
+	return 1;
+    }
+    return 0;
+}
+#endif /* KRB4 */
+
+/*
+ * Send forward information on `s' for host `hostname', them being
+ * forwardable themselves if `forwardable'
+ */
+
+static int
+krb5_forward_cred (krb5_auth_context auth_context,
+		   int s,
+		   const char *hostname,
+		   int forwardable)
+{
+    krb5_error_code ret;
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_data       out_data;
+    krb5_principal  principal;
+
+    memset (&creds, 0, sizeof(creds));
+
+    ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	warnx ("could not forward creds: krb5_cc_default: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	warnx ("could not forward creds: krb5_cc_get_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    creds.client = principal;
+    
+    ret = krb5_build_principal (context,
+				&creds.server,
+				strlen(principal->realm),
+				principal->realm,
+				"krbtgt",
+				principal->realm,
+				NULL);
+
+    if (ret) {
+	warnx ("could not forward creds: krb5_build_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded   = 1;
+    flags.b.forwardable = forwardable;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags.i,
+				    hostname,
+				    &creds,
+				    &out_data);
+    if (ret) {
+	warnx ("could not forward creds: krb5_get_forwarded_creds: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_write_message (context,
+			      (void *)&s,
+			      &out_data);
+    krb5_data_free (&out_data);
+
+    if (ret)
+	warnx ("could not forward creds: krb5_write_message: %s",
+	       krb5_get_err_text (context, ret));
+    return 0;
+}
+
+static int
+send_krb5_auth(int s,
+	       struct sockaddr *thisaddr,
+	       struct sockaddr *thataddr,
+	       const char *hostname,
+	       const char *remote_user,
+	       const char *local_user,
+	       size_t cmd_len,
+	       const char *cmd)
+{
+    krb5_principal server;
+    krb5_data cksum_data;
+    int status;
+    size_t len;
+    krb5_auth_context auth_context = NULL;
+
+    status = krb5_sname_to_principal(context,
+				     hostname,
+				     "host",
+				     KRB5_NT_SRV_HST,
+				     &server);
+    if (status) {
+	warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    cksum_data.length = asprintf ((char **)&cksum_data.data,
+				  "%u:%s%s%s",
+				  ntohs(socket_get_port(thataddr)),
+				  do_encrypt ? "-x " : "",
+				  cmd,
+				  remote_user);
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &s,
+			    KCMD_VERSION,
+			    NULL,
+			    server,
+			    do_encrypt ? AP_OPTS_MUTUAL_REQUIRED : 0,
+			    &cksum_data,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status) {
+	warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    status = krb5_auth_con_getkey (context, auth_context, &keyblock);
+    if (status) {
+	warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &s);
+    if (status) {
+        warnx("krb5_auth_con_setaddrs_from_fd: %s",
+	      krb5_get_err_text(context, status));
+        return(1);
+    }
+
+    status = krb5_crypto_init(context, keyblock, 0, &crypto);
+    if(status) {
+	warnx ("krb5_crypto_init: %s", krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    if (do_encrypt && net_write (s, "-x ", 3) != 3) {
+	warn ("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn ("write");
+	return 1;
+    }
+
+    if (do_unique_tkfile) {
+	if (net_write (s, tkfile, strlen(tkfile)) != strlen(tkfile)) {
+	    warn ("write");
+	    return 1;
+	}
+    }
+    len = strlen(local_user) + 1;
+    if (net_write (s, local_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+
+    if (!do_forward
+	|| krb5_forward_cred (auth_context, s, hostname, do_forwardable)) {
+	/* Empty forwarding info */
+
+	u_char zero[4] = {0, 0, 0, 0};
+	write (s, &zero, 4);
+    }
+    krb5_auth_con_free (context, auth_context);
+    return 0;
+}
+
+static int
+send_broken_auth(int s,
+		 struct sockaddr *thisaddr,
+		 struct sockaddr *thataddr,
+		 const char *hostname,
+		 const char *remote_user,
+		 const char *local_user,
+		 size_t cmd_len,
+		 const char *cmd)
+{
+    size_t len;
+
+    len = strlen(local_user) + 1;
+    if (net_write (s, local_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn ("write");
+	return 1;
+    }
+    return 0;
+}
+
+static int
+proto (int s, int errsock,
+       const char *hostname, const char *local_user, const char *remote_user,
+       const char *cmd, size_t cmd_len,
+       int (*auth_func)(int s,
+			struct sockaddr *this, struct sockaddr *that,
+			const char *hostname, const char *remote_user,
+			const char *local_user, size_t cmd_len,
+			const char *cmd))
+{
+    int errsock2;
+    char buf[BUFSIZ];
+    char *p;
+    size_t len;
+    char reply;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+    struct sockaddr_storage thataddr_ss;
+    struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
+    struct sockaddr_storage erraddr_ss;
+    struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
+    int addrlen;
+    int ret;
+
+    addrlen = sizeof(thisaddr_ss);
+    if (getsockname (s, thisaddr, &addrlen) < 0) {
+	warn ("getsockname(%s)", hostname);
+	return 1;
+    }
+    addrlen = sizeof(thataddr_ss);
+    if (getpeername (s, thataddr, &addrlen) < 0) {
+	warn ("getpeername(%s)", hostname);
+	return 1;
+    }
+
+    if (errsock != -1) {
+
+	addrlen = sizeof(erraddr_ss);
+	if (getsockname (errsock, erraddr, &addrlen) < 0) {
+	    warn ("getsockname");
+	    return 1;
+	}
+
+	if (listen (errsock, 1) < 0) {
+	    warn ("listen");
+	    return 1;
+	}
+
+	p = buf;
+	snprintf (p, sizeof(buf), "%u",
+		  ntohs(socket_get_port(erraddr)));
+	len = strlen(buf) + 1;
+	if(net_write (s, buf, len) != len) {
+	    warn ("write");
+	    close (errsock);
+	    return 1;
+	}
+
+	errsock2 = accept (errsock, NULL, NULL);
+	if (errsock2 < 0) {
+	    warn ("accept");
+	    close (errsock);
+	    return 1;
+	}
+	close (errsock);
+
+    } else {
+	if (net_write (s, "0", 2) != 2) {
+	    warn ("write");
+	    return 1;
+	}
+	errsock2 = -1;
+    }
+
+    if ((*auth_func)(s, thisaddr, thataddr, hostname,
+		     remote_user, local_user,
+		     cmd_len, cmd)) {
+	close (errsock2);
+	return 1;
+    } 
+
+    ret = net_read (s, &reply, 1);
+    if (ret < 0) {
+	warn ("read");
+	close (errsock2);
+	return 1;
+    } else if (ret == 0) {
+	warnx ("unexpected EOF from %s", hostname);
+	close (errsock2);
+	return 1;
+    }
+    if (reply != 0) {
+
+	warnx ("Error from rshd at %s:", hostname);
+
+	while ((ret = read (s, buf, sizeof(buf))) > 0)
+	    write (STDOUT_FILENO, buf, ret);
+        write (STDOUT_FILENO,"\n",1);
+	close (errsock2);
+	return 1;
+    }
+
+    return loop (s, errsock2);
+}
+
+/*
+ * Return in `res' a copy of the concatenation of `argc, argv' into
+ * malloced space.
+ */
+
+static size_t
+construct_command (char **res, int argc, char **argv)
+{
+    int i;
+    size_t len = 0;
+    char *tmp;
+
+    for (i = 0; i < argc; ++i)
+	len += strlen(argv[i]) + 1;
+    len = max (1, len);
+    tmp = malloc (len);
+    if (tmp == NULL)
+	errx (1, "malloc %u failed", len);
+
+    *tmp = '\0';
+    for (i = 0; i < argc - 1; ++i) {
+	strcat (tmp, argv[i]);
+	strcat (tmp, " ");
+    }
+    if (argc > 0)
+	strcat (tmp, argv[argc-1]);
+    *res = tmp;
+    return len;
+}
+
+static char *
+print_addr (const struct sockaddr_in *sin)
+{
+    char addr_str[256];
+    char *res;
+
+    inet_ntop (AF_INET, &sin->sin_addr, addr_str, sizeof(addr_str));
+    res = strdup(addr_str);
+    if (res == NULL)
+	errx (1, "malloc: out of memory");
+    return res;
+}
+
+static int
+doit_broken (int argc,
+	     char **argv,
+	     int optind,
+	     const char *host,
+	     const char *remote_user,
+	     const char *local_user,
+	     int port,
+	     int priv_socket1,
+	     int priv_socket2,
+	     const char *cmd,
+	     size_t cmd_len)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    if (priv_socket1 < 0) {
+	warnx ("unable to bind reserved port: is rsh setuid root?");
+	return 1;
+    }
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+    hints.ai_family   = AF_INET;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", host, gai_strerror(error));
+	return 1;
+    }
+    
+    if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) {
+	if (ai->ai_next == NULL) {
+	    freeaddrinfo (ai);
+	    return 1;
+	}
+
+	close(priv_socket1);
+	close(priv_socket2);
+
+	for (a = ai->ai_next; a != NULL; a = a->ai_next) {
+	    pid_t pid;
+
+	    pid = fork();
+	    if (pid < 0)
+		err (1, "fork");
+	    else if(pid == 0) {
+		char **new_argv;
+		int i = 0;
+		struct sockaddr_in *sin = (struct sockaddr_in *)a->ai_addr;
+
+		new_argv = malloc((argc + 2) * sizeof(*new_argv));
+		if (new_argv == NULL)
+		    errx (1, "malloc: out of memory");
+		new_argv[i] = argv[i];
+		++i;
+		if (optind == i)
+		    new_argv[i++] = print_addr (sin);
+		new_argv[i++] = "-K";
+		for(; i <= argc; ++i)
+		    new_argv[i] = argv[i - 1];
+		if (optind > 1)
+		    new_argv[optind + 1] = print_addr(sin);
+		new_argv[argc + 1] = NULL;
+		execv(PATH_RSH, new_argv);
+		err(1, "execv(%s)", PATH_RSH);
+	    } else {
+		int status;
+
+		freeaddrinfo (ai);
+
+		while(waitpid(pid, &status, 0) < 0)
+		    ;
+		if(WIFEXITED(status) && WEXITSTATUS(status) == 0)
+		    return 0;
+	    }
+	}
+	return 1;
+    } else {
+	int ret;
+
+	freeaddrinfo (ai);
+
+	ret = proto (priv_socket1, priv_socket2,
+		     argv[optind],
+		     local_user, remote_user,
+		     cmd, cmd_len,
+		     send_broken_auth);
+	return ret;
+    }
+}
+
+static int
+doit (const char *hostname,
+      const char *remote_user,
+      const char *local_user,
+      int port,
+      const char *cmd,
+      size_t cmd_len,
+      int do_errsock,
+      int (*auth_func)(int s,
+		       struct sockaddr *this, struct sockaddr *that,
+		       const char *hostname, const char *remote_user,
+		       const char *local_user, size_t cmd_len,
+		       const char *cmd))
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    int ret;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+	int errsock;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	if (do_errsock) {
+	    struct addrinfo *ea;
+	    struct addrinfo hints;
+
+	    memset (&hints, 0, sizeof(hints));
+	    hints.ai_socktype = a->ai_socktype;
+	    hints.ai_protocol = a->ai_protocol;
+	    hints.ai_family   = a->ai_family;
+	    hints.ai_flags    = AI_PASSIVE;
+
+	    error = getaddrinfo (NULL, "0", &hints, &ea);
+	    if (error)
+		errx (1, "getaddrinfo: %s", gai_strerror(error));
+	    errsock = socket (ea->ai_family, ea->ai_socktype, ea->ai_protocol);
+	    if (errsock < 0)
+		err (1, "socket");
+	    if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
+		err (1, "bind");
+	    freeaddrinfo (ea);
+	} else
+	    errsock = -1;
+    
+	freeaddrinfo (ai);
+	ret = proto (s, errsock,
+		     hostname,
+		     local_user, remote_user,
+		     cmd, cmd_len, auth_func);
+	close (s);
+	return ret;
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return -1;
+}
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+static int use_v5 = -1;
+static int use_only_broken = 0;
+static int use_broken = 1;
+static char *port_str;
+static const char *user;
+static int do_version;
+static int do_help;
+static int do_errsock = 1;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+    { "broken", 'K', arg_flag,		&use_only_broken, "Use priv port",
+      NULL },
+    { "input",	'n', arg_negative_flag,	&input,		"Close stdin",
+      NULL },
+    { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection",
+      NULL },
+    { "encrypt", 'z', arg_negative_flag,      &do_encrypt,
+      "Don't encrypt connection", NULL },
+    { "forward", 'f', arg_flag,		&do_forward,	"Forward credentials",
+      NULL },
+    { "forward", 'G', arg_negative_flag,&do_forward,	"Forward credentials",
+      NULL },
+    { "forwardable", 'F', arg_flag,	&do_forwardable,
+      "Forward forwardable credentials", NULL },
+    { "unique", 'u', arg_flag,	&do_unique_tkfile,
+      "Use unique remote tkfile", NULL },
+    { "tkfile", 'U', arg_string,  &unique_tkfile,
+      "Use that remote tkfile", NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "user",	'l', arg_string,	&user,		"Run as this user",
+      NULL },
+    { "stderr", 'e', arg_negative_flag, &do_errsock,	"don't open stderr"},
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host [command]");
+    exit (ret);
+}
+
+/*
+ *
+ */
+
+int
+main(int argc, char **argv)
+{
+    int priv_port1, priv_port2;
+    int priv_socket1, priv_socket2;
+    int port = 0;
+    int optind = 0;
+    int ret = 1;
+    char *cmd;
+    size_t cmd_len;
+    const char *local_user;
+    char *host = NULL;
+    int host_index = -1;
+    int status; 
+
+    priv_port1 = priv_port2 = IPPORT_RESERVED-1;
+    priv_socket1 = rresvport(&priv_port1);
+    priv_socket2 = rresvport(&priv_port2);
+    setuid(getuid());
+    
+    set_progname (argv[0]);
+
+    if (argc >= 2 && argv[1][0] != '-') {
+	host = argv[host_index = 1];
+	optind = 1;
+    }
+    
+    status = krb5_init_context (&context);
+    if (status)
+        errx(1, "krb5_init_context failed: %u", status);
+      
+    do_forwardable = krb5_config_get_bool (context, NULL,
+					   "libdefaults",
+					   "forwardable",
+					   NULL);
+	
+    do_forward = krb5_config_get_bool (context, NULL,
+				       "libdefaults",
+				       "forward",
+				       NULL);
+
+    do_encrypt = krb5_config_get_bool (context, NULL,
+				       "libdefaults",
+				       "encrypt",
+				       NULL);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (do_forwardable)
+	do_forward = 1;
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+    if (use_only_broken) {
+#ifdef KRB4
+	use_v4 = 0;
+#endif
+	use_v5 = 0;
+    }
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (do_unique_tkfile && unique_tkfile != NULL)
+	errx (1, "Only one of -u and -U allowed.");
+
+    if (do_unique_tkfile)
+	strcpy(tkfile,"-u ");
+    else if (unique_tkfile != NULL) {
+	if (strchr(unique_tkfile,' ') != NULL) {
+	    warnx("Space is not allowed in tkfilename");
+	    usage(1);
+	}
+	do_unique_tkfile = 1;
+	snprintf (tkfile, sizeof(tkfile), "-U %s ", unique_tkfile);
+    }
+
+    if (host == NULL) {
+	if (argc - optind < 1)
+	    usage (1);
+	else
+	    host = argv[host_index = optind++];
+    }
+
+    if (optind == argc) {
+	close (priv_socket1);
+	close (priv_socket2);
+	argv[0] = "rlogin";
+	execvp ("rlogin", argv);
+	err (1, "execvp rlogin");
+    }
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    local_user = get_default_username ();
+    if (local_user == NULL)
+	errx (1, "who are you?");
+
+    if (user == NULL)
+	user = local_user;
+
+    cmd_len = construct_command(&cmd, argc - optind, argv + optind);
+
+    /*
+     * Try all different authentication methods
+     */
+
+    if (ret && use_v5) {
+	int tmp_port;
+
+	if (port)
+	    tmp_port = port;
+	else
+	    tmp_port = krb5_getportbyname (context, "kshell", "tcp", 544);
+
+	auth_method = AUTH_KRB5;
+	ret = doit (host, user, local_user, tmp_port, cmd, cmd_len,
+		    do_errsock,
+		    send_krb5_auth);
+    }
+#ifdef KRB4
+    if (ret && use_v4) {
+	int tmp_port;
+
+	if (port)
+	    tmp_port = port;
+	else if (do_encrypt)
+	    tmp_port = krb5_getportbyname (context, "ekshell", "tcp", 545);
+	else
+	    tmp_port = krb5_getportbyname (context, "kshell", "tcp", 544);
+
+	auth_method = AUTH_KRB4;
+	ret = doit (host, user, local_user, tmp_port, cmd, cmd_len,
+		    do_errsock,
+		    send_krb4_auth);
+    }
+#endif
+    if (ret && use_broken) {
+	int tmp_port;
+
+	if(port)
+	    tmp_port = port;
+	else
+	    tmp_port = krb5_getportbyname(context, "shell", "tcp", 514);
+	auth_method = AUTH_BROKEN;
+	ret = doit_broken (argc, argv, host_index, host,
+			   user, local_user,
+			   tmp_port,
+			   priv_socket1,
+			   do_errsock ? priv_socket2 : -1,
+			   cmd, cmd_len);
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h
new file mode 100644
index 0000000..7eb1f68
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rsh_locl.h
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rsh_locl.h,v 1.23 2000/02/06 05:58:55 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <errno.h>
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#include <krb5.h>
+#include <kafs.h>
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN   "/etc/nologin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL	"/bin/sh"
+#endif
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH	"/usr/bin:/bin"
+#endif
+
+/*
+ *
+ */
+
+enum auth_method { AUTH_KRB4, AUTH_KRB5, AUTH_BROKEN };
+
+extern enum auth_method auth_method;
+extern int do_encrypt;
+extern krb5_context context;
+extern krb5_keyblock *keyblock;
+extern krb5_crypto crypto;
+#ifdef KRB4
+extern des_key_schedule schedule;
+extern des_cblock iv;
+#endif
+
+#define KCMD_VERSION "KCMDV0.1"
+
+#define USERNAME_SZ 16
+#define COMMAND_SZ 1024
+
+#define RSH_BUFSIZ (16 * 1024)
+
+#define PATH_RSH BINDIR "/rsh"
+
+ssize_t do_read (int fd, void *buf, size_t sz);
+ssize_t do_write (int fd, void *buf, size_t sz);
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
new file mode 100644
index 0000000..d018856
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -0,0 +1,853 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: rshd.c,v 1.30 2000/02/06 05:58:56 assar Exp $");
+
+enum auth_method auth_method;
+
+krb5_context context;
+krb5_keyblock *keyblock;
+krb5_crypto crypto;
+
+#ifdef KRB4
+des_key_schedule schedule;
+des_cblock iv;
+#endif
+
+krb5_ccache ccache, ccache2;
+int kerberos_status = 0;
+
+int do_encrypt = 0;
+
+static int do_unique_tkfile           = 0;
+static char tkfile[MAXPATHLEN] = "";
+
+static int do_inetd = 1;
+static char *port_str;
+static int do_rhosts;
+static int do_kerberos = 0;
+static int do_vacuous = 0;
+static int do_log = 1;
+static int do_newpag = 1;
+static int do_version;
+static int do_help = 0;
+
+static void
+syslog_and_die (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    exit (1);
+}
+
+static void
+fatal (int sock, const char *m, ...)
+{
+    va_list args;
+    char buf[BUFSIZ];
+    size_t len;
+
+    *buf = 1;
+    va_start(args, m);
+    len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args);
+    va_end(args);
+    syslog (LOG_ERR, buf + 1);
+    net_write (sock, buf, len + 1);
+    exit (1);
+}
+
+static void
+read_str (int s, char *str, size_t sz, char *expl)
+{
+    while (sz > 0) {
+	if (net_read (s, str, 1) != 1)
+	    syslog_and_die ("read: %m");
+	if (*str == '\0')
+	    return;
+	--sz;
+	++str;
+    }
+    fatal (s, "%s too long", expl);
+}
+
+static int
+recv_bsd_auth (int s, u_char *buf,
+	       struct sockaddr_in *thisaddr,
+	       struct sockaddr_in *thataddr,
+	       char *client_username,
+	       char *server_username,
+	       char *cmd)
+{
+    struct passwd *pwd;
+
+    read_str (s, client_username, USERNAME_SZ, "local username");
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    read_str (s, cmd, COMMAND_SZ, "command");
+    pwd = getpwnam(server_username);
+    if (pwd == NULL)
+	fatal(s, "Login incorrect.");
+    if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0,
+		 client_username, server_username))
+	fatal(s, "Login incorrect.");
+    return 0;
+}
+
+#ifdef KRB4
+static int
+recv_krb4_auth (int s, u_char *buf,
+		struct sockaddr *thisaddr,
+		struct sockaddr *thataddr,
+		char *client_username,
+		char *server_username,
+		char *cmd)
+{
+    int status;
+    int32_t options;
+    KTEXT_ST ticket;
+    AUTH_DAT auth;
+    char instance[INST_SZ + 1];
+    char version[KRB_SENDAUTH_VLEN + 1];
+
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (net_read (s, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
+	KRB_SENDAUTH_VLEN - 4)
+	syslog_and_die ("reading auth info: %m");
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
+	syslog_and_die("unrecognized auth protocol: %.8s", buf);
+
+    options = KOPT_IGNORE_PROTOCOL;
+    if (do_encrypt)
+	options |= KOPT_DO_MUTUAL;
+    k_getsockinst (s, instance, sizeof(instance));
+    status = krb_recvauth (options,
+			   s,
+			   &ticket,
+			   "rcmd",
+			   instance,
+			   (struct sockaddr_in *)thataddr,
+			   (struct sockaddr_in *)thisaddr,
+			   &auth,
+			   "",
+			   schedule,
+			   version);
+    if (status != KSUCCESS)
+	syslog_and_die ("recvauth: %s", krb_get_err_text(status));
+    if (strncmp (version, KCMD_VERSION, KRB_SENDAUTH_VLEN) != 0)
+	syslog_and_die ("bad version: %s", version);
+
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    if (kuserok (&auth, server_username) != 0)
+	fatal (s, "Permission denied");
+    read_str (s, cmd, COMMAND_SZ, "command");
+
+    syslog(LOG_INFO|LOG_AUTH,
+	   "kerberos v4 shell from %s on %s as %s, cmd '%.80s'",
+	   krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm),
+
+	   inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr),
+	   server_username,
+	   cmd);
+
+    memcpy (iv, auth.session, sizeof(iv));
+
+    return 0;
+}
+
+#endif /* KRB4 */
+
+static int 
+save_krb5_creds (int s,
+                 krb5_auth_context auth_context,
+                 krb5_principal client)
+
+{
+    int ret;
+    krb5_data remote_cred;
+ 
+    krb5_data_zero (&remote_cred);
+    ret= krb5_read_message (context, (void *)&s, &remote_cred);
+    if (ret) {
+	krb5_data_free(&remote_cred);
+	return 0;
+    }
+    if (remote_cred.length == 0)
+	return 0;
+ 
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
+    if (ret) {
+	krb5_data_free(&remote_cred);
+	return 0;
+    }
+  
+    krb5_cc_initialize(context,ccache,client);
+    ret = krb5_rd_cred(context, auth_context, ccache,&remote_cred);
+    krb5_data_free (&remote_cred);
+    if (ret)
+	return 0;
+    return 1;
+}
+
+static void
+krb5_start_session (void)
+{
+    krb5_error_code ret;
+
+    ret = krb5_cc_resolve (context, tkfile, &ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return;
+    }
+
+    ret = krb5_cc_copy_cache (context, ccache, ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return ;
+    }
+
+    krb5_cc_close(context, ccache2);
+    krb5_cc_destroy(context, ccache);
+    return;
+}
+
+static int
+recv_krb5_auth (int s, u_char *buf,
+		struct sockaddr *thisaddr,
+		struct sockaddr *thataddr,
+		char *client_username,
+		char *server_username,
+		char *cmd)
+{
+    u_int32_t len;
+    krb5_auth_context auth_context = NULL;
+    krb5_ticket *ticket;
+    krb5_error_code status;
+    krb5_data cksum_data;
+    krb5_principal server;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return -1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+	
+    if (net_read(s, buf, len) != len)
+	syslog_and_die ("reading auth info: %m");
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
+	syslog_and_die ("bad sendauth version: %.8s", buf);
+    
+    status = krb5_sock_to_principal (context,
+				     s,
+				     "host",
+				     KRB5_NT_SRV_HST,
+				     &server);
+    if (status)
+	syslog_and_die ("krb5_sock_to_principal: %s",
+			krb5_get_err_text(context, status));
+
+    status = krb5_recvauth(context,
+			   &auth_context,
+			   &s,
+			   KCMD_VERSION,
+			   server,
+			   KRB5_RECVAUTH_IGNORE_VERSION,
+			   NULL,
+			   &ticket);
+    krb5_free_principal (context, server);
+    if (status)
+	syslog_and_die ("krb5_recvauth: %s",
+			krb5_get_err_text(context, status));
+
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    read_str (s, cmd, COMMAND_SZ, "command");
+    read_str (s, client_username, COMMAND_SZ, "local username");
+
+    status = krb5_auth_con_getkey (context, auth_context, &keyblock);
+    if (status)
+       syslog_and_die ("krb5_auth_con_getkey: %s",
+                       krb5_get_err_text(context, status));
+
+    status = krb5_crypto_init(context, keyblock, 0, &crypto);
+    if(status)
+	syslog_and_die("krb5_crypto_init: %s", 
+		       krb5_get_err_text(context, status));
+
+    
+    cksum_data.length = asprintf ((char **)&cksum_data.data,
+				  "%u:%s%s",
+				  ntohs(socket_get_port (thisaddr)),
+				  cmd,
+				  server_username);
+
+    status = krb5_verify_authenticator_checksum(context, 
+						auth_context,
+						cksum_data.data, 
+						cksum_data.length);
+
+    if (status)
+	syslog_and_die ("krb5_verify_authenticator_checksum: %s",
+			krb5_get_err_text(context, status));
+
+    free (cksum_data.data);
+
+    if (strncmp (client_username, "-u ", 3) == 0) {
+	do_unique_tkfile = 1;
+	memmove (client_username, client_username + 3,
+		 strlen(client_username) - 2);
+    }
+
+    if (strncmp (client_username, "-U ", 3) == 0) {
+	char *end, *temp_tkfile;
+
+	do_unique_tkfile = 1;
+	if (strncmp (server_username + 3, "FILE:", 5) == 0) {
+	    temp_tkfile = tkfile;
+	} else {
+	    strcpy (tkfile, "FILE:");
+	    temp_tkfile = tkfile + 5;
+	}
+	end = strchr(client_username + 3,' ');
+	strncpy(temp_tkfile, client_username + 3, end - client_username - 3);
+	temp_tkfile[end - client_username - 3] = '\0';
+	memmove (client_username, end +1, strlen(end+1)+1);
+    }
+
+    kerberos_status = save_krb5_creds (s, auth_context, ticket->client);
+
+    if(!krb5_kuserok (context,
+		     ticket->client,
+		     server_username))
+	fatal (s, "Permission denied");
+
+    if (strncmp (cmd, "-x ", 3) == 0) {
+	do_encrypt = 1;
+	memmove (cmd, cmd + 3, strlen(cmd) - 2);
+    } else {
+	do_encrypt = 0;
+    }
+
+    {
+	char *name;
+
+	if (krb5_unparse_name (context, ticket->client, &name) == 0) {
+	    char addr_str[256];
+
+	    if (inet_ntop (thataddr->sa_family,
+			   socket_get_address (thataddr),
+			   addr_str, sizeof(addr_str)) == NULL)
+		strlcpy (addr_str, "unknown address",
+				 sizeof(addr_str));
+
+	    syslog(LOG_INFO|LOG_AUTH,
+		   "kerberos v5 shell from %s on %s as %s, cmd '%.80s'",
+		   name,
+		   addr_str,
+		   server_username,
+		   cmd);
+	    free (name);
+	}
+    }	   
+
+    return 0;
+}
+
+static void
+loop (int from0, int to0,
+      int to1,   int from1,
+      int to2,   int from2)
+{
+    fd_set real_readset;
+    int max_fd;
+    int count = 2;
+
+    FD_ZERO(&real_readset);
+    FD_SET(from0, &real_readset);
+    FD_SET(from1, &real_readset);
+    FD_SET(from2, &real_readset);
+    max_fd = max(from0, max(from1, from2)) + 1;
+    for (;;) {
+	int ret;
+	fd_set readset = real_readset;
+	char buf[RSH_BUFSIZ];
+
+	ret = select (max_fd, &readset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		syslog_and_die ("select: %m");
+	}
+	if (FD_ISSET(from0, &readset)) {
+	    ret = do_read (from0, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from0);
+		close (to0);
+		FD_CLR(from0, &real_readset);
+	    } else
+		net_write (to0, buf, ret);
+	}
+	if (FD_ISSET(from1, &readset)) {
+	    ret = read (from1, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from1);
+		close (to1);
+		FD_CLR(from1, &real_readset);
+		if (--count == 0)
+		    exit (0);
+	    } else
+		do_write (to1, buf, ret);
+	}
+	if (FD_ISSET(from2, &readset)) {
+	    ret = read (from2, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from2);
+		close (to2);
+		FD_CLR(from2, &real_readset);
+		if (--count == 0)
+		    exit (0);
+	    } else
+		do_write (to2, buf, ret);
+	}
+   }
+}
+
+/*
+ * Used by `setup_copier' to create some pipe-like means of
+ * communcation.  Real pipes would probably be the best thing, but
+ * then the shell doesn't understand it's talking to rshd.  If
+ * socketpair doesn't work everywhere, some autoconf magic would have
+ * to be added here.
+ *
+ * If it fails creating the `pipe', it aborts by calling fatal.
+ */
+
+static void
+pipe_a_like (int fd[2])
+{
+    if (socketpair (AF_UNIX, SOCK_STREAM, 0, fd) < 0)
+	fatal (STDOUT_FILENO, "socketpair: %m");
+}
+
+/*
+ * Start a child process and leave the parent copying data to and from it.  */
+
+static void
+setup_copier (void)
+{
+    int p0[2], p1[2], p2[2];
+    pid_t pid;
+
+    pipe_a_like(p0);
+    pipe_a_like(p1);
+    pipe_a_like(p2);
+    pid = fork ();
+    if (pid < 0)
+	fatal (STDOUT_FILENO, "fork: %m");
+    if (pid == 0) { /* child */
+	close (p0[1]);
+	close (p1[0]);
+	close (p2[0]);
+	dup2 (p0[0], STDIN_FILENO);
+	dup2 (p1[1], STDOUT_FILENO);
+	dup2 (p2[1], STDERR_FILENO);
+	close (p0[0]);
+	close (p1[1]);
+	close (p2[1]);
+    } else { /* parent */
+	close (p0[0]);
+	close (p1[1]);
+	close (p2[1]);
+
+	if (net_write (STDOUT_FILENO, "", 1) != 1)
+	    fatal (STDOUT_FILENO, "write failed");
+
+	loop (STDIN_FILENO, p0[1],
+	      STDOUT_FILENO, p1[0],
+	      STDERR_FILENO, p2[0]);
+    }
+}
+
+/*
+ * Is `port' a ``reserverd'' port?
+ */
+
+static int
+is_reserved(u_short port)
+{
+    return ntohs(port) < IPPORT_RESERVED;
+}
+
+/*
+ * Set the necessary part of the environment in `env'.
+ */
+
+static void
+setup_environment (char *env[7], struct passwd *pwd)
+{
+    asprintf (&env[0], "USER=%s",  pwd->pw_name);
+    asprintf (&env[1], "HOME=%s",  pwd->pw_dir);
+    asprintf (&env[2], "SHELL=%s", pwd->pw_shell);
+    asprintf (&env[3], "PATH=%s",  _PATH_DEFPATH);
+    asprintf (&env[4], "SSH_CLIENT=only_to_make_bash_happy");
+    if (do_unique_tkfile)
+       asprintf (&env[5], "KRB5CCNAME=%s", tkfile);
+       else env[5] = NULL;
+    env[6] = NULL;
+}
+
+static void
+doit (int do_kerberos, int check_rhosts)
+{
+    u_char buf[BUFSIZ];
+    u_char *p;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+    struct sockaddr_storage thataddr_ss;
+    struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
+    struct sockaddr_storage erraddr_ss;
+    struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
+    int addrlen;
+    int port;
+    int errsock = -1;
+    char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
+    char cmd[COMMAND_SZ];
+    struct passwd *pwd;
+    int s = STDIN_FILENO;
+    char *env[7];
+
+    addrlen = sizeof(thisaddr_ss);
+    if (getsockname (s, thisaddr, &addrlen) < 0)
+	syslog_and_die("getsockname: %m");
+    addrlen = sizeof(thataddr_ss);
+    if (getpeername (s, thataddr, &addrlen) < 0)
+	syslog_and_die ("getpeername: %m");
+
+    if (!do_kerberos && !is_reserved(socket_get_port(thataddr)))
+	fatal(s, "Permission denied");
+
+    p = buf;
+    port = 0;
+    for(;;) {
+	if (net_read (s, p, 1) != 1)
+	    syslog_and_die ("reading port number: %m");
+	if (*p == '\0')
+	    break;
+	else if (isdigit(*p))
+	    port = port * 10 + *p - '0';
+	else
+	    syslog_and_die ("non-digit in port number: %c", *p);
+    }
+
+    if (!do_kerberos && !is_reserved(htons(port)))
+	fatal(s, "Permission denied");
+
+    if (port) {
+	int priv_port = IPPORT_RESERVED - 1;
+
+	/* 
+	 * There's no reason to require a ``privileged'' port number
+	 * here, but for some reason the brain dead rsh clients
+	 * do... :-(
+	 */
+
+	erraddr->sa_family = thataddr->sa_family;
+	socket_set_address_and_port (erraddr,
+				     socket_get_address (thataddr),
+				     htons(port));
+
+	/*
+	 * we only do reserved port for IPv4
+	 */
+
+	if (erraddr->sa_family == AF_INET)
+	    errsock = rresvport (&priv_port);
+	else
+	    errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
+	if (errsock < 0)
+	    syslog_and_die ("socket: %m");
+	if (connect (errsock,
+		     erraddr,
+		     socket_sockaddr_size (erraddr)) < 0)
+	    syslog_and_die ("connect: %m");
+    }
+    
+    if(do_kerberos) {
+	if (net_read (s, buf, 4) != 4)
+	    syslog_and_die ("reading auth info: %m");
+    
+#ifdef KRB4
+	if (recv_krb4_auth (s, buf, thisaddr, thataddr,
+			    client_user,
+			    server_user,
+			    cmd) == 0)
+	    auth_method = AUTH_KRB4;
+	else
+#endif /* KRB4 */
+	    if(recv_krb5_auth (s, buf, thisaddr, thataddr,
+			       client_user,
+			       server_user,
+			       cmd) == 0)
+		auth_method = AUTH_KRB5;
+	    else
+		syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
+				buf[0], buf[1], buf[2], buf[3]);
+    } else {
+	if(recv_bsd_auth (s, buf,
+			  (struct sockaddr_in *)thisaddr,
+			  (struct sockaddr_in *)thataddr,
+			  client_user,
+			  server_user,
+			  cmd) == 0) {
+	    auth_method = AUTH_BROKEN;
+	    if(do_vacuous) {
+		printf("Remote host requires Kerberos authentication\n");
+		exit(0);
+	    }
+	} else
+	    syslog_and_die("recv_bsd_auth failed");
+    }
+
+    pwd = getpwnam (server_user);
+    if (pwd == NULL)
+	fatal (s, "Login incorrect.");
+
+    if (*pwd->pw_shell == '\0')
+	pwd->pw_shell = _PATH_BSHELL;
+
+    if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
+	fatal (s, "Login disabled.");
+
+#ifdef HAVE_GETSPNAM
+    {
+	struct spwd *sp;
+	long    today;
+    
+	sp = getspnam(server_user);
+	today = time(0)/(24L * 60 * 60);
+	if (sp->sp_expire > 0) 
+	    if (today > sp->sp_expire) 
+		fatal(s, "Account has expired.");
+    }
+#endif
+    
+#ifdef HAVE_SETLOGIN
+    if (setlogin(pwd->pw_name) < 0)
+	syslog(LOG_ERR, "setlogin() failed: %m");
+#endif
+
+#ifdef HAVE_SETPCRED
+    if (setpcred (pwd->pw_name, NULL) == -1)
+	syslog(LOG_ERR, "setpcred() failure: %m");
+#endif /* HAVE_SETPCRED */
+    if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setgid(pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setuid (pwd->pw_uid) < 0)
+	fatal (s, "Login incorrect.");
+
+#ifdef KRB5
+    {
+	int fd;
+ 
+	if (!do_unique_tkfile)
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+	else if (*tkfile=='\0') {
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
+	    fd = mkstemp(tkfile+5);
+	    close(fd);
+	    unlink(tkfile+5);
+	}
+ 
+	if (kerberos_status)
+	    krb5_start_session();
+    }
+#endif
+
+    if (chdir (pwd->pw_dir) < 0)
+	fatal (s, "Remote directory.");
+
+    if (errsock >= 0) {
+	if (dup2 (errsock, STDERR_FILENO) < 0)
+	    fatal (s, "Dup2 failed.");
+	close (errsock);
+    }
+
+    setup_environment (env, pwd);
+
+    if (do_encrypt) {
+	setup_copier ();
+    } else {
+	if (net_write (s, "", 1) != 1)
+	    fatal (s, "write failed");
+    }
+
+#ifdef KRB4
+    if(k_hasafs()) {
+	char cell[64];
+
+	if(do_newpag)
+	    k_setpag();
+	if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
+	    krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
+
+	krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir);
+
+#ifdef KRB5
+	/* XXX */
+       {
+	   krb5_ccache ccache;
+	   krb5_error_code status;
+
+	   status = krb5_cc_resolve (context, tkfile, &ccache);
+	   if (!status) {
+	       krb5_afslog_uid_home(context,ccache,NULL,NULL,
+				    pwd->pw_uid, pwd->pw_dir);
+	       krb5_cc_close (context, ccache);
+	   }
+       }
+#endif /* KRB5 */
+    }
+#endif /* KRB4 */
+    execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env);
+    err(1, "exec %s", pwd->pw_shell);
+}
+
+struct getargs args[] = {
+    { "inetd",		'i',	arg_negative_flag,	&do_inetd,
+      "Not started from inetd" },
+    { "kerberos",	'k',	arg_flag,	&do_kerberos,
+      "Implement kerberised services" },
+    { "encrypt",	'x',	arg_flag,		&do_encrypt,
+      "Implement encrypted service" },
+    { "rhosts",		'l',	arg_flag, &do_rhosts,
+      "Check users .rhosts" },
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "vacuous",	'v',	arg_flag, &do_vacuous,
+      "Don't accept non-kerberised connections" },
+    { NULL,		'P',	arg_negative_flag, &do_newpag,
+      "Don't put process in new PAG" },
+    /* compatibility flag: */
+    { NULL,		'L',	arg_flag, &do_log },
+    { "version",	0, 	arg_flag,		&do_version },
+    { "help",		0, 	arg_flag,		&do_help }
+};
+
+static void
+usage (int ret)
+{
+    if(isatty(STDIN_FILENO))
+	arg_printusage (args,
+			sizeof(args) / sizeof(args[0]),
+			NULL,
+			"");
+    else
+	syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", __progname);
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int port = 0;
+
+    set_progname (argv[0]);
+    roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH);
+
+    if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv,
+	       &optind))
+	usage(1);
+
+    if(do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version(NULL);
+	exit(0);
+    }
+
+#ifdef KRB5
+    krb5_init_context (&context);
+#endif
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		syslog_and_die("Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (do_encrypt)
+	do_kerberos = 1;
+
+    if (!do_inetd) {
+	if (port == 0) {
+	    if (do_kerberos) {
+		if (do_encrypt)
+		    port = krb5_getportbyname (context, "ekshell", "tcp", 545);
+		else
+		    port = krb5_getportbyname (context, "kshell",  "tcp", 544);
+	    } else {
+		port = krb5_getportbyname(context, "shell", "tcp", 514);
+	    }
+	}
+	mini_inetd (port);
+    }
+
+    signal (SIGPIPE, SIG_IGN);
+
+    doit (do_kerberos, do_rhosts);
+    return 0;
+}
diff --git a/crypto/heimdal/appl/su/ChangeLog b/crypto/heimdal/appl/su/ChangeLog
new file mode 100644
index 0000000..030808d
--- /dev/null
+++ b/crypto/heimdal/appl/su/ChangeLog
@@ -0,0 +1,39 @@
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: use LIB_roken
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* su.c (krb5_verify): use krb5_verify_user_lrealm
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* su.c: add support for shadow passwords and rewrite some logic.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* Makefile.am: add libkafs
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): conditionalize `getlogin'
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* su.c (verfiy_krb5): get the name out of the ccache before
+ 	closing it
+
+1999-05-05  Assar Westerlund  <assar@sics.se>
+
+	* su.c: some more error checking
+
+Wed Apr 21 21:04:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* su.c (-f): implement
+
+	* su.c: implement -i
+	(verify_krb5): correct the ownership on the credential cache
+
+Tue Apr 20 13:26:13 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* su.c: don't depend on paths.h
+
diff --git a/crypto/heimdal/appl/su/Makefile.am b/crypto/heimdal/appl/su/Makefile.am
new file mode 100644
index 0000000..b0fe379
--- /dev/null
+++ b/crypto/heimdal/appl/su/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am,v 1.3 1999/10/19 23:00:37 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+noinst_PROGRAMS = su
+#bin_SUIDS = su
+su_SOURCES = su.c
+
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/su/Makefile.in b/crypto/heimdal/appl/su/Makefile.in
new file mode 100644
index 0000000..72b8198
--- /dev/null
+++ b/crypto/heimdal/appl/su/Makefile.in
@@ -0,0 +1,620 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.3 1999/10/19 23:00:37 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = su
+#bin_SUIDS = su
+su_SOURCES = su.c
+
+LDADD = $(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  su$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+su_OBJECTS =  su.$(OBJEXT)
+su_LDADD = $(LDADD)
+@KRB4_TRUE@su_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@su_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+su_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(su_SOURCES)
+OBJECTS = $(su_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/su/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES)
+	@rm -f su$(EXEEXT)
+	$(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/su
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c
new file mode 100644
index 0000000..049a4d7
--- /dev/null
+++ b/crypto/heimdal/appl/su/su.c
@@ -0,0 +1,418 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include <config.h>
+
+RCSID("$Id: su.c,v 1.10 1999/09/28 02:34:17 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <syslog.h>
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+#include <pwd.h>
+
+#include <krb5.h>
+#include <kafs.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <kafs.h>
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/bin:/bin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+int kerberos_flag = 1;
+int csh_f_flag;
+int full_login;
+int env_flag;
+char *kerberos_instance = "root";
+int help_flag;
+int version_flag;
+char *cmd;
+
+struct getargs args[] = {
+    { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
+      "don't use kerberos" },
+    { NULL,	  'f', arg_flag,	  &csh_f_flag,
+      "don't read .cshrc" },
+    { "full",	  'l', arg_flag,          &full_login,
+      "simulate full login" },
+    { NULL,	  'm', arg_flag,          &env_flag,
+      "leave environment unmodified" },
+    { "instance", 'i', arg_string,        &kerberos_instance,
+      "root instance to use" },
+    { "command",  'c', arg_string,        &cmd,
+      "command to execute" },
+    { "help", 	  'h', arg_flag,          &help_flag },
+    { "version",  0,   arg_flag,          &version_flag },
+};
+
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[login [shell arguments]]");
+    exit (ret);
+}
+
+static struct passwd*
+make_info(struct passwd *pwd)
+{
+    struct passwd *info;
+    info = malloc(sizeof(*info));
+    if(info == NULL)
+	return NULL;
+    info->pw_name = strdup(pwd->pw_name);
+    info->pw_passwd = strdup(pwd->pw_passwd);
+    info->pw_uid = pwd->pw_uid;
+    info->pw_gid = pwd->pw_gid;
+    info->pw_dir = strdup(pwd->pw_dir);
+    info->pw_shell = strdup(pwd->pw_shell);
+    if(info->pw_name == NULL || info->pw_passwd == NULL ||
+       info->pw_dir == NULL || info->pw_shell == NULL)
+	return NULL;
+    return info;
+}
+
+#ifdef KRB5
+static krb5_context context;
+static krb5_ccache ccache;
+#endif
+
+static int
+krb5_verify(struct passwd *login_info, struct passwd *su_info,
+	    const char *kerberos_instance)
+{
+#ifdef KRB5
+    krb5_error_code ret;
+    krb5_principal p;
+	
+    ret = krb5_init_context (&context);
+    if (ret) {
+#if 0
+	warnx("krb5_init_context failed: %u", ret);
+#endif
+	return 1;
+    }
+	
+    if (strcmp (su_info->pw_name, "root") == 0)
+	ret = krb5_make_principal(context, &p, NULL, 
+				  login_info->pw_name,
+				  kerberos_instance,
+				  NULL);
+    else
+	ret = krb5_make_principal(context, &p, NULL, 
+				  su_info->pw_name,
+				  NULL);
+    if(ret)
+	return 1;
+	
+    if(su_info->pw_uid != 0 || krb5_kuserok(context, p, su_info->pw_name)) {
+	ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
+	if(ret) {
+#if 1
+	    krb5_warn(context, ret, "krb5_cc_gen_new");
+#endif
+	    return 1;
+	}
+	ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL);
+	if(ret) {
+	    krb5_free_principal (context, p);
+	    krb5_cc_destroy(context, ccache);
+	    switch (ret) {
+	    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+	    case KRB5KRB_AP_ERR_MODIFIED:
+		krb5_warnx(context, "Password incorrect");
+		break;
+	    default :
+		krb5_warn(context, ret, "krb5_verify_user");
+		break;
+	    }
+	    return 1;
+	}
+	return 0;
+    }
+#endif
+    return 1;
+}
+
+#ifdef KRB5
+static int
+krb5_start_session(void)
+{
+    krb5_ccache ccache2;
+    char *cc_name;
+    int ret;
+
+    ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return 1;
+    }
+
+    ret = krb5_cc_copy_cache(context, ccache, ccache2);
+
+    asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
+	     krb5_cc_get_name(context, ccache2));
+    setenv("KRB5CCNAME", cc_name, 1);
+            
+#ifdef KRB4
+    if(k_hasafs()) {
+	if (k_setpag() == 0)
+	    krb5_afslog(context, ccache2, NULL, NULL);
+    }
+#endif
+            
+    krb5_cc_close(context, ccache2);
+    krb5_cc_destroy(context, ccache);
+    return 0;
+}
+#endif
+
+static int
+verify_unix(struct passwd *su)
+{
+    char prompt[128];
+    char pw_buf[1024];
+    char *pw;
+    int r;
+    if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
+	sprintf(prompt, "%s's password: ", su->pw_name);
+	r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
+	if(r != 0)
+	    exit(0);
+	pw = crypt(pw_buf, su->pw_passwd);
+	memset(pw_buf, 0, sizeof(pw_buf));
+	if(strcmp(pw, su->pw_passwd) != 0)
+	    return 1;
+    }
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int i, optind = 0;
+    char *su_user;
+    struct passwd *su_info;
+    char *login_user = NULL;
+    struct passwd *login_info;
+
+    struct passwd *pwd;
+
+    char *shell;
+
+    int ok = 0;
+    int kerberos_error=1;
+
+    set_progname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+
+    for (i=0; i < optind; i++)
+      if (strcmp(argv[i], "-") == 0) {
+	 full_login = 1;
+	 break;
+      }
+	
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if(optind >= argc)
+	su_user = "root";
+    else
+	su_user = argv[optind++];
+
+    pwd = k_getpwnam(su_user);
+    if(pwd == NULL)
+	errx (1, "unknown login %s", su_user);
+    if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
+	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
+	errx (1, "unknown login %s", su_user);
+    }
+    su_info = make_info(pwd);
+    
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+    login_user = getlogin();
+#endif
+    if(login_user == NULL || (pwd = getpwnam(login_user)) == NULL)
+	pwd = getpwuid(getuid());
+    if(pwd == NULL)
+	errx(1, "who are you?");
+    login_info = make_info(pwd);
+    if(env_flag)
+	shell = login_info->pw_shell;
+    else
+	shell = su_info->pw_shell;
+    if(shell == NULL || *shell == '\0')
+	shell = _PATH_BSHELL;
+    
+    if(kerberos_flag && ok == 0 &&
+      (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
+	ok++;
+
+    if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
+	printf("Sorry!\n");
+	exit(1);
+    }
+
+#ifdef HAVE_GETSPNAM
+   {  struct spwd *sp;
+      long    today;
+    
+    sp=getspnam(su_info->pw_name);
+    if (sp==NULL)
+        errx(1,"Have not rights to read shadow passwords!");
+    today = time(0)/(24L * 60 * 60);
+    if (sp->sp_expire > 0) {
+        if (today >= sp->sp_expire) {
+            if (login_info->pw_uid) 
+                errx(1,"Your account has expired.");
+            else
+                 printf("Your account has expired.");
+            }
+            else if (sp->sp_expire - today < 14) 
+                printf("Your account will expire in %d days.\n",
+                   (int)(sp->sp_expire - today));
+    } 
+    if (sp->sp_max > 0) {
+       if (today >= sp->sp_lstchg + sp->sp_max) {
+           if (login_info->pw_uid)    
+               errx(1,"Your password has expired. Choose a new one.");
+           else
+               printf("Your password has expired. Choose a new one.");
+           }
+         else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
+             printf("Your account will expire in %d days.\n",
+                   (int)(sp->sp_lstchg + sp->sp_max -today));
+    }
+    }
+#endif
+    {
+	char *tty = ttyname (STDERR_FILENO);
+	syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s" : "%s to %s on %s",
+		login_info->pw_name, su_info->pw_name, tty);
+    }
+
+
+    if(!env_flag) {
+	if(full_login) {
+	    char *t = getenv ("TERM");
+	    
+	    environ = malloc (10 * sizeof (char *));
+	    if (environ == NULL)
+		err (1, "malloc");
+	    environ[0] = NULL;
+	    setenv ("PATH", _PATH_DEFPATH, 1);
+	    if (t)
+		setenv ("TERM", t, 1);
+	    if (chdir (su_info->pw_dir) < 0)
+		errx (1, "no directory");
+	}
+	if (full_login || su_info->pw_uid)
+	    setenv ("USER", su_info->pw_name, 1);
+	setenv("HOME", su_info->pw_dir, 1);
+	setenv("SHELL", shell, 1);
+    }
+
+    {
+	int i;
+	char **args;
+	char *p;
+
+	p = strrchr(shell, '/');
+	if(p)
+	    p++;
+	else
+	    p = shell;
+
+	if (strcmp(p, "csh") != 0)
+	    csh_f_flag = 0;
+
+        args = malloc(((cmd ? 2 : 0) + 1 + argc - optind + 1 + csh_f_flag) * sizeof(*args));
+	if (args == NULL)
+	    err (1, "malloc");
+	i = 0;
+	if(full_login)
+	    asprintf(&args[i++], "-%s", p);
+	else
+	    args[i++] = p;
+	if (cmd) {
+	   args[i++] = "-c";
+	   args[i++] = cmd;
+	}  
+	   
+	if (csh_f_flag)
+	    args[i++] = "-f";
+
+	for (argv += optind; *argv; ++argv)
+	   args[i++] = *argv;
+	args[i] = NULL;
+	
+	if(setgid(su_info->pw_gid) < 0)
+	    err(1, "setgid");
+	if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
+	    err (1, "initgroups");
+	if(setuid(su_info->pw_uid) < 0)
+	    err(1, "setuid");
+
+#ifdef KRB5
+        if (!kerberos_error)
+           krb5_start_session();
+#endif
+	execv(shell, args);
+    }
+    
+    exit(1);
+}
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
new file mode 100644
index 0000000..b38f16d
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/ChangeLog
@@ -0,0 +1,333 @@
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): only set tos for AF_INET.  From
+	itojun@iijlab.net
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c (kerberos4_is): send a reject back to the
+	client when we're not authorized
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* telnet/ring.h (ring_encrypt): better proto
+	* telnet/ring.c (ring_encrypt): better proto
+
+2000-02-04  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: klduge-around KLUDGELINEMODE
+
+2000-01-18  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/misc.c (auth_encrypt_user): const-ify
+	* libtelnet/misc.h (RemoteHostName, LocalHostName): const-ify
+	* libtelnet/misc.c (auth_encrypt_init, RemoteHostName,
+	LocalHostName): const-ify
+	* libtelnet/misc-proto.h (auth_encrypt_init, auth_encrypt_user):
+	const-ify
+	* libtelnet/encrypt.c (encrypt_init, Name): const-ify
+	* libtelnet/enc-proto.h (encrypt_init): const-ify
+	* libtelnet/auth.c (auth_init, Name): const-ify
+	* libtelnet/auth-proto.h (auth_init): const-ify
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): handle ai_canonname being set in any of
+	the addresses returnedby getaddrinfo.  glibc apparently returns
+	the reverse lookup of every address in ai_canonname.  remove some
+	unused variables.
+
+2000-01-01  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (addarg): make void (return value isn't check
+	anyway).  fatal error when malloc fails
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (*): handle ai_canonname not being set
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): use getnameinfo_verified
+	* telnetd/telnetd.c: use getnameinfo
+	* telnet/commands.c: re-write to using getaddrinfo.  disable
+	source-routing for the moment, it doesn't seem to be used anyways.
+	
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: revert 1.54, get_default_username should DTRT
+ 	now
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/utility.c (ttloop): make it return 1 if interrupted by a
+ 	signal, which must have been what was meant from the beginning
+
+	* telnetd/ext.h (ttloop): update prototype
+
+	* telnetd/authenc.c (telnet_spin): actually return the value from
+ 	ttloop (otherwise it's kind of bogus)
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (rmut): free utxp
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c: add -G and config file support.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* telnetd/sys_term.c (rmut): work around utmpx strangness.  From
+ 	Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): only free hp if != NULL.  From: Jonas
+ 	Oberg <jonas@coyote.org>
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): remove unused variable mapped_sin
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: update prototypes
+	
+	* telnetd/telnetd.c: make it handle v4 and v6 sockets.  (it
+	doesn't handle being given a v6 socket that's really talking to an
+	v4 adress (mapped) because the rest of the code in telnetd is not
+	able to handle it anyway).  please run two telnetd from your
+	inetd, one for v4 and one for v6.
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): extra bogus const-cast
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (start_login): print a different warning with
+ 	`-a otp'
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): set the addresses in the
+ 	auth_context
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* telnet/Makefile.am (INCLUDES): add $(INCLUDE_krb4)
+
+	* telnet/commands.c (togkrbdebug): conditionalize on
+ 	krb_disable_debug
+
+1999-06-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnet/commands.c: add kerberos debugging option
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): use get_default_username
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/state.c (telrcv): magic patch to make it work against
+ 	DOS Clarkson Telnet.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): use
+	`krb5_auth_setkeytype' instead of `krb5_auth_setenctype' to make
+	sure we get a DES session key.
+
+Thu Apr  1 16:59:27 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: don't run check-local
+
+	* telnet/Makefile.am: don't run check-local
+
+Mon Mar 29 16:11:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: _CRAY -> HAVE_STRUCT_UTMP_UT_ID
+
+Sat Mar 20 00:12:54 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/authenc.c (telnet_gets): remove old extern declarations
+
+Thu Mar 18 11:20:16 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: include Makefile.am.common
+
+	* telnet/Makefile.am: include Makefile.am.common
+
+	* libtelnet/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+Mon Mar 15 17:40:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/telnetd.c: replace perror/exit with fatalperror
+
+Sat Mar 13 22:18:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (main): 0 -> STDIN_FILENO.  remove abs
+
+	* libtelnet/kerberos.c (kerberos4_is): syslog root logins
+
+Thu Mar 11 14:48:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.in: add WFLAGS
+
+	* telnet/Makefile.in: add WFLAGS
+
+	* libtelnet/Makefile.in: add WFLAGS
+
+	* telnetd/sys_term.c: remove unused variables
+
+	* telnet/telnet.c: fix some warnings
+
+	* telnet/main.c: fix some warnings
+
+	* telnet/commands.c: fix types in format string
+
+	* libtelnet/auth.c: fix types in format string
+
+Mon Mar  1 10:50:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb  1 04:08:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): only call gethostbyname2 with AF_INET6
+ 	if we actually have IPv6.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Sat Nov 21 16:51:00 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c (cleanup): don't call vhangup() on sgi:s
+
+Fri Aug 14 16:29:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos.c: krb_put_int -> KRB_PUT_INT
+
+Thu Jul 23 20:29:05 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: use krb5_verify_authenticator_checksum
+
+Mon Jul 13 22:00:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): don't advance hostent->h_addr_list, use
+ 	a copy instead
+
+Wed May 27 04:19:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/sys_bsd.c (process_rings): correct call to `stilloob'
+
+Fri May 15 19:38:19 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: Always print errors from mk_req.
+
+Fri May  1 07:16:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: unifdef -DHAVE_H_ERRNO
+
+Sat Apr  4 15:00:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): moved the printing of `trying...' to the
+ 	loop
+
+Thu Mar 12 02:33:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: include <term.h>. From Gregory S. Stark
+ 	<gsstark@mit.edu>
+
+Sat Feb 21 15:12:38 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: add prototype for login_tty
+
+	* telnet/utilities.c (printsub): `direction' is now an int.
+
+	* libtelnet/misc-proto.h: add prototype for `printsub'
+
+Tue Feb 17 02:45:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c (kerberos4_is): cred.pname should be
+ 	cred.pinst.  From <art@stacken.kth.se>
+
+Sun Feb 15 02:46:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/*/*.c: renamed `telnet' to `my_telnet' to avoid
+ 	conflicts with system header files on mklinux.
+
+Tue Feb 10 02:09:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c: new signature for `getterminaltype' and
+ 	`auth_wait'
+
+	* libtelnet: changed the signature of the authentication method
+ 	`status'
+
+Sat Feb  7 07:21:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* */*.c: replace HAS_GETTOS by HAVE_PARSETOS and HAVE_GETTOSBYNAME
+
+Fri Dec 26 16:17:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): repair support for numeric addresses
+
+Sun Dec 21 09:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c: fix up lots of stuff related to the
+ 	forwarding of v4 tickets.
+
+	* libtelnet/kerberos5.c (kerberos5_forward): zero out `creds'.
+
+Mon Dec 15 20:53:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/sys_bsd.c: Don't turn off OPOST in 8bit-mode.
+
+Tue Dec  9 19:26:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c (main): add 'b' to getopt
+
+Sat Nov 29 03:28:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/telnet.c: Change binary mode to do just that, and add a
+ 	eight-bit mode for just passing all characters.
+
+Sun Nov 16 04:37:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): always ask for a session
+ 	key of type DES
+
+	* libtelnet/kerberos5.c: remove old garbage and fix call to
+ 	krb5_auth_con_setaddrs_from_fd
+
+Fri Nov 14 20:35:18 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnetd/telnetd.c: Output contents of /etc/issue.
+
+Mon Nov  3 07:09:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: only include <sys/termio.h> iff
+ 	!defined(HAVE_TERMIOS_H)
+
+	* libtelnet/kerberos.c (kerberos4_is): send the peer address to
+ 	krb_rd_req
+
+	* telnetd/telnetd.c (terminaltypeok): always return OK.  It used
+ 	to call `tgetent' to figure if it was a defined terminal type.
+  	It's possible to overflow tgetent so that's a bad idea.  The worst
+ 	that could happen by saying yes to all terminals is that the user
+ 	ends up with a terminal that has no definition on the local
+ 	system.  And besides, most telnet client has no support for
+ 	falling back to a different terminal type.
+
+Mon Oct 20 05:47:19 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c: remove lots of old junk.  clean-up.
+  	better error checking and reporting.  tell the user permission
+ 	denied much earlier.
+
+	* libtelnet/kerberos.c (kerberos4_is): only print
+ 	UserNameRequested if != NULL
+
diff --git a/crypto/heimdal/appl/telnet/Makefile.am b/crypto/heimdal/appl/telnet/Makefile.am
new file mode 100644
index 0000000..eec013b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = libtelnet telnet telnetd
+
+dist-hook:
+	$(mkinstalldirs) $(distdir)/arpa
+	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
+
+EXTRA_DIST = README.ORIG telnet.state
diff --git a/crypto/heimdal/appl/telnet/Makefile.in b/crypto/heimdal/appl/telnet/Makefile.in
new file mode 100644
index 0000000..5a74558
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = libtelnet telnet telnetd
+
+EXTRA_DIST = README.ORIG telnet.state
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/telnet
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+dist-hook:
+	$(mkinstalldirs) $(distdir)/arpa
+	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/README.ORIG b/crypto/heimdal/appl/telnet/README.ORIG
new file mode 100644
index 0000000..37b588f
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/README.ORIG
@@ -0,0 +1,743 @@
+
+This is a distribution of both client and server telnet.  These programs
+have been compiled on:
+			telnet	telnetd
+	4.4 BSD-Lite	  x	  x
+	4.3 BSD Reno	  X	  X
+	UNICOS 9.1	  X	  X
+	UNICOS 9.0	  X	  X
+	UNICOS 8.0	  X	  X
+	BSDI 2.0	  X	  X
+	Solaris 2.4       x       x (no linemode in server)
+	SunOs 4.1.4	  X	  X (no linemode in server)
+	Ultrix 4.3	  X	  X (no linemode in server)
+	Ultrix 4.1	  X	  X (no linemode in server)
+
+In addition, previous versions have been compiled on the following
+machines, but were not available for testing this version.
+			telnet	telnetd
+	Next1.0		  X	  X
+	UNICOS 8.3	  X	  X
+	UNICOS 7.C	  X	  X
+	UNICOS 7.0	  X	  X
+	SunOs 4.0.3c	  X	  X (no linemode in server)
+	4.3 BSD		  X  	  X (no linemode in server)
+	DYNIX V3.0.12	  X	  X (no linemode in server)
+	Ultrix 3.1	  X	  X (no linemode in server)
+	Ultrix 4.0	  X	  X (no linemode in server)
+	SunOs 3.5	  X	  X (no linemode in server)
+	SunOs 4.1.3	  X	  X (no linemode in server)
+	Solaris 2.2       x       x (no linemode in server)
+	Solaris 2.3       x       x (no linemode in server)
+	BSDI 1.0	  X	  X
+	BSDI 1.1	  X	  X
+	DYNIX V3.0.17.9	  X	  X (no linemode in server)
+	HP-UX 8.0	  x       x (no linemode in server)
+
+This code should work, but there are no guarantees.
+
+May 30, 1995
+
+This release represents what is on the 4.4BSD-Lite2 release, which
+should be the final BSD release.  I will continue to support of
+telnet, The code (without encryption) is available via anonymous ftp
+from ftp.cray.com, in src/telnet/telnet.YY.MM.DD.NE.tar.Z, where
+YY.MM.DD is replaced with the year, month and day of the release.
+If you can't find it at one of these places, at some point in the
+near future information about the latest releases should be available
+from ftp.borman.com.
+
+In addition, the version with the encryption code is available via
+ftp from net-dist.mit.edu, in the directory /pub/telnet.  There
+is a README file there that gives further information on how
+to get the distribution.
+
+Questions, comments, bug reports and bug fixes can be sent to
+one of these addresses:
+		dab@borman.com
+		dab@cray.com
+		dab@bsdi.com
+
+This release is mainly bug fixes and code cleanup.
+
+	Replace all calls to bcopy()/bzero() with calls to
+	memmove()/memset() and all calls to index()/rindex()
+	with calls to strchr()/strrchr().
+
+	Add some missing diagnostics for option tracing
+	to telnetd.
+
+	Add support for BSDI 2.0 and Solaris 2.4.
+
+	Add support for UNICOS 8.0
+
+	Get rid of expanded tabs and trailing white spaces.
+
+	From Paul Vixie:
+		Fix for telnet going into an endless spin
+		when the session dies abnormally.
+
+	From Jef Poskanzer:
+		Changes to allow telnet to compile
+		under SunOS 3.5.
+
+	From Philip Guenther:
+		makeutx() doesn't expand utmpx,
+		use pututxline() instead.
+
+	From Chris Torek:
+		Add a sleep(1) before execing login
+		to avoid race condition that can eat
+		up the login prompt.
+		Use terminal speed directly if it is
+		not an encoded value.
+
+	From Steve Parker:
+		Fix to realloc() call.  Fix for execing
+		login on solaris with no user name.
+
+January 19, 1994
+
+This is a list of some of the changes since the last tar release
+of telnet/telnetd.  There are probably other changes that aren't
+listed here, but this should hit a lot of the main ones.
+
+   General:
+	Changed #define for AUTHENTICATE to AUTHENTICATION
+	Changed #define for ENCRYPT to ENCRYPTION
+	Changed #define for DES_ENCRYPT to DES_ENCRYPTION
+
+	Added support for SPX authentication: -DSPX
+
+	Added support for Kerberos Version 5 authentication: -DKRB5
+
+	Added support for ANSI C function prototypes
+
+	Added support for the NEW-ENVIRON option (RFC-1572)
+	including support for USERVAR.
+
+	Made support for the old Environment Option (RFC-1408)
+	conditional on -DOLD_ENVIRON
+
+	Added #define ENV_HACK - support for RFC 1571
+
+	The encryption code is removed from the public distributions.
+	Domestic 4.4 BSD distributions contain the encryption code.
+
+	ENV_HACK: Code to deal with systems that only implement
+		the old ENVIRON option, and have reversed definitions
+		of ENV_VAR and ENV_VAL.  Also fixes ENV processing in
+		client to handle things besides just the default set...
+
+	NO_BSD_SETJMP: UNICOS configuration for
+		UNICOS 6.1/6.0/5.1/5.0 systems.
+
+	STREAMSPTY: Use /dev/ptmx to get a clean pty.  This
+		is for SVr4 derivatives (Like Solaris)
+
+	UTMPX: For systems that have /etc/utmpx. This is for
+		SVr4 derivatives (Like Solaris)
+
+	Definitions for BSDI 1.0
+
+	Definitions for 4.3 Reno and 4.4 BSD.
+
+	Definitions for UNICOS 8.0 and UNICOS 7.C
+
+	Definitions for Solaris 2.0
+
+	Definitions for HP-UX 8.0
+
+	Latest Copyright notices from Berkeley.
+
+	FLOW-CONTROL: support for RFC-XXXx
+
+
+   Client Specific:
+
+	Fix the "send" command to not send garbage...
+
+	Fix status message for "skiprc"
+
+	Make sure to send NAWS after telnet has been suspended
+	or an external command has been run, if the window size
+	has changed.
+
+	sysV88 support.
+
+   Server Specific:
+
+	Support flowcontrol option in non-linemode servers.
+
+	-k Server supports Kludge Linemode, but will default to
+	   either single character mode or real Linemode support.
+	   The user will have to explicitly ask to switch into
+	   kludge linemode. ("stty extproc", or escape back to
+	   to telnet and say "mode line".)
+
+	-u Specify the length of the hostname field in the utmp
+	   file.  Hostname longer than this length will be put
+	   into the utmp file in dotted decimal notation, rather
+	   than putting in a truncated hostname.
+	
+	-U Registered hosts only.  If a reverse hostname lookup
+	   fails, the connection will be refused.
+
+	-f/-F
+	   Allows forwarding of credentials for KRB5.
+
+Februrary 22, 1991:
+
+    Features:
+
+	This version of telnet/telnetd has support for both
+	the AUTHENTICATION and ENCRYPTION options.  The
+	AUTHENTICATION option is fairly well defined, and
+	an option number has been assigned to it.  The
+	ENCRYPTION option is still in a state of flux; an
+	option number has been assigned to, but it is still
+	subject to change.  The code is provided in this release
+	for experimental and testing purposes.
+
+	The telnet "send" command can now be used to send
+	do/dont/will/wont commands, with any telnet option
+	name.  The rules for when do/dont/will/wont are sent
+	are still followed, so just because the user requests
+	that one of these be sent doesn't mean that it will
+	be sent...
+
+	The telnet "getstatus" command no longer requires
+	that option printing be enabled to see the response
+	to the "DO STATUS" command.
+
+	A -n flag has been added to telnetd to disable
+	keepalives.
+
+	A new telnet command, "auth" has been added (if
+	AUTHENTICATE is defined).  It has four sub-commands,
+	"status", "disable", "enable" and "help".
+
+	A new telnet command, "encrypt" has been added (if
+	ENCRYPT is defined).  It has many sub-commands:
+	"enable", "type", "start", "stop", "input",
+	"-input", "output", "-output", "status", and "help".
+
+	The LOGOUT option is now supported by both telnet
+	and telnetd, a new command, "logout", was added
+	to support this.
+
+	Several new toggle options were added:
+	    "autoencrypt", "autodecrypt", "autologin", "authdebug",
+	    "encdebug", "skiprc", "verbose_encrypt"
+
+	An "rlogin" interface has been added.  If the program
+	is named "rlogin", or the "-r" flag is given, then
+	an rlogin type of interface will be used.
+		~.	Terminates the session
+		~<susp> Suspend the session
+		~^]	Escape to telnet command mode
+		~~	Pass through the ~.
+	    BUG: If you type the rlogin escape character
+		 in the middle of a line while in rlogin
+		 mode, you cannot erase it or any characters
+		 before it.  Hopefully this can be fixed
+		 in a future release...
+
+    General changes:
+
+	A "libtelnet.a" has now been created.  This libraray
+	contains code that is common to both telnet and
+	telnetd.  This is also where library routines that
+	are needed, but are not in the standard C library,
+	are placed.
+
+	The makefiles have been re-done.  All of the site
+	specific configuration information has now been put
+	into a single "Config.generic" file, in the top level
+	directory.  Changing this one file will take care of
+	all three subdirectories.  Also, to add a new/local
+	definition, a "Config.local" file may be created
+	at the top level; if that file exists, the subdirectories
+	will use that file instead of "Config.generic".
+
+	Many 1-2 line functions in commands.c have been
+	removed, and just inserted in-line, or replaced
+	with a macro.
+
+    Bug Fixes:
+
+	The non-termio code in both telnet and telnetd was
+	setting/clearing CTLECH in the sg_flags word.  This
+	was incorrect, and has been changed to set/clear the
+	LCTLECH bit in the local mode word.
+
+	The SRCRT #define has been removed.  If IP_OPTIONS
+	and IPPROTO_IP are defined on the system, then the
+	source route code is automatically enabled.
+
+	The NO_GETTYTAB #define has been removed; there
+	is a compatability routine that can be built into
+	libtelnet to achive the same results.
+
+	The server, telnetd, has been switched to use getopt()
+	for parsing the argument list.
+
+	The code for getting the input/output speeds via
+	cfgetispeed()/cfgetospeed() was still not quite
+	right in telnet.  Posix says if the ispeed is 0,
+	then it is really equal to the ospeed.
+
+	The suboption processing code in telnet now has
+	explicit checks to make sure that we received
+	the entire suboption (telnetd was already doing this).
+
+	The telnet code for processing the terminal type
+	could cause a core dump if an existing connection
+	was closed, and a new connection opened without
+	exiting telnet.
+
+	Telnetd was doing a TCSADRAIN when setting the new
+	terminal settings;  This is not good, because it means
+	that the tcsetattr() will hang waiting for output to
+	drain, and telnetd is the only one that will drain
+	the output...  The fix is to use TCSANOW which does
+	not wait.
+
+	Telnetd was improperly setting/clearing the ISTRIP
+	flag in the c_lflag field, it should be using the
+	c_iflag field. 
+
+	When the child process of telnetd was opening the
+	slave side of the pty, it was re-setting the EXTPROC
+	bit too early, and some of the other initialization
+	code was wiping it out.  This would cause telnetd
+	to go out of linemode and into single character mode.
+
+	One instance of leaving linemode in telnetd forgot
+	to send a WILL ECHO to the client, the net result
+	would be that the user would see double character
+	echo.
+
+	If the MODE was being changed several times very
+	quickly, telnetd could get out of sync with the
+	state changes and the returning acks; and wind up
+	being left in the wrong state.
+
+September 14, 1990:
+
+	Switch the client to use getopt() for parsing the
+	argument list.  The 4.3Reno getopt.c is included for
+	systems that don't have getopt().
+
+	Use the posix _POSIX_VDISABLE value for what value
+	to use when disabling special characters.  If this
+	is undefined, it defaults to 0x3ff.
+
+	For non-termio systems, TIOCSETP was being used to
+	change the state of the terminal.  This causes the
+	input queue to be flushed, which we don't want.  This
+	is now changed to TIOCSETN.
+
+	Take out the "#ifdef notdef" around the code in the
+	server that generates a "sync" when the pty oputput
+	is flushed.  The potential problem is that some older
+	telnet clients may go into an infinate loop when they
+	receive a "sync", if so, the server can be compiled
+	with "NO_URGENT" defined.
+
+	Fix the client where it was setting/clearing the OPOST
+	bit in the c_lflag field, not the c_oflag field.
+
+	Fix the client where it was setting/clearing the ISTRIP
+	bit in the c_lflag field, not the c_iflag field.  (On
+	4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+	The client also had its interpretation of WILL BINARY
+	and DO BINARY reversed.
+
+	Fix a bug in client that would cause a core dump when
+	attempting to remove the last environment variable.
+
+	In the client, there were a few places were switch()
+	was being passed a character, and if it was a negative
+	value, it could get sign extended, and not match
+	the 8 bit case statements.  The fix is to and the
+	switch value with 0xff.
+
+	Add a couple more printoption() calls in the client, I
+	don't think there are any more places were a telnet
+	command can be received and not printed out when
+	"options" is on.
+
+	A new flag has been added to the client, "-a".  Currently,
+	this just causes the USER name to be sent across, in
+	the future this may be used to signify that automatic
+	authentication is requested.
+
+	The USER variable is now only sent by the client if
+	the "-a" or "-l user" options are explicity used, or
+	if the user explicitly asks for the "USER" environment
+	variable to be exported.  In the server, if it receives
+	the "USER" environment variable, it won't print out the
+	banner message, so that only "Password:" will be printed.
+	This makes the symantics more like rlogin, and should be
+	more familiar to the user.  (People are not used to
+	getting a banner message, and then getting just a
+	"Password:" prompt.)
+
+	Re-vamp the code for starting up the child login
+	process.  The code was getting ugly, and it was
+	hard to tell what was really going on.  What we
+	do now is after the fork(), in the child:
+		1) make sure we have no controlling tty
+		2) open and initialize the tty
+		3) do a setsid()/setpgrp()
+		4) makes the tty our controlling tty.
+	On some systems, #2 makes the tty our controlling
+	tty, and #4 is a no-op.  The parent process does
+	a gets rid of any controlling tty after the child
+	is fork()ed.
+
+	Use the strdup() library routine in telnet, instead
+	of the local savestr() routine.  If you don't have
+	strdup(), you need to define NO_STRDUP.
+
+	Add support for ^T (SIGINFO/VSTATUS), found in the
+	4.3Reno distribution.  This maps to the AYT character.
+	You need a 4-line bugfix in the kernel to get this
+	to work properly:
+
+	> *** tty_pty.c.ORG	Tue Sep 11 09:41:53 1990
+	> --- tty_pty.c	Tue Sep 11 17:48:03 1990
+	> ***************
+	> *** 609,613 ****
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data);
+	> 			return(0);
+	> 		}
+	> --- 609,616 ----
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+	> ! 			if ((*(unsigned int *)data == SIGINFO) &&
+	> ! 			    ((tp->t_lflag&NOKERNINFO) == 0))
+	> ! 				ttyinfo(tp);
+	> 			return(0);
+	> 		}
+
+	The client is now smarter when setting the telnet escape
+	character; it only sets it to one of VEOL and VEOL2 if
+	one of them is undefined, and the other one is not already
+	defined to the telnet escape character.
+
+	Handle TERMIOS systems that have seperate input and output
+	line speed settings imbedded in the flags.
+
+	Many other minor bug fixes.
+
+June 20, 1990:
+	Re-organize makefiles and source tree.  The telnet/Source
+	directory is now gone, and all the source that was in
+	telnet/Source is now just in the telnet directory.
+
+	Seperate makefile for each system are now gone.  There
+	are two makefiles, Makefile and Makefile.generic.
+	The "Makefile" has the definitions for the various
+	system, and "Makefile.generic" does all the work.
+	There is a variable called "WHAT" that is used to
+	specify what to make.  For example, in the telnet
+	directory, you might say:
+		make 4.4bsd WHAT=clean
+	to clean out the directory.
+
+	Add support for the ENVIRON and XDISPLOC options.
+	In order for the server to work, login has to have
+	the "-p" option to preserve environment variables.
+
+	Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+	Add the "-l user" option to command line and open command
+	(This is passed through the ENVIRON option).
+
+	Add the "-e" command line option, for setting the escape
+	character.
+
+	Add the "-D", diagnostic, option to the server.  This allows
+	the server to print out debug information, which is very
+	useful when trying to debug a telnet that doesn't have any
+	debugging ability.
+
+	Turn off the literal next character when not in LINEMODE.
+
+	Don't recognize ^Y locally, just pass it through.
+
+	Make minor modifications for Sun4.0 and Sun4.1
+
+	Add support for both FORW1 and FORW2 characters.  The
+	telnet escpape character is set to whichever of the
+	two is not being used.  If both are in use, the escape
+	character is not set, so when in linemode the user will
+	have to follow the escape character with a <CR> or <EOF)
+	to get it passed through.
+
+	Commands can now be put in single and double quotes, and
+	a backslash is now an escape character.  This is needed
+	for allowing arbitrary strings to be assigned to environment
+	variables.
+
+	Switch telnetd to use macros like telnet for keeping
+	track of the state of all the options.
+
+	Fix telnetd's processing of options so that we always do
+	the right processing of the LINEMODE option, regardless
+	of who initiates the request to turn it on.  Also, make
+	sure that if the other side went "WILL ECHO" in response
+	to our "DO ECHO", that we send a "DONT ECHO" to get the
+	option turned back off!
+
+	Fix the TERMIOS setting of the terminal speed to handle both
+	BSD's seperate fields, and the SYSV method of CBAUD bits.
+
+	Change how we deal with the other side refusing to enable
+	an option.  The sequence used to be: send DO option; receive
+	WONT option; send DONT option.  Now, the sequence is: send
+	DO option; receive WONT option.  Both should be valid
+	according to the spec, but there has been at least one
+	client implementation of telnet identified that can get
+	really confused by this.  (The exact sequence, from a trace
+	on the server side, is (numbers are number of responses that
+	we expect to get after that line...):
+
+		send WILL ECHO	1 (initial request)
+		send WONT ECHO	2 (server is changing state)
+		recv DO ECHO	1 (first reply, ok.  expect DONT ECHO next)
+		send WILL ECHO	2 (server changes state again)
+		recv DONT ECHO	1 (second reply, ok.  expect DO ECHO next)
+		recv DONT ECHO	0 (third reply, wrong answer. got DONT!!!)
+	***	send WONT ECHO	  (send WONT to acknowledge the DONT)
+		send WILL ECHO	1 (ask again to enable option)
+		recv DO ECHO	0
+
+		recv DONT ECHO	0
+		send WONT ECHO	1
+		recv DONT ECHO	0
+		recv DO ECHO	1
+		send WILL ECHO	0
+		(and the last 5 lines loop forever)
+
+	The line with the "***" is last of the WILL/DONT/WONT sequence.
+	The change to the server to not generate that makes this same
+	example become:
+
+		send will ECHO	1
+		send wont ECHO	2
+		recv do ECHO	1
+		send will ECHO	2
+		recv dont ECHO	1
+		recv dont ECHO	0
+		recv do ECHO	1
+		send will ECHO	0
+
+	There is other option negotiation going on, and not sending
+	the third part changes some of the timings, but this specific
+	example no longer gets stuck in a loop.  The "telnet.state"
+	file has been modified to reflect this change to the algorithm.
+
+	A bunch of miscellaneous bug fixes and changes to make
+	lint happier.
+
+	This version of telnet also has some KERBEROS stuff in
+	it. This has not been tested, it uses an un-authorized
+	telnet option number, and uses an out-of-date version
+	of the (still being defined) AUTHENTICATION option.
+	There is no support for this code, do not enable it.
+
+
+March 1, 1990:
+CHANGES/BUGFIXES SINCE LAST RELEASE:
+	Some support for IP TOS has been added.  Requires that the
+	kernel support the IP_TOS socket option (currently this
+	is only in UNICOS 6.0).
+
+	Both telnet and telnetd now use the cc_t typedef.  typedefs are
+	included for systems that don't have it (in termios.h).
+
+	SLC_SUSP was not supported properly before.  It is now.
+
+	IAC EOF was not translated  properly in telnetd for SYSV_TERMIO
+	when not in linemode.  It now saves a copy of the VEOF character,
+	so that when ICANON is turned off and we can't trust it anymore
+	(because it is now the VMIN character) we use the saved value.
+
+	There were two missing "break" commands in the linemode
+	processing code in telnetd.
+
+	Telnetd wasn't setting the kernel window size information
+	properly.  It was using the rows for both rows and columns...
+
+Questions/comments go to
+		David Borman
+		Cray Research, Inc.
+		655F Lone Oak Drive
+		Eagan, MN 55123
+		dab@cray.com.
+
+README:	You are reading it.
+
+Config.generic:
+	This file contains all the OS specific definitions.  It
+	has pre-definitions for many common system types, and is
+	in standard makefile fromat.  See the comments at the top
+	of the file for more information.
+
+Config.local:
+	This is not part of the distribution, but if this file exists,
+	it is used instead of "Config.generic".  This allows site
+	specific configuration without having to modify the distributed
+	"Config.generic" file.
+
+kern.diff:
+	This file contains the diffs for the changes needed for the
+	kernel to support LINEMODE is the server.  These changes are
+	for a 4.3BSD system.  You may need to make some changes for
+	your particular system.
+
+	There is a new bit in the terminal state word, TS_EXTPROC.
+	When this bit is set, several aspects of the terminal driver
+	are disabled.  Input line editing, character echo, and
+	mapping of signals are all disabled.  This allows the telnetd
+	to turn of these functions when in linemode, but still keep
+	track of what state the user wants the terminal to be in.
+
+	New ioctl()s:
+
+		TIOCEXT		Turn on/off the TS_EXTPROC bit
+		TIOCGSTATE	Get t_state of tty to look at TS_EXTPROC bit
+		TIOCSIG		Generate a signal to processes in the
+				current process group of the pty.
+
+	There is a new mode for packet driver, the TIOCPKT_IOCTL bit.
+	When packet mode is turned on in the pty, and the TS_EXTPROC
+	bit is set, then whenever the state of the pty is changed, the
+	next read on the master side of the pty will have the TIOCPKT_IOCTL
+	bit set, and the data will contain the following:
+		struct xx {
+			struct sgttyb a;
+			struct tchars b;
+			struct ltchars c;
+			int t_state;
+			int t_flags;
+		}
+	This allows the process on the server side of the pty to know
+	when the state of the terminal has changed, and what the new
+	state is.
+
+	However, if you define USE_TERMIO or SYSV_TERMIO, the code will
+	expect that the structure returned in the TIOCPKT_IOCTL is
+	the termio/termios structure.
+
+stty.diff:
+	This file contains the changes needed for the stty(1) program
+	to report on the current status of the TS_EXTPROC bit.  It also
+	allows the user to turn on/off the TS_EXTPROC bit.  This is useful
+	because it allows the user to say "stty -extproc", and the
+	LINEMODE option will be automatically disabled, and saying "stty
+	extproc" will re-enable the LINEMODE option.
+
+telnet.state:
+	Both the client and server have code in them to deal
+	with option negotiation loops.  The algorithm that is
+	used is described in this file.
+
+telnet:
+	This directory contains the client code.  No kernel changes are
+	needed to use this code.
+
+telnetd:
+	This directory contains the server code.  If LINEMODE or KLUDGELINEMODE
+	are defined, then the kernel modifications listed above are needed.
+
+libtelnet:
+	This directory contains code that is common to both the client
+	and the server.
+
+arpa:
+	This directory has a new <arpa/telnet.h>
+
+libtelnet/Makefile.4.4:
+telnet/Makefile.4.4:
+telnetd/Makefile.4.4:
+	These are the makefiles that can be used on a 4.3Reno
+	system when this software is installed in /usr/src/lib/libtelnet,
+	/usr/src/libexec/telnetd, and /usr/src/usr.bin/telnet.
+
+
+The following TELNET options are supported:
+	
+	LINEMODE:
+		The LINEMODE option is supported as per RFC1116.  The
+		FORWARDMASK option is not currently supported.
+
+	BINARY: The client has the ability to turn on/off the BINARY
+		option in each direction.  Turning on BINARY from
+		server to client causes the LITOUT bit to get set in
+		the terminal driver on both ends,  turning on BINARY
+		from the client to the server causes the PASS8 bit
+		to get set in the terminal driver on both ends.
+
+	TERMINAL-TYPE:
+		This is supported as per RFC1091.  On the server side,
+		when a terminal type is received, termcap/terminfo
+		is consulted to determine if it is a known terminal
+		type.  It keeps requesting terminal types until it
+		gets one that it recongnizes, or hits the end of the
+		list.  The server side looks up the entry in the
+		termcap/terminfo data base, and generates a list of
+		names which it then passes one at a time to each
+		request for a terminal type, duplicating the last
+		entry in the list before cycling back to the beginning.
+
+	NAWS:	The Negotiate about Window Size, as per RFC 1073.
+
+	TERMINAL-SPEED:
+		Implemented as per RFC 1079
+
+	TOGGLE-FLOW-CONTROL:
+		Implemented as per RFC 1080
+
+	TIMING-MARK:
+		As per RFC 860
+
+	SGA:	As per RFC 858
+
+	ECHO:	As per RFC 857
+
+	LOGOUT: As per RFC 727
+
+	STATUS:
+		The server will send its current status upon
+		request.  It does not ask for the clients status.
+		The client will request the servers current status
+		from the "send getstatus" command.
+
+	ENVIRON:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued, but should be in the near future...
+
+	X-DISPLAY-LOCATION:
+		This functionality can be done through the ENVIRON
+		option, it is added here for completeness.
+
+	AUTHENTICATION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The basic framework is pretty much decided,
+		but the definitions for the specific authentication
+		schemes is still in a state of flux.
+
+	ENCRYPTION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The draft RFC is still in a state of flux,
+		so this code may change in the future.
diff --git a/crypto/heimdal/appl/telnet/arpa/telnet.h b/crypto/heimdal/appl/telnet/arpa/telnet.h
new file mode 100644
index 0000000..5d9ef60
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/arpa/telnet.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnet.h	8.2 (Berkeley) 12/15/93
+ */
+
+#ifndef _TELNET_H_
+#define	_TELNET_H_
+
+/*
+ * Definitions for the TELNET protocol.
+ */
+#define	IAC	255		/* interpret as command: */
+#define	DONT	254		/* you are not to use option */
+#define	DO	253		/* please, you use option */
+#define	WONT	252		/* I won't use option */
+#define	WILL	251		/* I will use option */
+#define	SB	250		/* interpret as subnegotiation */
+#define	GA	249		/* you may reverse the line */
+#define	EL	248		/* erase the current line */
+#define	EC	247		/* erase the current character */
+#define	AYT	246		/* are you there */
+#define	AO	245		/* abort output--but let prog finish */
+#define	IP	244		/* interrupt process--permanently */
+#define	BREAK	243		/* break */
+#define	DM	242		/* data mark--for connect. cleaning */
+#define	NOP	241		/* nop */
+#define	SE	240		/* end sub negotiation */
+#define EOR     239             /* end of record (transparent mode) */
+#define	ABORT	238		/* Abort process */
+#define	SUSP	237		/* Suspend process */
+#define	xEOF	236		/* End of file: EOF is already used... */
+
+#define SYNCH	242		/* for telfunc calls */
+
+#ifdef TELCMDS
+char *telcmds[] = {
+	"EOF", "SUSP", "ABORT", "EOR",
+	"SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
+	"EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
+};
+#else
+extern char *telcmds[];
+#endif
+
+#define	TELCMD_FIRST	xEOF
+#define	TELCMD_LAST	IAC
+#define	TELCMD_OK(x)	((unsigned int)(x) <= TELCMD_LAST && \
+			 (unsigned int)(x) >= TELCMD_FIRST)
+#define	TELCMD(x)	telcmds[(x)-TELCMD_FIRST]
+
+/* telnet options */
+#define TELOPT_BINARY	0	/* 8-bit data path */
+#define TELOPT_ECHO	1	/* echo */
+#define	TELOPT_RCP	2	/* prepare to reconnect */
+#define	TELOPT_SGA	3	/* suppress go ahead */
+#define	TELOPT_NAMS	4	/* approximate message size */
+#define	TELOPT_STATUS	5	/* give status */
+#define	TELOPT_TM	6	/* timing mark */
+#define	TELOPT_RCTE	7	/* remote controlled transmission and echo */
+#define TELOPT_NAOL 	8	/* negotiate about output line width */
+#define TELOPT_NAOP 	9	/* negotiate about output page size */
+#define TELOPT_NAOCRD	10	/* negotiate about CR disposition */
+#define TELOPT_NAOHTS	11	/* negotiate about horizontal tabstops */
+#define TELOPT_NAOHTD	12	/* negotiate about horizontal tab disposition */
+#define TELOPT_NAOFFD	13	/* negotiate about formfeed disposition */
+#define TELOPT_NAOVTS	14	/* negotiate about vertical tab stops */
+#define TELOPT_NAOVTD	15	/* negotiate about vertical tab disposition */
+#define TELOPT_NAOLFD	16	/* negotiate about output LF disposition */
+#define TELOPT_XASCII	17	/* extended ascic character set */
+#define	TELOPT_LOGOUT	18	/* force logout */
+#define	TELOPT_BM	19	/* byte macro */
+#define	TELOPT_DET	20	/* data entry terminal */
+#define	TELOPT_SUPDUP	21	/* supdup protocol */
+#define	TELOPT_SUPDUPOUTPUT 22	/* supdup output */
+#define	TELOPT_SNDLOC	23	/* send location */
+#define	TELOPT_TTYPE	24	/* terminal type */
+#define	TELOPT_EOR	25	/* end or record */
+#define	TELOPT_TUID	26	/* TACACS user identification */
+#define	TELOPT_OUTMRK	27	/* output marking */
+#define	TELOPT_TTYLOC	28	/* terminal location number */
+#define	TELOPT_3270REGIME 29	/* 3270 regime */
+#define	TELOPT_X3PAD	30	/* X.3 PAD */
+#define	TELOPT_NAWS	31	/* window size */
+#define	TELOPT_TSPEED	32	/* terminal speed */
+#define	TELOPT_LFLOW	33	/* remote flow control */
+#define TELOPT_LINEMODE	34	/* Linemode option */
+#define TELOPT_XDISPLOC	35	/* X Display Location */
+#define TELOPT_OLD_ENVIRON 36	/* Old - Environment variables */
+#define	TELOPT_AUTHENTICATION 37/* Authenticate */
+#define	TELOPT_ENCRYPT	38	/* Encryption option */
+#define TELOPT_NEW_ENVIRON 39	/* New - Environment variables */
+#define	TELOPT_EXOPL	255	/* extended-options-list */
+
+
+#define	NTELOPTS	(1+TELOPT_NEW_ENVIRON)
+#ifdef TELOPTS
+char *telopts[NTELOPTS+1] = {
+	"BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
+	"STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
+	"NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
+	"NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
+	"DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
+	"SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
+	"TACACS UID", "OUTPUT MARKING", "TTYLOC",
+	"3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
+	"LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
+	"ENCRYPT", "NEW-ENVIRON",
+	0,
+};
+#define	TELOPT_FIRST	TELOPT_BINARY
+#define	TELOPT_LAST	TELOPT_NEW_ENVIRON
+#define	TELOPT_OK(x)	((unsigned int)(x) <= TELOPT_LAST)
+#define	TELOPT(x)	telopts[(x)-TELOPT_FIRST]
+#endif
+
+/* sub-option qualifiers */
+#define	TELQUAL_IS	0	/* option is... */
+#define	TELQUAL_SEND	1	/* send option */
+#define	TELQUAL_INFO	2	/* ENVIRON: informational version of IS */
+#define	TELQUAL_REPLY	2	/* AUTHENTICATION: client version of IS */
+#define	TELQUAL_NAME	3	/* AUTHENTICATION: client version of IS */
+
+#define	LFLOW_OFF		0	/* Disable remote flow control */
+#define	LFLOW_ON		1	/* Enable remote flow control */
+#define	LFLOW_RESTART_ANY	2	/* Restart output on any char */
+#define	LFLOW_RESTART_XON	3	/* Restart output only on XON */
+
+/*
+ * LINEMODE suboptions
+ */
+
+#define	LM_MODE		1
+#define	LM_FORWARDMASK	2
+#define	LM_SLC		3
+
+#define	MODE_EDIT	0x01
+#define	MODE_TRAPSIG	0x02
+#define	MODE_ACK	0x04
+#define MODE_SOFT_TAB	0x08
+#define MODE_LIT_ECHO	0x10
+
+#define	MODE_MASK	0x1f
+
+/* Not part of protocol, but needed to simplify things... */
+#define MODE_FLOW		0x0100
+#define MODE_ECHO		0x0200
+#define MODE_INBIN		0x0400
+#define MODE_OUTBIN		0x0800
+#define MODE_FORCE		0x1000
+
+#define	SLC_SYNCH	1
+#define	SLC_BRK		2
+#define	SLC_IP		3
+#define	SLC_AO		4
+#define	SLC_AYT		5
+#define	SLC_EOR		6
+#define	SLC_ABORT	7
+#define	SLC_EOF		8
+#define	SLC_SUSP	9
+#define	SLC_EC		10
+#define	SLC_EL		11
+#define	SLC_EW		12
+#define	SLC_RP		13
+#define	SLC_LNEXT	14
+#define	SLC_XON		15
+#define	SLC_XOFF	16
+#define	SLC_FORW1	17
+#define	SLC_FORW2	18
+
+#define	NSLC		18
+
+/*
+ * For backwards compatability, we define SLC_NAMES to be the
+ * list of names if SLC_NAMES is not defined.
+ */
+#define	SLC_NAMELIST	"0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
+			"ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
+			"LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0,
+#ifdef	SLC_NAMES
+char *slc_names[] = {
+	SLC_NAMELIST
+};
+#else
+extern char *slc_names[];
+#define	SLC_NAMES SLC_NAMELIST
+#endif
+
+#define	SLC_NAME_OK(x)	((unsigned int)(x) <= NSLC)
+#define SLC_NAME(x)	slc_names[x]
+
+#define	SLC_NOSUPPORT	0
+#define	SLC_CANTCHANGE	1
+#define	SLC_VARIABLE	2
+#define	SLC_DEFAULT	3
+#define	SLC_LEVELBITS	0x03
+
+#define	SLC_FUNC	0
+#define	SLC_FLAGS	1
+#define	SLC_VALUE	2
+
+#define	SLC_ACK		0x80
+#define	SLC_FLUSHIN	0x40
+#define	SLC_FLUSHOUT	0x20
+
+#define	OLD_ENV_VAR	1
+#define	OLD_ENV_VALUE	0
+#define	NEW_ENV_VAR	0
+#define	NEW_ENV_VALUE	1
+#define	ENV_ESC		2
+#define ENV_USERVAR	3
+
+/*
+ * AUTHENTICATION suboptions
+ */
+
+/*
+ * Who is authenticating who ...
+ */
+#define	AUTH_WHO_CLIENT		0	/* Client authenticating server */
+#define	AUTH_WHO_SERVER		1	/* Server authenticating client */
+#define	AUTH_WHO_MASK		1
+
+/*
+ * amount of authentication done
+ */
+#define	AUTH_HOW_ONE_WAY	0
+#define	AUTH_HOW_MUTUAL		2
+#define	AUTH_HOW_MASK		2
+
+#define	AUTHTYPE_NULL		0
+#define	AUTHTYPE_KERBEROS_V4	1
+#define	AUTHTYPE_KERBEROS_V5	2
+#define	AUTHTYPE_SPX		3
+#define	AUTHTYPE_MINK		4
+#define	AUTHTYPE_SRA		5
+#define	AUTHTYPE_CNT		6
+/* #define	AUTHTYPE_UNSECURE 6 */
+
+#define	AUTHTYPE_TEST		99
+
+#ifdef	AUTH_NAMES
+char *authtype_names[] = {
+	"NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK",
+	"SRA", 0,
+};
+#else
+extern char *authtype_names[];
+#endif
+
+#define	AUTHTYPE_NAME_OK(x)	((unsigned int)(x) < AUTHTYPE_CNT)
+#define	AUTHTYPE_NAME(x)	authtype_names[x]
+
+/*
+ * ENCRYPTion suboptions
+ */
+#define	ENCRYPT_IS		0	/* I pick encryption type ... */
+#define	ENCRYPT_SUPPORT		1	/* I support encryption types ... */
+#define	ENCRYPT_REPLY		2	/* Initial setup response */
+#define	ENCRYPT_START		3	/* Am starting to send encrypted */
+#define	ENCRYPT_END		4	/* Am ending encrypted */
+#define	ENCRYPT_REQSTART	5	/* Request you start encrypting */
+#define	ENCRYPT_REQEND		6	/* Request you send encrypting */
+#define	ENCRYPT_ENC_KEYID	7
+#define	ENCRYPT_DEC_KEYID	8
+#define	ENCRYPT_CNT		9
+
+#define	ENCTYPE_ANY		0
+#define	ENCTYPE_DES_CFB64	1
+#define	ENCTYPE_DES_OFB64	2
+#define	ENCTYPE_CNT		3
+
+#ifdef	ENCRYPT_NAMES
+char *encrypt_names[] = {
+	"IS", "SUPPORT", "REPLY", "START", "END",
+	"REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
+	0,
+};
+char *enctype_names[] = {
+	"ANY", "DES_CFB64",  "DES_OFB64",  0,
+};
+#else
+extern char *encrypt_names[];
+extern char *enctype_names[];
+#endif
+
+
+#define	ENCRYPT_NAME_OK(x)	((unsigned int)(x) < ENCRYPT_CNT)
+#define	ENCRYPT_NAME(x)		encrypt_names[x]
+
+#define	ENCTYPE_NAME_OK(x)	((unsigned int)(x) < ENCTYPE_CNT)
+#define	ENCTYPE_NAME(x)		enctype_names[x]
+
+#endif /* !_TELNET_H_ */
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.am b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
new file mode 100644
index 0000000..8806f88
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+noinst_LIBRARIES = libtelnet.a
+
+libtelnet_a_SOURCES = \
+	auth-proto.h	\
+	auth.c		\
+	auth.h		\
+	enc-proto.h	\
+	enc_des.c	\
+	encrypt.c	\
+	encrypt.h	\
+	genget.c	\
+	kerberos.c	\
+	kerberos5.c	\
+	misc-proto.h	\
+	misc.c		\
+	misc.h
+
+EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
new file mode 100644
index 0000000..f38a68d
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
@@ -0,0 +1,615 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_LIBRARIES = libtelnet.a
+
+libtelnet_a_SOURCES =  	auth-proto.h		auth.c			auth.h			enc-proto.h		enc_des.c		encrypt.c		encrypt.h		genget.c		kerberos.c		kerberos5.c		misc-proto.h		misc.c			misc.h
+
+
+EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(noinst_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libtelnet_a_LIBADD = 
+libtelnet_a_OBJECTS =  auth.$(OBJEXT) enc_des.$(OBJEXT) \
+encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \
+kerberos5.$(OBJEXT) misc.$(OBJEXT)
+AR = ar
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libtelnet_a_SOURCES)
+OBJECTS = $(libtelnet_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/libtelnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLIBRARIES:
+
+clean-noinstLIBRARIES:
+	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+
+distclean-noinstLIBRARIES:
+
+maintainer-clean-noinstLIBRARIES:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libtelnet.a: $(libtelnet_a_OBJECTS) $(libtelnet_a_DEPENDENCIES)
+	-rm -f libtelnet.a
+	$(AR) cru libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD)
+	$(RANLIB) libtelnet.a
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/telnet/libtelnet
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLIBRARIES distclean-noinstLIBRARIES \
+clean-noinstLIBRARIES maintainer-clean-noinstLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
new file mode 100644
index 0000000..51fdf6a
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
@@ -0,0 +1,122 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth-proto.h,v 1.10 2000/01/18 03:08:55 assar Exp $ */
+
+#ifdef AUTHENTICATION
+Authenticator *findauthenticator (int, int);
+
+int auth_wait (char *, size_t);
+void auth_disable_name (char *);
+void auth_finished (Authenticator *, int);
+void auth_gen_printsub (unsigned char *, int, unsigned char *, int);
+void auth_init (const char *, int);
+void auth_is (unsigned char *, int);
+void auth_name(unsigned char*, int);
+void auth_reply (unsigned char *, int);
+void auth_request (void);
+void auth_send (unsigned char *, int);
+void auth_send_retry (void);
+void auth_printsub(unsigned char*, int, unsigned char*, int);
+int getauthmask(char *type, int *maskp);
+int auth_enable(char *type);
+int auth_disable(char *type);
+int auth_onoff(char *type, int on);
+int auth_togdebug(int on);
+int auth_status(void);
+int auth_sendname(unsigned char *cp, int len);
+void auth_debug(int mode);
+void auth_gen_printsub(unsigned char *data, int cnt,
+		       unsigned char *buf, int buflen);
+
+#ifdef UNSAFE
+int unsafe_init (Authenticator *, int);
+int unsafe_send (Authenticator *);
+void unsafe_is (Authenticator *, unsigned char *, int);
+void unsafe_reply (Authenticator *, unsigned char *, int);
+int unsafe_status (Authenticator *, char *, int);
+void unsafe_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef SRA
+int sra_init (Authenticator *, int);
+int sra_send (Authenticator *);
+void sra_is (Authenticator *, unsigned char *, int);
+void sra_reply (Authenticator *, unsigned char *, int);
+int sra_status (Authenticator *, char *, int);
+void sra_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef	KRB4
+int kerberos4_init (Authenticator *, int);
+int kerberos4_send_mutual (Authenticator *);
+int kerberos4_send_oneway (Authenticator *);
+void kerberos4_is (Authenticator *, unsigned char *, int);
+void kerberos4_reply (Authenticator *, unsigned char *, int);
+int kerberos4_status (Authenticator *, char *, size_t, int);
+void kerberos4_printsub (unsigned char *, int, unsigned char *, int);
+int kerberos4_forward(Authenticator *ap, void *);
+#endif
+
+#ifdef	KRB5
+int kerberos5_init (Authenticator *, int);
+int kerberos5_send_mutual (Authenticator *);
+int kerberos5_send_oneway (Authenticator *);
+void kerberos5_is (Authenticator *, unsigned char *, int);
+void kerberos5_reply (Authenticator *, unsigned char *, int);
+int kerberos5_status (Authenticator *, char *, size_t, int);
+void kerberos5_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.c b/crypto/heimdal/appl/telnet/libtelnet/auth.c
new file mode 100644
index 0000000..d791128
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.c
@@ -0,0 +1,657 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: auth.c,v 1.23 2000/01/18 03:09:34 assar Exp $");
+
+#if	defined(AUTHENTICATION)
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <signal.h>
+#define	AUTH_NAMES
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc-proto.h"
+#include "auth-proto.h"
+
+#define	typemask(x)		(1<<((x)-1))
+
+#ifdef	KRB4_ENCPWD
+extern krb4encpwd_init();
+extern krb4encpwd_send();
+extern krb4encpwd_is();
+extern krb4encpwd_reply();
+extern krb4encpwd_status();
+extern krb4encpwd_printsub();
+#endif
+
+#ifdef	RSA_ENCPWD
+extern rsaencpwd_init();
+extern rsaencpwd_send();
+extern rsaencpwd_is();
+extern rsaencpwd_reply();
+extern rsaencpwd_status();
+extern rsaencpwd_printsub();
+#endif
+
+int auth_debug_mode = 0;
+static 	const	char	*Name = "Noname";
+static	int	Server = 0;
+static	Authenticator	*authenticated = 0;
+static	int	authenticating = 0;
+static	int	validuser = 0;
+static	unsigned char	_auth_send_data[256];
+static	unsigned char	*auth_send_data;
+static	int	auth_send_cnt = 0;
+
+/*
+ * Authentication types supported.  Plese note that these are stored
+ * in priority order, i.e. try the first one first.
+ */
+Authenticator authenticators[] = {
+#ifdef UNSAFE
+    { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      unsafe_init,
+      unsafe_send,
+      unsafe_is,
+      unsafe_reply,
+      unsafe_status,
+      unsafe_printsub },
+#endif
+#ifdef SRA
+    { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      sra_init,
+      sra_send,
+      sra_is,
+      sra_reply,
+      sra_status,
+      sra_printsub },
+#endif
+#ifdef	SPX
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+#endif
+#ifdef	KRB5
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos5_init,
+      kerberos5_send_mutual,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos5_init,
+      kerberos5_send_oneway,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+#endif
+#ifdef	KRB4
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos4_init,
+      kerberos4_send_mutual,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos4_init,
+      kerberos4_send_oneway,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+#endif
+#ifdef	KRB4_ENCPWD
+    { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      krb4encpwd_init,
+      krb4encpwd_send,
+      krb4encpwd_is,
+      krb4encpwd_reply,
+      krb4encpwd_status,
+      krb4encpwd_printsub },
+#endif
+#ifdef	RSA_ENCPWD
+    { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      rsaencpwd_init,
+      rsaencpwd_send,
+      rsaencpwd_is,
+      rsaencpwd_reply,
+      rsaencpwd_status,
+      rsaencpwd_printsub },
+#endif
+    { 0, },
+};
+
+static Authenticator NoAuth = { 0 };
+
+static int	i_support = 0;
+static int	i_wont_support = 0;
+
+Authenticator *
+findauthenticator(int type, int way)
+{
+    Authenticator *ap = authenticators;
+
+    while (ap->type && (ap->type != type || ap->way != way))
+	++ap;
+    return(ap->type ? ap : 0);
+}
+
+void
+auth_init(const char *name, int server)
+{
+    Authenticator *ap = authenticators;
+
+    Server = server;
+    Name = name;
+
+    i_support = 0;
+    authenticated = 0;
+    authenticating = 0;
+    while (ap->type) {
+	if (!ap->init || (*ap->init)(ap, server)) {
+	    i_support |= typemask(ap->type);
+	    if (auth_debug_mode)
+		printf(">>>%s: I support auth type %d %d\r\n",
+		       Name,
+		       ap->type, ap->way);
+	}
+	else if (auth_debug_mode)
+	    printf(">>>%s: Init failed: auth type %d %d\r\n",
+		   Name, ap->type, ap->way);
+	++ap;
+    }
+}
+
+void
+auth_disable_name(char *name)
+{
+    int x;
+    for (x = 0; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
+	    i_wont_support |= typemask(x);
+	    break;
+	}
+    }
+}
+
+int
+getauthmask(char *type, int *maskp)
+{
+    int x;
+
+    if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
+	*maskp = -1;
+	return(1);
+    }
+
+    for (x = 1; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
+	    *maskp = typemask(x);
+	    return(1);
+	}
+    }
+    return(0);
+}
+
+int
+auth_enable(char *type)
+{
+    return(auth_onoff(type, 1));
+}
+
+int
+auth_disable(char *type)
+{
+    return(auth_onoff(type, 0));
+}
+
+int
+auth_onoff(char *type, int on)
+{
+    int i, mask = -1;
+    Authenticator *ap;
+
+    if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+	printf("auth %s 'type'\n", on ? "enable" : "disable");
+	printf("Where 'type' is one of:\n");
+	printf("\t%s\n", AUTHTYPE_NAME(0));
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+	    if ((mask & (i = typemask(ap->type))) != 0)
+		continue;
+	    mask |= i;
+	    printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+	}
+	return(0);
+    }
+
+    if (!getauthmask(type, &mask)) {
+	printf("%s: invalid authentication type\n", type);
+	return(0);
+    }
+    if (on)
+	i_wont_support &= ~mask;
+    else
+	i_wont_support |= mask;
+    return(1);
+}
+
+int
+auth_togdebug(int on)
+{
+    if (on < 0)
+	auth_debug_mode ^= 1;
+    else
+	auth_debug_mode = on;
+    printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+auth_status(void)
+{
+    Authenticator *ap;
+    int i, mask;
+
+    if (i_wont_support == -1)
+	printf("Authentication disabled\n");
+    else
+	printf("Authentication enabled\n");
+
+    mask = 0;
+    for (ap = authenticators; ap->type; ap++) {
+	if ((mask & (i = typemask(ap->type))) != 0)
+	    continue;
+	mask |= i;
+	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+	       (i_wont_support & typemask(ap->type)) ?
+	       "disabled" : "enabled");
+    }
+    return(1);
+}
+
+/*
+ * This routine is called by the server to start authentication
+ * negotiation.
+ */
+void
+auth_request(void)
+{
+    static unsigned char str_request[64] = { IAC, SB,
+					     TELOPT_AUTHENTICATION,
+					     TELQUAL_SEND, };
+    Authenticator *ap = authenticators;
+    unsigned char *e = str_request + 4;
+
+    if (!authenticating) {
+	authenticating = 1;
+	while (ap->type) {
+	    if (i_support & ~i_wont_support & typemask(ap->type)) {
+		if (auth_debug_mode) {
+		    printf(">>>%s: Sending type %d %d\r\n",
+			   Name, ap->type, ap->way);
+		}
+		*e++ = ap->type;
+		*e++ = ap->way;
+	    }
+	    ++ap;
+	}
+	*e++ = IAC;
+	*e++ = SE;
+	telnet_net_write(str_request, e - str_request);
+	printsub('>', &str_request[2], e - str_request - 2);
+    }
+}
+
+/*
+ * This is called when an AUTH SEND is received.
+ * It should never arrive on the server side (as only the server can
+ * send an AUTH SEND).
+ * You should probably respond to it if you can...
+ *
+ * If you want to respond to the types out of order (i.e. even
+ * if he sends  LOGIN KERBEROS and you support both, you respond
+ * with KERBEROS instead of LOGIN (which is against what the
+ * protocol says)) you will have to hack this code...
+ */
+void
+auth_send(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_IS, AUTHTYPE_NULL, 0,
+					IAC, SE };
+    if (Server) {
+	if (auth_debug_mode) {
+	    printf(">>>%s: auth_send called!\r\n", Name);
+	}
+	return;
+    }
+
+    if (auth_debug_mode) {
+	printf(">>>%s: auth_send got:", Name);
+	printd(data, cnt); printf("\r\n");
+    }
+
+    /*
+     * Save the data, if it is new, so that we can continue looking
+     * at it if the authorization we try doesn't work
+     */
+    if (data < _auth_send_data ||
+	data > _auth_send_data + sizeof(_auth_send_data)) {
+	auth_send_cnt = cnt > sizeof(_auth_send_data)
+	    ? sizeof(_auth_send_data)
+	    : cnt;
+	memmove(_auth_send_data, data, auth_send_cnt);
+	auth_send_data = _auth_send_data;
+    } else {
+	/*
+	 * This is probably a no-op, but we just make sure
+	 */
+	auth_send_data = data;
+	auth_send_cnt = cnt;
+    }
+    while ((auth_send_cnt -= 2) >= 0) {
+	if (auth_debug_mode)
+	    printf(">>>%s: He supports %d\r\n",
+		   Name, *auth_send_data);
+	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+	    ap = findauthenticator(auth_send_data[0],
+				   auth_send_data[1]);
+	    if (ap && ap->send) {
+		if (auth_debug_mode)
+		    printf(">>>%s: Trying %d %d\r\n",
+			   Name, auth_send_data[0],
+			   auth_send_data[1]);
+		if ((*ap->send)(ap)) {
+		    /*
+		     * Okay, we found one we like
+		     * and did it.
+		     * we can go home now.
+		     */
+		    if (auth_debug_mode)
+			printf(">>>%s: Using type %d\r\n",
+			       Name, *auth_send_data);
+		    auth_send_data += 2;
+		    return;
+		}
+	    }
+	    /* else
+	     *	just continue on and look for the
+	     *	next one if we didn't do anything.
+	     */
+	}
+	auth_send_data += 2;
+    }
+    telnet_net_write(str_none, sizeof(str_none));
+    printsub('>', &str_none[2], sizeof(str_none) - 2);
+    if (auth_debug_mode)
+	printf(">>>%s: Sent failure message\r\n", Name);
+    auth_finished(0, AUTH_REJECT);
+#ifdef KANNAN
+    /*
+     *  We requested strong authentication, however no mechanisms worked.
+     *  Therefore, exit on client end.
+     */
+    printf("Unable to securely authenticate user ... exit\n");
+    exit(0);
+#endif /* KANNAN */
+}
+
+void
+auth_send_retry(void)
+{
+    /*
+     * if auth_send_cnt <= 0 then auth_send will end up rejecting
+     * the authentication and informing the other side of this.
+	 */
+    auth_send(auth_send_data, auth_send_cnt);
+}
+
+void
+auth_is(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if (data[0] == AUTHTYPE_NULL) {
+	auth_finished(0, AUTH_REJECT);
+	return;
+    }
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->is)
+	    (*ap->is)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in IS: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_reply(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->reply)
+	    (*ap->reply)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_name(unsigned char *data, int cnt)
+{
+    char savename[256];
+
+    if (cnt < 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Empty name in NAME\r\n", Name);
+	return;
+    }
+    if (cnt > sizeof(savename) - 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
+		   Name, cnt, (unsigned long)(sizeof(savename)-1));
+	return;
+    }
+    memmove(savename, data, cnt);
+    savename[cnt] = '\0';	/* Null terminate */
+    if (auth_debug_mode)
+	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+    auth_encrypt_user(savename);
+}
+
+int
+auth_sendname(unsigned char *cp, int len)
+{
+    static unsigned char str_request[256+6]
+	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+    unsigned char *e = str_request + 4;
+    unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+    while (--len >= 0) {
+	if ((*e++ = *cp++) == IAC)
+	    *e++ = IAC;
+	if (e >= ee)
+	    return(0);
+    }
+    *e++ = IAC;
+    *e++ = SE;
+    telnet_net_write(str_request, e - str_request);
+    printsub('>', &str_request[2], e - &str_request[2]);
+    return(1);
+}
+
+void
+auth_finished(Authenticator *ap, int result)
+{
+    if (!(authenticated = ap))
+	authenticated = &NoAuth;
+    validuser = result;
+}
+
+/* ARGSUSED */
+static void
+auth_intr(int sig)
+{
+    auth_finished(0, AUTH_REJECT);
+}
+
+int
+auth_wait(char *name, size_t name_sz)
+{
+    if (auth_debug_mode)
+	printf(">>>%s: in auth_wait.\r\n", Name);
+
+    if (Server && !authenticating)
+	return(0);
+
+    signal(SIGALRM, auth_intr);
+    alarm(30);
+    while (!authenticated)
+	if (telnet_spin())
+	    break;
+    alarm(0);
+    signal(SIGALRM, SIG_DFL);
+
+    /*
+     * Now check to see if the user is valid or not
+     */
+    if (!authenticated || authenticated == &NoAuth)
+	return(AUTH_REJECT);
+
+    if (validuser == AUTH_VALID)
+	validuser = AUTH_USER;
+
+    if (authenticated->status)
+	validuser = (*authenticated->status)(authenticated,
+					     name, name_sz,
+					     validuser);
+    return(validuser);
+}
+
+void
+auth_debug(int mode)
+{
+    auth_debug_mode = mode;
+}
+
+void
+auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Authenticator *ap;
+
+    if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+	(*ap->printsub)(data, cnt, buf, buflen);
+    else
+	auth_gen_printsub(data, cnt, buf, buflen);
+}
+
+void
+auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    unsigned char *cp;
+    unsigned char tbuf[16];
+
+    cnt -= 3;
+    data += 3;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.h b/crypto/heimdal/appl/telnet/libtelnet/auth.h
new file mode 100644
index 0000000..83dd701
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.h
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
+
+#ifndef	__AUTH__
+#define	__AUTH__
+
+#define	AUTH_REJECT	0	/* Rejected */
+#define	AUTH_UNKNOWN	1	/* We don't know who he is, but he's okay */
+#define	AUTH_OTHER	2	/* We know him, but not his name */
+#define	AUTH_USER	3	/* We know he name */
+#define	AUTH_VALID	4	/* We know him, and he needs no password */
+
+typedef struct XauthP {
+	int	type;
+	int	way;
+	int	(*init) (struct XauthP *, int);
+	int	(*send) (struct XauthP *);
+	void	(*is) (struct XauthP *, unsigned char *, int);
+	void	(*reply) (struct XauthP *, unsigned char *, int);
+	int	(*status) (struct XauthP *, char *, size_t, int);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Authenticator;
+
+#include "auth-proto.h"
+
+extern int auth_debug_mode;
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
new file mode 100644
index 0000000..d32b096
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
@@ -0,0 +1,132 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)enc-proto.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)enc-proto.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: enc-proto.h,v 1.10 2000/01/18 03:09:56 assar Exp $ */
+
+#if	defined(ENCRYPTION)
+Encryptions *findencryption (int);
+Encryptions *finddecryption(int);
+int EncryptAutoDec(int);
+int EncryptAutoEnc(int);
+int EncryptDebug(int);
+int EncryptDisable(char*, char*);
+int EncryptEnable(char*, char*);
+int EncryptStart(char*);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStatus(void);
+int EncryptStop(char*);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+int EncryptType(char*, char*);
+int EncryptVerbose(int);
+void decrypt_auto(int);
+void encrypt_auto(int);
+void encrypt_debug(int);
+void encrypt_dec_keyid(unsigned char*, int);
+void encrypt_display(void);
+void encrypt_enc_keyid(unsigned char*, int);
+void encrypt_end(void);
+void encrypt_gen_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_init(const char*, int);
+void encrypt_is(unsigned char*, int);
+void encrypt_list_types(void);
+void encrypt_not(void);
+void encrypt_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_reply(unsigned char*, int);
+void encrypt_request_end(void);
+void encrypt_request_start(unsigned char*, int);
+void encrypt_send_end(void);
+void encrypt_send_keyid(int, unsigned char*, int, int);
+void encrypt_send_request_end(void);
+void encrypt_send_request_start(void);
+void encrypt_send_support(void);
+void encrypt_session_key(Session_Key*, int);
+void encrypt_start(unsigned char*, int);
+void encrypt_start_output(int);
+void encrypt_support(unsigned char*, int);
+void encrypt_verbose_quiet(int);
+void encrypt_wait(void);
+int encrypt_delay(void);
+
+#ifdef	TELENTD
+void encrypt_wait (void);
+#else
+void encrypt_display (void);
+#endif
+
+void cfb64_encrypt (unsigned char *, int);
+int cfb64_decrypt (int);
+void cfb64_init (int);
+int cfb64_start (int, int);
+int cfb64_is (unsigned char *, int);
+int cfb64_reply (unsigned char *, int);
+void cfb64_session (Session_Key *, int);
+int cfb64_keyid (int, unsigned char *, int *);
+void cfb64_printsub (unsigned char *, int, unsigned char *, int);
+
+void ofb64_encrypt (unsigned char *, int);
+int ofb64_decrypt (int);
+void ofb64_init (int);
+int ofb64_start (int, int);
+int ofb64_is (unsigned char *, int);
+int ofb64_reply (unsigned char *, int);
+void ofb64_session (Session_Key *, int);
+int ofb64_keyid (int, unsigned char *, int *);
+void ofb64_printsub (unsigned char *, int, unsigned char *, int);
+
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
new file mode 100644
index 0000000..a24bfa7
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
@@ -0,0 +1,671 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $");
+
+#if	defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#include <string.h>
+#endif
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "misc-proto.h"
+
+#include <des.h>
+
+extern int encrypt_debug_mode;
+
+#define	CFB	0
+#define	OFB	1
+
+#define	NO_SEND_IV	1
+#define	NO_RECV_IV	2
+#define	NO_KEYID	4
+#define	IN_PROGRESS	(NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define	SUCCESS		0
+#define	FAILED		-1
+
+
+struct stinfo {
+  des_cblock	str_output;
+  des_cblock	str_feed;
+  des_cblock	str_iv;
+  des_cblock	str_ikey;
+  des_key_schedule str_sched;
+  int		str_index;
+  int		str_flagshift;
+};
+
+struct fb {
+	des_cblock krbdes_key;
+	des_key_schedule krbdes_sched;
+	des_cblock temp_feed;
+	unsigned char fb_feed[64];
+	int need_start;
+	int state[2];
+	int keyid[2];
+	int once;
+	struct stinfo streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+	char	*keyid;
+	int	keyidlen;
+	char	*key;
+	int	keylen;
+	int	flags;
+} keyidlist [] = {
+	{ "\0", 1, 0, 0, 0 },		/* default key of zero */
+	{ 0, 0, 0, 0, 0 }
+};
+
+#define	KEYFLAG_MASK	03
+
+#define	KEYFLAG_NOINIT	00
+#define	KEYFLAG_INIT	01
+#define	KEYFLAG_OK	02
+#define	KEYFLAG_BAD	03
+
+#define	KEYFLAG_SHIFT	2
+
+#define	SHIFT_VAL(a,b)	(KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define	FB64_IV		1
+#define	FB64_IV_OK	2
+#define	FB64_IV_BAD	3
+
+
+void fb64_stream_iv (des_cblock, struct stinfo *);
+void fb64_init (struct fb *);
+static int fb64_start (struct fb *, int, int);
+int fb64_is (unsigned char *, int, struct fb *);
+int fb64_reply (unsigned char *, int, struct fb *);
+static void fb64_session (Session_Key *, int, struct fb *);
+void fb64_stream_key (des_cblock, struct stinfo *);
+int fb64_keyid (int, unsigned char *, int *, struct fb *);
+
+void cfb64_init(int server)
+{
+	fb64_init(&fb[CFB]);
+	fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+
+void ofb64_init(int server)
+{
+	fb64_init(&fb[OFB]);
+	fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+void fb64_init(struct fb *fbp)
+{
+	memset(fbp,0, sizeof(*fbp));
+	fbp->state[0] = fbp->state[1] = FAILED;
+	fbp->fb_feed[0] = IAC;
+	fbp->fb_feed[1] = SB;
+	fbp->fb_feed[2] = TELOPT_ENCRYPT;
+	fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ *	 2: Not yet.  Other things (like getting the key from
+ *	    Kerberos) have to happen before we can continue.
+ */
+int cfb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[CFB], dir, server));
+}
+
+int ofb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[OFB], dir, server));
+}
+
+static int fb64_start(struct fb *fbp, int dir, int server)
+{
+	int x;
+	unsigned char *p;
+	int state;
+
+	switch (dir) {
+	case DIR_DECRYPT:
+		/*
+		 * This is simply a request to have the other side
+		 * start output (our input).  He will negotiate an
+		 * IV so we need not look for it.
+		 */
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		break;
+
+	case DIR_ENCRYPT:
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		else if ((state & NO_SEND_IV) == 0) {
+			break;
+		}
+
+		if (!VALIDKEY(fbp->krbdes_key)) {
+		        fbp->need_start = 1;
+			break;
+		}
+
+		state &= ~NO_SEND_IV;
+		state |= NO_RECV_IV;
+		if (encrypt_debug_mode)
+			printf("Creating new feed\r\n");
+		/*
+		 * Create a random feed and send it over.
+		 */
+#ifndef OLD_DES_RANDOM_KEY
+		des_new_random_key(&fbp->temp_feed);
+#else
+		/*
+		 * From des_cryp.man "If the des_check_key flag is non-zero,
+		 *  des_set_key will check that the key passed is
+		 *  of odd parity and is not a week or semi-weak key."
+		 */
+		do {
+			des_random_key(fbp->temp_feed);
+			des_set_odd_parity(fbp->temp_feed);
+		} while (des_is_weak_key(fbp->temp_feed));
+#endif
+		des_ecb_encrypt(&fbp->temp_feed,
+				&fbp->temp_feed,
+				fbp->krbdes_sched, 1);
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_IS;
+		p++;
+		*p++ = FB64_IV;
+		for (x = 0; x < sizeof(des_cblock); ++x) {
+			if ((*p++ = fbp->temp_feed[x]) == IAC)
+				*p++ = IAC;
+		}
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+		break;
+	default:
+		return(FAILED);
+	}
+	return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[CFB]));
+}
+
+int ofb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
+{
+	unsigned char *p;
+	int state = fbp->state[DIR_DECRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV:
+		if (cnt != sizeof(des_cblock)) {
+			if (encrypt_debug_mode)
+				printf("CFB64: initial vector failed on size\r\n");
+			state = FAILED;
+			goto failure;
+		}
+
+		if (encrypt_debug_mode)
+			printf("CFB64: initial vector received\r\n");
+
+		if (encrypt_debug_mode)
+			printf("Initializing Decrypt stream\r\n");
+
+		fb64_stream_iv(data, &fbp->streams[DIR_DECRYPT-1]);
+
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_OK;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", *(data-1));
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		/*
+		 * We failed.  Send an FB64_IV_BAD option
+		 * to the other side so it will know that
+		 * things failed.
+		 */
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_BAD;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		break;
+	}
+	return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[CFB]));
+}
+
+int ofb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
+{
+	int state = fbp->state[DIR_ENCRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV_OK:
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		state &= ~NO_RECV_IV;
+		encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+		break;
+
+	case FB64_IV_BAD:
+		memset(fbp->temp_feed, 0, sizeof(des_cblock));
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		state = FAILED;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", data[-1]);
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		state = FAILED;
+		break;
+	}
+	return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+void cfb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[CFB]);
+}
+
+void ofb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[OFB]);
+}
+
+static void fb64_session(Session_Key *key, int server, struct fb *fbp)
+{
+
+	if (!key || key->type != SK_DES) {
+		if (encrypt_debug_mode)
+			printf("Can't set krbdes's session key (%d != %d)\r\n",
+				key ? key->type : -1, SK_DES);
+		return;
+	}
+	memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
+
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+	if (fbp->once == 0) {
+#ifndef OLD_DES_RANDOM_KEY
+		des_init_random_number_generator(&fbp->krbdes_key);
+#endif
+		fbp->once = 1;
+	}
+	des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
+	/*
+	 * Now look to see if krbdes_start() was was waiting for
+	 * the key to show up.  If so, go ahead an call it now
+	 * that we have the key.
+	 */
+	if (fbp->need_start) {
+		fbp->need_start = 0;
+		fb64_start(fbp, DIR_ENCRYPT, server);
+	}
+}
+
+/*
+ * We only accept a keyid of 0.  If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+
+int cfb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+int ofb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+int fb64_keyid(int dir, unsigned char *kp, int *lenp, struct fb *fbp)
+{
+	int state = fbp->state[dir-1];
+
+	if (*lenp != 1 || (*kp != '\0')) {
+		*lenp = 0;
+		return(state);
+	}
+
+	if (state == FAILED)
+		state = IN_PROGRESS;
+
+	state &= ~NO_KEYID;
+
+	return(fbp->state[dir-1] = state);
+}
+
+void fb64_printsub(unsigned char *data, int cnt, 
+		   unsigned char *buf, int buflen, char *type)
+{
+	char lbuf[32];
+	int i;
+	char *cp;
+
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
+	buflen -= 1;
+
+	switch(data[2]) {
+	case FB64_IV:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_OK:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_BAD:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
+		cp = lbuf;
+		goto common;
+
+	default:
+		snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
+		cp = lbuf;
+	common:
+		for (; (buflen > 0) && (*buf = *cp++); buf++)
+			buflen--;
+		for (i = 3; i < cnt; i++) {
+			snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+			for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+				buflen--;
+		}
+		break;
+	}
+}
+
+void cfb64_printsub(unsigned char *data, int cnt, 
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+void ofb64_printsub(unsigned char *data, int cnt,
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
+{
+
+	memcpy(stp->str_iv, seed,sizeof(des_cblock));
+	memcpy(stp->str_output, seed, sizeof(des_cblock));
+
+	des_key_sched(&stp->str_ikey, stp->str_sched);
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+void fb64_stream_key(des_cblock key, struct stinfo *stp)
+{
+	memcpy(stp->str_ikey, key, sizeof(des_cblock));
+	des_key_sched((des_cblock*)key, stp->str_sched);
+
+	memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ *     key --->+-----+
+ *          +->| DES |--+
+ *          |  +-----+  |
+ *	    |           v
+ *  INPUT --(--------->(+)+---> DATA
+ *          |             |
+ *	    +-------------+
+ *         
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	On = Dn ^ Vn
+ *	V(n+1) = DES(On, key)
+ */
+
+void cfb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+
+		/* On encryption, we store (feed ^ data) which is cypher */
+		*s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+		s++;
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int cfb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	/* On decryption we store (data) which is cypher. */
+	stp->str_output[index] = data;
+	return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ *	+->| DES |--+
+ *	|  +-----+  |
+ *	+-----------+
+ *	            v
+ *  INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	V(n+1) = DES(Vn, key)
+ *	On = Dn ^ Vn
+ */
+
+void ofb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+		*s++ ^= stp->str_feed[index];
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int ofb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	return(data ^ stp->str_feed[index]);
+}
+#endif
+
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.c b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
new file mode 100644
index 0000000..b6d26ab
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
@@ -0,0 +1,995 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include <config.h>
+
+RCSID("$Id: encrypt.c,v 1.22 2000/01/18 03:10:35 assar Exp $");
+
+#if	defined(ENCRYPTION)
+
+#define	ENCRYPT_NAMES
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void	(*encrypt_output) (unsigned char *, int);
+int	(*decrypt_input) (int);
+char	*nclearto;
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static const char *Name = "Noname";
+
+#define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_wont_support_encrypt = 0;
+     static long i_wont_support_decrypt = 0;
+#define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
+#define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
+
+     static long remote_supports_encrypt = 0;
+     static long remote_supports_decrypt = 0;
+
+     static Encryptions encryptions[] = {
+#if	defined(DES_ENCRYPTION)
+	 { "DES_CFB64",	ENCTYPE_DES_CFB64,
+	   cfb64_encrypt,	
+	   cfb64_decrypt,
+	   cfb64_init,
+	   cfb64_start,
+	   cfb64_is,
+	   cfb64_reply,
+	   cfb64_session,
+	   cfb64_keyid,
+	   cfb64_printsub },
+	 { "DES_OFB64",	ENCTYPE_DES_OFB64,
+	   ofb64_encrypt,	
+	   ofb64_decrypt,
+	   ofb64_init,
+	   ofb64_start,
+	   ofb64_is,
+	   ofb64_reply,
+	   ofb64_session,
+	   ofb64_keyid,
+	   ofb64_printsub },
+#endif
+	 { 0, },
+     };
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+				      ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+Encryptions *
+findencryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+Encryptions *
+finddecryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+#define	MAXKEYLEN 64
+
+static struct key_info {
+    unsigned char keyid[MAXKEYLEN];
+    int keylen;
+    int dir;
+    int *modep;
+    Encryptions *(*getcrypt)();
+} ki[2] = {
+    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+void
+encrypt_init(const char *name, int server)
+{
+    Encryptions *ep = encryptions;
+
+    Name = name;
+    Server = server;
+    i_support_encrypt = i_support_decrypt = 0;
+    remote_supports_encrypt = remote_supports_decrypt = 0;
+    encrypt_mode = 0;
+    decrypt_mode = 0;
+    encrypt_output = 0;
+    decrypt_input = 0;
+#ifdef notdef
+    encrypt_verbose = !server;
+#endif
+
+    str_suplen = 4;
+
+    while (ep->type) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: I will support %s\r\n",
+		   Name, ENCTYPE_NAME(ep->type));
+	i_support_encrypt |= typemask(ep->type);
+	i_support_decrypt |= typemask(ep->type);
+	if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+	    if ((str_send[str_suplen++] = ep->type) == IAC)
+		str_send[str_suplen++] = IAC;
+	if (ep->init)
+	    (*ep->init)(Server);
+	++ep;
+    }
+    str_send[str_suplen++] = IAC;
+    str_send[str_suplen++] = SE;
+}
+
+void
+encrypt_list_types(void)
+{
+    Encryptions *ep = encryptions;
+
+    printf("Valid encryption types:\n");
+    while (ep->type) {
+	printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+	++ep;
+    }
+}
+
+int
+EncryptEnable(char *type, char *mode)
+{
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt enable <type> [input|output]\n");
+	encrypt_list_types();
+	return(0);
+    }
+    if (EncryptType(type, mode))
+	return(EncryptStart(mode));
+    return(0);
+}
+
+int
+EncryptDisable(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt disable <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+	    if (decrypt_mode == ep->type)
+		EncryptStopInput();
+	    i_wont_support_decrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || (isprefix(mode, "output"))) {
+	    if (encrypt_mode == ep->type)
+		EncryptStopOutput();
+	    i_wont_support_encrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptType(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt type <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || isprefix(mode, "input")) {
+	    decrypt_mode = ep->type;
+	    i_wont_support_decrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || isprefix(mode, "output")) {
+	    encrypt_mode = ep->type;
+	    i_wont_support_encrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptStart(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStartInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStartOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt start [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStartInput();
+    ret += EncryptStartOutput();
+    return(ret);
+}
+
+int
+EncryptStartInput(void)
+{
+    if (decrypt_mode) {
+	encrypt_send_request_start();
+	return(1);
+    }
+    printf("No previous decryption mode, decryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStartOutput(void)
+{
+    if (encrypt_mode) {
+	encrypt_start_output(encrypt_mode);
+	return(1);
+    }
+    printf("No previous encryption mode, encryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStop(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStopInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStopOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt stop [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStopInput();
+    ret += EncryptStopOutput();
+    return(ret);
+}
+
+int
+EncryptStopInput(void)
+{
+    encrypt_send_request_end();
+    return(1);
+}
+
+int
+EncryptStopOutput(void)
+{
+    encrypt_send_end();
+    return(1);
+}
+
+void
+encrypt_display(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input)
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    else
+	printf("Currently not decrypting input\r\n");
+}
+
+int
+EncryptStatus(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else if (encrypt_mode) {
+	printf("Currently output is clear text.\r\n");
+	printf("Last encryption mode was %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    } else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input) {
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else if (decrypt_mode) {
+	printf("Currently input is clear text.\r\n");
+	printf("Last decryption mode was %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else
+	printf("Currently not decrypting input\r\n");
+
+    return 1;
+}
+
+void
+encrypt_send_support(void)
+{
+    if (str_suplen) {
+	/*
+	 * If the user has requested that decryption start
+	 * immediatly, then send a "REQUEST START" before
+	 * we negotiate the type.
+	 */
+	if (!Server && autodecrypt)
+	    encrypt_send_request_start();
+	telnet_net_write(str_send, str_suplen);
+	printsub('>', &str_send[2], str_suplen - 2);
+	str_suplen = 0;
+    }
+}
+
+int
+EncryptDebug(int on)
+{
+    if (on < 0)
+	encrypt_debug_mode ^= 1;
+    else
+	encrypt_debug_mode = on;
+    printf("Encryption debugging %s\r\n",
+	   encrypt_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+/* turn on verbose encryption, but dont keep telling the whole world
+ */
+void encrypt_verbose_quiet(int on)
+{
+    if(on < 0)
+	encrypt_verbose ^= 1;
+    else
+	encrypt_verbose = on ? 1 : 0;
+}
+
+int
+EncryptVerbose(int on)
+{
+    encrypt_verbose_quiet(on);
+    printf("Encryption %s verbose\r\n",
+	   encrypt_verbose ? "is" : "is not");
+    return(1);
+}
+
+int
+EncryptAutoEnc(int on)
+{
+    encrypt_auto(on);
+    printf("Automatic encryption of output is %s\r\n",
+	   autoencrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+EncryptAutoDec(int on)
+{
+    decrypt_auto(on);
+    printf("Automatic decryption of input is %s\r\n",
+	   autodecrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+/* Called when we receive a WONT or a DONT ENCRYPT after we sent a DO
+   encrypt */
+void
+encrypt_not(void)
+{
+    if (encrypt_verbose)
+  	printf("[ Connection is NOT encrypted ]\r\n");
+    else
+  	printf("\r\n*** Connection not encrypted! "
+	       "Communication may be eavesdropped. ***\r\n");
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+void
+encrypt_support(unsigned char *typelist, int cnt)
+{
+    int type, use_type = 0;
+    Encryptions *ep;
+
+    /*
+     * Forget anything the other side has previously told us.
+     */
+    remote_supports_decrypt = 0;
+
+    while (cnt-- > 0) {
+	type = *typelist++;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: He is supporting %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME(type), type);
+	if ((type < ENCTYPE_CNT) &&
+	    (I_SUPPORT_ENCRYPT & typemask(type))) {
+	    remote_supports_decrypt |= typemask(type);
+	    if (use_type == 0)
+		use_type = type;
+	}
+    }
+    if (use_type) {
+	ep = findencryption(use_type);
+	if (!ep)
+	    return;
+	type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: (*ep->start)() returned %d\r\n",
+		   Name, type);
+	if (type < 0)
+	    return;
+	encrypt_mode = use_type;
+	if (type == 0)
+	    encrypt_start_output(use_type);
+    }
+}
+
+void
+encrypt_is(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int type, ret;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (type < ENCTYPE_CNT)
+	remote_supports_encrypt |= typemask(type);
+    if (!(ep = finddecryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->is) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->is)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (ret < 0) {
+	autodecrypt = 0;
+    } else {
+	decrypt_mode = type;
+	if (ret == 0 && autodecrypt)
+	    encrypt_send_request_start();
+    }
+}
+
+void
+encrypt_reply(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int ret, type;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->reply) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->reply)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+		   data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (encrypt_debug_mode)
+	printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+    if (ret < 0) {
+	autoencrypt = 0;
+    } else {
+	encrypt_mode = type;
+	if (ret == 0 && autoencrypt)
+	    encrypt_start_output(type);
+    }
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+void
+encrypt_start(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+
+    if (!decrypt_mode) {
+	/*
+	 * Something is wrong.  We should not get a START
+	 * command without having already picked our
+	 * decryption scheme.  Send a REQUEST-END to
+	 * attempt to clear the channel...
+	 */
+	printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+	encrypt_send_request_end();
+	return;
+    }
+
+    if ((ep = finddecryption(decrypt_mode))) {
+	decrypt_input = ep->input;
+	if (encrypt_verbose)
+	    printf("[ Input is now decrypted with type %s ]\r\n",
+		   ENCTYPE_NAME(decrypt_mode));
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Start to decrypt input with type %s\r\n",
+		   Name, ENCTYPE_NAME(decrypt_mode));
+    } else {
+	printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+	       Name,
+	       ENCTYPE_NAME_OK(decrypt_mode)
+	       ? ENCTYPE_NAME(decrypt_mode)
+	       : "(unknown)",
+	       decrypt_mode);
+	encrypt_send_request_end();
+    }
+}
+
+void
+encrypt_session_key(Session_Key *key, int server)
+{
+    Encryptions *ep = encryptions;
+
+    havesessionkey = 1;
+
+    while (ep->type) {
+	if (ep->session)
+	    (*ep->session)(key, server);
+	++ep;
+    }
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+void
+encrypt_end(void)
+{
+    decrypt_input = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Input is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+void
+encrypt_request_end(void)
+{
+    encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received.  If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can. 
+ */
+void
+encrypt_request_start(unsigned char *data, int cnt)
+{
+    if (encrypt_mode == 0)  {
+	if (Server)
+	    autoencrypt = 1;
+	return;
+    }
+    encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+static void
+encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
+{
+    Encryptions *ep;
+    int dir = kp->dir;
+    int ret = 0;
+
+    if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+	if (len == 0)
+	    return;
+	kp->keylen = 0;
+    } else if (len == 0) {
+	/*
+	 * Empty option, indicates a failure.
+	 */
+	if (kp->keylen == 0)
+	    return;
+	kp->keylen = 0;
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
+	/*
+	 * Length or contents are different
+	 */
+	kp->keylen = len;
+	memcpy(kp->keyid,keyid, len);
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+    } else {
+	if (ep->keyid)
+	    ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+	if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+	    encrypt_start_output(*kp->modep);
+	return;
+    }
+
+    encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+void encrypt_enc_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[1], keyid, len);
+}
+
+void encrypt_dec_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[0], keyid, len);
+}
+
+
+void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit)
+{
+    unsigned char *strp;
+
+    str_keyid[3] = (dir == DIR_ENCRYPT)
+	? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+    if (saveit) {
+	struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+	memcpy(kp->keyid,keyid, keylen);
+	kp->keylen = keylen;
+    }
+
+    for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+	if ((*strp++ = *keyid++) == IAC)
+	    *strp++ = IAC;
+    }
+    *strp++ = IAC;
+    *strp++ = SE;
+    telnet_net_write(str_keyid, strp - str_keyid);
+    printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+void
+encrypt_auto(int on)
+{
+    if (on < 0)
+	autoencrypt ^= 1;
+    else
+	autoencrypt = on ? 1 : 0;
+}
+
+void
+decrypt_auto(int on)
+{
+    if (on < 0)
+	autodecrypt ^= 1;
+    else
+	autodecrypt = on ? 1 : 0;
+}
+
+void
+encrypt_start_output(int type)
+{
+    Encryptions *ep;
+    unsigned char *p;
+    int i;
+
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	}
+	return;
+    }
+    if (ep->start) {
+	i = (*ep->start)(DIR_ENCRYPT, Server);
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+		   Name, 
+		   (i < 0) ? "failed" :
+		   "initial negotiation in progress",
+		   i, ENCTYPE_NAME(type));
+	}
+	if (i)
+	    return;
+    }
+    p = str_start + 3;
+    *p++ = ENCRYPT_START;
+    for (i = 0; i < ki[0].keylen; ++i) {
+	if ((*p++ = ki[0].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    net_encrypt();
+    printsub('>', &str_start[2], p - &str_start[2]);
+    /*
+     * If we are already encrypting in some mode, then
+     * encrypt the ring (which includes our request) in
+     * the old mode, mark it all as "clear text" and then
+     * switch to the new mode.
+     */
+    encrypt_output = ep->output;
+    encrypt_mode = type;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Started to encrypt output with type %s\r\n",
+	       Name, ENCTYPE_NAME(type));
+    if (encrypt_verbose)
+	printf("[ Output is now encrypted with type %s ]\r\n",
+	       ENCTYPE_NAME(type));
+}
+
+void
+encrypt_send_end(void)
+{
+    if (!encrypt_output)
+	return;
+
+    str_end[3] = ENCRYPT_END;
+    telnet_net_write(str_end, sizeof(str_end));
+    net_encrypt();
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+    /*
+     * Encrypt the output buffer now because it will not be done by
+     * netflush...
+     */
+    encrypt_output = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Output is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Output is now clear text ]\r\n");
+}
+
+void
+encrypt_send_request_start(void)
+{
+    unsigned char *p;
+    int i;
+
+    p = &str_start[3];
+    *p++ = ENCRYPT_REQSTART;
+    for (i = 0; i < ki[1].keylen; ++i) {
+	if ((*p++ = ki[1].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    printsub('>', &str_start[2], p - &str_start[2]);
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+void
+encrypt_send_request_end(void)
+{
+    str_end[3] = ENCRYPT_REQEND;
+    telnet_net_write(str_end, sizeof(str_end));
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+
+void encrypt_wait(void)
+{
+    if (encrypt_debug_mode)
+	printf(">>>%s: in encrypt_wait\r\n", Name);
+    if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+	return;
+    while (autoencrypt && !encrypt_output)
+	if (telnet_spin())
+	    return;
+}
+
+int
+encrypt_delay(void)
+{
+    if(!havesessionkey ||
+       (I_SUPPORT_ENCRYPT & remote_supports_decrypt) == 0 ||
+       (I_SUPPORT_DECRYPT & remote_supports_encrypt) == 0)
+	return 0;
+    if(!(encrypt_output && decrypt_input))
+	return 1;
+    return 0;
+}
+
+void
+encrypt_debug(int mode)
+{
+    encrypt_debug_mode = mode;
+}
+
+void encrypt_gen_printsub(unsigned char *data, int cnt, 
+			  unsigned char *buf, int buflen)
+{
+    char tbuf[16], *cp;
+
+    cnt -= 2;
+    data += 2;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+
+void
+encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Encryptions *ep;
+    int type = data[1];
+
+    for (ep = encryptions; ep->type && ep->type != type; ep++)
+	;
+
+    if (ep->printsub)
+	(*ep->printsub)(data, cnt, buf, buflen);
+    else
+	encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
new file mode 100644
index 0000000..5919db5
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
@@ -0,0 +1,98 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)encrypt.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)encrypt.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: encrypt.h,v 1.4 1997/01/24 23:10:56 assar Exp $ */
+
+#ifndef	__ENCRYPT__
+#define	__ENCRYPT__
+
+#define	DIR_DECRYPT		1
+#define	DIR_ENCRYPT		2
+
+#define	VALIDKEY(key)	( key[0] | key[1] | key[2] | key[3] | \
+			  key[4] | key[5] | key[6] | key[7])
+
+#define	SAMEKEY(k1, k2)	(!memcmp(k1, k2, sizeof(des_cblock)))
+
+typedef	struct {
+	short		type;
+	int		length;
+	unsigned char	*data;
+} Session_Key;
+
+typedef struct {
+	char	*name;
+	int	type;
+	void	(*output) (unsigned char *, int);
+	int	(*input) (int);
+	void	(*init) (int);
+	int	(*start) (int, int);
+	int	(*is) (unsigned char *, int);
+	int	(*reply) (unsigned char *, int);
+	void	(*session) (Session_Key *, int);
+	int	(*keyid) (int, unsigned char *, int *);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Encryptions;
+
+#define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) (int);
+extern void (*encrypt_output) (unsigned char *, int);
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/genget.c b/crypto/heimdal/appl/telnet/libtelnet/genget.c
new file mode 100644
index 0000000..c17a7bd
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/genget.c
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+#include "misc-proto.h"
+
+RCSID("$Id: genget.c,v 1.6 1997/05/04 09:01:34 assar Exp $");
+
+#include <ctype.h>
+
+#define	LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+
+int
+isprefix(char *s1, char *s2)
+{
+    char *os1;
+    char c1, c2;
+
+    if (*s1 == '\0')
+	return(-1);
+    os1 = s1;
+    c1 = *s1;
+    c2 = *s2;
+    while (LOWER(c1) == LOWER(c2)) {
+	if (c1 == '\0')
+	    break;
+	c1 = *++s1;
+	c2 = *++s2;
+    }
+    return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+}
+
+static char *ambiguous;		/* special return value for command routines */
+
+char **
+genget(char *name, char **table, int stlen)
+     /* name to match */
+     /* name entry in table */
+	   	      
+{
+    char **c, **found;
+    int n;
+
+    if (name == 0)
+	return 0;
+
+    found = 0;
+    for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+	if ((n = isprefix(name, *c)) == 0)
+	    continue;
+	if (n < 0)		/* exact match */
+	    return(c);
+	if (found)
+	    return(&ambiguous);
+	found = c;
+    }
+    return(found);
+}
+
+/*
+ * Function call version of Ambiguous()
+ */
+int
+Ambiguous(void *s)
+{
+    return((char **)s == &ambiguous);
+}
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
new file mode 100644
index 0000000..c6b02de
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
@@ -0,0 +1,719 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: kerberos.c,v 1.47 2000/02/07 03:14:19 assar Exp $");
+
+#ifdef	KRB4
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include <des.h>	/* BSD wont include this in krb.h, so we do it here */
+#include <krb.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum (unsigned char *, int);
+extern int auth_debug_mode;
+
+static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V4, };
+
+#define	KRB_AUTH	0		/* Authentication data follows */
+#define	KRB_REJECT	1		/* Rejected (reason might follow) */
+#define	KRB_ACCEPT	2		/* Accepted */
+#define	KRB_CHALLENGE	3		/* Challenge for mutual auth. */
+#define	KRB_RESPONSE	4		/* Response for mutual auth. */
+
+#define KRB_FORWARD		5	/* */
+#define KRB_FORWARD_ACCEPT	6	/* */
+#define KRB_FORWARD_REJECT	7	/* */
+
+#define KRB_SERVICE_NAME   "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	AUTH_DAT adat;
+static des_cblock session_key;
+static des_cblock cred_session;
+static des_key_schedule sched;
+static des_cblock challenge;
+static int auth_done; /* XXX */
+
+static int pack_cred(CREDENTIALS *cred, unsigned char *buf);
+static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred);
+
+
+static int
+Data(Authenticator *ap, int type, const void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    const unsigned char *cd = (const unsigned char *)d;
+
+    if (c == -1)
+	c = strlen((const char *)cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - (&str_data[2]));
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos4_init(Authenticator *ap, int server)
+{
+    FILE *fp;
+
+    if (server) {
+	str_data[3] = TELQUAL_REPLY;
+	if ((fp = fopen(KEYFILE, "r")) == NULL)
+	    return(0);
+	fclose(fp);
+    } else {
+	str_data[3] = TELQUAL_IS;
+    }
+    return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+static int
+kerberos4_send(char *name, Authenticator *ap)
+{
+    KTEXT_ST auth;
+    char instance[INST_SZ];
+    char *realm;
+    CREDENTIALS cred;
+    int r;
+
+    printf("[ Trying %s ... ]\r\n", name);
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V4: no user name supplied\r\n");
+	}
+	return(0);
+    }
+
+    memset(instance, 0, sizeof(instance));
+
+    strlcpy (instance,
+		     krb_get_phost(RemoteHostName),
+		     INST_SZ);
+
+    realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+    if (!realm) {
+	printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+	return(0);
+    }
+    r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
+    if (r) {
+	printf("mk_req failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
+    if (r) {
+	printf("get_cred failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (auth_debug_mode)
+	printf("Sent %d bytes of authentication data\r\n", auth.length);
+    if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+#ifdef ENCRYPTION
+    /* create challenge */
+    if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) {
+	int i;
+
+	des_key_sched(&cred.session, sched);
+	memcpy (&cred_session, &cred.session, sizeof(cred_session));
+	des_init_random_number_generator(&cred.session);
+	des_new_random_key(&session_key);
+	des_ecb_encrypt(&session_key, &session_key, sched, 0);
+	des_ecb_encrypt(&session_key, &challenge, sched, 0);
+
+	/*
+	  old code
+	  Some CERT Advisory thinks this is a bad thing...
+	    
+	  des_init_random_number_generator(&cred.session);
+	  des_new_random_key(&challenge);
+	  des_ecb_encrypt(&challenge, &session_key, sched, 1);
+	  */
+	  
+	/*
+	 * Increment the challenge by 1, and encrypt it for
+	 * later comparison.
+	 */
+	for (i = 7; i >= 0; --i) 
+	    if(++challenge[i] != 0) /* No carry! */
+		break;
+	des_ecb_encrypt(&challenge, &challenge, sched, 1);
+    }
+
+#endif
+
+    if (auth_debug_mode) {
+	printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	printd(auth.dat, auth.length);
+	printf("\r\n");
+	printf("Sent Kerberos V4 credentials to server\r\n");
+    }
+    return(1);
+}
+int
+kerberos4_send_mutual(Authenticator *ap)
+{
+    return kerberos4_send("mutual KERBEROS4", ap);
+}
+
+int
+kerberos4_send_oneway(Authenticator *ap)
+{
+    return kerberos4_send("KERBEROS4", ap);
+}
+
+void
+kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    struct sockaddr_in addr;
+    char realm[REALM_SZ];
+    char instance[INST_SZ];
+    int r;
+    int addr_len;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+	    Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("No local realm\r\n");
+	    return;
+	}
+	memmove(auth.dat, data, auth.length = cnt);
+	if (auth_debug_mode) {
+	    printf("Got %d bytes of authentication data\r\n", cnt);
+	    printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	    printd(auth.dat, auth.length);
+	    printf("\r\n");
+	}
+	k_getsockinst(0, instance, sizeof(instance));
+	addr_len = sizeof(addr);
+	if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) {
+	    if(auth_debug_mode)
+		printf("getpeername failed\r\n");
+	    Data(ap, KRB_REJECT, "getpeername failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	if (addr.sin_family != AF_INET) {
+	    if (auth_debug_mode)
+		printf("unknown address family: %d\r\n", addr.sin_family);
+	    Data(ap, KRB_REJECT, "bad address family", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+
+	r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+		       instance, addr.sin_addr.s_addr, &adat, "");
+	if (r) {
+	    if (auth_debug_mode)
+		printf("Kerberos failed him as %s\r\n", name);
+	    Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	/* save the session key */
+	memmove(session_key, adat.session, sizeof(adat.session));
+	krb_kntoln(&adat, name);
+
+	if (UserNameRequested && !kuserok(&adat, UserNameRequested)){
+	    char ts[MaxPathLen];
+	    struct passwd *pw = getpwnam(UserNameRequested);
+
+	    if(pw){
+		snprintf(ts, sizeof(ts),
+			 "%s%u",
+			 TKT_ROOT,
+			 (unsigned)pw->pw_uid);
+		setenv("KRBTKFILE", ts, 1);
+
+		if (pw->pw_uid == 0)
+		    syslog(LOG_INFO|LOG_AUTH,
+			   "ROOT Kerberos login from %s on %s\n",
+			   krb_unparse_name_long(adat.pname,
+						 adat.pinst,
+						 adat.prealm),
+			   RemoteHostName);
+	    }
+	    Data(ap, KRB_ACCEPT, NULL, 0);
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      krb_unparse_name_long(adat.pname, 
+					    adat.pinst, 
+					    adat.prealm), 
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	    auth_finished(ap, AUTH_REJECT);
+	    break;
+	}
+	auth_finished(ap, AUTH_USER);
+	break;
+	
+    case KRB_CHALLENGE:
+#ifndef ENCRYPTION
+	Data(ap, KRB_RESPONSE, NULL, 0);
+#else
+	if(!VALIDKEY(session_key)){
+	    Data(ap, KRB_RESPONSE, NULL, 0);
+	    break;
+	}
+	des_key_sched(&session_key, sched);
+	{
+	    des_cblock d_block;
+	    int i;
+	    Session_Key skey;
+
+	    memmove(d_block, data, sizeof(d_block));
+
+	    /* make a session key for encryption */
+	    des_ecb_encrypt(&d_block, &session_key, sched, 1);
+	    skey.type=SK_DES;
+	    skey.length=8;
+	    skey.data=session_key;
+	    encrypt_session_key(&skey, 1);
+
+	    /* decrypt challenge, add one and encrypt it */
+	    des_ecb_encrypt(&d_block, &challenge, sched, 0);
+	    for (i = 7; i >= 0; i--)
+		if(++challenge[i] != 0)
+		    break;
+	    des_ecb_encrypt(&challenge, &challenge, sched, 1);
+	    Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+	}
+#endif
+	break;
+
+    case KRB_FORWARD:
+	{
+	    des_key_schedule ks;
+	    unsigned char netcred[sizeof(CREDENTIALS)];
+	    CREDENTIALS cred;
+	    int ret;
+	    if(cnt > sizeof(cred))
+		abort();
+
+	    memcpy (session_key, adat.session, sizeof(session_key));
+	    des_set_key(&session_key, ks);
+	    des_pcbc_encrypt((void*)data, (void*)netcred, cnt, 
+			     ks, &session_key, DES_DECRYPT);
+	    unpack_cred(netcred, cnt, &cred);
+	    {
+		if(strcmp(cred.service, KRB_TICKET_GRANTING_TICKET) ||
+		   strncmp(cred.instance, cred.realm, sizeof(cred.instance)) ||
+		   cred.lifetime < 0 || cred.lifetime > 255 ||
+		   cred.kvno < 0 || cred.kvno > 255 ||
+		   cred.issue_date < 0 || 
+		   cred.issue_date > time(0) + CLOCK_SKEW ||
+		   strncmp(cred.pname, adat.pname, sizeof(cred.pname)) ||
+		   strncmp(cred.pinst, adat.pinst, sizeof(cred.pinst))){
+		    Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1);
+		}else{
+		    if((ret = tf_setup(&cred,
+				       cred.pname,
+				       cred.pinst)) == KSUCCESS){
+		        struct passwd *pw = getpwnam(UserNameRequested);
+
+			if (pw)
+			  chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+			Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+		    } else{
+			Data(ap, KRB_FORWARD_REJECT, 
+			     krb_get_err_text(ret), -1);
+		    }
+		}
+	    }
+	    memset(data, 0, cnt);
+	    memset(ks, 0, sizeof(ks));
+	    memset(&cred, 0, sizeof(cred));
+	}
+	
+	break;
+
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    Session_Key skey;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if(auth_done){ /* XXX Ick! */
+	    printf("[ Kerberos V4 received unknown opcode ]\r\n");
+	}else{
+	    printf("[ Kerberos V4 refuses authentication ");
+	    if (cnt > 0) 
+		printf("because %.*s ", cnt, data);
+	    printf("]\r\n");
+	    auth_send_retry();
+	}
+	return;
+    case KRB_ACCEPT:
+	printf("[ Kerberos V4 accepts you ]\r\n");
+	auth_done = 1;
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /*
+	     * Send over the encrypted challenge.
+	     */
+	    Data(ap, KRB_CHALLENGE, session_key, 
+		 sizeof(session_key));
+	    des_ecb_encrypt(&session_key, &session_key, sched, 1);
+	    skey.type = SK_DES;
+	    skey.length = 8;
+	    skey.data = session_key;
+	    encrypt_session_key(&skey, 0);
+#if 0
+	    kerberos4_forward(ap, &cred_session);
+#endif
+	    return;
+	}
+	auth_finished(ap, AUTH_USER);
+	return;
+    case KRB_RESPONSE:
+	/* make sure the response is correct */
+	if ((cnt != sizeof(des_cblock)) ||
+	    (memcmp(data, challenge, sizeof(challenge)))){
+	    printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	printf("[ Kerberos V4 challenge successful ]\r\n");
+	auth_finished(ap, AUTH_USER);
+	break;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V4 accepted forwarded credentials ]\r\n");
+	break;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V4 rejected forwarded credentials: `%.*s']\r\n",
+	       cnt, data);
+	break;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos4_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+	strlcpy(name, UserNameRequested, name_sz);
+	return(AUTH_VALID);
+    } else
+	return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_CHALLENGE:
+	strlcpy((char *)buf, " CHALLENGE", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+int
+kerberos4_cksum(unsigned char *d, int n)
+{
+    int ck = 0;
+
+    /*
+     * A comment is probably needed here for those not
+     * well versed in the "C" language.  Yes, this is
+     * supposed to be a "switch" with the body of the
+     * "switch" being a "while" statement.  The whole
+     * purpose of the switch is to allow us to jump into
+     * the middle of the while() loop, and then not have
+     * to do any more switch()s.
+     *
+     * Some compilers will spit out a warning message
+     * about the loop not being entered at the top.
+     */
+    switch (n&03)
+	while (n > 0) {
+	case 0:
+	    ck ^= (int)*d++ << 24;
+	    --n;
+	case 3:
+	    ck ^= (int)*d++ << 16;
+	    --n;
+	case 2:
+	    ck ^= (int)*d++ << 8;
+	    --n;
+	case 1:
+	    ck ^= (int)*d++;
+	    --n;
+	}
+    return(ck);
+}
+
+static int
+pack_cred(CREDENTIALS *cred, unsigned char *buf)
+{
+    unsigned char *p = buf;
+    
+    memcpy (p, cred->service, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->instance, INST_SZ);
+    p += INST_SZ;
+    memcpy (p, cred->realm, REALM_SZ);
+    p += REALM_SZ;
+    memcpy(p, cred->session, 8);
+    p += 8;
+    p += KRB_PUT_INT(cred->lifetime, p, 4, 4);
+    p += KRB_PUT_INT(cred->kvno, p, 4, 4);
+    p += KRB_PUT_INT(cred->ticket_st.length, p, 4, 4);
+    memcpy(p, cred->ticket_st.dat, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += KRB_PUT_INT(0, p, 4, 4);
+    p += KRB_PUT_INT(cred->issue_date, p, 4, 4);
+    memcpy (p, cred->pname, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->pinst, INST_SZ);
+    p += INST_SZ;
+    return p - buf;
+}
+
+static int
+unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
+{
+    unsigned char *p = buf;
+    u_int32_t tmp;
+
+    strncpy (cred->service, p, ANAME_SZ);
+    cred->service[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->instance, p, INST_SZ);
+    cred->instance[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    strncpy (cred->realm, p, REALM_SZ);
+    cred->realm[REALM_SZ - 1] = '\0';
+    p += REALM_SZ;
+
+    memcpy(cred->session, p, 8);
+    p += 8;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->lifetime = tmp;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->kvno = tmp;
+
+    p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
+    memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->ticket_st.mbz = 0;
+    p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
+
+    strncpy (cred->pname, p, ANAME_SZ);
+    cred->pname[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->pinst, p, INST_SZ);
+    cred->pinst[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    return 0;
+}
+
+
+int
+kerberos4_forward(Authenticator *ap, void *v)
+{
+    des_cblock *key = (des_cblock *)v;
+    CREDENTIALS cred;
+    char *realm;
+    des_key_schedule ks;
+    int len;
+    unsigned char netcred[sizeof(CREDENTIALS)];
+    int ret;
+
+    realm = krb_realmofhost(RemoteHostName);
+    if(realm == NULL)
+	return -1;
+    memset(&cred, 0, sizeof(cred));
+    ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+		       realm,
+		       realm, 
+		       &cred);
+    if(ret)
+	return ret;
+    des_set_key(key, ks);
+    len = pack_cred(&cred, netcred);
+    des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
+		     ks, key, DES_ENCRYPT);
+    memset(ks, 0, sizeof(ks));
+    Data(ap, KRB_FORWARD, netcred, len);
+    memset(netcred, 0, sizeof(netcred));
+    return 0;
+}
+
+#endif /* KRB4 */
+
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
new file mode 100644
index 0000000..2e6e2e5
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
@@ -0,0 +1,736 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: kerberos5.c,v 1.39 2000/02/01 00:32:05 assar Exp $");
+
+#ifdef	KRB5
+
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#define Authenticator k5_Authenticator
+#include <krb5.h>
+#undef Authenticator
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+void kerberos5_forward (Authenticator *);
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V5, };
+
+#define	KRB_AUTH		0	/* Authentication data follows */
+#define	KRB_REJECT		1	/* Rejected (reason might follow) */
+#define	KRB_ACCEPT		2	/* Accepted */
+#define	KRB_RESPONSE		3	/* Response for mutual auth. */
+
+#define KRB_FORWARD     	4       /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
+
+static	krb5_data auth;
+static  krb5_ticket *ticket;
+
+static krb5_context context;
+static krb5_auth_context auth_context;
+
+static int
+Data(Authenticator *ap, int type, void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    unsigned char *cd = (unsigned char *)d;
+
+    if (c == -1)
+	c = strlen(cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - &str_data[2]);
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos5_init(Authenticator *ap, int server)
+{
+    if (server)
+	str_data[3] = TELQUAL_REPLY;
+    else
+	str_data[3] = TELQUAL_IS;
+    krb5_init_context(&context);
+    return(1);
+}
+
+static int
+kerberos5_send(char *name, Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    int ap_opts;
+    krb5_data cksum_data;
+    char foo[2];
+    extern int net;
+    
+    printf("[ Trying %s ... ]\r\n", name);
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: no user name supplied\r\n");
+	}
+	return(0);
+    }
+    
+    ret = krb5_cc_default(context, &ccache);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: could not get default ccache: %s\r\n",
+		   krb5_get_err_text (context, ret));
+	}
+	return 0;
+    }
+	
+    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+    else
+	ap_opts = 0;
+    
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    ret = krb5_auth_con_setaddrs_from_fd (context,
+					  auth_context,
+					  &net);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf ("Kerberos V5:"
+		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		    krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
+
+    foo[0] = ap->type;
+    foo[1] = ap->way;
+
+    cksum_data.length = sizeof(foo);
+    cksum_data.data   = foo;
+    ret = krb5_mk_req(context, &auth_context, ap_opts,
+		      "host", RemoteHostName, 
+		      &cksum_data, ccache, &auth);
+
+    if (ret) {
+	if (1 || auth_debug_mode) {
+	    printf("Kerberos V5: mk_req failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    if (!auth_sendname((unsigned char *)UserNameRequested,
+		       strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+    if (auth_debug_mode) {
+	printf("Sent Kerberos V5 credentials to server\r\n");
+    }
+    return(1);
+}
+
+int
+kerberos5_send_mutual(Authenticator *ap)
+{
+    return kerberos5_send("mutual KERBEROS5", ap);
+}
+
+int
+kerberos5_send_oneway(Authenticator *ap)
+{
+    return kerberos5_send("KERBEROS5", ap);
+}
+
+void
+kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    krb5_error_code ret;
+    krb5_data outbuf;
+    krb5_keyblock *key_block;
+    char *name;
+    krb5_principal server;
+    int zero = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	auth.data = (char *)data;
+	auth.length = cnt;
+
+	auth_context = NULL;
+
+	ret = krb5_auth_con_init (context, &auth_context);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_auth_con_setaddrs_from_fd (context,
+					      auth_context,
+					      &zero);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_sock_to_principal (context,
+				      0,
+				      "host",
+				      KRB5_NT_SRV_HST,
+				      &server);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_sock_to_principal failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_rd_req(context,
+			  &auth_context,
+			  &auth, 
+			  server,
+			  NULL,
+			  NULL,
+			  &ticket);
+	krb5_free_principal (context, server);
+
+	if (ret) {
+	    char *errbuf;
+
+	    asprintf(&errbuf,
+		     "Read req failed: %s",
+		     krb5_get_err_text(context, ret));
+	    Data(ap, KRB_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("%s\r\n", errbuf);
+	    free (errbuf);
+	    return;
+	}
+	
+	{
+	    char foo[2];
+	    
+	    foo[0] = ap->type;
+	    foo[1] = ap->way;
+	    
+	    ret = krb5_verify_authenticator_checksum(context,
+						     auth_context,
+						     foo, 
+						     sizeof(foo));
+
+	    if (ret) {
+		char *errbuf;
+		asprintf(&errbuf, "Bad checksum: %s", 
+			 krb5_get_err_text(context, ret));
+		Data(ap, KRB_REJECT, errbuf, -1);
+		if (auth_debug_mode)
+		    printf ("%s\r\n", errbuf);
+		free(errbuf);
+		return;
+	    }
+	}
+	ret = krb5_auth_con_getremotesubkey (context,
+					     auth_context,
+					     &key_block);
+
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    ret = krb5_mk_rep(context, &auth_context, &outbuf);
+	    if (ret) {
+		Data(ap, KRB_REJECT,
+		     "krb5_mk_rep failed", -1);
+		auth_finished(ap, AUTH_REJECT);
+		if (auth_debug_mode)
+		    printf("Kerberos V5: "
+			   "krb5_mk_rep failed (%s)\r\n",
+			   krb5_get_err_text(context, ret));
+		return;
+	    }
+	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+	}
+	if (krb5_unparse_name(context, ticket->client, &name))
+	    name = 0;
+
+	if(UserNameRequested && krb5_kuserok(context,
+					     ticket->client,
+					     UserNameRequested)) {
+	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+	    if (auth_debug_mode) {
+		printf("Kerberos5 identifies him as ``%s''\r\n",
+		       name ? name : "");
+	    }
+
+	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
+	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
+	       key_block->keytype == ETYPE_DES_CBC_CRC) {
+		Session_Key skey;
+
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = key_block->keyvalue.data;
+		encrypt_session_key(&skey, 0);
+	    }
+
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      name ? name : "<unknown>",
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	    auth_finished (ap, AUTH_REJECT);
+	    krb5_free_keyblock_contents(context, key_block);
+	    break;
+	}
+	auth_finished(ap, AUTH_USER);
+	krb5_free_keyblock_contents(context, key_block);
+	
+	break;
+    case KRB_FORWARD: {
+	struct passwd *pwd;
+	char ccname[1024];	/* XXX */
+	krb5_data inbuf;
+	krb5_ccache ccache;
+	inbuf.data = (char *)data;
+	inbuf.length = cnt;
+
+	pwd = getpwnam (UserNameRequested);
+	if (pwd == NULL)
+	    break;
+
+	snprintf (ccname, sizeof(ccname),
+		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
+
+	ret = krb5_cc_resolve (context, ccname, &ccache);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not get ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+	ret = krb5_cc_initialize (context,
+				  ccache,
+				  ticket->client);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not init ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+	ret = krb5_rd_cred (context,
+			    auth_context,
+			    ccache,
+			    &inbuf);
+	if(ret) {
+	    char *errbuf;
+
+	    asprintf (&errbuf,
+		      "Read forwarded creds failed: %s",
+		      krb5_get_err_text (context, ret));
+	    if(errbuf == NULL)
+		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
+	    else
+		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("Could not read forwarded credentials: %s\r\n",
+		       errbuf);
+	    free (errbuf);
+	} else
+	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+	chown (ccname + 5, pwd->pw_uid, -1);
+	if (auth_debug_mode)
+	    printf("Forwarded credentials obtained\r\n");
+	break;
+    }
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    static int mutual_complete = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if (cnt > 0) {
+	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+		   cnt, data);
+	} else
+	    printf("[ Kerberos V5 refuses authentication ]\r\n");
+	auth_send_retry();
+	return;
+    case KRB_ACCEPT: {
+	krb5_error_code ret;
+	Session_Key skey;
+	krb5_keyblock *keyblock;
+	
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+	    !mutual_complete) {
+	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	if (cnt)
+	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
+	else
+	    printf("[ Kerberos V5 accepts you ]\r\n");
+	      
+	ret = krb5_auth_con_getlocalsubkey (context,
+					    auth_context,
+					    &keyblock);
+	if (ret)
+	    ret = krb5_auth_con_getkey (context,
+					auth_context,
+					&keyblock);
+	if(ret) {
+	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
+		   krb5_get_err_text(context, ret));
+	    auth_send_retry();
+	    return;
+	}
+	      
+	skey.type = SK_DES;
+	skey.length = 8;
+	skey.data = keyblock->keyvalue.data;
+	encrypt_session_key(&skey, 0);
+	krb5_free_keyblock_contents (context, keyblock);
+	auth_finished(ap, AUTH_USER);
+	if (forward_flags & OPTS_FORWARD_CREDS)
+	    kerberos5_forward(ap);
+	break;
+    }
+    case KRB_RESPONSE:
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /* the rest of the reply should contain a krb_ap_rep */
+	  krb5_ap_rep_enc_part *reply;
+	  krb5_data inbuf;
+	  krb5_error_code ret;
+	    
+	  inbuf.length = cnt;
+	  inbuf.data = (char *)data;
+
+	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
+	  if (ret) {
+	      printf("[ Mutual authentication failed: %s ]\r\n",
+		     krb5_get_err_text (context, ret));
+	      auth_send_retry();
+	      return;
+	  }
+	  krb5_free_ap_rep_enc_part(context, reply);
+	  mutual_complete = 1;
+	}
+	return;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
+	return;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+	       cnt, data);
+	return;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested &&
+	krb5_kuserok(context,
+		     ticket->client,
+		     UserNameRequested))
+	{
+	    strlcpy(name, UserNameRequested, name_sz);
+	    return(AUTH_VALID);
+	} else
+	    return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    case KRB_FORWARD:		/* Forwarded credentials follow */
+	strlcpy((char *)buf, " FORWARD", buflen);
+	goto common2;
+
+    case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
+	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
+	goto common2;
+
+    case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
+	/* (reason might follow) */
+	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+void
+kerberos5_forward(Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_data       out_data;
+    krb5_principal  principal;
+
+    ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get default ccache: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    memset (&creds, 0, sizeof(creds));
+
+    creds.client = principal;
+    
+    ret = krb5_build_principal (context,
+				&creds.server,
+				strlen(principal->realm),
+				principal->realm,
+				"krbtgt",
+				principal->realm,
+				NULL);
+
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded = 1;
+    if (forward_flags & OPTS_FORWARDABLE_CREDS)
+	flags.b.forwardable = 1;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags.i,
+				    RemoteHostName,
+				    &creds,
+				    &out_data);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+    } else {
+	if (auth_debug_mode)
+	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
+    }
+}
+
+#endif /* KRB5 */
diff --git a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
new file mode 100644
index 0000000..a85d562c
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
@@ -0,0 +1,437 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: krb4encpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	KRB4_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#include <des.h>
+#include <krb.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int krb_mk_encpwd_req (KTEXT, char *, char *, char *, char *, char *, char *);
+int krb_rd_encpwd_req (KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *);
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KRB4_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
+#define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
+#define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
+
+#define KRB_SERVICE_NAME    "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	char user_passwd[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+static des_key_schedule sched;
+static char  challenge[REALM_SZ];
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen(cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+krb4encpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char hostname[80], *cp, *realm;
+	des_clock skey;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+	} else {
+		str_data[3] = TELQUAL_IS;
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		cp = strchr(hostname, '.');
+		if (*cp != NULL) *cp = NULL;
+		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
+					KEYFILE, (char *)skey)) {
+		  return(0);
+		}
+	}
+	return(1);
+}
+
+	int
+krb4encpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying KRB4ENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, KRB4_ENCPWD_ACK, NULL, 0)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+krb4encpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
+	char  lhostname[ANAME_SZ], *cp;
+	int r;
+	time_t now;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
+			Data(ap, KRB4_ENCPWD_REJECT, "Auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, KRB4_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		memmove(session_key, adat.session, sizeof(des_cblock));
+		Data(ap, KRB4_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 *  Take the received random challenge text and save
+		 *  for future authentication.
+		 */
+		memmove(challenge, data, sizeof(des_cblock));
+		break;
+
+
+	case KRB4_ENCPWD_ACK:
+		/*
+		 *  Receive ack, if mutual then send random challenge
+		 */
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		  int i;
+
+		  time(&now);
+		  snprintf(challenge, sizeof(challenge), "%x", now);
+		  Data(ap, KRB4_ENCPWD_CHALLENGE, challenge, strlen(challenge));
+		}
+		break;
+
+	default:
+		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+krb4encpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST krb_token;
+	des_cblock enckey;
+	CREDENTIALS cred;
+	int r;
+	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
+	char	hostname[80], *realm;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB4_ENCPWD_ACCEPT:
+		printf("[ KRB4_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		memmove(challenge, data, cnt);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		strlcpy(instance, RemoteHostName, sizeof(instance));
+		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
+		  krb_token.length = 0;
+		}
+
+		if (!Data(ap, KRB4_ENCPWD_AUTH, krb_token.dat, krb_token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+krb4encpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+krb4encpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		strlcpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_ACK:
+		strlcpy((char *)buf, " ACK", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
new file mode 100644
index 0000000..71d91b6
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: misc-proto.h,v 1.8 2000/01/18 03:11:07 assar Exp $ */
+
+#ifndef	__MISC_PROTO__
+#define	__MISC_PROTO__
+
+void auth_encrypt_init (const char *, const char *, const char *, int);
+void auth_encrypt_user(const char *name);
+void auth_encrypt_connect (int);
+void printd (const unsigned char *, int);
+
+char** genget (char *name, char **table, int stlen);
+int isprefix(char *s1, char *s2);
+int Ambiguous(void *s);
+
+/*
+ * These functions are imported from the application
+ */
+int telnet_net_write (unsigned char *, int);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (char *);
+char *telnet_gets (char *, char *, int, int);
+void printsub(int direction, unsigned char *pointer, int length);
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc.c b/crypto/heimdal/appl/telnet/libtelnet/misc.c
new file mode 100644
index 0000000..b7af237
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc.c
@@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: misc.c,v 1.15 2000/01/25 23:24:58 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
+
+
+const char *RemoteHostName;
+const char *LocalHostName;
+char *UserNameRequested = 0;
+int ConnectedCount = 0;
+
+void
+auth_encrypt_init(const char *local, const char *remote, const char *name,
+		  int server)
+{
+    RemoteHostName = remote;
+    LocalHostName = local;
+#ifdef AUTHENTICATION
+    auth_init(name, server);
+#endif
+#ifdef ENCRYPTION
+    encrypt_init(name, server);
+#endif
+    if (UserNameRequested) {
+	free(UserNameRequested);
+	UserNameRequested = 0;
+    }
+}
+
+void
+auth_encrypt_user(const char *name)
+{
+    if (UserNameRequested)
+	free(UserNameRequested);
+    UserNameRequested = name ? strdup(name) : 0;
+}
+
+void
+auth_encrypt_connect(int cnt)
+{
+}
+
+void
+printd(const unsigned char *data, int cnt)
+{
+    if (cnt > 16)
+	cnt = 16;
+    while (cnt-- > 0) {
+	printf(" %02x", *data);
+	++data;
+    }
+}
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc.h b/crypto/heimdal/appl/telnet/libtelnet/misc.h
new file mode 100644
index 0000000..e315565
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc.h	8.1 (Berkeley) 6/4/93
+ */
+
+extern char *UserNameRequested;
+extern const char *LocalHostName;
+extern const char *RemoteHostName;
+extern int ConnectedCount;
+extern int ReservedPort;
+
+#include "misc-proto.h"
diff --git a/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
new file mode 100644
index 0000000..dafb448
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
@@ -0,0 +1,487 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: rsaencpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	RSA_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <pwd.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+#include "cdc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_RSA_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	RSA_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	RSA_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define RSA_ENCPWD_ACCEPT	2	/* Accepted */
+#define	RSA_ENCPWD_CHALLENGEKEY	3	/* Challenge and public key */
+
+#define NAME_SZ   40
+#define CHAL_SZ   20
+#define PWD_SZ    40
+
+static	KTEXT_ST auth;
+static	char name[NAME_SZ];
+static	char user_passwd[PWD_SZ];
+static  char key_file[2*NAME_SZ];
+static  char lhostname[NAME_SZ];
+static char  challenge[CHAL_SZ];
+static int   challenge_len;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	if (type != NULL) *p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+rsaencpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char  *cp;
+	FILE  *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		memset(key_file, 0, sizeof(key_file));
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+		snprintf(key_file, sizeof(key_file),
+			 "/etc/.%s_privkey", lhostname);
+		if ((fp=fopen(key_file, "r"))==NULL) return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+rsaencpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying RSAENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+	if (!Data(ap, NULL, NULL, 0)) {
+		return(0);
+	}
+
+
+	return(1);
+}
+
+	void
+rsaencpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[PWD_SZ], r_user[NAME_SZ];
+	char  *cp, key[160];
+	char  chalkey[160], *ptr;
+	FILE  *fp;
+	int r, i, j, chalkey_len, len;
+	time_t now;
+
+	cnt--;
+	switch (*data++) {
+	case RSA_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		if ((fp=fopen(key_file, "r"))==NULL) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		/*
+		 *  get privkey
+		 */
+		fscanf(fp, "%x;", &len);
+		for (i=0;i<len;i++) {
+		  j = getc(fp);  key[i]=j;
+		}
+		fclose(fp);
+
+		r = accept_rsa_encpwd(&auth, key, challenge,
+				      challenge_len, r_passwd);
+		if (r < 0) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (rsaencpwd_passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, RSA_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		Data(ap, RSA_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+
+	case IAC:
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
+		  int i;
+
+
+		  time(&now);
+		  if ((now % 2) == 0) {
+		    snprintf(challenge, sizeof(challenge), "%x", now);
+		    challenge_len = strlen(challenge);
+		  } else {
+		    strlcpy(challenge, "randchal", sizeof(challenge));
+		    challenge_len = 8;
+		  }
+
+		  if ((fp=fopen(key_file, "r"))==NULL) {
+		    Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		    auth_finished(ap, AUTH_REJECT);
+		    return;
+		  }
+		  /*
+		   *  skip privkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);
+		  }
+		  /*
+		   * get pubkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);  key[i]=j;
+		  }
+		  fclose(fp);
+		  chalkey[0] = 0x30;
+		  ptr = (char *) &chalkey[1];
+		  chalkey_len = 1+NumEncodeLengthOctets(i)+i+1+NumEncodeLengthOctets(challenge_len)+challenge_len;
+		  EncodeLength(ptr, chalkey_len);
+		  ptr +=NumEncodeLengthOctets(chalkey_len);
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  *ptr++ = challenge_len;
+		  memmove(ptr, challenge, challenge_len);
+		  ptr += challenge_len;
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  EncodeLength(ptr, i);
+		  ptr += NumEncodeLengthOctets(i);
+		  memmove(ptr, key, i);
+		  chalkey_len = 1+NumEncodeLengthOctets(chalkey_len)+chalkey_len;
+		  Data(ap, RSA_ENCPWD_CHALLENGEKEY, chalkey, chalkey_len);
+		}
+		break;
+
+	default:
+		Data(ap, RSA_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+rsaencpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST token;
+	des_cblock enckey;
+	int r, pubkey_len;
+	char	randchal[CHAL_SZ], *cp;
+	char	chalkey[160], pubkey[128], *ptr;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case RSA_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ RSA_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case RSA_ENCPWD_ACCEPT:
+		printf("[ RSA_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case RSA_ENCPWD_CHALLENGEKEY:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		memmove(chalkey, data, cnt);
+		ptr = (char *) &chalkey[0];
+		ptr += DecodeHeaderLength(chalkey);
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		challenge_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(challenge_len);
+		memmove(challenge, ptr, challenge_len);
+		ptr += challenge_len;
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		pubkey_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(pubkey_len);
+		memmove(pubkey, ptr, pubkey_len);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey);
+		if (r < 0) {
+		  token.length = 1;
+		}
+
+		if (!Data(ap, RSA_ENCPWD_AUTH, token.dat, token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+rsaencpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+rsaencpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case RSA_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case RSA_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case RSA_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case RSA_ENCPWD_CHALLENGEKEY:
+		strlcpy((char *)buf, " CHALLENGEKEY", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int rsaencpwd_passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/spx.c b/crypto/heimdal/appl/telnet/libtelnet/spx.c
new file mode 100644
index 0000000..9155ef2
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/spx.c
@@ -0,0 +1,586 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: spx.c,v 1.17 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	SPX
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include "gssapi_defs.h"
+#include <stdlib.h>
+#include <string.h>
+
+#include <pwd.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SPX, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	SPX_AUTH	0		/* Authentication data follows */
+#define	SPX_REJECT	1		/* Rejected (reason might follow) */
+#define SPX_ACCEPT	2		/* Accepted */
+
+static des_key_schedule sched;
+static des_cblock	challenge	= { 0 };
+
+
+/*******************************************************************/
+
+gss_OID_set		actual_mechs;
+gss_OID			actual_mech_type, output_name_type;
+int			major_status, status, msg_ctx = 0, new_status;
+int			req_flags = 0, ret_flags, lifetime_rec;
+gss_cred_id_t		gss_cred_handle;
+gss_ctx_id_t		actual_ctxhandle, context_handle;
+gss_buffer_desc		output_token, input_token, input_name_buffer;
+gss_buffer_desc		status_string;
+gss_name_t		desired_targname, src_name;
+gss_channel_bindings	input_chan_bindings;
+char			lhostname[GSS_C_MAX_PRINTABLE_NAME];
+char			targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+int			to_addr=0, from_addr=0;
+char			*address;
+gss_buffer_desc		fullname_buffer;
+gss_OID			fullname_type;
+gss_cred_id_t		gss_delegated_cred_handle;
+
+/*******************************************************************/
+
+
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+spx_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	gss_cred_id_t	tmp_cred_handle;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		gethostname(lhostname, sizeof(lhostname));
+		snprintf (targ_printable, sizeof(targ_printable),
+			  "SERVICE:rcmd@%s", lhostname);
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&tmp_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+		if (major_status != GSS_S_COMPLETE) return(0);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+spx_send(ap)
+	Authenticator *ap;
+{
+	des_cblock enckey;
+	int r;
+
+	gss_OID	actual_mech_type, output_name_type;
+	int	msg_ctx = 0, new_status, status;
+	int	req_flags = 0, ret_flags, lifetime_rec, major_status;
+	gss_buffer_desc  output_token, input_token, input_name_buffer;
+	gss_buffer_desc  output_name_buffer, status_string;
+	gss_name_t    desired_targname;
+	gss_channel_bindings  input_chan_bindings;
+	char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+	int  from_addr=0, to_addr=0, myhostlen, j;
+	int  deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0;
+	char *address;
+
+	printf("[ Trying SPX ... ]\r\n");
+	snprintf (targ_printable, sizeof(targ_printable),
+		  "SERVICE:rcmd@%s", RemoteHostName);
+
+	input_name_buffer.length = strlen(targ_printable);
+	input_name_buffer.value = targ_printable;
+
+	if (!UserNameRequested) {
+		return(0);
+	}
+
+	major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+
+	major_status = gss_display_name(&status,
+					desired_targname,
+					&output_name_buffer,
+					&output_name_type);
+
+	printf("target is '%s'\n", output_name_buffer.value); fflush(stdout);
+
+	major_status = gss_release_buffer(&status, &output_name_buffer);
+
+	input_chan_bindings = (gss_channel_bindings)
+	  malloc(sizeof(gss_channel_bindings_desc));
+
+	input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->initiator_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->initiator_address.value = (char *) address;
+	address[0] = ((from_addr & 0xff000000) >> 24);
+	address[1] = ((from_addr & 0xff0000) >> 16);
+	address[2] = ((from_addr & 0xff00) >> 8);
+	address[3] = (from_addr & 0xff);
+	input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->acceptor_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->acceptor_address.value = (char *) address;
+	address[0] = ((to_addr & 0xff000000) >> 24);
+	address[1] = ((to_addr & 0xff0000) >> 16);
+	address[2] = ((to_addr & 0xff00) >> 8);
+	address[3] = (to_addr & 0xff);
+	input_chan_bindings->application_data.length = 0;
+
+	req_flags = 0;
+	if (deleg_flag)  req_flags = req_flags | 1;
+	if (mutual_flag) req_flags = req_flags | 2;
+	if (replay_flag) req_flags = req_flags | 4;
+	if (seq_flag)    req_flags = req_flags | 8;
+
+	major_status = gss_init_sec_context(&status,         /* minor status */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					GSS_C_NO_BUFFER,     /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+	if ((major_status != GSS_S_COMPLETE) &&
+	    (major_status != GSS_S_CONTINUE_NEEDED)) {
+	  gss_display_status(&new_status,
+				status,
+				GSS_C_MECH_CODE,
+				GSS_C_NULL_OID,
+				&msg_ctx,
+				&status_string);
+	  printf("%s\n", status_string.value);
+	  return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, SPX_AUTH, output_token.value, output_token.length)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+spx_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_AUTH:
+		input_token.length = cnt;
+		input_token.value = (char *) data;
+
+		gethostname(lhostname, sizeof(lhostname));
+
+		snprintf(targ_printable, sizeof(targ_printable),
+			 "SERVICE:rcmd@%s", lhostname);
+
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gss_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+
+		major_status = gss_release_name(&status, desired_targname);
+
+		input_chan_bindings = (gss_channel_bindings)
+		  malloc(sizeof(gss_channel_bindings_desc));
+
+		input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->initiator_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->initiator_address.value = (char *) address;
+		address[0] = ((from_addr & 0xff000000) >> 24);
+		address[1] = ((from_addr & 0xff0000) >> 16);
+		address[2] = ((from_addr & 0xff00) >> 8);
+		address[3] = (from_addr & 0xff);
+		input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->acceptor_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->acceptor_address.value = (char *) address;
+		address[0] = ((to_addr & 0xff000000) >> 24);
+		address[1] = ((to_addr & 0xff0000) >> 16);
+		address[2] = ((to_addr & 0xff00) >> 8);
+		address[3] = (to_addr & 0xff);
+		input_chan_bindings->application_data.length = 0;
+
+		major_status = gss_accept_sec_context(&status,
+						&context_handle,
+						gss_cred_handle,
+						&input_token,
+						input_chan_bindings,
+						&src_name,
+						&actual_mech_type,
+						&output_token,
+						&ret_flags,
+						&lifetime_rec,
+						&gss_delegated_cred_handle);
+
+
+		if (major_status != GSS_S_COMPLETE) {
+
+		  major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+			Data(ap, SPX_REJECT, "auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+
+		Data(ap, SPX_ACCEPT, output_token.value, output_token.length);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	default:
+		Data(ap, SPX_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+spx_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_REJECT:
+		if (cnt > 0) {
+			printf("[ SPX refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ SPX refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case SPX_ACCEPT:
+		printf("[ SPX accepts you ]\r\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+		  input_token.value = (char *) data;
+		  input_token.length = cnt;
+
+		  major_status = gss_init_sec_context(&status, /* minor stat */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					&input_token,        /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+		  if (major_status != GSS_S_COMPLETE) {
+		    gss_display_status(&new_status,
+					status,
+					GSS_C_MECH_CODE,
+					GSS_C_NULL_OID,
+					&msg_ctx,
+					&status_string);
+		    printf("[ SPX mutual response fails ... '%s' ]\r\n",
+			 status_string.value);
+		    auth_send_retry();
+		    return;
+		  }
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+
+	default:
+		return;
+	}
+}
+
+	int
+spx_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	gss_buffer_desc  fullname_buffer, acl_file_buffer;
+	gss_OID          fullname_type;
+	char acl_file[160], fullname[160];
+	int major_status, status = 0;
+	struct passwd  *pwd;
+
+	/*
+	 * hard code fullname to
+	 *   "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan"
+	 * and acl_file to "~kannan/.sphinx"
+	 */
+
+	pwd = k_getpwnam(UserNameRequested);
+	if (pwd == NULL) {
+	  return(AUTH_USER);   /*  not authenticated  */
+	}
+
+	snprintf (acl_file, sizeof(acl_file),
+		  "%s/.sphinx", pwd->pw_dir);
+
+	acl_file_buffer.value = acl_file;
+	acl_file_buffer.length = strlen(acl_file);
+
+	major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+	if (level < AUTH_USER)
+		return(level);
+
+	major_status = gss__check_acl(&status, &fullname_buffer,
+					&acl_file_buffer);
+
+	if (major_status == GSS_S_COMPLETE) {
+	  strlcpy(name, UserNameRequested, name_sz);
+	  return(AUTH_VALID);
+	} else {
+	   return(AUTH_USER);
+	}
+
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+spx_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case SPX_REJECT:		/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SPX_ACCEPT:		/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SPX_AUTH:			/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet.state b/crypto/heimdal/appl/telnet/telnet.state
new file mode 100644
index 0000000..1927a2b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet.state
@@ -0,0 +1,80 @@
+
+   Three pieces of state need to be kept for each side of each option.
+   (You need the localside, sending WILL/WONT & receiving DO/DONT, and
+   the remoteside, sending DO/DONT and receiving WILL/WONT)
+
+	MY_STATE:	What state am I in?
+	WANT_STATE:	What state do I want?
+	WANT_RESP:	How many requests have I initiated?
+
+   Default values:
+	MY_STATE = WANT_STATE = DONT
+	WANT_RESP = 0
+
+   The local setup will change based on the state of the Telnet
+   variables.  When we are the originator, we can either make the
+   local setup changes at option request time (in which case if
+   the option is denied we need to change things back) or when
+   the option is acknowledged.
+
+   To initiate a switch to NEW_STATE:
+
+	if ((WANT_RESP == 0 && NEW_STATE == MY_STATE) ||
+			WANT_STATE == NEW_STATE) {
+	    do nothing;
+	} else {
+	    /*
+	     * This is where the logic goes to change the local setup
+	     * if we are doing so at request initiation
+	     */
+	    WANT_STATE = NEW_STATE;
+	    send NEW_STATE;
+	    WANT_RESP += 1;
+	}
+
+   When receiving NEW_STATE:
+
+	if (WANT_RESP) {
+	    --WANT_RESP;
+	    if (WANT_RESP && (NEW_STATE == MY_STATE))
+		--WANT_RESP;
+	}
+	if (WANT_RESP == 0) {
+	    if (NEW_STATE != WANT_STATE) {
+		/*
+		 * This is where the logic goes to decide if it is ok
+		 * to switch to NEW_STATE, and if so, do any necessary
+		 * local setup changes.
+		 */
+		if (ok_to_switch_to NEW_STATE)
+		    WANT_STATE = NEW_STATE;
+		else
+		    WANT_RESP++;
+*		if (MY_STATE != WANT_STATE)
+		    reply with WANT_STATE;
+	    } else {
+		/*
+		 * This is where the logic goes to change the local setup
+		 * if we are doing so at request acknowledgment
+		 */
+	    }
+	}
+	MY_STATE = NEW_STATE;
+
+* This if() line is not needed, it should be ok to always do the
+  "reply with WANT_STATE".  With the if() line, asking to turn on
+  an option that the other side doesn't understand is:
+		Send DO option
+		Recv WONT option
+  Without the if() line, it is:
+		Send DO option
+		Recv WONT option
+		Send DONT option
+  If the other side does not expect to receive the latter case,
+  but generates the latter case, then there is a potential for
+  option negotiation loops.  An implementation that does not expect
+  to get the second case should not generate it, an implementation
+  that does expect to get it may or may not generate it, and things
+  will still work.  Being conservative in what we send, we have the
+  if() statement in, but we expect the other side to generate the
+  last response.
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.am b/crypto/heimdal/appl/telnet/telnet/Makefile.am
new file mode 100644
index 0000000..73f3a99
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.am
@@ -0,0 +1,22 @@
+# $Id: Makefile.am,v 1.13 2000/01/06 15:12:11 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+bin_PROGRAMS = telnet
+
+CHECK_LOCAL = 
+
+telnet_SOURCES  = authenc.c commands.c main.c network.c ring.c \
+		  sys_bsd.c telnet.c terminal.c \
+		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+
+man_MANS = telnet.1
+
+LDADD = ../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_tgetent) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.in b/crypto/heimdal/appl/telnet/telnet/Makefile.in
new file mode 100644
index 0000000..25a3814
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.in
@@ -0,0 +1,681 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.13 2000/01/06 15:12:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = 
+
+bin_PROGRAMS = telnet
+
+telnet_SOURCES = authenc.c commands.c main.c network.c ring.c 		  sys_bsd.c telnet.c terminal.c 		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+
+
+man_MANS = telnet.1
+
+LDADD = ../libtelnet/libtelnet.a 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_tgetent) 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  telnet$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+telnet_OBJECTS =  authenc.$(OBJEXT) commands.$(OBJEXT) main.$(OBJEXT) \
+network.$(OBJEXT) ring.$(OBJEXT) sys_bsd.$(OBJEXT) telnet.$(OBJEXT) \
+terminal.$(OBJEXT) utilities.$(OBJEXT)
+telnet_LDADD = $(LDADD)
+@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+telnet_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(telnet_SOURCES)
+OBJECTS = $(telnet_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+telnet$(EXEEXT): $(telnet_OBJECTS) $(telnet_DEPENDENCIES)
+	@rm -f telnet$(EXEEXT)
+	$(LINK) $(telnet_LDFLAGS) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS)
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/telnet/telnet
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnet/authenc.c b/crypto/heimdal/appl/telnet/telnet/authenc.c
new file mode 100644
index 0000000..6150fc7
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/authenc.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: authenc.c,v 1.10 1999/09/16 20:41:35 assar Exp $");
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int
+telnet_net_write(unsigned char *str, int len)
+{
+	if (NETROOM() > len) {
+		ring_supply_data(&netoring, str, len);
+		if (str[0] == IAC && str[1] == SE)
+			printsub('>', &str[2], len-2);
+		return(len);
+	}
+	return(0);
+}
+
+void
+net_encrypt(void)
+{
+#if	defined(ENCRYPTION)
+	if (encrypt_output)
+		ring_encrypt(&netoring, encrypt_output);
+	else
+		ring_clearto(&netoring);
+#endif
+}
+
+int
+telnet_spin(void)
+{
+	return(-1);
+}
+
+char *
+telnet_getenv(char *val)
+{
+	return((char *)env_getvalue((unsigned char *)val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+	int om = globalmode;
+	char *res;
+
+	TerminalNewMode(-1);
+	if (echo) {
+		printf("%s", prompt);
+		res = fgets(result, length, stdin);
+	} else if ((res = getpass(prompt))) {
+		strlcpy(result, res, length);
+		res = result;
+	}
+	TerminalNewMode(om);
+	return(res);
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/commands.c b/crypto/heimdal/appl/telnet/telnet/commands.c
new file mode 100644
index 0000000..dd78636
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/commands.c
@@ -0,0 +1,2598 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: commands.c,v 1.60 2000/02/12 16:00:07 assar Exp $");
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+char	*hostname;
+static char _hostname[MaxHostNameLen];
+
+typedef int (*intrtn_t)(int, char**);
+static int call(intrtn_t, ...);
+
+typedef struct {
+	char	*name;		/* command name */
+	char	*help;		/* help string (NULL for no help) */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+} Command;
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static char *margv[20];
+
+static void
+makeargv()
+{
+    char *cp, *cp2, c;
+    char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {		/* Special case shell escape */
+	/* save for shell command */
+	strlcpy(saveline, line, sizeof(saveline));
+	*argp++ = "!";		/* No room in string to get this */
+	margc++;
+	cp++;
+    }
+    while ((c = *cp)) {
+	int inquote = 0;
+	while (isspace(c))
+	    c = *++cp;
+	if (c == '\0')
+	    break;
+	*argp++ = cp;
+	margc += 1;
+	for (cp2 = cp; c != '\0'; c = *++cp) {
+	    if (inquote) {
+		if (c == inquote) {
+		    inquote = 0;
+		    continue;
+		}
+	    } else {
+		if (c == '\\') {
+		    if ((c = *++cp) == '\0')
+			break;
+		} else if (c == '"') {
+		    inquote = '"';
+		    continue;
+		} else if (c == '\'') {
+		    inquote = '\'';
+		    continue;
+		} else if (isspace(c))
+		    break;
+	    }
+	    *cp2++ = c;
+	}
+	*cp2 = '\0';
+	if (c == '\0')
+	    break;
+	cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static char
+special(char *s)
+{
+	char c;
+	char b;
+
+	switch (*s) {
+	case '^':
+		b = *++s;
+		if (b == '?') {
+		    c = b | 0x40;		/* DEL */
+		} else {
+		    c = b & 0x1f;
+		}
+		break;
+	default:
+		c = *s;
+		break;
+	}
+	return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static char *
+control(cc_t c)
+{
+	static char buf[5];
+	/*
+	 * The only way I could get the Sun 3.5 compiler
+	 * to shut up about
+	 *	if ((unsigned int)c >= 0x80)
+	 * was to assign "c" to an unsigned int variable...
+	 * Arggg....
+	 */
+	unsigned int uic = (unsigned int)c;
+
+	if (uic == 0x7f)
+		return ("^?");
+	if (c == (cc_t)_POSIX_VDISABLE) {
+		return "off";
+	}
+	if (uic >= 0x80) {
+		buf[0] = '\\';
+		buf[1] = ((c>>6)&07) + '0';
+		buf[2] = ((c>>3)&07) + '0';
+		buf[3] = (c&07) + '0';
+		buf[4] = 0;
+	} else if (uic >= 0x20) {
+		buf[0] = c;
+		buf[1] = 0;
+	} else {
+		buf[0] = '^';
+		buf[1] = '@'+c;
+		buf[2] = 0;
+	}
+	return (buf);
+}
+
+
+
+/*
+ *	The following are data structures and routines for
+ *	the "send" command.
+ *
+ */
+
+struct sendlist {
+    char	*name;		/* How user refers to it (case independent) */
+    char	*help;		/* Help information (0 ==> no help) */
+    int		needconnect;	/* Need to be connected */
+    int		narg;		/* Number of arguments */
+    int		(*handler)();	/* Routine to perform (for special ops) */
+    int		nbyte;		/* Number of bytes to send this command */
+    int		what;		/* Character to be sent (<0 ==> special) */
+};
+
+
+static int
+	send_esc (void),
+	send_help (void),
+	send_docmd (char *),
+	send_dontcmd (char *),
+	send_willcmd (char *),
+	send_wontcmd (char *);
+
+static struct sendlist Sendlist[] = {
+    { "ao",	"Send Telnet Abort output",		1, 0, 0, 2, AO },
+    { "ayt",	"Send Telnet 'Are You There'",		1, 0, 0, 2, AYT },
+    { "brk",	"Send Telnet Break",			1, 0, 0, 2, BREAK },
+    { "break",	0,					1, 0, 0, 2, BREAK },
+    { "ec",	"Send Telnet Erase Character",		1, 0, 0, 2, EC },
+    { "el",	"Send Telnet Erase Line",		1, 0, 0, 2, EL },
+    { "escape",	"Send current escape character",	1, 0, send_esc, 1, 0 },
+    { "ga",	"Send Telnet 'Go Ahead' sequence",	1, 0, 0, 2, GA },
+    { "ip",	"Send Telnet Interrupt Process",	1, 0, 0, 2, IP },
+    { "intp",	0,					1, 0, 0, 2, IP },
+    { "interrupt", 0,					1, 0, 0, 2, IP },
+    { "intr",	0,					1, 0, 0, 2, IP },
+    { "nop",	"Send Telnet 'No operation'",		1, 0, 0, 2, NOP },
+    { "eor",	"Send Telnet 'End of Record'",		1, 0, 0, 2, EOR },
+    { "abort",	"Send Telnet 'Abort Process'",		1, 0, 0, 2, ABORT },
+    { "susp",	"Send Telnet 'Suspend Process'",	1, 0, 0, 2, SUSP },
+    { "eof",	"Send Telnet End of File Character",	1, 0, 0, 2, xEOF },
+    { "synch",	"Perform Telnet 'Synch operation'",	1, 0, dosynch, 2, 0 },
+    { "getstatus", "Send request for STATUS",		1, 0, get_status, 6, 0 },
+    { "?",	"Display send options",			0, 0, send_help, 0, 0 },
+    { "help",	0,					0, 0, send_help, 0, 0 },
+    { "do",	0,					0, 1, send_docmd, 3, 0 },
+    { "dont",	0,					0, 1, send_dontcmd, 3, 0 },
+    { "will",	0,					0, 1, send_willcmd, 3, 0 },
+    { "wont",	0,					0, 1, send_wontcmd, 3, 0 },
+    { 0 }
+};
+
+#define	GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+				sizeof(struct sendlist)))
+
+static int
+sendcmd(int argc, char **argv)
+{
+    int count;		/* how many bytes we are going to need to send */
+    int i;
+    struct sendlist *s;	/* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+	printf("need at least one argument for 'send' command\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	s = GETSEND(argv[i]);
+	if (s == 0) {
+	    printf("Unknown send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	} else if (Ambiguous(s)) {
+	    printf("Ambiguous send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	}
+	if (i + s->narg >= argc) {
+	    fprintf(stderr,
+	    "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\r\n",
+		s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+	    return 0;
+	}
+	count += s->nbyte;
+	if (s->handler == send_help) {
+	    send_help();
+	    return 0;
+	}
+
+	i += s->narg;
+	needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+	printf("?Need to be connected first.\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /* Now, do we have enough room? */
+    if (NETROOM() < count) {
+	printf("There is not enough room in the buffer TO the network\r\n");
+	printf("to process your request.  Nothing will be done.\r\n");
+	printf("('send synch' will throw away most data in the network\r\n");
+	printf("buffer, if this might help.)\r\n");
+	return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	if ((s = GETSEND(argv[i])) == 0) {
+	    fprintf(stderr, "Telnet 'send' error - argument disappeared!\r\n");
+	    quit();
+	    /*NOTREACHED*/
+	}
+	if (s->handler) {
+	    count++;
+	    success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+				  (s->narg > 1) ? argv[i+2] : 0);
+	    i += s->narg;
+	} else {
+	    NET2ADD(IAC, s->what);
+	    printoption("SENT", IAC, s->what);
+	}
+    }
+    return (count == success);
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name);
+
+static int
+send_esc()
+{
+    NETADD(escape);
+    return 1;
+}
+
+static int
+send_docmd(char *name)
+{
+    return(send_tncmd(send_do, "do", name));
+}
+
+static int
+send_dontcmd(char *name)
+{
+    return(send_tncmd(send_dont, "dont", name));
+}
+
+static int
+send_willcmd(char *name)
+{
+    return(send_tncmd(send_will, "will", name));
+}
+
+static int
+send_wontcmd(char *name)
+{
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name)
+{
+    char **cpp;
+    extern char *telopts[];
+    int val = 0;
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+	int col, len;
+
+	printf("Usage: send %s <value|option>\r\n", cmd);
+	printf("\"value\" must be from 0 to 255\r\n");
+	printf("Valid options are:\r\n\t");
+
+	col = 8;
+	for (cpp = telopts; *cpp; cpp++) {
+	    len = strlen(*cpp) + 3;
+	    if (col + len > 65) {
+		printf("\r\n\t");
+		col = 8;
+	    }
+	    printf(" \"%s\"", *cpp);
+	    col += len;
+	}
+	printf("\r\n");
+	return 0;
+    }
+    cpp = genget(name, telopts, sizeof(char *));
+    if (Ambiguous(cpp)) {
+	fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	return 0;
+    }
+    if (cpp) {
+	val = cpp - telopts;
+    } else {
+	char *cp = name;
+
+	while (*cp >= '0' && *cp <= '9') {
+	    val *= 10;
+	    val += *cp - '0';
+	    cp++;
+	}
+	if (*cp != 0) {
+	    fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	} else if (val < 0 || val > 255) {
+	    fprintf(stderr, "'%s': bad value ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	}
+    }
+    if (!connected) {
+	printf("?Need to be connected first.\r\n");
+	return 0;
+    }
+    (*func)(val, 1);
+    return 1;
+}
+
+static int
+send_help()
+{
+    struct sendlist *s;	/* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+	if (s->help)
+	    printf("%-15s %s\r\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+static int
+lclchars()
+{
+    donelclchars = 1;
+    return 1;
+}
+
+static int
+togdebug()
+{
+#ifndef	NOT43
+    if (net > 0 &&
+	(SetSockOpt(net, SOL_SOCKET, SO_DEBUG, debug)) < 0) {
+	    perror("setsockopt (SO_DEBUG)");
+    }
+#else	/* NOT43 */
+    if (debug) {
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 0, 0) < 0)
+	    perror("setsockopt (SO_DEBUG)");
+    } else
+	printf("Cannot turn off socket debugging\r\n");
+#endif	/* NOT43 */
+    return 1;
+}
+
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+#include <krb.h>
+
+static int
+togkrbdebug(void)
+{
+    if(krb_debug)
+	krb_enable_debug();
+    else
+	krb_disable_debug();
+    return 1;
+}
+#endif
+
+static int
+togcrlf()
+{
+    if (crlf) {
+	printf("Will send carriage returns as telnet <CR><LF>.\r\n");
+    } else {
+	printf("Will send carriage returns as telnet <CR><NUL>.\r\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+static int
+togbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+	binmode = val;
+    } else {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+				my_want_state_is_do(TELOPT_BINARY)) {
+	    binmode = 1;
+	} else if (my_want_state_is_wont(TELOPT_BINARY) &&
+				my_want_state_is_dont(TELOPT_BINARY)) {
+	    binmode = 0;
+	}
+	val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+					my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already operating in binary mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating binary mode with remote host.\r\n");
+	    tel_enter_binary(3);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY) &&
+					my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already in network ascii mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode with remote host.\r\n");
+	    tel_leave_binary(3);
+	}
+    }
+    return 1;
+}
+
+static int
+togrbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already receiving in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on input.\r\n");
+	    tel_enter_binary(1);
+	}
+    } else {
+	if (my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already receiving in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on input.\r\n");
+	    tel_leave_binary(1);
+	}
+    }
+    return 1;
+}
+
+static int
+togxbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY)) {
+	    printf("Already transmitting in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on output.\r\n");
+	    tel_enter_binary(2);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    printf("Already transmitting in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on output.\r\n");
+	    tel_leave_binary(2);
+	}
+    }
+    return 1;
+}
+
+
+static int togglehelp (void);
+#if	defined(AUTHENTICATION)
+extern int auth_togdebug (int);
+#endif
+#if	defined(ENCRYPTION)
+extern int EncryptAutoEnc (int);
+extern int EncryptAutoDec (int);
+extern int EncryptDebug (int);
+extern int EncryptVerbose (int);
+#endif
+
+struct togglelist {
+    char	*name;		/* name of toggle */
+    char	*help;		/* help message */
+    int		(*handler)();	/* routine to do actual setting */
+    int		*variable;
+    char	*actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush",
+	"flushing of output when sending interrupt characters",
+	    0,
+		&autoflush,
+		    "flush output when sending interrupt characters" },
+    { "autosynch",
+	"automatic sending of interrupt characters in urgent mode",
+	    0,
+		&autosynch,
+		    "send interrupt characters in urgent mode" },
+#if	defined(AUTHENTICATION)
+    { "autologin",
+	"automatic sending of login and/or authentication info",
+	    0,
+		&autologin,
+		    "send login name and/or authentication information" },
+    { "authdebug",
+	"Toggle authentication debugging",
+	    auth_togdebug,
+		0,
+		     "print authentication debugging information" },
+#endif
+#if	defined(ENCRYPTION)
+    { "autoencrypt",
+	"automatic encryption of data stream",
+	    EncryptAutoEnc,
+		0,
+		    "automatically encrypt output" },
+    { "autodecrypt",
+	"automatic decryption of data stream",
+	    EncryptAutoDec,
+		0,
+		    "automatically decrypt input" },
+    { "verbose_encrypt",
+	"Toggle verbose encryption output",
+	    EncryptVerbose,
+		0,
+		    "print verbose encryption output" },
+    { "encdebug",
+	"Toggle encryption debugging",
+	    EncryptDebug,
+		0,
+		    "print encryption debugging information" },
+#endif
+    { "skiprc",
+	"don't read ~/.telnetrc file",
+	    0,
+		&skiprc,
+		    "skip reading of ~/.telnetrc file" },
+    { "binary",
+	"sending and receiving of binary data",
+	    togbinary,
+		0,
+		    0 },
+    { "inbinary",
+	"receiving of binary data",
+	    togrbinary,
+		0,
+		    0 },
+    { "outbinary",
+	"sending of binary data",
+	    togxbinary,
+		0,
+		    0 },
+    { "crlf",
+	"sending carriage returns as telnet <CR><LF>",
+	    togcrlf,
+		&crlf,
+		    0 },
+    { "crmod",
+	"mapping of received carriage returns",
+	    0,
+		&crmod,
+		    "map carriage return on output" },
+    { "localchars",
+	"local recognition of certain control characters",
+	    lclchars,
+		&localchars,
+		    "recognize certain control characters" },
+    { " ", "", 0 },		/* empty line */
+    { "debug",
+	"debugging",
+	    togdebug,
+		&debug,
+		    "turn on socket level debugging" },
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+    { "krb_debug",
+      "kerberos 4 debugging",
+      togkrbdebug,
+      &krb_debug,
+      "turn on kerberos 4 debugging" },
+#endif
+    { "netdata",
+	"printing of hexadecimal network data (debugging)",
+	    0,
+		&netdata,
+		    "print hexadecimal representation of network traffic" },
+    { "prettydump",
+	"output of \"netdata\" to user readable format (debugging)",
+	    0,
+		&prettydump,
+		    "print user readable output for \"netdata\"" },
+    { "options",
+	"viewing of options processing (debugging)",
+	    0,
+		&showoptions,
+		    "show option processing" },
+    { "termdata",
+	"(debugging) toggle printing of hexadecimal terminal data",
+	    0,
+		&termdata,
+		    "print hexadecimal representation of terminal traffic" },
+    { "?",
+	0,
+	    togglehelp },
+    { "help",
+	0,
+	    togglehelp },
+    { 0 }
+};
+
+static int
+togglehelp()
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s toggle %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    printf("\r\n");
+    printf("%-15s %s\r\n", "?", "display help information");
+    return 0;
+}
+
+static void
+settogglehelp(int set)
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s %s\r\n", c->name, set ? "enable" : "disable",
+						c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+#define	GETTOGGLE(name) (struct togglelist *) \
+		genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+static int
+toggle(int argc, char *argv[])
+{
+    int retval = 1;
+    char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'toggle' command.  'toggle ?' for help.\r\n");
+	return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	c = GETTOGGLE(name);
+	if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else {
+	    if (c->variable) {
+		*c->variable = !*c->variable;		/* invert it */
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler) {
+		retval &= (*c->handler)(-1);
+	    }
+	}
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+struct termios new_tc = { 0 };
+
+struct setlist {
+    char *name;				/* name */
+    char *help;				/* help information */
+    void (*handler)();
+    cc_t *charp;			/* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef	KLUDGELINEMODE
+    { "echo", 	"character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape",	"character to escape back to telnet command mode", 0, &escape },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "" },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, &termFlushChar },
+    { "interrupt", "character to cause an Interrupt Process", 0, &termIntChar },
+    { "quit",	"character to cause an Abort process", 0, &termQuitChar },
+    { "eof",	"character to cause an EOF ", 0, &termEofChar },
+    { " ", "" },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",	"character to use to erase a character", 0, &termEraseChar },
+    { "kill",	"character to use to erase a line", 0, &termKillChar },
+    { "lnext",	"character to use for literal next", 0, &termLiteralNextChar },
+    { "susp",	"character to cause a Suspend Process", 0, &termSuspChar },
+    { "reprint", "character to use for line reprint", 0, &termRprntChar },
+    { "worderase", "character to use to erase a word", 0, &termWerasChar },
+    { "start",	"character to use for XON", 0, &termStartChar },
+    { "stop",	"character to use for XOFF", 0, &termStopChar },
+    { "forw1",	"alternate end of line character", 0, &termForw1Char },
+    { "forw2",	"alternate end of line character", 0, &termForw2Char },
+    { "ayt",	"alternate AYT character", 0, &termAytChar },
+    { 0 }
+};
+
+static struct setlist *
+getset(char *name)
+{
+    return (struct setlist *)
+		genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+void
+set_escape_char(char *s)
+{
+	if (rlogin != _POSIX_VDISABLE) {
+		rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet rlogin escape character is '%s'.\r\n",
+					control(rlogin));
+	} else {
+		escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet escape character is '%s'.\r\n", control(escape));
+	}
+}
+
+static int
+setcmd(int argc, char *argv[])
+{
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(1);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+	c = GETTOGGLE(argv[1]);
+	if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	} else if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	}
+	if (c->variable) {
+	    if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+		*c->variable = 1;
+	    else if (strcmp("off", argv[2]) == 0)
+		*c->variable = 0;
+	    else {
+		printf("Format is 'set togglename [on|off]'\r\n'set ?' for help.\r\n");
+		return 0;
+	    }
+	    if (c->actionexplanation) {
+		printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+	    }
+	}
+	if (c->handler)
+	    (*c->handler)(1);
+    } else if (argc != 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    } else if (Ambiguous(ct)) {
+	fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	return 0;
+    } else if (ct->handler) {
+	(*ct->handler)(argv[2]);
+	printf("%s set to \"%s\".\r\n", ct->name, (char *)ct->charp);
+    } else {
+	if (strcmp("off", argv[2])) {
+	    value = special(argv[2]);
+	} else {
+	    value = _POSIX_VDISABLE;
+	}
+	*(ct->charp) = (cc_t)value;
+	printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+static int
+unsetcmd(int argc, char *argv[])
+{
+    struct setlist *ct;
+    struct togglelist *c;
+    char *name;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'unset' command.  'unset ?' for help.\r\n");
+	return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(0);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	ct = getset(name);
+	if (ct == 0) {
+	    c = GETTOGGLE(name);
+	    if (c == 0) {
+		fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    } else if (Ambiguous(c)) {
+		fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    }
+	    if (c->variable) {
+		*c->variable = 0;
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler)
+		(*c->handler)(0);
+	} else if (Ambiguous(ct)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+	    return 0;
+	} else if (ct->handler) {
+	    (*ct->handler)(0);
+	    printf("%s reset to \"%s\".\r\n", ct->name, (char *)ct->charp);
+	} else {
+	    *(ct->charp) = _POSIX_VDISABLE;
+	    printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+	}
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+
+static int
+dokludgemode(void)
+{
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+#endif
+
+static int
+dolinemode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+docharmode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+dolmmode(int bit, int on)
+{
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+	printf("?Need to have LINEMODE option enabled first.\r\n");
+	printf("'mode ?' for help.\r\n");
+ 	return 0;
+    }
+
+    if (on)
+	c = (linemode | bit);
+    else
+	c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+static int
+tn_setmode(int bit)
+{
+    return dolmmode(bit, 1);
+}
+
+static int
+tn_clearmode(int bit)
+{
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+	char	*name;		/* command name */
+	char	*help;		/* help string */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+	int	arg1;
+};
+
+static int modehelp(void);
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",	docharmode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or disable obsolete line-by-line mode)", 0 },
+#endif
+    { "line",	"Enable LINEMODE option",	dolinemode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or enable obsolete line-by-line mode)", 0 },
+#endif
+    { "", "", 0 },
+    { "",	"These require the LINEMODE option to be enabled", 0 },
+    { "isig",	"Enable signal trapping",	tn_setmode, 1, MODE_TRAPSIG },
+    { "+isig",	0,				tn_setmode, 1, MODE_TRAPSIG },
+    { "-isig",	"Disable signal trapping",	tn_clearmode, 1, MODE_TRAPSIG },
+    { "edit",	"Enable character editing",	tn_setmode, 1, MODE_EDIT },
+    { "+edit",	0,				tn_setmode, 1, MODE_EDIT },
+    { "-edit",	"Disable character editing",	tn_clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",	tn_setmode, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,				tn_setmode, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing",	tn_clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", tn_setmode, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,				tn_setmode, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", tn_clearmode, 1, MODE_LIT_ECHO },
+    { "help",	0,				modehelp, 0 },
+#ifdef	KLUDGELINEMODE
+    { "kludgeline", 0,				dokludgemode, 1 },
+#endif
+    { "", "", 0 },
+    { "?",	"Print help information",	modehelp, 0 },
+    { 0 },
+};
+
+
+static int
+modehelp(void)
+{
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\r\n\r\n");
+    for (mt = ModeList; mt->name; mt++) {
+	if (mt->help) {
+	    if (*mt->help)
+		printf("%-15s %s\r\n", mt->name, mt->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+#define	GETMODECMD(name) (struct modelist *) \
+		genget(name, (char **) ModeList, sizeof(struct modelist))
+
+static int
+modecmd(int argc, char **argv)
+{
+    struct modelist *mt;
+
+    if (argc != 2) {
+	printf("'mode' command requires an argument\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if ((mt = GETMODECMD(argv[1])) == 0) {
+	fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (Ambiguous(mt)) {
+	fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (mt->needconnect && !connected) {
+	printf("?Need to be connected first.\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if (mt->handler) {
+	return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+static int
+display(int argc, char *argv[])
+{
+    struct togglelist *tl;
+    struct setlist *sl;
+
+#define	dotog(tl)	if (tl->variable && tl->actionexplanation) { \
+			    if (*tl->variable) { \
+				printf("will"); \
+			    } else { \
+				printf("won't"); \
+			    } \
+			    printf(" %s.\r\n", tl->actionexplanation); \
+			}
+
+#define	doset(sl)   if (sl->name && *sl->name != ' ') { \
+			if (sl->handler == 0) \
+			    printf("%-15s [%s]\r\n", sl->name, control(*sl->charp)); \
+			else \
+			    printf("%-15s \"%s\"\r\n", sl->name, (char *)sl->charp); \
+		    }
+
+    if (argc == 1) {
+	for (tl = Togglelist; tl->name; tl++) {
+	    dotog(tl);
+	}
+	printf("\r\n");
+	for (sl = Setlist; sl->name; sl++) {
+	    doset(sl);
+	}
+    } else {
+	int i;
+
+	for (i = 1; i < argc; i++) {
+	    sl = getset(argv[i]);
+	    tl = GETTOGGLE(argv[i]);
+	    if (Ambiguous(sl) || Ambiguous(tl)) {
+		printf("?Ambiguous argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else if (!sl && !tl) {
+		printf("?Unknown argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else {
+		if (tl) {
+		    dotog(tl);
+		}
+		if (sl) {
+		    doset(sl);
+		}
+	    }
+	}
+    }
+/*@*/optionstatus();
+#if	defined(ENCRYPTION)
+    EncryptStatus();
+#endif
+    return 1;
+#undef	doset
+#undef	dotog
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+static int
+setescape(int argc, char *argv[])
+{
+	char *arg;
+	char buf[50];
+
+	printf(
+	    "Deprecated usage - please use 'set escape%s%s' in the future.\r\n",
+				(argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+	if (argc > 2)
+		arg = argv[1];
+	else {
+		printf("new escape character: ");
+		fgets(buf, sizeof(buf), stdin);
+		arg = buf;
+	}
+	if (arg[0] != '\0')
+		escape = arg[0];
+	printf("Escape character is '%s'.\r\n", control(escape));
+
+	fflush(stdout);
+	return 1;
+}
+
+static int
+togcrmod()
+{
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\r\n");
+    printf("%s map carriage return on output.\r\n", crmod ? "Will" : "Won't");
+    fflush(stdout);
+    return 1;
+}
+
+static int
+telnetsuspend()
+{
+#ifdef	SIGTSTP
+    setcommandmode();
+    {
+	long oldrows, oldcols, newrows, newcols, err;
+
+	err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+	kill(0, SIGTSTP);
+	/*
+	 * If we didn't get the window size before the SUSPEND, but we
+	 * can get them now (?), then send the NAWS to make sure that
+	 * we are set up for the right window size.
+	 */
+	if (TerminalWindowSize(&newrows, &newcols) && connected &&
+	    (err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		sendnaws();
+	}
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\r\n");
+#endif
+    return 1;
+}
+
+static int
+shell(int argc, char **argv)
+{
+    long oldrows, oldcols, newrows, newcols, err;
+
+    setcommandmode();
+
+    err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+    switch(fork()) {
+    case -1:
+	perror("Fork failed\r\n");
+	break;
+
+    case 0:
+	{
+	    /*
+	     * Fire up the shell in the child.
+	     */
+	    char *shellp, *shellname;
+
+	    shellp = getenv("SHELL");
+	    if (shellp == NULL)
+		shellp = "/bin/sh";
+	    if ((shellname = strrchr(shellp, '/')) == 0)
+		shellname = shellp;
+	    else
+		shellname++;
+	    if (argc > 1)
+		execl(shellp, shellname, "-c", &saveline[1], 0);
+	    else
+		execl(shellp, shellname, 0);
+	    perror("Execl");
+	    _exit(1);
+	}
+    default:
+	    wait((int *)0);	/* Wait for the shell to complete */
+
+	    if (TerminalWindowSize(&newrows, &newcols) && connected &&
+		(err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		    sendnaws();
+	    }
+	    break;
+    }
+    return 1;
+}
+
+static int
+bye(int argc, char **argv)
+{
+    extern int resettermname;
+
+    if (connected) {
+	shutdown(net, 2);
+	printf("Connection closed.\r\n");
+	NetClose(net);
+	connected = 0;
+	resettermname = 1;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif
+	/* reset options */
+	tninit();
+    }
+    if ((argc != 2) || (strcmp(argv[1], "fromquit") != 0)) 
+	longjmp(toplevel, 1);
+    return 0;	/* NOTREACHED */
+}
+
+int
+quit(void)
+{
+	call(bye, "bye", "fromquit", 0);
+	Exit(0);
+	return 0; /*NOTREACHED*/
+}
+
+static int
+logout()
+{
+	send_do(TELOPT_LOGOUT, 1);
+	netflush();
+	return 1;
+}
+
+
+/*
+ * The SLC command.
+ */
+
+struct slclist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	arg;
+};
+
+static void slc_help(void);
+
+struct slclist SlcList[] = {
+    { "export",	"Use local special character definitions",
+						slc_mode_export,	0 },
+    { "import",	"Use remote special character definitions",
+						slc_mode_import,	1 },
+    { "check",	"Verify remote special character definitions",
+						slc_mode_import,	0 },
+    { "help",	0,				slc_help,		0 },
+    { "?",	"Print help information",	slc_help,		0 },
+    { 0 },
+};
+
+static void
+slc_help(void)
+{
+    struct slclist *c;
+
+    for (c = SlcList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct slclist *
+getslc(char *name)
+{
+    return (struct slclist *)
+		genget(name, (char **) SlcList, sizeof(struct slclist));
+}
+
+static int
+slccmd(int argc, char **argv)
+{
+    struct slclist *c;
+
+    if (argc != 2) {
+	fprintf(stderr,
+	    "Need an argument to 'slc' command.  'slc ?' for help.\r\n");
+	return 0;
+    }
+    c = getslc(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    (*c->handler)(c->arg);
+    slcstate();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envlist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	narg;
+};
+
+static void env_help (void);
+
+struct envlist EnvList[] = {
+    { "define",	"Define an environment variable",
+						(void (*)())env_define,	2 },
+    { "undefine", "Undefine an environment variable",
+						env_undefine,	1 },
+    { "export",	"Mark an environment variable for automatic export",
+						env_export,	1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+						env_unexport,	1 },
+    { "send",	"Send an environment variable", env_send,	1 },
+    { "list",	"List the current environment variables",
+						env_list,	0 },
+    { "help",	0,				env_help,		0 },
+    { "?",	"Print help information",	env_help,		0 },
+    { 0 },
+};
+
+static void
+env_help()
+{
+    struct envlist *c;
+
+    for (c = EnvList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct envlist *
+getenvcmd(char *name)
+{
+    return (struct envlist *)
+		genget(name, (char **) EnvList, sizeof(struct envlist));
+}
+
+static int
+env_cmd(int argc, char **argv)
+{
+    struct envlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'environ' command.  'environ ?' for help.\r\n");
+	return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+struct env_lst {
+	struct env_lst *next;	/* pointer to next structure */
+	struct env_lst *prev;	/* pointer to previous structure */
+	unsigned char *var;	/* pointer to variable name */
+	unsigned char *value;	/* pointer to variable value */
+	int export;		/* 1 -> export with default list of variables */
+	int welldefined;	/* A well defined variable */
+};
+
+struct env_lst envlisthead;
+
+struct env_lst *
+env_find(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		if (strcmp((char *)ep->var, (char *)var) == 0)
+			return(ep);
+	}
+	return(NULL);
+}
+
+#if IRIX == 4
+#define environ _environ
+#endif
+
+void
+env_init(void)
+{
+	extern char **environ;
+	char **epp, *cp;
+	struct env_lst *ep;
+
+	for (epp = environ; *epp; epp++) {
+		if ((cp = strchr(*epp, '='))) {
+			*cp = '\0';
+			ep = env_define((unsigned char *)*epp,
+					(unsigned char *)cp+1);
+			ep->export = 0;
+			*cp = '=';
+		}
+	}
+	/*
+	 * Special case for DISPLAY variable.  If it is ":0.0" or
+	 * "unix:0.0", we have to get rid of "unix" and insert our
+	 * hostname.
+	 */
+	if ((ep = env_find("DISPLAY"))
+	    && (*ep->value == ':'
+	    || strncmp((char *)ep->value, "unix:", 5) == 0)) {
+		char hbuf[256+1];
+		char *cp2 = strchr((char *)ep->value, ':');
+
+		/* XXX - should be k_gethostname? */
+		gethostname(hbuf, 256);
+		hbuf[256] = '\0';
+
+		/* If this is not the full name, try to get it via DNS */
+		if (strchr(hbuf, '.') == 0) {
+			struct addrinfo hints, *ai, *a;
+			int error;
+
+			memset (&hints, 0, sizeof(hints));
+			hints.ai_flags = AI_CANONNAME;
+
+			error = getaddrinfo (hbuf, NULL, &hints, &ai);
+			if (error == 0) {
+				for (a = ai; a != NULL; a = a->ai_next)
+					if (a->ai_canonname != NULL) {
+						strlcpy (hbuf,
+							 ai->ai_canonname,
+							 256);
+						break;
+					}
+				freeaddrinfo (ai);
+			}
+		}
+
+		asprintf (&cp, "%s%s", hbuf, cp2);
+		free (ep->value);
+		ep->value = (unsigned char *)cp;
+	}
+	/*
+	 * If USER is not defined, but LOGNAME is, then add
+	 * USER with the value from LOGNAME.  By default, we
+	 * don't export the USER variable.
+	 */
+	if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+		env_define((unsigned char *)"USER", ep->value);
+		env_unexport((unsigned char *)"USER");
+	}
+	env_export((unsigned char *)"DISPLAY");
+	env_export((unsigned char *)"PRINTER");
+	env_export((unsigned char *)"XAUTHORITY");
+}
+
+struct env_lst *
+env_define(unsigned char *var, unsigned char *value)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+	} else {
+		ep = (struct env_lst *)malloc(sizeof(struct env_lst));
+		ep->next = envlisthead.next;
+		envlisthead.next = ep;
+		ep->prev = &envlisthead;
+		if (ep->next)
+			ep->next->prev = ep;
+	}
+	ep->welldefined = opt_welldefined((char *)var);
+	ep->export = 1;
+	ep->var = (unsigned char *)strdup((char *)var);
+	ep->value = (unsigned char *)strdup((char *)value);
+	return(ep);
+}
+
+void
+env_undefine(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		ep->prev->next = ep->next;
+		if (ep->next)
+			ep->next->prev = ep->prev;
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+		free(ep);
+	}
+}
+
+void
+env_export(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 1;
+}
+
+void
+env_unexport(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 0;
+}
+
+void
+env_send(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if (my_state_is_wont(TELOPT_NEW_ENVIRON)
+#ifdef	OLD_ENVIRON
+	    && my_state_is_wont(TELOPT_OLD_ENVIRON)
+#endif
+		) {
+		fprintf(stderr,
+		    "Cannot send '%s': Telnet ENVIRON option not enabled\r\n",
+									var);
+		return;
+	}
+	ep = env_find(var);
+	if (ep == 0) {
+		fprintf(stderr, "Cannot send '%s': variable not defined\r\n",
+									var);
+		return;
+	}
+	env_opt_start_info();
+	env_opt_add(ep->var);
+	env_opt_end(0);
+}
+
+void
+env_list(void)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
+					ep->var, ep->value);
+	}
+}
+
+unsigned char *
+env_default(int init, int welldefined)
+{
+	static struct env_lst *nep = NULL;
+
+	if (init) {
+		nep = &envlisthead;
+		return NULL;
+	}
+	if (nep) {
+		while ((nep = nep->next)) {
+			if (nep->export && (nep->welldefined == welldefined))
+				return(nep->var);
+		}
+	}
+	return(NULL);
+}
+
+unsigned char *
+env_getvalue(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		return(ep->value);
+	return(NULL);
+}
+
+
+#if	defined(AUTHENTICATION)
+/*
+ * The AUTHENTICATE command.
+ */
+
+struct authlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	narg;
+};
+
+static int
+	auth_help (void);
+
+struct authlist AuthList[] = {
+    { "status",	"Display current status of authentication information",
+						auth_status,	0 },
+    { "disable", "Disable an authentication type ('auth disable ?' for more)",
+						auth_disable,	1 },
+    { "enable", "Enable an authentication type ('auth enable ?' for more)",
+						auth_enable,	1 },
+    { "help",	0,				auth_help,		0 },
+    { "?",	"Print help information",	auth_help,		0 },
+    { 0 },
+};
+
+static int
+auth_help()
+{
+    struct authlist *c;
+
+    for (c = AuthList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+auth_cmd(int argc, char **argv)
+{
+    struct authlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'auth' command.  'auth ?' for help.\r\n");
+	return 0;
+    }
+
+    c = (struct authlist *)
+		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'auth %s' command.  'auth ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    return((*c->handler)(argv[2], argv[3]));
+}
+#endif
+
+
+#if	defined(ENCRYPTION)
+/*
+ * The ENCRYPT command.
+ */
+
+struct encryptlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	needconnect;
+	int	minarg;
+	int	maxarg;
+};
+
+static int
+	EncryptHelp (void);
+
+struct encryptlist EncryptList[] = {
+    { "enable", "Enable encryption. ('encrypt enable ?' for more)",
+						EncryptEnable, 1, 1, 2 },
+    { "disable", "Disable encryption. ('encrypt enable ?' for more)",
+						EncryptDisable, 0, 1, 2 },
+    { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+						EncryptType, 0, 1, 1 },
+    { "start", "Start encryption. ('encrypt start ?' for more)",
+						EncryptStart, 1, 0, 1 },
+    { "stop", "Stop encryption. ('encrypt stop ?' for more)",
+						EncryptStop, 1, 0, 1 },
+    { "input", "Start encrypting the input stream",
+						EncryptStartInput, 1, 0, 0 },
+    { "-input", "Stop encrypting the input stream",
+						EncryptStopInput, 1, 0, 0 },
+    { "output", "Start encrypting the output stream",
+						EncryptStartOutput, 1, 0, 0 },
+    { "-output", "Stop encrypting the output stream",
+						EncryptStopOutput, 1, 0, 0 },
+
+    { "status",	"Display current status of authentication information",
+						EncryptStatus,	0, 0, 0 },
+    { "help",	0,				EncryptHelp,	0, 0, 0 },
+    { "?",	"Print help information",	EncryptHelp,	0, 0, 0 },
+    { 0 },
+};
+
+static int
+EncryptHelp()
+{
+    struct encryptlist *c;
+
+    for (c = EncryptList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+encrypt_cmd(int argc, char **argv)
+{
+    struct encryptlist *c;
+
+    c = (struct encryptlist *)
+		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
+    if (c == 0) {
+        fprintf(stderr, "'%s': unknown argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    if (Ambiguous(c)) {
+        fprintf(stderr, "'%s': ambiguous argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    argc -= 2;
+    if (argc < c->minarg || argc > c->maxarg) {
+	if (c->minarg == c->maxarg) {
+	    fprintf(stderr, "Need %s%d argument%s ",
+		c->minarg < argc ? "only " : "", c->minarg,
+		c->minarg == 1 ? "" : "s");
+	} else {
+	    fprintf(stderr, "Need %s%d-%d arguments ",
+		c->maxarg < argc ? "only " : "", c->minarg, c->maxarg);
+	}
+	fprintf(stderr, "to 'encrypt %s' command.  'encrypt ?' for help.\r\n",
+		c->name);
+	return 0;
+    }
+    if (c->needconnect && !connected) {
+	if (!(argc && (isprefix(argv[2], "help") || isprefix(argv[2], "?")))) {
+	    printf("?Need to be connected first.\r\n");
+	    return 0;
+	}
+    }
+    return ((*c->handler)(argc > 0 ? argv[2] : 0,
+			argc > 1 ? argv[3] : 0,
+			argc > 2 ? argv[4] : 0));
+}
+#endif
+
+
+/*
+ * Print status about the connection.
+ */
+
+static int
+status(int argc, char **argv)
+{
+    if (connected) {
+	printf("Connected to %s.\r\n", hostname);
+	if ((argc < 2) || strcmp(argv[1], "notmuch")) {
+	    int mode = getconnmode();
+
+	    if (my_want_state_is_will(TELOPT_LINEMODE)) {
+		printf("Operating with LINEMODE option\r\n");
+		printf("%s line editing\r\n", (mode&MODE_EDIT) ? "Local" : "No");
+		printf("%s catching of signals\r\n",
+					(mode&MODE_TRAPSIG) ? "Local" : "No");
+		slcstate();
+#ifdef	KLUDGELINEMODE
+	    } else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+		printf("Operating in obsolete linemode\r\n");
+#endif
+	    } else {
+		printf("Operating in single character mode\r\n");
+		if (localchars)
+		    printf("Catching signals locally\r\n");
+	    }
+	    printf("%s character echo\r\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+	    if (my_want_state_is_will(TELOPT_LFLOW))
+		printf("%s flow control\r\n", (mode&MODE_FLOW) ? "Local" : "No");
+#if	defined(ENCRYPTION)
+	    encrypt_display();
+#endif
+	}
+    } else {
+	printf("No connection.\r\n");
+    }
+    printf("Escape character is '%s'.\r\n", control(escape));
+    fflush(stdout);
+    return 1;
+}
+
+#ifdef	SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+void
+ayt_status(int ignore)
+{
+    call(status, "status", "notmuch", 0);
+}
+#endif
+
+static Command *getcmd(char *name);
+
+static void
+cmdrc(char *m1, char *m2)
+{
+    static char rcname[128];
+    Command *c;
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[64];
+
+    if (skiprc)
+	return;
+
+    strlcpy(m1save, m1, sizeof(m1save));
+    m1 = m1save;
+
+    if (rcname[0] == 0) {
+	char *home = getenv("HOME");
+
+	snprintf (rcname, sizeof(rcname), "%s/.telnetrc",
+		  home ? home : "");
+    }
+
+    if ((rcfile = fopen(rcname, "r")) == 0) {
+	return;
+    }
+
+    for (;;) {
+	if (fgets(line, sizeof(line), rcfile) == NULL)
+	    break;
+	if (line[0] == 0)
+	    break;
+	if (line[0] == '#')
+	    continue;
+	if (gotmachine) {
+	    if (!isspace(line[0]))
+		gotmachine = 0;
+	}
+	if (gotmachine == 0) {
+	    if (isspace(line[0]))
+		continue;
+	    if (strncasecmp(line, m1, l1) == 0)
+		strncpy(line, &line[l1], sizeof(line) - l1);
+	    else if (strncasecmp(line, m2, l2) == 0)
+		strncpy(line, &line[l2], sizeof(line) - l2);
+	    else if (strncasecmp(line, "DEFAULT", 7) == 0)
+		strncpy(line, &line[7], sizeof(line) - 7);
+	    else
+		continue;
+	    if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+		continue;
+	    gotmachine = 1;
+	}
+	makeargv();
+	if (margv[0] == 0)
+	    continue;
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command: %s\r\n", margv[0]);
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command: %s\r\n", margv[0]);
+	    continue;
+	}
+	/*
+	 * This should never happen...
+	 */
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first for %s.\r\n", margv[0]);
+	    continue;
+	}
+	(*c->handler)(margc, margv);
+    }
+    fclose(rcfile);
+}
+
+int
+tn(int argc, char **argv)
+{
+    struct servent *sp = 0;
+    extern char *inet_ntoa();
+#if defined(IP_OPTIONS) && defined(IPPROTO_IP)
+    char *srp = 0;
+    int srlen;
+#endif
+    char *cmd, *hostp = 0, *portp = 0;
+    char *user = 0;
+    int port = 0;
+
+    /* clear the socket address prior to use */
+
+    if (connected) {
+	printf("?Already connected to %s\r\n", hostname);
+	setuid(getuid());
+	return 0;
+    }
+    if (argc < 2) {
+	strlcpy(line, "open ", sizeof(line));
+	printf("(to) ");
+	fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+	makeargv();
+	argc = margc;
+	argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+	if (strcmp(*argv, "help") == 0 || isprefix(*argv, "?"))
+	    goto usage;
+	if (strcmp(*argv, "-l") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    user = strdup(*argv++);
+	    --argc;
+	    continue;
+	}
+	if (strcmp(*argv, "-a") == 0) {
+	    --argc; ++argv;
+	    autologin = 1;
+	    continue;
+	}
+	if (hostp == 0) {
+	    hostp = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (portp == 0) {
+	    portp = *argv++;
+	    --argc;
+	    continue;
+	}
+    usage:
+	printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
+	setuid(getuid());
+	return 0;
+    }
+    if (hostp == 0)
+	goto usage;
+
+    if (portp) {
+	if (*portp == '-') {
+	    portp++;
+	    telnetport = 1;
+	} else
+	    telnetport = 0;
+	port = atoi(portp);
+	if (port == 0) {
+	    sp = roken_getservbyname(portp, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else {
+		printf("%s: bad port number\r\n", portp);
+		setuid(getuid());
+		return 0;
+	    }
+	} else {
+	    port = htons(port);
+	}
+    } else {
+	if (sp == 0) {
+	    sp = roken_getservbyname("telnet", "tcp");
+	    if (sp == 0) {
+		fprintf(stderr, "telnet: tcp/telnet: unknown service\r\n");
+		setuid(getuid());
+		return 0;
+	    }
+	    port = sp->s_port;
+	}
+	telnetport = 1;
+    }
+
+    {
+	struct addrinfo *ai, *a, hints;
+	int error;
+	char portstr[NI_MAXSERV];
+
+	memset (&hints, 0, sizeof(hints));
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+	hints.ai_flags    = AI_CANONNAME;
+
+	snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+	error = getaddrinfo (hostp, portstr, &hints, &ai);
+	if (error) {
+	    fprintf (stderr, "%s: %s\r\n", hostp, gai_strerror (error));
+	    setuid (getuid ());
+	    return 0;
+	}
+	strlcpy (_hostname, hostp, sizeof(_hostname));
+	hostname = _hostname;
+
+	for (a = ai; a != NULL && connected == 0; a = a->ai_next) {
+	    char addrstr[256];
+
+	    if (a->ai_canonname != NULL)
+		strlcpy (_hostname, a->ai_canonname, sizeof(_hostname));
+
+	    if (getnameinfo (a->ai_addr, a->ai_addrlen,
+			     addrstr, sizeof(addrstr),
+			     NULL, 0, NI_NUMERICHOST) != 0)
+		strlcpy (addrstr, "unknown address", sizeof(addrstr));
+			     
+	    printf("Trying %s...\r\n", addrstr);
+
+	    net = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	    setuid (getuid ());
+	    if (net < 0) {
+		warn ("telnet: socket");
+		continue;
+	    }
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP) && defined(HAVE_SETSOCKOPT)
+	    if (srp && setsockopt(net, IPPROTO_IP, IP_OPTIONS,
+				      (void *)srp, srlen) < 0)
+		perror("setsockopt (IP_OPTIONS)");
+#endif
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	    if (a->ai_family == AF_INET) {
+# if	defined(HAVE_GETTOSBYNAME)
+		struct tosent *tp;
+		if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+		    tos = tp->t_tos;
+# endif
+		if (tos < 0)
+		    tos = 020;	/* Low Delay bit */
+		if (tos
+		    && (setsockopt(net, IPPROTO_IP, IP_TOS,
+				   (void *)&tos, sizeof(int)) < 0)
+		    && (errno != ENOPROTOOPT))
+		    perror("telnet: setsockopt (IP_TOS) (ignored)");
+	    }
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+	    if (debug && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0) {
+		perror("setsockopt (SO_DEBUG)");
+	    }
+
+	    if (connect (net, a->ai_addr, a->ai_addrlen) < 0) {
+		fprintf (stderr, "telnet: connect to address %s: %s\n",
+			 addrstr, strerror(errno));
+		NetClose(net);
+		if (a->ai_next != NULL) {
+		    continue;
+		} else {
+		    freeaddrinfo (ai);
+		    return 0;
+		}
+	    }
+	    ++connected;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	    auth_encrypt_connect(connected);
+#endif
+	}
+    }
+    cmdrc(hostp, hostname);
+    if (autologin && user == NULL)
+	user = (char *)get_default_username ();
+    if (user) {
+	env_define((unsigned char *)"USER", (unsigned char *)user);
+	env_export((unsigned char *)"USER");
+    }
+    call(status, "status", "notmuch", 0);
+    if (setjmp(peerdied) == 0)
+	my_telnet((char *)user);
+    NetClose(net);
+    ExitString("Connection closed by foreign host.\r\n",1);
+    /*NOTREACHED*/
+    return 0;
+}
+
+#define HELPINDENT ((int)sizeof ("connect"))
+
+static char
+	openhelp[] =	"connect to a site",
+	closehelp[] =	"close current connection",
+	logouthelp[] =	"forcibly logout remote user and close the connection",
+	quithelp[] =	"exit telnet",
+	statushelp[] =	"print status information",
+	helphelp[] =	"print help information",
+	sendhelp[] =	"transmit special characters ('send ?' for more)",
+	sethelp[] = 	"set operating parameters ('set ?' for more)",
+	unsethelp[] = 	"unset operating parameters ('unset ?' for more)",
+	togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+	slchelp[] =	"change state of special charaters ('slc ?' for more)",
+	displayhelp[] =	"display operating parameters",
+#if	defined(AUTHENTICATION)
+	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+#endif
+#if	defined(ENCRYPTION)
+	encrypthelp[] =	"turn on (off) encryption ('encrypt ?' for more)",
+#endif
+	zhelp[] =	"suspend telnet",
+	shellhelp[] =	"invoke a subshell",
+	envhelp[] =	"change environment variables ('environ ?' for more)",
+	modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static int help(int argc, char **argv);
+
+static Command cmdtab[] = {
+	{ "close",	closehelp,	bye,		1 },
+	{ "logout",	logouthelp,	logout,		1 },
+	{ "display",	displayhelp,	display,	0 },
+	{ "mode",	modestring,	modecmd,	0 },
+	{ "open",	openhelp,	tn,		0 },
+	{ "quit",	quithelp,	quit,		0 },
+	{ "send",	sendhelp,	sendcmd,	0 },
+	{ "set",	sethelp,	setcmd,		0 },
+	{ "unset",	unsethelp,	unsetcmd,	0 },
+	{ "status",	statushelp,	status,		0 },
+	{ "toggle",	togglestring,	toggle,		0 },
+	{ "slc",	slchelp,	slccmd,		0 },
+#if	defined(AUTHENTICATION)
+	{ "auth",	authhelp,	auth_cmd,	0 },
+#endif
+#if	defined(ENCRYPTION)
+	{ "encrypt",	encrypthelp,	encrypt_cmd,	0 },
+#endif
+	{ "z",		zhelp,		telnetsuspend,	0 },
+	{ "!",		shellhelp,	shell,		0 },
+	{ "environ",	envhelp,	env_cmd,	0 },
+	{ "?",		helphelp,	help,		0 },
+	{ 0,            0,              0,              0 }
+};
+
+static char	crmodhelp[] =	"deprecated command -- use 'toggle crmod' instead";
+static char	escapehelp[] =	"deprecated command -- use 'set escape' instead";
+
+static Command cmdtab2[] = {
+	{ "help",	0,		help,		0 },
+	{ "escape",	escapehelp,	setescape,	0 },
+	{ "crmod",	crmodhelp,	togcrmod,	0 },
+	{ 0,            0,		0, 		0 }
+};
+
+
+/*
+ * Call routine with argc, argv set from args (terminated by 0).
+ */
+
+static int
+call(intrtn_t routine, ...)
+{
+    va_list ap;
+    char *args[100];
+    int argno = 0;
+
+    va_start(ap, routine);
+    while ((args[argno++] = va_arg(ap, char *)) != 0);
+    va_end(ap);
+    return (*routine)(argno-1, args);
+}
+
+
+static Command
+*getcmd(char *name)
+{
+    Command *cm;
+
+    if ((cm = (Command *) genget(name, (char **) cmdtab, sizeof(Command))))
+	return cm;
+    return (Command *) genget(name, (char **) cmdtab2, sizeof(Command));
+}
+
+void
+command(int top, char *tbuf, int cnt)
+{
+    Command *c;
+
+    setcommandmode();
+    if (!top) {
+	putchar('\n');
+    } else {
+	signal(SIGINT, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+    }
+    for (;;) {
+	if (rlogin == _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	if (tbuf) {
+	    char *cp;
+	    cp = line;
+	    while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+		cnt--;
+	    tbuf = 0;
+	    if (cp == line || *--cp != '\n' || cp == line)
+		goto getline;
+	    *cp = '\0';
+	    if (rlogin == _POSIX_VDISABLE)
+		printf("%s\r\n", line);
+	} else {
+	getline:
+	    if (rlogin != _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	    if (fgets(line, sizeof(line), stdin) == NULL) {
+		if (feof(stdin) || ferror(stdin)) {
+		    quit();
+		    /*NOTREACHED*/
+		}
+		break;
+	    }
+	}
+	if (line[0] == 0)
+	    break;
+	makeargv();
+	if (margv[0] == 0) {
+	    break;
+	}
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command\r\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\r\n");
+	    continue;
+	}
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first.\r\n");
+	    continue;
+	}
+	if ((*c->handler)(margc, margv)) {
+	    break;
+	}
+    }
+    if (!top) {
+	if (!connected) {
+	    longjmp(toplevel, 1);
+	    /*NOTREACHED*/
+	}
+	setconnmode(0);
+    }
+}
+
+/*
+ * Help command.
+ */
+static int
+help(int argc, char **argv)
+{
+	Command *c;
+
+	if (argc == 1) {
+		printf("Commands may be abbreviated.  Commands are:\r\n\r\n");
+		for (c = cmdtab; c->name; c++)
+			if (c->help) {
+				printf("%-*s\t%s\r\n", HELPINDENT, c->name,
+								    c->help);
+			}
+		return 0;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (Ambiguous(c))
+			printf("?Ambiguous help command %s\r\n", arg);
+		else if (c == (Command *)0)
+			printf("?Invalid help command %s\r\n", arg);
+		else
+			printf("%s\r\n", c->help);
+	}
+	return 0;
+}
+
+
+#if 0 /* XXX - broken */
+
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
+
+/*
+ * Source route is handed in as
+ *	[!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *	hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *	arg:	pointer to route list to decipher
+ *
+ *	cpp: 	If *cpp is not equal to NULL, this is a
+ *		pointer to a pointer to a character array
+ *		that should be filled in with the option.
+ *
+ *	lenp:	pointer to an integer that contains the
+ *		length of *cpp if *cpp != NULL.
+ *
+ * Return values:
+ *
+ *	Returns the address of the host to connect to.  If the
+ *	return value is -1, there was a syntax error in the
+ *	option, either unknown characters, or too many hosts.
+ *	If the return value is 0, one of the hostnames in the
+ *	path is unknown, and *cpp is set to point to the bad
+ *	hostname.
+ *
+ *	*cpp:	If *cpp was equal to NULL, it will be filled
+ *		in with a pointer to our static area that has
+ *		the option filled in.  This will be 32bit aligned.
+ *
+ *	*lenp:	This will be filled in with how long the option
+ *		pointed to by *cpp is.
+ *
+ */
+unsigned long
+sourceroute(char *arg, char **cpp, int *lenp)
+{
+	static char lsr[44];
+	char *cp, *cp2, *lsrp, *lsrep;
+	int tmp;
+	struct in_addr sin_addr;
+	struct hostent *host = 0;
+	char c;
+
+	/*
+	 * Verify the arguments, and make sure we have
+	 * at least 7 bytes for the option.
+	 */
+	if (cpp == NULL || lenp == NULL)
+		return((unsigned long)-1);
+	if (*cpp != NULL && *lenp < 7)
+		return((unsigned long)-1);
+	/*
+	 * Decide whether we have a buffer passed to us,
+	 * or if we need to use our own static buffer.
+	 */
+	if (*cpp) {
+		lsrp = *cpp;
+		lsrep = lsrp + *lenp;
+	} else {
+		*cpp = lsrp = lsr;
+		lsrep = lsrp + 44;
+	}
+
+	cp = arg;
+
+	/*
+	 * Next, decide whether we have a loose source
+	 * route or a strict source route, and fill in
+	 * the begining of the option.
+	 */
+	if (*cp == '!') {
+		cp++;
+		*lsrp++ = IPOPT_SSRR;
+	} else
+		*lsrp++ = IPOPT_LSRR;
+
+	if (*cp != '@')
+		return((unsigned long)-1);
+
+	lsrp++;		/* skip over length, we'll fill it in later */
+	*lsrp++ = 4;
+
+	cp++;
+
+	sin_addr.s_addr = 0;
+
+	for (c = 0;;) {
+		if (c == ':')
+			cp2 = 0;
+		else for (cp2 = cp; (c = *cp2); cp2++) {
+			if (c == ',') {
+				*cp2++ = '\0';
+				if (*cp2 == '@')
+					cp2++;
+			} else if (c == '@') {
+				*cp2++ = '\0';
+			} else if (c == ':') {
+				*cp2++ = '\0';
+			} else
+				continue;
+			break;
+		}
+		if (!c)
+			cp2 = 0;
+
+		if ((tmp = inet_addr(cp)) != -1) {
+			sin_addr.s_addr = tmp;
+		} else if ((host = roken_gethostbyname(cp))) {
+			memmove(&sin_addr,
+				host->h_addr_list[0],
+				sizeof(sin_addr));
+		} else {
+			*cpp = cp;
+			return(0);
+		}
+		memmove(lsrp, &sin_addr, 4);
+		lsrp += 4;
+		if (cp2)
+			cp = cp2;
+		else
+			break;
+		/*
+		 * Check to make sure there is space for next address
+		 */
+		if (lsrp + 4 > lsrep)
+			return((unsigned long)-1);
+	}
+	if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+		*cpp = 0;
+		*lenp = 0;
+		return((unsigned long)-1);
+	}
+	*lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+	*lenp = lsrp - *cpp;
+	return(sin_addr.s_addr);
+}
+#endif
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/defines.h b/crypto/heimdal/appl/telnet/telnet/defines.h
new file mode 100644
index 0000000..5c1ac2b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/defines.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defines.h	8.1 (Berkeley) 6/6/93
+ */
+
+#define	settimer(x)	clocks.x = clocks.system++
+
+#define	NETADD(c)	{ *netoring.supply = c; ring_supplied(&netoring, 1); }
+#define	NET2ADD(c1,c2)	{ NETADD(c1); NETADD(c2); }
+#define	NETBYTES()	(ring_full_count(&netoring))
+#define	NETROOM()	(ring_empty_count(&netoring))
+
+#define	TTYADD(c)	if (!(SYNCHing||flushout)) { \
+				*ttyoring.supply = c; \
+				ring_supplied(&ttyoring, 1); \
+			}
+#define	TTYBYTES()	(ring_full_count(&ttyoring))
+#define	TTYROOM()	(ring_empty_count(&ttyoring))
+
+/*	Various modes */
+#define	MODE_LOCAL_CHARS(m)	((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define	MODE_LOCAL_ECHO(m)	((m)&MODE_ECHO)
+#define	MODE_COMMAND_LINE(m)	((m)==-1)
+
+#define	CONTROL(x)	((x)&0x1f)		/* CTRL(x) is not portable */
+
+
+/* XXX extra mode bits, these should be synced with <arpa/telnet.h> */
+
+#define MODE_OUT8	0x8000 /* binary mode sans -opost */
diff --git a/crypto/heimdal/appl/telnet/telnet/externs.h b/crypto/heimdal/appl/telnet/telnet/externs.h
new file mode 100644
index 0000000..f8b1668
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/externs.h
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)externs.h	8.3 (Berkeley) 5/30/95
+ */
+
+/* $Id: externs.h,v 1.18 1998/07/09 23:16:36 assar Exp $ */
+
+#ifndef	BSD
+# define BSD 43
+#endif
+
+#ifndef	_POSIX_VDISABLE
+# ifdef sun
+#  include <sys/param.h>	/* pick up VDISABLE definition, mayby */
+# endif
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((cc_t)'\377')
+# endif
+#endif
+
+#define	SUBBUFSIZE	256
+
+extern int
+    autologin,		/* Autologin enabled */
+    skiprc,		/* Don't process the ~/.telnetrc file */
+    eight,		/* use eight bit mode (binary in and/or out */
+    binary,
+    flushout,		/* flush output */
+    connected,		/* Are we connected to the other side? */
+    globalmode,		/* Mode tty should be in */
+    telnetport,		/* Are we connected to the telnet port? */
+    localflow,		/* Flow control handled locally */
+    restartany,		/* If flow control, restart output on any character */
+    localchars,		/* we recognize interrupt/quit */
+    donelclchars,	/* the user has set "localchars" */
+    showoptions,
+    net,		/* Network file descriptor */
+    tin,		/* Terminal input file descriptor */
+    tout,		/* Terminal output file descriptor */
+    crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+    autoflush,		/* flush output when interrupting? */
+    autosynch,		/* send interrupt characters with SYNCH? */
+    SYNCHing,		/* Is the stream in telnet SYNCH mode? */
+    donebinarytoggle,	/* the user has put us in binary */
+    dontlecho,		/* do we suppress local echoing right now? */
+    crmod,
+    netdata,		/* Print out network data flow */
+    prettydump,		/* Print "netdata" output in user readable format */
+    termdata,		/* Print out terminal data flow */
+    debug;		/* Debug level */
+
+extern cc_t escape;	/* Escape to command mode */
+extern cc_t rlogin;	/* Rlogin mode escape character */
+#ifdef	KLUDGELINEMODE
+extern cc_t echoc;	/* Toggle local echoing */
+#endif
+
+extern char
+    *prompt;		/* Prompt for command. */
+
+extern char
+    doopt[],
+    dont[],
+    will[],
+    wont[],
+    options[],		/* All the little options */
+    *hostname;		/* Who are we connected to? */
+#if	defined(ENCRYPTION)
+extern void (*encrypt_output) (unsigned char *, int);
+extern int (*decrypt_input) (int);
+#endif
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		{options[opt] |= MY_STATE_DO;}
+#define	set_my_state_will(opt)		{options[opt] |= MY_STATE_WILL;}
+#define	set_my_want_state_do(opt)	{options[opt] |= MY_WANT_STATE_DO;}
+#define	set_my_want_state_will(opt)	{options[opt] |= MY_WANT_STATE_WILL;}
+
+#define	set_my_state_dont(opt)		{options[opt] &= ~MY_STATE_DO;}
+#define	set_my_state_wont(opt)		{options[opt] &= ~MY_STATE_WILL;}
+#define	set_my_want_state_dont(opt)	{options[opt] &= ~MY_WANT_STATE_DO;}
+#define	set_my_want_state_wont(opt)	{options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+
+extern FILE
+    *NetTrace;		/* Where debugging output goes */
+extern char
+    NetTraceFile[];	/* Name of file where debugging output goes */
+extern void
+    SetNetTrace (char *);	/* Function to change where debugging goes */
+
+extern jmp_buf
+    peerdied,
+    toplevel;		/* For error conditions. */
+
+/* authenc.c */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int telnet_net_write(unsigned char *str, int len);
+void net_encrypt(void);
+int telnet_spin(void);
+char *telnet_getenv(char *val);
+char *telnet_gets(char *prompt, char *result, int length, int echo);
+#endif
+
+/* commands.c */
+
+struct env_lst *env_define (unsigned char *, unsigned char *);
+struct env_lst *env_find(unsigned char *var);
+void env_init (void);
+void env_undefine (unsigned char *);
+void env_export (unsigned char *);
+void env_unexport (unsigned char *);
+void env_send (unsigned char *);
+void env_list (void);
+unsigned char * env_default(int init, int welldefined);
+unsigned char * env_getvalue(unsigned char *var);
+
+void set_escape_char(char *s);
+unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+
+#if	defined(AUTHENTICATION)
+int auth_enable (char *);
+int auth_disable (char *);
+int auth_status (void);
+#endif
+
+#if defined(ENCRYPTION)
+int 	EncryptEnable (char *, char *);
+int 	EncryptDisable (char *, char *);
+int 	EncryptType (char *, char *);
+int 	EncryptStart (char *);
+int 	EncryptStartInput (void);
+int 	EncryptStartOutput (void);
+int 	EncryptStop (char *);
+int 	EncryptStopInput (void);
+int 	EncryptStopOutput (void);
+int 	EncryptStatus (void);
+#endif
+
+#ifdef SIGINFO
+void ayt_status(int);
+#endif
+int tn(int argc, char **argv);
+void command(int top, char *tbuf, int cnt);
+
+/* main.c */
+
+void tninit(void);
+void usage(void);
+
+/* network.c */
+
+void init_network(void);
+int stilloob(void);
+void setneturg(void);
+int netflush(void);
+
+/* sys_bsd.c */
+
+void init_sys(void);
+int TerminalWrite(char *buf, int n);
+int TerminalRead(unsigned char *buf, int n);
+int TerminalAutoFlush(void);
+int TerminalSpecialChars(int c);
+void TerminalFlushOutput(void);
+void TerminalSaveState(void);
+void TerminalDefaultChars(void);
+void TerminalNewMode(int f);
+cc_t *tcval(int func);
+void TerminalSpeeds(long *input_speed, long *output_speed);
+int TerminalWindowSize(long *rows, long *cols);
+int NetClose(int fd);
+void NetNonblockingIO(int fd, int onoff);
+int process_rings(int netin, int netout, int netex, int ttyin, int ttyout,
+		  int poll);
+
+/* telnet.c */
+
+void init_telnet(void);
+
+void tel_leave_binary(int rw);
+void tel_enter_binary(int rw);
+int opt_welldefined(char *ep);
+int telrcv(void);
+int rlogin_susp(void);
+void intp(void);
+void sendbrk(void);
+void sendabort(void);
+void sendsusp(void);
+void sendeof(void);
+void sendayt(void);
+
+void xmitAO(void);
+void xmitEL(void);
+void xmitEC(void);
+
+
+void     Dump (char, unsigned char *, int);
+void     printoption (char *, int, int);
+void     printsub (int, unsigned char *, int);
+void     sendnaws (void);
+void     setconnmode (int);
+void     setcommandmode (void);
+void     setneturg (void);
+void     sys_telnet_init (void);
+void     my_telnet (char *);
+void     tel_enter_binary (int);
+void     TerminalFlushOutput (void);
+void     TerminalNewMode (int);
+void     TerminalRestoreState (void);
+void     TerminalSaveState (void);
+void     tninit (void);
+void     willoption (int);
+void     wontoption (int);
+
+
+void     send_do (int, int);
+void     send_dont (int, int);
+void     send_will (int, int);
+void     send_wont (int, int);
+
+void     lm_will (unsigned char *, int);
+void     lm_wont (unsigned char *, int);
+void     lm_do (unsigned char *, int);
+void     lm_dont (unsigned char *, int);
+void     lm_mode (unsigned char *, int, int);
+
+void     slc_init (void);
+void     slcstate (void);
+void     slc_mode_export (void);
+void     slc_mode_import (int);
+void     slc_import (int);
+void     slc_export (void);
+void     slc (unsigned char *, int);
+void     slc_check (void);
+void     slc_start_reply (void);
+void     slc_add_reply (unsigned char, unsigned char, cc_t);
+void     slc_end_reply (void);
+int	 slc_update (void);
+
+void     env_opt (unsigned char *, int);
+void     env_opt_start (void);
+void     env_opt_start_info (void);
+void     env_opt_add (unsigned char *);
+void     env_opt_end (int);
+
+unsigned char     *env_default (int, int);
+unsigned char     *env_getvalue (unsigned char *);
+
+int get_status (void);
+int dosynch (void);
+
+cc_t *tcval (int);
+
+int quit (void);
+
+/* terminal.c */
+
+void init_terminal(void);
+int ttyflush(int drop);
+int getconnmode(void);
+
+/* utilities.c */
+
+int SetSockOpt(int fd, int level, int option, int yesno);
+void SetNetTrace(char *file);
+void Dump(char direction, unsigned char *buffer, int length);
+void printoption(char *direction, int cmd, int option);
+void optionstatus(void);
+void printsub(int direction, unsigned char *pointer, int length);
+void EmptyTerminal(void);
+void SetForExit(void);
+void Exit(int returnCode);
+void ExitString(char *string, int returnCode);
+
+extern struct	termios new_tc;
+
+# define termEofChar		new_tc.c_cc[VEOF]
+# define termEraseChar		new_tc.c_cc[VERASE]
+# define termIntChar		new_tc.c_cc[VINTR]
+# define termKillChar		new_tc.c_cc[VKILL]
+# define termQuitChar		new_tc.c_cc[VQUIT]
+
+# ifndef	VSUSP
+extern cc_t termSuspChar;
+# else
+#  define termSuspChar		new_tc.c_cc[VSUSP]
+# endif
+# if	defined(VFLUSHO) && !defined(VDISCARD)
+#  define VDISCARD VFLUSHO
+# endif
+# ifndef	VDISCARD
+extern cc_t termFlushChar;
+# else
+#  define termFlushChar		new_tc.c_cc[VDISCARD]
+# endif
+# ifndef VWERASE
+extern cc_t termWerasChar;
+# else
+#  define termWerasChar		new_tc.c_cc[VWERASE]
+# endif
+# ifndef	VREPRINT
+extern cc_t termRprntChar;
+# else
+#  define termRprntChar		new_tc.c_cc[VREPRINT]
+# endif
+# ifndef	VLNEXT
+extern cc_t termLiteralNextChar;
+# else
+#  define termLiteralNextChar	new_tc.c_cc[VLNEXT]
+# endif
+# ifndef	VSTART
+extern cc_t termStartChar;
+# else
+#  define termStartChar		new_tc.c_cc[VSTART]
+# endif
+# ifndef	VSTOP
+extern cc_t termStopChar;
+# else
+#  define termStopChar		new_tc.c_cc[VSTOP]
+# endif
+# ifndef	VEOL
+extern cc_t termForw1Char;
+# else
+#  define termForw1Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VEOL2
+extern cc_t termForw2Char;
+# else
+#  define termForw2Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VSTATUS
+extern cc_t termAytChar;
+#else
+#  define termAytChar		new_tc.c_cc[VSTATUS]
+#endif
+
+/* Ring buffer structures which are shared */
+
+extern Ring
+    netoring,
+    netiring,
+    ttyoring,
+    ttyiring;
+
diff --git a/crypto/heimdal/appl/telnet/telnet/main.c b/crypto/heimdal/appl/telnet/telnet/main.c
new file mode 100644
index 0000000..ea60ae9
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/main.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+static char *copyright[] = {
+    "@(#) Copyright (c) 1988, 1990, 1993\n"
+    "\tThe Regents of the University of California.  All rights reserved.\n",
+    (char*)copyright
+};
+
+#include "telnet_locl.h"
+RCSID("$Id: main.c,v 1.30 1999/11/13 06:30:11 assar Exp $");
+
+/* These values need to be the same as defined in libtelnet/kerberos5.c */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+#if KRB5
+#define FORWARD
+#endif
+
+/*
+ * Initialize variables.
+ */
+void
+tninit(void)
+{
+    init_terminal();
+
+    init_network();
+
+    init_telnet();
+
+    init_sys();
+}
+
+void
+usage(void)
+{
+  fprintf(stderr, "Usage: %s %s%s%s%s\n", prompt,
+#ifdef	AUTHENTICATION
+	  "[-8] [-E] [-K] [-L] [-G] [-S tos] [-X atype] [-a] [-c] [-d] [-e char]",
+	  "\n\t[-k realm] [-l user] [-f/-F] [-n tracefile] ",
+#else
+	  "[-8] [-E] [-L] [-S tos] [-a] [-c] [-d] [-e char] [-l user]",
+	  "\n\t[-n tracefile]",
+#endif
+	  "[-r] ",
+#ifdef	ENCRYPTION
+	  "[-x] [host-name [port]]"
+#else
+	  "[host-name [port]]"
+#endif
+    );
+  exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+
+#ifdef	FORWARD
+extern int forward_flags;
+static int default_forward=0;
+#endif	/* FORWARD */
+
+#ifdef KRB5
+/* XXX ugly hack to setup dns-proxy stuff */
+#define Authenticator asn1_Authenticator
+#include <krb5.h>
+static void
+krb5_init(void)
+{
+    krb5_context context;
+    krb5_init_context(&context);
+
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forward", NULL)) {
+           forward_flags |= OPTS_FORWARD_CREDS;
+           default_forward=1;
+    }
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forwardable", NULL)) {
+           forward_flags |= OPTS_FORWARDABLE_CREDS;
+           default_forward=1;
+    }
+#endif
+#ifdef  ENCRYPTION
+    if (krb5_config_get_bool (context, NULL,
+        "libdefaults", "encrypt", NULL)) {
+          encrypt_auto(1);
+          decrypt_auto(1); 
+          EncryptVerbose(1);
+        }
+#endif
+
+    krb5_free_context(context);
+}
+#endif
+
+int
+main(int argc, char **argv)
+{
+	int ch;
+	char *user;
+
+#ifdef KRB5
+	krb5_init();
+#endif
+	
+	tninit();		/* Clear out things */
+
+	TerminalSaveState();
+
+	if ((prompt = strrchr(argv[0], '/')))
+		++prompt;
+	else
+		prompt = argv[0];
+
+	user = NULL;
+
+	rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+
+	/* 
+	 * if AUTHENTICATION and ENCRYPTION is set autologin will be
+	 * se to true after the getopt switch; unless the -K option is
+	 * passed 
+	 */
+	autologin = -1;
+
+	while((ch = getopt(argc, argv,
+			   "78DEKLS:X:abcde:fFk:l:n:rxG")) != -1) {
+		switch(ch) {
+		case '8':
+			eight = 3;	/* binary output and input */
+			break;
+		case '7':
+			eight = 0;
+			break;
+		case 'b':
+		    binary = 3;
+		    break;
+		case 'D': {
+		    /* sometimes we don't want a mangled display */
+		    char *p;
+		    if((p = getenv("DISPLAY")))
+			env_define("DISPLAY", (unsigned char*)p);
+		    break;
+		}
+		case 'E':
+			rlogin = escape = _POSIX_VDISABLE;
+			break;
+		case 'K':
+#ifdef	AUTHENTICATION
+			autologin = 0;
+#endif
+			break;
+		case 'L':
+			eight |= 2;	/* binary output only */
+			break;
+		case 'S':
+		    {
+#ifdef	HAVE_PARSETOS
+			extern int tos;
+
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				fprintf(stderr, "%s%s%s%s\n",
+					prompt, ": Bad TOS argument '",
+					optarg,
+					"; will try to use default TOS");
+#else
+			fprintf(stderr,
+			   "%s: Warning: -S ignored, no parsetos() support.\n",
+								prompt);
+#endif
+		    }
+			break;
+		case 'X':
+#ifdef	AUTHENTICATION
+			auth_disable_name(optarg);
+#endif
+			break;
+		case 'a':
+			autologin = 1;
+			break;
+		case 'c':
+			skiprc = 1;
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'e':
+			set_escape_char(optarg);
+			break;
+		case 'f':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -f ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'F':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+			forward_flags |= OPTS_FORWARDABLE_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -F ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'k':
+#if defined(AUTHENTICATION) && defined(KRB4)
+		    {
+			extern char *dest_realm, dst_realm_buf[];
+			extern int dst_realm_sz;
+			dest_realm = dst_realm_buf;
+			strlcpy(dest_realm, optarg, dst_realm_sz);
+		    }
+#else
+			fprintf(stderr,
+			   "%s: Warning: -k ignored, no Kerberos V4 support.\n",
+								prompt);
+#endif
+			break;
+		case 'l':
+		  if(autologin == 0){
+		    fprintf(stderr, "%s: Warning: -K ignored\n", prompt);
+		    autologin = -1;
+		  }
+			user = optarg;
+			break;
+		case 'n':
+				SetNetTrace(optarg);
+			break;
+		case 'r':
+			rlogin = '~';
+			break;
+		case 'x':
+#ifdef	ENCRYPTION
+			encrypt_auto(1);
+			decrypt_auto(1);
+			EncryptVerbose(1);
+#else
+			fprintf(stderr,
+			    "%s: Warning: -x ignored, no ENCRYPT support.\n",
+								prompt);
+#endif
+			break;
+		case 'G':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+                        forward_flags ^= OPTS_FORWARD_CREDS;
+                        forward_flags ^= OPTS_FORWARDABLE_CREDS;
+#else
+                        fprintf(stderr,
+                         "%s: Warning: -G ignored, no Kerberos V5 support.\n",
+                                prompt);
+#endif
+                        break;
+
+		case '?':
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	if (autologin == -1) {		/* esc@magic.fi; force  */
+#if defined(AUTHENTICATION)
+		autologin = 1;
+#endif
+#if defined(ENCRYPTION)
+		encrypt_auto(1);
+		decrypt_auto(1);
+#endif
+	}
+
+	if (autologin == -1)
+		autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc) {
+		char *args[7], **argp = args;
+
+		if (argc > 2)
+			usage();
+		*argp++ = prompt;
+		if (user) {
+			*argp++ = "-l";
+			*argp++ = user;
+		}
+		*argp++ = argv[0];		/* host */
+		if (argc > 1)
+			*argp++ = argv[1];	/* port */
+		*argp = 0;
+
+		if (setjmp(toplevel) != 0)
+			Exit(0);
+		if (tn(argp - args, args) == 1)
+			return (0);
+		else
+			return (1);
+	}
+	setjmp(toplevel);
+	for (;;) {
+			command(1, 0, 0);
+	}
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/network.c b/crypto/heimdal/appl/telnet/telnet/network.c
new file mode 100644
index 0000000..faacc30
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/network.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: network.c,v 1.10 1997/05/04 04:01:08 assar Exp $");
+
+Ring		netoring, netiring;
+unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
+
+/*
+ * Initialize internal network data structures.
+ */
+
+void
+init_network(void)
+{
+    if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) {
+	exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+int
+stilloob(void)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(net, &excepts);
+	value = select(net+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	perror("select");
+	quit();
+	/* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+
+/*
+ *  setneturg()
+ *
+ *	Sets "neturg" to the current location.
+ */
+
+void
+setneturg(void)
+{
+    ring_mark(&netoring);
+}
+
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ *
+ *		The return value indicates whether we did any
+ *	useful work.
+ */
+
+
+int
+netflush(void)
+{
+    int n, n1;
+
+#if	defined(ENCRYPTION)
+    if (encrypt_output)
+	ring_encrypt(&netoring, encrypt_output);
+#endif
+    if ((n1 = n = ring_full_consecutive(&netoring)) > 0) {
+	if (!ring_at_mark(&netoring)) {
+	    n = send(net, (char *)netoring.consume, n, 0); /* normal write */
+	} else {
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    n = send(net, (char *)netoring.consume, 1, MSG_OOB);/* URGENT data */
+	}
+    }
+    if (n < 0) {
+	if (errno != ENOBUFS && errno != EWOULDBLOCK) {
+	    setcommandmode();
+	    perror(hostname);
+	    NetClose(net);
+	    ring_clear_mark(&netoring);
+	    longjmp(peerdied, -1);
+	    /*NOTREACHED*/
+	}
+	n = 0;
+    }
+    if (netdata && n) {
+	Dump('>', netoring.consume, n);
+    }
+    if (n) {
+	ring_consumed(&netoring, n);
+	/*
+	 * If we sent all, and more to send, then recurse to pick
+	 * up the other half.
+	 */
+	if ((n1 == n) && ring_full_consecutive(&netoring)) {
+	    netflush();
+	}
+	return 1;
+    } else {
+	return 0;
+    }
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.c b/crypto/heimdal/appl/telnet/telnet/ring.c
new file mode 100644
index 0000000..597c79a
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/ring.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: ring.c,v 1.11 2000/02/06 05:15:21 assar Exp $");
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+
+/* Internal macros */
+
+#define	ring_subtract(d,a,b)	(((a)-(b) >= 0)? \
+					(a)-(b): (((a)-(b))+(d)->size))
+
+#define	ring_increment(d,a,c)	(((a)+(c) < (d)->top)? \
+					(a)+(c) : (((a)+(c))-(d)->size))
+
+#define	ring_decrement(d,a,c)	(((a)-(c) >= (d)->bottom)? \
+					(a)-(c) : (((a)-(c))-(d)->size))
+
+
+/*
+ * The following is a clock, used to determine full, empty, etc.
+ *
+ * There is some trickiness here.  Since the ring buffers are initialized
+ * to ZERO on allocation, we need to make sure, when interpreting the
+ * clock, that when the times are EQUAL, then the buffer is FULL.
+ */
+static u_long ring_clock = 0;
+
+
+#define	ring_empty(d) (((d)->consume == (d)->supply) && \
+				((d)->consumetime >= (d)->supplytime))
+#define	ring_full(d) (((d)->supply == (d)->consume) && \
+				((d)->supplytime > (d)->consumetime))
+
+
+
+
+
+/* Buffer state transition routines */
+
+int
+ring_init(Ring *ring, unsigned char *buffer, int count)
+{
+    memset(ring, 0, sizeof *ring);
+
+    ring->size = count;
+
+    ring->supply = ring->consume = ring->bottom = buffer;
+
+    ring->top = ring->bottom+ring->size;
+
+#if	defined(ENCRYPTION)
+    ring->clearto = 0;
+#endif
+
+    return 1;
+}
+
+/* Mark routines */
+
+/*
+ * Mark the most recently supplied byte.
+ */
+
+void
+ring_mark(Ring *ring)
+{
+    ring->mark = ring_decrement(ring, ring->supply, 1);
+}
+
+/*
+ * Is the ring pointing to the mark?
+ */
+
+int
+ring_at_mark(Ring *ring)
+{
+    if (ring->mark == ring->consume) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * Clear any mark set on the ring.
+ */
+
+void
+ring_clear_mark(Ring *ring)
+{
+    ring->mark = 0;
+}
+
+/*
+ * Add characters from current segment to ring buffer.
+ */
+void
+ring_supplied(Ring *ring, int count)
+{
+    ring->supply = ring_increment(ring, ring->supply, count);
+    ring->supplytime = ++ring_clock;
+}
+
+/*
+ * We have just consumed "c" bytes.
+ */
+void
+ring_consumed(Ring *ring, int count)
+{
+    if (count == 0)	/* don't update anything */
+	return;
+
+    if (ring->mark &&
+		(ring_subtract(ring, ring->mark, ring->consume) < count)) {
+	ring->mark = 0;
+    }
+#if	defined(ENCRYPTION)
+    if (ring->consume < ring->clearto &&
+		ring->clearto <= ring->consume + count)
+	ring->clearto = 0;
+    else if (ring->consume + count > ring->top &&
+		ring->bottom <= ring->clearto &&
+		ring->bottom + ((ring->consume + count) - ring->top))
+	ring->clearto = 0;
+#endif
+    ring->consume = ring_increment(ring, ring->consume, count);
+    ring->consumetime = ++ring_clock;
+    /*
+     * Try to encourage "ring_empty_consecutive()" to be large.
+     */
+    if (ring_empty(ring)) {
+	ring->consume = ring->supply = ring->bottom;
+    }
+}
+
+
+
+/* Buffer state query routines */
+
+
+/* Number of bytes that may be supplied */
+int
+ring_empty_count(Ring *ring)
+{
+    if (ring_empty(ring)) {	/* if empty */
+	    return ring->size;
+    } else {
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* number of CONSECUTIVE bytes that may be supplied */
+int
+ring_empty_consecutive(Ring *ring)
+{
+    if ((ring->consume < ring->supply) || ring_empty(ring)) {
+			    /*
+			     * if consume is "below" supply, or empty, then
+			     * return distance to the top
+			     */
+	return ring_subtract(ring, ring->top, ring->supply);
+    } else {
+				    /*
+				     * else, return what we may.
+				     */
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* Return the number of bytes that are available for consuming
+ * (but don't give more than enough to get to cross over set mark)
+ */
+
+int
+ring_full_count(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if (ring_full(ring)) {
+	    return ring->size;	/* nothing consumed, but full */
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	return ring_subtract(ring, ring->mark, ring->consume);
+    }
+}
+
+/*
+ * Return the number of CONSECUTIVE bytes available for consuming.
+ * However, don't return more than enough to cross over set mark.
+ */
+int
+ring_full_consecutive(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if ((ring->supply < ring->consume) || ring_full(ring)) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	if (ring->mark < ring->consume) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {	/* Else, distance to mark */
+	    return ring_subtract(ring, ring->mark, ring->consume);
+	}
+    }
+}
+
+/*
+ * Move data into the "supply" portion of of the ring buffer.
+ */
+void
+ring_supply_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_empty_consecutive(ring));
+	memmove(ring->supply, buffer, i);
+	ring_supplied(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+
+#ifdef notdef
+
+/*
+ * Move data from the "consume" portion of the ring buffer
+ */
+void
+ring_consume_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_full_consecutive(ring));
+	memmove(buffer, ring->consume, i);
+	ring_consumed(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+#endif
+
+#if	defined(ENCRYPTION)
+void
+ring_encrypt(Ring *ring, void (*encryptor)(unsigned char *, int))
+{
+    unsigned char *s, *c;
+
+    if (ring_empty(ring) || ring->clearto == ring->supply)
+	return;
+
+    if (!(c = ring->clearto))
+	c = ring->consume;
+
+    s = ring->supply;
+
+    if (s <= c) {
+	(*encryptor)(c, ring->top - c);
+	(*encryptor)(ring->bottom, s - ring->bottom);
+    } else
+	(*encryptor)(c, s - c);
+
+    ring->clearto = ring->supply;
+}
+
+void
+ring_clearto(Ring *ring)
+{
+    if (!ring_empty(ring))
+	ring->clearto = ring->supply;
+    else
+	ring->clearto = 0;
+}
+#endif
+
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.h b/crypto/heimdal/appl/telnet/telnet/ring.h
new file mode 100644
index 0000000..1644a96
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/ring.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ring.h	8.1 (Berkeley) 6/6/93
+ */
+
+/* $Id: ring.h,v 1.4 2000/02/06 05:15:47 assar Exp $ */
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+typedef struct {
+    unsigned char	*consume,	/* where data comes out of */
+			*supply,	/* where data comes in to */
+			*bottom,	/* lowest address in buffer */
+			*top,		/* highest address+1 in buffer */
+			*mark;		/* marker (user defined) */
+#if	defined(ENCRYPTION)
+    unsigned char	*clearto;	/* Data to this point is clear text */
+    unsigned char	*encryyptedto;	/* Data is encrypted to here */
+#endif
+    int		size;		/* size in bytes of buffer */
+    u_long	consumetime,	/* help us keep straight full, empty, etc. */
+		supplytime;
+} Ring;
+
+/* Here are some functions and macros to deal with the ring buffer */
+
+/* Initialization routine */
+extern int
+	ring_init (Ring *ring, unsigned char *buffer, int count);
+
+/* Data movement routines */
+extern void
+	ring_supply_data (Ring *ring, unsigned char *buffer, int count);
+#ifdef notdef
+extern void
+	ring_consume_data (Ring *ring, unsigned char *buffer, int count);
+#endif
+
+/* Buffer state transition routines */
+extern void
+	ring_supplied (Ring *ring, int count),
+	ring_consumed (Ring *ring, int count);
+
+/* Buffer state query routines */
+extern int
+	ring_empty_count (Ring *ring),
+	ring_empty_consecutive (Ring *ring),
+	ring_full_count (Ring *ring),
+	ring_full_consecutive (Ring *ring);
+
+#if	defined(ENCRYPTION)
+extern void
+	ring_encrypt (Ring *ring, void (*func)(unsigned char *, int)),
+	ring_clearto (Ring *ring);
+#endif
+
+extern int ring_at_mark(Ring *ring);
+
+extern void
+    ring_clear_mark(Ring *ring),
+    ring_mark(Ring *ring);
diff --git a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
new file mode 100644
index 0000000..334ef04
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
@@ -0,0 +1,972 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: sys_bsd.c,v 1.23 1998/06/09 19:24:46 joda Exp $");
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+int
+	tout,			/* Output file descriptor */
+	tin,			/* Input file descriptor */
+	net;
+
+struct	termios old_tc = { 0 };
+extern struct termios new_tc;
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#  define	cfgetospeed(ptr)	((ptr)->c_cflag&CBAUD)
+#  ifdef CIBAUD
+#   define	cfgetispeed(ptr)	(((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#  else
+#   define	cfgetispeed(ptr)	cfgetospeed(ptr)
+#  endif
+# endif /* TCSANOW */
+
+static fd_set ibits, obits, xbits;
+
+
+void
+init_sys(void)
+{
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+int
+TerminalWrite(char *buf, int n)
+{
+    return write(tout, buf, n);
+}
+
+int
+TerminalRead(unsigned char *buf, int n)
+{
+    return read(tin, buf, n);
+}
+
+/*
+ *
+ */
+
+int
+TerminalAutoFlush(void)
+{
+#if	defined(LNOFLSH)
+    int flush;
+
+    ioctl(0, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);	/* if LNOFLSH, no autoflush */
+#else	/* LNOFLSH */
+    return 1;
+#endif	/* LNOFLSH */
+}
+
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *	0	Don't add this character.
+ *	1	Do add this character
+ */
+
+int
+TerminalSpecialChars(int c)
+{
+    if (c == termIntChar) {
+	intp();
+	return 0;
+    } else if (c == termQuitChar) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return 0;
+    } else if (c == termEofChar) {
+	if (my_want_state_is_will(TELOPT_LINEMODE)) {
+	    sendeof();
+	    return 0;
+	}
+	return 1;
+    } else if (c == termSuspChar) {
+	sendsusp();
+	return(0);
+    } else if (c == termFlushChar) {
+	xmitAO();		/* Transmit Abort Output */
+	return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+	if (c == termKillChar) {
+	    xmitEL();
+	    return 0;
+	} else if (c == termEraseChar) {
+	    xmitEC();		/* Transmit Erase Character */
+	    return 0;
+	}
+    }
+    return 1;
+}
+
+
+/*
+ * Flush output to the terminal
+ */
+
+void
+TerminalFlushOutput(void)
+{
+#ifdef	TIOCFLUSH
+    ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+void
+TerminalSaveState(void)
+{
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef	VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef	VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+}
+
+cc_t*
+tcval(int func)
+{
+    switch(func) {
+    case SLC_IP:	return(&termIntChar);
+    case SLC_ABORT:	return(&termQuitChar);
+    case SLC_EOF:	return(&termEofChar);
+    case SLC_EC:	return(&termEraseChar);
+    case SLC_EL:	return(&termKillChar);
+    case SLC_XON:	return(&termStartChar);
+    case SLC_XOFF:	return(&termStopChar);
+    case SLC_FORW1:	return(&termForw1Char);
+    case SLC_FORW2:	return(&termForw2Char);
+# ifdef	VDISCARD
+    case SLC_AO:	return(&termFlushChar);
+# endif
+# ifdef	VSUSP
+    case SLC_SUSP:	return(&termSuspChar);
+# endif
+# ifdef	VWERASE
+    case SLC_EW:	return(&termWerasChar);
+# endif
+# ifdef	VREPRINT
+    case SLC_RP:	return(&termRprntChar);
+# endif
+# ifdef	VLNEXT
+    case SLC_LNEXT:	return(&termLiteralNextChar);
+# endif
+# ifdef	VSTATUS
+    case SLC_AYT:	return(&termAytChar);
+# endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+	return((cc_t *)0);
+    }
+}
+
+void
+TerminalDefaultChars(void)
+{
+    memmove(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+# ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+# endif
+# ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+# endif
+# ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+# endif
+# ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+# endif
+# ifndef	VSTART
+    termStartChar = CONTROL('Q');
+# endif
+# ifndef	VSTOP
+    termStopChar = CONTROL('S');
+# endif
+# ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+# endif
+}
+
+#ifdef notdef
+void
+TerminalRestoreState()
+{
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *	MODE_ECHO: do local terminal echo
+ *	MODE_FLOW: do local flow control
+ *	MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *	MODE_EDIT: do local line editing
+ *
+ *	Command mode:
+ *		MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *		local echo
+ *		local editing
+ *		local xon/xoff
+ *		local signal mapping
+ *
+ *	Linemode:
+ *		local/no editing
+ *	Both Linemode and Single Character mode:
+ *		local/remote echo
+ *		local/no xon/xoff
+ *		local/no signal mapping
+ */
+
+
+#ifdef	SIGTSTP
+static RETSIGTYPE susp();
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+static RETSIGTYPE ayt();
+#endif
+
+void
+TerminalNewMode(int f)
+{
+    static int prevmode = 0;
+    struct termios tmp_tc;
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+	return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+	tcgetattr(tin, &tmp_tc);
+	do {
+	    /*
+	     * Wait for data to drain, then flush again.
+	     */
+	    tcsetattr(tin, TCSADRAIN, &tmp_tc);
+	    old = ttyflush(SYNCHing|flushout);
+	} while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+    tmp_tc = new_tc;
+
+    if (f&MODE_ECHO) {
+	tmp_tc.c_lflag |= ECHO;
+	tmp_tc.c_oflag |= ONLCR;
+	if (crlf)
+		tmp_tc.c_iflag |= ICRNL;
+    } else {
+	tmp_tc.c_lflag &= ~ECHO;
+	tmp_tc.c_oflag &= ~ONLCR;
+# ifdef notdef
+	if (crlf)
+		tmp_tc.c_iflag &= ~ICRNL;
+# endif
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+	tmp_tc.c_iflag &= ~(IXOFF|IXON);	/* Leave the IXANY bit alone */
+    } else {
+	if (restartany < 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON;	/* Leave the IXANY bit alone */
+	} else if (restartany > 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON|IXANY;
+	} else {
+		tmp_tc.c_iflag |= IXOFF|IXON;
+		tmp_tc.c_iflag &= ~IXANY;
+	}
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+	tmp_tc.c_lflag &= ~ISIG;
+	localchars = 0;
+    } else {
+	tmp_tc.c_lflag |= ISIG;
+	localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+	tmp_tc.c_lflag |= ICANON;
+    } else {
+	tmp_tc.c_lflag &= ~ICANON;
+	tmp_tc.c_iflag &= ~ICRNL;
+	tmp_tc.c_cc[VMIN] = 1;
+	tmp_tc.c_cc[VTIME] = 0;
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+# ifdef VLNEXT
+	tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+# endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+# ifdef	OXTABS
+	tmp_tc.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+	tmp_tc.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	tmp_tc.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+# endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag &= ~ECHOCTL;
+# endif
+    } else {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag |= ECHOCTL;
+# endif
+    }
+
+    if (f == -1) {
+	onoff = 0;
+    } else {
+	if (f & MODE_INBIN)
+		tmp_tc.c_iflag &= ~ISTRIP;
+	else
+		tmp_tc.c_iflag |= ISTRIP;
+	if ((f & MODE_OUTBIN) || (f & MODE_OUT8)) {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= CS8;
+		if(f & MODE_OUTBIN)
+		    tmp_tc.c_oflag &= ~OPOST;
+		else
+		    tmp_tc.c_oflag |= OPOST;
+	} else {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+		tmp_tc.c_oflag |= OPOST;
+	}
+	onoff = 1;
+    }
+
+    if (f != -1) {
+
+#ifdef	SIGTSTP
+	signal(SIGTSTP, susp);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	signal(SIGINFO, ayt);
+#endif
+#ifdef NOKERNINFO
+	tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+	/*
+	 * We don't want to process ^Y here.  It's just another
+	 * character that we'll pass on to the back end.  It has
+	 * to process it because it will be processed when the
+	 * user attempts to read it, not when we send it.
+	 */
+# ifdef	VDSUSP
+	tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+# endif
+	/*
+	 * If the VEOL character is already set, then use VEOL2,
+	 * otherwise use VEOL.
+	 */
+	esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escape;
+	if ((tmp_tc.c_cc[VEOL] != esc)
+# ifdef	VEOL2
+	    && (tmp_tc.c_cc[VEOL2] != esc)
+# endif
+	    ) {
+		if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL] = esc;
+# ifdef	VEOL2
+		else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL2] = esc;
+# endif
+	}
+    } else {
+        sigset_t sm;
+#ifdef	SIGINFO
+	RETSIGTYPE ayt_status();
+
+	signal(SIGINFO, ayt_status);
+#endif
+#ifdef	SIGTSTP
+	signal(SIGTSTP, SIG_DFL);
+	sigemptyset(&sm);
+	sigaddset(&sm, SIGTSTP);
+	sigprocmask(SIG_UNBLOCK, &sm, NULL);
+#endif	/* SIGTSTP */
+	tmp_tc = old_tc;
+    }
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+	tcsetattr(tin, TCSANOW, &tmp_tc);
+
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+#ifndef	B7200
+#define B7200   B4800
+#endif
+
+#ifndef	B14400
+#define B14400  B9600
+#endif
+
+#ifndef	B19200
+# define B19200 B14400
+#endif
+
+#ifndef	B28800
+#define B28800  B19200
+#endif
+
+#ifndef	B38400
+# define B38400 B28800
+#endif
+
+#ifndef B57600
+#define B57600  B38400
+#endif
+
+#ifndef B76800
+#define B76800  B57600
+#endif
+
+#ifndef B115200
+#define B115200 B76800
+#endif
+
+#ifndef B230400
+#define B230400 B115200
+#endif
+
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+	long speed;
+	long value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },   { 7200,  B7200 },  { 9600,   B9600 },
+	{ 14400,  B14400 },  { 19200, B19200 }, { 28800,  B28800 },
+	{ 38400,  B38400 },  { 57600, B57600 }, { 115200, B115200 },
+	{ 230400, B230400 }, { -1,    B230400 }
+};
+#endif	/* DECODE_BAUD */
+
+void
+TerminalSpeeds(long *input_speed, long *output_speed)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+#endif	/* DECODE_BAUD */
+    long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+	in = out;
+
+#ifdef	DECODE_BAUD
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+	tp++;
+    *input_speed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+	tp++;
+    *output_speed = tp->speed;
+#else	/* DECODE_BAUD */
+	*input_speed = in;
+	*output_speed = out;
+#endif	/* DECODE_BAUD */
+}
+
+int
+TerminalWindowSize(long *rows, long *cols)
+{
+    struct winsize ws;
+
+    if (get_window_size (STDIN_FILENO, &ws) == 0) {
+	*rows = ws.ws_row;
+	*cols = ws.ws_col;
+	return 1;
+    } else
+	return 0;
+}
+
+int
+NetClose(int fd)
+{
+    return close(fd);
+}
+
+
+void
+NetNonblockingIO(int fd, int onoff)
+{
+    ioctl(fd, FIONBIO, (char *)&onoff);
+}
+
+
+/*
+ * Various signal handling routines.
+ */
+
+static RETSIGTYPE deadpeer(int),
+  intr(int), intr2(int), susp(int), sendwin(int);
+#ifdef SIGINFO
+static RETSIGTYPE ayt(int);
+#endif
+  
+
+    /* ARGSUSED */
+static RETSIGTYPE
+deadpeer(int sig)
+{
+	setcommandmode();
+	longjmp(peerdied, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr(int sig)
+{
+    if (localchars) {
+	intp();
+	return;
+    }
+    setcommandmode();
+    longjmp(toplevel, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr2(int sig)
+{
+    if (localchars) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return;
+    }
+}
+
+#ifdef	SIGTSTP
+    /* ARGSUSED */
+static RETSIGTYPE
+susp(int sig)
+{
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+	return;
+    if (localchars)
+	sendsusp();
+}
+#endif
+
+#ifdef	SIGWINCH
+    /* ARGSUSED */
+static RETSIGTYPE
+sendwin(int sig)
+{
+    if (connected) {
+	sendnaws();
+    }
+}
+#endif
+
+#ifdef	SIGINFO
+    /* ARGSUSED */
+static RETSIGTYPE
+ayt(int sig)
+{
+    if (connected)
+	sendayt();
+    else
+	ayt_status(sig);
+}
+#endif
+
+
+void
+sys_telnet_init(void)
+{
+    signal(SIGINT, intr);
+    signal(SIGQUIT, intr2);
+    signal(SIGPIPE, deadpeer);
+#ifdef	SIGWINCH
+    signal(SIGWINCH, sendwin);
+#endif
+#ifdef	SIGTSTP
+    signal(SIGTSTP, susp);
+#endif
+#ifdef	SIGINFO
+    signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    NetNonblockingIO(net, 1);
+
+
+#if	defined(SO_OOBINLINE)
+    if (SetSockOpt(net, SOL_SOCKET, SO_OOBINLINE, 1) == -1) {
+	perror("SetSockOpt");
+    }
+#endif	/* defined(SO_OOBINLINE) */
+}
+
+/*
+ * Process rings -
+ *
+ *	This routine tries to fill up/empty our various rings.
+ *
+ *	The parameter specifies whether this is a poll operation,
+ *	or a block-until-something-happens operation.
+ *
+ *	The return value is 1 if something happened, 0 if not.
+ */
+
+int
+process_rings(int netin,
+	      int netout,
+	      int netex,
+	      int ttyin,
+	      int ttyout,
+	      int poll) /* If 0, then block until something to do */
+{
+    int c;
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0 };
+
+    if (netout) {
+	FD_SET(net, &obits);
+    }
+    if (ttyout) {
+	FD_SET(tout, &obits);
+    }
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#if !defined(SO_OOBINLINE)
+    if (netex) {
+	FD_SET(net, &xbits);
+    }
+#endif
+    if ((c = select(16, &ibits, &obits, &xbits,
+			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+	if (c == -1) {
+		    /*
+		     * we can get EINTR if we are in line mode,
+		     * and the user does an escape (TSTP), or
+		     * some other signal generator.
+		     */
+	    if (errno == EINTR) {
+		return 0;
+	    }
+		    /* I don't like this, does it ever happen? */
+	    printf("sleep(5) from telnet, after select\r\n");
+	    sleep(5);
+	}
+	return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+	FD_CLR(net, &xbits);
+	SYNCHing = 1;
+	ttyflush(1);	/* flush already enqueued data */
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+	int canread;
+
+	FD_CLR(net, &ibits);
+	canread = ring_empty_consecutive(&netiring);
+#if	!defined(SO_OOBINLINE)
+	    /*
+	     * In 4.2 (and some early 4.3) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	if (SYNCHing) {
+	    int atmark;
+	    static int bogus_oob = 0, first = 1;
+
+	    ioctl(net, SIOCATMARK, (char *)&atmark);
+	    if (atmark) {
+		c = recv(net, netiring.supply, canread, MSG_OOB);
+		if ((c == -1) && (errno == EINVAL)) {
+		    c = recv(net, netiring.supply, canread, 0);
+		    if (clocks.didnetreceive < clocks.gotDM) {
+			SYNCHing = stilloob();
+		    }
+		} else if (first && c > 0) {
+		    /*
+		     * Bogosity check.  Systems based on 4.2BSD
+		     * do not return an error if you do a second
+		     * recv(MSG_OOB).  So, we do one.  If it
+		     * succeeds and returns exactly the same
+		     * data, then assume that we are running
+		     * on a broken system and set the bogus_oob
+		     * flag.  (If the data was different, then
+		     * we probably got some valid new data, so
+		     * increment the count...)
+		     */
+		    int i;
+		    i = recv(net, netiring.supply + c, canread - c, MSG_OOB);
+		    if (i == c &&
+			 memcmp(netiring.supply, netiring.supply + c, i) == 0) {
+			bogus_oob = 1;
+			first = 0;
+		    } else if (i < 0) {
+			bogus_oob = 0;
+			first = 0;
+		    } else
+			c += i;
+		}
+		if (bogus_oob && c > 0) {
+		    int i;
+		    /*
+		     * Bogosity.  We have to do the read
+		     * to clear the atmark to get out of
+		     * an infinate loop.
+		     */
+		    i = read(net, netiring.supply + c, canread - c);
+		    if (i > 0)
+			c += i;
+		}
+	    } else {
+		c = recv(net, netiring.supply, canread, 0);
+	    }
+	} else {
+	    c = recv(net, netiring.supply, canread, 0);
+	}
+	settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE) */
+	c = recv(net, (char *)netiring.supply, canread, 0);
+#endif	/* !defined(SO_OOBINLINE) */
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else if (c <= 0) {
+	    return -1;
+	}
+	if (netdata) {
+	    Dump('<', netiring.supply, c);
+	}
+	if (c)
+	    ring_supplied(&netiring, c);
+	returnValue = 1;
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+	FD_CLR(tin, &ibits);
+	c = TerminalRead(ttyiring.supply, ring_empty_consecutive(&ttyiring));
+	if (c < 0 && errno == EIO)
+	    c = 0;
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else {
+	    /* EOF detection for line mode!!!! */
+	    if ((c == 0) && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+			/* must be an EOF... */
+		*ttyiring.supply = termEofChar;
+		c = 1;
+	    }
+	    if (c <= 0) {
+		return -1;
+	    }
+	    if (termdata) {
+		Dump('<', ttyiring.supply, c);
+	    }
+	    ring_supplied(&ttyiring, c);
+	}
+	returnValue = 1;		/* did something useful */
+    }
+
+    if (FD_ISSET(net, &obits)) {
+	FD_CLR(net, &obits);
+	returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+	FD_CLR(tout, &obits);
+	returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    return returnValue;
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.1 b/crypto/heimdal/appl/telnet/telnet/telnet.1
new file mode 100644
index 0000000..2b3198e
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.1
@@ -0,0 +1,1369 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnet.1	8.6 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNET 1
+.Os BSD 4.2
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 78EFKLacdfrx
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used to communicate with another host using the 
+.Tn TELNET
+protocol.
+If
+.Nm telnet
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Nm telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Specifies an 8-bit data path.  This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl 7
+Do not try to negotiate
+.Dv TELNET BINARY
+option.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the
+BINARY option to be negotiated on output.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the /etc/iptos file.
+.It Fl X Ar atype 
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file.  (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE
+.It Fl e Ar escape char 
+Sets the initial
+.Nm
+.Nm telnet
+escape character to
+.Ar escape char.
+If
+.Ar escape char
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.ne 1i
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that telnet obtain tickets for the remote host in
+realm realm instead of the remote host's realm, as determined
+by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user 
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable USER.
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile 
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the -e option.
+.It Fl x
+Turns on encryption of the data stream if possible. This is 
+currently the default and when it fails a warning is issued.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+.It Ar port
+Indicates a port number (address of an application).  If a number is
+not specified, the default
+.Nm telnet
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~.  disconnects from the
+remote host; ~ is the telnet escape character.
+Similarly, the line ~^Z suspends the telnet session.
+The line ~^] escapes to the normal telnet escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+While connected to a remote host,
+.Nm telnet
+command mode may be entered by typing the
+.Nm telnet
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm telnet
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode  ,
+.Ic set ,
+.Ic toggle  ,
+.Ic unset ,
+.Ic slc  ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option.  Valid arguments for the
+auth command are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable \&?
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable \&?
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ... 
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the encrypt command are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Ic [input|output]
+Disables the specified type of encryption.  If you
+omit the input and output, both input and output
+are disabled.  To obtain a list of available
+types, use the
+.Ic encrypt disable \&?
+command.
+.It Ic enable Ar type Ic [input|output]
+Enables the specified type of encryption.  If you
+omit input and output, both input and output are
+enabled.  To obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Ic [input|output]
+Attempts to start encryption.  If you omit
+.Ic input
+and
+.Ic output,
+both input and output are enabled.  To
+obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Ic [input|output]
+Stops encryption.  If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments... 
+The
+.Ic environ
+command is used to manipulate the
+the variables that my be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.br
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value.
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable 
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable 
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic \&?
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.ne 1i
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic \&?
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Oo Op Fl l
+.Ar user
+.Oc Ns Oo Fl
+.Ar port Oc
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm telnet
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts  5  )
+or an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) .
+The
+.Op Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm telnet
+omits any automatic initiation of
+.Tn TELNET
+options.  When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened.  Lines beginning with a # are
+comment lines.  Blank lines are ignored.  Lines that begin
+without white space are the start of a machine entry.  The
+first thing on the line is the name of the machine that is
+being connected to.  The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm telnet
+commands and are processed as if they had been typed
+in manually to the
+.Nm telnet
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm telnet  .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments 
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.ne 1i
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic \&?
+to print out help information, including
+a list of known symbolic names.
+.It Ic \&?
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host.  The initial value for the "Are You There"
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Tn TELNET
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "."  closes the connection; when followed by a ^Z it
+suspends the telnet command.  The initial state is to
+disable the rlogin escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.ne 1i
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic \&?
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic \&?
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet  .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.sp
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Tn TELNET
+attempts to use it to perform automatic authentication.  If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Ar a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user  ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof and
+.B suspend
+are sent as
+.Ic eof and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.ne 1i
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Tn TELNET
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn TELNET
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened.  The initial
+value for this toggle is
+.Dv FALSE.
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE.
+Note:  Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic \&? Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.c b/crypto/heimdal/appl/telnet/telnet/telnet.c
new file mode 100644
index 0000000..792f018
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.c
@@ -0,0 +1,2321 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+#ifdef HAVE_TERMCAP_H
+#include <termcap.h>
+#endif
+
+RCSID("$Id: telnet.c,v 1.27 2000/01/01 11:53:24 assar Exp $");
+
+#define	strip(x) (eight ? (x) : ((x) & 0x7f))
+
+static unsigned char	subbuffer[SUBBUFSIZE],
+			*subpointer, *subend;	 /* buffer for sub-options */
+#define	SB_CLEAR()	subpointer = subbuffer;
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_PEEK()	((*subpointer)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+char	options[256];		/* The combined options */
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+
+int
+	eight = 3,
+	binary = 0,
+	autologin = 0,	/* Autologin anyone? */
+	skiprc = 0,
+	connected,
+	showoptions,
+	ISend,		/* trying to send network data in */
+	debug = 0,
+	crmod,
+	netdata,	/* Print out network data flow */
+	crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+	telnetport,
+	SYNCHing,	/* we are in TELNET SYNCH mode */
+	flushout,	/* flush output */
+	autoflush = 0,	/* flush output when interrupting? */
+	autosynch,	/* send interrupt characters with SYNCH? */
+	localflow,	/* we handle flow control locally */
+	restartany,	/* if flow control enabled, restart on any character */
+	localchars,	/* we recognize interrupt/quit */
+	donelclchars,	/* the user has set "localchars" */
+	donebinarytoggle,	/* the user has put us in binary */
+	dontlecho,	/* do we suppress local echoing right now? */
+	globalmode;
+
+char *prompt = 0;
+
+cc_t escape;
+cc_t rlogin;
+#ifdef	KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define	TS_DATA		0
+#define	TS_IAC		1
+#define	TS_WILL		2
+#define	TS_WONT		3
+#define	TS_DO		4
+#define	TS_DONT		5
+#define	TS_CR		6
+#define	TS_SB		7		/* sub-option collection */
+#define	TS_SE		8		/* looking for sub-option end */
+
+static int	telrcv_state;
+#ifdef	OLD_ENVIRON
+unsigned char telopt_environ = TELOPT_NEW_ENVIRON;
+#else
+# define telopt_environ TELOPT_NEW_ENVIRON
+#endif
+
+jmp_buf	toplevel;
+jmp_buf	peerdied;
+
+int	flushline;
+int	linemode;
+
+#ifdef	KLUDGELINEMODE
+int	kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+static int is_unique(char *name, char **as, char **ae);
+
+
+/*
+ * Initialize telnet environment.
+ */
+
+void
+init_telnet(void)
+{
+    env_init();
+
+    SB_CLEAR();
+    memset(options, 0, sizeof options);
+
+    connected = ISend = localflow = donebinarytoggle = 0;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+    restartany = -1;
+
+    SYNCHing = 0;
+
+    /* Don't change NetTrace */
+
+    escape = CONTROL(']');
+    rlogin = _POSIX_VDISABLE;
+#ifdef	KLUDGELINEMODE
+    echoc = CONTROL('E');
+#endif
+
+    flushline = 1;
+    telrcv_state = TS_DATA;
+}
+
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+void
+send_do(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+				my_want_state_is_do(c))
+	    return;
+	set_my_want_state_do(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DO);
+    NETADD(c);
+    printoption("SENT", DO, c);
+}
+
+void
+send_dont(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+				my_want_state_is_dont(c))
+	    return;
+	set_my_want_state_dont(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DONT);
+    NETADD(c);
+    printoption("SENT", DONT, c);
+}
+
+void
+send_will(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+				my_want_state_is_will(c))
+	    return;
+	set_my_want_state_will(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WILL);
+    NETADD(c);
+    printoption("SENT", WILL, c);
+}
+
+void
+send_wont(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+				my_want_state_is_wont(c))
+	    return;
+	set_my_want_state_wont(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WONT);
+    NETADD(c);
+    printoption("SENT", WONT, c);
+}
+
+
+void
+willoption(int option)
+{
+	int new_state_ok = 0;
+
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_do(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_ECHO:
+	    case TELOPT_BINARY:
+	    case TELOPT_SGA:
+		settimer(modenegotiated);
+		/* FALL THROUGH */
+	    case TELOPT_STATUS:
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+#endif
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		/*
+		 * Special case for TM.  If we get back a WILL,
+		 * pretend we got back a WONT.
+		 */
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;			/* Never reply to TM will's/wont's */
+
+	    case TELOPT_LINEMODE:
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_do(option);
+		send_do(option, 0);
+		setconnmode(0);		/* possibly set new tty mode */
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	}
+	set_my_state_do(option);
+#if	defined(ENCRYPTION)
+	if (option == TELOPT_ENCRYPT)
+		encrypt_send_support();
+#endif
+}
+
+void
+wontoption(int option)
+{
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_dont(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+
+	    switch (option) {
+
+#ifdef	KLUDGELINEMODE
+	    case TELOPT_SGA:
+		if (!kludgelinemode)
+		    break;
+		/* FALL THROUGH */
+#endif
+	    case TELOPT_ECHO:
+		settimer(modenegotiated);
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;		/* Never reply to TM will's/wont's */
+
+#ifdef ENCRYPTION
+  	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+	    default:
+		break;
+	    }
+	    set_my_want_state_dont(option);
+	    if (my_state_is_do(option))
+		send_dont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	} else if (option == TELOPT_TM) {
+	    /*
+	     * Special case for TM.
+	     */
+	    if (flushout)
+		flushout = 0;
+	    set_my_want_state_dont(option);
+	}
+	set_my_state_dont(option);
+}
+
+static void
+dooption(int option)
+{
+	int new_state_ok = 0;
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_will(option))
+		--will_wont_resp[option];
+	}
+
+	if (will_wont_resp[option] == 0) {
+	  if (my_want_state_is_wont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_TM:
+		/*
+		 * Special case for TM.  We send a WILL, but pretend
+		 * we sent WONT.
+		 */
+		send_will(option, 0);
+		set_my_want_state_wont(TELOPT_TM);
+		set_my_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_BINARY:		/* binary mode */
+	    case TELOPT_NAWS:		/* window size */
+	    case TELOPT_TSPEED:		/* terminal speed */
+	    case TELOPT_LFLOW:		/* local flow control */
+	    case TELOPT_TTYPE:		/* terminal type option */
+	    case TELOPT_SGA:		/* no big deal */
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:	/* encryption variable option */
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_NEW_ENVIRON:	/* New environment variable option */
+#ifdef	OLD_ENVIRON
+		if (my_state_is_will(TELOPT_OLD_ENVIRON))
+			send_wont(TELOPT_OLD_ENVIRON, 1); /* turn off the old */
+		goto env_common;
+	    case TELOPT_OLD_ENVIRON:	/* Old environment variable option */
+		if (my_state_is_will(TELOPT_NEW_ENVIRON))
+			break;		/* Don't enable if new one is in use! */
+	    env_common:
+		telopt_environ = option;
+#endif
+		new_state_ok = 1;
+		break;
+
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+		if (autologin)
+			new_state_ok = 1;
+		break;
+#endif
+
+	    case TELOPT_XDISPLOC:	/* X Display location */
+		if (env_getvalue((unsigned char *)"DISPLAY"))
+		    new_state_ok = 1;
+		break;
+
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_want_state_will(TELOPT_LINEMODE);
+		send_will(option, 0);
+		set_my_state_will(TELOPT_LINEMODE);
+		slc_init();
+		return;
+
+	    case TELOPT_ECHO:		/* We're never going to echo... */
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_will(option);
+		send_will(option, 0);
+		setconnmode(0);			/* Set new tty mode */
+	    } else {
+		will_wont_resp[option]++;
+		send_wont(option, 0);
+	    }
+	  } else {
+	    /*
+	     * Handle options that need more things done after the
+	     * other side has acknowledged the option.
+	     */
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_state_will(option);
+		slc_init();
+		send_do(TELOPT_SGA, 0);
+		return;
+	    }
+	  }
+	}
+	set_my_state_will(option);
+}
+
+static void
+dontoption(int option)
+{
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_wont(option))
+		--will_wont_resp[option];
+	}
+
+	if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+		linemode = 0;	/* put us back to the default state */
+		break;
+#ifdef	OLD_ENVIRON
+	    case TELOPT_NEW_ENVIRON:
+		/*
+		 * The new environ option wasn't recognized, try
+		 * the old one.
+		 */
+		send_will(TELOPT_OLD_ENVIRON, 1);
+		telopt_environ = TELOPT_OLD_ENVIRON;
+		break;
+#endif
+#if 0
+#ifdef ENCRYPTION
+	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+#endif
+	    }
+	    /* we always accept a DONT */
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	}
+	set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+static char *name_unknown = "UNKNOWN";
+static char *unknown[] = { 0, 0 };
+
+static char **
+mklist(char *buf, char *name)
+{
+	int n;
+	char c, *cp, **argvp, *cp2, **argv, **avt;
+
+	if (name) {
+		if ((int)strlen(name) > 40) {
+			name = 0;
+			unknown[0] = name_unknown;
+		} else {
+			unknown[0] = name;
+			strupr(name);
+		}
+	} else
+		unknown[0] = name_unknown;
+	/*
+	 * Count up the number of names.
+	 */
+	for (n = 1, cp = buf; *cp && *cp != ':'; cp++) {
+		if (*cp == '|')
+			n++;
+	}
+	/*
+	 * Allocate an array to put the name pointers into
+	 */
+	argv = (char **)malloc((n+3)*sizeof(char *));
+	if (argv == 0)
+		return(unknown);
+
+	/*
+	 * Fill up the array of pointers to names.
+	 */
+	*argv = 0;
+	argvp = argv+1;
+	n = 0;
+	for (cp = cp2 = buf; (c = *cp);  cp++) {
+		if (c == '|' || c == ':') {
+			*cp++ = '\0';
+			/*
+			 * Skip entries that have spaces or are over 40
+			 * characters long.  If this is our environment
+			 * name, then put it up front.  Otherwise, as
+			 * long as this is not a duplicate name (case
+			 * insensitive) add it to the list.
+			 */
+			if (n || (cp - cp2 > 41))
+				;
+			else if (name && (strncasecmp(name, cp2, cp-cp2) == 0))
+				*argv = cp2;
+			else if (is_unique(cp2, argv+1, argvp))
+				*argvp++ = cp2;
+			if (c == ':')
+				break;
+			/*
+			 * Skip multiple delimiters. Reset cp2 to
+			 * the beginning of the next name. Reset n,
+			 * the flag for names with spaces.
+			 */
+			while ((c = *cp) == '|')
+				cp++;
+			cp2 = cp;
+			n = 0;
+		}
+		/*
+		 * Skip entries with spaces or non-ascii values.
+		 * Convert lower case letters to upper case.
+		 */
+#define ISASCII(c) (!((c)&0x80))
+		if ((c == ' ') || !ISASCII(c))
+			n = 1;
+		else if (islower(c))
+			*cp = toupper(c);
+	}
+
+	/*
+	 * Check for an old V6 2 character name.  If the second
+	 * name points to the beginning of the buffer, and is
+	 * only 2 characters long, move it to the end of the array.
+	 */
+	if ((argv[1] == buf) && (strlen(argv[1]) == 2)) {
+		--argvp;
+		for (avt = &argv[1]; avt < argvp; avt++)
+			*avt = *(avt+1);
+		*argvp++ = buf;
+	}
+
+	/*
+	 * Duplicate last name, for TTYPE option, and null
+	 * terminate the array.  If we didn't find a match on
+	 * our terminal name, put that name at the beginning.
+	 */
+	cp = *(argvp-1);
+	*argvp++ = cp;
+	*argvp = 0;
+
+	if (*argv == 0) {
+		if (name)
+			*argv = name;
+		else {
+			--argvp;
+			for (avt = argv; avt < argvp; avt++)
+				*avt = *(avt+1);
+		}
+	}
+	if (*argv)
+		return(argv);
+	else
+		return(unknown);
+}
+
+static int
+is_unique(char *name, char **as, char **ae)
+{
+	char **ap;
+	int n;
+
+	n = strlen(name) + 1;
+	for (ap = as; ap < ae; ap++)
+		if (strncasecmp(*ap, name, n) == 0)
+			return(0);
+	return (1);
+}
+
+static char termbuf[1024];
+
+static int
+telnet_setupterm(const char *tname, int fd, int *errp)
+{
+	if (tgetent(termbuf, tname) == 1) {
+		termbuf[1023] = '\0';
+		if (errp)
+			*errp = 1;
+		return(0);
+	}
+	if (errp)
+		*errp = 0;
+	return(-1);
+}
+
+int resettermname = 1;
+
+static char *
+gettermname()
+{
+	char *tname;
+	static char **tnamep = 0;
+	static char **next;
+	int err;
+
+	if (resettermname) {
+		resettermname = 0;
+		if (tnamep && tnamep != unknown)
+			free(tnamep);
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+				telnet_setupterm(tname, 1, &err) == 0) {
+			tnamep = mklist(termbuf, tname);
+		} else {
+			if (tname && ((int)strlen(tname) <= 40)) {
+				unknown[0] = tname;
+				strupr(tname);
+			} else
+				unknown[0] = name_unknown;
+			tnamep = unknown;
+		}
+		next = tnamep;
+	}
+	if (*next == 0)
+		next = tnamep;
+	return(*next++);
+}
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *		Terminal type, send request.
+ *		Terminal speed (send request).
+ *		Local flow control (is request).
+ *		Linemode
+ */
+
+static void
+suboption()
+{
+    unsigned char subchar;
+
+    printsub('<', subbuffer, SB_LEN()+2);
+    switch (subchar = SB_GET()) {
+    case TELOPT_TTYPE:
+	if (my_want_state_is_wont(TELOPT_TTYPE))
+	    return;
+	if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+	    return;
+	} else {
+	    char *name;
+	    unsigned char temp[50];
+	    int len;
+
+	    name = gettermname();
+	    len = strlen(name) + 4 + 2;
+	    if (len < NETROOM()) {
+		snprintf((char *)temp, sizeof(temp),
+			 "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+			 TELQUAL_IS, name, IAC, SE);
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', &temp[2], len-2);
+	    } else {
+		ExitString("No room in buffer for terminal type.\n", 1);
+		/*NOTREACHED*/
+	    }
+	}
+	break;
+    case TELOPT_TSPEED:
+	if (my_want_state_is_wont(TELOPT_TSPEED))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    long output_speed, input_speed;
+	    unsigned char temp[50];
+	    int len;
+
+	    TerminalSpeeds(&input_speed, &output_speed);
+
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%u,%u%c%c", IAC, SB, TELOPT_TSPEED,
+		     TELQUAL_IS,
+		     (unsigned)output_speed,
+		     (unsigned)input_speed, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+    case TELOPT_LFLOW:
+	if (my_want_state_is_wont(TELOPT_LFLOW))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch(SB_GET()) {
+	case LFLOW_RESTART_ANY:
+	    restartany = 1;
+	    break;
+	case LFLOW_RESTART_XON:
+	    restartany = 0;
+	    break;
+	case LFLOW_ON:
+	    localflow = 1;
+	    break;
+	case LFLOW_OFF:
+	    localflow = 0;
+	    break;
+	default:
+	    return;
+	}
+	setcommandmode();
+	setconnmode(0);
+	break;
+
+    case TELOPT_LINEMODE:
+	if (my_want_state_is_wont(TELOPT_LINEMODE))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch (SB_GET()) {
+	case WILL:
+	    lm_will(subpointer, SB_LEN());
+	    break;
+	case WONT:
+	    lm_wont(subpointer, SB_LEN());
+	    break;
+	case DO:
+	    lm_do(subpointer, SB_LEN());
+	    break;
+	case DONT:
+	    lm_dont(subpointer, SB_LEN());
+	    break;
+	case LM_SLC:
+	    slc(subpointer, SB_LEN());
+	    break;
+	case LM_MODE:
+	    lm_mode(subpointer, SB_LEN(), 0);
+	    break;
+	default:
+	    break;
+	}
+	break;
+
+#ifdef	OLD_ENVIRON
+    case TELOPT_OLD_ENVIRON:
+#endif
+    case TELOPT_NEW_ENVIRON:
+	if (SB_EOF())
+	    return;
+	switch(SB_PEEK()) {
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+	    if (my_want_state_is_dont(subchar))
+		return;
+	    break;
+	case TELQUAL_SEND:
+	    if (my_want_state_is_wont(subchar)) {
+		return;
+	    }
+	    break;
+	default:
+	    return;
+	}
+	env_opt(subpointer, SB_LEN());
+	break;
+
+    case TELOPT_XDISPLOC:
+	if (my_want_state_is_wont(TELOPT_XDISPLOC))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    unsigned char temp[50], *dp;
+	    int len;
+
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+		/*
+		 * Something happened, we no longer have a DISPLAY
+		 * variable.  So, turn off the option.
+		 */
+		send_wont(TELOPT_XDISPLOC, 1);
+		break;
+	    }
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+		     TELQUAL_IS, dp, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION: {
+		if (!autologin)
+			break;
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case TELQUAL_IS:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_is(subpointer, SB_LEN());
+			break;
+		case TELQUAL_SEND:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_send(subpointer, SB_LEN());
+			break;
+		case TELQUAL_REPLY:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_reply(subpointer, SB_LEN());
+			break;
+		case TELQUAL_NAME:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_name(subpointer, SB_LEN());
+			break;
+		}
+	}
+	break;
+#endif
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case ENCRYPT_START:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_END:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_end();
+			break;
+		case ENCRYPT_SUPPORT:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_support(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQSTART:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_request_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQEND:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			/*
+			 * We can always send an REQEND so that we cannot
+			 * get stuck encrypting.  We should only get this
+			 * if we have been able to get in the correct mode
+			 * anyhow.
+			 */
+			encrypt_request_end();
+			break;
+		case ENCRYPT_IS:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_is(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REPLY:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_reply(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_ENC_KEYID:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_enc_keyid(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_DEC_KEYID:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_dec_keyid(subpointer, SB_LEN());
+			break;
+		default:
+			break;
+		}
+		break;
+#endif
+    default:
+	break;
+    }
+}
+
+static unsigned char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+void
+lm_will(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_will: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	str_lm[3] = DONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_will: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_wont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_wont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	/* We are always DONT, so don't respond */
+	return;
+    }
+}
+
+void
+lm_do(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_do: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	str_lm[3] = WONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_do: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_dont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_dont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	/* we are always WONT, so don't respond */
+	break;
+    }
+}
+
+static unsigned char str_lm_mode[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_MODE, 0, IAC, SE
+};
+
+void
+lm_mode(unsigned char *cmd, int len, int init)
+{
+	if (len != 1)
+		return;
+	if ((linemode&MODE_MASK&~MODE_ACK) == *cmd)
+		return;
+	if (*cmd&MODE_ACK)
+		return;
+	linemode = *cmd&(MODE_MASK&~MODE_ACK);
+	str_lm_mode[4] = linemode;
+	if (!init)
+	    str_lm_mode[4] |= MODE_ACK;
+	if (NETROOM() > sizeof(str_lm_mode)) {
+	    ring_supply_data(&netoring, str_lm_mode, sizeof(str_lm_mode));
+	    printsub('>', &str_lm_mode[2], sizeof(str_lm_mode)-2);
+	}
+/*@*/	else printf("lm_mode: not enough room in buffer\n");
+	setconnmode(0);	/* set changed mode */
+}
+
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+	cc_t val;
+	cc_t *valp;
+	char flags;	/* Current flags & level */
+	char mylevel;	/* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT	0
+#define	SLC_EXPORT	1
+#define SLC_RVALUE	2
+static int slc_mode = SLC_EXPORT;
+
+void
+slc_init()
+{
+	struct spc *spcp;
+
+	localchars = 1;
+	for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+		spcp->val = 0;
+		spcp->valp = 0;
+		spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+	}
+
+#define	initfunc(func, flags) { \
+					spcp = &spc_data[func]; \
+					if ((spcp->valp = tcval(func))) { \
+					    spcp->val = *spcp->valp; \
+					    spcp->mylevel = SLC_VARIABLE|flags; \
+					} else { \
+					    spcp->val = 0; \
+					    spcp->mylevel = SLC_DEFAULT; \
+					} \
+				    }
+
+	initfunc(SLC_SYNCH, 0);
+	/* No BRK */
+	initfunc(SLC_AO, 0);
+	initfunc(SLC_AYT, 0);
+	/* No EOR */
+	initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+	initfunc(SLC_EOF, 0);
+	initfunc(SLC_SUSP, SLC_FLUSHIN);
+	initfunc(SLC_EC, 0);
+	initfunc(SLC_EL, 0);
+	initfunc(SLC_EW, 0);
+	initfunc(SLC_RP, 0);
+	initfunc(SLC_LNEXT, 0);
+	initfunc(SLC_XON, 0);
+	initfunc(SLC_XOFF, 0);
+	initfunc(SLC_FORW1, 0);
+	initfunc(SLC_FORW2, 0);
+	/* No FORW2 */
+
+	initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef	initfunc
+
+	if (slc_mode == SLC_EXPORT)
+		slc_export();
+	else
+		slc_import(1);
+
+}
+
+void
+slcstate()
+{
+    printf("Special characters are %s values\n",
+		slc_mode == SLC_IMPORT ? "remote default" :
+		slc_mode == SLC_EXPORT ? "local" :
+					 "remote");
+}
+
+void
+slc_mode_export()
+{
+    slc_mode = SLC_EXPORT;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_export();
+}
+
+void
+slc_mode_import(int def)
+{
+    slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_import(def);
+}
+
+unsigned char slc_import_val[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE
+};
+unsigned char slc_import_def[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE
+};
+
+void
+slc_import(int def)
+{
+    if (NETROOM() > sizeof(slc_import_val)) {
+	if (def) {
+	    ring_supply_data(&netoring, slc_import_def, sizeof(slc_import_def));
+	    printsub('>', &slc_import_def[2], sizeof(slc_import_def)-2);
+	} else {
+	    ring_supply_data(&netoring, slc_import_val, sizeof(slc_import_val));
+	    printsub('>', &slc_import_val[2], sizeof(slc_import_val)-2);
+	}
+    }
+/*@*/ else printf("slc_import: not enough room\n");
+}
+
+void
+slc_export()
+{
+    struct spc *spcp;
+
+    TerminalDefaultChars();
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->mylevel != SLC_NOSUPPORT) {
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    if (spcp->valp)
+		spcp->val = *spcp->valp;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    slc_update();
+    setconnmode(1);	/* Make sure the character values are set */
+}
+
+void
+slc(unsigned char *cp, int len)
+{
+	struct spc *spcp;
+	int func,level;
+
+	slc_start_reply();
+
+	for (; len >= 3; len -=3, cp +=3) {
+
+		func = cp[SLC_FUNC];
+
+		if (func == 0) {
+			/*
+			 * Client side: always ignore 0 function.
+			 */
+			continue;
+		}
+		if (func > NSLC) {
+			if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+				slc_add_reply(func, SLC_NOSUPPORT, 0);
+			continue;
+		}
+
+		spcp = &spc_data[func];
+
+		level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+
+		if ((cp[SLC_VALUE] == (unsigned char)spcp->val) &&
+		    ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+			continue;
+		}
+
+		if (level == (SLC_DEFAULT|SLC_ACK)) {
+			/*
+			 * This is an error condition, the SLC_ACK
+			 * bit should never be set for the SLC_DEFAULT
+			 * level.  Our best guess to recover is to
+			 * ignore the SLC_ACK bit.
+			 */
+			cp[SLC_FLAGS] &= ~SLC_ACK;
+		}
+
+		if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+			spcp->val = (cc_t)cp[SLC_VALUE];
+			spcp->flags = cp[SLC_FLAGS];	/* include SLC_ACK */
+			continue;
+		}
+
+		level &= ~SLC_ACK;
+
+		if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+			spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+			spcp->val = (cc_t)cp[SLC_VALUE];
+		}
+		if (level == SLC_DEFAULT) {
+			if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+				spcp->flags = spcp->mylevel;
+			else
+				spcp->flags = SLC_NOSUPPORT;
+		}
+		slc_add_reply(func, spcp->flags, spcp->val);
+	}
+	slc_end_reply();
+	if (slc_update())
+		setconnmode(1);	/* set the  new character values */
+}
+
+void
+slc_check()
+{
+    struct spc *spcp;
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->valp && spcp->val != *spcp->valp) {
+	    spcp->val = *spcp->valp;
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+void
+slc_start_reply()
+{
+	slc_replyp = slc_reply;
+	*slc_replyp++ = IAC;
+	*slc_replyp++ = SB;
+	*slc_replyp++ = TELOPT_LINEMODE;
+	*slc_replyp++ = LM_SLC;
+}
+
+void
+slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
+{
+	if ((*slc_replyp++ = func) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = flags) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = (unsigned char)value) == IAC)
+		*slc_replyp++ = IAC;
+}
+
+void
+slc_end_reply()
+{
+    int len;
+
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len = slc_replyp - slc_reply;
+    if (len <= 6)
+	return;
+    if (NETROOM() > len) {
+	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+    }
+/*@*/else printf("slc_end_reply: not enough room\n");
+}
+
+int
+slc_update()
+{
+	struct spc *spcp;
+	int need_update = 0;
+
+	for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+		if (!(spcp->flags&SLC_ACK))
+			continue;
+		spcp->flags &= ~SLC_ACK;
+		if (spcp->valp && (*spcp->valp != spcp->val)) {
+			*spcp->valp = spcp->val;
+			need_update = 1;
+		}
+	}
+	return(need_update);
+}
+
+#ifdef	OLD_ENVIRON
+#  define old_env_var OLD_ENV_VAR
+#  define old_env_value OLD_ENV_VALUE
+#endif
+
+void
+env_opt(unsigned char *buf, int len)
+{
+	unsigned char *ep = 0, *epc = 0;
+	int i;
+
+	switch(buf[0]&0xff) {
+	case TELQUAL_SEND:
+		env_opt_start();
+		if (len == 1) {
+			env_opt_add(NULL);
+		} else for (i = 1; i < len; i++) {
+			switch (buf[i]&0xff) {
+#ifdef	OLD_ENVIRON
+			case OLD_ENV_VAR:
+			case OLD_ENV_VALUE:
+				/*
+				 * Although OLD_ENV_VALUE is not legal, we will
+				 * still recognize it, just in case it is an
+				 * old server that has VAR & VALUE mixed up...
+				 */
+				/* FALL THROUGH */
+#else
+			case NEW_ENV_VAR:
+#endif
+			case ENV_USERVAR:
+				if (ep) {
+					*epc = 0;
+					env_opt_add(ep);
+				}
+				ep = epc = &buf[i+1];
+				break;
+			case ENV_ESC:
+				i++;
+				/*FALL THROUGH*/
+			default:
+				if (epc)
+					*epc++ = buf[i];
+				break;
+			}
+		}
+		if (ep) {
+			*epc = 0;
+			env_opt_add(ep);
+		}
+		env_opt_end(1);
+		break;
+
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+		/* Ignore for now.  We shouldn't get it anyway. */
+		break;
+
+	default:
+		break;
+	}
+}
+
+#define	OPT_REPLY_SIZE	256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+void
+env_opt_start()
+{
+	if (opt_reply) {
+		void *tmp = realloc (opt_reply, OPT_REPLY_SIZE);
+		if (tmp != NULL) {
+			opt_reply = tmp;
+		} else {
+			free (opt_reply);
+			opt_reply = NULL;
+		}
+	} else
+		opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+	if (opt_reply == NULL) {
+/*@*/		printf("env_opt_start: malloc()/realloc() failed!!!\n");
+		opt_reply = opt_replyp = opt_replyend = NULL;
+		return;
+	}
+	opt_replyp = opt_reply;
+	opt_replyend = opt_reply + OPT_REPLY_SIZE;
+	*opt_replyp++ = IAC;
+	*opt_replyp++ = SB;
+	*opt_replyp++ = telopt_environ;
+	*opt_replyp++ = TELQUAL_IS;
+}
+
+void
+env_opt_start_info()
+{
+	env_opt_start();
+	if (opt_replyp)
+	    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+void
+env_opt_add(unsigned char *ep)
+{
+	unsigned char *vp, c;
+
+	if (opt_reply == NULL)		/*XXX*/
+		return;			/*XXX*/
+
+	if (ep == NULL || *ep == '\0') {
+		/* Send user defined variables first. */
+		env_default(1, 0);
+		while ((ep = env_default(0, 0)))
+			env_opt_add(ep);
+
+		/* Now add the list of well know variables.  */
+		env_default(1, 1);
+		while ((ep = env_default(0, 1)))
+			env_opt_add(ep);
+		return;
+	}
+	vp = env_getvalue(ep);
+	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+				strlen((char *)ep) + 6 > opt_replyend)
+	{
+		int len;
+		void *tmp;
+		opt_replyend += OPT_REPLY_SIZE;
+		len = opt_replyend - opt_reply;
+		tmp = realloc(opt_reply, len);
+		if (tmp == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return;
+		}
+		opt_reply = tmp;
+		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyend = opt_reply + len;
+	}
+	if (opt_welldefined((char *)ep)) {
+#ifdef	OLD_ENVIRON
+		if (telopt_environ == TELOPT_OLD_ENVIRON)
+			*opt_replyp++ = old_env_var;
+		else
+#endif
+			*opt_replyp++ = NEW_ENV_VAR;
+	} else
+		*opt_replyp++ = ENV_USERVAR;
+	for (;;) {
+		while ((c = *ep++)) {
+			switch(c&0xff) {
+			case IAC:
+				*opt_replyp++ = IAC;
+				break;
+			case NEW_ENV_VAR:
+			case NEW_ENV_VALUE:
+			case ENV_ESC:
+			case ENV_USERVAR:
+				*opt_replyp++ = ENV_ESC;
+				break;
+			}
+			*opt_replyp++ = c;
+		}
+		if ((ep = vp)) {
+#ifdef	OLD_ENVIRON
+			if (telopt_environ == TELOPT_OLD_ENVIRON)
+				*opt_replyp++ = old_env_value;
+			else
+#endif
+				*opt_replyp++ = NEW_ENV_VALUE;
+			vp = NULL;
+		} else
+			break;
+	}
+}
+
+int
+opt_welldefined(char *ep)
+{
+	if ((strcmp(ep, "USER") == 0) ||
+	    (strcmp(ep, "DISPLAY") == 0) ||
+	    (strcmp(ep, "PRINTER") == 0) ||
+	    (strcmp(ep, "SYSTEMTYPE") == 0) ||
+	    (strcmp(ep, "JOB") == 0) ||
+	    (strcmp(ep, "ACCT") == 0))
+		return(1);
+	return(0);
+}
+
+void
+env_opt_end(int emptyok)
+{
+	int len;
+
+	len = opt_replyp - opt_reply + 2;
+	if (emptyok || len > 6) {
+		*opt_replyp++ = IAC;
+		*opt_replyp++ = SE;
+		if (NETROOM() > len) {
+			ring_supply_data(&netoring, opt_reply, len);
+			printsub('>', &opt_reply[2], len - 2);
+		}
+/*@*/		else printf("slc_end_reply: not enough room\n");
+	}
+	if (opt_reply) {
+		free(opt_reply);
+		opt_reply = opt_replyp = opt_replyend = NULL;
+	}
+}
+
+
+
+int
+telrcv(void)
+{
+    int c;
+    int scc;
+    unsigned char *sbp = NULL;
+    int count;
+    int returnValue = 0;
+
+    scc = 0;
+    count = 0;
+    while (TTYROOM() > 2) {
+	if (scc == 0) {
+	    if (count) {
+		ring_consumed(&netiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    sbp = netiring.consume;
+	    scc = ring_full_consecutive(&netiring);
+	    if (scc == 0) {
+		/* No more data coming in */
+		break;
+	    }
+	}
+
+	c = *sbp++ & 0xff, scc--; count++;
+#if	defined(ENCRYPTION)
+	if (decrypt_input)
+		c = (*decrypt_input)(c);
+#endif
+
+	switch (telrcv_state) {
+
+	case TS_CR:
+	    telrcv_state = TS_DATA;
+	    if (c == '\0') {
+		break;	/* Ignore \0 after CR */
+	    }
+	    else if ((c == '\n') && my_want_state_is_dont(TELOPT_ECHO) && !crmod) {
+		TTYADD(c);
+		break;
+	    }
+	    /* Else, fall through */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		telrcv_state = TS_IAC;
+		break;
+	    }
+		    /* 
+		     * The 'crmod' hack (see following) is needed
+		     * since we can't set CRMOD on output only.
+		     * Machines like MULTICS like to send \r without
+		     * \n; since we must turn off CRMOD to get proper
+		     * input, the mapping is done here (sigh).
+		     */
+	    if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+		if (scc > 0) {
+		    c = *sbp&0xff;
+#if	defined(ENCRYPTION)
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif
+		    if (c == 0) {
+			sbp++, scc--; count++;
+			/* a "true" CR */
+			TTYADD('\r');
+		    } else if (my_want_state_is_dont(TELOPT_ECHO) &&
+					(c == '\n')) {
+			sbp++, scc--; count++;
+			TTYADD('\n');
+		    } else {
+#if	defined(ENCRYPTION)
+		        if (decrypt_input)
+			    (*decrypt_input)(-1);
+#endif
+
+			TTYADD('\r');
+			if (crmod) {
+				TTYADD('\n');
+			}
+		    }
+		} else {
+		    telrcv_state = TS_CR;
+		    TTYADD('\r');
+		    if (crmod) {
+			    TTYADD('\n');
+		    }
+		}
+	    } else {
+		TTYADD(c);
+	    }
+	    continue;
+
+	case TS_IAC:
+process_iac:
+	    switch (c) {
+
+	    case WILL:
+		telrcv_state = TS_WILL;
+		continue;
+
+	    case WONT:
+		telrcv_state = TS_WONT;
+		continue;
+
+	    case DO:
+		telrcv_state = TS_DO;
+		continue;
+
+	    case DONT:
+		telrcv_state = TS_DONT;
+		continue;
+
+	    case DM:
+		    /*
+		     * We may have missed an urgent notification,
+		     * so make sure we flush whatever is in the
+		     * buffer currently.
+		     */
+		printoption("RCVD", IAC, DM);
+		SYNCHing = 1;
+		ttyflush(1);
+		SYNCHing = stilloob();
+		settimer(gotDM);
+		break;
+
+	    case SB:
+		SB_CLEAR();
+		telrcv_state = TS_SB;
+		continue;
+
+
+	    case IAC:
+		TTYADD(IAC);
+		break;
+
+	    case NOP:
+	    case GA:
+	    default:
+		printoption("RCVD", IAC, c);
+		break;
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WILL:
+	    printoption("RCVD", WILL, c);
+	    willoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    printoption("RCVD", WONT, c);
+	    wontoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    printoption("RCVD", DO, c);
+	    dooption(c);
+	    if (c == TELOPT_NAWS) {
+		sendnaws();
+	    } else if (c == TELOPT_LFLOW) {
+		localflow = 1;
+		setcommandmode();
+		setconnmode(0);
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    printoption("RCVD", DONT, c);
+	    dontoption(c);
+	    flushline = 1;
+	    setconnmode(0);	/* set new tty mode (maybe) */
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_SB:
+	    if (c == IAC) {
+		telrcv_state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    continue;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * This is an error.  We only expect to get
+		     * "IAC IAC" or "IAC SE".  Several things may
+		     * have happend.  An IAC was not doubled, the
+		     * IAC SE was left off, or another option got
+		     * inserted into the suboption are all possibilities.
+		     * If we assume that the IAC was not doubled,
+		     * and really the IAC SE was left off, we could
+		     * get into an infinate loop here.  So, instead,
+		     * we terminate the suboption, and process the
+		     * partial suboption if we can.
+		     */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+		    SB_TERM();
+
+		    printoption("In SUBOPTION processing, RCVD", IAC, c);
+		    suboption();	/* handle sub-option */
+		    telrcv_state = TS_IAC;
+		    goto process_iac;
+		}
+		SB_ACCUM(c);
+		telrcv_state = TS_SB;
+	    } else {
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		telrcv_state = TS_DATA;
+	    }
+	}
+    }
+    if (count)
+	ring_consumed(&netiring, count);
+    return returnValue||count;
+}
+
+static int bol = 1, local = 0;
+
+int
+rlogin_susp(void)
+{
+    if (local) {
+	local = 0;
+	bol = 1;
+	command(0, "z\n", 2);
+	return(1);
+    }
+    return(0);
+}
+
+static int
+telsnd()
+{
+    int tcc;
+    int count;
+    int returnValue = 0;
+    unsigned char *tbp = NULL;
+
+    tcc = 0;
+    count = 0;
+    while (NETROOM() > 2) {
+	int sc;
+	int c;
+
+	if (tcc == 0) {
+	    if (count) {
+		ring_consumed(&ttyiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    tbp = ttyiring.consume;
+	    tcc = ring_full_consecutive(&ttyiring);
+	    if (tcc == 0) {
+		break;
+	    }
+	}
+	c = *tbp++ & 0xff, sc = strip(c), tcc--; count++;
+	if (rlogin != _POSIX_VDISABLE) {
+		if (bol) {
+			bol = 0;
+			if (sc == rlogin) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (sc == '.' || c == termEofChar) {
+				bol = 1;
+				command(0, "close\n", 6);
+				continue;
+			}
+			if (sc == termSuspChar) {
+				bol = 1;
+				command(0, "z\n", 2);
+				continue;
+			}
+			if (sc == escape) {
+				command(0, (char *)tbp, tcc);
+				bol = 1;
+				count += tcc;
+				tcc = 0;
+				flushline = 1;
+				break;
+			}
+			if (sc != rlogin) {
+				++tcc;
+				--tbp;
+				--count;
+				c = sc = rlogin;
+			}
+		}
+		if ((sc == '\n') || (sc == '\r'))
+			bol = 1;
+	} else if (sc == escape) {
+	    /*
+	     * Double escape is a pass through of a single escape character.
+	     */
+	    if (tcc && strip(*tbp) == escape) {
+		tbp++;
+		tcc--;
+		count++;
+		bol = 0;
+	    } else {
+		command(0, (char *)tbp, tcc);
+		bol = 1;
+		count += tcc;
+		tcc = 0;
+		flushline = 1;
+		break;
+	    }
+	} else
+	    bol = 0;
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+	    if (tcc > 0 && strip(*tbp) == echoc) {
+		tcc--; tbp++; count++;
+	    } else {
+		dontlecho = !dontlecho;
+		settimer(echotoggle);
+		setconnmode(0);
+		flushline = 1;
+		break;
+	    }
+	}
+#endif
+	if (MODE_LOCAL_CHARS(globalmode)) {
+	    if (TerminalSpecialChars(sc) == 0) {
+		bol = 1;
+		break;
+	    }
+	}
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    switch (c) {
+	    case '\n':
+		    /*
+		     * If we are in CRMOD mode (\r ==> \n)
+		     * on our local machine, then probably
+		     * a newline (unix) is CRLF (TELNET).
+		     */
+		if (MODE_LOCAL_CHARS(globalmode)) {
+		    NETADD('\r');
+		}
+		NETADD('\n');
+		bol = flushline = 1;
+		break;
+	    case '\r':
+		if (!crlf) {
+		    NET2ADD('\r', '\0');
+		} else {
+		    NET2ADD('\r', '\n');
+		}
+		bol = flushline = 1;
+		break;
+	    case IAC:
+		NET2ADD(IAC, IAC);
+		break;
+	    default:
+		NETADD(c);
+		break;
+	    }
+	} else if (c == IAC) {
+	    NET2ADD(IAC, IAC);
+	} else {
+	    NETADD(c);
+	}
+    }
+    if (count)
+	ring_consumed(&ttyiring, count);
+    return returnValue||count;		/* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+
+static int
+Scheduler(int block) /* should we block in the select ? */
+{
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue;
+    int netin, netout, netex, ttyin, ttyout;
+
+    /* Decide which rings should be processed */
+
+    netout = ring_full_count(&netoring) &&
+	    (flushline ||
+		(my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef	KLUDGELINEMODE
+			&& (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+		) ||
+			my_want_state_is_will(TELOPT_BINARY));
+    ttyout = ring_full_count(&ttyoring);
+
+    ttyin = ring_empty_count(&ttyiring);
+
+    netin = !ISend && ring_empty_count(&netiring);
+
+    netex = !SYNCHing;
+
+    /* If we have seen a signal recently, reset things */
+
+    /* Call to system code to process rings */
+
+    returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+
+    /* Now, look at the input rings, looking for work to do. */
+
+    if (ring_full_count(&ttyiring)) {
+	    returnValue |= telsnd();
+    }
+
+    if (ring_full_count(&netiring)) {
+	returnValue |= telrcv();
+    }
+    return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+void
+my_telnet(char *user)
+{
+    sys_telnet_init();
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    {
+	static char local_host[256] = { 0 };
+
+	if (!local_host[0]) {
+		/* XXX - should be k_gethostname? */
+		gethostname(local_host, sizeof(local_host));
+		local_host[sizeof(local_host)-1] = 0;
+	}
+	auth_encrypt_init(local_host, hostname, "TELNET", 0);
+	auth_encrypt_user(user);
+    }
+#endif
+    if (telnetport) {
+#if	defined(AUTHENTICATION)
+	if (autologin)
+		send_will(TELOPT_AUTHENTICATION, 1);
+#endif
+#if	defined(ENCRYPTION)
+	send_do(TELOPT_ENCRYPT, 1);
+	send_will(TELOPT_ENCRYPT, 1);
+#endif
+	send_do(TELOPT_SGA, 1);
+	send_will(TELOPT_TTYPE, 1);
+	send_will(TELOPT_NAWS, 1);
+	send_will(TELOPT_TSPEED, 1);
+	send_will(TELOPT_LFLOW, 1);
+	send_will(TELOPT_LINEMODE, 1);
+	send_will(TELOPT_NEW_ENVIRON, 1);
+	send_do(TELOPT_STATUS, 1);
+	if (env_getvalue((unsigned char *)"DISPLAY"))
+	    send_will(TELOPT_XDISPLOC, 1);
+	if (binary)
+	    tel_enter_binary(binary);
+    }
+
+    for (;;) {
+	int schedValue;
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	if (Scheduler(1) == -1) {
+	    setcommandmode();
+	    return;
+	}
+    }
+}
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+static void
+netclear()
+{
+#if	0	/* XXX */
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+    thisitem = netobuf;
+
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+    good = netobuf;	/* where the good bytes go */
+
+    while (netoring.add > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+#endif	/* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+static void
+doflush()
+{
+    NET2ADD(IAC, DO);
+    NETADD(TELOPT_TM);
+    flushline = 1;
+    flushout = 1;
+    ttyflush(1);			/* Flush/drop output */
+    /* do printoption AFTER flush, otherwise the output gets tossed... */
+    printoption("SENT", DO, TELOPT_TM);
+}
+
+void
+xmitAO(void)
+{
+    NET2ADD(IAC, AO);
+    printoption("SENT", IAC, AO);
+    if (autoflush) {
+	doflush();
+    }
+}
+
+
+void
+xmitEL(void)
+{
+    NET2ADD(IAC, EL);
+    printoption("SENT", IAC, EL);
+}
+
+void
+xmitEC(void)
+{
+    NET2ADD(IAC, EC);
+    printoption("SENT", IAC, EC);
+}
+
+
+int
+dosynch()
+{
+    netclear();			/* clear the path to the network */
+    NETADD(IAC);
+    setneturg();
+    NETADD(DM);
+    printoption("SENT", IAC, DM);
+    return 1;
+}
+
+int want_status_response = 0;
+
+int
+get_status()
+{
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_want_state_is_dont(TELOPT_STATUS)) {
+	printf("Remote side does not support STATUS option\n");
+	return 0;
+    }
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_STATUS;
+    *cp++ = TELQUAL_SEND;
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+    ++want_status_response;
+    return 1;
+}
+
+void
+intp(void)
+{
+    NET2ADD(IAC, IP);
+    printoption("SENT", IAC, IP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendbrk(void)
+{
+    NET2ADD(IAC, BREAK);
+    printoption("SENT", IAC, BREAK);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendabort(void)
+{
+    NET2ADD(IAC, ABORT);
+    printoption("SENT", IAC, ABORT);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendsusp(void)
+{
+    NET2ADD(IAC, SUSP);
+    printoption("SENT", IAC, SUSP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendeof(void)
+{
+    NET2ADD(IAC, xEOF);
+    printoption("SENT", IAC, xEOF);
+}
+
+void
+sendayt(void)
+{
+    NET2ADD(IAC, AYT);
+    printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+void
+sendnaws()
+{
+    long rows, cols;
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_state_is_wont(TELOPT_NAWS))
+	return;
+
+#define	PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+			    if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+
+    if (TerminalWindowSize(&rows, &cols) == 0) {	/* Failed */
+	return;
+    }
+
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_NAWS;
+    PUTSHORT(cp, cols);
+    PUTSHORT(cp, rows);
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+}
+
+void
+tel_enter_binary(int rw)
+{
+    if (rw&1)
+	send_do(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_will(TELOPT_BINARY, 1);
+}
+
+void
+tel_leave_binary(int rw)
+{
+    if (rw&1)
+	send_dont(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_wont(TELOPT_BINARY, 1);
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet_locl.h b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
new file mode 100644
index 0000000..4f9f86d
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: telnet_locl.h,v 1.19 2000/02/04 09:49:28 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SIGNAL_H
+#include <signal.h>
+#endif
+#include <errno.h>
+#include <setjmp.h>
+#ifdef HAVE_BSDSETJMP_H
+#include <bsdsetjmp.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/* termios.h *must* be included before curses.h */
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#if defined(SOCKS) && defined(HAVE_CURSES_H)
+#include <curses.h>
+#endif
+
+#if defined(HAVE_SYS_TERMIO_H) && !defined(HAVE_TERMIOS_H)
+#include <sys/termio.h>
+#endif
+
+#if defined(HAVE_TERMCAP_H)
+#include <termcap.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+/* not with SunOS 4 */
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <roken.h>
+/* krb.h? */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include <libtelnet/auth.h>
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+#include <libtelnet/misc-proto.h>
+
+#define LINEMODE
+#ifndef KLUDGELINEMODE
+#define KLUDGELINEMODE
+#endif
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+/* prototypes */
+
diff --git a/crypto/heimdal/appl/telnet/telnet/terminal.c b/crypto/heimdal/appl/telnet/telnet/terminal.c
new file mode 100644
index 0000000..4404384
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/terminal.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: terminal.c,v 1.10 1997/12/15 19:53:06 joda Exp $");
+
+Ring		ttyoring, ttyiring;
+unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
+
+int termdata;			/* Debugging flag */
+
+# ifndef VDISCARD
+cc_t termFlushChar;
+# endif
+# ifndef VLNEXT
+cc_t termLiteralNextChar;
+# endif
+# ifndef VSUSP
+cc_t termSuspChar;
+# endif
+# ifndef VWERASE
+cc_t termWerasChar;
+# endif
+# ifndef VREPRINT
+cc_t termRprntChar;
+# endif
+# ifndef VSTART
+cc_t termStartChar;
+# endif
+# ifndef VSTOP
+cc_t termStopChar;
+# endif
+# ifndef VEOL
+cc_t termForw1Char;
+# endif
+# ifndef VEOL2
+cc_t termForw2Char;
+# endif
+# ifndef VSTATUS
+cc_t termAytChar;
+# endif
+
+/*
+ * initialize the terminal data structures.
+ */
+
+void
+init_terminal(void)
+{
+    if (ring_init(&ttyoring, ttyobuf, sizeof ttyobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&ttyiring, ttyibuf, sizeof ttyibuf) != 1) {
+	exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *		Send as much data as possible to the terminal.
+ *
+ *		Return value:
+ *			-1: No useful work done, data waiting to go out.
+ *			 0: No data was waiting, so nothing was done.
+ *			 1: All waiting data was written out.
+ *			 n: All data - n was written out.
+ */
+
+
+int
+ttyflush(int drop)
+{
+    int n, n0, n1;
+
+    n0 = ring_full_count(&ttyoring);
+    if ((n1 = n = ring_full_consecutive(&ttyoring)) > 0) {
+	if (drop) {
+	    TerminalFlushOutput();
+	    /* we leave 'n' alone! */
+	} else {
+	    n = TerminalWrite((char *)ttyoring.consume, n);
+	}
+    }
+    if (n > 0) {
+	if (termdata && n) {
+	    Dump('>', ttyoring.consume, n);
+	}
+	/*
+	 * If we wrote everything, and the full count is
+	 * larger than what we wrote, then write the
+	 * rest of the buffer.
+	 */
+	if (n1 == n && n0 > n) {
+		n1 = n0 - n;
+		if (!drop)
+			n1 = TerminalWrite((char *)ttyoring.bottom, n1);
+		if (n1 > 0)
+			n += n1;
+	}
+	ring_consumed(&ttyoring, n);
+    }
+    if (n < 0)
+	return -1;
+    if (n == n0) {
+	if (n0)
+	    return -1;
+	return 0;
+    }
+    return n0 - n + 1;
+}
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+
+
+int
+getconnmode(void)
+{
+    extern int linemode;
+    int mode = 0;
+#ifdef	KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+	mode |= MODE_ECHO;
+
+    if (localflow)
+	mode |= MODE_FLOW;
+
+    if ((eight & 1) || my_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_INBIN;
+
+    if (eight & 2)
+	mode |= MODE_OUT8;
+    if (his_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_OUTBIN;
+
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode) {
+	if (my_want_state_is_dont(TELOPT_SGA)) {
+	    mode |= (MODE_TRAPSIG|MODE_EDIT);
+	    if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+		mode &= ~MODE_ECHO;
+	    }
+	}
+	return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+	mode |= linemode;
+    return(mode);
+}
+
+    void
+setconnmode(force)
+    int force;
+{
+#ifdef	ENCRYPTION
+    static int enc_passwd = 0;
+#endif
+    int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+    
+#ifdef  ENCRYPTION
+    if ((newmode & (MODE_ECHO|MODE_EDIT)) == MODE_EDIT) {
+	if (my_want_state_is_will(TELOPT_ENCRYPT)
+				&& (enc_passwd == 0) && !encrypt_output) {
+	    encrypt_request_start(0, 0);
+	    enc_passwd = 1;
+	}
+    } else {
+	if (enc_passwd) {
+	    encrypt_request_end();
+	    enc_passwd = 0;
+	}
+    }
+#endif
+
+}
+
+
+    void
+setcommandmode()
+{
+    TerminalNewMode(-1);
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/types.h b/crypto/heimdal/appl/telnet/telnet/types.h
new file mode 100644
index 0000000..191d311
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)types.h	8.1 (Berkeley) 6/6/93
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	gotDM;			/* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/crypto/heimdal/appl/telnet/telnet/utilities.c b/crypto/heimdal/appl/telnet/telnet/utilities.c
new file mode 100644
index 0000000..32788a9
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/utilities.c
@@ -0,0 +1,863 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+
+#include "telnet_locl.h"
+
+RCSID("$Id: utilities.c,v 1.22 1999/09/16 20:41:36 assar Exp $");
+
+FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
+int	prettydump;
+
+/*
+ * SetSockOpt()
+ *
+ * Compensate for differences in 4.2 and 4.3 systems.
+ */
+
+int
+SetSockOpt(int fd, int level, int option, int yesno)
+{
+#ifdef HAVE_SETSOCKOPT
+#ifndef	NOT43
+    return setsockopt(fd, level, option,
+				(void *)&yesno, sizeof yesno);
+#else	/* NOT43 */
+    if (yesno == 0) {		/* Can't do that in 4.2! */
+	fprintf(stderr, "Error: attempt to turn off an option 0x%x.\n",
+				option);
+	return -1;
+    }
+    return setsockopt(fd, level, option, 0, 0);
+#endif	/* NOT43 */
+#else
+    return -1;
+#endif
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+char NetTraceFile[256] = "(standard output)";
+
+void
+SetNetTrace(char *file)
+{
+    if (NetTrace && NetTrace != stdout)
+	fclose(NetTrace);
+    if (file  && (strcmp(file, "-") != 0)) {
+	NetTrace = fopen(file, "w");
+	if (NetTrace) {
+	    strlcpy(NetTraceFile, file, sizeof(NetTraceFile));
+	    return;
+	}
+	fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strlcpy(NetTraceFile, "(standard output)", sizeof(NetTraceFile));
+}
+
+void
+Dump(char direction, unsigned char *buffer, int length)
+{
+#   define BYTES_PER_LINE	32
+    unsigned char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+	/* print one line */
+	fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+	pThis = buffer;
+	if (prettydump) {
+	    buffer = buffer + min(length, BYTES_PER_LINE/2);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%c%.2x",
+		    (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+		    (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE/2;
+	    offset += BYTES_PER_LINE/2;
+	} else {
+	    buffer = buffer + min(length, BYTES_PER_LINE);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE;
+	    offset += BYTES_PER_LINE;
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	if (length < 0) {
+	    fflush(NetTrace);
+	    return;
+	}
+	/* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+void
+printoption(char *direction, int cmd, int option)
+{
+	if (!showoptions)
+		return;
+	if (cmd == IAC) {
+		if (TELCMD_OK(option))
+		    fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+		else
+		    fprintf(NetTrace, "%s IAC %d", direction, option);
+	} else {
+		char *fmt;
+		fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+			(cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+		if (fmt) {
+		    fprintf(NetTrace, "%s %s ", direction, fmt);
+		    if (TELOPT_OK(option))
+			fprintf(NetTrace, "%s", TELOPT(option));
+		    else if (option == TELOPT_EXOPL)
+			fprintf(NetTrace, "EXOPL");
+		    else
+			fprintf(NetTrace, "%d", option);
+		} else
+		    fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	    fflush(NetTrace);
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	return;
+}
+
+void
+optionstatus(void)
+{
+    int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+	if (do_dont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+	    else
+		printf("resp DO_DONT %d: %d\n", i,
+				do_dont_resp[i]);
+	    if (my_want_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("want DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DO   %s\n", TELCMD(i));
+		else
+		    printf("want DO   %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want DONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DONT %s\n", TELCMD(i));
+		else
+		    printf("want DONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("     DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     DO   %s\n", TELCMD(i));
+		else
+		    printf("     DO   %d\n", i);
+	    }
+	}
+	if (will_wont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+	    else
+		printf("resp WILL_WONT %d: %d\n",
+				i, will_wont_resp[i]);
+	    if (my_want_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("want WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WILL %s\n", TELCMD(i));
+		else
+		    printf("want WILL %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want WONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WONT %s\n", TELCMD(i));
+		else
+		    printf("want WONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("     WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     WILL %s\n", TELCMD(i));
+		else
+		    printf("     WILL %d\n", i);
+	    }
+	}
+    }
+
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+{
+    int i;
+    unsigned char buf[512];
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+	(want_status_response && (pointer[0] == TELOPT_STATUS))) {
+	if (direction) {
+	    fprintf(NetTrace, "%s IAC SB ",
+				(direction == '<')? "RCVD":"SENT");
+	    if (length >= 3) {
+		int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    fprintf(NetTrace, "(terminated by ");
+		    if (TELOPT_OK(i))
+			fprintf(NetTrace, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			fprintf(NetTrace, "%s ", TELCMD(i));
+		    else
+			fprintf(NetTrace, "%d ", i);
+		    if (TELOPT_OK(j))
+			fprintf(NetTrace, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			fprintf(NetTrace, "%s", TELCMD(j));
+		    else
+			fprintf(NetTrace, "%d", j);
+		    fprintf(NetTrace, ", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    fprintf(NetTrace, "(Empty suboption??\?)");
+	    if (NetTrace == stdout)
+		fflush(NetTrace);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    fprintf(NetTrace, "TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    fprintf(NetTrace, "TERMINAL-SPEED");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " IS ");
+		fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		fprintf(NetTrace, " OFF"); break;
+	    case LFLOW_ON:
+		fprintf(NetTrace, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		fprintf(NetTrace, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		fprintf(NetTrace, " RESTART-XON"); break;
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+	case TELOPT_NAWS:
+	    fprintf(NetTrace, "NAWS");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		fprintf(NetTrace, " ?%d?", pointer[1]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		fprintf(NetTrace, " ?%d?", pointer[3]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    fprintf(NetTrace, "AUTHENTICATION");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, "%d ", pointer[2]);
+		if (length < 3) {
+		    fprintf(NetTrace, "(partial suboption??\?)");
+		    break;
+		}
+		fprintf(NetTrace, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		fprintf(NetTrace, " SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    if (++i >= length) {
+			fprintf(NetTrace, "(partial suboption??\?)");
+			break;
+		    }
+		    fprintf(NetTrace, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		fprintf(NetTrace, " NAME \"");
+		while (i < length)
+		    putc(pointer[i++], NetTrace);
+		putc('"', NetTrace);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++)
+			fprintf(NetTrace, " ?%d?", pointer[i]);
+		    break;
+	    }
+	    break;
+#endif
+
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+	    fprintf(NetTrace, "ENCRYPT");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		fprintf(NetTrace, " START");
+		break;
+
+	    case ENCRYPT_END:
+		fprintf(NetTrace, " END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		fprintf(NetTrace, " REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		fprintf(NetTrace, " REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		fprintf(NetTrace, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    fprintf(NetTrace, " (partial suboption?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[2]);
+
+		encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		fprintf(NetTrace, " SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		fprintf(NetTrace, " ENC_KEYID ");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		fprintf(NetTrace, " DEC_KEYID ");
+		goto encommon;
+
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+		break;
+	    }
+	    break;
+#endif
+
+	case TELOPT_LINEMODE:
+	    fprintf(NetTrace, "LINEMODE ");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		fprintf(NetTrace, "WILL ");
+		goto common;
+	    case WONT:
+		fprintf(NetTrace, "WONT ");
+		goto common;
+	    case DO:
+		fprintf(NetTrace, "DO ");
+		goto common;
+	    case DONT:
+		fprintf(NetTrace, "DONT ");
+	    common:
+		if (length < 3) {
+		    fprintf(NetTrace, "(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    fprintf(NetTrace, "Forward Mask");
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %x", pointer[i]);
+		    break;
+		default:
+		    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %d", pointer[i]);
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		fprintf(NetTrace, "SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			fprintf(NetTrace, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			fprintf(NetTrace, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			fprintf(NetTrace, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			fprintf(NetTrace, " DEFAULT"); break;
+		    }
+		    fprintf(NetTrace, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS))
+			fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+		    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+
+	    case LM_MODE:
+		fprintf(NetTrace, "MODE ");
+		if (length < 3) {
+		    fprintf(NetTrace, "(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[64];
+		    snprintf(tbuf, sizeof(tbuf),
+			     "%s%s%s%s%s",
+			     pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			     pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			     pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			     pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			     pointer[2]&MODE_ACK ? "|ACK" : "");
+		    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_MASK))
+		    fprintf(NetTrace, " (0x%x)", pointer[2]);
+		for (i = 3; i < length; i++)
+		    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+		break;
+	    default:
+		fprintf(NetTrace, "%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    char *cp;
+	    int j, k;
+
+	    fprintf(NetTrace, "STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    case TELQUAL_IS:
+		if (--want_status_response < 0)
+		    want_status_response = 0;
+		if (NetTrace == stdout)
+		    fprintf(NetTrace, " IS\r\n");
+		else
+		    fprintf(NetTrace, " IS\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK((int)pointer[i]))
+			    fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+			break;
+
+		    case SB:
+			fprintf(NetTrace, " SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    fprintf(NetTrace, " SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+
+			break;
+
+		    default:
+			fprintf(NetTrace, " %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    fprintf(NetTrace, "NEW-ENVIRON ");
+#ifdef	OLD_ENVIRON
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    fprintf(NetTrace, "OLD-ENVIRON");
+	env_common1:
+#endif
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		fprintf(NetTrace, "INFO ");
+	    env_common:
+		{
+		    int noquote = 2;
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VALUE:
+#ifdef OLD_ENVIRON
+		     /*	case NEW_ENV_OVAR: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VAR " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VAR:
+#ifdef OLD_ENVIRON
+		     /* case OLD_ENV_VALUE: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VALUE " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    fprintf(NetTrace, "\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    putc('"', NetTrace);
+				    noquote = 0;
+				}
+				putc(pointer[i], NetTrace);
+			    } else {
+				fprintf(NetTrace, "\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			putc('"', NetTrace);
+		    break;
+		}
+	    }
+	    break;
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		fprintf(NetTrace, "%d (unknown)", pointer[0]);
+	    for (i = 1; i < length; i++)
+		fprintf(NetTrace, " %d", pointer[i]);
+	    break;
+	}
+	if (direction) {
+	    if (NetTrace == stdout)
+		fprintf(NetTrace, "\r\n");
+	    else
+		fprintf(NetTrace, "\n");
+	}
+	if (NetTrace == stdout)
+	    fflush(NetTrace);
+    }
+}
+
+/* EmptyTerminal - called to make sure that the terminal buffer is empty.
+ *			Note that we consider the buffer to run all the
+ *			way to the kernel (thus the select).
+ */
+
+void
+EmptyTerminal(void)
+{
+    fd_set	outs;
+
+    FD_ZERO(&outs);
+
+    if (TTYBYTES() == 0) {
+	FD_SET(tout, &outs);
+	select(tout+1, 0, &outs, 0,
+		      (struct timeval *) 0); /* wait for TTLOWAT */
+    } else {
+	while (TTYBYTES()) {
+	    ttyflush(0);
+	    FD_SET(tout, &outs);
+	    select(tout+1, 0, &outs, 0,
+			  (struct timeval *) 0); /* wait for TTLOWAT */
+	}
+    }
+}
+
+void
+SetForExit(void)
+{
+    setconnmode(0);
+    do {
+	telrcv();			/* Process any incoming data */
+	EmptyTerminal();
+    } while (ring_full_count(&netiring));	/* While there is any */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+    setconnmode(0);
+    EmptyTerminal();			/* Flush the path to the tty */
+    setcommandmode();
+}
+
+void
+Exit(int returnCode)
+{
+    SetForExit();
+    exit(returnCode);
+}
+
+void
+ExitString(char *string, int returnCode)
+{
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.am b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
new file mode 100644
index 0000000..f94a435
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
@@ -0,0 +1,23 @@
+# $Id: Makefile.am,v 1.13 2000/01/06 15:12:46 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+libexec_PROGRAMS = telnetd
+
+CHECK_LOCAL = 
+
+telnetd_SOURCES  = telnetd.c state.c termstat.c slc.c sys_term.c \
+		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+
+man_MANS = telnetd.8
+
+LDADD = \
+	../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_tgetent) \
+	$(LIB_logwtmp) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.in b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
new file mode 100644
index 0000000..52ccb60
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
@@ -0,0 +1,683 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.13 2000/01/06 15:12:46 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = 
+
+libexec_PROGRAMS = telnetd
+
+telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c 		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+
+
+man_MANS = telnetd.8
+
+LDADD =  	../libtelnet/libtelnet.a 	$(LIB_krb5) 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(LIB_tgetent) 	$(LIB_logwtmp) 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  telnetd$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+telnetd_OBJECTS =  telnetd.$(OBJEXT) state.$(OBJEXT) termstat.$(OBJEXT) \
+slc.$(OBJEXT) sys_term.$(OBJEXT) utility.$(OBJEXT) global.$(OBJEXT) \
+authenc.$(OBJEXT)
+telnetd_LDADD = $(LDADD)
+@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+telnetd_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(telnetd_SOURCES)
+OBJECTS = $(telnetd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnetd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES)
+	@rm -f telnetd$(EXEEXT)
+	$(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS)
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/telnet/telnetd
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnetd/authenc.c b/crypto/heimdal/appl/telnet/telnetd/authenc.c
new file mode 100644
index 0000000..ec5f2dc
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/authenc.c
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: authenc.c,v 1.9 1999/09/05 19:14:50 assar Exp $");
+
+#ifdef AUTHENTICATION
+
+int
+telnet_net_write(unsigned char *str, int len)
+{
+    if (nfrontp + len < netobuf + BUFSIZ) {
+	memmove(nfrontp, str, len);
+	nfrontp += len;
+	return(len);
+    }
+    return(0);
+}
+
+void
+net_encrypt(void)
+{
+#ifdef ENCRYPTION
+    char *s = (nclearto > nbackp) ? nclearto : nbackp;
+    if (s < nfrontp && encrypt_output) {
+	(*encrypt_output)((unsigned char *)s, nfrontp - s);
+    }
+    nclearto = nfrontp;
+#endif
+}
+
+int
+telnet_spin(void)
+{
+    return ttloop();
+}
+
+char *
+telnet_getenv(char *val)
+{
+    extern char *getenv(const char *);
+    return(getenv(val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+    return NULL;
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnetd/defs.h b/crypto/heimdal/appl/telnet/telnetd/defs.h
new file mode 100644
index 0000000..dc3f842
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/defs.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defs.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Telnet server defines
+ */
+
+#ifndef __DEFS_H__
+#define __DEFS_H__
+
+#ifndef	BSD
+# define	BSD 43
+#endif
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define	SLC_NAMES
+#endif
+
+#if	!defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define	TIOCSCTTY TCSETCTTY
+#endif
+
+#ifndef TIOCPKT_FLUSHWRITE
+#define TIOCPKT_FLUSHWRITE      0x02
+#endif
+ 
+#ifndef TIOCPKT_NOSTOP
+#define TIOCPKT_NOSTOP  0x10
+#endif
+ 
+#ifndef TIOCPKT_DOSTOP
+#define TIOCPKT_DOSTOP  0x20
+#endif
+
+/*
+ * I/O data buffers defines
+ */
+#define	NETSLOP	64
+#ifdef _CRAY
+#undef BUFSIZ
+#define BUFSIZ  2048
+#endif
+
+#define	NIACCUM(c)	{   *netip++ = c; \
+			    ncc++; \
+			}
+
+/* clock manipulations */
+#define	settimer(x)	(clocks.x = ++clocks.system)
+#define	sequenceIs(x,y)	(clocks.x < clocks.y)
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+	unsigned char	flag;		/* the flags for this function */
+	cc_t		val;		/* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+	slcent		defset;		/* the default settings */
+	slcent		current;	/* the current settings */
+	cc_t		*sptr;		/* a pointer to the char in */
+					/* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define	TD_REPORT	0x01	/* Report operations to client */
+#define TD_EXERCISE	0x02	/* Exercise client's implementation */
+#define TD_NETDATA	0x04	/* Display received data stream */
+#define TD_PTYDATA	0x08	/* Display data passed to pty */
+#define	TD_OPTIONS	0x10	/* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		(options[opt] |= MY_STATE_DO)
+#define	set_my_state_will(opt)		(options[opt] |= MY_STATE_WILL)
+#define	set_my_want_state_do(opt)	(options[opt] |= MY_WANT_STATE_DO)
+#define	set_my_want_state_will(opt)	(options[opt] |= MY_WANT_STATE_WILL)
+
+#define	set_my_state_dont(opt)		(options[opt] &= ~MY_STATE_DO)
+#define	set_my_state_wont(opt)		(options[opt] &= ~MY_STATE_WILL)
+#define	set_my_want_state_dont(opt)	(options[opt] &= ~MY_WANT_STATE_DO)
+#define	set_my_want_state_wont(opt)	(options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+			((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+			((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+#define his_will_wont_is_changing	my_do_dont_is_changing
+#define his_do_dont_is_changing		my_will_wont_is_changing
+
+#endif /* __DEFS_H__ */
diff --git a/crypto/heimdal/appl/telnet/telnetd/ext.h b/crypto/heimdal/appl/telnet/telnetd/ext.h
new file mode 100644
index 0000000..8f5edf1
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/ext.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ext.h	8.2 (Berkeley) 12/15/93
+ */
+
+/* $Id: ext.h,v 1.19 1999/09/05 19:15:21 assar Exp $ */
+
+#ifndef __EXT_H__
+#define __EXT_H__
+
+/*
+ * Telnet server variable declarations
+ */
+extern char	options[256];
+extern char	do_dont_resp[256];
+extern char	will_wont_resp[256];
+extern int	flowmode;	/* current flow control state */
+extern int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+extern int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+extern int	require_otp;
+#ifdef AUTHENTICATION
+extern int	auth_level;
+#endif
+extern const char *new_login;
+
+extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+extern char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+extern char	netibuf[BUFSIZ], *netip;
+
+extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	*neturg;		/* one past last bye of urgent data */
+
+extern int	pcc, ncc;
+
+extern int	ourpty, net;
+extern char	*line;
+extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+int telnet_net_write (unsigned char *str, int len);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (char *val);
+char *telnet_gets (char *prompt, char *result, int length, int echo);
+void get_slc_defaults (void);
+void telrcv (void);
+void send_do (int option, int init);
+void willoption (int option);
+void send_dont (int option, int init);
+void wontoption (int option);
+void send_will (int option, int init);
+void dooption (int option);
+void send_wont (int option, int init);
+void dontoption (int option);
+void suboption (void);
+void doclientstat (void);
+void send_status (void);
+void init_termbuf (void);
+void set_termbuf (void);
+int spcset (int func, cc_t *valp, cc_t **valpp);
+void set_utid (void);
+int getpty (int *ptynum);
+int tty_isecho (void);
+int tty_flowmode (void);
+int tty_restartany (void);
+void tty_setecho (int on);
+int tty_israw (void);
+void tty_binaryin (int on);
+void tty_binaryout (int on);
+int tty_isbinaryin (void);
+int tty_isbinaryout (void);
+int tty_issofttab (void);
+void tty_setsofttab (int on);
+int tty_islitecho (void);
+void tty_setlitecho (int on);
+int tty_iscrnl (void);
+void tty_tspeed (int val);
+void tty_rspeed (int val);
+void getptyslave (void);
+int cleanopen (char *line);
+void startslave (char *host, int autologin, char *autoname);
+void init_env (void);
+void start_login (char *host, int autologin, char *name);
+void cleanup (int sig);
+int main (int argc, char **argv);
+int getterminaltype (char *name, size_t);
+void _gettermname (void);
+int terminaltypeok (char *s);
+void my_telnet (int f, int p, char*, int, char*);
+void interrupt (void);
+void sendbrk (void);
+void sendsusp (void);
+void recv_ayt (void);
+void doeof (void);
+void flowstat (void);
+void clientstat (int code, int parm1, int parm2);
+int ttloop (void);
+int stilloob (int s);
+void ptyflush (void);
+char *nextitem (char *current);
+void netclear (void);
+void netflush (void);
+void writenet (unsigned char *ptr, int len);
+void fatal (int f, char *msg);
+void fatalperror (int f, const char *msg);
+void edithost (char *pat, char *host);
+void putstr (char *s);
+void putchr (int cc);
+void putf (char *cp, char *where);
+void printoption (char *fmt, int option);
+void printsub (int direction, unsigned char *pointer, int length);
+void printdata (char *tag, char *ptr, int cnt);
+int login_tty(int t);
+
+#ifdef ENCRYPTION
+extern void	(*encrypt_output) (unsigned char *, int);
+extern int	(*decrypt_input) (int);
+extern char	*nclearto;
+#endif
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t{
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	ttypesubopt,		/* ttype subopt is received */
+	tspeedsubopt,		/* tspeed subopt is received */
+	environsubopt,		/* environ subopt is received */
+	oenvironsubopt,		/* old environ subopt is received */
+	xdisplocsubopt,		/* xdisploc subopt is received */
+	baseline,		/* time started to do timed action */
+	gotDM;			/* when did we last see a data mark */
+};
+extern struct clocks_t clocks;
+
+extern int log_unauth;
+extern int no_warn;
+
+#ifdef STREAMSPTY
+extern int really_stream;
+#endif
+
+#ifndef USE_IM
+# ifdef CRAY
+#  define USE_IM "Cray UNICOS (%h) (%t)"
+# endif
+# ifdef _AIX
+#  define USE_IM "%s %v.%r (%h) (%t)"
+# endif
+# ifndef USE_IM
+#  define USE_IM "%s %r (%h) (%t)"
+# endif
+#endif
+
+#define DEFAULT_IM "\r\n\r\n" USE_IM "\r\n\r\n\r\n"
+
+#endif /* __EXT_H__ */
diff --git a/crypto/heimdal/appl/telnet/telnetd/global.c b/crypto/heimdal/appl/telnet/telnetd/global.c
new file mode 100644
index 0000000..275cb45
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/global.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* a *lot* of ugly global definitions that really should be removed...
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: global.c,v 1.12 1997/05/11 06:29:59 assar Exp $");
+
+/*
+ * Telnet server variable declarations
+ */
+char	options[256];
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+int	linemode;	/* linemode on/off */
+int	flowmode;	/* current flow control state */
+int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+int	require_otp;
+
+slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+char	netibuf[BUFSIZ], *netip;
+
+char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+char	*neturg;		/* one past last bye of urgent data */
+
+int	pcc, ncc;
+
+int	ourpty, net;
+int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t clocks;
+
+
+/* whether to log unauthenticated login attempts */
+int log_unauth;
+
+/* do not print warning if connection is not encrypted */
+int no_warn;
+
+/*
+ * This function appends data to nfrontp and advances nfrontp.
+ */
+
+int
+output_data (const char *format, ...)
+{
+  va_list args;
+  size_t remaining, ret;
+
+  va_start(args, format);
+  remaining = BUFSIZ - (nfrontp - netobuf);
+  ret = vsnprintf (nfrontp,
+		   remaining,
+		   format,
+		   args);
+  nfrontp += ret;
+  va_end(args);
+  return ret;
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/slc.c b/crypto/heimdal/appl/telnet/telnetd/slc.c
new file mode 100644
index 0000000..799d2d8
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/slc.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: slc.c,v 1.10 1997/05/11 06:30:00 assar Exp $");
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+void
+get_slc_defaults(void)
+{
+    int i;
+    
+    init_termbuf();
+    
+    for (i = 1; i <= NSLC; i++) {
+	slctab[i].defset.flag =
+	    spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
+	slctab[i].current.flag = SLC_NOSUPPORT;
+	slctab[i].current.val = 0;
+    }
+    
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/state.c b/crypto/heimdal/appl/telnet/telnetd/state.c
new file mode 100644
index 0000000..80b90ea
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/state.c
@@ -0,0 +1,1356 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: state.c,v 1.13 1999/05/13 23:12:50 assar Exp $");
+
+unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
+unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char	will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char	wont[] = { IAC, WONT, '%', 'c', 0 };
+int	not42 = 1;
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[2048], *subpointer= subbuffer, *subend= subbuffer;
+
+#define	SB_CLEAR()	subpointer = subbuffer
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+    *subpointer++ = (c); \
+			     }
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+#ifdef	ENV_HACK
+unsigned char *subsave;
+#define SB_SAVE()	subsave = subpointer;
+#define	SB_RESTORE()	subpointer = subsave;
+#endif
+
+
+/*
+ * State for recv fsm
+ */
+#define	TS_DATA		0	/* base state */
+#define	TS_IAC		1	/* look for double IAC's */
+#define	TS_CR		2	/* CR-LF ->'s CR */
+#define	TS_SB		3	/* throw away begin's... */
+#define	TS_SE		4	/* ...end's (suboption negotiation) */
+#define	TS_WILL		5	/* will option negotiation */
+#define	TS_WONT		6	/* wont -''- */
+#define	TS_DO		7	/* do -''- */
+#define	TS_DONT		8	/* dont -''- */
+
+void
+telrcv(void)
+{
+    int c;
+    static int state = TS_DATA;
+
+    while (ncc > 0) {
+	if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+	    break;
+	c = *netip++ & 0377, ncc--;
+#ifdef ENCRYPTION
+	if (decrypt_input)
+	    c = (*decrypt_input)(c);
+#endif
+	switch (state) {
+
+	case TS_CR:
+	    state = TS_DATA;
+	    /* Strip off \n or \0 after a \r */
+	    if ((c == 0) || (c == '\n')) {
+		break;
+	    }
+	    /* FALL THROUGH */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		state = TS_IAC;
+		break;
+	    }
+	    /*
+	     * We now map \r\n ==> \r for pragmatic reasons.
+	     * Many client implementations send \r\n when
+	     * the user hits the CarriageReturn key.
+	     *
+	     * We USED to map \r\n ==> \n, since \r\n says
+	     * that we want to be in column 1 of the next
+	     * printable line, and \n is the standard
+	     * unix way of saying that (\r is only good
+	     * if CRMOD is set, which it normally is).
+	     */
+	    if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+		int nc = *netip;
+#ifdef ENCRYPTION
+		if (decrypt_input)
+		    nc = (*decrypt_input)(nc & 0xff);
+#endif
+		{
+#ifdef ENCRYPTION
+		    if (decrypt_input)
+			(void)(*decrypt_input)(-1);
+#endif
+		    state = TS_CR;
+		}
+	    }
+	    *pfrontp++ = c;
+	    break;
+
+	case TS_IAC:
+	gotiac:			switch (c) {
+
+	    /*
+	     * Send the process on the pty side an
+	     * interrupt.  Do this with a NULL or
+	     * interrupt char; depending on the tty mode.
+	     */
+	case IP:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    interrupt();
+	    break;
+
+	case BREAK:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    sendbrk();
+	    break;
+
+	    /*
+	     * Are You There?
+	     */
+	case AYT:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    recv_ayt();
+	    break;
+
+	    /*
+	     * Abort Output
+	     */
+	case AO:
+	    {
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+
+		if (slctab[SLC_AO].sptr &&
+		    *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) {
+		    *pfrontp++ =
+			(unsigned char)*slctab[SLC_AO].sptr;
+		}
+
+		netclear();	/* clear buffer back */
+		output_data ("%c%c", IAC, DM);
+		neturg = nfrontp-1; /* off by one XXX */
+		DIAG(TD_OPTIONS,
+		     printoption("td: send IAC", DM));
+		break;
+	    }
+
+	/*
+	 * Erase Character and
+	 * Erase Line
+	 */
+	case EC:
+	case EL:
+	    {
+		cc_t ch;
+
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+		if (c == EC)
+		    ch = *slctab[SLC_EC].sptr;
+		else
+		    ch = *slctab[SLC_EL].sptr;
+		if (ch != (cc_t)(_POSIX_VDISABLE))
+		    *pfrontp++ = (unsigned char)ch;
+		break;
+	    }
+
+	/*
+	 * Check for urgent data...
+	 */
+	case DM:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    SYNCHing = stilloob(net);
+	    settimer(gotDM);
+	    break;
+
+
+	    /*
+	     * Begin option subnegotiation...
+	     */
+	case SB:
+	    state = TS_SB;
+	    SB_CLEAR();
+	    continue;
+
+	case WILL:
+	    state = TS_WILL;
+	    continue;
+
+	case WONT:
+	    state = TS_WONT;
+	    continue;
+
+	case DO:
+	    state = TS_DO;
+	    continue;
+
+	case DONT:
+	    state = TS_DONT;
+	    continue;
+	case EOR:
+	    if (his_state_is_will(TELOPT_EOR))
+		doeof();
+	    break;
+
+	    /*
+	     * Handle RFC 10xx Telnet linemode option additions
+	     * to command stream (EOF, SUSP, ABORT).
+	     */
+	case xEOF:
+	    doeof();
+	    break;
+
+	case SUSP:
+	    sendsusp();
+	    break;
+
+	case ABORT:
+	    sendbrk();
+	    break;
+
+	case IAC:
+	    *pfrontp++ = c;
+	    break;
+	}
+	state = TS_DATA;
+	break;
+
+	case TS_SB:
+	    if (c == IAC) {
+		state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    break;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * bad form of suboption negotiation.
+		     * handle it in such a way as to avoid
+		     * damage to local state.  Parse
+		     * suboption buffer found so far,
+		     * then treat remaining stream as
+		     * another command sequence.
+		     */
+
+		    /* for DIAGNOSTICS */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+
+		    SB_TERM();
+		    suboption();
+		    state = TS_IAC;
+		    goto gotiac;
+		}
+		SB_ACCUM(c);
+		state = TS_SB;
+	    } else {
+		/* for DIAGNOSTICS */
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		state = TS_DATA;
+	    }
+	    break;
+
+	case TS_WILL:
+	    willoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    wontoption(c);
+	    if (c==TELOPT_ENCRYPT && his_do_dont_is_changing(TELOPT_ENCRYPT) )
+                dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    dooption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	default:
+	    syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
+	    printf("telnetd: panic state=%d\n", state);
+	    exit(1);
+	}
+    }
+}  /* end of telrcv */
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *	my_state = the last negotiated state
+ *	want_state = what I want the state to go to
+ *	want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ *
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *	do nothing;
+ * } else {
+ *	want_state = new_state;
+ *	send new_state;
+ *	want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *	want_resp--;
+ *	if (want_resp && (new_state == my_state))
+ *		want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *	if (ok_to_switch_to new_state)
+ *		want_state = new_state;
+ *	else
+ *		want_resp++;
+ *	send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+void
+send_do(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+	    his_want_state_is_will(option))
+	    return;
+	/*
+	 * Special case for TELOPT_TM:  We send a DO, but pretend
+	 * that we sent a DONT, so that we can send more DOs if
+	 * we want to.
+	 */
+	if (option == TELOPT_TM)
+	    set_his_want_state_wont(option);
+	else
+	    set_his_want_state_will(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)doopt, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef	AUTHENTICATION
+extern void auth_request(void);
+#endif
+#ifdef	ENCRYPTION
+extern void encrypt_send_support();
+#endif
+
+void
+willoption(int option)
+{
+    int changeok = 0;
+    void (*func)() = 0;
+
+    /*
+     * process input from peer.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv will", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_will(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_wont(option)) {
+	    switch (option) {
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(1);
+		set_termbuf();
+		changeok++;
+		break;
+
+	    case TELOPT_ECHO:
+		/*
+		 * See comments below for more info.
+		 */
+		not42 = 0;	/* looks like a 4.2 system */
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * We never respond to a WILL TM, and
+		 * we leave the state WONT.
+		 */
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are going to support flow control
+		 * option, then don't worry peer that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+	    case TELOPT_TTYPE:
+	    case TELOPT_SGA:
+	    case TELOPT_NAWS:
+	    case TELOPT_TSPEED:
+	    case TELOPT_XDISPLOC:
+	    case TELOPT_NEW_ENVIRON:
+	    case TELOPT_OLD_ENVIRON:
+		changeok++;
+		break;
+
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		changeok++;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		changeok++;
+		break;
+#endif
+			
+	    default:
+		break;
+	    }
+	    if (changeok) {
+		set_his_want_state_will(option);
+		send_do(option, 0);
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	} else {
+	    /*
+	     * Option processing that should happen when
+	     * we receive conformation of a change in
+	     * state that we had requested.
+	     */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 0;	/* looks like a 4.2 system */
+		/*
+		 * Egads, he responded "WILL ECHO".  Turn
+		 * it off right now!
+		 */
+		send_dont(option, 1);
+		/*
+		 * "WILL ECHO".  Kludge upon kludge!
+		 * A 4.2 client is now echoing user input at
+		 * the tty.  This is probably undesireable and
+		 * it should be stopped.  The client will
+		 * respond WONT TM to the DO TM that we send to
+		 * check for kludge linemode.  When the WONT TM
+		 * arrives, linemode will be turned off and a
+		 * change propogated to the pty.  This change
+		 * will cause us to process the new pty state
+		 * in localstat(), which will notice that
+		 * linemode is off and send a WILL ECHO
+		 * so that we are properly in character mode and
+		 * all is well.
+		 */
+		break;
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		break;
+#endif
+
+	    case TELOPT_LFLOW:
+		func = flowstat;
+		break;
+	    }
+	}
+    }
+    set_his_state_will(option);
+    if (func)
+	(*func)();
+}  /* end of willoption */
+
+void
+send_dont(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+	    his_want_state_is_wont(option))
+	    return;
+	set_his_want_state_wont(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)dont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+void
+wontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+    DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_wont(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_will(option)) {
+	    /* it is always ok to change to negative state */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 1; /* doesn't seem to be a 4.2 system */
+		break;
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(0);
+		set_termbuf();
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * If we get a WONT TM, and had sent a DO TM,
+		 * don't respond with a DONT TM, just leave it
+		 * as is.  Short circut the state machine to
+		 * achive this.
+		 */
+		set_his_want_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are not going to support flow control
+		 * option, then let peer know that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+
+		/*
+		 * For options that we might spin waiting for
+		 * sub-negotiation, if the client turns off the
+		 * option rather than responding to the request,
+		 * we have to treat it here as if we got a response
+		 * to the sub-negotiation, (by updating the timers)
+		 * so that we'll break out of the loop.
+		 */
+	    case TELOPT_TTYPE:
+		settimer(ttypesubopt);
+		break;
+
+	    case TELOPT_TSPEED:
+		settimer(tspeedsubopt);
+		break;
+
+	    case TELOPT_XDISPLOC:
+		settimer(xdisplocsubopt);
+		break;
+
+	    case TELOPT_OLD_ENVIRON:
+		settimer(oenvironsubopt);
+		break;
+
+	    case TELOPT_NEW_ENVIRON:
+		settimer(environsubopt);
+		break;
+
+	    default:
+		break;
+	    }
+	    set_his_want_state_wont(option);
+	    if (his_state_is_will(option))
+		send_dont(option, 0);
+	} else {
+	    switch (option) {
+	    case TELOPT_TM:
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+    set_his_state_wont(option);
+
+}  /* end of wontoption */
+
+void
+send_will(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+	    my_want_state_is_will(option))
+	    return;
+	set_my_want_state_will(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)will, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+
+void
+dooption(int option)
+{
+    int changeok = 0;
+
+    /*
+     * Process client input.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv do", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_will(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+	switch (option) {
+	case TELOPT_ECHO:
+	    {
+		init_termbuf();
+		tty_setecho(1);
+		set_termbuf();
+	    }
+	changeok++;
+	break;
+
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(1);
+	    set_termbuf();
+	    changeok++;
+	    break;
+
+	case TELOPT_SGA:
+	    turn_on_sga = 0;
+	    changeok++;
+	    break;
+
+	case TELOPT_STATUS:
+	    changeok++;
+	    break;
+
+	case TELOPT_TM:
+	    /*
+	     * Special case for TM.  We send a WILL, but
+	     * pretend we sent a WONT.
+	     */
+	    send_will(option, 0);
+	    set_my_want_state_wont(option);
+	    set_my_state_wont(option);
+	    return;
+
+	case TELOPT_LOGOUT:
+	    /*
+	     * When we get a LOGOUT option, respond
+	     * with a WILL LOGOUT, make sure that
+	     * it gets written out to the network,
+	     * and then just go away...
+	     */
+	    set_my_want_state_will(TELOPT_LOGOUT);
+	    send_will(TELOPT_LOGOUT, 0);
+	    set_my_state_will(TELOPT_LOGOUT);
+	    netflush();
+	    cleanup(0);
+	    /* NOT REACHED */
+	    break;
+
+#ifdef ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    changeok++;
+	    break;
+#endif
+	case TELOPT_LINEMODE:
+	case TELOPT_TTYPE:
+	case TELOPT_NAWS:
+	case TELOPT_TSPEED:
+	case TELOPT_LFLOW:
+	case TELOPT_XDISPLOC:
+#ifdef	TELOPT_ENVIRON
+	case TELOPT_NEW_ENVIRON:
+#endif
+	case TELOPT_OLD_ENVIRON:
+	default:
+	    break;
+	}
+	if (changeok) {
+	    set_my_want_state_will(option);
+	    send_will(option, 0);
+	} else {
+	    will_wont_resp[option]++;
+	    send_wont(option, 0);
+	}
+    }
+    set_my_state_will(option);
+
+}  /* end of dooption */
+
+void
+send_wont(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+	    my_want_state_is_wont(option))
+	    return;
+	set_my_want_state_wont(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)wont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+void
+dontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+
+    DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_wont(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+	switch (option) {
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(0);
+	    set_termbuf();
+	    break;
+
+	case TELOPT_ECHO:	/* we should stop echoing */
+	    {
+		init_termbuf();
+		tty_setecho(0);
+		set_termbuf();
+	    }
+	break;
+
+	case TELOPT_SGA:
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    set_my_state_wont(option);
+	    if (turn_on_sga ^= 1)
+		send_will(option, 1);
+	    return;
+
+	default:
+	    break;
+	}
+
+	set_my_want_state_wont(option);
+	if (my_state_is_will(option))
+	    send_wont(option, 0);
+    }
+    set_my_state_wont(option);
+
+}  /* end of dontoption */
+
+#ifdef	ENV_HACK
+int env_ovar = -1;
+int env_ovalue = -1;
+#else	/* ENV_HACK */
+# define env_ovar OLD_ENV_VAR
+# define env_ovalue OLD_ENV_VALUE
+#endif	/* ENV_HACK */
+
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *	Terminal type is
+ *	Linemode
+ *	Window size
+ *	Terminal speed
+ */
+void
+suboption(void)
+{
+    int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+    case TELOPT_TSPEED: {
+	int xspeed, rspeed;
+
+	if (his_state_is_wont(TELOPT_TSPEED))	/* Ignore if option disabled */
+	    break;
+
+	settimer(tspeedsubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+
+	xspeed = atoi((char *)subpointer);
+
+	while (SB_GET() != ',' && !SB_EOF());
+	if (SB_EOF())
+	    return;
+
+	rspeed = atoi((char *)subpointer);
+	clientstat(TELOPT_TSPEED, xspeed, rspeed);
+
+	break;
+
+    }  /* end of case TELOPT_TSPEED */
+
+    case TELOPT_TTYPE: {		/* Yaaaay! */
+	static char terminalname[41];
+
+	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
+	    break;
+	settimer(ttypesubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+	    return;		/* ??? XXX but, this is the most robust */
+	}
+
+	terminaltype = terminalname;
+
+	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+	       !SB_EOF()) {
+	    int c;
+
+	    c = SB_GET();
+	    if (isupper(c)) {
+		c = tolower(c);
+	    }
+	    *terminaltype++ = c;    /* accumulate name */
+	}
+	*terminaltype = 0;
+	terminaltype = terminalname;
+	break;
+    }  /* end of case TELOPT_TTYPE */
+
+    case TELOPT_NAWS: {
+	int xwinsize, ywinsize;
+
+	if (his_state_is_wont(TELOPT_NAWS))	/* Ignore if option disabled */
+	    break;
+
+	if (SB_EOF())
+	    return;
+	xwinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	xwinsize |= SB_GET();
+	if (SB_EOF())
+	    return;
+	ywinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	ywinsize |= SB_GET();
+	clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+
+	break;
+
+    }  /* end of case TELOPT_NAWS */
+
+    case TELOPT_STATUS: {
+	int mode;
+
+	if (SB_EOF())
+	    break;
+	mode = SB_GET();
+	switch (mode) {
+	case TELQUAL_SEND:
+	    if (my_state_is_will(TELOPT_STATUS))
+		send_status();
+	    break;
+
+	case TELQUAL_IS:
+	    break;
+
+	default:
+	    break;
+	}
+	break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+	settimer(xdisplocsubopt);
+	subpointer[SB_LEN()] = '\0';
+	setenv("DISPLAY", (char *)subpointer, 1);
+	break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+#ifdef	TELOPT_NEW_ENVIRON
+    case TELOPT_NEW_ENVIRON:
+#endif
+    case TELOPT_OLD_ENVIRON: {
+	int c;
+	char *cp, *varp, *valp;
+
+	if (SB_EOF())
+	    return;
+	c = SB_GET();
+	if (c == TELQUAL_IS) {
+	    if (subchar == TELOPT_OLD_ENVIRON)
+		settimer(oenvironsubopt);
+	    else
+		settimer(environsubopt);
+	} else if (c != TELQUAL_INFO) {
+	    return;
+	}
+
+#ifdef	TELOPT_NEW_ENVIRON
+	if (subchar == TELOPT_NEW_ENVIRON) {
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
+		    break;
+	    }
+	} else
+#endif
+	    {
+#ifdef	ENV_HACK
+		/*
+		 * We only want to do this if we haven't already decided
+		 * whether or not the other side has its VALUE and VAR
+		 * reversed.
+		 */
+		if (env_ovar < 0) {
+		    int last = -1;		/* invalid value */
+		    int empty = 0;
+		    int got_var = 0, got_value = 0, got_uservar = 0;
+
+		    /*
+		     * The other side might have its VALUE and VAR values
+		     * reversed.  To be interoperable, we need to determine
+		     * which way it is.  If the first recognized character
+		     * is a VAR or VALUE, then that will tell us what
+		     * type of client it is.  If the fist recognized
+		     * character is a USERVAR, then we continue scanning
+		     * the suboption looking for two consecutive
+		     * VAR or VALUE fields.  We should not get two
+		     * consecutive VALUE fields, so finding two
+		     * consecutive VALUE or VAR fields will tell us
+		     * what the client is.
+		     */
+		    SB_SAVE();
+		    while (!SB_EOF()) {
+			c = SB_GET();
+			switch(c) {
+			case OLD_ENV_VAR:
+			    if (last < 0 || last == OLD_ENV_VAR
+				|| (empty && (last == OLD_ENV_VALUE)))
+				goto env_ovar_ok;
+			    got_var++;
+			    last = OLD_ENV_VAR;
+			    break;
+			case OLD_ENV_VALUE:
+			    if (last < 0 || last == OLD_ENV_VALUE
+				|| (empty && (last == OLD_ENV_VAR)))
+				goto env_ovar_wrong;
+			    got_value++;
+			    last = OLD_ENV_VALUE;
+			    break;
+			case ENV_USERVAR:
+			    /* count strings of USERVAR as one */
+			    if (last != ENV_USERVAR)
+				got_uservar++;
+			    if (empty) {
+				if (last == OLD_ENV_VALUE)
+				    goto env_ovar_ok;
+				if (last == OLD_ENV_VAR)
+				    goto env_ovar_wrong;
+			    }
+			    last = ENV_USERVAR;
+			    break;
+			case ENV_ESC:
+			    if (!SB_EOF())
+				c = SB_GET();
+			    /* FALL THROUGH */
+			default:
+			    empty = 0;
+			    continue;
+			}
+			empty = 1;
+		    }
+		    if (empty) {
+			if (last == OLD_ENV_VALUE)
+			    goto env_ovar_ok;
+			if (last == OLD_ENV_VAR)
+			    goto env_ovar_wrong;
+		    }
+		    /*
+		     * Ok, the first thing was a USERVAR, and there
+		     * are not two consecutive VAR or VALUE commands,
+		     * and none of the VAR or VALUE commands are empty.
+		     * If the client has sent us a well-formed option,
+		     * then the number of VALUEs received should always
+		     * be less than or equal to the number of VARs and
+		     * USERVARs received.
+		     *
+		     * If we got exactly as many VALUEs as VARs and
+		     * USERVARs, the client has the same definitions.
+		     *
+		     * If we got exactly as many VARs as VALUEs and
+		     * USERVARS, the client has reversed definitions.
+		     */
+		    if (got_uservar + got_var == got_value) {
+		    env_ovar_ok:
+			env_ovar = OLD_ENV_VAR;
+			env_ovalue = OLD_ENV_VALUE;
+		    } else if (got_uservar + got_value == got_var) {
+		    env_ovar_wrong:
+			env_ovar = OLD_ENV_VALUE;
+			env_ovalue = OLD_ENV_VAR;
+			DIAG(TD_OPTIONS, {
+			    output_data("ENVIRON VALUE and VAR are reversed!\r\n");
+			});
+
+		    }
+		}
+		SB_RESTORE();
+#endif
+
+		while (!SB_EOF()) {
+		    c = SB_GET();
+		    if ((c == env_ovar) || (c == ENV_USERVAR))
+			break;
+		}
+	    }
+
+	if (SB_EOF())
+	    return;
+
+	cp = varp = (char *)subpointer;
+	valp = 0;
+
+	while (!SB_EOF()) {
+	    c = SB_GET();
+	    if (subchar == TELOPT_OLD_ENVIRON) {
+		if (c == env_ovar)
+		    c = NEW_ENV_VAR;
+		else if (c == env_ovalue)
+		    c = NEW_ENV_VALUE;
+	    }
+	    switch (c) {
+
+	    case NEW_ENV_VALUE:
+		*cp = '\0';
+		cp = valp = (char *)subpointer;
+		break;
+
+	    case NEW_ENV_VAR:
+	    case ENV_USERVAR:
+		*cp = '\0';
+		if (valp)
+		    setenv(varp, valp, 1);
+		else
+		    unsetenv(varp);
+		cp = varp = (char *)subpointer;
+		valp = 0;
+		break;
+
+	    case ENV_ESC:
+		if (SB_EOF())
+		    break;
+		c = SB_GET();
+		/* FALL THROUGH */
+	    default:
+		*cp++ = c;
+		break;
+	    }
+	}
+	*cp = '\0';
+	if (valp)
+	    setenv(varp, valp, 1);
+	else
+	    unsetenv(varp);
+	break;
+    }  /* end of case TELOPT_NEW_ENVIRON */
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case TELQUAL_SEND:
+	case TELQUAL_REPLY:
+	    /*
+	     * These are sent by us and cannot be sent by
+	     * the client.
+	     */
+	    break;
+	case TELQUAL_IS:
+	    auth_is(subpointer, SB_LEN());
+	    break;
+	case TELQUAL_NAME:
+	    auth_name(subpointer, SB_LEN());
+	    break;
+	}
+	break;
+#endif
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case ENCRYPT_SUPPORT:
+	    encrypt_support(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_IS:
+	    encrypt_is(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REPLY:
+	    encrypt_reply(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_START:
+	    encrypt_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_END:
+	    encrypt_end();
+	    break;
+	case ENCRYPT_REQSTART:
+	    encrypt_request_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REQEND:
+	    /*
+	     * We can always send an REQEND so that we cannot
+	     * get stuck encrypting.  We should only get this
+	     * if we have been able to get in the correct mode
+	     * anyhow.
+	     */
+	    encrypt_request_end();
+	    break;
+	case ENCRYPT_ENC_KEYID:
+	    encrypt_enc_keyid(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_DEC_KEYID:
+	    encrypt_dec_keyid(subpointer, SB_LEN());
+	    break;
+	default:
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+void
+doclientstat(void)
+{
+    clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+
+#define	ADD(c)	 *ncp++ = c
+#define	ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; }
+
+void
+send_status(void)
+{
+    unsigned char statusbuf[256];
+    unsigned char *ncp;
+    unsigned char i;
+
+    ncp = statusbuf;
+
+    netflush();	/* get rid of anything waiting to go out */
+
+    ADD(IAC);
+    ADD(SB);
+    ADD(TELOPT_STATUS);
+    ADD(TELQUAL_IS);
+
+    /*
+     * We check the want_state rather than the current state,
+     * because if we received a DO/WILL for an option that we
+     * don't support, and the other side didn't send a DONT/WONT
+     * in response to our WONT/DONT, then the "state" will be
+     * WILL/DO, and the "want_state" will be WONT/DONT.  We
+     * need to go by the latter.
+     */
+    for (i = 0; i < (unsigned char)NTELOPTS; i++) {
+	if (my_want_state_is_will(i)) {
+	    ADD(WILL);
+	    ADD_DATA(i);
+	}
+	if (his_want_state_is_will(i)) {
+	    ADD(DO);
+	    ADD_DATA(i);
+	}
+    }
+
+    if (his_want_state_is_will(TELOPT_LFLOW)) {
+	ADD(SB);
+	ADD(TELOPT_LFLOW);
+	if (flowmode) {
+	    ADD(LFLOW_ON);
+	} else {
+	    ADD(LFLOW_OFF);
+	}
+	ADD(SE);
+
+	if (restartany >= 0) {
+	    ADD(SB);
+	    ADD(TELOPT_LFLOW);
+	    if (restartany) {
+		ADD(LFLOW_RESTART_ANY);
+	    } else {
+		ADD(LFLOW_RESTART_XON);
+	    }
+	    ADD(SE);
+	}
+    }
+
+
+    ADD(IAC);
+    ADD(SE);
+
+    writenet(statusbuf, ncp - statusbuf);
+    netflush();	/* Send it on its way */
+
+    DIAG(TD_OPTIONS,
+	 {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/sys_term.c b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
new file mode 100644
index 0000000..bbacb05
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
@@ -0,0 +1,1867 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: sys_term.c,v 1.90 2000/01/01 11:53:59 assar Exp $");
+
+#if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
+# define PARENT_DOES_UTMP
+#endif
+
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+struct	utmpx wtmp;
+#elif defined(HAVE_UTMP_H)
+struct	utmp wtmp;
+#endif /* HAVE_UTMPX_H */
+
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+int	utmp_len = sizeof(wtmp.ut_host);
+#else
+int	utmp_len = MaxHostNameLen;
+#endif
+
+#ifndef UTMP_FILE
+#ifdef _PATH_UTMP
+#define UTMP_FILE _PATH_UTMP
+#else
+#define UTMP_FILE "/etc/utmp"
+#endif
+#endif
+
+#if !defined(WTMP_FILE) && defined(_PATH_WTMP)
+#define WTMP_FILE _PATH_WTMP
+#endif
+
+#ifndef PARENT_DOES_UTMP
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/usr/adm/wtmp";
+#endif
+char	utmpf[] = UTMP_FILE;
+#else /* PARENT_DOES_UTMP */
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/etc/wtmp";
+#endif
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef HAVE_TMPDIR_H
+#include <tmpdir.h>
+#endif	/* CRAY */
+
+#ifdef	STREAMSPTY
+
+#ifdef HAVE_SAC_H
+#include <sac.h>
+#endif
+
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+#endif /* STREAMSPTY */
+
+#ifdef	HAVE_SYS_STREAM_H
+#ifdef  HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef __hpux
+#undef SE
+#endif
+#include <sys/stream.h>
+#endif
+#if !(defined(__sgi) || defined(__linux) || defined(_AIX)) && defined(HAVE_SYS_TTY)
+#include <sys/tty.h>
+#endif
+#ifdef	t_erase
+#undef	t_erase
+#undef	t_kill
+#undef	t_intrc
+#undef	t_quitc
+#undef	t_startc
+#undef	t_stopc
+#undef	t_eofc
+#undef	t_brkc
+#undef	t_suspc
+#undef	t_dsuspc
+#undef	t_rprntc
+#undef	t_flushc
+#undef	t_werasc
+#undef	t_lnextc
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#else
+#ifdef HAVE_TERMIO_H
+#include <termio.h>
+#endif
+#endif
+
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t)	ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t)	ioctl(f, a, t)
+#  define	cfsetospeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+(tp)->c_cflag |= (val)
+#  define	cfgetospeed(tp)		((tp)->c_cflag & CBAUD)
+#  ifdef CIBAUD
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CIBAUD; \
+     (tp)->c_cflag |= ((val)<<IBSHIFT)
+#   define	cfgetispeed(tp)		(((tp)->c_cflag & CIBAUD)>>IBSHIFT)
+#  else
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+     (tp)->c_cflag |= (val)
+#   define	cfgetispeed(tp)		((tp)->c_cflag & CBAUD)
+#  endif
+# endif /* TCSANOW */
+     struct termios termbuf, termbuf2;	/* pty control structure */
+# ifdef  STREAMSPTY
+     static int ttyfd = -1;
+     int really_stream = 0;
+# endif
+
+     const char *new_login = _PATH_LOGIN;
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+     void
+     init_termbuf(void)
+{
+# ifdef  STREAMSPTY
+    if (really_stream)
+	tcgetattr(ttyfd, &termbuf);
+    else
+# endif
+	tcgetattr(ourpty, &termbuf);
+    termbuf2 = termbuf;
+}
+
+void
+set_termbuf(void)
+{
+    /*
+     * Only make the necessary changes.
+	 */
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf)))
+# ifdef  STREAMSPTY
+	if (really_stream)
+	    tcsetattr(ttyfd, TCSANOW, &termbuf);
+	else
+# endif
+	    tcsetattr(ourpty, TCSANOW, &termbuf);
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+
+int
+spcset(int func, cc_t *valp, cc_t **valpp)
+{
+
+#define	setval(a, b)	*valp = termbuf.c_cc[a]; \
+    *valpp = &termbuf.c_cc[a]; \
+				   return(b);
+#define	defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+    switch(func) {
+    case SLC_EOF:
+	setval(VEOF, SLC_VARIABLE);
+    case SLC_EC:
+	setval(VERASE, SLC_VARIABLE);
+    case SLC_EL:
+	setval(VKILL, SLC_VARIABLE);
+    case SLC_IP:
+	setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_ABORT:
+	setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_XON:
+#ifdef	VSTART
+	setval(VSTART, SLC_VARIABLE);
+#else
+	defval(0x13);
+#endif
+    case SLC_XOFF:
+#ifdef	VSTOP
+	setval(VSTOP, SLC_VARIABLE);
+#else
+	defval(0x11);
+#endif
+    case SLC_EW:
+#ifdef	VWERASE
+	setval(VWERASE, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_RP:
+#ifdef	VREPRINT
+	setval(VREPRINT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_LNEXT:
+#ifdef	VLNEXT
+	setval(VLNEXT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_AO:
+#if	!defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef	VDISCARD
+	setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+	defval(0);
+#endif
+    case SLC_SUSP:
+#ifdef	VSUSP
+	setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+	defval(0);
+#endif
+#ifdef	VEOL
+    case SLC_FORW1:
+	setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef	VEOL2
+    case SLC_FORW2:
+	setval(VEOL2, SLC_VARIABLE);
+#endif
+    case SLC_AYT:
+#ifdef	VSTATUS
+	setval(VSTATUS, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+
+    case SLC_BRK:
+    case SLC_SYNCH:
+    case SLC_EOR:
+	defval(0);
+
+    default:
+	*valp = 0;
+	*valpp = 0;
+	return(SLC_NOSUPPORT);
+    }
+}
+
+#ifdef _CRAY
+/*
+ * getnpty()
+ *
+ * Return the number of pty's configured into the system.
+ */
+int
+getnpty()
+{
+#ifdef _SC_CRAY_NPTY
+    int numptys;
+
+    if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1)
+	return numptys;
+    else
+#endif /* _SC_CRAY_NPTY */
+	return 128;
+}
+#endif /* CRAY */
+
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+
+static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = Xline;
+
+#ifdef	_CRAY
+char myline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#endif	/* CRAY */
+
+#if !defined(HAVE_PTSNAME) && defined(STREAMSPTY)
+static char *ptsname(int fd)
+{
+#ifdef HAVE_TTYNAME
+    return ttyname(fd);
+#else
+    return NULL;
+#endif
+}
+#endif
+
+int getpty(int *ptynum)
+{
+#ifdef __osf__ /* XXX */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+    return -1;
+#else
+#ifdef HAVE__GETPTY
+    int master, slave;
+    char *p;
+    p = _getpty(&master, O_RDWR, 0600, 1);
+    if(p == NULL)
+	return -1;
+    strlcpy(line, p, sizeof(Xline));
+    return master;
+#else
+
+    int p;
+    char *cp, *p1, *p2;
+    int i;
+#if SunOS == 40
+    int dummy;
+#endif
+#if 0 /* && defined(HAVE_OPENPTY) */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+#else
+#ifdef	STREAMSPTY
+    char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", 
+		      "/dev/ptym/clone", 0 };
+
+    char **q;
+    for(q=clone; *q; q++){
+	p=open(*q, O_RDWR);
+	if(p >= 0){
+#ifdef HAVE_GRANTPT
+	    grantpt(p);
+#endif
+#ifdef HAVE_UNLOCKPT
+	    unlockpt(p);
+#endif
+	    strlcpy(line, ptsname(p), sizeof(Xline));
+	    really_stream = 1;
+	    return p;
+	}
+    }
+#endif /* STREAMSPTY */
+#ifndef _CRAY
+
+#ifndef	__hpux
+    snprintf(line, sizeof(Xline), "/dev/ptyXX");
+    p1 = &line[8];
+    p2 = &line[9];
+#else
+    snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX");
+    p1 = &line[13];
+    p2 = &line[14];
+#endif
+
+	
+    for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
+	struct stat stb;
+
+	*p1 = *cp;
+	*p2 = '0';
+	/*
+	 * This stat() check is just to keep us from
+	 * looping through all 256 combinations if there
+	 * aren't that many ptys available.
+	 */
+	if (stat(line, &stb) < 0)
+	    break;
+	for (i = 0; i < 16; i++) {
+	    *p2 = "0123456789abcdef"[i];
+	    p = open(line, O_RDWR);
+	    if (p > 0) {
+#ifndef	__hpux
+		line[5] = 't';
+#else
+		for (p1 = &line[8]; *p1; p1++)
+		    *p1 = *(p1+1);
+		line[9] = 't';
+#endif
+		chown(line, 0, 0);
+		chmod(line, 0600);
+#if SunOS == 40
+		if (ioctl(p, TIOCGPGRP, &dummy) == 0
+		    || errno != EIO) {
+		    chmod(line, 0666);
+		    close(p);
+		    line[5] = 'p';
+		} else
+#endif /* SunOS == 40 */
+		    return(p);
+	    }
+	}
+    }
+#else	/* CRAY */
+    extern lowpty, highpty;
+    struct stat sb;
+
+    for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+	snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum);
+	p = open(myline, 2);
+	if (p < 0)
+	    continue;
+	snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum);
+	/*
+	 * Here are some shenanigans to make sure that there
+	 * are no listeners lurking on the line.
+	 */
+	if(stat(line, &sb) < 0) {
+	    close(p);
+	    continue;
+	}
+	if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	    close(p);
+	    p = open(myline, 2);
+	    if (p < 0)
+		continue;
+	}
+	/*
+	 * Now it should be safe...check for accessability.
+	 */
+	if (access(line, 6) == 0)
+	    return(p);
+	else {
+	    /* no tty side to pty so skip it */
+	    close(p);
+	}
+    }
+#endif	/* CRAY */
+#endif	/* STREAMSPTY */
+#endif /* OPENPTY */
+    return(-1);
+#endif
+}
+
+
+int
+tty_isecho(void)
+{
+    return (termbuf.c_lflag & ECHO);
+}
+
+int
+tty_flowmode(void)
+{
+    return((termbuf.c_iflag & IXON) ? 1 : 0);
+}
+
+int
+tty_restartany(void)
+{
+    return((termbuf.c_iflag & IXANY) ? 1 : 0);
+}
+
+void
+tty_setecho(int on)
+{
+    if (on)
+	termbuf.c_lflag |= ECHO;
+    else
+	termbuf.c_lflag &= ~ECHO;
+}
+
+int
+tty_israw(void)
+{
+    return(!(termbuf.c_lflag & ICANON));
+}
+
+void
+tty_binaryin(int on)
+{
+    if (on) {
+	termbuf.c_iflag &= ~ISTRIP;
+    } else {
+	termbuf.c_iflag |= ISTRIP;
+    }
+}
+
+void
+tty_binaryout(int on)
+{
+    if (on) {
+	termbuf.c_cflag &= ~(CSIZE|PARENB);
+	termbuf.c_cflag |= CS8;
+	termbuf.c_oflag &= ~OPOST;
+    } else {
+	termbuf.c_cflag &= ~CSIZE;
+	termbuf.c_cflag |= CS7|PARENB;
+	termbuf.c_oflag |= OPOST;
+    }
+}
+
+int
+tty_isbinaryin(void)
+{
+    return(!(termbuf.c_iflag & ISTRIP));
+}
+
+int
+tty_isbinaryout(void)
+{
+    return(!(termbuf.c_oflag&OPOST));
+}
+
+
+int
+tty_issofttab(void)
+{
+# ifdef	OXTABS
+    return (termbuf.c_oflag & OXTABS);
+# endif
+# ifdef	TABDLY
+    return ((termbuf.c_oflag & TABDLY) == TAB3);
+# endif
+}
+
+void
+tty_setsofttab(int on)
+{
+    if (on) {
+# ifdef	OXTABS
+	termbuf.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	termbuf.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB0;
+# endif
+    }
+}
+
+int
+tty_islitecho(void)
+{
+# ifdef	ECHOCTL
+    return (!(termbuf.c_lflag & ECHOCTL));
+# endif
+# ifdef	TCTLECH
+    return (!(termbuf.c_lflag & TCTLECH));
+# endif
+# if	!defined(ECHOCTL) && !defined(TCTLECH)
+    return (0);	/* assumes ctl chars are echoed '^x' */
+# endif
+}
+
+void
+tty_setlitecho(int on)
+{
+# ifdef	ECHOCTL
+    if (on)
+	termbuf.c_lflag &= ~ECHOCTL;
+    else
+	termbuf.c_lflag |= ECHOCTL;
+# endif
+# ifdef	TCTLECH
+    if (on)
+	termbuf.c_lflag &= ~TCTLECH;
+    else
+	termbuf.c_lflag |= TCTLECH;
+# endif
+}
+
+int
+tty_iscrnl(void)
+{
+    return (termbuf.c_iflag & ICRNL);
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+    int	speed;
+    int	value;
+} termspeeds[] = {
+    { 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+    { 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+    { 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+    { 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+    { 4800,   B4800 },
+#ifdef	B7200
+    { 7200,  B7200 },
+#endif
+    { 9600,   B9600 },
+#ifdef	B14400
+    { 14400,  B14400 },
+#endif
+#ifdef	B19200
+    { 19200,  B19200 },
+#endif
+#ifdef	B28800
+    { 28800,  B28800 },
+#endif
+#ifdef	B38400
+    { 38400,  B38400 },
+#endif
+#ifdef	B57600
+    { 57600,  B57600 },
+#endif
+#ifdef	B115200
+    { 115200, B115200 },
+#endif
+#ifdef	B230400
+    { 230400, B230400 },
+#endif
+    { -1,     0 }
+};
+#endif	/* DECODE_BUAD */
+
+void
+tty_tspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetospeed(&termbuf, tp->value);
+#else	/* DECODE_BUAD */
+    cfsetospeed(&termbuf, val);
+#endif	/* DECODE_BUAD */
+}
+
+void
+tty_rspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetispeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+    cfsetispeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+#ifdef PARENT_DOES_UTMP
+extern	struct utmp wtmp;
+extern char wtmpf[];
+
+extern void utmp_sig_init (void);
+extern void utmp_sig_reset (void);
+extern void utmp_sig_wait (void);
+extern void utmp_sig_notify (int);
+# endif /* PARENT_DOES_UTMP */
+
+#ifdef STREAMSPTY
+
+/* I_FIND seems to live a life of its own */
+static int my_find(int fd, char *module)
+{
+#if defined(I_FIND) && defined(I_LIST)
+    static int flag;
+    static struct str_list sl;
+    int n;
+    int i;
+  
+    if(!flag){
+	n = ioctl(fd, I_LIST, 0);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, 0)");
+	    return -1;
+	}
+	sl.sl_modlist=(struct str_mlist*)malloc(n * sizeof(struct str_mlist));
+	sl.sl_nmods = n;
+	n = ioctl(fd, I_LIST, &sl);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, n)");
+	    return -1;
+	}
+	flag = 1;
+    }
+  
+    for(i=0; i<sl.sl_nmods; i++)
+	if(!strcmp(sl.sl_modlist[i].l_name, module))
+	    return 1;
+#endif
+    return 0;
+}
+
+static void maybe_push_modules(int fd, char **modules)
+{
+    char **p;
+    int err;
+
+    for(p=modules; *p; p++){
+	err = my_find(fd, *p);
+	if(err == 1)
+	    break;
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "my_find()");
+	/* module not pushed or does not exist */
+    }
+    /* p points to null or to an already pushed module, now push all
+       modules before this one */
+  
+    for(p--; p >= modules; p--){
+	err = ioctl(fd, I_PUSH, *p);
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "I_PUSH");
+    }
+}
+#endif
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.  The return value is a file descriptor
+ * for the slave side.
+ */
+void getptyslave(void)
+{
+    int t = -1;
+
+    struct winsize ws;
+    extern int def_row, def_col;
+    extern int def_tspeed, def_rspeed;
+    /*
+     * Opening the slave side may cause initilization of the
+     * kernel tty structure.  We need remember the state of
+     * 	if linemode was turned on
+     *	terminal window size
+     *	terminal speed
+     * so that we can re-set them if we need to.
+     */
+
+
+    /*
+     * Make sure that we don't have a controlling tty, and
+     * that we are the session (process group) leader.
+     */
+
+#ifdef HAVE_SETSID
+    if(setsid()<0)
+	fatalperror(net, "setsid()");
+#else
+# ifdef	TIOCNOTTY
+    t = open(_PATH_TTY, O_RDWR);
+    if (t >= 0) {
+	ioctl(t, TIOCNOTTY, (char *)0);
+	close(t);
+    }
+# endif
+#endif
+
+# ifdef PARENT_DOES_UTMP
+    /*
+     * Wait for our parent to get the utmp stuff to get done.
+     */
+    utmp_sig_wait();
+# endif
+
+    t = cleanopen(line);
+    if (t < 0)
+	fatalperror(net, line);
+
+#ifdef  STREAMSPTY
+    ttyfd = t;
+	  
+
+    /*
+     * Not all systems have (or need) modules ttcompat and pckt so
+     * don't flag it as a fatal error if they don't exist.
+     */
+
+    if (really_stream)
+	{
+	    /* these are the streams modules that we want pushed. note
+	       that they are in reverse order, ptem will be pushed
+	       first. maybe_push_modules() will try to push all modules
+	       before the first one that isn't already pushed. i.e if
+	       ldterm is pushed, only ttcompat will be attempted.
+
+	       all this is because we don't know which modules are
+	       available, and we don't know which modules are already
+	       pushed (via autopush, for instance).
+
+	       */
+	     
+	    char *ttymodules[] = { "ttcompat", "ldterm", "ptem", NULL };
+	    char *ptymodules[] = { "pckt", NULL };
+
+	    maybe_push_modules(t, ttymodules);
+	    maybe_push_modules(ourpty, ptymodules);
+	}
+#endif
+    /*
+     * set up the tty modes as we like them to be.
+     */
+    init_termbuf();
+# ifdef	TIOCSWINSZ
+    if (def_row || def_col) {
+	memset(&ws, 0, sizeof(ws));
+	ws.ws_col = def_col;
+	ws.ws_row = def_row;
+	ioctl(t, TIOCSWINSZ, (char *)&ws);
+    }
+# endif
+
+    /*
+     * Settings for sgtty based systems
+     */
+
+    /*
+     * Settings for UNICOS (and HPUX)
+     */
+# if defined(_CRAY) || defined(__hpux)
+    termbuf.c_oflag = OPOST|ONLCR|TAB3;
+    termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON;
+    termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK;
+    termbuf.c_cflag = EXTB|HUPCL|CS8;
+# endif
+
+    /*
+     * Settings for all other termios/termio based
+     * systems, other than 4.4BSD.  In 4.4BSD the
+     * kernel does the initial terminal setup.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43)
+#  ifndef	OXTABS
+#   define OXTABS	0
+#  endif
+    termbuf.c_lflag |= ECHO;
+    termbuf.c_oflag |= ONLCR|OXTABS;
+    termbuf.c_iflag |= ICRNL;
+    termbuf.c_iflag &= ~IXOFF;
+# endif
+    tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+    tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+
+    /*
+     * Set the tty modes, and make this our controlling tty.
+     */
+    set_termbuf();
+    if (login_tty(t) == -1)
+	fatalperror(net, "login_tty");
+    if (net > 2)
+	close(net);
+    if (ourpty > 2) {
+	close(ourpty);
+	ourpty = -1;
+    }
+}
+
+#ifndef	O_NOCTTY
+#define	O_NOCTTY	0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+
+int cleanopen(char *line)
+{
+    int t;
+
+#ifdef STREAMSPTY
+    if (!really_stream)
+#endif
+	{
+	    /*
+	     * Make sure that other people can't open the
+	     * slave side of the connection.
+	     */
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	}
+
+#ifdef HAVE_REVOKE
+    revoke(line);
+#endif
+
+    t = open(line, O_RDWR|O_NOCTTY);
+
+    if (t < 0)
+	return(-1);
+
+    /*
+     * Hangup anybody else using this ttyp, then reopen it for
+     * ourselves.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY)
+    signal(SIGHUP, SIG_IGN);
+#ifdef HAVE_VHANGUP
+    vhangup();
+#else
+#endif
+    signal(SIGHUP, SIG_DFL);
+    t = open(line, O_RDWR|O_NOCTTY);
+    if (t < 0)
+	return(-1);
+# endif
+# if	defined(_CRAY) && defined(TCVHUP)
+    {
+	int i;
+	signal(SIGHUP, SIG_IGN);
+	ioctl(t, TCVHUP, (char *)0);
+	signal(SIGHUP, SIG_DFL);
+
+	i = open(line, O_RDWR);
+
+	if (i < 0)
+	    return(-1);
+	close(t);
+	t = i;
+    }
+# endif	/* defined(CRAY) && defined(TCVHUP) */
+    return(t);
+}
+
+#if !defined(BSD4_4)
+
+int login_tty(int t)
+{
+# if defined(TIOCSCTTY) && !defined(__hpux)
+    if (ioctl(t, TIOCSCTTY, (char *)0) < 0)
+	fatalperror(net, "ioctl(sctty)");
+#  ifdef _CRAY
+    /*
+     * Close the hard fd to /dev/ttypXXX, and re-open through
+     * the indirect /dev/tty interface.
+     */
+    close(t);
+    if ((t = open("/dev/tty", O_RDWR)) < 0)
+	fatalperror(net, "open(/dev/tty)");
+#  endif
+# else
+    /*
+     * We get our controlling tty assigned as a side-effect
+     * of opening up a tty device.  But on BSD based systems,
+     * this only happens if our process group is zero.  The
+     * setsid() call above may have set our pgrp, so clear
+     * it out before opening the tty...
+     */
+#ifdef HAVE_SETPGID
+    setpgid(0, 0);
+#else
+    setpgrp(0, 0); /* if setpgid isn't available, setpgrp
+		      probably takes arguments */
+#endif
+    close(open(line, O_RDWR));
+# endif
+    if (t != 0)
+	dup2(t, 0);
+    if (t != 1)
+	dup2(t, 1);
+    if (t != 2)
+	dup2(t, 2);
+    if (t > 2)
+	close(t);
+    return(0);
+}
+#endif	/* BSD <= 43 */
+
+/*
+ * This comes from ../../bsd/tty.c and should not really be here.
+ */
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+static char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+static char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
+#endif
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+void
+startslave(char *host, int autologin, char *autoname)
+{
+    int i;
+
+#ifdef AUTHENTICATION
+    if (!autoname || !autoname[0])
+	autologin = 0;
+
+    if (autologin < auth_level) {
+	fatal(net, "Authorization failed");
+	exit(1);
+    }
+#endif
+
+    {
+	char *tbuf =
+	    "\r\n*** Connection not encrypted! "
+	    "Communication may be eavesdropped. ***\r\n";
+#ifdef ENCRYPTION
+	if (!no_warn && (encrypt_output == 0 || decrypt_input == 0))
+#endif
+	    writenet((unsigned char*)tbuf, strlen(tbuf));
+    }
+# ifdef	PARENT_DOES_UTMP
+    utmp_sig_init();
+# endif	/* PARENT_DOES_UTMP */
+
+    if ((i = fork()) < 0)
+	fatalperror(net, "fork");
+    if (i) {
+# ifdef PARENT_DOES_UTMP
+	/*
+	 * Cray parent will create utmp entry for child and send
+	 * signal to child to tell when done.  Child waits for signal
+	 * before doing anything important.
+	 */
+	int pid = i;
+	void sigjob (int);
+
+	setpgrp();
+	utmp_sig_reset();		/* reset handler to default */
+	/*
+	 * Create utmp entry for child
+	 */
+	time(&wtmp.ut_time);
+	wtmp.ut_type = LOGIN_PROCESS;
+	wtmp.ut_pid = pid;
+	strncpy(wtmp.ut_user,  "LOGIN", sizeof(wtmp.ut_user));
+	strncpy(wtmp.ut_host,  host, sizeof(wtmp.ut_host));
+	strncpy(wtmp.ut_line,  clean_ttyname(line), sizeof(wtmp.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+	strncpy(wtmp.ut_id, wtmp.ut_line + 3, sizeof(wtmp.ut_id));
+#endif
+
+	pututline(&wtmp);
+	endutent();
+	if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) {
+	    write(i, &wtmp, sizeof(struct utmp));
+	    close(i);
+	}
+#ifdef	_CRAY
+	signal(WJSIGNAL, sigjob);
+#endif
+	utmp_sig_notify(pid);
+# endif	/* PARENT_DOES_UTMP */
+    } else {
+	getptyslave();
+	start_login(host, autologin, autoname);
+	/*NOTREACHED*/
+    }
+}
+
+char	*envinit[3];
+extern char **environ;
+
+void
+init_env(void)
+{
+    extern char *getenv(const char *);
+    char **envp;
+
+    envp = envinit;
+    if ((*envp = getenv("TZ")))
+	*envp++ -= 3;
+#if defined(_CRAY) || defined(__hpux)
+    else
+	*envp++ = "TZ=GMT0";
+#endif
+    *envp = 0;
+    environ = envinit;
+}
+
+/*
+ * scrub_env()
+ *
+ * Remove variables from the environment that might cause login to
+ * behave in a bad manner. To avoid this, login should be staticly
+ * linked.
+ */
+
+static void scrub_env(void)
+{
+    static char *remove[] = { "LD_", "_RLD_", "LIBPATH=", "IFS=", NULL };
+
+    char **cpp, **cpp2;
+    char **p;
+  
+    for (cpp2 = cpp = environ; *cpp; cpp++) {
+	for(p = remove; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0)
+		break;
+	if(*p == NULL)
+	    *cpp2++ = *cpp;
+    }
+    *cpp2 = 0;
+}
+
+
+struct arg_val {
+    int size;
+    int argc;
+    char **argv;
+};
+
+static void addarg(struct arg_val*, char*);
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+void
+start_login(char *host, int autologin, char *name)
+{
+    struct arg_val argv;
+    char *user;
+
+#ifdef HAVE_UTMPX_H
+    int pid = getpid();
+    struct utmpx utmpx;
+    char *clean_tty;
+
+    /*
+     * Create utmp entry for child
+     */
+
+    clean_tty = clean_ttyname(line);
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_user,  ".telnet", sizeof(utmpx.ut_user));
+    strncpy(utmpx.ut_line,  clean_tty, sizeof(utmpx.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id));
+#endif
+    utmpx.ut_pid = pid;
+	
+    utmpx.ut_type = LOGIN_PROCESS;
+
+    gettimeofday (&utmpx.ut_tv, NULL);
+    if (pututxline(&utmpx) == NULL)
+	fatal(net, "pututxline failed");
+#endif
+
+    scrub_env();
+	
+    /*
+     * -h : pass on name of host.
+     *		WARNING:  -h is accepted by login if and only if
+     *			getuid() == 0.
+     * -p : don't clobber the environment (so terminal type stays set).
+     *
+     * -f : force this login, he has already been authenticated
+     */
+
+    /* init argv structure */ 
+    argv.size=0;
+    argv.argc=0;
+    argv.argv=(char**)malloc(0); /*so we can call realloc later */
+    addarg(&argv, "login");
+    addarg(&argv, "-h");
+    addarg(&argv, host);
+    addarg(&argv, "-p");
+    if(name[0])
+	user = name;
+    else
+	user = getenv("USER");
+#ifdef AUTHENTICATION
+    if (auth_level < 0 || autologin != AUTH_VALID) {
+	if(!no_warn) {
+	    printf("User not authenticated. ");
+	    if (require_otp)
+		printf("Using one-time password\r\n");
+	    else
+		printf("Using plaintext username and password\r\n");
+	}
+	if (require_otp) {
+	    addarg(&argv, "-a");
+	    addarg(&argv, "otp");
+	}
+	if(log_unauth) 
+	    syslog(LOG_INFO, "unauthenticated access from %s (%s)", 
+		   host, user ? user : "unknown user");
+    }
+    if (auth_level >= 0 && autologin == AUTH_VALID)
+	addarg(&argv, "-f");
+#endif
+    if(user){
+	addarg(&argv, "--");
+	addarg(&argv, strdup(user));
+    }
+    if (getenv("USER")) {
+	/*
+	 * Assume that login will set the USER variable
+	 * correctly.  For SysV systems, this means that
+	 * USER will no longer be set, just LOGNAME by
+	 * login.  (The problem is that if the auto-login
+	 * fails, and the user then specifies a different
+	 * account name, he can get logged in with both
+	 * LOGNAME and USER in his environment, but the
+	 * USER value will be wrong.
+	 */
+	unsetenv("USER");
+    }
+    closelog();
+    /*
+     * This sleep(1) is in here so that telnetd can
+     * finish up with the tty.  There's a race condition
+     * the login banner message gets lost...
+     */
+    sleep(1);
+
+    execv(new_login, argv.argv);
+
+    syslog(LOG_ERR, "%s: %m\n", new_login);
+    fatalperror(net, new_login);
+    /*NOTREACHED*/
+}
+
+static void
+addarg(struct arg_val *argv, char *val)
+{
+    if(argv->size <= argv->argc+1) {
+	argv->argv = realloc(argv->argv, sizeof(char*) * (argv->size + 10));
+	if (argv->argv == NULL)
+	    fatal (net, "realloc: out of memory");
+	argv->size+=10;
+    }
+    argv->argv[argv->argc++] = val;
+    argv->argv[argv->argc]   = NULL;
+}
+
+
+/*
+ * rmut()
+ *
+ * This is the function called by cleanup() to
+ * remove the utmp entry for this person.
+ */
+
+#ifdef HAVE_UTMPX_H
+static void
+rmut(void)
+{
+    struct utmpx utmpx, *non_save_utxp;
+    char *clean_tty = clean_ttyname(line);
+
+    /*
+     * This updates the utmpx and utmp entries and make a wtmp/x entry
+     */
+
+    setutxent();
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_line, clean_tty, sizeof(utmpx.ut_line));
+    utmpx.ut_type = LOGIN_PROCESS;
+    non_save_utxp = getutxline(&utmpx);
+    if (non_save_utxp) {
+	struct utmpx *utxp;
+	char user0;
+
+	utxp = malloc(sizeof(struct utmpx));
+	*utxp = *non_save_utxp;
+	user0 = utxp->ut_user[0];
+	utxp->ut_user[0] = '\0';
+	utxp->ut_type = DEAD_PROCESS;
+#ifdef HAVE_STRUCT_UTMPX_UT_EXIT
+#ifdef _STRUCT___EXIT_STATUS
+	utxp->ut_exit.__e_termination = 0;
+	utxp->ut_exit.__e_exit = 0;
+#elif defined(__osf__) /* XXX */
+	utxp->ut_exit.ut_termination = 0;
+	utxp->ut_exit.ut_exit = 0;
+#else	
+	utxp->ut_exit.e_termination = 0;
+	utxp->ut_exit.e_exit = 0;
+#endif
+#endif
+	gettimeofday(&utxp->ut_tv, NULL);
+	pututxline(utxp);
+#ifdef WTMPX_FILE
+	utxp->ut_user[0] = user0;
+	updwtmpx(WTMPX_FILE, utxp);
+#elif defined(WTMP_FILE)
+	/* This is a strange system with a utmpx and a wtmp! */
+	{
+	  int f = open(wtmpf, O_WRONLY|O_APPEND);
+	  struct utmp wtmp;
+	  if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    time(&wtmp.ut_time);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	  }
+	}
+#endif
+	free (utxp);
+    }
+    endutxent();
+}  /* end of rmut */
+#endif
+
+#if !defined(HAVE_UTMPX_H) && !(defined(_CRAY) || defined(__hpux)) && BSD <= 43
+static void
+rmut(void)
+{
+    int f;
+    int found = 0;
+    struct utmp *u, *utmp;
+    int nutmp;
+    struct stat statbf;
+    char *clean_tty = clean_ttyname(line);
+
+    f = open(utmpf, O_RDWR);
+    if (f >= 0) {
+	fstat(f, &statbf);
+	utmp = (struct utmp *)malloc((unsigned)statbf.st_size);
+	if (!utmp)
+	    syslog(LOG_ERR, "utmp malloc failed");
+	if (statbf.st_size && utmp) {
+	    nutmp = read(f, utmp, (int)statbf.st_size);
+	    nutmp /= sizeof(struct utmp);
+
+	    for (u = utmp ; u < &utmp[nutmp] ; u++) {
+		if (strncmp(u->ut_line,
+			    clean_tty,
+			    sizeof(u->ut_line)) ||
+		    u->ut_name[0]==0)
+		    continue;
+		lseek(f, ((long)u)-((long)utmp), L_SET);
+		strncpy(u->ut_name,  "", sizeof(u->ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+		strncpy(u->ut_host,  "", sizeof(u->ut_host));
+#endif
+		time(&u->ut_time);
+		write(f, u, sizeof(wtmp));
+		found++;
+	    }
+	}
+	close(f);
+    }
+    if (found) {
+	f = open(wtmpf, O_WRONLY|O_APPEND);
+	if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    time(&wtmp.ut_time);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	}
+    }
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[strlen("/dev/")] = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}  /* end of rmut */
+#endif	/* CRAY */
+
+#if defined(__hpux) && !defined(HAVE_UTMPX_H)
+static void
+rmut (char *line)
+{
+    struct utmp utmp;
+    struct utmp *utptr;
+    int fd;			/* for /etc/wtmp */
+
+    utmp.ut_type = USER_PROCESS;
+    strncpy(utmp.ut_line, clean_ttyname(line), sizeof(utmp.ut_line));
+    setutent();
+    utptr = getutline(&utmp);
+    /* write it out only if it exists */
+    if (utptr) {
+	utptr->ut_type = DEAD_PROCESS;
+	utptr->ut_time = time(NULL);
+	pututline(utptr);
+	/* set wtmp entry if wtmp file exists */
+	if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
+	    write(fd, utptr, sizeof(utmp));
+	    close(fd);
+	}
+    }
+    endutent();
+
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[14] = line[13];
+    line[13] = line[12];
+    line[8] = 'm';
+    line[9] = '/';
+    line[10] = 'p';
+    line[11] = 't';
+    line[12] = 'y';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}
+#endif
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+
+#ifdef PARENT_DOES_UTMP
+
+void
+cleanup(int sig)
+{
+#ifdef _CRAY
+    static int incleanup = 0;
+    int t;
+    int child_status; /* status of child process as returned by waitpid */
+    int flags = WNOHANG|WUNTRACED;
+    
+    /*
+     * 1: Pick up the zombie, if we are being called
+     *    as the signal handler.
+     * 2: If we are a nested cleanup(), return.
+     * 3: Try to clean up TMPDIR.
+     * 4: Fill in utmp with shutdown of process.
+     * 5: Close down the network and pty connections.
+     * 6: Finish up the TMPDIR cleanup, if needed.
+     */
+    if (sig == SIGCHLD) {
+	while (waitpid(-1, &child_status, flags) > 0)
+	    ;	/* VOID */
+	/* Check if the child process was stopped
+	 * rather than exited.  We want cleanup only if
+	 * the child has died.
+	 */
+	if (WIFSTOPPED(child_status)) {
+	    return;
+	}
+    }
+    t = sigblock(sigmask(SIGCHLD));
+    if (incleanup) {
+	sigsetmask(t);
+	return;
+    }
+    incleanup = 1;
+    sigsetmask(t);
+    
+    t = cleantmp(&wtmp);
+    setutent();	/* just to make sure */
+#endif /* CRAY */
+    rmut(line);
+    close(ourpty);
+    shutdown(net, 2);
+#ifdef _CRAY
+    if (t == 0)
+	cleantmp(&wtmp);
+#endif /* CRAY */
+    exit(1);
+}
+
+#else /* PARENT_DOES_UTMP */
+
+void
+cleanup(int sig)
+{
+#if defined(HAVE_UTMPX_H) || !defined(HAVE_LOGWTMP)
+    rmut();
+#ifdef HAVE_VHANGUP
+#ifndef __sgi
+    vhangup(); /* XXX */
+#endif
+#endif
+#else
+    char *p;
+    
+    p = line + sizeof("/dev/") - 1;
+    if (logout(p))
+	logwtmp(p, "", "");
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+#endif
+    shutdown(net, 2);
+    exit(1);
+}
+
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef PARENT_DOES_UTMP
+/*
+ * _utmp_sig_rcv
+ * utmp_sig_init
+ * utmp_sig_wait
+ *	These three functions are used to coordinate the handling of
+ *	the utmp file between the server and the soon-to-be-login shell.
+ *	The server actually creates the utmp structure, the child calls
+ *	utmp_sig_wait(), until the server calls utmp_sig_notify() and
+ *	signals the future-login shell to proceed.
+ */
+static int caught=0;		/* NZ when signal intercepted */
+static void (*func)();		/* address of previous handler */
+
+void
+_utmp_sig_rcv(sig)
+     int sig;
+{
+    caught = 1;
+    signal(SIGUSR1, func);
+}
+
+void
+utmp_sig_init()
+{
+    /*
+     * register signal handler for UTMP creation
+     */
+    if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
+	fatalperror(net, "telnetd/signal");
+}
+
+void
+utmp_sig_reset()
+{
+    signal(SIGUSR1, func);	/* reset handler to default */
+}
+
+# ifdef __hpux
+# define sigoff() /* do nothing */
+# define sigon() /* do nothing */
+# endif
+
+void
+utmp_sig_wait()
+{
+    /*
+     * Wait for parent to write our utmp entry.
+	 */
+    sigoff();
+    while (caught == 0) {
+	pause();	/* wait until we get a signal (sigon) */
+	sigoff();	/* turn off signals while we check caught */
+    }
+    sigon();		/* turn on signals again */
+}
+
+void
+utmp_sig_notify(pid)
+{
+    kill(pid, SIGUSR1);
+}
+
+#ifdef _CRAY
+static int gotsigjob = 0;
+
+	/*ARGSUSED*/
+void
+sigjob(sig)
+     int sig;
+{
+    int jid;
+    struct jobtemp *jp;
+
+    while ((jid = waitjob(NULL)) != -1) {
+	if (jid == 0) {
+	    return;
+	}
+	gotsigjob++;
+	jobend(jid, NULL, NULL);
+    }
+}
+
+/*
+ *	jid_getutid:
+ *		called by jobend() before calling cleantmp()
+ *		to find the correct $TMPDIR to cleanup.
+ */
+
+struct utmp *
+jid_getutid(jid)
+     int jid;
+{
+    struct utmp *cur = NULL;
+
+    setutent();	/* just to make sure */
+    while (cur = getutent()) {
+	if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
+	    return(cur);
+	}
+    }
+
+    return(0);
+}
+
+/*
+ * Clean up the TMPDIR that login created.
+ * The first time this is called we pick up the info
+ * from the utmp.  If the job has already gone away,
+ * then we'll clean up and be done.  If not, then
+ * when this is called the second time it will wait
+ * for the signal that the job is done.
+ */
+int
+cleantmp(wtp)
+     struct utmp *wtp;
+{
+    struct utmp *utp;
+    static int first = 1;
+    int mask, omask, ret;
+    extern struct utmp *getutid (const struct utmp *_Id);
+
+
+    mask = sigmask(WJSIGNAL);
+
+    if (first == 0) {
+	omask = sigblock(mask);
+	while (gotsigjob == 0)
+	    sigpause(omask);
+	return(1);
+    }
+    first = 0;
+    setutent();	/* just to make sure */
+
+    utp = getutid(wtp);
+    if (utp == 0) {
+	syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	return(-1);
+    }
+    /*
+     * Nothing to clean up if the user shell was never started.
+     */
+    if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
+	return(1);
+
+    /*
+     * Block the WJSIGNAL while we are in jobend().
+     */
+    omask = sigblock(mask);
+    ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
+    sigsetmask(omask);
+    return(ret);
+}
+
+int
+jobend(jid, path, user)
+     int jid;
+     char *path;
+     char *user;
+{
+    static int saved_jid = 0;
+    static int pty_saved_jid = 0;
+    static char saved_path[sizeof(wtmp.ut_tpath)+1];
+    static char saved_user[sizeof(wtmp.ut_user)+1];
+
+    /*
+     * this little piece of code comes into play
+     * only when ptyreconnect is used to reconnect
+     * to an previous session.
+     *
+     * this is the only time when the
+     * "saved_jid != jid" code is executed.
+     */
+
+    if ( saved_jid && saved_jid != jid ) {
+	if (!path) {	/* called from signal handler */
+	    pty_saved_jid = jid;
+	} else {
+	    pty_saved_jid = saved_jid;
+	}
+    }
+
+    if (path) {
+	strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
+	strncpy(saved_user, user, sizeof(wtmp.ut_user));
+	saved_path[sizeof(saved_path)] = '\0';
+	saved_user[sizeof(saved_user)] = '\0';
+    }
+    if (saved_jid == 0) {
+	saved_jid = jid;
+	return(0);
+    }
+
+    /* if the jid has changed, get the correct entry from the utmp file */
+
+    if ( saved_jid != jid ) {
+	struct utmp *utp = NULL;
+	struct utmp *jid_getutid();
+
+	utp = jid_getutid(pty_saved_jid);
+
+	if (utp == 0) {
+	    syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	    return(-1);
+	}
+
+	cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
+	return(1);
+    }
+
+    cleantmpdir(jid, saved_path, saved_user);
+    return(1);
+}
+
+/*
+ * Fork a child process to clean up the TMPDIR
+ */
+cleantmpdir(jid, tpath, user)
+     int jid;
+     char *tpath;
+     char *user;
+{
+    switch(fork()) {
+    case -1:
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m\n",
+	       tpath);
+	break;
+    case 0:
+	execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m\n",
+	       tpath, CLEANTMPCMD);
+	exit(1);
+    default:
+	/*
+	 * Forget about child.  We will exit, and
+	 * /etc/init will pick it up.
+	 */
+	break;
+    }
+}
+#endif /* CRAY */
+#endif	/* defined(PARENT_DOES_UTMP) */
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
new file mode 100644
index 0000000..62cc4cd
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
@@ -0,0 +1,529 @@
+.\" Copyright (c) 1983, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNETD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm telnetd
+.Op Fl BUhkln
+.Op Fl D Ar debugmode
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug
+.Op Fl L Ar /bin/login
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm telnetd
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up
+.Nm telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run
+.Nm telnetd
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm telnetd
+command accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm telnetd
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode:
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It otp
+Only allow authenticated connections (as with
+.Fl a
+.Cm user )
+and also logins with one-time passwords (OTPs).  This option will call
+login with an option so that only OTPs are accepted.  The user can of
+course still type secret information at the prompt.
+.It none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It off
+This disables the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Ignored.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm telnetd
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm telnetd
+is doing.
+There are several possible values for 
+.Ar debugmode:
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Prints the 
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm telnetd.
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl k
+.It Fl l
+Ignored.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm telnetd
+is compiled for
+.Dv UNICOS.
+It specifies an inclusive range of pseudo-terminal devices to
+use.  If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY;
+otherwise, the default range is 0 to 128.  Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range.  If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm telnetd
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.ne 1i
+.It Fl U
+This option causes
+.Nm telnetd
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm telnetd .
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up, 
+.Nm telnetd
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in \*(lqcooked\*(rq mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.ne 1i
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO.
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE.
+If the client responds with
+.Dv WILL TM,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Sh ENVIRONMENT
+.Sh FILES
+.Pa /etc/services
+.br
+.Pa /etc/inittab
+(UNICOS systems only)
+.br
+.Pa /etc/iptos
+(if supported)
+.br
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.El
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.c b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
new file mode 100644
index 0000000..678b508
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
@@ -0,0 +1,1355 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: telnetd.c,v 1.60 1999/12/05 10:59:52 assar Exp $");
+
+#ifdef _SC_CRAY_SECURE_SYS
+#include <sys/sysv.h>
+#include <sys/secdev.h>
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+int	secflag;
+char	tty_dev[16];
+struct	secdev dv;
+struct	sysv sysv;
+struct	socksec ss;
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+#ifdef AUTHENTICATION
+int	auth_level = 0;
+#endif
+
+extern	int utmp_len;
+int	registerd_host_only = 0;
+
+#ifdef	STREAMSPTY
+# include <stropts.h>
+# include <termios.h>
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif /* HAVE_SYS_UIO_H */
+#ifdef HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+#ifdef _AIX
+#include <sys/termio.h>
+#endif
+# ifdef HAVE_SYS_STRTTY_H
+# include <sys/strtty.h>
+# endif
+# ifdef HAVE_SYS_STR_TTY_H
+# include <sys/str_tty.h>
+# endif
+/* make sure we don't get the bsd version */
+/* what is this here for? solaris? /joda */
+# ifdef HAVE_SYS_TTY_H
+# include "/usr/include/sys/tty.h"
+# endif
+# ifdef HAVE_SYS_PTYVAR_H
+# include <sys/ptyvar.h>
+# endif
+
+/*
+ * Because of the way ptyibuf is used with streams messages, we need
+ * ptyibuf+1 to be on a full-word boundary.  The following wierdness
+ * is simply to make that happen.
+ */
+long	ptyibufbuf[BUFSIZ/sizeof(long)+1];
+char	*ptyibuf = ((char *)&ptyibufbuf[1])-1;
+char	*ptyip = ((char *)&ptyibufbuf[1])-1;
+char	ptyibuf2[BUFSIZ];
+unsigned char ctlbuf[BUFSIZ];
+struct	strbuf strbufc, strbufd;
+
+int readstream(int, char*, int);
+
+#else	/* ! STREAMPTY */
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char	ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char	ptyibuf2[BUFSIZ];
+
+#endif /* ! STREAMPTY */
+
+int	hostinfo = 1;			/* do we print login banner? */
+
+#ifdef	_CRAY
+extern int      newmap; /* nonzero if \n maps to ^M^J */
+int	lowpty = 0, highpty;	/* low, high pty numbers */
+#endif /* CRAY */
+
+int debug = 0;
+int keepalive = 1;
+char *progname;
+
+static void usage (void);
+
+/*
+ * The string to pass to getopt().  We do it this way so
+ * that only the actual options that we support will be
+ * passed off to getopt().
+ */
+char valid_opts[] = "Bd:hklnS:u:UL:y"
+#ifdef AUTHENTICATION
+		    "a:X:z"
+#endif
+#ifdef DIAGNOSTICS
+		    "D:"
+#endif
+#ifdef _CRAY
+		    "r:"
+#endif
+		    ;
+
+static void doit(struct sockaddr*, int);
+
+int
+main(int argc, char **argv)
+{
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int on = 1, sa_size;
+    int ch;
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+    int tos = -1;
+#endif
+#ifdef ENCRYPTION
+    extern int des_check_key;
+    des_check_key = 1;	/* Kludge for Mac NCSA telnet 2.6 /bg */
+#endif
+    pfrontp = pbackp = ptyobuf;
+    netip = netibuf;
+    nfrontp = nbackp = netobuf;
+
+    progname = *argv;
+#ifdef ENCRYPTION
+    nclearto = 0;
+#endif
+
+#ifdef _CRAY
+    /*
+     * Get number of pty's before trying to process options,
+     * which may include changing pty range.
+     */
+    highpty = getnpty();
+#endif /* CRAY */
+
+    while ((ch = getopt(argc, argv, valid_opts)) != -1) {
+	switch(ch) {
+
+#ifdef	AUTHENTICATION
+	case 'a':
+	    /*
+	     * Check for required authentication level
+	     */
+	    if (strcmp(optarg, "debug") == 0) {
+		auth_debug_mode = 1;
+	    } else if (strcasecmp(optarg, "none") == 0) {
+		auth_level = 0;
+	    } else if (strcasecmp(optarg, "otp") == 0) {
+		auth_level = 0;
+		require_otp = 1;
+	    } else if (strcasecmp(optarg, "other") == 0) {
+		auth_level = AUTH_OTHER;
+	    } else if (strcasecmp(optarg, "user") == 0) {
+		auth_level = AUTH_USER;
+	    } else if (strcasecmp(optarg, "valid") == 0) {
+		auth_level = AUTH_VALID;
+	    } else if (strcasecmp(optarg, "off") == 0) {
+		/*
+		 * This hack turns off authentication
+		 */
+		auth_level = -1;
+	    } else {
+		fprintf(stderr,
+			"telnetd: unknown authorization level for -a\n");
+	    }
+	    break;
+#endif	/* AUTHENTICATION */
+
+	case 'B': /* BFTP mode is not supported any more */
+	    break;
+	case 'd':
+	    if (strcmp(optarg, "ebug") == 0) {
+		debug++;
+		break;
+	    }
+	    usage();
+	    /* NOTREACHED */
+	    break;
+
+#ifdef DIAGNOSTICS
+	case 'D':
+	    /*
+	     * Check for desired diagnostics capabilities.
+	     */
+	    if (!strcmp(optarg, "report")) {
+		diagnostic |= TD_REPORT|TD_OPTIONS;
+	    } else if (!strcmp(optarg, "exercise")) {
+		diagnostic |= TD_EXERCISE;
+	    } else if (!strcmp(optarg, "netdata")) {
+		diagnostic |= TD_NETDATA;
+	    } else if (!strcmp(optarg, "ptydata")) {
+		diagnostic |= TD_PTYDATA;
+	    } else if (!strcmp(optarg, "options")) {
+		diagnostic |= TD_OPTIONS;
+	    } else {
+		usage();
+		/* NOT REACHED */
+	    }
+	    break;
+#endif /* DIAGNOSTICS */
+
+
+	case 'h':
+	    hostinfo = 0;
+	    break;
+
+	case 'k': /* Linemode is not supported any more */
+	case 'l':
+	    break;
+
+	case 'n':
+	    keepalive = 0;
+	    break;
+
+#ifdef _CRAY
+	case 'r':
+	    {
+		char *strchr();
+		char *c;
+
+		/*
+		 * Allow the specification of alterations
+		 * to the pty search range.  It is legal to
+		 * specify only one, and not change the
+		 * other from its default.
+		 */
+		c = strchr(optarg, '-');
+		if (c) {
+		    *c++ = '\0';
+		    highpty = atoi(c);
+		}
+		if (*optarg != '\0')
+		    lowpty = atoi(optarg);
+		if ((lowpty > highpty) || (lowpty < 0) ||
+		    (highpty > 32767)) {
+		    usage();
+		    /* NOT REACHED */
+		}
+		break;
+	    }
+#endif	/* CRAY */
+
+	case 'S':
+#ifdef	HAVE_PARSETOS
+	    if ((tos = parsetos(optarg, "tcp")) < 0)
+		fprintf(stderr, "%s%s%s\n",
+			"telnetd: Bad TOS argument '", optarg,
+			"'; will try to use default TOS");
+#else
+	    fprintf(stderr, "%s%s\n", "TOS option unavailable; ",
+		    "-S flag not supported\n");
+#endif
+	    break;
+
+	case 'u':
+	    utmp_len = atoi(optarg);
+	    break;
+
+	case 'U':
+	    registerd_host_only = 1;
+	    break;
+
+#ifdef	AUTHENTICATION
+	case 'X':
+	    /*
+	     * Check for invalid authentication types
+	     */
+	    auth_disable_name(optarg);
+	    break;
+#endif
+	case 'y':
+	    no_warn = 1;
+	    break;
+#ifdef AUTHENTICATION
+	case 'z':
+	    log_unauth = 1;
+	    break;
+
+#endif	/* AUTHENTICATION */
+
+	case 'L':
+	    new_login = optarg;
+	    break;
+			
+	default:
+	    fprintf(stderr, "telnetd: %c: unknown option\n", ch);
+	    /* FALLTHROUGH */
+	case '?':
+	    usage();
+	    /* NOTREACHED */
+	}
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (debug) {
+	int port = 0;
+	struct servent *sp;
+
+	if (argc > 1) {
+	    usage ();
+	} else if (argc == 1) {
+	    sp = roken_getservbyname (*argv, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else
+		port = htons(atoi(*argv));
+	} else {
+#ifdef KRB5
+	    port = krb5_getportbyname (NULL, "telnet", "tcp", 23);
+#else
+	    port = k_getportbyname("telnet", "tcp", htons(23));
+#endif
+	}
+	mini_inetd (port);
+    } else if (argc > 0) {
+	usage();
+	/* NOT REACHED */
+    }
+
+#ifdef _SC_CRAY_SECURE_SYS
+    secflag = sysconf(_SC_CRAY_SECURE_SYS);
+
+    /*
+     *	Get socket's security label
+     */
+    if (secflag)  {
+	int szss = sizeof(ss);
+	int sock_multi;
+	int szi = sizeof(int);
+
+	memset(&dv, 0, sizeof(dv));
+
+	if (getsysv(&sysv, sizeof(struct sysv)) != 0) 
+	    fatalperror(net, "getsysv");
+
+	/*
+	 *	Get socket security label and set device values
+	 *	   {security label to be set on ttyp device}
+	 */
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+	if ((getsockopt(0, SOL_SOCKET, SO_SECURITY,
+			(void *)&ss, &szss) < 0) ||
+	    (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI,
+			(void *)&sock_multi, &szi) < 0)) 
+	    fatalperror(net, "getsockopt");
+	else {
+	    dv.dv_actlvl = ss.ss_actlabel.lt_level;
+	    dv.dv_actcmp = ss.ss_actlabel.lt_compart;
+	    if (!sock_multi) {
+		dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl;
+		dv.dv_valcmp = dv.dv_actcmp;
+	    } else {
+		dv.dv_minlvl = ss.ss_minlabel.lt_level;
+		dv.dv_maxlvl = ss.ss_maxlabel.lt_level;
+		dv.dv_valcmp = ss.ss_maxlabel.lt_compart;
+	    }
+	    dv.dv_devflg = 0;
+	}
+#else /* SO_SEC_MULTI */		/* 7.0 code */
+	if (getsockopt(0, SOL_SOCKET, SO_SECURITY,
+		       (void *)&ss, &szss) >= 0) {
+	    dv.dv_actlvl = ss.ss_slevel;
+	    dv.dv_actcmp = ss.ss_compart;
+	    dv.dv_minlvl = ss.ss_minlvl;
+	    dv.dv_maxlvl = ss.ss_maxlvl;
+	    dv.dv_valcmp = ss.ss_maxcmp;
+	}
+#endif /* SO_SEC_MULTI */
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    roken_openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+    sa_size = sizeof (__ss);
+    if (getpeername(STDIN_FILENO, sa, &sa_size) < 0) {
+	fprintf(stderr, "%s: ", progname);
+	perror("getpeername");
+	_exit(1);
+    }
+    if (keepalive &&
+	setsockopt(STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE,
+		   (void *)&on, sizeof (on)) < 0) {
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+    }
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    {
+# ifdef HAVE_GETTOSBYNAME
+	struct tosent *tp;
+	if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+	    tos = tp->t_tos;
+# endif
+	if (tos < 0)
+	    tos = 020;	/* Low Delay bit */
+	if (tos
+	    && sa->sa_family == AF_INET
+	    && (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+			   (void *)&tos, sizeof(tos)) < 0)
+	    && (errno != ENOPROTOOPT) )
+	    syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    }
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+    net = STDIN_FILENO;
+    doit(sa, sa_size);
+    /* NOTREACHED */
+    return 0;
+}  /* end of main */
+
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: telnetd");
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-a (debug|other|otp|user|valid|off|none)]\n\t");
+#endif
+    fprintf(stderr, " [-debug]");
+#ifdef DIAGNOSTICS
+    fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-edebug]");
+#endif
+    fprintf(stderr, " [-h]");
+    fprintf(stderr, " [-L login]");
+    fprintf(stderr, " [-n]");
+#ifdef	_CRAY
+    fprintf(stderr, " [-r[lowpty]-[highpty]]");
+#endif
+    fprintf(stderr, "\n\t");
+#ifdef	HAVE_GETTOSBYNAME
+    fprintf(stderr, " [-S tos]");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-X auth-type] [-y] [-z]");
+#endif
+    fprintf(stderr, " [-u utmp_hostname_length] [-U]");
+    fprintf(stderr, " [port]\n");
+    exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *	Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+static unsigned char ttytype_sbbuf[] = {
+    IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE
+};
+
+int
+getterminaltype(char *name, size_t name_sz)
+{
+    int retval = -1;
+    void _gettermname();
+
+    settimer(baseline);
+#ifdef AUTHENTICATION
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	retval = auth_wait(name, name_sz);
+    }
+#endif
+
+#ifdef ENCRYPTION
+    send_will(TELOPT_ENCRYPT, 1);
+    send_do(TELOPT_ENCRYPT, 1);	/* esc@magic.fi */
+#endif
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_NEW_ENVIRON, 1);
+    send_do(TELOPT_OLD_ENVIRON, 1);
+    while (
+#ifdef ENCRYPTION
+	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
+	   his_will_wont_is_changing(TELOPT_TTYPE) ||
+	   his_will_wont_is_changing(TELOPT_TSPEED) ||
+	   his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+	   his_will_wont_is_changing(TELOPT_NEW_ENVIRON) ||
+	   his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
+	ttloop();
+    }
+#ifdef ENCRYPTION
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+	encrypt_wait();
+    }
+#endif
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+
+	telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+	DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+				  sizeof ttytype_sbbuf - 2););
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	while (sequenceIs(tspeedsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	while (sequenceIs(xdisplocsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	while (sequenceIs(environsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	while (sequenceIs(oenvironsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+	char first[256], last[256];
+
+	while (sequenceIs(ttypesubopt, baseline))
+	    ttloop();
+
+	/*
+	 * If the other side has already disabled the option, then
+	 * we have to just go with what we (might) have already gotten.
+	 */
+	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+	    strlcpy(first, terminaltype, sizeof(first));
+	    for(;;) {
+		/*
+		 * Save the unknown name, and request the next name.
+		 */
+		strlcpy(last, terminaltype, sizeof(last));
+		_gettermname();
+		if (terminaltypeok(terminaltype))
+		    break;
+		if ((strncmp(last, terminaltype, sizeof(last)) == 0) ||
+		    his_state_is_wont(TELOPT_TTYPE)) {
+		    /*
+		     * We've hit the end.  If this is the same as
+		     * the first name, just go with it.
+		     */
+		    if (strncmp(first, terminaltype, sizeof(first)) == 0)
+			break;
+		    /*
+		     * Get the terminal name one more time, so that
+		     * RFC1091 compliant telnets will cycle back to
+		     * the start of the list.
+		     */
+		    _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
+			strcpy(terminaltype, first);
+		    break;
+		}
+	    }
+	}
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+void
+_gettermname()
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+	return;
+    settimer(baseline);
+    telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+    DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+			      sizeof ttytype_sbbuf - 2););
+    while (sequenceIs(ttypesubopt, baseline))
+	ttloop();
+}
+
+int
+terminaltypeok(char *s)
+{
+    return 1;
+}
+
+
+char *hostname;
+char host_name[MaxHostNameLen];
+char remote_host_name[MaxHostNameLen];
+
+/*
+ * Get a pty, scan input lines.
+ */
+static void
+doit(struct sockaddr *who, int who_len)
+{
+    char *host = NULL;
+    int level;
+    int ptynum;
+    char user_name[256];
+    int error;
+    char host_addr[256];
+
+    /*
+     * Find an available pty to use.
+     */
+    ourpty = getpty(&ptynum);
+    if (ourpty < 0)
+	fatal(net, "All network ports in use");
+
+#ifdef _SC_CRAY_SECURE_SYS
+    /*
+     *	set ttyp line security label
+     */
+    if (secflag) {
+	char slave_dev[16];
+
+	snprintf(tty_dev, sizeof(tty_dev), "/dev/pty/%03d", ptynum);
+	if (setdevs(tty_dev, &dv) < 0)
+	    fatal(net, "cannot set pty security");
+	snprintf(slave_dev, sizeof(slave_dev), "/dev/ttyp%03d", ptynum);
+	if (setdevs(slave_dev, &dv) < 0)
+	    fatal(net, "cannot set tty security");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    error = getnameinfo_verified (who, who_len, host_addr, sizeof(host_addr),
+				  NULL, 0, 
+				  registerd_host_only ? NI_NAMEREQD : 0);
+    if (error)
+	fatal(net, "Couldn't resolve your address into a host name.\r\n\
+Please contact your net administrator");
+
+    /*
+     * We must make a copy because Kerberos is probably going
+     * to also do a gethost* and overwrite the static data...
+     */
+    strlcpy(remote_host_name, host_addr, sizeof(remote_host_name));
+    host = remote_host_name;
+
+    /* XXX - should be k_gethostname? */
+    gethostname(host_name, sizeof (host_name));
+    hostname = host_name;
+
+    /* Only trim if too long (and possible) */
+    if (strlen(remote_host_name) > abs(utmp_len)) {
+	char *domain = strchr(host_name, '.');
+	char *p = strchr(remote_host_name, '.');
+	if (domain && p && (strcmp(p, domain) == 0))
+	    *p = 0; /* remove domain part */
+    }
+
+
+    /*
+     * If hostname still doesn't fit utmp, use ipaddr.
+     */
+    if (strlen(remote_host_name) > abs(utmp_len))
+	strlcpy(remote_host_name,
+		host_addr,
+		sizeof(remote_host_name));
+
+#ifdef AUTHENTICATION
+    auth_encrypt_init(hostname, host, "TELNETD", 1);
+#endif
+
+    init_env();
+    /*
+     * get terminal type.
+     */
+    *user_name = 0;
+    level = getterminaltype(user_name, sizeof(user_name));
+    setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+#ifdef _SC_CRAY_SECURE_SYS
+    if (secflag) {
+	if (setulvl(dv.dv_actlvl) < 0)
+	    fatal(net,"cannot setulvl()");
+	if (setucmp(dv.dv_actcmp) < 0)
+	    fatal(net, "cannot setucmp()");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    /* begin server processing */
+    my_telnet(net, ourpty, host, level, user_name);
+    /*NOTREACHED*/
+}  /* end of doit */
+
+/* output contents of /etc/issue.net, or /etc/issue */
+static void
+show_issue(void)
+{
+    FILE *f;
+    char buf[128];
+    f = fopen("/etc/issue.net", "r");
+    if(f == NULL)
+	f = fopen("/etc/issue", "r");
+    if(f){
+	while(fgets(buf, sizeof(buf)-2, f)){
+	    strcpy(buf + strcspn(buf, "\r\n"), "\r\n");
+	    writenet((unsigned char*)buf, strlen(buf));
+	}
+	fclose(f);
+    }
+}
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+void
+my_telnet(int f, int p, char *host, int level, char *autoname)
+{
+    int on = 1;
+    char *he;
+    char *IM;
+    int nfd;
+    int startslave_called = 0;
+    time_t timeout;
+
+    /*
+     * Initialize the slc mapping table.
+     */
+    get_slc_defaults();
+
+    /*
+     * Do some tests where it is desireable to wait for a response.
+     * Rather than doing them slowly, one at a time, do them all
+     * at once.
+     */
+    if (my_state_is_wont(TELOPT_SGA))
+	send_will(TELOPT_SGA, 1);
+    /*
+     * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+     * because 4.2 clients are unable to deal with TCP urgent data.
+     *
+     * To find out, we send out a "DO ECHO".  If the remote system
+     * answers "WILL ECHO" it is probably a 4.2 client, and we note
+     * that fact ("WILL ECHO" ==> that the client will echo what
+     * WE, the server, sends it; it does NOT mean that the client will
+     * echo the terminal input).
+     */
+    send_do(TELOPT_ECHO, 1);
+
+    /*
+     * Send along a couple of other options that we wish to negotiate.
+     */
+    send_do(TELOPT_NAWS, 1);
+    send_will(TELOPT_STATUS, 1);
+    flowmode = 1;		/* default flow control state */
+    restartany = -1;	/* uninitialized... */
+    send_do(TELOPT_LFLOW, 1);
+
+    /*
+     * Spin, waiting for a response from the DO ECHO.  However,
+     * some REALLY DUMB telnets out there might not respond
+     * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+     * telnets so far seem to respond with WONT for a DO that
+     * they don't understand...) because by the time we get the
+     * response, it will already have processed the DO ECHO.
+     * Kludge upon kludge.
+     */
+    while (his_will_wont_is_changing(TELOPT_NAWS))
+	ttloop();
+
+    /*
+     * But...
+     * The client might have sent a WILL NAWS as part of its
+     * startup code; if so, we'll be here before we get the
+     * response to the DO ECHO.  We'll make the assumption
+     * that any implementation that understands about NAWS
+     * is a modern enough implementation that it will respond
+     * to our DO ECHO request; hence we'll do another spin
+     * waiting for the ECHO option to settle down, which is
+     * what we wanted to do in the first place...
+     */
+    if (his_want_state_is_will(TELOPT_ECHO) &&
+	his_state_is_will(TELOPT_NAWS)) {
+	while (his_will_wont_is_changing(TELOPT_ECHO))
+	    ttloop();
+    }
+    /*
+     * On the off chance that the telnet client is broken and does not
+     * respond to the DO ECHO we sent, (after all, we did send the
+     * DO NAWS negotiation after the DO ECHO, and we won't get here
+     * until a response to the DO NAWS comes back) simulate the
+     * receipt of a will echo.  This will also send a WONT ECHO
+     * to the client, since we assume that the client failed to
+     * respond because it believes that it is already in DO ECHO
+     * mode, which we do not want.
+     */
+    if (his_want_state_is_will(TELOPT_ECHO)) {
+	DIAG(TD_OPTIONS,
+	     {output_data("td: simulating recv\r\n");
+	     });
+	willoption(TELOPT_ECHO);
+    }
+
+    /*
+     * Finally, to clean things up, we turn on our echo.  This
+     * will break stupid 4.2 telnets out of local terminal echo.
+     */
+
+    if (my_state_is_wont(TELOPT_ECHO))
+	send_will(TELOPT_ECHO, 1);
+
+#ifdef TIOCPKT
+#ifdef	STREAMSPTY
+    if (!really_stream)
+#endif
+	/*
+	 * Turn on packet mode
+	 */
+	ioctl(p, TIOCPKT, (char *)&on);
+#endif
+
+
+    /*
+     * Call telrcv() once to pick up anything received during
+     * terminal type negotiation, 4.2/4.3 determination, and
+     * linemode negotiation.
+     */
+    telrcv();
+
+    ioctl(f, FIONBIO, (char *)&on);
+    ioctl(p, FIONBIO, (char *)&on);
+
+#if	defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
+	       (void *)&on, sizeof on);
+#endif	/* defined(SO_OOBINLINE) */
+
+#ifdef	SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef	SIGTTOU
+    /*
+     * Ignoring SIGTTOU keeps the kernel from blocking us
+     * in ttioct() in /sys/tty.c.
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+
+    signal(SIGCHLD, cleanup);
+
+#ifdef  TIOCNOTTY
+    {
+	int t;
+	t = open(_PATH_TTY, O_RDWR);
+	if (t >= 0) {
+	    ioctl(t, TIOCNOTTY, (char *)0);
+	    close(t);
+	}
+    }
+#endif
+
+    show_issue();
+    /*
+     * Show banner that getty never gave.
+     *
+     * We put the banner in the pty input buffer.  This way, it
+     * gets carriage return null processing, etc., just like all
+     * other pty --> client data.
+     */
+
+    if (getenv("USER"))
+	hostinfo = 0;
+
+    IM = DEFAULT_IM;
+    he = 0;
+    edithost(he, host_name);
+    if (hostinfo && *IM)
+	putf(IM, ptyibuf2);
+
+    if (pcc)
+	strncat(ptyibuf2, ptyip, pcc+1);
+    ptyip = ptyibuf2;
+    pcc = strlen(ptyip);
+
+    DIAG(TD_REPORT, {
+	output_data("td: Entering processing loop\r\n");
+    });
+
+
+    nfd = ((f > p) ? f : p) + 1;
+    timeout = time(NULL) + 5;
+    for (;;) {
+	fd_set ibits, obits, xbits;
+	int c;
+
+	/* wait for encryption to be turned on, but don't wait
+           indefinitely */
+	if(!startslave_called && (!encrypt_delay() || timeout > time(NULL))){
+	    startslave_called = 1;
+	    startslave(host, level, autoname);
+	}
+
+	if (ncc < 0 && pcc < 0)
+	    break;
+
+	FD_ZERO(&ibits);
+	FD_ZERO(&obits);
+	FD_ZERO(&xbits);
+	/*
+	 * Never look for input if there's still
+	 * stuff in the corresponding output buffer
+	 */
+	if (nfrontp - nbackp || pcc > 0) {
+	    FD_SET(f, &obits);
+	} else {
+	    FD_SET(p, &ibits);
+	}
+	if (pfrontp - pbackp || ncc > 0) {
+	    FD_SET(p, &obits);
+	} else {
+	    FD_SET(f, &ibits);
+	}
+	if (!SYNCHing) {
+	    FD_SET(f, &xbits);
+	}
+	if ((c = select(nfd, &ibits, &obits, &xbits,
+			(struct timeval *)0)) < 1) {
+	    if (c == -1) {
+		if (errno == EINTR) {
+		    continue;
+		}
+	    }
+	    sleep(5);
+	    continue;
+	}
+
+	/*
+	 * Any urgent data?
+	 */
+	if (FD_ISSET(net, &xbits)) {
+	    SYNCHing = 1;
+	}
+
+	/*
+	 * Something to read from the network...
+	 */
+	if (FD_ISSET(net, &ibits)) {
+#ifndef SO_OOBINLINE
+	    /*
+	     * In 4.2 (and 4.3 beta) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	    if (SYNCHing) {
+		int atmark;
+
+		ioctl(net, SIOCATMARK, (char *)&atmark);
+		if (atmark) {
+		    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+		    if ((ncc == -1) && (errno == EINVAL)) {
+			ncc = read(net, netibuf, sizeof (netibuf));
+			if (sequenceIs(didnetreceive, gotDM)) {
+			    SYNCHing = stilloob(net);
+			}
+		    }
+		} else {
+		    ncc = read(net, netibuf, sizeof (netibuf));
+		}
+	    } else {
+		ncc = read(net, netibuf, sizeof (netibuf));
+	    }
+	    settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE)) */
+	    ncc = read(net, netibuf, sizeof (netibuf));
+#endif	/* !defined(SO_OOBINLINE)) */
+	    if (ncc < 0 && errno == EWOULDBLOCK)
+		ncc = 0;
+	    else {
+		if (ncc <= 0) {
+		    break;
+		}
+		netip = netibuf;
+	    }
+	    DIAG((TD_REPORT | TD_NETDATA), {
+		output_data("td: netread %d chars\r\n", ncc);
+		});
+	    DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+	}
+
+	/*
+	 * Something to read from the pty...
+	 */
+	if (FD_ISSET(p, &ibits)) {
+#ifdef STREAMSPTY
+	    if (really_stream)
+		pcc = readstream(p, ptyibuf, BUFSIZ);
+	    else
+#endif
+		pcc = read(p, ptyibuf, BUFSIZ);
+
+	    /*
+	     * On some systems, if we try to read something
+	     * off the master side before the slave side is
+	     * opened, we get EIO.
+	     */
+	    if (pcc < 0 && (errno == EWOULDBLOCK ||
+#ifdef	EAGAIN
+			    errno == EAGAIN ||
+#endif
+			    errno == EIO)) {
+		pcc = 0;
+	    } else {
+		if (pcc <= 0)
+		    break;
+		if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+		    netclear();	/* clear buffer back */
+#ifndef	NO_URGENT
+		    /*
+		     * There are client telnets on some
+		     * operating systems get screwed up
+		     * royally if we send them urgent
+		     * mode data.
+		     */
+		    output_data ("%c%c", IAC, DM);
+
+		    neturg = nfrontp-1; /* off by one XXX */
+		    DIAG(TD_OPTIONS,
+			 printoption("td: send IAC", DM));
+
+#endif
+		}
+		if (his_state_is_will(TELOPT_LFLOW) &&
+		    (ptyibuf[0] &
+		     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+		    int newflow =
+			ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
+		    if (newflow != flowmode) {
+			flowmode = newflow;
+			output_data("%c%c%c%c%c%c",
+				    IAC, SB, TELOPT_LFLOW,
+				    flowmode ? LFLOW_ON
+				    : LFLOW_OFF,
+				    IAC, SE);
+			DIAG(TD_OPTIONS, printsub('>',
+						  (unsigned char *)nfrontp-4,
+						  4););
+		    }
+		}
+		pcc--;
+		ptyip = ptyibuf+1;
+	    }
+	}
+
+	while (pcc > 0) {
+	    if ((&netobuf[BUFSIZ] - nfrontp) < 3)
+		break;
+	    c = *ptyip++ & 0377, pcc--;
+	    if (c == IAC)
+		*nfrontp++ = c;
+	    *nfrontp++ = c;
+	    if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
+		if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+		    *nfrontp++ = *ptyip++ & 0377;
+		    pcc--;
+		} else
+		    *nfrontp++ = '\0';
+	    }
+	}
+
+	if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+	    netflush();
+	if (ncc > 0)
+	    telrcv();
+	if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+	    ptyflush();
+    }
+    cleanup(0);
+}
+
+#ifndef	TCSIG
+# ifdef	TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+#ifdef	STREAMSPTY
+
+    int flowison = -1;  /* current state of flow: -1 is unknown */
+
+int
+readstream(int p, char *ibuf, int bufsize)
+{
+    int flags = 0;
+    int ret = 0;
+    struct termios *tsp;
+#if 0
+    struct termio *tp;
+#endif
+    struct iocblk *ip;
+    char vstop, vstart;
+    int ixon;
+    int newflow;
+
+    strbufc.maxlen = BUFSIZ;
+    strbufc.buf = (char *)ctlbuf;
+    strbufd.maxlen = bufsize-1;
+    strbufd.len = 0;
+    strbufd.buf = ibuf+1;
+    ibuf[0] = 0;
+
+    ret = getmsg(p, &strbufc, &strbufd, &flags);
+    if (ret < 0)  /* error of some sort -- probably EAGAIN */
+	return(-1);
+
+    if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+	/* data message */
+	if (strbufd.len > 0) {			/* real data */
+	    return(strbufd.len + 1);	/* count header char */
+	} else {
+	    /* nothing there */
+	    errno = EAGAIN;
+	    return(-1);
+	}
+    }
+
+    /*
+     * It's a control message.  Return 1, to look at the flag we set
+     */
+
+    switch (ctlbuf[0]) {
+    case M_FLUSH:
+	if (ibuf[1] & FLUSHW)
+	    ibuf[0] = TIOCPKT_FLUSHWRITE;
+	return(1);
+
+    case M_IOCTL:
+	ip = (struct iocblk *) (ibuf+1);
+
+	switch (ip->ioc_cmd) {
+#ifdef TCSETS
+	case TCSETS:
+	case TCSETSW:
+	case TCSETSF:
+	    tsp = (struct termios *)
+		(ibuf+1 + sizeof(struct iocblk));
+	    vstop = tsp->c_cc[VSTOP];
+	    vstart = tsp->c_cc[VSTART];
+	    ixon = tsp->c_iflag & IXON;
+	    break;
+#endif
+#if 0
+	case TCSETA:
+	case TCSETAW:
+	case TCSETAF:
+	    tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk));
+	    vstop = tp->c_cc[VSTOP];
+	    vstart = tp->c_cc[VSTART];
+	    ixon = tp->c_iflag & IXON;
+	    break;
+#endif
+	default:
+	    errno = EAGAIN;
+	    return(-1);
+	}
+
+	newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+	if (newflow != flowison) {  /* it's a change */
+	    flowison = newflow;
+	    ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+	    return(1);
+	}
+    }
+
+    /* nothing worth doing anything about */
+    errno = EAGAIN;
+    return(-1);
+}
+#endif /* STREAMSPTY */
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+void
+interrupt()
+{
+    ptyflush();	/* half-hearted */
+
+#if defined(STREAMSPTY) && defined(TIOCSIGNAL)
+    /* Streams PTY style ioctl to post a signal */
+    if (really_stream)
+	{
+	    int sig = SIGINT;
+	    ioctl(ourpty, TIOCSIGNAL, &sig);
+	    ioctl(ourpty, I_FLUSH, FLUSHR);
+	}
+#else
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGINT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_IP].sptr ?
+	(unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif	/* TCSIG */
+#endif
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+void
+sendbrk()
+{
+    ptyflush();	/* half-hearted */
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGQUIT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_ABORT].sptr ?
+	(unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif	/* TCSIG */
+}
+
+void
+sendsusp()
+{
+#ifdef	SIGTSTP
+    ptyflush();	/* half-hearted */
+# ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGTSTP);
+# else	/* TCSIG */
+    *pfrontp++ = slctab[SLC_SUSP].sptr ?
+	(unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif	/* TCSIG */
+#endif	/* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+void
+recv_ayt()
+{
+#if	defined(SIGINFO) && defined(TCSIG)
+    if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+	ioctl(ourpty, TCSIG, (char *)SIGINFO);
+	return;
+    }
+#endif
+    output_data("\r\n[Yes]\r\n");
+}
+
+void
+doeof()
+{
+    init_termbuf();
+
+    *pfrontp++ = slctab[SLC_EOF].sptr ?
+	(unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.h b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
new file mode 100644
index 0000000..5ad5bd8
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
+ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+/* including both <sys/ioctl.h> and <termios.h> in SunOS 4 generates a
+   lot of warnings */
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#include <signal.h>
+#include <errno.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <ctype.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <termios.h>
+
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
+
+#include "defs.h"
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((unsigned char)'\377')
+# endif
+#endif
+
+
+#ifdef HAVE_SYS_PTY_H
+#include <sys/pty.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_PTYIO_H
+#include <sys/ptyio.h>
+#endif
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+#include "ext.h"
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#ifdef KRB4
+#include <des.h>
+#include <krb.h>
+#endif
+
+#ifdef AUTHENTICATION
+#include <libtelnet/auth.h>
+#include <libtelnet/misc.h>
+#ifdef ENCRYPTION
+#include <libtelnet/encrypt.h>
+#endif
+#endif
+
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+
+#include <roken.h>
+
+/* Don't use the system login, use our version instead */
+
+/* BINDIR should be defined somewhere else... */
+
+#ifndef BINDIR
+#define BINDIR "/usr/athena/bin"
+#endif
+
+#undef _PATH_LOGIN
+#define _PATH_LOGIN	BINDIR "/login"
+
+/* fallbacks */
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif /* _PATH_TTY */
+
+#ifdef	DIAGNOSTICS
+#define	DIAG(a,b)	if (diagnostic & (a)) b
+#else
+#define	DIAG(a,b)
+#endif
+
+/* other external variables */
+extern	char **environ;
+
+/* prototypes */
+
+/* appends data to nfrontp and advances */
+int output_data (const char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
diff --git a/crypto/heimdal/appl/telnet/telnetd/termstat.c b/crypto/heimdal/appl/telnet/telnetd/termstat.c
new file mode 100644
index 0000000..80ee145
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/termstat.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: termstat.c,v 1.11 1997/05/11 06:30:04 assar Exp $");
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef	TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+
+/*
+ * flowstat
+ *
+ * Check for changes to flow control
+ */
+void
+flowstat()
+{
+    if (his_state_is_will(TELOPT_LFLOW)) {
+	if (tty_flowmode() != flowmode) {
+	    flowmode = tty_flowmode();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			flowmode ? LFLOW_ON : LFLOW_OFF,
+			IAC, SE);
+	}
+	if (tty_restartany() != restartany) {
+	    restartany = tty_restartany();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			restartany ? LFLOW_RESTART_ANY
+			: LFLOW_RESTART_XON,
+			IAC, SE);
+	}
+    }
+}
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+void
+clientstat(int code, int parm1, int parm2)
+{
+    void netflush();
+
+    /*
+     * Get a copy of terminal characteristics.
+     */
+    init_termbuf();
+
+    /*
+     * Process request from client. code tells what it is.
+     */
+    switch (code) {
+    case TELOPT_NAWS:
+#ifdef	TIOCSWINSZ
+	{
+	    struct winsize ws;
+
+	    def_col = parm1;
+	    def_row = parm2;
+
+	    /*
+	     * Change window size as requested by client.
+	     */
+
+	    ws.ws_col = parm1;
+	    ws.ws_row = parm2;
+	    ioctl(ourpty, TIOCSWINSZ, (char *)&ws);
+	}
+#endif	/* TIOCSWINSZ */
+
+    break;
+
+    case TELOPT_TSPEED:
+	{
+	    def_tspeed = parm1;
+	    def_rspeed = parm2;
+	    /*
+	     * Change terminal speed as requested by client.
+	     * We set the receive speed first, so that if we can't
+	     * store seperate receive and transmit speeds, the transmit
+	     * speed will take precedence.
+	     */
+	    tty_rspeed(parm2);
+	    tty_tspeed(parm1);
+	    set_termbuf();
+
+	    break;
+
+	}  /* end of case TELOPT_TSPEED */
+
+    default:
+	/* What? */
+	break;
+    }  /* end of switch */
+
+    netflush();
+
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/utility.c b/crypto/heimdal/appl/telnet/telnetd/utility.c
new file mode 100644
index 0000000..1e9be5c
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/utility.c
@@ -0,0 +1,1162 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define PRINTOPTIONS
+#include "telnetd.h"
+
+RCSID("$Id: utility.c,v 1.22 1999/09/16 20:41:38 assar Exp $");
+
+/*
+ * utility functions performing io related tasks
+ */
+
+/*
+ * ttloop
+ *
+ * A small subroutine to flush the network output buffer, get some
+ * data from the network, and pass it through the telnet state
+ * machine.  We also flush the pty input buffer (by dropping its data)
+ * if it becomes too full.
+ *
+ * return 0 if OK or 1 if interrupted by a signal.
+ */
+
+int
+ttloop(void)
+{
+    void netflush(void);
+    
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop\r\n");
+    });
+    if (nfrontp-nbackp)
+	netflush();
+    ncc = read(net, netibuf, sizeof netibuf);
+    if (ncc < 0) {
+	if (errno == EINTR)
+	    return 1;
+	syslog(LOG_INFO, "ttloop:  read: %m\n");
+	exit(1);
+    } else if (ncc == 0) {
+	syslog(LOG_INFO, "ttloop:  peer died: %m\n");
+	exit(1);
+    }
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop read %d chars\r\n", ncc);
+    });
+    netip = netibuf;
+    telrcv();			/* state machine */
+    if (ncc > 0) {
+	pfrontp = pbackp = ptyobuf;
+	telrcv();
+    }
+    return 0;
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+int
+stilloob(int s)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(s, &excepts);
+	value = select(s+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	fatalperror(ourpty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+void
+ptyflush(void)
+{
+    int n;
+
+    if ((n = pfrontp - pbackp) > 0) {
+	DIAG((TD_REPORT | TD_PTYDATA), { 
+	    output_data("td: ptyflush %d chars\r\n", n);
+	});
+	DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+	n = write(ourpty, pbackp, n);
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    pbackp += n;
+    if (pbackp == pfrontp)
+	pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+char *
+nextitem(char *current)
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:{
+	/* loop forever looking for the SE */
+	char *look = current+2;
+
+	for (;;) {
+	    if ((*look++&0xff) == IAC) {
+		if ((*look++&0xff) == SE) {
+		    return look;
+		}
+	    }
+	}
+    }
+    default:
+	return current+2;
+    }
+}
+
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+void
+netclear(void)
+{
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+			 ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#ifdef ENCRYPTION
+	thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else
+	thisitem = netobuf;
+#endif
+
+	while ((next = nextitem(thisitem)) <= nbackp) {
+	    thisitem = next;
+	}
+
+	/* Now, thisitem is first before/at boundary. */
+
+#ifdef ENCRYPTION
+	good = nclearto > netobuf ? nclearto : netobuf;
+#else
+	good = netobuf;	/* where the good bytes go */
+#endif
+
+	while (nfrontp > thisitem) {
+	    if (wewant(thisitem)) {
+		int length;
+
+		next = thisitem;
+		do {
+		    next = nextitem(next);
+		} while (wewant(next) && (nfrontp > next));
+		length = next-thisitem;
+		memmove(good, thisitem, length);
+		good += length;
+		thisitem = next;
+	    } else {
+		thisitem = nextitem(thisitem);
+	    }
+	}
+
+	nbackp = netobuf;
+	nfrontp = good;		/* next byte to be sent */
+	neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ */
+void
+netflush(void)
+{
+    int n;
+    extern int not42;
+
+    if ((n = nfrontp - nbackp) > 0) {
+	DIAG(TD_REPORT,
+	     { n += output_data("td: netflush %d chars\r\n", n);
+	     });
+#ifdef ENCRYPTION
+	if (encrypt_output) {
+	    char *s = nclearto ? nclearto : nbackp;
+	    if (nfrontp - s > 0) {
+		(*encrypt_output)((unsigned char *)s, nfrontp-s);
+		nclearto = nfrontp;
+	    }
+	}
+#endif
+	/*
+	 * if no urgent data, or if the other side appears to be an
+	 * old 4.2 client (and thus unable to survive TCP urgent data),
+	 * write the entire buffer in non-OOB mode.
+	 */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	if ((neturg == 0) || (not42 == 0)) {
+#endif
+	    n = write(net, nbackp, n);	/* normal write */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	} else {
+	    n = neturg - nbackp;
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    if (n > 1) {
+		n = send(net, nbackp, n-1, 0);	/* send URGENT all by itself */
+	    } else {
+		n = send(net, nbackp, n, MSG_OOB);	/* URGENT data */
+	    }
+	}
+#endif
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    nbackp += n;
+#ifdef ENCRYPTION
+    if (nbackp > nclearto)
+	nclearto = 0;
+#endif
+    if (nbackp >= neturg) {
+	neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+	nbackp = nfrontp = netobuf;
+#ifdef ENCRYPTION
+	nclearto = 0;
+#endif
+    }
+    return;
+}
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+void
+writenet(unsigned char *ptr, int len)
+{
+    /* flush buffer if no room for new data) */
+    while ((&netobuf[BUFSIZ] - nfrontp) < len) {
+	/* if this fails, don't worry, buffer is a little big */
+	netflush();
+    }
+
+    memmove(nfrontp, ptr, len);
+    nfrontp += len;
+}
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+void fatal(int f, char *msg)
+{
+    char buf[BUFSIZ];
+
+    snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#ifdef ENCRYPTION
+    if (encrypt_output) {
+	/*
+	 * Better turn off encryption first....
+	 * Hope it flushes...
+	 */
+	encrypt_send_end();
+	netflush();
+    }
+#endif
+    write(f, buf, (int)strlen(buf));
+    sleep(1);	/*XXX*/
+    exit(1);
+}
+
+void
+fatalperror(int f, const char *msg)
+{
+    char buf[BUFSIZ];
+    
+    snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
+    fatal(f, buf);
+}
+
+char editedhost[32];
+
+void edithost(char *pat, char *host)
+{
+    char *res = editedhost;
+
+    if (!pat)
+	pat = "";
+    while (*pat) {
+	switch (*pat) {
+
+	case '#':
+	    if (*host)
+		host++;
+	    break;
+
+	case '@':
+	    if (*host)
+		*res++ = *host++;
+	    break;
+
+	default:
+	    *res++ = *pat;
+	    break;
+	}
+	if (res == &editedhost[sizeof editedhost - 1]) {
+	    *res = '\0';
+	    return;
+	}
+	pat++;
+    }
+    if (*host)
+	strlcpy (res, host,
+			 sizeof editedhost - (res - editedhost));
+    else
+	*res = '\0';
+    editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+void
+putstr(char *s)
+{
+
+    while (*s)
+	putchr(*s++);
+}
+
+void
+putchr(int cc)
+{
+    *putlocation++ = cc;
+}
+
+/*
+ * This is split on two lines so that SCCS will not see the M
+ * between two % signs and expand it...
+ */
+static char fmtstr[] = { "%l:%M" "%P on %A, %d %B %Y" };
+
+void putf(char *cp, char *where)
+{
+#ifdef HAVE_UNAME
+    struct utsname name;
+#endif
+    char *slash;
+    time_t t;
+    char db[100];
+
+    /* if we don't have uname, set these to sensible values */
+    char *sysname = "Unix", 
+	*machine = "", 
+	*release = "",
+	*version = ""; 
+
+#ifdef HAVE_UNAME
+    uname(&name);
+    sysname=name.sysname;
+    machine=name.machine;
+    release=name.release;
+    version=name.version;
+#endif
+
+    putlocation = where;
+
+    while (*cp) {
+	if (*cp != '%') {
+	    putchr(*cp++);
+	    continue;
+	}
+	switch (*++cp) {
+
+	case 't':
+#ifdef	STREAMSPTY
+	    /* names are like /dev/pts/2 -- we want pts/2 */
+	    slash = strchr(line+1, '/');
+#else
+	    slash = strrchr(line, '/');
+#endif
+	    if (slash == (char *) 0)
+		putstr(line);
+	    else
+		putstr(&slash[1]);
+	    break;
+
+	case 'h':
+	    putstr(editedhost);
+	    break;
+
+	case 's':
+	    putstr(sysname);
+	    break;
+
+	case 'm':
+	    putstr(machine);
+	    break;
+
+	case 'r':
+	    putstr(release);
+	    break;
+
+	case 'v':
+	    putstr(version);
+	    break;
+
+	case 'd':
+	    time(&t);
+	    strftime(db, sizeof(db), fmtstr, localtime(&t));
+	    putstr(db);
+	    break;
+
+	case '%':
+	    putchr('%');
+	    break;
+	}
+	cp++;
+    }
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+void
+printoption(char *fmt, int option)
+{
+    if (TELOPT_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELOPT(option));
+    else if (TELCMD_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELCMD(option));
+    else
+	output_data("%s %d\r\n",
+		    fmt,
+		    option);
+    return;
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+        		          	/* '<' or '>' */
+                 	         	/* where suboption data sits */
+       			       		/* length of suboption data */
+{
+    int i = 0;
+    unsigned char buf[512];
+
+    if (!(diagnostic & TD_OPTIONS))
+	return;
+
+    if (direction) {
+	output_data("td: %s suboption ",
+		    direction == '<' ? "recv" : "send");
+	if (length >= 3) {
+	    int j;
+
+	    i = pointer[length-2];
+	    j = pointer[length-1];
+
+	    if (i != IAC || j != SE) {
+		output_data("(terminated by ");
+		if (TELOPT_OK(i))
+		    output_data("%s ",
+				TELOPT(i));
+		else if (TELCMD_OK(i))
+		    output_data("%s ",
+				TELCMD(i));
+		else
+		    output_data("%d ",
+				i);
+		if (TELOPT_OK(j))
+		    output_data("%s",
+				TELOPT(j));
+		else if (TELCMD_OK(j))
+		    output_data("%s",
+				TELCMD(j));
+		else
+		    output_data("%d",
+				j);
+		output_data(", not IAC SE!) ");
+	    }
+	}
+	length -= 2;
+    }
+    if (length < 1) {
+	output_data("(Empty suboption??\?)");
+	return;
+    }
+    switch (pointer[0]) {
+    case TELOPT_TTYPE:
+	output_data("TERMINAL-TYPE ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+    case TELOPT_TSPEED:
+	output_data("TERMINAL-SPEED");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data(" IS %.*s", length-2, (char *)pointer+2);
+	    break;
+	default:
+	    if (pointer[1] == 1)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)", pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+
+    case TELOPT_LFLOW:
+	output_data("TOGGLE-FLOW-CONTROL");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case LFLOW_OFF:
+	    output_data(" OFF");
+	    break;
+	case LFLOW_ON:
+	    output_data(" ON");
+	    break;
+	case LFLOW_RESTART_ANY:
+	    output_data(" RESTART-ANY");
+	    break;
+	case LFLOW_RESTART_XON:
+	    output_data(" RESTART-XON");
+	    break;
+	default:
+	    output_data(" %d (unknown)",
+			pointer[1]);
+	}
+	for (i = 2; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_NAWS:
+	output_data("NAWS");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	if (length == 2) {
+	    output_data(" ?%d?",
+			pointer[1]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[1],
+		    pointer[2],
+		    (((unsigned int)pointer[1])<<8) + pointer[2]);
+	if (length == 4) {
+	    output_data(" ?%d?",
+			pointer[3]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[3],
+		    pointer[4],
+		    (((unsigned int)pointer[3])<<8) + pointer[4]);
+	for (i = 5; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_LINEMODE:
+	output_data("LINEMODE ");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case WILL:
+	    output_data("WILL ");
+	    goto common;
+	case WONT:
+	    output_data("WONT ");
+	    goto common;
+	case DO:
+	    output_data("DO ");
+	    goto common;
+	case DONT:
+	    output_data("DONT ");
+	common:
+	    if (length < 3) {
+		output_data("(no option??\?)");
+		break;
+	    }
+	    switch (pointer[2]) {
+	    case LM_FORWARDMASK:
+		output_data("Forward Mask");
+		for (i = 3; i < length; i++) {
+		    output_data(" %x", pointer[i]);
+		}
+		break;
+	    default:
+		output_data("%d (unknown)",
+			    pointer[2]);
+		for (i = 3; i < length; i++) {
+		    output_data(" %d",
+				pointer[i]);
+		}
+		break;
+	    }
+	    break;
+
+	case LM_SLC:
+	    output_data("SLC");
+	    for (i = 2; i < length - 2; i += 3) {
+		if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+		    output_data(" %s",
+				SLC_NAME(pointer[i+SLC_FUNC]));
+		else
+		    output_data(" %d",
+				pointer[i+SLC_FUNC]);
+		switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		case SLC_NOSUPPORT:
+		    output_data(" NOSUPPORT");
+		    break;
+		case SLC_CANTCHANGE:
+		    output_data(" CANTCHANGE");
+		    break;
+		case SLC_VARIABLE:
+		    output_data(" VARIABLE");
+		    break;
+		case SLC_DEFAULT:
+		    output_data(" DEFAULT");
+		    break;
+		}
+		output_data("%s%s%s",
+			    pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+					    SLC_FLUSHOUT| SLC_LEVELBITS)) {
+		    output_data("(0x%x)",
+				pointer[i+SLC_FLAGS]);
+		}
+		output_data(" %d;",
+			    pointer[i+SLC_VALUE]);
+		if ((pointer[i+SLC_VALUE] == IAC) &&
+		    (pointer[i+SLC_VALUE+1] == IAC))
+		    i++;
+	    }
+	    for (; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+
+	case LM_MODE:
+	    output_data("MODE ");
+	    if (length < 3) {
+		output_data("(no mode??\?)");
+		break;
+	    }
+	    {
+		char tbuf[32];
+		snprintf(tbuf,
+			 sizeof(tbuf),
+			 "%s%s%s%s%s",
+			 pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			 pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			 pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			 pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			 pointer[2]&MODE_ACK ? "|ACK" : "");
+		output_data("%s",
+			    tbuf[1] ? &tbuf[1] : "0");
+	    }
+	    if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+		output_data(" (0x%x)",
+			    pointer[2]);
+	    }
+	    for (i = 3; i < length; i++) {
+		output_data(" ?0x%x?",
+			 pointer[i]);
+	    }
+	    break;
+	default:
+	    output_data("%d (unknown)",
+			pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	}
+	break;
+
+    case TELOPT_STATUS: {
+	char *cp;
+	int j, k;
+
+	output_data("STATUS");
+
+	switch (pointer[1]) {
+	default:
+	    if (pointer[1] == TELQUAL_SEND)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)",
+			    pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	case TELQUAL_IS:
+	    output_data(" IS\r\n");
+
+	    for (i = 2; i < length; i++) {
+		switch(pointer[i]) {
+		case DO:	cp = "DO"; goto common2;
+		case DONT:	cp = "DONT"; goto common2;
+		case WILL:	cp = "WILL"; goto common2;
+		case WONT:	cp = "WONT"; goto common2;
+		common2:
+		i++;
+		if (TELOPT_OK(pointer[i]))
+		    output_data(" %s %s",
+				cp,
+				TELOPT(pointer[i]));
+		else
+		    output_data(" %s %d",
+				cp,
+				pointer[i]);
+
+		output_data("\r\n");
+		break;
+
+		case SB:
+		    output_data(" SB ");
+		    i++;
+		    j = k = i;
+		    while (j < length) {
+			if (pointer[j] == SE) {
+			    if (j+1 == length)
+				break;
+			    if (pointer[j+1] == SE)
+				j++;
+			    else
+				break;
+			}
+			pointer[k++] = pointer[j++];
+		    }
+		    printsub(0, &pointer[i], k - i);
+		    if (i < length) {
+			output_data(" SE");
+			i = j;
+		    } else
+			i = j - 1;
+
+		    output_data("\r\n");
+
+		    break;
+
+		default:
+		    output_data(" %d",
+				pointer[i]);
+		    break;
+		}
+	    }
+	    break;
+	}
+	break;
+    }
+
+    case TELOPT_XDISPLOC:
+	output_data("X-DISPLAY-LOCATION ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+
+    case TELOPT_NEW_ENVIRON:
+	output_data("NEW-ENVIRON ");
+	goto env_common1;
+    case TELOPT_OLD_ENVIRON:
+	output_data("OLD-ENVIRON");
+    env_common1:
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS ");
+	    goto env_common;
+	case TELQUAL_SEND:
+	    output_data("SEND ");
+	    goto env_common;
+	case TELQUAL_INFO:
+	    output_data("INFO ");
+	env_common:
+	    {
+		int noquote = 2;
+		for (i = 2; i < length; i++ ) {
+		    switch (pointer[i]) {
+		    case NEW_ENV_VAR:
+			output_data("\" VAR " + noquote);
+			noquote = 2;
+			break;
+
+		    case NEW_ENV_VALUE:
+			output_data("\" VALUE " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_ESC:
+			output_data("\" ESC " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_USERVAR:
+			output_data("\" USERVAR " + noquote);
+			noquote = 2;
+			break;
+
+		    default:
+			if (isprint(pointer[i]) && pointer[i] != '"') {
+			    if (noquote) {
+				output_data ("\"");
+				noquote = 0;
+			    }
+			    output_data ("%c", pointer[i]);
+			} else {
+			    output_data("\" %03o " + noquote,
+					pointer[i]);
+			    noquote = 2;
+			}
+			break;
+		    }
+		}
+		if (!noquote)
+		    output_data ("\"");
+		break;
+	    }
+	}
+	break;
+
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	output_data("AUTHENTICATION");
+
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_REPLY:
+	case TELQUAL_IS:
+	    output_data(" %s ",
+			(pointer[1] == TELQUAL_IS) ?
+			"IS" : "REPLY");
+	    if (AUTHTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    AUTHTYPE_NAME(pointer[2]));
+	    else
+		output_data("%d ",
+			    pointer[2]);
+	    if (length < 3) {
+		output_data("(partial suboption??\?)");
+		break;
+	    }
+	    output_data("%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+	    auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case TELQUAL_SEND:
+	    i = 2;
+	    output_data(" SEND ");
+	    while (i < length) {
+		if (AUTHTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				AUTHTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		if (++i >= length) {
+		    output_data("(partial suboption??\?)");
+		    break;
+		}
+		output_data("%s|%s ",
+			    ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			    "CLIENT" : "SERVER",
+			    ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			    "MUTUAL" : "ONE-WAY");
+		++i;
+	    }
+	    break;
+
+	case TELQUAL_NAME:
+	    i = 2;
+	    output_data(" NAME \"%.*s\"",
+			length - 2,
+			pointer);
+	    break;
+
+	default:
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	output_data("ENCRYPT");
+	if (length < 2) {
+	    output_data(" (empty suboption?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case ENCRYPT_START:
+	    output_data(" START");
+	    break;
+
+	case ENCRYPT_END:
+	    output_data(" END");
+	    break;
+
+	case ENCRYPT_REQSTART:
+	    output_data(" REQUEST-START");
+	    break;
+
+	case ENCRYPT_REQEND:
+	    output_data(" REQUEST-END");
+	    break;
+
+	case ENCRYPT_IS:
+	case ENCRYPT_REPLY:
+	    output_data(" %s ",
+			(pointer[1] == ENCRYPT_IS) ?
+			"IS" : "REPLY");
+	    if (length < 3) {
+		output_data(" (partial suboption?)");
+		break;
+	    }
+	    if (ENCTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    ENCTYPE_NAME(pointer[2]));
+	    else
+		output_data(" %d (unknown)",
+			    pointer[2]);
+
+	    encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case ENCRYPT_SUPPORT:
+	    i = 2;
+	    output_data(" SUPPORT ");
+	    while (i < length) {
+		if (ENCTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				ENCTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		i++;
+	    }
+	    break;
+
+	case ENCRYPT_ENC_KEYID:
+	    output_data(" ENC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	case ENCRYPT_DEC_KEYID:
+	    output_data(" DEC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	default:
+	    output_data(" %d (unknown)", pointer[1]);
+	encommon:
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	if (TELOPT_OK(pointer[0]))
+	    output_data("%s (unknown)",
+			TELOPT(pointer[0]));
+	else
+	    output_data("%d (unknown)",
+			pointer[i]);
+	for (i = 1; i < length; i++) {
+	    output_data(" %d", pointer[i]);
+	}
+	break;
+    }
+    output_data("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+void
+printdata(char *tag, char *ptr, int cnt)
+{
+    int i;
+    char xbuf[30];
+
+    while (cnt) {
+	/* flush net output buffer if no room for new data) */
+	if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+	    netflush();
+	}
+
+	/* add a line of output */
+	output_data("%s: ", tag);
+	for (i = 0; i < 20 && cnt; i++) {
+	    output_data("%02x", *ptr);
+	    if (isprint(*ptr)) {
+		xbuf[i] = *ptr;
+	    } else {
+		xbuf[i] = '.';
+	    }
+	    if (i % 2) {
+		output_data(" ");
+	    }
+	    cnt--;
+	    ptr++;
+	}
+	xbuf[i] = '\0';
+	output_data(" %s\r\n", xbuf);
+    }
+}
+#endif /* DIAGNOSTICS */
diff --git a/crypto/heimdal/appl/test/Makefile.am b/crypto/heimdal/appl/test/Makefile.am
new file mode 100644
index 0000000..9ae5cba
--- /dev/null
+++ b/crypto/heimdal/appl/test/Makefile.am
@@ -0,0 +1,37 @@
+# $Id: Makefile.am,v 1.13 1999/09/21 05:06:19 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
+	uu_server uu_client nt_gss_server nt_gss_client
+
+tcp_client_SOURCES = tcp_client.c common.c test_locl.h
+
+tcp_server_SOURCES = tcp_server.c common.c test_locl.h
+
+gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+uu_server_SOURCES = uu_server.c common.c test_locl.h
+
+uu_client_SOURCES = uu_client.c common.c test_locl.h
+
+gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+
+gssapi_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
+
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+
+nt_gss_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/test/Makefile.in b/crypto/heimdal/appl/test/Makefile.in
new file mode 100644
index 0000000..acada82
--- /dev/null
+++ b/crypto/heimdal/appl/test/Makefile.in
@@ -0,0 +1,708 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.13 1999/09/21 05:06:19 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client 	uu_server uu_client nt_gss_server nt_gss_client
+
+
+tcp_client_SOURCES = tcp_client.c common.c test_locl.h
+
+tcp_server_SOURCES = tcp_server.c common.c test_locl.h
+
+gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c 	gss_common.h test_locl.h
+
+
+gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c 	gss_common.h test_locl.h
+
+
+uu_server_SOURCES = uu_server.c common.c test_locl.h
+
+uu_client_SOURCES = uu_client.c common.c test_locl.h
+
+gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+
+gssapi_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
+
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+
+nt_gss_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  tcp_client$(EXEEXT) tcp_server$(EXEEXT) \
+gssapi_server$(EXEEXT) gssapi_client$(EXEEXT) uu_server$(EXEEXT) \
+uu_client$(EXEEXT) nt_gss_server$(EXEEXT) nt_gss_client$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+tcp_client_OBJECTS =  tcp_client.$(OBJEXT) common.$(OBJEXT)
+tcp_client_LDADD = $(LDADD)
+tcp_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+tcp_client_LDFLAGS = 
+tcp_server_OBJECTS =  tcp_server.$(OBJEXT) common.$(OBJEXT)
+tcp_server_LDADD = $(LDADD)
+tcp_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+tcp_server_LDFLAGS = 
+gssapi_server_OBJECTS =  gssapi_server.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+gssapi_server_LDFLAGS = 
+gssapi_client_OBJECTS =  gssapi_client.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+gssapi_client_LDFLAGS = 
+uu_server_OBJECTS =  uu_server.$(OBJEXT) common.$(OBJEXT)
+uu_server_LDADD = $(LDADD)
+uu_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+uu_server_LDFLAGS = 
+uu_client_OBJECTS =  uu_client.$(OBJEXT) common.$(OBJEXT)
+uu_client_LDADD = $(LDADD)
+uu_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+uu_client_LDFLAGS = 
+nt_gss_server_OBJECTS =  nt_gss_server.$(OBJEXT) nt_gss_common.$(OBJEXT)
+nt_gss_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+nt_gss_server_LDFLAGS = 
+nt_gss_client_OBJECTS =  nt_gss_client.$(OBJEXT) nt_gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+nt_gss_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+nt_gss_client_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(gssapi_server_SOURCES) $(gssapi_client_SOURCES) $(uu_server_SOURCES) $(uu_client_SOURCES) $(nt_gss_server_SOURCES) $(nt_gss_client_SOURCES)
+OBJECTS = $(tcp_client_OBJECTS) $(tcp_server_OBJECTS) $(gssapi_server_OBJECTS) $(gssapi_client_OBJECTS) $(uu_server_OBJECTS) $(uu_client_OBJECTS) $(nt_gss_server_OBJECTS) $(nt_gss_client_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/test/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES)
+	@rm -f tcp_client$(EXEEXT)
+	$(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS)
+
+tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES)
+	@rm -f tcp_server$(EXEEXT)
+	$(LINK) $(tcp_server_LDFLAGS) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS)
+
+gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES)
+	@rm -f gssapi_server$(EXEEXT)
+	$(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
+
+gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES)
+	@rm -f gssapi_client$(EXEEXT)
+	$(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
+
+uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES)
+	@rm -f uu_server$(EXEEXT)
+	$(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
+
+uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES)
+	@rm -f uu_client$(EXEEXT)
+	$(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS)
+
+nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES)
+	@rm -f nt_gss_server$(EXEEXT)
+	$(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
+
+nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES)
+	@rm -f nt_gss_client$(EXEEXT)
+	$(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/test
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/test/common.c b/crypto/heimdal/appl/test/common.c
new file mode 100644
index 0000000..30b2e2d
--- /dev/null
+++ b/crypto/heimdal/appl/test/common.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+
+RCSID("$Id: common.c,v 1.10 2000/02/12 21:30:47 assar Exp $");
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+int fork_flag;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "service", 's', arg_string, &service, "service to use", "service" },
+    { "fork", 'f', arg_flag, &fork_flag, "do fork" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+server_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static void
+client_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "host");
+    exit(code);
+}
+
+
+static int
+common_setup(krb5_context *context, int *argc, char **argv, 
+	     void (*usage)(int, struct getargs*, int))
+{
+    int port = 0;
+    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", 4711);
+    
+    return port;
+}
+
+int
+server_setup(krb5_context *context, int argc, char **argv)
+{
+    int port = common_setup(context, &argc, argv, server_usage);
+    if(argv[argc] != NULL)
+	server_usage(1, args, num_args);
+    return port;
+}
+
+int
+client_setup(krb5_context *context, int *argc, char **argv)
+{
+    int optind = *argc;
+    int port = common_setup(context, &optind, argv, client_usage);
+    if(*argc - optind != 1)
+	client_usage(1, args, num_args);
+    *argc = optind;
+    return port;
+}
+
+int
+client_doit (const char *hostname, int port, const char *service,
+	     int (*func)(int, const char *hostname, const char *service))
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return (*func) (s, hostname, service);
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return 1;
+}
diff --git a/crypto/heimdal/appl/test/gss_common.c b/crypto/heimdal/appl/test/gss_common.c
new file mode 100644
index 0000000..821114b
--- /dev/null
+++ b/crypto/heimdal/appl/test/gss_common.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gss_common.c,v 1.7 2000/02/12 21:31:38 assar Exp $");
+
+void
+write_token (int sock, gss_buffer_t buf)
+{
+    u_int32_t len, net_len;
+    OM_uint32 min_stat;
+
+    len = buf->length;
+
+    net_len = htonl(len);
+
+    if (write (sock, &net_len, 4) != 4)
+	err (1, "write");
+    if (write (sock, buf->value, len) != len)
+	err (1, "write");
+
+    gss_release_buffer (&min_stat, buf);
+}
+
+void
+read_token (int sock, gss_buffer_t buf)
+{
+    u_int32_t len, net_len;
+
+    if (read(sock, &net_len, 4) != 4)
+	err (1, "read");
+    len = ntohl(net_len);
+    buf->length = len;
+    buf->value  = malloc(len);
+    if (buf->value == NULL)
+	err (1, "malloc %u", len);
+    if (read (sock, buf->value, len) != len)
+	err (1, "read");
+}
+
+void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	fprintf (stderr, "%s\n", (char *)status_string.value);
+	gss_release_buffer (&new_stat, &status_string);
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+void
+gss_verr(int exitval, int status, const char *fmt, va_list ap)
+{
+    vwarnx (fmt, ap);
+    gss_print_errors (status);
+    exit (exitval);
+}
+
+void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    gss_verr (exitval, status, fmt, args);
+    va_end(args);
+}
+
diff --git a/crypto/heimdal/appl/test/gss_common.h b/crypto/heimdal/appl/test/gss_common.h
new file mode 100644
index 0000000..775126b
--- /dev/null
+++ b/crypto/heimdal/appl/test/gss_common.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gss_common.h,v 1.5 1999/12/02 17:04:56 joda Exp $ */
+
+void write_token (int sock, gss_buffer_t buf);
+void read_token (int sock, gss_buffer_t buf);
+
+void gss_print_errors (int min_stat);
+
+void gss_verr(int exitval, int status, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 3, 0)));
+
+void gss_err(int exitval, int status, const char *fmt, ...)
+    __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal/appl/test/gssapi_client.c b/crypto/heimdal/appl/test/gssapi_client.c
new file mode 100644
index 0000000..ed3c43a
--- /dev/null
+++ b/crypto/heimdal/appl/test/gssapi_client.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gssapi_client.c,v 1.12 2000/02/12 21:33:17 assar Exp $");
+
+static int
+do_trans (int sock, gss_ctx_id_t context_hdl)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+
+    /* get_mic */
+
+    input_token->length = 3;
+    input_token->value  = strdup("hej");
+
+    maj_stat = gss_get_mic(&min_stat,
+			   context_hdl,
+			   GSS_C_QOP_DEFAULT,
+			   input_token,
+			   output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_get_mic");
+
+    write_token (sock, input_token);
+    write_token (sock, output_token);
+
+    /* wrap */
+
+    input_token->length = 7;
+    input_token->value  = "hemligt";
+
+
+    maj_stat = gss_wrap (&min_stat,
+			 context_hdl,
+			 1,
+			 GSS_C_QOP_DEFAULT,
+			 input_token,
+			 NULL,
+			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_wrap");
+
+    write_token (sock, output_token);
+
+    return 0;
+}
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+
+    int context_established = 0;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t server;
+    gss_buffer_desc name_token;
+
+    name_token.length = asprintf ((char **)&name_token.value,
+				  "%s@%s", service, hostname);
+
+    maj_stat = gss_import_name (&min_stat,
+				&name_token,
+				GSS_C_NT_HOSTBASED_SERVICE,
+				&server);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat,
+		 "Error importing name `%s@%s':\n", service, hostname);
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    input_token->length = 0;
+    output_token->length = 0;
+
+    while(!context_established) {
+	maj_stat =
+	    gss_init_sec_context(&min_stat,
+				 GSS_C_NO_CREDENTIAL,
+				 &context_hdl,
+				 server,
+				 GSS_C_NO_OID,
+				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+				 0,
+				 GSS_C_NO_CHANNEL_BINDINGS,
+				 input_token,
+				 NULL,
+				 output_token,
+				 NULL,
+				 NULL);
+	if (GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_init_sec_context");
+	if (output_token->length != 0)
+	    write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    read_token (sock, input_token);
+	} else {
+	    context_established = 1;
+	}
+
+    }
+    if (fork_flag) {
+	pid_t pid;
+	int pipefd[2];
+
+	if (pipe (pipefd) < 0)
+	    err (1, "pipe");
+
+	pid = fork ();
+	if (pid < 0)
+	    err (1, "fork");
+	if (pid != 0) {
+	    gss_buffer_desc buf;
+
+	    maj_stat = gss_export_sec_context (&min_stat,
+					       &context_hdl,
+					       &buf);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_export_sec_context");
+	    write_token (pipefd[1], &buf);
+	    exit (0);
+	} else {
+	    gss_ctx_id_t context_hdl;
+	    gss_buffer_desc buf;
+
+	    close (pipefd[1]);
+	    read_token (pipefd[0], &buf);
+	    close (pipefd[0]);
+	    maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_import_sec_context");
+	    gss_release_buffer (&min_stat, &buf);
+	    return do_trans (sock, context_hdl);
+	}
+    } else {
+	return do_trans (sock, context_hdl);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context; /* XXX */
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/gssapi_server.c b/crypto/heimdal/appl/test/gssapi_server.c
new file mode 100644
index 0000000..01aa769
--- /dev/null
+++ b/crypto/heimdal/appl/test/gssapi_server.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gssapi_server.c,v 1.12 2000/02/12 21:34:11 assar Exp $");
+
+static int
+process_it(int sock,
+	   gss_ctx_id_t context_hdl,
+	   gss_name_t client_name
+	   )
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+
+    maj_stat = gss_display_name (&min_stat,
+				 client_name,
+				 &name_token,
+				 NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_display_name");
+
+    fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
+	    (char *)name_token.value);
+
+    gss_release_buffer (&min_stat, &name_token);
+
+    /* gss_verify_mic */
+
+    read_token (sock, input_token);
+    read_token (sock, output_token);
+
+    maj_stat = gss_verify_mic (&min_stat,
+			       context_hdl,
+			       input_token,
+			       output_token,
+			       NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_verify_mic");
+
+    fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length,
+	    (char *)input_token->value);
+
+    gss_release_buffer (&min_stat, input_token);
+    gss_release_buffer (&min_stat, output_token);
+
+    /* gss_unwrap */
+
+    read_token (sock, input_token);
+
+    maj_stat = gss_unwrap (&min_stat,
+			   context_hdl,
+			   input_token,
+			   output_token,
+			   NULL,
+			   NULL);
+    if(GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_unwrap");
+
+    fprintf (stderr, "gss_unwrap: %.*s\n", (int)output_token->length,
+	    (char *)output_token->value);
+
+    gss_release_buffer (&min_stat, input_token);
+    gss_release_buffer (&min_stat, output_token);
+
+    return 0;
+}
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    do {
+	read_token (sock, input_token);
+	maj_stat =
+	    gss_accept_sec_context (&min_stat,
+				    &context_hdl,
+				    GSS_C_NO_CREDENTIAL,
+				    input_token,
+				    GSS_C_NO_CHANNEL_BINDINGS,
+				    &client_name,
+				    NULL,
+				    output_token,
+				    NULL,
+				    NULL,
+				    NULL);
+	if(GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_accept_sec_context");
+	if (output_token->length != 0)
+	    write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+    } while(maj_stat & GSS_S_CONTINUE_NEEDED);
+
+    if (fork_flag) {
+	pid_t pid;
+	int pipefd[2];
+
+	if (pipe (pipefd) < 0)
+	    err (1, "pipe");
+
+	pid = fork ();
+	if (pid < 0)
+	    err (1, "fork");
+	if (pid != 0) {
+	    gss_buffer_desc buf;
+
+	    maj_stat = gss_export_sec_context (&min_stat,
+					       &context_hdl,
+					       &buf);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_export_sec_context");
+	    write_token (pipefd[1], &buf);
+	    exit (0);
+	} else {
+	    gss_ctx_id_t context_hdl;
+	    gss_buffer_desc buf;
+
+	    close (pipefd[1]);
+	    read_token (pipefd[0], &buf);
+	    close (pipefd[0]);
+	    maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_import_sec_context");
+	    gss_release_buffer (&min_stat, &buf);
+	    return process_it (sock, context_hdl, client_name);
+	}
+    } else {
+	return process_it (sock, context_hdl, client_name);
+    }
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context = NULL; /* XXX */
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_client.c b/crypto/heimdal/appl/test/nt_gss_client.c
new file mode 100644
index 0000000..e77f9f2
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_client.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_client.c,v 1.3 1999/12/04 18:16:19 assar Exp $");
+
+/*
+ * This program tries to act as a client for the sample in `Sample
+ * SSPI Code' in Windows 2000 RC1 SDK.
+ */
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+
+    int context_established = 0;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_t input_token, output_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t server;
+    gss_buffer_desc name_token;
+
+    name_token.length = asprintf ((char **)&name_token.value,
+				  "%s@%s", service, hostname);
+
+    maj_stat = gss_import_name (&min_stat,
+				&name_token,
+				GSS_C_NT_HOSTBASED_SERVICE,
+				&server);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat,
+		 "Error importing name `%s@%s':\n", service, hostname);
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    input_token = &real_input_token;
+    output_token = &real_output_token;
+
+    input_token->length = 0;
+    output_token->length = 0;
+
+    while(!context_established) {
+	maj_stat =
+	    gss_init_sec_context(&min_stat,
+				 GSS_C_NO_CREDENTIAL,
+				 &context_hdl,
+				 server,
+				 GSS_C_NO_OID,
+				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+				 0,
+				 GSS_C_NO_CHANNEL_BINDINGS,
+				 input_token,
+				 NULL,
+				 output_token,
+				 NULL,
+				 NULL);
+	if (GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_init_sec_context");
+	if (output_token->length != 0)
+	    nt_write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    nt_read_token (sock, input_token);
+	} else {
+	    context_established = 1;
+	}
+
+    }
+
+    /* get_mic */
+
+    input_token->length = 3;
+    input_token->value  = strdup("hej");
+
+    maj_stat = gss_get_mic(&min_stat,
+			   context_hdl,
+			   GSS_C_QOP_DEFAULT,
+			   input_token,
+			   output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_get_mic");
+
+    nt_write_token (sock, input_token);
+    nt_write_token (sock, output_token);
+
+    /* wrap */
+
+    input_token->length = 7;
+    input_token->value  = "hemligt";
+
+
+    maj_stat = gss_wrap (&min_stat,
+			 context_hdl,
+			 1,
+			 GSS_C_QOP_DEFAULT,
+			 input_token,
+			 NULL,
+			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_wrap");
+
+    nt_write_token (sock, output_token);
+
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context; /* XXX */
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_common.c b/crypto/heimdal/appl/test/nt_gss_common.c
new file mode 100644
index 0000000..ab10355
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_common.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_common.c,v 1.3 1999/12/02 17:04:57 joda Exp $");
+
+/*
+ * These are functions that are needed to interoperate with the
+ * `Sample SSPI Code' in Windows 2000 RC1 SDK.
+ */
+
+/*
+ * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that 
+ * the length is written in little-endian-order.
+ */
+
+void
+nt_write_token (int sock, gss_buffer_t buf)
+{
+    unsigned char net_len[4];
+    u_int32_t len;
+    OM_uint32 min_stat;
+
+    len = buf->length;
+
+    net_len[0] = (len >>  0) & 0xFF;
+    net_len[1] = (len >>  8) & 0xFF;
+    net_len[2] = (len >> 16) & 0xFF;
+    net_len[3] = (len >> 24) & 0xFF;
+
+    if (write (sock, net_len, 4) != 4)
+	err (1, "write");
+    if (write (sock, buf->value, len) != len)
+	err (1, "write");
+
+    gss_release_buffer (&min_stat, buf);
+}
+
+/*
+ *
+ */
+
+void
+nt_read_token (int sock, gss_buffer_t buf)
+{
+    unsigned char net_len[4];
+    u_int32_t len;
+
+    if (read(sock, net_len, 4) != 4)
+	err (1, "read");
+    len = (net_len[0] <<  0)
+	| (net_len[1] <<  8)
+	| (net_len[2] << 16)
+	| (net_len[3] << 24);
+
+    buf->length = len;
+    buf->value  = malloc(len);
+    if (read (sock, buf->value, len) != len)
+	err (1, "read");
+}
+
+void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	fprintf (stderr, "%s\n", (char *)status_string.value);
+	gss_release_buffer (&new_stat, &status_string);
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+void
+gss_verr(int exitval, int status, const char *fmt, va_list ap)
+{
+    vwarnx (fmt, ap);
+    gss_print_errors (status);
+    exit (exitval);
+}
+
+void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    gss_verr (exitval, status, fmt, args);
+    va_end(args);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_common.h b/crypto/heimdal/appl/test/nt_gss_common.h
new file mode 100644
index 0000000..07428dd
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_common.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: nt_gss_common.h,v 1.2 1999/12/02 17:04:57 joda Exp $ */
+
+void nt_write_token (int sock, gss_buffer_t buf);
+void nt_read_token (int sock, gss_buffer_t buf);
+
+void gss_print_errors (int min_stat);
+
+void gss_verr(int exitval, int status, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 3, 0)));
+
+void gss_err(int exitval, int status, const char *fmt, ...)
+    __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal/appl/test/nt_gss_server.c b/crypto/heimdal/appl/test/nt_gss_server.c
new file mode 100644
index 0000000..9781ed1
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_server.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include <krb5.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_server.c,v 1.3 1999/12/16 10:29:58 assar Exp $");
+
+/*
+ * This program tries to act as a server for the sample in `Sample
+ * SSPI Code' in Windows 2000 RC1 SDK.
+ *
+ * use --dump-add to get a binary dump of the authorization data in the ticket
+ */
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+static char *auth_file;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "service", 's', arg_string, &service, "service to use", "service" },
+    { "dump-auth", 0, arg_string, &auth_file, "dump authorization data",
+      "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_t input_token, output_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    gss_buffer_desc name_token;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    input_token = &real_input_token;
+    output_token = &real_output_token;
+
+    do {
+	nt_read_token (sock, input_token);
+	maj_stat =
+	    gss_accept_sec_context (&min_stat,
+				    &context_hdl,
+				    GSS_C_NO_CREDENTIAL,
+				    input_token,
+				    GSS_C_NO_CHANNEL_BINDINGS,
+				    &client_name,
+				    NULL,
+				    output_token,
+				    NULL,
+				    NULL,
+				    NULL);
+	if(GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_accept_sec_context");
+	if (output_token->length != 0)
+	    nt_write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+    } while(maj_stat & GSS_S_CONTINUE_NEEDED);
+
+    if (auth_file != NULL) {
+	int fd = open (auth_file, O_WRONLY | O_CREAT, 0666);
+	krb5_ticket *ticket = context_hdl->ticket;
+	krb5_data *data = &ticket->ticket.authorization_data->val[0].ad_data;
+
+	if(fd < 0)
+	    err (1, "open %s", auth_file);
+	if (write (fd, data->data, data->length) != data->length)
+	    errx (1, "write to %s failed", auth_file);
+	if (close (fd))
+	    err (1, "close %s", auth_file);
+    }
+
+    maj_stat = gss_display_name (&min_stat,
+				 client_name,
+				 &name_token,
+				 NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_display_name");
+
+    fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
+	    (char *)name_token.value);
+
+    /* write something back */
+
+    output_token->value  = strdup ("hejsan");
+    output_token->length = strlen (output_token->value) + 1;
+    nt_write_token (sock, output_token);
+
+    output_token->value  = strdup ("hoppsan");
+    output_token->length = strlen (output_token->value) + 1;
+    nt_write_token (sock, output_token);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static int
+common_setup(krb5_context *context, int *argc, char **argv, 
+	     void (*usage)(int, struct getargs*, int))
+{
+    int port = 0;
+    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", 4711);
+    
+    return port;
+}
+
+static int
+setup(krb5_context *context, int argc, char **argv)
+{
+    int port = common_setup(context, &argc, argv, usage);
+    if(argv[argc] != NULL)
+	usage(1, args, num_args);
+    return port;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context = NULL; /* XXX */
+    int port = setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/tcp_client.c b/crypto/heimdal/appl/test/tcp_client.c
new file mode 100644
index 0000000..7affc43
--- /dev/null
+++ b/crypto/heimdal/appl/test/tcp_client.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: tcp_client.c,v 1.15 1999/12/16 10:30:17 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_data data;
+    krb5_data packet;
+    u_int32_t len, net_len;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_init");
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sname_to_principal");
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sendauth");
+
+    data.data   = "hej";
+    data.length = 3;
+
+    krb5_data_zero (&packet);
+
+    status = krb5_mk_safe (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_mk_safe");
+
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+	err (1, "krb5_net_write");
+    if (krb5_net_write (context, &sock, packet.data, len) != len)
+	err (1, "krb5_net_write");
+
+    data.data   = "hemligt";
+    data.length = 7;
+
+    krb5_data_free (&packet);
+
+    status = krb5_mk_priv (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_mk_priv");
+
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+	err (1, "krb5_net_write");
+    if (krb5_net_write (context, &sock, packet.data, len) != len)
+	err (1, "krb5_net_write");
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/tcp_server.c b/crypto/heimdal/appl/test/tcp_server.c
new file mode 100644
index 0000000..4469c58
--- /dev/null
+++ b/crypto/heimdal/appl/test/tcp_server.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: tcp_server.c,v 1.16 1999/12/16 10:31:08 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_ticket *ticket;
+    char *name;
+    char hostname[MAXHOSTNAMELEN];
+    krb5_data packet;
+    krb5_data data;
+    u_int32_t len, net_len;
+    ssize_t n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_init");
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
+
+    if(gethostname (hostname, sizeof(hostname)) < 0)
+	krb5_err (context, 1, errno, "gethostname");
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sname_to_principal");
+
+    status = krb5_recvauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    server,
+			    0,
+			    NULL,
+			    &ticket);
+    if (status)
+	krb5_err (context, 1, status, "krb5_recvauth");
+
+    status = krb5_unparse_name (context,
+				ticket->client,
+				&name);
+    if (status)
+	krb5_err (context, 1, status, "krb5_unparse_name");
+
+    fprintf (stderr, "User is `%s'\n", name);
+    free (name);
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+
+    len = ntohl(net_len);
+
+    krb5_data_alloc (&packet, len);
+
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+    
+    status = krb5_rd_safe (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_rd_safe");
+
+    fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+
+    len = ntohl(net_len);
+
+    krb5_data_alloc (&packet, len);
+
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+    
+    status = krb5_rd_priv (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_rd_priv");
+
+    fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    mini_inetd (port);
+
+    return proto (STDIN_FILENO, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/test_locl.h b/crypto/heimdal/appl/test/test_locl.h
new file mode 100644
index 0000000..5c4ca36
--- /dev/null
+++ b/crypto/heimdal/appl/test/test_locl.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: test_locl.h,v 1.8 2000/02/14 02:52:55 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <errno.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+#include <krb5.h>
+
+#define SERVICE "test"
+
+#define PORT "test"
+
+extern char *service;
+extern int fork_flag;
+int server_setup(krb5_context*, int, char**);
+int client_setup(krb5_context*, int*, char**);
+int client_doit (const char *hostname, int port, const char *service,
+		 int (*func)(int, const char *hostname, const char *service));
diff --git a/crypto/heimdal/appl/test/uu_client.c b/crypto/heimdal/appl/test/uu_client.c
new file mode 100644
index 0000000..204f919
--- /dev/null
+++ b/crypto/heimdal/appl/test/uu_client.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: uu_client.c,v 1.5 1999/12/04 18:17:26 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+    krb5_address remote_addr, local_addr;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal client;
+    krb5_data data;
+    krb5_data packet;
+    krb5_creds mcred, cred;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    status = krb5_init_context(&context);
+    if (status)
+	krb5_err(context, 1, status, "krb5_init_context");
+
+    status = krb5_cc_default (context, &ccache);
+    if (status)
+	krb5_err(context, 1, status, "krb5_cc_default");
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err(context, 1, status, "krb5_auth_con_init");
+
+    local_addr.addr_type = AF_INET;
+    local_addr.address.length = sizeof(local.sin_addr);
+    local_addr.address.data   = &local.sin_addr;
+
+    remote_addr.addr_type = AF_INET;
+    remote_addr.address.length = sizeof(remote.sin_addr);
+    remote_addr.address.data   = &remote.sin_addr;
+
+    status = krb5_auth_con_setaddrs (context,
+				     auth_context,
+				     &local_addr,
+				     &remote_addr);
+    if (status)
+	krb5_err(context, 1, status, "krb5_auth_con_setaddr");
+
+    status = krb5_cc_get_principal(context, ccache, &client);
+    if(status)
+	krb5_err(context, 1, status, "krb5_cc_get_principal");
+    status = krb5_make_principal(context, &mcred.server,
+				 *krb5_princ_realm(context, client), 
+				 "krbtgt", 
+				 *krb5_princ_realm(context, client),
+				 NULL);
+    if(status)
+	krb5_err(context, 1, status, "krb5_make_principal");
+    
+    status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+    if(status)
+	krb5_err(context, 1, status, "krb5_cc_retrieve_cred");
+
+    {
+	char *client_name;
+	krb5_data data;
+	status = krb5_unparse_name(context, cred.client, &client_name);
+	if(status)
+	    krb5_err(context, 1, status, "krb5_unparse_name");
+	data.data = client_name;
+	data.length = strlen(client_name) + 1;
+	status = krb5_write_message(context, &sock, &data);
+	if(status)
+	    krb5_err(context, 1, status, "krb5_write_message");
+	free(client_name);
+    }
+
+    status = krb5_write_message(context, &sock, &cred.ticket);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+
+    status = krb5_auth_con_setuserkey(context, auth_context, &cred.session);
+    if(status)
+	krb5_err(context, 1, status, "krb5_auth_con_setuserkey");
+    
+    status = krb5_recvauth(context, &auth_context, &sock, 
+			   VERSION, client, 0, NULL, NULL);
+
+    if (status)
+	krb5_err(context, 1, status, "krb5_recvauth");
+    
+    data.data   = "hej";
+    data.length = 3;
+
+    krb5_data_zero (&packet);
+
+    status = krb5_mk_safe (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err(context, 1, status, "krb5_mk_safe");
+
+    status = krb5_write_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+
+    data.data   = "hemligt";
+    data.length = 7;
+
+    krb5_data_free (&packet);
+
+    status = krb5_mk_priv (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err(context, 1, status, "krb5_mk_priv");
+
+    status = krb5_write_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/uu_server.c b/crypto/heimdal/appl/test/uu_server.c
new file mode 100644
index 0000000..fabfea2
--- /dev/null
+++ b/crypto/heimdal/appl/test/uu_server.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: uu_server.c,v 1.6 1999/12/16 10:32:44 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    int addrlen;
+    krb5_address remote_addr, local_addr;
+    krb5_ccache ccache;
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_data packet;
+    krb5_data data;
+    krb5_data client_name;
+    krb5_creds in_creds, *out_creds;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	errx (1, "krb5_auth_con_init: %s",
+	      krb5_get_err_text(context, status));
+
+    local_addr.addr_type = AF_INET;
+    local_addr.address.length = sizeof(local.sin_addr);
+    local_addr.address.data   = &local.sin_addr;
+
+    remote_addr.addr_type = AF_INET;
+    remote_addr.address.length = sizeof(remote.sin_addr);
+    remote_addr.address.data   = &remote.sin_addr;
+
+    status = krb5_auth_con_setaddrs (context,
+				     auth_context,
+				     &local_addr,
+				     &remote_addr);
+    if (status)
+	errx (1, "krb5_auth_con_setaddr: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_read_message(context, &sock, &client_name);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    memset(&in_creds, 0, sizeof(in_creds));
+    status = krb5_cc_default(context, &ccache);
+    status = krb5_cc_get_principal(context, ccache, &in_creds.client);
+
+    status = krb5_read_message(context, &sock, &in_creds.second_ticket);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+
+    status = krb5_parse_name(context, client_name.data, &in_creds.server);
+    if(status)
+	krb5_err(context, 1, status, "krb5_parse_name");
+    
+    status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache, 
+				  &in_creds, &out_creds);
+    if(status)
+	krb5_err(context, 1, status, "krb5_get_credentials");
+
+    status = krb5_cc_default(context, &ccache);
+
+    status = krb5_sendauth(context, 
+			   &auth_context,
+			   &sock, 
+			   VERSION, 
+			   in_creds.client,
+			   in_creds.server,
+			   AP_OPTS_USE_SESSION_KEY,
+			   NULL,
+			   out_creds,
+			   ccache,
+			   NULL,
+			   NULL,
+			   NULL);
+			   
+    if (status)
+	krb5_err(context, 1, status, "krb5_sendauth");
+    
+    fprintf (stderr, "User is `%.*s'\n", (int)client_name.length,
+	    (char *)client_name.data);
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    status = krb5_read_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    status = krb5_rd_safe (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	errx (1, "krb5_rd_safe: %s",
+	      krb5_get_err_text(context, status));
+
+    fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    status = krb5_read_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    status = krb5_rd_priv (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	errx (1, "krb5_rd_priv: %s",
+	      krb5_get_err_text(context, status));
+
+    fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, 
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/cf/ChangeLog b/crypto/heimdal/cf/ChangeLog
new file mode 100644
index 0000000..2c21ce2
--- /dev/null
+++ b/crypto/heimdal/cf/ChangeLog
@@ -0,0 +1,235 @@
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* krb-bigendian.m4: new file, replacement for ac_c_bigendian
+
+2000-01-01  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: re-organize: test for type of stack first so that
+	we can find the libraries that we might have to link the test
+	program against.  not linking the test program means we don't know
+	if the right stuff is in the libraries.  also cosmetic changes to
+	make sure we print the checking for... nicely
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: try linking, not only compiling
+	* krb-ipv6.m4: add --without-ipv6 make sure we have `in6addr_any'
+ 	which we use in the code.  This test avoids false positives on
+ 	OpenBSD
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing
+
+1999-11-01  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): use `cp' instead of
+ 	INSTALL_DATA for copying header files inside the build tree.  The
+ 	user might have redefined INSTALL_DATA to specify owners and other
+ 	information.
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+	* find-func-no-libs.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+1999-10-12  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument
+ 	`extra libs'
+
+	* find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra
+ 	libs'
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* capabilities.m4: sgi capabilities
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* have-struct-field.m4: quote macros when undefining
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): add dependencies
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+	
+	* have-type.m4: try to get autoheader to co-operate
+
+	* have-type.m4: stolen from Arla
+
+	* krb-struct-sockaddr-sa-len.m4: not used any longer.  removed.
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: consequent name of cache variables
+
+	* krb-func-getlogin.m4: new file for testing for posix (broken)
+ 	getlogin
+
+	* shared-libs.m4 (freebsd[34]): don't use ld -Bshareable
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-x.m4: extended test for X
+	
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* check-netinet-ip-and-tcp.m4: proper autoheader tricks
+
+	* check-netinet-ip-and-tcp.m4: new file for checking for
+ 	netinet/{ip,tcp}.h.  These are special as they on Irix 6.5.3
+	require <standards.h> to be included in advance.
+ 
+	* check-xau.m4: we also need to check for XauFilename since it's
+ 	used by appl/kx.  And on Irix 6.5 that function requires linking
+ 	with -lX11.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* krb-find-db.m4: try with more header files than ndbm.h
+
+1999-04-19  Assar Westerlund  <assar@sics.se>
+
+	* test-package.m4: try to handle the case of --without-package
+ 	correctly
+
+1999-04-17  Assar Westerlund  <assar@sics.se>
+
+	* make-aclocal: removed.  Not used anymore, being replaced by
+	aclocal from automake.
+
+Thu Apr 15 14:17:26 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make-proto.pl: handle __attribute__
+
+Fri Apr  9 20:37:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4: quote $@
+	(freebsd3): add install_symlink_command2
+
+Wed Apr  7 20:40:22 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4 (hpux): no library dependencies
+
+Mon Apr  5 16:13:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* test-package.m4: compile and link, rather than looking for
+ 	files; also export more information, so it's possible to add rpath
+ 	information
+
+Tue Mar 30 13:49:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: CFLAGS -> AM_CFLAGS
+
+Mon Mar 29 16:51:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-xau.m4: check for XauWriteAuth before checking for
+ 	XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX
+ 	6.5 that doesn't work with -lXau
+
+Sat Mar 27 18:03:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* osfc2.m4: --enable-osfc2
+
+Fri Mar 19 15:34:52 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* shared-libs.m4: move shared lib stuff here
+
+Wed Mar 24 23:24:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): simplify loop
+
+Tue Mar 23 17:31:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's
+ 	posix or not
+
+Tue Mar 23 00:00:13 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install_build_headers): try to make it work
+ 	better when list of headers is empty.  handle make rewriting the
+ 	filenames.
+
+	* Makefile.am.common: hesoid -> hesiod
+
+Sun Mar 21 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* grok-type.m4: <bind/bitypes.h>
+
+	* Makefile.am.common: fix for automake bug/feature; add more LIB_*
+
+	* test-package.m4: fix typo
+
+	* check-man.m4: fix some typos
+
+	* auth-modules.m4: tests for authentication modules
+
+Thu Mar 18 11:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: make install-build-headers a multi
+ 	dependency target
+
+	* Makefile.am.common: remove include_dir hack
+
+	* Makefile.am.common: define LIB_kafs and LIB_gssapi
+
+	* krb-find-db.m4: subst DBLIB also
+
+	* check-xau.m4: test for Xau{Read,Write}Auth
+
+Wed Mar 10 19:29:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* wflags.m4: AC_WFLAGS
+
+Mon Mar  1 11:23:41 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* have-struct-field.m4: remove extra AC_MSG_RESULT
+
+	* proto-compat.m4: typo
+
+	* krb-func-getcwd-broken.m4: update to autoconf 2.13
+
+	* krb-find-db.m4: update to autoconf 2.13
+
+	* check-declaration.m4: typo
+
+	* have-pragma-weak.m4: update to autoconf 2.13
+
+	* have-struct-field.m4: better handling of types with spaces
+
+Mon Feb 22 20:05:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* broken-glob.m4: check for broken glob
+
+Sun Jan 31 06:50:33 1999  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: more magic for different v6 implementations.  From
+ 	Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sun Nov 22 12:16:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: new file
+
+Thu Jun  4 04:07:41 1998  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: new file
+
+Fri May  1 23:31:28 1998  Assar Westerlund  <assar@sics.se>
+
+	* c-attribute.m4, c-function.m4: new files (from arla)
+
+Wed Mar 18 23:11:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Thu Feb 26 02:37:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* make-proto.pl: should work with perl4
+
diff --git a/crypto/heimdal/cf/Makefile.am.common b/crypto/heimdal/cf/Makefile.am.common
new file mode 100644
index 0000000..e7d747b
--- /dev/null
+++ b/crypto/heimdal/cf/Makefile.am.common
@@ -0,0 +1,255 @@
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS += $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+## set build_HEADERZ to headers that should just be installed in build tree
+
+buildinclude = $(top_builddir)/include
+
+## these aren't detected by automake
+LIB_XauReadAuth		= @LIB_XauReadAuth@
+LIB_crypt		= @LIB_crypt@
+LIB_dbm_firstkey	= @LIB_dbm_firstkey@
+LIB_dbopen		= @LIB_dbopen@
+LIB_dlopen		= @LIB_dlopen@
+LIB_dn_expand		= @LIB_dn_expand@
+LIB_el_init		= @LIB_el_init@
+LIB_getattr		= @LIB_getattr@
+LIB_gethostbyname	= @LIB_gethostbyname@
+LIB_getpwent_r		= @LIB_getpwent_r@
+LIB_getpwnam_r		= @LIB_getpwnam_r@
+LIB_getsockopt		= @LIB_getsockopt@
+LIB_logout		= @LIB_logout@
+LIB_logwtmp		= @LIB_logwtmp@
+LIB_odm_initialize	= @LIB_odm_initialize@
+LIB_readline		= @LIB_readline@
+LIB_res_search		= @LIB_res_search@
+LIB_setpcred		= @LIB_setpcred@
+LIB_setsockopt		= @LIB_setsockopt@
+LIB_socket		= @LIB_socket@
+LIB_syslog		= @LIB_syslog@
+LIB_tgetent		= @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+LIB_readline = @LIB_readline@
+
+LEXLIB = @LEXLIB@
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+
+NROFF_MAN = groff -mandoc -Tascii
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+## MAINTAINERCLEANFILES += 
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+if KRB4
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+endif
+
+if KRB5
+LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la
+LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+endif
+
diff --git a/crypto/heimdal/cf/auth-modules.m4 b/crypto/heimdal/cf/auth-modules.m4
new file mode 100644
index 0000000..2f11c73
--- /dev/null
+++ b/crypto/heimdal/cf/auth-modules.m4
@@ -0,0 +1,27 @@
+dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
+dnl
+dnl Figure what authentication modules should be built
+
+AC_DEFUN(AC_AUTH_MODULES,[
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+])
diff --git a/crypto/heimdal/cf/broken-glob.m4 b/crypto/heimdal/cf/broken-glob.m4
new file mode 100644
index 0000000..8d52792
--- /dev/null
+++ b/crypto/heimdal/cf/broken-glob.m4
@@ -0,0 +1,22 @@
+dnl $Id: broken-glob.m4,v 1.2 1999/03/01 09:52:15 joda Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
diff --git a/crypto/heimdal/cf/broken-snprintf.m4 b/crypto/heimdal/cf/broken-snprintf.m4
new file mode 100644
index 0000000..efd69f0
--- /dev/null
+++ b/crypto/heimdal/cf/broken-snprintf.m4
@@ -0,0 +1,58 @@
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
diff --git a/crypto/heimdal/cf/broken.m4 b/crypto/heimdal/cf/broken.m4
new file mode 100644
index 0000000..4044064
--- /dev/null
+++ b/crypto/heimdal/cf/broken.m4
@@ -0,0 +1,19 @@
+dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+END
+done
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/c-attribute.m4 b/crypto/heimdal/cf/c-attribute.m4
new file mode 100644
index 0000000..87cea03
--- /dev/null
+++ b/crypto/heimdal/cf/c-attribute.m4
@@ -0,0 +1,31 @@
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
diff --git a/crypto/heimdal/cf/c-function.m4 b/crypto/heimdal/cf/c-function.m4
new file mode 100644
index 0000000..b16d556
--- /dev/null
+++ b/crypto/heimdal/cf/c-function.m4
@@ -0,0 +1,33 @@
+dnl
+dnl $Id: c-function.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __FUNCTION__
+dnl
+
+AC_DEFUN(AC_C___FUNCTION__, [
+AC_MSG_CHECKING(for __FUNCTION__)
+AC_CACHE_VAL(ac_cv___function__, [
+AC_TRY_RUN([
+#include <string.h>
+
+static char *foo()
+{
+  return __FUNCTION__;
+}
+
+int main()
+{
+  return strcmp(foo(), "foo") != 0;
+}
+],
+ac_cv___function__=yes,
+ac_cv___function__=no,
+ac_cv___function__=no)])
+if test "$ac_cv___function__" = "yes"; then
+  AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__])
+fi
+AC_MSG_RESULT($ac_cv___function__)
+])
+
diff --git a/crypto/heimdal/cf/capabilities.m4 b/crypto/heimdal/cf/capabilities.m4
new file mode 100644
index 0000000..6d2669b
--- /dev/null
+++ b/crypto/heimdal/cf/capabilities.m4
@@ -0,0 +1,14 @@
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
diff --git a/crypto/heimdal/cf/check-declaration.m4 b/crypto/heimdal/cf/check-declaration.m4
new file mode 100644
index 0000000..5f584e5
--- /dev/null
+++ b/crypto/heimdal/cf/check-declaration.m4
@@ -0,0 +1,25 @@
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
diff --git a/crypto/heimdal/cf/check-getpwnam_r-posix.m4 b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
new file mode 100644
index 0000000..cc75666
--- /dev/null
+++ b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
@@ -0,0 +1,24 @@
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-man.m4 b/crypto/heimdal/cf/check-man.m4
new file mode 100644
index 0000000..2133069
--- /dev/null
+++ b/crypto/heimdal/cf/check-man.m4
@@ -0,0 +1,59 @@
+dnl $Id: check-man.m4,v 1.2 1999/03/21 14:30:50 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(AC_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$ext'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4 b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
new file mode 100644
index 0000000..8cb529d
--- /dev/null
+++ b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
@@ -0,0 +1,38 @@
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_MSG_CHECKING([for $i])
+AC_CACHE_VAL([ac_cv_header_$cv],
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
+changequote(, )dnl
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+changequote([, ])dnl
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+dnl autoheader tricks *sigh*
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+])
diff --git a/crypto/heimdal/cf/check-type-extra.m4 b/crypto/heimdal/cf/check-type-extra.m4
new file mode 100644
index 0000000..e6af4bd
--- /dev/null
+++ b/crypto/heimdal/cf/check-type-extra.m4
@@ -0,0 +1,23 @@
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
diff --git a/crypto/heimdal/cf/check-var.m4 b/crypto/heimdal/cf/check-var.m4
new file mode 100644
index 0000000..9f37366
--- /dev/null
+++ b/crypto/heimdal/cf/check-var.m4
@@ -0,0 +1,20 @@
+dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl AC_CHECK_VAR(includes, variable)
+AC_DEFUN(AC_CHECK_VAR, [
+AC_MSG_CHECKING(for $2)
+AC_CACHE_VAL(ac_cv_var_$2, [
+AC_TRY_LINK([extern int $2;
+int foo() { return $2; }],
+	    [foo()],
+	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+])
+define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
+
+AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
+if test `eval echo \\$ac_cv_var_$2` = yes; then
+	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
+	AC_CHECK_DECLARATION([$1],[$2])
+fi
+undefine([foo])
+])
diff --git a/crypto/heimdal/cf/check-x.m4 b/crypto/heimdal/cf/check-x.m4
new file mode 100644
index 0000000..1791e5a
--- /dev/null
+++ b/crypto/heimdal/cf/check-x.m4
@@ -0,0 +1,52 @@
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
diff --git a/crypto/heimdal/cf/check-xau.m4 b/crypto/heimdal/cf/check-xau.m4
new file mode 100644
index 0000000..bad2a60
--- /dev/null
+++ b/crypto/heimdal/cf/check-xau.m4
@@ -0,0 +1,64 @@
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+## check for XauWriteAuth first, so we detect the case where
+## XauReadAuth is in -lX11, but XauWriteAuth is only in -lXau this
+## could be done by checking for XauReadAuth in -lXau first, but this
+## breaks in IRIX 6.5
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+## set LIB_XauReadAuth to union of these tests, since this is what the
+## Makefiles are using
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
diff --git a/crypto/heimdal/cf/find-func-no-libs.m4 b/crypto/heimdal/cf/find-func-no-libs.m4
new file mode 100644
index 0000000..3deab02
--- /dev/null
+++ b/crypto/heimdal/cf/find-func-no-libs.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
diff --git a/crypto/heimdal/cf/find-func-no-libs2.m4 b/crypto/heimdal/cf/find-func-no-libs2.m4
new file mode 100644
index 0000000..c404a7c
--- /dev/null
+++ b/crypto/heimdal/cf/find-func-no-libs2.m4
@@ -0,0 +1,63 @@
+dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+@@@libs="$libs $2"@@@
+END
+
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/heimdal/cf/find-func.m4 b/crypto/heimdal/cf/find-func.m4
new file mode 100644
index 0000000..bb2b3ac
--- /dev/null
+++ b/crypto/heimdal/cf/find-func.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
diff --git a/crypto/heimdal/cf/find-if-not-broken.m4 b/crypto/heimdal/cf/find-if-not-broken.m4
new file mode 100644
index 0000000..e855ec7
--- /dev/null
+++ b/crypto/heimdal/cf/find-if-not-broken.m4
@@ -0,0 +1,13 @@
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/grok-type.m4 b/crypto/heimdal/cf/grok-type.m4
new file mode 100644
index 0000000..5bc6a66
--- /dev/null
+++ b/crypto/heimdal/cf/grok-type.m4
@@ -0,0 +1,38 @@
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
diff --git a/crypto/heimdal/cf/have-pragma-weak.m4 b/crypto/heimdal/cf/have-pragma-weak.m4
new file mode 100644
index 0000000..330e601
--- /dev/null
+++ b/crypto/heimdal/cf/have-pragma-weak.m4
@@ -0,0 +1,37 @@
+dnl $Id: have-pragma-weak.m4,v 1.3 1999/03/01 11:55:25 joda Exp $
+dnl
+AC_DEFUN(AC_HAVE_PRAGMA_WEAK, [
+if test "${enable_shared}" = "yes"; then
+AC_MSG_CHECKING(for pragma weak)
+AC_CACHE_VAL(ac_have_pragma_weak, [
+ac_have_pragma_weak=no
+cat > conftest_foo.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+#pragma weak foo = _foo
+int _foo = 17;
+EOF
+cat > conftest_bar.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+extern int foo;
+
+int t() {
+  return foo;
+}
+
+int main() {
+  return t();
+}
+EOF
+if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then
+ac_have_pragma_weak=yes
+fi
+rm -rf conftest*
+])
+if test "$ac_have_pragma_weak" = "yes"; then
+	AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl
+fi
+AC_MSG_RESULT($ac_have_pragma_weak)
+fi
+])
diff --git a/crypto/heimdal/cf/have-struct-field.m4 b/crypto/heimdal/cf/have-struct-field.m4
new file mode 100644
index 0000000..88ad5c3
--- /dev/null
+++ b/crypto/heimdal/cf/have-struct-field.m4
@@ -0,0 +1,19 @@
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
diff --git a/crypto/heimdal/cf/have-type.m4 b/crypto/heimdal/cf/have-type.m4
new file mode 100644
index 0000000..e882847
--- /dev/null
+++ b/crypto/heimdal/cf/have-type.m4
@@ -0,0 +1,32 @@
+dnl $Id: have-type.m4,v 1.5 1999/12/31 03:10:22 assar Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+AC_REQUIRE([AC_HEADER_STDC])
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+dnl autoheader tricks *sigh*
+define(foo,translit($1, [ ], [_]))
+: << END
+@@@funcs="$funcs foo"@@@
+END
+undefine([foo])
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+])
diff --git a/crypto/heimdal/cf/have-types.m4 b/crypto/heimdal/cf/have-types.m4
new file mode 100644
index 0000000..7c85c5d
--- /dev/null
+++ b/crypto/heimdal/cf/have-types.m4
@@ -0,0 +1,14 @@
+dnl
+dnl $Id: have-types.m4,v 1.1 1999/07/24 18:38:58 assar Exp $
+dnl
+
+AC_DEFUN(AC_HAVE_TYPES, [
+for i in $1; do
+        AC_HAVE_TYPE($i)
+done
+: << END
+changequote(`,')dnl
+@@@funcs="$funcs $1"@@@
+changequote([,])dnl
+END
+])
diff --git a/crypto/heimdal/cf/krb-bigendian.m4 b/crypto/heimdal/cf/krb-bigendian.m4
new file mode 100644
index 0000000..0efbbd0
--- /dev/null
+++ b/crypto/heimdal/cf/krb-bigendian.m4
@@ -0,0 +1,57 @@
+dnl
+dnl $Id: krb-bigendian.m4,v 1.5 2000/01/08 10:34:44 assar Exp $
+dnl
+
+dnl check if this computer is little or big-endian
+dnl if we can figure it out at compile-time then don't define the cpp symbol
+dnl otherwise test for it and define it.  also allow options for overriding
+dnl it when cross-compiling
+
+AC_DEFUN(KRB_C_BIGENDIAN, [
+AC_ARG_ENABLE(bigendian,
+[  --enable-bigendian	the target is big endian],
+krb_cv_c_bigendian=yes)
+AC_ARG_ENABLE(littleendian,
+[  --enable-littleendian	the target is little endian],
+krb_cv_c_bigendian=no)
+AC_CACHE_CHECK(whether byte order is known at compile time,
+krb_cv_c_bigendian_compile,
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+if test "$krb_cv_c_bigendian_compile" = "no"; then
+  AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian" = ""; then
+    krb_cv_c_bigendian=unknown
+  fi
+  AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+  if test "$krb_cv_c_bigendian" = "unknown"; then
+    AC_TRY_RUN([main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+      } u;
+      u.l = 1;
+      exit (u.c[sizeof (long) - 1] == 1);
+    }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+    AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  fi
+  ])
+  if test "$krb_cv_c_bigendian" = "yes"; then
+    AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+  fi
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
+fi
+])
diff --git a/crypto/heimdal/cf/krb-find-db.m4 b/crypto/heimdal/cf/krb-find-db.m4
new file mode 100644
index 0000000..5080049
--- /dev/null
+++ b/crypto/heimdal/cf/krb-find-db.m4
@@ -0,0 +1,98 @@
+dnl $Id: krb-find-db.m4,v 1.5 1999/05/08 02:24:04 assar Exp $
+dnl
+dnl find a suitable database library
+dnl
+dnl AC_FIND_DB(libraries)
+AC_DEFUN(KRB_FIND_DB, [
+
+lib_dbm=no
+lib_db=no
+
+for i in $1; do
+
+	if test "$i"; then
+		m="lib$i"
+		l="-l$i"
+	else
+		m="libc"
+		l=""
+	fi	
+
+	AC_MSG_CHECKING(for dbm_open in $m)
+	AC_CACHE_VAL(ac_cv_krb_dbm_open_$m, [
+
+	save_LIBS="$LIBS"
+	LIBS="$l $LIBS"
+	AC_TRY_RUN([
+#include <unistd.h>
+#include <fcntl.h>
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+int main()
+{
+  DBM *d;
+
+  d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
+  if(d == NULL)
+    return 1;
+  dbm_close(d);
+  return 0;
+}], [
+	if test -f conftest.db; then
+		ac_res=db
+	else
+		ac_res=dbm
+	fi], ac_res=no, ac_res=no)
+
+	LIBS="$save_LIBS"
+
+	eval ac_cv_krb_dbm_open_$m=$ac_res])
+	eval ac_res=\$ac_cv_krb_dbm_open_$m
+	AC_MSG_RESULT($ac_res)
+
+	if test "$lib_dbm" = no -a $ac_res = dbm; then
+		lib_dbm="$l"
+	elif test "$lib_db" = no -a $ac_res = db; then
+		lib_db="$l"
+		break
+	fi
+done
+
+AC_MSG_CHECKING(for NDBM library)
+ac_ndbm=no
+if test "$lib_db" != no; then
+	LIB_DBM="$lib_db"
+	ac_ndbm=yes
+	AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files ending in .db).])
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+elif test "$lib_dbm" != no; then
+	LIB_DBM="$lib_dbm"
+	ac_ndbm=yes
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+else
+	LIB_DBM=""
+	ac_res=no
+fi
+test "$ac_ndbm" = yes && AC_DEFINE(NDBM, 1, [Define if you have NDBM (and not DBM)])dnl
+AC_SUBST(LIB_DBM)
+DBLIB="$LIB_DBM"
+AC_SUBST(DBLIB)
+AC_MSG_RESULT($ac_res)
+
+])
diff --git a/crypto/heimdal/cf/krb-func-getcwd-broken.m4 b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
new file mode 100644
index 0000000..d248922
--- /dev/null
+++ b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
@@ -0,0 +1,42 @@
+dnl $Id: krb-func-getcwd-broken.m4,v 1.2 1999/03/01 13:03:32 joda Exp $
+dnl
+dnl
+dnl test for broken getcwd in (SunOS braindamage)
+dnl
+
+AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [
+if test "$ac_cv_func_getcwd" = yes; then
+AC_MSG_CHECKING(if getcwd is broken)
+AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
+ac_cv_func_getcwd_broken=no
+
+AC_TRY_RUN([
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+], ac_cv_func_getcwd_broken=yes,:,:)
+])
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
+	LIBOBJS="$LIBOBJS getcwd.o"
+	AC_SUBST(LIBOBJS)dnl
+	AC_MSG_RESULT($ac_cv_func_getcwd_broken)
+else
+	AC_MSG_RESULT([seems ok])
+fi
+fi
+])
diff --git a/crypto/heimdal/cf/krb-func-getlogin.m4 b/crypto/heimdal/cf/krb-func-getlogin.m4
new file mode 100644
index 0000000..921c5ab
--- /dev/null
+++ b/crypto/heimdal/cf/krb-func-getlogin.m4
@@ -0,0 +1,22 @@
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
diff --git a/crypto/heimdal/cf/krb-ipv6.m4 b/crypto/heimdal/cf/krb-ipv6.m4
new file mode 100644
index 0000000..1644da3
--- /dev/null
+++ b/crypto/heimdal/cf/krb-ipv6.m4
@@ -0,0 +1,122 @@
+dnl $Id: krb-ipv6.m4,v 1.8 2000/01/01 11:44:45 assar Exp $
+dnl
+dnl test for IPv6
+dnl
+AC_DEFUN(AC_KRB_IPV6, [
+AC_ARG_WITH(ipv6,
+[  --without-ipv6	do not enable IPv6 support],[
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi])
+AC_CACHE_VAL(ac_cv_lib_ipv6,
+[dnl check for different v6 implementations (by itojun)
+v6type=unknown
+v6lib=none
+
+AC_MSG_CHECKING([ipv6 stack type])
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		AC_EGREP_CPP(yes, [dnl
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif],
+			[v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
+		;;
+	toshiba)
+		AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	kame)
+		AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	inria)
+		AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif],
+			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	zeta)
+		AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+AC_MSG_RESULT($v6type)
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+AC_TRY_LINK([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+],
+[
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+],
+ac_cv_lib_ipv6=yes,
+ac_cv_lib_ipv6=no)])
+AC_MSG_CHECKING(for IPv6)
+AC_MSG_RESULT($ac_cv_lib_ipv6)
+if test "$ac_cv_lib_ipv6" = yes; then
+  AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
+fi
+])
diff --git a/crypto/heimdal/cf/krb-prog-ln-s.m4 b/crypto/heimdal/cf/krb-prog-ln-s.m4
new file mode 100644
index 0000000..efb706e
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-ln-s.m4
@@ -0,0 +1,28 @@
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
diff --git a/crypto/heimdal/cf/krb-prog-ranlib.m4 b/crypto/heimdal/cf/krb-prog-ranlib.m4
new file mode 100644
index 0000000..fd1d3db
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-ranlib.m4
@@ -0,0 +1,8 @@
+dnl $Id: krb-prog-ranlib.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Also look for EMXOMF for OS/2
+dnl
+
+AC_DEFUN(AC_KRB_PROG_RANLIB,
+[AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)])
diff --git a/crypto/heimdal/cf/krb-prog-yacc.m4 b/crypto/heimdal/cf/krb-prog-yacc.m4
new file mode 100644
index 0000000..28ae59c
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-yacc.m4
@@ -0,0 +1,8 @@
+dnl $Id: krb-prog-yacc.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl We prefer byacc or yacc because they do not use `alloca'
+dnl
+
+AC_DEFUN(AC_KRB_PROG_YACC,
+[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')])
diff --git a/crypto/heimdal/cf/krb-struct-spwd.m4 b/crypto/heimdal/cf/krb-struct-spwd.m4
new file mode 100644
index 0000000..4ab81fd
--- /dev/null
+++ b/crypto/heimdal/cf/krb-struct-spwd.m4
@@ -0,0 +1,22 @@
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
diff --git a/crypto/heimdal/cf/krb-struct-winsize.m4 b/crypto/heimdal/cf/krb-struct-winsize.m4
new file mode 100644
index 0000000..f89f683
--- /dev/null
+++ b/crypto/heimdal/cf/krb-struct-winsize.m4
@@ -0,0 +1,27 @@
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
diff --git a/crypto/heimdal/cf/krb-sys-aix.m4 b/crypto/heimdal/cf/krb-sys-aix.m4
new file mode 100644
index 0000000..a538005
--- /dev/null
+++ b/crypto/heimdal/cf/krb-sys-aix.m4
@@ -0,0 +1,15 @@
+dnl $Id: krb-sys-aix.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl AIX have a very different syscall convention
+dnl
+AC_DEFUN(AC_KRB_SYS_AIX, [
+AC_MSG_CHECKING(for AIX)
+AC_CACHE_VAL(krb_cv_sys_aix,
+AC_EGREP_CPP(yes, 
+[#ifdef _AIX
+	yes
+#endif 
+], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) )
+AC_MSG_RESULT($krb_cv_sys_aix)
+])
diff --git a/crypto/heimdal/cf/krb-sys-nextstep.m4 b/crypto/heimdal/cf/krb-sys-nextstep.m4
new file mode 100644
index 0000000..31dc907
--- /dev/null
+++ b/crypto/heimdal/cf/krb-sys-nextstep.m4
@@ -0,0 +1,21 @@
+dnl $Id: krb-sys-nextstep.m4,v 1.2 1998/06/03 23:48:40 joda Exp $
+dnl
+dnl
+dnl NEXTSTEP is not posix compliant by default,
+dnl you need a switch -posix to the compiler
+dnl
+
+AC_DEFUN(AC_KRB_SYS_NEXTSTEP, [
+AC_MSG_CHECKING(for NEXTSTEP)
+AC_CACHE_VAL(krb_cv_sys_nextstep,
+AC_EGREP_CPP(yes, 
+[#if defined(NeXT) && !defined(__APPLE__)
+	yes
+#endif 
+], krb_cv_sys_nextstep=yes, krb_cv_sys_nextstep=no) )
+if test "$krb_cv_sys_nextstep" = "yes"; then
+  CFLAGS="$CFLAGS -posix"
+  LIBS="$LIBS -posix"
+fi
+AC_MSG_RESULT($krb_cv_sys_nextstep)
+])
diff --git a/crypto/heimdal/cf/krb-version.m4 b/crypto/heimdal/cf/krb-version.m4
new file mode 100644
index 0000000..a4a1221
--- /dev/null
+++ b/crypto/heimdal/cf/krb-version.m4
@@ -0,0 +1,25 @@
+dnl $Id: krb-version.m4,v 1.1 1997/12/14 15:59:03 joda Exp $
+dnl
+dnl
+dnl output a C header-file with some version strings
+dnl
+AC_DEFUN(AC_KRB_VERSION,[
+dnl AC_OUTPUT_COMMANDS([
+cat > include/newversion.h.in <<FOOBAR
+char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+FOOBAR
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
+dnl ],host=$host PACKAGE=$PACKAGE VERSION=$VERSION)
+])
diff --git a/crypto/heimdal/cf/make-proto.pl b/crypto/heimdal/cf/make-proto.pl
new file mode 100644
index 0000000..9a47aed
--- /dev/null
+++ b/crypto/heimdal/cf/make-proto.pl
@@ -0,0 +1,199 @@
+# Make prototypes from .c files
+# $Id: make-proto.pl,v 1.11 1999/04/15 12:37:54 joda Exp $
+
+##use Getopt::Std;
+require 'getopts.pl';
+
+$brace = 0;
+$line = "";
+$debug = 0;
+
+do Getopts('o:p:d') || die "foo";
+
+if($opt_d) {
+    $debug = 1;
+}
+
+while(<>) {
+    print $brace, " ", $_ if($debug);
+    if(/^\#if 0/) {
+	$if_0 = 1;
+    }
+    if($if_0 && /^\#endif/) {
+	$if_0 = 0;
+    }
+    if($if_0) { next }
+    if(/^\s*\#/) {
+	next;
+    }
+    if(/^\s*$/) {
+	$line = "";
+	next;
+    }
+    if(/\{/){
+	$_ = $line;
+	while(s/\*\//\ca/){
+	    s/\/\*(.|\n)*\ca//;
+	}
+	s/^\s*//;
+	s/\s$//;
+	s/\s+/ /g;
+	if($line =~ /\)\s$/){
+	    if(!/^static/ && !/^PRIVATE/){
+		if(/(.*)(__attribute__\s?\(.*\))/) {
+		    $attr = $2;
+		    $_ = $1;
+		} else {
+		    $attr = "";
+		}
+		# remove outer ()
+		s/\s*\(/@/;
+		s/\)\s?$/@/;
+		# remove , within ()
+		while(s/\(([^()]*),(.*)\)/($1\$$2)/g){}
+		s/,\s*/,\n\t/g;
+		# fix removed ,
+		s/\$/,/g;
+		# match function name
+		/([a-zA-Z0-9_]+)\s*@/;
+		$f = $1;
+		# only add newline if more than one parameter
+		$LP = "((";  # XXX workaround for indentation bug in emacs
+		$RP = "))";
+		$P = "__P((";
+                if(/,/){ 
+		    s/@/ __P$LP\n\t/;
+		}else{
+		    s/@/ __P$LP/;
+		}
+		s/@/$RP/;
+		# insert newline before function name
+		s/(.*)\s([a-zA-Z0-9_]+ __P)/$1\n$2/;
+		if($attr ne "") {
+		    $_ .= "\n    $attr";
+		}
+		$_ = $_ . ";";
+		$funcs{$f} = $_;
+	    }
+	}
+	$line = "";
+	$brace++;
+    }
+    if(/\}/){
+	$brace--;
+    }
+    if(/^\}/){
+	$brace = 0;
+    }
+    if($brace == 0) {
+	$line = $line . " " . $_;
+    }
+}
+
+sub foo {
+    local ($arg) = @_;
+    $_ = $arg;
+    s/.*\/([^\/]*)/$1/;
+    s/[^a-zA-Z0-9]/_/g;
+    "__" . $_ . "__";
+}
+
+if($opt_o) {
+    open(OUT, ">$opt_o");
+    $block = &foo($opt_o);
+} else {
+    $block = "__public_h__";
+}
+
+if($opt_p) {
+    open(PRIV, ">$opt_p");
+    $private = &foo($opt_p);
+} else {
+    $private = "__private_h__";
+}
+
+$public_h = "";
+$private_h = "";
+
+$public_h_header = "/* This is a generated file */
+#ifndef $block
+#define $block
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+$private_h_header = "/* This is a generated file */
+#ifndef $private
+#define $private
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+foreach(sort keys %funcs){
+    if(/^(main)$/) { next }
+    if(/^_/) {
+	$private_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $private_attribute_seen = 1;
+	}
+    } else {
+	$public_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $public_attribute_seen = 1;
+	}
+    }
+}
+
+if ($public_attribute_seen) {
+    $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+if ($private_attribute_seen) {
+    $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+
+if ($public_h ne "") {
+    $public_h = $public_h_header . $public_h . "#endif /* $block */\n";
+}
+if ($private_h ne "") {
+    $private_h = $private_h_header . $private_h . "#endif /* $private */\n";
+}
+
+if($opt_o) {
+    print OUT $public_h;
+} 
+if($opt_p) {
+    print PRIV $private_h;
+} 
+
+close OUT;
+close PRIV;
diff --git a/crypto/heimdal/cf/mips-abi.m4 b/crypto/heimdal/cf/mips-abi.m4
new file mode 100644
index 0000000..c7b8815
--- /dev/null
+++ b/crypto/heimdal/cf/mips-abi.m4
@@ -0,0 +1,87 @@
+dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
diff --git a/crypto/heimdal/cf/misc.m4 b/crypto/heimdal/cf/misc.m4
new file mode 100644
index 0000000..0be97a4
--- /dev/null
+++ b/crypto/heimdal/cf/misc.m4
@@ -0,0 +1,3 @@
+dnl $Id: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/cf/need-proto.m4 b/crypto/heimdal/cf/need-proto.m4
new file mode 100644
index 0000000..8c8d1d3
--- /dev/null
+++ b/crypto/heimdal/cf/need-proto.m4
@@ -0,0 +1,25 @@
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
diff --git a/crypto/heimdal/cf/osfc2.m4 b/crypto/heimdal/cf/osfc2.m4
new file mode 100644
index 0000000..d8cb2e1
--- /dev/null
+++ b/crypto/heimdal/cf/osfc2.m4
@@ -0,0 +1,14 @@
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
diff --git a/crypto/heimdal/cf/proto-compat.m4 b/crypto/heimdal/cf/proto-compat.m4
new file mode 100644
index 0000000..942f658
--- /dev/null
+++ b/crypto/heimdal/cf/proto-compat.m4
@@ -0,0 +1,22 @@
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/shared-libs.m4 b/crypto/heimdal/cf/shared-libs.m4
new file mode 100644
index 0000000..9fe576f
--- /dev/null
+++ b/crypto/heimdal/cf/shared-libs.m4
@@ -0,0 +1,187 @@
+dnl
+dnl $Id: shared-libs.m4,v 1.4 1999/07/13 17:47:09 assar Exp $
+dnl
+dnl Shared library stuff has to be different everywhere
+dnl
+
+AC_DEFUN(AC_SHARED_LIBS, [
+
+dnl Check if we want to use shared libraries
+AC_ARG_ENABLE(shared,
+[  --enable-shared         create shared libraries for Kerberos])
+
+AC_SUBST(CFLAGS)dnl
+AC_SUBST(LDFLAGS)dnl
+
+case ${enable_shared} in
+  yes ) enable_shared=yes;;
+  no  ) enable_shared=no;;
+  *   ) enable_shared=no;;
+esac
+
+# NOTE: Building shared libraries may not work if you do not use gcc!
+#
+# OS		$SHLIBEXT
+# HP-UX		sl
+# Linux		so
+# NetBSD	so
+# FreeBSD	so
+# OSF		so
+# SunOS5	so
+# SunOS4	so.0.5
+# Irix		so
+#
+# LIBEXT is the extension we should build (.a or $SHLIBEXT)
+LINK='$(CC)'
+AC_SUBST(LINK)
+lib_deps=yes
+REAL_PICFLAGS="-fpic"
+LDSHARED='$(CC) $(PICFLAGS) -shared'
+LIBPREFIX=lib
+build_symlink_command=@true
+install_symlink_command=@true
+install_symlink_command2=@true
+REAL_SHLIBEXT=so
+changequote({,})dnl
+SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'`
+SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'`
+changequote([,])dnl
+case "${host}" in
+*-*-hpux*)
+	REAL_SHLIBEXT=sl
+	REAL_LD_FLAGS='-Wl,+b$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED="ld -b"
+		REAL_PICFLAGS="+z"
+	fi
+	lib_deps=no
+	;;
+*-*-linux*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+changequote(,)dnl
+*-*-freebsd[34]*)
+changequote([,])dnl
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-*bsd*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	LDSHARED='ld -Bshareable'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	;;
+*-*-osf*)
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_PICFLAGS=
+	LDSHARED='ld -shared -expect_unresolved \*'
+	;;
+*-*-solaris2*)
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED='$(CC) -G'
+		REAL_PICFLAGS="-Kpic"
+	fi
+	;;
+*-fujitsu-uxpv*)
+	REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ...
+	REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)'
+	LDSHARED='$(CC) -G'
+	REAL_PICFLAGS="-Kpic"
+	lib_deps=no # fails in mysterious ways
+	;;
+*-*-sunos*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-L$(libdir)'
+	lib_deps=no
+	;;
+*-*-irix*)
+        libdir="${libdir}${abilibdirext}"
+        REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+        LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+	LDSHARED="\$(CC) -shared ${abi}"
+        REAL_PICFLAGS=
+        CFLAGS="${abi} ${CFLAGS}"
+	;;
+*-*-os2*)
+	LIBPREFIX=
+	EXECSUFFIX='.exe'
+	RANLIB=EMXOMF
+	LD_FLAGS=-Zcrtdll
+	REAL_SHLIBEXT=nobuild
+	;;
+*-*-cygwin32*)
+	EXECSUFFIX='.exe'
+	REAL_SHLIBEXT=nobuild
+	;;
+*)	REAL_SHLIBEXT=nobuild
+	REAL_PICFLAGS= 
+	;;
+esac
+
+if test "${enable_shared}" != "yes" ; then 
+ PICFLAGS=""
+ SHLIBEXT="nobuild"
+ LIBEXT="a"
+ build_symlink_command=@true
+ install_symlink_command=@true
+ install_symlink_command2=@true
+else
+ PICFLAGS="$REAL_PICFLAGS"
+ SHLIBEXT="$REAL_SHLIBEXT"
+ LIBEXT="$SHLIBEXT"
+ AC_MSG_CHECKING(whether to use -rpath)
+ case "$libdir" in
+   /lib | /usr/lib | /usr/local/lib)
+     AC_MSG_RESULT(no)
+     REAL_LD_FLAGS=
+     LD_FLAGS=
+     ;;
+   *)
+     LD_FLAGS="$REAL_LD_FLAGS"
+     test "$REAL_LINK" && LINK="$REAL_LINK"
+     AC_MSG_RESULT($LD_FLAGS)
+     ;;
+   esac
+fi
+
+if test "$lib_deps" = yes; then
+	lib_deps_yes=""
+	lib_deps_no="# "
+else
+	lib_deps_yes="# "
+	lib_deps_no=""
+fi
+AC_SUBST(lib_deps_yes)
+AC_SUBST(lib_deps_no)
+
+# use supplied ld-flags, or none if `no'
+if test "$with_ld_flags" = no; then
+	LD_FLAGS=
+elif test -n "$with_ld_flags"; then
+	LD_FLAGS="$with_ld_flags"
+fi
+
+AC_SUBST(REAL_PICFLAGS) dnl
+AC_SUBST(REAL_SHLIBEXT) dnl
+AC_SUBST(REAL_LD_FLAGS) dnl
+
+AC_SUBST(PICFLAGS) dnl
+AC_SUBST(SHLIBEXT) dnl
+AC_SUBST(LDSHARED) dnl
+AC_SUBST(LD_FLAGS) dnl
+AC_SUBST(LIBEXT) dnl
+AC_SUBST(LIBPREFIX) dnl
+AC_SUBST(EXECSUFFIX) dnl
+
+AC_SUBST(build_symlink_command)dnl
+AC_SUBST(install_symlink_command)dnl
+AC_SUBST(install_symlink_command2)dnl
+])
diff --git a/crypto/heimdal/cf/test-package.m4 b/crypto/heimdal/cf/test-package.m4
new file mode 100644
index 0000000..6bae158
--- /dev/null
+++ b/crypto/heimdal/cf/test-package.m4
@@ -0,0 +1,88 @@
+dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/heimdal/cf/wflags.m4 b/crypto/heimdal/cf/wflags.m4
new file mode 100644
index 0000000..6d9e073
--- /dev/null
+++ b/crypto/heimdal/cf/wflags.m4
@@ -0,0 +1,21 @@
+dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
+dnl
+dnl set WFLAGS
+
+AC_DEFUN(AC_WFLAGS,[
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+AC_SUBST(WFLAGS)dnl
+AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
+])
diff --git a/crypto/heimdal/config.guess b/crypto/heimdal/config.guess
new file mode 100755
index 0000000..4e5345f
--- /dev/null
+++ b/crypto/heimdal/config.guess
@@ -0,0 +1,973 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 93, 94, 95, 96, 97, 1998 Free Software Foundation, Inc.
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Written by Per Bothner <bothner@cygnus.com>.
+# The master version of this file is at the FSF in /home/gd/gnu/lib.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit system type (host/target name).
+#
+# Only a few systems have been added to this list; please add others
+# (but try to keep the structure clean).
+#
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 8/24/94.)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+dummy=dummy-$$
+trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    alpha:OSF1:*:*)
+	if test $UNAME_RELEASE = "V4.0"; then
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+	fi
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	cat <<EOF >$dummy.s
+	.globl main
+	.ent main
+main:
+	.frame \$30,0,\$26,0
+	.prologue 0
+	.long 0x47e03d80 # implver $0
+	lda \$2,259
+	.long 0x47e20c21 # amask $2,$1
+	srl \$1,8,\$2
+	sll \$2,2,\$2
+	sll \$0,3,\$0
+	addl \$1,\$0,\$0
+	addl \$2,\$0,\$0
+	ret \$31,(\$26),1
+	.end main
+EOF
+	${CC-cc} $dummy.s -o $dummy 2>/dev/null
+	if test "$?" = 0 ; then
+		./$dummy
+		case "$?" in
+			7)
+				UNAME_MACHINE="alpha"
+				;;
+			15)
+				UNAME_MACHINE="alphaev5"
+				;;
+			14)
+				UNAME_MACHINE="alphaev56"
+				;;
+			10)
+				UNAME_MACHINE="alphapca56"
+				;;
+			16)
+				UNAME_MACHINE="alphaev6"
+				;;
+		esac
+	fi
+	rm -f $dummy.s $dummy
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr [[A-Z]] [[a-z]]`
+	exit 0 ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit 0 ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-cbm-sysv4
+	exit 0;;
+    amiga:NetBSD:*:*)
+      echo m68k-cbm-netbsd${UNAME_RELEASE}
+      exit 0 ;;
+    amiga:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit 0 ;;
+    arc64:OpenBSD:*:*)
+	echo mips64el-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    arc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    hkmips:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    pmax:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sgi:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    wgrisc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit 0;;
+    arm32:NetBSD:*:*)
+	echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	exit 0 ;;
+    SR2?01:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit 0;;
+    Pyramid*:OSx*:*:*|MIS*:OSx*:*:*|MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit 0 ;;
+    NILE:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit 0 ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit 0 ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit 0 ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:NetBSD:*:*)
+	echo m68k-atari-netbsd${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sun3*:NetBSD:*:*)
+	echo m68k-sun-netbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sun3*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mac68k:NetBSD:*:*)
+	echo m68k-apple-netbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mac68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme88k:OpenBSD:*:*)
+	echo m88k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit 0 ;;
+    macppc:NetBSD:*:*)
+        echo powerpc-apple-netbsd${UNAME_RELEASE}
+        exit 0 ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit 0 ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    2020:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit 0 ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	sed 's/^	//' << EOF >$dummy.c
+	int main (argc, argv) int argc; char **argv; {
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	${CC-cc} $dummy.c -o $dummy \
+	  && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+	  && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit 0 ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit 0 ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit 0 ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit 0 ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+        if [ $UNAME_PROCESSOR = mc88100 -o $UNAME_PROCESSOR = mc88110 ] ; then
+	if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx \
+	     -o ${TARGET_BINARY_INTERFACE}x = x ] ; then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	fi
+        else echo i586-dg-dgux${UNAME_RELEASE}
+        fi
+ 	exit 0 ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit 0 ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit 0 ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit 0 ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit 0 ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
+	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
+    i?86:AIX:*:*)
+	echo i386-ibm-aix
+	exit 0 ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		${CC-cc} $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+		rm -f $dummy.c $dummy
+		echo rs6000-ibm-aix3.2.5
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit 0 ;;
+    *:AIX:*:4)
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=4.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit 0 ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit 0 ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit 0 ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC NetBSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit 0 ;;                           # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit 0 ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit 0 ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit 0 ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit 0 ;;
+    9000/[34678]??:HP-UX:*:*)
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/6?? | 9000/7?? | 9000/80[24] | 9000/8?[13679] | 9000/892 )
+              sed 's/^              //' << EOF >$dummy.c
+              #include <stdlib.h>
+              #include <unistd.h>
+              
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif 
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+              
+                  switch (cpu) 
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0: 
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits) 
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif 
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+	(${CC-cc} $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
+	rm -f $dummy.c $dummy
+	esac
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit 0 ;;
+    3050*:HI-UX:*:*)
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	${CC-cc} $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo unknown-hitachi-hiuxwe2
+	exit 0 ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit 0 ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit 0 ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit 0 ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit 0 ;;
+    i?86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit 0 ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit 0 ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit 0 ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit 0 ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit 0 ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit 0 ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit 0 ;;
+    CRAY*X-MP:*:*:*)
+	echo xmp-cray-unicos
+        exit 0 ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE}
+	exit 0 ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
+	exit 0 ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE}
+	exit 0 ;;
+    CRAY*T3E:*:*:*)
+	echo t3e-cray-unicosmk${UNAME_RELEASE}
+	exit 0 ;;
+    CRAY-2:*:*:*)
+	echo cray2-cray-unicos
+        exit 0 ;;
+    F300:UNIX_System_V:*:*)
+        FUJITSU_SYS=`uname -p | tr [A-Z] [a-z] | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit 0 ;;
+    F301:UNIX_System_V:*:*)
+       echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
+       exit 0 ;;
+    hp3[0-9][05]:NetBSD:*:*)
+	echo m68k-hp-netbsd${UNAME_RELEASE}
+	exit 0 ;;
+    hp300:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    i?86:BSD/386:*:* | i?86:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit 0 ;;
+    *:NetBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	exit 0 ;;
+    *:OpenBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	exit 0 ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit 0 ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit 0 ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit 0 ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    *:GNU:*:*)
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit 0 ;;
+    *:Linux:*:*)
+	# uname on the ARM produces all sorts of strangeness, and we need to
+	# filter it out.
+	case "$UNAME_MACHINE" in
+	  arm* | sa110*)	      UNAME_MACHINE="arm" ;;
+	esac
+
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us.
+	ld_help_string=`ld --help 2>&1`
+	ld_supported_emulations=`echo $ld_help_string \
+			 | sed -ne '/supported emulations:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported emulations: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_emulations" in
+	  i?86linux)  echo "${UNAME_MACHINE}-pc-linux-gnuaout"      ; exit 0 ;;
+	  i?86coff)   echo "${UNAME_MACHINE}-pc-linux-gnucoff"      ; exit 0 ;;
+	  sparclinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
+	  armlinux)   echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
+	  m68klinux)  echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
+	  elf32ppc)   echo "powerpc-unknown-linux-gnu"              ; exit 0 ;;
+	esac
+
+	if test "${UNAME_MACHINE}" = "alpha" ; then
+		sed 's/^	//'  <<EOF >$dummy.s
+		.globl main
+		.ent main
+	main:
+		.frame \$30,0,\$26,0
+		.prologue 0
+		.long 0x47e03d80 # implver $0
+		lda \$2,259
+		.long 0x47e20c21 # amask $2,$1
+		srl \$1,8,\$2
+		sll \$2,2,\$2
+		sll \$0,3,\$0
+		addl \$1,\$0,\$0
+		addl \$2,\$0,\$0
+		ret \$31,(\$26),1
+		.end main
+EOF
+		LIBC=""
+		${CC-cc} $dummy.s -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			./$dummy
+			case "$?" in
+			7)
+				UNAME_MACHINE="alpha"
+				;;
+			15)
+				UNAME_MACHINE="alphaev5"
+				;;
+			14)
+				UNAME_MACHINE="alphaev56"
+				;;
+			10)
+				UNAME_MACHINE="alphapca56"
+				;;
+			16)
+				UNAME_MACHINE="alphaev6"
+				;;
+			esac	
+
+			objdump --private-headers $dummy | \
+			  grep ld.so.1 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi	
+		rm -f $dummy.s $dummy
+		echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0
+	elif test "${UNAME_MACHINE}" = "mips" ; then
+	  cat >$dummy.c <<EOF
+main(argc, argv)
+     int argc;
+     char *argv[];
+{
+#ifdef __MIPSEB__
+  printf ("%s-unknown-linux-gnu\n", argv[1]);
+#endif
+#ifdef __MIPSEL__
+  printf ("%sel-unknown-linux-gnu\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  ${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	else
+	  # Either a pre-BFD a.out linker (linux-gnuoldld)
+	  # or one that does not give us useful --help.
+	  # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout.
+	  # If ld does not provide *any* "supported emulations:"
+	  # that means it is gnuoldld.
+	  echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:"
+	  test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0
+
+	  case "${UNAME_MACHINE}" in
+	  i?86)
+	    VENDOR=pc;
+	    ;;
+	  *)
+	    VENDOR=unknown;
+	    ;;
+	  esac
+	  # Determine whether the default compiler is a.out or elf
+	  cat >$dummy.c <<EOF
+#include <features.h>
+main(argc, argv)
+     int argc;
+     char *argv[];
+{
+#ifdef __ELF__
+# ifdef __GLIBC__
+#  if __GLIBC__ >= 2
+    printf ("%s-${VENDOR}-linux-gnu\n", argv[1]);
+#  else
+    printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+#  endif
+# else
+   printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+# endif
+#else
+  printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  ${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	fi ;;
+# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.  earlier versions
+# are messed up and put the nodename in both sysname and nodename.
+    i?86:DYNIX/ptx:4*:*)
+	echo i386-sequent-sysv4
+	exit 0 ;;
+    i?86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit 0 ;;
+    i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_RELEASE}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
+	fi
+	exit 0 ;;
+    i?86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit 0 ;;
+    i?86:UnixWare:*:*)
+	if /bin/uname -X 2>/dev/null >/dev/null ; then
+	  (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
+	    && UNAME_MACHINE=i586
+	fi
+	echo ${UNAME_MACHINE}-unixware-${UNAME_RELEASE}-${UNAME_VERSION}
+	exit 0 ;;
+    pc:*:*:*)
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit 0 ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit 0 ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit 0 ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit 0 ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit 0 ;;
+    M68*:*:R3V[567]*:*)
+	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+    3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && echo i486-ncr-sysv4 && exit 0 ;;
+    m68*:LynxOS:2.*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit 0 ;;
+    i?86:LynxOS:2.*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit 0 ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit 0 ;;
+    PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                           # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit 0 ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit 0 ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit 0 ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit 0 ;;
+    news*:NEWS-OS:*:6*)
+	echo mips-sony-newsos6
+	exit 0 ;;
+    R3000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R4000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit 0 ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit 0 ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit 0 ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit 0 ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+#if !defined (ultrix)
+  printf ("vax-dec-bsd\n"); exit (0);
+#else
+  printf ("vax-dec-ultrix\n"); exit (0);
+#endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+${CC-cc} $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
+rm -f $dummy.c $dummy
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit 0 ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit 0 ;;
+    c34*)
+	echo c34-convex-bsd
+	exit 0 ;;
+    c38*)
+	echo c38-convex-bsd
+	exit 0 ;;
+    c4*)
+	echo c4-convex-bsd
+	exit 0 ;;
+    esac
+fi
+
+#echo '(Unable to guess system type)' 1>&2
+
+exit 1
diff --git a/crypto/heimdal/config.sub b/crypto/heimdal/config.sub
new file mode 100755
index 0000000..7a40495
--- /dev/null
+++ b/crypto/heimdal/config.sub
@@ -0,0 +1,957 @@
+#! /bin/sh
+# Configuration validation subroutine script, version 1.1.
+#   Copyright (C) 1991, 92-97, 1998 Free Software Foundation, Inc.
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+if [ x$1 = x ]
+then
+	echo Configuration name missing. 1>&2
+	echo "Usage: $0 CPU-MFR-OPSYS" 1>&2
+	echo "or     $0 ALIAS" 1>&2
+	echo where ALIAS is a recognized configuration type. 1>&2
+	exit 1
+fi
+
+# First pass through any local machine types.
+case $1 in
+	*local*)
+		echo $1
+		exit 0
+		;;
+	*)
+	;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  linux-gnu*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple)
+		os=
+		basic_machine=$1
+		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
+		| arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \
+		| 580 | i960 | h8300 | hppa | hppa1.0 | hppa1.1 | hppa2.0 \
+		| alpha | alphaev5 | alphaev56 | we32k | ns16k | clipper \
+		| i370 | sh | powerpc | powerpcle | 1750a | dsp16xx | pdp11 \
+		| mips64 | mipsel | mips64el | mips64orion | mips64orionel \
+		| mipstx39 | mipstx39el \
+		| sparc | sparclet | sparclite | sparc64 | v850)
+		basic_machine=$basic_machine-unknown
+		;;
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i[34567]86)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \
+	      | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
+	      | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
+	      | power-* | none-* | 580-* | cray2-* | h8300-* | i960-* \
+	      | xmp-* | ymp-* | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* \
+	      | alpha-* | alphaev5-* | alphaev56-* | we32k-* | cydra-* \
+	      | ns16k-* | pn-* | np1-* | xps100-* | clipper-* | orion-* \
+	      | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
+	      | sparc64-* | mips64-* | mipsel-* \
+	      | mips64el-* | mips64orion-* | mips64orionel-*  \
+	      | mipstx39-* | mipstx39el-* \
+	      | f301-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-cbm
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-cbm
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-cbm
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	cray2)
+		basic_machine=cray2-cray
+		os=-unicos
+		;;
+	[ctj]90-cray)
+		#basic_machine=c90-cray
+		os=`echo $os | sed -e 's/\(unicos[0-9]*\.[0-9]*\).*/\1/'`
+		#os=-unicos
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k7[0-9][0-9] | hp7[0-9][0-9] | hp9k8[0-9]7 | hp8[0-9]7)
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i[34567]86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i[34567]86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i[34567]86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i[34567]86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	mipsel*-linux*)
+		basic_machine=mipsel-unknown
+		os=-linux-gnu
+		;;
+	mips*-linux*)
+		basic_machine=mips-unknown
+		os=-linux-gnu
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+        pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | nexen)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | k6 | 6x86)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | nexen-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | k6-* | 6x86-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=rs6000-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+	        ;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+	        ;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+               basic_machine=f301-fujitsu
+               ;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	xmp)
+		basic_machine=xmp-cray
+		os=-unicos
+		;;
+        xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	mips)
+		if [ x$os = x-linux-gnu ]; then
+			basic_machine=mips-unknown
+		else
+			basic_machine=mips-mips
+		fi
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sparc)
+		basic_machine=sparc-sun
+		;;
+        cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -rhapsody* \
+	      | -openstep*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-ns2 )
+	        os=-nextstep2
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+        pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-ibm)
+		os=-aix
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+        *-gould)
+		os=-sysv
+		;;
+        *-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+        *-sgi)
+		os=-irix
+		;;
+        *-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f301-fujitsu)
+		os=-uxpv
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-vxsim* | -vxworks*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
diff --git a/crypto/heimdal/configure b/crypto/heimdal/configure
new file mode 100755
index 0000000..24e63e1
--- /dev/null
+++ b/crypto/heimdal/configure
@@ -0,0 +1,13021 @@
+#! /bin/sh
+
+# From configure.in Revision: 1.218 
+
+
+
+
+
+# Like AC_CONFIG_HEADER, but automatically create stamp file.
+
+
+
+# Do all the work for Automake.  This macro actually does too much --
+# some checks are only needed if your package does certain things.
+# But this isn't really a big deal.
+
+# serial 1
+
+
+
+
+#
+# Check to make sure that the build environment is sane.
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# serial 25 AM_PROG_LIBTOOL
+
+
+# AM_ENABLE_SHARED - implement the --enable-shared flag
+# Usage: AM_ENABLE_SHARED[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+
+
+# AM_DISABLE_SHARED - set the default shared flag to --disable-shared
+
+
+# AM_DISABLE_STATIC - set the default static flag to --disable-static
+
+
+# AM_ENABLE_STATIC - implement the --enable-static flag
+# Usage: AM_ENABLE_STATIC[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+
+
+
+# AM_PROG_LD - find the path to the GNU or non-GNU linker
+
+
+
+
+# AM_PROG_NM - find the path to a BSD-compatible name lister
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Define a conditional.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Guess values for system-dependent variables and create Makefiles.
+# Generated automatically using autoconf version 2.13 
+# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+
+# Defaults:
+ac_help=
+ac_default_prefix=/usr/local
+# Any additions from configure.in:
+ac_default_prefix=/usr/heimdal
+ac_help="$ac_help
+  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)"
+ac_help="$ac_help
+  --enable-shared[=PKGS]  build shared libraries [default=no]"
+ac_help="$ac_help
+  --enable-static[=PKGS]  build static libraries [default=yes]"
+ac_help="$ac_help
+  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]"
+ac_help="$ac_help
+  --without-berkeley-db   if you don't want berkeley db"
+ac_help="$ac_help
+  --with-krb4=dir                use krb4 in dir"
+ac_help="$ac_help
+  --with-krb4-lib=dir            use krb4 libraries in dir"
+ac_help="$ac_help
+  --with-krb4-include=dir        use krb4 headers in dir"
+ac_help="$ac_help
+  --enable-kaserver	  if you want the KDC to try to emulate a kaserver"
+ac_help="$ac_help
+  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop"
+ac_help="$ac_help
+  --disable-otp          if you don't want OTP support"
+ac_help="$ac_help
+  --enable-osfc2          enable some OSF C2 support"
+ac_help="$ac_help
+  --with-readline=dir                use readline in dir"
+ac_help="$ac_help
+  --with-readline-lib=dir            use readline libraries in dir"
+ac_help="$ac_help
+  --with-readline-include=dir        use readline headers in dir"
+ac_help="$ac_help
+  --with-hesiod=dir                use hesiod in dir"
+ac_help="$ac_help
+  --with-hesiod-lib=dir            use hesiod libraries in dir"
+ac_help="$ac_help
+  --with-hesiod-include=dir        use hesiod headers in dir"
+ac_help="$ac_help
+  --enable-bigendian	the target is big endian"
+ac_help="$ac_help
+  --enable-littleendian	the target is little endian"
+ac_help="$ac_help
+  --with-x                use the X Window System"
+ac_help="$ac_help
+  --enable-netinfo      enable netinfo for configuration lookup"
+ac_help="$ac_help
+  --without-ipv6	do not enable IPv6 support"
+
+# Initialize some variables set by options.
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+build=NONE
+cache_file=./config.cache
+exec_prefix=NONE
+host=NONE
+no_create=
+nonopt=NONE
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+target=NONE
+verbose=
+x_includes=NONE
+x_libraries=NONE
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+# Initialize some other variables.
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+# Maximum number of lines to put in a shell here document.
+ac_max_here_lines=12
+
+ac_prev=
+for ac_option
+do
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval "$ac_prev=\$ac_option"
+    ac_prev=
+    continue
+  fi
+
+  case "$ac_option" in
+  -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) ac_optarg= ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case "$ac_option" in
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir="$ac_optarg" ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build="$ac_optarg" ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file="$ac_optarg" ;;
+
+  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+  | --da=*)
+    datadir="$ac_optarg" ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    eval "enable_${ac_feature}=no" ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "enable_${ac_feature}='$ac_optarg'" ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix="$ac_optarg" ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he)
+    # Omit some internal or obsolete options to make the list less imposing.
+    # This message is too long to be a string in the A/UX 3.1 sh.
+    cat << EOF
+Usage: configure [options] [host]
+Options: [defaults in brackets after descriptions]
+Configuration:
+  --cache-file=FILE       cache test results in FILE
+  --help                  print this message
+  --no-create             do not create output files
+  --quiet, --silent       do not print \`checking...' messages
+  --version               print the version of autoconf that created configure
+Directory and file names:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [same as prefix]
+  --bindir=DIR            user executables in DIR [EPREFIX/bin]
+  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
+  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
+  --datadir=DIR           read-only architecture-independent data in DIR
+                          [PREFIX/share]
+  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
+                          [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
+  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
+  --includedir=DIR        C header files in DIR [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
+  --infodir=DIR           info documentation in DIR [PREFIX/info]
+  --mandir=DIR            man documentation in DIR [PREFIX/man]
+  --srcdir=DIR            find the sources in DIR [configure dir or ..]
+  --program-prefix=PREFIX prepend PREFIX to installed program names
+  --program-suffix=SUFFIX append SUFFIX to installed program names
+  --program-transform-name=PROGRAM
+                          run sed PROGRAM on installed program names
+EOF
+    cat << EOF
+Host type:
+  --build=BUILD           configure for building on BUILD [BUILD=HOST]
+  --host=HOST             configure for HOST [guessed]
+  --target=TARGET         configure for TARGET [TARGET=HOST]
+Features and packages:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --x-includes=DIR        X include files are in DIR
+  --x-libraries=DIR       X library files are in DIR
+EOF
+    if test -n "$ac_help"; then
+      echo "--enable and --with options recognized:$ac_help"
+    fi
+    exit 0 ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host="$ac_optarg" ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir="$ac_optarg" ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir="$ac_optarg" ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir="$ac_optarg" ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir="$ac_optarg" ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst \
+  | --locals | --local | --loca | --loc | --lo)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+    localstatedir="$ac_optarg" ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir="$ac_optarg" ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir="$ac_optarg" ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix="$ac_optarg" ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix="$ac_optarg" ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix="$ac_optarg" ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name="$ac_optarg" ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir="$ac_optarg" ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir="$ac_optarg" ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site="$ac_optarg" ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir="$ac_optarg" ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir="$ac_optarg" ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target="$ac_optarg" ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers)
+    echo "configure generated by autoconf version 2.13"
+    exit 0 ;;
+
+  -with-* | --with-*)
+    ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "with_${ac_package}='$ac_optarg'" ;;
+
+  -without-* | --without-*)
+    ac_package=`echo $ac_option|sed -e 's/-*without-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    eval "with_${ac_package}=no" ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes="$ac_optarg" ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries="$ac_optarg" ;;
+
+  -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
+    ;;
+
+  *)
+    if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
+      echo "configure: warning: $ac_option: invalid host type" 1>&2
+    fi
+    if test "x$nonopt" != xNONE; then
+      { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
+    fi
+    nonopt="$ac_option"
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
+fi
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>./config.log
+
+echo "\
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+" 1>&5
+
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell metacharacters.
+ac_configure_args=
+for ac_arg
+do
+  case "$ac_arg" in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+  *) ac_configure_args="$ac_configure_args $ac_arg" ;;
+  esac
+done
+
+# NLS nuisances.
+# Only set these to C if already set.  These must not be set unconditionally
+# because not all systems understand e.g. LANG=C (notably SCO).
+# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
+# Non-C LC_CTYPE values break the ctype check.
+if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
+if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
+if test "${LC_CTYPE+set}"    = set; then LC_CTYPE=C;    export LC_CTYPE;    fi
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo > confdefs.h
+
+# A filename unique to this package, relative to the directory that
+# configure is in, which we can look for to find out if srcdir is correct.
+ac_unique_file=lib/krb5/send_to_kdc.c
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then its parent.
+  ac_prog=$0
+  ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
+  srcdir=$ac_confdir
+  if test ! -r $srcdir/$ac_unique_file; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+  if test "$ac_srcdir_defaulted" = yes; then
+    { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
+  else
+    { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
+  fi
+fi
+srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
+
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+  if test "x$prefix" != xNONE; then
+    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+  else
+    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+  fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+  if test -r "$ac_site_file"; then
+    echo "loading site script $ac_site_file"
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  echo "loading cache $cache_file"
+  . $cache_file
+else
+  echo "creating cache $cache_file"
+  > $cache_file
+fi
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+ac_exeext=
+ac_objext=o
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+
+
+
+
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+  if test -f $ac_dir/install-sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f $ac_dir/install.sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+fi
+ac_config_guess=$ac_aux_dir/config.guess
+ac_config_sub=$ac_aux_dir/config.sub
+ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
+echo "configure:776: checking for a BSD compatible install" >&5
+if test -z "$INSTALL"; then
+if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    IFS="${IFS= 	}"; ac_save_IFS="$IFS"; IFS=":"
+  for ac_dir in $PATH; do
+    # Account for people who put trailing slashes in PATH elements.
+    case "$ac_dir/" in
+    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+    *)
+      # OSF1 and SCO ODT 3.0 have their own names for install.
+      # Don't use installbsd from OSF since it installs stuff as root
+      # by default.
+      for ac_prog in ginstall scoinst install; do
+        if test -f $ac_dir/$ac_prog; then
+	  if test $ac_prog = install &&
+            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  else
+	    ac_cv_path_install="$ac_dir/$ac_prog -c"
+	    break 2
+	  fi
+	fi
+      done
+      ;;
+    esac
+  done
+  IFS="$ac_save_IFS"
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL="$ac_cv_path_install"
+  else
+    # As a last resort, use the slow shell script.  We don't cache a
+    # path for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the path is relative.
+    INSTALL="$ac_install_sh"
+  fi
+fi
+echo "$ac_t""$INSTALL" 1>&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+echo $ac_n "checking whether build environment is sane""... $ac_c" 1>&6
+echo "configure:829: checking whether build environment is sane" >&5
+# Just in case
+sleep 1
+echo timestamp > conftestfile
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftestfile 2> /dev/null`
+   if test "$*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftestfile`
+   fi
+   if test "$*" != "X $srcdir/configure conftestfile" \
+      && test "$*" != "X conftestfile $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      { echo "configure: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" 1>&2; exit 1; }
+   fi
+
+   test "$2" = conftestfile
+   )
+then
+   # Ok.
+   :
+else
+   { echo "configure: error: newly created file is older than distributed files!
+Check your system clock" 1>&2; exit 1; }
+fi
+rm -f conftest*
+echo "$ac_t""yes" 1>&6
+if test "$program_transform_name" = s,x,x,; then
+  program_transform_name=
+else
+  # Double any \ or $.  echo might interpret backslashes.
+  cat <<\EOF_SED > conftestsed
+s,\\,\\\\,g; s,\$,$$,g
+EOF_SED
+  program_transform_name="`echo $program_transform_name|sed -f conftestsed`"
+  rm -f conftestsed
+fi
+test "$program_prefix" != NONE &&
+  program_transform_name="s,^,${program_prefix},; $program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+  program_transform_name="s,\$\$,${program_suffix},; $program_transform_name"
+
+# sed with no file args requires a program.
+test "$program_transform_name" = "" && program_transform_name="s,x,x,"
+
+echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
+echo "configure:886: checking whether ${MAKE-make} sets \${MAKE}" >&5
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftestmake <<\EOF
+all:
+	@echo 'ac_maketemp="${MAKE}"'
+EOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+  eval ac_cv_prog_make_${ac_make}_set=yes
+else
+  eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftestmake
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  SET_MAKE=
+else
+  echo "$ac_t""no" 1>&6
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+
+PACKAGE=heimdal
+
+VERSION=0.2p
+
+if test "`cd $srcdir && pwd`" != "`pwd`" && test -f $srcdir/config.status; then
+  { echo "configure: error: source directory already configured; run "make distclean" there first" 1>&2; exit 1; }
+fi
+cat >> confdefs.h <<EOF
+#define PACKAGE "$PACKAGE"
+EOF
+
+cat >> confdefs.h <<EOF
+#define VERSION "$VERSION"
+EOF
+
+
+
+missing_dir=`cd $ac_aux_dir && pwd`
+echo $ac_n "checking for working aclocal""... $ac_c" 1>&6
+echo "configure:932: checking for working aclocal" >&5
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if (aclocal --version) < /dev/null > /dev/null 2>&1; then
+   ACLOCAL=aclocal
+   echo "$ac_t""found" 1>&6
+else
+   ACLOCAL="$missing_dir/missing aclocal"
+   echo "$ac_t""missing" 1>&6
+fi
+
+echo $ac_n "checking for working autoconf""... $ac_c" 1>&6
+echo "configure:945: checking for working autoconf" >&5
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if (autoconf --version) < /dev/null > /dev/null 2>&1; then
+   AUTOCONF=autoconf
+   echo "$ac_t""found" 1>&6
+else
+   AUTOCONF="$missing_dir/missing autoconf"
+   echo "$ac_t""missing" 1>&6
+fi
+
+echo $ac_n "checking for working automake""... $ac_c" 1>&6
+echo "configure:958: checking for working automake" >&5
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if (automake --version) < /dev/null > /dev/null 2>&1; then
+   AUTOMAKE=automake
+   echo "$ac_t""found" 1>&6
+else
+   AUTOMAKE="$missing_dir/missing automake"
+   echo "$ac_t""missing" 1>&6
+fi
+
+echo $ac_n "checking for working autoheader""... $ac_c" 1>&6
+echo "configure:971: checking for working autoheader" >&5
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if (autoheader --version) < /dev/null > /dev/null 2>&1; then
+   AUTOHEADER=autoheader
+   echo "$ac_t""found" 1>&6
+else
+   AUTOHEADER="$missing_dir/missing autoheader"
+   echo "$ac_t""missing" 1>&6
+fi
+
+echo $ac_n "checking for working makeinfo""... $ac_c" 1>&6
+echo "configure:984: checking for working makeinfo" >&5
+# Run test in a subshell; some versions of sh will print an error if
+# an executable is not found, even if stderr is redirected.
+# Redirect stdin to placate older versions of autoconf.  Sigh.
+if (makeinfo --version) < /dev/null > /dev/null 2>&1; then
+   MAKEINFO=makeinfo
+   echo "$ac_t""found" 1>&6
+else
+   MAKEINFO="$missing_dir/missing makeinfo"
+   echo "$ac_t""missing" 1>&6
+fi
+
+
+
+
+
+
+# Make sure we can run config.sub.
+if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then :
+else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking host system type""... $ac_c" 1>&6
+echo "configure:1007: checking host system type" >&5
+
+host_alias=$host
+case "$host_alias" in
+NONE)
+  case $nonopt in
+  NONE)
+    if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then :
+    else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; }
+    fi ;;
+  *) host_alias=$nonopt ;;
+  esac ;;
+esac
+
+host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias`
+host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+echo "$ac_t""$host" 1>&6
+
+CANONICAL_HOST=$host
+
+
+sunos=no
+case "$host" in 
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+	cat >> confdefs.h <<EOF
+#define SunOS $sunos
+EOF
+
+fi
+
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+#test -z "$CFLAGS" && CFLAGS="-g"
+
+# Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1064: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="gcc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1094: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_prog_rejected=no
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+	continue
+      fi
+      ac_cv_prog_CC="cc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# -gt 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" "$@"
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  if test -z "$CC"; then
+    case "`uname -s`" in
+    *win32* | *WIN32*)
+      # Extract the first word of "cl", so it can be a program name with args.
+set dummy cl; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1145: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="cl"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+ ;;
+    esac
+  fi
+  test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
+echo "configure:1177: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+cat > conftest.$ac_ext << EOF
+
+#line 1188 "configure"
+#include "confdefs.h"
+
+main(){return(0);}
+EOF
+if { (eval echo configure:1193: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  ac_cv_prog_cc_works=yes
+  # If we can't run a trivial program, we are probably using a cross compiler.
+  if (./conftest; exit) 2>/dev/null; then
+    ac_cv_prog_cc_cross=no
+  else
+    ac_cv_prog_cc_cross=yes
+  fi
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_prog_cc_works=no
+fi
+rm -fr conftest*
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
+if test $ac_cv_prog_cc_works = no; then
+  { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
+fi
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
+echo "configure:1219: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
+echo "configure:1224: checking whether we are using GNU C" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.c <<EOF
+#ifdef __GNUC__
+  yes;
+#endif
+EOF
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1233: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+  ac_cv_prog_gcc=yes
+else
+  ac_cv_prog_gcc=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc" 1>&6
+
+if test $ac_cv_prog_gcc = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+
+ac_test_CFLAGS="${CFLAGS+set}"
+ac_save_CFLAGS="$CFLAGS"
+CFLAGS=
+echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
+echo "configure:1252: checking whether ${CC-cc} accepts -g" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
+  ac_cv_prog_cc_g=yes
+else
+  ac_cv_prog_cc_g=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS="$ac_save_CFLAGS"
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+
+
+echo $ac_n "checking for Cygwin environment""... $ac_c" 1>&6
+echo "configure:1285: checking for Cygwin environment" >&5
+if eval "test \"`echo '$''{'ac_cv_cygwin'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1290 "configure"
+#include "confdefs.h"
+
+int main() {
+
+#ifndef __CYGWIN__
+#define __CYGWIN__ __CYGWIN32__
+#endif
+return __CYGWIN__;
+; return 0; }
+EOF
+if { (eval echo configure:1301: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_cygwin=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_cygwin=no
+fi
+rm -f conftest*
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_cygwin" 1>&6
+CYGWIN=
+test "$ac_cv_cygwin" = yes && CYGWIN=yes
+echo $ac_n "checking for object suffix""... $ac_c" 1>&6
+echo "configure:1318: checking for object suffix" >&5
+if eval "test \"`echo '$''{'ac_cv_objext'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  rm -f conftest*
+echo 'int i = 1;' > conftest.$ac_ext
+if { (eval echo configure:1324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  for ac_file in conftest.*; do
+    case $ac_file in
+    *.c) ;;
+    *) ac_cv_objext=`echo $ac_file | sed -e s/conftest.//` ;;
+    esac
+  done
+else
+  { echo "configure: error: installation or configuration problem; compiler does not work" 1>&2; exit 1; }
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_objext" 1>&6
+OBJEXT=$ac_cv_objext
+ac_objext=$ac_cv_objext
+
+echo $ac_n "checking for mingw32 environment""... $ac_c" 1>&6
+echo "configure:1342: checking for mingw32 environment" >&5
+if eval "test \"`echo '$''{'ac_cv_mingw32'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1347 "configure"
+#include "confdefs.h"
+
+int main() {
+return __MINGW32__;
+; return 0; }
+EOF
+if { (eval echo configure:1354: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_mingw32=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_mingw32=no
+fi
+rm -f conftest*
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_mingw32" 1>&6
+MINGW32=
+test "$ac_cv_mingw32" = yes && MINGW32=yes
+
+
+echo $ac_n "checking for executable suffix""... $ac_c" 1>&6
+echo "configure:1373: checking for executable suffix" >&5
+if eval "test \"`echo '$''{'ac_cv_exeext'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$CYGWIN" = yes || test "$MINGW32" = yes; then
+  ac_cv_exeext=.exe
+else
+  rm -f conftest*
+  echo 'int main () { return 0; }' > conftest.$ac_ext
+  ac_cv_exeext=
+  if { (eval echo configure:1383: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; }; then
+    for file in conftest.*; do
+      case $file in
+      *.c | *.o | *.obj) ;;
+      *) ac_cv_exeext=`echo $file | sed -e s/conftest//` ;;
+      esac
+    done
+  else
+    { echo "configure: error: installation or configuration problem: compiler cannot create executables." 1>&2; exit 1; }
+  fi
+  rm -f conftest*
+  test x"${ac_cv_exeext}" = x && ac_cv_exeext=no
+fi
+fi
+
+EXEEXT=""
+test x"${ac_cv_exeext}" != xno && EXEEXT=${ac_cv_exeext}
+echo "$ac_t""${ac_cv_exeext}" 1>&6
+ac_exeext=$EXEEXT
+
+
+for ac_prog in 'bison -y' byacc
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1409: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_YACC="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+YACC="$ac_cv_prog_YACC"
+if test -n "$YACC"; then
+  echo "$ac_t""$YACC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
+
+echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
+echo "configure:1440: checking how to run the C preprocessor" >&5
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    # This must be in double quotes, not single quotes, because CPP may get
+  # substituted into the Makefile and "${CC-cc}" will confuse make.
+  CPP="${CC-cc} -E"
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp.
+  cat > conftest.$ac_ext <<EOF
+#line 1455 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1461: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -E -traditional-cpp"
+  cat > conftest.$ac_ext <<EOF
+#line 1472 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1478: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -nologo -E"
+  cat > conftest.$ac_ext <<EOF
+#line 1489 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1495: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP=/lib/cpp
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+  ac_cv_prog_CPP="$CPP"
+fi
+  CPP="$ac_cv_prog_CPP"
+else
+  ac_cv_prog_CPP="$CPP"
+fi
+echo "$ac_t""$CPP" 1>&6
+
+missing_dir=`cd $ac_aux_dir && pwd`
+for ac_prog in flex lex
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1525: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_LEX="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+LEX="$ac_cv_prog_LEX"
+if test -n "$LEX"; then
+  echo "$ac_t""$LEX" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$LEX" && break
+done
+test -n "$LEX" || LEX=""$missing_dir/missing flex""
+
+# Extract the first word of "flex", so it can be a program name with args.
+set dummy flex; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1558: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_LEX="flex"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex"
+fi
+fi
+LEX="$ac_cv_prog_LEX"
+if test -n "$LEX"; then
+  echo "$ac_t""$LEX" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$LEXLIB"
+then
+  case "$LEX" in
+  flex*) ac_lib=fl ;;
+  *) ac_lib=l ;;
+  esac
+  echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6
+echo "configure:1592: checking for yywrap in -l$ac_lib" >&5
+ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-l$ac_lib  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1600 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yywrap();
+
+int main() {
+yywrap()
+; return 0; }
+EOF
+if { (eval echo configure:1611: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LEXLIB="-l$ac_lib"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+fi
+
+echo $ac_n "checking lex output file root""... $ac_c" 1>&6
+echo "configure:1634: checking lex output file root" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_lex_root'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  # The minimal lex program is just a single line: %%.  But some broken lexes
+# (Solaris, I think it was) want two %% lines, so accommodate them.
+echo '%%
+%%' | $LEX
+if test -f lex.yy.c; then
+  ac_cv_prog_lex_root=lex.yy
+elif test -f lexyy.c; then
+  ac_cv_prog_lex_root=lexyy
+else
+  { echo "configure: error: cannot find output from $LEX; giving up" 1>&2; exit 1; }
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_lex_root" 1>&6
+LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
+
+echo $ac_n "checking whether yytext is a pointer""... $ac_c" 1>&6
+echo "configure:1655: checking whether yytext is a pointer" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_lex_yytext_pointer'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  # POSIX says lex can declare yytext either as a pointer or an array; the
+# default is implementation-dependent. Figure out which it is, since
+# not all implementations provide the %pointer and %array declarations.
+ac_cv_prog_lex_yytext_pointer=no
+echo 'extern char *yytext;' >>$LEX_OUTPUT_ROOT.c
+ac_save_LIBS="$LIBS"
+LIBS="$LIBS $LEXLIB"
+cat > conftest.$ac_ext <<EOF
+#line 1667 "configure"
+#include "confdefs.h"
+`cat $LEX_OUTPUT_ROOT.c`
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:1674: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_prog_lex_yytext_pointer=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+rm -f "${LEX_OUTPUT_ROOT}.c"
+
+fi
+
+echo "$ac_t""$ac_cv_prog_lex_yytext_pointer" 1>&6
+if test $ac_cv_prog_lex_yytext_pointer = yes; then
+  cat >> confdefs.h <<\EOF
+#define YYTEXT_POINTER 1
+EOF
+
+fi
+
+# Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1698: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_RANLIB="ranlib"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
+fi
+fi
+RANLIB="$ac_cv_prog_RANLIB"
+if test -n "$RANLIB"; then
+  echo "$ac_t""$RANLIB" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+for ac_prog in mawk gawk nawk awk
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1730: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_AWK'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_AWK="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+AWK="$ac_cv_prog_AWK"
+if test -n "$AWK"; then
+  echo "$ac_t""$AWK" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$AWK" && break
+done
+
+echo $ac_n "checking for ln -s or something else""... $ac_c" 1>&6
+echo "configure:1760: checking for ln -s or something else" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi
+fi
+LN_S="$ac_cv_prog_LN_S"
+echo "$ac_t""$ac_cv_prog_LN_S" 1>&6
+
+
+
+# Check whether --with-mips_abi or --without-mips_abi was given.
+if test "${with_mips_abi+set}" = set; then
+  withval="$with_mips_abi"
+  :
+fi
+
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+echo $ac_n "checking if $CC supports the $abi option""... $ac_c" 1>&6
+echo "configure:1815: checking if $CC supports the $abi option" >&5
+if eval "test \"`echo '$''{'$ac_foo'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+cat > conftest.$ac_ext <<EOF
+#line 1823 "configure"
+#include "confdefs.h"
+
+int main() {
+int x;
+; return 0; }
+EOF
+if { (eval echo configure:1830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval $ac_foo=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval $ac_foo=no
+fi
+rm -f conftest*
+CFLAGS="$save_CFLAGS"
+
+fi
+
+ac_res=`eval echo \\\$$ac_foo`
+echo "$ac_t""$ac_res" 1>&6
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	cat > conftest.$ac_ext <<EOF
+#line 1853 "configure"
+#include "confdefs.h"
+
+int main() {
+int x;
+; return 0; }
+EOF
+if { (eval echo configure:1860: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_res=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_res=no
+fi
+rm -f conftest*
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+
+CC="$CC $abi"
+libdir="$libdir$abilibdirext"
+
+
+echo $ac_n "checking for __attribute__""... $ac_c" 1>&6
+echo "configure:1909: checking for __attribute__" >&5
+if eval "test \"`echo '$''{'ac_cv___attribute__'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 1915 "configure"
+#include "confdefs.h"
+
+#include <stdlib.h>
+
+int main() {
+
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:1932: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv___attribute__=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv___attribute__=no
+fi
+rm -f conftest*
+fi
+
+if test "$ac_cv___attribute__" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE___ATTRIBUTE__ 1
+EOF
+
+fi
+echo "$ac_t""$ac_cv___attribute__" 1>&6
+
+
+# Check whether --enable-shared or --disable-shared was given.
+if test "${enable_shared+set}" = set; then
+  enableval="$enable_shared"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_shared=yes ;;
+no) enable_shared=no ;;
+*)
+  enable_shared=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_shared=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_shared=no
+fi
+
+# Check whether --enable-static or --disable-static was given.
+if test "${enable_static+set}" = set; then
+  enableval="$enable_static"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_static=yes ;;
+no) enable_static=no ;;
+*)
+  enable_static=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_static=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_static=yes
+fi
+
+# Check whether --with-gnu-ld or --without-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+  withval="$with_gnu_ld"
+  test "$withval" = no || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+
+
+ac_prog=ld
+if test "$ac_cv_prog_gcc" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  echo $ac_n "checking for ld used by GCC""... $ac_c" 1>&6
+echo "configure:2012: checking for ld used by GCC" >&5
+  ac_prog=`($CC -print-prog-name=ld) 2>&5`
+  case "$ac_prog" in
+  # Accept absolute paths.
+  /* | [A-Za-z]:\\*)
+    test -z "$LD" && LD="$ac_prog"
+    ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  echo $ac_n "checking for GNU ld""... $ac_c" 1>&6
+echo "configure:2030: checking for GNU ld" >&5
+else
+  echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
+echo "configure:2033: checking for non-GNU ld" >&5
+fi
+if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -z "$LD"; then
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog"; then
+      ac_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	test "$with_gnu_ld" != no && break
+      else
+        test "$with_gnu_ld" != yes && break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+else
+  ac_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$ac_cv_path_LD"
+if test -n "$LD"; then
+  echo "$ac_t""$LD" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+test -z "$LD" && { echo "configure: error: no acceptable ld found in \$PATH" 1>&2; exit 1; }
+
+echo $ac_n "checking if the linker ($LD) is GNU ld""... $ac_c" 1>&6
+echo "configure:2069: checking if the linker ($LD) is GNU ld" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gnu_ld'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  ac_cv_prog_gnu_ld=yes
+else
+  ac_cv_prog_gnu_ld=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gnu_ld" 1>&6
+
+
+echo $ac_n "checking for BSD-compatible nm""... $ac_c" 1>&6
+echo "configure:2085: checking for BSD-compatible nm" >&5
+if eval "test \"`echo '$''{'ac_cv_path_NM'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$NM"; then
+  # Let the user override the test.
+  ac_cv_path_NM="$NM"
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+  for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/nm; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+        ac_cv_path_NM="$ac_dir/nm -B"
+      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+        ac_cv_path_NM="$ac_dir/nm -p"
+      else
+        ac_cv_path_NM="$ac_dir/nm"
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
+fi
+fi
+
+NM="$ac_cv_path_NM"
+echo "$ac_t""$NM" 1>&6
+
+
+echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
+echo "configure:2120: checking whether ln -s works" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  ac_cv_prog_LN_S=ln
+fi
+fi
+LN_S="$ac_cv_prog_LN_S"
+if test "$ac_cv_prog_LN_S" = "ln -s"; then
+  echo "$ac_t""yes" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Always use our own libtool.
+LIBTOOL='$(top_builddir)/libtool'
+
+# Check for any special flags to pass to ltconfig.
+libtool_flags=
+test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
+test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
+test "$silent" = yes && libtool_flags="$libtool_flags --silent"
+test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case "$host" in
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '#line 2156 "configure"' > conftest.$ac_ext
+  if { (eval echo configure:2157: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  CFLAGS="$CFLAGS -belf"
+  ;;
+esac
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+LD="$LD" NM="$NM" RANLIB="$RANLIB" LN_S="$LN_S" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
+|| { echo "configure: error: libtool configure failed" 1>&2; exit 1; }
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+
+
+
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+
+
+berkeley_db=db
+# Check whether --with-berkeley-db or --without-berkeley-db was given.
+if test "${with_berkeley_db+set}" = set; then
+  withval="$with_berkeley_db"
+  
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+
+fi
+
+
+
+# Check whether --with-krb4 or --without-krb4 was given.
+if test "${with_krb4+set}" = set; then
+  withval="$with_krb4"
+  :
+fi
+
+# Check whether --with-krb4-lib or --without-krb4-lib was given.
+if test "${with_krb4_lib+set}" = set; then
+  withval="$with_krb4_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-krb4-lib" 1>&2; exit 1; }
+elif test "X$with_krb4" = "X"; then
+  with_krb4=yes
+fi
+fi
+
+# Check whether --with-krb4-include or --without-krb4-include was given.
+if test "${with_krb4_include+set}" = set; then
+  withval="$with_krb4_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-krb4-include" 1>&2; exit 1; }
+elif test "X$with_krb4" = "X"; then
+  with_krb4=yes
+fi
+fi
+
+
+echo $ac_n "checking for krb4""... $ac_c" 1>&6
+echo "configure:2247: checking for krb4" >&5
+
+case "$with_krb4" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_krb4_include" = ""; then
+		with_krb4_include="$with_krb4/include"
+	fi
+	if test "$with_krb4_lib" = ""; then
+		with_krb4_lib="$with_krb4/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='/usr/athena'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_krb4_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_krb4_include $header_dirs";;
+esac
+case "$with_krb4_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_krb4_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 2286 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:2293: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lkrb -ldes $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 2305 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:2312: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_krb4" != "no"; then
+	krb4_includedir="$ires"
+	krb4_libdir="$lres"
+	INCLUDE_krb4="-I$krb4_includedir"
+	LIB_krb4="-L$krb4_libdir -lkrb"
+	cat >> confdefs.h <<EOF
+#define `echo krb4 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_krb4=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_krb4=
+	LIB_krb4=
+	with_krb4=no
+	echo "$ac_t""$with_krb4" 1>&6
+fi
+
+
+
+
+LIB_kdb=
+if test "$with_krb4" != "no"; then
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $INCLUDE_krb4"
+	save_LIBS="$LIBS"
+	LIBS="$LIB_krb4 -ldes $LIBS"
+	EXTRA_LIB45=lib45.a
+	
+	echo $ac_n "checking for four valued krb_put_int""... $ac_c" 1>&6
+echo "configure:2354: checking for four valued krb_put_int" >&5
+if eval "test \"`echo '$''{'ac_cv_func_krb_put_int_four'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2359 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int main() {
+
+		char tmp[4];
+		krb_put_int(17, tmp, 4, sizeof(tmp));
+; return 0; }
+EOF
+if { (eval echo configure:2368: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_func_krb_put_int_four=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_krb_put_int_four=no
+fi
+rm -f conftest*
+	
+fi
+
+echo "$ac_t""$ac_cv_func_krb_put_int_four" 1>&6
+	if test "$ac_cv_func_krb_put_int_four" = yes; then
+		cat >> confdefs.h <<\EOF
+#define HAVE_FOUR_VALUED_KRB_PUT_INT 1
+EOF
+
+	fi
+	echo $ac_n "checking for KRB_VERIFY_SECURE""... $ac_c" 1>&6
+echo "configure:2389: checking for KRB_VERIFY_SECURE" >&5
+if eval "test \"`echo '$''{'ac_cv_func_krb_verify_secure'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2394 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int main() {
+
+		int x = KRB_VERIFY_SECURE
+; return 0; }
+EOF
+if { (eval echo configure:2402: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_func_krb_verify_secure=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_krb_verify_secure=no
+fi
+rm -f conftest*
+	
+fi
+
+echo "$ac_t""$ac_cv_func_krb_verify_secure" 1>&6
+	if test "$ac_cv_func_krb_verify_secure" != yes; then
+		cat >> confdefs.h <<\EOF
+#define KRB_VERIFY_SECURE 1
+EOF
+
+		cat >> confdefs.h <<\EOF
+#define KRB_VERIFY_SECURE_FAIL 2
+EOF
+
+	fi
+	echo $ac_n "checking for KRB_VERIFY_NOT_SECURE""... $ac_c" 1>&6
+echo "configure:2427: checking for KRB_VERIFY_NOT_SECURE" >&5
+if eval "test \"`echo '$''{'ac_cv_func_krb_verify_not_secure'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2432 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int main() {
+
+		int x = KRB_VERIFY_NOT_SECURE
+; return 0; }
+EOF
+if { (eval echo configure:2440: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_func_krb_verify_not_secure=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_krb_verify_not_secure=no
+fi
+rm -f conftest*
+	
+fi
+
+echo "$ac_t""$ac_cv_func_krb_verify_not_secure" 1>&6
+	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
+		cat >> confdefs.h <<\EOF
+#define KRB_VERIFY_NOT_SECURE 0
+EOF
+
+	fi
+	
+
+
+
+echo $ac_n "checking for krb_enable_debug""... $ac_c" 1>&6
+echo "configure:2465: checking for krb_enable_debug" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_krb_enable_debug'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_krb_enable_debug\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 2480 "configure"
+#include "confdefs.h"
+
+int main() {
+krb_enable_debug()
+; return 0; }
+EOF
+if { (eval echo configure:2487: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_enable_debug=$ac_lib; else ac_cv_funclib_krb_enable_debug=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_krb_enable_debug=\${ac_cv_funclib_krb_enable_debug-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_krb_enable_debug"
+
+: << END
+@@@funcs="$funcs krb_enable_debug"@@@
+@@@libs="$libs "" "@@@
+END
+
+# krb_enable_debug
+eval "ac_tr_func=HAVE_`echo krb_enable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_enable_debug=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_enable_debug=yes"
+	eval "LIB_krb_enable_debug="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_krb_enable_debug=no"
+	eval "LIB_krb_enable_debug="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_krb_enable_debug=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_krb_enable_debug"; then
+	LIBS="$LIB_krb_enable_debug $LIBS"
+fi
+
+	
+
+
+
+echo $ac_n "checking for krb_disable_debug""... $ac_c" 1>&6
+echo "configure:2555: checking for krb_disable_debug" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_krb_disable_debug'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_krb_disable_debug\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 2570 "configure"
+#include "confdefs.h"
+
+int main() {
+krb_disable_debug()
+; return 0; }
+EOF
+if { (eval echo configure:2577: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_disable_debug=$ac_lib; else ac_cv_funclib_krb_disable_debug=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_krb_disable_debug=\${ac_cv_funclib_krb_disable_debug-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_krb_disable_debug"
+
+: << END
+@@@funcs="$funcs krb_disable_debug"@@@
+@@@libs="$libs "" "@@@
+END
+
+# krb_disable_debug
+eval "ac_tr_func=HAVE_`echo krb_disable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_disable_debug=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_disable_debug=yes"
+	eval "LIB_krb_disable_debug="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_krb_disable_debug=no"
+	eval "LIB_krb_disable_debug="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_krb_disable_debug=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_krb_disable_debug"; then
+	LIBS="$LIB_krb_disable_debug $LIBS"
+fi
+
+	
+
+
+
+echo $ac_n "checking for krb_get_our_ip_for_realm""... $ac_c" 1>&6
+echo "configure:2645: checking for krb_get_our_ip_for_realm" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_krb_get_our_ip_for_realm'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_krb_get_our_ip_for_realm\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 2660 "configure"
+#include "confdefs.h"
+
+int main() {
+krb_get_our_ip_for_realm()
+; return 0; }
+EOF
+if { (eval echo configure:2667: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_our_ip_for_realm=$ac_lib; else ac_cv_funclib_krb_get_our_ip_for_realm=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_krb_get_our_ip_for_realm=\${ac_cv_funclib_krb_get_our_ip_for_realm-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_krb_get_our_ip_for_realm"
+
+: << END
+@@@funcs="$funcs krb_get_our_ip_for_realm"@@@
+@@@libs="$libs "" "@@@
+END
+
+# krb_get_our_ip_for_realm
+eval "ac_tr_func=HAVE_`echo krb_get_our_ip_for_realm | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_get_our_ip_for_realm=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
+	eval "LIB_krb_get_our_ip_for_realm="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=no"
+	eval "LIB_krb_get_our_ip_for_realm="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_krb_get_our_ip_for_realm"; then
+	LIBS="$LIB_krb_get_our_ip_for_realm $LIBS"
+fi
+
+	LIBS="$save_LIBS"
+	CFLAGS="$save_CFLAGS"
+	LIB_kdb="-lkdb -lkrb"
+	if test "$krb4_libdir"; then
+		LIB_krb4="-rpath $krb4_libdir $LIB_krb4"
+		LIB_kdb="-rpath $krb4_libdir -L$krb4_libdir $LIB_kdb"
+	fi
+fi
+
+
+if test "$with_krb4" != "no"; then
+  KRB4_TRUE=
+  KRB4_FALSE='#'
+else
+  KRB4_TRUE='#'
+  KRB4_FALSE=
+fi
+
+
+if true; then
+  KRB5_TRUE=
+  KRB5_FALSE='#'
+else
+  KRB5_TRUE='#'
+  KRB5_FALSE=
+fi
+cat >> confdefs.h <<\EOF
+#define KRB5 1
+EOF
+
+
+if test "$aix" != no; then
+  AIX_TRUE=
+  AIX_FALSE='#'
+else
+  AIX_TRUE='#'
+  AIX_FALSE=
+fi
+
+if test "$aix" = 4; then
+  AIX4_TRUE=
+  AIX4_FALSE='#'
+else
+  AIX4_TRUE='#'
+  AIX4_FALSE=
+fi
+aix_dynamic_afs=yes
+
+
+if test "$aix_dynamic_afs" = yes; then
+  AIX_DYNAMIC_AFS_TRUE=
+  AIX_DYNAMIC_AFS_FALSE='#'
+else
+  AIX_DYNAMIC_AFS_TRUE='#'
+  AIX_DYNAMIC_AFS_FALSE=
+fi
+
+
+
+echo $ac_n "checking for dlopen""... $ac_c" 1>&6
+echo "configure:2790: checking for dlopen" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dlopen'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" dl; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 2805 "configure"
+#include "confdefs.h"
+
+int main() {
+dlopen()
+; return 0; }
+EOF
+if { (eval echo configure:2812: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dlopen"
+
+: << END
+@@@funcs="$funcs dlopen"@@@
+@@@libs="$libs "" dl"@@@
+END
+
+# dlopen
+eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dlopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dlopen=yes"
+	eval "LIB_dlopen="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dlopen=no"
+	eval "LIB_dlopen="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dlopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+
+
+if test "$ac_cv_funclib_dlopen" != no; then
+  HAVE_DLOPEN_TRUE=
+  HAVE_DLOPEN_FALSE='#'
+else
+  HAVE_DLOPEN_TRUE='#'
+  HAVE_DLOPEN_FALSE=
+fi
+# Check whether --enable-kaserver or --disable-kaserver was given.
+if test "${enable_kaserver+set}" = set; then
+  enableval="$enable_kaserver"
+  :
+fi
+
+if test "$enable_kaserver" = yes; then
+	cat >> confdefs.h <<\EOF
+#define KASERVER 1
+EOF
+
+	if test "$with_krb4" = "no"; then
+		{ echo "configure: error: kaserver requires krb4" 1>&2; exit 1; }
+		exit 1
+	fi
+fi
+
+# Check whether --enable-kaserver-db or --disable-kaserver-db was given.
+if test "${enable_kaserver_db+set}" = set; then
+  enableval="$enable_kaserver_db"
+  :
+fi
+
+if test "$enable_kaserver_db" = yes; then
+	cat >> confdefs.h <<\EOF
+#define KASERVER_DB 1
+EOF
+
+	if test "$with_krb4" = "no"; then
+		{ echo "configure: error: kaserver-db requires krb4" 1>&2; exit 1; }
+		exit 1
+	fi
+fi
+
+otp=yes
+# Check whether --enable-otp or --disable-otp was given.
+if test "${enable_otp+set}" = set; then
+  enableval="$enable_otp"
+  
+if test "$enableval" = "no"; then
+	otp=no
+fi
+
+fi
+
+if test "$otp" = "yes"; then
+	cat >> confdefs.h <<\EOF
+#define OTP 1
+EOF
+
+	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
+fi
+
+
+
+if test "$otp" = yes; then
+  OTP_TRUE=
+  OTP_FALSE='#'
+else
+  OTP_TRUE='#'
+  OTP_FALSE=
+fi
+
+# Check whether --enable-osfc2 or --disable-osfc2 was given.
+if test "${enable_osfc2+set}" = set; then
+  enableval="$enable_osfc2"
+  :
+fi
+
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OSFC2 1
+EOF
+
+	LIB_security=-lsecurity
+fi
+
+
+
+# Extract the first word of "nroff", so it can be a program name with args.
+set dummy nroff; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:2978: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_path_NROFF'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  case "$NROFF" in
+  /*)
+  ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path.
+  ;;
+  ?:/*)			 
+  ac_cv_path_NROFF="$NROFF" # Let the user override the test with a dos path.
+  ;;
+  *)
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do 
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_path_NROFF="$ac_dir/$ac_word"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+fi
+NROFF="$ac_cv_path_NROFF"
+if test -n "$NROFF"; then
+  echo "$ac_t""$NROFF" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "groff", so it can be a program name with args.
+set dummy groff; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:3013: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_path_GROFF'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  case "$GROFF" in
+  /*)
+  ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path.
+  ;;
+  ?:/*)			 
+  ac_cv_path_GROFF="$GROFF" # Let the user override the test with a dos path.
+  ;;
+  *)
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do 
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_path_GROFF="$ac_dir/$ac_word"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+fi
+GROFF="$ac_cv_path_GROFF"
+if test -n "$GROFF"; then
+  echo "$ac_t""$GROFF" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+echo $ac_n "checking how to format man pages""... $ac_c" 1>&6
+echo "configure:3046: checking how to format man pages" >&5
+if eval "test \"`echo '$''{'ac_cv_sys_man_format'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \$< > \$@"
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_sys_man_format" 1>&6
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	
+fi
+
+
+if test "$CATMAN"; then
+  CATMAN_TRUE=
+  CATMAN_FALSE='#'
+else
+  CATMAN_TRUE='#'
+  CATMAN_FALSE=
+fi
+echo $ac_n "checking extension of pre-formatted manual pages""... $ac_c" 1>&6
+echo "configure:3098: checking extension of pre-formatted manual pages" >&5
+if eval "test \"`echo '$''{'ac_cv_sys_catman_ext'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_sys_catman_ext" 1>&6
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$ext'
+else
+	CATMANEXT=0
+fi
+
+
+
+
+
+# Check whether --with-readline or --without-readline was given.
+if test "${with_readline+set}" = set; then
+  withval="$with_readline"
+  :
+fi
+
+# Check whether --with-readline-lib or --without-readline-lib was given.
+if test "${with_readline_lib+set}" = set; then
+  withval="$with_readline_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-readline-lib" 1>&2; exit 1; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi
+
+# Check whether --with-readline-include or --without-readline-include was given.
+if test "${with_readline_include+set}" = set; then
+  withval="$with_readline_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-readline-include" 1>&2; exit 1; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi
+
+
+echo $ac_n "checking for readline""... $ac_c" 1>&6
+echo "configure:3149: checking for readline" >&5
+
+case "$with_readline" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_readline_include" = ""; then
+		with_readline_include="$with_readline/include"
+	fi
+	if test "$with_readline_lib" = ""; then
+		with_readline_lib="$with_readline/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_readline_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_readline_include $header_dirs";;
+esac
+case "$with_readline_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_readline_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 3188 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+ #include <readline.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3196: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lreadline  $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 3208 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+ #include <readline.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3216: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_readline" != "no"; then
+	readline_includedir="$ires"
+	readline_libdir="$lres"
+	INCLUDE_readline="-I$readline_includedir"
+	LIB_readline="-L$readline_libdir -lreadline"
+	cat >> confdefs.h <<EOF
+#define `echo readline | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_readline=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_readline=
+	LIB_readline=
+	with_readline=no
+	echo "$ac_t""$with_readline" 1>&6
+fi
+
+
+
+
+
+# Check whether --with-hesiod or --without-hesiod was given.
+if test "${with_hesiod+set}" = set; then
+  withval="$with_hesiod"
+  :
+fi
+
+# Check whether --with-hesiod-lib or --without-hesiod-lib was given.
+if test "${with_hesiod_lib+set}" = set; then
+  withval="$with_hesiod_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-hesiod-lib" 1>&2; exit 1; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi
+
+# Check whether --with-hesiod-include or --without-hesiod-include was given.
+if test "${with_hesiod_include+set}" = set; then
+  withval="$with_hesiod_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-hesiod-include" 1>&2; exit 1; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi
+
+
+echo $ac_n "checking for hesiod""... $ac_c" 1>&6
+echo "configure:3278: checking for hesiod" >&5
+
+case "$with_hesiod" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_hesiod_include" = ""; then
+		with_hesiod_include="$with_hesiod/include"
+	fi
+	if test "$with_hesiod_lib" = ""; then
+		with_hesiod_lib="$with_hesiod/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_hesiod_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_hesiod_include $header_dirs";;
+esac
+case "$with_hesiod_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_hesiod_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 3317 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lhesiod  $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 3336 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3343: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then
+	hesiod_includedir="$ires"
+	hesiod_libdir="$lres"
+	INCLUDE_hesiod="-I$hesiod_includedir"
+	LIB_hesiod="-L$hesiod_libdir -lhesiod"
+	cat >> confdefs.h <<EOF
+#define `echo hesiod | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_hesiod=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_hesiod=
+	LIB_hesiod=
+	with_hesiod=no
+	echo "$ac_t""$with_hesiod" 1>&6
+fi
+
+
+
+
+
+# Check whether --enable-bigendian or --disable-bigendian was given.
+if test "${enable_bigendian+set}" = set; then
+  enableval="$enable_bigendian"
+  krb_cv_c_bigendian=yes
+fi
+
+# Check whether --enable-littleendian or --disable-littleendian was given.
+if test "${enable_littleendian+set}" = set; then
+  enableval="$enable_littleendian"
+  krb_cv_c_bigendian=no
+fi
+
+echo $ac_n "checking whether byte order is known at compile time""... $ac_c" 1>&6
+echo "configure:3390: checking whether byte order is known at compile time" >&5
+if eval "test \"`echo '$''{'krb_cv_c_bigendian_compile'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3395 "configure"
+#include "confdefs.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:3407: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  krb_cv_c_bigendian_compile=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  krb_cv_c_bigendian_compile=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$krb_cv_c_bigendian_compile" 1>&6
+if test "$krb_cv_c_bigendian_compile" = "no"; then
+  echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
+echo "configure:3422: checking whether byte ordering is bigendian" >&5
+if eval "test \"`echo '$''{'krb_cv_c_bigendian'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+  if test "$krb_cv_c_bigendian" = ""; then
+    krb_cv_c_bigendian=unknown
+  fi
+  cat > conftest.$ac_ext <<EOF
+#line 3431 "configure"
+#include "confdefs.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:3443: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  krb_cv_c_bigendian=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  krb_cv_c_bigendian=no
+fi
+rm -f conftest*
+  if test "$krb_cv_c_bigendian" = "unknown"; then
+    if test "$cross_compiling" = yes; then
+  { echo "configure: error: specify either --enable-bigendian or --enable-littleendian" 1>&2; exit 1; }
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3458 "configure"
+#include "confdefs.h"
+main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+      } u;
+      u.l = 1;
+      exit (u.c[sizeof (long) - 1] == 1);
+    }
+EOF
+if { (eval echo configure:3471: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  krb_cv_c_bigendian=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  krb_cv_c_bigendian=yes
+fi
+rm -fr conftest*
+fi
+
+  fi
+  
+fi
+
+echo "$ac_t""$krb_cv_c_bigendian" 1>&6
+  if test "$krb_cv_c_bigendian" = "yes"; then
+    cat >> confdefs.h <<\EOF
+#define WORDS_BIGENDIAN 1
+EOF
+  fi
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define ENDIANESS_IN_SYS_PARAM_H 1
+EOF
+fi
+
+echo $ac_n "checking for inline""... $ac_c" 1>&6
+echo "configure:3501: checking for inline" >&5
+if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat > conftest.$ac_ext <<EOF
+#line 3508 "configure"
+#include "confdefs.h"
+
+int main() {
+} $ac_kw foo() {
+; return 0; }
+EOF
+if { (eval echo configure:3515: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_inline=$ac_kw; break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+
+fi
+
+echo "$ac_t""$ac_cv_c_inline" 1>&6
+case "$ac_cv_c_inline" in
+  inline | yes) ;;
+  no) cat >> confdefs.h <<\EOF
+#define inline 
+EOF
+ ;;
+  *)  cat >> confdefs.h <<EOF
+#define inline $ac_cv_c_inline
+EOF
+ ;;
+esac
+
+
+# If we find X, set shell vars x_includes and x_libraries to the
+# paths, otherwise set no_x=yes.
+# Uses ac_ vars as temps to allow command line to override cache and checks.
+# --without-x overrides everything else, but does not touch the cache.
+echo $ac_n "checking for X""... $ac_c" 1>&6
+echo "configure:3546: checking for X" >&5
+
+# Check whether --with-x or --without-x was given.
+if test "${with_x+set}" = set; then
+  withval="$with_x"
+  :
+fi
+
+# $have_x is `yes', `no', `disabled', or empty when we do not yet know.
+if test "x$with_x" = xno; then
+  # The user explicitly disabled X.
+  have_x=disabled
+else
+  if test "x$x_includes" != xNONE && test "x$x_libraries" != xNONE; then
+    # Both variables are already set.
+    have_x=yes
+  else
+if eval "test \"`echo '$''{'ac_cv_have_x'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  # One or both of the vars are not set, and there is no cached value.
+ac_x_includes=NO ac_x_libraries=NO
+rm -fr conftestdir
+if mkdir conftestdir; then
+  cd conftestdir
+  # Make sure to not put "make" in the Imakefile rules, since we grep it out.
+  cat > Imakefile <<'EOF'
+acfindx:
+	@echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"'
+EOF
+  if (xmkmf) >/dev/null 2>/dev/null && test -f Makefile; then
+    # GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+    eval `${MAKE-make} acfindx 2>/dev/null | grep -v make`
+    # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR.
+    for ac_extension in a so sl; do
+      if test ! -f $ac_im_usrlibdir/libX11.$ac_extension &&
+        test -f $ac_im_libdir/libX11.$ac_extension; then
+        ac_im_usrlibdir=$ac_im_libdir; break
+      fi
+    done
+    # Screen out bogus values from the imake configuration.  They are
+    # bogus both because they are the default anyway, and because
+    # using them would break gcc on systems where it needs fixed includes.
+    case "$ac_im_incroot" in
+	/usr/include) ;;
+	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes="$ac_im_incroot" ;;
+    esac
+    case "$ac_im_usrlibdir" in
+	/usr/lib | /lib) ;;
+	*) test -d "$ac_im_usrlibdir" && ac_x_libraries="$ac_im_usrlibdir" ;;
+    esac
+  fi
+  cd ..
+  rm -fr conftestdir
+fi
+
+if test "$ac_x_includes" = NO; then
+  # Guess where to find include files, by looking for this one X11 .h file.
+  test -z "$x_direct_test_include" && x_direct_test_include=X11/Intrinsic.h
+
+  # First, try using that file with no special directory specified.
+cat > conftest.$ac_ext <<EOF
+#line 3608 "configure"
+#include "confdefs.h"
+#include <$x_direct_test_include>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3613: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  # We can compile using X headers with no special include directory.
+ac_x_includes=
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  # Look for the header file in a standard set of common directories.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+  for ac_dir in               \
+    /usr/X11/include          \
+    /usr/X11R6/include        \
+    /usr/X11R5/include        \
+    /usr/X11R4/include        \
+                              \
+    /usr/include/X11          \
+    /usr/include/X11R6        \
+    /usr/include/X11R5        \
+    /usr/include/X11R4        \
+                              \
+    /usr/local/X11/include    \
+    /usr/local/X11R6/include  \
+    /usr/local/X11R5/include  \
+    /usr/local/X11R4/include  \
+                              \
+    /usr/local/include/X11    \
+    /usr/local/include/X11R6  \
+    /usr/local/include/X11R5  \
+    /usr/local/include/X11R4  \
+                              \
+    /usr/X386/include         \
+    /usr/x386/include         \
+    /usr/XFree86/include/X11  \
+                              \
+    /usr/include              \
+    /usr/local/include        \
+    /usr/unsupported/include  \
+    /usr/athena/include       \
+    /usr/local/x11r5/include  \
+    /usr/lpp/Xamples/include  \
+                              \
+    /usr/openwin/include      \
+    /usr/openwin/share/include \
+    ; \
+  do
+    if test -r "$ac_dir/$x_direct_test_include"; then
+      ac_x_includes=$ac_dir
+      break
+    fi
+  done
+fi
+rm -f conftest*
+fi # $ac_x_includes = NO
+
+if test "$ac_x_libraries" = NO; then
+  # Check for the libraries.
+
+  test -z "$x_direct_test_library" && x_direct_test_library=Xt
+  test -z "$x_direct_test_function" && x_direct_test_function=XtMalloc
+
+  # See if we find them without any special options.
+  # Don't add to $LIBS permanently.
+  ac_save_LIBS="$LIBS"
+  LIBS="-l$x_direct_test_library $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 3682 "configure"
+#include "confdefs.h"
+
+int main() {
+${x_direct_test_function}()
+; return 0; }
+EOF
+if { (eval echo configure:3689: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  LIBS="$ac_save_LIBS"
+# We can link X programs with no special library path.
+ac_x_libraries=
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  LIBS="$ac_save_LIBS"
+# First see if replacing the include by lib works.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+for ac_dir in `echo "$ac_x_includes" | sed s/include/lib/` \
+    /usr/X11/lib          \
+    /usr/X11R6/lib        \
+    /usr/X11R5/lib        \
+    /usr/X11R4/lib        \
+                          \
+    /usr/lib/X11          \
+    /usr/lib/X11R6        \
+    /usr/lib/X11R5        \
+    /usr/lib/X11R4        \
+                          \
+    /usr/local/X11/lib    \
+    /usr/local/X11R6/lib  \
+    /usr/local/X11R5/lib  \
+    /usr/local/X11R4/lib  \
+                          \
+    /usr/local/lib/X11    \
+    /usr/local/lib/X11R6  \
+    /usr/local/lib/X11R5  \
+    /usr/local/lib/X11R4  \
+                          \
+    /usr/X386/lib         \
+    /usr/x386/lib         \
+    /usr/XFree86/lib/X11  \
+                          \
+    /usr/lib              \
+    /usr/local/lib        \
+    /usr/unsupported/lib  \
+    /usr/athena/lib       \
+    /usr/local/x11r5/lib  \
+    /usr/lpp/Xamples/lib  \
+    /lib/usr/lib/X11	  \
+                          \
+    /usr/openwin/lib      \
+    /usr/openwin/share/lib \
+    ; \
+do
+  for ac_extension in a so sl; do
+    if test -r $ac_dir/lib${x_direct_test_library}.$ac_extension; then
+      ac_x_libraries=$ac_dir
+      break 2
+    fi
+  done
+done
+fi
+rm -f conftest*
+fi # $ac_x_libraries = NO
+
+if test "$ac_x_includes" = NO || test "$ac_x_libraries" = NO; then
+  # Didn't find X anywhere.  Cache the known absence of X.
+  ac_cv_have_x="have_x=no"
+else
+  # Record where we found X for the cache.
+  ac_cv_have_x="have_x=yes \
+	        ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries"
+fi
+fi
+  fi
+  eval "$ac_cv_have_x"
+fi # $with_x != no
+
+if test "$have_x" != yes; then
+  echo "$ac_t""$have_x" 1>&6
+  no_x=yes
+else
+  # If each of the values was on the command line, it overrides each guess.
+  test "x$x_includes" = xNONE && x_includes=$ac_x_includes
+  test "x$x_libraries" = xNONE && x_libraries=$ac_x_libraries
+  # Update the cache value to reflect the command line values.
+  ac_cv_have_x="have_x=yes \
+		ac_x_includes=$x_includes ac_x_libraries=$x_libraries"
+  echo "$ac_t""libraries $x_libraries, headers $x_includes" 1>&6
+fi
+
+
+if test "$no_x" = yes; then
+  # Not all programs may use this symbol, but it does not hurt to define it.
+  cat >> confdefs.h <<\EOF
+#define X_DISPLAY_MISSING 1
+EOF
+
+  X_CFLAGS= X_PRE_LIBS= X_LIBS= X_EXTRA_LIBS=
+else
+  if test -n "$x_includes"; then
+    X_CFLAGS="$X_CFLAGS -I$x_includes"
+  fi
+
+  # It would also be nice to do this for all -L options, not just this one.
+  if test -n "$x_libraries"; then
+    X_LIBS="$X_LIBS -L$x_libraries"
+    # For Solaris; some versions of Sun CC require a space after -R and
+    # others require no space.  Words are not sufficient . . . .
+    case "`(uname -sr) 2>/dev/null`" in
+    "SunOS 5"*)
+      echo $ac_n "checking whether -R must be followed by a space""... $ac_c" 1>&6
+echo "configure:3796: checking whether -R must be followed by a space" >&5
+      ac_xsave_LIBS="$LIBS"; LIBS="$LIBS -R$x_libraries"
+      cat > conftest.$ac_ext <<EOF
+#line 3799 "configure"
+#include "confdefs.h"
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3806: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_R_nospace=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_R_nospace=no
+fi
+rm -f conftest*
+      if test $ac_R_nospace = yes; then
+	echo "$ac_t""no" 1>&6
+	X_LIBS="$X_LIBS -R$x_libraries"
+      else
+	LIBS="$ac_xsave_LIBS -R $x_libraries"
+	cat > conftest.$ac_ext <<EOF
+#line 3822 "configure"
+#include "confdefs.h"
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:3829: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_R_space=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_R_space=no
+fi
+rm -f conftest*
+	if test $ac_R_space = yes; then
+	  echo "$ac_t""yes" 1>&6
+	  X_LIBS="$X_LIBS -R $x_libraries"
+	else
+	  echo "$ac_t""neither works" 1>&6
+	fi
+      fi
+      LIBS="$ac_xsave_LIBS"
+    esac
+  fi
+
+  # Check for system-dependent libraries X programs must link with.
+  # Do this before checking for the system-independent R6 libraries
+  # (-lICE), since we may need -lsocket or whatever for X linking.
+
+  if test "$ISC" = yes; then
+    X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl_s -linet"
+  else
+    # Martyn.Johnson@cl.cam.ac.uk says this is needed for Ultrix, if the X
+    # libraries were built with DECnet support.  And karl@cs.umb.edu says
+    # the Alpha needs dnet_stub (dnet does not exist).
+    echo $ac_n "checking for dnet_ntoa in -ldnet""... $ac_c" 1>&6
+echo "configure:3861: checking for dnet_ntoa in -ldnet" >&5
+ac_lib_var=`echo dnet'_'dnet_ntoa | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldnet  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 3869 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dnet_ntoa();
+
+int main() {
+dnet_ntoa()
+; return 0; }
+EOF
+if { (eval echo configure:3880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_lib_dnet_dnet_ntoa = no; then
+      echo $ac_n "checking for dnet_ntoa in -ldnet_stub""... $ac_c" 1>&6
+echo "configure:3902: checking for dnet_ntoa in -ldnet_stub" >&5
+ac_lib_var=`echo dnet_stub'_'dnet_ntoa | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldnet_stub  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 3910 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dnet_ntoa();
+
+int main() {
+dnet_ntoa()
+; return 0; }
+EOF
+if { (eval echo configure:3921: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # msh@cis.ufl.edu says -lnsl (and -lsocket) are needed for his 386/AT,
+    # to get the SysV transport functions.
+    # chad@anasazi.com says the Pyramis MIS-ES running DC/OSx (SVR4)
+    # needs -lnsl.
+    # The nsl library prevents programs from opening the X display
+    # on Irix 5.2, according to dickey@clark.net.
+    echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
+echo "configure:3950: checking for gethostbyname" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3955 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char gethostbyname(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char gethostbyname();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_gethostbyname) || defined (__stub___gethostbyname)
+choke me
+#else
+gethostbyname();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:3978: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'gethostbyname`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_gethostbyname = no; then
+      echo $ac_n "checking for gethostbyname in -lnsl""... $ac_c" 1>&6
+echo "configure:3999: checking for gethostbyname in -lnsl" >&5
+ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lnsl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4007 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char gethostbyname();
+
+int main() {
+gethostbyname()
+; return 0; }
+EOF
+if { (eval echo configure:4018: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # lieder@skyler.mavd.honeywell.com says without -lsocket,
+    # socket/setsockopt and other routines are undefined under SCO ODT
+    # 2.0.  But -lsocket is broken on IRIX 5.2 (and is not necessary
+    # on later versions), says simon@lia.di.epfl.ch: it contains
+    # gethostby* variants that don't use the nameserver (or something).
+    # -lsocket must be given before -lnsl if both are needed.
+    # We assume that if connect needs -lnsl, so does gethostbyname.
+    echo $ac_n "checking for connect""... $ac_c" 1>&6
+echo "configure:4048: checking for connect" >&5
+if eval "test \"`echo '$''{'ac_cv_func_connect'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4053 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char connect(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char connect();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_connect) || defined (__stub___connect)
+choke me
+#else
+connect();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_connect=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_connect=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'connect`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_connect = no; then
+      echo $ac_n "checking for connect in -lsocket""... $ac_c" 1>&6
+echo "configure:4097: checking for connect in -lsocket" >&5
+ac_lib_var=`echo socket'_'connect | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lsocket $X_EXTRA_LIBS $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4105 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char connect();
+
+int main() {
+connect()
+; return 0; }
+EOF
+if { (eval echo configure:4116: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # gomez@mi.uni-erlangen.de says -lposix is necessary on A/UX.
+    echo $ac_n "checking for remove""... $ac_c" 1>&6
+echo "configure:4140: checking for remove" >&5
+if eval "test \"`echo '$''{'ac_cv_func_remove'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4145 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char remove(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char remove();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_remove) || defined (__stub___remove)
+choke me
+#else
+remove();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4168: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_remove=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_remove=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'remove`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_remove = no; then
+      echo $ac_n "checking for remove in -lposix""... $ac_c" 1>&6
+echo "configure:4189: checking for remove in -lposix" >&5
+ac_lib_var=`echo posix'_'remove | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lposix  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4197 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char remove();
+
+int main() {
+remove()
+; return 0; }
+EOF
+if { (eval echo configure:4208: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay.
+    echo $ac_n "checking for shmat""... $ac_c" 1>&6
+echo "configure:4232: checking for shmat" >&5
+if eval "test \"`echo '$''{'ac_cv_func_shmat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4237 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shmat(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char shmat();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_shmat) || defined (__stub___shmat)
+choke me
+#else
+shmat();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4260: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_shmat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_shmat=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'shmat`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_shmat = no; then
+      echo $ac_n "checking for shmat in -lipc""... $ac_c" 1>&6
+echo "configure:4281: checking for shmat in -lipc" >&5
+ac_lib_var=`echo ipc'_'shmat | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lipc  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4289 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char shmat();
+
+int main() {
+shmat()
+; return 0; }
+EOF
+if { (eval echo configure:4300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+  fi
+
+  # Check for libraries that X11R6 Xt/Xaw programs need.
+  ac_save_LDFLAGS="$LDFLAGS"
+  test -n "$x_libraries" && LDFLAGS="$LDFLAGS -L$x_libraries"
+  # SM needs ICE to (dynamically) link under SunOS 4.x (so we have to
+  # check for ICE first), but we must link in the order -lSM -lICE or
+  # we get undefined symbols.  So assume we have SM if we have ICE.
+  # These have to be linked with before -lX11, unlike the other
+  # libraries we check for below, so use a different variable.
+  #  --interran@uluru.Stanford.EDU, kb@cs.umb.edu.
+  echo $ac_n "checking for IceConnectionNumber in -lICE""... $ac_c" 1>&6
+echo "configure:4333: checking for IceConnectionNumber in -lICE" >&5
+ac_lib_var=`echo ICE'_'IceConnectionNumber | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lICE $X_EXTRA_LIBS $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4341 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char IceConnectionNumber();
+
+int main() {
+IceConnectionNumber()
+; return 0; }
+EOF
+if { (eval echo configure:4352: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  LDFLAGS="$ac_save_LDFLAGS"
+
+fi
+
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	echo $ac_n "checking for special X linker flags""... $ac_c" 1>&6
+echo "configure:4381: checking for special X linker flags" >&5
+if eval "test \"`echo '$''{'krb_cv_sys_x_libs_rpath'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		if test "$cross_compiling" = yes; then
+    { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4412 "configure"
+#include "confdefs.h"
+
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		
+EOF
+if { (eval echo configure:4426: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  :
+fi
+rm -fr conftest*
+fi
+
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	
+fi
+
+echo "$ac_t""$krb_cv_sys_x_libs_rpath" 1>&6
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+
+
+if test "$no_x" = "yes" ; then
+	MAKE_X_PROGS_BIN_PROGS=""
+	MAKE_X_PROGS_BIN_SCRPTS=""
+	MAKE_X_PROGS_LIBEXEC_PROGS=""
+else
+	MAKE_X_PROGS_BIN_PROGS='$(X_PROGS_BIN_PROGS)'
+	MAKE_X_PROGS_BIN_SCRPTS='$(X_PROGS_BIN_SCRPTS)'
+	MAKE_X_PROGS_LIBEXEC_PROGS='$(X_PROGS_LIBEXEC_PROGS)'
+fi
+
+
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+
+
+
+echo $ac_n "checking for XauWriteAuth""... $ac_c" 1>&6
+echo "configure:4472: checking for XauWriteAuth" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauWriteAuth'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauWriteAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4487 "configure"
+#include "confdefs.h"
+
+int main() {
+XauWriteAuth()
+; return 0; }
+EOF
+if { (eval echo configure:4494: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauWriteAuth"
+
+: << END
+@@@funcs="$funcs XauWriteAuth"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauWriteAuth
+eval "ac_tr_func=HAVE_`echo XauWriteAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauWriteAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "LIB_XauWriteAuth="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauWriteAuth=no"
+	eval "LIB_XauWriteAuth="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+
+
+
+echo $ac_n "checking for XauReadAuth""... $ac_c" 1>&6
+echo "configure:4559: checking for XauReadAuth" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauReadAuth'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauReadAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4574 "configure"
+#include "confdefs.h"
+
+int main() {
+XauReadAuth()
+; return 0; }
+EOF
+if { (eval echo configure:4581: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauReadAuth"
+
+: << END
+@@@funcs="$funcs XauReadAuth"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauReadAuth
+eval "ac_tr_func=HAVE_`echo XauReadAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauReadAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "LIB_XauReadAuth="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauReadAuth=no"
+	eval "LIB_XauReadAuth="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+LIBS="$LIB_XauReadAauth $LIBS"
+
+
+
+echo $ac_n "checking for XauFileName""... $ac_c" 1>&6
+echo "configure:4645: checking for XauFileName" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauFileName'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauFileName\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4660 "configure"
+#include "confdefs.h"
+
+int main() {
+XauFileName()
+; return 0; }
+EOF
+if { (eval echo configure:4667: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauFileName"
+
+: << END
+@@@funcs="$funcs XauFileName"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauFileName
+eval "ac_tr_func=HAVE_`echo XauFileName | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauFileName=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "LIB_XauFileName="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauFileName=no"
+	eval "LIB_XauFileName="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	
+
+if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+  NEED_WRITEAUTH_TRUE=
+  NEED_WRITEAUTH_FALSE='#'
+else
+  NEED_WRITEAUTH_TRUE='#'
+  NEED_WRITEAUTH_FALSE=
+fi
+else
+	
+	
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+
+
+
+echo $ac_n "checking for working const""... $ac_c" 1>&6
+echo "configure:4775: checking for working const" >&5
+if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4780 "configure"
+#include "confdefs.h"
+
+int main() {
+
+/* Ultrix mips cc rejects this.  */
+typedef int charset[2]; const charset x;
+/* SunOS 4.1.1 cc rejects this.  */
+char const *const *ccp;
+char **p;
+/* NEC SVR4.0.2 mips cc rejects this.  */
+struct point {int x, y;};
+static struct point const zero = {0,0};
+/* AIX XL C 1.02.0.0 rejects this.
+   It does not let you subtract one const X* pointer from another in an arm
+   of an if-expression whose if-part is not a constant expression */
+const char *g = "string";
+ccp = &g + (g ? g-g : 0);
+/* HPUX 7.0 cc rejects these. */
+++ccp;
+p = (char**) ccp;
+ccp = (char const *const *) p;
+{ /* SCO 3.2v4 cc rejects this.  */
+  char *t;
+  char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+  *t++ = 0;
+}
+{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+  int x[] = {25, 17};
+  const int *foo = &x[0];
+  ++foo;
+}
+{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+  typedef const int *iptr;
+  iptr p = 0;
+  ++p;
+}
+{ /* AIX XL C 1.02.0.0 rejects this saying
+     "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+  struct s { int j; const int *ap[3]; };
+  struct s *b; b->j = 5;
+}
+{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+  const int foo = 10;
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:4829: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_const=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_const=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_c_const" 1>&6
+if test $ac_cv_c_const = no; then
+  cat >> confdefs.h <<\EOF
+#define const 
+EOF
+
+fi
+
+echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+echo "configure:4850: checking for ANSI C header files" >&5
+if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4855 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:4863: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  ac_cv_header_stdc=yes
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 4880 "configure"
+#include "confdefs.h"
+#include <string.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 4898 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4919 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int main () { int i; for (i = 0; i < 256; i++)
+if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
+exit (0); }
+
+EOF
+if { (eval echo configure:4930: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_header_stdc=no
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_header_stdc" 1>&6
+if test $ac_cv_header_stdc = yes; then
+  cat >> confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+echo $ac_n "checking for off_t""... $ac_c" 1>&6
+echo "configure:4954: checking for off_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4959 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_off_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_off_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_off_t" 1>&6
+if test $ac_cv_type_off_t = no; then
+  cat >> confdefs.h <<\EOF
+#define off_t long
+EOF
+
+fi
+
+echo $ac_n "checking for size_t""... $ac_c" 1>&6
+echo "configure:4987: checking for size_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4992 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_size_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_size_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_size_t" 1>&6
+if test $ac_cv_type_size_t = no; then
+  cat >> confdefs.h <<\EOF
+#define size_t unsigned
+EOF
+
+fi
+
+echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
+echo "configure:5020: checking for ssize_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_ssize_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5025 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <unistd.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_ssize_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_ssize_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_ssize_t" 1>&6
+if test $ac_cv_type_ssize_t = no; then
+  cat >> confdefs.h <<\EOF
+#define ssize_t int
+EOF
+
+fi
+
+echo $ac_n "checking for pid_t""... $ac_c" 1>&6
+echo "configure:5054: checking for pid_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5059 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_pid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_pid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_pid_t" 1>&6
+if test $ac_cv_type_pid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define pid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6
+echo "configure:5087: checking for uid_t in sys/types.h" >&5
+if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5092 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_uid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_type_uid_t" 1>&6
+if test $ac_cv_type_uid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+  cat >> confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for mode_t""... $ac_c" 1>&6
+echo "configure:5121: checking for mode_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_mode_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5126 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_mode_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_mode_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_mode_t" 1>&6
+if test $ac_cv_type_mode_t = no; then
+  cat >> confdefs.h <<\EOF
+#define mode_t unsigned short
+EOF
+
+fi
+
+echo $ac_n "checking for sig_atomic_t""... $ac_c" 1>&6
+echo "configure:5155: checking for sig_atomic_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_sig_atomic_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5160 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <signal.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "sig_atomic_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_sig_atomic_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_sig_atomic_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_sig_atomic_t" 1>&6
+if test $ac_cv_type_sig_atomic_t = no; then
+  cat >> confdefs.h <<\EOF
+#define sig_atomic_t int
+EOF
+
+fi
+
+
+
+cv=`echo "long long" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for long long""... $ac_c" 1>&6
+echo "configure:5192: checking for long long" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5197 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+int main() {
+long long foo;
+; return 0; }
+EOF
+if { (eval echo configure:5209: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs long_long"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
+echo "configure:5235: checking whether time.h and sys/time.h may both be included" >&5
+if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5240 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+int main() {
+struct tm *tp;
+; return 0; }
+EOF
+if { (eval echo configure:5249: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_header_time=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_time=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_header_time" 1>&6
+if test $ac_cv_header_time = yes; then
+  cat >> confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... $ac_c" 1>&6
+echo "configure:5270: checking whether struct tm is in sys/time.h or time.h" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_tm'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5275 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <time.h>
+int main() {
+struct tm *tp; tp->tm_sec;
+; return 0; }
+EOF
+if { (eval echo configure:5283: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_struct_tm=time.h
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_struct_tm=sys/time.h
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_struct_tm" 1>&6
+if test $ac_cv_struct_tm = sys/time.h; then
+  cat >> confdefs.h <<\EOF
+#define TM_IN_SYS_TIME 1
+EOF
+
+fi
+
+
+echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+echo "configure:5305: checking for ANSI C header files" >&5
+if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5310 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:5318: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  ac_cv_header_stdc=yes
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 5335 "configure"
+#include "confdefs.h"
+#include <string.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 5353 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5374 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int main () { int i; for (i = 0; i < 256; i++)
+if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
+exit (0); }
+
+EOF
+if { (eval echo configure:5385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_header_stdc=no
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_header_stdc" 1>&6
+if test $ac_cv_header_stdc = yes; then
+  cat >> confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+
+if test "$berkeley_db"; then
+  for ac_hdr in 				\
+	db.h					\
+	db_185.h				\
+  
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:5417: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5422 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:5427: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+fi
+
+for ac_hdr in \
+	arpa/ftp.h				\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bind/bitypes.h				\
+	bsdsetjmp.h				\
+	crypt.h					\
+	curses.h				\
+	dbm.h					\
+	dirent.h				\
+	dlfcn.h					\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	limits.h				\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in6_var.h			\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinfo/ni.h				\
+	paths.h					\
+	pthread.h				\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	sgtty.h					\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termio.h				\
+	termios.h				\
+	time.h					\
+	tmpdir.h				\
+	udb.h					\
+	unistd.h				\
+	util.h					\
+	utmp.h					\
+	utmpx.h					\
+
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:5546: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5551 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:5556: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+for ac_hdr in standards.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:5588: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5593 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:5598: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:5629: checking for $i" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5634 "configure"
+#include "confdefs.h"
+\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:5644: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$cv=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$cv=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""`eval echo \\$ac_cv_header_$cv`" 1>&6
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+done
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+
+
+
+# Check whether --enable-netinfo or --disable-netinfo was given.
+if test "${enable_netinfo+set}" = set; then
+  enableval="$enable_netinfo"
+  :
+fi
+
+
+if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
+       cat >> confdefs.h <<\EOF
+#define HAVE_NETINFO 1
+EOF
+
+fi
+
+
+
+if test "$ac_cv_header_err_h" = yes; then
+  have_err_h_TRUE=
+  have_err_h_FALSE='#'
+else
+  have_err_h_TRUE='#'
+  have_err_h_FALSE=
+fi
+
+
+if test "$ac_cv_header_fnmatch_h" = yes; then
+  have_fnmatch_h_TRUE=
+  have_fnmatch_h_FALSE='#'
+else
+  have_fnmatch_h_TRUE='#'
+  have_fnmatch_h_FALSE=
+fi
+
+
+# Check whether --with-ipv6 or --without-ipv6 was given.
+if test "${with_ipv6+set}" = set; then
+  withval="$with_ipv6"
+  
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi
+fi
+
+if eval "test \"`echo '$''{'ac_cv_lib_ipv6'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  v6type=unknown
+v6lib=none
+
+echo $ac_n "checking ipv6 stack type""... $ac_c" 1>&6
+echo "configure:5725: checking ipv6 stack type" >&5
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		cat > conftest.$ac_ext <<EOF
+#line 5730 "configure"
+#include "confdefs.h"
+dnl
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	toshiba)
+		cat > conftest.$ac_ext <<EOF
+#line 5750 "configure"
+#include "confdefs.h"
+dnl
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	kame)
+		cat > conftest.$ac_ext <<EOF
+#line 5770 "configure"
+#include "confdefs.h"
+dnl
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	inria)
+		cat > conftest.$ac_ext <<EOF
+#line 5790 "configure"
+#include "confdefs.h"
+dnl
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  v6type=$i; CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	zeta)
+		cat > conftest.$ac_ext <<EOF
+#line 5808 "configure"
+#include "confdefs.h"
+dnl
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+echo "$ac_t""$v6type" 1>&6
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+cat > conftest.$ac_ext <<EOF
+#line 5850 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+
+int main() {
+
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+
+; return 0; }
+EOF
+if { (eval echo configure:5880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_ipv6=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_ipv6=no
+fi
+rm -f conftest*
+fi
+
+echo $ac_n "checking for IPv6""... $ac_c" 1>&6
+echo "configure:5893: checking for IPv6" >&5
+echo "$ac_t""$ac_cv_lib_ipv6" 1>&6
+if test "$ac_cv_lib_ipv6" = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_IPV6 1
+EOF
+
+fi
+
+
+
+
+
+
+
+echo $ac_n "checking for socket""... $ac_c" 1>&6
+echo "configure:5909: checking for socket" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_socket'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_socket\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" socket; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 5924 "configure"
+#include "confdefs.h"
+
+int main() {
+socket()
+; return 0; }
+EOF
+if { (eval echo configure:5931: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_socket"
+
+: << END
+@@@funcs="$funcs socket"@@@
+@@@libs="$libs "" socket"@@@
+END
+
+# socket
+eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_socket=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_socket=yes"
+	eval "LIB_socket="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_socket=no"
+	eval "LIB_socket="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_socket=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_socket"; then
+	LIBS="$LIB_socket $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
+echo "configure:5999: checking for gethostbyname" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_gethostbyname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" nsl; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6014 "configure"
+#include "confdefs.h"
+
+int main() {
+gethostbyname()
+; return 0; }
+EOF
+if { (eval echo configure:6021: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname"
+
+: << END
+@@@funcs="$funcs gethostbyname"@@@
+@@@libs="$libs "" nsl"@@@
+END
+
+# gethostbyname
+eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "LIB_gethostbyname="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname=no"
+	eval "LIB_gethostbyname="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_gethostbyname"; then
+	LIBS="$LIB_gethostbyname $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for syslog""... $ac_c" 1>&6
+echo "configure:6089: checking for syslog" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_syslog'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" syslog; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6104 "configure"
+#include "confdefs.h"
+
+int main() {
+syslog()
+; return 0; }
+EOF
+if { (eval echo configure:6111: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_syslog"
+
+: << END
+@@@funcs="$funcs syslog"@@@
+@@@libs="$libs "" syslog"@@@
+END
+
+# syslog
+eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_syslog=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_syslog=yes"
+	eval "LIB_syslog="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_syslog=no"
+	eval "LIB_syslog="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_syslog=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_syslog"; then
+	LIBS="$LIB_syslog $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for logwtmp""... $ac_c" 1>&6
+echo "configure:6179: checking for logwtmp" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_logwtmp'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_logwtmp\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6194 "configure"
+#include "confdefs.h"
+
+int main() {
+logwtmp()
+; return 0; }
+EOF
+if { (eval echo configure:6201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_logwtmp"
+
+: << END
+@@@funcs="$funcs logwtmp"@@@
+@@@libs="$libs "" util"@@@
+END
+
+# logwtmp
+eval "ac_tr_func=HAVE_`echo logwtmp | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_logwtmp=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "LIB_logwtmp="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_logwtmp=no"
+	eval "LIB_logwtmp="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for tgetent""... $ac_c" 1>&6
+echo "configure:6264: checking for tgetent" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_tgetent'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_tgetent\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" termcap ncurses curses; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6279 "configure"
+#include "confdefs.h"
+
+int main() {
+tgetent()
+; return 0; }
+EOF
+if { (eval echo configure:6286: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_tgetent"
+
+: << END
+@@@funcs="$funcs tgetent"@@@
+@@@libs="$libs "" termcap ncurses curses"@@@
+END
+
+# tgetent
+eval "ac_tr_func=HAVE_`echo tgetent | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_tgetent=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_tgetent=yes"
+	eval "LIB_tgetent="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_tgetent=no"
+	eval "LIB_tgetent="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_tgetent=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+
+echo $ac_n "checking for gethostbyname2""... $ac_c" 1>&6
+echo "configure:6350: checking for gethostbyname2" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_gethostbyname2'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" inet6 ip6; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6365 "configure"
+#include "confdefs.h"
+
+int main() {
+gethostbyname2()
+; return 0; }
+EOF
+if { (eval echo configure:6372: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname2"
+
+: << END
+@@@funcs="$funcs gethostbyname2"@@@
+@@@libs="$libs "" inet6 ip6"@@@
+END
+
+# gethostbyname2
+eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname2=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "LIB_gethostbyname2="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname2=no"
+	eval "LIB_gethostbyname2="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_gethostbyname2"; then
+	LIBS="$LIB_gethostbyname2 $LIBS"
+fi
+
+
+
+
+
+
+echo $ac_n "checking for res_search""... $ac_c" 1>&6
+echo "configure:6441: checking for res_search" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_res_search'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6456 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int main() {
+res_search(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6477: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_res_search"
+
+: << END
+@@@funcs="$funcs res_search"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# res_search
+eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_search=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_search=yes"
+	eval "LIB_res_search="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_res_search=no"
+	eval "LIB_res_search="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_res_search=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_res_search"; then
+	LIBS="$LIB_res_search $LIBS"
+fi
+
+
+
+
+
+
+echo $ac_n "checking for dn_expand""... $ac_c" 1>&6
+echo "configure:6546: checking for dn_expand" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dn_expand'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6561 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int main() {
+dn_expand(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6582: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dn_expand"
+
+: << END
+@@@funcs="$funcs dn_expand"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# dn_expand
+eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dn_expand=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "LIB_dn_expand="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dn_expand=no"
+	eval "LIB_dn_expand="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_dn_expand"; then
+	LIBS="$LIB_dn_expand $LIBS"
+fi
+
+
+
+
+echo $ac_n "checking for working snprintf""... $ac_c" 1>&6
+echo "configure:6649: checking for working snprintf" >&5
+if eval "test \"`echo '$''{'ac_cv_func_snprintf_working'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_func_snprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6658 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+	char foo[3];
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}
+EOF
+if { (eval echo configure:6670: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_snprintf_working=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_snprintf_working" 1>&6
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_SNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
+echo $ac_n "checking if snprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:6696: checking if snprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_snprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6701 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int main() {
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
+snprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:6711: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_snprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_snprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_snprintf_noproto" 1>&6
+
+if test "$ac_cv_func_snprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_SNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+
+echo $ac_n "checking for working vsnprintf""... $ac_c" 1>&6
+echo "configure:6738: checking for working vsnprintf" >&5
+if eval "test \"`echo '$''{'ac_cv_func_vsnprintf_working'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_func_vsnprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6747 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+	char bar[3];
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}
+EOF
+if { (eval echo configure:6770: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_vsnprintf_working=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_vsnprintf_working" 1>&6
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_VSNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
+echo $ac_n "checking if vsnprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:6796: checking if vsnprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_vsnprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6801 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int main() {
+struct foo { int foo; } xx;
+extern int vsnprintf (struct foo*);
+vsnprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:6811: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_vsnprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_vsnprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_vsnprintf_noproto" 1>&6
+
+if test "$ac_cv_func_vsnprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_VSNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+
+
+echo $ac_n "checking for working glob""... $ac_c" 1>&6
+echo "configure:6839: checking for working glob" >&5
+if eval "test \"`echo '$''{'ac_cv_func_glob_working'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_func_glob_working=yes
+cat > conftest.$ac_ext <<EOF
+#line 6845 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <glob.h>
+int main() {
+
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+
+; return 0; }
+EOF
+if { (eval echo configure:6856: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_glob_working=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_glob_working" 1>&6
+
+if test "$ac_cv_func_glob_working" = yes; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_GLOB 1
+EOF
+
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+
+if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
+echo $ac_n "checking if glob needs a prototype""... $ac_c" 1>&6
+echo "configure:6880: checking if glob needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_glob_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6885 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <glob.h>
+int main() {
+struct foo { int foo; } xx;
+extern int glob (struct foo*);
+glob(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:6896: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_glob_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_glob_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_glob_noproto" 1>&6
+
+if test "$ac_cv_func_glob_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GLOB_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+
+
+if test "$ac_cv_func_glob_working" = yes; then
+  have_glob_h_TRUE=
+  have_glob_h_FALSE='#'
+else
+  have_glob_h_TRUE='#'
+  have_glob_h_FALSE=
+fi
+
+
+
+
+
+echo $ac_n "checking for dbopen""... $ac_c" 1>&6
+echo "configure:6940: checking for dbopen" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dbopen'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dbopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6955 "configure"
+#include "confdefs.h"
+
+int main() {
+dbopen()
+; return 0; }
+EOF
+if { (eval echo configure:6962: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dbopen"
+
+: << END
+@@@funcs="$funcs dbopen"@@@
+@@@libs="$libs "" $berkeley_db"@@@
+END
+
+# dbopen
+eval "ac_tr_func=HAVE_`echo dbopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbopen=yes"
+	eval "LIB_dbopen="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dbopen=no"
+	eval "LIB_dbopen="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dbopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for dbm_firstkey""... $ac_c" 1>&6
+echo "configure:7025: checking for dbm_firstkey" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dbm_firstkey'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db gdbm ndbm; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 7040 "configure"
+#include "confdefs.h"
+
+int main() {
+dbm_firstkey()
+; return 0; }
+EOF
+if { (eval echo configure:7047: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dbm_firstkey"
+
+: << END
+@@@funcs="$funcs dbm_firstkey"@@@
+@@@libs="$libs "" $berkeley_db gdbm ndbm"@@@
+END
+
+# dbm_firstkey
+eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbm_firstkey=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "LIB_dbm_firstkey="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dbm_firstkey=no"
+	eval "LIB_dbm_firstkey="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+
+for ac_func in _getpty _scrsize asnprintf asprintf cgetent fcntl
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7115: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7120 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7143: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in getmsg getrlimit getspnam gettimeofday getuid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7170: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7175 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7198: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in grantpt mktime ptsname rand random setproctitle
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7225: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7230 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7253: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in revoke select setitimer setpcred setpgid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7280: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7285 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7308: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in setregid setresgid setresuid setreuid setutent
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7335: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7340 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7363: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in setsid sigaction strstr
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7390: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7395 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7418: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in sysconf sysctl timegm ttyname ttyslot umask uname
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7445: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7450 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7473: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in unlockpt vasnprintf vasprintf vhangup
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7500: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7505 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7528: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in yp_get_default_domain
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7555: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7560 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7583: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+
+for ac_func in getlogin setlogin
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7616: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7621 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7644: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+if test "$ac_cv_func_getlogin" = yes; then
+echo $ac_n "checking if getlogin is posix""... $ac_c" 1>&6
+echo "configure:7670: checking if getlogin is posix" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getlogin_posix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_getlogin_posix" 1>&6
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	cat >> confdefs.h <<\EOF
+#define POSIX_GETLOGIN 1
+EOF
+
+fi
+fi
+
+
+
+
+for ac_hdr in capability.h sys/capability.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:7699: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7704 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:7709: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_func in sgi_getcapabilitybyname cap_set_proc
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7739: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7744 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7767: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+
+
+
+
+echo $ac_n "checking for getpwnam_r""... $ac_c" 1>&6
+echo "configure:7798: checking for getpwnam_r" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_getpwnam_r'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" c_r; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 7813 "configure"
+#include "confdefs.h"
+
+int main() {
+getpwnam_r()
+; return 0; }
+EOF
+if { (eval echo configure:7820: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_getpwnam_r"
+
+: << END
+@@@funcs="$funcs getpwnam_r"@@@
+@@@libs="$libs "" c_r"@@@
+END
+
+# getpwnam_r
+eval "ac_tr_func=HAVE_`echo getpwnam_r | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getpwnam_r=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "LIB_getpwnam_r="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_getpwnam_r=no"
+	eval "LIB_getpwnam_r="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	echo $ac_n "checking if getpwnam_r is posix""... $ac_c" 1>&6
+echo "configure:7881: checking if getpwnam_r is posix" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getpwnam_r_posix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7891 "configure"
+#include "confdefs.h"
+
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+
+EOF
+if { (eval echo configure:7902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_getpwnam_r_posix=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_getpwnam_r_posix=no
+fi
+rm -fr conftest*
+fi
+
+LIBS="$ac_libs"
+fi
+
+echo "$ac_t""$ac_cv_func_getpwnam_r_posix" 1>&6
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	cat >> confdefs.h <<\EOF
+#define POSIX_GETPWNAM_R 1
+EOF
+
+fi
+fi
+
+
+
+
+
+echo $ac_n "checking for getsockopt""... $ac_c" 1>&6
+echo "configure:7931: checking for getsockopt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_getsockopt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 7946 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+getsockopt(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:7958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_getsockopt"
+
+: << END
+@@@funcs="$funcs getsockopt"@@@
+@@@libs="$libs "" "@@@
+END
+
+# getsockopt
+eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "LIB_getsockopt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_getsockopt=no"
+	eval "LIB_getsockopt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for setsockopt""... $ac_c" 1>&6
+echo "configure:8021: checking for setsockopt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_setsockopt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 8036 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+setsockopt(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:8048: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_setsockopt"
+
+: << END
+@@@funcs="$funcs setsockopt"@@@
+@@@libs="$libs "" "@@@
+END
+
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+for ac_func in getudbnam setlim
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8111: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8116 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+echo $ac_n "checking return type of signal handlers""... $ac_c" 1>&6
+echo "configure:8165: checking return type of signal handlers" >&5
+if eval "test \"`echo '$''{'ac_cv_type_signal'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8170 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+#undef signal
+#endif
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
+#else
+void (*signal ()) ();
+#endif
+
+int main() {
+int i;
+; return 0; }
+EOF
+if { (eval echo configure:8187: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_signal=void
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_signal=int
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_signal" 1>&6
+cat >> confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
+EOF
+
+
+if test "$ac_cv_type_signal" = "void" ; then
+	cat >> confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
+EOF
+
+fi
+
+
+
+
+
+
+echo $ac_n "checking for hstrerror""... $ac_c" 1>&6
+echo "configure:8218: checking for hstrerror" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_hstrerror'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 8233 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int main() {
+hstrerror(17)
+; return 0; }
+EOF
+if { (eval echo configure:8242: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_hstrerror"
+
+: << END
+@@@funcs="$funcs hstrerror"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# hstrerror
+eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_hstrerror=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "LIB_hstrerror="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_hstrerror=no"
+	eval "LIB_hstrerror="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_hstrerror"; then
+	LIBS="$LIB_hstrerror $LIBS"
+fi
+
+if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
+LIBOBJS="$LIBOBJS hstrerror.o"
+fi
+
+if test "$ac_cv_func_hstrerror" = yes; then
+
+if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
+echo $ac_n "checking if hstrerror needs a prototype""... $ac_c" 1>&6
+echo "configure:8313: checking if hstrerror needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_hstrerror_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8318 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int main() {
+struct foo { int foo; } xx;
+extern int hstrerror (struct foo*);
+hstrerror(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8331: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_hstrerror_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_hstrerror_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_hstrerror_noproto" 1>&6
+
+if test "$ac_cv_func_hstrerror_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_HSTRERROR_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_asprintf" = yes; then
+
+if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then
+echo $ac_n "checking if asprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:8360: checking if asprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_asprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8365 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+struct foo { int foo; } xx;
+extern int asprintf (struct foo*);
+asprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8377: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_asprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_asprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_asprintf_noproto" 1>&6
+
+if test "$ac_cv_func_asprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_ASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+
+if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
+echo $ac_n "checking if vasprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:8404: checking if vasprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_vasprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8409 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+struct foo { int foo; } xx;
+extern int vasprintf (struct foo*);
+vasprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_vasprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_vasprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_vasprintf_noproto" 1>&6
+
+if test "$ac_cv_func_vasprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_VASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+
+if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
+echo $ac_n "checking if asnprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:8448: checking if asnprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_asnprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8453 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+struct foo { int foo; } xx;
+extern int asnprintf (struct foo*);
+asnprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8465: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_asnprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_asnprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_asnprintf_noproto" 1>&6
+
+if test "$ac_cv_func_asnprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_ASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+
+if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
+echo $ac_n "checking if vasnprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:8492: checking if vasnprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_vasnprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8497 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+struct foo { int foo; } xx;
+extern int vasnprintf (struct foo*);
+vasnprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_vasnprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_vasnprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_vasnprintf_noproto" 1>&6
+
+if test "$ac_cv_func_vasnprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_VASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+
+for ac_func in chown copyhostent daemon err errx fchown flock fnmatch
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8536: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8541 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8564: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs chown copyhostent daemon err errx fchown flock fnmatch"@@@
+END
+done
+
+for ac_func in freeaddrinfo freehostent gai_strerror getaddrinfo
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8597: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8602 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8625: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs freeaddrinfo freehostent gai_strerror getaddrinfo"@@@
+END
+done
+
+for ac_func in getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8658: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8663 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname"@@@
+END
+done
+
+for ac_func in geteuid getgid getegid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8719: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8724 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8747: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs geteuid getgid getegid"@@@
+END
+done
+
+for ac_func in getnameinfo getopt getusershell
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8780: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8785 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8808: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs getnameinfo getopt getusershell"@@@
+END
+done
+
+for ac_func in inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8841: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8846 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8869: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat"@@@
+END
+done
+
+for ac_func in memmove
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8902: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8907 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8930: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs memmove"@@@
+END
+done
+
+for ac_func in mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8963: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8968 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8991: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid"@@@
+END
+done
+
+for ac_func in strcasecmp strncasecmp strdup strerror strftime
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:9024: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9029 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:9052: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strcasecmp strncasecmp strdup strerror strftime"@@@
+END
+done
+
+for ac_func in strlcat strlcpy strlwr
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:9085: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9090 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:9113: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strlcat strlcpy strlwr"@@@
+END
+done
+
+for ac_func in strndup strnlen strptime strsep strtok_r strupr
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:9146: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9151 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:9174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strndup strnlen strptime strsep strtok_r strupr"@@@
+END
+done
+
+for ac_func in swab unsetenv verr verrx vsyslog
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:9207: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9212 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:9235: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs swab unsetenv verr verrx vsyslog"@@@
+END
+done
+
+for ac_func in vwarn vwarnx warn warnx writev
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:9268: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9273 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:9296: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs vwarn vwarnx warn warnx writev"@@@
+END
+done
+
+
+
+if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then
+echo $ac_n "checking if setenv needs a prototype""... $ac_c" 1>&6
+echo "configure:9330: checking if setenv needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_setenv_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9335 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int main() {
+struct foo { int foo; } xx;
+extern int setenv (struct foo*);
+setenv(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9345: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_setenv_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_setenv_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_setenv_noproto" 1>&6
+
+if test "$ac_cv_func_setenv_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_SETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then
+echo $ac_n "checking if unsetenv needs a prototype""... $ac_c" 1>&6
+echo "configure:9371: checking if unsetenv needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_unsetenv_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9376 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int main() {
+struct foo { int foo; } xx;
+extern int unsetenv (struct foo*);
+unsetenv(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9386: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_unsetenv_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_unsetenv_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_unsetenv_noproto" 1>&6
+
+if test "$ac_cv_func_unsetenv_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_UNSETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
+echo $ac_n "checking if gethostname needs a prototype""... $ac_c" 1>&6
+echo "configure:9412: checking if gethostname needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostname_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9417 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int main() {
+struct foo { int foo; } xx;
+extern int gethostname (struct foo*);
+gethostname(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostname_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostname_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostname_noproto" 1>&6
+
+if test "$ac_cv_func_gethostname_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GETHOSTNAME_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
+echo $ac_n "checking if mkstemp needs a prototype""... $ac_c" 1>&6
+echo "configure:9453: checking if mkstemp needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_mkstemp_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9458 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int main() {
+struct foo { int foo; } xx;
+extern int mkstemp (struct foo*);
+mkstemp(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9468: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_mkstemp_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_mkstemp_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_mkstemp_noproto" 1>&6
+
+if test "$ac_cv_func_mkstemp_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_MKSTEMP_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
+echo $ac_n "checking if getusershell needs a prototype""... $ac_c" 1>&6
+echo "configure:9494: checking if getusershell needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getusershell_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9499 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int main() {
+struct foo { int foo; } xx;
+extern int getusershell (struct foo*);
+getusershell(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_getusershell_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_getusershell_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_getusershell_noproto" 1>&6
+
+if test "$ac_cv_func_getusershell_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GETUSERSHELL_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
+echo $ac_n "checking if inet_aton needs a prototype""... $ac_c" 1>&6
+echo "configure:9536: checking if inet_aton needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_inet_aton_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9541 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int main() {
+struct foo { int foo; } xx;
+extern int inet_aton (struct foo*);
+inet_aton(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9563: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_inet_aton_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_inet_aton_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_inet_aton_noproto" 1>&6
+
+if test "$ac_cv_func_inet_aton_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_INET_ATON_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+
+
+echo $ac_n "checking for crypt""... $ac_c" 1>&6
+echo "configure:9591: checking for crypt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_crypt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_crypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypt; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 9606 "configure"
+#include "confdefs.h"
+
+int main() {
+crypt()
+; return 0; }
+EOF
+if { (eval echo configure:9613: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_crypt"
+
+: << END
+@@@funcs="$funcs crypt"@@@
+@@@libs="$libs "" crypt"@@@
+END
+
+# crypt
+eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_crypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_crypt=yes"
+	eval "LIB_crypt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_crypt=no"
+	eval "LIB_crypt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_crypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+LIB_roken='$(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen)'
+
+echo $ac_n "checking if realloc if broken""... $ac_c" 1>&6
+echo "configure:9676: checking if realloc if broken" >&5
+if eval "test \"`echo '$''{'ac_cv_func_realloc_broken'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+ac_cv_func_realloc_broken=no
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9686 "configure"
+#include "confdefs.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+
+EOF
+if { (eval echo configure:9698: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_realloc_broken=yes
+fi
+rm -fr conftest*
+fi
+
+
+fi
+
+echo "$ac_t""$ac_cv_func_realloc_broken" 1>&6
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	cat >> confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if gethostbyname is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:9725: checking if gethostbyname is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyname_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9730 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct hostent *gethostbyname(const char *);
+; return 0; }
+EOF
+if { (eval echo configure:9753: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostbyname_proto_compat" 1>&6
+
+if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETHOSTBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if gethostbyaddr is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:9778: checking if gethostbyaddr is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyaddr_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9783 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct hostent *gethostbyaddr(const void *, size_t, int);
+; return 0; }
+EOF
+if { (eval echo configure:9806: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyaddr_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostbyaddr_proto_compat" 1>&6
+
+if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETHOSTBYADDR_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if getservbyname is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:9831: checking if getservbyname is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getservbyname_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9836 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct servent *getservbyname(const char *, const char *);
+; return 0; }
+EOF
+if { (eval echo configure:9859: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_getservbyname_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_getservbyname_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_getservbyname_proto_compat" 1>&6
+
+if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETSERVBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if openlog is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:9884: checking if openlog is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_openlog_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9889 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+int main() {
+void openlog(const char *, int, int);
+; return 0; }
+EOF
+if { (eval echo configure:9900: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_openlog_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_openlog_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_openlog_proto_compat" 1>&6
+
+if test "$ac_cv_func_openlog_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define OPENLOG_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
+echo $ac_n "checking if crypt needs a prototype""... $ac_c" 1>&6
+echo "configure:9926: checking if crypt needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_crypt_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9931 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+int main() {
+struct foo { int foo; } xx;
+extern int crypt (struct foo*);
+crypt(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9948: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_crypt_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_crypt_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_crypt_noproto" 1>&6
+
+if test "$ac_cv_func_crypt_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_CRYPT_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
+echo $ac_n "checking if strtok_r needs a prototype""... $ac_c" 1>&6
+echo "configure:9975: checking if strtok_r needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_strtok_r_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9980 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int strtok_r (struct foo*);
+strtok_r(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:9992: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_strtok_r_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_strtok_r_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_strtok_r_noproto" 1>&6
+
+if test "$ac_cv_func_strtok_r_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_STRTOK_R_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
+echo $ac_n "checking if strsep needs a prototype""... $ac_c" 1>&6
+echo "configure:10019: checking if strsep needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_strsep_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10024 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int strsep (struct foo*);
+strsep(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:10036: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_strsep_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_strsep_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_strsep_noproto" 1>&6
+
+if test "$ac_cv_func_strsep_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_STRSEP_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+echo $ac_n "checking for h_errno""... $ac_c" 1>&6
+echo "configure:10062: checking for h_errno" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errno'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10068 "configure"
+#include "confdefs.h"
+extern int h_errno;
+int foo() { return h_errno; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:10076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_errno=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_errno=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_errno`" 1>&6
+if test `eval echo \\$ac_cv_var_h_errno` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_ERRNO 1
+EOF
+
+	
+echo $ac_n "checking if h_errno is properly declared""... $ac_c" 1>&6
+echo "configure:10099: checking if h_errno is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errno_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10105 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errno;
+int main() {
+h_errno.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10118: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_errno_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_errno_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_errno_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_ERRNO_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for h_errlist""... $ac_c" 1>&6
+echo "configure:10149: checking for h_errlist" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errlist'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10155 "configure"
+#include "confdefs.h"
+extern int h_errlist;
+int foo() { return h_errlist; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:10163: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_errlist=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_errlist=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_errlist`" 1>&6
+if test `eval echo \\$ac_cv_var_h_errlist` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_ERRLIST 1
+EOF
+
+	
+echo $ac_n "checking if h_errlist is properly declared""... $ac_c" 1>&6
+echo "configure:10186: checking if h_errlist is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errlist_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10192 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errlist;
+int main() {
+h_errlist.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10202: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_errlist_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_errlist_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_errlist_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_ERRLIST_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for h_nerr""... $ac_c" 1>&6
+echo "configure:10233: checking for h_nerr" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_nerr'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10239 "configure"
+#include "confdefs.h"
+extern int h_nerr;
+int foo() { return h_nerr; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:10247: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_nerr=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_nerr=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_nerr`" 1>&6
+if test `eval echo \\$ac_cv_var_h_nerr` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_NERR 1
+EOF
+
+	
+echo $ac_n "checking if h_nerr is properly declared""... $ac_c" 1>&6
+echo "configure:10270: checking if h_nerr is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_nerr_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10276 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_nerr;
+int main() {
+h_nerr.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10286: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_nerr_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_nerr_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_nerr_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_NERR_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for __progname""... $ac_c" 1>&6
+echo "configure:10317: checking for __progname" >&5
+if eval "test \"`echo '$''{'ac_cv_var___progname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10323 "configure"
+#include "confdefs.h"
+extern int __progname;
+int foo() { return __progname; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:10331: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var___progname=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var___progname=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var___progname`" 1>&6
+if test `eval echo \\$ac_cv_var___progname` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE___PROGNAME 1
+EOF
+
+	
+echo $ac_n "checking if __progname is properly declared""... $ac_c" 1>&6
+echo "configure:10354: checking if __progname is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var___progname_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10360 "configure"
+#include "confdefs.h"
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+extern struct { int foo; } __progname;
+int main() {
+__progname.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10370: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var___progname_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var___progname_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var___progname_declaration" 1>&6
+if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE___PROGNAME_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking if optarg is properly declared""... $ac_c" 1>&6
+echo "configure:10401: checking if optarg is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optarg_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10407 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optarg;
+int main() {
+optarg.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10418: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optarg_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optarg_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optarg_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTARG_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if optind is properly declared""... $ac_c" 1>&6
+echo "configure:10445: checking if optind is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optind_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10451 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optind;
+int main() {
+optind.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10462: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optind_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optind_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optind_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTIND_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if opterr is properly declared""... $ac_c" 1>&6
+echo "configure:10489: checking if opterr is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_opterr_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10495 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } opterr;
+int main() {
+opterr.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10506: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_opterr_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_opterr_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_opterr_declaration" 1>&6
+if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTERR_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if optopt is properly declared""... $ac_c" 1>&6
+echo "configure:10533: checking if optopt is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optopt_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10539 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optopt;
+int main() {
+optopt.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10550: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optopt_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optopt_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optopt_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTOPT_DECLARATION 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if environ is properly declared""... $ac_c" 1>&6
+echo "configure:10578: checking if environ is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_environ_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10584 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+extern struct { int foo; } environ;
+int main() {
+environ.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:10592: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_environ_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_environ_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_environ_declaration" 1>&6
+if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_ENVIRON_DECLARATION 1
+EOF
+
+fi
+
+
+
+
+
+
+echo $ac_n "checking for ut_addr in struct utmp""... $ac_c" 1>&6
+echo "configure:10622: checking for ut_addr in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_addr'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10628 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_addr;
+; return 0; }
+EOF
+if { (eval echo configure:10635: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_addr=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_addr=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_addr" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ADDR 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_host in struct utmp""... $ac_c" 1>&6
+echo "configure:10661: checking for ut_host in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_host'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10667 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_host;
+; return 0; }
+EOF
+if { (eval echo configure:10674: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_host=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_host=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_host" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_host" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_HOST 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_id in struct utmp""... $ac_c" 1>&6
+echo "configure:10700: checking for ut_id in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_id'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10706 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_id;
+; return 0; }
+EOF
+if { (eval echo configure:10713: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_id=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_id=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_id" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_id" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ID 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_pid in struct utmp""... $ac_c" 1>&6
+echo "configure:10739: checking for ut_pid in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_pid'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10745 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_pid;
+; return 0; }
+EOF
+if { (eval echo configure:10752: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_pid=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_pid=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_pid" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_PID 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_type in struct utmp""... $ac_c" 1>&6
+echo "configure:10778: checking for ut_type in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_type'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10784 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_type;
+; return 0; }
+EOF
+if { (eval echo configure:10791: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_type=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_type=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_type" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_type" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_TYPE 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_user in struct utmp""... $ac_c" 1>&6
+echo "configure:10817: checking for ut_user in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_user'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10823 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int main() {
+struct utmp x; x.ut_user;
+; return 0; }
+EOF
+if { (eval echo configure:10830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_user=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_user=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_user" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_user" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_USER 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_exit in struct utmpx""... $ac_c" 1>&6
+echo "configure:10856: checking for ut_exit in struct utmpx" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_exit'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10862 "configure"
+#include "confdefs.h"
+#include <utmpx.h>
+int main() {
+struct utmpx x; x.ut_exit;
+; return 0; }
+EOF
+if { (eval echo configure:10869: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_exit=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_exit=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmpx_ut_exit" 1>&6
+if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_EXIT 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_syslen in struct utmpx""... $ac_c" 1>&6
+echo "configure:10895: checking for ut_syslen in struct utmpx" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_syslen'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10901 "configure"
+#include "confdefs.h"
+#include <utmpx.h>
+int main() {
+struct utmpx x; x.ut_syslen;
+; return 0; }
+EOF
+if { (eval echo configure:10908: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_syslen=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_syslen=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmpx_ut_syslen" 1>&6
+if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_SYSLEN 1
+EOF
+
+	
+fi
+
+
+
+
+
+
+echo $ac_n "checking for tm_gmtoff in struct tm""... $ac_c" 1>&6
+echo "configure:10936: checking for tm_gmtoff in struct tm" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_gmtoff'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10942 "configure"
+#include "confdefs.h"
+#include <time.h>
+int main() {
+struct tm x; x.tm_gmtoff;
+; return 0; }
+EOF
+if { (eval echo configure:10949: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_gmtoff=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_gmtoff=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_tm_tm_gmtoff" 1>&6
+if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_GMTOFF 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for tm_zone in struct tm""... $ac_c" 1>&6
+echo "configure:10975: checking for tm_zone in struct tm" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_zone'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10981 "configure"
+#include "confdefs.h"
+#include <time.h>
+int main() {
+struct tm x; x.tm_zone;
+; return 0; }
+EOF
+if { (eval echo configure:10988: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_zone=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_zone=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_tm_tm_zone" 1>&6
+if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_ZONE 1
+EOF
+
+	
+fi
+
+
+
+
+
+echo $ac_n "checking for timezone""... $ac_c" 1>&6
+echo "configure:11015: checking for timezone" >&5
+if eval "test \"`echo '$''{'ac_cv_var_timezone'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 11021 "configure"
+#include "confdefs.h"
+extern int timezone;
+int foo() { return timezone; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:11029: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_timezone=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_timezone=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_timezone`" 1>&6
+if test `eval echo \\$ac_cv_var_timezone` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_TIMEZONE 1
+EOF
+
+	
+echo $ac_n "checking if timezone is properly declared""... $ac_c" 1>&6
+echo "configure:11052: checking if timezone is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_timezone_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 11058 "configure"
+#include "confdefs.h"
+#include <time.h>
+extern struct { int foo; } timezone;
+int main() {
+timezone.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:11066: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_timezone_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_timezone_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_timezone_declaration" 1>&6
+if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_TIMEZONE_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+
+cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6
+echo "configure:11099: checking for sa_family_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11104 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+sa_family_t foo;
+; return 0; }
+EOF
+if { (eval echo configure:11116: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs sa_family_t"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+
+cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for socklen_t""... $ac_c" 1>&6
+echo "configure:11146: checking for socklen_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11151 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+socklen_t foo;
+; return 0; }
+EOF
+if { (eval echo configure:11163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs socklen_t"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+
+cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for struct sockaddr""... $ac_c" 1>&6
+echo "configure:11193: checking for struct sockaddr" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11198 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+struct sockaddr foo;
+; return 0; }
+EOF
+if { (eval echo configure:11210: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs struct_sockaddr"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+
+cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6
+echo "configure:11240: checking for struct sockaddr_storage" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11245 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+struct sockaddr_storage foo;
+; return 0; }
+EOF
+if { (eval echo configure:11257: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs struct_sockaddr_storage"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+
+cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6
+echo "configure:11287: checking for struct addrinfo" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11292 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <netdb.h>
+int main() {
+struct addrinfo foo;
+; return 0; }
+EOF
+if { (eval echo configure:11304: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs struct_addrinfo"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking for struct winsize""... $ac_c" 1>&6
+echo "configure:11333: checking for struct winsize" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_winsize'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+cat > conftest.$ac_ext <<EOF
+#line 11341 "configure"
+#include "confdefs.h"
+#include <$i>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_struct_winsize=yes; break
+fi
+rm -f conftest*
+done
+
+fi
+
+if test "$ac_cv_struct_winsize" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_WINSIZE 1
+EOF
+
+fi
+echo "$ac_t""$ac_cv_struct_winsize" 1>&6
+cat > conftest.$ac_ext <<EOF
+#line 11363 "configure"
+#include "confdefs.h"
+#include <termios.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_xpixel" >/dev/null 2>&1; then
+  rm -rf conftest*
+  cat >> confdefs.h <<\EOF
+#define HAVE_WS_XPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+cat > conftest.$ac_ext <<EOF
+#line 11378 "configure"
+#include "confdefs.h"
+#include <termios.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_ypixel" >/dev/null 2>&1; then
+  rm -rf conftest*
+  cat >> confdefs.h <<\EOF
+#define HAVE_WS_YPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+
+
+
+
+echo $ac_n "checking for struct spwd""... $ac_c" 1>&6
+echo "configure:11397: checking for struct spwd" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_spwd'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 11403 "configure"
+#include "confdefs.h"
+#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+int main() {
+struct spwd foo;
+; return 0; }
+EOF
+if { (eval echo configure:11413: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_struct_spwd=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_struct_spwd=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_struct_spwd" 1>&6
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_SPWD 1
+EOF
+
+fi
+
+
+
+
+
+echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6
+echo "configure:11440: checking for sa_len in struct sockaddr" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_sockaddr_sa_len'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 11446 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+int main() {
+struct sockaddr x; x.sa_len;
+; return 0; }
+EOF
+if { (eval echo configure:11454: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_sockaddr_sa_len=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_sockaddr_sa_len=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_sockaddr_sa_len" 1>&6
+if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+EOF
+
+	
+fi
+
+
+
+
+
+for i in int8_t int16_t int32_t int64_t; do
+	echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:11482: checking for $i" >&5
+	
+if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11488 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int main() {
+$i x;
+
+; return 0; }
+EOF
+if { (eval echo configure:11512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval ac_cv_type_$i=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval ac_cv_type_$i=no
+fi
+rm -f conftest*
+fi
+
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+		cat >> confdefs.h <<EOF
+#define $type 1
+EOF
+
+	fi
+	echo "$ac_t""$ac_res" 1>&6
+done
+
+
+for i in u_int8_t u_int16_t u_int32_t u_int64_t; do
+	echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:11538: checking for $i" >&5
+	
+if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 11544 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int main() {
+$i x;
+
+; return 0; }
+EOF
+if { (eval echo configure:11568: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval ac_cv_type_$i=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval ac_cv_type_$i=no
+fi
+rm -f conftest*
+fi
+
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+		cat >> confdefs.h <<EOF
+#define $type 1
+EOF
+
+	fi
+	echo "$ac_t""$ac_res" 1>&6
+done
+
+
+
+
+
+
+echo $ac_n "checking for MD4Init""... $ac_c" 1>&6
+echo "configure:11597: checking for MD4Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_MD4Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_MD4Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 11612 "configure"
+#include "confdefs.h"
+
+int main() {
+MD4Init()
+; return 0; }
+EOF
+if { (eval echo configure:11619: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4Init=$ac_lib; else ac_cv_funclib_MD4Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_MD4Init=\${ac_cv_funclib_MD4Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_MD4Init"
+
+: << END
+@@@funcs="$funcs MD4Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# MD4Init
+eval "ac_tr_func=HAVE_`echo MD4Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD4Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD4Init=yes"
+	eval "LIB_MD4Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_MD4Init=no"
+	eval "LIB_MD4Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_MD4Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for MD4_Init""... $ac_c" 1>&6
+echo "configure:11682: checking for MD4_Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_MD4_Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_MD4_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 11697 "configure"
+#include "confdefs.h"
+
+int main() {
+MD4_Init()
+; return 0; }
+EOF
+if { (eval echo configure:11704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4_Init=$ac_lib; else ac_cv_funclib_MD4_Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_MD4_Init=\${ac_cv_funclib_MD4_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_MD4_Init"
+
+: << END
+@@@funcs="$funcs MD4_Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# MD4_Init
+eval "ac_tr_func=HAVE_`echo MD4_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD4_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD4_Init=yes"
+	eval "LIB_MD4_Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_MD4_Init=no"
+	eval "LIB_MD4_Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_MD4_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for MD5Init""... $ac_c" 1>&6
+echo "configure:11767: checking for MD5Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_MD5Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_MD5Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 11782 "configure"
+#include "confdefs.h"
+
+int main() {
+MD5Init()
+; return 0; }
+EOF
+if { (eval echo configure:11789: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5Init=$ac_lib; else ac_cv_funclib_MD5Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_MD5Init=\${ac_cv_funclib_MD5Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_MD5Init"
+
+: << END
+@@@funcs="$funcs MD5Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# MD5Init
+eval "ac_tr_func=HAVE_`echo MD5Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD5Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD5Init=yes"
+	eval "LIB_MD5Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_MD5Init=no"
+	eval "LIB_MD5Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_MD5Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for MD5_Init""... $ac_c" 1>&6
+echo "configure:11852: checking for MD5_Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_MD5_Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_MD5_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 11867 "configure"
+#include "confdefs.h"
+
+int main() {
+MD5_Init()
+; return 0; }
+EOF
+if { (eval echo configure:11874: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5_Init=$ac_lib; else ac_cv_funclib_MD5_Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_MD5_Init=\${ac_cv_funclib_MD5_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_MD5_Init"
+
+: << END
+@@@funcs="$funcs MD5_Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# MD5_Init
+eval "ac_tr_func=HAVE_`echo MD5_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD5_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD5_Init=yes"
+	eval "LIB_MD5_Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_MD5_Init=no"
+	eval "LIB_MD5_Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_MD5_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for SHA1Init""... $ac_c" 1>&6
+echo "configure:11937: checking for SHA1Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_SHA1Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_SHA1Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 11952 "configure"
+#include "confdefs.h"
+
+int main() {
+SHA1Init()
+; return 0; }
+EOF
+if { (eval echo configure:11959: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1Init=$ac_lib; else ac_cv_funclib_SHA1Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_SHA1Init=\${ac_cv_funclib_SHA1Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_SHA1Init"
+
+: << END
+@@@funcs="$funcs SHA1Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# SHA1Init
+eval "ac_tr_func=HAVE_`echo SHA1Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_SHA1Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_SHA1Init=yes"
+	eval "LIB_SHA1Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_SHA1Init=no"
+	eval "LIB_SHA1Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_SHA1Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for SHA1_Init""... $ac_c" 1>&6
+echo "configure:12022: checking for SHA1_Init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_SHA1_Init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_SHA1_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 12037 "configure"
+#include "confdefs.h"
+
+int main() {
+SHA1_Init()
+; return 0; }
+EOF
+if { (eval echo configure:12044: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1_Init=$ac_lib; else ac_cv_funclib_SHA1_Init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_SHA1_Init=\${ac_cv_funclib_SHA1_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_SHA1_Init"
+
+: << END
+@@@funcs="$funcs SHA1_Init"@@@
+@@@libs="$libs "" crypto"@@@
+END
+
+# SHA1_Init
+eval "ac_tr_func=HAVE_`echo SHA1_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_SHA1_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_SHA1_Init=yes"
+	eval "LIB_SHA1_Init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_SHA1_Init=no"
+	eval "LIB_SHA1_Init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_SHA1_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for des_cbc_encrypt""... $ac_c" 1>&6
+echo "configure:12107: checking for des_cbc_encrypt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_des_cbc_encrypt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_des_cbc_encrypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypto des; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 12122 "configure"
+#include "confdefs.h"
+
+int main() {
+des_cbc_encrypt()
+; return 0; }
+EOF
+if { (eval echo configure:12129: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_des_cbc_encrypt=$ac_lib; else ac_cv_funclib_des_cbc_encrypt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_des_cbc_encrypt=\${ac_cv_funclib_des_cbc_encrypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_des_cbc_encrypt"
+
+: << END
+@@@funcs="$funcs des_cbc_encrypt"@@@
+@@@libs="$libs "" crypto des"@@@
+END
+
+# des_cbc_encrypt
+eval "ac_tr_func=HAVE_`echo des_cbc_encrypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_des_cbc_encrypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "LIB_des_cbc_encrypt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_des_cbc_encrypt=no"
+	eval "LIB_des_cbc_encrypt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+
+
+
+echo $ac_n "checking for el_init""... $ac_c" 1>&6
+echo "configure:12195: checking for el_init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_el_init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_el_init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" edit; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib $LIB_tgetent $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 12210 "configure"
+#include "confdefs.h"
+
+int main() {
+el_init()
+; return 0; }
+EOF
+if { (eval echo configure:12217: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_el_init"
+
+: << END
+@@@funcs="$funcs el_init"@@@
+@@@libs="$libs "" edit"@@@
+END
+
+# el_init
+eval "ac_tr_func=HAVE_`echo el_init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_el_init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_el_init=yes"
+	eval "LIB_el_init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_el_init=no"
+	eval "LIB_el_init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_el_init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test "$ac_cv_func_el_init" = yes ; then
+	echo $ac_n "checking for four argument el_init""... $ac_c" 1>&6
+echo "configure:12278: checking for four argument el_init" >&5
+if eval "test \"`echo '$''{'ac_cv_func_el_init_four'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+		cat > conftest.$ac_ext <<EOF
+#line 12284 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+			#include <histedit.h>
+int main() {
+el_init("", NULL, NULL, NULL);
+; return 0; }
+EOF
+if { (eval echo configure:12292: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_func_el_init_four=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_el_init_four=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_el_init_four" 1>&6
+	if test "$ac_cv_func_el_init_four" = yes; then
+		cat >> confdefs.h <<\EOF
+#define HAVE_FOUR_VALUED_EL_INIT 1
+EOF
+
+	fi
+fi
+
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.a $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.a'
+fi
+
+
+if test "$ac_foo" = yes; then
+  el_compat_TRUE=
+  el_compat_FALSE='#'
+else
+  el_compat_TRUE='#'
+  el_compat_FALSE=
+fi
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+cat >> confdefs.h <<\EOF
+#define HAVE_READLINE 1
+EOF
+
+
+cat >> confdefs.h <<\EOF
+#define AUTHENTICATION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define ENCRYPTION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define DES_ENCRYPTION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define DIAGNOSTICS 1
+EOF
+cat >> confdefs.h <<\EOF
+#define OLD_ENVIRON 1
+EOF
+if false; then
+cat >> confdefs.h <<\EOF
+#define ENV_HACK 1
+EOF
+
+fi
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+echo $ac_n "checking for streamspty""... $ac_c" 1>&6
+echo "configure:12371: checking for streamspty" >&5
+case "$host" in
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux10*)
+	krb_cv_sys_streamspty=no
+	;;
+*)
+	krb_cv_sys_streamspty="$ac_cv_func_getmsg"
+	;;
+esac
+if test "$krb_cv_sys_streamspty" = yes; then
+	cat >> confdefs.h <<\EOF
+#define STREAMSPTY 1
+EOF
+
+fi
+echo "$ac_t""$krb_cv_sys_streamspty" 1>&6
+
+
+echo $ac_n "checking which authentication modules should be built""... $ac_c" 1>&6
+echo "configure:12390: checking which authentication modules should be built" >&5
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+esac
+
+echo "$ac_t""$LIB_AUTH_SUBDIRS" 1>&6
+
+
+
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	cat >> confdefs.h <<EOF
+#define $foo "$x"
+EOF
+
+done
+
+if false; then
+	# hack to shut up automake
+	LIBOBJS="$LIBOBJS make-print-version.o"
+fi
+LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
+
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Any assignment to VPATH causes Sun make to only execute
+# the first set of double-colon rules, so remove it if not needed.
+# If there is a colon in the path, we need to keep it.
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
+fi
+
+trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
+
+DEFS=-DHAVE_CONFIG_H
+
+# Without the "./", some shells look in PATH for config.status.
+: ${CONFIG_STATUS=./config.status}
+
+echo creating $CONFIG_STATUS
+rm -f $CONFIG_STATUS
+cat > $CONFIG_STATUS <<EOF
+#! /bin/sh
+# Generated automatically by configure.
+# Run this file to recreate the current configuration.
+# This directory was configured as follows,
+# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# $0 $ac_configure_args
+#
+# Compiler output produced by configure, useful for debugging
+# configure, is in ./config.log if it exists.
+
+ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
+for ac_option
+do
+  case "\$ac_option" in
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
+    exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
+  -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
+    echo "$CONFIG_STATUS generated by autoconf version 2.13"
+    exit 0 ;;
+  -help | --help | --hel | --he | --h)
+    echo "\$ac_cs_usage"; exit 0 ;;
+  *) echo "\$ac_cs_usage"; exit 1 ;;
+  esac
+done
+
+ac_given_srcdir=$srcdir
+ac_given_INSTALL="$INSTALL"
+
+trap 'rm -fr `echo "Makefile 			\
+	include/Makefile		\
+	include/kadm5/Makefile		\
+	lib/Makefile			\
+	lib/45/Makefile			\
+	lib/auth/Makefile		\
+	lib/auth/afskauthlib/Makefile	\
+	lib/auth/pam/Makefile		\
+	lib/auth/sia/Makefile		\
+	lib/asn1/Makefile		\
+	lib/com_err/Makefile		\
+	lib/des/Makefile		\
+	lib/editline/Makefile		\
+	lib/gssapi/Makefile		\
+	lib/hdb/Makefile		\
+	lib/kadm5/Makefile		\
+	lib/kafs/Makefile		\
+	lib/krb5/Makefile		\
+	lib/otp/Makefile		\
+	lib/roken/Makefile		\
+	lib/sl/Makefile			\
+	kuser/Makefile			\
+	kpasswd/Makefile		\
+	kadmin/Makefile			\
+	admin/Makefile			\
+	kdc/Makefile			\
+	appl/Makefile			\
+	appl/afsutil/Makefile		\
+	appl/ftp/Makefile		\
+	appl/ftp/common/Makefile	\
+	appl/ftp/ftp/Makefile		\
+	appl/ftp/ftpd/Makefile		\
+	appl/kauth/Makefile		\
+	appl/kx/Makefile		\
+	appl/login/Makefile		\
+	appl/otp/Makefile		\
+	appl/popper/Makefile		\
+	appl/push/Makefile		\
+	appl/rsh/Makefile		\
+	appl/su/Makefile		\
+	appl/xnlock/Makefile		\
+	appl/telnet/Makefile		\
+	appl/telnet/libtelnet/Makefile	\
+	appl/telnet/telnet/Makefile	\
+	appl/telnet/telnetd/Makefile	\
+	appl/test/Makefile		\
+	appl/kf/Makefile		\
+	doc/Makefile			\
+ include/config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+# Protect against being on the right side of a sed subst in config.status.
+sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
+ s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
+$ac_vpsub
+$extrasub
+s%@SHELL@%$SHELL%g
+s%@CFLAGS@%$CFLAGS%g
+s%@CPPFLAGS@%$CPPFLAGS%g
+s%@CXXFLAGS@%$CXXFLAGS%g
+s%@FFLAGS@%$FFLAGS%g
+s%@DEFS@%$DEFS%g
+s%@LDFLAGS@%$LDFLAGS%g
+s%@LIBS@%$LIBS%g
+s%@exec_prefix@%$exec_prefix%g
+s%@prefix@%$prefix%g
+s%@program_transform_name@%$program_transform_name%g
+s%@bindir@%$bindir%g
+s%@sbindir@%$sbindir%g
+s%@libexecdir@%$libexecdir%g
+s%@datadir@%$datadir%g
+s%@sysconfdir@%$sysconfdir%g
+s%@sharedstatedir@%$sharedstatedir%g
+s%@localstatedir@%$localstatedir%g
+s%@libdir@%$libdir%g
+s%@includedir@%$includedir%g
+s%@oldincludedir@%$oldincludedir%g
+s%@infodir@%$infodir%g
+s%@mandir@%$mandir%g
+s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
+s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
+s%@INSTALL_DATA@%$INSTALL_DATA%g
+s%@PACKAGE@%$PACKAGE%g
+s%@VERSION@%$VERSION%g
+s%@ACLOCAL@%$ACLOCAL%g
+s%@AUTOCONF@%$AUTOCONF%g
+s%@AUTOMAKE@%$AUTOMAKE%g
+s%@AUTOHEADER@%$AUTOHEADER%g
+s%@MAKEINFO@%$MAKEINFO%g
+s%@SET_MAKE@%$SET_MAKE%g
+s%@host@%$host%g
+s%@host_alias@%$host_alias%g
+s%@host_cpu@%$host_cpu%g
+s%@host_vendor@%$host_vendor%g
+s%@host_os@%$host_os%g
+s%@CANONICAL_HOST@%$CANONICAL_HOST%g
+s%@CC@%$CC%g
+s%@OBJEXT@%$OBJEXT%g
+s%@EXEEXT@%$EXEEXT%g
+s%@YACC@%$YACC%g
+s%@LEX@%$LEX%g
+s%@LEXLIB@%$LEXLIB%g
+s%@CPP@%$CPP%g
+s%@LEX_OUTPUT_ROOT@%$LEX_OUTPUT_ROOT%g
+s%@RANLIB@%$RANLIB%g
+s%@AWK@%$AWK%g
+s%@LN_S@%$LN_S%g
+s%@LD@%$LD%g
+s%@NM@%$NM%g
+s%@LIBTOOL@%$LIBTOOL%g
+s%@WFLAGS@%$WFLAGS%g
+s%@WFLAGS_NOUNUSED@%$WFLAGS_NOUNUSED%g
+s%@WFLAGS_NOIMPLICITINT@%$WFLAGS_NOIMPLICITINT%g
+s%@INCLUDE_krb4@%$INCLUDE_krb4%g
+s%@LIB_krb4@%$LIB_krb4%g
+s%@EXTRA_LIB45@%$EXTRA_LIB45%g
+s%@LIB_krb_enable_debug@%$LIB_krb_enable_debug%g
+s%@LIB_krb_disable_debug@%$LIB_krb_disable_debug%g
+s%@LIB_krb_get_our_ip_for_realm@%$LIB_krb_get_our_ip_for_realm%g
+s%@KRB4_TRUE@%$KRB4_TRUE%g
+s%@KRB4_FALSE@%$KRB4_FALSE%g
+s%@KRB5_TRUE@%$KRB5_TRUE%g
+s%@KRB5_FALSE@%$KRB5_FALSE%g
+s%@LIB_kdb@%$LIB_kdb%g
+s%@AIX_TRUE@%$AIX_TRUE%g
+s%@AIX_FALSE@%$AIX_FALSE%g
+s%@AIX4_TRUE@%$AIX4_TRUE%g
+s%@AIX4_FALSE@%$AIX4_FALSE%g
+s%@AIX_DYNAMIC_AFS_TRUE@%$AIX_DYNAMIC_AFS_TRUE%g
+s%@AIX_DYNAMIC_AFS_FALSE@%$AIX_DYNAMIC_AFS_FALSE%g
+s%@LIB_dlopen@%$LIB_dlopen%g
+s%@HAVE_DLOPEN_TRUE@%$HAVE_DLOPEN_TRUE%g
+s%@HAVE_DLOPEN_FALSE@%$HAVE_DLOPEN_FALSE%g
+s%@AFS_EXTRA_LD@%$AFS_EXTRA_LD%g
+s%@AIX_EXTRA_KAFS@%$AIX_EXTRA_KAFS%g
+s%@LIB_otp@%$LIB_otp%g
+s%@OTP_TRUE@%$OTP_TRUE%g
+s%@OTP_FALSE@%$OTP_FALSE%g
+s%@LIB_security@%$LIB_security%g
+s%@NROFF@%$NROFF%g
+s%@GROFF@%$GROFF%g
+s%@CATMAN@%$CATMAN%g
+s%@CATMAN_TRUE@%$CATMAN_TRUE%g
+s%@CATMAN_FALSE@%$CATMAN_FALSE%g
+s%@CATMANEXT@%$CATMANEXT%g
+s%@INCLUDE_readline@%$INCLUDE_readline%g
+s%@LIB_readline@%$LIB_readline%g
+s%@INCLUDE_hesiod@%$INCLUDE_hesiod%g
+s%@LIB_hesiod@%$LIB_hesiod%g
+s%@X_CFLAGS@%$X_CFLAGS%g
+s%@X_PRE_LIBS@%$X_PRE_LIBS%g
+s%@X_LIBS@%$X_LIBS%g
+s%@X_EXTRA_LIBS@%$X_EXTRA_LIBS%g
+s%@MAKE_X_PROGS_BIN_PROGS@%$MAKE_X_PROGS_BIN_PROGS%g
+s%@MAKE_X_PROGS_BIN_SCRPTS@%$MAKE_X_PROGS_BIN_SCRPTS%g
+s%@MAKE_X_PROGS_LIBEXEC_PROGS@%$MAKE_X_PROGS_LIBEXEC_PROGS%g
+s%@LIB_XauWriteAuth@%$LIB_XauWriteAuth%g
+s%@LIB_XauReadAuth@%$LIB_XauReadAuth%g
+s%@LIB_XauFileName@%$LIB_XauFileName%g
+s%@NEED_WRITEAUTH_TRUE@%$NEED_WRITEAUTH_TRUE%g
+s%@NEED_WRITEAUTH_FALSE@%$NEED_WRITEAUTH_FALSE%g
+s%@have_err_h_TRUE@%$have_err_h_TRUE%g
+s%@have_err_h_FALSE@%$have_err_h_FALSE%g
+s%@have_fnmatch_h_TRUE@%$have_fnmatch_h_TRUE%g
+s%@have_fnmatch_h_FALSE@%$have_fnmatch_h_FALSE%g
+s%@LIB_socket@%$LIB_socket%g
+s%@LIB_gethostbyname@%$LIB_gethostbyname%g
+s%@LIB_syslog@%$LIB_syslog%g
+s%@LIB_logwtmp@%$LIB_logwtmp%g
+s%@LIB_tgetent@%$LIB_tgetent%g
+s%@LIB_gethostbyname2@%$LIB_gethostbyname2%g
+s%@LIB_res_search@%$LIB_res_search%g
+s%@LIB_dn_expand@%$LIB_dn_expand%g
+s%@have_glob_h_TRUE@%$have_glob_h_TRUE%g
+s%@have_glob_h_FALSE@%$have_glob_h_FALSE%g
+s%@LIB_dbopen@%$LIB_dbopen%g
+s%@LIB_dbm_firstkey@%$LIB_dbm_firstkey%g
+s%@DBLIB@%$DBLIB%g
+s%@LIB_getpwnam_r@%$LIB_getpwnam_r%g
+s%@LIB_getsockopt@%$LIB_getsockopt%g
+s%@LIB_setsockopt@%$LIB_setsockopt%g
+s%@VOID_RETSIGTYPE@%$VOID_RETSIGTYPE%g
+s%@LIB_hstrerror@%$LIB_hstrerror%g
+s%@LIBOBJS@%$LIBOBJS%g
+s%@LIB_crypt@%$LIB_crypt%g
+s%@LIB_roken@%$LIB_roken%g
+s%@LIB_MD4Init@%$LIB_MD4Init%g
+s%@LIB_MD4_Init@%$LIB_MD4_Init%g
+s%@LIB_MD5Init@%$LIB_MD5Init%g
+s%@LIB_MD5_Init@%$LIB_MD5_Init%g
+s%@LIB_SHA1Init@%$LIB_SHA1Init%g
+s%@LIB_SHA1_Init@%$LIB_SHA1_Init%g
+s%@LIB_des_cbc_encrypt@%$LIB_des_cbc_encrypt%g
+s%@LIB_el_init@%$LIB_el_init%g
+s%@el_compat_TRUE@%$el_compat_TRUE%g
+s%@el_compat_FALSE@%$el_compat_FALSE%g
+s%@LIB_AUTH_SUBDIRS@%$LIB_AUTH_SUBDIRS%g
+s%@LTLIBOBJS@%$LTLIBOBJS%g
+
+CEOF
+EOF
+
+cat >> $CONFIG_STATUS <<\EOF
+
+# Split the substitutions into bite-sized pieces for seds with
+# small command number limits, like on Digital OSF/1 and HP-UX.
+ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
+ac_file=1 # Number of current file.
+ac_beg=1 # First line for current file.
+ac_end=$ac_max_sed_cmds # Line after last line for current file.
+ac_more_lines=:
+ac_sed_cmds=""
+while $ac_more_lines; do
+  if test $ac_beg -gt 1; then
+    sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
+  else
+    sed "${ac_end}q" conftest.subs > conftest.s$ac_file
+  fi
+  if test ! -s conftest.s$ac_file; then
+    ac_more_lines=false
+    rm -f conftest.s$ac_file
+  else
+    if test -z "$ac_sed_cmds"; then
+      ac_sed_cmds="sed -f conftest.s$ac_file"
+    else
+      ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
+    fi
+    ac_file=`expr $ac_file + 1`
+    ac_beg=$ac_end
+    ac_end=`expr $ac_end + $ac_max_sed_cmds`
+  fi
+done
+if test -z "$ac_sed_cmds"; then
+  ac_sed_cmds=cat
+fi
+EOF
+
+cat >> $CONFIG_STATUS <<EOF
+
+CONFIG_FILES=\${CONFIG_FILES-"Makefile 			\
+	include/Makefile		\
+	include/kadm5/Makefile		\
+	lib/Makefile			\
+	lib/45/Makefile			\
+	lib/auth/Makefile		\
+	lib/auth/afskauthlib/Makefile	\
+	lib/auth/pam/Makefile		\
+	lib/auth/sia/Makefile		\
+	lib/asn1/Makefile		\
+	lib/com_err/Makefile		\
+	lib/des/Makefile		\
+	lib/editline/Makefile		\
+	lib/gssapi/Makefile		\
+	lib/hdb/Makefile		\
+	lib/kadm5/Makefile		\
+	lib/kafs/Makefile		\
+	lib/krb5/Makefile		\
+	lib/otp/Makefile		\
+	lib/roken/Makefile		\
+	lib/sl/Makefile			\
+	kuser/Makefile			\
+	kpasswd/Makefile		\
+	kadmin/Makefile			\
+	admin/Makefile			\
+	kdc/Makefile			\
+	appl/Makefile			\
+	appl/afsutil/Makefile		\
+	appl/ftp/Makefile		\
+	appl/ftp/common/Makefile	\
+	appl/ftp/ftp/Makefile		\
+	appl/ftp/ftpd/Makefile		\
+	appl/kauth/Makefile		\
+	appl/kx/Makefile		\
+	appl/login/Makefile		\
+	appl/otp/Makefile		\
+	appl/popper/Makefile		\
+	appl/push/Makefile		\
+	appl/rsh/Makefile		\
+	appl/su/Makefile		\
+	appl/xnlock/Makefile		\
+	appl/telnet/Makefile		\
+	appl/telnet/libtelnet/Makefile	\
+	appl/telnet/telnet/Makefile	\
+	appl/telnet/telnetd/Makefile	\
+	appl/test/Makefile		\
+	appl/kf/Makefile		\
+	doc/Makefile			\
+"}
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
+
+  # Remove last slash and all that follows it.  Not all systems have dirname.
+  ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+    # The file is in a subdirectory.
+    test ! -d "$ac_dir" && mkdir "$ac_dir"
+    ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
+    # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
+  else
+    ac_dir_suffix= ac_dots=
+  fi
+
+  case "$ac_given_srcdir" in
+  .)  srcdir=.
+      if test -z "$ac_dots"; then top_srcdir=.
+      else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
+  /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
+  *) # Relative path.
+    srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
+    top_srcdir="$ac_dots$ac_given_srcdir" ;;
+  esac
+
+  case "$ac_given_INSTALL" in
+  [/$]*) INSTALL="$ac_given_INSTALL" ;;
+  *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
+  esac
+
+  echo creating "$ac_file"
+  rm -f "$ac_file"
+  configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
+  case "$ac_file" in
+  *Makefile*) ac_comsub="1i\\
+# $configure_input" ;;
+  *) ac_comsub= ;;
+  esac
+
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  sed -e "$ac_comsub
+s%@configure_input@%$configure_input%g
+s%@srcdir@%$srcdir%g
+s%@top_srcdir@%$top_srcdir%g
+s%@INSTALL@%$INSTALL%g
+" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
+fi; done
+rm -f conftest.s*
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s%^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='\([ 	][ 	]*\)[^ 	]*%\1#\2'
+ac_dC='\3'
+ac_dD='%g'
+# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE".
+ac_uA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='\([ 	]\)%\1#\2define\3'
+ac_uC=' '
+ac_uD='\4%g'
+# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_eA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_eB='$%\1#\2define\3'
+ac_eC=' '
+ac_eD='%g'
+
+if test "${CONFIG_HEADERS+set}" != set; then
+EOF
+cat >> $CONFIG_STATUS <<EOF
+  CONFIG_HEADERS="include/config.h"
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+fi
+for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  echo creating $ac_file
+
+  rm -f conftest.frag conftest.in conftest.out
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  cat $ac_file_inputs > conftest.in
+
+EOF
+
+# Transform confdefs.h into a sed script conftest.vals that substitutes
+# the proper values into config.h.in to produce config.h.  And first:
+# Protect against being on the right side of a sed subst in config.status.
+# Protect against being in an unquoted here document in config.status.
+rm -f conftest.vals
+cat > conftest.hdr <<\EOF
+s/[\\&%]/\\&/g
+s%[\\$`]%\\&%g
+s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp
+s%ac_d%ac_u%gp
+s%ac_u%ac_e%gp
+EOF
+sed -n -f conftest.hdr confdefs.h > conftest.vals
+rm -f conftest.hdr
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >> conftest.vals <<\EOF
+s%^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
+EOF
+
+# Break up conftest.vals because some shells have a limit on
+# the size of here documents, and old seds have small limits too.
+
+rm -f conftest.tail
+while :
+do
+  ac_lines=`grep -c . conftest.vals`
+  # grep -c gives empty output for an empty file on some AIX systems.
+  if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi
+  # Write a limited-size here document to conftest.frag.
+  echo '  cat > conftest.frag <<CEOF' >> $CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS
+  echo 'CEOF
+  sed -f conftest.frag conftest.in > conftest.out
+  rm -f conftest.in
+  mv conftest.out conftest.in
+' >> $CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail
+  rm -f conftest.vals
+  mv conftest.tail conftest.vals
+done
+rm -f conftest.vals
+
+cat >> $CONFIG_STATUS <<\EOF
+  rm -f conftest.frag conftest.h
+  echo "/* $ac_file.  Generated automatically by configure.  */" > conftest.h
+  cat conftest.in >> conftest.h
+  rm -f conftest.in
+  if cmp -s $ac_file conftest.h 2>/dev/null; then
+    echo "$ac_file is unchanged"
+    rm -f conftest.h
+  else
+    # Remove last slash and all that follows it.  Not all systems have dirname.
+      ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+      # The file is in a subdirectory.
+      test ! -d "$ac_dir" && mkdir "$ac_dir"
+    fi
+    rm -f $ac_file
+    mv conftest.h $ac_file
+  fi
+fi; done
+
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+test -z "$CONFIG_HEADERS" || echo timestamp > include/stamp-h
+
+exit 0
+EOF
+chmod +x $CONFIG_STATUS
+rm -fr confdefs* $ac_clean_files
+test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
+
+
+HEIMDALVERSION="$PACKAGE-$VERSION"
+
+cat > include/newversion.h.in <<EOF
+char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *heimdal_version = "$HEIMDALVERSION";
+EOF
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
diff --git a/crypto/heimdal/configure.in b/crypto/heimdal/configure.in
new file mode 100644
index 0000000..844aa83
--- /dev/null
+++ b/crypto/heimdal/configure.in
@@ -0,0 +1,947 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_REVISION($Revision: 1.218 $)
+AC_INIT(lib/krb5/send_to_kdc.c)
+AM_CONFIG_HEADER(include/config.h)
+
+AM_INIT_AUTOMAKE(heimdal,0.2p)
+
+AC_PREFIX_DEFAULT(/usr/heimdal)
+
+AC_CANONICAL_HOST
+CANONICAL_HOST=$host
+AC_SUBST(CANONICAL_HOST)
+
+sunos=no
+case "$host" in 
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+	AC_DEFINE_UNQUOTED(SunOS, $sunos, 
+		[Define to what version of SunOS you are running.])
+fi
+
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+#test -z "$CFLAGS" && CFLAGS="-g"
+
+dnl Checks for programs.
+AC_PROG_CC
+
+AC_CYGWIN
+AC_OBJEXT
+AC_EXEEXT
+
+dnl AC_KRB_PROG_YACC
+AC_PROG_YACC
+AM_PROG_LEX
+AC_PROG_RANLIB
+AC_PROG_AWK
+AC_KRB_PROG_LN_S
+
+AC_MIPS_ABI
+CC="$CC $abi"
+libdir="$libdir$abilibdirext"
+
+AC_C___ATTRIBUTE__
+
+AM_DISABLE_SHARED
+AM_PROG_LIBTOOL
+
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+
+AC_TEST_PACKAGE_NEW(krb4,[#include <krb.h>],-lkrb,-ldes,/usr/athena)
+
+LIB_kdb=
+if test "$with_krb4" != "no"; then
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $INCLUDE_krb4"
+	save_LIBS="$LIBS"
+	LIBS="$LIB_krb4 -ldes $LIBS"
+	EXTRA_LIB45=lib45.a
+	AC_SUBST(EXTRA_LIB45)
+	AC_CACHE_CHECK(for four valued krb_put_int, ac_cv_func_krb_put_int_four,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		char tmp[4];
+		krb_put_int(17, tmp, 4, sizeof(tmp));],
+		ac_cv_func_krb_put_int_four=yes,
+		ac_cv_func_krb_put_int_four=no)
+	])
+	if test "$ac_cv_func_krb_put_int_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_KRB_PUT_INT, 1,
+			[define if krb_put_int takes four arguments.])
+	fi
+	AC_CACHE_CHECK(for KRB_VERIFY_SECURE, ac_cv_func_krb_verify_secure,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		int x = KRB_VERIFY_SECURE],
+		ac_cv_func_krb_verify_secure=yes,
+		ac_cv_func_krb_verify_secure=no)
+	])
+	if test "$ac_cv_func_krb_verify_secure" != yes; then
+		AC_DEFINE(KRB_VERIFY_SECURE, 1,
+			[Define to one if your krb.h doesn't])
+		AC_DEFINE(KRB_VERIFY_SECURE_FAIL, 2,
+			[Define to two if your krb.h doesn't])
+	fi
+	AC_CACHE_CHECK(for KRB_VERIFY_NOT_SECURE,
+		ac_cv_func_krb_verify_not_secure,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		int x = KRB_VERIFY_NOT_SECURE],
+		ac_cv_func_krb_verify_not_secure=yes,
+		ac_cv_func_krb_verify_not_secure=no)
+	])
+	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
+		AC_DEFINE(KRB_VERIFY_NOT_SECURE, 0,
+			[Define to zero if your krb.h doesn't])
+	fi
+	AC_FIND_FUNC(krb_enable_debug)
+	AC_FIND_FUNC(krb_disable_debug)
+	AC_FIND_FUNC(krb_get_our_ip_for_realm)
+	LIBS="$save_LIBS"
+	CFLAGS="$save_CFLAGS"
+	LIB_kdb="-lkdb -lkrb"
+	if test "$krb4_libdir"; then
+		LIB_krb4="-rpath $krb4_libdir $LIB_krb4"
+		LIB_kdb="-rpath $krb4_libdir -L$krb4_libdir $LIB_kdb"
+	fi
+fi
+AM_CONDITIONAL(KRB4, test "$with_krb4" != "no")
+AM_CONDITIONAL(KRB5, true)
+AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl
+AC_SUBST(LIB_kdb)dnl
+AM_CONDITIONAL(AIX, test "$aix" != no)dnl
+AM_CONDITIONAL(AIX4, test "$aix" = 4)
+aix_dynamic_afs=yes
+AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
+
+AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
+AC_SUBST(AFS_EXTRA_LD)dnl
+AC_SUBST(AIX_EXTRA_KAFS)dnl
+
+AC_ARG_ENABLE(kaserver,
+[  --enable-kaserver	  if you want the KDC to try to emulate a kaserver])
+if test "$enable_kaserver" = yes; then
+	AC_DEFINE(KASERVER, 1,
+		[Define if you want to use the KDC as a kaserver.])
+	if test "$with_krb4" = "no"; then
+		AC_MSG_ERROR(kaserver requires krb4)
+		exit 1
+	fi
+fi
+
+AC_ARG_ENABLE(kaserver-db,
+[  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop])
+if test "$enable_kaserver_db" = yes; then
+	AC_DEFINE(KASERVER_DB, 1,
+		[Define if you want support in hprop for reading kaserver databases])
+	if test "$with_krb4" = "no"; then
+		AC_MSG_ERROR(kaserver-db requires krb4)
+		exit 1
+	fi
+fi
+
+otp=yes
+AC_ARG_ENABLE(otp,
+[  --disable-otp          if you don't want OTP support],
+[
+if test "$enableval" = "no"; then
+	otp=no
+fi
+])
+if test "$otp" = "yes"; then
+	AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
+	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
+fi
+AC_SUBST(LIB_otp)
+AM_CONDITIONAL(OTP, test "$otp" = yes)dnl
+
+AC_CHECK_OSFC2
+
+AC_CHECK_MAN
+
+AC_TEST_PACKAGE_NEW(readline,
+[#include <stdio.h>
+ #include <readline.h>],-lreadline)
+
+AC_TEST_PACKAGE_NEW(hesiod,[#include <hesiod.h>],-lhesiod)
+
+KRB_C_BIGENDIAN
+AC_C_INLINE
+
+KRB_CHECK_X
+
+if test "$no_x" = "yes" ; then
+	MAKE_X_PROGS_BIN_PROGS=""
+	MAKE_X_PROGS_BIN_SCRPTS=""
+	MAKE_X_PROGS_LIBEXEC_PROGS=""
+else
+	MAKE_X_PROGS_BIN_PROGS='$(X_PROGS_BIN_PROGS)'
+	MAKE_X_PROGS_BIN_SCRPTS='$(X_PROGS_BIN_SCRPTS)'
+	MAKE_X_PROGS_LIBEXEC_PROGS='$(X_PROGS_LIBEXEC_PROGS)'
+fi
+AC_SUBST(MAKE_X_PROGS_BIN_PROGS)dnl
+AC_SUBST(MAKE_X_PROGS_BIN_SCRPTS)dnl
+AC_SUBST(MAKE_X_PROGS_LIBEXEC_PROGS)dnl
+
+AC_CHECK_XAU
+
+dnl AM_C_PROTOTYPES
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_OFF_T
+AC_TYPE_SIZE_T
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_TYPE_PID_T
+AC_TYPE_UID_T
+AC_CHECK_TYPE_EXTRA(mode_t, unsigned short, [])
+AC_CHECK_TYPE_EXTRA(sig_atomic_t, int, [#include <signal.h>])
+AC_HAVE_TYPE([long long])
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+dnl Checks for header files.
+AC_HEADER_STDC
+
+if test "$berkeley_db"; then
+  AC_CHECK_HEADERS([				\
+	db.h					\
+	db_185.h				\
+  ])
+fi
+
+AC_CHECK_HEADERS([\
+	arpa/ftp.h				\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bind/bitypes.h				\
+	bsdsetjmp.h				\
+	crypt.h					\
+	curses.h				\
+	dbm.h					\
+	dirent.h				\
+	dlfcn.h					\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	limits.h				\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in6_var.h			\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinfo/ni.h				\
+	paths.h					\
+	pthread.h				\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	sgtty.h					\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termio.h				\
+	termios.h				\
+	time.h					\
+	tmpdir.h				\
+	udb.h					\
+	unistd.h				\
+	util.h					\
+	utmp.h					\
+	utmpx.h					\
+])
+
+CHECK_NETINET_IP_AND_TCP
+
+
+AC_ARG_ENABLE(netinfo,
+[  --enable-netinfo      enable netinfo for configuration lookup])
+
+if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
+       AC_DEFINE(HAVE_NETINFO, 1,
+               [Define if you want to use Netinfo instead of krb5.conf.])
+fi
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+
+AC_KRB_IPV6
+
+dnl Checks for libraries.
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+
+AC_FIND_FUNC_NO_LIBS(logwtmp, util)
+AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+dnl Checks for library functions.
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_BROKEN_GLOB
+
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
+
+dnl these should happen after tests for *snprintf
+
+AC_FIND_FUNC_NO_LIBS(dbopen, $berkeley_db)
+AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+AC_SUBST(DBLIB)dnl
+
+AC_CHECK_FUNCS(_getpty _scrsize asnprintf asprintf cgetent fcntl)
+AC_CHECK_FUNCS(getmsg getrlimit getspnam gettimeofday getuid)
+AC_CHECK_FUNCS(grantpt mktime ptsname rand random setproctitle)
+AC_CHECK_FUNCS(revoke select setitimer setpcred setpgid)
+AC_CHECK_FUNCS(setregid setresgid setresuid setreuid setutent)
+AC_CHECK_FUNCS(setsid sigaction strstr)
+AC_CHECK_FUNCS(sysconf sysctl timegm ttyname ttyslot umask uname)
+AC_CHECK_FUNCS(unlockpt vasnprintf vasprintf vhangup)
+AC_CHECK_FUNCS(yp_get_default_domain)
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+AC_FUNC_GETLOGIN
+
+KRB_CAPABILITIES
+
+AC_CHECK_GETPWNAM_R_POSIX
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+dnl Cray stuff
+AC_CHECK_FUNCS(getudbnam setlim)
+
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
+fi
+AC_SUBST(VOID_RETSIGTYPE)
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
+fi
+
+dnl sigh, wish this could be done in a loop
+if test "$ac_cv_func_asprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asprintf)dnl
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasprintf)dnl
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asnprintf)dnl
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasnprintf)dnl
+fi
+
+AC_BROKEN(chown copyhostent daemon err errx fchown flock fnmatch)
+AC_BROKEN(freeaddrinfo freehostent gai_strerror getaddrinfo)
+AC_BROKEN(getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname)
+AC_BROKEN(geteuid getgid getegid)
+AC_BROKEN(getnameinfo getopt getusershell)
+AC_BROKEN(inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat)
+AC_BROKEN(memmove)
+AC_BROKEN(mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid)
+AC_BROKEN(strcasecmp strncasecmp strdup strerror strftime)
+AC_BROKEN(strlcat strlcpy strlwr)
+AC_BROKEN(strndup strnlen strptime strsep strtok_r strupr)
+AC_BROKEN(swab unsetenv verr verrx vsyslog)
+AC_BROKEN(vwarn vwarnx warn warnx writev)
+
+AC_NEED_PROTO([#include <stdlib.h>], setenv)
+AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
+AC_NEED_PROTO([#include <unistd.h>], gethostname)
+AC_NEED_PROTO([#include <unistd.h>], mkstemp)
+AC_NEED_PROTO([#include <unistd.h>], getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+dnl
+dnl libroken references crypt and dbopen
+dnl
+
+LIB_roken='$(top_builddir)/lib/roken/libroken.la $(LIB_crypt) $(LIB_dbopen)'
+AC_SUBST(LIB_roken)dnl
+
+AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
+fi
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Checks for prototypes and declarations
+dnl
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+AC_CHECK_VAR([#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_errno)
+
+AC_CHECK_VAR([#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_errlist)
+
+AC_CHECK_VAR([#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_nerr)
+
+AC_CHECK_VAR([#ifdef HAVE_ERR_H
+#include <err.h>
+#endif],[__progname])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+
+dnl
+dnl Check for fields in struct utmp
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_addr, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_host, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_id, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_pid, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_type, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_user, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_exit, [#include <utmpx.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_syslen, [#include <utmpx.h>])
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+AC_CHECK_VAR(
+[#include <time.h>],
+timezone)
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for struct spwd
+dnl
+
+AC_KRB_STRUCT_SPWD
+
+dnl
+dnl Check for sa_len in struct sockaddr
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+
+AC_GROK_TYPES(int8_t int16_t int32_t int64_t)
+AC_GROK_TYPES(u_int8_t u_int16_t u_int32_t u_int64_t)
+
+dnl
+dnl crypto functions tests
+dnl
+
+AC_FIND_FUNC_NO_LIBS(MD4Init, crypto)
+AC_FIND_FUNC_NO_LIBS(MD4_Init, crypto)
+AC_FIND_FUNC_NO_LIBS(MD5Init, crypto)
+AC_FIND_FUNC_NO_LIBS(MD5_Init, crypto)
+AC_FIND_FUNC_NO_LIBS(SHA1Init, crypto)
+AC_FIND_FUNC_NO_LIBS(SHA1_Init, crypto)
+AC_FIND_FUNC_NO_LIBS(des_cbc_encrypt, crypto des)
+
+dnl
+dnl Tests for editline
+dnl
+
+dnl el_init
+
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.a $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.a'
+fi
+AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, 
+	[Define if you have a readline compatible library.])dnl
+
+dnl telnet muck --------------------------------------------------
+
+AC_DEFINE(AUTHENTICATION, 1, 
+	[Define if you want authentication support in telnet.])dnl
+AC_DEFINE(ENCRYPTION, 1,
+	[Define if you want encryption support in telnet.])dnl
+AC_DEFINE(DES_ENCRYPTION, 1,
+	[Define if you want to use DES encryption in telnet.])dnl
+AC_DEFINE(DIAGNOSTICS, 1,
+	[Define this to enable diagnostics in telnet.])dnl
+AC_DEFINE(OLD_ENVIRON, 1,
+	[Define this to enable old environment option in telnet.])dnl
+if false; then
+AC_DEFINE(ENV_HACK, 1,
+	[Define this if you want support for broken ENV_{VAR,VAL} telnets.])
+fi
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+AC_MSG_CHECKING(for streamspty)
+case "$host" in
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux10*)
+	krb_cv_sys_streamspty=no
+	;;
+*)
+	krb_cv_sys_streamspty="$ac_cv_func_getmsg"
+	;;
+esac
+if test "$krb_cv_sys_streamspty" = yes; then
+	AC_DEFINE(STREAMSPTY, 1, [Define if you have streams ptys.])
+fi
+dnl AC_SUBST(STREAMSPTY)
+AC_MSG_RESULT($krb_cv_sys_streamspty)
+
+AC_AUTH_MODULES
+
+dnl This is done by AC_OUTPUT but we need the result here.
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	AC_DEFINE_UNQUOTED($foo,"$x")
+done
+
+if false; then
+	# hack to shut up automake
+	LIBOBJS="$LIBOBJS make-print-version.o"
+fi
+LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
+AC_SUBST(LTLIBOBJS)
+AC_OUTPUT(Makefile 			\
+	include/Makefile		\
+	include/kadm5/Makefile		\
+	lib/Makefile			\
+	lib/45/Makefile			\
+	lib/auth/Makefile		\
+	lib/auth/afskauthlib/Makefile	\
+	lib/auth/pam/Makefile		\
+	lib/auth/sia/Makefile		\
+	lib/asn1/Makefile		\
+	lib/com_err/Makefile		\
+	lib/des/Makefile		\
+	lib/editline/Makefile		\
+	lib/gssapi/Makefile		\
+	lib/hdb/Makefile		\
+	lib/kadm5/Makefile		\
+	lib/kafs/Makefile		\
+	lib/krb5/Makefile		\
+	lib/otp/Makefile		\
+	lib/roken/Makefile		\
+	lib/sl/Makefile			\
+	kuser/Makefile			\
+	kpasswd/Makefile		\
+	kadmin/Makefile			\
+	admin/Makefile			\
+	kdc/Makefile			\
+	appl/Makefile			\
+	appl/afsutil/Makefile		\
+	appl/ftp/Makefile		\
+	appl/ftp/common/Makefile	\
+	appl/ftp/ftp/Makefile		\
+	appl/ftp/ftpd/Makefile		\
+	appl/kauth/Makefile		\
+	appl/kx/Makefile		\
+	appl/login/Makefile		\
+	appl/otp/Makefile		\
+	appl/popper/Makefile		\
+	appl/push/Makefile		\
+	appl/rsh/Makefile		\
+	appl/su/Makefile		\
+	appl/xnlock/Makefile		\
+	appl/telnet/Makefile		\
+	appl/telnet/libtelnet/Makefile	\
+	appl/telnet/telnet/Makefile	\
+	appl/telnet/telnetd/Makefile	\
+	appl/test/Makefile		\
+	appl/kf/Makefile		\
+	doc/Makefile			\
+)
+
+dnl
+dnl This is the release version name-number[beta]
+dnl
+HEIMDALVERSION="$PACKAGE-$VERSION"
+
+cat > include/newversion.h.in <<EOF
+char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *heimdal_version = "$HEIMDALVERSION";
+EOF
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
diff --git a/crypto/heimdal/doc/Makefile.am b/crypto/heimdal/doc/Makefile.am
new file mode 100644
index 0000000..734bf62
--- /dev/null
+++ b/crypto/heimdal/doc/Makefile.am
@@ -0,0 +1,8 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+AUTOMAKE_OPTIONS += no-texinfo.tex
+
+info_TEXINFOS = heimdal.texi
+heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
new file mode 100644
index 0000000..710abb8
--- /dev/null
+++ b/crypto/heimdal/doc/Makefile.in
@@ -0,0 +1,620 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies no-texinfo.tex
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+info_TEXINFOS = heimdal.texi
+heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+TEXI2DVI = texi2dvi
+INFO_DEPS = heimdal.info
+DVIS = heimdal.dvi
+TEXINFOS = heimdal.texi
+DIST_COMMON =  $(heimdal_TEXINFOS) Makefile.am Makefile.in mdate-sh
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .dvi .et .h .info .ps .texi .texinfo .txi .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+heimdal.info: heimdal.texi $(heimdal_TEXINFOS)
+heimdal.dvi: heimdal.texi $(heimdal_TEXINFOS)
+
+
+DVIPS = dvips
+
+.texi.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texi.dvi:
+	TEXINPUTS=.:$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.texi:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo.dvi:
+	TEXINPUTS=.:$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.txi.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.txi.dvi:
+	TEXINPUTS=.:$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.txi:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+.dvi.ps:
+	$(DVIPS) $< -o $@
+
+install-info-am: $(INFO_DEPS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(infodir)
+	@list='$(INFO_DEPS)'; \
+	for file in $$list; do \
+	  d=$(srcdir); \
+	  for ifile in `cd $$d && echo $$file $$file-[0-9] $$file-[0-9][0-9]`; do \
+	    if test -f $$d/$$ifile; then \
+	      echo " $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile"; \
+	      $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile; \
+	    else : ; fi; \
+	  done; \
+	done
+	@$(POST_INSTALL)
+	@if $(SHELL) -c 'install-info --version | sed 1q | fgrep -s -v -i debian' >/dev/null 2>&1; then \
+	  list='$(INFO_DEPS)'; \
+	  for file in $$list; do \
+	    echo " install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file";\
+	    install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file || :;\
+	  done; \
+	else : ; fi
+
+uninstall-info:
+	$(PRE_UNINSTALL)
+	@if $(SHELL) -c 'install-info --version | sed 1q | fgrep -s -v -i debian' >/dev/null 2>&1; then \
+	  ii=yes; \
+	else ii=; fi; \
+	list='$(INFO_DEPS)'; \
+	for file in $$list; do \
+	  test -z "$ii" \
+	    || install-info --info-dir=$(DESTDIR)$(infodir) --remove $$file; \
+	done
+	@$(NORMAL_UNINSTALL)
+	list='$(INFO_DEPS)'; \
+	for file in $$list; do \
+	  (cd $(DESTDIR)$(infodir) && rm -f $$file $$file-[0-9] $$file-[0-9][0-9]); \
+	done
+
+dist-info: $(INFO_DEPS)
+	list='$(INFO_DEPS)'; \
+	for base in $$list; do \
+	  d=$(srcdir); \
+	  for file in `cd $$d && eval echo $$base*`; do \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file; \
+	  done; \
+	done
+
+mostlyclean-aminfo:
+	-rm -f heimdal.aux heimdal.cp heimdal.cps heimdal.dvi heimdal.fn \
+	  heimdal.fns heimdal.ky heimdal.kys heimdal.ps heimdal.log \
+	  heimdal.pg heimdal.toc heimdal.tp heimdal.tps heimdal.vr \
+	  heimdal.vrs heimdal.op heimdal.tr heimdal.cv heimdal.cn
+
+clean-aminfo:
+
+distclean-aminfo:
+
+maintainer-clean-aminfo:
+	cd $(srcdir) && for i in $(INFO_DEPS); do \
+	  rm -f $$i; \
+	  if test "`echo $$i-[0-9]*`" != "$$i-[0-9]*"; then \
+	    rm -f $$i-[0-9]*; \
+	  fi; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = doc
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-info
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am: $(INFO_DEPS)
+info: info-am
+dvi-am: $(DVIS)
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-info-am install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-info
+uninstall: uninstall-am
+all-am: Makefile $(INFO_DEPS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(infodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-aminfo mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-aminfo clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-aminfo distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-aminfo maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: install-info-am uninstall-info mostlyclean-aminfo \
+distclean-aminfo clean-aminfo maintainer-clean-aminfo tags distdir \
+info-am info dvi-am dvi check-local check check-am installcheck-am \
+installcheck install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
new file mode 100644
index 0000000..1594194
--- /dev/null
+++ b/crypto/heimdal/doc/ack.texi
@@ -0,0 +1,57 @@
+@node  Acknowledgments, , Windows 2000 compatability, Top
+@comment  node-name,  next,  previous,  up
+@appendix Acknowledgments
+
+Eric Young wrote ``libdes''.
+
+The University of California at Berkeley initially wrote @code{telnet},
+and @code{telnetd}.  The authentication and encryption code of
+@code{telnet} and @code{telnetd} was added by David Borman (then of Cray
+Research, Inc).  The encryption code was removed when this was exported
+and then added back by Juha Eskelinen, @email{esc@@magic.fi}.
+
+The @code{popper} was also a Berkeley program initially.
+
+Some of the functions in @file{libroken} also come from Berkeley by way
+of NetBSD/FreeBSD.
+
+@code{editline} was written by Simmule Turner and Rich Salz.
+
+Bugfixes, documentation, encouragement, and code has been contributed by:
+@table @asis
+@item Derrick J Brashear
+@email{shadow@@dementia.org}
+@item Ken Hornstein
+@email{kenh@@cmf.nrl.navy.mil}
+@item Johan Ihrén
+@email{johani@@pdc.kth.se}
+@item Love Hörnquist-Åstrand
+@email{e96_lho@@e.kth.se}
+@item Magnus Ahltorp
+@email{map@@stacken.kth.se}
+@item Mark Eichin
+@email{eichin@@cygnus.com}
+@item Marc Horowitz
+@email{marc@@cygnus.com}
+@item Luke Howard
+@email{lukeh@@xedoc.com.au}
+@item Brandon S. Allbery KF8NH
+@email{allbery@@kf8nh.apk.net}
+@item Jun-ichiro itojun Hagino
+@email{itojun@@kame.net}
+@item Daniel Kouril
+@email{kouril@@informatics.muni.cz}
+@item Åke Sandgren 
+@email{ake@@cs.umu.se}
+@item Michal Vocu
+@email{michal@@karlin.mff.cuni.cz}
+@item Miroslav Ruda
+@email{ruda@@ics.muni.cz}
+@item Brian A May
+@email{bmay@@snoopy.apana.org.au}
+@item Chaskiel M Grundman
+@email{cg2v@@andrew.cmu.edu}
+@item and we hope that those not mentioned here will forgive us.
+@end table
+
+All bugs were introduced by ourselves.
diff --git a/crypto/heimdal/doc/heimdal.texi b/crypto/heimdal/doc/heimdal.texi
new file mode 100644
index 0000000..4cf1b3f
--- /dev/null
+++ b/crypto/heimdal/doc/heimdal.texi
@@ -0,0 +1,246 @@
+\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@c $Id: heimdal.texi,v 1.14 2000/01/02 04:09:00 assar Exp $
+@setfilename heimdal.info
+@settitle HEIMDAL
+@iftex
+@afourpaper
+@end iftex
+@c some sensible characters, please?
+@tex
+\input latin1.tex
+@end tex
+@setchapternewpage on
+@syncodeindex pg cp
+@c %**end of header
+
+@c not yet @include version.texi
+@set UPDATED $Date: 2000/01/02 04:09:00 $
+@set EDITION 0.0
+@set VERSION 0.2k
+
+@ifinfo
+@dircategory Heimdal
+@direntry
+* Heimdal: (heimdal).           The Kerberos 5 distribution from KTH
+@end direntry
+@end ifinfo
+
+@c title page
+@titlepage
+@title Heimdal
+@subtitle Kerberos 5 from KTH
+@subtitle Edition @value{EDITION}, for version @value{VERSION}
+@subtitle 1999
+@author Johan Danielsson
+@author Assar Westerlund
+@author last updated @value{UPDATED}
+
+@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
+@def@copyrightstart{}
+@def@copyrightend{}
+@page
+@copyrightstart
+Copyright (c) 1997-2000 Kungliga Tekniska Högskolan 
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1995-1997 Eric Young (eay@@mincom.oz.au)
+All rights reserved.
+
+This package is an DES implementation written by Eric Young (eay@@mincom.oz.au).
+The implementation was written so as to conform with MIT's libdes.
+
+This library is free for commercial and non-commercial use as long as
+the following conditions are aheared to.  The following conditions
+apply to all code found in this distribution.
+
+Copyright remains Eric Young's, and as such any Copyright notices in
+the code are not to be removed.
+If this package is used in a product, Eric Young should be given attribution
+as the author of that the SSL library.  This can be in the form of a textual
+message at program startup or in documentation (online or textual) provided
+with the package.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@@mincom.oz.au)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America may
+require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+@copynext
+
+Copyright (c) 1988, 1990, 1993
+     The Regents of the University of California.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+     This product includes software developed by the University of
+     California, Berkeley and its contributors.
+
+4. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+
+This software is not subject to any license of the American Telephone 
+and Telegraph Company or of the Regents of the University of California. 
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+@copyrightend
+@end titlepage
+
+@c Less filling! Tastes great!
+@iftex
+@parindent=0pt
+@global@parskip 6pt plus 1pt
+@global@chapheadingskip = 15pt plus 4pt minus 2pt 
+@global@secheadingskip = 12pt plus 3pt minus 2pt
+@global@subsecheadingskip = 9pt plus 2pt minus 2pt
+@end iftex
+@ifinfo
+@paragraphindent 0
+@end ifinfo
+
+@ifinfo
+@node Top, Introduction, (dir), (dir)
+@top Heimdal
+@end ifinfo
+
+@menu
+* Introduction::                
+* What is Kerberos?::           
+* Building and Installing::     
+* Setting up a realm::          
+* Things in search for a better place::  
+* Kerberos 4 issues::           
+* Windows 2000 compatability::
+* Acknowledgments::             
+
+@end menu
+
+@include intro.texi
+@include whatis.texi
+@include install.texi
+@include setup.texi
+@include misc.texi
+@include kerberos4.texi
+@include win2k.texi
+@include ack.texi
+
+@c @shortcontents
+@contents
+
+@bye
diff --git a/crypto/heimdal/doc/init-creds b/crypto/heimdal/doc/init-creds
new file mode 100644
index 0000000..13667e0
--- /dev/null
+++ b/crypto/heimdal/doc/init-creds
@@ -0,0 +1,374 @@
+Currently, getting an initial ticket for a user involves many function
+calls, especially when a full set of features including password
+expiration and challenge preauthentication is desired.  In order to
+solve this problem, a new api is proposed.
+
+typedef struct _krb5_prompt {
+    char *prompt;
+    int hidden;
+    krb5_data *reply;
+} krb5_prompt;
+
+typedef int (*krb5_prompter_fct)(krb5_context context,
+				 void *data,
+				 const char *banner,
+				 int num_prompts,
+				 krb5_prompt prompts[]);
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    int forwardable;
+    int proxiable;
+    krb5_enctype *etype_list;
+    int etype_list_length;
+    krb5_address **address_list;
+	/* XXX the next three should not be used, as they may be
+	removed later */
+    krb5_preauthtype *preauth_list;
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
+#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE	0x0002
+#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE	0x0004
+#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE	0x0008
+#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST	0x0010
+#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
+#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
+#define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
+
+void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
+
+void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
+					  krb5_deltat tkt_life);
+void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
+					    krb5_deltat renew_life);
+void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
+					     int forwardable);
+void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
+					   int proxiable);
+void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
+					    krb5_enctype *etype_list,
+					    int etype_list_length);
+void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					      krb5_address **addresses);
+void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					      krb5_preauthtype *preauth_list,
+					      int preauth_list_length);
+void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				      krb5_data *salt);
+
+krb5_error_code
+krb5_get_init_creds_password(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     char *password,
+			     krb5_prompter_fct prompter,
+			     void *data,
+			     krb5_deltat start_time,
+			     char *in_tkt_service,
+			     krb5_get_init_creds_opt *options);
+
+This function will attempt to acquire an initial ticket.  The function
+will perform whatever tasks are necessary to do so.  This may include
+changing an expired password, preauthentication.
+
+The arguments divide into two types.  Some arguments are basically
+invariant and arbitrary across all initial tickets, and if not
+specified are determined by configuration or library defaults.  Some
+arguments are different for each execution or application, and if not
+specified can be determined correctly from system configuration or
+environment.  The former arguments are contained in a structure whose
+pointer is passed to the function.  A bitmask specifies which elements
+of the structure should be used.  In most cases, a NULL pointer can be
+used.  The latter arguments are specified as individual arguments to
+the function.
+
+If a pointer to a credential is specified, the initial credential is
+filled in.  If the caller only wishes to do a simple password check
+and will not be doing any other kerberos functions, then a NULL
+pointer may be specified, and the credential will be destroyed.
+
+If the client name is non-NULL, the initial ticket requested will be
+for that principal.  Otherwise, the principal will be the the username
+specified by the USER environment variable, or if the USER environment
+variable is not set, the username corresponding to the real user id of
+the caller.
+
+If the password is non-NULL, then this string is used as the password.
+Otherwise, the prompter function will be used to prompt the user for
+the password.
+
+If a prompter function is non-NULL, it will be used if additional user
+input is required, such as if the user's password has expired and
+needs to be changed, or if input preauthentication is necessary.  If
+no function is specified and input is required, then the login will
+fail.
+
+	The context argument is the same as that passed to krb5_login.
+	The data argument is passed unmodified to the prompter
+	function and is intended to be used to pass application data
+	(such as a display handle) to the prompter function.
+
+	The banner argument, if non-NULL, will indicate what sort of
+	input is expected from the user (for example, "Password has
+	expired and must be changed" or "Enter Activcard response for
+	challenge 012345678"), and should be displayed accordingly.
+	
+	The num_prompts argument indicates the number of values which
+	should be prompted for.  If num_prompts == 0, then the banner
+	contains an informational message which should be displayed to
+	the user.
+
+	The prompts argument contains an array describing the values
+	for which the user should be prompted.  The prompt member
+	indicates the prompt for each value ("Enter new
+	password"/"Enter it again", or "Challenge response").  The
+	hidden member is nonzero if the response should not be
+	displayed back to the user.  The reply member is a pointer to
+	krb5_data structure which has already been allocated.  The
+	prompter should fill in the structure with the NUL-terminated
+	response from the user.
+
+	If the response data does not fit, or if any other error
+	occurs, then the prompter function should return a non-zero
+	value which will be returned by the krb5_get_init_creds
+	function. Otherwise, zero should be returned.
+
+	The library function krb5_prompter_posix() implements
+	a prompter using a posix terminal for user in.  This function
+	does not use the data argument.
+
+If the start_time is zero, then the requested ticket will be valid
+beginning immediately.  Otherwise, the start_time indicates how far in
+the future the ticket should be postdated.
+
+If the in_tkt_service name is non-NULL, that principal name will be
+used as the server name for the initial ticket request.  The realm of
+the name specified will be ignored and will be set to the realm of the
+client name.  If no in_tkt_service name is specified,
+krbtgt/CLIENT-REALM@CLIENT-REALM will be used.
+
+For the rest of arguments, a configuration or library default will be
+used if no value is specified in the options structure.
+
+If a tkt_life is specified, that will be the lifetime of the ticket.
+The library default is 10 hours; there is no configuration variable
+(there should be, but it's not there now).
+
+If a renew_life is specified and non-zero, then the RENEWABLE option
+on the ticket will be set, and the value of the argument will be the
+the renewable lifetime.  The configuration variable [libdefaults]
+"renew_lifetime" is the renewable lifetime if none is passed in.  The
+library default is not to set the RENEWABLE option.
+
+If forwardable is specified, the FORWARDABLE option on the ticket will
+be set if and only if forwardable is non-zero.  The configuration
+variable [libdefaults] "forwardable" is used if no value is passed in.
+The option will be set if and only if the variable is "y", "yes",
+"true", "t", "1", or "on", case insensitive.  The library default is
+not to set the FORWARDABLE option.
+
+If proxiable is specified, the PROXIABLE option on the ticket will be
+set if and only if proxiable is non-zero.  The configuration variable
+[libdefaults] "proxiable" is used if no value is passed in.  The
+option will be set if and only if the variable is "y", "yes", "true",
+"t", "1", or "on", case insensitive.  The library default is not to
+set the PROXIABLE option.
+
+If etype_list is specified, it will be used as the list of desired
+encryption algorithms in the request.  The configuration variable
+[libdefaults] "default_tkt_enctypes" is used if no value is passed in.
+The library default is "des-cbc-md5 des-cbc-crc".
+
+If address_list is specified, it will be used as the list of addresses
+for which the ticket will be valid.  The library default is to use all
+local non-loopback addresses.  There is no configuration variable.
+
+If preauth_list is specified, it names preauth data types which will
+be included in the request.  The library default is to interact with
+the kdc to determine the required preauth types.  There is no
+configuration variable.
+
+If salt is specified, it specifies the salt which will be used when
+converting the password to a key.  The library default is to interact
+with the kdc to determine the correct salt.  There is no configuration
+variable.
+
+================================================================
+
+typedef struct _krb5_verify_init_creds_opt {
+    krb5_flags flags;
+    int ap_req_nofail;
+} krb5_verify_init_creds_opt;
+
+#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL	0x0001
+
+void krb5_verify_init_creds_opt_init(krb5_init_creds_opt *options);
+void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_init_creds_opt *options,
+						  int ap_req_nofail);
+
+krb5_error_code
+krb5_verify_init_creds(krb5_context context,
+		       krb5_creds *creds,
+		       krb5_principal ap_req_server,
+		       krb5_keytab ap_req_keytab,
+		       krb5_ccache *ccache,
+		       krb5_verify_init_creds_opt *options);
+
+This function will use the initial ticket in creds to make an AP_REQ
+and verify it to insure that the AS_REP has not been spoofed.
+
+If the ap_req_server name is non-NULL, then this service name will be
+used for the AP_REQ; otherwise, the default host key
+(host/hostname.domain@LOCAL-REALM) will be used.
+
+If ap_req_keytab is non-NULL, the service key for the verification
+will be read from that keytab; otherwise, the service key will be read
+from the default keytab. 
+
+If the service of the ticket in creds is the same as the service name
+for the AP_REQ, then this ticket will be used directly.  If the ticket
+is a tgt, then it will be used to obtain credentials for the service.
+Otherwise, the verification will fail, and return an error.
+
+Other failures of the AP_REQ verification may or may not be considered
+errors, as described below.
+
+If a pointer to a credential cache handle is specified, and the handle
+is NULL, a credential cache handle referring to all credentials
+obtained in the course of verifying the user will be returned.  In
+order to avoid potential setuid race conditions and other problems
+related to file system access, this handle will refer to a memory
+credential cache.  If the handle is non-NULL, then the credentials
+will be added to the existing ccache.  If the caller only wishes to
+verify the password and will not be doing any other kerberos
+functions, then a NULL pointer may be specified, and the credentials
+will be deleted before the function returns.
+
+If ap_req_nofail is specified, then failures of the AP_REQ
+verification are considered errors if and only if ap_req_nofail is
+non-zero.
+
+Whether or not AP_REQ validation is performed and what failures mean
+depends on these inputs:
+
+ A) The appropriate keytab exists and contains the named key.
+
+ B) An AP_REQ request to the kdc succeeds, and the resulting AP_REQ
+can be decrypted and verified.
+
+ C) The administrator has specified in a configuration file that
+AP_REQ validation must succeed.  This is basically a paranoid bit, and
+can be overridden by the application based on a command line flag or
+other application-specific info.  This flag is especially useful if
+the admin is concerned that DNS might be spoofed while determining the
+host/FQDN name.  The configuration variable [libdefaults]
+"verify_ap_req_nofail" is used if no value is passed in.  The library
+default is not to set this option.
+
+Initial ticket verification will succeed if and only if:
+
+ - A && B    or
+ - !A && !C
+
+================================================================
+
+For illustrative purposes, here's the invocations I expect some
+programs will use.  Of course, error checking needs to be added.
+
+kinit:
+
+    /* Fill in client from the command line || existing ccache, and,
+       start_time, and options.{tkt_life,renew_life,forwardable,proxiable}
+       from the command line.  Some or all may remain unset. */
+
+    krb5_get_init_creds(context, &creds, client,
+			krb5_initial_prompter_posix, NULL,
+			start_time, NULL, &options);
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_free_cred_contents(context, &creds);
+
+login:
+
+    krb5_get_init_creds(context, &creds, client,
+			krb5_initial_prompter_posix, NULL,
+			0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    /* setuid */
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_cc_copy(context, vcc, ccache);
+    krb5_free_cred_contents(context, &creds);
+    krb5_cc_destroy(context, vcc);
+
+xdm:
+
+    krb5_get_initial_creds(context, &creds, client,
+			   krb5_initial_prompter_xt, (void *) &xtstuff,
+			   0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    /* setuid */
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_free_cred_contents(context, &creds);
+    krb5_cc_copy(context, vcc, ccache);
+    krb5_cc_destroy(context, vcc);
+
+passwd:
+
+    krb5_init_creds_opt_init(&options);
+    krb5_init_creds_opt_set_tkt_life = 300;
+    krb5_get_initial_creds(context, &creds, client,
+			   krb5_initial_prompter_posix, NULL,
+			   0, "kadmin/changepw", &options);
+    /* change password */
+    krb5_free_cred_contents(context, &creds);
+
+pop3d (simple password validator when no user interation possible):
+
+    krb5_get_initial_creds(context, &creds, client,
+			   NULL, NULL, 0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    krb5_cc_destroy(context, vcc);
+
+================================================================
+
+password expiration has a subtlety.  When a password expires and is
+changed, there is a delay between when the master gets the new key
+(immediately), and the slaves (propogation interval).  So, when
+getting an in_tkt, if the password is expired, the request should be
+reissued to the master (this kind of sucks if you have SAM, oh well).
+If this says expired, too, then the password should be changed, and
+then the initial ticket request should be issued to the master again.
+If the master times out, then a message that the password has expired
+and cannot be changed due to the master being unreachable should be
+displayed.
+
+================================================================
+
+get_init_creds reads config stuff from:
+
+[libdefaults]
+	varname1 = defvalue
+	REALM = {
+		varname1 = value
+		varname2 = value
+	}
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;	/* varname = "ticket_lifetime" */
+    krb5_deltat renew_life;	/* varname = "renew_lifetime" */
+    int forwardable;		/* varname = "forwardable" */
+    int proxiable;		/* varname = "proxiable" */
+    krb5_enctype *etype_list;	/* varname = "default_tkt_enctypes" */
+    int etype_list_length;
+    krb5_address **address_list; /* no varname */
+    krb5_preauthtype *preauth_list; /* no varname */
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+
diff --git a/crypto/heimdal/doc/install.texi b/crypto/heimdal/doc/install.texi
new file mode 100644
index 0000000..5d195a6
--- /dev/null
+++ b/crypto/heimdal/doc/install.texi
@@ -0,0 +1,86 @@
+@node Building and Installing, Setting up a realm, What is Kerberos?, Top
+@comment  node-name,  next,  previous,  up
+@chapter Building and Installing
+
+Heimdal uses GNU Autoconf to configure for specific hosts, and GNU
+Automake to manage makefiles. If this is new to you, the short
+instruction is to run the @code{configure} script in the top level
+directory, and when that finishes @code{make}.
+
+If you want to build the distribution in a different directory from the
+source directory, you will need a make that implements VPATH correctly,
+such as GNU make.
+
+You will need to build the distribution:
+
+@itemize @bullet
+@item
+A compiler that supports a ``loose'' ANSI C mode, such as @code{gcc}.
+@item
+lex or flex
+@item
+awk
+@item
+yacc or bison
+@item
+a socket library
+@item
+NDBM or Berkeley DB for building the server side.
+@end itemize
+
+When everything is built, you can install by doing @kbd{make
+install}. The default location for installation is @file{/usr/heimdal},
+but this can be changed by running @code{configure} with
+@samp{--prefix=/some/other/place}.
+
+If you need to change the default behavior, configure understands the
+following options:
+
+@table @asis
+@item @kbd{--without-berkeley-db}
+DB is preferred before NDBM, but if you for some reason want to use NDBM
+instead, you can use this option.
+
+@item @kbd{--with-krb4=@file{dir}}
+Gives the location of Kerberos 4 libraries and headers. This enables
+Kerberos 4 support in the applications (telnet, rsh, popper, etc) and
+the KDC. It is automatically check for in @file{/usr/athena}. If you
+keep libraries and headers in different places, you can instead give the
+path to each with the @kbd{--with-krb4-lib=@file{dir}}, and
+@kbd{--with-krb4-include=@file{dir}} options.
+
+You will need a fairly recent version of our Kerberos 4 distribution for
+@code{rshd} and @code{popper} to support version 4 clients.
+
+@item @kbd{--enable-kaserver}
+Enables experimental kaserver support in the KDC. This is the protocol
+used by the ``KDC'' in AFS. Requires Kerberos 4 support.
+
+@item @kbd{--enable-kaserver-db}
+Enables experimental support for reading kaserver databases in hprop.
+This is useful when migrating from a kaserver to a Heimdal KDC.
+
+@item @kbd{--disable-otp}
+By default some of the application programs will build with support for
+one-time passwords (OTP).  Use this option to disable that support.
+
+@item @kbd{--enable-osfc2}
+Enable some C2 support for OSF/Digital Unix/Tru64.  Use this option if
+you are running your OSF operating system in C2 mode.
+
+@item @kbd{--with-readline=@file{dir}}
+Gives the path for the GNU Readline library, which will be used in some
+programs. If no readline library is found, the (simpler) editline
+library will be used instead.
+
+@item @kbd{--with-hesiod=@file{dir}}
+Enables hesiod support in push.
+
+@item @kbd{--enable-netinfo}
+Add support for using netinfo to lookup configuration information.
+Probably only useful (and working) on NextStep/Mac OS X.
+
+@item @kbd{--without-ipv6}
+Disable the IPv6 support.
+
+@end table
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
new file mode 100644
index 0000000..518aada
--- /dev/null
+++ b/crypto/heimdal/doc/intro.texi
@@ -0,0 +1,93 @@
+@node Introduction, What is Kerberos?, Top, Top
+@c @node Introduction, What is Kerberos?, Top, Top
+@comment  node-name,  next,  previous,  up
+@chapter Introduction
+
+@heading What is Heimdal?
+
+Heimdal is a free implementation of Kerberos 5. The goals are to:
+
+@itemize @bullet
+@item
+have an implementation that can be freely used by anyone
+@item
+be protocol compatible with existing implementations and, if not in
+conflict, with RFC 1510 (and any future updated RFC)
+@item
+be reasonably compatible with the M.I.T Kerberos V5 API
+@item
+have support for Kerberos V5 over GSS-API (RFC1964)
+@item
+include the most important and useful application programs (rsh, telnet,
+popper, etc.)
+@item
+include enough backwards compatibility with Kerberos V4
+@end itemize
+
+@heading Status
+
+Heimdal has the following features (this does not mean any of this
+works):
+
+@itemize @bullet
+@item
+a stub generator and a library to encode/decode/whatever ASN.1/DER
+stuff
+@item
+a @code{libkrb5} library that should be possible to get to work with
+simple applications
+@item
+a GSS-API library that should have all the important functions for
+building applications
+@item
+Eric Young's @file{libdes}
+@item
+@file{kinit}, @file{klist}, @file{kdestroy}
+@item
+@file{telnet}, @file{telnetd}
+@item
+@file{rsh}, @file{rshd}
+@item
+@file{popper}, @file{push} (a movemail equivalent)
+@item
+@file{ftp}, and @file{ftpd}
+@item
+a library @file{libkafs} for authenticating to AFS and a program
+@file{afslog} that uses it
+@item
+some simple test programs
+@item
+a KDC that supports most things; optionally, it may also support
+Kerberos V4 and kaserver,
+@item
+simple programs for distributing databases between a KDC master and
+slaves
+@item
+a password changing daemon @file{kpasswdd}, library functions for
+changing passwords and a simple client
+@item
+some kind of administration system
+@item
+Kerberos V4 support in many of the applications.
+@end itemize
+
+@heading Bug reports
+
+If you find bugs in this software, make sure it is a genuine bug and not
+just a part of the code that isn't implemented.
+
+Bug reports should be sent to @email{heimdal-bugs@@pdc.kth.se}. Please
+include information on what machine and operating system (including
+version) you are running, what you are trying to do, what happens, what
+you think should have happened, an example for us to repeat, the output
+you get when trying the example, and a patch for the problem if you have
+one. Please make any patches with @code{diff -u} or @code{diff -c}.
+
+Suggestions, comments and other non bug reports are also welcome.
+
+@heading Mailing list
+
+There are two mailing lists with talk about
+Heimdal. @email{heimdal-announce@@sics.se} is a low-volume announcement
+list, while @email{heimdal-discuss@@sics.se} is for general discussion.
+Send a message to @email{majordomo@@sics.se} to subscribe.
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi
new file mode 100644
index 0000000..2e4f92c
--- /dev/null
+++ b/crypto/heimdal/doc/kerberos4.texi
@@ -0,0 +1,179 @@
+@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
+@comment  node-name,  next,  previous,  up
+@chapter Kerberos 4 issues
+
+If compiled with version 4 support, the KDC can serve requests from a
+Kerberos 4 client. There are a few things you must do for this to work.
+
+@menu
+* Principal conversion issues::  
+* Converting a version 4 database::  
+@end menu
+
+@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
+@section Principal conversion issues
+
+First, Kerberos 4 and Kerberos 5 principals are different. A version 4
+principal consists of a name, an instance, and a realm. A version 5
+principal has one or more components, and a realm (the terms ``name''
+and ``instance'' are still used, for the first and second component,
+respectively).    Also, in some cases the name of a version 4 principal
+differs from the first component of the corresponding version 5
+principal. One notable example is the ``host'' type principals, where
+the version 4 name is @samp{rcmd} (for ``remote command''), and the
+version 5 name is @samp{host}. For the class of principals that has a
+hostname as instance, there is an other major difference, Kerberos 4
+uses only the first component of the hostname, whereas Kerberos 5 uses
+the fully qualified hostname.
+
+Because of this it can be hard or impossible to correctly convert a
+version 4 principal to a version 5 principal @footnote{the other way is
+not always trivial either, but usually easier}. The biggest problem is
+to know if the conversion resulted in a valid principal. To give an
+example, suppose you want to convert the principal @samp{rcmd.foo}.
+
+The @samp{rcmd} name suggests that the instance is a hostname (even if
+there are exceptions to this rule). To correctly convert the instance
+@samp{foo} to a hostname, you have to know which host it is referring
+to. You can to this by either guessing (from the realm) which domain
+name to append, or you have to have a list of possible hostnames. In the
+simplest cases you can cover most principals with the first rule. If you
+have several domains sharing a single realm this will not usually
+work. If the exceptions are few you can probably come by with a lookup
+table for the exceptions.
+
+In a complex scenario you will need some kind of host lookup mechanism.
+Using DNS for this is tempting, but DNS is error prone, slow and unsafe
+@footnote{at least until secure DNS is commonly available}.
+
+Fortunately, the KDC has a trump on hand: it can easily tell if a
+principal exists in the database. The KDC will use
+@code{krb5_425_conv_principal_ext} to convert principals when handling
+to version 4 requests.
+
+@node Converting a version 4 database,  , Principal conversion issues, Kerberos 4 issues
+@section Converting a version 4 database
+
+If you want to convert an existing version 4 database, the principal
+conversion issue arises too.
+
+If you decide to convert your database once and for all, you will only
+have to do this conversion once. It is also possible to run a version 5
+KDC as a slave to a version 4 KDC. In this case this conversion will
+happen every time the database is propagated.  When doing this
+conversion, there are a few things to look out for. If you have stale
+entries in the database, these entries will not be converted. This might
+be because these principals are not used anymore, or it might be just
+because the principal couldn't be converted.
+
+You might also see problems with a many-to-one mapping of
+principals. For instance, if you are using DNS lookups and you have two
+principals @samp{rcmd.foo} and @samp{rcmd.bar}, where `foo' is a CNAME
+for `bar', the resulting principals will be the same. Since the
+conversion function can't tell which is correct, these conflicts will
+have to be resolved manually.
+
+@subsection Conversion example
+
+Given the following set of hosts and services:
+
+@example
+foo.se          rcmd
+mail.foo.se     rcmd, pop
+ftp.bar.se      rcmd, ftp
+@end example
+
+you have a database that consists of the following principals:
+
+@samp{rcmd.foo}, @samp{rcmd.mail}, @samp{pop.mail}, @samp{rcmd.ftp}, and
+@samp{ftp.ftp}.
+
+lets say you also got these extra principals: @samp{rcmd.gone},
+@samp{rcmd.old-mail}, where @samp{gone.foo.se} was a machine that has
+now passed away, and @samp{old-mail.foo.se} was an old mail machine that
+is now a CNAME for @samp{mail.foo.se}.
+
+When you convert this database you want the following conversions to be
+done:
+@example
+rcmd.foo         host/foo.se
+rcmd.mail        host/mail.foo.se
+pop.mail         pop/mail.foo.se
+rcmd.ftp         host/ftp.bar.se
+ftp.ftp          ftp/ftp.bar.se
+rcmd.gone        @i{removed}
+rcmd.old-mail    @i{removed}
+@end example
+
+A @file{krb5.conf} that does this looks like:
+
+@example
+[realms]
+        FOO.SE = @{
+                v4_name_convert = @{
+                        host = @{
+                                ftp = ftp
+                                pop = pop
+                                rcmd = host
+                        @}
+                @}
+                v4_instance_convert = @{
+                        foo = foo.se
+                        ftp = ftp.bar.se
+                @}
+                default_domain = foo.se
+        @}
+@end example
+
+The @samp{v4_name_convert} section says which names should be considered
+having an instance consisting of a hostname, and it also says how the
+names should be converted (for instance @samp{rcmd} should be converted
+to @samp{host}). The @samp{v4_instance_convert} section says how a
+hostname should be qualified (this is just a hosts-file in
+disguise). Host-instances that aren't covered by
+@samp{v4_instance_convert} are qualified by appending the contents of
+the @samp{default_domain}.
+
+Actually, this example doesn't work. Or rather, it works to well. Since
+it has no way of knowing which hostnames are valid and which are not, it
+will happily convert @samp{rcmd.gone} to @samp{host/gone.foo.se}. This
+isn't a big problem, but if you have run your kerberos realm for a few
+years, chances are big that you have quite a few `junk' principals.
+
+If you don't want this you can remove the @samp{default_domain}
+statement, but then you will have to add entries for @emph{all} your hosts
+in the @samp{v4_instance_convert} section.
+
+Instead of doing this you can use DNS to convert instances. This is not
+a solution without problems, but it is probably easier than adding lots
+of static host entries. 
+
+To enable DNS lookup you should turn on @samp{v4_instance_resolve} in
+the @samp{[libdefaults]} section.
+
+@subsection Converting a database
+
+The database conversion is done with @samp{hprop}. Assuming that you
+have the @samp{kadmin/hprop} key in the keytab @file{hprop.keytab}, you
+can run this command to propagate the database to the machine called
+@samp{slave-server} (which should be running a @samp{hpropd}).
+
+@example
+hprop -4 -E -k hprop.keytab slave-server
+@end example
+
+@section Version 4 Kadmin
+
+@samp{kadmind} can act as a version 4 kadmind, and you can do most
+operations, but with some restrictions (since the version 4 kadmin
+protocol is, lets say, very ad hoc.) One example is that it only passes
+des keys when creating principals and changing passwords (modern kpasswd
+clients do send the password, so it's possible to to password quality
+checks). Because of this you can only create principals with des keys,
+and you can't set any flags or do any other fancy stuff.
+
+To get this to work, you have to add another entry to inetd (since
+version 4 uses port 751, not 749).
+
+@emph{And then there are a many more things you can do; more on this in
+a later version of this manual. Until then, UTSL.}
diff --git a/crypto/heimdal/doc/latin1.tex b/crypto/heimdal/doc/latin1.tex
new file mode 100644
index 0000000..e683dd2
--- /dev/null
+++ b/crypto/heimdal/doc/latin1.tex
@@ -0,0 +1,95 @@
+% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
+% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
+\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
+\global\catcode`\^^a0=\active \global\let^^a0=~		% no-break space
+\global\catcode`\^^a1=\active \global\def^^a1{!`}		% inverted exclamation mark
+\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}}	% cent sign
+\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}}	% pound sign
+% currency sign, yen sign, broken bar
+\global\catcode`\^^a7=\active \global\let^^a7=\S		% section sign
+\global\catcode`\^^a8=\active \global\def^^a8{\"{}}		% diaeresis
+\global\catcode`\^^a9=\active \global\let^^a9=\copyright	% copyright sign
+% feminine ordinal indicator, left angle quotation mark
+\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
+\global\catcode`\^^ad=\active \global\let^^ad=\-		% soft hyphen
+% registered trade mark sign
+\global\catcode`\^^af=\active \global\def^^af{\={}}		% macron
+% ...
+\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm}	% plus minus
+\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
+\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
+\global\catcode`\^^b4=\active \global\def^^b4{\'{}}		% acute accent
+\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu}	% mu
+\global\catcode`\^^b6=\active \global\let^^b6=\P		% pilcroy
+\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
+\global\catcode`\^^b8=\active \global\def^^b8{\c{}}		% cedilla
+\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
+% ...
+\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
+\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
+\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
+\global\catcode`\^^bf=\active \global\def^^bf{?`}		% inverted question mark
+\global\catcode`\^^c0=\active \global\def^^c0{\`A}
+\global\catcode`\^^c1=\active \global\def^^c1{\'A}
+\global\catcode`\^^c2=\active \global\def^^c2{\^A}
+\global\catcode`\^^c3=\active \global\def^^c3{\~A}
+\global\catcode`\^^c4=\active \global\def^^c4{\"A}		% capital a with diaeresis
+\global\catcode`\^^c5=\active \global\let^^c5=\AA		% capital a with ring above
+\global\catcode`\^^c6=\active \global\let^^c6=\AE
+\global\catcode`\^^c7=\active \global\def^^c7{\c C}
+\global\catcode`\^^c8=\active \global\def^^c8{\`E}
+\global\catcode`\^^c9=\active \global\def^^c9{\'E}
+\global\catcode`\^^ca=\active \global\def^^ca{\^E}
+\global\catcode`\^^cb=\active \global\def^^cb{\"E}
+\global\catcode`\^^cc=\active \global\def^^cc{\`I}
+\global\catcode`\^^cd=\active \global\def^^cd{\'I}
+\global\catcode`\^^ce=\active \global\def^^ce{\^I}
+\global\catcode`\^^cf=\active \global\def^^cf{\"I}
+% capital eth
+\global\catcode`\^^d1=\active \global\def^^d1{\~N}
+\global\catcode`\^^d2=\active \global\def^^d2{\`O}
+\global\catcode`\^^d3=\active \global\def^^d3{\'O}
+\global\catcode`\^^d4=\active \global\def^^d4{\^O}
+\global\catcode`\^^d5=\active \global\def^^d5{\~O}
+\global\catcode`\^^d6=\active \global\def^^d6{\"O}		% capital o with diaeresis
+\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
+\global\catcode`\^^d8=\active \global\let^^d8=\O
+\global\catcode`\^^d9=\active \global\def^^d9{\`U}
+\global\catcode`\^^da=\active \global\def^^da{\'U}
+\global\catcode`\^^db=\active \global\def^^db{\^U}
+\global\catcode`\^^dc=\active \global\def^^dc{\"U}
+\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
+% capital thorn
+\global\catcode`\^^df=\active \global\def^^df{\ss}
+\global\catcode`\^^e0=\active \global\def^^e0{\`a}
+\global\catcode`\^^e1=\active \global\def^^e1{\'a}
+\global\catcode`\^^e2=\active \global\def^^e2{\^a}
+\global\catcode`\^^e3=\active \global\def^^e3{\~a}
+\global\catcode`\^^e4=\active \global\def^^e4{\"a}		% small a with diaeresis
+\global\catcode`\^^e5=\active \global\let^^e5=\aa		% small a with ring above
+\global\catcode`\^^e6=\active \global\let^^e6=\ae
+\global\catcode`\^^e7=\active \global\def^^e7{\c c}
+\global\catcode`\^^e8=\active \global\def^^e8{\`e}
+\global\catcode`\^^e9=\active \global\def^^e9{\'e}
+\global\catcode`\^^ea=\active \global\def^^ea{\^e}
+\global\catcode`\^^eb=\active \global\def^^eb{\"e}
+\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
+\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
+\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
+\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
+% small eth
+\global\catcode`\^^f1=\active \global\def^^f1{\~n}
+\global\catcode`\^^f2=\active \global\def^^f2{\`o}
+\global\catcode`\^^f3=\active \global\def^^f3{\'o}
+\global\catcode`\^^f4=\active \global\def^^f4{\^o}
+\global\catcode`\^^f5=\active \global\def^^f5{\~o}
+\global\catcode`\^^f6=\active \global\def^^f6{\"o}		% small o with diaeresis
+\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
+\global\catcode`\^^f8=\active \global\let^^f8=\o
+\global\catcode`\^^f9=\active \global\def^^f9{\`u}
+\global\catcode`\^^fa=\active \global\def^^fa{\'u}
+\global\catcode`\^^fb=\active \global\def^^fb{\^u}
+\global\catcode`\^^fc=\active \global\def^^fc{\"u}
+\global\catcode`\^^fd=\active \global\def^^fd{\'y}
+% capital thorn
+\global\catcode`\^^ff=\active \global\def^^ff{\"y}
diff --git a/crypto/heimdal/doc/layman.asc b/crypto/heimdal/doc/layman.asc
new file mode 100644
index 0000000..d4fbe64
--- /dev/null
+++ b/crypto/heimdal/doc/layman.asc
@@ -0,0 +1,1855 @@
+A Layman's Guide to a Subset of ASN.1, BER, and DER
+
+An RSA Laboratories Technical Note
+Burton S. Kaliski Jr.
+Revised November 1, 1993
+
+
+Supersedes June 3, 1991 version, which was also published as
+NIST/OSI Implementors' Workshop document SEC-SIG-91-17.
+PKCS documents are available by electronic mail to
+<pkcs@rsa.com>.
+
+Copyright (C) 1991-1993 RSA Laboratories, a division of RSA
+Data Security, Inc. License to copy this document is granted
+provided that it is identified as "RSA Data Security, Inc.
+Public-Key Cryptography Standards (PKCS)" in all material
+mentioning or referencing this document.
+003-903015-110-000-000
+
+
+Abstract. This note gives a layman's introduction to a
+subset of OSI's Abstract Syntax Notation One (ASN.1), Basic
+Encoding Rules (BER), and Distinguished Encoding Rules
+(DER). The particular purpose of this note is to provide
+background material sufficient for understanding and
+implementing the PKCS family of standards.
+
+
+1. Introduction
+
+It is a generally accepted design principle that abstraction
+is a key to managing software development. With abstraction,
+a designer can specify a part of a system without concern
+for how the part is actually implemented or represented.
+Such a practice leaves the implementation open; it
+simplifies the specification; and it makes it possible to
+state "axioms" about the part that can be proved when the
+part is implemented, and assumed when the part is employed
+in another, higher-level part. Abstraction is the hallmark
+of most modern software specifications.
+
+One of the most complex systems today, and one that also
+involves a great deal of abstraction, is Open Systems
+Interconnection (OSI, described in X.200). OSI is an
+internationally standardized architecture that governs the
+interconnection of computers from the physical layer up to
+the user application layer. Objects at higher layers are
+defined abstractly and intended to be implemented with
+objects at lower layers. For instance, a service at one
+layer may require transfer of certain abstract objects
+between computers; a lower layer may provide transfer
+services for strings of ones and zeroes, using encoding
+rules to transform the abstract objects into such strings.
+OSI is called an open system because it supports many
+different implementations of the services at each layer.
+
+OSI's method of specifying abstract objects is called ASN.1
+(Abstract Syntax Notation One, defined in X.208), and one
+set of rules for representing such objects as strings of
+ones and zeros is called the BER (Basic Encoding Rules,
+defined in X.209). ASN.1 is a flexible notation that allows
+one to define a variety data types, from simple types such
+as integers and bit strings to structured types such as sets
+and sequences, as well as complex types defined in terms of
+others. BER describes how to represent or encode values of
+each ASN.1 type as a string of eight-bit octets. There is
+generally more than one way to BER-encode a given value.
+Another set of rules, called the Distinguished Encoding
+Rules (DER), which is a subset of BER, gives a unique
+encoding to each ASN.1 value.
+
+The purpose of this note is to describe a subset of ASN.1,
+BER and DER sufficient to understand and implement one OSI-
+based application, RSA Data Security, Inc.'s Public-Key
+Cryptography Standards. The features described include an
+overview of ASN.1, BER, and DER and an abridged list of
+ASN.1 types and their BER and DER encodings. Sections 2-4
+give an overview of ASN.1, BER, and DER, in that order.
+Section 5 lists some ASN.1 types, giving their notation,
+specific encoding rules, examples, and comments about their
+application to PKCS. Section 6 concludes with an example,
+X.500 distinguished names.
+
+Advanced features of ASN.1, such as macros, are not
+described in this note, as they are not needed to implement
+PKCS. For information on the other features, and for more
+detail generally, the reader is referred to CCITT
+Recommendations X.208 and X.209, which define ASN.1 and BER.
+
+Terminology and notation. In this note, an octet is an eight-
+bit unsigned integer. Bit 8 of the octet is the most
+significant and bit 1 is the least significant.
+
+The following meta-syntax is used for in describing ASN.1
+notation:
+
+     BIT  monospace denotes literal characters in the type
+          and value notation; in examples, it generally
+          denotes an octet value in hexadecimal
+
+     n1   bold italics denotes a variable
+
+     []   bold square brackets indicate that a term is
+          optional
+
+     {}   bold braces group related terms
+
+     |    bold vertical bar delimits alternatives with a
+          group
+
+     ...  bold ellipsis indicates repeated occurrences
+
+     =    bold equals sign expresses terms as subterms
+
+
+2. Abstract Syntax Notation One
+
+Abstract Syntax Notation One, abbreviated ASN.1, is a
+notation for describing abstract types and values.
+
+In ASN.1, a type is a set of values. For some types, there
+are a finite number of values, and for other types there are
+an infinite number. A value of a given ASN.1 type is an
+element of the type's set. ASN.1 has four kinds of type:
+simple types, which are "atomic" and have no components;
+structured types, which have components; tagged types, which
+are derived from other types; and other types, which include
+the CHOICE type and the ANY type. Types and values can be
+given names with the ASN.1 assignment operator (::=) , and
+those names can be used in defining other types and values.
+
+Every ASN.1 type other than CHOICE and ANY has a tag, which
+consists of a class and a nonnegative tag number. ASN.1
+types are abstractly the same if and only if their tag
+numbers are the same. In other words, the name of an ASN.1
+type does not affect its abstract meaning, only the tag
+does. There are four classes of tag:
+
+     Universal, for types whose meaning is the same in all
+          applications; these types are only defined in
+          X.208.
+
+     Application, for types whose meaning is specific to an
+          application, such as X.500 directory services;
+          types in two different applications may have the
+          same application-specific tag and different
+          meanings.
+
+     Private, for types whose meaning is specific to a given
+          enterprise.
+
+     Context-specific, for types whose meaning is specific
+          to a given structured type; context-specific tags
+          are used to distinguish between component types
+          with the same underlying tag within the context of
+          a given structured type, and component types in
+          two different structured types may have the same
+          tag and different meanings.
+
+The types with universal tags are defined in X.208, which
+also gives the types' universal tag numbers. Types with
+other tags are defined in many places, and are always
+obtained by implicit or explicit tagging (see Section 2.3).
+Table 1 lists some ASN.1 types and their universal-class
+tags.
+
+    Type                     Tag number     Tag number
+                             (decimal)      (hexadecimal)
+    INTEGER                  2              02
+    BIT STRING               3              03
+    OCTET STRING             4              04
+    NULL                     5              05
+    OBJECT IDENTIFIER        6              06
+    SEQUENCE and SEQUENCE OF 16             10
+    SET and SET OF           17             11
+    PrintableString          19             13
+    T61String                20             14
+    IA5String                22             16
+    UTCTime                  23             17
+
+     Table 1. Some types and their universal-class tags.
+
+ASN.1 types and values are expressed in a flexible,
+programming-language-like notation, with the following
+special rules:
+
+     o    Layout is not significant; multiple spaces and
+          line breaks can be considered as a single space.
+
+     o    Comments are delimited by pairs of hyphens (--),
+          or a pair of hyphens and a line break.
+
+     o    Identifiers (names of values and fields) and type
+          references (names of types) consist of upper- and
+          lower-case letters, digits, hyphens, and spaces;
+          identifiers begin with lower-case letters; type
+          references begin with upper-case letters.
+
+The following four subsections give an overview of simple
+types, structured types, implicitly and explicitly tagged
+types, and other types. Section 5 describes specific types
+in more detail.
+
+
+2.1 Simple types
+
+Simple types are those not consisting of components; they
+are the "atomic" types. ASN.1 defines several; the types
+that are relevant to the PKCS standards are the following:
+
+     BIT STRING, an arbitrary string of bits (ones and
+          zeroes).
+
+     IA5String, an arbitrary string of IA5 (ASCII)
+          characters.
+
+     INTEGER, an arbitrary integer.
+
+     NULL, a null value.
+
+     OBJECT IDENTIFIER, an object identifier, which is a
+          sequence of integer components that identify an
+          object such as an algorithm or attribute type.
+
+     OCTET STRING, an arbitrary string of octets (eight-bit
+          values).
+
+     PrintableString, an arbitrary string of printable
+          characters.
+
+     T61String, an arbitrary string of T.61 (eight-bit)
+          characters.
+
+     UTCTime, a "coordinated universal time" or Greenwich
+          Mean Time (GMT) value.
+
+Simple types fall into two categories: string types and non-
+string types. BIT STRING, IA5String, OCTET STRING,
+PrintableString, T61String, and UTCTime are string types.
+
+String types can be viewed, for the purposes of encoding, as
+consisting of components, where the components are
+substrings. This view allows one to encode a value whose
+length is not known in advance (e.g., an octet string value
+input from a file stream) with a constructed, indefinite-
+length encoding (see Section 3).
+
+The string types can be given size constraints limiting the
+length of values.
+
+
+2.2 Structured types
+
+Structured types are those consisting of components. ASN.1
+defines four, all of which are relevant to the PKCS
+standards:
+
+     SEQUENCE, an ordered collection of one or more types.
+
+     SEQUENCE OF, an ordered collection of zero or more
+          occurrences of a given type.
+
+     SET, an unordered collection of one or more types.
+
+     SET OF, an unordered collection of zero or more
+          occurrences of a given type.
+
+The structured types can have optional components, possibly
+with default values.
+
+
+2.3 Implicitly and explicitly tagged types
+
+Tagging is useful to distinguish types within an
+application; it is also commonly used to distinguish
+component types within a structured type. For instance,
+optional components of a SET or SEQUENCE type are typically
+given distinct context-specific tags to avoid ambiguity.
+
+There are two ways to tag a type: implicitly and explicitly.
+
+Implicitly tagged types are derived from other types by
+changing the tag of the underlying type. Implicit tagging is
+denoted by the ASN.1 keywords [class number] IMPLICIT (see
+Section 5.1).
+
+Explicitly tagged types are derived from other types by
+adding an outer tag to the underlying type. In effect,
+explicitly tagged types are structured types consisting of
+one component, the underlying type. Explicit tagging is
+denoted by the ASN.1 keywords [class number] EXPLICIT (see
+Section 5.2).
+
+The keyword [class number] alone is the same as explicit
+tagging, except when the "module" in which the ASN.1 type is
+defined has implicit tagging by default. ("Modules" are
+among the advanced features not described in this note.)
+
+For purposes of encoding, an implicitly tagged type is
+considered the same as the underlying type, except that the
+tag is different. An explicitly tagged type is considered
+like a structured type with one component, the underlying
+type. Implicit tags result in shorter encodings, but
+explicit tags may be necessary to avoid ambiguity if the tag
+of the underlying type is indeterminate (e.g., the
+underlying type is CHOICE or ANY).
+
+
+2.4 Other types
+
+Other types in ASN.1 include the CHOICE and ANY types. The
+CHOICE type denotes a union of one or more alternatives; the
+ANY type denotes an arbitrary value of an arbitrary type,
+where the arbitrary type is possibly defined in the
+registration of an object identifier or integer value.
+
+
+3. Basic Encoding Rules
+
+The Basic Encoding Rules for ASN.1, abbreviated BER, give
+one or more ways to represent any ASN.1 value as an octet
+string. (There are certainly other ways to represent ASN.1
+values, but BER is the standard for interchanging such
+values in OSI.)
+
+There are three methods to encode an ASN.1 value under BER,
+the choice of which depends on the type of value and whether
+the length of the value is known. The three methods are
+primitive, definite-length encoding; constructed, definite-
+length encoding; and constructed, indefinite-length
+encoding. Simple non-string types employ the primitive,
+definite-length method; structured types employ either of
+the constructed methods; and simple string types employ any
+of the methods, depending on whether the length of the value
+is known. Types derived by implicit tagging employ the
+method of the underlying type and types derived by explicit
+tagging employ the constructed methods.
+
+In each method, the BER encoding has three or four parts:
+
+     Identifier octets. These identify the class and tag
+          number of the ASN.1 value, and indicate whether
+          the method is primitive or constructed.
+
+     Length octets. For the definite-length methods, these
+          give the number of contents octets. For the
+          constructed, indefinite-length method, these
+          indicate that the length is indefinite.
+
+     Contents octets. For the primitive, definite-length
+          method, these give a concrete representation of
+          the  value. For the constructed methods, these
+          give the concatenation of the BER encodings of the
+          components of the value.
+
+     End-of-contents octets. For the constructed, indefinite-
+          length method, these denote the end of the
+          contents. For the other methods, these are absent.
+
+The three methods of encoding are described in the following
+sections.
+
+
+3.1 Primitive, definite-length method
+
+This method applies to simple types and types derived from
+simple types by implicit tagging. It requires that the
+length of the value be known in advance. The parts of the
+BER encoding are as follows:
+
+Identifier octets. There are two forms: low tag number (for
+tag numbers between 0 and 30) and high tag number (for tag
+numbers 31 and greater).
+
+     Low-tag-number form. One octet. Bits 8 and 7 specify
+          the class (see Table 2), bit 6 has value "0,"
+          indicating that the encoding is primitive, and
+          bits 5-1 give the tag number.
+
+                  Class            Bit  Bit
+                                   8    7
+                  universal        0    0
+                  application      0    1
+                  context-specific 1    0
+                  private          1    1
+
+        Table 2. Class encoding in identifier octets.
+
+     High-tag-number form. Two or more octets. First octet
+          is as in low-tag-number form, except that bits 5-1
+          all have value "1." Second and following octets
+          give the tag number, base 128, most significant
+          digit first, with as few digits as possible, and
+          with the bit 8 of each octet except the last set
+          to "1."
+
+Length octets. There are two forms: short (for lengths
+between 0 and 127), and long definite (for lengths between 0
+and 21008-1).
+
+     Short form. One octet. Bit 8 has value "0" and bits 7-1
+          give the length.
+
+     Long form. Two to 127 octets. Bit 8 of first octet has
+          value "1" and bits 7-1 give the number of
+          additional length octets. Second and following
+          octets give the length, base 256, most significant
+          digit first.
+
+Contents octets. These give a concrete representation of the
+value (or the value of the underlying type, if the type is
+derived by implicit tagging). Details for particular types
+are given in Section 5.
+
+
+3.2 Constructed, definite-length method
+
+This method applies to simple string types, structured
+types, types derived simple string types and structured
+types by implicit tagging, and types derived from anything
+by explicit tagging. It requires that the length of the
+value be known in advance. The parts of the BER encoding are
+as follows:
+
+Identifier octets. As described in Section 3.1, except that
+bit 6 has value "1," indicating that the encoding is
+constructed.
+
+Length octets. As described in Section 3.1.
+
+Contents octets. The concatenation of the BER encodings of
+the components of the value:
+
+     o    For simple string types and types derived from
+          them by implicit tagging, the concatenation of the
+          BER encodings of consecutive substrings of the
+          value (underlying value for implicit tagging).
+
+     o    For structured types and types derived from them
+          by implicit tagging, the concatenation of the BER
+          encodings of components of the value (underlying
+          value for implicit tagging).
+
+     o    For types derived from anything by explicit
+          tagging, the BER encoding of the underlying value.
+
+Details for particular types are given in Section 5.
+
+
+3.3 Constructed, indefinite-length method
+
+This method applies to simple string types, structured
+types, types derived simple string types and structured
+types by implicit tagging, and types derived from anything
+by explicit tagging. It does not require that the length of
+the value be known in advance. The parts of the BER encoding
+are as follows:
+
+Identifier octets. As described in Section 3.2.
+
+Length octets. One octet, 80.
+
+Contents octets. As described in Section 3.2.
+
+End-of-contents octets. Two octets, 00 00.
+
+Since the end-of-contents octets appear where an ordinary
+BER encoding might be expected (e.g., in the contents octets
+of a sequence value), the 00 and 00 appear as identifier and
+length octets, respectively. Thus the end-of-contents octets
+is really the primitive, definite-length encoding of a value
+with universal class, tag number 0, and length 0.
+
+
+4. Distinguished Encoding Rules
+
+The Distinguished Encoding Rules for ASN.1, abbreviated DER,
+are a subset of BER, and give exactly one way to represent
+any ASN.1 value as an octet string. DER is intended for
+applications in which a unique octet string encoding is
+needed, as is the case when a digital signature is computed
+on an ASN.1 value. DER is defined in Section 8.7 of X.509.
+
+DER adds the following restrictions to the rules given in
+Section 3:
+
+     1.   When the length is between 0 and 127, the short
+          form of length must be used
+
+     2.   When the length is 128 or greater, the long form
+          of length must be used, and the length must be
+          encoded in the minimum number of octets.
+
+     3.   For simple string types and implicitly tagged
+          types derived from simple string types, the
+          primitive, definite-length method must be
+          employed.
+
+     4.   For structured types, implicitly tagged types
+          derived from structured types, and explicitly
+          tagged types derived from anything, the
+          constructed, definite-length method must be
+          employed.
+
+Other restrictions are defined for particular types (such as
+BIT STRING, SEQUENCE, SET, and SET OF), and can be found in
+Section 5.
+
+
+5. Notation and encodings for some types
+
+This section gives the notation for some ASN.1 types and
+describes how to encode values of those types under both BER
+and DER.
+
+The types described are those presented in Section 2. They
+are listed alphabetically here.
+
+Each description includes ASN.1 notation, BER encoding, and
+DER encoding. The focus of the encodings is primarily on the
+contents octets; the tag and length octets follow Sections 3
+and 4. The descriptions also explain where each type is used
+in PKCS and related standards. ASN.1 notation is generally
+only for types, although for the type OBJECT IDENTIFIER,
+value notation is given as well.
+
+
+5.1 Implicitly tagged types
+
+An implicitly tagged type is a type derived from another
+type by changing the tag of the underlying type.
+
+Implicit tagging is used for optional SEQUENCE components
+with underlying type other than ANY throughout PKCS, and for
+the extendedCertificate alternative of PKCS #7's
+ExtendedCertificateOrCertificate type.
+
+ASN.1 notation:
+
+[[class] number] IMPLICIT Type
+
+class = UNIVERSAL  |  APPLICATION  |  PRIVATE
+
+where Type is a type, class is an optional class name, and
+number is the tag number within the class, a nonnegative
+integer.
+
+In ASN.1 "modules" whose default tagging method is implicit
+tagging, the notation [[class] number] Type is also
+acceptable, and the keyword IMPLICIT is implied. (See
+Section 2.3.) For definitions stated outside a module, the
+explicit inclusion of the keyword IMPLICIT is preferable to
+prevent ambiguity.
+
+If the class name is absent, then the tag is context-
+specific. Context-specific tags can only appear in a
+component of a structured or CHOICE type.
+
+Example: PKCS #8's PrivateKeyInfo type has an optional
+attributes component with an implicit, context-specific tag:
+
+PrivateKeyInfo ::= SEQUENCE {
+  version Version,
+  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+  privateKey PrivateKey,
+  attributes [0] IMPLICIT Attributes OPTIONAL }
+
+Here the underlying type is Attributes, the class is absent
+(i.e., context-specific), and the tag number within the
+class is 0.
+
+BER encoding. Primitive or constructed, depending on the
+underlying type. Contents octets are as for the BER encoding
+of the underlying value.
+
+Example: The BER encoding of the attributes component of a
+PrivateKeyInfo value is as follows:
+
+     o    the identifier octets are 80 if the underlying
+          Attributes value has a primitive BER encoding and
+          a0 if the underlying Attributes value has a
+          constructed BER encoding
+
+     o    the length and contents octets are the same as the
+          length and contents octets of the BER encoding of
+          the underlying Attributes value
+
+DER encoding. Primitive or constructed, depending on the
+underlying type. Contents octets are as for the DER encoding
+of the underlying value.
+
+
+5.2 Explicitly tagged types
+
+Explicit tagging denotes a type derived from another type by
+adding an outer tag to the underlying type.
+
+Explicit tagging is used for optional SEQUENCE components
+with underlying type ANY throughout PKCS, and for the
+version component of X.509's Certificate type.
+
+ASN.1 notation:
+
+[[class] number] EXPLICIT Type
+
+class = UNIVERSAL  |  APPLICATION  |  PRIVATE
+
+where Type is a type, class is an optional class name, and
+number is the tag number within the class, a nonnegative
+integer.
+
+If the class name is absent, then the tag is context-
+specific. Context-specific tags can only appear in a
+component of a SEQUENCE, SET or CHOICE type.
+
+In ASN.1 "modules" whose default tagging method is explicit
+tagging, the notation [[class] number] Type is also
+acceptable, and the keyword EXPLICIT is implied. (See
+Section 2.3.) For definitions stated outside a module, the
+explicit inclusion of the keyword EXPLICIT is preferable to
+prevent ambiguity.
+
+Example 1: PKCS #7's ContentInfo type has an optional
+content component with an explicit, context-specific tag:
+
+ContentInfo ::= SEQUENCE {
+  contentType ContentType,
+  content
+    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+Here the underlying type is ANY DEFINED BY contentType, the
+class is absent (i.e., context-specific), and the tag number
+within the class is 0.
+
+Example 2: X.509's Certificate type has a version component
+with an explicit, context-specific tag, where the EXPLICIT
+keyword is omitted:
+
+Certificate ::= ...
+  version [0] Version DEFAULT v1988,
+...
+
+The tag is explicit because the default tagging method for
+the ASN.1 "module" in X.509 that defines the Certificate
+type is explicit tagging.
+
+BER encoding. Constructed. Contents octets are the BER
+encoding of the underlying value.
+
+Example: the BER encoding of the content component of a
+ContentInfo value is as follows:
+
+     o    identifier octets are a0
+
+     o    length octets represent the length of the BER
+          encoding of the underlying ANY DEFINED BY
+          contentType value
+
+     o    contents octets are the BER encoding of the
+          underlying ANY DEFINED BY contentType value
+
+DER encoding. Constructed. Contents octets are the DER
+encoding of the underlying value.
+
+
+5.3 ANY
+
+The ANY type denotes an arbitrary value of an arbitrary
+type, where the arbitrary type is possibly defined in the
+registration of an object identifier or associated with an
+integer index.
+
+The ANY type is used for content of a particular content
+type in PKCS #7's ContentInfo type, for parameters of a
+particular algorithm in X.509's AlgorithmIdentifier type,
+and for attribute values in X.501's Attribute and
+AttributeValueAssertion types. The Attribute type is used by
+PKCS #6, #7, #8, #9 and #10, and the AttributeValueAssertion
+type is used in X.501 distinguished names.
+
+ASN.1 notation:
+
+ANY [DEFINED BY identifier]
+
+where identifier is an optional identifier.
+
+In the ANY form, the actual type is indeterminate.
+
+The ANY DEFINED BY identifier form can only appear in a
+component of a SEQUENCE or SET type for which identifier
+identifies some other component, and that other component
+has type INTEGER or OBJECT IDENTIFIER (or a type derived
+from either of those by tagging). In that form, the actual
+type is determined by the value of the other component,
+either in the registration of the object identifier value,
+or in a table of integer values.
+
+Example: X.509's AlgorithmIdentifier type has a component of
+type ANY:
+
+AlgorithmIdentifier ::= SEQUENCE {
+  algorithm OBJECT IDENTIFIER,
+  parameters ANY DEFINED BY algorithm OPTIONAL }
+
+Here the actual type of the parameter component depends on
+the value of the algorithm component. The actual type would
+be defined in the registration of object identifier values
+for the algorithm component.
+
+BER encoding. Same as the BER encoding of the actual value.
+
+Example: The BER encoding of the value of the parameter
+component is the BER encoding of the value of the actual
+type as defined in the registration of object identifier
+values for the algorithm component.
+
+DER encoding. Same as the DER encoding of the actual value.
+
+
+5.4 BIT STRING
+
+The BIT STRING type denotes an arbitrary string of bits
+(ones and zeroes). A BIT STRING value can have any length,
+including zero. This type is a string type.
+
+The BIT STRING type is used for digital signatures on
+extended certificates in PKCS #6's ExtendedCertificate type,
+for digital signatures on certificates in X.509's
+Certificate type, and for public keys in certificates in
+X.509's SubjectPublicKeyInfo type.
+
+ASN.1 notation:
+
+BIT STRING
+
+Example: X.509's SubjectPublicKeyInfo type has a component
+of type BIT STRING:
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+  algorithm AlgorithmIdentifier,
+  publicKey BIT STRING }
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the first contents octet gives the number of bits
+by which the length of the bit string is less than the next
+multiple of eight (this is called the "number of unused
+bits"). The second and following contents octets give the
+value of the bit string, converted to an octet string. The
+conversion process is as follows:
+
+     1.   The bit string is padded after the last bit with
+          zero to seven bits of any value to make the length
+          of the bit string a multiple of eight. If the
+          length of the bit string is a multiple of eight
+          already, no padding is done.
+
+     2.   The padded bit string is divided into octets. The
+          first eight bits of the padded bit string become
+          the first octet, bit 8 to bit 1, and so on through
+          the last eight bits of the padded bit string.
+
+In a constructed encoding, the contents octets give the
+concatenation of the BER encodings of consecutive substrings
+of the bit string, where each substring except the last has
+a length that is a multiple of eight bits.
+
+Example: The BER encoding of the BIT STRING value
+"011011100101110111" can be any of the following, among
+others, depending on the choice of padding bits, the form of
+length octets, and whether the encoding is primitive or
+constructed:
+
+03 04 06 6e 5d c0                               DER encoding
+
+03 04 06 6e 5d e0                       padded with "100000"
+
+03 81 04 06 6e 5d c0              long form of length octets
+
+23 09        constructed encoding: "0110111001011101" + "11"
+   03 03 00 6e 5d
+   03 02 06 c0
+
+DER encoding. Primitive. The contents octects are as for a
+primitive BER encoding, except that the bit string is padded
+with zero-valued bits.
+
+Example: The DER encoding of the BIT STRING value
+"011011100101110111" is
+
+03 04 06 6e 5d c0
+
+
+5.5 CHOICE
+
+The CHOICE type denotes a union of one or more alternatives.
+
+The CHOICE type is used to represent the union of an
+extended certificate and an X.509 certificate in PKCS #7's
+ExtendedCertificateOrCertificate type.
+
+ASN.1 notation:
+
+CHOICE {
+  [identifier1] Type1,
+  ...,
+  [identifiern] Typen }
+
+where identifier1 , ..., identifiern are optional, distinct
+identifiers for the alternatives, and Type1, ..., Typen are
+the types of the alternatives. The identifiers are primarily
+for documentation; they do not affect values of the type or
+their encodings in any way.
+
+The types must have distinct tags. This requirement is
+typically satisfied with explicit or implicit tagging on
+some of the alternatives.
+
+Example: PKCS #7's ExtendedCertificateOrCertificate type is
+a CHOICE type:
+
+ExtendedCertificateOrCertificate ::= CHOICE {
+  certificate Certificate, -- X.509
+  extendedCertificate [0] IMPLICIT ExtendedCertificate
+}
+
+Here the identifiers for the alternatives are certificate
+and extendedCertificate, and the types of the alternatives
+are Certificate and [0] IMPLICIT ExtendedCertificate.
+
+BER encoding. Same as the BER encoding of the chosen
+alternative. The fact that the alternatives have distinct
+tags makes it possible to distinguish between their BER
+encodings.
+
+Example: The identifier octets for the BER encoding are 30
+if the chosen alternative is certificate, and a0 if the
+chosen alternative is extendedCertificate.
+
+DER encoding. Same as the DER encoding of the chosen
+alternative.
+
+
+5.6 IA5String
+
+The IA5String type denotes an arbtrary string of IA5
+characters. IA5 stands for International Alphabet 5, which
+is the same as ASCII. The character set includes non-
+printing control characters. An IA5String value can have any
+length, including zero. This type is a string type.
+
+The IA5String type is used in PKCS #9's electronic-mail
+address, unstructured-name, and unstructured-address
+attributes.
+
+ASN.1 notation:
+
+IA5String
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the IA5
+string, encoded in ASCII. In a constructed encoding, the
+contents octets give the concatenation of the BER encodings
+of consecutive substrings of the IA5 string.
+
+Example: The BER encoding of the IA5String value
+"test1@rsa.com" can be any of the following, among others,
+depending on the form of length octets and whether the
+encoding is primitive or constructed:
+
+16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d DER encoding
+
+16 81 0d                       long form of length octets
+   74 65 73 74 31 40 72 73 61 2e 63 6f 6d
+
+36 13     constructed encoding: "test1" + "@" + "rsa.com"
+   16 05 74 65 73 74 31
+   16 01 40
+   16 07 72 73 61 2e 63 6f 6d
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the IA5String value
+"test1@rsa.com" is
+
+16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d
+
+
+5.7 INTEGER
+
+The INTEGER type denotes an arbitrary integer. INTEGER
+values can be positive, negative, or zero, and can have any
+magnitude.
+
+The INTEGER type is used for version numbers throughout
+PKCS, cryptographic values such as modulus, exponent, and
+primes in PKCS #1's RSAPublicKey and RSAPrivateKey types and
+PKCS #3's DHParameter type, a message-digest iteration count
+in PKCS #5's PBEParameter type, and version numbers and
+serial numbers in X.509's Certificate type.
+
+ASN.1 notation:
+
+INTEGER [{ identifier1(value1) ... identifiern(valuen) }]
+
+where identifier1, ..., identifiern are optional distinct
+identifiers and value1, ..., valuen are optional integer
+values. The identifiers, when present, are associated with
+values of the type.
+
+Example: X.509's Version type is an INTEGER type with
+identified values:
+
+Version ::= INTEGER { v1988(0) }
+
+The identifier v1988 is associated with the value 0. X.509's
+Certificate type uses the identifier v1988 to give a default
+value of 0 for the version component:
+
+Certificate ::= ...
+  version Version DEFAULT v1988,
+...
+
+BER encoding. Primitive. Contents octets give the value of
+the integer, base 256, in two's complement form, most
+significant digit first, with the minimum number of octets.
+The value 0 is encoded as a single 00 octet.
+
+Some example BER encodings (which also happen to be DER
+encodings) are given in Table 3.
+
+                    Integer   BER encoding
+                    value
+                    0         02 01 00
+                    127       02 01 7F
+                    128       02 02 00 80
+                    256       02 02 01 00
+                    -128      02 01 80
+                    -129      02 02 FF 7F
+
+      Table 3. Example BER encodings of INTEGER values.
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+5.8 NULL
+
+The NULL type denotes a null value.
+
+The NULL type is used for algorithm parameters in several
+places in PKCS.
+
+ASN.1 notation:
+
+NULL
+
+BER encoding. Primitive. Contents octets are empty.
+
+Example: The BER encoding of a NULL value can be either of
+the following, as well as others, depending on the form of
+the length octets:
+
+05 00
+
+05 81 00
+
+DER encoding. Primitive. Contents octets are empty; the DER
+encoding of a NULL value is always 05 00.
+
+
+5.9 OBJECT IDENTIFIER
+
+The OBJECT IDENTIFIER type denotes an object identifier, a
+sequence of integer components that identifies an object
+such as an algorithm, an attribute type, or perhaps a
+registration authority that defines other object
+identifiers. An OBJECT IDENTIFIER value can have any number
+of components, and components can generally have any
+nonnegative value. This type is a non-string type.
+
+OBJECT IDENTIFIER values are given meanings by registration
+authorities. Each registration authority is responsible for
+all sequences of components beginning with a given sequence.
+A registration authority typically delegates responsibility
+for subsets of the sequences in its domain to other
+registration authorities, or for particular types of object.
+There are always at least two components.
+
+The OBJECT IDENTIFIER type is used to identify content in
+PKCS #7's ContentInfo type, to identify algorithms in
+X.509's AlgorithmIdentifier type, and to identify attributes
+in X.501's Attribute and AttributeValueAssertion types. The
+Attribute type is used by PKCS #6, #7, #8, #9, and #10, and
+the AttributeValueAssertion type is used in X.501
+distinguished names. OBJECT IDENTIFIER values are defined
+throughout PKCS.
+
+ASN.1 notation:
+
+OBJECT IDENTIFIER
+
+The ASN.1 notation for values of the OBJECT IDENTIFIER type
+is
+
+{ [identifier] component1 ... componentn }
+
+componenti = identifieri | identifieri (valuei) | valuei
+
+where identifier, identifier1, ..., identifiern are
+identifiers, and value1, ..., valuen are optional integer
+values.
+
+The form without identifier is the "complete" value with all
+its components; the form with identifier abbreviates the
+beginning components with another object identifier value.
+The identifiers identifier1, ..., identifiern are intended
+primarily for documentation, but they must correspond to the
+integer value when both are present. These identifiers can
+appear without integer values only if they are among a small
+set of identifiers defined in X.208.
+
+Example: The following values both refer to the object
+identifier assigned to RSA Data Security, Inc.:
+
+{ iso(1) member-body(2) 840 113549 }
+{ 1 2 840 113549 }
+
+(In this example, which gives ASN.1 value notation, the
+object identifier values are decimal, not hexadecimal.)
+Table 4 gives some other object identifier values and their
+meanings.
+
+ Object identifier value       Meaning
+ { 1 2 }                       ISO member bodies
+ { 1 2 840 }                   US (ANSI)
+ { 1 2 840 113549 }            RSA Data Security, Inc.
+ { 1 2 840 113549 1 }          RSA Data Security, Inc. PKCS
+ { 2 5 }                       directory services (X.500)
+ { 2 5 8 }                     directory services-algorithms
+
+ Table 4. Some object identifier values and their meanings.
+
+BER encoding. Primitive. Contents octets are as follows,
+where value1, ..., valuen denote the integer values of the
+components in the complete object identifier:
+
+     1.   The first octet has value 40 * value1 + value2.
+          (This is unambiguous, since value1 is limited to
+          values 0, 1, and 2; value2 is limited to the range
+          0 to 39 when value1 is 0 or 1; and, according to
+          X.208, n is always at least 2.)
+
+     2.   The following octets, if any, encode value3, ...,
+          valuen. Each value is encoded base 128, most
+          significant digit first, with as few digits as
+          possible, and the most significant bit of each
+          octet except the last in the value's encoding set
+          to "1."
+
+Example: The first octet of the BER encoding of RSA Data
+Security, Inc.'s object identifier is 40 * 1 + 2 = 42 =
+2a16. The encoding of 840 = 6 * 128 + 4816 is 86 48 and the
+encoding of 113549 = 6 * 1282 + 7716 * 128 + d16 is 86 f7
+0d. This leads to the following BER encoding:
+
+06 06 2a 86 48 86 f7 0d
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+5.10 OCTET STRING
+
+The OCTET STRING type denotes an arbitrary string of octets
+(eight-bit values). An OCTET STRING value can have any
+length, including zero. This type is a string type.
+
+The OCTET STRING type is used for salt values in PKCS #5's
+PBEParameter type, for message digests, encrypted message
+digests, and encrypted content in PKCS #7, and for private
+keys and encrypted private keys in PKCS #8.
+
+ASN.1 notation:
+
+OCTET STRING [SIZE ({size | size1..size2})]
+
+where size, size1, and size2 are optional size constraints.
+In the OCTET STRING SIZE (size) form, the octet string must
+have size octets. In the OCTET STRING SIZE (size1..size2)
+form, the octet string must have between size1 and size2
+octets. In the OCTET STRING form, the octet string can have
+any size.
+
+Example: PKCS #5's PBEParameter type has a component of type
+OCTET STRING:
+
+PBEParameter ::= SEQUENCE {
+  salt OCTET STRING SIZE(8),
+  iterationCount INTEGER }
+
+Here the size of the salt component is always eight octets.
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the value of the octet
+string, first octet to last octet. In a constructed
+encoding, the contents octets give the concatenation of the
+BER encodings of substrings of the OCTET STRING value.
+
+Example: The BER encoding of the OCTET STRING value 01 23 45
+67 89 ab cd ef can be any of the following, among others,
+depending on the form of length octets and whether the
+encoding is primitive or constructed:
+
+04 08 01 23 45 67 89 ab cd ef                   DER encoding
+
+04 81 08 01 23 45 67 89 ab cd ef  long form of length octets
+
+24 0c            constructed encoding: 01 ... 67 + 89 ... ef
+   04 04 01 23 45 67
+   04 04 89 ab cd ef
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The BER encoding of the OCTET STRING value 01 23 45
+67 89 ab cd ef is
+
+04 08 01 23 45 67 89 ab cd ef
+
+
+5.11 PrintableString
+
+The PrintableString type denotes an arbitrary string of
+printable characters from the following character set:
+
+                         A, B, ..., Z
+                         a, b, ..., z
+                         0, 1, ..., 9
+               (space) ' ( ) + , - . / : = ?
+
+This type is a string type.
+
+The PrintableString type is used in PKCS #9's challenge-
+password and unstructuerd-address attributes, and in several
+X.521 distinguished names attributes.
+
+ASN.1 notation:
+
+PrintableString
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+printable string, encoded in ASCII. In a constructed
+encoding, the contents octets give the concatenation of the
+BER encodings of consecutive substrings of the string.
+
+Example: The BER encoding of the PrintableString value "Test
+User 1" can be any of the following, among others, depending
+on the form of length octets and whether the encoding is
+primitive or constructed:
+
+13 0b 54 65 73 74 20 55 73 65 72 20 31          DER encoding
+
+13 81 0b                          long form of length octets
+   54 65 73 74 20 55 73 65 72 20 31
+
+33 0f               constructed encoding: "Test " + "User 1"
+   13 05 54 65 73 74 20
+   13 06 55 73 65 72 20 31
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the PrintableString value "Test
+User 1" is
+
+13 0b 54 65 73 74 20 55 73 65 72 20 31
+
+
+5.12 SEQUENCE
+
+The SEQUENCE type denotes an ordered collection of one or
+more types.
+
+The SEQUENCE type is used throughout PKCS and related
+standards.
+
+ASN.1 notation:
+
+SEQUENCE {
+  [identifier1] Type1 [{OPTIONAL | DEFAULT value1}],
+  ...,
+  [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]}
+
+where identifier1 , ..., identifiern are optional, distinct
+identifiers for the components, Type1, ..., Typen are the
+types of the components, and value1, ..., valuen are optional
+default values for the components. The identifiers are
+primarily for documentation; they do not affect values of
+the type or their encodings in any way.
+
+The OPTIONAL qualifier indicates that the value of a
+component is optional and need not be present in the
+sequence. The DEFAULT qualifier also indicates that the
+value of a component is optional, and assigns a default
+value to the component when the component is absent.
+
+The types of any consecutive series of components with the
+OPTIONAL or DEFAULT qualifier, as well as of any component
+immediately following that series, must have distinct tags.
+This requirement is typically satisfied with explicit or
+implicit tagging on some of the components.
+
+Example: X.509's Validity type is a SEQUENCE type with two
+components:
+
+Validity ::= SEQUENCE {
+  start UTCTime,
+  end UTCTime }
+
+Here the identifiers for the components are start and end,
+and the types of the components are both UTCTime.
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+components of the sequence, in order of definition, with the
+following rules for components with the OPTIONAL and DEFAULT
+qualifiers:
+
+     o    if the value of a component with the OPTIONAL or
+          DEFAULT qualifier is absent from the sequence,
+          then the encoding of that component is not
+          included in the contents octets
+
+     o    if the value of a component with the DEFAULT
+          qualifier is the default value, then the encoding
+          of that component may or may not be included in
+          the contents octets
+
+DER encoding. Constructed. Contents octets are the same as
+the BER encoding, except that if the value of a component
+with the DEFAULT qualifier is the default value, the
+encoding of that component is not included in the contents
+octets.
+
+
+5.13 SEQUENCE OF
+
+The SEQUENCE OF type denotes an ordered collection of zero
+or more occurrences of a given type.
+
+The SEQUENCE OF type is used in X.501 distinguished names.
+
+ASN.1 notation:
+
+SEQUENCE OF Type
+
+where Type is a type.
+
+Example: X.501's RDNSequence type consists of zero or more
+occurences of the RelativeDistinguishedName type, most
+significant occurrence first:
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+occurrences in the collection, in order of occurence.
+
+DER encoding. Constructed. Contents octets are the
+concatenation of the DER encodings of the values of the
+occurrences in the collection, in order of occurence.
+
+
+5.14 SET
+
+The SET type denotes an unordered collection of one or more
+types.
+
+The SET type is not used in PKCS.
+
+ASN.1 notation:
+
+SET {
+  [identifier1] Type1 [{OPTIONAL | DEFAULT value1}],
+  ...,
+  [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]}
+
+where identifier1, ..., identifiern are optional, distinct
+identifiers for the components, Type1, ..., Typen are the
+types of the components, and value1, ..., valuen are
+optional default values for the components. The identifiers
+are primarily for documentation; they do not affect values
+of the type or their encodings in any way.
+
+The OPTIONAL qualifier indicates that the value of a
+component is optional and need not be present in the set.
+The DEFAULT qualifier also indicates that the value of a
+component is optional, and assigns a default value to the
+component when the component is absent.
+
+The types must have distinct tags. This requirement is
+typically satisfied with explicit or implicit tagging on
+some of the components.
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+components of the set, in any order, with the following
+rules for components with the OPTIONAL and DEFAULT
+qualifiers:
+
+     o    if the value of a component with the OPTIONAL or
+          DEFAULT qualifier is absent from the set, then the
+          encoding of that component is not included in the
+          contents octets
+
+     o    if the value of a component with the DEFAULT
+          qualifier is the default value, then the encoding
+          of that component may or may not be included in
+          the contents octets
+
+DER encoding. Constructed. Contents octets are the same as
+for the BER encoding, except that:
+
+     1.   If the value of a component with the DEFAULT
+          qualifier is the default value, the encoding of
+          that component is not included.
+
+     2.   There is an order to the components, namely
+          ascending order by tag.
+
+
+5.15 SET OF
+
+The SET OF type denotes an unordered collection of zero or
+more occurrences of a given type.
+
+The SET OF type is used for sets of attributes in PKCS #6,
+#7, #8, #9 and #10, for sets of message-digest algorithm
+identifiers, signer information, and recipient information
+in PKCS #7, and in X.501 distinguished names.
+
+ASN.1 notation:
+
+SET OF Type
+
+where Type is a type.
+
+Example: X.501's RelativeDistinguishedName type consists of
+zero or more occurrences of the AttributeValueAssertion
+type, where the order is unimportant:
+
+RelativeDistinguishedName ::=
+  SET OF AttributeValueAssertion
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+occurrences in the collection, in any order.
+
+DER encoding. Constructed. Contents octets are the same as
+for the BER encoding, except that there is an order, namely
+ascending lexicographic order of BER encoding. Lexicographic
+comparison of two different BER encodings is done as
+follows: Logically pad the shorter BER encoding after the
+last octet with dummy octets that are smaller in value than
+any normal octet. Scan the BER encodings from left to right
+until a difference is found. The smaller-valued BER encoding
+is the one with the smaller-valued octet at the point of
+difference.
+
+
+5.16 T61String
+
+The T61String type denotes an arbtrary string of T.61
+characters. T.61 is an eight-bit extension to the ASCII
+character set. Special "escape" sequences specify the
+interpretation of subsequent character values as, for
+example, Japanese; the initial interpretation is Latin. The
+character set includes non-printing control characters. The
+T61String type allows only the Latin and Japanese character
+interepretations, and implementors' agreements for directory
+names exclude control characters [NIST92]. A T61String value
+can have any length, including zero. This type is a string
+type.
+
+The T61String type is used in PKCS #9's unstructured-address
+and challenge-password attributes, and in several X.521
+attributes.
+
+ASN.1 notation:
+
+T61String
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+T.61 string, encoded in ASCII. In a constructed encoding,
+the contents octets give the concatenation of the BER
+encodings of consecutive substrings of the T.61 string.
+
+Example: The BER encoding of the T61String value "cl'es
+publiques" (French for "public keys") can be any of the
+following, among others, depending on the form of length
+octets and whether the encoding is primitive or constructed:
+
+14 0f                                           DER encoding
+   63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+14 81 0f                          long form of length octets
+   63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+34 15      constructed encoding: "cl'es" + " " + "publiques"
+   14 05 63 6c c2 65 73
+   14 01 20
+   14 09 70 75 62 6c 69 71 75 65 73
+
+The eight-bit character c2 is a T.61 prefix that adds an
+acute accent (') to the next character.
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the T61String value "cl'es
+publiques" is
+
+14 0f 63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+
+5.17 UTCTime
+
+The UTCTime type denotes a "coordinated universal time" or
+Greenwich Mean Time (GMT) value. A UTCTime value includes
+the local time precise to either minutes or seconds, and an
+offset from GMT in hours and minutes. It takes any of the
+following forms:
+
+YYMMDDhhmmZ
+YYMMDDhhmm+hh'mm'
+YYMMDDhhmm-hh'mm'
+YYMMDDhhmmssZ
+YYMMDDhhmmss+hh'mm'
+YYMMDDhhmmss-hh'mm'
+
+where:
+
+     YY is the least significant two digits of the year
+
+     MM is the month (01 to 12)
+
+     DD is the day (01 to 31)
+
+     hh is the hour (00 to 23)
+
+     mm are the minutes (00 to 59)
+
+     ss are the seconds (00 to 59)
+
+     Z indicates that local time is GMT, + indicates that
+          local time is later than GMT, and - indicates that
+          local time is earlier than GMT
+
+     hh' is the absolute value of the offset from GMT in
+          hours
+
+     mm' is the absolute value of the offset from GMT in
+          minutes
+
+This type is a string type.
+
+The UTCTime type is used for signing times in PKCS #9's
+signing-time attribute and for certificate validity periods
+in X.509's Validity type.
+
+ASN.1 notation:
+
+UTCTime
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+string, encoded in ASCII. In a constructed encoding, the
+contents octets give the concatenation of the BER encodings
+of consecutive substrings of the string. (The constructed
+encoding is not particularly interesting, since UTCTime
+values are so short, but the constructed encoding is
+permitted.)
+
+Example: The time this sentence was originally written was
+4:45:40 p.m. Pacific Daylight Time on May 6, 1991, which can
+be represented with either of the following UTCTime values,
+among others:
+
+"910506164540-0700"
+
+"910506234540Z"
+
+These values have the following BER encodings, among others:
+
+17 0d 39 31 30 35 30 36 32 33 34 35 34 30 5a
+
+17 11 39 31 30 35 30 36 31 36 34 35 34 30 2D 30 37 30
+      30
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+6. An example
+
+This section gives an example of ASN.1 notation and DER
+encoding: the X.501 type Name.
+
+
+6.1 Abstract notation
+
+This section gives the ASN.1 notation for the X.501 type
+Name.
+
+Name ::= CHOICE {
+  RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::=
+  SET OF AttributeValueAssertion
+
+AttributeValueAssertion ::= SEQUENCE {
+   AttributeType,
+   AttributeValue }
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY
+
+The Name type identifies an object in an X.500 directory.
+Name is a CHOICE type consisting of one alternative:
+RDNSequence. (Future revisions of X.500 may have other
+alternatives.)
+
+The RDNSequence type gives a path through an X.500 directory
+tree starting at the root. RDNSequence is a SEQUENCE OF type
+consisting of zero or more occurences of
+RelativeDistinguishedName.
+
+The RelativeDistinguishedName type gives a unique name to an
+object relative to the object superior to it in the
+directory tree. RelativeDistinguishedName is a SET OF type
+consisting of zero or more occurrences of
+AttributeValueAssertion.
+
+The AttributeValueAssertion type assigns a value to some
+attribute of a relative distinguished name, such as country
+name or common name. AttributeValueAssertion is a SEQUENCE
+type consisting of two components, an AttributeType type and
+an AttributeValue type.
+
+The AttributeType type identifies an attribute by object
+identifier. The AttributeValue type gives an arbitrary
+attribute value. The actual type of the attribute value is
+determined by the attribute type.
+
+
+6.2 DER encoding
+
+This section gives an example of a DER encoding of a value
+of type Name, working from the bottom up.
+
+The name is that of the Test User 1 from the PKCS examples
+[Kal93]. The name is represented by the following path:
+
+                           (root)
+                              |
+                     countryName = "US"
+                              |
+          organizationName = "Example Organization"
+                              |
+                 commonName = "Test User 1"
+
+Each level corresponds to one RelativeDistinguishedName
+value, each of which happens for this name to consist of one
+AttributeValueAssertion value. The AttributeType value is
+before the equals sign, and the AttributeValue value (a
+printable string for the given attribute types) is after the
+equals sign.
+
+The countryName, organizationName, and commonUnitName are
+attribute types defined in X.520 as:
+
+attributeType OBJECT IDENTIFIER ::=
+  { joint-iso-ccitt(2) ds(5) 4 }
+
+countryName OBJECT IDENTIFIER ::= { attributeType 6 }
+organizationName OBJECT IDENTIFIER ::=
+  { attributeType 10 }
+commonUnitName OBJECT IDENTIFIER ::=
+  { attributeType 3 }
+
+
+6.2.1 AttributeType
+
+The three AttributeType values are OCTET STRING values, so
+their DER encoding follows the primitive, definite-length
+method:
+
+06 03 55 04 06                                   countryName
+
+06 03 55 04 0a                              organizationName
+
+06 03 55 04 03                                    commonName
+
+The identifier octets follow the low-tag form, since the tag
+is 6 for OBJECT IDENTIFIER. Bits 8 and 7 have value "0,"
+indicating universal class, and bit 6 has value "0,"
+indicating that the encoding is primitive. The length octets
+follow the short form. The contents octets are the
+concatenation of three octet strings derived from
+subidentifiers (in decimal): 40 * 2 + 5 = 85 = 5516; 4; and
+6, 10, or 3.
+
+
+6.2.2 AttributeValue
+
+The three AttributeValue values are PrintableString values,
+so their encodings follow the primitive, definite-length
+method:
+
+13 02 55 53                                             "US"
+
+13 14                                 "Example Organization"
+   45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61
+   74 69 6f 6e
+
+13 0b                                          "Test User 1"
+   54 65 73 74 20 55 73 65 72 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for PrintableString, 19 (decimal), is between 0 and
+30. Bits 8 and 7 have value "0" since PrintableString is in
+the universal class. Bit 6 has value "0" since the encoding
+is primitive. The length octets follow the short form, and
+the contents octets are the ASCII representation of the
+attribute value.
+
+
+6.2.3 AttributeValueAssertion
+
+The three AttributeValueAssertion values are SEQUENCE
+values, so their DER encodings follow the constructed,
+definite-length method:
+
+30 09                                     countryName = "US"
+   06 03 55 04 06
+   13 02 55 53
+
+30 1b              organizationName = "Example Organizaiton"
+   06 03 55 04 0a
+   13 14 ... 6f 6e
+
+30 12                             commonName = "Test User 1"
+   06 03 55 04 0b
+   13 0b ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SEQUENCE, 16 (decimal), is between 0 and 30.
+Bits 8 and 7 have value "0" since SEQUENCE is in the
+universal class. Bit 6 has value "1" since the encoding is
+constructed. The length octets follow the short form, and
+the contents octets are the concatenation of the DER
+encodings of the attributeType and attributeValue
+components.
+
+
+6.2.4 RelativeDistinguishedName
+
+The three RelativeDistinguishedName values are SET OF
+values, so their DER encodings follow the constructed,
+definite-length method:
+
+31 0b
+   30 09 ... 55 53
+
+31 1d
+   30 1b ... 6f 6e
+
+31 14
+   30 12 ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SET OF, 17 (decimal), is between 0 and 30. Bits
+8 and 7 have value "0" since SET OF is in the universal
+class Bit 6 has value "1" since the encoding is constructed.
+The lengths octets follow the short form, and the contents
+octets are the DER encodings of the respective
+AttributeValueAssertion values, since there is only one
+value in each set.
+
+
+6.2.5 RDNSequence
+
+The RDNSequence value is a SEQUENCE OF value, so its DER
+encoding follows the constructed, definite-length method:
+
+30 42
+   31 0b ... 55 53
+   31 1d ... 6f 6e
+   31 14 ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SEQUENCE OF, 16 (decimal), is between 0 and 30.
+Bits 8 and 7 have value "0" since SEQUENCE OF is in the
+universal class. Bit 6 has value "1" since the encoding is
+constructed. The lengths octets follow the short form, and
+the contents octets are the concatenation of the DER
+encodings of the three RelativeDistinguishedName values, in
+order of occurrence.
+
+
+6.2.6 Name
+
+The Name value is a CHOICE value, so its DER encoding is the
+same as that of the RDNSequence value:
+
+30 42
+   31 0b
+      30 09
+         06 03 55 04 06          attributeType = countryName
+         13 02 55 53                   attributeValue = "US"
+   31 1d
+      30 1b
+         06 03 55 04 0a     attributeType = organizationName
+         13 14       attributeValue = "Example Organization"
+            45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61
+            74 69 6f 6e
+
+   31 14
+      30 12
+         06 03 55 04 03           attributeType = commonName
+         13 0b                attributeValue = "Test User 1"
+            54 65 73 74 20 55 73 65 72 20 31
+
+
+References
+
+PKCS #1   RSA Laboratories. PKCS #1: RSA Encryption
+          Standard. Version 1.5, November 1993.
+
+PKCS #3   RSA Laboratories. PKCS #3: Diffie-Hellman Key-
+          Agreement Standard. Version 1.4, November 1993.
+
+PKCS #5   RSA Laboratories. PKCS #5: Password-Based
+          Encryption Standard. Version 1.5, November 1993.
+
+PKCS #6   RSA Laboratories. PKCS #6: Extended-Certificate
+          Syntax Standard. Version 1.5, November 1993.
+
+PKCS #7   RSA Laboratories. PKCS #7: Cryptographic Message
+          Syntax Standard. Version 1.5, November 1993.
+
+PKCS #8   RSA Laboratories. PKCS #8: Private-Key Information
+          Syntax Standard. Version 1.2, November 1993.
+
+PKCS #9   RSA Laboratories. PKCS #9: Selected Attribute
+          Types. Version 1.1, November 1993.
+
+PKCS #10  RSA Laboratories. PKCS #10: Certification Request
+          Syntax Standard. Version 1.0, November 1993.
+
+X.200     CCITT. Recommendation X.200: Reference Model of
+          Open Systems Interconnection for CCITT
+          Applications. 1984.
+
+X.208     CCITT. Recommendation X.208: Specification of
+          Abstract Syntax Notation One (ASN.1). 1988.
+
+X.209     CCITT. Recommendation X.209: Specification of
+          Basic Encoding Rules for Abstract Syntax Notation
+          One (ASN.1). 1988.
+
+X.500     CCITT. Recommendation X.500: The
+          Directory--Overview of Concepts, Models and
+          Services. 1988.
+
+X.501     CCITT. Recommendation X.501: The Directory--
+          Models. 1988.
+
+X.509     CCITT. Recommendation X.509: The Directory--
+          Authentication Framework. 1988.
+
+X.520     CCITT. Recommendation X.520: The Directory--
+          Selected Attribute Types. 1988.
+
+[Kal93]   Burton S. Kaliski Jr. Some Examples of the PKCS
+          Standards. RSA Laboratories, November 1993.
+
+[NIST92]  NIST. Special Publication 500-202: Stable
+          Implementation Agreements for Open Systems
+          Interconnection Protocols. Part 11 (Directory
+          Services Protocols). December 1992.
+
+
+Revision history
+
+
+June 3, 1991 version
+
+The June 3, 1991 version is part of the initial public
+release of PKCS. It was published as NIST/OSI Implementors'
+Workshop document SEC-SIG-91-17.
+
+
+November 1, 1993 version
+
+The November 1, 1993 version incorporates several editorial
+changes, including the addition of a revision history. It is
+updated to be consistent with the following versions of the
+PKCS documents:
+
+     PKCS #1: RSA Encryption Standard. Version 1.5, November
+          1993.
+
+     PKCS #3: Diffie-Hellman Key-Agreement Standard. Version
+          1.4, November 1993.
+
+     PKCS #5: Password-Based Encryption Standard. Version
+          1.5, November 1993.
+
+     PKCS #6: Extended-Certificate Syntax Standard. Version
+          1.5, November 1993.
+
+     PKCS #7: Cryptographic Message Syntax Standard. Version
+          1.5, November 1993.
+
+     PKCS #8: Private-Key Information Syntax Standard.
+          Version 1.2, November 1993.
+
+     PKCS #9: Selected Attribute Types. Version 1.1,
+          November 1993.
+
+     PKCS #10: Certification Request Syntax Standard.
+          Version 1.0, November 1993.
+
+The following substantive changes were made:
+
+     Section 5: Description of T61String type is added.
+
+     Section 6: Names are changed, consistent with other
+          PKCS examples.
+
+
+Author's address
+
+Burton S. Kaliski Jr., Ph.D.
+Chief Scientist
+RSA Laboratories              (415) 595-7703
+100 Marine Parkway            (415) 595-4126 (fax)
+Redwood City, CA  94065  USA  burt@rsa.com
diff --git a/crypto/heimdal/doc/mdate-sh b/crypto/heimdal/doc/mdate-sh
new file mode 100755
index 0000000..37171f2
--- /dev/null
+++ b/crypto/heimdal/doc/mdate-sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+# Get modification time of a file or directory and pretty-print it.
+# Copyright (C) 1995, 1996, 1997 Free Software Foundation, Inc.
+# written by Ulrich Drepper <drepper@gnu.ai.mit.edu>, June 1995
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Prevent date giving response in another language.
+LANG=C
+export LANG
+LC_ALL=C
+export LC_ALL
+LC_TIME=C
+export LC_TIME
+
+# Get the extended ls output of the file or directory.
+# On HPUX /bin/sh, "set" interprets "-rw-r--r--" as options, so the "x" below.
+if ls -L /dev/null 1>/dev/null 2>&1; then
+  set - x`ls -L -l -d $1`
+else
+  set - x`ls -l -d $1`
+fi
+# The month is at least the fourth argument
+# (3 shifts here, the next inside the loop).
+shift
+shift
+shift
+
+# Find the month.  Next argument is day, followed by the year or time.
+month=
+until test $month
+do
+  shift
+  case $1 in
+    Jan) month=January; nummonth=1;;
+    Feb) month=February; nummonth=2;;
+    Mar) month=March; nummonth=3;;
+    Apr) month=April; nummonth=4;;
+    May) month=May; nummonth=5;;
+    Jun) month=June; nummonth=6;;
+    Jul) month=July; nummonth=7;;
+    Aug) month=August; nummonth=8;;
+    Sep) month=September; nummonth=9;;
+    Oct) month=October; nummonth=10;;
+    Nov) month=November; nummonth=11;;
+    Dec) month=December; nummonth=12;;
+  esac
+done
+
+day=$2
+
+# Here we have to deal with the problem that the ls output gives either
+# the time of day or the year.
+case $3 in
+  *:*) set `date`; eval year=\$$#
+       case $2 in
+	 Jan) nummonthtod=1;;
+	 Feb) nummonthtod=2;;
+	 Mar) nummonthtod=3;;
+	 Apr) nummonthtod=4;;
+	 May) nummonthtod=5;;
+	 Jun) nummonthtod=6;;
+	 Jul) nummonthtod=7;;
+	 Aug) nummonthtod=8;;
+	 Sep) nummonthtod=9;;
+	 Oct) nummonthtod=10;;
+	 Nov) nummonthtod=11;;
+	 Dec) nummonthtod=12;;
+       esac
+       # For the first six month of the year the time notation can also
+       # be used for files modified in the last year.
+       if (expr $nummonth \> $nummonthtod) > /dev/null;
+       then
+	 year=`expr $year - 1`
+       fi;;
+  *) year=$3;;
+esac
+
+# The result.
+echo $day $month $year
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
new file mode 100644
index 0000000..e926536
--- /dev/null
+++ b/crypto/heimdal/doc/misc.texi
@@ -0,0 +1,62 @@
+@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
+@chapter Things in search for a better place
+
+@section Making things work on Ciscos
+
+Modern versions of Cisco IOS has some support for authenticating via
+Kerberos 5. This can be used both to verify passwords via a ticket
+exchange Kerberos 5 (boring), and to use Kerberos authenticated telnet
+to access your router (less boring). The following has been tested on
+IOS 11.2(12), things might be different with other versions. Old
+versions are known to have bugs.
+
+To make this work, you will first have to configure your router to use
+Kerberos (this is explained in the documentation). A sample
+configuration looks like the following:
+
+@example
+aaa new-model
+aaa authentication login default krb5-telnet krb5 enable
+aaa authorization exec krb5-instance
+kerberos local-realm FOO.SE
+kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
+kerberos server FOO.SE 10.0.0.1
+kerberos instance map admin 15
+@end example
+
+This tells you (among other things) that the when logging in, the router
+should try to authenticate with kerberized telnet, and if that fails try
+to verify a plain text password via a Kerberos ticket exchange (as
+opposed to a local database or RADIUS or something similar), and if that
+fails try the local enable password. If you're not careful when you
+specify the `login default' authentication mechanism, you might not be
+able to login. The `instance map' and `authorization exec' lines says
+that people with `admin' instances should be given `enabled' shells when
+logging in.
+
+To make the Heimdal KDC produce tickets that the Cisco can decode you
+might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
+KDC. You will also have to specify that the router can't handle anything
+but @samp{des-cbc-crc}. There currently isn't an easy way to do
+this. The best you can do is to dump your database (with @samp{kadmin -l
+dump}), remove all entries for keys other than @samp{des-cbc-crc}, and
+then reloading the database (@samp{kadmin -l load}). An example should
+clarify this. You should have something like (again, truncated):
+@example 
+host/router.foo.se@@FOO.SE 4:0:1:...:-:... - - - - - - - 126
+@end example
+Change this to:
+@example 
+host/router.foo.se@@FOO.SE 4:0:1:...:- - - - - - - - 126
+@end example
+
+This all fine and so, but unless you have an IOS version with encryption
+(available only in the U.S) it doesn't really solve any problems. Sure
+you don't have to send your password over the wire, but since the telnet
+connection isn't protected it's still possible for someone to steal your
+session. This won't be fixed until someone adds integrity to the telnet
+protocol.
+
+A working solution would be to hook up a machine with a real operating
+system to the console of the Cisco and then use it as a backwards
+terminal server.
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
new file mode 100644
index 0000000..a43eb7e
--- /dev/null
+++ b/crypto/heimdal/doc/setup.texi
@@ -0,0 +1,247 @@
+@node Setting up a realm, Things in search for a better place, Building and Installing, Top
+@chapter Setting up a realm
+
+A
+@cindex realm
+realm is an administrative domain.  The name of a Kerberos realm is
+usually the Internet domain name in uppercase.  Call your realm the same
+as your Internet domain name if you do not have strong reasons for not
+doing so.  It will make life easier for you and everyone else.
+
+@section Configuration file
+
+To setup a realm you will first have to create a configuration file:
+@file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
+configuration options, some of which are described here.
+
+There is a sample @file{krb5.conf} supplied with the distribution.
+
+The configuration file is a hierarchical structure consisting of
+sections, each containing a list of bindings (either variable
+assignments or subsections). A section starts with
+@samp{[section-name]}.  A binding consists of a left hand side, an equal
+(@samp{=}) and a right hand side (the left hand side tag must be
+separated from the equal with some whitespace.) Subsections has a
+@samp{@{} as the first non-whitespace character after the equal. All
+other bindings are treated as variable assignments. The value of a
+variable extends to the end of the line.
+
+@example
+[section1]
+        a-subsection = @{
+                var = value1
+                other-var = value with @{@}
+                sub-sub-section = @{ 
+                        var = 123
+                @}
+        @}
+        var = some other value
+[section2]
+        var = yet another value
+@end example
+
+In this manual, names of sections and bindings will be given as strings
+separated by slashes (@samp{/}). The @samp{other-var} variable will thus
+be @samp{section1/a-subsection/other-var}.
+
+For in-depth information about the contents of the config file, refer to
+the @file{krb5.conf} manual page. Some of the more important sections
+are briefly described here.
+
+The @samp{libdefaults} section contains a list of library configuration
+parameters, such as the default realm and the timeout for kdc
+responses. The @samp{realms} section contains information about specific
+realms, such as where they hide their KDC. This section serves the same
+purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
+information. Finally the @samp{domain_realm} section contains a list of
+mappings from domains to realms, equivalent to the Kerberos 4
+@file{krb.realms} file.
+
+To continue with the realm setup, you will have to create a config file,
+with contents similar to the following.
+
+@example
+[libdefaults]
+        default_realm = MY.REALM
+[realms]
+        MY.REALM = @{
+                kdc = my.kdc
+        @}
+[domain_realm]
+        .my.domain = MY.REALM
+
+@end example
+
+If you use a realm name equal to your domain name, you can omit the
+@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a
+SRV-record for your realm, or your kerberos server has CNAME called
+@samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
+
+@section Creating the database
+
+The database library will look for the database in @file{/var/heimdal},
+so you should probably create that directory.
+
+The keys of all the principals are stored in the database.  If you
+choose to, these can be encrypted with a master key.  You do not have to
+remember this key (or password), but just to enter it once and it will
+be stored in a file (@file{/var/heimdal/m-key}).  If you want to have a
+master key, run @samp{kstash} to create this master key:
+
+@example
+# kstash
+Master key: 
+Verifying password - Master key: 
+@end example
+
+To initialise the database use the @code{kadmin} program, with the
+@samp{-l} option (to enable local database mode). First issue a
+@kbd{init MY.REALM} command. This will create the database and insert
+default principals for that realm. You can have more than one realm in
+one database, so @samp{init} does not destroy any old database.
+
+Before creating the database, @samp{init} will ask you some questions
+about max ticket lifetimes.
+
+After creating the database you should probably add yourself to it. You
+do this with the @samp{add} command. It takes as argument the name of a
+principal. The principal should contain a realm, so if you haven't setup
+a default realm, you will need to explicitly include the realm.
+
+@example
+# kadmin -l
+kadmin> init MY.REALM
+Realm max ticket life [unlimited]:
+Realm max renewable ticket life [unlimited]:
+kadmin> add me  
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Attributes []:
+Password: 
+Verifying password - Password: 
+@end example
+
+Now start the KDC and try getting a ticket.
+
+@example
+# kdc &
+# kinit me
+me@@MY.REALMS's Password:
+# klist
+Credentials cache: /tmp/krb5cc_0
+        Principal: me@@MY.REALM
+
+  Issued           Expires          Principal
+Aug 25 07:25:55  Aug 25 17:25:55  krbtgt/MY.REALM@@MY.REALM
+@end example
+
+If you are curious you can use the @samp{dump} command to list all the
+entries in the database.  It should look something similar to the
+following example (note that the entries here are truncated for
+typographical reasons):
+
+@smallexample
+kadmin> dump
+me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
+kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
+krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
+kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
+@end smallexample
+
+@section keytabs
+
+To extract a service ticket from the database and put it in a keytab you
+need to first create the principal in the database with @samp{ank}
+(using the @kbd{--random} flag to get a random password) and then
+extract it with @samp{ext_keytab}.
+
+@example
+kadmin> add --random host/my.host.name
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Attributes []:
+kadmin> ext host/my.host.name
+# ktutil list
+Version  Type             Principal
+     1   des-cbc-md5      host/my.host.name@@MY.REALM
+     1   des-cbc-md4      host/my.host.name@@MY.REALM
+     1   des-cbc-crc      host/my.host.name@@MY.REALM
+     1   des3-cbc-sha1    host/my.host.name@@MY.REALM
+@end example
+
+@section Remote administration
+
+The administration server, @samp{kadmind}, is started by @samp{inetd}
+and you should add a line similar to the one below to your
+@file{/etc/inetd.conf}.
+
+@example
+kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmind
+@end example
+
+You might need to add @samp{kerberos-adm} to your @file{/etc/services}
+as 749/tcp.
+
+Access to the admin server is controlled by an acl-file, (default
+@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
+following syntax:
+@smallexample
+principal       [priv1,priv2,...]
+@end smallexample
+
+The privileges you can assign to a principal are: @samp{add},
+@samp{change-password} (or @samp{cpw} for short), @samp{delete},
+@samp{get}, @samp{list}, and @samp{modify}, or the special privilege
+@samp{all}. All of these roughly corresponds to the different commands
+in @samp{kadmin}.
+
+@section Password changing
+
+To allow users to change their passwords, you should run @samp{kpasswdd}.
+It is not run from @samp{inetd}.
+
+You might need to add @samp{kpasswd} to your @file{/etc/services} as
+464/udp.
+
+@subsection Password quality assurance
+
+It is important that users have good passwords, both to make it harder
+to guess them and to avoid off-line attacks (pre-authentication provides
+some defense against off-line attacks).  To ensure that the users choose
+good passwords, you can enable password quality controls in
+@samp{kpasswdd}.  The controls themselves are done in a shared library
+that is used by @samp{kpasswdd}.  To configure in these controls, add
+lines similar to the following to your @file{/etc/krb5.conf}:
+
+@example
+[password_quality]
+        check_library = @var{library}
+        check_function = @var{function}
+@end example
+
+The function @var{function} in the shared library @var{library} will be
+called for proposed new passwords.  The function should be declared as:
+
+@example
+const char *
+function(krb5_context context, krb5_principal principal, krb5_data *pwd);
+@end example
+
+The function should verify that @var{pwd} is a good password for
+@var{principal} and if so return @code{NULL}.  If it is deemed to be of
+low quality, it should return a string explaining why that password
+should not be used.
+
+Code for a password quality checking function that uses the cracklib
+library can be found in @file{kpasswd/sample_password_check.c} in the
+source code distribution.  It requires the cracklib library built with
+the patch available at
+@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
+
+If no password quality checking function is configured, it is only
+verified that it is at least six characters of length.
+
+@section Testing clients and servers
+
+Now you should be able to run all the clients and servers.  Refer to the
+appropriate man pages for information on how to use them.
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
new file mode 100644
index 0000000..a97ef9d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
@@ -0,0 +1,412 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-01.txt              Microsoft 
+Category: Informational                                    October 1999 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   The basic RC4 encryption operation is used in this encryption type 
+   and defined in [8]. In this document the function is referred to as 
+   RC4(Key, Data) returning the encrypted data using the specified key 
+   on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signature key")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+    
+   ENCRYPT(K, T, data) 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                L = concat("fortybits", T) //includes zero octet at 
+                                           //end of string constant 
+        Else 
+                L = T 
+        Ksign = HMAC(K,L) 
+        Confounder = nonce(8) // get an 8 octet nonce for a confounder 
+        Checksum = HMAC(Ksign, concat(Confounder, data)) 
+        Ke = Ksign 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                memset(&Ke[7], 0x0ab, 9) 
+        Ke2 = HMAC(Ke, Checksum) 
+        data = RC4(Ke2, data) 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS based messages is as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+    
+   GSS-ENCRYPT(K, T, data) 
+        IV = SND_SEQ 
+        K = XOR(K, 0xf0f0f0f0f0f0f0f0f0f0f0f0f0f0f0) 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                L = concat("fortybits", T) //includes zero octet at end 
+        else 
+                L = T 
+        Ksign = HMAC(K, L) 
+        Ke = Ksign 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                memset(&Ke[7], 0x0ab, 9) 
+        Ke2 = HMAC(Ke, IV) 
+        Data = RC4(Ke2, data) 
+        SND_SEQ = RC4(Ke, seq#) 
+         
+   The sequence number (SND_SEQ) and IV are used as defined in [5] 
+   Section 1.2.2. 
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+8. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isnÆt used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+9. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  RC4 is a proprietary encryption algorithm available under license 
+             from RSA Data Security Inc.  For licensing information, 
+      contact: 
+             RSA Data Security, Inc. 
+             100 Marine Parkway 
+             Redwood City, CA 94065-1031 
+ 
+   9  Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+10. Author's Addresses 
+    
+   Mike Swift 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: mikesw@microsoft.com  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+11. Full Copyright Statement 
+ 
+   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
+    
+   This document and translations of it may be copied and furnished to 
+   others, and derivative works that comment on or otherwise explain it 
+   or assist in its implementation may be prepared, copied, published 
+   and distributed, in whole or in part, without restriction of any 
+   kind, provided that the above copyright notice and this paragraph 
+   are included on all such copies and derivative works.  However, this   
+   document itself may not be modified in any way, such as by removing   
+   the copyright notice or references to the Internet Society or other   
+   Internet organizations, except as needed for the purpose of 
+   developing Internet standards in which case the procedures for 
+   copyrights defined in the Internet Standards process must be 
+   followed, or as required to translate it into languages other than 
+   English. 
+    
+   The limited permissions granted above are perpetual and will not be 
+   revoked by the Internet Society or its successors or assigns. 
+    
+   This document and the information contained herein is provided on an 
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      7 
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-foo b/crypto/heimdal/doc/standardisation/draft-foo
new file mode 100644
index 0000000..8174d46
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo
@@ -0,0 +1,171 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-ipv6.txt>                                      SICS
+Internet-Draft                                             October, 1997
+Expire in six months
+
+                           Kerberos over IPv6
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document specifies the address types and transport types
+   necessary for using Kerberos [RFC1510] over IPv6 [RFC1883].
+
+Specification
+
+   IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+   order.  The type of IPv6 addresses is twenty-four (24).
+
+   The following addresses (see [RFC1884]) MUST not appear in any
+   Kerberos packet:
+
+   the Unspecified Address
+   the Loopback Address
+   Link-Local addresses
+
+   IPv4-mapped IPv6 addresses MUST be represented as addresses of type
+   2.
+
+
+
+
+Westerlund                                                      [Page 1]
+
+Internet Draft             Kerberos over IPv6              October, 1997
+
+
+   Communication with the KDC over IPv6 MUST be done as in section 8.2.1
+   of [RFC1510].
+
+Discussion
+
+   [RFC1510] suggests using the address family constants in
+   <sys/socket.h> from BSD.  This cannot be done for IPv6 as these
+   numbers have diverged and are different on different BSD-derived
+   systems.  [RFC2133] does not either specify a value for AF_INET6.
+   Thus a value has to be decided and the implementations have to
+   convert between the value used in Kerberos HostAddress and the local
+   AF_INET6.
+
+   There are a few different address types in IPv6, see [RFC1884].  Some
+   of these are used for quite special purposes and it makes no sense to
+   include them in Kerberos packets.
+
+   It is necessary to represent IPv4-mapped addresses as Internet
+   addresses (type 2) to be compatible with Kerberos implementations
+   that only support IPv4.
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
+   (IPv6) Specification", RFC 1883, December 1995.
+
+   [RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing
+   Architecture", RFC 1884, December 1995.
+
+   [RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
+   Socket Interface Extensions for IPv6", RFC2133, April 1997.
+
+Author's Address
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+
+
+
+Westerlund                                                      [Page 2]
+
+Internet Draft             Kerberos over IPv6              October, 1997
+
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund                                                      [Page 3]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo.ms b/crypto/heimdal/doc/standardisation/draft-foo.ms
new file mode 100644
index 0000000..62b109a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo.ms
@@ -0,0 +1,136 @@
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Westerlund
+.ds RF [Page %]
+.ds CF
+.ds LH Internet Draft
+.ds RH October, 1997
+.ds CH Kerberos over IPv6
+.hy 0
+.ad l
+.in 0
+.ta \n(.luR
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-ipv6.txt>	SICS
+Internet-Draft	October, 1997
+Expire in six months
+
+.ce
+Kerberos over IPv6
+
+.ti 0
+Status of this Memo
+
+.in 3
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its
+areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-
+Drafts as reference material or to cite them other than as
+"work in progress."
+
+To view the entire list of current Internet-Drafts, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
+(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
+Coast), or ftp.isi.edu (US West Coast).
+
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+
+.ti 0
+Abstract
+
+.in 3
+This document specifies the address types and transport types
+necessary for using Kerberos [RFC1510] over IPv6 [RFC1883].
+
+.ti 0
+Specification
+
+.in 3
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+order.  The type of IPv6 addresses is twenty-four (24).
+
+The following addresses (see [RFC1884]) MUST not appear in any
+Kerberos packet:
+
+the Unspecified Address
+.br
+the Loopback Address
+.br
+Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+Communication with the KDC over IPv6 MUST be done as in section
+8.2.1 of [RFC1510].
+
+.ti 0
+Discussion
+
+.in 3
+[RFC1510] suggests using the address family constants in
+<sys/socket.h> from BSD.  This cannot be done for IPv6 as these
+numbers have diverged and are different on different BSD-derived
+systems.  [RFC2133] does not either specify a value for AF_INET6.
+Thus a value has to be decided and the implementations have to convert
+between the value used in Kerberos HostAddress and the local AF_INET6.
+
+There are a few different address types in IPv6, see [RFC1884].  Some
+of these are used for quite special purposes and it makes no sense to
+include them in Kerberos packets.
+
+It is necessary to represent IPv4-mapped addresses as Internet
+addresses (type 2) to be compatible with Kerberos implementations that
+only support IPv4.
+
+.ti 0
+Security considerations
+
+.in 3
+This memo does not introduce any known security considerations in
+addition to those mentioned in [RFC1510].
+
+.ti 0
+References
+
+.in 3
+[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+Authentication Service (V5)", RFC 1510, September 1993.
+
+[RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
+(IPv6) Specification", RFC 1883, December 1995.
+
+[RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing
+Architecture", RFC 1884, December 1995.
+
+[RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
+Socket Interface Extensions for IPv6", RFC2133, April 1997.
+
+.ti 0
+Author's Address
+
+Assar Westerlund
+.br
+Swedish Institute of Computer Science
+.br
+Box 1263
+.br
+S-164 29  KISTA
+.br
+Sweden
+
+Phone: +46-8-7521526
+.br
+Fax:   +46-8-7517230
+.br
+EMail: assar@sics.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo2 b/crypto/heimdal/doc/standardisation/draft-foo2
new file mode 100644
index 0000000..0fa695f
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo2
@@ -0,0 +1,171 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-tcp.txt>                                       SICS
+Internet-Draft                                          Johan Danielsson
+November, 1997                                                  PDC, KTH
+Expire in six months
+
+                           Kerberos over TCP
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document specifies how the communication should be done between
+   a client and a KDC using Kerberos [RFC1510] with TCP as the transport
+   protocol.
+
+Specification
+
+   This draft specifies an extension to section 8.2.1 of RFC1510.
+
+   A Kerberos server MAY accept requests on TCP port 88 (decimal).
+
+   The data sent from the client to the KDC should consist of 4 bytes
+   containing the length, in network byte order, of the Kerberos
+   request, followed by the request (AS-REQ or TGS-REQ) itself.  The
+   reply from the KDC should consist of the length of the reply packet
+   (4 bytes, network byte order) followed by the packet itself (AS-REP,
+   TGS-REP, or KRB-ERROR).
+
+
+
+
+Westerlund, Danielsson                                          [Page 1]
+
+Internet Draft             Kerberos over TCP              November, 1997
+
+
+   C->S: Open connection to TCP port 88 at the server
+   C->S: length of request
+   C->S: AS-REQ or TGS-REQ
+   S->C: length of reply
+   S->C: AS-REP, TGS-REP, or KRB-ERROR
+
+Discussion
+
+   Even though the preferred way of sending kerberos packets is over UDP
+   there are several occasions when it's more practical to use TCP.
+
+   Mainly, it's usually much less cumbersome to get TCP through
+   firewalls than UDP.
+
+   In theory, there's no reason for having explicit length fields, that
+   information is already encoded in the ASN1 encoding of the Kerberos
+   packets.  But having explicit lengths makes it unnecessary to have to
+   decode the ASN.1 encoding just to know how much data has to be read.
+
+   Another way of signaling the end of the request of the reply would be
+   to do a half-close after the request and a full-close after the
+   reply.  This does not work well with all kinds of firewalls.
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+Authors' Addresses
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+   Johan Danielsson
+   PDC, KTH
+   S-100 44  STOCKHOLM
+
+
+
+Westerlund, Danielsson                                          [Page 2]
+
+Internet Draft             Kerberos over TCP              November, 1997
+
+
+   Sweden
+
+   Phone: +46-8-7907885
+   Fax:   +46-8-247784
+   EMail: joda@pdc.kth.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund, Danielsson                                          [Page 3]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo2.ms b/crypto/heimdal/doc/standardisation/draft-foo2.ms
new file mode 100644
index 0000000..7e0fa0a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo2.ms
@@ -0,0 +1,145 @@
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Westerlund, Danielsson
+.ds RF [Page %]
+.ds CF
+.ds LH Internet Draft
+.ds RH November, 1997
+.ds CH Kerberos over TCP
+.hy 0
+.ad l
+.in 0
+.ta \n(.luR
+.nf
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-tcp.txt>	SICS
+Internet-Draft	Johan Danielsson
+November, 1997	PDC, KTH
+Expire in six months
+.fi
+
+.ce
+Kerberos over TCP
+
+.ti 0
+Status of this Memo
+
+.in 3
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its
+areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-
+Drafts as reference material or to cite them other than as
+"work in progress."
+
+To view the entire list of current Internet-Drafts, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
+(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
+Coast), or ftp.isi.edu (US West Coast).
+
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+
+.ti 0
+Abstract
+
+.in 3
+This document specifies how the communication should be done between a
+client and a KDC using Kerberos [RFC1510] with TCP as the transport
+protocol.
+
+.ti 0
+Specification
+
+This draft specifies an extension to section 8.2.1 of RFC1510. 
+
+A Kerberos server MAY accept requests on TCP port 88 (decimal).
+
+The data sent from the client to the KDC should consist of 4 bytes
+containing the length, in network byte order, of the Kerberos request,
+followed by the request (AS-REQ or TGS-REQ) itself.  The reply from
+the KDC should consist of the length of the reply packet (4 bytes,
+network byte order) followed by the packet itself (AS-REP, TGS-REP, or
+KRB-ERROR).
+
+.nf
+C->S: Open connection to TCP port 88 at the server
+C->S: length of request
+C->S: AS-REQ or TGS-REQ
+S->C: length of reply
+S->C: AS-REP, TGS-REP, or KRB-ERROR
+.fi
+
+.ti 0
+Discussion
+
+Even though the preferred way of sending kerberos packets is over UDP
+there are several occasions when it's more practical to use TCP.
+
+Mainly, it's usually much less cumbersome to get TCP through firewalls
+than UDP.
+
+In theory, there's no reason for having explicit length fields, that
+information is already encoded in the ASN1 encoding of the Kerberos
+packets.  But having explicit lengths makes it unnecessary to have to
+decode the ASN.1 encoding just to know how much data has to be read.
+
+Another way of signaling the end of the request of the reply would be
+to do a half-close after the request and a full-close after the reply.
+This does not work well with all kinds of firewalls.
+
+.ti 0
+Security considerations
+
+.in 3
+This memo does not introduce any known security considerations in
+addition to those mentioned in [RFC1510].
+
+.ti 0
+References
+
+.in 3
+[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+Authentication Service (V5)", RFC 1510, September 1993.
+
+.ti 0
+Authors' Addresses
+
+Assar Westerlund
+.br
+Swedish Institute of Computer Science
+.br
+Box 1263
+.br
+S-164 29  KISTA
+.br
+Sweden
+
+Phone: +46-8-7521526
+.br
+Fax:   +46-8-7517230
+.br
+EMail: assar@sics.se
+
+Johan Danielsson
+.br
+PDC, KTH
+.br
+S-100 44  STOCKHOLM
+.br
+Sweden
+
+Phone: +46-8-7907885
+.br
+Fax:   +46-8-247784
+.br
+EMail: joda@pdc.kth.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo3 b/crypto/heimdal/doc/standardisation/draft-foo3
new file mode 100644
index 0000000..2b8b7bb
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo3
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-firewalls.txt>                                 SICS
+Internet-Draft                                          Johan Danielsson
+November, 1997                                                  PDC, KTH
+Expire in six months
+
+                         Kerberos vs firewalls
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+Introduction
+
+   Kerberos[RFC1510] is a protocol for authenticating parties
+   communicating over insecure networks.
+
+   Firewalling is a technique for achieving an illusion of security by
+   putting restrictions on what kinds of packets and how these are sent
+   between the internal (so called "secure") network and the global (or
+   "insecure") Internet.
+
+Definitions
+
+   client: the user, process, and host acquiring tickets from the KDC
+   and authenticating itself to the kerberised server.
+
+   KDC: the Kerberos Key Distribution Center
+
+
+
+
+Westerlund, Danielsson                                          [Page 1]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   Kerberised server: the server using Kerberos to authenticate the
+   client, for example telnetd.
+
+Firewalls
+
+   A firewall is usually placed between the "inside" and the "outside"
+   networks, and is supposed to protect the inside from the evils on the
+   outside.  There are different kinds of firewalls.  The main
+   differences are in the way they forward packets.
+
+   o+  The most straight forward type is the one that just imposes
+      restrictions on incoming packets. Such a firewall could be
+      described as a router that filters packets that match some
+      criteria.
+
+   o+  They may also "hide" some or all addresses on the inside of the
+      firewall, replacing the addresses in the outgoing packets with the
+      address of the firewall (aka network address translation, or NAT).
+      NAT can also be used without any packet filtering, for instance
+      when you have more than one host sharing a single address (for
+      example, with a dialed-in PPP connection).
+
+   There are also firewalls that does NAT both on the inside and the
+   outside (a server on the inside will see this as a connection from
+   the firewall).
+
+   o+  A third type is the proxy type firewall, that parses the contents
+      of the packets, basically acting as a server to the client, and as
+      a client to the server (man-in-the-middle). If Kerberos is to be
+      used with this kind of firewall, a protocol module that handles
+      KDC requests has to be written.
+
+   This type of firewall might also cause extra trouble when used with
+   kerberised versions of protocols that the proxy understands, in
+   addition to the ones mentioned below. This is the case with the FTP
+   Security Extensions [RFC2228], that adds a new set of commands to the
+   FTP protocol [RFC959], for integrity, confidentiality, and privacy
+   protecting commands. When transferring data, the FTP protocol uses a
+   separate data channel, and an FTP proxy will have to look out for
+   commands that start a data transfer. If all commands are encrypted,
+   this is impossible. A protocol that doesn't suffer from this is the
+   Telnet Authentication Option [RFC1416] that does all authentication
+   and encryption in-bound.
+
+Scenarios
+
+   Here the different scenarios we have considered are described, the
+   problems they introduce and the proposed ways of solving them.
+
+
+
+Westerlund, Danielsson                                          [Page 2]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   Combinations of these can also occur.
+
+ Client behind firewall
+
+   This is the most typical and common scenario.  First of all the
+   client needs some way of communicating with the KDC.  This can be
+   done with whatever means and is usually much simpler when the KDC is
+   able to communicate over TCP.
+
+   Apart from that, the client needs to be sure that the ticket it will
+   acquire from the KDC can be used to authenticate to a server outside
+   its firewall.  For this, it needs to add the address(es) of potential
+   firewalls between itself and the KDC/server, to the list of its own
+   addresses when requesting the ticket.  We are not aware of any
+   protocol for determining this set of addresses, thus this will have
+   to be manually configured in the client.
+
+   The client could also request a ticket with no addresses, but some
+   KDCs and servers might not accept such a ticket.
+
+   With the ticket in possession, communication with the kerberised
+   server will not need to be any different from communicating between a
+   non-kerberised client and server.
+
+ Kerberised server behind firewall
+
+   The kerberised server does not talk to the KDC at all so nothing
+   beyond normal firewall-traversal techniques for reaching the server
+   itself needs to be applied.
+
+   The kerberised server needs to be able to retrieve the original
+   address (before its firewall) that the request was sent for.  If this
+   is done via some out-of-band mechanism or it's directly able to see
+   it doesn't matter.
+
+ KDC behind firewall
+
+   The same restrictions applies for a KDC as for any other server.
+
+Specification
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+
+
+
+Westerlund, Danielsson                                          [Page 3]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   [RFC959] Postel, J. and Reynolds, J., "File Transfer Protocol (FTP)",
+   RFC 969, October 1985
+
+   [RFC1416] Borman, D., "Telnet Authentication Option", RFC 1416,
+   February 1993.
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions",
+   RFC2228, October 1997.
+
+Authors' Addresses
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+   Johan Danielsson
+   PDC, KTH
+   S-100 44  STOCKHOLM
+   Sweden
+
+   Phone: +46-8-7907885
+   Fax:   +46-8-247784
+   EMail: joda@pdc.kth.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund, Danielsson                                          [Page 4]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo3.ms b/crypto/heimdal/doc/standardisation/draft-foo3.ms
new file mode 100644
index 0000000..c024ca3
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo3.ms
@@ -0,0 +1,260 @@
+.\" even if this file is called .ms, it's using the me macros.
+.\" to format try something like `nroff -me'
+.\" level 2 heading
+.de HH
+.$p "\\$2" "" "\\$1"
+.$0 "\\$2"
+..
+.\" make sure footnotes produce the right thing with nroff
+.ie t \
+\{\
+.ds { \v'-0.4m'\x'\\n(0x=0*-0.2m'\s-3
+.ds } \s0\v'0.4m'
+.\}
+.el \
+\{\
+.ds { [
+.ds } ]
+.\}
+.ds * \\*{\\n($f\\*}\k*
+.\" page footer
+.fo 'Westerlund, Danielsson''[Page %]'
+.\" date
+.ds RH \*(mo, 19\n(yr
+.\" left margin
+.nr lm 6
+.\" heading indent per level
+.nr si 3n
+.\" footnote indent
+.nr fi 0
+.\" paragraph indent
+.nr po 0
+.\" don't hyphenate
+.hy 0
+.\" left adjustment
+.ad l
+.\" indent 0
+.in 0
+.\" line length 16cm and page length 25cm (~10 inches)
+.ll 16c
+.pl 25c
+.ta \n(.luR
+.nf
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-firewalls.txt>	SICS
+Internet-Draft	Johan Danielsson
+\*(RH	PDC, KTH
+Expire in six months	
+.fi
+
+.\" page header, has to be set here so it won't appear on page 1
+.he 'Internet Draft'Kerberos vs firewalls'\*(RH'
+.ce
+.b "Kerberos vs firewalls"
+
+.HH 1 "Status of this Memo"
+.lp
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its areas,
+and its working groups.  Note that other groups may also distribute
+working documents as Internet-Drafts.
+.lp
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.  It is inappropriate to use Internet- Drafts as reference
+material or to cite them other than as \*(lqwork in progress.\*(rq
+.lp
+To view the entire list of current Internet-Drafts, please check the
+\*(lq1id-abstracts.txt\*(rq listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+ftp.isi.edu (US West Coast).
+.lp
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+.HH 1 "Abstract"
+.lp
+Kerberos and firewalls both deal with security, but doesn't get along
+very well. This memo discusses ways to use Kerberos in a firewalled
+environment.
+.HH 1 "Introduction"
+.lp
+Kerberos[RFC1510]
+.(d
+[RFC1510]
+Kohl, J. and Neuman, C., \*(lqThe Kerberos Network Authentication
+Service (V5)\*(rq, RFC 1510, September 1993.
+.)d
+is a protocol for authenticating parties communicating over insecure
+networks.  Firewalling is a technique for achieving an illusion of
+security by putting restrictions on what kinds of packets and how
+these are sent between the internal (so called \*(lqsecure\*(rq)
+network and the global (or \*(lqinsecure\*(rq) Internet.  The problems
+with firewalls are many, but to name a few:
+.np
+Firewalls usually doesn't allow people to use UDP. The reason for this
+is that UDP is (by firewall advocates) considered insecure. This
+belief is probably based on the fact that many \*(lqinsecure\*(rq
+protocols (like NFS) use UDP. UDP packets are also considered easy to
+fake.
+.np
+Firewalls usually doesn't allow people to connect to arbitrary ports,
+such as the ports used when talking to the KDC.
+.np
+In many non-computer organisations, the computer staff isn't what
+you'd call \*(lqwizards\*(rq; a typical case is an academic
+institution, where someone is taking care of the computers part time,
+and is doing research the rest of the time. Adding a complex device
+like a firewall to an environment like this, often leads to poorly run
+systems that is more a hindrance for the legitimate users than to
+possible crackers.
+.lp
+The easiest way to deal with firewalls is to ignore them, however in
+some cases this just isn't possible. You might have users that are
+stuck behind a firewall, but also has to access your system, or you
+might find yourself behind a firewall, for instance when out
+travelling.
+.lp
+To make it possible for people to use Kerberos from behind a firewall,
+there are several things to consider.
+.(q
+.i
+Add things to do when stuck behind a firewall, like talking about the
+problem with local staff, making them open some port in the firewall,
+using some other port, or proxy.
+.r
+.)q
+.HH 1 "Firewalls"
+.lp
+A firewall is usually placed between the \*(lqinside\*(rq and the
+\*(lqoutside\*(rq networks, and is supposed to protect the inside from the
+evils on the outside.  There are different kinds of firewalls.  The
+main differences are in the way they forward (or doesn't) packets.
+.ip \(bu
+The most straight forward type is the one that just imposes
+restrictions on incoming packets. Such a firewall could be described
+as a router that filters packets that match some criteria.
+.ip \(bu
+They may also \*(lqhide\*(rq some or all addresses on the inside of the
+firewall, replacing the addresses in the outgoing packets with the
+address of the firewall (aka network address translation, or NAT). NAT
+can also be used without any packet filtering, for instance when you
+have more than one host sharing a single address (e.g with a dialed-in
+PPP connection).
+.ip
+There are also firewalls that does NAT both on the inside and the
+outside (a server on the inside will see this as a connection from the
+firewall).
+.ip \(bu
+A third type is the proxy type firewall, that parses the contents of
+the packets, basically acting as a server to the client, and as a
+client to the server (man-in-the-middle). If Kerberos is to be used
+with this kind of firewall, a protocol module that handles KDC
+requests has to be written\**.
+.(f
+\**Instead of writing a new module for Kerberos, it can be possible to
+hitch a ride on some other protocol, that's already beeing handled by
+the proxy.
+.)f
+.lp
+The last type of firewall might also cause extra trouble when used
+with kerberised versions of protocols that the proxy understands, in
+addition to the ones mentioned below. This is the case with the FTP
+Security Extensions [RFC2228],
+.(d
+[RFC2228]
+Horowitz, M. and Lunt, S., \*(lqFTP Security Extensions\*(rq, RFC2228,
+October 1997.
+.)d
+that adds a new set of commands to the FTP protocol [RFC959],
+.(d
+[RFC959] Postel, J. and Reynolds, J., \*(lqFile Transfer Protocol
+(FTP)\*(rq, RFC 969, October 1985
+.)d
+for integrity, confidentiality, and privacy protecting commands, and
+data. When transferring data, the FTP protocol uses a separate data
+channel, and an FTP proxy will have to look out for commands that
+start a data transfer. If all commands are encrypted, this is
+impossible. A protocol that doesn't suffer from this is the Telnet
+Authentication Option [RFC1416]
+.(d
+[RFC1416]
+Borman, D., \*(lqTelnet Authentication Option\*(rq, RFC 1416, February
+1993.
+.)d
+that does all
+authentication and encryption in-bound.
+.HH 1 "Scenarios"
+.lp
+Here the different scenarios we have considered are described, the
+problems they introduce and the proposed ways of solving them.
+Combinations of these can also occur.
+.HH 2 "Client behind firewall"
+.lp
+This is the most typical and common scenario.  First of all the client
+needs some way of communicating with the KDC.  This can be done with
+whatever means and is usually much simpler when the KDC is able to
+communicate over TCP.
+.lp
+Apart from that, the client needs to be sure that the ticket it will
+acquire from the KDC can be used to authenticate to a server outside
+its firewall.  For this, it needs to add the address(es) of potential
+firewalls between itself and the KDC/server, to the list of its own
+addresses when requesting the ticket.  We are not aware of any
+protocol for determining this set of addresses, thus this will have to
+be manually configured in the client.
+.lp
+The client could also request a ticket with no addresses. This is not
+a recommended way to solve this problem. The address was put into the
+ticket to make it harder to use a stolen ticket.  A ticket without
+addresses will therefore be less \*(lqsecure.\*(rq RFC1510 also says that
+the KDC may refuse to issue, and the server may refuse to accept an
+address-less ticket.
+.lp
+With the ticket in possession, communication with the kerberised
+server will not need to be any different from communicating between a
+non-kerberised client and server.
+.HH 2 "Kerberised server behind firewall"
+.lp
+The kerberised server does not talk to the KDC at all, so nothing
+beyond normal firewall-traversal techniques for reaching the server
+itself needs to be applied.
+.lp
+If the firewall rewrites the clients address, the server will have to
+use some other (possibly firewall specific) protocol to retrieve the
+original address. If this is not possible, the address field will have
+to be ignored. This has the same effect as if there were no addresses
+in the ticket (see the discussion above).
+.HH 2 "KDC behind firewall"
+.lp
+The KDC is in this respect basically just like any other server.
+.\" .uh "Specification"
+.HH 1 "Security considerations"
+.lp
+Since the whole network behind a NAT-type firewall looks like one
+computer from the outside, any security added by the addresses in the
+ticket will be lost.
+.HH 1 "References"
+.lp
+.pd
+.HH 1 "Authors' Addresses"
+.lp
+.nf
+Assar Westerlund
+Swedish Institute of Computer Science
+Box 1263
+S-164 29 KISTA
+.sp
+Phone: +46-8-7521526
+Fax: +46-8-7517230
+EMail: assar@sics.se
+.sp 2
+Johan Danielsson
+Center for Parallel Computers
+KTH
+S-100 44 STOCKHOLM
+.sp
+Phone: +46-8-7906356
+Fax: +46-8-247784
+EMail: joda@pdc.kth.se
+.fi
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt b/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
new file mode 100644
index 0000000..4dcff48
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
@@ -0,0 +1,244 @@
+Network Working Group                                        M. Horowitz
+<draft-horowitz-key-derivation-01.txt>                  Cygnus Solutions
+Internet-Draft                                               March, 1997
+
+
+       Key Derivation for Authentication, Integrity, and Privacy
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   author.
+
+Abstract
+
+   Recent advances in cryptography have made it desirable to use longer
+   cryptographic keys, and to make more careful use of these keys.  In
+   particular, it is considered unwise by some cryptographers to use the
+   same key for multiple purposes.  Since most cryptographic-based
+   systems perform a range of functions, such as authentication, key
+   exchange, integrity, and encryption, it is desirable to use different
+   cryptographic keys for these purposes.
+
+   This RFC does not define a particular protocol, but defines a set of
+   cryptographic transformations for use with arbitrary network
+   protocols and block cryptographic algorithm.
+
+
+Deriving Keys
+
+   In order to use multiple keys for different functions, there are two
+   possibilities:
+
+    - Each protocol ``key'' contains multiple cryptographic keys.  The
+      implementation would know how to break up the protocol ``key'' for
+      use by the underlying cryptographic routines.
+
+    - The protocol ``key'' is used to derive the cryptographic keys.
+      The implementation would perform this derivation before calling
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+      the underlying cryptographic routines.
+
+   In the first solution, the system has the opportunity to provide
+   separate keys for different functions.  This has the advantage that
+   if one of these keys is broken, the others remain secret.  However,
+   this comes at the cost of larger ``keys'' at the protocol layer.  In
+   addition, since these ``keys'' may be encrypted, compromising the
+   cryptographic key which is used to encrypt them compromises all the
+   component keys.  Also, the not all ``keys'' are used for all possible
+   functions.  Some ``keys'', especially those derived from passwords,
+   are generated from limited amounts of entropy.  Wasting some of this
+   entropy on cryptographic keys which are never used is unwise.
+
+   The second solution uses keys derived from a base key to perform
+   cryptographic operations.  By carefully specifying how this key is
+   used, all of the advantages of the first solution can be kept, while
+   eliminating some disadvantages.  In particular, the base key must be
+   used only for generating the derived keys, and this derivation must
+   be non-invertible and entropy-preserving.  Given these restrictions,
+   compromise of one derived keys does not compromise the other subkeys.
+   Attack of the base key is limited, since it is only used for
+   derivation, and is not exposed to any user data.
+
+   Since the derived key has as much entropy as the base keys (if the
+   cryptosystem is good), password-derived keys have the full benefit of
+   all the entropy in the password.
+
+   To generate a derived key from a base key:
+
+      Derived Key = DK(Base Key, Well-Known Constant)
+
+   where
+
+      DK(Key, Constant) = n-truncate(E(Key, Constant))
+
+   In this construction, E(Key, Plaintext) is a block cipher, Constant
+   is a well-known constant defined by the protocol, and n-truncate
+   truncates its argument by taking the first n bits; here, n is the key
+   size of E.
+
+   If the output of E is is shorter than n bits, then some entropy in
+   the key will be lost.  If the Constant is smaller than the block size
+   of E, then it must be padded so it may be encrypted.  If the Constant
+   is larger than the block size, then it must be folded down to the
+   block size to avoid chaining, which affects the distribution of
+   entropy.
+
+   In any of these situations, a variation of the above construction is
+   used, where the folded Constant is encrypted, and the resulting
+   output is fed back into the encryption as necessary (the | indicates
+   concatentation):
+
+      K1 = E(Key, n-fold(Constant))
+      K2 = E(Key, K1)
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+      K3 = E(Key, K2)
+      K4 = ...
+
+      DK(Key, Constant) = n-truncate(K1 | K2 | K3 | K4 ...)
+
+   n-fold is an algorithm which takes m input bits and ``stretches''
+   them to form n output bits with no loss of entropy, as described in
+   [Blumenthal96].  In this document, n-fold is always used to produce n
+   bits of output, where n is the key size of E.
+
+   If the size of the Constant is not equal to the block size of E, then
+   the Constant must be n-folded to the block size of E.  This number is
+   used as input to E.  If the block size of E is less than the key
+   size, then the output from E is taken as input to a second invocation
+   of E.  This process is repeated until the number of bits accumulated
+   is greater than or equal to the key size of E.  When enough bits have
+   been computed, the first n are taken as the derived key.
+
+   Since the derived key is the result of one or more encryptions in the
+   base key, deriving the base key from the derived key is equivalent to
+   determining the key from a very small number of plaintext/ciphertext
+   pairs.  Thus, this construction is as strong as the cryptosystem
+   itself.
+
+
+Deriving Keys from Passwords
+
+   When protecting information with a password or other user data, it is
+   necessary to convert an arbitrary bit string into an encryption key.
+   In addition, it is sometimes desirable that the transformation from
+   password to key be difficult to reverse.  A simple variation on the
+   construction in the prior section can be used:
+
+      Key = DK(n-fold(Password), Well-Known Constant)
+
+   The n-fold algorithm is reversible, so recovery of the n-fold output
+   is equivalent to recovery of Password.  However, recovering the n-
+   fold output is difficult for the same reason recovering the base key
+   from a derived key is difficult.
+
+
+
+   Traditionally, the transformation from plaintext to ciphertext, or
+   vice versa, is determined by the cryptographic algorithm and the key.
+   A simple way to think of derived keys is that the transformation is
+   determined by the cryptographic algorithm, the constant, and the key.
+
+   For interoperability, the constants used to derive keys for different
+   purposes must be specified in the protocol specification.  The
+   constants must not be specified on the wire, or else an attacker who
+   determined one derived key could provide the associated constant and
+   spoof data using that derived key, rather than the one the protocol
+   designer intended.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+   Determining which parts of a protocol require their own constants is
+   an issue for the designer of protocol using derived keys.
+
+
+Security Considerations
+
+   This entire document deals with security considerations relating to
+   the use of cryptography in network protocols.
+
+
+Acknowledgements
+
+   I would like to thank Uri Blumenthal, Hugo Krawczyk, and Bill
+   Sommerfeld for their contributions to this document.
+
+
+References
+
+   [Blumenthal96] Blumenthal, U., "A Better Key Schedule for DES-Like
+      Ciphers", Proceedings of PRAGOCRYPT '96, 1996.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 4]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
new file mode 100644
index 0000000..ccba35e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
@@ -0,0 +1,62 @@
+
+
+A new Request for Comments is now available in online RFC libraries.
+
+
+        RFC 2078
+
+        Title:      Generic Security Service Application Program
+                    Interface, Version 2
+        Author:     J. Linn
+        Date:       January 1997
+        Mailbox:    John.Linn@ov.com
+        Pages:      85
+        Characters: 185990
+        Obsoletes:  1508
+
+        URL:        ftp://ds.internic.net/rfc/rfc2078.txt
+
+
+This memo revises RFC-1508, making specific, incremental changes in
+response to implementation experience and liaison requests. It is
+intended, therefore, that this memo or a successor version thereto
+will become the basis for subsequent progression of the GSS-API
+specification on the standards track.  This document is a product of
+the Common Authentication Technology Working Group.
+
+This is now a Proposed Standard Protocol.
+
+This document specifies an Internet standards track protocol for the
+Internet community, and requests discussion and suggestions for
+improvements.  Please refer to the current edition of the "Internet
+Official Protocol Standards" (STD 1) for the standardization state and
+status of this protocol.  Distribution of this memo is unlimited.
+
+This announcement is sent to the IETF list and the RFC-DIST list.
+Requests to be added to or deleted from the IETF distribution list
+should be sent to IETF-REQUEST@CNRI.RESTON.VA.US.  Requests to be
+added to or deleted from the RFC-DIST distribution list should
+be sent to RFC-DIST-REQUEST@ISI.EDU.
+
+Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
+an EMAIL message to rfc-info@ISI.EDU with the message body 
+help: ways_to_get_rfcs.  For example:
+
+        To: rfc-info@ISI.EDU
+        Subject: getting rfcs
+
+        help: ways_to_get_rfcs
+
+Requests for special distribution should be addressed to either the
+author of the RFC in question, or to admin@DS.INTERNIC.NET.  Unless
+specifically noted otherwise on the RFC itself, all RFCs are for
+unlimited distribution.
+
+Submissions for Requests for Comments should be sent to
+RFC-EDITOR@ISI.EDU.  Please consult RFC 1543, Instructions to RFC
+Authors, for further information.
+
+
+Joyce K. Reynolds and Mary Kennedy
+USC/Information Sciences Institute
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
new file mode 100644
index 0000000..518f4c6
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
@@ -0,0 +1,6188 @@
+
+   Internet draft                                                    J.Wray
+   IETF Common Authentication Technology WG   Digital Equipment Corporation
+   <draft-ietf-cat-gssv2-cbind-04.txt>                           March 1997
+
+
+
+             Generic Security Service API Version 2 : C-bindings
+
+
+   1. STATUS OF THIS MEMO
+
+   This document is an Internet Draft.  Internet Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its Areas, and
+   its Working Groups.  Note that other groups may also distribute working
+   documents as Internet Drafts.  Internet Drafts are draft documents valid
+   for a maximum of six months. Internet Drafts may be updated, replaced,
+   or obsoleted by other documents at any time.  It is not appropriate to
+   use Internet Drafts as reference material or to cite them other than as
+   a "working draft" or "work in progress." Please check the I-D abstract
+   listing contained in each Internet Draft directory to learn the current
+   status of this or any other Internet Draft.
+
+   Comments on this document should be sent to "cat-ietf@MIT.EDU", the IETF
+   Common Authentication Technology WG discussion list.
+
+
+   2. ABSTRACT
+
+   This draft document specifies C language bindings for Version 2 of the
+   Generic Security Service Application Program Interface (GSSAPI), which
+   is described at a language-independent conceptual level in other drafts
+   [GSSAPI]. It revises RFC-1509, making specific incremental changes in
+   response to implementation experience and liaison requests.  It is
+   intended, therefore, that this draft or a successor version thereof will
+   become the basis for subsequent progression of the GSS-API specification
+   on the standards track.
+
+   The Generic Security Service Application Programming Interface provides
+   security services to its callers, and is intended for implementation
+   atop a variety of underlying cryptographic mechanisms.  Typically,
+   GSSAPI callers will be application protocols into which security
+   enhancements are integrated through invocation of services provided by
+   the GSSAPI. The GSSAPI allows a caller application to authenticate a
+   principal identity associated with a peer application, to delegate
+   rights to a peer, and to apply security services such as confidentiality
+   and integrity on a per-message basis.
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 1]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   3. INTRODUCTION
+
+   The Generic Security Service Application Programming Interface [GSSAPI]
+   provides security services to calling applications.  It allows a
+   communicating application to authenticate the user associated with
+   another application, to delegate rights to another application, and to
+   apply security services such as confidentiality and integrity on a per-
+   message basis.
+
+   There are four stages to using the GSSAPI:
+
+     (a) The application acquires a set of credentials with which it may
+         prove its identity to other processes.  The application's
+         credentials vouch for its global identity, which may or may not be
+         related to any local username under which it may be running.
+
+     (b) A pair of communicating applications establish a joint security
+         context using their credentials.  The security context is a pair
+         of GSSAPI data structures that contain shared state information,
+         which is required in order that per-message security services may
+         be provided.  Examples of state that might be shared between
+         applications as part of a security context are cryptographic keys,
+         and message sequence numbers.  As part of the establishment of a
+         security context, the context initiator is authenticated to the
+         responder, and may require that the responder is authenticated in
+         turn.  The initiator may optionally give the responder the right
+         to initiate further security contexts, acting as an agent or
+         delegate of the initiator.  This transfer of rights is termed
+         delegation, and is achieved by creating a set of credentials,
+         similar to those used by the initiating application, but which may
+         be used by the responder.
+
+         To establish and maintain the shared information that makes up the
+         security context, certain GSSAPI calls will return a token data
+         structure, which is a cryptographically protected opaque data
+         type.  The caller of such a GSSAPI routine is responsible for
+         transferring the token to the peer application, encapsulated if
+         necessary in an application-application protocol.  On receipt of
+         such a token, the peer application should pass it to a
+         corresponding GSSAPI routine which will decode the token and
+         extract the information, updating the security context state
+         information accordingly.
+
+     (c) Per-message services are invoked to apply either:
+
+           (i) integrity and data origin authentication, or
+
+          (ii) confidentiality, integrity and data origin authentication
+
+         to application data, which are treated by GSSAPI as arbitrary
+         octet-strings.  An application transmitting a message that it
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 2]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         wishes to protect will call the appropriate GSSAPI routine
+         (gss_get_mic or gss_wrap) to apply protection, specifying the
+         appropriate security context, and send the resulting token to the
+         receiving application.  The receiver will pass the received token
+         (and, in the case of data protected by gss_get_mic, the
+         accompanying message-data) to the corresponding decoding routine
+         (gss_verify_mic or gss_unwrap) to remove the protection and
+         validate the data.
+
+     (d) At the completion of a communications session (which may extend
+         across several transport connections), each application calls a
+         GSSAPI routine to delete the security context.  Multiple contexts
+         may also be used (either successively or simultaneously) within a
+         single communications association, at the option of the
+         applications.
+
+
+   4. GSSAPI ROUTINES
+
+   This section lists the routines that make up the GSSAPI, and offers a
+   brief description of the purpose of each routine.  Detailed descriptions
+   of each routine are listed in alphabetical order in section 7.
+
+   Table 4-1  GSSAPI Credential-management Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_acquire_cred          7.2  Assume a global identity;
+                                    Obtain a GSSAPI credential
+                                    handle for pre-existing
+                                    credentials.
+
+     gss_add_cred              7.3  Construct credentials
+                                    incrementally
+
+     gss_inquire_cred          7.21 Obtain information about
+                                    a credential.
+
+     gss_inquire_cred_by_mech  7.22 Obtain per-mechanism information
+                                    about a credential.
+
+     gss_release_cred          7.27 Discard a credential handle.
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 3]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Table 4-2  GSSAPI Context-level Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_init_sec_context      7.19 Initiate a security context
+                                    with a peer application
+
+
+     gss_accept_sec_context    7.1  Accept a security context
+                                    initiated by a peer
+                                    application
+
+     gss_delete_sec_context    7.9  Discard a security context
+
+     gss_process_context_token 7.25 Process a token on a security
+                                    context from a peer
+                                    application
+
+     gss_context_time          7.7  Determine for how long a
+                                    context will remain valid
+
+     gss_inquire_context       7.20 Obtain information about a
+                                    security context
+
+     gss_wrap_size_limit       7.33 Determine token-size limit for
+                                    gss_wrap on a context
+
+     gss_export_sec_context    7.14 Transfer a security context to
+                                    another process
+
+     gss_import_sec_context    7.17 Import a transferred context
+
+
+
+
+   Table 4-3  GSSAPI Per-message Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_get_mic               7.15 Calculate a cryptographic
+                                    Message Integrity Code (MIC)
+                                    for a message; integrity service
+
+     gss_verify_mic            7.32 Check a MIC against a message;
+                                    verify integrity of a received
+                                    message
+
+     gss_wrap                  7.36 Attach a MIC to a message, and
+                                    optionally encrypt the message
+                                    content; confidentiality service
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 4]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     gss_unwrap                7.31 Verify a message with attached
+                                    MIC, and decrypt message
+                                    content if necessary.
+
+
+
+
+   Table 4-4  GSSAPI Name manipulation Routines
+
+         ROUTINE              SECTION        FUNCTION
+
+     gss_import_name            7.16 Convert a contiguous string name
+                                     to internal-form
+
+     gss_display_name           7.10 Convert internal-form name
+                                     to text
+
+     gss_compare_name           7.6  Compare two internal-form names
+
+     gss_release_name           7.28 Discard an internal-form name
+
+     gss_inquire_names_for_mech 7.24 List the name-types supported
+                                     by a specified mechanism
+
+     gss_inquire_mechs_for_name 7.23 List mechanisms that support
+                                     a given nametype
+
+     gss_canonicalize_name      7.5  Convert an internal name to
+                                     an MN.
+
+     gss_export_name            7.13 Convert an MN to export form
+
+     gss_duplicate_name         7.12 Create a copy of an internal name
+
+
+
+
+   Table 4-5  GSSAPI Miscellaneous Routines
+
+         ROUTINE              SECTION        FUNCTION
+
+     gss_display_status         7.11 Convert a GSSAPI status code
+                                     to text
+
+     gss_indicate_mechs         7.18 Determine available underlying
+                                     authentication mechanisms
+
+     gss_release_buffer         7.26 Discard a buffer
+
+     gss_release_oid_set        7.29 Discard a set of object
+                                     identifiers
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 5]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     gss_create_empty_oid_set   7.8  Create a set containing no
+                                     object identifiers
+
+     gss_add_oid_set_member     7.4  Add an object identifier to
+                                     a set
+
+     gss_test_oid_set_member    7.30 Determines whether an object
+                                     identifier is a member of a set
+
+
+
+
+
+   Individual GSSAPI implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms.  Applications are
+   encouraged to use the generic routines wherever possible on portability
+   grounds.
+
+
+   5. DATA TYPES AND CALLING CONVENTIONS
+
+   The following conventions are used by the GSSAPI C-language bindings:
+
+   5.1.  Integer types
+
+   GSSAPI uses the following integer data type:
+
+        OM_uint32      32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data type
+   is used by the GSSAPI routine definitions.  Individual GSSAPI
+   implementations will include appropriate typedef definitions to map this
+   type onto a built-in data type.  If the platform supports the X/Open
+   xom.h header file, the OM_uint32 definition contained therein should be
+   used; the GSSAPI header file in Appendix A contains logic that will
+   detect the prior inclusion of xom.h, and will not attempt to re-declare
+   OM_uint32.  If the X/Open header file is not available on the platform,
+   the GSSAPI implementation should use the smallest natural unsigned
+   integer type that provides at least 32 bits of precision.
+
+   5.2.  String and similar data
+
+   Many of the GSSAPI routines take arguments and return values that
+   describe contiguous octet-strings.  All such data is passed between the
+   GSSAPI and the caller using the gss_buffer_t data type.  This data type
+   is a pointer to a buffer descriptor, which consists of a length field
+   that contains the total number of bytes in the datum, and a value field
+   which contains a pointer to the actual datum:
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 6]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+        typedef struct gss_buffer_desc_struct {
+           size_t  length;
+           void    *value;
+        } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data returned to the application by a GSSAPI routine using
+   the gss_buffer_t conventions is allocated by the GSSAPI routine.  The
+   application may free this storage by invoking the gss_release_buffer
+   routine.  Allocation of the gss_buffer_desc object is always the
+   responsibility of the application;  unused gss_buffer_desc objects may
+   be initialized to the value GSS_C_EMPTY_BUFFER.
+
+   5.2.1.  Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at the
+   GSSAPI, because their internal structure has no significance either to
+   the GSSAPI or to the caller.  Examples of such opaque data types are the
+   input_token parameter to gss_init_sec_context (which is opaque to the
+   caller), and the input_message parameter to gss_wrap (which is opaque to
+   the GSSAPI).  Opaque data is passed between the GSSAPI and the
+   application using the gss_buffer_t datatype.
+
+   5.2.2.  Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO Latin-1
+   character strings.  Examples are the printable strings passed to
+   gss_import_name via the input_name_buffer parameter. Some GSSAPI
+   routines also return character strings.  All such character strings are
+   passed between the application and the GSSAPI implementation using the
+   gss_buffer_t datatype, which is a pointer to a gss_buffer_desc object.
+
+   When a gss_buffer_desc object describes a printable string, the length
+   field of the gss_buffer_desc should only count printable characters
+   within the string.  In particular, a trailing NUL character should NOT
+   be included in the length count, nor should either the GSSAPI
+   implementation or the application assume the presence of an uncounted
+   trailing NUL.
+
+   5.3.  Object Identifiers
+
+   Certain GSSAPI procedures take parameters of the type gss_OID, or Object
+   identifier.  This is a type containing ISO-defined tree-structured
+   values, and is used by the GSSAPI caller to select an underlying
+   security mechanism and to specify namespaces.  A value of type gss_OID
+   has the following structure:
+
+        typedef struct gss_OID_desc_struct {
+           OM_uint32 length;
+           void      *elements;
+        } gss_OID_desc, *gss_OID;
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 7]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value portion of
+   the normal BER TLV encoding of the gss_OID.  The length field contains
+   the number of bytes in this value.  For example, the gss_OID value
+   corresponding to {iso(1) identified-organization(3) icd-ecma(12)
+   member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)}, meaning the
+   DASS X.509 authentication mechanism, has a length field of 7 and an
+   elements field pointing to seven octets containing the following octal
+   values: 53,14,2,207,163,7,5. GSSAPI implementations should provide
+   constant gss_OID values to allow applications to request any supported
+   mechanism, although applications are encouraged on portability grounds
+   to accept the default mechanism.  gss_OID values should also be provided
+   to allow applications to specify particular name types (see section
+   5.10).  Applications should treat gss_OID_desc values returned by GSSAPI
+   routines as read-only.  In particular, the application should not
+   attempt to deallocate them with free().  The gss_OID_desc datatype is
+   equivalent to the X/Open OM_object_identifier datatype[XOM].
+
+   5.4.  Object Identifier Sets
+
+   Certain GSSAPI procedures take parameters of the type gss_OID_set.  This
+   type represents one or more object identifiers (section 5.3).  A
+   gss_OID_set object has the following structure:
+
+        typedef struct gss_OID_set_desc_struct {
+           size_t       count;
+           gss_OID   elements;
+        } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each of
+   which describes a single OID.  gss_OID_set values are used to name the
+   available mechanisms supported by the GSSAPI, to request the use of
+   specific mechanisms, and to indicate which mechanisms a given credential
+   supports.
+
+   All OID sets returned to the application by GSSAPI are dynamic objects
+   (the gss_OID_set_desc, the "elements" array of the set, and the
+   "elements" array of each member OID are all dynamically allocated), and
+   this storage must be deallocated by the application using the
+   gss_release_oid_set() routine.
+
+
+   5.5.  Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSSAPI credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which should be implemented as a pointer or
+   arithmetic type.  If a pointer implementation is chosen, care must be
+   taken to ensure that two gss_cred_id_t values may be compared with the
+   == operator.
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 8]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSSAPI credentials can contain mechanism-specific principal
+   authentication data for multiple mechanisms.  A GSSAPI credential is
+   composed of a set of credential-elements, each of which is applicable to
+   a single mechanism.  A credential may contain at most one credential-
+   element for each supported mechanism. A credential-element identifies
+   the data needed by a single mechanism to authenticate a single
+   principal, and conceptually contains two credential-references that
+   describing the actual mechanism-specific authentication data, one to be
+   used by GSSAPI for initiating contexts,  and one to be used for
+   accepting contexts.  For mechanisms that do not distinguish between
+   acceptor and initiator credentials, both references would point to the
+   same underlying mechanism-specific authentication data.
+
+   Credentials describe a set of mechanism-specific principals, and give
+   their holder the ability to act as any of those principals.  All
+   principal identities asserted by a single GSSAPI credential should
+   belong to the same entity, although enforcement of this property is an
+   implementation-specific matter.  The GSSAPI does not make the actual
+   credentials available to applications; instead a credential handle is
+   used to identify a particular credential, held internally by GSSAPI.
+   The combination of GSSAPI credential handle and mechanism identifies the
+   principal whose identity will be asserted by the credential when used
+   with that mechanism.
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow the
+   value GSS_C_NO_CREDENTIAL to be specified as their credential handle
+   parameter.  This special credential-handle indicates a desire by the
+   application to act as a default principal.  While individual GSSAPI
+   implementations are free to determine such default behavior as
+   appropriate to the mechanism, the following default behavior by these
+   routines is recommended for portability:
+
+     (a) gss_init_sec_context
+
+           (i) If there is only a single principal capable of initiating
+               security contexts for the chosen mechanism that the
+               application is authorized to act on behalf of, then that
+               principal shall be used, otherwise
+
+          (ii) If the platform maintains a concept of a default network-
+               identity for the chosen mechanism, and if the application is
+               authorized to act on behalf of that identity for the purpose
+               of initiating security contexts, then the principal
+               corresponding to that identity shall be used, otherwise
+
+         (iii) If the platform maintains a concept of a default local
+               identity, and provides a means to map local identities into
+               network-identities for the chosen mechanism, and if the
+               application is authorized to act on behalf of the network-
+               identity image of the default local identity for the purpose
+               of initiating security contexts using the chosen mechanism,
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 9]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               then the principal corresponding to that identity shall be
+               used, otherwise
+
+          (iv) A user-configurable default identity should be used.
+
+     (b) gss_accept_sec_context
+
+           (i) If there is only a single authorized principal identity
+               capable of accepting security contexts for the chosen
+               mechanism, then that principal shall be used, otherwise
+
+          (ii) If the mechanism can determine the identity of the target
+               principal by examining the context-establishment token, and
+               if the accepting application is authorized to act as that
+               principal for the purpose of accepting security contexts
+               using the chosen mechanism, then that principal identity
+               shall be used, otherwise
+
+         (iii) If the mechanism supports context acceptance by any
+               principal, and if mutual authentication was not requested,
+               any principal that the application is authorized to accept
+               security contexts under using the chosen mechanism may be
+               used, otherwise
+
+          (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are likely
+   to be more portable across mechanisms and platforms than ones that use
+   gss_acquire_cred to request a specific identity.
+
+   5.6.  Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSSAPI security context.  It should be
+   implemented as a pointer or arithmetic type.  If a pointer type is
+   chosen, care should be taken to ensure that two gss_ctx_id_t values may
+   be compared with the == operator.
+
+   The security context holds state information about each end of a peer
+   communication, including cryptographic state information.
+
+   5.7.  Authentication tokens
+
+   A token is a caller-opaque type that GSSAPI uses to maintain
+   synchronization between the context data structures at each end of a
+   GSSAPI security context.  The token is a cryptographically protected
+   octet-string, generated by the underlying mechanism at one end of a
+   GSSAPI security context for use by the peer mechanism at the other end.
+   Encapsulation (if required) and transfer of the token are the
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 10]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   responsibility of the peer applications.  A token is passed between the
+   GSSAPI and the application using the gss_buffer_t conventions.
+
+   5.8.  Interprocess tokens
+
+   Certain GSSAPI routines are intended to transfer data between processes
+   in multi-process programs.  These routines use a caller-opaque octet-
+   string, generated by the GSSAPI in one process for use by the GSSAPI in
+   another process.  The calling application is responsible for
+   transferring such tokens between processes in an OS-specific manner.
+   Note that, while GSSAPI implementors are encouraged to avoid placing
+   sensitive information within interprocess tokens, or to
+   cryptographically protect them, many implementations will be unable to
+   avoid placing key material or other sensitive data within them.  It is
+   the application's responsibility to ensure that interprocess tokens are
+   protected in transit, and transferred only to processes that are
+   trustworthy. An interprocess token is passed between the GSSAPI and the
+   application using the gss_buffer_t conventions.
+
+   5.9.  Status values
+
+   One or more status codes are returned by each GSSAPI routine.  Two
+   distinct sorts of status codes are returned.  These are termed GSS
+   status codes and Mechanism status codes.
+
+   5.9.1.  GSS status codes
+
+   GSSAPI routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism(s) used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSS-API
+   specification) or calling errors (errors that are specific to these
+   language bindings).
+
+   A GSS status code can indicate a single fatal generic API error from the
+   routine and a single calling error.  In addition, supplementary status
+   information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+       MSB                                                        LSB
+       |------------------------------------------------------------|
+       | Calling Error | Routine Error  |    Supplementary Info     |
+       |------------------------------------------------------------|
+    Bit 31           24 23            16 15                        0
+
+
+   Hence if a GSS-API routine returns a GSS status code whose upper 16 bits
+   contain a non-zero value, the call failed.  If the calling error field
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 11]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper 16
+   bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info field
+   of the status code.  The meaning of individual bits is listed below in
+   table 5-3.
+
+   Table 5-1  Calling Errors
+
+         Name                    Value in        Meaning
+                                   Field
+    GSS_S_CALL_INACCESSIBLE_READ     1           A required input
+                                                 parameter could
+                                                 not be read.
+    GSS_S_CALL_INACCESSIBLE_WRITE    2           A required output
+                                                 parameter could
+                                                 not be written.
+    GSS_S_CALL_BAD_STRUCTURE         3           A parameter was
+                                                 malformed
+
+
+
+
+   Table 5-2  Routine Errors
+
+          Name             Value in       Meaning
+                            Field
+
+    GSS_S_BAD_MECH             1      An unsupported mechanism was
+                                      requested
+    GSS_S_BAD_NAME             2      An invalid name was supplied
+    GSS_S_BAD_NAMETYPE         3      A supplied name was of an
+                                      unsupported type
+    GSS_S_BAD_BINDINGS         4      Incorrect channel bindings
+                                      were supplied
+    GSS_S_BAD_STATUS           5      An invalid status code was
+                                      supplied
+    GSS_S_BAD_SIG              6      A token had an invalid
+    GSS_S_BAD_MIC                     MIC
+    GSS_S_NO_CRED              7      No credentials were supplied,
+                                      or the credentials were
+                                      unavailable or inaccessible.
+    GSS_S_NO_CONTEXT           8      No context has been
+                                      established
+    GSS_S_DEFECTIVE_TOKEN      9      A token was invalid
+    GSS_S_DEFECTIVE_CREDENTIAL 10     A credential was invalid
+    GSS_S_CREDENTIALS_EXPIRED  11     The referenced credentials
+                                      have expired
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 12]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    GSS_S_CONTEXT_EXPIRED      12     The context has expired
+    GSS_S_FAILURE              13     Miscellaneous failure
+                                      (see text)
+    GSS_S_BAD_QOP              14     The quality-of-protection
+                                      requested could not be
+                                      provide
+    GSS_S_UNAUTHORIZED         15     The operation is forbidden by
+                                      local security policy
+    GSS_S_UNAVAILABLE          16     The operation or option is not
+                                      available
+    GSS_S_DUPLICATE_ELEMENT    17     The requested credential element
+                                      already exists
+    GSS_S_NAME_NOT_MN          18     The provided name was not a
+                                      mechanism name.
+
+
+
+
+
+   Table 5-3  Supplementary Status Bits
+
+    Name                Bit Number         Meaning
+    GSS_S_CONTINUE_NEEDED   0 (LSB)  The routine must be called
+                                     again to complete its function.
+                                     See routine documentation for
+                                     detailed description.
+    GSS_S_DUPLICATE_TOKEN   1        The token was a duplicate of
+                                     an earlier token
+    GSS_S_OLD_TOKEN         2        The token's validity period
+                                     has expired
+    GSS_S_UNSEQ_TOKEN       3        A later token has already been
+                                     processed
+    GSS_S_GAP_TOKEN         4        An expected per-message token
+                                     was not received
+
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is a
+   zero value, to indicate an absence of any API errors or supplementary
+   information bits.
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes, rather
+   than to bitfield values.  For example, the actual value of the symbol
+   GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3 << 16.
+
+   The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS status
+   code and removes all but the relevant field.  For example, the value
+   obtained by applying GSS_ROUTINE_ERROR to a status code removes the
+   calling errors and supplementary info fields, leaving only the routine
+   errors field.  The values delivered by these macros may be directly
+   compared with a GSS_S_xxx symbol of the appropriate type.  The macro
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 13]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_ERROR() is also provided, which when applied to a GSS status code
+   returns a non-zero value if the status code indicated a calling or
+   routine error, and a zero value otherwise.  All macros defined by GSS-
+   API evaluate their argument(s) exactly once.
+
+   A GSS-API implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value;  routine errors and supplementary info should be returned via
+   routine status values only.
+
+   5.9.2.  Mechanism-specific status codes
+
+   GSS-API routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error, indicated
+   by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSS-API routine, even
+   if it returns a calling error or one of the generic API errors indicated
+   above as fatal, although most other output parameters may remain unset
+   in such cases.  However, output parameters that are expected to return
+   pointers to storage allocated by a routine must always be set by the
+   routine, even in the event of an error, although in such cases the GSS-
+   API routine may elect to set the returned parameter value to NULL to
+   indicate that no storage was actually allocated.  Any length field
+   associated with such pointers (as in a gss_buffer_desc structure) should
+   also be set to zero in such cases.
+
+   The GSS status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS status
+   code is defined.  The mechanism status code will provide more details
+   about the error.
+
+   5.10.  Names
+
+   A name is used to identify a person or entity.  GSS-API authenticates
+   the relationship between a name and the entity claiming the name.
+
+   Since different authentication mechanisms may employ different
+   namespaces for identifying their principals, GSSAPI's naming support is
+   necessarily complex in multi-mechanism environments (or even in some
+   single-mechanism environments where the underlying mechanism supports
+   multiple namespaces).
+
+   Two distinct representations are defined for names:
+
+     (a) An internal form.  This is the GSSAPI "native" format for names,
+         represented by the implementation-specific gss_name_t type.  It is
+         opaque to GSSAPI callers.  A single gss_name_t object may contain
+         multiple names from different namespaces, but all names should
+         refer to the same entity.  An example of such an internal name
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 14]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         would be the name returned from a call to the gss_inquire_cred
+         routine, when applied to a credential containing credential
+         elements for multiple authentication mechanisms employing
+         different namespaces.  This gss_name_t object will contain a
+         distinct name for the entity for each authentication mechanism.
+
+         For GSSAPI implementations supporting multiple namespaces, objects
+         of type gss_name_t must contain sufficient information to
+         determine the namespace to which each primitive name belongs.
+
+     (b) Mechanism-specific contiguous octet-string forms.  A format
+         capable of containing a single name (from a single namespace).
+         Contiguous string names are always accompanied by an object
+         identifier specifying the namespace to which the name belongs, and
+         their format is dependent on the authentication mechanism that
+         employs the name.  Many, but not all, contiguous string names will
+         be printable, and may therefore be used by GSSAPI applications for
+         communication with their users.
+
+   Routines (gss_import_name and gss_display_name) are provided to convert
+   names between contiguous string representations and the internal
+   gss_name_t type.  gss_import_name may support multiple syntaxes for each
+   supported namespace, allowing users the freedom to choose a preferred
+   name representation.  gss_display_name should use an implementation-
+   chosen printable syntax for each supported name-type.
+
+   If an application calls gss_display_name(), passing the internal name
+   resulting from a call to gss_import_name(), there is no guarantee the
+   the resulting contiguous string name will be the same as the original
+   imported string name.  Nor do name-space identifiers necessarily survive
+   unchanged after a journey through the internal name-form.  An example of
+   this might be a mechanism that authenticates X.500 names, but provides
+   an algorithmic mapping of Internet DNS names into X.500.  That
+   mechanism's implementation of gss_import_name() might, when presented
+   with a DNS name, generate an internal name that contained both the
+   original DNS name and the equivalent X.500 name. Alternatively, it might
+   only store the X.500 name.  In the latter case, gss_display_name() would
+   most likely generate a printable X.500 name, rather than the original
+   DNS name.
+
+   The process of authentication delivers to the context acceptor an
+   internal name.  Since this name has been authenticated by a single
+   mechanism, it contains only a single name (even if the internal name
+   presented by the context initiator to gss_init_sec_context had multiple
+   components).  Such names are termed internal mechanism names, or "MN"s
+   and the names emitted by gss_accept_sec_context() are always of this
+   type.  Since some applications may require MNs without wanting to incur
+   the overhead of an authentication operation, a second function,
+   gss_canonicalize_name(), is provided to convert a general internal name
+   into an MN.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 15]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Comparison of internal-form names may be accomplished via the
+   gss_compare_name() routine, which returns true if the two names being
+   compared refer to the same entity.  This removes the need for the
+   application program to understand the syntaxes of the various printable
+   names that a given GSS-API implementation may support.  Since GSSAPI
+   assumes that all primitive names contained within a given internal name
+   refer to the same entity, gss_compare_name() can return true if the two
+   names have at least one primitive name in common.  If the implementation
+   embodies knowledge of equivalence relationships between names taken from
+   different namespaces, this knowledge may also allow successful
+   comparison of internal names containing no overlapping primitive
+   elements.
+
+   When used in large access control lists, the overhead of invoking
+   gss_import_name() and gss_compare_name() on each name from the ACL may
+   be prohibitive.  As an alternative way of supporting this case, GSSAPI
+   defines a special form of the contiguous string name which may be
+   compared directly (e.g. with memcmp()).  Contigous names suitable for
+   comparison are generated by the gss_export_name() routine, which
+   requires an MN as input.  Exported names may be re-imported by the
+   gss_import_name() routine, and the resulting internal name will also be
+   an MN.  The gss_OID constant GSS_C_NT_EXPORT_NAME indentifies the
+   "export name" type, and the value of this constant is given in Appendix
+   A.     Structurally, an exported name object consists of a header
+   containing an OID identifying the mechanism that authenticated the name,
+   and a trailer containing the name itself, where the syntax of the
+   trailer is defined by the individual mechanism specification.   The
+   precise format of an export name is defined in the language-independent
+   GSSAPI specification [GSSAPI].
+
+   Note that the results obtained by using gss_compare_name() will in
+   general be different from those obtained by invoking
+   gss_canonicalize_name() and gss_export_name(), and then comparing the
+   exported names.  The first series of operation determines whether two
+   (unauthenticated) names identify the same principal; the second whether
+   a particular mechanism would authenticate them as the same principal.
+   These two operations will in general give the same results only for MNs.
+
+   The gss_name_t datatype should be implemented as a pointer type.  To
+   allow the compiler to aid the application programmer by performing
+   type-checking, the use of (void *) is discouraged.  A pointer to an
+   implementation-defined type is the preferred choice.
+
+   Storage is allocated by routines that return gss_name_t values.  A
+   procedure, gss_release_name, is provided to free storage associated with
+   an internal-form name.
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 16]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   5.11.  Channel Bindings
+
+   GSS-API supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are intended to be used to
+   identify the particular communications channel that carries the context.
+   Channel bindings are communicated to the GSS-API using the following
+   structure:
+
+        typedef struct gss_channel_bindings_struct {
+           OM_uint32       initiator_addrtype;
+           gss_buffer_desc initiator_address;
+           OM_uint32       acceptor_addrtype;
+           gss_buffer_desc acceptor_address;
+           gss_buffer_desc application_data;
+        } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type of
+   addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+        GSS_C_AF_UNSPEC      Unspecified address type
+        GSS_C_AF_LOCAL       Host-local address type
+        GSS_C_AF_INET        Internet address type (e.g. IP)
+        GSS_C_AF_IMPLINK     ARPAnet IMP address type
+        GSS_C_AF_PUP         pup protocols (eg BSP) address type
+        GSS_C_AF_CHAOS       MIT CHAOS protocol address type
+        GSS_C_AF_NS          XEROX NS address type
+        GSS_C_AF_NBS         nbs address type
+        GSS_C_AF_ECMA        ECMA address type
+        GSS_C_AF_DATAKIT     datakit protocols address type
+        GSS_C_AF_CCITT       CCITT protocols
+        GSS_C_AF_SNA         IBM SNA address type
+        GSS_C_AF_DECnet      DECnet address type
+        GSS_C_AF_DLI         Direct data link interface address type
+        GSS_C_AF_LAT         LAT address type
+        GSS_C_AF_HYLINK      NSC Hyperchannel address type
+        GSS_C_AF_APPLETALK   AppleTalk address type
+        GSS_C_AF_BSC         BISYNC 2780/3780 address type
+        GSS_C_AF_DSS         Distributed system services address type
+        GSS_C_AF_OSI         OSI TP4 address type
+        GSS_C_AF_X25         X25
+        GSS_C_AF_NULLADDR    No address specified
+
+   Note that these symbols name address families rather than specific
+   addressing formats.  For address families that contain several
+   alternative address forms, the initiator_address and acceptor_address
+   fields must contain sufficient information to determine which address
+   form is used.  When not otherwise specified, addresses should be
+   specified in network byte-order (that is, native byte-ordering for the
+   address family).
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 17]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Conceptually, the GSS-API concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism calculates a
+   MIC over this octet string, and binds the MIC to the context
+   establishment token emitted by gss_init_sec_context.  The same bindings
+   are presented by the context acceptor to gss_accept_sec_context, and a
+   MIC is calculated in the same way.  The calculated MIC is compared with
+   that found in the token, and if the MICs differ, gss_accept_sec_context
+   will return a GSS_S_BAD_BINDINGS error, and the context will not be
+   established.  Some mechanisms may include the actual channel binding
+   data in the token (rather than just a MIC); applications should
+   therefore not use confidential data as channel-binding components.
+   Individual mechanisms may impose additional constraints on addresses and
+   address types that may appear in channel bindings.  For example, a
+   mechanism may verify that the initiator_address field of the channel
+   bindings presented to gss_init_sec_context contains the correct network
+   address of the host system.  Portable applications should therefore
+   ensure that they either provide correct information for the address
+   fields, or omit addressing information, specifying GSS_C_AF_NULLADDR as
+   the address-types.
+
+   5.12.  Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+   5.12.1.  gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned via
+   the parameter is not required by the application.
+
+   5.12.2.  Integer types (input)
+
+   Individual parameter documentation lists values to be used to indicate
+   default actions.
+
+   5.12.3.  Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+   5.12.4.  Pointer types
+
+   Specify NULL as the value.
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 18]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   5.12.5.  Object IDs
+
+   Specify GSS_C_NO_OID as the value.
+
+   5.12.6.  Object ID Sets
+
+   Specify GSS_C_NO_OID_SET as the value.
+
+   5.12.7.  Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings are
+   not to be used.
+
+
+   6. ADDITIONAL CONTROLS
+
+   This section discusses the optional services that a context initiator
+   may request of the GSS-API at context establishment.  Each of these
+   services is requested by setting a flag in the req_flags input parameter
+   to gss_init_sec_context.
+
+   The optional services currently defined are:
+
+   Delegation - The (usually temporary) transfer of rights from initiator
+         to acceptor, enabling the acceptor to authenticate itself as an
+         agent of the initiator.
+
+   Mutual Authentication - In addition to the initiator authenticating its
+         identity to the context acceptor, the context acceptor should also
+         authenticate itself to the initiator.
+
+   Replay detection - In addition to providing message integrity services,
+         gss_get_mic and gss_wrap should include message numbering
+         information to enable gss_verify_mic and gss_unwrap to detect if a
+         message has been duplicated.
+
+   Out-of-sequence detection - In addition to providing message integrity
+         services, gss_get_mic and gss_wrap should include message
+         sequencing information to enable gss_verify_mic and gss_unwrap to
+         detect if a message has been received out of sequence.
+
+   Anonymous authentication - The establishment of the security context
+         should not reveal the initiator's identity to the context
+         acceptor.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application, and
+   should be set to zero when returned to the application by the GSS-API
+   implementation.
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 19]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both gss_init_sec_context and gss_accept_sec_context inform the
+   applications which services will be available from the context when the
+   establishment phase is complete, via the ret_flags output parameter.  In
+   general, if the security mechanism is capable of providing a requested
+   service, it should do so, even if additional services must be enabled in
+   order to provide the requested service.  If the mechanism is incapable
+   of providing a requested service, it should proceed without the service,
+   leaving the application to abort the context establishment process if it
+   considers the requested service to be mandatory.
+
+   Some mechanisms may specify that support for some services is optional,
+   and that implementors of the mechanism need not provide it.  This is
+   most commonly true of the confidentiality service, often because of
+   legal restrictions on the use of data-encryption, but may apply to any
+   of the services.  Such mechanisms are required to send at least one
+   token from acceptor to initiator during context establishment when the
+   initiator indicates a desire to use such a service, so that the
+   initiating GSSAPI can correctly indicate whether the service is
+   supported by the acceptor's GSSAPI.
+
+   6.1.  Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a boolean parameter to gss_init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an application
+   to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   gss_accept_sec_context) a credential handle that contains the delegated
+   identity, and this credential handle may be used to initiate subsequent
+   GSSAPI security contexts as an agent or delegate of the initiator.  If
+   the original initiator's identity is "A" and the delegate's identity is
+   "B", then, depending on the underlying mechanism, the identity embodied
+   by the delegated credential may be either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple boolean does not
+   provide enough control.  Examples of additional aspects of delegation
+   control that a mechanism might provide to an application are duration of
+   delegation, network addresses from which delegation is valid, and
+   constraints on the tasks that may be performed by a delegate.  Such
+   controls are presently outside the scope of the GSS-API.  GSS-API
+   implementations supporting mechanisms offering additional controls
+   should provide extension routines that allow these controls to be
+   exercised (perhaps by modifying the initiator's GSS-API credential prior
+   to its use in establishing a context).  However, the simple delegation
+   control provided by GSS-API should always be able to over-ride other
+   mechanism-specific delegation controls - If the application instructs
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 20]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_init_sec_context() that delegation is not desired, then the
+   implementation must not permit delegation to occur.  This is an
+   exception to the general rule that a mechanism may enable services even
+   if they are not requested - delegation may only be provide at the
+   explicit request of the application.
+
+   6.2.  Mutual authentication
+
+   Usually, a context acceptor will require that a context initiator
+   authenticate itself so that the acceptor may make an access-control
+   decision prior to performing a service for the initiator.  In some
+   cases, the initiator may also request that the acceptor authenticate
+   itself.  GSS-API allows the initiating application to request this
+   mutual authentication service by setting a flag when calling
+   gss_init_sec_context.
+
+   The initiating application is informed as to whether or not mutual
+   authentication is being requested of the context acceptor.  Note that
+   some mechanisms may not support mutual authentication, and other
+   mechanisms may always perform mutual authentication, whether or not the
+   initiating application requests it.  In particular, mutual
+   authentication my be required by some mechanisms in order to support
+   replay or out-of-sequence message detection, and for such mechanisms a
+   request for either of these services will automatically enable mutual
+   authentication.
+
+   6.3.  Replay and out-of-sequence detection
+
+   The GSS-API may provide detection of mis-ordered message once a security
+   context has been established.  Protection may be applied to messages by
+   either application, by calling either gss_get_mic or gss_wrap, and
+   verified by the peer application by calling gss_verify_mic or
+   gss_unwrap.
+
+   gss_get_mic calculates a cryptographic checksum of an application
+   message, and returns that checksum in a token.  The application should
+   pass both the token and the message to the peer application, which
+   presents them to gss_verify_mic.
+
+   gss_wrap calculates a cryptographic checksum of an application message,
+   and places both the checksum and the message inside a single token.  The
+   application should pass the token to the peer application, which
+   presents it to gss_unwrap to extract the message and verify the
+   checksum.
+
+   Either pair of routines may be capable of detecting out-of-sequence
+   message delivery, or duplication of messages. Details of such mis-
+   ordered messages are indicated through supplementary status bits in the
+   major status code returned by gss_verify_mic or gss_unwrap.  The
+   relevant supplementary bits are:
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 21]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has already
+         been received and processed.  Contexts that do not claim to
+         provide replay detection may still set this bit if the duplicate
+         message is processed immediately after the original, with no
+         intervening messages.
+
+   GSS_S_OLD_TOKEN - The token is too old to determine whether or not it is
+         a duplicate.  Contexts supporting out-of-sequence detection but
+         not replay detection should always set this bit if
+         GSS_S_UNSEQ_TOKEN is set; contexts that support replay detection
+         should only set this bit if the token is so old that it cannot be
+         checked for duplication.
+
+   GSS_S_UNSEQ_TOKEN - A later token has already been processed.
+
+   GSS_S_GAP_TOKEN - An earlier token has not yet been received.
+
+   A mechanism need not maintain a list of all tokens that have been
+   processed in order to support these status codes.  A typical mechanism
+   might retain information about only the most recent "N" tokens
+   processed, allowing it to distinguish duplicates and missing tokens
+   within the most recent "N" messages; the receipt of a token older than
+   the most recent "N" would result in a GSS_S_OLD_TOKEN status.
+
+   6.4.  Anonymous Authentication
+
+   In certain situations, an application may wish to initiate the
+   authentication process to authenticate a peer, without revealing its own
+   identity.  As an example, consider an application providing access to a
+   database containing medical information, and offering unrestricted
+   access to the service.  A client of such a service might wish to
+   authenticate the service (in order to establish trust in any information
+   retrieved from it), but might not wish the service to be able to obtain
+   the client's identity (perhaps due to privacy concerns about the
+   specific inquiries, or perhaps simply to avoid being placed on mailing-
+   lists).
+
+   In normal use of the GSS-API, the initiator's identity is made available
+   to the acceptor as a result of the context establishment process.
+   However, context initiators may request that their identity not be
+   revealed to the context acceptor.  Many mechanisms do not support
+   anonymous authentication, and for such mechanisms the request will not
+   be honored.  An authentication token will be still be generated, but the
+   application is always informed if a requested service is unavailable,
+   and has the option to abort context establishment if anonymity is valued
+   above the other security services that would require a context to be
+   established.
+
+   In addition to informing the application that a context is established
+   anonymously (via the ret_flags outputs from gss_init_sec_context and
+   gss_accept_sec_context), the optional src_name output from
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 22]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_accept_sec_context and gss_inquire_context will, for such contexts,
+   return a reserved internal-form name, defined by the implementation.
+   When presented to gss_display_name, this reserved internal-form name
+   will result in a printable name that is syntactically distinguishable
+   from any valid principal name supported by the implementation,
+   associated with a name-type object identifier with the value
+   GSS_C_NT_ANONYMOUS, whose value us given in Appendix A.  The printable
+   form of an anonymous name should be chosen such that it implies
+   anonymity, since this name may appear in, for example, audit logs.  For
+   example, the string "<anonymous>" might be a good choice, if no valid
+   printable names supported by the implementation can begin with "<" and
+   end with ">".
+
+   6.5.  Confidentiality
+
+   If a context supports the confidentiality service, gss_wrap may be used
+   to encrypt application messages.  Messages are selectively encrypted,
+   under the control of the conf_req_flag input parameter to gss_wrap.
+
+   6.6.  Inter-process context transfer
+
+   GSSAPI V2 provides routines (gss_export_sec_context and
+   gss_import_sec_context) which allow a security context to be transferred
+   between processes on a single machine.  The most common use for such a
+   feature is a client-server design where the server is implemented as a
+   single process that accepts incoming security contexts, which then
+   launches child processes to deal with the data on these contexts.  In
+   such a design, the child processes must have access to the security
+   context data structure created within the parent by its call to
+   gss_accept_sec_context so that they can use per-message protection
+   services and delete the security context when the communication session
+   ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a context
+   between processes.  Thus GSSAPI provides a call (gss_export_sec_context)
+   that the process which currently owns the context can call to declare
+   that it has no intention to use the context subsequently, and to create
+   an inter-process token containing information needed by the adopting
+   process to successfully import the context.  After successful completion
+   of this call, the original security context is made inaccessible to the
+   calling process by GSSAPI, and any context handles referring to this
+   context are no longer valid.  The originating process transfers the
+   inter-process token to the adopting process, which passes it to
+   gss_import_sec_context, and a fresh gss_ctx_id_t is created such that it
+   is functionally identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys).  Applications using
+   inter-process tokens to transfer security contexts must take appropriate
+   steps to protect these tokens in transit.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 23]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Implementations are not required to support the inter-process transfer
+   of security contexts.  The ability to transfer a security context is
+   indicated when the context is created, by gss_init_sec_context or
+   gss_accept_sec_context setting the GSS_C_TRANS_FLAG bit in their
+   ret_flags parameter.
+
+
+   6.7.  The use of incomplete contexts
+
+   Some mechanisms may allow the per-message services to be used before the
+   context establishment process is complete.  For example, a mechanism may
+   include sufficient information in its initial context-level token for
+   the context acceptor to immediately decode messages protected with
+   gss_wrap or gss_get_mic.  For such a mechanism, the initiating
+   application need not wait until subsequent context-level tokens have
+   been sent and received before invoking the per-message protection
+   services.
+
+   The ability of a context to provide per-message services in advance of
+   complete context establishment is indicated by the setting of the
+   GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from
+   gss_init_sec_context and gss_accept_sec_context.  Applications wishing
+   to use per-message protection services on partially-established contexts
+   should check this flag before attempting to invoke gss_wrap or
+   gss_get_mic.
+
+
+
+   7. GSS-API routine descriptions
+
+   In addition to the explicit major status codes documented here, the code
+   GSS_S_FAILURE may be returned by any routine, indicating an
+   implementation-specific or mechanism-specific error condition, further
+   details of which are reported via the minor_status parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 24]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.1.  gss_accept_sec_context
+
+   OM_uint32 gss_accept_sec_context (
+        OM_uint32 *              minor_status,
+        gss_ctx_id_t *           context_handle,
+        const gss_cred_id_t      acceptor_cred_handle,
+        const gss_buffer_t       input_token_buffer,
+        const gss_channel_bindings_t
+                                 input_chan_bindings,
+        const gss_name_t *       src_name,
+        gss_OID *                mech_type,
+        gss_buffer_t             output_token,
+        OM_uint32 *              ret_flags,
+        OM_uint32 *              time_rec,
+        gss_cred_id_t *          delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application and
+   a remote peer to be established.  The routine may return a output_token
+   which should be transferred to the peer application, where the peer
+   application will present it to gss_init_sec_context.  If no token need
+   be sent, gss_accept_sec_context will indicate this by setting the length
+   field of the output_token argument to zero.  To complete the context
+   establishment, one or more reply tokens may be required from the peer
+   application; if so, gss_accept_sec_context  will return a status flag of
+   GSS_S_CONTINUE_NEEDED, in which case it should be called again when the
+   reply token is received from the peer application, passing the token to
+   gss_accept_sec_context via the input_token parameters.
+
+   Portable applications should be constructed to use the token length and
+   return status to determine whether a token needs to be sent or waited
+   for.  Thus a typical portable caller should always invoke
+   gss_accept_sec_context within a loop:
+
+       gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+       ...
+
+       do {
+          receive_token_from_peer(input_token);
+          maj_stat = gss_accept_sec_context(&min_stat,
+                                            &context_hdl,
+                                            cred_hdl,
+                                            input_token,
+                                            input_bindings,
+                                            &client_name,
+                                            &mech_type,
+                                            output_token,
+                                            &ret_flags,
+                                            &time_rec,
+                                            &deleg_cred);
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 25]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+          if (GSS_ERROR(maj_stat)) {
+             report_error(maj_stat, min_stat);
+          };
+          if (output_token->length != 0) {
+             send_token_to_peer(output_token);
+             gss_release_buffer(&min_stat,
+                                output_token)
+          };
+          if (GSS_ERROR(maj_stat)) {
+             if (context_hdl != GSS_C_NO_CONTEXT)
+                gss_delete_sec_context(&min_stat,
+                                       &context_hdl,
+                                       GSS_C_NO_BUFFER);
+             break;
+          };
+       } while (maj_stat & GSS_S_CONTINUE_NEEDED);
+
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+     (a) The value returned via the time_rec parameter is undefined
+
+     (b) Unless the accompanying ret_flags parameter contains the bit
+         GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+         applied in advance of a successful completion status, the value
+         returned via the mech_type parameter may be undefined until the
+         routine returns a major status value of GSS_S_COMPLETE.
+
+     (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+         GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+         GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+         ret_flags parameter should contain the values that the
+         implementation expects would be valid if context establishment
+         were to succeed.
+
+         The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+         within ret_flags should indicate the actual state at the time
+         gss_accept_sec_context returns, whether or not the context is
+         fully established.
+
+         Although this requires that GSSAPI implementations set the
+         GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+         (i.e. when accompanied by a GSS_S_COMPLETE status code),
+         applications should not rely on this behavior as the flag was not
+         defined in Version 1 of the GSSAPI. Instead, applications should
+         be prepared to use per-message services after a successful context
+         establishment, according to the GSS_C_INTEG_FLAG and
+         GSS_C_CONF_FLAG values.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 26]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         All other bits within the ret_flags argument should be set to
+         zero.
+
+
+   While the routine returns GSS_S_CONTINUE_NEEDED, the values returned via
+   the ret_flags argument indicate the services that the implementation
+   expects to be available from the established context.
+
+   If the initial call of gss_accept_sec_context() fails, the
+   implementation should not create a context object, and should leave the
+   value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security context
+   (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the security
+   context (and the context_handle parameter) untouched for the application
+   to delete (using gss_delete_sec_context).
+
+   Parameters:
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned in subsequent calls.  Once
+                     gss_accept_sec_context() has returned a value
+                     via this parameter, resources have been assigned
+                     to the corresponding context, and must be
+                     freed by the application after use with a call
+                     to gss_delete_sec_context().
+
+
+   acceptor_cred_handle  gss_cred_id_t, read
+                     Credential handle claimed by context acceptor.
+                     Specify GSS_C_NO_CREDENTIAL to accept the
+                     context as a default principal.  If
+                     GSS_C_NO_CREDENTIAL is specified, but no
+                     default acceptor principal is defined,
+                     GSS_S_NO_CRED will be returned.
+
+   input_token_buffer  buffer, opaque, read
+                     token obtained from remote application.
+
+   input_chan_bindings  channel bindings, read, optional
+                     Application-specified bindings.  Allows
+                     application to securely bind channel
+                     identification information to the security
+                     context.  If channel bindings are not
+                     used, specify GSS_C_NO_CHANNEL_BINDINGS.
+
+   src_name          gss_name_t, modify, optional
+                     Authenticated name of context initiator.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 27]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     After use, this name should be deallocated by
+                     passing it to gss_release_name().  If not
+                     required, specify NULL.
+
+   mech_type         Object ID, modify, optional
+                     Security mechanism used.  The returned
+                     OID value will be a pointer into static
+                     storage, and should be treated as read-only
+                     by the caller (in particular, it does not
+                     need to be freed).  If not required, specify
+                     NULL.
+
+   output_token      buffer, opaque, modify
+                     Token to be passed to peer application. If the
+                     length field of the returned token buffer is 0,
+                     then no token need be passed to the peer
+                     application.  If a non-zero length field is
+                     returned, the associated storage must be freed
+                     after use by the application with a call to
+                     gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports a
+                     specific service option.  If not needed,
+                     specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+                     GSS_C_DELEG_FLAG
+                           True - Delegated credentials are available
+                                  via the delegated_cred_handle
+                                  parameter
+                           False - No credentials were delegated
+                     GSS_C_MUTUAL_FLAG
+                           True - Remote peer asked for mutual
+                                  authentication
+                           False - Remote peer did not ask for mutual
+                                   authentication
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will not
+                                   be detected
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 28]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be invoked
+                                  by calling the gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator does not wish to
+                                  be authenticated; the src_name
+                                  parameter (if requested) contains
+                                  an anonymous internal name.
+                           False - The initiator has been
+                                   authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available
+                                  if the accompanying major status return
+                                  value is either GSS_S_COMPLETE or
+                                  GSS_S_CONTINUE_NEEDED.
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the accompanying major status
+                                   return value is GSS_S_COMPLETE.
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. Specify NULL if not required.
+
+   delegated_cred_handle
+                     gss_cred_id_t, modify, optional
+                     credential handle for credentials received from
+                     context initiator.  Only valid if deleg_flag in
+                     ret_flags is true, in which case an explicit
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 29]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     credential handle (i.e. not GSS_C_NO_CREDENTIAL)
+                     will be returned; if deleg_flag is false,
+                     gss_accept_context() will set this parameter to
+                     GSS_C_NO_CREDENTIAL.  If a credential handle is
+                     returned, the associated resources must be released
+                     by the application after use with a call to
+                     gss_release_cred().  Specify NULL if not required.
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application
+                     is required to complete the context, and that
+                     gss_accept_sec_context must be called again with that
+                     token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     input_token failed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed
+                     on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     acceptance, or the credential handle did not reference
+                     any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel bindings
+                     to those specified via the input_chan_bindings
+                     parameter.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context.
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC.
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment.
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a
+                     token already processed.  This is a fatal error during
+                     context establishment.
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 30]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_MECH    The received token specified a mechanism that is not
+                     supported by the implementation or the provided
+                     credential.
+
+
+
+
+
+
+
+   7.2.  gss_acquire_cred
+
+
+   OM_uint32 gss_acquire_cred (
+        OM_uint32 *              minor_status,
+        const gss_name_t         desired_name,
+        OM_uint32                time_req,
+        const gss_OID_set        desired_mechs,
+        gss_cred_usage_t         cred_usage,
+        gss_cred_id_t *          output_cred_handle,
+        gss_OID_set *            actual_mechs,
+        OM_uint32 *              time_rec)
+
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing credential
+   by name.  GSS-API implementations must impose a local access-control
+   policy on callers of this routine to prevent unauthorized callers from
+   acquiring credentials to which they are not entitled.  This routine is
+   not intended to provide a ``login to the network'' function, as such a
+   function would involve the creation of new credentials rather than
+   merely acquiring a handle to existing credentials.  Such functions, if
+   required, should be defined in implementation-specific extensions to the
+   API.
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a request
+   for a credential handle that will invoke default behavior when passed to
+   gss_init_sec_context() (if cred_usage is GSS_C_INITIATE or GSS_C_BOTH)
+   or gss_accept_sec_context() (if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH).
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways of
+   obtaining GSS-API initiator credentials from the system login process.
+   Some implementations may therefore not support the acquisition of
+   GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred for any
+   name other than an empty name.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 31]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call of
+   gss_inquire_cred immediately following the call of gss_acquire_cred must
+   return valid credential data, and may therefore incur the overhead of a
+   deferred credential acquisition.
+
+   Parameters:
+
+   desired_name      gss_name_t, read
+                     Name of principal whose credential
+                     should be acquired
+
+   time_req          Integer, read, optional
+                     number of seconds that credentials
+                     should remain valid. Specify GSS_C_INDEFINITE
+                     to request that the credentials have the maximum
+                     permitted lifetime.
+
+   desired_mechs     Set of Object IDs, read, optional
+                     set of underlying security mechanisms that
+                     may be used.  GSS_C_NO_OID_SET may be used
+                     to obtain an implementation-specific default.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credentials may be used
+                                  either to initiate or accept
+                                  security contexts.
+                     GSS_C_INITIATE - Credentials will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credentials will only be used to
+                                    accept security contexts.
+
+   output_cred_handle  gss_cred_id_t, modify
+                     The returned credential handle.  Resources
+                     associated with this credential handle must
+                     be released by the application after use
+                     with a call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The set of mechanisms for which the
+                     credential is valid.  Storage associated
+                     with the returned OID-set must be released by
+                     the application after use with a call to
+                     gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   time_rec          Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid.  If the
+                     implementation does not support expiration of
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 32]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     credentials, the value GSS_C_INDEFINITE will
+                     be returned. Specify NULL if not required
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not
+                     supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill-
+                     formed.
+
+   GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired because
+                     they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+
+
+
+
+
+
+   7.3.  gss_add_cred
+
+
+   OM_uint32 gss_add_cred (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      input_cred_handle,
+        const gss_name_t         desired_name,
+        const gss_OID            desired_mech,
+        gss_cred_usage_t         cred_usage,
+        OM_uint32                initiator_time_req,
+        OM_uint32                acceptor_time_req,
+        gss_cred_id_t *          output_cred_handle,
+        gss_OID_set *            actual_mechs,
+        OM_uint32 *              initiator_time_rec,
+        OM_uint32 *              acceptor_time_rec)
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 33]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Adds a credential-element to a credential.  The credential-element is
+   identified by the name of the principal to which it refers.  GSSAPI
+   implementations must impose a local access-control policy on callers of
+   this routine to prevent unauthorized callers from acquiring credential-
+   elements to which they are not entitled. This routine is not intended to
+   provide a ``login to the network'' function, as such a function would
+   involve the creation of new mechanism-specific authentication data,
+   rather than merely acquiring a GSSAPI handle to existing data.  Such
+   functions, if required, should be defined in implementation-specific
+   extensions to the API.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways of
+   obtaining GSS-API initiator credentials from the system login process.
+   Some implementations may therefore not support the acquisition of
+   GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call of
+   gss_inquire_cred immediately following the call of gss_acquire_cred must
+   return valid credential data, and may therefore incur the overhead of a
+   deferred credential acquisition.
+
+   This routine can be used to either create a new credential containing
+   all credential-elements of the original in addition to the newly-acquire
+   credential-element, or to add the new credential-element to an existing
+   credential. If NULL is specified for the output_cred_handle parameter
+   argument, the new credential-element will be added to the credential
+   identified by input_cred_handle; if a valid pointer is specified for the
+   output_cred_handle parameter, a new credential and handle will be
+   created.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle, the
+   gss_add_cred will create its output_cred_handle based on default
+   behavior.  That is, the call will have the same effect as if the
+   application had first made a call to gss_acquire_cred(), specifying the
+   same usage and passing GSS_C_NO_NAME as the desired_name parameter to
+   obtain an explicit credential handle embodying default behavior, passed
+   this credential handle to gss_add_cred(), and finally called
+   gss_release_cred() on the first credential handle.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle parameter,
+   a non-NULL output_cred_handle must be supplied.
+
+   Parameters:
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 34]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_cred_handle gss_cred_id_t, read, optional
+                     The credential to which a credential-element
+                     will be added.  If GSS_C_NO_CREDENTIAL is
+                     specified, the routine will create the new
+                     credential based on default behavior (see
+                     description above).  Note that, while the
+                     credential-handle is not modified by
+                     gss_add_cred(), the underlying credential
+                     will be modified if output_credential_handle
+                     is NULL.
+
+   desired_name      gss_name_t, read.
+                     Name of principal whose credential
+                     should be acquired.
+
+   desired_mech      Object ID, read
+                     Underlying security mechanism with which the
+                     credential may be used.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credential may be used
+                                  either to initiate or accept
+                                  security contexts.
+                     GSS_C_INITIATE - Credential will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credential will only be used to
+                                    accept security contexts.
+
+   initiator_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for initiating security
+                     contexts.  This argument is ignored if the
+                     created credentials are of type GSS_C_ACCEPT.
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+   acceptor_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for accepting security
+                     contexts.  This argument is ignored if the
+                     created credentials are of type GSS_C_INITIATE.
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 35]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   output_cred_handle gss_cred_id_t, modify, optional
+                     The returned credential handle, containing
+                     the new credential-element and all the
+                     credential-elements from input_cred_handle.
+                     If a valid pointer to a gss_cred_id_t is
+                     supplied for this parameter, gss_add_cred
+                     creates a new credential handle containing all
+                     credential-elements from the input_cred_handle
+                     and the newly acquired credential-element; if
+                     NULL is specified for this parameter, the newly
+                     acquired credential-element will be added
+                     to the credential identified by input_cred_handle.
+                     The resources associated with any credential
+                     handle returned via this parameter must be
+                     released by the application after use with a
+                     call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The complete set of mechanisms for which
+                     the new credential is valid.  Storage for
+                     the returned OID-set must be freed by the
+                     application after use with a call to
+                     gss_release_oid_set(). Specify NULL if
+                     not required.
+
+   initiator_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     initiating contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+   acceptor_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     accepting security contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not
+                     supported
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 36]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill-
+                     formed.
+
+   GSS_S_DUPLICATE_ELEMENT The credential already contains an element for
+                     the requested mechanism with overlapping usage and
+                     validity period.
+
+   GSS_S_CREDENTIALS_EXPIRED The required credentials could not be added
+                     because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+
+
+
+
+
+
+   7.4.  gss_add_oid_set_member
+
+   OM_uint32 gss_add_oid_set_member (
+        OM_uint32  *             minor_status,
+        const gss_OID            member_oid,
+        gss_OID_set *            oid_set)
+
+   Purpose:
+
+   Add an Object Identifier to an Object Identifier set.  This routine is
+   intended for use in conjunction with gss_create_empty_oid_set when
+   constructing a set of mechanism OIDs for input to gss_acquire_cred.
+
+   The oid_set parameter must refer to an OID-set that was created by
+   GSSAPI (e.g. a set returned by gss_create_empty_oid_set()).  GSSAPI
+   creates a copy of the member_oid and inserts this copy into the set,
+   expanding the storage allocated to the OID-set's elements array if
+   necessary.  The routine may add the new member OID anywhere within the
+   elements array, and implementations should verify that the new
+   member_oid is not already contained within the elements array.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member_oid        Object ID, read
+                     The object identifier to copied into
+                     the set.
+
+   oid_set           Set of Object ID, modify
+                     The set in which the object identifier
+                     should be inserted.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 37]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.5.  gss_canonicalize_name
+
+   OM_uint32 gss_canonicalize_name (
+        OM_uint32  *             minor_status,
+        const gss_name_t         input_name,
+        const gss_OID            mech_type,
+        gss_name_t *             output_name)
+
+   Purpose:
+
+   Generate a canonical mechanism name (MN) from an arbitrary internal
+   name.  The mechanism name is the name that would be returned to a
+   context acceptor on successful authentication of a context where the
+   initiator used the input_name in a successful call to gss_acquire_cred,
+   specifying an OID set containing <mech_type> as its only member,
+   followed by a call to gss_init_sec_context, specifying <mech_type> as
+   the authentication mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The name for which a canonical form is
+                     desired
+
+   mech_type         Object ID, read
+                     The authentication mechanism for which the
+                     canonical form of the name is desired.  The
+                     desired mechanism must be specified explicitly;
+                     no default is provided.
+
+   output_name       gss_name_t, modify
+                     The resultant canonical name.  Storage
+                     associated with this name must be freed by
+                     the application after use with a call to
+                     gss_release_name().
+
+   Function value:   GSS status code
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 38]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_BAD_MECH    The identified mechanism is not supported.
+
+   GSS_S_BAD_NAMETYPE The provided internal name contains no elements that
+                     could be processed by the sepcified mechanism.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+
+
+
+
+
+
+   7.6.  gss_compare_name
+
+   OM_uint32 gss_compare_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         name1,
+        const gss_name_t         name2,
+        int *                    name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   If either name presented to gss_compare_name denotes an anonymous
+   principal, the routines should indicate that the two names do not refer
+   to the same identity.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   name1             gss_name_t, read
+                     internal-form name
+
+   name2             gss_name_t, read
+                     internal-form name
+
+   name_equal        boolean, modify
+                     non-zero - names refer to same entity
+                     zero - names refer to different entities
+                            (strictly, the names are not known
+                            to refer to the same identity).
+
+   Function value:   GSS status code
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 39]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The two names were of incomparable types.
+
+   GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed
+
+
+
+
+
+
+
+   7.7.  gss_context_time
+
+   OM_uint32 gss_context_time (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        OM_uint32 *              time_rec)
+
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context to be interrogated.
+
+   time_rec          Integer, modify
+                     Number of seconds that the context will remain
+                     valid.  If the context has already expired,
+                     zero will be returned.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 40]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.8.  gss_create_empty_oid_set
+
+   OM_uint32 gss_create_empty_oid_set (
+        OM_uint32  *             minor_status,
+        gss_OID_set *            oid_set)
+
+   Purpose:
+
+   Create an object-identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   gss_add_oid_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   gss_acquire_cred.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   oid_set           Set of Object IDs, modify
+                     The empty object identifier set.
+                     The routine will allocate the
+                     gss_OID_set_desc object, which the
+                     application must free after use with
+                     a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.9.  gss_delete_sec_context
+
+   OM_uint32 gss_delete_sec_context (
+       OM_uint32 *               minor_status,
+       gss_ctx_id_t *            context_handle,
+       gss_buffer_t              output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the local
+   data structures associated with the specified security context, and may
+   generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  If no token
+   is required by the mechanism, the GSS-API should set the length field of
+   the output_token (if provided) to zero.  No further security services
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 41]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   may be obtained using the context specified by context_handle.
+
+   In addition to deleting established security contexts,
+   gss_delete_sec_context must also be able to delete "half-built" security
+   contexts resulting from an incomplete sequence of
+   gss_init_sec_context()/gss_accept_sec_context() calls.
+
+   The output_token parameter is retained for compatibility with version 1
+   of the GSS-API.  It is recommended that both peer applications invoke
+   gss_delete_sec_context passing the value GSS_C_NO_BUFFER for the
+   output_token parameter, indicating that no token is required, and that
+   gss_delete_sec_context should simply delete local context data
+   structures.  If the application does pass a valid buffer to
+   gss_delete_sec_context, mechanisms are encouraged to return a zero-
+   length token, indicating that no peer action is necessary, and that no
+   token should be transferred by the application.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying context to delete.
+                     After deleting the context, the GSSAPI will set
+                     this context handle to GSS_C_NO_CONTEXT.
+
+   output_token      buffer, opaque, modify, optional
+                     token to be sent to remote application to
+                     instruct it to also delete the context.  It
+                     is recommended that applications specify
+                     GSS_C_NO_BUFFER for this parameter, requesting
+                     local deletion only.  If a buffer parameter is
+                     provided by the application, the mechanism may
+                     return a token in it;  mechanisms that implement
+                     only local deletion should set the length field of
+                     this token to zero to indicate to the application
+                     that no token is to be sent to the peer.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  No valid context was supplied
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 42]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.10.  gss_display_name
+
+   OM_uint32 gss_display_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_buffer_t             output_name_buffer,
+        gss_OID *                output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSS-API implementation.
+
+   If input_name denotes an anonymous principal, the implementation should
+   return the gss_OID value GSS_C_NT_ANONYMOUS as the output_name_type, and
+   a textual name that is syntactically distinct from all valid supported
+   printable names in output_name_buffer.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_name        gss_name_t, read
+                     name to be displayed
+
+   output_name_buffer  buffer, character-string, modify
+                     buffer to receive textual name string.
+                     The application must free storage associated
+                     with this name after use with a call to
+                     gss_release_buffer().
+
+   output_name_type  Object ID, modify, optional
+                     The type of the returned name.  The returned
+                     gss_OID will be a pointer into static storage,
+                     and should be treated as read-only by the caller
+                     (in particular, it does not need to be freed).
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    input_name was ill-formed
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 43]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.11.  gss_display_status
+
+   OM_uint32 gss_display_status (
+        OM_uint32 *              minor_status,
+        OM_uint32                status_value,
+        int                      status_type,
+        const gss_OID            mech_type,
+        OM_uint32 *              message_context,
+        gss_buffer_t             status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSS-API
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple conditions, applications may
+   need to call gss_display_status multiple times, each call generating a
+   single text string.  The message_context parameter is used by
+   gss_acquire_cred to store state information about which error messages
+   have already been extracted from a given status_value; message_context
+   must be initialized to 0 by the application prior to the first call, and
+   gss_display_status will return a non-zero value in this parameter if
+   there are further messages to extract.  The message_context parameter
+   contains all state information required by gss_display_status in order
+   to extract further messages from the status_value;  even when a non-zero
+   value is returned in this parameter, the application is not required to
+   call gss_display_status again unless subsequent messages are desired.
+   The following code extracts all messages from a given status code and
+   prints them to stderr:
+
+
+       OM_uint32 message_context;
+       OM_uint32 status_code;
+       OM_uint32 maj_status;
+       OM_uint32 min_status;
+       gss_buffer_desc status_string;
+
+       ...
+
+       message_context = 0;
+
+       do {
+
+           maj_status = gss_display_status (&min_status,
+                                            status_code,
+                                            GSS_C_GSS_CODE,
+                                            GSS_C_NO_OID,
+                                            &message_context,
+                                            &status_string)
+
+           fprintf(stderr,
+                   "%.*s\n",
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 44]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                   status_string.length,
+                   status_string.value);
+
+           gss_release_buffer(&min_status,
+                              &status_string);
+
+       } while (message_context != 0);
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   status_value      Integer, read
+                     Status value to be converted
+
+   status_type       Integer, read
+                     GSS_C_GSS_CODE - status_value is a GSS status
+                                      code
+                     GSS_C_MECH_CODE - status_value is a mechanism
+                                       status code
+
+   mech_type         Object ID, read, optional
+                     Underlying mechanism (used to interpret a
+                     minor status value) Supply GSS_C_NO_OID to
+                     obtain the system default.
+
+   message_context   Integer, read/modify
+                     Should be initialized to zero by the
+                     application prior to the first call.
+                     On return from gss_display_status(),
+                     a non-zero status_value parameter indicates
+                     that additional messages may be extracted
+                     from the status code via subsequent calls
+                     to gss_display_status(), passing the same
+                     status_value, status_type, mech_type, and
+                     message_context parameters.
+
+   status_string     buffer, character string, modify
+                     textual interpretation of the status_value.
+                     Storage associated with this parameter must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 45]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_MECH    Indicates that translation in accordance with an
+                     unsupported mechanism type was requested
+
+   GSS_S_BAD_STATUS  The status value was not recognized, or the status
+                     type was neither GSS_C_GSS_CODE nor GSS_C_MECH_CODE.
+
+
+
+
+
+
+
+   7.12.  gss_duplicate_name
+
+   OM_uint32 gss_duplicate_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         src_name,
+        gss_name_t *             dest_name)
+
+   Purpose:
+
+   Create an exact duplicate of the existing internal name src_name.  The
+   new dest_name will be independent of src_name (i.e. src_name and
+   dest_name must both be released, and the release of one shall not affect
+   the validity of the other).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   src_name          gss_name_t, read
+                     internal name to be duplicated.
+
+   dest_name         gss_name_t, modify
+                     The resultant copy of <src_name>.
+                     Storage associated with this name must
+                     be freed by the application after use
+                     with a call to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The src_name parameter was ill-formed.
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 46]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.13.  gss_export_name
+
+   OM_uint32 gss_export_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_buffer_t             exported_name)
+
+   Purpose:
+
+   To produce a canonical contiguous string representation of a mechanism
+   name (MN), suitable for direct comparison (e.g. with memcmp) for use in
+   authorization functions (e.g. matching entries in an access-control
+   list).
+
+   The <input_name> parameter must specify a valid MN (i.e. an internal
+   name generated by gss_accept_sec_context or by gss_canonicalize_name).
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The MN to be exported
+
+   exported_name     gss_buffer_t, octet-string, modify
+                     The canonical contiguous string form of
+                     <input_name>.  Storage associated with
+                     this string must freed by the application
+                     after use with gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NAME_NOT_MN The provided internal name was not a mechanism name.
+
+   GSS_S_BAD_NAME    The provide internal name was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The internal name was of a type not supported by the
+                     GSSAPI implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 47]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.14.  gss_export_sec_context
+
+   OM_uint32 gss_export_sec_context (
+        OM_uint32  *             minor_status,
+        gss_ctx_id_t *           context_handle,
+        gss_buffer_t             interprocess_token)
+
+   Purpose:
+
+   Provided to support the sharing of work between multiple processes.
+   This routine will typically be used by the context-acceptor, in an
+   application where a single process receives incoming connection requests
+   and accepts security contexts over them, then passes the established
+   context to one or more other processes for message exchange.
+   gss_export_sec_context() deactivates the security context for the
+   calling process and creates an interprocess token which, when passed to
+   gss_import_sec_context in another process, will re-activate the context
+   in the second process. Only a single instantiation of a given context
+   may be active at any one time; a subsequent attempt by a context
+   exporter to access the exported security context will fail.
+
+   The implementation may constrain the set of processes by which the
+   interprocess token may be imported, either as a function of local
+   security policy, or as a result of implementation decisions.  For
+   example, some implementations may constrain contexts to be passed only
+   between processes that run under the same account, or which are part of
+   the same process group.
+
+   The interprocess token may contain security-sensitive information (for
+   example cryptographic keys).  While mechanisms are encouraged to either
+   avoid placing such sensitive information within interprocess tokens, or
+   to encrypt the token before returning it to the application, in a
+   typical object-library GSSAPI implementation this may not be possible.
+   Thus the application must take care to protect the interprocess token,
+   and ensure that any process to which the token is transferred is
+   trustworthy.
+
+   If creation of the interprocess token is succesful, the implementation
+   shall deallocate all process-wide resources associated with the security
+   context, and set the context_handle to GSS_C_NO_CONTEXT.  In the event
+   of an error that makes it impossible to complete the export of the
+   security context, the implementation must not return an interprocess
+   token, and should strive to leave the security context referenced by the
+   context_handle parameter untouched.  If this is impossible, it is
+   permissible for the implementation to delete the security context,
+   providing it also sets the context_handle parameter to GSS_C_NO_CONTEXT.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 48]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying the context to transfer.
+
+   interprocess_token   buffer, opaque, modify
+                        token to be transferred to target process.
+                        Storage associated with this token must be
+                        freed by the application after use with a
+                        call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has expired
+
+   GSS_S_NO_CONTEXT  The context was invalid
+
+   GSS_S_UNAVAILABLE The operation is not supported.
+
+
+
+
+
+
+
+   7.15.  gss_get_mic
+
+   OM_uint32 gss_get_mic (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        gss_qop_t                qop_req,
+        const gss_buffer_t       message_buffer,
+        gss_buffer_t             msg_token)
+
+   Purpose:
+
+   Generates a cryptographic MIC for the supplied message, and places the
+   MIC in a token for transfer to the peer application.  The qop_req
+   parameter allows a choice between several cryptographic algorithms, if
+   supported by the chosen mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     identifies the context on which the message
+                     will be sent
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 49]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies requested quality of protection.
+                     Callers are encouraged, on portability grounds,
+                     to accept the default quality of protection
+                     offered by the chosen mechanism, which may be
+                     requested by specifying GSS_C_QOP_DEFAULT for
+                     this parameter.  If an unsupported protection
+                     strength is requested, gss_get_mic will return a
+                     major_status of GSS_S_BAD_QOP.
+
+   message_buffer    buffer, opaque, read
+                     message to be protected
+
+   msg_token         buffer, opaque, modify
+                     buffer to receive token.  The application must
+                     free storage associated with this buffer after
+                     use with a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+   7.16.  gss_import_name
+
+   OM_uint32 gss_import_name (
+        OM_uint32 *              minor_status,
+        const gss_buffer_t       input_name_buffer,
+        const gss_OID            input_name_type,
+        gss_name_t *             output_name)
+
+   Purpose:
+
+   Convert a contiguous string name to internal form.  In general, the
+   internal name returned (via the <output_name> parameter) will not be an
+   MN; the exception to this is if the <input_name_type> indicates that the
+   contiguous string provided via the <input_name_buffer> parameter is of
+   type GSS_C_NT_EXPORT_NAME, in which case the returned internal name will
+   be an MN for the mechanism that exported the name.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 50]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name_buffer  buffer, octet-string, read
+                     buffer containing contiguous string name to convert
+
+   input_name_type   Object ID, read, optional
+                     Object ID specifying type of printable
+                     name.  Applications may specify either
+                     GSS_C_NO_OID to use a mechanism-specific
+                     default printable syntax, or an OID registered
+                     by the GSS-API implementation to name a
+                     specific namespace.
+
+   output_name       gss_name_t, modify
+                     returned name in internal form.  Storage
+                     associated with this name must be freed
+                     by the application after use with a call
+                     to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+   GSS_S_BAD_NAME    The input_name parameter could not be interpreted as a
+                     name of the specified type
+
+
+
+
+
+
+
+
+   7.17.  gss_import_sec_context
+
+   OM_uint32 gss_import_sec_context (
+        OM_uint32  *             minor_status,
+        const gss_buffer_t       interprocess_token,
+        gss_ctx_id_t *           context_handle)
+
+   Purpose:
+
+   Allows a process to import a security context established by another
+   process.  A given interprocess token may be imported only once.  See
+   gss_export_sec_context.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 51]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   interprocess_token  buffer, opaque, modify
+                     token received from exporting process
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle of newly reactivated context.
+                     Resources associated with this context handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_NO_CONTEXT  The token did not contain a valid context reference.
+
+   GSS_S_DEFECTIVE_TOKEN The token was invalid.
+
+   GSS_S_UNAVAILABLE The operation is unavailable.
+
+   GSS_S_UNAUTHORIZED Local policy prevents the import of this context by
+                     the current process..
+
+
+
+
+
+
+
+   7.18.  gss_indicate_mechs
+
+   OM_uint32 gss_indicate_mechs (
+        OM_uint32 *              minor_status,
+        gss_OID_set *            mech_set)
+
+   Purpose:
+
+   Allows an application to determine which underlying security mechanisms
+   are available.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 52]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   mech_set          set of Object IDs, modify
+                     set of implementation-supported mechanisms.
+                     The returned gss_OID_set value will be a
+                     dynamically-allocated OID set, that should
+                     be released by the caller after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.19.  gss_init_sec_context
+
+   OM_uint32 gss_init_sec_context (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      initiator_cred_handle,
+        gss_ctx_id_t *           context_handle,
+        const gss_name_t         target_name,
+        const gss_OID            mech_type,
+        OM_uint32                req_flags,
+        OM_uint32                time_req,
+        const gss_channel_bindings_t
+                                 input_chan_bindings,
+        const gss_buffer_t       input_token
+        gss_OID *                actual_mech_type,
+        gss_buffer_t             output_token,
+        OM_uint32 *              ret_flags,
+        OM_uint32 *              time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified either as GSS_C_NO_BUFFER, or as a pointer to a
+   gss_buffer_desc object whose length field contains the value zero.  The
+   routine may return a output_token which should be transferred to the
+   peer application, where the peer application will present it to
+   gss_accept_sec_context.  If no token need be sent, gss_init_sec_context
+   will indicate this by setting the length field of the output_token
+   argument to zero.  To complete the context establishment, one or more
+   reply tokens may be required from the peer application; if so,
+   gss_init_sec_context will return a status containing the supplementary
+   information bit GSS_S_CONTINUE_NEEDED.  In this case,
+   gss_init_sec_context should be called again when the reply token is
+   received from the peer application, passing the reply token to
+   gss_init_sec_context via the input_token parameters.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 53]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Portable applications should be constructed to use the token length and
+   return status to determine whether a token needs to be sent or waited
+   for.  Thus a typical portable caller should always invoke
+   gss_init_sec_context within a loop:
+
+       int context_established = 0;
+       gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+       ...
+       input_token->length = 0;
+
+       while (!context_established) {
+          maj_stat = gss_init_sec_context(&min_stat,
+                                          cred_hdl,
+                                          &context_hdl,
+                                          target_name,
+                                          desired_mech,
+                                          desired_services,
+                                          desired_time,
+                                          input_bindings,
+                                          input_token,
+                                          &actual_mech,
+                                          output_token,
+                                          &actual_services,
+                                          &actual_time);
+          if (GSS_ERROR(maj_stat)) {
+             report_error(maj_stat, min_stat);
+          };
+          if (output_token->length != 0) {
+             send_token_to_peer(output_token);
+             gss_release_buffer(&min_stat,
+                                output_token)
+          };
+          if (GSS_ERROR(maj_stat)) {
+             if (context_hdl != GSS_C_NO_CONTEXT)
+                gss_delete_sec_context(&min_stat,
+                                       &context_hdl,
+                                       GSS_C_NO_BUFFER);
+             break;
+          };
+          if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+             receive_token_from_peer(input_token);
+          } else {
+             context_established = 1;
+          };
+       };
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 54]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     (a) The value returned via the time_rec parameter is undefined
+
+     (b) Unless the accompanying ret_flags parameter contains the bit
+         GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+         applied in advance of a successful completion status, the value
+         returned via the actual_mech_type parameter is undefined until the
+         routine returns a major status value of GSS_S_COMPLETE.
+
+     (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+         GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+         GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+         ret_flags parameter should contain the values that the
+         implementation expects would be valid if context establishment
+         were to succeed.  In particular, if the application has requested
+         a service such as delegation or anonymous authentication via the
+         req_flags argument, and such a service is unavailable from the
+         underlying mechanism, gss_init_sec_context should generate a token
+         that will not provide the service, and indicate via the ret_flags
+         argument that the service will not be supported.  The application
+         may choose to abort the context establishment by calling
+         gss_delete_sec_context (if it cannot continue in the absence of
+         the service), or it may choose to transmit the token and continue
+         context establishment (if the service was merely desired but not
+         mandatory).
+
+         The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+         within ret_flags should indicate the actual state at the time
+         gss_init_sec_context returns, whether or not the context is fully
+         established.
+
+         Although this requires that GSSAPI implementations set the
+         GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+         (i.e. when accompanied by a GSS_S_COMPLETE status code),
+         applications should not rely on this behavior as the flag was not
+         defined in Version 1 of the GSSAPI. Instead, applications should
+         be prepared to use per-message services after a successful context
+         establishment, according to the GSS_C_INTEG_FLAG and
+         GSS_C_CONF_FLAG values.
+
+         All other bits within the ret_flags argument should be set to
+         zero.
+
+   If the initial call of gss_init_sec_context() fails, the implementation
+   should not create a context object, and should leave the value of the
+   context_handle parameter set to GSS_C_NO_CONTEXT to indicate this.  In
+   the event of a failure on a subsequent call, the implementation is
+   permitted to delete the "half-built" security context (in which case it
+   should set the context_handle parameter to GSS_C_NO_CONTEXT), but the
+   preferred behavior is to leave the security context untouched for the
+   application to delete (using gss_delete_sec_context).
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 55]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer,  modify
+                     Mechanism specific status code.
+
+   initiator_cred_handle  gss_cred_id_t, read, optional
+                     handle for credentials claimed.  Supply
+                     GSS_C_NO_CREDENTIAL to act as a default
+                     initiator principal.  If no default
+                     initiator is defined, the function will
+                     return GSS_S_NO_CRED.
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned by first call in continuation calls.
+                     Resources associated with this context-handle
+                     must be released by the application after use
+                     with a call to gee_delete_sec_context().
+
+   target_name       gss_name_t, read
+                     Name of target
+
+   mech_type         OID, read, optional
+                     Object ID of desired mechanism. Supply
+                     GSS_C_NO_OID to obtain an implementation
+                     specific default
+
+   req_flags         bit-mask, read
+                     Contains various independent flags, each of
+                     which requests that the context support a
+                     specific service option.  Symbolic
+                     names are provided for each flag, and the
+                     symbolic names corresponding to the required
+                     flags should be logically-ORed
+                     together to form the bit-mask value.  The
+                     flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Delegate credentials to remote peer
+                           False - Don't delegate
+                     GSS_C_MUTUAL_FLAG
+                           True - Request that remote peer
+                                  authenticate itself
+                           False - Authenticate self to remote peer
+                                   only
+                     GSS_C_REPLAY_FLAG
+                           True - Enable replay detection for
+                                  messages protected with gss_wrap
+                                  or gss_get_mic
+                           False - Don't attempt to detect
+                                   replayed messages
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 56]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     GSS_C_SEQUENCE_FLAG
+                           True - Enable detection of out-of-sequence
+                                  protected messages
+                           False - Don't attempt to detect
+                                   out-of-sequence messages
+                     GSS_C_ANON_FLAG
+                           True - Do not reveal the initiator's
+                                  identity to the acceptor.
+                           False - Authenticate normally.
+
+   time_req          Integer, read, optional
+                     Desired number of seconds for which context
+                     should remain valid.  Supply 0 to request a
+                     default validity period.
+
+   input_chan_bindings  channel bindings, read, optional
+                     Application-specified bindings.  Allows
+                     application to securely bind channel
+                     identification information to the security
+                     context.  Specify GSS_C_NO_CHANNEL_BINDINGS
+                     if channel bindings are not used.
+
+   input_token       buffer, opaque, read, optional (see text)
+                     Token received from peer application.
+                     Supply GSS_C_NO_BUFFER, or a pointer to
+                     a buffer containing the value GSS_C_EMPTY_BUFFER
+                     on initial call.
+
+   actual_mech_type  OID, modify, optional
+                     Actual mechanism used.  The OID returned via
+                     this parameter will be a pointer to static
+                     storage that should be treated as read-only;
+                     In particular the application should not attempt
+                     to free it.  Specify NULL if not required.
+
+   output_token      buffer, opaque, modify
+                     token to be sent to peer application.  If
+                     the length field of the returned buffer is
+                     zero, no token need be sent to the peer
+                     application.  Storage associated with this
+                     buffer must be freed by the application
+                     after use with a call to gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of which
+                     indicates that the context supports a specific
+                     service option.  Specify NULL if not
+                     required.  Symbolic names are provided
+                     for each flag, and the symbolic names
+                     corresponding to the required flags should be
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 57]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     logically-ANDed with the ret_flags value to test
+                     whether a given option is supported by the
+                     context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Credentials were delegated to
+                                  the remote peer
+                           False - No credentials were delegated
+                     GSS_C_MUTUAL_FLAG
+                           True - Remote peer has been asked to
+                                  authenticated itself
+                           False - Remote peer has not been asked to
+                                   authenticate itself
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will
+                                   not be detected
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be
+                                  invoked by calling gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator's identity has not been
+                                  revealed, and will not be revealed if
+                                  any emitted token is passed to the
+                                  acceptor.
+                           False - The initiator's identity has been or
+                                   will be authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available for
+                                  use if the accompanying major status
+                                  return value is either GSS_S_COMPLETE or
+                                  GSS_S_CONTINUE_NEEDED.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 58]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the accompanying major status
+                                   return value is GSS_S_COMPLETE.
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. If the implementation does
+                     not support context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application
+                     is required to complete the context, and that
+                     gss_init_sec_context must be called again with that
+                     token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed
+                     on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     initiation, or the credential handle did not reference
+                     any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel bindings
+                     to those specified via the input_chan_bindings
+                     parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC, or a MIC that
+                     could not be verified
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 59]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a
+                     token already processed.  This is a fatal error during
+                     context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                     invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_BAD_MECH    The specified mechanism is not supported by the
+                     provided credential, or is unrecognized by the
+                     implementation.
+
+
+
+
+
+
+
+   7.20.  gss_inquire_context
+
+   OM_uint32 gss_inquire_context (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        gss_name_t *             src_name,
+        gss_name_t *             targ_name,
+        OM_uint32 *              lifetime_rec,
+        gss_OID *                mech_type,
+        OM_uint32 *              ctx_flags,
+        int *                    locally_initiated,
+        int *                    open )
+
+   Purpose:
+
+   Obtains information about a security context.  The caller must already
+   have obtained a handle that refers to the context, although the context
+   need not be fully established.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security context.
+
+   src_name          gss_name_t, modify, optional
+                     The name of the context initiator.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 60]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     If the context was established using anonymous
+                     authentication, and if the application invoking
+                     gss_inquire_context is the context acceptor,
+                     an anonymous name will be returned.  Storage
+                     associated with this name must be freed by the
+                     application after use with a call to
+                     gss_release_name().  Specify NULL if not
+                     required.
+
+   targ_name         gss_name_t, modify, optional
+                     The name of the context acceptor.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     Specify NULL if not required.
+
+   lifetime_rec      Integer, modify, optional
+                     The number of seconds for which the context
+                     will remain valid.  If the context has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   mech_type         gss_OID, modify, optional
+                     The security mechanism providing the
+                     context.  The returned OID will be a
+                     pointer to static storage that should
+                     be treated as read-only by the application;
+                     in particular the application should not
+                     attempt to free it.  Specify NULL if not
+                     required.
+
+   ctx_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports
+                     (or is expected to support, if ctx_open is
+                     false) a specific service option.  If not
+                     needed, specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Credentials were delegated from
+                                  the initiator to the acceptor.
+                           False - No credentials were delegated
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 61]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+                     GSS_C_MUTUAL_FLAG
+                           True - The acceptor was authenticated
+                                  to the initiator
+                           False - The acceptor did not authenticate
+                                   itself.
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will not
+                                   be detected
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be invoked
+                                  by calling gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator's identity will not
+                                  be revealed to the acceptor.
+                                  The src_name parameter (if
+                                  requested) contains an anonymous
+                                  internal name.
+                           False - The initiator has been
+                                   authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available
+                                  for use.
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the context is fully
+                                   established (i.e. if the open parameter
+                                   is non-zero).
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+
+   Wray             Document Expiration: 1 September 1997         [Page 62]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+
+
+   locally_initiated Boolean, modify
+                     Non-zero if the invoking application is the
+                     context initiator.
+                     Specify NULL if not required.
+
+   open              Boolean, modify
+                     Non-zero if the context is fully established;
+                     Zero if a context-establishment token
+                     is expected from the peer application.
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.  If the lifetime_rec
+                     parameter was requested, it will be set to 0.
+
+
+
+
+
+
+
+   7.21.  gss_inquire_cred
+
+   OM_uint32 gss_inquire_cred (
+        OM_uint32  *             minor_status,
+        const gss_cred_id_t      cred_handle,
+        gss_name_t *             name,
+        OM_uint32 *              lifetime,
+        gss_cred_usage_t *       cred_usage,
+        gss_OID_set *            mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.  The caller must already have
+   obtained a handle that refers to the credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 63]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name should be freed
+                     by the application after use with a call to
+                     gss_release_name().  Specify NULL if not required.
+
+   lifetime          Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain valid.  If the credential has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     credential expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used.  One of the
+                     following:
+                        GSS_C_INITIATE
+                        GSS_C_ACCEPT
+                        GSS_C_BOTH
+                     Specify NULL if not required.
+
+   mechanisms        gss_OID_set, modify, optional
+                     Set of mechanisms supported by the credential.
+                     Storage associated with this OID set must be
+                     freed by the application after use with a call
+                     to gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.  If
+                     the lifetime parameter was not passed as NULL, it will
+                     be set to 0.
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 64]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.22.  gss_inquire_cred_by_mech
+
+   OM_uint32 gss_inquire_cred_by_mech (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      cred_handle,
+        const gss_OID            mech_type,
+        gss_name_t *             name,
+        OM_uint32 *              initiator_lifetime,
+        OM_uint32 *              acceptor_lifetime,
+        gss_cred_usage_t *       cred_usage )
+
+   Purpose:
+
+   Obtains per-mechanism information about a credential.  The caller must
+   already have obtained a handle that refers to the credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   mech_type         gss_OID, read
+                     The mechanism for which information should be
+                     returned.
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     required.
+
+   initiator_lifetime  Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of initiating security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to initiate contexts, or if
+                     the credential usage for this mechanism is
+   GSS_C_ACCEPT,
+                     this parameter will be set to zero.  If the
+                     implementation does not support expiration of
+                     initiator credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   acceptor_lifetime Integer, modify, optional
+                     The number of seconds for which the credential
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 65]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     will remain capable of accepting security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to accept contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_INITIATE, this parameter will be set to zero.
+                     If the implementation does not support expiration
+                     of acceptor credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used with the specified
+                     mechanism.  One of the following:
+                        GSS_C_INITIATE
+                        GSS_C_ACCEPT
+                        GSS_C_BOTH
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.  If
+                     the lifetime parameter was not passed as NULL, it will
+                     be set to 0.
+
+
+
+
+
+
+
+   7.23.  gss_inquire_mechs_for_name
+
+   OM_uint32 gss_inquire_mechs_for_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_OID_set *            mech_types )
+
+   Purpose:
+
+   Returns the set of mechanisms supported by the GSSAPI implementation
+   that may be able to process the specified name.
+
+   Each mechanism returned will recognize at least one element within the
+   name.  It is permissible for this routine to be implemented within a
+   mechanism-independent GSSAPI layer, using the type information contained
+   within the presented name, and based on registration information
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 66]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   provided by individual mechanism implementations.  This means that the
+   returned mech_types set may indicate that a particular mechanism will
+   understand the name when in fact it would refuse to accept the name as
+   input to gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred
+   or gss_add_cred (due to some property of the specific name, as opposed
+   to the name type).  Thus this routine should be used only as a pre-
+   filter for a call to a subsequent mechanism-specific routine.
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   input_name        gss_name_t, read
+                     The name to which the inquiry relates.
+
+   mech_types        gss_OID_set, modify
+                     Set of mechanisms that may support the
+                     specified name.  The returned OID set
+                     must be freed by the caller after use
+                     with a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The input_name parameter was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or
+                     unsupported type of name
+
+
+
+
+
+
+   7.24.  gss_inquire_names_for_mech
+
+   OM_uint32 gss_inquire_names_for_mech (
+        OM_uint32 *              minor_status,
+        const gss_OID            mechanism,
+        gss_OID_set *            name_types)
+
+   Purpose:
+
+   Returns the set of nametypes supported by the specified mechanism.
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 67]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   mechanism         gss_OID, read
+                     The mechanism to be interrogated.
+
+   name_types        gss_OID_set, modify
+                     Set of name-types supported by the specified
+                     mechanism.  The returned OID set must be
+                     freed by the application after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.25.  gss_process_context_token
+
+   OM_uint32 gss_process_context_token (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       token_buffer)
+
+   Purpose:
+
+   Provides a way to pass a token to the security service.  Used with
+   tokens emitted by gss_delete_sec_context.  Note that mechanisms are
+   encouraged to perform local deletion, and not emit tokens from
+   gss_delete_sec_context.  This routine, therefore, is primarily for
+   backwards compatibility with V1 applications.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     context handle of context on which token is to
+                     be processed
+
+   token_buffer      buffer, opaque, read
+                     token to process
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 68]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     token failed
+
+   GSS_S_NO_CONTEXT  The context_handle did not refer to a valid context
+
+
+
+
+
+
+
+   7.26.  gss_release_buffer
+
+   OM_uint32 gss_release_buffer (
+        OM_uint32 *              minor_status,
+        gss_buffer_t             buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer.  The storage must have been
+   allocated by a GSS-API routine.  In addition to freeing the associated
+   storage, the routine will zero the length field in the descriptor to
+   which the buffer parameter refers.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   buffer            buffer, modify
+                     The storage associated with the buffer will be
+                     deleted.  The gss_buffer_desc object will not
+                     be freed, but its length field will be zeroed.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 69]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.27.  gss_release_cred
+
+   OM_uint32 gss_release_cred (
+        OM_uint32 *              minor_status,
+        gss_cred_id_t *          cred_handle)
+
+   Purpose:
+
+   Informs GSS-API that the specified credential handle is no longer
+   required by the application, and frees associated resources.
+
+   Parameters:
+
+   cred_handle       gss_cred_id_t, modify, optional
+                     Opaque handle identifying credential
+                     to be released.  If GSS_C_NO_CREDENTIAL
+                     is supplied, the routine will complete
+                     successfully, but will do nothing.
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+   7.28.  gss_release_name
+
+   OM_uint32 gss_release_name (
+        OM_uint32 *              minor_status,
+        gss_name_t *             name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage by associated with an internal-form name.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   name              gss_name_t, modify
+                     The name to be deleted
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 70]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+
+
+
+
+
+
+   7.29.  gss_release_oid_set
+
+   OM_uint32 gss_release_oid_set (
+        OM_uint32 *              minor_status,
+        gss_OID_set *            set)
+
+   Purpose:
+
+   Free storage associated with a GSSAPI-generated gss_OID_set object.  The
+   set parameter must refer to an OID-set that was returned from a GSSAPI
+   routine.  gss_release_oid_set() will free the storage associated with
+   each individual member OID, the OID set's elements array, and the
+   gss_OID_set_desc.
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   set               Set of Object IDs, modify
+                     The storage associated with the gss_OID_set
+                     will be deleted.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 71]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.30.  gss_test_oid_set_member
+
+   OM_uint32 gss_test_oid_set_member (
+        OM_uint32  *             minor_status,
+        const gss_OID            member,
+        const gss_OID_set        set,
+        int *                    present)
+
+   Purpose:
+
+   Interrogate an Object Identifier set to determine whether a specified
+   Object Identifier is a member.  This routine is intended to be used with
+   OID sets returned by gss_indicate_mechs(), gss_acquire_cred(), and
+   gss_inquire_cred(), but will also work with user-generated sets.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member            Object ID, read
+                     The object identifier whose presence
+                     is to be tested.
+
+   set               Set of Object ID, read
+                     The Object Identifier set.
+
+   present           Boolean, modify
+                     non-zero if the specified OID is a member
+                     of the set, zero if not.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.31.  gss_unwrap
+
+   OM_uint32 gss_unwrap (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       input_message_buffer,
+        gss_buffer_t             output_message_buffer,
+        int *                    conf_state,
+        gss_qop_t *              qop_state)
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 72]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Converts a message previously protected by gss_wrap back to a usable
+   form, verifying the embedded MIC.  The conf_state parameter indicates
+   whether the message was encrypted; the qop_state parameter indicates the
+   strength of protection that was used to provide the confidentiality and
+   integrity services.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   input_message_buffer  buffer, opaque, read
+                     protected message
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive unwrapped message.
+                     Storage associated with this buffer must
+                     be freed by the application after use use
+                     with a call to gss_release_buffer().
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality and integrity protection
+                                were used
+                     Zero - Integrity service only was used
+                     Specify NULL if not required
+
+   qop_state         gss_qop_t, modify, optional
+                     Quality of protection gained from MIC.
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but it had already been processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but it is too old to check for
+                     duplication.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 73]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence; a
+                     later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence;
+                     an earlier expected token has not yet been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+   7.32.  gss_verify_mic
+
+   OM_uint32 gss_verify_mic (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       message_buffer,
+        const gss_buffer_t       token_buffer,
+        gss_qop_t *              qop_state)
+
+   Purpose:
+
+   Verifies that a cryptographic MIC, contained in the token parameter,
+   fits the supplied message.  The qop_state parameter allows a message
+   recipient to determine the strength of protection that was applied to
+   the message.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   message_buffer    buffer, opaque, read
+                     Message to be verified
+
+   token_buffer      buffer, opaque, read
+                     Token associated with message
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 74]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   qop_state         gss_qop_t, modify, optional
+                     quality of protection gained from MIC
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but it had already been processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but it is too old to check for
+                     duplication.
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence; a
+                     later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence;
+                     an earlier expected token has not yet been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+   7.33.  gss_wrap
+
+   OM_uint32 gss_wrap (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        int                      conf_req_flag,
+        gss_qop_t                qop_req
+        const gss_buffer_t       input_message_buffer,
+        int *                    conf_state,
+        gss_buffer_t             output_message_buffer )
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 75]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Attaches a cryptographic MIC and optionally encrypts the specified
+   input_message.  The output_message contains both the MIC and the
+   message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted by
+   gss_wrap() to provide "secure framing", implementations should support
+   the wrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     will be sent
+
+   conf_req_flag     boolean, read
+                     Non-zero - Both confidentiality and integrity
+                                services are requested
+                     Zero - Only integrity service is requested
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies required quality of protection.  A
+                     mechanism-specific default may be requested by
+                     setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                     unsupported protection strength is requested,
+                     gss_wrap will return a major_status of
+                     GSS_S_BAD_QOP.
+
+   input_message_buffer  buffer, opaque, read
+                     Message to be protected
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality, data origin
+                                authentication and integrity
+                                services have been applied
+                     Zero - Integrity and data origin services only
+                            has been applied.
+                     Specify NULL if not required
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive protected message.
+                     Storage associated with this message must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 76]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+   7.34.  gss_wrap_size_limit
+
+   OM_uint32 gss_wrap_size_limit (
+        OM_uint32  *             minor_status,
+        const gss_ctx_id_t       context_handle,
+        int                      conf_req_flag,
+        gss_qop_t                qop_req,
+        OM_uint32                req_output_size,
+        OM_uint32 *              max_input_size)
+
+   Purpose:
+
+   Allows an application to determine the maximum message size that, if
+   presented to gss_wrap with the same conf_req_flag and qop_req
+   parameters, will result in an output token containing no more than
+   req_output_size bytes.
+
+   This call is intended for use by applications that communicate over
+   protocols that impose a maximum message size.  It enables the
+   application to fragment messages prior to applying protection.
+
+   Successful completion of this call does not guarantee that gss_wrap will
+   be able to protect a message of length max_input_size bytes, since this
+   ability may depend on the availability of system resources at the time
+   that gss_wrap is called.  However, if the implementation itself imposes
+   an upper limit on the length of messages that may be processed by
+   gss_wrap, the implementation should not return a value via
+   max_input_bytes that is greater than this length.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security over
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 77]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     which the messages will be sent.
+
+   conf_req_flag     Boolean, read
+                     Indicates whether gss_wrap will be asked
+                     to apply confidentiality protection in
+                     addition to integrity protection.  See
+                     the routine description for gss_wrap
+                     for more details.
+
+   qop_req           gss_qop_t, read
+                     Indicates the level of protection that
+                     gss_wrap will be asked to provide.  See
+                     the routine description for gss_wrap for
+                     more details.
+
+   req_output_size   Integer, read
+                     The desired maximum size for tokens emitted
+                     by gss_wrap.
+
+   max_input_size    Integer, modify
+                     The maximum input message size that may
+                     be presented to gss_wrap in order to
+                     guarantee that the emitted token shall
+                     be no larger than req_output_size bytes.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 78]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   APPENDIX A. GSS-API C header file gssapi.h
+
+   C-language GSS-API implementations should include a copy of the
+   following header-file.
+
+   #ifndef GSSAPI_H_
+   #define GSSAPI_H_
+
+
+
+   /*
+    * First, include stddef.h to get size_t defined.
+    */
+   #include <stddef.h>
+
+   /*
+    * If the platform supports the xom.h header file, it should be
+    * included here.
+    */
+   #include <xom.h>
+
+
+
+   /*
+    * Now define the three implementation-dependent types.
+    */
+   typedef <platform-specific> gss_ctx_id_t;
+   typedef <platform-specific> gss_cred_id_t;
+   typedef <platform-specific> gss_name_t;
+
+   /*
+    * The following type must be defined as the smallest natural
+    * unsigned integer supported by the platform that has at least
+    * 32 bits of precision.
+    */
+   typedef <platform-specific> gss_uint32;
+
+
+   #ifdef OM_STRING
+   /*
+    * We have included the xom.h header file.  Verify that OM_uint32
+    * is defined correctly.
+    */
+
+   #if sizeof(gss_uint32) != sizeof(OM_uint32)
+   #error Incompatible definition of OM_uint32 from xom.h
+   #endif
+
+   typedef OM_object_identifier gss_OID_desc, *gss_OID;
+
+   #else
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 79]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * We can't use X/Open definitions, so roll our own.
+    */
+
+   typedef gss_uint32 OM_uint32;
+
+   typedef struct gss_OID_desc_struct {
+         OM_uint32 length;
+         void      *elements;
+   } gss_OID_desc, *gss_OID;
+
+   #endif
+
+   typedef struct gss_OID_set_desc_struct  {
+         size_t     count;
+         gss_OID    elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   typedef struct gss_buffer_desc_struct {
+         size_t length;
+         void *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   typedef struct gss_channel_bindings_struct {
+         OM_uint32 initiator_addrtype;
+         gss_buffer_desc initiator_address;
+         OM_uint32 acceptor_addrtype;
+         gss_buffer_desc acceptor_address;
+         gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+
+   /*
+    * For now, define a QOP-type as an OM_uint32
+    */
+   typedef OM_uint32 gss_qop_t;
+
+   typedef int gss_cred_usage_t;
+
+   /*
+    * Flag bits for context-level services.
+    */
+   #define GSS_C_DELEG_FLAG 1
+   #define GSS_C_MUTUAL_FLAG 2
+   #define GSS_C_REPLAY_FLAG 4
+   #define GSS_C_SEQUENCE_FLAG 8
+   #define GSS_C_CONF_FLAG 16
+   #define GSS_C_INTEG_FLAG 32
+   #define GSS_C_ANON_FLAG 64
+   #define GSS_C_PROT_READY_FLAG 128
+   #define GSS_C_TRANS_FLAG 256
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 80]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * Credential usage options
+    */
+   #define GSS_C_BOTH 0
+   #define GSS_C_INITIATE 1
+   #define GSS_C_ACCEPT 2
+
+   /*
+    * Status code types for gss_display_status
+    */
+   #define GSS_C_GSS_CODE 1
+   #define GSS_C_MECH_CODE 2
+
+   /*
+    * The constant definitions for channel-bindings address families
+    */
+   #define GSS_C_AF_UNSPEC     0
+   #define GSS_C_AF_LOCAL      1
+   #define GSS_C_AF_INET       2
+   #define GSS_C_AF_IMPLINK    3
+   #define GSS_C_AF_PUP        4
+   #define GSS_C_AF_CHAOS      5
+   #define GSS_C_AF_NS         6
+   #define GSS_C_AF_NBS        7
+   #define GSS_C_AF_ECMA       8
+   #define GSS_C_AF_DATAKIT    9
+   #define GSS_C_AF_CCITT      10
+   #define GSS_C_AF_SNA        11
+   #define GSS_C_AF_DECnet     12
+   #define GSS_C_AF_DLI        13
+   #define GSS_C_AF_LAT        14
+   #define GSS_C_AF_HYLINK     15
+   #define GSS_C_AF_APPLETALK  16
+   #define GSS_C_AF_BSC        17
+   #define GSS_C_AF_DSS        18
+   #define GSS_C_AF_OSI        19
+   #define GSS_C_AF_X25        21
+
+   #define GSS_C_AF_NULLADDR   255
+
+   /*
+    * Various Null values
+    */
+   #define GSS_C_NO_NAME ((gss_name_t) 0)
+   #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+   #define GSS_C_NO_OID ((gss_OID) 0)
+   #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+   #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+   #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+   #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+   #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 81]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * Some alternate names for a couple of the above
+    * values.  These are defined for V1 compatibility.
+    */
+   #define GSS_C_NULL_OID GSS_C_NO_OID
+   #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+   /*
+    * Define the default Quality of Protection for per-message
+    * services.  Note that an implementation that offers multiple
+    * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+    * (as done here) to mean "default protection", or to a specific
+    * explicit QOP value.  However, a value of 0 should always be
+    * interpreted by a GSSAPI implementation as a request for the
+    * default protection level.
+    */
+   #define GSS_C_QOP_DEFAULT 0
+
+   /*
+    * Expiration time of 2^32-1 seconds means infinite lifetime for a
+    * credential or security context
+    */
+   #define GSS_C_INDEFINITE 0xfffffffful
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x01"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+    * GSS_C_NT_USER_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_USER_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+    * The constant GSS_C_NT_MACHINE_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+   /*
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 82]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x03"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+    * The constant GSS_C_NT_STRING_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 2(gss-host-based-services)}.  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+    * corresponding to an object identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+    * and GSS_C_NT_ANONYMOUS should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+    * GSS_C_NT_EXPORT_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 83]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /* Major status codes */
+
+   #define GSS_S_COMPLETE 0
+
+   /*
+    * Some "helper" definitions to make the status code macros obvious.
+    */
+   #define GSS_C_CALLING_ERROR_OFFSET 24
+   #define GSS_C_ROUTINE_ERROR_OFFSET 16
+   #define GSS_C_SUPPLEMENTARY_OFFSET 0
+   #define GSS_C_CALLING_ERROR_MASK 0377ul
+   #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+   #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+   /*
+    * The macros that test status codes for error conditions.
+    * Note that the GSS_ERROR() macro has changed slightly from
+    * the V1 GSSAPI so that it now evaluates its argument
+    * only once.
+    */
+   #define GSS_CALLING_ERROR(x) \
+     (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+   #define GSS_ROUTINE_ERROR(x) \
+     (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+   #define GSS_SUPPLEMENTARY_INFO(x) \
+     (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+   #define GSS_ERROR(x) \
+     (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+           (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+
+   /*
+    * Now the actual status code definitions
+    */
+
+   /*
+    * Calling errors:
+    */
+   #define GSS_S_CALL_INACCESSIBLE_READ \
+                                (1ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_INACCESSIBLE_WRITE \
+                                (2ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_BAD_STRUCTURE \
+                                (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+   /*
+    * Routine errors:
+    */
+   #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 84]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_MIC GSS_S_BAD_SIG
+   #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+   /*
+    * Supplementary info bits:
+    */
+   #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+   #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+   #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+   #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+   #define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+
+   /*
+    * Finally, function prototypes for the GSS-API routines.
+    */
+
+   OM_uint32 gss_acquire_cred
+              (OM_uint32 *,             /*  minor_status */
+               const gss_name_t,        /* desired_name */
+               OM_uint32,               /* time_req */
+               const gss_OID_set,       /* desired_mechs */
+               gss_cred_usage_t,        /* cred_usage */
+               gss_cred_id_t *,         /* output_cred_handle */
+               gss_OID_set *,           /* actual_mechs */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_release_cred
+              (OM_uint32 *,             /* minor_status */
+               gss_cred_id_t *          /* cred_handle */
+              );
+
+   OM_uint32 gss_init_sec_context
+              (OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* initiator_cred_handle */
+               gss_ctx_id_t *,          /* context_handle */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 85]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               const gss_name_t,        /* target_name */
+               const gss_OID,           /* mech_type */
+               OM_uint32,               /* req_flags */
+               OM_uint32,               /* time_req */
+               const gss_channel_bindings_t,
+                                        /* input_chan_bindings */
+               const gss_buffer_t,      /* input_token */
+               gss_OID *,               /* actual_mech_type */
+               gss_buffer_t,            /* output_token */
+               OM_uint32 *,             /* ret_flags */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_accept_sec_context
+              (OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               const gss_cred_id_t,     /* acceptor_cred_handle */
+               const gss_buffer_t,      /* input_token_buffer */
+               const gss_channel_bindings_t,
+                                        /* input_chan_bindings */
+               gss_name_t *,            /* src_name */
+               gss_OID *,               /* mech_type */
+               gss_buffer_t,            /* output_token */
+               OM_uint32 *,             /* ret_flags */
+               OM_uint32 *,             /* time_rec */
+               gss_cred_id_t *          /* delegated_cred_handle */
+              );
+
+   OM_uint32 gss_process_context_token
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t       /* token_buffer */
+              );
+
+   OM_uint32 gss_delete_sec_context
+              (OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               gss_buffer_t             /* output_token */
+              );
+
+   OM_uint32 gss_context_time
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_get_mic
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               gss_qop_t,               /* qop_req */
+               const gss_buffer_t,      /* message_buffer */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 86]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               gss_buffer_t             /* message_token */
+              );
+
+
+   OM_uint32 gss_verify_mic
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t,      /* message_buffer */
+               const gss_buffer_t,      /* token_buffer */
+               gss_qop_t *              /* qop_state */
+              );
+
+   OM_uint32 gss_wrap
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               int,                     /* conf_req_flag */
+               gss_qop_t,               /* qop_req */
+               const gss_buffer_t,      /* input_message_buffer */
+               int *,                   /* conf_state */
+               gss_buffer_t             /* output_message_buffer */
+              );
+
+
+   OM_uint32 gss_unwrap
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t,      /* input_message_buffer */
+               gss_buffer_t,            /* output_message_buffer */
+               int *,                   /* conf_state */
+               gss_qop_t *              /* qop_state */
+              );
+
+
+
+   OM_uint32 gss_display_status
+              (OM_uint32 *,             /* minor_status */
+               OM_uint32,               /* status_value */
+               int,                     /* status_type */
+               const gss_OID,           /* mech_type */
+               OM_uint32 *,             /* message_context */
+               gss_buffer_t             /* status_string */
+              );
+
+   OM_uint32 gss_indicate_mechs
+              (OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* mech_set */
+              );
+
+   OM_uint32 gss_compare_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* name1 */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 87]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               const gss_name_t,        /* name2 */
+               int *                    /* name_equal */
+              );
+
+   OM_uint32 gss_display_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_buffer_t,            /* output_name_buffer */
+               gss_OID *                /* output_name_type */
+              );
+
+   OM_uint32 gss_import_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_buffer_t,      /* input_name_buffer */
+               const gss_OID,           /* input_name_type */
+               gss_name_t *             /* output_name */
+              );
+
+   OM_uint32 gss_export_name
+              (OM_uint32  *,            /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_buffer_t             /* exported_name */
+              );
+
+   OM_uint32 gss_release_name
+              (OM_uint32 *,             /* minor_status */
+               gss_name_t *             /* input_name */
+              );
+
+   OM_uint32 gss_release_buffer
+              (OM_uint32 *,             /* minor_status */
+               gss_buffer_t             /* buffer */
+              );
+
+   OM_uint32 gss_release_oid_set
+              (OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* set */
+              );
+
+   OM_uint32 gss_inquire_cred
+              (OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* cred_handle */
+               gss_name_t *,            /* name */
+               OM_uint32 *,             /* lifetime */
+               gss_cred_usage_t *,      /* cred_usage */
+               gss_OID_set *            /* mechanisms */
+              );
+
+   OM_uint32 gss_inquire_context (
+               OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 88]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               gss_name_t *,            /* src_name */
+               gss_name_t *,            /* targ_name */
+               OM_uint32 *,             /* lifetime_rec */
+               gss_OID *,               /* mech_type */
+               OM_uint32 *,             /* ctx_flags */
+               int *,                   /* locally_initiated */
+               int *                    /* open */
+              );
+
+   OM_uint32 gss_wrap_size_limit (
+               OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               int,                     /* conf_req_flag */
+               gss_qop_t,               /* qop_req */
+               OM_uint32,               /* req_output_size */
+               OM_uint32 *              /* max_input_size */
+              );
+
+
+   OM_uint32 gss_add_cred (
+               OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* input_cred_handle */
+               const gss_name_t,        /* desired_name */
+               const gss_OID,           /* desired_mech */
+               gss_cred_usage_t,        /* cred_usage */
+               OM_uint32,               /* initiator_time_req */
+               OM_uint32,               /* acceptor_time_req */
+               gss_cred_id_t *,         /* output_cred_handle */
+               gss_OID_set *,           /* actual_mechs */
+               OM_uint32 *,             /* initiator_time_rec */
+               OM_uint32 *              /* acceptor_time_rec */
+              );
+
+
+   OM_uint32 gss_inquire_cred_by_mech (
+               OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* cred_handle */
+               const gss_OID,           /* mech_type */
+               gss_name_t *,            /* name */
+               OM_uint32 *,             /* initiator_lifetime */
+               OM_uint32 *,             /* acceptor_lifetime */
+               gss_cred_usage_t *       /* cred_usage */
+              );
+
+   OM_uint32 gss_export_sec_context (
+               OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               gss_buffer_t             /* interprocess_token */
+              );
+
+   OM_uint32 gss_import_sec_context (
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 89]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               OM_uint32 *,             /* minor_status */
+               const gss_buffer_t,      /* interprocess_token */
+               gss_ctx_id_t *           /* context_handle */
+              );
+
+   OM_uint32 gss_create_empty_oid_set (
+               OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* oid_set */
+              );
+
+   OM_uint32 gss_add_oid_set_member (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* member_oid */
+               gss_OID_set *            /* oid_set */
+              );
+
+   OM_uint32 gss_test_oid_set_member (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* member */
+               const gss_OID_set,       /* set */
+               int *                    /* present */
+              );
+
+   OM_uint32 gss_inquire_names_for_mech (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* mechanism */
+               gss_OID_set *            /* name_types */
+              );
+
+   OM_uint32 gss_inquire_mechs_for_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_OID_set *            /* mech_types */
+              );
+
+   OM_uint32 gss_canonicalize_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               const gss_OID,           /* mech_type */
+               gss_name_t *             /* output_name */
+              );
+
+   OM_uint32 gss_duplicate_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* src_name */
+               gss_name_t *             /* dest_name */
+              );
+
+   /*
+    * The following routines are obsolete variants of gss_get_mic,
+    * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 90]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    * provided by GSSAPI V2 implementations for backwards
+    * compatibility with V1 applications.  Distinct entrypoints
+    * (as opposed to #defines) should be provided, both to allow
+    * GSSAPI V1 applications to link against GSSAPI V2 implementations,
+    * and to retain the slight parameter type differences between the
+    * obsolete versions of these routines and their current forms.
+    */
+
+   OM_uint32 gss_sign
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               int,                /* qop_req */
+               gss_buffer_t,       /* message_buffer */
+               gss_buffer_t        /* message_token */
+              );
+
+
+   OM_uint32 gss_verify
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               gss_buffer_t,       /* message_buffer */
+               gss_buffer_t,       /* token_buffer */
+               int *               /* qop_state */
+              );
+
+   OM_uint32 gss_seal
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               int,                /* conf_req_flag */
+               int,                /* qop_req */
+               gss_buffer_t,       /* input_message_buffer */
+               int *,              /* conf_state */
+               gss_buffer_t        /* output_message_buffer */
+              );
+
+
+   OM_uint32 gss_unseal
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               gss_buffer_t,       /* input_message_buffer */
+               gss_buffer_t,       /* output_message_buffer */
+               int *,              /* conf_state */
+               int *               /* qop_state */
+              );
+
+
+
+
+   #endif /* GSSAPI_H_ */
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 91]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   APPENDIX B. Additional constraints for application binary portability
+
+   The purpose of this C-bindings document is to encourage source-level
+   portability of applications across GSS-API implementations on different
+   platforms and atop different mechanisms.  Additional goals that have not
+   been explicitly addressed by this document are link-time and run-time
+   portability.
+
+   Link-time portability provides the ability to compile an application
+   against one implementation of GSS-API, and then link it against a
+   different implementation on the same platform.  It is a stricter
+   requirement than source-level portability.
+
+   Run-time portability differs from link-time portability only on those
+   platforms that implement dynamically loadable GSS-API implementations,
+   but do not offer load-time symbol resolution.  On such platforms, run-
+   time portability is a stricter requirement than link-time portability,
+   and will typically include the precise placement of the various GSS-API
+   routines within library entrypoint vectors.
+
+   Individual platforms will impose their own rules that must be followed
+   to achieve link-time (and run-time, if different) portability.  In order
+   to ensure either form of binary portability, an ABI specification must
+   be written for GSS-API implementations on that platform.  However, it is
+   recognized that there are some issues that are likely to be common to
+   all such ABI specifications. This appendix is intended to be a
+   repository for such common issues, and contains some suggestions that
+   individual ABI specifications may choose to reference.  Since machine
+   architectures vary greatly, it may not be possible or desirable to
+   follow these suggestions on all platforms.
+
+   B.1.  Pointers
+
+   While ANSI-C provides a single pointer type for each declared type, plus
+   a single (void *) type, some platforms (notably those using segmented
+   memory architectures) augment this with various modified pointer types
+   (e.g. far pointers, near pointers).  These language bindings assume
+   ANSI-C, and thus do not address such non-standard implementations.
+   GSS-API implementations for such platforms must choose an appropriate
+   memory model, and should use it consistently throughout.  For example,
+   if a memory model is chosen that requires the use of far pointers when
+   passing routine parameters, then far pointers should also be used within
+   the structures defined by GSS-API.
+
+   B.2.  Internal structure alignment
+
+   GSS-API defines several data-structures containing differently-sized
+   fields.  An ABI specification should include a detailed description of
+   how the fields of such structures are aligned, and if there is any
+   internal padding in these data structures.  The use of compiler defaults
+   for the platform is recommended.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 92]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   B.3.  Handle types
+
+   The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types
+   should be implemented as either pointer or arithmetic types, and that if
+   pointer types are used, care should be taken to ensure that two handles
+   may be compared with the == operator.  Note that ANSI-C does not
+   guarantee that two pointer values may be compared with the == operator
+   unless either the two pointers point to members of a single array, or at
+   least one of the pointers contains a NULL value.
+
+   For binary portability, additional constraints are required.  The
+   following is an attempt at defining platform-independent constraints.
+
+     (a) The size of the handle type must be the same as sizeof(void *),
+         using the appropriate memory model.
+
+     (b) The == operator for the chosen type must be a simple bit-wise
+         comparison.  That is, for two in-memory handle objects h1 and h2,
+         the boolean value of the expression
+
+              (h1 == h2)
+
+         should always be the same as the boolean value of the expression
+
+              (memcmp(&h1, &h2, sizeof(h1)) == 0)
+
+     (c) The actual use of the type (void *) for handle types is
+         discouraged, not for binary portability reasons, but since it
+         effectively disables much of the compile-time type-checking that
+         the compiler can otherwise perform, and is therefore not
+         "programmer-friendly".  If a pointer implementation is desired,
+         and if the platform's implementation of pointers permits, the
+         handles should be implemented as pointers to distinct
+         implementation-defined types.
+
+   B.4.  The gss_name_t type
+
+   The gss_name_t type, representing the internal name object, should be
+   implemented as a pointer type.  The use of the (void *) type is
+   discouraged as it does not allow the compiler to perform strong type-
+   checking.  However, the pointer type chosen should be of the same size
+   as the (void *) type.  Provided this rule is obeyed, ABI specifications
+   need not further constrain the implementation of gss_name_t objects.
+
+   B.5.  The int and size_t types
+
+   Some platforms may support differently sized implementations of the
+   "int" and "size_t" types, perhaps chosen through compiler switches, and
+   perhaps dependent on memory model.  An ABI specification for such a
+   platform should include required implementations for these types. It is
+   recommended that the default implementation (for the chosen memory
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 93]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   model, if appropriate) is chosen.
+
+   B.6.  Procedure-calling conventions
+
+   Some platforms support a variety of different binary conventions for
+   calling procedures.  Such conventions cover things like the format of
+   the stack frame, the order in which the routine parameters are pushed
+   onto the stack, whether or not a parameter count is pushed onto the
+   stack, whether some argument(s) or return values are to be passed in
+   registers, and whether the called routine or the caller is responsible
+   for removing the stack frame on return.  For such platforms, an ABI
+   specification should specify which calling convention is to be used for
+   GSSAPI implementations.
+
+
+   REFERENCES
+
+   [GSSAPI]    J. Linn, "Generic Security Service Application Program
+               Interface, Version 2", Internet-Draft draft-ietf-cat-gssv2-
+               08, 26 August 1996.  (This Internet-Draft, like all other
+               Internet-Drafts, is not an archival document and is subject
+               to change or deletion.  It is available at the time of this
+               writing by anonymous ftp from ds.internic.net, directory
+               internet-drafts. Would-be readers should check for successor
+               Internet-Draft versions or Internet RFCs before relying on
+               this document.)
+
+   [XOM]       OSI Object Management API Specification, Version 2.0 t",
+               X.400 API Association & X/Open Company Limited, August 24,
+               1990.  Specification of datatypes and routines for
+               manipulating information objects.
+
+
+   AUTHOR'S ADDRESS
+
+   John Wray                       Internet email: Wray@tuxedo.enet.dec.com
+   Digital Equipment Corporation                 Telephone: +1-508-486-5210
+   550 King Street, LKG2-2/Z7
+   Littleton, MA  01460
+   USA
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 94]
+
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
new file mode 100644
index 0000000..e235bec
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
@@ -0,0 +1,311 @@
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-chg-password-02.txt>                Stonecast, Inc.
+Internet-Draft                                              August, 1998
+
+                   Kerberos Change Password Protocol
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ftp.ietf.org (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   The Kerberos V5 protocol [RFC1510] does not describe any mechanism
+   for users to change their own passwords.  In order to promote
+   interoperability between workstations, personal computers, terminal
+   servers, routers, and KDC's from multiple vendors, a common password
+   changing protocol is required.
+
+
+
+Overview
+
+   When a user wishes to change his own password, or is required to by
+   local policy, a simple request of a password changing service is
+   necessary.  This service must be implemented on at least one host for
+   each Kerberos realm, probably on one of the kdc's for that realm.
+   The service must accept requests on UDP port 464 (kpasswd), and may
+   accept requests on TCP port 464 as well.
+
+   The protocol itself consists of a single request message followed by
+   a single reply message.  For UDP transport, each message must be
+   fully contained in a single UDP packet.
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   message length (16 bits)
+      Contains the length of the message, including this field, in bytes
+      (big-endian integer)
+   protocol version number (16 bits)
+      Contains the hex constant 0x0001 (big-endian integer)
+   AP-REQ length (16 bits)
+      length (big-endian integer) of AP-REQ data, in bytes.
+   AP-REQ data, as described in RFC1510 (variable length)
+      This AP-REQ must be for the service principal
+      kadmin/changepw@REALM, where REALM is the REALM of the user who
+      wishes to change his password.  The Ticket in the AP-REQ must be
+      derived from an AS request (thus having the INITIAL flag set), and
+      must include a subkey in the Authenticator.
+   KRB-PRIV message, as described in RFC1510 (variable length)
+      This KRB-PRIV message must be generated using the subkey in the
+      Authenticator in the AP-REQ data.  The user-data component of the
+      message must consist of the user's new password.
+
+   The server must verify the AP-REQ message, decrypt the new password,
+   perform any local policy checks (such as password quality, history,
+   authorization, etc.) required, then set the password to the new value
+   specified.
+
+   The principal whose password is to be changed is the principal which
+   authenticated to the password changing service.  This protocol does
+   not address administrators who want to change passwords of principal
+   besides their own.
+
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                KRB-PRIV or KRB-ERROR message                  /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   message length (16 bits)
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+      Contains the length of the message, including this field, in bytes
+      (big-endian integer),
+   protocol version number (16 bits)
+      Contains the hex constant 0x0001 (big-endian integer)
+   AP-REP length (16 bits)
+      length of AP-REP data, in bytes.  If the the length is zero, then
+      the last field will contain a KRB-ERROR message instead of a KRB-
+      PRIV message.
+   AP-REP data, as described in RFC1510 (variable length)
+      The AP-REP corresponding to the AP-REQ in the request packet.
+   KRB-PRIV or KRB-ERROR message, as described in RFC1510 (variable
+      length)
+      If the AP-REP length is zero, then this field contains a KRB-ERROR
+      message.  Otherwise, it contains a KRB-PRIV message.  This KRB-
+      PRIV message must be generated using the subkey in the
+      Authenticator in the AP-REQ data.
+
+      The user-data component of the KRB-PRIV message, or e-data
+      component of the KRB-ERROR message, must consist of the following
+      data:
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits)
+         The result code must have one of the following values (big-
+         endian integer):
+         0x0000 if the request succeeds.  (This value is not permitted
+            in a KRB-ERROR message.)
+         0x0001 if the request fails due to being malformed
+         0x0002 if the request fails due to a "hard" error processing
+            the request (for example, there is a resource or other
+            problem causing the request to fail)
+         0x0003 if the request fails due to an error in authentication
+            processing
+         0x0004 if the request fails due to a "soft" error processing
+            the request (for example, some policy or other similar
+            consideration is causing the request to be rejected).
+         0xFFFF if the request fails for some other reason.
+         Although only a few non-zero result codes are specified here,
+         the client should accept any non-zero result code as indicating
+         failure.
+      result string (variable length)
+         This field should contain information which the server thinks
+         might be useful to the user, such as feedback about policy
+         failures.  The string must be encoded in UTF-8.  It may be
+         omitted if the server does not wish to include it.  If it is
+         present, the client should display the string to the user.
+         This field is analogous to the string which follows the numeric
+         code in SMTP, FTP, and similar protocols.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Dropped and Modified Messages
+
+   An attacker (or simply a lossy network) could cause either the
+   request or reply to be dropped, or modified by substituting a KRB-
+   ERROR message in the reply.
+
+   If a request is dropped, no modification of the password/key database
+   will take place.  If a reply is dropped, the server will (assuming a
+   valid request) make the password change.  However, the client cannot
+   distinguish between these two cases.
+
+   In this situation, the client should construct a new authenticator,
+   re-encrypt the request, and retransmit.  If the original request was
+   lost, the server will treat this as a valid request, and the password
+   will be changed normally.  If the reply was lost, then the server
+   should take care to notice that the request was a duplicate of the
+   prior request, because the "new" password is the current password,
+   and the password change time is within some implementation-defined
+   replay time window.  The server should then return a success reply
+   (an AP-REP message with result code == 0x0000) without actually
+   changing the password or any other information (such as modification
+   timestamps).
+
+   If a success reply was replaced with an error reply, then the
+   application performing the request would return an error to the user.
+   In this state, the user's password has been changed, but the user
+   believes that it has not.  If the user attempts to change the
+   password again, this will probably fail, because the user cannot
+   successfully provide the old password to get an INITIAL ticket to
+   make the request.  This situation requires administrative
+   intervention as if a password was lost.  This situation is,
+   unfortunately, impossible to prevent.
+
+
+Security Considerations
+
+   This document deals with changing passwords for Kerberos.  Because
+   Kerberos is used for authentication and key distribution, it is
+   important that this protocol use the highest level of security
+   services available to a particular installation.  Mutual
+   authentication is performed, so that the server knows the request is
+   valid, and the client knows that the request has been received and
+   processed by the server.
+
+   There are also security issues relating to dropped or modified
+   messages which are addressed explicitly.
+
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+      Authentication Service (V5)", RFC 1510, September 1993.
+
+
+
+
+
+Horowitz                                                        [Page 4]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Author's Address
+
+   Marc Horowitz
+   Stonecast, Inc.
+   108 Stow Road
+   Harvard, MA 01451
+
+   Phone: +1 978 456 9103
+   Email: marc@stonecast.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 5]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt
new file mode 100644
index 0000000..2583a84
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt
@@ -0,0 +1,127 @@
+
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-des3-hmac-sha1-00.txt>             Cygnus Solutions
+Internet-Draft                                            November, 1996
+
+
+           Triple DES with HMAC-SHA1 Kerberos Encryption Type
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document defines a new encryption type and a new checksum type
+   for use with Kerberos V5 [RFC1510].  This encryption type is based on
+   the Triple DES cryptosystem and the HMAC-SHA1 [Krawczyk96] message
+   authentication algorithm.
+
+   The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+   The hmac-sha1-des3 checksum type has been assigned the value 12.
+
+
+Encryption Type des3-cbc-hmac-sha1
+
+   EncryptedData using this type must be generated as described in
+   [Horowitz96].  The encryption algorithm is Triple DES in Outer-CBC
+   mode.  The keyed hash algorithm is HMAC-SHA1.  Unless otherwise
+   specified, a zero IV must be used.  If the length of the input data
+   is not a multiple of the block size, zero octets must be used to pad
+   the plaintext to the next eight-octet boundary.  The counfounder must
+   be eight random octets (one block).
+
+
+Checksum Type hmac-sha1-des3
+
+   Checksums using this type must be generated as described in
+   [Horowitz96].  The keyed hash algorithm is HMAC-SHA1.
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft     Kerberos Triple DES with HMAC-SHA1     November, 1996
+
+
+Common Requirements
+
+   Where the Triple DES key is represented as an EncryptionKey, it shall
+   be represented as three DES keys, with parity bits, concatenated
+   together.  The key shall be represented with the most significant bit
+   first.
+
+   When keys are generated by the derivation function, a key length of
+   168 bits shall be used.  The output bit string will be converted to a
+   valid Triple DES key by inserting DES parity bits after every seventh
+   bit.
+
+   Any implementation which implements either of the encryption or
+   checksum types in this document must support both.
+
+
+Security Considerations
+
+   This entire document defines encryption and checksum types for use
+   with Kerberos V5.
+
+
+References
+
+   [Horowitz96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+      horowitz-kerb-key-derivation-00.txt, November 1996.
+   [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+      Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+      md5-01.txt, August, 1996.
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+      Authentication Service (V5)", RFC 1510, September 1993.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 2]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt
new file mode 100644
index 0000000..46a4158
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt
@@ -0,0 +1,250 @@
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-key-derivation-00.txt>             Cygnus Solutions
+Internet-Draft                                            November, 1996
+
+
+                     Key Derivation for Kerberos V5
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   In the Kerberos protocol [RFC1510], cryptographic keys are used in a
+   number of places.  In order to minimize the effect of compromising a
+   key, it is desirable to use a different key for each of these places.
+   Key derivation [Horowitz96] can be used to construct different keys
+   for each operation from the keys transported on the network.  For
+   this to be possible, a small change to the specification is
+   necessary.
+
+
+Overview
+
+   Under RFC1510 as stated, key derivation could be specified as a set
+   of encryption types which share the same key type.  The constant for
+   each derivation would be a function of the encryption type.  However,
+   it is generally accepted that, for interoperability, key types and
+   encryption types must map one-to-one onto each other.  (RFC 1510 is
+   being revised to address this issue.)  Therefore, to use key
+   derivcation with Kerberos V5 requires a small change to the
+   specification.
+
+   For each place where a key is used in Kerberos, a ``key usage'' must
+   be specified for that purpose.  The key, key usage, and
+   encryption/checksum type together describe the transformation from
+   plaintext to ciphertext, or plaintext to checksum.  For backward
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+   compatibility, old encryption types would be defined independently of
+   the key usage.
+
+
+Key Usage Values
+
+   This is a complete list of places keys are used in the kerberos
+   protocol, with key usage values and RFC 1510 section numbers:
+
+      1.  AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+          client key (section 5.4.1)
+      2.  AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+          application session key), encrypted with the service key
+          (section 5.4.2)
+      3.  AS-REP encrypted part (includes tgs session key or application
+          session key), encrypted with the client key (section 5.4.2)
+
+      4.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          session key (section 5.4.1)
+      5.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1)
+      6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+          with the tgs session key (sections 5.3.2, 5.4.1)
+      7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+          authenticator subkey), encrypted with the tgs session key
+          (section 5.3.2)
+      8.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs session key (section 5.4.2)
+      9.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs authenticator subkey (section 5.4.2)
+
+      10. AP-REQ Authenticator cksum, keyed with the application session
+          key (section 5.3.2)
+      11. AP-REQ Authenticator (includes application authenticator
+          subkey), encrypted with the application session key (section
+          5.3.2)
+      12. AP-REP encrypted part (includes application session subkey),
+          encrypted with the application session key (section 5.5.2)
+
+      13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+          application (section 5.7.1)
+      14. KRB-CRED encrypted part, encrypted with a key chosen by the
+          application (section 5.6.1)
+      15. KRB-SAVE cksum, keyed with a key chosen by the application
+          (section 5.8.1)
+
+      16. Data which is defined in some specification outside of
+          Kerberos to be encrypted using an RFC1510 encryption type.
+      17. Data which is defined in some specification outside of
+          Kerberos to be checksummed using an RFC1510 checksum type.
+
+   A few of these key usages need a little clarification.  A service
+   which receives an AP-REQ has no way to know if the enclosed Ticket
+   was part of an AS-REP or TGS-REP.  Therefore, key usage 2 must always
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+   be used for generating a Ticket, whether it is in response to an AS-
+   REQ or TGS-REQ.
+
+   There might exist other documents which define protocols in terms of
+   the RFC1510 encryption types or checksum types.  Such documents would
+   not know about key usages.  In order that these documents continue to
+   be meaningful until they are updated, key usages 16 and 17 must be
+   used to derive keys for encryption and checksums, respectively.  New
+   protocols defined in terms of the Kerberos encryption and checksum
+   types should use their own key usages.  Key usages may be registered
+   with IANA to avoid conflicts.  Key usages shall be unsigned 32 bit
+   integers.  Zero is not permitted.
+
+
+Defining Cryptosystems Using Key Derivation
+
+   Kerberos requires that the ciphertext component of EncryptedData be
+   tamper-resistant as well as confidential.  This implies encryption
+   and integrity functions, which must each use their own separate keys.
+   So, for each key usage, two keys must be generated, one for
+   encryption (Ke), and one for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+   where the key usage is represented as a 32 bit integer in network
+   byte order.  The ciphertest must be generated from the plaintext as
+   follows:
+
+      ciphertext = E(Ke, confounder | length | plaintext | padding) |
+                   H(Ki, confounder | length | plaintext | padding)
+
+   The confounder and padding are specific to the encryption algorithm
+   E.
+
+   When generating a checksum only, there is no need for a confounder or
+   padding.  Again, a new key (Kc) must be used.  Checksums must be
+   generated from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, length | plaintext)
+
+   Note that each enctype is described by an encryption algorithm E and
+   a keyed hash algorithm H, and each checksum type is described by a
+   keyed hash algorithm H.  HMAC, with an appropriate hash, is
+   recommended for use as H.
+
+
+Security Considerations
+
+   This entire document addresses shortcomings in the use of
+   cryptographic keys in Kerberos V5.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+Acknowledgements
+
+   I would like to thank Uri Blumenthal, Sam Hartman, and Bill
+   Sommerfeld for their contributions to this document.
+
+
+References
+
+   [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+      Integrity, and Privacy", draft-horowitz-key-derivation-00.txt,
+      November 1996.  [RFC1510] Kohl, J. and Neuman, C., "The Kerberos
+      Network Authentication Service (V5)", RFC 1510, September 1993.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 4]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt
new file mode 100644
index 0000000..c5e4d05
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt
@@ -0,0 +1,252 @@
+
+INTERNET-DRAFT                                           Ari Medvinsky
+draft-ietf-cat-kerberos-err-msg-00.txt                        Matt Hur
+Updates: RFC 1510                                  Dominique Brezinski
+expires September 30, 1997                       CyberSafe Corporation
+                                                           Gene Tsudik
+                                                            Brian Tung
+                                                                   ISI
+
+Integrity Protection for the Kerberos Error Message
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-03.txt, and expires June xx, 1997.
+    Please send comments to the authors.
+
+1.  Abstract
+
+    The Kerberos error message, as defined in RFC 1510, is transmitted 
+    to the client without any integrity assurance.  Therefore, the 
+    client has no means to distinguish between a valid error message 
+    sent from the KDC and one sent by an attacker.  This draft describes 
+    a method for assuring the integrity of Kerberos error messages, and 
+    proposes a consistent format for the e-data field in the KRB_ERROR 
+    message.  This e-data format enables the storage of cryptographic 
+    checksums by providing an extensible mechanism for specifying e-data 
+    types.
+
+
+2.  Motivation      
+
+    In the Kerberos protocol [1], if an error occurs for AS_REQ,
+    TGS_REQ, or AP_REQ, a clear text error message is returned to the
+    client.  An attacker may exploit this vulnerability by sending a
+    false error message as a reply to any of the above requests.  For
+    example, an attacker may send the KDC_ERR_KEY_EXPIRED error message
+    in order to force a user to change their password in hope that the
+    new key will not be as strong as the current key, and thus, easier
+    to break.
+
+    Since false error messages may be utilized by an attacker, a
+    Kerberos client should have a means for determining how much trust
+    to place in a given error message.  The rest of this draft
+    describes a method for assuring the integrity of Kerberos error
+    messages.
+
+
+3.  Approach
+
+    We propose taking a cryptographic checksum over the entire KRB-ERROR
+    message.  This checksum would be returned as part of the error
+    message and would enable the client to verify the integrity of the
+    error message.  For interoperability reasons, no new fields are
+    added to the KRB-ERROR message.  Instead, the e-data field (see
+    figure 1) is utilized to carry the cryptographic checksum.
+
+
+3.1 Cryptographic checksums in error messages for AS_REQ,
+    TGS_REQ & AP_REQ
+
+    If an error occurs for the AS request, the only key that is
+    available to the KDC is the shared secret (the key derived from the
+    clients password) registered in the KDCs database.  The KDC will
+    use this key to sign the error message, if and only if, the client
+    already proved knowledge of the shared secret in the AS request
+    (e.g. via PA-ENC-TIMESTAMP in preauth data).  This policy is needed
+    to prevent an attacker from getting the KDC to send a signed error
+    message and then launching an off-line attack in order to obtain a
+    key of a given principal. 
+
+    If an error occurs for a TGS or an AP request, the server will use
+    the session key sealed in the clients ticket granting ticket to
+    compute the checksum over the error message.  If the checksum could
+    not be computed (e.g. error while decrypting the ticket) the error
+    message is returned to the client without the checksum.  The client
+    then has the option to treat unprotected error messages differently.
+
+
+    KRB-ERROR ::=  [APPLICATION 30] SEQUENCE {
+            pvno       [0]  integer,
+            msg-type   [1]  integer,
+            ctime      [2]  KerberosTime OPTIONAL,
+            cusec      [3]  INTEGER OPTIONAL,
+            stime      [4]  KerberosTime,
+            susec      [5]  INTEGER,
+            error-code [6]  INTEGER, 
+            crealm     [7]  Realm OPTIONAL,
+            cname      [8]  PrincipalName OPTIONAL,
+            realm      [9]  Realm,         --Correct realm  
+            sname      [10] PrincipalName, --Correct name  
+            e-text     [11] GeneralString OPTIONAL,
+            e-data     [12] OCTET STRING OPTIONAL
+    }
+    Figure 1
+
+
+3.2 Format of the e-data field
+
+    We propose to place the cryptographic checksum in the e-data field.
+    First, we review the format of the e-data field, as specified in
+    RFC 1510.  The format of e-data is specified only in two cases [2].
+    "If the error code is KDC_ERR_PREAUTH_REQUIRED, then the e-data
+    field will contain an encoding of a sequence of padata fields":
+
+    METHOD-DATA ::=  SEQUENCE of PA-DATA
+    PA-DATA ::= SEQUENCE {
+                padata-type    [1] INTEGER,
+                padata-value   [2] OCTET STRING
+    }
+
+    The second case deals with the KRB_AP_ERR_METHOD error code.  The
+    e-data field will contain an encoding of the following sequence:
+
+    METHOD-DATA ::=  SEQUENCE {
+                     method-type    [0] INTEGER,
+                     method-data    [1] OCTET STRING OPTIONAL
+    }
+
+    method-type indicates the required alternate authentication method.
+
+    It should be noted that, in the case of KRB_AP_ERR_METHOD, a signed
+    checksum is not returned as part of the error message, since the
+    error code indicates that the Kerberos credentials provided in the
+    AP_REQ message are unacceptable.
+
+    We propose that the e-data field have the following format for all
+    error-codes (except KRB_AP_ERR_METHOD):
+
+    E-DATA ::=  SEQUENCE {
+                data-type    [1] INTEGER,
+                data-value   [2] OCTET STRING,
+    }
+
+    The data-type field specifies the type of information that is
+    carried in the data-value field.  Thus, to send a cryptographic
+    checksum back to the client, the data-type is set to CHECKSUM, the
+    data-value is set to the ASN.1 encoding of the following sequence:
+
+    Checksum  ::=  SEQUENCE {
+                   cksumtype  [0] INTEGER,
+                   checksum   [1] OCTET STRING
+    }
+
+
+3.3 Computing the checksum 
+
+    After the error message is filled out, the error structure is
+    converted into ASN.1 representation.  A cryptographic checksum is
+    then taken over the encoded error message; the result is placed in
+    the error message structure, as the last item in the e-data field.
+    To send the error message, ASN.1 encoding is again performed over
+    the error message, which now includes the cryptographic checksum.
+
+
+3.4 Verifying the integrity of the error message
+
+    In addition to verifying the cryptographic checksum for the error
+    message, the client must verify that the error message is bound to
+    its request.  This is done by comparing the ctime field in the
+    error message to its counterpart in the request message.
+
+
+4.  E-DATA types
+
+    Since the e-data types must not conflict with preauthentication data
+    types, we propose that the preauthentication data types in the range
+    of 2048 and above be reserved for use as e-data types.
+
+    We define the following e-data type in support of integrity checking
+    for the Kerberos error message:
+
+    CHECKSUM = 2048 -- the keyed checksum described above
+
+
+5.  Discussion
+
+
+5.1 e-data types
+
+    The extension for Kerberos error messages, as outlined above, is
+    extensible to allow for definition of other error data types. 
+    We propose that the following e-data types be reserved:
+
+    KDCTIME = 2049
+    The error data would consist of the KDCs time in KerberosTime.
+    This data would be used by the client to adjust for clock skew.
+
+    REDIRECT = 2050
+    The error data would consist of a hostname.  The hostname would
+    indicate the authoritative KDC from which to obtain a TGT.
+
+
+5.2 e-data types vs. error code specific data formats
+
+    Since RFC 1510 does not define an error data type, the data format
+    must be explicitly specified for each error code.  This draft has
+    proposed an extension to RFC 1510 that would introduce the concept
+    of error data types.  This would allow for a manageable set of data
+    types to be used for any error message.  The authors assume that
+    the introduction of this e-data structure will not break any
+    existing Kerberos implementations.
+
+
+6.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+        Service (V5).  Request for Comments: 1510
+    [2] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+        Service (V5).  Request for Comments: 1510 p.67
+
+
+7.  Authors
+
+    Ari Medvinsky       <ari.medvinsky@cybersafe.com>
+    Matthew Hur         <matt.hur@cybersafe.com>
+    Dominique Brezinski <dominique.brezinski@cybersafe.com>
+
+    CyberSafe Corporation 
+    1605 NW Sammamish Road
+    Suite 310
+    Issaquah, WA 98027-5378
+    Phone: (206) 391-6000
+    Fax:   (206) 391-0508
+    http:/www.cybersafe.com
+
+
+    Brian Tung  <brian@isi.edu>
+    Gene Tsudik <gts@isi.edu>
+
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: (310) 822-1511
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
new file mode 100644
index 0000000..4b193c5
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
@@ -0,0 +1,282 @@
+INTERNET-DRAFT                                              Brian Tung
+draft-ietf-cat-kerberos-pk-cross-01.txt                 Tatyana Ryutov
+Updates: RFC 1510                                      Clifford Neuman
+expires September 30, 1997                                 Gene Tsudik
+                                                                   ISI
+                                                       Bill Sommerfeld
+                                                       Hewlett-Packard
+                                                         Ari Medvinsky
+                                                           Matthew Hur
+                                                 CyberSafe Corporation
+
+
+    Public Key Cryptography for Cross-Realm Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as ``work in
+    progress.''
+
+    To learn the current status of any Internet-Draft, please check
+    the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-cross-01.txt, and expires September 30,
+    1997.  Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions to the Kerberos protocol
+    specification (RFC 1510, "The Kerberos Network Authentication
+    Service (V5)", September 1993) to provide a method for using
+    public key cryptography during cross-realm authentication.  The
+    methods defined here specify the way in which message exchanges
+    are to be used to transport cross-realm secret keys protected by
+    encryption under public keys certified as belonging to KDCs.
+
+
+2.  Motivation
+
+    The advantages provided by public key cryptography--ease of
+    recoverability in the event of a compromise, the possibility of
+    an autonomous authentication infrastructure, to name a few--have
+    produced a demand for use by Kerberos authentication protocol.  A
+    draft describing the use of public key cryptography in the initial
+    authentication exchange in Kerberos has already been submitted.
+    This draft describes its use in cross-realm authentication.
+
+    The principal advantage provided by public key cryptography in
+    cross-realm authentication lies in the ability to leverage the
+    existing public key infrastructure.  It frees the Kerberos realm
+    administrator from having to maintain separate keys for each other
+    realm with which it wishes to exchange authentication information,
+    or to utilize a hierarchical arrangement, which may pose problems
+    of trust.
+
+    Even with the multi-hop cross-realm authentication, there must be
+    some way to locate the path by which separate realms are to be
+    transited.  The current method, which makes use of the DNS-like
+    realm names typical to Kerberos, requires trust of the intermediate
+    KDCs.
+
+    The methods described in this draft allow a realm to specify, at
+    the time of authentication, which certification paths it will
+    trust.  A shared key for cross-realm authentication can be
+    established, for a period of time.  Furthermore, these methods are
+    transparent to the client, so that only the KDC's need to be
+    modified to use them.
+
+    It is not necessary to implement the changes described in the
+    "Public Key Cryptography for Initial Authentication" draft to make
+    use of the changes in this draft.  We solicit comments about the
+    interaction between the two protocol changes, but as of this
+    writing, the authors do not perceive any obstacles to using both.
+
+
+3.  Protocol Amendments
+
+    We assume that the user has already obtained a TGT.  To perform
+    cross-realm authentication, the user sends a request to the local
+    KDC as per RFC 1510.  If the two realms share a secret key, then
+    cross-realm authentication proceeds as usual.  Otherwise, the
+    local KDC may attempt to establish a shared key with the remote
+    KDC using public key cryptography, and exchange this key through
+    the cross-realm ticket granting ticket.
+
+    We will consider the specific channel on which the message
+    exchanges take place in Section 5 below.
+
+
+3.1.  Changes to the Cross-Realm Ticket Granting Ticket
+
+    In order to avoid the need for changes to the "installed base" of
+    Kerberos application clients and servers, the only protocol change
+    is to the way in which cross-realm ticket granting tickets (TGTs)
+    are encrypted; as these tickets are opaque to clients and servers,
+    the only change visible to them will be the increased size of the
+    tickets.
+
+    Cross-realm TGTs are granted by a local KDC to authenticate a user
+    to a remote KDC's ticket granting service.  In standard Kerberos,
+    they are encrypted using a shared secret key manually configured
+    into each KDC.
+
+    In order to incorporate public key cryptography, we define a new
+    encryption type, "ENCTYPE_PK_CROSS".  Operationally, this encryption
+    type transforms an OCTET STRING of plaintext (normally an EncTktPart)
+    into the following SEQUENCE:
+
+        PKCrossOutput ::= SEQUENCE {
+            certificate [0]     OCTET STRING OPTIONAL,
+                                    -- public key certificate
+                                    -- of local KDC
+            encSharedKey [1]    EncryptedData,
+                                    -- of type EncryptionKey
+                                    -- containing random symmetric key
+                                    -- encrypted using public key
+                                    -- of remote KDC
+            sigSharedKey [2]    Signature,
+                                    -- of encSharedKey
+                                    -- using signature key
+                                    -- of local KDC
+            pkEncData [3]       EncryptedData,
+                                    -- (normally) of type EncTktPart
+                                    -- encrypted using encryption key
+                                    -- found in encSharedKey
+        }
+
+    PKCROSS operates as follows: when a client submits a request for
+    cross-realm authentication, the local KDC checks to see if it has
+    a long-term shared key established for that realm.  If so, it uses
+    this key as per RFC 1510.
+
+    If not, it sends a request for information to the remote KDC.  The
+    content of this message is immaterial, as it does not need to be
+    processed by the remote KDC; for the sake of consistency, we define
+    it as follows:
+
+        RemoteRequest ::= [APPLICATION 41] SEQUENCE {
+            nonce [0]                   INTEGER
+        }
+
+    The remote KDC replies with a list of all trusted certifiers and
+    all its (the remote KDC's) certificates.  We note that this response
+    is universal and does not depend on which KDC makes the request:
+
+        RemoteReply ::= [APPLICATION 42] SEQUENCE {
+            trustedCertifiers [0]       SEQUENCE OF PrincipalName,
+            certificates[1]             SEQUENCE OF Certificate,
+            encTypeToUse [1]            SEQUENCE OF INTEGER
+                                            -- encryption types usable
+                                            -- for encrypting pkEncData
+        }
+
+        Certificate ::= SEQUENCE {
+            CertType                [0] INTEGER,
+                                        -- type of certificate
+                                        -- 1 = X.509v3 (DER encoding)
+                                        -- 2 = PGP (per PGP draft)
+            CertData                [1] OCTET STRING
+                                        -- actual certificate
+                                        -- type determined by CertType
+        } -- from pk-init draft
+
+    Upon receiving this reply, the local KDC determines whether it has
+    a certificate the remote KDC trusts, and whether the remote KDC has
+    a certificate the local KDC trusts.  If so, it issues a ticket
+    encrypted using the ENCTYPE_PK_CROSS encryption type defined above.
+
+
+3.2.  Profile Caches
+
+    We observe that using PKCROSS as specified above requires two
+    private key operations: a signature generation by the local KDC and
+    a decryption by the remote KDC.  This cost can be reduced in the
+    long term by judicious caching of the encSharedKey and the
+    sigSharedKey.
+
+    Let us define a "profile" as the encSharedKey and sigSharedKey, in
+    conjunction with the associated remote realm name and decrypted
+    shared key (the key encrypted in the encSharedKey).
+
+    To optimize these interactions, each KDC maintains two caches, one
+    for outbound profiles and one for inbound profiles.  When generating
+    an outbound TGT for another realm, the local KDC first checks to see
+    if the corresponding entry exists in the outbound profile cache; if
+    so, it uses its contents to form the first three fields of the
+    PKCrossOutput; the shared key is used to encrypt the data for the
+    fourth field.  If not, the components are generated fresh and stored
+    in the outbound profile cache.
+
+    Upon receipt of the TGT, the remote realm checks its inbound profile
+    cache for the corresponding entry.  If it exists, then it uses the
+    contents of the entry to decrypt the data encrypted in the pkEncData.
+    If not, then it goes through the full process of verifying and
+    extracting the shared key; if this is successful, then a new entry
+    is created in the inbound profile cache.
+
+    The inbound profile cache should support multiple entries per realm,
+    in the event that the initiating realm is replicated.
+
+
+4.  Finding Realms Supporting PKCROSS
+
+    If either the local realm or the destination realm does not support
+    PKCROSS, or both do not, the mechanism specified in Section 3 can
+    still be used in obtaining the desired remote TGT.
+
+    In the reference Kerberos implementations, the default behavior is
+    to traverse a path up and down the realm name hierarchy, if the
+    two realms do not share a key.  There is, however, the possibility
+    of using cross links--i.e., keys shared between two realms that
+    are non-contiguous in the realm name hierarchy--to shorten the
+    path, both to minimize delay and the number of intermediate realms
+    that need to be trusted.
+
+    PKCROSS can be used as a way to provide cross-links even in the
+    absence of shared keys.  If the client is aware that one or two
+    intermediate realms support PKCROSS, then a combination of
+    PKCROSS and conventional cross-realm authentication can be used
+    to reach the final destination realm.
+
+    We solicit discussion on the best methods for clients and KDCs to
+    determine or advertise support for PKCROSS.
+
+
+5.  Message Ports
+
+    We have not specified the port on which KDCs supporting PKCROSS
+    should listen to receive the request for information messages noted
+    above.  We solicit discussion on which port should be used.  We
+    propose to use the standard Kerberos ports (well-known 88 or 750),
+    but another possibility is to use a completely different port.
+
+    We also solicit discussion on what other approaches can be taken to
+    obtain the information in the RemoteReply (e.g., secure DNS or some
+    other repository).
+
+
+6.  Expiration Date
+
+    This Internet-Draft will expire on September 30, 1997.
+
+
+7.  Authors' Addresses
+
+    Brian Tung
+    Tatyana Ryutov
+    Clifford Neuman
+    Gene Tsudik
+    USC/Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey, CA 90292-6695
+    Phone: +1 310 822 1511
+    E-Mail: {brian, tryutov, bcn, gts}@isi.edu
+
+    Bill Sommerfeld
+    Hewlett Packard
+    300 Apollo Drive
+    Chelmsford MA 01824
+    Phone: +1 508 436 4352
+    E-Mail: sommerfeld@apollo.hp.com
+
+    Ari Medvinsky
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road Suite 310
+    Issaquah WA 98027-5378
+    Phone: +1 206 391 6000
+    E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
new file mode 100644
index 0000000..d91c087
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
@@ -0,0 +1,589 @@
+
+INTERNET-DRAFT                                         Clifford Neuman
+draft-ietf-cat-kerberos-pk-init-03.txt                      Brian Tung
+Updates: RFC 1510                                                  ISI
+expires September 30, 1997                                   John Wray
+                                         Digital Equipment Corporation
+                                                         Ari Medvinsky
+                                                           Matthew Hur
+                                                 CyberSafe Corporation
+                                                      Jonathan Trostle
+                                                                Novell
+
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-03.txt, and expires September 30,
+    1997.  Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to to associate a key pair with each realm, which
+    can then be used to facilitate cross-realm authentication; this is
+    the topic of another draft proposal.  Another way is to allow users
+    with public key certificates to use them in initial authentication.
+    This is the concern of the current document.
+
+    One of the guiding principles in the design of PKINIT is that
+    changes should be as minimal as possible.  As a result, the basic
+    mechanism of PKINIT is as follows:  The user sends a request to the
+    KDC as before, except that if that user is to use public key
+    cryptography in the initial authentication step, his certificate
+    accompanies the initial request, in the preauthentication fields.
+
+    Upon receipt of this request, the KDC verifies the certificate and
+    issues a ticket granting ticket (TGT) as before, except that instead
+    of being encrypted in the user's long-term key (which is derived
+    from a password), it is encrypted in a randomly-generated key.  This
+    random key is in turn encrypted using the public key certificate
+    that came with the request and signed using the KDC's signature key,
+    and accompanies the reply, in the preauthentication fields.
+
+    PKINIT also allows for users with only digital signature keys to
+    authenticate using those keys, and for users to store and retrieve
+    private keys on the KDC.
+
+    The PKINIT specification may also be used for direct peer to peer
+    authentication without contacting a central KDC. This application
+    of PKINIT is described in PKTAPP [4] and is based on concepts
+    introduced in [5, 6]. For direct client-to-server authentication,
+    the client uses PKINIT to authenticate to the end server (instead
+    of a central KDC), which then issues a ticket for itself.  This
+    approach has an advantage over SSL [7] in that the server does not
+    need to save state (cache session keys).  Furthermore, an
+    additional benefit is that Kerberos tickets can facilitate
+    delegation (see [8]).
+
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following changes to RFC 1510 are proposed:
+
+        --> Users may authenticate using either a public key pair or a
+            conventional (symmetric) key.  If public key cryptography is
+            used, public key data is transported in preauthentication
+            data fields to help establish identity.
+        --> Users may store private keys on the KDC for retrieval during
+            Kerberos initial authentication.
+
+    This proposal addresses two ways that users may use public key
+    cryptography for initial authentication.  Users may present public
+    key certificates, or they may generate their own session key,
+    signed by their digital signature key.  In either case, the end
+    result is that the user obtains an ordinary TGT that may be used for
+    subsequent authentication, with such authentication using only
+    conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 and 3.3 describe the extensions for the two initial
+    authentication methods.  Section 3.3 describes a way for the user to
+    store and retrieve his private key on the KDC.
+
+
+3.1.  Definitions
+
+    Hash and encryption types will be specified using ENCTYPE tags; we
+    propose the addition of the following types:
+
+        #define ENCTYPE_SIGN_DSA_GENERATE   0x0011
+        #define ENCTYPE_SIGN_DSA_VERIFY     0x0012
+        #define ENCTYPE_ENCRYPT_RSA_PRIV    0x0021
+        #define ENCTYPE_ENCRYPT_RSA_PUB     0x0022
+
+    allowing further signature types to be defined in the range 0x0011
+    through 0x001f, and further encryption types to be defined in the
+    range 0x0021 through 0x002f.
+
+    The extensions involve new preauthentication fields.  The
+    preauthentication data types are in the range 17 through 21.
+    These values are also specified along with their corresponding
+    ASN.1 definition.
+
+        #define PA-PK-AS-REQ                17
+        #define PA-PK-AS-REP                18
+        #define PA-PK-AS-SIGN               19
+        #define PA-PK-KEY-REQ               20
+        #define PA-PK-KEY-REP               21
+
+    The extensions also involve new error types.  The new error types
+    are in the range 227 through 229.  They are:
+
+        #define KDC_ERROR_CLIENT_NOT_TRUSTED    227
+        #define KDC_ERROR_KDC_NOT_TRUSTED       228
+        #define KDC_ERROR_INVALID_SIG           229
+
+    In the exposition below, we use the following terms: encryption key,
+    decryption key, signature key, verification key.  It should be
+    understood that encryption and verification keys are essentially
+    public keys, and decryption and signature keys are essentially
+    private keys.  The fact that they are logically distinct does
+    not preclude the assignment of bitwise identical keys.
+
+
+3.2.  Standard Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with pk-init.
+
+    It is assumed that all public keys are signed by some certification
+    authority (CA).  The initial authentication request is sent as per
+    RFC 1510, except that a preauthentication field containing data
+    signed by the user's signature key accompanies the request:
+
+    PA-PK-AS-REQ ::- SEQUENCE {
+                                -- PA TYPE 17
+        signedPKAuth            [0] SignedPKAuthenticator,
+        userCert                [1] SEQUENCE OF Certificate OPTIONAL,
+                                    -- the user's certificate
+                                    -- optionally followed by that
+                                    -- certificate's certifier chain
+        trustedCertifiers       [2] SEQUENCE OF PrincipalName OPTIONAL
+                                    -- CAs that the client trusts
+    }
+
+    SignedPKAuthenticator ::= SEQUENCE {
+        pkAuth                  [0] PKAuthenticator,
+        pkAuthSig               [1] Signature,
+                                    -- of pkAuth
+                                    -- using user's signature key
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        cusec                   [0] INTEGER,
+                                    -- for replay prevention
+        ctime                   [1] KerberosTime,
+                                    -- for replay prevention
+        nonce                   [2] INTEGER,
+                                    -- binds response to this request
+        kdcName                 [3] PrincipalName,
+        clientPubValue          [4] SubjectPublicKeyInfo OPTIONAL,
+                                    -- for Diffie-Hellman algorithm
+    }
+
+    Signature ::= SEQUENCE {
+        signedHash              [0] EncryptedData
+                                    -- of type Checksum
+                                    -- encrypted under signature key
+    }
+
+    Checksum ::=   SEQUENCE {
+        cksumtype               [0] INTEGER,
+        checksum                [1] OCTET STRING
+    }   -- as specified by RFC 1510
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm               [0] algorithmIdentifier,
+        subjectPublicKey        [1] BIT STRING
+    }   -- as specified by the X.509 recommendation [9]
+
+    Certificate ::= SEQUENCE {
+        CertType                [0] INTEGER,
+                                    -- type of certificate
+                                    -- 1 = X.509v3 (DER encoding)
+                                    -- 2 = PGP (per PGP draft)
+        CertData                [1] OCTET STRING
+                                    -- actual certificate
+                                    -- type determined by CertType
+    }
+
+    Note: If the signature uses RSA keys, then it is to be performed
+    as per PKCS #1.
+
+    The PKAuthenticator carries information to foil replay attacks,
+    to bind the request and response, and to optionally pass the
+    client's Diffie-Hellman public value (i.e. for using DSA in
+    combination with Diffie-Hellman).  The PKAuthenticator is signed
+    with the private key corresponding to the public key in the
+    certificate found in userCert (or cached by the KDC).
+
+    In the PKAuthenticator, the client may specify the KDC name in one
+    of two ways: 1) a Kerberos principal name, or 2) the name in the
+    KDC's certificate (e.g., an X.500 name, or a PGP name).  Note that
+    case #1 requires that the certificate name and the Kerberos principal
+    name be bound together (e.g., via an X.509v3 extension).
+
+    The userCert field is a sequence of certificates, the first of which
+    must be the user's public key certificate. Any subsequent
+    certificates will be certificates of the certifiers of the user's
+    certificate.  These cerificates may be used by the KDC to verify the
+    user's public key.  This field is empty if the KDC already has the
+    user's certifcate.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.  If the certification path does not match one of
+    the KDC's trusted certifiers, the KDC sends back an error message of
+    type KDC_ERROR_CLIENT_NOT_TRUSTED, and it includes in the error data
+    field a list of its own trusted certifiers, upon which the client
+    resends the request.
+
+    If  trustedCertifiers is provided in the PA-PK-AS-REQ, the KDC
+    verifies that it has a certificate issued by one of the certifiers
+    trusted by the client.  If it does not have a suitable certificate,
+    the KDC returns an error message of type KDC_ERROR_KDC_NOT_TRUSTED
+    to the client. 
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on PKAuthenticator.  If that fails, the KDC returns an
+    error message of type KDC_ERROR_INVALID_SIG.  Otherwise, the KDC
+    uses the timestamp in the PKAuthenticator to assure that the request
+    is not a replay.   The KDC also verifies that its name is specified
+    in PKAuthenticator.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except that it
+    encrypts the reply not with the user's key, but with a random key
+    generated only for this particular response.  This random key
+    is sealed in the preauthentication field:
+
+    PA-PK-AS-REP ::= SEQUENCE {
+                               -- PA TYPE 18
+        kdcCert                 [0] SEQUENCE OF Certificate OPTIONAL,
+                                    -- the KDC's certificate
+                                    -- optionally followed by that
+                                    -- certificate's certifier chain
+        encPaReply              [1] EncryptedData,
+                                    -- of type PaReply
+                                    -- using either the client public
+                                    -- key or the Diffie-Hellman key
+                                    -- specified by SignedDHPublicValue
+        signedDHPublicValue     [2] SignedDHPublicValue OPTIONAL
+    }
+
+
+    PaReply ::= SEQUENCE {
+        replyEncKeyPack         [0] ReplyEncKeyPack,
+        replyEncKeyPackSig      [1] Signature,
+                                    -- of replyEncKeyPack
+                                    -- using KDC's signature key
+    }
+
+    ReplyEncKeyPack ::= SEQUENCE {
+        replyEncKey             [0] EncryptionKey,
+                                    -- used to encrypt main reply
+        nonce                   [1] INTEGER
+                                    -- binds response to the request
+                                    -- passed in the PKAuthenticator
+    }
+
+    SignedDHPublicValue ::= SEQUENCE {
+        dhPublicValue           [0] SubjectPublicKeyInfo,
+        dhPublicValueSig        [1] Signature
+                                    -- of dhPublicValue
+                                    -- using KDC's signature key
+    }
+
+    The kdcCert field is a sequence of certificates, the first of which
+    must have as its root certifier one of the certifiers sent to the
+    KDC in the PA-PK-AS-REQ. Any subsequent certificates will be 
+    certificates of the certifiers of the KDC's certificate.  These
+    cerificates may be used by the client to verify the KDC's public
+    key.  This field is empty if the client did not send to the KDC a
+    list of trusted certifiers (the trustedCertifiers field was empty).
+    
+    Since each certifier in the certification path of a user's
+    certificate is essentially a separate realm, the name of each
+    certifier shall be added to the transited field of the ticket.  The
+    format of these realm names shall follow the naming constraints set
+    forth in RFC 1510 (sections 7.1 and 3.3.3.1).  Note that this will
+    require new nametypes to be defined for PGP certifiers and other
+    types of realms as they arise.
+
+    The KDC's certificate must bind the public key to a name derivable
+    from the name of the realm for that KDC.  The client then extracts
+    the random key used to encrypt the main reply.  This random key (in
+    encPaReply) is encrypted with either the client's public key or
+    with a key derived from the DH values exchanged between the client
+    and the KDC.
+
+
+3.3.  Digital Signature
+
+    Implementation of the changes in this section are OPTIONAL for
+    compliance with pk-init.
+
+    We offer this option with the warning that it requires the client to
+    generate a random key; the client may not be able to guarantee the
+    same level of randomness as the KDC.
+
+    If the user registered a digital signature key with the KDC instead
+    of an encryption key, then a separate exchange must be used.  The
+    client sends a request for a TGT as usual, except that it (rather
+    than the KDC) generates the random key that will be used to encrypt
+    the KDC response.  This key is sent to the KDC along with the
+    request in a preauthentication field:
+
+    PA-PK-AS-SIGN ::= SEQUENCE {
+                                -- PA TYPE 19
+        encSignedKeyPack        [0] EncryptedData
+                                    -- of SignedKeyPack
+                                    -- using the KDC's public key
+    }
+
+    SignedKeyPack ::= SEQUENCE {
+        signedKey               [0] KeyPack,
+        signedKeyAuth           [1] PKAuthenticator,
+        signedKeySig            [2] Signature
+                                    -- of signedKey.signedKeyAuth
+                                    -- using user's signature key
+    }
+
+    KeyPack ::= SEQUENCE {
+        randomKey               [0] EncryptionKey,
+                                    -- will be used to encrypt reply
+        nonce                   [1] INTEGER
+    }
+
+    where the nonce is copied from the request.
+
+    Upon receipt of the PA-PK-AS-SIGN, the KDC decrypts then verifies
+    the randomKey.  It then replies as per RFC 1510, except that the
+    reply is encrypted not with a password-derived user key, but with
+    the randomKey sent in the request.  Since the client already knows
+    this key, there is no need to accompany the reply with an extra
+    preauthentication field.  The transited field of the ticket should
+    specify the certification path as described in Section 3.2.
+
+
+3.4.  Retrieving the Private Key From the KDC
+
+    Implementation of the changes in this section is RECOMMENDED for
+    compliance with pk-init.
+
+    When the user's private key is not stored local to the user, he may
+    choose to store the private key (normally encrypted using a
+    password-derived key) on the KDC.  We provide this option to present
+    the user with an alternative to storing the private key on local
+    disk at each machine where he expects to authenticate himself using
+    pk-init.  It should be noted that it replaces the added risk of
+    long-term storage of the private key on possibly many workstations
+    with the added risk of storing the private key on the KDC in a
+    form vulnerable to brute-force attack.
+
+    In order to obtain a private key, the client includes a
+    preauthentication field with the AS-REQ message:
+
+    PA-PK-KEY-REQ ::= SEQUENCE {
+                                -- PA TYPE 20
+        patimestamp             [0] KerberosTime OPTIONAL, 
+                                    -- used to address replay attacks.
+        pausec                  [1] INTEGER OPTIONAL,
+                                    -- used to address replay attacks.
+        nonce                   [2] INTEGER,
+                                    -- binds the reply to this request
+        privkeyID               [3] SEQUENCE OF KeyID OPTIONAL
+                                    -- constructed as a hash of
+                                    -- public key corresponding to
+                                    -- desired private key
+    }
+
+    KeyID ::= SEQUENCE {
+        KeyIdentifier           [0] OCTET STRING
+    }
+
+    The client may request a specific private key by sending the
+    corresponding ID.  If this field is left empty, then all
+    private keys are returned.
+
+    If all checks out, the KDC responds as described in the above
+    sections, except that an additional preauthentication field,
+    containing the user's private key, accompanies the reply:
+
+    PA-PK-KEY-REP ::= SEQUENCE {
+                                -- PA TYPE 21
+        nonce                   [0] INTEGER,
+                                    -- binds the reply to the request
+        KeyData                 [1] SEQUENCE OF KeyPair
+    }
+
+    KeyPair ::= SEQUENCE {
+        privKeyID               [0] OCTET STRING,
+                                    -- corresponding to encPrivKey
+        encPrivKey              [1] OCTET STRING
+    }
+
+
+3.4.1.  Additional Protection of Retrieved Private Keys
+
+    We solicit discussion on the following proposal: that the client may
+    optionally include in its request additional data to encrypt the
+    private key, which is currently only protected by the user's
+    password.  One possibility is that the client might generate a
+    random string of bits, encrypt it with the public key of the KDC (as
+    in the SignedKeyPack, but with an ordinary OCTET STRING in place of
+    an EncryptionKey), and include this with the request.  The KDC then
+    XORs each returned key with this random bit string.  (If the bit
+    string is too short, the KDC could either return an error, or XOR
+    the returned key with a repetition of the bit string.)
+
+    In order to make this work, additional means of preauthentication
+    need to be devised in order to prevent attackers from simply
+    inserting their own bit string.  One way to do this is to store
+    a hash of the password-derived key (the one used to encrypt the
+    private key).  This hash is then used in turn to derive a second
+    key (called the hash-key); the hash-key is used to encrypt an ASN.1
+    structure containing the generated bit string and a nonce value
+    that binds it to the request.
+
+    Since the KDC possesses the hash, it can generate the hash-key and
+    verify this (weaker) preauthentication, and yet cannot reproduce
+    the private key itself, since the hash is a one-way function.
+
+
+4.  Logistics and Policy Issues
+
+    We solicit discussion on how clients and KDCs should be configured
+    in order to determine which of the options described above (if any)
+    should be used.  One possibility is to set the user's database
+    record to indicate that authentication is to use public key
+    cryptography; this will not work, however, in the event that the
+    client needs to know before making the initial request.
+
+5.  Compatibility with One-Time Passcodes
+
+    We solicit discussion on how the protocol changes proposed in this
+    draft will interact with the proposed use of one-time passcodes
+    discussed in draft-ietf-cat-kerberos-passwords-00.txt.
+
+
+6.  Strength of Cryptographic Schemes
+
+    In light of recent findings on the strength of MD5 and DES,
+    we solicit discussion on which encryption types to incorporate
+    into the protocol changes.
+
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+    Service (V5).  Request for Comments: 1510
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.
+    September 1994.
+
+    [3] A. Medvinsky, M. Hur.  Addition of Kerberos Cipher Suites to
+    Transport Layer Security (TLS).
+    draft-ietf-tls-kerb-cipher-suites-00.txt
+
+    [4] A. Medvinsky, M. Hur, B. Clifford Neuman.  Public Key Utilizing
+    Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-00.txt
+
+    [5] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos Using 
+    Public Key Cryptography.  Symposium On Network and Distributed System 
+    Security, 1997.
+
+    [6] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction 
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic Commerce,
+    July 1995.
+
+    [7] Alan O. Freier, Philip Karlton and Paul C. Kocher.
+    The SSL Protocol, Version 3.0 - IETF Draft. 
+
+    [8] B.C. Neuman, Proxy-Based Authorization and Accounting for 
+    Distributed Systems.  In Proceedings of the 13th International 
+    Conference on Distributed Computing Systems, May 1993
+
+    [9] ITU-T (formerly CCITT)
+    Information technology - Open Systems Interconnection -
+    The Directory: Authentication Framework Recommendation X.509
+    ISO/IEC 9594-8
+
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+
+9.  Expiration Date
+
+    This draft expires September 30, 1997.
+
+
+10.  Authors
+
+    Clifford Neuman
+    Brian Tung
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {bcn, brian}@isi.edu
+
+    John Wray
+    Digital Equipment Corporation
+    550 King Street, LKG2-2/Z7
+    Littleton, MA 01460
+    Phone: +1 508 486 5210
+    E-mail: wray@tuxedo.enet.dec.com
+
+    Ari Medvinsky
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road Suite 310
+    Issaquah WA 98027-5378
+    Phone: +1 206 391 6000
+    E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
+
+    Jonathan Trostle
+    Novell
+    E-mail: jonathan.trostle@novell.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
new file mode 100644
index 0000000..2284c3c
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
@@ -0,0 +1,8277 @@
+
+INTERNET-DRAFT                               Clifford Neuman
+                                                   John Kohl
+                                               Theodore Ts'o
+                                                11 July 1997
+
+
+
+     The Kerberos  Network Authentication Service (V5)
+
+
+STATUS OF THIS MEMO
+
+     This document is  an  Internet-Draft.   Internet-Drafts
+are working documents of the Internet Engineering Task Force
+(IETF), its areas, and its working groups.  Note that  other
+groups  may  also  distribute working documents as Internet-
+Drafts.
+
+     Internet-Drafts are draft documents valid for a maximum
+of  six months and may be updated, replaced, or obsoleted by
+other documents at any time.  It  is  inappropriate  to  use
+Internet-Drafts  as reference material or to cite them other
+than as "work in progress."
+
+     To learn the  current  status  of  any  Internet-Draft,
+please  check  the  "1id-abstracts.txt" listing contained in
+the Internet-Drafts Shadow  Directories  on  ds.internic.net
+(US  East  Coast),  nic.nordu.net  (Europe), ftp.isi.edu (US
+West Coast), or munnari.oz.au (Pacific Rim).
+
+     The distribution of this  memo  is  unlimited.   It  is
+filed  as  draft-ietf-cat-kerberos-revisions-00.txt,  and expires 
+11 January 1998.  Please send comments to:
+
+   krb-protocol@MIT.EDU
+
+ABSTRACT
+
+
+     This document provides an overview and specification of
+Version  5  of the Kerberos protocol, and updates RFC1510 to
+clarify aspects of the protocol and its  intended  use  that
+require  more  detailed or clearer explanation than was pro-
+vided in RFC1510.  This document is intended  to  provide  a
+detailed description of the protocol, suitable for implemen-
+tation, together with descriptions of the appropriate use of
+protocol messages and fields within those messages.
+
+     This document is not intended to describe  Kerberos  to
+__________________________
+Project Athena, Athena, and Kerberos are trademarks  of
+the  Massachusetts  Institute  of Technology (MIT).  No
+commercial use of these trademarks may be made  without
+prior written permission of MIT.
+
+
+
+Overview                   - 1 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  end  user,   system   administrator,   or   application
+developer.   Higher level papers describing Version 5 of the
+Kerberos system [1] and documenting  version  4   [23],  are
+available elsewhere.
+
+OVERVIEW
+
+     This INTERNET-DRAFT describes the  concepts  and  model
+upon  which  the  Kerberos  network authentication system is
+based.  It also specifies Version 5 of the  Kerberos  proto-
+col.
+
+     The  motivations,  goals,  assumptions,  and  rationale
+behind most design decisions are treated cursorily; they are
+more fully described in a paper available in IEEE communica-
+tions  [1] and earlier in the Kerberos portion of the Athena
+Technical Plan [2].  The  protocols  have  been  a  proposed
+standard  and are being considered for advancement for draft
+standard through the IETF standard  process.   Comments  are
+encouraged  on  the presentation, but only minor refinements
+to the protocol as implemented or extensions that fit within
+current protocol framework will be considered at this time.
+
+     Requests for addition to an electronic mailing list for
+discussion  of  Kerberos, kerberos@MIT.EDU, may be addressed
+to kerberos-request@MIT.EDU.  This mailing list is gatewayed
+onto   the  Usenet  as  the  group  comp.protocols.kerberos.
+Requests for further information,  including  documents  and
+code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+     The Kerberos model is based  in  part  on  Needham  and
+Schroeder's  trusted third-party authentication protocol [4]
+and on modifications suggested by  Denning  and  Sacco  [5].
+The  original design and implementation of Kerberos Versions
+1 through 4 was the work of two former Project Athena  staff
+members,  Steve  Miller of Digital Equipment Corporation and
+Clifford Neuman (now at the Information  Sciences  Institute
+of the University of Southern California), along with Jerome
+Saltzer, Technical Director of Project Athena,  and  Jeffrey
+Schiller, MIT Campus Network Manager.  Many other members of
+Project Athena have also contributed to  the  work  on  Ker-
+beros.
+
+     Version 5 of the Kerberos protocol (described  in  this
+document)  has  evolved from Version 4 based on new require-
+ments and desires for features not available in  Version  4.
+The  design of Version 5 of the Kerberos protocol was led by
+Clifford Neuman and John Kohl with much input from the  com-
+munity.  The development of the MIT reference implementation
+was led at MIT by John Kohl and Theodore T'so, with help and
+contributed  code  from  many others.  Reference implementa-
+tions of both version 4 and version 5 of Kerberos  are  pub-
+licly  available  and  commercial  implementations have been
+
+Overview                   - 2 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+developed and are widely used.
+
+     Details on the differences between Kerberos Versions  4
+and 5 can be found in [6].
+
+1.  Introduction
+
+     Kerberos provides a means of verifying  the  identities
+of principals, (e.g. a workstation user or a network server)
+on an open  (unprotected)  network.   This  is  accomplished
+without  relying on assertions by the host operating system,
+without basing trust on host  addresses,  without  requiring
+physical security of all the hosts on the network, and under
+the assumption that packets traveling along the network  can
+be read, modified, and inserted at will[1].   Kerberos  per-
+forms  authentication  under  these  conditions as a trusted
+third-party authentication  service  by  using  conventional
+(shared secret key[2])  cryptography.   Kerberos  extensions
+have  been proposed and implemented that provide for the use
+of public key cryptography  during  certain  phases  of  the
+authentication   protocol.   These  extensions  provide  for
+authentication of users registered with public key  certifi-
+cation  authorities, and allow the system to provide certain
+benefits of public key cryptography in situations where they
+are needed.
+
+     The basic Kerberos authentication process  proceeds  as
+follows:  A  client  sends  a  request to the authentication
+server (AS) requesting "credentials"  for  a  given  server.
+The  AS  responds  with  these credentials, encrypted in the
+client's key.  The credentials consist of 1) a "ticket"  for
+the server and 2) a temporary encryption key (often called a
+"session key").  The client transmits the ticket (which con-
+tains  the  client's identity and a copy of the session key,
+all encrypted in the server's key) to the server.  The  ses-
+sion  key  (now  shared by the client and server) is used to
+authenticate the client,  and  may  optionally  be  used  to
+__________________________
+[1] Note, however, that many applications use Kerberos'
+functions  only  upon  the initiation of a stream-based
+network connection.  Unless an application subsequently
+provides  integrity protection for the data stream, the
+identity verification applies only to the initiation of
+the  connection, and does not guarantee that subsequent
+messages on the  connection  originate  from  the  same
+principal.
+[2] Secret  and  private are often used interchangeably
+in the literature.  In our  usage,  it  takes  two  (or
+more)  to  share  a  secret, thus a shared DES key is a
+secret key.  Something is only private when no one  but
+its owner knows it.  Thus, in public key cryptosystems,
+one has a public and a private key.
+
+
+
+Section 1.                 - 3 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authenticate the server.  It may also  be  used  to  encrypt
+further communication between the two parties or to exchange
+a separate sub-session key to be  used  to  encrypt  further
+communication.
+
+     Implementation of the basic protocol consists of one or
+more  authentication  servers  running  on physically secure
+hosts.  The authentication servers maintain  a  database  of
+principals  (i.e., users and servers) and their secret keys.
+Code libraries provide encryption and implement the Kerberos
+protocol.   In  order  to add authentication to its transac-
+tions, a typical network application adds one or  two  calls
+to  the  Kerberos  library  directly  or through the Generic
+Security Services Application Programming Interface, GSSAPI,
+described  in  separate document.  These calls result in the
+transmission of the necessary messages to achieve  authenti-
+cation.
+
+     The Kerberos protocol consists of several sub-protocols
+(or  exchanges).   There  are  two  basic methods by which a
+client can ask a Kerberos server for  credentials.   In  the
+first  approach,  the client sends a cleartext request for a
+ticket for the desired server to the AS.  The reply is  sent
+encrypted  in the client's secret key.  Usually this request
+is for a ticket-granting ticket (TGT)  which  can  later  be
+used  with  the ticket-granting server (TGS).  In the second
+method, the client sends a request to the TGS.   The  client
+uses  the  TGT to authenticate itself to the TGS in the same
+manner as if it were contacting any other application server
+that   requires   Kerberos  authentication.   The  reply  is
+encrypted in the session key from the TGT.  Though the  pro-
+tocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different  pro-
+tocol entry points within a single Kerberos server.
+
+     Once obtained, credentials may be used  to  verify  the
+identity  of  the principals in a transaction, to ensure the
+integrity of messages exchanged between them, or to preserve
+privacy  of the messages.  The application is free to choose
+whatever protection may be necessary.
+
+     To verify the identities of the principals in  a  tran-
+saction,  the client transmits the ticket to the application
+server.  Since the ticket is sent "in the clear"  (parts  of
+it are encrypted, but this encryption doesn't thwart replay)
+and might be intercepted and reused by  an  attacker,  addi-
+tional  information  is  sent to prove that the message ori-
+ginated with the principal to whom the  ticket  was  issued.
+This  information (called the authenticator) is encrypted in
+the session key, and includes a  timestamp.   The  timestamp
+proves  that the message was recently generated and is not a
+replay.  Encrypting the authenticator  in  the  session  key
+proves  that it was generated by a party possessing the ses-
+sion key.  Since no one except the requesting principal  and
+
+
+Section 1.                 - 4 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  server  know the session key (it is never sent over the
+network in the clear) this guarantees the  identity  of  the
+client.
+
+     The integrity of the messages exchanged between princi-
+pals can also be guaranteed using the session key (passed in
+the ticket and contained in the credentials).  This approach
+provides detection of both replay attacks and message stream
+modification attacks.  It is accomplished by generating  and
+transmitting  a collision-proof checksum (elsewhere called a
+hash or digest function) of the client's message, keyed with
+the  session  key.   Privacy  and  integrity of the messages
+exchanged between principals can be  secured  by  encrypting
+the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+     The authentication exchanges  mentioned  above  require
+read-only  access to the Kerberos database.  Sometimes, how-
+ever, the entries in the database must be modified, such  as
+when  adding  new  principals or changing a principal's key.
+This is done using a protocol between a client and  a  third
+Kerberos  server, the Kerberos Administration Server (KADM).
+There is also a protocol for maintaining multiple copies  of
+the  Kerberos  database.   Neither  of  these  protocols are
+described in this document.
+
+1.1.  Cross-Realm Operation
+
+     The Kerberos protocol is  designed  to  operate  across
+organizational boundaries.  A client in one organization can
+be authenticated to a server in another.  Each  organization
+wishing  to  run  a  Kerberos  server  establishes  its  own
+"realm".  The name  of  the  realm  in  which  a  client  is
+registered  is part of the client's name, and can be used by
+the end-service to decide whether to honor a request.
+
+     By establishing "inter-realm" keys, the  administrators
+of  two realms can allow a client authenticated in the local
+realm to prove its identity to servers in  other  realms[3].
+The exchange of inter-realm keys (a separate key may be used
+for each direction) registers the ticket-granting service of
+each  realm  as a principal in the other realm.  A client is
+then able to obtain a ticket-granting ticket for the  remote
+realm's  ticket-granting service from its local realm.  When
+that ticket-granting ticket  is  used,  the  remote  ticket-
+granting  service  uses  the  inter-realm key (which usually
+__________________________
+[3] Of course, with appropriate permission  the  client
+could  arrange registration of a separately-named prin-
+cipal in a remote realm, and engage in normal exchanges
+with  that  realm's  services.  However, for even small
+numbers of clients this becomes  cumbersome,  and  more
+automatic methods as described here are necessary.
+
+
+Section 1.1.               - 5 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+differs from its own normal TGS key) to decrypt the  ticket-
+granting  ticket,  and is thus certain that it was issued by
+the client's own TGS.  Tickets issued by the remote  ticket-
+granting  service  will indicate to the end-service that the
+client was authenticated from another realm.
+
+     A realm is said to communicate with  another  realm  if
+the  two  realms  share  an inter-realm key, or if the local
+realm shares an inter-realm key with an  intermediate  realm
+that  communicates with the remote realm.  An authentication
+path is the sequence of intermediate realms that  are  tran-
+sited in communicating from one realm to another.
+
+     Realms are typically  organized  hierarchically.   Each
+realm  shares a key with its parent and a different key with
+each child.  If an inter-realm key is not directly shared by
+two  realms, the hierarchical organization allows an authen-
+tication path to be easily constructed.  If  a  hierarchical
+organization  is  not used, it may be necessary to consult a
+database  in  order  to  construct  an  authentication  path
+between realms.
+
+     Although realms are typically hierarchical,  intermedi-
+ate  realms may be bypassed to achieve cross-realm authenti-
+cation through alternate authentication paths  (these  might
+be established to make communication between two realms more
+efficient).  It is important for  the  end-service  to  know
+which  realms were transited when deciding how much faith to
+place in the authentication  process.   To  facilitate  this
+decision,  a  field in each ticket contains the names of the
+realms that were involved in authenticating the client.
+
+1.2.  Authorization
+
+As an authentication service, Kerberos provides a  means  of
+verifying  the identity of principals on a network.  Authen-
+tication is usually useful primarily as a first step in  the
+process  of  authorization, determining whether a client may
+use a service,  which  objects  the  client  is  allowed  to
+access,  and  the type of access allowed for each.  Kerberos
+does not, by itself, provide authorization.  Possession of a
+client ticket for a service provides only for authentication
+of the client to that service,  and  in  the  absence  of  a
+separate  authorization  procedure,  it  should  not be con-
+sidered by an application as authorizing  the  use  of  that
+service.
+
+     Such separate authorization methods may be  implemented
+as  application specific access control functions and may be
+based on  files  such  as  the  application  server,  or  on
+separately  issued  authorization  credentials such as those
+based on proxies [7] , or on other authorization services.
+
+     Applications should  not  be  modified  to  accept  the
+issuance of a service ticket by the Kerberos server (even by
+
+Section 1.2.               - 6 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+an modified Kerberos server) as granting  authority  to  use
+the  service,  since such applications may become vulnerable
+to the bypass of this authorization check in an  environment
+where  they  interoperate  with  other  KDCs  or where other
+options for application authentication (e.g. the PKTAPP pro-
+posal) are provided.
+
+1.3.  Environmental assumptions
+
+Kerberos imposes a few assumptions  on  the  environment  in
+which it can properly function:
+
++    "Denial of service" attacks are not  solved  with  Ker-
+     beros.   There  are  places in these protocols where an
+     intruder can prevent an application from  participating
+     in  the  proper  authentication  steps.   Detection and
+     solution of such attacks (some of which can  appear  to
+     be  not-uncommon "normal" failure modes for the system)
+     is usually best left to the  human  administrators  and
+     users.
+
++    Principals must keep their secret keys secret.   If  an
+     intruder  somehow  steals a principal's key, it will be
+     able to masquerade as that principal or impersonate any
+     server to the legitimate principal.
+
++    "Password guessing" attacks are not solved by Kerberos.
+     If  a  user chooses a poor password, it is possible for
+     an attacker to successfully mount an offline dictionary
+     attack  by  repeatedly attempting to decrypt, with suc-
+     cessive entries from a  dictionary,  messages  obtained
+     which are encrypted under a key derived from the user's
+     password.
+
++    Each host on the network must have  a  clock  which  is
+     "loosely  synchronized" to the time of the other hosts;
+     this synchronization is used to reduce the  bookkeeping
+     needs of application servers when they do replay detec-
+     tion.  The degree of "looseness" can be configured on a
+     per-server  basis,  but  is typically on the order of 5
+     minutes.  If the clocks are synchronized over the  net-
+     work, the clock synchronization protocol must itself be
+     secured from network attackers.
+
++    Principal identifiers are not recycled on a  short-term
+     basis.   A  typical  mode  of  access  control will use
+     access control lists (ACLs)  to  grant  permissions  to
+     particular  principals.   If  a stale ACL entry remains
+     for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified
+     in the stale ACL  entry.   By  not  re-using  principal
+     identifiers,   the  danger  of  inadvertent  access  is
+     removed.
+
+
+
+Section 1.3.               - 7 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+1.4.  Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+
+Authentication      Verifying  the  claimed  identity  of  a
+                    principal.
+
+
+Authentication headerA record containing  a  Ticket  and  an
+                    Authenticator   to  be  presented  to  a
+                    server as  part  of  the  authentication
+                    process.
+
+
+Authentication path A sequence of intermediate realms  tran-
+                    sited in the authentication process when
+                    communicating from one realm to another.
+
+
+Authenticator       A record containing information that can
+                    be shown to have been recently generated
+                    using the session key known only by  the
+                    client and server.
+
+
+Authorization       The process  of  determining  whether  a
+                    client may use a service,  which objects
+                    the client is allowed to access, and the
+                    type of access allowed for each.
+
+
+Capability          A token that grants the  bearer  permis-
+                    sion to access an object or service.  In
+                    Kerberos, this might be a  ticket  whose
+                    use is restricted by the contents of the
+                    authorization  data  field,  but   which
+                    lists  no  network  addresses,  together
+                    with the session key  necessary  to  use
+                    the ticket.
+
+
+Ciphertext          The output of  an  encryption  function.
+                    Encryption   transforms  plaintext  into
+                    ciphertext.
+
+
+Client              A process that makes use  of  a  network
+                    service  on behalf of a user.  Note that
+                    in some cases a Server may itself  be  a
+                    client  of  some  other  server  (e.g. a
+                    print server may be a client of  a  file
+                    server).
+
+
+
+Section 1.4.               - 8 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Credentials         A ticket plus  the  secret  session  key
+                    necessary   to   successfully  use  that
+                    ticket in an authentication exchange.
+
+
+KDC                 Key Distribution Center, a network  ser-
+                    vice that supplies tickets and temporary
+                    session keys; or  an  instance  of  that
+                    service  or  the  host on which it runs.
+                    The KDC services both initial ticket and
+                    ticket-granting  ticket  requests.   The
+                    initial  ticket  portion  is   sometimes
+                    referred to as the Authentication Server
+                    (or   service).    The   ticket-granting
+                    ticket  portion is sometimes referred to
+                    as the ticket-granting server  (or  ser-
+                    vice).
+
+
+Kerberos            Aside from  the  3-headed  dog  guarding
+                    Hades,   the   name   given  to  Project
+                    Athena's  authentication  service,   the
+                    protocol  used  by  that service, or the
+                    code used to implement  the  authentica-
+                    tion service.
+
+
+Plaintext           The input to an encryption  function  or
+                    the  output  of  a  decryption function.
+                    Decryption  transforms  ciphertext  into
+                    plaintext.
+
+
+Principal           A  uniquely  named  client   or   server
+                    instance  that participates in a network
+                    communication.
+
+
+Principal identifierThe name used to uniquely identify  each
+                    different principal.
+
+
+Seal                To encipher a record containing  several
+                    fields  in  such  a  way that the fields
+                    cannot be individually replaced  without
+                    either  knowledge  of the encryption key
+                    or leaving evidence of tampering.
+
+
+Secret key          An encryption key shared by a  principal
+                    and  the  KDC,  distributed  outside the
+                    bounds of the system, with a long  life-
+                    time.   In  the  case  of a human user's
+                    principal, the  secret  key  is  derived
+
+
+Section 1.4.               - 9 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                    from a password.
+
+
+Server              A particular Principal which provides  a
+                    resource to network clients.  The server
+                    is sometimes refered to as the  Applica-
+                    tion Server.
+
+
+Service             A resource provided to network  clients;
+                    often  provided  by more than one server
+                    (for example, remote file service).
+
+
+Session key         A temporary encryption key used  between
+                    two  principals, with a lifetime limited
+                    to the duration of a single login  "ses-
+                    sion".
+
+
+Sub-session key     A temporary encryption key used  between
+                    two  principals,  selected and exchanged
+                    by the principals using the session key,
+                    and with a lifetime limited to the dura-
+                    tion of a single association.
+
+
+Ticket              A record that helps a  client  authenti-
+                    cate itself to a server; it contains the
+                    client's  identity,  a  session  key,  a
+                    timestamp,  and  other  information, all
+                    sealed using the  server's  secret  key.
+                    It  only serves to authenticate a client
+                    when  presented  along  with   a   fresh
+                    Authenticator.
+
+2.  Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are  used
+to  indicate  various attributes of that ticket.  Most flags
+may be requested by a client when the  ticket  is  obtained;
+some  are  automatically  turned  on  and  off by a Kerberos
+server as required.  The following sections explain what the
+various  flags  mean,  and  gives examples of reasons to use
+such a flag.
+
+2.1.  Initial and pre-authenticated tickets
+
+     The INITIAL flag indicates that  a  ticket  was  issued
+using  the  AS  protocol  and  not issued based on a ticket-
+granting ticket.  Application servers that want  to  require
+the  demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be  set
+in  any  tickets  they  accept, and thus be assured that the
+
+
+Section 2.1.               - 10 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+client's key  was  recently  presented  to  the  application
+client.
+
+     The PRE-AUTHENT and HW-AUTHENT flags  provide  addition
+information  about the initial authentication, regardless of
+whether the current ticket was  issued  directly  (in  which
+case  INITIAL  will also be set) or issued on the basis of a
+ticket-granting ticket (in which case the  INITIAL  flag  is
+clear,  but the PRE-AUTHENT and HW-AUTHENT flags are carried
+forward from the ticket-granting ticket).
+
+2.2.  Invalid tickets
+
+     The INVALID flag indicates that a  ticket  is  invalid.
+Application servers must reject tickets which have this flag
+set.  A postdated ticket will  usually  be  issued  in  this
+form.   Invalid  tickets must be validated by the KDC before
+use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified.  The KDC will only validate tick-
+ets after their starttime has  passed.   The  validation  is
+required  so  that  postdated tickets which have been stolen
+before their starttime can be rendered  permanently  invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3.  Renewable tickets
+
+     Applications may desire to hold tickets  which  can  be
+valid  for  long  periods of time.  However, this can expose
+their  credentials  to  potential  theft  for  equally  long
+periods,  and  those stolen credentials would be valid until
+the expiration time of the ticket(s).  Simply  using  short-
+lived  tickets  and  obtaining  new  ones periodically would
+require the client to have long-term access  to  its  secret
+key, an even greater risk.  Renewable tickets can be used to
+mitigate the consequences of theft.  Renewable tickets  have
+two  "expiration  times":  the  first  is  when  the current
+instance of the ticket expires, and the second is the latest
+permissible  value  for  an  individual expiration time.  An
+application  client  must  periodically  (i.e.   before   it
+expires)  present  a  renewable  ticket to the KDC, with the
+RENEW option set in the KDC request.  The KDC will  issue  a
+new  ticket  with  a  new session key and a later expiration
+time.  All other fields of the ticket are left unmodified by
+the renewal process.  When the latest permissible expiration
+time arrives,  the  ticket  expires  permanently.   At  each
+renewal,  the KDC may consult a hot-list to determine if the
+ticket had been reported stolen since its last  renewal;  it
+will  refuse  to  renew  such  stolen  tickets, and thus the
+usable lifetime of stolen tickets is reduced.
+
+     The RENEWABLE flag in a ticket is normally only  inter-
+preted  by  the  ticket-granting service (discussed below in
+section 3.3).  It can  usually  be  ignored  by  application
+servers.   However,  some  particularly  careful application
+
+
+Section 2.3.               - 11 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+servers may wish to disallow renewable tickets.
+
+     If a renewable ticket is not renewed by its  expiration
+time, the KDC will not renew the ticket.  The RENEWABLE flag
+is reset by default, but a client may request it be  set  by
+setting  the RENEWABLE option in the KRB_AS_REQ message.  If
+it is set, then the renew-till field in the ticket  contains
+the time after which the ticket may not be renewed.
+
+2.4.  Postdated tickets
+
+     Applications may occasionally need  to  obtain  tickets
+for  use  much  later,  e.g. a batch submission system would
+need tickets to be valid at the time the batch job  is  ser-
+viced.   However, it is dangerous to hold valid tickets in a
+batch queue, since they will  be  on-line  longer  and  more
+prone  to  theft.  Postdated tickets provide a way to obtain
+these tickets from the KDC at job submission  time,  but  to
+leave  them "dormant" until they are activated and validated
+by a further request of the KDC.  If  a  ticket  theft  were
+reported  in  the  interim, the KDC would refuse to validate
+the ticket, and the thief would be foiled.
+
+     The MAY-POSTDATE flag in  a  ticket  is  normally  only
+interpreted  by  the  ticket-granting  service.  It  can  be
+ignored by application servers.  This flag must be set in  a
+ticket-granting  ticket in order to issue a postdated ticket
+based on the presented ticket.  It is reset by  default;  it
+may  be  requested by a client by setting the ALLOW-POSTDATE
+option in the KRB_AS_REQ message.  This flag does not  allow
+a client to obtain a postdated ticket-granting ticket; post-
+dated  ticket-granting  tickets  can  only  by  obtained  by
+requesting  the  postdating  in the KRB_AS_REQ message.  The
+life (endtime-starttime) of a postdated ticket will  be  the
+remaining  life of the ticket-granting ticket at the time of
+the request, unless the RENEWABLE option  is  also  set,  in
+which  case  it  can be the full life (endtime-starttime) of
+the ticket-granting ticket.  The KDC may limit  how  far  in
+the future a ticket may be postdated.
+
+     The POSTDATED flag indicates that  a  ticket  has  been
+postdated.   The  application  server can check the authtime
+field in the ticket to see when the original  authentication
+occurred.   Some  services  may  choose  to reject postdated
+tickets, or they may  only  accept  them  within  a  certain
+period  after  the  original  authentication.   When the KDC
+issues a  POSTDATED  ticket,  it  will  also  be  marked  as
+INVALID,  so  that  the  application client must present the
+ticket to the KDC to be validated before use.
+
+2.5.  Proxiable and proxy tickets
+
+     At times it may be necessary for a principal to allow a
+service  to perform an operation on its behalf.  The service
+
+
+Section 2.5.               - 12 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+must be able to take on the identity of the client, but only
+for  a  particular purpose.  A principal can allow a service
+to take on the principal's identity for a particular purpose
+by granting it a proxy.
+
+     The process of granting a proxy  using  the  proxy  and
+proxiable  flags is used to provide credentials for use with
+specific services.  Though conceptually also a proxy, user's
+wishing  to delegate their identity for ANY purpose must use
+the ticket forwarding mechanism described in the  next  sec-
+tion to forward a ticket granting ticket.
+
+     The PROXIABLE flag in a ticket is normally only  inter-
+preted  by the ticket-granting service. It can be ignored by
+application servers.  When set, this flag tells the  ticket-
+granting server that it is OK to issue a new ticket (but not
+a ticket-granting ticket) with a different  network  address
+based  on this ticket.  This flag is set if requested by the
+client on initial authentication.  By  default,  the  client
+will  request that it be set when requesting a ticket grant-
+ing ticket, and reset when requesting any other ticket.
+
+     This flag allows a client to pass a proxy to  a  server
+to perform a remote request on its behalf, e.g. a print ser-
+vice client can give the print server a proxy to access  the
+client's  files  on  a  particular  file  server in order to
+satisfy a print request.
+
+     In order to complicate the use of  stolen  credentials,
+Kerberos  tickets  are usually valid from only those network
+addresses specifically  included  in  the  ticket[4].   When
+granting  a  proxy,  the client must specify the new network
+address from which the proxy is to be used, or indicate that
+the proxy is to be issued for use from any address.
+
+     The PROXY flag is set in a ticket by the  TGS  when  it
+issues  a  proxy ticket.  Application servers may check this
+flag and at their option they may require additional authen-
+tication  from  the  agent  presenting the proxy in order to
+provide an audit trail.
+
+2.6.  Forwardable tickets
+
+     Authentication forwarding is an  instance  of  a  proxy
+where  the  service  is granted complete use of the client's
+identity.  An example where it might be used is when a  user
+logs  in to a remote system and wants authentication to work
+from that system as if the login were local.
+
+     The FORWARDABLE flag  in  a  ticket  is  normally  only
+__________________________
+[4] Though it is permissible to request or issue  tick-
+ets with no network addresses specified.
+
+
+Section 2.6.               - 13 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+interpreted by  the  ticket-granting  service.   It  can  be
+ignored by application servers.  The FORWARDABLE flag has an
+interpretation similar to that of the PROXIABLE flag, except
+ticket-granting  tickets  may  also be issued with different
+network addresses.  This flag is reset by default, but users
+may request that it be set by setting the FORWARDABLE option
+in the AS request when they request  their  initial  ticket-
+granting ticket.
+
+     This flag allows for authentication forwarding  without
+requiring  the  user to enter a password again.  If the flag
+is not set, then authentication forwarding is not permitted,
+but  the  same  result  can  still  be  achieved if the user
+engages in the AS exchange specifying the requested  network
+addresses and supplies a password.
+
+     The FORWARDED flag is set by  the  TGS  when  a  client
+presents a ticket with the FORWARDABLE flag set and requests
+a forwarded ticket by specifying the  FORWARDED  KDC  option
+and  supplying a set of addresses for the new ticket.  It is
+also set in all tickets issued based  on  tickets  with  the
+FORWARDED  flag set.  Application servers may choose to pro-
+cess FORWARDED tickets differently than non-FORWARDED  tick-
+ets.
+
+2.7.  Other KDC options
+
+     There are two additional options which may be set in  a
+client's  request of the KDC.  The RENEWABLE-OK option indi-
+cates that the client will accept a renewable  ticket  if  a
+ticket with the requested life cannot otherwise be provided.
+If a ticket with the requested life cannot be provided, then
+the KDC may issue a renewable ticket with a renew-till equal
+to the the requested endtime.  The value of  the  renew-till
+field  may  still  be  adjusted by site-determined limits or
+limits imposed by the individual principal or server.
+
+     The ENC-TKT-IN-SKEY  option  is  honored  only  by  the
+ticket-granting service.  It indicates that the ticket to be
+issued for the end server is to be encrypted in the  session
+key from the a additional second ticket-granting ticket pro-
+vided with the request.   See  section  3.3.3  for  specific
+details.
+
+__________________________
+[5] The password-changing request must not  be  honored
+unless  the requester can provide the old password (the
+user's current secret key).   Otherwise,  it  would  be
+possible  for  someone to walk up to an unattended ses-
+sion and change another user's password.
+[6] To authenticate a user logging on to a  local  sys-
+tem,  the  credentials  obtained in the AS exchange may
+first be used in a TGS exchange to  obtain  credentials
+
+
+Section 3.1.               - 14 -    Expires 11 January 1998
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+3.  Message Exchanges
+
+The following sections  describe  the  interactions  between
+network  clients  and  servers  and the messages involved in
+those exchanges.
+
+3.1.  The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+
+     The Authentication Service (AS)  Exchange  between  the
+client  and  the Kerberos Authentication Server is initiated
+by a client when it wishes to obtain authentication  creden-
+tials for a given server but currently holds no credentials.
+In its basic form, the client's secret key is used  for  en-
+cryption and decryption.  This exchange is typically used at
+the initiation of a login session to obtain credentials  for
+a  Ticket-Granting Server which will subsequently be used to
+obtain credentials  for  other  servers  (see  section  3.3)
+without  requiring  further  use of the client's secret key.
+This exchange is also used to request credentials  for  ser-
+vices which must not be mediated through the Ticket-Granting
+Service, but rather require a principal's secret  key,  such
+as the password-changing service[5].  This exchange does not
+by  itself  provide any assurance of the the identity of the
+user[6].
+
+     The exchange consists of two messages: KRB_AS_REQ  from
+the  client  to  Kerberos,  and  KRB_AS_REP  or KRB_ERROR in
+reply.  The formats for these messages are described in sec-
+tions 5.4.1, 5.4.2, and 5.9.1.
+
+     In the request, the client sends (in cleartext) its own
+identity  and  the  identity  of  the server for which it is
+requesting credentials.  The response, KRB_AS_REP,  contains
+a ticket for the client to present to the server, and a ses-
+sion key that will be shared by the client and  the  server.
+The  session key and additional information are encrypted in
+the client's secret key.  The  KRB_AS_REP  message  contains
+information  which  can  be  used  to detect replays, and to
+associate it with the message to which it replies.   Various
+errors  can  occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response.   The  error
+__________________________
+for  a  local  server.   Those credentials must then be
+verified by a local server through  successful  comple-
+tion of the Client/Server exchange.
+
+
+
+Section 3.1.               - 15 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+message is not encrypted.  The  KRB_ERROR  message  contains
+information  which can be used to associate it with the mes-
+sage to which it replies.  The lack  of  encryption  in  the
+KRB_ERROR  message  precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+     Without  preautentication,  the  authentication  server
+does  not  know whether the client is actually the principal
+named in the request.  It simply sends a reply without know-
+ing or caring whether they are the same.  This is acceptable
+because nobody but the principal whose identity was given in
+the  request  will  be  able  to use the reply. Its critical
+information is encrypted in that principal's key.  The  ini-
+tial  request supports an optional field that can be used to
+pass additional information that might  be  needed  for  the
+initial   exchange.    This  field  may  be  used  for  pre-
+authentication as described in section <<sec preauth>>.
+
+3.1.1.  Generation of KRB_AS_REQ message
+
+     The client may specify a number of options in the  ini-
+tial   request.    Among  these  options  are  whether  pre-
+authentication is to be  performed;  whether  the  requested
+ticket  is  to  be  renewable,  proxiable,  or  forwardable;
+whether it  should  be  postdated  or  allow  postdating  of
+derivative  tickets;  and whether a renewable ticket will be
+accepted in lieu of a non-renewable ticket if the  requested
+ticket  expiration  date  cannot  be  satisfied  by  a  non-
+renewable ticket (due to configuration constraints; see sec-
+tion 4).  See section A.1 for pseudocode.
+
+     The client prepares the KRB_AS_REQ message and sends it
+to the KDC.
+
+3.1.2.  Receipt of KRB_AS_REQ message
+
+     If all goes well,  processing  the  KRB_AS_REQ  message
+will  result  in  the creation of a ticket for the client to
+present to  the  server.   The  format  for  the  ticket  is
+described  in section 5.3.1.  The contents of the ticket are
+determined as follows.
+
+3.1.3.  Generation of KRB_AS_REP message
+
+     The authentication  server  looks  up  the  client  and
+server  principals  named in the KRB_AS_REQ in its database,
+extracting their respective keys.  If required,  the  server
+pre-authenticates the request, and if the pre-authentication
+check   fails,   an   error   message    with    the    code
+KDC_ERR_PREAUTH_FAILED  is  returned.   If the server cannot
+accommodate the requested encryption type, an error  message
+with  code  KDC_ERR_ETYPE_NOSUPP  is returned.  Otherwise it
+generates a "random" session key[7].
+__________________________
+
+
+Section 3.1.3.             - 16 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     If there are multiple encryption keys registered for  a
+client  in  the  Kerberos database (or if the key registered
+supports multiple encryption  types;  e.g.  DES-CBC-CRC  and
+DES-CBC-MD5),  then  the  etype field from the AS request is
+used by the KDC to select the encryption method to  be  used
+for encrypting the response to the client.  If there is more
+than one supported, strong  encryption  type  in  the  etype
+list,  the  first valid etype for which an encryption key is
+available is used.  The encryption method used to respond to
+a  TGS  request is taken from the keytype of the session key
+found in the ticket granting ticket.
+
+     When the etype field  is  present  in  a  KDC  request,
+whether an AS or TGS request, the KDC will attempt to assign
+the type of the random session key from the list of  methods
+in  the  etype  field.   The KDC will select the appropriate
+type using the list of methods provided together with infor-
+mation  from  the  Kerberos  database  indicating acceptable
+encryption methods for the application server.  The KDC will
+not issue tickets with a weak session key encryption type.
+
+     If the requested start time is absent, indicates a time
+in  the  past,  or  is within the window of acceptable clock
+skew for the KDC and the POSTDATE option has not been speci-
+fied,  then  the  start  time  of  the  ticket is set to the
+authentication server's current time.   If  it  indicates  a
+time in the future beyond the acceptable clock skew, but the
+POSTDATED option has  not  been  specified  then  the  error
+KDC_ERR_CANNOT_POSTDATE    is   returned.    Otherwise   the
+requested start time is checked against the  policy  of  the
+local realm (the administrator might decide to prohibit cer-
+tain types or ranges of postdated tickets), and  if  accept-
+able,  the  ticket's  start time is set as requested and the
+INVALID flag is set in the new ticket. The postdated  ticket
+must  be  validated  before  use by presenting it to the KDC
+after the start time has been reached.
+
+
+
+
+
+
+
+
+
+__________________________
+[7] "Random" means that, among other things, it  should
+be  impossible  to  guess the next session key based on
+knowledge of past  session  keys.   This  can  only  be
+achieved  in  a pseudo-random number generator if it is
+based on cryptographic principles.  It is  more  desir-
+able  to  use  a truly random number generator, such as
+one based on measurements of random physical phenomena.
+
+
+
+Section 3.1.3.             - 17 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+The expiration time of the ticket will be set to the minimum
+of the following:
+
++The expiration time (endtime) requested in  the  KRB_AS_REQ
+ message.
+
++The ticket's start time plus the maximum allowable lifetime
+ associated  with  the  client principal (the authentication
+ server's database includes a maximum ticket lifetime  field
+ in each principal's record; see section 4).
+
++The ticket's start time plus the maximum allowable lifetime
+ associated with the server principal.
+
++The ticket's start time plus the maximum  lifetime  set  by
+ the policy of the local realm.
+
+     If the requested expiration time minus the  start  time
+(as determined above) is less than a site-determined minimum
+lifetime, an error message with code KDC_ERR_NEVER_VALID  is
+returned.   If  the requested expiration time for the ticket
+exceeds  what  was  determined  as   above,   and   if   the
+"RENEWABLE-OK"  option  was  requested, then the "RENEWABLE"
+flag is set in the new ticket, and the renew-till  value  is
+set  as  if the "RENEWABLE" option were requested (the field
+and option names are described fully in section 5.4.1).
+
+If the  RENEWABLE  option  has  been  requested  or  if  the
+RENEWABLE-OK  option  has been set and a renewable ticket is
+to be issued, then  the  renew-till  field  is  set  to  the
+minimum of:
+
++Its requested value.
+
++The start time of the ticket plus the minimum  of  the  two
+ maximum renewable lifetimes associated with the principals'
+ database entries.
+
++The start time of the ticket  plus  the  maximum  renewable
+ lifetime set by the policy of the local realm.
+
+     The flags field of the new ticket will have the follow-
+ing  options set if they have been requested and if the pol-
+icy of the local realm  allows:  FORWARDABLE,  MAY-POSTDATE,
+POSTDATED,  PROXIABLE, RENEWABLE. If the new ticket is post-
+dated (the start time is in the future),  its  INVALID  flag
+will also be set.
+
+     If all of the  above  succeed,  the  server  formats  a
+KRB_AS_REP   message   (see   section  5.4.2),  copying  the
+addresses in the request into the  caddr  of  the  response,
+placing any required pre-authentication data into the padata
+of the response, and encrypts the  ciphertext  part  in  the
+client's  key  using  the  requested  encryption method, and
+
+
+Section 3.1.3.             - 18 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+sends it to the client.  See section A.2 for pseudocode.
+
+3.1.4.  Generation of KRB_ERROR message
+
+     Several errors can occur, and the Authentication Server
+responds  by  returning  an error message, KRB_ERROR, to the
+client,  with  the  error-code  and  e-text  fields  set  to
+appropriate  values.  The error message contents and details
+are described in Section 5.9.1.
+
+3.1.5.  Receipt of KRB_AS_REP message
+
+     If the reply  message  type  is  KRB_AS_REP,  then  the
+client  verifies  that  the  cname  and crealm fields in the
+cleartext portion of the reply match what it requested.   If
+any  padata  fields  are present, they may be used to derive
+the proper secret key to decrypt the  message.   The  client
+decrypts the encrypted part of the response using its secret
+key, verifies that the nonce in the encrypted  part  matches
+the  nonce  it  supplied in its request (to detect replays).
+It also verifies that the sname and srealm in  the  response
+match  those  in  the  request  (or  are  otherwise expected
+values), and that the host address field  is  also  correct.
+It then stores the ticket, session key, start and expiration
+times, and  other  information  for  later  use.   The  key-
+expiration field from the encrypted part of the response may
+be checked to notify the user of  impending  key  expiration
+(the client program could then suggest remedial action, such
+as a password change).  See section A.3 for pseudocode.
+
+     Proper decryption of the KRB_AS_REP message is not suf-
+ficient  to verify the identity of the user; the user and an
+attacker could cooperate to  generate  a  KRB_AS_REP  format
+message  which  decrypts properly but is not from the proper
+KDC.  If the host wishes to verify the identity of the user,
+it  must require the user to present application credentials
+which can be verified using a securely-stored secret key for
+the  host.   If  those credentials can be verified, then the
+identity of the user can be assured.
+
+3.1.6.  Receipt of KRB_ERROR message
+
+     If the reply message type is KRB_ERROR, then the client
+interprets   it   as   an   error   and   performs  whatever
+application-specific tasks are necessary to recover.
+
+3.2.  The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+
+
+Section 3.2.               - 19 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     The client/server authentication (CS) exchange is  used
+by  network  applications  to authenticate the client to the
+server  and  vice  versa.   The  client  must  have  already
+acquired  credentials  for  the  server  using the AS or TGS
+exchange.
+
+3.2.1.  The KRB_AP_REQ message
+
+     The  KRB_AP_REQ  contains  authentication   information
+which  should  be  part of the first message in an authenti-
+cated transaction.  It contains a ticket, an  authenticator,
+and  some  additional  bookkeeping  information (see section
+5.5.1 for the exact format).  The ticket by itself is insuf-
+ficient  to  authenticate a client, since tickets are passed
+across the network in cleartext[8], so the authenticator  is
+used  to prevent invalid replay of tickets by proving to the
+server that the client knows the session key of  the  ticket
+and thus is entitled to use the ticket.  The KRB_AP_REQ mes-
+sage  is  referred  to  elsewhere  as  the   "authentication
+header."
+
+3.2.2.  Generation of a KRB_AP_REQ message
+
+     When a client wishes to initiate  authentication  to  a
+server,  it obtains (either through a credentials cache, the
+AS exchange, or the TGS exchange) a ticket and  session  key
+for  the desired service.  The client may re-use any tickets
+it holds until they expire.  To use a ticket the client con-
+structs  a  new  Authenticator from the the system time, its
+name, and optionally an application  specific  checksum,  an
+initial  sequence  number to be used in KRB_SAFE or KRB_PRIV
+messages, and/or a session subkey to be used in negotiations
+for  a  session  key  unique  to  this  particular  session.
+Authenticators may not be re-used and will  be  rejected  if
+replayed to a server[9].  If a  sequence  number  is  to  be
+included,  it  should  be randomly chosen so that even after
+many messages have been exchanged it is not likely  to  col-
+lide with other sequence numbers in use.
+
+     The  client  may  indicate  a  requirement  of   mutual
+__________________________
+[8] Tickets contain both an encrypted  and  unencrypted
+portion,  so  cleartext here refers to the entire unit,
+which can be copied from one message  and  replayed  in
+another without any cryptographic skill.
+[9] Note  that  this can make applications based on un-
+reliable transports difficult to code correctly. If the
+transport  might  deliver duplicated messages, either a
+new authenticator must be generated for each retry,  or
+the  application server must match requests and replies
+and replay the first reply in response  to  a  detected
+duplicate.
+
+
+
+Section 3.2.2.             - 20 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authentication or the use of a session-key based  ticket  by
+setting  the  appropriate flag(s) in the ap-options field of
+the message.
+
+     The Authenticator is encrypted in the session  key  and
+combined  with  the  ticket  to  form the KRB_AP_REQ message
+which is then sent to the end server along  with  any  addi-
+tional  application-specific  information.   See section A.9
+for pseudocode.
+
+3.2.3.  Receipt of KRB_AP_REQ message
+
+     Authentication is based on the server's current time of
+day  (clocks  must be loosely synchronized), the authentica-
+tor, and the ticket.  Several errors are  possible.   If  an
+error  occurs, the server is expected to reply to the client
+with a KRB_ERROR message.  This message may be  encapsulated
+in the application protocol if its "raw" form is not accept-
+able to the protocol.   The  format  of  error  messages  is
+described in section 5.9.1.
+
+     The algorithm for verifying authentication  information
+is  as  follows.  If the message type is not KRB_AP_REQ, the
+server returns the KRB_AP_ERR_MSG_TYPE error.   If  the  key
+version indicated by the Ticket in the KRB_AP_REQ is not one
+the server can use (e.g., it indicates an old key,  and  the
+server  no  longer  possesses  a  copy  of the old key), the
+KRB_AP_ERR_BADKEYVER  error  is  returned.   If   the   USE-
+SESSION-KEY  flag  is  set in the ap-options field, it indi-
+cates to the server that the ticket is encrypted in the ses-
+sion  key  from  the  server's ticket-granting ticket rather
+than its secret key[10].   Since  it  is  possible  for  the
+server  to  be registered in multiple realms, with different
+keys in each, the srealm field in the unencrypted portion of
+the ticket in the KRB_AP_REQ is used to specify which secret
+key the server should  use  to  decrypt  that  ticket.   The
+KRB_AP_ERR_NOKEY  error  code  is  returned  if  the  server
+doesn't have the proper key to decipher the ticket.
+
+     The ticket  is  decrypted  using  the  version  of  the
+server's  key  specified  by  the ticket.  If the decryption
+routines detect a modification of the ticket  (each  encryp-
+tion  system  must  provide  safeguards  to  detect modified
+ciphertext; see  section  6),  the  KRB_AP_ERR_BAD_INTEGRITY
+error is returned (chances are good that different keys were
+used to encrypt and decrypt).
+
+     The authenticator is decrypted using  the  session  key
+extracted from the decrypted ticket.  If decryption shows it
+to have been modified, the KRB_AP_ERR_BAD_INTEGRITY error is
+__________________________
+[10] This is used for  user-to-user  authentication  as
+described in  [8].
+
+
+Section 3.2.3.             - 21 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+returned.  The name and realm of the client from the  ticket
+are  compared  against the same fields in the authenticator.
+If  they  don't  match,  the  KRB_AP_ERR_BADMATCH  error  is
+returned  (they  might  not match, for example, if the wrong
+session key was used to  encrypt  the  authenticator).   The
+addresses  in  the  ticket (if any) are then searched for an
+address matching the operating-system  reported  address  of
+the  client.   If no match is found or the server insists on
+ticket addresses but none are present  in  the  ticket,  the
+KRB_AP_ERR_BADADDR error is returned.
+
+     If the local (server) time and the client time  in  the
+authenticator  differ  by more than the allowable clock skew
+(e.g., 5 minutes), the KRB_AP_ERR_SKEW  error  is  returned.
+If  the  server  name,  along with the client name, time and
+microsecond  fields  from  the   Authenticator   match   any
+recently-seen  such  tuples,  the KRB_AP_ERR_REPEAT error is
+returned[11].  The server must  remember  any  authenticator
+presented  within the allowable clock skew, so that a replay
+attempt is guaranteed to fail.  If a server loses  track  of
+any authenticator presented within the allowable clock skew,
+it must reject all requests until the  clock  skew  interval
+has passed.  This assures that any lost or re-played authen-
+ticators will fall outside the allowable clock skew and  can
+no  longer be successfully replayed (If this is not done, an
+attacker could conceivably record the ticket and authentica-
+tor  sent  over  the  network  to a server, then disable the
+client's host, pose as the disabled  host,  and  replay  the
+ticket  and  authenticator  to subvert the authentication.).
+If a sequence number is provided in the  authenticator,  the
+server  saves it for later use in processing KRB_SAFE and/or
+KRB_PRIV messages.  If  a  subkey  is  present,  the  server
+either  saves  it  for later use or uses it to help generate
+its own choice for a subkey to be returned in  a  KRB_AP_REP
+message.
+
+     The server  computes  the  age  of  the  ticket:  local
+(server)  time  minus  the start time inside the Ticket.  If
+the start time is later than the current time by  more  than
+the  allowable  clock  skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned.   Oth-
+erwise,  if  the current time is later than end time by more
+than the allowable clock  skew,  the  KRB_AP_ERR_TKT_EXPIRED
+error is returned.
+
+     If all these  checks  succeed  without  an  error,  the
+__________________________
+[11] Note that the rejection here is restricted to  au-
+thenticators  from  the  same  principal  to  the  same
+server.  Other client principals communicating with the
+same  server principal should not be have their authen-
+ticators rejected if the time  and  microsecond  fields
+happen to match some other client's authenticator.
+
+
+Section 3.2.3.             - 22 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+server is assured that the client possesses the  credentials
+of  the  principal  named in the ticket and thus, the client
+has been authenticated to the server.  See section A.10  for
+pseudocode.
+
+     Passing these checks provides  only  authentication  of
+the  named principal; it does not imply authorization to use
+the  named  service.   Applications  must  make  a  separate
+authorization decisions based upon the authenticated name of
+the user,  the  requested  operation,  local  acces  control
+information such as that contained in a .k5login or .k5users
+file, and possibly a separate distributed authorization ser-
+vice.
+
+3.2.4.  Generation of a KRB_AP_REP message
+
+     Typically, a client's request  will  include  both  the
+authentication  information  and  its initial request in the
+same message, and the server need not  explicitly  reply  to
+the KRB_AP_REQ.  However, if mutual authentication (not only
+authenticating the client to the server, but also the server
+to  the  client)  is being performed, the KRB_AP_REQ message
+will have MUTUAL-REQUIRED set in its ap-options field, and a
+KRB_AP_REP  message  is  required  in response.  As with the
+error message, this  message  may  be  encapsulated  in  the
+application  protocol if its "raw" form is not acceptable to
+the application's protocol.  The timestamp  and  microsecond
+field  used  in the reply must be the client's timestamp and
+microsecond field (as provided  in  the  authenticator)[12].
+If  a  sequence  number is to be included, it should be ran-
+domly chosen as described above for  the  authenticator.   A
+subkey  may be included if the server desires to negotiate a
+different subkey.  The KRB_AP_REP message  is  encrypted  in
+the session key extracted from the ticket.  See section A.11
+for pseudocode.
+
+3.2.5.  Receipt of KRB_AP_REP message
+
+
+     If a KRB_AP_REP message is returned,  the  client  uses
+the  session  key  from  the  credentials  obtained  for the
+server[13] to decrypt the message,  and  verifies  that  the
+__________________________
+[12] In the Kerberos version 4 protocol, the  timestamp
+in the reply was the client's timestamp plus one.  This
+is not necessary in version 5 because  version  5  mes-
+sages are formatted in such a way that it is not possi-
+ble to create the reply by  judicious  message  surgery
+(even  in  encrypted form) without knowledge of the ap-
+propriate encryption keys.
+[13] Note that for encrypting the  KRB_AP_REP  message,
+the sub-session key is not used, even if present in the
+Authenticator.
+
+
+Section 3.2.5.             - 23 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+timestamp and microsecond fields match those in the  Authen-
+ticator  it  sent  to  the  server.  If they match, then the
+client is assured that the server is genuine.  The  sequence
+number  and  subkey (if present) are retained for later use.
+See section A.12 for pseudocode.
+
+
+3.2.6.  Using the encryption key
+
+     After the KRB_AP_REQ/KRB_AP_REP exchange has  occurred,
+the  client  and server share an encryption key which can be
+used by the application.  The "true session key" to be  used
+for  KRB_PRIV,  KRB_SAFE, or other application-specific uses
+may be chosen by the application based on the subkeys in the
+KRB_AP_REP  message  and  the  authenticator[14].   In  some
+cases,  the  use of this session key will be implicit in the
+protocol; in others the method of use must  be  chosen  from
+several alternatives.  We leave the protocol negotiations of
+how to use the key (e.g.  selecting an encryption or  check-
+sum type) to the application programmer; the Kerberos proto-
+col does not constrain the implementation  options,  but  an
+example of how this might be done follows.
+
+     One way that an application may choose to  negotiate  a
+key  to  be used for subequent integrity and privacy protec-
+tion is for the client to propose a key in the subkey  field
+of  the  authenticator.   The  server  can then choose a key
+using the proposed key from the client as  input,  returning
+the new subkey in the subkey field of the application reply.
+This key could then be used  for  subsequent  communication.
+To make this example more concrete, if the encryption method
+in use required a 56 bit key, and for whatever  reason,  one
+of the parties was prevented from using a key with more than
+40 unknown bits, this method would allow the the party which
+is  prevented from using more than 40 bits to either propose
+(if the client) an initial key with a known quantity for  16
+of  those  bits,  or  to mask 16 of the bits (if the server)
+with the known quantity.   The  application  implementor  is
+warned,  however,  that this is only an example, and that an
+analysis of the particular crytosystem to be used,  and  the
+reasons  for  limiting  the  key length, must be made before
+deciding whether it is acceptable to mask bits of the key.
+
+     With  both  the  one-way  and   mutual   authentication
+exchanges,  the peers should take care not to send sensitive
+information to each other  without  proper  assurances.   In
+particular,  applications  that require privacy or integrity
+should use the KRB_AP_REP response from the server to client
+__________________________
+[14] Implementations of the protocol may wish  to  pro-
+vide  routines  to choose subkeys based on session keys
+and random numbers and to generate a negotiated key  to
+be returned in the KRB_AP_REP message.
+
+
+Section 3.2.6.             - 24 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+to assure both client and server of their  peer's  identity.
+If an application protocol requires privacy of its messages,
+it can use the KRB_PRIV message (section 3.5).  The KRB_SAFE
+message (section 3.4) can be used to assure integrity.
+
+
+3.3.  The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+
+     The TGS exchange between  a  client  and  the  Kerberos
+Ticket-Granting  Server  is  initiated  by  a client when it
+wishes to obtain  authentication  credentials  for  a  given
+server  (which  might be registered in a remote realm), when
+it wishes to renew or validate an existing ticket,  or  when
+it  wishes to obtain a proxy ticket.  In the first case, the
+client must already have acquired a ticket for  the  Ticket-
+Granting  Service using the AS exchange (the ticket-granting
+ticket is usually obtained when a client initially authenti-
+cates to the system, such as when a user logs in).  The mes-
+sage format for the TGS exchange is almost identical to that
+for the AS exchange.  The primary difference is that encryp-
+tion and decryption in the TGS exchange does not take  place
+under  the  client's key.  Instead, the session key from the
+ticket-granting ticket or renewable ticket,  or  sub-session
+key  from  an Authenticator is used.  As is the case for all
+application servers, expired tickets are not accepted by the
+TGS,  so once a renewable or ticket-granting ticket expires,
+the client must use a  separate  exchange  to  obtain  valid
+tickets.
+
+     The TGS exchange consists of two  messages:  A  request
+(KRB_TGS_REQ)  from  the  client  to  the  Kerberos  Ticket-
+Granting Server, and a  reply  (KRB_TGS_REP  or  KRB_ERROR).
+The  KRB_TGS_REQ message includes information authenticating
+the client plus a request for credentials.  The  authentica-
+tion  information  consists  of  the  authentication  header
+(KRB_AP_REQ) which includes the client's previously obtained
+ticket-granting,  renewable,  or  invalid  ticket.   In  the
+ticket-granting ticket and  proxy  cases,  the  request  may
+include  one or more of: a list of network addresses, a col-
+lection of typed authorization data  to  be  sealed  in  the
+ticket  for  authorization use by the application server, or
+additional tickets (the use of which are  described  later).
+The  TGS  reply (KRB_TGS_REP) contains the requested creden-
+tials, encrypted in the session key from the ticket-granting
+ticket  or  renewable  ticket,  or  if  present, in the sub-
+session key from the Authenticator (part of the  authentica-
+tion  header).  The KRB_ERROR message contains an error code
+
+
+Section 3.3.               - 25 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+and text explaining what went wrong.  The KRB_ERROR  message
+is not encrypted.  The KRB_TGS_REP message contains informa-
+tion which can be used to detect replays, and  to  associate
+it with the message to which it replies.  The KRB_ERROR mes-
+sage also contains information which can be used to  associ-
+ate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to
+detect replays or fabrications of such messages.
+
+3.3.1.  Generation of KRB_TGS_REQ message
+
+     Before sending a request to  the  ticket-granting  ser-
+vice,  the client must determine in which realm the applica-
+tion server is  registered[15].   If  the  client  does  not
+already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained.  This is  first  attempted
+by  requesting  a ticket-granting ticket for the destination
+realm from a Kerberos  server  for  which  the  client  does
+posess  a ticket-granting ticket (using the KRB_TGS_REQ mes-
+sage recursively).  The Kerberos server may return a TGT for
+the  desired  realm in which case one can proceed.  Alterna-
+tively, the Kerberos server may return a  TGT  for  a  realm
+which  is  "closer"  to the desired realm (further along the
+standard hierarchical path), in which case this step must be
+repeated  with  a  Kerberos server in the realm specified in
+the returned TGT.  If neither are returned, then the request
+must be retried with a Kerberos server for a realm higher in
+the hierarchy.  This request will itself require  a  ticket-
+granting  ticket for the higher realm which must be obtained
+by recursively applying these directions.
+
+
+     Once the client obtains a  ticket-granting  ticket  for
+the  appropriate realm, it determines which Kerberos servers
+serve that realm, and  contacts  one.   The  list  might  be
+obtained  through a configuration file or network service or
+it may be generated from the name of the realm; as  long  as
+the  secret  keys  exchanged by realms are kept secret, only
+denial of  service  results  from  using  a  false  Kerberos
+server.
+__________________________
+[15] This can be  accomplished  in  several  ways.   It
+might  be  known beforehand (since the realm is part of
+the principal identifier), it  might  be  stored  in  a
+nameserver,  or  it might be obtained from a configura-
+tion file.  If the realm to be used is obtained from  a
+nameserver,  there  is a danger of being spoofed if the
+nameservice providing the realm name is  not  authenti-
+cated.   This  might result in the use of a realm which
+has been compromised, and would result in an attacker's
+ability  to compromise the authentication of the appli-
+cation server to the client.
+
+
+
+Section 3.3.1.             - 26 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     As in the AS exchange, the client may specify a  number
+of  options in the KRB_TGS_REQ message.  The client prepares
+the KRB_TGS_REQ message, providing an authentication  header
+as  an  element  of the padata field, and including the same
+fields as used in the KRB_AS_REQ message along with  several
+optional fields: the enc-authorization-data field for appli-
+cation server use and additional tickets  required  by  some
+options.
+
+     In preparing the authentication header, the client  can
+select  a  sub-session key under which the response from the
+Kerberos server will be encrypted[16].  If  the  sub-session
+key  is  not  specified,  the  session  key from the ticket-
+granting ticket will be used.  If the enc-authorization-data
+is  present, it must be encrypted in the sub-session key, if
+present, from the authenticator portion of  the  authentica-
+tion  header,  or if not present, using the session key from
+the ticket-granting ticket.
+
+     Once prepared, the message is sent to a Kerberos server
+for the destination realm.  See section A.5 for pseudocode.
+
+3.3.2.  Receipt of KRB_TGS_REQ message
+
+     The KRB_TGS_REQ message is processed in a manner  simi-
+lar to the KRB_AS_REQ message, but there are many additional
+checks to be performed.  First,  the  Kerberos  server  must
+determine which server the accompanying ticket is for and it
+must select the appropriate key to decrypt it.  For a normal
+KRB_TGS_REQ message, it will be for the ticket granting ser-
+vice, and the TGS's key will be used.  If the TGT was issued
+by  another realm, then the appropriate inter-realm key must
+be used.  If the accompanying ticket is not a ticket  grant-
+ing  ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE,  or  PROXY
+options  are  specified  in  the request, and the server for
+which a ticket is requested  is  the  server  named  in  the
+accompanying ticket, then the KDC will decrypt the ticket in
+the authentication header using the key of  the  server  for
+which  it  was  issued.   If  no  ticket can be found in the
+padata  field,  the  KDC_ERR_PADATA_TYPE_NOSUPP   error   is
+returned.
+
+     Once the accompanying ticket has  been  decrypted,  the
+user-supplied checksum in the Authenticator must be verified
+against  the  contents  of  the  request,  and  the  message
+rejected  if  the checksums do not match (with an error code
+__________________________
+[16] If the client selects a sub-session key, care must
+be  taken to ensure the randomness of the selected sub-
+session key.  One approach would be to generate a  ran-
+dom  number  and  XOR  it with the session key from the
+ticket-granting ticket.
+
+
+Section 3.3.2.             - 27 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+of KRB_AP_ERR_MODIFIED) or if the checksum is not  keyed  or
+not    collision-proof    (with    an    error    code    of
+KRB_AP_ERR_INAPP_CKSUM).  If the checksum type is  not  sup-
+ported,  the  KDC_ERR_SUMTYPE_NOSUPP  error is returned.  If
+the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+     If any of the  decryptions  indicate  failed  integrity
+checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3.  Generation of KRB_TGS_REP message
+
+     The KRB_TGS_REP message  shares  its  format  with  the
+KRB_AS_REP  (KRB_KDC_REP),  but  with  its type field set to
+KRB_TGS_REP.   The  detailed  specification  is  in  section
+5.4.2.
+
+     The response will include a ticket  for  the  requested
+server.   The  Kerberos  database is queried to retrieve the
+record for the requested  server  (including  the  key  with
+which  the ticket will be encrypted).  If the request is for
+a ticket granting ticket for a remote realm, and if  no  key
+is shared with the requested realm, then the Kerberos server
+will select the realm "closest" to the requested realm  with
+which it does share a key, and use that realm instead.  This
+is the only case where the response from the KDC will be for
+a different server than that requested by the client.
+
+     By default, the address field, the  client's  name  and
+realm,  the  list  of  transited realms, the time of initial
+authentication, the expiration time, and  the  authorization
+data  of  the  newly-issued  ticket  will be copied from the
+ticket-granting ticket (TGT) or renewable  ticket.   If  the
+transited  field needs to be updated, but the transited type
+is  not  supported,  the  KDC_ERR_TRTYPE_NOSUPP   error   is
+returned.
+
+     If the request specifies an endtime, then  the  endtime
+of the new ticket is set to the minimum of (a) that request,
+(b) the endtime from the TGT, and (c) the starttime  of  the
+TGT plus the minimum of the maximum life for the application
+server and the maximum life for the local realm (the maximum
+life  for  the requesting principal was already applied when
+the TGT was issued).  If the new ticket is to be a  renewal,
+then the endtime above is replaced by the minimum of (a) the
+value of the renew_till field of  the  ticket  and  (b)  the
+starttime  for  the  new  ticket  plus  the  life  (endtime-
+starttime) of the old ticket.
+
+     If the FORWARDED option has been  requested,  then  the
+resulting ticket will contain the addresses specified by the
+client.  This option will only be honored if the FORWARDABLE
+flag  is  set in the TGT.  The PROXY option is similar;  the
+resulting ticket will contain the addresses specified by the
+
+
+Section 3.3.3.             - 28 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+client.   It  will  be honored only if the PROXIABLE flag in
+the TGT is set.  The PROXY option will  not  be  honored  on
+requests for additional ticket-granting tickets.
+
+     If the requested start time is absent, indicates a time
+in  the  past,  or  is within the window of acceptable clock
+skew for the KDC and the POSTDATE option has not been speci-
+fied,  then  the  start  time  of  the  ticket is set to the
+authentication server's current time.   If  it  indicates  a
+time in the future beyond the acceptable clock skew, but the
+POSTDATED option has not been specified or the  MAY-POSTDATE
+flag   is   not   set   in   the   TGT,   then   the   error
+KDC_ERR_CANNOT_POSTDATE  is  returned.   Otherwise,  if  the
+ticket-granting  ticket  has the MAY-POSTDATE flag set, then
+the resulting ticket will be  postdated  and  the  requested
+starttime  is checked against the policy of the local realm.
+If acceptable, the ticket's start time is set as  requested,
+and  the  INVALID flag is set.  The postdated ticket must be
+validated before use by presenting it to the KDC  after  the
+starttime  has  been  reached.   However, in no case may the
+starttime, endtime, or renew-till  time  of  a  newly-issued
+postdated  ticket  extend  beyond the renew-till time of the
+ticket-granting ticket.
+
+     If the ENC-TKT-IN-SKEY option has been specified and an
+additional  ticket has been included in the request, the KDC
+will decrypt the additional ticket using  the  key  for  the
+server  to which the additional ticket was issued and verify
+that it is a ticket-granting ticket.  If  the  name  of  the
+requested  server  is  missing from the request, the name of
+the client in the additional ticket will be used.  Otherwise
+the  name  of  the  requested server will be compared to the
+name of the client in the  additional  ticket  and  if  dif-
+ferent,  the  request  will  be  rejected.   If  the request
+succeeds, the session key from the additional ticket will be
+used  to  encrypt  the  new ticket that is issued instead of
+using the key of the server for which the new ticket will be
+used[17].
+
+     If the name  of  the  server  in  the  ticket  that  is
+presented to the KDC as part of the authentication header is
+not that of the ticket-granting server itself, the server is
+registered  in the realm of the KDC, and the RENEW option is
+requested, then the KDC will verify that the RENEWABLE  flag
+is  set  in  the ticket, that the INVALID flag is not set in
+the ticket, and that the renew_till time  is  still  in  the
+future.   If  the VALIDATE option is rqeuested, the KDC will
+__________________________
+[17] This allows easy  implementation  of  user-to-user
+authentication  [8],  which uses ticket-granting ticket
+session keys in lieu of secret server  keys  in  situa-
+tions  where  such secret keys could be easily comprom-
+ised.
+
+
+Section 3.3.3.             - 29 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+check that the starttime has passed and the INVALID flag  is
+set.   If  the  PROXY option is requested, then the KDC will
+check that the PROXIABLE flag is set in the ticket.  If  the
+tests  succeed,  and  the  ticket  passes  the hotlist check
+described in the next paragraph,  the  KDC  will  issue  the
+appropriate new ticket.
+
+
+3.3.3.1.  Checking for revoked tickets
+
+     Whenever a  request  is  made  to  the  ticket-granting
+server,  the  presented  ticket(s) is(are) checked against a
+hot-list of tickets which have been canceled.  This hot-list
+might  be implemented by storing a range of issue timestamps
+for "suspect tickets"; if a presented ticket had an authtime
+in  that range, it would be rejected.  In this way, a stolen
+ticket-granting ticket or renewable ticket cannot be used to
+gain  additional  tickets  (renewals  or otherwise) once the
+theft has been reported.  Any normal ticket obtained  before
+it  was  reported  stolen  will still be valid (because they
+require no interaction with the KDC), but only  until  their
+normal expiration time.
+
+     The ciphertext part of the response in the  KRB_TGS_REP
+message is encrypted in the sub-session key from the Authen-
+ticator, if  present,  or  the  session  key  key  from  the
+ticket-granting  ticket.   It  is  not  encrypted  using the
+client's  secret  key.   Furthermore,  the  client's   key's
+expiration  date  and the key version number fields are left
+out since these values are stored along  with  the  client's
+database  record, and that record is not needed to satisfy a
+request based on a ticket-granting ticket.  See section  A.6
+for pseudocode.
+
+3.3.3.2.  Encoding the transited field
+
+     If the identity of  the  server  in  the  TGT  that  is
+presented to the KDC as part of the authentication header is
+that of the ticket-granting service, but the TGT was  issued
+from another realm, the KDC will look up the inter-realm key
+shared with that realm and  use  that  key  to  decrypt  the
+ticket.  If the ticket is valid, then the KDC will honor the
+request, subject to the constraints outlined  above  in  the
+section  describing  the AS exchange.  The realm part of the
+client's identity will be  taken  from  the  ticket-granting
+ticket.   The  name  of  the  realm  that issued the ticket-
+granting ticket will be added to the transited field of  the
+ticket  to  be  issued.  This is accomplished by reading the
+transited field from the ticket-granting  ticket  (which  is
+treated  as an unordered set of realm names), adding the new
+realm to the set, then  constructing  and  writing  out  its
+encoded  (shorthand)  form (this may involve a rearrangement
+of the existing encoding).
+
+
+
+Section 3.3.3.2.           - 30 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     Note that the ticket-granting service does not add  the
+name  of  its  own realm.  Instead, its responsibility is to
+add the name of the previous realm.  This prevents  a  mali-
+cious Kerberos server from intentionally leaving out its own
+name (it could, however, omit other realms' names).
+
+     The  names  of  neither  the  local   realm   nor   the
+principal's realm are to be included in the transited field.
+They appear elsewhere in the ticket and both  are  known  to
+have  taken part in authenticating the principal.  Since the
+endpoints  are  not  included,  both  local  and  single-hop
+inter-realm  authentication result in a transited field that
+is empty.
+
+     Because the name of each realm transited  is  added  to
+this  field, it might potentially be very long.  To decrease
+the length of this field, its  contents  are  encoded.   The
+initially  supported  encoding  is  optimized for the normal
+case of inter-realm communication: a  hierarchical  arrange-
+ment  of  realms  using  either  domain or X.500 style realm
+names.  This encoding (called DOMAIN-X500-COMPRESS)  is  now
+described.
+
+     Realm names in the transited field are separated  by  a
+",".   The ",", "\", trailing "."s, and leading spaces (" ")
+are special characters, and if they  are  part  of  a  realm
+name,  they must be quoted in the transited field by preced-
+ing them with a "\".
+
+     A realm name ending with a "." is interpreted as  being
+prepended to the previous realm.  For example, we can encode
+traversal of EDU, MIT.EDU,  ATHENA.MIT.EDU,  WASHINGTON.EDU,
+and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were  end-
+points,  that  they would not be included in this field, and
+we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is  interpreted  as  being
+appended to the previous realm[18].  If it is  to  stand  by
+itself,  then  it  should be preceded by a space (" ").  For
+example, we can encode traversal of /COM/HP/APOLLO, /COM/HP,
+/COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+__________________________
+[18] For the purpose of appending, the realm  preceding
+the  first  listed  realm  is considered to be the null
+realm ("").
+
+
+Section 3.3.3.2.           - 31 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Like the example above, if /COM/HP/APOLLO and  /COM/DEC  are
+endpoints,  they  they  would not be included in this field,
+and we would have:
+
+     "/COM,/HP"
+
+
+     A null subfield preceding or following a ","  indicates
+that  all  realms  between  the  previous realm and the next
+realm have been traversed[19].  Thus,  ","  means  that  all
+realms along the path between the client and the server have
+been traversed. ",EDU, /COM," means  that  that  all  realms
+from the client's realm up to EDU (in a domain style hierar-
+chy) have been traversed, and that everything from /COM down
+to  the  server's  realm  in  an  X.500  style has also been
+traversed.  This could occur if the EDU realm in one hierar-
+chy  shares  an inter-realm key directly with the /COM realm
+in another hierarchy.
+
+3.3.4.  Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it  is  pro-
+cessed  in  the  same  manner  as  the KRB_AS_REP processing
+described above.  The primary difference is that the cipher-
+text  part  of the response must be decrypted using the ses-
+sion key from the ticket-granting  ticket  rather  than  the
+client's secret key.  See section A.7 for pseudocode.
+
+
+3.4.  The KRB_SAFE Exchange
+
+     The KRB_SAFE message may be used by  clients  requiring
+the   ability  to  detect  modifications  of  messages  they
+exchange.  It achieves this by including a keyed  collision-
+proof  checksum  of  the user data and some control informa-
+tion.  The checksum is keyed with an encryption key (usually
+the  last  key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.4.1.  Generation of a KRB_SAFE message
+
+When an application wishes to send a  KRB_SAFE  message,  it
+collects  its  data  and the appropriate control information
+and computes a checksum over them.  The  checksum  algorithm
+should  be  a  keyed one-way hash function (such as the RSA-
+MD5-DES checksum algorithm specified in  section  6.4.5,  or
+the  DES  MAC),  generated  using  the  sub-session  key  if
+present, or the session key.  Different  algorithms  may  be
+__________________________
+[19] For the purpose of  interpreting  null  subfields,
+the  client's  realm  is considered to precede those in
+the transited field, and the  server's  realm  is  con-
+sidered to follow them.
+
+
+Section 3.4.1.             - 32 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+selected by changing  the  checksum  type  in  the  message.
+Unkeyed  or  non-collision-proof  checksums are not suitable
+for this use.
+
+     The  control  information  for  the  KRB_SAFE   message
+includes  both  a  timestamp  and  a  sequence  number.  The
+designer of an application using the KRB_SAFE  message  must
+choose  at  least  one  of  the two mechanisms.  This choice
+should be based on the needs of the application protocol.
+
+     Sequence numbers are useful when all messages sent will
+be  received  by  one's peer.  Connection state is presently
+required to maintain the session  key,  so  maintaining  the
+next  sequence number should not present an additional prob-
+lem.
+
+     If the application protocol  is  expected  to  tolerate
+lost  messages  without  them  being  resent, the use of the
+timestamp is the  appropriate  replay  detection  mechanism.
+Using  timestamps  is  also  the  appropriate  mechanism for
+multi-cast protocols where all of one's peers share a common
+sub-session  key, but some messages will be sent to a subset
+of one's peers.
+
+     After computing the checksum, the client then transmits
+the information and checksum to the recipient in the message
+format specified in section 5.6.1.
+
+3.4.2.  Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies
+it  as  follows.   If  any  error  occurs,  an error code is
+reported for use by the application.
+
+     The message is first checked by verifying that the pro-
+tocol  version and type fields match the current version and
+KRB_SAFE,   respectively.    A    mismatch    generates    a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application verifies that the checksum used is a  collision-
+proof    keyed    checksum,    and   if   it   is   not,   a
+KRB_AP_ERR_INAPP_CKSUM error is  generated.   The  recipient
+verifies  that the operating system's report of the sender's
+address matches the sender's address in the message, and (if
+a  recipient  address is specified or the recipient requires
+an address) that one of the recipient's addresses appears as
+the  recipient's address in the message.  A failed match for
+either case generates a KRB_AP_ERR_BADADDR error.  Then  the
+timestamp  and  usec  and/or  the sequence number fields are
+checked.   If  timestamp  and  usec  are  expected  and  not
+present,   or   they   are  present  but  not  current,  the
+KRB_AP_ERR_SKEW error is generated.   If  the  server  name,
+along with the client name, time and microsecond fields from
+the  Authenticator  match   any   recently-seen   (sent   or
+received[20] ) such tuples, the KRB_AP_ERR_REPEAT  error  is
+__________________________
+[20] This means that a client and server running on the
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+generated.  If an incorrect sequence number is included,  or
+a   sequence   number  is  expected  but  not  present,  the
+KRB_AP_ERR_BADORDER error is generated.  If neither a  time-
+stamp   and   usec  or  a  sequence  number  is  present,  a
+KRB_AP_ERR_MODIFIED error is generated.  Finally, the check-
+sum  is  computed over the data and control information, and
+if   it   doesn't   match   the   received    checksum,    a
+KRB_AP_ERR_MODIFIED error is generated.
+
+     If all the checks succeed, the application  is  assured
+that the message was generated by its peer and was not modi-
+fied in transit.
+
+3.5.  The KRB_PRIV Exchange
+
+     The KRB_PRIV message may be used by  clients  requiring
+confidentiality  and  the ability to detect modifications of
+exchanged messages.  It achieves this by encrypting the mes-
+sages and adding control information.
+
+3.5.1.  Generation of a KRB_PRIV message
+
+When an application wishes to send a  KRB_PRIV  message,  it
+collects  its  data  and the appropriate control information
+(specified in section 5.7.1)  and  encrypts  them  under  an
+encryption key (usually the last key negotiated via subkeys,
+or the session key if no negotiation has occured).  As  part
+of  the  control  information, the client must choose to use
+either a timestamp or a sequence number (or both);  see  the
+discussion  in section 3.4.1 for guidelines on which to use.
+After the user data and control information  are  encrypted,
+the  client  transmits  the  ciphertext  and some "envelope"
+information to the recipient.
+
+3.5.2.  Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies
+it  as  follows.   If  any  error  occurs,  an error code is
+reported for use by the application.
+
+     The message is first checked by verifying that the pro-
+tocol  version and type fields match the current version and
+KRB_PRIV,   respectively.    A    mismatch    generates    a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application then decrypts the ciphertext and  processes  the
+resultant  plaintext.   If decryption shows the data to have
+been modified,  a  KRB_AP_ERR_BAD_INTEGRITY  error  is  gen-
+erated.   The recipient verifies that the operating system's
+report of the sender's address matches the sender's  address
+__________________________
+same  host and communicating with one another using the
+KRB_SAFE messages should  not  share  a  common  replay
+cache to detect KRB_SAFE replays.
+
+
+
+Section 3.5.2.             - 34 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+in the message, and (if a recipient address is specified  or
+the   recipient   requires  an  address)  that  one  of  the
+recipient's addresses appears as the recipient's address  in
+the  message.   A  failed  match for either case generates a
+KRB_AP_ERR_BADADDR  error.   Then  the  timestamp  and  usec
+and/or the sequence number fields are checked.  If timestamp
+and usec are expected and not present, or they  are  present
+but  not current, the KRB_AP_ERR_SKEW error is generated. If
+the server name,  along  with  the  client  name,  time  and
+microsecond   fields   from   the  Authenticator  match  any
+recently-seen such tuples, the  KRB_AP_ERR_REPEAT  error  is
+generated.   If an incorrect sequence number is included, or
+a  sequence  number  is  expected  but  not   present,   the
+KRB_AP_ERR_BADORDER  error is generated.  If neither a time-
+stamp  and  usec  or  a  sequence  number  is   present,   a
+KRB_AP_ERR_MODIFIED error is generated.
+
+     If all the checks succeed, the application  can  assume
+the  message  was  generated  by  its peer, and was securely
+transmitted (without intruders able to see  the  unencrypted
+contents).
+
+3.6.  The KRB_CRED Exchange
+
+     The KRB_CRED message may be used by  clients  requiring
+the  ability  to  send Kerberos credentials from one host to
+another.  It achieves this by sending the  tickets  together
+with  encrypted  data  containing the session keys and other
+information associated with the tickets.
+
+3.6.1.  Generation of a KRB_CRED message
+
+When an application wishes to send  a  KRB_CRED  message  it
+first (using the KRB_TGS exchange) obtains credentials to be
+sent to the remote host.  It then constructs a KRB_CRED mes-
+sage  using  the  ticket or tickets so obtained, placing the
+session key needed to use each ticket in the  key  field  of
+the corresponding KrbCredInfo sequence of the encrypted part
+of the the KRB_CRED message.
+
+     Other  information  associated  with  each  ticket  and
+obtained  during  the KRB_TGS exchange is also placed in the
+corresponding KrbCredInfo sequence in the encrypted part  of
+the KRB_CRED message.  The current time and, if specifically
+required by the application the  nonce,  s-address,  and  r-
+address  fields,  are  placed  in  the encrypted part of the
+KRB_CRED message which is then encrypted under an encryption
+key previosuly exchanged in the KRB_AP exchange (usually the
+last key negotiated via subkeys, or the session  key  if  no
+negotiation has occured).
+
+3.6.2.  Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies
+
+
+Section 3.6.2.             - 35 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+it.   If any error occurs, an error code is reported for use
+by the application.  The message  is  verified  by  checking
+that  the protocol version and type fields match the current
+version and KRB_CRED, respectively.  A mismatch generates  a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application then decrypts the ciphertext and  processes  the
+resultant  plaintext.   If decryption shows the data to have
+been modified,  a  KRB_AP_ERR_BAD_INTEGRITY  error  is  gen-
+erated.
+
+     If present or required, the recipient verifies that the
+operating  system's  report  of the sender's address matches
+the sender's address in the message, and  that  one  of  the
+recipient's  addresses appears as the recipient's address in
+the message.  A failed match for  either  case  generates  a
+KRB_AP_ERR_BADADDR  error.   The  timestamp  and usec fields
+(and the nonce field if required) are checked next.  If  the
+timestamp  and usec are not present, or they are present but
+not current, the KRB_AP_ERR_SKEW error is generated.
+
+     If all the checks succeed, the application stores  each
+of  the  new  tickets  in its ticket cache together with the
+session key  and  other  information  in  the  corresponding
+KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4.  The Kerberos Database
+
+The Kerberos server must have access to a database  contain-
+ing  the principal identifiers and secret keys of principals
+to be authenticated[21].
+
+4.1.  Database contents
+
+A database entry  should  contain  at  least  the  following
+fields:
+
+Field                Value
+
+name                 Principal's                    identif-
+ier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+__________________________
+[21] The implementation of the Kerberos server need not
+combine  the  database  and  the  server  on  the  same
+machine; it is feasible to store the principal database
+in, say, a network name service, as long as the entries
+stored therein are protected  from  disclosure  to  and
+modification  by  unauthorized  parties.   However,  we
+recommend against such strategies,  as  they  can  make
+system management and threat analysis quite complex.
+
+
+Section 4.1.               - 36 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier.
+The  key  field contains an encryption key.  This key is the
+principal's secret key.  (The key can  be  encrypted  before
+storage  under a Kerberos "master key" to protect it in case
+the database is compromised but the master key is  not.   In
+that case, an extra field must be added to indicate the mas-
+ter key version used, see below.) The p_kvno  field  is  the
+key  version  number  of  the  principal's  secret key.  The
+max_life field contains the maximum allowable lifetime (end-
+time  - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum  allowable
+total  lifetime  for  any  renewable  Ticket issued for this
+principal.  (See section 3.1 for a description of how  these
+lifetimes  are  used  in determining the lifetime of a given
+Ticket.)
+
+     A server may provide KDC service to several realms,  as
+long  as the database representation provides a mechanism to
+distinguish between principal records with identifiers which
+differ only in the realm name.
+
+     When an application server's key changes, if the change
+is  routine  (i.e.  not  the result of disclosure of the old
+key), the old key should be retained by the server until all
+tickets  that  had  been issued using that key have expired.
+Because of this, it is  possible  for  several  keys  to  be
+active  for  a  single principal.  Ciphertext encrypted in a
+principal's key is always tagged with the version of the key
+that was used for encryption, to help the recipient find the
+proper key for decryption.
+
+     When more than one key is active for a particular prin-
+cipal,  the  principal will have more than one record in the
+Kerberos database.  The keys and key  version  numbers  will
+differ  between  the  records (the rest of the fields may or
+may not be the same). Whenever Kerberos issues a ticket,  or
+responds  to  a request for initial authentication, the most
+recent key (known by the Kerberos server) will be  used  for
+encryption.   This  is  the key with the highest key version
+number.
+
+4.2.  Additional fields
+
+Project Athena's KDC implementation uses  additional  fields
+in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+
+
+Section 4.2.               - 37 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+mod_name     Modifying principal's identifier
+
+
+The K_kvno field indicates the key version of  the  Kerberos
+master  key  under  which  the  principal's  secret  key  is
+encrypted.
+
+     After an entry's expiration date has  passed,  the  KDC
+will  return an error to any client attempting to gain tick-
+ets as or for the principal.  (A database may want to  main-
+tain  two  expiration  dates: one for the principal, and one
+for the principal's current key.  This allows password aging
+to  work  independently  of the principal's expiration date.
+However, due to the limited space in the responses, the  KDC
+must  combine  the  key  expiration and principal expiration
+date into a single value called "key_exp", which is used  as
+a hint to the user to take administrative action.)
+
+     The attributes field is a bitfield used to  govern  the
+operations  involving  the  principal.   This field might be
+useful in conjunction with user registration procedures, for
+site-specific   policy   implementations   (Project   Athena
+currently uses it for their user registration  process  con-
+trolled  by the system-wide database service, Moira [9]), to
+identify whether a principal can play the role of  a  client
+or  server  or both, to note whether a server is appropriate
+trusted to recieve credentials delegated by a client, or  to
+identify the "string to key" conversion algorithm used for a
+principal's key[22].  Other bits are used to  indicate  that
+certain  ticket  options  should  not  be allowed in tickets
+encrypted under a principal's key (one bit each):   Disallow
+issuing  postdated  tickets,  disallow  issuing  forwardable
+tickets, disallow issuing tickets based on  TGT  authentica-
+tion,  disallow  issuing renewable tickets, disallow issuing
+proxiable tickets, and disallow issuing  tickets  for  which
+the principal is the server.
+
+     The mod_date field contains the time of last  modifica-
+tion  of the entry, and the mod_name field contains the name
+of the principal which last modified the entry.
+
+4.3.  Frequently Changing Fields
+
+     Some KDC implementations may wish to maintain the  last
+time  that  a  request  was  made by a particular principal.
+Information that might be maintained includes  the  time  of
+the  last  request,  the  time  of  the  last  request for a
+ticket-granting ticket, the  time  of  the  last  use  of  a
+ticket-granting  ticket,  or  other times.  This information
+can then be returned to the user in the last-req field  (see
+__________________________
+[22] See the discussion of the padata field in  section
+5.4.2 for details on why this can be useful.
+
+
+Section 4.3.               - 38 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+section 5.2).
+
+     Other frequently changing information that can be main-
+tained  is  the  latest expiration time for any tickets that
+have been issued using each key.  This field would  be  used
+to indicate how long old keys must remain valid to allow the
+continued use of outstanding tickets.
+
+4.4.  Site Constants
+
+     The KDC implementation should have the following confi-
+gurable  constants  or options, to allow an administrator to
+make and enforce policy decisions:
+
++  The minimum supported lifetime (used to determine whether
+   the  KDC_ERR_NEVER_VALID error should be returned).  This
+   constant  should  reflect  reasonable   expectations   of
+   round-trip  time  to the KDC, encryption/decryption time,
+   and processing time by the client and target server,  and
+   it should allow for a minimum "useful" lifetime.
+
++  The maximum allowable total  (renewable)  lifetime  of  a
+   ticket (renew_till - starttime).
+
++  The maximum allowable lifetime of  a  ticket  (endtime  -
+   starttime).
+
++  Whether to allow the issue of tickets with empty  address
+   fields  (including the ability to specify that such tick-
+   ets may only be issued  if  the  request  specifies  some
+   authorization_data).
+
++  Whether proxiable, forwardable, renewable or post-datable
+   tickets are to be issued.
+
+
+5.  Message Specifications
+
+     The following sections describe the exact contents  and
+encoding  of  protocol messages and objects.  The ASN.1 base
+definitions are presented  in  the  first  subsection.   The
+remaining  subsections specify the protocol objects (tickets
+and authenticators) and messages.  Specification of  encryp-
+tion  and  checksum  techniques,  and  the fields related to
+them, appear in section 6.
+
+5.1.  ASN.1 Distinguished Encoding Representation
+
+     All uses of  ASN.1  in  Kerberos  shall  use  the  Dis-
+tinguished  Encoding  Representation of the data elements as
+described in the X.509 specification, section 8.7  [10].
+
+
+
+
+
+Section 5.1.               - 39 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.2.  ASN.1 Base Definitions
+
+     The following ASN.1 base definitions are  used  in  the
+rest  of this section.  Note that since the underscore char-
+acter (_) is not permitted in ASN.1 names, the hyphen (-) is
+used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+
+Kerberos realms are encoded as GeneralStrings.  Realms shall
+not  contain  a  character  with the code 0 (the ASCII NUL).
+Most realms  will  usually  consist  of  several  components
+separated  by  periods  (.), in the style of Internet Domain
+Names, or separated by slashes (/) in  the  style  of  X.500
+names.   Acceptable  forms  for realm names are specified in
+section 7.  A PrincipalName is  a  typed  sequence  of  com-
+ponents consisting of the following sub-fields:
+
+name-type This field specifies the type of  name  that  fol-
+          lows.   Pre-defined  values  for  this  field  are
+          specified in section 7.2.  The name-type should be
+          treated as a hint.  Ignoring the name type, no two
+          names can be the same (i.e. at least  one  of  the
+          components,  or  the  realm,  must  be different).
+          This constraint may be eliminated in the future.
+
+name-stringThis field encodes a sequence of components  that
+          form  a name, each component encoded as a General-
+          String.  Taken together,  a  PrincipalName  and  a
+          Realm  form  a principal identifier.  Most Princi-
+          palNames will have only a  few  components  (typi-
+          cally one or two).
+
+
+
+        KerberosTime ::=   GeneralizedTime
+                           -- Specifying UTC time zone (Z)
+
+
+     The timestamps used in Kerberos are encoded as General-
+izedTimes.   An encoding shall specify the UTC time zone (Z)
+and  shall  not  include  any  fractional  portions  of  the
+seconds.   It  further  shall  not  include  any separators.
+Example: The only valid format for UTC time  6  minutes,  27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+ HostAddress ::=     SEQUENCE  {
+                     addr-type[0]             INTEGER,
+                     address[1]               OCTET STRING
+
+
+Section 5.2.               - 40 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+ }
+
+ HostAddresses ::=   SEQUENCE OF SEQUENCE {
+                     addr-type[0]             INTEGER,
+                     address[1]               OCTET STRING
+ }
+
+
+     The host adddress encodings consists of two fields:
+
+addr-type This field  specifies the  type  of  address  that
+          follows.   Pre-defined  values  for this field are
+          specified in section 8.1.
+
+
+address   This field encodes a single address of type  addr-
+          type.
+
+The two forms differ slightly. HostAddress contains  exactly
+one  address;  HostAddresses contains a sequence of possibly
+many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+
+ad-data   This  field  contains  authorization  data  to  be
+          interpreted   according   to   the  value  of  the
+          corresponding ad-type field.
+
+ad-type   This field specifies the format  for  the  ad-data
+          subfield.   All  negative  values are reserved for
+          local use.  Non-negative values are  reserved  for
+          registered use.
+
+                APOptions ::=   BIT STRING {
+                                reserved(0),
+                                use-session-key(1),
+                                mutual-required(2)
+                }
+
+
+          TicketFlags ::=   BIT STRING {
+                            reserved(0),
+                            forwardable(1),
+                            forwarded(2),
+                            proxiable(3),
+                            proxy(4),
+                            may-postdate(5),
+                            postdated(6),
+                            invalid(7),
+                            renewable(8),
+                            initial(9),
+
+
+Section 5.2.               - 41 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                            pre-authent(10),
+                            hw-authent(11),
+                            transited-policy-checked(12),
+                            ok-as-delegate(13)
+          }
+
+
+           KDCOptions ::=   BIT STRING {
+                            reserved(0),
+                            forwardable(1),
+                            forwarded(2),
+                            proxiable(3),
+                            proxy(4),
+                            allow-postdate(5),
+                            postdated(6),
+                            unused7(7),
+                            renewable(8),
+                            unused9(9),
+                            unused10(10),
+                            unused11(11),
+                            unused12(12),
+                            unused13(13),
+                            disable-transited-check(26),
+                            renewable-ok(27),
+                            enc-tkt-in-skey(28),
+                            renew(30),
+                            validate(31)
+           }
+
+          ASN.1 Bit strings have a length and a value.  When
+          used  in  Kerberos for the APOptions, TicketFlags,
+          and KDCOptions, the length of the  bit  string  on
+          generated  values  should be the smallest multiple
+          of 32 bits needed to include the highest order bit
+          that is set (1), but in no case less than 32 bits.
+          Implementations  should  accept  values   of   bit
+          strings of any length and treat the value of flags
+          cooresponding to bits beyond the end  of  the  bit
+          string as if the bit were reset (0).  Comparisonof
+          bit strings of different length should  treat  the
+          smaller  string  as  if  it were padded with zeros
+          beyond the high order bits to the  length  of  the
+          longer string[23].
+
+__________________________
+[23] Warning for implementations that unpack and repack
+data  structures during the generation and verification
+of embedded checksums: Because any checksums applied to
+data  structures  must  be checked against the original
+data the length of bit strings must be preserved within
+a  data  structure  between the time that a checksum is
+generated through transmission to  the  time  that  the
+checksum is verified.
+
+
+
+Section 5.2.               - 42 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+         LastReq ::=   SEQUENCE OF SEQUENCE {
+                       lr-type[0]               INTEGER,
+                       lr-value[1]              KerberosTime
+         }
+
+
+lr-type   This field indicates how  the  following  lr-value
+          field is to be interpreted.  Negative values indi-
+          cate that the information  pertains  only  to  the
+          responding server.  Non-negative values pertain to
+          all servers for the realm.
+
+          If the lr-type field is zero (0), then no informa-
+          tion is conveyed by the lr-value subfield.  If the
+          absolute value of the lr-type field  is  one  (1),
+          then  the  lr-value  subfield  is the time of last
+          initial request for a TGT.  If it is two (2), then
+          the  lr-value subfield is the time of last initial
+          request.  If it is three (3),  then  the  lr-value
+          subfield  is  the  time  of  issue  for the newest
+          ticket-granting ticket used.  If it is  four  (4),
+          then the lr-value subfield is the time of the last
+          renewal.  If it is five  (5),  then  the  lr-value
+          subfield  is  the  time  of  last  request (of any
+          type).
+
+
+lr-value  This field contains the time of the last  request.
+          The time must be interpreted according to the con-
+          tents of the accompanying lr-type subfield.
+
+     See section 6 for the definitions of  Checksum,  Check-
+sumType,  EncryptedData,  EncryptionKey, EncryptionType, and
+KeyType.
+
+
+5.3.  Tickets and Authenticators
+
+     This section describes the format and encryption param-
+eters  for  tickets  and  authenticators.   When a ticket or
+authenticator is  included  in  a  protocol  message  it  is
+treated as an opaque object.
+
+5.3.1.  Tickets
+
+     A ticket is a record that helps a  client  authenticate
+to a service.  A Ticket contains the following information:
+
+Ticket ::=                    [APPLICATION 1] SEQUENCE {
+                              tkt-vno[0]                   INTEGER,
+                              realm[1]                     Realm,
+                              sname[2]                     PrincipalName,
+                              enc-part[3]                  EncryptedData
+}
+
+
+Section 5.3.1.             - 43 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared
+by  Kerberos  and  the end server (the server's secret key).
+See section 6 for the format of the ciphertext.
+
+tkt-vno   This field specifies the version  number  for  the
+          ticket  format.   This  document describes version
+          number 5.
+
+
+realm     This field  specifies  the  realm  that  issued  a
+          ticket.  It also serves to identify the realm part
+          of the server's  principal  identifier.   Since  a
+          Kerberos server can only issue tickets for servers
+          within its realm, the two will always  be  identi-
+          cal.
+
+
+sname     This field specifies the name part of the server's
+          identity.
+
+
+enc-part  This field holds the  encrypted  encoding  of  the
+          EncTicketPart sequence.
+
+
+flags     This field indicates which of various options were
+          used  or requested when the ticket was issued.  It
+          is a bit-field, where  the  selected  options  are
+          indicated  by  the  bit  being  set  (1),  and the
+          unselected options and reserved fields being reset
+          (0).   Bit  0  is  the  most significant bit.  The
+          encoding of the bits is specified in section  5.2.
+          The  flags  are  described in more detail above in
+          section 2.  The meanings of the flags are:
+
+
+Section 5.3.1.             - 44 -    Expires 11 January 1998
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     Bit(s)      Name         Description
+
+     0           RESERVED
+                              Reserved for future  expansion  of  this
+                              field.
+
+     1           FORWARDABLE 
+                              The FORWARDABLE flag  is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.  When set,  this
+                              flag  tells  the  ticket-granting server
+                              that it is OK to  issue  a  new  ticket-
+                              granting ticket with a different network
+                              address based on the presented ticket.
+
+     2           FORWARDED   
+                              When set, this flag indicates  that  the
+                              ticket  has either been forwarded or was
+                              issued based on authentication involving
+                              a forwarded ticket-granting ticket.
+
+     3           PROXIABLE   
+                              The  PROXIABLE  flag  is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.   The  PROXIABLE
+                              flag  has an interpretation identical to
+                              that of  the  FORWARDABLE  flag,  except
+                              that   the   PROXIABLE  flag  tells  the
+                              ticket-granting server  that  only  non-
+                              ticket-granting  tickets  may  be issued
+                              with different network addresses.
+
+     4           PROXY       
+                              When set, this  flag  indicates  that  a
+                              ticket is a proxy.
+
+     5           MAY-POSTDATE 
+                              The MAY-POSTDATE flag is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.  This flag tells
+                              the  ticket-granting server that a post-
+                              dated ticket may be issued based on this
+                              ticket-granting ticket.
+
+     6           POSTDATED    
+                              This flag indicates that this ticket has
+                              been  postdated.   The  end-service  can
+                              check the authtime field to see when the
+                              original authentication occurred.
+
+     7           INVALID      
+                              This flag indicates  that  a  ticket  is
+                              invalid, and it must be validated by the
+                              KDC  before  use.   Application  servers
+                              must reject tickets which have this flag
+                              set.
+
+
+
+
+
+
+
+
+Section 5.3.1.             - 45 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     8           RENEWABLE                        
+                              The  RENEWABLE  flag  is  normally  only
+                              interpreted  by the TGS, and can usually
+                              be ignored by end servers (some particu-
+                              larly careful servers may wish to disal-
+                              low  renewable  tickets).   A  renewable
+                              ticket  can be used to obtain a replace-
+                              ment ticket  that  expires  at  a  later
+                              date.
+
+     9           INITIAL                    
+                              This flag indicates that this ticket was
+                              issued  using  the  AS protocol, and not
+                              issued  based   on   a   ticket-granting
+                              ticket.
+
+     10          PRE-AUTHENT              
+                              This flag indicates that during  initial
+                              authentication, the client was authenti-
+                              cated by the KDC  before  a  ticket  was
+                              issued.    The   strength  of  the  pre-
+                              authentication method is not  indicated,
+                              but is acceptable to the KDC.
+
+     11          HW-AUTHENT                    
+                              This flag indicates  that  the  protocol
+                              employed   for   initial  authentication
+                              required the use of hardware expected to
+                              be possessed solely by the named client.
+                              The hardware  authentication  method  is
+                              selected  by the KDC and the strength of
+                              the method is not indicated.
+
+
+
+
+Section 5.3.1.             - 46 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     12           TRANSITED   This flag indicates that the KDC for the
+             POLICY-CHECKED   realm has checked the transited field
+			      against a realm defined policy for
+			      trusted certifiers.  If this flag is
+			      reset (0), then the application server
+			      must check the transited field itself,
+			      and if unable to do so it must reject
+			      the authentication.  If the flag is set
+			      (1) then the application server may skip
+			      its own validation of the transited
+			      field, relying on the validation
+			      performed by the KDC.  At its option the
+			      application server may still apply its
+			      own validation based on a separate
+			      policy for acceptance.
+
+Section 5.3.1.             - 47 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     13      OK-AS-DELEGATE   This flag indicates that the server (not
+			      the client) specified in the ticket has
+			      been determined by policy of the realm
+			      to be a suitable recipient of
+			      delegation.  A client can use the
+			      presence of this flag to help it make a
+			      decision whether to delegate credentials
+			      (either grant a proxy or a forwarded
+			      ticket granting ticket) to this server.
+			      The client is free to ignore the value
+			      of this flag.  When setting this flag,
+			      an administrator should consider the
+			      security and placement of the server on
+			      which the service will run, as well as
+			      whether the service requires the use of
+			      delegated credentials.
+
+
+
+
+Section 5.3.1.             - 48 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     14          ANONYMOUS                
+                              This flag indicates that  the  principal
+                              named in the ticket is a generic princi-
+                              pal for the realm and does not  identify
+                              the  individual  using  the ticket.  The
+                              purpose  of  the  ticket  is   only   to
+                              securely  distribute  a session key, and
+                              not to identify  the  user.   Subsequent
+                              requests  using the same ticket and ses-
+                              sion may be  considered  as  originating
+                              from  the  same  user, but requests with
+                              the same username but a different ticket
+                              are  likely  to originate from different
+                              users.
+
+     15-31       RESERVED                
+                              Reserved for future use.
+
+
+
+key       This field  exists  in  the  ticket  and  the  KDC
+          response  and is used to pass the session key from
+          Kerberos to the application server and the client.
+          The field's encoding is described in section 6.2.
+
+crealm    This field contains the name of the realm in which
+          the  client  is  registered  and  in which initial
+          authentication took place.
+
+
+cname     This field contains the name part of the  client's
+          principal identifier.
+
+
+transited This field lists the names of the Kerberos  realms
+          that  took part in authenticating the user to whom
+          this ticket was issued.  It does not  specify  the
+          order  in  which  the  realms were transited.  See
+          section 3.3.3.2 for  details  on  how  this  field
+          encodes the traversed realms.
+
+
+authtime  This field indicates the time of initial authenti-
+          cation for the named principal.  It is the time of
+          issue for the original ticket on which this ticket
+          is based.  It is included in the ticket to provide
+          additional information to the end service, and  to
+          provide  the necessary information for implementa-
+          tion of a `hot list' service at the KDC.   An  end
+          service that is particularly paranoid could refuse
+          to accept tickets for which the initial  authenti-
+          cation occurred "too far" in the past.
+
+          This  field  is  also  returned  as  part  of  the
+          response  from  the KDC.  When returned as part of
+          the    response    to    initial    authentication
+
+
+Section 5.3.1.             - 49 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          (KRB_AS_REP), this is the current time on the Ker-
+          beros server[24].
+
+
+starttime This field in the ticket specifies the time  after
+          which the ticket is valid.  Together with endtime,
+          this field specifies the life of the  ticket.   If
+          it  is absent from the ticket, its value should be
+          treated as that of the authtime field.
+
+
+endtime   This field  contains  the  time  after  which  the
+          ticket  will not be honored (its expiration time).
+          Note that individual services may place their  own
+          limits  on  the  life  of  a ticket and may reject
+          tickets which have not yet expired.  As such, this
+          is  really  an  upper bound on the expiration time
+          for the ticket.
+
+
+renew-tillThis field is only present in  tickets  that  have
+          the  RENEWABLE  flag  set  in the flags field.  It
+          indicates the maximum endtime that may be included
+          in  a  renewal.  It can be thought of as the abso-
+          lute expiration time for the ticket, including all
+          renewals.
+
+
+caddr     This field in a ticket contains zero (if  omitted)
+          or  more  (if  present) host addresses.  These are
+          the addresses from which the ticket can  be  used.
+          If  there are no addresses, the ticket can be used
+          from any location.  The decision  by  the  KDC  to
+          issue  or by the end server to accept zero-address
+          tickets is a policy decision and is  left  to  the
+          Kerberos  and end-service administrators; they may
+          refuse to issue or accept such tickets.  The  sug-
+          gested  and  default policy, however, is that such
+          tickets will only be issued or accepted when addi-
+          tional  information  that  can be used to restrict
+          the  use  of  the  ticket  is  included   in   the
+          authorization_data  field.   Such  a  ticket  is a
+          capability.
+
+          Network addresses are included in  the  ticket  to
+          make  it  harder  for  an  attacker  to use stolen
+          credentials.  Because the session key is not  sent
+          over  the  network in cleartext, credentials can't
+__________________________
+[24] It is NOT recommended that this time value be used
+to adjust the workstation's clock since the workstation
+cannot reliably determine that such a KRB_AS_REP  actu-
+ally came from the proper KDC in a timely manner.
+
+
+Section 5.3.1.             - 50 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          be stolen simply by listening to the  network;  an
+          attacker  has  to  gain  access to the session key
+          (perhaps   through   operating   system   security
+          breaches  or a careless user's unattended session)
+          to make use of stolen tickets.
+
+          It is important to note that the  network  address
+          from  which  a  connection  is  received cannot be
+          reliably determined.  Even  if  it  could  be,  an
+          attacker who has compromised the client's worksta-
+          tion  could  use  the  credentials   from   there.
+          Including the network addresses only makes it more
+          difficult, not impossible, for an attacker to walk
+          off with stolen credentials and then use them from
+          a "safe" location.
+
+
+authorization-data
+          The  authorization-data  field  is  used  to  pass
+          authorization  data  from  the  principal on whose
+          behalf a ticket was issued to the application ser-
+          vice.   If no authorization data is included, this
+          field will be left out.  Experience has shown that
+          the  name  of  this field is confusing, and that a
+          better name for this field would be  restrictions.
+          Unfortunately,  it  is  not possible to change the
+          name of this field at this time.
+
+          This field contains restrictions on any  authority
+          obtained  on the bases of authentication using the
+          ticket.  It  is  possible  for  any  principal  in
+          posession  of  credentials  to  add entries to the
+          authorization  data  field  since  these   entries
+          further restrict what can be done with the ticket.
+          Such additions can be made by specifying the addi-
+          tional  entries when a new ticket is obtained dur-
+          ing the TGS exchange, or they may be added  during
+          chained  delegation  using  the authorization data
+          field of the authenticator.
+
+          Because entries may be added to this field by  the
+          holder of credentials, it is not allowable for the
+          presence of an entry  in  the  authorization  data
+          field  of  a  ticket to amplify the priveleges one
+          would obtain from using a ticket.
+
+          The data in this field may be specific to the  end
+          service;  the field will contain the names of ser-
+          vice specific objects, and  the  rights  to  those
+          objects.   The  format for this field is described
+          in section 5.2.  Although  Kerberos  is  not  con-
+          cerned with the format of the contents of the sub-
+          fields, it does carry type information (ad-type).
+
+
+
+Section 5.3.1.             - 51 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          By using the authorization_data field, a principal
+          is  able  to  issue  a  proxy  that is valid for a
+          specific purpose.  For example, a  client  wishing
+          to  print a file can obtain a file server proxy to
+          be passed to the print server.  By specifying  the
+          name  of the file in the authorization_data field,
+          the file server knows that the  print  server  can
+          only  use  the  client's rights when accessing the
+          particular file to be printed.
+
+          A separate service providing providing  authoriza-
+          tion  or  certifying group membership may be built
+          using the authorization-data field.  In this case,
+          the entity granting authorization (not the author-
+          ized entity), obtains a ticket  in  its  own  name
+          (e.g.  the  ticket  is  issued  in  the  name of a
+          privelege server), and this entity  adds  restric-
+          tions  on its own authority and delegates the res-
+          tricted authority through a proxy to  the  client.
+          The  client  would then present this authorization
+          credential to the  application  server  separately
+          from the authentication exchange.
+
+          Similarly, if one specifies the authorization-data
+          field  of  a  proxy  and leaves the host addresses
+          blank, the resulting ticket and session key can be
+          treated  as  a  capability.  See [7] for some sug-
+          gested uses of this field.
+
+          The authorization-data field is optional and  does
+          not have to be included in a ticket.
+
+
+5.3.2.  Authenticators
+
+     An authenticator is a record sent with a  ticket  to  a
+server  to  certify the client's knowledge of the encryption
+key in the ticket, to help the server detect replays, and to
+help  choose a "true session key" to use with the particular
+session.  The encoding is encrypted in the ticket's  session
+key shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+
+Section 5.3.2.             - 52 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authenticator-vno
+          This field specifies the version  number  for  the
+          format of the authenticator.  This document speci-
+          fies version 5.
+
+
+crealm and cname
+          These fields are the same as those  described  for
+          the ticket in section 5.3.1.
+
+
+cksum     This field contains a checksum of the the applica-
+          tion data that accompanies the KRB_AP_REQ.
+
+
+cusec     This field contains the microsecond  part  of  the
+          client's timestamp.  Its value (before encryption)
+          ranges from 0 to 999999.  It often  appears  along
+          with  ctime.   The two fields are used together to
+          specify a reasonably accurate timestamp.
+
+
+ctime     This  field  contains  the  current  time  on  the
+          client's host.
+
+
+subkey    This field contains the  client's  choice  for  an
+          encryption key which is to be used to protect this
+          specific application session.  Unless an  applica-
+          tion  specifies  otherwise,  if this field is left
+          out the session key from the ticket will be used.
+
+seq-numberThis optional field includes the initial  sequence
+          number to be used by the KRB_PRIV or KRB_SAFE mes-
+          sages when sequence numbers  are  used  to  detect
+          replays  (It  may  also  be  used  by  application
+          specific messages).  When included in the  authen-
+          ticator  this field specifies the initial sequence
+          number for messages from the client to the server.
+          When  included  in the AP-REP message, the initial
+          sequence number is  that  for  messages  from  the
+          server  to  the  client.  When used in KRB_PRIV or
+          KRB_SAFE messages, it is incremented by one  after
+          each message is sent.
+
+          For sequence numbers  to  adequately  support  the
+          detection of replays they should be non-repeating,
+          even across connection  boundaries.   The  initial
+          sequence  number  should  be  random and uniformly
+          distributed across  the  full  space  of  possible
+          sequence  numbers, so that it cannot be guessed by
+          an attacker and so  that  it  and  the  successive
+          sequence numbers do not repeat other sequences.
+
+
+
+Section 5.3.2.             - 53 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authorization-data
+          This field is the same as described for the ticket
+          in  section  5.3.1.   It is optional and will only
+          appear when  additional  restrictions  are  to  be
+          placed  on  the use of a ticket, beyond those car-
+          ried in the ticket itself.
+
+5.4.  Specifications for the AS and TGS exchanges
+
+     This section specifies the format of the messages  used
+in  the exchange between the client and the Kerberos server.
+The format of possible error  messages  appears  in  section
+5.9.1.
+
+5.4.1.  KRB_KDC_REQ definition
+
+     The  KRB_KDC_REQ  message  has  no  type  of  its  own.
+Instead,  its  type  is  one  of  KRB_AS_REQ  or KRB_TGS_REQ
+depending on whether the request is for an initial ticket or
+an  additional  ticket.  In either case, the message is sent
+from the client to  the  Authentication  Server  to  request
+credentials for a service.
+
+     The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER, 
+                                           -- EncryptionType,
+                                           -- in preference order
+
+
+Section 5.4.1.             - 54 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData 
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+
+pvno      This field is included in each message, and speci-
+          fies  the  protocol version number.  This document
+          specifies protocol version 5.
+
+
+msg-type  This field indicates the type of a  protocol  mes-
+          sage.   It  will  almost always be the same as the
+          application identifier associated with a  message.
+          It is included to make the identifier more readily
+          accessible to the application.   For  the  KDC-REQ
+          message,   this   type   will   be  KRB_AS_REQ  or
+          KRB_TGS_REQ.
+
+
+padata    The padata (pre-authentication  data)  field  con-
+          tains  a  sequence  of  authentication information
+          which may be  needed  before  credentials  can  be
+          issued  or decrypted.  In the case of requests for
+          additional tickets (KRB_TGS_REQ), this field  will
+          include  an element with padata-type of PA-TGS-REQ
+          and data  of  an  authentication  header  (ticket-
+          granting  ticket and authenticator).  The checksum
+          in the authenticator  (which  must  be  collision-
+          proof)  is  to  be  computed over the KDC-REQ-BODY
+          encoding.  In most requests for initial  authenti-
+          cation  (KRB_AS_REQ)  and  most replies (KDC-REP),
+          the padata field will be left out.
+
+          This field may also contain information needed  by
+          certain  extensions to the Kerberos protocol.  For
+          example, it might be used to initially verify  the
+          identity  of  a  client  before  any  response  is
+          returned.  This  is  accomplished  with  a  padata
+          field  with  padata-type equal to PA-ENC-TIMESTAMP
+          and padata-value defined as follows:
+
+padata-type     ::= PA-ENC-TIMESTAMP
+padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC   ::= SEQUENCE {
+                patimestamp[0]     KerberosTime, -- client's time
+                pausec[1]          INTEGER OPTIONAL
+}
+
+          with patimestamp containing the client's time  and
+
+
+Section 5.4.1.             - 55 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          pausec  containing  the  microseconds which may be
+          omitted if a client will not  generate  more  than
+          one  request  per second.  The ciphertext (padata-
+          value) consists  of  the  PA-ENC-TS-ENC  sequence,
+          encrypted using the client's secret key.
+
+          The padata  field  can  also  contain  information
+          needed  to  help  the KDC or the client select the
+          key  needed  for  generating  or  decrypting   the
+          response.   This  form of the padata is useful for
+          supporting the use of  certain  token  cards  with
+          Kerberos.   The  details  of  such  extensions are
+          specified in separate  documents.   See  [11]  for
+          additional uses of this field.
+
+padata-type
+          The padata-type element of the padata field  indi-
+          cates  the way that the padata-value element is to
+          be interpreted.  Negative  values  of  padata-type
+          are  reserved  for  unregistered use; non-negative
+          values are used for a registered interpretation of
+          the element type.
+
+
+req-body  This field is a placeholder delimiting the  extent
+          of  the  remaining fields.  If a checksum is to be
+          calculated over the request, it is calculated over
+          an  encoding of the KDC-REQ-BODY sequence which is
+          enclosed within the req-body field.
+
+
+kdc-options
+          This  field  appears   in   the   KRB_AS_REQ   and
+          KRB_TGS_REQ  requests to the KDC and indicates the
+          flags that the client wants set on the tickets  as
+          well  as  other  information that is to modify the
+          behavior of the KDC.  Where appropriate, the  name
+          of  an  option may be the same as the flag that is
+          set by that option.  Although in  most  case,  the
+          bit  in the options field will be the same as that
+          in the flags field, this is not guaranteed, so  it
+          is not acceptable to simply copy the options field
+          to the flags field.  There are various checks that
+          must be made before honoring an option anyway.
+
+          The kdc_options field is a  bit-field,  where  the
+          selected  options  are  indicated by the bit being
+          set (1), and the unselected options  and  reserved
+          fields  being reset (0).  The encoding of the bits
+          is specified in  section  5.2.   The  options  are
+          described  in more detail above in section 2.  The
+          meanings of the options are:
+
+
+
+
+Section 5.4.1.             - 56 -    Expires 11 January 1998
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+   Bit(s)    Name                Description
+    0        RESERVED
+                                 Reserved for future  expansion  of  this
+                                 field.
+
+    1        FORWARDABLE
+                                 The FORWARDABLE  option  indicates  that
+                                 the  ticket  to be issued is to have its
+                                 forwardable flag set.  It  may  only  be
+                                 set on the initial request, or in a sub-
+                                 sequent request if  the  ticket-granting
+                                 ticket on which it is based is also for-
+                                 wardable.
+
+    2        FORWARDED
+                                 The FORWARDED option is  only  specified
+                                 in  a  request  to  the  ticket-granting
+                                 server and will only be honored  if  the
+                                 ticket-granting  ticket  in  the request
+                                 has  its  FORWARDABLE  bit  set.    This
+                                 option  indicates that this is a request
+                                 for forwarding.  The address(es) of  the
+                                 host  from which the resulting ticket is
+                                 to  be  valid  are   included   in   the
+                                 addresses field of the request.
+
+    3        PROXIABLE
+                                 The PROXIABLE option indicates that  the
+                                 ticket to be issued is to have its prox-
+                                 iable flag set.  It may only be  set  on
+                                 the  initial request, or in a subsequent
+                                 request if the ticket-granting ticket on
+                                 which it is based is also proxiable.
+
+    4        PROXY
+                                 The PROXY option indicates that this  is
+                                 a request for a proxy.  This option will
+                                 only be honored if  the  ticket-granting
+                                 ticket  in the request has its PROXIABLE
+                                 bit set.  The address(es)  of  the  host
+                                 from which the resulting ticket is to be
+                                  valid  are  included  in  the  addresses
+                                 field of the request.
+
+    5        ALLOW-POSTDATE
+                                 The ALLOW-POSTDATE option indicates that
+                                 the  ticket  to be issued is to have its
+                                 MAY-POSTDATE flag set.  It may  only  be
+                                 set on the initial request, or in a sub-
+                                 sequent request if  the  ticket-granting
+                                 ticket on which it is based also has its
+                                 MAY-POSTDATE flag set.
+
+
+
+
+
+
+
+Section 5.4.1.             - 57 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+    6        POSTDATED
+                                 The POSTDATED option indicates that this
+                                 is  a  request  for  a postdated ticket.
+                                 This option will only be honored if  the
+                                 ticket-granting  ticket  on  which it is
+                                 based has  its  MAY-POSTDATE  flag  set.
+                                 The  resulting ticket will also have its
+                                 INVALID flag set, and that flag  may  be
+                                 reset by a subsequent request to the KDC
+                                 after the starttime in  the  ticket  has
+                                 been reached.
+
+    7        UNUSED
+                                 This option is presently unused.
+
+    8        RENEWABLE
+                                 The RENEWABLE option indicates that  the
+                                 ticket  to  be  issued  is  to  have its
+                                 RENEWABLE flag set.  It may only be  set
+                                 on  the  initial  request,  or  when the
+                                 ticket-granting  ticket  on  which   the
+                                 request  is based is also renewable.  If
+                                 this option is requested, then the rtime
+                                 field   in   the  request  contains  the
+                                 desired absolute expiration time for the
+                                 ticket.
+
+    9-13     UNUSED
+                                 These options are presently unused.
+
+    14       REQUEST-ANONYMOUS
+                                 The REQUEST-ANONYMOUS  option  indicates
+                                 that  the  ticket to be issued is not to
+                                 identify  the  user  to  which  it   was
+                                 issued.  Instead, the principal identif-
+                                 ier is to be generic,  as  specified  by
+                                 the  policy  of  the realm (e.g. usually
+                                 anonymous@realm).  The  purpose  of  the
+                                 ticket  is only to securely distribute a
+                                 session key, and  not  to  identify  the
+                                 user.   The ANONYMOUS flag on the ticket
+                                 to be returned should be  set.   If  the
+                                 local  realms  policy  does  not  permit
+                                 anonymous credentials, the request is to
+                                 be rejected.
+
+    15-25    RESERVED
+                                 Reserved for future use.
+
+    26       DISABLE-TRANSITED-CHECK
+				 By default the KDC will check the
+				 transited field of a ticket-granting-
+				 ticket against the policy of the local
+				 realm before it will issue derivative
+				 tickets based on the ticket granting
+				 ticket.  If this flag is set in the
+				 request, checking of the transited field
+				 is disabled.  Tickets issued without the
+				 performance of this check will be noted
+				 by the reset (0) value of the
+				 TRANSITED-POLICY-CHECKED flag,
+				 indicating to the application server
+				 that the tranisted field must be checked
+				 locally.  KDC's are encouraged but not
+				 required to honor the
+				 DISABLE-TRANSITED-CHECK option.
+
+
+
+Section 5.4.1.             - 58 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+    27       RENEWABLE-OK
+                                 The RENEWABLE-OK option indicates that a
+                                 renewable ticket will be acceptable if a
+                                 ticket with the  requested  life  cannot
+                                 otherwise be provided.  If a ticket with
+                                 the requested life cannot  be  provided,
+                                 then  a  renewable  ticket may be issued
+                                 with  a  renew-till  equal  to  the  the
+                                 requested  endtime.   The  value  of the
+                                 renew-till field may still be limited by
+                                 local  limits, or limits selected by the
+                                 individual principal or server.
+
+    28       ENC-TKT-IN-SKEY
+                                 This option is used only by the  ticket-
+                                 granting  service.   The ENC-TKT-IN-SKEY
+                                 option indicates that the ticket for the
+                                 end  server  is  to  be encrypted in the
+                                 session key from the additional  ticket-
+                                 granting ticket provided.
+
+    29       RESERVED
+                                 Reserved for future use.
+
+    30       RENEW
+                                 This option is used only by the  ticket-
+                                 granting   service.   The  RENEW  option
+                                 indicates that the  present  request  is
+                                 for  a  renewal.  The ticket provided is
+                                 encrypted in  the  secret  key  for  the
+                                 server  on  which  it  is  valid.   This
+                                 option  will  only  be  honored  if  the
+                                 ticket  to  be renewed has its RENEWABLE
+                                 flag set and if the time in  its  renew-
+                                 till  field  has not passed.  The ticket
+                                 to be renewed is passed  in  the  padata
+                                 field  as  part  of  the  authentication
+                                 header.
+
+    31       VALIDATE
+                                 This option is used only by the  ticket-
+                                 granting  service.   The VALIDATE option
+                                 indicates that the request is  to  vali-
+                                 date  a  postdated ticket.  It will only
+                                 be honored if the  ticket  presented  is
+                                 postdated,  presently  has  its  INVALID
+                                 flag set, and would be otherwise  usable
+                                 at  this time.  A ticket cannot be vali-
+                                 dated before its starttime.  The  ticket
+                                 presented for validation is encrypted in
+                                 the key of the server for  which  it  is
+                                 valid  and is passed in the padata field
+                                 as part of the authentication header.
+
+cname and sname
+          These fields are the same as those  described  for
+          the  ticket  in  section 5.3.1.  sname may only be
+
+
+Section 5.4.1.             - 59 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          absent when the ENC-TKT-IN-SKEY option  is  speci-
+          fied.   If absent, the name of the server is taken
+          from the name of the client in the  ticket  passed
+          as additional-tickets.
+
+
+enc-authorization-data
+          The enc-authorization-data, if present (and it can
+          only be present in the TGS_REQ form), is an encod-
+          ing of the  desired  authorization-data  encrypted
+          under  the  sub-session  key  if  present  in  the
+          Authenticator, or alternatively from  the  session
+          key  in  the ticket-granting ticket, both from the
+          padata field in the KRB_AP_REQ.
+
+
+realm     This  field  specifies  the  realm  part  of   the
+          server's   principal   identifier.    In   the  AS
+          exchange, this is  also  the  realm  part  of  the
+          client's principal identifier.
+
+
+from      This field  is  included  in  the  KRB_AS_REQ  and
+          KRB_TGS_REQ  ticket  requests  when  the requested
+          ticket  is  to  be  postdated.  It  specifies  the
+          desired start time for the requested ticket.
+
+
+
+till      This field contains the expiration date  requested
+          by  the  client in a ticket request.  It is option
+          and if omitted the requested ticket is to have the
+          maximum  endtime permitted according to KDC policy
+          for the parties to the authentication exchange  as
+          limited  by expiration date of the ticket granting
+          ticket or other preauthentication credentials.
+
+
+rtime     This field is the requested renew-till  time  sent
+          from  a client to the KDC in a ticket request.  It
+          is optional.
+
+
+nonce     This  field  is  part  of  the  KDC  request   and
+          response.   It it intended to hold a random number
+          generated by the client.  If the  same  number  is
+          included  in  the encrypted response from the KDC,
+          it provides evidence that the  response  is  fresh
+          and  has not been replayed by an attacker.  Nonces
+          must never be re-used.  Ideally, it should be gen-
+          erated randomly, but if the correct time is known,
+          it may suffice[25].
+__________________________
+[25] Note, however, that if the time  is  used  as  the
+
+Section 5.4.1.             - 60 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+etype     This field specifies the desired encryption  algo-
+          rithm to be used in the response.
+
+
+addresses This field is included in the initial request  for
+          tickets,  and  optionally included in requests for
+          additional  tickets   from   the   ticket-granting
+          server.  It specifies the addresses from which the
+          requested ticket is  to  be  valid.   Normally  it
+          includes  the addresses for the client's host.  If
+          a proxy is  requested,  this  field  will  contain
+          other  addresses.   The contents of this field are
+          usually copied by the KDC into the caddr field  of
+          the resulting ticket.
+
+
+additional-tickets
+          Additional tickets may be optionally included in a
+          request  to  the  ticket-granting  server.  If the
+          ENC-TKT-IN-SKEY option has  been  specified,  then
+          the session key from the additional ticket will be
+          used in place of the server's key to  encrypt  the
+          new   ticket.   If  more  than  one  option  which
+          requires additional tickets  has  been  specified,
+          then  the additional tickets are used in the order
+          specified by the ordering of the options bits (see
+          kdc-options, above).
+
+
+     The application code will be either ten (10) or  twelve
+(12)  depending  on  whether  the  request is for an initial
+ticket (AS-REQ) or for an additional ticket (TGS-REQ).
+
+     The optional fields (addresses, authorization-data  and
+additional-tickets)  are  only included if necessary to per-
+form the operation specified in the kdc-options field.
+
+     It should be noted that in  KRB_TGS_REQ,  the  protocol
+version number appears twice and two different message types
+appear:  the KRB_TGS_REQ message contains  these  fields  as
+does  the  authentication header (KRB_AP_REQ) that is passed
+in the padata field.
+
+5.4.2.  KRB_KDC_REP definition
+
+     The KRB_KDC_REP message format is used  for  the  reply
+from  the KDC for either an initial (AS) request or a subse-
+quent  (TGS)  request.   There  is  no  message   type   for
+__________________________
+nonce,  one must make sure that the workstation time is
+monotonically increasing.  If the time  is  ever  reset
+backwards,  there  is  a small, but finite, probability
+that a nonce will be reused.
+
+
+
+Section 5.4.2.             - 61 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+KRB_KDC_REP.  Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP.  The key used to encrypt the ciphertext part of
+the reply depends on the message type.  For KRB_AS_REP,  the
+ciphertext  is encrypted in the client's secret key, and the
+client's key version number is included in the  key  version
+number for the encrypted data.  For KRB_TGS_REP, the cipher-
+text is encrypted in the sub-session key from the  Authenti-
+cator,  or  if  absent,  the  session  key  from the ticket-
+granting ticket used in the request.  In that case, no  ver-
+sion number will be present in the EncryptedData sequence.
+
+     The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is either KRB_AS_REP or KRB_TGS_REP.
+__________________________
+[27] An application code in the  encrypted  part  of  a
+message  provides  an additional check that the message
+was decrypted properly.
+
+
+Section 5.4.2.             - 62 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+padata    This field  is  described  in  detail  in  section
+          5.4.1.   One  possible  use  for  this field is to
+          encode an alternate "mix-in"  string  to  be  used
+          with   a   string-to-key  algorithm  (such  as  is
+          described in section 6.3.2).  This ability is use-
+          ful  to  ease transitions if a realm name needs to
+          change (e.g. when a company is acquired); in  such
+          a  case  all  existing password-derived entries in
+          the KDC database would be  flagged  as  needing  a
+          special  mix-in  string  until  the  next password
+          change.
+
+
+crealm, cname, srealm and sname
+          These fields are the same as those  described  for
+          the ticket in section 5.3.1.
+
+
+ticket    The newly-issued ticket, from section 5.3.1.
+
+
+enc-part  This field is a place holder  for  the  ciphertext
+          and  related  information that forms the encrypted
+          part  of  a  message.   The  description  of   the
+          encrypted part of the message follows each appear-
+          ance of this field.  The encrypted part is encoded
+          as described in section 6.1.
+
+
+key       This field is the same as described for the ticket
+          in section 5.3.1.
+
+
+last-req  This field is returned by the  KDC  and  specifies
+          the  time(s)  of  the last request by a principal.
+          Depending on what information is  available,  this
+          might  be  the  last  time  that  a  request for a
+          ticket-granting ticket was made, or the last  time
+          that  a  request based on a ticket-granting ticket
+          was successful.  It also might cover  all  servers
+          for  a realm, or just the particular server.  Some
+          implementations may display  this  information  to
+          the user to aid in discovering unauthorized use of
+          one's identity.  It is similar in  spirit  to  the
+          last   login  time  displayed  when  logging  into
+          timesharing systems.
+
+
+nonce     This field is described above in section 5.4.1.
+
+
+key-expiration
+          The key-expiration field is part of  the  response
+          from  the  KDC  and  specifies  the  time that the
+
+
+Section 5.4.2.             - 63 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          client's secret key is due to expire.  The expira-
+          tion  might  be the result of password aging or an
+          account expiration.  This field  will  usually  be
+          left  out  of  the TGS reply since the response to
+          the TGS request is encrypted in a session key  and
+          no  client  information need be retrieved from the
+          KDC database.  It is up to the application  client
+          (usually  the  login  program) to take appropriate
+          action (such as notifying the user) if the expira-
+          tion time is imminent.
+
+
+flags, authtime, starttime, endtime, renew-till and caddr
+          These fields are duplicates of those found in  the
+          encrypted portion of the attached ticket (see sec-
+          tion 5.3.1), provided so  the  client  may  verify
+          they  match  the intended request and to assist in
+          proper ticket caching.  If the message is of  type
+          KRB_TGS_REP,  the  caddr field will only be filled
+          in if the request was for  a  proxy  or  forwarded
+          ticket, or if the user is substituting a subset of
+          the addresses from the ticket granting ticket.  If
+          the  client-requested addresses are not present or
+          not used, then  the  addresses  contained  in  the
+          ticket  will  be the same as those included in the
+          ticket-granting ticket.
+
+
+5.5.  Client/Server (CS) message specifications
+
+     This section specifies the format of the messages  used
+for  the  authentication  of  the  client to the application
+server.
+
+5.5.1.  KRB_AP_REQ definition
+
+     The KRB_AP_REQ message contains the  Kerberos  protocol
+version  number,  the  message  type  KRB_AP_REQ, an options
+field to indicate any options in use,  and  the  ticket  and
+authenticator  themselves.   The KRB_AP_REQ message is often
+referred to as the "authentication header".
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+
+
+Section 5.5.1.             - 64 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+}
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_AP_REQ.
+
+
+ap-optionsThis field  appears  in  the  application  request
+          (KRB_AP_REQ)  and  affects  the way the request is
+          processed.  It is a bit-field, where the  selected
+          options  are  indicated  by the bit being set (1),
+          and the unselected  options  and  reserved  fields
+          being  reset  (0).   The  encoding  of the bits is
+          specified in section 5.2.   The  meanings  of  the
+          options are:
+
+          Bit(s)   Name              Description
+
+          0        RESERVED
+                                     Reserved for future  expansion  of  this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option   indicates
+                                     that the ticket the client is presenting
+                                     to a server is encrypted in the  session
+                                     key  from  the  server's ticket-granting
+                                     ticket.  When this option is not  speci-
+                                     fied,  the  ticket  is  encrypted in the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells  the
+                                     server  that  the client requires mutual
+                                     authentication, and that it must respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                     Reserved for future use.
+
+
+
+ticket    This field is a ticket authenticating  the  client
+          to the server.
+
+
+authenticator
+          This contains the  authenticator,  which  includes
+          the  client's choice of a subkey.  Its encoding is
+          described in section 5.3.2.
+
+5.5.2.  KRB_AP_REP definition
+
+     The KRB_AP_REP message contains the  Kerberos  protocol
+version  number,  the  message  type, and an encrypted time-
+stamp.  The message is sent in in response to an application
+request  (KRB_AP_REQ) where the mutual authentication option
+
+
+Section 5.5.2.             - 65 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared  session
+key of the ticket.  The optional subkey field can be used in
+an application-arranged negotiation to choose a per associa-
+tion session key.
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_AP_REP.
+
+
+enc-part  This field is described above in section 5.4.2.
+
+
+ctime     This  field  contains  the  current  time  on  the
+          client's host.
+
+
+cusec     This field contains the microsecond  part  of  the
+          client's timestamp.
+
+
+subkey    This field contains an encryption key which is  to
+          be  used to protect this specific application ses-
+          sion.  See section 3.2.6 for specifics on how this
+          field  is  used  to  negotiate  a  key.  Unless an
+          application specifies otherwise, if this field  is
+          left out, the sub-session key from the authentica-
+          tor, or if also left out, the session key from the
+          ticket will be used.
+
+
+
+__________________________
+[29] An application code in the  encrypted  part  of  a
+message  provides  an additional check that the message
+was decrypted properly.
+
+
+
+Section 5.5.2.             - 66 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.5.3.  Error message reply
+
+     If an error occurs  while  processing  the  application
+request,  the  KRB_ERROR  message  will be sent in response.
+See section 5.9.1 for the format of the error message.   The
+cname and crealm fields may be left out if the server cannot
+determine their appropriate values  from  the  corresponding
+KRB_AP_REQ  message.  If the authenticator was decipherable,
+the ctime and cusec fields will contain the values from it.
+
+5.6.  KRB_SAFE message specification
+
+     This section specifies the format of a message that can
+be  used by either side (client or server) of an application
+to send a tamper-proof message to  its  peer.   It  presumes
+that  a session key has previously been exchanged (for exam-
+ple, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1.  KRB_SAFE definition
+
+     The KRB_SAFE message contains user data  along  with  a
+collision-proof  checksum keyed with the last encryption key
+negotiated via subkeys, or the session key if no negotiation
+has occured.  The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_SAFE.
+
+
+safe-body This field is a placeholder for the  body  of  the
+          KRB-SAFE  message.  It is to be encoded separately
+          and then have the checksum computed over  it,  for
+          use in the cksum field.
+
+
+
+Section 5.6.1.             - 67 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+cksum     This field contains the checksum of  the  applica-
+          tion data.  Checksum details are described in sec-
+          tion 6.4.   The  checksum  is  computed  over  the
+          encoding of the KRB-SAFE-BODY sequence.
+
+
+user-data This field is part of the  KRB_SAFE  and  KRB_PRIV
+          messages and contain the application specific data
+          that is being passed from the sender to the  reci-
+          pient.
+
+
+timestamp This field is part of the  KRB_SAFE  and  KRB_PRIV
+          messages.   Its  contents  are the current time as
+          known by the sender of the message.   By  checking
+          the  timestamp,  the  recipient  of the message is
+          able to make sure that it was recently  generated,
+          and is not a replay.
+
+
+usec      This field is part of the  KRB_SAFE  and  KRB_PRIV
+          headers.   It contains the microsecond part of the
+          timestamp.
+
+
+seq-number
+          This field is described above in section 5.3.2.
+
+
+s-address This field specifies the address  in  use  by  the
+          sender of the message.
+
+
+r-address This field specifies the address  in  use  by  the
+          recipient  of  the message.  It may be omitted for
+          some uses (such as broadcast protocols),  but  the
+          recipient  may  arbitrarily  reject such messages.
+          This field along with s-address  can  be  used  to
+          help  detect  messages which have been incorrectly
+          or maliciously delivered to the wrong recipient.
+
+5.7.  KRB_PRIV message specification
+
+     This section specifies the format of a message that can
+be  used by either side (client or server) of an application
+to securely and privately send a message to  its  peer.   It
+presumes  that  a  session key has previously been exchanged
+(for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1.  KRB_PRIV definition
+
+     The KRB_PRIV message contains user  data  encrypted  in
+the Session Key.  The message fields are:
+
+__________________________
+[31] An application code in the  encrypted  part  of  a
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_PRIV.
+
+
+enc-part  This field holds an encoding of the EncKrbPrivPart
+          sequence  encrypted  under  the  session  key[32].
+          This  encrypted  encoding is used for the enc-part
+          field of the KRB-PRIV message.  See section 6  for
+          the format of the ciphertext.
+
+
+user-data, timestamp, usec, s-address and r-address
+          These fields are described above in section 5.6.1.
+
+
+seq-number
+          This field is described above in section 5.3.2.
+
+5.8.  KRB_CRED message specification
+
+     This section specifies the format of a message that can
+be  used  to send Kerberos credentials from one principal to
+__________________________
+message  provides  an additional check that the message
+was decrypted properly.
+[32] If  supported  by the encryption method in use, an
+initialization vector may be passed to  the  encryption
+procedure,  in order to achieve proper cipher chaining.
+The initialization vector  might  come  from  the  last
+block of the ciphertext from the previous KRB_PRIV mes-
+sage, but it is the application's choice whether or not
+to use such an initialization vector.  If left out, the
+default initialization vector for the encryption  algo-
+rithm will be used.
+
+
+Section 5.8.               - 69 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+another.  It is presented here to encourage a common mechan-
+ism  to  be  used by applications when forwarding tickets or
+providing proxies to subordinate servers.  It presumes  that
+a  session  key  has already been exchanged perhaps by using
+the KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1.  KRB_CRED definition
+
+     The KRB_CRED message contains a sequence of tickets  to
+be sent and information needed to use the tickets, including
+the session key from each.  The information  needed  to  use
+the  tickets is encrypted under an encryption key previously
+exchanged or transferred  alongside  the  KRB_CRED  message.
+The message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_CRED.
+
+
+
+
+Section 5.8.1.             - 70 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+tickets
+          These  are  the  tickets  obtained  from  the  KDC
+          specifically  for  use  by the intended recipient.
+          Successive tickets are paired with the correspond-
+          ing  KrbCredInfo sequence from the enc-part of the
+          KRB-CRED message.
+
+
+enc-part  This field holds an encoding of the EncKrbCredPart
+          sequence  encrypted  under  the session key shared
+          between the sender  and  the  intended  recipient.
+          This  encrypted  encoding is used for the enc-part
+          field of the KRB-CRED message.  See section 6  for
+          the format of the ciphertext.
+
+
+nonce     If  practical,  an  application  may  require  the
+          inclusion of a nonce generated by the recipient of
+          the message.  If the same value is included as the
+          nonce  in  the  message, it provides evidence that
+          the message is fresh and has not been replayed  by
+          an  attacker.   A  nonce must never be re-used; it
+          should be generated randomly by the  recipient  of
+          the message and provided to the sender of the mes-
+          sage in an application specific manner.
+
+
+timestamp and usec
+
+          These fields specify the time  that  the  KRB-CRED
+          message  was  generated.  The time is used to pro-
+          vide assurance that the message is fresh.
+
+
+s-address and r-address
+          These fields are described above in section 5.6.1.
+          They  are  used  optionally  to provide additional
+          assurance of the integrity of  the  KRB-CRED  mes-
+          sage.
+
+
+key       This field  exists  in  the  corresponding  ticket
+          passed by the KRB-CRED message and is used to pass
+          the session key from the sender  to  the  intended
+          recipient.   The  field's encoding is described in
+          section 6.2.
+
+     The following fields are optional.   If  present,  they
+can  be associated with the credentials in the remote ticket
+file.  If left out, then it is assumed that the recipient of
+the credentials already knows their value.
+
+
+prealm and pname
+
+
+Section 5.8.1.             - 71 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          The name and  realm  of  the  delegated  principal
+          identity.
+
+
+flags, authtime,  starttime,  endtime,  renew-till,  srealm,
+          sname, and caddr
+          These fields contain the values of the correspond-
+          ing  fields  from  the  ticket found in the ticket
+          field.  Descriptions of the fields  are  identical
+          to the descriptions in the KDC-REP message.
+
+5.9.  Error message specification
+
+     This section specifies the  format  for  the  KRB_ERROR
+message.  The fields included in the message are intended to
+return as much information as possible about an  error.   It
+is  not  expected  that  all the information required by the
+fields will be available for all types of  errors.   If  the
+appropriate information is not available when the message is
+composed, the corresponding field will be left  out  of  the
+message.
+
+     Note that since the KRB_ERROR message is not  protected
+by  any  encryption, it is quite possible for an intruder to
+synthesize or modify such a message.   In  particular,  this
+means that the client should not use any fields in this mes-
+sage for security-critical purposes, such as setting a  sys-
+tem  clock or generating a fresh authenticator.  The message
+can be useful, however, for advising a user  on  the  reason
+for some failure.
+
+5.9.1.  KRB_ERROR definition
+
+     The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL
+}
+
+
+
+
+
+Section 5.9.1.             - 72 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_ERROR.
+
+
+ctime     This field is described above in section 5.4.1.
+
+
+
+cusec     This field is described above in section 5.5.2.
+
+
+stime     This  field  contains  the  current  time  on  the
+          server.  It is of type KerberosTime.
+
+
+susec     This field contains the microsecond  part  of  the
+          server's  timestamp.   Its  value ranges from 0 to
+          999999.  It appears  along  with  stime.  The  two
+          fields  are  used in conjunction to specify a rea-
+          sonably accurate timestamp.
+
+
+error-codeThis field contains the  error  code  returned  by
+          Kerberos  or  the server when a request fails.  To
+          interpret the value of this field see the list  of
+          error  codes  in  section  8.  Implementations are
+          encouraged to provide for national  language  sup-
+          port in the display of error messages.
+
+
+crealm, cname, srealm and sname
+          These fields are described above in section 5.3.1.
+
+
+e-text    This  field  contains  additional  text  to   help
+          explain  the error code associated with the failed
+          request (for example, it might include a principal
+          name which was unknown).
+
+
+e-data     This field contains  additional  data  about  the
+          error  for  use  by  the  application  to  help it
+          recover from or handle the error.  If  the  error-
+          code  is KDC_ERR_PREAUTH_REQUIRED, then the e-data
+          field will contain an encoding of  a  sequence  of
+          padata fields, each corresponding to an acceptable
+          pre-authentication method and optionally  contain-
+          ing data for the method:
+
+
+e-cksum   This field contains an optional checksum  for  the
+          KRB-ERROR  message.   The  checksum  is calculated
+          over the Kerberos ASN.1 encoding of the  KRB-ERROR
+
+
+Section 5.9.1.             - 73 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          message with the checksum absent.  The checksum is
+          then added to the KRB-ERROR structure and the mes-
+          sage is re-encoded.  The Checksum should be calcu-
+          lated using the session key from the ticket grant-
+          ing ticket or service ticket, where available.  If
+          the error is in response to a TGS or  AP  request,
+          the  checksum  should  be  calculated uing the the
+          session key from  the  client's  ticket.   If  the
+          error  is  in  response to an AS request, then the
+          checksum should be calulated  using  the  client's
+          secret  key ONLY if there has been suitable preau-
+          thentication to prove knowledge of the secret  key
+          by the client[33].  If a checksum can not be  com-
+          puted because the key to be used is not available,
+          no checksum will be included.
+
+               METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+
+          If the error-code is KRB_AP_ERR_METHOD,  then  the
+          e-data  field will contain an encoding of the fol-
+          lowing sequence:
+
+       METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+       }
+
+          method-type will indicate the  required  alternate
+          method;  method-data  will  contain  any  required
+          additional information.
+
+
+
+6.  Encryption and Checksum Specifications
+
+The  Kerberos  protocols  described  in  this  document  are
+designed  to  use  stream  encryption  ciphers, which can be
+simulated using commonly available block encryption ciphers,
+such  as  the  Data Encryption Standard, [12] in conjunction
+with block chaining and checksum methods  [13].   Encryption
+is used to prove the identities of the network entities par-
+ticipating  in  message  exchanges.   The  Key  Distribution
+Center   for   each  realm  is  trusted  by  all  principals
+registered in that realm to store a  secret  key  in  confi-
+dence.   Proof  of  knowledge  of this secret key is used to
+verify the authenticity of a principal.
+
+     The KDC uses the principal's  secret  key  (in  the  AS
+__________________________
+[33] This prevents an attacker  who  generates  an  in-
+correct  AS request from obtaining verifiable plaintext
+for use in an off-line password guessing attack.
+
+
+Section 6.                 - 74 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+exchange) or a shared session key (in the TGS  exchange)  to
+encrypt  responses to ticket requests; the ability to obtain
+the secret key or session key implies the knowledge  of  the
+appropriate  keys  and the identity of the KDC.  The ability
+of a principal to decrypt the KDC  response  and  present  a
+Ticket  and  a properly formed Authenticator (generated with
+the session key from the KDC response) to a service verifies
+the  identity  of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove
+its knowledge thereof in a response verifies the identity of
+the service.
+
+     The  Kerberos  protocols  generally  assume  that   the
+encryption  used  is  secure from cryptanalysis; however, in
+some cases, the order of fields in the encrypted portions of
+messages  are  arranged  to  minimize  the effects of poorly
+chosen keys.  It is still important to choose good keys.  If
+keys  are derived from user-typed passwords, those passwords
+need to be well chosen to make brute force attacks more dif-
+ficult.   Poorly  chosen  keys  still  make easy targets for
+intruders.
+
+     The  following  sections  specify  the  encryption  and
+checksum  mechanisms  currently  defined  for Kerberos.  The
+encodings, chaining, and padding requirements for  each  are
+described.  For encryption methods, it is often desirable to
+place random information (often referred to as a confounder)
+at  the  start  of the message.  The requirements for a con-
+founder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method  to
+improve  the the security characteristics of the ciphertext.
+However, these  chaining  methods  often  don't  provide  an
+integrity  check upon decryption.  Such systems (such as DES
+in CBC mode) must be augmented with a checksum of the plain-
+text  which can be verified at decryption and used to detect
+any tampering or damage.  Such checksums should be  good  at
+detecting  burst  errors  in  the  input.   If any damage is
+detected, the decryption routine is expected  to  return  an
+error  indicating  the  failure of an integrity check.  Each
+encryption  type  is  expected  to  provide  and  verify  an
+appropriate  checksum.  The specification of each encryption
+method sets out its checksum requirements.
+
+     Finally, where a key is to be  derived  from  a  user's
+password,  an algorithm for converting the password to a key
+of the appropriate type is included.  It  is  desirable  for
+the  string  to key function to be one-way, and for the map-
+ping to be different in different realms.  This is important
+because users who are registered in more than one realm will
+often use the same password in each,  and  it  is  desirable
+that  an  attacker  compromising  the Kerberos server in one
+realm not obtain or derive the user's key in another.
+
+
+
+Section 6.                 - 75 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     For an discussion of the integrity  characteristics  of
+the candidate encryption and checksum methods considered for
+Kerberos, the the reader is referred to [14].
+
+6.1.  Encryption Specifications
+
+     The following ASN.1 definition describes all  encrypted
+messages.   The  enc-part  field  which appears in the unen-
+crypted part of messages in section 5 is a sequence consist-
+ing  of  an encryption type, an optional key version number,
+and the ciphertext.
+
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+
+etype     This field identifies which  encryption  algorithm
+          was used to encipher the cipher.  Detailed specif-
+          ications  for  selected  encryption  types  appear
+          later in this section.
+
+
+kvno      This field contains the version number of the  key
+          under which data is encrypted.  It is only present
+          in messages encrypted  under  long  lasting  keys,
+          such as principals' secret keys.
+
+
+cipher    This field contains the enciphered  text,  encoded
+          as an OCTET STRING.
+
+
+     The cipher field is generated by applying the specified
+encryption  algorithm  to  data  composed of the message and
+algorithm-specific inputs.   Encryption  mechanisms  defined
+for  use  with  Kerberos  must  take  sufficient measures to
+guarantee the integrity of the plaintext, and  we  recommend
+they  also take measures to protect against precomputed dic-
+tionary attacks.  If the encryption algorithm is not  itself
+capable  of  doing so, the protections can often be enhanced
+by adding a checksum and a confounder.
+
+     The suggested format  for  the  data  to  be  encrypted
+includes  a  confounder,  a checksum, the encoded plaintext,
+and any necessary padding.  The msg-seq field  contains  the
+part of the protocol message described in section 5 which is
+to be encrypted.  The confounder, checksum, and padding  are
+all untagged and untyped, and their length is exactly suffi-
+cient to hold the appropriate item.  The type and length  is
+implicit  and  specified  by  the particular encryption type
+
+
+Section 6.1.               - 76 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+being used (etype).  The format for the data to be encrypted
+is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+
+     One generates a random confounder  of  the  appropriate
+length,  placing  it in confounder; zeroes out check; calcu-
+lates the appropriate checksum over confounder,  check,  and
+msg-seq,  placing  the  result  in check; adds the necessary
+padding; then encrypts using the specified  encryption  type
+and the appropriate key.
+
+     Unless otherwise specified, a definition of an  encryp-
+tion  algorithm  that specifies a checksum, a length for the
+confounder field, or an octet boundary for padding uses this
+ciphertext format[36].  Those fields which are not specified
+will be omitted.
+
+     In the interest of allowing all implementations using a
+__________________________
+[35] In  the  above   specification,   UNTAGGED   OCTET
+STRING(length) is the notation for an octet string with
+its tag and length removed.  It is not  a  valid  ASN.1
+type.  The tag bits and length must be removed from the
+confounder since the purpose of the  confounder  is  so
+that  the  message starts with random data, but the tag
+and its length are fixed.  For other fields, the length
+and  tag  would  be redundant if they were included be-
+cause they are specified by the encryption type.
+[36] The  ordering  of  the fields in the CipherText is
+important.  Additionally, messages encoded in this for-
+mat must include a length as part of the msg-seq field.
+This allows the recipient to verify  that  the  message
+has  not been truncated.  Without a length, an attacker
+could use a chosen plaintext attack to generate a  mes-
+sage which could be truncated, while leaving the check-
+sum intact.  Note that if the msg-seq is an encoding of
+an  ASN.1  SEQUENCE or OCTET STRING, then the length is
+part of that encoding.
+
+
+
+Section 6.1.               - 77 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+particular encryption type to communicate  with  all  others
+using  that  type,  the  specification of an encryption type
+defines any checksum that is needed as part of  the  encryp-
+tion  process.   If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+     Some  cryptosystems  require   additional   information
+beyond  the  key and the data to be encrypted.  For example,
+DES, when used in cipher-block-chaining  mode,  requires  an
+initialization  vector.   If  required,  the description for
+each encryption type must specify the source of  such  addi-
+tional information.
+
+6.2.  Encryption Keys
+
+     The sequence below shows the encoding of an  encryption
+key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+
+keytype   This field specifies the type  of  encryption  key
+          that  follows  in  the  keyvalue  field.   It will
+          almost always correspond to the  encryption  algo-
+          rithm  used  to generate the EncryptedData, though
+          more than one algorithm may use the same  type  of
+          key (the mapping is many to one).  This might hap-
+          pen, for example, if the encryption algorithm uses
+          an  alternate  checksum algorithm for an integrity
+          check, or a different chaining mechanism.
+
+
+keyvalue  This field contains the key itself, encoded as  an
+          octet string.
+
+     All negative values for the  encryption  key  type  are
+reserved   for  local  use.   All  non-negative  values  are
+reserved for officially assigned type fields and interpreta-
+tions.
+
+6.3.  Encryption Systems
+
+6.3.1.  The NULL Encryption System (null)
+
+     If no encryption is in use, the  encryption  system  is
+said  to be the NULL encryption system.  In the NULL encryp-
+tion system there is no  checksum,  confounder  or  padding.
+The  ciphertext  is  simply  the plaintext.  The NULL Key is
+used by the null encryption system and  is  zero  octets  in
+length, with keytype zero (0).
+
+
+
+Section 6.3.1.             - 78 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+6.3.2.  DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  A CRC-32 checksum  (described  in
+ISO  3309  [15])  is  applied  to the confounder and message
+sequence (msg-seq) and  placed  in  the  cksum  field.   DES
+blocks  are  8 bytes.  As a result, the data to be encrypted
+(the concatenation of  confounder,  checksum,  and  message)
+must be padded to an 8 byte boundary before encryption.  The
+details of the encryption of  this  data  are  identical  to
+those for the des-cbc-md5 encryption mode.
+
+     Note that, since the CRC-32 checksum is not  collision-
+proof,   an  attacker  could  use  a  probabilistic  chosen-
+plaintext attack to generate a valid message even if a  con-
+founder is used  [14].  The use of collision-proof checksums
+is recommended for environments where such attacks represent
+a significant threat.  The use of the CRC-32 as the checksum
+for ticket or authenticator is  no  longer  mandated  as  an
+interoperability requirement for Kerberos Version 5 Specifi-
+cation 1 (See section 9.1 for specific details).
+
+
+6.3.3.  DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+     The des-cbc-md4 encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  An  MD4  checksum  (described  in
+[16])  is  applied  to  the  confounder and message sequence
+(msg-seq) and placed in the cksum field.  DES blocks  are  8
+bytes.   As a result, the data to be encrypted (the concate-
+nation of confounder, checksum, and message) must be  padded
+to an 8 byte boundary before encryption.  The details of the
+encryption of this data are identical to those for the  des-
+cbc-md5 encryption mode.
+
+
+6.3.4.  DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  An MD5  checksum   (described  in
+[17].)  is  applied  to  the confounder and message sequence
+(msg-seq) and placed in the cksum field.  DES blocks  are  8
+bytes.   As a result, the data to be encrypted (the concate-
+nation of confounder, checksum, and message) must be  padded
+to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are  encoded  as  8-octet
+blocks  which are concatenated to make the 64-bit inputs for
+the DES algorithms.  The first octet  supplies  the  8  most
+significant  bits  (with  the  octet's MSbit used as the DES
+input block's MSbit, etc.), the  second  octet  the  next  8
+
+
+Section 6.3.4.             - 79 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+bits,  ..., and the eighth octet supplies the 8 least signi-
+ficant bits.
+
+     Encryption  under  DES  using  cipher  block   chaining
+requires  an  additional input in the form of an initializa-
+tion vector.  Unless otherwise  specified,  zero  should  be
+used  as  the  initialization  vector.  Kerberos' use of DES
+requires an 8-octet confounder.
+
+     The DES specifications identify some "weak" and  "semi-
+weak" keys; those keys shall not be used for encrypting mes-
+sages for use in Kerberos.  Additionally, because of the way
+that  keys are derived for the encryption of checksums, keys
+shall not be used that yield "weak" or "semi-weak" keys when
+eXclusive-ORed with the constant F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with  keytype  one  (1).
+This  consists of 56 bits of key, and 8 parity bits (one per
+octet).  The key is encoded as a series of 8 octets  written
+in  MSB-first  order.   The  bits  within  the  key are also
+encoded in MSB order.  For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+where B1,B2,...,B56 are the  key  bits  in  MSB  order,  and
+P1,P2,...,P8 are the parity bits, the first octet of the key
+would be B1,B2,...,B7,P1 (with B1 as the MSbit).   [See  the
+FIPS 81 introduction for reference.]
+
+     To generate a DES key from a  text  string  (password),
+the  text  string normally must have the realm and each com-
+ponent of the principal's  name  appended[37],  then  padded
+with ASCII nulls to an 8 byte boundary.  This string is then
+fan-folded and eXclusive-ORed with itself to form an 8  byte
+DES key.  The parity is corrected on the key, and it is used
+to generate a DES CBC checksum on the initial  string  (with
+the  realm and name appended).  Next, parity is corrected on
+the CBC checksum.  If the result matches a "weak" or  "semi-
+weak"  key  as  described  in  the  DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0.  Finally,
+the result is returned as the key.  Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          odd = 1;
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+__________________________
+[37] In some cases, it may be necessary to use  a  dif-
+ferent  "mix-in"  string for compatibility reasons; see
+the discussion of padata in section 5.4.2.
+
+
+Section 6.3.4.             - 80 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          fixparity(tempkey);
+          key = DES-CBC-check(s,tempkey);
+          fixparity(key);
+          if(is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+6.3.5.  Triple DES EDE in outer CBC mode with an SHA1 check-
+sum (des3-cbc-sha1)
+
+     The des3-cbc-sha1 encryption encodes information  using
+three  Data  Encryption  Standard transformations with three
+DES keys.  The first key  is  used  to  perform  a  DES  ECB
+encryption  on an eight-octet data block using the first DES
+key, followed by a DES ECB decryption of  the  result  using
+the  second  DES key, and a DES ECB encryption of the result
+using the third DES key.  Because DES blocks  are  8  bytes,
+the  data  to be encrypted (the concatenation of confounder,
+checksum, and message) must first be padded  to  an  8  byte
+boundary  before encryption.  To support the outer CBC mode,
+the input is padded an eight-octet boundary.   The  first  8
+octets  of  the  data  to  be  encrypted (the confounder) is
+exclusive-ored with an initialization  vector  of  zero  and
+then  ECB  encrypted  using  triple  DES as described above.
+Subsequent blocks of 8 octets are  exclusive-ored  with  the
+ciphertext  produced by the encryption on the previous block
+before ECB encryption.
+
+     An HMAC-SHA1 checksum  (described in  [18].) is applied
+to  the confounder and message sequence (msg-seq) and placed
+in the cksum field.
+
+     Plaintext  are encoded as 8-octet blocks which are con-
+catenated  to make the 64-bit inputs for the DES algorithms.
+The first octet supplies the 8 most significant  bits  (with
+the  octet's  MSbit  used  as  the  DES input block's MSbit,
+etc.), the second octet the next 8 bits, ..., and the eighth
+octet supplies the 8 least significant bits.
+
+     Encryption under Triple DES using cipher block chaining
+requires  an  additional input in the form of an initializa-
+tion vector.  Unless otherwise  specified,  zero  should  be
+used  as  the  initialization  vector.  Kerberos' use of DES
+requires an 8-octet confounder.
+
+     The DES specifications identify some "weak" and  "semi-
+
+
+Section 6.3.5.             - 81 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+weak" keys; those keys shall not be used for encrypting mes-
+sages for use in Kerberos.  Additionally, because of the way
+that  keys are derived for the encryption of checksums, keys
+shall not be used that yield "weak" or "semi-weak" keys when
+eXclusive-ORed with the constant F0F0F0F0F0F0F0F0.
+
+     A Triple DES key is 24 octets  of  data,  with  keytype
+seven  (7).  This consists of 168 bits of key, and 24 parity
+bits (one per octet).  The key is encoded as a series of  24
+octets  written  in MSB-first order, with the first 8 octets
+treated as the first DES key, the second  8  octets  as  the
+second  key,  and the third 8 octets the third DES key.  The
+bits within each key are also encoded  in  MSB  order.   For
+example,       if       the      encryption      key      is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+where  B1,B2,...,B56  are  the  key  bits  in MSB order, and
+P1,P2,...,P8 are the parity bits, the first octet of the key
+would  be  B1,B2,...,B7,P1 (with B1 as the MSbit).  [See the
+FIPS 81 introduction for reference.]
+
+     To generate a DES key from a  text  string  (password),
+the  text  string normally must have the realm and each com-
+ponent of the principal's name appended[38],
+
+     The input string (with any salt data appended to it) is
+n-folded  into  a  24  octet  (192 bit) string.  To n-fold a
+number X, replicate the input value to a length that is  the
+least common multiple of n and the length of X.  Before each
+repetition, the input X is rotated to the right  by  13  bit
+positions.   The  successive n-bit chunks are added together
+using  1's-complement  addition  (addition  with  end-around
+carry)  to  yield  a  n-bit result. (This transformation was
+proposed by Richard Basch)
+
+     Each successive set of 8 octets is taken as a DES  key,
+and  its parity is adjusted in the same manner as previously
+described.  If any of the three sets of  8  octets  match  a
+"weak" or "semi-weak" key as described in the DES specifica-
+tion,  that  chunk  is  eXclusive-ORed  with  the   constant
+00000000000000F0.   The  resulting DES keys are then used in
+sequence to perform a Triple-DES CBC encryption  of  the  n-
+folded  input  string (appended with any salt data), using a
+zero initial vector.  Parity, weak, and semi-weak  keys  are
+once  again  corrected  and the result is returned as the 24
+octet key.
+
+     Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+__________________________
+[38] In some cases, it may be necessary to use  a  dif-
+ferent  "mix-in"  string for compatibility reasons; see
+the discussion of padata in section 5.4.2.
+
+
+Section 6.3.5.             - 82 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tkey[24] = fold(s);
+          fixparity(tkey);
+          if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0;
+          if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0;
+          if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0;
+          key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0);
+          fixparity(key);
+          if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0;
+          if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0;
+          if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0;
+          return(key);
+     }
+
+6.4.  Checksums
+
+     The following is the ASN.1 definition used for a check-
+sum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+
+cksumtype This field indicates the algorithm  used  to  gen-
+          erate the accompanying checksum.
+
+checksum  This field contains the checksum  itself,  encoded
+          as an octet string.
+
+     Detailed  specification  of  selected  checksum   types
+appear  later  in  this  section.   Negative  values for the
+checksum type are reserved for local use.  All  non-negative
+values  are reserved for officially assigned type fields and
+interpretations.
+
+     Checksums used by Kerberos can  be  classified  by  two
+properties:   whether  they are collision-proof, and whether
+they are keyed.  It is infeasible  to  find  two  plaintexts
+which generate the same checksum value for a collision-proof
+checksum.  A key is required to perturb  or  initialize  the
+algorithm  in  a  keyed checksum.  To prevent message-stream
+modification by an active attacker, unkeyed checksums should
+only  be  used  when the checksum and message will be subse-
+quently encrypted (e.g. the checksums defined as part of the
+encryption algorithms covered earlier in this section).
+
+     Collision-proof checksums can be made  tamper-proof  if
+the  checksum  value is encrypted before inclusion in a mes-
+sage.  In such cases, the composition of  the  checksum  and
+
+
+Section 6.4.               - 83 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  encryption  algorithm  must  be  considered  a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using  DES  is  a
+new checksum algorithm of type RSA-MD5-DES).  For most keyed
+checksums, as well as for the  encrypted  forms  of  unkeyed
+collision-proof  checksums,  Kerberos  prepends a confounder
+before the checksum is calculated.
+
+6.4.1.  The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum  based  on  a
+cyclic  redundancy check as described in ISO 3309 [15].  The
+resulting checksum is four (4) octets in length.  The CRC-32
+is  neither  keyed  nor  collision-proof.   The  use of this
+checksum is not recommended.  An  attacker  using  a  proba-
+bilistic  chosen-plaintext attack as described in [14] might
+be able to generate an alternative  message  that  satisfies
+the  checksum.   The  use  of  collision-proof  checksums is
+recommended for environments where such attacks represent  a
+significant threat.
+
+6.4.2.  The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a  checksum  using  the
+RSA  MD4  algorithm  [16].   The algorithm takes as input an
+input message of arbitrary length and produces as  output  a
+128-bit  (16  octet)  checksum.   RSA-MD4  is believed to be
+collision-proof.
+
+6.4.3.  RSA MD4 Cryptographic Checksum Using  DES  (rsa-md4-
+des)
+
+     The RSA-MD4-DES checksum calculates a keyed  collision-
+proof  checksum  by  prepending an 8 octet confounder before
+the text, applying  the  RSA  MD4  checksum  algorithm,  and
+encrypting  the  confounder  and  the  checksum using DES in
+cipher-block-chaining (CBC) mode using a variant of the key,
+where  the  variant  is  computed by eXclusive-ORing the key
+with the constant F0F0F0F0F0F0F0F0[39].  The  initialization
+vector  should be zero.  The resulting checksum is 24 octets
+long (8 octets of which are redundant).   This  checksum  is
+tamper-proof and believed to be collision-proof.
+
+     The DES specifications identify some  "weak  keys"  and
+__________________________
+[39] A variant of the key is used to limit the use of a
+key  to a particular function, separating the functions
+of generating a checksum  from  other  encryption  per-
+formed   using   the   session   key.    The   constant
+F0F0F0F0F0F0F0F0 was chosen because  it  maintains  key
+parity.  The properties of DES precluded the use of the
+complement.  The same constant is used for similar pur-
+pose  in  the  Message  Integrity  Check in the Privacy
+Enhanced Mail standard.
+
+
+Section 6.4.3.             - 84 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+"semi-weak keys"; those keys shall not be used for  generat-
+ing RSA-MD4 checksums for use in Kerberos.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+
+
+6.4.4.  The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a  checksum  using  the
+RSA  MD5  algorithm.  [17].  The algorithm takes as input an
+input message of arbitrary length and produces as  output  a
+128-bit  (16  octet)  checksum.   RSA-MD5  is believed to be
+collision-proof.
+
+6.4.5.  RSA MD5 Cryptographic Checksum Using  DES  (rsa-md5-
+des)
+
+     The RSA-MD5-DES checksum calculates a keyed  collision-
+proof  checksum  by  prepending an 8 octet confounder before
+the text, applying  the  RSA  MD5  checksum  algorithm,  and
+encrypting  the  confounder  and  the  checksum using DES in
+cipher-block-chaining (CBC) mode using a variant of the key,
+where  the  variant  is  computed by eXclusive-ORing the key
+with the constant F0F0F0F0F0F0F0F0.  The initialization vec-
+tor  should  be  zero.   The resulting checksum is 24 octets
+long (8 octets of which are redundant).   This  checksum  is
+tamper-proof and believed to be collision-proof.
+
+     The DES specifications identify some  "weak  keys"  and
+"semi-weak  keys"; those keys shall not be used for encrypt-
+ing RSA-MD5 checksums for use in Kerberos.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for  those  who
+
+
+Section 6.4.5.             - 85 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+prefer an ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+
+6.4.6.  DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed  by  prepending  an  8
+octet confounder to the plaintext, performing a DES CBC-mode
+encryption on the result using the key and an initialization
+vector  of  zero,  taking  the last block of the ciphertext,
+prepending the same confounder and encrypting the pair using
+DES in cipher-block-chaining (CBC) mode using a a variant of
+the key, where the variant is  computed  by  eXclusive-ORing
+the key with the constant F0F0F0F0F0F0F0F0.  The initializa-
+tion vector should be zero.  The resulting checksum  is  128
+bits (16 octets) long, 64 bits of which are redundant.  This
+checksum is tamper-proof and collision-proof.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+
+     The DES specifications identify some "weak" and  "semi-
+weak"  keys;  those  keys  shall  not be used for generating
+DES-MAC checksums for use in Kerberos, nor shall  a  key  be
+used whose variant is "weak" or "semi-weak".
+
+6.4.7.  RSA MD4 Cryptographic Checksum Using DES alternative
+(rsa-md4-des-k)
+
+     The   RSA-MD4-DES-K   checksum   calculates   a   keyed
+collision-proof  checksum  by  applying the RSA MD4 checksum
+algorithm and encrypting the results using  DES  in  cipher-
+block-chaining  (CBC)  mode  using a DES key as both key and
+initialization vector.  The resulting checksum is 16  octets
+long.   This  checksum  is  tamper-proof  and believed to be
+collision-proof.  Note that this checksum type  is  the  old
+method  for  encoding  the RSA-MD4-DES checksum and it is no
+
+
+Section 6.4.7.             - 86 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+longer recommended.
+
+6.4.8.  DES cipher-block chained checksum alternative  (des-
+mac-k)
+
+     The DES-MAC-K checksum is computed by performing a  DES
+CBC-mode  encryption  of  the  plaintext, and using the last
+block of the ciphertext as the checksum value.  It is  keyed
+with  an  encryption  key  and an initialization vector; any
+uses which do not specify an additional initialization  vec-
+tor  will use the key as both key and initialization vector.
+The resulting checksum is 64 bits  (8  octets)  long.   This
+checksum  is  tamper-proof  and  collision-proof.  Note that
+this checksum type is the old method for encoding  the  DES-
+MAC checksum and it is no longer recommended.
+
+     The DES specifications identify some  "weak  keys"  and
+"semi-weak  keys"; those keys shall not be used for generat-
+ing DES-MAC checksums for use in Kerberos.
+
+7.  Naming Constraints
+
+
+7.1.  Realm Names
+
+     Although realm names are encoded as GeneralStrings  and
+although a realm can technically select any name it chooses,
+interoperability across realm boundaries requires  agreement
+on  how realm names are to be assigned, and what information
+they imply.
+
+     To enforce these conventions, each realm  must  conform
+to  the  conventions  itself,  and  it must require that any
+realms with which inter-realm keys are shared  also  conform
+to the conventions and require the same from its neighbors.
+
+     Kerberos realm names are case sensitive.   Realm  names
+that  differ  only  in  the  case  of the characters are not
+equivalent.  There are presently four styles of realm names:
+domain,  X500,  other, and reserved.  Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+
+Domain names must look like domain names:  they  consist  of
+components separated by periods (.) and they contain neither
+colons (:) nor slashes (/).  Domain names must be  converted
+to upper case when used as realm names.
+
+     X.500 names contain an equal (=) and cannot  contain  a
+
+
+Section 7.1.               - 87 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+colon (:) before the equal.  The realm names for X.500 names
+will be string representations of the names with  components
+separated by slashes.  Leading and trailing slashes will not
+be included.
+
+     Names that fall into the other category must begin with
+a  prefix  that  contains no equal (=) or period (.) and the
+prefix must be followed by a colon (:) and the rest  of  the
+name.   All  prefixes  must  be  assigned before they may be
+used.  Presently none are assigned.
+
+     The reserved category includes  strings  which  do  not
+fall  into  the  first  three categories.  All names in this
+category are reserved.  It is unlikely that  names  will  be
+assigned  to  this  category  unless  there is a very strong
+argument for not using the "other" category.
+
+     These rules guarantee that there will be  no  conflicts
+between  the  various name styles.  The following additional
+constraints apply to the assignment of realm  names  in  the
+domain  and  X.500  categories:  the name of a realm for the
+domain or X.500 formats must either be used by the organiza-
+tion  owning  (to  whom  it was assigned) an Internet domain
+name or X.500 name, or in the case that no  such  names  are
+registered,  authority  to  use  a realm name may be derived
+from the authority of the  parent  realm.  For  example,  if
+there  is  no domain name for E40.MIT.EDU, then the adminis-
+trator of the MIT.EDU realm can authorize the creation of  a
+realm with that name.
+
+     This is acceptable because the  organization  to  which
+the  parent  is  assigned  is  presumably  the  organization
+authorized to assign names to its children in the X.500  and
+domain  name systems as well.  If the parent assigns a realm
+name without also registering it in the domain name or X.500
+hierarchy,  it  is  the parent's responsibility to make sure
+that there will not in the future exists a name identical to
+the  realm  name  of  the child unless it is assigned to the
+same entity as the realm name.
+
+
+7.2.  Principal Names
+
+     As was the case for realm names, conventions are needed
+to ensure that all agree on what information is implied by a
+principal name.  The name-type field that  is  part  of  the
+principal  name indicates the kind of information implied by
+the name.  The  name-type  should  be  treated  as  a  hint.
+Ignoring  the  name type, no two names can be the same (i.e.
+at least one of the components, or the realm, must  be  dif-
+ferent).   This  constraint may be eliminated in the future.
+The following name types are defined:
+
+                    name-type      value   meaning
+
+
+Section 7.2.               - 88 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+   NT-UNKNOWN     0   Name type not known
+   NT-PRINCIPAL   1   General principal name (e.g. username, or DCE principal)
+   NT-SRV-INST    2   Service and other unique instance (krbtgt)
+   NT-SRV-HST     3   Service with host name as instance (telnet, rcommands)
+   NT-SRV-XHST    4   Service with slash-separated host name components
+   NT-UID         5   Unique ID
+
+
+When a name implies no information other than its uniqueness
+at a particular time the name type PRINCIPAL should be used.
+The principal name type should be used  for  users,  and  it
+might  also  be  used for a unique server.  If the name is a
+unique machine generated ID that is guaranteed never  to  be
+reassigned  then  the  name type of UID should be used (note
+that it is generally a bad idea to  reassign  names  of  any
+type  since  stale  entries  might  remain in access control
+lists).
+
+     If the first component of a name identifies  a  service
+and  the  remaining  components  identify an instance of the
+service in a server specified manner, then the name type  of
+SRV-INST  should  be  used.  An example of this name type is
+the Kerberos ticket-granting service whose name has a  first
+component  of  krbtgt and a second component identifying the
+realm for which the ticket is valid.
+
+     If instance is a single component following the service
+name  and  the  instance  identifies  the  host on which the
+server is running, then the  name  type  SRV-HST  should  be
+used.   This  type  is  typically used for Internet services
+such as telnet and the Berkeley R commands.  If the separate
+components  of the host name appear as successive components
+following the name of the service, then the name  type  SRV-
+XHST  should  be  used.  This type might be used to identify
+servers on hosts with X.500 names where the slash (/)  might
+otherwise be ambiguous.
+
+     A name type of UNKNOWN should be used when the form  of
+the name is not known.  When comparing names, a name of type
+UNKNOWN will match principals authenticated  with  names  of
+any  type.   A  principal  authenticated with a name of type
+UNKNOWN, however, will only match other names of  type  UNK-
+NOWN.
+
+     Names of any type with an initial component of "krbtgt"
+are  reserved for the Kerberos ticket granting service.  See
+section 8.2.3 for the form of such names.
+
+7.2.1.  Name of server principals
+
+     The principal identifier for a server on  a  host  will
+generally be composed of two parts: (1) the realm of the KDC
+with which the server is registered, and (2) a two-component
+
+
+Section 7.2.1.             - 89 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+name  of  type  NT-SRV-HST  if  the host name is an Internet
+domain name or a multi-component name of type NT-SRV-XHST if
+the  name of the host is of a form such as X.500 that allows
+slash (/) separators.  The first component of  the  two-  or
+multi-component  name  will  identify  the  service  and the
+latter components will identify the host.  Where the name of
+the  host  is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower  case.   If
+specified  by  the application protocol for services such as
+telnet and the Berkeley R commands  which  run  with  system
+privileges,  the  first  component  may be the string "host"
+instead of a service specific identifier.  When a  host  has
+an  official name and one or more aliases, the official name
+of the host must be used when constructing the name  of  the
+server principal.
+
+8.  Constants and other defined values
+
+
+8.1.  Host address types
+
+     All negative values  for  the  host  address  type  are
+reserved   for  local  use.   All  non-negative  values  are
+reserved for officially assigned type fields and interpreta-
+tions.
+
+     The values of the types for the following addresses are
+chosen  to match the defined address family constants in the
+Berkeley Standard Distributions of Unix.  They can be  found
+in  <sys/socket.h>  with symbolic names AF_xxx (where xxx is
+an abbreviation of the address family name).
+
+
+Internet addresses
+
+     Internet addresses  are  32-bit  (4-octet)  quantities,
+encoded in MSB order.  The type of internet addresses is two
+(2).
+
+CHAOSnet addresses
+
+     CHAOSnet addresses  are  16-bit  (2-octet)  quantities,
+encoded  in  MSB  order.   The type of CHAOSnet addresses is
+five (5).
+
+ISO addresses
+
+     ISO addresses are variable-length.   The  type  of  ISO
+addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities,  encoded
+in MSB order.  The type of XNS addresses is six (6).
+
+
+Section 8.1.               - 90 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number
+and a 16-bit network number.  The first octet of the address
+is the node number; the remaining two octets encode the net-
+work  number  in  MSB  order.   The  type  of  AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded
+in  LSB  order.   The  type  of DECnet Phase IV addresses is
+twelve (12).
+
+8.2.  KDC messages
+
+8.2.1.  IP transport
+
+     When  contacting  a  Kerberos  server   (KDC)   for   a
+KRB_KDC_REQ request using UDP IP transport, the client shall
+send a UDP datagram  containing  only  an  encoding  of  the
+request  to  port  88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram  containing  only  an
+encoding  of  the  reply  message  (either  a KRB_ERROR or a
+KRB_KDC_REP) to the sending port at the sender's IP address.
+
+     Kerberos servers supporting IP  transport  must  accept
+UDP  requests on port 88 (decimal).  Servers may also accept
+TCP requests on port 88  (decimal).   When  the  KRB_KDC_REQ
+message  is sent to the KDC by TCP, a new connection will be
+established  for  each  authentication  exchange   and   the
+KRB_KDC_REP  or  KRB_ERROR  message  will be returned to the
+client on the  TCP  stream  that  was  established  for  the
+request.   The connection will be broken after the reply has
+been received (or upon time-out).  Care  must  be  taken  in
+managing  TCP/IP  connections with the KDC to prevent denial
+of service attacks based on the number of TCP/IP connections
+with the KDC that remain open.
+
+8.2.2.  OSI transport
+
+     During authentication  of  an  OSI  client  to  an  OSI
+server, the mutual authentication of an OSI server to an OSI
+client, the transfer of credentials from an OSI client to an
+OSI  server,  or  during  exchange  of  private or integrity
+checked messages, Kerberos protocol messages may be  treated
+as opaque objects and the type of the authentication mechan-
+ism will be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),
+                       kerberosv5(2)} 
+
+Depending on the situation, the opaque  object  will  be  an
+authentication  header (KRB_AP_REQ), an authentication reply
+(KRB_AP_REP), a safe message (KRB_SAFE), a  private  message
+
+
+Section 8.2.2.             - 91 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+(KRB_PRIV), or a credentials message (KRB_CRED).  The opaque
+data contains an application code as specified in the  ASN.1
+description  for  each message.  The application code may be
+used by Kerberos to determine the message type.
+
+8.2.3.  Name of the TGS
+
+     The principal identifier of the ticket-granting service
+shall  be  composed of three parts: (1) the realm of the KDC
+issuing the TGS ticket (2) a two-part name of  type  NT-SRV-
+INST,  with  the first part "krbtgt" and the second part the
+name of the realm  which  will  accept  the  ticket-granting
+ticket.  For example, a ticket-granting ticket issued by the
+ATHENA.MIT.EDU realm to be used  to  get  tickets  from  the
+ATHENA.MIT.EDU   KDC   has   a   principal   identifier   of
+"ATHENA.MIT.EDU"   (realm),   ("krbtgt",   "ATHENA.MIT.EDU")
+(name).     A   ticket-granting   ticket   issued   by   the
+ATHENA.MIT.EDU realm to be used  to  get  tickets  from  the
+MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU"
+(realm), ("krbtgt", "MIT.EDU") (name).
+
+
+8.3.  Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings.
+
+Encryption type  etype value  block size    minimum pad size  confounder size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+<reserved>        4
+des3-cbc-md5      5            8                 0                 8
+<reserved>        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+<reserved>       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             10                  20  (I had this as 10, is it 12)
+
+
+Section 8.3.               - 92 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+<reserved>                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+
+authorization data type         ad-type value
+reserved values                 0-63
+OSF-DCE                         64
+SESAME                          65
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+
+Section 8.3.               - 93 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+name types
+
+KRB_NT_UNKNOWN       0   Name type not known
+KRB_NT_PRINCIPAL     1   Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST      2   Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST       3   Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST      4   Service with host as remaining components
+KRB_NT_UID           5   Unique ID
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired-
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+
+
+
+Section 8.3.               - 94 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+
+
+9.  Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of
+options.   Among  these are multiple encryption and checksum
+types, alternative encoding schemes for the transited field,
+optional  mechanisms for pre-authentication, the handling of
+tickets with no addresses, options  for  mutual  authentica-
+tion, user to user authentication, support for proxies, for-
+warding, postdating, and renewing  tickets,  the  format  of
+realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of  realms,  it
+is necessary to define a minimal configuration which must be
+supported by all implementations.  This  minimal  configura-
+tion  is subject to change as technology does.  For example,
+if at some later date it  is  discovered  that  one  of  the
+required encryption or checksum algorithms is not secure, it
+will be replaced.
+
+9.1.  Specification 1
+
+     This section defines the first specification  of  these
+options.   Implementations  which are configured in this way
+can be said to support Kerberos Version  5  Specification  1
+(5.1).
+
+Encryption and checksum methods
+
+The following encryption and  checksum  mechanisms  must  be
+supported.   Implementations may support other mechanisms as
+well, but the additional mechanisms may only  be  used  when
+communicating with principals known to also support them:
+This list is to be determined.
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+
+__________________________
+- This error carries additional information in  the  e-
+data  field.  The contents of the e-data field for this
+message is described in section 5.9.1.
+
+
+
+Section 9.1.               - 95 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Realm Names
+
+All implementations must understand hierarchical  realms  in
+both the Internet Domain and the X.500 style.  When a ticket
+granting ticket for an unknown realm is requested,  the  KDC
+must  be  able  to  determine  the names of the intermediate
+realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must  be
+supported.  Alternative encodings may be supported, but they
+may be used only when that  encoding  is  supported  by  ALL
+intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported.  The TGS-REQ method is
+not  used  on  the  initial  request.   The PA-ENC-TIMESTAMP
+method must be  supported  by  clients  but  whether  it  is
+enabled  by  default  may  be determined on a realm by realm
+basis.  If not used in the initial  request  and  the  error
+KDC_ERR_PREAUTH_REQUIRED   is  returned  specifying  PA-ENC-
+TIMESTAMP as an acceptable method, the client  should  retry
+the   initial   request   using  the  PA-ENC-TIMESTAMP  pre-
+authentication method.  Servers need  not  support  the  PA-
+ENC-TIMESTAMP method, but if not supported the server should
+ignore the presence of  PA-ENC-TIMESTAMP  pre-authentication
+in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message)  must  be
+supported.
+
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e.
+if  a TGT contains no addresses, the KDC will return deriva-
+tive tickets), but each realm may set  its  own  policy  for
+issuing  such  tickets, and each application server will set
+its own policy with respect to accepting them.
+
+     Proxies and forwarded tickets must be supported.  Indi-
+vidual realms and application servers can set their own pol-
+icy on when such tickets will be accepted.
+
+     All implementations must recognize renewable and  post-
+dated  tickets,  but  need  not actually implement them.  If
+these options are not supported, the starttime  and  endtime
+in  the  ticket shall specify a ticket's entire useful life.
+When a postdated ticket is decoded by a server,  all  imple-
+mentations  shall  make  the  presence of the postdated flag
+
+
+Section 9.1.               - 96 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+visible to the calling server.
+
+User-to-user authentication
+
+Support for user to user authentication  (via  the  ENC-TKT-
+IN-SKEY KDC option) must be provided by implementations, but
+individual realms may decide as a matter of policy to reject
+such requests on a per-principal or realm-wide basis.
+
+Authorization data
+
+Implementations must pass all authorization  data  subfields
+from  ticket-granting  tickets  to  any  derivative  tickets
+unless directed to suppress a subfield as part of the defin-
+ition   of  that  registered  subfield  type  (it  is  never
+incorrect to pass on a subfield, and no registered  subfield
+types presently specify suppression at the KDC).
+
+     Implementations must make the contents of any  authori-
+zation  data subfields available to the server when a ticket
+is used.  Implementations are not required to allow  clients
+to specify the contents of the authorization data fields.
+
+9.2.  Recommended KDC values
+
+Following is a list of recommended values for a  KDC  imple-
+mentation, based on the list of suggested configuration con-
+stants (see section 4.4).
+
+minimum lifetime    5 minutes
+
+maximum renewable lifetime1 week
+
+maximum ticket lifetime1 day
+
+empty addresses     only when suitable  restrictions  appear
+                    in authorization data
+
+proxiable, etc.     Allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Section 9.2.               - 97 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+10.  REFERENCES
+
+
+
+1.   B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+     cation  Service for Computer Networks," IEEE Communica-
+     tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+2.   S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+     Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+     Authorization System, M.I.T. Project Athena, Cambridge,
+     Massachusetts (December 21, 1987).
+
+3.   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+     beros:  An Authentication Service for Open Network Sys-
+     tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+     Dallas, Texas (February, 1988).
+
+4.   Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+     Encryption for Authentication in Large Networks of Com-
+     puters,"  Communications  of  the  ACM,  Vol.   21(12),
+     pp. 993-999 (December, 1978).
+
+5.   Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+     stamps  in  Key Distribution Protocols," Communications
+     of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+6.   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+     "The Evolution of the Kerberos Authentication Service,"
+     in an IEEE Computer Society Text soon to  be  published
+     (June 1992).
+
+7.   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+     Accounting  for Distributed Systems," in Proceedings of
+     the 13th International Conference on  Distributed  Com-
+     puting Systems, Pittsburgh, PA (May, 1993).
+
+8.   Don Davis and Ralph Swick,  "Workstation  Services  and
+     Kerberos  Authentication  at Project Athena," Technical
+     Memorandum TM-424,  MIT Laboratory for Computer Science
+     (February 1990).
+
+9.   P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+     merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+     ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+     sachusetts (1987).
+
+10.  CCITT, Recommendation X.509: The Directory  Authentica-
+     tion Framework, December 1988.
+
+11.  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+     Guessing  Attacks, Open Software Foundation DCE Request
+     for Comments 26 (December 1992).
+
+
+
+Section 10.                - 98 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+12.  National Bureau of Standards, U.S. Department  of  Com-
+     merce,  "Data Encryption Standard," Federal Information
+     Processing Standards Publication  46,   Washington,  DC
+     (1977).
+
+13.  National Bureau of Standards, U.S. Department  of  Com-
+     merce,  "DES  Modes  of Operation," Federal Information
+     Processing Standards Publication 81,   Springfield,  VA
+     (December 1980).
+
+14.  Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+     Integrity  in  Cryptographic Protocols," in Proceedings
+     of the IEEE  Symposium  on  Research  in  Security  and
+     Privacy, Oakland, California (May 1992).
+
+15.  International Organization  for  Standardization,  "ISO
+     Information  Processing  Systems - Data Communication -
+     High-Level Data Link Control Procedure -  Frame  Struc-
+     ture," IS 3309 (October 1984).  3rd Edition.
+
+16.  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+     1320,   MIT  Laboratory  for  Computer  Science  (April
+     1992).
+
+17.  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+     1321,   MIT  Laboratory  for  Computer  Science  (April
+     1992).
+
+18.  H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+     Hashing  for  Message  Authentication,"  Working  Draft
+     draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Section 10.                - 99 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.  Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing  how  the
+messages  are  to  be constructed and interpreted by clients
+and servers.
+
+A.1.  KRB_AS_REQ generation
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.2.  KRB_AS_REQ verification and KRB_AS_REP generation
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+
+Section A.2.              - 100 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew) then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+
+Section A.2.              - 101 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+
+
+Section A.2.              - 102 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+
+
+Section A.2.              - 103 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.3.  KRB_AS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4.  KRB_AS_REP and KRB_TGS_REP common checks
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that */
+        /* should be are set                                               */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+
+
+Section A.4.              - 104 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5.  KRB_TGS_REQ generation
+        /* Note that make_application_request might have to recursivly     */
+        /* call this routine to get the appropriate ticket-granting ticket */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+
+
+Section A.5.              - 105 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname) then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+
+Section A.6.              - 106 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(server)) then
+                        server := best_intermediate_tgs(server);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+
+
+Section A.6.              - 107 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+
+Section A.6.              - 108 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would  */
+          /* have been rejected in the initial authentication stage, so     */
+          /* there is no need to check again here                           */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till >= kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+
+Section A.6.              - 109 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+
+
+
+Section A.6.              - 110 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7.  KRB_TGS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+
+
+Section A.7.              - 111 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.8.  Authenticator generation
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9.  KRB_AP_REQ generation
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10.  KRB_AP_REQ verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+
+
+Section A.10.             - 112 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11.  KRB_AP_REP generation
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+
+Section A.11.             - 113 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12.  KRB_AP_REP verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13.  KRB_SAFE generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+
+
+Section A.13.             - 114 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14.  KRB_SAFE verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15.  KRB_SAFE and KRB_PRIV common checks
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+
+Section A.15.             - 115 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16.  KRB_PRIV generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+
+A.17.  KRB_PRIV verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+
+
+Section A.17.             - 116 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18.  KRB_CRED generation
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+
+
+Section A.18.             - 117 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+               using negotiated encryption key;
+
+
+A.19.  KRB_CRED verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20.  KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+
+
+Section A.20.             - 118 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                          - 119 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                          - cxx -    Expires 11 January 1998
+
+
+
+
+
+
+
+
+
+
+                     Table of Contents
+
+
+
+
+Overview ..............................................    2
+
+Background ............................................    2
+
+1. Introduction .......................................    3
+
+1.1. Cross-Realm Operation ............................    5
+
+1.2. Authorization ....................................    6
+
+1.3. Environmental assumptions ........................    7
+
+1.4. Glossary of terms ................................    8
+
+2. Ticket flag uses and requests ......................   10
+
+2.1. Initial and pre-authenticated tickets ............   10
+
+2.2. Invalid tickets ..................................   11
+
+2.3. Renewable tickets ................................   11
+
+2.4. Postdated tickets ................................   12
+
+2.5. Proxiable and proxy tickets ......................   12
+
+2.6. Forwardable tickets ..............................   13
+
+2.7. Other KDC options ................................   14
+
+3. Message Exchanges ..................................   14
+
+3.1. The Authentication Service Exchange ..............   14
+
+3.1.1. Generation of KRB_AS_REQ message ...............   16
+
+3.1.2. Receipt of KRB_AS_REQ message ..................   16
+
+3.1.3. Generation of KRB_AS_REP message ...............   16
+
+3.1.4. Generation of KRB_ERROR message ................   19
+
+3.1.5. Receipt of KRB_AS_REP message ..................   19
+
+3.1.6. Receipt of KRB_ERROR message ...................   19
+
+3.2. The Client/Server Authentication Exchange ........   19
+
+3.2.1. The KRB_AP_REQ message .........................   20
+
+
+                           - i -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+3.2.2. Generation of a KRB_AP_REQ message .............   20
+
+3.2.3. Receipt of KRB_AP_REQ message ..................   21
+
+3.2.4. Generation of a KRB_AP_REP message .............   23
+
+3.2.5. Receipt of KRB_AP_REP message ..................   23
+
+3.2.6. Using the encryption key .......................   24
+
+3.3. The Ticket-Granting Service (TGS) Exchange .......   25
+
+3.3.1. Generation of KRB_TGS_REQ message ..............   26
+
+3.3.2. Receipt of KRB_TGS_REQ message .................   27
+
+3.3.3. Generation of KRB_TGS_REP message ..............   28
+
+3.3.3.1. Checking for revoked tickets .................   30
+
+3.3.3.2. Encoding the transited field .................   30
+
+3.3.4. Receipt of KRB_TGS_REP message .................   32
+
+3.4. The KRB_SAFE Exchange ............................   32
+
+3.4.1. Generation of a KRB_SAFE message ...............   32
+
+3.4.2. Receipt of KRB_SAFE message ....................   33
+
+3.5. The KRB_PRIV Exchange ............................   34
+
+3.5.1. Generation of a KRB_PRIV message ...............   34
+
+3.5.2. Receipt of KRB_PRIV message ....................   34
+
+3.6. The KRB_CRED Exchange ............................   35
+
+3.6.1. Generation of a KRB_CRED message ...............   35
+
+3.6.2. Receipt of KRB_CRED message ....................   35
+
+4. The Kerberos Database ..............................   36
+
+4.1. Database contents ................................   36
+
+4.2. Additional fields ................................   37
+
+4.3. Frequently Changing Fields .......................   38
+
+4.4. Site Constants ...................................   39
+
+5. Message Specifications .............................   39
+
+
+
+                           - ii -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.1. ASN.1 Distinguished Encoding Representation ......   39
+
+5.2. ASN.1 Base Definitions ...........................   40
+
+5.3. Tickets and Authenticators .......................   43
+
+5.3.1. Tickets ........................................   43
+
+5.3.2. Authenticators .................................   52
+
+5.4. Specifications for the AS and TGS exchanges ......   54
+
+5.4.1. KRB_KDC_REQ definition .........................   54
+
+5.4.2. KRB_KDC_REP definition .........................   61
+
+5.5. Client/Server (CS) message specifications ........   64
+
+5.5.1. KRB_AP_REQ definition ..........................   64
+
+5.5.2. KRB_AP_REP definition ..........................   65
+
+5.5.3. Error message reply ............................   67
+
+5.6. KRB_SAFE message specification ...................   67
+
+5.6.1. KRB_SAFE definition ............................   67
+
+5.7. KRB_PRIV message specification ...................   68
+
+5.7.1. KRB_PRIV definition ............................   68
+
+5.8. KRB_CRED message specification ...................   69
+
+5.8.1. KRB_CRED definition ............................   70
+
+5.9. Error message specification ......................   72
+
+5.9.1. KRB_ERROR definition ...........................   72
+
+6. Encryption and Checksum Specifications .............   74
+
+6.1. Encryption Specifications ........................   76
+
+6.2. Encryption Keys ..................................   78
+
+6.3. Encryption Systems ...............................   78
+
+6.3.1. The NULL Encryption System (null) ..............   78
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-
+cbc-crc) ..............................................   79
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-
+
+
+                          - iii -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+cbc-md4) ..............................................   79
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-
+cbc-md5) ..............................................   79
+
+6.3.5. Triple DES EDE in outer CBC mode with an SHA1
+checksum (des3-cbc-sha1) ..............................   81
+
+6.4. Checksums ........................................   83
+
+6.4.1. The CRC-32 Checksum (crc32) ....................   84
+
+6.4.2. The RSA MD4 Checksum (rsa-md4) .................   84
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES
+(rsa-md4-des) .........................................   84
+
+6.4.4. The RSA MD5 Checksum (rsa-md5) .................   85
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES
+(rsa-md5-des) .........................................   85
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES
+alternative (rsa-md4-des-k) ...........................   86
+
+6.4.8. DES cipher-block chained checksum alternative
+(des-mac-k) ...........................................   87
+
+7. Naming Constraints .................................   87
+
+7.1. Realm Names ......................................   87
+
+7.2. Principal Names ..................................   88
+
+7.2.1. Name of server principals ......................   89
+
+8. Constants and other defined values .................   90
+
+8.1. Host address types ...............................   90
+
+8.2. KDC messages .....................................   91
+
+8.2.1. IP transport ...................................   91
+
+8.2.2. OSI transport ..................................   91
+
+8.2.3. Name of the TGS ................................   92
+
+8.3. Protocol constants and associated values .........   92
+
+9. Interoperability requirements ......................   95
+
+
+
+                           - iv -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+9.1. Specification 1 ..................................   95
+
+9.2. Recommended KDC values ...........................   97
+
+10. REFERENCES ........................................   98
+
+A. Pseudo-code for protocol processing ................  100
+
+A.1. KRB_AS_REQ generation ............................  100
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP genera-
+tion ..................................................  100
+
+A.3. KRB_AS_REP verification ..........................  104
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks .........  104
+
+A.5. KRB_TGS_REQ generation ...........................  105
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP gen-
+eration ...............................................  106
+
+A.7. KRB_TGS_REP verification .........................  111
+
+A.8. Authenticator generation .........................  112
+
+A.9. KRB_AP_REQ generation ............................  112
+
+A.10. KRB_AP_REQ verification .........................  112
+
+A.11. KRB_AP_REP generation ...........................  113
+
+A.12. KRB_AP_REP verification .........................  114
+
+A.13. KRB_SAFE generation .............................  114
+
+A.14. KRB_SAFE verification ...........................  115
+
+A.15. KRB_SAFE and KRB_PRIV common checks .............  115
+
+A.16. KRB_PRIV generation .............................  116
+
+A.17. KRB_PRIV verification ...........................  116
+
+A.18. KRB_CRED generation .............................  117
+
+A.19. KRB_CRED verification ...........................  118
+
+A.20. KRB_ERROR generation ............................  118
+
+
+
+
+
+
+
+                           - v -     Expires 11 January 1998
+
+
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
new file mode 100644
index 0000000..78db9d7
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
@@ -0,0 +1,6214 @@
+
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                       21 November 1997
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft. Internet-Drafts are working documents of
+the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet-Drafts as reference material or to cite them
+other than as 'work in progress.'
+
+To learn the current status of any Internet-Draft, please check the
+'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow
+Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-r-01.txt, and expires 21 May 1998. Please send
+comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others.
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used.
+
+Details on the differences between Kerberos Versions 4 and 5 can be found in
+[KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket.
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. The
+recipient verifies that the operating system's report of the sender's
+address matches the sender's address in the message, and (if a recipient
+address is specified or the recipient requires an address) that one of the
+recipient's addresses appears as the recipient's address in the message. A
+failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the
+timestamp and usec and/or the sequence number fields are checked. If
+timestamp and usec are expected and not present, or they are present but not
+current, the KRB_AP_ERR_SKEW error is generated. If the server name, along
+with the client name, time and microsecond fields from the Authenticator
+match any recently-seen (sent or received[20] ) such tuples, the
+KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is
+included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+Finally, the checksum is computed over the data and control information, and
+if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is
+generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that the
+operating system's report of the sender's address matches the sender's
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+generated.
+
+If present or required, the recipient verifies that the operating system's
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.2. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING {
+                  reserved(0),
+                  use-session-key(1),
+                  mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+                  reserved(0),
+                  forwardable(1),
+                  forwarded(2),
+                  proxiable(3),
+                  proxy(4),
+                  may-postdate(5),
+                  postdated(6),
+                  invalid(7),
+                  renewable(8),
+                  initial(9),
+                  pre-authent(10),
+                  hw-authent(11),
+                  transited-policy-checked(12),
+                  ok-as-delegate(13)
+}
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KDCOptions ::=   BIT STRING {
+                  reserved(0),
+                  forwardable(1),
+                  forwarded(2),
+                  proxiable(3),
+                  proxy(4),
+                  allow-postdate(5),
+                  postdated(6),
+                  unused7(7),
+                  renewable(8),
+                  unused9(9),
+                  unused10(10),
+                  unused11(11),
+                  unused12(12),
+                  unused13(13),
+                  disable-transited-check(26),
+                  renewable-ok(27),
+                  enc-tkt-in-skey(28),
+                  renew(30),
+                  validate(31)
+}
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest multiple of 32 bits needed to
+include the highest order bit that is set (1), but in no case less than 32
+bits. Implementations should accept values of bit strings of any length and
+treat the value of flags cooresponding to bits beyond the end of the bit
+string as if the bit were reset (0). Comparisonof bit strings of different
+length should treat the smaller string as if it were padded with zeros
+beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type).
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     the two will always be identical.
+sname
+     This field specifies the name part of the server's identity.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Ker- beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's worksta- tion could
+     use the credentials from there. Including the network addresses only
+     makes it more difficult, not impossible, for an attacker to walk off
+     with stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the name
+     of a privelege server), and this entity adds restrictions on its own
+     authority and delegates the restricted authority through a proxy to the
+     client. The client would then present this authorization credential to
+     the application server separately from the authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of  this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates  that
+                                      the  ticket  to be issued is to have its
+                                      forwardable flag set.  It  may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based is also for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only  specified
+                                      in  a  request  to  the  ticket-granting
+                                      server and will only be honored  if  the
+                                      ticket-granting  ticket  in  the request
+                                      has  its  FORWARDABLE  bit  set.    This
+                                      option  indicates that this is a request
+                                      for forwarding.  The address(es) of  the
+                                      host  from which the resulting ticket is
+                                      to  be  valid  are   included   in   the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that  the
+                                      ticket to be issued is to have its prox-
+                                      iable flag set.  It may only be  set  on
+                                      the  initial request, or in a subsequent
+                                      request if the ticket-granting ticket on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this  is
+                                      a request for a proxy.  This option will
+                                      only be honored if  the  ticket-granting
+                                      ticket  in the request has its PROXIABLE
+                                      bit set.  The address(es)  of  the  host
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      from which the resulting ticket is to be
+                                       valid  are  included  in  the  addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates that
+                                      the  ticket  to be issued is to have its
+                                      MAY-POSTDATE flag set.  It may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based also has its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that this
+                                      is  a  request  for  a postdated ticket.
+                                      This option will only be honored if  the
+                                      ticket-granting  ticket  on  which it is
+                                      based has  its  MAY-POSTDATE  flag  set.
+                                      The  resulting ticket will also have its
+                                      INVALID flag set, and that flag  may  be
+                                      reset by a subsequent request to the KDC
+                                      after the starttime in  the  ticket  has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that  the
+                                      ticket  to  be  issued  is  to  have its
+                                      RENEWABLE flag set.  It may only be  set
+                                      on  the  initial  request,  or  when the
+                                      ticket-granting  ticket  on  which   the
+                                      request  is based is also renewable.  If
+                                      this option is requested, then the rtime
+                                      field   in   the  request  contains  the
+                                      desired absolute expiration time for the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option  indicates
+                                      that  the  ticket to be issued is not to
+                                      identify  the  user  to  which  it   was
+                                      issued.  Instead, the principal identif-
+                                      ier is to be generic,  as  specified  by
+                                      the  policy  of  the realm (e.g. usually
+                                      anonymous@realm).  The  purpose  of  the
+                                      ticket  is only to securely distribute a
+                                      session key, and  not  to  identify  the
+                                      user.   The ANONYMOUS flag on the ticket
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      to be returned should be  set.   If  the
+                                      local  realms  policy  does  not  permit
+                                      anonymous credentials, the request is to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited field
+                                      is disabled.  Tickets issued without the
+                                      performance of this check will be noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that a
+                                      renewable ticket will be acceptable if a
+                                      ticket with the  requested  life  cannot
+                                      otherwise be provided.  If a ticket with
+                                      the requested life cannot  be  provided,
+                                      then  a  renewable  ticket may be issued
+                                      with  a  renew-till  equal  to  the  the
+                                      requested  endtime.   The  value  of the
+                                      renew-till field may still be limited by
+                                      local  limits, or limits selected by the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the  ticket-
+                                      granting  service.   The ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for the
+                                      end  server  is  to  be encrypted in the
+                                      session key from the additional  ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the  ticket-
+                                      granting   service.   The  RENEW  option
+                                      indicates that the  present  request  is
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      for  a  renewal.  The ticket provided is
+                                      encrypted in  the  secret  key  for  the
+                                      server  on  which  it  is  valid.   This
+                                      option  will  only  be  honored  if  the
+                                      ticket  to  be renewed has its RENEWABLE
+                                      flag set and if the time in  its  renew-
+                                      till  field  has not passed.  The ticket
+                                      to be renewed is passed  in  the  padata
+                                      field  as  part  of  the  authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the  ticket-
+                                      granting  service.   The VALIDATE option
+                                      indicates that the request is  to  vali-
+                                      date  a  postdated ticket.  It will only
+                                      be honored if the  ticket  presented  is
+                                      postdated,  presently  has  its  INVALID
+                                      flag set, and would be otherwise  usable
+                                      at  this time.  A ticket cannot be vali-
+                                      dated before its starttime.  The  ticket
+                                      presented for validation is encrypted in
+                                      the key of the server for  which  it  is
+                                      valid  and is passed in the padata field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+          Bit(s)   Name              Description
+          0        RESERVED
+                                     Reserved for future  expansion  of  this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option   indicates
+                                     that the ticket the client is presenting
+                                     to a server is encrypted in the  session
+                                     key  from  the  server's ticket-granting
+                                     ticket.  When this option is not  speci-
+                                     fied,  the  ticket  is  encrypted in the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells  the
+                                     server  that  the client requires mutual
+                                     authentication, and that it must respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                          Reserved for future use.
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message. It is
+     to be encoded separately and then have the checksum computed over it,
+     for use in the cksum field.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE-BODY sequence.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is not protected by any encryption, it
+is quite possible for an intruder to synthesize or modify such a message. In
+particular, this means that the client should not use any fields in this
+message for security-critical purposes, such as setting a system clock or
+generating a fresh authenticator. The message can be useful, however, for
+advising a user on the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+                e-typed-data[14]              SEQUENCE of ETypedData OPTIONAL
+}
+
+ETypedData ::=  SEQUENCE {
+                e-data-type    [1] INTEGER,
+                e-data-value   [2] OCTET STRING,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If the
+     errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
+     contain an encoding of a sequence of padata fields, each corresponding
+     to an acceptable pre-authentication method and optionally containing
+     data for the method:
+
+     METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+     If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+     contain an encoding of the following sequence:
+
+     METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     }
+
+     method-type will indicate the required alternate method; method-data
+     will contain any required additional information.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+e-typed-data
+     [This field for discussion, may be deleted from final spec] This field
+     contains optional data that may be used to help the client recover from
+     the indicated error. [This could contain the METHOD-DATA specified
+     since I don't think anyone actually uses it yet. It could also contain
+     the PA-DATA sequence for the preauth required error if we had a clear
+     way to transition to the use of this field from the use of the untype
+     e-data field.] For example, this field may specify the key version of
+     the key used to verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to verify
+                                preauthentication 
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use stream
+encryption ciphers, which can be simulated using commonly available block
+encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption is
+used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in confidence.
+Proof of knowledge of this secret key is used to verify the authenticity of
+a principal.
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+the ability to obtain the secret key or session key implies the knowledge of
+the appropriate keys and the identity of the KDC. The ability of a principal
+to decrypt the KDC response and present a Ticket and a properly formed
+Authenticator (generated with the session key from the KDC response) to a
+service verifies the identity of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove its knowledge
+thereof in a response verifies the identity of the service.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen to
+make brute force attacks more difficult. Poorly chosen keys still make easy
+targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder) at
+the start of the message. The requirements for a confounder are specified
+with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included. It
+is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because users
+who are registered in more than one realm will often use the same password
+in each, and it is desirable that an attacker compromising the Kerberos
+server in one realm not obtain or derive the user's key in another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption algorithm
+to data composed of the message and algorithm-specific inputs. Encryption
+mechanisms defined for use with Kerberos must take sufficient measures to
+guarantee the integrity of the plaintext, and we recommend they also take
+measures to protect against precomputed dictionary attacks. If the
+encryption algorithm is not itself capable of doing so, the protections can
+often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5 which
+is to be encrypted. The confounder, checksum, and padding are all untagged
+and untyped, and their length is exactly sufficient to hold the appropriate
+item. The type and length is implicit and specified by the particular
+encryption type being used (etype). The format for the data to be encrypted
+is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and the
+appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which are
+not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+encryption type to communicate with all others using that type, the
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional information.
+6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption key that follows in the
+     keyvalue field. It will almost always correspond to the encryption
+     algorithm used to generate the EncryptedData, though more than one
+     algorithm may use the same type of key (the mapping is many to one).
+     This might happen, for example, if the encryption algorithm uses an
+     alternate checksum algorithm for an integrity check, or a different
+     chaining mechanism.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpreta- tions.
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. A
+CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field. DES
+blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
+of confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+String to key transformation
+
+To generate a DES key from a text string (password), the text string
+normally must have the realm and each component of the principal's name
+appended[37], then padded with ASCII nulls to an 8 byte boundary. This
+string is then fan-folded and eXclusive-ORed with itself to form an 8 byte
+DES key. The parity is corrected on the key, and it is used to generate a
+DES CBC checksum on the initial string (with the realm and name appended).
+Next, parity is corrected on the CBC checksum. If the result matches a
+'weak' or 'semi-weak' key as described in the DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0. Finally, the result is
+returned as the key. Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          odd = 1;
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          fixparity(tempkey);
+          key = DES-CBC-check(s,tempkey);
+          fixparity(key);
+          if(is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check-sum
+(des3-cbc-sha1)
+
+The des3-cbc-sha1 encryption encodes information using three Data Encryption
+Standard transformations with three DES keys. The first key is used to
+perform a DES ECB encryption on an eight-octet data block using the first
+DES key, followed by a DES ECB decryption of the result using the second DES
+key, and a DES ECB encryption of the result using the third DES key. Because
+DES blocks are 8 bytes, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must first be padded to an 8 byte
+boundary before encryption. To support the outer CBC mode, the input is
+padded to an eight-octet boundary. The first 8 octets of the data to be
+encrypted (the confounder) is exclusive-ored with an initialization vector
+of zero and then ECB encrypted using triple DES as described above.
+Subsequent blocks of 8 octets are exclusive-ored with the ciphertext
+produced by the encryption on the previous block before ECB encryption.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+An HMAC-SHA1 checksum (described in [KBC96].) is applied to the confounder
+and message sequence (msg-seq) and placed in the cksum field.
+
+Plaintext are encoded as blocks of 8 octets which are concatenated to make
+the 64-bit inputs for the DES algorithms. The first octet supplies the 8
+most significant bits (with the octet's MSbit used as the DES input block's
+MSbit, etc.), the second octet the next 8 bits, ..., and the eighth octet
+supplies the 8 least significant bits.
+
+Encryption under Triple DES using cipher block chaining requires an
+additional input in the form of an initialization vector. Unless otherwise
+specified, zero should be used as the initialization vector. Kerberos' use
+of DES requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A Triple DES key is 24 octets of data, with keytype seven (7). This consists
+of 168 bits of key, and 24 parity bits (one per octet). The key is encoded
+as a series of 24 octets written in MSB-first order, with the first 8 octets
+treated as the first DES key, the second 8 octets as the second key, and the
+third 8 octets the third DES key. The bits within each key are also encoded
+in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+Key derivation for specified operations (Horowitz)
+
+[Discussion is needed for this section, especially since it does not simply
+derive key generation, but also specifies encryption using triple DES in a
+manner that is different than the basic template that was specified for
+single DES and similar systems]
+
+In the Kerberos protocol cryptographic keys are used in a number of places.
+In order to minimize the effect of compromising a key, it is desirable to
+use a different key in each of these places. Key derivation [Horowitz96] can
+be used to construct different keys for each operation from the keys
+transported on the network or derived from the password specified by the
+user.
+
+For each place where a key is used in Kerberos, a ``key usage'' is specified
+for that purpose. The key, key usage, and encryption/checksum type together
+describe the transformation from plaintext to ciphertext. For backwards
+compatibility, this key derivation is only specified here for encryption
+methods based on triple DES. Encryption methods specified for use by
+Kerberos in the future should specify the key derivation function to be
+used.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and one
+for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the key usage is represented as a 32 bit integer in network byte
+order. The ciphertest must be generated from the plaintext as follows:
+
+      ciphertext = E(Ke, confounder | length | plaintext | padding) |
+                   H(Ki, confounder | length | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+      MAC = H(Kc, length | plaintext)
+
+
+Note that each enctype is described by an encryption algorithm E and a keyed
+hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+The key usage value will be taken from the following list of places where
+keys are used in the Kerberos protocol, with key usage values and Kerberos
+specification section numbers:
+
+      1.  AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+          client key (section 5.4.1)
+      2.  AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+          application session key), encrypted with the service key
+          (section 5.4.2)
+      3.  AS-REP encrypted part (includes tgs session key or application
+          session key), encrypted with the client key (section 5.4.2)
+
+      4.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          session key (section 5.4.1)
+      5.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1)
+      6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+          with the tgs session key (sections 5.3.2, 5.4.1)
+      7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+          authenticator subkey), encrypted with the tgs session key
+          (section 5.3.2)
+      8.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs session key (section 5.4.2)
+      9.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs authenticator subkey (section 5.4.2)
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+      10. AP-REQ Authenticator cksum, keyed with the application session
+          key (section 5.3.2)
+      11. AP-REQ Authenticator (includes application authenticator
+          subkey), encrypted with the application session key (section
+          5.3.2)
+      12. AP-REP encrypted part (includes application session subkey),
+          encrypted with the application session key (section 5.5.2)
+
+      13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+          application (section 5.7.1)
+      14. KRB-CRED encrypted part, encrypted with a key chosen by the
+          application (section 5.6.1)
+      15. KRB-SAFE cksum, keyed with a key chosen by the application
+          (section 5.8.1)
+
+      16. Data which is defined in some specification outside of
+          Kerberos to be encrypted using Kerberos encryption type.
+      17. Data which is defined in some specification outside of
+          Kerberos to be checksummed using Kerberos checksum type.
+
+      18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+      19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+      20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+      21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+String to key transformation
+
+To generate a DES key from a text string (password), the text string
+normally must have the realm and each component of the principal's name
+appended[38].
+
+The input string (with any salt data appended to it) is n-folded into a 24
+octet (192 bit) string. To n-fold a number X, replicate the input value to a
+length that is the least common multiple of n and the length of X. Before
+each repetition, the input X is rotated to the right by 13 bit positions.
+The successive n-bit chunks are added together using 1's-complement addition
+(addition with end-around carry) to yield a n-bit result. (This
+transformation was proposed by Richard Basch)
+
+Each successive set of 8 octets is taken as a DES key, and its parity is
+adjusted in the same manner as previously described. If any of the three
+sets of 8 octets match a 'weak' or 'semi-weak key as described in the DES
+specification, that chunk is eXclusive-ORed with the hexadecimal constant
+00000000000000F0. The resulting DES keys are then used in sequence to
+perform a Triple-DES CBC encryption of the n-folded input string (appended
+with any salt data), using a zero initial vector. Parity, weak, and
+semi-weak keys are once again corrected and the result is returned as the 24
+octet key.
+
+Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          s = string + realm;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          for(each component in name) {
+               s = s + component;
+          }
+          tkey[24] = fold(s);
+          fixparity(tkey);
+          if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0;
+          if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0;
+          if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0;
+          key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0);
+          fixparity(key);
+          if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0;
+          if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0;
+          if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0;
+          return(key);
+     }
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether they
+are collision-proof, and whether they are keyed. It is infeasible to find
+two plaintexts which generate the same checksum value for a collision-proof
+checksum. A key is required to perturb or initialize the algorithm in a
+keyed checksum. To prevent message-stream modification by an active
+attacker, unkeyed checksums should only be used when the checksum and
+message will be subsequently encrypted (e.g. the checksums defined as part
+of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
+encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
+confounder before the checksum is calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
+as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
+octets in length. The CRC-32 is neither keyed nor collision-proof. The use
+of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to
+be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant). This
+checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to
+be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 24 octets long (8 octets of which are redundant). This checksum
+is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys'; those
+keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using DES
+in cipher-block-chaining (CBC) mode using a a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This
+checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos, nor
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using DES
+in cipher-block-chaining (CBC) mode using a DES key as both key and
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and it
+is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the checksum
+value. It is keyed with an encryption key and an initialization vector; any
+uses which do not specify an additional initialization vector will use the
+key as both key and initialization vector. The resulting checksum is 64 bits
+(8 octets) long. This checksum is tamper-proof and collision-proof. Note
+that this checksum type is the old method for encoding the DES-MAC checksum
+and it is no longer recommended. The DES specifications identify some 'weak
+keys' and 'semi-weak keys'; those keys shall not be used for generating
+DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in the
+case of the characters are not equivalent. There are presently four styles
+of realm names: domain, X500, other, and reserved. Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+equal. The realm names for X.500 names will be string representations of the
+names with components separated by slashes. Leading and trailing slashes
+will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment of
+realm names in the domain and X.500 categories: the name of a realm for the
+domain or X.500 formats must either be used by the organization owning (to
+whom it was assigned) an Internet domain name or X.500 name, or in the case
+that no such names are registered, authority to use a realm name may be
+derived from the authority of the parent realm. For example, if there is no
+domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children in
+the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring the
+name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet, rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+When a name implies no information other than its uniqueness at a particular
+time the name type PRINCIPAL should be used. The principal name type should
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+be used for users, and it might also be used for a unique server. If the
+name is a unique machine generated ID that is guaranteed never to be
+reassigned then the name type of UID should be used (note that it is
+generally a bad idea to reassign names of any type since stale entries might
+remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified manner,
+then the name type of SRV-INST should be used. An example of this name type
+is the Kerberos ticket-granting service whose name has a first component of
+krbtgt and a second component identifying the realm for which the ticket is
+valid.
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 1779.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for the
+Kerberos ticket granting service. See section 8.2.3 for the form of such
+names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host. Where
+the name of the host is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower case. If specified by the
+application protocol for services such as telnet and the Berkeley R commands
+which run with system privileges, the first component may be the string
+'host' instead of a service specific identifier. When a host has an official
+name and one or more aliases, the official name of the host must be used
+when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+8.1. Host address types
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+Internet (IPv6) Addresses
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network
+number. The first octet of the address is the node number; the remaining two
+octets encode the network number in MSB order. The type of AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+8.2.2. TCP/IP transport
+
+Kerberos servers (KDC's) must accept TCP requests on port 88 (decimal). When
+the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
+connection will be established for each authentication exchange (request and
+response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
+client on the same TCP stream that was established for the request. The
+connection will be broken after the reply has been received (or upon
+time-out). Care must be taken in managing TCP/IP connections with the KDC to
+prevent denial of service attacks based on the number of TCP/IP connections
+with the KDC that remain open. If multiple exchanges with the KDC are needed
+for certain forms of preauthentication, multiple TCP connections will be
+required. The response to a request made through TCP/IP transport must also
+use TCP/IP transport.
+
+The first four octets of the TCP stream used to transmit the request request
+will encode in network byte order the length of the request (KRB_KDC_REQ),
+and the length will be followed by the request itself. The response will
+similarly be preceeded by a 4 octet encoding in network byte order of the
+length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
+the KRB_KDC_REP or the KRB_ERROR response.
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in the
+ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed of
+three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
+name of type NT-SRV-INST, with the first part "krbtgt" and the second part
+the name of the realm which will accept the ticket-granting ticket. For
+example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
+of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
+ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
+tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings.
+
+Encryption type  etype value  block size    minimum pad size  confounder size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+        4
+des3-cbc-md5      5            8                 0                 8
+        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+rsa-pub-md5      11                                   (pkinit)
+rsa-pub-sha1     12                                   (pkinit)
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             10                  20  (I had this as 10, is it 12)
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+PA-USE-SPECIFIED-KVNO           20
+
+authorization data type         ad-type value
+AD-KDC-ISSUED                      1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-IF-RELEVANT                     4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 1779]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not 
+                                    supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+                                    to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired [40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH   66   (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among these
+are multiple encryption and checksum types, alternative encoding schemes for
+the transited field, optional mechanisms for pre-authentication, the
+handling of tickets with no addresses, options for mutual authentication,
+user to user authentication, support for proxies, forwarding, postdating,
+and renewing tickets, the format of realm names, and the handling of
+authorization data.
+
+In order to ensure the interoperability of realms, it is necessary to define
+a minimal configuration which must be supported by all implementations. This
+minimal configuration is subject to change as technology does. For example,
+if at some later date it is discovered that one of the required encryption
+or checksum algorithms is not secure, it will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification 2
+must support UDP/IP transport for messages with the KDC and may support
+TCP/IP transport.
+
+Encryption and checksum methods
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to also
+support them: This list is to be determined.
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the Internet
+Domain and the X.500 style. When a ticket granting ticket for an unknown
+realm is requested, the KDC must be able to determine the names of the
+intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but need
+not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling server.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
+must be provided by implementations, but individual realms may decide as a
+matter of policy to reject such requests on a per-principal or realm-wide
+basis.
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based on
+the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                retry or use alternate server;
+        endif
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew) then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        /* make sure no flags are set that shouldn't be, and that all that */
+        /* should be are set                                               */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly     */
+        /* call this routine to get the appropriate ticket-granting ticket */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname) then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would  */
+          /* have been rejected in the initial authentication stage, so     */
+          /* there is no need to check again here                           */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+        decode response into resp;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present)
+        then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part of
+the ticket. The types of the encapsulating elements are specified as part of
+the Kerberos specification ebcause the behavior based on these values should
+be understood across implementations whereas other elements need only be
+understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection heading.
+
+B.1. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may also
+be added to a delegated ticket by inclusion in the authenticator.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+For KDC-issued elements this is prevented because the elements are signed by
+the KDC by including a checksum encrypted using the server's key (the same
+key used to encrypt the ticket - or a key derived from that key). Elements
+encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not found,
+this element should be ignored. If found, then the encapsulated elements
+should be evaluated in the same manner as if they were present in the top
+level authorization data field. Applications and application servers that do
+not implement this element should reject tickets that contain authorization
+data elements of this type.
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by setting
+the condition count to the number of embedded elements. Application servers
+that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same has angorithm used to protect the
+integrity of the ticket itself. This checksum will be calculated over the
+entire extensions field. If there are more than one extension, all will be
+covered by the checksum. This restriction indicates that the ticket should
+not be accepted if the checksum does not match that calculated over the
+ticket extensions. Application servers that do not implement this element
+must reject tickets that contain authorization data elements of this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same has angorithm used to protect the
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list of
+constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that the
+KDC can determine on presentation of the ticket granting ticket whether the
+client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket extension.
+----------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the identity
+verification applies only to the initiation of the connection, and does not
+guarantee that subsequent messages on the connection originate from the same
+principal.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and engage
+in normal exchanges with that realm's services. However, for even small
+numbers of clients this becomes cumbersome, and more automatic methods as
+described here are necessary.
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by a
+local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This can
+only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is
+not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored in
+a nameserver, or it might be obtained from a configura- tion file. If the
+realm to be used is obtained from a nameserver, there is a danger of being
+spoofed if the nameservice providing the realm name is not authenti- cated.
+This might result in the use of a realm which has been compromised, and
+would result in an attacker's ability to compromise the authentication of
+the application server to the client.
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server keys
+in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the database
+and the server on the same machine; it is feasible to store the principal
+database in, say, a network name service, as long as the entries stored
+therein are protected from disclosure to and modification by unauthorized
+parties. However, we recommend against such strategies, as they can make
+system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a nonce
+will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper cipher
+chaining. The initialization vector might come from the last block of the
+ciphertext from the previous KRB_PRIV message, but it is the application's
+choice whether or not to use such an initialization vector. If left out, the
+default initialization vector for the encryption algorithm will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message starts
+with random data, but the tag and its length are fixed. For other fields,
+the length and tag would be redundant if they were included because they are
+specified by the encryption type. [36] The ordering of the fields in the
+CipherText is important. Additionally, messages encoded in this format must
+include a length as part of the msg-seq field. This allows the recipient to
+verify that the message has not been truncated. Without a length, an
+attacker could use a chosen plaintext attack to generate a message which
+could be truncated, while leaving the checksum intact. Note that if the
+msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
new file mode 100644
index 0000000..06d997d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
@@ -0,0 +1,6766 @@
+
+
+
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                    November 18th, 1998
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It
+is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as 'work in progress.'
+
+To learn the current status of any Internet-Draft, please check the
+'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-03.txt, and expires May 18th, 1999. 
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the
+Kerberos network authentication system is based. It also specifies Version
+5 of the Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard
+through the IETF standard process. Comments are encouraged on the
+presentation, but only minor refinements to the protocol as implemented or
+extensions that fit within current protocol framework will be considered at
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested
+by Denning and Sacco [DS81]. The original design and implementation of
+Kerberos Versions 1 through 4 was the work of two former Project Athena
+staff members, Steve Miller of Digital Equipment Corporation and Clifford
+Neuman (now at the Information Sciences Institute of the University of
+Southern California), along with Jerome Saltzer, Technical Director of
+Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many
+other members of Project Athena have also contributed to the work on
+Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol
+was led by Clifford Neuman and John Kohl with much input from the
+community. The development of the MIT reference implementation was led at
+MIT by John Kohl and Theodore T'so, with help and contributed code from
+many others. Since RFC1510 was issued, extensions and revisions to the
+protocol have been proposed by many individuals. Some of these proposals
+are reflected in this document. Where such changes involved significant
+effort, the document cites the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g.
+a workstation user or a network server) on an open (unprotected) network.
+This is accomplished without relying on assertions by the host operating
+system, without basing trust on host addresses, without requiring physical
+security of all the hosts on the network, and under the assumption that
+packets traveling along the network can be read, modified, and inserted at
+will[1]. Kerberos performs authentication under these conditions as a
+trusted third-party authentication service by using conventional (shared
+secret key [2] cryptography. Kerberos extensions have been proposed and
+implemented that provide for the use of public key cryptography during
+certain phases of the authentication protocol. These extensions provide for
+authentication of users registered with public key certification
+authorities, and allow the system to provide certain benefits of public key
+cryptography in situations where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in
+the client's key. The credentials consist of 1) a 'ticket' for the server
+and 2) a temporary encryption key (often called a "session key"). The
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+client transmits the ticket (which contains the client's identity and a
+copy of the session key, all encrypted in the server's key) to the server.
+The session key (now shared by the client and server) is used to
+authenticate the client, and may optionally be used to authenticate the
+server. It may also be used to encrypt further communication between the
+two parties or to exchange a separate sub-session key to be used to encrypt
+further communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their
+secret keys. Code libraries provide encryption and implement the Kerberos
+protocol. In order to add authentication to its transactions, a typical
+network application adds one or two calls to the Kerberos library directly
+or through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request
+for a ticket for the desired server to the AS. The reply is sent encrypted
+in the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client
+uses the TGT to authenticate itself to the TGS in the same manner as if it
+were contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry
+points within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent
+"in the clear" (parts of it are encrypted, but this encryption doesn't
+thwart replay) and might be intercepted and reused by an attacker,
+additional information is sent to prove that the message originated with
+the principal to whom the ticket was issued. This information (called the
+authenticator) is encrypted in the session key, and includes a timestamp.
+The timestamp proves that the message was recently generated and is not a
+replay. Encrypting the authenticator in the session key proves that it was
+generated by a party possessing the session key. Since no one except the
+requesting principal and the server know the session key (it is never sent
+over the network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+The authentication exchanges mentioned above require read-only access to
+the Kerberos database. Sometimes, however, the entries in the database must
+be modified, such as when adding new principals or changing a principal's
+key. This is done using a protocol between a client and a third Kerberos
+server, the Kerberos Administration Server (KADM). There is also a protocol
+for maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server
+in another. Each organization wishing to run a Kerberos server establishes
+its own 'realm'. The name of the realm in which a client is registered is
+part of the client's name, and can be used by the end-service to decide
+whether to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate
+key may be used for each direction) registers the ticket-granting service
+of each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share
+an inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is
+not directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical
+organization is not used, it may be necessary to consult a database in
+order to construct an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in
+authenticating the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to
+     successfully mount an offline dictionary attack by repeatedly
+     attempting to decrypt, with successive entries from a dictionary,
+     messages obtained which are encrypted under a key derived from the
+     user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A
+     typical mode of access control will use access control lists (ACLs) to
+     grant permissions to particular principals. If a stale ACL entry
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     remains for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified in the stale
+     ACL entry. By not re-using principal identifiers, the danger of
+     inadvertent access is removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been
+     recently generated using the session key known only by the client and
+     server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access
+     allowed for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted
+     by the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user.
+     Note that in some cases a Server may itself be a client of some other
+     server (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use
+     that ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and
+     ticket-granting ticket requests. The initial ticket portion is
+     sometimes referred to as the Authentication Server (or service). The
+     ticket-granting ticket portion is sometimes referred to as the
+     ticket-granting server (or service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than
+     one server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a
+     lifetime limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the
+various flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KDC before use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified. The KDC will only validate tickets after their
+starttime has passed. The validation is required so that postdated tickets
+which have been stolen before their starttime can be rendered permanently
+invalid (through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set
+in the KDC request. The KDC will issue a new ticket with a new session key
+and a later expiration time. All other fields of the ticket are left
+unmodified by the renewal process. When the latest permissible expiration
+time arrives, the ticket expires permanently. At each renewal, the KDC may
+consult a hot-list to determine if the ticket had been reported stolen
+since its last renewal; it will refuse to renew such stolen tickets, and
+thus the usable lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets
+in a batch queue, since they will be on-line longer and more prone to
+theft. Postdated tickets provide a way to obtain these tickets from the KDC
+at job submission time, but to leave them "dormant" until they are
+activated and validated by a further request of the KDC. If a ticket theft
+were reported in the interim, the KDC would refuse to validate the ticket,
+and the thief would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This
+flag must be set in a ticket-granting ticket in order to issue a postdated
+ticket based on the presented ticket. It is reset by default; it may be
+requested by a client by setting the ALLOW-POSTDATE option in the
+KRB_AS_REQ message. This flag does not allow a client to obtain a postdated
+ticket-granting ticket; postdated ticket-granting tickets can only by
+obtained by requesting the postdating in the KRB_AS_REQ message. The life
+(endtime-starttime) of a postdated ticket will be the remaining life of the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+ticket-granting ticket at the time of the request, unless the RENEWABLE
+option is also set, in which case it can be the full life
+(endtime-starttime) of the ticket-granting ticket. The KDC may limit how
+far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the
+identity of the client, but only for a particular purpose. A principal can
+allow a service to take on the principal's identity for a particular
+purpose by granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose
+must use the ticket forwarding mechanism described in the next section to
+forward a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When
+set, this flag tells the ticket-granting server that it is OK to issue a
+new ticket (but not a ticket-granting ticket) with a different network
+address based on this ticket. This flag is set if requested by the client
+on initial authentication. By default, the client will request that it be
+set when requesting a ticket granting ticket, and reset when requesting any
+other ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print
+server a proxy to access the client's files on a particular file server in
+order to satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in
+the ticket[4]. When granting a proxy, the client must specify the new
+network address from which the proxy is to be used, or indicate that the
+proxy is to be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may
+require additional authentication from the agent presenting the proxy in
+order to provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request
+that it be set by setting the FORWARDABLE option in the AS request when
+they request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user
+to enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket.
+It is also set in all tickets issued based on tickets with the FORWARDED
+flag set. Application servers may choose to process FORWARDED tickets
+differently than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients
+and servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the
+Kerberos Authentication Server is initiated by a client when it wishes to
+obtain authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the
+initiation of a login session to obtain credentials for a Ticket-Granting
+Server which will subsequently be used to obtain credentials for other
+servers (see section 3.3) without requiring further use of the client's
+secret key. This exchange is also used to request credentials for services
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+which must not be mediated through the Ticket-Granting Service, but rather
+require a principal's secret key, such as the password-changing service[5].
+This exchange does not by itself provide any assurance of the the identity
+of the user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The
+response, KRB_AS_REP, contains a ticket for the client to present to the
+server, and a session key that will be shared by the client and the server.
+The session key and additional information are encrypted in the client's
+secret key. The KRB_AS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. Various errors can occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
+encrypted. The KRB_ERROR message contains information which can be used to
+associate it with the message to which it replies. The lack of encryption
+in the KRB_ERROR message precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends
+a reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is
+encrypted in that principal's key. The initial request supports an optional
+field that can be used to pass additional information that might be needed
+for the initial exchange. This field may be used for preauthentication as
+described in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether
+the requested ticket is to be renewable, proxiable, or forwardable; whether
+it should be postdated or allow postdating of derivative tickets; and
+whether a renewable ticket will be accepted in lieu of a non-renewable
+ticket if the requested ticket expiration date cannot be satisfied by a
+non-renewable ticket (due to configuration constraints; see section 4). See
+section A.1 for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format
+for the ticket is described in section 5.3.1. The contents of the ticket
+are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named
+in the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which
+an encryption key is available is used. The encryption method used to
+respond to a TGS request is taken from the keytype of the session key found
+in the ticket granting ticket.
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
+Otherwise the requested start time is checked against the policy of the
+local realm (the administrator might decide to prohibit certain types or
+ranges of postdated tickets), and if acceptable, the ticket's start time is
+set as requested and the INVALID flag is set in the new ticket. The
+postdated ticket must be validated before use by presenting it to the KDC
+after the start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option
+has been set and a renewable ticket is to be issued, then the renew-till
+field is set to the minimum of:
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set
+     by the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using
+the requested encryption method, and sends it to the client. See section
+A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key,
+start and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate
+a KRB_AS_REP format message which decrypts properly but is not from the
+proper KDC. If the host wishes to verify the identity of the user, it must
+require the user to present application credentials which can be verified
+using a securely-stored secret key for the host. If those credentials can
+be verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS
+or TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
+is referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange)
+a ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use
+of a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors
+are possible. If an error occurs, the server is expected to reply to the
+client with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If
+the message type is not KRB_AP_REQ, the server returns the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
+the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
+key, and the server no longer possesses a copy of the old key), the
+KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
+in the ap-options field, it indicates to the server that the ticket is
+encrypted in the session key from the server's ticket-granting ticket
+rather than its secret key[10]. Since it is possible for the server to be
+registered in multiple realms, with different keys in each, the srealm
+field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
+specify which secret key the server should use to decrypt that ticket. The
+KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
+proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
+client from the ticket are compared against the same fields in the
+authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
+returned (they might not match, for example, if the wrong session key was
+used to encrypt the authenticator). The addresses in the ticket (if any)
+are then searched for an address matching the operating-system reported
+address of the client. If no match is found or the server insists on ticket
+addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
+is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the
+KRB_AP_ERR_SKEW error is returned. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
+server must remember any authenticator presented within the allowable clock
+skew, so that a replay attempt is guaranteed to fail. If a server loses
+track of any authenticator presented within the allowable clock skew, it
+must reject all requests until the clock skew interval has passed. This
+assures that any lost or re-played authenticators will fall outside the
+allowable clock skew and can no longer be successfully replayed (If this is
+not done, an attacker could conceivably record the ticket and authenticator
+sent over the network to a server, then disable the client's host, pose as
+the disabled host, and replay the ticket and authenticator to subvert the
+authentication.). If a sequence number is provided in the authenticator,
+the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
+messages. If a subkey is present, the server either saves it for later use
+or uses it to help generate its own choice for a subkey to be returned in a
+KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+the client possesses the credentials of the principal named in the ticket
+and thus, the client has been authenticated to the server. See section A.10
+for pseudocode.
+
+Passing these checks provides only authentication of the named principal;
+it does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name
+of the user, the requested operation, local acces control information such
+as that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server
+need not explicitly reply to the KRB_AP_REQ. However, if mutual
+authentication (not only authenticating the client to the server, but also
+the server to the client) is being performed, the KRB_AP_REQ message will
+have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
+is required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not
+acceptable to the application's protocol. The timestamp and microsecond
+field used in the reply must be the client's timestamp and microsecond
+field (as provided in the authenticator)[12]. If a sequence number is to be
+included, it should be randomly chosen as described above for the
+authenticator. A subkey may be included if the server desires to negotiate
+a different subkey. The KRB_AP_REP message is encrypted in the session key
+extracted from the ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+server share an encryption key which can be used by the application. The
+'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption
+or checksum type) to the application programmer; the Kerberos protocol does
+not constrain the implementation options, but an example of how this might
+be done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+reason, one of the parties was prevented from using a key with more than 40
+unknown bits, this method would allow the the party which is prevented from
+using more than 40 bits to either propose (if the client) an initial key
+with a known quantity for 16 of those bits, or to mask 16 of the bits (if
+the server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server
+is initiated by a client when it wishes to obtain authentication
+credentials for a given server (which might be registered in a remote
+realm), when it wishes to renew or validate an existing ticket, or when it
+wishes to obtain a proxy ticket. In the first case, the client must already
+have acquired a ticket for the Ticket-Granting Service using the AS
+exchange (the ticket-granting ticket is usually obtained when a client
+initially authenticates to the system, such as when a user logs in). The
+message format for the TGS exchange is almost identical to that for the AS
+exchange. The primary difference is that encryption and decryption in the
+TGS exchange does not take place under the client's key. Instead, the
+session key from the ticket-granting ticket or renewable ticket, or
+sub-session key from an Authenticator is used. As is the case for all
+application servers, expired tickets are not accepted by the TGS, so once a
+renewable or ticket-granting ticket expires, the client must use a separate
+exchange to obtain valid tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed
+authorization data to be sealed in the ticket for authorization use by the
+application server, or additional tickets (the use of which are described
+later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
+encrypted in the session key from the ticket-granting ticket or renewable
+ticket, or if present, in the sub-session key from the Authenticator (part
+of the authentication header). The KRB_ERROR message contains an error code
+and text explaining what went wrong. The KRB_ERROR message is not
+encrypted. The KRB_TGS_REP message contains information which can be used
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+to detect replays, and to associate it with the message to which it
+replies. The KRB_ERROR message also contains information which can be used
+to associate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to detect replays
+or fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the
+appropriate realm, then one must be obtained. This is first attempted by
+requesting a ticket-granting ticket for the destination realm from a
+Kerberos server for which the client does posess a ticket-granting ticket
+(using the KRB_TGS_REQ message recursively). The Kerberos server may return
+a TGT for the desired realm in which case one can proceed. Alternatively,
+the Kerberos server may return a TGT for a realm which is 'closer' to the
+desired realm (further along the standard hierarchical path), in which case
+this step must be repeated with a Kerberos server in the realm specified in
+the returned TGT. If neither are returned, then the request must be retried
+with a Kerberos server for a realm higher in the hierarchy. This request
+will itself require a ticket-granting ticket for the higher realm which
+must be obtained by recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one.
+The list might be obtained through a configuration file or network service
+or it may be generated from the name of the realm; as long as the secret
+keys exchanged by realms are kept secret, only denial of service results
+from using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server
+use and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be
+encrypted[16]. If the sub-session key is not specified, the session key
+from the ticket-granting ticket will be used. If the enc-authorization-data
+is present, it must be encrypted in the sub-session key, if present, from
+the authenticator portion of the authentication header, or if not present,
+using the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which
+it was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP
+(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
+specification is in section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited
+field needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set.
+The PROXY option will not be honored on requests for additional
+ticket-granting tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
+ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
+ticket will be postdated and the requested starttime is checked against the
+policy of the local realm. If acceptable, the ticket's start time is set as
+requested, and the INVALID flag is set. The postdated ticket must be
+validated before use by presenting it to the KDC after the starttime has
+been reached. However, in no case may the starttime, endtime, or renew-till
+time of a newly-issued postdated ticket extend beyond the renew-till time
+of the ticket-granting ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional
+ticket using the key for the server to which the additional ticket was
+issued and verify that it is a ticket-granting ticket. If the name of the
+requested server is missing from the request, the name of the client in the
+additional ticket will be used. Otherwise the name of the requested server
+will be compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as
+part of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is
+set in the ticket, that the INVALID flag is not set in the ticket, and that
+the renew_till time is still in the future. If the VALIDATE option is
+rqeuested, the KDC will check that the starttime has passed and the INVALID
+flag is set. If the PROXY option is requested, then the KDC will check that
+the PROXIABLE flag is set in the ticket. If the tests succeed, and the
+ticket passes the hotlist check described in the next paragraph, the KDC
+will issue the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal
+expiration time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and
+the key version number fields are left out since these values are stored
+along with the client's database record, and that record is not needed to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+satisfy a request based on a ticket-granting ticket. See section A.6 for
+pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request,
+subject to the constraints outlined above in the section describing the AS
+exchange. The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket
+to be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous
+realm. This prevents a malicious Kerberos server from intentionally leaving
+out its own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since
+the endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its
+contents are encoded. The initially supported encoding is optimized for the
+normal case of inter-realm communication: a hierarchical arrangement of
+realms using either domain or X.500 style realm names. This encoding
+(called DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that
+they would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19].
+Thus, "," means that all realms along the path between the client and the
+server have been traversed. ",EDU, /COM," means that that all realms from
+the client's realm up to EDU (in a domain style hierarchy) have been
+traversed, and that everything from /COM down to the server's realm in an
+X.500 style has also been traversed. This could occur if the EDU realm in
+one hierarchy shares an inter-realm key directly with the /COM realm in
+another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES
+MAC), generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by
+one's peer. Connection state is presently required to maintain the session
+key, so maintaining the next sequence number should not present an
+additional problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_SAFE, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated.
+The recipient verifies that the operating system's report of the sender's
+address matches the sender's address in the message, and (if a recipient
+address is specified or the recipient requires an address) that one of the
+recipient's addresses appears as the recipient's address in the message. A
+failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the
+timestamp and usec and/or the sequence number fields are checked. If
+timestamp and usec are expected and not present, or they are present but
+not current, the KRB_AP_ERR_SKEW error is generated. If the server name,
+along with the client name, time and microsecond fields from the
+Authenticator match any recently-seen (sent or received[20] ) such tuples,
+the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number
+is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+Finally, the checksum is computed over the data and control information,
+and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error
+is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_PRIV, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that
+the operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses
+appears as the recipient's address in the message. A failed match for
+either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
+incorrect sequence number is included, or a sequence number is expected but
+not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
+time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
+error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It
+then constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the
+KRB_CRED message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
+in the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and
+r-address fields, are placed in the encrypted part of the KRB_CRED message
+which is then encrypted under an encryption key previosuly exchanged in the
+KRB_AP exchange (usually the last key negotiated via subkeys, or the
+session key if no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates
+a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If
+decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+error is generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's
+address in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce
+field if required) are checked next. If the timestamp and usec are not
+present, or they are present but not current, the KRB_AP_ERR_SKEW error is
+generated.
+
+If all the checks succeed, the application stores each of the new tickets
+in its ticket cache together with the session key and other information in
+the corresponding KrbCredInfo sequence from the encrypted part of the
+KRB_CRED message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be
+authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The
+key can be encrypted before storage under a Kerberos "master key" to
+protect it in case the database is compromised but the master key is not.
+In that case, an extra field must be added to indicate the master key
+version used, see below.) The p_kvno field is the key version number of the
+principal's secret key. The max_life field contains the maximum allowable
+lifetime (endtime - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum allowable total lifetime
+for any renewable Ticket issued for this principal. (See section 3.1 for a
+description of how these lifetimes are used in determining the lifetime of
+a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal
+records with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e.
+not the result of disclosure of the old key), the old key should be
+retained by the server until all tickets that had been issued using that
+key have expired. Because of this, it is possible for several keys to be
+active for a single principal. Ciphertext encrypted in a principal's key is
+always tagged with the version of the key that was used for encryption, to
+help the recipient find the proper key for decryption.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to
+a request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error
+to any client attempting to gain tickets as or for the principal. (A
+database may want to maintain two expiration dates: one for the principal,
+and one for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether
+a server is appropriate trusted to recieve credentials delegated by a
+client, or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user
+in the last-req field (see section 5.2).
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to
+allow the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be
+allowed in the encoding because these values will always be represented
+through defaulting by the absence of the optional field. For example, one
+will not send a microsecond zero value because one must make sure that
+there is only one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through unmodified when
+the message is forwarded. Implementation should drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509
+specification, section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A
+PrincipalName is a typed sequence of components consisting of the following
+sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the
+     same (i.e. at least one of the components, or the realm, must be
+     different). This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An
+encoding shall specify the UTC time zone (Z) and shall not include any
+fractional portions of the seconds. It further shall not include any
+separators. Example: The only valid format for UTC time 6 minutes, 27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the
+interpretation of the encapsulating element determines which of the
+embedded elements must be interpreted, and which may be ignored.
+Definitions for these common elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include
+the highest order bit that is set (1), but in no case less than 32 bits.
+The ASN.1 representation of the bit strings uses unnamed bits, with the
+meaning of the individual bits defined by the comments in the specification
+above. Implementations should accept values of bit strings of any length
+and treat the value of flags corresponding to bits beyond the end of the
+bit string as if the bit were reset (0). Comparison of bit strings of
+different length should treat the smaller string as if it were padded with
+zeros beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute
+     value of the lr-type field is one (1), then the lr-value subfield is
+     the time of last initial request for a TGT. If it is two (2), then the
+     lr-value subfield is the time of last initial request. If it is three
+     (3), then the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A
+Ticket contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos
+and the end server (the server's secret key). See section 6 for the format
+of the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies the name part of the server's identity.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of
+     the appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The
+     meanings of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal
+     identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the
+     necessary information for implementation of a `hot list' service at
+     the KDC. An end service that is particularly paranoid could refuse to
+     accept tickets for which the initial authentication occurred "too far"
+     in the past. This field is also returned as part of the response from
+     the KDC. When returned as part of the response to initial
+     authentication (KRB_AS_REP), this is the current time on the Ker-
+     beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated
+     as that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be
+     honored (its expiration time). Note that individual services may place
+     their own limits on the life of a ticket and may reject tickets which
+     have not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is
+     that such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not
+     sent over the network in cleartext, credentials can't be stolen simply
+     by listening to the network; an attacker has to gain access to the
+     session key (perhaps through operating system security breaches or a
+     careless user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's worksta- tion could
+     use the credentials from there. Including the network addresses only
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     makes it more difficult, not impossible, for an attacker to walk off
+     with stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing,
+     and that a better name for this field would be restrictions.
+     Unfortunately, it is not possible to change the name of this field at
+     this time.
+
+     This field contains restrictions on any authority obtained on the
+     basis of authentication using the ticket. It is possible for any
+     principal in posession of credentials to add entries to the
+     authorization data field since these entries further restrict what can
+     be done with the ticket. Such additions can be made by specifying the
+     additional entries when a new ticket is obtained during the TGS
+     exchange, or they may be added during chained delegation using the
+     authorization data field of the authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy
+     to the client. The client would then present this authorization
+     credential to the application server separately from the
+     authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy
+     and leaves the host addresses blank, the resulting ticket and session
+     key can be treated as a capability. See [Neu93] for some suggested
+     uses of this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+     Its value (before encryption) ranges from 0 to 999999. It often
+     appears along with ctime. The two fields are used together to specify
+     a reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that
+     for messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is
+     sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and
+     wrap to zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1.
+     It is optional and will only appear when additional restrictions are
+     to be placed on the use of a ticket, beyond those carried in the
+     ticket itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an
+initial ticket or an additional ticket. In either case, the message is sent
+from the client to the Authentication Server to request credentials for a
+service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting
+     ticket and authenticator). The checksum in the authenticator (which
+     must be collision-proof) is to be computed over the KDC-REQ-BODY
+     encoding. In most requests for initial authentication (KRB_AS_REQ) and
+     most replies (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions
+     to the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing
+     the microseconds which may be omitted if a client will not generate
+     more than one request per second. The ciphertext (padata-value)
+     consists of the PA-ENC-TS-ENC sequence, encrypted using the client's
+     secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC
+     or the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets
+     as well as other information that is to modify the behavior of the
+     KDC. Where appropriate, the name of an option may be the same as the
+     flag that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field
+     to the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which
+                                      it is based has  its  MAY-POSTDATE
+                                      flag set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator,
+     or alternatively from the session key in the ticket-granting ticket,
+     both from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies
+     the desired start time for the requested ticket. If this field is
+     omitted then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date
+     of the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated
+     randomly, but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in
+     the response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses
+     for the client's host. If a proxy is requested, this field will
+     contain other addresses. The contents of this field are usually copied
+     by the KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be
+     used in place of the server's key to encrypt the new ticket. If more
+     than one option which requires additional tickets has been specified,
+     then the additional tickets are used in the order specified by the
+     ordering of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that
+is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for
+either an initial (AS) request or a subsequent (TGS) request. There is no
+message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP
+or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or
+if absent, the session key from the ticket-granting ticket used in the
+request. In that case, no version number will be present in the
+EncryptedData sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section
+     6.3.2). This ability is useful to ease transitions if a realm name
+     needs to change (e.g. when a company is acquired); in such a case all
+     existing password-derived entries in the KDC database would be flagged
+     as needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related
+     information that forms the encrypted part of a message. The
+     description of the encrypted part of the message follows each
+     appearance of this field. The encrypted part is encoded as described
+     in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the
+     last request by a principal. Depending on what information is
+     available, this might be the last time that a request for a
+     ticket-granting ticket was made, or the last time that a request based
+     on a ticket-granting ticket was successful. It also might cover all
+     servers for a realm, or just the particular server. Some
+     implementations may display this information to the user to aid in
+     discovering unauthorized use of one's identity. It is similar in
+     spirit to the last login time displayed when logging into timesharing
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up
+     to the application client (usually the login program) to take
+     appropriate action (such as notifying the user) if the expiration time
+     is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will
+     be the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is
+often referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the
+     selected options are indicated by the bit being set (1), and the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     unselected options and reserved fields being reset (0). The encoding
+     of the bits is specified in section 5.2. The meanings of the options
+     are:
+
+          Bit(s)   Name              Description
+
+          0        RESERVED
+                                     Reserved for future  expansion  of
+this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option
+indicates
+                                     that the ticket the client is
+presenting
+                                     to a server is encrypted in the
+session
+                                     key  from  the  server's
+ticket-granting
+                                     ticket.  When this option is not
+speci-
+                                     fied,  the  ticket  is  encrypted in
+the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells
+the
+                                     server  that  the client requires
+mutual
+                                     authentication, and that it must
+respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                     Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over
+     the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and
+     the checksum is computed over the encoding of the KRB-SAFE sequence,
+     then the checksum is set to the result of that computation, and
+     finally the KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By
+     checking the timestamp, the recipient of the message is able to make
+     sure that it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast
+     protocols), but the recipient may arbitrarily reject such messages.
+     This field along with s-address can be used to help detect messages
+     which have been incorrectly or maliciously delivered to the wrong
+     recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format
+     of the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by
+     the intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce
+     must never be re-used; it should be generated randomly by the
+     recipient of the message and provided to the sender of the message in
+     an application specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is not protected by any encryption,
+it is quite possible for an intruder to synthesize or modify such a
+message. In particular, this means that the client should not use any
+fields in this message for security-critical purposes, such as setting a
+system clock or generating a fresh authenticator. The message can be
+useful, however, for advising a user on the reason for some failure.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+                e-typed-data[14]              SEQUENCE of ETypedData
+OPTIONAL
+}
+
+ETypedData ::=  SEQUENCE {
+                e-data-type    [1] INTEGER,
+                e-data-value   [2] OCTET STRING,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp.
+     Its value ranges from 0 to 999999. It appears along with stime. The
+     two fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the
+     list of error codes in section 8. Implementations are encouraged to
+     provide for national language support in the display of error
+     messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     application to help it recover from or handle the error. If the
+     errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
+     contain an encoding of a sequence of padata fields, each corresponding
+     to an acceptable pre-authentication method and optionally containing
+     data for the method:
+
+     METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+     If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+     contain an encoding of the following sequence:
+
+     METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+     }
+
+     method-type will indicate the required alternate method; method-data
+     will contain any required additional information.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message.
+     The checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to
+     an AS request, then the checksum should be calulated using the
+     client's secret key ONLY if there has been suitable preauthentication
+     to prove knowledge of the secret key by the client[33]. If a checksum
+     can not be computed because the key to be used is not available, no
+     checksum will be included.
+e-typed-data
+     [This field for discussion, may be deleted from final spec] This field
+     contains optional data that may be used to help the client recover
+     from the indicated error. [This could contain the METHOD-DATA
+     specified since I don't think anyone actually uses it yet. It could
+     also contain the PA-DATA sequence for the preauth required error if we
+     had a clear way to transition to the use of this field from the use of
+     the untype e-data field.] For example, this field may specify the key
+     version of the key used to verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to verify
+preauthentication
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use
+stream encryption ciphers, which can be simulated using commonly available
+block encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption
+is used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in
+confidence. Proof of knowledge of this secret key is used to verify the
+authenticity of a principal.
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+the ability to obtain the secret key or session key implies the knowledge
+of the appropriate keys and the identity of the KDC. The ability of a
+principal to decrypt the KDC response and present a Ticket and a properly
+formed Authenticator (generated with the session key from the KDC response)
+to a service verifies the identity of the principal; likewise the ability
+of the service to extract the session key from the Ticket and prove its
+knowledge thereof in a response verifies the identity of the service.
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen
+to make brute force attacks more difficult. Poorly chosen keys still make
+easy targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder)
+at the start of the message. The requirements for a confounder are
+specified with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included.
+It is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because
+users who are registered in more than one realm will often use the same
+password in each, and it is desirable that an attacker compromising the
+Kerberos server in one realm not obtain or derive the user's key in
+another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+}
+
+
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption
+algorithm to data composed of the message and algorithm-specific inputs.
+Encryption mechanisms defined for use with Kerberos must take sufficient
+measures to guarantee the integrity of the plaintext, and we recommend they
+also take measures to protect against precomputed dictionary attacks. If
+the encryption algorithm is not itself capable of doing so, the protections
+can often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5
+which is to be encrypted. The confounder, checksum, and padding are all
+untagged and untyped, and their length is exactly sufficient to hold the
+appropriate item. The type and length is implicit and specified by the
+particular encryption type being used (etype). The format for the data to
+be encrypted is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and
+the appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which
+are not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+encryption type to communicate with all others using that type, the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional
+information. 6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption key that follows in the
+     keyvalue field. It will almost always correspond to the encryption
+     algorithm used to generate the EncryptedData, though more than one
+     algorithm may use the same type of key (the mapping is many to one).
+     This might happen, for example, if the encryption algorithm uses an
+     alternate checksum algorithm for an integrity check, or a different
+     chaining mechanism.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields
+and interpreta- tions.
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+A CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field.
+DES blocks are 8 bytes. As a result, the data to be encrypted (the
+concatenation of confounder, checksum, and message) must be padded to an 8
+byte boundary before encryption. The details of the encryption of this data
+are identical to those for the des-cbc-md5 encryption mode.
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those
+keys shall not be used for encrypting messages for use in Kerberos.
+Additionally, because of the way that keys are derived for the encryption
+of checksums, keys shall not be used that yield 'weak' or 'semi-weak' keys
+when eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1
+as the MSbit). [See the FIPS 81 introduction for reference.]
+
+String to key transformation
+
+To generate a DES key from a text string (password), a "salt" is
+concatenated to the text string, and then padded with ASCII nulls to an 8
+byte boundary. This "salt" is normally the realm and each component of the
+principal's name appended. However, sometimes different salts are used ---
+for example, when a realm is renamed, or if a user changes her username, or
+for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
+null string for the salt). This string is then fan-folded and
+eXclusive-ORed with itself to form an 8 byte DES key. Before
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+eXclusive-ORing a block, every byte is shifted one bit to the left to leave
+the lowest bit zero. The key is the "corrected" by correcting the parity on
+the key, and if the key matches a 'weak' or 'semi-weak' key as described in
+the DES specification, it is eXclusive-ORed with the constant
+00000000000000F0. This key is then used to generate a DES CBC checksum on
+the initial string (with the salt appended). The result of the CBC checksum
+is the "corrected" as described above to form the result which is return as
+the key. Pseudocode follows:
+
+     name_to_default_salt(realm, name) {
+          s = realm
+          for(each component in name) {
+               s = s + component;
+          }
+          return s;
+     }
+
+     key_correction(key) {
+          fixparity(key);
+          if (is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+     string_to_key(string,salt) {
+
+          odd = 1;
+          s = string + salt;
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               left shift every byte in 8byteblock one bit;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          tempkey = key_correction(tempkey);
+          key = key_correction(DES-CBC-check(s,tempkey));
+          return(key);
+     }
+
+6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
+Derivation [Horowitz]
+
+NOTE: This description currently refers to documents, the contents of which
+might be bettered included by value in this spec. The description below was
+provided by Marc Horowitz, and the form in which it will finally appear is
+yet to be determined. This description is included in this version of the
+draft because it does describe the implemenation ready for use with the MIT
+implementation. Note also that the encryption identifier has been left
+unspecified here because the value from Marc Horowitz's spec conflicted
+with some other impmenentations implemented based on perevious versions of
+the specification.
+
+This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
+[Krawczyk96] message authentication algorithm, and key derivation for
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Kerberos V5 [HorowitzB96].
+
+The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
+hmac-sha1-des3 checksum type has been assigned the value 12.
+
+Encryption Type des3-cbc-hmac-sha1
+
+EncryptedData using this type must be generated as described in
+[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
+keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
+must be used. If the length of the input data is not a multiple of the
+block size, zero octets must be used to pad the plaintext to the next
+eight-octet boundary. The counfounder must be eight random octets (one
+block).
+
+Checksum Type hmac-sha1-des3
+
+Checksums using this type must be generated as described in [Horowitz96].
+The keyed hash algorithm is HMAC-SHA1.
+
+Common Requirements
+
+The EncryptionKey value is 24 octets long. The 7 most significant bits of
+each octet contain key bits, and the least significant bit is the inverse
+of the xor of the key bits.
+
+For the purposes of key derivation, the block size is 64 bits, and the key
+size is 168 bits. The 168 bits output by key derivation are converted to an
+EncryptionKey value as follows. First, the 168 bits are divided into three
+groups of 56 bits, which are expanded individually into 64 bits as follows:
+
+ 1  2  3  4  5  6  7  p
+ 9 10 11 12 13 14 15  p
+17 18 19 20 21 22 23  p
+25 26 27 28 29 30 31  p
+33 34 35 36 37 38 39  p
+41 42 43 44 45 46 47  p
+49 50 51 52 53 54 55  p
+56 48 40 32 24 16  8  p
+
+The "p" bits are parity bits computed over the data bits. The output of the
+three expansions are concatenated to form the EncryptionKey value.
+
+When the HMAC-SHA1 of a string is computed, the key is used in the
+EncryptedKey form.
+
+Key Derivation
+
+In the Kerberos protocol, cryptographic keys are used in a number of
+places. In order to minimize the effect of compromising a key, it is
+desirable to use a different key for each of these places. Key derivation
+[Horowitz96] can be used to construct different keys for each operation
+from the keys transported on the network. For this to be possible, a small
+change to the specification is necessary.
+
+This section specifies a profile for the use of key derivation [Horowitz96]
+with Kerberos. For each place where a key is used, a ``key usage'' must is
+specified for that purpose. The key, key usage, and encryption/checksum
+type together describe the transformation from plaintext to ciphertext, or
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+plaintext to checksum.
+
+Key Usage Values
+
+This is a complete list of places keys are used in the kerberos protocol,
+with key usage values and RFC 1510 section numbers:
+
+ 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+    client key (section 5.4.1)
+ 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+    application session key), encrypted with the service key
+    (section 5.4.2)
+ 3. AS-REP encrypted part (includes tgs session key or application
+    session key), encrypted with the client key (section 5.4.2)
+ 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    session key (section 5.4.1)
+ 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    authenticator subkey (section 5.4.1)
+ 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+    with the tgs session key (sections 5.3.2, 5.4.1)
+ 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+    authenticator subkey), encrypted with the tgs session key
+    (section 5.3.2)
+ 8. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs session key (section 5.4.2)
+ 9. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs authenticator subkey (section 5.4.2)
+10. AP-REQ Authenticator cksum, keyed with the application session
+    key (section 5.3.2)
+11. AP-REQ Authenticator (includes application authenticator
+    subkey), encrypted with the application session key (section
+    5.3.2)
+12. AP-REP encrypted part (includes application session subkey),
+    encrypted with the application session key (section 5.5.2)
+13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+    application (section 5.7.1)
+14. KRB-CRED encrypted part, encrypted with a key chosen by the
+    application (section 5.6.1)
+15. KRB-SAVE cksum, keyed with a key chosen by the application
+    (section 5.8.1)
+18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+Key usage values between 1024 and 2047 (inclusive) are reserved for
+application use. Applications should use even values for encryption and odd
+values for checksums within this range.
+
+A few of these key usages need a little clarification. A service which
+receives an AP-REQ has no way to know if the enclosed Ticket was part of an
+AS-REP or TGS-REP. Therefore, key usage 2 must always be used for
+generating a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
+
+There might exist other documents which define protocols in terms of the
+RFC1510 encryption types or checksum types. Such documents would not know
+about key usages. In order that these documents continue to be meaningful
+until they are updated, key usages 1024 and 1025 must be used to derive
+keys for encryption and checksums, respectively. New protocols defined in
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+terms of the Kerberos encryption and checksum types should use their own
+key usages. Key usages may be registered with IANA to avoid conflicts. Key
+usages must be unsigned 32 bit integers. Zero is not permitted.
+
+Defining Cryptosystems Using Key Derivation
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and
+one for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the protocol key is from the EncryptionKey from the wire protocol,
+and the key usage is represented as a 32 bit integer in network byte order.
+The ciphertest must be generated from the plaintext as follows:
+
+   ciphertext = E(Ke, confounder | plaintext | padding) |
+                H(Ki, confounder | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, plaintext)
+
+Note that each enctype is described by an encryption algorithm E and a
+keyed hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+Key Derivation from Passwords
+
+The well-known constant for password key derivation must be the byte string
+{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
+ASCII encoding for the string "kerberos".
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+All non-negative values are reserved for officially assigned type fields
+and interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether
+they are collision-proof, and whether they are keyed. It is infeasible to
+find two plaintexts which generate the same checksum value for a
+collision-proof checksum. A key is required to perturb or initialize the
+algorithm in a keyed checksum. To prevent message-stream modification by an
+active attacker, unkeyed checksums should only be used when the checksum
+and message will be subsequently encrypted (e.g. the checksums defined as
+part of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for
+the encrypted forms of unkeyed collision-proof checksums, Kerberos prepends
+a confounder before the checksum is calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+check as described in ISO 3309 [ISO3309]. The resulting checksum is four
+(4) octets in length. The CRC-32 is neither keyed nor collision-proof. The
+use of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed
+to be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using
+DES in cipher-block-chaining (CBC) mode using a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant).
+This checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in
+Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed
+to be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using
+DES in cipher-block-chaining (CBC) mode using a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the hexadecimal
+constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant).
+This checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys';
+those keys shall not be used for encrypting RSA-MD5 checksums for use in
+Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using
+DES in cipher-block-chaining (CBC) mode using a a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the hexadecimal
+constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
+resulting checksum is 128 bits (16 octets) long, 64 bits of which are
+redundant. This checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those
+keys shall not be used for generating DES-MAC checksums for use in
+Kerberos, nor shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using
+DES in cipher-block-chaining (CBC) mode using a DES key as both key and
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and
+it is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the
+checksum value. It is keyed with an encryption key and an initialization
+vector; any uses which do not specify an additional initialization vector
+will use the key as both key and initialization vector. The resulting
+checksum is 64 bits (8 octets) long. This checksum is tamper-proof and
+collision-proof. Note that this checksum type is the old method for
+encoding the DES-MAC checksum and it is no longer recommended. The DES
+specifications identify some 'weak keys' and 'semi-weak keys'; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in
+the case of the characters are not equivalent. There are presently four
+styles of realm names: domain, X500, other, and reserved. Examples of each
+style follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+equal. The realm names for X.500 names will be string representations of
+the names with components separated by slashes. Leading and trailing
+slashes will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment
+of realm names in the domain and X.500 categories: the name of a realm for
+the domain or X.500 formats must either be used by the organization owning
+(to whom it was assigned) an Internet domain name or X.500 name, or in the
+case that no such names are registered, authority to use a realm name may
+be derived from the authority of the parent realm. For example, if there is
+no domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm
+can authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children
+in the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring
+the name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE
+principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet,
+rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+When a name implies no information other than its uniqueness at a
+particular time the name type PRINCIPAL should be used. The principal name
+type should be used for users, and it might also be used for a unique
+server. If the name is a unique machine generated ID that is guaranteed
+never to be reassigned then the name type of UID should be used (note that
+it is generally a bad idea to reassign names of any type since stale
+entries might remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified
+manner, then the name type of SRV-INST should be used. An example of this
+name type is the Kerberos ticket-granting service whose name has a first
+component of krbtgt and a second component identifying the realm for which
+the ticket is valid.
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 2253.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for
+the Kerberos ticket granting service. See section 8.2.3 for the form of
+such names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host.
+Where the name of the host is not case sensitive (for example, with
+Internet domain names) the name of the host must be lower case. If
+specified by the application protocol for services such as telnet and the
+Berkeley R commands which run with system privileges, the first component
+may be the string 'host' instead of a service specific identifier. When a
+host has an official name and one or more aliases, the official name of the
+host must be used when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+8.1. Host address types
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields
+and interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+Internet (IPv6) Addresses [Westerlund]
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+network number. The first octet of the address is the node number; the
+remaining two octets encode the network number in MSB order. The type of
+AppleTalk DDP addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+Netbios addresses
+
+Netbios addresses are 16-octet addresses typically composed of 1 to 15
+characters, trailing blank (ascii char 20) filled, with a 16th octet of
+0x0. The type of Netbios addresses is 20 (0x14).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal)
+and clients should support the sending of TCP requests on port 88
+(decimal). When the KRB_KDC_REQ message is sent to the KDC over a TCP
+stream, a new connection will be established for each authentication
+exchange (request and response). The KRB_KDC_REP or KRB_ERROR message will
+be returned to the client on the same TCP stream that was established for
+the request. The response to a request made through TCP/IP transport must
+also use TCP/IP transport. Implementors should note that some extentions to
+the Kerberos protocol will not work if any implementation not supporting
+the TCP transport is involved (client or KDC). Implementors are strongly
+urged to support the TCP transport on both the client and server and are
+advised that the current notation of "should" support will likely change in
+the future to must support. The KDC may close the TCP stream after sending
+a response, but may leave the stream open if it expects a followup - in
+which case it may close the stream at any time if resource constratints or
+other factors make it desirable to do so. Care must be taken in managing
+TCP/IP connections with the KDC to prevent denial of service attacks based
+on the number of TCP/IP connections with the KDC that remain open. If
+multiple exchanges with the KDC are needed for certain forms of
+preauthentication, multiple TCP connections may be required. A client may
+close the stream after receiving response, and should close the stream if
+it does not expect to send followup messages. The client must be prepared
+to have the stream closed by the KDC at anytime, in which case it must
+simply connect again when it is ready to send subsequent messages.
+
+The first four octets of the TCP stream used to transmit the request
+request will encode in network byte order the length of the request
+(KRB_KDC_REQ), and the length will be followed by the request itself. The
+response will similarly be preceeded by a 4 octet encoding in network byte
+order of the length of the KRB_KDC_REP or the KRB_ERROR message and will be
+followed by the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is
+set on integer represented by the first 4 octets, then the next 4 octets
+will be read, extending the length of the field by another 4 octets (less 1
+bit).
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in
+the ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed
+of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a
+two-part name of type NT-SRV-INST, with the first part "krbtgt" and the
+second part the name of the realm which will accept the ticket-granting
+ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU
+realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal
+identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU")
+(name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings. Ranges are specified in the "specification" section that limit
+the values of constants for which values are defined here. This allows
+implementations to make assumptions about the maximum values that will be
+received for these constants. Implementation receiving values outside the
+range specified in the "specification" section may reject the request, but
+they must recover cleanly.
+
+Encryption type  etype value  block size    minimum pad size  confounder
+size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+        4
+des3-cbc-md5      5            8                 0                 8
+        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+rsa-pub-md5      11                                   (pkinit)
+rsa-pub-sha1     12                                   (pkinit)
+des3kd-cbc-sha1  ??            8                 0                 8
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+rsa-md5-des3               9                   24
+hmac-sha1-des3             12                  20  (I had this as 10, is it
+12)
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+PA-USE-SPECIFIED-KVNO           20
+
+authorization data type         ad-type value
+AD-KDC-ISSUED                      1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-IF-RELEVANT                     4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward
+credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for
+users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not
+supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end
+time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired
+[40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user
+only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH   66   (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among
+these are multiple encryption and checksum types, alternative encoding
+schemes for the transited field, optional mechanisms for
+pre-authentication, the handling of tickets with no addresses, options for
+mutual authentication, user to user authentication, support for proxies,
+forwarding, postdating, and renewing tickets, the format of realm names,
+and the handling of authorization data.
+
+In order to ensure the interoperability of realms, it is necessary to
+define a minimal configuration which must be supported by all
+implementations. This minimal configuration is subject to change as
+technology does. For example, if at some later date it is discovered that
+one of the required encryption or checksum algorithms is not secure, it
+will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification
+2 must support UDP/IP transport for messages with the KDC and should
+support TCP/IP transport.
+
+Encryption and checksum methods
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+also support them: This list is to be determined.
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the
+Internet Domain and the X.500 style. When a ticket granting ticket for an
+unknown realm is requested, the KDC must be able to determine the names of
+the intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but
+need not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling
+server.
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+option) must be provided by implementations, but individual realms may
+decide as a matter of policy to reject such requests on a per-principal or
+realm-wide basis.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+Constant ranges
+
+All protocol constants are constrained to 32 bit (signed) values unless
+further constrained by the protocol definition. This limit is provided to
+allow implementations to make assumptions about the maximum values that
+will be received for these constants. Implementation receiving values
+outside this range may reject the request, but they must recover cleanly.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based
+on the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+[Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+          Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+          August 1998.
+
+[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+          horowitz-kerb-key-derivation-01.txt, September 1998.
+
+[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+          Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+          md5-01.txt, August, 1996.
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew)
+then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that
+*/
+        /* should be are set
+*/
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly
+*/
+        /* call this routine to get the appropriate ticket-granting ticket
+*/
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+        kerberos := lookup(name of local kerberose server (or servers));
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing
+the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The
+realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname)
+then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and
+keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would
+*/
+          /* have been rejected in the initial authentication stage, so
+*/
+          /* there is no need to check again here
+*/
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+
+                new_tkt.endtime := min(till,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing
+*/
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field
+out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data
++
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key),
+second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key,
+server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session
+key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed)
+then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present)
+then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part
+of the ticket. The types of the encapsulating elements are specified as
+part of the Kerberos specification because the behavior based on these
+values should be understood across implementations whereas other elements
+need only be understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection
+heading.
+
+B.1. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may
+also be added to a delegated ticket by inclusion in the authenticator.
+
+For KDC-issued elements this is prevented because the elements are signed
+by the KDC by including a checksum encrypted using the server's key (the
+same key used to encrypt the ticket - or a key derived from that key).
+Elements encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not
+found, this element should be ignored. If found, then the encapsulated
+elements should be evaluated in the same manner as if they were present in
+the top level authorization data field. Applications and application
+servers that do not implement this element should reject tickets that
+contain authorization data elements of this type.
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by
+setting the condition count to the number of embedded elements. Application
+servers that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same hash algorithm used to protect
+the integrity of the ticket itself. This checksum will be calculated over
+an individual extension field. If there are more than one extension,
+multiple Mandatory-Ticket-Extensions authorization data elements may be
+present, each with a checksum for a different extension field. This
+restriction indicates that the ticket should not be accepted if a ticket
+extension is not present in the ticket for which the checksum does not
+match that checksum specified in the authorization data element.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same hash algorithm used to protect the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list
+of constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that
+the KDC can determine on presentation of the ticket granting ticket whether
+the client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket
+extension.
+  ------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the
+identity verification applies only to the initiation of the connection, and
+does not guarantee that subsequent messages on the connection originate
+from the same principal.
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and
+engage in normal exchanges with that realm's services. However, for even
+small numbers of clients this becomes cumbersome, and more automatic
+methods as described here are necessary.
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by
+a local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This
+can only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key
+is not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored
+in a nameserver, or it might be obtained from a configura- tion file. If
+the realm to be used is obtained from a nameserver, there is a danger of
+being spoofed if the nameservice providing the realm name is not authenti-
+cated. This might result in the use of a realm which has been compromised,
+and would result in an attacker's ability to compromise the authentication
+of the application server to the client.
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server
+keys in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the
+database and the server on the same machine; it is feasible to store the
+principal database in, say, a network name service, as long as the entries
+stored therein are protected from disclosure to and modification by
+unauthorized parties. However, we recommend against such strategies, as
+they can make system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a
+nonce will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper
+cipher chaining. The initialization vector might come from the last block
+of the ciphertext from the previous KRB_PRIV message, but it is the
+application's choice whether or not to use such an initialization vector.
+If left out, the default initialization vector for the encryption algorithm
+will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message
+starts with random data, but the tag and its length are fixed. For other
+fields, the length and tag would be redundant if they were included because
+they are specified by the encryption type. [36] The ordering of the fields
+in the CipherText is important. Additionally, messages encoded in this
+format must include a length as part of the msg-seq field. This allows the
+recipient to verify that the message has not been truncated. Without a
+length, an attacker could use a chosen plaintext attack to generate a
+message which could be truncated, while leaving the checksum intact. Note
+that if the msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING,
+then the length is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section
+5.9.1.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
new file mode 100644
index 0000000..16af15d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
@@ -0,0 +1,6780 @@
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                          June 25, 1999
+                                              Expires December 25, 1999
+draft-ietf-cat-kerberos-revisions-04.txt
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet- Drafts as reference material or to cite them
+other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html. To learn the current status of any
+Internet-Draft, please check the '1id-abstracts.txt' listing contained in
+the Internet-Drafts Shadow Directories.
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-04.txt, and expires December 25th, 1999.
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others. Since
+RFC1510 was issued, extensions and revisions to the protocol have been
+proposed by many individuals. Some of these proposals are reflected in this
+document. Where such changes involved significant effort, the document cites
+the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket. [***I will change the example keytypes to be 3DES
+based examples 7/14***]
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be allowed
+in the encoding because these values will always be represented through
+defaulting by the absence of the optional field. For example, one will not
+send a microsecond zero value because one must make sure that there is only
+one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include the
+highest order bit that is set (1), but in no case less than 32 bits. The
+ASN.1 representation of the bit strings uses unnamed bits, with the meaning
+of the individual bits defined by the comments in the specification above.
+Implementations should accept values of bit strings of any length and treat
+the value of flags corresponding to bits beyond the end of the bit string as
+if the bit were reset (0). Comparison of bit strings of different length
+should treat the smaller string as if it were padded with zeros beyond the
+high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     [*** This change is still subject to discussion. Several alternatives
+     for this - including none at all - will be distributed to the cat and
+     krb-protocol mailing lists before the Oslo IETF, and an alternative
+     will be selected and the spec modified by 7/14/99 ***] This optional
+     field contains a sequence of extentions that may be used to carry
+     information that must be carried with the ticket to support several
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     extensions, including but not limited to plaintext authorization data,
+     tokens for exchanging inter-realm keys, and other information that must
+     be associated with a ticket for use by the application server. See
+     Appendix C for definitions of some common extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Ker- beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the name
+     of a privelege server), and this entity adds restrictions on its own
+     authority and delegates the restricted authority through a proxy to the
+     client. The client would then present this authorization credential to
+     the application server separately from the authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+     Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to
+     zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which it
+is
+                                      based has  its  MAY-POSTDATE  flag
+set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+         Bit(s)   Name              Description
+
+         0        RESERVED
+                                    Reserved for future  expansion  of  this
+                                    field.
+
+         1        USE-SESSION-KEY
+                                    The  USE-SESSION-KEY  option   indicates
+                                    that the ticket the client is presenting
+                                    to a server is encrypted in the  session
+                                    key  from  the  server's ticket-granting
+                                    ticket.  When this option is not  speci-
+                                    fied,  the  ticket  is  encrypted in the
+                                    server's secret key.
+
+         2        MUTUAL-REQUIRED
+                                    The  MUTUAL-REQUIRED  option  tells  the
+                                    server  that  the client requires mutual
+                                    authentication, and that it must respond
+                                    with a KRB_AP_REP message.
+
+         3-31     RESERVED
+                                    Reserved for future use.
+
+ticket
+ This field is a ticket authenticating the client to the server.
+authenticator
+ This contains the authenticator, which includes the client's choice of
+ a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the
+     checksum is computed over the encoding of the KRB-SAFE sequence, then
+     the checksum is set to the result of that computation, and finally the
+     KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned, that
+     the inclusion of this address prevents some kinds of replay attacks
+     (e.g., reflection attacks) and that it is only acceptable to omit this
+     address if there is sufficient information in the integrity protected
+     part of the application message for the recipient to unambiguously
+     determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify such
+a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the client
+should not use any fields in this message for security-critical purposes,
+such as setting a system clock or generating a fresh authenticator. The
+message can be useful, however, for advising a user on the reason for some
+failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+(*REMOVE7/14*)  e-typed-data[14]              SEQUENCE of ETypedData
+OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types defined
+     prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when
+     using new PA data types defined in July 1999 or later, the METHOD-DATA
+     sequence must itself be encapsulated in an TypedData element of type
+     TD-PADATA. All new implementations interpreting the METHOD-DATA field
+     for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of
+     TD-PADATA, extract the typed data field and interpret the use any
+     elements encapsulated in the TD-PADATA elements as if they were present
+     in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+e-typed-data
+     [***Will be deleted 7/14***] This field contains optional data that may
+     be used to help the client recover from the indicated error. [This
+     could contain the METHOD-DATA specified since I don't think anyone
+     actually uses it yet. It could also contain the PA-DATA sequence for
+     the preauth required error if we had a clear way to transition to the
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     use of this field from the use of the untyped e-data field.] For
+     example, this field may specify the key version of the key used to
+     verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to
+                      verify preauthentication
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use stream
+encryption ciphers, which can be simulated using commonly available block
+encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption is
+used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in confidence.
+Proof of knowledge of this secret key is used to verify the authenticity of
+a principal. [*** Discussion above will change to use 3DES as example
+7/14/99 ***]
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+the ability to obtain the secret key or session key implies the knowledge of
+the appropriate keys and the identity of the KDC. The ability of a principal
+to decrypt the KDC response and present a Ticket and a properly formed
+Authenticator (generated with the session key from the KDC response) to a
+service verifies the identity of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove its knowledge
+thereof in a response verifies the identity of the service.
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen to
+make brute force attacks more difficult. Poorly chosen keys still make easy
+targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder) at
+the start of the message. The requirements for a confounder are specified
+with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included. It
+is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because users
+who are registered in more than one realm will often use the same password
+in each, and it is desirable that an attacker compromising the Kerberos
+server in one realm not obtain or derive the user's key in another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption algorithm
+to data composed of the message and algorithm-specific inputs. Encryption
+mechanisms defined for use with Kerberos must take sufficient measures to
+guarantee the integrity of the plaintext, and we recommend they also take
+measures to protect against precomputed dictionary attacks. If the
+encryption algorithm is not itself capable of doing so, the protections can
+often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5 which
+is to be encrypted. The confounder, checksum, and padding are all untagged
+and untyped, and their length is exactly sufficient to hold the appropriate
+item. The type and length is implicit and specified by the particular
+encryption type being used (etype). The format for the data to be encrypted
+is described in the following diagram:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and the
+appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which are
+not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+encryption type to communicate with all others using that type, the
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional information.
+6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption that is to be performed
+     using the key that follows in the keyvalue field. It will always
+     correspond to the etype to be used to generate or decode the
+     EncryptedData. In cases when multiple algorithms use a common kind of
+     key (e.g., if the encryption algorithm uses an alternate checksum
+     algorithm for an integrity check, or a different chaining mechanism),
+     the keytype provides information needed to determine which algorithm is
+     to be used.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpreta- tions.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. A
+CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field. DES
+blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
+of confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+String to key transformation
+
+To generate a DES key from a text string (password), a "salt" is
+concatenated to the text string, and then padded with ASCII nulls to an 8
+byte boundary. This "salt" is normally the realm and each component of the
+principal's name appended. However, sometimes different salts are used ---
+for example, when a realm is renamed, or if a user changes her username, or
+for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
+null string for the salt). This string is then fan-folded and eXclusive-ORed
+with itself to form an 8 byte DES key. Before eXclusive-ORing a block, every
+byte is shifted one bit to the left to leave the lowest bit zero. The key is
+the "corrected" by correcting the parity on the key, and if the key matches
+a 'weak' or 'semi-weak' key as described in the DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0. This key is then used to
+generate a DES CBC checksum on the initial string (with the salt appended).
+The result of the CBC checksum is the "corrected" as described above to form
+the result which is return as the key. Pseudocode follows:
+
+     name_to_default_salt(realm, name) {
+          s = realm
+          for(each component in name) {
+               s = s + component;
+          }
+          return s;
+     }
+
+     key_correction(key) {
+          fixparity(key);
+          if (is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+     string_to_key(string,salt) {
+
+          odd = 1;
+          s = string + salt;
+          tempkey = NULL;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               left shift every byte in 8byteblock one bit;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          tempkey = key_correction(tempkey);
+          key = key_correction(DES-CBC-check(s,tempkey));
+          return(key);
+     }
+
+6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
+Derivation [Horowitz]
+
+[*** Note that there are several 3DES varients in use in different Kerberos
+implemenations, updates to this section will be sent to the cat list and
+krb-protocol list prior to the Oslo IETF, including the key derivation and
+non-key derivation varients ***] NOTE: This description currently refers to
+documents, the contents of which might be bettered included by value in this
+spec. The description below was provided by Marc Horowitz, and the form in
+which it will finally appear is yet to be determined. This description is
+included in this version of the draft because it does describe the
+implemenation ready for use with the MIT implementation. Note also that the
+encryption identifier has been left unspecified here because the value from
+Marc Horowitz's spec conflicted with some other impmenentations implemented
+based on perevious versions of the specification.
+
+This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
+[Krawczyk96] message authentication algorithm, and key derivation for
+Kerberos V5 [HorowitzB96].
+
+The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
+hmac-sha1-des3 checksum type has been assigned the value 12.
+
+Encryption Type des3-cbc-hmac-sha1
+
+EncryptedData using this type must be generated as described in
+[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
+keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
+must be used. If the length of the input data is not a multiple of the block
+size, zero octets must be used to pad the plaintext to the next eight-octet
+boundary. The counfounder must be eight random octets (one block).
+
+Checksum Type hmac-sha1-des3
+
+Checksums using this type must be generated as described in [Horowitz96].
+The keyed hash algorithm is HMAC-SHA1.
+
+Common Requirements
+
+The EncryptionKey value is 24 octets long. The 7 most significant bits of
+each octet contain key bits, and the least significant bit is the inverse of
+the xor of the key bits.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+For the purposes of key derivation, the block size is 64 bits, and the key
+size is 168 bits. The 168 bits output by key derivation are converted to an
+EncryptionKey value as follows. First, the 168 bits are divided into three
+groups of 56 bits, which are expanded individually into 64 bits as follows:
+
+ 1  2  3  4  5  6  7  p
+ 9 10 11 12 13 14 15  p
+17 18 19 20 21 22 23  p
+25 26 27 28 29 30 31  p
+33 34 35 36 37 38 39  p
+41 42 43 44 45 46 47  p
+49 50 51 52 53 54 55  p
+56 48 40 32 24 16  8  p
+
+The "p" bits are parity bits computed over the data bits. The output of the
+three expansions are concatenated to form the EncryptionKey value.
+
+When the HMAC-SHA1 of a string is computed, the key is used in the
+EncryptedKey form.
+
+Key Derivation
+
+In the Kerberos protocol, cryptographic keys are used in a number of places.
+In order to minimize the effect of compromising a key, it is desirable to
+use a different key for each of these places. Key derivation [Horowitz96]
+can be used to construct different keys for each operation from the keys
+transported on the network. For this to be possible, a small change to the
+specification is necessary.
+
+This section specifies a profile for the use of key derivation [Horowitz96]
+with Kerberos. For each place where a key is used, a ``key usage'' must is
+specified for that purpose. The key, key usage, and encryption/checksum type
+together describe the transformation from plaintext to ciphertext, or
+plaintext to checksum.
+
+Key Usage Values
+
+This is a complete list of places keys are used in the kerberos protocol,
+with key usage values and RFC 1510 section numbers:
+
+ 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+    client key (section 5.4.1)
+ 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+    application session key), encrypted with the service key
+    (section 5.4.2)
+ 3. AS-REP encrypted part (includes tgs session key or application
+    session key), encrypted with the client key (section 5.4.2)
+ 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    session key (section 5.4.1)
+ 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    authenticator subkey (section 5.4.1)
+ 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+    with the tgs session key (sections 5.3.2, 5.4.1)
+ 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+    authenticator subkey), encrypted with the tgs session key
+    (section 5.3.2)
+ 8. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs session key (section 5.4.2)
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+ 9. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs authenticator subkey (section 5.4.2)
+10. AP-REQ Authenticator cksum, keyed with the application session
+    key (section 5.3.2)
+11. AP-REQ Authenticator (includes application authenticator
+    subkey), encrypted with the application session key (section
+    5.3.2)
+12. AP-REP encrypted part (includes application session subkey),
+    encrypted with the application session key (section 5.5.2)
+13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+    application (section 5.7.1)
+14. KRB-CRED encrypted part, encrypted with a key chosen by the
+    application (section 5.6.1)
+15. KRB-SAVE cksum, keyed with a key chosen by the application
+    (section 5.8.1)
+18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+Key usage values between 1024 and 2047 (inclusive) are reserved for
+application use. Applications should use even values for encryption and odd
+values for checksums within this range.
+
+A few of these key usages need a little clarification. A service which
+receives an AP-REQ has no way to know if the enclosed Ticket was part of an
+AS-REP or TGS-REP. Therefore, key usage 2 must always be used for generating
+a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
+
+There might exist other documents which define protocols in terms of the
+RFC1510 encryption types or checksum types. Such documents would not know
+about key usages. In order that these documents continue to be meaningful
+until they are updated, key usages 1024 and 1025 must be used to derive keys
+for encryption and checksums, respectively. New protocols defined in terms
+of the Kerberos encryption and checksum types should use their own key
+usages. Key usages may be registered with IANA to avoid conflicts. Key
+usages must be unsigned 32 bit integers. Zero is not permitted.
+
+Defining Cryptosystems Using Key Derivation
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and one
+for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the protocol key is from the EncryptionKey from the wire protocol, and
+the key usage is represented as a 32 bit integer in network byte order. The
+ciphertest must be generated from the plaintext as follows:
+
+   ciphertext = E(Ke, confounder | plaintext | padding) |
+                H(Ki, confounder | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, plaintext)
+
+Note that each enctype is described by an encryption algorithm E and a keyed
+hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+Key Derivation from Passwords
+
+The well-known constant for password key derivation must be the byte string
+{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
+ASCII encoding for the string "kerberos".
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether they
+are collision-proof, and whether they are keyed. It is infeasible to find
+two plaintexts which generate the same checksum value for a collision-proof
+checksum. A key is required to perturb or initialize the algorithm in a
+keyed checksum. To prevent message-stream modification by an active
+attacker, unkeyed checksums should only be used when the checksum and
+message will be subsequently encrypted (e.g. the checksums defined as part
+of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
+encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
+confounder before the checksum is calculated.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
+as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
+octets in length. The CRC-32 is neither keyed nor collision-proof. The use
+of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to
+be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant). This
+checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to
+be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using DES
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 24 octets long (8 octets of which are redundant). This checksum
+is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys'; those
+keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using DES
+in cipher-block-chaining (CBC) mode using a a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This
+checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos, nor
+shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using DES
+in cipher-block-chaining (CBC) mode using a DES key as both key and
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and it
+is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the checksum
+value. It is keyed with an encryption key and an initialization vector; any
+uses which do not specify an additional initialization vector will use the
+key as both key and initialization vector. The resulting checksum is 64 bits
+(8 octets) long. This checksum is tamper-proof and collision-proof. Note
+that this checksum type is the old method for encoding the DES-MAC checksum
+and it is no longer recommended. The DES specifications identify some 'weak
+keys' and 'semi-weak keys'; those keys shall not be used for generating
+DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in the
+case of the characters are not equivalent. There are presently four styles
+of realm names: domain, X500, other, and reserved. Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+equal. The realm names for X.500 names will be string representations of the
+names with components separated by slashes. Leading and trailing slashes
+will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment of
+realm names in the domain and X.500 categories: the name of a realm for the
+domain or X.500 formats must either be used by the organization owning (to
+whom it was assigned) an Internet domain name or X.500 name, or in the case
+that no such names are registered, authority to use a realm name may be
+derived from the authority of the parent realm. For example, if there is no
+domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children in
+the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring the
+name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE
+principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet,
+rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+When a name implies no information other than its uniqueness at a particular
+time the name type PRINCIPAL should be used. The principal name type should
+be used for users, and it might also be used for a unique server. If the
+name is a unique machine generated ID that is guaranteed never to be
+reassigned then the name type of UID should be used (note that it is
+generally a bad idea to reassign names of any type since stale entries might
+remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified manner,
+then the name type of SRV-INST should be used. An example of this name type
+is the Kerberos ticket-granting service whose name has a first component of
+krbtgt and a second component identifying the realm for which the ticket is
+valid.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 2253.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for the
+Kerberos ticket granting service. See section 8.2.3 for the form of such
+names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host. Where
+the name of the host is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower case. If specified by the
+application protocol for services such as telnet and the Berkeley R commands
+which run with system privileges, the first component may be the string
+'host' instead of a service specific identifier. When a host has an official
+name and one or more aliases, the official name of the host must be used
+when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+8.1. Host address types
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Internet (IPv6) Addresses [Westerlund]
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network
+number. The first octet of the address is the node number; the remaining two
+octets encode the network number in MSB order. The type of AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+Netbios addresses
+
+Netbios addresses are 16-octet addresses typically composed of 1 to 15
+characters, trailing blank (ascii char 20) filled, with a 16th octet of 0x0.
+The type of Netbios addresses is 20 (0x14).
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal) and
+clients should support the sending of TCP requests on port 88 (decimal).
+When the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
+connection will be established for each authentication exchange (request and
+response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
+client on the same TCP stream that was established for the request. The
+response to a request made through TCP/IP transport must also use TCP/IP
+transport. Implementors should note that some extentions to the Kerberos
+protocol will not work if any implementation not supporting the TCP
+transport is involved (client or KDC). Implementors are strongly urged to
+support the TCP transport on both the client and server and are advised that
+the current notation of "should" support will likely change in the future to
+must support. The KDC may close the TCP stream after sending a response, but
+may leave the stream open if it expects a followup - in which case it may
+close the stream at any time if resource constratints or other factors make
+it desirable to do so. Care must be taken in managing TCP/IP connections
+with the KDC to prevent denial of service attacks based on the number of
+TCP/IP connections with the KDC that remain open. If multiple exchanges with
+the KDC are needed for certain forms of preauthentication, multiple TCP
+connections may be required. A client may close the stream after receiving
+response, and should close the stream if it does not expect to send followup
+messages. The client must be prepared to have the stream closed by the KDC
+at anytime, in which case it must simply connect again when it is ready to
+send subsequent messages.
+
+The first four octets of the TCP stream used to transmit the request request
+will encode in network byte order the length of the request (KRB_KDC_REQ),
+and the length will be followed by the request itself. The response will
+similarly be preceeded by a 4 octet encoding in network byte order of the
+length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
+the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is set on the
+integer represented by the first 4 octets, then the next 4 octets will be
+read, extending the length of the field by another 4 octets (less the sign
+bit which is reserved for future expansion).
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+                      security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in the
+ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed of
+three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
+name of type NT-SRV-INST, with the first part "krbtgt" and the second part
+the name of the realm which will accept the ticket-granting ticket. For
+example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
+of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
+ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
+tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings. Ranges are specified in the "specification" section that limit the
+values of constants for which values are defined here. This allows
+implementations to make assumptions about the maximum values that will be
+received for these constants. Implementation receiving values outside the
+range specified in the "specification" section may reject the request, but
+they must recover cleanly.
+
+Encryption type       etype value block size  minimum pad size  confounder
+size
+NULL                           0     1           0                 0
+des-cbc-crc                    1     8           4                 8
+des-cbc-md4                    2     8           0                 8
+des-cbc-md5                    3     8           0                 8
+                     4
+des3-cbc-md5                   5     8           0                 8
+                     6
+des3-cbc-sha1                  7     8           0                 8
+sign-dsa-generate              8
+(old-pkinit-will-remove)
+dsaWithSHA1-CmsOID             9                                 (pkinit)
+md5WithRSAEncryption-CmsOID   10                                 (pkinit)
+sha1WithRSAEncryption-CmsOID  11                                 (pkinit)
+rc2CBC-EnvOID                 12                                 (pkinit)
+rsaEncryption-EnvOID          13                      (pkinit from PKCS#1
+v1.5)
+rsaES-OAEP-ENV-OID            14                      (pkinit from PKCS#1
+v2.0)
+des-ede3-cbc-Env-OID          15                                 (pkinit)
+des3kd-cbc-sha1               ??     8                 0                 8
+ENCTYPE_PK_CROSS              48                      (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             12                  20  (I had this as 10, is it
+12)
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (***remove on 7/14***)
+PA-PK-KEY-REQ                   17                  (***remove on 7/14***)
+PA-PK-KEY-REP                   18                  (***remove on 7/14***)
+PA-USE-SPECIFIED-KVNO           20
+SAM-REDIRECT                    21                  (sam/otp)
+PA-GET-FROM-TYPED-DATA          22
+
+data-type                     value    form of typed-data
+
+                      1-21
+TD-PADATA                       22
+TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+TD-KRB-PRINCIPAL                102
+TD-KRB-REALM                    103
+TD-TRUSTED-CERTIFIERS           104
+TD-CERTIFICATE-INDEX            105
+
+authorization data type         ad-type value
+AD-IF-RELEVANT                     1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-KDC-ISSUED                      4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward
+credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for
+users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version # not
+supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end
+time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired
+[40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user
+only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+KDC_ERROR_INVALID_SIG                   64 (pkinit)
+KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+KDC_ERR_WRONG_REALM                     68 (user-to-user)
+KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among these
+are multiple encryption and checksum types, alternative encoding schemes for
+the transited field, optional mechanisms for pre-authentication, the
+handling of tickets with no addresses, options for mutual authentication,
+user to user authentication, support for proxies, forwarding, postdating,
+and renewing tickets, the format of realm names, and the handling of
+authorization data.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+In order to ensure the interoperability of realms, it is necessary to define
+a minimal configuration which must be supported by all implementations. This
+minimal configuration is subject to change as technology does. For example,
+if at some later date it is discovered that one of the required encryption
+or checksum algorithms is not secure, it will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification 2
+must support UDP/IP transport for messages with the KDC and should support
+TCP/IP transport.
+
+Encryption and checksum methods
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to also
+support them: This list is to be determined. [***This section will change,
+and alternatives will be sent to the cat and krb-protocol list prior to the
+Oslo IETF - change will be made 7/14/99 ***]
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the Internet
+Domain and the X.500 style. When a ticket granting ticket for an unknown
+realm is requested, the KDC must be able to determine the names of the
+intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but need
+not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling server.
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
+must be provided by implementations, but individual realms may decide as a
+matter of policy to reject such requests on a per-principal or realm-wide
+basis.
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+Constant ranges
+
+All protocol constants are constrained to 32 bit (signed) values unless
+further constrained by the protocol definition. This limit is provided to
+allow implementations to make assumptions about the maximum values that will
+be received for these constants. Implementation receiving values outside
+this range may reject the request, but they must recover cleanly.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based on
+the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+[Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+          Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+          August 1998.
+
+[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+          horowitz-kerb-key-derivation-01.txt, September 1998.
+
+[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+          Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+          md5-01.txt, August, 1996.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew)
+then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                                     new_tkt.starttime+client.max_rlife,
+                                     new_tkt.starttime+server.max_rlife,
+                                     new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that
+*/
+        /* should be are set
+*/
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly
+*/
+        /* call this routine to get the appropriate ticket-granting ticket
+*/
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing
+the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The
+realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname)
+then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and
+            keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would
+*/
+          /* have been rejected in the initial authentication stage, so
+*/
+          /* there is no need to check again here
+*/
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing
+*/
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                      new_tkt.starttime+client.max_rlife,
+                                      new_tkt.starttime+server.max_rlife,
+                                      new_tkt.starttime+max_rlife_for_realm,
+                                      tgt.renew-till);
+        else
+              new_tkt.renew-till := OMIT; /* leave the renew-till field out
+*/
+        endif
+        if (req.enc-authorization-data is present) then
+          decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                  using auth_hdr.authenticator.subkey;
+          if (decrypt_error()) then
+                  error_out(KRB_AP_ERR_BAD_INTEGRITY);
+          endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data
++
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+            new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                 using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                 using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                            using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof
+              and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number
+              not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part of
+the ticket. The types of the encapsulating elements are specified as part of
+the Kerberos specification because the behavior based on these values should
+be understood across implementations whereas other elements need only be
+understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection heading.
+
+B.1. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not found,
+this element should be ignored. If found, then the encapsulated elements
+should be evaluated in the same manner as if they were present in the top
+level authorization data field. Applications and application servers that do
+not implement this element should reject tickets that contain authorization
+data elements of this type.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may also
+be added to a delegated ticket by inclusion in the authenticator.
+
+For KDC-issued elements this is prevented because the elements are signed by
+the KDC by including a checksum encrypted using the server's key (the same
+key used to encrypt the ticket - or a key derived from that key). Elements
+encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by setting
+the condition count to the number of embedded elements. Application servers
+that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same hash algorithm used to protect the
+integrity of the ticket itself. This checksum will be calculated over an
+individual extension field. If there are more than one extension, multiple
+Mandatory-Ticket-Extensions authorization data elements may be present, each
+with a checksum for a different extension field. This restriction indicates
+that the ticket should not be accepted if a ticket extension is not present
+in the ticket for which the checksum does not match that checksum specified
+in the authorization data element. Application servers that do not implement
+this element must reject tickets that contain authorization data elements of
+this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same hash algorithm used to protect the
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list of
+constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that the
+KDC can determine on presentation of the ticket granting ticket whether the
+client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket extension.
+  ------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the identity
+verification applies only to the initiation of the connection, and does not
+guarantee that subsequent messages on the connection originate from the same
+principal.
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and engage
+in normal exchanges with that realm's services. However, for even small
+numbers of clients this becomes cumbersome, and more automatic methods as
+described here are necessary.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by a
+local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This can
+only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is
+not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored in
+a nameserver, or it might be obtained from a configura- tion file. If the
+realm to be used is obtained from a nameserver, there is a danger of being
+spoofed if the nameservice providing the realm name is not authenti- cated.
+This might result in the use of a realm which has been compromised, and
+would result in an attacker's ability to compromise the authentication of
+the application server to the client.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server keys
+in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the database
+and the server on the same machine; it is feasible to store the principal
+database in, say, a network name service, as long as the entries stored
+therein are protected from disclosure to and modification by unauthorized
+parties. However, we recommend against such strategies, as they can make
+system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a nonce
+will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper cipher
+chaining. The initialization vector might come from the last block of the
+ciphertext from the previous KRB_PRIV message, but it is the application's
+choice whether or not to use such an initialization vector. If left out, the
+default initialization vector for the encryption algorithm will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message starts
+with random data, but the tag and its length are fixed. For other fields,
+the length and tag would be redundant if they were included because they are
+specified by the encryption type. [36] The ordering of the fields in the
+CipherText is important. Additionally, messages encoded in this format must
+include a length as part of the msg-seq field. This allows the recipient to
+verify that the message has not been truncated. Without a length, an
+attacker could use a chosen plaintext attack to generate a message which
+could be truncated, while leaving the checksum intact. Note that if the
+msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
new file mode 100644
index 0000000..e76a0e4
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
@@ -0,0 +1,250 @@
+INTERNET-DRAFT                                             Ken Hornstein
+<draft-ietf-cat-krb-dns-locate-00.txt>                               NRL
+June 21, 1999                                             Jeffrey Altman
+Expires: December 21, 1999                           Columbia University
+
+          Distributing Kerberos KDC and Realm Information with DNS
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Distribution of this memo is unlimited.  It is filed as <draft-ietf-
+   cat-krb-dns-locate-00.txt>, and expires on December 21, 1999.  Please
+   send comments to the authors.
+
+Abstract
+
+   Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
+   col [RFC????] describe any mechanism for clients to learn critical
+   configuration information necessary for proper operation of the pro-
+   tocol.  Such information includes the location of Kerberos key dis-
+   tribution centers or a mapping between DNS domains and Kerberos
+   realms.
+
+   Current Kerberos implementations generally store such configuration
+   information in a file on each client machine.  Experience has shown
+   this method of storing configuration information presents problems
+   with out-of-date information and scaling problems, especially when
+
+Hornstein, Altman                                               [Page 1]
+
+RFC DRAFT                                                  June 21, 1999
+
+   using cross-realm authentication.
+
+   This memo describes a method for using the Domain Name System
+   [RFC1035] for storing such configuration information.  Specifically,
+   methods for storing KDC location and hostname/domain name to realm
+   mapping information are discussed.
+
+Overview - KDC location information
+
+   KDC location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kerberos is always "_kerberos".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_udp" record MUST be included.  If the Kerberos implementa-
+   tion supports TCP transport, a "_tcp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - KDC location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has two Ker-
+   beros servers, kdc1.asdf.com and kdc2.asdf.com.  Queries should be
+   directed to kdc1.asdf.com first as per the specified priority.
+   Weights are not used in these records.
+
+   _kerberos._udp.ASDF.COM.        IN      SRV     0 0 88 kdc1.asdf.com.
+   _kerberos._udp.ASDF.COM.        IN      SRV     1 0 88 kdc2.asdf.com.
+
+Overview - KAdmin location information
+
+   Kadmin location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kadmin is always "_kadmin".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_tcp" record MUST be included.  If the Kadmin implementation
+   supports UDP transport, a "_udp" record SHOULD be included.
+
+Hornstein, Altman                                               [Page 2]
+
+RFC DRAFT                                                  June 21, 1999
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - Kadmin location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has one Kad-
+   min server, kdc1.asdf.com.
+
+   _kadmin._tcp.ASDF.COM.  IN      SRV     0 0 88 kdc1.asdf.com.
+
+Overview - Hostname/domain name to Kerberos realm mapping
+
+   Information on the mapping of DNS hostnames and domain names to Ker-
+   beros realms is stored using DNS TXT records [RFC 1035].  These
+   records have the following format.
+
+   Service.Name TTL Class TXT Realm
+
+   The Service field is always "_kerberos", and prefixes all entries of
+   this type.
+
+   The Name is a DNS hostname or domain name.  This is explained in
+   greater detail below.
+
+   TTL, Class, and TXT have the standard DNS meaning as defined in RFC
+   1035.
+
+   The Realm is the data for the TXT RR, and consists simply of the Ker-
+   beros realm that corresponds to the Name specified.
+
+   When a Kerberos client wishes to utilize a host-specific service, it
+   will perform a DNS TXT query, using the hostname in the Name field of
+   the DNS query.  If the record is not found, the first label of the
+   name is stripped and the query is retried.
+
+   Compliant implementations MUST query the full hostname and the most
+   specific domain name (the hostname with the first label removed).
+   Compliant implementations SHOULD try stripping all subsequent labels
+   until a match is found or the Name field is empty.
+
+Example - Hostname/domain name to Kerberos realm mapping
+
+   For the previously mentioned ASDF.COM realm and domain, some sample
+   records might be as follows:
+
+   _kerberos.asdf.com.             IN      TXT     "ASDF.COM"
+
+Hornstein, Altman                                               [Page 3]
+
+RFC DRAFT                                                  June 21, 1999
+
+   _kerberos.mrkserver.asdf.com.   IN      TXT     "MARKETING.ASDF.COM"
+   _kerberos.salesserver.asdf.com. IN      TXT     "SALES.ASDF.COM"
+
+   Let us suppose that in this case, a Kerberos client wishes to use a
+   Kerberized service on the host foo.asdf.com.  It would first query:
+
+   _kerberos.foo.asdf.com. IN TXT
+
+   Finding no match, it would then query:
+
+   _kerberos.asdf.com. IN TXT
+
+   And find an answer of ASDF.COM.  This would be the realm that
+   foo.asdf.com resides in.
+
+   If another Kerberos client wishes to use a Kerberized service on the
+   host salesserver.asdf.com, it would query:
+
+   _kerberos.salesserver.asdf.com IN TXT
+
+   And find an answer of SALES.ASDF.COM.
+
+Security considerations
+
+   As DNS is deployed today, it is an unsecure service.  Thus the infor-
+   mation returned by it cannot be trusted.  However, the use of DNS to
+   store this configuration information does not introduce any new secu-
+   rity risks to the Kerberos protocol.
+
+   Current practice is to use hostnames to indicate KDC hosts (stored in
+   some implementation-dependent location, but generally a local config
+   file).  These hostnames are vulnerable to the standard set of DNS
+   attacks (denial of service, spoofed entries, etc).  The design of the
+   Kerberos protocol limits attacks of this sort to denial of service.
+   However, the use of SRV records does not change this attack in any
+   way.  They have the same vulnerabilities that already exist in the
+   common practice of using hostnames for KDC locations.
+
+   The same holds true for the TXT records used to indicate the domain
+   name to realm mapping.  Current practice is to configure these map-
+   pings locally.  But this again is vulnerable to spoofing via CNAME
+   records that point to hosts in other domains.  This has the same
+   effect as a spoofed TXT record.
+
+   While the described protocol does not introduce any new security
+   risks to the best of our knowledge, implementations SHOULD provide a
+   way of specifying this information locally without the use of DNS.
+   However, to make this feature worthwhile a lack of any configuration
+
+Hornstein, Altman                                               [Page 4]
+
+RFC DRAFT                                                  June 21, 1999
+
+   information on a client should be interpretted as permission to use
+   DNS.
+
+Expiration
+
+   This Internet-Draft expires on December 21, 1999.
+
+References
+
+   [RFC1510]
+        The Kerberos Network Authentication System; Kohl, Newman; Sep-
+        tember 1993.
+
+   [RFC1035]
+        Domain Names - Implementation and Specification; Mockapetris;
+        November 1987
+
+   [RFC2052]
+        A DNS RR for specifying the location of services (DNS SRV); Gul-
+        brandsen, Vixie; October 1996
+
+Authors' Addresses
+
+   Ken Hornstein
+   US Naval Research Laboratory
+   Bldg A-49, Room 2
+   4555 Overlook Avenue
+   Washington DC  20375 USA
+
+   Phone: +1 (202) 404-4765
+   EMail: kenh@cmf.nrl.navy.mil
+
+   Jeffrey Altman
+   The Kermit Project
+   Columbia University
+   612 West 115th Street #716
+   New York NY 10025-7799 USA
+
+   Phone: +1 (212) 854-1344
+   EMail: jaltman@columbia.edu
+
+Hornstein, Altman                                               [Page 5]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt
new file mode 100644
index 0000000..885cf49
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt
@@ -0,0 +1,3415 @@
+FTPEXT Working Group                                              R. Elz
+Internet Draft                                   University of Melbourne
+Expiration Date: April 2000
+                                                              P. Hethmon
+                                                        Hethmon Brothers
+
+                                                            October 1999
+
+
+                           Extensions to FTP
+
+
+                     draft-ietf-ftpext-mlst-08.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is NOT offered in accordance
+   with Section 10 of RFC2026, and the author does not provide the IETF
+   with any rights other than to publish as an Internet-Draft.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   To view the list Internet-Draft Shadow Directories, see
+   http://www.ietf.org/shadow.html.
+
+   This entire section has been prepended to this document automatically
+   during formatting without any direct involvement by the author(s) of
+   this draft.
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 1]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+Abstract
+
+   In order to overcome the problems caused by the undefined format of
+   the current FTP LIST command output, a new command is needed to
+   transfer standardized listing information from Server-FTP to User-
+   FTP.  Commands to enable this are defined in this document.
+
+   In order to allow consenting clients and servers to interact more
+   freely, a quite basic, and optional, virtual file store structure is
+   defined.
+
+   This proposal also extends the FTP protocol to allow character sets
+   other than US-ASCII[1] by allowing the transmission of 8-bit
+   characters and the recommended use of UTF-8[2] encoding.
+
+   Much implemented, but long undocumented, mechanisms to permit
+   restarts of interrupted data transfers in STREAM mode, are also
+   included here.
+
+   Lastly, the HOST command has been added to allow a style of "virtual
+   site" to be constructed.
+
+   Changed in this version of this document: Minor corrections as
+   discussed on the mailing list, including fixing many typographical
+   errors; Additional examples.  This paragraph will be deleted from the
+   final version of this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 2]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+
+
+Table of Contents
+
+          Abstract  ................................................   2
+    1     Introduction  ............................................   4
+    2     Document Conventions  ....................................   4
+    2.1   Basic Tokens  ............................................   5
+    2.2   Pathnames  ...............................................   5
+    2.3   Times  ...................................................   7
+    2.4   Server Replies  ..........................................   8
+    3     File Modification Time (MDTM)  ...........................   8
+    3.1   Syntax  ..................................................   9
+    3.2   Error responses  .........................................   9
+    3.3   FEAT response for MDTM  ..................................   9
+    3.4   MDTM Examples  ...........................................  10
+    4     File SIZE  ...............................................  11
+    4.1   Syntax  ..................................................  11
+    4.2   Error responses  .........................................  11
+    4.3   FEAT response for SIZE  ..................................  12
+    4.4   Size Examples  ...........................................  12
+    5     Restart of Interrupted Transfer (REST)  ..................  13
+    5.1   Restarting in STREAM Mode  ...............................  13
+    5.2   Error Recovery and Restart  ..............................  14
+    5.3   Syntax  ..................................................  14
+    5.4   FEAT response for REST  ..................................  16
+    5.5   REST Example  ............................................  16
+    6     Virtual FTP servers  .....................................  16
+    6.1   The HOST command  ........................................  18
+    6.2   Syntax of the HOST command  ..............................  18
+    6.3   HOST command semantics  ..................................  19
+    6.4   HOST command errors  .....................................  21
+    6.5   FEAT response for HOST command  ..........................  22
+    7     A Trivial Virtual File Store (TVFS)  .....................  23
+    7.1   TVFS File Names  .........................................  23
+    7.2   TVFS Path Names  .........................................  24
+    7.3   FEAT Response for TVFS  ..................................  25
+    7.4   OPTS for TVFS  ...........................................  26
+    7.5   TVFS Examples  ...........................................  26
+    8     Listings for Machine Processing (MLST and MLSD)  .........  28
+    8.1   Format of MLSx Requests  .................................  29
+    8.2   Format of MLSx Response  .................................  29
+    8.3   Filename encoding  .......................................  32
+    8.4   Format of Facts  .........................................  33
+    8.5   Standard Facts  ..........................................  33
+    8.6   System Dependent and Local Facts  ........................  41
+    8.7   MLSx Examples  ...........................................  42
+    8.8   FEAT response for MLSx  ..................................  50
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 3]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+    8.9   OPTS parameters for MLST  ................................  51
+    9     Impact On Other FTP Commands  ............................  55
+   10     Character sets and Internationalization  .................  56
+   11     IANA Considerations  .....................................  56
+   11.1   The OS specific fact registry  ...........................  56
+   11.2   The OS specific filetype registry  .......................  57
+   12     Security Considerations  .................................  57
+   13     References  ..............................................  58
+          Acknowledgments  .........................................  59
+          Copyright  ...............................................  60
+          Editors' Addresses  ......................................  60
+
+
+
+
+1. Introduction
+
+   This document amends the File Transfer Protocol (FTP) [3].  Five new
+   commands are added: "SIZE", "HOST", "MDTM", "MLST", and "MLSD".  The
+   existing command "REST" is modified.  Of those, the "SIZE" and "MDTM"
+   commands, and the modifications to "REST" have been in wide use for
+   many years.  The others are new.
+
+   These commands allow a client to restart an interrupted transfer in
+   transfer modes not previously supported in any documented way, to
+   support the notion of virtual hosts, and to obtain a directory
+   listing in a machine friendly, predictable, format.
+
+   An optional structure for the server's file store (NVFS) is also
+   defined, allowing servers that support such a structure to convey
+   that information to clients in a standard way, thus allowing clients
+   more certainty in constructing and interpreting path names.
+
+2. Document Conventions
+
+   This document makes use of the document conventions defined in BCP14
+   [4].  That provides the interpretation of capitalized imperative
+   words like MUST, SHOULD, etc.
+
+   This document also uses notation defined in STD 9 [3].  In
+   particular, the terms "reply", "user", "NVFS", "file", "pathname",
+   "FTP commands", "DTP", "user-FTP process", "user-PI", "user-DTP",
+   "server-FTP process", "server-PI", "server-DTP", "mode", "type",
+   "NVT", "control connection", "data connection", and "ASCII", are all
+   used here as defined there.
+
+   Syntax required is defined using the Augmented BNF defined in [5].
+   Some general ABNF definitions are required throughout the document,
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 4]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   those will be defined later in this section.  At first reading, it
+   may be wise to simply recall that these definitions exist here, and
+   skip to the next section.
+
+2.1. Basic Tokens
+
+   This document imports the core definitions given in Appendix A of
+   [5].  There definitions will be found for basic ABNF elements like
+   ALPHA, DIGIT, SP, etc.  To that, the following terms are added for
+   use in this document.
+
+        TCHAR          = VCHAR / SP / HTAB    ; visible plus white space
+        RCHAR          = ALPHA / DIGIT / "," / "." / ":" / "!" /
+                         "@" / "#" / "$" / "%" / "^" /
+                         "&" / "(" / ")" / "-" / "_" /
+                         "+" / "?" / "/" / "\" / "'" /
+                         DQUOTE   ; <"> -- double quote character (%x22)
+
+   The VCHAR (from [5]), TCHAR, and RCHAR types give basic character
+   types from varying sub-sets of the ASCII character set for use in
+   various commands and responses.
+
+        token          = 1*RCHAR
+
+   A "token" is a string whose precise meaning depends upon the context
+   in which it is used.  In some cases it will be a value from a set of
+   possible values maintained elsewhere.  In others it might be a string
+   invented by one party to an FTP conversation from whatever sources it
+   finds relevant.
+
+   Note that in ABNF, string literals are case insensitive.  That
+   convention is preserved in this document, and implies that FTP
+   commands added by this specification have names that can be
+   represented in any case.  That is, "MDTM" is the same as "mdtm",
+   "Mdtm" and "MdTm" etc.  However note that ALPHA, in particular, is
+   case sensitive.  That implies that a "token" is a case sensitive
+   value.  That implication is correct.
+
+2.2. Pathnames
+
+   Various FTP commands take pathnames as arguments, or return pathnames
+   in responses.  When the MLST command is supported, as indicated in
+   the response to the FEAT command [6], pathnames are to be transferred
+   in one of the following two formats.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 5]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        pathname       = utf-8-name / raw
+        utf-8-name     = <a UTF-8 encoded Unicode string>
+        raw            = <any string not being a valid UTF-8 encoding>
+
+   Which format is used is at the option of the user-PI or server-PI
+   sending the pathname.  UTF-8 encodings [2] contain enough internal
+   structure that it is always, in practice, possible to determine
+   whether a UTF-8 or raw encoding has been used, in those cases where
+   it matters.  While it is useful for the user-PI to be able to
+   correctly display a pathname received from the server-PI to the user,
+   it is far more important for the user-PI to be able to retain and
+   retransmit the identical pathname when required.  Implementations are
+   advised against converting a UTF-8 pathname to a local encoding, and
+   then attempting to invert the encoding later.  Note that ASCII is a
+   subset of UTF-8.
+
+   Unless otherwise specified, the pathname is terminated by the CRLF
+   that terminates the FTP command, or by the CRLF that ends a reply.
+   Any trailing spaces preceding that CRLF form part of the name.
+   Exactly one space will precede the pathname and serve as a separator
+   from the preceding syntax element.  Any additional spaces form part
+   of the pathname.  See [7] for a fuller explanation of the character
+   encoding issues.  All implementations supporting MLST MUST support
+   [7].
+
+   Implementations should also beware that the control connection uses
+   Telnet NVT conventions [8], and that the Telnet IAC character, if
+   part of a pathname sent over the control connection, MUST be
+   correctly escaped as defined by the Telnet protocol.
+
+   Implementors should also be aware that although Telnet NVT
+   conventions are used over the control connections, Telnet option
+   negotiation MUST NOT be attempted.  See section 4.1.2.12 of [9].
+
+2.2.1. Pathname Syntax
+
+   Except where TVFS is supported (see section 7) this specification
+   imposes no syntax upon pathnames.  Nor does it restrict the character
+   set from which pathnames are created.  This does not imply that the
+   NVFS is required to make sense of all possible pathnames.  Server-PIs
+   may restrict the syntax of valid pathnames in their NVFS in any
+   manner appropriate to their implementation or underlying file system.
+   Similarly, a server-PI may parse the pathname, and assign meaning to
+   the components detected.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 6]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+2.2.2. Wildcarding
+
+   For the commands defined in this specification, all pathnames are to
+   be treated literally.  That is, for a pathname given as a parameter
+   to a command, the file whose name is identical to the pathname given
+   is implied.  No characters from the pathname may be treated as
+   special or "magic", thus no pattern matching (other than for exact
+   equality) between the pathname given and the files present in the
+   NVFS of the Server-FTP is permitted.
+
+   Clients that desire some form of pattern matching functionality must
+   obtain a listing of the relevant directory, or directories, and
+   implement their own filename selection procedures.
+
+2.3. Times
+
+   The syntax of a time value is:
+
+        time-val       = 14DIGIT [ "." 1*DIGIT ]
+
+   The leading, mandatory, fourteen digits are to be interpreted as, in
+   order from the leftmost, four digits giving the year, with a range of
+   1000-9999, two digits giving the month of the year, with a range of
+   01-12, two digits giving the day of the month, with a range of 01-31,
+   two digits giving the hour of the day, with a range of 00-23, two
+   digits giving minutes past the hour, with a range of 00-59, and
+   finally, two digits giving seconds past the minute, with a range of
+   00-60 (with 60 being used only at a leap second).  Years in the tenth
+   century, and earlier, cannot be expressed.  This is not considered a
+   serious defect of the protocol.
+
+   The optional digits, which are preceded by a period, give decimal
+   fractions of a second.  These may be given to whatever precision is
+   appropriate to the circumstance, however implementations MUST NOT add
+   precision to time-vals where that precision does not exist in the
+   underlying value being transmitted.
+
+   Symbolically, a time-val may be viewed as
+
+        YYYYMMDDHHMMSS.sss
+
+   The "." and subsequent digits ("sss") are optional.  However the "."
+   MUST NOT appear unless at least one following digit also appears.
+
+   Time values are always represented in UTC (GMT), and in the Gregorian
+   calendar regardless of what calendar may have been in use at the date
+   and time indicated at the location of the server-PI.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 7]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The technical differences between GMT, TAI, UTC, UT1, UT2, etc, are
+   not considered here.  A server-FTP process should always use the same
+   time reference, so the times it returns will be consistent.  Clients
+   are not expected to be time synchronized with the server, so the
+   possible difference in times that might be reported by the different
+   time standards is not considered important.
+
+2.4. Server Replies
+
+   Section 4.2 of [3] defines the format and meaning of replies by the
+   server-PI to FTP commands from the user-PI.  Those reply conventions
+   are used here without change.
+
+        error-response = error-code SP *TCHAR CRLF
+        error-code     = ("4" / "5") 2DIGIT
+
+   Implementors should note that the ABNF syntax (which was not used in
+   [3]) used in this document, and other FTP related documents,
+   sometimes shows replies using the one line format.  Unless otherwise
+   explicitly stated, that is not intended to imply that multi-line
+   responses are not permitted.  Implementors should assume that, unless
+   stated to the contrary, any reply to any FTP command (including QUIT)
+   may be of the multi-line format described in [3].
+
+   Throughout this document, replies will be identified by the three
+   digit code that is their first element.  Thus the term "500 reply"
+   means a reply from the server-PI using the three digit code "500".
+
+3. File Modification Time (MDTM)
+
+   The FTP command, MODIFICATION TIME (MDTM), can be used to determine
+   when a file in the server NVFS was last modified.  This command has
+   existed in many FTP servers for many years, as an adjunct to the REST
+   command for STREAM mode, thus is widely available.  However, where
+   supported, the "modify" fact which can be provided in the result from
+   the new MLST command is recommended as a superior alternative.
+
+   When attempting to restart a RETRieve, if the User-FTP makes use of
+   the MDTM command, or "modify" fact, it can check and see if the
+   modification time of the source file is more recent than the
+   modification time of the partially transferred file.  If it is, then
+   most likely the source file has changed and it would be unsafe to
+   restart the previously incomplete file transfer.
+
+   When attempting to restart a STORe, the User FTP can use the MDTM
+   command to discover the modification time of the partially
+   transferred file.  If it is older than the modification time of the
+   file that is about to be STORed, then most likely the source file has
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 8]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   changed and it would be unsafe to restart the file transfer.
+
+   Note that using MLST (described below) where available, can provide
+   this information, and much more, thus giving an even better
+   indication that a file has changed, and that restarting a transfer
+   would not give valid results.
+
+   Note that this is applicable to any RESTart attempt, regardless of
+   the mode of the file transfer.
+
+3.1. Syntax
+
+   The syntax for the MDTM command is:
+
+        mdtm          = "MdTm" SP pathname CRLF
+
+   As with all FTP commands, the "MDTM" command label is interpreted in
+   a case insensitive manner.
+
+   The "pathname" specifies an object in the NVFS which may be the
+   object of a RETR command.  Attempts to query the modification time of
+   files that are unable to be retrieved generate undefined responses.
+
+   The server-PI will respond to the MDTM command with a 213 reply
+   giving the last modification time of the file whose pathname was
+   supplied, or a 550 reply if the file does not exist, the modification
+   time is unavailable, or some other error has occurred.
+
+        mdtm-response = "213" SP time-val CRLF /
+                        error-response
+
+3.2. Error responses
+
+   Where the command is correctly parsed, but the modification time is
+   not available, either because the pathname identifies no existing
+   entity, or because the information is not available for the entity
+   named, then a 550 reply should be sent.  Where the command cannot be
+   correctly parsed, a 500 or 501 reply should be sent, as specified in
+   [3].
+
+3.3. FEAT response for MDTM
+
+   When replying to the FEAT command [6], an FTP server process that
+   supports the MDTM command MUST include a line containing the single
+   word "MDTM".  This MAY be sent in upper or lower case, or a mixture
+   of both (it is case insensitive) but SHOULD be transmitted in upper
+   case only.  That is, the response SHOULD be
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 9]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        C> Feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  MDTM
+        S>  ...
+        S> 211 End
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+3.4. MDTM Examples
+
+   If we assume the existence of three files, A B and C, and a directory
+   D, and no other files at all, then the MTDM command may behave as
+   indicated.  The "C>" lines are commands from user-PI to server-PI,
+   the "S>" lines are server-PI replies.
+
+        C> MDTM A
+        S> 213 19980615100045.014
+        C> MDTM B
+        S> 213 19980615100045.014
+        C> MDTM C
+        S> 213 19980705132316
+        C> MDTM D
+        S> 550 D is not retrievable
+        C> MDTM E
+        S> 550 No file named "E"
+        C> mdtm file6
+        S> 213 19990929003355
+        C> MdTm 19990929043300 File6
+        S> 213 19991005213102
+        C> MdTm 19990929043300 file6
+        S> 550 19990929043300 file6: No such file or directory.
+
+   From that we can conclude that both A and B were last modified at the
+   same time (to the nearest millisecond), and that C was modified 21
+   days and several hours later.
+
+   The times are in GMT, so file A was modified on the 15th of June,
+   1998, at approximately 11am in London (summer time was then in
+   effect), or perhaps at 8pm in Melbourne, Australia, or at 6am in New
+   York.  All of those represent the same absolute time of course.  The
+   location where the file was modified, and consequently the local wall
+   clock time at that location, is not available.
+
+   There is no file named "E" in the current directory, but there are
+   files named both "file6" and "19990929043300 File6".  The
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 10]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   modification times of those files were obtained.  There is no file
+   named "19990929043300 file6".
+
+4. File SIZE
+
+   The FTP command, SIZE OF FILE (SIZE), is used to obtain the transfer
+   size of a file from the server-FTP process.  That is, the exact
+   number of octets (8 bit bytes) which would be transmitted over the
+   data connection should that file be transmitted.  This value will
+   change depending on the current STRUcture, MODE and TYPE of the data
+   connection, or a data connection which would be created were one
+   created now.  Thus, the result of the SIZE command is dependent on
+   the currently established STRU, MODE and TYPE parameters.
+
+   The SIZE command returns how many octets would be transferred if the
+   file were to be transferred using the current transfer structure,
+   mode and type.  This command is normally used in conjunction with the
+   RESTART (REST) command.  The server-PI might need to read the
+   partially transferred file, do any appropriate conversion, and count
+   the number of octets that would be generated when sending the file in
+   order to correctly respond to this command.  Estimates of the file
+   transfer size MUST NOT be returned, only precise information is
+   acceptable.
+
+4.1. Syntax
+
+   The syntax of the SIZE command is:
+
+        size          = "Size" SP pathname CRLF
+
+   The server-PI will respond to the SIZE command with a 213 reply
+   giving the transfer size of the file whose pathname was supplied, or
+   an error response if the file does not exist, the size is
+   unavailable, or some other error has occurred.  The value returned is
+   in a format suitable for use with the RESTART (REST) command for mode
+   STREAM, provided the transfer mode and type are not altered.
+
+        size-response = "213" SP 1*DIGIT CRLF /
+                        error-response
+
+4.2. Error responses
+
+   Where the command is correctly parsed, but the size is not available,
+   either because the pathname identifies no existing entity, or because
+   the entity named cannot be transferred in the current MODE and TYPE
+   (or at all), then a 550 reply should be sent.  Where the command
+   cannot be correctly parsed, a 500 or 501 reply should be sent, as
+   specified in [3].
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 11]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+4.3. FEAT response for SIZE
+
+   When replying to the FEAT command [6], an FTP server process that
+   supports the SIZE command MUST include a line containing the single
+   word "SIZE".  This word is case insensitive, and MAY be sent in any
+   mixture of upper or lower case, however it SHOULD be sent in upper
+   case.  That is, the response SHOULD be
+
+        C> FEAT
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  SIZE
+        S>  ...
+        S> 211 END
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+4.4. Size Examples
+
+   Consider a text file "Example" stored on a Unix(TM) server where each
+   end of line is represented by a single octet.  Assume the file
+   contains 112 lines, and 1830 octets total.  Then the SIZE command
+   would produce:
+
+        C> TYPE I
+        S> 200 Type set to I.
+        C> size Example
+        S> 213 1830
+        C> TYPE A
+        S> 200 Type set to A.
+        C> Size Example
+        S> 213 1942
+
+   Notice that with TYPE=A the SIZE command reports an extra 112 octets.
+   Those are the extra octets that need to be inserted, one at the end
+   of each line, to provide correct end of line semantics for a transfer
+   using TYPE=A.  Other systems might need to make other changes to the
+   transfer format of files when converting between TYPEs and MODEs.
+   The SIZE command takes all of that into account.
+
+   Since calculating the size of a file with this degree of precision
+   may take considerable effort on the part of the server-PI, user-PIs
+   should not used this command unless this precision is essential (such
+   as when about to restart an interrupted transfer).  For other uses,
+   the "Size" fact of the MLST command (see section 8.5.7) ought be
+   requested.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 12]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+5. Restart of Interrupted Transfer (REST)
+
+   To avoid having to resend the entire file if the file is only
+   partially transferred, both sides need some way to be able to agree
+   on where in the data stream to restart the data transfer.
+
+   The FTP specification [3] includes three modes of data transfer,
+   Stream, Block and Compressed.  In Block and Compressed modes, the
+   data stream that is transferred over the data connection is
+   formatted, allowing the embedding of restart markers into the stream.
+   The sending DTP can include a restart marker with whatever
+   information it needs to be able to restart a file transfer at that
+   point.  The receiving DTP can keep a list of these restart markers,
+   and correlate them with how the file is being saved.  To restart the
+   file transfer, the receiver just sends back that last restart marker,
+   and both sides know how to resume the data transfer.  Note that there
+   are some flaws in the description of the restart mechanism in RFC 959
+   [3].  See section 4.1.3.4 of RFC 1123 [9] for the corrections.
+
+5.1. Restarting in STREAM Mode
+
+   In Stream mode, the data connection contains just a stream of
+   unformatted octets of data.  Explicit restart markers thus cannot be
+   inserted into the data stream, they would be indistinguishable from
+   data.  For this reason, the FTP specification [3] did not provide the
+   ability to do restarts in stream mode.  However, there is not really
+   a need to have explicit restart markers in this case, as restart
+   markers can be implied by the octet offset into the data stream.
+
+   Because the data stream defines the file in STREAM mode, a different
+   data stream would represent a different file.  Thus, an offset will
+   always represent the same position within a file.  On the other hand,
+   in other modes than STREAM, the same file can be transferred using
+   quite different octet sequences, and yet be reconstructed into the
+   one identical file.  Thus an offset into the data stream in transfer
+   modes other than STREAM would not give an unambiguous restart point.
+
+   If the data representation TYPE is IMAGE, and the STRUcture is File,
+   for many systems the file will be stored exactly in the same format
+   as it is sent across the data connection.  It is then usually very
+   easy for the receiver to determine how much data was previously
+   received, and notify the sender of the offset where the transfer
+   should be restarted.  In other representation types and structures
+   more effort will be required, but it remains always possible to
+   determine the offset with finite, but perhaps non-negligible, effort.
+   In the worst case an FTP process may need to open a data connection
+   to itself, set the appropriate transfer type and structure, and
+   actually transmit the file, counting the transmitted octets.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 13]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   If the user-FTP process is intending to restart a retrieve, it will
+   directly calculate the restart marker, and send that information in
+   the RESTart command.  However, if the user-FTP process is intending
+   to restart sending the file, it needs to be able to determine how
+   much data was previously sent, and correctly received and saved.  A
+   new FTP command is needed to get this information.  This is the
+   purpose of the SIZE command, as documented in section 4.
+
+5.2. Error Recovery and Restart
+
+   STREAM MODE transfers with FILE STRUcture may be restarted even
+   though no restart marker has been transferred in addition to the data
+   itself.  This is done by using the SIZE command, if needed, in
+   combination with the RESTART (REST) command, and one of the standard
+   file transfer commands.
+
+   When using TYPE ASCII or IMAGE, the SIZE command will return the
+   number of octets that would actually be transferred if the file were
+   to be sent between the two systems.  I.e. with type IMAGE, the SIZE
+   normally would be the number of octets in the file.  With type ASCII,
+   the SIZE would be the number of octets in the file including any
+   modifications required to satisfy the TYPE ASCII CR-LF end of line
+   convention.
+
+5.3. Syntax
+
+   The syntax for the REST command when the current transfer mode is
+   STREAM is:
+
+        rest          = "Rest" SP 1*DIGIT CRLF
+
+   The numeric value gives the number of octets of the immediately
+   following transfer to not actually send, effectively causing the
+   transmission to be restarted at a later point.  A value of zero
+   effectively disables restart, causing the entire file to be
+   transmitted.  The server-PI will respond to the REST command with a
+   350 reply, indicating that the REST parameter has been saved, and
+   that another command, which should be either RETR or STOR, should
+   then follow to complete the restart.
+
+        rest-response = "350" SP *TCHAR CRLF /
+                        error-response
+
+   Server-FTP processes may permit transfer commands other than RETR and
+   STOR, such as APPE and STOU, to complete a restart, however, this is
+   not recommended.  STOU (store unique) is undefined in this usage, as
+   storing the remainder of a file into a unique filename is rarely
+   going to be useful.  If APPE (append) is permitted, it MUST act
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 14]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   identically to STOR when a restart marker has been set.  That is, in
+   both cases, octets from the data connection are placed into the file
+   at the location indicated by the restart marker value.
+
+   The REST command is intended to complete a failed transfer.  Use with
+   RETR is comparatively well defined in all cases, as the client bears
+   the responsibility of merging the retrieved data with the partially
+   retrieved file.  If it chooses to use the data obtained other than to
+   complete an earlier transfer, or if it chooses to re-retrieve data
+   that had been retrieved before, that is its choice.  With STOR,
+   however, the server must insert the data into the file named.  The
+   results are undefined if a client uses REST to do other than restart
+   to complete a transfer of a file which had previously failed to
+   completely transfer.  In particular, if the restart marker set with a
+   REST command is not at the end of the data currently stored at the
+   server, as reported by the server, or if insufficient data are
+   provided in a STOR that follows a REST to extend the destination file
+   to at least its previous size, then the effects are undefined.
+
+   The REST command must be the last command issued before the data
+   transfer command which is to cause a restarted rather than complete
+   file transfer.  The effect of issuing a REST command at any other
+   time is undefined.  The server-PI may react to a badly positioned
+   REST command by issuing an error response to the following command,
+   not being a restartable data transfer command, or it may save the
+   restart value and apply it to the next data transfer command, or it
+   may silently ignore the inappropriate restart attempt.  Because of
+   this, a user-PI that has issued a REST command, but which has not
+   successfully transmitted the following data transfer command for any
+   reason, should send another REST command before the next data
+   transfer command.  If that transfer is not to be restarted, then
+   "REST 0" should be issued.
+
+   An error-response will follow a REST command only when the server
+   does not implement the command, or the restart marker value is
+   syntactically invalid for the current transfer mode.  That is, in
+   STREAM mode, if something other than one or more digits appears in
+   the parameter to the REST command.  Any other errors, including such
+   problems as restart marker out of range, should be reported when the
+   following transfer command is issued.  Such errors will cause that
+   transfer request to be rejected with an error indicating the invalid
+   restart attempt.
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 15]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+5.4. FEAT response for REST
+
+   Where a server-FTP process supports RESTart in STREAM mode, as
+   specified here, it MUST include in the response to the FEAT command
+   [6], a line containing exactly the string "REST STREAM".  This string
+   is not case sensitive, but SHOULD be transmitted in upper case.
+   Where REST is not supported at all, or supported only in block or
+   compressed modes, the REST line MUST NOT be included in the FEAT
+   response.  Where required, the response SHOULD be
+
+        C> feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  REST STREAM
+        S>  ...
+        S> 211 end
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+5.5. REST Example
+
+   Assume that the transfer of a largish file has previously been
+   interrupted after 802816 octets had been received, that the previous
+   transfer was with TYPE=I, and that it has been verified that the file
+   on the server has not since changed.
+
+        C> TYPE I
+        S> 200 Type set to I.
+        C> PORT 127,0,0,1,15,107
+        S> 200 PORT command successful.
+        C> REST 802816
+        S> 350 Restarting at 802816. Send STORE or RETRIEVE
+        C> RETR cap60.pl198.tar
+        S> 150 Opening BINARY mode data connection
+        [...]
+        S> 226 Transfer complete.
+
+6. Virtual FTP servers
+
+   It has become common in the Internet for many domain names to be
+   allocated to a single IP address.  This has introduced the concept of
+   a "virtual host", where a host appears to exist as an independent
+   entity, but in reality shares all of its resources with one, or more,
+   other such hosts.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 16]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Such an arrangement presents some problems for FTP Servers, as all
+   the FTP Server can detect is an incoming FTP connection to a
+   particular IP address.  That is, all domain names which share the IP
+   address also share the FTP server, and more importantly, its NVFS.
+   This means that the various virtual hosts cannot offer different
+   virtual file systems to clients, nor can they offer different
+   authentication systems.
+
+   No scheme can overcome this without modifications of some kind to the
+   user-PI and the user-FTP process.  That process is the only entity
+   that knows which virtual host is required.  It has performed the
+   domain name to IP address translation, and thus has the original
+   domain name available.
+
+   One method which could be used to allow a style of virtual host would
+   be for the client to simply send a "CWD" command after connecting,
+   using the virtual host name as the argument to the CWD command.  This
+   would allow the server-FTP process to implement the file stores of
+   the virtual hosts as sub-directories in its NVFS.  This is simple,
+   and supported by essentially all server-FTP implementations without
+   requiring any code changes.
+
+   While that method is simple to describe, and to implement, it suffers
+   from several drawbacks.  First, the "CWD" command is available only
+   after the user-PI has authenticated itself to the server-FTP process.
+   Thus, all virtual hosts would be required to share a common
+   authentication scheme.  Second, either the server-FTP process needs
+   to be modified to understand the special nature of this first CWD
+   command, negating most of the advantage of this scheme, or all users
+   must see the same identical NVFS view upon connecting (they must
+   connect in the same initial directory) or the NVFS must implement the
+   full set of virtual host directories at each possible initial
+   directory for any possible user, or the virtual host will not be
+   truly transparent.  Third, and again unless the server is specially
+   modified, a user connecting this way to a virtual host would be able
+   to trivially move to any other virtual host supported at the same
+   server-FTP process, exposing the nature of the virtual host.
+
+   Other schemes overloading other existing FTP commands have also been
+   proposed.  None of those have sufficient merit to be worth
+   discussion.
+
+   The conclusion from the examination of the possibilities seems to be
+   that to obtain an adequate emulation of "real" FTP servers, server
+   modifications to support virtual hosts are required.  A new command
+   seems most likely to provide the support required.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 17]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+6.1. The HOST command
+
+   A new command "HOST" is added to the FTP command set to allow
+   server-FTP process to determine to which of possibly many virtual
+   hosts the client wishes to connect.  This command is intended to be
+   issued before the user is authenticated, allowing the authentication
+   scheme, and set of legal users, to be dependent upon the virtual host
+   chosen.  Server-FTP processes may, if they desire, permit the HOST
+   command to be issued after the user has been authenticated, or may
+   treat that as an erroneous sequence of commands.  The behavior of the
+   server-FTP process which does allow late HOST commands is undefined.
+   One reasonable interpretation would be for the user-PI to be returned
+   to the state that existed after the TCP connection was first
+   established, before user authentication.
+
+   Servers should note that the response to the HOST command is a
+   sensible time to send their "welcome" message.  This allows the
+   message to be personalized for any virtual hosts that are supported,
+   and also allows the client to have determined supported languages, or
+   representations, for the message, and other messages, via the FEAT
+   response, and selected an appropriate one via the LANG command.  See
+   [7] for more information.
+
+6.2. Syntax of the HOST command
+
+   The HOST command is defined as follows.
+
+        host-command     = "Host" SP hostname CRLF
+        hostname         = 1*DNCHAR 1*( "." 1*DNCHAR ) [ "." ]
+        DNCHAR           = ALPHA / DIGIT / "-" / "_" / "$" /
+                           "!" / "%" / "[" / "]" / ":"
+        host-response    = host-ok / error-response
+        host-ok          = "220" [ SP *TCHAR ] CRLF
+
+   As with all FTP commands, the "host" command word is case
+   independent, and may be specified in any character case desired.
+
+   The "hostname" given as a parameter specifies the virtual host to
+   which access is desired.  It should normally be the same name that
+   was used to obtain the IP address to which the FTP control connection
+   was made, after any client conversions to convert an abbreviated or
+   local alias to a complete (fully qualified) domain name, but before
+   resolving a DNS alias (owner of a CNAME resource record) to its
+   canonical name.
+
+   If the client was given a network literal address, and consequently
+   was not required to derive it from a hostname, it should send the
+   HOST command with the network address, as specified to it, enclosed
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 18]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   in brackets (after eliminating any syntax, which might also be
+   brackets, but is not required to be, from which the server deduced
+   that a literal address had been specified.) That is, for example
+
+                         HOST [10.1.2.3]
+
+   should be sent if the client had been instructed to connect to
+   "10.1.2.3", or "[10.1.2.3]", or perhaps even IPv4:10.1.2.3.  The
+   method of indicating to a client that a literal address is to be used
+   is beyond the scope of this specification.
+
+   The parameter is otherwise to be treated as a "complete domain name",
+   as that term is defined in section 3.1 of RFC 1034 [10].  That
+   implies that the name is to be treated as a case independent string,
+   in that upper case ASCII characters are to be treated as equivalent
+   to the corresponding lower case ASCII characters, but otherwise
+   preserved as given.  It also implies some limits on the length of the
+   parameter and of the components that create its internal structure.
+   Those limits are not altered in any way here.
+
+   RFC 1034 imposes no other restrictions upon what kinds of names can
+   be stored in the DNS.  Nor does RFC 1035.  This specification,
+   however, allows only a restricted set of names for the purposes of
+   the HOST command.  Those restrictions can be inferred from the ABNF
+   grammar given for the "hostname".
+
+6.3. HOST command semantics
+
+   Upon receiving the HOST command, before authenticating the user-PI, a
+   server-FTP process should validate that the hostname given represents
+   a valid virtual host for that server, and if so, establish the
+   appropriate environment for that virtual host.  The meaning of that
+   is not specified here, and may range from doing nothing at all, or
+   performing a simple change of working directory, to much more
+   elaborate state changes, as required.
+
+   If the hostname specified is unknown at the server, or if the server
+   is otherwise unwilling to treat the particular connection as a
+   connection to the hostname specified, the server will respond with a
+   504 reply.
+
+   Note: servers may require that the name specified is in some sense
+   equivalent to the particular network address that was used to reach
+   the server.
+
+   If the hostname specified would normally be acceptable, but for any
+   reason is temporarily unavailable, the server SHOULD reply to the
+   HOST command with a 434 reply.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 19]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The "220" reply code for the HOST command is the same as the code
+   used on the initial connection established "welcome" message.  This
+   is done deliberately so as to allow the implementation to implement
+   the front end FTP server as a wrapper which simply waits for the HOST
+   command, and then invokes an older, RFC959 compliant, server in the
+   appropriate environment for the particular hostname received.
+
+6.3.1. The REIN command
+
+   As specified in [3], the REIN command returns the state of the
+   connection to that it was immediately after the transport connection
+   was opened.  That is not changed here.  The effect of a HOST command
+   will be lost if a REIN command is performed, a new HOST command must
+   be issued.
+
+   Implementors of user-FTP should be aware that server-FTP
+   implementations which implement the HOST command as a wrapper around
+   older implementations will be unable to correctly implement the REIN
+   command.  In such an implementation, REIN will typically return the
+   server-FTP to the state that existed immediately after the HOST
+   command was issued, instead of to the state immediately after the
+   connection was opened.
+
+6.3.2. User-PI usage of HOST
+
+   A user-PI that conforms to this specification, MUST send the HOST
+   command after opening the transport connection, or after any REIN
+   command, before attempting to authenticate the user with the USER
+   command.
+
+   The following state diagram shows a typical sequence of flow of
+   control, where the "B" (begin) state is assumed to occur after the
+   transport connection has opened, or a REIN command has succeeded.
+   Other commands (such as FEAT [6]) which require no authentication may
+   have intervened.  This diagram is modeled upon (and largely borrowed
+   from) the similar diagram in section 6 of [3].
+
+   In this diagram, a three digit reply indicates that precise server
+   reply code, a single digit on a reply path indicates any server reply
+   beginning with that digit, other than any three digit replies that
+   might take another path.
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 20]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+
+              +---+   HOST    +---+ 1,3,5
+              | B |---------->| W |-----------------
+              +---+           +---+                 |
+                               | |                  |
+                     2,500,502 | | 4,501,503,504    |
+                 --------------   -------------     |
+                |                              |    |
+                V                   1          |    V
+              +---+   USER    +---+-------------->+---+
+              |   |---------->| W | 2       ----->| E |
+              +---+           +---+------  |  --->+---+
+                               | |       | | | |
+                             3 | | 4,5   | | | |
+                 --------------   -----  | | | |
+                |                      | | | | |
+                |                      | | | | |
+                |                 ---------  | |
+                |               1|     | |   | |
+                V                |     | |   | |
+              +---+   PASS    +---+ 2  |  ------->+---+
+              |   |---------->| W |-------------->| S |
+              +---+           +---+   ----------->+---+
+                               | |   | |     | |
+                             3 | |4,5| |     | |
+                 --------------   --------   | |
+                |                    | |  |  |  ----
+                |                    | |  |  |      |
+                |                 -----------       |
+                |             1,3|   | |  |         |
+                V                |  2| |  |         V
+              +---+   ACCT    +---+--  |   ------>+---+
+              |   |---------->| W | 4,5 --------->| F |
+              +---+           +---+-------------->+---+
+
+6.4. HOST command errors
+
+   The server-PI shall reply with a 500 or 502 reply if the HOST command
+   is unrecognized or unimplemented.  A 503 reply may be sent if the
+   HOST command is given after a previous HOST command, or after a user
+   has been authenticated.  Alternately, the server may accept the
+   command at such a time, with server defined behavior.  A 501 reply
+   should be sent if the hostname given is syntactically invalid, and a
+   504 reply if a syntactically valid hostname is not a valid virtual
+   host name for the server.
+
+   In all such cases the server-FTP process should act as if no HOST
+   command had been given.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 21]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   A user-PI receiving a 500 or 502 reply should assume that the
+   server-PI does not implement the HOST command style virtual server.
+   It may then proceed to login as if the HOST command had succeeded,
+   and perhaps, attempt a CWD command to the hostname after
+   authenticating the user.
+
+   A user-PI receiving some other error reply should assume that the
+   virtual HOST is unavailable, and terminate communications.
+
+   A server-PI that receives a USER command, beginning the
+   authentication sequence, without having received a HOST command
+   SHOULD NOT reject the USER command.  Clients conforming to earlier
+   FTP specifications do not send HOST commands.  In this case the
+   server may act as if some default virtual host had been explicitly
+   selected, or may enter an environment different from that of all
+   supported virtual hosts, perhaps one in which a union of all
+   available accounts exists, and which presents a NVFS which appears to
+   contain sub-directories containing the NVFS for all virtual hosts
+   supported.
+
+6.5. FEAT response for HOST command
+
+   A server-FTP process that supports the host command, and virtual FTP
+   servers, MUST include in the response to the FEAT command [6], a
+   feature line indicating that the HOST command is supported.  This
+   line should contain the single word "HOST".  This MAY be sent in
+   upper or lower case, or a mixture of both (it is case insensitive)
+   but SHOULD be transmitted in upper case only.  That is, the response
+   SHOULD be
+
+        C> Feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  HOST
+        S>  ...
+        S> 211 End
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 22]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+7. A Trivial Virtual File Store (TVFS)
+
+   Traditionally, FTP has placed almost no constraints upon the file
+   store (NVFS) provided by a server.  This specification does not alter
+   that.  However, it has become common for servers to attempt to
+   provide at least file system naming conventions modeled loosely upon
+   those of the UNIX(TM) file system.  That is, a tree structured file
+   system, built of directories, each of which can contain other
+   directories, or other kinds of files, or both.  Each file and
+   directory has a file name relative to the directory that contains it,
+   except for the directory at the root of the tree, which is contained
+   in no other directory, and hence has no name of its own.
+
+   That which has so far been described is perfectly consistent with the
+   standard FTP NVFS and access mechanisms.  The "CWD" command is used
+   to move from one directory to an embedded directory.  "CDUP" may be
+   provided to return to the parent directory, and the various file
+   manipulation commands ("RETR", "STOR", the rename commands, etc) are
+   used to manipulate files within the current directory.
+
+   However, it is often useful to be able to reference files other than
+   by changing directories, especially as FTP provides no guaranteed
+   mechanism to return to a previous directory.  The Trivial Virtual
+   File Store (TVFS), if implemented, provides that mechanism.
+
+7.1. TVFS File Names
+
+   Where a server implements the TVFS, no elementary filename shall
+   contain the character "/".  Where the underlying natural file store
+   permits files, or directories, to contain the "/" character in their
+   names, a server-PI implementing TVFS must encode that character in
+   some manner whenever file or directory names are being returned to
+   the user-PI, and reverse that encoding whenever such names are being
+   accepted from the user-PI.
+
+   The encoding method to be used is not specified here.  Where some
+   other character is illegal in file and directory names in the
+   underlying file store, a simple transliteration may be sufficient.
+   Where there is no suitable substitute character a more complex
+   encoding scheme, possibly using an escape character, is likely to be
+   required.
+
+   With the one exception of the unnamed root directory, a TVFS file
+   name may not be empty.  That is, all other file names contain at
+   least one character.
+
+   With the sole exception of the "/" character, any valid IS10646
+   character [11] may be used in a TVFS filename.  When transmitted,
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 23]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   file name characters are encoded using the UTF-8 encoding [2].
+
+7.2. TVFS Path Names
+
+   A TVFS "Path Name" combines the file or directory name of a target
+   file or directory, with the directory names of zero or more enclosing
+   directories, so as to allow the target file or directory to be
+   referenced other than when the server's "current working directory"
+   is the directory directly containing the target file or directory.
+
+   By definition, every TVFS file or directory name is also a TVFS path
+   name.  Such a path name is valid to reference the file from the
+   directory containing the name, that is, when that directory is the
+   server-FTP's current working directory.
+
+   Other TVFS path names are constructed by prefixing a path name by a
+   name of a directory from which the path is valid, and separating the
+   two with the "/" character.  Such a path name is valid to reference
+   the file or directory from the directory containing the newly added
+   directory name.
+
+   Where a path name has been extended to the point where the directory
+   added is the unnamed root directory, the path name will begin with
+   the "/" character.  Such a path is known as a fully qualified path
+   name.  Fully qualified paths may, obviously, not be further extended,
+   as, by definition, no directory contains the root directory.  Being
+   unnamed, it cannot be represented in any other directory.  A fully
+   qualified path name is valid to reference the named file or directory
+   from any location (that is, regardless of what the current working
+   directory may be) in the virtual file store.
+
+   Any path name which is not a fully qualified path name may be
+   referred to as a "relative path name" and will only correctly
+   reference the intended file when the current working directory of the
+   server-FTP is a directory from which the relative path name is valid.
+
+   As a special case, the path name "/" is defined to be a fully
+   qualified path name referring to the root directory.  That is, the
+   root directory does not have a directory (or file) name, but does
+   have a path name.  This special path name may be used only as is as a
+   reference to the root directory.  It may not be combined with other
+   path names using the rules above, as doing so would lead to a path
+   name containing two consecutive "/" characters, which is an undefined
+   sequence.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 24]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+7.2.1. Notes
+
+     + It is not required, or expected, that there be only one fully
+       qualified path name that will reference any particular file or
+       directory.
+     + As a caveat, though the TVFS file store is basically tree
+       structured, there is no requirement that any file or directory
+       have only one parent directory.
+     + As defined, no TVFS path name will ever contain two consecutive
+       "/" characters.  Such a name is not illegal however, and may be
+       defined by the server for any purpose that suits it.  Clients
+       implementing this specification should not assume any semantics
+       at all for such names.
+     + Similarly, other than the special case path that refers to the
+       root directory, no TVFS path name constructed as defined here
+       will ever end with the "/" character.  Such names are also not
+       illegal, but are undefined.
+     + While any legal IS10646 character is permitted to occur in a TVFS
+       file or directory name, other than "/", server FTP
+       implementations are not required to support all possible IS10646
+       characters.  The subset supported is entirely at the discretion
+       of the server.  The case (where it exists) of the characters that
+       make up file, directory, and path names may be significant.
+       Unless determined otherwise by means unspecified here, clients
+       should assume that all such names are comprised of characters
+       whose case is significant.  Servers are free to treat case (or
+       any other attribute) of a name as irrelevant, and hence map two
+       names which appear to be distinct onto the same underlying file.
+     + There are no defined "magic" names, like ".", ".." or "C:".
+       Servers may implement such names, with any semantics they choose,
+       but are not required to do so.
+     + TVFS imposes no particular semantics or properties upon files,
+       guarantees no access control schemes, or any of the other common
+       properties of a file store.  Only the naming scheme is defined.
+
+7.3. FEAT Response for TVFS
+
+   In response to the FEAT command [6] a server that wishes to indicate
+   support for the TVFS as defined here will include a line that begins
+   with the four characters "TVFS" (in any case, or mixture of cases,
+   upper case is not required).  Servers SHOULD send upper case.
+
+   Such a response to the FEAT command MUST NOT be returned unless the
+   server implements TVFS as defined here.
+
+   Later specifications may add to the TVFS definition.  Such additions
+   should be notified by means of additional text appended to the TVFS
+   feature line.  Such specifications, if any, will define the extra
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 25]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   text.
+
+   Until such a specification is defined, servers should not include
+   anything after "TVFS" in the TVFS feature line.  Clients, however,
+   should be prepared to deal with arbitrary text following the four
+   defined characters, and simply ignore it if unrecognized.
+
+   A typical response to the FEAT command issued by a server
+   implementing only this specification would be:
+
+        C> feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  TVFS
+        S>  ...
+        S> 211 end
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6], and is not counted as one of the
+   first four characters for the purposes of this feature listing.
+
+   The TVFS feature adds no new commands to the FTP command repertoire.
+
+7.4. OPTS for TVFS
+
+   There are no options in this TVFS specification, and hence there is
+   no OPTS command defined.
+
+7.5. TVFS Examples
+
+   Assume a TVFS file store is comprised of a root directory, which
+   contains two directories (A and B) and two non-directory files (X and
+   Y).  The A directory contains two directories (C and D) and one other
+   file (Z).  The B directory contains just two non-directory files (P
+   and Q) and the C directory also two non-directory files (also named P
+   and Q, by chance).  The D directory is empty, that is, contains no
+   files or directories.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 26]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   This structure may depicted graphically as...
+
+                      (unnamed root)
+                        /  |  \   \
+                       /   |   \   \
+                      A    X    B   Y
+                     /|\       / \
+                    / | \     /   \
+                   C  D  Z   P     Q
+                  / \
+                 /   \
+                P     Q
+
+   Given this structure, the following fully qualified path names exist.
+
+        /
+        /A
+        /B
+        /X
+        /Y
+        /A/C
+        /A/D
+        /A/Z
+        /A/C/P
+        /A/C/Q
+        /B/P
+        /B/Q
+
+   It is clear that none of the paths / /A /B or /A/D refer to the same
+   directory, as the contents of each is different.  Nor do any of / /A
+   /A/C or /A/D.  However /A/C and /B might be the same directory, there
+   is insufficient information given to tell.  Any of the other path
+   names (/X /Y /A/Z /A/C/P /A/C/Q /B/P and /B/Q) may refer to the same
+   underlying files, in almost any combination.
+
+   If the current working directory of the server-FTP is /A then the
+   following path names, in addition to all the fully qualified path
+   names, are valid
+
+        C
+        D
+        Z
+        C/P
+        C/Q
+
+   These all refer to the same files or directories as the corresponding
+   fully qualified path with "/A/" prepended.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 27]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   That those path names all exist does not imply that the TVFS sever
+   will necessarily grant any kind of access rights to the named paths,
+   or that access to the same file via different path names will
+   necessarily be granted equal rights.
+
+   None of the following relative paths are valid when the current
+   directory is /A
+
+        A
+        B
+        X
+        Y
+        B/P
+        B/Q
+        P
+        Q
+
+   Any of those could be made valid by changing the server-FTP's current
+   working directory to the appropriate directory.  Note that the paths
+   "P" and "Q" might refer to different files depending upon which
+   directory is selected to cause those to become valid TVFS relative
+   paths.
+
+8. Listings for Machine Processing (MLST and MLSD)
+
+   The MLST and MLSD commands are intended to standardize the file and
+   directory information returned by the Server-FTP process.  These
+   commands differ from the LIST command in that the format of the
+   replies is strictly defined although extensible.
+
+   Two commands are defined, MLST which provides data about exactly the
+   object named on its command line, and no others.  MLSD on the other
+   hand will list the contents of a directory if a directory is named,
+   otherwise a 501 reply will be returned.  In either case, if no object
+   is named, the current directory is assumed.  That will cause MLST to
+   send a one line response, describing the current directory itself,
+   and MLSD to list the contents of the current directory.
+
+   In the following, the term MLSx will be used wherever either MLST or
+   MLSD may be inserted.
+
+   The MLST and MLSD commands also extend the FTP protocol as presented
+   in RFC 959 [3] and RFC 1123 [9] to allow that transmission of 8-bit
+   data over the control connection.  Note this is not specifying
+   character sets which are 8-bit, but specifying that FTP
+   implementations are to specifically allow the transmission and
+   reception of 8-bit bytes, with all bits significant, over the control
+   connection.  That is, all 256 possible octet values are permitted.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 28]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The MLSx command allows both UTF-8/Unicode and "raw" forms as
+   arguments, and in responses both to the MLST and MLSD commands, and
+   all other FTP commands which take pathnames as arguments.
+
+8.1. Format of MLSx Requests
+
+   The MLST and MLSD commands each allow a single optional argument.
+   This argument may be either a directory name or, for MLST only, a
+   filename.  For these purposes, a "filename" is the name of any entity
+   in the server NVFS which is not a directory.  Where TVFS is
+   supported, any TVFS relative path name valid in the current working
+   directory, or any TVFS fully qualified path name, may be given.  If a
+   directory name is given then MLSD must return a listing of the
+   contents of the named directory, otherwise it issues a 501 reply, and
+   does not open a data connection.  In all cases for MLST, a single set
+   of fact lines (usually a single fact line) containing the information
+   about the named file or directory shall be returned over the control
+   connection, without opening a data connection.
+
+   If no argument is given then MLSD must return a listing of the
+   contents of the current working directory, and MLST must return a
+   listing giving information about the current working directory
+   itself.  For these purposes, the contents of a directory are whatever
+   filenames (not pathnames) the server-PI will allow to be referenced
+   when the current working directory is the directory named, and which
+   the server-PI desires to reveal to the user-PI.
+
+   No title, header, or summary, lines, or any other formatting, other
+   than as is specified below, is ever returned in the output of an MLST
+   or MLSD command.
+
+   If the Client-FTP sends an invalid argument, the Server-FTP MUST
+   reply with an error code of 501.
+
+   The syntax for the MLSx command is:
+
+        mlst             = "MLst" [ SP pathname ] CRLF
+        mlsd             = "MLsD" [ SP pathname ] CRLF
+
+8.2. Format of MLSx Response
+
+   The format of a response to an MLSx command is as follows:
+
+        mlst-response    = control-response / error-response
+        mlsd-response    = ( initial-response final-response ) /
+                           error-response
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 29]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        control-response = "250-" [ response-message ] CRLF
+                           1*( SP entry CRLF )
+                           "250" [ SP response-message ] CRLF
+
+        initial-response = "150" [ SP response-message ] CRLF
+        final-response   = "226" SP response-message CRLF
+
+        response-message = *TCHAR
+
+        data-response    = *( entry CRLF )
+
+        entry            = [ facts ] SP pathname
+        facts            = 1*( fact ";" )
+        fact             = factname "=" value
+        factname         = "Size" / "Modify" / "Create" /
+                           "Type" / "Unique" / "Perm" /
+                           "Lang" / "Media-Type" / "CharSet" /
+                           os-depend-fact / local-fact
+        os-depend-fact   = <IANA assigned OS name> "." token
+        local-fact       = "X." token
+        value            = *RCHAR
+
+   Upon receipt of a MLSx command, the server will verify the parameter,
+   and if invalid return an error-response.  For this purpose, the
+   parameter should be considered to be invalid if the client issuing
+   the command does not have permission to perform the request
+   operation.
+
+   If valid, then for an MLST command, the server-PI will send the first
+   (leading) line of the control response, the entry for the pathname
+   given, or the current directory if no pathname was provided, and the
+   terminating line.  Normally exactly one entry would be returned, more
+   entries are permitted only when required to represent a file that is
+   to have multiple "Type" facts returned.
+
+   Note that for MLST the fact set is preceded by a space.  That is
+   provided to guarantee that the fact set cannot be accidentally
+   interpreted as the terminating line of the control response, but is
+   required even when that would not be possible.  Exactly one space
+   exists between the set of facts and the pathname.  Where no facts are
+   present, there will be exactly two leading spaces before the
+   pathname.  No spaces are permitted in the facts, any other spaces in
+   the response are to be treated as being a part of the pathname.
+
+   If the command was an MLSD command, the server will open a data
+   connection as indicated in section 3.2 of RFC959 [3].  If that fails,
+   the server will return an error-response.  If all is OK, the server
+   will return the initial-response, send the appropriate data-response
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 30]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   over the new data connection, close that connection, and then send
+   the final-response over the control connection.  The grammar above
+   defines the format for the data-response, which defines the format of
+   the data returned over the data connection established.
+
+   The data connection opened for a MLSD response shall be a connection
+   as if the "TYPE L 8", "MODE S", and "STRU F" commands had been given,
+   whatever FTP transfer type, mode and structure had actually been set,
+   and without causing those settings to be altered for future commands.
+   That is, this transfer type shall be set for the duration of the data
+   connection established for this command only.  While the content of
+   the data sent can be viewed as a series of lines, implementations
+   should note that there is no maximum line length defined.
+   Implementations should be prepared to deal with arbitrarily long
+   lines.
+
+   The facts part of the specification would contain a series of "file
+   facts" about the file or directory named on the same line.  Typical
+   information to be presented would include file size, last
+   modification time, creation time, a unique identifier, and a
+   file/directory flag.
+
+   The complete format for a successful reply to the MLSD command would
+   be:
+
+        facts SP pathname CRLF
+        facts SP pathname CRLF
+        facts SP pathname CRLF
+        ...
+
+   Note that the format is intended for machine processing, not human
+   viewing, and as such the format is very rigid.  Implementations MUST
+   NOT vary the format by, for example, inserting extra spaces for
+   readability, replacing spaces by tabs, including header or title
+   lines, or inserting blank lines, or in any other way alter this
+   format.  Exactly one space is always required after the set of facts
+   (which may be empty).  More spaces may be present on a line if, and
+   only if, the file name presented contains significant spaces.  The
+   set of facts must not contain any spaces anywhere inside it.  Facts
+   should be provided in each output line only if they both provide
+   relevant information about the file named on the same line, and they
+   are in the set requested by the user-PI.  There is no requirement
+   that the same set of facts be provided for each file, or that the
+   facts presented occur in the same order for each file.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 31]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.3. Filename encoding
+
+   An FTP implementation supporting the MLSx commands must be 8-bit
+   clean.  This is necessary in order to transmit UTF-8 encoded
+   filenames.  This specification recommends the use of UTF-8 encoded
+   filenames.  FTP implementations SHOULD use UTF-8 whenever possible to
+   encourage the maximum interoperability.
+
+   Filenames are not restricted to UTF-8, however treatment of arbitrary
+   character encodings is not specified by this standard.  Applications
+   are encouraged to treat non-UTF-8 encodings of filenames as octet
+   sequences.
+
+   Note that this encoding is unrelated to that of the contents of the
+   file, even if the file contains character data.
+
+   Further information about filename encoding for FTP may be found in
+   "Internationalization of the File Transfer Protocol" [7].
+
+8.3.1. Notes about the Filename
+
+   The filename returned in the MLST response should be the same name as
+   was specified in the MLST command, or, where TVFS is supported, a
+   fully qualified TVFS path naming the same file.  Where no argument
+   was given to the MLST command, the server-PI may either include an
+   empty filename in the response, or it may supply a name that refers
+   to the current directory, if such a name is available.  Where TVFS is
+   supported, a fully qualified path name of the current directory
+   SHOULD be returned.
+
+   Filenames returned in the output from an MLSD command SHOULD be
+   unqualified names within the directory named, or the current
+   directory if no argument was given.  That is, the directory named in
+   the MLSD command SHOULD NOT appear as a component of the filenames
+   returned.
+
+   If the server-FTP process is able, and the "type" fact is being
+   returned, it MAY return in the MLSD response, an entry whose type is
+   "cdir", which names the directory from which the contents of the
+   listing were obtained.  Where TVFS is supported, the name MAY be the
+   fully qualified path name of the directory, or MAY be any other path
+   name which is valid to refer to that directory from the current
+   working directory of the server-FTP.  Where more than one name
+   exists, multiple of these entries may be returned.  In a sense, the
+   "cdir" entry can be viewed as a heading for the MLSD output.
+   However, it is not required to be the first entry returned, and may
+   occur anywhere within the listing.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 32]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   When TVFS is supported, a user-PI can refer to any file or directory
+   in the listing by combining a type "cdir" name, with the appropriate
+   name from the directory listing using the procedure defined in
+   section 7.2.
+
+   Alternatively, whether TVFS is supported or not, the user-PI can
+   issue a CWD command ([3]) giving a name of type "cdir" from the
+   listing returned, and from that point reference the files returned in
+   the MLSD response from which the cdir was obtained by using the
+   filename components of the listing.
+
+8.4. Format of Facts
+
+   The "facts" for a file in a reply to a MLSx command consist of
+   information about that file.  The facts are a series of keyword=value
+   pairs each followed by semi-colon (";") characters.  An individual
+   fact may not contain a semi-colon in its name or value.  The complete
+   series of facts may not contain the space character.  See the
+   definition or "RCHAR" in section 2.1 for a list of the characters
+   that can occur in a fact value.  Not all are applicable to all facts.
+
+   A sample of a typical series of facts would be: (spread over two
+   lines for presentation here only)
+
+        size=4161;lang=en-US;modify=19970214165800;create=19961001124534;
+        type=file;x.myfact=foo,bar;
+
+8.5. Standard Facts
+
+   This document defines a standard set of facts as follows:
+
+        size       -- Size in octets
+        modify     -- Last modification time
+        create     -- Creation time
+        type       -- Entry type
+        unique     -- Unique id of file/directory
+        perm       -- File permissions, whether read, write, execute is
+                      allowed for the login id.
+        lang       -- Language of the filename per IANA[12] registry.
+        media-type -- MIME media-type of file contents per IANA registry.
+        charset    -- Character set per IANA registry (if not UTF-8)
+
+   Fact names are case-insensitive.  Size, size, SIZE, and SiZe are the
+   same fact.
+
+   Further operating system specific keywords could be specified by
+   using the IANA operating system name as a prefix (examples only):
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 33]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        OS/2.ea   -- OS/2 extended attributes
+        MACOS.rf  -- MacIntosh resource forks
+        UNIX.mode -- Unix file modes (permissions)
+
+   Implementations may define keywords for experimental, or private use.
+   All such keywords MUST begin with the two character sequence "x.".
+   As type names are case independent, "x." and "X." are equivalent.
+   For example:
+
+        x.ver  -- Version information
+        x.desc -- File description
+        x.type -- File type
+
+8.5.1. The type Fact
+
+   The type fact needs a special description.  Part of the problem with
+   current practices is deciding when a file is a directory.  If it is a
+   directory, is it the current directory, a regular directory, or a
+   parent directory?  The MLST specification makes this unambiguous
+   using the type fact.  The type fact given specifies information about
+   the object listed on the same line of the MLST response.
+
+   Five values are possible for the type fact:
+
+        file         -- a file entry
+        cdir         -- the listed directory
+        pdir         -- a parent directory
+        dir          -- a directory or sub-directory
+        OS.name=type -- an OS or file system dependent file type
+
+   The syntax is defined to be:
+
+        type-fact       = type-label "=" type-val
+        type-label      = "Type"
+        type-val        = "File" / "cdir" / "pdir" / "dir" /
+                          os-type
+
+8.5.1.1. type=file
+
+   The presence of the type=file fact indicates the listed entry is a
+   file containing non-system data.  That is, it may be transferred from
+   one system to another of quite different characteristics, and perhaps
+   still be meaningful.
+
+8.5.1.2. type=cdir
+
+   The type=cdir fact indicates the listed entry contains a pathname of
+   the directory whose contents are listed.  An entry of this type will
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 34]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   only be returned as a part of the result of an MLSD command when the
+   type fact is included, and provides a name for the listed directory,
+   and facts about that directory.  In a sense, it can be viewed as
+   representing the title of the listing, in a machine friendly format.
+   It may appear at any point of the listing, it is not restricted to
+   appearing at the start, though frequently may do so, and may occur
+   multiple times.  It MUST NOT be included if the type fact is not
+   included, or there would be no way for the user-PI to distinguish the
+   name of the directory from an entry in the directory.
+
+   Where TVFS is supported by the server-FTP, this name may be used to
+   construct path names with which to refer to the files and directories
+   returned in the same MLSD output (see section 7.2).  These path names
+   are only expected to work when the server-PI's position in the NVFS
+   file tree is the same as its position when the MLSD command was
+   issued, unless a fully qualified path name results.
+
+   Where TVFS is not supported, the only defined semantics associated
+   with a "type=cdir" entry are that, provided the current working
+   directory of the server-PI has not been changed, a pathname of type
+   "cdir" may be used as an argument to a CWD command, which will cause
+   the current directory of the server-PI to change so that the
+   directory which was listed in its current working directory.
+
+8.5.1.3. type=dir
+
+   If present, the type=dir entry gives the name of a directory.  Such
+   an entry typically cannot be transferred from one system to another
+   using RETR, etc, but should (permissions permitting) be able to be
+   the object of an MLSD command.
+
+8.5.1.4. type=pdir
+
+   If present, which will occur only in the response to a MLSD command
+   when the type fact is included, the type=pdir entry represents a
+   pathname of the parent directory of the listed directory.  As well as
+   having the properties of a type=dir, a CWD command that uses the
+   pathname from this entry should change the user to a parent directory
+   of the listed directory.  If the listed directory is the current
+   directory, a CDUP command may also have the effect of changing to the
+   named directory.  User-FTP processes should note not all responses
+   will include this information, and that some systems may provide
+   multiple type=pdir responses.
+
+   Where TVFS is supported, a "type=pdir" name may be a relative path
+   name, or a fully qualified path name.  A relative path name will be
+   relative to the directory being listed, not to the current directory
+   of the server-PI at the time.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 35]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   For the purposes of this type value, a "parent directory" is any
+   directory in which there is an entry of type=dir which refers to the
+   directory in which the type=pdir entity was found.  Thus it is not
+   required that all entities with type=pdir refer to the same
+   directory.  The "unique" fact (if supported) can be used to determine
+   whether there is a relationship between the type=pdir entries or not.
+
+8.5.1.5. System defined types
+
+   Files types that are specific to a specific operating system, or file
+   system, can be encoded using the "OS." type names.  The format is:
+
+        os-type   = "OS." os-name "=" os-type
+        os-name   = <an IANA registered operating system name>
+        os-type   = token
+
+   The "os-name" indicates the specific system type which supports the
+   particular localtype.  OS specific types are registered by the IANA
+   using the procedures specified in section 11.  The "os-type" provides
+   the system dependent information as to the type of the file listed.
+   The os-name and os-type strings in an os-type are case independent.
+   "OS.unix=block" and "OS.Unix=BLOCK" represent the same type (or
+   would, if such a type were registered.)
+
+   Note: Where the underlying system supports a file type which is
+   essentially an indirect pointer to another file, the NVFS
+   representation of that type should normally be to represent the file
+   which the reference indicates.  That is, the underlying basic file
+   will appear more than once in the NVFS, each time with the "unique"
+   fact (see immediately following section) containing the same value,
+   indicating that the same file is represented by all such names.
+   User-PIs transferring the file need then transfer it only once, and
+   then insert their own form of indirect reference to construct
+   alternate names where desired, or perhaps even copy the local file if
+   that is the only way to provide two names with the same content.  A
+   file which would be a reference to another file, if only the other
+   file actually existed, may be represented in any OS dependent manner
+   appropriate, or not represented at all.
+
+8.5.1.6. Multiple types
+
+   Where a file is such that it may validly, and sensibly, treated by
+   the server-PI as being of more than one of the above types, then
+   multiple entries should be returned, each with its own "Type" fact of
+   the appropriate type, and each containing the same pathname.  This
+   may occur, for example, with a structured file, which may contain
+   sub-files, and where the server-PI permits the structured file to be
+   treated as a unit, or treated as a directory allowing the sub-files
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 36]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   within it to be referenced.
+
+8.5.2. The unique Fact
+
+   The unique fact is used to present a unique identifier for a file or
+   directory in the NVFS accessed via a server-FTP process.  The value
+   of this fact should be the same for any number of pathnames that
+   refer to the same underlying file.  The fact should have different
+   values for names which reference distinct files.  The mapping between
+   files, and unique fact tokens should be maintained, and remain
+   consistent, for at least the lifetime of the control connection from
+   user-PI to server-PI.
+
+        unique-fact  = "Unique" "=" token
+
+   This fact would be expected to be used by Server-FTPs whose host
+   system allows things such as symbolic links so that the same file may
+   be represented in more than one directory on the server.  The only
+   conclusion that should be drawn is that if two different names each
+   have the same value for the unique fact, they refer to the same
+   underlying object.  The value of the unique fact (the token) should
+   be considered an opaque string for comparison purposes, and is a case
+   dependent value.  The tokens "A" and "a" do not represent the same
+   underlying object.
+
+8.5.3. The modify Fact
+
+   The modify fact is used to determine the last time the content of the
+   file (or directory) indicated was modified.  Any change of substance
+   to the file should cause this value to alter.  That is, if a change
+   is made to a file such that the results of a RETR command would
+   differ, then the value of the modify fact should alter.  User-PIs
+   should not assume that a different modify fact value indicates that
+   the file contents are necessarily different than when last retrieved.
+   Some systems may alter the value of the modify fact for other
+   reasons, though this is discouraged wherever possible.  Also a file
+   may alter, and then be returned to its previous content, which would
+   often be indicated as two incremental alterations to the value of the
+   modify fact.
+
+   For directories, this value should alter whenever a change occurs to
+   the directory such that different filenames would (or might) be
+   included in MLSD output of that directory.
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 37]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        modify-fact  = "Modify" "=" time-val
+
+8.5.4. The create Fact
+
+   The create fact indicates when a file, or directory, was first
+   created.  Exactly what "creation" is for this purpose is not
+   specified here, and may vary from server to server.  About all that
+   can be said about the value returned is that it can never indicate a
+   later time than the modify fact.
+
+        create-fact  = "Create" "=" time-val
+
+   Implementation Note: Implementors of this fact on UNIX(TM) systems
+        should note that the unix "stat" "st_ctime" field does not give
+        creation time, and that unix file systems do not record creation
+        time at all.  Unix (and POSIX) implementations will normally not
+        include this fact.
+
+8.5.5. The perm Fact
+
+   The perm fact is used to indicate access rights the current FTP user
+   has over the object listed.  Its value is always an unordered
+   sequence of alphabetic characters.
+
+        perm-fact    = "Perm" "=" *pvals
+        pvals        = "a" / "c" / "d" / "e" / "f" /
+                       "l" / "m" / "p" / "r" / "w"
+
+   There are ten permission indicators currently defined.  Many are
+   meaningful only when used with a particular type of object.  The
+   indicators are case independent, "d" and "D" are the same indicator.
+
+   The "a" permission applies to objects of type=file, and indicates
+   that the APPE (append) command may be applied to the file named.
+
+   The "c" permission applies to objects of type=dir (and type=pdir,
+   type=cdir).  It indicates that files may be created in the directory
+   named.  That is, that a STOU command is likely to succeed, and that
+   STOR and APPE commands might succeed if the file named did not
+   previously exist, but is to be created in the directory object that
+   has the "c" permission.  It also indicates that the RNTO command is
+   likely to succeed for names in the directory.
+
+   The "d" permission applies to all types.  It indicates that the
+   object named may be deleted, that is, that the RMD command may be
+   applied to it if it is a directory, and otherwise that the DELE
+   command may be applied to it.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 38]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The "e" permission applies to the directory types.  When set on an
+   object of type=dir, type=cdir, or type=pdir it indicates that a CWD
+   command naming the object should succeed, and the user should be able
+   to enter the directory named.  For type=pdir it also indicates that
+   the CDUP command may succeed (if this particular pathname is the one
+   to which a CDUP would apply.)
+
+   The "f" permission for objects indicates that the object named may be
+   renamed - that is, may be the object of an RNFR command.
+
+   The "l" permission applies to the directory file types, and indicates
+   that the listing commands, LIST, NLST, and MLSD may be applied to the
+   directory in question.
+
+   The "m" permission applies to directory types, and indicates that the
+   MKD command may be used to create a new directory within the
+   directory under consideration.
+
+   The "p" permission applies to directory types, and indicates that
+   objects in the directory may be deleted, or (stretching naming a
+   little) that the directory may be purged.  Note: it does not indicate
+   that the RMD command may be used to remove the directory named
+   itself, the "d" permission indicator indicates that.
+
+   The "r" permission applies to type=file objects, and for some
+   systems, perhaps to other types of objects, and indicates that the
+   RETR command may be applied to that object.
+
+   The "w" permission applies to type=file objects, and for some
+   systems, perhaps to other types of objects, and indicates that the
+   STOR command may be applied to the object named.
+
+   Note: That a permission indicator is set can never imply that the
+        appropriate command is guaranteed to work - just that it might.
+        Other system specific limitations, such as limitations on
+        available space for storing files, may cause an operation to
+        fail, where the permission flags may have indicated that it was
+        likely to succeed.  The permissions are a guide only.
+
+   Implementation note: The permissions are described here as they apply
+        to FTP commands.  They may not map easily into particular
+        permissions available on the server's operating system.  Servers
+        are expected to synthesize these permission bits from the
+        permission information available from operating system.  For
+        example, to correctly determine whether the "D" permission bit
+        should be set on a directory for a server running on the
+        UNIX(TM) operating system, the server should check that the
+        directory named is empty, and that the user has write permission
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 39]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        on both the directory under consideration, and its parent
+        directory.
+
+        Some systems may have more specific permissions than those
+        listed here, such systems should map those to the flags defined
+        as best they are able.  Other systems may have only more broad
+        access controls.  They will generally have just a few possible
+        permutations of permission flags, however they should attempt to
+        correctly represent what is permitted.
+
+8.5.6. The lang Fact
+
+   The lang fact describes the natural language of the filename for use
+   in display purposes.  Values used here should be taken from the
+   language registry of the IANA.  See [13] for the syntax, and
+   procedures, related to language tags.
+
+        lang-fact  = "Lang" "=" token
+
+   Server-FTP implementations MUST NOT guess language values.  Language
+   values must be determined in an unambiguous way such as file system
+   tagging of language or by user configuration.  Note that the lang
+   fact provides no information at all about the content of a file, only
+   about the encoding of its name.
+
+8.5.7. The size Fact
+
+   The size fact applies to non-directory file types and should always
+   reflect the approximate size of the file.  This should be as accurate
+   as the server can make it, without going to extraordinary lengths,
+   such as reading the entire file.  The size is expressed in units of
+   octets of data in the file.
+
+   Given limitations in some systems, Client-FTP implementations must
+   understand this size may not be precise and may change between the
+   time of a MLST and RETR operation.
+
+   Clients that need highly accurate size information for some
+   particular reason should use the SIZE command as defined in section
+   4.  The most common need for this accuracy is likely to be in
+   conjunction with the REST command described in section 5.  The size
+   fact, on the other hand, should be used for purposes such as
+   indicating to a human user the approximate size of the file to be
+   transferred, and perhaps to give an idea of expected transfer
+   completion time.
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 40]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        size-fact  = "Size" "=" 1*DIGIT
+
+8.5.8. The media-type Fact
+
+   The media-type fact represents the IANA media type of the file named,
+   and applies only to non-directory types.  The list of values used
+   must follow the guidelines set by the IANA registry.
+
+        media-type  = "Media-Type" "=" <per IANA guidelines>
+
+   Server-FTP implementations MUST NOT guess media type values.  Media
+   type values must be determined in an unambiguous way such as file
+   system tagging of media-type or by user configuration.  This fact
+   gives information about the content of the file named.  Both the
+   primary media type, and any appropriate subtype should be given,
+   separated by a slash "/" as is traditional.
+
+8.5.9. The charset Fact
+
+   The charset fact provides the IANA character set name, or alias, for
+   the encoded pathnames in a MLSx response.  The default character set
+   is UTF-8 unless specified otherwise.  FTP implementations SHOULD use
+   UTF-8 if possible to encourage maximum interoperability.  The value
+   of this fact applies to the pathname only, and provides no
+   information about the contents of the file.
+
+        charset-type  = "Charset" "=" token
+
+8.5.10. Required facts
+
+   Servers are not required to support any particular set of the
+   available facts.  However, servers SHOULD, if conceivably possible,
+   support at least the type, perm, size, unique, and modify facts.
+
+8.6. System Dependent and Local Facts
+
+   By using an system dependent fact, or a local fact, a server-PI may
+   communicate to the user-PI information about the file named which is
+   peculiar to the underlying file system.
+
+8.6.1. System Dependent Facts
+
+   System dependent fact names are labeled by prefixing a label
+   identifying the specific information returned by the name of the
+   appropriate operating system from the IANA maintained list of
+   operating system names.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 41]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The value of an OS dependent fact may be whatever is appropriate to
+   convey the information available.  It must be encoded as a "token" as
+   defined in section 2.1 however.
+
+   In order to allow reliable interoperation between users of system
+   dependent facts, the IANA will maintain a registry of system
+   dependent fact names, their syntax, and the interpretation to be
+   given to their values.  Registrations of system dependent facts are
+   to be accomplished according to the procedures of section 11.
+
+8.6.2. Local Facts
+
+   Implementations may also make available other facts of their own
+   choosing.  As the method of interpretation of such information will
+   generally not be widely understood, server-PIs should be aware that
+   clients will typically ignore any local facts provided.  As there is
+   no registration of locally defined facts, it is entirely possible
+   that different servers will use the same local fact name to provide
+   vastly different information.  Hence user-PIs should be hesitant
+   about making any use of any information in a locally defined fact
+   without some other specific assurance that the particular fact is one
+   that they do comprehend.
+
+   Local fact names all begin with the sequence "X.".  The rest of the
+   name is a "token" (see section 2.1).  The value of a local fact can
+   be anything at all, provided it can be encoded as a "token".
+
+8.7. MLSx Examples
+
+   The following examples are all taken from dialogues between existing
+   FTP clients and servers.  Because of this, not all possible
+   variations of possible response formats are shown in the examples.
+   This should not be taken as limiting the options of other server
+   implementors.  Where the examples show OS dependent information, that
+   is to be treated as being purely for the purposes of demonstration of
+   some possible OS specific information that could be defined.  As at
+   the time of the writing of this document, no OS specific facts or
+   file types have been defined, the examples shown here should not be
+   treated as in any way to be preferred over other possible similar
+   definitions.  Consult the IANA registries to determine what types and
+   facts have been defined.
+
+   In the examples shown, only relevant commands and responses have been
+   included.  This is not to imply that other commands (including
+   authentication, directory modification, PORT or PASV commands, or
+   similar) would not be present in an actual connection, or were not,
+   in fact, actually used in the examples before editing.  Note also
+   that the formats shown are those that are transmitted between client
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 42]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   and server, not formats which would normally ever be reported to the
+   user of the client.
+
+   In the examples, lines that begin "C> " were sent over the control
+   connection from the client to the server, lines that begin "S> " were
+   sent over the control connection from the server to the client, and
+   lines that begin "D> " were sent from the server to the client over a
+   data connection created just to send those lines and closed
+   immediately after.  No examples here show data transferred over a
+   data connection from the client to the server.  In all cases, the
+   prefixes shown above, including the one space, have been added for
+   the purposes of this document, and are not a part of the data
+   exchanged between client and server.
+
+8.7.1. Simple MLST
+
+ C> PWD
+ S> 257 "/tmp" is current directory.
+ C> MLst cap60.pl198.tar.gz
+ S> 250- Listing cap60.pl198.tar.gz
+ S>  Type=file;Size=1024990;Perm=r; /tmp/cap60.pl198.tar.gz
+ S> 250 End
+
+   The client first asked to be told the current directory of the
+   server.  This was purely for the purposes of clarity of this example.
+   The client then requested facts about a specific file.  The server
+   returned the "250-" first control-response line, followed by a single
+   line of facts about the file, followed by the terminating "250 "
+   line.  The text on the control-response line and the terminating line
+   can be anything the server decides to send.  Notice that the fact
+   line is indented by a single space.  Notice also that there are no
+   spaces in the set of facts returned, until the single space before
+   the filename.  The filename returned on the fact line is a fully
+   qualified pathname of the file listed.  The facts returned show that
+   the line refers to a file, that file contains approximately 1024990
+   bytes, though more or less than that may be transferred if the file
+   is retrieved, and a different number may be required to store the
+   file at the client's file store, and the connected user has
+   permission to retrieve the file but not to do anything else
+   particularly interesting.
+
+8.7.2. MLST of a directory
+
+ C> PWD
+ S> 257 "/" is current directory.
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Type=dir;Modify=19981107085215;Perm=el; /tmp
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 43]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 250 End
+
+   Again the PWD is just for the purposes of demonstration for the
+   example.  The MLST fact line this time shows that the file listed is
+   a directory, that it was last modified at 08:52:15 on the 7th of
+   November, 1998 UTC, and that the user has permission to enter the
+   directory, and to list its contents, but not to modify it in any way.
+   Again, the fully qualified path name of the directory listed is
+   given.
+
+8.7.3. MLSD of a directory
+
+ C> MLSD tmp
+ S> 150 BINARY connection open for MLSD tmp
+ D> Type=cdir;Modify=19981107085215;Perm=el; tmp
+ D> Type=cdir;Modify=19981107085215;Perm=el; /tmp
+ D> Type=pdir;Modify=19990112030508;Perm=el; ..
+ D> Type=file;Size=25730;Modify=19940728095854;Perm=; capmux.tar.z
+ D> Type=file;Size=1830;Modify=19940916055648;Perm=r; hatch.c
+ D> Type=file;Size=25624;Modify=19951003165342;Perm=r; MacIP-02.txt
+ D> Type=file;Size=2154;Modify=19950501105033;Perm=r; uar.netbsd.patch
+ D> Type=file;Size=54757;Modify=19951105101754;Perm=r; iptnnladev.1.0.sit.hqx
+ D> Type=file;Size=226546;Modify=19970515023901;Perm=r; melbcs.tif
+ D> Type=file;Size=12927;Modify=19961025135602;Perm=r; tardis.1.6.sit.hqx
+ D> Type=file;Size=17867;Modify=19961025135602;Perm=r; timelord.1.4.sit.hqx
+ D> Type=file;Size=224907;Modify=19980615100045;Perm=r; uar.1.2.3.sit.hqx
+ D> Type=file;Size=1024990;Modify=19980130010322;Perm=r; cap60.pl198.tar.gz
+ S> 226 MLSD completed
+
+   In this example notice that there is no leading space on the fact
+   lines returned over the data connection.  Also notice that two lines
+   of "type=cdir" have been given.  These show two alternate names for
+   the directory listed, one a fully qualified pathname, and the other a
+   local name relative to the servers current directory when the MLSD
+   was performed.  Note that all other filenames in the output are
+   relative to the directory listed, though the server could, if it
+   chose, give a fully qualified path name for the "type=pdir" line.
+   This server has chosen not to.  The other files listed present a
+   fairly boring set of files that are present in the listed directory.
+   Note that there is no particular order in which they are listed.
+   They are not sorted by filename, by size, or by modify time.  Note
+   also that the "perm" fact has an empty value for the file
+   "capmux.tar.z" indicating that the connected user has no permissions
+   at all for that file.  This server has chosen to present the "cdir"
+   and "pdir" lines before the lines showing the content of the
+   directory, it is not required to do so.  The "size" fact does not
+   provide any meaningful information for a directory, so is not
+   included in the fact lines for the directory types shown.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 44]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.7.4. A more complex example
+
+ C> MLst test
+ S> 250- Listing test
+ S>  Type=dir;Perm=el;Unique=keVO1+ZF4 test
+ S> 250 End
+ C> MLSD test
+ S> 150 BINARY connection open for MLSD test
+ D> Type=cdir;Perm=el;Unique=keVO1+ZF4; test
+ D> Type=pdir;Perm=e;Unique=keVO1+d?3; ..
+ D> Type=OS.unix=slink:/foobar;Perm=;Unique=keVO1+4G4; foobar
+ D> Type=OS.unix=chr-13/29;Perm=;Unique=keVO1+5G4; device
+ D> Type=OS.unix=blk-11/108;Perm=;Unique=keVO1+6G4; block
+ D> Type=file;Perm=awr;Unique=keVO1+8G4; writable
+ D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; promiscuous
+ D> Type=dir;Perm=;Unique=keVO1+1t2; no-exec
+ D> Type=file;Perm=r;Unique=keVO1+EG4; two words
+ D> Type=file;Perm=r;Unique=keVO1+IH4;  leading space
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file1
+ D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; incoming
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file2
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file3
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file4
+ S> 226 MLSD completed
+ C> MLSD test/incoming
+ S> 150 BINARY connection open for MLSD test/incoming
+ D> Type=cdir;Perm=cpmel;Unique=keVO1+7G4; test/incoming
+ D> Type=pdir;Perm=el;Unique=keVO1+ZF4; ..
+ D> Type=file;Perm=awdrf;Unique=keVO1+EH4; bar
+ D> Type=file;Perm=awdrf;Unique=keVO1+LH4;
+ D> Type=file;Perm=rf;Unique=keVO1+1G4; file5
+ D> Type=file;Perm=rf;Unique=keVO1+1G4; file6
+ D> Type=dir;Perm=cpmdelf;Unique=keVO1+!s2; empty
+ S> 226 MLSD completed
+
+   For the purposes of this example the fact set requested has been
+   modified to delete the "size" and "modify" facts, and add the
+   "unique" fact.  First, facts about a filename have been obtained via
+   MLST.  Note that no fully qualified path name was given this time.
+   That was because the server was unable to determine that information.
+   Then having determined that the filename represents a directory, that
+   directory has been listed.  That listing also shows no fully
+   qualified path name, for the same reason, thus has but a single
+   "type=cdir" line.  This directory (which was created especially for
+   the purpose) contains several interesting files.  There are some with
+   OS dependent file types, several sub-directories, and several
+   ordinary files.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 45]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Not much can be said here about the OS dependent file types, as none
+   of the information shown there should be treated as any more than
+   possibilities.  It can be seen that the OS type of the server is
+   "unix" though, which is one of the OS types in the IANA registry of
+   Operating System names.
+
+   Of the three directories listed, "no-exec" has no permission granted
+   to this user to access at all.  From the "Unique" fact values, it can
+   be determined that "promiscuous" and "incoming" in fact represent the
+   same directory.  Its permissions show that the connected user has
+   permission to do essentially anything other than to delete the
+   directory.  That directory was later listed.  It happens that the
+   directory can not be deleted because it is not empty.
+
+   Of the normal files listed, two contain spaces in their names.  The
+   file called " leading space" actually contains two spaces in its
+   name, one before the "l" and one between the "g" and the "s".  The
+   two spaces that separate the facts from the visible part of the path
+   name make that clear.  The file "writable" has the "a" and "w"
+   permission bits set, and consequently the connected user should be
+   able to STOR or APPE to that file.
+
+   The other four file names, "file1", "file2", "file3", and "file4" all
+   represent the same underlying file, as can be seen from the values of
+   the "unique" facts of each.  It happens that "file1" and "file2" are
+   Unix "hard" links, and that "file3" and "file4" are "soft" or
+   "symbolic" links to the first two.  None of that information is
+   available via standard MLST facts, it is sufficient for the purposes
+   of FTP to note that all represent the same file, and that the same
+   data would be fetched no matter which of them was retrieved, and that
+   all would be simultaneously modified were data stored in any.
+
+   Finally, the sub-directory "incoming" is listed.  Since "promiscuous"
+   is the same directory there would be no point listing it as well.  In
+   that directory, the files "file5" and "file6" represent still more
+   names for the "file1" file we have seen before.  Notice the entry
+   between that for "bar" and "file5".  Though it is not possible to
+   easily represent it in this document, that shows a file with a name
+   comprising exactly three spaces ("   ").  A client will have no
+   difficulty determining that name from the output presented to it
+   however.  The directory "empty" is, as its name implies, empty,
+   though that is not shown here.  It can, however, be deleted, as can
+   file "bar" and the file whose name is three spaces.  All the files
+   that reside in this directory can be renamed.  This is a consequence
+   of the UNIX semantics of the directory that contains them being
+   modifiable.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 46]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.7.5. More accurate time information
+
+ C> MLst file1
+ S> 250- Listing file1
+ S>  Type=file;Modify=19990929003355.237; file1
+ S> 250 End
+
+   In this example, the server-FTP is indicating that "file1" was last
+   modified 237 milliseconds after 00:33:55 UTC on the 29th of
+   September, 1999.
+
+8.7.6. A different server
+
+ C> MLST
+ S> 250-Begin
+ S>  type=dir;unique=AQkAAAAAAAABCAAA; /
+ S> 250 End.
+ C> MLSD .
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABCAAA; /
+ D> type=dir;unique=AQkAAAAAAAABEAAA; bin
+ D> type=dir;unique=AQkAAAAAAAABGAAA; etc
+ D> type=dir;unique=AQkAAAAAAAAB8AwA; halflife
+ D> type=dir;unique=AQkAAAAAAAABoAAA; incoming
+ D> type=dir;unique=AQkAAAAAAAABIAAA; lib
+ D> type=dir;unique=AQkAAAAAAAABWAEA; linux
+ D> type=dir;unique=AQkAAAAAAAABKAEA; ncftpd
+ D> type=dir;unique=AQkAAAAAAAABGAEA; outbox
+ D> type=dir;unique=AQkAAAAAAAABuAAA; quake2
+ D> type=dir;unique=AQkAAAAAAAABQAEA; winstuff
+ S> 226 Listing completed.
+ C> MLSD linux
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABWAEA; /linux
+ D> type=pdir;unique=AQkAAAAAAAABCAAA; /
+ D> type=dir;unique=AQkAAAAAAAABeAEA; firewall
+ D> type=file;size=12;unique=AQkAAAAAAAACWAEA; helo_world
+ D> type=dir;unique=AQkAAAAAAAABYAEA; kernel
+ D> type=dir;unique=AQkAAAAAAAABmAEA; scripts
+ D> type=dir;unique=AQkAAAAAAAABkAEA; security
+ S> 226 Listing completed.
+ C> MLSD linux/kernel
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABYAEA; /linux/kernel
+ D> type=pdir;unique=AQkAAAAAAAABWAEA; /linux
+ D> type=file;size=6704;unique=AQkAAAAAAAADYAEA; k.config
+ D> type=file;size=7269221;unique=AQkAAAAAAAACYAEA; linux-2.0.36.tar.gz
+ D> type=file;size=12514594;unique=AQkAAAAAAAAEYAEA; linux-2.1.130.tar.gz
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 47]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 226 Listing completed.
+
+   Note that this server returns its "unique" fact value in quite a
+   different format.  It also returns fully qualified path names for the
+   "pdir" entry.
+
+8.7.7. Some IANA files
+
+ C> MLSD .
+ S> 150 BINARY connection open for MLSD .
+ D> Type=cdir;Modify=19990219183438; /iana/assignments
+ D> Type=pdir;Modify=19990112030453; ..
+ D> Type=dir;Modify=19990219073522; media-types
+ D> Type=dir;Modify=19990112033515; character-set-info
+ D> Type=dir;Modify=19990112033529; languages
+ D> Type=file;Size=44242;Modify=19990217230400; character-sets
+ D> Type=file;Size=1947;Modify=19990209215600; operating-system-names
+ S> 226 MLSD completed
+ C> MLSD media-types
+ S> 150 BINARY connection open for MLSD media-types
+ D> Type=cdir;Modify=19990219073522; media-types
+ D> Type=cdir;Modify=19990219073522; /iana/assignments/media-types
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=dir;Modify=19990112033045; text
+ D> Type=dir;Modify=19990219183442; image
+ D> Type=dir;Modify=19990112033216; multipart
+ D> Type=dir;Modify=19990112033254; video
+ D> Type=file;Size=30249;Modify=19990218032700; media-types
+ S> 226 MLSD completed
+ C> MLSD character-set-info
+ S> 150 BINARY connection open for MLSD character-set-info
+ D> Type=cdir;Modify=19990112033515; character-set-info
+ D> Type=cdir;Modify=19990112033515; /iana/assignments/character-set-info
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=file;Size=1234;Modify=19980903020400; windows-1251
+ D> Type=file;Size=4557;Modify=19980922001400; tis-620
+ D> Type=file;Size=801;Modify=19970324130000; ibm775
+ D> Type=file;Size=552;Modify=19970320130000; ibm866
+ D> Type=file;Size=922;Modify=19960505140000; windows-1258
+ S> 226 MLSD completed
+ C> MLSD languages
+ S> 150 BINARY connection open for MLSD languages
+ D> Type=cdir;Modify=19990112033529; languages
+ D> Type=cdir;Modify=19990112033529; /iana/assignments/languages
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=file;Size=2391;Modify=19980309130000; default
+ D> Type=file;Size=943;Modify=19980309130000; tags
+ D> Type=file;Size=870;Modify=19971026130000; navajo
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 48]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ D> Type=file;Size=699;Modify=19950911140000; no-bok
+ S> 226 MLSD completed
+ C> PWD
+ S> 257 "/iana/assignments" is current directory.
+
+   This example shows some of the IANA maintained files that are
+   relevant for this specification in MLSD format.  Note that these
+   listings have been edited by deleting many entries, the actual
+   listings are much longer.
+
+8.7.8. A stress test of case (in)dependence
+
+   The following example is intended to make clear some cases where case
+   dependent strings are permitted in the MLSx commands, and where case
+   independent strings are required.
+
+ C> MlsD .
+ S> 150 BINARY connection open for MLSD .
+ D> Type=pdir;Modify=19990929011228;Perm=el;Unique=keVO1+ZF4; ..
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; FILE2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+aG8; file3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+ag8; FILE3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file1
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Ag8; File3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; File1
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; File2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bd8; FILE1
+ S> 226 MLSD completed
+
+   Note first that the "MLSD" command, shown here as "MlsD" is case
+   independent.  Clients may issue this command in any case, or
+   combination of cases, they desire.  This is the case for all FTP
+   commands.
+
+   Next, notice the labels of the facts.  These are also case
+   independent strings, Server-FTP is permitted to return them in any
+   case they desire.  User-FTP must be prepared to deal with any case,
+   though it may do this by mapping the labels to a common case if
+   desired.
+
+   Then, notice that there are nine objects of "type" file returned.  In
+   a case independent NVFS these would represent three different file
+   names, "file1", "file2", and "file3".  With a case dependent NVFS all
+   nine represent different file names.  Either is possible, server-FTPs
+   may implement a case dependent or a case independent NVFS.  User-FTPs
+   must allow for case dependent selection of files to manipulate on the
+   server.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 49]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Lastly, notice that the value of the "unique" fact is case dependent.
+   In the example shown, "file1", "File1", and "file2" all have the same
+   "unique" fact value "keVO1+bD8", and thus all represent the same
+   underlying file.  On the other hand, "FILE1" has a different "unique"
+   fact value ("keVO1+bd8") and hence represents a different file.
+   Similarly, "FILE2" and "File2" are two names for the same underlying
+   file, whereas "file3", "File3" and "FILE3" all represent different
+   underlying files.
+
+   That the approximate sizes ("size" fact) and last modification times
+   ("modify" fact) are the same in all cases might be no more than a
+   coincidence.
+
+   It is not suggested that the operators of server-FTPs create NVFS
+   which stress the protocols to this extent, however both user and
+   server implementations must be prepared to deal with such extreme
+   examples.
+
+8.8. FEAT response for MLSx
+
+   When responding to the FEAT command, a server-FTP process that
+   supports MLST, and MLSD, plus internationalization of pathnames, MUST
+   indicate that this support exists.  It does this by including a MLST
+   feature line.  As well as indicating the basic support, the MLST
+   feature line indicates which MLST facts are available from the
+   server, and which of those will be returned if no subsequent "OPTS
+   MLST" command is sent.
+
+        mlst-feat     = SP "MLST" [SP factlist] CRLF
+        factlist      = 1*( factname ["*"] ";" )
+
+   The initial space shown in the mlst-feat response is that required by
+   the FEAT command, two spaces are not permitted.  If no factlist is
+   given, then the server-FTP process is indicating that it supports
+   MLST, but implements no facts.  Only pathnames can be returned.  This
+   would be a minimal MLST implementation, and useless for most
+   practical purposes.  Where the factlist is present, the factnames
+   included indicate the facts supported by the server.  Where the
+   optional asterisk appears after a factname, that fact will be
+   included in MLST format responses, until an "OPTS MLST" is given to
+   alter the list of facts returned.  After that, subsequent FEAT
+   commands will return the asterisk to show the facts selected by the
+   most recent "OPTS MLST".
+
+   Note that there is no distinct FEAT output for MLSD.  The presence of
+   the MLST feature indicates that both MLST and MLSD are supported.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 50]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.8.1. Examples
+
+ C> Feat
+ S> 211- Features supported
+ S>  REST STREAM
+ S>  MDTM
+ S>  SIZE
+ S>  TVFS
+ S>  UTF8
+ S>  MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+
+   Aside from some features irrelevant here, this server indicates that
+   it supports MLST including several, but not all, standard facts, all
+   of which it will send by default.  It also supports two OS dependent
+   facts, and one locally defined fact.  The latter three must be
+   requested expressly by the client for this server to supply them.
+
+ C> Feat
+ S> 211-Extensions supported:
+ S>  CLNT
+ S>  MDTM
+ S>  MLST type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.group;unique;
+ S>  PASV
+ S>  REST STREAM
+ S>  SIZE
+ S>  TVFS
+ S>  Compliance Level: 19981201 (IETF mlst-05)
+ S> 211 End.
+
+   Again, in addition to some irrelevant features here, this server
+   indicates that it supports MLST, four of the standard facts, one of
+   which ("unique") is not enabled by default, and several OS dependent
+   facts, one of which is provided by the server by default.  This
+   server actually supported more OS dependent facts.  Others were
+   deleted for the purposes of this document to comply with document
+   formatting restrictions.
+
+8.9. OPTS parameters for MLST
+
+   For the MLSx commands, the Client-FTP may specify a list of facts it
+   wishes to be returned in all subsequent MLSx commands until another
+   OPTS MLST command is sent.  The format is specified by:
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 51]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        mlst-opts     = "OPTS" SP "MLST"
+                        [ SP 1*( factname ";" ) ]
+
+   By sending the "OPTS MLST" command, the client requests the server to
+   include only the facts listed as arguments to the command in
+   subsequent output from MLSx commands.  Facts not included in the
+   "OPTS MLST" command MUST NOT be returned by the server.  Facts that
+   are included should be returned for each entry returned from the MLSx
+   command where they meaningfully apply.  Facts requested that are not
+   supported, or which are inappropriate to the file or directory being
+   listed should simply be omitted from the MLSx output.  This is not an
+   error.  Note that where no factname arguments are present, the client
+   is requesting that only the file names be returned.  In this case,
+   and in any other case where no facts are included in the result, the
+   space that separates the fact names and their values from the file
+   name is still required.  That is, the first character of the output
+   line will be a space, (or two characters will be spaces when the line
+   is returned over the control connection,) and the file name will
+   start immediately thereafter.
+
+   Clients should note that generating values for some facts can be
+   possible, but very expensive, for some servers.  It is generally
+   acceptable to retrieve any of the facts that the server offers as its
+   default set before any "OPTS MLST" command has been given, however
+   clients should use particular caution before requesting any facts not
+   in that set.  That is, while other facts may be available from the
+   server, clients should refrain from requesting such facts unless
+   there is a particular operational requirement for that particular
+   information, which ought be more significant than perhaps simply
+   improving the information displayed to an end user.
+
+   Note, there is no "OPTS MLSD" command, the fact names set with the
+   "OPTS MLST" command apply to both MLST and MLSD commands.
+
+   Servers are not required to accept "OPTS MLST" commands before
+   authentication of the user-PI, but may choose to permit them.
+
+8.9.1. OPTS MLST Response
+
+   The "response-message" from [6] to a successful OPTS MLST command has
+   the following syntax.
+
+        mlst-opt-resp = "MLST OPTS" [ SP 1*( factname ";" ) ]
+
+   This defines the "response-message" as used in the "opts-good"
+   message in RFC2389 [6].
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 52]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The facts named in the response are those which the server will now
+   include in MLST (and MLSD) response, after the processing of the
+   "OPTS MLST" command.  Any facts from the request not supported by the
+   server will be omitted from this response message.  If no facts will
+   be included, the list of facts will be empty.  Note that the list of
+   facts returned will be the same as those marked by a trailing
+   asterisk ("*") in a subsequent FEAT command response.  There is no
+   requirement that the order of the facts returned be the same as that
+   in which they were requested, or that in which they will be listed in
+   a FEAT command response, or that in which facts are returned in MLST
+   responses.  The fixed string "MLST OPTS" in the response may be
+   returned in any case, or mixture of cases.
+
+8.9.2. Examples
+
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify*;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> OptS Mlst Type;UNIX.mode;Perm;
+ S> 201 MLST OPTS Type;Perm;UNIX.mode;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify;Perm*;Unique;UNIX.mode*;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> opts MLst lang;type;charset;create;
+ S> 201 MLST OPTS Type;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> OPTS mlst size;frogs;
+ S> 201 MLST OPTS Size;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> opts MLst unique type;
+ S> 501 Invalid MLST options
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+
+   For the purposes of this example, features other than MLST have been
+   deleted from the output to avoid clutter.  The example shows the
+   initial default feature output for MLST.  The facts requested are
+   then changed by the client.  The first change shows facts that are
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 53]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   available from the server being selected.  Subsequent FEAT output
+   shows the altered features as being returned.  The client then
+   attempts to select some standard features which the server does not
+   support.  This is not an error, however the server simply ignores the
+   requests for unsupported features, as the FEAT output that follows
+   shows.  Then, the client attempts to request a non-standard, and
+   unsupported, feature.  The server ignores that, and selects only the
+   supported features requested.  Lastly, the client sends a request
+   containing a syntax error (spaces cannot appear in the factlist.) The
+   server-FTP sends an error response and completely ignores the
+   request, leaving the fact set selected as it had been previously.
+
+   Note that in all cases, except the error response, the response lists
+   the facts that have been selected.
+
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> Opts MLST
+ S> 201 MLST OPTS
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>   /tmp
+ S> 250 End
+ C> OPTS mlst unique;size;
+ S> 201 MLST OPTS Size;Unique;
+ C>  MLst tmp
+ S> 250- Listing tmp
+ S>  Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> OPTS mlst unique;type;modify;
+ S> 201 MLST OPTS Type;Modify;Unique;
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Type=dir;Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> OPTS mlst fish;cakes;
+ S> 201 MLST OPTS
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>   /tmp
+ S> 250 End
+ C> OptS Mlst Modify;Unique;
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 54]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 201 MLST OPTS Modify;Unique;
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> opts MLst fish cakes;
+ S> 501 Invalid MLST options
+ C>  MLst tmp
+ S> 250- Listing tmp
+ S>  Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+
+   This example shows the effect of changing the facts requested upon
+   subsequent MLST commands.  Notice that a syntax error leaves the set
+   of selected facts unchanged.  Also notice exactly two spaces
+   preceding the pathname when no facts were selected, either
+   deliberately, or because none of the facts requested were available.
+
+9. Impact On Other FTP Commands
+
+   Along with the introduction of MLST, traditional FTP commands must be
+   extended to allow for the use of more than US-ASCII or EBCDIC
+   character sets.  In general, the support of MLST requires support for
+   arbitrary character sets wherever filenames and directory names are
+   allowed.  This applies equally to both arguments given to the
+   following commands and to the replies from them, as appropriate.
+
+        CWD
+        RETR
+        STOR
+        STOU
+        APPE
+        RNFR
+        RNTO
+        DELE
+        RMD
+        MKD
+        PWD
+        STAT
+
+   The arguments to all of these commands should be processed the same
+   way that MLST commands and responses are processed with respect to
+   handling embedded spaces, CRs and NULs.  See section 2.2.
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 55]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+10. Character sets and Internationalization
+
+   FTP commands are protocol elements, and are always expressed in
+   ASCII.  FTP responses are composed of the numeric code, which is a
+   protocol element, and a message, which is often expected to convey
+   information to the user.  It is not expected that users normally
+   interact directly with the protocol elements, rather the user FTP-
+   process constructs the commands, and interprets the results, in the
+   manner best suited for the particular user.  Explanatory text in
+   responses generally has no particular meaning to the protocol.  The
+   numeric codes provide all necessary information.  Server-PIs are free
+   to provide the text in any language that can be adequately
+   represented in ASCII, or where an alternative language and
+   representation has been negotiated (see [7]) in that language and
+   representation.
+
+   Pathnames are expected to be encoded in UTF-8 allowing essentially
+   any character to be represented in a pathname.  Meaningful pathnames
+   are defined by the server NVFS.
+
+   No restrictions at all are placed upon the contents of files
+   transferred using the FTP protocols.  Unless the "media-type" fact is
+   provided in a MLSx response nor is any advice given here which would
+   allow determining the content type.  That information is assumed to
+   be obtained via other means.
+
+11. IANA Considerations
+
+   This specification makes use of some lists of values currently
+   maintained by the IANA, and creates two new lists for the IANA to
+   maintain.  It does not add any values to any existing registries.
+
+   The existing IANA registries used by this specification are modified
+   using mechanisms specified elsewhere.
+
+11.1. The OS specific fact registry
+
+   A registry of OS specific fact names shall be maintained by the IANA.
+   The OS names for the OS portion of the fact name must be taken from
+   the IANA's list of registered OS names.  To add a fact name to this
+   OS specific registry of OS specific facts, an applicant must send to
+   the IANA a request, in which is specified the OS name, the OS
+   specific fact name, a definition of the syntax of the fact value,
+   which must conform to the syntax of a token as given in this
+   document, and a specification of the semantics to be associated with
+   the particular fact and its values.  Upon receipt of such an
+   application, and if the combination of OS name and OS specific fact
+   name has not been previously defined, the IANA will add the
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 56]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   specification to the registry.
+
+   Any examples of OS specific facts found in this document are to be
+   treated as examples of possible OS specific facts, and do not form a
+   part of the IANA's registry merely because of being included in this
+   document.
+
+11.2. The OS specific filetype registry
+
+   A registry of OS specific file types shall be maintained by the IANA.
+   The OS names for the OS portion of the fact name must be taken from
+   the IANA's list of registered OS names.  To add a file type to this
+   OS specific registry of OS specific file types, an applicant must
+   send to the IANA a request, in which is specified the OS name, the OS
+   specific file type, a definition of the syntax of the fact value,
+   which must conform to the syntax of a token as given in this
+   document, and a specification of the semantics to be associated with
+   the particular fact and its values.  Upon receipt of such an
+   application, and if the combination of OS name and OS specific file
+   type has not been previously defined, the IANA will add the
+   specification to the registry.
+
+   Any examples of OS specific file types found in this document are to
+   be treated as potential OS specific file types only, and do not form
+   a part of the IANA's registry merely because of being included in
+   this document.
+
+12. Security Considerations
+
+   This memo does not directly concern security.  It is not believed
+   that any of the mechanisms documented here impact in any particular
+   way upon the security of FTP.
+
+   Implementing the SIZE command, and perhaps some of the facts of the
+   MDLx commands, may impose a considerable load on the server, which
+   could lead to denial of service attacks.  Servers have, however,
+   implemented this for many years, without significant reported
+   difficulties.
+
+   With the introduction of virtual hosts to FTP, and the possible
+   accompanying multiple authentication environments, server
+   implementors will need to take some care to ensure that integrity is
+   maintained.
+
+   The FEAT and OPTS commands may be issued before the FTP
+   authentication has occurred [6].  This allows unauthenticated clients
+   to determine which of the features defined here are supported, and to
+   negotiate the fact list for MLSx output.  No actual MLSx commands may
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 57]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   be issued however, and no problems with permitting the selection of
+   the format prior to authentication are foreseen.
+
+   A general discussion of issues related to the security of FTP can be
+   found in [14].
+
+13. References
+
+   [1]  Coded Character Set--7-bit American Standard Code for Information
+        Interchange, ANSI X3.4-1986.
+
+   [2]  Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
+        10646", RFC 2044, October 1996.
+
+   [3]  Postel, J., Reynolds, J., "File Transfer Protocol (FTP)",
+        STD 9, RFC 959, October 1985
+
+   [4]  Bradner, S., "Key words for use in RFCs to Indicate
+        Requirement Levels", BCP 14, RFC 2119, March 1997
+
+   [5]  Crocker, D., Overell, P., "Augmented BNF for Syntax
+        Specifications: ABNF", RFC 2234, November 1997
+
+   [6]  Hethmon, P., Elz, R., "Feature negotiation mechanism for the
+        File Transfer Protocol", RFC 2389, August 1998
+
+   [7]  Curtin, W., "Internationalization of the File Transfer Protocol",
+        RFC 2640, July 1999
+
+   [8]  Postel, J., Reynolds, J., "Telnet protocol Specification"
+        STD 8, RFC 854, May 1983
+
+   [9]  Braden, R,. "Requirements for Internet Hosts -- Application
+        and Support", STD 3, RFC 1123, October 1989
+
+   [10] Mockapetris, P., "Domain Names - Concepts and Facilities"
+        STD 13, RFC 1034, November 1987
+
+   [11] ISO/IEC 10646-1:1993  "Universal multiple-octet coded character set
+        (UCS) -- Part 1: Architecture and basic multilingual plane",
+        International Standard -- Information Technology, 1993
+
+   [12] Internet Assigned Numbers Authority.  http://www.iana.org
+        Email: iana@iana.org.
+
+   [13] Alvestrand, H., "Tags for the Identification of Languages"
+        RFC 1766, March 1995
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 58]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   [14] Allman, M., Ostermann, S., "FTP Security Considerations"
+        RFC 2577, May 1999
+
+Acknowledgments
+
+   This document is a product of the FTPEXT working group of the IETF.
+
+   The following people are among those who have contributed to this
+   document:
+
+        Alex Belits
+        D. J. Bernstein
+        Dave Cridland
+        Martin J. Duerst
+        Mike Gleason
+        Mark Harris
+        Alun Jones
+        James Matthews
+        Luke Mewburn
+        Jan Mikkelsen
+        Keith Moore
+        Buz Owen
+        Mark Symons
+        Stephen Tihor
+        and the entire FTPEXT working group of the IETF.
+
+   Apologies are offered to any inadvertently omitted.
+
+   Bernhard Rosenkraenzer suggested the HOST command, and initially
+   described it.
+
+   The description of the modifications to the REST command and the MDTM
+   and SIZE commands comes from a set of modifications suggested for
+   RFC959 by Rick Adams in 1989.  A draft containing just those
+   commands, edited by David Borman, has been merged with this document.
+
+   Mike Gleason provided access to the FTP server used in some of the
+   examples.
+
+   All of the examples in this document are taken from actual
+   client/server exchanges, though some have been edited for brevity, or
+   to meet document formatting requirements.
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 59]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+Copyright
+
+   This document is in the public domain.  Any and all copyright
+   protection that might apply in any jurisdiction is expressly
+   disclaimed.
+
+Editors' Addresses
+
+   Robert Elz
+   University of Melbourne
+   Department of Computer Science
+   Parkville, Vic   3052
+   Australia
+
+   Email: kre@munnari.OZ.AU
+
+
+   Paul Hethmon
+   Hethmon Brothers
+   2305 Chukar Road
+   Knoxville, TN 37923 USA
+
+   Phone: +1 423 690 8990
+   Email: phethmon@hethmon.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 60]
diff --git a/crypto/heimdal/doc/standardisation/rfc1508.txt b/crypto/heimdal/doc/standardisation/rfc1508.txt
new file mode 100644
index 0000000..132b855
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1508.txt
@@ -0,0 +1,2747 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 1508                         Geer Zolot Associates
+                                                          September 1993
+
+
+         Generic Security Service Application Program Interface
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This Generic Security Service Application Program Interface (GSS-API)
+   definition provides security services to callers in a generic
+   fashion, supportable with a range of underlying mechanisms and
+   technologies and hence allowing source-level portability of
+   applications to different environments. This specification defines
+   GSS-API services and primitives at a level independent of underlying
+   mechanism and programming language environment, and is to be
+   complemented by other, related specifications:
+
+        documents defining specific parameter bindings for particular
+        language environments
+
+        documents defining token formats, protocols, and procedures to
+        be implemented in order to realize GSS-API services atop
+        particular security mechanisms
+
+Table of Contents
+
+   1. GSS-API Characteristics and Concepts .......................    2
+   1.1. GSS-API Constructs .......................................    5
+   1.1.1.  Credentials ...........................................    5
+   1.1.2.  Tokens ................................................    6
+   1.1.3.  Security Contexts .....................................    7
+   1.1.4.  Mechanism Types .......................................    8
+   1.1.5.  Naming ................................................    9
+   1.1.6.  Channel Bindings ......................................   10
+   1.2.  GSS-API Features and Issues .............................   11
+   1.2.1.  Status Reporting ......................................   11
+   1.2.2.  Per-Message Security Service Availability .............   12
+   1.2.3.  Per-Message Replay Detection and Sequencing ...........   13
+   1.2.4.  Quality of Protection .................................   15
+
+
+
+Linn                                                            [Page 1]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   2. Interface Descriptions .....................................   15
+   2.1.  Credential management calls .............................   17
+   2.1.1.  GSS_Acquire_cred call .................................   17
+   2.1.2.  GSS_Release_cred call .................................   19
+   2.1.3.  GSS_Inquire_cred call .................................   20
+   2.2.  Context-level calls .....................................   21
+   2.2.1.  GSS_Init_sec_context call .............................   21
+   2.2.2.  GSS_Accept_sec_context call ...........................   26
+   2.2.3.  GSS_Delete_sec_context call ...........................   29
+   2.2.4.  GSS_Process_context_token call ........................   30
+   2.2.5.  GSS_Context_time call .................................   31
+   2.3.  Per-message calls .......................................   32
+   2.3.1.  GSS_Sign call .........................................   32
+   2.3.2.  GSS_Verify call .......................................   33
+   2.3.3.  GSS_Seal call .........................................   35
+   2.3.4.  GSS_Unseal call .......................................   36
+   2.4.  Support calls ...........................................   37
+   2.4.1.  GSS_Display_status call ...............................   37
+   2.4.2.  GSS_Indicate_mechs call ...............................   38
+   2.4.3.  GSS_Compare_name call .................................   38
+   2.4.4.  GSS_Display_name call .................................   39
+   2.4.5.  GSS_Import_name call ..................................   40
+   2.4.6.  GSS_Release_name call .................................   41
+   2.4.7.  GSS_Release_buffer call ...............................   41
+   2.4.8.  GSS_Release_oid_set call ..............................   42
+   3. Mechanism-Specific Example Scenarios .......................   42
+   3.1.  Kerberos V5, single-TGT .................................   43
+   3.2.  Kerberos V5, double-TGT .................................   43
+   3.3.  X.509 Authentication Framework ..........................   44
+   4. Related Activities .........................................   45
+   5. Acknowledgments ............................................   46
+   6. Security Considerations ....................................   46
+   7. Author's Address ...........................................   46
+   Appendix A ....................................................   47
+   Appendix B ....................................................   48
+   Appendix C ....................................................   49
+
+1. GSS-API Characteristics and Concepts
+
+   The operational paradigm in which GSS-API operates is as follows. A
+   typical GSS-API caller is itself a communications protocol, calling
+   on GSS-API in order to protect its communications with
+   authentication, integrity, and/or confidentiality security services.
+   A GSS-API caller accepts tokens provided to it by its local GSS-API
+   implementation and transfers the tokens to a peer on a remote system;
+   that peer passes the received tokens to its local GSS-API
+   implementation for processing. The security services available
+   through GSS-API in this fashion are implementable (and have been
+
+
+
+Linn                                                            [Page 2]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   implemented) over a range of underlying mechanisms based on secret-
+   key and public-key cryptographic technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication (This
+   security service definition, and other definitions used in this
+   document, corresponds to that provided in International Standard ISO
+   7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context() and
+   GSS_Accept_sec_context() calls), from the operations of providing
+   per-message data origin authentication and data integrity protection
+   (GSS_Sign() and GSS_Verify() calls) for messages subsequently
+   transferred in conjunction with that context. Per-message GSS_Seal()
+   and GSS_Unseal() calls provide the data origin authentication and
+   data integrity services which GSS_Sign() and GSS_Verify() offer, and
+   also support selection of confidentiality services as a caller
+   option.  Additional calls provide supportive functions to the GSS-
+   API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example assumes that the
+   underlying authentication technology is capable of authenticating a
+   client to a server using elements carried within a single token, and
+   of authenticating the server to the client (mutual authentication)
+   with a single returned token; this assumption holds for presently-
+   documented CAT mechanisms but is not necessarily true for other
+   cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context()  to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context()  returns an
+   output_token to be passed to the server, and indicates
+   GSS_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context()  would have returned
+   GSS_COMPLETE status. The client sends the output_token to the server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_COMPLETE status, provides the client's authenticated identity in
+   the src_name result, and provides an output_token to be passed to the
+   client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(),  which processes data
+
+
+
+Linn                                                            [Page 3]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context()  returns
+   GSS_COMPLETE status, indicating successful mutual authentication and
+   the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Seal().
+   GSS_Seal() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+   encapsulates the result into output_message, indicating GSS_COMPLETE
+   status. The client sends the output_message to the server.
+
+   The server passes the received message to GSS_Unseal().  GSS_Unseal
+   inverts the encapsulation performed by GSS_Seal(),  deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unseal()  indicates successful validation by
+   returning GSS_COMPLETE status along with the resultant
+   output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information. GSS_Delete_sec_context() returns a
+   context_token for the server to pass to the client.
+
+   The client passes the returned context_token to
+   GSS_Process_context_token(),  which returns GSS_COMPLETE status after
+   deleting context-level information at the client system.
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services can be implemented by secret-key technologies (e.g.,
+      Kerberos) or public-key approaches (e.g., X.509).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol (e.g.,
+      Remote Procedure Call (RPC)) may be interposed between
+      applications which call that protocol and the GSS-API, thereby
+      invoking GSS-API facilities in conjunction with that protocol's
+
+
+
+Linn                                                            [Page 4]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1. GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1.  Credentials
+
+   Credentials structures provide the prerequisites enabling peers to
+   establish security contexts with each other. A caller may designate
+   that its default credential be used for context establishment calls
+   without presenting an explicit handle to that credential.
+   Alternately, those GSS-API callers which need to make explicit
+   selection of particular credentials structures may make references to
+   those credentials through GSS-API-provided credential handles
+   ("cred_handles").
+
+   A single credential structure may be used for initiation of outbound
+   contexts and acceptance of inbound contexts. Callers needing to
+   operate in only one of these modes may designate this fact when
+   credentials are acquired for use, allowing underlying mechanisms to
+   optimize their processing and storage requirements. The credential
+   elements defined by a particular mechanism may contain multiple
+   cryptographic keys, e.g., to enable authentication and message
+   encryption to be performed with different algorithms.
+
+   A single credential structure may accommodate credential information
+   associated with multiple underlying mechanisms (mech_types); a
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation.
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target; the
+   primary motivation for supporting credential sets representing
+   multiple mech_types is to allow initiators on systems which are
+
+
+
+Linn                                                            [Page 5]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   equipped to handle multiple types to initiate contexts to targets on
+   other systems which can accommodate only a subset of the set
+   supported at the initiator's system.
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      as the default credentials installed on behalf of a process
+
+1.1.2. Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens are exchanged in conjunction with an established context to
+   provide protective security services for corresponding data messages.
+   The internal contents of both classes of tokens are specific to the
+   particular underlying mechanism used to support the GSS-API; Appendix
+   B of this document provides a uniform recommendation for designers of
+   GSS-API support mechanisms, encapsulating mechanism-specific
+   information along with a globally-interpretable mechanism identifier.
+
+
+
+
+Linn                                                            [Page 6]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Tokens are opaque from the viewpoint of GSS-API callers. They are
+   generated within the GSS-API implementation at an end system,
+   provided to a GSS-API caller to be transferred to the peer GSS-API
+   caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system. Tokens may be output by
+   GSS-API primitives (and are to be transferred to GSS-API peers)
+   independent of the status indications which those primitives
+   indicate. Token transfer may take place in an in-band manner,
+   integrated into the same protocol stream used by the GSS-API callers
+   for other data transfers, or in an out-of-band manner across a
+   logically separate channel.
+
+   Development of GSS-API support primitives based on a particular
+   underlying cryptographic technique and protocol does not necessarily
+   imply that GSS-API callers invoking that GSS-API mechanism type will
+   be able to interoperate with peers invoking the same technique and
+   protocol outside the GSS-API paradigm.  For example, the format of
+   GSS-API tokens defined in conjunction with a particular mechanism,
+   and the techniques used to integrate those tokens into callers'
+   protocols, may not be the same as those used by non-GSS-API callers
+   of the same underlying technique.
+
+1.1.3.  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+
+
+
+Linn                                                            [Page 7]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.
+
+1.1.4.  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name
+
+      lookup of a target's name in a naming service or other database in
+      order to identify mech_types supported by that target
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Appendix B, represented as Object Identifiers (OIDs)) serve to
+   qualify the interpretation of associated tokens. (The structure and
+   encoding of Object Identifiers is defined in ISO/IEC 8824,
+   "Specification of Abstract Syntax Notation One (ASN.1)" and in
+   ISO/IEC 8825, "Specification of Basic Encoding Rules for Abstract
+   Syntax Notation One (ASN.1)".) Use of hierarchically structured OIDs
+   serves to preclude ambiguous interpretation of mech_type specifiers.
+
+
+
+Linn                                                            [Page 8]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   The OID representing the DASS MechType, for example, is
+   1.3.12.2.1011.7.5.
+
+1.1.5.  Naming
+
+   The GSS-API avoids prescription of naming structures, treating the
+   names transferred across the interface in order to initiate and
+   accept security contexts as opaque octet string quantities.  This
+   approach supports the GSS-API's goal of implementability atop a range
+   of underlying security mechanisms, recognizing the fact that
+   different mechanisms process and authenticate names which are
+   presented in different forms. Generalized services offering
+   translation functions among arbitrary sets of naming environments are
+   outside the scope of the GSS-API; availability and use of local
+   conversion functions to translate among the naming formats supported
+   within a given end system is anticipated.
+
+   Two distinct classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      a printable form (denoted by OCTET STRING), for acceptance from
+      and presentation to users; printable name forms are accompanied by
+      OID tags identifying the namespace to which they correspond
+
+      an internal form (denoted by INTERNAL NAME), opaque to callers and
+      defined by individual GSS-API implementations; GSS-API
+      implementations supporting multiple namespace types are
+      responsible for maintaining internal tags to disambiguate the
+      interpretation of particular names
+
+      Tagging of printable names allows GSS-API callers and underlying
+      GSS-API mechanisms to disambiguate name types and to determine
+      whether an associated name's type is one which they are capable of
+      processing, avoiding aliasing problems which could result from
+      misinterpreting a name of one type as a name of another type.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()),  input conversion
+   (GSS_Import_name()), and internal name deallocation
+   (GSS_Release_name())  functions are defined. (It is anticipated that
+   these proposed GSS-API calls will be implemented in many end systems
+   based on system-specific name manipulation primitives already extant
+   within those end systems; inclusion within the GSS-API is intended to
+
+
+
+Linn                                                            [Page 9]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   offer GSS-API callers a portable means to perform specific
+   operations, supportive of authorization and audit requirements, on
+   authenticated names.)
+
+   GSS_Import_name()  implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+1.1.6.  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information, used by GSS-API callers to bind
+   the establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel and of protection mechanisms
+   applied to that communications channel.  Verification by one peer of
+   chan_binding information provided by the other peer to a context
+   serves to protect against various active attacks. The caller
+   initiating a security context must determine the chan_binding values
+   before making the GSS_Init_sec_context()  call, and consistent values
+   must be provided by both peers to a context. Callers should not
+   assume that underlying mechanisms provide confidentiality protection
+   for channel binding information.
+
+   Use or non-use of the GSS-API channel binding facility is a caller
+   option, and GSS-API supporting mechanisms can support operation in an
+   environment where NULL channel bindings are presented. When non-NULL
+   channel bindings are used, certain mechanisms will offer enhanced
+   security value by interpreting the bindings' content (rather than
+   simply representing those bindings, or signatures computed on them,
+   within tokens) and will therefore depend on presentation of specific
+   data in a defined format. To this end, agreements among mechanism
+   implementors are defining conventional interpretations for the
+   contents of channel binding arguments, including address specifiers
+   (with content dependent on communications protocol environment) for
+   context initiators and acceptors. (These conventions are being
+   incorporated into related documents.) In order for GSS-API callers to
+   be portable across multiple mechanisms and achieve the full security
+   functionality available from each mechanism, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+
+
+
+Linn                                                           [Page 10]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2.  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1.  Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to
+   drive normal control flow within the caller in a generic fashion.
+   Table 1 summarizes the defined major_status return codes in tabular
+   fashion.
+
+   Table 1: GSS-API Major Status Codes
+
+      FATAL ERROR CODES
+
+      GSS_BAD_BINDINGS             channel binding mismatch
+      GSS_BAD_MECH                 unsupported mechanism requested
+      GSS_BAD_NAME                 invalid name provided
+      GSS_BAD_NAMETYPE             name of unsupported type provided
+      GSS_BAD_STATUS               invalid input status selector
+      GSS_BAD_SIG                  token had invalid signature
+      GSS_CONTEXT_EXPIRED          specified security context expired
+      GSS_CREDENTIALS_EXPIRED      expired credentials detected
+      GSS_DEFECTIVE_CREDENTIAL     defective credential detected
+      GSS_DEFECTIVE_TOKEN          defective token detected
+      GSS_FAILURE                  failure, unspecified at GSS-API
+                                   level
+      GSS_NO_CONTEXT               no valid security context specified
+      GSS_NO_CRED                  no valid credentials provided
+
+      INFORMATORY STATUS CODES
+
+      GSS_COMPLETE                 normal completion
+      GSS_CONTINUE_NEEDED          continuation call to routine
+                                   required
+      GSS_DUPLICATE_TOKEN          duplicate per-message token
+                                   detected
+      GSS_OLD_TOKEN                timed-out per-message token
+                                   detected
+      GSS_UNSEQ_TOKEN              out-of-order per-message token
+                                   detected
+
+
+
+Linn                                                           [Page 11]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+   GSS_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context()  and
+   GSS_Accept_sec_context()  calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accomodated with
+   sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same mechanism is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.2. Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+      GSS-API callers desiring per-message security services should
+      check the values of these flags at context establishment time, and
+      must be aware that a returned FALSE value for integ_avail means
+      that invocation of GSS_Sign()  or GSS_Seal() primitives on the
+      associated context will apply no cryptographic protection to user
+      data messages.
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Seal(), encapsulate the protected data unit.
+
+
+
+Linn                                                           [Page 12]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3. Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types are expected to offer support for
+   replay detection and/or sequencing of messages transferred on the
+   contexts they support. These optionally-selectable protection
+   features are distinct from replay detection and sequencing features
+   applied to the context establishment operation itself; the presence
+   or absence of context-level replay or sequencing features is wholly a
+   function of the underlying mech_type's capabilities, and is not
+   selected or omitted as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of mech_type, without need
+   for bilateral negotiation with the target. When enabled, these
+   features provide recipients with indicators as a result of GSS-API
+   processing of incoming messages, identifying whether those messages
+   were detected as duplicates or out-of-sequence. Detection of such
+   events does not prevent a suspect message from being provided to a
+   recipient; the appropriate course of action on a suspect message is a
+   matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+      2. GSS_DUPLICATE_TOKEN indicates that the signature on the
+      received message was correct, but that the message was recognized
+      as a duplicate of a previously-processed message.
+
+      3. GSS_OLD_TOKEN indicates that the signature on the received
+      message was correct, but that the message is too old to be checked
+      for duplication.
+
+
+
+Linn                                                           [Page 13]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+      2. GSS_DUPLICATE_TOKEN indicates that the signature on the
+      received message was correct, but that the message was recognized
+      as a duplicate of a previously-processed message.
+
+      3. GSS_OLD_TOKEN indicates that the signature on the received
+      message was correct, but that the token is too old to be checked
+      for duplication.
+
+      4. GSS_UNSEQ_TOKEN indicates that the signature on the received
+      message was correct, but that it is earlier in a sequenced stream
+      than a message already processed on the context.  [Note:
+      Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_Sign() and GSS_Seal(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_Verify() and
+
+
+
+Linn                                                           [Page 14]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   GSS_Unseal(). When this feature is active, exception status returns
+   (GSS_DUPLICATE_TOKEN, GSS_ OLD_TOKEN) will be provided when
+   GSS_Verify() or GSS_Unseal() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4.  Quality of Protection
+
+   Some mech_types will provide their users with fine granularity
+   control over the means used to provide per-message protection,
+   allowing callers to trade off security processing overhead
+   dynamically against the protection requirements of particular
+   messages. A per-message quality-of-protection parameter (analogous to
+   quality-of-service, or QOS) selects among different QOP options
+   supported by that mechanism. On context establishment for a multi-QOP
+   mech_type, context-level data provides the prerequisite data for a
+   range of protection qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.
+
+2.  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 15]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      Table 2:  GSS-API Calls
+
+      CREDENTIAL MANAGEMENT
+
+      GSS_Acquire_cred             acquire credentials for use
+      GSS_Release_cred             release credentials after use
+      GSS_Inquire_cred             display information about
+                                   credentials
+
+      CONTEXT-LEVEL CALLS
+
+      GSS_Init_sec_context         initiate outbound security context
+      GSS_Accept_sec_context       accept inbound security context
+      GSS_Delete_sec_context       flush context when no longer needed
+      GSS_Process_context_token    process received control token on
+                                   context
+      GSS_Context_time             indicate validity time remaining on
+                                   context
+
+      PER-MESSAGE CALLS
+
+      GSS_Sign                     apply signature, receive as token
+                                   separate from message
+      GSS_Verify                   validate signature token along with
+                                   message
+      GSS_Seal                     sign, optionally encrypt,
+                                   encapsulate
+      GSS_Unseal                   decapsulate, decrypt if needed,
+                                   validate signature
+
+      SUPPORT CALLS
+
+      GSS_Display_status           translate status codes to printable
+                                   form
+      GSS_Indicate_mechs           indicate mech_types supported on
+                                   local system
+      GSS_Compare_name             compare two names for equality
+      GSS_Display_name             translate name to printable form
+      GSS_Import_name              convert printable name to
+                                   normalized form
+      GSS_Release_name             free storage of normalized-form
+                                   name
+      GSS_Release_buffer           free storage of printable name
+      GSS_Release_oid_set          free storage of OID set object
+
+
+
+
+
+
+
+Linn                                                           [Page 16]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+2.1.  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred()  call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred()  call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.
+
+2.1.1.  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -NULL requests locally-determined
+      default
+
+   o  lifetime_req INTEGER,-in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests
+      system-selected default
+
+   o  cred_usage INTEGER-0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle OCTET STRING,
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+
+
+Linn                                                           [Page 17]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that requested credentials were
+      successfully established, for the duration indicated in
+      lifetime_rec, suitable for the usage requested in cred_usage, for
+      the set of mech_types indicated in actual_mechs, and that those
+      credentials can be referenced for subsequent use with the handle
+      returned in output_cred_handle.
+
+   o  GSS_BAD_MECH indicates that a mech_type unsupported by the GSS-API
+      implementation type was requested, causing the credential
+      establishment operation to fail.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided desired_name is
+      uninterpretable or of a type unsupported by the supporting GSS-API
+      implementation, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_FAILURE indicates that credential establishment failed for
+      reasons unspecified at the GSS-API level, including lack of
+      authorization to establish and use credentials associated with the
+      identity named in the input desired_name argument.
+
+   GSS_Acquire_cred()  is used to acquire credentials so that a
+   principal can (as a function of the input cred_usage parameter)
+   initiate and/or accept security contexts under the identity
+   represented by the desired_name input argument. On successful
+   completion, the returned output_cred_handle result provides a handle
+   for subsequent references to the acquired credentials.  Typically,
+   single-user client processes using only default credentials for
+   context establishment purposes will have no need to invoke this call.
+
+   A caller may provide the value NULL for desired_name, signifying a
+   request for credentials corresponding to a default principal
+   identity.  The procedures used by GSS-API implementations to select
+   the appropriate principal identity in response to this form of
+   request are local matters. It is possible that multiple pre-
+   established credentials may exist for the same principal identity
+   (for example, as a result of multiple user login sessions) when
+   GSS_Acquire_cred() is called; the means used in such cases to select
+   a specific credential are local matters.  The input lifetime_req
+   argument to GSS_Acquire_cred() may provide useful information for
+   local GSS-API implementations to employ in making this disambiguation
+
+
+
+Linn                                                           [Page 18]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   in a manner which will best satisfy a caller's intent.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred()  can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred() can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2.  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle OCTET STRING-NULL specifies default credentials
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the credentials referenced by the
+      input cred_handle were released for purposes of subsequent access
+      by the caller. The effect on other processes which may be
+      authorized shared access to such credentials is a local matter.
+
+
+
+
+
+Linn                                                           [Page 19]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_NO_CRED indicates that no release operation was performed,
+      either because the input cred_handle was invalid or because the
+      caller lacks authorization to access the referenced credentials.
+
+   o  GSS_FAILURE indicates that the release operation failed for
+      reasons unspecified at the GSS-API level.
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes.  Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3.  GSS_Inquire_cred call
+
+      Input:
+
+      o  cred_handle OCTET STRING -NULL specifies default credentials
+
+      Outputs:
+
+      o  major_status INTEGER,
+
+      o  minor_status INTEGER,
+
+      o  cred_name INTERNAL NAME,
+
+      o  lifetime_rec INTEGER -in seconds, or reserved value for
+         INDEFINITE
+
+      o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+         2=ACCEPT-ONLY
+
+      o  mech_set SET OF OBJECT IDENTIFIER
+
+      Return major_status codes:
+
+      o  GSS_COMPLETE indicates that the credentials referenced by the
+         input cred_handle argument were valid, and that the output
+         cred_name, lifetime_rec, and cred_usage values represent,
+         respectively, the credentials' associated principal name,
+         remaining lifetime, suitable usage modes, and supported
+         mechanism types.
+
+
+
+Linn                                                           [Page 20]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      o  GSS_NO_CRED indicates that no information could be returned
+         about the referenced credentials, either because the input
+         cred_handle was invalid or because the caller lacks
+         authorization to access the referenced credentials.
+
+      o  GSS_FAILURE indicates that the release operation failed for
+         reasons unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred()  call is defined primarily for the use of
+   those callers which make use of default credentials rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+2.2.  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(),  resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context().  Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_CONTINUE_NEEDED status returns from GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  Either party to an established context may
+   invoke GSS_Delete_sec_context()  to flush context information when a
+   context is no longer required. GSS_Process_context_token()  is used
+   to process received tokens carrying context-level control
+   information. GSS_Context_time()  allows a caller to determine the
+   length of time for which an established context will remain valid.
+
+2.2.1.  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle OCTET STRING, -NULL specifies "use
+      default"
+
+   o  input_context_handle INTEGER, -0 specifies "none assigned
+      yet"
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use
+      default"
+
+   o  deleg_req_flag BOOLEAN,
+
+
+
+Linn                                                           [Page 21]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER,-0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING-NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_handle INTEGER,
+
+   o  mech_type OBJECT IDENTIFIER, -actual mechanism always
+      indicated, never NULL
+
+   o  output_token OCTET STRING, -NULL or token to pass to context
+      target
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+
+
+
+Linn                                                           [Page 22]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_COMPLETE indicates that context-level information was
+      successfully initialized, and that the returned output_token will
+      provide sufficient information for the target to perform per-
+      message processing on the newly-established context.
+
+   o  GSS_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the target, and that a reply
+      must be received and passed as the input_token argument to a
+      continuation call to GSS_Init_sec_context(),  before per-message
+      processing can be performed in conjunction with this context.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the input_token failed, preventing further processing from being
+      performed based on that token.
+
+   o  GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      claimant_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_BAD_SIG indicates that the received input_token contains an
+      incorrect signature, so context setup cannot be accomplished.
+
+   o  GSS_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the referenced
+      credentials are valid for context acceptor use only, or because
+      the caller lacks authorization to access the referenced
+      credentials.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input claimant_cred_handle argument are no longer
+      valid, so context establishment cannot be completed.
+
+   o  GSS_BAD_BINDINGS indicates that a mismatch between the caller-
+      provided chan_bindings and those extracted from the input_token
+      was detected, signifying a security-relevant event and preventing
+      context establishment. (This result will be returned by
+      GSS_Init_sec_context only for contexts where mutual_state is
+      TRUE.)
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided; this major status will be
+      returned only for successor calls following GSS_CONTINUE_NEEDED
+      status returns.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided targ_name is of a
+      type uninterpretable or unsupported by the supporting GSS-API
+      implementation, so context establishment cannot be completed.
+
+
+
+Linn                                                           [Page 23]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_BAD_NAME indicates that the provided targ_name is inconsistent
+      in terms of internally-incorporated type specifier information, so
+      context establishment cannot be accomplished.
+
+   o  GSS_FAILURE indicates that context setup could not be accomplished
+      for reasons unspecified at the GSS-API level, and that no
+      interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits one
+   (or, for the case of a multi-step exchange, more than one)
+   output_token suitable for use by the target within the selected
+   mech_type's protocol. Using information in the credentials structure
+   referenced by claimant_cred_handle, GSS_Init_sec_context()
+   initializes the data structures required to establish a security
+   context with target targ_name. The claimant_cred_handle must
+   correspond to the same valid credentials structure on the initial
+   call to GSS_Init_sec_context()  and on any successor calls resulting
+   from GSS_CONTINUE_NEEDED status returns; different protocol sequences
+   modeled by the GSS_CONTINUE_NEEDED mechanism will require access to
+   credentials at different points in the context establishment
+   sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Init_sec_context()  call relating to a
+   given context. That call returns an output_context_handle for future
+   references to this context. When continuation attempts to
+   GSS_Init_sec_context()  are needed to perform context establishment,
+   the previously-returned non-zero handle value is entered into the
+   input_context_handle argument and will be echoed in the returned
+   output_context_handle argument. On such continuation attempts (and
+   only on continuation attempts) the input_token value is used, to
+   provide the token returned from the context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context() which
+   follows a previous return indicating GSS_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+
+
+
+Linn                                                           [Page 24]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   the first application-provided input message to be processed by
+   GSS_Sign() or GSS_Seal() in conjunction with a successfully-
+   established context.
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+   1.2.3 for more information on replay detection and sequencing
+   features.)
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types; the corresponding return state values
+   (deleg_state, mutual_state, replay_det_state, sequence_state)
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context. These state indicators' values are undefined
+   unless the routine's major_status indicates COMPLETE. Failure to
+   provide the precise set of features requested by the caller does not
+   cause context establishment to fail; it is the caller's prerogative
+   to delete the context if the feature set provided is unsuitable for
+   the caller's use.  The returned mech_type value indicates the
+   specific mechanism employed on the context, and will never indicate
+   the value for "default".
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Seal() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_Sign() or GSS_Seal()) on
+   the established context.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The values of conf_avail,
+   integ_avail, and lifetime_rec are undefined unless the routine's
+   major_status indicates COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+
+
+
+Linn                                                           [Page 25]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   output_token. A call to GSS_Accept_sec_context() at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(), in order to achieve
+   mutual authentication.
+
+2.2.2.  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle OCTET STRING,-NULL specifies "use
+      default"
+
+   o  input_context_handle INTEGER, -0 specifies "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER,
+
+   o  output_context_handle INTEGER,
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER, - in seconds, or reserved value for
+      INDEFINITE
+
+   o  delegated_cred_handle OCTET STRING,
+
+   o  output_token OCTET STRING -NULL or token to pass to context
+
+
+
+Linn                                                           [Page 26]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      initiator
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that context-level data structures were
+      successfully initialized, and that per-message processing can now
+      be performed in conjunction with this context.
+
+   o  GSS_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the initiator, and that a
+      response must be received and passed as the input_token argument
+      to a continuation call to GSS_Accept_sec_context(), before per-
+      message processing can be performed in conjunction with this
+      context.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the input_token failed, preventing further processing from being
+      performed based on that token.
+
+   o  GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      acceptor_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_BAD_SIG indicates that the received input_token contains an
+      incorrect signature, so context setup cannot be accomplished.
+
+   o  GSS_DUPLICATE_TOKEN indicates that the signature on the received
+      input_token was correct, but that the input_token was recognized
+      as a duplicate of an input_token already processed. No new context
+      is established.
+
+   o  GSS_OLD_TOKEN indicates that the signature on the received
+      input_token was correct, but that the input_token is too old to be
+      checked for duplication against previously-processed input_tokens.
+      No new context is established.
+
+   o  GSS_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the referenced
+      credentials are valid for context initiator use only, or because
+      the caller lacks authorization to access the referenced
+      credentials.
+
+
+
+
+Linn                                                           [Page 27]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input acceptor_cred_handle argument are no longer
+      valid, so context establishment cannot be completed.
+
+   o  GSS_BAD_BINDINGS indicates that a mismatch between the caller-
+      provided chan_bindings and those extracted from the input_token
+      was detected, signifying a security-relevant event and preventing
+      context establishment.
+
+   o GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided; this major status will be
+      returned only for successor calls following GSS_CONTINUE_NEEDED
+      status returns.
+
+   o  GSS_FAILURE indicates that context setup could not be accomplished
+      for reasons unspecified at the GSS-API level, and that no
+      interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context()  routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The acceptor_cred_handle must correspond to the same valid
+   credentials structure on the initial call to GSS_Accept_sec_context()
+   and on any successor calls resulting from GSS_CONTINUE_NEEDED status
+   returns; different protocol sequences modeled by the
+   GSS_CONTINUE_NEEDED mechanism will require access to credentials at
+   different points in the context establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Accept_sec_context()  call relating to a
+   given context. That call returns an output_context_handle for future
+   references to this context; when continuation attempts to
+   GSS_Accept_sec_context()  are needed to perform context
+   establishment, that handle value will be entered into the
+   input_context_handle argument.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, and sequence_state) reflect the same context state
+   values as returned to GSS_Init_sec_context()'s  caller at the
+   initiator system.
+
+
+
+Linn                                                           [Page 28]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Seal()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_Sign()  or GSS_Seal())  on
+   the established context.
+
+   The lifetime_rec return value indicates the length of time for which
+   the context will be valid, expressed as an offset from the present.
+   The values of deleg_state, mutual_state, replay_det_state,
+   sequence_state, conf_avail, integ_avail, and lifetime_rec are
+   undefined unless the accompanying major_status indicates COMPLETE.
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(),  any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(),  from the
+   per-message data elements passed to GSS_Verify()  or GSS_Unseal().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context()  must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3. GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+
+
+
+
+Linn                                                           [Page 29]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_COMPLETE indicates that the context was recognized, that
+      relevant context-specific information was flushed, and that the
+      returned output_context_token is ready for transfer to the
+      context's peer.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provide, so no deletion was performed.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Delete_sec_context()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   This call may block pending network interactions for mech_types in
+   which active notification must be made to a central server when a
+   security context is to be deleted.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information and to return an output_context_token
+   which can be passed to the context's peer informing it that the
+   peer's corresponding context information can also be flushed. (Once a
+   context is established, the peers involved are expected to retain
+   cached credential and context-related information until the
+   information's expiration time is reached or until a
+   GSS_Delete_sec_context() call is made.) Attempts to perform per-
+   message processing on a deleted context will result in error returns.
+
+2.2.4.  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_context_token was
+      successfully processed in conjunction with the context referenced
+      by context_handle.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the received context_token failed, preventing further processing
+
+
+
+Linn                                                           [Page 30]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      from being performed with that token.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Process_context_token()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context();  GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_COMPLETE status.
+
+2.2.5.  GSS_Context_time call
+
+   Input:
+
+   o  context_handle INTEGER,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the referenced context is valid, and
+      will remain valid for the amount of time indicated in
+      lifetime_rec.
+
+   o  GSS_CONTEXT_EXPIRED indicates that data items related to the
+      referenced context have expired.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+
+
+Linn                                                           [Page 31]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_FAILURE indicates that the requested operation failed for
+      reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.3.  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_Sign()  is properly input to GSS_Verify(),  and the output from
+   GSS_Seal() is properly input to GSS_Unseal().
+
+   GSS_Sign()  and GSS_Verify() support data origin authentication and
+   data integrity services. When GSS_Sign()  is invoked on an input
+   message, it yields a per-message token containing data items which
+   allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_Verify(),  which validates the message in
+   conjunction with the separate token.
+
+   GSS_Seal()  and GSS_Unseal() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_Sign()  and GSS_Verify(). GSS_Seal()  outputs
+   a single data element, encapsulating optionally enciphered user data
+   as well as associated token data items.  The data element output from
+   GSS_Seal()  is passed to the remote peer and processed by
+   GSS_Unseal()  at that system. GSS_Unseal() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+2.3.1.  GSS_Sign call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                                                           [Page 32]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a signature, suitable for an
+      established security context, was successfully applied and that
+      the message and corresponding per_msg_token are ready for
+      transmission.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      requested operation could not be performed for reasons unspecified
+      at the GSS-API level.
+
+   Using the security context referenced by context_handle, apply a
+   signature to the input message (along with timestamps and/or other
+   data included in support of mech_type-specific mechanisms) and return
+   the result in per_msg_token. The qop_req parameter allows quality-
+   of-protection control. The caller passes the message and the
+   per_msg_token to the target.
+
+   The GSS_Sign()  function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_Sign()  does not guarantee that a corresponding GSS_Verify() has
+   been (or can necessarily be) performed successfully when the message
+   arrives at the destination.
+
+2.3.2.  GSS_Verify call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+
+
+
+Linn                                                           [Page 33]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the message was successfully verified.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the received per_msg_token failed, preventing further processing
+      from being performed with that token.
+
+   o  GSS_BAD_SIG indicates that the received per_msg_token contains an
+      incorrect signature for the message.
+
+   o  GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
+      appear in conjunction with the optional per-message replay
+      detection features described in Section 1.2.3; their semantics are
+      described in that section.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Verify()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate signature for the
+   input message, and apply any active replay detection or sequencing
+   features. Return an indication of the quality-of-protection applied
+   to the processed message in the qop_state result.
+
+
+
+
+
+
+
+
+Linn                                                           [Page 34]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+2.3.3. GSS_Seal call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_message was successfully
+      processed and that the output_message is ready for transmission.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Seal()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_Sign().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter allows
+   quality-of-protection control.
+
+
+
+Linn                                                           [Page 35]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   In all cases, the GSS_Seal()  call yields a single output_message
+   data element containing (optionally enciphered) user data as well as
+   control information.
+
+2.3.4. GSS_Unseal call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_message was successfully
+      processed and that the resulting output_message is available.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the per_msg_token extracted from the input_message failed,
+      preventing further processing from being performed.
+
+   o  GSS_BAD_SIG indicates that an incorrect signature was detected for
+      the message.
+
+   o  GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
+      appear in conjunction with the optional per-message replay
+      detection features described in Section 1.2.3; their semantics are
+      described in that section.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+
+
+
+Linn                                                           [Page 36]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Unseal()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Seal(),  provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unseal()  deciphers the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Seal()  performs the
+   data integrity and data origin authentication checking functions of
+   GSS_Verify()  on the plaintext data. Plaintext data is returned in
+   output_message.
+
+2.4.  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+2.4.1.  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER,-GSS-API major_status or minor_status
+      return value
+
+   o  status_type INTEGER,-1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
+      status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid printable status
+      representation (possibly representing more than one status event
+
+
+
+Linn                                                           [Page 37]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      encoded within the status_value) is available in the returned
+      status_string_set.
+
+   o  GSS_BAD_MECH indicates that translation in accordance with an
+      unsupported mech_type was requested, so translation could not be
+      performed.
+
+   o  GSS_BAD_STATUS indicates that the input status_value was invalid,
+      or that the input status_type carried a value other than 1 or 2,
+      so translation could not be performed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.
+
+2.4.2.  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a set of available mechanisms has
+      been returned in mech_set.
+
+   o  GSS_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from
+   GSS_Acquire_cred(),  and should not be needed by other callers.
+
+2.4.3.  GSS_Compare_name call
+
+   Inputs:
+
+
+
+
+Linn                                                           [Page 38]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that name1 and name2 were comparable, and
+      that the name_equal result indicates whether name1 and name2 were
+      equal or unequal.
+
+   o  GSS_BAD_NAMETYPE indicates that one or both of name1 and name2
+      contained internal type specifiers uninterpretable by the
+      supporting GSS-API implementation, or that the two names' types
+      are different and incomparable, so the equality comparison could
+      not be completed.
+
+   o  GSS_BAD_NAME indicates that one or both of the input names was
+      ill-formed in terms of its internal type specifier, so the
+      equality comparison could not be completed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations for
+   equality.
+
+2.4.4.  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING,
+
+
+
+
+Linn                                                           [Page 39]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  name_type OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid printable name representation
+      is available in the returned name_string.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided name was of a type
+      uninterpretable by the supporting GSS-API implementation, so no
+      printable representation could be generated.
+
+   o  GSS_BAD_NAME indicates that the contents of the provided name were
+      inconsistent with the internally-indicated name type, so no
+      printable representation could be generated.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+2.4.5.  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid name representation is output
+      in output_name and described by the type value in
+      output_name_type.
+
+   o  GSS_BAD_NAMETYPE indicates that the input_name_type is unsupported
+      by the GSS-API implementation, so the import operation could not
+      be completed.
+
+
+
+
+Linn                                                           [Page 40]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_BAD_NAME indicates that the provided input_name_string is
+      ill-formed in terms of the input_name_type, so the import
+      operation could not be completed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a printable name representation, designate
+   the type of namespace in conjunction with which it should be parsed,
+   and convert that printable representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name is a local matter.
+
+2.4.6. GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      name was successfully released.
+
+   o  GSS_BAD_NAME indicates that the input name argument did not
+      contain a valid name.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.
+
+2.4.7. GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                                                           [Page 41]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      buffer was successfully released.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.
+
+2.4.8. GSS_Release_oid_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      object identifier set was successfully released.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.
+
+3.  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+
+
+
+Linn                                                           [Page 42]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+3.1. Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context()  yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_Sign(), GSS_Verify(),
+   GSS_Seal(), and GSS_Unseal() operations.
+
+3.2. Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_CONTINUE_NEEDED
+
+
+
+Linn                                                           [Page 43]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context()  returns
+   GSS_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context()  builds a Kerberos-formatted authenticator,
+   and returns it in output_token along with GSS_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_COMPLETE.
+
+   GSS_Sign(),  GSS_Verify(), GSS_Seal(), and GSS_Unseal()  as above.
+
+3.3.  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred()  call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(),  which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable signatures
+   were applied by trusted authorities and that those certificates have
+   not expired. GSS_Init_sec_context()  generates a secret key for use
+   in per-message protection operations on the context, and enciphers
+   that secret key under the service's public key.
+
+   The enciphered secret key, along with an authenticator quantity
+
+
+
+Linn                                                           [Page 44]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_Sign()  or GSS_Seal() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_Verify()  and GSS_Unseal() calls.
+
+4.  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats must be defined for candidate
+      mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed; such bindings
+   for the C language are available in an associated RFC.
+
+
+
+
+
+
+
+
+Linn                                                           [Page 45]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+5.  Acknowledgments
+
+   This proposal is the result of a collaborative effort.
+   Acknowledgments are due to the many members of the IETF Security Area
+   Advisory Group (SAAG) and the Common Authentication Technology (CAT)
+   Working Group for their contributions at meetings and by electronic
+   mail. Acknowledgments are also due to Kannan Alagappan, Doug Barlow,
+   Bill Brown, Cliff Kahn, Charlie Kaufman, Butler Lampson, Richard
+   Pitkin, Joe Tardo, and John Wray of Digital Equipment Corporation,
+   and John Carr, John Kohl, Jon Rochlis, Jeff Schiller, and Ted T'so of
+   MIT and Project Athena.  Joe Pato and Bill Sommerfeld of HP/Apollo,
+   Walt Tuvell of OSF, and Bill Griffith and Mike Merritt of AT&T,
+   provided inputs which helped to focus and clarify directions.
+   Precursor work by Richard Pitkin, presented to meetings of the
+   Trusted Systems Interoperability Group (TSIG), helped to demonstrate
+   the value of a generic, mechanism-independent security service API.
+
+6. Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+7. Author's Address
+
+   John Linn
+   Geer Zolot Associates
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.3700
+   Email: Linn@gza.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 46]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+APPENDIX  A
+
+PACS AND AUTHORIZATION SERVICES
+
+   Consideration has been given to modifying the GSS-API service
+   interface to recognize and manipulate Privilege Attribute
+   Certificates (PACs) as in ECMA 138, carrying authorization data as a
+   side effect of establishing a security context, but no such
+   modifications have been incorporated at this time. This appendix
+   provides rationale for this decision and discusses compatibility
+   alternatives between PACs and the GSS-API which do not require that
+   PACs be made visible to GSS-API callers.
+
+   Existing candidate mechanism types such as Kerberos and X.509 do not
+   incorporate PAC manipulation features, and exclusion of such
+   mechanisms from the set of candidates equipped to fully support the
+   GSS-API seems inappropriate. Inclusion (and GSS-API visibility) of a
+   feature supported by only a limited number of mechanisms could
+   encourage the development of ostensibly portable applications which
+   would in fact have only limited portability.
+
+   The status quo, in which PACs are not visible across the GSS-API
+   interface, does not preclude implementations in which PACs are
+   carried transparently, within the tokens defined and used for certain
+   mech_types, and stored within peers' credentials and context-level
+   data structures. While invisible to API callers, such PACs could be
+   used by operating system or other local functions as inputs in the
+   course of mediating access requests made by callers. This course of
+   action allows dynamic selection of PAC contents, if such selection is
+   administratively-directed rather than caller-directed.
+
+   In a distributed computing environment, authentication must span
+   different systems; the need for such authentication provides
+   motivation for GSS-API definition and usage. Heterogeneous systems in
+   a network can intercommunicate, with globally authenticated names
+   comprising the common bond between locally defined access control
+   policies. Access control policies to which authentication provides
+   inputs are often local, or specific to particular operating systems
+   or environments. If the GSS-API made particular authorization models
+   visible across its service interface, its scope of application would
+   become less general. The current GSS-API paradigm is consistent with
+   the precedent set by Kerberos, neither defining the interpretation of
+   authorization-related data nor enforcing access controls based on
+   such data.
+
+   The GSS-API is a general interface, whose callers may reside inside
+   or outside any defined TCB or NTCB boundaries. Given this
+   characteristic, it appears more realistic to provide facilities which
+
+
+
+Linn                                                           [Page 47]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   provide "value-added" security services to its callers than to offer
+   facilities which enforce restrictions on those callers. Authorization
+   decisions must often be mediated below the GSS-API level in a local
+   manner against (or in spite of) applications, and cannot be
+   selectively invoked or omitted at those applications' discretion.
+   Given that the GSS-API's placement prevents it from providing a
+   comprehensive solution to the authorization issue, the value of a
+   partial contribution specific to particular authorization models is
+   debatable.
+
+APPENDIX  B
+
+MECHANISM-INDEPENDENT TOKEN FORMAT
+
+   This appendix specifies a mechanism-independent level of
+   encapsulating representation for the initial token of a GSS-API
+   context establishment sequence, incorporating an identifier of the
+   mechanism type to be used on that context. Use of this format (with
+   ASN.1-encoded data elements represented in BER, constrained in the
+   interests of parsing simplicity to the Distinguished Encoding Rule
+   (DER) BER subset defined in X.509, clause 8.7) is recommended to the
+   designers of GSS-API implementations based on various mechanisms, so
+   that tokens can be interpreted unambiguously at GSS-API peers. There
+   is no requirement that the mechanism-specific innerContextToken,
+   innerMsgToken, and sealedUserData data elements be encoded in ASN.1
+   BER.
+
+          -- optional top-level token definitions to
+          -- frame different mechanisms
+
+          GSS-API DEFINITIONS ::=
+
+          BEGIN
+
+          MechType ::= OBJECT IDENTIFIER
+          -- data structure definitions
+
+          -- callers must be able to distinguish among
+          -- InitialContextToken, SubsequentContextToken,
+          -- PerMsgToken, and SealedMessage data elements
+          -- based on the usage in which they occur
+
+          InitialContextToken ::=
+          -- option indication (delegation, etc.) indicated within
+          -- mechanism-specific token
+          [APPLICATION 0] IMPLICIT SEQUENCE {
+                  thisMech MechType,
+                  innerContextToken ANY DEFINED BY thisMech
+
+
+
+Linn                                                           [Page 48]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+                     -- contents mechanism-specific
+                  }
+
+          SubsequentContextToken ::= innerContextToken ANY
+          -- interpretation based on predecessor InitialContextToken
+
+          PerMsgToken ::=
+          -- as emitted by GSS_Sign and processed by GSS_Verify
+                  innerMsgToken ANY
+
+          SealedMessage ::=
+          -- as emitted by GSS_Seal and processed by GSS_Unseal
+          -- includes internal, mechanism-defined indicator
+          -- of whether or not encrypted
+                  sealedUserData ANY
+
+          END
+
+APPENDIX  C
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   Use of the approach defined in Appendix B of this specification,
+   applying a mechanism type tag to the InitialContextToken, is
+   required.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 49]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1509.txt b/crypto/heimdal/doc/standardisation/rfc1509.txt
new file mode 100644
index 0000000..f36cd80
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1509.txt
@@ -0,0 +1,2691 @@
+
+
+
+
+
+
+Network Working Group                                            J. Wray
+Request for Comments: 1509                 Digital Equipment Corporation
+                                                          September 1993
+
+
+               Generic Security Service API : C-bindings
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This document specifies C language bindings for the Generic Security
+   Service Application Program Interface (GSS-API), which is described
+   at a language-independent conceptual level in other documents.
+
+   The Generic Security Service Application Programming Interface (GSS-
+   API) provides security services to its callers, and is intended for
+   implementation atop alternative underlying cryptographic mechanisms.
+   Typically, GSS-API callers will be application protocols into which
+   security enhancements are integrated through invocation of services
+   provided by the GSS-API. The GSS-API allows a caller application to
+   authenticate a principal identity associated with a peer application,
+   to delegate rights to a peer, and to apply security services such as
+   confidentiality and integrity on a per-message basis.
+
+1. INTRODUCTION
+
+   The Generic Security Service Application Programming Interface [1]
+   provides security services to calling applications.  It allows a
+   communicating application to authenticate the user associated with
+   another application, to delegate rights to another application, and
+   to apply security services such as confidentiality and integrity on a
+   per-message basis.
+
+   There are four stages to using the GSSAPI:
+
+   (a) The application acquires a set of credentials with which it may
+       prove its identity to other processes.  The application's
+       credentials vouch for its global identity, which may or may not
+       be related to the local username under which it is running.
+
+
+
+
+
+Wray                                                            [Page 1]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   (b) A pair of communicating applications establish a joint security
+       context using their credentials.  The security context is a
+       pair of GSSAPI data structures that contain shared state
+       information, which is required in order that per-message
+       security services may be provided.  As part of the
+       establishment of a security context, the context initiator is
+       authenticated to the responder, and may require that the
+       responder is authenticated in turn.  The initiator may
+       optionally give the responder the right to initiate further
+       security contexts.  This transfer of rights is termed
+       delegation, and is achieved by creating a set of credentials,
+       similar to those used by the originating application, but which
+       may be used by the responder.  To establish and maintain the
+       shared information that makes up the security context, certain
+       GSSAPI calls will return a token data structure, which is a
+       cryptographically protected opaque data type.  The caller of
+       such a GSSAPI routine is responsible for transferring the token
+       to the peer application, which should then pass it to a
+       corresponding GSSAPI routine which will decode it and extract
+       the information.
+
+   (c) Per-message services are invoked to apply either:
+
+       (i) integrity and data origin authentication, or
+
+       (ii) confidentiality, integrity and data origin authentication
+            to application data, which are treated by GSSAPI as
+            arbitrary octet-strings.  The application transmitting a
+            message that it wishes to protect will call the appropriate
+            GSSAPI routine (sign or seal) to apply protection, specifying
+            the appropriate security context, and send the result to the
+            receiving application.  The receiver will pass the received
+            data to the corresponding decoding routine (verify or unseal)
+            to remove the protection and validate the data.
+
+   (d) At the completion of a communications session (which may extend
+       across several connections), the peer applications call GSSAPI
+       routines to delete the security context.  Multiple contexts may
+       also be used (either successively or simultaneously) within a
+       single communications association.
+
+2. GSSAPI Routines
+
+   This section lists the functions performed by each of the GSSAPI
+   routines and discusses their major parameters, describing how they
+   are to be passed to the routines.  The routines are listed in figure
+   4-1.
+
+
+
+
+Wray                                                            [Page 2]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                      Figure 4-1  GSSAPI Routines
+
+
+            Routine                               Function
+
+            gss_acquire_cred               Assume a global identity
+
+            gss_release_cred               Discard credentials
+
+            gss_init_sec_context           Initiate a security context
+                                           with a peer application
+
+            gss_accept_sec_context         Accept a security context
+                                           initiated by a peer
+                                           application
+
+            gss_process_context_token      Process a token on a security
+                                           context from a peer
+                                           application
+
+            gss_delete_sec_context         Discard a security context
+
+            gss_context_time               Determine for how long a
+                                           context will remain valid
+
+            gss_sign                       Sign a message; integrity
+                                           service
+
+            gss_verify                     Check signature on a message
+
+            gss_seal                       Sign (optionally encrypt) a
+                                           message; confidentiality
+                                           service
+
+            gss_unseal                     Verify (optionally decrypt)
+                                           message
+
+            gss_display_status             Convert an API status code
+                                           to text
+
+            gss_indicate_mechs             Determine underlying
+                                           authentication mechanism
+
+            gss_compare_name               Compare two internal-form
+                                           names
+
+            gss_display_name               Convert opaque name to text
+
+
+
+
+Wray                                                            [Page 3]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+            gss_import_name                Convert a textual name to
+                                           internal-form
+
+            gss_release_name               Discard an internal-form
+                                           name
+
+            gss_release_buffer             Discard a buffer
+
+            gss_release_oid_set            Discard a set of object
+                                           identifiers
+
+            gss_inquire_cred               Determine information about
+                                           a credential
+
+   Individual GSSAPI implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms.  Applications
+   are encouraged to use the generic routines wherever possible on
+   portability grounds.
+
+2.1. Data Types and Calling Conventions
+
+   The following conventions are used by the GSSAPI:
+
+2.1.1. Structured data types
+
+   Wherever these GSSAPI C-bindings describe structured data, only
+   fields that must be provided by all GSSAPI implementation are
+   documented.  Individual implementations may provide additional
+   fields, either for internal use within GSSAPI routines, or for use by
+   non-portable applications.
+
+2.1.2. Integer types
+
+   GSSAPI defines the following integer data type:
+
+                 OM_uint32      32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data
+   type is used by the GSSAPI routine definitions. Individual GSSAPI
+   implementations will include appropriate typedef definitions to map
+   this type onto a built-in data type.
+
+2.1.3. String and similar data
+
+   Many of the GSSAPI routines take arguments and return values that
+   describe contiguous multiple-byte data.  All such data is passed
+   between the GSSAPI and the caller using the gss_buffer_t data type.
+
+
+
+Wray                                                            [Page 4]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   This data type is a pointer to a buffer descriptor, which consists of
+   a length field that contains the total number of bytes in the datum,
+   and a value field which contains a pointer to the actual datum:
+
+                 typedef struct gss_buffer_desc_struct {
+                    size_t  length;
+                    void    *value;
+                 } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data passed to the application by a GSSAPI routine using
+   the gss_buffer_t conventions is allocated by the GSSAPI routine.  The
+   application may free this storage by invoking the gss_release_buffer
+   routine.  Allocation of the gss_buffer_desc object is always the
+   responsibility of the application;  Unused gss_buffer_desc objects
+   may be initialized to the value GSS_C_EMPTY_BUFFER.
+
+2.1.3.1. Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at
+   the GSSAPI, because their internal structure has no significance
+   either to the GSSAPI or to the caller.  Examples of such opaque data
+   types are the input_token parameter to gss_init_sec_context (which is
+   opaque to the caller), and the input_message parameter to gss_seal
+   (which is opaque to the GSSAPI).  Opaque data is passed between the
+   GSSAPI and the application using the gss_buffer_t datatype.
+
+2.1.3.2. Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO
+   Latin-1 character strings.  An example of this is the
+   input_name_buffer parameter to gss_import_name.  Some GSSAPI routines
+   also return character strings.  Character strings are passed between
+   the application and the GSSAPI using the gss_buffer_t datatype,
+   defined earlier.
+
+2.1.4. Object Identifiers
+
+   Certain GSSAPI procedures take parameters of the type gss_OID, or
+   Object identifier.  This is a type containing ISO-defined tree-
+   structured values, and is used by the GSSAPI caller to select an
+   underlying security mechanism.  A value of type gss_OID has the
+   following structure:
+
+                 typedef struct gss_OID_desc_struct {
+                    OM_uint32 length;
+                    void      *elements;
+                 } gss_OID_desc, *gss_OID;
+
+
+
+
+Wray                                                            [Page 5]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value of the
+   gss_OID.  The length field contains the number of bytes in this
+   value.  For example, the  gss_OID value corresponding to {iso(1)
+   identified- oganization(3) icd-ecma(12) member-company(2) dec(1011)
+   cryptoAlgorithms(7) SPX(5)} meaning SPX (Digital's X.509
+   authentication mechanism) has a length field of 7 and an elements
+   field pointing to seven octets containing the following octal values:
+   53,14,2,207,163,7,5. GSSAPI implementations should provide constant
+   gss_OID values to allow callers to request any supported mechanism,
+   although applications are encouraged on portability grounds to accept
+   the default mechanism.   gss_OID values should also be provided to
+   allow applications to specify particular name types (see section
+   2.1.10).  Applications should treat gss_OID_desc values returned by
+   GSSAPI routines as read-only.  In particular, the application should
+   not attempt to deallocate them.  The gss_OID_desc datatype is
+   equivalent to the X/Open OM_object_identifier datatype [2].
+
+2.1.5. Object Identifier Sets
+
+   Certain GSSAPI procedures take parameters of the type gss_OID_set.
+   This type represents one or more object identifiers (section 2.1.4).
+   A gss_OID_set object has the following structure:
+
+                 typedef struct gss_OID_set_desc_struct {
+                    int       count;
+                    gss_OID   elements;
+                 } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each
+   of which describes a single OID. gss_OID_set values are used to name
+   the available mechanisms supported by the GSSAPI, to request the use
+   of specific mechanisms, and to indicate which mechanisms a given
+   credential supports.  Storage associated with gss_OID_set values
+   returned to the application by the GSSAPI may be deallocated by the
+   gss_release_oid_set routine.
+
+2.1.6. Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSSAPI credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which may be implemented as either an
+   arithmetic or a pointer type.  Credentials describe a principal, and
+   they give their holder the ability to act as that principal.  The
+   GSSAPI does not make the actual credentials available to
+   applications; instead the credential handle is used to identify a
+   particular credential, held internally by GSSAPI or underlying
+
+
+
+Wray                                                            [Page 6]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   mechanism.  Thus the credential handle contains no security-relavent
+   information, and requires no special protection by the application.
+   Depending on the implementation, a given credential handle may refer
+   to different credentials when presented to the GSSAPI by different
+   callers.  Individual GSSAPI implementations should define both the
+   scope of a credential handle and the scope of a credential itself
+   (which must be at least as wide as that of a handle).  Possibilities
+   for credential handle scope include the process that acquired the
+   handle, the acquiring process and its children, or all processes
+   sharing some local identification information (e.g., UID).  If no
+   handles exist by which a given credential may be reached, the GSSAPI
+   may delete the credential.
+
+   Certain routines allow credential handle parameters to be omitted to
+   indicate the use of a default credential.  The mechanism by which a
+   default credential is established and its scope should be defined by
+   the individual GSSAPI implementation.
+
+2.1.7. Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSSAPI security context.  It may be
+   implemented as either an arithmetic or a pointer type. Depending on
+   the implementation, a given gss_ctx_id_t value may refer to different
+   GSSAPI security contexts when presented to the GSSAPI by different
+   callers.  The security context holds state information about each end
+   of a peer communication, including cryptographic state information.
+   Individual GSSAPI implementations should define the scope of a
+   context.  Since no way is provided by which a new gss_ctx_id_t value
+   may be obtained for an existing context, the scope of a context
+   should be the same as the scope of a gss_ctx_id_t.
+
+2.1.8. Authentication tokens
+
+   A token is a caller-opaque type that GSSAPI uses to maintain
+   synchronization between the context data structures at each end of a
+   GSSAPI security context.  The token is a cryptographically protected
+   bit-string, generated by the underlying mechanism at one end of a
+   GSSAPI security context for use by the peer mechanism at the other
+   end.  Encapsulation (if required) and transfer of the token are the
+   responsibility of the peer applications.  A token is passed between
+   the GSSAPI and the application using the gss_buffer_t conventions.
+
+2.1.9. Status values
+
+   One or more status codes are returned by each GSSAPI routine.  Two
+   distinct sorts of status codes are returned.  These are termed GSS
+   status codes and Mechanism status codes.
+
+
+
+Wray                                                            [Page 7]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+2.1.9.1. GSS status codes
+
+   GSSAPI routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSSAPI
+   specification) or calling errors (errors that are specific to these
+   bindings).
+
+   A GSS status code can indicate a single fatal generic API error from
+   the routine and a single calling error.  In addition, supplementary
+   status information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+      MSB                                                        LSB
+      |------------------------------------------------------------|
+      | Calling Error | Routine Error  |    Supplementary Info     |
+      |------------------------------------------------------------|
+   Bit 31           24 23            16 15                        0
+
+   Hence if a GSSAPI routine returns a GSS status code whose upper 16
+   bits contain a non-zero value, the call failed.  If the calling error
+   field is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper
+   16 bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info
+   field of the status code.  The meaning of individual bits is listed
+   below in table 5-3.
+
+                     Table 5-1  Calling Errors
+
+              Name                    Value in        Meaning
+                                        Field
+         GSS_S_CALL_INACCESSIBLE_READ     1           A required input
+                                                      parameter could
+                                                      not be read.
+         GSS_S_CALL_INACCESSIBLE_WRITE    2           A required output
+                                                      parameter could
+                                                      not be written.
+         GSS_S_CALL_BAD_STRUCTURE         3           A parameter was
+                                                      malformed
+
+
+
+
+
+Wray                                                            [Page 8]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                     Table 5-2  Routine Errors
+
+               Name             Value in       Meaning
+                                 Field
+
+         GSS_S_BAD_MECH             1      An unsupported mechanism was
+                                           requested
+         GSS_S_BAD_NAME             2      An invalid name was supplied
+         GSS_S_BAD_NAMETYPE         3      A supplied name was of an
+                                           unsupported type
+         GSS_S_BAD_BINDINGS         4      Incorrect channel bindings
+                                           were supplied
+         GSS_S_BAD_STATUS           5      An invalid status code was
+                                           supplied
+
+         GSS_S_BAD_SIG              6      A token had an invalid
+                                           signature
+         GSS_S_NO_CRED              7      No credentials were supplied
+         GSS_S_NO_CONTEXT           8      No context has been
+                                           established
+         GSS_S_DEFECTIVE_TOKEN      9      A token was invalid
+         GSS_S_DEFECTIVE_CREDENTIAL 10     A credential was invalid
+         GSS_S_CREDENTIALS_EXPIRED  11     The referenced credentials
+                                           have expired
+         GSS_S_CONTEXT_EXPIRED      12     The context has expired
+         GSS_S_FAILURE              13     Miscellaneous failure
+                                           (see text)
+
+                     Table 5-3  Supplementary Status Bits
+
+         Name                Bit Number         Meaning
+         GSS_S_CONTINUE_NEEDED   0 (LSB)  The routine must be called
+                                          again to complete its
+                                          function.
+                                          See routine documentation for
+                                          detailed description.
+         GSS_S_DUPLICATE_TOKEN   1        The token was a duplicate of
+                                          an earlier token
+         GSS_S_OLD_TOKEN         2        The token's validity period
+                                          has expired
+         GSS_S_UNSEQ_TOKEN       3        A later token has already been
+                                          processed
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is
+   a zero value, to indicate an absence of any API errors or
+   supplementary information bits.
+
+
+
+
+
+Wray                                                            [Page 9]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes,
+   rather than to bitfield values.  For example, the actual value of the
+   symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3
+   << 16.
+
+   The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS
+   status code and removes all but the relevant field.  For example, the
+   value obtained by applying GSS_ROUTINE_ERROR to a status code removes
+   the calling errors and supplementary info fields, leaving only the
+   routine errors field.  The values delivered by these macros may be
+   directly compared with a GSS_S_xxx symbol of the appropriate type.
+   The macro GSS_ERROR() is also provided, which when applied to a GSS
+   status code returns a non-zero value if the status code indicated a
+   calling or routine error, and a zero value otherwise.
+
+   A GSSAPI implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value; routine errors and supplementary info should be returned via
+   routine status values only.
+
+2.1.9.2. Mechanism-specific status codes
+
+   GSSAPI routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error,
+   indicated by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSSAPI routine,
+   even if it returns a calling error or one of the generic API errors
+   indicated above as fatal, although other output parameters may remain
+   unset in such cases.  However, output parameters that are expected to
+   return pointers to storage allocated by a routine must always set set
+   by the routine, even in the event of an error, although in such cases
+   the GSSAPI routine may elect to set the returned parameter value to
+   NULL to indicate that no storage was actually allocated.  Any length
+   field associated with such pointers (as in a gss_buffer_desc
+   structure) should also be set to zero in such cases.
+
+   The GSS status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS
+   status code is defined.  The mechanism status code will provide more
+   details about the error.
+
+2.1.10. Names
+
+   A name is used to identify a person or entity.  GSSAPI authenticates
+   the relationship between a name and the entity claiming the name.
+
+
+
+Wray                                                           [Page 10]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Two distinct representations are defined for names:
+
+        (a) A printable form, for presentation to a user
+
+        (b) An internal form, for presentation at the API
+
+   The syntax of a printable name is defined by the GSSAPI
+   implementation, and may be dependent on local system configuration,
+   or on individual user preference.  The internal form provides a
+   canonical representation of the name that is independent of
+   configuration.
+
+   A given GSSAPI implementation may support names drawn from multiple
+   namespaces.  In such an implementation, the internal form of the name
+   must include fields that identify the namespace from which the name
+   is drawn.  The namespace from which a printable name is drawn is
+   specified by an accompanying object identifier.
+
+   Routines (gss_import_name and  gss_display_name) are provided to
+   convert names between their printable representations and the
+   gss_name_t type.  gss_import_name may support multiple syntaxes for
+   each supported namespace, allowing users the freedom to choose a
+   preferred name representation.  gss_display_name should use an
+   implementation-chosen preferred syntax for each supported name-type.
+
+   Comparison of internal-form names is accomplished via the
+   gss_compare_names routine.  This removes the need for the application
+   program to understand the syntaxes of the various printable names
+   that a given GSSAPI implementation may support.
+
+   Storage is allocated by routines that return gss_name_t values.  A
+   procedure, gss_release_name, is provided to free storage associated
+   with a name.
+
+2.1.11. Channel Bindings
+
+   GSSAPI supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are used to identify the
+   particular communications channel that carries the context.  Channel
+   bindings are communicated to the GSSAPI using the following
+   structure:
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 11]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                 typedef struct gss_channel_bindings_struct {
+                    OM_uint32       initiator_addrtype;
+                    gss_buffer_desc initiator_address;
+                    OM_uint32       acceptor_addrtype;
+                    gss_buffer_desc acceptor_address;
+                    gss_buffer_desc application_data;
+                 } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type
+   of addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+          GSS_C_AF_UNSPEC      Unspecified address type
+          GSS_C_AF_LOCAL       Host-local address type
+          GSS_C_AF_INET        DARPA Internet address type
+          GSS_C_AF_IMPLINK     ARPAnet IMP address type (eg IP)
+          GSS_C_AF_PUP         pup protocols (eg BSP) address type
+          GSS_C_AF_CHAOS       MIT CHAOS protocol address type
+          GSS_C_AF_NS          XEROX NS address type
+          GSS_C_AF_NBS         nbs address type
+          GSS_C_AF_ECMA        ECMA address type
+          GSS_C_AF_DATAKIT     datakit protocols address type
+          GSS_C_AF_CCITT       CCITT protocols (eg X.25)
+          GSS_C_AF_SNA         IBM SNA address type
+          GSS_C_AF_DECnet      DECnet address type
+          GSS_C_AF_DLI         Direct data link interface address type
+          GSS_C_AF_LAT         LAT address type
+          GSS_C_AF_HYLINK      NSC Hyperchannel address type
+          GSS_C_AF_APPLETALK   AppleTalk address type
+          GSS_C_AF_BSC         BISYNC 2780/3780 address type
+          GSS_C_AF_DSS         Distributed system services address type
+          GSS_C_AF_OSI         OSI TP4 address type
+          GSS_C_AF_X25         X25
+          GSS_C_AF_NULLADDR    No address specified
+
+   Note that these name address families rather than specific addressing
+   formats.  For address families that contain several alternative
+   address forms, the initiator_address and acceptor_address fields must
+   contain sufficient information to determine which address form is
+   used.  When not otherwise specified, addresses should be specified in
+   network byte-order.
+
+   Conceptually, the GSSAPI concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism signs this
+   octet string, and binds the signature to the context establishment
+   token emitted by gss_init_sec_context.  The same bindings are
+   presented by the context acceptor to gss_accept_sec_context, and a
+
+
+
+Wray                                                           [Page 12]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   signature is calculated in the same way.  The calculated signature is
+   compared with that found in the token, and if the signatures differ,
+   gss_accept_sec_context will return a GSS_S_BAD_BINDINGS error, and
+   the context will not be established.  Some mechanisms may include the
+   actual channel binding data in the token (rather than just a
+   signature); applications should therefore not use confidential data
+   as channel-binding components.  Individual mechanisms may impose
+   additional constraints on addresses and address types that may appear
+   in channel bindings.  For example, a mechanism may verify that the
+   initiator_address field of the channel bindings presented to
+   gss_init_sec_context contains the correct network address of the host
+   system.
+
+2.1.12. Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+2.1.12.1. gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned
+   via the parameter is not required by the application.
+
+2.1.12.2. Integer types (input)
+
+   Individual parameter documentation lists values to be used to
+   indicate default actions.
+
+2.1.12.3. Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+2.1.12.4. Pointer types
+
+   Specify NULL as the value.
+
+2.1.12.5. Object IDs
+
+   Specify GSS_C_NULL_OID as the value.
+
+2.1.12.6. Object ID Sets
+
+   Specify GSS_C_NULL_OID_SET as the value.
+
+
+
+Wray                                                           [Page 13]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+2.1.12.7. Credentials
+
+   Specify GSS_C_NO_CREDENTIAL to use the default credential handle.
+
+2.1.12.8. Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings
+   are not to be used.
+
+3. GSSAPI routine descriptions
+
+2.1. gss_acquire_cred
+
+      OM_uint32  gss_acquire_cred (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      desired_name,
+                     OM_uint32       time_req,
+                     gss_OID_set     desired_mechs,
+                     int             cred_usage,
+                     gss_cred_id_t * output_cred_handle,
+                     gss_OID_set *   actual_mechs,
+                      OM_int32 *      time_rec)
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing
+   credential by name.  GSSAPI implementations must impose a local
+   access-control policy on callers of this routine to prevent
+   unauthorized callers from acquiring credentials to which they are not
+   entitled.  This routine is not intended to provide a "login to the
+   network" function, as such a function would result in the creation of
+   new credentials rather than merely acquiring a handle to existing
+   credentials.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g., by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of
+   gss_acquire_cred must return valid credential data, and may therefore
+   incur the overhead of a deferred credential acquisition.
+
+   Parameters:
+
+      desired_name      gss_name_t, read
+                        Name of principal whose credential
+                        should be acquired
+
+
+
+Wray                                                           [Page 14]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      time_req          integer, read
+                        number of seconds that credentials
+                        should remain valid
+
+      desired_mechs     Set of Object IDs, read
+                        set of underlying security mechanisms that
+                        may be used.  GSS_C_NULL_OID_SET may be used
+                        to obtain an implementation-specific default.
+
+      cred_usage        integer, read
+                        GSS_C_BOTH - Credentials may be used
+                                     either to initiate or accept
+                                     security contexts.
+                        GSS_C_INITIATE - Credentials will only be
+                                         used to initiate security
+                                         contexts.
+                        GSS_C_ACCEPT - Credentials will only be used to
+                                       accept security contexts.
+
+      output_cred_handle   gss_cred_id_t, modify
+                           The returned credential handle.
+
+      actual_mechs      Set of Object IDs, modify, optional
+                        The set of mechanisms for which the
+                        credential is valid.  Specify NULL
+                        if not required.
+
+      time_rec          Integer, modify, optional
+                        Actual number of seconds for which the
+                        returned credentials will remain valid.  If the
+                        implementation does not support expiration of
+                        credentials, the value GSS_C_INDEFINITE will
+                        be returned. Specify NULL if not required
+
+      minor_status      Integer, modify
+                        Mechanism specific status code.
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_MECH    Unavailable mechanism requested
+
+      GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is
+                        not supported
+
+      GSS_S_BAD_NAME    Value supplied for desired_name parameter is
+
+
+
+Wray                                                           [Page 15]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        ill-formed.
+
+      GSS_S_FAILURE     Unspecified failure.  The minor_status parameter
+                        contains more detailed information
+
+3.2. gss_release_cred
+
+      OM_uint32  gss_release_cred (
+                     OM_uint32 *     minor_status,
+                     gss_cred_id_t * cred_handle)
+
+   Purpose:
+
+   Informs GSSAPI that the specified credential handle is no longer
+   required by the process.  When all processes have released a
+   credential, it will be deleted.
+
+   Parameters:
+
+      cred_handle       gss_cred_id_t, modify, optional
+                        buffer containing opaque credential
+                        handle.  If  GSS_C_NO_CREDENTIAL  is supplied,
+                        the default credential will be released
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 16]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.3. gss_init_sec_context
+
+      OM_uint32  gss_init_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_cred_id_t   claimant_cred_handle,
+                     gss_ctx_id_t *  context_handle,
+                     gss_name_t      target_name,
+                     gss_OID         mech_type,
+                     int             req_flags,
+                     int             time_req,
+                     gss_channel_bindings_t
+                                     input_chan_bindings,
+                     gss_buffer_t    input_token
+                     gss_OID *       actual_mech_type,
+                     gss_buffer_t    output_token,
+                     int *           ret_flags,
+                     OM_uint32 *     time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified as GSS_C_NO_BUFFER.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_accept_sec_context.
+   If no token need be sent, gss_init_sec_context will indicate this by
+   setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_init_sec_context will
+   return a status indicating GSS_S_CONTINUE_NEEDED in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_init_sec_context via the
+   input_token parameters.
+
+   The values returned via the ret_flags and time_rec parameters are not
+   defined unless the routine returns GSS_S_COMPLETE.
+
+   Parameters:
+
+      claimant_cred_handle  gss_cred_id_t, read, optional
+                            handle for credentials claimed.  Supply
+                            GSS_C_NO_CREDENTIAL to use default
+                            credentials.
+
+      context_handle    gss_ctx_id_t, read/modify
+                        context handle for new context.  Supply
+                        GSS_C_NO_CONTEXT for first call; use value
+                        returned by first call in continuation calls.
+
+
+
+Wray                                                           [Page 17]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      target_name       gss_name_t, read
+                        Name of target
+
+      mech_type         OID, read, optional
+                        Object ID of desired mechanism. Supply
+                        GSS_C_NULL_OID to obtain an implementation
+                        specific default
+
+      req_flags         bit-mask, read
+                        Contains four independent flags, each of
+                        which requests that the context support a
+                        specific service option.  Symbolic
+                        names are provided for each flag, and the
+                        symbolic names corresponding to the required
+                        flags should be logically-ORed
+                        together to form the bit-mask value.  The
+                        flags are:
+
+                        GSS_C_DELEG_FLAG
+                              True - Delegate credentials to remote peer
+                              False - Don't delegate
+                        GSS_C_MUTUAL_FLAG
+                              True - Request that remote peer
+                                     authenticate itself
+                              False - Authenticate self to remote peer
+                                      only
+                        GSS_C_REPLAY_FLAG
+                              True - Enable replay detection for signed
+                                     or sealed messages
+                              False - Don't attempt to detect
+                                      replayed messages
+                        GSS_C_SEQUENCE_FLAG
+                              True - Enable detection of out-of-sequence
+                                     signed or sealed messages
+                              False - Don't attempt to detect
+                                      out-of-sequence messages
+
+      time_req          integer, read
+                        Desired number of seconds for which context
+                        should remain valid.  Supply 0 to request a
+                        default validity period.
+
+      input_chan_bindings     channel bindings, read
+                              Application-specified bindings.  Allows
+                              application to securely bind channel
+                              identification information to the security
+                              context.
+
+
+
+
+Wray                                                           [Page 18]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      input_token       buffer, opaque, read, optional (see text)
+                        Token received from peer application.
+                        Supply GSS_C_NO_BUFFER on initial call.
+
+      actual_mech_type  OID, modify
+                        actual mechanism used.
+
+      output_token      buffer, opaque, modify
+                        token to be sent to peer application.  If
+                        the length field of the returned buffer is
+                        zero, no token need be sent to the peer
+                        application.
+
+      ret_flags         bit-mask, modify
+                        Contains six independent flags, each of which
+                        indicates that the context supports a specific
+                        service option.  Symbolic names are provided
+                        for each flag, and the symbolic names
+                        corresponding to the required flags should be
+                        logically-ANDed with the ret_flags value to test
+                        whether a given option is supported by the
+                        context.  The flags are:
+
+                        GSS_C_DELEG_FLAG
+                              True - Credentials were delegated to
+                                     the remote peer
+                              False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                              True - Remote peer has been asked to
+                                     authenticated itself
+                              False - Remote peer has not been asked to
+                                      authenticate itself
+                        GSS_C_REPLAY_FLAG
+                              True - replay of signed or sealed messages
+                                     will be detected
+                              False - replayed messages will not be
+                                      detected
+                        GSS_C_SEQUENCE_FLAG
+                              True - out-of-sequence signed or sealed
+                                     messages will be detected
+                              False - out-of-sequence messages will not
+                                      be detected
+                        GSS_C_CONF_FLAG
+                              True - Confidentiality service may be
+                                     invoked by calling seal routine
+                              False - No confidentiality service (via
+                                      seal) available. seal will provide
+                                      message encapsulation, data-origin
+
+
+
+Wray                                                           [Page 19]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                                      authentication and integrity
+                                      services only.
+                        GSS_C_INTEG_FLAG
+                              True - Integrity service may be invoked by
+                                     calling either gss_sign or gss_seal
+                                     routines.
+                              False - Per-message integrity service
+                                      unavailable.
+
+      time_rec          integer, modify, optional
+                        number of seconds for which the context
+                        will remain valid. If the implementation does
+                        not support credential expiration, the value
+                        GSS_C_INDEFINITE will be returned.  Specify
+                        NULL if not required.
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+   GSS status code:
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                     application is required to complete thecontext, and
+                     that gss_init_sec_context must be called again with
+                     that token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
+                     the input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                     performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     initiation, or the credential handle did not
+                     reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel
+                     bindings to those specified via the
+                     input_chan_bindings parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid signature, or a
+                     signature that could not be verified
+
+
+
+Wray                                                           [Page 20]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
+                     a token already processed.  This is a fatal error
+                     during context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                     invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_FAILURE     Failure.  See minor_status for more information
+
+3.4. gss_accept_sec_context
+
+      OM_uint32  gss_accept_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t *  context_handle,
+                     gss_cred_id_t   verifier_cred_handle,
+                     gss_buffer_t    input_token_buffer
+                     gss_channel_bindings_t
+                                     input_chan_bindings,
+                     gss_name_t *    src_name,
+                     gss_OID *       mech_type,
+                     gss_buffer_t    output_token,
+                     int *           ret_flags,
+                     OM_uint32 *     time_rec,
+                     gss_cred_id_t * delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application
+   and a remote peer to be established.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_init_sec_context.
+   If no token need be sent, gss_accept_sec_context will indicate this
+   by setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_accept_sec_context
+   will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_accept_sec_context via the
+   input_token parameters.
+
+
+
+
+Wray                                                           [Page 21]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   The values returned via the src_name, ret_flags, time_rec, and
+   delegated_cred_handle parameters are not defined unless the routine
+   returns GSS_S_COMPLETE.
+
+   Parameters:
+
+      context_handle    gss_ctx_id_t, read/modify
+                        context handle for new context.  Supply
+                        GSS_C_NO_CONTEXT for first call; use value
+                        returned in subsequent calls.
+
+      verifier_cred_handle    gss_cred_id_t, read, optional
+                              Credential handle claimed by context
+      acceptor.
+                              Specify GSS_C_NO_CREDENTIAL to use default
+                              credentials.  If GSS_C_NO_CREDENTIAL is
+                              specified, but the caller has no default
+                              credentials established, an
+                              implementation-defined default credential
+                              may be used.
+
+      input_token_buffer      buffer, opaque, read
+                              token obtained from remote application
+
+      input_chan_bindings     channel bindings, read
+                              Application-specified bindings.  Allows
+                              application to securely bind channel
+                              identification information to the security
+                              context.
+
+      src_name          gss_name_t, modify, optional
+                        Authenticated name of context initiator.
+                        After use, this name should be deallocated by
+                        passing it to gss_release_name.  If not required,
+                        specify NULL.
+
+      mech_type         Object ID, modify
+                        Security mechanism used.  The returned
+                        OID value will be a pointer into static
+                        storage, and should be treated as read-only
+                        by the caller.
+
+      output_token      buffer, opaque, modify
+                        Token to be passed to peer application. If the
+                        length field of the returned token buffer is 0,
+                        then no token need be passed to the peer
+                        application.
+
+
+
+
+Wray                                                           [Page 22]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      ret_flags         bit-mask, modify
+                        Contains six independent flags, each of
+                        which indicates that the context supports a
+                        specific service option.  Symbolic names are
+                        provided for each flag, and the symbolic names
+                        corresponding to the required flags
+                        should be logically-ANDed with the ret_flags
+                        value to test whether a given option is
+                        supported by the context.  The flags are:
+                        GSS_C_DELEG_FLAG
+                              True - Delegated credentials are available
+                                     via the delegated_cred_handle
+                                     parameter
+                              False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                              True - Remote peer asked for mutual
+                                     authentication
+                              False - Remote peer did not ask for mutual
+                                      authentication
+                        GSS_C_REPLAY_FLAG
+                              True - replay of signed or sealed messages
+                                     will be detected
+                              False - replayed messages will not be
+                                      detected
+                        GSS_C_SEQUENCE_FLAG
+                              True - out-of-sequence signed or sealed
+                                     messages will be detected
+                              False - out-of-sequence messages will not
+                                      be detected
+                        GSS_C_CONF_FLAG
+                              True - Confidentiality service may be
+                                     invoked by calling seal routine
+                              False - No confidentiality service (via
+                                      seal) available. seal will
+                                      provide message encapsulation,
+                                      data-origin authentication and
+                                      integrity services only.
+                        GSS_C_INTEG_FLAG
+                              True - Integrity service may be invoked
+                                     by calling either gss_sign or
+                                     gss_seal routines.
+                              False - Per-message integrity service
+                                      unavailable.
+
+      time_rec          integer, modify, optional
+                        number of seconds for which the context
+                        will remain valid. Specify NULL if not required.
+
+
+
+
+Wray                                                           [Page 23]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      delegated_cred_handle
+                        gss_cred_id_t, modify
+                        credential handle for credentials received from
+                        context initiator.  Only valid if deleg_flag in
+                        ret_flags is true.
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                        application is required to complete the context,
+                        and that gss_accept_sec_context must be called
+                        again with that token.
+
+      GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
+                        performed on the input_token failed.
+
+      GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                        performed on the credential failed.
+
+      GSS_S_NO_CRED The supplied credentials were not valid for
+                        context acceptance, or the credential handle
+                        did not reference any credentials.
+
+      GSS_S_CREDENTIALS_EXPIRED The referenced credentials have
+                        expired.
+
+      GSS_S_BAD_BINDINGS The input_token contains different channel
+                        bindings to those specified via the
+                        input_chan_bindings parameter.
+
+      GSS_S_NO_CONTEXT Indicates that the supplied context handle did
+                       not refer to a valid context.
+
+      GSS_S_BAD_SIG    The input_token contains an invalid signature.
+
+      GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal
+                        error during context establishment.
+
+      GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a
+                        duplicate of a token already processed.  This
+                        is a fatal error during context establishment.
+
+
+
+Wray                                                           [Page 24]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.5. gss_process_context_token
+
+      OM_uint32  gss_process_context_token (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    token_buffer)
+
+   Purpose:
+
+   Provides a way to pass a token to the security service.  Usually,
+   tokens are associated either with context establishment (when they
+   would be passed to gss_init_sec_context or gss_accept_sec_context) or
+   with per-message security service (when they would be passed to
+   gss_verify or gss_unseal).  Occasionally, tokens may be received at
+   other times, and gss_process_context_token allows such tokens to be
+   passed to the underlying security service for processing.  At
+   present, such additional tokens may only be generated by
+   gss_delete_sec_context.  GSSAPI implementation may use this service
+   to implement deletion of the security context.
+
+   Parameters:
+
+      context_handle    gss_ctx_id_t, read
+                        context handle of context on which token is to
+                        be processed
+
+      token_buffer      buffer, opaque, read
+                        pointer to first byte of token to process
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
+                        performed on the token failed
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information
+
+      GSS_S_NO_CONTEXT The context_handle did not refer to a valid
+                       context
+
+
+
+
+Wray                                                           [Page 25]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.6. gss_delete_sec_context
+
+      OM_uint32  gss_delete_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t *  context_handle,
+                     gss_buffer_t    output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the
+   local data structures associated with the specified security context,
+   and generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  No
+   further security services may be obtained using the context specified
+   by context_handle.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, modify
+                        context handle identifying context to delete.
+
+      output_token      buffer, opaque, modify
+                        token to be sent to remote application to
+                        instruct it to also delete the context
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_FAILURE     Failure, see minor_status for more information
+
+      GSS_S_NO_CONTEXT  No valid context was supplied
+
+3.7. gss_context_time
+
+      OM_uint32  gss_context_time (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     OM_uint32 *     time_rec)
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+
+
+Wray                                                           [Page 26]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      Parameters:
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        Identifies the context to be interrogated.
+
+      time_rec          integer, modify
+                        Number of seconds that the context will remain
+                        valid.  If the context has already expired,
+                        zero will be returned.
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT The context_handle parameter did not identify a
+                        valid context
+
+3.8. gss_sign
+
+      OM_uint32  gss_sign (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     int             qop_req,
+                     gss_buffer_t    message_buffer,
+                     gss_buffer_t    msg_token)
+   Purpose:
+
+   Generates a cryptographic signature for the supplied message, and
+   places the signature in a token for transfer to the peer application.
+   The qop_req parameter allows a choice between several cryptographic
+   algorithms, if supported by the chosen mechanism.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+
+
+
+Wray                                                           [Page 27]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        will be sent
+
+      qop_req           integer, read, optional
+                        Specifies requested quality of protection.
+                        Callers are encouraged, on portability grounds,
+                        to accept the default quality of protection
+                        offered by the chosen mechanism, which may be
+                        requested by specifying GSS_C_QOP_DEFAULT for
+                        this parameter.  If an unsupported protection
+                        strength is requested, gss_sign will return a
+                        major_status of GSS_S_FAILURE.
+
+      message_buffer    buffer, opaque, read
+                        message to be signed
+
+      msg_token         buffer, opaque, modify
+                        buffer to receive token
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure. See minor_status for more information.
+
+3.9. gss_verify
+
+      OM_uint32  gss_verify (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    message_buffer,
+                     gss_buffer_t    token_buffer,
+                     int *           qop_state)
+   Purpose:
+
+   Verifies that a cryptographic signature, contained in the token
+   parameter, fits the supplied message.  The qop_state parameter allows
+   a message recipient to determine the strength of protection that was
+   applied to the message.
+
+
+
+Wray                                                           [Page 28]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        arrived
+
+      message_buffer    buffer, opaque, read
+                        message to be verified
+
+      token_buffer      buffer, opaque, read
+                        token associated with message
+
+      qop_state         integer, modify
+                        quality of protection gained from signature
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+      GSS_S_BAD_SIG     The signature was incorrect
+
+      GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                        signature for the message, but it had already
+                        been processed
+
+      GSS_S_OLD_TOKEN   The token was valid, and contained a correct
+                        signature for the message, but it is too old
+
+      GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct
+                        signature for the message, but has been
+                        verified out of sequence; an earlier token has
+                        been signed or sealed by the remote
+                        application, but not yet been processed
+                        locally.
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+
+
+
+
+Wray                                                           [Page 29]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.10. gss_seal
+
+      OM_uint32  gss_seal (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     int             conf_req_flag,
+                     int             qop_req
+                     gss_buffer_t    input_message_buffer,
+                     int *           conf_state,
+                     gss_buffer_t    output_message_buffer)
+
+   Purpose:
+
+   Cryptographically signs and optionally encrypts the specified
+   input_message.  The output_message contains both the signature and
+   the message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        will be sent
+
+      conf_req_flag     boolean, read
+                        True - Both confidentiality and integrity
+                               services are requested
+                        False - Only integrity service is requested
+
+      qop_req           integer, read, optional
+                        Specifies required quality of protection.  A
+                        mechanism-specific default may be requested by
+                        setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                        unsupported protection strength is requested,
+                        gss_seal will return a major_status of
+                        GSS_S_FAILURE.
+
+      input_message_buffer   buffer, opaque, read
+                             message to be sealed
+
+
+
+
+Wray                                                           [Page 30]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      conf_state        boolean, modify
+                        True - Confidentiality, data origin
+                               authentication and integrity services
+                               have been applied
+                        False - Integrity and data origin services only
+                                has been applied.
+
+      output_message_buffer  buffer, opaque, modify
+                             buffer to receive sealed message
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.11. gss_unseal
+
+      OM_uint32  gss_unseal (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    input_message_buffer,
+                     gss_buffer_t    output_message_buffer,
+                     int *           conf_state,
+                     int *           qop_state)
+
+   Purpose:
+
+   Converts a previously sealed message back to a usable form, verifying
+   the embedded signature.  The conf_state parameter indicates whether
+   the message was encrypted; the qop_state parameter indicates the
+   strength of protection that was used to provide the confidentiality
+   and integrity services.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+
+
+Wray                                                           [Page 31]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        arrived
+
+      input_message_buffer   buffer, opaque, read
+                             sealed message
+
+      output_message_buffer  buffer, opaque, modify
+                             buffer to receive unsealed message
+
+      conf_state        boolean, modify
+                        True - Confidentiality and integrity protection
+                               were used
+                        False - Inteegrity service only was used
+
+      qop_state         integer, modify
+                        quality of protection gained from signature
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+      GSS_S_BAD_SIG     The signature was incorrect
+
+      GSS_S_DUPLICATE_TOKEN The token was valid, and contained a
+                        correct signature for the message, but it had
+                        already been processed
+
+      GSS_S_OLD_TOKEN The token was valid, and contained a correct
+                        signature for the message, but it is too old
+
+      GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct
+                        signature for the message, but has been
+                        verified out of sequence; an earlier token has
+                        been signed or sealed by the remote
+                        application, but not yet been processed
+                        locally.
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+
+
+
+
+Wray                                                           [Page 32]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.12. gss_display_status
+
+      OM_uint32  gss_display_status (
+                     OM_uint32 *     minor_status,
+                     int             status_value,
+                     int             status_type,
+                     gss_OID         mech_type,
+                     int *           message_context,
+                     gss_buffer_t    status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSSAPI
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple errors, applications may
+   need to call gss_display_status multiple times, each call generating
+   a single text string.  The message_context parameter is used to
+   indicate which error message should be extracted from a given
+   status_value; message_context should be initialized to 0, and
+   gss_display_status will return a non-zero value if there are further
+   messages to extract.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      status_value      integer, read
+                        Status value to be converted
+
+      status_type       integer, read
+                        GSS_C_GSS_CODE - status_value is a GSS status
+                                         code
+                        GSS_C_MECH_CODE - status_value is a mechanism
+                                          status code
+
+      mech_type         Object ID, read, optional
+                        Underlying mechanism (used to interpret a
+                        minor status value) Supply GSS_C_NULL_OID to
+                        obtain the system default.
+
+      message_context   integer, read/modify
+                        Should be initialized to zero by caller
+
+
+
+Wray                                                           [Page 33]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        on first call.  If further messages are
+                        contained in the status_value parameter,
+                        message_context will be non-zero on return,
+                        and this value should be passed back to
+                        subsequent calls, along with the same
+                        status_value, status_type and mech_type
+                        parameters.
+
+      status_string     buffer, character string, modify
+                        textual interpretation of the status_value
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_MECH    Indicates that translation in accordance with
+                        an unsupported mechanism type was requested
+
+      GSS_S_BAD_STATUS The status value was not recognized, or the
+                        status type was neither GSS_C_GSS_CODE nor
+                        GSS_C_MECH_CODE.
+
+
+3.13. gss_indicate_mechs
+
+      OM_uint32  gss_indicate_mechs (
+                     OM_uint32 *     minor_status,
+                     gss_OID_set *   mech_set)
+
+   Purpose:
+
+         Allows an application to determine which underlying security
+         mechanisms are available.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      mech_set          set of Object IDs, modify
+                        set of implementation-supported mechanisms.
+                        The returned gss_OID_set value will be a
+                        pointer into static storage, and should be
+                        treated as read-only by the caller.
+
+
+
+
+
+Wray                                                           [Page 34]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+3.14. gss_compare_name
+
+      OM_uint32  gss_compare_name (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      name1,
+                     gss_name_t      name2,
+                     int *           name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      name1             gss_name_t, read
+                        internal-form  name
+
+      name2             gss_name_t, read
+                        internal-form  name
+
+      name_equal        boolean, modify
+                        True - names refer to same entity
+                        False - names refer to different entities
+                                (strictly, the names are not known to
+                                refer to the same identity).
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The type contained within either name1 or
+                        name2 was unrecognized, or the names were of
+                        incomparable types.
+
+      GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed
+
+
+
+
+
+Wray                                                           [Page 35]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.15. gss_display_name
+
+      OM_uint32  gss_display_name (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      input_name,
+                     gss_buffer_t    output_name_buffer,
+                     gss_OID *       output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSSAPI implementation.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      input_name        gss_name_t, read
+                        name to be displayed
+
+      output_name_buffer   buffer, character-string, modify
+                           buffer to receive textual name string
+
+      output_name_type  Object ID, modify
+                        The type of the returned name.  The returned
+                        gss_OID will be a pointer into static storage,
+                        and should be treated as read-only by the caller
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The type of input_name was not recognized
+
+      GSS_S_BAD_NAME    input_name was ill-formed
+
+3.16. gss_import_name
+
+      OM_uint32 gss_import_name (
+                    OM_uint32 *     minor_status,
+                    gss_buffer_t    input_name_buffer,
+                    gss_OID         input_name_type,
+                    gss_name_t *    output_name)
+
+
+
+
+Wray                                                           [Page 36]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Purpose:
+
+   Convert a printable name to internal form.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      input_name_buffer    buffer, character-string, read
+                           buffer containing printable name to convert
+
+      input_name_type   Object ID, read, optional
+                        Object Id specifying type of printable
+                        name.  Applications may specify either
+                        GSS_C_NULL_OID to use a local system-specific
+                        printable syntax, or an OID registered by the
+                        GSSAPI implementation to name a particular
+                        namespace.
+
+      output_name       gss_name_t, modify
+                        returned name in internal form
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+      GSS_S_BAD_NAME    The input_name parameter could not be
+                        interpreted as a name of the specified type
+
+3.17. gss_release_name
+
+      OM_uint32 gss_release_name (
+                    OM_uint32 *     minor_status,
+                    gss_name_t *    name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage associated with an internal form name.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+
+
+Wray                                                           [Page 37]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      name              gss_name_t, modify
+                        The name to be deleted
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+3.18. gss_release_buffer
+
+      OM_uint32 gss_release_buffer (
+                    OM_uint32 *     minor_status,
+                    gss_buffer_t    buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer format name.  The storage must
+   have been allocated by a GSSAPI routine.  In addition to freeing the
+   associated storage, the routine will zero the length field in the
+   buffer parameter.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      buffer            buffer, modify
+                        The storage associated with the buffer will be
+                        deleted.  The gss_buffer_desc object will not
+                        be freed, but its length field will be zeroed.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+3.19. gss_release_oid_set
+
+      OM_uint32 gss_release_oid_set (
+                    OM_uint32 *     minor_status,
+                    gss_OID_set *   set)
+
+   Purpose:
+
+
+
+
+Wray                                                           [Page 38]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Free storage associated with a gss_OID_set object.  The storage must
+   have been allocated by a GSSAPI routine.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      set               Set of Object IDs, modify
+                        The storage associated with the gss_OID_set
+                        will be deleted.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+3.20. gss_inquire_cred
+
+      OM_uint32 gss_inquire_cred (
+                    OM_uint32  *    minor_status,
+                    gss_cred_id_t   cred_handle,
+                    gss_name_t *    name,
+                    OM_uint32 *     lifetime,
+                    int *           cred_usage,
+                    gss_OID_set *   mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.  The caller must already have
+   obtained a handle that refers to the credential.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      cred_handle       gss_cred_id_t, read
+                        A handle that refers to the target credential.
+                        Specify GSS_C_NO_CREDENTIAL to inquire about
+                        the default credential.
+
+      name              gss_name_t, modify
+                        The name whose identity the credential asserts.
+                        Specify NULL if not required.
+
+      lifetime          Integer, modify
+
+
+
+Wray                                                           [Page 39]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        The number of seconds for which the credential
+                        will remain valid.  If the credential has
+                        expired, this parameter will be set to zero.
+                        If the implementation does not support
+                        credential expiration, the value
+                        GSS_C_INDEFINITE will be returned.  Specify
+                        NULL if not required.
+
+      cred_usage        Integer, modify
+                        How the credential may be used.  One of the
+                        following:
+                           GSS_C_INITIATE
+                           GSS_C_ACCEPT
+                           GSS_C_BOTH
+                        Specify NULL if not required.
+
+      mechanisms        gss_OID_set, modify
+                        Set of mechanisms supported by the credential.
+                        Specify NULL if not required.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_NO_CRED     The referenced credentials could not be
+                        accessed.
+
+      GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were
+                        invalid.
+
+      GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                        If the lifetime parameter was not passed as
+                        NULL, it will be set to 0.
+
+
+  #ifndef GSSAPI_H_
+  #define GSSAPI_H_
+
+  /*
+   * First, define the platform-dependent types.
+   */
+  typedef <platform-specific> OM_uint32;
+  typedef <platform-specific> gss_ctx_id_t;
+  typedef <platform-specific> gss_cred_id_t;
+  typedef <platform-specific> gss_name_t;
+
+
+
+
+Wray                                                           [Page 40]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  /*
+   * Note that a platform supporting the xom.h X/Open header file
+   * may make use of that header for the definitions of OM_uint32
+   * and the structure to which gss_OID_desc equates.
+   */
+
+  typedef struct gss_OID_desc_struct {
+        OM_uint32 length;
+        void      *elements;
+  } gss_OID_desc, *gss_OID;
+
+  typedef struct gss_OID_set_desc_struct  {
+        int     count;
+        gss_OID elements;
+  } gss_OID_set_desc, *gss_OID_set;
+
+  typedef struct gss_buffer_desc_struct {
+        size_t length;
+        void *value;
+  } gss_buffer_desc, *gss_buffer_t;
+
+  typedef struct gss_channel_bindings_struct {
+        OM_uint32 initiator_addrtype;
+        gss_buffer_desc initiator_address;
+        OM_uint32 acceptor_addrtype;
+        gss_buffer_desc acceptor_address;
+        gss_buffer_desc application_data;
+  } *gss_channel_bindings_t;
+
+
+  /*
+   * Six independent flags each of which indicates that a context
+   * supports a specific service option.
+   */
+  #define GSS_C_DELEG_FLAG 1
+  #define GSS_C_MUTUAL_FLAG 2
+  #define GSS_C_REPLAY_FLAG 4
+  #define GSS_C_SEQUENCE_FLAG 8
+  #define GSS_C_CONF_FLAG 16
+  #define GSS_C_INTEG_FLAG 32
+
+
+  /*
+   * Credential usage options
+   */
+  #define GSS_C_BOTH 0
+  #define GSS_C_INITIATE 1
+  #define GSS_C_ACCEPT 2
+
+
+
+Wray                                                           [Page 41]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  /*
+   * Status code types for gss_display_status
+   */
+  #define GSS_C_GSS_CODE 1
+  #define GSS_C_MECH_CODE 2
+
+  /*
+   * The constant definitions for channel-bindings address families
+   */
+  #define GSS_C_AF_UNSPEC     0;
+  #define GSS_C_AF_LOCAL      1;
+  #define GSS_C_AF_INET       2;
+  #define GSS_C_AF_IMPLINK    3;
+  #define GSS_C_AF_PUP        4;
+  #define GSS_C_AF_CHAOS      5;
+  #define GSS_C_AF_NS         6;
+  #define GSS_C_AF_NBS        7;
+  #define GSS_C_AF_ECMA       8;
+  #define GSS_C_AF_DATAKIT    9;
+  #define GSS_C_AF_CCITT      10;
+  #define GSS_C_AF_SNA        11;
+  #define GSS_C_AF_DECnet     12;
+  #define GSS_C_AF_DLI        13;
+  #define GSS_C_AF_LAT        14;
+  #define GSS_C_AF_HYLINK     15;
+  #define GSS_C_AF_APPLETALK  16;
+  #define GSS_C_AF_BSC        17;
+  #define GSS_C_AF_DSS        18;
+  #define GSS_C_AF_OSI        19;
+  #define GSS_C_AF_X25        21;
+
+  #define GSS_C_AF_NULLADDR   255;
+
+  #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+  #define GSS_C_NULL_OID ((gss_OID) 0)
+  #define GSS_C_NULL_OID_SET ((gss_OID_set) 0)
+  #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+  #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+  #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+  #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+  /*
+   * Define the default Quality of Protection for per-message
+   * services.  Note that an implementation that offers multiple
+   * levels of QOP may either reserve a value (for example zero,
+   * as assumed here) to mean "default protection", or alternatively
+   * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP
+   * value.
+
+
+
+Wray                                                           [Page 42]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   */
+  #define GSS_C_QOP_DEFAULT 0
+
+  /*
+   * Expiration time of 2^32-1 seconds means infinite lifetime for a
+   * credential or security context
+   */
+  #define GSS_C_INDEFINITE 0xfffffffful
+
+
+  /* Major status codes */
+
+  #define GSS_S_COMPLETE 0
+
+  /*
+   * Some "helper" definitions to make the status code macros obvious.
+   */
+  #define GSS_C_CALLING_ERROR_OFFSET 24
+  #define GSS_C_ROUTINE_ERROR_OFFSET 16
+  #define GSS_C_SUPPLEMENTARY_OFFSET 0
+  #define GSS_C_CALLING_ERROR_MASK 0377ul
+  #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+  #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+  /*
+   * The macros that test status codes for error conditions
+   */
+  #define GSS_CALLING_ERROR(x) \
+    (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+  #define GSS_ROUTINE_ERROR(x) \
+    (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+  #define GSS_SUPPLEMENTARY_INFO(x) \
+    (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+  #define GSS_ERROR(x) \
+    ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0))
+
+
+  /*
+   * Now the actual status code definitions
+   */
+
+  /*
+   * Calling errors:
+   */
+  #define GSS_S_CALL_INACCESSIBLE_READ \
+                               (1ul << GSS_C_CALLING_ERROR_OFFSET)
+  #define GSS_S_CALL_INACCESSIBLE_WRITE \
+                               (2ul << GSS_C_CALLING_ERROR_OFFSET)
+
+
+
+Wray                                                           [Page 43]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  #define GSS_S_CALL_BAD_STRUCTURE \
+                               (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+  /*
+   * Routine errors:
+   */
+  #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+  /*
+   * Supplementary info bits:
+   */
+  #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+  #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+  #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+  #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+
+
+  /*
+   * Finally, function prototypes for the GSSAPI routines.
+   */
+
+  OM_uint32 gss_acquire_cred
+             (OM_uint32*,       /* minor_status */
+              gss_name_t,       /* desired_name */
+              OM_uint32,        /* time_req */
+              gss_OID_set,      /* desired_mechs */
+              int,              /* cred_usage */
+              gss_cred_id_t*,   /* output_cred_handle */
+              gss_OID_set*,     /* actual_mechs */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_release_cred,
+             (OM_uint32*,       /* minor_status */
+              gss_cred_id_t*    /* cred_handle */
+             );
+
+
+
+Wray                                                           [Page 44]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_init_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_cred_id_t,    /* claimant_cred_handle */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_name_t,       /* target_name */
+              gss_OID,          /* mech_type */
+              int,              /* req_flags */
+              OM_uint32,        /* time_req */
+              gss_channel_bindings_t,
+                                /* input_chan_bindings */
+              gss_buffer_t,     /* input_token */
+              gss_OID*,         /* actual_mech_type */
+              gss_buffer_t,     /* output_token */
+              int*,             /* ret_flags */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_accept_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_cred_id_t,    /* verifier_cred_handle */
+              gss_buffer_t,     /* input_token_buffer */
+              gss_channel_bindings_t,
+                                /* input_chan_bindings */
+              gss_name_t*,      /* src_name */
+              gss_OID*,         /* mech_type */
+              gss_buffer_t,     /* output_token */
+              int*,             /* ret_flags */
+              OM_uint32*,       /* time_rec */
+              gss_cred_id_t*    /* delegated_cred_handle */
+             );
+
+  OM_uint32 gss_process_context_token
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t      /* token_buffer */
+             );
+
+  OM_uint32 gss_delete_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_buffer_t      /* output_token */
+             );
+
+
+
+
+
+
+
+
+Wray                                                           [Page 45]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_context_time
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_sign
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              int,              /* qop_req */
+              gss_buffer_t,     /* message_buffer */
+              gss_buffer_t      /* message_token */
+             );
+
+  OM_uitn32 gss_verify
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t,     /* message_buffer */
+              gss_buffer_t,     /* token_buffer */
+              int*              /* qop_state */
+             );
+
+  OM_uint32 gss_seal
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              int,              /* conf_req_flag */
+              int,              /* qop_req */
+              gss_buffer_t,     /* input_message_buffer */
+              int*,             /* conf_state */
+              gss_buffer_t      /* output_message_buffer */
+             );
+
+  OM_uint32 gss_unseal
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t,     /* input_message_buffer */
+              gss_buffer_t,     /* output_message_buffer */
+              int*,             /* conf_state */
+              int*              /* qop_state */
+             );
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 46]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_display_status
+             (OM_uint32*,       /* minor_status */
+              OM_uint32,        /* status_value */
+              int,              /* status_type */
+              gss_OID,          /* mech_type */
+              int*,             /* message_context */
+              gss_buffer_t      /* status_string */
+             );
+
+  OM_uint32 gss_indicate_mechs
+             (OM_uint32*,       /* minor_status */
+              gss_OID_set*      /* mech_set */
+             );
+
+  OM_uint32 gss_compare_name
+             (OM_uint32*,       /* minor_status */
+              gss_name_t,       /* name1 */
+              gss_name_t,       /* name2 */
+              int*              /* name_equal */
+             );
+
+  OM_uint32 gss_display_name,
+             (OM_uint32*,      /* minor_status */
+              gss_name_t,      /* input_name */
+              gss_buffer_t,     /* output_name_buffer */
+              gss_OID*         /* output_name_type */
+             );
+
+  OM_uint32 gss_import_name
+             (OM_uint32*,       /* minor_status */
+              gss_buffer_t,     /* input_name_buffer */
+              gss_OID,          /* input_name_type */
+              gss_name_t*       /* output_name */
+             );
+
+  OM_uint32 gss_release_name
+             (OM_uint32*,       /* minor_status */
+              gss_name_t*       /* input_name */
+             );
+
+  OM_uint32 gss_release_buffer
+             (OM_uint32*,       /* minor_status */
+              gss_buffer_t      /* buffer */
+             );
+
+  OM_uint32 gss_release_oid_set
+             (OM_uint32*,       /* minor_status */
+              gss_OID_set*      /* set */
+
+
+
+Wray                                                           [Page 47]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+             );
+
+  OM_uint32 gss_inquire_cred
+             (OM_uint32 *,      /* minor_status */
+              gss_cred_id_t,    /* cred_handle */
+              gss_name_t *,     /* name */
+              OM_uint32 *,      /* lifetime */
+              int *,            /* cred_usage */
+              gss_OID_set *     /* mechanisms */
+             );
+
+
+
+  #endif /* GSSAPI_H_ */
+
+References
+
+   [1] Linn, J., "Generic Security Service Application Program
+       Interface", RFC 1508, Geer Zolot Associate, September 1993.
+
+   [2] "OSI Object Management API Specification, Version 2.0 t", X.400
+       API Association & X/Open Company Limited, August 24, 1990.
+       Specification of datatypes and routines for manipulating
+       information objects.
+
+Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+Author's Address
+
+   John Wray
+   Digital Equipment Corporation
+   550 King Street, LKG2-2/AA6
+   Littleton, MA  01460
+   USA
+
+   Phone: +1-508-486-5210
+   EMail: Wray@tuxedo.enet.dec.com
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 48]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1510.txt b/crypto/heimdal/doc/standardisation/rfc1510.txt
new file mode 100644
index 0000000..bc810cc
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1510.txt
@@ -0,0 +1,6275 @@
+
+
+
+
+
+
+Network Working Group                                            J. Kohl
+Request for Comments: 1510                 Digital Equipment Corporation
+                                                               C. Neuman
+                                                                     ISI
+                                                          September 1993
+
+
+            The Kerberos Network Authentication Service (V5)
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This document gives an overview and specification of Version 5 of the
+   protocol for the Kerberos network authentication system. Version 4,
+   described elsewhere [1,2], is presently in production use at MIT's
+   Project Athena, and at other Internet sites.
+
+Overview
+
+   Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
+   Moira, and Zephyr are trademarks of the Massachusetts Institute of
+   Technology (MIT).  No commercial use of these trademarks may be made
+   without prior written permission of MIT.
+
+   This RFC describes the concepts and model upon which the Kerberos
+   network authentication system is based. It also specifies Version 5
+   of the Kerberos protocol.
+
+   The motivations, goals, assumptions, and rationale behind most design
+   decisions are treated cursorily; for Version 4 they are fully
+   described in the Kerberos portion of the Athena Technical Plan [1].
+   The protocols are under review, and are not being submitted for
+   consideration as an Internet standard at this time.  Comments are
+   encouraged.  Requests for addition to an electronic mailing list for
+   discussion of Kerberos, kerberos@MIT.EDU, may be addressed to
+   kerberos-request@MIT.EDU.  This mailing list is gatewayed onto the
+   Usenet as the group comp.protocols.kerberos.  Requests for further
+   information, including documents and code availability, may be sent
+   to info-kerberos@MIT.EDU.
+
+
+
+
+
+Kohl & Neuman                                                   [Page 1]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+Background
+
+   The Kerberos model is based in part on Needham and Schroeder's
+   trusted third-party authentication protocol [3] and on modifications
+   suggested by Denning and Sacco [4].  The original design and
+   implementation of Kerberos Versions 1 through 4 was the work of two
+   former Project Athena staff members, Steve Miller of Digital
+   Equipment Corporation and Clifford Neuman (now at the Information
+   Sciences Institute of the University of Southern California), along
+   with Jerome Saltzer, Technical Director of Project Athena, and
+   Jeffrey Schiller, MIT Campus Network Manager.  Many other members of
+   Project Athena have also contributed to the work on Kerberos.
+   Version 4 is publicly available, and has seen wide use across the
+   Internet.
+
+   Version 5 (described in this document) has evolved from Version 4
+   based on new requirements and desires for features not available in
+   Version 4.  Details on the differences between Kerberos Versions 4
+   and 5 can be found in [5].
+
+Table of Contents
+
+   1. Introduction .......................................    5
+   1.1. Cross-Realm Operation ............................    7
+   1.2. Environmental assumptions ........................    8
+   1.3. Glossary of terms ................................    9
+   2. Ticket flag uses and requests ......................   12
+   2.1. Initial and pre-authenticated tickets ............   12
+   2.2. Invalid tickets ..................................   12
+   2.3. Renewable tickets ................................   12
+   2.4. Postdated tickets ................................   13
+   2.5. Proxiable and proxy tickets ......................   14
+   2.6. Forwardable tickets ..............................   15
+   2.7. Other KDC options ................................   15
+   3. Message Exchanges ..................................   16
+   3.1. The Authentication Service Exchange ..............   16
+   3.1.1. Generation of KRB_AS_REQ message ...............   17
+   3.1.2. Receipt of KRB_AS_REQ message ..................   17
+   3.1.3. Generation of KRB_AS_REP message ...............   17
+   3.1.4. Generation of KRB_ERROR message ................   19
+   3.1.5. Receipt of KRB_AS_REP message ..................   19
+   3.1.6. Receipt of KRB_ERROR message ...................   20
+   3.2. The Client/Server Authentication Exchange ........   20
+   3.2.1. The KRB_AP_REQ message .........................   20
+   3.2.2. Generation of a KRB_AP_REQ message .............   20
+   3.2.3. Receipt of KRB_AP_REQ message ..................   21
+   3.2.4. Generation of a KRB_AP_REP message .............   23
+   3.2.5. Receipt of KRB_AP_REP message ..................   23
+
+
+
+Kohl & Neuman                                                   [Page 2]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   3.2.6. Using the encryption key .......................   24
+   3.3. The Ticket-Granting Service (TGS) Exchange .......   24
+   3.3.1. Generation of KRB_TGS_REQ message ..............   25
+   3.3.2. Receipt of KRB_TGS_REQ message .................   26
+   3.3.3. Generation of KRB_TGS_REP message ..............   27
+   3.3.3.1. Encoding the transited field .................   29
+   3.3.4. Receipt of KRB_TGS_REP message .................   31
+   3.4. The KRB_SAFE Exchange ............................   31
+   3.4.1. Generation of a KRB_SAFE message ...............   31
+   3.4.2. Receipt of KRB_SAFE message ....................   32
+   3.5. The KRB_PRIV Exchange ............................   33
+   3.5.1. Generation of a KRB_PRIV message ...............   33
+   3.5.2. Receipt of KRB_PRIV message ....................   33
+   3.6. The KRB_CRED Exchange ............................   34
+   3.6.1. Generation of a KRB_CRED message ...............   34
+   3.6.2. Receipt of KRB_CRED message ....................   34
+   4. The Kerberos Database ..............................   35
+   4.1. Database contents ................................   35
+   4.2. Additional fields ................................   36
+   4.3. Frequently Changing Fields .......................   37
+   4.4. Site Constants ...................................   37
+   5. Message Specifications .............................   38
+   5.1. ASN.1 Distinguished Encoding Representation ......   38
+   5.2. ASN.1 Base Definitions ...........................   38
+   5.3. Tickets and Authenticators .......................   42
+   5.3.1. Tickets ........................................   42
+   5.3.2. Authenticators .................................   47
+   5.4. Specifications for the AS and TGS exchanges ......   49
+   5.4.1. KRB_KDC_REQ definition .........................   49
+   5.4.2. KRB_KDC_REP definition .........................   56
+   5.5. Client/Server (CS) message specifications ........   58
+   5.5.1. KRB_AP_REQ definition ..........................   58
+   5.5.2. KRB_AP_REP definition ..........................   60
+   5.5.3. Error message reply ............................   61
+   5.6. KRB_SAFE message specification ...................   61
+   5.6.1. KRB_SAFE definition ............................   61
+   5.7. KRB_PRIV message specification ...................   62
+   5.7.1. KRB_PRIV definition ............................   62
+   5.8. KRB_CRED message specification ...................   63
+   5.8.1. KRB_CRED definition ............................   63
+   5.9. Error message specification ......................   65
+   5.9.1. KRB_ERROR definition ...........................   66
+   6. Encryption and Checksum Specifications .............   67
+   6.1. Encryption Specifications ........................   68
+   6.2. Encryption Keys ..................................   71
+   6.3. Encryption Systems ...............................   71
+   6.3.1. The NULL Encryption System (null) ..............   71
+   6.3.2. DES in CBC mode with a CRC-32 checksum (descbc-crc)71
+
+
+
+Kohl & Neuman                                                   [Page 3]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   6.3.3. DES in CBC mode with an MD4 checksum (descbc-md4)  72
+   6.3.4. DES in CBC mode with an MD5 checksum (descbc-md5)  72
+   6.4. Checksums ........................................   74
+   6.4.1. The CRC-32 Checksum (crc32) ....................   74
+   6.4.2. The RSA MD4 Checksum (rsa-md4) .................   75
+   6.4.3. RSA MD4 Cryptographic Checksum Using DES
+   (rsa-md4-des) .........................................   75
+   6.4.4. The RSA MD5 Checksum (rsa-md5) .................   76
+   6.4.5. RSA MD5 Cryptographic Checksum Using DES
+   (rsa-md5-des) .........................................   76
+   6.4.6. DES cipher-block chained checksum (des-mac)
+   6.4.7. RSA MD4 Cryptographic Checksum Using DES
+   alternative (rsa-md4-des-k) ...........................   77
+   6.4.8. DES cipher-block chained checksum alternative
+   (des-mac-k) ...........................................   77
+   7. Naming Constraints .................................   78
+   7.1. Realm Names ......................................   77
+   7.2. Principal Names ..................................   79
+   7.2.1. Name of server principals ......................   80
+   8. Constants and other defined values .................   80
+   8.1. Host address types ...............................   80
+   8.2. KDC messages .....................................   81
+   8.2.1. IP transport ...................................   81
+   8.2.2. OSI transport ..................................   82
+   8.2.3. Name of the TGS ................................   82
+   8.3. Protocol constants and associated values .........   82
+   9. Interoperability requirements ......................   86
+   9.1. Specification 1 ..................................   86
+   9.2. Recommended KDC values ...........................   88
+   10. Acknowledgments ...................................   88
+   11. References ........................................   89
+   12. Security Considerations ...........................   90
+   13. Authors' Addresses ................................   90
+   A. Pseudo-code for protocol processing ................   91
+   A.1. KRB_AS_REQ generation ............................   91
+   A.2. KRB_AS_REQ verification and KRB_AS_REP generation    92
+   A.3. KRB_AS_REP verification ..........................   95
+   A.4. KRB_AS_REP and KRB_TGS_REP common checks .........   96
+   A.5. KRB_TGS_REQ generation ...........................   97
+   A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation  98
+   A.7. KRB_TGS_REP verification .........................  104
+   A.8. Authenticator generation .........................  104
+   A.9. KRB_AP_REQ generation ............................  105
+   A.10. KRB_AP_REQ verification .........................  105
+   A.11. KRB_AP_REP generation ...........................  106
+   A.12. KRB_AP_REP verification .........................  107
+   A.13. KRB_SAFE generation .............................  107
+   A.14. KRB_SAFE verification ...........................  108
+
+
+
+Kohl & Neuman                                                   [Page 4]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   A.15. KRB_SAFE and KRB_PRIV common checks .............  108
+   A.16. KRB_PRIV generation .............................  109
+   A.17. KRB_PRIV verification ...........................  110
+   A.18. KRB_CRED generation .............................  110
+   A.19. KRB_CRED verification ...........................  111
+   A.20. KRB_ERROR generation ............................  112
+
+1.  Introduction
+
+   Kerberos provides a means of verifying the identities of principals,
+   (e.g., a workstation user or a network server) on an open
+   (unprotected) network.  This is accomplished without relying on
+   authentication by the host operating system, without basing trust on
+   host addresses, without requiring physical security of all the hosts
+   on the network, and under the assumption that packets traveling along
+   the network can be read, modified, and inserted at will. (Note,
+   however, that many applications use Kerberos' functions only upon the
+   initiation of a stream-based network connection, and assume the
+   absence of any "hijackers" who might subvert such a connection.  Such
+   use implicitly trusts the host addresses involved.)  Kerberos
+   performs authentication under these conditions as a trusted third-
+   party authentication service by using conventional cryptography,
+   i.e., shared secret key.  (shared secret key - Secret and private are
+   often used interchangeably in the literature.  In our usage, it takes
+   two (or more) to share a secret, thus a shared DES key is a secret
+   key.  Something is only private when no one but its owner knows it.
+   Thus, in public key cryptosystems, one has a public and a private
+   key.)
+
+   The authentication process proceeds as follows: A client sends a
+   request to the authentication server (AS) requesting "credentials"
+   for a given server.  The AS responds with these credentials,
+   encrypted in the client's key.  The credentials consist of 1) a
+   "ticket" for the server and 2) a temporary encryption key (often
+   called a "session key").  The client transmits the ticket (which
+   contains the client's identity and a copy of the session key, all
+   encrypted in the server's key) to the server.  The session key (now
+   shared by the client and server) is used to authenticate the client,
+   and may optionally be used to authenticate the server.  It may also
+   be used to encrypt further communication between the two parties or
+   to exchange a separate sub-session key to be used to encrypt further
+   communication.
+
+   The implementation consists of one or more authentication servers
+   running on physically secure hosts.  The authentication servers
+   maintain a database of principals (i.e., users and servers) and their
+   secret keys. Code libraries provide encryption and implement the
+   Kerberos protocol.  In order to add authentication to its
+
+
+
+Kohl & Neuman                                                   [Page 5]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   transactions, a typical network application adds one or two calls to
+   the Kerberos library, which results in the transmission of the
+   necessary messages to achieve authentication.
+
+   The Kerberos protocol consists of several sub-protocols (or
+   exchanges).  There are two methods by which a client can ask a
+   Kerberos server for credentials.  In the first approach, the client
+   sends a cleartext request for a ticket for the desired server to the
+   AS. The reply is sent encrypted in the client's secret key. Usually
+   this request is for a ticket-granting ticket (TGT) which can later be
+   used with the ticket-granting server (TGS).  In the second method,
+   the client sends a request to the TGS.  The client sends the TGT to
+   the TGS in the same manner as if it were contacting any other
+   application server which requires Kerberos credentials.  The reply is
+   encrypted in the session key from the TGT.
+
+   Once obtained, credentials may be used to verify the identity of the
+   principals in a transaction, to ensure the integrity of messages
+   exchanged between them, or to preserve privacy of the messages.  The
+   application is free to choose whatever protection may be necessary.
+
+   To verify the identities of the principals in a transaction, the
+   client transmits the ticket to the server.  Since the ticket is sent
+   "in the clear" (parts of it are encrypted, but this encryption
+   doesn't thwart replay) and might be intercepted and reused by an
+   attacker, additional information is sent to prove that the message
+   was originated by the principal to whom the ticket was issued.  This
+   information (called the authenticator) is encrypted in the session
+   key, and includes a timestamp.  The timestamp proves that the message
+   was recently generated and is not a replay.  Encrypting the
+   authenticator in the session key proves that it was generated by a
+   party possessing the session key.  Since no one except the requesting
+   principal and the server know the session key (it is never sent over
+   the network in the clear) this guarantees the identity of the client.
+
+   The integrity of the messages exchanged between principals can also
+   be guaranteed using the session key (passed in the ticket and
+   contained in the credentials).  This approach provides detection of
+   both replay attacks and message stream modification attacks.  It is
+   accomplished by generating and transmitting a collision-proof
+   checksum (elsewhere called a hash or digest function) of the client's
+   message, keyed with the session key.  Privacy and integrity of the
+   messages exchanged between principals can be secured by encrypting
+   the data to be passed using the session key passed in the ticket, and
+   contained in the credentials.
+
+   The authentication exchanges mentioned above require read-only access
+   to the Kerberos database.  Sometimes, however, the entries in the
+
+
+
+Kohl & Neuman                                                   [Page 6]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   database must be modified, such as when adding new principals or
+   changing a principal's key.  This is done using a protocol between a
+   client and a third Kerberos server, the Kerberos Administration
+   Server (KADM).  The administration protocol is not described in this
+   document. There is also a protocol for maintaining multiple copies of
+   the Kerberos database, but this can be considered an implementation
+   detail and may vary to support different database technologies.
+
+1.1.  Cross-Realm Operation
+
+   The Kerberos protocol is designed to operate across organizational
+   boundaries.  A client in one organization can be authenticated to a
+   server in another.  Each organization wishing to run a Kerberos
+   server establishes its own "realm".  The name of the realm in which a
+   client is registered is part of the client's name, and can be used by
+   the end-service to decide whether to honor a request.
+
+   By establishing "inter-realm" keys, the administrators of two realms
+   can allow a client authenticated in the local realm to use its
+   authentication remotely (Of course, with appropriate permission the
+   client could arrange registration of a separately-named principal in
+   a remote realm, and engage in normal exchanges with that realm's
+   services. However, for even small numbers of clients this becomes
+   cumbersome, and more automatic methods as described here are
+   necessary).  The exchange of inter-realm keys (a separate key may be
+   used for each direction) registers the ticket-granting service of
+   each realm as a principal in the other realm.  A client is then able
+   to obtain a ticket-granting ticket for the remote realm's ticket-
+   granting service from its local realm. When that ticket-granting
+   ticket is used, the remote ticket-granting service uses the inter-
+   realm key (which usually differs from its own normal TGS key) to
+   decrypt the ticket-granting ticket, and is thus certain that it was
+   issued by the client's own TGS. Tickets issued by the remote ticket-
+   granting service will indicate to the end-service that the client was
+   authenticated from another realm.
+
+   A realm is said to communicate with another realm if the two realms
+   share an inter-realm key, or if the local realm shares an inter-realm
+   key with an intermediate realm that communicates with the remote
+   realm.  An authentication path is the sequence of intermediate realms
+   that are transited in communicating from one realm to another.
+
+   Realms are typically organized hierarchically. Each realm shares a
+   key with its parent and a different key with each child.  If an
+   inter-realm key is not directly shared by two realms, the
+   hierarchical organization allows an authentication path to be easily
+   constructed.  If a hierarchical organization is not used, it may be
+   necessary to consult some database in order to construct an
+
+
+
+Kohl & Neuman                                                   [Page 7]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authentication path between realms.
+
+   Although realms are typically hierarchical, intermediate realms may
+   be bypassed to achieve cross-realm authentication through alternate
+   authentication paths (these might be established to make
+   communication between two realms more efficient).  It is important
+   for the end-service to know which realms were transited when deciding
+   how much faith to place in the authentication process. To facilitate
+   this decision, a field in each ticket contains the names of the
+   realms that were involved in authenticating the client.
+
+1.2.  Environmental assumptions
+
+   Kerberos imposes a few assumptions on the environment in which it can
+   properly function:
+
+   +    "Denial of service" attacks are not solved with Kerberos.  There
+        are places in these protocols where an intruder intruder can
+        prevent an application from participating in the proper
+        authentication steps.  Detection and solution of such attacks
+        (some of which can appear to be not-uncommon "normal" failure
+        modes for the system) is usually best left to the human
+        administrators and users.
+
+   +    Principals must keep their secret keys secret.  If an intruder
+        somehow steals a principal's key, it will be able to masquerade
+        as that principal or impersonate any server to the legitimate
+        principal.
+
+   +    "Password guessing" attacks are not solved by Kerberos.  If a
+        user chooses a poor password, it is possible for an attacker to
+        successfully mount an offline dictionary attack by repeatedly
+        attempting to decrypt, with successive entries from a
+        dictionary, messages obtained which are encrypted under a key
+        derived from the user's password.
+
+   +    Each host on the network must have a clock which is "loosely
+        synchronized" to the time of the other hosts; this
+        synchronization is used to reduce the bookkeeping needs of
+        application servers when they do replay detection.  The degree
+        of "looseness" can be configured on a per-server basis.  If the
+        clocks are synchronized over the network, the clock
+        synchronization protocol must itself be secured from network
+        attackers.
+
+   +    Principal identifiers are not recycled on a short-term basis.  A
+        typical mode of access control will use access control lists
+        (ACLs) to grant permissions to particular principals.  If a
+
+
+
+Kohl & Neuman                                                   [Page 8]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        stale ACL entry remains for a deleted principal and the
+        principal identifier is reused, the new principal will inherit
+        rights specified in the stale ACL entry. By not re-using
+        principal identifiers, the danger of inadvertent access is
+        removed.
+
+1.3.  Glossary of terms
+
+   Below is a list of terms used throughout this document.
+
+
+   Authentication      Verifying the claimed identity of a
+                       principal.
+
+
+   Authentication header A record containing a Ticket and an
+                         Authenticator to be presented to a
+                         server as part of the authentication
+                         process.
+
+
+   Authentication path  A sequence of intermediate realms transited
+                        in the authentication process when
+                        communicating from one realm to another.
+
+   Authenticator       A record containing information that can
+                       be shown to have been recently generated
+                       using the session key known only by  the
+                       client and server.
+
+
+   Authorization       The process of determining whether a
+                       client may use a service, which objects
+                       the client is allowed to access, and the
+                       type of access allowed for each.
+
+
+   Capability          A token that grants the bearer permission
+                       to access an object or service.  In
+                       Kerberos, this might be a ticket whose
+                       use is restricted by the contents of the
+                       authorization data field, but which
+                       lists no network addresses, together
+                       with the session key necessary to use
+                       the ticket.
+
+
+
+
+
+
+Kohl & Neuman                                                   [Page 9]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Ciphertext          The output of an encryption function.
+                       Encryption transforms plaintext into
+                       ciphertext.
+
+
+   Client              A process that makes use of a network
+                       service on behalf of a user.  Note that
+                       in some cases a Server may itself be a
+                       client of some other server (e.g., a
+                       print server may be a client of a file
+                       server).
+
+
+   Credentials         A ticket plus the secret session key
+                       necessary to successfully use that
+                       ticket in an authentication exchange.
+
+
+   KDC                 Key Distribution Center, a network service
+                       that supplies tickets and temporary
+                       session keys; or an instance of that
+                       service or the host on which it runs.
+                       The KDC services both initial ticket and
+                       ticket-granting ticket requests.  The
+                       initial ticket portion is sometimes
+                       referred to as the Authentication Server
+                       (or service).  The ticket-granting
+                       ticket portion is sometimes referred to
+                       as the ticket-granting server (or service).
+
+   Kerberos            Aside from the 3-headed dog guarding
+                       Hades, the name given to Project
+                       Athena's authentication service, the
+                       protocol used by that service, or the
+                       code used to implement the authentication
+                       service.
+
+
+   Plaintext           The input to an encryption function  or
+                       the output of a decryption function.
+                       Decryption transforms ciphertext into
+                       plaintext.
+
+
+   Principal           A uniquely named client or server
+                       instance that participates in a network
+                       communication.
+
+
+
+
+Kohl & Neuman                                                  [Page 10]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Principal identifier The name used to uniquely identify each
+                        different principal.
+
+
+   Seal                To encipher a record containing several
+                       fields in such a way that the fields
+                       cannot be individually replaced without
+                       either knowledge of the encryption key
+                       or leaving evidence of tampering.
+
+
+   Secret key          An encryption key shared by a principal
+                       and the KDC, distributed outside the
+                       bounds of the system, with a long lifetime.
+                       In the case of a human user's
+                       principal, the secret key is derived
+                       from a password.
+
+
+   Server              A particular Principal which provides a
+                       resource to network clients.
+
+
+   Service             A resource provided to network clients;
+                       often provided by more than one server
+                       (for example, remote file service).
+
+
+   Session key         A temporary encryption key used between
+                       two principals, with a lifetime limited
+                       to the duration of a single login "session".
+
+
+   Sub-session key     A temporary encryption key used between
+                       two principals, selected and exchanged
+                       by the principals using the session key,
+                       and with a lifetime limited to the duration
+                       of a single association.
+
+
+   Ticket              A record that helps a client authenticate
+                       itself to a server; it contains the
+                       client's identity, a session key, a
+                       timestamp, and other information, all
+                       sealed using the server's secret key.
+                       It only serves to authenticate a client
+                       when presented along with a fresh
+                       Authenticator.
+
+
+
+Kohl & Neuman                                                  [Page 11]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+2.  Ticket flag uses and requests
+
+   Each Kerberos ticket contains a set of flags which are used to
+   indicate various attributes of that ticket.  Most flags may be
+   requested by a client when the ticket is obtained; some are
+   automatically turned on and off by a Kerberos server as required.
+   The following sections explain what the various flags mean, and gives
+   examples of reasons to use such a flag.
+
+2.1.  Initial and pre-authenticated tickets
+
+   The INITIAL flag indicates that a ticket was issued using the AS
+   protocol and not issued based on a ticket-granting ticket.
+   Application servers that want to require the knowledge of a client's
+   secret key (e.g., a passwordchanging program) can insist that this
+   flag be set in any tickets they accept, and thus be assured that the
+   client's key was recently presented to the application client.
+
+   The PRE-AUTHENT and HW-AUTHENT flags provide addition information
+   about the initial authentication, regardless of whether the current
+   ticket was issued directly (in which case INITIAL will also be set)
+   or issued on the basis of a ticket-granting ticket (in which case the
+   INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are
+   carried forward from the ticket-granting ticket).
+
+2.2.  Invalid tickets
+
+   The INVALID flag indicates that a ticket is invalid.  Application
+   servers must reject tickets which have this flag set.  A postdated
+   ticket will usually be issued in this form. Invalid tickets must be
+   validated by the KDC before use, by presenting them to the KDC in a
+   TGS request with the VALIDATE option specified.  The KDC will only
+   validate tickets after their starttime has passed.  The validation is
+   required so that postdated tickets which have been stolen before
+   their starttime can be rendered permanently invalid (through a hot-
+   list mechanism).
+
+2.3.  Renewable tickets
+
+   Applications may desire to hold tickets which can be valid for long
+   periods of time.  However, this can expose their credentials to
+   potential theft for equally long periods, and those stolen
+   credentials would be valid until the expiration time of the
+   ticket(s).  Simply using shortlived tickets and obtaining new ones
+   periodically would require the client to have long-term access to its
+   secret key, an even greater risk.  Renewable tickets can be used to
+   mitigate the consequences of theft.  Renewable tickets have two
+   "expiration times": the first is when the current instance of the
+
+
+
+Kohl & Neuman                                                  [Page 12]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   ticket expires, and the second is the latest permissible value for an
+   individual expiration time.  An application client must periodically
+   (i.e., before it expires) present a renewable ticket to the KDC, with
+   the RENEW option set in the KDC request.  The KDC will issue a new
+   ticket with a new session key and a later expiration time.  All other
+   fields of the ticket are left unmodified by the renewal process.
+   When the latest permissible expiration time arrives, the ticket
+   expires permanently.  At each renewal, the KDC may consult a hot-list
+   to determine if the ticket had been reported stolen since its last
+   renewal; it will refuse to renew such stolen tickets, and thus the
+   usable lifetime of stolen tickets is reduced.
+
+   The RENEWABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service (discussed below in section 3.3).  It can
+   usually be ignored by application servers.  However, some
+   particularly careful application servers may wish to disallow
+   renewable tickets.
+
+   If a renewable ticket is not renewed by its  expiration time, the KDC
+   will not renew the ticket.  The RENEWABLE flag is reset by default,
+   but a client may request it be  set  by setting  the RENEWABLE option
+   in the KRB_AS_REQ message.  If it is set, then the renew-till field
+   in the ticket  contains the time after which the ticket may not be
+   renewed.
+
+2.4.  Postdated tickets
+
+   Applications may occasionally need to obtain tickets for use much
+   later, e.g., a batch submission system would need tickets to be valid
+   at the time the batch job is serviced.  However, it is dangerous to
+   hold valid tickets in a batch queue, since they will be on-line
+   longer and more prone to theft.  Postdated tickets provide a way to
+   obtain these tickets from the KDC at job submission time, but to
+   leave them "dormant" until they are activated and validated by a
+   further request of the KDC.  If a ticket theft were reported in the
+   interim, the KDC would refuse to validate the ticket, and the thief
+   would be foiled.
+
+   The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+   ticket-granting service.  It can be ignored by application servers.
+   This flag must be set in a ticket-granting ticket in order to issue a
+   postdated ticket based on the presented ticket. It is reset by
+   default; it may be requested by a client by setting the ALLOW-
+   POSTDATE option in the KRB_AS_REQ message.  This flag does not allow
+   a client to obtain a postdated ticket-granting ticket; postdated
+   ticket-granting tickets can only by obtained by requesting the
+   postdating in the KRB_AS_REQ message.  The life (endtime-starttime)
+   of a postdated ticket will be the remaining life of the ticket-
+
+
+
+Kohl & Neuman                                                  [Page 13]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   granting ticket at the time of the request, unless the RENEWABLE
+   option is also set, in which case it can be the full life (endtime-
+   starttime) of the ticket-granting ticket.  The KDC may limit how far
+   in the future a ticket may be postdated.
+
+   The POSTDATED flag indicates that a ticket has been postdated.  The
+   application server can check the authtime field in the ticket to see
+   when the original authentication occurred.  Some services may choose
+   to reject postdated tickets, or they may only accept them within a
+   certain period after the original authentication. When the KDC issues
+   a POSTDATED ticket, it will also be marked as INVALID, so that the
+   application client must present the ticket to the KDC to be validated
+   before use.
+
+2.5.  Proxiable and proxy tickets
+
+   At times it may be necessary for a principal to allow a service  to
+   perform an operation on its behalf.  The service must be able to take
+   on the identity of the client, but only for  a particular purpose.  A
+   principal can allow a service to take on the principal's identity for
+   a particular purpose by granting it a proxy.
+
+   The PROXIABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service. It can be ignored by application servers.
+   When set, this flag tells the ticket-granting server that it is OK to
+   issue a new ticket (but not a ticket-granting ticket) with a
+   different network address based on this ticket.  This flag is set by
+   default.
+
+   This flag allows a client to pass a proxy to a server to perform a
+   remote request on its behalf, e.g., a print service client can give
+   the print server a proxy to access the client's files on a particular
+   file server in order to satisfy a print request.
+
+   In order to complicate the use of stolen credentials, Kerberos
+   tickets are usually valid from only those network addresses
+   specifically included in the ticket (It is permissible to request or
+   issue tickets with no network addresses specified, but we do not
+   recommend it).  For this reason, a client wishing to grant a proxy
+   must request a new ticket valid for the network address of the
+   service to be granted the proxy.
+
+   The PROXY flag is set in a ticket by the  TGS  when  it issues a
+   proxy ticket.  Application servers may check this flag and require
+   additional authentication  from  the  agent presenting the proxy in
+   order to provide an audit trail.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 14]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+2.6.  Forwardable tickets
+
+   Authentication forwarding is an instance of the proxy case where the
+   service is granted complete use of the client's identity.  An example
+   where it might be used is when a user logs in to a remote system and
+   wants authentication to work from that system as if the login were
+   local.
+
+   The FORWARDABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service.  It can be ignored by application servers.
+   The FORWARDABLE flag has an interpretation similar to that of the
+   PROXIABLE flag, except ticket-granting tickets may also be issued
+   with different network addresses.  This flag is reset by default, but
+   users may request that it be set by setting the FORWARDABLE option in
+   the AS request when they request their initial ticket-granting
+   ticket.
+
+   This flag allows for authentication forwarding without requiring the
+   user to enter a password again.  If the flag is not set, then
+   authentication forwarding is not permitted, but the same end result
+   can still be achieved if the user engages in the AS exchange with the
+   requested network addresses and supplies a password.
+
+   The FORWARDED flag is set by the TGS when a client presents a ticket
+   with the FORWARDABLE flag set and requests it be set by specifying
+   the FORWARDED KDC option and supplying a set of addresses for the new
+   ticket.  It is also set in all tickets issued based on tickets with
+   the FORWARDED flag set.  Application servers may wish to process
+   FORWARDED tickets differently than non-FORWARDED tickets.
+
+2.7.  Other KDC options
+
+   There are two additional options which may be set in a client's
+   request of the KDC.  The RENEWABLE-OK option indicates that the
+   client will accept a renewable ticket if a ticket with the requested
+   life cannot otherwise be provided.  If a ticket with the requested
+   life cannot be provided, then the KDC may issue a renewable ticket
+   with a renew-till equal to the the requested endtime.  The value of
+   the renew-till field may still be adjusted by site-determined limits
+   or limits imposed by the individual principal or server.
+
+   The ENC-TKT-IN-SKEY option is honored only by the ticket-granting
+   service.  It indicates that the to-be-issued ticket for the end
+   server is to be encrypted in the session key from the additional
+   ticket-granting ticket provided with the request.  See section 3.3.3
+   for specific details.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 15]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+3.  Message Exchanges
+
+   The following sections describe the interactions between network
+   clients and servers and the messages involved in those exchanges.
+
+3.1.  The Authentication Service Exchange
+
+                             Summary
+
+         Message direction       Message type    Section
+         1. Client to Kerberos   KRB_AS_REQ      5.4.1
+         2. Kerberos to client   KRB_AS_REP or   5.4.2
+                                 KRB_ERROR       5.9.1
+
+   The Authentication Service (AS) Exchange between the client and the
+   Kerberos Authentication Server is usually initiated by a client when
+   it wishes to obtain authentication credentials for a given server but
+   currently holds no credentials.  The client's secret key is used for
+   encryption and decryption.  This exchange is typically used at the
+   initiation of a login session, to obtain credentials for a Ticket-
+   Granting Server, which will subsequently be used to obtain
+   credentials for other servers (see section 3.3) without requiring
+   further use of the client's secret key.  This exchange is also used
+   to request credentials for services which must not be mediated
+   through the Ticket-Granting Service, but rather require a principal's
+   secret key, such as the password-changing service.  (The password-
+   changing request must not be honored unless the requester can provide
+   the old password (the user's current secret key).  Otherwise, it
+   would be possible for someone to walk up to an unattended session and
+   change another user's password.)  This exchange does not by itself
+   provide any assurance of the the identity of the user.  (To
+   authenticate a user logging on to a local system, the credentials
+   obtained in the AS exchange may first be used in a TGS exchange to
+   obtain credentials for a local server.  Those credentials must then
+   be verified by the local server through successful completion of the
+   Client/Server exchange.)
+
+   The exchange consists of two messages: KRB_AS_REQ from the client to
+   Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+   messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+   In the request, the client sends (in cleartext) its own identity and
+   the identity of the server for which it is requesting credentials.
+   The response, KRB_AS_REP, contains a ticket for the client to present
+   to the server, and a session key that will be shared by the client
+   and the server.  The session key and additional information are
+   encrypted in the client's secret key.  The KRB_AS_REP message
+   contains information which can be used to detect replays, and to
+
+
+
+Kohl & Neuman                                                  [Page 16]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   associate it with the message to which it replies.  Various errors
+   can occur; these are indicated by an error response (KRB_ERROR)
+   instead of the KRB_AS_REP response.  The error message is not
+   encrypted.  The KRB_ERROR message also contains information which can
+   be used to associate it with the message to which it replies.  The
+   lack of encryption in the KRB_ERROR message precludes the ability to
+   detect replays or fabrications of such messages.
+
+   In the normal case the authentication server does not know whether
+   the client is actually the principal named in the request.  It simply
+   sends a reply without knowing or caring whether they are the same.
+   This is acceptable because nobody but the principal whose identity
+   was given in the request will be able to use the reply. Its critical
+   information is encrypted in that principal's key.  The initial
+   request supports an optional field that can be used to pass
+   additional information that might be needed for the initial exchange.
+   This field may be used for preauthentication if desired, but the
+   mechanism is not currently specified.
+
+3.1.1. Generation of KRB_AS_REQ message
+
+   The client may specify a number of options in the initial request.
+   Among these options are whether preauthentication is to be performed;
+   whether the requested ticket is to be renewable, proxiable, or
+   forwardable; whether it should be postdated or allow postdating of
+   derivative tickets; and whether a renewable ticket will be accepted
+   in lieu of a non-renewable ticket if the requested ticket expiration
+   date cannot be satisfied by a nonrenewable ticket (due to
+   configuration constraints; see section 4).  See section A.1 for
+   pseudocode.
+
+   The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+   If all goes well, processing the KRB_AS_REQ message will result in
+   the creation of a ticket for the client to present to the server.
+   The format for the ticket is described in section 5.3.1.  The
+   contents of the ticket are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+   The authentication server looks up the client and server principals
+   named in the KRB_AS_REQ in its database, extracting their respective
+   keys.  If required, the server pre-authenticates the request, and if
+   the pre-authentication check fails, an error message with the code
+   KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate
+   the requested encryption type, an error message with code
+
+
+
+Kohl & Neuman                                                  [Page 17]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it generates a "random"
+   session key ("Random" means that, among other things, it should be
+   impossible to guess the next session key based on knowledge of past
+   session keys.  This can only be achieved in a pseudo-random number
+   generator if it is based on cryptographic principles.  It would be
+   more desirable to use a truly random number generator, such as one
+   based on measurements of random physical phenomena.).
+
+   If the requested start time is absent or indicates a time in the
+   past, then the start time of the ticket is set to the authentication
+   server's current time. If it indicates a time in the future, but the
+   POSTDATED option has not been specified, then the error
+   KDC_ERR_CANNOT_POSTDATE is returned.  Otherwise the requested start
+   time is checked against the policy of the local realm (the
+   administrator might decide to prohibit certain types or ranges of
+   postdated tickets), and if acceptable, the ticket's start time is set
+   as requested and the INVALID flag is set in the new ticket. The
+   postdated ticket must be validated before use by presenting it to the
+   KDC after the start time has been reached.
+
+   The expiration time of the ticket will be set to the minimum of the
+   following:
+
+   +The expiration time (endtime) requested in the KRB_AS_REQ
+    message.
+
+   +The ticket's start time plus the maximum allowable lifetime
+    associated with the client principal (the authentication
+    server's database includes a maximum ticket lifetime field
+    in each principal's record; see section 4).
+
+   +The ticket's start time plus the maximum allowable lifetime
+    associated with the server principal.
+
+   +The ticket's start time plus the maximum lifetime set by
+    the policy of the local realm.
+
+   If the requested expiration time minus the start time (as determined
+   above) is less than a site-determined minimum lifetime, an error
+   message with code KDC_ERR_NEVER_VALID is returned.  If the requested
+   expiration time for the ticket exceeds what was determined as above,
+   and if the "RENEWABLE-OK" option was requested, then the "RENEWABLE"
+   flag is set in the new ticket, and the renew-till value is set as if
+   the "RENEWABLE" option were requested (the field and option names are
+   described fully in section 5.4.1).  If the RENEWABLE option has been
+   requested or if the RENEWABLE-OK option has been set and a renewable
+   ticket is to be issued, then the renew-till field is set to the
+   minimum of:
+
+
+
+Kohl & Neuman                                                  [Page 18]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   +Its requested value.
+
+   +The start time of the ticket plus the minimum of the two
+    maximum renewable lifetimes associated with the principals'
+    database entries.
+
+   +The start time of the ticket plus the maximum renewable
+    lifetime set by the policy of the local realm.
+
+   The flags field of the new ticket will have the following options set
+   if they have been requested and if the policy of the local realm
+   allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
+   If the new ticket is postdated (the start time is in the future), its
+   INVALID flag will also be set.
+
+   If all of the above succeed, the server formats a KRB_AS_REP message
+   (see section 5.4.2), copying the addresses in the request into the
+   caddr of the response, placing any required pre-authentication data
+   into the padata of the response, and encrypts the ciphertext part in
+   the client's key using the requested encryption method, and sends it
+   to the client.  See section A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+   Several errors can occur, and the Authentication Server responds by
+   returning an error message, KRB_ERROR, to the client, with the
+   error-code and e-text fields set to appropriate values.  The error
+   message contents and details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+   If the reply message type is KRB_AS_REP, then the client verifies
+   that the cname and crealm fields in the cleartext portion of the
+   reply match what it requested.  If any padata fields are present,
+   they may be used to derive the proper secret key to decrypt the
+   message.  The client decrypts the encrypted part of the response
+   using its secret key, verifies that the nonce in the encrypted part
+   matches the nonce it supplied in its request (to detect replays).  It
+   also verifies that the sname and srealm in the response match those
+   in the request, and that the host address field is also correct.  It
+   then stores the ticket, session key, start and expiration times, and
+   other information for later use.  The key-expiration field from the
+   encrypted part of the response may be checked to notify the user of
+   impending key expiration (the client program could then suggest
+   remedial action, such as a password change).  See section A.3 for
+   pseudocode.
+
+   Proper decryption of the KRB_AS_REP message is not sufficient to
+
+
+
+Kohl & Neuman                                                  [Page 19]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   verify the identity of the user; the user and an attacker could
+   cooperate to generate a KRB_AS_REP format message which decrypts
+   properly but is not from the proper KDC.  If the host wishes to
+   verify the identity of the user, it must require the user to present
+   application credentials which can be verified using a securely-stored
+   secret key.  If those credentials can be verified, then the identity
+   of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+   If the reply message type is KRB_ERROR, then the client interprets it
+   as an error and performs whatever application-specific tasks are
+   necessary to recover.
+
+3.2.  The Client/Server Authentication Exchange
+
+                        Summary
+
+   Message direction                         Message type    Section
+   Client to Application server              KRB_AP_REQ      5.5.1
+   [optional] Application server to client   KRB_AP_REP or   5.5.2
+                                             KRB_ERROR       5.9.1
+
+   The client/server authentication (CS) exchange is used by network
+   applications to authenticate the client to the server and vice versa.
+   The client must have already acquired credentials for the server
+   using the AS or TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+   The KRB_AP_REQ contains authentication information which should be
+   part of the first message in an authenticated transaction.  It
+   contains a ticket, an authenticator, and some additional bookkeeping
+   information (see section 5.5.1 for the exact format).  The ticket by
+   itself is insufficient to authenticate a client, since tickets are
+   passed across the network in cleartext(Tickets contain both an
+   encrypted and unencrypted portion, so cleartext here refers to the
+   entire unit, which can be copied from one message and replayed in
+   another without any cryptographic skill.), so the authenticator is
+   used to prevent invalid replay of tickets by proving to the server
+   that the client knows the session key of the ticket and thus is
+   entitled to use it.  The KRB_AP_REQ message is referred to elsewhere
+   as the "authentication header."
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+   When a client wishes to initiate authentication to a server, it
+   obtains (either through a credentials cache, the AS exchange, or the
+
+
+
+Kohl & Neuman                                                  [Page 20]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   TGS exchange) a ticket and session key for the desired service.  The
+   client may re-use any tickets it holds until they expire.  The client
+   then constructs a new Authenticator from the the system time, its
+   name, and optionally an application specific checksum, an initial
+   sequence number to be used in KRB_SAFE or KRB_PRIV messages, and/or a
+   session subkey to be used in negotiations for a session key unique to
+   this particular session.  Authenticators may not be re-used and will
+   be rejected if replayed to a server (Note that this can make
+   applications based on unreliable transports difficult to code
+   correctly, if the transport might deliver duplicated messages.  In
+   such cases, a new authenticator must be generated for each retry.).
+   If a sequence number is to be included, it should be randomly chosen
+   so that even after many messages have been exchanged it is not likely
+   to collide with other sequence numbers in use.
+
+   The client may indicate a requirement of mutual authentication or the
+   use of a session-key based ticket by setting the appropriate flag(s)
+   in the ap-options field of the message.
+
+   The Authenticator is encrypted in the session key and combined with
+   the ticket to form the KRB_AP_REQ message which is then sent to the
+   end server along with any additional application-specific
+   information.  See section A.9 for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+   Authentication is based on the server's current time of day (clocks
+   must be loosely synchronized), the authenticator, and the ticket.
+   Several errors are possible.  If an error occurs, the server is
+   expected to reply to the client with a KRB_ERROR message.  This
+   message may be encapsulated in the application protocol if its "raw"
+   form is not acceptable to the protocol. The format of error messages
+   is described in section 5.9.1.
+
+   The algorithm for verifying authentication information is as follows.
+   If the message type is not KRB_AP_REQ, the server returns the
+   KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket
+   in the KRB_AP_REQ is not one the server can use (e.g., it indicates
+   an old key, and the server no longer possesses a copy of the old
+   key), the KRB_AP_ERR_BADKEYVER error is returned.  If the USE-
+   SESSION-KEY flag is set in the ap-options field, it indicates to the
+   server that the ticket is encrypted in the session key from the
+   server's ticket-granting ticket rather than its secret key (This is
+   used for user-to-user authentication as described in [6]).  Since it
+   is possible for the server to be registered in multiple realms, with
+   different keys in each, the srealm field in the unencrypted portion
+   of the ticket in the KRB_AP_REQ is used to specify which secret key
+   the server should use to decrypt that ticket.  The KRB_AP_ERR_NOKEY
+
+
+
+Kohl & Neuman                                                  [Page 21]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   error code is returned if the server doesn't have the proper key to
+   decipher the ticket.
+
+   The ticket is decrypted using the version of the server's key
+   specified by the ticket.  If the decryption routines detect a
+   modification of the ticket (each encryption system must provide
+   safeguards to detect modified ciphertext; see section 6), the
+   KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
+   different keys were used to encrypt and decrypt).
+
+   The authenticator is decrypted using the session key extracted from
+   the decrypted ticket.  If decryption shows it to have been modified,
+   the KRB_AP_ERR_BAD_INTEGRITY error is returned.  The name and realm
+   of the client from the ticket are compared against the same fields in
+   the authenticator.  If they don't match, the KRB_AP_ERR_BADMATCH
+   error is returned (they might not match, for example, if the wrong
+   session key was used to encrypt the authenticator).  The addresses in
+   the ticket (if any) are then searched for an address matching the
+   operating-system reported address of the client.  If no match is
+   found or the server insists on ticket addresses but none are present
+   in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+   If the local (server) time and the client time in the authenticator
+   differ by more than the allowable clock skew (e.g., 5 minutes), the
+   KRB_AP_ERR_SKEW error is returned.  If the server name, along with
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   returned (Note that the rejection here is restricted to
+   authenticators from the same principal to the same server.  Other
+   client principals communicating with the same server principal should
+   not be have their authenticators rejected if the time and microsecond
+   fields happen to match some other client's authenticator.).  The
+   server must remember any authenticator presented within the allowable
+   clock skew, so that a replay attempt is guaranteed to fail. If a
+   server loses track of any authenticator presented within the
+   allowable clock skew, it must reject all requests until the clock
+   skew interval has passed.  This assures that any lost or re-played
+   authenticators will fall outside the allowable clock skew and can no
+   longer be successfully replayed (If this is not done, an attacker
+   could conceivably record the ticket and authenticator sent over the
+   network to a server, then disable the client's host, pose as the
+   disabled host, and replay the ticket and authenticator to subvert the
+   authentication.).  If a sequence number is provided in the
+   authenticator, the server saves it for later use in processing
+   KRB_SAFE and/or KRB_PRIV messages.  If a subkey is present, the
+   server either saves it for later use or uses it to help generate its
+   own choice for a subkey to be returned in a KRB_AP_REP message.
+
+
+
+
+Kohl & Neuman                                                  [Page 22]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   The server computes the age of the ticket: local (server) time minus
+   the start time inside the Ticket.  If the start time is later than
+   the current time by more than the allowable clock skew or if the
+   INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is
+   returned.  Otherwise, if the current time is later than end time by
+   more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error
+   is returned.
+
+   If all these checks succeed without an error, the server is assured
+   that the client possesses the credentials of the principal named in
+   the ticket and thus, the client has been authenticated to the server.
+   See section A.10 for pseudocode.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+   Typically, a client's request will include both the authentication
+   information and its initial request in the same message, and the
+   server need not explicitly reply to the KRB_AP_REQ.  However, if
+   mutual authentication (not only authenticating the client to the
+   server, but also the server to the client) is being performed, the
+   KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
+   field, and a KRB_AP_REP message is required in response.  As with the
+   error message, this message may be encapsulated in the application
+   protocol if its "raw" form is not acceptable to the application's
+   protocol.  The timestamp and microsecond field used in the reply must
+   be the client's timestamp and microsecond field (as provided in the
+   authenticator). [Note: In the Kerberos version 4 protocol, the
+   timestamp in the reply was the client's timestamp plus one.  This is
+   not necessary in version 5 because version 5 messages are formatted
+   in such a way that it is not possible to create the reply by
+   judicious message surgery (even in encrypted form) without knowledge
+   of the appropriate encryption keys.]  If a sequence number is to be
+   included, it should be randomly chosen as described above for the
+   authenticator.  A subkey may be included if the server desires to
+   negotiate a different subkey.  The KRB_AP_REP message is encrypted in
+   the session key extracted from the ticket.  See section A.11 for
+   pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+   If a KRB_AP_REP message is returned, the client uses the session key
+   from the credentials obtained for the server (Note that for
+   encrypting the KRB_AP_REP message, the sub-session key is not used,
+   even if present in the Authenticator.) to decrypt the message, and
+   verifies that the timestamp and microsecond fields match those in the
+   Authenticator it sent to the server.  If they match, then the client
+   is assured that the server is genuine. The sequence number and subkey
+   (if present) are retained for later use.  See section A.12 for
+
+
+
+Kohl & Neuman                                                  [Page 23]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   pseudocode.
+
+3.2.6. Using the encryption key
+
+   After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+   server share an encryption key which can be used by the application.
+   The "true session key" to be used for KRB_PRIV, KRB_SAFE, or other
+   application-specific uses may be chosen by the application based on
+   the subkeys in the KRB_AP_REP message and the authenticator
+   (Implementations of the protocol may wish to provide routines to
+   choose subkeys based on session keys and random numbers and to
+   orchestrate a negotiated key to be returned in the KRB_AP_REP
+   message.).  In some cases, the use of this session key will be
+   implicit in the protocol; in others the method of use must be chosen
+   from a several alternatives.  We leave the protocol negotiations of
+   how to use the key (e.g., selecting an encryption or checksum type)
+   to the application programmer; the Kerberos protocol does not
+   constrain the implementation options.
+
+   With both the one-way and mutual authentication exchanges, the peers
+   should take care not to send sensitive information to each other
+   without proper assurances.  In particular, applications that require
+   privacy or integrity should use the KRB_AP_REP or KRB_ERROR responses
+   from the server to client to assure both client and server of their
+   peer's identity.  If an application protocol requires privacy of its
+   messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE
+   message (section 3.4) can be used to assure integrity.
+
+3.3.  The Ticket-Granting Service (TGS) Exchange
+
+                             Summary
+
+         Message direction       Message type     Section
+         1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+         2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                                 KRB_ERROR        5.9.1
+
+   The TGS exchange between a client and the Kerberos Ticket-Granting
+   Server is initiated by a client when it wishes to obtain
+   authentication credentials for a given server (which might be
+   registered in a remote realm), when it wishes to renew or validate an
+   existing ticket, or when it wishes to obtain a proxy ticket.  In the
+   first case, the client must already have acquired a ticket for the
+   Ticket-Granting Service using the AS exchange (the ticket-granting
+   ticket is usually obtained when a client initially authenticates to
+   the system, such as when a user logs in).  The message format for the
+   TGS exchange is almost identical to that for the AS exchange.  The
+   primary difference is that encryption and decryption in the TGS
+
+
+
+Kohl & Neuman                                                  [Page 24]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   exchange does not take place under the client's key.  Instead, the
+   session key from the ticket-granting ticket or renewable ticket, or
+   sub-session key from an Authenticator is used.  As is the case for
+   all application servers, expired tickets are not accepted by the TGS,
+   so once a renewable or ticket-granting ticket expires, the client
+   must use a separate exchange to obtain valid tickets.
+
+   The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
+   from the client to the Kerberos Ticket-Granting Server, and a reply
+   (KRB_TGS_REP or KRB_ERROR).  The KRB_TGS_REQ message includes
+   information authenticating the client plus a request for credentials.
+   The authentication information consists of the authentication header
+   (KRB_AP_REQ) which includes the client's previously obtained ticket-
+   granting, renewable, or invalid ticket.  In the ticket-granting
+   ticket and proxy cases, the request may include one or more of: a
+   list of network addresses, a collection of typed authorization data
+   to be sealed in the ticket for authorization use by the application
+   server, or additional tickets (the use of which are described later).
+   The TGS reply (KRB_TGS_REP) contains the requested credentials,
+   encrypted in the session key from the ticket-granting ticket or
+   renewable ticket, or if present, in the subsession key from the
+   Authenticator (part of the authentication header). The KRB_ERROR
+   message contains an error code and text explaining what went wrong.
+   The KRB_ERROR message is not encrypted.  The KRB_TGS_REP message
+   contains information which can be used to detect replays, and to
+   associate it with the message to which it replies.  The KRB_ERROR
+   message also contains information which can be used to associate it
+   with the message to which it replies, but the lack of encryption in
+   the KRB_ERROR message precludes the ability to detect replays or
+   fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+   Before sending a request to the ticket-granting service, the client
+   must determine in which realm the application server is registered
+   [Note: This can be accomplished in several ways.  It might be known
+   beforehand (since the realm is part of the principal identifier), or
+   it might be stored in a nameserver.  Presently, however, this
+   information is obtained from a configuration file.  If the realm to
+   be used is obtained from a nameserver, there is a danger of being
+   spoofed if the nameservice providing the realm name is not
+   authenticated.  This might result in the use of a realm which has
+   been compromised, and would result in an attacker's ability to
+   compromise the authentication of the application server to the
+   client.].  If the client does not already possess a ticket-granting
+   ticket for the appropriate realm, then one must be obtained.  This is
+   first attempted by requesting a ticket-granting ticket for the
+   destination realm from the local Kerberos server (using the
+
+
+
+Kohl & Neuman                                                  [Page 25]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   KRB_TGS_REQ message recursively).  The Kerberos server may return a
+   TGT for the desired realm in which case one can proceed.
+   Alternatively, the Kerberos server may return a TGT for a realm which
+   is "closer" to the desired realm (further along the standard
+   hierarchical path), in which case this step must be repeated with a
+   Kerberos server in the realm specified in the returned TGT.  If
+   neither are returned, then the request must be retried with a
+   Kerberos server for a realm higher in the hierarchy.  This request
+   will itself require a ticket-granting ticket for the higher realm
+   which must be obtained by recursively applying these directions.
+
+   Once the client obtains a ticket-granting ticket for the appropriate
+   realm, it determines which Kerberos servers serve that realm, and
+   contacts one. The list might be obtained through a configuration file
+   or network service; as long as the secret keys exchanged by realms
+   are kept secret, only denial of service results from a false Kerberos
+   server.
+
+   As in the AS exchange, the client may specify a number of options in
+   the KRB_TGS_REQ message.  The client prepares the KRB_TGS_REQ
+   message, providing an authentication header as an element of the
+   padata field, and including the same fields as used in the KRB_AS_REQ
+   message along with several optional fields: the enc-authorization-
+   data field for application server use and additional tickets required
+   by some options.
+
+   In preparing the authentication header, the client can select a sub-
+   session key under which the response from the Kerberos server will be
+   encrypted (If the client selects a sub-session key, care must be
+   taken to ensure the randomness of the selected subsession key.  One
+   approach would be to generate a random number and XOR it with the
+   session key from the ticket-granting ticket.). If the sub-session key
+   is not specified, the session key from the ticket-granting ticket
+   will be used.  If the enc-authorization-data is present, it must be
+   encrypted in the sub-session key, if present, from the authenticator
+   portion of the authentication header, or if not present in the
+   session key from the ticket-granting ticket.
+
+   Once prepared, the message is sent to a Kerberos server for the
+   destination realm.  See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+   The KRB_TGS_REQ message is processed in a manner similar to the
+   KRB_AS_REQ message, but there are many additional checks to be
+   performed.  First, the Kerberos server must determine which server
+   the accompanying ticket is for and it must select the appropriate key
+   to decrypt it. For a normal KRB_TGS_REQ message, it will be for the
+
+
+
+Kohl & Neuman                                                  [Page 26]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   ticket granting service, and the TGS's key will be used.  If the TGT
+   was issued by another realm, then the appropriate inter-realm key
+   must be used.  If the accompanying ticket is not a ticket granting
+   ticket for the current realm, but is for an application server in the
+   current realm, the RENEW, VALIDATE, or PROXY options are specified in
+   the request, and the server for which a ticket is requested is the
+   server named in the accompanying ticket, then the KDC will decrypt
+   the ticket in the authentication header using the key of the server
+   for which it was issued.  If no ticket can be found in the padata
+   field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+   Once the accompanying ticket has been decrypted, the user-supplied
+   checksum in the Authenticator must be verified against the contents
+   of the request, and the message rejected if the checksums do not
+   match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
+   is not keyed or not collision-proof (with an error code of
+   KRB_AP_ERR_INAPP_CKSUM).  If the checksum type is not supported, the
+   KDC_ERR_SUMTYPE_NOSUPP error is returned.  If the authorization-data
+   are present, they are decrypted using the sub-session key from the
+   Authenticator.
+
+   If any of the decryptions indicate failed integrity checks, the
+   KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+   The KRB_TGS_REP message shares its format with the KRB_AS_REP
+   (KRB_KDC_REP), but with its type field set to KRB_TGS_REP.  The
+   detailed specification is in section 5.4.2.
+
+   The response will include a ticket for the requested server.  The
+   Kerberos database is queried to retrieve the record for the requested
+   server (including the key with which the ticket will be encrypted).
+   If the request is for a ticket granting ticket for a remote realm,
+   and if no key is shared with the requested realm, then the Kerberos
+   server will select the realm "closest" to the requested realm with
+   which it does share a key, and use that realm instead. This is the
+   only case where the response from the KDC will be for a different
+   server than that requested by the client.
+
+   By default, the address field, the client's name and realm, the list
+   of transited realms, the time of initial authentication, the
+   expiration time, and the authorization data of the newly-issued
+   ticket will be copied from the ticket-granting ticket (TGT) or
+   renewable ticket.  If the transited field needs to be updated, but
+   the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error
+   is returned.
+
+
+
+
+Kohl & Neuman                                                  [Page 27]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If the request specifies an endtime, then the endtime of the new
+   ticket is set to the minimum of (a) that request, (b) the endtime
+   from the TGT, and (c) the starttime of the TGT plus the minimum of
+   the maximum life for the application server and the maximum life for
+   the local realm (the maximum life for the requesting principal was
+   already applied when the TGT was issued).  If the new ticket is to be
+   a renewal, then the endtime above is replaced by the minimum of (a)
+   the value of the renew_till field of the ticket and (b) the starttime
+   for the new ticket plus the life (endtimestarttime) of the old
+   ticket.
+
+   If the FORWARDED option has been requested, then the resulting ticket
+   will contain the addresses specified by the client.  This option will
+   only be honored if the FORWARDABLE flag is set in the TGT.  The PROXY
+   option is similar; the resulting ticket will contain the addresses
+   specified by the client.  It will be honored only if the PROXIABLE
+   flag in the TGT is set.  The PROXY option will not be honored on
+   requests for additional ticket-granting tickets.
+
+   If the requested start time is absent or indicates a time in the
+   past, then the start time of the ticket is set to the authentication
+   server's current time.  If it indicates a time in the future, but the
+   POSTDATED option has not been specified or the MAY-POSTDATE flag is
+   not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
+   returned.  Otherwise, if the ticket-granting ticket has the
+   MAYPOSTDATE flag set, then the resulting ticket will be postdated and
+   the requested starttime is checked against the policy of the local
+   realm. If acceptable, the ticket's start time is set as requested,
+   and the INVALID flag is set.  The postdated ticket must be validated
+   before use by presenting it to the KDC after the starttime has been
+   reached. However, in no case may the starttime, endtime, or renew-
+   till time of a newly-issued postdated ticket extend beyond the
+   renew-till time of the ticket-granting ticket.
+
+   If the ENC-TKT-IN-SKEY option has been specified and an additional
+   ticket has been included in the request, the KDC will decrypt the
+   additional ticket using the key for the server to which the
+   additional ticket was issued and verify that it is a ticket-granting
+   ticket.  If the name of the requested server is missing from the
+   request, the name of the client in the additional ticket will be
+   used.  Otherwise the name of the requested server will be compared to
+   the name of the client in the additional ticket and if different, the
+   request will be rejected.  If the request succeeds, the session key
+   from the additional ticket will be used to encrypt the new ticket
+   that is issued instead of using the key of the server for which the
+   new ticket will be used (This allows easy implementation of user-to-
+   user authentication [6], which uses ticket-granting ticket session
+   keys in lieu of secret server keys in situations where such secret
+
+
+
+Kohl & Neuman                                                  [Page 28]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   keys could be easily compromised.).
+
+   If the name of the server in the ticket that is presented to the KDC
+   as part of the authentication header is not that of the ticket-
+   granting server itself, and the server is registered in the realm of
+   the KDC, If the RENEW option is requested, then the KDC will verify
+   that the RENEWABLE flag is set in the ticket and that the renew_till
+   time is still in the future.  If the VALIDATE option is rqeuested,
+   the KDC will check that the starttime has passed and the INVALID flag
+   is set.  If the PROXY option is requested, then the KDC will check
+   that the PROXIABLE flag is set in the ticket.  If the tests succeed,
+   the KDC will issue the appropriate new ticket.
+
+   Whenever a request is made to the ticket-granting server, the
+   presented ticket(s) is(are) checked against a hot-list of tickets
+   which have been canceled.  This hot-list might be implemented by
+   storing a range of issue dates for "suspect tickets"; if a presented
+   ticket had an authtime in that range, it would be rejected.  In this
+   way, a stolen ticket-granting ticket or renewable ticket cannot be
+   used to gain additional tickets (renewals or otherwise) once the
+   theft has been reported.  Any normal ticket obtained before it was
+   reported stolen will still be valid (because they require no
+   interaction with the KDC), but only until their normal expiration
+   time.
+
+   The ciphertext part of the response in the KRB_TGS_REP message is
+   encrypted in the sub-session key from the Authenticator, if present,
+   or the session key key from the ticket-granting ticket.  It is not
+   encrypted using the client's secret key.  Furthermore, the client's
+   key's expiration date and the key version number fields are left out
+   since these values are stored along with the client's database
+   record, and that record is not needed to satisfy a request based on a
+   ticket-granting ticket.  See section A.6 for pseudocode.
+
+3.3.3.1.  Encoding the transited field
+
+   If the identity of the server in the TGT that is presented to the KDC
+   as part of the authentication header is that of the ticket-granting
+   service, but the TGT was issued from another realm, the KDC will look
+   up the inter-realm key shared with that realm and use that key to
+   decrypt the ticket.  If the ticket is valid, then the KDC will honor
+   the request, subject to the constraints outlined above in the section
+   describing the AS exchange.  The realm part of the client's identity
+   will be taken from the ticket-granting ticket.  The name of the realm
+   that issued the ticket-granting ticket will be added to the transited
+   field of the ticket to be issued.  This is accomplished by reading
+   the transited field from the ticket-granting ticket (which is treated
+   as an unordered set of realm names), adding the new realm to the set,
+
+
+
+Kohl & Neuman                                                  [Page 29]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   then constructing and writing out its encoded (shorthand) form (this
+   may involve a rearrangement of the existing encoding).
+
+   Note that the ticket-granting service does not add the name of its
+   own realm.  Instead, its responsibility is to add the name of the
+   previous realm.  This prevents a malicious Kerberos server from
+   intentionally leaving out its own name (it could, however, omit other
+   realms' names).
+
+   The names of neither the local realm nor the principal's realm are to
+   be included in the transited field.  They appear elsewhere in the
+   ticket and both are known to have taken part in authenticating the
+   principal.  Since the endpoints are not included, both local and
+   single-hop inter-realm authentication result in a transited field
+   that is empty.
+
+   Because the name of each realm transited  is  added  to this field,
+   it might potentially be very long.  To decrease the length of this
+   field, its contents are encoded.  The initially supported encoding is
+   optimized for the normal case of inter-realm communication: a
+   hierarchical arrangement of realms using either domain or X.500 style
+   realm names. This encoding (called DOMAIN-X500-COMPRESS) is now
+   described.
+
+   Realm names in the transited field are separated by a ",".  The ",",
+   "\", trailing "."s, and leading spaces (" ") are special characters,
+   and if they are part of a realm name, they must be quoted in the
+   transited field by preceding them with a "\".
+
+   A realm name ending with a "." is interpreted as  being prepended to
+   the previous realm.  For example, we can encode traversal of EDU,
+   MIT.EDU,  ATHENA.MIT.EDU,  WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+              "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+   Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were endpoints,
+   that they would not be included in this field, and we would have:
+
+              "EDU,MIT.,WASHINGTON.EDU"
+
+   A realm name beginning with a "/" is interpreted as being appended to
+   the previous realm (For the purpose of appending, the realm preceding
+   the first listed realm is considered to be the null realm ("")).  If
+   it is to stand by itself, then it should be preceded by a space ("
+   ").  For example, we can encode traversal of /COM/HP/APOLLO, /COM/HP,
+   /COM, and /COM/DEC as:
+
+              "/COM,/HP,/APOLLO, /COM/DEC".
+
+
+
+Kohl & Neuman                                                  [Page 30]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints,
+   they they would not be included in this field, and we would have:
+
+              "/COM,/HP"
+
+   A null subfield preceding or following a "," indicates that all
+   realms between the previous realm and the next realm have been
+   traversed (For the purpose of interpreting null subfields, the
+   client's realm is considered to precede those in the transited field,
+   and the server's realm is considered to follow them.). Thus, ","
+   means that all realms along the path between the client and the
+   server have been traversed.  ",EDU, /COM," means that that all realms
+   from the client's realm up to EDU (in a domain style hierarchy) have
+   been traversed, and that everything from /COM down to the server's
+   realm in an X.500 style has also been traversed.  This could occur if
+   the EDU realm in one hierarchy shares an inter-realm key directly
+   with the /COM realm in another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+   When the KRB_TGS_REP is received by the client, it is processed in
+   the same manner as the KRB_AS_REP processing described above.  The
+   primary difference is that the ciphertext part of the response must
+   be decrypted using the session key from the ticket-granting ticket
+   rather than the client's secret key.  See section A.7 for pseudocode.
+
+3.4.  The KRB_SAFE Exchange
+
+   The KRB_SAFE message may be used by clients requiring the ability to
+   detect modifications of messages they exchange.  It achieves this by
+   including a keyed collisionproof checksum of the user data and some
+   control information.  The checksum is keyed with an encryption key
+   (usually the last key negotiated via subkeys, or the session key if
+   no negotiation has occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+   When an application wishes to send a KRB_SAFE message, it collects
+   its data and the appropriate control information and computes a
+   checksum over them.  The checksum algorithm should be some sort of
+   keyed one-way hash function (such as the RSA-MD5-DES checksum
+   algorithm specified in section 6.4.5, or the DES MAC), generated
+   using the sub-session key if present, or the session key.  Different
+   algorithms may be selected by changing the checksum type in the
+   message.  Unkeyed or non-collision-proof checksums are not suitable
+   for this use.
+
+   The control information for the KRB_SAFE message includes both a
+
+
+
+Kohl & Neuman                                                  [Page 31]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   timestamp and a sequence number.  The designer of an application
+   using the KRB_SAFE message must choose at least one of the two
+   mechanisms.  This choice should be based on the needs of the
+   application protocol.
+
+   Sequence numbers are useful when all messages sent will be received
+   by one's peer.  Connection state is presently required to maintain
+   the session key, so maintaining the next sequence number should not
+   present an additional problem.
+
+   If the application protocol is expected to tolerate lost messages
+   without them being resent, the use of the timestamp is the
+   appropriate replay detection mechanism.  Using timestamps is also the
+   appropriate mechanism for multi-cast protocols where all of one's
+   peers share a common sub-session key, but some messages will be sent
+   to a subset of one's peers.
+
+   After computing the checksum, the client then transmits the
+   information and checksum to the recipient in the message format
+   specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+   When an application receives a KRB_SAFE message, it verifies it as
+   follows.  If any error occurs, an error code is reported for use by
+   the application.
+
+   The message is first checked by verifying that the protocol version
+   and type fields match the current version and KRB_SAFE, respectively.
+   A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
+   error.  The application verifies that the checksum used is a
+   collisionproof keyed checksum, and if it is not, a
+   KRB_AP_ERR_INAPP_CKSUM error is generated.  The recipient verifies
+   that the operating system's report of the sender's address matches
+   the sender's address in the message, and (if a recipient address is
+   specified or the recipient requires an address) that one of the
+   recipient's addresses appears as the recipient's address in the
+   message.  A failed match for either case generates a
+   KRB_AP_ERR_BADADDR error.  Then the timestamp and usec and/or the
+   sequence number fields are checked.  If timestamp and usec are
+   expected and not present, or they are present but not current, the
+   KRB_AP_ERR_SKEW error is generated.  If the server name, along with
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   generated.  If an incorrect sequence number is included, or a
+   sequence number is expected but not present, the KRB_AP_ERR_BADORDER
+   error is generated.  If neither a timestamp and usec or a sequence
+   number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+
+
+Kohl & Neuman                                                  [Page 32]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Finally, the checksum is computed over the data and control
+   information, and if it doesn't match the received checksum, a
+   KRB_AP_ERR_MODIFIED error is generated.
+
+   If all the checks succeed, the application is assured that the
+   message was generated by its peer and was not modified in transit.
+
+3.5.  The KRB_PRIV Exchange
+
+   The KRB_PRIV message may be used by clients requiring confidentiality
+   and the ability to detect modifications of exchanged messages.  It
+   achieves this by encrypting the messages and adding control
+   information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+   When an application wishes to send a KRB_PRIV message, it collects
+   its data and the appropriate control information (specified in
+   section 5.7.1) and encrypts them under an encryption key (usually the
+   last key negotiated via subkeys, or the session key if no negotiation
+   has occured).  As part of the control information, the client must
+   choose to use either a timestamp or a sequence number (or both); see
+   the discussion in section 3.4.1 for guidelines on which to use.
+   After the user data and control information are encrypted, the client
+   transmits the ciphertext and some "envelope" information to the
+   recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+   When an application receives a KRB_PRIV message, it verifies it as
+   follows.  If any error occurs, an error code is reported for use by
+   the application.
+
+   The message is first checked by verifying that the protocol version
+   and type fields match the current version and KRB_PRIV, respectively.
+   A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
+   error.  The application then decrypts the ciphertext and processes
+   the resultant plaintext. If decryption shows the data to have been
+   modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated.  The
+   recipient verifies that the operating system's report of the sender's
+   address matches the sender's address in the message, and (if a
+   recipient address is specified or the recipient requires an address)
+   that one of the recipient's addresses appears as the recipient's
+   address in the message.  A failed match for either case generates a
+   KRB_AP_ERR_BADADDR error.  Then the timestamp and usec and/or the
+   sequence number fields are checked. If timestamp and usec are
+   expected and not present, or they are present but not current, the
+   KRB_AP_ERR_SKEW error is generated.  If the server name, along with
+
+
+
+Kohl & Neuman                                                  [Page 33]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   generated.  If an incorrect sequence number is included, or a
+   sequence number is expected but not present, the KRB_AP_ERR_BADORDER
+   error is generated.  If neither a timestamp and usec or a sequence
+   number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+   If all the checks succeed, the application can assume the message was
+   generated by its peer, and was securely transmitted (without
+   intruders able to see the unencrypted contents).
+
+3.6.  The KRB_CRED Exchange
+
+   The KRB_CRED message may be used by clients requiring the ability to
+   send Kerberos credentials from one host to another.  It achieves this
+   by sending the tickets together with encrypted data containing the
+   session keys and other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+   When an application wishes to send a KRB_CRED message it first (using
+   the KRB_TGS exchange) obtains credentials to be sent to the remote
+   host.  It then constructs a KRB_CRED message using the ticket or
+   tickets so obtained, placing the session key needed to use each
+   ticket in the key field of the corresponding KrbCredInfo sequence of
+   the encrypted part of the the KRB_CRED message.
+
+   Other information associated with each ticket and obtained during the
+   KRB_TGS exchange is also placed in the corresponding KrbCredInfo
+   sequence in the encrypted part of the KRB_CRED message.  The current
+   time and, if specifically required by the application the nonce, s-
+   address, and raddress fields, are placed in the encrypted part of the
+   KRB_CRED message which is then encrypted under an encryption key
+   previosuly exchanged in the KRB_AP exchange (usually the last key
+   negotiated via subkeys, or the session key if no negotiation has
+   occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+   When an application receives a KRB_CRED message, it verifies it.  If
+   any error occurs, an error code is reported for use by the
+   application.  The message is verified by checking that the protocol
+   version and type fields match the current version and KRB_CRED,
+   respectively.  A mismatch generates a KRB_AP_ERR_BADVERSION or
+   KRB_AP_ERR_MSG_TYPE error.  The application then decrypts the
+   ciphertext and processes the resultant plaintext. If decryption shows
+   the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+   generated.
+
+
+
+Kohl & Neuman                                                  [Page 34]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If present or required, the recipient verifies that the operating
+   system's report of the sender's address matches the sender's address
+   in the message, and that one of the recipient's addresses appears as
+   the recipient's address in the message.  A failed match for either
+   case generates a KRB_AP_ERR_BADADDR error.  The timestamp and usec
+   fields (and the nonce field if required) are checked next.  If the
+   timestamp and usec are not present, or they are present but not
+   current, the KRB_AP_ERR_SKEW error is generated.
+
+   If all the checks succeed, the application stores each of the new
+   tickets in its ticket cache together with the session key and other
+   information in the corresponding KrbCredInfo sequence from the
+   encrypted part of the KRB_CRED message.
+
+4.  The Kerberos Database
+
+   The Kerberos server must have access to a database containing the
+   principal identifiers and secret keys of principals to be
+   authenticated (The implementation of the Kerberos server need not
+   combine the database and the server on the same machine; it is
+   feasible to store the principal database in, say, a network name
+   service, as long as the entries stored therein are protected from
+   disclosure to and modification by unauthorized parties.  However, we
+   recommend against such strategies, as they can make system management
+   and threat analysis quite complex.).
+
+4.1.  Database contents
+
+   A database entry should contain at least the following fields:
+
+   Field                Value
+
+   name                 Principal's identifier
+   key                  Principal's secret key
+   p_kvno               Principal's key version
+   max_life             Maximum lifetime for Tickets
+   max_renewable_life   Maximum total lifetime for renewable
+                        Tickets
+
+   The name field is an encoding of the principal's identifier.  The key
+   field contains an encryption key.  This key is the principal's secret
+   key.  (The key can be encrypted before storage under a Kerberos
+   "master key" to protect it in case the database is compromised but
+   the master key is not.  In that case, an extra field must be added to
+   indicate the master key version used, see below.) The p_kvno field is
+   the key version number of the principal's secret key.  The max_life
+   field contains the maximum allowable lifetime (endtime - starttime)
+   for any Ticket issued for this principal.  The max_renewable_life
+
+
+
+Kohl & Neuman                                                  [Page 35]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   field contains the maximum allowable total lifetime for any renewable
+   Ticket issued for this principal.  (See section 3.1 for a description
+   of how these lifetimes are used in determining the lifetime of a
+   given Ticket.)
+
+   A server may provide KDC service to several realms, as long as the
+   database representation provides a mechanism to distinguish between
+   principal records with identifiers which differ only in the realm
+   name.
+
+   When an application server's key changes, if the change is routine
+   (i.e.,  not the result of disclosure of the old key), the old key
+   should be retained by the server until all tickets that had been
+   issued using that key have expired.  Because of this, it is possible
+   for several keys to be active for a single principal.  Ciphertext
+   encrypted in a principal's key is always tagged with the version of
+   the key that was used for encryption, to help the recipient find the
+   proper key for decryption.
+
+   When more than one key is active for a particular principal, the
+   principal will have more than one record in the Kerberos database.
+   The keys and key version numbers will differ between the records (the
+   rest of the fields may or may not be the same). Whenever Kerberos
+   issues a ticket, or responds to a request for initial authentication,
+   the most recent key (known by the Kerberos server) will be used for
+   encryption.  This is the key with the highest key version number.
+
+4.2.  Additional fields
+
+   Project Athena's KDC implementation uses additional fields in its
+   database:
+
+   Field        Value
+
+   K_kvno       Kerberos' key version
+   expiration   Expiration date for entry
+   attributes   Bit field of attributes
+   mod_date     Timestamp of last modification
+   mod_name     Modifying principal's identifier
+
+   The K_kvno field indicates the key version of the Kerberos master key
+   under which the principal's secret key is encrypted.
+
+   After an entry's expiration date has passed, the KDC will return an
+   error to any client attempting to gain tickets as or for the
+   principal.  (A database may want to maintain two expiration dates:
+   one for the principal, and one for the principal's current key.  This
+   allows password aging to work independently of the principal's
+
+
+
+Kohl & Neuman                                                  [Page 36]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   expiration date.  However, due to the limited space in the responses,
+   the KDC must combine the key expiration and principal expiration date
+   into a single value called "key_exp", which is used as a hint to the
+   user to take administrative action.)
+
+   The attributes field is a bitfield used to govern the operations
+   involving the principal.  This field might be useful in conjunction
+   with user registration procedures, for site-specific policy
+   implementations (Project Athena currently uses it for their user
+   registration process controlled by the system-wide database service,
+   Moira [7]), or to identify the "string to key" conversion algorithm
+   used for a principal's key.  (See the discussion of the padata field
+   in section 5.4.2 for details on why this can be useful.)  Other bits
+   are used to indicate that certain ticket options should not be
+   allowed in tickets encrypted under a principal's key (one bit each):
+   Disallow issuing postdated tickets, disallow issuing forwardable
+   tickets, disallow issuing tickets based on TGT authentication,
+   disallow issuing renewable tickets, disallow issuing proxiable
+   tickets, and disallow issuing tickets for which the principal is the
+   server.
+
+   The mod_date field contains the time of last modification of the
+   entry, and the mod_name field contains the name of the principal
+   which last modified the entry.
+
+4.3.  Frequently Changing Fields
+
+   Some KDC implementations may wish to maintain the last time that a
+   request was made by a particular principal.  Information that might
+   be maintained includes the time of the last request, the time of the
+   last request for a ticket-granting ticket, the time of the last use
+   of a ticket-granting ticket, or other times.  This information can
+   then be returned to the user in the last-req field (see section 5.2).
+
+   Other frequently changing information that can be maintained is the
+   latest expiration time for any tickets that have been issued using
+   each key.  This field would be used to indicate how long old keys
+   must remain valid to allow the continued use of outstanding tickets.
+
+4.4.  Site Constants
+
+   The KDC implementation should have the following configurable
+   constants or options, to allow an administrator to make and enforce
+   policy decisions:
+
+   + The minimum supported lifetime (used to determine whether the
+      KDC_ERR_NEVER_VALID error should be returned). This constant
+      should reflect reasonable expectations of round-trip time to the
+
+
+
+Kohl & Neuman                                                  [Page 37]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+      KDC, encryption/decryption time, and processing time by the client
+      and target server, and it should allow for a minimum "useful"
+      lifetime.
+
+   + The maximum allowable total (renewable) lifetime of a ticket
+      (renew_till - starttime).
+
+   + The maximum allowable lifetime of a ticket (endtime - starttime).
+
+   + Whether to allow the issue of tickets with empty address fields
+      (including the ability to specify that such tickets may only be
+      issued if the request specifies some authorization_data).
+
+   + Whether proxiable, forwardable, renewable or post-datable tickets
+      are to be issued.
+
+5.  Message Specifications
+
+   The following sections describe the exact contents and encoding of
+   protocol messages and objects.  The ASN.1 base definitions are
+   presented in the first subsection.  The remaining subsections specify
+   the protocol objects (tickets and authenticators) and messages.
+   Specification of encryption and checksum techniques, and the fields
+   related to them, appear in section 6.
+
+5.1.  ASN.1 Distinguished Encoding Representation
+
+   All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+   Representation of the data elements as described in the X.509
+   specification, section 8.7 [8].
+
+5.2.  ASN.1 Base Definitions
+
+   The following ASN.1 base definitions are used in the rest of this
+   section. Note that since the underscore character (_) is not
+   permitted in ASN.1 names, the hyphen (-) is used in its place for the
+   purposes of ASN.1 names.
+
+   Realm ::=           GeneralString
+   PrincipalName ::=   SEQUENCE {
+                       name-type[0]     INTEGER,
+                       name-string[1]   SEQUENCE OF GeneralString
+   }
+
+   Kerberos realms are encoded as GeneralStrings. Realms shall not
+   contain a character with the code 0 (the ASCII NUL).  Most realms
+   will usually consist of several components separated by periods (.),
+   in the style of Internet Domain Names, or separated by slashes (/) in
+
+
+
+Kohl & Neuman                                                  [Page 38]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   the style of X.500 names.  Acceptable forms for realm names are
+   specified in section 7.  A PrincipalName is a typed sequence of
+   components consisting of the following sub-fields:
+
+   name-type This field specifies the type of name that follows.
+             Pre-defined values for this field are
+             specified in section 7.2.  The name-type should be
+             treated as a hint.  Ignoring the name type, no two
+             names can be the same (i.e., at least one of the
+             components, or the realm, must be different).
+             This constraint may be eliminated in the future.
+
+   name-string This field encodes a sequence of components that
+               form a name, each component encoded as a General
+               String.  Taken together, a PrincipalName and a Realm
+               form a principal identifier.  Most PrincipalNames
+               will have only a few components (typically one or two).
+
+           KerberosTime ::=   GeneralizedTime
+                              -- Specifying UTC time zone (Z)
+
+   The timestamps used in Kerberos are encoded as GeneralizedTimes.  An
+   encoding shall specify the UTC time zone (Z) and shall not include
+   any fractional portions of the seconds.  It further shall not include
+   any separators.  Example: The only valid format for UTC time 6
+   minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+    HostAddress ::=     SEQUENCE  {
+                        addr-type[0]             INTEGER,
+                        address[1]               OCTET STRING
+    }
+
+    HostAddresses ::=   SEQUENCE OF SEQUENCE {
+                        addr-type[0]             INTEGER,
+                        address[1]               OCTET STRING
+    }
+
+
+   The host adddress encodings consists of two fields:
+
+   addr-type  This field specifies the type of  address that
+              follows. Pre-defined values for this field are
+              specified in section 8.1.
+
+
+   address   This field encodes a single address of type addr-type.
+
+   The two forms differ slightly. HostAddress contains exactly one
+
+
+
+Kohl & Neuman                                                  [Page 39]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   address; HostAddresses contains a sequence of possibly many
+   addresses.
+
+   AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                           ad-type[0]               INTEGER,
+                           ad-data[1]               OCTET STRING
+   }
+
+
+   ad-data   This field contains authorization data to be
+             interpreted according to the value of the
+             corresponding ad-type field.
+
+   ad-type   This field specifies the format for the ad-data
+             subfield.  All negative values are reserved for
+             local use.  Non-negative values are reserved for
+             registered use.
+
+                   APOptions ::=   BIT STRING {
+                                   reserved(0),
+                                   use-session-key(1),
+                                   mutual-required(2)
+                   }
+
+
+                   TicketFlags ::=   BIT STRING {
+                                     reserved(0),
+                                     forwardable(1),
+                                     forwarded(2),
+                                     proxiable(3),
+                                     proxy(4),
+                                     may-postdate(5),
+                                     postdated(6),
+                                     invalid(7),
+                                     renewable(8),
+                                     initial(9),
+                                     pre-authent(10),
+                                     hw-authent(11)
+                   }
+
+                  KDCOptions ::=   BIT STRING {
+                                   reserved(0),
+                                   forwardable(1),
+                                   forwarded(2),
+                                   proxiable(3),
+                                   proxy(4),
+                                   allow-postdate(5),
+                                   postdated(6),
+
+
+
+Kohl & Neuman                                                  [Page 40]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   unused7(7),
+                                   renewable(8),
+                                   unused9(9),
+                                   unused10(10),
+                                   unused11(11),
+                                   renewable-ok(27),
+                                   enc-tkt-in-skey(28),
+                                   renew(30),
+                                   validate(31)
+                  }
+
+
+            LastReq ::=   SEQUENCE OF SEQUENCE {
+                          lr-type[0]               INTEGER,
+                          lr-value[1]              KerberosTime
+            }
+
+   lr-type   This field indicates how the following lr-value
+             field is to be interpreted.  Negative values indicate
+             that the information pertains only to the
+             responding server.  Non-negative values pertain to
+             all servers for the realm.
+
+             If the lr-type field is zero (0), then no information
+             is conveyed by the lr-value subfield.  If the
+             absolute value of the lr-type field is one (1),
+             then the lr-value subfield is the time of last
+             initial request for a TGT.  If it is two (2), then
+             the lr-value subfield is the time of last initial
+             request.  If it is three (3), then the lr-value
+             subfield is the time of issue for the newest
+             ticket-granting ticket used. If it is four (4),
+             then the lr-value subfield is the time of the last
+             renewal.  If it is five (5), then the lr-value
+             subfield is the time of last request (of any
+             type).
+
+   lr-value  This field contains the time of the last request.
+             The time must be interpreted according to the contents
+             of the accompanying lr-type subfield.
+
+   See section 6 for the definitions of Checksum, ChecksumType,
+   EncryptedData, EncryptionKey, EncryptionType, and KeyType.
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 41]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.3.  Tickets and Authenticators
+
+   This section describes the format and encryption parameters for
+   tickets and authenticators.  When a ticket or authenticator is
+   included in a protocol message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+   A ticket is a record that helps a client authenticate to a service.
+   A Ticket contains the following information:
+
+Ticket ::=                    [APPLICATION 1] SEQUENCE {
+                              tkt-vno[0]                   INTEGER,
+                              realm[1]                     Realm,
+                              sname[2]                     PrincipalName,
+                              enc-part[3]                  EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::=     [APPLICATION 3] SEQUENCE {
+                      flags[0]             TicketFlags,
+                      key[1]               EncryptionKey,
+                      crealm[2]            Realm,
+                      cname[3]             PrincipalName,
+                      transited[4]         TransitedEncoding,
+                      authtime[5]          KerberosTime,
+                      starttime[6]         KerberosTime OPTIONAL,
+                      endtime[7]           KerberosTime,
+                      renew-till[8]        KerberosTime OPTIONAL,
+                      caddr[9]             HostAddresses OPTIONAL,
+                      authorization-data[10]   AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=         SEQUENCE {
+                              tr-type[0]  INTEGER, -- must be registered
+                              contents[1]          OCTET STRING
+}
+
+   The encoding of EncTicketPart is encrypted in the key shared by
+   Kerberos and the end server (the server's secret key).  See section 6
+   for the format of the ciphertext.
+
+   tkt-vno   This field specifies the version number for the ticket
+             format.  This document describes version number 5.
+
+   realm     This field specifies the realm that issued a ticket.  It
+             also serves to identify the realm part of the server's
+             principal identifier.  Since a Kerberos server can only
+             issue tickets for servers within its realm, the two will
+
+
+
+Kohl & Neuman                                                  [Page 42]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             always be identical.
+
+   sname     This field specifies the name part of the server's
+             identity.
+
+   enc-part  This field holds the encrypted encoding of the
+             EncTicketPart sequence.
+
+   flags     This field indicates which of various options were used or
+             requested when the ticket was issued.  It is a bit-field,
+             where the selected options are indicated by the bit being
+             set (1), and the unselected options and reserved fields
+             being reset (0).  Bit 0 is the most significant bit.  The
+             encoding of the bits is specified in section 5.2.  The
+             flags are described in more detail above in section 2.  The
+             meanings of the flags are:
+
+             Bit(s)    Name        Description
+
+             0         RESERVED    Reserved for future expansion of this
+                                   field.
+
+             1         FORWARDABLE The FORWARDABLE flag is normally only
+                                   interpreted by the TGS, and can be
+                                   ignored by end servers.  When set,
+                                   this flag tells the ticket-granting
+                                   server that it is OK to issue a new
+                                   ticket- granting ticket with a
+                                   different network address based on
+                                   the presented ticket.
+
+             2         FORWARDED   When set, this flag indicates that
+                                   the ticket has either been forwarded
+                                   or was issued based on authentication
+                                   involving a forwarded ticket-granting
+                                   ticket.
+
+             3         PROXIABLE   The PROXIABLE flag is normally only
+                                   interpreted by the TGS, and can be
+                                   ignored by end servers. The PROXIABLE
+                                   flag has an interpretation identical
+                                   to that of the FORWARDABLE flag,
+                                   except that the PROXIABLE flag tells
+                                   the ticket-granting server that only
+                                   non- ticket-granting tickets may be
+                                   issued with different network
+                                   addresses.
+
+
+
+
+Kohl & Neuman                                                  [Page 43]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             4         PROXY      When set, this flag indicates that a
+                                   ticket is a proxy.
+
+             5         MAY-POSTDATE The MAY-POSTDATE flag is normally
+                                   only interpreted by the TGS, and can
+                                   be ignored by end servers.  This flag
+                                   tells the ticket-granting server that
+                                   a post- dated ticket may be issued
+                                   based on this ticket-granting ticket.
+
+             6         POSTDATED   This flag indicates that this ticket
+                                   has been postdated.  The end-service
+                                   can check the authtime field to see
+                                   when the original authentication
+                                   occurred.
+
+             7         INVALID     This flag indicates that a ticket is
+                                   invalid, and it must be validated by
+                                   the KDC before use.  Application
+                                   servers must reject tickets which
+                                   have this flag set.
+
+             8         RENEWABLE   The RENEWABLE flag is normally only
+                                   interpreted by the TGS, and can
+                                   usually be ignored by end servers
+                                   (some particularly careful servers
+                                   may wish to disallow renewable
+                                   tickets).  A renewable ticket can be
+                                   used to obtain a replacement ticket
+                                   that expires at a later date.
+
+             9         INITIAL     This flag indicates that this ticket
+                                   was issued using the AS protocol, and
+                                   not issued based on a ticket-granting
+                                   ticket.
+
+             10        PRE-AUTHENT This flag indicates that during
+                                   initial authentication, the client
+                                   was authenticated by the KDC before a
+                                   ticket was issued.  The strength of
+                                   the preauthentication method is not
+                                   indicated, but is acceptable to the
+                                   KDC.
+
+             11        HW-AUTHENT  This flag indicates that the protocol
+                                   employed for initial authentication
+                                   required the use of hardware expected
+                                   to be possessed solely by the named
+
+
+
+Kohl & Neuman                                                  [Page 44]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   client.  The hardware authentication
+                                   method is selected by the KDC and the
+                                   strength of the method is not
+                                   indicated.
+
+             12-31     RESERVED    Reserved for future use.
+
+   key       This field exists in the ticket and the KDC response and is
+             used to pass the session key from Kerberos to the
+             application server and the client.  The field's encoding is
+             described in section 6.2.
+
+   crealm    This field contains the name of the realm in which the
+             client is registered and in which initial authentication
+             took place.
+
+   cname     This field contains the name part of the client's principal
+             identifier.
+
+   transited This field lists the names of the Kerberos realms that took
+             part in authenticating the user to whom this ticket was
+             issued.  It does not specify the order in which the realms
+             were transited.  See section 3.3.3.1 for details on how
+             this field encodes the traversed realms.
+
+   authtime  This field indicates the time of initial authentication for
+             the named principal.  It is the time of issue for the
+             original ticket on which this ticket is based.  It is
+             included in the ticket to provide additional information to
+             the end service, and  to provide  the necessary information
+             for implementation of a `hot list' service at the KDC.   An
+             end service that is particularly paranoid could refuse to
+             accept tickets for which the initial authentication
+             occurred "too far" in the past.
+
+             This field is also returned as part of the response from
+             the KDC.  When returned as part of the response to initial
+             authentication (KRB_AS_REP), this is the current time on
+             the Kerberos server (It is NOT recommended that this time
+             value be used to adjust the workstation's clock since the
+             workstation cannot reliably determine that such a
+             KRB_AS_REP actually came from the proper KDC in a timely
+             manner.).
+
+   starttime This field in the ticket specifies the time after which the
+             ticket is valid.  Together with endtime, this field
+             specifies the life of the ticket.   If it is absent from
+             the ticket, its value should be treated as that of the
+
+
+
+Kohl & Neuman                                                  [Page 45]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             authtime field.
+
+   endtime   This field contains the time after which the ticket will
+             not be honored (its expiration time).  Note that individual
+             services may place their own limits on the life of a ticket
+             and may reject tickets which have not yet expired.  As
+             such, this is really an upper bound on the expiration time
+             for the ticket.
+
+   renew-till This field is only present in tickets that have the
+             RENEWABLE flag set in the flags field.  It indicates the
+             maximum endtime that may be included in a renewal.  It can
+             be thought of as the absolute expiration time for the
+             ticket, including all renewals.
+
+   caddr     This field in a ticket contains zero (if omitted) or more
+             (if present) host addresses.  These are the addresses from
+             which the ticket can be used.  If there are no addresses,
+             the ticket can be used from any location.  The decision
+             by the KDC to issue or by the end server to accept zero-
+             address tickets is a policy decision and is left to the
+             Kerberos and end-service administrators; they may refuse to
+             issue or accept such tickets.  The suggested and default
+             policy, however, is that such tickets will only be issued
+             or accepted when additional information that can be used to
+             restrict the use of the ticket is included in the
+             authorization_data field.  Such a ticket is a capability.
+
+             Network addresses are included in the ticket to make it
+             harder for an attacker to use stolen credentials. Because
+             the session key is not sent over the network in cleartext,
+             credentials can't be stolen simply by listening to the
+             network; an attacker has to gain access to the session key
+             (perhaps through operating system security breaches or a
+             careless user's unattended session) to make use of stolen
+             tickets.
+
+             It is important to note that the network address from which
+             a connection is received cannot be reliably determined.
+             Even if it could be, an attacker who has compromised the
+             client's workstation could use the credentials from there.
+             Including the network addresses only makes it more
+             difficult, not impossible, for an attacker to walk off with
+             stolen credentials and then use them from a "safe"
+             location.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 46]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authorization-data The authorization-data field is used to pass
+             authorization data from the principal on whose behalf a
+             ticket was issued to the application service.  If no
+             authorization data is included, this field will be left
+             out.  The data in this field are specific to the end
+             service.  It is expected that the field will contain the
+             names of service specific objects, and the rights to those
+             objects.  The format for this field is described in section
+             5.2.  Although Kerberos is not concerned with the format of
+             the contents of the subfields, it does carry type
+             information (ad-type).
+
+             By using the authorization_data field, a principal is able
+             to issue a proxy that is valid for a specific purpose.  For
+             example, a client wishing to print a file can obtain a file
+             server proxy to be passed to the print server.  By
+             specifying the name of the file in the authorization_data
+             field, the file server knows that the print server can only
+             use the client's rights when accessing the particular file
+             to be printed.
+
+             It is interesting to note that if one specifies the
+             authorization-data field of a proxy and leaves the host
+             addresses blank, the resulting ticket and session key can
+             be treated as a capability.  See [9] for some suggested
+             uses of this field.
+
+             The authorization-data field is optional and does not have
+             to be included in a ticket.
+
+5.3.2. Authenticators
+
+   An authenticator is a record sent with a ticket to a server to
+   certify the client's knowledge of the encryption key in the ticket,
+   to help the server detect replays, and to help choose a "true session
+   key" to use with the particular session.  The encoding is encrypted
+   in the ticket's session key shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+               authenticator-vno[0]          INTEGER,
+               crealm[1]                     Realm,
+               cname[2]                      PrincipalName,
+               cksum[3]                      Checksum OPTIONAL,
+               cusec[4]                      INTEGER,
+               ctime[5]                      KerberosTime,
+               subkey[6]                     EncryptionKey OPTIONAL,
+               seq-number[7]                 INTEGER OPTIONAL,
+
+
+
+Kohl & Neuman                                                  [Page 47]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+               authorization-data[8]         AuthorizationData OPTIONAL
+                     }
+
+   authenticator-vno This field specifies the version number for the
+             format of the authenticator. This document specifies
+             version 5.
+
+   crealm and cname These fields are the same as those described for the
+             ticket in section 5.3.1.
+
+   cksum     This field contains a checksum of the the application data
+             that accompanies the KRB_AP_REQ.
+
+   cusec     This field contains the microsecond part of the client's
+             timestamp.  Its value (before encryption) ranges from 0 to
+             999999.  It often appears along with ctime.  The two fields
+             are used together to specify a reasonably accurate
+             timestamp.
+
+   ctime     This field contains the current time on the client's host.
+
+   subkey    This field contains the client's choice for an encryption
+             key which is to be used to protect this specific
+             application session. Unless an application specifies
+             otherwise, if this field is left out the session key from
+             the ticket will be used.
+
+   seq-number This optional field includes the initial sequence number
+             to be used by the KRB_PRIV or KRB_SAFE messages when
+             sequence numbers are used to detect replays (It may also be
+             used by application specific messages).  When included in
+             the authenticator this field specifies the initial sequence
+             number for messages from the client to the server.  When
+             included in the AP-REP message, the initial sequence number
+             is that for messages from the server to the client.  When
+             used in KRB_PRIV or KRB_SAFE messages, it is incremented by
+             one after each message is sent.
+
+             For sequence numbers to adequately support the detection of
+             replays they should be non-repeating, even across
+             connection boundaries. The initial sequence number should
+             be random and uniformly distributed across the full space
+             of possible sequence numbers, so that it cannot be guessed
+             by an attacker and so that it and the successive sequence
+             numbers do not repeat other sequences.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 48]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authorization-data This field is the same as described for the ticket
+             in section 5.3.1.  It is optional and will only appear when
+             additional restrictions are to be placed on the use of a
+             ticket, beyond those carried in the ticket itself.
+
+5.4.  Specifications for the AS and TGS exchanges
+
+   This section specifies the format of the messages used in exchange
+   between the client and the Kerberos server.  The format of possible
+   error messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+   The KRB_KDC_REQ message has no type of its own.  Instead, its type is
+   one of KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is
+   for an initial ticket or an additional ticket.  In either case, the
+   message is sent from the client to the Authentication Server to
+   request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+           pvno[1]               INTEGER,
+           msg-type[2]           INTEGER,
+           padata[3]             SEQUENCE OF PA-DATA OPTIONAL,
+           req-body[4]           KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+           padata-type[1]        INTEGER,
+           padata-value[2]       OCTET STRING,
+                         -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+            kdc-options[0]       KDCOptions,
+            cname[1]             PrincipalName OPTIONAL,
+                         -- Used only in AS-REQ
+            realm[2]             Realm, -- Server's realm
+                         -- Also client's in AS-REQ
+            sname[3]             PrincipalName OPTIONAL,
+            from[4]              KerberosTime OPTIONAL,
+            till[5]              KerberosTime,
+            rtime[6]             KerberosTime OPTIONAL,
+            nonce[7]             INTEGER,
+
+
+
+Kohl & Neuman                                                  [Page 49]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+            etype[8]             SEQUENCE OF INTEGER, -- EncryptionType,
+                         -- in preference order
+            addresses[9]         HostAddresses OPTIONAL,
+            enc-authorization-data[10]   EncryptedData OPTIONAL,
+                         -- Encrypted AuthorizationData encoding
+            additional-tickets[11]       SEQUENCE OF Ticket OPTIONAL
+}
+
+   The fields in this message are:
+
+   pvno      This field is included in each message, and specifies the
+             protocol version number.  This document specifies protocol
+             version 5.
+
+   msg-type  This field indicates the type of a protocol message.  It
+             will almost always be the same as the application
+             identifier associated with a message.  It is included to
+             make the identifier more readily accessible to the
+             application.  For the KDC-REQ message, this type will be
+             KRB_AS_REQ or KRB_TGS_REQ.
+
+   padata    The padata (pre-authentication data) field contains a of
+             authentication information which may be needed before
+             credentials can be issued or decrypted.  In the case of
+             requests for additional tickets (KRB_TGS_REQ), this field
+             will include an element with padata-type of PA-TGS-REQ and
+             data of an authentication header (ticket-granting ticket
+             and authenticator). The checksum in the authenticator
+             (which must be collisionproof) is to be computed over the
+             KDC-REQ-BODY encoding.  In most requests for initial
+             authentication (KRB_AS_REQ) and most replies (KDC-REP), the
+             padata field will be left out.
+
+             This field may also contain information needed by certain
+             extensions to the Kerberos protocol.  For example, it might
+             be used to initially verify the identity of a client before
+             any response is returned.  This is accomplished with a
+             padata field with padata-type equal to PA-ENC-TIMESTAMP and
+             padata-value defined as follows:
+
+   padata-type     ::= PA-ENC-TIMESTAMP
+   padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+   PA-ENC-TS-ENC   ::= SEQUENCE {
+           patimestamp[0]               KerberosTime, -- client's time
+           pausec[1]                    INTEGER OPTIONAL
+   }
+
+
+
+
+Kohl & Neuman                                                  [Page 50]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             with patimestamp containing the client's time and pausec
+             containing the microseconds which may be omitted if a
+             client will not generate more than one request per second.
+             The ciphertext (padata-value) consists of the PA-ENC-TS-ENC
+             sequence, encrypted using the client's secret key.
+
+             The padata field can also contain information needed to
+             help the KDC or the client select the key needed for
+             generating or decrypting the response.  This form of the
+             padata is useful for supporting the use of certain
+             "smartcards" with Kerberos.  The details of such extensions
+             are beyond the scope of this specification.  See [10] for
+             additional uses of this field.
+
+   padata-type The padata-type element of the padata field indicates the
+             way that the padata-value element is to be interpreted.
+             Negative values of padata-type are reserved for
+             unregistered use; non-negative values are used for a
+             registered interpretation of the element type.
+
+   req-body  This field is a placeholder delimiting the extent of the
+             remaining fields.  If a checksum is to be calculated over
+             the request, it is calculated over an encoding of the KDC-
+             REQ-BODY sequence which is enclosed within the req-body
+             field.
+
+   kdc-options This field appears in the KRB_AS_REQ and KRB_TGS_REQ
+             requests to the KDC and indicates the flags that the client
+             wants set on the tickets as well as other information that
+             is to modify the behavior of the KDC. Where appropriate,
+             the name of an option may be the same as the flag that is
+             set by that option.  Although in most case, the bit in the
+             options field will be the same as that in the flags field,
+             this is not guaranteed, so it is not acceptable to simply
+             copy the options field to the flags field.  There are
+             various checks that must be made before honoring an option
+             anyway.
+
+             The kdc_options field is a bit-field, where the selected
+             options are indicated by the bit being set (1), and the
+             unselected options and reserved fields being reset (0).
+             The encoding of the bits is specified in section 5.2.  The
+             options are described in more detail above in section 2.
+             The meanings of the options are:
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 51]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             Bit(s)  Name         Description
+
+             0       RESERVED     Reserved for future expansion of this
+                                  field.
+
+             1       FORWARDABLE  The FORWARDABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  forwardable flag set.  It may only be
+                                  set on the initial request, or in a
+                                  subsequent request if the ticket-
+                                  granting ticket on which it is based
+                                  is also forwardable.
+
+             2       FORWARDED    The FORWARDED option is only specified
+                                  in a request to the ticket-granting
+                                  server and will only be honored if the
+                                  ticket-granting ticket in the request
+                                  has its FORWARDABLE bit set.  This
+                                  option indicates that this is a
+                                  request for forwarding. The
+                                  address(es) of the host from which the
+                                  resulting ticket is to be valid are
+                                  included in the addresses field of the
+                                  request.
+
+
+             3       PROXIABLE    The PROXIABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  proxiable flag set. It may only be set
+                                  on the initial request, or in a
+                                  subsequent request if the ticket-
+                                  granting ticket on which it is based
+                                  is also proxiable.
+
+             4       PROXY        The PROXY option indicates that this
+                                  is a request for a proxy.  This option
+                                  will only be honored if the ticket-
+                                  granting ticket in the request has its
+                                  PROXIABLE bit set.  The address(es) of
+                                  the host from which the resulting
+                                  ticket is to be valid are included in
+                                  the addresses field of the request.
+
+             5       ALLOW-POSTDATE The ALLOW-POSTDATE option indicates
+                                  that the ticket to be issued is to
+                                  have its MAY-POSTDATE flag set.  It
+                                  may only be set on the initial
+                                  request, or in a subsequent request if
+
+
+
+Kohl & Neuman                                                  [Page 52]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                  the ticket-granting ticket on which it
+                                  is based also has its MAY-POSTDATE
+                                  flag set.
+
+             6       POSTDATED    The POSTDATED option indicates that
+                                  this is a request for a postdated
+                                  ticket.  This option will only be
+                                  honored if the ticket-granting ticket
+                                  on which it is based has its MAY-
+                                  POSTDATE flag set.  The resulting
+                                  ticket will also have its INVALID flag
+                                  set, and that flag may be reset by a
+                                  subsequent request to the KDC after
+                                  the starttime in the ticket has been
+                                  reached.
+
+             7       UNUSED       This option is presently unused.
+
+             8       RENEWABLE    The RENEWABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  RENEWABLE flag set.  It may only be
+                                  set on the initial request, or when
+                                  the ticket-granting ticket on which
+                                  the request is based is also
+                                  renewable.  If this option is
+                                  requested, then the rtime field in the
+                                  request contains the desired absolute
+                                  expiration time for the ticket.
+
+             9-26    RESERVED     Reserved for future use.
+
+             27      RENEWABLE-OK The RENEWABLE-OK option indicates that
+                                  a renewable ticket will be acceptable
+                                  if a ticket with the requested life
+                                  cannot otherwise be provided.  If a
+                                  ticket with the requested life cannot
+                                  be provided, then a renewable ticket
+                                  may be issued with a renew-till equal
+                                  to the the requested endtime.  The
+                                  value of the renew-till field may
+                                  still be limited by local limits, or
+                                  limits selected by the individual
+                                  principal or server.
+
+             28      ENC-TKT-IN-SKEY This option is used only by the
+                                  ticket-granting service.  The ENC-
+                                  TKT-IN-SKEY option indicates that the
+                                  ticket for the end server is to be
+
+
+
+Kohl & Neuman                                                  [Page 53]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                  encrypted in the session key from the
+                                  additional ticket-granting ticket
+                                  provided.
+
+             29      RESERVED     Reserved for future use.
+
+             30      RENEW        This option is used only by the
+                                  ticket-granting service.  The RENEW
+                                  option indicates that the present
+                                  request is for a renewal.  The ticket
+                                  provided is encrypted in the secret
+                                  key for the server on which it is
+                                  valid.  This option will only be
+                                  honored if the ticket to be renewed
+                                  has its RENEWABLE flag set and if the
+                                  time in its renew till field has not
+                                  passed.  The ticket to be renewed is
+                                  passed in the padata field as part of
+                                  the authentication header.
+
+             31      VALIDATE     This option is used only by the
+                                  ticket-granting service.  The VALIDATE
+                                  option indicates that the request is
+                                  to validate a postdated ticket.  It
+                                  will only be honored if the ticket
+                                  presented is postdated, presently has
+                                  its INVALID flag set, and would be
+                                  otherwise usable at this time.  A
+                                  ticket cannot be validated before its
+                                  starttime.  The ticket presented for
+                                  validation is encrypted in the key of
+                                  the server for which it is valid and
+                                  is passed in the padata field as part
+                                  of the authentication header.
+
+   cname and sname These fields are the same as those described for the
+             ticket in section 5.3.1.  sname may only be absent when the
+             ENC-TKT-IN-SKEY option is specified.  If absent, the name
+             of the server is taken from the name of the client in the
+             ticket passed as additional-tickets.
+
+   enc-authorization-data The enc-authorization-data, if present (and it
+             can only be present in the TGS_REQ form), is an encoding of
+             the desired authorization-data encrypted under the sub-
+             session key if present in the Authenticator, or
+             alternatively from the session key in the ticket-granting
+             ticket, both from the padata field in the KRB_AP_REQ.
+
+
+
+
+Kohl & Neuman                                                  [Page 54]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   realm     This field specifies the realm part of the server's
+             principal identifier. In the AS exchange, this is also the
+             realm part of the client's principal identifier.
+
+   from      This field is included in the KRB_AS_REQ and KRB_TGS_REQ
+             ticket requests when the requested ticket is to be
+             postdated.  It specifies the desired start time for the
+             requested ticket.
+
+   till      This field contains the expiration date requested by the
+             client in a ticket request.
+
+   rtime     This field is the requested renew-till time sent from a
+             client to the KDC in a ticket request.  It is optional.
+
+   nonce     This field is part of the KDC request and response.  It it
+             intended to hold a random number generated by the client.
+             If the same number is included in the encrypted response
+             from the KDC, it provides evidence that the response is
+             fresh and has not been replayed by an attacker.  Nonces
+             must never be re-used.  Ideally, it should be gen erated
+             randomly, but if the correct time is known, it may suffice
+             (Note, however, that if the time is used as the nonce, one
+             must make sure that the workstation time is monotonically
+             increasing.  If the time is ever reset backwards, there is
+             a small, but finite, probability that a nonce will be
+             reused.).
+
+   etype     This field specifies the desired encryption algorithm to be
+             used in the response.
+
+   addresses This field is included in the initial request for tickets,
+             and optionally included in requests for additional tickets
+             from the ticket-granting server.  It specifies the
+             addresses from which the requested ticket is to be valid.
+             Normally it includes the addresses for the client's host.
+             If a proxy is requested, this field will contain other
+             addresses.  The contents of this field are usually copied
+             by the KDC into the caddr field of the resulting ticket.
+
+   additional-tickets Additional tickets may be optionally included in a
+             request to the ticket-granting server.  If the ENC-TKT-IN-
+             SKEY option has been specified, then the session key from
+             the additional ticket will be used in place of the server's
+             key to encrypt the new ticket.  If more than one option
+             which requires additional tickets has been specified, then
+             the additional tickets are used in the order specified by
+             the ordering of the options bits (see kdc-options, above).
+
+
+
+Kohl & Neuman                                                  [Page 55]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   The application code will be either ten (10) or twelve (12) depending
+   on whether the request is for an initial ticket (AS-REQ) or for an
+   additional ticket (TGS-REQ).
+
+   The optional fields (addresses, authorization-data and additional-
+   tickets) are only included if necessary to perform the operation
+   specified in the kdc-options field.
+
+   It should be noted that in KRB_TGS_REQ, the protocol version number
+   appears twice and two different message types appear: the KRB_TGS_REQ
+   message contains these fields as does the authentication header
+   (KRB_AP_REQ) that is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+   The KRB_KDC_REP message format is used for the reply from the KDC for
+   either an initial (AS) request or a subsequent (TGS) request.  There
+   is no message type for KRB_KDC_REP.  Instead, the type will be either
+   KRB_AS_REP or KRB_TGS_REP.  The key used to encrypt the ciphertext
+   part of the reply depends on the message type.  For KRB_AS_REP, the
+   ciphertext is encrypted in the client's secret key, and the client's
+   key version number is included in the key version number for the
+   encrypted data.  For KRB_TGS_REP, the ciphertext is encrypted in the
+   sub-session key from the Authenticator, or if absent, the session key
+   from the ticket-granting ticket used in the request.  In that case,
+   no version number will be present in the EncryptedData sequence.
+
+   The KRB_KDC_REP message contains the following fields:
+
+   AS-REP ::=    [APPLICATION 11] KDC-REP
+   TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+   KDC-REP ::=   SEQUENCE {
+                 pvno[0]                    INTEGER,
+                 msg-type[1]                INTEGER,
+                 padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+                 crealm[3]                  Realm,
+                 cname[4]                   PrincipalName,
+                 ticket[5]                  Ticket,
+                 enc-part[6]                EncryptedData
+   }
+
+   EncASRepPart ::=    [APPLICATION 25[25]] EncKDCRepPart
+   EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+   EncKDCRepPart ::=   SEQUENCE {
+               key[0]                       EncryptionKey,
+               last-req[1]                  LastReq,
+
+
+
+Kohl & Neuman                                                  [Page 56]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+               nonce[2]                     INTEGER,
+               key-expiration[3]            KerberosTime OPTIONAL,
+               flags[4]                     TicketFlags,
+               authtime[5]                  KerberosTime,
+               starttime[6]                 KerberosTime OPTIONAL,
+               endtime[7]                   KerberosTime,
+               renew-till[8]                KerberosTime OPTIONAL,
+               srealm[9]                    Realm,
+               sname[10]                    PrincipalName,
+               caddr[11]                    HostAddresses OPTIONAL
+   }
+
+   NOTE: In EncASRepPart, the application code in the encrypted
+         part of a message provides an additional check that
+         the message was decrypted properly.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is either KRB_AS_REP or KRB_TGS_REP.
+
+   padata    This field is described in detail in section 5.4.1.  One
+             possible use for this field is to encode an alternate
+             "mix-in" string to be used with a string-to-key algorithm
+             (such as is described in section 6.3.2). This ability is
+             useful to ease transitions if a realm name needs to change
+             (e.g., when a company is acquired); in such a case all
+             existing password-derived entries in the KDC database would
+             be flagged as needing a special mix-in string until the
+             next password change.
+
+   crealm, cname, srealm and sname These fields are the same as those
+             described for the ticket in section 5.3.1.
+
+   ticket    The newly-issued ticket, from section 5.3.1.
+
+   enc-part  This field is a place holder for the ciphertext and related
+             information that forms the encrypted part of a message.
+             The description of the encrypted part of the message
+             follows each appearance of this field.  The encrypted part
+             is encoded as described in section 6.1.
+
+   key       This field is the same as described for the ticket in
+             section 5.3.1.
+
+   last-req  This field is returned by the KDC and specifies the time(s)
+             of the last request by a principal.  Depending on what
+             information is available, this might be the last time that
+             a request for a ticket-granting ticket was made, or the
+             last time that a request based on a ticket-granting ticket
+
+
+
+Kohl & Neuman                                                  [Page 57]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             was successful.  It also might cover all servers for a
+             realm, or just the particular server. Some implementations
+             may display this information to the user to aid in
+             discovering unauthorized use of one's identity.  It is
+             similar in spirit to the last login time displayed when
+             logging into timesharing systems.
+
+   nonce     This field is described above in section 5.4.1.
+
+   key-expiration The key-expiration field is part of the response from
+             the KDC and specifies the time that the client's secret key
+             is due to expire.  The expiration might be the result of
+             password aging or an account expiration.  This field will
+             usually be left out of the TGS reply since the response to
+             the TGS request is encrypted in a session key and no client
+             information need be retrieved from the KDC database.  It is
+             up to the application client (usually the login program) to
+             take appropriate action (such as notifying the user) if the
+             expira    tion time is imminent.
+
+   flags, authtime, starttime, endtime, renew-till and caddr These
+             fields are duplicates of those found in the encrypted
+             portion of the attached ticket (see section 5.3.1),
+             provided so the client may verify they match the intended
+             request and to assist in proper ticket caching.  If the
+             message is of type KRB_TGS_REP, the caddr field will only
+             be filled in if the request was for a proxy or forwarded
+             ticket, or if the user is substituting a subset of the
+             addresses from the ticket granting ticket.  If the client-
+             requested addresses are not present or not used, then the
+             addresses contained in the ticket will be the same as those
+             included in the ticket-granting ticket.
+
+5.5.  Client/Server (CS) message specifications
+
+   This section specifies the format of the messages used for the
+   authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+   The KRB_AP_REQ message contains the Kerberos protocol version number,
+   the message type KRB_AP_REQ, an options field to indicate any options
+   in use, and the ticket and authenticator themselves.  The KRB_AP_REQ
+   message is often referred to as the "authentication header".
+
+   AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                   pvno[0]                       INTEGER,
+                   msg-type[1]                   INTEGER,
+
+
+
+Kohl & Neuman                                                  [Page 58]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                   ap-options[2]                 APOptions,
+                   ticket[3]                     Ticket,
+                   authenticator[4]              EncryptedData
+   }
+
+   APOptions ::=   BIT STRING {
+                   reserved(0),
+                   use-session-key(1),
+                   mutual-required(2)
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_AP_REQ.
+
+   ap-options This field appears in the application request (KRB_AP_REQ)
+             and affects the way the request is processed.  It is a
+             bit-field, where the selected options are indicated by the
+             bit being set (1), and the unselected options and reserved
+             fields being reset (0).  The encoding of the bits is
+             specified in section 5.2.  The meanings of the options are:
+
+             Bit(s)  Name           Description
+
+             0       RESERVED       Reserved for future expansion of
+                                  this field.
+
+             1       USE-SESSION-KEYThe USE-SESSION-KEY option indicates
+                                  that the ticket the client is
+                                  presenting to a server is encrypted in
+                                  the session key from the server's
+                                  ticket-granting ticket. When this
+                                  option is not specified, the ticket is
+                                  encrypted in the server's secret key.
+
+             2       MUTUAL-REQUIREDThe MUTUAL-REQUIRED option tells the
+                                  server that the client requires mutual
+                                  authentication, and that it must
+                                  respond with a KRB_AP_REP message.
+
+             3-31    RESERVED       Reserved for future use.
+
+   ticket    This field is a ticket authenticating the client to the
+             server.
+
+   authenticator This contains the authenticator, which includes the
+             client's choice of a subkey.  Its encoding is described in
+             section 5.3.2.
+
+
+
+
+Kohl & Neuman                                                  [Page 59]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.5.2.  KRB_AP_REP definition
+
+   The KRB_AP_REP message contains the Kerberos protocol version number,
+   the message type, and an encrypted timestamp. The message is sent in
+   in response to an application request (KRB_AP_REQ) where the mutual
+   authentication option has been selected in the ap-options field.
+
+   AP-REP ::=         [APPLICATION 15] SEQUENCE {
+              pvno[0]                   INTEGER,
+              msg-type[1]               INTEGER,
+              enc-part[2]               EncryptedData
+   }
+
+   EncAPRepPart ::=   [APPLICATION 27]     SEQUENCE {
+              ctime[0]                  KerberosTime,
+              cusec[1]                  INTEGER,
+              subkey[2]                 EncryptionKey OPTIONAL,
+              seq-number[3]             INTEGER OPTIONAL
+   }
+
+   NOTE: in EncAPRepPart, the application code in the encrypted part of
+   a message provides an additional check that the message was decrypted
+   properly.
+
+   The encoded EncAPRepPart is encrypted in the shared session key of
+   the ticket.  The optional subkey field can be used in an
+   application-arranged negotiation to choose a per association session
+   key.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_AP_REP.
+
+   enc-part  This field is described above in section 5.4.2.
+
+   ctime     This field contains the current time on the client's host.
+
+   cusec     This field contains the microsecond part of the client's
+             timestamp.
+
+   subkey    This field contains an encryption key which is to be used
+             to protect this specific application session.  See section
+             3.2.6 for specifics on how this field is used to negotiate
+             a key.  Unless an application specifies otherwise, if this
+             field is left out, the sub-session key from the
+             authenticator, or if also left out, the session key from
+             the ticket will be used.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 60]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.5.3. Error message reply
+
+   If an error occurs while processing the application request, the
+   KRB_ERROR message will be sent in response.  See section 5.9.1 for
+   the format of the error message.  The cname and crealm fields may be
+   left out if the server cannot determine their appropriate values from
+   the corresponding KRB_AP_REQ message.  If the authenticator was
+   decipherable, the ctime and cusec fields will contain the values from
+   it.
+
+5.6.  KRB_SAFE message specification
+
+   This section specifies the format of a message that can be used by
+   either side (client or server) of an application to send a tamper-
+   proof message to its peer. It presumes that a session key has
+   previously been exchanged (for example, by using the
+   KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+   The KRB_SAFE message contains user data along with a collision-proof
+   checksum keyed with the session key.  The message fields are:
+
+   KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+               pvno[0]               INTEGER,
+               msg-type[1]           INTEGER,
+               safe-body[2]          KRB-SAFE-BODY,
+               cksum[3]              Checksum
+   }
+
+   KRB-SAFE-BODY ::=   SEQUENCE {
+               user-data[0]          OCTET STRING,
+               timestamp[1]          KerberosTime OPTIONAL,
+               usec[2]               INTEGER OPTIONAL,
+               seq-number[3]         INTEGER OPTIONAL,
+               s-address[4]          HostAddress,
+               r-address[5]          HostAddress OPTIONAL
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_SAFE.
+
+   safe-body This field is a placeholder for the body of the KRB-SAFE
+             message.  It is to be encoded separately and then have the
+             checksum computed over it, for use in the cksum field.
+
+   cksum     This field contains the checksum of the application data.
+             Checksum details are described in section 6.4.  The
+
+
+
+Kohl & Neuman                                                  [Page 61]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             checksum is computed over the encoding of the KRB-SAFE-BODY
+             sequence.
+
+   user-data This field is part of the KRB_SAFE and KRB_PRIV messages
+             and contain the application specific data that is being
+             passed from the sender to the recipient.
+
+   timestamp This field is part of the KRB_SAFE and KRB_PRIV messages.
+             Its contents are the current time as known by the sender of
+             the message. By checking the timestamp, the recipient of
+             the message is able to make sure that it was recently
+             generated, and is not a replay.
+
+   usec      This field is part of the KRB_SAFE and KRB_PRIV headers.
+             It contains the microsecond part of the timestamp.
+
+   seq-number This field is described above in section 5.3.2.
+
+   s-address This field specifies the address in use by the sender of
+             the message.
+
+   r-address This field specifies the address in use by the recipient of
+             the message.  It may be omitted for some uses (such as
+             broadcast protocols), but the recipient may arbitrarily
+             reject such messages.  This field along with s-address can
+             be used to help detect messages which have been incorrectly
+             or maliciously delivered to the wrong recipient.
+
+5.7.  KRB_PRIV message specification
+
+   This section specifies the format of a message that can be used by
+   either side (client or server) of an application to securely and
+   privately send a message to its peer.  It presumes that a session key
+   has previously been exchanged (for example, by using the
+   KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+   The KRB_PRIV message contains user data encrypted in the Session Key.
+   The message fields are:
+
+   KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                pvno[0]                   INTEGER,
+                msg-type[1]               INTEGER,
+                enc-part[3]               EncryptedData
+   }
+
+
+
+
+
+Kohl & Neuman                                                  [Page 62]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   EncKrbPrivPart ::=   [APPLICATION 28] SEQUENCE {
+                user-data[0]              OCTET STRING,
+                timestamp[1]              KerberosTime OPTIONAL,
+                usec[2]                   INTEGER OPTIONAL,
+                seq-number[3]             INTEGER OPTIONAL,
+                s-address[4]              HostAddress, -- sender's addr
+                r-address[5]              HostAddress OPTIONAL
+                                                      -- recip's addr
+   }
+
+   NOTE: In EncKrbPrivPart, the application code in the encrypted part
+   of a message provides an additional check that the message was
+   decrypted properly.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_PRIV.
+
+   enc-part  This field holds an encoding of the EncKrbPrivPart sequence
+             encrypted under the session key (If supported by the
+             encryption method in use, an initialization vector may be
+             passed to the encryption procedure, in order to achieve
+             proper cipher chaining.  The initialization vector might
+             come from the last block of the ciphertext from the
+             previous KRB_PRIV message, but it is the application's
+             choice whether or not to use such an initialization vector.
+             If left out, the default initialization vector for the
+             encryption algorithm will be used.).  This encrypted
+             encoding is used for the enc-part field of the KRB-PRIV
+             message.  See section 6 for the format of the ciphertext.
+
+   user-data, timestamp, usec, s-address and r-address These fields are
+             described above in section 5.6.1.
+
+   seq-number This field is described above in section 5.3.2.
+
+5.8.  KRB_CRED message specification
+
+   This section specifies the format of a message that can be used to
+   send Kerberos credentials from one principal to another.  It is
+   presented here to encourage a common mechanism to be used by
+   applications when forwarding tickets or providing proxies to
+   subordinate servers.  It presumes that a session key has already been
+   exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+   The KRB_CRED message contains a sequence of tickets to be sent and
+   information needed to use the tickets, including the session key from
+
+
+
+Kohl & Neuman                                                  [Page 63]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   each.  The information needed to use the tickets is encryped under an
+   encryption key previously exchanged.  The message fields are:
+
+   KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                    pvno[0]                INTEGER,
+                    msg-type[1]            INTEGER, -- KRB_CRED
+                    tickets[2]             SEQUENCE OF Ticket,
+                    enc-part[3]            EncryptedData
+   }
+
+   EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                    ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                    nonce[1]               INTEGER OPTIONAL,
+                    timestamp[2]           KerberosTime OPTIONAL,
+                    usec[3]                INTEGER OPTIONAL,
+                    s-address[4]           HostAddress OPTIONAL,
+                    r-address[5]           HostAddress OPTIONAL
+   }
+
+   KrbCredInfo      ::=                    SEQUENCE {
+                    key[0]                 EncryptionKey,
+                    prealm[1]              Realm OPTIONAL,
+                    pname[2]               PrincipalName OPTIONAL,
+                    flags[3]               TicketFlags OPTIONAL,
+                    authtime[4]            KerberosTime OPTIONAL,
+                    starttime[5]           KerberosTime OPTIONAL,
+                    endtime[6]             KerberosTime OPTIONAL
+                    renew-till[7]          KerberosTime OPTIONAL,
+                    srealm[8]              Realm OPTIONAL,
+                    sname[9]               PrincipalName OPTIONAL,
+                    caddr[10]              HostAddresses OPTIONAL
+   }
+
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_CRED.
+
+   tickets
+               These are the tickets obtained from the KDC specifically
+             for use by the intended recipient.  Successive tickets are
+             paired with the corresponding KrbCredInfo sequence from the
+             enc-part of the KRB-CRED message.
+
+   enc-part  This field holds an encoding of the EncKrbCredPart sequence
+             encrypted under the session key shared between the sender
+             and the intended recipient.  This encrypted encoding is
+             used for the enc-part field of the KRB-CRED message.  See
+             section 6 for the format of the ciphertext.
+
+
+
+Kohl & Neuman                                                  [Page 64]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   nonce     If practical, an application may require the inclusion of a
+             nonce generated by the recipient of the message. If the
+             same value is included as the nonce in the message, it
+             provides evidence that the message is fresh and has not
+             been replayed by an attacker.  A nonce must never be re-
+             used; it should be generated randomly by the recipient of
+             the message and provided to the sender of the mes  sage in
+             an application specific manner.
+
+   timestamp and usec These fields specify the time that the KRB-CRED
+             message was generated.  The time is used to provide
+             assurance that the message is fresh.
+
+   s-address and r-address These fields are described above in section
+             5.6.1.  They are used optionally to provide additional
+             assurance of the integrity of the KRB-CRED message.
+
+   key       This field exists in the corresponding ticket passed by the
+             KRB-CRED message and is used to pass the session key from
+             the sender to the intended recipient.  The field's encoding
+             is described in section 6.2.
+
+   The following fields are optional.   If present, they can be
+   associated with the credentials in the remote ticket file.  If left
+   out, then it is assumed that the recipient of the credentials already
+   knows their value.
+
+   prealm and pname The name and realm of the delegated principal
+             identity.
+
+   flags, authtime,  starttime,  endtime, renew-till,  srealm, sname,
+             and caddr These fields contain the values of the
+             corresponding fields from the ticket found in the ticket
+             field.  Descriptions of the fields are identical to the
+             descriptions in the KDC-REP message.
+
+5.9.  Error message specification
+
+   This section specifies the format for the KRB_ERROR message.  The
+   fields included in the message are intended to return as much
+   information as possible about an error.  It is not expected that all
+   the information required by the fields will be available for all
+   types of errors.  If the appropriate information is not available
+   when the message is composed, the corresponding field will be left
+   out of the message.
+
+   Note that since the KRB_ERROR message is not protected by any
+   encryption, it is quite possible for an intruder to synthesize or
+
+
+
+Kohl & Neuman                                                  [Page 65]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   modify such a message.  In particular, this means that the client
+   should not use any fields in this message for security-critical
+   purposes, such as setting a system clock or generating a fresh
+   authenticator.  The message can be useful, however, for advising a
+   user on the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+   The KRB_ERROR message consists of the following fields:
+
+   KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                   pvno[0]               INTEGER,
+                   msg-type[1]           INTEGER,
+                   ctime[2]              KerberosTime OPTIONAL,
+                   cusec[3]              INTEGER OPTIONAL,
+                   stime[4]              KerberosTime,
+                   susec[5]              INTEGER,
+                   error-code[6]         INTEGER,
+                   crealm[7]             Realm OPTIONAL,
+                   cname[8]              PrincipalName OPTIONAL,
+                   realm[9]              Realm, -- Correct realm
+                   sname[10]             PrincipalName, -- Correct name
+                   e-text[11]            GeneralString OPTIONAL,
+                   e-data[12]            OCTET STRING OPTIONAL
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_ERROR.
+
+   ctime     This field is described above in section 5.4.1.
+
+   cusec     This field is described above in section 5.5.2.
+
+   stime     This field contains the current time on the server.  It is
+             of type KerberosTime.
+
+   susec     This field contains the microsecond part of the server's
+             timestamp.  Its value ranges from 0 to 999. It appears
+             along with stime. The two fields are used in conjunction to
+             specify a reasonably accurate timestamp.
+
+   error-code This field contains the error code returned by Kerberos or
+             the server when a request fails.  To interpret the value of
+             this field see the list of error codes in section 8.
+             Implementations are encouraged to provide for national
+             language support in the display of error messages.
+
+   crealm, cname, srealm and sname These fields are described above in
+
+
+
+Kohl & Neuman                                                  [Page 66]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             section 5.3.1.
+
+   e-text    This field contains additional text to help explain the
+             error code associated with the failed request (for example,
+             it might include a principal name which was unknown).
+
+   e-data    This field contains additional data about the error for use
+             by the application to help it recover from or handle the
+             error.  If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then
+             the e-data field will contain an encoding of a sequence of
+             padata fields, each corresponding to an acceptable pre-
+             authentication method and optionally containing data for
+             the method:
+
+      METHOD-DATA ::=    SEQUENCE of PA-DATA
+
+   If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+   contain an encoding of the following sequence:
+
+      METHOD-DATA ::=    SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+       }
+
+   method-type will indicate the required alternate method; method-data
+   will contain any required additional information.
+
+6.  Encryption and Checksum Specifications
+
+   The Kerberos protocols described in this document are designed to use
+   stream encryption ciphers, which can be simulated using commonly
+   available block encryption ciphers, such as the Data Encryption
+   Standard [11], in conjunction with block chaining and checksum
+   methods [12].  Encryption is used to prove the identities of the
+   network entities participating in message exchanges.  The Key
+   Distribution Center for each realm is trusted by all principals
+   registered in that realm to store a secret key in confidence.  Proof
+   of knowledge of this secret key is used to verify the authenticity of
+   a principal.
+
+   The KDC uses the principal's secret key (in the AS exchange) or a
+   shared session key (in the TGS exchange) to encrypt responses to
+   ticket requests; the ability to obtain the secret key or session key
+   implies the knowledge of the appropriate keys and the identity of the
+   KDC. The ability of a principal to decrypt the KDC response and
+   present a Ticket and a properly formed Authenticator (generated with
+   the session key from the KDC response) to a service verifies the
+   identity of the principal; likewise the ability of the service to
+
+
+
+Kohl & Neuman                                                  [Page 67]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   extract the session key from the Ticket and prove its knowledge
+   thereof in a response verifies the identity of the service.
+
+   The Kerberos protocols generally assume that the encryption used is
+   secure from cryptanalysis; however, in some cases, the order of
+   fields in the encrypted portions of messages are arranged to minimize
+   the effects of poorly chosen keys.  It is still important to choose
+   good keys.  If keys are derived from user-typed passwords, those
+   passwords need to be well chosen to make brute force attacks more
+   difficult.  Poorly chosen keys still make easy targets for intruders.
+
+   The following sections specify the encryption and checksum mechanisms
+   currently defined for Kerberos.  The encodings, chaining, and padding
+   requirements for each are described.  For encryption methods, it is
+   often desirable to place random information (often referred to as a
+   confounder) at the start of the message.  The requirements for a
+   confounder are specified with each encryption mechanism.
+
+   Some encryption systems use a block-chaining method to improve the
+   the security characteristics of the ciphertext.  However, these
+   chaining methods often don't provide an integrity check upon
+   decryption.  Such systems (such as DES in CBC mode) must be augmented
+   with a checksum of the plaintext which can be verified at decryption
+   and used to detect any tampering or damage.  Such checksums should be
+   good at detecting burst errors in the input.  If any damage is
+   detected, the decryption routine is expected to return an error
+   indicating the failure of an integrity check. Each encryption type is
+   expected to provide and verify an appropriate checksum. The
+   specification of each encryption method sets out its checksum
+   requirements.
+
+   Finally, where a key is to be derived from a user's password, an
+   algorithm for converting the password to a key of the appropriate
+   type is included.  It is desirable for the string to key function to
+   be one-way, and for the mapping to be different in different realms.
+   This is important because users who are registered in more than one
+   realm will often use the same password in each, and it is desirable
+   that an attacker compromising the Kerberos server in one realm not
+   obtain or derive the user's key in another.
+
+   For a discussion of the integrity characteristics of the candidate
+   encryption and checksum methods considered for Kerberos, the the
+   reader is referred to [13].
+
+6.1.  Encryption Specifications
+
+   The following ASN.1 definition describes all encrypted messages.  The
+   enc-part field which appears in the unencrypted part of messages in
+
+
+
+Kohl & Neuman                                                  [Page 68]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   section 5 is a sequence consisting of an encryption type, an optional
+   key version number, and the ciphertext.
+
+   EncryptedData ::=   SEQUENCE {
+                       etype[0]     INTEGER, -- EncryptionType
+                       kvno[1]      INTEGER OPTIONAL,
+                       cipher[2]    OCTET STRING -- ciphertext
+   }
+
+   etype     This field identifies which encryption algorithm was used
+             to encipher the cipher.  Detailed specifications for
+             selected encryption types appear later in this section.
+
+   kvno      This field contains the version number of the key under
+             which data is encrypted.  It is only present in messages
+             encrypted under long lasting keys, such as principals'
+             secret keys.
+
+   cipher    This field contains the enciphered text, encoded as an
+             OCTET STRING.
+
+   The cipher field is generated by applying the specified encryption
+   algorithm to data composed of the message and algorithm-specific
+   inputs.  Encryption mechanisms defined for use with Kerberos must
+   take sufficient measures to guarantee the integrity of the plaintext,
+   and we recommend they also take measures to protect against
+   precomputed dictionary attacks.  If the encryption algorithm is not
+   itself capable of doing so, the protections can often be enhanced by
+   adding a checksum and a confounder.
+
+   The suggested format for the data to be encrypted includes a
+   confounder, a checksum, the encoded plaintext, and any necessary
+   padding.  The msg-seq field contains the part of the protocol message
+   described in section 5 which is to be encrypted.  The confounder,
+   checksum, and padding are all untagged and untyped, and their length
+   is exactly sufficient to hold the appropriate item.  The type and
+   length is implicit and specified by the particular encryption type
+   being used (etype).  The format for the data to be encrypted is
+   described in the following diagram:
+
+         +-----------+----------+-------------+-----+
+         |confounder |   check  |   msg-seq   | pad |
+         +-----------+----------+-------------+-----+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+
+
+
+
+Kohl & Neuman                                                  [Page 69]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+         confounder[0]   UNTAGGED OCTET STRING(conf_length)     OPTIONAL,
+         check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+         msg-seq[2]      MsgSequence,
+         pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+   In the above specification, UNTAGGED OCTET STRING(length) is the
+   notation for an octet string with its tag and length removed.  It is
+   not a valid ASN.1 type.  The tag bits and length must be removed from
+   the confounder since the purpose of the confounder is so that the
+   message starts with random data, but the tag and its length are
+   fixed.  For other fields, the length and tag would be redundant if
+   they were included because they are specified by the encryption type.
+
+   One generates a random confounder of the appropriate length, placing
+   it in confounder; zeroes out check; calculates the appropriate
+   checksum over confounder, check, and msg-seq, placing the result in
+   check; adds the necessary padding; then encrypts using the specified
+   encryption type and the appropriate key.
+
+   Unless otherwise specified, a definition of an encryption algorithm
+   that specifies a checksum, a length for the confounder field, or an
+   octet boundary for padding uses this ciphertext format (The ordering
+   of the fields in the CipherText is important.  Additionally, messages
+   encoded in this format must include a length as part of the msg-seq
+   field.  This allows the recipient to verify that the message has not
+   been truncated.  Without a length, an attacker could use a chosen
+   plaintext attack to generate a message which could be truncated,
+   while leaving the checksum intact.  Note that if the msg-seq is an
+   encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length is
+   part of that encoding.). Those fields which are not specified will be
+   omitted.
+
+   In the interest of allowing all implementations using a particular
+   encryption type to communicate with all others using that type, the
+   specification of an encryption type defines any checksum that is
+   needed as part of the encryption process.  If an alternative checksum
+   is to be used, a new encryption type must be defined.
+
+   Some cryptosystems require additional information beyond the key and
+   the data to be encrypted. For example, DES, when used in cipher-
+   block-chaining mode, requires an initialization vector.  If required,
+   the description for each encryption type must specify the source of
+   such additional information.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 70]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.2.  Encryption Keys
+
+   The sequence below shows the encoding of an encryption key:
+
+          EncryptionKey ::=   SEQUENCE {
+                              keytype[0]    INTEGER,
+                              keyvalue[1]   OCTET STRING
+          }
+
+   keytype   This field specifies the type of encryption key that
+             follows in the keyvalue field.  It will almost always
+             correspond to the encryption algorithm used to generate the
+             EncryptedData, though more than one algorithm may use the
+             same type of key (the mapping is many to one).  This might
+             happen, for example, if the encryption algorithm uses an
+             alternate checksum algorithm for an integrity check, or a
+             different chaining mechanism.
+
+   keyvalue  This field contains the key itself, encoded as an octet
+             string.
+
+   All negative values for the  encryption key type are reserved for
+   local use.  All non-negative values are reserved for officially
+   assigned type fields and interpretations.
+
+6.3.  Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+   If no encryption is in use, the encryption system is said to be the
+   NULL encryption system.  In the NULL encryption system there is no
+   checksum, confounder or padding.  The ciphertext is simply the
+   plaintext.  The NULL Key is used by the null encryption system and is
+   zero octets in length, with keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+   The des-cbc-crc encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   A CRC-32 checksum (described in ISO 3309 [14]) is applied to the
+   confounder and message sequence (msg-seq) and placed in the cksum
+   field.  DES blocks are 8 bytes.  As a result, the data to be
+   encrypted (the concatenation of confounder, checksum, and message)
+   must be padded to an 8 byte boundary before encryption.  The details
+   of the encryption of this data are identical to those for the des-
+   cbc-md5 encryption mode.
+
+   Note that, since the CRC-32 checksum is not collisionproof, an
+
+
+
+Kohl & Neuman                                                  [Page 71]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   attacker could use a probabilistic chosenplaintext attack to generate
+   a valid message even if a confounder is used [13]. The use of
+   collision-proof checksums is recommended for environments where such
+   attacks represent a significant threat.  The use of the CRC-32 as the
+   checksum for ticket or authenticator is no longer mandated as an
+   interoperability requirement for Kerberos Version 5 Specification 1
+   (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+   The des-cbc-md4 encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   An MD4 checksum (described in [15]) is applied to the confounder and
+   message sequence (msg-seq) and placed in the cksum field.  DES blocks
+   are 8 bytes.  As a result, the data to be encrypted (the
+   concatenation of confounder, checksum, and message) must be padded to
+   an 8 byte boundary before encryption.  The details of the encryption
+   of this data are identical to those for the descbc-md5 encryption
+   mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+   The des-cbc-md5 encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   An MD5 checksum (described in [16]) is applied to the confounder and
+   message sequence (msg-seq) and placed in the cksum field.  DES blocks
+   are 8 bytes.  As a result, the data to be encrypted (the
+   concatenation of confounder, checksum, and message) must be padded to
+   an 8 byte boundary before encryption.
+
+   Plaintext and DES ciphtertext are encoded as 8-octet blocks which are
+   concatenated to make the 64-bit inputs for the DES algorithms.  The
+   first octet supplies the 8 most significant bits (with the octet's
+   MSbit used as the DES input block's MSbit, etc.), the second octet
+   the next 8 bits, ..., and the eighth octet supplies the 8 least
+   significant bits.
+
+   Encryption under DES using cipher block chaining requires an
+   additional input in the form of an initialization vector.  Unless
+   otherwise specified, zero should be used as the initialization
+   vector.  Kerberos' use of DES requires an 8-octet confounder.
+
+   The DES specifications identify some "weak" and "semiweak" keys;
+   those keys shall not be used for encrypting messages for use in
+   Kerberos.  Additionally, because of the way that keys are derived for
+   the encryption of checksums, keys shall not be used that yield "weak"
+   or "semi-weak" keys when eXclusive-ORed with the constant
+   F0F0F0F0F0F0F0F0.
+
+
+
+Kohl & Neuman                                                  [Page 72]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   A DES key is 8 octets of data, with keytype one (1).  This consists
+   of 56 bits of key, and 8 parity bits (one per octet).  The key is
+   encoded as a series of 8 octets written in MSB-first order. The bits
+   within the key are also encoded in MSB order.  For example, if the
+   encryption key is:
+   (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+   B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+   parity bits, the first octet of the key would be B1,B2,...,B7,P1
+   (with B1 as the MSbit).  [See the FIPS 81 introduction for
+   reference.]
+
+   To generate a DES key from a text string (password), the text string
+   normally must have the realm and each component of the principal's
+   name appended(In some cases, it may be necessary to use a different
+   "mix-in" string for compatibility reasons; see the discussion of
+   padata in section 5.4.2.), then padded with ASCII nulls to an 8 byte
+   boundary.  This string is then fan-folded and eXclusive-ORed with
+   itself to form an 8 byte DES key.  The parity is corrected on the
+   key, and it is used to generate a DES CBC checksum on the initial
+   string (with the realm and name appended).  Next, parity is corrected
+   on the CBC checksum.  If the result matches a "weak" or "semiweak"
+   key as described in the DES specification, it is eXclusive-ORed with
+   the constant 00000000000000F0.  Finally, the result is returned as
+   the key.  Pseudocode follows:
+
+        string_to_key(string,realm,name) {
+             odd = 1;
+             s = string + realm;
+             for(each component in name) {
+                  s = s + component;
+             }
+             tempkey = NULL;
+             pad(s); /* with nulls to 8 byte boundary */
+             for(8byteblock in s) {
+                  if(odd == 0)  {
+                      odd = 1;
+                      reverse(8byteblock)
+                  }
+                  else odd = 0;
+                  tempkey = tempkey XOR 8byteblock;
+             }
+             fixparity(tempkey);
+             key = DES-CBC-check(s,tempkey);
+             fixparity(key);
+             if(is_weak_key_key(key))
+                  key = key XOR 0xF0;
+             return(key);
+        }
+
+
+
+Kohl & Neuman                                                  [Page 73]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.4.  Checksums
+
+   The following is the ASN.1 definition used for a checksum:
+
+            Checksum ::=   SEQUENCE {
+                           cksumtype[0]   INTEGER,
+                           checksum[1]    OCTET STRING
+            }
+
+   cksumtype This field indicates the algorithm used to generate the
+             accompanying checksum.
+
+   checksum  This field contains the checksum itself, encoded
+             as an octet string.
+
+   Detailed specification of selected checksum types appear later in
+   this section.  Negative values for the checksum type are reserved for
+   local use.  All non-negative values are reserved for officially
+   assigned type fields and interpretations.
+
+   Checksums used by Kerberos can be classified by two properties:
+   whether they are collision-proof, and whether they are keyed.  It is
+   infeasible to find two plaintexts which generate the same checksum
+   value for a collision-proof checksum.  A key is required to perturb
+   or initialize the algorithm in a keyed checksum.  To prevent
+   message-stream modification by an active attacker, unkeyed checksums
+   should only be used when the checksum and message will be
+   subsequently encrypted (e.g., the checksums defined as part of the
+   encryption algorithms covered earlier in this section).  Collision-
+   proof checksums can be made tamper-proof as well if the checksum
+   value is encrypted before inclusion in a message.  In such cases, the
+   composition of the checksum and the encryption algorithm must be
+   considered a separate checksum algorithm (e.g., RSA-MD5 encrypted
+   using DES is a new checksum algorithm of type RSA-MD5-DES).  For most
+   keyed checksums, as well as for the encrypted forms of collisionproof
+   checksums, Kerberos prepends a confounder before the checksum is
+   calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+   The CRC-32 checksum calculates a checksum based on a cyclic
+   redundancy check as described in ISO 3309 [14].  The resulting
+   checksum is four (4) octets in length.  The CRC-32 is neither keyed
+   nor collision-proof.  The use of this checksum is not recommended.
+   An attacker using a probabilistic chosen-plaintext attack as
+   described in [13] might be able to generate an alternative message
+   that satisfies the checksum.  The use of collision-proof checksums is
+   recommended for environments where such attacks represent a
+
+
+
+Kohl & Neuman                                                  [Page 74]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+   The RSA-MD4 checksum calculates a checksum using the RSA MD4
+   algorithm [15].  The algorithm takes as input an input message of
+   arbitrary length and produces as output a 128-bit (16 octet)
+   checksum.  RSA-MD4 is believed to be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4des)
+
+   The RSA-MD4-DES checksum calculates a keyed collisionproof checksum
+   by prepending an 8 octet confounder before the text, applying the RSA
+   MD4 checksum algorithm, and encrypting the confounder and the
+   checksum using DES in cipher-block-chaining (CBC) mode using a
+   variant of the key, where the variant is computed by eXclusive-ORing
+   the key with the constant F0F0F0F0F0F0F0F0 (A variant of the key is
+   used to limit the use of a key to a particular function, separating
+   the functions of generating a checksum from other encryption
+   performed using the session key.  The constant F0F0F0F0F0F0F0F0 was
+   chosen because it maintains key parity.  The properties of DES
+   precluded the use of the complement.  The same constant is used for
+   similar purpose in the Message Integrity Check in the Privacy
+   Enhanced Mail standard.).  The initialization vector should be zero.
+   The resulting checksum is 24 octets long (8 octets of which are
+   redundant).  This checksum is tamper-proof and believed to be
+   collision-proof.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |  des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+                        rsa-md4(confounder+msg),key=var(key),iv=0)  |
+                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                              confounder[0]   UNTAGGED OCTET STRING(8),
+                              check[1]        UNTAGGED OCTET STRING(16)
+   }
+
+
+
+Kohl & Neuman                                                  [Page 75]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+   The RSA-MD5 checksum calculates a checksum using the RSA MD5
+   algorithm [16].  The algorithm takes as input an input message of
+   arbitrary length and produces as output a 128-bit (16 octet)
+   checksum.  RSA-MD5 is believed to be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5des)
+
+   The RSA-MD5-DES checksum calculates a keyed collisionproof checksum
+   by prepending an 8 octet confounder before the text, applying the RSA
+   MD5 checksum algorithm, and encrypting the confounder and the
+   checksum using DES in cipher-block-chaining (CBC) mode using a
+   variant of the key, where the variant is computed by eXclusive-ORing
+   the key with the constant F0F0F0F0F0F0F0F0.  The initialization
+   vector should be zero.  The resulting checksum is 24 octets long (8
+   octets of which are redundant).  This checksum is tamper-proof and
+   believed to be collision-proof.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |  des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+                         rsa-md5(confounder+msg),key=var(key),iv=0)  |
+                     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                              confounder[0]   UNTAGGED OCTET STRING(8),
+                              check[1]        UNTAGGED OCTET STRING(16)
+   }
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+   The DES-MAC checksum is computed by prepending an 8 octet confounder
+   to the plaintext, performing a DES CBC-mode encryption on the result
+   using the key and an initialization vector of zero, taking the last
+   block of the ciphertext, prepending the same confounder and
+   encrypting the pair using DES in cipher-block-chaining (CBC) mode
+   using a a variant of the key, where the variant is computed by
+
+
+
+Kohl & Neuman                                                  [Page 76]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0.  The
+   initialization vector should be zero.  The resulting checksum is 128
+   bits (16 octets) long, 64 bits of which are redundant. This checksum
+   is tamper-proof and collision-proof.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |   des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                     +-----+-----+-----+-----+-----+-----+-----+-----+
+                       des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
+                     +-----+-----+-----+-----+-----+-----+-----+-----+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   des-mac-checksum ::=    ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(8)
+   }
+
+   The DES specifications identify some "weak" and "semiweak" keys;
+   those keys shall not be used for generating DES-MAC checksums for use
+   in Kerberos, nor shall a key be used whose veriant is "weak" or
+   "semi-weak".
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+       (rsa-md4-des-k)
+
+   The RSA-MD4-DES-K checksum calculates a keyed collision-proof
+   checksum by applying the RSA MD4 checksum algorithm and encrypting
+   the results using DES in cipherblock-chaining (CBC) mode using a DES
+   key as both key and initialization vector. The resulting checksum is
+   16 octets long. This checksum is tamper-proof and believed to be
+   collision-proof.  Note that this checksum type is the old method for
+   encoding the RSA-MD4-DES checksum and it is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (desmac-k)
+
+   The DES-MAC-K checksum is computed by performing a DES CBC-mode
+   encryption of the plaintext, and using the last block of the
+   ciphertext as the checksum value. It is keyed with an encryption key
+   and an initialization vector; any uses which do not specify an
+   additional initialization vector will use the key as both key and
+   initialization vector.  The resulting checksum is 64 bits (8 octets)
+   long. This checksum is tamper-proof and collision-proof.  Note that
+
+
+
+Kohl & Neuman                                                  [Page 77]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   this checksum type is the old method for encoding the DESMAC checksum
+   and it is no longer recommended.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for generating DES-MAC checksums for use in Kerberos.
+
+7.  Naming Constraints
+
+7.1.  Realm Names
+
+   Although realm names are encoded as GeneralStrings and although a
+   realm can technically select any name it chooses, interoperability
+   across realm boundaries requires agreement on how realm names are to
+   be assigned, and what information they imply.
+
+   To enforce these conventions, each realm must conform to the
+   conventions itself, and it must require that any realms with which
+   inter-realm keys are shared also conform to the conventions and
+   require the same from its neighbors.
+
+   There are presently four styles of realm names: domain, X500, other,
+   and reserved.  Examples of each style follow:
+
+        domain:   host.subdomain.domain (example)
+          X500:   C=US/O=OSF (example)
+         other:   NAMETYPE:rest/of.name=without-restrictions (example)
+      reserved:   reserved, but will not conflict with above
+
+   Domain names must look like domain names: they consist of components
+   separated by periods (.) and they contain neither colons (:) nor
+   slashes (/).
+
+   X.500 names contain an equal (=) and cannot contain a colon (:)
+   before the equal.  The realm names for X.500 names will be string
+   representations of the names with components separated by slashes.
+   Leading and trailing slashes will not be included.
+
+   Names that fall into the other category must begin with a prefix that
+   contains no equal (=) or period (.) and the prefix must be followed
+   by a colon (:) and the rest of the name. All prefixes must be
+   assigned before they may be used.  Presently none are assigned.
+
+   The reserved category includes strings which do not fall into the
+   first three categories.  All names in this category are reserved. It
+   is unlikely that names will be assigned to this category unless there
+   is a very strong argument for not using the "other" category.
+
+   These rules guarantee that there will be no conflicts between the
+
+
+
+Kohl & Neuman                                                  [Page 78]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   various name styles.  The following additional constraints apply to
+   the assignment of realm names in the domain and X.500 categories: the
+   name of a realm for the domain or X.500 formats must either be used
+   by the organization owning (to whom it was assigned) an Internet
+   domain name or X.500 name, or in the case that no such names are
+   registered, authority to use a realm name may be derived from the
+   authority of the parent realm.  For example, if there is no domain
+   name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+   authorize the creation of a realm with that name.
+
+   This is acceptable because the organization to which the parent is
+   assigned is presumably the organization authorized to assign names to
+   its children in the X.500 and domain name systems as well.  If the
+   parent assigns a realm name without also registering it in the domain
+   name or X.500 hierarchy, it is the parent's responsibility to make
+   sure that there will not in the future exists a name identical to the
+   realm name of the child unless it is assigned to the same entity as
+   the realm name.
+
+7.2.  Principal Names
+
+   As was the case for realm names, conventions are needed to ensure
+   that all agree on what information is implied by a principal name.
+   The name-type field that is part of the principal name indicates the
+   kind of information implied by the name.  The name-type should be
+   treated as a hint.  Ignoring the name type, no two names can be the
+   same (i.e., at least one of the components, or the realm, must be
+   different).  This constraint may be eliminated in the future.  The
+   following name types are defined:
+
+      name-type      value   meaning
+      NT-UNKNOWN       0     Name type not known
+      NT-PRINCIPAL     1     Just the name of the principal as in
+                             DCE, or for users
+      NT-SRV-INST      2     Service and other unique instance (krbtgt)
+      NT-SRV-HST       3     Service with host name as instance
+                             (telnet, rcommands)
+      NT-SRV-XHST      4     Service with host as remaining components
+      NT-UID           5     Unique ID
+
+   When a name implies no information other than its uniqueness at a
+   particular time the name type PRINCIPAL should be used.  The
+   principal name type should be used for users, and it might also be
+   used for a unique server.  If the name is a unique machine generated
+   ID that is guaranteed never to be reassigned then the name type of
+   UID should be used (note that it is generally a bad idea to reassign
+   names of any type since stale entries might remain in access control
+   lists).
+
+
+
+Kohl & Neuman                                                  [Page 79]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If the first component of a name identifies a service and the
+   remaining components identify an instance of the service in a server
+   specified manner, then the name type of SRV-INST should be used.  An
+   example of this name type is the Kerberos ticket-granting ticket
+   which has a first component of krbtgt and a second component
+   identifying the realm for which the ticket is valid.
+
+   If instance is a single component following the service name and the
+   instance identifies the host on which the server is running, then the
+   name type SRV-HST should be used. This type is typically used for
+   Internet services such as telnet and the Berkeley R commands.  If the
+   separate components of the host name appear as successive components
+   following the name of the service, then the name type SRVXHST should
+   be used.  This type might be used to identify servers on hosts with
+   X.500 names where the slash (/) might otherwise be ambiguous.
+
+   A name type of UNKNOWN should be used when the form of the name is
+   not known. When comparing names, a name of type UNKNOWN will match
+   principals authenticated with names of any type.  A principal
+   authenticated with a name of type UNKNOWN, however, will only match
+   other names of type UNKNOWN.
+
+   Names of any type with an initial component of "krbtgt" are reserved
+   for the Kerberos ticket granting service.  See section 8.2.3 for the
+   form of such names.
+
+7.2.1. Name of server principals
+
+   The principal identifier for a server on a host will generally be
+   composed of two parts: (1) the realm of the KDC with which the server
+   is registered, and (2) a two-component name of type NT-SRV-HST if the
+   host name is an Internet domain name or a multi-component name of
+   type NT-SRV-XHST if the name of the host is of a form such as X.500
+   that allows slash (/) separators.  The first component of the two- or
+   multi-component name will identify the service and the latter
+   components will identify the host.  Where the name of the host is not
+   case sensitive (for example, with Internet domain names) the name of
+   the host must be lower case.  For services such as telnet and the
+   Berkeley R commands which run with system privileges, the first
+   component will be the string "host" instead of a service specific
+   identifier.
+
+8.  Constants and other defined values
+
+8.1.  Host address types
+
+   All negative values for the host address type are reserved for local
+   use.  All non-negative values are reserved for officially assigned
+
+
+
+Kohl & Neuman                                                  [Page 80]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   type fields and interpretations.
+
+   The values of the types for the following addresses are chosen to
+   match the defined address family constants in the Berkeley Standard
+   Distributions of Unix.  They can be found in <sys/socket.h> with
+   symbolic names AF_xxx (where xxx is an abbreviation of the address
+   family name).
+
+
+   Internet addresses
+
+      Internet addresses are 32-bit (4-octet) quantities, encoded in MSB
+      order.  The type of internet addresses is two (2).
+
+   CHAOSnet addresses
+
+      CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+      order.  The type of CHAOSnet addresses is five (5).
+
+   ISO addresses
+
+      ISO addresses are variable-length.  The type of ISO addresses is
+      seven (7).
+
+   Xerox Network Services (XNS) addresses
+
+      XNS addresses are 48-bit (6-octet) quantities, encoded in MSB
+      order.  The type of XNS addresses is six (6).
+
+   AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+      AppleTalk DDP addresses consist of an 8-bit node number and a 16-
+      bit network number.  The first octet of the address is the node
+      number; the remaining two octets encode the network number in MSB
+      order. The type of AppleTalk DDP addresses is sixteen (16).
+
+   DECnet Phase IV addresses
+
+      DECnet Phase IV addresses are 16-bit addresses, encoded in LSB
+      order.  The type of DECnet Phase IV addresses is twelve (12).
+
+8.2.  KDC messages
+
+8.2.1. IP transport
+
+   When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request
+   using IP transport, the client shall send a UDP datagram containing
+   only an encoding of the request to port 88 (decimal) at the KDC's IP
+
+
+
+Kohl & Neuman                                                  [Page 81]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   address; the KDC will respond with a reply datagram containing only
+   an encoding of the reply message (either a KRB_ERROR or a
+   KRB_KDC_REP) to the sending port at the sender's IP address.
+
+8.2.2. OSI transport
+
+   During authentication of an OSI client to and OSI server, the mutual
+   authentication of an OSI server to an OSI client, the transfer of
+   credentials from an OSI client to an OSI server, or during exchange
+   of private or integrity checked messages, Kerberos protocol messages
+   may be treated as opaque objects and the type of the authentication
+   mechanism will be:
+
+   OBJECT IDENTIFIER ::= {iso (1), org(3), dod(5),internet(1),
+                          security(5), kerberosv5(2)}
+
+   Depending on the situation, the opaque object will be an
+   authentication header (KRB_AP_REQ), an authentication reply
+   (KRB_AP_REP), a safe message (KRB_SAFE), a private message
+   (KRB_PRIV), or a credentials message (KRB_CRED).  The opaque data
+   contains an application code as specified in the ASN.1 description
+   for each message.  The application code may be used by Kerberos to
+   determine the message type.
+
+8.2.3. Name of the TGS
+
+   The principal identifier of the ticket-granting service shall be
+   composed of three parts: (1) the realm of the KDC issuing the TGS
+   ticket (2) a two-part name of type NT-SRVINST, with the first part
+   "krbtgt" and the second part the name of the realm which will accept
+   the ticket-granting ticket.  For example, a ticket-granting ticket
+   issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+   ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+   (realm), ("krbtgt", "ATHENA.MIT.EDU") (name).  A ticket-granting
+   ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets
+   from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU"
+   (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3.  Protocol constants and associated values
+
+   The following tables list constants used in the protocol and defines
+   their meanings.
+
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 82]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+---------------+-----------+----------+----------------+---------------
+Encryption type|etype value|block size|minimum pad size|confounder size
+---------------+-----------+----------+----------------+---------------
+NULL                0            1              0              0
+des-cbc-crc         1            8              4              8
+des-cbc-md4         2            8              0              8
+des-cbc-md5         3            8              0              8
+
+-------------------------------+-------------------+-------------
+Checksum type                  |sumtype value      |checksum size
+-------------------------------+-------------------+-------------
+CRC32                           1                   4
+rsa-md4                         2                   16
+rsa-md4-des                     3                   24
+des-mac                         4                   16
+des-mac-k                       5                   8
+rsa-md4-des-k                   6                   16
+rsa-md5                         7                   16
+rsa-md5-des                     8                   24
+
+-------------------------------+-----------------
+padata type                    |padata-type value
+-------------------------------+-----------------
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+
+-------------------------------+-------------
+authorization data type        |ad-type value
+-------------------------------+-------------
+reserved values                 0-63
+OSF-DCE                         64
+SESAME                          65
+
+-------------------------------+-----------------
+alternate authentication type  |method-type value
+-------------------------------+-----------------
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+-------------------------------+-------------
+transited encoding type        |tr-type value
+-------------------------------+-------------
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 83]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+--------------+-------+-----------------------------------------
+Label         |Value  |Meaning or MIT code
+--------------+-------+-----------------------------------------
+
+pvno             5     current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ      10     Request for initial authentication
+KRB_AS_REP      11     Response to KRB_AS_REQ request
+KRB_TGS_REQ     12     Request for authentication based on TGT
+KRB_TGS_REP     13     Response to KRB_TGS_REQ request
+KRB_AP_REQ      14     application request to server
+KRB_AP_REP      15     Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE        20     Safe (checksummed) application message
+KRB_PRIV        21     Private (encrypted) application message
+KRB_CRED        22     Private (encrypted) message to forward
+                       credentials
+KRB_ERROR       30     Error response
+
+name types
+
+KRB_NT_UNKNOWN   0   Name type not known
+KRB_NT_PRINCIPAL 1   Just the name of the principal as in DCE, or
+                     for users
+KRB_NT_SRV_INST  2   Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST   3   Service with host name as instance (telnet,
+                     rcommands)
+KRB_NT_SRV_XHST  4   Service with host as remaining components
+KRB_NT_UID       5   Unique ID
+
+error codes
+
+KDC_ERR_NONE                   0   No error
+KDC_ERR_NAME_EXP               1   Client's entry in database has
+                                   expired
+KDC_ERR_SERVICE_EXP            2   Server's entry in database has
+                                   expired
+KDC_ERR_BAD_PVNO               3   Requested protocol version number
+                                   not supported
+KDC_ERR_C_OLD_MAST_KVNO        4   Client's key encrypted in old
+                                   master key
+KDC_ERR_S_OLD_MAST_KVNO        5   Server's key encrypted in old
+                                   master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN    6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN    7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE   8   Multiple principal entries in
+                                   database
+
+
+
+Kohl & Neuman                                                  [Page 84]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+KDC_ERR_NULL_KEY               9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE       10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID           11   Requested start time is later than
+                                   end time
+KDC_ERR_POLICY                12   KDC policy rejects request
+KDC_ERR_BADOPTION             13   KDC cannot accommodate requested
+                                   option
+KDC_ERR_ETYPE_NOSUPP          14   KDC has no support for encryption
+                                   type
+KDC_ERR_SUMTYPE_NOSUPP        15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP    16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP         17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED        18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED       19   Credentials for server have been
+                                   revoked
+KDC_ERR_TGT_REVOKED           20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET         21   Client not yet valid - try again
+                                   later
+KDC_ERR_SERVICE_NOTYET        22   Server not yet valid - try again
+                                   later
+KDC_ERR_KEY_EXPIRED           23   Password has expired - change
+                                   password to reset
+KDC_ERR_PREAUTH_FAILED        24   Pre-authentication information
+                                   was invalid
+KDC_ERR_PREAUTH_REQUIRED      25   Additional pre-authentication
+                                   required*
+KRB_AP_ERR_BAD_INTEGRITY      31   Integrity check on decrypted field
+                                   failed
+KRB_AP_ERR_TKT_EXPIRED        32   Ticket expired
+KRB_AP_ERR_TKT_NYV            33   Ticket not yet valid
+KRB_AP_ERR_REPEAT             34   Request is a replay
+KRB_AP_ERR_NOT_US             35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH           36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW               37   Clock skew too great
+KRB_AP_ERR_BADADDR            38   Incorrect net address
+KRB_AP_ERR_BADVERSION         39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE           40   Invalid msg type
+KRB_AP_ERR_MODIFIED           41   Message stream modified
+KRB_AP_ERR_BADORDER           42   Message out of order
+KRB_AP_ERR_BADKEYVER          44   Specified version of key is not
+                                   available
+KRB_AP_ERR_NOKEY              45   Service key not available
+KRB_AP_ERR_MUT_FAIL           46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION       47   Incorrect message direction
+KRB_AP_ERR_METHOD             48   Alternative authentication method
+                                   required*
+KRB_AP_ERR_BADSEQ             49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM        50   Inappropriate type of checksum in
+
+
+
+Kohl & Neuman                                                  [Page 85]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   message
+KRB_ERR_GENERIC               60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG         61   Field is too long for this
+                                   implementation
+
+   *This error carries additional information in the e-data field.  The
+   contents of the e-data field for this message is described in section
+   5.9.1.
+
+9.  Interoperability requirements
+
+   Version 5 of the Kerberos protocol supports a myriad of options.
+   Among these are multiple encryption and checksum types, alternative
+   encoding schemes for the transited field, optional mechanisms for
+   pre-authentication, the handling of tickets with no addresses,
+   options for mutual authentication, user to user authentication,
+   support for proxies, forwarding, postdating, and renewing tickets,
+   the format of realm names, and the handling of authorization data.
+
+   In order to ensure the interoperability of realms, it is necessary to
+   define a minimal configuration which must be supported by all
+   implementations.  This minimal configuration is subject to change as
+   technology does. For example, if at some later date it is discovered
+   that one of the required encryption or checksum algorithms is not
+   secure, it will be replaced.
+
+9.1.  Specification 1
+
+   This section defines the first specification of these options.
+   Implementations which are configured in this way can be said to
+   support Kerberos Version 5 Specification 1 (5.1).
+
+   Encryption and checksum methods
+
+   The following encryption and checksum mechanisms must be supported.
+   Implementations may support other mechanisms as well, but the
+   additional mechanisms may only be used when communicating with
+   principals known to also support them: Encryption: DES-CBC-MD5
+   Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+   Realm Names
+
+   All implementations must understand hierarchical realms in both the
+   Internet Domain and the X.500 style.  When a ticket granting ticket
+   for an unknown realm is requested, the KDC must be able to determine
+   the names of the intermediate realms between the KDCs realm and the
+   requested realm.
+
+
+
+
+Kohl & Neuman                                                  [Page 86]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Transited field encoding
+
+   DOMAIN-X500-COMPRESS (described in section 3.3.3.1) must be
+   supported.  Alternative encodings may be supported, but they may be
+   used only when that encoding is supported by ALL intermediate realms.
+
+   Pre-authentication methods
+
+   The TGS-REQ method must be supported.  The TGS-REQ method is not used
+   on the initial request. The PA-ENC-TIMESTAMP method must be supported
+   by clients but whether it is enabled by default may be determined on
+   a realm by realm basis. If not used in the initial request and the
+   error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP
+   as an acceptable method, the client should retry the initial request
+   using the PA-ENC-TIMESTAMP preauthentication method. Servers need not
+   support the PAENC-TIMESTAMP method, but if not supported the server
+   should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in
+   a request.
+
+   Mutual authentication
+
+   Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+   Ticket addresses and flags
+
+   All KDC's must pass on tickets that carry no addresses (i.e.,  if a
+   TGT contains no addresses, the KDC will return derivative tickets),
+   but each realm may set its own policy for issuing such tickets, and
+   each application server will set its own policy with respect to
+   accepting them. By default, servers should not accept them.
+
+   Proxies and forwarded tickets must be supported.  Individual realms
+   and application servers can set their own policy on when such tickets
+   will be accepted.
+
+   All implementations must recognize renewable and postdated tickets,
+   but need not actually implement them.  If these options are not
+   supported, the starttime and endtime in the ticket shall specify a
+   ticket's entire useful life.  When a postdated ticket is decoded by a
+   server, all implementations shall make the presence of the postdated
+   flag visible to the calling server.
+
+   User-to-user authentication
+
+   Support for user to user authentication (via the ENC-TKTIN-SKEY KDC
+   option) must be provided by implementations, but individual realms
+   may decide as a matter of policy to reject such requests on a per-
+   principal or realm-wide basis.
+
+
+
+Kohl & Neuman                                                  [Page 87]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Authorization data
+
+   Implementations must pass all authorization data subfields from
+   ticket-granting tickets to any derivative tickets unless directed to
+   suppress a subfield as part of the definition of that registered
+   subfield type (it is never incorrect to pass on a subfield, and no
+   registered subfield types presently specify suppression at the KDC).
+
+   Implementations must make the contents of any authorization data
+   subfields available to the server when a ticket is used.
+   Implementations are not required to allow clients to specify the
+   contents of the authorization data fields.
+
+9.2.  Recommended KDC values
+
+   Following is a list of recommended values for a KDC implementation,
+   based on the list of suggested configuration constants (see section
+   4.4).
+
+   minimum lifetime                5 minutes
+
+   maximum renewable lifetime      1 week
+
+   maximum ticket lifetime         1 day
+
+   empty addresses                 only when suitable restrictions appear
+                                   in authorization data
+
+   proxiable, etc.                 Allowed.
+
+10.  Acknowledgments
+
+   Early versions of this document, describing version 4 of the
+   protocol, were written by Jennifer Steiner (formerly at Project
+   Athena); these drafts provided an excellent starting point for this
+   current version 5 specification.  Many people in the Internet
+   community have contributed ideas and suggested protocol changes for
+   version 5. Notable contributions came from Ted Anderson, Steve
+   Bellovin and Michael Merritt [17], Daniel Bernstein, Mike Burrows,
+   Donald Davis, Ravi Ganesan, Morrie Gasser, Virgil Gligor, Bill
+   Griffeth, Mark Lillibridge, Mark Lomas, Steve Lunt, Piers McMahon,
+   Joe Pato, William Sommerfeld, Stuart Stubblebine, Ralph Swick, Ted
+   T'so, and Stanley Zanarotti.  Many others commented and helped shape
+   this specification into its current form.
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 88]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+11.  References
+
+   [1]  Miller, S., Neuman, C., Schiller, J., and  J. Saltzer, "Section
+        E.2.1: Kerberos  Authentication and Authorization System",
+        M.I.T. Project Athena, Cambridge, Massachusetts, December 21,
+        1987.
+
+   [2]  Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An
+        Authentication Service for Open Network Systems", pp. 191-202 in
+        Usenix Conference Proceedings, Dallas, Texas, February, 1988.
+
+   [3]  Needham, R., and M. Schroeder, "Using Encryption for
+        Authentication in Large Networks of Computers", Communications
+        of the ACM, Vol. 21 (12), pp. 993-999, December 1978.
+
+   [4]  Denning, D., and G. Sacco, "Time stamps in Key Distribution
+        Protocols", Communications of the ACM, Vol. 24 (8), pp. 533-536,
+        August 1981.
+
+   [5]  Kohl, J., Neuman, C., and T. Ts'o, "The Evolution of the
+        Kerberos Authentication Service", in an IEEE Computer Society
+        Text soon to be published, June 1992.
+
+   [6]  Davis, D., and R. Swick, "Workstation Services and Kerberos
+        Authentication at Project Athena", Technical Memorandum TM-424,
+        MIT Laboratory for Computer Science, February 1990.
+
+   [7]  Levine, P., Gretzinger, M, Diaz, J., Sommerfeld, W., and K.
+        Raeburn, "Section E.1: Service Management System, M.I.T.
+        Project Athena, Cambridge, Mas sachusetts (1987).
+
+   [8]  CCITT, Recommendation X.509: The Directory Authentication
+        Framework, December 1988.
+
+   [9]  Neuman, C., "Proxy-Based Authorization and Accounting for
+        Distributed Systems," in Proceedings of the 13th International
+        Conference on Distributed Computing Systems", Pittsburgh, PA,
+        May 1993.
+
+   [10] Pato, J., "Using Pre-Authentication to Avoid Password Guessing
+        Attacks", Open Software Foundation DCE Request for Comments 26,
+        December 1992.
+
+   [11] National Bureau of Standards, U.S. Department of Commerce, "Data
+        Encryption Standard", Federal Information Processing Standards
+        Publication 46, Washington, DC (1977).
+
+
+
+
+
+Kohl & Neuman                                                  [Page 89]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   [12] National Bureau of Standards, U.S. Department of Commerce, "DES
+        Modes of Operation", Federal Information Processing Standards
+        Publication 81, Springfield, VA, December 1980.
+
+   [13] Stubblebine S., and V. Gligor, "On Message Integrity in
+        Cryptographic Protocols", in Proceedings of the IEEE Symposium
+        on Research in Security and Privacy, Oakland, California, May
+        1992.
+
+   [14] International Organization for Standardization, "ISO Information
+        Processing Systems - Data Communication High-Level Data Link
+        Control Procedure - Frame Structure", IS 3309, October 1984, 3rd
+        Edition.
+
+   [15] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT
+        Laboratory for Computer Science, April 1992.
+
+   [16] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, MIT
+        Laboratory for Computer Science, April 1992.
+
+   [17] Bellovin S., and M. Merritt, "Limitations of the Kerberos
+        Authentication System", Computer Communications Review, Vol.
+        20(5), pp. 119-132, October 1990.
+
+12.  Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+13.  Authors' Addresses
+
+   John Kohl
+   Digital Equipment Corporation
+   110 Spit Brook Road, M/S ZKO3-3/U14
+   Nashua, NH  03062
+
+   Phone: 603-881-2481
+   EMail: jtkohl@zk3.dec.com
+
+
+   B. Clifford Neuman
+   USC/Information Sciences Institute
+   4676 Admiralty Way #1001
+   Marina del Rey, CA 90292-6695
+
+   Phone: 310-822-1511
+   EMail: bcn@isi.edu
+
+
+
+
+
+Kohl & Neuman                                                  [Page 90]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.  Pseudo-code for protocol processing
+
+   This appendix provides pseudo-code describing how the messages are to
+   be constructed and interpreted by clients and servers.
+
+A.1.  KRB_AS_REQ generation
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",
+                                         "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+
+Kohl & Neuman                                                  [Page 91]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.2.  KRB_AS_REQ verification and KRB_AS_REP generation
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable
+                        skew) then error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+
+
+
+Kohl & Neuman                                                  [Page 92]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.ALLOW-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when
+                                      omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+
+
+Kohl & Neuman                                                  [Page 93]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                new_tkt.starttime+client.max_rlife,
+                new_tkt.starttime+server.max_rlife,
+                new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+            using etype_for_key(server.key), server.key, server.p_kvno;
+
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+
+
+
+Kohl & Neuman                                                  [Page 94]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3.  KRB_AS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
+                        then set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+
+
+
+Kohl & Neuman                                                  [Page 95]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4.  KRB_AS_REP and KRB_TGS_REP common checks
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that  */
+        /* all that should be are set                              */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags))
+                then destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+
+
+
+Kohl & Neuman                                                  [Page 96]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+
+A.5.  KRB_TGS_REQ generation
+        /* Note that make_application_request might have to     */
+        /* recursivly call this routine to get the appropriate  */
+        /* ticket-granting ticket                               */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+
+
+
+Kohl & Neuman                                                  [Page 97]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and
+        choosing the correct key for decryption.  The name of the
+        server appears in the plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is
+        operating is determined by the instance from the
+        ticket-granting ticket.  The realm in the ticket-granting
+        ticket is the realm under which the ticket granting ticket was
+        issued.  It is possible for a single Kerberos server to
+        support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not
+                req.sname) then error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof
+            and keyed)  then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+
+
+Kohl & Neuman                                                  [Page 98]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(server)) then
+                        server := best_intermediate_tgs(server);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+
+
+
+Kohl & Neuman                                                  [Page 99]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.POSTDATE is set) then
+                if (tgt.flags.POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+
+
+
+Kohl & Neuman                                                 [Page 100]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket */
+          /* would have been rejected in the initial authentication  */
+          /* stage, so there is no need to check again here          */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till >= kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm,
+                                   tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later  */
+                        /* processing                             */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+
+
+
+Kohl & Neuman                                                 [Page 101]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                new_tkt.starttime+client.max_rlife,
+                new_tkt.starttime+server.max_rlife,
+                new_tkt.starttime+max_rlife_for_realm,
+                tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT;
+                              /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data
+                        into    decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data :=
+        req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited
+                   := compress_transited(tgt.transited + tgt.realm)
+        endif
+
+
+
+Kohl & Neuman                                                 [Page 102]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key),
+                                                      second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key,
+                                                      server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+
+
+
+Kohl & Neuman                                                 [Page 103]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING
+                              using use_etype, tgt.key;
+
+        send(resp);
+
+A.7.  KRB_TGS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp :=
+                        decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp :=
+                        decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8.  Authenticator generation
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+
+
+Kohl & Neuman                                                 [Page 104]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.9.  KRB_AP_REQ generation
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator
+                             using session_key;
+
+A.10.  KRB_AP_REQ verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+           retrieve service key for
+           packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+
+
+
+Kohl & Neuman                                                 [Page 105]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket
+                                       using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr)
+                        then error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        /* caller must check decr_ticket.flags for any pertinent */
+        /* details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11.  KRB_AP_REP generation
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+
+
+
+Kohl & Neuman                                                 [Page 106]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12.  KRB_AP_REP verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part)
+                     using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13.  KRB_SAFE generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+
+
+Kohl & Neuman                                                 [Page 107]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14.  KRB_SAFE verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof
+                                             and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15.  KRB_SAFE and KRB_PRIV common checks
+        if (packet.s-address != O/S_sender(packet)) then
+            /* O/S report of sender not who claims to have sent it */
+            error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+
+
+
+Kohl & Neuman                                                 [Page 108]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected))
+                then error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected))
+                then error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and
+            packet.seq-number not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16.  KRB_PRIV generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+
+
+
+Kohl & Neuman                                                 [Page 109]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17.  KRB_PRIV verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+            return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18.  KRB_CRED generation
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+
+
+
+Kohl & Neuman                                                 [Page 110]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+        using negotiated encryption key;
+
+A.19.  KRB_CRED verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+            /* O/S report of sender not who claims to have sent it */
+            error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+
+
+
+Kohl & Neuman                                                 [Page 111]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20.  KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                 [Page 112]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1750.txt b/crypto/heimdal/doc/standardisation/rfc1750.txt
new file mode 100644
index 0000000..56d478c
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1750.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group                                   D. Eastlake, 3rd
+Request for Comments: 1750                                           DEC
+Category: Informational                                       S. Crocker
+                                                               Cybercash
+                                                             J. Schiller
+                                                                     MIT
+                                                           December 1994
+
+
+                Randomness Recommendations for Security
+
+Status of this Memo
+
+   This memo provides information for the Internet community.  This memo
+   does not specify an Internet standard of any kind.  Distribution of
+   this memo is unlimited.
+
+Abstract
+
+   Security systems today are built on increasingly strong cryptographic
+   algorithms that foil pattern analysis attempts. However, the security
+   of these systems is dependent on generating secret quantities for
+   passwords, cryptographic keys, and similar quantities.  The use of
+   pseudo-random processes to generate secret quantities can result in
+   pseudo-security.  The sophisticated attacker of these security
+   systems may find it easier to reproduce the environment that produced
+   the secret quantities, searching the resulting small set of
+   possibilities, than to locate the quantities in the whole of the
+   number space.
+
+   Choosing random quantities to foil a resourceful and motivated
+   adversary is surprisingly difficult.  This paper points out many
+   pitfalls in using traditional pseudo-random number generation
+   techniques for choosing such quantities.  It recommends the use of
+   truly random hardware techniques and shows that the existing hardware
+   on many systems can be used for this purpose.  It provides
+   suggestions to ameliorate the problem when a hardware solution is not
+   available.  And it gives examples of how large such quantities need
+   to be for some particular applications.
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 1]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+Acknowledgements
+
+   Comments on this document that have been incorporated were received
+   from (in alphabetic order) the following:
+
+        David M. Balenson (TIS)
+        Don Coppersmith (IBM)
+        Don T. Davis (consultant)
+        Carl Ellison (Stratus)
+        Marc Horowitz (MIT)
+        Christian Huitema (INRIA)
+        Charlie Kaufman (IRIS)
+        Steve Kent (BBN)
+        Hal Murray (DEC)
+        Neil Haller (Bellcore)
+        Richard Pitkin (DEC)
+        Tim Redmond (TIS)
+        Doug Tygar (CMU)
+
+Table of Contents
+
+   1. Introduction........................................... 3
+   2. Requirements........................................... 4
+   3. Traditional Pseudo-Random Sequences.................... 5
+   4. Unpredictability....................................... 7
+   4.1 Problems with Clocks and Serial Numbers............... 7
+   4.2 Timing and Content of External Events................  8
+   4.3 The Fallacy of Complex Manipulation..................  8
+   4.4 The Fallacy of Selection from a Large Database.......  9
+   5. Hardware for Randomness............................... 10
+   5.1 Volume Required...................................... 10
+   5.2 Sensitivity to Skew.................................. 10
+   5.2.1 Using Stream Parity to De-Skew..................... 11
+   5.2.2 Using Transition Mappings to De-Skew............... 12
+   5.2.3 Using FFT to De-Skew............................... 13
+   5.2.4 Using Compression to De-Skew....................... 13
+   5.3 Existing Hardware Can Be Used For Randomness......... 14
+   5.3.1 Using Existing Sound/Video Input................... 14
+   5.3.2 Using Existing Disk Drives......................... 14
+   6. Recommended Non-Hardware Strategy..................... 14
+   6.1 Mixing Functions..................................... 15
+   6.1.1 A Trivial Mixing Function.......................... 15
+   6.1.2 Stronger Mixing Functions.......................... 16
+   6.1.3 Diff-Hellman as a Mixing Function.................. 17
+   6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
+   6.1.5 Other Factors in Choosing a Mixing Function........ 18
+   6.2 Non-Hardware Sources of Randomness................... 19
+   6.3 Cryptographically Strong Sequences................... 19
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 2]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   6.3.1 Traditional Strong Sequences....................... 20
+   6.3.2 The Blum Blum Shub Sequence Generator.............. 21
+   7. Key Generation Standards.............................. 22
+   7.1 US DoD Recommendations for Password Generation....... 23
+   7.2 X9.17 Key Generation................................. 23
+   8. Examples of Randomness Required....................... 24
+   8.1  Password Generation................................. 24
+   8.2 A Very High Security Cryptographic Key............... 25
+   8.2.1 Effort per Key Trial............................... 25
+   8.2.2 Meet in the Middle Attacks......................... 26
+   8.2.3 Other Considerations............................... 26
+   9. Conclusion............................................ 27
+   10. Security Considerations.............................. 27
+   References............................................... 28
+   Authors' Addresses....................................... 30
+
+1. Introduction
+
+   Software cryptography is coming into wider use.  Systems like
+   Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
+   network landscape [PEM].  These systems provide substantial
+   protection against snooping and spoofing.  However, there is a
+   potential flaw.  At the heart of all cryptographic systems is the
+   generation of secret, unguessable (i.e., random) numbers.
+
+   For the present, the lack of generally available facilities for
+   generating such unpredictable numbers is an open wound in the design
+   of cryptographic software.  For the software developer who wants to
+   build a key or password generation procedure that runs on a wide
+   range of hardware, the only safe strategy so far has been to force
+   the local installation to supply a suitable routine to generate
+   random numbers.  To say the least, this is an awkward, error-prone
+   and unpalatable solution.
+
+   It is important to keep in mind that the requirement is for data that
+   an adversary has a very low probability of guessing or determining.
+   This will fail if pseudo-random data is used which only meets
+   traditional statistical tests for randomness or which is based on
+   limited range sources, such as clocks.  Frequently such random
+   quantities are determinable by an adversary searching through an
+   embarrassingly small space of possibilities.
+
+   This informational document suggests techniques for producing random
+   quantities that will be resistant to such attack.  It recommends that
+   future systems include hardware random number generation or provide
+   access to existing hardware that can be used for this purpose.  It
+   suggests methods for use if such hardware is not available.  And it
+   gives some estimates of the number of random bits required for sample
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 3]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   applications.
+
+2. Requirements
+
+   Probably the most commonly encountered randomness requirement today
+   is the user password. This is usually a simple character string.
+   Obviously, if a password can be guessed, it does not provide
+   security.  (For re-usable passwords, it is desirable that users be
+   able to remember the password.  This may make it advisable to use
+   pronounceable character strings or phrases composed on ordinary
+   words.  But this only affects the format of the password information,
+   not the requirement that the password be very hard to guess.)
+
+   Many other requirements come from the cryptographic arena.
+   Cryptographic techniques can be used to provide a variety of services
+   including confidentiality and authentication.  Such services are
+   based on quantities, traditionally called "keys", that are unknown to
+   and unguessable by an adversary.
+
+   In some cases, such as the use of symmetric encryption with the one
+   time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
+   parties who wish to communicate confidentially and/or with
+   authentication must all know the same secret key.  In other cases,
+   using what are called asymmetric or "public key" cryptographic
+   techniques, keys come in pairs.  One key of the pair is private and
+   must be kept secret by one party, the other is public and can be
+   published to the world.  It is computationally infeasible to
+   determine the private key from the public key [ASYMMETRIC, CRYPTO*].
+
+   The frequency and volume of the requirement for random quantities
+   differs greatly for different cryptographic systems.  Using pure RSA
+   [CRYPTO*], random quantities are required when the key pair is
+   generated, but thereafter any number of messages can be signed
+   without any further need for randomness.  The public key Digital
+   Signature Algorithm that has been proposed by the US National
+   Institute of Standards and Technology (NIST) requires good random
+   numbers for each signature.  And encrypting with a one time pad, in
+   principle the strongest possible encryption technique, requires a
+   volume of randomness equal to all the messages to be processed.
+
+   In most of these cases, an adversary can try to determine the
+   "secret" key by trial and error.  (This is possible as long as the
+   key is enough smaller than the message that the correct key can be
+   uniquely identified.)  The probability of an adversary succeeding at
+   this must be made acceptably low, depending on the particular
+   application.  The size of the space the adversary must search is
+   related to the amount of key "information" present in the information
+   theoretic sense [SHANNON].  This depends on the number of different
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 4]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   secret values possible and the probability of each value as follows:
+
+                      -----
+                       \
+        Bits-of-info =  \  - p   * log  ( p  )
+                        /     i       2    i
+                       /
+                      -----
+
+   where i varies from 1 to the number of possible secret values and p
+   sub i is the probability of the value numbered i.  (Since p sub i is
+   less than one, the log will be negative so each term in the sum will
+   be non-negative.)
+
+   If there are 2^n different values of equal probability, then n bits
+   of information are present and an adversary would, on the average,
+   have to try half of the values, or 2^(n-1) , before guessing the
+   secret quantity.  If the probability of different values is unequal,
+   then there is less information present and fewer guesses will, on
+   average, be required by an adversary.  In particular, any values that
+   the adversary can know are impossible, or are of low probability, can
+   be initially ignored by an adversary, who will search through the
+   more probable values first.
+
+   For example, consider a cryptographic system that uses 56 bit keys.
+   If these 56 bit keys are derived by using a fixed pseudo-random
+   number generator that is seeded with an 8 bit seed, then an adversary
+   needs to search through only 256 keys (by running the pseudo-random
+   number generator with every possible seed), not the 2^56 keys that
+   may at first appear to be the case. Only 8 bits of "information" are
+   in these 56 bit keys.
+
+3. Traditional Pseudo-Random Sequences
+
+   Most traditional sources of random numbers use deterministic sources
+   of "pseudo-random" numbers.  These typically start with a "seed"
+   quantity and use numeric or logical operations to produce a sequence
+   of values.
+
+   [KNUTH] has a classic exposition on pseudo-random numbers.
+   Applications he mentions are simulation of natural phenomena,
+   sampling, numerical analysis, testing computer programs, decision
+   making, and games.  None of these have the same characteristics as
+   the sort of security uses we are talking about.  Only in the last two
+   could there be an adversary trying to find the random quantity.
+   However, in these cases, the adversary normally has only a single
+   chance to use a guessed value.  In guessing passwords or attempting
+   to break an encryption scheme, the adversary normally has many,
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 5]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   perhaps unlimited, chances at guessing the correct value and should
+   be assumed to be aided by a computer.
+
+   For testing the "randomness" of numbers, Knuth suggests a variety of
+   measures including statistical and spectral.  These tests check
+   things like autocorrelation between different parts of a "random"
+   sequence or distribution of its values.  They could be met by a
+   constant stored random sequence, such as the "random" sequence
+   printed in the CRC Standard Mathematical Tables [CRC].
+
+   A typical pseudo-random number generation technique, known as a
+   linear congruence pseudo-random number generator, is modular
+   arithmetic where the N+1th value is calculated from the Nth value by
+
+        V    = ( V  * a + b )(Mod c)
+         N+1      N
+
+   The above technique has a strong relationship to linear shift
+   register pseudo-random number generators, which are well understood
+   cryptographically [SHIFT*].  In such generators bits are introduced
+   at one end of a shift register as the Exclusive Or (binary sum
+   without carry) of bits from selected fixed taps into the register.
+
+   For example:
+
+      +----+     +----+     +----+                      +----+
+      | B  | <-- | B  | <-- | B  | <--  . . . . . . <-- | B  | <-+
+      |  0 |     |  1 |     |  2 |                      |  n |   |
+      +----+     +----+     +----+                      +----+   |
+        |                     |            |                     |
+        |                     |            V                  +-----+
+        |                     V            +----------------> |     |
+        V                     +-----------------------------> | XOR |
+        +---------------------------------------------------> |     |
+                                                              +-----+
+
+
+       V    = ( ( V  * 2 ) + B .xor. B ... )(Mod 2^n)
+        N+1         N         0       2
+
+   The goodness of traditional pseudo-random number generator algorithms
+   is measured by statistical tests on such sequences.  Carefully chosen
+   values of the initial V and a, b, and c or the placement of shift
+   register tap in the above simple processes can produce excellent
+   statistics.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 6]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   These sequences may be adequate in simulations (Monte Carlo
+   experiments) as long as the sequence is orthogonal to the structure
+   of the space being explored.  Even there, subtle patterns may cause
+   problems.  However, such sequences are clearly bad for use in
+   security applications.  They are fully predictable if the initial
+   state is known.  Depending on the form of the pseudo-random number
+   generator, the sequence may be determinable from observation of a
+   short portion of the sequence [CRYPTO*, STERN].  For example, with
+   the generators above, one can determine V(n+1) given knowledge of
+   V(n).  In fact, it has been shown that with these techniques, even if
+   only one bit of the pseudo-random values is released, the seed can be
+   determined from short sequences.
+
+   Not only have linear congruent generators been broken, but techniques
+   are now known for breaking all polynomial congruent generators
+   [KRAWCZYK].
+
+4. Unpredictability
+
+   Randomness in the traditional sense described in section 3 is NOT the
+   same as the unpredictability required for security use.
+
+   For example, use of a widely available constant sequence, such as
+   that from the CRC tables, is very weak against an adversary. Once
+   they learn of or guess it, they can easily break all security, future
+   and past, based on the sequence [CRC].  Yet the statistical
+   properties of these tables are good.
+
+   The following sections describe the limitations of some randomness
+   generation techniques and sources.
+
+4.1 Problems with Clocks and Serial Numbers
+
+   Computer clocks, or similar operating system or hardware values,
+   provide significantly fewer real bits of unpredictability than might
+   appear from their specifications.
+
+   Tests have been done on clocks on numerous systems and it was found
+   that their behavior can vary widely and in unexpected ways.  One
+   version of an operating system running on one set of hardware may
+   actually provide, say, microsecond resolution in a clock while a
+   different configuration of the "same" system may always provide the
+   same lower bits and only count in the upper bits at much lower
+   resolution.  This means that successive reads on the clock may
+   produce identical values even if enough time has passed that the
+   value "should" change based on the nominal clock resolution. There
+   are also cases where frequently reading a clock can produce
+   artificial sequential values because of extra code that checks for
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 7]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   the clock being unchanged between two reads and increases it by one!
+   Designing portable application code to generate unpredictable numbers
+   based on such system clocks is particularly challenging because the
+   system designer does not always know the properties of the system
+   clocks that the code will execute on.
+
+   Use of a hardware serial number such as an Ethernet address may also
+   provide fewer bits of uniqueness than one would guess.  Such
+   quantities are usually heavily structured and subfields may have only
+   a limited range of possible values or values easily guessable based
+   on approximate date of manufacture or other data.  For example, it is
+   likely that most of the Ethernet cards installed on Digital Equipment
+   Corporation (DEC) hardware within DEC were manufactured by DEC
+   itself, which significantly limits the range of built in addresses.
+
+   Problems such as those described above related to clocks and serial
+   numbers make code to produce unpredictable quantities difficult if
+   the code is to be ported across a variety of computer platforms and
+   systems.
+
+4.2 Timing and Content of External Events
+
+   It is possible to measure the timing and content of mouse movement,
+   key strokes, and similar user events.  This is a reasonable source of
+   unguessable data with some qualifications.  On some machines, inputs
+   such as key strokes are buffered.  Even though the user's inter-
+   keystroke timing may have sufficient variation and unpredictability,
+   there might not be an easy way to access that variation.  Another
+   problem is that no standard method exists to sample timing details.
+   This makes it hard to build standard software intended for
+   distribution to a large range of machines based on this technique.
+
+   The amount of mouse movement or the keys actually hit are usually
+   easier to access than timings but may yield less unpredictability as
+   the user may provide highly repetitive input.
+
+   Other external events, such as network packet arrival times, can also
+   be used with care.  In particular, the possibility of manipulation of
+   such times by an adversary must be considered.
+
+4.3 The Fallacy of Complex Manipulation
+
+   One strategy which may give a misleading appearance of
+   unpredictability is to take a very complex algorithm (or an excellent
+   traditional pseudo-random number generator with good statistical
+   properties) and calculate a cryptographic key by starting with the
+   current value of a computer system clock as the seed.  An adversary
+   who knew roughly when the generator was started would have a
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 8]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   relatively small number of seed values to test as they would know
+   likely values of the system clock.  Large numbers of pseudo-random
+   bits could be generated but the search space an adversary would need
+   to check could be quite small.
+
+   Thus very strong and/or complex manipulation of data will not help if
+   the adversary can learn what the manipulation is and there is not
+   enough unpredictability in the starting seed value.  Even if they can
+   not learn what the manipulation is, they may be able to use the
+   limited number of results stemming from a limited number of seed
+   values to defeat security.
+
+   Another serious strategy error is to assume that a very complex
+   pseudo-random number generation algorithm will produce strong random
+   numbers when there has been no theory behind or analysis of the
+   algorithm.  There is a excellent example of this fallacy right near
+   the beginning of chapter 3 in [KNUTH] where the author describes a
+   complex algorithm.  It was intended that the machine language program
+   corresponding to the algorithm would be so complicated that a person
+   trying to read the code without comments wouldn't know what the
+   program was doing.  Unfortunately, actual use of this algorithm
+   showed that it almost immediately converged to a single repeated
+   value in one case and a small cycle of values in another case.
+
+   Not only does complex manipulation not help you if you have a limited
+   range of seeds but blindly chosen complex manipulation can destroy
+   the randomness in a good seed!
+
+4.4 The Fallacy of Selection from a Large Database
+
+   Another strategy that can give a misleading appearance of
+   unpredictability is selection of a quantity randomly from a database
+   and assume that its strength is related to the total number of bits
+   in the database.  For example, typical USENET servers as of this date
+   process over 35 megabytes of information per day.  Assume a random
+   quantity was selected by fetching 32 bytes of data from a random
+   starting point in this data.  This does not yield 32*8 = 256 bits
+   worth of unguessability.  Even after allowing that much of the data
+   is human language and probably has more like 2 or 3 bits of
+   information per byte, it doesn't yield 32*2.5 = 80 bits of
+   unguessability.  For an adversary with access to the same 35
+   megabytes the unguessability rests only on the starting point of the
+   selection.  That is, at best, about 25 bits of unguessability in this
+   case.
+
+   The same argument applies to selecting sequences from the data on a
+   CD ROM or Audio CD recording or any other large public database.  If
+   the adversary has access to the same database, this "selection from a
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 9]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   large volume of data" step buys very little.  However, if a selection
+   can be made from data to which the adversary has no access, such as
+   system buffers on an active multi-user system, it may be of some
+   help.
+
+5. Hardware for Randomness
+
+   Is there any hope for strong portable randomness in the future?
+   There might be.  All that's needed is a physical source of
+   unpredictable numbers.
+
+   A thermal noise or radioactive decay source and a fast, free-running
+   oscillator would do the trick directly [GIFFORD].  This is a trivial
+   amount of hardware, and could easily be included as a standard part
+   of a computer system's architecture.  Furthermore, any system with a
+   spinning disk or the like has an adequate source of randomness
+   [DAVIS].  All that's needed is the common perception among computer
+   vendors that this small additional hardware and the software to
+   access it is necessary and useful.
+
+5.1 Volume Required
+
+   How much unpredictability is needed?  Is it possible to quantify the
+   requirement in, say, number of random bits per second?
+
+   The answer is not very much is needed.  For DES, the key is 56 bits
+   and, as we show in an example in Section 8, even the highest security
+   system is unlikely to require a keying material of over 200 bits.  If
+   a series of keys are needed, it can be generated from a strong random
+   seed using a cryptographically strong sequence as explained in
+   Section 6.3.  A few hundred random bits generated once a day would be
+   enough using such techniques.  Even if the random bits are generated
+   as slowly as one per second and it is not possible to overlap the
+   generation process, it should be tolerable in high security
+   applications to wait 200 seconds occasionally.
+
+   These numbers are trivial to achieve.  It could be done by a person
+   repeatedly tossing a coin.  Almost any hardware process is likely to
+   be much faster.
+
+5.2 Sensitivity to Skew
+
+   Is there any specific requirement on the shape of the distribution of
+   the random numbers?  The good news is the distribution need not be
+   uniform.  All that is needed is a conservative estimate of how non-
+   uniform it is to bound performance.  Two simple techniques to de-skew
+   the bit stream are given below and stronger techniques are mentioned
+   in Section 6.1.2 below.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 10]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+5.2.1 Using Stream Parity to De-Skew
+
+   Consider taking a sufficiently long string of bits and map the string
+   to "zero" or "one".  The mapping will not yield a perfectly uniform
+   distribution, but it can be as close as desired.  One mapping that
+   serves the purpose is to take the parity of the string.  This has the
+   advantages that it is robust across all degrees of skew up to the
+   estimated maximum skew and is absolutely trivial to implement in
+   hardware.
+
+   The following analysis gives the number of bits that must be sampled:
+
+   Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is
+   between 0 and 0.5 and is a measure of the "eccentricity" of the
+   distribution.  Consider the distribution of the parity function of N
+   bit samples.  The probabilities that the parity will be one or zero
+   will be the sum of the odd or even terms in the binomial expansion of
+   (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 -
+   e, the probability of a zero.
+
+   These sums can be computed easily as
+
+                         N            N
+        1/2 * ( ( p + q )  + ( p - q )  )
+   and
+                         N            N
+        1/2 * ( ( p + q )  - ( p - q )  ).
+
+   (Which one corresponds to the probability the parity will be 1
+   depends on whether N is odd or even.)
+
+   Since p + q = 1 and p - q = 2e, these expressions reduce to
+
+                       N
+        1/2 * [1 + (2e) ]
+   and
+                       N
+        1/2 * [1 - (2e) ].
+
+   Neither of these will ever be exactly 0.5 unless e is zero, but we
+   can bring them arbitrarily close to 0.5.  If we want the
+   probabilities to be within some delta d of 0.5, i.e. then
+
+                            N
+        ( 0.5 + ( 0.5 * (2e)  ) )  <  0.5 + d.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 11]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Solving for N yields N > log(2d)/log(2e).  (Note that 2e is less than
+   1, so its log is negative.  Division by a negative number reverses
+   the sense of an inequality.)
+
+   The following table gives the length of the string which must be
+   sampled for various degrees of skew in order to come within 0.001 of
+   a 50/50 distribution.
+
+                       +---------+--------+-------+
+                       | Prob(1) |    e   |    N  |
+                       +---------+--------+-------+
+                       |   0.5   |  0.00  |    1  |
+                       |   0.6   |  0.10  |    4  |
+                       |   0.7   |  0.20  |    7  |
+                       |   0.8   |  0.30  |   13  |
+                       |   0.9   |  0.40  |   28  |
+                       |   0.95  |  0.45  |   59  |
+                       |   0.99  |  0.49  |  308  |
+                       +---------+--------+-------+
+
+   The last entry shows that even if the distribution is skewed 99% in
+   favor of ones, the parity of a string of 308 samples will be within
+   0.001 of a 50/50 distribution.
+
+5.2.2 Using Transition Mappings to De-Skew
+
+   Another technique, originally due to von Neumann [VON NEUMANN], is to
+   examine a bit stream as a sequence of non-overlapping pairs. You
+   could then discard any 00 or 11 pairs found, interpret 01 as a 0 and
+   10 as a 1.  Assume the probability of a 1 is 0.5+e and the
+   probability of a 0 is 0.5-e where e is the eccentricity of the source
+   and described in the previous section.  Then the probability of each
+   pair is as follows:
+
+            +------+-----------------------------------------+
+            | pair |            probability                  |
+            +------+-----------------------------------------+
+            |  00  | (0.5 - e)^2          =  0.25 - e + e^2  |
+            |  01  | (0.5 - e)*(0.5 + e)  =  0.25     - e^2  |
+            |  10  | (0.5 + e)*(0.5 - e)  =  0.25     - e^2  |
+            |  11  | (0.5 + e)^2          =  0.25 + e + e^2  |
+            +------+-----------------------------------------+
+
+   This technique will completely eliminate any bias but at the expense
+   of taking an indeterminate number of input bits for any particular
+   desired number of output bits.  The probability of any particular
+   pair being discarded is 0.5 + 2e^2 so the expected number of input
+   bits to produce X output bits is X/(0.25 - e^2).
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 12]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   This technique assumes that the bits are from a stream where each bit
+   has the same probability of being a 0 or 1 as any other bit in the
+   stream and that bits are not correlated, i.e., that the bits are
+   identical independent distributions.  If alternate bits were from two
+   correlated sources, for example, the above analysis breaks down.
+
+   The above technique also provides another illustration of how a
+   simple statistical analysis can mislead if one is not always on the
+   lookout for patterns that could be exploited by an adversary.  If the
+   algorithm were mis-read slightly so that overlapping successive bits
+   pairs were used instead of non-overlapping pairs, the statistical
+   analysis given is the same; however, instead of provided an unbiased
+   uncorrelated series of random 1's and 0's, it instead produces a
+   totally predictable sequence of exactly alternating 1's and 0's.
+
+5.2.3 Using FFT to De-Skew
+
+   When real world data consists of strongly biased or correlated bits,
+   it may still contain useful amounts of randomness.  This randomness
+   can be extracted through use of the discrete Fourier transform or its
+   optimized variant, the FFT.
+
+   Using the Fourier transform of the data, strong correlations can be
+   discarded.  If adequate data is processed and remaining correlations
+   decay, spectral lines approaching statistical independence and
+   normally distributed randomness can be produced [BRILLINGER].
+
+5.2.4 Using Compression to De-Skew
+
+   Reversible compression techniques also provide a crude method of de-
+   skewing a skewed bit stream.  This follows directly from the
+   definition of reversible compression and the formula in Section 2
+   above for the amount of information in a sequence.  Since the
+   compression is reversible, the same amount of information must be
+   present in the shorter output than was present in the longer input.
+   By the Shannon information equation, this is only possible if, on
+   average, the probabilities of the different shorter sequences are
+   more uniformly distributed than were the probabilities of the longer
+   sequences.  Thus the shorter sequences are de-skewed relative to the
+   input.
+
+   However, many compression techniques add a somewhat predicatable
+   preface to their output stream and may insert such a sequence again
+   periodically in their output or otherwise introduce subtle patterns
+   of their own.  They should be considered only a rough technique
+   compared with those described above or in Section 6.1.2.  At a
+   minimum, the beginning of the compressed sequence should be skipped
+   and only later bits used for applications requiring random bits.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 13]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+5.3 Existing Hardware Can Be Used For Randomness
+
+   As described below, many computers come with hardware that can, with
+   care, be used to generate truly random quantities.
+
+5.3.1 Using Existing Sound/Video Input
+
+   Increasingly computers are being built with inputs that digitize some
+   real world analog source, such as sound from a microphone or video
+   input from a camera.  Under appropriate circumstances, such input can
+   provide reasonably high quality random bits.  The "input" from a
+   sound digitizer with no source plugged in or a camera with the lens
+   cap on, if the system has enough gain to detect anything, is
+   essentially thermal noise.
+
+   For example, on a SPARCstation, one can read from the /dev/audio
+   device with nothing plugged into the microphone jack.  Such data is
+   essentially random noise although it should not be trusted without
+   some checking in case of hardware failure.  It will, in any case,
+   need to be de-skewed as described elsewhere.
+
+   Combining this with compression to de-skew one can, in UNIXese,
+   generate a huge amount of medium quality random data by doing
+
+        cat /dev/audio | compress - >random-bits-file
+
+5.3.2 Using Existing Disk Drives
+
+   Disk drives have small random fluctuations in their rotational speed
+   due to chaotic air turbulence [DAVIS].  By adding low level disk seek
+   time instrumentation to a system, a series of measurements can be
+   obtained that include this randomness. Such data is usually highly
+   correlated so that significant processing is needed, including FFT
+   (see section 5.2.3).  Nevertheless experimentation has shown that,
+   with such processing, disk drives easily produce 100 bits a minute or
+   more of excellent random data.
+
+   Partly offsetting this need for processing is the fact that disk
+   drive failure will normally be rapidly noticed.  Thus, problems with
+   this method of random number generation due to hardware failure are
+   very unlikely.
+
+6. Recommended Non-Hardware Strategy
+
+   What is the best overall strategy for meeting the requirement for
+   unguessable random numbers in the absence of a reliable hardware
+   source?  It is to obtain random input from a large number of
+   uncorrelated sources and to mix them with a strong mixing function.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 14]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Such a function will preserve the randomness present in any of the
+   sources even if other quantities being combined are fixed or easily
+   guessable.  This may be advisable even with a good hardware source as
+   hardware can also fail, though this should be weighed against any
+   increase in the chance of overall failure due to added software
+   complexity.
+
+6.1 Mixing Functions
+
+   A strong mixing function is one which combines two or more inputs and
+   produces an output where each output bit is a different complex non-
+   linear function of all the input bits.  On average, changing any
+   input bit will change about half the output bits.  But because the
+   relationship is complex and non-linear, no particular output bit is
+   guaranteed to change when any particular input bit is changed.
+
+   Consider the problem of converting a stream of bits that is skewed
+   towards 0 or 1 to a shorter stream which is more random, as discussed
+   in Section 5.2 above.  This is simply another case where a strong
+   mixing function is desired, mixing the input bits to produce a
+   smaller number of output bits.  The technique given in Section 5.2.1
+   of using the parity of a number of bits is simply the result of
+   successively Exclusive Or'ing them which is examined as a trivial
+   mixing function immediately below.  Use of stronger mixing functions
+   to extract more of the randomness in a stream of skewed bits is
+   examined in Section 6.1.2.
+
+6.1.1 A Trivial Mixing Function
+
+   A trivial example for single bit inputs is the Exclusive Or function,
+   which is equivalent to addition without carry, as show in the table
+   below.  This is a degenerate case in which the one output bit always
+   changes for a change in either input bit.  But, despite its
+   simplicity, it will still provide a useful illustration.
+
+                   +-----------+-----------+----------+
+                   |  input 1  |  input 2  |  output  |
+                   +-----------+-----------+----------+
+                   |     0     |     0     |     0    |
+                   |     0     |     1     |     1    |
+                   |     1     |     0     |     1    |
+                   |     1     |     1     |     0    |
+                   +-----------+-----------+----------+
+
+   If inputs 1 and 2 are uncorrelated and combined in this fashion then
+   the output will be an even better (less skewed) random bit than the
+   inputs.  If we assume an "eccentricity" e as defined in Section 5.2
+   above, then the output eccentricity relates to the input eccentricity
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 15]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   as follows:
+
+        e       = 2 * e        * e
+         output        input 1    input 2
+
+   Since e is never greater than 1/2, the eccentricity is always
+   improved except in the case where at least one input is a totally
+   skewed constant.  This is illustrated in the following table where
+   the top and left side values are the two input eccentricities and the
+   entries are the output eccentricity:
+
+     +--------+--------+--------+--------+--------+--------+--------+
+     |    e   |  0.00  |  0.10  |  0.20  |  0.30  |  0.40  |  0.50  |
+     +--------+--------+--------+--------+--------+--------+--------+
+     |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |
+     |  0.10  |  0.00  |  0.02  |  0.04  |  0.06  |  0.08  |  0.10  |
+     |  0.20  |  0.00  |  0.04  |  0.08  |  0.12  |  0.16  |  0.20  |
+     |  0.30  |  0.00  |  0.06  |  0.12  |  0.18  |  0.24  |  0.30  |
+     |  0.40  |  0.00  |  0.08  |  0.16  |  0.24  |  0.32  |  0.40  |
+     |  0.50  |  0.00  |  0.10  |  0.20  |  0.30  |  0.40  |  0.50  |
+     +--------+--------+--------+--------+--------+--------+--------+
+
+   However, keep in mind that the above calculations assume that the
+   inputs are not correlated.  If the inputs were, say, the parity of
+   the number of minutes from midnight on two clocks accurate to a few
+   seconds, then each might appear random if sampled at random intervals
+   much longer than a minute.  Yet if they were both sampled and
+   combined with xor, the result would be zero most of the time.
+
+6.1.2 Stronger Mixing Functions
+
+   The US Government Data Encryption Standard [DES] is an example of a
+   strong mixing function for multiple bit quantities.  It takes up to
+   120 bits of input (64 bits of "data" and 56 bits of "key") and
+   produces 64 bits of output each of which is dependent on a complex
+   non-linear function of all input bits.  Other strong encryption
+   functions with this characteristic can also be used by considering
+   them to mix all of their key and data input bits.
+
+   Another good family of mixing functions are the "message digest" or
+   hashing functions such as The US Government Secure Hash Standard
+   [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series.  These functions
+   all take an arbitrary amount of input and produce an output mixing
+   all the input bits. The MD* series produce 128 bits of output and SHS
+   produces 160 bits.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 16]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Although the message digest functions are designed for variable
+   amounts of input, DES and other encryption functions can also be used
+   to combine any number of inputs.  If 64 bits of output is adequate,
+   the inputs can be packed into a 64 bit data quantity and successive
+   56 bit keys, padding with zeros if needed, which are then used to
+   successively encrypt using DES in Electronic Codebook Mode [DES
+   MODES].  If more than 64 bits of output are needed, use more complex
+   mixing.  For example, if inputs are packed into three quantities, A,
+   B, and C, use DES to encrypt A with B as a key and then with C as a
+   key to produce the 1st part of the output, then encrypt B with C and
+   then A for more output and, if necessary, encrypt C with A and then B
+   for yet more output.  Still more output can be produced by reversing
+   the order of the keys given above to stretch things. The same can be
+   done with the hash functions by hashing various subsets of the input
+   data to produce multiple outputs.  But keep in mind that it is
+   impossible to get more bits of "randomness" out than are put in.
+
+   An example of using a strong mixing function would be to reconsider
+   the case of a string of 308 bits each of which is biased 99% towards
+   zero.  The parity technique given in Section 5.2.1 above reduced this
+   to one bit with only a 1/1000 deviance from being equally likely a
+   zero or one.  But, applying the equation for information given in
+   Section 2, this 308 bit sequence has 5 bits of information in it.
+   Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
+   result would yield 5 unbiased random bits as opposed to the single
+   bit given by calculating the parity of the string.
+
+6.1.3 Diffie-Hellman as a Mixing Function
+
+   Diffie-Hellman exponential key exchange is a technique that yields a
+   shared secret between two parties that can be made computationally
+   infeasible for a third party to determine even if they can observe
+   all the messages between the two communicating parties.  This shared
+   secret is a mixture of initial quantities generated by each of them
+   [D-H].  If these initial quantities are random, then the shared
+   secret contains the combined randomness of them both, assuming they
+   are uncorrelated.
+
+6.1.4 Using a Mixing Function to Stretch Random Bits
+
+   While it is not necessary for a mixing function to produce the same
+   or fewer bits than its inputs, mixing bits cannot "stretch" the
+   amount of random unpredictability present in the inputs.  Thus four
+   inputs of 32 bits each where there is 12 bits worth of
+   unpredicatability (such as 4,096 equally probable values) in each
+   input cannot produce more than 48 bits worth of unpredictable output.
+   The output can be expanded to hundreds or thousands of bits by, for
+   example, mixing with successive integers, but the clever adversary's
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 17]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   search space is still 2^48 possibilities.  Furthermore, mixing to
+   fewer bits than are input will tend to strengthen the randomness of
+   the output the way using Exclusive Or to produce one bit from two did
+   above.
+
+   The last table in Section 6.1.1 shows that mixing a random bit with a
+   constant bit with Exclusive Or will produce a random bit.  While this
+   is true, it does not provide a way to "stretch" one random bit into
+   more than one.  If, for example, a random bit is mixed with a 0 and
+   then with a 1, this produces a two bit sequence but it will always be
+   either 01 or 10.  Since there are only two possible values, there is
+   still only the one bit of original randomness.
+
+6.1.5 Other Factors in Choosing a Mixing Function
+
+   For local use, DES has the advantages that it has been widely tested
+   for flaws, is widely documented, and is widely implemented with
+   hardware and software implementations available all over the world
+   including source code available by anonymous FTP.  The SHS and MD*
+   family are younger algorithms which have been less tested but there
+   is no particular reason to believe they are flawed.  Both MD5 and SHS
+   were derived from the earlier MD4 algorithm.  They all have source
+   code available by anonymous FTP [SHS, MD2, MD4, MD5].
+
+   DES and SHS have been vouched for the the US National Security Agency
+   (NSA) on the basis of criteria that primarily remain secret.  While
+   this is the cause of much speculation and doubt, investigation of DES
+   over the years has indicated that NSA involvement in modifications to
+   its design, which originated with IBM, was primarily to strengthen
+   it.  No concealed or special weakness has been found in DES.  It is
+   almost certain that the NSA modification to MD4 to produce the SHS
+   similarly strengthened the algorithm, possibly against threats not
+   yet known in the public cryptographic community.
+
+   DES, SHS, MD4, and MD5 are royalty free for all purposes.  MD2 has
+   been freely licensed only for non-profit use in connection with
+   Privacy Enhanced Mail [PEM].  Between the MD* algorithms, some people
+   believe that, as with "Goldilocks and the Three Bears", MD2 is strong
+   but too slow, MD4 is fast but too weak, and MD5 is just right.
+
+   Another advantage of the MD* or similar hashing algorithms over
+   encryption algorithms is that they are not subject to the same
+   regulations imposed by the US Government prohibiting the unlicensed
+   export or import of encryption/decryption software and hardware.  The
+   same should be true of DES rigged to produce an irreversible hash
+   code but most DES packages are oriented to reversible encryption.
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 18]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+6.2 Non-Hardware Sources of Randomness
+
+   The best source of input for mixing would be a hardware randomness
+   such as disk drive timing affected by air turbulence, audio input
+   with thermal noise, or radioactive decay.  However, if that is not
+   available there are other possibilities.  These include system
+   clocks, system or input/output buffers, user/system/hardware/network
+   serial numbers and/or addresses and timing, and user input.
+   Unfortunately, any of these sources can produce limited or
+   predicatable values under some circumstances.
+
+   Some of the sources listed above would be quite strong on multi-user
+   systems where, in essence, each user of the system is a source of
+   randomness.  However, on a small single user system, such as a
+   typical IBM PC or Apple Macintosh, it might be possible for an
+   adversary to assemble a similar configuration.  This could give the
+   adversary inputs to the mixing process that were sufficiently
+   correlated to those used originally as to make exhaustive search
+   practical.
+
+   The use of multiple random inputs with a strong mixing function is
+   recommended and can overcome weakness in any particular input.  For
+   example, the timing and content of requested "random" user keystrokes
+   can yield hundreds of random bits but conservative assumptions need
+   to be made.  For example, assuming a few bits of randomness if the
+   inter-keystroke interval is unique in the sequence up to that point
+   and a similar assumption if the key hit is unique but assuming that
+   no bits of randomness are present in the initial key value or if the
+   timing or key value duplicate previous values.  The results of mixing
+   these timings and characters typed could be further combined with
+   clock values and other inputs.
+
+   This strategy may make practical portable code to produce good random
+   numbers for security even if some of the inputs are very weak on some
+   of the target systems.  However, it may still fail against a high
+   grade attack on small single user systems, especially if the
+   adversary has ever been able to observe the generation process in the
+   past.  A hardware based random source is still preferable.
+
+6.3 Cryptographically Strong Sequences
+
+   In cases where a series of random quantities must be generated, an
+   adversary may learn some values in the sequence.  In general, they
+   should not be able to predict other values from the ones that they
+   know.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 19]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   The correct technique is to start with a strong random seed, take
+   cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
+   do not reveal the complete state of the generator in the sequence
+   elements.  If each value in the sequence can be calculated in a fixed
+   way from the previous value, then when any value is compromised, all
+   future values can be determined.  This would be the case, for
+   example, if each value were a constant function of the previously
+   used values, even if the function were a very strong, non-invertible
+   message digest function.
+
+   It should be noted that if your technique for generating a sequence
+   of key values is fast enough, it can trivially be used as the basis
+   for a confidentiality system.  If two parties use the same sequence
+   generating technique and start with the same seed material, they will
+   generate identical sequences.  These could, for example, be xor'ed at
+   one end with data being send, encrypting it, and xor'ed with this
+   data as received, decrypting it due to the reversible properties of
+   the xor operation.
+
+6.3.1 Traditional Strong Sequences
+
+   A traditional way to achieve a strong sequence has been to have the
+   values be produced by hashing the quantities produced by
+   concatenating the seed with successive integers or the like and then
+   mask the values obtained so as to limit the amount of generator state
+   available to the adversary.
+
+   It may also be possible to use an "encryption" algorithm with a
+   random key and seed value to encrypt and feedback some or all of the
+   output encrypted value into the value to be encrypted for the next
+   iteration.  Appropriate feedback techniques will usually be
+   recommended with the encryption algorithm.  An example is shown below
+   where shifting and masking are used to combine the cypher output
+   feedback.  This type of feedback is recommended by the US Government
+   in connection with DES [DES MODES].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 20]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+      +---------------+
+      |       V       |
+      |  |     n      |
+      +--+------------+
+            |      |           +---------+
+            |      +---------> |         |      +-----+
+         +--+                  | Encrypt | <--- | Key |
+         |           +-------- |         |      +-----+
+         |           |         +---------+
+         V           V
+      +------------+--+
+      |      V     |  |
+      |       n+1     |
+      +---------------+
+
+   Note that if a shift of one is used, this is the same as the shift
+   register technique described in Section 3 above but with the all
+   important difference that the feedback is determined by a complex
+   non-linear function of all bits rather than a simple linear or
+   polynomial combination of output from a few bit position taps.
+
+   It has been shown by Donald W. Davies that this sort of shifted
+   partial output feedback significantly weakens an algorithm compared
+   will feeding all of the output bits back as input.  In particular,
+   for DES, repeated encrypting a full 64 bit quantity will give an
+   expected repeat in about 2^63 iterations.  Feeding back anything less
+   than 64 (and more than 0) bits will give an expected repeat in
+   between 2**31 and 2**32 iterations!
+
+   To predict values of a sequence from others when the sequence was
+   generated by these techniques is equivalent to breaking the
+   cryptosystem or inverting the "non-invertible" hashing involved with
+   only partial information available.  The less information revealed
+   each iteration, the harder it will be for an adversary to predict the
+   sequence.  Thus it is best to use only one bit from each value.  It
+   has been shown that in some cases this makes it impossible to break a
+   system even when the cryptographic system is invertible and can be
+   broken if all of each generated value was revealed.
+
+6.3.2 The Blum Blum Shub Sequence Generator
+
+   Currently the generator which has the strongest public proof of
+   strength is called the Blum Blum Shub generator after its inventors
+   [BBS].  It is also very simple and is based on quadratic residues.
+   It's only disadvantage is that is is computationally intensive
+   compared with the traditional techniques give in 6.3.1 above.  This
+   is not a serious draw back if it is used for moderately infrequent
+   purposes, such as generating session keys.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 21]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Simply choose two large prime numbers, say p and q, which both have
+   the property that you get a remainder of 3 if you divide them by 4.
+   Let n = p * q.  Then you choose a random number x relatively prime to
+   n.  The initial seed for the generator and the method for calculating
+   subsequent values are then
+
+                   2
+        s    =  ( x  )(Mod n)
+         0
+
+                   2
+        s    = ( s   )(Mod n)
+         i+1      i
+
+   You must be careful to use only a few bits from the bottom of each s.
+   It is always safe to use only the lowest order bit.  If you use no
+   more than the
+
+                  log  ( log  ( s  ) )
+                     2      2    i
+
+   low order bits, then predicting any additional bits from a sequence
+   generated in this manner is provable as hard as factoring n.  As long
+   as the initial x is secret, you can even make n public if you want.
+
+   An intersting characteristic of this generator is that you can
+   directly calculate any of the s values.  In particular
+
+                     i
+               ( ( 2  )(Mod (( p - 1 ) * ( q - 1 )) ) )
+      s  = ( s                                          )(Mod n)
+       i      0
+
+   This means that in applications where many keys are generated in this
+   fashion, it is not necessary to save them all.  Each key can be
+   effectively indexed and recovered from that small index and the
+   initial s and n.
+
+7. Key Generation Standards
+
+   Several public standards are now in place for the generation of keys.
+   Two of these are described below.  Both use DES but any equally
+   strong or stronger mixing function could be substituted.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 22]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+7.1 US DoD Recommendations for Password Generation
+
+   The United States Department of Defense has specific recommendations
+   for password generation [DoD].  They suggest using the US Data
+   Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
+   follows:
+
+        use an initialization vector determined from
+             the system clock,
+             system ID,
+             user ID, and
+             date and time;
+        use a key determined from
+             system interrupt registers,
+             system status registers, and
+             system counters; and,
+        as plain text, use an external randomly generated 64 bit
+        quantity such as 8 characters typed in by a system
+        administrator.
+
+   The password can then be calculated from the 64 bit "cipher text"
+   generated in 64-bit Output Feedback Mode.  As many bits as are needed
+   can be taken from these 64 bits and expanded into a pronounceable
+   word, phrase, or other format if a human being needs to remember the
+   password.
+
+7.2 X9.17 Key Generation
+
+   The American National Standards Institute has specified a method for
+   generating a sequence of keys as follows:
+
+        s  is the initial 64 bit seed
+         0
+
+        g  is the sequence of generated 64 bit key quantities
+         n
+
+        k is a random key reserved for generating this key sequence
+
+        t is the time at which a key is generated to as fine a resolution
+            as is available (up to 64 bits).
+
+        DES ( K, Q ) is the DES encryption of quantity Q with key K
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 23]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+        g    = DES ( k, DES ( k, t ) .xor. s  )
+         n                                  n
+
+        s    = DES ( k, DES ( k, t ) .xor. g  )
+         n+1                                n
+
+   If g sub n is to be used as a DES key, then every eighth bit should
+   be adjusted for parity for that use but the entire 64 bit unmodified
+   g should be used in calculating the next s.
+
+8. Examples of Randomness Required
+
+   Below are two examples showing rough calculations of needed
+   randomness for security.  The first is for moderate security
+   passwords while the second assumes a need for a very high security
+   cryptographic key.
+
+8.1  Password Generation
+
+   Assume that user passwords change once a year and it is desired that
+   the probability that an adversary could guess the password for a
+   particular account be less than one in a thousand.  Further assume
+   that sending a password to the system is the only way to try a
+   password.  Then the crucial question is how often an adversary can
+   try possibilities.  Assume that delays have been introduced into a
+   system so that, at most, an adversary can make one password try every
+   six seconds.  That's 600 per hour or about 15,000 per day or about
+   5,000,000 tries in a year.  Assuming any sort of monitoring, it is
+   unlikely someone could actually try continuously for a year.  In
+   fact, even if log files are only checked monthly, 500,000 tries is
+   more plausible before the attack is noticed and steps taken to change
+   passwords and make it harder to try more passwords.
+
+   To have a one in a thousand chance of guessing the password in
+   500,000 tries implies a universe of at least 500,000,000 passwords or
+   about 2^29.  Thus 29 bits of randomness are needed. This can probably
+   be achieved using the US DoD recommended inputs for password
+   generation as it has 8 inputs which probably average over 5 bits of
+   randomness each (see section 7.1).  Using a list of 1000 words, the
+   password could be expressed as a three word phrase (1,000,000,000
+   possibilities) or, using case insensitive letters and digits, six
+   would suffice ((26+10)^6 = 2,176,782,336 possibilities).
+
+   For a higher security password, the number of bits required goes up.
+   To decrease the probability by 1,000 requires increasing the universe
+   of passwords by the same factor which adds about 10 bits.  Thus to
+   have only a one in a million chance of a password being guessed under
+   the above scenario would require 39 bits of randomness and a password
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 24]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   that was a four word phrase from a 1000 word list or eight
+   letters/digits.  To go to a one in 10^9 chance, 49 bits of randomness
+   are needed implying a five word phrase or ten letter/digit password.
+
+   In a real system, of course, there are also other factors.  For
+   example, the larger and harder to remember passwords are, the more
+   likely users are to write them down resulting in an additional risk
+   of compromise.
+
+8.2 A Very High Security Cryptographic Key
+
+   Assume that a very high security key is needed for symmetric
+   encryption / decryption between two parties.  Assume an adversary can
+   observe communications and knows the algorithm being used.  Within
+   the field of random possibilities, the adversary can try key values
+   in hopes of finding the one in use.  Assume further that brute force
+   trial of keys is the best the adversary can do.
+
+8.2.1 Effort per Key Trial
+
+   How much effort will it take to try each key?  For very high security
+   applications it is best to assume a low value of effort.  Even if it
+   would clearly take tens of thousands of computer cycles or more to
+   try a single key, there may be some pattern that enables huge blocks
+   of key values to be tested with much less effort per key.  Thus it is
+   probably best to assume no more than a couple hundred cycles per key.
+   (There is no clear lower bound on this as computers operate in
+   parallel on a number of bits and a poor encryption algorithm could
+   allow many keys or even groups of keys to be tested in parallel.
+   However, we need to assume some value and can hope that a reasonably
+   strong algorithm has been chosen for our hypothetical high security
+   task.)
+
+   If the adversary can command a highly parallel processor or a large
+   network of work stations, 2*10^10 cycles per second is probably a
+   minimum assumption for availability today.  Looking forward just a
+   couple years, there should be at least an order of magnitude
+   improvement.  Thus assuming 10^9 keys could be checked per second or
+   3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
+   reasonable.  This implies a need for a minimum of 51 bits of
+   randomness in keys to be sure they cannot be found in a month.  Even
+   then it is possible that, a few years from now, a highly determined
+   and resourceful adversary could break the key in 2 weeks (on average
+   they need try only half the keys).
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 25]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+8.2.2 Meet in the Middle Attacks
+
+   If chosen or known plain text and the resulting encrypted text are
+   available, a "meet in the middle" attack is possible if the structure
+   of the encryption algorithm allows it.  (In a known plain text
+   attack, the adversary knows all or part of the messages being
+   encrypted, possibly some standard header or trailer fields.  In a
+   chosen plain text attack, the adversary can force some chosen plain
+   text to be encrypted, possibly by "leaking" an exciting text that
+   would then be sent by the adversary over an encrypted channel.)
+
+   An oversimplified explanation of the meet in the middle attack is as
+   follows: the adversary can half-encrypt the known or chosen plain
+   text with all possible first half-keys, sort the output, then half-
+   decrypt the encoded text with all the second half-keys.  If a match
+   is found, the full key can be assembled from the halves and used to
+   decrypt other parts of the message or other messages.  At its best,
+   this type of attack can halve the exponent of the work required by
+   the adversary while adding a large but roughly constant factor of
+   effort.  To be assured of safety against this, a doubling of the
+   amount of randomness in the key to a minimum of 102 bits is required.
+
+   The meet in the middle attack assumes that the cryptographic
+   algorithm can be decomposed in this way but we can not rule that out
+   without a deep knowledge of the algorithm.  Even if a basic algorithm
+   is not subject to a meet in the middle attack, an attempt to produce
+   a stronger algorithm by applying the basic algorithm twice (or two
+   different algorithms sequentially) with different keys may gain less
+   added security than would be expected.  Such a composite algorithm
+   would be subject to a meet in the middle attack.
+
+   Enormous resources may be required to mount a meet in the middle
+   attack but they are probably within the range of the national
+   security services of a major nation.  Essentially all nations spy on
+   other nations government traffic and several nations are believed to
+   spy on commercial traffic for economic advantage.
+
+8.2.3 Other Considerations
+
+   Since we have not even considered the possibilities of special
+   purpose code breaking hardware or just how much of a safety margin we
+   want beyond our assumptions above, probably a good minimum for a very
+   high security cryptographic key is 128 bits of randomness which
+   implies a minimum key length of 128 bits.  If the two parties agree
+   on a key by Diffie-Hellman exchange [D-H], then in principle only
+   half of this randomness would have to be supplied by each party.
+   However, there is probably some correlation between their random
+   inputs so it is probably best to assume that each party needs to
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 26]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   provide at least 96 bits worth of randomness for very high security
+   if Diffie-Hellman is used.
+
+   This amount of randomness is beyond the limit of that in the inputs
+   recommended by the US DoD for password generation and could require
+   user typing timing, hardware random number generation, or other
+   sources.
+
+   It should be noted that key length calculations such at those above
+   are controversial and depend on various assumptions about the
+   cryptographic algorithms in use.  In some cases, a professional with
+   a deep knowledge of code breaking techniques and of the strength of
+   the algorithm in use could be satisfied with less than half of the
+   key size derived above.
+
+9. Conclusion
+
+   Generation of unguessable "random" secret quantities for security use
+   is an essential but difficult task.
+
+   We have shown that hardware techniques to produce such randomness
+   would be relatively simple.  In particular, the volume and quality
+   would not need to be high and existing computer hardware, such as
+   disk drives, can be used.  Computational techniques are available to
+   process low quality random quantities from multiple sources or a
+   larger quantity of such low quality input from one source and produce
+   a smaller quantity of higher quality, less predictable key material.
+   In the absence of hardware sources of randomness, a variety of user
+   and software sources can frequently be used instead with care;
+   however, most modern systems already have hardware, such as disk
+   drives or audio input, that could be used to produce high quality
+   randomness.
+
+   Once a sufficient quantity of high quality seed key material (a few
+   hundred bits) is available, strong computational techniques are
+   available to produce cryptographically strong sequences of
+   unpredicatable quantities from this seed material.
+
+10. Security Considerations
+
+   The entirety of this document concerns techniques and recommendations
+   for generating unguessable "random" quantities for use as passwords,
+   cryptographic keys, and similar security uses.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 27]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+References
+
+   [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems,
+   edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
+   Press, Inc.
+
+   [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM
+   Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub.
+
+   [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day,
+   1981, David Brillinger.
+
+   [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber
+   Publishing Company.
+
+   [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication,
+   John Wiley & Sons, 1981, Alan G. Konheim.
+
+   [CRYPTO2] - Cryptography:  A New Dimension in Computer Data Security,
+   A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H.
+   Meyer & Stephen M. Matyas.
+
+   [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source
+   Code in C, John Wiley & Sons, 1994, Bruce Schneier.
+
+   [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk
+   Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture
+   Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and
+   Philip Fenstermacher.
+
+   [DES] -  Data Encryption Standard, United States of America,
+   Department of Commerce, National Institute of Standards and
+   Technology, Federal Information Processing Standard (FIPS) 46-1.
+   - Data Encryption Algorithm, American National Standards Institute,
+   ANSI X3.92-1981.
+   (See also FIPS 112, Password Usage, which includes FORTRAN code for
+   performing DES.)
+
+   [DES MODES] - DES Modes of Operation, United States of America,
+   Department of Commerce, National Institute of Standards and
+   Technology, Federal Information Processing Standard (FIPS) 81.
+   - Data Encryption Algorithm - Modes of Operation, American National
+   Standards Institute, ANSI X3.106-1983.
+
+   [D-H] - New Directions in Cryptography, IEEE Transactions on
+   Information Technology, November, 1976, Whitfield Diffie and Martin
+   E. Hellman.
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 28]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   [DoD] - Password Management Guideline, United States of America,
+   Department of Defense, Computer Security Center, CSC-STD-002-85.
+   (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85
+   as one of its appendices.)
+
+   [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988,
+   David K. Gifford
+
+   [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical
+   Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
+   Company, Second Edition 1982, Donald E. Knuth.
+
+   [KRAWCZYK] - How to Predict Congruential Generators, Journal of
+   Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
+
+   [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B.
+   Kaliski
+   [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R.
+   Rivest
+   [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R.
+   Rivest
+
+   [PEM] - RFCs 1421 through 1424:
+   - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part
+   IV: Key Certification and Related Services, 02/10/1993, B. Kaliski
+   - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part
+   III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson
+   - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part
+   II: Certificate-Based Key Management, 02/10/1993, S. Kent
+   - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I:
+   Message Encryption and Authentication Procedures, 02/10/1993, J. Linn
+
+   [SHANNON] - The Mathematical Theory of Communication, University of
+   Illinois Press, 1963, Claude E. Shannon.  (originally from:  Bell
+   System Technical Journal, July and October 1948)
+
+   [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised
+   Edition 1982, Solomon W. Golomb.
+
+   [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher
+   Systems, Aegean Park Press, 1984, Wayne G. Barker.
+
+   [SHS] - Secure Hash Standard, United States of American, National
+   Institute of Science and Technology, Federal Information Processing
+   Standard (FIPS) 180, April 1993.
+
+   [STERN] - Secret Linear Congruential Generators are not
+   Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 29]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   [VON NEUMANN] - Various techniques used in connection with random
+   digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963,
+   J. von Neumann.
+
+Authors' Addresses
+
+   Donald E. Eastlake 3rd
+   Digital Equipment Corporation
+   550 King Street, LKG2-1/BB3
+   Littleton, MA 01460
+
+   Phone:   +1 508 486 6577(w)  +1 508 287 4877(h)
+   EMail:   dee@lkg.dec.com
+
+
+   Stephen D. Crocker
+   CyberCash Inc.
+   2086 Hunters Crest Way
+   Vienna, VA 22181
+
+   Phone:   +1 703-620-1222(w)  +1 703-391-2651 (fax)
+   EMail:   crocker@cybercash.com
+
+
+   Jeffrey I. Schiller
+   Massachusetts Institute of Technology
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone:   +1 617 253 0161(w)
+   EMail:   jis@mit.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 30]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc1831.txt b/crypto/heimdal/doc/standardisation/rfc1831.txt
new file mode 100644
index 0000000..0556c9e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1831.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group                                      R. Srinivasan
+Request for Comments: 1831                              Sun Microsystems
+Category: Standards Track                                    August 1995
+
+
+      RPC: Remote Procedure Call Protocol Specification Version 2
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+ABSTRACT
+
+   This document describes the ONC Remote Procedure Call (ONC RPC
+   Version 2) protocol as it is currently deployed and accepted.  "ONC"
+   stands for "Open Network Computing".
+
+TABLE OF CONTENTS
+
+      1. INTRODUCTION                                              2
+      2. TERMINOLOGY                                               2
+      3. THE RPC MODEL                                             2
+      4. TRANSPORTS AND SEMANTICS                                  4
+      5. BINDING AND RENDEZVOUS INDEPENDENCE                       5
+      6. AUTHENTICATION                                            5
+      7. RPC PROTOCOL REQUIREMENTS                                 5
+      7.1 RPC Programs and Procedures                              6
+      7.2 Authentication                                           7
+      7.3 Program Number Assignment                                8
+      7.4 Other Uses of the RPC Protocol                           8
+      7.4.1 Batching                                               8
+      7.4.2 Broadcast Remote Procedure Calls                       8
+      8. THE RPC MESSAGE PROTOCOL                                  9
+      9. AUTHENTICATION PROTOCOLS                                 12
+      9.1 Null Authentication                                     13
+      10. RECORD MARKING STANDARD                                 13
+      11. THE RPC LANGUAGE                                        13
+      11.1 An Example Service Described in the RPC Language       13
+      11.2 The RPC Language Specification                         14
+      11.3 Syntax Notes                                           15
+      APPENDIX A: SYSTEM AUTHENTICATION                           16
+      REFERENCES                                                  17
+      Security Considerations                                     18
+      Author's Address                                            18
+
+
+
+Srinivasan                  Standards Track                     [Page 1]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+1. INTRODUCTION
+
+   This document specifies version two of the message protocol used in
+   ONC Remote Procedure Call (RPC).  The message protocol is specified
+   with the eXternal Data Representation (XDR) language [9].  This
+   document assumes that the reader is familiar with XDR.  It does not
+   attempt to justify remote procedure calls systems or describe their
+   use.  The paper by Birrell and Nelson [1] is recommended as an
+   excellent background for the remote procedure call concept.
+
+2. TERMINOLOGY
+
+   This document discusses clients, calls, servers, replies, services,
+   programs, procedures, and versions.  Each remote procedure call has
+   two sides: an active client side that makes the call to a server,
+   which sends back a reply.  A network service is a collection of one
+   or more remote programs.  A remote program implements one or more
+   remote procedures; the procedures, their parameters, and results are
+   documented in the specific program's protocol specification.  A
+   server may support more than one version of a remote program in order
+   to be compatible with changing protocols.
+
+   For example, a network file service may be composed of two programs.
+   One program may deal with high-level applications such as file system
+   access control and locking.  The other may deal with low-level file
+   input and output and have procedures like "read" and "write".  A
+   client of the network file service would call the procedures
+   associated with the two programs of the service on behalf of the
+   client.
+
+   The terms client and server only apply to a particular transaction; a
+   particular hardware entity (host) or software entity (process or
+   program) could operate in both roles at different times.  For
+   example, a program that supplies remote execution service could also
+   be a client of a network file service.
+
+3. THE RPC MODEL
+
+   The ONC RPC protocol is based on the remote procedure call model,
+   which is similar to the local procedure call model.  In the local
+   case, the caller places arguments to a procedure in some well-
+   specified location (such as a register window).  It then transfers
+   control to the procedure, and eventually regains control.  At that
+   point, the results of the procedure are extracted from the well-
+   specified location, and the caller continues execution.
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 2]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   The remote procedure call model is similar.  One thread of control
+   logically winds through two processes: the caller's process, and a
+   server's process.  The caller process first sends a call message to
+   the server process and waits (blocks) for a reply message.  The call
+   message includes the procedure's parameters, and the reply message
+   includes the procedure's results.  Once the reply message is
+   received, the results of the procedure are extracted, and caller's
+   execution is resumed.
+
+   On the server side, a process is dormant awaiting the arrival of a
+   call message.  When one arrives, the server process extracts the
+   procedure's parameters, computes the results, sends a reply message,
+   and then awaits the next call message.
+
+   In this model, only one of the two processes is active at any given
+   time.  However, this model is only given as an example.  The ONC RPC
+   protocol makes no restrictions on the concurrency model implemented,
+   and others are possible.  For example, an implementation may choose
+   to have RPC calls be asynchronous, so that the client may do useful
+   work while waiting for the reply from the server.  Another
+   possibility is to have the server create a separate task to process
+   an incoming call, so that the original server can be free to receive
+   other requests.
+
+   There are a few important ways in which remote procedure calls differ
+   from local procedure calls:
+
+      1. Error handling: failures of the remote server or network must
+      be handled when using remote procedure calls.
+
+      2. Global variables and side-effects: since the server does not
+      have access to the client's address space, hidden arguments cannot
+      be passed as global variables or returned as side effects.
+
+      3. Performance:  remote procedures usually operate one or more
+      orders of magnitude slower than local procedure calls.
+
+      4. Authentication: since remote procedure calls can be transported
+      over unsecured networks, authentication may be necessary.
+      Authentication prevents one entity from masquerading as some other
+      entity.
+
+   The conclusion is that even though there are tools to automatically
+   generate client and server libraries for a given service, protocols
+   must still be designed carefully.
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 3]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+4. TRANSPORTS AND SEMANTICS
+
+   The RPC protocol can be implemented on several different transport
+   protocols.  The RPC protocol does not care how a message is passed
+   from one process to another, but only with specification and
+   interpretation of messages.  However, the application may wish to
+   obtain information about (and perhaps control over) the transport
+   layer through an interface not specified in this document.  For
+   example, the transport protocol may impose a restriction on the
+   maximum size of RPC messages, or it may be stream-oriented like TCP
+   with no size limit.  The client and server must agree on their
+   transport protocol choices.
+
+   It is important to point out that RPC does not try to implement any
+   kind of reliability and that the application may need to be aware of
+   the type of transport protocol underneath RPC.  If it knows it is
+   running on top of a reliable transport such as TCP [6], then most of
+   the work is already done for it.  On the other hand, if it is running
+   on top of an unreliable transport such as UDP [7], it must implement
+   its own time-out, retransmission, and duplicate detection policies as
+   the RPC protocol does not provide these services.
+
+   Because of transport independence, the RPC protocol does not attach
+   specific semantics to the remote procedures or their execution
+   requirements.  Semantics can be inferred from (but should be
+   explicitly specified by) the underlying transport protocol.  For
+   example, consider RPC running on top of an unreliable transport such
+   as UDP.  If an application retransmits RPC call messages after time-
+   outs, and does not receive a reply, it cannot infer anything about
+   the number of times the procedure was executed.  If it does receive a
+   reply, then it can infer that the procedure was executed at least
+   once.
+
+   A server may wish to remember previously granted requests from a
+   client and not regrant them in order to insure some degree of
+   execute-at-most-once semantics.  A server can do this by taking
+   advantage of the transaction ID that is packaged with every RPC
+   message.  The main use of this transaction ID is by the client RPC
+   entity in matching replies to calls.  However, a client application
+   may choose to reuse its previous transaction ID when retransmitting a
+   call.  The server may choose to remember this ID after executing a
+   call and not execute calls with the same ID in order to achieve some
+   degree of execute-at-most-once semantics.  The server is not allowed
+   to examine this ID in any other way except as a test for equality.
+
+   On the other hand, if using a "reliable" transport such as TCP, the
+   application can infer from a reply message that the procedure was
+   executed exactly once, but if it receives no reply message, it cannot
+
+
+
+Srinivasan                  Standards Track                     [Page 4]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   assume that the remote procedure was not executed.  Note that even if
+   a connection-oriented protocol like TCP is used, an application still
+   needs time-outs and reconnection to handle server crashes.
+
+   There are other possibilities for transports besides datagram- or
+   connection-oriented protocols.  For example, a request-reply protocol
+   such as VMTP [2] is perhaps a natural transport for RPC.  ONC RPC
+   uses both TCP and UDP transport protocols.  Section 10 (RECORD
+   MARKING STANDARD) describes the mechanism employed by ONC RPC to
+   utilize a connection-oriented, stream-oriented transport such as TCP.
+
+5. BINDING AND RENDEZVOUS INDEPENDENCE
+
+   The act of binding a particular client to a particular service and
+   transport parameters is NOT part of this RPC protocol specification.
+   This important and necessary function is left up to some higher-level
+   software.
+
+   Implementors could think of the RPC protocol as the jump-subroutine
+   instruction ("JSR") of a network; the loader (binder) makes JSR
+   useful, and the loader itself uses JSR to accomplish its task.
+   Likewise, the binding software makes RPC useful, possibly using RPC
+   to accomplish this task.
+
+6. AUTHENTICATION
+
+   The RPC protocol provides the fields necessary for a client to
+   identify itself to a service, and vice-versa, in each call and reply
+   message.  Security and access control mechanisms can be built on top
+   of this message authentication.  Several different authentication
+   protocols can be supported.  A field in the RPC header indicates
+   which protocol is being used. More information on specific
+   authentication protocols is in section 9: "Authentication Protocols".
+
+7. RPC PROTOCOL REQUIREMENTS
+
+   The RPC protocol must provide for the following:
+
+      (1) Unique specification of a procedure to be called.
+      (2) Provisions for matching response messages to request messages.
+      (3) Provisions for authenticating the caller to service and
+          vice-versa.
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 5]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   Besides these requirements, features that detect the following are
+   worth supporting because of protocol roll-over errors, implementation
+   bugs, user error, and network administration:
+
+      (1) RPC protocol mismatches.
+      (2) Remote program protocol version mismatches.
+      (3) Protocol errors (such as misspecification of a procedure's
+          parameters).
+      (4) Reasons why remote authentication failed.
+      (5) Any other reasons why the desired procedure was not called.
+
+7.1 RPC Programs and Procedures
+
+   The RPC call message has three unsigned integer fields -- remote
+   program number, remote program version number, and remote procedure
+   number -- which uniquely identify the procedure to be called.
+   Program numbers are administered by a central authority
+   (rpc@sun.com).  Once implementors have a program number, they can
+   implement their remote program; the first implementation would most
+   likely have the version number 1.  Because most new protocols evolve,
+   a version field of the call message identifies which version of the
+   protocol the caller is using.  Version numbers enable support of both
+   old and new protocols through the same server process.
+
+   The procedure number identifies the procedure to be called.  These
+   numbers are documented in the specific program's protocol
+   specification.  For example, a file service's protocol specification
+   may state that its procedure number 5 is "read" and procedure number
+   12 is "write".
+
+   Just as remote program protocols may change over several versions,
+   the actual RPC message protocol could also change.  Therefore, the
+   call message also has in it the RPC version number, which is always
+   equal to two for the version of RPC described here.
+
+   The reply message to a request message has enough information to
+   distinguish the following error conditions:
+
+      (1) The remote implementation of RPC does not support protocol
+      version 2.  The lowest and highest supported RPC version numbers
+      are returned.
+
+      (2) The remote program is not available on the remote system.
+
+      (3) The remote program does not support the requested version
+      number.  The lowest and highest supported remote program version
+      numbers are returned.
+
+
+
+
+Srinivasan                  Standards Track                     [Page 6]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+      (4) The requested procedure number does not exist.  (This is
+      usually a client side protocol or programming error.)
+
+      (5) The parameters to the remote procedure appear to be garbage
+      from the server's point of view.  (Again, this is usually caused
+      by a disagreement about the protocol between client and service.)
+
+7.2 Authentication
+
+   Provisions for authentication of caller to service and vice-versa are
+   provided as a part of the RPC protocol.  The call message has two
+   authentication fields, the credential and verifier.  The reply
+   message has one authentication field, the response verifier.  The RPC
+   protocol specification defines all three fields to be the following
+   opaque type (in the eXternal Data Representation (XDR) language [9]):
+
+      enum auth_flavor {
+         AUTH_NONE       = 0,
+         AUTH_SYS        = 1,
+         AUTH_SHORT      = 2
+         /* and more to be defined */
+      };
+
+      struct opaque_auth {
+         auth_flavor flavor;
+         opaque body<400>;
+      };
+
+   In other words, any "opaque_auth" structure is an "auth_flavor"
+   enumeration followed by up to 400 bytes which are opaque to
+   (uninterpreted by) the RPC protocol implementation.
+
+   The interpretation and semantics of the data contained within the
+   authentication fields is specified by individual, independent
+   authentication protocol specifications.  (Section 9 defines the
+   various authentication protocols.)
+
+   If authentication parameters were rejected, the reply message
+   contains information stating why they were rejected.
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 7]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+7.3 Program Number Assignment
+
+   Program numbers are given out in groups of hexadecimal 20000000
+   (decimal 536870912) according to the following chart:
+
+              0 - 1fffffff   defined by rpc@sun.com
+       20000000 - 3fffffff   defined by user
+       40000000 - 5fffffff   transient
+       60000000 - 7fffffff   reserved
+       80000000 - 9fffffff   reserved
+       a0000000 - bfffffff   reserved
+       c0000000 - dfffffff   reserved
+       e0000000 - ffffffff   reserved
+
+   The first group is a range of numbers administered by rpc@sun.com and
+   should be identical for all sites.  The second range is for
+   applications peculiar to a particular site.  This range is intended
+   primarily for debugging new programs.  When a site develops an
+   application that might be of general interest, that application
+   should be given an assigned number in the first range.  Application
+   developers may apply for blocks of RPC program numbers in the first
+   range by sending electronic mail to "rpc@sun.com".  The third group
+   is for applications that generate program numbers dynamically.  The
+   final groups are reserved for future use, and should not be used.
+
+7.4 Other Uses of the RPC Protocol
+
+   The intended use of this protocol is for calling remote procedures.
+   Normally, each call message is matched with a reply message.
+   However, the protocol itself is a message-passing protocol with which
+   other (non-procedure call) protocols can be implemented.
+
+7.4.1 Batching
+
+   Batching is useful when a client wishes to send an arbitrarily large
+   sequence of call messages to a server.  Batching typically uses
+   reliable byte stream protocols (like TCP) for its transport.  In the
+   case of batching, the client never waits for a reply from the server,
+   and the server does not send replies to batch calls.  A sequence of
+   batch calls is usually terminated by a legitimate remote procedure
+   call operation in order to flush the pipeline and get positive
+   acknowledgement.
+
+7.4.2 Broadcast Remote Procedure Calls
+
+   In broadcast protocols, the client sends a broadcast call to the
+   network and waits for numerous replies.  This requires the use of
+   packet-based protocols (like UDP) as its transport protocol.  Servers
+
+
+
+Srinivasan                  Standards Track                     [Page 8]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   that support broadcast protocols usually respond only when the call
+   is successfully processed and are silent in the face of errors, but
+   this varies with the application.
+
+   The principles of broadcast RPC also apply to multicasting - an RPC
+   request can be sent to a multicast address.
+
+8. THE RPC MESSAGE PROTOCOL
+
+   This section defines the RPC message protocol in the XDR data
+   description language [9].
+
+      enum msg_type {
+         CALL  = 0,
+         REPLY = 1
+      };
+
+   A reply to a call message can take on two forms: The message was
+   either accepted or rejected.
+
+      enum reply_stat {
+         MSG_ACCEPTED = 0,
+         MSG_DENIED   = 1
+      };
+
+   Given that a call message was accepted, the following is the status
+   of an attempt to call a remote procedure.
+
+      enum accept_stat {
+         SUCCESS       = 0, /* RPC executed successfully             */
+         PROG_UNAVAIL  = 1, /* remote hasn't exported program        */
+         PROG_MISMATCH = 2, /* remote can't support version #        */
+         PROC_UNAVAIL  = 3, /* program can't support procedure       */
+         GARBAGE_ARGS  = 4, /* procedure can't decode params         */
+         SYSTEM_ERR    = 5  /* errors like memory allocation failure */
+      };
+
+   Reasons why a call message was rejected:
+
+      enum reject_stat {
+         RPC_MISMATCH = 0, /* RPC version number != 2          */
+         AUTH_ERROR = 1    /* remote can't authenticate caller */
+      };
+
+   Why authentication failed:
+
+      enum auth_stat {
+         AUTH_OK           = 0,  /* success                          */
+
+
+
+Srinivasan                  Standards Track                     [Page 9]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+         /*
+          * failed at remote end
+          */
+         AUTH_BADCRED      = 1,  /* bad credential (seal broken)     */
+         AUTH_REJECTEDCRED = 2,  /* client must begin new session    */
+         AUTH_BADVERF      = 3,  /* bad verifier (seal broken)       */
+         AUTH_REJECTEDVERF = 4,  /* verifier expired or replayed     */
+         AUTH_TOOWEAK      = 5,  /* rejected for security reasons    */
+         /*
+          * failed locally
+          */
+         AUTH_INVALIDRESP  = 6,  /* bogus response verifier          */
+         AUTH_FAILED       = 7   /* reason unknown                   */
+      };
+
+   The RPC message:
+
+   All messages start with a transaction identifier, xid, followed by a
+   two-armed discriminated union.  The union's discriminant is a
+   msg_type which switches to one of the two types of the message.  The
+   xid of a REPLY message always matches that of the initiating CALL
+   message.  NB: The xid field is only used for clients matching reply
+   messages with call messages or for servers detecting retransmissions;
+   the service side cannot treat this id as any type of sequence number.
+
+      struct rpc_msg {
+         unsigned int xid;
+         union switch (msg_type mtype) {
+         case CALL:
+            call_body cbody;
+         case REPLY:
+            reply_body rbody;
+         } body;
+      };
+
+   Body of an RPC call:
+
+   In version 2 of the RPC protocol specification, rpcvers must be equal
+   to 2.  The fields prog, vers, and proc specify the remote program,
+   its version number, and the procedure within the remote program to be
+   called.  After these fields are two authentication parameters:  cred
+   (authentication credential) and verf (authentication verifier).  The
+   two authentication parameters are followed by the parameters to the
+   remote procedure, which are specified by the specific program
+   protocol.
+
+   The purpose of the authentication verifier is to validate the
+   authentication credential.  Note that these two items are
+
+
+
+Srinivasan                  Standards Track                    [Page 10]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   historically separate, but are always used together as one logical
+   entity.
+
+      struct call_body {
+         unsigned int rpcvers;       /* must be equal to two (2) */
+         unsigned int prog;
+         unsigned int vers;
+         unsigned int proc;
+         opaque_auth  cred;
+         opaque_auth  verf;
+         /* procedure specific parameters start here */
+      };
+
+   Body of a reply to an RPC call:
+
+      union reply_body switch (reply_stat stat) {
+      case MSG_ACCEPTED:
+         accepted_reply areply;
+      case MSG_DENIED:
+         rejected_reply rreply;
+      } reply;
+
+   Reply to an RPC call that was accepted by the server:
+
+   There could be an error even though the call was accepted.  The first
+   field is an authentication verifier that the server generates in
+   order to validate itself to the client.  It is followed by a union
+   whose discriminant is an enum accept_stat.  The SUCCESS arm of the
+   union is protocol specific.  The PROG_UNAVAIL, PROC_UNAVAIL,
+   GARBAGE_ARGS, and SYSTEM_ERR arms of the union are void.  The
+   PROG_MISMATCH arm specifies the lowest and highest version numbers of
+   the remote program supported by the server.
+
+      struct accepted_reply {
+         opaque_auth verf;
+         union switch (accept_stat stat) {
+         case SUCCESS:
+            opaque results[0];
+            /*
+             * procedure-specific results start here
+             */
+          case PROG_MISMATCH:
+             struct {
+                unsigned int low;
+                unsigned int high;
+             } mismatch_info;
+          default:
+             /*
+
+
+
+Srinivasan                  Standards Track                    [Page 11]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+              * Void.  Cases include PROG_UNAVAIL, PROC_UNAVAIL,
+              * GARBAGE_ARGS, and SYSTEM_ERR.
+              */
+             void;
+          } reply_data;
+      };
+
+   Reply to an RPC call that was rejected by the server:
+
+   The call can be rejected for two reasons: either the server is not
+   running a compatible version of the RPC protocol (RPC_MISMATCH), or
+   the server rejects the identity of the caller (AUTH_ERROR). In case
+   of an RPC version mismatch, the server returns the lowest and highest
+   supported RPC version numbers.  In case of invalid authentication,
+   failure status is returned.
+
+      union rejected_reply switch (reject_stat stat) {
+      case RPC_MISMATCH:
+         struct {
+            unsigned int low;
+            unsigned int high;
+         } mismatch_info;
+      case AUTH_ERROR:
+         auth_stat stat;
+      };
+
+9. AUTHENTICATION PROTOCOLS
+
+   As previously stated, authentication parameters are opaque, but
+   open-ended to the rest of the RPC protocol.  This section defines two
+   standard "flavors" of authentication.  Implementors are free to
+   invent new authentication types, with the same rules of flavor number
+   assignment as there is for program number assignment.  The "flavor"
+   of a credential or verifier refers to the value of the "flavor" field
+   in the opaque_auth structure. Flavor numbers, like RPC program
+   numbers, are also administered centrally, and developers may assign
+   new flavor numbers by applying through electronic mail to
+   "rpc@sun.com".  Credentials and verifiers are represented as variable
+   length opaque data (the "body" field in the opaque_auth structure).
+
+   In this document, two flavors of authentication are described.  Of
+   these, Null authentication (described in the next subsection) is
+   mandatory - it must be available in all implementations.  System
+   authentication is described in Appendix A.  It is strongly
+   recommended that implementors include System authentication in their
+   implementations.  Many applications use this style of authentication,
+   and availability of this flavor in an implementation will enhance
+   interoperability.
+
+
+
+Srinivasan                  Standards Track                    [Page 12]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+9.1 Null Authentication
+
+   Often calls must be made where the client does not care about its
+   identity or the server does not care who the client is.  In this
+   case, the flavor of the RPC message's credential, verifier, and reply
+   verifier is "AUTH_NONE".  Opaque data associated with "AUTH_NONE" is
+   undefined.  It is recommended that the length of the opaque data be
+   zero.
+
+10. RECORD MARKING STANDARD
+
+   When RPC messages are passed on top of a byte stream transport
+   protocol (like TCP), it is necessary to delimit one message from
+   another in order to detect and possibly recover from protocol errors.
+   This is called record marking (RM).  One RPC message fits into one RM
+   record.
+
+   A record is composed of one or more record fragments.  A record
+   fragment is a four-byte header followed by 0 to (2**31) - 1 bytes of
+   fragment data.  The bytes encode an unsigned binary number; as with
+   XDR integers, the byte order is from highest to lowest.  The number
+   encodes two values -- a boolean which indicates whether the fragment
+   is the last fragment of the record (bit value 1 implies the fragment
+   is the last fragment) and a 31-bit unsigned binary value which is the
+   length in bytes of the fragment's data.  The boolean value is the
+   highest-order bit of the header; the length is the 31 low-order bits.
+   (Note that this record specification is NOT in XDR standard form!)
+
+11. THE RPC LANGUAGE
+
+   Just as there was a need to describe the XDR data-types in a formal
+   language, there is also need to describe the procedures that operate
+   on these XDR data-types in a formal language as well.  The RPC
+   Language is an extension to the XDR language, with the addition of
+   "program", "procedure", and "version" declarations.  The following
+   example is used to describe the essence of the language.
+
+11.1 An Example Service Described in the RPC Language
+
+   Here is an example of the specification of a simple ping program.
+
+   program PING_PROG {
+         /*
+          * Latest and greatest version
+          */
+         version PING_VERS_PINGBACK {
+            void
+            PINGPROC_NULL(void) = 0;
+
+
+
+Srinivasan                  Standards Track                    [Page 13]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+            /*
+             * Ping the client, return the round-trip time
+             * (in microseconds). Returns -1 if the operation
+             * timed out.
+             */
+            int
+            PINGPROC_PINGBACK(void) = 1;
+         } = 2;
+
+         /*
+          * Original version
+          */
+         version PING_VERS_ORIG {
+            void
+            PINGPROC_NULL(void) = 0;
+         } = 1;
+      } = 1;
+
+      const PING_VERS = 2;      /* latest version */
+
+   The first version described is PING_VERS_PINGBACK with two
+   procedures, PINGPROC_NULL and PINGPROC_PINGBACK.  PINGPROC_NULL takes
+   no arguments and returns no results, but it is useful for computing
+   round-trip times from the client to the server and back again.  By
+   convention, procedure 0 of any RPC protocol should have the same
+   semantics, and never require any kind of authentication.  The second
+   procedure is used for the client to have the server do a reverse ping
+   operation back to the client, and it returns the amount of time (in
+   microseconds) that the operation used.  The next version,
+   PING_VERS_ORIG, is the original version of the protocol and it does
+   not contain PINGPROC_PINGBACK procedure. It is useful for
+   compatibility with old client programs, and as this program matures
+   it may be dropped from the protocol entirely.
+
+11.2 The RPC Language Specification
+
+   The RPC language is identical to the XDR language defined in RFC
+   1014, except for the added definition of a "program-def" described
+   below.
+
+   program-def:
+      "program" identifier "{"
+         version-def
+         version-def *
+      "}" "=" constant ";"
+
+   version-def:
+      "version" identifier "{"
+
+
+
+Srinivasan                  Standards Track                    [Page 14]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+          procedure-def
+          procedure-def *
+      "}" "=" constant ";"
+
+   procedure-def:
+      type-specifier identifier "(" type-specifier
+        ("," type-specifier )* ")" "=" constant ";"
+
+11.3 Syntax Notes
+
+   (1) The following keywords are added and cannot be used as
+   identifiers: "program" and "version";
+
+   (2) A version name cannot occur more than once within the scope of a
+   program definition. Nor can a version number occur more than once
+   within the scope of a program definition.
+
+   (3) A procedure name cannot occur more than once within the scope of
+   a version definition. Nor can a procedure number occur more than once
+   within the scope of version definition.
+
+   (4) Program identifiers are in the same name space as constant and
+   type identifiers.
+
+   (5) Only unsigned constants can be assigned to programs, versions and
+   procedures.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 15]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+APPENDIX A: SYSTEM AUTHENTICATION
+
+   The client may wish to identify itself, for example, as it is
+   identified on a UNIX(tm) system.  The flavor of the client credential
+   is "AUTH_SYS".  The opaque data constituting the credential encodes
+   the following structure:
+
+      struct authsys_parms {
+         unsigned int stamp;
+         string machinename<255>;
+         unsigned int uid;
+         unsigned int gid;
+         unsigned int gids<16>;
+      };
+
+   The "stamp" is an arbitrary ID which the caller machine may generate.
+   The "machinename" is the name of the caller's machine (like
+   "krypton").  The "uid" is the caller's effective user ID.  The "gid"
+   is the caller's effective group ID.  The "gids" is a counted array of
+   groups which contain the caller as a member.  The verifier
+   accompanying the credential should have "AUTH_NONE" flavor value
+   (defined above).  Note this credential is only unique within a
+   particular domain of machine names, uids, and gids.
+
+   The flavor value of the verifier received in the reply message from
+   the server may be "AUTH_NONE" or "AUTH_SHORT".  In the case of
+   "AUTH_SHORT", the bytes of the reply verifier's string encode an
+   opaque structure.  This new opaque structure may now be passed to the
+   server instead of the original "AUTH_SYS" flavor credential.  The
+   server may keep a cache which maps shorthand opaque structures
+   (passed back by way of an "AUTH_SHORT" style reply verifier) to the
+   original credentials of the caller.  The caller can save network
+   bandwidth and server cpu cycles by using the shorthand credential.
+
+   The server may flush the shorthand opaque structure at any time.  If
+   this happens, the remote procedure call message will be rejected due
+   to an authentication error.  The reason for the failure will be
+   "AUTH_REJECTEDCRED".  At this point, the client may wish to try the
+   original "AUTH_SYS" style of credential.
+
+   It should be noted that use of this flavor of authentication does not
+   guarantee any security for the users or providers of a service, in
+   itself.  The authentication provided by this scheme can be considered
+   legitimate only when applications using this scheme and the network
+   can be secured externally, and privileged transport addresses are
+   used for the communicating end-points (an example of this is the use
+   of privileged TCP/UDP ports in Unix systems - note that not all
+   systems enforce privileged transport address mechanisms).
+
+
+
+Srinivasan                  Standards Track                    [Page 16]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+REFERENCES
+
+   [1]  Birrell, A. D.  & Nelson, B. J., "Implementing Remote Procedure
+        Calls", XEROX CSL-83-7, October 1983.
+
+   [2]  Cheriton, D., "VMTP: Versatile Message Transaction Protocol",
+        Preliminary Version 0.3, Stanford University, January 1987.
+
+   [3]  Diffie & Hellman, "New Directions in Cryptography", IEEE
+        Transactions on Information Theory IT-22, November 1976.
+
+   [4]  Mills, D., "Network Time Protocol", RFC 1305, UDEL,
+        March 1992.
+
+   [5]  National Bureau of Standards, "Data Encryption Standard",
+        Federal Information Processing Standards Publication 46, January
+        1977.
+
+   [6]  Postel, J., "Transmission Control Protocol - DARPA Internet
+        Program Protocol Specification", STD 7, RFC 793, USC/Information
+        Sciences Institute, September 1981.
+
+   [7]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+        USC/Information Sciences Institute, August 1980.
+
+   [8]  Reynolds, J., and Postel, J., "Assigned Numbers", STD 2,
+        RFC 1700, USC/Information Sciences Institute, October 1994.
+
+   [9]  Srinivasan, R., "XDR: External Data Representation Standard",
+        RFC 1832, Sun Microsystems, Inc., August 1995.
+
+   [10] Miller, S., Neuman, C., Schiller, J., and  J. Saltzer, "Section
+        E.2.1: Kerberos  Authentication and Authorization System",
+        M.I.T. Project Athena, Cambridge, Massachusetts, December 21,
+        1987.
+
+   [11] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An
+        Authentication Service for Open Network Systems", pp. 191-202 in
+        Usenix Conference Proceedings, Dallas, Texas, February 1988.
+
+   [12] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
+        Service (V5)", RFC 1510, Digital Equipment Corporation,
+        USC/Information Sciences Institute, September 1993.
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 17]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+Security Considerations
+
+   Security issues are not discussed in this memo.
+
+Author's Address
+
+   Raj Srinivasan
+   Sun Microsystems, Inc.
+   ONC Technologies
+   2550 Garcia Avenue
+   M/S MTV-5-40
+   Mountain View, CA  94043
+   USA
+
+   Phone: 415-336-2478
+   Fax:   415-336-6015
+   EMail: raj@eng.sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 18]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc1964.txt b/crypto/heimdal/doc/standardisation/rfc1964.txt
new file mode 100644
index 0000000..f2960b9
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1964.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 1964                       OpenVision Technologies
+Category: Standards Track                                      June 1996
+
+
+                The Kerberos Version 5 GSS-API Mechanism
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+ABSTRACT
+
+   This specification defines protocols, procedures, and conventions to
+   be employed by peers implementing the Generic Security Service
+   Application Program Interface (as specified in RFCs 1508 and 1509)
+   when using Kerberos Version 5 technology (as specified in RFC 1510).
+
+ACKNOWLEDGMENTS
+
+   Much of the material in this memo is based on working documents
+   drafted by John Wray of Digital Equipment Corporation and on
+   discussions, implementation activities, and interoperability testing
+   involving Marc Horowitz, Ted Ts'o, and John Wray.  Particular thanks
+   are due to each of these individuals for their contributions towards
+   development and availability of GSS-API support within the Kerberos
+   Version 5 code base.
+
+1. Token Formats
+
+   This section discusses protocol-visible characteristics of the GSS-
+   API mechanism to be implemented atop Kerberos V5 security technology
+   per RFC-1508 and RFC-1510; it defines elements of protocol for
+   interoperability and is independent of language bindings per RFC-
+   1509.
+
+   Tokens transferred between GSS-API peers (for security context
+   management and per-message protection purposes) are defined.  The
+   data elements exchanged between a GSS-API endpoint implementation and
+   the Kerberos KDC are not specific to GSS-API usage and are therefore
+   defined within RFC-1510 rather than within this specification.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   To support ongoing experimentation, testing, and evolution of the
+   specification, the Kerberos V5 GSS-API mechanism as defined in this
+   and any successor memos will be identified with the following Object
+   Identifier, as defined in RFC-1510, until the specification is
+   advanced to the level of Proposed Standard RFC:
+
+   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
+
+   Upon advancement to the level of Proposed Standard RFC, the Kerberos
+   V5 GSS-API mechanism will be identified by an Object Identifier
+   having the value:
+
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+   gssapi(2) krb5(2)}
+
+1.1. Context Establishment Tokens
+
+   Per RFC-1508, Appendix B, the initial context establishment token
+   will be enclosed within framing as follows:
+
+   InitialContextToken ::=
+   [APPLICATION 0] IMPLICIT SEQUENCE {
+           thisMech        MechType
+                   -- MechType is OBJECT IDENTIFIER
+                   -- representing "Kerberos V5"
+           innerContextToken ANY DEFINED BY thisMech
+                   -- contents mechanism-specific;
+                   -- ASN.1 usage within innerContextToken
+                   -- is not required
+           }
+
+   The innerContextToken of the initial context token will consist of a
+   Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
+   (TOK_ID) field, which shall contain the value 01 00.
+
+   The above GSS-API framing shall be applied to all tokens emitted by
+   the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
+   context-deletion, and per-message tokens, not just to the initial
+   token in a context establishment sequence.  While not required by
+   RFC-1508, this enables implementations to perform enhanced error-
+   checking. The innerContextToken field of context establishment tokens
+   for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
+   (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
+   field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
+   messages and 03 00 for KRB_ERROR messages.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+1.1.1. Initial Token
+
+   Relevant KRB_AP_REQ syntax (from RFC-1510) is as follows:
+
+   AP-REQ ::= [APPLICATION 14] SEQUENCE {
+           pvno [0]        INTEGER,        -- indicates Version 5
+           msg-type [1]    INTEGER,        -- indicates KRB_AP_REQ
+           ap-options[2]   APOptions,
+           ticket[3]       Ticket,
+           authenticator[4]        EncryptedData
+   }
+
+   APOptions ::= BIT STRING {
+           reserved (0),
+           use-session-key (1),
+           mutual-required (2)
+   }
+
+   Ticket ::= [APPLICATION 1] SEQUENCE {
+           tkt-vno [0]     INTEGER,        -- indicates Version 5
+           realm [1]       Realm,
+           sname [2]       PrincipalName,
+           enc-part [3]    EncryptedData
+   }
+
+   -- Encrypted part of ticket
+   EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+           flags[0]        TicketFlags,
+           key[1]          EncryptionKey,
+           crealm[2]       Realm,
+           cname[3]        PrincipalName,
+           transited[4]    TransitedEncoding,
+           authtime[5]     KerberosTime,
+           starttime[6]    KerberosTime OPTIONAL,
+           endtime[7]      KerberosTime,
+           renew-till[8]   KerberosTime OPTIONAL,
+           caddr[9]        HostAddresses OPTIONAL,
+           authorization-data[10]  AuthorizationData OPTIONAL
+   }
+
+   -- Unencrypted authenticator
+   Authenticator ::= [APPLICATION 2] SEQUENCE  {
+           authenticator-vno[0]    INTEGER,
+           crealm[1]               Realm,
+           cname[2]                PrincipalName,
+           cksum[3]                Checksum OPTIONAL,
+           cusec[4]                INTEGER,
+           ctime[5]                KerberosTime,
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+           subkey[6]               EncryptionKey OPTIONAL,
+           seq-number[7]           INTEGER OPTIONAL,
+           authorization-data[8]   AuthorizationData OPTIONAL
+   }
+
+   For purposes of this specification, the authenticator shall include
+   the optional sequence number, and the checksum field shall be used to
+   convey channel binding, service flags, and optional delegation
+   information.  The checksum will have a type of 0x8003 (a value being
+   registered within the Kerberos protocol specification), and a value
+   field of at least 24 bytes in length.  The length of the value field
+   is extended beyond 24 bytes if and only if an optional facility to
+   carry a Kerberos-defined KRB_CRED message for delegation purposes is
+   supported by an implementation and active on a context. When
+   delegation is active, a TGT with its FORWARDABLE flag set will be
+   transferred within the KRB_CRED message.
+
+   The checksum value field's format is as follows:
+
+   Byte    Name    Description
+   0..3    Lgth    Number of bytes in Bnd field;
+                   Currently contains hex 10 00 00 00
+                   (16, represented in little-endian form)
+   4..19   Bnd     MD5 hash of channel bindings, taken over all non-null
+                   components of bindings, in order of declaration.
+                   Integer fields within channel bindings are represented
+                   in little-endian order for the purposes of the MD5
+                   calculation.
+   20..23  Flags   Bit vector of context-establishment flags,
+                   with values consistent with RFC-1509, p. 41:
+                           GSS_C_DELEG_FLAG:       1
+                           GSS_C_MUTUAL_FLAG:      2
+                           GSS_C_REPLAY_FLAG:      4
+                           GSS_C_SEQUENCE_FLAG:    8
+                           GSS_C_CONF_FLAG:        16
+                           GSS_C_INTEG_FLAG:       32
+                   The resulting bit vector is encoded into bytes 20..23
+                   in little-endian form.
+   24..25  DlgOpt  The Delegation Option identifier (=1) [optional]
+   26..27  Dlgth   The length of the Deleg field. [optional]
+   28..n   Deleg   A KRB_CRED message (n = Dlgth + 29) [optional]
+
+   In computing the contents of the "Bnd" field, the following detailed
+   points apply:
+
+        (1) Each integer field shall be formatted into four bytes, using
+        little-endian byte ordering, for purposes of MD5 hash
+        computation.
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+        (2) All input length fields within gss_buffer_desc elements of a
+        gss_channel_bindings_struct, even those which are zero-valued,
+        shall be included in the hash calculation; the value elements of
+        gss_buffer_desc elements shall be dereferenced, and the
+        resulting data shall be included within the hash computation,
+        only for the case of gss_buffer_desc elements having non-zero
+        length specifiers.
+
+        (3) If the caller passes the value GSS_C_NO_BINDINGS instead of
+        a valid channel bindings structure, the Bnd field shall be set
+        to 16 zero-valued bytes.
+
+   In the initial Kerberos V5 GSS-API mechanism token (KRB_AP_REQ token)
+   from initiator to target, the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+   GSS_C_REPLAY_FLAG, and GSS_C_SEQUENCE_FLAG values shall each be set
+   as the logical AND of the initiator's corresponding request flag to
+   GSS_Init_sec_context() and a Boolean indicator of whether that
+   optional service is available to GSS_Init_sec_context()'s caller.
+   GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG, for which no corresponding
+   context-level input indicator flags to GSS_Init_sec_context() exist,
+   shall each be set to indicate whether their respective per-message
+   protection services are available for use on the context being
+   established.
+
+   When input source address channel binding values are provided by a
+   caller (i.e., unless the input argument is GSS_C_NO_BINDINGS or the
+   source address specifier value within the input structure is
+   GSS_C_NULL_ADDRTYPE), and the corresponding token received from the
+   context's peer bears address restrictions, it is recommended that an
+   implementation of the Kerberos V5 GSS-API mechanism should check that
+   the source address as provided by the caller matches that in the
+   received token, and should return the GSS_S_BAD_BINDINGS major_status
+   value if a mismatch is detected. Note: discussion is ongoing about
+   the strength of recommendation to be made in this area, and on the
+   circumstances under which such a recommendation should be applicable;
+   implementors are therefore advised that changes on this matter may be
+   included in subsequent versions of this specification.
+
+1.1.2. Response Tokens
+
+   A context establishment sequence based on the Kerberos V5 mechanism
+   will perform one-way authentication (without confirmation or any
+   return token from target to initiator in response to the initiator's
+   KRB_AP_REQ) if the mutual_req bit is not set in the application's
+   call to GSS_Init_sec_context().  Applications requiring confirmation
+   that their authentication was successful should request mutual
+   authentication, resulting in a "mutual-required" indication within
+   KRB_AP_REQ APoptions and the setting of the mutual_req bit in the
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   flags field of the authenticator checksum.  In response to such a
+   request, the context target will reply to the initiator with a token
+   containing either a KRB_AP_REP or KRB_ERROR, completing the mutual
+   context establishment exchange.
+
+   Relevant KRB_AP_REP syntax is as follows:
+
+   AP-REP ::= [APPLICATION 15] SEQUENCE {
+           pvno [0]        INTEGER,        -- represents Kerberos V5
+           msg-type [1]    INTEGER,        -- represents KRB_AP_REP
+           enc-part [2]    EncryptedData
+   }
+
+   EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+           ctime [0]       KerberosTime,
+           cusec [1]       INTEGER,
+           subkey [2]      EncryptionKey OPTIONAL,
+           seq-number [3]  INTEGER OPTIONAL
+   }
+
+   The optional seq-number element within the AP-REP's EncAPRepPart
+   shall be included.
+
+   The syntax of KRB_ERROR is as follows:
+
+   KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+           pvno[0]         INTEGER,
+           msg-type[1]     INTEGER,
+           ctime[2]        KerberosTime OPTIONAL,
+           cusec[3]        INTEGER OPTIONAL,
+           stime[4]        KerberosTime,
+           susec[5]        INTEGER,
+           error-code[6]   INTEGER,
+           crealm[7]       Realm OPTIONAL,
+           cname[8]        PrincipalName OPTIONAL,
+           realm[9]        Realm, -- Correct realm
+           sname[10]       PrincipalName, -- Correct name
+           e-text[11]      GeneralString OPTIONAL,
+           e-data[12]      OCTET STRING OPTIONAL
+   }
+
+   Values to be transferred in the error-code field of a KRB-ERROR
+   message are defined in [RFC-1510], not in this specification.
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+1.2. Per-Message and Context Deletion Tokens
+
+   Three classes of tokens are defined in this section: "MIC" tokens,
+   emitted by calls to GSS_GetMIC() (formerly GSS_Sign()) and consumed
+   by calls to GSS_VerifyMIC() (formerly GSS_Verify()), "Wrap" tokens,
+   emitted by calls to GSS_Wrap() (formerly GSS_Seal()) and consumed by
+   calls to GSS_Unwrap() (formerly GSS_Unseal()), and context deletion
+   tokens, emitted by calls to GSS_Delete_sec_context() and consumed by
+   calls to GSS_Process_context_token().  Note: References to GSS-API
+   per-message routines in the remainder of this specification will be
+   based on those routines' newer recommended names rather than those
+   names' predecessors.
+
+   Several variants of cryptographic keys are used in generation and
+   processing of per-message tokens:
+
+        (1) context key: uses Kerberos session key (or subkey, if
+        present in authenticator emitted by context initiator) directly
+
+        (2) confidentiality key: forms variant of context key by
+        exclusive-OR with the hexadecimal constant f0f0f0f0f0f0f0f0.
+
+        (3) MD2.5 seed key: forms variant of context key by reversing
+        the bytes of the context key (i.e. if the original key is the
+        8-byte sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the seed key
+        will be {hh, gg, ff, ee, dd, cc, bb, aa}).
+
+1.2.1. Per-message Tokens - MIC
+
+Use of the GSS_GetMIC() call yields a token, separate from the user
+data being protected, which can be used to verify the integrity of
+that data as received.  The token has the following format:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_GetMIC() contain
+                                   the hex value 01 01 in this field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..23         SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   GSS-API tokens must be encapsulated within the higher-level protocol
+   by the application; no embedded length field is necessary.
+
+1.2.1.1. Checksum
+
+   Checksum calculation procedure (common to all algorithms): Checksums
+   are calculated over the data field, logically prepended by the first
+   8 bytes of the plaintext packet header.  The resulting value binds
+   the data to the packet type and signature algorithm identifier
+   fields.
+
+   DES MAC MD5 algorithm: The checksum is formed by computing an MD5
+   [RFC-1321] hash over the plaintext data, and then computing a DES-CBC
+   MAC on the 16-byte MD5 result.  A standard 64-bit DES-CBC MAC is
+   computed per [FIPS-PUB-113], employing the context key and a zero IV.
+   The 8-byte result is stored in the SGN_CKSUM field.
+
+   MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a
+   16-byte zero-block, using a zero IV and a key formed by reversing the
+   bytes of the context key (i.e. if the original key is the 8-byte
+   sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be
+   {hh, gg, ff, ee, dd, cc, bb, aa}).   The resulting 16-byte value is
+   logically prepended to the to-be-signed data.  A standard MD5
+   checksum is calculated over the combined data, and the first 8 bytes
+   of the result are stored in the SGN_CKSUM field.  Note 1: we refer to
+   this algorithm informally as "MD2.5" to connote the fact that it uses
+   half of the 128 bits generated by MD5; use of only a subset of the
+   MD5 bits is intended to protect against the prospect that data could
+   be postfixed to an existing message with corresponding modifications
+   being made to the checksum.  Note 2: This algorithm is fairly novel
+   and has received more limited evaluation than that to which other
+   integrity algorithms have been subjected.  An initial, limited
+   evaluation indicates that it may be significantly weaker than DES MAC
+   MD5.
+
+   DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the
+   plaintext data per [FIPS-PUB-113], employing the context key and a
+   zero IV. Padding procedures to accomodate plaintext data lengths
+   which may not be integral multiples of 8 bytes are defined in [FIPS-
+   PUB-113].  The result is an 8-byte value, which is stored in the
+   SGN_CKSUM field.  Support for this algorithm may not be present in
+   all implementations.
+
+1.2.1.2. Sequence Number
+
+   Sequence number field: The 8 byte plaintext sequence number field is
+   formed from the sender's four-byte sequence number as follows.  If
+   the four bytes of the sender's sequence number are named s0, s1, s2
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   and s3 (from least to most significant), the plaintext sequence
+   number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di,
+   di), where 'di' is the direction-indicator (Hex 0 - sender is the
+   context initiator, Hex FF - sender is the context acceptor).  The
+   field is then DES-CBC encrypted using the context key and an IV
+   formed from the first 8 bytes of the previously calculated SGN_CKSUM
+   field. After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's
+   sequence number is incremented by one.
+
+   The receiver of the token will first verify the SGN_CKSUM field.  If
+   valid, the sequence number field may be decrypted and compared to the
+   expected sequence number.  The repetition of the (effectively 1-bit)
+   direction indicator within the sequence number field provides
+   redundancy so that the receiver may verify that the decryption
+   succeeded.
+
+   Since the checksum computation is used as an IV to the sequence
+   number decryption, attempts to splice a checksum and sequence number
+   from different messages will be detected.  The direction indicator
+   will detect packets that have been maliciously reflected.
+
+   The sequence number provides a basis for detection of replayed
+   tokens.  Replay detection can be performed using state information
+   retained on received sequence numbers, interpreted in conjunction
+   with the security context on which they arrive.
+
+   Provision of per-message replay and out-of-sequence detection
+   services is optional for implementations of the Kerberos V5 GSS-API
+   mechanism.  Further, it is recommended that implementations of the
+   Kerberos V5 GSS-API mechanism which offer these services should honor
+   a caller's request that the services be disabled on a context.
+   Specifically, if replay_det_req_flag is input FALSE, replay_det_state
+   should be returned FALSE and the GSS_DUPLICATE_TOKEN and
+   GSS_OLD_TOKEN stati should not be indicated as a result of duplicate
+   detection when tokens are processed; if sequence_req_flag is input
+   FALSE, sequence_state should be returned FALSE and
+   GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN stati should
+   not be indicated as a result of out-of-sequence detection when tokens
+   are processed.
+
+1.2.2. Per-message Tokens - Wrap
+
+   Use of the GSS_Wrap() call yields a token which encapsulates the
+   input user data (optionally encrypted) along with associated
+   integrity check quantities. The token emitted by GSS_Wrap() consists
+   of an integrity header whose format is identical to that emitted by
+   GSS_GetMIC() (except that the TOK_ID field contains the value 02 01),
+   followed by a body portion that contains either the plaintext data
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   (if SEAL_ALG = ff ff) or encrypted data for any other supported value
+   of SEAL_ALG.  Currently, only SEAL_ALG = 00 00 is supported, and
+   means that DES-CBC encryption is being used to protect the data.
+
+   The GSS_Wrap() token has the following format:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_Wrap() contain
+                                   the hex value 02 01 in this field.
+    2..3           SGN_ALG         Checksum algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..5           SEAL_ALG        ff ff - none
+                                   00 00 - DES
+    6..7           Filler          Contains ff ff
+    8..15          SND_SEQ         Encrypted sequence number field.
+    16..23         SGN_CKSUM       Checksum of plaintext padded data,
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+    24..last       Data            encrypted or plaintext padded data
+
+   GSS-API tokens must be encapsulated within the higher-level protocol
+   by the application; no embedded length field is necessary.
+
+1.2.2.1. Checksum
+
+   Checksum calculation procedure (common to all algorithms): Checksums
+   are calculated over the plaintext padded data field, logically
+   prepended by the first 8 bytes of the plaintext packet header.  The
+   resulting signature binds the data to the packet type, protocol
+   version, and signature algorithm identifier fields.
+
+   DES MAC MD5 algorithm: The checksum is formed by computing an MD5
+   hash over the plaintext padded data, and then computing a DES-CBC MAC
+   on the 16-byte MD5 result.  A standard 64-bit DES-CBC MAC is computed
+   per [FIPS-PUB-113], employing the context key and a zero IV. The 8-
+   byte result is stored in the SGN_CKSUM field.
+
+   MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a
+   16-byte zero-block, using a zero IV and a key formed by reversing the
+   bytes of the context key (i.e., if the original key is the 8-byte
+   sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be
+   {hh, gg, ff, ee, dd, cc, bb, aa}). The resulting 16-byte value is
+   logically pre-pended to the "to-be-signed data".  A standard MD5
+   checksum is calculated over the combined data, and the first 8 bytes
+   of the result are stored in the SGN_CKSUM field.
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the
+   plaintext padded data per [FIPS-PUB-113], employing the context key
+   and a zero IV. The plaintext padded data is already assured to be an
+   integral multiple of 8 bytes; no additional padding is required or
+   applied in order to accomplish MAC calculation.  The result is an 8-
+   byte value, which is stored in the SGN_CKSUM field.  Support for this
+   lgorithm may not be present in all implementations.
+
+1.2.2.2. Sequence Number
+
+   Sequence number field: The 8 byte plaintext sequence number field is
+   formed from the sender's four-byte sequence number as follows.  If
+   the four bytes of the sender's sequence number are named s0, s1, s2
+   and s3 (from least to most significant), the plaintext sequence
+   number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di,
+   di), where 'di' is the direction-indicator (Hex 0 - sender is the
+   context initiator, Hex FF - sender is the context acceptor).
+
+   The field is then DES-CBC encrypted using the context key and an IV
+   formed from the first 8 bytes of the SEAL_CKSUM field.
+
+   After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's
+   sequence numbers are incremented by one.
+
+1.2.2.3. Padding
+
+   Data padding: Before encryption and/or signature calculation,
+   plaintext data is padded to the next highest multiple of 8 bytes, by
+   appending between 1 and 8 bytes, the value of each such byte being
+   the total number of pad bytes.  For example, given data of length 20
+   bytes, four pad bytes will be appended, and each byte will contain
+   the hex value 04.  An 8-byte random confounder is prepended to the
+   data, and signatures are calculated over the resulting padded
+   plaintext.
+
+   After padding, the data is encrypted according to the algorithm
+   specified in the SEAL_ALG field.  For SEAL_ALG=DES (the only non-null
+   algorithm currently supported), the data is encrypted using DES-CBC,
+   with an IV of zero.  The key used is derived from the established
+   context key by XOR-ing the context key with the hexadecimal constant
+   f0f0f0f0f0f0f0f0.
+
+1.2.3. Context deletion token
+
+   The token emitted by GSS_Delete_sec_context() is based on the packet
+   format for tokens emitted by GSS_GetMIC().  The context-deletion
+   token has the following format:
+
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by
+                                   GSS_Delete_sec_context() contain
+                                   the hex value 01 02 in this field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..23         SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+   SGN_ALG and SND_SEQ will be calculated as for tokens emitted by
+   GSS_GetMIC().  The SGN_CKSUM will be calculated as for tokens emitted
+   by GSS_GetMIC(), except that the user-data component of the "to-be-
+   signed" data will be a zero-length string.
+
+2. Name Types and Object Identifiers
+
+   This section discusses the name types which may be passed as input to
+   the Kerberos V5 GSS-API mechanism's GSS_Import_name() call, and their
+   associated identifier values.  It defines interface elements in
+   support of portability, and assumes use of C language bindings per
+   RFC-1509.  In addition to specifying OID values for name type
+   identifiers, symbolic names are included and recommended to GSS-API
+   implementors in the interests of convenience to callers.  It is
+   understood that not all implementations of the Kerberos V5 GSS-API
+   mechanism need support all name types in this list, and that
+   additional name forms will likely be added to this list over time.
+   Further, the definitions of some or all name types may later migrate
+   to other, mechanism-independent, specifications. The occurrence of a
+   name type in this specification is specifically not intended to
+   suggest that the type may be supported only by an implementation of
+   the Kerberos V5 mechanism.   In particular, the occurrence of the
+   string "_KRB5_" in the symbolic name strings constitutes a means to
+   unambiguously register the name strings, avoiding collision with
+   other documents; it is not meant to limit the name types' usage or
+   applicability.
+
+   For purposes of clarification to GSS-API implementors, this section's
+   discussion of some name forms describes means through which those
+   forms can be supported with existing Kerberos technology.  These
+   discussions are not intended to preclude alternative implementation
+   strategies for support of the name forms within Kerberos mechanisms
+   or mechanisms based on other technologies.  To enhance application
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   portability, implementors of mechanisms are encouraged to support
+   name forms as defined in this section, even if their mechanisms are
+   independent of Kerberos V5.
+
+2.1. Mandatory Name Forms
+
+   This section discusses name forms which are to be supported by all
+   conformant implementations of the Kerberos V5 GSS-API mechanism.
+
+2.1.1. Kerberos Principal Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
+   is "GSS_KRB5_NT_PRINCIPAL_NAME".
+
+   This name type corresponds to the single-string representation of a
+   Kerberos name.  (Within the MIT Kerberos V5 implementation, such
+   names are parseable with the krb5_parse_name() function.)  The
+   elements included within this name representation are as follows,
+   proceeding from the beginning of the string:
+
+        (1) One or more principal name components; if more than one
+        principal name component is included, the components are
+        separated by `/`.  Arbitrary octets may be included within
+        principal name components, with the following constraints and
+        special considerations:
+
+           (1a) Any occurrence of the characters `@` or `/` within a
+           name component must be immediately preceded by the `\`
+           quoting character, to prevent interpretation as a component
+           or realm separator.
+
+           (1b) The ASCII newline, tab, backspace, and null characters
+           may occur directly within the component or may be
+           represented, respectively, by `\n`, `\t`, `\b`, or `\0`.
+
+           (1c) If the `\` quoting character occurs outside the contexts
+           described in (1a) and (1b) above, the following character is
+           interpreted literally.  As a special case, this allows the
+           doubled representation `\\` to represent a single occurrence
+           of the quoting character.
+
+           (1d) An occurrence of the `\` quoting character as the last
+           character of a component is illegal.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+        (2) Optionally, a `@` character, signifying that a realm name
+        immediately follows. If no realm name element is included, the
+        local realm name is assumed.  The `/` , `:`, and null characters
+        may not occur within a realm name; the `@`, newline, tab, and
+        backspace characters may be included using the quoting
+        conventions described in (1a), (1b), and (1c) above.
+
+2.1.2. Host-Based Service Name Form
+
+   This name form has been incorporated at the mechanism-independent
+   GSS-API level as of GSS-API, Version 2.  This subsection retains the
+   Object Identifier and symbolic name assignments previously made at
+   the Kerberos V5 GSS-API mechanism level, and adopts the definition as
+   promoted to the mechanism-independent level.
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) service_name(4)}.  The previously recommended symbolic
+   name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
+   currently preferred symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+   This name type is used to represent services associated with host
+   computers.  This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+      service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   is canonicalized by attempting a DNS lookup and using the fully-
+   qualified domain name which is returned, or by using the "hostname"
+   as provided if the DNS lookup fails.  The canonicalization operation
+   also maps the host's name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Values for the "service" element will be registered with the IANA.
+
+2.1.3. Exported Name Object Form for Kerberos V5 Mechanism
+
+   Support for this name form is not required for GSS-V1
+   implementations, but will be required for use in conjunction with the
+   GSS_Export_name() call planned for GSS-API Version 2.  Use of this
+   name form will be signified by a "GSS-API Exported Name Object" OID
+   value which will be defined at the mechanism-independent level for
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   GSS-API Version 2.
+
+   This name type represents a self-describing object, whose framing
+   structure will be defined at the mechanism-independent level for
+   GSS-API Version 2.  When generated by the Kerberos V5 mechanism, the
+   Mechanism OID within the exportable name shall be that of the
+   Kerberos V5 mechanism.  The name component within the exportable name
+   shall be a contiguous string with structure as defined for the
+   Kerberos Principal Name Form.
+
+   In order to achieve a distinguished encoding for comparison purposes,
+   the following additional constraints are imposed on the export
+   operation:
+
+        (1) all occurrences of the characters `@`,  `/`, and `\` within
+        principal components or realm names shall be quoted with an
+        immediately-preceding `\`.
+
+        (2) all occurrences of the null, backspace, tab, or newline
+        characters within principal components or realm names will be
+        represented, respectively, with `\0`, `\b`, `\t`, or `\n`.
+
+        (3) the `\` quoting character shall not be emitted within an
+        exported name except to accomodate cases (1) and (2).
+
+2.2. Optional Name Forms
+
+   This section discusses additional name forms which may optionally be
+   supported by implementations of the Kerberos V5 GSS-API mechanism.
+   It is recognized that some of the name forms cited here are derived
+   from UNIX(tm) operating system platforms; some listed forms may be
+   irrelevant to non-UNIX platforms, and definition of additional forms
+   corresponding to such platforms may also be appropriate.  It is also
+   recognized that OS-specific functions outside GSS-API are likely to
+   exist in order to perform translations among these forms, and that
+   GSS-API implementations supporting these forms may themselves be
+   layered atop such OS-specific functions.  Inclusion of this support
+   within GSS-API implementations is intended as a convenience to
+   applications.
+
+2.2.1. User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}.  The recommended symbolic name for this
+   type is "GSS_KRB5_NT_USER_NAME".
+
+   This name type is used to indicate a named user on a local system.
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   Its interpretation is OS-specific.  This name form is constructed as:
+
+      username
+
+   Assuming that users' principal names are the same as their local
+   operating system names, an implementation of GSS_Import_name() based
+   on Kerberos V5 technology can process names of this form by
+   postfixing an "@" sign and the name of the local realm.
+
+2.2.2. Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
+   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant uid_t, represented in host byte
+   order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+2.2.3. String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_KRB5_NT_STRING_UID_NAME".
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the uid_t.
+
+3. Credentials Management
+
+   The Kerberos V5 protocol uses different credentials (in the GSSAPI
+   sense) for initiating and accepting security contexts.  Normal
+   clients receive a ticket-granting ticket (TGT) and an associated
+   session key at "login" time; the pair of a TGT and its corresponding
+   session key forms a credential which is suitable for initiating
+   security contexts.  A ticket-granting ticket, its session key, and
+   any other (ticket, key) pairs obtained through use of the ticket-
+   granting-ticket, are typically stored in a Kerberos V5 credentials
+   cache, sometimes known as a ticket file.
+
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   The encryption key used by the Kerberos server to seal tickets for a
+   particular application service forms the credentials suitable for
+   accepting security contexts.  These service keys are typically stored
+   in a Kerberos V5 key table, or srvtab file.  In addition to their use
+   as accepting credentials, these service keys may also be used to
+   obtain initiating credentials for their service principal.
+
+   The Kerberos V5 mechanism's credential handle may contain references
+   to either or both types of credentials.  It is a local matter how the
+   Kerberos V5 mechanism implementation finds the appropriate Kerberos
+   V5 credentials cache or key table.
+
+   However, when the Kerberos V5 mechanism attempts to obtain initiating
+   credentials for a service principal which are not available in a
+   credentials cache, and the key for that service principal is
+   available in a Kerberos V5 key table, the mechanism should use the
+   service key to obtain initiating credentials for that service.  This
+   should be accomplished by requesting a ticket-granting-ticket from
+   the Kerberos Key Distribution Center (KDC), and decrypting the KDC's
+   reply using the service key.
+
+4. Parameter Definitions
+
+   This section defines parameter values used by the Kerberos V5 GSS-API
+   mechanism.  It defines interface elements in support of portability,
+   and assumes use of C language bindings per RFC-1509.
+
+4.1. Minor Status Codes
+
+   This section recommends common symbolic names for minor_status values
+   to be returned by the Kerberos V5 GSS-API mechanism.  Use of these
+   definitions will enable independent implementors to enhance
+   application portability across different implementations of the
+   mechanism defined in this specification.  (In all cases,
+   implementations of GSS_Display_status() will enable callers to
+   convert minor_status indicators to text representations.) Each
+   implementation should make available, through include files or other
+   means, a facility to translate these symbolic names into the concrete
+   values which a particular GSS-API implementation uses to represent
+   the minor_status values specified in this section.
+
+   It is recognized that this list may grow over time, and that the need
+   for additional minor_status codes specific to particular
+   implementations may arise.  It is recommended, however, that
+   implementations should return a minor_status value as defined on a
+   mechanism-wide basis within this section when that code is accurately
+   representative of reportable status rather than using a separate,
+   implementation-defined code.
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+4.1.1. Non-Kerberos-specific codes
+
+   GSS_KRB5_S_G_BAD_SERVICE_NAME
+           /* "No @ in SERVICE-NAME name string" */
+   GSS_KRB5_S_G_BAD_STRING_UID
+           /* "STRING-UID-NAME contains nondigits" */
+   GSS_KRB5_S_G_NOUSER
+           /* "UID does not resolve to username" */
+   GSS_KRB5_S_G_VALIDATE_FAILED
+           /* "Validation error" */
+   GSS_KRB5_S_G_BUFFER_ALLOC
+           /* "Couldn't allocate gss_buffer_t data" */
+   GSS_KRB5_S_G_BAD_MSG_CTX
+           /* "Message context invalid" */
+   GSS_KRB5_S_G_WRONG_SIZE
+           /* "Buffer is the wrong size" */
+   GSS_KRB5_S_G_BAD_USAGE
+           /* "Credential usage type is unknown" */
+   GSS_KRB5_S_G_UNKNOWN_QOP
+           /* "Unknown quality of protection specified" */
+
+4.1.2. Kerberos-specific-codes
+
+   GSS_KRB5_S_KG_CCACHE_NOMATCH
+           /* "Principal in credential cache does not match desired name" */
+   GSS_KRB5_S_KG_KEYTAB_NOMATCH
+           /* "No principal in keytab matches desired name" */
+   GSS_KRB5_S_KG_TGT_MISSING
+           /* "Credential cache has no TGT" */
+   GSS_KRB5_S_KG_NO_SUBKEY
+           /* "Authenticator has no subkey" */
+   GSS_KRB5_S_KG_CONTEXT_ESTABLISHED
+           /* "Context is already fully established" */
+   GSS_KRB5_S_KG_BAD_SIGN_TYPE
+           /* "Unknown signature type in token" */
+   GSS_KRB5_S_KG_BAD_LENGTH
+           /* "Invalid field length in token" */
+   GSS_KRB5_S_KG_CTX_INCOMPLETE
+           /* "Attempt to use incomplete security context" */
+
+4.2. Quality of Protection Values
+
+   This section defines Quality of Protection (QOP) values to be used
+   with the Kerberos V5 GSS-API mechanism as input to GSS_Wrap() and
+   GSS_GetMIC() routines in order to select among alternate integrity
+   and confidentiality algorithms. Additional QOP values may be added in
+   future versions of this specification.  Non-overlapping bit positions
+   are and will be employed in order that both integrity and
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   confidentiality QOP may be selected within a single parameter, via
+   inclusive-OR of the specified integrity and confidentiality values.
+
+4.2.1. Integrity Algorithms
+
+   The following Quality of Protection (QOP) values are currently
+   defined for the Kerberos V5 GSS-API mechanism, and are used to select
+   among alternate integrity checking algorithms.
+
+   GSS_KRB5_INTEG_C_QOP_MD5        (numeric value: 1)
+           /* Integrity using partial MD5 ("MD2.5") of plaintext */
+
+   GSS_KRB5_INTEG_C_QOP_DES_MD5    (numeric value: 2)
+           /* Integrity using DES MAC of MD5 of plaintext */
+
+   GSS_KRB5_INTEG_C_QOP_DES_MAC    (numeric value: 3)
+           /* Integrity using DES MAC of plaintext */
+
+4.2.2. Confidentiality Algorithms
+
+   Only one confidentiality QOP value is currently defined for the
+   Kerberos V5 GSS-API mechanism:
+
+   GSS_KRB5_CONF_C_QOP_DES         (numeric value: 0)
+           /* Confidentiality with DES */
+
+   Note: confidentiality QOP should be indicated only by GSS-API calls
+   capable of providing confidentiality services. If non-zero
+   confidentiality QOP values are defined in future to represent
+   different algorithms, therefore, the bit positions containing those
+   values should be cleared before being returned by implementations of
+   GSS_GetMIC() and GSS_VerifyMIC().
+
+4.3. Buffer Sizes
+
+   All implementations of this specification shall be capable of
+   accepting buffers of at least 16 Kbytes as input to GSS_GetMIC(),
+   GSS_VerifyMIC(), and GSS_Wrap(), and shall be capable of accepting
+   the output_token generated by GSS_Wrap() for a 16 Kbyte input buffer
+   as input to GSS_Unwrap(). Support for larger buffer sizes is optional
+   but recommended.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+5. Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+6. References
+
+
+   [RFC-1321]: Rivest, R., "The MD5 Message-Digest Algorithm", RFC
+   1321, April 1992.
+
+   [RFC-1508]: Linn, J., "Generic Security Service Application Program
+   Interface", RFC 1508, September 1993.
+
+   [RFC-1509]: Wray, J., "Generic Security Service Application Program
+   Interface: C-bindings", RFC 1509, September 1993.
+
+   [RFC-1510]: Kohl, J., and C. Neuman, "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [FIPS-PUB-113]: National Bureau of Standards, Federal Information
+   Processing Standard 113, "Computer Data Authentication", May 1985.
+
+AUTHOR'S ADDRESS
+
+   John Linn
+   OpenVision Technologies
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.2245
+   EMail: John.Linn@ov.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 20]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2078.txt b/crypto/heimdal/doc/standardisation/rfc2078.txt
new file mode 100644
index 0000000..1dd1e4a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2078.txt
@@ -0,0 +1,4763 @@
+
+
+
+
+
+
+Network Working Group                                           J. Linn
+Request for Comments: 2078                      OpenVision Technologies
+Category: Standards Track                                  January 1997
+Obsoletes: 1508
+
+
+   Generic Security Service Application Program Interface, Version 2
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   The Generic Security Service Application Program Interface (GSS-API),
+   as defined in RFC-1508, provides security services to callers in a
+   generic fashion, supportable with a range of underlying mechanisms
+   and technologies and hence allowing source-level portability of
+   applications to different environments. This specification defines
+   GSS-API services and primitives at a level independent of underlying
+   mechanism and programming language environment, and is to be
+   complemented by other, related specifications:
+
+      documents defining specific parameter bindings for particular
+      language environments
+
+      documents defining token formats, protocols, and procedures to be
+      implemented in order to realize GSS-API services atop particular
+      security mechanisms
+
+   This memo revises RFC-1508, making specific, incremental changes in
+   response to implementation experience and liaison requests. It is
+   intended, therefore, that this memo or a successor version thereto
+   will become the basis for subsequent progression of the GSS-API
+   specification on the standards track.
+
+Table of Contents
+
+   1: GSS-API Characteristics and Concepts..........................  3
+   1.1: GSS-API Constructs..........................................  6
+   1.1.1:  Credentials..............................................  6
+   1.1.1.1: Credential Constructs and Concepts......................  6
+   1.1.1.2: Credential Management...................................  7
+   1.1.1.3: Default Credential Resolution...........................  8
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   1.1.2: Tokens....................................................  9
+   1.1.3:  Security Contexts........................................ 10
+   1.1.4:  Mechanism Types.......................................... 11
+   1.1.5:  Naming................................................... 12
+   1.1.6:  Channel Bindings......................................... 14
+   1.2:  GSS-API Features and Issues................................ 15
+   1.2.1:  Status Reporting......................................... 15
+   1.2.2: Per-Message Security Service Availability................. 17
+   1.2.3: Per-Message Replay Detection and Sequencing............... 18
+   1.2.4:  Quality of Protection.................................... 20
+   1.2.5: Anonymity Support......................................... 21
+   1.2.6: Initialization............................................ 22
+   1.2.7: Per-Message Protection During Context Establishment....... 22
+   1.2.8: Implementation Robustness................................. 23
+   2:  Interface Descriptions....................................... 23
+   2.1:  Credential management calls................................ 25
+   2.1.1:  GSS_Acquire_cred call.................................... 26
+   2.1.2:  GSS_Release_cred call.................................... 28
+   2.1.3:  GSS_Inquire_cred call.................................... 29
+   2.1.4:  GSS_Add_cred call........................................ 31
+   2.1.5:  GSS_Inquire_cred_by_mech call............................ 33
+   2.2:  Context-level calls........................................ 34
+   2.2.1:  GSS_Init_sec_context call................................ 34
+   2.2.2:  GSS_Accept_sec_context call.............................. 40
+   2.2.3:  GSS_Delete_sec_context call.............................. 44
+   2.2.4:  GSS_Process_context_token call........................... 46
+   2.2.5:  GSS_Context_time call.................................... 47
+   2.2.6:  GSS_Inquire_context call................................. 47
+   2.2.7:  GSS_Wrap_size_limit call................................. 49
+   2.2.8:  GSS_Export_sec_context call.............................. 50
+   2.2.9:  GSS_Import_sec_context call.............................. 52
+   2.3:  Per-message calls.......................................... 53
+   2.3.1:  GSS_GetMIC call.......................................... 54
+   2.3.2:  GSS_VerifyMIC call....................................... 55
+   2.3.3:  GSS_Wrap call............................................ 56
+   2.3.4:  GSS_Unwrap call.......................................... 58
+   2.4:  Support calls.............................................. 59
+   2.4.1:  GSS_Display_status call.................................. 60
+   2.4.2:  GSS_Indicate_mechs call.................................. 60
+   2.4.3:  GSS_Compare_name call.................................... 61
+   2.4.4:  GSS_Display_name call.................................... 62
+   2.4.5:  GSS_Import_name call..................................... 63
+   2.4.6:  GSS_Release_name call.................................... 64
+   2.4.7:  GSS_Release_buffer call.................................. 65
+   2.4.8:  GSS_Release_OID_set call................................. 65
+   2.4.9:  GSS_Create_empty_OID_set call............................ 66
+   2.4.10: GSS_Add_OID_set_member call.............................. 67
+   2.4.11: GSS_Test_OID_set_member call............................. 67
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   2.4.12: GSS_Release_OID call..................................... 68
+   2.4.13: GSS_OID_to_str call...................................... 68
+   2.4.14: GSS_Str_to_OID call...................................... 69
+   2.4.15: GSS_Inquire_names_for_mech call.......................... 69
+   2.4.16: GSS_Inquire_mechs_for_name call.......................... 70
+   2.4.17: GSS_Canonicalize_name call............................... 71
+   2.4.18: GSS_Export_name call..................................... 72
+   2.4.19: GSS_Duplicate_name call.................................. 73
+   3: Data Structure Definitions for GSS-V2 Usage................... 73
+   3.1: Mechanism-Independent Token Format.......................... 74
+   3.2: Mechanism-Independent Exported Name Object Format........... 77
+   4: Name Type Definitions......................................... 77
+   4.1: Host-Based Service Name Form................................ 77
+   4.2: User Name Form.............................................. 78
+   4.3: Machine UID Form............................................ 78
+   4.4: String UID Form............................................. 79
+   5:  Mechanism-Specific Example Scenarios......................... 79
+   5.1: Kerberos V5, single-TGT..................................... 79
+   5.2: Kerberos V5, double-TGT..................................... 80
+   5.3:  X.509 Authentication Framework............................. 81
+   6:  Security Considerations...................................... 82
+   7:  Related Activities........................................... 82
+   Appendix A: Mechanism Design Constraints......................... 83
+   Appendix B: Compatibility with GSS-V1............................ 83
+
+1: GSS-API Characteristics and Concepts
+
+   GSS-API operates in the following paradigm.  A typical GSS-API caller
+   is itself a communications protocol, calling on GSS-API in order to
+   protect its communications with authentication, integrity, and/or
+   confidentiality security services.  A GSS-API caller accepts tokens
+   provided to it by its local GSS-API implementation and transfers the
+   tokens to a peer on a remote system; that peer passes the received
+   tokens to its local GSS-API implementation for processing. The
+   security services available through GSS-API in this fashion are
+   implementable (and have been implemented) over a range of underlying
+   mechanisms based on secret-key and public-key cryptographic
+   technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication (This
+   security service definition, and other definitions used in this
+   document, corresponds to that provided in International Standard ISO
+   7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context()  and
+   GSS_Accept_sec_context() calls), from the operations of providing
+   per-message data origin authentication and data integrity protection
+   (GSS_GetMIC()  and GSS_VerifyMIC()  calls) for messages subsequently
+   transferred in conjunction with that context.  When establishing a
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   security context, the GSS-API enables a context initiator to
+   optionally permit its credentials to be delegated, meaning that the
+   context acceptor may initiate further security contexts on behalf of
+   the initiating caller. Per-message GSS_Wrap()  and GSS_Unwrap() calls
+   provide the data origin authentication and data integrity services
+   which GSS_GetMIC()  and GSS_VerifyMIC() offer, and also support
+   selection of confidentiality services as a caller option.  Additional
+   calls provide supportive functions to the GSS-API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example assumes that the
+   underlying authentication technology is capable of authenticating a
+   client to a server using elements carried within a single token, and
+   of authenticating the server to the client (mutual authentication)
+   with a single returned token; this assumption holds for presently-
+   documented CAT mechanisms but is not necessarily true for other
+   cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context()  to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context()  returns an
+   output_token to be passed to the server, and indicates
+   GSS_S_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context()  would have returned
+   GSS_S_COMPLETE status. The client sends the output_token to the
+   server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_S_COMPLETE status, provides the client's authenticated identity
+   in the src_name result, and provides an output_token to be passed to
+   the client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(),  which processes data
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context()  returns
+   GSS_S_COMPLETE status, indicating successful mutual authentication
+   and the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Wrap().
+   GSS_Wrap() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   encapsulates the result into output_message, indicating
+   GSS_S_COMPLETE status. The client sends the output_message to the
+   server.
+
+   The server passes the received message to GSS_Unwrap().  GSS_Unwrap()
+   inverts the encapsulation performed by GSS_Wrap(),  deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unwrap()  indicates successful validation by
+   returning GSS_S_COMPLETE status along with the resultant
+   output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information.  Optionally, the server-side application
+   may provide a token buffer to GSS_Delete_sec_context(), to receive a
+   context_token to be transferred to the client in order to request
+   that client-side context-level information be deleted.
+
+   If a context_token is transferred, the client passes the
+   context_token to GSS_Process_context_token(), which returns
+   GSS_S_COMPLETE status after deleting context-level information at the
+   client system.
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services can be implemented by secret-key technologies (e.g.,
+      Kerberos) or public-key approaches (e.g., X.509).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol (e.g.,
+      Remote Procedure Call (RPC)) may be interposed between
+      applications which call that protocol and the GSS-API, thereby
+      invoking GSS-API facilities in conjunction with that protocol's
+      communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1: GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1:  Credentials
+
+1.1.1.1: Credential Constructs and Concepts
+
+   Credentials provide the prerequisites which permit GSS-API peers to
+   establish security contexts with each other. A caller may designate
+   that the credential elements which are to be applied for context
+   initiation or acceptance be selected by default.  Alternately, those
+   GSS-API callers which need to make explicit selection of particular
+   credentials structures may make references to those credentials
+   through GSS-API-provided credential handles ("cred_handles").  In all
+   cases, callers' credential references are indirect, mediated by GSS-
+   API implementations and not requiring callers to access the selected
+   credential elements.
+
+   A single credential structure may be used to initiate outbound
+   contexts and to accept inbound contexts. Callers needing to operate
+   in only one of these modes may designate this fact when credentials
+   are acquired for use, allowing underlying mechanisms to optimize
+   their processing and storage requirements. The credential elements
+   defined by a particular mechanism may contain multiple cryptographic
+   keys, e.g., to enable authentication and message encryption to be
+   performed with different algorithms.
+
+   A GSS-API credential structure may contain multiple credential
+   elements, each containing mechanism-specific information for a
+   particular underlying mechanism (mech_type), but the set of elements
+   within a given credential structure represent a common entity.  A
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation. Each
+   credential element identifies the data needed by its mechanism in
+   order to establish contexts on behalf of a particular principal, and
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   may contain separate credential references for use in context
+   initiation and context acceptance.  Multiple credential elements
+   within a given credential having overlapping combinations of
+   mechanism, usage mode, and validity period are not permitted.
+
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target. A major
+   motivation for supporting credential sets representing multiple
+   mech_types is to allow initiators on systems which are equipped to
+   handle multiple types to initiate contexts to targets on other
+   systems which can accommodate only a subset of the set supported at
+   the initiator's system.
+
+1.1.1.2: Credential Management
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      to comprise default credential elements to be installed, and to be
+      used when default credential behavior is requested on behalf of a
+      process
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+1.1.1.3: Default Credential Resolution
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow
+   the value GSS_C_NO_CREDENTIAL to be specified as their credential
+   handle parameter.  This special credential-handle indicates a desire
+   by the application to act as a default principal.  While individual
+   GSS-API implementations are free to determine such default behavior
+   as appropriate to the mechanism, the following default behavior by
+   these routines is recommended for portability:
+
+   GSS_Init_sec_context:
+
+      (i) If there is only a single principal capable of initiating
+      security contexts that the application is authorized to act on
+      behalf of, then that principal shall be used, otherwise
+
+      (ii) If the platform maintains a concept of a default network-
+      identity, and if the application is authorized to act on behalf of
+      that identity for the purpose of initiating security contexts,
+      then the principal corresponding to that identity shall be used,
+      otherwise
+
+      (iii) If the platform maintains a concept of a default local
+      identity, and provides a means to map local identities into
+      network-identities, and if the application is authorized to act on
+      behalf of the network-identity image of the default local identity
+      for the purpose of initiating security contexts, then the
+      principal corresponding to that identity shall be used, otherwise
+
+      (iv) A user-configurable default identity should be used.
+
+   GSS_Accept_sec_context:
+
+      (i) If there is only a single authorized principal identity
+      capable of accepting security contexts, then that principal shall
+      be used, otherwise
+
+      (ii) If the mechanism can determine the identity of the target
+      principal by examining the context-establishment token, and if the
+      accepting application is authorized to act as that principal for
+      the purpose of accepting security contexts, then that principal
+      identity shall be used, otherwise
+
+      (iii) If the mechanism supports context acceptance by any
+      principal, and mutual authentication was not requested, any
+      principal that the application is authorized to accept security
+      contexts under may be used, otherwise
+
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than ones
+   that use GSS_Acquire_cred to request a specific identity.
+
+1.1.2: Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens relate to an established context and are exchanged to provide
+   protective security services (i.e., data origin authentication,
+   integrity, and optional confidentiality) for corresponding data
+   messages.
+
+   The first context-level token obtained from GSS_Init_sec_context() is
+   required to indicate at its very beginning a globally-interpretable
+   mechanism identifier, i.e., an Object Identifier (OID) of the
+   security mechanism. The remaining part of this token as well as the
+   whole content of all other tokens are specific to the particular
+   underlying mechanism used to support the GSS-API. Section 3 of this
+   document provides, for designers of GSS-API support mechanisms, the
+   description of the header of the first context-level token which is
+   then followed by mechanism-specific information.
+
+   Tokens' contents are opaque from the viewpoint of GSS-API callers.
+   They are generated within the GSS-API implementation at an end
+   system, provided to a GSS-API caller to be transferred to the peer
+   GSS-API caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system. Tokens may be output by
+   GSS-API calls (and should be transferred to GSS-API peers) whether or
+   not the calls' status indicators indicate successful completion.
+   Token transfer may take place in an in-band manner, integrated into
+   the same protocol stream used by the GSS-API callers for other data
+   transfers, or in an out-of-band manner across a logically separate
+   channel.
+
+   Different GSS-API tokens are used for different purposes (e.g.,
+   context initiation, context acceptance, protected message data on an
+   established context), and it is the responsibility of a GSS-API
+   caller receiving tokens to distinguish their types, associate them
+   with corresponding security contexts, and pass them to appropriate
+   GSS-API processing routines.  Depending on the caller protocol
+   environment, this distinction may be accomplished in several ways.
+
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following examples illustrate means through which tokens' types
+   may be distinguished:
+
+      - implicit tagging based on state information (e.g., all tokens on
+      a new association are considered to be context establishment
+      tokens until context establishment is completed, at which point
+      all tokens are considered to be wrapped data objects for that
+      context),
+
+      - explicit tagging at the caller protocol level,
+
+      - a hybrid of these approaches.
+
+   Commonly, the encapsulated data within a token includes internal
+   mechanism-specific tagging information, enabling mechanism-level
+   processing modules to distinguish tokens used within the mechanism
+   for different purposes.  Such internal mechanism-level tagging is
+   recommended to mechanism designers, and enables mechanisms to
+   determine whether a caller has passed a particular token for
+   processing by an inappropriate GSS-API routine.
+
+   Development of GSS-API support primitives based on a particular
+   underlying cryptographic technique and protocol (i.e., conformant to
+   a specific GSS-API mechanism definition) does not necessarily imply
+   that GSS-API callers using that GSS-API mechanism will be able to
+   interoperate with peers invoking the same technique and protocol
+   outside the GSS-API paradigm, or with peers implementing a different
+   GSS-API mechanism based on the same underlying technology.  The
+   format of GSS-API tokens defined in conjunction with a particular
+   mechanism, and the techniques used to integrate those tokens into
+   callers' protocols, may not be interoperable with the tokens used by
+   non-GSS-API callers of the same underlying technique.
+
+1.1.3:  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.
+
+1.1.4:  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name
+
+      lookup of a target's name in a naming service or other database in
+      order to identify mech_types supported by that target
+
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Section 3, represented as Object Identifiers (OIDs)) serve to qualify
+   the interpretation of associated tokens. (The structure and encoding
+   of Object Identifiers is defined in ISO/IEC 8824, "Specification of
+   Abstract Syntax Notation One (ASN.1)" and in ISO/IEC 8825,
+   "Specification of Basic Encoding Rules for Abstract Syntax Notation
+   One (ASN.1)".) Use of hierarchically structured OIDs serves to
+   preclude ambiguous interpretation of mech_type specifiers. The OID
+   representing the DASS MechType, for example, is 1.3.12.2.1011.7.5,
+   and that of the Kerberos V5 mechanism, once advanced to the level of
+   Proposed Standard, will be 1.2.840.113554.1.2.2.
+
+1.1.5:  Naming
+
+   The GSS-API avoids prescribing naming structures, treating the names
+   which are transferred across the interface in order to initiate and
+   accept security contexts as opaque objects.  This approach supports
+   the GSS-API's goal of implementability atop a range of underlying
+   security mechanisms, recognizing the fact that different mechanisms
+   process and authenticate names which are presented in different
+   forms. Generalized services offering translation functions among
+   arbitrary sets of naming environments are outside the scope of the
+   GSS-API; availability and use of local conversion functions to
+   translate among the naming formats supported within a given end
+   system is anticipated.
+
+   Different classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      - Internal form (denoted in this document by INTERNAL NAME),
+      opaque to callers and defined by individual GSS-API
+      implementations.  GSS-API implementations supporting multiple
+      namespace types must maintain internal tags to disambiguate the
+      interpretation of particular names.  A Mechanism Name (MN) is a
+      special case of INTERNAL NAME, guaranteed to contain elements
+      corresponding to one and only one mechanism; calls which are
+      guaranteed to emit MNs or which require MNs as input are so
+      identified within this specification.
+
+      - Contiguous string ("flat") form (denoted in this document by
+      OCTET STRING); accompanied by OID tags identifying the namespace
+      to which they correspond.  Depending on tag value, flat names may
+      or may not be printable strings for direct acceptance from and
+      presentation to users. Tagging of flat names allows GSS-API
+      callers and underlying GSS-API mechanisms to disambiguate name
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      types and to determine whether an associated name's type is one
+      which they are capable of processing, avoiding aliasing problems
+      which could result from misinterpreting a name of one type as a
+      name of another type.
+
+      - The GSS-API Exported Name Object, a special case of flat name
+      designated by a reserved OID value, carries a canonicalized form
+      of a name suitable for binary comparisons.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()), input conversion
+   (GSS_Import_name()), internal name deallocation (GSS_Release_name()),
+   and internal name duplication (GSS_Duplicate_name()) functions are
+   defined. (It is anticipated that these proposed GSS-API calls will be
+   implemented in many end systems based on system-specific name
+   manipulation primitives already extant within those end systems;
+   inclusion within the GSS-API is intended to offer GSS-API callers a
+   portable means to perform specific operations, supportive of
+   authorization and audit requirements, on authenticated names.)
+
+   GSS_Import_name() implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+   The GSS_Canonicalize_name() and GSS_Export_name() calls enable
+   callers to acquire and process Exported Name Objects, canonicalized
+   and translated in accordance with the procedures of a particular
+   GSS-API mechanism.  Exported Name Objects can, in turn, be input to
+   GSS_Import_name(), yielding equivalent MNs. These facilities are
+   designed specifically to enable efficient storage and comparison of
+   names (e.g., for use in access control lists).
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following diagram illustrates the intended dataflow among name-
+   related GSS-API processing routines.
+
+                        GSS-API library defaults
+                               |
+                               |
+                               V                         text, for
+   text -------------->  internal_name (IN) -----------> display only
+         import_name()          /          display_name()
+                               /
+                              /
+                             /
+    accept_sec_context()    /
+          |                /
+          |               /
+          |              /  canonicalize_name()
+          |             /
+          |            /
+          |           /
+          |          /
+          |         /
+          |        |
+          V        V     <---------------------
+    single mechanism        import_name()         exported name: flat
+    internal_name (MN)                            binary "blob" usable
+                         ---------------------->  for access control
+                            export_name()
+
+1.1.6:  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information.  Channel bindings are used to
+   strengthen the quality with which peer entity authentication is
+   provided during context establishment, by limiting the scope within
+   which an intercepted context establishment token can be reused by an
+   attacker. Specifically, they enable GSS-API callers to bind the
+   establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel, of protection mechanisms
+   applied to that communications channel, and to application-specific
+   data.
+
+   The caller initiating a security context must determine the
+   appropriate channel binding values to provide as input to the
+   GSS_Init_sec_context() call, and consistent values must be provided
+   to GSS_Accept_sec_context() by the context's target, in order for
+   both peers' GSS-API mechanisms to validate that received tokens
+   possess correct channel-related characteristics. Use or non-use of
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   the GSS-API channel binding facility is a caller option.  GSS-API
+   mechanisms can operate in an environment where NULL channel bindings
+   are presented; mechanism implementors are encouraged, but not
+   required, to make use of caller-provided channel binding data within
+   their mechanisms. Callers should not assume that underlying
+   mechanisms provide confidentiality protection for channel binding
+   information.
+
+   When non-NULL channel bindings are provided by callers, certain
+   mechanisms can offer enhanced security value by interpreting the
+   bindings' content (rather than simply representing those bindings, or
+   integrity check values computed on them, within tokens) and will
+   therefore depend on presentation of specific data in a defined
+   format. To this end, agreements among mechanism implementors are
+   defining conventional interpretations for the contents of channel
+   binding arguments, including address specifiers (with content
+   dependent on communications protocol environment) for context
+   initiators and acceptors. (These conventions are being incorporated
+   in GSS-API mechanism specifications and into the GSS-API C language
+   bindings specification.) In order for GSS-API callers to be portable
+   across multiple mechanisms and achieve the full security
+   functionality which each mechanism can provide, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2:  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1:  Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED),
+   sufficient to drive normal control flow within the caller in a
+   generic fashion. Table 1 summarizes the defined major_status return
+   codes in tabular fashion.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+Table 1: GSS-API Major Status Codes
+
+   FATAL ERROR CODES
+
+   GSS_S_BAD_BINDINGS            channel binding mismatch
+   GSS_S_BAD_MECH                unsupported mechanism requested
+   GSS_S_BAD_NAME                invalid name provided
+   GSS_S_BAD_NAMETYPE            name of unsupported type provided
+   GSS_S_BAD_STATUS              invalid input status selector
+   GSS_S_BAD_SIG                 token had invalid integrity check
+   GSS_S_CONTEXT_EXPIRED         specified security context expired
+   GSS_S_CREDENTIALS_EXPIRED     expired credentials detected
+   GSS_S_DEFECTIVE_CREDENTIAL    defective credential detected
+   GSS_S_DEFECTIVE_TOKEN         defective token detected
+   GSS_S_FAILURE                 failure, unspecified at GSS-API
+                                   level
+   GSS_S_NO_CONTEXT              no valid security context specified
+   GSS_S_NO_CRED                 no valid credentials provided
+   GSS_S_BAD_QOP                 unsupported QOP value
+   GSS_S_UNAUTHORIZED            operation unauthorized
+   GSS_S_UNAVAILABLE             operation unavailable
+   GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+   GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+
+   INFORMATORY STATUS CODES
+
+   GSS_S_COMPLETE                normal completion
+   GSS_S_CONTINUE_NEEDED         continuation call to routine
+                                  required
+   GSS_S_DUPLICATE_TOKEN         duplicate per-message token
+                                  detected
+   GSS_S_OLD_TOKEN               timed-out per-message token
+                                  detected
+   GSS_S_UNSEQ_TOKEN             reordered (early) per-message token
+                                  detected
+   GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                  detected
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+   GSS_S_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context() and
+   GSS_Accept_sec_context()  calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accommodated
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   with sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same mechanism is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.2: Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+      GSS-API callers desiring per-message security services should
+      check the values of these flags at context establishment time, and
+      must be aware that a returned FALSE value for integ_avail means
+      that invocation of GSS_GetMIC()  or GSS_Wrap() primitives on the
+      associated context will apply no cryptographic protection to user
+      data messages.
+
+   The GSS-API per-message integrity and data origin authentication
+   services provide assurance to a receiving caller that protection was
+   applied to a message by the caller's peer on the security context,
+   corresponding to the entity named at context initiation.  The GSS-API
+   per-message confidentiality service provides assurance to a sending
+   caller that the message's content is protected from access by
+   entities other than the context's named peer.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Wrap(), encapsulate the protected data unit.
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3: Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types offer support for replay detection
+   and/or sequencing of messages transferred on the contexts they
+   support. These optionally-selectable protection features are distinct
+   from replay detection and sequencing features applied to the context
+   establishment operation itself; the presence or absence of context-
+   level replay or sequencing features is wholly a function of the
+   underlying mech_type's capabilities, and is not selected or omitted
+   as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of mech_type, without need
+   for bilateral negotiation with the target. When enabled, these
+   features provide recipients with indicators as a result of GSS-API
+   processing of incoming messages, identifying whether those messages
+   were detected as duplicates or out-of-sequence. Detection of such
+   events does not prevent a suspect message from being provided to a
+   recipient; the appropriate course of action on a suspect message is a
+   matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic
+      checkvalue on the received message was correct, but that the
+      message was recognized as a duplicate of a previously-processed
+      message.
+
+      3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that the message is too old
+      to be checked for duplication.
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      that the message was not a replay of a previously-processed
+      message within that window, and that no predecessor sequenced
+      messages are missing relative to the last received message (if
+      any) processed on the context with a correct cryptographic
+      checkvalue.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value
+      on the received message was correct, but that the message was
+      recognized as a duplicate of a previously-processed message.
+
+      3. GSS_S_OLD_TOKEN indicates that the integrity check value on the
+      received message was correct, but that the token is too old to be
+      checked for duplication.
+
+      4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue
+      on the received message was correct, but that it is earlier in a
+      sequenced stream than a message already processed on the context.
+      [Note: Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that one or more predecessor
+      sequenced messages have not been successfully processed relative
+      to the last received message (if any) processed on the context
+      with a correct cryptographic checkvalue.
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_GetMIC()  and GSS_Wrap(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_VerifyMIC()  and
+   GSS_Unwrap(). When this feature is active, exception status returns
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when
+   GSS_VerifyMIC()  or GSS_Unwrap() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4:  Quality of Protection
+
+   Some mech_types provide their users with fine granularity control
+   over the means used to provide per-message protection, allowing
+   callers to trade off security processing overhead dynamically against
+   the protection requirements of particular messages. A per-message
+   quality-of-protection parameter (analogous to quality-of-service, or
+   QOS) selects among different QOP options supported by that mechanism.
+   On context establishment for a multi-QOP mech_type, context-level
+   data provides the prerequisite data for a range of protection
+   qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.  The
+
+
+
+Linn                        Standards Track                    [Page 20]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   GSS_S_BAD_QOP major_status value is defined in order to indicate that
+   a provided QOP value is unsupported for a security context, most
+   likely because that value is unrecognized by the underlying
+   mechanism.
+
+1.2.5: Anonymity Support
+
+   In certain situations or environments, an application may wish to
+   authenticate a peer and/or protect communications using GSS-API per-
+   message services without revealing its own identity.  For example,
+   consider an application which provides read access to a research
+   database, and which permits queries by arbitrary requestors.  A
+   client of such a service might wish to authenticate the service, to
+   establish trust in the information received from it, but might not
+   wish to disclose its identity to the service for privacy reasons.
+
+   In ordinary GSS-API usage, a context initiator's identity is made
+   available to the context acceptor as part of the context
+   establishment process.  To provide for anonymity support, a facility
+   (input anon_req_flag to GSS_Init_sec_context()) is provided through
+   which context initiators may request that their identity not be
+   provided to the context acceptor.  Mechanisms are not required to
+   honor this request, but a caller will be informed (via returned
+   anon_state indicator from GSS_Init_sec_context()) whether or not the
+   request is honored. Note that authentication as the anonymous
+   principal does not necessarily imply that credentials are not
+   required in order to establish a context.
+
+   The following Object Identifier value is provided as a means to
+   identify anonymous names, and can be compared against in order to
+   determine, in a mechanism-independent fashion, whether a name refers
+   to an anonymous principal:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   3(gss-anonymous-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_ANONYMOUS.
+
+   Four possible combinations of anon_state and mutual_state are
+   possible, with the following results:
+
+      anon_state == FALSE, mutual_state == FALSE: initiator
+      authenticated to target.
+
+      anon_state == FALSE, mutual_state == TRUE: initiator authenticated
+      to target, target authenticated to initiator.
+
+
+
+
+Linn                        Standards Track                    [Page 21]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      anon_state == TRUE, mutual_state == FALSE: initiator authenticated
+      as anonymous principal to target.
+
+      anon_state == TRUE, mutual_state == TRUE: initiator authenticated
+      as anonymous principal to target, target authenticated to
+      initiator.
+
+1.2.6: Initialization
+
+   No initialization calls (i.e., calls which must be invoked prior to
+   invocation of other facilities in the interface) are defined in GSS-
+   API.  As an implication of this fact, GSS-API implementations must
+   themselves be self-initializing.
+
+1.2.7: Per-Message Protection During Context Establishment
+
+   A facility is defined in GSS-V2 to enable protection and buffering of
+   data messages for later transfer while a security context's
+   establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases
+   where the caller side already possesses the necessary session key to
+   enable this processing. Specifically, a new state Boolean, called
+   prot_ready_state, is added to the set of information returned by
+   GSS_Init_sec_context(), GSS_Accept_sec_context(), and
+   GSS_Inquire_context().
+
+   For context establishment calls, this state Boolean is valid and
+   interpretable when the associated major_status is either
+   GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE.  Callers of GSS-API (both
+   initiators and acceptors) can assume that per-message protection (via
+   GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is
+   available and ready for use if either: prot_ready_state == TRUE, or
+   major_status == GSS_S_COMPLETE, though mutual authentication (if
+   requested) cannot be guaranteed until GSS_S_COMPLETE is returned.
+
+   This achieves full, transparent backward compatibility for GSS-API V1
+   callers, who need not even know of the existence of prot_ready_state,
+   and who will get the expected behavior from GSS_S_COMPLETE, but who
+   will not be able to use per-message protection before GSS_S_COMPLETE
+   is returned.
+
+   It is not a requirement that GSS-V2 mechanisms ever return TRUE
+   prot_ready_state before completion of context establishment (indeed,
+   some mechanisms will not evolve usable message protection keys,
+   especially at the context acceptor, before context establishment is
+   complete).  It is expected but not required that GSS-V2 mechanisms
+   will return TRUE prot_ready_state upon completion of context
+   establishment if they support per-message protection at all (however
+   GSS-V2 applications should not assume that TRUE prot_ready_state will
+
+
+
+Linn                        Standards Track                    [Page 22]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   always be returned together with the GSS_S_COMPLETE major_status,
+   since GSS-V2 implementations may continue to support GSS-V1 mechanism
+   code, which will never return TRUE prot_ready_state).
+
+   When prot_ready_state is returned TRUE, mechanisms shall also set
+   those context service indicator flags (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state,
+   conf_avail, integ_avail) which represent facilities confirmed, at
+   that time, to be available on the context being established.  In
+   situations where prot_ready_state is returned before GSS_S_COMPLETE,
+   it is possible that additional facilities may be confirmed and
+   subsequently indicated when GSS_S_COMPLETE is returned.
+
+1.2.8: Implementation Robustness
+
+   This section recommends aspects of GSS-API implementation behavior in
+   the interests of overall robustness.
+
+   If a token is presented for processing on a GSS-API security context
+   and that token is determined to be invalid for that context, the
+   context's state should not be disrupted for purposes of processing
+   subsequent valid tokens.
+
+   Certain local conditions at a GSS-API implementation (e.g.,
+   unavailability of memory) may preclude, temporarily or permanently,
+   the successful processing of tokens on a GSS-API security context,
+   typically generating GSS_S_FAILURE major_status returns along with
+   locally-significant minor_status.  For robust operation under such
+   conditions, the following recommendations are made:
+
+      Failing calls should free any memory they allocate, so that
+      callers may retry without causing further loss of resources.
+
+      Failure of an individual call on an established context should not
+      preclude subsequent calls from succeeding on the same context.
+
+      Whenever possible, it should be possible for
+      GSS_Delete_sec_context() calls to be successfully processed even
+      if other calls cannot succeed, thereby enabling context-related
+      resources to be released.
+
+2:  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+
+
+
+Linn                        Standards Track                    [Page 23]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+Table 2:  GSS-API Calls
+
+   CREDENTIAL MANAGEMENT
+
+   GSS_Acquire_cred             acquire credentials for use
+   GSS_Release_cred             release credentials after use
+   GSS_Inquire_cred             display information about
+                                credentials
+   GSS_Add_cred                 construct credentials incrementally
+   GSS_Inquire_cred_by_mech     display per-mechanism credential
+                                information
+
+   CONTEXT-LEVEL CALLS
+
+   GSS_Init_sec_context         initiate outbound security context
+   GSS_Accept_sec_context       accept inbound security context
+   GSS_Delete_sec_context       flush context when no longer needed
+   GSS_Process_context_token    process received control token on
+                                context
+   GSS_Context_time             indicate validity time remaining on
+                                      context
+   GSS_Inquire_context          display information about context
+   GSS_Wrap_size_limit          determine GSS_Wrap token size limit
+   GSS_Export_sec_context       transfer context to other process
+   GSS_Import_sec_context       import transferred context
+
+   PER-MESSAGE CALLS
+
+   GSS_GetMIC                   apply integrity check, receive as
+                                token separate from message
+   GSS_VerifyMIC                validate integrity check token
+                                along with message
+   GSS_Wrap                     sign, optionally encrypt,
+                                encapsulate
+   GSS_Unwrap                   decapsulate, decrypt if needed,
+                                validate integrity check
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 24]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   SUPPORT CALLS
+
+   GSS_Display_status           translate status codes to printable
+                                form
+   GSS_Indicate_mechs           indicate mech_types supported on
+                                local system
+   GSS_Compare_name             compare two names for equality
+   GSS_Display_name             translate name to printable form
+   GSS_Import_name              convert printable name to
+                                normalized form
+   GSS_Release_name             free storage of normalized-form
+                                name
+   GSS_Release_buffer           free storage of printable name
+   GSS_Release_OID              free storage of OID object
+   GSS_Release_OID_set          free storage of OID set object
+   GSS_Create_empty_OID_set     create empty OID set
+   GSS_Add_OID_set_member       add member to OID set
+   GSS_Test_OID_set_member      test if OID is member of OID set
+   GSS_OID_to_str               display OID as string
+   GSS_Str_to_OID               construct OID from string
+   GSS_Inquire_names_for_mech   indicate name types supported by
+                                mechanism
+   GSS_Inquire_mechs_for_name   indicates mechanisms supporting name
+                                type
+   GSS_Canonicalize_name        translate name to per-mechanism form
+   GSS_Export_name              externalize per-mechanism name
+   GSS_Duplicate_name           duplicate name object
+
+2.1:  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred() call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred()  call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.  The GSS_Add_cred() call enables callers to append
+
+
+
+Linn                        Standards Track                    [Page 25]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   elements to an existing credential structure, allowing iterative
+   construction of a multi-mechanism credential. The
+   GSS_Inquire_cred_by_mech() call enables callers to extract per-
+   mechanism information describing a credentials structure.
+
+2.1.1:  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -NULL requests locally-determined
+      default
+
+   o  lifetime_req INTEGER,-in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests
+      system-selected default
+
+   o  cred_usage INTEGER -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE,
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that requested credentials were
+      successfully established, for the duration indicated in
+      lifetime_rec, suitable for the usage requested in cred_usage,
+      for the set of mech_types indicated in actual_mechs, and that
+      those credentials can be referenced for subsequent use with
+      the handle returned in output_cred_handle.
+
+   o  GSS_S_BAD_MECH indicates that a mech_type unsupported by the
+      GSS-API implementation type was requested, causing the
+      credential establishment operation to fail.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 26]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+      uninterpretable or of a type unsupported by the applicable
+      underlying GSS-API mechanism(s), so no credentials could be
+      established for the accompanying desired_name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_S_FAILURE indicates that credential establishment failed
+      for reasons unspecified at the GSS-API level, including lack
+      of authorization to establish and use credentials associated
+      with the identity named in the input desired_name argument.
+
+   GSS_Acquire_cred()  is used to acquire credentials so that a
+   principal can (as a function of the input cred_usage parameter)
+   initiate and/or accept security contexts under the identity
+   represented by the desired_name input argument. On successful
+   completion, the returned output_cred_handle result provides a handle
+   for subsequent references to the acquired credentials.  Typically,
+   single-user client processes requesting that default credential
+   behavior be applied for context establishment purposes will have no
+   need to invoke this call.
+
+   A caller may provide the value NULL for desired_name, signifying a
+   request for credentials corresponding to a principal identity
+   selected by default for the caller. The procedures used by GSS-API
+   implementations to select the appropriate principal identity in
+   response to such a request are local matters. It is possible that
+   multiple pre-established credentials may exist for the same principal
+   identity (for example, as a result of multiple user login sessions)
+   when GSS_Acquire_cred() is called; the means used in such cases to
+   select a specific credential are local matters.  The input
+   lifetime_req argument to GSS_Acquire_cred() may provide useful
+   information for local GSS-API implementations to employ in making
+   this disambiguation in a manner which will best satisfy a caller's
+   intent.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred()  can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+
+
+
+Linn                        Standards Track                    [Page 27]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred()  can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2:  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE - NULL specifies that
+      the credential elements used when default credential behavior
+      is requested be released.
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle were released for purposes of subsequent
+      access by the caller. The effect on other processes which may
+      be authorized shared access to such credentials is a local
+      matter.
+
+   o  GSS_S_NO_CRED indicates that no release operation was
+      performed, either because the input cred_handle was invalid or
+      because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_FAILURE indicates that the release operation failed for
+      reasons unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 28]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes. Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3:  GSS_Inquire_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -NULL specifies that the
+      credential elements used when default credential behavior is
+      requested are to be queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle argument were valid, and that the output
+      cred_name, lifetime_rec, and cred_usage values represent,
+      respectively, the credentials' associated principal name,
+      remaining lifetime, suitable usage modes, and supported
+      mechanism types.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+      about the referenced credentials, either because the input
+      cred_handle was invalid or because the caller lacks
+      authorization to access the referenced credentials.
+
+
+
+Linn                        Standards Track                    [Page 29]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+      credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+      credentials have expired.
+
+   o  GSS_S_FAILURE indicates that the operation failed for
+      reasons unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred() call is defined primarily for the use of those
+   callers which request use of default credential behavior rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+   For a multi-mechanism credential, the returned "lifetime" specifier
+   indicates the shortest lifetime of any of the mechanisms' elements in
+   the credential (for either context initiation or acceptance
+   purposes).
+
+   GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
+   "cred_usage" if both of the following conditions hold:
+
+      (1) there exists in the credential an element which allows context
+      initiation using some mechanism
+
+      (2) there exists in the credential an element which allows context
+      acceptance using some mechanism (allowably, but not necessarily,
+      one of the same mechanism(s) qualifying for (1)).
+
+   If condition (1) holds but not condition (2), GSS_Inquire_cred()
+   should indicate INITIATE-ONLY for "cred_usage".  If condition (2)
+   holds but not condition (1), GSS_Inquire_cred() should indicate
+   ACCEPT-ONLY for "cred_usage".
+
+   Callers requiring finer disambiguation among available combinations
+   of lifetimes, usage modes, and mechanisms should call the
+   GSS_Inquire_cred_by_mech() routine, passing that routine one of the
+   mech OIDs returned by GSS_Inquire_cred().
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 30]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.1.4:  GSS_Add_cred call
+
+   Inputs:
+
+   o  input_cred_handle CREDENTIAL HANDLE - handle to credential
+      structure created with prior GSS_Acquire_cred() or
+      GSS_Add_cred() call, or NULL to append elements to the set
+      which are applied for the caller when default credential
+      behavior is specified.
+
+   o  desired_name INTERNAL NAME - NULL requests locally-determined
+      default
+
+   o  initiator_time_req INTEGER - in seconds; 0 requests default
+
+   o  acceptor_time_req INTEGER - in seconds; 0 requests default
+
+   o  desired_mech OBJECT IDENTIFIER
+
+   o  cred_usage INTEGER - 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+       2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, - NULL to request that
+      credential elements be added "in place" to the credential
+      structure  identified by input_cred_handle, non-NULL pointer
+      to request that a new credential structure and handle be created.
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  initiator_time_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   o  acceptor_time_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms
+      supported by resulting credential.
+
+
+
+
+
+Linn                        Standards Track                    [Page 31]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by
+      the input_cred_handle argument were valid, and that the
+      resulting credential from GSS_Add_cred() is valid for the
+      durations indicated in initiator_time_rec and acceptor_time_rec,
+      suitable for the usage requested in cred_usage, and for the
+      mechanisms indicated in actual_mechs.
+
+   o  GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
+      specified a mechanism for which the referenced credential
+      already contained a credential element with overlapping
+      cred_usage and validity time specifiers.
+
+   o  GSS_S_BAD_MECH indicates that the input desired_mech specified
+      a mechanism unsupported by the GSS-API implementation, causing
+      the GSS_Add_cred() operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name
+      is uninterpretable or of a type unsupported by the applicable
+      underlying GSS-API mechanism(s), so the GSS_Add_cred() operation
+      could not be performed for that name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so the GSS_Add_cred() operation could not be
+      performed for that name.
+
+   o  GSS_S_NO_CRED indicates that the input_cred_handle referenced
+      invalid or inaccessible credentials.
+
+   o  GSS_S_FAILURE indicates that the operation failed for
+      reasons unspecified at the GSS-API level, including lack of
+      authorization to establish or use credentials representing
+      the requested identity.
+
+   GSS_Add_cred() enables callers to construct credentials iteratively
+   by adding credential elements in successive operations, corresponding
+   to different mechanisms.  This offers particular value in multi-
+   mechanism environments, as the major_status and minor_status values
+   returned on each iteration are individually visible and can therefore
+   be interpreted unambiguously on a per-mechanism basis.
+
+   The same input desired_name, or default reference, should be used on
+   all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
+   particular credential.
+
+
+
+
+
+Linn                        Standards Track                    [Page 32]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.1.5:  GSS_Inquire_cred_by_mech call
+
+   Inputs:
+
+   o  cred_handle CREDENTIAL HANDLE  -- NULL specifies that the
+      credential elements used when default credential behavior is
+      requested are to be queried
+
+   o  mech_type OBJECT IDENTIFIER  -- specific mechanism for
+      which credentials are being queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME, -- guaranteed to be MN
+
+   o  lifetime_rec_initiate INTEGER -- in seconds, or reserved value for
+      INDEFINITE
+
+   o  lifetime_rec_accept INTEGER -- in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle argument were valid, that the mechanism
+      indicated by the input mech_type was represented with elements
+      within those credentials, and that the output cred_name,
+      lifetime_rec_initiate, lifetime_rec_accept, and cred_usage values
+      represent, respectively, the credentials' associated principal
+      name, remaining lifetimes, and suitable usage modes.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+      about the referenced credentials, either because the input
+      cred_handle was invalid or because the caller lacks
+      authorization to access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+      credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+      credentials have expired.
+
+
+
+Linn                        Standards Track                    [Page 33]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_MECH indicates that the referenced credentials do not
+      contain elements for the requested mechanism.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+      unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred_by_mech() call enables callers in multi-
+   mechanism environments to acquire specific data about available
+   combinations of lifetimes, usage modes, and mechanisms within a
+   credential structure.  The lifetime_rec_initiate result indicates the
+   available lifetime for context initiation purposes; the
+   lifetime_rec_accept result indicates the available lifetime for
+   context acceptance purposes.
+
+2.2:  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(),  resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context().  Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().
+
+   Either party to an established context may invoke
+   GSS_Delete_sec_context() to flush context information when a context
+   is no longer required. GSS_Process_context_token()  is used to
+   process received tokens carrying context-level control information.
+   GSS_Context_time()  allows a caller to determine the length of time
+   for which an established context will remain valid.
+   GSS_Inquire_context() returns status information describing context
+   characteristics. GSS_Wrap_size_limit() allows a caller to determine
+   the size of a token which will be generated by a GSS_Wrap()
+   operation.  GSS_Export_sec_context() and GSS_Import_sec_context()
+   enable transfer of active contexts between processes on an end
+   system.
+
+2.2.1:  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle CREDENTIAL HANDLE, -NULL specifies "use
+      default"
+
+   o  input_context_handle CONTEXT HANDLE, -0 specifies "none assigned
+      yet"
+
+
+
+Linn                        Standards Track                    [Page 34]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use
+      default"
+
+   o  deleg_req_flag BOOLEAN,
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  anon_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER,-0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING-NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_handle CONTEXT HANDLE,
+
+   o  mech_type OBJECT IDENTIFIER, -actual mechanism always
+      indicated, never NULL
+
+   o  output_token OCTET STRING, -NULL or token to pass to context
+      target
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7
+
+
+
+Linn                        Standards Track                    [Page 35]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level information was
+      successfully initialized, and that the returned output_token
+      will provide sufficient information for the target to perform
+      per-message processing on the newly-established context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the target, and that a
+      reply must be received and passed as the input_token argument
+      to a continuation call to GSS_Init_sec_context(),  before
+      per-message processing can be performed in conjunction with
+      this context.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
+      performed on the input_token failed, preventing further
+      processing from being performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      claimant_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_S_BAD_SIG indicates that the received input_token
+      contains an incorrect integrity check, so context setup cannot
+      be accomplished.
+
+   o  GSS_S_NO_CRED indicates that no context was established,
+      either because the input cred_handle was invalid, because the
+      referenced credentials are valid for context acceptor use
+      only, or because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials
+      provided through the input claimant_cred_handle argument are no
+      longer valid, so context establishment cannot be completed.
+
+
+
+Linn                        Standards Track                    [Page 36]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the
+      caller-provided chan_bindings and those extracted from the
+      input_token was detected, signifying a security-relevant
+      event and preventing context establishment. (This result will
+      be returned by GSS_Init_sec_context only for contexts where
+      mutual_state is TRUE.)
+
+   o  GSS_S_OLD_TOKEN indicates that the input_token is too old to
+      be checked for integrity. This is a fatal error during context
+      establishment.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the input token has a
+      correct integrity check, but is a duplicate of a token already
+      processed. This is a fatal error during context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided; this major status will
+      be returned only for successor calls following GSS_S_CONTINUE_
+      NEEDED status returns.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided targ_name is
+      of a type uninterpretable or unsupported by the applicable
+      underlying GSS-API mechanism(s), so context establishment
+      cannot be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided targ_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so context establishment cannot be accomplished.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+      or of a caller request specifying a mechanism unsupported by
+      the local system or with the caller's active credentials
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+      accomplished for reasons unspecified at the GSS-API level, and
+      that no interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits one
+   (or, for the case of a multi-step exchange, more than one)
+   output_token suitable for use by the target within the selected
+   mech_type's protocol. Using information in the credentials structure
+   referenced by claimant_cred_handle, GSS_Init_sec_context()
+   initializes the data structures required to establish a security
+   context with target targ_name. The targ_name may be any valid
+   INTERNAL NAME; it need not be an MN. The claimant_cred_handle must
+   correspond to the same valid credentials structure on the initial
+   call to GSS_Init_sec_context()  and on any successor calls resulting
+   from GSS_S_CONTINUE_NEEDED status returns; different protocol
+
+
+
+Linn                        Standards Track                    [Page 37]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   sequences modeled by the GSS_S_CONTINUE_NEEDED facility will require
+   access to credentials at different points in the context
+   establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Init_sec_context()  call relating to a
+   given context. If successful (i.e., if accompanied by major_status
+   GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
+   initial GSS_Init_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+
+   When continuation attempts to GSS_Init_sec_context() are needed to
+   perform context establishment, the previously-returned non-zero
+   handle value is entered into the input_context_handle argument and
+   will be echoed in the returned output_context_handle argument. On
+   such continuation attempts (and only on continuation attempts) the
+   input_token value is used, to provide the token returned from the
+   context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context()  which
+   follows a previous return indicating GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+   the first application-provided input message to be processed by
+   GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully-
+   established context.
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+
+
+
+Linn                        Standards Track                    [Page 38]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   1.2.3 for more information on replay detection and sequencing
+   features.)  The anon_req_flag requests that the initiator's identity
+   not be transferred within tokens to be sent to the acceptor.
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types. The corresponding return state values
+   deleg_state, mutual_state, replay_det_state, and sequence_state
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context.  The returned trans_state value indicates
+   whether the context is transferable to other processes through use of
+   GSS_Export_sec_context().  These state indicators' values are
+   undefined unless either the routine's major_status indicates
+   GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
+   GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
+   possible that additional features, not confirmed or indicated along
+   with TRUE prot_ready_state, will be confirmed and indicated when
+   GSS_S_COMPLETE is subsequently returned.
+
+   The returned anon_state and prot_ready_state values are significant
+   for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
+   returns from GSS_Init_sec_context().  When anon_state is returned
+   TRUE, this indicates that neither the current token nor its
+   predecessors delivers or has delivered the initiator's identity.
+   Callers wishing to perform context establishment only if anonymity
+   support is provided should transfer a returned token from
+   GSS_Init_sec_context() to the peer only if it is accompanied by a
+   TRUE anon_state indicator.  When prot_ready_state is returned TRUE in
+   conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
+   that per-message protection operations may be applied on the context:
+   see Section 1.2.7 for further discussion of this facility.
+
+   Failure to provide the precise set of features requested by the
+   caller does not cause context establishment to fail; it is the
+   caller's prerogative to delete the context if the feature set
+   provided is unsuitable for the caller's use.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context, is valid only along with major_status
+   GSS_S_COMPLETE, and will never indicate the value for "default".
+   Note that, for the case of certain mechanisms which themselves
+   perform negotiation, the returned mech_type result may indicate
+   selection of a mechanism identified by an OID different than that
+   passed in the input mech_type argument.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+
+
+
+Linn                        Standards Track                    [Page 39]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   input to GSS_Wrap()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC() or GSS_Wrap()) on
+   the established context. These state indicators' values are undefined
+   unless either the routine's major_status indicates GSS_S_COMPLETE, or
+   TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The value of lifetime_rec
+   is undefined unless the routine's major_status indicates
+   GSS_S_COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+   output_token. A call to GSS_Accept_sec_context()  at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(),  in order to
+   achieve mutual authentication.
+
+2.2.2:  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies
+      "use default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0 specifies
+      "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME, -- guaranteed to be MN
+
+
+
+
+Linn                        Standards Track                    [Page 40]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  mech_type OBJECT IDENTIFIER,
+
+   o  output_context_handle CONTEXT HANDLE,
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER, - in seconds, or reserved value for
+      INDEFINITE
+
+   o  delegated_cred_handle CREDENTIAL HANDLE,
+
+   o  output_token OCTET STRING -NULL or token to pass to context
+      initiator
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level data structures
+      were successfully initialized, and that per-message processing
+      can now be performed in conjunction with this context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the initiator, and that
+      a response must be received and passed as the input_token
+      argument to a continuation call to GSS_Accept_sec_context(),
+      before per-message processing can be performed in conjunction
+      with this context.
+
+
+
+
+Linn                        Standards Track                    [Page 41]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the input_token failed, preventing further processing from
+      being performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      acceptor_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_S_BAD_SIG indicates that the received input_token contains
+      an incorrect integrity check, so context setup cannot be
+      accomplished.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
+      received input_token was correct, but that the input_token
+      was recognized as a duplicate of an input_token already
+      processed. No new context is established.
+
+   o  GSS_S_OLD_TOKEN indicates that the integrity check on the received
+      input_token was correct, but that the input_token is too old
+      to be checked for duplication against previously-processed
+      input_tokens. No new context is established.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the
+      referenced credentials are valid for context initiator use
+      only, or because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input acceptor_cred_handle argument are no
+      longer valid, so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the
+      caller-provided chan_bindings and those extracted from the
+      input_token was detected, signifying a security-relevant
+      event and preventing context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided; this major status will
+      be returned only for successor calls following GSS_S_CONTINUE_
+      NEEDED status returns.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+      specifying a mechanism unsupported by the local system or with
+      the caller's active credentials.
+
+
+
+
+
+Linn                        Standards Track                    [Page 42]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+      accomplished for reasons unspecified at the GSS-API level, and
+      that no interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context()  routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The returned src_name is guaranteed to be an MN, processed by the
+   mechanism under which the context was established. The
+   acceptor_cred_handle must correspond to the same valid credentials
+   structure on the initial call to GSS_Accept_sec_context() and on any
+   successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
+   different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
+   mechanism will require access to credentials at different points in
+   the context establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Accept_sec_context()  call relating to a
+   given context.  If successful (i.e., if accompanied by major_status
+   GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
+   initial GSS_Accept_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state, and
+   prot_ready_state) reflect the same information as described for
+   GSS_Init_sec_context(), and their values are significant under the
+   same return state conditions.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 43]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC()  or GSS_Wrap())
+   on the established context.  These values are significant under the
+   same return state conditions as described under
+   GSS_Init_sec_context().
+
+   The lifetime_rec return value is significant only in conjunction with
+   GSS_S_COMPLETE major_status, and indicates the length of time for
+   which the context will be valid, expressed as an offset from the
+   present.
+
+   The mech_type return value indicates the specific mechanism employed
+   on the context, is valid only along with major_status GSS_S_COMPLETE,
+   and will never indicate the value for "default".
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(),  any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(),  from the
+   per-message data elements passed to GSS_VerifyMIC()  or GSS_Unwrap().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context()  must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3: GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 44]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context was recognized, and that
+      relevant context-specific information was flushed.  If the caller
+      provides a non-null buffer to receive an output_context_token, and
+      the mechanism returns a non-NULL token into that buffer, the
+      returned output_context_token is ready for transfer to the
+      context's peer.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided, so no deletion was
+      performed.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Delete_sec_context()  operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   This call may block pending network interactions for mech_types in
+   which active notification must be made to a central server when a
+   security context is to be deleted.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information.  If a non-null output_context_token
+   parameter is provided by the caller, an output_context_token may be
+   returned to the caller.  If an output_context_token is provided to
+   the caller, it can be passed to the context's peer to inform the
+   peer's GSS-API implementation that the peer's corresponding context
+   information can also be flushed. (Once a context is established, the
+   peers involved are expected to retain cached credential and context-
+   related information until the information's expiration time is
+   reached or until a GSS_Delete_sec_context() call is made.)
+
+   The facility for context_token usage to signal context deletion is
+   retained for compatibility with GSS-API Version 1.  For current
+   usage, it is recommended that both peers to a context invoke
+   GSS_Delete_sec_context() independently, passing a null
+   output_context_token buffer to indicate that no context_token is
+   required.  Implementations of GSS_Delete_sec_context() should delete
+   relevant locally-stored context information.
+
+   Attempts to perform per-message processing on a deleted context will
+   result in error returns.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 45]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.2.4:  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_context_token was
+      successfully processed in conjunction with the context
+      referenced by context_handle.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
+      performed on the received context_token failed, preventing
+      further processing from being performed with that token.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Process_context_token()  operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context();  GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_S_COMPLETE status.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 46]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.2.5:  GSS_Context_time call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid,
+      and will remain valid for the amount of time indicated in
+      lifetime_rec.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that data items related to the
+      referenced context have expired.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+      recognized, but that its associated credentials have expired.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+       reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.2.6:   GSS_Inquire_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 47]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  src_name INTERNAL NAME,  -- name of context initiator,
+                               -- guaranteed to be MN
+
+   o  targ_name INTERNAL NAME,  -- name of context target,
+                                -- guaranteed to be MN
+
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+      INDEFINITE,
+
+   o  mech_type OBJECT IDENTIFIER, -- the mechanism supporting this
+      security context
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid
+      and that src_name, targ_name, lifetime_rec, mech_type, deleg_state,
+      mutual_state, replay_det_state, sequence_state, anon_state,
+      trans_state, prot_ready_state, conf_avail, integ_avail, and
+      locally_initiated return values describe the corresponding
+      characteristics of the context.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+      context_handle is recognized, but that the referenced context
+      has expired.  Return values other than major_status and
+      minor_status are undefined.
+
+
+
+
+
+Linn                        Standards Track                    [Page 48]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided. Return values other than
+      major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+     reasons unspecified at the GSS-API level. Return values other than
+         major_status and minor_status are undefined.
+
+   This call is used to extract information describing characteristics
+   of a security context.
+
+2.2.7:   GSS_Wrap_size_limit call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop INTEGER,
+
+   o  output_size INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  max_input_size INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates a successful token size determination:
+   an input message with a length in octets equal to the
+   returned max_input_size value will, when passed to GSS_Wrap()
+   for processing on the context identified by the context_handle
+   parameter and with the quality of protection specifier provided
+   in the qop parameter, yield an output token no larger than the
+   value of the provided output_size parameter.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context
+   has expired.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+
+
+
+Linn                        Standards Track                    [Page 49]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to determine the largest input datum which may be
+   passed to GSS_Wrap() without yielding an output token larger than a
+   caller-specified value.
+
+2.2.8:   GSS_Export_sec_context call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  interprocess_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context has been
+   successfully exported to a representation in the interprocess_token,
+   and is no longer available for use by the caller.
+
+   o  GSS_S_UNAVAILABLE indicates that the context export facility
+   is not available for use on the referenced context.  (This status
+   should occur only for contexts for which the trans_state value is
+   FALSE.) Return values other than major_status and minor_status are
+   undefined.
+
+   o GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 50]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call generates an interprocess token for transfer to another
+   process within an end system, in order to transfer control of a
+   security context to that process.  The recipient of the interprocess
+   token will call GSS_Import_sec_context() to accept the transfer.  The
+   GSS_Export_sec_context() operation is defined for use only with
+   security contexts which are fully and successfully established (i.e.,
+   those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
+   have returned GSS_S_COMPLETE major_status).
+
+   To ensure portability, a caller of GSS_Export_sec_context() must not
+   assume that a context may continue to be used once it has been
+   exported; following export, the context referenced by the
+   context_handle cannot be assumed to remain valid.  Further, portable
+   callers must not assume that a given interprocess token can be
+   imported by GSS_Import_sec_context() more than once, thereby creating
+   multiple instantiations of a single context.  GSS-API implementations
+   may detect and reject attempted multiple imports, but are not
+   required to do so.
+
+   The internal representation contained within the interprocess token
+   is an implementation-defined local matter.  Interprocess tokens
+   cannot be assumed to be transferable across different GSS-API
+   implementations.
+
+   It is recommended that GSS-API implementations adopt policies suited
+   to their operational environments in order to define the set of
+   processes eligible to import a context, but specific constraints in
+   this area are local matters.  Candidate examples include transfers
+   between processes operating on behalf of the same user identity, or
+   processes comprising a common job.  However, it may be impossible to
+   enforce such policies in some implementations.
+
+   In support of the above goals, implementations may protect the
+   transferred context data by using cryptography to protect data within
+   the interprocess token, or by using interprocess tokens as a means to
+   reference local interprocess communication facilities (protected by
+   other means) rather than storing the context data directly within the
+   tokens.
+
+   Transfer of an open context may, for certain mechanisms and
+   implementations, reveal data about the credential which was used to
+   establish the context.  Callers should, therefore, be cautious about
+   the trustworthiness of processes to which they transfer contexts.
+   Although the GSS-API implementation may provide its own set of
+
+
+
+Linn                        Standards Track                    [Page 51]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   protections over the exported context, the caller is responsible for
+   protecting the interprocess token from disclosure, and for taking
+   care that the context is transferred to an appropriate destination
+   process.
+
+2.2.9:   GSS_Import_sec_context call
+
+   Inputs:
+
+   o  interprocess_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  context_handle CONTEXT HANDLE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context represented by the
+   input interprocess_token has been successfully transferred to
+   the caller, and is available for future use via the output
+   context_handle.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the context represented by
+   the input interprocess_token has expired. Return values other
+   than major_status and minor_status are undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that the context represented by the
+   input interprocess_token was invalid. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
+   was defective.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_UNAVAILABLE indicates that the context import facility
+   is not available for use on the referenced context.  Return values
+   other than major_status and minor_status are undefined.
+
+   o  GSS_S_UNAUTHORIZED indicates that the context represented by
+   the input interprocess_token is unauthorized for transfer to the
+   caller. Return values other than major_status and minor_status
+   are undefined.
+
+
+
+
+
+Linn                        Standards Track                    [Page 52]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call processes an interprocess token generated by
+   GSS_Export_sec_context(), making the transferred context available
+   for use by the caller.  After a successful GSS_Import_sec_context()
+   operation, the imported context is available for use by the importing
+   process.
+
+   For further discussion of the security and authorization issues
+   regarding this call, please see the discussion in Section 2.2.8.
+
+2.3:  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_GetMIC()  is properly input to GSS_VerifyMIC(),  and the output
+   from GSS_Wrap() is properly input to GSS_Unwrap().
+
+   GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
+   and data integrity services. When GSS_GetMIC()  is invoked on an
+   input message, it yields a per-message token containing data items
+   which allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_VerifyMIC(),  which validates the message in
+   conjunction with the separate token.
+
+   GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_GetMIC()  and GSS_VerifyMIC(). GSS_Wrap()
+   outputs a single data element, encapsulating optionally enciphered
+   user data as well as associated token data items.  The data element
+   output from GSS_Wrap()  is passed to the remote peer and processed by
+   GSS_Unwrap()  at that system. GSS_Unwrap() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 53]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.3.1:  GSS_GetMIC call
+
+   Note: This call is functionally equivalent to the GSS_Sign call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Sign are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that an integrity check, suitable for an
+      established security context, was successfully applied and
+      that the message and corresponding per_msg_token are ready
+      for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+      recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the requested operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+
+
+Linn                        Standards Track                    [Page 54]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Using the security context referenced by context_handle, apply an
+   integrity check to the input message (along with timestamps and/or
+   other data included in support of mech_type-specific mechanisms) and
+   return the result in per_msg_token. The qop_req parameter,
+   interpretation of which is discussed in Section 1.2.4, allows
+   quality-of-protection control. The caller passes the message and the
+   per_msg_token to the target.
+
+   The GSS_GetMIC()  function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_GetMIC()  does not guarantee that a corresponding GSS_VerifyMIC()
+   has been (or can necessarily be) performed successfully when the
+   message arrives at the destination.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.2:  GSS_VerifyMIC call
+
+   Note: This call is functionally equivalent to the GSS_Verify call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Verify are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the message was successfully
+      verified.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 55]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the received per_msg_token failed, preventing
+      further processing from being performed with that token.
+
+   o  GSS_S_BAD_SIG indicates that the received per_msg_token contains
+      an incorrect integrity check for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
+      and GSS_S_GAP_TOKEN values appear in conjunction with the
+      optional per-message replay detection features described
+      in Section 1.2.3; their semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_VerifyMIC() operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate integrity check for
+   the input message, and apply any active replay detection or
+   sequencing features. Return an indication of the quality-of-
+   protection applied to the processed message in the qop_state result.
+   Since the GSS_VerifyMIC() routine never provides a confidentiality
+   service, its implementations should not return non-zero values in the
+   confidentiality fields of the output qop_state.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.3: GSS_Wrap call
+
+   Note: This call is functionally equivalent to the GSS_Seal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Seal are deprecated.
+
+
+
+
+Linn                        Standards Track                    [Page 56]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+      processed and that the output_message is ready for
+      transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+      recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Wrap()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_GetMIC().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+
+
+
+Linn                        Standards Track                    [Page 57]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter, interpretation
+   of which is discussed in Section 1.2.4, allows quality-of-protection
+   control.
+
+   In all cases, the GSS_Wrap()  call yields a single output_message
+   data element containing (optionally enciphered) user data as well as
+   control information.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.4: GSS_Unwrap call
+
+   Note: This call is functionally equivalent to the GSS_Unseal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Unseal are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was
+      successfully processed and that the resulting output_message is
+      available.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the per_msg_token extracted from the input_message
+      failed, preventing further processing from being performed.
+
+
+
+Linn                        Standards Track                    [Page 58]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_SIG indicates that an incorrect integrity check was
+   detected
+      for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
+      and GSS_S_GAP_TOKEN values appear in conjunction with the
+      optional per-message replay detection features described
+      in Section 1.2.3; their semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Unwrap()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Wrap(),  provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unwrap()  deciphers the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Wrap()  performs the
+   data integrity and data origin authentication checking functions of
+   GSS_VerifyMIC()  on the plaintext data. Plaintext data is returned in
+   output_message.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.4:  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 59]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.4.1:  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER,-GSS-API major_status or minor_status
+      return value
+
+   o  status_type INTEGER,-1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
+      status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable status
+      representation (possibly representing more than one status event
+      encoded within the status_value) is available in the returned
+      status_string_set.
+
+   o  GSS_S_BAD_MECH indicates that translation in accordance with an
+      unsupported mech_type was requested, so translation could not
+      be performed.
+
+   o  GSS_S_BAD_STATUS indicates that the input status_value was
+      invalid, or that the input status_type carried a value other
+      than 1 or 2, so translation could not be performed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.
+
+2.4.2:  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+
+
+
+
+Linn                        Standards Track                    [Page 60]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of available mechanisms has
+      been returned in mech_set.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from
+   GSS_Acquire_cred(),  and should not be needed by other callers.
+
+2.4.3:  GSS_Compare_name call
+
+   Inputs:
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that name1 and name2 were comparable,
+      and that the name_equal result indicates whether name1 and
+      name2 represent the same entity.
+
+   o  GSS_S_BAD_NAMETYPE indicates that one or both of name1 and
+      name2 contained internal type specifiers uninterpretable
+      by the applicable underlying GSS-API mechanism(s), or that
+      the two names' types are different and incomparable, so that
+      the comparison operation could not be completed.
+
+
+
+Linn                        Standards Track                    [Page 61]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_NAME indicates that one or both of the input names
+      was ill-formed in terms of its internal type specifier, so
+      the comparison operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the call's operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations to
+   determine whether they refer to the same entity.  If either name
+   presented to GSS_Compare_name() denotes an anonymous principal,
+   GSS_Compare_name() shall indicate FALSE.  It is not required that
+   either or both inputs name1 and name2 be MNs; for some
+   implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
+   indicating name incomparability, for the case where neither input
+   name is an MN.
+
+2.4.4:  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING,
+
+   o  name_type OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable name
+      representation is available in the returned name_string.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided name was of a
+      type uninterpretable by the applicable underlying GSS-API
+      mechanism(s), so no printable representation could be generated.
+
+   o  GSS_S_BAD_NAME indicates that the contents of the provided name
+      were inconsistent with the internally-indicated name type, so
+      no printable representation could be generated.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+
+Linn                        Standards Track                    [Page 62]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+   If the input name represents an anonymous identity, a reserved value
+   (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
+
+2.4.5:  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid name representation is
+      output in output_name and described by the type value in
+      output_name_type.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name_type is unsupported
+      by the applicable underlying GSS-API mechanism(s), so the import
+      operation could not be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided input_name_string
+      is ill-formed in terms of the input_name_type, so the import
+      operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a name representation as a contiguous octet
+   string, designate the type of namespace in conjunction with which it
+   should be parsed, and convert that representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name_string is defined in conjunction with its associated name
+   type; depending on the input_name_type, the associated
+   input_name_string may or may not be a printable string. Note: The
+   input_name_type argument serves to describe and qualify the
+
+
+
+Linn                        Standards Track                    [Page 63]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   interpretation of the associated input_name_string; it does not
+   specify the data type of the returned output_name.
+
+   If a mechanism claims support for a particular name type, its
+   GSS_Import_name() operation shall be able to accept all possible
+   values conformant to the external name syntax as defined for that
+   name type.  These imported values may correspond to:
+
+      (1) locally registered entities (for which credentials may be
+      acquired),
+
+      (2) non-local entities (for which local credentials cannot be
+      acquired, but which may be referenced as targets of initiated
+      security contexts or initiators of accepted security contexts), or
+      to
+
+      (3) neither of the above.
+
+   Determination of whether a particular name belongs to class (1), (2),
+   or (3) as described above is not guaranteed to be performed by the
+   GSS_Import_name() function.
+
+   The internal name generated by a GSS_Import_name() operation may be a
+   single-mechanism MN, and is likely to be an MN within a single-
+   mechanism implementation, but portable callers must not depend on
+   this property (and must not, therefore, assume that the output from
+   GSS_Import_name() can be passed directly to GSS_Export_name() without
+   first being processed through GSS_Canonicalize_name()).
+
+2.4.6: GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input name was successfully released.
+
+   o  GSS_S_BAD_NAME indicates that the input name argument did not
+      contain a valid name.
+
+
+
+Linn                        Standards Track                    [Page 64]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.  This call's specific behavior depends on the
+   language and programming environment within which a GSS-API
+   implementation operates, and is therefore detailed within applicable
+   bindings specifications; in particular, this call may be superfluous
+   within bindings where memory management is automatic.
+
+2.4.7: GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input buffer was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.  This call's specific
+   behavior depends on the language and programming environment within
+   which a GSS-API implementation operates, and is therefore detailed
+   within applicable bindings specifications; in particular, this call
+   may be superfluous within bindings where memory management is
+   automatic.
+
+2.4.8: GSS_Release_OID_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 65]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input object identifier set was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.  This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   this call may be superfluous within bindings where memory management
+   is automatic.
+
+2.4.9: GSS_Create_empty_OID_set call
+
+   Inputs:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Creates an object identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   GSS_Add_OID_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   GSS_Acquire_cred().
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 66]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.4.10: GSS_Add_OID_set_member call
+
+   Inputs:
+
+   o  member_oid OBJECT IDENTIFIER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Adds an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with GSS_Create_empty_OID_set()
+   when constructing a set of mechanism OIDs for input to
+   GSS_Acquire_cred().
+
+2.4.11: GSS_Test_OID_set_member call
+
+   Inputs:
+
+   o  member OBJECT IDENTIFIER,
+
+   o  set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  present BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+
+
+
+
+Linn                        Standards Track                    [Page 67]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Interrogates an Object Identifier set to determine whether a
+   specified Object Identifier is a member.  This routine is intended to
+   be used with OID sets returned by GSS_Indicate_mechs(),
+   GSS_Acquire_cred(), and GSS_Inquire_cred().
+
+2.4.12: GSS_Release_OID call
+
+   Inputs:
+
+   o  oid OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Allows the caller to release the storage associated with an OBJECT
+   IDENTIFIER buffer allocated by another GSS-API call. This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   this call may be superfluous within bindings where memory management
+   is automatic.
+
+2.4.13: GSS_OID_to_str call
+
+   Inputs:
+
+   o  oid OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_str OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+
+
+Linn                        Standards Track                    [Page 68]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   The function GSS_OID_to_str() returns a string representing the input
+   OID in numeric ASN.1 syntax format (curly-brace enclosed, space-
+   delimited, e.g., "{2 16 840 1 113687 1 2 1}"). The string is
+   releasable using GSS_Release_buffer(). If the input "oid" does not
+   represent a syntactically valid object identifier, GSS_S_FAILURE
+   status is returned and the returned oid_str result is NULL.
+
+2.4.14: GSS_Str_to_OID call
+
+   Inputs:
+
+   o  oid_str OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   The function GSS_Str_to_OID() constructs and returns an OID from its
+   printable form; implementations should be able to accept the numeric
+   ASN.1 syntax form as described for GSS_OID_to_str(), and this form
+   should be used for portability, but implementations of this routine
+   may also accept other formats (e.g., "1.2.3.3"). The OID is suitable
+   for release using the function GSS_Release_OID(). If the input
+   oid_str cannot be translated into an OID, GSS_S_FAILURE status is
+   returned and the "oid" result is NULL.
+
+2.4.15:  GSS_Inquire_names_for_mech call
+
+   Input:
+
+   o  input_mech_type OBJECT IDENTIFIER, -- mechanism type
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 69]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  minor_status INTEGER,
+
+   o  name_type_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the output name_type_set contains
+      a list of name types which are supported by the locally available
+      mechanism identified by input_mech_type.
+
+   o  GSS_S_BAD_MECH indicates that the mechanism identified by
+      input_mech_type was unsupported within the local implementation,
+      causing the query to fail.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of name types which are
+   supportable by a specific locally-available mechanism.
+
+2.4.16: GSS_Inquire_mechs_for_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_types SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of object identifiers,
+      corresponding to the set of mechanisms suitable for processing
+      the input_name, is available in mech_types.
+
+   o  GSS_S_BAD_NAME indicates that the input_name could not be
+      processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the type of the input_name
+      is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+Linn                        Standards Track                    [Page 70]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This routine returns the mechanism set with which the input_name may
+   be processed.  After use, the mech_types object should be freed by
+   the caller via the GSS_Release_OID_set() call.  Note: it is
+   anticipated that implementations of GSS_Inquire_mechs_for_name() will
+   commonly operate based on type information describing the
+   capabilities of available mechanisms; it is not guaranteed that all
+   identified mechanisms will necessarily be able to canonicalize (via
+   GSS_Canonicalize_name()) a particular name.
+
+2.4.17: GSS_Canonicalize_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER  -- must be explicit mechanism,
+                                      not "default" specifier
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a mechanism-specific reduction of
+      the input_name, as processed by the mechanism identified by
+      mech_type, is available in output_name.
+
+   o  GSS_S_BAD_MECH indicates that the identified mechanism is
+      unsupported.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name does not
+      contain an element with suitable type for processing by the
+      identified mechanism.
+
+   o  GSS_S_BAD_NAME indicates that the input name contains an
+      element with suitable type for processing by the identified
+      mechanism, but that this element could not be processed
+      successfully.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 71]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This routine reduces a GSS-API internal name, which may in general
+   contain elements corresponding to multiple mechanisms, to a
+   mechanism-specific Mechanism Name (MN) by applying the translations
+   corresponding to the mechanism identified by mech_type.
+
+2.4.18: GSS_Export_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME, -- required to be MN
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a flat representation of the
+      input name is available in output_name.
+
+   o  GSS_S_NAME_NOT_MN indicates that the input name contained
+      elements corresponding to multiple mechanisms, so cannot
+      be exported into a single-mechanism flat form.
+
+   o  GSS_S_BAD_NAME indicates that the input name was an MN,
+      but could not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name was an MN,
+      but that its type is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   This routine creates a flat name representation, suitable for
+   bytewise comparison or for input to GSS_Import_name() in conjunction
+   with the reserved GSS-API Exported Name Object OID, from a internal-
+   form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name()
+   or GSS_Accept_sec_context().
+
+   The emitted GSS-API Exported Name Object is self-describing; no
+   associated parameter-level OID need be emitted by this call.  This
+   flat representation consists of a mechanism-independent wrapper
+   layer, defined in Section 3.2 of this document, enclosing a
+   mechanism-defined name representation.
+
+
+
+Linn                        Standards Track                    [Page 72]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   In all cases, the flat name output by GSS_Export_name() to correspond
+   to a particular input MN must be invariant over time within a
+   particular installation.
+
+   The GSS_S_NAME_NOT_MN status code is provided to enable
+   implementations to reject input names which are not MNs.  It is not,
+   however, required for purposes of conformance to this specification
+   that all non-MN input names must necessarily be rejected.
+
+2.4.19: GSS_Duplicate_name call
+
+   Inputs:
+
+   o  src_name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  dest_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that dest_name references an internal
+      name object containing the same name as passed to src_name.
+
+   o  GSS_S_BAD_NAME indicates that the input name was invalid.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name's type
+      is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   This routine takes input internal name src_name, and returns another
+   reference (dest_name) to that name which can be used even if src_name
+   is later freed.  (Note: This may be implemented by copying or through
+   use of reference counts.)
+
+3: Data Structure Definitions for GSS-V2 Usage
+
+   Subsections of this section define, for interoperability and
+   portability purposes, certain data structures for use with GSS-V2.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 73]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+3.1: Mechanism-Independent Token Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for the initial token of a GSS-API context
+   establishment sequence, incorporating an identifier of the mechanism
+   type to be used on that context and enabling tokens to be interpreted
+   unambiguously at GSS-API peers. Use of this format is required for
+   initial context establishment tokens of Internet standards-track
+   GSS-API mechanisms; use in non-initial tokens is optional.
+
+   The encoding format for the token tag is derived from ASN.1 and DER
+   (per illustrative ASN.1 syntax included later within this
+   subsection), but its concrete representation is defined directly in
+   terms of octets rather than at the ASN.1 level in order to facilitate
+   interoperable implementation without use of general ASN.1 processing
+   code.  The token tag consists of the following elements, in order:
+
+      1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that
+      constructed form, definite length encoding follows.
+
+      2. Token length octets, specifying length of subsequent data
+      (i.e., the summed lengths of elements 3-5 in this list, and of the
+      mechanism-defined token object following the tag).  This element
+      comprises a variable number of octets:
+
+      2a. If the indicated value is less than 128, it shall be
+      represented in a single octet with bit 8 (high order) set to "0"
+      and the remaining bits representing the value.
+
+      2b. If the indicated value is 128 or more, it shall be represented
+      in two or more octets, with bit 8 of the first octet set to "1"
+      and the remaining bits of the first octet specifying the number of
+      additional octets.  The subsequent octets carry the value, 8 bits
+      per octet, most significant digit first.  The minimum number of
+      octets shall be used to encode the length (i.e., no octets
+      representing leading zeros shall be included within the length
+      encoding).
+
+      3. 0x06 -- Tag for OBJECT IDENTIFIER
+
+      4. Object identifier length -- length (number of octets) of the
+      encoded object identifier contained in element 5, encoded per
+      rules as described in 2a. and 2b. above.
+
+      5. Object identifier octets -- variable number of octets, encoded
+      per ASN.1 BER rules:
+
+
+
+
+
+Linn                        Standards Track                    [Page 74]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      5a. The first octet contains the sum of two values: (1) the top-
+      level object identifier component, multiplied by 40 (decimal), and
+      (2) the second-level object identifier component.  This special
+      case is the only point within an object identifier encoding where
+      a single octet represents contents of more than one component.
+
+      5b. Subsequent octets, if required, encode successively-lower
+      components in the represented object identifier.  A component's
+      encoding may span multiple octets, encoding 7 bits per octet (most
+      significant bits first) and with bit 8 set to "1" on all but the
+      final octet in the component's encoding.  The minimum number of
+      octets shall be used to encode each component (i.e., no octets
+      representing leading zeros shall be included within a component's
+      encoding).
+
+      (Note: In many implementations, elements 3-5 may be stored and
+      referenced as a contiguous string constant.)
+
+   The token tag is immediately followed by a mechanism-defined token
+   object.  Note that no independent size specifier intervenes following
+   the object identifier value to indicate the size of the mechanism-
+   defined token object.  While ASN.1 usage within mechanism-defined
+   tokens is permitted, there is no requirement that the mechanism-
+   specific innerContextToken, innerMsgToken, and sealedUserData data
+   elements must employ ASN.1 BER/DER encoding conventions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 75]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following ASN.1 syntax is included for descriptive purposes only,
+   to illustrate structural relationships among token and tag objects.
+   For interoperability purposes, token and tag encoding shall be
+   performed using the concrete encoding procedures described earlier in
+   this subsection.
+
+       GSS-API DEFINITIONS ::=
+
+       BEGIN
+
+       MechType ::= OBJECT IDENTIFIER
+       -- data structure definitions
+
+       -- callers must be able to distinguish among
+       -- InitialContextToken, SubsequentContextToken,
+       -- PerMsgToken, and SealedMessage data elements
+       -- based on the usage in which they occur
+
+       InitialContextToken ::=
+       -- option indication (delegation, etc.) indicated within
+       -- mechanism-specific token
+       [APPLICATION 0] IMPLICIT SEQUENCE {
+               thisMech MechType,
+               innerContextToken ANY DEFINED BY thisMech
+                  -- contents mechanism-specific
+                  -- ASN.1 structure not required
+               }
+
+       SubsequentContextToken ::= innerContextToken ANY
+       -- interpretation based on predecessor InitialContextToken
+       -- ASN.1 structure not required
+
+       PerMsgToken ::=
+       -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
+       -- ASN.1 structure not required
+               innerMsgToken ANY
+
+       SealedMessage ::=
+       -- as emitted by GSS_Wrap and processed by GSS_Unwrap
+       -- includes internal, mechanism-defined indicator
+       -- of whether or not encrypted
+       -- ASN.1 structure not required
+               sealedUserData ANY
+
+       END
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 76]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+3.2: Mechanism-Independent Exported Name Object Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for names exported via the GSS_Export_name() call,
+   including an object identifier representing the exporting mechanism.
+   The format of names encapsulated via this representation shall be
+   defined within individual mechanism drafts.  Name objects of this
+   type will be identified with the following Object Identifier:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   4(gss-api-exported-name)}
+
+   No name type OID is included in this mechanism-independent level of
+   format definition, since (depending on individual mechanism
+   specifications) the enclosed name may be implicitly typed or may be
+   explicitly typed using a means other than OID encoding.
+
+        Length    Name          Description
+
+        2               TOK_ID          Token Identifier
+                                        For exported name objects, this
+                                        must be hex 04 01.
+        2               MECH_OID_LEN    Length of the Mechanism OID
+        MECH_OID_LEN    MECH_OID        Mechanism OID, in DER
+        4               NAME_LEN        Length of name
+        NAME_LEN        NAME            Exported name; format defined in
+                                        applicable mechanism draft.
+
+4: Name Type Definitions
+
+   This section includes definitions for name types and associated
+   syntaxes which are defined in a mechanism-independent fashion at the
+   GSS-API level rather than being defined in individual mechanism
+   specifications.
+
+4.1: Host-Based Service Name Form
+
+   The following Object Identifier value is provided as a means to
+   identify this name form:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   2(gss-host-based-services)}
+
+   The recommended symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 77]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This name type is used to represent services associated with host
+   computers.  This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+                             service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   is canonicalized by attempting a DNS lookup and using the fully-
+   qualified domain name which is returned, or by using the "hostname"
+   as provided if the DNS lookup fails.  The canonicalization operation
+   also maps the host's name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Values for the "service" element are registered with the IANA.
+
+4.2: User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}. The recommended mechanism-independent
+   symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same
+   name form and OID is defined within the Kerberos V5 GSS-API
+   mechanism, but the symbolic name recommended there begins with a
+   "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a named user on a local system.
+   Its interpretation is OS-specific.  This name form is constructed as:
+
+                                 username
+
+4.3: Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended mechanism-
+   independent symbolic name for this type is
+   "GSS_C_NT_MACHINE_UID_NAME".  (Note: the same name form and OID is
+   defined within the Kerberos V5 GSS-API mechanism, but the symbolic
+   name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant uid_t, represented in host byte
+
+
+
+Linn                        Standards Track                    [Page 78]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+4.4: String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_C_NT_STRING_UID_NAME".  (Note: the same name form
+   and OID is defined within the Kerberos V5 GSS-API mechanism, but the
+   symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the uid_t.
+
+5:  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+5.1: Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context()  yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+
+
+
+
+Linn                        Standards Track                    [Page 79]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_GetMIC(),
+   GSS_VerifyMIC(),  GSS_Wrap(), and GSS_Unwrap() operations.
+
+5.2: Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_S_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context()  returns
+   GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context()  builds a Kerberos-formatted authenticator,
+
+
+
+Linn                        Standards Track                    [Page 80]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   and returns it in output_token along with GSS_S_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_S_COMPLETE.
+
+   GSS_GetMIC(),  GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap()  as
+   above.
+
+5.3:  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred()  call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(),  which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable integrity
+   checks were applied by trusted authorities and that those
+   certificates have not expired. GSS_Init_sec_context()  generates a
+   secret key for use in per-message protection operations on the
+   context, and enciphers that secret key under the service's public
+   key.
+
+   The enciphered secret key, along with an authenticator quantity
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+
+
+
+Linn                        Standards Track                    [Page 81]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_GetMIC()  or GSS_Wrap() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_VerifyMIC()  and GSS_Unwrap() calls.
+
+6:  Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+7:  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats and processing procedures must be
+      defined for candidate mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed, as RFC-1509
+   defines for the C programming language and GSS-V1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 82]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+APPENDIX A
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+APPENDIX B
+
+                         COMPATIBILITY WITH GSS-V1
+
+   It is the intent of this document to define an interface and
+   procedures which preserve compatibility between GSS-V1 (RFC-1508)
+   callers and GSS- V2 providers.  All calls defined in GSS-V1 are
+   preserved, and it has been a goal that GSS-V1 callers should be able
+   to operate atop GSS-V2 provider implementations.  Certain detailed
+   changes, summarized in this section, have been made in order to
+   resolve omissions identified in GSS-V1.
+
+   The following GSS-V1 constructs, while supported within GSS-V2, are
+   deprecated:
+
+      Names for per-message processing routines: GSS_Seal() deprecated
+      in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
+      GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
+      GSS_Verify() deprecated in favor of GSS_VerifyMIC().
+
+      GSS_Delete_sec_context() facility for context_token usage,
+      allowing mechanisms to signal context deletion, is retained for
+      compatibility with GSS-V1.  For current usage, it is recommended
+      that both peers to a context invoke GSS_Delete_sec_context()
+      independently, passing a null output_context_token buffer to
+      indicate that no context_token is required.  Implementations of
+      GSS_Delete_sec_context() should delete relevant locally-stored
+      context information.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 83]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This GSS-V2 specification adds the following calls which are not
+   present in GSS-V1:
+
+      Credential management calls: GSS_Add_cred(),
+      GSS_Inquire_cred_by_mech().
+
+      Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
+      GSS_Export_sec_context(), GSS_Import_sec_context().
+
+      Per-message calls: No new calls.  Existing calls have been renamed.
+
+      Support calls: GSS_Create_empty_OID_set(),
+      GSS_Add_OID_set_member(), GSS_Test_OID_set_member(),
+      GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(),
+      GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(),
+      GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
+
+   This GSS-V2 specification introduces three new facilities applicable
+   to security contexts, indicated using the following context state
+   values which are not present in GSS-V1:
+
+      anon_state, set TRUE to indicate that a context's initiator is
+      anonymous from the viewpoint of the target; Section 1.2.5 of this
+      specification provides a summary description of the GSS-V2
+      anonymity support facility, support and use of which is optional.
+
+      prot_ready_state, set TRUE to indicate that a context may be used
+      for per-message protection before final completion of context
+      establishment; Section 1.2.7 of this specification provides a
+      summary description of the GSS-V2 facility enabling mechanisms to
+      selectively permit per-message protection during context
+      establishment, support and use of which is optional.
+
+      trans_state, set TRUE to indicate that a context is transferable to
+      another process using the GSS-V2 GSS_Export_sec_context() facility.
+
+   These state values are represented (at the C bindings level) in
+   positions within a bit vector which are unused in GSS-V1, and may be
+   safely ignored by GSS-V1 callers.
+
+   Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
+   implementors in the following areas: implementation robustness,
+   credential management, behavior in multi-mechanism configurations,
+   naming support, and inclusion of optional sequencing services.  The
+   token tagging facility as defined in GSS-V2, Section 3.1, is now
+   described directly in terms of octets to facilitate interoperable
+   implementation without general ASN.1 processing code; the
+   corresponding ASN.1 syntax, included for descriptive purposes, is
+
+
+
+Linn                        Standards Track                    [Page 84]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   unchanged from that in GSS-V1. For use in conjunction with added
+   naming support facilities, a new Exported Name Object construct is
+   added.  Additional name types are introduced in Section 4.
+
+   This GSS-V2 specification adds the following major_status values
+   which are not defined in GSS-V1:
+
+     GSS_S_BAD_QOP                 unsupported QOP value
+     GSS_S_UNAUTHORIZED            operation unauthorized
+     GSS_S_UNAVAILABLE             operation unavailable
+     GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+     GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+     GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                    detected
+
+   Of these added status codes, only two values are defined to be
+   returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
+   GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
+   GSS_VerifyMIC() and GSS_Unwrap()).
+
+   Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
+   have been updated to allow return of additional major_status values
+   from the set as defined in GSS-V1: GSS_Inquire_cred() has
+   GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
+   returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
+   GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
+   GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
+
+Author's Address
+
+   John Linn
+   OpenVision Technologies
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.2245
+   EMail: John.Linn@ov.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 85]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2203.txt b/crypto/heimdal/doc/standardisation/rfc2203.txt
new file mode 100644
index 0000000..2f6a8a0
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2203.txt
@@ -0,0 +1,1291 @@
+
+
+
+
+
+
+Network Working Group                                          M. Eisler
+Request for Comments: 2203                                       A. Chiu
+Category: Standards Track                                        L. Ling
+                                                          September 1997
+
+
+                   RPCSEC_GSS Protocol Specification
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This memo describes an ONC/RPC security flavor that allows RPC
+   protocols to access the Generic Security Services Application
+   Programming Interface (referred to henceforth as GSS-API).
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+   2.  The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2
+   3.  Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3
+   4.  New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3
+   5.  Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3
+   5.1.  Version Selection  . . . . . . . . . . . . . . . . . . . . . 5
+   5.2.  Context Creation . . . . . . . . . . . . . . . . . . . . . . 5
+   5.2.1.  Mechanism and QOP Selection  . . . . . . . . . . . . . . . 5
+   5.2.2.  Context Creation Requests  . . . . . . . . . . . . . . . . 6
+   5.2.3.  Context Creation Responses . . . . . . . . . . . . . . . . 8
+   5.2.3.1.  Context Creation Response - Successful Acceptance  . . . 8
+   5.2.3.1.1.  Client Processing of Successful Context Creation
+               Responses  . . . . . . . . . . . . . . . . . . . . . . 9
+   5.2.3.2.  Context Creation Response - Unsuccessful Cases . . . . . 9
+   5.3.  RPC Data Exchange  . . . . . . . . . . . . . . . . . . . .  10
+   5.3.1.  RPC Request Header . . . . . . . . . . . . . . . . . . .  10
+   5.3.2.  RPC Request Data . . . . . . . . . . . . . . . . . . . .  11
+   5.3.2.1.  RPC Request Data - No Data Integrity . . . . . . . . .  11
+   5.3.2.2.  RPC Request Data - With Data Integrity . . . . . . . .  11
+   5.3.2.3.  RPC Request Data - With Data Privacy . . . . . . . . .  12
+   5.3.3.  Server Processing of RPC Data Requests . . . . . . . . .  12
+   5.3.3.1.  Context Management . . . . . . . . . . . . . . . . . .  12
+   5.3.3.2.  Server Reply - Request Accepted  . . . . . . . . . . .  14
+   5.3.3.3.  Server Reply - Request Denied  . . . . . . . . . . . .  15
+
+
+
+Eisler, et. al.             Standards Track                     [Page 1]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   5.3.3.4.  Mapping of GSS-API Errors to Server Responses  . . . .  16
+   5.3.3.4.1.  GSS_GetMIC() Failure . . . . . . . . . . . . . . . .  16
+   5.3.3.4.2.  GSS_VerifyMIC() Failure  . . . . . . . . . . . . . .  16
+   5.3.3.4.3.  GSS_Unwrap() Failure . . . . . . . . . . . . . . . .  16
+   5.3.3.4.4.  GSS_Wrap() Failure . . . . . . . . . . . . . . . . .  16
+   5.4.  Context Destruction  . . . . . . . . . . . . . . . . . . .  17
+   6.  Set of GSS-API Mechanisms  . . . . . . . . . . . . . . . . .  17
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . .  18
+   7.1.  Privacy of Call Header . . . . . . . . . . . . . . . . . .  18
+   7.2.  Sequence Number Attacks  . . . . . . . . . . . . . . . . .  18
+   7.2.1.  Sequence Numbers Above the Window  . . . . . . . . . . .  18
+   7.2.2.  Sequence Numbers Within or Below the Window  . . . . . .  18
+   7.3.  Message Stealing Attacks . . . . . . . . . . . . . . . . .  19
+   Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . .  20
+   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . .  22
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  23
+
+1.  Introduction
+
+   This document describes the protocol used by the RPCSEC_GSS security
+   flavor.  Security flavors have been called authentication flavors for
+   historical reasons. This memo recognizes that there are two other
+   security services besides authentication, integrity, and privacy, and
+   so defines a new RPCSEC_GSS security flavor.
+
+   The protocol is described using the XDR language [Srinivasan-xdr].
+   The reader is assumed to be familiar with ONC RPC and the security
+   flavor mechanism [Srinivasan-rpc].  The reader is also assumed to be
+   familiar with the GSS-API framework [Linn].  The RPCSEC_GSS security
+   flavor uses GSS-API interfaces to provide security services that are
+   independent of the underlying security mechanism.
+
+2.  The ONC RPC Message Protocol
+
+   This memo refers to the following XDR types of the ONC RPC protocol,
+   which are described in the document entitled Remote Procedure Call
+   Protocol Specification Version 2 [Srinivasan-rpc]:
+
+      msg_type
+      reply_stat
+      auth_flavor
+      accept_stat
+      reject_stat
+      auth_stat
+      opaque_auth
+      rpc_msg
+      call_body
+      reply_body
+
+
+
+Eisler, et. al.             Standards Track                     [Page 2]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+      accepted_reply
+      rejected_reply
+
+3.  Flavor Number Assignment
+
+   The RPCSEC_GSS security flavor has been assigned the value of 6:
+
+      enum auth_flavor {
+          ...
+          RPCSEC_GSS = 6      /* RPCSEC_GSS security flavor */
+      };
+
+4.  New auth_stat Values
+
+   RPCSEC_GSS requires the addition of two new values to the auth_stat
+   enumerated type definition:
+
+      enum auth_stat {
+              ...
+              /*
+               * RPCSEC_GSS errors
+               */
+              RPCSEC_GSS_CREDPROBLEM = 13,
+              RPCSEC_GSS_CTXPROBLEM = 14
+      };
+
+   The descriptions of these two new values are defined later in this
+   memo.
+
+5.  Elements of the RPCSEC_GSS Security Protocol
+
+   An RPC session based on the RPCSEC_GSS security flavor consists of
+   three phases: context creation, RPC data exchange, and context
+   destruction.  In the following discussion, protocol elements for
+   these three phases are described.
+
+   The following description of the RPCSEC_GSS protocol uses some of the
+   definitions within XDR language description of the RPC protocol.
+
+   Context creation and destruction use control messages that are not
+   dispatched to service procedures registered by an RPC server.  The
+   program and version numbers used in these control messages are the
+   same as the RPC service's program and version numbers.  The procedure
+   number used is NULLPROC (zero).  A field in the credential
+   information (the gss_proc field which is defined in the
+   rpc_gss_cred_t structure below) specifies whether a message is to be
+   interpreted as a control message or a regular RPC message.  If this
+   field is set to RPCSEC_GSS_DATA, no control action is implied; in
+
+
+
+Eisler, et. al.             Standards Track                     [Page 3]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   this case, it is a regular data message.  If this field is set to any
+   other value, a control action is implied.  This is described in the
+   following sections.
+
+   Just as with normal RPC data exchange messages, the transaction
+   identifier (the xid field in struct rpc_msg), should be set to unique
+   values on each call for context creation and context destruction.
+
+   The following definitions are used for describing the protocol.
+
+      /* RPCSEC_GSS control procedures */
+
+
+      enum rpc_gss_proc_t {
+              RPCSEC_GSS_DATA = 0,
+              RPCSEC_GSS_INIT = 1,
+              RPCSEC_GSS_CONTINUE_INIT = 2,
+              RPCSEC_GSS_DESTROY = 3
+      };
+
+      /* RPCSEC_GSS services */
+
+      enum rpc_gss_service_t {
+          /* Note: the enumerated value for 0 is reserved. */
+          rpc_gss_svc_none = 1,
+          rpc_gss_svc_integrity = 2,
+          rpc_gss_svc_privacy = 3
+      };
+
+      /* Credential */
+
+      /*
+       * Note: version 0 is reserved for possible future
+       * definition of a version negotiation protocol
+       *
+       */
+      #define RPCSEC_GSS_VERS_1 1
+
+      struct rpc_gss_cred_t {
+          union switch (unsigned int version) { /* version of
+                                                      RPCSEC_GSS */
+          case RPCSEC_GSS_VERS_1:
+              struct {
+                  rpc_gss_proc_t gss_proc;  /* control procedure */
+                  unsigned int seq_num;   /* sequence number */
+                  rpc_gss_service_t service; /* service used */
+                  opaque handle<>;       /* context handle */
+              } rpc_gss_cred_vers_1_t;
+
+
+
+Eisler, et. al.             Standards Track                     [Page 4]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+          }
+      };
+
+      /* Maximum sequence number value */
+
+      #define MAXSEQ 0x80000000
+
+5.1.  Version Selection
+
+   This document defines just one protocol version (RPCSEC_GSS_VERS_1).
+   The client should assume that the server supports RPCSEC_GSS_VERS_1
+   and issue a Context Creation message (as described in the section
+   RPCSEC_GSS_VERS_1, the RPC response will have a reply_stat of
+   MSG_DENIED, a rejection status of AUTH_ERROR, and an auth_stat of
+   AUTH_REJECTED_CRED.
+
+5.2.  Context Creation
+
+   Before RPC data is exchanged on a session using the RPCSEC_GSS
+   flavor, a context must be set up between the client and the server.
+   Context creation may involve zero or more RPC exchanges.  The number
+   of exchanges depends on the security mechanism.
+
+5.2.1.  Mechanism and QOP Selection
+
+   There is no facility in the RPCSEC_GSS protocol to negotiate GSS-API
+   mechanism identifiers or QOP values. At minimum, it is expected that
+   implementations of the RPCSEC_GSS protocol provide a means to:
+
+   *    specify mechanism identifiers, QOP values, and RPCSEC_GSS
+        service values on the client side, and to
+
+   *    enforce mechanism identifiers, QOP values, and RPCSEC_GSS
+        service values on a per-request basis on the server side.
+
+   It is necessary that above capabilities exist so that applications
+   have the means to conform the required set of required set of
+   <mechanism, QOP, service> tuples (See the section entitled Set of
+   GSS-API Mechanisms).  An application may negotiate <mechanism, QOP,
+   service> selection within its protocol or via an out of band
+   protocol. Hence it may be necessary for RPCSEC_GSS implementations to
+   provide programming interfaces for the specification and enforcement
+   of <mechanism, QOP, service>.
+
+   Additionally, implementations may depend on negotiation schemes
+   constructed as pseudo-mechanisms under the GSS-API.  Because such
+   schemes are below the GSS-API layer, the RPCSEC_GSS protocol, as
+   specified in this document, can make use of them.
+
+
+
+Eisler, et. al.             Standards Track                     [Page 5]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.2.2.  Context Creation Requests
+
+   The first RPC request from the client to the server initiates context
+   creation.  Within the RPC message protocol's call_body structure,
+   rpcvers is set to 2. prog and vers are always those for the service
+   being accessed.  The proc is always set to NULLPROC (zero).
+
+   Within the RPC message protocol's cred structure, flavor is set to
+   RPCSEC_GSS (6).  The opaque data of the cred structure (the body
+   field) constituting the credential encodes the rpc_gss_cred_t
+   structure defined previously.
+
+   The values of the fields contained in the rpc_gss_cred_t structure
+   are set as follows.  The version field is set to the version of the
+   RPCSEC_GSS protocol the client wants to use.  The remainder of this
+   memo documents version RPCSEC_GSS_VERS_1 of RPCSEC_GSS, and so the
+   version field would be set to RPCSEC_GSS_VERS_1.  The gss_proc field
+   must be set to RPCSEC_GSS_INIT for the first creation request.  In
+   subsequent creation requests, the gss_proc field must be set to
+   RPCSEC_GSS_CONTINUE_INIT.  In a creation request, the seq_num and
+   service fields are undefined and both must be ignored by the server.
+   In the first creation request, the handle field is NULL (opaque data
+   of zero length).  In subsequent creation requests, handle must be
+   equal to the value returned by the server.  The handle field serves
+   as the identifier for the context, and will not change for the
+   duration of the context, including responses to
+   RPCSEC_GSS_CONTINUE_INIT.
+
+   The verifier field in the RPC message header is also described by the
+   opaque_auth structure.  All creation requests have the NULL verifier
+   (AUTH_NONE flavor with zero length opaque data).
+
+   Following the verifier are the call data (procedure specific
+   parameters).  Note that the proc field of the call_body structure is
+   set to NULLPROC, and thus normally there would be zero octets
+   following the verifier.  However, since there is no RPC data exchange
+   during a context creation, it is safe to transfer information
+   following the verifier.  It is necessary to "overload" the call data
+   in this way, rather than pack the GSS-API token into the RPC header,
+   because RPC Version 2 restricts the amount of data that can be sent
+   in the header.  The opaque body of the credential and verifier fields
+   can be each at most 400 octets long, and GSS tokens can be longer
+   than 800 octets.
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 6]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The call data for a context creation request is described by the
+   following structure for all creation requests:
+
+      struct rpc_gss_init_arg {
+          opaque gss_token<>;
+      };
+
+   Here, gss_token is the token returned by the call to  GSS-API's
+   GSS_Init_sec_context() routine, opaquely encoded.  The value of this
+   field will likely be different in each creation request, if there is
+   more than one creation request.  If no token is returned by the call
+   to GSS_Init_sec_context(), the context must have been created
+   (assuming no errors), and there will not be any more creation
+   requests.
+
+   When GSS_Init_sec_context() is called, the parameters
+   replay_det_req_flag and sequence_req_flag must be turned off. The
+   reasons for this are:
+
+   *    ONC RPC can be used over unreliable transports and provides no
+        layer to reliably re-assemble messages. Thus it is possible for
+        gaps in message sequencing to occur, as well as out of order
+        messages.
+
+   *    RPC servers can be multi-threaded, and thus the order in which
+        GSS-API messages are signed or wrapped can be different from the
+        order in which the messages are verified or unwrapped, even if
+        the requests are sent on reliable transports.
+
+   *    To maximize convenience of implementation, the order in which an
+        ONC RPC entity will verify the header and verify/unwrap the body
+        of an RPC call or reply is left unspecified.
+
+   The RPCSEC_GSS protocol provides for protection from replay attack,
+   yet tolerates out-of-order delivery or processing of messages and
+   tolerates dropped requests.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 7]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.2.3.  Context Creation Responses
+
+5.2.3.1.  Context Creation Response - Successful Acceptance
+
+   The response to a successful creation request has an MSG_ACCEPTED
+   response with a status of SUCCESS.  The results field encodes a
+   response with the following structure:
+
+      struct rpc_gss_init_res {
+              opaque handle<>;
+              unsigned int gss_major;
+              unsigned int gss_minor;
+              unsigned int seq_window;
+              opaque gss_token<>;
+      };
+
+   Here, handle is non-NULL opaque data that serves as the context
+   identifier. The client must use this value in all subsequent requests
+   whether control messages or otherwise).  The gss_major and gss_minor
+   fields contain the results of the call to GSS_Accept_sec_context()
+   executed by the server.  The values for the gss_major field are
+   defined in Appendix A of this document.  The values for the gss_minor
+   field are GSS-API mechanism specific and are defined in the
+   mechanism's specification.  If gss_major is not one of GSS_S_COMPLETE
+   or GSS_S_CONTINUE_NEEDED, the context setup has failed; in this case
+   handle and gss_token must be set to NULL by the server.  The value of
+   gss_minor is dependent on the value of gss_major and the security
+   mechanism used.  The gss_token field contains any token returned by
+   the GSS_Accept_sec_context() call executed by the server.  A token
+   may be returned for both successful values of gss_major.  If the
+   value is GSS_S_COMPLETE, it indicates that the server is not
+   expecting any more tokens, and the RPC Data Exchange phase must begin
+   on the subsequent request from the client. If the value is
+   GSS_S_CONTINUE_NEEDED, the server is expecting another token.  Hence
+   the client must send at least one more creation request (with
+   gss_proc set to RPCSEC_GSS_CONTINUE_INIT in the request's credential)
+   carrying the required token.
+
+   In a successful response, the seq_window field is set to the sequence
+   window length supported by the server for this context.  This window
+   specifies the maximum number of client requests that may be
+   outstanding for this context. The server will accept "seq_window"
+   requests at a time, and these may be out of order.  The client may
+   use this number to determine the number of threads that can
+   simultaneously send requests on this context.
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 8]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   If gss_major is GSS_S_COMPLETE, the verifier's (the verf element in
+   the response) flavor field is set to RPCSEC_GSS, and the body field
+   set to the checksum of the seq_window (in network order). The QOP
+   used for this checksum is 0 (zero), which is the default QOP.  For
+   all other values of gss_major, a NULL verifier (AUTH_NONE flavor with
+   zero-length opaque data) is used.
+
+5.2.3.1.1.  Client Processing of Successful Context Creation Responses
+
+   If the value of gss_major in the response is GSS_S_CONTINUE_NEEDED,
+   then the client, per the GSS-API specification, must invoke
+   GSS_Init_sec_context() using the token returned in gss_token in the
+   context creation response. The client must then generate a context
+   creation request, with gss_proc set to RPCSEC_GSS_CONTINUE_INIT.
+
+   If the value of gss_major in the response is GSS_S_COMPLETE, and if
+   the client's previous invocation of GSS_Init_sec_context() returned a
+   gss_major value of GSS_S_CONTINUE_NEEDED, then the client, per the
+   GSS-API specification, must invoke GSS_Init_sec_context() using the
+   token returned in gss_token in the context creation response. If
+   GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is
+   successfully set up, and the RPC data exchange phase must begin on
+   the subsequent request from the client.
+
+5.2.3.2.  Context Creation Response - Unsuccessful Cases
+
+   An MSG_ACCEPTED reply (to a creation request) with an acceptance
+   status of other than SUCCESS has a NULL verifier (flavor set to
+   AUTH_NONE, and zero length opaque data in the body field), and is
+   formulated as usual for different status values.
+
+   An MSG_DENIED reply (to a creation request) is also formulated as
+   usual.  Note that MSG_DENIED could be returned because the server's
+   RPC implementation does not recognize the RPCSEC_GSS security flavor.
+   RFC 1831 does not specify the appropriate reply status in this
+   instance, but common implementation practice appears to be to return
+   a rejection status of AUTH_ERROR with an auth_stat of
+   AUTH_REJECTEDCRED. Even though two new values (RPCSEC_GSS_CREDPROBLEM
+   and RPCSEC_GSS_CTXPROBLEM) have been defined for the auth_stat type,
+   neither of these two can be returned in responses to context creation
+   requests.  The auth_stat new values can be used for responses to
+   normal (data) requests.  This is described later.
+
+   MSG_DENIED might also be returned if the RPCSEC_GSS version number in
+   the credential is not supported on the server. In that case, the
+   server returns a rejection status of AUTH_ERROR, with an auth_stat of
+
+   AUTH_REJECTED_CRED.
+
+
+
+Eisler, et. al.             Standards Track                     [Page 9]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.  RPC Data Exchange
+
+   The data exchange phase is entered after a context has been
+   successfully set up. The format of the data exchanged depends on the
+   security service used for the request.  Although clients can change
+   the security service and QOP used on a per-request basis, this may
+   not be acceptable to all RPC services; some RPC services may "lock"
+   the data exchange phase into using the QOP and service used on the
+   first data exchange message.  For all three modes of service (no data
+   integrity, data integrity, data privacy), the RPC request header has
+   the same format.
+
+5.3.1.  RPC Request Header
+
+   The credential has the opaque_auth structure described earlier.  The
+   flavor field is set to RPCSEC_GSS.  The credential body is created by
+   XDR encoding the rpc_gss_cred_t structure listed earlier into an
+   octet stream, and then opaquely encoding this octet stream as the
+   body field.
+
+   Values of the fields contained in the rpc_gss_cred_t structure are
+   set as follows.  The version field is set to same version value that
+   was used to create the context, which within the scope of this memo
+   will always be RPCSEC_GSS_VERS_1.  The gss_proc field is set to
+   RPCSEC_GSS_DATA.  The service field is set to indicate the desired
+   service (one of rpc_gss_svc_none, rpc_gss_svc_integrity, or
+   rpc_gss_svc_privacy).  The handle field is set to the context handle
+   value received from the RPC server during context creation.  The
+   seq_num field can start at any value below MAXSEQ, and must be
+   incremented (by one or more) for successive requests.  Use of
+   sequence numbers is described in detail when server processing of the
+   request is discussed.
+
+   The verifier has the opaque_auth structure described earlier.  The
+   flavor field is set to RPCSEC_GSS.  The body field is set as follows.
+   The checksum of the RPC header (up to and including the credential)
+   is computed using the GSS_GetMIC() call with the desired QOP.  This
+   returns the checksum as an opaque octet stream and its length.  This
+   is encoded into the body field.  Note that the QOP is not explicitly
+   specified anywhere in the request.  It is implicit in the checksum or
+   encrypted data.  The same QOP value as is used for the header
+   checksum must also be used for the data (for checksumming or
+   encrypting), unless the service used for the request is
+   rpc_gss_svc_none.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 10]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.2.  RPC Request Data
+
+5.3.2.1.  RPC Request Data - No Data Integrity
+
+   If the service specified is rpc_gss_svc_none, the data (procedure
+   arguments) are not integrity or privacy protected.  They are sent in
+   exactly the same way as they would be if the AUTH_NONE flavor were
+   used (following the verifier).  Note, however, that since the RPC
+   header is integrity protected, the sender will still be authenticated
+   in this case.
+
+5.3.2.2.  RPC Request Data - With Data Integrity
+
+   When data integrity is used, the request data is represented as
+   follows:
+
+      struct rpc_gss_integ_data {
+          opaque databody_integ<>;
+          opaque checksum<>;
+      };
+
+   The databody_integ field is created as follows.  A structure
+   consisting of a sequence number followed by the procedure arguments
+   is constructed. This is shown below as the type rpc_gss_data_t:
+
+      struct rpc_gss_data_t {
+          unsigned int seq_num;
+          proc_req_arg_t arg;
+      };
+
+   Here, seq_num must have the same value as in the credential.  The
+   type proc_req_arg_t is the procedure specific XDR type describing the
+   procedure arguments (and so is not specified here).  The octet stream
+   corresponding to the XDR encoded rpc_gss_data_t structure and its
+   length are placed in the databody_integ field. Note that because the
+   XDR type of databody_integ is opaque, the XDR encoding of
+   databody_integ will include an initial four octet length field,
+   followed by the XDR encoded octet stream of rpc_gss_data_t.
+
+   The checksum field represents the checksum of the XDR encoded octet
+   stream corresponding to the XDR encoded rpc_gss_data_t structure
+   (note, this is not the checksum of the databody_integ field).  This
+   is obtained using the GSS_GetMIC() call, with the same QOP as was
+   used to compute the header checksum (in the verifier). The
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 11]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   GSS_GetMIC() call returns the checksum as an opaque octet stream and
+   its length. The checksum field of struct rpc_gss_integ_data has an
+   XDR type of opaque. Thus the checksum length from GSS_GetMIC() is
+   encoded as a four octet  length field, followed by the checksum,
+   padded to a multiple of four octets.
+
+5.3.2.3.  RPC Request Data - With Data Privacy
+
+   When data privacy is used, the request data is represented as
+   follows:
+
+      struct rpc_gss_priv_data {
+          opaque databody_priv<>
+      };
+
+   The databody_priv field is created as follows.  The rpc_gss_data_t
+   structure described earlier is constructed again in the same way as
+   for the case of data integrity.  Next, the GSS_Wrap() call is invoked
+   to encrypt the octet stream corresponding to the rpc_gss_data_t
+   structure, using the same value for QOP (argument qop_req to
+   GSS_Wrap()) as was used for the header checksum (in the verifier) and
+   conf_req_flag (an argument to GSS_Wrap()) of TRUE.  The GSS_Wrap()
+   call returns an opaque octet stream (representing the encrypted
+   rpc_gss_data_t structure) and its length, and this is encoded as the
+   databody_priv field. Since databody_priv has an XDR type of opaque,
+   the length returned by GSS_Wrap() is encoded as the four octet
+   length, followed by the encrypted octet stream (padded to a multiple
+   of four octets).
+
+5.3.3.  Server Processing of RPC Data Requests
+
+5.3.3.1.  Context Management
+
+   When a request is received by the server, the following are verified
+   to be acceptable:
+
+   *    the version number in the credential
+
+   *    the service specified in the credential
+
+   *    the context handle specified in the credential
+
+   *    the header checksum in the verifier (via GSS_VerifyMIC())
+
+   *    the sequence number (seq_num) specified in the credential (more
+        on this follows)
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 12]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The gss_proc field in the credential must be set to RPCSEC_GSS_DATA
+   for data requests (otherwise, the message will be interpreted as a
+   control message).
+
+   The server maintains a window of "seq_window" sequence numbers,
+   starting with the last sequence number seen and extending backwards.
+   If a sequence number higher than the last number seen is received
+   (AND if GSS_VerifyMIC() on the header checksum from the verifier
+   returns GSS_S_COMPLETE), the window is moved forward to the new
+   sequence number.  If the last sequence number seen is N, the server
+   is prepared to receive requests with sequence numbers in the range N
+   through (N - seq_window + 1), both inclusive.  If the sequence number
+   received falls below this range, it is silently discarded.  If the
+   sequence number is within this range, and the server has not seen it,
+   the request is accepted, and the server turns on a bit to "remember"
+   that this sequence number has been seen.  If the server determines
+   that it has already seen a sequence number within the window, the
+   request is silently discarded. The server should select a seq_window
+   value based on the number requests it expects to process
+   simultaneously. For example, in a threaded implementation seq_window
+   might be equal to the number of server threads. There are no known
+   security issues with selecting a large window. The primary issue is
+   how much space the server is willing to allocate to keep track of
+   requests received within the window.
+
+   The reason for discarding requests silently is that the server is
+   unable to determine if the duplicate or out of range request was due
+   to a sequencing problem in the client, network, or the operating
+   system, or due to some quirk in routing, or a replay attack by an
+   intruder.  Discarding the request allows the client to recover after
+   timing out, if indeed the duplication was unintentional or well
+   intended.  Note that a consequence of the silent discard is that
+   clients may increment the seq_num by more than one. The effect of
+   this is that the window will move forward more quickly. It is not
+   believed that there is any benefit to doing this.
+
+   Note that the sequence number algorithm requires that the client
+   increment the sequence number even if it is retrying a request with
+   the same RPC transaction identifier.  It is not infrequent for
+   clients to get into a situation where they send two or more attempts
+   and a slow server sends the reply for the first attempt. With
+   RPCSEC_GSS, each request and reply will have a unique sequence
+   number. If the client wishes to improve turn around time on the RPC
+   call, it can cache the RPCSEC_GSS sequence number of each request it
+   sends. Then when it receives a response with a matching RPC
+   transaction identifier, it can compute the checksum of each sequence
+   number in the cache to try to match the checksum in the reply's
+   verifier.
+
+
+
+Eisler, et. al.             Standards Track                    [Page 13]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The data is decoded according to the service specified in the
+   credential.  In the case of integrity or privacy, the server ensures
+   that the QOP value is acceptable, and that it is the same as that
+   used for the header checksum in the verifier.  Also, in the case of
+   integrity or privacy, the server will reject the message (with a
+   reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS) if the sequence number embedded in the request body is
+   different from the sequence number in the credential.
+
+5.3.3.2.  Server Reply - Request Accepted
+
+   An MSG_ACCEPTED reply to a request in the data exchange phase will
+   have the verifier's (the verf element in the response) flavor field
+   set to RPCSEC_GSS, and the body field set to the checksum (the output
+   of GSS_GetMIC()) of the sequence number (in network order) of the
+   corresponding request.  The QOP used is the same as the QOP used for
+   the corresponding request.
+
+   If the status of the reply is not SUCCESS, the rest of the message is
+   formatted as usual.
+
+   If the status of the message is SUCCESS, the format of the rest of
+   the message depends on the service specified in the corresponding
+   request message. Basically, what follows the verifier in this case
+   are the procedure results, formatted in different ways depending on
+   the requested service.
+
+   If no data integrity was requested, the procedure results are
+   formatted as for the AUTH_NONE security flavor.
+
+   If data integrity was requested, the results are encoded in exactly
+   the same way as the procedure arguments were in the corresponding
+   request.  See the section 'RPC Request Data - With Data Integrity.'
+   The only difference is that the structure representing the
+   procedure's result - proc_res_arg_t - must be substituted in place of
+   the request argument structure proc_req_arg_t.  The QOP used for the
+   checksum must be the same as that used for constructing the reply
+   verifier.
+
+   If data privacy was requested, the results are encoded in exactly the
+   same way as the procedure arguments were in the corresponding
+   request.  See the section 'RPC Request Data - With Data Privacy.' The
+   QOP used for  encryption must be the same as that used for
+   constructing the reply verifier.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 14]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.3.3.  Server Reply - Request Denied
+
+   An MSG_DENIED reply (to a data request) is formulated as usual.  Two
+   new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have
+   been defined for the auth_stat type.  When the reason for denial of
+   the request is a reject_stat of AUTH_ERROR, one of the two new
+   auth_stat values could be returned in addition to the existing
+   values.  These two new values have special significance from the
+   existing reasons for denial of a request.
+
+   The server maintains a list of contexts for the clients that are
+   currently in session with it.  Normally, a context is destroyed when
+   the client ends the session corresponding to it.  However, due to
+   resource constraints, the server may destroy a context prematurely
+   (on an LRU basis, or if the server machine is rebooted, for example).
+   In this case, when a client request comes in, there may not be a
+   context corresponding to its handle. The server rejects the request,
+   with the reason RPCSEC_GSS_CREDPROBLEM in this case.  Upon receiving
+   this error, the client must refresh the context - that is,
+   reestablish it after destroying the old one - and try the request
+   again.  This error is also returned if the context handle matches
+   that of a different context that was allocated after the client's
+   context was destroyed (this will be detected by a failure in
+   verifying the header checksum).
+
+   If the GSS_VerifyMIC() call on the header checksum (contained in the
+   verifier) fails to return GSS_S_COMPLETE, the server rejects the
+   request and returns an auth_stat of RPCSEC_GSS_CREDPROBLEM.
+
+   When the client's sequence number exceeds the maximum the server will
+   allow, the server will reject the request with the reason
+   RPCSEC_GSS_CTXPROBLEM.  Also, if security credentials become stale
+   while in use (due to ticket expiry in the case of the Kerberos V5
+   mechanism, for example), the failures which result cause the
+   RPCSEC_GSS_CTXPROBLEM reason to be returned.  In these cases also,
+   the client must refresh the context, and retry the request.
+
+   For other errors, retrying will not rectify the problem and the
+   client must not refresh the context until the problem causing the
+   client request to be denied is rectified.
+
+   If the version field in the credential does not match the version of
+   RPCSEC_GSS that was used when the context was created, the
+   AUTH_BADCRED value is returned.
+
+   If there is a problem with the credential, such a bad length, illegal
+   control procedure, or an illegal service, the appropriate auth_stat
+   status is AUTH_BADCRED.
+
+
+
+Eisler, et. al.             Standards Track                    [Page 15]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   Other errors can be returned as appropriate.
+
+5.3.3.4.  Mapping of GSS-API Errors to Server Responses
+
+   During the data exchange phase, the server may invoke GSS_GetMIC(),
+   GSS_VerifyMIC(), GSS_Unwrap(), and GSS_Wrap(). If any of these
+   routines fail to return GSS_S_COMPLETE, then various unsuccessful
+   responses can be returned. The are described as follows for each of
+   the aforementioned four interfaces.
+
+5.3.3.4.1.  GSS_GetMIC() Failure
+
+   When GSS_GetMIC() is called to generate the verifier in the response,
+   a failure results in an RPC response with a reply status of
+   MSG_DENIED, reject status of AUTH_ERROR and an auth status of
+   RPCSEC_GSS_CTXPROBLEM.
+
+   When GSS_GetMIC() is called to sign the call results (service is
+   rpc_gss_svc_integrity), a failure results in no RPC response being
+   sent. Since ONC RPC server applications will typically control when a
+   response is sent, the failure indication will be returned to the
+   server application and it can take appropriate action (such as
+   logging the error).
+
+5.3.3.4.2.  GSS_VerifyMIC() Failure
+
+   When GSS_VerifyMIC() is called to verify the verifier in request, a
+   failure results in an RPC response with a reply status of MSG_DENIED,
+   reject status of AUTH_ERROR and an auth status of
+   RPCSEC_GSS_CREDPROBLEM.
+
+   When GSS_VerifyMIC() is called to verify the call arguments (service
+   is rpc_gss_svc_integrity), a failure results in an RPC response with
+   a reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS.
+
+5.3.3.4.3.  GSS_Unwrap() Failure
+
+   When GSS_Unwrap() is called to decrypt the call arguments (service is
+   rpc_gss_svc_privacy), a failure results in an RPC response with a
+   reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS.
+
+5.3.3.4.4.  GSS_Wrap() Failure
+
+   When GSS_Wrap() is called to encrypt the call results (service is
+   rpc_gss_svc_privacy), a failure results in no RPC response being
+   sent. Since ONC RPC server applications will typically control when a
+
+
+
+Eisler, et. al.             Standards Track                    [Page 16]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   response is sent, the failure indication will be returned to the
+   application and it can take appropriate action (such as logging the
+   error).
+
+5.4.  Context Destruction
+
+   When the client is done using the session, it must send a control
+   message informing the server that it no longer requires the context.
+   This message is formulated just like a data request packet, with the
+   following differences:  the credential has gss_proc set to
+   RPCSEC_GSS_DESTROY, the procedure specified in the header is
+   NULLPROC, and there are no procedure arguments.  The sequence number
+   in the request must be valid, and the header checksum in the verifier
+   must be valid, for the server to accept the message.  The server
+   sends a response as it would to a data request.  The client and
+   server must then destroy the context for the session.
+
+   If the request to destroy the context fails for some reason, the
+   client need not take any special action.  The server must be prepared
+   to deal with situations where clients never inform the server that
+   they no longer are in session and so don't need the server to
+   maintain a context.  An LRU mechanism or an aging mechanism should be
+   employed by the server to clean up in such cases.
+
+6.  Set of GSS-API Mechanisms
+
+   RPCSEC_GSS is effectively a "pass-through" to the GSS-API layer, and
+   as such it is inappropriate for the RPCSEC_GSS specification to
+   enumerate a minimum set of required security mechanisms and/or
+   quality of protections.
+
+   If an application protocol specification references RPCSEC_GSS, the
+   protocol specification must list a mandatory set of { mechanism, QOP,
+   service } triples, such that an implementation cannot claim
+   conformance to the protocol specification unless it implements the
+   set of triples. Within each triple, mechanism is a GSS-API security
+   mechanism, QOP is a valid quality-of-protection within the mechanism,
+   and service is either rpc_gss_svc_integrity or rpc_gss_svc_privacy.
+
+   For example, a network filing protocol built on RPC that depends on
+   RPCSEC_GSS for security, might require that Kerberos V5 with the
+   default QOP using the rpc_gss_svc_integrity service be supported by
+   implementations conforming to the network filing protocol
+   specification.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 17]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+7.  Security Considerations
+
+7.1.  Privacy of Call Header
+
+   The reader will note that for the privacy option, only the call
+   arguments and results are encrypted. Information about the
+   application in the form of RPC program number, program version
+   number, and program procedure number is transmitted in the clear.
+   Encrypting these fields in the RPC call header would have changed the
+   size and format of the call header. This would have required revising
+   the RPC protocol which was beyond the scope of this proposal. Storing
+   the encrypted numbers in the credential would have obviated a
+   protocol change, but would have introduced more overloading of fields
+   and would have made implementations of RPC more complex. Even if the
+   fields were encrypted somehow, in most cases an attacker can
+   determine the program number and version number by examining the
+   destination address of the request and querying the rpcbind service
+   on the destination host [Srinivasan-bind].  In any case, even by not
+   encrypting the three numbers, RPCSEC_GSS still improves the state of
+   security over what existing RPC services have had available
+   previously. Implementors of new RPC services that are concerned about
+   this risk may opt to design in a "sub-procedure" field that is
+   included in the service specific call arguments.
+
+7.2.  Sequence Number Attacks
+
+7.2.1.  Sequence Numbers Above the Window
+
+   An attacker cannot coax the server into raising the sequence number
+   beyond the range the legitimate client is aware of (and thus engineer
+   a denial of server attack) without constructing an RPC request that
+   will pass the header checksum. If the cost of verifying the header
+   checksum is sufficiently large (depending on the speed of the
+   processor doing the checksum and the cost of checksum algorithm), it
+   is possible to envision a denial of service attack (vandalism, in the
+   form of wasting processing resources) whereby the attacker sends
+   requests that are above the window. The simplest method might be for
+   the attacker to monitor the network traffic and then choose a
+   sequence number that is far above the current sequence number. Then
+   the attacker can send bogus requests using the above window sequence
+   number.
+
+7.2.2.  Sequence Numbers Within or Below the Window
+
+   If the attacker sends requests that are within or below the window,
+   then even if the header checksum is successfully verified, the server
+   will silently discard the requests because the server assumes it has
+   already processed the request. In this case, a server can optimize by
+
+
+
+Eisler, et. al.             Standards Track                    [Page 18]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   skipping the header checksum verification if the sequence number is
+   below the window, or if it is within the window, not attempt the
+   checksum verification if the sequence number has already been seen.
+
+7.3.  Message Stealing Attacks
+
+   This proposal does not address attacks where an attacker can block or
+   steal messages without being detected by the server. To implement
+   such protection would be tantamount to assuming a state in the RPC
+   service. RPCSEC_GSS does not worsen this situation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 19]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Appendix A. GSS-API Major Status Codes
+
+   The GSS-API definition [Linn] does not include numerical values for
+   the various GSS-API major status codes. It is expected that this will
+   be addressed in future RFC. Until then, this appendix defines the
+   values for each GSS-API major status code listed in the GSS-API
+   definition.  If in the future, the GSS-API definition defines values
+   for the codes that are different than what follows, then implementors
+   of RPCSEC_GSS will be obliged to map them into the values defined
+   below. If in the future, the GSS-API definition defines additional
+   status codes not defined below, then the RPCSEC_GSS definition will
+   subsume those additional values.
+
+   Here are the definitions of each GSS_S_* major status that the
+   implementor of RPCSEC_GSS can expect in the gss_major major field of
+   rpc_gss_init_res.  These definitions are not in RPC description
+   language form.  The numbers are in base 16 (hexadecimal):
+
+      GSS_S_COMPLETE                  0x00000000
+      GSS_S_CONTINUE_NEEDED           0x00000001
+      GSS_S_DUPLICATE_TOKEN           0x00000002
+      GSS_S_OLD_TOKEN                 0x00000004
+      GSS_S_UNSEQ_TOKEN               0x00000008
+      GSS_S_GAP_TOKEN                 0x00000010
+      GSS_S_BAD_MECH                  0x00010000
+      GSS_S_BAD_NAME                  0x00020000
+      GSS_S_BAD_NAMETYPE              0x00030000
+      GSS_S_BAD_BINDINGS              0x00040000
+      GSS_S_BAD_STATUS                0x00050000
+      GSS_S_BAD_MIC                   0x00060000
+      GSS_S_BAD_SIG                   0x00060000
+      GSS_S_NO_CRED                   0x00070000
+      GSS_S_NO_CONTEXT                0x00080000
+      GSS_S_DEFECTIVE_TOKEN           0x00090000
+      GSS_S_DEFECTIVE_CREDENTIAL      0x000a0000
+      GSS_S_CREDENTIALS_EXPIRED       0x000b0000
+      GSS_S_CONTEXT_EXPIRED           0x000c0000
+      GSS_S_FAILURE                   0x000d0000
+      GSS_S_BAD_QOP                   0x000e0000
+      GSS_S_UNAUTHORIZED              0x000f0000
+      GSS_S_UNAVAILABLE               0x00100000
+      GSS_S_DUPLICATE_ELEMENT         0x00110000
+      GSS_S_NAME_NOT_MN               0x00120000
+      GSS_S_CALL_INACCESSIBLE_READ    0x01000000
+      GSS_S_CALL_INACCESSIBLE_WRITE   0x02000000
+      GSS_S_CALL_BAD_STRUCTURE        0x03000000
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 20]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   Note that the GSS-API major status is split into three fields as
+   follows:
+
+        Most Significant Bit                     Least Significant Bit
+        |------------------------------------------------------------|
+        | Calling Error | Routine Error  |    Supplementary Info     |
+        |------------------------------------------------------------|
+      Bit 31           24 23            16 15                        0
+
+   Up to one status in the Calling Error field can be logically ORed
+   with up to one status in the Routine Error field which in turn can be
+   logically ORed with zero or more statuses in the Supplementary Info
+   field. If the resulting major status has a non-zero Calling Error
+   and/or a non-zero Routine Error, then the applicable GSS-API
+   operation has failed.  For purposes of RPCSEC_GSS, this means that
+   the GSS_Accept_sec_context() call executed by the server has failed.
+
+   If the major status is equal GSS_S_COMPLETE, then this indicates the
+   absence of any Errors or Supplementary Info.
+
+   The meanings of most of the GSS_S_* status are defined in the GSS-API
+   definition, which the exceptions of:
+
+   GSS_S_BAD_MIC       This code has the same meaning as GSS_S_BAD_SIG.
+
+   GSS_S_CALL_INACCESSIBLE_READ
+                        A required input parameter could not be read.
+
+   GSS_S_CALL_INACCESSIBLE_WRITE
+                        A required input parameter could not be written.
+
+   GSS_S_CALL_BAD_STRUCTURE
+                       A parameter was malformed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 21]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Acknowledgements
+
+   Much of the protocol was based on the AUTH_GSSAPI security flavor
+   developed by Open Vision Technologies [Jaspan].  In particular, we
+   acknowledge Barry Jaspan, Marc Horowitz, John Linn, and Ellen
+   McDermott.
+
+   Raj Srinivasan designed RPCSEC_GSS [Eisler] with input from Mike
+   Eisler.  Raj, Roland Schemers, Lin Ling, and Alex Chiu contributed to
+   Sun Microsystems' implementation of RPCSEC_GSS.
+
+   Brent Callaghan, Marc Horowitz, Barry Jaspan, John Linn, Hilarie
+   Orman, Martin Rex, Ted Ts'o, and John Wroclawski analyzed the
+   specification and gave valuable feedback.
+
+   Steve Nahm and Kathy Slattery reviewed various drafts of this
+   specification.
+
+   Much of content of Appendix A was excerpted from John Wray's Work in
+   Progress on GSS-API Version 2 C-bindings.
+
+References
+
+   [Eisler]            Eisler, M., Schemers, R., and Srinivasan, R.
+                       (1996).  "Security Mechanism Independence in ONC
+                       RPC," Proceedings of the Sixth Annual USENIX
+                       Security Symposium, pp. 51-65.
+
+   [Jaspan]            Jaspan, B. (1995). "GSS-API Security for ONC
+                       RPC," `95 Proceedings of The Internet Society
+                       Symposium on Network and Distributed System
+                       Security, pp. 144- 151.
+
+   [Linn]              Linn, J., "Generic Security Service Application
+                       Program Interface, Version 2", RFC 2078, January
+                       1997.
+
+   [Srinivasan-bind]   Srinivasan, R., "Binding Protocols for
+                       ONC RPC Version 2", RFC 1833, August 1995.
+
+   [Srinivasan-rpc]    Srinivasan, R., "RPC: Remote Procedure Call
+                       Protocol Specification Version 2", RFC 1831,
+                       August 1995.
+
+   [Srinivasan-xdr]    Srinivasan, R., "XDR: External Data
+                       Representation Standard", RFC 1832, August 1995.
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 22]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Authors' Addresses
+
+   Michael Eisler
+   Sun Microsystems, Inc.
+   M/S UCOS03
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (719) 599-9026
+   EMail: mre@eng.sun.com
+
+
+   Alex Chiu
+   Sun Microsystems, Inc.
+   M/S UMPK17-203
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (415) 786-6465
+   EMail: hacker@eng.sun.com
+
+
+   Lin Ling
+   Sun Microsystems, Inc.
+   M/S UMPK17-201
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (415) 786-5084
+   EMail: lling@eng.sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 23]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2228.txt b/crypto/heimdal/doc/standardisation/rfc2228.txt
new file mode 100644
index 0000000..1fbfcbf
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2228.txt
@@ -0,0 +1,1515 @@
+
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+Request for Comments: 2228                              Cygnus Solutions
+Updates: 959                                                     S. Lunt
+Category: Standards Track                                       Bellcore
+                                                            October 1997
+
+                        FTP Security Extensions
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+Abstract
+
+   This document defines extensions to the FTP specification STD 9, RFC
+   959, "FILE TRANSFER PROTOCOL (FTP)" (October 1985).  These extensions
+   provide strong authentication, integrity, and confidentiality on both
+   the control and data channels with the introduction of new optional
+   commands, replies, and file transfer encodings.
+
+   The following new optional commands are introduced in this
+   specification:
+
+      AUTH (Authentication/Security Mechanism),
+      ADAT (Authentication/Security Data),
+      PROT (Data Channel Protection Level),
+      PBSZ (Protection Buffer Size),
+      CCC (Clear Command Channel),
+      MIC (Integrity Protected Command),
+      CONF (Confidentiality Protected Command), and
+      ENC (Privacy Protected Command).
+
+   A new class of reply types (6yz) is also introduced for protected
+   replies.
+
+   None of the above commands are required to be implemented, but
+   interdependencies exist.  These dependencies are documented with the
+   commands.
+
+   Note that this specification is compatible with STD 9, RFC 959.
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 1]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+1.  Introduction
+
+   The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959
+   and in place on the Internet uses usernames and passwords passed in
+   cleartext to authenticate clients to servers (via the USER and PASS
+   commands).  Except for services such as "anonymous" FTP archives,
+   this represents a security risk whereby passwords can be stolen
+   through monitoring of local and wide-area networks.  This either aids
+   potential attackers through password exposure and/or limits
+   accessibility of files by FTP servers who cannot or will not accept
+   the inherent security risks.
+
+   Aside from the problem of authenticating users in a secure manner,
+   there is also the problem of authenticating servers, protecting
+   sensitive data and/or verifying its integrity.  An attacker may be
+   able to access valuable or sensitive data merely by monitoring a
+   network, or through active means may be able to delete or modify the
+   data being transferred so as to corrupt its integrity.  An active
+   attacker may also initiate spurious file transfers to and from a site
+   of the attacker's choice, and may invoke other commands on the
+   server.  FTP does not currently have any provision for the encryption
+   or verification of the authenticity of commands, replies, or
+   transferred data.  Note that these security services have value even
+   to anonymous file access.
+
+   Current practice for sending files securely is generally either:
+
+      1.  via FTP of files pre-encrypted under keys which are manually
+          distributed,
+
+      2.  via electronic mail containing an encoding of a file encrypted
+          under keys which are manually distributed,
+
+      3.  via a PEM message, or
+
+      4.  via the rcp command enhanced to use Kerberos.
+
+   None of these means could be considered even a de facto standard, and
+   none are truly interactive.  A need exists to securely transfer files
+   using FTP in a secure manner which is supported within the FTP
+   protocol in a consistent manner and which takes advantage of existing
+   security infrastructure and technology.  Extensions are necessary to
+   the FTP specification if these security services are to be introduced
+   into the protocol in an interoperable way.
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 2]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Although the FTP control connection follows the Telnet protocol, and
+   Telnet has defined an authentication and encryption option [TELNET-
+   SEC], [RFC-1123] explicitly forbids the use of Telnet option
+   negotiation over the control connection (other than Synch and IP).
+
+   Also, the Telnet authentication and encryption option does not
+   provide for integrity protection only (without confidentiality), and
+   does not address the protection of the data channel.
+
+2.  FTP Security Overview
+
+   At the highest level, the FTP security extensions seek to provide an
+   abstract mechanism for authenticating and/or authorizing connections,
+   and integrity and/or confidentiality protecting commands, replies,
+   and data transfers.
+
+   In the context of FTP security, authentication is the establishment
+   of a client's identity and/or a server's identity in a secure way,
+   usually using cryptographic techniques.  The basic FTP protocol does
+   not have a concept of authentication.
+
+   Authorization is the process of validating a user for login.  The
+   basic authorization process involves the USER, PASS, and ACCT
+   commands.  With the FTP security extensions, authentication
+   established using a security mechanism may also be used to make the
+   authorization decision.
+
+   Without the security extensions, authentication of the client, as
+   this term is usually understood, never happens.  FTP authorization is
+   accomplished with a password, passed on the network in the clear as
+   the argument to the PASS command.  The possessor of this password is
+   assumed to be authorized to transfer files as the user named in the
+   USER command, but the identity of the client is never securely
+   established.
+
+   An FTP security interaction begins with a client telling the server
+   what security mechanism it wants to use with the AUTH command.  The
+   server will either accept this mechanism, reject this mechanism, or,
+   in the case of a server which does not implement the security
+   extensions, reject the command completely.  The client may try
+   multiple security mechanisms until it requests one which the server
+   accepts.  This allows a rudimentary form of negotiation to take
+   place.  (If more complex negotiation is desired, this may be
+   implemented as a security mechanism.)  The server's reply will
+   indicate if the client must respond with additional data for the
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 3]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   security mechanism to interpret.  If none is needed, this will
+   usually mean that the mechanism is one where the password (specified
+   by the PASS command) is to be interpreted differently, such as with a
+   token or one-time password system.
+
+   If the server requires additional security information, then the
+   client and server will enter into a security data exchange.  The
+   client will send an ADAT command containing the first block of
+   security data.  The server's reply will indicate if the data exchange
+   is complete, if there was an error, or if more data is needed.  The
+   server's reply can optionally contain security data for the client to
+   interpret.  If more data is needed, the client will send another ADAT
+   command containing the next block of data, and await the server's
+   reply.  This exchange can continue as many times as necessary.  Once
+   this exchange completes, the client and server have established a
+   security association.  This security association may include
+   authentication (client, server, or mutual) and keying information for
+   integrity and/or confidentiality, depending on the mechanism in use.
+
+   The term "security data" here is carefully chosen.  The purpose of
+   the security data exchange is to establish a security association,
+   which might not actually include any authentication at all, between
+   the client and the server as described above.  For instance, a
+   Diffie-Hellman exchange establishes a secret key, but no
+   authentication takes place.  If an FTP server has an RSA key pair but
+   the client does not, then the client can authenticate the server, but
+   the server cannot authenticate the client.
+
+   Once a security association is established, authentication which is a
+   part of this association may be used instead of or in addition to the
+   standard username/password exchange for authorizing a user to connect
+   to the server.  A username specified by the USER command is always
+   required to specify the identity to be used on the server.
+
+   In order to prevent an attacker from inserting or deleting commands
+   on the control stream, if the security association supports
+   integrity, then the server and client must use integrity protection
+   on the control stream, unless it first transmits a CCC command to
+   turn off this requirement.  Integrity protection is performed with
+   the MIC and ENC commands, and the 63z reply codes.  The CCC command
+   and its reply must be transmitted with integrity protection.
+   Commands and replies may be transmitted without integrity (that is,
+   in the clear or with confidentiality only) only if no security
+   association is established, the negotiated security association does
+   not support integrity, or the CCC command has succeeded.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 4]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Once the client and server have negotiated with the PBSZ command an
+   acceptable buffer size for encapsulating protected data over the data
+   channel, the security mechanism may also be used to protect data
+   channel transfers.
+
+   Policy is not specified by this document.  In particular, client and
+   server implementations may choose to implement restrictions on what
+   operations can be performed depending on the security association
+   which exists.  For example, a server may require that a client
+   authorize via a security mechanism rather than using a password,
+   require that the client provide a one-time password from a token,
+   require at least integrity protection on the command channel, or
+   require that certain files only be transmitted encrypted.  An
+   anonymous ftp client might refuse to do file transfers without
+   integrity protection in order to insure the validity of files
+   downloaded.
+
+   No particular set of functionality is required, except as
+   dependencies described in the next section.  This means that none of
+   authentication, integrity, or confidentiality are required of an
+   implementation, although a mechanism which does none of these is not
+   of much use.  For example, it is acceptable for a mechanism to
+   implement only integrity protection, one-way authentication and/or
+   encryption, encryption without any authentication or integrity
+   protection, or any other subset of functionality if policy or
+   technical considerations make this desirable.  Of course, one peer
+   might require as a matter of policy stronger protection than the
+   other is able to provide, preventing perfect interoperability.
+
+3.  New FTP Commands
+
+   The following commands are optional, but dependent on each other.
+   They are extensions to the FTP Access Control Commands.
+
+   The reply codes documented here are generally described as
+   recommended, rather than required.  The intent is that reply codes
+   describing the full range of success and failure modes exist, but
+   that servers be allowed to limit information presented to the client.
+   For example, a server might implement a particular security
+   mechanism, but have a policy restriction against using it.  The
+   server should respond with a 534 reply code in this case, but may
+   respond with a 504 reply code if it does not wish to divulge that the
+   disallowed mechanism is supported.  If the server does choose to use
+   a different reply code than the recommended one, it should try to use
+   a reply code which only differs in the last digit.  In all cases, the
+   server must use a reply code which is documented as returnable from
+   the command received, and this reply code must begin with the same
+   digit as the recommended reply code for the situation.
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 5]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   AUTHENTICATION/SECURITY MECHANISM (AUTH)
+
+      The argument field is a Telnet string identifying a supported
+      mechanism.  This string is case-insensitive.  Values must be
+      registered with the IANA, except that values beginning with "X-"
+      are reserved for local use.
+
+      If the server does not recognize the AUTH command, it must respond
+      with reply code 500.  This is intended to encompass the large
+      deployed base of non-security-aware ftp servers, which will
+      respond with reply code 500 to any unrecognized command.  If the
+      server does recognize the AUTH command but does not implement the
+      security extensions, it should respond with reply code 502.
+
+      If the server does not understand the named security mechanism, it
+      should respond with reply code 504.
+
+      If the server is not willing to accept the named security
+      mechanism, it should respond with reply code 534.
+
+      If the server is not able to accept the named security mechanism,
+      such as if a required resource is unavailable, it should respond
+      with reply code 431.
+
+      If the server is willing to accept the named security mechanism,
+      but requires security data, it must respond with reply code 334.
+
+      If the server is willing to accept the named security mechanism,
+      and does not require any security data, it must respond with reply
+      code 234.
+
+      If the server is responding with a 334 reply code, it may include
+      security data as described in the next section.
+
+      Some servers will allow the AUTH command to be reissued in order
+      to establish new authentication.  The AUTH command, if accepted,
+      removes any state associated with prior FTP Security commands.
+      The server must also require that the user reauthorize (that is,
+      reissue some or all of the USER, PASS, and ACCT commands) in this
+      case (see section 4 for an explanation of "authorize" in this
+      context).
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 6]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   AUTHENTICATION/SECURITY DATA (ADAT)
+
+      The argument field is a Telnet string representing base 64 encoded
+      security data (see Section 9, "Base 64 Encoding").  If a reply
+      code indicating success is returned, the server may also use a
+      string of the form "ADAT=base64data" as the text part of the reply
+      if it wishes to convey security data back to the client.
+
+      The data in both cases is specific to the security mechanism
+      specified by the previous AUTH command.  The ADAT command, and the
+      associated replies, allow the client and server to conduct an
+      arbitrary security protocol.  The security data exchange must
+      include enough information for both peers to be aware of which
+      optional features are available.  For example, if the client does
+      not support data encryption, the server must be made aware of
+      this, so it will know not to send encrypted command channel
+      replies.  It is strongly recommended that the security mechanism
+      provide sequencing on the command channel, to insure that commands
+      are not deleted, reordered, or replayed.
+
+      The ADAT command must be preceded by a successful AUTH command,
+      and cannot be issued once a security data exchange completes
+      (successfully or unsuccessfully), unless it is preceded by an AUTH
+      command to reset the security state.
+
+      If the server has not yet received an AUTH command, or if a prior
+      security data exchange completed, but the security state has not
+      been reset with an AUTH command, it should respond with reply code
+      503.
+
+      If the server cannot base 64 decode the argument, it should
+      respond with reply code 501.
+
+      If the server rejects the security data (if a checksum fails, for
+      instance), it should respond with reply code 535.
+
+      If the server accepts the security data, and requires additional
+      data, it should respond with reply code 335.
+
+      If the server accepts the security data, but does not require any
+      additional data (i.e., the security data exchange has completed
+      successfully), it must respond with reply code 235.
+
+      If the server is responding with a 235 or 335 reply code, then it
+      may include security data in the text part of the reply as
+      specified above.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 7]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      If the ADAT command returns an error, the security data exchange
+      will fail, and the client must reset its internal security state.
+      If the client becomes unsynchronized with the server (for example,
+      the server sends a 234 reply code to an AUTH command, but the
+      client has more data to transmit), then the client must reset the
+      server's security state.
+
+   PROTECTION BUFFER SIZE (PBSZ)
+
+      The argument is a decimal integer representing the maximum size,
+      in bytes, of the encoded data blocks to be sent or received during
+      file transfer.  This number shall be no greater than can be
+      represented in a 32-bit unsigned integer.
+
+      This command allows the FTP client and server to negotiate a
+      maximum protected buffer size for the connection.  There is no
+      default size; the client must issue a PBSZ command before it can
+      issue the first PROT command.
+
+      The PBSZ command must be preceded by a successful security data
+      exchange.
+
+      If the server cannot parse the argument, or if it will not fit in
+      32 bits, it should respond with a 501 reply code.
+
+      If the server has not completed a security data exchange with the
+      client, it should respond with a 503 reply code.
+
+      Otherwise, the server must reply with a 200 reply code.  If the
+      size provided by the client is too large for the server, it must
+      use a string of the form "PBSZ=number" in the text part of the
+      reply to indicate a smaller buffer size.  The client and the
+      server must use the smaller of the two buffer sizes if both buffer
+      sizes are specified.
+
+   DATA CHANNEL PROTECTION LEVEL (PROT)
+
+      The argument is a single Telnet character code specifying the data
+      channel protection level.
+
+      This command indicates to the server what type of data channel
+      protection the client and server will be using.  The following
+      codes are assigned:
+
+         C - Clear
+         S - Safe
+         E - Confidential
+         P - Private
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 8]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      The default protection level if no other level is specified is
+      Clear.  The Clear protection level indicates that the data channel
+      will carry the raw data of the file transfer, with no security
+      applied.  The Safe protection level indicates that the data will
+      be integrity protected.  The Confidential protection level
+      indicates that the data will be confidentiality protected.  The
+      Private protection level indicates that the data will be integrity
+      and confidentiality protected.
+
+      It is reasonable for a security mechanism not to provide all data
+      channel protection levels.  It is also reasonable for a mechanism
+      to provide more protection at a level than is required (for
+      instance, a mechanism might provide Confidential protection, but
+      include integrity-protection in that encoding, due to API or other
+      considerations).
+
+      The PROT command must be preceded by a successful protection
+      buffer size negotiation.
+
+      If the server does not understand the specified protection level,
+      it should respond with reply code 504.
+
+      If the current security mechanism does not support the specified
+      protection level, the server should respond with reply code 536.
+
+      If the server has not completed a protection buffer size
+      negotiation with the client, it should respond with a 503 reply
+      code.
+
+      The PROT command will be rejected and the server should reply 503
+      if no previous PBSZ command was issued.
+
+      If the server is not willing to accept the specified protection
+      level, it should respond with reply code 534.
+
+      If the server is not able to accept the specified protection
+      level, such as if a required resource is unavailable, it should
+      respond with reply code 431.
+
+      Otherwise, the server must reply with a 200 reply code to indicate
+      that the specified protection level is accepted.
+
+   CLEAR COMMAND CHANNEL (CCC)
+
+      This command does not take an argument.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 9]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      It is desirable in some environments to use a security mechanism
+      to authenticate and/or authorize the client and server, but not to
+      perform any integrity checking on the subsequent commands.  This
+      might be used in an environment where IP security is in place,
+      insuring that the hosts are authenticated and that TCP streams
+      cannot be tampered, but where user authentication is desired.
+
+      If unprotected commands are allowed on any connection, then an
+      attacker could insert a command on the control stream, and the
+      server would have no way to know that it was invalid.  In order to
+      prevent such attacks, once a security data exchange completes
+      successfully, if the security mechanism supports integrity, then
+      integrity (via the MIC or ENC command, and 631 or 632 reply) must
+      be used, until the CCC command is issued to enable non-integrity
+      protected control channel messages.  The CCC command itself must
+      be integrity protected.
+
+      Once the CCC command completes successfully, if a command is not
+      protected, then the reply to that command must also not be
+      protected.  This is to support interoperability with clients which
+      do not support protection once the CCC command has been issued.
+
+      This command must be preceded by a successful security data
+      exchange.
+
+      If the command is not integrity-protected, the server must respond
+      with a 533 reply code.
+
+      If the server is not willing to turn off the integrity
+      requirement, it should respond with a 534 reply code.
+
+      Otherwise, the server must reply with a 200 reply code to indicate
+      that unprotected commands and replies may now be used on the
+      command channel.
+
+   INTEGRITY PROTECTED COMMAND (MIC) and
+   CONFIDENTIALITY PROTECTED COMMAND (CONF) and
+   PRIVACY PROTECTED COMMAND (ENC)
+
+      The argument field of MIC is a Telnet string consisting of a base
+      64 encoded "safe" message produced by a security mechanism
+      specific message integrity procedure.  The argument field of CONF
+      is a Telnet string consisting of a base 64 encoded "confidential"
+      message produced by a security mechanism specific confidentiality
+      procedure.  The argument field of ENC is a Telnet string
+      consisting of a base 64 encoded "private" message produced by a
+      security mechanism specific message integrity and confidentiality
+      procedure.
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 10]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      The server will decode and/or verify the encoded message.
+
+      This command must be preceded by a successful security data
+      exchange.
+
+      A server may require that the first command after a successful
+      security data exchange be CCC, and not implement the protection
+      commands at all.  In this case, the server should respond with a
+      502 reply code.
+
+      If the server cannot base 64 decode the argument, it should
+      respond with a 501 reply code.
+
+      If the server has not completed a security data exchange with the
+      client, it should respond with a 503 reply code.
+
+      If the server has completed a security data exchange with the
+      client using a mechanism which supports integrity, and requires a
+      CCC command due to policy or implementation limitations, it should
+      respond with a 503 reply code.
+
+      If the server rejects the command because it is not supported by
+      the current security mechanism, the server should respond with
+      reply code 537.
+
+      If the server rejects the command (if a checksum fails, for
+      instance), it should respond with reply code 535.
+
+      If the server is not willing to accept the command (if privacy is
+      required by policy, for instance, or if a CONF command is received
+      before a CCC command), it should respond with reply code 533.
+
+      Otherwise, the command will be interpreted as an FTP command.  An
+      end-of-line code need not be included, but if one is included, it
+      must be a Telnet end-of-line code, not a local end-of-line code.
+
+      The server may require that, under some or all circumstances, all
+      commands be protected.  In this case, it should make a 533 reply
+      to commands other than MIC, CONF, and ENC.
+
+4.  Login Authorization
+
+   The security data exchange may, among other things, establish the
+   identity of the client in a secure way to the server.  This identity
+   may be used as one input to the login authorization process.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 11]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   In response to the FTP login commands (AUTH, PASS, ACCT), the server
+   may choose to change the sequence of commands and replies specified
+   by RFC 959 as follows.  There are also some new replies available.
+
+   If the server is willing to allow the user named by the USER command
+   to log in based on the identity established by the security data
+   exchange, it should respond with reply code 232.
+
+   If the security mechanism requires a challenge/response password, it
+   should respond to the USER command with reply code 336.  The text
+   part of the reply should contain the challenge.  The client must
+   display the challenge to the user before prompting for the password
+   in this case.  This is particularly relevant to more sophisticated
+   clients or graphical user interfaces which provide dialog boxes or
+   other modal input.  These clients should be careful not to prompt for
+   the password before the username has been sent to the server, in case
+   the user needs the challenge in the 336 reply to construct a valid
+   password.
+
+5.  New FTP Replies
+
+   The new reply codes are divided into two classes.  The first class is
+   new replies made necessary by the new FTP Security commands.  The
+   second class is a new reply type to indicate protected replies.
+
+   5.1.  New individual reply codes
+
+      232 User logged in, authorized by security data exchange.
+      234 Security data exchange complete.
+      235 [ADAT=base64data]
+            ; This reply indicates that the security data exchange
+            ; completed successfully.  The square brackets are not
+            ; to be included in the reply, but indicate that
+            ; security data in the reply is optional.
+
+      334 [ADAT=base64data]
+            ; This reply indicates that the requested security mechanism
+            ; is ok, and includes security data to be used by the client
+            ; to construct the next command.  The square brackets are not
+            ; to be included in the reply, but indicate that
+            ; security data in the reply is optional.
+      335 [ADAT=base64data]
+            ; This reply indicates that the security data is
+            ; acceptable, and more is required to complete the
+            ; security data exchange.  The square brackets
+            ; are not to be included in the reply, but indicate
+            ; that security data in the reply is optional.
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 12]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      336 Username okay, need password.  Challenge is "...."
+            ; The exact representation of the challenge should be chosen
+            ; by the mechanism to be sensible to the human user of the
+            ; system.
+
+      431 Need some unavailable resource to process security.
+
+      533 Command protection level denied for policy reasons.
+      534 Request denied for policy reasons.
+      535 Failed security check (hash, sequence, etc).
+      536 Requested PROT level not supported by mechanism.
+      537 Command protection level not supported by security mechanism.
+
+   5.2.  Protected replies.
+
+      One new reply type is introduced:
+
+         6yz   Protected reply
+
+            There are three reply codes of this type.  The first, reply
+            code 631 indicates an integrity protected reply.  The
+            second, reply code 632, indicates a confidentiality and
+            integrity protected reply.  the third, reply code 633,
+            indicates a confidentiality protected reply.
+
+            The text part of a 631 reply is a Telnet string consisting
+            of a base 64 encoded "safe" message produced by a security
+            mechanism specific message integrity procedure.  The text
+            part of a 632 reply is a Telnet string consisting of a base
+            64 encoded "private" message produced by a security
+            mechanism specific message confidentiality and integrity
+            procedure.  The text part of a 633 reply is a Telnet string
+            consisting of a base 64 encoded "confidential" message
+            produced by a security mechanism specific message
+            confidentiality procedure.
+
+            The client will decode and verify the encoded reply.  How
+            failures decoding or verifying replies are handled is
+            implementation-specific.  An end-of-line code need not be
+            included, but if one is included, it must be a Telnet end-
+            of-line code, not a local end-of-line code.
+
+            A protected reply may only be sent if a security data
+            exchange has succeeded.
+
+            The 63z reply may be a multiline reply.  In this case, the
+            plaintext reply must be broken up into a number of
+            fragments.  Each fragment must be protected, then base 64
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 13]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+            encoded in order into a separate line of the multiline
+            reply.  There need not be any correspondence between the
+            line breaks in the plaintext reply and the encoded reply.
+            Telnet end-of-line codes must appear in the plaintext of the
+            encoded reply, except for the final end-of-line code, which
+            is optional.
+
+            The multiline reply must be formatted more strictly than the
+            continuation specification in RFC 959.  In particular, each
+            line before the last must be formed by the reply code,
+            followed immediately by a hyphen, followed by a base 64
+            encoded fragment of the reply.
+
+            For example, if the plaintext reply is
+
+               123-First line
+               Second line
+                 234 A line beginning with numbers
+               123 The last line
+
+            then the resulting protected reply could be any of the
+            following (the first example has a line break only to fit
+            within the margins):
+
+  631 base64(protect("123-First line\r\nSecond line\r\n  234 A line
+  631-base64(protect("123-First line\r\n"))
+  631-base64(protect("Second line\r\n"))
+  631-base64(protect("  234 A line beginning with numbers\r\n"))
+  631 base64(protect("123 The last line"))
+
+  631-base64(protect("123-First line\r\nSecond line\r\n  234 A line b"))
+  631 base64(protect("eginning with numbers\r\n123 The last line\r\n"))
+
+6.  Data Channel Encapsulation
+
+   When data transfers are protected between the client and server (in
+   either direction), certain transformations and encapsulations must be
+   performed so that the recipient can properly decode the transmitted
+   file.
+
+   The sender must apply all protection services after transformations
+   associated with the representation type, file structure, and transfer
+   mode have been performed.  The data sent over the data channel is,
+   for the purposes of protection, to be treated as a byte stream.
+
+   When performing a data transfer in an authenticated manner, the
+   authentication checks are performed on individual blocks of the file,
+   rather than on the file as a whole. Consequently, it is possible for
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 14]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   insertion attacks to insert blocks into the data stream (i.e.,
+   replays) that authenticate correctly, but result in a corrupted file
+   being undetected by the receiver. To guard against such attacks, the
+   specific security mechanism employed should include mechanisms to
+   protect against such attacks.  Many GSS-API mechanisms usable with
+   the specification in Appendix I, and the Kerberos mechanism in
+   Appendix II do so.
+
+   The sender must take the input byte stream, and break it up into
+   blocks such that each block, when encoded using a security mechanism
+   specific procedure, will be no larger than the buffer size negotiated
+   by the client with the PBSZ command.  Each block must be encoded,
+   then transmitted with the length of the encoded block prepended as a
+   four byte unsigned integer, most significant byte first.
+
+   When the end of the file is reached, the sender must encode a block
+   of zero bytes, and send this final block to the recipient before
+   closing the data connection.
+
+   The recipient will read the four byte length, read a block of data
+   that many bytes long, then decode and verify this block with a
+   security mechanism specific procedure.  This must be repeated until a
+   block encoding a buffer of zero bytes is received.  This indicates
+   the end of the encoded byte stream.
+
+   Any transformations associated with the representation type, file
+   structure, and transfer mode are to be performed by the recipient on
+   the byte stream resulting from the above process.
+
+   When using block transfer mode, the sender's (cleartext) buffer size
+   is independent of the block size.
+
+   The server will reply 534 to a STOR, STOU, RETR, LIST, NLST, or APPE
+   command if the current protection level is not at the level dictated
+   by the server's security requirements for the particular file
+   transfer.
+
+   If any data protection services fail at any time during data transfer
+   at the server end (including an attempt to send a buffer size greater
+   than the negotiated maximum), the server will send a 535 reply to the
+   data transfer command (either STOR, STOU, RETR, LIST, NLST, or APPE).
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 15]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+7.  Potential policy considerations
+
+   While there are no restrictions on client and server policy, there
+   are a few recommendations which an implementation should implement.
+
+    - Once a security data exchange takes place, a server should require
+      all commands be protected (with integrity and/or confidentiality),
+      and it should protect all replies.  Replies should use the same
+      level of protection as the command which produced them.  This
+      includes replies which indicate failure of the MIC, CONF, and ENC
+      commands.  In particular, it is not meaningful to require that
+      AUTH and ADAT be protected; it is meaningful and useful to require
+      that PROT and PBSZ be protected.  In particular, the use of CCC is
+      not recommended, but is defined in the interest of
+      interoperability between implementations which might desire such
+      functionality.
+
+    - A client should encrypt the PASS command whenever possible.  It is
+      reasonable for the server to refuse to accept a non-encrypted PASS
+      command if the server knows encryption is available.
+
+    - Although no security commands are required to be implemented, it
+      is recommended that an implementation provide all commands which
+      can be implemented, given the mechanisms supported and the policy
+      considerations of the site (export controls, for instance).
+
+8.  Declarative specifications
+
+   These sections are modelled after sections 5.3 and 5.4 of RFC 959,
+   which describe the same information, except for the standard FTP
+   commands and replies.
+
+   8.1.  FTP Security commands and arguments
+
+      AUTH <SP> <mechanism-name> <CRLF>
+      ADAT <SP> <base64data> <CRLF>
+      PROT <SP> <prot-code> <CRLF>
+      PBSZ <SP> <decimal-integer> <CRLF>
+      MIC <SP> <base64data> <CRLF>
+      CONF <SP> <base64data> <CRLF>
+      ENC <SP> <base64data> <CRLF>
+
+      <mechanism-name> ::= <string>
+      <base64data> ::= <string>
+              ; must be formatted as described in section 9
+      <prot-code> ::= C | S | E | P
+      <decimal-integer> ::= any decimal integer from 1 to (2^32)-1
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 16]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   8.2.  Command-Reply sequences
+
+      Security Association Setup
+         AUTH
+            234
+            334
+            502, 504, 534, 431
+            500, 501, 421
+         ADAT
+            235
+            335
+            503, 501, 535
+            500, 501, 421
+      Data protection negotiation commands
+         PBSZ
+            200
+            503
+            500, 501, 421, 530
+         PROT
+            200
+            504, 536, 503, 534, 431
+            500, 501, 421, 530
+      Command channel protection commands
+         MIC
+            535, 533
+            500, 501, 421
+         CONF
+            535, 533
+            500, 501, 421
+         ENC
+            535, 533
+            500, 501, 421
+      Security-Enhanced login commands (only new replies listed)
+         USER
+            232
+            336
+      Data channel commands (only new replies listed)
+         STOR
+            534, 535
+         STOU
+            534, 535
+         RETR
+            534, 535
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 17]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+         LIST
+            534, 535
+         NLST
+            534, 535
+         APPE
+            534, 535
+
+      In addition to these reply codes, any security command can return
+      500, 501, 502, 533, or 421.  Any ftp command can return a reply
+      code encapsulated in a 631, 632, or 633 reply once a security data
+      exchange has completed successfully.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 18]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+9.  State Diagrams
+
+   This section includes a state diagram which demonstrates the flow of
+   authentication and authorization in a security enhanced FTP
+   implementation.  The rectangular blocks show states where the client
+   must issue a command, and the diamond blocks show states where the
+   server must issue a response.
+
+
+          ,------------------,  USER
+       __\| Unauthenticated  |_________\
+      |  /| (new connection) |         /|
+      |   `------------------'          |
+      |            |                    |
+      |            | AUTH               |
+      |            V                    |
+      |           / \                   |
+      | 4yz,5yz  /   \   234            |
+      |<--------<     >------------->.  |
+      |          \   /               |  |
+      |           \_/                |  |
+      |            |                 |  |
+      |            | 334             |  |
+      |            V                 |  |
+      |  ,--------------------,      |  |
+      |  | Need Security Data |<--.  |  |
+      |  `--------------------'   |  |  |
+      |            |              |  |  |
+      |            | ADAT         |  |  |
+      |            V              |  |  |
+      |           / \             |  |  |
+      | 4yz,5yz  /   \   335      |  |  |
+      `<--------<     >-----------'  |  |
+                 \   /               |  |
+                  \_/                |  |
+                   |                 |  |
+                   | 235             |  |
+                   V                 |  |
+           ,---------------.         |  |
+      ,--->| Authenticated |<--------'  |  After the client and server
+      |    `---------------'            |  have completed authenti-
+      |            |                    |  cation, command must be
+      |            | USER               |  integrity-protected if
+      |            |                    |  integrity is available.  The
+      |            |<-------------------'  CCC command may be issued to
+      |            V                       relax this restriction.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 19]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      |           / \
+      | 4yz,5yz  /   \   2yz
+      |<--------<     >------------->.
+      |          \   /               |
+      |           \_/                |
+      |            |                 |
+      |            | 3yz             |
+      |            V                 |
+      |    ,---------------.         |
+      |    | Need Password |         |
+      |    `---------------'         |
+      |            |                 |
+      |            | PASS            |
+      |            V                 |
+      |           / \                |
+      | 4yz,5yz  /   \   2yz         |
+      |<--------<     >------------->|
+      |          \   /               |
+      |           \_/                |
+      |            |                 |
+      |            | 3yz             |
+      |            V                 |
+      |    ,--------------.          |
+      |    | Need Account |          |
+      |    `--------------'          |
+      |            |                 |
+      |            | ACCT            |
+      |            V                 |
+      |           / \                |
+      | 4yz,5yz  /   \   2yz         |
+      `<--------<     >------------->|
+                 \   /               |
+                  \_/                |
+                   |                 |
+                   | 3yz             |
+                   V                 |
+             ,-------------.         |
+             | Authorized  |/________|
+             | (Logged in) |\
+             `-------------'
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 20]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+10.  Base 64 Encoding
+
+   Base 64 encoding is the same as the Printable Encoding described in
+   Section 4.3.2.4 of [RFC-1421], except that line breaks must not be
+   included. This encoding is defined as follows.
+
+   Proceeding from left to right, the bit string resulting from the
+   mechanism specific protection routine is encoded into characters
+   which are universally representable at all sites, though not
+   necessarily with the same bit patterns (e.g., although the character
+   "E" is represented in an ASCII-based system as hexadecimal 45 and as
+   hexadecimal C5 in an EBCDIC-based system, the local significance of
+   the two representations is equivalent).
+
+   A 64-character subset of International Alphabet IA5 is used, enabling
+   6 bits to be represented per printable character.  (The proposed
+   subset of characters is represented identically in IA5 and ASCII.)
+   The character "=" signifies a special processing function used for
+   padding within the printable encoding procedure.
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters.  Proceeding from left to right
+   across a 24-bit input group output from the security mechanism
+   specific message protection procedure, each 6-bit group is used as an
+   index into an array of 64 printable characters, namely "[A-Z][a-
+   z][0-9]+/".  The character referenced by the index is placed in the
+   output string.  These characters are selected so as to be universally
+   representable, and the set excludes characters with particular
+   significance to Telnet (e.g., "<CR>", "<LF>", IAC).
+
+   Special processing is performed if fewer than 24 bits are available
+   in an input group at the end of a message.  A full encoding quantum
+   is always completed at the end of a message.  When fewer than 24
+   input bits are available in an input group, zero bits are added (on
+   the right) to form an integral number of 6-bit groups.  Output
+   character positions which are not required to represent actual input
+   data are set to the character "=".  Since all canonically encoded
+   output is an integral number of octets, only the following cases can
+   arise: (1) the final quantum of encoding input is an integral
+   multiple of 24 bits; here, the final unit of encoded output will be
+   an integral multiple of 4 characters with no "=" padding, (2) the
+   final quantum of encoding input is exactly 8 bits; here, the final
+   unit of encoded output will be two characters followed by two "="
+   padding characters, or (3) the final quantum of encoding input is
+   exactly 16 bits; here, the final unit of encoded output will be three
+   characters followed by one "=" padding character.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 21]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Implementors must keep in mind that the base 64 encodings in ADAT,
+   MIC, CONF, and ENC commands, and in 63z replies may be arbitrarily
+   long.  Thus, the entire line must be read before it can be processed.
+   Several successive reads on the control channel may be necessary.  It
+   is not appropriate to for a server to reject a command containing a
+   base 64 encoding simply because it is too long (assuming that the
+   decoding is otherwise well formed in the context in which it was
+   sent).
+
+   Case must not be ignored when reading commands and replies containing
+   base 64 encodings.
+
+11.  Security Considerations
+
+   This entire document deals with security considerations related to
+   the File Transfer Protocol.
+
+   Third party file transfers cannot be secured using these extensions,
+   since a security context cannot be established between two servers
+   using these facilities (no control connection exists between servers
+   over which to pass ADAT tokens).  Further work in this area is
+   deferred.
+
+12.  Acknowledgements
+
+   I would like to thank the members of the CAT WG, as well as all
+   participants in discussions on the "cat-ietf@mit.edu" mailing list,
+   for their contributions to this document.  I would especially like to
+   thank Sam Sjogren, John Linn, Ted Ts'o, Jordan Brown, Michael Kogut,
+   Derrick Brashear, John Gardiner Myers, Denis Pinkas, and Karri Balk
+   for their contributions to this work.  Of course, without Steve Lunt,
+   the author of the first six revisions of this document, it would not
+   exist at all.
+
+13.  References
+
+   [TELNET-SEC] Borman, D., "Telnet Authentication and Encryption
+      Option", Work in Progress.
+
+   [RFC-1123] Braden, R., "Requirements for Internet Hosts --
+      Application and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC-1421] Linn, J., "Privacy Enhancement for Internet Electronic
+      Mail: Part I: Message Encryption and Authentication Procedures",
+      RFC 1421, February 1993.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 22]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+14.  Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   EMail: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 23]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+Appendix I: Specification under the GSSAPI
+
+   In order to maximise the utility of new security mechanisms, it is
+   desirable that new mechanisms be implemented as GSSAPI mechanisms
+   rather than as FTP security mechanisms.  This will enable existing
+   ftp implementations to support the new mechanisms more easily, since
+   little or no code will need to be changed.  In addition, the
+   mechanism will be usable by other protocols, such as IMAP, which are
+   built on top of the GSSAPI, with no additional specification or
+   implementation work needed by the mechanism designers.
+
+   The security mechanism name (for the AUTH command) associated with
+   all mechanisms employing the GSSAPI is GSSAPI.  If the server
+   supports a security mechanism employing the GSSAPI, it must respond
+   with a 334 reply code indicating that an ADAT command is expected
+   next.
+
+   The client must begin the authentication exchange by calling
+   GSS_Init_Sec_Context, passing in 0 for input_context_handle
+   (initially), and a targ_name equal to output_name from
+   GSS_Import_Name called with input_name_type of Host-Based Service and
+   input_name_string of "ftp@hostname" where "hostname" is the fully
+   qualified host name of the server with all letters in lower case.
+   (Failing this, the client may try again using input_name_string of
+   "host@hostname".) The output_token must then be base 64 encoded and
+   sent to the server as the argument to an ADAT command.  If
+   GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client
+   must expect a token to be returned in the reply to the ADAT command.
+   This token must subsequently be passed to another call to
+   GSS_Init_Sec_Context.  In this case, if GSS_Init_Sec_Context returns
+   no output_token, then the reply code from the server for the previous
+   ADAT command must have been 235.  If GSS_Init_Sec_Context returns
+   GSS_S_COMPLETE, then no further tokens are expected from the server,
+   and the client must consider the server authenticated.
+
+   The server must base 64 decode the argument to the ADAT command and
+   pass the resultant token to GSS_Accept_Sec_Context as input_token,
+   setting acceptor_cred_handle to NULL (for "use default credentials"),
+   and 0 for input_context_handle (initially).  If an output_token is
+   returned, it must be base 64 encoded and returned to the client by
+   including "ADAT=base64string" in the text of the reply.  If
+   GSS_Accept_Sec_Context returns GSS_S_COMPLETE, the reply code must be
+   235, and the server must consider the client authenticated.  If
+   GSS_Accept_Sec_Context returns GSS_S_CONTINUE_NEEDED, the reply code
+   must be 335.  Otherwise, the reply code should be 535, and the text
+   of the reply should contain a descriptive error message.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 24]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   The chan_bindings input to GSS_Init_Sec_Context and
+   GSS_Accept_Sec_Context should use the client internet address and
+   server internet address as the initiator and acceptor addresses,
+   respectively.  The address type for both should be GSS_C_AF_INET. No
+   application data should be specified.
+
+   Since GSSAPI supports anonymous peers to security contexts, it is
+   possible that the client's authentication of the server does not
+   actually establish an identity.
+
+   The procedure associated with MIC commands, 631 replies, and Safe
+   file transfers is:
+
+      GSS_Wrap for the sender, with conf_flag == FALSE
+
+      GSS_Unwrap for the receiver
+
+   The procedure associated with ENC commands, 632 replies, and Private
+   file transfers is:
+
+      GSS_Wrap for the sender, with conf_flag == TRUE
+      GSS_Unwrap for the receiver
+
+   CONF commands and 633 replies are not supported.
+
+   Both the client and server should inspect the value of conf_avail to
+   determine whether the peer supports confidentiality services.
+
+   When the security state is reset (when AUTH is received a second
+   time, or when REIN is received), this should be done by calling the
+   GSS_Delete_sec_context function.
+
+Appendix II:  Specification under Kerberos version 4
+
+   The security mechanism name (for the AUTH command) associated with
+   Kerberos Version 4 is KERBEROS_V4.  If the server supports
+   KERBEROS_V4, it must respond with a 334 reply code indicating that an
+   ADAT command is expected next.
+
+   The client must retrieve a ticket for the Kerberos principal
+   "ftp.hostname@realm" by calling krb_mk_req(3) with a principal name
+   of "ftp", an instance equal to the first part of the canonical host
+   name of the server with all letters in lower case (as returned by
+   krb_get_phost(3)), the server's realm name (as returned by
+   krb_realmofhost(3)), and an arbitrary checksum.  The ticket must then
+   be base 64 encoded and sent as the argument to an ADAT command.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 25]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   If the "ftp" principal name is not a registered principal in the
+   Kerberos database, then the client may fall back on the "rcmd"
+   principal name (same instance and realm).  However, servers must
+   accept only one or the other of these principal names, and must not
+   be willing to accept either.  Generally, if the server has a key for
+   the "ftp" principal in its srvtab, then that principal only must be
+   used, otherwise the "rcmd" principal only must be used.
+
+   The server must base 64 decode the argument to the ADAT command and
+   pass the result to krb_rd_req(3).  The server must add one to the
+   checksum from the authenticator, convert the result to network byte
+   order (most significant byte first), and sign it using
+   krb_mk_safe(3), and base 64 encode the result.  Upon success, the
+   server must reply to the client with a 235 code and include
+   "ADAT=base64string" in the text of the reply.  Upon failure, the
+   server should reply 535.
+
+   Upon receipt of the 235 reply from the server, the client must parse
+   the text of the reply for the base 64 encoded data, decode it,
+   convert it from network byte order, and pass the result to
+   krb_rd_safe(3).  The client must consider the server authenticated if
+   the resultant checksum is equal to one plus the value previously
+   sent.
+
+   The procedure associated with MIC commands, 631 replies, and Safe
+   file transfers is:
+
+      krb_mk_safe(3) for the sender
+      krb_rd_safe(3) for the receiver
+
+   The procedure associated with ENC commands, 632 replies, and Private
+   file transfers is:
+
+      krb_mk_priv(3) for the sender
+      krb_rd_priv(3) for the receiver
+
+   CONF commands and 633 replies are not supported.
+
+   Note that this specification for KERBEROS_V4 contains no provision
+   for negotiating alternate means for integrity and confidentiality
+   routines.  Note also that the ADAT exchange does not convey whether
+   the peer supports confidentiality services.
+
+   In order to stay within the allowed PBSZ, implementors must take note
+   that a cleartext buffer will grow by 31 bytes when processed by
+   krb_mk_safe(3) and will grow by 26 bytes when processed by
+   krb_mk_priv(3).
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 26]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implmentation may be prepared, copied, published
+   andand distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 27]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2743.txt b/crypto/heimdal/doc/standardisation/rfc2743.txt
new file mode 100644
index 0000000..e5da571
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2743.txt
@@ -0,0 +1,5659 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 2743                              RSA Laboratories
+Obsoletes: 2078                                             January 2000
+Category: Standards Track
+
+
+         Generic Security Service Application Program Interface
+                          Version 2, Update 1
+
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   The Generic Security Service Application Program Interface (GSS-API),
+   Version 2, as defined in [RFC-2078], provides security services to
+   callers in a generic fashion, supportable with a range of underlying
+   mechanisms and technologies and hence allowing source-level
+   portability of applications to different environments. This
+   specification defines GSS-API services and primitives at a level
+   independent of underlying mechanism and programming language
+   environment, and is to be complemented by other, related
+   specifications:
+
+      documents defining specific parameter bindings for particular
+      language environments
+
+      documents defining token formats, protocols, and procedures to be
+      implemented in order to realize GSS-API services atop particular
+      security mechanisms
+
+   This memo obsoletes [RFC-2078], making specific, incremental changes
+   in response to implementation experience and liaison requests. It is
+   intended, therefore, that this memo or a successor version thereto
+   will become the basis for subsequent progression of the GSS-API
+   specification on the standards track.
+
+
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+TABLE OF CONTENTS
+
+   1: GSS-API Characteristics and Concepts . . . . . . . . . . . .  4
+   1.1: GSS-API Constructs . . . . . . . . . . . . . . . . . . . .  6
+   1.1.1:  Credentials . . . . . . . . . . . . . . . . . . . . . .  6
+   1.1.1.1: Credential Constructs and Concepts . . . . . . . . . .  6
+   1.1.1.2: Credential Management  . . . . . . . . . . . . . . . .  7
+   1.1.1.3: Default Credential Resolution  . . . . . . . . . . . .  8
+   1.1.2: Tokens . . . . . . . . . . . . . . . . . . . . . . . . .  9
+   1.1.3:  Security Contexts . . . . . . . . . . . . . . . . . . . 11
+   1.1.4:  Mechanism Types . . . . . . . . . . . . . . . . . . . . 12
+   1.1.5:  Naming  . . . . . . . . . . . . . . . . . . . . . . . . 13
+   1.1.6:  Channel Bindings  . . . . . . . . . . . . . . . . . . . 16
+   1.2:  GSS-API Features and Issues . . . . . . . . . . . . . . . 17
+   1.2.1:  Status Reporting  and Optional Service Support  . . . . 17
+   1.2.1.1: Status Reporting . . . . . . . . . . . . . . . . . . . 17
+   1.2.1.2: Optional Service Support . . . . . . . . . . . . . . . 19
+   1.2.2: Per-Message Security Service Availability  . . . . . . . 20
+   1.2.3: Per-Message Replay Detection and Sequencing  . . . . . . 21
+   1.2.4:  Quality of Protection . . . . . . . . . . . . . . . . . 24
+   1.2.5: Anonymity Support  . . . . . . . . . . . . . . . . . . . 25
+   1.2.6: Initialization . . . . . . . . . . . . . . . . . . . . . 25
+   1.2.7: Per-Message Protection During Context Establishment  . . 26
+   1.2.8: Implementation Robustness  . . . . . . . . . . . . . . . 27
+   1.2.9: Delegation . . . . . . . . . . . . . . . . . . . . . . . 28
+   1.2.10: Interprocess Context Transfer . . . . . . . . . . . . . 28
+   2:  Interface Descriptions  . . . . . . . . . . . . . . . . . . 29
+   2.1:  Credential management calls . . . . . . . . . . . . . . . 31
+   2.1.1:  GSS_Acquire_cred call . . . . . . . . . . . . . . . . . 31
+   2.1.2:  GSS_Release_cred call . . . . . . . . . . . . . . . . . 34
+   2.1.3:  GSS_Inquire_cred call . . . . . . . . . . . . . . . . . 35
+   2.1.4:  GSS_Add_cred call . . . . . . . . . . . . . . . . . . . 37
+   2.1.5:  GSS_Inquire_cred_by_mech call . . . . . . . . . . . . . 40
+   2.2:  Context-level calls . . . . . . . . . . . . . . . . . . . 41
+   2.2.1:  GSS_Init_sec_context call . . . . . . . . . . . . . . . 42
+   2.2.2:  GSS_Accept_sec_context call . . . . . . . . . . . . . . 49
+   2.2.3:  GSS_Delete_sec_context call . . . . . . . . . . . . . . 53
+   2.2.4:  GSS_Process_context_token call  . . . . . . . . . . . . 54
+   2.2.5:  GSS_Context_time call . . . . . . . . . . . . . . . . . 55
+   2.2.6:  GSS_Inquire_context call  . . . . . . . . . . . . . . . 56
+   2.2.7:  GSS_Wrap_size_limit call  . . . . . . . . . . . . . . . 57
+   2.2.8:  GSS_Export_sec_context call . . . . . . . . . . . . . . 59
+   2.2.9:  GSS_Import_sec_context call . . . . . . . . . . . . . . 61
+   2.3:  Per-message calls . . . . . . . . . . . . . . . . . . . . 62
+   2.3.1:  GSS_GetMIC call . . . . . . . . . . . . . . . . . . . . 63
+   2.3.2:  GSS_VerifyMIC call  . . . . . . . . . . . . . . . . . . 64
+   2.3.3:  GSS_Wrap call . . . . . . . . . . . . . . . . . . . . . 65
+   2.3.4:  GSS_Unwrap call . . . . . . . . . . . . . . . . . . . . 66
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   2.4:  Support calls . . . . . . . . . . . . . . . . . . . . . . 68
+   2.4.1:  GSS_Display_status call . . . . . . . . . . . . . . . . 68
+   2.4.2:  GSS_Indicate_mechs call . . . . . . . . . . . . . . . . 69
+   2.4.3:  GSS_Compare_name call . . . . . . . . . . . . . . . . . 70
+   2.4.4:  GSS_Display_name call . . . . . . . . . . . . . . . . . 71
+   2.4.5:  GSS_Import_name call  . . . . . . . . . . . . . . . . . 72
+   2.4.6:  GSS_Release_name call . . . . . . . . . . . . . . . . . 73
+   2.4.7:  GSS_Release_buffer call . . . . . . . . . . . . . . . . 74
+   2.4.8:  GSS_Release_OID_set call  . . . . . . . . . . . . . . . 74
+   2.4.9:  GSS_Create_empty_OID_set call . . . . . . . . . . . . . 75
+   2.4.10: GSS_Add_OID_set_member call . . . . . . . . . . . . . . 76
+   2.4.11: GSS_Test_OID_set_member call  . . . . . . . . . . . . . 76
+   2.4.12: GSS_Inquire_names_for_mech call . . . . . . . . . . . . 77
+   2.4.13: GSS_Inquire_mechs_for_name call . . . . . . . . . . . . 77
+   2.4.14: GSS_Canonicalize_name call  . . . . . . . . . . . . . . 78
+   2.4.15: GSS_Export_name call  . . . . . . . . . . . . . . . . . 79
+   2.4.16: GSS_Duplicate_name call . . . . . . . . . . . . . . . . 80
+   3: Data Structure Definitions for GSS-V2 Usage  . . . . . . . . 81
+   3.1: Mechanism-Independent Token Format . . . . . . . . . . . . 81
+   3.2: Mechanism-Independent Exported Name Object Format  . . . . 84
+   4: Name Type Definitions  . . . . . . . . . . . . . . . . . . . 85
+   4.1: Host-Based Service Name Form . . . . . . . . . . . . . . . 85
+   4.2: User Name Form . . . . . . . . . . . . . . . . . . . . . . 86
+   4.3: Machine UID Form . . . . . . . . . . . . . . . . . . . . . 87
+   4.4: String UID Form  . . . . . . . . . . . . . . . . . . . . . 87
+   4.5: Anonymous Nametype . . . . . . . . . . . . . . . . . . . . 87
+   4.6: GSS_C_NO_OID . . . . . . . . . . . . . . . . . . . . . . . 88
+   4.7: Exported Name Object . . . . . . . . . . . . . . . . . . . 88
+   4.8: GSS_C_NO_NAME  . . . . . . . . . . . . . . . . . . . . . . 88
+   5:  Mechanism-Specific Example Scenarios  . . . . . . . . . . . 88
+   5.1: Kerberos V5, single-TGT  . . . . . . . . . . . . . . . . . 89
+   5.2: Kerberos V5, double-TGT  . . . . . . . . . . . . . . . . . 89
+   5.3:  X.509 Authentication Framework  . . . . . . . . . . . . . 90
+   6:  Security Considerations . . . . . . . . . . . . . . . . . . 91
+   7:  Related Activities  . . . . . . . . . . . . . . . . . . . . 92
+   8:  Referenced Documents  . . . . . . . . . . . . . . . . . . . 93
+   Appendix A: Mechanism Design Constraints  . . . . . . . . . . . 94
+   Appendix B: Compatibility with GSS-V1 . . . . . . . . . . . . . 94
+   Appendix C: Changes Relative to RFC-2078  . . . . . . . . . . . 96
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . .100
+   Full Copyright Statement  . . . . . . . . . . . . . . . . . . .101
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1: GSS-API Characteristics and Concepts
+
+   GSS-API operates in the following paradigm.  A typical GSS-API caller
+   is itself a communications protocol, calling on GSS-API in order to
+   protect its communications with authentication, integrity, and/or
+   confidentiality security services.  A GSS-API caller accepts tokens
+   provided to it by its local GSS-API implementation and transfers the
+   tokens to a peer on a remote system; that peer passes the received
+   tokens to its local GSS-API implementation for processing. The
+   security services available through GSS-API in this fashion are
+   implementable (and have been implemented) over a range of underlying
+   mechanisms based on secret-key and public-key cryptographic
+   technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication
+   (GSS_Init_sec_context() and GSS_Accept_sec_context() calls), from the
+   operations of providing per-message data origin authentication and
+   data integrity protection (GSS_GetMIC() and GSS_VerifyMIC() calls)
+   for messages subsequently transferred in conjunction with that
+   context.  (The definition for the peer entity authentication service,
+   and other definitions used in this document, corresponds to that
+   provided in [ISO-7498-2].) When establishing a security context, the
+   GSS-API enables a context initiator to optionally permit its
+   credentials to be delegated, meaning that the context acceptor may
+   initiate further security contexts on behalf of the initiating
+   caller. Per-message GSS_Wrap() and GSS_Unwrap() calls provide the
+   data origin authentication and data integrity services which
+   GSS_GetMIC() and GSS_VerifyMIC() offer, and also support selection of
+   confidentiality services as a caller option. Additional calls provide
+   supportive functions to the GSS-API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example also assumes
+   that the underlying authentication technology is capable of
+   authenticating a client to a server using elements carried within a
+   single token, and of authenticating the server to the client (mutual
+   authentication) with a single returned token; this assumption holds
+   for some presently-documented CAT mechanisms but is not necessarily
+   true for other cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context() to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context() returns an
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   output_token to be passed to the server, and indicates
+   GSS_S_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context() would have returned
+   GSS_S_COMPLETE status. The client sends the output_token to the
+   server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_S_COMPLETE status, provides the client's authenticated identity
+   in the src_name result, and provides an output_token to be passed to
+   the client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(), which processes data
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context() returns
+   GSS_S_COMPLETE status, indicating successful mutual authentication
+   and the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Wrap().
+   GSS_Wrap() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+   encapsulates the result into output_message, indicating
+   GSS_S_COMPLETE status. The client sends the output_message to the
+   server.
+
+   The server passes the received message to GSS_Unwrap().  GSS_Unwrap()
+   inverts the encapsulation performed by GSS_Wrap(), deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unwrap() indicates successful validation by returning
+   GSS_S_COMPLETE status along with the resultant output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information.  Optionally, the server-side application
+   may provide a token buffer to GSS_Delete_sec_context(), to receive a
+   context_token to be transferred to the client in order to request
+   that client-side context-level information be deleted.
+
+   If a context_token is transferred, the client passes the
+   context_token to GSS_Process_context_token(), which returns
+   GSS_S_COMPLETE status after deleting context-level information at the
+   client system.
+
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services have been implemented using secret-key technologies
+      (e.g., Kerberos, per [RFC-1964]) and with public-key approaches
+      (e.g., SPKM, per [RFC-2025]).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol may be
+      interposed between applications which call that protocol and the
+      GSS-API (e.g., as defined in [RFC-2203] for Open Network Computing
+      Remote Procedure Call (RPC)), thereby invoking GSS-API facilities
+      in conjunction with that protocol's communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1: GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1:  Credentials
+
+1.1.1.1: Credential Constructs and Concepts
+
+   Credentials provide the prerequisites which permit GSS-API peers to
+   establish security contexts with each other. A caller may designate
+   that the credential elements which are to be applied for context
+   initiation or acceptance be selected by default.  Alternately, those
+   GSS-API callers which need to make explicit selection of particular
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credentials structures may make references to those credentials
+   through GSS-API-provided credential handles ("cred_handles").  In all
+   cases, callers' credential references are indirect, mediated by GSS-
+   API implementations and not requiring callers to access the selected
+   credential elements.
+
+   A single credential structure may be used to initiate outbound
+   contexts and to accept inbound contexts. Callers needing to operate
+   in only one of these modes may designate this fact when credentials
+   are acquired for use, allowing underlying mechanisms to optimize
+   their processing and storage requirements. The credential elements
+   defined by a particular mechanism may contain multiple cryptographic
+   keys, e.g., to enable authentication and message encryption to be
+   performed with different algorithms.
+
+   A GSS-API credential structure may contain multiple credential
+   elements, each containing mechanism-specific information for a
+   particular underlying mechanism (mech_type), but the set of elements
+   within a given credential structure represent a common entity.  A
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation. Each
+   credential element identifies the data needed by its mechanism in
+   order to establish contexts on behalf of a particular principal, and
+   may contain separate credential references for use in context
+   initiation and context acceptance.  Multiple credential elements
+   within a given credential having overlapping combinations of
+   mechanism, usage mode, and validity period are not permitted.
+
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target. A major
+   motivation for supporting credential sets representing multiple
+   mech_types is to allow initiators on systems which are equipped to
+   handle multiple types to initiate contexts to targets on other
+   systems which can accommodate only a subset of the set supported at
+   the initiator's system.
+
+1.1.1.2: Credential Management
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      to comprise default credential elements to be installed, and to be
+      used when default credential behavior is requested on behalf of a
+      process
+
+1.1.1.3: Default Credential Resolution
+
+   The GSS_Init_sec_context() and GSS_Accept_sec_context() routines
+   allow the value GSS_C_NO_CREDENTIAL to be specified as their
+   credential handle parameter.  This special credential handle
+   indicates a desire by the application to act as a default principal.
+   In support of application portability, support for the default
+   resolution behavior described below for initiator credentials
+   (GSS_Init_sec_context() usage) is mandated; support for the default
+   resolution behavior described below for acceptor credentials
+   (GSS_Accept_sec_context() usage) is recommended. If default
+   credential resolution fails, GSS_S_NO_CRED status is to be returned.
+
+      GSS_Init_sec_context:
+
+         (i) If there is only a single principal capable of initiating
+         security contexts that the application is authorized to act on
+         behalf of, then that principal shall be used, otherwise
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+         (ii) If the platform maintains a concept of a default network-
+         identity, and if the application is authorized to act on behalf
+         of that identity for the purpose of initiating security
+         contexts, then the principal corresponding to that identity
+         shall be used, otherwise
+
+         (iii) If the platform maintains a concept of a default local
+         identity, and provides a means to map local identities into
+         network-identities, and if the application is authorized to act
+         on behalf of the network-identity image of the default local
+         identity for the purpose of initiating security contexts, then
+         the principal corresponding to that identity shall be used,
+         otherwise
+
+         (iv) A user-configurable default identity should be used.
+
+      GSS_Accept_sec_context:
+
+         (i) If there is only a single authorized principal identity
+         capable of accepting security contexts, then that principal
+         shall be used, otherwise
+
+         (ii) If the mechanism can determine the identity of the target
+         principal by examining the context-establishment token, and if
+         the accepting application is authorized to act as that
+         principal for the purpose of accepting security contexts, then
+         that principal identity shall be used, otherwise
+
+         (iii) If the mechanism supports context acceptance by any
+         principal, and mutual authentication was not requested, any
+         principal that the application is authorized to accept security
+         contexts under may be used, otherwise
+
+         (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than those
+   that use GSS_Acquire_cred() to request a specific identity.
+
+1.1.2: Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens relate to an established context and are exchanged to provide
+
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   protective security services (i.e., data origin authentication,
+   integrity, and optional confidentiality) for corresponding data
+   messages.
+
+   The first context-level token obtained from GSS_Init_sec_context() is
+   required to indicate at its very beginning a globally-interpretable
+   mechanism identifier, i.e., an Object Identifier (OID) of the
+   security mechanism. The remaining part of this token as well as the
+   whole content of all other tokens are specific to the particular
+   underlying mechanism used to support the GSS-API. Section 3.1 of this
+   document provides, for designers of GSS-API mechanisms, the
+   description of the header of the first context-level token which is
+   then followed by mechanism-specific information.
+
+   Tokens' contents are opaque from the viewpoint of GSS-API callers.
+   They are generated within the GSS-API implementation at an end
+   system, provided to a GSS-API caller to be transferred to the peer
+   GSS-API caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system.
+
+   Context-level tokens may be output by GSS-API calls (and should be
+   transferred to GSS-API peers) whether or not the calls' status
+   indicators indicate successful completion.  Per-message tokens, in
+   contrast, are to be returned only upon successful completion of per-
+   message calls. Zero-length tokens are never returned by GSS routines
+   for transfer to a peer. Token transfer may take place in an in-band
+   manner, integrated into the same protocol stream used by the GSS-API
+   callers for other data transfers, or in an out-of-band manner across
+   a logically separate channel.
+
+   Different GSS-API tokens are used for different purposes (e.g.,
+   context initiation, context acceptance, protected message data on an
+   established context), and it is the responsibility of a GSS-API
+   caller receiving tokens to distinguish their types, associate them
+   with corresponding security contexts, and pass them to appropriate
+   GSS-API processing routines.  Depending on the caller protocol
+   environment, this distinction may be accomplished in several ways.
+
+   The following examples illustrate means through which tokens' types
+   may be distinguished:
+
+      - implicit tagging based on state information (e.g., all tokens on
+      a new association are considered to be context establishment
+      tokens until context establishment is completed, at which point
+      all tokens are considered to be wrapped data objects for that
+      context),
+
+
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      - explicit tagging at the caller protocol level,
+
+      - a hybrid of these approaches.
+
+   Commonly, the encapsulated data within a token includes internal
+   mechanism-specific tagging information, enabling mechanism-level
+   processing modules to distinguish tokens used within the mechanism
+   for different purposes.  Such internal mechanism-level tagging is
+   recommended to mechanism designers, and enables mechanisms to
+   determine whether a caller has passed a particular token for
+   processing by an inappropriate GSS-API routine.
+
+   Development of GSS-API mechanisms based on a particular underlying
+   cryptographic technique and protocol (i.e., conformant to a specific
+   GSS-API mechanism definition) does not necessarily imply that GSS-API
+   callers using that GSS-API mechanism will be able to interoperate
+   with peers invoking the same technique and protocol outside the GSS-
+   API paradigm, or with peers implementing a different GSS-API
+   mechanism based on the same underlying technology.  The format of
+   GSS-API tokens defined in conjunction with a particular mechanism,
+   and the techniques used to integrate those tokens into callers'
+   protocols, may not be interoperable with the tokens used by non-GSS-
+   API callers of the same underlying technique.
+
+1.1.3:  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.  Messages may be protected and
+   transferred in both directions on an established GSS-API security
+   context concurrently; protection of messages in one direction does
+   not interfere with protection of messages in the reverse direction.
+
+   GSS-API implementations are expected to retain inquirable context
+   data on a context until the context is released by a caller, even
+   after the context has expired, although underlying cryptographic data
+   elements may be deleted after expiration in order to limit their
+   exposure.
+
+1.1.4:  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   For GSS-API purposes, the phrase "negotiating mechanism" refers to a
+   mechanism which itself performs negotiation in order to select a
+   concrete mechanism which is shared between peers and is then used for
+   context establishment.  Only those mechanisms which are defined in
+   their specifications as negotiating mechanisms are to yield selected
+   mechanisms with different identifier values than the value which is
+   input by a GSS-API caller, except for the case of a caller requesting
+   the "default" mech_type.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name lookup of a target's name in a
+      naming service or other database in order to identify mech_types
+      supported by that target
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+      use of a negotiating mechanism
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Section 3 of this document, represented as Object Identifiers (OIDs))
+   serve to qualify the interpretation of associated tokens. (The
+   structure and encoding of Object Identifiers is defined in [ISOIEC-
+   8824] and [ISOIEC-8825].) Use of hierarchically structured OIDs
+   serves to preclude ambiguous interpretation of mech_type specifiers.
+   The OID representing the DASS ([RFC-1507]) MechType, for example, is
+   1.3.12.2.1011.7.5, and that of the Kerberos V5 mechanism ([RFC-
+   1964]), having been advanced to the level of Proposed Standard, is
+   1.2.840.113554.1.2.2.
+
+1.1.5:  Naming
+
+   The GSS-API avoids prescribing naming structures, treating the names
+   which are transferred across the interface in order to initiate and
+   accept security contexts as opaque objects.  This approach supports
+   the GSS-API's goal of implementability atop a range of underlying
+   security mechanisms, recognizing the fact that different mechanisms
+   process and authenticate names which are presented in different
+   forms. Generalized services offering translation functions among
+   arbitrary sets of naming environments are outside the scope of the
+   GSS-API; availability and use of local conversion functions to
+   translate among the naming formats supported within a given end
+   system is anticipated.
+
+   Different classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      - Internal form (denoted in this document by INTERNAL NAME),
+      opaque to callers and defined by individual GSS-API
+      implementations.  GSS-API implementations supporting multiple
+      namespace types must maintain internal tags to disambiguate the
+      interpretation of particular names.  A Mechanism Name (MN) is a
+      special case of INTERNAL NAME, guaranteed to contain elements
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      corresponding to one and only one mechanism; calls which are
+      guaranteed to emit MNs or which require MNs as input are so
+      identified within this specification.
+
+      - Contiguous string ("flat") form (denoted in this document by
+      OCTET STRING); accompanied by OID tags identifying the namespace
+      to which they correspond.  Depending on tag value, flat names may
+      or may not be printable strings for direct acceptance from and
+      presentation to users. Tagging of flat names allows GSS-API
+      callers and underlying GSS-API mechanisms to disambiguate name
+      types and to determine whether an associated name's type is one
+      which they are capable of processing, avoiding aliasing problems
+      which could result from misinterpreting a name of one type as a
+      name of another type.
+
+      - The GSS-API Exported Name Object, a special case of flat name
+      designated by a reserved OID value, carries a canonicalized form
+      of a name suitable for binary comparisons.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()), input conversion
+   (GSS_Import_name()), internal name deallocation (GSS_Release_name()),
+   and internal name duplication (GSS_Duplicate_name()) functions are
+   defined. (It is anticipated that these proposed GSS-API calls will be
+   implemented in many end systems based on system-specific name
+   manipulation primitives already extant within those end systems;
+   inclusion within the GSS-API is intended to offer GSS-API callers a
+   portable means to perform specific operations, supportive of
+   authorization and audit requirements, on authenticated names.)
+
+   GSS_Import_name() implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   When used in large access control lists, the overhead of invoking
+   GSS_Import_name() and GSS_Compare_name() on each name from the ACL
+   may be prohibitive.  As an alternative way of supporting this case,
+   GSS-API defines a special form of the contiguous string name which
+   may be compared directly (e.g., with memcmp()).  Contiguous names
+   suitable for comparison are generated by the GSS_Export_name()
+   routine, which requires an MN as input.  Exported names may be re-
+   imported by the GSS_Import_name() routine, and the resulting internal
+   name will also be an MN.  The symbolic constant GSS_C_NT_EXPORT_NAME
+   identifies the "export name" type. Structurally, an exported name
+   object consists of a header containing an OID identifying the
+   mechanism that authenticated the name, and a trailer containing the
+   name itself, where the syntax of the trailer is defined by the
+   individual mechanism specification.  The precise format of an
+   exported name is defined in Section 3.2 of this specification.
+
+   Note that the results obtained by using GSS_Compare_name() will in
+   general be different from those obtained by invoking
+   GSS_Canonicalize_name() and GSS_Export_name(), and then comparing the
+   exported names.  The first series of operations determines whether
+   two (unauthenticated) names identify the same principal; the second
+   whether a particular mechanism would authenticate them as the same
+   principal.  These two operations will in general give the same
+   results only for MNs.
+
+   The following diagram illustrates the intended dataflow among name-
+   related GSS-API processing routines.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+                        GSS-API library defaults
+                               |
+                               |
+                               V                         text, for
+   text -------------->  internal_name (IN) -----------> display only
+         import_name()          /          display_name()
+                               /
+                              /
+                             /
+    accept_sec_context()    /
+          |                /
+          |               /
+          |              /  canonicalize_name()
+          |             /
+          |            /
+          |           /
+          |          /
+          |         /
+          |        |
+          V        V     <---------------------
+    single mechanism        import_name()         exported name: flat
+    internal_name (MN)                            binary "blob" usable
+                         ---------------------->  for access control
+                            export_name()
+
+1.1.6:  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information.  Channel bindings are used to
+   strengthen the quality with which peer entity authentication is
+   provided during context establishment, by limiting the scope within
+   which an intercepted context establishment token can be reused by an
+   attacker. Specifically, they enable GSS-API callers to bind the
+   establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel, of protection mechanisms
+   applied to that communications channel, and to application-specific
+   data.
+
+   The caller initiating a security context must determine the
+   appropriate channel binding values to provide as input to the
+   GSS_Init_sec_context() call, and consistent values must be provided
+   to GSS_Accept_sec_context() by the context's target, in order for
+   both peers' GSS-API mechanisms to validate that received tokens
+   possess correct channel-related characteristics. Use or non-use of
+   the GSS-API channel binding facility is a caller option.  GSS-API
+   mechanisms can operate in an environment where NULL channel bindings
+   are presented; mechanism implementors are encouraged, but not
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   required, to make use of caller-provided channel binding data within
+   their mechanisms. Callers should not assume that underlying
+   mechanisms provide confidentiality protection for channel binding
+   information.
+
+   When non-NULL channel bindings are provided by callers, certain
+   mechanisms can offer enhanced security value by interpreting the
+   bindings' content (rather than simply representing those bindings, or
+   integrity check values computed on them, within tokens) and will
+   therefore depend on presentation of specific data in a defined
+   format. To this end, agreements among mechanism implementors are
+   defining conventional interpretations for the contents of channel
+   binding arguments, including address specifiers (with content
+   dependent on communications protocol environment) for context
+   initiators and acceptors. (These conventions are being incorporated
+   in GSS-API mechanism specifications and into the GSS-API C language
+   bindings specification.) In order for GSS-API callers to be portable
+   across multiple mechanisms and achieve the full security
+   functionality which each mechanism can provide, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2:  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1:  Status Reporting and Optional Service Support
+
+1.2.1.1: Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED),
+   sufficient to drive normal control flow within the caller in a
+   generic fashion. Table 1 summarizes the defined major_status return
+   codes in tabular fashion.
+
+   Sequencing-related informatory major_status codes
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN) can be indicated in conjunction with either
+   GSS_S_COMPLETE or GSS_S_FAILURE status for GSS-API per-message calls.
+   For context establishment calls, these sequencing-related codes will
+   be indicated only in conjunction with GSS_S_FAILURE status (never in
+
+
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   conjunction with GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and,
+   therefore, always correspond to fatal failures if encountered during
+   the context establishment phase.
+
+   Table 1: GSS-API Major Status Codes
+
+   FATAL ERROR CODES
+
+   GSS_S_BAD_BINDINGS            channel binding mismatch
+   GSS_S_BAD_MECH                unsupported mechanism requested
+   GSS_S_BAD_NAME                invalid name provided
+   GSS_S_BAD_NAMETYPE            name of unsupported type provided
+   GSS_S_BAD_STATUS              invalid input status selector
+   GSS_S_BAD_SIG                 token had invalid integrity check
+   GSS_S_BAD_MIC                   preferred alias for GSS_S_BAD_SIG
+   GSS_S_CONTEXT_EXPIRED         specified security context expired
+   GSS_S_CREDENTIALS_EXPIRED     expired credentials detected
+   GSS_S_DEFECTIVE_CREDENTIAL    defective credential detected
+   GSS_S_DEFECTIVE_TOKEN         defective token detected
+   GSS_S_FAILURE                 failure, unspecified at GSS-API
+                                   level
+   GSS_S_NO_CONTEXT              no valid security context specified
+   GSS_S_NO_CRED                 no valid credentials provided
+   GSS_S_BAD_QOP                 unsupported QOP value
+   GSS_S_UNAUTHORIZED            operation unauthorized
+   GSS_S_UNAVAILABLE             operation unavailable
+   GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+   GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+
+   INFORMATORY STATUS CODES
+
+   GSS_S_COMPLETE                normal completion
+   GSS_S_CONTINUE_NEEDED         continuation call to routine
+                                  required
+   GSS_S_DUPLICATE_TOKEN         duplicate per-message token
+                                  detected
+   GSS_S_OLD_TOKEN               timed-out per-message token
+                                  detected
+   GSS_S_UNSEQ_TOKEN             reordered (early) per-message token
+                                  detected
+   GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                  detected
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_S_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context() and
+   GSS_Accept_sec_context() calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accommodated
+   with sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same facility is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.1.2: Optional Service Support
+
+   A context initiator may request various optional services at context
+   establishment time. Each of these services is requested by setting a
+   flag in the req_flags input parameter to GSS_Init_sec_context().
+
+   The optional services currently defined are:
+
+      - Delegation - The (usually temporary) transfer of rights from
+      initiator to acceptor, enabling the acceptor to authenticate
+      itself as an agent of the initiator.
+
+      - Mutual Authentication - In addition to the initiator
+      authenticating its identity to the context acceptor, the context
+      acceptor should also authenticate itself to the initiator.
+
+      - Replay detection - In addition to providing message integrity
+      services, GSS_GetMIC() and GSS_Wrap() should include message
+      numbering information to enable GSS_VerifyMIC() and GSS_Unwrap()
+      to detect if a message has been duplicated.
+
+      - Out-of-sequence detection - In addition to providing message
+      integrity services, GSS_GetMIC() and GSS_Wrap() should include
+      message sequencing information to enable GSS_VerifyMIC() and
+      GSS_Unwrap() to detect if a message has been received out of
+      sequence.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      - Anonymous authentication - The establishment of the security
+      context should not reveal the initiator's identity to the context
+      acceptor.
+
+      - Available per-message confidentiality - requests that per-
+      message confidentiality services be available on the context.
+
+      - Available per-message integrity - requests that per-message
+      integrity services be available on the context.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application,
+   and should be set to zero when returned to the application by the
+   GSS-API implementation.
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both GSS_Init_sec_context() and GSS_Accept_sec_context() inform the
+   applications which services will be available from the context when
+   the establishment phase is complete, via the ret_flags output
+   parameter.  In general, if the security mechanism is capable of
+   providing a requested service, it should do so, even if additional
+   services must be enabled in order to provide the requested service.
+   If the mechanism is incapable of providing a requested service, it
+   should proceed without the service, leaving the application to abort
+   the context establishment process if it considers the requested
+   service to be mandatory.
+
+   Some mechanisms may specify that support for some services is
+   optional, and that implementors of the mechanism need not provide it.
+   This is most commonly true of the confidentiality service, often
+   because of legal restrictions on the use of data-encryption, but may
+   apply to any of the services.  Such mechanisms are required to send
+   at least one token from acceptor to initiator during context
+   establishment when the initiator indicates a desire to use such a
+   service, so that the initiating GSS-API can correctly indicate
+   whether the service is supported by the acceptor's GSS-API.
+
+1.2.2: Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+
+
+
+
+Linn                        Standards Track                    [Page 20]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+   GSS-API callers desiring per-message security services should check
+   the values of these flags at context establishment time, and must be
+   aware that a returned FALSE value for integ_avail means that
+   invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated
+   context will apply no cryptographic protection to user data messages.
+
+   The GSS-API per-message integrity and data origin authentication
+   services provide assurance to a receiving caller that protection was
+   applied to a message by the caller's peer on the security context,
+   corresponding to the entity named at context initiation.  The GSS-API
+   per-message confidentiality service provides assurance to a sending
+   caller that the message's content is protected from access by
+   entities other than the context's named peer.
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Wrap(), encapsulate the protected data unit.
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3: Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types offer support for replay detection
+   and/or sequencing of messages transferred on the contexts they
+   support. These optionally-selectable protection features are distinct
+   from replay detection and sequencing features applied to the context
+   establishment operation itself; the presence or absence of context-
+   level replay or sequencing features is wholly a function of the
+   underlying mech_type's capabilities, and is not selected or omitted
+   as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of the selected mechanism,
+   without need for bilateral negotiation with the target. When enabled,
+   these features provide recipients with indicators as a result of
+   GSS-API processing of incoming messages, identifying whether those
+   messages were detected as duplicates or out-of-sequence. Detection of
+
+
+
+Linn                        Standards Track                    [Page 21]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   such events does not prevent a suspect message from being provided to
+   a recipient; the appropriate course of action on a suspect message is
+   a matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE, without concurrent indication of
+      GSS_S_DUPLICATE_TOKEN or GSS_S_OLD_TOKEN, indicates that the
+      message was within the window (of time or sequence space) allowing
+      replay events to be detected, and that the message was not a
+      replay of a previously-processed message within that window.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic
+      checkvalue on the received message was correct, but that the
+      message was recognized as a duplicate of a previously-processed
+      message.  In addition to identifying duplicated tokens originated
+      by a context's peer, this status may also be used to identify
+      reflected copies of locally-generated tokens; it is recommended
+      that mechanism designers include within their protocols facilities
+      to detect and report such tokens.
+
+      3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that the message is too old
+      to be checked for duplication.
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE, without concurrent indication of
+      GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, or
+      GSS_S_GAP_TOKEN, indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      that the message was not a replay of a previously-processed
+      message within that window, and that no predecessor sequenced
+      messages are missing relative to the last received message (if
+      any) processed on the context with a correct cryptographic
+      checkvalue.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value
+      on the received message was correct, but that the message was
+      recognized as a duplicate of a previously-processed message.  In
+      addition to identifying duplicated tokens originated by a
+      context's peer, this status may also be used to identify reflected
+
+
+
+Linn                        Standards Track                    [Page 22]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      copies of locally-generated tokens; it is recommended that
+      mechanism designers include within their protocols facilities to
+      detect and report such tokens.
+
+      3. GSS_S_OLD_TOKEN indicates that the integrity check value on the
+      received message was correct, but that the token is too old to be
+      checked for duplication.
+
+      4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue
+      on the received message was correct, but that it is earlier in a
+      sequenced stream than a message already processed on the context.
+      [Note: Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+      5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that one or more predecessor
+      sequenced messages have not been successfully processed relative
+      to the last received message (if any) processed on the context
+      with a correct cryptographic checkvalue.
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_VerifyMIC() and
+   GSS_Unwrap(). When this feature is active, exception status returns
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when
+
+
+
+Linn                        Standards Track                    [Page 23]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4:  Quality of Protection
+
+   Some mech_types provide their users with fine granularity control
+   over the means used to provide per-message protection, allowing
+   callers to trade off security processing overhead dynamically against
+   the protection requirements of particular messages. A per-message
+   quality-of-protection parameter (analogous to quality-of-service, or
+   QOS) selects among different QOP options supported by that mechanism.
+   On context establishment for a multi-QOP mech_type, context-level
+   data provides the prerequisite data for a range of protection
+   qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.  The
+   GSS_S_BAD_QOP major_status value is defined in order to indicate that
+   a provided QOP value is unsupported for a security context, most
+   likely because that value is unrecognized by the underlying
+   mechanism.
+
+   In the interests of interoperability, mechanisms which allow optional
+   support of particular QOP values shall satisfy one of the following
+   conditions.  Either:
+
+      (i) All implementations of the mechanism are required to be
+      capable of processing messages protected using any QOP value,
+      regardless of whether they can apply protection corresponding to
+      that QOP, or
+
+      (ii) The set of mutually-supported receiver QOP values must be
+      determined during context establishment, and messages may be
+      protected by either peer using only QOP values from this
+      mutually-supported set.
+
+   NOTE: (i) is just a special-case of (ii), where implementations are
+   required to support all QOP values on receipt.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 24]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.5: Anonymity Support
+
+   In certain situations or environments, an application may wish to
+   authenticate a peer and/or protect communications using GSS-API per-
+   message services without revealing its own identity.  For example,
+   consider an application which provides read access to a research
+   database, and which permits queries by arbitrary requestors.  A
+   client of such a service might wish to authenticate the service, to
+   establish trust in the information received from it, but might not
+   wish to disclose its identity to the service for privacy reasons.
+
+   In ordinary GSS-API usage, a context initiator's identity is made
+   available to the context acceptor as part of the context
+   establishment process.  To provide for anonymity support, a facility
+   (input anon_req_flag to GSS_Init_sec_context()) is provided through
+   which context initiators may request that their identity not be
+   provided to the context acceptor.  Mechanisms are not required to
+   honor this request, but a caller will be informed (via returned
+   anon_state indicator from GSS_Init_sec_context()) whether or not the
+   request is honored. Note that authentication as the anonymous
+   principal does not necessarily imply that credentials are not
+   required in order to establish a context.
+
+   Section 4.5 of this document defines the Object Identifier value used
+   to identify an anonymous principal.
+
+   Four possible combinations of anon_state and mutual_state are
+   possible, with the following results:
+
+      anon_state == FALSE, mutual_state == FALSE: initiator
+      authenticated to target.
+
+      anon_state == FALSE, mutual_state == TRUE: initiator authenticated
+      to target, target authenticated to initiator.
+
+      anon_state == TRUE, mutual_state == FALSE: initiator authenticated
+      as anonymous principal to target.
+
+      anon_state == TRUE, mutual_state == TRUE: initiator authenticated
+      as anonymous principal to target, target authenticated to
+      initiator.
+
+1.2.6: Initialization
+
+   No initialization calls (i.e., calls which must be invoked prior to
+   invocation of other facilities in the interface) are defined in GSS-
+   API.  As an implication of this fact, GSS-API implementations must
+   themselves be self-initializing.
+
+
+
+Linn                        Standards Track                    [Page 25]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.7: Per-Message Protection During Context Establishment
+
+   A facility is defined in GSS-V2 to enable protection and buffering of
+   data messages for later transfer while a security context's
+   establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases
+   where the caller side already possesses the necessary session key to
+   enable this processing. Specifically, a new state Boolean, called
+   prot_ready_state, is added to the set of information returned by
+   GSS_Init_sec_context(), GSS_Accept_sec_context(), and
+   GSS_Inquire_context().
+
+   For context establishment calls, this state Boolean is valid and
+   interpretable when the associated major_status is either
+   GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE.  Callers of GSS-API (both
+   initiators and acceptors) can assume that per-message protection (via
+   GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is
+   available and ready for use if either: prot_ready_state == TRUE, or
+   major_status == GSS_S_COMPLETE, though mutual authentication (if
+   requested) cannot be guaranteed until GSS_S_COMPLETE is returned.
+   Callers making use of per-message protection services in advance of
+   GSS_S_COMPLETE status should be aware of the possibility that a
+   subsequent context establishment step may fail, and that certain
+   context data (e.g., mech_type) as returned for subsequent calls may
+   change.
+
+   This approach achieves full, transparent backward compatibility for
+   GSS-API V1 callers, who need not even know of the existence of
+   prot_ready_state, and who will get the expected behavior from
+   GSS_S_COMPLETE, but who will not be able to use per-message
+   protection before GSS_S_COMPLETE is returned.
+
+   It is not a requirement that GSS-V2 mechanisms ever return TRUE
+   prot_ready_state before completion of context establishment (indeed,
+   some mechanisms will not evolve usable message protection keys,
+   especially at the context acceptor, before context establishment is
+   complete).  It is expected but not required that GSS-V2 mechanisms
+   will return TRUE prot_ready_state upon completion of context
+   establishment if they support per-message protection at all (however
+   GSS-V2 applications should not assume that TRUE prot_ready_state will
+   always be returned together with the GSS_S_COMPLETE major_status,
+   since GSS-V2 implementations may continue to support GSS-V1 mechanism
+   code, which will never return TRUE prot_ready_state).
+
+   When prot_ready_state is returned TRUE, mechanisms shall also set
+   those context service indicator flags (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state,
+   conf_avail, integ_avail) which represent facilities confirmed, at
+   that time, to be available on the context being established.  In
+
+
+
+Linn                        Standards Track                    [Page 26]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   situations where prot_ready_state is returned before GSS_S_COMPLETE,
+   it is possible that additional facilities may be confirmed and
+   subsequently indicated when GSS_S_COMPLETE is returned.
+
+1.2.8: Implementation Robustness
+
+   This section recommends aspects of GSS-API implementation behavior in
+   the interests of overall robustness.
+
+   Invocation of GSS-API calls is to incur no undocumented side effects
+   visible at the GSS-API level.
+
+   If a token is presented for processing on a GSS-API security context
+   and that token generates a fatal error in processing or is otherwise
+   determined to be invalid for that context, the context's state should
+   not be disrupted for purposes of processing subsequent valid tokens.
+
+   Certain local conditions at a GSS-API implementation (e.g.,
+   unavailability of memory) may preclude, temporarily or permanently,
+   the successful processing of tokens on a GSS-API security context,
+   typically generating GSS_S_FAILURE major_status returns along with
+   locally-significant minor_status.  For robust operation under such
+   conditions, the following recommendations are made:
+
+      Failing calls should free any memory they allocate, so that
+      callers may retry without causing further loss of resources.
+
+      Failure of an individual call on an established context should not
+      preclude subsequent calls from succeeding on the same context.
+
+      Whenever possible, it should be possible for
+      GSS_Delete_sec_context() calls to be successfully processed even
+      if other calls cannot succeed, thereby enabling context-related
+      resources to be released.
+
+   A failure of GSS_GetMIC() or GSS_Wrap() due to an attempt to use an
+   unsupported QOP will not interfere with context validity, nor shall
+   such a failure impact the ability of the application to subsequently
+   invoke GSS_GetMIC() or GSS_Wrap() using a supported QOP. Any state
+   information concerning sequencing of outgoing messages shall be
+   unchanged by an unsuccessful call of GSS_GetMIC() or GSS_Wrap().
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 27]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.9: Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a Boolean parameter to GSS_Init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an
+   application to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   GSS_Accept_sec_context()) a credential handle that contains the
+   delegated identity, and this credential handle may be used to
+   initiate subsequent GSS-API security contexts as an agent or delegate
+   of the initiator.  If the original initiator's identity is "A" and
+   the delegate's identity is "B", then, depending on the underlying
+   mechanism, the identity embodied by the delegated credential may be
+   either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple Boolean does
+   not provide enough control.  Examples of additional aspects of
+   delegation control that a mechanism might provide to an application
+   are duration of delegation, network addresses from which delegation
+   is valid, and constraints on the tasks that may be performed by a
+   delegate.  Such controls are presently outside the scope of the GSS-
+   API.  GSS-API implementations supporting mechanisms offering
+   additional controls should provide extension routines that allow
+   these controls to be exercised (perhaps by modifying the initiator's
+   GSS-API credential prior to its use in establishing a context).
+   However, the simple delegation control provided by GSS-API should
+   always be able to over-ride other mechanism-specific delegation
+   controls; if the application instructs GSS_Init_sec_context() that
+   delegation is not desired, then the implementation must not permit
+   delegation to occur.  This is an exception to the general rule that a
+   mechanism may enable services even if they are not requested;
+   delegation may only be provided at the explicit request of the
+   application.
+
+1.2.10: Interprocess Context Transfer
+
+   GSS-API V2 provides routines (GSS_Export_sec_context() and
+   GSS_Import_sec_context()) which allow a security context to be
+   transferred between processes on a single machine.  The most common
+   use for such a feature is a client-server design where the server is
+   implemented as a single process that accepts incoming security
+   contexts, which then launches child processes to deal with the data
+   on these contexts.  In such a design, the child processes must have
+   access to the security context data structure created within the
+
+
+
+
+Linn                        Standards Track                    [Page 28]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   parent by its call to GSS_Accept_sec_context() so that they can use
+   per-message protection services and delete the security context when
+   the communication session ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a
+   context between processes.  Thus GSS-API provides a call
+   (GSS_Export_sec_context()) that the process which currently owns the
+   context can call to declare that it has no intention to use the
+   context subsequently, and to create an inter-process token containing
+   information needed by the adopting process to successfully import the
+   context.  After successful completion of this call, the original
+   security context is made inaccessible to the calling process by GSS-
+   API, and any context handles referring to this context are no longer
+   valid.  The originating process transfers the inter-process token to
+   the adopting process, which passes it to GSS_Import_sec_context(),
+   and a fresh context handle is created such that it is functionally
+   identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys).  Applications using
+   inter-process tokens to transfer security contexts must take
+   appropriate steps to protect these tokens in transit.
+   Implementations are not required to support the inter-process
+   transfer of security contexts.  The ability to transfer a security
+   context is indicated when the context is created, by
+   GSS_Init_sec_context() or GSS_Accept_sec_context() indicating a TRUE
+   trans_state return value.
+
+2:  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+   Table 2:  GSS-API Calls
+
+   CREDENTIAL MANAGEMENT
+
+   GSS_Acquire_cred             acquire credentials for use
+   GSS_Release_cred             release credentials after use
+   GSS_Inquire_cred             display information about
+                                credentials
+
+
+
+Linn                        Standards Track                    [Page 29]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Add_cred                 construct credentials incrementally
+   GSS_Inquire_cred_by_mech     display per-mechanism credential
+                                  information
+
+   CONTEXT-LEVEL CALLS
+
+   GSS_Init_sec_context         initiate outbound security context
+   GSS_Accept_sec_context       accept inbound security context
+   GSS_Delete_sec_context       flush context when no longer needed
+   GSS_Process_context_token    process received control token on
+                                  context
+   GSS_Context_time             indicate validity time remaining on
+                                     context
+   GSS_Inquire_context          display information about context
+   GSS_Wrap_size_limit          determine GSS_Wrap token size limit
+   GSS_Export_sec_context       transfer context to other process
+   GSS_Import_sec_context       import transferred context
+
+   PER-MESSAGE CALLS
+
+   GSS_GetMIC                   apply integrity check, receive as
+                                  token separate from message
+   GSS_VerifyMIC                validate integrity check token
+                                  along with message
+   GSS_Wrap                     sign, optionally encrypt,
+                                  encapsulate
+   GSS_Unwrap                   decapsulate, decrypt if needed,
+                                  validate integrity check
+
+   SUPPORT CALLS
+
+   GSS_Display_status           translate status codes to printable
+                                  form
+   GSS_Indicate_mechs           indicate mech_types supported on
+                                  local system
+   GSS_Compare_name             compare two names for equality
+   GSS_Display_name             translate name to printable form
+   GSS_Import_name              convert printable name to
+                                  normalized form
+   GSS_Release_name             free storage of normalized-form
+                                  name
+   GSS_Release_buffer           free storage of general GSS-allocated
+                                  object
+   GSS_Release_OID_set          free storage of OID set object
+   GSS_Create_empty_OID_set     create empty OID set
+   GSS_Add_OID_set_member       add member to OID set
+   GSS_Test_OID_set_member      test if OID is member of OID set
+   GSS_Inquire_names_for_mech   indicate name types supported by
+
+
+
+Linn                        Standards Track                    [Page 30]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+                                  mechanism
+   GSS_Inquire_mechs_for_name   indicates mechanisms supporting name
+                                  type
+   GSS_Canonicalize_name        translate name to per-mechanism form
+   GSS_Export_name              externalize per-mechanism name
+   GSS_Duplicate_name           duplicate name object
+
+2.1:  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred() call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred() call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.  The GSS_Add_cred() call enables callers to append
+   elements to an existing credential structure, allowing iterative
+   construction of a multi-mechanism credential. The
+   GSS_Inquire_cred_by_mech() call enables callers to extract per-
+   mechanism information describing a credentials structure.
+
+2.1.1:  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -- NULL requests locally-determined
+   -- default
+
+   o  lifetime_req INTEGER, -- in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER, -- NULL requests
+   -- system-selected default
+
+   o  cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+
+
+
+
+Linn                        Standards Track                    [Page 31]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL,
+   -- caller must release with GSS_Release_cred()
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER, -- if returned non-NULL,
+   -- caller must release with GSS_Release_oid_set()
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that requested credentials were
+   successfully established, for the duration indicated in lifetime_rec,
+   suitable for the usage requested in cred_usage, for the set of
+   mech_types indicated in actual_mechs, and that those credentials can
+   be referenced for subsequent use with the handle returned in
+   output_cred_handle.
+
+   o  GSS_S_BAD_MECH indicates that a mech_type unsupported by the GSS-
+   API implementation type was requested, causing the credential
+   establishment operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+   uninterpretable or of a type unsupported by the applicable underlying
+   GSS-API mechanism(s), so no credentials could be established for the
+   accompanying desired_name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so no credentials could be established for the
+   accompanying desired_name.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that underlying credential
+   elements corresponding to the requested desired_name have expired, so
+   requested credentials could not be established.
+
+   o GSS_S_NO_CRED indicates that no credential elements corresponding
+   to the requested desired_name and usage could be accessed, so
+   requested credentials could not be established.  In particular, this
+   status should be returned upon temporary user-fixable conditions
+
+
+
+
+
+Linn                        Standards Track                    [Page 32]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   preventing successful credential establishment and upon lack of
+   authorization to establish and use credentials associated with the
+   identity named in the input desired_name argument.
+
+   o  GSS_S_FAILURE indicates that credential establishment failed for
+   reasons unspecified at the GSS-API level.
+
+   GSS_Acquire_cred() is used to acquire credentials so that a principal
+   can (as a function of the input cred_usage parameter) initiate and/or
+   accept security contexts under the identity represented by the
+   desired_name input argument. On successful completion, the returned
+   output_cred_handle result provides a handle for subsequent references
+   to the acquired credentials.  Typically, single-user client processes
+   requesting that default credential behavior be applied for context
+   establishment purposes will have no need to invoke this call.
+
+   A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name,
+   which will be interpreted as a request for a credential handle that
+   will invoke default behavior when passed to GSS_Init_sec_context(),
+   if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or
+   GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH.  It is possible that multiple pre-established credentials
+   may exist for the same principal identity (for example, as a result
+   of multiple user login sessions) when GSS_Acquire_cred() is called;
+   the means used in such cases to select a specific credential are
+   local matters.  The input lifetime_req argument to GSS_Acquire_cred()
+   may provide useful information for local GSS-API implementations to
+   employ in making this disambiguation in a manner which will best
+   satisfy a caller's intent.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name
+   resulting from applying GSS_Inquire_context() to an active context,
+   or a name resulting from applying GSS_Inquire_cred() against a
+   credential handle corresponding to default behavior. It is important
+   to recognize that the explicit name which is yielded by resolving a
+   default reference may change over time, e.g., as a result of local
+   credential element management operations outside GSS-API; once
+   resolved, however, the value of such an explicit name will remain
+   constant.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+
+
+
+Linn                        Standards Track                    [Page 33]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred() can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred() can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2:  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- is specified, the call will complete successfully, but
+   -- will have no effect; no credential elements will be
+   -- released.
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle were released for purposes of subsequent access by
+   the caller. The effect on other processes which may be authorized
+   shared access to such credentials is a local matter.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 34]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_NO_CRED indicates that no release operation was performed,
+   either because the input cred_handle was invalid or because the
+   caller lacks authorization to access the referenced credentials.
+
+   o  GSS_S_FAILURE indicates that the release operation failed for
+   reasons unspecified at the GSS-API level.
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes. Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3:  GSS_Inquire_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- is specified, default initiator credentials are queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME,  -- caller must release with
+   -- GSS_Release_name()
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 35]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle argument were valid, and that the output cred_name,
+   lifetime_rec, and cred_usage values represent, respectively, the
+   credentials' associated principal name, remaining lifetime, suitable
+   usage modes, and supported mechanism types.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+   about the referenced credentials, either because the input
+   cred_handle was invalid or because the caller lacks authorization to
+   access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+   credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+   credentials have expired.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred() call is defined primarily for the use of those
+   callers which request use of default credential behavior rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+   For a multi-mechanism credential, the returned "lifetime" specifier
+   indicates the shortest lifetime of any of the mechanisms' elements in
+   the credential (for either context initiation or acceptance
+   purposes).
+
+   GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
+   "cred_usage" if both of the following conditions hold:
+
+      (1) there exists in the credential an element which allows context
+      initiation using some mechanism
+
+      (2) there exists in the credential an element which allows context
+      acceptance using some mechanism (allowably, but not necessarily,
+      one of the same mechanism(s) qualifying for (1)).
+
+   If condition (1) holds but not condition (2), GSS_Inquire_cred()
+   should indicate INITIATE-ONLY for "cred_usage".  If condition (2)
+   holds but not condition (1), GSS_Inquire_cred() should indicate
+   ACCEPT-ONLY for "cred_usage".
+
+
+
+Linn                        Standards Track                    [Page 36]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Callers requiring finer disambiguation among available combinations
+   of lifetimes, usage modes, and mechanisms should call the
+   GSS_Inquire_cred_by_mech() routine, passing that routine one of the
+   mech OIDs returned by GSS_Inquire_cred().
+
+2.1.4:  GSS_Add_cred call
+
+   Inputs:
+
+   o  input_cred_handle CREDENTIAL HANDLE -- handle to credential
+   -- structure created with prior GSS_Acquire_cred() or
+   -- GSS_Add_cred() call; see text for definition of behavior
+   -- when GSS_C_NO_CREDENTIAL provided.
+
+   o  desired_name INTERNAL NAME
+
+   o  initiator_time_req INTEGER -- in seconds; 0 requests default
+
+   o  acceptor_time_req INTEGER -- in seconds; 0 requests default
+
+   o  desired_mech OBJECT IDENTIFIER
+
+   o  cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, -- NULL to request that
+   -- credential elements be added "in place" to the credential
+   -- structure identified by input_cred_handle,
+   -- non-NULL pointer to request that
+   -- a new credential structure and handle be created.
+   -- if credential handle returned, caller must release with
+   -- GSS_Release_cred()
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER, -- if returned, caller must
+   -- release with GSS_Release_oid_set()
+
+   o  initiator_time_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  acceptor_time_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+
+
+
+Linn                        Standards Track                    [Page 37]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms
+   -- supported by resulting credential.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input_cred_handle argument were valid, and that the resulting
+   credential from GSS_Add_cred() is valid for the durations indicated
+   in initiator_time_rec and acceptor_time_rec, suitable for the usage
+   requested in cred_usage, and for the mechanisms indicated in
+   actual_mechs.
+
+   o  GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
+   specified a mechanism for which the referenced credential already
+   contained a credential element with overlapping cred_usage and
+   validity time specifiers.
+
+   o  GSS_S_BAD_MECH indicates that the input desired_mech specified a
+   mechanism unsupported by the GSS-API implementation, causing the
+   GSS_Add_cred() operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+   uninterpretable or of a type unsupported by the applicable underlying
+   GSS-API mechanism(s), so the GSS_Add_cred() operation could not be
+   performed for that name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so the GSS_Add_cred() operation could not be performed
+   for that name.
+
+   o  GSS_S_NO_CRED indicates that the input_cred_handle referenced
+   invalid or inaccessible credentials. In particular, this status
+   should be returned upon temporary user-fixable conditions preventing
+   successful credential establishment or upon lack of authorization to
+   establish or use credentials representing the requested identity.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that referenced credential
+   elements have expired, so the GSS_Add_cred() operation could not be
+   performed.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 38]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Add_cred() enables callers to construct credentials iteratively
+   by adding credential elements in successive operations, corresponding
+   to different mechanisms.  This offers particular value in multi-
+   mechanism environments, as the major_status and minor_status values
+   returned on each iteration are individually visible and can therefore
+   be interpreted unambiguously on a per-mechanism basis. A credential
+   element is identified by the name of the principal to which it
+   refers.  GSS-API implementations must impose a local access control
+   policy on callers of this routine to prevent unauthorized callers
+   from acquiring credential elements to which they are not entitled.
+   This routine is not intended to provide a "login to the network"
+   function, as such a function would involve the creation of new
+   mechanism-specific authentication data, rather than merely acquiring
+   a GSS-API handle to existing data.  Such functions, if required,
+   should be defined in implementation-specific extension routines.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by GSS_Init_sec_context() or
+   GSS_Accept_sec_context()).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of GSS_Inquire_cred() immediately following the call of
+   GSS_Acquire_cred() must return valid credential data, and may
+   therefore incur the overhead of a deferred credential acquisition.
+
+   If GSS_C_NO_CREDENTIAL is specified as input_cred_handle, a non-NULL
+   output_cred_handle must be supplied.  For the case of
+   GSS_C_NO_CREDENTIAL as input_cred_handle, GSS_Add_cred() will create
+   the credential referenced by its output_cred_handle based on default
+   behavior.  That is, the call will have the same effect as if the
+   caller had previously called GSS_Acquire_cred(), specifying the same
+   usage and passing GSS_C_NO_NAME as the desired_name parameter
+   (thereby obtaining an explicit credential handle corresponding to
+   default behavior), had passed that credential handle to
+   GSS_Add_cred(), and had finally called GSS_Release_cred() on the
+   credential handle received from GSS_Acquire_cred().
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name
+   resulting from applying GSS_Inquire_context() to an active context,
+   or a name resulting from applying GSS_Inquire_cred() against a
+   credential handle corresponding to default behavior. It is important
+   to recognize that the explicit name which is yielded by resolving a
+   default reference may change over time, e.g., as a result of local
+
+
+
+Linn                        Standards Track                    [Page 39]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credential element management operations outside GSS-API; once
+   resolved, however, the value of such an explicit name will remain
+   constant.
+
+   A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name,
+   which will be interpreted as a request for a credential handle that
+   will invoke default behavior when passed to GSS_Init_sec_context(),
+   if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or
+   GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH.
+
+   The same input desired_name, or default reference, should be used on
+   all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
+   particular credential.
+
+2.1.5:  GSS_Inquire_cred_by_mech call
+
+   Inputs:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- specified, default initiator credentials are queried
+
+   o  mech_type OBJECT IDENTIFIER  -- specific mechanism for
+   -- which credentials are being queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME, -- guaranteed to be MN; caller must
+   -- release with GSS_Release_name()
+
+   o  lifetime_rec_initiate INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  lifetime_rec_accept INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle argument were valid, that the mechanism indicated
+   by the input mech_type was represented with elements within those
+
+
+
+Linn                        Standards Track                    [Page 40]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credentials, and that the output cred_name, lifetime_rec_initiate,
+   lifetime_rec_accept, and cred_usage values represent, respectively,
+   the credentials' associated principal name, remaining lifetimes, and
+   suitable usage modes.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+   about the referenced credentials, either because the input
+   cred_handle was invalid or because the caller lacks authorization to
+   access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+   credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+   credentials have expired.
+
+   o  GSS_S_BAD_MECH indicates that the referenced credentials do not
+   contain elements for the requested mechanism.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred_by_mech() call enables callers in multi-
+   mechanism environments to acquire specific data about available
+   combinations of lifetimes, usage modes, and mechanisms within a
+   credential structure.  The lifetime_rec_initiate result indicates the
+   available lifetime for context initiation purposes; the
+   lifetime_rec_accept result indicates the available lifetime for
+   context acceptance purposes.
+
+2.2:  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(), resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context(). Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and
+   GSS_Accept_sec_context().
+
+   Either party to an established context may invoke
+   GSS_Delete_sec_context() to flush context information when a context
+   is no longer required. GSS_Process_context_token() is used to process
+   received tokens carrying context-level control information.
+   GSS_Context_time() allows a caller to determine the length of time
+   for which an established context will remain valid.
+
+
+
+Linn                        Standards Track                    [Page 41]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Inquire_context() returns status information describing context
+   characteristics. GSS_Wrap_size_limit() allows a caller to determine
+   the size of a token which will be generated by a GSS_Wrap()
+   operation.  GSS_Export_sec_context() and GSS_Import_sec_context()
+   enable transfer of active contexts between processes on an end
+   system.
+
+2.2.1:  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle CREDENTIAL HANDLE, -- NULL specifies "use
+   -- default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0
+   -- (GSS_C_NO_CONTEXT) specifies "none assigned yet"
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -- NULL parameter specifies "use
+   -- default"
+
+   o  deleg_req_flag BOOLEAN,
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  anon_req_flag BOOLEAN,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  integ_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER, -- 0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING -- NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 42]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  output_context_handle CONTEXT HANDLE,  -- once returned non-NULL,
+   -- caller must release with GSS_Delete_sec_context()
+
+   o  mech_type OBJECT IDENTIFIER, -- actual mechanism always
+   -- indicated, never NULL; caller should treat as read-only
+   -- and should not attempt to release
+
+   o  output_token OCTET STRING, -- NULL or token to pass to context
+   -- target; caller must release with GSS_Release_buffer()
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level information was
+   successfully initialized, and that the returned output_token will
+   provide sufficient information for the target to perform per-message
+   processing on the newly-established context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+   returned output_token must be sent to the target, and that a reply
+   must be received and passed as the input_token argument
+
+
+
+
+
+Linn                        Standards Track                    [Page 43]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   to a continuation call to GSS_Init_sec_context(), before per-message
+   processing can be performed in conjunction with this context (unless
+   the prot_ready_state value is concurrently returned TRUE).
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the input_token failed, preventing further processing from being
+   performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+   performed on the credential structure referenced by
+   claimant_cred_handle failed, preventing further processing from being
+   performed using that credential structure.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   input_token contains an incorrect integrity check, so context setup
+   cannot be accomplished.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+   because the input cred_handle was invalid, because the referenced
+   credentials are valid for context acceptor use only, because the
+   caller lacks authorization to access the referenced credentials, or
+   because the resolution of default credentials failed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+   through the input claimant_cred_handle argument are no longer valid,
+   so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the caller-
+   provided chan_bindings and those extracted from the input_token was
+   detected, signifying a security-relevant event and preventing context
+   establishment. (This result will be returned by
+   GSS_Init_sec_context() only for contexts where mutual_state is TRUE.)
+
+   o  GSS_S_OLD_TOKEN indicates that the input_token is too old to be
+   checked for integrity. This is a fatal error during context
+   establishment.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the input token has a correct
+   integrity check, but is a duplicate of a token already processed.
+   This is a fatal error during context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided; this major status will be
+   returned only for successor calls following GSS_S_CONTINUE_ NEEDED
+   status returns.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 44]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided targ_name is of a
+   type uninterpretable or unsupported by the applicable underlying
+   GSS-API mechanism(s), so context establishment cannot be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided targ_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so context establishment cannot be accomplished.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+   or of a caller request specifying a mechanism unsupported by the
+   local system or with the caller's active credentials
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+   accomplished for reasons unspecified at the GSS-API level, and that
+   no interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits an
+   output_token suitable for use by the target within the selected
+   mech_type's protocol.  For the case of a multi-step exchange, this
+   output_token will be one in a series, each generated by a successive
+   call. Using information in the credentials structure referenced by
+   claimant_cred_handle, GSS_Init_sec_context() initializes the data
+   structures required to establish a security context with target
+   targ_name.
+
+   The targ_name may be any valid INTERNAL NAME; it need not be an MN.
+   In addition to support for other name types, it is recommended (newly
+   as of GSS-V2, Update 1) that mechanisms be able to accept
+   GSS_C_NO_NAME as an input type for targ_name.  While recommended,
+   such support is not required, and it is recognized that not all
+   mechanisms can construct tokens without explicitly naming the context
+   target, even when mutual authentication of the target is not
+   obtained.  Callers wishing to make use of this facility and concerned
+   with portability should be aware that support for GSS_C_NO_NAME as
+   input targ_name type is unlikely to be provided within mechanism
+   definitions specified prior to GSS-V2, Update 1.
+
+   The claimant_cred_handle must correspond to the same valid
+   credentials structure on the initial call to GSS_Init_sec_context()
+   and on any successor calls resulting from GSS_S_CONTINUE_NEEDED
+   status returns; different protocol sequences modeled by the
+   GSS_S_CONTINUE_NEEDED facility will require access to credentials at
+   different points in the context establishment sequence.
+
+   The caller-provided input_context_handle argument is to be 0
+   (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first
+   GSS_Init_sec_context()  call relating to a given context. If
+   successful (i.e., if accompanied by major_status GSS_S_COMPLETE or
+
+
+
+Linn                        Standards Track                    [Page 45]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_S_CONTINUE_NEEDED), and only if successful, the initial
+   GSS_Init_sec_context() call returns a non-zero output_context_handle
+   for use in future references to this context.  Once a non-zero
+   output_context_handle has been returned, GSS-API callers should call
+   GSS_Delete_sec_context() to release context-related resources if
+   errors occur in later phases of context establishment, or when an
+   established context is no longer required. If GSS_Init_sec_context()
+   is passed the handle of a context which is already fully established,
+   GSS_S_FAILURE status is returned.
+
+   When continuation attempts to GSS_Init_sec_context() are needed to
+   perform context establishment, the previously-returned non-zero
+   handle value is entered into the input_context_handle argument and
+   will be echoed in the returned output_context_handle argument. On
+   such continuation attempts (and only on continuation attempts) the
+   input_token value is used, to provide the token returned from the
+   context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context() which
+   follows a previous return indicating GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+   the first application-provided input message to be processed by
+   GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully-
+   established context. (Note: when the GSS-V2 prot_ready_state
+   indicator is returned TRUE, it can be possible to transfer a
+   protected message before context establishment is complete:  see also
+   Section 1.2.7)
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+
+
+
+
+
+Linn                        Standards Track                    [Page 46]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   1.2.3 for more information on replay detection and sequencing
+   features.)  The anon_req_flag requests that the initiator's identity
+   not be transferred within tokens to be sent to the acceptor.
+
+   The conf_req_flag and integ_req_flag provide informatory inputs to
+   the GSS-API implementation as to whether, respectively, per-message
+   confidentiality and per-message integrity services will be required
+   on the context.  This information is important as an input to
+   negotiating mechanisms.  It is important to recognize, however, that
+   the inclusion of these flags (which are newly defined for GSS-V2)
+   introduces a backward incompatibility with callers implemented to
+   GSS-V1, where the flags were not defined.  Since no GSS-V1 callers
+   would set these flags, even if per-message services are desired,
+   GSS-V2 mechanism implementations which enable such services
+   selectively based on the flags' values may fail to provide them to
+   contexts established for GSS-V1 callers.  It may be appropriate under
+   certain circumstances, therefore, for such mechanism implementations
+   to infer these service request flags to be set if a caller is known
+   to be implemented to GSS-V1.
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types. The corresponding return state values
+   deleg_state, mutual_state, replay_det_state, and sequence_state
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context.  The returned trans_state value indicates
+   whether the context is transferable to other processes through use of
+   GSS_Export_sec_context().  These state indicators' values are
+   undefined unless either the routine's major_status indicates
+   GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
+   GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
+   possible that additional features, not confirmed or indicated along
+   with TRUE prot_ready_state, will be confirmed and indicated when
+   GSS_S_COMPLETE is subsequently returned.
+
+   The returned anon_state and prot_ready_state values are significant
+   for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
+   returns from GSS_Init_sec_context(). When anon_state is returned
+   TRUE, this indicates that neither the current token nor its
+   predecessors delivers or has delivered the initiator's identity.
+   Callers wishing to perform context establishment only if anonymity
+   support is provided should transfer a returned token from
+   GSS_Init_sec_context() to the peer only if it is accompanied by a
+   TRUE anon_state indicator.  When prot_ready_state is returned TRUE in
+   conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
+   that per-message protection operations may be applied on the context:
+   see Section 1.2.7 for further discussion of this facility.
+
+
+
+
+Linn                        Standards Track                    [Page 47]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Failure to provide the precise set of features requested by the
+   caller does not cause context establishment to fail; it is the
+   caller's prerogative to delete the context if the feature set
+   provided is unsuitable for the caller's use.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context; it will never indicate the value for
+   "default".  A valid mech_type result must be returned along with a
+   GSS_S_COMPLETE status return; GSS-API implementations may (but are
+   not required to) also return mech_type along with predecessor calls
+   indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
+   determinable) in conjunction with fatal error cases.  For the case of
+   mechanisms which themselves perform negotiation, the returned
+   mech_type result may indicate selection of a mechanism identified by
+   an OID different than that passed in the input mech_type argument,
+   and the returned value may change between successive calls returning
+   GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC() or GSS_Wrap()) on
+   the established context. These state indicators' values are undefined
+   unless either the routine's major_status indicates GSS_S_COMPLETE, or
+   TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The value of lifetime_rec
+   is undefined unless the routine's major_status indicates
+   GSS_S_COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+   output_token. A call to GSS_Accept_sec_context() at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(), in order to achieve
+   mutual authentication.
+
+
+
+
+
+Linn                        Standards Track                    [Page 48]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.2:  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies
+   -- "use default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0
+   -- (GSS_C_NO_CONTEXT) specifies "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME, -- guaranteed to be MN
+   -- once returned, caller must release with GSS_Release_name()
+
+   o  mech_type OBJECT IDENTIFIER, -- caller should treat as
+   -- read-only; does not need to be released
+
+   o  output_context_handle CONTEXT HANDLE, -- once returned
+   -- non-NULL in context establishment sequence, caller
+   -- must release with GSS_Delete_sec_context()
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+
+
+
+Linn                        Standards Track                    [Page 49]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  lifetime_rec INTEGER, -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  delegated_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL,
+   -- caller must release with GSS_Release_cred()
+
+   o  output_token OCTET STRING -- NULL or token to pass to context
+   -- initiator; if returned non-NULL, caller must release with
+   -- GSS_Release_buffer()
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level data structures were
+   successfully initialized, and that per-message processing can now be
+   performed in conjunction with this context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+   returned output_token must be sent to the initiator, and that a
+   response must be received and passed as the input_token argument to a
+   continuation call to GSS_Accept_sec_context(), before per-message
+   processing can be performed in conjunction with this context.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the input_token failed, preventing further processing from being
+   performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+   performed on the credential structure referenced by
+   acceptor_cred_handle failed, preventing further processing from being
+   performed using that credential structure.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   input_token contains an incorrect integrity check, so context setup
+   cannot be accomplished.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
+   received input_token was correct, but that the input_token was
+   recognized as a duplicate of an input_token already processed. No new
+   context is established.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 50]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_OLD_TOKEN indicates that the integrity check on the received
+   input_token was correct, but that the input_token is too old to be
+   checked for duplication against previously-processed input_tokens. No
+   new context is established.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+   because the input cred_handle was invalid, because the referenced
+   credentials are valid for context initiator use only, because the
+   caller lacks authorization to access the referenced credentials, or
+   because the procedure for default credential resolution failed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+   through the input acceptor_cred_handle argument are no longer valid,
+   so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the caller-
+   provided chan_bindings and those extracted from the input_token was
+   detected, signifying a security-relevant event and preventing context
+   establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided; this major status will be
+   returned only for successor calls following GSS_S_CONTINUE_ NEEDED
+   status returns.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+   specifying a mechanism unsupported by the local system or with the
+   caller's active credentials.
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+   accomplished for reasons unspecified at the GSS-API level, and that
+   no interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context() routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The returned src_name is guaranteed to be an MN, processed by the
+   mechanism under which the context was established. The
+   acceptor_cred_handle must correspond to the same valid credentials
+   structure on the initial call to GSS_Accept_sec_context() and on any
+   successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
+   different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
+   mechanism will require access to credentials at different points in
+   the context establishment sequence.
+
+
+
+
+
+Linn                        Standards Track                    [Page 51]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The caller-provided input_context_handle argument is to be 0
+   (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first
+   GSS_Accept_sec_context() call relating to a given context. If
+   successful (i.e., if accompanied by major_status GSS_S_COMPLETE or
+   GSS_S_CONTINUE_NEEDED), and only if successful, the initial
+   GSS_Accept_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+   If GSS_Accept_sec_context() is passed the handle of a context which
+   is already fully established, GSS_S_FAILURE status is returned.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state, and
+   prot_ready_state) reflect the same information as described for
+   GSS_Init_sec_context(), and their values are significant under the
+   same return state conditions.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC()  or GSS_Wrap())
+   on the established context.  These values are significant under the
+   same return state conditions as described under
+   GSS_Init_sec_context().
+
+   The lifetime_rec return value is significant only in conjunction with
+   GSS_S_COMPLETE major_status, and indicates the length of time for
+   which the context will be valid, expressed as an offset from the
+   present.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context; it will never indicate the value for
+   "default".  A valid mech_type result must be returned whenever
+   GSS_S_COMPLETE status is indicated; GSS-API implementations may (but
+   are not required to) also return mech_type along with predecessor
+   calls indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
+   determinable) in conjunction with fatal error cases.  For the case of
+
+
+
+Linn                        Standards Track                    [Page 52]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   mechanisms which themselves perform negotiation, the returned
+   mech_type result may indicate selection of a mechanism identified by
+   an OID different than that passed in the input mech_type argument,
+   and the returned value may change between successive calls returning
+   GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(), any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(), from the
+   per-message data elements passed to GSS_VerifyMIC()  or GSS_Unwrap().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context() must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3: GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context was recognized, and that
+   relevant context-specific information was flushed.  If the caller
+   provides a non-null buffer to receive an output_context_token, and
+   the mechanism returns a non-NULL token into that buffer, the returned
+   output_context_token is ready for transfer to the context's peer.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided, so no deletion was performed.
+
+
+
+
+Linn                        Standards Track                    [Page 53]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Delete_sec_context() operation could not be performed for
+   reasons unspecified at the GSS-API level.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information. Once a non-zero output_context_handle
+   has been returned by context establishment calls, GSS-API callers
+   should call GSS_Delete_sec_context() to release context-related
+   resources if errors occur in later phases of context establishment,
+   or when an established context is no longer required.  This call may
+   block pending network interactions for mech_types in which active
+   notification must be made to a central server when a security context
+   is to be deleted.
+
+   If a non-null output_context_token parameter is provided by the
+   caller, an output_context_token may be returned to the caller.  If an
+   output_context_token is provided to the caller, it can be passed to
+   the context's peer to inform the peer's GSS-API implementation that
+   the peer's corresponding context information can also be flushed.
+   (Once a context is established, the peers involved are expected to
+   retain cached credential and context-related information until the
+   information's expiration time is reached or until a
+   GSS_Delete_sec_context() call is made.)
+
+   The facility for context_token usage to signal context deletion is
+   retained for compatibility with GSS-API Version 1.  For current
+   usage, it is recommended that both peers to a context invoke
+   GSS_Delete_sec_context() independently, passing a null
+   output_context_token buffer to indicate that no context_token is
+   required.  Implementations of GSS_Delete_sec_context() should delete
+   relevant locally-stored context information.
+
+   Attempts to perform per-message processing on a deleted context will
+   result in error returns.
+
+2.2.4:  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 54]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_context_token was
+   successfully processed in conjunction with the context referenced by
+   context_handle.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the received context_token failed, preventing further processing
+   from being performed with that token.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Process_context_token() operation could not be performed for
+   reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context(); GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_S_COMPLETE status.
+
+2.2.5:  GSS_Context_time call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid, and
+   will remain valid for the amount of time indicated in lifetime_rec.
+
+
+
+
+
+Linn                        Standards Track                    [Page 55]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that data items related to the
+   referenced context have expired.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.2.6: GSS_Inquire_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME,  -- name of context initiator,
+   -- guaranteed to be MN;
+   -- caller must release with GSS_Release_name() if returned
+
+   o  targ_name INTERNAL NAME,  -- name of context target,
+   -- guaranteed to be MN;
+   -- caller must release with GSS_Release_name() if returned
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE or EXPIRED
+
+   o  mech_type OBJECT IDENTIFIER, -- the mechanism supporting this
+   -- security context; caller should treat as read-only and not
+   -- attempt to release
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+
+
+Linn                        Standards Track                    [Page 56]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor
+
+   o  open BOOLEAN, -- TRUE if context fully established, FALSE
+   -- if partly established (in CONTINUE_NEEDED state)
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid and
+   that deleg_state, mutual_state, replay_det_state, sequence_state,
+   anon_state, trans_state, prot_ready_state, conf_avail, integ_avail,
+   locally_initiated, and open return values describe the corresponding
+   characteristics of the context.  If open is TRUE, lifetime_rec is
+   also returned: if open is TRUE and the context peer's name is known,
+   src_name and targ_name are valid in addition to the values listed
+   above.  The mech_type value must be returned for contexts where open
+   is TRUE and may be returned for contexts where open is FALSE.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to extract information describing characteristics
+   of a security context.  Note that GSS-API implementations are
+   expected to retain inquirable context data on a context until the
+   context is released by a caller, even after the context has expired,
+   although underlying cryptographic data elements may be deleted after
+   expiration in order to limit their exposure.
+
+2.2.7:   GSS_Wrap_size_limit call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+
+
+
+Linn                        Standards Track                    [Page 57]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  qop INTEGER,
+
+   o  output_size INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  max_input_size INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates a successful token size determination:
+   an input message with a length in octets equal to the returned
+   max_input_size value will, when passed to GSS_Wrap() for processing
+   on the context identified by the context_handle parameter with the
+   confidentiality request state as provided in conf_req_flag and with
+   the quality of protection specifier provided in the qop parameter,
+   yield an output token no larger than the value of the provided
+   output_size parameter.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to determine the largest input datum which may be
+   passed to GSS_Wrap() without yielding an output token larger than a
+   caller-specified value.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 58]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.8:   GSS_Export_sec_context call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  interprocess_token OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context has been
+   successfully exported to a representation in the interprocess_token,
+   and is no longer available for use by the caller.
+
+   o  GSS_S_UNAVAILABLE indicates that the context export facility is
+   not available for use on the referenced context.  (This status should
+   occur only for contexts for which the trans_state value is FALSE.)
+   Return values other than major_status and minor_status are undefined.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call generates an interprocess token for transfer to another
+   process within an end system, in order to transfer control of a
+   security context to that process.  The recipient of the interprocess
+   token will call GSS_Import_sec_context() to accept the transfer.  The
+   GSS_Export_sec_context() operation is defined for use only with
+   security contexts which are fully and successfully established (i.e.,
+   those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
+   have returned GSS_S_COMPLETE major_status).
+
+
+
+
+Linn                        Standards Track                    [Page 59]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   A successful GSS_Export_sec_context() operation deactivates the
+   security context for the calling process; for this case, the GSS-API
+   implementation shall deallocate all process-wide resources associated
+   with the security context and shall set the context_handle to
+   GSS_C_NO_CONTEXT.  In the event of an error that makes it impossible
+   to complete export of the security context, the GSS-API
+   implementation must not return an interprocess token and should
+   strive to leave the security context referenced by the context_handle
+   untouched.  If this is impossible, it is permissible for the
+   implementation to delete the security context, provided that it also
+   sets the context_handle parameter to GSS_C_NO_CONTEXT.
+
+   Portable callers must not assume that a given interprocess token can
+   be imported by GSS_Import_sec_context() more than once, thereby
+   creating multiple instantiations of a single context.  GSS-API
+   implementations may detect and reject attempted multiple imports, but
+   are not required to do so.
+
+   The internal representation contained within the interprocess token
+   is an implementation-defined local matter.  Interprocess tokens
+   cannot be assumed to be transferable across different GSS-API
+   implementations.
+
+   It is recommended that GSS-API implementations adopt policies suited
+   to their operational environments in order to define the set of
+   processes eligible to import a context, but specific constraints in
+   this area are local matters.  Candidate examples include transfers
+   between processes operating on behalf of the same user identity, or
+   processes comprising a common job.  However, it may be impossible to
+   enforce such policies in some implementations.
+
+   In support of the above goals, implementations may protect the
+   transferred context data by using cryptography to protect data within
+   the interprocess token, or by using interprocess tokens as a means to
+   reference local interprocess communication facilities (protected by
+   other means) rather than storing the context data directly within the
+   tokens.
+
+   Transfer of an open context may, for certain mechanisms and
+   implementations, reveal data about the credential which was used to
+   establish the context.  Callers should, therefore, be cautious about
+   the trustworthiness of processes to which they transfer contexts.
+   Although the GSS-API implementation may provide its own set of
+   protections over the exported context, the caller is responsible for
+   protecting the interprocess token from disclosure, and for taking
+   care that the context is transferred to an appropriate destination
+   process.
+
+
+
+
+Linn                        Standards Track                    [Page 60]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.9:   GSS_Import_sec_context call
+
+   Inputs:
+
+   o  interprocess_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  context_handle CONTEXT HANDLE  -- if successfully returned,
+   -- caller must release with GSS_Delete_sec_context()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context represented by the input
+   interprocess_token has been successfully transferred to the caller,
+   and is available for future use via the output context_handle.
+
+   o  GSS_S_NO_CONTEXT indicates that the context represented by the
+   input interprocess_token was invalid. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
+   was defective.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_UNAVAILABLE indicates that the context import facility is
+   not available for use on the referenced context.  Return values other
+   than major_status and minor_status are undefined.
+
+   o  GSS_S_UNAUTHORIZED indicates that the context represented by the
+   input interprocess_token is unauthorized for transfer to the caller.
+   Return values other than major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call processes an interprocess token generated by
+   GSS_Export_sec_context(), making the transferred context available
+   for use by the caller.  After a successful GSS_Import_sec_context()
+   operation, the imported context is available for use by the importing
+   process. In particular, the imported context is usable for all per-
+   message operations and may be deleted or exported by its importer.
+   The inability to receive delegated credentials through
+
+
+
+Linn                        Standards Track                    [Page 61]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   gss_import_sec_context() precludes establishment of new contexts
+   based on information delegated to the importer's end system within
+   the context which is being imported, unless those delegated
+   credentials are obtained through separate routines (e.g., XGSS-API
+   calls) outside the GSS-V2 definition.
+
+   For further discussion of the security and authorization issues
+   regarding this call, please see the discussion in Section 2.2.8.
+
+2.3:  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output
+   from GSS_Wrap() is properly input to GSS_Unwrap().
+
+   GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
+   and data integrity services. When GSS_GetMIC() is invoked on an input
+   message, it yields a per-message token containing data items which
+   allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_VerifyMIC(), which validates the message in
+   conjunction with the separate token.
+
+   GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap()
+   outputs a single data element, encapsulating optionally enciphered
+   user data as well as associated token data items.  The data element
+   output from GSS_Wrap() is passed to the remote peer and processed by
+   GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+   Although zero-length tokens are never returned by GSS calls for
+   transfer to a context's peer, a zero-length object may be passed by a
+   caller into GSS_Wrap(), in which case the corresponding peer calling
+   GSS_Unwrap() on the transferred token will receive a zero-length
+   object as output from GSS_Unwrap().  Similarly, GSS_GetMIC() can be
+   called on an empty object, yielding a MIC which GSS_VerifyMIC() will
+   successfully verify against the active security context in
+   conjunction with a zero-length object.
+
+
+
+
+
+Linn                        Standards Track                    [Page 62]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.3.1:  GSS_GetMIC call
+
+   Note: This call is functionally equivalent to the GSS_Sign call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Sign are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop_req INTEGER, -- 0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that an integrity check, suitable for an
+   established security context, was successfully applied and that the
+   message and corresponding per_msg_token are ready for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the requested operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, apply an
+   integrity check to the input message (along with timestamps and/or
+   other data included in support of mech_type-specific mechanisms) and
+   (if GSS_S_COMPLETE status is indicated) return the result in
+
+
+
+Linn                        Standards Track                    [Page 63]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   per_msg_token. The qop_req parameter, interpretation of which is
+   discussed in Section 1.2.4, allows quality-of-protection control. The
+   caller passes the message and the per_msg_token to the target.
+
+   The GSS_GetMIC() function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC()
+   has been (or can necessarily be) performed successfully when the
+   message arrives at the destination.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.2:  GSS_VerifyMIC call
+
+   Note: This call is functionally equivalent to the GSS_Verify call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Verify are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the message was successfully
+   verified.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the received per_msg_token failed, preventing further processing
+   from being performed with that token.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   per_msg_token contains an incorrect integrity check for the message.
+
+
+
+Linn                        Standards Track                    [Page 64]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
+   message replay detection features described in Section 1.2.3; their
+   semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_VerifyMIC() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate integrity check for
+   the input message, and apply any active replay detection or
+   sequencing features. Returns an indication of the quality-of-
+   protection applied to the processed message in the qop_state result.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.3: GSS_Wrap call
+
+   Note: This call is functionally equivalent to the GSS_Seal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Seal are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER, -- 0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 65]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING  -- caller must release with
+   -- GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+   processed and that the output_message is ready for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Wrap() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_GetMIC().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter, interpretation
+   of which is discussed in Section 1.2.4, allows quality-of-protection
+   control.
+
+   When GSS_S_COMPLETE status is returned, the GSS_Wrap() call yields a
+   single output_message data element containing (optionally enciphered)
+   user data as well as control information.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.4: GSS_Unwrap call
+
+   Note: This call is functionally equivalent to the GSS_Unseal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Unseal are deprecated.
+
+
+
+
+
+Linn                        Standards Track                    [Page 66]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING  -- caller must release with
+   -- GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+   processed and that the resulting output_message is available.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the per_msg_token extracted from the input_message failed,
+   preventing further processing from being performed.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that an incorrect
+   integrity check was detected for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
+   message replay detection features described in Section 1.2.3; their
+   semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Unwrap() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 67]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Wrap(), provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unwrap() has deciphered the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Unwrap() performs the
+   data integrity and data origin authentication checking functions of
+   GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in
+   output_message.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.4:  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+2.4.1:  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER, -- GSS-API major_status or minor_status
+   -- return value
+
+   o  status_type INTEGER, -- 1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER -- mech_type to be used for
+   -- minor_status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING  -- required calls for
+   -- release by caller are specific to language bindings
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable status
+   representation (possibly representing more than one status event
+   encoded within the status_value) is available in the returned
+   status_string_set.
+
+
+
+
+Linn                        Standards Track                    [Page 68]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_MECH indicates that translation in accordance with an
+   unsupported mech_type was requested, so translation could not be
+   performed.
+
+   o  GSS_S_BAD_STATUS indicates that the input status_value was
+   invalid, or that the input status_type carried a value other than 1
+   or 2, so translation could not be performed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.  Note: some
+   language bindings may employ an iterative approach in order to emit
+   successive status components; this approach is acceptable but not
+   required for conformance with the current specification.
+
+   Although not contemplated in [RFC-2078], it has been observed that
+   some existing GSS-API implementations return GSS_S_CONTINUE_NEEDED
+   status when iterating through successive messages returned from
+   GSS_Display_status(). This behavior is deprecated;
+   GSS_S_CONTINUE_NEEDED should be returned only by
+   GSS_Init_sec_context() and GSS_Accept_sec_context().  For maximal
+   portability, however, it is recommended that defensive callers be
+   able to accept and ignore GSS_S_CONTINUE_NEEDED status if indicated
+   by GSS_Display_status() or any other call other than
+   GSS_Init_sec_context() or GSS_Accept_sec_context().
+
+2.4.2:  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of available mechanisms has
+   been returned in mech_set.
+
+
+
+
+Linn                        Standards Track                    [Page 69]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from GSS-API
+   calls which accept input mechanism type specifiers.
+
+2.4.3:  GSS_Compare_name call
+
+   Inputs:
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that name1 and name2 were comparable, and
+   that the name_equal result indicates whether name1 and name2
+   represent the same entity.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the two input names' types are
+   different and incomparable, so that the comparison operation could
+   not be completed.
+
+   o  GSS_S_BAD_NAME indicates that one or both of the input names was
+   ill-formed in terms of its internal type specifier, so the comparison
+   operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the call's operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations to
+   determine whether they refer to the same entity.  If either name
+   presented to GSS_Compare_name() denotes an anonymous principal,
+   GSS_Compare_name() shall indicate FALSE.  It is not required that
+   either or both inputs name1 and name2 be MNs; for some
+
+
+
+
+
+Linn                        Standards Track                    [Page 70]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
+   indicating name incomparability, for the case where neither input
+   name is an MN.
+
+2.4.4:  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING, -- caller must release
+   -- with GSS_Release_buffer()
+
+   o  name_type OBJECT IDENTIFIER  -- caller should treat
+   -- as read-only; does not need to be released
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable name
+   representation is available in the returned name_string.
+
+   o  GSS_S_BAD_NAME indicates that the contents of the provided name
+   were inconsistent with the internally-indicated name type, so no
+   printable representation could be generated.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+   If the input name represents an anonymous identity, a reserved value
+   (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
+
+   The GSS_C_NO_OID name type is to be returned only when the
+   corresponding internal name was created through import with
+   GSS_C_NO_OID. It is acceptable for mechanisms to normalize names
+   imported with GSS_C_NO_OID into other supported types and, therefore,
+   to display them with types other than GSS_C_NO_OID.
+
+
+
+
+
+Linn                        Standards Track                    [Page 71]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.4.5:  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME  -- caller must release with
+   -- GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid name representation is
+   output in output_name and described by the type value in
+   output_name_type.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name_type is
+   unsupported by the applicable underlying GSS-API mechanism(s), so the
+   import operation could not be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided input_name_string is
+   ill-formed in terms of the input_name_type, so the import operation
+   could not be completed.
+
+   o  GSS_S_BAD_MECH indicates that the input presented for import was
+   an exported name object and that its enclosed mechanism type was not
+   recognized or was unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a name representation as a contiguous octet
+   string, designate the type of namespace in conjunction with which it
+   should be parsed, and convert that representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name_string is defined in conjunction with its associated name
+   type; depending on the input_name_type, the associated
+   input_name_string may or may not be a printable string.  If the
+   input_name_type's value is GSS_C_NO_OID, a mechanism-specific default
+   printable syntax (which shall be specified in the corresponding GSS-
+   V2 mechanism specification) is assumed for the input_name_string;
+
+
+
+Linn                        Standards Track                    [Page 72]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   other input_name_type values as registered by GSS-API implementations
+   can be used to indicate specific non-default name syntaxes. Note: The
+   input_name_type argument serves to describe and qualify the
+   interpretation of the associated input_name_string; it does not
+   specify the data type of the returned output_name.
+
+   If a mechanism claims support for a particular name type, its
+   GSS_Import_name() operation shall be able to accept all possible
+   values conformant to the external name syntax as defined for that
+   name type.  These imported values may correspond to:
+
+      (1) locally registered entities (for which credentials may be
+      acquired),
+
+      (2) non-local entities (for which local credentials cannot be
+      acquired, but which may be referenced as targets of initiated
+      security contexts or initiators of accepted security contexts), or
+      to
+
+      (3) neither of the above.
+
+   Determination of whether a particular name belongs to class (1), (2),
+   or (3) as described above is not guaranteed to be performed by the
+   GSS_Import_name() function.
+
+   The internal name generated by a GSS_Import_name() operation may be a
+   single-mechanism MN, and is likely to be an MN within a single-
+   mechanism implementation, but portable callers must not depend on
+   this property (and must not, therefore, assume that the output from
+   GSS_Import_name() can be passed directly to GSS_Export_name() without
+   first being processed through GSS_Canonicalize_name()).
+
+2.4.6: GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input name was successfully released.
+
+
+
+Linn                        Standards Track                    [Page 73]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_NAME indicates that the input name argument did not
+   contain a valid name.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.  This call's specific behavior depends on the
+   language and programming environment within which a GSS-API
+   implementation operates, and is therefore detailed within applicable
+   bindings specifications; in particular, implementation and invocation
+   of this call may be superfluous (and may be omitted) within bindings
+   where memory management is automatic.
+
+2.4.7: GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input buffer was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.  This call's specific
+   behavior depends on the language and programming environment within
+   which a GSS-API implementation operates, and is therefore detailed
+   within applicable bindings specifications; in particular,
+   implementation and invocation of this call may be superfluous (and
+   may be omitted) within bindings where memory management is automatic.
+
+2.4.8: GSS_Release_OID_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+
+
+
+Linn                        Standards Track                    [Page 74]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input object identifier set was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.  This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   implementation and invocation of this call may be superfluous (and
+   may be omitted) within bindings where memory management is automatic.
+
+2.4.9: GSS_Create_empty_OID_set call
+
+   Inputs:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Creates an object identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   GSS_Add_OID_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   GSS_Acquire_cred().
+
+
+
+Linn                        Standards Track                    [Page 75]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.4.10: GSS_Add_OID_set_member call
+
+   Inputs:
+
+   o  member_oid OBJECT IDENTIFIER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Adds an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with GSS_Create_empty_OID_set()
+   when constructing a set of mechanism OIDs for input to
+   GSS_Acquire_cred().
+
+2.4.11: GSS_Test_OID_set_member call
+
+   Inputs:
+
+   o  member OBJECT IDENTIFIER,
+
+   o  set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  present BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+
+
+
+
+Linn                        Standards Track                    [Page 76]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Interrogates an Object Identifier set to determine whether a
+   specified Object Identifier is a member.  This routine is intended to
+   be used with OID sets returned by GSS_Indicate_mechs(),
+   GSS_Acquire_cred(), and GSS_Inquire_cred().
+
+2.4.12:  GSS_Inquire_names_for_mech call
+
+   Input:
+
+   o  input_mech_type OBJECT IDENTIFIER, -- mechanism type
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_type_set SET OF OBJECT IDENTIFIER -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the output name_type_set contains a
+   list of name types which are supported by the locally available
+   mechanism identified by input_mech_type.
+
+   o  GSS_S_BAD_MECH indicates that the mechanism identified by
+   input_mech_type was unsupported within the local implementation,
+   causing the query to fail.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of name types which are
+   supportable by a specific locally-available mechanism.
+
+2.4.13: GSS_Inquire_mechs_for_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 77]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  mech_types SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of object identifiers,
+   corresponding to the set of mechanisms suitable for processing the
+   input_name, is available in mech_types.
+
+   o  GSS_S_BAD_NAME indicates that the input_name was ill-formed and
+   could not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name parameter
+   contained an invalid name type or a name type unsupported by the
+   GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine returns the mechanism set with which the input_name may
+   be processed.
+
+   Each mechanism returned will recognize at least one element within
+   the name. It is permissible for this routine to be implemented within
+   a mechanism-independent GSS-API layer, using the type information
+   contained within the presented name, and based on registration
+   information provided by individual mechanism implementations.  This
+   means that the returned mech_types result may indicate that a
+   particular mechanism will understand a particular name when in fact
+   it would refuse to accept that name as input to
+   GSS_Canonicalize_name(), GSS_Init_sec_context(), GSS_Acquire_cred(),
+   or GSS_Add_cred(), due to some property of the particular name rather
+   than a property of the name type.  Thus, this routine should be used
+   only as a pre-filter for a call to a subsequent mechanism-specific
+   routine.
+
+2.4.14: GSS_Canonicalize_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER  -- must be explicit mechanism,
+   -- not "default" specifier or identifier of negotiating mechanism
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 78]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME  -- caller must release with
+   -- GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a mechanism-specific reduction of
+   the input_name, as processed by the mechanism identified by
+   mech_type, is available in output_name.
+
+   o  GSS_S_BAD_MECH indicates that the identified mechanism is
+   unsupported for this operation; this may correspond either to a
+   mechanism wholly unsupported by the local GSS-API implementation or
+   to a negotiating mechanism with which the canonicalization operation
+   cannot be performed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name does not contain
+   an element with suitable type for processing by the identified
+   mechanism.
+
+   o  GSS_S_BAD_NAME indicates that the input name contains an element
+   with suitable type for processing by the identified mechanism, but
+   that this element could not be processed successfully.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine reduces a GSS-API internal name input_name, which may in
+   general contain elements corresponding to multiple mechanisms, to a
+   mechanism-specific Mechanism Name (MN) output_name by applying the
+   translations corresponding to the mechanism identified by mech_type.
+   The contents of input_name are unaffected by the
+   GSS_Canonicalize_name() operation.  References to output_name will
+   remain valid until output_name is released, independent of whether or
+   not input_name is subsequently released.
+
+2.4.15: GSS_Export_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME, -- required to be MN
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 79]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  output_name OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a flat representation of the input
+   name is available in output_name.
+
+   o  GSS_S_NAME_NOT_MN indicates that the input name contained elements
+   corresponding to multiple mechanisms, so cannot be exported into a
+   single-mechanism flat form.
+
+   o  GSS_S_BAD_NAME indicates that the input name was an MN, but could
+   not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name was an MN, but
+   that its type is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine creates a flat name representation, suitable for
+   bytewise comparison or for input to GSS_Import_name() in conjunction
+   with the reserved GSS-API Exported Name Object OID, from a internal-
+   form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name()
+   or GSS_Accept_sec_context().
+
+   The emitted GSS-API Exported Name Object is self-describing; no
+   associated parameter-level OID need be emitted by this call.  This
+   flat representation consists of a mechanism-independent wrapper
+   layer, defined in Section 3.2 of this document, enclosing a
+   mechanism-defined name representation.
+
+   In all cases, the flat name output by GSS_Export_name() to correspond
+   to a particular input MN must be invariant over time within a
+   particular installation.
+
+   The GSS_S_NAME_NOT_MN status code is provided to enable
+   implementations to reject input names which are not MNs.  It is not,
+   however, required for purposes of conformance to this specification
+   that all non-MN input names must necessarily be rejected.
+
+2.4.16: GSS_Duplicate_name call
+
+   Inputs:
+
+   o  src_name INTERNAL NAME
+
+
+
+
+Linn                        Standards Track                    [Page 80]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  dest_name INTERNAL NAME  -- caller must release
+   -- with GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that dest_name references an internal
+   name object containing the same name as passed to src_name.
+
+   o  GSS_S_BAD_NAME indicates that the input name was invalid.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine takes input internal name src_name, and returns another
+   reference (dest_name) to that name which can be used even if src_name
+   is later freed.  (Note: This may be implemented by copying or through
+   use of reference counts.)
+
+3: Data Structure Definitions for GSS-V2 Usage
+
+   Subsections of this section define, for interoperability and
+   portability purposes, certain data structures for use with GSS-V2.
+
+3.1: Mechanism-Independent Token Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for the initial token of a GSS-API context
+   establishment sequence, incorporating an identifier of the mechanism
+   type to be used on that context and enabling tokens to be interpreted
+   unambiguously at GSS-API peers. Use of this format is required for
+   initial context establishment tokens of Internet standards-track
+   GSS-API mechanisms; use in non-initial tokens is optional.
+
+   The encoding format for the token tag is derived from ASN.1 and DER
+   (per illustrative ASN.1 syntax included later within this
+   subsection), but its concrete representation is defined directly in
+   terms of octets rather than at the ASN.1 level in order to facilitate
+   interoperable implementation without use of general ASN.1 processing
+   code.  The token tag consists of the following elements, in order:
+
+      1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that
+      -- constructed form, definite length encoding follows.
+
+
+
+Linn                        Standards Track                    [Page 81]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      2. Token length octets, specifying length of subsequent data
+      (i.e., the summed lengths of elements 3-5 in this list, and of the
+      mechanism-defined token object following the tag).  This element
+      comprises a variable number of octets:
+
+         2a. If the indicated value is less than 128, it shall be
+         represented in a single octet with bit 8 (high order) set to
+         "0" and the remaining bits representing the value.
+
+         2b. If the indicated value is 128 or more, it shall be
+         represented in two or more octets, with bit 8 of the first
+         octet set to "1" and the remaining bits of the first octet
+         specifying the number of additional octets.  The subsequent
+         octets carry the value, 8 bits per octet, most significant
+         digit first.  The minimum number of octets shall be used to
+         encode the length (i.e., no octets representing leading zeros
+         shall be included within the length encoding).
+
+      3. 0x06 -- Tag for OBJECT IDENTIFIER
+
+      4. Object identifier length -- length (number of octets) of
+      -- the encoded object identifier contained in element 5,
+      -- encoded per rules as described in 2a. and 2b. above.
+
+      5. Object identifier octets -- variable number of octets,
+      -- encoded per ASN.1 BER rules:
+
+         5a. The first octet contains the sum of two values: (1) the
+         top-level object identifier component, multiplied by 40
+         (decimal), and (2) the second-level object identifier
+         component.  This special case is the only point within an
+         object identifier encoding where a single octet represents
+         contents of more than one component.
+
+         5b. Subsequent octets, if required, encode successively-lower
+         components in the represented object identifier.  A component's
+         encoding may span multiple octets, encoding 7 bits per octet
+         (most significant bits first) and with bit 8 set to "1" on all
+         but the final octet in the component's encoding.  The minimum
+         number of octets shall be used to encode each component (i.e.,
+         no octets representing leading zeros shall be included within a
+         component's encoding).
+
+      (Note: In many implementations, elements 3-5 may be stored and
+      referenced as a contiguous string constant.)
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 82]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The token tag is immediately followed by a mechanism-defined token
+   object.  Note that no independent size specifier intervenes following
+   the object identifier value to indicate the size of the mechanism-
+   defined token object.  While ASN.1 usage within mechanism-defined
+   tokens is permitted, there is no requirement that the mechanism-
+   specific innerContextToken, innerMsgToken, and sealedUserData data
+   elements must employ ASN.1 BER/DER encoding conventions.
+
+   The following ASN.1 syntax is included for descriptive purposes only,
+   to illustrate structural relationships among token and tag objects.
+   For interoperability purposes, token and tag encoding shall be
+   performed using the concrete encoding procedures described earlier in
+   this subsection.
+
+      GSS-API DEFINITIONS ::=
+
+      BEGIN
+
+      MechType ::= OBJECT IDENTIFIER
+      -- data structure definitions
+      -- callers must be able to distinguish among
+      -- InitialContextToken, SubsequentContextToken,
+      -- PerMsgToken, and SealedMessage data elements
+      -- based on the usage in which they occur
+
+      InitialContextToken ::=
+      -- option indication (delegation, etc.) indicated within
+      -- mechanism-specific token
+      [APPLICATION 0] IMPLICIT SEQUENCE {
+              thisMech MechType,
+              innerContextToken ANY DEFINED BY thisMech
+                 -- contents mechanism-specific
+                 -- ASN.1 structure not required
+              }
+
+      SubsequentContextToken ::= innerContextToken ANY
+      -- interpretation based on predecessor InitialContextToken
+      -- ASN.1 structure not required
+
+      PerMsgToken ::=
+      -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
+      -- ASN.1 structure not required
+              innerMsgToken ANY
+
+      SealedMessage ::=
+      -- as emitted by GSS_Wrap and processed by GSS_Unwrap
+      -- includes internal, mechanism-defined indicator
+      -- of whether or not encrypted
+
+
+
+Linn                        Standards Track                    [Page 83]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      -- ASN.1 structure not required
+              sealedUserData ANY
+
+      END
+
+3.2: Mechanism-Independent Exported Name Object Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for names exported via the GSS_Export_name() call,
+   including an object identifier representing the exporting mechanism.
+   The format of names encapsulated via this representation shall be
+   defined within individual mechanism drafts.  The Object Identifier
+   value to indicate names of this type is defined in Section 4.7 of
+   this document.
+
+   No name type OID is included in this mechanism-independent level of
+   format definition, since (depending on individual mechanism
+   specifications) the enclosed name may be implicitly typed or may be
+   explicitly typed using a means other than OID encoding.
+
+   The bytes within MECH_OID_LEN and NAME_LEN elements are represented
+   most significant byte first (equivalently, in IP network byte order).
+
+        Length    Name          Description
+
+        2               TOK_ID          Token Identifier
+                                        For exported name objects, this
+                                        must be hex 04 01.
+        2               MECH_OID_LEN    Length of the Mechanism OID
+        MECH_OID_LEN    MECH_OID        Mechanism OID, in DER
+        4               NAME_LEN        Length of name
+        NAME_LEN        NAME            Exported name; format defined in
+                                        applicable mechanism draft.
+
+   A concrete example of the contents of an exported name object,
+   derived from the Kerberos Version 5 mechanism, is as follows:
+
+   04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 hx xx xx xl pp qq ... zz
+
+   04 01        mandatory token identifier
+
+   00 0B        2-byte length of the immediately following DER-encoded
+                ASN.1 value of type OID, most significant octet first
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 84]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   06 09 2A 86 48 86 F7 12 01 02 02    DER-encoded ASN.1 value
+                                       of type OID; Kerberos V5
+                                       mechanism OID indicates
+                                       Kerberos V5 exported name
+
+          in Detail:      06                  Identifier octet (6=OID)
+                          09                           Length octet(s)
+                          2A 86 48 86 F7 12 01 02 02   Content octet(s)
+
+   hx xx xx xl   4-byte length of the immediately following exported
+                 name blob, most significant octet first
+
+   pp qq ... zz  exported name blob of specified length,
+                 bits and bytes specified in the
+                 (Kerberos 5) GSS-API v2 mechanism spec
+
+4: Name Type Definitions
+
+   This section includes definitions for name types and associated
+   syntaxes which are defined in a mechanism-independent fashion at the
+   GSS-API level rather than being defined in individual mechanism
+   specifications.
+
+4.1: Host-Based Service Name Form
+
+   This name form shall be represented by the Object Identifier:
+
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+   "gssapi(2) generic(1) service_name(4)}.
+
+   The recommended symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+   For reasons of compatibility with existing implementations, it is
+   recommended that this OID be used rather than the alternate value as
+   included in [RFC-2078]:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   2(gss-host-based-services)}
+
+   While it is not recommended that this alternate value be emitted on
+   output by GSS implementations, it is recommended that it be accepted
+   on input as equivalent to the recommended value.
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 85]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   This name type is used to represent services associated with host
+   computers.  Support for this name form is recommended to mechanism
+   designers in the interests of portability, but is not mandated by
+   this specification. This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+   service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   may (as an example implementation strategy) be canonicalized by
+   attempting a DNS lookup and using the fully-qualified domain name
+   which is returned, or by using the "hostname" as provided if the DNS
+   lookup fails.  The canonicalization operation also maps the host's
+   name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Documents specifying means for GSS integration into a particular
+   protocol should state either:
+
+      (a) that a specific IANA-registered name associated with that
+      protocol shall be used for the "service" element (this admits, if
+      needed, the possibility that a single name can be registered and
+      shared among a related set of protocols), or
+
+      (b) that the generic name "host" shall be used for the "service"
+      element, or
+
+      (c) that, for that protocol, fallback in specified order (a, then
+      b) or (b, then a) shall be applied.
+
+   IANA registration of specific names per (a) should be handled in
+   accordance with the "Specification Required" assignment policy,
+   defined by BCP 26, RFC 2434 as follows: "Values and their meaning
+   must be documented in an RFC or other available reference, in
+   sufficient detail so that interoperability between independent
+   implementations is possible."
+
+4.2: User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}. The recommended mechanism-independent
+   symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same
+
+
+
+
+Linn                        Standards Track                    [Page 86]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   name form and OID is defined within the Kerberos V5 GSS-API
+   mechanism, but the symbolic name recommended there begins with a
+   "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a named user on a local system.
+   Its syntax and interpretation may be OS-specific. This name form is
+   constructed as:
+
+   username
+
+4.3: Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended mechanism-
+   independent symbolic name for this type is
+   "GSS_C_NT_MACHINE_UID_NAME".  (Note: the same name form and OID is
+   defined within the Kerberos V5 GSS-API mechanism, but the symbolic
+   name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant user ID, represented in host
+   byte order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+4.4: String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_C_NT_STRING_UID_NAME".  (Note: the same name form
+   and OID is defined within the Kerberos V5 GSS-API mechanism, but the
+   symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the user ID.
+
+4.5: Anonymous Nametype
+
+   The following Object Identifier value is provided as a means to
+   identify anonymous names, and can be compared against in order to
+   determine, in a mechanism-independent fashion, whether a name refers
+   to an anonymous principal:
+
+
+
+Linn                        Standards Track                    [Page 87]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   3(gss-anonymous-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_ANONYMOUS.
+
+4.6: GSS_C_NO_OID
+
+   The recommended symbolic name GSS_C_NO_OID corresponds to a null
+   input value instead of an actual object identifier.  Where specified,
+   it indicates interpretation of an associated name based on a
+   mechanism-specific default printable syntax.
+
+4.7: Exported Name Object
+
+   Name objects of the Mechanism-Independent Exported Name Object type,
+   as defined in Section 3.2 of this document, will be identified with
+   the following Object Identifier:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   4(gss-api-exported-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_EXPORT_NAME.
+
+4.8: GSS_C_NO_NAME
+
+   The recommended symbolic name GSS_C_NO_NAME indicates that no name is
+   being passed within a particular value of a parameter used for the
+   purpose of transferring names. Note: GSS_C_NO_NAME is not an actual
+   name type, and is not represented by an OID; its acceptability in
+   lieu of an actual name is confined to specific calls
+   (GSS_Acquire_cred(), GSS_Add_cred(), and GSS_Init_sec_context()) with
+   usages as identified within this specification.
+
+5:  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+
+
+
+
+Linn                        Standards Track                    [Page 88]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+5.1: Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context() yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_GetMIC(),
+   GSS_VerifyMIC(),  GSS_Wrap(), and GSS_Unwrap() operations.
+
+5.2: Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_S_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED
+
+
+
+Linn                        Standards Track                    [Page 89]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context() returns
+   GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context() builds a Kerberos-formatted authenticator, and
+   returns it in output_token along with GSS_S_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_S_COMPLETE.
+
+   GSS_GetMIC(),  GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap()  as
+   above.
+
+5.3:  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred() call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(), which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable integrity
+   checks were applied by trusted authorities and that those
+   certificates have not expired. GSS_Init_sec_context() generates a
+   secret key for use in per-message protection operations on the
+   context, and enciphers that secret key under the service's public
+   key.
+
+
+
+Linn                        Standards Track                    [Page 90]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The enciphered secret key, along with an authenticator quantity
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_VerifyMIC()  and GSS_Unwrap() calls.
+
+6:  Security Considerations
+
+   This document specifies a service interface for security facilities
+   and services; as such, security considerations are considered
+   throughout the specification.  Nonetheless, it is appropriate to
+   summarize certain specific points relevant to GSS-API implementors
+   and calling applications.  Usage of the GSS-API interface does not in
+   itself provide security services or assurance; instead, these
+   attributes are dependent on the underlying mechanism(s) which support
+   a GSS-API implementation.  Callers must be attentive to the requests
+   made to GSS-API calls and to the status indicators returned by GSS-
+   API, as these specify the security service characteristics which
+   GSS-API will provide.  When the interprocess context transfer
+   facility is used, appropriate local controls should be applied to
+   constrain access to interprocess tokens and to the sensitive data
+   which they contain.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 91]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+7:  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats and processing procedures must be
+      defined for candidate mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed, as [RFC-1509]
+   defines for the C programming language and GSS-V1.  C Language
+   bindings for GSS-V2 are defined in [RFC-2744].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 92]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+8:  Referenced Documents
+
+   [ISO-7498-2]  International Standard ISO 7498-2-1988(E), Security
+                 Architecture.
+
+   [ISOIEC-8824] ISO/IEC 8824, "Specification of Abstract Syntax
+                 Notation One (ASN.1)".
+
+   [ISOIEC-8825] ISO/IEC 8825, "Specification of Basic Encoding Rules
+                 for Abstract Syntax Notation One (ASN.1)".)
+
+   [RFC-1507]:   Kaufman, C., "DASS: Distributed Authentication Security
+                 Service", RFC 1507, September 1993.
+
+   [RFC-1508]:   Linn, J., "Generic Security Service Application Program
+                 Interface", RFC 1508, September 1993.
+
+   [RFC-1509]:   Wray, J., "Generic Security Service API: C-bindings",
+                 RFC 1509, September 1993.
+
+   [RFC-1964]:   Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+                 RFC 1964, June 1996.
+
+   [RFC-2025]:   Adams, C., "The Simple Public-Key GSS-API Mechanism
+                 (SPKM)", RFC 2025, October 1996.
+
+   [RFC-2078]:   Linn, J., "Generic Security Service Application Program
+                 Interface, Version 2", RFC 2078, January 1997.
+
+   [RFC-2203]:   Eisler, M., Chiu, A. and L. Ling, "RPCSEC_GSS Protocol
+                 Specification", RFC 2203, September 1997.
+
+   [RFC-2744]:   Wray, J., "Generic Security Service API Version 2 :
+                 C-bindings", RFC 2744, January 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 93]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+APPENDIX A
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+APPENDIX B
+
+COMPATIBILITY WITH GSS-V1
+
+   It is the intent of this document to define an interface and
+   procedures which preserve compatibility between GSS-V1 [RFC-1508]
+   callers and GSS-V2 providers.  All calls defined in GSS-V1 are
+   preserved, and it has been a goal that GSS-V1 callers should be able
+   to operate atop GSS-V2 provider implementations.  Certain detailed
+   changes, summarized in this section, have been made in order to
+   resolve omissions identified in GSS-V1.
+
+   The following GSS-V1 constructs, while supported within GSS-V2, are
+   deprecated:
+
+      Names for per-message processing routines: GSS_Seal() deprecated
+      in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
+      GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
+      GSS_Verify() deprecated in favor of GSS_VerifyMIC().
+
+      GSS_Delete_sec_context() facility for context_token usage,
+      allowing mechanisms to signal context deletion, is retained for
+      compatibility with GSS-V1.  For current usage, it is recommended
+      that both peers to a context invoke GSS_Delete_sec_context()
+      independently, passing a null output_context_token buffer to
+      indicate that no context_token is required.  Implementations of
+      GSS_Delete_sec_context() should delete relevant locally-stored
+      context information.
+
+   This GSS-V2 specification adds the following calls which are not
+   present in GSS-V1:
+
+
+
+
+Linn                        Standards Track                    [Page 94]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Credential management calls: GSS_Add_cred(),
+      GSS_Inquire_cred_by_mech().
+
+      Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
+      GSS_Export_sec_context(), GSS_Import_sec_context().
+
+      Per-message calls: No new calls.  Existing calls have been
+      renamed.
+
+      Support calls: GSS_Create_empty_OID_set(),
+      GSS_Add_OID_set_member(), GSS_Test_OID_set_member(),
+      GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(),
+      GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
+
+   This GSS-V2 specification introduces three new facilities applicable
+   to security contexts, indicated using the following context state
+   values which are not present in GSS-V1:
+
+      anon_state, set TRUE to indicate that a context's initiator is
+      anonymous from the viewpoint of the target; Section 1.2.5 of this
+      specification provides a summary description of the GSS-V2
+      anonymity support facility, support and use of which is optional.
+
+      prot_ready_state, set TRUE to indicate that a context may be used
+      for per-message protection before final completion of context
+      establishment; Section 1.2.7 of this specification provides a
+      summary description of the GSS-V2 facility enabling mechanisms to
+      selectively permit per-message protection during context
+      establishment, support and use of which is optional.
+
+      trans_state, set TRUE to indicate that a context is transferable
+      to another process using the GSS-V2 GSS_Export_sec_context()
+      facility.
+
+   These state values are represented (at the C bindings level) in
+   positions within a bit vector which are unused in GSS-V1, and may be
+   safely ignored by GSS-V1 callers.
+
+   New conf_req_flag and integ_req_flag inputs are defined for
+   GSS_Init_sec_context(), primarily to provide information to
+   negotiating mechanisms.  This introduces a compatibility issue with
+   GSS-V1 callers, discussed in section 2.2.1 of this specification.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 95]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
+   implementors in the following areas: implementation robustness,
+   credential management, behavior in multi-mechanism configurations,
+   naming support, and inclusion of optional sequencing services.  The
+   token tagging facility as defined in GSS-V2, Section 3.1, is now
+   described directly in terms of octets to facilitate interoperable
+   implementation without general ASN.1 processing code; the
+   corresponding ASN.1 syntax, included for descriptive purposes, is
+   unchanged from that in GSS-V1. For use in conjunction with added
+   naming support facilities, a new Exported Name Object construct is
+   added.  Additional name types are introduced in Section 4.
+
+   This GSS-V2 specification adds the following major_status values
+   which are not defined in GSS-V1:
+
+        GSS_S_BAD_QOP                 unsupported QOP value
+        GSS_S_UNAUTHORIZED            operation unauthorized
+        GSS_S_UNAVAILABLE             operation unavailable
+        GSS_S_DUPLICATE_ELEMENT       duplicate credential element
+                                        requested
+        GSS_S_NAME_NOT_MN                   name contains multi-mechanism
+                                        elements
+        GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                        detected
+
+   Of these added status codes, only two values are defined to be
+   returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
+   GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
+   GSS_VerifyMIC() and GSS_Unwrap()).
+
+   Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
+   have been updated to allow return of additional major_status values
+   from the set as defined in GSS-V1: GSS_Inquire_cred() has
+   GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
+   returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
+   GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
+   GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
+
+APPENDIX C
+
+CHANGES RELATIVE TO RFC-2078
+
+   This document incorporates a number of changes relative to RFC-2078,
+   made primarily in response to implementation experience, for purposes
+   of alignment with the GSS-V2 C language bindings document, and to add
+   informative clarification.  This section summarizes technical changes
+   incorporated.
+
+
+
+
+Linn                        Standards Track                    [Page 96]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   General:
+
+      Clarified usage of object release routines, and incorporated
+      statement that some may be omitted within certain operating
+      environments.
+
+      Removed GSS_Release_OID, GSS_OID_to_str(), and GSS_Str_to_OID()
+      routines.
+
+      Clarified circumstances under which zero-length tokens may validly
+      exist as inputs and outputs to/from GSS-API calls.
+
+      Added GSS_S_BAD_MIC status code as alias for GSS_S_BAD_SIG.
+
+      For GSS_Display_status(), deferred to language bindings the choice
+      of whether to return multiple status values in parallel or via
+      iteration, and added commentary deprecating return of
+      GSS_S_CONTINUE_NEEDED.
+
+      Adapted and incorporated clarifying material on optional service
+      support, delegation, and interprocess context transfer from C
+      bindings document.
+
+      Added and updated references to related documents, and to current
+      status of cited Kerberos mechanism OID.
+
+      Added general statement about GSS-API calls having no side effects
+      visible at the GSS-API level.
+
+   Context-related (including per-message protection issues):
+
+      Clarified GSS_Delete_sec_context() usage for partially-established
+      contexts.
+
+      Added clarification on GSS_Export_sec_context() and
+      GSS_Import_sec_context() behavior and context usage following an
+      export-import sequence.
+
+      Added informatory conf_req_flag, integ_req_flag inputs to
+      GSS_Init_sec_context().  (Note: this facility introduces a
+      backward incompatibility with GSS-V1 callers, discussed in Section
+      2.2.1; this implication was recognized and accepted in working
+      group discussion.)
+
+      Stated that GSS_S_FAILURE is to be returned if
+      GSS_Init_sec_context() or GSS_Accept_sec_context() is passed the
+      handle of a context which is already fully established.
+
+
+
+
+Linn                        Standards Track                    [Page 97]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Re GSS_Inquire_sec_context(), stated that src_name and targ_name
+      are not returned until GSS_S_COMPLETE status is reached; removed
+      use of GSS_S_CONTEXT_EXPIRED status code (replacing with EXPIRED
+      lifetime return value); stated requirement to retain inquirable
+      data until context released by caller; added result value
+      indicating whether or not context is fully open.
+
+      Added discussion of interoperability conditions for mechanisms
+      permitting optional support of QOPs. Removed reference to
+      structured QOP elements in GSS_Verify_MIC().
+
+      Added discussion of use of GSS_S_DUPLICATE_TOKEN status to
+      indicate reflected per-message tokens.
+
+      Clarified use of informational sequencing codes from per-message
+      protection calls in conjunction with GSS_S_COMPLETE and
+      GSS_S_FAILURE major_status returns, adjusting status code
+      descriptions accordingly.
+
+      Added specific statements about impact of GSS_GetMIC() and
+      GSS_Wrap() failures on context state information, and generalized
+      existing statements about impact of processing failures on
+      received per-message tokens.
+
+      For GSS_Init_sec_context() and GSS_Accept_sec_context(), permitted
+      returned mech_type to be valid before GSS_S_COMPLETE, recognizing
+      that the value may change on successive continuation calls in the
+      negotiated mechanism case.
+
+      Deleted GSS_S_CONTEXT_EXPIRED status from
+      GSS_Import_sec_context().
+
+      Added conf_req_flag input to GSS_Wrap_size_limit().
+
+      Stated requirement for mechanisms' support of per-message
+      protection services to be usable concurrently in both directions
+      on a context.
+
+   Credential-related:
+
+      For GSS_Acquire_cred() and GSS_Add_cred(), aligned with C bindings
+      statement of likely non-support for INITIATE or BOTH credentials
+      if input name is neither empty nor a name resulting from applying
+      GSS_Inquire_cred() against the default credential.  Further,
+      stated that an explicit name returned by GSS_Inquire_context()
+      should also be accepted.  Added commentary about potentially
+      time-variant results of default resolution and attendant
+      implications.  Aligned with C bindings re behavior when
+
+
+
+Linn                        Standards Track                    [Page 98]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      GSS_C_NO_NAME provided for desired_name. In GSS_Acquire_cred(),
+      stated that NULL, rather than empty OID set, should be used for
+      desired_mechs in order to request default mechanism set.
+
+      Added GSS_S_CREDENTIALS_EXPIRED as returnable major_status for
+      GSS_Acquire_cred(), GSS_Add_cred(), also specifying GSS_S_NO_CRED
+      as appropriate return for temporary, user-fixable credential
+      unavailability.  GSS_Acquire_cred() and GSS_Add_cred() are also to
+      return GSS_S_NO_CRED if an authorization failure is encountered
+      upon credential acquisition.
+
+      Removed GSS_S_CREDENTIALS_EXPIRED status return from per-message
+      protection, GSS_Context_time(), and GSS_Inquire_context() calls.
+
+      For GSS_Add_cred(), aligned with C bindings' description of
+      behavior when addition of elements to the default credential is
+      requested.
+
+      Upgraded recommended default credential resolution algorithm to
+      status of requirement for initiator credentials.
+
+      For GSS_Release_cred(), GSS_Inquire_cred(), and
+      GSS_Inquire_cred_by_mech(), clarified behavior for input
+      GSS_C_NO_CREDENTIAL.
+
+   Name-related:
+
+      Aligned GSS_Inquire_mechs_for_name() description with C bindings.
+
+      Removed GSS_S_BAD_NAMETYPE status return from
+      GSS_Duplicate_name(), GSS_Display_name(); constrained its
+      applicability for GSS_Compare_name().
+
+      Aligned with C bindings statement re GSS_Import_name() behavior
+      with GSS_C_NO_OID input name type, and stated that GSS-V2
+      mechanism specifications are to define processing procedures
+      applicable to their mechanisms.  Also clarified GSS_C_NO_OID usage
+      with GSS_Display_name().
+
+      Downgraded reference to name canonicalization via DNS lookup to an
+      example.
+
+      For GSS_Canonicalize_name(), stated that neither negotiated
+      mechanisms nor the default mechanism are supported input
+      mech_types for this operation, and specified GSS_S_BAD_MECH status
+      to be returned in this case.  Clarified that the
+      GSS_Canonicalize_name() operation is non-destructive to its input
+      name.
+
+
+
+Linn                        Standards Track                    [Page 99]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Clarified semantics of GSS_C_NT_USER_NAME name type.
+
+      Added descriptions of additional name types.  Also added
+      discussion of GSS_C_NO_NAME and its constrained usage with
+      specific GSS calls.
+
+      Adapted and incorporated C bindings discussion about name
+      comparisons with exported name objects.
+
+      Added recommendation to mechanism designers for support of host-
+      based service name type, deferring any requirement statement to
+      individual mechanism specifications.  Added discussion of host-
+      based service's service name element and proposed approach for
+      IANA registration policy therefor.
+
+      Clarified byte ordering within exported name object.  Stated that
+      GSS_S_BAD_MECH is to be returned if, in the course of attempted
+      import of an exported name object, the name object's enclosed
+      mechanism type is unrecognized or unsupported.
+
+      Stated that mechanisms may optionally accept GSS_C_NO_NAME as an
+      input target name to GSS_Init_sec_context(), with comment that
+      such support is unlikely within mechanisms predating GSS-V2,
+      Update 1.
+
+AUTHOR'S ADDRESS
+
+   John Linn
+   RSA Laboratories
+   20 Crosby Drive
+   Bedford, MA  01730 USA
+
+   Phone: +1 781.687.7817
+   EMail: jlinn@rsasecurity.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                   [Page 100]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                   [Page 101]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2744.txt b/crypto/heimdal/doc/standardisation/rfc2744.txt
new file mode 100644
index 0000000..7f0c619
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2744.txt
@@ -0,0 +1,5659 @@
+
+
+
+
+
+
+Network Working Group                                             J. Wray
+Request for Comments: 2744                                Iris Associates
+Obsoletes: 1509                                              January 2000
+Category: Standards Track
+
+
+          Generic Security Service API Version 2 : C-bindings
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   This document specifies C language bindings for Version 2, Update 1
+   of the Generic Security Service Application Program Interface (GSS-
+   API), which is described at a language-independent conceptual level
+   in RFC-2743 [GSSAPI].  It obsoletes RFC-1509, making specific
+   incremental changes in response to implementation experience and
+   liaison requests.  It is intended, therefore, that this memo or a
+   successor version thereof will become the basis for subsequent
+   progression of the GSS-API specification on the standards track.
+
+   The Generic Security Service Application Programming Interface
+   provides security services to its callers, and is intended for
+   implementation atop a variety of underlying cryptographic mechanisms.
+   Typically, GSS-API callers will be application protocols into which
+   security enhancements are integrated through invocation of services
+   provided by the GSS-API. The GSS-API allows a caller application to
+   authenticate a principal identity associated with a peer application,
+   to delegate rights to a peer, and to apply security services such as
+   confidentiality and integrity on a per-message basis.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 1]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+1.   Introduction
+
+   The Generic Security Service Application Programming Interface
+   [GSSAPI] provides security services to calling applications.  It
+   allows a communicating application to authenticate the user
+   associated with another application, to delegate rights to another
+   application, and to apply security services such as confidentiality
+   and integrity on a per-message basis.
+
+   There are four stages to using the GSS-API:
+
+   a) The application acquires a set of credentials with which it may
+      prove its identity to other processes. The application's
+      credentials vouch for its global identity, which may or may not be
+      related to any local username under which it may be running.
+
+   b) A pair of communicating applications establish a joint security
+      context using their credentials.  The security context is a pair
+      of GSS-API data structures that contain shared state information,
+      which is required in order that per-message security services may
+      be provided.  Examples of state that might be shared between
+      applications as part of a security context are cryptographic keys,
+      and message sequence numbers.  As part of the establishment of a
+      security context, the context initiator is authenticated to the
+      responder, and may require that the responder is authenticated in
+      turn.  The initiator may optionally give the responder the right
+      to initiate further security contexts, acting as an agent or
+      delegate of the initiator.  This transfer of rights is termed
+      delegation, and is achieved by creating a set of credentials,
+      similar to those used by the initiating application, but which may
+      be used by the responder.
+
+      To establish and maintain the shared information that makes up the
+      security context, certain GSS-API calls will return a token data
+      structure, which is an opaque data type that may contain
+      cryptographically protected data.  The caller of such a GSS-API
+      routine is responsible for transferring the token to the peer
+      application, encapsulated if necessary in an application-
+      application protocol.  On receipt of such a token, the peer
+      application should pass it to a corresponding GSS-API routine
+      which will decode the token and extract the information, updating
+      the security context state information accordingly.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 2]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   c) Per-message services are invoked to apply either:
+
+      integrity and data origin authentication, or confidentiality,
+      integrity and data origin authentication to application data,
+      which are treated by GSS-API as arbitrary octet-strings.  An
+      application transmitting a message that it wishes to protect will
+      call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to
+      apply protection, specifying the appropriate security context, and
+      send the resulting token to the receiving application.  The
+      receiver will pass the received token (and, in the case of data
+      protected by gss_get_mic, the accompanying message-data) to the
+      corresponding decoding routine (gss_verify_mic or gss_unwrap) to
+      remove the protection and validate the data.
+
+   d) At the completion of a communications session (which may extend
+      across several transport connections), each application calls a
+      GSS-API routine to delete the security context.  Multiple contexts
+      may also be used (either successively or simultaneously) within a
+      single communications association, at the option of the
+      applications.
+
+2.   GSS-API Routines
+
+      This section lists the routines that make up the GSS-API, and
+      offers a brief description of the purpose of each routine.
+      Detailed descriptions of each routine are listed in alphabetical
+      order in section 5.
+
+   Table 2-1  GSS-API Credential-management Routines
+
+   Routine                Section              Function
+   -------                -------              --------
+   gss_acquire_cred           5.2  Assume a global identity; Obtain
+                                   a GSS-API credential handle for
+                                   pre-existing credentials.
+   gss_add_cred               5.3  Construct credentials
+                                   incrementally
+   gss_inquire_cred           5.21 Obtain information about a
+                                   credential
+   gss_inquire_cred_by_mech   5.22 Obtain per-mechanism information
+                                   about a credential.
+   gss_release_cred           5.27 Discard a credential handle.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 3]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 2-2  GSS-API Context-Level Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_init_sec_context       5.19 Initiate a security context with
+                                   a peer application
+   gss_accept_sec_context     5.1  Accept a security context
+                                   initiated by a
+                                   peer application
+   gss_delete_sec_context     5.9  Discard a security context
+   gss_process_context_token  5.25 Process a token on a security
+                                   context from a peer application
+   gss_context_time           5.7  Determine for how long a context
+                                   will remain valid
+   gss_inquire_context        5.20 Obtain information about a
+                                   security context
+   gss_wrap_size_limit        5.34 Determine token-size limit for
+                                   gss_wrap on a context
+   gss_export_sec_context     5.14 Transfer a security context to
+                                   another process
+   gss_import_sec_context     5.17 Import a transferred context
+
+
+   Table 2-3  GSS-API Per-message Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_get_mic                5.15 Calculate a cryptographic message
+                                   integrity code (MIC) for a
+                                   message; integrity service
+   gss_verify_mic             5.32 Check a MIC against a message;
+                                   verify integrity of a received
+                                   message
+   gss_wrap                   5.33 Attach a MIC to a message, and
+                                   optionally encrypt the message
+                                   content;
+                                   confidentiality service
+   gss_unwrap                 5.31 Verify a message with attached
+                                   MIC, and decrypt message content
+                                   if necessary.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 4]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 2-4  GSS-API Name manipulation Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_import_name            5.16 Convert a contiguous string name
+                                   to internal-form
+   gss_display_name           5.10 Convert internal-form name to
+                                   text
+   gss_compare_name           5.6  Compare two internal-form names
+
+   gss_release_name           5.28 Discard an internal-form name
+   gss_inquire_names_for_mech 5.24 List the name-types supported by
+                                   the specified mechanism
+   gss_inquire_mechs_for_name 5.23 List mechanisms that support the
+                                   specified name-type
+   gss_canonicalize_name      5.5  Convert an internal name to an MN
+   gss_export_name            5.13 Convert an MN to export form
+   gss_duplicate_name         5.12 Create a copy of an internal name
+
+
+   Table 2-5  GSS-API Miscellaneous Routines
+
+   Routine                Section              Function
+   -------                -------              --------
+   gss_add_oid_set_member    5.4  Add an object identifier to
+                                  a set
+   gss_display_status        5.11 Convert a GSS-API status code
+                                  to text
+   gss_indicate_mechs        5.18 Determine available underlying
+                                  authentication mechanisms
+   gss_release_buffer        5.26 Discard a buffer
+   gss_release_oid_set       5.29 Discard a set of object
+                                  identifiers
+   gss_create_empty_oid_set  5.8  Create a set containing no
+                                  object identifiers
+   gss_test_oid_set_member   5.30 Determines whether an object
+                                       identifier is a member of a set.
+
+   Individual GSS-API implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms. Applications
+   are encouraged to use the generic routines wherever possible on
+   portability grounds.
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 5]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.   Data Types and Calling Conventions
+
+   The following conventions are used by the GSS-API C-language
+   bindings:
+
+3.1. Integer types
+
+   GSS-API uses the following integer data type:
+
+   OM_uint32    32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data
+   type is used by the GSS-API routine definitions.  Individual GSS-API
+   implementations will include appropriate typedef definitions to map
+   this type onto a built-in data type.  If the platform supports the
+   X/Open xom.h header file, the OM_uint32 definition contained therein
+   should be used; the GSS-API header file in Appendix A contains logic
+   that will detect the prior inclusion of xom.h, and will not attempt
+   to re-declare OM_uint32.  If the X/Open header file is not available
+   on the platform, the GSS-API implementation should use the smallest
+   natural unsigned integer type that provides at least 32 bits of
+   precision.
+
+3.2. String and similar data
+
+   Many of the GSS-API routines take arguments and return values that
+   describe contiguous octet-strings.  All such data is passed between
+   the GSS-API and the caller using the gss_buffer_t data type.  This
+   data type is a pointer to a buffer descriptor, which consists of a
+   length field that contains the total number of bytes in the datum,
+   and a value field which contains a pointer to the actual datum:
+
+   typedef struct gss_buffer_desc_struct {
+      size_t    length;
+      void      *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data returned to the application by a GSS-API routine
+   using the gss_buffer_t conventions is allocated by the GSS-API
+   routine.  The application may free this storage by invoking the
+   gss_release_buffer routine.  Allocation of the gss_buffer_desc object
+   is always the responsibility of the application;  unused
+   gss_buffer_desc objects may be initialized to the value
+   GSS_C_EMPTY_BUFFER.
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 6]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.2.1. Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at
+   the GSS-API, because their internal structure has no significance
+   either to the GSS-API or to the caller.  Examples of such opaque data
+   types are the input_token parameter to gss_init_sec_context (which is
+   opaque to the caller), and the input_message parameter to gss_wrap
+   (which is opaque to the GSS-API).  Opaque data is passed between the
+   GSS-API and the application using the gss_buffer_t datatype.
+
+3.2.2. Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO
+   Latin-1 character strings.  Examples are the printable strings passed
+   to gss_import_name via the input_name_buffer parameter. Some GSS-API
+   routines also return character strings.  All such character strings
+   are passed between the application and the GSS-API implementation
+   using the gss_buffer_t datatype, which is a pointer to a
+   gss_buffer_desc object.
+
+   When a gss_buffer_desc object describes a printable string, the
+   length field of the gss_buffer_desc should only count printable
+   characters within the string.  In particular, a trailing NUL
+   character should NOT be included in the length count, nor should
+   either the GSS-API implementation or the application assume the
+   presence of an uncounted trailing NUL.
+
+3.3. Object Identifiers
+
+   Certain GSS-API procedures take parameters of the type gss_OID, or
+   Object identifier.  This is a type containing ISO-defined tree-
+   structured values, and is used by the GSS-API caller to select an
+   underlying security mechanism and to specify namespaces.  A value of
+   type gss_OID has the following structure:
+
+   typedef struct gss_OID_desc_struct {
+      OM_uint32   length;
+      void        *elements;
+   } gss_OID_desc, *gss_OID;
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value portion
+   of the normal BER TLV encoding of the gss_OID.  The length field
+   contains the number of bytes in this value.  For example, the gss_OID
+   value corresponding to {iso(1) identified-organization(3) icd-
+   ecma(12) member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)},
+   meaning the DASS X.509 authentication mechanism, has a length field
+   of 7 and an elements field pointing to seven octets containing the
+
+
+
+Wray                        Standards Track                     [Page 7]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   following octal values: 53,14,2,207,163,7,5. GSS-API implementations
+   should provide constant gss_OID values to allow applications to
+   request any supported mechanism, although applications are encouraged
+   on portability grounds to accept the default mechanism.  gss_OID
+   values should also be provided to allow applications to specify
+   particular name types (see section 3.10).  Applications should treat
+   gss_OID_desc values returned by GSS-API routines as read-only.  In
+   particular, the application should not attempt to deallocate them
+   with free().  The gss_OID_desc datatype is equivalent to the X/Open
+   OM_object_identifier datatype[XOM].
+
+3.4. Object Identifier Sets
+
+   Certain GSS-API procedures take parameters of the type gss_OID_set.
+   This type represents one or more object identifiers (section 2.3).  A
+   gss_OID_set object has the following structure:
+
+   typedef struct gss_OID_set_desc_struct {
+      size_t    count;
+      gss_OID   elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each
+   of which describes a single OID.  gss_OID_set values are used to name
+   the available mechanisms supported by the GSS-API, to request the use
+   of specific mechanisms, and to indicate which mechanisms a given
+   credential supports.
+
+   All OID sets returned to the application by GSS-API are dynamic
+   objects (the gss_OID_set_desc, the "elements" array of the set, and
+   the "elements" array of each member OID are all dynamically
+   allocated), and this storage must be deallocated by the application
+   using the gss_release_oid_set() routine.
+
+3.5. Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSS-API credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which should be implemented as a pointer
+   or arithmetic type.  If a pointer implementation is chosen, care must
+   be taken to ensure that two gss_cred_id_t values may be compared with
+   the == operator.
+
+   GSS-API credentials can contain mechanism-specific principal
+   authentication data for multiple mechanisms.  A GSS-API credential is
+   composed of a set of credential-elements, each of which is applicable
+   to a single mechanism.  A credential may contain at most one
+
+
+
+Wray                        Standards Track                     [Page 8]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   credential-element for each supported mechanism. A credential-element
+   identifies the data needed by a single mechanism to authenticate a
+   single principal, and conceptually contains two credential-references
+   that describe the actual mechanism-specific authentication data, one
+   to be used by GSS-API for initiating contexts,  and one to be used
+   for accepting contexts.  For mechanisms that do not distinguish
+   between acceptor and initiator credentials, both references would
+   point to the same underlying mechanism-specific authentication data.
+
+   Credentials describe a set of mechanism-specific principals, and give
+   their holder the ability to act as any of those principals. All
+   principal identities asserted by a single GSS-API credential should
+   belong to the same entity, although enforcement of this property is
+   an implementation-specific matter.  The GSS-API does not make the
+   actual credentials available to applications; instead a credential
+   handle is used to identify a particular credential, held internally
+   by GSS-API.  The combination of GSS-API credential handle and
+   mechanism identifies the principal whose identity will be asserted by
+   the credential when used with that mechanism.
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow
+   the value GSS_C_NO_CREDENTIAL to be specified as their credential
+   handle parameter.  This special credential-handle indicates a desire
+   by the application to act as a default principal.  While individual
+   GSS-API implementations are free to determine such default behavior
+   as appropriate to the mechanism, the following default behavior by
+   these routines is recommended for portability:
+
+   gss_init_sec_context
+
+      1) If there is only a single principal capable of initiating
+         security contexts for the chosen mechanism that the application
+         is authorized to act on behalf of, then that principal shall be
+         used, otherwise
+
+      2) If the platform maintains a concept of a default network-
+         identity for the chosen mechanism, and if the application is
+         authorized to act on behalf of that identity for the purpose of
+         initiating security contexts, then the principal corresponding
+         to that identity shall be used, otherwise
+
+      3) If the platform maintains a concept of a default local
+         identity, and provides a means to map local identities into
+         network-identities for the chosen mechanism, and if the
+         application is authorized to act on behalf of the network-
+         identity image of the default local identity for the purpose of
+
+
+
+
+
+Wray                        Standards Track                     [Page 9]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+         initiating security contexts using the chosen mechanism, then
+         the principal corresponding to that identity shall be used,
+         otherwise
+
+      4) A user-configurable default identity should be used.
+
+   gss_accept_sec_context
+
+      1) If there is only a single authorized principal identity capable
+         of accepting security contexts for the chosen mechanism, then
+         that principal shall be used, otherwise
+
+      2) If the mechanism can determine the identity of the target
+         principal by examining the context-establishment token, and if
+         the accepting application is authorized to act as that
+         principal for the purpose of accepting security contexts using
+         the chosen mechanism, then that principal identity shall be
+         used, otherwise
+
+      3) If the mechanism supports context acceptance by any principal,
+         and if mutual authentication was not requested, any principal
+         that the application is authorized to accept security contexts
+         under using the chosen mechanism may be used, otherwise
+
+      4)A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than ones
+   that use gss_acquire_cred to request a specific identity.
+
+3.6. Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSS-API security context.  It should be
+   implemented as a pointer or arithmetic type.  If a pointer type is
+   chosen, care should be taken to ensure that two gss_ctx_id_t values
+   may be compared with the == operator.
+
+   The security context holds state information about each end of a peer
+   communication, including cryptographic state information.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 10]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.7. Authentication tokens
+
+   A token is a caller-opaque type that GSS-API uses to maintain
+   synchronization between the context data structures at each end of a
+   GSS-API security context.  The token is a cryptographically protected
+   octet-string, generated by the underlying mechanism at one end of a
+   GSS-API security context for use by the peer mechanism at the other
+   end.  Encapsulation (if required) and transfer of the token are the
+   responsibility of the peer applications.  A token is passed between
+   the GSS-API and the application using the gss_buffer_t conventions.
+
+3.8. Interprocess tokens
+
+   Certain GSS-API routines are intended to transfer data between
+   processes in multi-process programs.  These routines use a caller-
+   opaque octet-string, generated by the GSS-API in one process for use
+   by the GSS-API in another process.  The calling application is
+   responsible for transferring such tokens between processes in an OS-
+   specific manner.  Note that, while GSS-API implementors are
+   encouraged to avoid placing sensitive information within interprocess
+   tokens, or to cryptographically protect them, many implementations
+   will be unable to avoid placing key material or other sensitive data
+   within them.  It is the application's responsibility to ensure that
+   interprocess tokens are protected in transit, and transferred only to
+   processes that are trustworthy. An interprocess token is passed
+   between the GSS-API and the application using the gss_buffer_t
+   conventions.
+
+3.9. Status values
+
+   Every GSS-API routine returns two distinct values to report status
+   information to the caller: GSS status codes and Mechanism status
+   codes.
+
+3.9.1. GSS status codes
+
+   GSS-API routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism(s) used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSS-API
+   specification) or calling errors (errors that are specific to these
+   language bindings).
+
+   A GSS status code can indicate a single fatal generic API error from
+   the routine and a single calling error.  In addition, supplementary
+   status information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+
+
+Wray                        Standards Track                    [Page 11]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+      MSB                                                        LSB
+      |------------------------------------------------------------|
+      |  Calling Error | Routine Error  |    Supplementary Info    |
+      |------------------------------------------------------------|
+   Bit 31            24 23            16 15                       0
+
+   Hence if a GSS-API routine returns a GSS status code whose upper 16
+   bits contain a non-zero value, the call failed.  If the calling error
+   field is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper
+   16 bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info
+   field of the status code. The meaning of individual bits is listed
+   below in table 5-3.
+
+   Table 3-1  Calling Errors
+
+   Name                   Value in field           Meaning
+   ----                   --------------           -------
+   GSS_S_CALL_INACCESSIBLE_READ  1       A required input parameter
+                                         could not be read
+   GSS_S_CALL_INACCESSIBLE_WRITE 2       A required output parameter
+                                          could not be written.
+   GSS_S_CALL_BAD_STRUCTURE      3       A parameter was malformed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 12]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 3-2  Routine Errors
+
+   Name                   Value in field           Meaning
+   ----                   --------------           -------
+   GSS_S_BAD_MECH                1       An unsupported mechanism
+                                         was requested
+   GSS_S_BAD_NAME                2       An invalid name was
+                                         supplied
+   GSS_S_BAD_NAMETYPE            3       A supplied name was of an
+                                         unsupported type
+   GSS_S_BAD_BINDINGS            4       Incorrect channel bindings
+                                         were supplied
+   GSS_S_BAD_STATUS              5       An invalid status code was
+                                         supplied
+   GSS_S_BAD_MIC GSS_S_BAD_SIG   6       A token had an invalid MIC
+   GSS_S_NO_CRED                 7       No credentials were
+                                         supplied, or the
+                                         credentials were
+                                         unavailable or
+                                         inaccessible.
+   GSS_S_NO_CONTEXT              8       No context has been
+                                         established
+   GSS_S_DEFECTIVE_TOKEN         9       A token was invalid
+   GSS_S_DEFECTIVE_CREDENTIAL   10       A credential was invalid
+   GSS_S_CREDENTIALS_EXPIRED    11       The referenced credentials
+                                         have expired
+   GSS_S_CONTEXT_EXPIRED        12       The context has expired
+   GSS_S_FAILURE                13       Miscellaneous failure (see
+                                         text)
+   GSS_S_BAD_QOP                14       The quality-of-protection
+                                         requested could not be
+                                         provided
+   GSS_S_UNAUTHORIZED           15       The operation is forbidden
+                                         by local security policy
+   GSS_S_UNAVAILABLE            16       The operation or option is
+                                         unavailable
+   GSS_S_DUPLICATE_ELEMENT      17       The requested credential
+                                         element already exists
+   GSS_S_NAME_NOT_MN            18       The provided name was not a
+                                         mechanism name
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 13]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 3-3  Supplementary Status Bits
+
+   Name                   Bit Number           Meaning
+   ----                   ----------           -------
+   GSS_S_CONTINUE_NEEDED   0 (LSB)   Returned only by
+                                     gss_init_sec_context or
+                                     gss_accept_sec_context. The
+                                     routine must be called again
+                                     to complete its function.
+                                     See routine documentation for
+                                     detailed description
+   GSS_S_DUPLICATE_TOKEN   1         The token was a duplicate of
+                                     an earlier token
+   GSS_S_OLD_TOKEN         2         The token's validity period
+                                     has expired
+   GSS_S_UNSEQ_TOKEN       3         A later token has already been
+                                     processed
+   GSS_S_GAP_TOKEN         4         An expected per-message token
+                                     was not received
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is
+   a zero value, to indicate an absence of any API errors or
+   supplementary information bits.
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes,
+   rather than to bitfield values.  For example, the actual value of the
+   symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is
+   3<<16.  The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS
+   status code and removes all but the relevant field.  For example, the
+   value obtained by applying GSS_ROUTINE_ERROR to a status code removes
+   the calling errors and supplementary info fields, leaving only the
+   routine errors field.  The values delivered by these macros may be
+   directly compared with a GSS_S_xxx symbol of the appropriate type.
+   The macro GSS_ERROR() is also provided, which when applied to a GSS
+   status code returns a non-zero value if the status code indicated a
+   calling or routine error, and a zero value otherwise.  All macros
+   defined by GSS-API evaluate their argument(s) exactly once.
+
+   A GSS-API implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value;  routine errors and supplementary info should be returned via
+   major status values only.
+
+   The GSS major status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS
+   status code is defined.  The mechanism-specific status code will
+   provide more details about the error.
+
+
+
+Wray                        Standards Track                    [Page 14]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.9.2. Mechanism-specific status codes
+
+   GSS-API routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error,
+   indicated by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSS-API routine,
+   even if it returns a calling error or one of the generic API errors
+   indicated above as fatal, although most other output parameters may
+   remain unset in such cases.  However, output parameters that are
+   expected to return pointers to storage allocated by a routine must
+   always be set by the routine, even in the event of an error, although
+   in such cases the GSS-API routine may elect to set the returned
+   parameter value to NULL to indicate that no storage was actually
+   allocated.  Any length field associated with such pointers (as in a
+   gss_buffer_desc structure) should also be set to zero in such cases.
+
+3.10. Names
+
+   A name is used to identify a person or entity.  GSS-API authenticates
+   the relationship between a name and the entity claiming the name.
+
+   Since different authentication mechanisms may employ different
+   namespaces for identifying their principals, GSSAPI's naming support
+   is necessarily complex in multi-mechanism environments (or even in
+   some single-mechanism environments where the underlying mechanism
+   supports multiple namespaces).
+
+   Two distinct representations are defined for names:
+
+   An internal form.  This is the GSS-API "native" format for names,
+      represented by the implementation-specific gss_name_t type.  It is
+      opaque to GSS-API callers.  A single gss_name_t object may contain
+      multiple names from different namespaces, but all names should
+      refer to the same entity.  An example of such an internal name
+      would be the name returned from a call to the gss_inquire_cred
+      routine, when applied to a credential containing credential
+      elements for multiple authentication mechanisms employing
+      different namespaces.  This gss_name_t object will contain a
+      distinct name for the entity for each authentication mechanism.
+
+      For GSS-API implementations supporting multiple namespaces,
+      objects of type gss_name_t must contain sufficient information to
+      determine the namespace to which each primitive name belongs.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 15]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Mechanism-specific contiguous octet-string forms.  A format
+      capable of containing a single name (from a single namespace).
+      Contiguous string names are always accompanied by an object
+      identifier specifying the namespace to which the name belongs, and
+      their format is dependent on the authentication mechanism that
+      employs the name.  Many, but not all, contiguous string names will
+      be printable, and may therefore be used by GSS-API applications
+      for communication with their users.
+
+   Routines (gss_import_name and gss_display_name) are provided to
+   convert names between contiguous string representations and the
+   internal gss_name_t type.  gss_import_name may support multiple
+   syntaxes for each supported namespace, allowing users the freedom to
+   choose a preferred name representation. gss_display_name should use
+   an implementation-chosen printable syntax for each supported name-
+   type.
+
+   If an application calls gss_display_name(), passing the internal name
+   resulting from a call to gss_import_name(), there is no guarantee the
+   the resulting contiguous string name will be the same as the original
+   imported string name.  Nor do name-space identifiers necessarily
+   survive unchanged after a journey through the internal name-form.  An
+   example of this might be a mechanism that authenticates X.500 names,
+   but provides an algorithmic mapping of Internet DNS names into X.500.
+   That mechanism's implementation of gss_import_name() might, when
+   presented with a DNS name, generate an internal name that contained
+   both the original DNS name and the equivalent X.500 name.
+   Alternatively, it might only store the X.500 name.  In the latter
+   case, gss_display_name() would most likely generate a printable X.500
+   name, rather than the original DNS name.
+
+   The process of authentication delivers to the context acceptor an
+   internal name.  Since this name has been authenticated by a single
+   mechanism, it contains only a single name (even if the internal name
+   presented by the context initiator to gss_init_sec_context had
+   multiple components).  Such names are termed internal mechanism
+   names, or "MN"s and the names emitted by gss_accept_sec_context() are
+   always of this type.  Since some applications may require MNs without
+   wanting to incur the overhead of an authentication operation, a
+   second function, gss_canonicalize_name(), is provided to convert a
+   general internal name into an MN.
+
+   Comparison of internal-form names may be accomplished via the
+   gss_compare_name() routine, which returns true if the two names being
+   compared refer to the same entity.  This removes the need for the
+   application program to understand the syntaxes of the various
+   printable names that a given GSS-API implementation may support.
+   Since GSS-API assumes that all primitive names contained within a
+
+
+
+Wray                        Standards Track                    [Page 16]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   given internal name refer to the same entity, gss_compare_name() can
+   return true if the two names have at least one primitive name in
+   common.  If the implementation embodies knowledge of equivalence
+   relationships between names taken from different namespaces, this
+   knowledge may also allow successful comparison of internal names
+   containing no overlapping primitive elements.
+
+   When used in large access control lists, the overhead of invoking
+   gss_import_name() and gss_compare_name() on each name from the ACL
+   may be prohibitive.  As an alternative way of supporting this case,
+   GSS-API defines a special form of the contiguous string name which
+   may be compared directly (e.g. with memcmp()).  Contiguous names
+   suitable for comparison are generated by the gss_export_name()
+   routine, which requires an MN as input.  Exported names may be re-
+   imported by the gss_import_name() routine, and the resulting internal
+   name will also be an MN.  The gss_OID constant GSS_C_NT_EXPORT_NAME
+   indentifies the "export name" type, and the value of this constant is
+   given in Appendix A.  Structurally, an exported name object consists
+   of a header containing an OID identifying the mechanism that
+   authenticated the name, and a trailer containing the name itself,
+   where the syntax of the trailer is defined by the individual
+   mechanism specification.   The precise format of an export name is
+   defined in the language-independent GSS-API specification [GSSAPI].
+
+   Note that the results obtained by using gss_compare_name() will in
+   general be different from those obtained by invoking
+   gss_canonicalize_name() and gss_export_name(), and then comparing the
+   exported names.  The first series of operation determines whether two
+   (unauthenticated) names identify the same principal; the second
+   whether a particular mechanism would authenticate them as the same
+   principal.  These two operations will in general give the same
+   results only for MNs.
+
+   The gss_name_t datatype should be implemented as a pointer type. To
+   allow the compiler to aid the application programmer by performing
+   type-checking, the use of (void *) is discouraged.  A pointer to an
+   implementation-defined type is the preferred choice.
+
+   Storage is allocated by routines that return gss_name_t values. A
+   procedure, gss_release_name, is provided to free storage associated
+   with an internal-form name.
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 17]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.11. Channel Bindings
+
+   GSS-API supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are intended to be used
+   to identify the particular communications channel that carries the
+   context.  Channel bindings are communicated to the GSS-API using the
+   following structure:
+
+   typedef struct gss_channel_bindings_struct {
+      OM_uint32       initiator_addrtype;
+      gss_buffer_desc initiator_address;
+      OM_uint32       acceptor_addrtype;
+      gss_buffer_desc acceptor_address;
+      gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type
+   of addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+   GSS_C_AF_UNSPEC     Unspecified address type
+   GSS_C_AF_LOCAL      Host-local address type
+   GSS_C_AF_INET       Internet address type (e.g. IP)
+   GSS_C_AF_IMPLINK    ARPAnet IMP address type
+   GSS_C_AF_PUP        pup protocols (eg BSP) address type
+   GSS_C_AF_CHAOS      MIT CHAOS protocol address type
+   GSS_C_AF_NS         XEROX NS address type
+   GSS_C_AF_NBS        nbs address type
+   GSS_C_AF_ECMA       ECMA address type
+   GSS_C_AF_DATAKIT    datakit protocols address type
+   GSS_C_AF_CCITT      CCITT protocols
+   GSS_C_AF_SNA        IBM SNA address type
+   GSS_C_AF_DECnet     DECnet address type
+   GSS_C_AF_DLI        Direct data link interface address type
+   GSS_C_AF_LAT        LAT address type
+   GSS_C_AF_HYLINK     NSC Hyperchannel address type
+   GSS_C_AF_APPLETALK  AppleTalk address type
+   GSS_C_AF_BSC        BISYNC 2780/3780 address type
+   GSS_C_AF_DSS        Distributed system services address type
+   GSS_C_AF_OSI        OSI TP4 address type
+   GSS_C_AF_X25        X.25
+   GSS_C_AF_NULLADDR   No address specified
+
+   Note that these symbols name address families rather than specific
+   addressing formats.  For address families that contain several
+   alternative address forms, the initiator_address and acceptor_address
+   fields must contain sufficient information to determine which address
+
+
+
+
+Wray                        Standards Track                    [Page 18]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   form is used.  When not otherwise specified, addresses should be
+   specified in network byte-order (that is, native byte-ordering for
+   the address family).
+
+   Conceptually, the GSS-API concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism calculates a
+   MIC over this octet string, and binds the MIC to the context
+   establishment token emitted by gss_init_sec_context. The same
+   bindings are presented by the context acceptor to
+   gss_accept_sec_context, and a MIC is calculated in the same way. The
+   calculated MIC is compared with that found in the token, and if the
+   MICs differ, gss_accept_sec_context will return a GSS_S_BAD_BINDINGS
+   error, and the context will not be established.  Some mechanisms may
+   include the actual channel binding data in the token (rather than
+   just a MIC); applications should therefore not use confidential data
+   as channel-binding components.
+
+   Individual mechanisms may impose additional constraints on addresses
+   and address types that may appear in channel bindings.  For example,
+   a mechanism may verify that the initiator_address field of the
+   channel bindings presented to gss_init_sec_context contains the
+   correct network address of the host system.  Portable applications
+   should therefore ensure that they either provide correct information
+   for the address fields, or omit addressing information, specifying
+   GSS_C_AF_NULLADDR as the address-types.
+
+3.12. Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+3.12.1. gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned
+   via the parameter is not required by the application.
+
+3.12.2. Integer types (input)
+
+   Individual parameter documentation lists values to be used to
+   indicate default actions.
+
+
+
+
+
+Wray                        Standards Track                    [Page 19]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.12.3. Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+3.12.4. Pointer types
+
+   Specify NULL as the value.
+
+3.12.5. Object IDs
+
+   Specify GSS_C_NO_OID as the value.
+
+3.12.6. Object ID Sets
+
+   Specify GSS_C_NO_OID_SET as the value.
+
+3.12.7. Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings
+   are not to be used.
+
+4.   Additional Controls
+
+   This section discusses the optional services that a context initiator
+   may request of the GSS-API at context establishment. Each of these
+   services is requested by setting a flag in the req_flags input
+   parameter to gss_init_sec_context.
+
+   The optional services currently defined are:
+
+   Delegation - The (usually temporary) transfer of rights from
+       initiator to acceptor, enabling the acceptor to authenticate
+       itself as an agent of the initiator.
+
+   Mutual Authentication - In addition to the initiator authenticating
+       its identity to the context acceptor, the context acceptor should
+       also authenticate itself to the initiator.
+
+   Replay detection - In addition to providing message integrity
+       services, gss_get_mic and gss_wrap should include message
+       numbering information to enable gss_verify_mic and gss_unwrap to
+       detect if a message has been duplicated.
+
+   Out-of-sequence detection - In addition to providing message
+       integrity services, gss_get_mic and gss_wrap should include
+       message sequencing information to enable gss_verify_mic and
+       gss_unwrap to detect if a message has been received out of
+       sequence.
+
+
+
+Wray                        Standards Track                    [Page 20]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Anonymous authentication - The establishment of the security context
+       should not reveal the initiator's identity to the context
+       acceptor.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application,
+   and should be set to zero when returned to the application by the
+   GSS-API implementation.
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both gss_init_sec_context and gss_accept_sec_context inform the
+   applications which services will be available from the context when
+   the establishment phase is complete, via the ret_flags output
+   parameter.  In general, if the security mechanism is capable of
+   providing a requested service, it should do so, even if additional
+   services must be enabled in order to provide the requested service.
+   If the mechanism is incapable of providing a requested service, it
+   should proceed without the service, leaving the application to abort
+   the context establishment process if it considers the requested
+   service to be mandatory.
+
+   Some mechanisms may specify that support for some services is
+   optional, and that implementors of the mechanism need not provide it.
+   This is most commonly true of the confidentiality service, often
+   because of legal restrictions on the use of data-encryption, but may
+   apply to any of the services.  Such mechanisms are required to send
+   at least one token from acceptor to initiator during context
+   establishment when the initiator indicates a desire to use such a
+   service, so that the initiating GSS-API can correctly indicate
+   whether the service is supported by the acceptor's GSS-API.
+
+4.1. Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a boolean parameter to gss_init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an
+   application to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   gss_accept_sec_context) a credential handle that contains the
+   delegated identity, and this credential handle may be used to
+   initiate subsequent GSS-API security contexts as an agent or delegate
+   of the initiator.  If the original initiator's identity is "A" and
+   the delegate's identity is "B", then, depending on the underlying
+   mechanism, the identity embodied by the delegated credential may be
+
+
+
+Wray                        Standards Track                    [Page 21]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple boolean does
+   not provide enough control.  Examples of additional aspects of
+   delegation control that a mechanism might provide to an application
+   are duration of delegation, network addresses from which delegation
+   is valid, and constraints on the tasks that may be performed by a
+   delegate.  Such controls are presently outside the scope of the GSS-
+   API.  GSS-API implementations supporting mechanisms offering
+   additional controls should provide extension routines that allow
+   these controls to be exercised (perhaps by modifying the initiator's
+   GSS-API credential prior to its use in establishing a context).
+   However, the simple delegation control provided by GSS-API should
+   always be able to over-ride other mechanism-specific delegation
+   controls - If the application instructs gss_init_sec_context() that
+   delegation is not desired, then the implementation must not permit
+   delegation to occur. This is an exception to the general rule that a
+   mechanism may enable services even if they are not requested -
+   delegation may only be provided at the explicit request of the
+   application.
+
+4.2. Mutual authentication
+
+   Usually, a context acceptor will require that a context initiator
+   authenticate itself so that the acceptor may make an access-control
+   decision prior to performing a service for the initiator.  In some
+   cases, the initiator may also request that the acceptor authenticate
+   itself.  GSS-API allows the initiating application to request this
+   mutual authentication service by setting a flag when calling
+   gss_init_sec_context.
+
+   The initiating application is informed as to whether or not the
+   context acceptor has authenticated itself.  Note that some mechanisms
+   may not support mutual authentication, and other mechanisms may
+   always perform mutual authentication, whether or not the initiating
+   application requests it.  In particular, mutual authentication my be
+   required by some mechanisms in order to support replay or out-of-
+   sequence message detection, and for such mechanisms a request for
+   either of these services will automatically enable mutual
+   authentication.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 22]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.3. Replay and out-of-sequence detection
+
+   The GSS-API may provide detection of mis-ordered message once a
+   security context has been established.  Protection may be applied to
+   messages by either application, by calling either gss_get_mic or
+   gss_wrap, and verified by the peer application by calling
+   gss_verify_mic or gss_unwrap.
+
+   gss_get_mic calculates a cryptographic MIC over an application
+   message, and returns that MIC in a token.  The application should
+   pass both the token and the message to the peer application, which
+   presents them to gss_verify_mic.
+
+   gss_wrap calculates a cryptographic MIC of an application message,
+   and places both the MIC and the message inside a single token.  The
+   Application should pass the token to the peer application, which
+   presents it to gss_unwrap to extract the message and verify the MIC.
+
+   Either pair of routines may be capable of detecting out-of-sequence
+   message delivery, or duplication of messages. Details of such mis-
+   ordered messages are indicated through supplementary status bits in
+   the major status code returned by gss_verify_mic or gss_unwrap.  The
+   relevant supplementary bits are:
+
+   GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has
+                    already been received and processed.  Only
+                    contexts that claim to provide replay detection
+                    may set this bit.
+   GSS_S_OLD_TOKEN - The token is too old to determine whether or
+                    not it is a duplicate.  Contexts supporting
+                    out-of-sequence detection but not replay
+                    detection should always set this bit if
+                    GSS_S_UNSEQ_TOKEN is set; contexts that support
+                    replay detection should only set this bit if the
+                    token is so old that it cannot be checked for
+                    duplication.
+   GSS_S_UNSEQ_TOKEN - A later token has already been processed.
+   GSS_S_GAP_TOKEN - An earlier token has not yet been received.
+
+   A mechanism need not maintain a list of all tokens that have been
+   processed in order to support these status codes.  A typical
+   mechanism might retain information about only the most recent "N"
+   tokens processed, allowing it to distinguish duplicates and missing
+   tokens within the most recent "N" messages; the receipt of a token
+   older than the most recent "N" would result in a GSS_S_OLD_TOKEN
+   status.
+
+
+
+
+
+Wray                        Standards Track                    [Page 23]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.4. Anonymous Authentication
+
+   In certain situations, an application may wish to initiate the
+   authentication process to authenticate a peer, without revealing its
+   own identity.  As an example, consider an application providing
+   access to a database containing medical information, and offering
+   unrestricted access to the service.  A client of such a service might
+   wish to authenticate the service (in order to establish trust in any
+   information retrieved from it), but might not wish the service to be
+   able to obtain the client's identity (perhaps due to privacy concerns
+   about the specific inquiries, or perhaps simply to avoid being placed
+   on mailing-lists).
+
+   In normal use of the GSS-API, the initiator's identity is made
+   available to the acceptor as a result of the context establishment
+   process.  However, context initiators may request that their identity
+   not be revealed to the context acceptor. Many mechanisms do not
+   support anonymous authentication, and for such mechanisms the request
+   will not be honored.  An authentication token will be still be
+   generated, but the application is always informed if a requested
+   service is unavailable, and has the option to abort context
+   establishment if anonymity is valued above the other security
+   services that would require a context to be established.
+
+   In addition to informing the application that a context is
+   established anonymously (via the ret_flags outputs from
+   gss_init_sec_context and gss_accept_sec_context), the optional
+   src_name output from gss_accept_sec_context and gss_inquire_context
+   will, for such contexts, return a reserved internal-form name,
+   defined by the implementation.
+
+   When presented to gss_display_name, this reserved internal-form name
+   will result in a printable name that is syntactically distinguishable
+   from any valid principal name supported by the implementation,
+   associated with a name-type object identifier with the value
+   GSS_C_NT_ANONYMOUS, whose value us given in Appendix A.  The
+   printable form of an anonymous name should be chosen such that it
+   implies anonymity, since this name may appear in, for example, audit
+   logs.  For example, the string "<anonymous>" might be a good choice,
+   if no valid printable names supported by the implementation can begin
+   with "<" and end with ">".
+
+4.5. Confidentiality
+
+   If a context supports the confidentiality service, gss_wrap may be
+   used to encrypt application messages.  Messages are selectively
+   encrypted, under the control of the conf_req_flag input parameter to
+   gss_wrap.
+
+
+
+Wray                        Standards Track                    [Page 24]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.6. Inter-process context transfer
+
+   GSS-API V2 provides routines (gss_export_sec_context and
+   gss_import_sec_context) which allow a security context to be
+   transferred between processes on a single machine.  The most common
+   use for such a feature is a client-server design where the server is
+   implemented as a single process that accepts incoming security
+   contexts, which then launches child processes to deal with the data
+   on these contexts.  In such a design, the child processes must have
+   access to the security context data structure created within the
+   parent by its call to gss_accept_sec_context so that they can use
+   per-message protection services and delete the security context when
+   the communication session ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a
+   context between processes.  Thus GSS-API provides a call
+   (gss_export_sec_context) that the process which currently owns the
+   context can call to declare that it has no intention to use the
+   context subsequently, and to create an inter-process token containing
+   information needed by the adopting process to successfully import the
+   context.  After successful completion of gss_export_sec_context, the
+   original security context is made inaccessible to the calling process
+   by GSS-API, and any context handles referring to this context are no
+   longer valid.  The originating process transfers the inter-process
+   token to the adopting process, which passes it to
+   gss_import_sec_context, and a fresh gss_ctx_id_t is created such that
+   it is functionally identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys). Applications using
+   inter-process tokens to transfer security contexts must take
+   appropriate steps to protect these tokens in transit.
+
+   Implementations are not required to support the inter-process
+   transfer of security contexts.  The ability to transfer a security
+   context is indicated when the context is created, by
+   gss_init_sec_context or gss_accept_sec_context setting the
+   GSS_C_TRANS_FLAG bit in their ret_flags parameter.
+
+4.7. The use of incomplete contexts
+
+   Some mechanisms may allow the per-message services to be used before
+   the context establishment process is complete.  For example, a
+   mechanism may include sufficient information in its initial context-
+   level token for the context acceptor to immediately decode messages
+   protected with gss_wrap or gss_get_mic.  For such a mechanism, the
+   initiating application need not wait until subsequent context-level
+
+
+
+Wray                        Standards Track                    [Page 25]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   tokens have been sent and received before invoking the per-message
+   protection services.
+
+   The ability of a context to provide per-message services in advance
+   of complete context establishment is indicated by the setting of the
+   GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from
+   gss_init_sec_context and gss_accept_sec_context. Applications wishing
+   to use per-message protection services on partially-established
+   contexts should check this flag before attempting to invoke gss_wrap
+   or gss_get_mic.
+
+5. GSS-API Routine Descriptions
+
+   In addition to the explicit major status codes documented here, the
+   code GSS_S_FAILURE may be returned by any routine, indicating an
+   implementation-specific or mechanism-specific error condition,
+   further details of which are reported via the minor_status parameter.
+
+5.1. gss_accept_sec_context
+
+   OM_uint32 gss_accept_sec_context (
+     OM_uint32           *minor_status,
+     gss_ctx_id_t        *context_handle,
+     const gss_cred_id_t acceptor_cred_handle,
+     const gss_buffer_t  input_token_buffer,
+     const gss_channel_bindings_t  input_chan_bindings,
+     const gss_name_t    *src_name,
+     gss_OID             *mech_type,
+     gss_buffer_t        output_token,
+     OM_uint32           *ret_flags,
+     OM_uint32           *time_rec,
+     gss_cred_id_t       *delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application
+   and a remote peer to be established.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_init_sec_context.
+   If no token need be sent, gss_accept_sec_context will indicate this
+   by setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_accept_sec_context
+   will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_accept_sec_context via the
+   input_token parameters.
+
+
+
+
+Wray                        Standards Track                    [Page 26]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Portable applications should be constructed to use the token length
+   and return status to determine whether a token needs to be sent or
+   waited for.  Thus a typical portable caller should always invoke
+   gss_accept_sec_context within a loop:
+
+   gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+
+   do {
+     receive_token_from_peer(input_token);
+     maj_stat = gss_accept_sec_context(&min_stat,
+                                       &context_hdl,
+                                       cred_hdl,
+                                       input_token,
+                                       input_bindings,
+                                       &client_name,
+                                       &mech_type,
+                                       output_token,
+                                       &ret_flags,
+                                       &time_rec,
+                                       &deleg_cred);
+     if (GSS_ERROR(maj_stat)) {
+       report_error(maj_stat, min_stat);
+     };
+     if (output_token->length != 0) {
+       send_token_to_peer(output_token);
+
+       gss_release_buffer(&min_stat, output_token);
+     };
+     if (GSS_ERROR(maj_stat)) {
+       if (context_hdl != GSS_C_NO_CONTEXT)
+         gss_delete_sec_context(&min_stat,
+                                &context_hdl,
+                                GSS_C_NO_BUFFER);
+       break;
+     };
+   } while (maj_stat & GSS_S_CONTINUE_NEEDED);
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+   The value returned via the time_rec parameter is undefined Unless the
+   accompanying ret_flags parameter contains the bit
+   GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+   applied in advance of a successful completion status, the value
+   returned via the mech_type parameter may be undefined until the
+   routine returns a major status value of GSS_S_COMPLETE.
+
+
+
+
+Wray                        Standards Track                    [Page 27]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   The values of the GSS_C_DELEG_FLAG,
+   GSS_C_MUTUAL_FLAG,GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG,
+   GSS_C_CONF_FLAG,GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned
+   via the ret_flags parameter should contain the values that the
+   implementation expects would be valid if context establishment were
+   to succeed.
+
+   The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+   within ret_flags should indicate the actual state at the time
+   gss_accept_sec_context returns, whether or not the context is fully
+   established.
+
+   Although this requires that GSS-API implementations set the
+   GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+   (i.e. when accompanied by a GSS_S_COMPLETE status code), applications
+   should not rely on this behavior as the flag was not defined in
+   Version 1 of the GSS-API. Instead, applications should be prepared to
+   use per-message services after a successful context establishment,
+   according to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
+
+   All other bits within the ret_flags argument should be set to zero.
+   While the routine returns GSS_S_CONTINUE_NEEDED, the values returned
+   via the ret_flags argument indicate the services that the
+   implementation expects to be available from the established context.
+
+   If the initial call of gss_accept_sec_context() fails, the
+   implementation should not create a context object, and should leave
+   the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security
+   context (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
+   security context (and the context_handle parameter) untouched for the
+   application to delete (using gss_delete_sec_context).
+
+   During context establishment, the informational status bits
+   GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
+   GSS-API mechanisms should always return them in association with a
+   routine error of GSS_S_FAILURE.  This requirement for pairing did not
+   exist in version 1 of the GSS-API specification, so applications that
+   wish to run over version 1 implementations must special-case these
+   codes.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 28]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   context_handle    gss_ctx_id_t, read/modify context handle for new
+                        context.  Supply GSS_C_NO_CONTEXT for first
+                        call; use value returned in subsequent calls.
+                        Once gss_accept_sec_context() has returned a
+                        value via this parameter, resources have been
+                        assigned to the corresponding context, and must
+                        be freed by the application after use with a
+                        call to gss_delete_sec_context().
+
+
+   acceptor_cred_handle  gss_cred_id_t, read Credential handle claimed
+                         by context acceptor. Specify
+                         GSS_C_NO_CREDENTIAL to accept the context as a
+                         default principal.  If GSS_C_NO_CREDENTIAL is
+                         specified, but no default acceptor principal is
+                         defined, GSS_S_NO_CRED will be returned.
+
+   input_token_buffer   buffer, opaque, read token obtained from remote
+                        application.
+
+   input_chan_bindings  channel bindings, read, optional Application-
+                        specified bindings.  Allows application to
+                        securely bind channel identification information
+                        to the security context.  If channel bindings
+                        are not used, specify GSS_C_NO_CHANNEL_BINDINGS.
+
+   src_name             gss_name_t, modify, optional Authenticated name
+                        of context initiator.  After use, this name
+                        should be deallocated by passing it to
+                        gss_release_name().  If not required, specify
+                        NULL.
+
+   mech_type            Object ID, modify, optional Security mechanism
+                        used.  The returned OID value will be a pointer
+                        into static storage, and should be treated as
+                        read-only by the caller (in particular, it does
+                        not need to be freed).  If not required, specify
+                        NULL.
+
+   output_token         buffer, opaque, modify Token to be passed to
+                        peer application.  If the length field of the
+                        returned token buffer is 0, then no token need
+                        be passed to the peer application.  If a non-
+                        zero length field is returned, the associated
+                        storage must be freed after use by the
+                        application with a call to gss_release_buffer().
+
+
+
+Wray                        Standards Track                    [Page 29]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   ret_flags            bit-mask, modify, optional Contains various
+                        independent flags, each of which indicates that
+                        the context supports a specific service option.
+                        If not needed, specify NULL.  Symbolic names are
+                        provided for each flag, and the symbolic names
+                        corresponding to the required flags should be
+                        logically-ANDed with the ret_flags value to test
+                        whether a given option is supported by the
+                        context.  The flags are:
+                        GSS_C_DELEG_FLAG
+                        True - Delegated credentials are available
+                               via the delegated_cred_handle
+                               parameter
+                        False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                        True - Remote peer asked for mutual
+                               authentication
+                        False - Remote peer did not ask for mutual
+                                authentication
+                        GSS_C_REPLAY_FLAG
+                        True - replay of protected messages
+                               will be detected
+                        False - replayed messages will not be
+                                detected
+                        GSS_C_SEQUENCE_FLAG
+                        True - out-of-sequence protected
+                               messages will be detected
+                        False - out-of-sequence messages will not
+                                be detected
+                        GSS_C_CONF_FLAG
+                        True - Confidentiality service may be
+                               invoked by calling the gss_wrap
+                               routine
+                        False - No confidentiality service (via
+                                gss_wrap) available. gss_wrap will
+                                provide message encapsulation,
+                                data-origin authentication and
+                                integrity services only.
+                        GSS_C_INTEG_FLAG
+                        True - Integrity service may be invoked by
+                               calling either gss_get_mic or
+                               gss_wrap routines.
+                        False - Per-message integrity service
+                                unavailable.
+                        GSS_C_ANON_FLAG
+                        True - The initiator does not wish to
+                               be authenticated; the src_name
+                               parameter (if requested) contains
+
+
+
+Wray                        Standards Track                    [Page 30]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                               an anonymous internal name.
+                        False - The initiator has been
+                                authenticated normally.
+                        GSS_C_PROT_READY_FLAG
+                        True - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               if the accompanying major status
+                               return value is either GSS_S_COMPLETE
+                               or GSS_S_CONTINUE_NEEDED.
+                        False - Protection services (as specified
+                                by the states of the GSS_C_CONF_FLAG
+                                and GSS_C_INTEG_FLAG) are available
+                                only if the accompanying major status
+                                return value is GSS_S_COMPLETE.
+                        GSS_C_TRANS_FLAG
+                        True - The resultant security context may
+                               be transferred to other processes via
+                               a call to gss_export_sec_context().
+                        False - The security context is not
+                                transferable.
+                        All other bits should be set to zero.
+
+   time_rec             Integer, modify, optional
+                        number of seconds for which the context will
+                        remain valid. Specify NULL if not required.
+
+   delegated_cred_handle
+                        gss_cred_id_t, modify, optional credential
+                        handle for credentials received from context
+                        initiator.  Only valid if deleg_flag in
+                        ret_flags is true, in which case an explicit
+                        credential handle (i.e. not GSS_C_NO_CREDENTIAL)
+                        will be returned; if deleg_flag is false,
+                        gss_accept_context() will set this parameter to
+                        GSS_C_NO_CREDENTIAL.  If a credential handle is
+                        returned, the associated resources must be
+                        released by the application after use with a
+                        call to gss_release_cred().  Specify NULL if not
+                        required.
+
+   minor_status         Integer, modify
+                        Mechanism specific status code.
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                         application is required to complete the
+                         context, and that gss_accept_sec_context must
+                         be called again with that token.
+
+
+
+Wray                        Standards Track                    [Page 31]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
+                         the input_token failed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                         performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                         acceptance, or the credential handle did not
+                         reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+
+   GSS_S_BAD_BINDINGS  The input_token contains different channel
+                         bindings to those specified via the
+                         input_chan_bindings parameter.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                         refer to a valid context.
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC.
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                         during context establishment.
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
+                         a token already processed.  This is a fatal
+                         error during context establishment.
+
+   GSS_S_BAD_MECH    The received token specified a mechanism that is
+                         not supported by the implementation or the
+                         provided credential.
+
+5.2. gss_acquire_cred
+
+   OM_uint32 gss_acquire_cred (
+     OM_uint32         *minor_status,
+     const gss_name_t  desired_name,
+     OM_uint32         time_req,
+     const gss_OID_set desired_mechs,
+     gss_cred_usage_t  cred_usage,
+     gss_cred_id_t     *output_cred_handle,
+     gss_OID_set       *actual_mechs,
+     OM_uint32         *time_rec)
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 32]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing
+   credential by name.  GSS-API implementations must impose a local
+   access-control policy on callers of this routine to prevent
+   unauthorized callers from acquiring credentials to which they are not
+   entitled.  This routine is not intended to provide a "login to the
+   network" function, as such a function would involve the creation of
+   new credentials rather than merely acquiring a handle to existing
+   credentials.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a
+   request for a credential handle that will invoke default behavior
+   when passed to gss_init_sec_context() (if cred_usage is
+   GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
+   cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
+
+   Mechanisms should honor the desired_mechs parameter, and return a
+   credential that is suitable to use only with the requested
+   mechanisms.  An exception to this is the case where one underlying
+   credential element can be shared by multiple mechanisms; in this case
+   it is permissible for an implementation to indicate all mechanisms
+   with which the credential element may be used.  If desired_mechs is
+   an empty set, behavior is undefined.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
+   produced by applying either gss_inquire_cred to a valid credential,
+   or gss_inquire_context to an active context.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of
+   gss_acquire_cred must return valid credential data, and may therefore
+   incur the overhead of a deferred credential acquisition.
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 33]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   desired_name      gss_name_t, read
+                     Name of principal whose credential
+                     should be acquired
+
+   time_req          Integer, read, optional
+                     number of seconds that credentials
+                     should remain valid. Specify GSS_C_INDEFINITE
+                     to request that the credentials have the maximum
+                     permitted lifetime.
+
+   desired_mechs     Set of Object IDs, read, optional
+                     set of underlying security mechanisms that
+                     may be used.  GSS_C_NO_OID_SET may be used
+                     to obtain an implementation-specific default.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credentials may be used
+                        either to initiate or accept
+                        security contexts.
+                     GSS_C_INITIATE - Credentials will only be
+                        used to initiate security contexts.
+                     GSS_C_ACCEPT - Credentials will only be used to
+                        accept security contexts.
+
+   output_cred_handle  gss_cred_id_t, modify
+                       The returned credential handle.  Resources
+                       associated with this credential handle must
+                       be released by the application after use
+                       with a call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The set of mechanisms for which the
+                     credential is valid.  Storage associated
+                     with the returned OID-set must be released by
+                     the application after use with a call to
+                     gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   time_rec          Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid.  If the
+                     implementation does not support expiration of
+                     credentials, the value GSS_C_INDEFINITE will
+                     be returned. Specify NULL if not required
+
+
+
+
+
+Wray                        Standards Track                    [Page 34]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
+                      is not supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill
+                     formed.
+
+   GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired
+                             Because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+5.3. gss_add_cred
+
+   OM_uint32 gss_add_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t input_cred_handle,
+     const gss_name_t    desired_name,
+     const gss_OID       desired_mech,
+     gss_cred_usage_t    cred_usage,
+     OM_uint32           initiator_time_req,
+     OM_uint32           acceptor_time_req,
+     gss_cred_id_t       *output_cred_handle,
+     gss_OID_set         *actual_mechs,
+     OM_uint32           *initiator_time_rec,
+     OM_uint32           *acceptor_time_rec)
+
+   Purpose:
+
+   Adds a credential-element to a credential.  The credential-element is
+   identified by the name of the principal to which it refers.  GSS-API
+   implementations must impose a local access-control policy on callers
+   of this routine to prevent unauthorized callers from acquiring
+   credential-elements to which they are not entitled. This routine is
+   not intended to provide a "login to the network" function, as such a
+   function would involve the creation of new mechanism-specific
+   authentication data, rather than merely acquiring a GSS-API handle to
+   existing data.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+
+
+
+Wray                        Standards Track                    [Page 35]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a
+   request to add a credential element that will invoke default behavior
+   when passed to gss_init_sec_context() (if cred_usage is
+   GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
+   cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
+   produced by applying either gss_inquire_cred to a valid credential,
+   or gss_inquire_context to an active context.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of gss_add_cred
+   must return valid credential data, and may therefore incur the
+   overhead of a deferred credential acquisition.
+
+   This routine can be used to either compose a new credential
+   containing all credential-elements of the original in addition to the
+   newly-acquire credential-element, or to add the new credential-
+   element to an existing credential. If NULL is specified for the
+   output_cred_handle parameter argument, the new credential-element
+   will be added to the credential identified by input_cred_handle; if a
+   valid pointer is specified for the output_cred_handle parameter, a
+   new credential handle will be created.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
+   gss_add_cred will compose a credential (and set the
+   output_cred_handle parameter accordingly) based on default behavior.
+   That is, the call will have the same effect as if the application had
+   first made a call to gss_acquire_cred(), specifying the same usage
+   and passing GSS_C_NO_NAME as the desired_name parameter to obtain an
+   explicit credential handle embodying default behavior, passed this
+   credential handle to gss_add_cred(), and finally called
+   gss_release_cred() on the first credential handle.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle
+   parameter, a non-NULL output_cred_handle must be supplied.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 36]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_cred_handle gss_cred_id_t, read, optional
+                     The credential to which a credential-element
+                     will be added.  If GSS_C_NO_CREDENTIAL is
+                     specified, the routine will compose the new
+                     credential based on default behavior (see
+                     description above).  Note that, while the
+                     credential-handle is not modified by
+                     gss_add_cred(), the underlying credential
+                     will be modified if output_credential_handle
+                     is NULL.
+
+   desired_name      gss_name_t, read.
+                     Name of principal whose credential
+                     should be acquired.
+
+   desired_mech      Object ID, read
+                     Underlying security mechanism with which the
+                     credential may be used.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credential may be used
+                     either to initiate or accept
+                     security contexts.
+                     GSS_C_INITIATE - Credential will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credential will only be used to
+                                    accept security contexts.
+
+   initiator_time_req Integer, read, optional
+                      number of seconds that the credential
+                      should remain valid for initiating security
+                      contexts.  This argument is ignored if the
+                      composed credentials are of type GSS_C_ACCEPT.
+                      Specify GSS_C_INDEFINITE to request that the
+                      credentials have the maximum permitted
+                      initiator lifetime.
+
+   acceptor_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for accepting security
+                     contexts.  This argument is ignored if the
+                     composed credentials are of type GSS_C_INITIATE.
+
+
+
+Wray                        Standards Track                    [Page 37]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+   output_cred_handle gss_cred_id_t, modify, optional
+                      The returned credential handle, containing
+                      the new credential-element and all the
+                      credential-elements from input_cred_handle.
+                      If a valid pointer to a gss_cred_id_t is
+                      supplied for this parameter, gss_add_cred
+                      creates a new credential handle containing all
+                      credential-elements from the input_cred_handle
+                      and the newly acquired credential-element; if
+                      NULL is specified for this parameter, the newly
+                      acquired credential-element will be added
+                      to the credential identified by input_cred_handle.
+
+                      The resources associated with any credential
+                      handle returned via this parameter must be
+                      released by the application after use with a
+                      call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The complete set of mechanisms for which
+                     the new credential is valid.  Storage for
+                     the returned OID-set must be freed by the
+                     application after use with a call to
+                     gss_release_oid_set(). Specify NULL if
+                     not required.
+
+   initiator_time_rec Integer, modify, optional
+                      Actual number of seconds for which the
+                      returned credentials will remain valid for
+                      initiating contexts using the specified
+                      mechanism.  If the implementation or mechanism
+                      does not support expiration of credentials, the
+                      value GSS_C_INDEFINITE will be returned. Specify
+                      NULL if not required
+
+   acceptor_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     accepting security contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+
+
+
+Wray                        Standards Track                    [Page 38]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
+                     is not supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is
+                     ill-formed.
+
+   GSS_S_DUPLICATE_ELEMENT The credential already contains an element
+                     for the requested mechanism with overlapping
+                     usage and validity period.
+
+   GSS_S_CREDENTIALS_EXPIRED The required credentials could not be
+                     added because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+5.4. gss_add_oid_set_member
+
+   OM_uint32 gss_add_oid_set_member (
+     OM_uint32       *minor_status,
+     const gss_OID   member_oid,
+     gss_OID_set     *oid_set)
+
+   Purpose:
+
+   Add an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with gss_create_empty_oid_set when
+   constructing a set of mechanism OIDs for input to gss_acquire_cred.
+   The oid_set parameter must refer to an OID-set that was created by
+   GSS-API (e.g. a set returned by gss_create_empty_oid_set()). GSS-API
+   creates a copy of the member_oid and inserts this copy into the set,
+   expanding the storage allocated to the OID-set's elements array if
+   necessary.  The routine may add the new member OID anywhere within
+   the elements array, and implementations should verify that the new
+   member_oid is not already contained within the elements array; if the
+   member_oid is already present, the oid_set should remain unchanged.
+
+   Parameters:
+
+      minor_status      Integer, modify
+                        Mechanism specific status code
+
+
+
+
+
+Wray                        Standards Track                    [Page 39]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+      member_oid        Object ID, read
+                        The object identifier to copied into
+                        the set.
+
+      oid_set           Set of Object ID, modify
+                        The set in which the object identifier
+                        should be inserted.
+
+   Function value:   GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+5.5. gss_canonicalize_name
+
+   OM_uint32 gss_canonicalize_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     const gss_OID    mech_type,
+     gss_name_t       *output_name)
+
+   Purpose:
+
+   Generate a canonical mechanism name (MN) from an arbitrary internal
+   name.  The mechanism name is the name that would be returned to a
+   context acceptor on successful authentication of a context where the
+   initiator used the input_name in a successful call to
+   gss_acquire_cred, specifying an OID set containing <mech_type> as its
+   only member, followed by a call to gss_init_sec_context, specifying
+   <mech_type> as the authentication mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The name for which a canonical form is
+                     desired
+
+   mech_type         Object ID, read
+                     The authentication mechanism for which the
+                     canonical form of the name is desired.  The
+                     desired mechanism must be specified explicitly;
+                     no default is provided.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 40]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   output_name       gss_name_t, modify
+                     The resultant canonical name.  Storage
+                     associated with this name must be freed by
+                     the application after use with a call to
+                     gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_BAD_MECH    The identified mechanism is not supported.
+
+   GSS_S_BAD_NAMETYPE The provided internal name contains no elements
+                     that could be processed by the specified
+                     mechanism.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+5.6. gss_compare_name
+
+   OM_uint32 gss_compare_name (
+     OM_uint32        *minor_status,
+     const gss_name_t name1,
+     const gss_name_t name2,
+     int              *name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   If either name presented to gss_compare_name denotes an anonymous
+   principal, the routines should indicate that the two names do not
+   refer to the same identity.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   name1             gss_name_t, read
+                     internal-form name
+
+   name2             gss_name_t, read
+                     internal-form name
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 41]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   name_equal        boolean, modify
+                     non-zero - names refer to same entity
+                     zero - names refer to different entities
+                           (strictly, the names are not known
+                           to refer to the same identity).
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The two names were of incomparable types.
+
+   GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed.
+
+5.7. gss_context_time
+
+   OM_uint32 gss_context_time (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     OM_uint32          *time_rec)
+
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context to be interrogated.
+
+   time_rec          Integer, modify
+                     Number of seconds that the context will remain
+                     valid.  If the context has already expired,
+                     zero will be returned.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+
+
+
+Wray                        Standards Track                    [Page 42]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.8. gss_create_empty_oid_set
+
+   OM_uint32 gss_create_empty_oid_set (
+     OM_uint32    *minor_status,
+     gss_OID_set  *oid_set)
+
+   Purpose:
+
+   Create an object-identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   gss_add_oid_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   gss_acquire_cred.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   oid_set           Set of Object IDs, modify
+                     The empty object identifier set.
+                     The routine will allocate the
+                     gss_OID_set_desc object, which the
+                     application must free after use with
+                     a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.9. gss_delete_sec_context
+
+   OM_uint32 gss_delete_sec_context (
+     OM_uint32    *minor_status,
+     gss_ctx_id_t *context_handle,
+     gss_buffer_t output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the
+   local data structures associated with the specified security context,
+   and may generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  If no
+   token is required by the mechanism, the GSS-API should set the length
+   field of the output_token (if provided) to zero.  No further security
+   services may be obtained using the context specified by
+   context_handle.
+
+
+
+
+Wray                        Standards Track                    [Page 43]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   In addition to deleting established security contexts,
+   gss_delete_sec_context must also be able to delete "half-built"
+   security contexts resulting from an incomplete sequence of
+   gss_init_sec_context()/gss_accept_sec_context() calls.
+
+   The output_token parameter is retained for compatibility with version
+   1 of the GSS-API.  It is recommended that both peer applications
+   invoke gss_delete_sec_context passing the value GSS_C_NO_BUFFER for
+   the output_token parameter, indicating that no token is required, and
+   that gss_delete_sec_context should simply delete local context data
+   structures.  If the application does pass a valid buffer to
+   gss_delete_sec_context, mechanisms are encouraged to return a zero-
+   length token, indicating that no peer action is necessary, and that
+   no token should be transferred by the application.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying context to delete.
+                     After deleting the context, the GSS-API will set
+                     this context handle to GSS_C_NO_CONTEXT.
+
+   output_token      buffer, opaque, modify, optional
+                     token to be sent to remote application to
+                     instruct it to also delete the context.  It
+                     is recommended that applications specify
+                     GSS_C_NO_BUFFER for this parameter, requesting
+                     local deletion only.  If a buffer parameter is
+                     provided by the application, the mechanism may
+                     return a token in it;  mechanisms that implement
+                     only local deletion should set the length field of
+                     this token to zero to indicate to the application
+                     that no token is to be sent to the peer.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  No valid context was supplied
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 44]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.10.gss_display_name
+
+   OM_uint32 gss_display_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_buffer_t     output_name_buffer,
+     gss_OID          *output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSS-API implementation.
+
+   If input_name denotes an anonymous principal, the implementation
+   should return the gss_OID value GSS_C_NT_ANONYMOUS as the
+   output_name_type, and a textual name that is syntactically distinct
+   from all valid supported printable names in output_name_buffer.
+
+   If input_name was created by a call to gss_import_name, specifying
+   GSS_C_NO_OID as the name-type, implementations that employ lazy
+   conversion between name types may return GSS_C_NO_OID via the
+   output_name_type parameter.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_name        gss_name_t, read
+                     name to be displayed
+
+   output_name_buffer  buffer, character-string, modify
+                     buffer to receive textual name string.
+                     The application must free storage associated
+                     with this name after use with a call to
+                     gss_release_buffer().
+
+   output_name_type  Object ID, modify, optional
+                     The type of the returned name.  The returned
+                     gss_OID will be a pointer into static storage,
+                     and should be treated as read-only by the caller
+                     (in particular, the application should not attempt
+                     to free it). Specify NULL if not required.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 45]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    input_name was ill-formed
+
+5.11.gss_display_status
+
+   OM_uint32 gss_display_status (
+     OM_uint32      *minor_status,
+     OM_uint32      status_value,
+     int            status_type,
+     const gss_OID  mech_type,
+     OM_uint32      *message_context,
+     gss_buffer_t   status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSS-API
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple conditions, applications may
+   need to call gss_display_status multiple times, each call generating
+   a single text string.  The message_context parameter is used by
+   gss_display_status to store state information about which error
+   messages have already been extracted from a given status_value;
+   message_context must be initialized to 0 by the application prior to
+   the first call, and gss_display_status will return a non-zero value
+   in this parameter if there are further messages to extract.
+
+   The message_context parameter contains all state information required
+   by gss_display_status in order to extract further messages from the
+   status_value;  even when a non-zero value is returned in this
+   parameter, the application is not required to call gss_display_status
+   again unless subsequent messages are desired.  The following code
+   extracts all messages from a given status code and prints them to
+   stderr:
+
+   OM_uint32 message_context;
+   OM_uint32 status_code;
+   OM_uint32 maj_status;
+   OM_uint32 min_status;
+   gss_buffer_desc status_string;
+
+          ...
+
+   message_context = 0;
+
+   do {
+
+
+
+Wray                        Standards Track                    [Page 46]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+     maj_status = gss_display_status (
+                     &min_status,
+                     status_code,
+                     GSS_C_GSS_CODE,
+                     GSS_C_NO_OID,
+                     &message_context,
+                     &status_string)
+
+     fprintf(stderr,
+             "%.*s\n",
+            (int)status_string.length,
+
+            (char *)status_string.value);
+
+     gss_release_buffer(&min_status, &status_string);
+
+   } while (message_context != 0);
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   status_value      Integer, read
+                     Status value to be converted
+
+   status_type       Integer, read
+                     GSS_C_GSS_CODE - status_value is a GSS status
+                     code
+
+   GSS_C_MECH_CODE - status_value is a mechanism
+                     status code
+
+   mech_type         Object ID, read, optional
+                     Underlying mechanism (used to interpret a
+                     minor status value) Supply GSS_C_NO_OID to
+                     obtain the system default.
+
+   message_context   Integer, read/modify
+                     Should be initialized to zero by the
+                     application prior to the first call.
+                     On return from gss_display_status(),
+                     a non-zero status_value parameter indicates
+                     that additional messages may be extracted
+                     from the status code via subsequent calls
+
+
+
+
+
+Wray                        Standards Track                    [Page 47]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     to gss_display_status(), passing the same
+                     status_value, status_type, mech_type, and
+                     message_context parameters.
+
+   status_string     buffer, character string, modify
+                     textual interpretation of the status_value.
+                     Storage associated with this parameter must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Indicates that translation in accordance with
+                     an unsupported mechanism type was requested
+
+   GSS_S_BAD_STATUS  The status value was not recognized, or the
+                     status type was neither GSS_C_GSS_CODE nor
+                     GSS_C_MECH_CODE.
+
+5.12. gss_duplicate_name
+
+   OM_uint32 gss_duplicate_name (
+     OM_uint32        *minor_status,
+     const gss_name_t src_name,
+     gss_name_t       *dest_name)
+
+   Purpose:
+
+   Create an exact duplicate of the existing internal name src_name.
+   The new dest_name will be independent of src_name (i.e. src_name and
+   dest_name must both be released, and the release of one shall not
+   affect the validity of the other).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   src_name          gss_name_t, read
+                     internal name to be duplicated.
+
+   dest_name         gss_name_t, modify
+                     The resultant copy of <src_name>.
+                     Storage associated with this name must
+                     be freed by the application after use
+                     with a call to gss_release_name().
+
+
+
+Wray                        Standards Track                    [Page 48]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The src_name parameter was ill-formed.
+
+5.13. gss_export_name
+
+   OM_uint32 gss_export_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_buffer_t     exported_name)
+
+   Purpose:
+
+   To produce a canonical contiguous string representation of a
+   mechanism name (MN), suitable for direct comparison (e.g. with
+   memcmp) for use in authorization functions (e.g. matching entries in
+   an access-control list).  The <input_name> parameter must specify a
+   valid MN (i.e. an internal name generated by gss_accept_sec_context
+   or by gss_canonicalize_name).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The MN to be exported
+
+   exported_name     gss_buffer_t, octet-string, modify
+                     The canonical contiguous string form of
+                     <input_name>.  Storage associated with
+                     this string must freed by the application
+                     after use with gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NAME_NOT_MN The provided internal name was not a mechanism
+                     name.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The internal name was of a type not supported
+                     by the GSS-API implementation.
+
+
+
+
+Wray                        Standards Track                    [Page 49]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.14. gss_export_sec_context
+
+   OM_uint32 gss_export_sec_context (
+     OM_uint32    *minor_status,
+     gss_ctx_id_t *context_handle,
+     gss_buffer_t interprocess_token)
+
+   Purpose:
+
+   Provided to support the sharing of work between multiple processes.
+   This routine will typically be used by the context-acceptor, in an
+   application where a single process receives incoming connection
+   requests and accepts security contexts over them, then passes the
+   established context to one or more other processes for message
+   exchange. gss_export_sec_context() deactivates the security context
+   for the calling process and creates an interprocess token which, when
+   passed to gss_import_sec_context in another process, will re-activate
+   the context in the second process. Only a single instantiation of a
+   given context may be active at any one time; a subsequent attempt by
+   a context exporter to access the exported security context will fail.
+
+   The implementation may constrain the set of processes by which the
+   interprocess token may be imported, either as a function of local
+   security policy, or as a result of implementation decisions.  For
+   example, some implementations may constrain contexts to be passed
+   only between processes that run under the same account, or which are
+   part of the same process group.
+
+   The interprocess token may contain security-sensitive information
+   (for example cryptographic keys).  While mechanisms are encouraged to
+   either avoid placing such sensitive information within interprocess
+   tokens, or to encrypt the token before returning it to the
+   application, in a typical object-library GSS-API implementation this
+   may not be possible. Thus the application must take care to protect
+   the interprocess token, and ensure that any process to which the
+   token is transferred is trustworthy.
+
+   If creation of the interprocess token is successful, the
+   implementation shall deallocate all process-wide resources associated
+   with the security context, and set the context_handle to
+   GSS_C_NO_CONTEXT.  In the event of an error that makes it impossible
+   to complete the export of the security context, the implementation
+   must not return an interprocess token, and should strive to leave the
+   security context referenced by the context_handle parameter
+   untouched.  If this is impossible, it is permissible for the
+   implementation to delete the security context, providing it also sets
+   the context_handle parameter to GSS_C_NO_CONTEXT.
+
+
+
+
+Wray                        Standards Track                    [Page 50]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying the context to
+                     transfer.
+
+   interprocess_token   buffer, opaque, modify
+                        token to be transferred to target process.
+                        Storage associated with this token must be
+                        freed by the application after use with a
+                        call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has expired
+
+   GSS_S_NO_CONTEXT  The context was invalid
+
+   GSS_S_UNAVAILABLE The operation is not supported.
+
+5.15. gss_get_mic
+
+   OM_uint32 gss_get_mic (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     gss_qop_t             qop_req,
+     const gss_buffer_t message_buffer,
+     gss_buffer_t       msg_token)
+
+   Purpose:
+
+   Generates a cryptographic MIC for the supplied message, and places
+   the MIC in a token for transfer to the peer application. The qop_req
+   parameter allows a choice between several cryptographic algorithms,
+   if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support derivation of MICs from zero-length messages.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 51]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     identifies the context on which the message
+                     will be sent
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies requested quality of protection.
+                     Callers are encouraged, on portability grounds,
+                     to accept the default quality of protection
+                     offered by the chosen mechanism, which may be
+                     requested by specifying GSS_C_QOP_DEFAULT for
+                     this parameter.  If an unsupported protection
+                     strength is requested, gss_get_mic will return a
+                     major_status of GSS_S_BAD_QOP.
+
+   message_buffer    buffer, opaque, read
+                     message to be protected
+
+   msg_token         buffer, opaque, modify
+                     buffer to receive token.  The application must
+                     free storage associated with this buffer after
+                     use with a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+5.16. gss_import_name
+
+   OM_uint32 gss_import_name (
+     OM_uint32          *minor_status,
+     const gss_buffer_t input_name_buffer,
+     const gss_OID      input_name_type,
+     gss_name_t         *output_name)
+
+
+
+
+
+Wray                        Standards Track                    [Page 52]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Convert a contiguous string name to internal form.  In general, the
+   internal name returned (via the <output_name> parameter) will not be
+   an MN; the exception to this is if the <input_name_type> indicates
+   that the contiguous string provided via the <input_name_buffer>
+   parameter is of type GSS_C_NT_EXPORT_NAME, in which case the returned
+   internal name will be an MN for the mechanism that exported the name.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name_buffer  buffer, octet-string, read
+                     buffer containing contiguous string name to convert
+
+   input_name_type   Object ID, read, optional
+                     Object ID specifying type of printable
+                     name.  Applications may specify either
+                     GSS_C_NO_OID to use a mechanism-specific
+                     default printable syntax, or an OID recognized
+                     by the GSS-API implementation to name a
+                     specific namespace.
+
+   output_name       gss_name_t, modify
+                     returned name in internal form.  Storage
+                     associated with this name must be freed
+                     by the application after use with a call
+                     to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+   GSS_S_BAD_NAME    The input_name parameter could not be interpreted
+                     as a name of the specified type
+
+   GSS_S_BAD_MECH    The input name-type was GSS_C_NT_EXPORT_NAME,
+                     but the mechanism contained within the
+                     input-name is not supported
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 53]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.17. gss_import_sec_context
+
+   OM_uint32 gss_import_sec_context (
+     OM_uint32          *minor_status,
+     const gss_buffer_t interprocess_token,
+     gss_ctx_id_t       *context_handle)
+
+   Purpose:
+
+   Allows a process to import a security context established by another
+   process.  A given interprocess token may be imported only once.  See
+   gss_export_sec_context.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   interprocess_token  buffer, opaque, modify
+                       token received from exporting process
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle of newly reactivated context.
+                     Resources associated with this context handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_NO_CONTEXT  The token did not contain a valid context
+   reference.
+
+   GSS_S_DEFECTIVE_TOKEN The token was invalid.
+
+   GSS_S_UNAVAILABLE The operation is unavailable.
+
+   GSS_S_UNAUTHORIZED Local policy prevents the import of this context
+                      by the current process.
+
+5.18. gss_indicate_mechs
+
+   OM_uint32 gss_indicate_mechs (
+     OM_uint32   *minor_status,
+     gss_OID_set *mech_set)
+
+
+
+
+
+Wray                        Standards Track                    [Page 54]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Allows an application to determine which underlying security
+   mechanisms are available.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   mech_set          set of Object IDs, modify
+                     set of implementation-supported mechanisms.
+                     The returned gss_OID_set value will be a
+                     dynamically-allocated OID set, that should
+                     be released by the caller after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.19. gss_init_sec_context
+
+   OM_uint32 gss_init_sec_context (
+     OM_uint32                    *minor_status,
+     const gss_cred_id_t          initiator_cred_handle,
+     gss_ctx_id_t                 *context_handle,\
+     const gss_name_t             target_name,
+     const gss_OID                mech_type,
+     OM_uint32                    req_flags,
+     OM_uint32                    time_req,
+     const gss_channel_bindings_t input_chan_bindings,
+     const gss_buffer_t           input_token
+     gss_OID                      *actual_mech_type,
+     gss_buffer_t                 output_token,
+     OM_uint32                    *ret_flags,
+     OM_uint32                    *time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified either as GSS_C_NO_BUFFER, or as a pointer to a
+   gss_buffer_desc object whose length field contains the value zero.
+   The routine may return a output_token which should be transferred to
+   the peer application, where the peer application will present it to
+   gss_accept_sec_context.  If no token need be sent,
+   gss_init_sec_context will indicate this by setting the length field
+
+
+
+Wray                        Standards Track                    [Page 55]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   of the output_token argument to zero. To complete the context
+   establishment, one or more reply tokens may be required from the peer
+   application; if so, gss_init_sec_context will return a status
+   containing the supplementary information bit GSS_S_CONTINUE_NEEDED.
+   In this case, gss_init_sec_context should be called again when the
+   reply token is received from the peer application, passing the reply
+   token to gss_init_sec_context via the input_token parameters.
+
+   Portable applications should be constructed to use the token length
+   and return status to determine whether a token needs to be sent or
+   waited for.  Thus a typical portable caller should always invoke
+   gss_init_sec_context within a loop:
+
+   int context_established = 0;
+   gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+          ...
+   input_token->length = 0;
+
+   while (!context_established) {
+     maj_stat = gss_init_sec_context(&min_stat,
+                                     cred_hdl,
+                                     &context_hdl,
+                                     target_name,
+                                     desired_mech,
+                                     desired_services,
+                                     desired_time,
+                                     input_bindings,
+                                     input_token,
+                                     &actual_mech,
+                                     output_token,
+                                     &actual_services,
+                                     &actual_time);
+     if (GSS_ERROR(maj_stat)) {
+       report_error(maj_stat, min_stat);
+     };
+
+     if (output_token->length != 0) {
+       send_token_to_peer(output_token);
+       gss_release_buffer(&min_stat, output_token)
+     };
+     if (GSS_ERROR(maj_stat)) {
+
+       if (context_hdl != GSS_C_NO_CONTEXT)
+         gss_delete_sec_context(&min_stat,
+                                &context_hdl,
+                                GSS_C_NO_BUFFER);
+       break;
+     };
+
+
+
+Wray                        Standards Track                    [Page 56]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+     if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+       receive_token_from_peer(input_token);
+     } else {
+       context_established = 1;
+     };
+   };
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+      The value returned via the time_rec parameter is undefined Unless
+      the accompanying ret_flags parameter contains the bit
+      GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+      applied in advance of a successful completion status, the value
+      returned via the actual_mech_type parameter is undefined until the
+      routine returns a major status value of GSS_S_COMPLETE.
+
+      The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+      GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+      GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+      ret_flags parameter should contain the values that the
+      implementation expects would be valid if context establishment
+      were to succeed.  In particular, if the application has requested
+      a service such as delegation or anonymous authentication via the
+      req_flags argument, and such a service is unavailable from the
+      underlying mechanism, gss_init_sec_context should generate a token
+      that will not provide the service, and indicate via the ret_flags
+      argument that the service will not be supported.  The application
+      may choose to abort the context establishment by calling
+      gss_delete_sec_context (if it cannot continue in the absence of
+      the service), or it may choose to transmit the token and continue
+      context establishment (if the service was merely desired but not
+      mandatory).
+
+      The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+      within ret_flags should indicate the actual state at the time
+      gss_init_sec_context returns, whether or not the context is fully
+      established.
+
+      GSS-API implementations that support per-message protection are
+      encouraged to set the GSS_C_PROT_READY_FLAG in the final ret_flags
+      returned to a caller (i.e. when accompanied by a GSS_S_COMPLETE
+      status code).  However, applications should not rely on this
+      behavior as the flag was not defined in Version 1 of the GSS-API.
+      Instead, applications should determine what per-message services
+      are available after a successful context establishment according
+      to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
+
+
+
+Wray                        Standards Track                    [Page 57]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+      All other bits within the ret_flags argument should be set to
+      zero.
+
+   If the initial call of gss_init_sec_context() fails, the
+   implementation should not create a context object, and should leave
+   the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security
+   context (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
+   security context untouched for the application to delete (using
+   gss_delete_sec_context).
+
+   During context establishment, the informational status bits
+   GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
+   GSS-API mechanisms should always return them in association with a
+   routine error of GSS_S_FAILURE.  This requirement for pairing did not
+   exist in version 1 of the GSS-API specification, so applications that
+   wish to run over version 1 implementations must special-case these
+   codes.
+
+   Parameters:
+
+   minor_status      Integer,  modify
+                     Mechanism specific status code.
+
+   initiator_cred_handle  gss_cred_id_t, read, optional
+                          handle for credentials claimed.  Supply
+                          GSS_C_NO_CREDENTIAL to act as a default
+                          initiator principal.  If no default
+                          initiator is defined, the function will
+                          return GSS_S_NO_CRED.
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned by first call in continuation calls.
+                     Resources associated with this context-handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+   target_name       gss_name_t, read
+                     Name of target
+
+   mech_type         OID, read, optional
+                     Object ID of desired mechanism. Supply
+                     GSS_C_NO_OID to obtain an implementation
+                     specific default
+
+
+
+Wray                        Standards Track                    [Page 58]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   req_flags         bit-mask, read
+                     Contains various independent flags, each of
+                     which requests that the context support a
+                     specific service option.  Symbolic
+                     names are provided for each flag, and the
+                     symbolic names corresponding to the required
+                     flags should be logically-ORed
+                     together to form the bit-mask value.  The
+                     flags are:
+
+                     GSS_C_DELEG_FLAG
+                       True - Delegate credentials to remote peer
+                       False - Don't delegate
+
+                     GSS_C_MUTUAL_FLAG
+                       True - Request that remote peer
+                              authenticate itself
+                       False - Authenticate self to remote peer
+                               only
+
+                     GSS_C_REPLAY_FLAG
+                       True - Enable replay detection for
+                              messages protected with gss_wrap
+                              or gss_get_mic
+                       False - Don't attempt to detect
+                               replayed messages
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - Enable detection of out-of-sequence
+                              protected messages
+                       False - Don't attempt to detect
+                               out-of-sequence messages
+
+                     GSS_C_CONF_FLAG
+                       True - Request that confidentiality service
+                              be made available (via gss_wrap)
+                       False - No per-message confidentiality service
+                               is required.
+
+                     GSS_C_INTEG_FLAG
+                       True - Request that integrity service be
+                              made available (via gss_wrap or
+                              gss_get_mic)
+                       False - No per-message integrity service
+                               is required.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 59]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     GSS_C_ANON_FLAG
+                       True - Do not reveal the initiator's
+                              identity to the acceptor.
+                       False - Authenticate normally.
+
+   time_req          Integer, read, optional
+                     Desired number of seconds for which context
+                     should remain valid.  Supply 0 to request a
+                     default validity period.
+
+   input_chan_bindings  channel bindings, read, optional
+                        Application-specified bindings.  Allows
+                        application to securely bind channel
+                        identification information to the security
+                        context.  Specify GSS_C_NO_CHANNEL_BINDINGS
+                        if channel bindings are not used.
+
+   input_token       buffer, opaque, read, optional (see text)
+                     Token received from peer application.
+                     Supply GSS_C_NO_BUFFER, or a pointer to
+                     a buffer containing the value GSS_C_EMPTY_BUFFER
+                     on initial call.
+
+   actual_mech_type  OID, modify, optional
+                     Actual mechanism used.  The OID returned via
+                     this parameter will be a pointer to static
+                     storage that should be treated as read-only;
+                     In particular the application should not attempt
+                     to free it.  Specify NULL if not required.
+
+   output_token      buffer, opaque, modify
+                     token to be sent to peer application.  If
+                     the length field of the returned buffer is
+                     zero, no token need be sent to the peer
+                     application.  Storage associated with this
+                     buffer must be freed by the application
+                     after use with a call to gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of which
+                     indicates that the context supports a specific
+                     service option.  Specify NULL if not
+                     required.  Symbolic names are provided
+                     for each flag, and the symbolic names
+                     corresponding to the required flags should be
+                     logically-ANDed with the ret_flags value to test
+                     whether a given option is supported by the
+                     context.  The flags are:
+
+
+
+Wray                        Standards Track                    [Page 60]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     GSS_C_DELEG_FLAG
+                       True - Credentials were delegated to
+                              the remote peer
+                       False - No credentials were delegated
+
+                     GSS_C_MUTUAL_FLAG
+                       True - The remote peer has authenticated
+                              itself.
+                       False - Remote peer has not authenticated
+                               itself.
+
+                     GSS_C_REPLAY_FLAG
+                       True - replay of protected messages
+                              will be detected
+                       False - replayed messages will not be
+                               detected
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - out-of-sequence protected
+                              messages will be detected
+                       False - out-of-sequence messages will
+                               not be detected
+
+                     GSS_C_CONF_FLAG
+                       True - Confidentiality service may be
+                              invoked by calling gss_wrap routine
+                       False - No confidentiality service (via
+                               gss_wrap) available. gss_wrap will
+                               provide message encapsulation,
+                               data-origin authentication and
+                               integrity services only.
+
+                     GSS_C_INTEG_FLAG
+                       True - Integrity service may be invoked by
+                              calling either gss_get_mic or gss_wrap
+                              routines.
+                       False - Per-message integrity service
+                               unavailable.
+
+                     GSS_C_ANON_FLAG
+                       True - The initiator's identity has not been
+                              revealed, and will not be revealed if
+                              any emitted token is passed to the
+                              acceptor.
+                       False - The initiator's identity has been or
+                               will be authenticated normally.
+
+                     GSS_C_PROT_READY_FLAG
+
+
+
+Wray                        Standards Track                    [Page 61]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                       True - Protection services (as specified
+                              by the states of the GSS_C_CONF_FLAG
+                              and GSS_C_INTEG_FLAG) are available for
+                              use if the accompanying major status
+                              return value is either GSS_S_COMPLETE or
+                              GSS_S_CONTINUE_NEEDED.
+                       False - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               only if the accompanying major status
+                               return value is GSS_S_COMPLETE.
+
+                     GSS_C_TRANS_FLAG
+                       True - The resultant security context may
+                              be transferred to other processes via
+                              a call to gss_export_sec_context().
+                       False - The security context is not
+                               transferable.
+
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. If the implementation does
+                     not support context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                         application is required to complete the
+                         context, and that gss_init_sec_context
+                         must be called again with that token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed
+                         on the input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                              performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for
+                     context initiation, or the credential handle
+                     did not reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+
+
+Wray                        Standards Track                    [Page 62]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel
+                      bindings to those specified via the
+                      input_chan_bindings parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC, or a MIC
+                     that could not be verified
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal
+                     error during context establishment
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate
+                         of a token already processed.  This is a
+                         fatal error during context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did
+                     not refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                      invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_BAD_MECH    The specified mechanism is not supported by the
+                     provided credential, or is unrecognized by the
+                     implementation.
+
+5.20. gss_inquire_context
+
+   OM_uint32 gss_inquire_context (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     gss_name_t         *src_name,
+     gss_name_t         *targ_name,
+     OM_uint32          *lifetime_rec,
+     gss_OID            *mech_type,
+     OM_uint32          *ctx_flags,
+     int                *locally_initiated,
+     int                *open )
+
+   Purpose:
+
+   Obtains information about a security context.  The caller must
+   already have obtained a handle that refers to the context, although
+   the context need not be fully established.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 63]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security context.
+
+   src_name          gss_name_t, modify, optional
+                     The name of the context initiator.
+                     If the context was established using anonymous
+                     authentication, and if the application invoking
+                     gss_inquire_context is the context acceptor,
+                     an anonymous name will be returned.  Storage
+                     associated with this name must be freed by the
+                     application after use with a call to
+                     gss_release_name().  Specify NULL if not
+                     required.
+
+   targ_name         gss_name_t, modify, optional
+                     The name of the context acceptor.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  If the context acceptor
+                     did not authenticate itself, and if the initiator
+                     did not specify a target name in its call to
+                     gss_init_sec_context(), the value GSS_C_NO_NAME
+                     will be returned.  Specify NULL if not required.
+
+   lifetime_rec      Integer, modify, optional
+                     The number of seconds for which the context
+                     will remain valid.  If the context has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   mech_type         gss_OID, modify, optional
+                     The security mechanism providing the
+                     context.  The returned OID will be a
+                     pointer to static storage that should
+                     be treated as read-only by the application;
+                     in particular the application should not
+                     attempt to free it.  Specify NULL if not
+                     required.
+
+
+
+
+
+Wray                        Standards Track                    [Page 64]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   ctx_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports
+                     (or is expected to support, if ctx_open is
+                     false) a specific service option.  If not
+                     needed, specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                       True - Credentials were delegated from
+                              the initiator to the acceptor.
+                       False - No credentials were delegated
+
+                     GSS_C_MUTUAL_FLAG
+                       True - The acceptor was authenticated
+                              to the initiator
+                       False - The acceptor did not authenticate
+                               itself.
+
+                     GSS_C_REPLAY_FLAG
+                       True - replay of protected messages
+                              will be detected
+                       False - replayed messages will not be
+                               detected
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - out-of-sequence protected
+                              messages will be detected
+                       False - out-of-sequence messages will not
+                               be detected
+
+                     GSS_C_CONF_FLAG
+                       True - Confidentiality service may be invoked
+                              by calling gss_wrap routine
+                       False - No confidentiality service (via
+                               gss_wrap) available. gss_wrap will
+                               provide message encapsulation,
+                               data-origin authentication and
+                               integrity services only.
+
+                     GSS_C_INTEG_FLAG
+                       True - Integrity service may be invoked by
+                              calling either gss_get_mic or gss_wrap
+                              routines.
+
+
+
+Wray                        Standards Track                    [Page 65]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                       False - Per-message integrity service
+                               unavailable.
+
+                     GSS_C_ANON_FLAG
+                       True - The initiator's identity will not
+                              be revealed to the acceptor.
+                              The src_name parameter (if
+                              requested) contains an anonymous
+                              internal name.
+                       False - The initiator has been
+                               authenticated normally.
+
+                     GSS_C_PROT_READY_FLAG
+                       True - Protection services (as specified
+                              by the states of the GSS_C_CONF_FLAG
+                              and GSS_C_INTEG_FLAG) are available
+                              for use.
+                       False - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               only if the context is fully
+                               established (i.e. if the open parameter
+                               is non-zero).
+
+                     GSS_C_TRANS_FLAG
+                       True - The resultant security context may
+                              be transferred to other processes via
+                              a call to gss_export_sec_context().
+                       False - The security context is not
+                               transferable.
+
+   locally_initiated Boolean, modify
+                     Non-zero if the invoking application is the
+                     context initiator.
+                     Specify NULL if not required.
+
+   open              Boolean, modify
+                     Non-zero if the context is fully established;
+                     Zero if a context-establishment token
+                     is expected from the peer application.
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+
+
+
+Wray                        Standards Track                    [Page 66]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.21. gss_inquire_cred
+
+   OM_uint32 gss_inquire_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t cred_handle,
+     gss_name_t          *name,
+     OM_uint32           *lifetime,
+     gss_cred_usage_t    *cred_usage,
+     gss_OID_set         *mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name should be freed
+                     by the application after use with a call to
+                     gss_release_name().  Specify NULL if not required.
+
+   lifetime          Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain valid.  If the credential has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     credential expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used.  One of the
+                     following:
+                     GSS_C_INITIATE
+                     GSS_C_ACCEPT
+                     GSS_C_BOTH
+                     Specify NULL if not required.
+
+
+
+
+
+Wray                        Standards Track                    [Page 67]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   mechanisms        gss_OID_set, modify, optional
+                     Set of mechanisms supported by the credential.
+                     Storage associated with this OID set must be
+                     freed by the application after use with a call
+                     to gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                     If the lifetime parameter was not passed as NULL,
+                     it will be set to 0.
+
+5.22. gss_inquire_cred_by_mech
+
+   OM_uint32 gss_inquire_cred_by_mech (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t cred_handle,
+     const gss_OID       mech_type,
+     gss_name_t          *name,
+     OM_uint32           *initiator_lifetime,
+     OM_uint32           *acceptor_lifetime,
+     gss_cred_usage_t    *cred_usage )
+
+   Purpose:
+
+   Obtains per-mechanism information about a credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   mech_type         gss_OID, read
+                     The mechanism for which information should be
+                     returned.
+
+
+
+
+Wray                        Standards Track                    [Page 68]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     required.
+
+   initiator_lifetime  Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of initiating security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to initiate contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_ACCEPT, this parameter will be set to zero.
+                     If the implementation does not support expiration
+                     of initiator credentials, the value
+                     GSS_C_INDEFINITE will be returned.  Specify NULL
+                     if not required.
+
+   acceptor_lifetime Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of accepting security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to accept contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_INITIATE, this parameter will be set to zero.
+
+                     If the implementation does not support expiration
+                     of acceptor credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used with the specified
+                     mechanism.  One of the following:
+                       GSS_C_INITIATE
+                       GSS_C_ACCEPT
+                       GSS_C_BOTH
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+
+
+
+
+Wray                        Standards Track                    [Page 69]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                    If the lifetime parameter was not passed as NULL,
+                    it will be set to 0.
+
+5.23. gss_inquire_mechs_for_name
+
+   OM_uint32 gss_inquire_mechs_for_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_OID_set      *mech_types )
+
+   Purpose:
+
+   Returns the set of mechanisms supported by the GSS-API implementation
+   that may be able to process the specified name.
+
+   Each mechanism returned will recognize at least one element within
+   the name.  It is permissible for this routine to be implemented
+   within a mechanism-independent GSS-API layer, using the type
+   information contained within the presented name, and based on
+   registration information provided by individual mechanism
+   implementations.  This means that the returned mech_types set may
+   indicate that a particular mechanism will understand the name when in
+   fact it would refuse to accept the name as input to
+   gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred or
+   gss_add_cred (due to some property of the specific name, as opposed
+   to the name type).  Thus this routine should be used only as a pre-
+   filter for a call to a subsequent mechanism-specific routine.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   input_name        gss_name_t, read
+                     The name to which the inquiry relates.
+
+   mech_types        gss_OID_set, modify
+                     Set of mechanisms that may support the
+                     specified name.  The returned OID set
+                     must be freed by the caller after use
+                     with a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The input_name parameter was ill-formed.
+
+
+
+Wray                        Standards Track                    [Page 70]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or
+                      unsupported type of name
+
+5.24. gss_inquire_names_for_mech
+
+   OM_uint32 gss_inquire_names_for_mech (
+     OM_uint32     *minor_status,
+     const gss_OID mechanism,
+     gss_OID_set   *name_types)
+
+   Purpose:
+
+   Returns the set of nametypes supported by the specified mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   mechanism         gss_OID, read
+                     The mechanism to be interrogated.
+
+   name_types        gss_OID_set, modify
+                     Set of name-types supported by the specified
+                     mechanism.  The returned OID set must be
+                     freed by the application after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.25. gss_process_context_token
+
+   OM_uint32 gss_process_context_token (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t token_buffer)
+
+        Purpose:
+
+   Provides a way to pass an asynchronous token to the security service.
+   Most context-level tokens are emitted and processed synchronously by
+   gss_init_sec_context and gss_accept_sec_context, and the application
+   is informed as to whether further tokens are expected by the
+   GSS_C_CONTINUE_NEEDED major status bit.  Occasionally, a mechanism
+   may need to emit a context-level token at a point when the peer
+   entity is not expecting a token.  For example, the initiator's final
+
+
+
+Wray                        Standards Track                    [Page 71]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   call to gss_init_sec_context may emit a token and return a status of
+   GSS_S_COMPLETE, but the acceptor's call to gss_accept_sec_context may
+   fail.  The acceptor's mechanism may wish to send a token containing
+   an error indication to the initiator, but the initiator is not
+   expecting a token at this point, believing that the context is fully
+   established.  Gss_process_context_token provides a way to pass such a
+   token to the mechanism at any time.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     context handle of context on which token is to
+                     be processed
+
+   token_buffer      buffer, opaque, read
+                     token to process
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed
+                     on the token failed
+
+   GSS_S_NO_CONTEXT  The context_handle did not refer to a valid context
+
+5.26. gss_release_buffer
+
+   OM_uint32 gss_release_buffer (
+     OM_uint32    *minor_status,
+     gss_buffer_t buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer.  The storage must have been
+   allocated by a GSS-API routine.  In addition to freeing the
+   associated storage, the routine will zero the length field in the
+   descriptor to which the buffer parameter refers, and implementations
+   are encouraged to additionally set the pointer field in the
+   descriptor to NULL.  Any buffer object returned by a GSS-API routine
+   may be passed to gss_release_buffer (even if there is no storage
+   associated with the buffer).
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 72]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   buffer            buffer, modify
+                     The storage associated with the buffer will be
+                     deleted.  The gss_buffer_desc object will not
+                     be freed, but its length field will be zeroed.
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.27. gss_release_cred
+
+   OM_uint32 gss_release_cred (
+     OM_uint32     *minor_status,
+     gss_cred_id_t *cred_handle)
+
+   Purpose:
+
+   Informs GSS-API that the specified credential handle is no longer
+   required by the application, and frees associated resources.
+   Implementations are encouraged to set the cred_handle to
+   GSS_C_NO_CREDENTIAL on successful completion of this call.
+
+   Parameters:
+
+   cred_handle       gss_cred_id_t, modify, optional
+                     Opaque handle identifying credential
+                     to be released.  If GSS_C_NO_CREDENTIAL
+                     is supplied, the routine will complete
+                     successfully, but will do nothing.
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 73]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.28. gss_release_name
+
+   OM_uint32 gss_release_name (
+     OM_uint32  *minor_status,
+     gss_name_t *name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage associated with an internal-form name.
+   Implementations are encouraged to set the name to GSS_C_NO_NAME on
+   successful completion of this call.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   name              gss_name_t, modify
+                     The name to be deleted
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+5.29. gss_release_oid_set
+
+   OM_uint32 gss_release_oid_set (
+     OM_uint32   *minor_status,
+     gss_OID_set *set)
+
+   Purpose:
+
+   Free storage associated with a GSSAPI-generated gss_OID_set object.
+   The set parameter must refer to an OID-set that was returned from a
+   GSS-API routine.  gss_release_oid_set() will free the storage
+   associated with each individual member OID, the OID set's elements
+   array, and the gss_OID_set_desc.
+
+   Implementations are encouraged to set the gss_OID_set parameter to
+   GSS_C_NO_OID_SET on successful completion of this routine.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+
+
+
+Wray                        Standards Track                    [Page 74]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   set               Set of Object IDs, modify
+                     The storage associated with the gss_OID_set
+                     will be deleted.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.30. gss_test_oid_set_member
+
+   OM_uint32 gss_test_oid_set_member (
+     OM_uint32         *minor_status,
+     const gss_OID     member,
+     const gss_OID_set set,
+     int               *present)
+
+   Purpose:
+
+   Interrogate an Object Identifier set to determine whether a specified
+   Object Identifier is a member.  This routine is intended to be used
+   with OID sets returned by gss_indicate_mechs(), gss_acquire_cred(),
+   and gss_inquire_cred(), but will also work with user-generated sets.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member            Object ID, read
+                     The object identifier whose presence
+                     is to be tested.
+
+   set               Set of Object ID, read
+                     The Object Identifier set.
+
+   present           Boolean, modify
+                     non-zero if the specified OID is a member
+                     of the set, zero if not.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 75]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.31. gss_unwrap
+
+   OM_uint32 gss_unwrap (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t input_message_buffer,
+     gss_buffer_t       output_message_buffer,
+     int                *conf_state,
+     gss_qop_t          *qop_state)
+
+   Purpose:
+
+   Converts a message previously protected by gss_wrap back to a usable
+   form, verifying the embedded MIC.  The conf_state parameter indicates
+   whether the message was encrypted; the qop_state parameter indicates
+   the strength of protection that was used to provide the
+   confidentiality and integrity services.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the wrapping and unwrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   input_message_buffer  buffer, opaque, read
+                     protected message
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive unwrapped message.
+                     Storage associated with this buffer must
+                     be freed by the application after use use
+                     with a call to gss_release_buffer().
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality and integrity
+                                protection were used
+                     Zero - Integrity service only was used
+                     Specify NULL if not required
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 76]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   qop_state         gss_qop_t, modify, optional
+                     Quality of protection provided.
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                         MIC for the message, but it had already been
+                         processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but it is too old to check for
+                     duplication.
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; a later token has already been
+                     received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; an earlier expected token has not yet
+                     been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+5.32. gss_verify_mic
+
+   OM_uint32 gss_verify_mic (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t message_buffer,
+     const gss_buffer_t token_buffer,
+     gss_qop_t          *qop_state)
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 77]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Verifies that a cryptographic MIC, contained in the token parameter,
+   fits the supplied message.  The qop_state parameter allows a message
+   recipient to determine the strength of protection that was applied to
+   the message.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the calculation and verification of MICs over zero-length
+   messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   message_buffer    buffer, opaque, read
+                     Message to be verified
+
+   token_buffer      buffer, opaque, read
+                     Token associated with message
+
+   qop_state         gss_qop_t, modify, optional
+                     quality of protection gained from MIC
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                     MIC for the message, but it had already been
+                     processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but it is too old to check for
+                     duplication.
+
+
+
+
+
+Wray                        Standards Track                    [Page 78]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; a later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; an earlier expected token has not yet
+                     been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                     valid context
+
+5.33. gss_wrap
+
+   OM_uint32 gss_wrap (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     int               conf_req_flag,
+     gss_qop_t          qop_req
+     const gss_buffer_t input_message_buffer,
+     int                *conf_state,
+     gss_buffer_t       output_message_buffer )
+
+   Purpose:
+
+   Attaches a cryptographic MIC and optionally encrypts the specified
+   input_message.  The output_message contains both the MIC and the
+   message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the wrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     will be sent
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 79]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   conf_req_flag     boolean, read
+                     Non-zero - Both confidentiality and integrity
+                                services are requested
+                     Zero - Only integrity service is requested
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies required quality of protection.  A
+                     mechanism-specific default may be requested by
+                     setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                     unsupported protection strength is requested,
+                     gss_wrap will return a major_status of
+                     GSS_S_BAD_QOP.
+
+   input_message_buffer  buffer, opaque, read
+                     Message to be protected
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality, data origin
+                                authentication and integrity
+                                services have been applied
+                     Zero - Integrity and data origin services only
+                            has been applied.
+                     Specify NULL if not required
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive protected message.
+                     Storage associated with this message must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                     valid context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 80]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.34. gss_wrap_size_limit
+
+   OM_uint32 gss_wrap_size_limit (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     int                conf_req_flag,
+     gss_qop_t          qop_req,
+     OM_uint32          req_output_size,
+     OM_uint32          *max_input_size)
+
+   Purpose:
+
+   Allows an application to determine the maximum message size that, if
+   presented to gss_wrap with the same conf_req_flag and qop_req
+   parameters, will result in an output token containing no more than
+   req_output_size bytes.
+
+   This call is intended for use by applications that communicate over
+   protocols that impose a maximum message size.  It enables the
+   application to fragment messages prior to applying protection.
+
+   GSS-API implementations are recommended but not required to detect
+   invalid QOP values when gss_wrap_size_limit() is called. This routine
+   guarantees only a maximum message size, not the availability of
+   specific QOP values for message protection.
+
+   Successful completion of this call does not guarantee that gss_wrap
+   will be able to protect a message of length max_input_size bytes,
+   since this ability may depend on the availability of system resources
+   at the time that gss_wrap is called.  However, if the implementation
+   itself imposes an upper limit on the length of messages that may be
+   processed by gss_wrap, the implementation should not return a value
+   via max_input_bytes that is greater than this length.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security over
+                     which the messages will be sent.
+
+   conf_req_flag     Boolean, read
+                     Indicates whether gss_wrap will be asked
+                     to apply confidentiality protection in
+
+
+
+
+
+Wray                        Standards Track                    [Page 81]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     addition to integrity protection.  See
+                     the routine description for gss_wrap
+                     for more details.
+
+   qop_req           gss_qop_t, read
+                     Indicates the level of protection that
+                     gss_wrap will be asked to provide.  See
+                     the routine description for gss_wrap for
+                     more details.
+
+   req_output_size   Integer, read
+                     The desired maximum size for tokens emitted
+                     by gss_wrap.
+
+   max_input_size    Integer, modify
+                     The maximum input message size that may
+                     be presented to gss_wrap in order to
+                     guarantee that the emitted token shall
+                     be no larger than req_output_size bytes.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+6.   Security Considerations
+
+   This document specifies a service interface for security facilities
+   and services; as such, security considerations appear throughout the
+   specification. Nonetheless, it is appropriate to summarize certain
+   specific points relevant to GSS-API implementors and calling
+   applications. Usage of the GSS-API interface does not in itself
+   provide security services or assurance; instead, these attributes are
+   dependent on the underlying mechanism(s) which support a GSS-API
+   implementation. Callers must be attentive to the requests made to
+   GSS-API calls and to the status indicators returned by GSS-API, as
+   these specify the security service characteristics which GSS-API will
+   provide. When the interprocess context transfer facility is used,
+   appropriate local controls should be applied to constrain access to
+   interprocess tokens and to the sensitive data which they contain.
+
+
+
+
+
+Wray                        Standards Track                    [Page 82]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Appendix A. GSS-API C header file gssapi.h
+
+   C-language GSS-API implementations should include a copy of the
+   following header-file.
+
+   #ifndef GSSAPI_H_
+   #define GSSAPI_H_
+
+
+
+   /*
+    * First, include stddef.h to get size_t defined.
+    */
+   #include <stddef.h>
+
+   /*
+    * If the platform supports the xom.h header file, it should be
+    * included here.
+    */
+   #include <xom.h>
+
+
+   /*
+    * Now define the three implementation-dependent types.
+    */
+   typedef <platform-specific> gss_ctx_id_t;
+   typedef <platform-specific> gss_cred_id_t;
+   typedef <platform-specific> gss_name_t;
+
+   /*
+    * The following type must be defined as the smallest natural
+    * unsigned integer supported by the platform that has at least
+    * 32 bits of precision.
+    */
+   typedef <platform-specific> gss_uint32;
+
+
+   #ifdef OM_STRING
+   /*
+    * We have included the xom.h header file.  Verify that OM_uint32
+    * is defined correctly.
+    */
+
+   #if sizeof(gss_uint32) != sizeof(OM_uint32)
+   #error Incompatible definition of OM_uint32 from xom.h
+   #endif
+
+   typedef OM_object_identifier gss_OID_desc, *gss_OID;
+
+
+
+Wray                        Standards Track                    [Page 83]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #else
+
+   /*
+    * We can't use X/Open definitions, so roll our own.
+    */
+
+   typedef gss_uint32 OM_uint32;
+
+   typedef struct gss_OID_desc_struct {
+     OM_uint32 length;
+     void      *elements;
+   } gss_OID_desc, *gss_OID;
+
+   #endif
+
+   typedef struct gss_OID_set_desc_struct  {
+     size_t     count;
+     gss_OID    elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   typedef struct gss_buffer_desc_struct {
+     size_t length;
+     void *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   typedef struct gss_channel_bindings_struct {
+     OM_uint32 initiator_addrtype;
+     gss_buffer_desc initiator_address;
+     OM_uint32 acceptor_addrtype;
+     gss_buffer_desc acceptor_address;
+     gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+   /*
+    * For now, define a QOP-type as an OM_uint32
+    */
+   typedef OM_uint32 gss_qop_t;
+
+   typedef int gss_cred_usage_t;
+
+   /*
+    * Flag bits for context-level services.
+    */
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 84]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_DELEG_FLAG      1
+   #define GSS_C_MUTUAL_FLAG     2
+   #define GSS_C_REPLAY_FLAG     4
+   #define GSS_C_SEQUENCE_FLAG   8
+   #define GSS_C_CONF_FLAG       16
+   #define GSS_C_INTEG_FLAG      32
+   #define GSS_C_ANON_FLAG       64
+   #define GSS_C_PROT_READY_FLAG 128
+   #define GSS_C_TRANS_FLAG      256
+
+   /*
+    * Credential usage options
+    */
+   #define GSS_C_BOTH     0
+   #define GSS_C_INITIATE 1
+   #define GSS_C_ACCEPT   2
+
+   /*
+    * Status code types for gss_display_status
+    */
+   #define GSS_C_GSS_CODE  1
+   #define GSS_C_MECH_CODE 2
+
+   /*
+    * The constant definitions for channel-bindings address families
+    */
+   #define GSS_C_AF_UNSPEC     0
+   #define GSS_C_AF_LOCAL      1
+   #define GSS_C_AF_INET       2
+   #define GSS_C_AF_IMPLINK    3
+   #define GSS_C_AF_PUP        4
+   #define GSS_C_AF_CHAOS      5
+   #define GSS_C_AF_NS         6
+   #define GSS_C_AF_NBS        7
+   #define GSS_C_AF_ECMA       8
+   #define GSS_C_AF_DATAKIT    9
+   #define GSS_C_AF_CCITT      10
+   #define GSS_C_AF_SNA        11
+   #define GSS_C_AF_DECnet     12
+   #define GSS_C_AF_DLI        13
+   #define GSS_C_AF_LAT        14
+   #define GSS_C_AF_HYLINK     15
+   #define GSS_C_AF_APPLETALK  16
+   #define GSS_C_AF_BSC        17
+   #define GSS_C_AF_DSS        18
+   #define GSS_C_AF_OSI        19
+   #define GSS_C_AF_X25        21
+
+
+
+
+Wray                        Standards Track                    [Page 85]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_AF_NULLADDR   255
+
+   /*
+    * Various Null values
+    */
+   #define GSS_C_NO_NAME ((gss_name_t) 0)
+   #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+   #define GSS_C_NO_OID ((gss_OID) 0)
+   #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+   #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+   #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+   #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+   #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+   /*
+    * Some alternate names for a couple of the above
+    * values.  These are defined for V1 compatibility.
+    */
+   #define GSS_C_NULL_OID GSS_C_NO_OID
+   #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+   /*
+    * Define the default Quality of Protection for per-message
+    * services.  Note that an implementation that offers multiple
+    * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+    * (as done here) to mean "default protection", or to a specific
+    * explicit QOP value.  However, a value of 0 should always be
+    * interpreted by a GSS-API implementation as a request for the
+    * default protection level.
+    */
+   #define GSS_C_QOP_DEFAULT 0
+
+   /*
+    * Expiration time of 2^32-1 seconds means infinite lifetime for a
+    * credential or security context
+    */
+   #define GSS_C_INDEFINITE 0xfffffffful
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    * "\x01\x02\x01\x01"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+    * GSS_C_NT_USER_NAME should be initialized to point
+    * to that gss_OID_desc.
+
+
+
+Wray                        Standards Track                    [Page 86]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+    */
+   extern gss_OID GSS_C_NT_USER_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+    * The constant GSS_C_NT_MACHINE_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x03"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+    * The constant GSS_C_NT_STRING_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) org(3) dod(6) internet(1) security(5)
+    * nametypes(6) gss-host-based-services(2)).  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+    * to that gss_OID_desc.  This is a deprecated OID value, and
+    * implementations wishing to support hostbased-service names
+    * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+    * defined below, to identify such names;
+    * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+    * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+    * parameter, but should not be emitted by GSS-API
+    * implementations
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+
+
+
+Wray                        Standards Track                    [Page 87]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x04"}, corresponding to an
+    * object-identifier value of {iso(1) member-body(2)
+    * Unites States(840) mit(113554) infosys(1) gssapi(2)
+    * generic(1) service_name(4)}.  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+    * to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+    * corresponding to an object identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+    * and GSS_C_NT_ANONYMOUS should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+    * GSS_C_NT_EXPORT_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+
+   /* Major status codes */
+
+   #define GSS_S_COMPLETE 0
+
+   /*
+    * Some "helper" definitions to make the status code macros obvious.
+    */
+   #define GSS_C_CALLING_ERROR_OFFSET 24
+   #define GSS_C_ROUTINE_ERROR_OFFSET 16
+
+
+
+Wray                        Standards Track                    [Page 88]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_SUPPLEMENTARY_OFFSET 0
+   #define GSS_C_CALLING_ERROR_MASK 0377ul
+   #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+   #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+   /*
+    * The macros that test status codes for error conditions.
+    * Note that the GSS_ERROR() macro has changed slightly from
+    * the V1 GSS-API so that it now evaluates its argument
+    * only once.
+    */
+   #define GSS_CALLING_ERROR(x) \
+    (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+   #define GSS_ROUTINE_ERROR(x) \
+    (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+   #define GSS_SUPPLEMENTARY_INFO(x) \
+    (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+   #define GSS_ERROR(x) \
+    (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+          (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+   /*
+    * Now the actual status code definitions
+    */
+
+   /*
+    * Calling errors:
+
+    */
+   #define GSS_S_CALL_INACCESSIBLE_READ \
+   (1ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_INACCESSIBLE_WRITE \
+   (2ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_BAD_STRUCTURE \
+   (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+   /*
+    * Routine errors:
+    */
+   #define GSS_S_BAD_MECH             (1ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAME             (2ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAMETYPE         (3ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_BINDINGS         (4ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_STATUS           (5ul <<
+
+
+
+Wray                        Standards Track                    [Page 89]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_SIG              (6ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_MIC GSS_S_BAD_SIG
+   #define GSS_S_NO_CRED              (7ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NO_CONTEXT           (8ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_TOKEN      (9ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_CREDENTIAL (10ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CREDENTIALS_EXPIRED  (11ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CONTEXT_EXPIRED      (12ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_FAILURE              (13ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_QOP              (14ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAUTHORIZED         (15ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAVAILABLE          (16ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DUPLICATE_ELEMENT    (17ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NAME_NOT_MN          (18ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+
+   /*
+    * Supplementary info bits:
+    */
+   #define GSS_S_CONTINUE_NEEDED \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+   #define GSS_S_DUPLICATE_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+   #define GSS_S_OLD_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+   #define GSS_S_UNSEQ_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+   #define GSS_S_GAP_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+   /*
+    * Finally, function prototypes for the GSS-API routines.
+    */
+
+
+
+
+
+Wray                        Standards Track                    [Page 90]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_acquire_cred
+                 (OM_uint32 ,             /*  minor_status */
+                  const gss_name_t,       /* desired_name */
+                  OM_uint32,              /* time_req */
+                  const gss_OID_set,      /* desired_mechs */
+                  gss_cred_usage_t,       /* cred_usage */
+                  gss_cred_id_t ,         /* output_cred_handle */
+                  gss_OID_set ,           /* actual_mechs */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_release_cred
+                 (OM_uint32 ,             /* minor_status */
+                  gss_cred_id_t *         /* cred_handle */
+                 );
+
+   OM_uint32 gss_init_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* initiator_cred_handle */
+                  gss_ctx_id_t ,          /* context_handle */
+                  const gss_name_t,       /* target_name */
+                  const gss_OID,          /* mech_type */
+                  OM_uint32,              /* req_flags */
+                  OM_uint32,              /* time_req */
+                  const gss_channel_bindings_t,
+                                          /* input_chan_bindings */
+                  const gss_buffer_t,     /* input_token */
+                  gss_OID ,               /* actual_mech_type */
+                  gss_buffer_t,           /* output_token */
+                  OM_uint32 ,             /* ret_flags */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_accept_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  const gss_cred_id_t,    /* acceptor_cred_handle */
+                  const gss_buffer_t,     /* input_token_buffer */
+                  const gss_channel_bindings_t,
+                                          /* input_chan_bindings */
+                  gss_name_t ,            /* src_name */
+                  gss_OID ,               /* mech_type */
+                  gss_buffer_t,           /* output_token */
+                  OM_uint32 ,             /* ret_flags */
+                  OM_uint32 ,             /* time_rec */
+                  gss_cred_id_t *         /* delegated_cred_handle */
+                 );
+
+
+
+
+Wray                        Standards Track                    [Page 91]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_process_context_token
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t      /* token_buffer */
+                 );
+
+   OM_uint32 gss_delete_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  gss_buffer_t            /* output_token */
+                 );
+
+   OM_uint32 gss_context_time
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_get_mic
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  gss_qop_t,              /* qop_req */
+                  const gss_buffer_t,     /* message_buffer */
+                  gss_buffer_t            /* message_token */
+                 );
+
+   OM_uint32 gss_verify_mic
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t,     /* message_buffer */
+                  const gss_buffer_t,     /* token_buffer */
+                  gss_qop_t *             /* qop_state */
+                 );
+
+   OM_uint32 gss_wrap
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  int,                    /* conf_req_flag */
+                  gss_qop_t,              /* qop_req */
+                  const gss_buffer_t,     /* input_message_buffer */
+                  int ,                   /* conf_state */
+                  gss_buffer_t            /* output_message_buffer */
+                 );
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 92]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_unwrap
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t,     /* input_message_buffer */
+                  gss_buffer_t,           /* output_message_buffer */
+                  int ,                   /* conf_state */
+                  gss_qop_t *             /* qop_state */
+                 );
+
+
+
+   OM_uint32 gss_display_status
+                 (OM_uint32 ,             /* minor_status */
+                  OM_uint32,              /* status_value */
+                  int,                    /* status_type */
+                  const gss_OID,          /* mech_type */
+                  OM_uint32 ,             /* message_context */
+                  gss_buffer_t            /* status_string */
+                 );
+
+   OM_uint32 gss_indicate_mechs
+                 (OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* mech_set */
+                 );
+
+   OM_uint32 gss_compare_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* name1 */
+                  const gss_name_t,       /* name2 */
+                  int *                   /* name_equal */
+                 );
+
+   OM_uint32 gss_display_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_buffer_t,           /* output_name_buffer */
+                  gss_OID *               /* output_name_type */
+                 );
+
+   OM_uint32 gss_import_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_buffer_t,     /* input_name_buffer */
+                  const gss_OID,          /* input_name_type */
+                  gss_name_t *            /* output_name */
+                 );
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 93]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_export_name
+                 (OM_uint32,              /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_buffer_t            /* exported_name */
+                 );
+
+   OM_uint32 gss_release_name
+                 (OM_uint32 *,            /* minor_status */
+                  gss_name_t *            /* input_name */
+                 );
+
+   OM_uint32 gss_release_buffer
+                 (OM_uint32 ,             /* minor_status */
+                  gss_buffer_t            /* buffer */
+                 );
+
+   OM_uint32 gss_release_oid_set
+                 (OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* set */
+                 );
+
+   OM_uint32 gss_inquire_cred
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* cred_handle */
+                  gss_name_t ,            /* name */
+                  OM_uint32 ,             /* lifetime */
+                  gss_cred_usage_t ,      /* cred_usage */
+                  gss_OID_set *           /* mechanisms */
+                 );
+
+   OM_uint32 gss_inquire_context (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  gss_name_t ,            /* src_name */
+                  gss_name_t ,            /* targ_name */
+                  OM_uint32 ,             /* lifetime_rec */
+                  gss_OID ,               /* mech_type */
+                  OM_uint32 ,             /* ctx_flags */
+                  int ,                   /* locally_initiated */
+                  int *                   /* open */
+                 );
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 94]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_wrap_size_limit (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  int,                    /* conf_req_flag */
+                  gss_qop_t,              /* qop_req */
+                  OM_uint32,              /* req_output_size */
+                  OM_uint32 *             /* max_input_size */
+                 );
+
+   OM_uint32 gss_add_cred (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* input_cred_handle */
+                  const gss_name_t,       /* desired_name */
+                  const gss_OID,          /* desired_mech */
+                  gss_cred_usage_t,       /* cred_usage */
+                  OM_uint32,              /* initiator_time_req */
+                  OM_uint32,              /* acceptor_time_req */
+                  gss_cred_id_t ,         /* output_cred_handle */
+                  gss_OID_set ,           /* actual_mechs */
+                  OM_uint32 ,             /* initiator_time_rec */
+                  OM_uint32 *             /* acceptor_time_rec */
+                 );
+
+   OM_uint32 gss_inquire_cred_by_mech (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* cred_handle */
+                  const gss_OID,          /* mech_type */
+                  gss_name_t ,            /* name */
+                  OM_uint32 ,             /* initiator_lifetime */
+                  OM_uint32 ,             /* acceptor_lifetime */
+                  gss_cred_usage_t *      /* cred_usage */
+                 );
+
+   OM_uint32 gss_export_sec_context (
+                  OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  gss_buffer_t            /* interprocess_token */
+                 );
+
+   OM_uint32 gss_import_sec_context (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_buffer_t,     /* interprocess_token */
+                  gss_ctx_id_t *          /* context_handle */
+                 );
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 95]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_create_empty_oid_set (
+                  OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* oid_set */
+                 );
+
+   OM_uint32 gss_add_oid_set_member (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* member_oid */
+                  gss_OID_set *           /* oid_set */
+                 );
+
+   OM_uint32 gss_test_oid_set_member (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* member */
+                  const gss_OID_set,      /* set */
+                  int *                   /* present */
+                 );
+
+   OM_uint32 gss_inquire_names_for_mech (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* mechanism */
+                  gss_OID_set *           /* name_types */
+                 );
+
+   OM_uint32 gss_inquire_mechs_for_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_OID_set *           /* mech_types */
+                 );
+
+   OM_uint32 gss_canonicalize_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  const gss_OID,          /* mech_type */
+                  gss_name_t *            /* output_name */
+                 );
+
+   OM_uint32 gss_duplicate_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* src_name */
+                  gss_name_t *            /* dest_name */
+                 );
+
+   /*
+    * The following routines are obsolete variants of gss_get_mic,
+    * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+    * provided by GSS-API V2 implementations for backwards
+    * compatibility with V1 applications.  Distinct entrypoints
+
+
+
+Wray                        Standards Track                    [Page 96]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+    * (as opposed to #defines) should be provided, both to allow
+    * GSS-API V1 applications to link against GSS-API V2
+      implementations,
+    * and to retain the slight parameter type differences between the
+    * obsolete versions of these routines and their current forms.
+    */
+
+   OM_uint32 gss_sign
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  int,               /* qop_req */
+                  gss_buffer_t,      /* message_buffer */
+                  gss_buffer_t       /* message_token */
+                 );
+
+
+   OM_uint32 gss_verify
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  gss_buffer_t,      /* message_buffer */
+                  gss_buffer_t,      /* token_buffer */
+                  int *              /* qop_state */
+                 );
+
+   OM_uint32 gss_seal
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  int,               /* conf_req_flag */
+                  int,               /* qop_req */
+                  gss_buffer_t,      /* input_message_buffer */
+                  int ,              /* conf_state */
+                  gss_buffer_t       /* output_message_buffer */
+                 );
+
+
+   OM_uint32 gss_unseal
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  gss_buffer_t,      /* input_message_buffer */
+                  gss_buffer_t,      /* output_message_buffer */
+                  int ,              /* conf_state */
+                  int *              /* qop_state */
+                 );
+
+   #endif /* GSSAPI_H_ */
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 97]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+Appendix B. Additional constraints for application binary portability
+
+   The purpose of this C-bindings document is to encourage source-level
+   portability of applications across GSS-API implementations on
+   different platforms and atop different mechanisms.  Additional goals
+   that have not been explicitly addressed by this document are link-
+   time and run-time portability.
+
+   Link-time portability provides the ability to compile an application
+   against one implementation of GSS-API, and then link it against a
+   different implementation on the same platform.  It is a stricter
+   requirement than source-level portability.
+
+   Run-time portability differs from link-time portability only on those
+   platforms that implement dynamically loadable GSS-API
+   implementations, but do not offer load-time symbol resolution. On
+   such platforms, run-time portability is a stricter requirement than
+   link-time portability, and will typically include the precise
+   placement of the various GSS-API routines within library entrypoint
+   vectors.
+
+   Individual platforms will impose their own rules that must be
+   followed to achieve link-time (and run-time, if different)
+   portability.  In order to ensure either form of binary portability,
+   an ABI specification must be written for GSS-API implementations on
+   that platform.  However, it is recognized that there are some issues
+   that are likely to be common to all such ABI specifications. This
+   appendix is intended to be a repository for such common issues, and
+   contains some suggestions that individual ABI specifications may
+   choose to reference. Since machine architectures vary greatly, it may
+   not be possible or desirable to follow these suggestions on all
+   platforms.
+
+B.1. Pointers
+
+   While ANSI-C provides a single pointer type for each declared type,
+   plus a single (void *) type, some platforms (notably those using
+   segmented memory architectures) augment this with various modified
+   pointer types (e.g. far pointers, near pointers). These language
+   bindings assume ANSI-C, and thus do not address such non-standard
+   implementations.  GSS-API implementations for such platforms must
+   choose an appropriate memory model, and should use it consistently
+   throughout.  For example, if a memory model is chosen that requires
+   the use of far pointers when passing routine parameters, then far
+   pointers should also be used within the structures defined by GSS-
+   API.
+
+
+
+
+
+Wray                        Standards Track                    [Page 98]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+B.2. Internal structure alignment
+
+   GSS-API defines several data-structures containing differently-sized
+   fields.  An ABI specification should include a detailed description
+   of how the fields of such structures are aligned, and if there is any
+   internal padding in these data structures.  The use of compiler
+   defaults for the platform is recommended.
+
+B.3. Handle types
+
+   The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types
+   should be implemented as either pointer or arithmetic types, and that
+   if pointer types are used, care should be taken to ensure that two
+   handles may be compared with the == operator. Note that ANSI-C does
+   not guarantee that two pointer values may be compared with the ==
+   operator unless either the two pointers point to members of a single
+   array, or at least one of the pointers contains a NULL value.
+
+   For binary portability, additional constraints are required. The
+   following is an attempt at defining platform-independent constraints.
+
+   The size of the handle type must be the same as sizeof(void *), using
+   the appropriate memory model.
+
+   The == operator for the chosen type must be a simple bit-wise
+   comparison.  That is, for two in-memory handle objects h1 and h2, the
+   boolean value of the expression
+
+      (h1 == h2)
+
+   should always be the same as the boolean value of the expression
+
+      (memcmp(&h1, &h2, sizeof(h1)) == 0)
+
+   The actual use of the type (void *) for handle types is discouraged,
+   not for binary portability reasons, but since it effectively disables
+   much of the compile-time type-checking that the compiler can
+   otherwise perform, and is therefore not "programmer-friendly".  If a
+   pointer implementation is desired, and if the platform's
+   implementation of pointers permits, the handles should be implemented
+   as pointers to distinct implementation-defined types.
+
+B.4. The gss_name_t type
+
+   The gss_name_t type, representing the internal name object, should be
+   implemented as a pointer type.  The use of the (void *) type is
+   discouraged as it does not allow the compiler to perform strong
+   type-checking.  However, the pointer type chosen should be of the
+
+
+
+Wray                        Standards Track                    [Page 99]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   same size as the (void *) type.  Provided this rule is obeyed, ABI
+   specifications need not further constrain the implementation of
+   gss_name_t objects.
+
+B.5. The int and size_t types
+
+   Some platforms may support differently sized implementations of the
+   "int" and "size_t" types, perhaps chosen through compiler switches,
+   and perhaps dependent on memory model.  An ABI specification for such
+   a platform should include required implementations for these types.
+   It is recommended that the default implementation (for the chosen
+   memory model, if appropriate) is chosen.
+
+B.6. Procedure-calling conventions
+
+   Some platforms support a variety of different binary conventions for
+   calling procedures.  Such conventions cover things like the format of
+   the stack frame, the order in which the routine parameters are pushed
+   onto the stack, whether or not a parameter count is pushed onto the
+   stack, whether some argument(s) or return values are to be passed in
+   registers, and whether the called routine or the caller is
+   responsible for removing the stack frame on return.  For such
+   platforms, an ABI specification should specify which calling
+   convention is to be used for GSS-API implementations.
+
+References
+
+   [GSSAPI]    Linn, J., "Generic Security Service Application Program
+               Interface Version 2, Update 1", RFC 2743, January 2000.
+
+   [XOM]       OSI Object Management API Specification, Version 2.0 t",
+               X.400 API Association & X/Open Company Limited, August
+               24, 1990 Specification of datatypes and routines for
+               manipulating information objects.
+
+Author's Address
+
+   John Wray
+   Iris Associates
+   5 Technology Park Drive,
+   Westford, MA  01886
+   USA
+
+   Phone: +1-978-392-6689
+   EMail: John_Wray@Iris.com
+
+
+
+
+
+
+Wray                        Standards Track                   [Page 100]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                   [Page 101]
+
diff --git a/crypto/heimdal/doc/whatis.texi b/crypto/heimdal/doc/whatis.texi
new file mode 100644
index 0000000..97d4da2
--- /dev/null
+++ b/crypto/heimdal/doc/whatis.texi
@@ -0,0 +1,149 @@
+@node What is Kerberos?, Building and Installing, Introduction, Top
+@chapter What is Kerberos?
+
+@quotation
+@flushleft
+        Now this Cerberus had three heads of dogs,
+        the tail of a dragon, and on his back the
+        heads of all sorts of snakes.
+        --- Pseudo-Apollodorus Library 2.5.12
+@end flushleft
+@end quotation
+
+Kerberos is a system for authenticating users and services on a network.
+It is built upon the assumption that the network is ``unsafe''.  For
+example, data sent over the network can be eavesdropped and altered, and
+addresses can also be faked.  Therefore they cannot be used for
+authentication purposes.
+@cindex authentication
+
+Kerberos is a trusted third-party service.  That means that there is a
+third party (the kerberos server) that is trusted by all the entities on
+the network (users and services, usually called @dfn{principals}).  All
+principals share a secret password (or key) with the kerberos server and
+this enables principals to verify that the messages from the kerberos
+server are authentic.  Thus trusting the kerberos server, users and
+services can authenticate each other.
+
+@section Basic mechanism
+
+@ifinfo
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifinfo
+
+@tex
+@def@xsub#1{$_{#1}$}
+@global@let@sub=@xsub
+@end tex
+
+@ifhtml
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifhtml
+
+@quotation
+@strong{Note:} This discussion is about Kerberos version 4, but version
+5 works similarly.
+@end quotation
+
+In Kerberos, principals use @dfn{tickets} to prove that they are who
+they claim to be. In the following example, @var{A} is the initiator of
+the authentication exchange, usually a user, and @var{B} is the service
+that @var{A} wishes to use.
+
+To obtain a ticket for a specific service, @var{A} sends a ticket
+request to the kerberos server. The request contains @var{A}'s and
+@var{B}'s names (along with some other fields). The kerberos server
+checks that both @var{A} and @var{B} are valid principals.
+
+Having verified the validity of the principals, it creates a packet
+containing @var{A}'s and @var{B}'s names, @var{A}'s network address
+(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
+of the ticket (@var{life}), and a secret @dfn{session key}
+@cindex session key
+(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
+(@var{K@sub{B}}).  The actual ticket (@var{T@sub{AB}}) looks like this:
+(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
+@var{K@sub{AB}}@}@var{K@sub{B}}).
+
+The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
+name, the current time, the lifetime of the ticket, and the session key, all
+encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
+@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
+decrypts the reply and retains it for later use.
+
+@sp 1
+
+Before sending a message to @var{B}, @var{A} creates an authenticator
+consisting of @var{A}'s name, @var{A}'s address, the current time, and a
+``checksum'' chosen by @var{A}, all encrypted with the secret session
+key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
+@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
+received from the kerberos server to @var{B}.  Upon reception, @var{B}
+decrypts the ticket using @var{B}'s secret key.  Since the ticket
+contains the session key that the authenticator was encrypted with,
+@var{B} can now also decrypt the authenticator. To verify that @var{A}
+really is @var{A}, @var{B} now has to compare the contents of the ticket
+with that of the authenticator. If everything matches, @var{B} now
+considers @var{A} as properly authenticated.
+
+@c (here we should have some more explanations)
+
+@section Different attacks
+
+@subheading Impersonating A
+
+An impostor, @var{C} could steal the authenticator and the ticket as it
+is transmitted across the network, and use them to impersonate
+@var{A}. The address in the ticket and the authenticator was added to
+make it more difficult to perform this attack.  To succeed @var{C} will
+have to either use the same machine as @var{A} or fake the source
+addresses of the packets. By including the time stamp in the
+authenticator, @var{C} does not have much time in which to mount the
+attack.
+
+@subheading Impersonating B
+
+@var{C} can hijack @var{B}'s network address, and when @var{A} sends
+her credentials, @var{C} just pretend to verify them. @var{C} can't
+be sure that she is talking to @var{A}.
+
+@section Defense strategies
+
+It would be possible to add a @dfn{replay cache}
+@cindex replay cache
+to the server side.  The idea is to save the authenticators sent during
+the last few minutes, so that @var{B} can detect when someone is trying
+to retransmit an already used message. This is somewhat impractical
+(mostly regarding efficiency), and is not part of Kerberos 4; MIT
+Kerberos 5 contains it.
+
+To authenticate @var{B}, @var{A} might request that @var{B} sends
+something back that proves that @var{B} has access to the session
+key. An example of this is the checksum that @var{A} sent as part of the
+authenticator. One typical procedure is to add one to the checksum,
+encrypt it with the session key and send it back to @var{A}.  This is
+called @dfn{mutual authentication}.
+
+The session key can also be used to add cryptographic checksums to the
+messages sent between @var{A} and @var{B} (known as @dfn{message
+integrity}).  Encryption can also be added (@dfn{message
+confidentiality}). This is probably the best approach in all cases.
+@cindex integrity
+@cindex confidentiality
+
+@section Further reading
+
+The original paper on Kerberos from 1988 is @cite{Kerberos: An
+Authentication Service for Open Network Systems}, by Jennifer Steiner,
+Clifford Neuman and Jeffrey I. Schiller.
+
+A less technical description can be found in @cite{Designing an
+Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
+from 1988.
+
+These documents can be found on our web-page at
+@url{http://www.pdc.kth.se/kth-krb/}.
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
new file mode 100644
index 0000000..1a0e731
--- /dev/null
+++ b/crypto/heimdal/doc/win2k.texi
@@ -0,0 +1,58 @@
+@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
+@comment  node-name,  next,  previous,  up
+@chapter Windows 2000 compatability
+
+Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
+Kerberos 5.  Their implementation, however, has some quirks,
+peculiarities, and bugs.  This chapter is a short summary of the things
+that we have found out while trying to test Heimdal against Windows
+2000.  Another big problem with the Kerberos implementation in Windows
+2000 is the almost complete lack of documentation.
+
+This information should apply to Heimdal @value{VERSION} and Windows
+2000 RC1.  It's of course subject all the time and mostly consists of
+our not so inspired guesses.  Hopefully it's still somewhat useful.
+
+@menu
+* Encryption types::            
+* Authorization data::          
+@end menu
+
+@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Encryption types
+
+Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
+des-cbc-md5) and its own proprietary encryption that is based on md4 and
+rc4 and which is supposed to be described in
+draft-brezak-win2k-krb-rc4-hmac-01.txt.  To enable a given principal to
+use DES, it needs to have DES keys in the database.  To do this, you
+need to enable DES keys for the particular principal with the user
+administration tool and then change the password.
+
+@node Authorization data,  , Encryption types, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Authorization data
+
+The Windows 2000 KDC also adds extra authorization data in tickets.
+It is at this point unclear what triggers it to do this.  The format of
+this data is unknown and according to Microsoft, subject to change.  A
+simple way of getting hold of the data to be able to understand it
+better is described here.
+
+@enumerate
+@item Find the client example on using the SSPI in the SDK documentation.
+@item Change ``AuthSamp'' in the source code to lowercase.
+@item Build the program.
+@item Add the ``authsamp'' principal with a known password to the
+database.  Make sure it has a DES key.
+@item Run @kbd{ktutil add} to add the key for that principal to a
+keytab.
+@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
+--dump-auth=file} where file is an appropriate file.
+@item It should authenticate and dump for you the authorization data in
+the file.
+@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
+analyzing the data.
+@end enumerate
+
diff --git a/crypto/heimdal/etc/services.append b/crypto/heimdal/etc/services.append
new file mode 100644
index 0000000..e3a31f9
--- /dev/null
+++ b/crypto/heimdal/etc/services.append
@@ -0,0 +1,27 @@
+#
+# $Id: services.append,v 1.4 1999/07/23 21:36:03 assar Exp $
+#
+# Kerberos services
+#
+kerberos	88/udp		kerberos-sec	# Kerberos v5 UDP
+kerberos	88/tcp		kerberos-sec	# Kerberos v5 TCP
+kpasswd		464/udp				# password changing
+kpasswd		464/tdp				# password changing
+klogin		543/tcp				# Kerberos authenticated rlogin
+kshell		544/tcp		krcmd		# and remote shell
+ekshell		545/tcp		      # Kerberos encrypted remote shell -kfall
+ekshell2	2106/tcp	      # What U of Colorado @ Boulder uses?
+kerberos-adm	749/udp				# v5 kadmin
+kerberos-adm	749/tcp				# v5 kadmin
+kerberos-iv	750/udp		kdc		# Kerberos authentication--udp
+kerberos-iv	750/tcp		kdc		# Kerberos authentication--tcp
+kerberos_master 751/udp				# v4 kadmin
+kerberos_master 751/tcp				# v4 kadmin
+krb_prop	754/tcp		hprop		# Kerberos slave propagation
+kpop		1109/tcp			# Pop with Kerberos
+eklogin		2105/tcp			# Kerberos encrypted rlogin
+rkinit		2108/tcp			# Kerberos remote kinit
+kf		2110/tcp			# forward credentials
+kx		2111/tcp			# X over kerberos
+kip		2112/tcp			# IP over kerberos
+kauth		2120/tcp			# Remote kauth
diff --git a/crypto/heimdal/include/Makefile.am b/crypto/heimdal/include/Makefile.am
new file mode 100644
index 0000000..f9d240b
--- /dev/null
+++ b/crypto/heimdal/include/Makefile.am
@@ -0,0 +1,50 @@
+# $Id: Makefile.am,v 1.30 1999/12/21 17:03:11 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = kadm5
+
+noinst_PROGRAMS = bits
+CHECK_LOCAL =
+
+INCLUDES = -DHOST=\"$(CANONICAL_HOST)\"
+
+include_HEADERS = krb5-types.h
+
+krb5-types.h: bits$(EXEEXT)
+	./bits$(EXEEXT) krb5-types.h
+
+CLEANFILES =		\
+	asn1.h		\
+	asn1_err.h	\
+	base64.h	\
+	com_err.h	\
+	com_right.h	\
+	der.h		\
+	des.h		\
+	editline.h	\
+	err.h		\
+	getarg.h	\
+	glob.h		\
+	gssapi.h	\
+	hdb.h		\
+	hdb_asn1.h	\
+	hdb_err.h	\
+	heim_err.h	\
+	kafs.h		\
+	krb5-protos.h	\
+	krb5-private.h	\
+	krb5-types.h	\
+	krb5.h		\
+	krb5_err.h	\
+	md4.h		\
+	md5.h		\
+	otp.h		\
+	parse_time.h	\
+	parse_units.h	\
+	resolve.h	\
+	roken-common.h	\
+	roken.h		\
+	sha.h		\
+	sl.h		\
+	xdbm.h
diff --git a/crypto/heimdal/include/Makefile.in b/crypto/heimdal/include/Makefile.in
new file mode 100644
index 0000000..dd23443
--- /dev/null
+++ b/crypto/heimdal/include/Makefile.in
@@ -0,0 +1,748 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.30 1999/12/21 17:03:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -DHOST=\"$(CANONICAL_HOST)\"
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+CHECK_LOCAL = 
+
+SUBDIRS = kadm5
+
+noinst_PROGRAMS = bits
+
+include_HEADERS = krb5-types.h
+
+CLEANFILES =  	asn1.h			asn1_err.h		base64.h		com_err.h		com_right.h		der.h			des.h			editline.h		err.h			getarg.h		glob.h			gssapi.h		hdb.h			hdb_asn1.h		hdb_err.h		heim_err.h		kafs.h			krb5-protos.h		krb5-private.h		krb5-types.h		krb5.h			krb5_err.h		md4.h			md5.h			otp.h			parse_time.h		parse_units.h		resolve.h		roken-common.h		roken.h			sha.h			sl.h			xdbm.h
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  bits$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I.
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+bits_SOURCES = bits.c
+bits_OBJECTS =  bits.$(OBJEXT)
+bits_LDADD = $(LDADD)
+bits_DEPENDENCIES = 
+bits_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  ./stamp-h.in Makefile.am Makefile.in config.h.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = bits.c
+OBJECTS = bits.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign include/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+config.h: stamp-h
+	@if test ! -f $@; then \
+		rm -f stamp-h; \
+		$(MAKE) stamp-h; \
+	else :; fi
+stamp-h: $(srcdir)/config.h.in $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES= CONFIG_HEADERS=include/config.h \
+	     $(SHELL) ./config.status
+	@echo timestamp > stamp-h 2> /dev/null
+$(srcdir)/config.h.in: $(srcdir)/stamp-h.in
+	@if test ! -f $@; then \
+		rm -f $(srcdir)/stamp-h.in; \
+		$(MAKE) $(srcdir)/stamp-h.in; \
+	else :; fi
+$(srcdir)/stamp-h.in: $(top_srcdir)/configure.in $(ACLOCAL_M4) 
+	cd $(top_srcdir) && $(AUTOHEADER)
+	@echo timestamp > $(srcdir)/stamp-h.in 2> /dev/null
+
+mostlyclean-hdr:
+
+clean-hdr:
+
+distclean-hdr:
+	-rm -f config.h
+
+maintainer-clean-hdr:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES)
+	@rm -f bits$(EXEEXT)
+	$(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS)
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)config.h.in$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags config.h.in $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = include
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+all-recursive-am: config.h
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am: uninstall-includeHEADERS
+uninstall: uninstall-recursive
+all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local
+all-redirect: all-recursive-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+	$(mkinstalldirs)  $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-hdr mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-hdr clean-noinstPROGRAMS clean-compile clean-libtool \
+		clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-hdr distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-hdr \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: mostlyclean-hdr distclean-hdr clean-hdr maintainer-clean-hdr \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool uninstall-includeHEADERS \
+install-includeHEADERS install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+all-recursive-am install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+krb5-types.h: bits$(EXEEXT)
+	./bits$(EXEEXT) krb5-types.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/bits.c b/crypto/heimdal/include/bits.c
new file mode 100644
index 0000000..5eb9bd0
--- /dev/null
+++ b/crypto/heimdal/include/bits.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: bits.c,v 1.16 1999/12/02 17:04:57 joda Exp $");
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+static void
+my_strupr(char *s)
+{
+    char *p = s;
+
+    while(*p){
+	if(islower((unsigned char)*p))
+	    *p = toupper((unsigned char)*p);
+	p++;
+    }	
+}
+
+
+#define BITSIZE(TYPE)						\
+{								\
+    int b = 0; TYPE x = 1, zero = 0; char *pre = "u_";		\
+    char tmp[128], tmp2[128];					\
+    while(x){ x <<= 1; b++; if(x < zero) pre=""; }		\
+    if(b >= len){						\
+        int tabs;						\
+	sprintf(tmp, "%sint%d_t" , pre, len);			\
+	sprintf(tmp2, "typedef %s %s;", #TYPE, tmp);		\
+	my_strupr(tmp);						\
+	tabs = 5 - strlen(tmp2) / 8;				\
+        fprintf(f, "%s", tmp2);					\
+	while(tabs-- > 0) fprintf(f, "\t");			\
+	fprintf(f, "/* %2d bits */\n", b);			\
+        return;                                                 \
+    }								\
+}
+
+static void
+try_signed(FILE *f, int len)
+{
+    BITSIZE(signed char);
+    BITSIZE(short);
+    BITSIZE(int);
+    BITSIZE(long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static void
+try_unsigned(FILE *f, int len)
+{
+    BITSIZE(unsigned char);
+    BITSIZE(unsigned short);
+    BITSIZE(unsigned int);
+    BITSIZE(unsigned long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(unsigned long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static int
+print_bt(FILE *f, int flag)
+{
+    if(flag == 0){
+	fprintf(f, "/* For compatibility with various type definitions */\n");
+	fprintf(f, "#ifndef __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "#define __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "\n");
+    }
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    FILE *f;
+    int flag;
+    char *fn, *hb;
+    
+    if(argc < 2){
+	fn = "bits.h";
+	hb = "__BITS_H__";
+	f = stdout;
+    } else {
+	char *p;
+	fn = argv[1];
+	hb = malloc(strlen(fn) + 5);
+	sprintf(hb, "__%s__", fn);
+	for(p = hb; *p; p++){
+	    if(!isalnum((unsigned char)*p))
+		*p = '_';
+	}
+	f = fopen(argv[1], "w");
+    }
+    fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
+    fprintf(f, "   %*s    %s */\n\n", (int)strlen(fn), "", 
+	    "$Id: bits.c,v 1.16 1999/12/02 17:04:57 joda Exp $");
+    fprintf(f, "#ifndef %s\n", hb);
+    fprintf(f, "#define %s\n", hb);
+    fprintf(f, "\n");
+#ifdef HAVE_SYS_TYPES_H
+    fprintf(f, "#include <sys/types.h>\n");
+#endif
+#ifdef HAVE_INTTYPES_H
+    fprintf(f, "#include <inttypes.h>\n");
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+    fprintf(f, "#include <sys/bitypes.h>\n");
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+    fprintf(f, "#include <bind/bitypes.h>\n");
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+    fprintf(f, "#include <netinet/in6_machtypes.h>\n");
+#endif
+    fprintf(f, "\n");
+
+    flag = 0;
+#ifndef HAVE_INT8_T
+    flag = print_bt(f, flag);
+    try_signed (f, 8);
+#endif /* HAVE_INT8_T */
+#ifndef HAVE_INT16_T
+    flag = print_bt(f, flag);
+    try_signed (f, 16);
+#endif /* HAVE_INT16_T */
+#ifndef HAVE_INT32_T
+    flag = print_bt(f, flag);
+    try_signed (f, 32);
+#endif /* HAVE_INT32_T */
+#if 0
+#ifndef HAVE_INT64_T
+    flag = print_bt(f, flag);
+    try_signed (f, 64);
+#endif /* HAVE_INT64_T */
+#endif
+
+#ifndef HAVE_U_INT8_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 8);
+#endif /* HAVE_INT8_T */
+#ifndef HAVE_U_INT16_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 16);
+#endif /* HAVE_U_INT16_T */
+#ifndef HAVE_U_INT32_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 32);
+#endif /* HAVE_U_INT32_T */
+#if 0
+#ifndef HAVE_U_INT64_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 64);
+#endif /* HAVE_U_INT64_T */
+#endif
+
+    if(flag){
+	fprintf(f, "\n");
+	fprintf(f, "#endif /* __BIT_TYPES_DEFINED__ */\n\n");
+    }
+    fprintf(f, "#endif /* %s */\n", hb);
+    return 0;
+}
diff --git a/crypto/heimdal/include/config.h.in b/crypto/heimdal/include/config.h.in
new file mode 100644
index 0000000..9707f56
--- /dev/null
+++ b/crypto/heimdal/include/config.h.in
@@ -0,0 +1,1194 @@
+/* include/config.h.in.  Generated automatically from configure.in by autoheader.  */
+
+/* Define to empty if the keyword does not work.  */
+#undef const
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef gid_t
+
+/* Define as __inline if that's what the C compiler calls it.  */
+#undef inline
+
+/* Define to `long' if <sys/types.h> doesn't define.  */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef pid_t
+
+/* Define as the return type of signal handlers (int or void).  */
+#undef RETSIGTYPE
+
+/* Define to `unsigned' if <sys/types.h> doesn't define.  */
+#undef size_t
+
+/* Define if you have the ANSI C header files.  */
+#undef STDC_HEADERS
+
+/* Define if you can safely include both <sys/time.h> and <time.h>.  */
+#undef TIME_WITH_SYS_TIME
+
+/* Define if your <sys/time.h> declares struct tm.  */
+#undef TM_IN_SYS_TIME
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef uid_t
+
+/* Define if the X Window System is missing or not being used.  */
+#undef X_DISPLAY_MISSING
+
+/* Define if lex declares yytext as a char * by default, not a char[].  */
+#undef YYTEXT_POINTER
+
+/* Define if you have the MD4Init function.  */
+#undef HAVE_MD4INIT
+
+/* Define if you have the MD4_Init function.  */
+#undef HAVE_MD4_INIT
+
+/* Define if you have the MD5Init function.  */
+#undef HAVE_MD5INIT
+
+/* Define if you have the MD5_Init function.  */
+#undef HAVE_MD5_INIT
+
+/* Define if you have the SHA1Init function.  */
+#undef HAVE_SHA1INIT
+
+/* Define if you have the SHA1_Init function.  */
+#undef HAVE_SHA1_INIT
+
+/* Define if you have the XauFileName function.  */
+#undef HAVE_XAUFILENAME
+
+/* Define if you have the XauReadAuth function.  */
+#undef HAVE_XAUREADAUTH
+
+/* Define if you have the XauWriteAuth function.  */
+#undef HAVE_XAUWRITEAUTH
+
+/* Define if you have the _getpty function.  */
+#undef HAVE__GETPTY
+
+/* Define if you have the _scrsize function.  */
+#undef HAVE__SCRSIZE
+
+/* Define if you have the asnprintf function.  */
+#undef HAVE_ASNPRINTF
+
+/* Define if you have the asprintf function.  */
+#undef HAVE_ASPRINTF
+
+/* Define if you have the cap_set_proc function.  */
+#undef HAVE_CAP_SET_PROC
+
+/* Define if you have the cgetent function.  */
+#undef HAVE_CGETENT
+
+/* Define if you have the chown function.  */
+#undef HAVE_CHOWN
+
+/* Define if you have the copyhostent function.  */
+#undef HAVE_COPYHOSTENT
+
+/* Define if you have the crypt function.  */
+#undef HAVE_CRYPT
+
+/* Define if you have the daemon function.  */
+#undef HAVE_DAEMON
+
+/* Define if you have the dbm_firstkey function.  */
+#undef HAVE_DBM_FIRSTKEY
+
+/* Define if you have the dbopen function.  */
+#undef HAVE_DBOPEN
+
+/* Define if you have the des_cbc_encrypt function.  */
+#undef HAVE_DES_CBC_ENCRYPT
+
+/* Define if you have the dlopen function.  */
+#undef HAVE_DLOPEN
+
+/* Define if you have the dn_expand function.  */
+#undef HAVE_DN_EXPAND
+
+/* Define if you have the el_init function.  */
+#undef HAVE_EL_INIT
+
+/* Define if you have the err function.  */
+#undef HAVE_ERR
+
+/* Define if you have the errx function.  */
+#undef HAVE_ERRX
+
+/* Define if you have the fchown function.  */
+#undef HAVE_FCHOWN
+
+/* Define if you have the fcntl function.  */
+#undef HAVE_FCNTL
+
+/* Define if you have the flock function.  */
+#undef HAVE_FLOCK
+
+/* Define if you have the fnmatch function.  */
+#undef HAVE_FNMATCH
+
+/* Define if you have the freeaddrinfo function.  */
+#undef HAVE_FREEADDRINFO
+
+/* Define if you have the freehostent function.  */
+#undef HAVE_FREEHOSTENT
+
+/* Define if you have the gai_strerror function.  */
+#undef HAVE_GAI_STRERROR
+
+/* Define if you have the getaddrinfo function.  */
+#undef HAVE_GETADDRINFO
+
+/* Define if you have the getcwd function.  */
+#undef HAVE_GETCWD
+
+/* Define if you have the getdtablesize function.  */
+#undef HAVE_GETDTABLESIZE
+
+/* Define if you have the getegid function.  */
+#undef HAVE_GETEGID
+
+/* Define if you have the geteuid function.  */
+#undef HAVE_GETEUID
+
+/* Define if you have the getgid function.  */
+#undef HAVE_GETGID
+
+/* Define if you have the gethostbyname function.  */
+#undef HAVE_GETHOSTBYNAME
+
+/* Define if you have the gethostbyname2 function.  */
+#undef HAVE_GETHOSTBYNAME2
+
+/* Define if you have the gethostname function.  */
+#undef HAVE_GETHOSTNAME
+
+/* Define if you have the getipnodebyaddr function.  */
+#undef HAVE_GETIPNODEBYADDR
+
+/* Define if you have the getipnodebyname function.  */
+#undef HAVE_GETIPNODEBYNAME
+
+/* Define if you have the getlogin function.  */
+#undef HAVE_GETLOGIN
+
+/* Define if you have the getmsg function.  */
+#undef HAVE_GETMSG
+
+/* Define if you have the getnameinfo function.  */
+#undef HAVE_GETNAMEINFO
+
+/* Define if you have the getopt function.  */
+#undef HAVE_GETOPT
+
+/* Define if you have the getpwnam_r function.  */
+#undef HAVE_GETPWNAM_R
+
+/* Define if you have the getrlimit function.  */
+#undef HAVE_GETRLIMIT
+
+/* Define if you have the getsockopt function.  */
+#undef HAVE_GETSOCKOPT
+
+/* Define if you have the getspnam function.  */
+#undef HAVE_GETSPNAM
+
+/* Define if you have the gettimeofday function.  */
+#undef HAVE_GETTIMEOFDAY
+
+/* Define if you have the getudbnam function.  */
+#undef HAVE_GETUDBNAM
+
+/* Define if you have the getuid function.  */
+#undef HAVE_GETUID
+
+/* Define if you have the getusershell function.  */
+#undef HAVE_GETUSERSHELL
+
+/* Define if you have the grantpt function.  */
+#undef HAVE_GRANTPT
+
+/* Define if you have the hstrerror function.  */
+#undef HAVE_HSTRERROR
+
+/* Define if you have the inet_aton function.  */
+#undef HAVE_INET_ATON
+
+/* Define if you have the inet_ntop function.  */
+#undef HAVE_INET_NTOP
+
+/* Define if you have the inet_pton function.  */
+#undef HAVE_INET_PTON
+
+/* Define if you have the initgroups function.  */
+#undef HAVE_INITGROUPS
+
+/* Define if you have the innetgr function.  */
+#undef HAVE_INNETGR
+
+/* Define if you have the iruserok function.  */
+#undef HAVE_IRUSEROK
+
+/* Define if you have the krb_disable_debug function.  */
+#undef HAVE_KRB_DISABLE_DEBUG
+
+/* Define if you have the krb_enable_debug function.  */
+#undef HAVE_KRB_ENABLE_DEBUG
+
+/* Define if you have the krb_get_our_ip_for_realm function.  */
+#undef HAVE_KRB_GET_OUR_IP_FOR_REALM
+
+/* Define if you have the logwtmp function.  */
+#undef HAVE_LOGWTMP
+
+/* Define if you have the long_long function.  */
+#undef HAVE_LONG_LONG
+
+/* Define if you have the lstat function.  */
+#undef HAVE_LSTAT
+
+/* Define if you have the memmove function.  */
+#undef HAVE_MEMMOVE
+
+/* Define if you have the mkstemp function.  */
+#undef HAVE_MKSTEMP
+
+/* Define if you have the mktime function.  */
+#undef HAVE_MKTIME
+
+/* Define if you have the ptsname function.  */
+#undef HAVE_PTSNAME
+
+/* Define if you have the putenv function.  */
+#undef HAVE_PUTENV
+
+/* Define if you have the rand function.  */
+#undef HAVE_RAND
+
+/* Define if you have the random function.  */
+#undef HAVE_RANDOM
+
+/* Define if you have the rcmd function.  */
+#undef HAVE_RCMD
+
+/* Define if you have the readv function.  */
+#undef HAVE_READV
+
+/* Define if you have the recvmsg function.  */
+#undef HAVE_RECVMSG
+
+/* Define if you have the res_search function.  */
+#undef HAVE_RES_SEARCH
+
+/* Define if you have the revoke function.  */
+#undef HAVE_REVOKE
+
+/* Define if you have the sa_family_t function.  */
+#undef HAVE_SA_FAMILY_T
+
+/* Define if you have the select function.  */
+#undef HAVE_SELECT
+
+/* Define if you have the sendmsg function.  */
+#undef HAVE_SENDMSG
+
+/* Define if you have the setegid function.  */
+#undef HAVE_SETEGID
+
+/* Define if you have the setenv function.  */
+#undef HAVE_SETENV
+
+/* Define if you have the seteuid function.  */
+#undef HAVE_SETEUID
+
+/* Define if you have the setitimer function.  */
+#undef HAVE_SETITIMER
+
+/* Define if you have the setlim function.  */
+#undef HAVE_SETLIM
+
+/* Define if you have the setlogin function.  */
+#undef HAVE_SETLOGIN
+
+/* Define if you have the setpcred function.  */
+#undef HAVE_SETPCRED
+
+/* Define if you have the setpgid function.  */
+#undef HAVE_SETPGID
+
+/* Define if you have the setproctitle function.  */
+#undef HAVE_SETPROCTITLE
+
+/* Define if you have the setregid function.  */
+#undef HAVE_SETREGID
+
+/* Define if you have the setresgid function.  */
+#undef HAVE_SETRESGID
+
+/* Define if you have the setresuid function.  */
+#undef HAVE_SETRESUID
+
+/* Define if you have the setreuid function.  */
+#undef HAVE_SETREUID
+
+/* Define if you have the setsid function.  */
+#undef HAVE_SETSID
+
+/* Define if you have the setsockopt function.  */
+#undef HAVE_SETSOCKOPT
+
+/* Define if you have the setutent function.  */
+#undef HAVE_SETUTENT
+
+/* Define if you have the sgi_getcapabilitybyname function.  */
+#undef HAVE_SGI_GETCAPABILITYBYNAME
+
+/* Define if you have the sigaction function.  */
+#undef HAVE_SIGACTION
+
+/* Define if you have the socket function.  */
+#undef HAVE_SOCKET
+
+/* Define if you have the socklen_t function.  */
+#undef HAVE_SOCKLEN_T
+
+/* Define if you have the strcasecmp function.  */
+#undef HAVE_STRCASECMP
+
+/* Define if you have the strdup function.  */
+#undef HAVE_STRDUP
+
+/* Define if you have the strerror function.  */
+#undef HAVE_STRERROR
+
+/* Define if you have the strftime function.  */
+#undef HAVE_STRFTIME
+
+/* Define if you have the strlcat function.  */
+#undef HAVE_STRLCAT
+
+/* Define if you have the strlcpy function.  */
+#undef HAVE_STRLCPY
+
+/* Define if you have the strlwr function.  */
+#undef HAVE_STRLWR
+
+/* Define if you have the strncasecmp function.  */
+#undef HAVE_STRNCASECMP
+
+/* Define if you have the strndup function.  */
+#undef HAVE_STRNDUP
+
+/* Define if you have the strnlen function.  */
+#undef HAVE_STRNLEN
+
+/* Define if you have the strptime function.  */
+#undef HAVE_STRPTIME
+
+/* Define if you have the strsep function.  */
+#undef HAVE_STRSEP
+
+/* Define if you have the strstr function.  */
+#undef HAVE_STRSTR
+
+/* Define if you have the strtok_r function.  */
+#undef HAVE_STRTOK_R
+
+/* Define if you have the struct_addrinfo function.  */
+#undef HAVE_STRUCT_ADDRINFO
+
+/* Define if you have the struct_sockaddr function.  */
+#undef HAVE_STRUCT_SOCKADDR
+
+/* Define if you have the struct_sockaddr_storage function.  */
+#undef HAVE_STRUCT_SOCKADDR_STORAGE
+
+/* Define if you have the strupr function.  */
+#undef HAVE_STRUPR
+
+/* Define if you have the swab function.  */
+#undef HAVE_SWAB
+
+/* Define if you have the sysconf function.  */
+#undef HAVE_SYSCONF
+
+/* Define if you have the sysctl function.  */
+#undef HAVE_SYSCTL
+
+/* Define if you have the syslog function.  */
+#undef HAVE_SYSLOG
+
+/* Define if you have the tgetent function.  */
+#undef HAVE_TGETENT
+
+/* Define if you have the timegm function.  */
+#undef HAVE_TIMEGM
+
+/* Define if you have the ttyname function.  */
+#undef HAVE_TTYNAME
+
+/* Define if you have the ttyslot function.  */
+#undef HAVE_TTYSLOT
+
+/* Define if you have the umask function.  */
+#undef HAVE_UMASK
+
+/* Define if you have the uname function.  */
+#undef HAVE_UNAME
+
+/* Define if you have the unlockpt function.  */
+#undef HAVE_UNLOCKPT
+
+/* Define if you have the unsetenv function.  */
+#undef HAVE_UNSETENV
+
+/* Define if you have the vasnprintf function.  */
+#undef HAVE_VASNPRINTF
+
+/* Define if you have the vasprintf function.  */
+#undef HAVE_VASPRINTF
+
+/* Define if you have the verr function.  */
+#undef HAVE_VERR
+
+/* Define if you have the verrx function.  */
+#undef HAVE_VERRX
+
+/* Define if you have the vhangup function.  */
+#undef HAVE_VHANGUP
+
+/* Define if you have the vsyslog function.  */
+#undef HAVE_VSYSLOG
+
+/* Define if you have the vwarn function.  */
+#undef HAVE_VWARN
+
+/* Define if you have the vwarnx function.  */
+#undef HAVE_VWARNX
+
+/* Define if you have the warn function.  */
+#undef HAVE_WARN
+
+/* Define if you have the warnx function.  */
+#undef HAVE_WARNX
+
+/* Define if you have the writev function.  */
+#undef HAVE_WRITEV
+
+/* Define if you have the yp_get_default_domain function.  */
+#undef HAVE_YP_GET_DEFAULT_DOMAIN
+
+/* Define if you have the <arpa/ftp.h> header file.  */
+#undef HAVE_ARPA_FTP_H
+
+/* Define if you have the <arpa/inet.h> header file.  */
+#undef HAVE_ARPA_INET_H
+
+/* Define if you have the <arpa/nameser.h> header file.  */
+#undef HAVE_ARPA_NAMESER_H
+
+/* Define if you have the <arpa/telnet.h> header file.  */
+#undef HAVE_ARPA_TELNET_H
+
+/* Define if you have the <bind/bitypes.h> header file.  */
+#undef HAVE_BIND_BITYPES_H
+
+/* Define if you have the <bsdsetjmp.h> header file.  */
+#undef HAVE_BSDSETJMP_H
+
+/* Define if you have the <capability.h> header file.  */
+#undef HAVE_CAPABILITY_H
+
+/* Define if you have the <crypt.h> header file.  */
+#undef HAVE_CRYPT_H
+
+/* Define if you have the <curses.h> header file.  */
+#undef HAVE_CURSES_H
+
+/* Define if you have the <db.h> header file.  */
+#undef HAVE_DB_H
+
+/* Define if you have the <db_185.h> header file.  */
+#undef HAVE_DB_185_H
+
+/* Define if you have the <dbm.h> header file.  */
+#undef HAVE_DBM_H
+
+/* Define if you have the <dirent.h> header file.  */
+#undef HAVE_DIRENT_H
+
+/* Define if you have the <dlfcn.h> header file.  */
+#undef HAVE_DLFCN_H
+
+/* Define if you have the <err.h> header file.  */
+#undef HAVE_ERR_H
+
+/* Define if you have the <errno.h> header file.  */
+#undef HAVE_ERRNO_H
+
+/* Define if you have the <fcntl.h> header file.  */
+#undef HAVE_FCNTL_H
+
+/* Define if you have the <fnmatch.h> header file.  */
+#undef HAVE_FNMATCH_H
+
+/* Define if you have the <grp.h> header file.  */
+#undef HAVE_GRP_H
+
+/* Define if you have the <inttypes.h> header file.  */
+#undef HAVE_INTTYPES_H
+
+/* Define if you have the <io.h> header file.  */
+#undef HAVE_IO_H
+
+/* Define if you have the <limits.h> header file.  */
+#undef HAVE_LIMITS_H
+
+/* Define if you have the <maillock.h> header file.  */
+#undef HAVE_MAILLOCK_H
+
+/* Define if you have the <ndbm.h> header file.  */
+#undef HAVE_NDBM_H
+
+/* Define if you have the <net/if.h> header file.  */
+#undef HAVE_NET_IF_H
+
+/* Define if you have the <netdb.h> header file.  */
+#undef HAVE_NETDB_H
+
+/* Define if you have the <netinet/in.h> header file.  */
+#undef HAVE_NETINET_IN_H
+
+/* Define if you have the <netinet/in6.h> header file.  */
+#undef HAVE_NETINET_IN6_H
+
+/* Define if you have the <netinet/in6_machtypes.h> header file.  */
+#undef HAVE_NETINET_IN6_MACHTYPES_H
+
+/* Define if you have the <netinet/in6_var.h> header file.  */
+#undef HAVE_NETINET_IN6_VAR_H
+
+/* Define if you have the <netinet/in_systm.h> header file.  */
+#undef HAVE_NETINET_IN_SYSTM_H
+
+/* Define if you have the <netinet/ip.h> header file.  */
+#undef HAVE_NETINET_IP_H
+
+/* Define if you have the <netinet/tcp.h> header file.  */
+#undef HAVE_NETINET_TCP_H
+
+/* Define if you have the <netinet6/in6.h> header file.  */
+#undef HAVE_NETINET6_IN6_H
+
+/* Define if you have the <netinfo/ni.h> header file.  */
+#undef HAVE_NETINFO_NI_H
+
+/* Define if you have the <paths.h> header file.  */
+#undef HAVE_PATHS_H
+
+/* Define if you have the <pthread.h> header file.  */
+#undef HAVE_PTHREAD_H
+
+/* Define if you have the <pty.h> header file.  */
+#undef HAVE_PTY_H
+
+/* Define if you have the <pwd.h> header file.  */
+#undef HAVE_PWD_H
+
+/* Define if you have the <resolv.h> header file.  */
+#undef HAVE_RESOLV_H
+
+/* Define if you have the <rpcsvc/dbm.h> header file.  */
+#undef HAVE_RPCSVC_DBM_H
+
+/* Define if you have the <sac.h> header file.  */
+#undef HAVE_SAC_H
+
+/* Define if you have the <security/pam_modules.h> header file.  */
+#undef HAVE_SECURITY_PAM_MODULES_H
+
+/* Define if you have the <sgtty.h> header file.  */
+#undef HAVE_SGTTY_H
+
+/* Define if you have the <shadow.h> header file.  */
+#undef HAVE_SHADOW_H
+
+/* Define if you have the <siad.h> header file.  */
+#undef HAVE_SIAD_H
+
+/* Define if you have the <signal.h> header file.  */
+#undef HAVE_SIGNAL_H
+
+/* Define if you have the <standards.h> header file.  */
+#undef HAVE_STANDARDS_H
+
+/* Define if you have the <stropts.h> header file.  */
+#undef HAVE_STROPTS_H
+
+/* Define if you have the <sys/bitypes.h> header file.  */
+#undef HAVE_SYS_BITYPES_H
+
+/* Define if you have the <sys/capability.h> header file.  */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define if you have the <sys/category.h> header file.  */
+#undef HAVE_SYS_CATEGORY_H
+
+/* Define if you have the <sys/file.h> header file.  */
+#undef HAVE_SYS_FILE_H
+
+/* Define if you have the <sys/filio.h> header file.  */
+#undef HAVE_SYS_FILIO_H
+
+/* Define if you have the <sys/ioccom.h> header file.  */
+#undef HAVE_SYS_IOCCOM_H
+
+/* Define if you have the <sys/ioctl.h> header file.  */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define if you have the <sys/param.h> header file.  */
+#undef HAVE_SYS_PARAM_H
+
+/* Define if you have the <sys/proc.h> header file.  */
+#undef HAVE_SYS_PROC_H
+
+/* Define if you have the <sys/pty.h> header file.  */
+#undef HAVE_SYS_PTY_H
+
+/* Define if you have the <sys/ptyio.h> header file.  */
+#undef HAVE_SYS_PTYIO_H
+
+/* Define if you have the <sys/ptyvar.h> header file.  */
+#undef HAVE_SYS_PTYVAR_H
+
+/* Define if you have the <sys/resource.h> header file.  */
+#undef HAVE_SYS_RESOURCE_H
+
+/* Define if you have the <sys/select.h> header file.  */
+#undef HAVE_SYS_SELECT_H
+
+/* Define if you have the <sys/socket.h> header file.  */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define if you have the <sys/sockio.h> header file.  */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define if you have the <sys/stat.h> header file.  */
+#undef HAVE_SYS_STAT_H
+
+/* Define if you have the <sys/str_tty.h> header file.  */
+#undef HAVE_SYS_STR_TTY_H
+
+/* Define if you have the <sys/stream.h> header file.  */
+#undef HAVE_SYS_STREAM_H
+
+/* Define if you have the <sys/stropts.h> header file.  */
+#undef HAVE_SYS_STROPTS_H
+
+/* Define if you have the <sys/strtty.h> header file.  */
+#undef HAVE_SYS_STRTTY_H
+
+/* Define if you have the <sys/syscall.h> header file.  */
+#undef HAVE_SYS_SYSCALL_H
+
+/* Define if you have the <sys/sysctl.h> header file.  */
+#undef HAVE_SYS_SYSCTL_H
+
+/* Define if you have the <sys/termio.h> header file.  */
+#undef HAVE_SYS_TERMIO_H
+
+/* Define if you have the <sys/time.h> header file.  */
+#undef HAVE_SYS_TIME_H
+
+/* Define if you have the <sys/timeb.h> header file.  */
+#undef HAVE_SYS_TIMEB_H
+
+/* Define if you have the <sys/times.h> header file.  */
+#undef HAVE_SYS_TIMES_H
+
+/* Define if you have the <sys/tty.h> header file.  */
+#undef HAVE_SYS_TTY_H
+
+/* Define if you have the <sys/types.h> header file.  */
+#undef HAVE_SYS_TYPES_H
+
+/* Define if you have the <sys/uio.h> header file.  */
+#undef HAVE_SYS_UIO_H
+
+/* Define if you have the <sys/un.h> header file.  */
+#undef HAVE_SYS_UN_H
+
+/* Define if you have the <sys/utsname.h> header file.  */
+#undef HAVE_SYS_UTSNAME_H
+
+/* Define if you have the <sys/wait.h> header file.  */
+#undef HAVE_SYS_WAIT_H
+
+/* Define if you have the <syslog.h> header file.  */
+#undef HAVE_SYSLOG_H
+
+/* Define if you have the <term.h> header file.  */
+#undef HAVE_TERM_H
+
+/* Define if you have the <termio.h> header file.  */
+#undef HAVE_TERMIO_H
+
+/* Define if you have the <termios.h> header file.  */
+#undef HAVE_TERMIOS_H
+
+/* Define if you have the <time.h> header file.  */
+#undef HAVE_TIME_H
+
+/* Define if you have the <tmpdir.h> header file.  */
+#undef HAVE_TMPDIR_H
+
+/* Define if you have the <udb.h> header file.  */
+#undef HAVE_UDB_H
+
+/* Define if you have the <unistd.h> header file.  */
+#undef HAVE_UNISTD_H
+
+/* Define if you have the <util.h> header file.  */
+#undef HAVE_UTIL_H
+
+/* Define if you have the <utmp.h> header file.  */
+#undef HAVE_UTMP_H
+
+/* Define if you have the <utmpx.h> header file.  */
+#undef HAVE_UTMPX_H
+
+/* Define if you have the X11 library (-lX11).  */
+#undef HAVE_LIBX11
+
+/* Define if you have the Xau library (-lXau).  */
+#undef HAVE_LIBXAU
+
+/* Define if you have the c_r library (-lc_r).  */
+#undef HAVE_LIBC_R
+
+/* Define if you have the crypt library (-lcrypt).  */
+#undef HAVE_LIBCRYPT
+
+/* Define if you have the crypto library (-lcrypto).  */
+#undef HAVE_LIBCRYPTO
+
+/* Define if you have the curses library (-lcurses).  */
+#undef HAVE_LIBCURSES
+
+/* Define if you have the des library (-ldes).  */
+#undef HAVE_LIBDES
+
+/* Define if you have the dl library (-ldl).  */
+#undef HAVE_LIBDL
+
+/* Define if you have the edit library (-ledit).  */
+#undef HAVE_LIBEDIT
+
+/* Define if you have the gdbm library (-lgdbm).  */
+#undef HAVE_LIBGDBM
+
+/* Define if you have the inet6 library (-linet6).  */
+#undef HAVE_LIBINET6
+
+/* Define if you have the ip6 library (-lip6).  */
+#undef HAVE_LIBIP6
+
+/* Define if you have the ncurses library (-lncurses).  */
+#undef HAVE_LIBNCURSES
+
+/* Define if you have the ndbm library (-lndbm).  */
+#undef HAVE_LIBNDBM
+
+/* Define if you have the nsl library (-lnsl).  */
+#undef HAVE_LIBNSL
+
+/* Define if you have the resolv library (-lresolv).  */
+#undef HAVE_LIBRESOLV
+
+/* Define if you have the socket library (-lsocket).  */
+#undef HAVE_LIBSOCKET
+
+/* Define if you have the syslog library (-lsyslog).  */
+#undef HAVE_LIBSYSLOG
+
+/* Define if you have the termcap library (-ltermcap).  */
+#undef HAVE_LIBTERMCAP
+
+/* Define if you have the util library (-lutil).  */
+#undef HAVE_LIBUTIL
+
+/* Name of package */
+#undef PACKAGE
+
+/* Version number of package */
+#undef VERSION
+
+/* Define to what version of SunOS you are running. */
+#undef SunOS
+
+/* define if your compiler has __attribute__ */
+#undef HAVE___ATTRIBUTE__
+
+/* Define if you have the krb4 package. */
+#undef KRB4
+
+/* define if krb_put_int takes four arguments. */
+#undef HAVE_FOUR_VALUED_KRB_PUT_INT
+
+/* Define to one if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE
+
+/* Define to two if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE_FAIL
+
+/* Define to zero if your krb.h doesn't */
+#undef KRB_VERIFY_NOT_SECURE
+
+/* Enable Kerberos 5 support in applications. */
+#undef KRB5
+
+/* Define if you want to use the KDC as a kaserver. */
+#undef KASERVER
+
+/* Define if you want support in hprop for reading kaserver databases */
+#undef KASERVER_DB
+
+/* Define if you want OTP support in applications. */
+#undef OTP
+
+/* Define to enable basic OSF C2 support. */
+#undef HAVE_OSFC2
+
+/* Define if you have the readline package. */
+#undef READLINE
+
+/* Define if you have the hesiod package. */
+#undef HESIOD
+
+/* define if target is big endian */
+#undef WORDS_BIGENDIAN
+
+/* define if sys/param.h defines the endiness */
+#undef ENDIANESS_IN_SYS_PARAM_H
+
+/* Define this to what the type ssize_t should be. */
+#undef ssize_t
+
+/* Define this to what the type mode_t should be. */
+#undef mode_t
+
+/* Define this to what the type sig_atomic_t should be. */
+#undef sig_atomic_t
+
+/* Define if you want to use Netinfo instead of krb5.conf. */
+#undef HAVE_NETINFO
+
+/* Define if you have IPv6. */
+#undef HAVE_IPV6
+
+/* define if you have a working snprintf */
+#undef HAVE_SNPRINTF
+
+/* define if the system is missing a prototype for snprintf() */
+#undef NEED_SNPRINTF_PROTO
+
+/* define if you have a working vsnprintf */
+#undef HAVE_VSNPRINTF
+
+/* define if the system is missing a prototype for vsnprintf() */
+#undef NEED_VSNPRINTF_PROTO
+
+/* define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE */
+#undef HAVE_GLOB
+
+/* define if the system is missing a prototype for glob() */
+#undef NEED_GLOB_PROTO
+
+/* Define if getlogin has POSIX flavour (and not BSD). */
+#undef POSIX_GETLOGIN
+
+/* Define if getpwnam_r has POSIX flavour. */
+#undef POSIX_GETPWNAM_R
+
+/* Define if signal handlers return void. */
+#undef VOID_RETSIGTYPE
+
+/* define if the system is missing a prototype for hstrerror() */
+#undef NEED_HSTRERROR_PROTO
+
+/* define if the system is missing a prototype for asprintf() */
+#undef NEED_ASPRINTF_PROTO
+
+/* define if the system is missing a prototype for vasprintf() */
+#undef NEED_VASPRINTF_PROTO
+
+/* define if the system is missing a prototype for asnprintf() */
+#undef NEED_ASNPRINTF_PROTO
+
+/* define if the system is missing a prototype for vasnprintf() */
+#undef NEED_VASNPRINTF_PROTO
+
+/* define if the system is missing a prototype for setenv() */
+#undef NEED_SETENV_PROTO
+
+/* define if the system is missing a prototype for unsetenv() */
+#undef NEED_UNSETENV_PROTO
+
+/* define if the system is missing a prototype for gethostname() */
+#undef NEED_GETHOSTNAME_PROTO
+
+/* define if the system is missing a prototype for mkstemp() */
+#undef NEED_MKSTEMP_PROTO
+
+/* define if the system is missing a prototype for getusershell() */
+#undef NEED_GETUSERSHELL_PROTO
+
+/* define if the system is missing a prototype for inet_aton() */
+#undef NEED_INET_ATON_PROTO
+
+/* Define if realloc(NULL) doesn't work. */
+#undef BROKEN_REALLOC
+
+/* define if prototype of gethostbyname is compatible with
+	struct hostent *gethostbyname(const char *) */
+#undef GETHOSTBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of gethostbyaddr is compatible with
+	struct hostent *gethostbyaddr(const void *, size_t, int) */
+#undef GETHOSTBYADDR_PROTO_COMPATIBLE
+
+/* define if prototype of getservbyname is compatible with
+	struct servent *getservbyname(const char *, const char *) */
+#undef GETSERVBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of openlog is compatible with
+	void openlog(const char *, int, int) */
+#undef OPENLOG_PROTO_COMPATIBLE
+
+/* define if the system is missing a prototype for crypt() */
+#undef NEED_CRYPT_PROTO
+
+/* define if the system is missing a prototype for strtok_r() */
+#undef NEED_STRTOK_R_PROTO
+
+/* define if the system is missing a prototype for strsep() */
+#undef NEED_STRSEP_PROTO
+
+/* define if you have h_errno */
+#undef HAVE_H_ERRNO
+
+/* define if your system declares h_errno */
+#undef HAVE_H_ERRNO_DECLARATION
+
+/* define if you have h_errlist */
+#undef HAVE_H_ERRLIST
+
+/* define if your system declares h_errlist */
+#undef HAVE_H_ERRLIST_DECLARATION
+
+/* define if you have h_nerr */
+#undef HAVE_H_NERR
+
+/* define if your system declares h_nerr */
+#undef HAVE_H_NERR_DECLARATION
+
+/* define if you have __progname */
+#undef HAVE___PROGNAME
+
+/* define if your system declares __progname */
+#undef HAVE___PROGNAME_DECLARATION
+
+/* define if your system declares optarg */
+#undef HAVE_OPTARG_DECLARATION
+
+/* define if your system declares optind */
+#undef HAVE_OPTIND_DECLARATION
+
+/* define if your system declares opterr */
+#undef HAVE_OPTERR_DECLARATION
+
+/* define if your system declares optopt */
+#undef HAVE_OPTOPT_DECLARATION
+
+/* define if your system declares environ */
+#undef HAVE_ENVIRON_DECLARATION
+
+/* Define if struct utmp has field ut_addr. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
+
+/* Define if struct utmp has field ut_host. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
+
+/* Define if struct utmp has field ut_id. */
+#undef HAVE_STRUCT_UTMP_UT_ID
+
+/* Define if struct utmp has field ut_pid. */
+#undef HAVE_STRUCT_UTMP_UT_PID
+
+/* Define if struct utmp has field ut_type. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
+
+/* Define if struct utmp has field ut_user. */
+#undef HAVE_STRUCT_UTMP_UT_USER
+
+/* Define if struct utmpx has field ut_exit. */
+#undef HAVE_STRUCT_UTMPX_UT_EXIT
+
+/* Define if struct utmpx has field ut_syslen. */
+#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
+
+/* Define if struct tm has field tm_gmtoff. */
+#undef HAVE_STRUCT_TM_TM_GMTOFF
+
+/* Define if struct tm has field tm_zone. */
+#undef HAVE_STRUCT_TM_TM_ZONE
+
+/* define if you have timezone */
+#undef HAVE_TIMEZONE
+
+/* define if your system declares timezone */
+#undef HAVE_TIMEZONE_DECLARATION
+
+/* define if struct winsize is declared in sys/termios.h */
+#undef HAVE_STRUCT_WINSIZE
+
+/* define if struct winsize has ws_xpixel */
+#undef HAVE_WS_XPIXEL
+
+/* define if struct winsize has ws_ypixel */
+#undef HAVE_WS_YPIXEL
+
+/* define if you have struct spwd */
+#undef HAVE_STRUCT_SPWD
+
+/* Define if struct sockaddr has field sa_len. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+
+/* Define if el_init takes four arguments. */
+#undef HAVE_FOUR_VALUED_EL_INIT
+
+/* Define if you have a readline compatible library. */
+#undef HAVE_READLINE
+
+/* Define if you want authentication support in telnet. */
+#undef AUTHENTICATION
+
+/* Define if you want encryption support in telnet. */
+#undef ENCRYPTION
+
+/* Define if you want to use DES encryption in telnet. */
+#undef DES_ENCRYPTION
+
+/* Define this to enable diagnostics in telnet. */
+#undef DIAGNOSTICS
+
+/* Define this to enable old environment option in telnet. */
+#undef OLD_ENVIRON
+
+/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */
+#undef ENV_HACK
+
+/* Define if you have streams ptys. */
+#undef STREAMSPTY
+
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/* telnet stuff ----------------------------------------------- */
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+/* random defines */
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/*
+ * this assumes that KRB_C_BIGENDIAN is used.
+ * if we can find out endianess at compile-time, do so,
+ * otherwise WORDS_BIGENDIAN should already have been defined
+ */
+
+#if ENDIANESS_IN_SYS_PARAM_H
+#  include <sys/types.h>
+#  include <sys/param.h>
+#  if BYTE_ORDER == BIG_ENDIAN
+#  define WORDS_BIGENDIAN 1
+#  endif
+#endif
diff --git a/crypto/heimdal/include/kadm5/Makefile.am b/crypto/heimdal/include/kadm5/Makefile.am
new file mode 100644
index 0000000..e0647b8
--- /dev/null
+++ b/crypto/heimdal/include/kadm5/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES = admin.h kadm5_err.h private.h
diff --git a/crypto/heimdal/include/kadm5/Makefile.in b/crypto/heimdal/include/kadm5/Makefile.in
new file mode 100644
index 0000000..895c9f5
--- /dev/null
+++ b/crypto/heimdal/include/kadm5/Makefile.in
@@ -0,0 +1,494 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+CLEANFILES = admin.h kadm5_err.h private.h
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign include/kadm5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = include/kadm5
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/stamp-h.in b/crypto/heimdal/include/stamp-h.in
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/crypto/heimdal/include/stamp-h.in
diff --git a/crypto/heimdal/install-sh b/crypto/heimdal/install-sh
new file mode 100755
index 0000000..89fc9b0
--- /dev/null
+++ b/crypto/heimdal/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+tranformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog
new file mode 100644
index 0000000..05ee0d4
--- /dev/null
+++ b/crypto/heimdal/kadmin/ChangeLog
@@ -0,0 +1,222 @@
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* load.c (doit): check return value from parse_hdbflags2int
+	correctly
+
+2000-01-25  Assar Westerlund  <assar@sics.se>
+
+	* load.c: checking all parsing for errors and all memory
+	allocations also
+
+2000-01-02  Assar Westerlund  <assar@sics.se>
+
+	* server.c: check initial flag in ticket and allow users to change
+	their own password if it's set
+	* ext.c (do_ext_keytab): set timestamp
+
+1999-12-14  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (usage): don't use arg_printusage
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (del_enctype): try not to leak memory
+
+	* version4.c (kadm_ser_mod): use kadm5_s_modify_principal (no
+ 	_with_key)
+
+	* kadmin.c: add `del_enctype'
+
+	* del_enctype.c (del_enctype): new function for deleting enctypes
+	from a principal
+
+	* Makefile.am (kadmin_SOURCES): add del_enctype.c
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* server.c: cope with old clients
+
+	* kadmin_locl.h: remove version string
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (kadmin_LDADD): add LIB_dlopen
+
+1999-10-01  Assar Westerlund  <assar@sics.se>
+
+	* ank.c (add_one_principal): `password' can cactually be NULL in
+ 	the overwrite code, check for it.
+
+1999-09-20  Assar Westerlund  <assar@sics.se>
+
+	* mod.c (mod_entry): print the correct principal name in error
+ 	messages.  From Love <lha@e.kth.se>
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): also create `changepw/kerberos'
+
+	* version4.c: only create you loose packets when we fail decoding
+ 	and not when an operation is not performed for some reason
+	(decode_packet): read the service key from the hdb
+	(dispatch, decode_packet): return proper error messages
+
+	* version4.c (kadm_ser_cpw): add password quality functions
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* server.c (handle_v5): give more informative message if
+	KRB5_KT_NOTFOUND
+
+1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmind.c: use HDB keytabs
+
+1999-08-25  Assar Westerlund  <assar@sics.se>
+
+	* cpw.c (set_password): use correct variable.  From Love
+ 	<lha@e.kth.se>
+
+	* server.c (v5_loop): use correct error code
+
+	* ank.c (add_one_principal): initialize `default_ent'
+
+1999-08-21  Assar Westerlund  <assar@sics.se>
+
+	* random_password.c: new file, stolen from krb4
+
+	* kadmin_locl.h: add prototype for random_password
+
+	* cpw.c: add support for --random-password
+
+	* ank.c: add support for --random-password
+
+	* Makefile.am (kadmin_SOURCES): add random_password.c
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* util.c (edit_timet): break when we manage to parse the time not
+ 	the inverse.
+
+	* mod.c: add parsing of lots of options.  From Love
+ 	<lha@stacken.kth.se>
+
+	* ank.c: add setting of expiration and password expiration
+
+	* kadmin_locl.h: update util.c prototypes
+
+	* util.c: move-around.  clean-up, rename, make consistent (and
+ 	some other weird stuff).  based on patches from Love
+ 	<lha@stacken.kth.se>
+
+	* version4.c (kadm_ser_cpw): initialize password
+	(handle_v4): remove unused variable `ret'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (handle_v4): more error checking and more correct
+ 	error messages
+
+	* server.c (v5_loop, kadmind_loop): more error checking and more
+ 	correct error messages
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2timeval, edit_time): functions for parsing and
+ 	editing times.  Based on patches from Love <lha@stacken.kth.se>.
+	(edit_entry): call new functions
+
+	* mod.c (mod_entry): allow modifying expiration times
+
+	* kadmin_locl.h (str2timeval): add prototype
+
+	* ank.c (add_one_principal): allow setting expiration times
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* server.c (v5_loop): handle data allocation with krb5_data_alloc
+ 	and check return value
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (kadm_ser_cpw): read the key in the strange order
+ 	it's sent
+
+	* util.c (edit_entry): look at default
+	(edit_time): always set mask even if value == 0
+
+	* kadmin_locl.h (edit_entry): update
+
+	* ank.c: make ank use the values of the default principal for
+ 	prompting
+
+	* version4.c (values_to_ent): convert key data correctly
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* init.c (create_random_entry): more correct setting of mask
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): read sendauth version correctly.
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (error_code): try to handle really old krb4
+ 	distributions
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): initialize realm_max_life and realm_max_rlife
+
+1999-05-07  Assar Westerlund  <assar@sics.se>
+
+	* ank.c (add_new_key): initialize more variables
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (kadm_ser_cpw): always allow a user to change her
+ 	password
+	(kadm_ser_*): make logging work
+	clean-up and restructure
+	
+	* kadmin_locl.h (set_entry): add prototype
+
+	* kadmin.c (usage): update usage string
+
+	* init.c (init): new arguments realm-max-ticket-life and
+ 	realm-max-renewable-life
+
+	* util.c (edit_time, edit_attributes): don't do anything if it's
+ 	already set
+	(set_entry): new function
+
+	* ank.c (add_new_key): new options for setting max-ticket-life,
+ 	max-renewable-life, and attributes
+
+	* server.c (v5_loop): remove unused variable
+
+	* kadmin_locl.h: add prototypes
+
+	* version4.c: re-insert krb_err.h and other miss
+
+	* server.c (kadmind_loop): break-up and restructure
+
+	* version4.c: add ACL checks more error code checks restructure
+	
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* load.c: check for (un-)encrypted keys
+
+	* dump.c: use hdb_print_entry
+	
+	* version4.c: version 4 support
+
+	* Makefile.am: link with krb4
+
+	* kadmin_locl.h: include <sys/un.h>
+
+	* server.c: move from lib/kadm5, and add basic support for krb4
+	kadmin protocol
+
+	* kadmind.c: move recvauth to kadmind_loop()
diff --git a/crypto/heimdal/kadmin/Makefile.am b/crypto/heimdal/kadmin/Makefile.am
new file mode 100644
index 0000000..2bafb55
--- /dev/null
+++ b/crypto/heimdal/kadmin/Makefile.am
@@ -0,0 +1,55 @@
+# $Id: Makefile.am,v 1.25 2000/01/06 08:04:13 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4)
+
+sbin_PROGRAMS = kadmin
+
+libexec_PROGRAMS = kadmind
+
+kadmin_SOURCES =				\
+	ank.c					\
+	cpw.c					\
+	del.c					\
+	del_enctype.c				\
+	dump.c					\
+	ext.c					\
+	get.c					\
+	init.c					\
+	kadmin.c				\
+	load.c					\
+	mod.c					\
+	rename.c				\
+	util.c					\
+	random_password.c			\
+	kadmin_locl.h
+
+if KRB4
+KRB4LIB = $(LIB_krb4)
+version4_c = version4.c
+endif
+
+kadmind_SOURCES = kadmind.c server.c kadmin_locl.h $(version4_c)
+
+EXTRA_kadmind_SOURCES = version4.c
+
+COMMON_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
+
+kadmin_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in
new file mode 100644
index 0000000..b7fa775
--- /dev/null
+++ b/crypto/heimdal/kadmin/Makefile.in
@@ -0,0 +1,702 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.25 2000/01/06 08:04:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_readline) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+sbin_PROGRAMS = kadmin
+
+libexec_PROGRAMS = kadmind
+
+kadmin_SOURCES =  	ank.c						cpw.c						del.c						del_enctype.c					dump.c						ext.c						get.c						init.c						kadmin.c					load.c						mod.c						rename.c					util.c						random_password.c				kadmin_locl.h
+
+
+@KRB4_TRUE@KRB4LIB = $(LIB_krb4)
+@KRB4_TRUE@version4_c = version4.c
+
+kadmind_SOURCES = kadmind.c server.c kadmin_locl.h $(version4_c)
+
+EXTRA_kadmind_SOURCES = version4.c
+
+COMMON_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB)
+
+
+kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la 	$(COMMON_LDADD) 	$(LIB_dlopen)
+
+
+kadmin_LDADD =  	$(top_builddir)/lib/kadm5/libkadm5clnt.la 	$(top_builddir)/lib/kadm5/libkadm5srv.la 	$(top_builddir)/lib/sl/libsl.la 	$(LIB_readline) 	$(COMMON_LDADD) 	$(LIB_dlopen)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  kadmind$(EXEEXT)
+sbin_PROGRAMS =  kadmin$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@KRB4_TRUE@kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
+@KRB4_TRUE@version4.$(OBJEXT)
+@KRB4_FALSE@kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT)
+@KRB4_TRUE@kadmind_DEPENDENCIES =  \
+@KRB4_TRUE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_TRUE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@kadmind_DEPENDENCIES =  \
+@KRB4_FALSE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_FALSE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_FALSE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+kadmind_LDFLAGS = 
+kadmin_OBJECTS =  ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
+del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) get.$(OBJEXT) \
+init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) mod.$(OBJEXT) \
+rename.$(OBJEXT) util.$(OBJEXT) random_password.$(OBJEXT)
+kadmin_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/sl/libsl.la $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kadmin_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) $(kadmin_SOURCES)
+OBJECTS = $(kadmind_OBJECTS) $(kadmin_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kadmin/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES)
+	@rm -f kadmind$(EXEEXT)
+	$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+
+kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES)
+	@rm -f kadmin$(EXEEXT)
+	$(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS)
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = kadmin
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-sbinPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-sbinPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-sbinPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-sbinPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-compile \
+		maintainer-clean-libtool maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS clean-sbinPROGRAMS \
+maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c
new file mode 100644
index 0000000..7068912
--- /dev/null
+++ b/crypto/heimdal/kadmin/ank.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: ank.c,v 1.19 1999/12/02 17:04:57 joda Exp $");
+
+/*
+ * fetch the default principal corresponding to `princ'
+ */
+
+static krb5_error_code
+get_default (kadm5_server_context *context,
+	     krb5_principal princ,
+	     kadm5_principal_ent_t default_ent)
+{
+    krb5_error_code ret;
+    krb5_principal def_principal;
+    krb5_realm *realm = krb5_princ_realm(context->context, princ);
+
+    ret = krb5_make_principal (context->context, &def_principal,
+			       *realm, "default", NULL);
+    if (ret)
+	return ret;
+    ret = kadm5_get_principal (context, def_principal, default_ent,
+			       KADM5_PRINCIPAL_NORMAL_MASK);
+    krb5_free_principal (context->context, def_principal);
+    return ret;
+}
+
+/*
+ * Add the principal `name' to the database.
+ * Prompt for all data not given by the input parameters.
+ */
+
+static krb5_error_code
+add_one_principal (const char *name,
+		   int rand_key,
+		   int rand_password,
+		   char *password,
+		   const char *max_ticket_life,
+		   const char *max_renewable_life,
+		   const char *attributes,
+		   const char *expiration,
+		   const char *pw_expiration)
+{
+    krb5_error_code ret;
+    kadm5_principal_ent_rec princ, defrec;
+    kadm5_principal_ent_rec *default_ent = NULL;
+    krb5_principal princ_ent = NULL;
+    int mask = 0;
+    int default_mask = 0;
+    char pwbuf[1024];
+
+    memset(&princ, 0, sizeof(princ));
+    ret = krb5_parse_name(context, name, &princ_ent);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_parse_name");
+	return ret;
+    }
+    princ.principal = princ_ent;
+    mask |= KADM5_PRINCIPAL;
+
+    ret = set_entry(context, &princ, &mask,
+		    max_ticket_life, max_renewable_life, 
+		    expiration, pw_expiration, attributes);
+    if (ret)
+	goto out;
+
+    default_ent = &defrec;
+    ret = get_default (kadm_handle, princ_ent, default_ent);
+    if (ret) {
+	default_ent  = NULL;
+	default_mask = 0;
+    } else {
+	default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
+	    KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
+    }
+
+    edit_entry(&princ, &mask, default_ent, default_mask);
+    if(rand_key) {
+	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	mask |= KADM5_ATTRIBUTES;
+	strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
+	password = pwbuf;
+    } else if (rand_password) {
+	random_password (pwbuf, sizeof(pwbuf));
+	password = pwbuf;
+    } else if(password == NULL) {
+	char *princ_name;
+	char *prompt;
+
+	krb5_unparse_name(context, princ_ent, &princ_name);
+	asprintf (&prompt, "%s's Password: ", princ_name);
+	free (princ_name);
+	ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
+	free (prompt);
+	if (ret)
+	    goto out;
+	password = pwbuf;
+    }
+    
+    ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_create_principal");
+    if(rand_key) {
+	krb5_keyblock *new_keys;
+	int n_keys, i;
+	ret = kadm5_randkey_principal(kadm_handle, princ_ent, 
+				      &new_keys, &n_keys);
+	if(ret){
+	    krb5_warn(context, ret, "kadm5_randkey_principal");
+	    n_keys = 0;
+	}
+	for(i = 0; i < n_keys; i++)
+	    krb5_free_keyblock_contents(context, &new_keys[i]);
+	free(new_keys);
+	kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			    KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	princ.kvno = 1;
+	kadm5_modify_principal(kadm_handle, &princ, 
+			       KADM5_ATTRIBUTES | KADM5_KVNO);
+	kadm5_free_principal_ent(kadm_handle, &princ);
+    } else if (rand_password) {
+	char *princ_name;
+
+	krb5_unparse_name(context, princ_ent, &princ_name);
+	printf ("added %s with password `%s'\n", princ_name, password);
+	free (princ_name);
+    }
+out:
+    if (princ_ent)
+	krb5_free_principal (context, princ_ent);
+    if(default_ent)
+	kadm5_free_principal_ent (context, default_ent);
+    if (password != NULL)
+	memset (password, 0, strlen(password));
+    return ret;
+}
+
+/*
+ * the ank command
+ */
+
+static struct getargs args[] = {
+    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
+    { "random-password", 0,	arg_flag,	NULL, "set random password" },
+    { "password",	'p',	arg_string,	NULL, "princial's password" },
+    { "max-ticket-life",  0,	arg_string,	NULL, "max ticket lifetime",
+      "lifetime"},
+    { "max-renewable-life",  0,	arg_string,	NULL,
+      "max renewable lifetime", "lifetime" },
+    { "attributes",	0,	arg_string,	NULL, "principal attributes",
+      "attributes"},
+    { "expiration-time",0,	arg_string,	NULL, "Expiration time",
+      "time"},
+    { "pw-expiration-time", 0,  arg_string,	NULL,
+      "Password expiration time", "time"}
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "ank", "principal");
+}
+
+/*
+ * Parse arguments and add all the principals.
+ */
+
+int
+add_new_key(int argc, char **argv)
+{
+    char *password = NULL;
+    int random_key = 0;
+    int random_password = 0;
+    int optind = 0;
+    krb5_error_code ret;
+    char *max_ticket_life	= NULL;
+    char *max_renewable_life	= NULL;
+    char *attributes		= NULL;
+    char *expiration		= NULL;
+    char *pw_expiration		= NULL;
+    int i;
+    int num;
+
+    args[0].value = &random_key;
+    args[1].value = &random_password;
+    args[2].value = &password;
+    args[3].value = &max_ticket_life;
+    args[4].value = &max_renewable_life;
+    args[5].value = &attributes;
+    args[6].value = &expiration;
+    args[7].value = &pw_expiration;
+    
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(optind == argc) {
+	usage ();
+	return 0;
+    }
+
+    num = 0;
+    if (random_key)
+	++num;
+    if (random_password)
+	++num;
+    if (password)
+	++num;
+
+    if (num > 1) {
+	printf ("give only one of "
+		"--random-key, --random-password, --password\n");
+	return 0;
+    }
+
+    for (i = optind; i < argc; ++i) {
+	ret = add_one_principal (argv[i], random_key, random_password,
+				 password,
+				 max_ticket_life,
+				 max_renewable_life,
+				 attributes,
+				 expiration,
+				 pw_expiration);
+	if (ret) {
+	    krb5_warn (context, ret, "adding %s", argv[i]);
+	    break;
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/cpw.c b/crypto/heimdal/kadmin/cpw.c
new file mode 100644
index 0000000..2bd71a7
--- /dev/null
+++ b/crypto/heimdal/kadmin/cpw.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: cpw.c,v 1.9 1999/12/02 17:04:57 joda Exp $");
+
+struct cpw_entry_data {
+    int random_key;
+    int random_password;
+    char *password;
+};
+
+static struct getargs args[] = {
+    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
+    { "random-password", 0,	arg_flag,	NULL, "set random password" },
+    { "password",	'p',	arg_string,	NULL, "princial's password" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage(args, num_args, "cpw", "principal...");
+}
+
+static int
+set_random_key (krb5_principal principal)
+{
+    krb5_error_code ret;
+    int i;
+    krb5_keyblock *keys;
+    int num_keys;
+
+    ret = kadm5_randkey_principal(kadm_handle, principal, &keys, &num_keys);
+    if(ret)
+	return ret;
+    for(i = 0; i < num_keys; i++)
+	krb5_free_keyblock_contents(context, &keys[i]);
+    free(keys);
+    return 0;
+}
+
+static int
+set_random_password (krb5_principal principal)
+{
+    krb5_error_code ret;
+    char pw[128];
+
+    random_password (pw, sizeof(pw));
+    ret = kadm5_chpass_principal(kadm_handle, principal, pw);
+    if (ret == 0) {
+	char *princ_name;
+
+	krb5_unparse_name(context, principal, &princ_name);
+
+	printf ("%s's password set to `%s'\n", princ_name, pw);
+	free (princ_name);
+    }
+    memset (pw, 0, sizeof(pw));
+    return ret;
+}
+
+static int
+set_password (krb5_principal principal, char *password)
+{
+    krb5_error_code ret = 0;
+    char pwbuf[128];
+
+    if(password == NULL) {
+	char *princ_name;
+	char *prompt;
+
+	krb5_unparse_name(context, principal, &princ_name);
+	asprintf(&prompt, "%s's Password: ", princ_name);
+	free (princ_name);
+	ret = des_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
+	free (prompt);
+	if(ret){
+	    return 0; /* XXX error code? */
+	}
+	password = pwbuf;
+    }
+    if(ret == 0)
+	ret = kadm5_chpass_principal(kadm_handle, principal, password);
+    memset(pwbuf, 0, sizeof(pwbuf));
+    return ret;
+}
+
+static int
+do_cpw_entry(krb5_principal principal, void *data)
+{
+    struct cpw_entry_data *e = data;
+    
+    if (e->random_key)
+	return set_random_key (principal);
+    else if (e->random_password)
+	return set_random_password (principal);
+    else
+	return set_password (principal, e->password);
+}
+
+int
+cpw_entry(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int i;
+    int optind = 0;
+    struct cpw_entry_data data;
+    int num;
+
+    data.random_key      = 0;
+    data.random_password = 0;
+    data.password        = NULL;
+
+    args[0].value = &data.random_key;
+    args[1].value = &data.random_password;
+    args[2].value = &data.password;
+    if(getarg(args, num_args, argc, argv, &optind)){
+	usage();
+	return 0;
+    }
+
+    num = 0;
+    if (data.random_key)
+	++num;
+    if (data.random_password)
+	++num;
+    if (data.password)
+	++num;
+
+    if (num > 1) {
+	printf ("give only one of "
+		"--random-key, --random-password, --password\n");
+	return 0;
+    }
+	
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++)
+	ret = foreach_principal(argv[i], do_cpw_entry, &data);
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/kadmin/del.c b/crypto/heimdal/kadmin/del.c
new file mode 100644
index 0000000..39ee24e
--- /dev/null
+++ b/crypto/heimdal/kadmin/del.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: del.c,v 1.4 1999/12/02 17:04:58 joda Exp $");
+
+static int
+do_del_entry(krb5_principal principal, void *data)
+{
+    return kadm5_delete_principal(kadm_handle, principal);
+}
+
+int
+del_entry(int argc, char **argv)
+{
+    int i;
+    krb5_error_code ret;
+
+    for(i = 1; i < argc; i++)
+	ret = foreach_principal(argv[i], do_del_entry, NULL);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/del_enctype.c b/crypto/heimdal/kadmin/del_enctype.c
new file mode 100644
index 0000000..d772b65
--- /dev/null
+++ b/crypto/heimdal/kadmin/del_enctype.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: del_enctype.c,v 1.4 1999/12/14 02:37:49 assar Exp $");
+
+static void
+usage(void)
+{
+    fprintf (stderr, "Usage: del_enctype principal enctypes...\n");
+}
+
+/*
+ * del_enctype principal enctypes...
+ */
+
+int
+del_enctype(int argc, char **argv)
+{
+    kadm5_principal_ent_rec princ;
+    krb5_principal princ_ent = NULL;
+    krb5_error_code ret;
+    const char *princ_name;
+    int i, j, k;
+    krb5_key_data *new_key_data;
+    int n_etypes;
+    krb5_enctype *etypes;
+
+    if (argc < 3) {
+	usage ();
+	return 0;
+    }
+
+    memset (&princ, 0, sizeof(princ));
+    princ_name = argv[1];
+    n_etypes   = argc - 2;
+    etypes     = malloc (n_etypes * sizeof(*etypes));
+    if (etypes == NULL) {
+	krb5_warnx (context, "out of memory");
+	return 0;
+    }
+    for (i = 0; i < n_etypes; ++i) {
+	ret = krb5_string_to_enctype (context, argv[i + 2], &etypes[i]);
+	if (ret) {
+	    krb5_warnx (context, "bad enctype `%s'", argv[i + 2]);
+	    goto out2;
+	}
+    }
+
+    ret = krb5_parse_name(context, princ_name, &princ_ent);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_parse_name %s", princ_name);
+	goto out2;
+    }
+
+    ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
+			      KADM5_PRINCIPAL | KADM5_KEY_DATA);
+    if (ret) {
+	krb5_free_principal (context, princ_ent);
+	krb5_warnx (context, "no such principal: %s", princ_name);
+	goto out2;
+    }
+
+    new_key_data   = malloc(princ.n_key_data * sizeof(*new_key_data));
+    if (new_key_data == NULL) {
+	krb5_warnx (context, "out of memory");
+	goto out;
+    }
+
+    for (i = 0, j = 0; i < princ.n_key_data; ++i) {
+	krb5_key_data *key = &princ.key_data[i];
+	int docopy = 1;
+
+	for (k = 0; k < n_etypes; ++k)
+	    if (etypes[k] == key->key_data_type[0]) {
+		docopy = 0;
+		break;
+	    }
+	if (docopy) {
+	    new_key_data[j++] = *key;
+	} else {
+	    int16_t ignore;
+
+	    kadm5_free_key_data (kadm_handle, &ignore, key);
+	}
+    }
+
+    free (princ.key_data);
+    princ.n_key_data = j;
+    princ.key_data   = new_key_data;
+
+    ret = kadm5_modify_principal (kadm_handle, &princ, KADM5_KEY_DATA);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_modify_principal");
+out:
+    krb5_free_principal (context, princ_ent);
+    kadm5_free_principal_ent(kadm_handle, &princ);
+out2:
+    free (etypes);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/dump.c b/crypto/heimdal/kadmin/dump.c
new file mode 100644
index 0000000..a57309c
--- /dev/null
+++ b/crypto/heimdal/kadmin/dump.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: dump.c,v 1.26 1999/12/02 17:04:58 joda Exp $");
+
+int
+dump(int argc, char **argv)
+{
+    krb5_error_code ret;
+    FILE *f;
+    HDB *db = _kadm5_s_get_db(kadm_handle);
+    int decrypt = 0;
+    int optind = 0;
+
+    struct getargs args[] = {
+	{ "decrypt", 'd', arg_flag, NULL, "decrypt keys" }
+    };
+    args[0].value = &decrypt;
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), "kadmin dump", 
+		       "[dump-file]");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+    if(argc < 1)
+	f = stdout;
+    else
+	f = fopen(argv[0], "w");
+    
+    ret = db->open(context, db, O_RDONLY, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	if(f != stdout)
+	    fclose(f);
+	return 0;
+    }
+
+    hdb_foreach(context, db, decrypt ? HDB_F_DECRYPT : 0, hdb_print_entry, f);
+
+    if(f != stdout)
+	fclose(f);
+    db->close(context, db);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/ext.c b/crypto/heimdal/kadmin/ext.c
new file mode 100644
index 0000000..9d2be17
--- /dev/null
+++ b/crypto/heimdal/kadmin/ext.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: ext.c,v 1.5 2000/01/02 03:58:02 assar Exp $");
+
+struct ext_keytab_data {
+    krb5_keytab keytab;
+};
+
+static struct getargs args[] = {
+    { "keytab",		'k',	arg_string,	NULL, "keytab to use" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage(args, num_args, "ext", "principal...");
+}
+
+static int
+do_ext_keytab(krb5_principal principal, void *data)
+{
+    krb5_error_code ret;
+    int i;
+    kadm5_principal_ent_rec princ;
+    struct ext_keytab_data *e = data;
+
+    ret = kadm5_get_principal(kadm_handle, principal, &princ, 
+			      KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
+    if(ret)
+	return ret;
+    for(i = 0; i < princ.n_key_data; i++){
+	krb5_keytab_entry key;
+	krb5_key_data *k = &princ.key_data[i];
+	key.principal = princ.principal;
+	key.vno = k->key_data_kvno;
+	key.keyblock.keytype = k->key_data_type[0];
+	key.keyblock.keyvalue.length = k->key_data_length[0];
+	key.keyblock.keyvalue.data = k->key_data_contents[0];
+	key.timestamp = time(NULL);
+	ret = krb5_kt_add_entry(context, e->keytab, &key);
+	if(ret)
+	    krb5_warn(context, ret, "krb5_kt_add_entry");
+    }
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    return 0;
+}
+
+int
+ext_keytab(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int i;
+    int optind = 0;
+    char *keytab = NULL;
+    struct ext_keytab_data data;
+    
+    args[0].value = &keytab;
+    if(getarg(args, num_args, argc, argv, &optind)){
+	usage();
+	return 0;
+    }
+    if(keytab)
+	ret = krb5_kt_resolve(context, keytab, &data.keytab);
+    else
+	ret = krb5_kt_default(context, &data.keytab);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_resolve");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++) 
+	foreach_principal(argv[i], do_ext_keytab, &data);
+
+    krb5_kt_close(context, data.keytab);
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/kadmin/get.c b/crypto/heimdal/kadmin/get.c
new file mode 100644
index 0000000..1492ca9
--- /dev/null
+++ b/crypto/heimdal/kadmin/get.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <parse_units.h>
+
+RCSID("$Id: get.c,v 1.8 1999/12/02 17:04:58 joda Exp $");
+
+struct get_entry_data {
+    void (*header)(void);
+    void (*format)(kadm5_principal_ent_t);
+};
+
+static void
+print_entry_terse(kadm5_principal_ent_t princ)
+{
+    char *p;
+    krb5_unparse_name(context, princ->principal, &p);
+    printf("  %s\n", p);
+    free(p);
+}
+
+static void
+print_header_short(void)
+{
+    printf("%-20s ", "Principal");
+    
+    printf("%-10s ", "Expires");
+	    
+    printf("%-10s ", "PW-exp");
+	    
+    printf("%-10s ", "PW-change");
+	
+    printf("%-9s ", "Max life");
+
+    printf("%-9s ", "Max renew");
+    
+    printf("\n");
+}
+
+static void
+print_entry_short(kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    
+    krb5_unparse_name_fixed_short(context, princ->principal, buf, sizeof(buf));
+    printf("%-20s ", buf);
+    
+    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	    
+    time_t2str(princ->pw_expiration, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	    
+    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	
+    deltat2str(princ->max_life, buf, sizeof(buf));
+    printf("%-9s ", buf);
+
+    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
+    printf("%-9s ", buf);
+
+#if 0
+    time_t2str(princ->mod_date, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+
+    krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
+    printf("%-24s", buf);
+#endif
+    
+    printf("\n");
+}
+
+static void
+print_entry_long(kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    int i;
+    
+    krb5_unparse_name_fixed(context, princ->principal, buf, sizeof(buf));
+    printf("%24s: %s\n", "Principal", buf);
+    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Principal expires", buf);
+	    
+    time_t2str(princ->pw_expiration, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Password expires", buf);
+	    
+    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last password change", buf);
+	
+    deltat2str(princ->max_life, buf, sizeof(buf));
+    printf("%24s: %s\n", "Max ticket life", buf);
+
+    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
+    printf("%24s: %s\n", "Max renewable life", buf);
+    printf("%24s: %d\n", "Kvno", princ->kvno);
+    printf("%24s: %d\n", "Mkvno", princ->mkvno);
+    printf("%24s: %s\n", "Policy", princ->policy ? princ->policy : "none");
+    time_t2str(princ->last_success, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last successful login", buf);
+    time_t2str(princ->last_failed, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last failed login", buf);
+    printf("%24s: %d\n", "Failed login count", princ->fail_auth_count);
+    time_t2str(princ->mod_date, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last modified", buf);
+    krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
+    printf("%24s: %s\n", "Modifier", buf);
+    attributes2str (princ->attributes, buf, sizeof(buf));
+    printf("%24s: %s\n", "Attributes", buf);
+
+    printf("%24s: ", "Keytypes(salts)");
+
+    for (i = 0; i < princ->n_key_data; ++i) {
+	krb5_key_data *k = &princ->key_data[i];
+	krb5_error_code ret;
+	char *e_string, *s_string;
+
+	ret = krb5_enctype_to_string (context,
+				      k->key_data_type[0],
+				      &e_string);
+	if (ret)
+	    asprintf (&e_string, "unknown(%d)", k->key_data_type[0]);
+
+	ret = krb5_salttype_to_string (context,
+				       k->key_data_type[0],
+				       k->key_data_type[1],
+				       &s_string);
+	if (ret)
+	    asprintf (&s_string, "unknown(%d)", k->key_data_type[1]);
+
+	printf ("%s%s(%s)", (i != 0) ? ", " : "", e_string, s_string);
+	free (e_string);
+	free (s_string);
+    }
+    printf("\n\n");
+}
+
+static int
+do_get_entry(krb5_principal principal, void *data)
+{
+    kadm5_principal_ent_rec princ;
+    krb5_error_code ret;
+    struct get_entry_data *e = data;
+    
+    memset(&princ, 0, sizeof(princ));
+    ret = kadm5_get_principal(kadm_handle, principal, 
+			      &princ,
+			      KADM5_PRINCIPAL_NORMAL_MASK|KADM5_KEY_DATA);
+    if(ret)
+	return ret;
+    else {
+	if(e->header) {
+	    (*e->header)();
+	    e->header = NULL; /* XXX only once */
+	}
+	(e->format)(&princ);
+	kadm5_free_principal_ent(kadm_handle, &princ);
+    }
+    return 0;
+}
+
+int
+get_entry(int argc, char **argv)
+{
+    int i;
+    krb5_error_code ret;
+    struct get_entry_data data;
+    struct getargs args[] = {
+	{ "long",	'l',	arg_flag,	NULL, "long format" },
+	{ "terse",	't',	arg_flag,	NULL, "terse format" },
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int long_flag = 0;
+    int terse_flag = 0;
+    
+    args[0].value = &long_flag;
+    args[1].value = &terse_flag;
+    if(getarg(args, num_args, argc, argv, &optind))
+	goto usage;
+    if(optind == argc)
+	goto usage;
+
+    if(long_flag) {
+	data.format = print_entry_long;
+	data.header = NULL;
+    } else if(terse_flag) {
+	data.format = print_entry_terse;
+	data.header = NULL;
+    } else {
+	data.format = print_entry_short;
+	data.header = print_header_short;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++)
+	ret = foreach_principal(argv[i], do_get_entry, &data);
+    return 0;
+usage:
+    arg_printusage (args, num_args, "get", "principal...");
+    return 0;
+}
+
+int
+list_princs(int argc, char **argv)
+{
+    int i;
+    krb5_error_code ret;
+    struct get_entry_data data;
+
+    data.format = print_entry_terse;
+    data.header = NULL;
+    
+    for(i = 1; i < argc; i++)
+	ret = foreach_principal(argv[i], do_get_entry, &data);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c
new file mode 100644
index 0000000..b889131
--- /dev/null
+++ b/crypto/heimdal/kadmin/init.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: init.c,v 1.23 1999/12/02 17:04:58 joda Exp $");
+
+static kadm5_ret_t
+create_random_entry(krb5_principal princ,
+		    unsigned max_life,
+		    unsigned max_rlife,
+		    u_int32_t attributes)
+{
+    kadm5_principal_ent_rec ent;
+    kadm5_ret_t ret;
+    int mask = 0;
+    krb5_keyblock *keys;
+    int n_keys, i;
+
+    memset(&ent, 0, sizeof(ent));
+    ent.principal = princ;
+    mask |= KADM5_PRINCIPAL;
+    if (max_life) {
+	ent.max_life = max_life;
+	mask |= KADM5_MAX_LIFE;
+    }
+    if (max_rlife) {
+	ent.max_renewable_life = max_rlife;
+	mask |= KADM5_MAX_RLIFE;
+    }
+    ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
+    mask |= KADM5_ATTRIBUTES;
+
+    ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig");
+    if(ret)
+	return ret;
+    ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
+    if(ret)
+	return ret;
+    for(i = 0; i < n_keys; i++)
+	krb5_free_keyblock_contents(context, &keys[i]);
+    free(keys);
+    ret = kadm5_get_principal(kadm_handle, princ, &ent, 
+			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
+    if(ret)
+	return ret;
+    ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+    ent.kvno = 1;
+    ret = kadm5_modify_principal(kadm_handle, &ent, 
+				 KADM5_ATTRIBUTES|KADM5_KVNO);
+    kadm5_free_principal_ent (kadm_handle, &ent);
+    if(ret)
+	return ret;
+    return 0;
+}
+
+static struct getargs args[] = {
+    { "realm-max-ticket-life",  0,	arg_string,	NULL,
+      "realm max ticket lifetime" },
+    { "realm-max-renewable-life",  0,	arg_string,	NULL,
+      "realm max renewable lifetime" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "ank", "principal");
+}
+
+int
+init(int argc, char **argv)
+{
+    kadm5_ret_t ret;
+    int i;
+    char *realm_max_life  = NULL;
+    char *realm_max_rlife = NULL;
+    HDB *db;
+    int optind = 0;
+    krb5_deltat max_life, max_rlife;
+
+    args[0].value = &realm_max_life;
+    args[1].value = &realm_max_rlife;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage();
+	return 0;
+    }
+
+    if (realm_max_life) {
+	if (str2deltat (realm_max_life, &max_life) != 0) {
+	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
+	    return 0;
+	}
+    }
+    if (realm_max_rlife) {
+	if (str2deltat (realm_max_rlife, &max_rlife) != 0) {
+	    krb5_warnx (context, "unable to parse `%s'", realm_max_rlife);
+	    return 0;
+	}
+    }
+
+    db = _kadm5_s_get_db(kadm_handle);
+
+    ret = db->open(context, db, O_RDWR | O_CREAT, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	return 0;
+    }
+    db->close(context, db);
+    for(i = optind; i < argc; i++){
+	krb5_principal princ;
+	const char *realm = argv[i];
+
+	/* Create `krbtgt/REALM' */
+	krb5_make_principal(context, &princ, realm, "krbtgt", realm, NULL);
+	if (realm_max_life == NULL) {
+	    max_life = 0;
+	    edit_deltat ("Realm max ticket life", &max_life, NULL, 0);
+	}
+	if (realm_max_rlife == NULL) {
+	    max_rlife = 0;
+	    edit_deltat("Realm max renewable ticket life", &max_rlife,
+			NULL, 0);
+	}
+	create_random_entry(princ, max_life, max_rlife, 0);
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/changepw' */
+	krb5_make_principal(context, &princ, realm, 
+			    "kadmin", "changepw", NULL);
+	create_random_entry(princ, 5*60, 5*60, 
+			    KRB5_KDB_DISALLOW_TGT_BASED|
+			    KRB5_KDB_PWCHANGE_SERVICE|
+			    KRB5_KDB_DISALLOW_POSTDATED|
+			    KRB5_KDB_DISALLOW_FORWARDABLE|
+			    KRB5_KDB_DISALLOW_RENEWABLE|
+			    KRB5_KDB_DISALLOW_PROXIABLE|
+			    KRB5_KDB_REQUIRES_PRE_AUTH);
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/admin' */
+	krb5_make_principal(context, &princ, realm, 
+			    "kadmin", "admin", NULL);
+	create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH);
+	krb5_free_principal(context, princ);
+
+	/* Create `changepw/kerberos' (for v4 compat) */
+	krb5_make_principal(context, &princ, realm,
+			    "changepw", "kerberos", NULL);
+	create_random_entry(princ, 60*60, 60*60, 0);
+	krb5_free_principal(context, princ);
+
+	/* Create `default' */
+	{
+	    kadm5_principal_ent_rec ent;
+	    int mask = 0;
+
+	    memset (&ent, 0, sizeof(ent));
+	    mask |= KADM5_PRINCIPAL;
+	    krb5_make_principal(context, &ent.principal, realm,
+				"default", NULL);
+	    mask |= KADM5_MAX_LIFE;
+	    ent.max_life = 24 * 60 * 60;
+	    mask |= KADM5_MAX_RLIFE;
+	    ent.max_renewable_life = 7 * ent.max_life;
+	    ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
+	    mask |= KADM5_ATTRIBUTES;
+
+	    ret = kadm5_create_principal(kadm_handle, &ent, mask, "");
+	    if (ret)
+		krb5_err (context, 1, ret, "kadm5_create_principal");
+
+	    krb5_free_principal(context, ent.principal);
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c
new file mode 100644
index 0000000..6d29d63
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin.c
@@ -0,0 +1,281 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <sl.h>
+
+RCSID("$Id: kadmin.c,v 1.27 2000/01/31 23:51:52 assar Exp $");
+
+static char *config_file;
+static char *keyfile;
+static int local_flag;
+static int help_flag;
+static int version_flag;
+static char *realm;
+static char *admin_server;
+static int server_port = 0;
+static char *client_name;
+
+static struct getargs args[] = {
+    {	"principal", 	'p',	arg_string,	&client_name,
+	"principal to authenticate as" },
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    {
+	"key-file",	'k',	arg_string, &keyfile, 
+	"location of master key file", "file"
+    },
+    {	
+	"realm",	'r',	arg_string,   &realm, 
+	"realm to use", "realm" 
+    },
+    {	
+	"admin-server",	'a',	arg_string,   &admin_server, 
+	"server to contact", "host" 
+    },
+    {	
+	"server-port",	's',	arg_integer,   &server_port, 
+	"port to use", "port number" 
+    },
+    {	"local", 'l', arg_flag, &local_flag, "local admin mode" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static SL_cmd commands[] = {
+    /* commands that are only available with `-l' */
+    { 
+	"dump",		dump,		"dump [file]",
+	"Dumps the database in a human readable format to the\n"
+	"specified file, or the standard out." 
+    },
+    { 
+	"load",		load,		"load file",
+	"Loads a previously dumped file."
+    },
+    { 
+	"merge",	merge,		"merge file" ,
+	"Merges the contents of a dump file into the database."
+    },
+    { 
+	"init",		init,		"init realm...",
+	"Initializes the default principals for a realm.\n"
+	"Creates the database if necessary."
+    },
+    /* common commands */
+    { 
+	"add",	add_new_key, 	"add principal" ,
+	"Adds a principal to the database."
+    },
+    { "add_new_key"},
+    { "ank"},
+    { 
+	"passwd",	cpw_entry, 	"passwd expression..." ,
+	"Changes the password of one or more principals\n"
+	"matching the expressions."
+    },
+    { "change_password"},
+    { "cpw"},
+    { 
+	"delete",	del_entry, 	"delete expression...",
+	"Deletes all principals matching the expressions."
+    },
+    { "del_entry" },
+    {
+	"del_enctype",	del_enctype,	"del_enctype principal enctype...",
+	"Delete all the mentioned enctypes for principal."
+    },
+    { 
+	"ext_keytab",	ext_keytab, 	"ext_keytab expression...",
+	"Extracts the keys of all principals matching the expressions,\n"
+	"and stores them in a keytab." 
+    },
+    { 
+	"get",		get_entry, 	"get expression...",
+	"Shows information about principals matching the expressions."
+    },
+    { "get_entry" },
+    { 
+	"rename",	rename_entry, 	"rename source target",
+	"Renames `source' to `target'."
+    },
+    { 
+	"modify",	mod_entry, 	"modify principal",
+	"Modifies some attributes of the specified principal."
+    },
+    { 
+	"privileges",	get_privs,	"privileges",
+	"Shows which kinds of operations you are allowed to perform."
+    },
+    { 
+	"list",		list_princs,	"list expression...", 
+	"Lists principals in a terse format. The same as `get -t'." 
+    },
+    { "help",		help, "help"},
+    { "?"},
+    { "exit",		exit_kadmin, "exit"},
+    { NULL}
+};
+
+krb5_context context;
+void *kadm_handle;
+
+int
+help(int argc, char **argv)
+{
+    sl_help(commands, argc, argv);
+    return 0;
+}
+
+int
+exit_kadmin (int argc, char **argv)
+{
+    return 1;
+}
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "[command]");
+    exit (ret);
+}
+
+int
+get_privs(int argc, char **argv)
+{
+    u_int32_t privs;
+    char str[128];
+    kadm5_ret_t ret;
+    
+    ret = kadm5_get_privs(kadm_handle, &privs);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_get_privs");
+    else{
+	ret =_kadm5_privs_to_string(privs, str, sizeof(str));
+	printf("%s\n", str);
+    }
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_config_section *cf = NULL;
+    kadm5_config_params conf;
+    int optind = 0;
+    int e;
+    SL_cmd *cmd;
+
+    set_progname(argv[0]);
+
+    krb5_init_context(&context);
+
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (config_file == NULL)
+	config_file = HDB_DB_DIR "/kdc.conf";
+
+    if(krb5_config_parse_file(config_file, &cf) == 0) {
+	const char *p = krb5_config_get_string (context, cf, 
+						"kdc", "key-file", NULL);
+	if (p)
+	    keyfile = strdup(p);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	krb5_set_default_realm(context, realm); /* XXX should be fixed
+						   some other way */
+	conf.realm = realm;
+	conf.mask |= KADM5_CONFIG_REALM;
+    }
+
+    if (admin_server) {
+	conf.admin_server = admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    if(local_flag){
+	ret = kadm5_s_init_with_password_ctx(context, 
+					     KADM5_ADMIN_SERVICE,
+					     NULL,
+					     KADM5_ADMIN_SERVICE,
+					     &conf, 0, 0, 
+					     &kadm_handle);
+	cmd = commands;
+    } else {
+	ret = kadm5_c_init_with_password_ctx(context, 
+					     client_name,
+					     NULL,
+					     KADM5_ADMIN_SERVICE,
+					     &conf, 0, 0, 
+					     &kadm_handle);
+	cmd = commands + 4; /* XXX */
+    }
+    
+    if(ret)
+	krb5_err(context, 1, ret, "kadm5_init_with_password");
+    if (argc != 0) {
+	ret = sl_command (cmd, argc, argv);
+	if(ret == -1)
+	    krb5_warnx (context, "unrecognized command: %s", argv[0]);
+    } else
+	ret = sl_loop (cmd, "kadmin> ") != 0;
+
+    kadm5_destroy(kadm_handle);
+    krb5_config_file_free (context, cf);
+    krb5_free_context(context);
+    return ret;
+}
diff --git a/crypto/heimdal/kadmin/kadmin_locl.h b/crypto/heimdal/kadmin/kadmin_locl.h
new file mode 100644
index 0000000..aa5ba13
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin_locl.h
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: kadmin_locl.h,v 1.25 2000/02/06 05:16:35 assar Exp $
+ * $FreeBSD$
+ */
+
+#ifndef __ADMIN_LOCL_H__
+#define __ADMIN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <openssl/des.h>
+#include <krb5.h>
+#include <hdb.h>
+#include <hdb_err.h>
+#include <kadm5/admin.h>
+#include <kadm5/private.h>
+#include <kadm5/kadm5_err.h>
+#include <parse_time.h>
+#include <getarg.h>
+
+
+extern krb5_context context;
+extern void * kadm_handle;
+
+#define DECL(X) int X(int, char **)
+
+DECL(add_new_key);
+DECL(cpw_entry);
+DECL(del_entry);
+DECL(del_enctype);
+DECL(exit_kadmin);
+DECL(ext_keytab);
+DECL(get_entry);
+DECL(get_privs);
+DECL(help);
+DECL(list_princs);
+DECL(mod_entry);
+DECL(rename_entry);
+DECL(init);
+DECL(dump);
+DECL(load);
+DECL(merge);
+
+#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
+
+/* util.c */
+
+void attributes2str(krb5_flags attributes, char *str, size_t len);
+int  str2attributes(const char *str, krb5_flags *flags);
+int  parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit);
+int  edit_attributes (const char *prompt, krb5_flags *attr, int *mask,
+		      int bit);
+
+void time_t2str(time_t t, char *str, size_t len, int include_time);
+int  str2time_t (const char *str, time_t *time);
+int  parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit);
+int  edit_timet (const char *prompt, krb5_timestamp *value, int *mask,
+		 int bit);
+
+void deltat2str(unsigned t, char *str, size_t len);
+int  str2deltat(const char *str, krb5_deltat *delta);
+int  parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit);
+int  edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit);
+
+int edit_entry(kadm5_principal_ent_t ent, int *mask,
+	       kadm5_principal_ent_t default_ent, int default_mask);
+int set_entry(krb5_context context,
+	      kadm5_principal_ent_t ent,
+	      int *mask,
+	      const char *max_ticket_life,
+	      const char *max_renewable_life,
+	      const char *expiration,
+	      const char *pw_expiration,
+	      const char *attributes);
+int
+foreach_principal(const char *exp, 
+		  int (*func)(krb5_principal, void*), 
+		  void *data);
+
+void get_response(const char *prompt, const char *def, char *buf, size_t len);
+
+/* server.c */
+
+krb5_error_code
+kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
+
+/* version4.c */
+
+void
+handle_v4(krb5_context context, int len, int fd);
+
+/* random_password.c */
+
+void
+random_password(char *pw, size_t len);
+
+#endif /* __ADMIN_LOCL_H__ */
diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c
new file mode 100644
index 0000000..4b4fb0d
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: kadmind.c,v 1.16 1999/12/02 17:04:58 joda Exp $");
+
+static char *config_file;
+static char *keyfile;
+static char *keytab_str = "HDB:";
+static int help_flag;
+static int version_flag;
+static int debug_flag;
+static int debug_port;
+char *realm;
+
+static struct getargs args[] = {
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    {
+	"key-file",	'k',	arg_string, &keyfile, 
+	"location of master key file", "file"
+    },
+    {
+	"keytab",	0,	arg_string, &keytab_str,
+	"what keytab to use", "keytab"
+    },
+    {	"realm",	'r',	arg_string,   &realm, 
+	"realm to use", "realm" 
+    },
+    {	"debug",	'd',	arg_flag,   &debug_flag, 
+	"enable debugging" 
+    },
+    {	"debug-port",	'p',	arg_integer,&debug_port, 
+	"port to use with debug", "port" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+krb5_context context;
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+krb5_error_code
+kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_config_section *cf;
+    int optind = 0;
+    int e;
+    krb5_log_facility *logf;
+    krb5_keytab keytab;
+
+    set_progname(argv[0]);
+
+    krb5_init_context(&context);
+
+    ret = krb5_openlog(context, "kadmind", &logf);
+    ret = krb5_set_warn_dest(context, logf);
+
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    if (config_file == NULL)
+	config_file = HDB_DB_DIR "/kdc.conf";
+
+    if(krb5_config_parse_file(config_file, &cf) == 0) {
+	const char *p = krb5_config_get_string (context, cf, 
+						"kdc", "key-file", NULL);
+	if (p)
+	    keyfile = strdup(p);
+    }
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    {
+	int fd = 0;
+	krb5_auth_context ac = NULL;
+	if(debug_flag){
+	    if(debug_port == 0)
+		debug_port = krb5_getportbyname (context, "kerberos-adm", 
+						 "tcp", 749);
+	    else
+		debug_port = htons(debug_port);
+	    mini_inetd(debug_port);
+	}
+	if(realm)
+	    krb5_set_default_realm(context, realm); /* XXX */
+	kadmind_loop(context, ac, keytab, fd);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/load.c b/crypto/heimdal/kadmin/load.c
new file mode 100644
index 0000000..6a95887
--- /dev/null
+++ b/crypto/heimdal/kadmin/load.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: load.c,v 1.36 2000/02/16 16:05:28 assar Exp $");
+
+struct entry {
+    char *principal;
+    char *key;
+    char *max_life;
+    char *max_renew;
+    char *created;
+    char *modified;
+    char *valid_start;
+    char *valid_end;
+    char *pw_end;
+    char *flags;
+    char *etypes;
+};
+
+static char *
+skip_next(char *p)
+{
+    while(*p && !isspace((unsigned char)*p)) 
+	p++;
+    *p++ = 0;
+    while(*p && isspace((unsigned char)*p))
+	p++;
+    return p;
+}
+
+/*
+ * Parse the time in `s', returning:
+ * -1 if error parsing
+ * 0  if none  present
+ * 1  if parsed ok
+ */
+
+static int
+parse_time_string(time_t *t, const char *s)
+{
+    int year, month, date, hour, minute, second;
+    struct tm tm;
+
+    if(strcmp(s, "-") == 0)
+	return 0;
+    if(sscanf(s, "%04d%02d%02d%02d%02d%02d", 
+	      &year, &month, &date, &hour, &minute, &second) != 6)
+	return -1;
+    tm.tm_year  = year - 1900;
+    tm.tm_mon   = month - 1;
+    tm.tm_mday  = date;
+    tm.tm_hour  = hour;
+    tm.tm_min   = minute;
+    tm.tm_sec   = second;
+    tm.tm_isdst = 0;
+    *t = timegm(&tm);
+    return 1;
+}
+
+/*
+ * parse time, allocating space in *t if it's there
+ */
+
+static int
+parse_time_string_alloc (time_t **t, const char *s)
+{
+    time_t tmp;
+    int ret;
+
+    *t = NULL;
+    ret = parse_time_string (&tmp, s);
+    if (ret == 1) {
+	*t = malloc (sizeof (**t));
+	if (*t == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**t = tmp;
+    }
+    return ret;
+}
+
+/*
+ * see parse_time_string for calling convention
+ */
+
+static int
+parse_integer(unsigned *u, const char *s)
+{
+    if(strcmp(s, "-") == 0)
+	return 0;
+    if (sscanf(s, "%u", u) != 1)
+	return -1;
+    return 1;
+}
+
+static int
+parse_integer_alloc (int **u, const char *s)
+{
+    unsigned tmp;
+    int ret;
+
+    *u = NULL;
+    ret = parse_integer (&tmp, s);
+    if (ret == 1) {
+	*u = malloc (sizeof (**u));
+	if (*u == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**u = tmp;
+    }
+    return ret;
+}
+
+/*
+ * Parse dumped keys in `str' and store them in `ent'
+ * return -1 if parsing failed
+ */
+
+static int
+parse_keys(hdb_entry *ent, char *str)
+{
+    krb5_error_code ret;
+    int tmp;
+    char *p;
+    int i;
+    
+    p = strsep(&str, ":");
+    if (sscanf(p, "%d", &tmp) != 1)
+	return 1;
+    ent->kvno = tmp;
+    p = strsep(&str, ":");
+    while(p){
+	Key *key;
+	key = realloc(ent->keys.val, 
+		      (ent->keys.len + 1) * sizeof(*ent->keys.val));
+	if(key == NULL)
+	    krb5_errx (context, 1, "realloc: out of memory");
+	ent->keys.val = key;
+	key = ent->keys.val + ent->keys.len;
+	ent->keys.len++;
+	memset(key, 0, sizeof(*key));
+	if(sscanf(p, "%d", &tmp) == 1) {
+	    key->mkvno = malloc(sizeof(*key->mkvno));
+	    *key->mkvno = tmp;
+	} else
+	    key->mkvno = NULL;
+	p = strsep(&str, ":");
+	if (sscanf(p, "%d", &tmp) != 1)
+	    return 1;
+	key->key.keytype = tmp;
+	p = strsep(&str, ":");
+	ret = krb5_data_alloc(&key->key.keyvalue, (strlen(p) - 1) / 2 + 1);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_data_alloc");
+	for(i = 0; i < strlen(p); i += 2) {
+	    if(sscanf(p + i, "%02x", &tmp) != 1)
+		return 1;
+	    ((u_char*)key->key.keyvalue.data)[i / 2] = tmp;
+	}
+	p = strsep(&str, ":");
+	if(strcmp(p, "-") != 0){
+	    unsigned type;
+	    size_t p_len;
+
+	    if(sscanf(p, "%u/", &type) != 1)
+		return 1;
+	    p = strchr(p, '/');
+	    if(p == NULL)
+		return 1;
+	    p++;
+	    p_len = strlen(p);
+
+	    key->salt = malloc(sizeof(*key->salt));
+	    if (key->salt == NULL)
+		krb5_errx (context, 1, "malloc: out of memory");
+	    key->salt->type = type;
+		
+	    if (p_len) {
+		if(*p == '\"') {
+		    ret = krb5_data_copy(&key->salt->salt, p + 1, p_len - 2);
+		    if (ret)
+			krb5_err (context, 1, ret, "krb5_data_copy");
+		} else {
+		    ret = krb5_data_alloc(&key->salt->salt,
+					  (p_len - 1) / 2 + 1);
+		    if (ret)
+			krb5_err (context, 1, ret, "krb5_data_alloc");
+		    for(i = 0; i < p_len; i += 2){
+			if (sscanf(p + i, "%02x", &tmp) != 1)
+			    return 1;
+			((u_char*)key->salt->salt.data)[i / 2] = tmp;
+		    }
+		}
+	    } else
+		krb5_data_zero (&key->salt->salt);
+	}
+	p = strsep(&str, ":");
+    }
+    return 0;
+}
+
+/*
+ * see parse_time_string for calling convention
+ */
+
+static int
+parse_event(Event *ev, char *s)
+{
+    krb5_error_code ret;
+    char *p;
+
+    if(strcmp(s, "-") == 0)
+	return 0;
+    memset(ev, 0, sizeof(*ev));
+    p = strsep(&s, ":");
+    if(parse_time_string(&ev->time, p) != 1)
+	return -1;
+    p = strsep(&s, ":");
+    ret = krb5_parse_name(context, p, &ev->principal);
+    if (ret)
+	return -1;
+    return 1;
+}
+
+static int
+parse_event_alloc (Event **ev, char *s)
+{
+    Event tmp;
+    int ret;
+
+    *ev = NULL;
+    ret = parse_event (&tmp, s);
+    if (ret == 1) {
+	*ev = malloc (sizeof (**ev));
+	if (*ev == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**ev = tmp;
+    }
+    return ret;
+}
+
+static int
+parse_hdbflags2int(HDBFlags *f, const char *s)
+{
+    int ret;
+    unsigned tmp;
+
+    ret = parse_integer (&tmp, s);
+    if (ret == 1)
+	*f = int2HDBFlags (tmp);
+    return ret;
+}
+
+#if 0
+static void
+parse_etypes(char *str, unsigned **val, unsigned *len)
+{
+    unsigned v;
+    
+    *val = NULL;
+    *len = 0;
+    while(sscanf(str, "%u", &v) == 1) {
+	*val = realloc(*val, (*len+1) * sizeof(**val));
+	(*val)[(*len)++] = v;
+	str = strchr(str, ':');
+	if(str == NULL)
+	    break;
+	str++;
+    }
+}
+#endif
+
+/*
+ * Parse the dump file in `filename' and create the database (merging
+ * iff merge)
+ */
+
+static int
+doit(const char *filename, int merge)
+{
+    krb5_error_code ret;
+    FILE *f;
+    char s[1024];
+    char *p;
+    int line;
+    int flags = O_RDWR;
+    struct entry e;
+    hdb_entry ent;
+    HDB *db = _kadm5_s_get_db(kadm_handle);
+
+    f = fopen(filename, "r");
+    if(f == NULL){
+	krb5_warn(context, errno, "fopen(%s)", filename);
+	return 1;
+    }
+    if(!merge)
+	flags |= O_CREAT | O_TRUNC;
+    ret = db->open(context, db, flags, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	fclose(f);
+	return 1;
+    }
+    line = 0;
+    while(fgets(s, sizeof(s), f)){
+	line++;
+	e.principal = s;
+	for(p = s; *p; p++){
+	    if(*p == '\\')
+		p++;
+	    else if(isspace((unsigned char)*p)) {
+		*p = 0;
+		break;
+	    }
+	}
+	p = skip_next(p);
+	
+	e.key = p;
+	p = skip_next(p);
+
+	e.created = p;
+	p = skip_next(p);
+
+	e.modified = p;
+	p = skip_next(p);
+
+	e.valid_start = p;
+	p = skip_next(p);
+
+	e.valid_end = p;
+	p = skip_next(p);
+
+	e.pw_end = p;
+	p = skip_next(p);
+
+	e.max_life = p;
+	p = skip_next(p);
+
+	e.max_renew = p;
+	p = skip_next(p);
+
+	e.flags = p;
+	p = skip_next(p);
+
+	e.etypes = p;
+	p = skip_next(p);
+
+	memset(&ent, 0, sizeof(ent));
+	ret = krb5_parse_name(context, e.principal, &ent.principal);
+	if(ret) {
+	    fprintf(stderr, "%s:%d:%s (%s)\n", 
+		    filename, 
+		    line,
+		    krb5_get_err_text(context, ret),
+		    e.principal);
+	    continue;
+	}
+	
+	if (parse_keys(&ent, e.key)) {
+	    fprintf (stderr, "%s:%d:error parsing keys (%s)\n",
+		     filename, line, e.key);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	
+	if (parse_event(&ent.created_by, e.created) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing created event (%s)\n",
+		     filename, line, e.created);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_event_alloc (&ent.modified_by, e.modified) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing event (%s)\n",
+		     filename, line, e.modified);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.valid_start);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.valid_end,   e.valid_end) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.valid_end);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.pw_end,      e.pw_end) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.pw_end);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+
+	if (parse_integer_alloc (&ent.max_life,  e.max_life) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
+		     filename, line, e.max_life);
+	    hdb_free_entry (context, &ent);
+	    continue;
+
+	}
+	if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
+		     filename, line, e.max_renew);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+
+	if (parse_hdbflags2int (&ent.flags, e.flags) != 1) {
+	    fprintf (stderr, "%s:%d:error parsing flags (%s)\n",
+		     filename, line, e.flags);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+#if 0
+	ALLOC(ent.etypes);
+	parse_etypes(e.etypes, &ent.etypes->val, &ent.etypes->len);
+	if(ent.etypes->len == 0) {
+	    free(ent.etypes);
+	    ent.etypes = NULL;
+	}
+#endif
+
+	db->store(context, db, HDB_F_REPLACE, &ent);
+	hdb_free_entry (context, &ent);
+    }
+    db->close(context, db);
+    fclose(f);
+    return 0;
+}
+
+int
+load(int argc, char **argv)
+{
+    if(argc < 2){
+	krb5_warnx(context, "Usage: load filename");
+	return 0;
+    }
+    doit(argv[1], 0);
+    return 0;
+}
+
+int
+merge(int argc, char **argv)
+{
+    if(argc < 2){
+	krb5_warnx(context, "Usage: merge filename");
+	return 0;
+    }
+    doit(argv[1], 1);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c
new file mode 100644
index 0000000..48d00a6
--- /dev/null
+++ b/crypto/heimdal/kadmin/mod.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: mod.c,v 1.7 1999/12/02 17:04:58 joda Exp $");
+
+static int parse_args (krb5_context context, kadm5_principal_ent_t ent,
+		       int argc, char **argv, int *optind, char *name,
+		       int *mask);
+
+static int
+parse_args(krb5_context context, kadm5_principal_ent_t ent,
+	    int argc, char **argv, int *optind, char *name,
+	    int *mask)
+{
+    char *attr_str = NULL;
+    char *max_life_str = NULL;
+    char *max_rlife_str = NULL;
+    char *expiration_str = NULL;
+    char *pw_expiration_str = NULL;
+    int ret, i;
+
+    struct getargs args[] = {
+	{"attributes",	'a',	arg_string, NULL, "Attributies",
+	 "attributes"},
+	{"max-ticket-life", 0,	arg_string, NULL, "max ticket lifetime",
+	 "lifetime"},
+	{"max-renewable-life",  0, arg_string,	NULL,
+	 "max renewable lifetime", "lifetime" },
+	{"expiration-time",	0,	arg_string, 
+	 NULL, "Expiration time", "time"},
+	{"pw-expiration-time",  0,	arg_string, 
+	 NULL, "Password expiration time", "time"},
+    };
+
+    i = 0;
+    args[i++].value = &attr_str;
+    args[i++].value = &max_life_str;
+    args[i++].value = &max_rlife_str;
+    args[i++].value = &expiration_str;
+    args[i++].value = &pw_expiration_str;
+
+    *optind = 0; /* XXX */
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), 
+	      argc, argv, optind)){
+	arg_printusage(args, 
+		       sizeof(args) / sizeof(args[0]), 
+		       name ? name : "",
+		       "principal");
+	return -1;
+    }
+    
+    ret = set_entry(context, ent, mask, max_life_str, max_rlife_str, 
+		    expiration_str, pw_expiration_str, attr_str);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+int
+mod_entry(int argc, char **argv)
+{
+    kadm5_principal_ent_rec princ;
+    int mask = 0;
+    krb5_error_code ret;
+    krb5_principal princ_ent = NULL;
+    int optind;
+
+    memset (&princ, 0, sizeof(princ));
+
+    ret = parse_args (context, &princ, argc, argv,
+		      &optind, "mod", &mask);
+    if (ret)
+	return 0;
+
+    argc -= optind;
+    argv += optind;
+    
+    if (argc != 1) {
+	printf ("Usage: mod [options] principal\n");
+	return 0;
+    }
+
+    krb5_parse_name(context, argv[0], &princ_ent);
+
+    if (mask == 0) {
+	memset(&princ, 0, sizeof(princ));
+	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+				  KADM5_PRINCIPAL | KADM5_ATTRIBUTES | 
+				  KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
+				  KADM5_PRINC_EXPIRE_TIME |
+				  KADM5_PW_EXPIRATION);
+	if (ret) {
+	    printf ("no such principal: %s\n", argv[0]);
+	    krb5_free_principal (context, princ_ent);
+	    return 0;
+	}
+	edit_entry(&princ, &mask, NULL, 0);
+
+    } else {
+	princ.principal = princ_ent;
+    }
+
+    ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_modify_principal");
+    if(princ_ent)
+	krb5_free_principal(context, princ_ent);
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/random_password.c b/crypto/heimdal/kadmin/random_password.c
new file mode 100644
index 0000000..aabe08c
--- /dev/null
+++ b/crypto/heimdal/kadmin/random_password.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: random_password.c,v 1.3 1999/12/02 17:04:58 joda Exp $");
+
+/* This file defines some a function that generates a random password,
+   that can be used when creating a large amount of principals (such
+   as for a batch of students). Since this is a political matter, you
+   should think about how secure generated passwords has to be.
+   
+   Both methods defined here will give you at least 55 bits of
+   entropy.
+   */
+
+/* If you want OTP-style passwords, define OTP_STYLE */
+
+#ifdef OTP_STYLE
+#include <otp.h>
+#else
+static void generate_password(char **pw, int num_classes, ...);
+#endif
+
+void
+random_password(char *pw, size_t len)
+{
+#ifdef OTP_STYLE
+    {
+	des_cblock newkey;
+
+	des_new_random_key(&newkey);
+	otp_print_stddict (newkey, pw, len);
+	strlwr(pw);
+    }
+#else
+    char *pass;
+    generate_password(&pass, 3, 
+		      "abcdefghijklmnopqrstuvwxyz", 7, 
+		      "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2, 
+		      "@$%&*()-+=:,/<>1234567890", 1);
+    strlcpy(pw, pass, len);
+    memset(pass, 0, strlen(pass));
+    free(pass);
+#endif
+}
+
+/* some helper functions */
+
+#ifndef OTP_STYLE
+/* return a random value in range 0-127 */
+static int
+RND(des_cblock *key, int *left)
+{
+    if(*left == 0){
+	des_new_random_key(key);
+	*left = 8;
+    }
+    (*left)--;
+    return ((unsigned char*)key)[*left];
+}
+
+/* This a helper function that generates a random password with a
+   number of characters from a set of character classes.
+
+   If there are n classes, and the size of each class is Pi, and the
+   number of characters from each class is Ni, the number of possible
+   passwords are (given that the character classes are disjoint):
+
+     n             n
+   -----        /  ----  \
+   |   |  Ni    |  \     |
+   |   | Pi     |   \  Ni| !
+   |   | ---- * |   /    |
+   |   | Ni!    |  /___  |
+    i=1          \  i=1  /
+   
+    Since it uses the RND function above, neither the size of each
+    class, nor the total length of the generated password should be
+    larger than 127 (without fixing RND).
+   
+   */
+static void
+generate_password(char **pw, int num_classes, ...)
+{
+    struct {
+	const char *str;
+	int len;
+	int freq;
+    } *classes;
+    va_list ap;
+    int len, i;
+    des_cblock rbuf; /* random buffer */
+    int rleft = 0;
+
+    classes = malloc(num_classes * sizeof(*classes));
+    va_start(ap, num_classes);
+    len = 0;
+    for(i = 0; i < num_classes; i++){
+	classes[i].str = va_arg(ap, const char*);
+	classes[i].len = strlen(classes[i].str);
+	classes[i].freq = va_arg(ap, int);
+	len += classes[i].freq;
+    }
+    va_end(ap);
+    *pw = malloc(len + 1);
+    if(*pw == NULL)
+	return;
+    for(i = 0; i < len; i++) {
+	int j;
+	int x = RND(&rbuf, &rleft) % (len - i);
+	int t = 0;
+	for(j = 0; j < num_classes; j++) {
+	    if(x < t + classes[j].freq) {
+		(*pw)[i] = classes[j].str[RND(&rbuf, &rleft) % classes[j].len];
+		classes[j].freq--;
+		break;
+	    }
+	    t += classes[j].freq;
+	}
+    }
+    (*pw)[len] = '\0';
+    memset(rbuf, 0, sizeof(rbuf));
+    free(classes);
+}
+#endif
diff --git a/crypto/heimdal/kadmin/rename.c b/crypto/heimdal/kadmin/rename.c
new file mode 100644
index 0000000..4d8a48e
--- /dev/null
+++ b/crypto/heimdal/kadmin/rename.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: rename.c,v 1.2 1999/12/02 17:04:58 joda Exp $");
+
+int
+rename_entry(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_principal princ1, princ2;
+
+    if(argc != 3){
+	krb5_warnx(context, "rename source target");
+	return 0;
+    }
+    ret = krb5_parse_name(context, argv[1], &princ1);
+    if(ret){
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
+	return 0;
+    }
+    ret = krb5_parse_name(context, argv[2], &princ2);
+    if(ret){
+	krb5_free_principal(context, princ2);
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[2]);
+	return 0;
+    }
+    ret = kadm5_rename_principal(kadm_handle, princ1, princ2);
+    if(ret)
+	krb5_warn(context, ret, "rename");
+    krb5_free_principal(context, princ1);
+    krb5_free_principal(context, princ2);
+    return 0;
+}
+
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
new file mode 100644
index 0000000..d491e46
--- /dev/null
+++ b/crypto/heimdal/kadmin/server.c
@@ -0,0 +1,506 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <krb5-private.h>
+
+RCSID("$Id: server.c,v 1.24 2000/01/02 03:58:45 assar Exp $");
+
+static kadm5_ret_t
+kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
+		 krb5_data *in, krb5_data *out)
+{
+    kadm5_ret_t ret;
+    int32_t cmd, mask, tmp;
+    kadm5_server_context *context = kadm_handle;
+    char client[128], name[128], name2[128];
+    char *op = "";
+    krb5_principal princ, princ2;
+    kadm5_principal_ent_rec ent;
+    char *password, *exp;
+    krb5_keyblock *new_keys;
+    int n_keys;
+    char **princs;
+    int n_princs;
+    krb5_storage *sp;
+    
+    krb5_unparse_name_fixed(context->context, context->caller, 
+			    client, sizeof(client));
+    
+    sp = krb5_storage_from_data(in);
+
+    krb5_ret_int32(sp, &cmd);
+    switch(cmd){
+    case kadm_get:{
+	op = "GET";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    kadm5_store_principal_ent(sp, &ent);
+	    kadm5_free_principal_ent(kadm_handle, &ent);
+	}
+	krb5_free_principal(context->context, princ);
+	break;
+    }
+    case kadm_delete:{
+	op = "DELETE";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_delete_principal(kadm_handle, princ);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_create:{
+	op = "CREATE";
+	ret = kadm5_ret_principal_ent(sp, &ent);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    goto fail;
+	}
+	ret = krb5_ret_string(sp, &password);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, ent.principal, 
+				name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    memset(password, 0, strlen(password));
+	    free(password);
+	    goto fail;
+	}
+	ret = kadm5_create_principal(kadm_handle, &ent, 
+				     mask, password);
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	memset(password, 0, strlen(password));
+	free(password);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_modify:{
+	op = "MODIFY";
+	ret = kadm5_ret_principal_ent(sp, &ent);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    kadm5_free_principal_ent(context, &ent);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, ent.principal, 
+				name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY);
+	if(ret){
+	    kadm5_free_principal_ent(context, &ent);
+	    goto fail;
+	}
+	ret = kadm5_modify_principal(kadm_handle, &ent, mask);
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_rename:{
+	op = "RENAME";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_principal(sp, &princ2);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2));
+	krb5_warnx(context->context, "%s: %s %s -> %s", 
+		   client, op, name, name2);
+	ret = _kadm5_acl_check_permission(context, 
+					  KADM5_PRIV_ADD|KADM5_PRIV_DELETE);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_rename_principal(kadm_handle, princ, princ2);
+	krb5_free_principal(context->context, princ);
+	krb5_free_principal(context->context, princ2);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_chpass:{
+	op = "CHPASS";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_string(sp, &password);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+
+	if(ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal(kadm_handle, princ, password);
+	krb5_free_principal(context->context, princ);
+	memset(password, 0, strlen(password));
+	free(password);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_randkey:{
+	op = "RANDKEY";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+
+	if(ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_randkey_principal(kadm_handle, princ, 
+				      &new_keys, &n_keys);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    int i;
+	    krb5_store_int32(sp, n_keys);
+	    for(i = 0; i < n_keys; i++){
+		krb5_store_keyblock(sp, new_keys[i]);
+		krb5_free_keyblock_contents(context->context, &new_keys[i]);
+	    }
+	}
+	break;
+    }
+    case kadm_get_privs:{
+	ret = kadm5_get_privs(kadm_handle, &mask);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0)
+	    krb5_store_int32(sp, mask);
+	break;
+    }
+    case kadm_get_princs:{
+	op = "LIST";
+	ret = krb5_ret_int32(sp, &tmp);
+	if(ret)
+	    goto fail;
+	if(tmp){
+	    ret = krb5_ret_string(sp, &exp);
+	    if(ret)
+		goto fail;
+	}else
+	    exp = NULL;
+	krb5_warnx(context->context, "%s: %s %s", client, op, exp ? exp : "*");
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST);
+	if(ret){
+	    free(exp);
+	    goto fail;
+	}
+	ret = kadm5_get_principals(kadm_handle, exp, &princs, &n_princs);
+	free(exp);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    int i;
+	    krb5_store_int32(sp, n_princs);
+	    for(i = 0; i < n_princs; i++)
+		krb5_store_string(sp, princs[i]);
+	    kadm5_free_name_list(kadm_handle, princs, &n_princs);
+	}
+	break;
+    }
+    default:
+	krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, KADM5_FAILURE);
+	break;
+    }
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+    return 0;
+fail:
+    krb5_warn(context->context, ret, "%s", op);
+    sp->seek(sp, 0, SEEK_SET);
+    krb5_store_int32(sp, ret);
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+    return 0;
+}
+
+static void
+v5_loop (krb5_context context,
+	 krb5_auth_context ac,
+	 krb5_boolean initial,
+	 void *kadm_handle,
+	 int fd)
+{
+    krb5_error_code ret;
+    ssize_t n;
+    unsigned long len;
+    u_char tmp[4];
+    struct iovec iov[2];
+    krb5_data in, out, msg, reply;
+
+    for (;;) {
+	n = krb5_net_read(context, &fd, tmp, 4);
+	if (n < 0)
+	    krb5_err (context, 1, errno, "krb5_net_read");
+	if (n == 0)
+	    exit (0);
+	_krb5_get_int (tmp, &len, 4);
+
+	ret = krb5_data_alloc(&in, len);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_data_alloc");
+
+	n = krb5_net_read(context, &fd, in.data, in.length);
+	if (n == 0)
+	    exit (0);
+	if(n < 0)
+	    krb5_errx(context, 1, "read error: %d", errno);
+	ret = krb5_rd_priv(context, ac, &in, &out, NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_rd_priv");
+	krb5_data_free(&in);
+	kadmind_dispatch(kadm_handle, initial, &out, &msg);
+	krb5_data_free(&out);
+	ret = krb5_mk_priv(context, ac, &msg, &reply, NULL);
+	krb5_data_free(&msg);
+	if(ret) 
+	    krb5_err(context, 1, ret, "krb5_mk_priv");
+
+	_krb5_put_int(tmp, reply.length, 4);
+
+	iov[0].iov_base = tmp;
+	iov[0].iov_len  = 4;
+	iov[1].iov_base = reply.data;
+	iov[1].iov_len  = reply.length;
+	n = writev(fd, iov, 2);
+	krb5_data_free(&reply);
+	if(n < 0)
+	    krb5_err(context, 1, errno, "writev");
+	if(n < iov[0].iov_len + iov[1].iov_len)
+	    krb5_errx(context, 1, "short write");
+    }
+}
+
+static krb5_boolean
+match_appl_version(void *data, const char *appl_version)
+{
+    unsigned minor;
+    if(sscanf(appl_version, "KADM0.%u", &minor) != 1)
+	return 0;
+    *(unsigned*)data = minor;
+    return 1;
+}
+
+static void
+handle_v5(krb5_context context,
+	  krb5_auth_context ac,
+	  krb5_keytab keytab,
+	  int len,
+	  int fd)
+{
+    krb5_error_code ret;
+    u_char version[sizeof(KRB5_SENDAUTH_VERSION)];
+    krb5_ticket *ticket;
+    krb5_principal server;
+    char *client;
+    void *kadm_handle;
+    ssize_t n;
+    krb5_boolean initial;
+
+    unsigned kadm_version;
+    kadm5_config_params realm_params;
+
+    if (len != sizeof(KRB5_SENDAUTH_VERSION))
+	krb5_errx(context, 1, "bad sendauth len %d", len);
+    n = krb5_net_read(context, &fd, version, len);
+    if (n < 0)
+	krb5_err (context, 1, errno, "reading sendauth version");
+    if (n == 0)
+	krb5_errx (context, 1, "EOF reading sendauth version");
+    if(memcmp(version, KRB5_SENDAUTH_VERSION, len) != 0)
+	krb5_errx(context, 1, "bad sendauth version %.8s", version);
+	
+    ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", KADM5_ADMIN_SERVICE);
+    ret = krb5_recvauth_match_version(context, &ac, &fd, 
+				      match_appl_version, &kadm_version,
+				      server, KRB5_RECVAUTH_IGNORE_VERSION, 
+				      keytab, &ticket);
+    if(ret == KRB5_KT_NOTFOUND) {
+	char *name;
+	krb5_unparse_name(context, server, &name);
+	krb5_errx(context, 1, "krb5_recvauth: %s (%s)", 
+		  krb5_get_err_text(context, ret),
+		  name);
+    }
+    krb5_free_principal(context, server);
+	    
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_recvauth");
+
+    memset(&realm_params, 0, sizeof(realm_params));
+
+    if(kadm_version == 1) {
+	krb5_data enc_data, params;
+	ret = krb5_read_message(context, &fd, &enc_data);
+	ret = krb5_rd_priv(context, ac, &enc_data, &params, NULL);
+	krb5_data_free(&enc_data);
+	_kadm5_unmarshal_params(context, &params, &realm_params);
+    }
+
+    initial = ticket->ticket.flags.initial;
+    ret = krb5_unparse_name(context, ticket->client, &client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+    krb5_free_ticket (context, ticket);
+    ret = kadm5_init_with_password_ctx(context, 
+				       client, 
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &realm_params, 
+				       0, 0, 
+				       &kadm_handle);
+    if(ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+    v5_loop (context, ac, initial, kadm_handle, fd);
+}
+
+krb5_error_code
+kadmind_loop(krb5_context context,
+	     krb5_auth_context ac,
+	     krb5_keytab keytab, 
+	     int fd)
+{
+    unsigned char tmp[4];
+    ssize_t n;
+    unsigned long len;
+
+    n = krb5_net_read(context, &fd, tmp, 4);
+    if(n == 0)
+	exit(0);
+    if(n < 0)
+	krb5_errx(context, 1, "read error: %d", errno);
+    _krb5_get_int(tmp, &len, 4);
+    if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
+	len >>= 16;
+#ifdef KRB4
+	handle_v4(context, len, fd);
+#else
+	krb5_errx(context, 1, "packet appears to be version 4");
+#endif
+    } else {
+	handle_v5(context, ac, keytab, len, fd);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c
new file mode 100644
index 0000000..f30c8c5
--- /dev/null
+++ b/crypto/heimdal/kadmin/util.c
@@ -0,0 +1,520 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <parse_units.h>
+
+RCSID("$Id: util.c,v 1.23 1999/12/02 17:04:58 joda Exp $");
+
+/*
+ * util.c - functions for parsing, unparsing, and editing different
+ * types of data used in kadmin.
+ */
+
+/*
+ * attributes 
+ */
+
+struct units kdb_attrs[] = {
+    { "new-princ",		KRB5_KDB_NEW_PRINC },
+    { "support-desmd5",		KRB5_KDB_SUPPORT_DESMD5 },
+    { "pwchange-service",	KRB5_KDB_PWCHANGE_SERVICE },
+    { "disallow-svr",		KRB5_KDB_DISALLOW_SVR },
+    { "requires-pw-change",	KRB5_KDB_REQUIRES_PWCHANGE },
+    { "requires-hw-auth",	KRB5_KDB_REQUIRES_HW_AUTH },
+    { "requires-pre-auth",	KRB5_KDB_REQUIRES_PRE_AUTH },
+    { "disallow-all-tix",	KRB5_KDB_DISALLOW_ALL_TIX },
+    { "disallow-dup-skey",	KRB5_KDB_DISALLOW_DUP_SKEY },
+    { "disallow-proxiable",	KRB5_KDB_DISALLOW_PROXIABLE },
+    { "disallow-renewable",	KRB5_KDB_DISALLOW_RENEWABLE },
+    { "disallow-tgt-based",	KRB5_KDB_DISALLOW_TGT_BASED },
+    { "disallow-forwardable",	KRB5_KDB_DISALLOW_FORWARDABLE },
+    { "disallow-postdated",	KRB5_KDB_DISALLOW_POSTDATED },
+    { NULL }
+};
+
+/*
+ * convert the attributes in `attributes' into a printable string
+ * in `str, len'
+ */
+
+void
+attributes2str(krb5_flags attributes, char *str, size_t len)
+{
+    unparse_flags (attributes, kdb_attrs, str, len);
+}
+
+/*
+ * convert the string in `str' into attributes in `flags'
+ * return 0 if parsed ok, else -1.
+ */
+
+int
+str2attributes(const char *str, krb5_flags *flags)
+{
+    int res;
+
+    res = parse_flags (str, kdb_attrs, *flags);
+    if (res < 0)
+	return res;
+    else {
+	*flags = res;
+	return 0;
+    }
+}
+
+/*
+ * try to parse the string `resp' into attributes in `attr', also
+ * setting the `bit' in `mask' if attributes are given and valid.
+ */
+
+int
+parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit)
+{
+    krb5_flags tmp = *attr;
+
+    if (resp[0] == '\0')
+	return 0;
+    else if (str2attributes(resp, &tmp) == 0) {
+	*attr = tmp;
+	if (mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	print_flags_table (kdb_attrs, stderr);
+    } else {
+	fprintf (stderr, "Unable to parse '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the attributes in `attr', prompting with `prompt'
+ */
+
+int
+edit_attributes (const char *prompt, krb5_flags *attr, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    attributes2str(*attr, buf, sizeof(buf));
+    for (;;) {
+	get_response("Attributes", buf, resp, sizeof(resp));
+	if (parse_attributes (resp, attr, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * time_t
+ * the special value 0 means ``never''
+ */
+
+/*
+ * Convert the time `t' to a string representation in `str' (of max
+ * size `len').  If include_time also include time, otherwise just
+ * date.  
+ */
+
+void
+time_t2str(time_t t, char *str, size_t len, int include_time)
+{
+    if(t) {
+	if(include_time)
+	    strftime(str, len, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t));
+	else
+	    strftime(str, len, "%Y-%m-%d", gmtime(&t));
+    } else
+	snprintf(str, len, "never");
+}
+
+/*
+ * Convert the time representation in `str' to a time in `time'.
+ * Return 0 if succesful, else -1.
+ */
+
+int
+str2time_t (const char *str, time_t *time)
+{
+    const char *p;
+    struct tm tm;
+
+    memset (&tm, 0, sizeof (tm));
+
+    if(strcasecmp(str, "never") == 0) {
+	*time = 0;
+	return 0;
+    }
+
+    p = strptime (str, "%Y-%m-%d", &tm);
+
+    if (p == NULL)
+	return -1;
+
+    /* Do it on the end of the day */
+    tm.tm_hour = 23;
+    tm.tm_min  = 59;
+    tm.tm_sec  = 59;
+
+    strptime (p, "%H:%M:%S", &tm);
+
+    *time = tm2time (tm, 0);
+    return 0;
+}
+
+/*
+ * try to parse the time in `resp' storing it in `value'
+ */
+
+int
+parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit)
+{
+    time_t tmp;
+
+    if (str2time_t(resp, &tmp) == 0) {
+	*value = tmp;
+	if(mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n");
+    } else {
+	fprintf (stderr, "Unable to parse time '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the time in `value'
+ */
+
+int
+edit_timet (const char *prompt, krb5_timestamp *value, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    time_t2str (*value, buf, sizeof (buf), 0);
+
+    for (;;) {
+	get_response(prompt, buf, resp, sizeof(resp));
+	if (parse_timet (resp, value, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * deltat
+ * the special value 0 means ``unlimited''
+ */
+
+/*
+ * convert the delta_t value in `t' into a printable form in `str, len'
+ */
+
+void
+deltat2str(unsigned t, char *str, size_t len)
+{
+    if(t)
+	unparse_time(t, str, len);
+    else
+	snprintf(str, len, "unlimited");
+}
+
+/*
+ * parse the delta value in `str', storing result in `*delta'
+ * return 0 if ok, else -1
+ */
+
+int
+str2deltat(const char *str, krb5_deltat *delta)
+{
+    int res;
+
+    if(strcasecmp(str, "unlimited") == 0) {
+	*delta = 0;
+	return 0;
+    }
+    res = parse_time(str, "day");
+    if (res < 0)
+	return res;
+    else {
+	*delta = res;
+	return 0;
+    }
+}
+
+/*
+ * try to parse the string in `resp' into a deltad in `value'
+ * `mask' will get the bit `bit' set if a value was given.
+ */
+
+int
+parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit)
+{
+    krb5_deltat tmp;
+
+    if (str2deltat(resp, &tmp) == 0) {
+	*value = tmp;
+	if (mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	print_time_table (stderr);
+    } else {
+	fprintf (stderr, "Unable to parse time '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the deltat in `value'
+ */
+
+int
+edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    deltat2str(*value, buf, sizeof(buf));
+    for (;;) {
+	get_response(prompt, buf, resp, sizeof(resp));
+	if (parse_deltat (resp, value, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * allow the user to edit `ent'
+ */
+
+int
+edit_entry(kadm5_principal_ent_t ent, int *mask,
+	   kadm5_principal_ent_t default_ent, int default_mask)
+{
+    if (default_ent && (default_mask & KADM5_MAX_LIFE))
+	ent->max_life = default_ent->max_life;
+    edit_deltat ("Max ticket life", &ent->max_life, mask,
+		 KADM5_MAX_LIFE);
+
+    if (default_ent && (default_mask & KADM5_MAX_RLIFE))
+	ent->max_renewable_life = default_ent->max_renewable_life;
+    edit_deltat ("Max renewable life", &ent->max_renewable_life, mask,
+		 KADM5_MAX_RLIFE);
+
+    if (default_ent && (default_mask & KADM5_PRINC_EXPIRE_TIME))
+	ent->princ_expire_time = default_ent->princ_expire_time;
+    edit_timet ("Principal expiration time", &ent->princ_expire_time, mask,
+	       KADM5_PRINC_EXPIRE_TIME);
+
+    if (default_ent && (default_mask & KADM5_PW_EXPIRATION))
+	ent->pw_expiration = default_ent->pw_expiration;
+    edit_timet ("Password expiration time", &ent->pw_expiration, mask,
+	       KADM5_PW_EXPIRATION);
+
+    if (default_ent && (default_mask & KADM5_ATTRIBUTES))
+	ent->attributes = default_ent->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX;
+    edit_attributes ("Attributes", &ent->attributes, mask,
+		     KADM5_ATTRIBUTES);
+    return 0;
+}
+
+/*
+ * Parse the arguments, set the fields in `ent' and the `mask' for the
+ * entries having been set.
+ * Return 1 on failure and 0 on success.
+ */
+
+int
+set_entry(krb5_context context,
+	  kadm5_principal_ent_t ent,
+	  int *mask,
+	  const char *max_ticket_life,
+	  const char *max_renewable_life,
+	  const char *expiration,
+	  const char *pw_expiration,
+	  const char *attributes)
+{
+    if (max_ticket_life != NULL) {
+	if (parse_deltat (max_ticket_life, &ent->max_life, 
+			  mask, KADM5_MAX_LIFE)) {
+	    krb5_warnx (context, "unable to parse `%s'", max_ticket_life);
+	    return 1;
+	}
+    }
+    if (max_renewable_life != NULL) {
+	if (parse_deltat (max_renewable_life, &ent->max_renewable_life, 
+			  mask, KADM5_MAX_RLIFE)) {
+	    krb5_warnx (context, "unable to parse `%s'", max_renewable_life);
+	    return 1;
+	}
+    }
+
+    if (expiration) {
+	if (parse_timet (expiration, &ent->princ_expire_time, 
+			mask, KADM5_PRINC_EXPIRE_TIME)) {
+	    krb5_warnx (context, "unable to parse `%s'", expiration);
+	    return 1;
+	}
+    }
+    if (pw_expiration) {
+	if (parse_timet (pw_expiration, &ent->pw_expiration, 
+			 mask, KADM5_PW_EXPIRATION)) {
+	    krb5_warnx (context, "unable to parse `%s'", pw_expiration);
+	    return 1;
+	}
+    }
+    if (attributes != NULL) {
+	if (parse_attributes (attributes, &ent->attributes, 
+			      mask, KADM5_ATTRIBUTES)) {
+	    krb5_warnx (context, "unable to parse `%s'", attributes);
+	    return 1;
+	}
+    }
+    return 0;
+}
+
+/*
+ * Does `string' contain any globing characters?
+ */
+
+static int
+is_expression(const char *string)
+{
+    const char *p;
+    int quote = 0;
+
+    for(p = string; *p; p++) {
+	if(quote) {
+	    quote = 0;
+	    continue;
+	}
+	if(*p == '\\')
+	    quote++;
+	else if(strchr("[]*?", *p) != NULL) 
+	    return 1;
+    }
+    return 0;
+}
+
+/* loop over all principals matching exp */
+int
+foreach_principal(const char *exp, 
+		  int (*func)(krb5_principal, void*), 
+		  void *data)
+{
+    char **princs;
+    int num_princs;
+    int i;
+    krb5_error_code ret;
+    krb5_principal princ_ent;
+    int is_expr;
+
+    /* if this isn't an expression, there is no point in wading
+       through the whole database looking for matches */
+    is_expr = is_expression(exp);
+    if(is_expr)
+	ret = kadm5_get_principals(kadm_handle, exp, &princs, &num_princs);
+    if(!is_expr || ret == KADM5_AUTH_LIST) {
+	/* we might be able to perform the requested opreration even
+           if we're not allowed to list principals */
+	num_princs = 1;
+	princs = malloc(sizeof(*princs));
+	if(princs == NULL)
+	    return ENOMEM;
+	princs[0] = strdup(exp);
+	if(princs[0] == NULL){ 
+	    free(princs);
+	    return ENOMEM;
+	}
+    } else if(ret) {
+	krb5_warn(context, ret, "kadm5_get_principals");
+	return ret;
+    }
+    for(i = 0; i < num_princs; i++) {
+	ret = krb5_parse_name(context, princs[i], &princ_ent);
+	if(ret){
+	    krb5_warn(context, ret, "krb5_parse_name(%s)", princs[i]);
+	    continue;
+	}
+	ret = (*func)(princ_ent, data);
+	if(ret) {
+	    char *tmp;
+	    krb5_error_code ret2;
+
+	    ret2 = krb5_unparse_name(context, princ_ent, &tmp);
+	    if(ret2) {
+		krb5_warn(context, ret2, "krb5_unparse_name");
+		krb5_warn(context, ret, "<unknown principal>");
+	    } else {
+		krb5_warn(context, ret, "%s", tmp);
+		free(tmp);
+	    }
+	}
+	krb5_free_principal(context, princ_ent);
+    }
+    kadm5_free_name_list(kadm_handle, princs, &num_princs);
+    return 0;
+}
+
+/*
+ * prompt with `prompt' and default value `def', and store the reply
+ * in `buf, len'
+ */
+
+void
+get_response(const char *prompt, const char *def, char *buf, size_t len)
+{
+    char *p;
+
+    printf("%s [%s]:", prompt, def);
+    if(fgets(buf, len, stdin) == NULL)
+	*buf = '\0';
+    p = strchr(buf, '\n');
+    if(p)
+	*p = '\0';
+    if(strcmp(buf, "") == 0)
+	strncpy(buf, def, len);
+    buf[len-1] = 0;
+}
diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c
new file mode 100644
index 0000000..77ac029
--- /dev/null
+++ b/crypto/heimdal/kadmin/version4.c
@@ -0,0 +1,985 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadmin_locl.h"
+#include <krb5-private.h>
+
+#define Principal krb4_Principal
+#define kadm_get krb4_kadm_get
+#undef ALLOC
+#include <krb.h>
+#include <kadm.h>
+#include <krb_err.h>
+#include <kadm_err.h>
+
+RCSID("$Id: version4.c,v 1.16 1999/11/25 22:32:47 assar Exp $");
+
+#define KADM_NO_OPCODE -1
+#define KADM_NO_ENCRYPT -2
+
+/*
+ * make an error packet if we fail encrypting
+ */
+
+static void
+make_you_loose_packet(int code, krb5_data *reply)
+{
+    krb5_data_alloc(reply, KADM_VERSIZE + 4);
+    memcpy(reply->data, KADM_ULOSE, KADM_VERSIZE);
+    _krb5_put_int((char*)reply->data + KADM_VERSIZE, code, 4);
+}
+
+static int
+ret_fields(krb5_storage *sp, char *fields)
+{
+    return sp->fetch(sp, fields, FLDSZ);
+}
+
+static int
+store_fields(krb5_storage *sp, char *fields)
+{
+    return sp->store(sp, fields, FLDSZ);
+}
+
+static void
+ret_vals(krb5_storage *sp, Kadm_vals *vals)
+{
+    int field;
+    char *tmp_string;
+
+    memset(vals, 0, sizeof(*vals));
+    
+    ret_fields(sp, vals->fields);
+    
+    for(field = 31; field >= 0; field--) {
+	if(IS_FIELD(field, vals->fields)) {
+	    switch(field) {
+	    case KADM_NAME:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->name, tmp_string, sizeof(vals->name));
+		free(tmp_string);
+		break;
+	    case KADM_INST:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->instance, tmp_string, 
+				sizeof(vals->instance));
+		free(tmp_string);
+		break;
+	    case KADM_EXPDATE:
+		krb5_ret_int32(sp, &vals->exp_date);
+		break;
+	    case KADM_ATTR:
+		krb5_ret_int16(sp, &vals->attributes);
+		break;
+	    case KADM_MAXLIFE:
+		krb5_ret_int8(sp, &vals->max_life);
+		break;
+	    case KADM_DESKEY:
+		krb5_ret_int32(sp, &vals->key_high);
+		krb5_ret_int32(sp, &vals->key_low);
+		break;
+#ifdef EXTENDED_KADM
+	    case KADM_MODDATE:
+		krb5_ret_int32(sp, &vals->mod_date);
+		break;
+	    case KADM_MODNAME:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->mod_name, tmp_string, 
+				sizeof(vals->mod_name));
+		free(tmp_string);
+		break;
+	    case KADM_MODINST:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->mod_instance, tmp_string, 
+				sizeof(vals->mod_instance));
+		free(tmp_string);
+		break;
+	    case KADM_KVNO:
+		krb5_ret_int8(sp, &vals->key_version);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+}
+
+static void
+store_vals(krb5_storage *sp, Kadm_vals *vals)
+{
+    int field;
+    
+    store_fields(sp, vals->fields);
+
+    for(field = 31; field >= 0; field--) {
+	if(IS_FIELD(field, vals->fields)) {
+	    switch(field) {
+	    case KADM_NAME:
+		krb5_store_stringz(sp, vals->name);
+		break;
+	    case KADM_INST:
+		krb5_store_stringz(sp, vals->instance);
+		break;
+	    case KADM_EXPDATE:
+		krb5_store_int32(sp, vals->exp_date);
+		break;
+	    case KADM_ATTR:
+		krb5_store_int16(sp, vals->attributes);
+		break;
+	    case KADM_MAXLIFE:
+		krb5_store_int8(sp, vals->max_life);
+		break;
+	    case KADM_DESKEY:
+		krb5_store_int32(sp, vals->key_high);
+		krb5_store_int32(sp, vals->key_low);
+		break;
+#ifdef EXTENDED_KADM
+	    case KADM_MODDATE:
+		krb5_store_int32(sp, vals->mod_date);
+		break;
+	    case KADM_MODNAME:
+		krb5_store_stringz(sp, vals->mod_name);
+		break;
+	    case KADM_MODINST:
+		krb5_store_stringz(sp, vals->mod_instance);
+		break;
+	    case KADM_KVNO:
+		krb5_store_int8(sp, vals->key_version);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+}
+
+static int
+flags_4_to_5(char *flags)
+{
+    int i;
+    int32_t mask = 0;
+    for(i = 31; i >= 0; i--) {
+	if(IS_FIELD(i, flags))
+	    switch(i) {
+	    case KADM_NAME:
+	    case KADM_INST:
+		mask |= KADM5_PRINCIPAL;
+	    case KADM_EXPDATE:
+		mask |= KADM5_PW_EXPIRATION;
+	    case KADM_MAXLIFE:
+		mask |= KADM5_MAX_LIFE;
+#ifdef EXTENDED_KADM
+	    case KADM_KVNO:
+		mask |= KADM5_KEY_DATA;
+	    case KADM_MODDATE:
+		mask |= KADM5_MOD_TIME;
+	    case KADM_MODNAME:
+	    case KADM_MODINST:
+		mask |= KADM5_MOD_NAME;
+#endif
+	    }
+    }
+    return mask;
+}
+
+static void
+ent_to_values(krb5_context context,
+	      kadm5_principal_ent_t ent,
+	      int32_t mask,
+	      Kadm_vals *vals)
+{
+    krb5_error_code ret;
+    char realm[REALM_SZ];
+
+    memset(vals, 0, sizeof(*vals));
+    if(mask & KADM5_PRINCIPAL) {
+	ret = krb5_524_conv_principal(context, ent->principal, 
+				      vals->name, vals->instance, realm);
+	SET_FIELD(KADM_NAME, vals->fields);
+	SET_FIELD(KADM_INST, vals->fields);
+    }
+    if(mask & KADM5_PW_EXPIRATION) {
+	time_t exp = 0;
+	if(ent->princ_expire_time != 0)
+	    exp = ent->princ_expire_time;
+	if(ent->pw_expiration != 0 && (exp == 0 || exp > ent->pw_expiration))
+	    exp = ent->pw_expiration;
+	if(exp) {
+	    vals->exp_date = exp;
+	    SET_FIELD(KADM_EXPDATE, vals->fields);
+	}
+    }
+    if(mask & KADM5_MAX_LIFE) {
+	if(ent->max_life == 0)
+	    vals->max_life = 255;
+	else
+	    vals->max_life = krb_time_to_life(0, ent->max_life);
+	SET_FIELD(KADM_MAXLIFE, vals->fields);
+    }
+    if(mask & KADM5_KEY_DATA) {
+	if(ent->n_key_data > 0) {
+#ifdef EXTENDED_KADM
+	vals->key_version = ent->key_data[0].key_data_kvno;
+	SET_FIELD(KADM_KVNO, vals->fields);
+#endif
+	}
+	/* XXX the key itself? */
+    }
+#ifdef EXTENDED_KADM
+    if(mask & KADM5_MOD_TIME) {
+	vals->mod_date = ent->mod_date;
+	SET_FIELD(KADM_MODDATE, vals->fields);
+    }
+    if(mask & KADM5_MOD_NAME) {
+	krb5_524_conv_principal(context, ent->mod_name, 
+				vals->mod_name, vals->mod_instance, realm);
+	SET_FIELD(KADM_MODNAME, vals->fields);
+	SET_FIELD(KADM_MODINST, vals->fields);
+    }
+#endif
+}
+
+/*
+ * convert the kadm4 values in `vals' to `ent' (and `mask')
+ */
+
+static krb5_error_code
+values_to_ent(krb5_context context,
+	      Kadm_vals *vals, 
+	      kadm5_principal_ent_t ent,
+	      int32_t *mask)
+{
+    krb5_error_code ret;
+    *mask = 0;
+    memset(ent, 0, sizeof(*ent));
+    
+    if(IS_FIELD(KADM_NAME, vals->fields)) {
+	char *inst = NULL;
+	if(IS_FIELD(KADM_INST, vals->fields))
+	    inst = vals->instance;
+	ret = krb5_425_conv_principal(context, 
+				      vals->name,
+				      inst,
+				      NULL,
+				      &ent->principal);
+	if(ret)
+	    return ret;
+	*mask |= KADM5_PRINCIPAL;
+    }
+    if(IS_FIELD(KADM_EXPDATE, vals->fields)) {
+	ent->pw_expiration = vals->exp_date;
+	*mask |= KADM5_PW_EXPIRATION;
+    }
+    if(IS_FIELD(KADM_MAXLIFE, vals->fields)) {
+	ent->max_life = krb_life_to_time(0, vals->max_life);
+	*mask |= KADM5_MAX_LIFE;
+    }
+    
+    if(IS_FIELD(KADM_DESKEY, vals->fields)) {
+	int i;
+	ent->key_data = calloc(3, sizeof(*ent->key_data));
+	if(ent->key_data == NULL)
+	    return ENOMEM;
+	for(i = 0; i < 3; i++) {
+	    u_int32_t key_low, key_high;
+
+	    ent->key_data[i].key_data_ver = 2;
+#ifdef EXTENDED_KADM
+	    if(IS_FIELD(KADM_KVNO, vals->fields))
+		ent->key_data[i].key_data_kvno = vals->key_version;
+#endif
+	    ent->key_data[i].key_data_type[0] = ETYPE_DES_CBC_MD5;
+	    ent->key_data[i].key_data_length[0] = 8;
+	    if((ent->key_data[i].key_data_contents[0] = malloc(8)) == NULL)
+		return ENOMEM;
+
+	    key_low  = ntohl(vals->key_low);
+	    key_high = ntohl(vals->key_high);
+	    memcpy(ent->key_data[i].key_data_contents[0],
+		   &key_low, 4);
+	    memcpy((char*)ent->key_data[i].key_data_contents[0] + 4,
+		   &key_high, 4);
+	    ent->key_data[i].key_data_type[1] = KRB5_PW_SALT;
+	    ent->key_data[i].key_data_length[1] = 0;
+	    ent->key_data[i].key_data_contents[1] = NULL;
+	}
+	ent->key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+	ent->key_data[2].key_data_type[0] = ETYPE_DES_CBC_CRC;
+	ent->n_key_data = 3;
+	*mask |= KADM5_KEY_DATA;
+    }
+    
+#ifdef EXTENDED_KADM
+    if(IS_FIELD(KADM_MODDATE, vals->fields)) {
+	ent->mod_date = vals->mod_date;
+	*mask |= KADM5_MOD_TIME;
+    }
+    if(IS_FIELD(KADM_MODNAME, vals->fields)) {
+	char *inst = NULL;
+	if(IS_FIELD(KADM_MODINST, vals->fields))
+	    inst = vals->mod_instance;
+	ret = krb5_425_conv_principal(context, 
+				      vals->mod_name,
+				      inst,
+				      NULL,
+				      &ent->mod_name);
+	if(ret)
+	    return ret;
+	*mask |= KADM5_MOD_NAME;
+    }
+#endif
+    return 0;
+}
+
+/*
+ * Try to translate a KADM5 error code into a v4 kadmin one.
+ */
+
+static int
+error_code(int ret)
+{
+    switch (ret) {
+    case 0:
+	return 0;
+    case KADM5_FAILURE :
+    case KADM5_AUTH_GET :
+    case KADM5_AUTH_ADD :
+    case KADM5_AUTH_MODIFY :
+    case KADM5_AUTH_DELETE :
+    case KADM5_AUTH_INSUFFICIENT :
+	return KADM_UNAUTH;
+    case KADM5_BAD_DB :
+	return KADM_UK_RERROR;
+    case KADM5_DUP :
+	return KADM_INUSE;
+    case KADM5_RPC_ERROR :
+    case KADM5_NO_SRV :
+	return KADM_NO_SERV;
+    case KADM5_NOT_INIT :
+	return KADM_NO_CONN;
+    case KADM5_UNK_PRINC :
+	return KADM_NOENTRY;
+    case KADM5_PASS_Q_TOOSHORT :
+#ifdef KADM_PASS_Q_TOOSHORT
+	return KADM_PASS_Q_TOOSHORT;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_Q_CLASS :
+#ifdef KADM_PASS_Q_CLASS
+	return KADM_PASS_Q_CLASS;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_Q_DICT :
+#ifdef KADM_PASS_Q_DICT
+	return KADM_PASS_Q_DICT;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_REUSE :
+    case KADM5_PASS_TOOSOON :
+    case KADM5_BAD_PASSWORD :
+	return KADM_INSECURE_PW;
+    case KADM5_PROTECT_PRINCIPAL :
+	return KADM_IMMUTABLE;
+    case KADM5_POLICY_REF :
+    case KADM5_INIT :
+    case KADM5_BAD_HIST_KEY :
+    case KADM5_UNK_POLICY :
+    case KADM5_BAD_MASK :
+    case KADM5_BAD_CLASS :
+    case KADM5_BAD_LENGTH :
+    case KADM5_BAD_POLICY :
+    case KADM5_BAD_PRINCIPAL :
+    case KADM5_BAD_AUX_ATTR :
+    case KADM5_BAD_HISTORY :
+    case KADM5_BAD_MIN_PASS_LIFE :
+    case KADM5_BAD_SERVER_HANDLE :
+    case KADM5_BAD_STRUCT_VERSION :
+    case KADM5_OLD_STRUCT_VERSION :
+    case KADM5_NEW_STRUCT_VERSION :
+    case KADM5_BAD_API_VERSION :
+    case KADM5_OLD_LIB_API_VERSION :
+    case KADM5_OLD_SERVER_API_VERSION :
+    case KADM5_NEW_LIB_API_VERSION :
+    case KADM5_NEW_SERVER_API_VERSION :
+    case KADM5_SECURE_PRINC_MISSING :
+    case KADM5_NO_RENAME_SALT :
+    case KADM5_BAD_CLIENT_PARAMS :
+    case KADM5_BAD_SERVER_PARAMS :
+    case KADM5_AUTH_LIST :
+    case KADM5_AUTH_CHANGEPW :
+    case KADM5_BAD_TL_TYPE :
+    case KADM5_MISSING_CONF_PARAMS :
+    case KADM5_BAD_SERVER_NAME :
+    default :
+	return KADM_UNAUTH;	/* XXX */
+    }
+}
+
+/*
+ * server functions
+ */
+
+static int
+kadm_ser_cpw(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    char key[8];
+    char *password = NULL;
+    krb5_error_code ret;
+    
+    krb5_warnx(context, "v4-compat %s: cpw %s",
+	       principal_string, principal_string); 
+
+    ret = message->fetch(message, key + 4, 4);
+    ret = message->fetch(message, key, 4);
+    ret = krb5_ret_stringz(message, &password);
+    
+    if(password) {
+	krb5_data pwd_data;
+	const char *tmp;
+
+	pwd_data.data   = password;
+	pwd_data.length = strlen(password);
+
+	tmp = kadm5_check_password_quality (context, principal, &pwd_data);
+
+	if (tmp != NULL) {
+	    krb5_store_stringz (reply, (char *)tmp);
+	    ret = KADM5_PASS_Q_DICT;
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal(kadm_handle, principal, password);
+    } else {
+	krb5_key_data key_data[3];
+	int i;
+	for(i = 0; i < 3; i++) {
+	    key_data[i].key_data_ver = 2;
+	    key_data[i].key_data_kvno = 0;
+	    /* key */
+	    key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC;
+	    key_data[i].key_data_length[0] = 8;
+	    key_data[i].key_data_contents[0] = malloc(8);
+	    memcpy(key_data[i].key_data_contents[0], &key, 8);
+	    /* salt */
+	    key_data[i].key_data_type[1] = KRB5_PW_SALT;
+	    key_data[i].key_data_length[1] = 0;
+	    key_data[i].key_data_contents[1] = NULL;
+	}
+	key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5;
+	key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+	ret = kadm5_s_chpass_principal_with_key(kadm_handle, 
+						principal, 3, key_data);
+    }
+
+    if(ret != 0) {
+	krb5_store_stringz(reply, (char*)krb5_get_err_text(context, ret));
+	goto fail;
+    }
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat cpw");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_add(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    int32_t mask;
+    kadm5_principal_ent_rec ent, out;
+    Kadm_vals values;
+    krb5_error_code ret;
+    char name[128];
+
+    ret_vals(message, &values);
+
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: add %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	goto fail;
+    }
+
+    mask = KADM5_PRINCIPAL | KADM5_PW_EXPIRATION | KADM5_MAX_LIFE |
+	KADM5_KEY_DATA | KADM5_MOD_TIME | KADM5_MOD_NAME;
+    
+    kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    ent_to_values(context, &out, mask, &values);
+    kadm5_free_principal_ent(kadm_handle, &ent);
+    kadm5_free_principal_ent(kadm_handle, &out);
+    store_vals(reply, &values);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat add");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_get(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    krb5_error_code ret;
+    Kadm_vals values;
+    kadm5_principal_ent_rec ent, out;
+    int32_t mask;
+    char flags[FLDSZ];
+    char name[128];
+
+    ret_vals(message, &values);
+    /* XXX BRAIN DAMAGE! these flags are not stored in the same order
+       as in the header */
+    krb5_ret_int8(message, &flags[3]);
+    krb5_ret_int8(message, &flags[2]);
+    krb5_ret_int8(message, &flags[1]);
+    krb5_ret_int8(message, &flags[0]);
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: get %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET);
+    if (ret)
+	goto fail;
+
+    mask = flags_4_to_5(flags);
+
+    ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    if (ret)
+	goto fail;
+    
+    ent_to_values(context, &out, mask, &values);
+
+    kadm5_free_principal_ent(kadm_handle, &out);
+
+    store_vals(reply, &values);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat get");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_mod(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    Kadm_vals values1, values2;
+    kadm5_principal_ent_rec ent, out;
+    int32_t mask;
+    krb5_error_code ret;
+    char name[128];
+    
+    ret_vals(message, &values1);
+    /* why are the old values sent? is the mask the same in the old and
+       the new entry? */
+    ret_vals(message, &values2);
+    
+    ret = values_to_ent(context, &values2, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: mod %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_s_modify_principal(kadm_handle, &ent, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_warn(context, ret, "kadm5_s_modify_principal");
+	goto fail;
+    }
+
+    ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_warn(context, ret, "kadm5_s_modify_principal");
+	goto fail;
+    }
+
+    ent_to_values(context, &out, mask, &values1);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+    kadm5_free_principal_ent(kadm_handle, &out);
+    
+    store_vals(reply, &values1);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat mod");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_del(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    Kadm_vals values;
+    kadm5_principal_ent_rec ent;
+    int32_t mask;
+    krb5_error_code ret;
+    char name[128];
+
+    ret_vals(message, &values);
+
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+    
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: del %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_delete_principal(kadm_handle, ent.principal);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    if (ret)
+	goto fail;
+
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat add");
+    return error_code(ret);
+}
+
+static int
+dispatch(krb5_context context,
+	 void *kadm_handle,
+	 krb5_principal principal,
+	 const char *principal_string,
+	 krb5_data msg, 
+	 krb5_data *reply)
+{
+    int retval;
+    int8_t command;
+    krb5_storage *sp_in, *sp_out;
+    
+    sp_in = krb5_storage_from_data(&msg);
+    krb5_ret_int8(sp_in, &command);
+    
+    sp_out = krb5_storage_emem();
+    sp_out->store(sp_out, KADM_VERSTR, KADM_VERSIZE);
+    krb5_store_int32(sp_out, 0);
+
+    switch(command) {
+    case CHANGE_PW:
+	retval = kadm_ser_cpw(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case ADD_ENT:
+	retval = kadm_ser_add(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case GET_ENT:
+	retval = kadm_ser_get(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case MOD_ENT:
+	retval = kadm_ser_mod(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case DEL_ENT:
+	retval = kadm_ser_del(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    default:
+	krb5_warnx(context, "v4-compat %s: unknown opcode: %d",
+		   principal_string, command);
+	retval = KADM_NO_OPCODE;
+	break;
+    }
+    krb5_storage_free(sp_in);
+    if(retval) {
+	sp_out->seek(sp_out, KADM_VERSIZE, SEEK_SET);
+	krb5_store_int32(sp_out, retval);
+    }
+    krb5_storage_to_data(sp_out, reply);
+    krb5_storage_free(sp_out);
+    return retval;
+}
+
+/*
+ * Decode a v4 kadmin packet in `message' and create a reply in `reply'
+ */
+
+static void
+decode_packet(krb5_context context,
+	      struct sockaddr_in *admin_addr,
+	      struct sockaddr_in *client_addr,
+	      krb5_data message,
+	      krb5_data *reply)
+{
+    int ret;
+    KTEXT_ST authent;
+    AUTH_DAT ad;
+    MSG_DAT msg_dat;
+    off_t off = 0;
+    unsigned long rlen;
+    char sname[] = "changepw", sinst[] = "kerberos";
+    unsigned long checksum;
+    des_key_schedule schedule;
+    char *msg = message.data;
+    void *kadm_handle;
+    krb5_principal client;
+    char *client_str;
+    
+    if(message.length < KADM_VERSIZE
+       || strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) {
+	make_you_loose_packet (KADM_BAD_VER, reply);
+	return;
+    }
+
+    off = KADM_VERSIZE;
+    off += _krb5_get_int(msg + off, &rlen, 4);
+    memset(&authent, 0, sizeof(authent));
+    authent.length = message.length - rlen - KADM_VERSIZE - 4;
+    memcpy(authent.dat, (char*)msg + off, authent.length);
+    off += authent.length;
+    
+    {
+	krb5_principal principal;
+	krb5_keyblock *key;
+
+	ret = krb5_make_principal(context, &principal, NULL, 
+				  "changepw", "kerberos", NULL);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_make_principal");
+	    make_you_loose_packet (KADM_NOMEM, reply);
+	    return;
+	}
+	ret = krb5_kt_read_service_key(context, 
+				       "HDB:",
+				       principal,
+				       0,
+/*				       ETYPE_DES_CBC_CRC,*/
+				       ETYPE_DES_CBC_MD5,
+				       &key);
+	krb5_free_principal(context, principal);
+	if(ret) {
+	    if(ret == KRB5_KT_NOTFOUND)
+		make_you_loose_packet(KADM_NO_AUTH, reply);
+	    else
+		/* XXX */
+		make_you_loose_packet(KADM_NO_AUTH, reply);
+	    krb5_warn(context, ret, "krb5_kt_read_service_key");
+	    return;
+	}
+	
+	if(key->keyvalue.length != 8)
+	    krb5_abortx(context, "key has wrong length (%lu)", 
+			(unsigned long)key->keyvalue.length);
+	krb_set_key(key->keyvalue.data, 0);
+	krb5_free_keyblock(context, key);
+    }
+    
+    ret = krb_rd_req(&authent, sname, sinst, 
+		     client_addr->sin_addr.s_addr, &ad, NULL);
+
+    if(ret) {
+	make_you_loose_packet(krb_err_base + ret, reply);
+	krb5_warnx(context, "krb_rd_req: %d", ret);
+	return;
+    }
+
+    krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
+			    &client);
+    krb5_unparse_name(context, client, &client_str);
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       client_str, 
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       NULL, 0, 0, 
+				       &kadm_handle);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+	make_you_loose_packet (KADM_NOMEM, reply);
+	goto out;
+    }
+    
+    checksum = des_quad_cksum((des_cblock*)(msg + off), NULL, rlen, 
+			      0, &ad.session);
+    if(checksum != ad.checksum) {
+	krb5_warnx(context, "decode_packet: bad checksum");
+	make_you_loose_packet (KADM_BAD_CHK, reply);
+	goto out;
+    }
+    des_set_key(&ad.session, schedule);
+    ret = krb_rd_priv(msg + off, rlen, schedule, &ad.session, 
+		      client_addr, admin_addr, &msg_dat);
+    if (ret) {
+	make_you_loose_packet (krb_err_base + ret, reply);
+	krb5_warnx(context, "krb_rd_priv: %d", ret);
+	goto out;
+    }
+
+    {
+	krb5_data d, r;
+	int retval;
+
+	d.data   = msg_dat.app_data;
+	d.length = msg_dat.app_length;
+	
+	retval = dispatch(context, kadm_handle,
+			  client, client_str, d, &r);
+	krb5_data_alloc(reply, r.length + 26);
+	reply->length = krb_mk_priv(r.data, reply->data, r.length, 
+				    schedule, &ad.session, 
+				    admin_addr, client_addr);
+	if((ssize_t)reply->length < 0) {
+	    make_you_loose_packet(KADM_NO_ENCRYPT, reply);
+	    goto out;
+	}
+    }
+out:
+    krb5_free_principal(context, client);
+    free(client_str);
+}
+
+void
+handle_v4(krb5_context context,
+	  int len,
+	  int fd)
+{
+    int first = 1;
+    struct sockaddr_in admin_addr, client_addr;
+    int addr_len;
+    krb5_data message, reply;
+    ssize_t n;
+
+    addr_len = sizeof(client_addr);
+    if (getsockname(fd, (struct sockaddr*)&admin_addr, &addr_len) < 0)
+	krb5_errx (context, 1, "getsockname");
+    addr_len = sizeof(client_addr);
+    if (getpeername(fd, (struct sockaddr*)&client_addr, &addr_len) < 0)
+	krb5_errx (context, 1, "getpeername");
+
+    while(1) {
+	if(first) {
+	    /* first time around, we have already read len, and two
+               bytes of the version string */
+	    krb5_data_alloc(&message, len);
+	    memcpy(message.data, "KA", 2);
+	    n = krb5_net_read(context, &fd, (char*)message.data + 2,
+			      len - 2);
+	    if (n == 0)
+		exit (0);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	    first = 0;
+	} else {
+	    char buf[2];
+	    unsigned long tmp;
+	    ssize_t n;
+
+	    n = krb5_net_read(context, &fd, buf, sizeof(2));
+	    if (n == 0)
+		exit (0);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	    _krb5_get_int(buf, &tmp, 2);
+	    krb5_data_alloc(&message, tmp);
+	    n = krb5_net_read(context, &fd, message.data, message.length);
+	    if (n == 0)
+		krb5_errx (context, 1, "EOF in krb5_net_read");
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	}
+	decode_packet(context, &admin_addr, &client_addr, 
+		      message, &reply);
+	krb5_data_free(&message);
+	{
+	    char buf[2];
+
+	    _krb5_put_int(buf, reply.length, sizeof(buf));
+	    n = krb5_net_write(context, &fd, buf, sizeof(buf));
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_write");
+	    n = krb5_net_write(context, &fd, reply.data, reply.length);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_write");
+	    krb5_data_free(&reply);
+	}
+    }
+}
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
new file mode 100644
index 0000000..fb188de
--- /dev/null
+++ b/crypto/heimdal/kdc/524.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: 524.c,v 1.10 1999/12/02 17:04:58 joda Exp $");
+
+#ifdef KRB4
+
+krb5_error_code
+do_524(Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr)
+{
+    krb5_error_code ret = 0;
+    krb5_principal sprinc = NULL;
+    krb5_crypto crypto;
+    hdb_entry *server;
+    Key *skey;
+    krb5_data et_data;
+    EncTicketPart et;
+    EncryptedData ticket;
+    krb5_storage *sp;
+    char *spn = NULL;
+    unsigned char buf[MAX_KTXT_LEN + 4 * 4];
+    size_t len;
+    
+    principalname2krb5_principal(&sprinc, t->sname, t->realm);
+    krb5_unparse_name(context, sprinc, &spn);
+    server = db_fetch(sprinc);
+    if(server == NULL){
+	kdc_log(0, "Request to convert ticket from %s for unknown principal %s",
+		from, spn);
+	goto out;
+    }
+    ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
+    if(ret){
+	kdc_log(0, "No suitable key found for server (%s) "
+		"when converting ticket from ", spn, from);
+	goto out;
+    }
+    krb5_crypto_init(context, &skey->key, 0, &crypto);
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_TICKET,
+				      &t->enc_part,
+				      &et_data);
+    krb5_crypto_destroy(context, crypto);
+    if(ret){
+	kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
+	goto out;
+    }
+    ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, 
+				    &et, &len);
+    krb5_data_free(&et_data);
+    if(ret){
+	kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
+	goto out;
+    }
+    {
+	krb5_principal client;
+	char *cpn;
+	principalname2krb5_principal(&client, et.cname, et.crealm);
+	krb5_unparse_name(context, client, &cpn);
+	kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
+	free(cpn);
+	krb5_free_principal(context, client);
+    }
+
+    if(et.endtime < kdc_time){
+	kdc_log(0, "Ticket expired (%s)", spn);
+	free_EncTicketPart(&et);
+	ret = KRB5KRB_AP_ERR_TKT_EXPIRED;
+	goto out;
+    }
+    if(et.flags.invalid){
+	kdc_log(0, "Ticket not valid (%s)", spn);
+	free_EncTicketPart(&et);
+	ret = KRB5KRB_AP_ERR_TKT_NYV;
+	goto out;
+    }
+    {
+	krb5_addresses *save_caddr, new_addr;
+	krb5_address v4_addr;
+
+	ret = krb5_sockaddr2address(addr, &v4_addr);
+	if(ret) {
+	    kdc_log(0, "Failed to convert address (%s)", spn);
+	    free_EncTicketPart(&et);
+	    goto out;
+	}
+	    
+	if (et.caddr && !krb5_address_search (context, &v4_addr, et.caddr)) {
+	    kdc_log(0, "Incorrect network address (%s)", spn);
+	    free_EncTicketPart(&et);
+	    krb5_free_address(context, &v4_addr);
+	    ret = KRB5KRB_AP_ERR_BADADDR;
+	    goto out;
+	}
+	if(v4_addr.addr_type == KRB5_ADDRESS_INET) {
+	    /* we need to collapse the addresses in the ticket to a
+	       single address; best guess is to use the address the
+	       connection came from */
+	    save_caddr = et.caddr;
+	    new_addr.len = 1;
+	    new_addr.val = &v4_addr;
+	    et.caddr = &new_addr;
+	}
+	ret  = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
+				&et, &t->sname, &len);
+	if(v4_addr.addr_type == KRB5_ADDRESS_INET)
+	    et.caddr = save_caddr;
+    }
+    free_EncTicketPart(&et);
+    if(ret){
+	kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
+	goto out;
+    }
+    ret = get_des_key(server, &skey);
+    if(ret){
+	kdc_log(0, "No DES key for server (%s)", spn);
+	goto out;
+    }
+    ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, 
+			    skey->key.keyvalue.data, &ticket);
+    if(ret){
+	kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
+	goto out;
+    }
+out:
+    /* make reply */
+    memset(buf, 0, sizeof(buf));
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    krb5_store_int32(sp, ret);
+    if(ret == 0){
+	krb5_store_int32(sp, server->kvno); /* is this right? */
+	krb5_store_data(sp, ticket.cipher);
+	/* Aargh! This is coded as a KTEXT_ST. */
+	sp->seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
+	krb5_store_int32(sp, 0); /* mbz */
+	free_EncryptedData(&ticket);
+    }
+    ret = krb5_storage_to_data(sp, reply);
+    krb5_storage_free(sp);
+    
+    if(spn)
+	free(spn);
+    if(sprinc)
+	krb5_free_principal(context, sprinc);
+    hdb_free_entry(context, server);
+    free(server);
+    return ret;
+}
+
+#endif
diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am
new file mode 100644
index 0000000..3e3df20
--- /dev/null
+++ b/crypto/heimdal/kdc/Makefile.am
@@ -0,0 +1,62 @@
+# $Id: Makefile.am,v 1.33 1999/05/13 23:32:35 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = string2key
+
+sbin_PROGRAMS = kstash
+
+libexec_PROGRAMS = hprop hpropd kdc
+
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8
+
+hprop_SOURCES = hprop.c hprop-common.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop-common.c hprop.h
+
+kstash_SOURCES = kstash.c headers.h
+
+string2key_SOURCES = string2key.c headers.h
+
+kdc_SOURCES = \
+	524.c		\
+	config.c	\
+	connect.c	\
+	kaserver.c	\
+	kdc_locl.h	\
+	kerberos4.c	\
+	kerberos4.h	\
+	kerberos5.c	\
+	log.c		\
+	main.c		\
+	misc.c		\
+	rx.h
+
+
+hprop_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+hpropd_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
new file mode 100644
index 0000000..6ba90e1
--- /dev/null
+++ b/crypto/heimdal/kdc/Makefile.in
@@ -0,0 +1,799 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.33 1999/05/13 23:32:35 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = string2key
+
+sbin_PROGRAMS = kstash
+
+libexec_PROGRAMS = hprop hpropd kdc
+
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8
+
+hprop_SOURCES = hprop.c hprop-common.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop-common.c hprop.h
+
+kstash_SOURCES = kstash.c headers.h
+
+string2key_SOURCES = string2key.c headers.h
+
+kdc_SOURCES =  	524.c			config.c		connect.c		kaserver.c		kdc_locl.h		kerberos4.c		kerberos4.h		kerberos5.c		log.c			main.c			misc.c			rx.h
+
+
+hprop_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_kdb) $(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB) 
+
+
+hpropd_LDADD =  	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_kdb) $(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB) 
+
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken) 	$(DBLIB)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  string2key$(EXEEXT)
+libexec_PROGRAMS =  hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT)
+sbin_PROGRAMS =  kstash$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+string2key_OBJECTS =  string2key.$(OBJEXT)
+string2key_LDADD = $(LDADD)
+string2key_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+string2key_LDFLAGS = 
+hprop_OBJECTS =  hprop.$(OBJEXT) hprop-common.$(OBJEXT)
+hprop_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+hprop_LDFLAGS = 
+hpropd_OBJECTS =  hpropd.$(OBJEXT) hprop-common.$(OBJEXT)
+hpropd_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+hpropd_LDFLAGS = 
+kdc_OBJECTS =  524.$(OBJEXT) config.$(OBJEXT) connect.$(OBJEXT) \
+kaserver.$(OBJEXT) kerberos4.$(OBJEXT) kerberos5.$(OBJEXT) \
+log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT)
+kdc_LDADD = $(LDADD)
+kdc_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kdc_LDFLAGS = 
+kstash_OBJECTS =  kstash.$(OBJEXT)
+kstash_LDADD = $(LDADD)
+kstash_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/des/libdes.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kstash_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(string2key_SOURCES) $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES)
+OBJECTS = $(string2key_OBJECTS) $(hprop_OBJECTS) $(hpropd_OBJECTS) $(kdc_OBJECTS) $(kstash_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kdc/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES)
+	@rm -f string2key$(EXEEXT)
+	$(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
+
+hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES)
+	@rm -f hprop$(EXEEXT)
+	$(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS)
+
+hpropd$(EXEEXT): $(hpropd_OBJECTS) $(hpropd_DEPENDENCIES)
+	@rm -f hpropd$(EXEEXT)
+	$(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS)
+
+kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES)
+	@rm -f kdc$(EXEEXT)
+	$(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS)
+
+kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES)
+	@rm -f kstash$(EXEEXT)
+	$(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS)
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = kdc
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-sbinPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-sbinPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-compile \
+		maintainer-clean-libtool maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS clean-sbinPROGRAMS \
+maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
new file mode 100644
index 0000000..3db7173
--- /dev/null
+++ b/crypto/heimdal/kdc/config.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
+
+RCSID("$Id: config.c,v 1.30 2000/02/11 17:47:19 assar Exp $");
+
+static char *config_file;	/* location of kdc config file */
+
+int require_preauth = -1;	/* 1 == require preauth for all principals */
+
+size_t max_request;		/* maximal size of a request */
+
+static char *max_request_str;	/* `max_request' as a string */
+
+time_t kdc_warn_pwexpire;	/* time before expiration to print a warning */
+
+struct dbinfo *databases;
+HDB **db;
+int num_db;
+
+char *port_str;
+
+int enable_http = -1;
+krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
+
+krb5_boolean check_ticket_addresses;
+krb5_boolean allow_null_ticket_addresses;
+
+static struct getarg_strings addresses_str;	/* addresses to listen on */
+krb5_addresses explicit_addresses;
+
+#ifdef KRB4
+char *v4_realm;
+#endif
+#ifdef KASERVER
+krb5_boolean enable_kaserver = -1;
+#endif
+
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    { 
+	"require-preauth",	'p',	arg_negative_flag, &require_preauth, 
+	"don't require pa-data in as-reqs"
+    },
+    { 
+	"max-request",	0,	arg_string, &max_request, 
+	"max size for a kdc-request", "size"
+    },
+#if 0
+    {
+	"database",	'd', 	arg_string, &databases,
+	"location of database", "database"
+    },
+#endif
+    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
+#ifdef KRB4
+    { 
+	"v4-realm",	'r',	arg_string, &v4_realm, 
+	"realm to serve v4-requests for"
+    },
+#endif
+#ifdef KASERVER
+    {
+	"kaserver", 'K', arg_negative_flag,   &enable_kaserver,
+	"turn off kaserver support"
+    },
+#endif
+    {	"ports",	'P', 	arg_string, &port_str,
+	"ports to listen to" 
+    },
+    {	"addresses",	0,	arg_strings, &addresses_str,
+	"addresses to listen on", "list of addresses" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+static void
+get_dbinfo(krb5_config_section *cf)
+{
+    krb5_config_binding *top_binding = NULL;
+    krb5_config_binding *db_binding;
+    krb5_config_binding *default_binding = NULL;
+    struct dbinfo *di, **dt;
+    const char *default_dbname = HDB_DEFAULT_DB;
+    const char *default_mkey = HDB_DB_DIR "/m-key";
+    const char *p;
+
+    databases = NULL;
+    dt = &databases;
+    while((db_binding = (krb5_config_binding *)
+	   krb5_config_get_next(context, cf, &top_binding, 
+				krb5_config_list, 
+				"kdc", 
+				"database",
+				NULL))) {
+	p = krb5_config_get_string(context, db_binding, "realm", NULL);
+	if(p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db_binding;
+	    continue;
+	}
+	di = calloc(1, sizeof(*di));
+	di->realm = strdup(p);
+	p = krb5_config_get_string(context, db_binding, "dbname", NULL);
+	if(p)
+	    di->dbname = strdup(p);
+	p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
+	if(p)
+	    di->mkey_file = strdup(p);
+	*dt = di;
+	dt = &di->next;
+    }
+    if(default_binding) {
+	di = calloc(1, sizeof(*di));
+	p = krb5_config_get_string(context, default_binding, "dbname", NULL);
+	if(p) {
+	    di->dbname = strdup(p);
+	    default_dbname = p;
+	}
+	p = krb5_config_get_string(context, default_binding, "mkey_file", NULL);
+	if(p) {
+	    di->mkey_file = strdup(p);
+	    default_mkey = p;
+	}
+	*dt = di;
+	dt = &di->next;
+    } else {
+	di = calloc(1, sizeof(*di));
+	di->dbname = strdup(default_dbname);
+	di->mkey_file = strdup(default_mkey);
+	*dt = di;
+	dt = &di->next;
+    }
+    for(di = databases; di; di = di->next) {
+	if(di->dbname == NULL)
+	    di->dbname = strdup(default_dbname);
+	if(di->mkey_file == NULL) {
+	    p = strrchr(di->dbname, '.');
+	    if(p == NULL || strchr(p, '/') != NULL)
+		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+	    else
+		asprintf(&di->mkey_file, "%.*s.mkey", 
+			 (int)(p - di->dbname), di->dbname);
+	}
+    }
+}
+
+static void
+add_one_address (const char *str, int first)
+{
+    krb5_error_code ret;
+    krb5_addresses tmp;
+
+    ret = krb5_parse_address (context, str, &tmp);
+    if (ret)
+	krb5_err (context, 1, ret, "parse_address `%s'", str);
+    if (first)
+	krb5_copy_addresses(context, &tmp, &explicit_addresses);
+    else
+	krb5_append_addresses(context, &explicit_addresses, &tmp);
+    krb5_free_addresses (context, &tmp);
+}
+
+void
+configure(int argc, char **argv)
+{
+    krb5_config_section *cf = NULL;
+    int optind = 0;
+    int e;
+    const char *p;
+    
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if(help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage(1);
+    
+    if(config_file == NULL)
+	config_file = HDB_DB_DIR "/kdc.conf";
+    
+    if(krb5_config_parse_file(config_file, &cf))
+	cf = NULL;
+    
+    get_dbinfo(cf);
+    
+    if(max_request_str){
+	max_request = parse_bytes(max_request_str, NULL);
+    }
+
+    if(max_request == 0){
+	p = krb5_config_get_string (context,
+				    cf, 
+				    "kdc",
+				    "max-request",
+				    NULL);
+	if(p)
+	    max_request = parse_bytes(p, NULL);
+    }
+    
+    if(require_preauth == -1)
+	require_preauth = krb5_config_get_bool(context, cf, "kdc", 
+					       "require-preauth", NULL);
+
+    if(port_str == NULL){
+	p = krb5_config_get_string(context, cf, "kdc", "ports", NULL);
+	if (p != NULL)
+	    port_str = strdup(p);
+    }
+
+    explicit_addresses.len = 0;
+
+    if (addresses_str.num_strings) {
+	int i;
+
+	for (i = 0; i < addresses_str.num_strings; ++i)
+	    add_one_address (addresses_str.strings[i], i == 0);
+    } else {
+	char **foo = krb5_config_get_strings (context, cf,
+					      "kdc", "addresses", NULL);
+
+	if (foo != NULL) {
+	    add_one_address (*foo++, TRUE);
+	    while (*foo)
+		add_one_address (*foo++, FALSE);
+	}
+    }
+
+    if(enable_http == -1)
+	enable_http = krb5_config_get_bool(context, cf, "kdc", 
+					   "enable-http", NULL);
+    check_ticket_addresses = 
+	krb5_config_get_bool(context, cf, "kdc", 
+			     "check-ticket-addresses", NULL);
+    allow_null_ticket_addresses = 
+	krb5_config_get_bool(context, cf, "kdc", 
+			     "allow-null-ticket-addresses", NULL);
+#ifdef KRB4
+    if(v4_realm == NULL){
+	p = krb5_config_get_string (context, cf, 
+				    "kdc",
+				    "v4-realm",
+				    NULL);
+	if(p)
+	    v4_realm = strdup(p);
+    }
+#endif
+#ifdef KASERVER
+    if (enable_kaserver == -1)
+	enable_kaserver = krb5_config_get_bool_default(context, cf, TRUE,
+						       "kdc",
+						       "enable-kaserver",
+						       NULL);
+#endif
+
+    encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, cf, "kdc", 
+						    "encode_as_rep_as_tgs_rep", 
+						    NULL);
+
+    kdc_warn_pwexpire = krb5_config_get_time (context, cf,
+					      "kdc",
+					      "kdc_warn_pwexpire",
+					      NULL);
+    kdc_openlog(cf);
+    if(cf)
+	krb5_config_file_free (context, cf);
+    if(max_request == 0)
+	max_request = 64 * 1024;
+    if(require_preauth == -1)
+	require_preauth = 1;
+    if (port_str == NULL)
+	port_str = "+";
+#ifdef KRB4
+    if(v4_realm == NULL){
+	v4_realm = malloc(40); /* REALM_SZ */
+	krb_get_lrealm(v4_realm, 1);
+    }
+#endif
+}
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
new file mode 100644
index 0000000..0ce23b5
--- /dev/null
+++ b/crypto/heimdal/kdc/connect.c
@@ -0,0 +1,763 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: connect.c,v 1.70 2000/02/19 18:41:24 assar Exp $");
+
+/*
+ * a tuple describing on what to listen
+ */
+
+struct port_desc{
+    int family;
+    int type;
+    int port;
+};
+
+/* the current ones */
+
+static struct port_desc *ports;
+static int num_ports;
+
+/*
+ * add `family, port, protocol' to the list with duplicate suppresion.
+ */
+
+static void
+add_port(int family, int port, const char *protocol)
+{
+    int type;
+    int i;
+
+    if(strcmp(protocol, "udp") == 0)
+	type = SOCK_DGRAM;
+    else if(strcmp(protocol, "tcp") == 0)
+	type = SOCK_STREAM;
+    else
+	return;
+    for(i = 0; i < num_ports; i++){
+	if(ports[i].type == type
+	   && ports[i].port == port
+	   && ports[i].family == family)
+	    return;
+    }
+    ports = realloc(ports, (num_ports + 1) * sizeof(*ports));
+    if (ports == NULL)
+	krb5_err (context, 1, errno, "realloc");
+    ports[num_ports].family = family;
+    ports[num_ports].type   = type;
+    ports[num_ports].port   = port;
+    num_ports++;
+}
+
+/*
+ * add a triple but with service -> port lookup
+ * (this prints warnings for stuff that does not exist)
+ */
+
+static void
+add_port_service(int family, const char *service, int port,
+		 const char *protocol)
+{
+    port = krb5_getportbyname (context, service, protocol, port);
+    add_port (family, port, protocol);
+}
+
+/*
+ * add the port with service -> port lookup or string -> number
+ * (no warning is printed)
+ */
+
+static void
+add_port_string (int family, const char *port_str, const char *protocol)
+{
+    struct servent *sp;
+    int port;
+
+    sp = roken_getservbyname (port_str, protocol);
+    if (sp != NULL) {
+	port = sp->s_port;
+    } else {
+	char *end;
+
+	port = htons(strtol(port_str, &end, 0));
+	if (end == port_str)
+	    return;
+    }
+    add_port (family, port, protocol);
+}
+
+/*
+ * add the standard collection of ports for `family'
+ */
+
+static void
+add_standard_ports (int family)
+{
+    add_port_service(family, "kerberos", 88, "udp");
+    add_port_service(family, "kerberos", 88, "tcp");
+    add_port_service(family, "kerberos-sec", 88, "udp");
+    add_port_service(family, "kerberos-sec", 88, "tcp");
+    add_port_service(family, "kerberos-iv", 750, "udp");
+    add_port_service(family, "kerberos-iv", 750, "tcp");
+    if(enable_http)
+	add_port_service(family, "http", 80, "tcp");
+#ifdef KASERVER
+    if (enable_kaserver)
+	add_port_service(family, "afs3-kaserver", 7004, "udp");
+#endif
+}
+
+/*
+ * parse the set of space-delimited ports in `str' and add them.
+ * "+" => all the standard ones
+ * otherwise it's port|service[/protocol]
+ */
+
+static void
+parse_ports(const char *str)
+{
+    char *pos = NULL;
+    char *p;
+    char *str_copy = strdup (str);
+
+    p = strtok_r(str_copy, " \t", &pos);
+    while(p != NULL) {
+	if(strcmp(p, "+") == 0) {
+#ifdef HAVE_IPV6
+	    add_standard_ports(AF_INET6);
+#endif
+	    add_standard_ports(AF_INET);
+	} else {
+	    char *q = strchr(p, '/');
+	    if(q){
+		*q++ = 0;
+#ifdef HAVE_IPV6
+		add_port_string(AF_INET6, p, q);
+#endif
+		add_port_string(AF_INET, p, q);
+	    }else {
+#ifdef HAVE_IPV6
+		add_port_string(AF_INET6, p, "udp");
+		add_port_string(AF_INET6, p, "tcp");
+#endif
+		add_port_string(AF_INET, p, "udp");
+		add_port_string(AF_INET, p, "tcp");
+	    }
+	}
+	    
+	p = strtok_r(NULL, " \t", &pos);
+    }
+    free (str_copy);
+}
+
+/*
+ * every socket we listen on
+ */
+
+struct descr {
+    int s;
+    int type;
+    unsigned char *buf;
+    size_t size;
+    size_t len;
+    time_t timeout;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa;
+    int sock_len;
+    char addr_string[128];
+};
+
+/*
+ * Create the socket (family, type, port) in `d'
+ */
+
+static void 
+init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
+{
+    krb5_error_code ret;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int sa_size;
+
+    memset(d, 0, sizeof(*d));
+    d->sa = (struct sockaddr *)&d->__ss;
+    d->s = -1;
+
+    ret = krb5_addr2sockaddr (a, sa, &sa_size, port);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_addr2sockaddr");
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+
+    if (sa->sa_family != family)
+	return;
+
+    d->s = socket(family, type, 0);
+    if(d->s < 0){
+	krb5_warn(context, errno, "socket(%d, %d, 0)", family, type);
+	d->s = -1;
+	return;
+    }
+#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR)
+    {
+	int one = 1;
+	setsockopt(d->s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one));
+    }
+#endif
+    d->type = type;
+
+    if(bind(d->s, sa, sa_size) < 0){
+	char a_str[256];
+	size_t len;
+
+	krb5_print_address (a, a_str, sizeof(a_str), &len);
+	krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port));
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+    if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){
+	char a_str[256];
+	size_t len;
+
+	krb5_print_address (a, a_str, sizeof(a_str), &len);
+	krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port));
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+}
+
+/*
+ * Allocate descriptors for all the sockets that we should listen on
+ * and return the number of them.
+ */
+
+static int
+init_sockets(struct descr **desc)
+{
+    krb5_error_code ret;
+    int i, j;
+    struct descr *d;
+    int num = 0;
+    krb5_addresses addresses;
+
+    if (explicit_addresses.len) {
+	addresses = explicit_addresses;
+    } else {
+	ret = krb5_get_all_server_addrs (context, &addresses);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+    }
+    parse_ports(port_str);
+    d = malloc(addresses.len * num_ports * sizeof(*d));
+    if (d == NULL)
+	krb5_errx(context, 1, "malloc(%u) failed", num_ports * sizeof(*d));
+
+    for (i = 0; i < num_ports; i++){
+	for (j = 0; j < addresses.len; ++j) {
+	    init_socket(&d[num], &addresses.val[j],
+			ports[i].family, ports[i].type, ports[i].port);
+	    if(d[num].s != -1){
+		char a_str[80];
+		size_t len;
+
+		krb5_print_address (&addresses.val[j], a_str,
+				    sizeof(a_str), &len);
+
+		kdc_log(5, "listening on %s port %u/%s",
+			a_str,
+			ntohs(ports[i].port), 
+			(ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
+		/* XXX */
+		num++;
+	    }
+	}
+    }
+    krb5_free_addresses (context, &addresses);
+    d = realloc(d, num * sizeof(*d));
+    if (d == NULL && num != 0)
+	krb5_errx(context, 1, "realloc(%u) failed", num * sizeof(*d));
+    *desc = d;
+    return num;
+}
+
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ */
+
+static int
+process_request(unsigned char *buf, 
+		size_t len, 
+		krb5_data *reply,
+		int *sendlength,
+		const char *from,
+		struct sockaddr *addr)
+{
+    KDC_REQ req;
+#ifdef KRB4
+    Ticket ticket;
+#endif
+    krb5_error_code ret;
+    size_t i;
+
+    gettimeofday(&now, NULL);
+    if(decode_AS_REQ(buf, len, &req, &i) == 0){
+	ret = as_rep(&req, reply, from, addr);
+	free_AS_REQ(&req);
+	return ret;
+    }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
+	ret = tgs_rep(&req, reply, from, addr);
+	free_TGS_REQ(&req);
+	return ret;
+    }
+#ifdef KRB4
+    else if(maybe_version4(buf, len)){
+	*sendlength = 0; /* elbitapmoc sdrawkcab XXX */
+	do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
+	return 0;
+    }else if(decode_Ticket(buf, len, &ticket, &i) == 0){
+	ret = do_524(&ticket, reply, from, addr);
+	free_Ticket(&ticket);
+	return ret;
+    }
+#endif
+#ifdef KASERVER
+    else if (enable_kaserver) {
+	ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
+	return ret;
+    }
+#endif
+			  
+    return -1;
+}
+
+static void
+addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
+{
+    krb5_address a;
+    krb5_sockaddr2address(addr, &a);
+    if(krb5_print_address(&a, str, len, &len) == 0) {
+	krb5_free_address(context, &a);
+	return;
+    }
+    krb5_free_address(context, &a);
+    snprintf(str, len, "<family=%d>", addr->sa_family);
+}
+
+/*
+ * Handle the request in `buf, len' to socket `d'
+ */
+
+static void
+do_request(void *buf, size_t len, int sendlength,
+	   struct descr *d)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+    
+    reply.length = 0;
+    ret = process_request(buf, len, &reply, &sendlength,
+			  d->addr_string, d->sa);
+    if(reply.length){
+	kdc_log(5, "sending %d bytes to %s", reply.length, d->addr_string);
+	if(sendlength){
+	    unsigned char len[4];
+	    len[0] = (reply.length >> 24) & 0xff;
+	    len[1] = (reply.length >> 16) & 0xff;
+	    len[2] = (reply.length >> 8) & 0xff;
+	    len[3] = reply.length & 0xff;
+	    if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) {
+		kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
+		krb5_data_free(&reply);
+		return;
+	    }
+	}
+	if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) {
+	    kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
+	    krb5_data_free(&reply);
+	    return;
+	}
+	krb5_data_free(&reply);
+    }
+    if(ret)
+	kdc_log(0, "Failed processing %lu byte request from %s", 
+		(unsigned long)len, d->addr_string);
+}
+
+/*
+ * Handle incoming data to the UDP socket in `d'
+ */
+
+static void
+handle_udp(struct descr *d)
+{
+    unsigned char *buf;
+    int n;
+
+    buf = malloc(max_request);
+    if(buf == NULL){
+	kdc_log(0, "Failed to allocate %u bytes", max_request);
+	return;
+    }
+
+    d->sock_len = sizeof(d->__ss);
+    n = recvfrom(d->s, buf, max_request, 0, d->sa, &d->sock_len);
+    if(n < 0)
+	krb5_warn(context, errno, "recvfrom");
+    else {
+	addr_to_string (d->sa, d->sock_len,
+			d->addr_string, sizeof(d->addr_string));
+	do_request(buf, n, 0, d);
+    }
+    free (buf);
+}
+
+static void
+clear_descr(struct descr *d)
+{
+    if(d->buf)
+	memset(d->buf, 0, d->size);
+    d->len = 0;
+    if(d->s != -1)
+	close(d->s);
+    d->s = -1;
+}
+
+
+/* remove HTTP %-quoting from buf */
+static int
+de_http(char *buf)
+{
+    char *p, *q;
+    for(p = q = buf; *p; p++, q++) {
+	if(*p == '%') {
+	    unsigned int x;
+	    if(sscanf(p + 1, "%2x", &x) != 1)
+		return -1;
+	    *q = x;
+	    p += 2;
+	} else
+	    *q = *p;
+    }
+    *q = '\0';
+    return 0;
+}
+
+#define TCP_TIMEOUT 4
+
+/*
+ * accept a new TCP connection on `d[index]'
+ */
+
+static void
+add_new_tcp (struct descr *d, int index, int min_free)
+{
+    int s;
+
+    d->sock_len = sizeof(d->__ss);
+    s = accept(d[index].s, d->sa, &d->sock_len);
+    if(s < 0) {
+	krb5_warn(context, errno, "accept");
+	return;
+    }
+    if(min_free == -1){
+	close(s);
+	return;
+    }
+	    
+    d[min_free].s = s;
+    d[min_free].timeout = time(NULL) + TCP_TIMEOUT;
+    d[min_free].type = SOCK_STREAM;
+    addr_to_string (d[min_free].sa, d[min_free].sock_len,
+		    d[min_free].addr_string, sizeof(d[min_free].addr_string));
+}
+
+/*
+ * Grow `d' to handle at least `n'.
+ * Return != 0 if fails
+ */
+
+static int
+grow_descr (struct descr *d, size_t n)
+{
+    if (d->size - d->len < n) {
+	unsigned char *tmp;
+
+	d->size += max(1024, d->len + n);
+	if (d->size >= max_request) {
+	    kdc_log(0, "Request exceeds max request size (%u bytes).",
+		    d->size);
+	    clear_descr(d);
+	    return -1;
+	}
+	tmp = realloc (d->buf, d->size);
+	if (tmp == NULL) {
+	    kdc_log(0, "Failed to re-allocate %u bytes.", d->size);
+	    clear_descr(d);
+	    return -1;
+	}
+	d->buf = tmp;
+    }
+    return 0;
+}
+
+/*
+ * Try to handle the TCP data at `d->buf, d->len'.
+ * Return -1 if failed, 0 if succesful, and 1 if data is complete.
+ */
+
+static int
+handle_vanilla_tcp (struct descr *d)
+{
+    krb5_storage *sp;
+    int32_t len;
+
+    sp = krb5_storage_from_mem(d->buf, d->len);
+    if (sp == NULL) {
+	kdc_log (0, "krb5_storage_from_mem failed");
+	return -1;
+    }
+    krb5_ret_int32(sp, &len);
+    krb5_storage_free(sp);
+    if(d->len - 4 >= len) {
+	memcpy(d->buf, d->buf + 4, d->len - 4);
+	return 1;
+    }
+    return 0;
+}
+
+/*
+ * Try to handle the TCP/HTTP data at `d->buf, d->len'.
+ * Return -1 if failed, 0 if succesful, and 1 if data is complete.
+ */
+
+static int
+handle_http_tcp (struct descr *d)
+{
+    char *s, *p, *t;
+    void *data;
+    char *proto;
+    int len;
+
+    s = (char *)d->buf;
+
+    p = strstr(s, "\r\n");
+    if (p == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    *p = 0;
+
+    p = NULL;
+    t = strtok_r(s, " \t", &p);
+    if (t == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    t = strtok_r(NULL, " \t", &p);
+    if(t == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    data = malloc(strlen(t));
+    if (data == NULL) {
+	kdc_log(0, "Failed to allocate %u bytes", strlen(t));
+	return -1;
+    }
+    if(*t == '/')
+	t++;
+    if(de_http(t) != 0) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(5, "Request: %s", t);
+	free(data);
+	return -1;
+    }
+    proto = strtok_r(NULL, " \t", &p);
+    if (proto == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	free(data);
+	return -1;
+    }
+    len = base64_decode(t, data);
+    if(len <= 0){
+	const char *msg = 
+	    " 404 Not found\r\n"
+	    "Server: Heimdal/" VERSION "\r\n"
+	    "Content-type: text/html\r\n"
+	    "Content-transfer-encoding: 8bit\r\n\r\n"
+	    "<TITLE>404 Not found</TITLE>\r\n"
+	    "<H1>404 Not found</H1>\r\n"
+	    "That page doesn't exist, maybe you are looking for "
+	    "<A HREF=\"http://www.pdc.kth.se/heimdal\">Heimdal</A>?\r\n";
+	write(d->s, proto, strlen(proto));
+	write(d->s, msg, strlen(msg));
+	kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string);
+	kdc_log(5, "Request: %s", t);
+	free(data);
+	return -1;
+    }
+    {
+	const char *msg = 
+	    " 200 OK\r\n"
+	    "Server: Heimdal/" VERSION "\r\n"
+	    "Content-type: application/octet-stream\r\n"
+	    "Content-transfer-encoding: binary\r\n\r\n";
+	write(d->s, proto, strlen(proto));
+	write(d->s, msg, strlen(msg));
+    }
+    memcpy(d->buf, data, len);
+    d->len = len;
+    free(data);
+    return 1;
+}
+
+/*
+ * Handle incoming data to the TCP socket in `d[index]'
+ */
+
+static void
+handle_tcp(struct descr *d, int index, int min_free)
+{
+    unsigned char buf[1024];
+    int n;
+    int ret = 0;
+
+    if (d[index].timeout == 0) {
+	add_new_tcp (d, index, min_free);
+	return;
+    }
+
+    n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL);
+    if(n < 0){
+	krb5_warn(context, errno, "recvfrom");
+	return;
+    }
+    if (grow_descr (&d[index], n))
+	return;
+    memcpy(d[index].buf + d[index].len, buf, n);
+    d[index].len += n;
+    if(d[index].len > 4 && d[index].buf[0] == 0) {
+	ret = handle_vanilla_tcp (&d[index]);
+    } else if(enable_http &&
+	      d[index].len >= 4 &&
+	      strncmp((char *)d[index].buf, "GET ", 4) == 0 && 
+	      strncmp((char *)d[index].buf + d[index].len - 4,
+		      "\r\n\r\n", 4) == 0) {
+	ret = handle_http_tcp (&d[index]);
+	if (ret < 0)
+	    clear_descr (d + index);
+    } else if (d[index].len > 4) {
+	kdc_log (0, "TCP data of strange type from %s", d[index].addr_string);
+	return;
+    }
+    if (ret < 0)
+	return;
+    else if (ret == 1) {
+	do_request(d[index].buf, d[index].len, 1, &d[index]);
+	clear_descr(d + index);
+    }
+}
+
+void
+loop(void)
+{
+    struct descr *d;
+    int ndescr;
+
+    ndescr = init_sockets(&d);
+    if(ndescr <= 0)
+	krb5_errx(context, 1, "No sockets!");
+    while(exit_flag == 0){
+	struct timeval tmout;
+	fd_set fds;
+	int min_free = -1;
+	int max_fd = 0;
+	int i;
+	FD_ZERO(&fds);
+	for(i = 0; i < ndescr; i++){
+	    if(d[i].s >= 0){
+		if(d[i].type == SOCK_STREAM && 
+		   d[i].timeout && d[i].timeout < time(NULL)) {
+		    kdc_log(1, "TCP-connection from %s expired after %u bytes",
+			    d[i].addr_string, d[i].len);
+		    clear_descr(&d[i]);
+		    continue;
+		}
+		if(max_fd < d[i].s)
+		    max_fd = d[i].s;
+		FD_SET(d[i].s, &fds);
+	    }else if(min_free < 0 || i < min_free)
+		min_free = i;
+	}
+	if(min_free == -1){
+	    struct descr *tmp;
+	    tmp = realloc(d, (ndescr + 4) * sizeof(*d));
+	    if(tmp == NULL)
+		krb5_warnx(context, "No memory");
+	    else{
+		d = tmp;
+		memset(d + ndescr, 0, 4 * sizeof(*d));
+		for(i = ndescr; i < ndescr + 4; i++)
+		    d[i].s = -1;
+		min_free = ndescr;
+		ndescr += 4;
+	    }
+	}
+    
+	tmout.tv_sec = TCP_TIMEOUT;
+	tmout.tv_usec = 0;
+	switch(select(max_fd + 1, &fds, 0, 0, &tmout)){
+	case 0:
+	    break;
+	case -1:
+	    if (errno != EINTR)
+		krb5_warn(context, errno, "select");
+	    break;
+	default:
+	    for(i = 0; i < ndescr; i++)
+		if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
+		    if(d[i].type == SOCK_DGRAM)
+			handle_udp(&d[i]);
+		    else if(d[i].type == SOCK_STREAM)
+			handle_tcp(d, i, min_free);
+		}
+	}
+    }
+    free (d);
+}
diff --git a/crypto/heimdal/kdc/headers.h b/crypto/heimdal/kdc/headers.h
new file mode 100644
index 0000000..118e0d8
--- /dev/null
+++ b/crypto/heimdal/kdc/headers.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: headers.h,v 1.6 2000/02/06 06:04:36 assar Exp $ 
+ * $FreeBSD$ 
+ */
+
+#ifndef __HEADERS_H__
+#define __HEADERS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <base64.h>
+#include <parse_units.h>
+#include <openssl/des.h>
+#include <krb5.h>
+#include <hdb.h>
+#include <hdb_err.h>
+#include <der.h> /* copy_octet_string */
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#define Principal Principal4
+#include <krb_db.h>
+#endif
+
+#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
+
+#endif /* __HEADERS_H__ */
diff --git a/crypto/heimdal/kdc/hprop-common.c b/crypto/heimdal/kdc/hprop-common.c
new file mode 100644
index 0000000..660725f
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop-common.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hprop-common.c,v 1.7 1999/12/02 17:04:59 joda Exp $");
+
+krb5_error_code 
+send_priv(krb5_context context, krb5_auth_context ac,
+	  krb5_data *data, int fd)
+{
+    krb5_data packet;
+    krb5_error_code ret;
+
+    ret = krb5_mk_priv (context,
+			ac,
+			data,
+			&packet,
+			NULL);
+    if (ret)
+	return ret;
+    
+    ret = krb5_write_message (context, &fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
+
+krb5_error_code
+recv_priv(krb5_context context, krb5_auth_context ac, int fd, krb5_data *out)
+{
+    krb5_error_code ret;
+    krb5_data data;
+
+    ret = krb5_read_message (context, &fd, &data);
+    if (ret)
+	return ret;
+
+    ret = krb5_rd_priv(context, ac, &data, out, NULL);
+    krb5_data_free (&data);
+    return ret;
+}
+
+krb5_error_code
+send_clear(krb5_context context, int fd, krb5_data data)
+{
+    return krb5_write_message (context, &fd, &data);
+}
+
+krb5_error_code
+recv_clear(krb5_context context, int fd, krb5_data *out)
+{
+    return krb5_read_message (context, &fd, out);
+}
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8
new file mode 100644
index 0000000..d700577
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.8
@@ -0,0 +1,66 @@
+.\" $Id: hprop.8,v 1.3 1997/09/03 20:33:04 joda Exp $
+.\"
+.Dd September 3, 1997
+.Dt HPROP 8
+.Os HEIMDAL
+.Sh NAME
+.Nm hprop
+.Nd
+propagate the KDC database
+.Sh SYNOPSIS
+.Nm
+.Op Fl 4DEhnv
+.Op Fl d Ar file
+.Op Fl -database= Ns Ar file
+.Op Fl -decrypt
+.Op Fl -encrypt
+.Op Fl -help
+.Op Fl k
+.Op Fl -keytab= Ns Ar file
+.Op Fl m Ar file
+.Op Fl -master-key= Ns Ar file
+.Op Fl -stdout
+.Op Fl -v4-db
+.Op Fl -verbose
+.Op Fl -version
+.Ar host ...
+.Sh DESCRIPTION
+.Nm
+propagates the database from a master KDC to a slave. It connects to
+all
+.Ar hosts
+specified on the command by opening a TCP connection to port 754
+(service hprop) and sends the database in encrypted form.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl d Ar file
+.It Fl -database= Ns Ar file
+The database to be propagated.
+.It Fl D
+.It Fl -decrypt
+The encryption keys in the database can either be in clear, or
+encrypted with a master key. This option thansmits the database with
+unencrypted keys.
+.It Fl E
+.It Fl -encrypt
+This option thansmits the database with encrypted keys.
+.It Fl k
+.It Fl -keytab= Ns Ar file
+The keytab to use for fetching the key to be used for authenticating
+to the propagation daemon(s). The key
+.Pa kadmin/hprop
+is used from this keytab.
+.It Fl m Ar file
+.It Fl -master-key= Ns Ar file
+Where to find the master key to encrypt or decrypt keys with.
+.It Fl n
+.It Fl -stdout
+Dump the database on stdout, in a format that can be fed to hpropd.
+.It Fl 4
+.It Fl -v4-db
+Use a version 4 database. This option is only available if the code is
+compiled with Kerberos 4 support.
+.El
+.Sh SEE ALSO
+.Xr hpropd 8
diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c
new file mode 100644
index 0000000..3be6a6f
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.c
@@ -0,0 +1,676 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hprop.c,v 1.40 1999/12/04 18:02:18 assar Exp $");
+
+static int version_flag;
+static int help_flag;
+static char *ktname = HPROP_KEYTAB;
+static char *database;
+static char *mkeyfile;
+static int to_stdout;
+static int verbose_flag;
+static int encrypt_flag;
+static int decrypt_flag;
+static EncryptionKey mkey5;
+static krb5_data msched5;
+
+static int v4_db;
+static int ka_db;
+static char *afs_cell;
+
+#ifdef KRB4
+static char *realm;
+
+#ifdef KASERVER_DB
+static int kaspecials_flag;
+#endif
+#endif
+
+static int
+open_socket(krb5_context context, const char *hostname)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr),
+	      "%u",
+	      ntohs(krb5_getportbyname (context, "hprop", "tcp", HPROP_PORT)));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return s;
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return -1;
+}
+
+struct prop_data{
+    krb5_context context;
+    krb5_auth_context auth_context;
+    int sock;
+};
+
+int hdb_entry2value(krb5_context, hdb_entry*, krb5_data*);
+
+static krb5_error_code
+v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
+{
+    krb5_error_code ret;
+    struct prop_data *pd = appdata;
+    krb5_data data;
+
+    if(encrypt_flag)
+	_hdb_seal_keys_int(entry, 0, msched5);
+    if(decrypt_flag)
+	_hdb_unseal_keys_int(entry, 0, msched5);
+
+    ret = hdb_entry2value(context, entry, &data);
+    if(ret) return ret;
+
+    if(to_stdout)
+	ret = send_clear(context, STDOUT_FILENO, data);
+    else
+	ret = send_priv(context, pd->auth_context, &data, pd->sock);
+    krb5_data_free(&data);
+    return ret;
+}
+
+#ifdef KRB4
+static des_cblock mkey4;
+static des_key_schedule msched4;
+static char realm_buf[REALM_SZ];
+
+static int
+v4_prop(void *arg, Principal *p)
+{
+    struct prop_data *pd = arg;
+    hdb_entry ent;
+    krb5_error_code ret;
+
+    memset(&ent, 0, sizeof(ent));
+
+    ret = krb5_425_conv_principal(pd->context, p->name, p->instance, realm,
+				  &ent.principal);
+    if(ret){
+	krb5_warn(pd->context, ret,
+		  "krb5_425_conv_principal %s.%s@%s",
+		  p->name, p->instance, realm);
+	return 0;
+    }
+
+    if(verbose_flag) {
+	char *s;
+	krb5_unparse_name_short(pd->context, ent.principal, &s);
+	krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s);
+	free(s);
+    }
+
+    ent.kvno = p->key_version;
+    ent.keys.len = 3;
+    ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
+    ent.keys.val[0].mkvno = NULL;
+#if 0
+    ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
+    *(ent.keys.val[0].mkvno) = p->kdc_key_ver; /* XXX */
+#endif
+    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
+    ent.keys.val[0].salt->type = pa_pw_salt;
+    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock));
+    
+    {
+	unsigned char *key = ent.keys.val[0].key.keyvalue.data;
+	unsigned char null_key[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+	memcpy(key, &p->key_low, 4);
+	memcpy(key + 4, &p->key_high, 4);
+	kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
+			&mkey4, msched4, DES_DECRYPT);
+	if(memcmp(key, null_key, sizeof(null_key)) == 0) {
+	    free_Key(&ent.keys.val[0]);
+	    ent.keys.val = 0;
+	    ent.flags.invalid = 1;
+	}
+    }
+    copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
+    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
+    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+
+    ALLOC(ent.max_life);
+    *ent.max_life = krb_life_to_time(0, p->max_life);
+    if(*ent.max_life == NEVERDATE){
+	free(ent.max_life);
+	ent.max_life = NULL;
+    }
+
+    ALLOC(ent.pw_end);
+    *ent.pw_end = p->exp_date;
+    ret = krb5_make_principal(pd->context, &ent.created_by.principal,
+			      realm,
+			      "kadmin",
+			      "hprop",
+			      NULL);
+    if(ret){
+	krb5_warn(pd->context, ret, "krb5_make_principal");
+	ret = 0;
+	goto out;
+    }
+    ent.created_by.time = time(NULL);
+    ALLOC(ent.modified_by);
+    ret = krb5_425_conv_principal(pd->context, p->mod_name, p->mod_instance, 
+				  realm, &ent.modified_by->principal);
+    if(ret){
+	krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, realm);
+	ent.modified_by->principal = NULL;
+	ret = 0;
+	goto out;
+    }
+    ent.modified_by->time = p->mod_date;
+
+    ent.flags.forwardable = 1;
+    ent.flags.renewable = 1;
+    ent.flags.proxiable = 1;
+    ent.flags.postdate = 1;
+    ent.flags.client = 1;
+    ent.flags.server = 1;
+    
+    /* special case password changing service */
+    if(strcmp(p->name, "changepw") == 0 && 
+       strcmp(p->instance, "kerberos") == 0) {
+	ent.flags.forwardable = 0;
+	ent.flags.renewable = 0;
+	ent.flags.proxiable = 0;
+	ent.flags.postdate = 0;
+	ent.flags.initial = 1;
+	ent.flags.change_pw = 1;
+    }
+
+    ret = v5_prop(pd->context, NULL, &ent, pd);
+
+    if (strcmp (p->name, "krbtgt") == 0
+	&& strcmp (realm, p->instance) != 0) {
+	krb5_free_principal (pd->context, ent.principal);
+	ret = krb5_425_conv_principal (pd->context, p->name,
+				       realm, p->instance,
+				       &ent.principal);
+	if (ret == 0)
+	    ret = v5_prop (pd->context, NULL, &ent, pd);
+    }
+
+out:
+    hdb_free_entry(pd->context, &ent);
+    return ret;
+}
+
+#ifdef KASERVER_DB
+
+#include "kadb.h"
+
+/* read a `ka_entry' from `fd' at offset `pos' */
+static void
+read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len)
+{
+    krb5_error_code ret;
+    if(lseek(fd, 64 + pos, SEEK_SET) == (off_t)-1)
+	krb5_err(context, 1, errno, "lseek(%u)", 64 + pos);
+    ret = read(fd, buf, len);
+    if(ret < 0)
+	krb5_err(context, 1, errno, "read(%u)", len);
+    if(ret != len)
+	krb5_errx(context, 1, "read(%u) = %u", len, ret);
+}
+
+static int
+ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent,
+	   const char *cell)
+{
+    int32_t flags = ntohl(ent->flags);
+    krb5_error_code ret;
+    hdb_entry hdb;
+
+    if(!kaspecials_flag
+       && (flags & KAFNORMAL) == 0) /* remove special entries */
+	return 0;
+    memset(&hdb, 0, sizeof(hdb));
+    ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, realm,
+				  &hdb.principal);
+    if(ret) {
+	krb5_warn(pd->context, ret,
+		  "krb5_425_conv_principal (%s.%s@%s)",
+		  ent->name, ent->instance, realm);
+	return 0;
+    }
+    hdb.kvno = ntohl(ent->kvno);
+    hdb.keys.len = 3;
+    hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val));
+    hdb.keys.val[0].mkvno = NULL;
+    hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt));
+    hdb.keys.val[0].salt->type = hdb_afs3_salt;
+    hdb.keys.val[0].salt->salt.data = strdup(cell);
+    hdb.keys.val[0].salt->salt.length = strlen(cell);
+    
+    hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key));
+    copy_Key(&hdb.keys.val[0], &hdb.keys.val[1]);
+    hdb.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&hdb.keys.val[0], &hdb.keys.val[2]);
+    hdb.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+
+    ALLOC(hdb.max_life);
+    *hdb.max_life = ntohl(ent->max_life);
+
+    if(ntohl(ent->pw_end) != NEVERDATE && ntohl(ent->pw_end) != -1){
+	ALLOC(hdb.pw_end);
+	*hdb.pw_end = ntohl(ent->pw_end);
+    }
+    
+    ret = krb5_make_principal(pd->context, &hdb.created_by.principal,
+			      realm,
+			      "kadmin",
+			      "hprop",
+			      NULL);
+    hdb.created_by.time = time(NULL);
+
+    if(ent->mod_ptr){
+	struct ka_entry mod;
+	ALLOC(hdb.modified_by);
+	read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod));
+	
+	krb5_425_conv_principal(pd->context, mod.name, mod.instance, realm, 
+				&hdb.modified_by->principal);
+	hdb.modified_by->time = ntohl(ent->mod_time);
+	memset(&mod, 0, sizeof(mod));
+    }
+
+    hdb.flags.forwardable = 1;
+    hdb.flags.renewable = 1;
+    hdb.flags.proxiable = 1;
+    hdb.flags.postdate = 1;
+    /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */
+    if (strcmp(ent->name, "krbtgt") == 0 &&
+	(flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL))
+	flags &= ~(KAFNOTGS|KAFNOSEAL);
+
+    hdb.flags.client = (flags & KAFNOTGS) == 0;
+    hdb.flags.server = (flags & KAFNOSEAL) == 0;
+
+    ret = v5_prop(pd->context, NULL, &hdb, pd);
+    hdb_free_entry(pd->context, &hdb);
+    return ret;
+}
+
+static int
+ka_dump(struct prop_data *pd, const char *file, const char *cell)
+{
+    struct ka_header header;
+    int i;
+    int fd = open(file, O_RDONLY);
+
+    if(fd < 0)
+	krb5_err(pd->context, 1, errno, "open(%s)", file);
+    read_block(pd->context, fd, 0, &header, sizeof(header));
+    if(header.version1 != header.version2)
+	krb5_errx(pd->context, 1, "Version mismatch in header: %d/%d", 
+		  ntohl(header.version1), ntohl(header.version2));
+    if(ntohl(header.version1) != 5)
+	krb5_errx(pd->context, 1, "Unknown database version %d (expected 5)", 
+		  ntohl(header.version1));
+    for(i = 0; i < ntohl(header.hashsize); i++){
+	int32_t pos = ntohl(header.hash[i]);
+	while(pos){
+	    struct ka_entry ent;
+	    read_block(pd->context, fd, pos, &ent, sizeof(ent));
+	    ka_convert(pd, fd, &ent, cell);
+	    pos = ntohl(ent.next);
+	}
+    }
+    return 0;
+}
+
+#endif /* KASERVER_DB */
+
+#endif /* KRB4 */
+
+
+struct getargs args[] = {
+    { "master-key", 'm', arg_string, &mkeyfile, "v5 master key file", "file" },
+#ifdef KRB4
+#endif
+    { "database", 'd',	arg_string, &database, "database", "file" },
+#ifdef KRB4
+    { "v4-db",    '4',	arg_flag, &v4_db, "use version 4 database" },
+    { "v4-realm", 'r',  arg_string, &realm, "v4 realm to use" },
+#endif
+#ifdef KASERVER_DB
+    { "ka-db",	  'K',  arg_flag, &ka_db, "use kaserver database" },
+    { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
+    { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys"},
+#endif
+    { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
+    { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
+    { "encrypt",  'E',  arg_flag,   &encrypt_flag,   "encrypt keys" },
+    { "stdout",	  'n',  arg_flag,   &to_stdout, "dump to stdout" },
+    { "verbose",  'v',	arg_flag, &verbose_flag },
+    { "version",   0,	arg_flag, &version_flag },
+    { "help",     'h',	arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "host ...");
+    exit (ret);
+}
+
+static void
+get_creds(krb5_context context, krb5_ccache *cache)
+{
+    krb5_keytab keytab;
+    krb5_principal client;
+    krb5_error_code ret;
+    krb5_get_init_creds_opt init_opts;
+    krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
+    krb5_creds creds;
+    
+    ret = krb5_kt_resolve(context, ktname, &keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve");
+    
+    ret = krb5_make_principal(context, &client, NULL, 
+			      "kadmin", HPROP_NAME, NULL);
+    if(ret) krb5_err(context, 1, ret, "krb5_make_principal");
+
+    krb5_get_init_creds_opt_init(&init_opts);
+    krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
+
+    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts);
+    if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
+    
+    ret = krb5_kt_close(context, keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
+    
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, *cache, client);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_store_cred(context, *cache, &creds);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
+}
+
+static void
+iterate (krb5_context context,
+	 const char *database,
+	 const char *afs_cell,
+	 HDB *db,
+	 int v4_db, int ka_db,
+	 struct prop_data *pd)
+{
+#ifdef KRB4
+    if(v4_db) {
+	int e = kerb_db_iterate ((k_iter_proc_t)v4_prop, pd);
+	if(e)
+	    krb5_errx(context, 1, "kerb_db_iterate: %s", 
+		      krb_get_err_text(e));
+#ifdef KASERVER_DB
+    } else if(ka_db) {
+	int e = ka_dump(pd, database, afs_cell);
+	if(e)
+	    krb5_errx(context, 1, "ka_dump: %s", krb_get_err_text(e));
+#endif
+    } else
+#endif
+    {
+	krb5_error_code ret = hdb_foreach(context, db, HDB_F_DECRYPT,
+					  v5_prop, pd);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_foreach");
+    }
+}
+
+static int
+dump_database (krb5_context context, int v4_db, int ka_db,
+	       const char *database, const char *afs_cell,
+	       HDB *db)
+{
+    struct prop_data pd;
+
+    pd.context      = context;
+    pd.auth_context = NULL;
+    pd.sock         = STDOUT_FILENO;
+	
+    iterate (context, database, afs_cell, db, v4_db, ka_db, &pd);
+    return 0;
+}
+
+static int
+propagate_database (krb5_context context, int v4_db, int ka_db,
+		    const char *database, const char *afs_cell,
+		    HDB *db, krb5_ccache ccache,
+		    int optind, int argc, char **argv)
+{
+    krb5_principal server;
+    krb5_error_code ret;
+    int i;
+
+    for(i = optind; i < argc; i++){
+	krb5_auth_context auth_context;
+	int fd;
+	struct prop_data pd;
+	krb5_data data;
+
+	fd = open_socket(context, argv[i]);
+	if(fd < 0) {
+	    krb5_warn (context, errno, "connect %s", argv[i]);
+	    continue;
+	}
+
+	ret = krb5_sname_to_principal(context, argv[i],
+				      HPROP_NAME, KRB5_NT_SRV_HST, &server);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_sname_to_principal(%s)", argv[i]);
+	    close(fd);
+	    continue;
+	}
+    
+	auth_context = NULL;
+	ret = krb5_sendauth(context,
+			    &auth_context,
+			    &fd,
+			    HPROP_VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL, /* in_data */
+			    NULL, /* in_creds */
+			    ccache,
+			    NULL,
+			    NULL,
+			    NULL);
+
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_sendauth");
+	    close(fd);
+	    continue;
+	}
+
+	pd.context      = context;
+	pd.auth_context = auth_context;
+	pd.sock         = fd;
+
+	iterate (context, database, afs_cell, db,
+		 v4_db, ka_db, &pd);
+
+	data.data = NULL;
+	data.length = 0;
+	ret = send_priv(context, auth_context, &data, fd);
+	if(ret)
+	    krb5_warn(context, ret, "send_priv");
+
+	ret = recv_priv(context, auth_context, fd, &data);
+	if(ret)
+	    krb5_warn(context, ret, "recv_priv");
+	else
+	    krb5_data_free (&data);
+	
+	krb5_auth_con_free(context, auth_context);
+	close(fd);
+    }
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    HDB *db;
+    int optind = 0;
+
+    set_progname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	exit(1);
+
+    if(encrypt_flag && decrypt_flag)
+	krb5_errx(context, 1, 
+		  "Only one of `--encrypt' and `--decrypt' is meaningful");
+
+    if(!to_stdout)
+	get_creds(context, &ccache);
+    
+    ret = hdb_read_master_key(context, mkeyfile, &mkey5);
+    if(ret && ret != ENOENT)
+	krb5_err(context, 1, ret, "hdb_read_master_key");
+    if(ret) {
+	if(encrypt_flag || decrypt_flag)
+	    krb5_errx(context, 1, "No master key file found");
+    } else {
+	ret = hdb_process_master_key(context, mkey5, &msched5);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_process_master_key");
+    }
+    
+#ifdef KRB4
+    if (v4_db
+#ifdef KASERVER_DB
+ || ka_db
+#endif
+) {
+	int e;
+
+	if (realm == NULL) {
+	    e = krb_get_lrealm(realm_buf, 1);
+	    if(e)
+		krb5_errx(context, 1, "krb_get_lrealm: %s",
+			  krb_get_err_text(e));
+	    realm = realm_buf;
+	}
+    }
+
+    if(v4_db) {
+	int e = kerb_db_set_name (database);
+	if(e)
+	    krb5_errx(context, 1, "kerb_db_set_name: %s",
+		      krb_get_err_text(e));
+	e = kdb_get_master_key(0, &mkey4, msched4);
+	if(e)
+	    krb5_errx(context, 1, "kdb_get_master_key: %s",
+		      krb_get_err_text(e));
+    } else
+#ifdef KASERVER_DB
+	if (ka_db) {
+				/* no preparation required */
+	} else
+#endif
+#endif /* KRB4 */
+	{
+	    ret = hdb_create (context, &db, database);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_create: %s", database);
+	    ret = db->open(context, db, O_RDONLY, 0);
+	    if(ret)
+		krb5_err(context, 1, ret, "db->open");
+	}
+
+    if (to_stdout)
+	dump_database (context, v4_db, ka_db,
+		       database, afs_cell, db);
+    else
+	propagate_database (context, v4_db, ka_db,
+			    database, afs_cell,
+			    db, ccache,
+			    optind, argc, argv);
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/hprop.h b/crypto/heimdal/kdc/hprop.h
new file mode 100644
index 0000000..3802c5d
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hprop.h,v 1.7 1999/12/02 17:04:59 joda Exp $ */
+
+#ifndef __HPROP_H__
+#define __HPROP_H__
+
+#include "headers.h"
+
+#define HPROP_VERSION "hprop-0.0"
+#define HPROP_NAME "hprop"
+#define HPROP_KEYTAB "FILE:/etc/hprop.keytab"
+#define HPROP_PORT 754
+
+#ifndef NEVERDATE
+#define NEVERDATE ((1U << 31) - 1)
+#endif
+
+krb5_error_code send_priv(krb5_context, krb5_auth_context, krb5_data*, int);
+krb5_error_code recv_priv(krb5_context, krb5_auth_context, int, krb5_data*);
+krb5_error_code send_clear(krb5_context context, int fd, krb5_data data);
+krb5_error_code recv_clear(krb5_context context, int fd, krb5_data *out);
+
+#endif /* __HPROP_H__ */
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8
new file mode 100644
index 0000000..de4249a
--- /dev/null
+++ b/crypto/heimdal/kdc/hpropd.8
@@ -0,0 +1,27 @@
+.\" $Id: hpropd.8,v 1.1 1997/08/27 23:42:34 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt HPROPD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm hpropd
+.Nd
+receive a propagated database
+.Sh SYNOPSIS
+.Nm
+.Op Fl d Ar database
+.Op Fl -database= Ns Ar database
+.Sh DESCRIPTION
+.Nm
+receives databases sent by
+.Nm hprop .
+and writes it as a local database.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl d Ar database
+.It Fl -database= Ns Ar database
+the database to create.
+.El
+.Sh SEE ALSO
+.Xr hprop 8
diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c
new file mode 100644
index 0000000..df29240
--- /dev/null
+++ b/crypto/heimdal/kdc/hpropd.c
@@ -0,0 +1,419 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hpropd.c,v 1.22 2000/01/06 21:39:24 assar Exp $");
+
+#ifdef KRB4
+static des_cblock mkey4;
+static des_key_schedule msched4;
+
+static char *
+time2str(time_t t)
+{
+    static char buf[128];
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M", gmtime(&t));
+    return buf;
+}
+
+static int 
+dump_krb4(krb5_context context, hdb_entry *ent, int fd)
+{
+    char name[ANAME_SZ];  
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    char buf[1024];
+    char *p;
+    int i;
+    int ret;
+    char *princ_name;
+    Event *modifier;
+    krb5_realm *realms;
+    int cmp;
+  
+    ret = krb5_524_conv_principal(context, ent->principal,
+				  name, instance, realm);
+    if (ret) {
+	krb5_unparse_name(context, ent->principal, &princ_name);
+	krb5_warn(context, ret, "%s", princ_name);
+	free(princ_name);
+	return -1;
+    }
+
+    ret = krb5_get_default_realms (context, &realms);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_get_default_realms");
+	return -1;
+    }
+
+    cmp = strcmp (realms[0], ent->principal->realm);
+    krb5_free_host_realm (context, realms);
+    if (cmp != 0)
+        return -1;
+
+    snprintf (buf, sizeof(buf), "%s %s ", name,
+	      (strlen(instance) != 0) ? instance : "*");
+
+    if (ent->max_life) { 
+	asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life));
+	strcat(buf, p);
+	free(p);
+    } else 
+	strcat(buf, "255"); 
+    strcat(buf, " ");
+
+    i = 0;
+    while (i < ent->keys.len &&
+	   ent->keys.val[i].key.keytype != KEYTYPE_DES)
+	++i;
+
+    if (i == ent->keys.len) {
+	krb5_warnx(context, "No DES key for %s.%s", name, instance);
+	return -1;
+    }
+
+    if (ent->keys.val[i].mkvno)
+	asprintf(&p, "%d ", *ent->keys.val[i].mkvno);
+    else
+	asprintf(&p, "%d ", 1);
+    strcat(buf, p);
+    free(p);
+
+    asprintf(&p, "%d ", ent->kvno);
+    strcat(buf, p);
+    free(p);
+
+    asprintf(&p, "%d ", 0); /* Attributes are always 0*/  
+    strcat(buf, p);
+    free(p);
+
+    { 
+	u_int32_t *key = ent->keys.val[i].key.keyvalue.data;
+	kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
+			&mkey4, msched4, DES_ENCRYPT);
+	asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1)));
+	strcat(buf, p);
+	free(p);
+    }
+ 
+    if (ent->pw_end == NULL)
+	strcat(buf, time2str(60*60*24*365*50)); /* passwd will never expire */
+    else
+	strcat(buf, time2str(*ent->pw_end));
+    strcat(buf, " ");
+
+    if (ent->modified_by == NULL) 
+	modifier = &ent->created_by;
+    else  
+	modifier = ent->modified_by;
+    
+    ret = krb5_524_conv_principal(context, modifier->principal,
+				  name, instance, realm);
+    if (ret) { 
+	krb5_unparse_name(context, modifier->principal, &princ_name);
+	krb5_warn(context, ret, "%s", princ_name);
+	free(princ_name);
+	return -1;
+    } 
+    asprintf(&p, "%s %s %s\n", time2str(modifier->time), 
+	     (strlen(name) != 0) ? name : "*", 
+	     (strlen(instance) != 0) ? instance : "*");
+    strcat(buf, p);
+    free(p);
+
+    ret = write(fd, buf, strlen(buf));
+    if (ret == -1)
+	krb5_warnx(context, "write");
+    return 0;
+}
+#endif /* KRB4 */
+
+static int inetd_flag = -1;
+static int help_flag;
+static int version_flag;
+static int print_dump;
+static char *database = HDB_DEFAULT_DB;
+static int from_stdin;
+#ifdef KRB4
+static int v4dump;
+#endif
+
+struct getargs args[] = {
+    { "database", 'd', arg_string, &database, "database", "file" },
+    { "stdin",    'n', arg_flag, &from_stdin, "read from stdin" },
+    { "print",	    0, arg_flag, &print_dump, "print dump to stdout" },
+    { "inetd",	   'i',	arg_negative_flag,	&inetd_flag,
+      "Not started from inetd" },
+#ifdef KRB4
+    { "v4dump",       '4',  arg_flag, &v4dump, "create v4 type DB" },
+#endif
+    { "version",    0, arg_flag, &version_flag, NULL, NULL },
+    { "help",    'h',  arg_flag, &help_flag, NULL, NULL}
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context ac = NULL;
+    krb5_principal server;
+    krb5_principal c1, c2;
+    krb5_authenticator authent;
+    krb5_keytab keytab;
+    int fd;
+    HDB *db;
+    char hostname[128];
+    int optind = 0;
+    char *tmp_db;
+    krb5_log_facility *fac;
+    int nprincs;
+#ifdef KRB4
+    int e;
+    int fd_out;
+#endif
+
+    set_progname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	exit(1);
+
+    ret = krb5_openlog(context, "hpropd", &fac);
+    if(ret)
+	;
+    krb5_set_warn_dest(context, fac);
+  
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+#ifdef KRB4
+    if (v4dump && database == HDB_DEFAULT_DB)
+       database = "/var/kerberos/524_dump";
+#endif /* KRB4 */
+    
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage(1);
+
+    if(from_stdin)
+	fd = STDIN_FILENO;
+    else {
+	struct sockaddr_storage ss;
+	struct sockaddr *sa = (struct sockaddr *)&ss;
+	int sin_len = sizeof(ss);
+	char addr_name[256];
+
+	fd = STDIN_FILENO;
+	if (inetd_flag == -1) {
+	    if (getpeername (fd, sa, &sin_len) < 0)
+		inetd_flag = 0;
+	    else
+		inetd_flag = 1;
+	}
+	if (!inetd_flag) {
+	    mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
+					    HPROP_PORT));
+	}
+	sin_len = sizeof(ss);
+	if(getpeername(fd, sa, &sin_len) < 0)
+	    krb5_err(context, 1, errno, "getpeername");
+
+	if (inet_ntop(sa->sa_family,
+		      socket_get_address (sa),
+		      addr_name,
+		      sizeof(addr_name)) == NULL)
+	    strlcpy (addr_name, "unknown address",
+			     sizeof(addr_name));
+
+	krb5_log(context, fac, 0, "Connection from %s", addr_name);
+    
+	gethostname(hostname, sizeof(hostname));
+	ret = krb5_sname_to_principal(context, hostname, HPROP_NAME,
+				      KRB5_NT_SRV_HST, &server);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_sname_to_principal");
+	
+	ret = krb5_kt_default(context, &keytab);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_kt_default");
+	
+	ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION,
+			    server, 0, keytab, NULL);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_recvauth");
+	
+	ret = krb5_auth_getauthenticator(context, ac, &authent);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_auth_getauthenticator");
+	
+	ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_make_principal");
+	principalname2krb5_principal(&c2, authent->cname, authent->crealm);
+	if(!krb5_principal_compare(context, c1, c2)) {
+	    char *s;
+	    krb5_unparse_name(context, c2, &s);
+	    krb5_errx(context, 1, "Unauthorized connection from %s", s);
+	}
+	krb5_free_principal(context, c1);
+	krb5_free_principal(context, c2);
+
+	ret = krb5_kt_close(context, keytab);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_kt_close");
+    }
+    
+    if(!print_dump) {
+	asprintf(&tmp_db, "%s~", database);
+#ifdef KRB4
+	if (v4dump) {
+	    fd_out = open(tmp_db, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	    if (fd_out == -1)
+		krb5_errx(context, 1, "%s", strerror(errno));
+	}
+	else
+#endif /* KRB4 */
+	{
+	    ret = hdb_create(context, &db, tmp_db);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
+	    ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
+	}
+    }
+
+#ifdef KRB4
+    if (v4dump) {
+	e = kdb_get_master_key(0, &mkey4, msched4);
+	if(e)
+	    krb5_errx(context, 1, "kdb_get_master_key: %s",
+		      krb_get_err_text(e));
+    }
+#endif /* KRB4 */
+
+    nprincs = 0;
+    while(1){
+	krb5_data data;
+	hdb_entry entry;
+
+	if(from_stdin){
+	    ret = recv_clear(context, fd, &data);
+	    if(ret)
+		krb5_err(context, 1, ret, "recv_clear");
+	}else{
+	    ret = recv_priv(context, ac, fd, &data);
+	    if(ret)
+		krb5_err(context, 1, ret, "recv_priv");
+	}
+
+	if(data.length == 0) {
+	    if(!from_stdin) {
+		data.data = NULL;
+		data.length = 0;
+		send_priv(context, ac, &data, fd);
+	    }
+	    if(!print_dump) {
+#ifdef KRB4
+		if (v4dump) {
+		    ret = rename(tmp_db, database);
+		    if (ret)
+			krb5_errx(context, 1, "rename");
+		    ret = close(fd_out);
+		    if (ret)
+			krb5_errx(context, 1, "close");
+		} else
+#endif /* KRB4 */
+		{
+		    ret = db->rename(context, db, database);
+		    if(ret)
+			krb5_err(context, 1, ret, "db_rename");
+		    ret = db->close(context, db);
+		    if(ret)
+			krb5_err(context, 1, ret, "db_close");
+		}
+	    }
+	    break;
+	}
+	ret = hdb_value2entry(context, &data, &entry);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_value2entry");
+	if(print_dump)
+	    hdb_print_entry(context, db, &entry, stdout);
+	else {
+#ifdef KRB4
+	    if (v4dump) {
+		ret = dump_krb4(context, &entry, fd_out);
+		if(!ret) nprincs++;
+	    }
+	    else
+#endif /* KRB4 */
+	    {
+		ret = db->store(context, db, 0, &entry);
+		if(ret == HDB_ERR_EXISTS) {
+		    char *s;
+		    krb5_unparse_name(context, entry.principal, &s);
+		    krb5_warnx(context, "Entry exists: %s", s);
+		    free(s);
+		} else if(ret) 
+		    krb5_err(context, 1, ret, "db_store");
+		else
+		    nprincs++;
+	    }
+	}
+	hdb_free_entry(context, &entry);
+    }
+    if (!print_dump)
+	krb5_log(context, fac, 0, "Received %d principals", nprincs);
+    exit(0);
+}
diff --git a/crypto/heimdal/kdc/kadb.h b/crypto/heimdal/kdc/kadb.h
new file mode 100644
index 0000000..e85dbe2
--- /dev/null
+++ b/crypto/heimdal/kdc/kadb.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadb.h,v 1.2 1999/12/02 17:04:59 joda Exp $ */
+
+#ifndef __kadb_h__
+#define __kadb_h__
+
+#define HASHSIZE 8191
+
+struct ka_header {
+    int32_t version1;			/* file format version, should
+					   match version2 */
+    int32_t size;
+    int32_t free_ptr;
+    int32_t eof_ptr;
+    int32_t kvno_ptr;
+    int32_t stats[8];
+    int32_t admin_accounts;
+    int32_t special_keys_version;
+    int32_t hashsize;			/* allocated size of hash */
+    int32_t hash[HASHSIZE];
+    int32_t version2;
+};
+
+struct ka_entry {
+    int32_t flags;			/* see below */
+    int32_t next;			/* next in hash list */
+    int32_t pw_end;			/* expiration date */
+    int32_t mod_time;			/* time last modified */
+    int32_t mod_ptr;			/* pointer to modifier */
+    int32_t pw_change;			/* last pw change */
+    int32_t max_life;			/* max ticket life */
+    int32_t kvno;
+    int32_t foo2[2];			/* huh? */
+    char name[64];
+    char instance[64];
+    char key[8];
+};
+
+#define KAFNORMAL	(1<<0)
+#define KAFADMIN        (1<<2)	/* an administrator */
+#define KAFNOTGS        (1<<3)	/* ! allow principal to get or use TGT */
+#define KAFNOSEAL       (1<<5)	/* ! allow principal as server in GetTicket */
+#define KAFNOCPW        (1<<6)	/* ! allow principal to change its own key */
+#define KAFSPECIAL      (1<<8)	/* set if special AuthServer principal */
+
+#endif /* __kadb_h__ */
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
new file mode 100644
index 0000000..64121eb
--- /dev/null
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -0,0 +1,794 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kaserver.c,v 1.10 2000/02/13 19:21:22 assar Exp $");
+
+#ifdef KASERVER
+
+#include "kerberos4.h"
+#include <rx.h>
+
+#define KA_AUTHENTICATION_SERVICE 731
+#define KA_TICKET_GRANTING_SERVICE 732
+#define KA_MAINTENANCE_SERVICE 733
+
+#define AUTHENTICATE_OLD	 1
+#define CHANGEPASSWORD		 2
+#define GETTICKET_OLD		 3
+#define SETPASSWORD		 4
+#define SETFIELDS		 5
+#define CREATEUSER		 6
+#define DELETEUSER		 7
+#define GETENTRY		 8
+#define LISTENTRY		 9
+#define GETSTATS		10
+#define DEBUG			11
+#define GETPASSWORD		12
+#define GETRANDOMKEY		13
+#define AUTHENTICATE		21
+#define AUTHENTICATE_V2		22
+#define GETTICKET		23
+
+/* XXX - Where do we get these? */
+
+#define RXGEN_OPCODE (-455)
+
+#define KADATABASEINCONSISTENT                   (180480L)
+#define KAEXIST                                  (180481L)
+#define KAIO                                     (180482L)
+#define KACREATEFAIL                             (180483L)
+#define KANOENT                                  (180484L)
+#define KAEMPTY                                  (180485L)
+#define KABADNAME                                (180486L)
+#define KABADINDEX                               (180487L)
+#define KANOAUTH                                 (180488L)
+#define KAANSWERTOOLONG                          (180489L)
+#define KABADREQUEST                             (180490L)
+#define KAOLDINTERFACE                           (180491L)
+#define KABADARGUMENT                            (180492L)
+#define KABADCMD                                 (180493L)
+#define KANOKEYS                                 (180494L)
+#define KAREADPW                                 (180495L)
+#define KABADKEY                                 (180496L)
+#define KAUBIKINIT                               (180497L)
+#define KAUBIKCALL                               (180498L)
+#define KABADPROTOCOL                            (180499L)
+#define KANOCELLS                                (180500L)
+#define KANOCELL                                 (180501L)
+#define KATOOMANYUBIKS                           (180502L)
+#define KATOOMANYKEYS                            (180503L)
+#define KABADTICKET                              (180504L)
+#define KAUNKNOWNKEY                             (180505L)
+#define KAKEYCACHEINVALID                        (180506L)
+#define KABADSERVER                              (180507L)
+#define KABADUSER                                (180508L)
+#define KABADCPW                                 (180509L)
+#define KABADCREATE                              (180510L)
+#define KANOTICKET                               (180511L)
+#define KAASSOCUSER                              (180512L)
+#define KANOTSPECIAL                             (180513L)
+#define KACLOCKSKEW                              (180514L)
+#define KANORECURSE                              (180515L)
+#define KARXFAIL                                 (180516L)
+#define KANULLPASSWORD                           (180517L)
+#define KAINTERNALERROR                          (180518L)
+#define KAPWEXPIRED                              (180519L)
+#define KAREUSED                                 (180520L)
+#define KATOOSOON                                (180521L)
+#define KALOCKED                                 (180522L)
+
+static void
+decode_rx_header (krb5_storage *sp,
+		  struct rx_header *h)
+{
+    krb5_ret_int32(sp, &h->epoch);
+    krb5_ret_int32(sp, &h->connid);
+    krb5_ret_int32(sp, &h->callid);
+    krb5_ret_int32(sp, &h->seqno);
+    krb5_ret_int32(sp, &h->serialno);
+    krb5_ret_int8(sp,  &h->type);
+    krb5_ret_int8(sp,  &h->flags);
+    krb5_ret_int8(sp,  &h->status);
+    krb5_ret_int8(sp,  &h->secindex);
+    krb5_ret_int16(sp, &h->reserved);
+    krb5_ret_int16(sp, &h->serviceid);
+}
+
+static void
+encode_rx_header (struct rx_header *h,
+		  krb5_storage *sp)
+{
+    krb5_store_int32(sp, h->epoch);
+    krb5_store_int32(sp, h->connid);
+    krb5_store_int32(sp, h->callid);
+    krb5_store_int32(sp, h->seqno);
+    krb5_store_int32(sp, h->serialno);
+    krb5_store_int8(sp,  h->type);
+    krb5_store_int8(sp,  h->flags);
+    krb5_store_int8(sp,  h->status);
+    krb5_store_int8(sp,  h->secindex);
+    krb5_store_int16(sp, h->reserved);
+    krb5_store_int16(sp, h->serviceid);
+}
+
+static void
+init_reply_header (struct rx_header *hdr,
+		   struct rx_header *reply_hdr,
+		   u_char type,
+		   u_char flags)
+{
+    reply_hdr->epoch     = hdr->epoch;
+    reply_hdr->connid    = hdr->connid;
+    reply_hdr->callid    = hdr->callid;
+    reply_hdr->seqno     = 1;
+    reply_hdr->serialno  = 1;
+    reply_hdr->type      = type;
+    reply_hdr->flags     = flags;
+    reply_hdr->status    = 0;
+    reply_hdr->secindex  = 0;
+    reply_hdr->reserved  = 0;
+    reply_hdr->serviceid = hdr->serviceid;
+}
+
+static void
+make_error_reply (struct rx_header *hdr,
+		  u_int32_t ret,
+		  krb5_data *reply)
+
+{
+    krb5_storage *sp;
+    struct rx_header reply_hdr;
+
+    init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
+    sp = krb5_storage_emem();
+    encode_rx_header (&reply_hdr, sp);
+    krb5_store_int32(sp, ret);
+    krb5_storage_to_data (sp, reply);
+    krb5_storage_free (sp);
+}
+
+static krb5_error_code
+krb5_ret_xdr_data(krb5_storage *sp,
+		  krb5_data *data)
+{
+    int ret;
+    int size;
+    ret = krb5_ret_int32(sp, &size);
+    if(ret)
+	return ret;
+    data->length = size;
+    if (size) {
+	u_char foo[4];
+	size_t pad = (4 - size % 4) % 4;
+
+	data->data = malloc(size);
+	if (data->data == NULL)
+	    return ENOMEM;
+	ret = sp->fetch(sp, data->data, size);
+	if(ret != size)
+	    return (ret < 0)? errno : KRB5_CC_END;
+	if (pad) {
+	    ret = sp->fetch(sp, foo, pad);
+	    if (ret != pad)
+		return (ret < 0)? errno : KRB5_CC_END;
+	}
+    } else
+	data->data = NULL;
+    return 0;
+}
+
+static krb5_error_code
+krb5_store_xdr_data(krb5_storage *sp,
+		    krb5_data data)
+{
+    u_char zero[4] = {0, 0, 0, 0};
+    int ret;
+    size_t pad;
+
+    ret = krb5_store_int32(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_CC_END;
+    }
+    pad = (4 - data.length % 4) % 4;
+    if (pad) {
+	ret = sp->store(sp, zero, pad);
+	if (ret != pad) {
+	    if (ret < 0)
+		return errno;
+	    return KRB5_CC_END;
+	}
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+create_reply_ticket (struct rx_header *hdr,
+		     Key *skey,
+		     char *name, char *instance, char *realm,
+		     struct sockaddr_in *addr,
+		     int life,
+		     int kvno,
+		     int32_t max_seq_len,
+		     char *sname, char *sinstance,
+		     u_int32_t challenge,
+		     char *label,
+		     des_cblock *key,
+		     krb5_data *reply)
+{
+    KTEXT_ST ticket;
+    des_cblock session;
+    krb5_storage *sp;
+    krb5_data enc_data;
+    des_key_schedule schedule;
+    struct rx_header reply_hdr;
+    des_cblock zero;
+    size_t pad;
+    unsigned fyrtiosjuelva;
+
+    /* create the ticket */
+
+    des_new_random_key(&session);
+
+    krb_create_ticket (&ticket, 0, name, instance, realm,
+		       addr->sin_addr.s_addr,
+		       &session, life, kdc_time,
+		       sname, sinstance, skey->key.keyvalue.data);
+
+    /* create the encrypted part of the reply */
+    sp = krb5_storage_emem ();
+    krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
+    fyrtiosjuelva &= 0xffffffff;
+    krb5_store_int32 (sp, fyrtiosjuelva);
+#if 0
+    krb5_store_int32 (sp, 4711); /* XXX */
+#endif
+    krb5_store_int32 (sp, challenge);
+    sp->store  (sp, session, 8);
+    memset (&session, 0, sizeof(session));
+    krb5_store_int32 (sp, kdc_time);
+    krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life));
+    krb5_store_int32 (sp, kvno);
+    krb5_store_int32 (sp, ticket.length);
+    krb5_store_stringz (sp, name);
+    krb5_store_stringz (sp, instance);
+#if 1 /* XXX - Why shouldn't the realm go here? */
+    krb5_store_stringz (sp, "");
+#else
+    krb5_store_stringz (sp, realm);
+#endif
+    krb5_store_stringz (sp, sname);
+    krb5_store_stringz (sp, sinstance);
+    sp->store (sp, ticket.dat, ticket.length);
+    sp->store (sp, label, strlen(label));
+
+    /* pad to DES block */
+    memset (zero, 0, sizeof(zero));
+    pad = (8 - sp->seek (sp, 0, SEEK_CUR) % 8) % 8;
+    sp->store (sp, zero, pad);
+
+    krb5_storage_to_data (sp, &enc_data);
+    krb5_storage_free (sp);
+
+    if (enc_data.length > max_seq_len) {
+	krb5_data_free (&enc_data);
+	make_error_reply (hdr, KAANSWERTOOLONG, reply);
+	return 0;
+    }
+
+    /* encrypt it */
+    des_set_key (key, schedule);
+    des_pcbc_encrypt ((des_cblock *)enc_data.data,
+		      (des_cblock *)enc_data.data,
+		      enc_data.length,
+		      schedule,
+		      key,
+		      DES_ENCRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* create the reply packet */
+    init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
+    sp = krb5_storage_emem ();
+    encode_rx_header (&reply_hdr, sp);
+    krb5_store_int32 (sp, max_seq_len);
+    krb5_store_xdr_data (sp, enc_data);
+    krb5_data_free (&enc_data);
+    krb5_storage_to_data (sp, reply);
+    krb5_storage_free (sp);
+    return 0;
+}
+
+static krb5_error_code
+unparse_auth_args (krb5_storage *sp,
+		   char **name,
+		   char **instance,
+		   time_t *start_time,
+		   time_t *end_time,
+		   krb5_data *request,
+		   int32_t *max_seq_len)
+{
+    krb5_data data;
+    int32_t tmp;
+
+    krb5_ret_xdr_data (sp, &data);
+    *name = malloc(data.length + 1);
+    if (*name == NULL)
+	return ENOMEM;
+    memcpy (*name, data.data, data.length);
+    (*name)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, &data);
+    *instance = malloc(data.length + 1);
+    if (*instance == NULL) {
+	free (*name);
+	return ENOMEM;
+    }
+    memcpy (*instance, data.data, data.length);
+    (*instance)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_int32 (sp, &tmp);
+    *start_time = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *end_time = tmp;
+    krb5_ret_xdr_data (sp, request);
+    krb5_ret_int32 (sp, max_seq_len);
+    /* ignore the rest */
+    return 0;
+}
+
+static void
+do_authenticate (struct rx_header *hdr,
+		 krb5_storage *sp,
+		 struct sockaddr_in *addr,
+		 krb5_data *reply)
+{
+    krb5_error_code ret;
+    char *name = NULL;
+    char *instance = NULL;
+    time_t start_time;
+    time_t end_time;
+    krb5_data request;
+    int32_t max_seq_len;
+    hdb_entry *client_entry = NULL;
+    hdb_entry *server_entry = NULL;
+    Key *ckey = NULL;
+    Key *skey = NULL;
+    des_cblock key;
+    des_key_schedule schedule;
+    krb5_storage *reply_sp;
+    time_t max_life;
+    u_int8_t life;
+    int32_t chal;
+	
+    krb5_data_zero (&request);
+
+    unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
+		       &request, &max_seq_len);
+
+    client_entry = db_fetch4 (name, instance, v4_realm);
+    if (client_entry == NULL) {
+	kdc_log(0, "Client not found in database: %s.%s@%s",
+		name, instance, v4_realm);
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    server_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
+    if (server_entry == NULL) {
+	kdc_log(0, "Server not found in database: %s.%s@%s",
+		"krbtgt", v4_realm, v4_realm);
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(client_entry, &ckey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(server_entry, &skey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* try to decode the `request' */
+    memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
+    des_set_key (&key, schedule);
+    des_pcbc_encrypt ((des_cblock *)request.data,
+		      (des_cblock *)request.data,
+		      request.length,
+		      schedule,
+		      &key,
+		      DES_DECRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* check for the magic label */
+    if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
+	make_error_reply (hdr, KABADREQUEST, reply);
+	goto out;
+    }
+
+    reply_sp = krb5_storage_from_mem (request.data, 4);
+    krb5_ret_int32 (reply_sp, &chal);
+    krb5_storage_free (reply_sp);
+
+    /* life */
+    max_life = end_time - kdc_time;
+    if (client_entry->max_life)
+	max_life = min(max_life, *client_entry->max_life);
+    if (server_entry->max_life)
+	max_life = min(max_life, *server_entry->max_life);
+
+    life = krb_time_to_life(kdc_time, kdc_time + max_life);
+
+    create_reply_ticket (hdr, skey,
+			 name, instance, v4_realm,
+			 addr, life, server_entry->kvno,
+			 max_seq_len,
+			 "krbtgt", v4_realm,
+			 chal + 1, "tgsT",
+			 &key, reply);
+    memset (&key, 0, sizeof(key));
+
+out:
+    if (request.length) {
+	memset (request.data, 0, request.length);
+	krb5_data_free (&request);
+    }
+    if (name)
+	free (name);
+    if (instance)
+	free (instance);
+    if (client_entry) {
+	hdb_free_entry (context, client_entry);
+	free (client_entry);
+    }
+    if (server_entry) {
+	hdb_free_entry (context, server_entry);
+	free (server_entry);
+    }
+}
+
+static krb5_error_code
+unparse_getticket_args (krb5_storage *sp,
+			int *kvno,
+			char **auth_domain,
+			krb5_data *ticket,
+			char **name,
+			char **instance,
+			krb5_data *times,
+			int32_t *max_seq_len)
+{
+    krb5_data data;
+    int32_t tmp;
+
+    krb5_ret_int32 (sp, &tmp);
+    *kvno = tmp;
+
+    krb5_ret_xdr_data (sp, &data);
+    *auth_domain = malloc(data.length + 1);
+    if (*auth_domain == NULL)
+	return ENOMEM;
+    memcpy (*auth_domain, data.data, data.length);
+    (*auth_domain)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, ticket);
+
+    krb5_ret_xdr_data (sp, &data);
+    *name = malloc(data.length + 1);
+    if (*name == NULL) {
+	free (*auth_domain);
+	return ENOMEM;
+    }
+    memcpy (*name, data.data, data.length);
+    (*name)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, &data);
+    *instance = malloc(data.length + 1);
+    if (*instance == NULL) {
+	free (*auth_domain);
+	free (*name);
+	return ENOMEM;
+    }
+    memcpy (*instance, data.data, data.length);
+    (*instance)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, times);
+
+    krb5_ret_int32 (sp, max_seq_len);
+    /* ignore the rest */
+    return 0;
+}
+
+static void
+do_getticket (struct rx_header *hdr,
+	      krb5_storage *sp,
+	      struct sockaddr_in *addr,
+	      krb5_data *reply)
+{
+    krb5_error_code ret;
+    int kvno;
+    char *auth_domain = NULL;
+    krb5_data aticket;
+    char *name = NULL;
+    char *instance = NULL;
+    krb5_data times;
+    int32_t max_seq_len;
+    hdb_entry *server_entry = NULL;
+    hdb_entry *krbtgt_entry = NULL;
+    Key *kkey = NULL;
+    Key *skey = NULL;
+    des_cblock key;
+    des_key_schedule schedule;
+    des_cblock session;
+    time_t max_life;
+    int8_t life;
+    time_t start_time, end_time;
+    char pname[ANAME_SZ];
+    char pinst[INST_SZ];
+    char prealm[REALM_SZ];
+
+    krb5_data_zero (&aticket);
+    krb5_data_zero (&times);
+
+    unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
+			    &name, &instance, &times, &max_seq_len);
+
+    server_entry = db_fetch4 (name, instance, v4_realm);
+    if (server_entry == NULL) {
+	kdc_log(0, "Server not found in database: %s.%s@%s",
+		name, instance, v4_realm);
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    krbtgt_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
+    if (krbtgt_entry == NULL) {
+	kdc_log(0, "Server not found in database: %s.%s@%s",
+		"krbtgt", v4_realm, v4_realm);
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(krbtgt_entry, &kkey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(server_entry, &skey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* decrypt the incoming ticket */
+    memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
+
+    /* unpack the ticket */
+    {
+	KTEXT_ST ticket;
+	u_char flags;
+	int life;
+	u_int32_t time_sec;
+	char sname[ANAME_SZ];
+	char sinstance[SNAME_SZ];
+	u_int32_t paddress;
+
+	ticket.length = aticket.length;
+	memcpy (ticket.dat, aticket.data, ticket.length);
+
+	des_set_key (&key, schedule);
+	decomp_ticket (&ticket, &flags, pname, pinst, prealm,
+		       &paddress, session, &life, &time_sec,
+		       sname, sinstance, 
+		       &key, schedule);
+
+	if (strcmp (sname, "krbtgt") != 0
+	    || strcmp (sinstance, v4_realm) != 0) {
+	    kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
+		    sname, sinstance,
+		    pname, pinst, prealm);
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+
+	if (kdc_time > krb_life_to_time(time_sec, life)) {
+	    kdc_log(0, "TGT expired: %s.%s@%s",
+		    pname, pinst, prealm);
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+    }
+
+    /* decrypt the times */
+    des_set_key (&session, schedule);
+    des_ecb_encrypt (times.data,
+		     times.data,
+		     schedule,
+		     DES_DECRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* and extract them */
+    {
+	krb5_storage *sp;
+	int32_t tmp;
+
+	sp = krb5_storage_from_mem (times.data, times.length);
+	krb5_ret_int32 (sp, &tmp);
+	start_time = tmp;
+	krb5_ret_int32 (sp, &tmp);
+	end_time = tmp;
+	krb5_storage_free (sp);
+    }
+
+    /* life */
+    max_life = end_time - kdc_time;
+    if (krbtgt_entry->max_life)
+	max_life = min(max_life, *krbtgt_entry->max_life);
+    if (server_entry->max_life)
+	max_life = min(max_life, *server_entry->max_life);
+
+    life = krb_time_to_life(kdc_time, kdc_time + max_life);
+
+    create_reply_ticket (hdr, skey,
+			 pname, pinst, prealm,
+			 addr, life, server_entry->kvno,
+			 max_seq_len,
+			 name, instance,
+			 0, "gtkt",
+			 &session, reply);
+    memset (&session, 0, sizeof(session));
+    
+out:
+    if (aticket.length) {
+	memset (aticket.data, 0, aticket.length);
+	krb5_data_free (&aticket);
+    }
+    if (times.length) {
+	memset (times.data, 0, times.length);
+	krb5_data_free (&times);
+    }
+    if (auth_domain)
+	free (auth_domain);
+    if (name)
+	free (name);
+    if (instance)
+	free (instance);
+    if (krbtgt_entry) {
+	hdb_free_entry (context, krbtgt_entry);
+	free (krbtgt_entry);
+    }
+    if (server_entry) {
+	hdb_free_entry (context, server_entry);
+	free (server_entry);
+    }
+}
+
+krb5_error_code
+do_kaserver(unsigned char *buf,
+	    size_t len,
+	    krb5_data *reply,
+	    const char *from,
+	    struct sockaddr_in *addr)
+{
+    krb5_error_code ret = 0;
+    struct rx_header hdr;
+    u_int32_t op;
+    krb5_storage *sp;
+
+    if (len < RX_HEADER_SIZE)
+	return -1;
+    sp = krb5_storage_from_mem (buf, len);
+
+    decode_rx_header (sp, &hdr);
+    buf += RX_HEADER_SIZE;
+    len -= RX_HEADER_SIZE;
+
+    switch (hdr.type) {
+    case HT_DATA :
+	break;
+    case HT_ACK :
+    case HT_BUSY :
+    case HT_ABORT :
+    case HT_ACKALL :
+    case HT_CHAL :
+    case HT_RESP :
+    case HT_DEBUG :
+    default:
+	/* drop */
+	goto out;
+    }
+
+
+    if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
+	&& hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
+	ret = -1;
+	goto out;
+    }
+
+    krb5_ret_int32(sp, &op);
+    switch (op) {
+    case AUTHENTICATE :
+	do_authenticate (&hdr, sp, addr, reply);
+	break;
+    case GETTICKET :
+	do_getticket (&hdr, sp, addr, reply);
+	break;
+    case AUTHENTICATE_OLD :
+    case CHANGEPASSWORD :
+    case GETTICKET_OLD :
+    case SETPASSWORD :
+    case SETFIELDS :
+    case CREATEUSER :
+    case DELETEUSER :
+    case GETENTRY :
+    case LISTENTRY :
+    case GETSTATS :
+    case DEBUG :
+    case GETPASSWORD :
+    case GETRANDOMKEY :
+    case AUTHENTICATE_V2 :
+    default :
+	make_error_reply (&hdr, RXGEN_OPCODE, reply);
+	break;
+    }
+
+out:
+    krb5_storage_free (sp);
+    return ret;
+}
+
+#endif /* KASERVER */
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
new file mode 100644
index 0000000..181a3ce
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc.8
@@ -0,0 +1,119 @@
+.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $
+.\"
+.Dd July 27, 1997
+.Dt KDC 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kdc
+.Nd
+Kerberos 5 server
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar file
+.Op Fl -config-file= Ns Ar file
+.Op Fl p | Fl -no-require-preauth
+.Op Fl -max-request= Ns Ar size
+.Op Fl H | Fl -enable-http
+.Op Fl K | Fl -no-kaserver
+.Op Fl r Ar realm
+.Op Fl -v4-realm= Ns Ar realm
+.Oo Fl P Ar string \*(Ba Xo
+.Fl -ports= Ns Ar string Oc
+.Xc
+.Op Fl -addresses= Ns Ar list of addresses
+
+.Sh DESCRIPTION
+.Nm
+serves requests for tickets. When it starts, it first checks the flags
+passed, any options that are not specified with a command line flag is
+taken from a config file, or from a default compiled-in value.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl c Ar file
+.It Fl -config-file= Ns Ar file
+Specifies the location of the config file, the default is
+.Pa /var/heimdal/kdc.conf .
+This is the only value that can't be specified in the config file.
+.It Fl p
+.It Fl -no-require-preauth
+Turn off the requirement for pre-autentication in the initial AS-REQ
+for all principals. The use of pre-authentication makes it more
+difficult to do offline password attacks. You might want to turn it
+off if you have clients that doesn't do pre-authentication. Since the
+version 4 protocol doesn't support any pre-authentication, so serving
+version 4 clients is just about the same as not requiring
+pre-athentication. The default is to require
+pre-authentication. Adding the require-preauth per principal is a more
+flexible way of handling this.
+.It Xo
+.Fl -max-request= Ns Ar size
+.Xc
+Gives an upper limit on the size of the requests that the kdc is
+willing to handle.
+.It Xo
+.Fl H Ns ,
+.Fl -enable-http
+.Xc
+Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
+.It Xo
+.Fl K Ns ,
+.Fl -no-kaserver
+.Xc
+Disables kaserver emulation (in case it's compiled in).
+.It Fl r Ar realm
+.It Fl -v4-realm= Ns Ar realm
+What realm this server should act as when dealing with version 4
+requests. The database can contain any number of realms, but since the
+version 4 protocol doesn't contain a realm for the server, it must be
+explicitly specified. The default is whatever is returned by
+.Fn krb_get_lrealm .
+This option is only availabe if the KDC has been compiled with version
+4 support.
+.It Xo
+.Fl P Ar string Ns ,
+.Fl -ports= Ns Ar string
+.Xc
+Specifies the set of ports the KDC should listen on.  It is given as a
+white-space separated list of services or port numbers.
+.It Xo
+.Fl -addresses= Ns Ar list of addresses
+.Xc
+The list of addresses to listen for requests on.  By default, the kdc
+will listen on all the locally configured addresses.  If only a subset
+is desired, or the automatic detection fails, this option might be used.
+.El
+.Pp
+All activities , are logged to one or more destinations, see 
+.Xr krb5.conf 5 ,
+and
+.Xr krb5_openlog 3 .
+The entity used for logging is
+.Nm kdc .
+.Sh CONFIGURATION FILE
+The configuration file has the same syntax as the 
+.Pa krb5.conf
+file (you can actually put the configuration in
+.Pa /etc/krb5.conf ,
+and then start the KDC with
+.Fl -config-file= Ns Ar /etc/krb5.conf ) .
+All options should be in a section called
+.Dq kdc .
+Options are called the same as the long option name, and takes the
+same arguments. The only difference is the pre-authentication flag,
+that has to be specified as:
+.Pp
+.Dl require-preauth = no
+.Pp
+(in fact you can specify the option as
+.Fl -require-preauth=no ) .
+.Pp
+An example of a config file:
+.Bd -literal -offset indent
+[kdc]
+	require-preauth = no
+	v4-realm = FOO.SE
+	key-file = /key-file
+.Ed
+.Sh SEE ALSO
+.Xr kinit 1
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
new file mode 100644
index 0000000..c703030
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: kdc_locl.h,v 1.40 2000/02/11 17:46:29 assar Exp $ 
+ */
+
+#ifndef __KDC_LOCL_H__
+#define __KDC_LOCL_H__
+
+#include "headers.h"
+
+extern krb5_context context;
+
+extern int require_preauth;
+extern sig_atomic_t exit_flag;
+extern size_t max_request;
+extern time_t kdc_warn_pwexpire;
+extern struct dbinfo {
+    char *realm;
+    char *dbname;
+    char *mkey_file;
+    struct dbinfo *next;
+} *databases;
+extern HDB **db;
+extern int num_db;
+extern char *port_str;
+extern krb5_addresses explicit_addresses;
+
+extern int enable_http;
+extern krb5_boolean encode_as_rep_as_tgs_rep;
+extern krb5_boolean check_ticket_addresses;
+extern krb5_boolean allow_null_ticket_addresses;
+
+#ifdef KRB4
+extern char *v4_realm;
+#endif
+#ifdef KASERVER
+extern krb5_boolean enable_kaserver;
+#endif
+
+extern struct timeval now;
+#define kdc_time (now.tv_sec)
+
+krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
+void configure (int, char**);
+hdb_entry* db_fetch (krb5_principal);
+void kdc_log (int, const char*, ...);
+char* kdc_log_msg (int, const char*, ...);
+char* kdc_log_msg_va (int, const char*, va_list);
+void kdc_openlog (krb5_config_section*);
+void loop (void);
+void set_master_key (EncryptionKey);
+krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
+Key* unseal_key (Key*);
+
+#ifdef KRB4
+hdb_entry* db_fetch4 (const char*, const char*, const char*);
+krb5_error_code do_524 (Ticket*, krb5_data*, const char*, struct sockaddr*);
+krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, 
+			     struct sockaddr_in*);
+krb5_error_code encode_v4_ticket (void*, size_t, EncTicketPart*, 
+				  PrincipalName*, size_t*);
+krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
+krb5_error_code get_des_key(hdb_entry*, Key**);
+int maybe_version4 (unsigned char*, int);
+#endif
+
+#ifdef KASERVER
+krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, 
+			     struct sockaddr_in*);
+#endif
+
+#endif /* __KDC_LOCL_H__ */
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
new file mode 100644
index 0000000..23d59dd
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -0,0 +1,587 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kerberos4.c,v 1.27 2000/02/13 19:27:36 assar Exp $");
+
+#ifdef KRB4
+
+#include "kerberos4.h"
+
+#ifndef swap32
+static u_int32_t
+swap32(u_int32_t x)
+{
+    return ((x << 24) & 0xff000000) |
+	((x << 8) & 0xff0000) |
+	((x >> 8) & 0xff00) |
+	((x >> 24) & 0xff);
+}
+#endif /* swap32 */
+
+int
+maybe_version4(unsigned char *buf, int len)
+{
+    return len > 0 && *buf == 4;
+}
+
+static void
+make_err_reply(krb5_data *reply, int code, const char *msg)
+{
+    KTEXT_ST er;
+
+    /* name, instance and realm is not checked in most (all?) version
+       implementations; msg is also never used, but we send it anyway
+       (for debugging purposes) */
+
+    if(msg == NULL)
+	msg = krb_get_err_text(code);
+    cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
+    krb5_data_copy(reply, er.dat, er.length);
+}
+
+static krb5_boolean
+valid_princ(krb5_context context, krb5_principal princ)
+{
+    char *s;
+    hdb_entry *ent;
+    krb5_unparse_name(context, princ, &s);
+    ent = db_fetch(princ);
+    if(ent == NULL){
+	kdc_log(7, "Lookup %s failed", s);
+	free(s);
+	return 0;
+    }
+    kdc_log(7, "Lookup %s succeeded", s);
+    free(s);
+    hdb_free_entry(context, ent);
+    free(ent);
+    return 1;
+}
+
+hdb_entry*
+db_fetch4(const char *name, const char *instance, const char *realm)
+{
+    krb5_principal p;
+    hdb_entry *ent;
+    krb5_error_code ret;
+    
+    ret = krb5_425_conv_principal_ext(context, name, instance, realm, 
+				      valid_princ, 0, &p);
+    if(ret)
+	return NULL;
+    ent = db_fetch(p);
+    krb5_free_principal(context, p);
+    return ent;
+}
+
+krb5_error_code
+get_des_key(hdb_entry *principal, Key **key)
+{
+    krb5_error_code ret;
+
+    ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD5, key);
+    if(ret)
+	ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD4, key);
+    if(ret)
+	ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_CRC, key);
+    if(ret)
+	return ret;
+    if ((*key)->key.keyvalue.length == 0)
+	return KERB_ERR_NULL_KEY;
+    return 0;
+}
+
+#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
+
+/*
+ * Process the v4 request in `buf, len' (received from `addr'
+ * (with string `from').
+ * Return an error code and a reply in `reply'.
+ */
+
+krb5_error_code
+do_version4(unsigned char *buf,
+	    size_t len,
+	    krb5_data *reply,
+	    const char *from,
+	    struct sockaddr_in *addr)
+{
+    krb5_storage *sp;
+    krb5_error_code ret;
+    hdb_entry *client = NULL, *server = NULL;
+    Key *ckey, *skey;
+    int8_t pvno;
+    int8_t msg_type;
+    int lsb;
+    char *name = NULL, *inst = NULL, *realm = NULL;
+    char *sname = NULL, *sinst = NULL;
+    int32_t req_time;
+    time_t max_life;
+    u_int8_t life;
+
+    sp = krb5_storage_from_mem(buf, len);
+    RCHECK(krb5_ret_int8(sp, &pvno), out);
+    if(pvno != 4){
+	kdc_log(0, "Protocol version mismatch (%d)", pvno);
+	make_err_reply(reply, KDC_PKT_VER, NULL);
+	goto out;
+    }
+    RCHECK(krb5_ret_int8(sp, &msg_type), out);
+    lsb = msg_type & 1;
+    msg_type &= ~1;
+    switch(msg_type){
+    case AUTH_MSG_KDC_REQUEST:
+	RCHECK(krb5_ret_stringz(sp, &name), out1);
+	RCHECK(krb5_ret_stringz(sp, &inst), out1);
+	RCHECK(krb5_ret_stringz(sp, &realm), out1);
+	RCHECK(krb5_ret_int32(sp, &req_time), out1);
+	if(lsb)
+	    req_time = swap32(req_time);
+	RCHECK(krb5_ret_int8(sp, &life), out1);
+	RCHECK(krb5_ret_stringz(sp, &sname), out1);
+	RCHECK(krb5_ret_stringz(sp, &sinst), out1);
+	kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s", 
+		name, inst, realm, from, sname, sinst);
+
+	client = db_fetch4(name, inst, realm);
+	if(client == NULL){
+	    kdc_log(0, "Client not found in database: %s.%s@%s", 
+		    name, inst, realm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    goto out1;
+	}
+	server = db_fetch4(sname, sinst, v4_realm);
+	if(server == NULL){
+	    kdc_log(0, "Server not found in database: %s.%s@%s", 
+		    sname, sinst, v4_realm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    goto out1;
+	}
+
+	/*
+	 * There's no way to do pre-authentication in v4 and thus no
+	 * good error code to return if preauthentication is required.
+	 */
+
+	if (require_preauth
+	    || client->flags.require_preauth
+	    || server->flags.require_preauth) {
+	    kdc_log(0,
+		    "Pre-authentication required for v4-request: "
+		    "%s.%s@%s for %s.%s@%s", 
+		    name, inst, realm,
+		    sname, sinst, v4_realm);
+	    make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+	    goto out1;
+	}
+
+	ret = get_des_key(client, &ckey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (client)");
+	    goto out1;
+	}
+
+#if 0
+	/* this is not necessary with the new code in libkrb */
+	/* find a properly salted key */
+	while(ckey->salt == NULL || ckey->salt->salt.length != 0)
+	    ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
+	if(ret){
+	    kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", 
+		    name, inst, realm);
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No version-4 salted key in database");
+	    goto out1;
+	}
+#endif
+	
+	ret = get_des_key(server, &skey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (server)");
+	    goto out1;
+	}
+
+	max_life = krb_life_to_time(0, life);
+	if(client->max_life)
+	    max_life = min(max_life, *client->max_life);
+	if(server->max_life)
+	    max_life = min(max_life, *server->max_life);
+
+	life = krb_time_to_life(kdc_time, kdc_time + max_life);
+    
+	{
+	    KTEXT_ST cipher, ticket;
+	    KTEXT r;
+	    des_cblock session;
+
+	    des_new_random_key(&session);
+
+	    krb_create_ticket(&ticket, 0, name, inst, v4_realm,
+			      addr->sin_addr.s_addr, session, life, kdc_time, 
+			      sname, sinst, skey->key.keyvalue.data);
+	
+	    create_ciph(&cipher, session, sname, sinst, v4_realm,
+			life, server->kvno, &ticket, kdc_time, 
+			ckey->key.keyvalue.data);
+	    memset(&session, 0, sizeof(session));
+	    r = create_auth_reply(name, inst, realm, req_time, 0, 
+				  client->pw_end ? *client->pw_end : 0, 
+				  client->kvno, &cipher);
+	    krb5_data_copy(reply, r->dat, r->length);
+	    memset(&cipher, 0, sizeof(cipher));
+	    memset(&ticket, 0, sizeof(ticket));
+	}
+    out1:
+	break;
+    case AUTH_MSG_APPL_REQUEST: {
+	int8_t kvno;
+	int8_t ticket_len;
+	int8_t req_len;
+	KTEXT_ST auth;
+	AUTH_DAT ad;
+	size_t pos;
+	krb5_principal tgt_princ = NULL;
+	hdb_entry *tgt = NULL;
+	Key *tkey;
+	
+	RCHECK(krb5_ret_int8(sp, &kvno), out2);
+	RCHECK(krb5_ret_stringz(sp, &realm), out2);
+	
+	ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
+				      &tgt_princ);
+	if(ret){
+	    kdc_log(0, "Converting krbtgt principal: %s", 
+		    krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KFAILURE, 
+			   "Failed to convert v4 principal (krbtgt)");
+	    goto out2;
+	}
+
+	tgt = db_fetch(tgt_princ);
+	if(tgt == NULL){
+	    char *s;
+	    s = kdc_log_msg(0, "Ticket-granting ticket not "
+			    "found in database: krbtgt.%s@%s", 
+			    realm, v4_realm);
+	    make_err_reply(reply, KFAILURE, s);
+	    free(s);
+	    goto out2;
+	}
+	
+	if(tgt->kvno != kvno){
+	    kdc_log(0, "tgs-req with old kvno %d (current %d) for "
+		    "krbtgt.%s@%s", kvno, tgt->kvno, realm, v4_realm);
+	    make_err_reply(reply, KDC_AUTH_EXP,
+			   "old krbtgt kvno used");
+	    goto out2;
+	}
+
+	ret = get_des_key(tgt, &tkey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (krbtgt)");
+	    goto out2;
+	}
+
+	RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
+	RCHECK(krb5_ret_int8(sp, &req_len), out2);
+	
+	pos = sp->seek(sp, ticket_len + req_len, SEEK_CUR);
+	
+	memset(&auth, 0, sizeof(auth));
+	memcpy(&auth.dat, buf, pos);
+	auth.length = pos;
+	krb_set_key(tkey->key.keyvalue.data, 0);
+
+	krb_ignore_ip_address = !check_ticket_addresses;
+
+	ret = krb_rd_req(&auth, "krbtgt", realm, 
+			 addr->sin_addr.s_addr, &ad, 0);
+	if(ret){
+	    kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
+	    make_err_reply(reply, ret, NULL);
+	    goto out2;
+	}
+	
+	RCHECK(krb5_ret_int32(sp, &req_time), out2);
+	if(lsb)
+	    req_time = swap32(req_time);
+	RCHECK(krb5_ret_int8(sp, &life), out2);
+	RCHECK(krb5_ret_stringz(sp, &sname), out2);
+	RCHECK(krb5_ret_stringz(sp, &sinst), out2);
+	kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s", 
+		ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
+	
+	if(strcmp(ad.prealm, realm)){
+	    kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+			   "Can't hop realms");
+	    goto out2;
+	}
+
+	if(strcmp(sname, "changepw") == 0){
+	    kdc_log(0, "Bad request for changepw ticket");
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+			   "Can't authorize password change based on TGT");
+	    goto out2;
+	}
+	
+#if 0
+	client = db_fetch4(ad.pname, ad.pinst, ad.prealm);
+	if(client == NULL){
+	    char *s;
+	    s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", 
+			    ad.pname, ad.pinst, ad.prealm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    free(s);
+	    goto out2;
+	}
+#endif
+	
+	server = db_fetch4(sname, sinst, v4_realm);
+	if(server == NULL){
+	    char *s;
+	    s = kdc_log_msg(0, "Server not found in database: %s.%s@%s", 
+			    sname, sinst, v4_realm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    free(s);
+	    goto out2;
+	}
+
+	ret = get_des_key(server, &skey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (server)");
+	    goto out2;
+	}
+
+	max_life = krb_life_to_time(ad.time_sec, ad.life);
+	max_life = min(max_life, krb_life_to_time(kdc_time, life));
+	life = min(life, krb_time_to_life(kdc_time, max_life));
+	max_life = krb_life_to_time(0, life);
+#if 0
+	if(client->max_life)
+	    max_life = min(max_life, *client->max_life);
+#endif
+	if(server->max_life)
+	    max_life = min(max_life, *server->max_life);
+	
+	{
+	    KTEXT_ST cipher, ticket;
+	    KTEXT r;
+	    des_cblock session;
+	    des_new_random_key(&session);
+	    krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
+			      addr->sin_addr.s_addr, &session, life, kdc_time,
+			      sname, sinst, skey->key.keyvalue.data);
+	    
+	    create_ciph(&cipher, session, sname, sinst, v4_realm,
+			life, server->kvno, &ticket,
+			kdc_time, &ad.session);
+
+	    memset(&session, 0, sizeof(session));
+	    memset(ad.session, 0, sizeof(ad.session));
+
+	    r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, 
+				  req_time, 0, 0, 0, &cipher);
+	    krb5_data_copy(reply, r->dat, r->length);
+	    memset(&cipher, 0, sizeof(cipher));
+	    memset(&ticket, 0, sizeof(ticket));
+	}
+    out2:
+	if(tgt_princ)
+	    krb5_free_principal(context, tgt_princ);
+	if(tgt){
+	    hdb_free_entry(context, tgt);
+	    free(tgt);
+	}
+
+	break;
+    }
+    
+    case AUTH_MSG_ERR_REPLY:
+	break;
+    default:
+	kdc_log(0, "Unknown message type: %d from %s", 
+		msg_type, from);
+	
+	make_err_reply(reply, KFAILURE, "Unknown message type");
+    }
+out:
+    if(name)
+	free(name);
+    if(inst)
+	free(inst);
+    if(realm)
+	free(realm);
+    if(sname)
+	free(sname);
+    if(sinst)
+	free(sinst);
+    if(client){
+	hdb_free_entry(context, client);
+	free(client);
+    }
+    if(server){
+	hdb_free_entry(context, server);
+	free(server);
+    }
+    krb5_storage_free(sp);
+    return 0;
+}
+
+
+#define ETYPE_DES_PCBC 17 /* XXX */
+
+krb5_error_code
+encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
+{
+    des_key_schedule schedule;
+
+    reply->etype = ETYPE_DES_PCBC;
+    reply->kvno = NULL;
+    reply->cipher.length = len;
+    reply->cipher.data = malloc(len);
+    if(len != 0 && reply->cipher.data == NULL)
+	return ENOMEM;
+    des_set_key(key, schedule);
+    des_pcbc_encrypt(buf,
+		     reply->cipher.data,
+		     len,
+		     schedule,
+		     key,
+		     DES_ENCRYPT);
+    memset(schedule, 0, sizeof(schedule));
+    return 0;
+}
+
+krb5_error_code
+encode_v4_ticket(void *buf, size_t len, EncTicketPart *et, 
+		 PrincipalName *service, size_t *size)
+{
+    krb5_storage *sp;
+    krb5_error_code ret;
+    char name[40], inst[40], realm[40];
+    char sname[40], sinst[40];
+
+    {
+	krb5_principal princ;
+	principalname2krb5_principal(&princ,
+				     *service,
+				     et->crealm);
+	ret = krb5_524_conv_principal(context, 
+				      princ,
+				      sname,
+				      sinst,
+				      realm);
+	krb5_free_principal(context, princ);
+	if(ret)
+	    return ret;
+
+	principalname2krb5_principal(&princ,
+				     et->cname,
+				     et->crealm);
+				     
+	ret = krb5_524_conv_principal(context, 
+				      princ,
+				      name,
+				      inst,
+				      realm);
+	krb5_free_principal(context, princ);
+    }
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_emem();
+    
+    krb5_store_int8(sp, 0); /* flags */
+    krb5_store_stringz(sp, name);
+    krb5_store_stringz(sp, inst);
+    krb5_store_stringz(sp, realm);
+    {
+	unsigned char tmp[4] = { 0, 0, 0, 0 };
+	int i;
+	if(et->caddr){
+	    for(i = 0; i < et->caddr->len; i++)
+		if(et->caddr->val[i].addr_type == AF_INET &&
+		   et->caddr->val[i].address.length == 4){
+		    memcpy(tmp, et->caddr->val[i].address.data, 4);
+		    break;
+		}
+	}
+	sp->store(sp, tmp, sizeof(tmp));
+    }
+
+    if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
+	et->key.keytype != ETYPE_DES_CBC_MD4 &&
+	et->key.keytype != ETYPE_DES_CBC_CRC) || 
+       et->key.keyvalue.length != 8)
+	return -1;
+    sp->store(sp, et->key.keyvalue.data, 8);
+    
+    {
+	time_t start = et->starttime ? *et->starttime : et->authtime;
+	krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
+	krb5_store_int32(sp, start);
+    }
+
+    krb5_store_stringz(sp, sname);
+    krb5_store_stringz(sp, sinst);
+    
+    {
+	krb5_data data;
+	krb5_storage_to_data(sp, &data);
+	krb5_storage_free(sp);
+	*size = (data.length + 7) & ~7; /* pad to 8 bytes */
+	if(*size > len)
+	    return -1;
+	memset((unsigned char*)buf - *size + 1, 0, *size);
+	memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
+	krb5_data_free(&data);
+    }
+    return 0;
+}
+
+#endif /* KRB4 */
diff --git a/crypto/heimdal/kdc/kerberos4.h b/crypto/heimdal/kdc/kerberos4.h
new file mode 100644
index 0000000..5bf3c2b
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos4.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kerberos4.h,v 1.2 1999/12/02 17:04:59 joda Exp $ */
+
+#ifndef __KERBEROS4_H__
+#define __KERBEROS4_H__
+
+hdb_entry* db_fetch4(const char *name,
+		     const char *instance,
+		     const char *realm);
+
+#endif /* __KERBEROS4_H__ */
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
new file mode 100644
index 0000000..7100274
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -0,0 +1,1641 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kerberos5.c,v 1.109 2000/01/18 03:13:00 assar Exp $");
+
+#define MAX_TIME ((time_t)((1U << 31) - 1))
+
+static void
+fix_time(time_t **t)
+{
+    if(*t == NULL){
+	ALLOC(*t);
+	**t = MAX_TIME;
+    }
+    if(**t == 0) **t = MAX_TIME; /* fix for old clients */
+}
+
+static void
+set_salt_padata (METHOD_DATA **m, Salt *salt)
+{
+    if (salt) {
+	ALLOC(*m);
+	(*m)->len = 1;
+	ALLOC((*m)->val);
+	(*m)->val->padata_type = salt->type;
+	copy_octet_string(&salt->salt,
+			  &(*m)->val->padata_value);
+    }
+}
+
+static PA_DATA*
+find_padata(KDC_REQ *req, int *start, int type)
+{
+    while(*start < req->padata->len){
+	(*start)++;
+	if(req->padata->val[*start - 1].padata_type == type)
+	    return &req->padata->val[*start - 1];
+    }
+    return NULL;
+}
+
+#if 0
+
+static krb5_error_code
+find_keys(hdb_entry *client, 
+	  hdb_entry *server, 
+	  Key **ckey, 
+	  krb5_enctype *cetype,
+	  Key **skey,
+	  krb5_enctype *setype,
+	  unsigned *etypes, 
+	  unsigned num_etypes)
+{
+    int i;
+    krb5_error_code ret;
+    for(i = 0; i < num_etypes; i++) {
+	if(client){
+	    ret = hdb_enctype2key(context, client, etypes[i], ckey);
+	    if(ret)
+		continue;
+	}
+	if(server){
+	    ret = hdb_enctype2key(context, server, etypes[i], skey);
+	    if(ret)
+		continue;
+	}
+	if(etype)
+	    *cetype = *setype = etypes[i];
+	return 0;
+    }
+    return KRB5KDC_ERR_ETYPE_NOSUPP;
+}
+
+#else
+
+static krb5_error_code
+find_etype(hdb_entry *princ, unsigned *etypes, unsigned len, 
+	   Key **key, int *index)
+{
+    int i;
+    krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+
+    for(i = 0; i < len ; i++) {
+	krb5_error_code tmp;
+
+	tmp = hdb_enctype2key(context, princ, etypes[i], key);
+	if (tmp == 0) {
+	    if ((*key)->key.keyvalue.length != 0) {
+		ret = 0;
+		break;
+	    } else {
+		ret = KRB5KDC_ERR_NULL_KEY;
+	    }
+	}
+    }
+    if(index)
+	*index = i;
+    return ret;
+}
+
+static krb5_error_code
+find_keys(hdb_entry *client,
+	  hdb_entry *server, 
+	  Key **ckey,
+	  krb5_enctype *cetype,
+	  Key **skey,
+	  krb5_enctype *setype, 
+	  int *etypes,
+	  unsigned num_etypes)
+{
+    int i;
+    krb5_error_code ret;
+    if(client){
+	/* find client key */
+	ret = find_etype(client, etypes, num_etypes, ckey, &i);
+	if (ret) {
+	    kdc_log(0, "Client has no support for etypes");
+	    return ret;
+	}
+	*cetype = etypes[i];
+    }
+
+    if(server){
+	/* find server key */
+	ret = find_etype(server, etypes, num_etypes, skey, NULL);
+	if (ret) {
+	    kdc_log(0, "Server has no support for etypes");
+	    return ret;
+	}
+	*setype = (*skey)->key.keytype;
+    }
+    return 0;
+}
+#endif
+
+static krb5_error_code
+encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, 
+	     krb5_enctype etype, 
+	     int skvno, EncryptionKey *skey,
+	     int ckvno, EncryptionKey *ckey,
+	     krb5_data *reply)
+{
+    unsigned char buf[8192]; /* XXX The data could be indefinite */
+    size_t len;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = encode_EncTicketPart(buf + sizeof(buf) - 1, sizeof(buf), et, &len);
+    if(ret) {
+	kdc_log(0, "Failed to encode ticket: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    
+
+    krb5_crypto_init(context, skey, etype, &crypto);
+
+    krb5_encrypt_EncryptedData(context, 
+			       crypto,
+			       KRB5_KU_TICKET,
+			       buf + sizeof(buf) - len,
+			       len,
+			       skvno,
+			       &rep->ticket.enc_part);
+
+    krb5_crypto_destroy(context, crypto);
+    
+    if(rep->msg_type == krb_as_rep && !encode_as_rep_as_tgs_rep)
+	ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf), 
+				  ek, &len);
+    else
+	ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, sizeof(buf), 
+				   ek, &len);
+    if(ret) {
+	kdc_log(0, "Failed to encode KDC-REP: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    krb5_crypto_init(context, ckey, 0, &crypto);
+    if(rep->msg_type == krb_as_rep) {
+	krb5_encrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_AS_REP_ENC_PART,
+				   buf + sizeof(buf) - len,
+				   len,
+				   ckvno,
+				   &rep->enc_part);
+	ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), rep, &len);
+    } else {
+	krb5_encrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_TGS_REP_ENC_PART_SESSION,
+				   buf + sizeof(buf) - len,
+				   len,
+				   ckvno,
+				   &rep->enc_part);
+	ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), rep, &len);
+    }
+    krb5_crypto_destroy(context, crypto);
+    if(ret) {
+	kdc_log(0, "Failed to encode KDC-REP: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    krb5_data_copy(reply, buf + sizeof(buf) - len, len);
+    return 0;
+}
+
+static int
+realloc_method_data(METHOD_DATA *md)
+{
+    PA_DATA *pa;
+    pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
+    if(pa == NULL)
+	return ENOMEM;
+    md->val = pa;
+    md->len++;
+    return 0;
+}
+
+static krb5_error_code
+get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
+{
+    krb5_error_code ret = 0;
+    int i;
+    ETYPE_INFO pa;
+    unsigned char *buf;
+    size_t len;
+    
+
+    pa.len = client->keys.len;
+    pa.val = malloc(pa.len * sizeof(*pa.val));
+    if(pa.val == NULL)
+	return ENOMEM;
+    for(i = 0; i < client->keys.len; i++) {
+	pa.val[i].etype = client->keys.val[i].key.keytype;
+	ALLOC(pa.val[i].salttype);
+	if(client->keys.val[i].salt){
+#if 0
+	    if(client->keys.val[i].salt->type == hdb_pw_salt)
+		*pa.val[i].salttype = 0; /* or 1? or NULL? */
+	    else if(client->keys.val[i].salt->type == hdb_afs3_salt)
+		*pa.val[i].salttype = 2;
+	    else {
+		free_ETYPE_INFO(&pa);
+		kdc_log(0, "unknown salt-type: %d", 
+			client->keys.val[i].salt->type);
+		return KRB5KRB_ERR_GENERIC;
+	    }
+	    /* according to `the specs', we can't send a salt if
+	       we have AFS3 salted key, but that requires that you
+	       *know* what cell you are using (e.g by assuming
+	       that the cell is the same as the realm in lower
+	       case) */
+#else
+	    *pa.val[i].salttype = client->keys.val[i].salt->type;
+#endif
+	    krb5_copy_data(context, &client->keys.val[i].salt->salt,
+			   &pa.val[i].salt);
+	} else {
+#if 0
+	    *pa.val[i].salttype = 1; /* or 0 with salt? */
+#else
+	    *pa.val[i].salttype = pa_pw_salt;
+#endif
+	    pa.val[i].salt = NULL;
+	}
+    }
+    len = length_ETYPE_INFO(&pa);
+    buf = malloc(len);
+    if (buf) {
+	free_ETYPE_INFO(&pa);
+	return ret;
+    }
+    ret = encode_ETYPE_INFO(buf + len - 1, len, &pa, &len);
+    free_ETYPE_INFO(&pa);
+    if(ret) {
+	free(buf);
+	return ret;
+    }
+    ret = realloc_method_data(md);
+    if(ret) {
+	free(buf);
+	return ret;
+    }
+    md->val[md->len - 1].padata_type = pa_etype_info;
+    md->val[md->len - 1].padata_value.length = len;
+    md->val[md->len - 1].padata_value.data = buf;
+    return 0;
+}
+
+static int
+check_flags(hdb_entry *client, const char *client_name,
+	    hdb_entry *server, const char *server_name,
+	    krb5_boolean is_as_req)
+{
+    if(client != NULL) {
+	/* check client */
+	if (client->flags.invalid) {
+	    kdc_log(0, "Client (%s) has invalid bit set", client_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+	
+	if(!client->flags.client){
+	    kdc_log(0, "Principal may not act as client -- %s", 
+		    client_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+	
+	if (client->valid_start && *client->valid_start > kdc_time) {
+	    kdc_log(0, "Client not yet valid -- %s", client_name);
+	    return KRB5KDC_ERR_CLIENT_NOTYET;
+	}
+	
+	if (client->valid_end && *client->valid_end < kdc_time) {
+	    kdc_log(0, "Client expired -- %s", client_name);
+	    return KRB5KDC_ERR_NAME_EXP;
+	}
+	
+	if (client->pw_end && *client->pw_end < kdc_time
+	    && !server->flags.change_pw) {
+	    kdc_log(0, "Client's key has expired -- %s", client_name);
+	    return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+    }
+
+    /* check server */
+    
+    if (server != NULL) {
+	if (server->flags.invalid) {
+	    kdc_log(0, "Server has invalid flag set -- %s", server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if(!server->flags.server){
+	    kdc_log(0, "Principal may not act as server -- %s", 
+		    server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if(!is_as_req && server->flags.initial) {
+	    kdc_log(0, "AS-REQ is required for server -- %s", server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if (server->valid_start && *server->valid_start > kdc_time) {
+	    kdc_log(0, "Server not yet valid -- %s", server_name);
+	    return KRB5KDC_ERR_SERVICE_NOTYET;
+	}
+
+	if (server->valid_end && *server->valid_end < kdc_time) {
+	    kdc_log(0, "Server expired -- %s", server_name);
+	    return KRB5KDC_ERR_SERVICE_EXP;
+	}
+
+	if (server->pw_end && *server->pw_end < kdc_time) {
+	    kdc_log(0, "Server's key has expired -- %s", server_name);
+	    return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+    }
+    return 0;
+}
+
+static krb5_boolean
+check_addresses(HostAddresses *addresses, struct sockaddr *from)
+{
+    krb5_error_code ret;
+    krb5_address addr;
+    
+    if(check_ticket_addresses == 0)
+	return TRUE;
+
+    if(addresses == NULL)
+	return allow_null_ticket_addresses;
+    
+    ret = krb5_sockaddr2address (from, &addr);
+    if(ret)
+	return FALSE;
+
+    return krb5_address_search(context, &addr, addresses);
+}
+
+krb5_error_code
+as_rep(KDC_REQ *req, 
+       krb5_data *reply,
+       const char *from,
+       struct sockaddr *from_addr)
+{
+    KDC_REQ_BODY *b = &req->req_body;
+    AS_REP rep;
+    KDCOptions f = b->kdc_options;
+    hdb_entry *client = NULL, *server = NULL;
+    krb5_enctype cetype, setype;
+    EncTicketPart et;
+    EncKDCRepPart ek;
+    krb5_principal client_princ, server_princ;
+    char *client_name, *server_name;
+    krb5_error_code ret = 0;
+    const char *e_text = NULL;
+    krb5_crypto crypto;
+
+    Key *ckey, *skey;
+
+    if(b->sname == NULL){
+	server_name = "<unknown server>";
+	ret = KRB5KRB_ERR_GENERIC;
+	e_text = "No server in request";
+    } else{
+	principalname2krb5_principal (&server_princ, *(b->sname), b->realm);
+	krb5_unparse_name(context, server_princ, &server_name);
+    }
+    
+    if(b->cname == NULL){
+	client_name = "<unknown client>";
+	ret = KRB5KRB_ERR_GENERIC;
+	e_text = "No client in request";
+    } else {
+	principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
+	krb5_unparse_name(context, client_princ, &client_name);
+    }
+    kdc_log(0, "AS-REQ %s from %s for %s", 
+	    client_name, from, server_name);
+
+    if(ret)
+	goto out;
+
+    client = db_fetch(client_princ);
+    if(client == NULL){
+	kdc_log(0, "UNKNOWN -- %s", client_name);
+	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	goto out;
+    }
+
+    server = db_fetch(server_princ);
+
+    if(server == NULL){
+	kdc_log(0, "UNKNOWN -- %s", server_name);
+	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	goto out;
+    }
+
+    ret = check_flags(client, client_name, server, server_name, TRUE);
+    if(ret)
+	goto out;
+
+    memset(&et, 0, sizeof(et));
+    memset(&ek, 0, sizeof(ek));
+
+    if(req->padata){
+	int i = 0;
+	PA_DATA *pa;
+	int found_pa = 0;
+	kdc_log(5, "Looking for pa-data -- %s", client_name);
+	while((pa = find_padata(req, &i, pa_enc_timestamp))){
+	    krb5_data ts_data;
+	    PA_ENC_TS_ENC p;
+	    time_t patime;
+	    size_t len;
+	    EncryptedData enc_data;
+	    Key *pa_key;
+	    
+	    found_pa = 1;
+	    
+	    ret = decode_EncryptedData(pa->padata_value.data,
+				       pa->padata_value.length,
+				       &enc_data,
+				       &len);
+	    if (ret) {
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		kdc_log(5, "Failed to decode PA-DATA -- %s", 
+			client_name);
+		goto out;
+	    }
+	    
+	    ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key);
+	    if(ret){
+		char *estr;
+		e_text = "No key matches pa-data";
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		if(krb5_enctype_to_string(context, enc_data.etype, &estr))
+		    estr = NULL;
+		if(estr == NULL)
+		    kdc_log(5, "No client key matching pa-data (%d) -- %s", 
+			    enc_data.etype, client_name);
+		else
+		    kdc_log(5, "No client key matching pa-data (%s) -- %s", 
+			    estr, client_name);
+		free(estr);
+		    
+		free_EncryptedData(&enc_data);
+		continue;
+	    }
+	    
+	    krb5_crypto_init(context, &pa_key->key, 0, &crypto);
+	    ret = krb5_decrypt_EncryptedData (context,
+					      crypto,
+					      KRB5_KU_PA_ENC_TIMESTAMP,
+					      &enc_data,
+					      &ts_data);
+	    krb5_crypto_destroy(context, crypto);
+	    free_EncryptedData(&enc_data);
+	    if(ret){
+		e_text = "Failed to decrypt PA-DATA";
+		kdc_log (5, "Failed to decrypt PA-DATA -- %s",
+			 client_name);
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		continue;
+	    }
+	    ret = decode_PA_ENC_TS_ENC(ts_data.data,
+				       ts_data.length,
+				       &p,
+				       &len);
+	    krb5_data_free(&ts_data);
+	    if(ret){
+		e_text = "Failed to decode PA-ENC-TS-ENC";
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s",
+			 client_name);
+		continue;
+	    }
+	    patime = p.patimestamp;
+	    free_PA_ENC_TS_ENC(&p);
+	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		e_text = "Too large time skew";
+		kdc_log(0, "Too large time skew -- %s", client_name);
+		goto out;
+	    }
+	    et.flags.pre_authent = 1;
+	    kdc_log(2, "Pre-authentication succeded -- %s", client_name);
+	    break;
+	}
+	if(found_pa == 0 && require_preauth)
+	    goto use_pa;
+	/* We come here if we found a pa-enc-timestamp, but if there
+           was some problem with it, other than too large skew */
+	if(found_pa && et.flags.pre_authent == 0){
+	    kdc_log(0, "%s -- %s", e_text, client_name);
+	    e_text = NULL;
+	    goto out;
+	}
+    }else if (require_preauth
+	      || client->flags.require_preauth
+	      || server->flags.require_preauth) {
+	METHOD_DATA method_data;
+	PA_DATA *pa;
+	unsigned char *buf;
+	size_t len;
+	krb5_data foo_data;
+
+    use_pa: 
+	method_data.len = 0;
+	method_data.val = NULL;
+
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= pa_enc_timestamp;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+
+	ret = get_pa_etype_info(&method_data, client); /* XXX check ret */
+	
+	len = length_METHOD_DATA(&method_data);
+	buf = malloc(len);
+	encode_METHOD_DATA(buf + len - 1,
+			   len,
+			   &method_data,
+			   &len);
+	free_METHOD_DATA(&method_data);
+	foo_data.length = len;
+	foo_data.data   = buf;
+	
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
+	krb5_mk_error(context,
+		      ret,
+		      "Need to use PA-ENC-TIMESTAMP",
+		      &foo_data,
+		      client_princ,
+		      server_princ,
+		      0,
+		      reply);
+	free(buf);
+	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
+	ret = 0;
+	goto out2;
+    }
+    
+    ret = find_keys(client, server, &ckey, &cetype, &skey, &setype,
+		    b->etype.val, b->etype.len);
+    if(ret) {
+	kdc_log(0, "Server/client has no support for etypes");
+	goto out;
+    }
+	
+    {
+	char *cet;
+	char *set;
+	krb5_enctype_to_string(context, cetype, &cet);
+	krb5_enctype_to_string(context, setype, &set);
+	kdc_log(5, "Using %s/%s", cet, set);
+	free(cet);
+	free(set);
+    }
+    
+
+    memset(&rep, 0, sizeof(rep));
+    rep.pvno = 5;
+    rep.msg_type = krb_as_rep;
+    copy_Realm(&b->realm, &rep.crealm);
+    copy_PrincipalName(b->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+    copy_Realm(&b->realm, &rep.ticket.realm);
+    copy_PrincipalName(b->sname, &rep.ticket.sname);
+
+    {
+	char str[128];
+	unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str));
+	if(*str)
+	    kdc_log(2, "Requested flags: %s", str);
+    }
+    
+    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey || 
+       f.request_anonymous){
+	ret = KRB5KDC_ERR_BADOPTION;
+	kdc_log(0, "Bad KDC options -- %s", client_name);
+	goto out;
+    }
+    
+    et.flags.initial = 1;
+    if(client->flags.forwardable && server->flags.forwardable)
+	et.flags.forwardable = f.forwardable;
+    else if (f.forwardable) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
+	goto out;
+    }
+    if(client->flags.proxiable && server->flags.proxiable)
+	et.flags.proxiable = f.proxiable;
+    else if (f.proxiable) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
+	goto out;
+    }
+    if(client->flags.postdate && server->flags.postdate)
+	et.flags.may_postdate = f.allow_postdate;
+    else if (f.allow_postdate){
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
+	goto out;
+    }
+
+    /* check for valid set of addresses */
+    if(!check_addresses(b->addresses, from_addr)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	kdc_log(0, "Bad address list requested -- %s", client_name);
+	goto out;
+    }
+
+    krb5_generate_random_keyblock(context, setype, &et.key);
+    copy_PrincipalName(b->cname, &et.cname);
+    copy_Realm(&b->realm, &et.crealm);
+    
+    {
+	time_t start;
+	time_t t;
+	
+	start = et.authtime = kdc_time;
+    
+	if(f.postdated && req->req_body.from){
+	    ALLOC(et.starttime);
+	    start = *et.starttime = *req->req_body.from;
+	    et.flags.invalid = 1;
+	    et.flags.postdated = 1; /* XXX ??? */
+	}
+	fix_time(&b->till);
+	t = *b->till;
+	if(client->max_life)
+	    t = min(t, start + *client->max_life);
+	if(server->max_life)
+	    t = min(t, start + *server->max_life);
+#if 0
+	t = min(t, start + realm->max_life);
+#endif
+	et.endtime = t;
+	if(f.renewable_ok && et.endtime < *b->till){
+	    f.renewable = 1;
+	    if(b->rtime == NULL){
+		ALLOC(b->rtime);
+		*b->rtime = 0;
+	    }
+	    if(*b->rtime < *b->till)
+		*b->rtime = *b->till;
+	}
+	if(f.renewable && b->rtime){
+	    t = *b->rtime;
+	    if(t == 0)
+		t = MAX_TIME;
+	    if(client->max_renew)
+		t = min(t, start + *client->max_renew);
+	    if(server->max_renew)
+		t = min(t, start + *server->max_renew);
+#if 0
+	    t = min(t, start + realm->max_renew);
+#endif
+	    ALLOC(et.renew_till);
+	    *et.renew_till = t;
+	    et.flags.renewable = 1;
+	}
+    }
+    
+    if(b->addresses){
+	ALLOC(et.caddr);
+	copy_HostAddresses(b->addresses, et.caddr);
+    }
+    
+    {
+	krb5_data empty_string;
+      
+	krb5_data_zero(&empty_string); 
+	et.transited.tr_type = DOMAIN_X500_COMPRESS;
+	et.transited.contents = empty_string;
+    }
+     
+    copy_EncryptionKey(&et.key, &ek.key);
+
+    /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
+     * as 0 and as 0x80 (meaning indefinite length) apart, and is thus
+     * incapable of correctly decoding SEQUENCE OF's of zero length.
+     *
+     * To fix this, always send at least one no-op last_req
+     *
+     * If there's a pw_end or valid_end we will use that,
+     * otherwise just a dummy lr.
+     */
+    ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
+    ek.last_req.len = 0;
+    if (client->pw_end
+	&& (kdc_warn_pwexpire == 0
+	    || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) {
+	ek.last_req.val[ek.last_req.len].lr_type  = 6;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end;
+	++ek.last_req.len;
+    }
+    if (client->valid_end) {
+	ek.last_req.val[ek.last_req.len].lr_type  = 7;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end;
+	++ek.last_req.len;
+    }
+    if (ek.last_req.len == 0) {
+	ek.last_req.val[ek.last_req.len].lr_type  = 0;
+	ek.last_req.val[ek.last_req.len].lr_value = 0;
+	++ek.last_req.len;
+    }
+    ek.nonce = b->nonce;
+    if (client->valid_end || client->pw_end) {
+	ALLOC(ek.key_expiration);
+	if (client->valid_end) {
+	    if (client->pw_end)
+		*ek.key_expiration = min(*client->valid_end, *client->pw_end);
+	    else
+		*ek.key_expiration = *client->valid_end;
+	} else
+	    *ek.key_expiration = *client->pw_end;
+    } else
+	ek.key_expiration = NULL;
+    ek.flags = et.flags;
+    ek.authtime = et.authtime;
+    if (et.starttime) {
+	ALLOC(ek.starttime);
+	*ek.starttime = *et.starttime;
+    }
+    ek.endtime = et.endtime;
+    if (et.renew_till) {
+	ALLOC(ek.renew_till);
+	*ek.renew_till = *et.renew_till;
+    }
+    copy_Realm(&rep.ticket.realm, &ek.srealm);
+    copy_PrincipalName(&rep.ticket.sname, &ek.sname);
+    if(et.caddr){
+	ALLOC(ek.caddr);
+	copy_HostAddresses(et.caddr, ek.caddr);
+    }
+
+    set_salt_padata (&rep.padata, ckey->salt);
+    ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key,
+		       client->kvno, &ckey->key, reply);
+    free_EncTicketPart(&et);
+    free_EncKDCRepPart(&ek);
+    free_AS_REP(&rep);
+out:
+    if(ret){
+	krb5_mk_error(context,
+		      ret,
+		      e_text,
+		      NULL,
+		      client_princ,
+		      server_princ,
+		      0,
+		      reply);
+	ret = 0;
+    }
+out2:
+    krb5_free_principal(context, client_princ);
+    free(client_name);
+    krb5_free_principal(context, server_princ);
+    free(server_name);
+    if(client){
+	hdb_free_entry(context, client);
+	free(client);
+    }
+    if(server){
+	hdb_free_entry(context, server);
+	free(server);
+    }
+    
+    return ret;
+}
+
+
+static krb5_error_code
+check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
+{
+    KDCOptions f = b->kdc_options;
+	
+    if(f.validate){
+	if(!tgt->flags.invalid || tgt->starttime == NULL){
+	    kdc_log(0, "Bad request to validate ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(*tgt->starttime > kdc_time){
+	    kdc_log(0, "Early request to validate ticket");
+	    return KRB5KRB_AP_ERR_TKT_NYV;
+	}
+	/* XXX  tkt = tgt */
+	et->flags.invalid = 0;
+    }else if(tgt->flags.invalid){
+	kdc_log(0, "Ticket-granting ticket has INVALID flag set");
+	return KRB5KRB_AP_ERR_TKT_INVALID;
+    }
+
+    if(f.forwardable){
+	if(!tgt->flags.forwardable){
+	    kdc_log(0, "Bad request for forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwardable = 1;
+    }
+    if(f.forwarded){
+	if(!tgt->flags.forwardable){
+	    kdc_log(0, "Request to forward non-forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwarded = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.forwarded)
+	et->flags.forwarded = 1;
+	
+    if(f.proxiable){
+	if(!tgt->flags.proxiable){
+	    kdc_log(0, "Bad request for proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxiable = 1;
+    }
+    if(f.proxy){
+	if(!tgt->flags.proxiable){
+	    kdc_log(0, "Request to proxy non-proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxy = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.proxy)
+	et->flags.proxy = 1;
+
+    if(f.allow_postdate){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(0, "Bad request for post-datable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.may_postdate = 1;
+    }
+    if(f.postdated){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(0, "Bad request for postdated ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(b->from)
+	    *et->starttime = *b->from;
+	et->flags.postdated = 1;
+	et->flags.invalid = 1;
+    }else if(b->from && *b->from > kdc_time + context->max_skew){
+	kdc_log(0, "Ticket cannot be postdated");
+	return KRB5KDC_ERR_CANNOT_POSTDATE;
+    }
+
+    if(f.renewable){
+	if(!tgt->flags.renewable){
+	    kdc_log(0, "Bad request for renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.renewable = 1;
+	ALLOC(et->renew_till);
+	fix_time(&b->rtime);
+	*et->renew_till = *b->rtime;
+    }
+    if(f.renew){
+	time_t old_life;
+	if(!tgt->flags.renewable || tgt->renew_till == NULL){
+	    kdc_log(0, "Request to renew non-renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	old_life = tgt->endtime;
+	if(tgt->starttime)
+	    old_life -= *tgt->starttime;
+	else
+	    old_life -= tgt->authtime;
+	et->endtime = min(*b->till, *et->starttime + old_life);
+    }	    
+    
+    /* checks for excess flags */
+    if(f.request_anonymous){
+	kdc_log(0, "Request for anonymous ticket");
+	return KRB5KDC_ERR_BADOPTION;
+    }
+    return 0;
+}
+
+static krb5_error_code
+fix_transited_encoding(TransitedEncoding *tr, 
+		       const char *client_realm, 
+		       const char *server_realm, 
+		       const char *tgt_realm)
+{
+    krb5_error_code ret = 0;
+    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){
+	char **realms = NULL, **tmp;
+	int num_realms = 0;
+	int i;
+	if(tr->tr_type && tr->contents.length != 0) {
+	    if(tr->tr_type != DOMAIN_X500_COMPRESS){
+		kdc_log(0, "Unknown transited type: %u", 
+			tr->tr_type);
+		return KRB5KDC_ERR_TRTYPE_NOSUPP;
+	    }
+	    ret = krb5_domain_x500_decode(tr->contents,
+					  &realms, 
+					  &num_realms,
+					  client_realm,
+					  server_realm);
+	    if(ret){
+		krb5_warn(context, ret, "Decoding transited encoding");
+		return ret;
+	    }
+	}
+	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
+	if(tmp == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	realms = tmp;
+	realms[num_realms] = strdup(tgt_realm);
+	if(realms[num_realms] == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	num_realms++;
+	free_TransitedEncoding(tr);
+	tr->tr_type = DOMAIN_X500_COMPRESS;
+	ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents);
+	if(ret)
+	    krb5_warn(context, ret, "Encoding transited encoding");
+    free_realms:
+	for(i = 0; i < num_realms; i++)
+	    free(realms[i]);
+	free(realms);
+    }
+    return ret;
+}
+
+
+static krb5_error_code
+tgs_make_reply(KDC_REQ_BODY *b, 
+	       EncTicketPart *tgt, 
+	       EncTicketPart *adtkt, 
+	       AuthorizationData *auth_data,
+	       hdb_entry *server, 
+	       hdb_entry *client, 
+	       krb5_principal client_principal, 
+	       hdb_entry *krbtgt,
+	       krb5_enctype cetype,
+	       krb5_data *reply)
+{
+    KDC_REP rep;
+    EncKDCRepPart ek;
+    EncTicketPart et;
+    KDCOptions f = b->kdc_options;
+    krb5_error_code ret;
+    krb5_enctype etype;
+    Key *skey;
+    EncryptionKey *ekey;
+    
+    if(adtkt) {
+	int i;
+	krb5_keytype kt;
+	ekey = &adtkt->key;
+	for(i = 0; i < b->etype.len; i++){
+	    ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt);
+	    if(ret)
+		continue;
+	    if(adtkt->key.keytype == kt)
+		break;
+	}
+	if(i == b->etype.len)
+	    return KRB5KDC_ERR_ETYPE_NOSUPP;
+	etype = b->etype.val[i];
+    }else{
+	ret = find_keys(NULL, server, NULL, NULL, &skey, &etype, 
+			b->etype.val, b->etype.len);
+	if(ret) {
+	    kdc_log(0, "Server has no support for etypes");
+	    return ret;
+	}
+	ekey = &skey->key;
+    }
+    
+    memset(&rep, 0, sizeof(rep));
+    memset(&et, 0, sizeof(et));
+    memset(&ek, 0, sizeof(ek));
+    
+    rep.pvno = 5;
+    rep.msg_type = krb_tgs_rep;
+
+    et.authtime = tgt->authtime;
+    fix_time(&b->till);
+    et.endtime = min(tgt->endtime, *b->till);
+    ALLOC(et.starttime);
+    *et.starttime = kdc_time;
+    
+    ret = check_tgs_flags(b, tgt, &et);
+    if(ret)
+	return ret;
+
+    copy_TransitedEncoding(&tgt->transited, &et.transited);
+    ret = fix_transited_encoding(&et.transited,
+				 *krb5_princ_realm(context, client_principal),
+				 *krb5_princ_realm(context, server->principal),
+				 *krb5_princ_realm(context, krbtgt->principal));
+    if(ret){
+	free_TransitedEncoding(&et.transited);
+	return ret;
+    }
+
+
+    copy_Realm(krb5_princ_realm(context, server->principal), 
+	       &rep.ticket.realm);
+    krb5_principal2principalname(&rep.ticket.sname, server->principal);
+    copy_Realm(&tgt->crealm, &rep.crealm);
+    copy_PrincipalName(&tgt->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+
+    ek.caddr = et.caddr;
+    if(et.caddr == NULL)
+	et.caddr = tgt->caddr;
+
+    {
+	time_t life;
+	life = et.endtime - *et.starttime;
+	if(client && client->max_life)
+	    life = min(life, *client->max_life);
+	if(server->max_life)
+	    life = min(life, *server->max_life);
+	et.endtime = *et.starttime + life;
+    }
+    if(f.renewable_ok && tgt->flags.renewable && 
+       et.renew_till == NULL && et.endtime < *b->till){
+	et.flags.renewable = 1;
+	ALLOC(et.renew_till);
+	*et.renew_till = *b->till;
+    }
+    if(et.renew_till){
+	time_t renew;
+	renew = *et.renew_till - et.authtime;
+	if(client && client->max_renew)
+	    renew = min(renew, *client->max_renew);
+	if(server->max_renew)
+	    renew = min(renew, *server->max_renew);
+	*et.renew_till = et.authtime + renew;
+    }
+	    
+    if(et.renew_till){
+	*et.renew_till = min(*et.renew_till, *tgt->renew_till);
+	*et.starttime = min(*et.starttime, *et.renew_till);
+	et.endtime = min(et.endtime, *et.renew_till);
+    }
+    
+    *et.starttime = min(*et.starttime, et.endtime);
+
+    if(*et.starttime == et.endtime){
+	ret = KRB5KDC_ERR_NEVER_VALID;
+	goto out;
+    }
+    if(et.renew_till && et.endtime == *et.renew_till){
+	free(et.renew_till);
+	et.renew_till = NULL;
+	et.flags.renewable = 0;
+    }
+    
+    et.flags.pre_authent = tgt->flags.pre_authent;
+    et.flags.hw_authent = tgt->flags.hw_authent;
+	    
+    /* XXX Check enc-authorization-data */
+    et.authorization_data = auth_data;
+
+    krb5_generate_random_keyblock(context, etype, &et.key);
+    et.crealm = tgt->crealm;
+    et.cname = tgt->cname;
+	    
+    ek.key = et.key;
+    /* MIT must have at least one last_req */
+    ek.last_req.len = 1;
+    ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
+    ek.nonce = b->nonce;
+    ek.flags = et.flags;
+    ek.authtime = et.authtime;
+    ek.starttime = et.starttime;
+    ek.endtime = et.endtime;
+    ek.renew_till = et.renew_till;
+    ek.srealm = rep.ticket.realm;
+    ek.sname = rep.ticket.sname;
+	    
+    /* It is somewhat unclear where the etype in the following
+       encryption should come from. What we have is a session
+       key in the passed tgt, and a list of preferred etypes
+       *for the new ticket*. Should we pick the best possible
+       etype, given the keytype in the tgt, or should we look
+       at the etype list here as well?  What if the tgt
+       session key is DES3 and we want a ticket with a (say)
+       CAST session key. Should the DES3 etype be added to the
+       etype list, even if we don't want a session key with
+       DES3? */
+    ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
+		       0, &tgt->key, reply);
+out:
+    free_TGS_REP(&rep);
+    free_TransitedEncoding(&et.transited);
+    if(et.starttime)
+	free(et.starttime);
+    if(et.renew_till)
+	free(et.renew_till);
+    free_LastReq(&ek.last_req);
+    memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
+    free_EncryptionKey(&et.key);
+    return ret;
+}
+
+static krb5_error_code
+tgs_check_authenticator(krb5_auth_context ac,
+			KDC_REQ_BODY *b, 
+			krb5_keyblock *key)
+{
+    krb5_authenticator auth;
+    size_t len;
+    unsigned char buf[8192];
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    
+    krb5_auth_getauthenticator(context, ac, &auth);
+    if(auth->cksum == NULL){
+	kdc_log(0, "No authenticator in request");
+	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+    /*
+     * according to RFC1510 it doesn't need to be keyed,
+     * but according to the latest draft it needs to.
+     */
+    if (
+#if 0
+!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
+	||
+#endif
+ !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
+	kdc_log(0, "Bad checksum type in authenticator: %d", 
+		auth->cksum->cksumtype);
+	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+		
+    /* XXX should not re-encode this */
+    ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
+			      b, &len);
+    if(ret){
+	kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", 
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_verify_checksum(context,
+			       crypto,
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+			       buf + sizeof(buf) - len, 
+			       len,
+			       auth->cksum);
+    krb5_crypto_destroy(context, crypto);
+    if(ret){
+	kdc_log(0, "Failed to verify checksum: %s", 
+		krb5_get_err_text(context, ret));
+    }
+out:
+    free_Authenticator(auth);
+    free(auth);
+    return ret;
+}
+
+static Realm 
+is_krbtgt(PrincipalName *p)
+{
+    if(p->name_string.len == 2 && strcmp(p->name_string.val[0], "krbtgt") == 0)
+	return p->name_string.val[1];
+    else
+	return NULL;
+}
+
+static Realm
+find_rpath(Realm r)
+{
+    const char *new_realm = krb5_config_get_string(context,
+						   NULL,
+						   "libdefaults", 
+						   "capath", 
+						   r, 
+						   NULL);
+    return (Realm)new_realm;
+}
+	    
+
+static krb5_error_code
+tgs_rep2(KDC_REQ_BODY *b,
+	 PA_DATA *tgs_req,
+	 krb5_data *reply,
+	 const char *from,
+	 struct sockaddr *from_addr)
+{
+    krb5_ap_req ap_req;
+    krb5_error_code ret;
+    krb5_principal princ;
+    krb5_auth_context ac = NULL;
+    krb5_ticket *ticket = NULL;
+    krb5_flags ap_req_options;
+    krb5_flags verify_ap_req_flags;
+    const char *e_text = NULL;
+    krb5_crypto crypto;
+
+    hdb_entry *krbtgt = NULL;
+    EncTicketPart *tgt;
+    Key *tkey;
+    krb5_enctype cetype;
+    krb5_principal cp = NULL;
+    krb5_principal sp = NULL;
+    AuthorizationData *auth_data = NULL;
+
+    memset(&ap_req, 0, sizeof(ap_req));
+    ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
+    if(ret){
+	kdc_log(0, "Failed to decode AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+    
+    if(!is_krbtgt(&ap_req.ticket.sname)){
+	/* XXX check for ticket.sname == req.sname */
+	kdc_log(0, "PA-DATA is not a ticket-granting ticket");
+	ret = KRB5KDC_ERR_POLICY; /* ? */
+	goto out2;
+    }
+    
+    principalname2krb5_principal(&princ,
+				 ap_req.ticket.sname,
+				 ap_req.ticket.realm);
+    
+    krbtgt = db_fetch(princ);
+
+    if(krbtgt == NULL) {
+	char *p;
+	krb5_unparse_name(context, princ, &p);
+	kdc_log(0, "Ticket-granting ticket not found in database: %s", p);
+	free(p);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out2;
+    }
+    
+    if(ap_req.ticket.enc_part.kvno && 
+       *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
+	char *p;
+
+	krb5_unparse_name (context, princ, &p);
+	kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", 
+		*ap_req.ticket.enc_part.kvno,
+		krbtgt->kvno,
+		p);
+	free (p);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out2;
+    }
+
+    ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
+    if(ret){
+	char *str;
+	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
+	kdc_log(0, "No server key found for %s", str);
+	free(str);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out2;
+    }
+    
+    if (b->kdc_options.validate)
+	verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
+    else
+	verify_ap_req_flags = 0;
+
+    ret = krb5_verify_ap_req(context,
+			     &ac,
+			     &ap_req,
+			     princ,
+			     &tkey->key,
+			     verify_ap_req_flags,
+			     &ap_req_options,
+			     &ticket);
+			     
+    krb5_free_principal(context, princ);
+    if(ret) {
+	kdc_log(0, "Failed to verify AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+
+    cetype = ap_req.authenticator.etype;
+
+    tgt = &ticket->ticket;
+
+    ret = tgs_check_authenticator(ac, b, &tgt->key);
+
+    if (b->enc_authorization_data) {
+	krb5_keyblock *subkey;
+	krb5_data ad;
+	ret = krb5_auth_con_getremotesubkey(context,
+					    ac,
+					    &subkey);
+	if(ret){
+	    kdc_log(0, "Failed to get remote subkey: %s", 
+		    krb5_get_err_text(context, ret));
+	    goto out2;
+	}
+	if(subkey == NULL){
+	    ret = krb5_auth_con_getkey(context, ac, &subkey);
+	    if(ret) {
+		kdc_log(0, "Failed to get session key: %s", 
+			krb5_get_err_text(context, ret));
+		goto out2;
+	    }
+	}
+	if(subkey == NULL){
+	    kdc_log(0, "Failed to get key for enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+	krb5_crypto_init(context, subkey, 0, &crypto);
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+					  b->enc_authorization_data,
+					  &ad);
+	krb5_crypto_destroy(context, crypto);
+	if(ret){
+	    kdc_log(0, "Failed to decrypt enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+	krb5_free_keyblock(context, subkey);
+	ALLOC(auth_data);
+	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
+	if(ret){
+	    free(auth_data);
+	    auth_data = NULL;
+	    kdc_log(0, "Failed to decode authorization data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+    }
+
+    krb5_auth_con_free(context, ac);
+
+    if(ret){
+	kdc_log(0, "Failed to verify authenticator: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+    
+    {
+	PrincipalName *s;
+	Realm r;
+	char *spn = NULL, *cpn = NULL;
+	hdb_entry *server = NULL, *client = NULL;
+	int loop = 0;
+	EncTicketPart adtkt;
+	char opt_str[128];
+
+	s = b->sname;
+	r = b->realm;
+	if(b->kdc_options.enc_tkt_in_skey){
+	    Ticket *t;
+	    hdb_entry *uu;
+	    krb5_principal p;
+	    Key *tkey;
+	    
+	    if(b->additional_tickets == NULL || 
+	       b->additional_tickets->len == 0){
+		ret = KRB5KDC_ERR_BADOPTION; /* ? */
+		kdc_log(0, "No second ticket present in request");
+		goto out;
+	    }
+	    t = &b->additional_tickets->val[0];
+	    if(!is_krbtgt(&t->sname)){
+		kdc_log(0, "Additional ticket is not a ticket-granting ticket");
+		ret = KRB5KDC_ERR_POLICY;
+		goto out2;
+	    }
+	    principalname2krb5_principal(&p, t->sname, t->realm);
+	    uu = db_fetch(p);
+	    krb5_free_principal(context, p);
+	    if(uu == NULL){
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+		goto out;
+	    }
+	    ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey);
+	    if(ret){
+		ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+		goto out;
+	    }
+	    ret = krb5_decrypt_ticket(context, t, &tkey->key, &adtkt, 0);
+
+	    if(ret)
+		goto out;
+	    s = &adtkt.cname;
+	    r = adtkt.crealm;
+	}
+
+	principalname2krb5_principal(&sp, *s, r);
+	krb5_unparse_name(context, sp, &spn);	
+	principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
+	krb5_unparse_name(context, cp, &cpn);
+	unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units,
+		       opt_str, sizeof(opt_str));
+	if(*opt_str)
+	    kdc_log(0, "TGS-REQ %s from %s for %s [%s]", 
+		    cpn, from, spn, opt_str);
+	else
+	    kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
+    server_lookup:
+	server = db_fetch(sp);
+    
+
+	if(server == NULL){
+	    Realm req_rlm, new_rlm;
+	    if(loop++ < 2 && (req_rlm = is_krbtgt(&sp->name))){
+		new_rlm = find_rpath(req_rlm);
+		if(new_rlm) {
+		    kdc_log(5, "krbtgt for realm %s not found, trying %s", 
+			    req_rlm, new_rlm);
+		    krb5_free_principal(context, sp);
+		    free(spn);
+		    krb5_make_principal(context, &sp, r, 
+					"krbtgt", new_rlm, NULL);
+		    krb5_unparse_name(context, sp, &spn);	
+		    goto server_lookup;
+		}
+	    }
+	    kdc_log(0, "Server not found in database: %s", spn);
+	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    goto out;
+	}
+
+	client = db_fetch(cp);
+	if(client == NULL)
+	    kdc_log(1, "Client not found in database: %s", cpn);
+#if 0
+	/* XXX check client only if same realm as krbtgt-instance */
+	if(client == NULL){
+	    kdc_log(0, "Client not found in database: %s", cpn);
+	    ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	    goto out;
+	}
+#endif
+
+	ret = check_flags(client, cpn, server, spn, FALSE);
+	if(ret)
+	    goto out;
+
+	if((b->kdc_options.validate || b->kdc_options.renew) && 
+	   !krb5_principal_compare(context, 
+				   krbtgt->principal,
+				   server->principal)){
+	    kdc_log(0, "Inconsistent request.");
+	    ret = KRB5KDC_ERR_SERVER_NOMATCH;
+	    goto out;
+	}
+
+	/* check for valid set of addresses */
+	if(!check_addresses(tgt->caddr, from_addr)) {
+	    ret = KRB5KRB_AP_ERR_BADADDR;
+	    kdc_log(0, "Request from wrong address");
+	    goto out;
+	}
+	
+	ret = tgs_make_reply(b, 
+			     tgt, 
+			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
+			     auth_data,
+			     server, 
+			     client, 
+			     cp, 
+			     krbtgt, 
+			     cetype, 
+			     reply);
+	
+    out:
+	free(spn);
+	free(cpn);
+	    
+	if(server){
+	    hdb_free_entry(context, server);
+	    free(server);
+	}
+	if(client){
+	    hdb_free_entry(context, client);
+	    free(client);
+	}
+	
+    }
+out2:
+    if(ret)
+	krb5_mk_error(context,
+		      ret,
+		      e_text,
+		      NULL,
+		      cp,
+		      sp,
+		      0,
+		      reply);
+    krb5_free_principal(context, cp);
+    krb5_free_principal(context, sp);
+    if (ticket) {
+	krb5_free_ticket(context, ticket);
+	free(ticket);
+    }
+    free_AP_REQ(&ap_req);
+    if(auth_data){
+	free_AuthorizationData(auth_data);
+	free(auth_data);
+    }
+
+    if(krbtgt){
+	hdb_free_entry(context, krbtgt);
+	free(krbtgt);
+    }
+    return ret;
+}
+
+
+krb5_error_code
+tgs_rep(KDC_REQ *req, 
+	krb5_data *data,
+	const char *from,
+	struct sockaddr *from_addr)
+{
+    krb5_error_code ret;
+    int i = 0;
+    PA_DATA *tgs_req = NULL;
+
+    if(req->padata == NULL){
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
+	kdc_log(0, "TGS-REQ from %s without PA-DATA", from);
+	goto out;
+    }
+    
+    tgs_req = find_padata(req, &i, pa_tgs_req);
+
+    if(tgs_req == NULL){
+	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	
+	kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
+	goto out;
+    }
+    ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr);
+out:
+    if(ret && data->data == NULL){
+	krb5_mk_error(context,
+		      ret,
+		      NULL,
+		      NULL,
+		      NULL,
+		      NULL,
+		      0,
+		      data);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8
new file mode 100644
index 0000000..e9a7502
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.8
@@ -0,0 +1,27 @@
+.\" $Id: kstash.8,v 1.2 2000/01/08 10:57:31 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt KSTASH 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kstash
+.Nd
+Store the KDC master password in a file
+.Sh SYNOPSIS
+.Nm
+.Op Fl k Ar file
+.Op Fl -key-file= Ns Ar file
+.Sh DESCRIPTION
+.Nm
+allows you to the master password and store in a file that will be read
+by the KDC.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl k Ar file
+.It Fl -key-file= Ns Ar file
+Specify what file the master key is stored in.  The default is
+.Pa m-key .
+.El
+.Sh SEE ALSO
+.Xr kdc 8
diff --git a/crypto/heimdal/kdc/kstash.c b/crypto/heimdal/kdc/kstash.c
new file mode 100644
index 0000000..5b79fd1
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.c
@@ -0,0 +1,188 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "headers.h"
+
+RCSID("$Id: kstash.c,v 1.10 1999/11/13 04:14:17 assar Exp $");
+
+krb5_context context;
+
+char *keyfile = HDB_DB_DIR "/m-key";
+char *v4_keyfile;
+int convert_flag;
+int help_flag;
+int version_flag;
+
+struct getargs args[] = {
+    { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
+    { "version4-key-file", '4', arg_string, &v4_keyfile, 
+      "kerberos 4 master key file", "file" },
+    { "convert-file", 0, arg_flag, &convert_flag, 
+      "convert keytype of keyfile" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+write_keyfile(EncryptionKey key)
+{
+    FILE *f;
+    char buf[1024];
+    size_t len;
+
+#ifdef HAVE_UMASK
+    umask(077);
+#endif
+
+    f = fopen(keyfile, "w");
+    if(f == NULL)
+	krb5_err(context, 1, errno, "%s", keyfile);
+    encode_EncryptionKey((unsigned char *)buf + sizeof(buf) - 1,
+			 sizeof(buf), &key, &len);
+    fwrite(buf + sizeof(buf) - len, len, 1, f);
+    memset(buf, 0, sizeof(buf));
+    if(ferror(f)) {
+	int e = errno;
+	unlink(keyfile);
+	krb5_err(context, 1, e, "%s", keyfile);
+    }
+    fclose(f);
+    chmod(keyfile, 0400);
+}
+
+static int
+convert_file(void)
+{
+    FILE *f;
+    unsigned char buf[1024];
+    char *fn;
+    size_t len;
+    EncryptionKey key;
+    krb5_error_code ret;
+
+    f = fopen(keyfile, "r");
+    if(f == NULL) {
+	krb5_warn(context, errno, "%s", keyfile);
+	return 1;
+    }
+    len = fread(buf, 1, sizeof(buf), f);
+    if(ferror(f)) {
+	krb5_warn(context, errno, "fread");
+	ret = 1;
+	goto out1;
+    }
+    fclose(f);
+    ret = decode_EncryptionKey(buf, len, &key, &len);
+    memset(buf, 0, sizeof(buf));
+    if(ret) {
+	krb5_warn(context, ret, "decode_EncryptionKey");
+	goto out2;
+    }
+    if(key.keytype == KEYTYPE_DES)
+	key.keytype = ETYPE_DES_CBC_MD5;
+    else if(key.keytype == ETYPE_DES_CBC_MD5) {
+	krb5_warnx(context, "keyfile already converted");
+	ret = 0;
+	goto out2;
+    } else {
+	krb5_warnx(context, "bad encryption key type (%d)", key.keytype);
+	ret = 1;
+	goto out2;
+    }
+    asprintf(&fn, "%s.old", keyfile);
+    if(fn == NULL) {
+	krb5_warn(context, ENOMEM, "malloc");
+	ret = 1;
+	goto out1;
+    }
+    if(rename(keyfile, fn) < 0) {
+	krb5_warn(context, errno, "rename");
+	ret = 1;
+	goto out1;
+    }
+    write_keyfile(key);
+    krb5_free_keyblock_contents(context, &key);
+    return 0;
+out1:
+    memset(buf, 0, sizeof(buf));
+    return ret ? 1 : 0;
+out2:
+    krb5_free_keyblock_contents(context, &key);
+    return ret ? 1 : 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    char buf[1024];
+    EncryptionKey key;
+    FILE *f;
+    
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(convert_flag)
+	exit(convert_file());
+
+    key.keytype = ETYPE_DES_CBC_MD5; /* XXX */
+    if(v4_keyfile) {
+	f = fopen(v4_keyfile, "r");
+	if(f == NULL)
+	    krb5_err(context, 1, errno, "fopen(%s)", v4_keyfile);
+	key.keyvalue.length = sizeof(des_cblock);
+	key.keyvalue.data = malloc(key.keyvalue.length);
+	fread(key.keyvalue.data, 1, key.keyvalue.length, f);
+	fclose(f);
+    } else {
+	krb5_salt salt;
+	salt.salttype = KRB5_PW_SALT;
+	/* XXX better value? */
+	salt.saltvalue.data = NULL;
+	salt.saltvalue.length = 0;
+	if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
+	    exit(1);
+	krb5_string_to_key_salt(context, key.keytype, buf, salt, &key);
+    }
+    
+    write_keyfile(key);
+    krb5_free_keyblock_contents(context, &key);
+    exit(0);
+}
diff --git a/crypto/heimdal/kdc/log.c b/crypto/heimdal/kdc/log.c
new file mode 100644
index 0000000..ddbdbee
--- /dev/null
+++ b/crypto/heimdal/kdc/log.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+RCSID("$Id: log.c,v 1.12 1999/12/02 17:05:00 joda Exp $");
+
+static krb5_log_facility *logf;
+
+void
+kdc_openlog(krb5_config_section *cf)
+{
+    char **s = NULL, **p;
+    krb5_initlog(context, "kdc", &logf);
+    if(cf)
+	s = krb5_config_get_strings(context, cf, "kdc", "logging", NULL);
+
+    if(s == NULL)
+	s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
+    if(s){
+	for(p = s; *p; p++)
+	    krb5_addlog_dest(context, logf, *p);
+	krb5_config_free_strings(s);
+    }else
+	krb5_addlog_dest(context, logf, "0-1/FILE:" HDB_DB_DIR "/kdc.log");
+    krb5_set_warn_dest(context, logf);
+}
+
+char*
+kdc_log_msg_va(int level, const char *fmt, va_list ap)
+{
+    char *msg;
+    krb5_vlog_msg(context, logf, &msg, level, fmt, ap);
+    return msg;
+}
+
+char*
+kdc_log_msg(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kdc_log_msg_va(level, fmt, ap);
+    va_end(ap);
+    return s;
+}
+
+void
+kdc_log(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kdc_log_msg_va(level, fmt, ap);
+    if(s) free(s);
+    va_end(ap);
+}
diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c
new file mode 100644
index 0000000..46d7aba
--- /dev/null
+++ b/crypto/heimdal/kdc/main.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: main.c,v 1.21 1999/12/02 17:05:00 joda Exp $");
+
+sig_atomic_t exit_flag = 0;
+krb5_context context;
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = 1;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    set_progname(argv[0]);
+    
+    krb5_init_context(&context);
+
+    configure(argc, argv);
+
+    if(databases == NULL) {
+	db = malloc(sizeof(*db));
+	num_db = 1;
+	ret = hdb_create(context, &db[0], NULL);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
+	ret = hdb_set_master_keyfile(context, db[0], NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+    } else {
+	struct dbinfo *d;
+	int i;
+	/* count databases */
+	for(d = databases, i = 0; d; d = d->next, i++);
+	db = malloc(i * sizeof(*db));
+	for(d = databases, num_db = 0; d; d = d->next, num_db++) {
+	    ret = hdb_create(context, &db[num_db], d->dbname);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
+	    ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
+	    if (ret)
+		krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+	}
+    }
+
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT, &sa, NULL);
+    }
+#else
+    signal(SIGINT, sigterm);
+#endif
+    loop();
+    krb5_free_context(context);
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/misc.c b/crypto/heimdal/kdc/misc.c
new file mode 100644
index 0000000..e476ebc
--- /dev/null
+++ b/crypto/heimdal/kdc/misc.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: misc.c,v 1.18 1999/12/02 17:05:00 joda Exp $");
+
+struct timeval now;
+
+hdb_entry*
+db_fetch(krb5_principal principal)
+{
+    hdb_entry *ent;
+    krb5_error_code ret;
+    int i;
+    ALLOC(ent);
+    ent->principal = principal;
+
+    for(i = 0; i < num_db; i++) {
+	ret = db[i]->open(context, db[i], O_RDONLY, 0);
+	if (ret) {
+	    kdc_log(0, "Failed to open database: %s", 
+		    krb5_get_err_text(context, ret));
+	    continue;
+	}
+	ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
+	db[i]->close(context, db[i]);
+	if(ret == 0)
+	    return ent;
+    }
+    free(ent);
+    return NULL;
+}
diff --git a/crypto/heimdal/kdc/rx.h b/crypto/heimdal/kdc/rx.h
new file mode 100644
index 0000000..ab8ec805
--- /dev/null
+++ b/crypto/heimdal/kdc/rx.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
+
+#ifndef __RX_H__
+#define __RX_H__
+
+/* header of a RPC packet */
+
+enum rx_header_type {
+     HT_DATA = 1,
+     HT_ACK = 2,
+     HT_BUSY = 3,
+     HT_ABORT = 4,
+     HT_ACKALL = 5,
+     HT_CHAL = 6,
+     HT_RESP = 7,
+     HT_DEBUG = 8
+};
+
+/* For flags in header */
+
+enum rx_header_flag {
+     HF_CLIENT_INITIATED = 1,
+     HF_REQ_ACK = 2,
+     HF_LAST = 4,
+     HF_MORE = 8
+};
+
+struct rx_header {
+     u_int32_t epoch;
+     u_int32_t connid;		/* And channel ID */
+     u_int32_t callid;
+     u_int32_t seqno;
+     u_int32_t serialno;
+     u_char type;
+     u_char flags;
+     u_char status;
+     u_char secindex;
+     u_int16_t reserved;	/* ??? verifier? */
+     u_int16_t serviceid;
+/* This should be the other way around according to everything but */
+/* tcpdump */
+};
+
+#define RX_HEADER_SIZE 28
+
+#endif /* __RX_H__ */
diff --git a/crypto/heimdal/kdc/string2key.c b/crypto/heimdal/kdc/string2key.c
new file mode 100644
index 0000000..e0cc871
--- /dev/null
+++ b/crypto/heimdal/kdc/string2key.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "headers.h"
+#include <getarg.h>
+
+RCSID("$Id: string2key.c,v 1.18 1999/12/02 17:05:00 joda Exp $");
+
+int version5;
+int version4;
+int afs;
+char *principal;
+char *cell;
+char *password;
+char *keytype_str = "des-cbc-md5";
+int version;
+int help;
+
+struct getargs args[] = {
+    { "version5", '5', arg_flag,   &version5, "Output Kerberos v5 string-to-key" },
+    { "version4", '4', arg_flag,   &version4, "Output Kerberos v4 string-to-key" },
+    { "afs",      'a', arg_flag,   &afs, "Output AFS string-to-key" },
+    { "cell",     'c', arg_string, &cell, "AFS cell to use", "cell" },
+    { "password", 'w', arg_string, &password, "Password to use", "password" },
+    { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" },
+    { "keytype",  'k', arg_string, &keytype_str, "Keytype" },
+    { "version",    0, arg_flag,   &version, "print version" },
+    { "help",       0, arg_flag,   &help, NULL }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int status)
+{
+    arg_printusage (args, num_args, NULL, "password");
+    exit(status);
+}
+
+static void
+tokey(krb5_context context, 
+      krb5_enctype enctype, 
+      const char *password, 
+      krb5_salt salt, 
+      const char *label)
+{
+    int i;
+    krb5_keyblock key;
+    krb5_string_to_key_salt(context, enctype, password, salt, &key);
+    printf("%s: ", label);
+    for(i = 0; i < key.keyvalue.length; i++)
+	printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
+    printf("\n");
+    krb5_free_keyblock_contents(context, &key);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_principal princ;
+    krb5_salt salt;
+    int optind;
+    char buf[1024];
+    krb5_enctype etype;
+    krb5_error_code ret;
+
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+    if(help)
+	usage(0);
+    
+    if(version){
+	print_version (NULL);
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage(1);
+
+    if(!version5 && !version4 && !afs)
+	version5 = 1;
+
+    ret = krb5_string_to_enctype(context, keytype_str, &etype);
+#if 0
+    if(ret) {
+	krb5_keytype keytype;
+	ret = krb5_string_to_keytype(context, keytype_str, &keytype);
+	ret = krb5_keytype_to_enctype(context, keytype, &etype);
+    }
+#endif
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytype_str);
+    
+    if((etype != ETYPE_DES_CBC_CRC &&
+	etype != ETYPE_DES_CBC_MD4 &&
+	etype != ETYPE_DES_CBC_MD5) &&
+       (afs || version4))
+	krb5_errx(context, 1, 
+		  "DES is the only valid keytype for AFS and Kerberos 4");
+    
+
+    if(version5 && principal == NULL){
+	printf("Kerberos v5 principal: ");
+	if(fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 1;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	principal = estrdup(buf);
+    }
+    if(afs && cell == NULL){
+	printf("AFS cell: ");
+	if(fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 1;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	cell = estrdup(buf);
+    }
+    if(argv[0])
+	password = argv[0];
+    if(password == NULL){
+	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0))
+	    return 1;
+	password = buf;
+    }
+	
+    if(version5){
+	krb5_parse_name(context, principal, &princ);
+	krb5_get_pw_salt(context, princ, &salt);
+	tokey(context, etype, password, salt, "Kerberos v5 key");
+	krb5_free_salt(context, salt);
+    }
+    if(version4){
+	salt.salttype = KRB5_PW_SALT;
+	salt.saltvalue.length = 0;
+	salt.saltvalue.data = NULL;
+	tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos v4 key");
+    }
+    if(afs){
+	salt.salttype = KRB5_AFS3_SALT;
+	salt.saltvalue.length = strlen(cell);
+	salt.saltvalue.data = cell;
+	tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS key");
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kpasswd/Makefile.am b/crypto/heimdal/kpasswd/Makefile.am
new file mode 100644
index 0000000..fba61e3
--- /dev/null
+++ b/crypto/heimdal/kpasswd/Makefile.am
@@ -0,0 +1,25 @@
+# $Id: Makefile.am,v 1.11 1999/04/20 16:48:34 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+man_MANS = kpasswd.1 kpasswdd.8
+
+bin_PROGRAMS = kpasswd
+
+kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
+
+libexec_PROGRAMS = kpasswdd
+
+kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
+
+kpasswdd_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LDADD) \
+	$(LIB_dlopen) \
+	$(DBLIB)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/kpasswd/Makefile.in b/crypto/heimdal/kpasswd/Makefile.in
new file mode 100644
index 0000000..11e169b
--- /dev/null
+++ b/crypto/heimdal/kpasswd/Makefile.in
@@ -0,0 +1,758 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.11 1999/04/20 16:48:34 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+man_MANS = kpasswd.1 kpasswdd.8
+
+bin_PROGRAMS = kpasswd
+
+kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
+
+libexec_PROGRAMS = kpasswdd
+
+kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
+
+kpasswdd_LDADD =  	$(top_builddir)/lib/kadm5/libkadm5srv.la 	$(top_builddir)/lib/hdb/libhdb.la 	$(LDADD) 	$(LIB_dlopen) 	$(DBLIB)
+
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kpasswd$(EXEEXT)
+libexec_PROGRAMS =  kpasswdd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+kpasswd_OBJECTS =  kpasswd.$(OBJEXT)
+kpasswd_LDADD = $(LDADD)
+kpasswd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kpasswd_LDFLAGS = 
+kpasswdd_OBJECTS =  kpasswdd.$(OBJEXT)
+kpasswdd_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kpasswdd_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kpasswd_SOURCES) $(kpasswdd_SOURCES)
+OBJECTS = $(kpasswd_OBJECTS) $(kpasswdd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kpasswd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES)
+	@rm -f kpasswd$(EXEEXT)
+	$(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS)
+
+kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES)
+	@rm -f kpasswdd$(EXEEXT)
+	$(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS)
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = kpasswd
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man1 uninstall-man1 install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kpasswd/kpasswd.1 b/crypto/heimdal/kpasswd/kpasswd.1
new file mode 100644
index 0000000..8cbc83b
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd.1
@@ -0,0 +1,20 @@
+.\" $Id: kpasswd.1,v 1.1 1997/08/27 23:44:08 assar Exp $
+.\"
+.Dt Aug 27, 1997
+.Dt KPASSWD 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswd
+.Nd
+Kerberos 5 password changing program
+.Sh SYNOPSIS
+.Nm
+.Op Ar principal
+.Sh DESCRIPTION
+.Nm
+is the client for changing passwords.
+.Sh DIAGNOSTICS
+If the password quality check fails or some other error occurs, an
+explanation is printed.
+.Sh SEE ALSO
+.Xr kpasswdd 8
diff --git a/crypto/heimdal/kpasswd/kpasswd.c b/crypto/heimdal/kpasswd/kpasswd.c
new file mode 100644
index 0000000..f072804
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswd.c,v 1.21 2000/01/28 03:19:32 assar Exp $");
+
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    { "version", 		0,   arg_flag, &version_flag },
+    { "help",			0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[principal]");
+    exit (ret);
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_principal principal;
+    int optind = 0;
+    krb5_get_init_creds_opt opt;
+    krb5_creds cred;
+    int result_code;
+    krb5_data result_code_string, result_string;
+    char pwbuf[BUFSIZ];
+
+    optind = krb5_program_setup(&context, argc, argv,
+				args, sizeof(args) / sizeof(args[0]), NULL);
+
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version (NULL);
+	exit(0);
+    }
+
+    krb5_get_init_creds_opt_init (&opt);
+    
+    krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage(1);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context: %s", krb5_get_err_text(context, ret));
+  
+    if(argv[0]) {
+	ret = krb5_parse_name (context, argv[0], &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name");
+    } else
+	principal = NULL;
+
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					principal,
+					NULL,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					"kadmin/changepw",
+					&opt);
+    switch (ret) {
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR :
+	return 1;
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+    case KRB5KRB_AP_ERR_MODIFIED :
+	krb5_errx(context, 1, "Password incorrect");
+	break;
+    default:
+	krb5_err(context, 1, ret, "krb5_get_init_creds");
+    }
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    if(des_read_pw_string (pwbuf, sizeof(pwbuf), "New password: ", 1) != 0)
+	return 1;
+
+    ret = krb5_change_password (context, &cred, pwbuf,
+				&result_code,
+				&result_code_string,
+				&result_string);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_change_password");
+
+    printf ("Reply from server: %.*s\n", (int)result_string.length,
+	    (char *)result_string.data);
+
+    krb5_data_free (&result_code_string);
+    krb5_data_free (&result_string);
+    
+    krb5_free_creds_contents (context, &cred);
+    krb5_free_context (context);
+    return result_code;
+}
diff --git a/crypto/heimdal/kpasswd/kpasswd_locl.h b/crypto/heimdal/kpasswd/kpasswd_locl.h
new file mode 100644
index 0000000..0e05489
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd_locl.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kpasswd_locl.h,v 1.7 1999/12/02 17:05:00 joda Exp $ */
+
+#ifndef __KPASSWD_LOCL_H__
+#define __KPASSWD_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <krb5.h>
+
+#endif /* __KPASSWD_LOCL_H__ */
diff --git a/crypto/heimdal/kpasswd/kpasswdd.8 b/crypto/heimdal/kpasswd/kpasswdd.8
new file mode 100644
index 0000000..f4db441
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.8
@@ -0,0 +1,60 @@
+.\" $Id: kpasswdd.8,v 1.2 1999/04/19 16:32:01 joda Exp $
+.\"
+.Dd April 19, 1999
+.Dt KPASSWDD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswdd
+.Nd
+Kerberos 5 password changing server
+.Sh SYNOPSIS
+.Nm
+.Op Fl -check-library= Ns Ar library
+.Op Fl -check-function= Ns Ar function
+.Sh DESCRIPTION
+.Nm
+serves request for password changes. It listens on UDP port 464
+(service kpasswd) and processes requests when they arrive. It changes
+the database directly and should thus only run on the master KDC.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl -check-library= Ns Ar library
+.Xc
+If your system has support for dynamic loading of shared libraries,
+you can use an external function to check password quality. This
+option specifies which library to load.
+.It Xo
+.Fl -check-function= Ns Ar function
+.Xc
+This is the function to call in the loaded library. The function
+should look like this:
+.Pp
+.Ft const char *
+.Fn passwd_check "krb5_context context" "krb5_principal principal" "krb5_data *password"
+.Pp
+.Fa context
+is an initialized context;
+.Fa principal
+is the one who tries to change passwords, and
+.Fa password
+is the new password. Note that the password (in
+.Fa password->data )
+is not zero terminated.
+.El
+.Sh DIAGNOSTICS
+If an error occurs, the error message is returned to the user and/or
+logged to syslog.
+.Sh BUGS
+The default password quality checks are too basic.
+.Sh SEE ALSO
+.Xr kdc 8 ,
+.Xr kpasswd 1
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
diff --git a/crypto/heimdal/kpasswd/kpasswdd.c b/crypto/heimdal/kpasswd/kpasswdd.c
new file mode 100644
index 0000000..04b8ea3
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.c
@@ -0,0 +1,634 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswdd.c,v 1.41 1999/12/02 17:05:00 joda Exp $");
+
+#include <kadm5/admin.h>
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <hdb.h>
+
+static krb5_context context;
+static krb5_log_facility *log_facility;
+
+static sig_atomic_t exit_flag = 0;
+
+static void
+send_reply (int s,
+	    struct sockaddr *sa,
+	    int sa_size,
+	    krb5_data *ap_rep,
+	    krb5_data *rest)
+{
+    struct msghdr msghdr;
+    struct iovec iov[3];
+    u_int16_t len, ap_rep_len;
+    u_char header[6];
+    u_char *p;
+
+    if (ap_rep)
+	ap_rep_len = ap_rep->length;
+    else
+	ap_rep_len = 0;
+
+    len = 6 + ap_rep_len + rest->length;
+    p = header;
+    *p++ = (len >> 8) & 0xFF;
+    *p++ = (len >> 0) & 0xFF;
+    *p++ = 0;
+    *p++ = 1;
+    *p++ = (ap_rep_len >> 8) & 0xFF;
+    *p++ = (ap_rep_len >> 0) & 0xFF;
+
+    memset (&msghdr, 0, sizeof(msghdr));
+    msghdr.msg_name       = (void *)sa;
+    msghdr.msg_namelen    = sa_size;
+    msghdr.msg_iov        = iov;
+    msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
+#if 0
+    msghdr.msg_control    = NULL;
+    msghdr.msg_controllen = 0;
+#endif
+
+    iov[0].iov_base       = (char *)header;
+    iov[0].iov_len        = 6;
+    if (ap_rep_len) {
+	iov[1].iov_base   = ap_rep->data;
+	iov[1].iov_len    = ap_rep->length;
+    } else {
+	iov[1].iov_base   = NULL;
+	iov[1].iov_len    = 0;
+    }
+    iov[2].iov_base       = rest->data;
+    iov[2].iov_len        = rest->length;
+
+    if (sendmsg (s, &msghdr, 0) < 0)
+	krb5_warn (context, errno, "sendmsg");
+}
+
+static int
+make_result (krb5_data *data,
+	     u_int16_t result_code,
+	     const char *expl)
+{
+    krb5_data_zero (data);
+
+    data->length = asprintf ((char **)&data->data,
+			     "%c%c%s",
+			     (result_code >> 8) & 0xFF,
+			     result_code & 0xFF,
+			     expl);
+
+    if (data->data == NULL) {
+	krb5_warnx (context, "Out of memory generating error reply");
+	return 1;
+    }
+    return 0;
+}
+
+static void
+reply_error (krb5_principal server,
+	     int s,
+	     struct sockaddr *sa,
+	     int sa_size,
+	     krb5_error_code error_code,
+	     u_int16_t result_code,
+	     const char *expl)
+{
+    krb5_error_code ret;
+    krb5_data error_data;
+    krb5_data e_data;
+
+    if (make_result(&e_data, result_code, expl))
+	return;
+
+    ret = krb5_mk_error (context,
+			 error_code,
+			 NULL,
+			 &e_data,
+			 NULL,
+			 server,
+			 0,
+			 &error_data);
+    krb5_data_free (&e_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+    send_reply (s, sa, sa_size, NULL, &error_data);
+    krb5_data_free (&error_data);
+}
+
+static void
+reply_priv (krb5_auth_context auth_context,
+	    int s,
+	    struct sockaddr *sa,
+	    int sa_size,
+	    u_int16_t result_code,
+	    const char *expl)
+{
+    krb5_error_code ret;
+    krb5_data krb_priv_data;
+    krb5_data ap_rep_data;
+    krb5_data e_data;
+
+    ret = krb5_mk_rep (context,
+		       &auth_context,
+		       &ap_rep_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+
+    if (make_result(&e_data, result_code, expl))
+	return;
+
+    ret = krb5_mk_priv (context,
+			auth_context,
+			&e_data,
+			&krb_priv_data,
+			NULL);
+    krb5_data_free (&e_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+    send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
+    krb5_data_free (&ap_rep_data);
+    krb5_data_free (&krb_priv_data);
+}
+
+/*
+ * Change the password for `principal', sending the reply back on `s'
+ * (`sa', `sa_size') to `pwd_data'.
+ */
+
+static void
+change (krb5_auth_context auth_context,
+	krb5_principal principal,
+	int s,
+	struct sockaddr *sa,
+	int sa_size,
+	krb5_data *pwd_data)
+{
+    krb5_error_code ret;
+    char *client;
+    kadm5_principal_ent_rec ent;
+    krb5_key_data *kd;
+    krb5_salt salt;
+    krb5_keyblock new_keyblock;
+    const char *pwd_reason;
+    int unchanged;
+    kadm5_config_params conf;
+    void *kadm5_handle;
+
+    memset (&conf, 0, sizeof(conf));
+    
+    krb5_unparse_name (context, principal, &client);
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       client,
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &conf, 0, 0, 
+				       &kadm5_handle);
+    if (ret) {
+	free (client);
+	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	return;
+    }
+
+    krb5_warnx (context, "Changing password for %s", client);
+    free (client);
+
+    pwd_reason = kadm5_check_password_quality (context, principal, pwd_data);
+    if (pwd_reason != NULL ) {
+	krb5_warnx (context, "%s", pwd_reason);
+	reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
+	kadm5_destroy (kadm5_handle);
+	return;
+    }
+
+    ret = kadm5_get_principal (kadm5_handle,
+			       principal,
+			       &ent,
+			       KADM5_KEY_DATA);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_get_principal");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	kadm5_destroy (kadm5_handle);
+	return;
+    }
+
+    /*
+     * Compare with the first key to see if it already has been
+     * changed.  If it hasn't, store the new key in the database and
+     * string2key all the rest of them.
+     */
+
+    kd = &ent.key_data[0];
+    
+    salt.salttype         = kd->key_data_type[1];
+    salt.saltvalue.length = kd->key_data_length[1];
+    salt.saltvalue.data   = kd->key_data_contents[1];
+
+    memset (&new_keyblock, 0, sizeof(new_keyblock));
+    krb5_string_to_key_data_salt (context,
+				  kd->key_data_type[0],
+				  *pwd_data,
+				  salt,
+				  &new_keyblock);
+
+    unchanged = new_keyblock.keytype == kd->key_data_type[0]
+	&& new_keyblock.keyvalue.length == kd->key_data_length[0]
+	&& memcmp(new_keyblock.keyvalue.data,
+		  kd->key_data_contents[0],
+		  new_keyblock.keyvalue.length) == 0;
+
+    krb5_free_keyblock_contents (context, &new_keyblock);
+
+    if (unchanged) {
+	ret = 0;
+    } else {
+	char *tmp;
+
+	tmp = malloc (pwd_data->length + 1);
+	if (tmp == NULL) {
+	    krb5_warnx (context, "malloc: out of memory");
+	    reply_priv (auth_context, s, sa, sa_size, 2,
+			"Internal error");
+	    goto out;
+	}
+	memcpy (tmp, pwd_data->data, pwd_data->length);
+	tmp[pwd_data->length] = '\0';
+
+	ret = kadm5_chpass_principal (kadm5_handle,
+				      principal,
+				      tmp);
+	memset (tmp, 0, pwd_data->length);
+	free (tmp);
+	if (ret) {
+	    krb5_warn (context, ret, "kadm5_s_chpass_principal");
+	    reply_priv (auth_context, s, sa, sa_size, 2,
+			"Internal error");
+	    goto out;
+	}
+    }
+    reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
+out:
+    kadm5_free_principal_ent (kadm5_handle, &ent);
+    kadm5_destroy (kadm5_handle);
+}
+
+static int
+verify (krb5_auth_context *auth_context,
+	krb5_principal server,
+	krb5_keytab keytab,
+	krb5_ticket **ticket,
+	krb5_data *out_data,
+	int s,
+	struct sockaddr *sa,
+	int sa_size,
+	u_char *msg,
+	size_t len)
+{
+    krb5_error_code ret;
+    u_int16_t pkt_len, pkt_ver, ap_req_len;
+    krb5_data ap_req_data;
+    krb5_data krb_priv_data;
+
+    pkt_len = (msg[0] << 8) | (msg[1]);
+    pkt_ver = (msg[2] << 8) | (msg[3]);
+    ap_req_len = (msg[4] << 8) | (msg[5]);
+    if (pkt_len != len) {
+	krb5_warnx (context, "Strange len: %ld != %ld", 
+		    (long)pkt_len, (long)len);
+	reply_error (server, s, sa, sa_size, 0, 1, "Bad request");
+	return 1;
+    }
+    if (pkt_ver != 0x0001) {
+	krb5_warnx (context, "Bad version (%d)", pkt_ver);
+	reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version");
+	return 1;
+    }
+
+    ap_req_data.data   = msg + 6;
+    ap_req_data.length = ap_req_len;
+
+    ret = krb5_rd_req (context,
+		       auth_context,
+		       &ap_req_data,
+		       server,
+		       keytab,
+		       NULL,
+		       ticket);
+    if (ret) {
+	if(ret == KRB5_KT_NOTFOUND) {
+	    char *name;
+	    krb5_unparse_name(context, server, &name);
+	    krb5_warnx (context, "krb5_rd_req: %s (%s)", 
+			krb5_get_err_text(context, ret), name);
+	    free(name);
+	} else
+	    krb5_warn (context, ret, "krb5_rd_req");
+	reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed");
+	return 1;
+    }
+
+    if (!(*ticket)->ticket.flags.initial) {
+	krb5_warnx (context, "initial flag not set");
+	reply_error (server, s, sa, sa_size, ret, 1,
+		     "Bad request");
+	goto out;
+    }
+    krb_priv_data.data   = msg + 6 + ap_req_len;
+    krb_priv_data.length = len - 6 - ap_req_len;
+
+    ret = krb5_rd_priv (context,
+			*auth_context,
+			&krb_priv_data,
+			out_data,
+			NULL);
+    
+    if (ret) {
+	krb5_warn (context, ret, "krb5_rd_priv");
+	reply_error (server, s, sa, sa_size, ret, 3, "Bad request");
+	goto out;
+    }
+    return 0;
+out:
+    krb5_free_ticket (context, *ticket);
+    return 1;
+}
+
+static void
+process (krb5_principal server,
+	 krb5_keytab keytab,
+	 int s,
+	 krb5_address *this_addr,
+	 struct sockaddr *sa,
+	 int sa_size,
+	 u_char *msg,
+	 int len)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    krb5_data out_data;
+    krb5_ticket *ticket;
+    krb5_address other_addr;
+
+    krb5_data_zero (&out_data);
+
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_auth_con_init");
+	return;
+    }
+
+    krb5_auth_con_setflags (context, auth_context,
+			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+    ret = krb5_sockaddr2address (sa, &other_addr);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_sockaddr2address");
+	goto out;
+    }
+
+    ret = krb5_auth_con_setaddrs (context,
+				  auth_context,
+				  this_addr,
+				  &other_addr);
+    krb5_free_address (context, &other_addr);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_auth_con_setaddr");
+	goto out;
+    }
+
+    if (verify (&auth_context, server, keytab, &ticket, &out_data,
+		s, sa, sa_size, msg, len) == 0) {
+	change (auth_context,
+		ticket->client,
+		s,
+		sa, sa_size,
+		&out_data);
+	krb5_free_ticket (context, ticket);
+	free (ticket);
+    }
+
+out:
+    krb5_data_free (&out_data);
+    krb5_auth_con_free (context, auth_context);
+}
+
+static int
+doit (krb5_keytab keytab,
+      int port)
+{
+    krb5_error_code ret;
+    krb5_principal server;
+    int *sockets;
+    int maxfd;
+    char *realm;
+    krb5_addresses addrs;
+    unsigned n, i;
+    fd_set real_fdset;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+
+    ret = krb5_get_default_realm (context, &realm);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_default_realm");
+
+    ret = krb5_build_principal (context,
+				&server,
+				strlen(realm),
+				realm,
+				"kadmin",
+				"changepw",
+				NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_build_principal");
+
+    free (realm);
+
+    ret = krb5_get_all_server_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+
+    n = addrs.len;
+
+    sockets = malloc (n * sizeof(*sockets));
+    if (sockets == NULL)
+	krb5_errx (context, 1, "out of memory");
+    maxfd = 0;
+    FD_ZERO(&real_fdset);
+    for (i = 0; i < n; ++i) {
+	int sa_size;
+
+	krb5_addr2sockaddr (&addrs.val[i], sa, &sa_size, port);
+
+	
+	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
+	if (sockets[i] < 0)
+	    krb5_err (context, 1, errno, "socket");
+	if (bind (sockets[i], sa, sa_size) < 0) {
+	    char str[128];
+	    size_t len;
+	    ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
+	    krb5_err (context, 1, errno, "bind(%s)", str);
+	}
+	maxfd = max (maxfd, sockets[i]);
+	FD_SET(sockets[i], &real_fdset);
+    }
+
+    while(exit_flag == 0) {
+	int ret;
+	fd_set fdset = real_fdset;
+
+	ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		krb5_err (context, 1, errno, "select");
+	}
+	for (i = 0; i < n; ++i)
+	    if (FD_ISSET(sockets[i], &fdset)) {
+		u_char buf[BUFSIZ];
+		int addrlen = sizeof(__ss);
+
+		ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
+				sa, &addrlen);
+		if (ret < 0) {
+		    if(errno == EINTR)
+			break;
+		    else
+			krb5_err (context, 1, errno, "recvfrom");
+		}
+
+		process (server, keytab, sockets[i],
+			 &addrs.val[i],
+			 sa, addrlen,
+			 buf, ret);
+	    }
+    }
+    krb5_free_addresses (context, &addrs);
+    krb5_free_principal (context, server);
+    krb5_free_context (context);
+    return 0;
+}
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = 1;
+}
+
+const char *check_library  = NULL;
+const char *check_function = NULL;
+char *keytab_str = "HDB:";
+char *realm_str;
+int version_flag;
+int help_flag;
+
+struct getargs args[] = {
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+#endif
+    { "keytab", 'k', arg_string, &keytab_str, 
+      "keytab to get authentication key from", "kspec" },
+    { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main (int argc, char **argv)
+{
+    int optind;
+    krb5_keytab keytab;
+    krb5_error_code ret;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(realm_str)
+	krb5_set_default_realm(context, realm_str);
+    
+    krb5_openlog (context, "kpasswdd", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytab_str);
+    
+    kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT, &sa, NULL);
+    }
+#else
+    signal(SIGINT, sigterm);
+#endif
+
+    return doit (keytab,
+		 krb5_getportbyname (context, "kpasswd", 
+				     "udp", KPASSWD_PORT));
+}
diff --git a/crypto/heimdal/krb5.conf b/crypto/heimdal/krb5.conf
new file mode 100644
index 0000000..c9f4c44
--- /dev/null
+++ b/crypto/heimdal/krb5.conf
@@ -0,0 +1,26 @@
+[libdefaults]
+        default_realm = MY.REALM
+	clockskew = 300
+	v4_instance_resolve = false
+	v4_name_convert = {
+		host = {
+			rcmd = host
+			ftp = ftp
+		}
+		plain = {
+			something = something-else
+		}
+	}
+	
+[realms]
+	MY.REALM = {
+		kdc = MY.COMPUTER
+	}
+	OTHER.REALM = {
+		v4_instance_convert = {
+			kerberos = kerberos
+			computer = computer.some.other.domain
+		}
+	}
+[domain_realm]
+	.my.domain = MY.REALM
diff --git a/crypto/heimdal/kuser/Makefile.am b/crypto/heimdal/kuser/Makefile.am
new file mode 100644
index 0000000..4faed9a
--- /dev/null
+++ b/crypto/heimdal/kuser/Makefile.am
@@ -0,0 +1,37 @@
+# $Id: Makefile.am,v 1.25 1999/09/21 05:12:29 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+
+bin_PROGRAMS = kinit kauth klist kdestroy kgetcred
+
+kinit_SOURCES = kinit.c kinit_options.c
+
+kauth_SOURCES = kinit.c kauth_options.c
+
+noinst_PROGRAMS = kverify kdecode_ticket
+
+CHECK_LOCAL = $(bin_PROGRAMS)
+
+kauth_LDADD = \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+kinit_LDADD	= $(kauth_LDADD)
+
+kdestroy_LDADD	= $(kauth_LDADD)
+
+klist_LDADD	= $(kauth_LDADD)
+
+LDADD = \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+ 	$(top_builddir)/lib/des/libdes.la \
+ 	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/kuser/Makefile.in b/crypto/heimdal/kuser/Makefile.in
new file mode 100644
index 0000000..06ec4716
--- /dev/null
+++ b/crypto/heimdal/kuser/Makefile.in
@@ -0,0 +1,777 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.25 1999/09/21 05:12:29 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(bin_PROGRAMS)
+
+man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+
+bin_PROGRAMS = kinit kauth klist kdestroy kgetcred
+
+kinit_SOURCES = kinit.c kinit_options.c
+
+kauth_SOURCES = kinit.c kauth_options.c
+
+noinst_PROGRAMS = kverify kdecode_ticket
+
+kauth_LDADD =  	$(LIB_kafs) 	$(top_builddir)/lib/krb5/libkrb5.la 	$(LIB_krb4) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+
+kinit_LDADD = $(kauth_LDADD)
+
+kdestroy_LDADD = $(kauth_LDADD)
+
+klist_LDADD = $(kauth_LDADD)
+
+LDADD =  	$(top_builddir)/lib/krb5/libkrb5.la  	$(top_builddir)/lib/des/libdes.la  	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kinit$(EXEEXT) kauth$(EXEEXT) klist$(EXEEXT) \
+kdestroy$(EXEEXT) kgetcred$(EXEEXT)
+noinst_PROGRAMS =  kverify$(EXEEXT) kdecode_ticket$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+kinit_OBJECTS =  kinit.$(OBJEXT) kinit_options.$(OBJEXT)
+@KRB4_TRUE@kinit_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@kinit_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+kinit_LDFLAGS = 
+kauth_OBJECTS =  kinit.$(OBJEXT) kauth_options.$(OBJEXT)
+@KRB4_TRUE@kauth_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@kauth_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+kauth_LDFLAGS = 
+klist_SOURCES = klist.c
+klist_OBJECTS =  klist.$(OBJEXT)
+@KRB4_TRUE@klist_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@klist_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+klist_LDFLAGS = 
+kdestroy_SOURCES = kdestroy.c
+kdestroy_OBJECTS =  kdestroy.$(OBJEXT)
+@KRB4_TRUE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+kdestroy_LDFLAGS = 
+kgetcred_SOURCES = kgetcred.c
+kgetcred_OBJECTS =  kgetcred.$(OBJEXT)
+kgetcred_LDADD = $(LDADD)
+kgetcred_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kgetcred_LDFLAGS = 
+kverify_SOURCES = kverify.c
+kverify_OBJECTS =  kverify.$(OBJEXT)
+kverify_LDADD = $(LDADD)
+kverify_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kverify_LDFLAGS = 
+kdecode_ticket_SOURCES = kdecode_ticket.c
+kdecode_ticket_OBJECTS =  kdecode_ticket.$(OBJEXT)
+kdecode_ticket_LDADD = $(LDADD)
+kdecode_ticket_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la
+kdecode_ticket_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kinit_SOURCES) $(kauth_SOURCES) klist.c kdestroy.c kgetcred.c kverify.c kdecode_ticket.c
+OBJECTS = $(kinit_OBJECTS) $(kauth_OBJECTS) klist.$(OBJEXT) kdestroy.$(OBJEXT) kgetcred.$(OBJEXT) kverify.$(OBJEXT) kdecode_ticket.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kuser/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES)
+	@rm -f kinit$(EXEEXT)
+	$(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
+
+kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES)
+	@rm -f kauth$(EXEEXT)
+	$(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS)
+
+klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES)
+	@rm -f klist$(EXEEXT)
+	$(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
+
+kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES)
+	@rm -f kdestroy$(EXEEXT)
+	$(LINK) $(kdestroy_LDFLAGS) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS)
+
+kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES)
+	@rm -f kgetcred$(EXEEXT)
+	$(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS)
+
+kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES)
+	@rm -f kverify$(EXEEXT)
+	$(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS)
+
+kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES)
+	@rm -f kdecode_ticket$(EXEEXT)
+	$(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = kuser
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-noinstPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-noinstPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kuser/kauth_options.c b/crypto/heimdal/kuser/kauth_options.c
new file mode 100644
index 0000000..c432d32
--- /dev/null
+++ b/crypto/heimdal/kuser/kauth_options.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kauth_options.c,v 1.2 1999/12/02 17:05:00 joda Exp $");
+
+#ifdef KRB4
+int do_afslog		= 1;
+int get_v4_tgt		= 1;
+#endif
diff --git a/crypto/heimdal/kuser/kdecode_ticket.c b/crypto/heimdal/kuser/kdecode_ticket.c
new file mode 100644
index 0000000..dd365dc
--- /dev/null
+++ b/crypto/heimdal/kuser/kdecode_ticket.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kdecode_ticket.c,v 1.2 1999/12/02 17:05:00 joda Exp $");
+
+static char *etype_str;
+static int version_flag;
+static int help_flag;
+
+static void
+print_and_decode_tkt (krb5_context context,
+		      krb5_data *ticket,
+		      krb5_principal server,
+		      krb5_enctype enctype)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_data dec_data;
+    size_t len;
+    EncTicketPart decr_part;
+    krb5_keyblock key;
+    Ticket tkt;
+
+    ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len);
+    if (ret)
+	krb5_err (context, 1, ret, "decode_Ticket");
+
+    ret = krb5_string_to_key (context, enctype, "foo", server, &key);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_string_to_key");
+
+    krb5_crypto_init(context, &key, 0, &crypto);
+
+    ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET,
+				      &tkt.enc_part, &dec_data);
+    krb5_crypto_destroy (context, crypto);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData");
+    ret = krb5_decode_EncTicketPart (context, dec_data.data, dec_data.length,
+				     &decr_part, &len);
+    krb5_data_free (&dec_data);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_decode_EncTicketPart");
+}
+
+struct getargs args[] = {
+    { "enctype",	'e', arg_string, &etype_str,
+      "encryption type to use", "enctype"},
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "service");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache cache;
+    krb5_creds in, *out;
+    int optind = 0;
+
+    set_progname (argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %u", ret);
+  
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1);
+
+    ret = krb5_cc_default(context, &cache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_default");
+
+    memset(&in, 0, sizeof(in));
+
+    if (etype_str) {
+	krb5_enctype enctype;
+
+	ret = krb5_string_to_enctype(context, etype_str, &enctype);
+	if (ret)
+	    krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
+	in.session.keytype = enctype;
+    }
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_get_principal");
+
+    ret = krb5_parse_name(context, argv[0], &in.server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
+
+    in.times.endtime = 0;
+    ret = krb5_get_credentials(context, 0, cache, &in, &out);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_credentials");
+
+    print_and_decode_tkt (context, &out->ticket, out->server,
+			  out->session.keytype);
+
+    krb5_free_creds_contents(context, out);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kdestroy.1 b/crypto/heimdal/kuser/kdestroy.1
new file mode 100644
index 0000000..18c5320
--- /dev/null
+++ b/crypto/heimdal/kuser/kdestroy.1
@@ -0,0 +1,34 @@
+.\" $Id: kdestroy.1,v 1.2 1999/05/14 14:05:40 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt KDESTROY 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kdestroy
+.Nd
+destroy the current ticket file
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar cachefile
+.Op Fl -cache= Ns Ar cachefile
+.Op Fl -no-unlog
+.Op Fl -no-delete-v4
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+.Nm
+remove the current set of tickets.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl c Ar cachefile
+.It Fl cache= Ns Ar cachefile
+The cache file to remove.
+.It Fl -no-unlog
+Do not remove AFS tokens.
+.It Fl -no-delete-v4
+Do not remove v4 tickets.
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr klist 1
diff --git a/crypto/heimdal/kuser/kdestroy.c b/crypto/heimdal/kuser/kdestroy.c
new file mode 100644
index 0000000..632d02e
--- /dev/null
+++ b/crypto/heimdal/kuser/kdestroy.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kdestroy.c,v 1.11 1999/12/02 17:05:01 joda Exp $");
+
+static const char *cache;
+static int help_flag;
+static int version_flag;
+static int unlog_flag = 1;
+static int dest_tkt_flag = 1;
+
+struct getargs args[] = {
+    { "cache",		'c', arg_string, &cache, "cache to destroy", "cache" },
+    { "unlog",		0,   arg_negative_flag, &unlog_flag,
+      "do not destroy tokens", NULL },
+    { "delete-v4",	0,   arg_negative_flag, &dest_tkt_flag,
+      "do not destroy v4 tickets", NULL },
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		'h', arg_flag, &help_flag, NULL, NULL}
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int status)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (status);
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache  ccache;
+    int optind = 0;
+    int exit_val = 0;
+
+    set_progname (argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+  
+    if (help_flag)
+	usage (0);
+  
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+  
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage (1);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context: %s", krb5_get_err_text(context, ret));
+  
+    if(cache == NULL)
+	cache = krb5_cc_default_name(context);
+
+    ret =  krb5_cc_resolve(context, 
+			   cache, 
+			   &ccache);
+
+    if (ret == 0) {
+	ret = krb5_cc_destroy (context, ccache);
+	if (ret) {
+	    warnx ("krb5_cc_destroy: %s", krb5_get_err_text(context, ret));
+	    exit_val = 1;
+	}
+    } else {
+	warnx ("krb5_cc_resolve(%s): %s", cache,
+	       krb5_get_err_text(context, ret));
+	exit_val = 1;
+    }
+
+    krb5_free_context (context);
+
+#if KRB4
+    if(dest_tkt_flag && dest_tkt ())
+	exit_val = 1;
+    if (unlog_flag && k_hasafs ()) {
+	if (k_unlog ())
+	    exit_val = 1;
+    }
+#endif
+
+    return exit_val;
+}
diff --git a/crypto/heimdal/kuser/kgetcred.1 b/crypto/heimdal/kuser/kgetcred.1
new file mode 100644
index 0000000..0dbbbff
--- /dev/null
+++ b/crypto/heimdal/kuser/kgetcred.1
@@ -0,0 +1,41 @@
+.\" $Id: kgetcred.1,v 1.2 1999/05/13 22:26:35 assar Exp $
+.\"
+.Dd May 14, 1999
+.Dt KGETCRED 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kgetcred
+.Nd
+get a ticket for a particular service
+.Sh SYNOPSIS
+.Nm
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctype= Ns Ar enctype Oc
+.Xc
+.Op Fl -version
+.Op Fl -help
+.Ar service
+.Sh DESCRIPTION
+.Nm
+obtains a ticket for a service.
+Usually tickets for services are obtained automatically when needed
+but sometimes for some odd reason you want to obtain a particular
+ticket or of a special type.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl e Ar enctype Ns ,
+.Fl -enctype= Ns Ar enctype
+.Xc
+encryption type to use
+.It Xo
+.Fl -version
+.Xc
+.It Xo
+.Fl -help
+.Xc
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr klist 1
diff --git a/crypto/heimdal/kuser/kgetcred.c b/crypto/heimdal/kuser/kgetcred.c
new file mode 100644
index 0000000..644e69e
--- /dev/null
+++ b/crypto/heimdal/kuser/kgetcred.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kgetcred.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+
+static char *etype_str;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "enctype",	'e', arg_string, &etype_str,
+      "encryption type to use", "enctype"},
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "service");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache cache;
+    krb5_creds in, *out;
+    int optind = 0;
+
+    set_progname (argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %u", ret);
+  
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1);
+
+    ret = krb5_cc_default(context, &cache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_default");
+
+    memset(&in, 0, sizeof(in));
+
+    if (etype_str) {
+	krb5_enctype enctype;
+
+	ret = krb5_string_to_enctype(context, etype_str, &enctype);
+	if (ret)
+	    krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
+	in.session.keytype = enctype;
+    }
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_get_principal");
+
+    ret = krb5_parse_name(context, argv[0], &in.server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
+
+    in.times.endtime = 0;
+    ret = krb5_get_credentials(context, 0, cache, &in, &out);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_credentials");
+
+    krb5_free_creds_contents(context, out);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kinit.1 b/crypto/heimdal/kuser/kinit.1
new file mode 100644
index 0000000..749798a
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit.1
@@ -0,0 +1,181 @@
+.\" $Id: kinit.1,v 1.4 2000/02/01 14:12:13 joda Exp $
+.\"
+.Dd May 29, 1998
+.Dt KINIT 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kinit ,
+.Nm kauth
+.Nd
+acquire initial tickets
+.Sh SYNOPSIS
+.Nm kinit
+.Op Fl 4
+.Op Fl -524init
+.Op Fl -afslog
+.Op Fl c Ar cachename
+.Op Fl -cache= Ns Ar cachename
+.Op Fl c Ar cachename
+.Op Fl -cache= Ns Ar cachename
+.Op Fl f
+.Op Fl -forwardable
+.Op Fl t Ar keytabname
+.Op Fl -keytab= Ns Ar keytabname
+.Op Fl l Ar seconds
+.Op Fl -lifetime= Ns Ar seconds
+.Op Fl p
+.Op Fl -proxiable
+.Op Fl R
+.Op Fl -renew
+.Op Fl -renewable
+.Op Fl r Ar seconds
+.Op Fl -renewable-life= Ns Ar seconds
+.Op Fl S Ar principal
+.Op Fl -server= Ns Ar principal
+.Op Fl s Ar seconds
+.Op Fl -start-time= Ns Ar seconds
+.Op Fl k
+.Op Fl -use-keytab
+.Op Fl v
+.Op Fl -validate
+.Op Fl e
+.Op Fl -enctypes= Ns Ar enctypes
+.Op Fl -fcache-version= Ns Ar version
+.Op Fl -no-addresses
+.Op Fl -version
+.Op Fl -help
+.Op Ar principal
+.Sh DESCRIPTION
+.Nm
+is used to authenticate to the kerberos server as
+.Ar principal ,
+or if none is given, a system generated default, and acquire a ticket
+granting ticket that can later be used to obtain tickets for other
+services.
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar cachename
+.Fl -cache= Ns Ar cachename
+.Xc
+The credentials cache to put the acquired ticket in, if other than
+default.
+.It Xo
+.Fl f Ns ,
+.Fl -forwardable
+.Xc
+Get ticket that can be forwarded to another host.
+.It Xo
+.Fl t Ar keytabname Ns ,
+.Fl -keytab= Ns Ar keytabname
+.Xc
+Don't ask for a password, but instead get the key from the specified
+keytab.
+.It Xo 
+.Fl l Ar seconds Ns , 
+.Fl -lifetime= Ns Ar seconds
+.Xc
+Specifies the lifetime of the ticket.
+.It Xo
+.Fl p Ns ,
+.Fl -proxiable
+.Xc
+Request tickets with the proxiable flag set.
+.It Xo
+.Fl R Ns ,
+.Fl -renew
+.Xc
+Try to renew ticket. The ticket must have the
+.Sq renewable
+flag set, and must not be expired.
+.It Fl -renewable
+The same as
+.Fl -renewable-life ,
+with an infinite time.
+.It Xo
+.Fl r Ar seconds Ns ,
+.Fl -renewable-life= Ns Ar seconds
+.Xc
+The max renewable ticket life.
+.It Xo
+.Fl S Ar principal Ns ,
+.Fl -server= Ns Ar principal
+.Xc
+Get a ticket for a service other than krbtgt/LOCAL.REALM.
+.It Xo
+.Fl s Ar seconds Ns ,
+.Fl -start-time= Ns Ar seconds
+.Xc
+Start time of ticket, if other than the current time.
+.It Xo
+.Fl k Ns ,
+.Fl -use-keytab
+.Xc
+The same as
+.Fl -keytab ,
+but with the default keytab name (normally
+.Ar FILE:/etc/krb5.keytab ) .
+.It Xo
+.Fl v Ns ,
+.Fl -validate
+.Xc
+Try to validate an invalid ticket.
+.It Xo
+.Fl e ,
+.Fl -enctypes= Ns Ar enctypes
+.Xc
+Request tickets with this particular enctype.
+.It Xo
+.Fl -fcache-version= Ns Ar version
+.Xc
+Create a credentials cache of version
+.Nm version .
+.It Xo
+.Fl -no-addresses
+.Xc
+Request a ticket with no addresses.
+.El
+
+The following options are only available if
+.Nm 
+has been compiled with support for Kerberos 4. The 
+.Nm kauth
+program is identical to
+.Nm kinit ,
+but has these options enabled by
+default.
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 Ns ,
+.Fl -524init
+.Xc
+Try to convert the obtained krbtgt to a version 4 compatible
+ticket. It will store this ticket in the default Kerberos 4 ticket
+file.
+.It Fl -afslog
+Gets AFS tickets, converts them to version 4 format, and stores them
+in the kernel. Only useful if you have AFS.
+.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev KRB5CCNAME
+Specifies the default cache file.
+.It Ev KRB5_CONFIG
+The directory where the
+.Pa krb5.conf
+can be found, default is 
+.Pa /etc .
+.It Ev KRBTKFILE
+Specifies the Kerberos 4 ticket file to store version 4 tickets in.
+.El
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr krb5.conf 5 ,
+.Xr klist 1 ,
+.Xr kdestroy 1
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kuser/kinit.c b/crypto/heimdal/kuser/kinit.c
new file mode 100644
index 0000000..35b493a
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit.c
@@ -0,0 +1,391 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kinit.c,v 1.60 2000/02/01 14:06:33 joda Exp $");
+
+int forwardable		= 0;
+int proxiable		= 0;
+int renewable		= 0;
+int renew_flag		= 0;
+int validate_flag	= 0;
+int version_flag	= 0;
+int help_flag		= 0;
+int addrs_flag		= 1;
+char *lifetime 		= NULL;
+char *renew_life	= NULL;
+char *server		= NULL;
+char *cred_cache	= NULL;
+char *start_str		= NULL;
+struct getarg_strings etype_str;
+int use_keytab		= 0;
+char *keytab_str	= NULL;
+#ifdef KRB4
+extern int do_afslog;
+extern int get_v4_tgt;
+#endif
+int fcache_version;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "524init", 	'4', arg_flag, &get_v4_tgt,
+      "obtain version 4 TGT" },
+    
+    { "afslog", 	0  , arg_flag, &do_afslog,
+      "obtain afs tokens"  },
+#endif
+    { "cache", 		'c', arg_string, &cred_cache,
+      "credentials cache", "cachename" },
+
+    { "forwardable",	'f', arg_flag, &forwardable,
+      "get forwardable tickets"},
+
+    { "keytab",         't', arg_string, &keytab_str,
+      "keytab to use", "keytabname" },
+
+    { "lifetime",	'l', arg_string, &lifetime,
+      "lifetime of tickets", "seconds"},
+
+    { "proxiable",	'p', arg_flag, &proxiable,
+      "get proxiable tickets" },
+
+    { "renew",          'R', arg_flag, &renew_flag,
+      "renew TGT" },
+
+    { "renewable",	0,   arg_flag, &renewable,
+      "get renewable tickets" },
+
+    { "renewable-life",	'r', arg_string, &renew_life,
+      "renewable lifetime of tickets", "seconds" },
+
+    { "server", 	'S', arg_string, &server,
+      "server to get ticket for", "principal" },
+
+    { "start-time",	's', arg_string, &start_str,
+      "when ticket gets valid", "seconds" },
+
+    { "use-keytab",     'k', arg_flag, &use_keytab,
+      "get key from keytab" },
+
+    { "validate",	'v', arg_flag, &validate_flag,
+      "validate TGT" },
+
+    { "enctypes",	'e', arg_strings, &etype_str,
+      "encryption type to use", "enctype" },
+
+    { "fcache-version", 0,   arg_integer, &fcache_version,
+      "file cache version to create" },
+
+    { "addresses",	0,   arg_negative_flag,	&addrs_flag,
+      "request a ticket with no addresses" },
+
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[principal]");
+    exit (ret);
+}
+
+static int
+renew_validate(krb5_context context, 
+	       int renew,
+	       int validate,
+	       krb5_ccache cache, 
+	       const char *server,
+	       krb5_deltat life)
+{
+    krb5_error_code ret;
+    krb5_creds in, *out;
+    krb5_kdc_flags flags;
+
+    memset(&in, 0, sizeof(in));
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_cc_get_principal");
+	return ret;
+    }
+    if(server) {
+	ret = krb5_parse_name(context, server, &in.server);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_parse_name");
+	    goto out;
+	}
+    } else {
+	krb5_realm *client_realm = krb5_princ_realm (context, in.client);
+
+	ret = krb5_make_principal(context, &in.server, *client_realm,
+				  KRB5_TGS_NAME, *client_realm, NULL);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_make_principal");
+	    goto out;
+	}
+    }
+    flags.i = 0;
+    flags.b.renewable   = flags.b.renew = renew;
+    flags.b.validate    = validate;
+    flags.b.forwardable = forwardable;
+    flags.b.proxiable   = proxiable;
+    if(life)
+	in.times.endtime = time(NULL) + life;
+
+    ret = krb5_get_kdc_cred(context,
+			    cache,
+			    flags,
+			    NULL,
+			    NULL,
+			    &in,
+			    &out);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_get_kdc_cred");
+	goto out;
+    }
+    ret = krb5_cc_initialize(context, cache, in.client);
+    if(ret) {
+	krb5_free_creds (context, out);
+	krb5_warn(context, ret, "krb5_cc_initialize");
+	goto out;
+    }
+    ret = krb5_cc_store_cred(context, cache, out);
+    krb5_free_creds (context, out);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_cc_store_cred");
+	goto out;
+    }
+out:
+    krb5_free_creds_contents(context, &in);
+    return ret;
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache  ccache;
+    krb5_principal principal;
+    krb5_creds cred;
+    int optind = 0;
+    krb5_get_init_creds_opt opt;
+    krb5_deltat start_time = 0;
+    krb5_deltat ticket_life = 0;
+    krb5_addresses no_addrs;
+
+    set_progname (argv[0]);
+    memset(&cred, 0, sizeof(cred));
+    
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %u", ret);
+  
+    forwardable = krb5_config_get_bool (context, NULL,
+					"libdefaults",
+					"forwardable",
+					NULL);
+
+#ifdef KRB4
+    get_v4_tgt = krb5_config_get_bool_default (context, NULL,
+					       get_v4_tgt,
+					       "libdefaults",
+					       "krb4_get_tickets",
+					       NULL);
+#endif
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(fcache_version)
+	krb5_set_fcache_version(context, fcache_version);
+
+    if(cred_cache) 
+	ret = krb5_cc_resolve(context, cred_cache, &ccache);
+    else
+	ret = krb5_cc_default (context, &ccache);
+    if (ret)
+	krb5_err (context, 1, ret, "resolving credentials cache");
+
+    if (lifetime) {
+	int tmp = parse_time (lifetime, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", lifetime);
+
+	ticket_life = tmp;
+    }
+    if(renew_flag || validate_flag) {
+	ret = renew_validate(context, renew_flag, validate_flag, 
+			     ccache, server, ticket_life);
+	exit(ret != 0);
+    }
+
+    krb5_get_init_creds_opt_init (&opt);
+    
+    krb5_get_init_creds_opt_set_forwardable (&opt, forwardable);
+    krb5_get_init_creds_opt_set_proxiable (&opt, proxiable);
+
+    if (!addrs_flag) {
+	no_addrs.len = 0;
+	no_addrs.val = NULL;
+
+	krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs);
+    }
+
+    if(renew_life) {
+	int tmp = parse_time (renew_life, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", renew_life);
+
+	krb5_get_init_creds_opt_set_renew_life (&opt, tmp);
+    } else if (renewable)
+	krb5_get_init_creds_opt_set_renew_life (&opt, 1 << 30);
+
+    if(ticket_life != 0)
+	krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life);
+
+    if(start_str) {
+	int tmp = parse_time (start_str, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", start_str);
+
+	start_time = tmp;
+    }
+
+    if(etype_str.num_strings) {
+	krb5_enctype *enctype = NULL;
+	int i;
+	enctype = malloc(etype_str.num_strings * sizeof(*enctype));
+	if(enctype == NULL)
+	    errx(1, "out of memory");
+	for(i = 0; i < etype_str.num_strings; i++) {
+	    ret = krb5_string_to_enctype(context, 
+					 etype_str.strings[i], 
+					 &enctype[i]);
+	    if(ret)
+		errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
+	}
+	krb5_get_init_creds_opt_set_etype_list(&opt, enctype, 
+					       etype_str.num_strings);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage (1);
+
+    if (argv[0]) {
+	ret = krb5_parse_name (context, argv[0], &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name");
+    } else
+	principal = NULL;
+
+    if(use_keytab || keytab_str) {
+	krb5_keytab kt;
+	if(keytab_str)
+	    ret = krb5_kt_resolve(context, keytab_str, &kt);
+	else
+	    ret = krb5_kt_default(context, &kt);
+	if (ret)
+	    krb5_err (context, 1, ret, "resolving keytab");
+	ret = krb5_get_init_creds_keytab (context,
+					  &cred,
+					  principal,
+					  kt,
+					  start_time,
+					  server,
+					  &opt);
+	krb5_kt_close(context, kt);
+    } else 
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    NULL,
+					    krb5_prompter_posix,
+					    NULL,
+					    start_time,
+					    server,
+					    &opt);
+    switch(ret){
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
+	exit(1);
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+    case KRB5KRB_AP_ERR_MODIFIED:
+	krb5_errx(context, 1, "Password incorrect");
+	break;
+    default:
+	krb5_err(context, 1, ret, "krb5_get_init_creds");
+    }
+
+    ret = krb5_cc_initialize (context, ccache, cred.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_initialize");
+    
+    ret = krb5_cc_store_cred (context, ccache, &cred);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_store_cred");
+
+#ifdef KRB4
+    if(get_v4_tgt) {
+	CREDENTIALS c;
+	ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
+	if(ret)
+	    krb5_warn(context, ret, "converting creds");
+	else
+	    tf_setup(&c, c.pname, c.pinst);
+	memset(&c, 0, sizeof(c));
+    }
+    if(do_afslog && k_hasafs())
+	krb5_afslog(context, ccache, NULL, NULL);
+#endif
+    krb5_free_creds_contents (context, &cred);
+    krb5_cc_close (context, ccache);
+    krb5_free_context (context);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kinit_options.c b/crypto/heimdal/kuser/kinit_options.c
new file mode 100644
index 0000000..5a7dcd9
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit_options.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kinit_options.c,v 1.2 1999/12/02 17:05:01 joda Exp $");
+
+#ifdef KRB4
+int do_afslog		= 0;
+int get_v4_tgt		= 0;
+#endif
diff --git a/crypto/heimdal/kuser/klist.1 b/crypto/heimdal/kuser/klist.1
new file mode 100644
index 0000000..e875401
--- /dev/null
+++ b/crypto/heimdal/kuser/klist.1
@@ -0,0 +1,37 @@
+.\" $Id: klist.1,v 1.4 1999/05/14 14:03:55 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt KLIST 1
+.Os HEIMDAL
+.Sh NAME
+.Nm klist
+.Nd
+list the current tickets
+.Sh SYNOPSIS
+.Nm
+.Op Fl t | Fl -test
+.Op Fl v | Fl -verbose
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+.Nm
+reads and displays the current tickets in the crential cache (also
+knows as the ticket file).
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Xo
+.Fl t Ns ,
+.Fl -test
+.Xc
+Test for there being an active and valid TGT for the local realm of
+the user in the credential cache.
+.It Xo
+.Fl v Ns ,
+.Fl -verbose
+.Xc
+Verbose output. Include all information from tickets.
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr kdestroy 1
diff --git a/crypto/heimdal/kuser/klist.c b/crypto/heimdal/kuser/klist.c
new file mode 100644
index 0000000..180e9f3
--- /dev/null
+++ b/crypto/heimdal/kuser/klist.c
@@ -0,0 +1,445 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: klist.c,v 1.53 2000/02/06 08:15:40 assar Exp $");
+
+static char*
+printable_time(time_t t)
+{
+    static char s[128];
+    strcpy(s, ctime(&t)+ 4);
+    s[15] = 0;
+    return s;
+}
+
+static char*
+printable_time_long(time_t t)
+{
+    static char s[128];
+    strcpy(s, ctime(&t)+ 4);
+    s[20] = 0;
+    return s;
+}
+
+static void
+print_cred(krb5_context context, krb5_creds *cred)
+{
+    char *str;
+    krb5_error_code ret;
+    krb5_timestamp sec;
+
+    krb5_timeofday (context, &sec);
+
+    if(cred->times.starttime)
+	printf ("%s  ", printable_time(cred->times.starttime));
+    else
+	printf ("%s  ", printable_time(cred->times.authtime));
+    
+    if(cred->times.endtime > sec)
+	printf ("%s  ", printable_time(cred->times.endtime));
+    else
+	printf ("%-15s  ", ">>>Expired<<<");
+    ret = krb5_unparse_name (context, cred->server, &str);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+    printf ("%s\n", str);
+    free (str);
+}
+
+static void
+print_cred_verbose(krb5_context context, krb5_creds *cred)
+{
+    int j;
+    char *str;
+    krb5_error_code ret;
+    int first_flag;
+    krb5_timestamp sec;
+
+    krb5_timeofday (context, &sec);
+
+    ret = krb5_unparse_name(context, cred->server, &str);
+    if(ret)
+	exit(1);
+    printf("Server: %s\n", str);
+    free (str);
+    {
+	Ticket t;
+	size_t len;
+	char *s;
+
+	decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
+	ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
+	if (ret == 0) {
+	    printf("Ticket etype: %s", s);
+	    free(s);
+	} else {
+	    printf("Unknown etype: %d", t.enc_part.etype);
+	}
+	if(t.enc_part.kvno)
+	    printf(", kvno %d", *t.enc_part.kvno);
+	printf("\n");
+	if(cred->session.keytype != t.enc_part.etype) {
+	    ret = krb5_keytype_to_string(context, cred->session.keytype, &str);
+	    if(ret == KRB5_PROG_KEYTYPE_NOSUPP)
+		ret = krb5_enctype_to_string(context, cred->session.keytype, 
+					     &str);
+	    if(ret)
+		krb5_warn(context, ret, "session keytype");
+	    else {
+		printf("Session key: %s\n", str);
+		free(str);
+	    }
+	}
+	free_Ticket(&t);
+    }
+    printf("Auth time:  %s\n", printable_time_long(cred->times.authtime));
+    if(cred->times.authtime != cred->times.starttime)
+	printf("Start time: %s\n", printable_time_long(cred->times.starttime));
+    printf("End time:   %s", printable_time_long(cred->times.endtime));
+    if(sec > cred->times.endtime)
+	printf(" (expired)");
+    printf("\n");
+    if(cred->flags.b.renewable)
+	printf("Renew till: %s\n", 
+	       printable_time_long(cred->times.renew_till));
+    printf("Ticket flags: ");
+#define PRINT_FLAG2(f, s) if(cred->flags.b.f) { if(!first_flag) printf(", "); printf("%s", #s); first_flag = 0; }
+#define PRINT_FLAG(f) PRINT_FLAG2(f, f)
+    first_flag = 1;
+    PRINT_FLAG(forwardable);
+    PRINT_FLAG(forwarded);
+    PRINT_FLAG(proxiable);
+    PRINT_FLAG(proxy);
+    PRINT_FLAG2(may_postdate, may-postdate);
+    PRINT_FLAG(postdated);
+    PRINT_FLAG(invalid);
+    PRINT_FLAG(renewable);
+    PRINT_FLAG(initial);
+    PRINT_FLAG2(pre_authent, pre-authenticated);
+    PRINT_FLAG2(hw_authent, hw-authenticated);
+    PRINT_FLAG2(transited_policy_checked, transited-policy-checked);
+    PRINT_FLAG2(ok_as_delegate, ok-as-delegate);
+    PRINT_FLAG(anonymous);
+    printf("\n");
+    printf("Addresses: ");
+    for(j = 0; j < cred->addresses.len; j++){
+	char buf[128];
+	size_t len;
+	if(j) printf(", ");
+	ret = krb5_print_address(&cred->addresses.val[j], 
+				 buf, sizeof(buf), &len);
+
+	if(ret == 0)
+	    printf("%s", buf);
+    }
+    printf("\n\n");
+}
+
+/*
+ * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
+ */
+
+static void
+print_tickets (krb5_context context,
+	       krb5_ccache ccache,
+	       krb5_principal principal,
+	       int do_verbose)
+{
+    krb5_error_code ret;
+    char *str;
+    krb5_cc_cursor cursor;
+    krb5_creds creds;
+
+    ret = krb5_unparse_name (context, principal, &str);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+
+    printf ("%17s: %s:%s\n", 
+	    "Credentials cache",
+	    krb5_cc_get_type(context, ccache),
+	    krb5_cc_get_name(context, ccache));
+    printf ("%17s: %s\n", "Principal", str);
+    free (str);
+    
+    if(do_verbose)
+	printf ("%17s: %d\n", "Cache version",
+		krb5_cc_get_version(context, ccache));
+    
+    if (do_verbose && context->kdc_sec_offset) {
+	char buf[BUFSIZ];
+	int val;
+	int sig;
+
+	val = context->kdc_sec_offset;
+	sig = 1;
+	if (val < 0) {
+	    sig = -1;
+	    val = -val;
+	}
+
+	unparse_time (val, buf, sizeof(buf));
+
+	printf ("%17s: %s%s\n", "KDC time offset",
+		sig == -1 ? "-" : "", buf);
+    }
+
+    printf("\n");
+
+    ret = krb5_cc_start_seq_get (context, ccache, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+    if(!do_verbose)
+	printf("  %-15s  %-15s  %s\n", "Issued", "Expires", "Principal");
+
+    while (krb5_cc_next_cred (context,
+			      ccache,
+			      &creds,
+			      &cursor) == 0) {
+	if(do_verbose){
+	    print_cred_verbose(context, &creds);
+	}else{
+	    print_cred(context, &creds);
+	}
+	krb5_free_creds_contents (context, &creds);
+    }
+    ret = krb5_cc_end_seq_get (context, ccache, &cursor);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
+}
+
+/*
+ * Check if there's a tgt for the realm of `principal' and ccache and
+ * if so return 0, else 1
+ */
+
+static int
+check_for_tgt (krb5_context context,
+	       krb5_ccache ccache,
+	       krb5_principal principal)
+{
+    krb5_error_code ret;
+    krb5_creds pattern;
+    krb5_creds creds;
+    krb5_realm *client_realm;
+    int expired;
+
+    client_realm = krb5_princ_realm (context, principal);
+
+    ret = krb5_make_principal (context, &pattern.server,
+			       *client_realm, KRB5_TGS_NAME, *client_realm,
+			       NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_make_principal");
+
+    ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
+    expired = time(NULL) > creds.times.endtime;
+    krb5_free_principal (context, pattern.server);
+    krb5_free_creds_contents (context, &creds);
+    if (ret) {
+	if (ret == KRB5_CC_END)
+	    return 1;
+	krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
+    }
+    return expired;
+}
+
+#ifdef KRB4
+/*
+ * Print a list of all AFS tokens
+ */
+
+static void
+display_tokens(int do_verbose)
+{
+    u_int32_t i;
+    unsigned char t[128];
+    struct ViceIoctl parms;
+
+    parms.in = (void *)&i;
+    parms.in_size = sizeof(i);
+    parms.out = (void *)t;
+    parms.out_size = sizeof(t);
+
+    for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) {
+        int32_t size_secret_tok, size_public_tok;
+        unsigned char *cell;
+	struct ClearToken ct;
+	unsigned char *r = t;
+	struct timeval tv;
+	char buf1[20], buf2[20];
+
+	memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
+	/* dont bother about the secret token */
+	r += size_secret_tok + sizeof(size_secret_tok);
+	memcpy(&size_public_tok, r, sizeof(size_public_tok));
+	r += sizeof(size_public_tok);
+	memcpy(&ct, r, size_public_tok);
+	r += size_public_tok;
+	/* there is a int32_t with length of cellname, but we dont read it */
+	r += sizeof(int32_t);
+	cell = r;
+
+	gettimeofday (&tv, NULL);
+	strlcpy (buf1, printable_time(ct.BeginTimestamp),
+			 sizeof(buf1));
+	if (do_verbose || tv.tv_sec < ct.EndTimestamp)
+	    strlcpy (buf2, printable_time(ct.EndTimestamp),
+			     sizeof(buf2));
+	else
+	    strlcpy (buf2, ">>> Expired <<<", sizeof(buf2));
+
+	printf("%s  %s  ", buf1, buf2);
+
+	if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
+	  printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell);
+	else
+	  printf("Tokens for %s", cell);
+	if (do_verbose)
+	    printf(" (%d)", ct.AuthHandle);
+	putchar('\n');
+    }
+}
+#endif
+
+static int version_flag = 0;
+static int help_flag	= 0;
+static int do_verbose	= 0;
+static int do_test	= 0;
+#ifdef KRB4
+static int do_tokens	= 0;
+#endif
+static char *cred_cache;
+
+static struct getargs args[] = {
+    { "cache",			'c', arg_string, &cred_cache,
+      "credentials cache to list", "cache" },
+    { "test",			't', arg_flag, &do_test,
+      "test for having tickets", NULL },
+#ifdef KRB4
+    { "tokens",			'T',   arg_flag, &do_tokens,
+      "display AFS tokens", NULL },
+#endif
+    { "verbose",		'v', arg_flag, &do_verbose,
+      "Verbose output", NULL },
+    { "version", 		0,   arg_flag, &version_flag, 
+      "print version", NULL },
+    { "help",			0,   arg_flag, &help_flag, 
+      NULL, NULL}
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    int optind = 0;
+    int exit_status = 0;
+
+    set_progname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage (1);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_init_context");
+
+    if(cred_cache) {
+	ret = krb5_cc_resolve(context, cred_cache, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "%s", cred_cache);
+    } else {
+	ret = krb5_cc_default (context, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if(ret == ENOENT) {
+	    if (do_test)
+		return 1;
+	    else
+		krb5_errx(context, 1, "No ticket file: %s", 
+			  krb5_cc_get_name(context, ccache));
+	} else
+	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
+    }
+    if (do_test)
+	exit_status = check_for_tgt (context, ccache, principal);
+    else
+	print_tickets (context, ccache, principal, do_verbose);
+
+    ret = krb5_cc_close (context, ccache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_close");
+
+    krb5_free_principal (context, principal);
+    krb5_free_context (context);
+
+#ifdef KRB4
+    if (!do_test && do_tokens && k_hasafs ())
+	display_tokens (do_verbose);
+#endif
+
+    return exit_status;
+}
diff --git a/crypto/heimdal/kuser/kuser_locl.h b/crypto/heimdal/kuser/kuser_locl.h
new file mode 100644
index 0000000..2010150
--- /dev/null
+++ b/crypto/heimdal/kuser/kuser_locl.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kuser_locl.h,v 1.12 1999/12/02 17:05:01 joda Exp $ */
+
+#ifndef __KUSER_LOCL_H__
+#define __KUSER_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#include <roken.h>
+#include <getarg.h>
+#include <parse_time.h>
+#include <err.h>
+#include <krb5.h>
+
+#ifdef KRB4
+#include <krb.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#include <kafs.h>
+
+#endif /* __KUSER_LOCL_H__ */
diff --git a/crypto/heimdal/kuser/kverify.c b/crypto/heimdal/kuser/kverify.c
new file mode 100644
index 0000000..986d7c9
--- /dev/null
+++ b/crypto/heimdal/kuser/kverify.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kverify.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+    krb5_get_init_creds_opt get_options;
+    krb5_verify_init_creds_opt verify_options;
+
+    krb5_init_context(&context);
+
+    krb5_get_init_creds_opt_init (&get_options);
+
+    krb5_get_init_creds_opt_set_preauth_list (&get_options,
+					      pre_auth_types,
+					      1);
+
+    krb5_verify_init_creds_opt_init (&verify_options);
+    
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					NULL,
+					NULL,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					NULL,
+					&get_options);
+    if (ret)
+	errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret));
+
+    ret = krb5_verify_init_creds (context,
+				  &cred,
+				  NULL,
+				  NULL,
+				  NULL,
+				  &verify_options);
+    if (ret)
+	errx (1, "krb5_verify_init_creds: %s",
+	      krb5_get_err_text(context, ret));
+    krb5_free_creds_contents (context, &cred);
+    krb5_free_context (context);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/45/45_locl.h b/crypto/heimdal/lib/45/45_locl.h
new file mode 100644
index 0000000..8104179
--- /dev/null
+++ b/crypto/heimdal/lib/45/45_locl.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifndef __45_LOCL_H__
+#define __45_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
+#include <krb5.h>
+#include <krb.h>
+#include <prot.h>
+
+#endif /* __45_LOCL_H__ */
diff --git a/crypto/heimdal/lib/45/Makefile.am b/crypto/heimdal/lib/45/Makefile.am
new file mode 100644
index 0000000..50d47fd
--- /dev/null
+++ b/crypto/heimdal/lib/45/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+lib_LIBRARIES = @EXTRA_LIB45@
+
+EXTRA_LIBRARIES = lib45.a
+
+lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
diff --git a/crypto/heimdal/lib/45/Makefile.in b/crypto/heimdal/lib/45/Makefile.in
new file mode 100644
index 0000000..9b0c7fc
--- /dev/null
+++ b/crypto/heimdal/lib/45/Makefile.in
@@ -0,0 +1,636 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LIBRARIES = @EXTRA_LIB45@
+
+EXTRA_LIBRARIES = lib45.a
+
+lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(lib_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+lib45_a_LIBADD = 
+lib45_a_OBJECTS =  get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT)
+AR = ar
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(lib45_a_SOURCES)
+OBJECTS = $(lib45_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/45/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLIBRARIES:
+
+clean-libLIBRARIES:
+	-test -z "$(lib_LIBRARIES)" || rm -f $(lib_LIBRARIES)
+
+distclean-libLIBRARIES:
+
+maintainer-clean-libLIBRARIES:
+
+install-libLIBRARIES: $(lib_LIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(INSTALL_DATA) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+	@$(POST_INSTALL)
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(RANLIB) $(DESTDIR)$(libdir)/$$p"; \
+	    $(RANLIB) $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+lib45.a: $(lib45_a_OBJECTS) $(lib45_a_DEPENDENCIES)
+	-rm -f lib45.a
+	$(AR) cru lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD)
+	$(RANLIB) lib45.a
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/45
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLIBRARIES
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLIBRARIES distclean-libLIBRARIES \
+clean-libLIBRARIES maintainer-clean-libLIBRARIES uninstall-libLIBRARIES \
+install-libLIBRARIES mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/45/get_ad_tkt.c b/crypto/heimdal/lib/45/get_ad_tkt.c
new file mode 100644
index 0000000..3619606
--- /dev/null
+++ b/crypto/heimdal/lib/45/get_ad_tkt.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "45_locl.h"
+
+RCSID("$Id: get_ad_tkt.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+
+/* get an additional version 4 ticket via the 524 protocol */
+
+#ifndef NEVERDATE
+#define NEVERDATE ((unsigned long)0x7fffffffL)
+#endif
+
+int
+get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime)
+{
+    krb5_error_code ret;
+    int code;
+    krb5_context context;
+    krb5_ccache id;
+    krb5_creds in_creds, *out_creds;
+    CREDENTIALS cred;
+    time_t now;
+    char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
+    
+    ret = krb5_init_context(&context);
+    if(ret)
+	return KFAILURE;
+    ret = krb5_cc_default(context, &id);
+    if(ret){
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    memset(&in_creds, 0, sizeof(in_creds));
+    now = time(NULL);
+    in_creds.times.endtime = krb_life_to_time(time(NULL), lifetime);
+    if(in_creds.times.endtime == NEVERDATE)
+	in_creds.times.endtime = 0;
+    ret = krb5_cc_get_principal(context, id, &in_creds.client);
+    if(ret){
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_524_conv_principal(context, in_creds.client, 
+				  pname, pinst, prealm);
+    if(ret){
+	krb5_free_principal(context, in_creds.client);
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_425_conv_principal(context, service, sinstance, realm, 
+				  &in_creds.server);
+    if(ret){
+	krb5_free_principal(context, in_creds.client);
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_get_credentials(context, 
+			       0, 
+			       id,
+			       &in_creds,
+			       &out_creds);
+    krb5_free_principal(context, in_creds.client);
+    krb5_free_principal(context, in_creds.server);
+    if(ret){
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb524_convert_creds_kdc(context, id, out_creds, &cred);
+    krb5_cc_close(context, id);
+    krb5_free_context(context);
+    krb5_free_creds(context, out_creds);
+    if(ret)
+	return KFAILURE;
+    code = save_credentials(cred.service, cred.instance, cred.realm, 
+			    cred.session, cred.lifetime, cred.kvno, 
+			    &cred.ticket_st, now);
+    if(code == NO_TKT_FIL)
+	code = tf_setup(&cred, pname, pinst);
+    memset(&cred.session, 0, sizeof(cred.session));
+    return code;
+}
diff --git a/crypto/heimdal/lib/45/mk_req.c b/crypto/heimdal/lib/45/mk_req.c
new file mode 100644
index 0000000..7074ebf
--- /dev/null
+++ b/crypto/heimdal/lib/45/mk_req.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* implementation of krb_mk_req that uses 524 protocol */
+
+#include "45_locl.h"
+
+RCSID("$Id: mk_req.c,v 1.2 1999/12/02 17:05:01 joda Exp $");
+
+static int lifetime = 255;
+
+static void
+build_request(KTEXT req, char *name, char *inst, char *realm, 
+	      u_int32_t checksum)
+{
+    struct timeval tv;
+    krb5_storage *sp;
+    krb5_data data;
+    sp = krb5_storage_emem();
+    krb5_store_stringz(sp, name);
+    krb5_store_stringz(sp, inst);
+    krb5_store_stringz(sp, realm);
+    krb5_store_int32(sp, checksum);
+    gettimeofday(&tv, NULL);
+    krb5_store_int8(sp, tv.tv_usec  / 5000);
+    krb5_store_int32(sp, tv.tv_sec);
+    krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    memcpy(req->dat, data.data, data.length);
+    req->length = (data.length + 7) & ~7;
+    krb5_data_free(&data);
+}
+
+int
+krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, 
+	   int32_t checksum)
+{
+    CREDENTIALS cr;
+    KTEXT_ST req;
+    krb5_storage *sp;
+    int code;
+    char *myrealm;
+    krb5_data a;
+
+    code = krb_get_cred(service, instance, realm, &cr);
+    if(code || time(NULL) > krb_life_to_time(cr.issue_date, cr.lifetime)){
+	code = get_ad_tkt(service, instance, realm, lifetime);
+	if(code == KSUCCESS)
+	    code = krb_get_cred(service, instance, realm, &cr);
+    }
+
+    if(code)
+	return code;
+
+    /* XXX get user realm */
+    myrealm = realm;
+
+    sp = krb5_storage_emem();
+
+    krb5_store_int8(sp, KRB_PROT_VERSION);
+    krb5_store_int8(sp, AUTH_MSG_APPL_REQUEST);
+    
+    krb5_store_int8(sp, cr.kvno);
+    krb5_store_stringz(sp, realm);
+    krb5_store_int8(sp, cr.ticket_st.length);
+
+    build_request(&req, cr.pname, cr.pinst, myrealm, checksum);
+    encrypt_ktext(&req, &cr.session, DES_ENCRYPT);
+
+    krb5_store_int8(sp, req.length);
+
+    sp->store(sp, cr.ticket_st.dat, cr.ticket_st.length);
+    sp->store(sp, req.dat, req.length);
+    krb5_storage_to_data(sp, &a);
+    krb5_storage_free(sp);
+    memcpy(authent->dat, a.data, a.length);
+    authent->length = a.length;
+    krb5_data_free(&a);
+
+    memset(&cr, 0, sizeof(cr));
+    memset(&req, 0, sizeof(req));
+
+    return KSUCCESS;
+}
+
+/* 
+ * krb_set_lifetime sets the default lifetime for additional tickets
+ * obtained via krb_mk_req().
+ * 
+ * It returns the previous value of the default lifetime.
+ */
+
+int
+krb_set_lifetime(int newval)
+{
+    int olife = lifetime;
+
+    lifetime = newval;
+    return(olife);
+}
diff --git a/crypto/heimdal/lib/Makefile.am b/crypto/heimdal/lib/Makefile.am
new file mode 100644
index 0000000..c600c22
--- /dev/null
+++ b/crypto/heimdal/lib/Makefile.am
@@ -0,0 +1,13 @@
+# $Id: Makefile.am,v 1.16 1999/04/01 15:03:37 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if KRB4
+dir_45 = 45
+endif
+if OTP
+dir_otp = otp
+endif
+
+SUBDIRS = roken editline com_err sl asn1 des krb5 \
+	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp)
diff --git a/crypto/heimdal/lib/Makefile.in b/crypto/heimdal/lib/Makefile.in
new file mode 100644
index 0000000..4c8aa71
--- /dev/null
+++ b/crypto/heimdal/lib/Makefile.in
@@ -0,0 +1,604 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.16 1999/04/01 15:03:37 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@dir_45 = 45
+@OTP_TRUE@dir_otp = otp
+
+SUBDIRS = roken editline com_err sl asn1 des krb5 	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+DIST_SUBDIRS =  roken editline com_err sl asn1 des krb5 kafs hdb kadm5 \
+gssapi auth 45 otp
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/Makefile.am b/crypto/heimdal/lib/asn1/Makefile.am
new file mode 100644
index 0000000..97fb2bb
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/Makefile.am
@@ -0,0 +1,107 @@
+# $Id: Makefile.am,v 1.54 1999/12/21 17:03:42 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libasn1.la
+libasn1_la_LDFLAGS = -version-info 1:4:0
+
+BUILT_SOURCES =			\
+	$(gen_files:.x=.c)	\
+	asn1_err.h		\
+	asn1_err.c
+
+gen_files =				\
+	asn1_APOptions.x		\
+	asn1_AP_REP.x			\
+	asn1_AP_REQ.x			\
+	asn1_AS_REP.x			\
+	asn1_AS_REQ.x			\
+	asn1_Authenticator.x		\
+	asn1_AuthorizationData.x	\
+	asn1_Checksum.x			\
+	asn1_EncAPRepPart.x		\
+	asn1_EncASRepPart.x		\
+	asn1_EncKDCRepPart.x		\
+	asn1_EncKrbCredPart.x		\
+	asn1_EncKrbPrivPart.x		\
+	asn1_EncTGSRepPart.x		\
+	asn1_EncTicketPart.x		\
+	asn1_EncryptedData.x		\
+	asn1_EncryptionKey.x		\
+	asn1_ETYPE_INFO.x		\
+	asn1_ETYPE_INFO_ENTRY.x		\
+	asn1_HostAddress.x		\
+	asn1_HostAddresses.x		\
+	asn1_KDCOptions.x		\
+	asn1_KDC_REP.x			\
+	asn1_KDC_REQ.x			\
+	asn1_KDC_REQ_BODY.x		\
+	asn1_KRB_CRED.x			\
+	asn1_KRB_ERROR.x		\
+	asn1_KRB_PRIV.x			\
+	asn1_KRB_SAFE.x			\
+	asn1_KRB_SAFE_BODY.x		\
+	asn1_KerberosTime.x		\
+	asn1_KrbCredInfo.x		\
+	asn1_LastReq.x			\
+	asn1_METHOD_DATA.x		\
+	asn1_PA_DATA.x			\
+	asn1_PA_ENC_TS_ENC.x		\
+	asn1_Principal.x		\
+	asn1_PrincipalName.x		\
+	asn1_Realm.x			\
+	asn1_TGS_REP.x			\
+	asn1_TGS_REQ.x			\
+	asn1_Ticket.x			\
+	asn1_TicketFlags.x		\
+	asn1_TransitedEncoding.x
+
+
+noinst_PROGRAMS = asn1_compile asn1_print
+check_PROGRAMS = check-der
+TESTS = check-der
+
+asn1_compile_SOURCES = parse.y lex.l main.c hash.c symbol.c gen.c \
+	gen_encode.c gen_decode.c gen_free.c gen_length.c gen_copy.c \
+	gen_glue.c
+
+libasn1_la_SOURCES = \
+	der_get.c \
+	der_put.c \
+	der_free.c \
+	der_length.c \
+	der_copy.c \
+	timegm.c \
+	$(BUILT_SOURCES)
+
+asn1_compile_LDADD = \
+	$(LIB_roken) $(LEXLIB)
+
+check_der_LDADD = \
+	libasn1.la \
+	../com_err/libcom_err.la \
+	$(LIB_roken)
+
+asn1_print_LDADD = $(check_der_LDADD)
+
+TESTS = check-der
+
+CLEANFILES = lex.c parse.c parse.h asn1.h $(BUILT_SOURCES) \
+	$(gen_files) asn1_files
+
+include_HEADERS = asn1.h asn1_err.h der.h
+
+$(asn1_compile_OBJECTS): parse.h
+
+$(gen_files) asn1.h: asn1_files
+
+asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+
+$(libasn1_la_OBJECTS): asn1.h asn1_err.h
+
+$(asn1_print_OBJECTS): asn1.h
+
+EXTRA_DIST = asn1_err.et
diff --git a/crypto/heimdal/lib/asn1/Makefile.in b/crypto/heimdal/lib/asn1/Makefile.in
new file mode 100644
index 0000000..25acf1a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/Makefile.in
@@ -0,0 +1,794 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.54 1999/12/21 17:03:42 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libasn1.la
+libasn1_la_LDFLAGS = -version-info 1:4:0
+
+BUILT_SOURCES =  	$(gen_files:.x=.c)		asn1_err.h			asn1_err.c
+
+
+gen_files =  	asn1_APOptions.x			asn1_AP_REP.x				asn1_AP_REQ.x				asn1_AS_REP.x				asn1_AS_REQ.x				asn1_Authenticator.x			asn1_AuthorizationData.x		asn1_Checksum.x				asn1_EncAPRepPart.x			asn1_EncASRepPart.x			asn1_EncKDCRepPart.x			asn1_EncKrbCredPart.x			asn1_EncKrbPrivPart.x			asn1_EncTGSRepPart.x			asn1_EncTicketPart.x			asn1_EncryptedData.x			asn1_EncryptionKey.x			asn1_ETYPE_INFO.x			asn1_ETYPE_INFO_ENTRY.x			asn1_HostAddress.x			asn1_HostAddresses.x			asn1_KDCOptions.x			asn1_KDC_REP.x				asn1_KDC_REQ.x				asn1_KDC_REQ_BODY.x			asn1_KRB_CRED.x				asn1_KRB_ERROR.x			asn1_KRB_PRIV.x				asn1_KRB_SAFE.x				asn1_KRB_SAFE_BODY.x			asn1_KerberosTime.x			asn1_KrbCredInfo.x			asn1_LastReq.x				asn1_METHOD_DATA.x			asn1_PA_DATA.x				asn1_PA_ENC_TS_ENC.x			asn1_Principal.x			asn1_PrincipalName.x			asn1_Realm.x				asn1_TGS_REP.x				asn1_TGS_REQ.x				asn1_Ticket.x				asn1_TicketFlags.x			asn1_TransitedEncoding.x
+
+
+noinst_PROGRAMS = asn1_compile asn1_print
+check_PROGRAMS = check-der
+
+TESTS = check-der
+
+asn1_compile_SOURCES = parse.y lex.l main.c hash.c symbol.c gen.c 	gen_encode.c gen_decode.c gen_free.c gen_length.c gen_copy.c 	gen_glue.c
+
+
+libasn1_la_SOURCES =  	der_get.c 	der_put.c 	der_free.c 	der_length.c 	der_copy.c 	timegm.c 	$(BUILT_SOURCES)
+
+
+asn1_compile_LDADD =  	$(LIB_roken) $(LEXLIB)
+
+
+check_der_LDADD =  	libasn1.la 	../com_err/libcom_err.la 	$(LIB_roken)
+
+
+asn1_print_LDADD = $(check_der_LDADD)
+
+CLEANFILES = lex.c parse.c parse.h asn1.h $(BUILT_SOURCES) 	$(gen_files) asn1_files
+
+
+include_HEADERS = asn1.h asn1_err.h der.h
+
+EXTRA_DIST = asn1_err.et
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libasn1_la_LIBADD = 
+libasn1_la_OBJECTS =  der_get.lo der_put.lo der_free.lo der_length.lo \
+der_copy.lo timegm.lo asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \
+asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \
+asn1_AuthorizationData.lo asn1_Checksum.lo asn1_EncAPRepPart.lo \
+asn1_EncASRepPart.lo asn1_EncKDCRepPart.lo asn1_EncKrbCredPart.lo \
+asn1_EncKrbPrivPart.lo asn1_EncTGSRepPart.lo asn1_EncTicketPart.lo \
+asn1_EncryptedData.lo asn1_EncryptionKey.lo asn1_ETYPE_INFO.lo \
+asn1_ETYPE_INFO_ENTRY.lo asn1_HostAddress.lo asn1_HostAddresses.lo \
+asn1_KDCOptions.lo asn1_KDC_REP.lo asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo \
+asn1_KRB_CRED.lo asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \
+asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \
+asn1_LastReq.lo asn1_METHOD_DATA.lo asn1_PA_DATA.lo \
+asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo asn1_PrincipalName.lo \
+asn1_Realm.lo asn1_TGS_REP.lo asn1_TGS_REQ.lo asn1_Ticket.lo \
+asn1_TicketFlags.lo asn1_TransitedEncoding.lo asn1_err.lo
+check_PROGRAMS =  check-der$(EXEEXT)
+noinst_PROGRAMS =  asn1_compile$(EXEEXT) asn1_print$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+check_der_SOURCES = check-der.c
+check_der_OBJECTS =  check-der.$(OBJEXT)
+check_der_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
+check_der_LDFLAGS = 
+asn1_compile_OBJECTS =  parse.$(OBJEXT) lex.$(OBJEXT) main.$(OBJEXT) \
+hash.$(OBJEXT) symbol.$(OBJEXT) gen.$(OBJEXT) gen_encode.$(OBJEXT) \
+gen_decode.$(OBJEXT) gen_free.$(OBJEXT) gen_length.$(OBJEXT) \
+gen_copy.$(OBJEXT) gen_glue.$(OBJEXT)
+asn1_compile_DEPENDENCIES = 
+asn1_compile_LDFLAGS = 
+asn1_print_SOURCES = asn1_print.c
+asn1_print_OBJECTS =  asn1_print.$(OBJEXT)
+asn1_print_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
+asn1_print_LDFLAGS = 
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  Makefile.am Makefile.in lex.c parse.c
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libasn1_la_SOURCES) check-der.c $(asn1_compile_SOURCES) asn1_print.c
+OBJECTS = $(libasn1_la_OBJECTS) check-der.$(OBJEXT) $(asn1_compile_OBJECTS) asn1_print.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .s .x .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/asn1/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libasn1_la_LDFLAGS) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES)
+	@rm -f check-der$(EXEEXT)
+	$(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
+
+asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES)
+	@rm -f asn1_compile$(EXEEXT)
+	$(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
+
+asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES)
+	@rm -f asn1_print$(EXEEXT)
+	$(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/asn1
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+check-TESTS: $(TESTS)
+	@failed=0; all=0; \
+	srcdir=$(srcdir); export srcdir; \
+	for tst in $(TESTS); do \
+	  if test -f $$tst; then dir=.; \
+	  else dir="$(srcdir)"; fi; \
+	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
+	    all=`expr $$all + 1`; \
+	    echo "PASS: $$tst"; \
+	  elif test $$? -ne 77; then \
+	    all=`expr $$all + 1`; \
+	    failed=`expr $$failed + 1`; \
+	    echo "FAIL: $$tst"; \
+	  fi; \
+	done; \
+	if test "$$failed" -eq 0; then \
+	  banner="All $$all tests passed"; \
+	else \
+	  banner="$$failed of $$all tests failed"; \
+	fi; \
+	dashes=`echo "$$banner" | sed s/./=/g`; \
+	echo "$$dashes"; \
+	echo "$$banner"; \
+	echo "$$dashes"; \
+	test "$$failed" -eq 0
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-test -z "lexlparsehparsec$(BUILT_SOURCES)" || rm -f lexl parseh parsec $(BUILT_SOURCES)
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-checkPROGRAMS \
+		mostlyclean-noinstPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-checkPROGRAMS clean-noinstPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-checkPROGRAMS \
+		distclean-noinstPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-checkPROGRAMS \
+distclean-checkPROGRAMS clean-checkPROGRAMS \
+maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir check-TESTS info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(asn1_compile_OBJECTS): parse.h
+
+$(gen_files) asn1.h: asn1_files
+
+asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+
+$(libasn1_la_OBJECTS): asn1.h asn1_err.h
+
+$(asn1_print_OBJECTS): asn1.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/asn1_err.et b/crypto/heimdal/lib/asn1/asn1_err.et
new file mode 100644
index 0000000..8f1f272
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_err.et
@@ -0,0 +1,20 @@
+#
+# Error messages for the asn.1 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: asn1_err.et,v 1.5 1998/02/16 16:17:17 joda Exp $"
+
+error_table asn1
+prefix ASN1
+error_code BAD_TIMEFORMAT,	"ASN.1 failed call to system time library"
+error_code MISSING_FIELD,	"ASN.1 structure is missing a required field"
+error_code MISPLACED_FIELD,	"ASN.1 unexpected field number"
+error_code TYPE_MISMATCH,	"ASN.1 type numbers are inconsistent"
+error_code OVERFLOW,		"ASN.1 value too large"
+error_code OVERRUN,		"ASN.1 encoding ended unexpectedly"
+error_code BAD_ID,		"ASN.1 identifier doesn't match expected value"
+error_code BAD_LENGTH,		"ASN.1 length doesn't match expected value"
+error_code BAD_FORMAT,		"ASN.1 badly-formatted encoding"
+error_code PARSE_ERROR,		"ASN.1 parse error"
+end
diff --git a/crypto/heimdal/lib/asn1/asn1_print.c b/crypto/heimdal/lib/asn1/asn1_print.c
new file mode 100644
index 0000000..92e6419
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_print.c
@@ -0,0 +1,239 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: asn1_print.c,v 1.5 1999/12/02 17:05:01 joda Exp $");
+
+static struct et_list *et_list;
+
+const char *class_names[] = {
+    "UNIV",			/* 0 */
+    "APPL",			/* 1 */
+    "CONTEXT",			/* 2 */
+    "PRIVATE"			/* 3 */
+};
+
+const char *type_names[] = {
+    "PRIM",			/* 0 */
+    "CONS"			/* 1 */
+};
+
+const char *tag_names[] = {
+    NULL,			/* 0 */
+    NULL,			/* 1 */
+    "Integer",			/* 2 */
+    "BitString",		/* 3 */
+    "OctetString",		/* 4 */
+    "Null",			/* 5 */
+    "ObjectID",			/* 6 */
+    NULL,			/* 7 */
+    NULL,			/* 8 */
+    NULL,			/* 9 */
+    NULL,			/* 10 */
+    NULL,			/* 11 */
+    NULL,			/* 12 */
+    NULL,			/* 13 */
+    NULL,			/* 14 */
+    NULL,			/* 15 */
+    "Sequence",			/* 16 */
+    "Set",			/* 17 */
+    NULL,			/* 18 */
+    "PrintableString",		/* 19 */
+    NULL,			/* 20 */
+    NULL,			/* 21 */
+    "IA5String",		/* 22 */
+    "UTCTime",			/* 23 */
+    "GeneralizedTime",		/* 24 */
+    NULL,			/* 25 */
+    "VisibleString",		/* 26 */
+    "GeneralString"		/* 27 */
+};
+
+static int
+loop (unsigned char *buf, size_t len, int indent)
+{
+    while (len > 0) {
+	int ret;
+	Der_class class;
+	Der_type type;
+	int tag;
+	size_t sz;
+	size_t length;
+	int i;
+
+	ret = der_get_tag (buf, len, &class, &type, &tag, &sz);
+	if (ret)
+	    errx (1, "der_get_tag: %s", com_right (et_list, ret));
+	buf += sz;
+	len -= sz;
+	for (i = 0; i < indent; ++i)
+	    printf (" ");
+	printf ("%s %s ", class_names[class], type_names[type]);
+	if (tag_names[tag])
+	    printf ("%s = ", tag_names[tag]);
+	else
+	    printf ("tag %d = ", tag);
+	ret = der_get_length (buf, len, &length, &sz);
+	if (ret)
+	    errx (1, "der_get_tag: %s", com_right (et_list, ret));
+	buf += sz;
+	len -= sz;
+
+	if (class == CONTEXT) {
+	    printf ("[%d]\n", tag);
+	    loop (buf, length, indent);
+	} else if (class == UNIV) {
+	    switch (tag) {
+	    case UT_Sequence :
+		printf ("{\n");
+		loop (buf, length, indent + 2);
+		for (i = 0; i < indent; ++i)
+		    printf (" ");
+		printf ("}\n");
+		break;
+	    case UT_Integer : {
+		int val;
+
+		ret = der_get_int (buf, length, &val, NULL);
+		if (ret)
+		    errx (1, "der_get_int: %s", com_right (et_list, ret));
+		printf ("integer %d\n", val);
+		break;
+	    }
+	    case UT_OctetString : {
+		octet_string str;
+		int i;
+		unsigned char *uc;
+
+		ret = der_get_octet_string (buf, length, &str, NULL);
+		if (ret)
+		    errx (1, "der_get_octet_string: %s",
+			  com_right (et_list, ret));
+		printf ("(length %d), ", length);
+		uc = (unsigned char *)str.data;
+		for (i = 0; i < 16; ++i)
+		    printf ("%02x", uc[i]);
+		printf ("\n");
+		free (str.data);
+		break;
+	    }
+	    case UT_GeneralizedTime :
+	    case UT_GeneralString : {
+		general_string str;
+
+		ret = der_get_general_string (buf, length, &str, NULL);
+		if (ret)
+		    errx (1, "der_get_general_string: %s",
+			  com_right (et_list, ret));
+		printf ("\"%s\"\n", str);
+		free (str);
+		break;
+	    }
+	    default :
+		printf ("%d bytes\n", length);
+		break;
+	    }
+	}
+	buf += length;
+	len -= length;
+    }
+    return 0;
+}
+
+static int
+doit (const char *filename)
+{
+    int fd = open (filename, O_RDONLY);
+    struct stat sb;
+    unsigned char *buf;
+    size_t len;
+    int ret;
+
+    if(fd < 0)
+	err (1, "opening %s for read", filename);
+    if (fstat (fd, &sb) < 0)
+	err (1, "stat %s", filename);
+    len = sb.st_size;
+    buf = malloc (len);
+    if (buf == NULL)
+	err (1, "malloc %u", len);
+    if (read (fd, buf, len) != len)
+	errx (1, "read failed");
+    close (fd);
+    ret = loop (buf, len, 0);
+    free (buf);
+    return ret;
+}
+
+
+static int version_flag;
+static int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "dump-file");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    set_progname (argv[0]);
+    initialize_asn1_error_table_r (&et_list);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argv += optind;
+    argc -= optind;
+    if (argc != 1)
+	usage (1);
+    return doit (argv[0]);
+}
diff --git a/crypto/heimdal/lib/asn1/check-der.c b/crypto/heimdal/lib/asn1/check-der.c
new file mode 100644
index 0000000..a2f1217
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/check-der.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <roken.h>
+
+#include <libasn1.h>
+
+RCSID("$Id: check-der.c,v 1.7 1999/12/02 17:05:01 joda Exp $");
+
+static void
+print_bytes (unsigned const char *buf, size_t len)
+{
+    int i;
+
+    for (i = 0; i < len; ++i)
+	printf ("%02x ", buf[i]);
+}
+
+struct test_case {
+    void *val;
+    int byte_len;
+    const unsigned char *bytes;
+    char *name;
+};
+
+static int
+generic_test (const struct test_case *tests,
+	      unsigned ntests,
+	      size_t data_size,
+	      int (*encode)(unsigned char *, size_t, void *, size_t *),
+	      int (*length)(void *),
+	      int (*decode)(unsigned char *, size_t, void *, size_t *),
+	      int (*cmp)(void *a, void *b))
+{
+    unsigned char buf[4711];
+    int i;
+    int failures = 0;
+    void *val = malloc (data_size);
+
+    if (data_size != 0 && val == NULL)
+	err (1, "malloc");
+
+    for (i = 0; i < ntests; ++i) {
+	int ret;
+	size_t sz, consumed_sz, length_sz;
+	unsigned char *beg;
+
+	ret = (*encode) (buf + sizeof(buf) - 1, sizeof(buf),
+			 tests[i].val, &sz);
+	beg = buf + sizeof(buf) - sz;
+	if (ret != 0) {
+	    printf ("encoding of %s failed\n", tests[i].name);
+	    ++failures;
+	}
+	if (sz != tests[i].byte_len) {
+	    printf ("encoding of %s has wrong len (%lu != %lu)\n",
+		    tests[i].name, 
+		    (unsigned long)sz, (unsigned long)tests[i].byte_len);
+	    ++failures;
+	}
+
+	length_sz = (*length) (tests[i].val);
+	if (sz != length_sz) {
+	    printf ("length for %s is bad (%lu != %lu)\n",
+		    tests[i].name, (unsigned long)length_sz, (unsigned long)sz);
+	    ++failures;
+	}
+
+	if (memcmp (beg, tests[i].bytes, tests[i].byte_len) != 0) {
+	    printf ("encoding of %s has bad bytes:\n"
+		    "correct: ", tests[i].name);
+	    print_bytes (tests[i].bytes, tests[i].byte_len);
+	    printf ("\nactual:  ");
+	    print_bytes (beg, sz);
+	    printf ("\n");
+	    ++failures;
+	}
+	ret = (*decode) (beg, sz, val, &consumed_sz);
+	if (ret != 0) {
+	    printf ("decoding of %s failed\n", tests[i].name);
+	    ++failures;
+	}
+	if (sz != consumed_sz) {
+	    printf ("different length decoding %s (%ld != %ld)\n",
+		    tests[i].name, 
+		    (unsigned long)sz, (unsigned long)consumed_sz);
+	    ++failures;
+	}
+	if ((*cmp)(val, tests[i].val) != 0) {
+	    printf ("%s: comparison failed\n", tests[i].name);
+	    ++failures;
+	}
+    }
+    free (val);
+    return failures;
+}
+
+static int
+cmp_integer (void *a, void *b)
+{
+    int *ia = (int *)a;
+    int *ib = (int *)b;
+
+    return *ib - *ia;
+}
+
+static int
+test_integer (void)
+{
+    struct test_case tests[] = {
+	{NULL, 3, "\x02\x01\x00"},
+	{NULL, 3, "\x02\x01\x7f"},
+	{NULL, 4, "\x02\x02\x00\x80"},
+	{NULL, 4, "\x02\x02\x01\x00"},
+	{NULL, 3, "\x02\x01\x80"},
+	{NULL, 4, "\x02\x02\xff\x7f"},
+	{NULL, 3, "\x02\x01\xff"},
+	{NULL, 4, "\x02\x02\xff\x01"},
+	{NULL, 4, "\x02\x02\x00\xff"},
+	{NULL, 6, "\x02\x04\x80\x00\x00\x00"},
+	{NULL, 6, "\x02\x04\x7f\xff\xff\xff"}
+    };
+
+    int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
+		    0x80000000, 0x7fffffff};
+    int i;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "integer %d", values[i]);
+    }
+
+    return generic_test (tests, ntests, sizeof(int),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_integer,
+			 (int (*)(void *))length_integer,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_integer,
+			 cmp_integer);
+}
+
+static int
+cmp_octet_string (void *a, void *b)
+{
+    octet_string *oa = (octet_string *)a;
+    octet_string *ob = (octet_string *)b;
+
+    if (oa->length != ob->length)
+	return ob->length - oa->length;
+
+    return (memcmp (oa->data, ob->data, oa->length));
+}
+
+static int
+test_octet_string (void)
+{
+    octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
+
+    struct test_case tests[] = {
+	{NULL, 10, "\x04\x08\x01\x23\x45\x67\x89\xab\xcd\xef"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "a octet string");
+
+    return generic_test (tests, ntests, sizeof(octet_string),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_octet_string,
+			 (int (*)(void *))length_octet_string,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_octet_string,
+			 cmp_octet_string);
+}
+
+static int
+cmp_general_string (void *a, void *b)
+{
+    unsigned char **sa = (unsigned char **)a;
+    unsigned char **sb = (unsigned char **)b;
+
+    return strcmp (*sa, *sb);
+}
+
+static int
+test_general_string (void)
+{
+    unsigned char *s1 = "Test User 1";
+
+    struct test_case tests[] = {
+	{NULL, 13, "\x1b\x0b\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "the string \"%s\"", s1);
+
+    return generic_test (tests, ntests, sizeof(unsigned char *),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_general_string,
+			 (int (*)(void *))length_general_string,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_general_string,
+			 cmp_general_string);
+}
+
+static int
+cmp_generalized_time (void *a, void *b)
+{
+    time_t *ta = (time_t *)a;
+    time_t *tb = (time_t *)b;
+
+    return *tb - *ta;
+}
+
+static int
+test_generalized_time (void)
+{
+    struct test_case tests[] = {
+	{NULL, 17, "\x18\x0f""19700101000000Z"},
+	{NULL, 17, "\x18\x0f""19851106210627Z"}
+    };
+    time_t values[] = {0, 500159187};
+    int i;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "time %d", (int)values[i]);
+    }
+
+    return generic_test (tests, ntests, sizeof(time_t),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_generalized_time,
+			 (int (*)(void *))length_generalized_time,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_generalized_time,
+			 cmp_generalized_time);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret = 0;
+
+    ret += test_integer ();
+    ret += test_octet_string ();
+    ret += test_general_string ();
+    ret += test_generalized_time ();
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/der.h b/crypto/heimdal/lib/asn1/der.h
new file mode 100644
index 0000000..37158af
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: der.h,v 1.18 1999/12/02 17:05:01 joda Exp $ */
+
+#ifndef __DER_H__
+#define __DER_H__
+
+#include <time.h>
+
+typedef enum {UNIV = 0, APPL = 1, CONTEXT = 2 , PRIVATE = 3} Der_class;
+
+typedef enum {PRIM = 0, CONS = 1} Der_type;
+
+/* Universal tags */
+
+enum {
+     UT_Integer		= 2,	
+     UT_BitString	= 3,
+     UT_OctetString	= 4,
+     UT_Null		= 5,
+     UT_ObjID		= 6,
+     UT_Sequence	= 16,
+     UT_Set		= 17,
+     UT_PrintableString	= 19,
+     UT_IA5String	= 22,
+     UT_UTCTime		= 23,
+     UT_GeneralizedTime	= 24,
+     UT_VisibleString	= 26,
+     UT_GeneralString	= 27
+};
+
+#define ASN1_INDEFINITE 0xdce0deed
+
+#ifndef HAVE_TIMEGM
+time_t timegm (struct tm *);
+#endif
+
+void time2generalizedtime (time_t t, octet_string *s);
+
+int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
+int der_get_length (const unsigned char *p, size_t len,
+		    size_t *val, size_t *size);
+int der_get_general_string (const unsigned char *p, size_t len, 
+			    general_string *str, size_t *size);
+int der_get_octet_string (const unsigned char *p, size_t len, 
+			  octet_string *data, size_t *size);
+int der_get_tag (const unsigned char *p, size_t len, 
+		 Der_class *class, Der_type *type,
+		 int *tag, size_t *size);
+
+int der_match_tag (const unsigned char *p, size_t len, 
+		   Der_class class, Der_type type,
+		   int tag, size_t *size);
+int der_match_tag_and_length (const unsigned char *p, size_t len,
+			      Der_class class, Der_type type, int tag,
+			      size_t *length_ret, size_t *size);
+
+int decode_integer (const unsigned char*, size_t, int*, size_t*);
+int decode_general_string (const unsigned char*, size_t,
+			   general_string*, size_t*);
+int decode_octet_string (const unsigned char*, size_t, octet_string*, size_t*);
+int decode_generalized_time (const unsigned char*, size_t, time_t*, size_t*);
+
+int der_put_int (unsigned char *p, size_t len, int val, size_t*);
+int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
+int der_put_general_string (unsigned char *p, size_t len,
+			    const general_string *str, size_t*);
+int der_put_octet_string (unsigned char *p, size_t len,
+			  const octet_string *data, size_t*);
+int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+		 int tag, size_t*);
+int der_put_length_and_tag (unsigned char*, size_t, size_t, 
+			    Der_class, Der_type, int, size_t*);
+
+int encode_integer (unsigned char *p, size_t len,
+		    const int *data, size_t*);
+int encode_general_string (unsigned char *p, size_t len, 
+			   const general_string *data, size_t*);
+int encode_octet_string (unsigned char *p, size_t len,
+			 const octet_string *k, size_t*);
+int encode_generalized_time (unsigned char *p, size_t len,
+			     const time_t *t, size_t*);
+
+void free_integer (int *num);
+void free_general_string (general_string *str);
+void free_octet_string (octet_string *k);
+void free_generalized_time (time_t *t);
+
+size_t length_len (size_t len);
+size_t length_integer (const int *data);
+size_t length_general_string (const general_string *data);
+size_t length_octet_string (const octet_string *k);
+size_t length_generalized_time (const time_t *t);
+
+int copy_general_string (const general_string *from, general_string *to);
+int copy_octet_string (const octet_string *from, octet_string *to);
+
+int fix_dce(size_t reallen, size_t *len);
+
+#endif /* __DER_H__ */
+
diff --git a/crypto/heimdal/lib/asn1/der_copy.c b/crypto/heimdal/lib/asn1/der_copy.c
new file mode 100644
index 0000000..83c2446
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_copy.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_copy.c,v 1.8 1999/12/02 17:05:01 joda Exp $");
+
+int
+copy_general_string (const general_string *from, general_string *to)
+{
+    *to = malloc(strlen(*from) + 1);
+    if(*to == NULL)
+	return ENOMEM;
+    strcpy(*to, *from);
+    return 0;
+}
+
+int
+copy_octet_string (const octet_string *from, octet_string *to)
+{
+    to->length = from->length;
+    to->data   = malloc(to->length);
+    if(to->length != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, to->length);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/der_free.c b/crypto/heimdal/lib/asn1/der_free.c
new file mode 100644
index 0000000..7191e4e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_free.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_free.c,v 1.7 1999/12/02 17:05:01 joda Exp $");
+
+void
+free_general_string (general_string *str)
+{
+    free(*str);
+}
+
+void
+free_octet_string (octet_string *k)
+{
+    free(k->data);
+}
diff --git a/crypto/heimdal/lib/asn1/der_get.c b/crypto/heimdal/lib/asn1/der_get.c
new file mode 100644
index 0000000..9f0616b
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_get.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_get.c,v 1.27 1999/12/02 17:05:01 joda Exp $");
+
+#include <version.h>
+
+/* 
+ * All decoding functions take a pointer `p' to first position in
+ * which to read, from the left, `len' which means the maximum number
+ * of characters we are able to read, `ret' were the value will be
+ * returned and `size' where the number of used bytes is stored.
+ * Either 0 or an error code is returned.
+ */
+
+static int
+der_get_unsigned (const unsigned char *p, size_t len,
+		  unsigned *ret, size_t *size)
+{
+    unsigned val = 0;
+    size_t oldlen = len;
+
+    while (len--)
+	val = val * 256 + *p++;
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+int
+der_get_int (const unsigned char *p, size_t len,
+	     int *ret, size_t *size)
+{
+    int val = 0;
+    size_t oldlen = len;
+
+    if (len--)
+	val = (signed char)*p++;
+    while (len--)
+	val = val * 256 + *p++;
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+int
+der_get_length (const unsigned char *p, size_t len,
+		size_t *val, size_t *size)
+{
+    size_t v;
+
+    if (len <= 0)
+	return ASN1_OVERRUN;
+    --len;
+    v = *p++;
+    if (v < 128) {
+	*val = v;
+	if(size) *size = 1;
+    } else {
+	int e;
+	size_t l;
+	unsigned tmp;
+
+	if(v == 0x80){
+	    *val = ASN1_INDEFINITE;
+	    if(size) *size = 1;
+	    return 0;
+	}
+	v &= 0x7F;
+	if (len < v)
+	    return ASN1_OVERRUN;
+	e = der_get_unsigned (p, v, &tmp, &l);
+	if(e) return e;
+	*val = tmp;
+	if(size) *size = l + 1;
+    }
+    return 0;
+}
+
+int
+der_get_general_string (const unsigned char *p, size_t len, 
+			general_string *str, size_t *size)
+{
+    char *s;
+
+    s = malloc (len + 1);
+    if (s == NULL)
+	return ENOMEM;
+    memcpy (s, p, len);
+    s[len] = '\0';
+    *str = s;
+    if(size) *size = len;
+    return 0;
+}
+
+int
+der_get_octet_string (const unsigned char *p, size_t len, 
+		      octet_string *data, size_t *size)
+{
+    data->length = len;
+    data->data = malloc(len);
+    if (data->data == NULL && data->length != 0)
+	return ENOMEM;
+    memcpy (data->data, p, len);
+    if(size) *size = len;
+    return 0;
+}
+
+int
+der_get_tag (const unsigned char *p, size_t len,
+	     Der_class *class, Der_type *type,
+	     int *tag, size_t *size)
+{
+    if (len < 1)
+	return ASN1_OVERRUN;
+    *class = (Der_class)(((*p) >> 6) & 0x03);
+    *type = (Der_type)(((*p) >> 5) & 0x01);
+    *tag = (*p) & 0x1F;
+    if(size) *size = 1;
+    return 0;
+}
+
+int
+der_match_tag (const unsigned char *p, size_t len,
+	       Der_class class, Der_type type,
+	       int tag, size_t *size)
+{
+    size_t l;
+    Der_class thisclass;
+    Der_type thistype;
+    int thistag;
+    int e;
+
+    e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
+    if (e) return e;
+    if (class != thisclass || type != thistype)
+	return ASN1_BAD_ID;
+    if(tag > thistag)
+	return ASN1_MISPLACED_FIELD;
+    if(tag < thistag)
+	return ASN1_MISSING_FIELD;
+    if(size) *size = l;
+    return 0;
+}
+
+int
+der_match_tag_and_length (const unsigned char *p, size_t len,
+			  Der_class class, Der_type type, int tag,
+			  size_t *length_ret, size_t *size)
+{
+    size_t l, ret = 0;
+    int e;
+
+    e = der_match_tag (p, len, class, type, tag, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, length_ret, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_integer (const unsigned char *p, size_t len,
+		int *num, size_t *size)
+{
+    size_t ret = 0;
+    size_t l, reallen;
+    int e;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, &reallen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_int (p, reallen, num, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_general_string (const unsigned char *p, size_t len, 
+		       general_string *str, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralString, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+
+    e = der_get_general_string (p, slen, str, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_octet_string (const unsigned char *p, size_t len, 
+		     octet_string *k, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_OctetString, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+
+    e = der_get_octet_string (p, slen, k, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+static void
+generalizedtime2time (const char *s, time_t *t)
+{
+    struct tm tm;
+
+    memset(&tm, 0, sizeof(tm));
+    sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
+	    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
+	    &tm.tm_min, &tm.tm_sec);
+    tm.tm_year -= 1900;
+    tm.tm_mon -= 1;
+    *t = timegm (&tm);
+}
+
+int
+decode_generalized_time (const unsigned char *p, size_t len,
+			 time_t *t, size_t *size)
+{
+    octet_string k;
+    char *times;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralizedTime, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+    e = der_get_octet_string (p, slen, &k, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    times = realloc(k.data, k.length + 1);
+    if (times == NULL){
+	free(k.data);
+	return ENOMEM;
+    }
+    times[k.length] = 0;
+    generalizedtime2time (times, t);
+    free (times);
+    if(size) *size = ret;
+    return 0;
+}
+
+
+int
+fix_dce(size_t reallen, size_t *len)
+{
+    if(reallen == ASN1_INDEFINITE)
+	return 1;
+    if(*len < reallen)
+	return -1;
+    *len = reallen;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/der_length.c b/crypto/heimdal/lib/asn1/der_length.c
new file mode 100644
index 0000000..5db95ba
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_length.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_length.c,v 1.10 1999/12/02 17:05:01 joda Exp $");
+
+static size_t
+length_unsigned (unsigned val)
+{
+  size_t ret = 0;
+
+  do {
+    ++ret;
+    val /= 256;
+  } while (val);
+  return ret;
+}
+
+static size_t
+length_int (int val)
+{
+  size_t ret = 0;
+
+  if (val == 0)
+    return 1;
+  while (val > 255 || val < -255) {
+    ++ret;
+    val /= 256;
+  }
+  if (val != 0) {
+    ++ret;
+    if ((signed char)val != val)
+      ++ret;
+    val /= 256;
+  }
+  return ret;
+}
+
+size_t
+length_len (size_t len)
+{
+  if (len < 128)
+    return 1;
+  else
+    return length_unsigned (len) + 1;
+}
+
+size_t
+length_integer (const int *data)
+{
+  size_t len = length_int (*data);
+
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_general_string (const general_string *data)
+{
+  char *str = *data;
+  size_t len = strlen(str);
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_octet_string (const octet_string *k)
+{
+  return 1 + length_len(k->length) + k->length;
+}
+
+size_t
+length_generalized_time (const time_t *t)
+{
+  octet_string k;
+  size_t ret;
+
+  time2generalizedtime (*t, &k);
+  ret = 1 + length_len(k.length) + k.length;
+  free (k.data);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/der_locl.h b/crypto/heimdal/lib/asn1/der_locl.h
new file mode 100644
index 0000000..6eeb42d
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_locl.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: der_locl.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef __DER_LOCL_H__
+#define __DER_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <time.h>
+#include <errno.h>
+#include <roken.h>
+
+#include <libasn1.h>
+
+#endif /* __DER_LOCL_H__ */
diff --git a/crypto/heimdal/lib/asn1/der_put.c b/crypto/heimdal/lib/asn1/der_put.c
new file mode 100644
index 0000000..ce21654
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_put.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_put.c,v 1.22 1999/12/02 17:05:02 joda Exp $");
+
+/*
+ * All encoding functions take a pointer `p' to first position in
+ * which to write, from the right, `len' which means the maximum
+ * number of characters we are able to write and return an int
+ * indicating how many actually got written, or <0 in case of errors.
+ */
+
+static int
+der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
+{
+    unsigned char *base = p;
+
+    if (val) {
+	while (len > 0 && val) {
+	    *p-- = val % 256;
+	    val /= 256;
+	    --len;
+	}
+	if (val != 0)
+	    return ASN1_OVERFLOW;
+	else {
+	    *size = base - p;
+	    return 0;
+	}
+    } else if (len < 1)
+	return ASN1_OVERFLOW;
+    else {
+	*p    = 0;
+	*size = 1;
+	return 0;
+    }
+}
+
+int
+der_put_int (unsigned char *p, size_t len, int val, size_t *size)
+{
+    unsigned char *base = p;
+
+    if(val >= 0) {
+	do {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = val % 256;
+	    len--;
+	    val /= 256;
+	} while(val);
+	if(p[1] >= 128) {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 0;
+	    len--;
+	}
+    } else {
+	val = ~val;
+	do {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = ~(val % 256);
+	    len--;
+	    val /= 256;
+	} while(val);
+	if(p[1] < 128) {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 0xff;
+	    len--;
+	}
+    }
+    *size = base - p;
+    return 0;
+}
+
+
+int
+der_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
+{
+    if (val < 128) {
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	else {
+	    *p = val;
+	    *size = 1;
+	    return 0;
+	}
+    } else {
+	size_t l;
+	int e;
+
+	e = der_put_unsigned (p, len - 1, val, &l);
+	if (e)
+	    return e;
+	p -= l;
+	*p = 0x80 | l;
+	*size = l + 1;
+	return 0;
+    }
+}
+
+int
+der_put_general_string (unsigned char *p, size_t len, 
+			const general_string *str, size_t *size)
+{
+    size_t slen = strlen(*str);
+
+    if (len < slen)
+	return ASN1_OVERFLOW;
+    p -= slen;
+    len -= slen;
+    memcpy (p+1, *str, slen);
+    *size = slen;
+    return 0;
+}
+
+int
+der_put_octet_string (unsigned char *p, size_t len, 
+		      const octet_string *data, size_t *size)
+{
+    if (len < data->length)
+	return ASN1_OVERFLOW;
+    p -= data->length;
+    len -= data->length;
+    memcpy (p+1, data->data, data->length);
+    *size = data->length;
+    return 0;
+}
+
+int
+der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+	     int tag, size_t *size)
+{
+    if (len < 1)
+	return ASN1_OVERFLOW;
+    *p = (class << 6) | (type << 5) | tag; /* XXX */
+    *size = 1;
+    return 0;
+}
+
+int
+der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
+			Der_class class, Der_type type, int tag, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_length (p, len, len_val, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_tag (p, len, class, type, tag, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_integer (unsigned char *p, size_t len, const int *data, size_t *size)
+{
+    int num = *data;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    
+    e = der_put_int (p, len, num, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_general_string (unsigned char *p, size_t len, 
+		       const general_string *data, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_general_string (p, len, data, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_octet_string (unsigned char *p, size_t len, 
+		     const octet_string *k, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_octet_string (p, len, k, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+void
+time2generalizedtime (time_t t, octet_string *s)
+{
+     struct tm *tm;
+
+     s->data = malloc(16);
+     s->length = 15;
+     tm = gmtime (&t);
+     sprintf (s->data, "%04d%02d%02d%02d%02d%02dZ", tm->tm_year + 1900,
+	      tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min,
+	      tm->tm_sec);
+}
+
+int
+encode_generalized_time (unsigned char *p, size_t len,
+			 const time_t *t, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    octet_string k;
+    int e;
+
+    time2generalizedtime (*t, &k);
+    e = der_put_octet_string (p, len, &k, &l);
+    free (k.data);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, 
+				UT_GeneralizedTime, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/gen.c b/crypto/heimdal/lib/asn1/gen.c
new file mode 100644
index 0000000..bca4516
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen.c,v 1.41 1999/12/02 17:05:02 joda Exp $");
+
+FILE *headerfile, *codefile, *logfile;
+
+#define STEM "asn1"
+
+static char *orig_filename;
+static char header[1024];
+static char headerbase[1024] = STEM;
+
+void
+init_generate (char *filename, char *base)
+{
+    orig_filename = filename;
+    if(base)
+	strcpy(headerbase, base);
+    sprintf(header, "%s.h", headerbase);
+    headerfile = fopen (header, "w");
+    if (headerfile == NULL)
+	err (1, "open %s", header);
+    fprintf (headerfile,
+	     "/* Generated from %s */\n"
+	     "/* Do not edit */\n\n",
+	     filename);
+    fprintf (headerfile, 
+	     "#ifndef __%s_h__\n"
+	     "#define __%s_h__\n\n", headerbase, headerbase);
+    fprintf (headerfile, 
+	     "#include <stddef.h>\n"
+	     "#include <time.h>\n\n");
+#ifndef HAVE_TIMEGM
+    fprintf (headerfile, "time_t timegm (struct tm*);\n\n");
+#endif
+    fprintf (headerfile,
+	     "#ifndef __asn1_common_definitions__\n"
+	     "#define __asn1_common_definitions__\n\n");
+    fprintf (headerfile,
+	     "typedef struct octet_string {\n"
+	     "  size_t length;\n"
+	     "  void *data;\n"
+	     "} octet_string;\n\n");
+    fprintf (headerfile,
+#if 0
+	     "typedef struct general_string {\n"
+	     "  size_t length;\n"
+	     "  char *data;\n"
+	     "} general_string;\n\n"
+#else
+	     "typedef char *general_string;\n\n"
+#endif
+	     );
+    fprintf (headerfile, "#endif\n\n");
+    logfile = fopen(STEM "_files", "w");
+    if (logfile == NULL)
+	err (1, "open " STEM "_files");
+}
+
+void
+close_generate ()
+{
+    fprintf (headerfile, "#endif /* __%s_h__ */\n", headerbase);
+
+    fclose (headerfile);
+    fprintf (logfile, "\n");
+    fclose (logfile);
+}
+
+void
+generate_constant (const Symbol *s)
+{
+  fprintf (headerfile, "enum { %s = %d };\n\n",
+	   s->gen_name, s->constant);
+}
+
+static void
+space(int level)
+{
+    while(level-- > 0)
+	fprintf(headerfile, "  ");
+}
+
+static void
+define_asn1 (int level, Type *t)
+{
+    switch (t->type) {
+    case TType:
+	space(level);
+	fprintf (headerfile, "%s", t->symbol->name);
+	break;
+    case TInteger:
+	space(level);
+	fprintf (headerfile, "INTEGER");
+	break;
+    case TOctetString:
+	space(level);
+	fprintf (headerfile, "OCTET STRING");
+	break;
+    case TBitString: {
+	Member *m;
+	Type i;
+	int tag = -1;
+
+	i.type = TInteger;
+	space(level);
+	fprintf (headerfile, "BIT STRING {\n");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    if (tag == -1)
+		tag = m->val;
+	    space(level + 1);
+	    fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, 
+		     m->next->val == tag?"":",");
+
+	}
+	space(level);
+	fprintf (headerfile, "}");
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag;
+	int max_width = 0;
+
+	space(level);
+	fprintf (headerfile, "SEQUENCE {\n");
+	for (m = t->members, tag = -1; m && m->val != tag; m = m->next) {
+	    if (tag == -1)
+		tag = m->val;
+	    if(strlen(m->name) + (m->val > 9) > max_width)
+		max_width = strlen(m->name) + (m->val > 9);
+	}
+	max_width += 3 + 2;
+	if(max_width < 16) max_width = 16;
+	for (m = t->members, tag = -1 ; m && m->val != tag; m = m->next) {
+	    int width;
+	    if (tag == -1)
+		tag = m->val;
+	    space(level + 1);
+	    fprintf(headerfile, "%s[%d]", m->name, m->val);
+	    width = max_width - strlen(m->name) - 3 - (m->val > 9) - 2;
+	    fprintf(headerfile, "%*s", width, "");
+	    define_asn1(level + 1, m->type);
+	    if(m->optional)
+		fprintf(headerfile, " OPTIONAL");
+	    if(m->next->val != tag)
+		fprintf (headerfile, ",");
+	    fprintf (headerfile, "\n");
+	}
+	space(level);
+	fprintf (headerfile, "}");
+	break;
+    }
+    case TSequenceOf: {
+	space(level);
+	fprintf (headerfile, "SEQUENCE OF ");
+	define_asn1 (0, t->subtype);
+	break;
+    }
+    case TGeneralizedTime:
+	space(level);
+	fprintf (headerfile, "GeneralizedTime");
+	break;
+    case TGeneralString:
+	space(level);
+	fprintf (headerfile, "GeneralString");
+	break;
+    case TApplication:
+	fprintf (headerfile, "[APPLICATION %d] ", t->application);
+	define_asn1 (level, t->subtype);
+	break;
+    default:
+	abort ();
+    }
+}
+
+static void
+define_type (int level, char *name, Type *t, int typedefp)
+{
+    switch (t->type) {
+    case TType:
+	space(level);
+	fprintf (headerfile, "%s %s;\n", t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	space(level);
+	fprintf (headerfile, "int %s;\n", name);
+	break;
+    case TUInteger:
+	space(level);
+	fprintf (headerfile, "unsigned int %s;\n", name);
+	break;
+    case TOctetString:
+	space(level);
+	fprintf (headerfile, "octet_string %s;\n", name);
+	break;
+    case TBitString: {
+	Member *m;
+	Type i;
+	int tag = -1;
+
+	i.type = TUInteger;
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    char *n;
+
+	    asprintf (&n, "%s:1", m->gen_name);
+	    define_type (level + 1, n, &i, FALSE);
+	    free (n);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	space(level);
+	fprintf (headerfile, "} %s;\n\n", name);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    if (m->optional) {
+		char *n;
+
+		asprintf (&n, "*%s", m->gen_name);
+		define_type (level + 1, n, m->type, FALSE);
+		free (n);
+	    } else
+		define_type (level + 1, m->gen_name, m->type, FALSE);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	space(level);
+	fprintf (headerfile, "} %s;\n", name);
+	break;
+    }
+    case TSequenceOf: {
+	Type i;
+
+	i.type = TUInteger;
+	i.application = 0;
+
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	define_type (level + 1, "len", &i, FALSE);
+	define_type (level + 1, "*val", t->subtype, FALSE);
+	space(level);
+	fprintf (headerfile, "} %s;\n", name);
+	break;
+    }
+    case TGeneralizedTime:
+	space(level);
+	fprintf (headerfile, "time_t %s;\n", name);
+	break;
+    case TGeneralString:
+	space(level);
+	fprintf (headerfile, "general_string %s;\n", name);
+	break;
+    case TApplication:
+	define_type (level, name, t->subtype, FALSE);
+	break;
+    default:
+	abort ();
+    }
+}
+
+static void
+generate_type_header (const Symbol *s)
+{
+    fprintf (headerfile, "/*\n");
+    fprintf (headerfile, "%s ::= ", s->name);
+    define_asn1 (0, s->type);
+    fprintf (headerfile, "\n*/\n\n");
+
+    fprintf (headerfile, "typedef ");
+    define_type (0, s->gen_name, s->type, TRUE);
+
+    fprintf (headerfile, "\n");
+}
+
+
+void
+generate_type (const Symbol *s)
+{
+    char *filename;
+
+    asprintf (&filename, "%s_%s.x", STEM, s->gen_name);
+    codefile = fopen (filename, "w");
+    if (codefile == NULL)
+	err (1, "fopen %s", filename);
+    fprintf(logfile, "%s ", filename);
+    free(filename);
+    fprintf (codefile, 
+	     "/* Generated from %s */\n"
+	     "/* Do not edit */\n\n"
+	     "#include \"libasn1.h\"\n\n"
+#if 0
+	     "#include <stdio.h>\n"
+	     "#include <stdlib.h>\n"
+	     "#include <time.h>\n"
+	     "#include <" STEM ".h>\n\n"
+	     "#include <asn1_err.h>\n"
+	     "#include <der.h>\n"
+#endif
+	     ,orig_filename);
+    generate_type_header (s);
+    generate_type_encode (s);
+    generate_type_decode (s);
+    generate_type_free (s);
+    generate_type_length (s);
+    generate_type_copy (s);
+    generate_glue (s);
+    fprintf(headerfile, "\n\n");
+    fclose(codefile);
+}
diff --git a/crypto/heimdal/lib/asn1/gen.h b/crypto/heimdal/lib/asn1/gen.h
new file mode 100644
index 0000000..369b6e3
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gen.h,v 1.4 1999/12/02 17:05:02 joda Exp $ */
+
+#include <stdio.h>
+#include "symbol.h"
+
diff --git a/crypto/heimdal/lib/asn1/gen_copy.c b/crypto/heimdal/lib/asn1/gen_copy.c
new file mode 100644
index 0000000..f9aa489
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_copy.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_copy.c,v 1.10 1999/12/02 17:05:02 joda Exp $");
+
+static void
+copy_primitive (const char *typename, const char *from, const char *to)
+{
+    fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+	     typename, from, to);
+}
+
+static void
+copy_type (const char *from, const char *to, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+      copy_type (from, to, t->symbol->type);
+#endif
+      fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+	       t->symbol->gen_name, from, to);
+      break;
+  case TInteger:
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  case TOctetString:
+      copy_primitive ("octet_string", from, to);
+      break;
+  case TBitString: {
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  }
+  case TSequence: {
+      Member *m;
+      int tag = -1;
+
+      if (t->members == NULL)
+	  break;
+      
+      for (m = t->members; m && tag != m->val; m = m->next) {
+	  char *f;
+	  char *t;
+
+	  asprintf (&f, "%s(%s)->%s",
+		    m->optional ? "" : "&", from, m->gen_name);
+	  asprintf (&t, "%s(%s)->%s",
+		    m->optional ? "" : "&", to, m->gen_name);
+	  if(m->optional){
+	      fprintf(codefile, "if(%s) {\n", f);
+	      fprintf(codefile, "%s = malloc(sizeof(*%s));\n", t, t);
+	      fprintf(codefile, "if(%s == NULL) return ENOMEM;\n", t);
+	  }
+	  copy_type (f, t, m->type);
+	  if(m->optional){
+	      fprintf(codefile, "}else\n");
+	      fprintf(codefile, "%s = NULL;\n", t);
+	  }
+	  if (tag == -1)
+	      tag = m->val;
+	  free (f);
+	  free (t);
+      }
+      break;
+  }
+  case TSequenceOf: {
+      char *f;
+      char *T;
+
+      fprintf (codefile, "if(((%s)->val = "
+	       "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n", 
+	       to, from, to, from);
+      fprintf (codefile, "return ENOMEM;\n");
+      fprintf(codefile,
+	      "for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
+	      to, to, from, to);
+      asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
+      asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
+      copy_type(f, T, t->subtype);
+      fprintf(codefile, "}\n");
+      free(f);
+      free(T);
+      break;
+  }
+  case TGeneralizedTime:
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  case TGeneralString:
+      copy_primitive ("general_string", from, to);
+      break;
+  case TApplication:
+      copy_type (from, to, t->subtype);
+      break;
+  default :
+      abort ();
+  }
+}
+
+void
+generate_type_copy (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    copy_%s  (const %s *, %s *);\n",
+	   s->gen_name, s->gen_name, s->gen_name);
+
+  fprintf (codefile, "int\n"
+	   "copy_%s(const %s *from, %s *to)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name, s->gen_name);
+
+  copy_type ("from", "to", s->type);
+  fprintf (codefile, "return 0;\n}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_decode.c b/crypto/heimdal/lib/asn1/gen_decode.c
new file mode 100644
index 0000000..078ac44
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_decode.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_decode.c,v 1.11 1999/12/02 17:05:02 joda Exp $");
+
+static void
+decode_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile,
+	     "e = decode_%s(p, len, %s, &l);\n"
+	     "FORW;\n",
+	     typename,
+	     name);
+}
+
+static void
+decode_type (const char *name, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+    decode_type (name, t->symbol->type);
+#endif
+    fprintf (codefile,
+	     "e = decode_%s(p, len, %s, &l);\n"
+	     "FORW;\n",
+	     t->symbol->gen_name, name);
+    break;
+  case TInteger:
+    decode_primitive ("integer", name);
+    break;
+  case TOctetString:
+    decode_primitive ("octet_string", name);
+    break;
+  case TBitString: {
+    Member *m;
+    int tag = -1;
+    int pos;
+
+    fprintf (codefile,
+	     "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString,"
+	     "&reallen, &l);\n"
+	     "FORW;\n"
+	     "if(len < reallen)\n"
+	     "return ASN1_OVERRUN;\n"
+	     "p++;\n"
+	     "len--;\n"
+	     "reallen--;\n"
+	     "ret++;\n");
+    pos = 0;
+    for (m = t->members; m && tag != m->val; m = m->next) {
+      while (m->val / 8 > pos / 8) {
+	fprintf (codefile,
+		 "p++; len--; reallen--; ret++;\n");
+	pos += 8;
+      }
+      fprintf (codefile,
+	       "%s->%s = (*p >> %d) & 1;\n",
+	       name, m->gen_name, 7 - m->val % 8);
+      if (tag == -1)
+	tag = m->val;
+    }
+    fprintf (codefile,
+	     "p += reallen; len -= reallen; ret += reallen;\n");
+    break;
+  }
+  case TSequence: {
+    Member *m;
+    int tag = -1;
+
+    if (t->members == NULL)
+      break;
+
+    fprintf (codefile,
+	     "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+	     "&reallen, &l);\n"
+	     "FORW;\n"
+	     "{\n"
+	     "int dce_fix;\n"
+	     "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+	     "return ASN1_BAD_FORMAT;\n");
+
+    for (m = t->members; m && tag != m->val; m = m->next) {
+      char *s;
+
+      asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+      if (0 && m->type->type == TType){
+	  if(m->optional)
+	      fprintf (codefile,
+		       "%s = malloc(sizeof(*%s));\n", s, s);
+	  fprintf (codefile, 
+		   "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
+		   m->type->symbol->gen_name,
+		   m->val, 
+		   m->optional,
+		   s);
+	  if(m->optional)
+	      fprintf (codefile, 
+		       "if (e == ASN1_MISSING_FIELD) {\n"
+		       "free(%s);\n"
+		       "%s = NULL;\n"
+		       "e = l = 0;\n"
+		       "}\n",
+		       s, s);
+	  
+	  fprintf (codefile, "FORW;\n");
+	  
+      }else{
+	  fprintf (codefile, "{\n"
+		   "size_t newlen, oldlen;\n\n"
+		   "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n",
+		   m->val);
+	  fprintf (codefile,
+		   "if (e)\n");
+	  if(m->optional)
+	      /* XXX should look at e */
+	      fprintf (codefile,
+		       "%s = NULL;\n", s);
+	  else
+	      fprintf (codefile,
+		       "return e;\n");
+	  fprintf (codefile, 
+		   "else {\n");
+	  fprintf (codefile,
+		   "p += l;\n"
+		   "len -= l;\n"
+		   "ret += l;\n"
+		   "e = der_get_length (p, len, &newlen, &l);\n"
+		   "FORW;\n"
+		   "{\n"
+	       
+		   "int dce_fix;\n"
+		   "oldlen = len;\n"
+		   "if((dce_fix = fix_dce(newlen, &len)) < 0)"
+		   "return ASN1_BAD_FORMAT;\n");
+	  if (m->optional)
+	      fprintf (codefile,
+		       "%s = malloc(sizeof(*%s));\n",
+		       s, s);
+	  decode_type (s, m->type);
+	  fprintf (codefile,
+		   "if(dce_fix){\n"
+		   "e = der_match_tag_and_length (p, len, "
+		   "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+		   "FORW;\n"
+		   "}else \n"
+		   "len = oldlen - newlen;\n"
+		   "}\n"
+		   "}\n");
+	  fprintf (codefile,
+		   "}\n");
+      }
+      if (tag == -1)
+	tag = m->val;
+      free (s);
+    }
+    fprintf(codefile,
+	    "if(dce_fix){\n"
+	    "e = der_match_tag_and_length (p, len, "
+	    "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+	    "FORW;\n"
+	    "}\n"
+	    "}\n");
+
+    break;
+  }
+  case TSequenceOf: {
+    char *n;
+
+    fprintf (codefile,
+	     "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+	     "&reallen, &l);\n"
+	     "FORW;\n"
+	     "if(len < reallen)\n"
+	     "return ASN1_OVERRUN;\n"
+	     "len = reallen;\n");
+
+    fprintf (codefile,
+	     "{\n"
+	     "size_t origlen = len;\n"
+	     "int oldret = ret;\n"
+	     "ret = 0;\n"
+	     "(%s)->len = 0;\n"
+	     "(%s)->val = NULL;\n"
+	     "while(ret < origlen) {\n"
+	     "(%s)->len++;\n"
+	     "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
+	     name, name, name, name, name, name, name);
+    asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+    decode_type (n, t->subtype);
+    fprintf (codefile, 
+	     "len = origlen - ret;\n"
+	     "}\n"
+	     "ret += oldret;\n"
+	     "}\n");
+    free (n);
+    break;
+  }
+  case TGeneralizedTime:
+    decode_primitive ("generalized_time", name);
+    break;
+  case TGeneralString:
+    decode_primitive ("general_string", name);
+    break;
+  case TApplication:
+    fprintf (codefile,
+	     "e = der_match_tag_and_length (p, len, APPL, CONS, %d, "
+	     "&reallen, &l);\n"
+	     "FORW;\n"
+	     "{\n"
+	     "int dce_fix;\n"
+	     "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+	     "return ASN1_BAD_FORMAT;\n", 
+	     t->application);
+    decode_type (name, t->subtype);
+    fprintf(codefile,
+	    "if(dce_fix){\n"
+	    "e = der_match_tag_and_length (p, len, "
+	    "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+	    "FORW;\n"
+	    "}\n"
+	    "}\n");
+
+    break;
+  default :
+    abort ();
+  }
+}
+
+void
+generate_type_decode (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    "
+	   "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "#define FORW "
+	   "if(e) return e; "
+	   "p += l; "
+	   "len -= l; "
+	   "ret += l\n\n");
+
+
+  fprintf (codefile, "int\n"
+	   "decode_%s(const unsigned char *p,"
+	   " size_t len, %s *data, size_t *size)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  switch (s->type->type) {
+  case TInteger:
+    fprintf (codefile, "return decode_integer (p, len, data, size);\n");
+    break;
+  case TOctetString:
+    fprintf (codefile, "return decode_octet_string (p, len, data, size);\n");
+    break;
+  case TGeneralizedTime:
+    fprintf (codefile, "return decode_generalized_time (p, len, data, size);\n");
+    break;
+  case TGeneralString:
+    fprintf (codefile, "return decode_general_string (p, len, data, size);\n");
+    break;
+  case TBitString:
+  case TSequence:
+  case TSequenceOf:
+  case TApplication:
+  case TType:
+    fprintf (codefile,
+	     "size_t ret = 0, reallen;\n"
+	     "size_t l;\n"
+	     "int i, e;\n\n");
+    fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+
+    decode_type ("data", s->type);
+    fprintf (codefile, 
+	     "if(size) *size = ret;\n"
+	     "return 0;\n");
+    break;
+  default:
+    abort ();
+  }
+  fprintf (codefile, "}\n\n");
+}
+
+void
+generate_seq_type_decode (const Symbol *s)
+{
+    fprintf (headerfile,
+	     "int decode_seq_%s(const unsigned char *, size_t, int, int, "
+	     "%s *, size_t *);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile, "int\n"
+	     "decode_seq_%s(const unsigned char *p, size_t len, int tag, "
+	     "int optional, %s *data, size_t *size)\n"
+	     "{\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "size_t newlen, oldlen;\n"
+	     "size_t l, ret = 0;\n"
+	     "int e;\n"
+	     "int dce_fix;\n");
+    
+    fprintf (codefile,
+	     "e = der_match_tag(p, len, CONTEXT, CONS, tag, &l);\n"
+	     "if (e)\n"
+	     "return e;\n");
+    fprintf (codefile, 
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "e = der_get_length(p, len, &newlen, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "oldlen = len;\n"
+	     "if ((dce_fix = fix_dce(newlen, &len)) < 0)\n"
+	     "return ASN1_BAD_FORMAT;\n"
+	     "e = decode_%s(p, len, data, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "if (dce_fix) {\n"
+	     "size_t reallen;\n\n"
+	     "e = der_match_tag_and_length(p, len, "
+	     "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "ret += l;\n"
+	     "}\n",
+	     s->gen_name);
+    fprintf (codefile, 
+	     "if(size) *size = ret;\n"
+	     "return 0;\n");
+
+    fprintf (codefile, "}\n\n");
+}
diff --git a/crypto/heimdal/lib/asn1/gen_encode.c b/crypto/heimdal/lib/asn1/gen_encode.c
new file mode 100644
index 0000000..9e9b293
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_encode.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_encode.c,v 1.9 1999/12/02 17:05:02 joda Exp $");
+
+static void
+encode_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile,
+	     "e = encode_%s(p, len, %s, &l);\n"
+	     "BACK;\n",
+	     typename,
+	     name);
+}
+
+static void
+encode_type (const char *name, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+    encode_type (name, t->symbol->type);
+#endif
+    fprintf (codefile,
+	     "e = encode_%s(p, len, %s, &l);\n"
+	     "BACK;\n",
+	     t->symbol->gen_name, name);
+    break;
+  case TInteger:
+    encode_primitive ("integer", name);
+    break;
+  case TOctetString:
+    encode_primitive ("octet_string", name);
+    break;
+  case TBitString: {
+    Member *m;
+    int pos;
+    int rest;
+    int tag = -1;
+
+    if (t->members == NULL)
+      break;
+
+    fprintf (codefile, "{\n"
+	     "unsigned char c = 0;\n");
+    pos = t->members->prev->val;
+    /* fix for buggy MIT (and OSF?) code */
+    if (pos > 31)
+	abort ();
+    /*
+     * It seems that if we do not always set pos to 31 here, the MIT
+     * code will do the wrong thing.
+     *
+     * I hate ASN.1 (and DER), but I hate it even more when everybody
+     * has to screw it up differently.
+     */
+    pos = 31;
+    rest = 7 - (pos % 8);
+
+    for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+      while (m->val / 8 < pos / 8) {
+	fprintf (codefile,
+		 "*p-- = c; len--; ret++;\n"
+		 "c = 0;\n");
+	pos -= 8;
+      }
+      fprintf (codefile,
+	       "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
+	       7 - m->val % 8);
+
+      if (tag == -1)
+	tag = m->val;
+    }
+
+    fprintf (codefile, 
+	     "*p-- = c;\n"
+	     "*p-- = %d;\n"
+	     "len -= 2;\n"
+	     "ret += 2;\n"
+	     "}\n\n"
+	     "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
+	     "UT_BitString, &l);\n"
+	     "BACK;\n",
+	     rest);
+    break;
+  }
+  case TSequence: {
+    Member *m;
+    int tag = -1;
+
+    if (t->members == NULL)
+      break;
+
+    for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+      char *s;
+
+      asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+      if (m->optional)
+	fprintf (codefile,
+		 "if(%s)\n",
+		 s);
+#if 1
+      fprintf (codefile, "{\n"
+	       "int oldret = ret;\n"
+	       "ret = 0;\n");
+#endif
+      encode_type (s, m->type);
+      fprintf (codefile,
+	       "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
+	       "%d, &l);\n"
+	       "BACK;\n",
+	       m->val);
+#if 1
+      fprintf (codefile,
+	       "ret += oldret;\n"
+	       "}\n");
+#endif
+      if (tag == -1)
+	tag = m->val;
+      free (s);
+    }
+    fprintf (codefile,
+	     "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+	     "BACK;\n");
+    break;
+  }
+  case TSequenceOf: {
+    char *n;
+
+    fprintf (codefile,
+	     "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+#if 1
+	     "int oldret = ret;\n"
+	     "ret = 0;\n",
+#else
+	     ,
+#endif
+	     name);
+    asprintf (&n, "&(%s)->val[i]", name);
+    encode_type (n, t->subtype);
+    fprintf (codefile,
+#if 1
+	     "ret += oldret;\n"
+#endif
+	     "}\n"
+	     "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+	     "BACK;\n");
+    free (n);
+    break;
+  }
+  case TGeneralizedTime:
+    encode_primitive ("generalized_time", name);
+    break;
+  case TGeneralString:
+    encode_primitive ("general_string", name);
+    break;
+  case TApplication:
+    encode_type (name, t->subtype);
+    fprintf (codefile,
+	     "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
+	     "BACK;\n",
+	     t->application);
+    break;
+  default:
+    abort ();
+  }
+}
+
+void
+generate_type_encode (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    "
+	   "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "#define BACK if (e) return e; p -= l; len -= l; ret += l\n\n");
+
+
+  fprintf (codefile, "int\n"
+	   "encode_%s(unsigned char *p, size_t len,"
+	   " const %s *data, size_t *size)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  switch (s->type->type) {
+  case TInteger:
+    fprintf (codefile, "return encode_integer (p, len, data, size);\n");
+    break;
+  case TOctetString:
+    fprintf (codefile, "return encode_octet_string (p, len, data, size);\n");
+    break;
+  case TGeneralizedTime:
+    fprintf (codefile, "return encode_generalized_time (p, len, data, size);\n");
+    break;
+  case TGeneralString:
+    fprintf (codefile, "return encode_general_string (p, len, data, size);\n");
+    break;
+  case TBitString:
+  case TSequence:
+  case TSequenceOf:
+  case TApplication:
+  case TType:
+    fprintf (codefile,
+	     "size_t ret = 0;\n"
+	     "size_t l;\n"
+	     "int i, e;\n\n");
+    fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+    
+    encode_type ("data", s->type);
+    fprintf (codefile, "*size = ret;\n"
+	     "return 0;\n");
+    break;
+  default:
+    abort ();
+  }
+  fprintf (codefile, "}\n\n");
+}
diff --git a/crypto/heimdal/lib/asn1/gen_free.c b/crypto/heimdal/lib/asn1/gen_free.c
new file mode 100644
index 0000000..0f6078b
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_free.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_free.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+static void
+free_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile, "free_%s(%s);\n", typename, name);
+}
+
+static void
+free_type (const char *name, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+      free_type (name, t->symbol->type);
+#endif
+      fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
+      break;
+  case TInteger:
+      break;
+  case TOctetString:
+      free_primitive ("octet_string", name);
+      break;
+  case TBitString: {
+      break;
+  }
+  case TSequence: {
+      Member *m;
+      int tag = -1;
+
+      if (t->members == NULL)
+	  break;
+      
+      for (m = t->members; m && tag != m->val; m = m->next) {
+	  char *s;
+
+	  asprintf (&s, "%s(%s)->%s",
+		    m->optional ? "" : "&", name, m->gen_name);
+	  if(m->optional)
+	      fprintf(codefile, "if(%s) {\n", s);
+	  free_type (s, m->type);
+	  if(m->optional)
+	      fprintf(codefile, 
+		      "free(%s);\n"
+		      "}\n",s);
+	  if (tag == -1)
+	      tag = m->val;
+	  free (s);
+      }
+      break;
+  }
+  case TSequenceOf: {
+      char *n;
+
+      fprintf (codefile, "while((%s)->len){\n", name);
+      asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+      free_type(n, t->subtype);
+      fprintf(codefile, 
+	      "(%s)->len--;\n"
+	      "}\n",
+	      name);
+      fprintf(codefile,
+	      "free((%s)->val);\n", name);
+      free(n);
+      break;
+  }
+  case TGeneralizedTime:
+      break;
+  case TGeneralString:
+      free_primitive ("general_string", name);
+      break;
+  case TApplication:
+      free_type (name, t->subtype);
+      break;
+  default :
+      abort ();
+  }
+}
+
+void
+generate_type_free (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "void   free_%s  (%s *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "void\n"
+	   "free_%s(%s *data)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  free_type ("data", s->type);
+  fprintf (codefile, "}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_glue.c b/crypto/heimdal/lib/asn1/gen_glue.c
new file mode 100644
index 0000000..2f6280a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_glue.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_glue.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+static void
+generate_2int (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "unsigned %s2int(%s);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "unsigned %s2int(%s f)\n"
+	     "{\n"
+	     "unsigned r = 0;\n",
+	     s->gen_name, s->gen_name);
+
+    for (m = t->members; m && m->val != tag; m = m->next) {
+	fprintf (codefile, "if(f.%s) r |= (1U << %d);\n",
+		 m->gen_name, m->val);
+	
+	if (tag == -1)
+	    tag = m->val;
+    }
+    fprintf (codefile, "return r;\n"
+	     "}\n\n");
+}
+
+static void
+generate_int2 (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "%s int2%s(unsigned);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "%s int2%s(unsigned n)\n"
+	     "{\n"
+	     "\t%s flags;\n\n",
+	     s->gen_name, s->gen_name, s->gen_name);
+
+    for (m = t->members; m && m->val != tag; m = m->next) {
+	fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n",
+		 m->gen_name, m->val);
+	
+	if (tag == -1)
+	    tag = m->val;
+    }
+    fprintf (codefile, "\treturn flags;\n"
+	     "}\n\n");
+}
+
+/*
+ * This depends on the bit string being declared in increasing order
+ */
+
+static void
+generate_units (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "extern struct units %s_units[];",
+	     s->gen_name);
+
+    fprintf (codefile,
+	     "struct units %s_units[] = {\n",
+	     s->gen_name);
+
+    if(t->members)
+	for (m = t->members->prev; m && m->val != tag; m = m->prev) {
+	    fprintf (codefile,
+		     "\t{\"%s\",\t1U << %d},\n", m->gen_name, m->val);
+	    
+	    if (tag == -1)
+		tag = m->val;
+	}
+
+    fprintf (codefile,
+	     "\t{NULL,\t0}\n"
+	     "};\n\n");
+}
+
+void
+generate_glue (const Symbol *s)
+{
+    switch(s->type->type) {
+    case TBitString :
+	generate_2int (s);
+	generate_int2 (s);
+	generate_units (s);
+	break;
+    default :
+	break;
+    }
+}
diff --git a/crypto/heimdal/lib/asn1/gen_length.c b/crypto/heimdal/lib/asn1/gen_length.c
new file mode 100644
index 0000000..1c3566d
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_length.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_length.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+static void
+length_primitive (const char *typename,
+		  const char *name,
+		  const char *variable)
+{
+    fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name);
+}
+
+static void
+length_type (const char *name, const Type *t, const char *variable)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+      length_type (name, t->symbol->type);
+#endif
+      fprintf (codefile, "%s += length_%s(%s);\n",
+	       variable, t->symbol->gen_name, name);
+      break;
+  case TInteger:
+      length_primitive ("integer", name, variable);
+      break;
+  case TOctetString:
+      length_primitive ("octet_string", name, variable);
+      break;
+  case TBitString: {
+      /*
+       * XXX - Hope this is correct
+       * look at TBitString case in `encode_type'
+       */
+      fprintf (codefile, "%s += 7;\n", variable);
+      break;
+  }
+  case TSequence: {
+      Member *m;
+      int tag = -1;
+
+      if (t->members == NULL)
+	  break;
+      
+      for (m = t->members; m && tag != m->val; m = m->next) {
+	  char *s;
+
+	  asprintf (&s, "%s(%s)->%s",
+		    m->optional ? "" : "&", name, m->gen_name);
+	  if (m->optional)
+	      fprintf (codefile, "if(%s)", s);
+	  fprintf (codefile, "{\n"
+		   "int oldret = %s;\n"
+		   "%s = 0;\n", variable, variable);
+	  length_type (s, m->type, "ret");
+	  fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n",
+		   variable, variable);
+	  fprintf (codefile, "}\n");
+	  if (tag == -1)
+	      tag = m->val;
+	  free (s);
+      }
+      fprintf (codefile,
+	       "%s += 1 + length_len(%s);\n", variable, variable);
+      break;
+  }
+  case TSequenceOf: {
+      char *n;
+
+      fprintf (codefile,
+	       "{\n"
+	       "int oldret = %s;\n"
+	       "int i;\n"
+	       "%s = 0;\n",
+	       variable, variable);
+
+      fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
+      asprintf (&n, "&(%s)->val[i]", name);
+      length_type(n, t->subtype, variable);
+      fprintf (codefile, "}\n");
+
+      fprintf (codefile,
+	       "%s += 1 + length_len(%s) + oldret;\n"
+	       "}\n", variable, variable);
+      free(n);
+      break;
+  }
+  case TGeneralizedTime:
+      length_primitive ("generalized_time", name, variable);
+      break;
+  case TGeneralString:
+      length_primitive ("general_string", name, variable);
+      break;
+  case TApplication:
+      length_type (name, t->subtype, variable);
+      fprintf (codefile, "ret += 1 + length_len (ret);\n");
+      break;
+  default :
+      abort ();
+  }
+}
+
+void
+generate_type_length (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "size_t length_%s(const %s *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile,
+	   "size_t\n"
+	   "length_%s(const %s *data)\n"
+	   "{\n"
+	   "size_t ret = 0;\n",
+	   s->gen_name, s->gen_name);
+
+  length_type ("data", s->type, "ret");
+  fprintf (codefile, "return ret;\n}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_locl.h b/crypto/heimdal/lib/asn1/gen_locl.h
new file mode 100644
index 0000000..7ee37ae
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_locl.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gen_locl.h,v 1.6 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef __GEN_LOCL_H__
+#define __GEN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <time.h>
+#include <errno.h>
+#include <err.h>
+#include <roken.h>
+#include "hash.h"
+#include "symbol.h"
+
+void generate_type (const Symbol *);
+void generate_constant (const Symbol *);
+void generate_type_encode (const Symbol *s);
+void generate_type_decode (const Symbol *s);
+void generate_seq_type_decode (const Symbol *s);
+void generate_type_free (const Symbol *s);
+void generate_type_length (const Symbol *s);
+void generate_type_copy (const Symbol *s);
+void generate_type_maybe (const Symbol *s);
+void generate_glue (const Symbol *s);
+
+void init_generate (char *filename, char *basename);
+void close_generate(void);
+int yyparse(void);
+
+extern FILE *headerfile, *codefile, *logfile;
+
+#endif /* __GEN_LOCL_H__ */
diff --git a/crypto/heimdal/lib/asn1/hash.c b/crypto/heimdal/lib/asn1/hash.c
new file mode 100644
index 0000000..a8d3eb3
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/hash.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * Hash table functions
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: hash.c,v 1.8 1999/12/02 17:05:02 joda Exp $");
+
+static Hashentry *_search(Hashtab * htab,	/* The hash table */
+			  void *ptr);	/* And key */
+
+Hashtab *
+hashtabnew(int sz,
+	   int (*cmp) (void *, void *),
+	   unsigned (*hash) (void *))
+{
+    Hashtab *htab;
+    int i;
+
+    assert(sz > 0);
+
+    htab = (Hashtab *) malloc(sizeof(Hashtab) + (sz - 1) * sizeof(Hashentry *));
+    for (i = 0; i < sz; ++i)
+	htab->tab[i] = NULL;
+
+    if (htab == NULL) {
+	return NULL;
+    } else {
+	htab->cmp = cmp;
+	htab->hash = hash;
+	htab->sz = sz;
+	return htab;
+    }
+}
+
+/* Intern search function */
+
+static Hashentry *
+_search(Hashtab * htab, void *ptr)
+{
+    Hashentry *hptr;
+
+    assert(htab && ptr);
+
+    for (hptr = htab->tab[(*htab->hash) (ptr) % htab->sz];
+	 hptr;
+	 hptr = hptr->next)
+	if ((*htab->cmp) (ptr, hptr->ptr) == 0)
+	    break;
+    return hptr;
+}
+
+/* Search for element in hash table */
+
+void *
+hashtabsearch(Hashtab * htab, void *ptr)
+{
+    Hashentry *tmp;
+
+    tmp = _search(htab, ptr);
+    return tmp ? tmp->ptr : tmp;
+}
+
+/* add element to hash table */
+/* if already there, set new value */
+/* !NULL if succesful */
+
+void *
+hashtabadd(Hashtab * htab, void *ptr)
+{
+    Hashentry *h = _search(htab, ptr);
+    Hashentry **tabptr;
+
+    assert(htab && ptr);
+
+    if (h)
+	free((void *) h->ptr);
+    else {
+	h = (Hashentry *) malloc(sizeof(Hashentry));
+	if (h == NULL) {
+	    return NULL;
+	}
+	tabptr = &htab->tab[(*htab->hash) (ptr) % htab->sz];
+	h->next = *tabptr;
+	*tabptr = h;
+	h->prev = tabptr;
+	if (h->next)
+	    h->next->prev = &h->next;
+    }
+    h->ptr = ptr;
+    return h;
+}
+
+/* delete element with key key. Iff freep, free Hashentry->ptr */
+
+int
+_hashtabdel(Hashtab * htab, void *ptr, int freep)
+{
+    Hashentry *h;
+
+    assert(htab && ptr);
+
+    h = _search(htab, ptr);
+    if (h) {
+	if (freep)
+	    free(h->ptr);
+	if ((*(h->prev) = h->next))
+	    h->next->prev = h->prev;
+	free(h);
+	return 0;
+    } else
+	return -1;
+}
+
+/* Do something for each element */
+
+void
+hashtabforeach(Hashtab * htab, int (*func) (void *ptr, void *arg),
+	       void *arg)
+{
+    Hashentry **h, *g;
+
+    assert(htab);
+
+    for (h = htab->tab; h < &htab->tab[htab->sz]; ++h)
+	for (g = *h; g; g = g->next)
+	    if ((*func) (g->ptr, arg))
+		return;
+}
+
+/* standard hash-functions for strings */
+
+unsigned
+hashadd(const char *s)
+{				/* Standard hash function */
+    unsigned i;
+
+    assert(s);
+
+    for (i = 0; *s; ++s)
+	i += *s;
+    return i;
+}
+
+unsigned
+hashcaseadd(const char *s)
+{				/* Standard hash function */
+    unsigned i;
+
+    assert(s);
+
+    for (i = 0; *s; ++s)
+	i += toupper(*s);
+    return i;
+}
+
+#define TWELVE (sizeof(unsigned))
+#define SEVENTYFIVE (6*sizeof(unsigned))
+#define HIGH_BITS (~((unsigned)(~0) >> TWELVE))
+
+unsigned
+hashjpw(const char *ss)
+{				/* another hash function */
+    unsigned h = 0;
+    unsigned g;
+    const unsigned char *s = (const unsigned char *)ss;
+
+    for (; *s; ++s) {
+	h = (h << TWELVE) + *s;
+	if ((g = h & HIGH_BITS))
+	    h = (h ^ (g >> SEVENTYFIVE)) & ~HIGH_BITS;
+    }
+    return h;
+}
diff --git a/crypto/heimdal/lib/asn1/hash.h b/crypto/heimdal/lib/asn1/hash.h
new file mode 100644
index 0000000..b54e102
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/hash.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * hash.h. Header file for hash table functions
+ */
+
+/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+
+struct hashentry {		/* Entry in bucket */
+     struct hashentry **prev;
+     struct hashentry *next;
+     void *ptr;
+};
+
+typedef struct hashentry Hashentry;
+
+struct hashtab {		/* Hash table */
+     int (*cmp)(void *, void *); /* Compare function */
+     unsigned (*hash)(void *);	/* hash function */
+     int sz;			/* Size */
+     Hashentry *tab[1];		/* The table */
+};
+
+typedef struct hashtab Hashtab;
+
+/* prototypes */
+
+Hashtab *hashtabnew(int sz, 
+		    int (*cmp)(void *, void *),
+		    unsigned (*hash)(void *));	/* Make new hash table */
+
+void *hashtabsearch(Hashtab *htab, /* The hash table */
+		    void *ptr);	/*  The key */
+
+
+void *hashtabadd(Hashtab *htab,	/* The hash table */
+	       void *ptr);	/* The element */
+
+int _hashtabdel(Hashtab *htab,	/* The table */
+		void *ptr,	/* Key */
+		int freep);	/* Free data part? */
+
+void hashtabforeach(Hashtab *htab,
+		    int (*func)(void *ptr, void *arg),
+		    void *arg);
+
+unsigned hashadd(const char *s);		/* Standard hash function */
+unsigned hashcaseadd(const char *s);		/* Standard hash function */
+unsigned hashjpw(const char *s);		/* another hash function */
+
+/* macros */
+
+ /* Don't free space */
+#define hashtabdel(htab,key)  _hashtabdel(htab,key,FALSE)
+
+#define hashtabfree(htab,key) _hashtabdel(htab,key,TRUE) /* Do! */
diff --git a/crypto/heimdal/lib/asn1/k5.asn1 b/crypto/heimdal/lib/asn1/k5.asn1
new file mode 100644
index 0000000..a7f4199
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/k5.asn1
@@ -0,0 +1,385 @@
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+nt-unknown INTEGER ::= 0 -- Name type not known
+nt-principal INTEGER ::= 1 -- Just the name of the principal as in
+nt-srv-inst INTEGER ::= 2 -- Service and other unique instance (krbtgt)
+nt-srv-hst INTEGER ::= 3 -- Service with host name as instance
+nt-srv-xhst INTEGER ::= 4 -- Service with host as remaining components
+nt-uid INTEGER ::= 5 -- Unique ID
+
+Realm ::= GeneralString
+PrincipalName ::= SEQUENCE {
+	name-type[0]		INTEGER,
+	name-string[1]		SEQUENCE OF GeneralString
+}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm
+}
+
+HostAddress ::= SEQUENCE  {
+	addr-type[0]		INTEGER,
+	address[1]		OCTET STRING
+}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- 	addr-type[0]		INTEGER,
+--	address[1]		OCTET STRING
+-- }
+
+-- This seems much better.
+HostAddresses ::= SEQUENCE OF HostAddress
+
+
+KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
+
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+	ad-type[0]		INTEGER,
+	ad-data[1]		OCTET STRING
+}
+
+APOptions ::= BIT STRING {
+	reserved(0),
+	use-session-key(1),
+	mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	may-postdate(5),
+	postdated(6),
+	invalid(7),
+	renewable(8),
+	initial(9),
+	pre-authent(10),
+	hw-authent(11),
+	transited-policy-checked(12),
+	ok-as-delegate(13),
+	anonymous(14)
+}
+
+KDCOptions ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	allow-postdate(5),
+	postdated(6),
+	unused7(7),
+	renewable(8),
+	unused9(9),
+	unused10(10),
+	unused11(11),
+	request-anonymous(14),
+	disable-transited-check(26),
+	renewable-ok(27),
+	enc-tkt-in-skey(28),
+	renew(30),
+	validate(31)
+}
+
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+	lr-type[0]		INTEGER,
+	lr-value[1]		KerberosTime
+}
+
+EncryptedData ::= SEQUENCE {
+	etype[0] 		INTEGER, -- EncryptionType
+	kvno[1]			INTEGER OPTIONAL,
+	cipher[2]		OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+	keytype[0]		INTEGER,
+	keyvalue[1]		OCTET STRING
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+	tr-type[0]		INTEGER, -- must be registered
+	contents[1]		OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+	tkt-vno[0]		INTEGER,
+	realm[1]		Realm,
+	sname[2]		PrincipalName,
+	enc-part[3]		EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+	flags[0]		TicketFlags,
+	key[1]			EncryptionKey,
+	crealm[2]		Realm,
+	cname[3]		PrincipalName,
+	transited[4]		TransitedEncoding,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	caddr[9]		HostAddresses OPTIONAL,
+	authorization-data[10]	AuthorizationData OPTIONAL
+}
+
+Checksum ::= SEQUENCE {
+	cksumtype[0]		INTEGER,
+	checksum[1]		OCTET STRING
+}
+
+Authenticator ::= [APPLICATION 2] SEQUENCE    {
+	authenticator-vno[0]	INTEGER,
+	crealm[1]		Realm,
+	cname[2]		PrincipalName,
+	cksum[3]		Checksum OPTIONAL,
+	cusec[4]		INTEGER,
+	ctime[5]		KerberosTime,
+	subkey[6]		EncryptionKey OPTIONAL,
+	seq-number[7]		INTEGER OPTIONAL,
+	authorization-data[8]	AuthorizationData OPTIONAL
+	}
+
+PA-DATA ::= SEQUENCE {
+	-- might be encoded AP-REQ
+	padata-type[1]		INTEGER,
+	padata-value[2]		OCTET STRING
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+	etype[0]		INTEGER,
+	salt[1]			OCTET STRING OPTIONAL,
+	salttype[2]		INTEGER OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+KDC-REQ-BODY ::= SEQUENCE {
+	kdc-options[0]		KDCOptions,
+	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
+	realm[2]		Realm,	-- Server's realm
+					-- Also client's in AS-REQ
+	sname[3]		PrincipalName OPTIONAL,
+	from[4]			KerberosTime OPTIONAL,
+	till[5]			KerberosTime OPTIONAL,
+	rtime[6]		KerberosTime OPTIONAL,
+	nonce[7]		INTEGER,
+	etype[8]		SEQUENCE OF INTEGER, -- EncryptionType,
+					-- in preference order
+	addresses[9]		HostAddresses OPTIONAL,
+	enc-authorization-data[10] EncryptedData OPTIONAL,
+					-- Encrypted AuthorizationData encoding
+	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
+}
+
+KDC-REQ ::= SEQUENCE {
+	pvno[1]			INTEGER,
+	msg-type[2]		INTEGER,
+	padata[3]		METHOD-DATA OPTIONAL,
+	req-body[4]		KDC-REQ-BODY
+}
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+	patimestamp[0]		KerberosTime, -- client's time
+	pausec[1]		INTEGER OPTIONAL
+}
+
+KDC-REP ::= SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	padata[2]		METHOD-DATA OPTIONAL,
+	crealm[3]		Realm,
+	cname[4]		PrincipalName,
+	ticket[5]		Ticket,
+	enc-part[6]		EncryptedData
+}
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+EncKDCRepPart ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	last-req[1]		LastReq,
+	nonce[2]		INTEGER,
+	key-expiration[3]	KerberosTime OPTIONAL,
+	flags[4]		TicketFlags,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	srealm[9]		Realm,
+	sname[10]		PrincipalName,
+	caddr[11]		HostAddresses OPTIONAL
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	ap-options[2]		APOptions,
+	ticket[3]		Ticket,
+	authenticator[4]	EncryptedData
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	enc-part[2]		EncryptedData
+}
+
+EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
+	ctime[0]		KerberosTime,
+	cusec[1]		INTEGER,
+	subkey[2]		EncryptionKey OPTIONAL,
+	seq-number[3]		INTEGER OPTIONAL
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			INTEGER OPTIONAL,
+	seq-number[3]		INTEGER OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	safe-body[2]		KRB-SAFE-BODY,
+	cksum[3]		Checksum
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	enc-part[3]		EncryptedData
+}
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			INTEGER OPTIONAL,
+	seq-number[3]		INTEGER OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL, -- sender's addr
+	r-address[5]		HostAddress OPTIONAL  -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER, -- KRB_CRED
+	tickets[2]		SEQUENCE OF Ticket,
+	enc-part[3]		EncryptedData
+}
+
+KrbCredInfo ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	prealm[1]		Realm OPTIONAL,
+	pname[2]		PrincipalName OPTIONAL,
+	flags[3]		TicketFlags OPTIONAL,
+	authtime[4]		KerberosTime OPTIONAL,
+	starttime[5]		KerberosTime OPTIONAL,
+	endtime[6] 		KerberosTime OPTIONAL,
+	renew-till[7]		KerberosTime OPTIONAL,
+	srealm[8]		Realm OPTIONAL,
+	sname[9]		PrincipalName OPTIONAL,
+	caddr[10]		HostAddresses OPTIONAL
+}
+
+EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
+	ticket-info[0]		SEQUENCE OF KrbCredInfo,
+	nonce[1]		INTEGER OPTIONAL,
+	timestamp[2]		KerberosTime OPTIONAL,
+	usec[3]			INTEGER OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		INTEGER,
+	ctime[2]		KerberosTime OPTIONAL,
+	cusec[3]		INTEGER OPTIONAL,
+	stime[4]		KerberosTime,
+	susec[5]		INTEGER,
+	error-code[6]		INTEGER,
+	crealm[7]		Realm OPTIONAL,
+	cname[8]		PrincipalName OPTIONAL,
+	realm[9]		Realm, -- Correct realm
+	sname[10]		PrincipalName, -- Correct name
+	e-text[11]		GeneralString OPTIONAL,
+	e-data[12]		OCTET STRING OPTIONAL
+}
+
+pvno INTEGER ::= 5 -- current Kerberos protocol version number
+
+-- message types
+
+krb-as-req INTEGER ::= 10 -- Request for initial authentication
+krb-as-rep INTEGER ::= 11 -- Response to KRB_AS_REQ request
+krb-tgs-req INTEGER ::= 12 -- Request for authentication based on TGT
+krb-tgs-rep INTEGER ::= 13 -- Response to KRB_TGS_REQ request
+krb-ap-req INTEGER ::= 14 -- application request to server
+krb-ap-rep INTEGER ::= 15 -- Response to KRB_AP_REQ_MUTUAL
+krb-safe INTEGER ::= 20 -- Safe (checksummed) application message
+krb-priv INTEGER ::= 21 -- Private (encrypted) application message
+krb-cred INTEGER ::= 22 -- Private (encrypted) message to forward credentials
+krb-error INTEGER ::= 30 -- Error response
+
+-- pa-data types
+
+pa-tgs-req		INTEGER ::= 1
+pa-enc-timestamp	INTEGER ::= 2
+pa-pw-salt		INTEGER ::= 3
+pa-enc-unix-time	INTEGER ::= 5
+pa-sandia-secureid	INTEGER ::= 6
+pa-sesame		INTEGER ::= 7
+pa-osf-dce		INTEGER ::= 8
+pa-cybersafe-secureid	INTEGER ::= 9
+pa-afs3-salt		INTEGER ::= 10
+pa-etype-info		INTEGER ::= 11
+sam-challenge		INTEGER ::= 12 -- (sam/otp)
+sam-response		INTEGER ::= 13 -- (sam/otp)
+pa-pk-as-req		INTEGER ::= 14 -- (pkinit)
+pa-pk-as-rep		INTEGER ::= 15 -- (pkinit)
+pa-pk-as-sign		INTEGER ::= 16 -- (pkinit)
+pa-pk-key-req		INTEGER ::= 17 -- (pkinit)
+pa-pk-key-rep		INTEGER ::= 18 -- (pkinit)
+-- checksumtypes
+
+CRC32 			INTEGER ::= 1
+rsa-md4 		INTEGER ::= 2
+rsa-md4-des		INTEGER ::= 3
+des-mac			INTEGER ::= 4
+des-mac-k 		INTEGER ::= 5
+rsa-md4-des-k		INTEGER ::= 6
+rsa-md5			INTEGER ::= 7
+rsa-md5-des		INTEGER ::= 8
+rsa-md5-des3		INTEGER ::= 9
+hmac-sha1-des3		INTEGER ::= 12
+
+-- transited encodings
+
+DOMAIN-X500-COMPRESS	INTEGER ::= 1
+
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/crypto/heimdal/lib/asn1/lex.h b/crypto/heimdal/lib/asn1/lex.h
new file mode 100644
index 0000000..66d708c
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/lex.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+
+void error_message (char *, ...);
diff --git a/crypto/heimdal/lib/asn1/lex.l b/crypto/heimdal/lib/asn1/lex.l
new file mode 100644
index 0000000..b3fbf71
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/lex.l
@@ -0,0 +1,102 @@
+%{
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.l,v 1.10 1999/12/02 17:05:02 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include "symbol.h"
+#include "parse.h"
+
+void error_message(char *, ...);
+
+static unsigned lineno = 1;
+
+/* ","|"{"|"}"|"("|")"|"["|"]"|"|"	{ return *yytext; } */
+%}
+
+
+%%
+INTEGER			{ return INTEGER; }
+SEQUENCE		{ return SEQUENCE; }
+OF			{ return OF; }
+OCTET			{ return OCTET; }
+STRING			{ return STRING; }
+GeneralizedTime		{ return GeneralizedTime; }
+GeneralString		{ return GeneralString; }
+BIT			{ return BIT; }
+APPLICATION		{ return APPLICATION; }
+OPTIONAL		{ return OPTIONAL; }
+BEGIN			{ return TBEGIN; }
+END			{ return END; }
+DEFINITIONS		{ return DEFINITIONS; }
+EXTERNAL		{ return EXTERNAL; }
+[,{}()|]		{ return *yytext; }
+"["			{ return *yytext; }
+"]"			{ return *yytext; }
+::=			{ return EEQUAL; }
+--[^\n]*\n		{ ; }
+-?[0-9]+		{ yylval.constant = atoi(yytext); return CONSTANT; }
+[A-Za-z][-A-Za-z0-9_]*	{ yylval.name =  strdup (yytext); return IDENTIFIER; }
+[ \t]			;
+\n			{ lineno++; }
+.			{ error_message("Ignoring char(%c)\n", *yytext); }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+void
+error_message (char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, ":%d: ", lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+}
diff --git a/crypto/heimdal/lib/asn1/libasn1.h b/crypto/heimdal/lib/asn1/libasn1.h
new file mode 100644
index 0000000..90eda60
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/libasn1.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: libasn1.h,v 1.7 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef __LIBASN1_H__
+#define __LIBASN1_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include "asn1.h"
+#include "der.h"
+#include "asn1_err.h"
+#include <parse_units.h>
+
+#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/asn1/main.c b/crypto/heimdal/lib/asn1/main.c
new file mode 100644
index 0000000..538af5a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/main.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: main.c,v 1.10 1999/12/02 17:05:02 joda Exp $");
+
+extern FILE *yyin;
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "[asn1-file [name]]");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret;
+    char *file;
+    char *name = NULL;
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if (argc == optind) {
+	file = "stdin";
+	name = "stdin";
+	yyin = stdin;
+    } else {
+	file = argv[optind];
+	yyin = fopen (file, "r");
+	if (yyin == NULL)
+	    err (1, "open %s", file);
+	name = argv[optind + 1];
+    }
+
+    init_generate (file, name);
+    initsym ();
+    ret = yyparse ();
+    close_generate ();
+    return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/parse.y b/crypto/heimdal/lib/asn1/parse.y
new file mode 100644
index 0000000..f9e82b5
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/parse.y
@@ -0,0 +1,231 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse.y,v 1.12 1999/12/02 17:05:02 joda Exp $ */
+
+%{
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "symbol.h"
+#include "lex.h"
+#include "gen_locl.h"
+
+RCSID("$Id: parse.y,v 1.12 1999/12/02 17:05:02 joda Exp $");
+
+static Type *new_type (Typetype t);
+void yyerror (char *);
+int yylex(void);
+
+static void append (Member *l, Member *r);
+
+%}
+
+%union {
+  int constant;
+  char *name;
+  Type *type;
+  Member *member;
+}
+
+%token INTEGER SEQUENCE OF OCTET STRING GeneralizedTime GeneralString
+%token BIT APPLICATION OPTIONAL EEQUAL TBEGIN END DEFINITIONS EXTERNAL
+%token <name> IDENTIFIER 
+%token <constant> CONSTANT
+
+%type <constant> constant optional2
+%type <type> type
+%type <member> memberdecls memberdecl bitdecls bitdecl
+
+%start envelope
+
+%%
+
+envelope	: IDENTIFIER DEFINITIONS EEQUAL TBEGIN specification END {}
+		;
+
+specification	:
+		| specification declaration
+		;
+
+declaration	: extern_decl
+		| type_decl
+		| constant_decl
+		;
+
+extern_decl	: IDENTIFIER EXTERNAL
+		{
+			Symbol *s = addsym($1);
+			s->stype = Stype;
+		}
+		;
+
+type_decl	: IDENTIFIER EEQUAL type
+		{
+		  Symbol *s = addsym ($1);
+		  s->stype = Stype;
+		  s->type = $3;
+		  generate_type (s);
+		}
+		;
+
+constant_decl	: IDENTIFIER type EEQUAL constant
+		{
+		  Symbol *s = addsym ($1);
+		  s->stype = SConstant;
+		  s->constant = $4;
+		  generate_constant (s);
+		}
+		;
+
+type		: INTEGER     { $$ = new_type(TInteger); }
+		| OCTET STRING { $$ = new_type(TOctetString); }
+		| GeneralString { $$ = new_type(TGeneralString); }
+		| GeneralizedTime { $$ = new_type(TGeneralizedTime); }
+		| SEQUENCE OF type
+		{
+		  $$ = new_type(TSequenceOf);
+		  $$->subtype = $3;
+		}
+		| SEQUENCE '{' memberdecls '}'
+		{
+		  $$ = new_type(TSequence);
+		  $$->members = $3;
+		}
+		| BIT STRING '{' bitdecls '}'
+		{
+		  $$ = new_type(TBitString);
+		  $$->members = $4;
+		}
+		| IDENTIFIER
+		{
+		  Symbol *s = addsym($1);
+		  $$ = new_type(TType);
+		  if(s->stype != Stype)
+		    error_message ("%s is not a type\n", $1);
+		  else
+		    $$->symbol = s;
+		}
+		| '[' APPLICATION constant ']' type
+		{
+		  $$ = new_type(TApplication);
+		  $$->subtype = $5;
+		  $$->application = $3;
+		}
+		;
+
+memberdecls	: { $$ = NULL; }
+		| memberdecl	{ $$ = $1; }
+		| memberdecls ',' memberdecl { $$ = $1; append($$, $3); }
+		;
+
+memberdecl	: IDENTIFIER '[' constant ']' type optional2
+		{
+		  $$ = malloc(sizeof(*$$));
+		  $$->name = $1;
+		  $$->gen_name = strdup($1);
+		  output_name ($$->gen_name);
+		  $$->val = $3;
+		  $$->optional = $6;
+		  $$->type = $5;
+		  $$->next = $$->prev = $$;
+		}
+		;
+
+optional2	: { $$ = 0; }
+		| OPTIONAL { $$ = 1; }
+		;
+
+bitdecls	: { $$ = NULL; }
+		| bitdecl { $$ = $1; }
+		| bitdecls ',' bitdecl { $$ = $1; append($$, $3); }
+		;
+
+bitdecl		: IDENTIFIER '(' constant ')'
+		{
+		  $$ = malloc(sizeof(*$$));
+		  $$->name = $1;
+		  $$->gen_name = strdup($1);
+		  output_name ($$->gen_name);
+		  $$->val = $3;
+		  $$->optional = 0;
+		  $$->type = NULL;
+		  $$->prev = $$->next = $$;
+		}
+		;
+
+constant	: CONSTANT	{ $$ = $1; }
+		| IDENTIFIER	{
+				  Symbol *s = addsym($1);
+				  if(s->stype != SConstant)
+				    error_message ("%s is not a constant\n",
+						   s->name);
+				  else
+				    $$ = s->constant;
+				}
+		;
+%%
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
+
+static Type *
+new_type (Typetype tt)
+{
+  Type *t = malloc(sizeof(*t));
+  if (t == NULL) {
+      error_message ("out of memory in malloc(%u)", sizeof(*t));
+      exit (1);
+  }
+  t->type = tt;
+  t->application = 0;
+  t->members = NULL;
+  t->subtype = NULL;
+  t->symbol  = NULL;
+  return t;
+}
+
+static void
+append (Member *l, Member *r)
+{
+  l->prev->next = r;
+  r->prev = l->prev;
+  l->prev = r;
+  r->next = l;
+}
diff --git a/crypto/heimdal/lib/asn1/symbol.c b/crypto/heimdal/lib/asn1/symbol.c
new file mode 100644
index 0000000..5e6e741
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/symbol.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: symbol.c,v 1.8 1999/12/02 17:05:02 joda Exp $");
+
+static Hashtab *htab;
+
+static int
+cmp (void *a, void *b)
+{
+  Symbol *s1 = (Symbol *)a;
+  Symbol *s2 = (Symbol *)b;
+
+  return strcmp (s1->name, s2->name);
+}
+
+static unsigned
+hash (void *a)
+{
+  Symbol *s = (Symbol *)a;
+
+  return hashjpw (s->name);
+}
+
+void
+initsym ()
+{
+  htab = hashtabnew (101, cmp, hash);
+}
+
+
+void
+output_name (char *s)
+{
+  char *p;
+
+  for (p = s; *p; ++p)
+    if (*p == '-')
+      *p = '_';
+}
+
+Symbol*
+addsym (char *name)
+{
+  Symbol key, *s;
+
+  key.name = name;
+  s = (Symbol *)hashtabsearch (htab, (void *)&key);
+  if (s == NULL) {
+    s = (Symbol *)malloc (sizeof (*s));
+    s->name = name;
+    s->gen_name = strdup(name);
+    output_name (s->gen_name);
+    s->stype = SUndefined;
+    hashtabadd (htab, s);
+  }
+  return s;
+}
diff --git a/crypto/heimdal/lib/asn1/symbol.h b/crypto/heimdal/lib/asn1/symbol.h
new file mode 100644
index 0000000..bc4707f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/symbol.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: symbol.h,v 1.5 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef _SYMBOL_H
+#define _SYMBOL_H
+
+enum typetype { TInteger, TOctetString, TBitString, TSequence, TSequenceOf,
+		TGeneralizedTime, TGeneralString, TApplication, TType, 
+		TUInteger };
+
+typedef enum typetype Typetype;
+
+struct type;
+
+struct member {
+  char *name;
+  char *gen_name;
+  int val;
+  int optional;
+  struct type *type;
+  struct member *next, *prev;
+};
+
+typedef struct member Member;
+
+struct symbol;
+
+struct type {
+  Typetype type;
+  int application;
+  Member *members;
+  struct type *subtype;
+  struct symbol *symbol;
+};
+
+typedef struct type Type;
+
+struct symbol {
+  char *name;
+  char *gen_name;
+  enum { SUndefined, SConstant, Stype } stype;
+  int constant;
+  Type *type;
+};
+
+typedef struct symbol Symbol;
+
+void initsym (void);
+Symbol *addsym (char *);
+void output_name (char *);
+#endif
diff --git a/crypto/heimdal/lib/asn1/timegm.c b/crypto/heimdal/lib/asn1/timegm.c
new file mode 100644
index 0000000..bdc997f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/timegm.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: timegm.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+#ifndef HAVE_TIMEGM
+
+static int
+is_leap(unsigned y)
+{
+    y += 1900;
+    return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
+}
+
+time_t
+timegm (struct tm *tm)
+{
+  static const unsigned ndays[2][12] ={
+    {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
+    {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
+  time_t res = 0;
+  unsigned i;
+
+  for (i = 70; i < tm->tm_year; ++i)
+    res += is_leap(i) ? 366 : 365;
+
+  for (i = 0; i < tm->tm_mon; ++i)
+    res += ndays[is_leap(tm->tm_year)][i];
+  res += tm->tm_mday - 1;
+  res *= 24;
+  res += tm->tm_hour;
+  res *= 60;
+  res += tm->tm_min;
+  res *= 60;
+  res += tm->tm_sec;
+  return res;
+}
+
+#endif /* HAVE_TIMEGM */
diff --git a/crypto/heimdal/lib/auth/ChangeLog b/crypto/heimdal/lib/auth/ChangeLog
new file mode 100644
index 0000000..9b1ebaf
--- /dev/null
+++ b/crypto/heimdal/lib/auth/ChangeLog
@@ -0,0 +1,74 @@
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* sia/Makefile.am: try to link with shared libraries if we don't
+ 	find any static ones
+
+1999-12-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sia/sia.c: don't use string concatenation with TKT_ROOT
+
+1999-11-15  Assar Westerlund  <assar@sics.se>
+
+	* */lib/Makefile.in: set LIBNAME.  From Enrico Scholz
+ 	<Enrico.Scholz@informatik.tu-chemnitz.de>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): update to new
+ 	krb524_convert_creds_kdc
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* sia/sia.c (doauth): use krb5_get_local_realms and
+ 	krb5_verify_user_lrealm
+
+	* afskauthlib/verify.c (verify_krb5): remove krb5_kuserok.  use
+ 	krb5_verify_user_lrealm
+
+1999-08-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afskauthlib/verify.c: make this compile w/o krb4
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c: incorporate patches from Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+Thu Apr  8 14:35:34 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+	* sia/Makefile.am: make it build w/o krb4
+
+	* afskauthlib/verify.c: add krb5 support
+
+	* afskauthlib/Makefile.am: build afskauthlib.so
+
+Wed Apr  7 14:06:22 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: make it compile w/o krb4
+
+	* sia/Makefile.am: make it compile w/o krb4
+
+Thu Apr  1 18:09:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/Makefile.in: add posix_getpw.c
+	  
+	* sia/Makefile.am: makefile for sia
+	  
+	* sia/posix_getpw.c: move from sia.c
+	  
+	* sia/sia_locl.h: merge with krb5 version
+	  
+	* sia/sia.c: merge with krb5 version
+	  
+	* sia/sia5.c: remove unused variables
diff --git a/crypto/heimdal/lib/auth/Makefile.am b/crypto/heimdal/lib/auth/Makefile.am
new file mode 100644
index 0000000..0310dc3
--- /dev/null
+++ b/crypto/heimdal/lib/auth/Makefile.am
@@ -0,0 +1,6 @@
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = @LIB_AUTH_SUBDIRS@
+DIST_SUBDIRS = afskauthlib pam sia
diff --git a/crypto/heimdal/lib/auth/Makefile.in b/crypto/heimdal/lib/auth/Makefile.in
new file mode 100644
index 0000000..aab069e
--- /dev/null
+++ b/crypto/heimdal/lib/auth/Makefile.in
@@ -0,0 +1,599 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = @LIB_AUTH_SUBDIRS@
+DIST_SUBDIRS = afskauthlib pam sia
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+@SET_MAKE@
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
+	  rev="$$subdir $$rev"; \
+	  test "$$subdir" = "." && dot_seen=yes; \
+	done; \
+	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/auth
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    chmod 777 $(distdir)/$$subdir; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-data-recursive uninstall-data-recursive \
+install-exec-recursive uninstall-exec-recursive installdirs-recursive \
+uninstalldirs-recursive all-recursive check-recursive \
+installcheck-recursive info-recursive dvi-recursive \
+mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs-am installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
new file mode 100644
index 0000000..7dd6d52
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
@@ -0,0 +1,38 @@
+# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+DEFS = @DEFS@
+
+foodir = $(libdir)
+foo_DATA = afskauthlib.so
+
+SUFFIXES += .c .o
+
+SRCS = verify.c
+OBJS = verify.o
+
+CLEANFILES = $(foo_DATA) $(OBJS) so_locations
+
+afskauthlib.so: $(OBJS)
+	$(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+
+.c.o:
+	$(COMPILE) -c $<
+
+if KRB4
+KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
+endif
+
+L = \
+	$(KAFS)	\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	-lc
+
+$(OBJS): $(top_builddir)/include/config.h
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
new file mode 100644
index 0000000..d3a4041
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
@@ -0,0 +1,538 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+DEFS = @DEFS@
+
+foodir = $(libdir)
+foo_DATA = afskauthlib.so
+
+SRCS = verify.c
+OBJS = verify.o
+
+CLEANFILES = $(foo_DATA) $(OBJS) so_locations
+
+@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
+
+L =  	$(KAFS)		$(top_builddir)/lib/krb5/.libs/libkrb5.a		$(top_builddir)/lib/asn1/.libs/libasn1.a		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.a			$(top_builddir)/lib/roken/.libs/libroken.a		-lc
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DATA =  $(foo_DATA)
+
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .o .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/afskauthlib/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
+	  else if test -f $$p; then \
+	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
+	  fi; fi; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	list='$(foo_DATA)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/auth/afskauthlib
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-fooDATA install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-fooDATA
+uninstall: uninstall-am
+all-am: Makefile $(DATA) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(foodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-fooDATA install-fooDATA tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+afskauthlib.so: $(OBJS)
+	$(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+
+.c.o:
+	$(COMPILE) -c $<
+
+$(OBJS): $(top_builddir)/include/config.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/afskauthlib/verify.c b/crypto/heimdal/lib/auth/afskauthlib/verify.c
new file mode 100644
index 0000000..1c23119
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/verify.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $");
+#endif
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+static char krb5ccname[128];
+#endif
+#ifdef KRB4
+static char krbtkfile[128];
+#endif
+
+/* 
+   In some cases is afs_gettktstring called twice (once before
+   afs_verify and once after afs_verify).
+   In some cases (rlogin with access allowed via .rhosts) 
+   afs_verify is not called!
+   So we can't rely on correct value in krbtkfile in some
+   cases!
+*/
+
+static int correct_tkfilename=0;
+static int pag_set=0;
+
+#ifdef KRB4
+static void
+set_krbtkfile(uid_t uid)
+{
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+    krb_set_tkt_string (krbtkfile);
+    correct_tkfilename = 1;
+}
+#endif
+
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+    snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+    correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+    int fd;
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+    fd = mkstemp(krbtkfile);
+    close(fd);
+    unlink(krbtkfile); 
+    krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+    snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+    fd=mkstemp(krb5ccname+5);
+    close(fd);
+    unlink(krb5ccname+5);
+#endif
+}
+
+#ifdef KRB5
+static int
+verify_krb5(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    
+    krb5_init_context(&context);
+
+    ret = krb5_parse_name (context, pwd->pw_name, &principal);
+    if (ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    set_krb5ccname(pwd->pw_uid);
+    ret = krb5_cc_resolve(context, krb5ccname, &ccache);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_verify_user_lrealm(context,
+				  principal,
+				  ccache,
+				  password,
+				  TRUE,
+				  NULL);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
+	syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", 
+	       krb5_get_err_text(context, errno));
+	goto out;
+    }
+
+#ifdef KRB4
+    if (krb5_config_get_bool(context, NULL,
+			     "libdefaults",
+			     "krb4_get_tickets",
+			     NULL)) {
+	CREDENTIALS c;
+	krb5_creds mcred, cred;
+        krb5_realm realm;
+
+        krb5_get_default_realm(context, &realm);
+	krb5_make_principal(context, &mcred.server, realm,
+			    "krbtgt",
+			    realm,
+			    NULL);
+	free (realm);
+	ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
+	    if(ret)
+		krb5_warn(context, ret, "converting creds");
+	    else {
+		set_krbtkfile(pwd->pw_uid);
+		tf_setup(&c, c.pname, c.pinst); 
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	} else
+	    syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", 
+		   krb5_get_err_text(context, ret));
+	    
+	krb5_free_principal(context, mcred.server);
+    }
+    if (!pag_set && k_hasafs()) {
+	k_setpag();
+	pag_set = 1;
+	krb5_afslog_uid_home(context, ccache, NULL, NULL, 
+			     pwd->pw_uid, pwd->pw_dir);
+    }
+#endif
+out:
+    if(ret && !quiet)
+	printf ("%s\n", krb5_get_err_text (context, ret));
+    return ret;
+}
+#endif
+
+#ifdef KRB4
+static int
+verify_krb4(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    int ret = 1;
+    char lrealm[REALM_SZ];
+    
+    if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
+	set_krbtkfile(pwd->pw_uid);
+	ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
+			       KRB_VERIFY_SECURE, NULL);
+	if (ret == KSUCCESS) {
+	    if (!pag_set && k_hasafs()) {
+		k_setpag ();
+		pag_set = 1;
+		krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
+	    }
+	} else if (!quiet)
+	    printf ("%s\n", krb_get_err_text (ret));
+    }
+    return ret;
+}
+#endif
+
+int
+afs_verify(char *name,
+	   char *password,
+	   int32_t *exp,
+	   int quiet)
+{
+    int ret = 1;
+    struct passwd *pwd = k_getpwnam (name);
+
+    if(pwd == NULL)
+	return 1;
+    if (ret)
+	ret = unix_verify_user (name, password);
+#ifdef KRB5
+    if (ret)
+	ret = verify_krb5(pwd, password, exp, quiet);
+#endif
+#ifdef KRB4
+    if(ret)
+	ret = verify_krb4(pwd, password, exp, quiet);
+#endif
+    return ret;
+}
+
+char *
+afs_gettktstring (void)
+{
+    char *ptr;
+    struct passwd *pwd;
+
+    if (!correct_tkfilename) {
+	ptr = getenv("LOGNAME"); 
+	if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
+	    set_krb5ccname(pwd->pw_uid);
+#ifdef KRB4
+	    set_krbtkfile(pwd->pw_uid);
+	    if (!pag_set && k_hasafs()) {
+                k_setpag();
+                pag_set=1;
+	    }
+#endif
+	} else {
+	    set_spec_krbtkfile();
+	}
+    }
+#ifdef KRB5
+    setenv("KRB5CCNAME",krb5ccname,1);
+#endif
+#ifdef KRB4
+    setenv("KRBTKFILE",krbtkfile,1);
+    return krbtkfile;
+#else
+    return "";
+#endif
+}
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.am b/crypto/heimdal/lib/auth/pam/Makefile.am
new file mode 100644
index 0000000..abde2d9
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/Makefile.am
@@ -0,0 +1,3 @@
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in
new file mode 100644
index 0000000..37f8d22
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/Makefile.in
@@ -0,0 +1,491 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/pam/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/auth/pam
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c
new file mode 100644
index 0000000..1a385e0
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/pam.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include<config.h>
+RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <syslog.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
+#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
+#endif
+
+#include <netinet/in.h>
+#include <krb.h>
+#include <kafs.h>
+
+#if 0
+/* Debugging PAM modules is a royal pain, truss helps. */
+#define DEBUG(msg) (access(msg " at line", __LINE__))
+#endif
+
+static void
+log_error(int level, const char *format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+  vsyslog(level | LOG_AUTH, format, args);
+  va_end(args);
+  closelog();
+}
+
+enum {
+  KRB4_DEBUG,
+  KRB4_USE_FIRST_PASS,
+  KRB4_TRY_FIRST_PASS,
+  KRB4_IGNORE_ROOT,
+  KRB4_NO_VERIFY,
+  KRB4_REAFSLOG,
+  KRB4_CTRLS			/* Number of ctrl arguments defined. */
+};
+
+#define KRB4_DEFAULTS  0
+
+static int ctrl_flags = KRB4_DEFAULTS;
+#define ctrl_on(x)  (krb4_args[x].flag & ctrl_flags)
+#define ctrl_off(x) (!ctrl_on(x))
+
+typedef struct
+{
+  const char *token;
+  unsigned int flag;
+} krb4_ctrls_t;
+
+static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
+{
+  /* KRB4_DEBUG          */ { "debug",          0x01 },
+  /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
+  /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
+  /* KRB4_IGNORE_ROOT    */ { "ignore_root",    0x08 },
+  /* KRB4_NO_VERIFY      */ { "no_verify",      0x10 },
+  /* KRB4_REAFSLOG       */ { "reafslog",       0x20 },
+};
+
+static void
+parse_ctrl(int argc, const char **argv)
+{
+  int i, j;
+
+  ctrl_flags = KRB4_DEFAULTS;
+  for (i = 0; i < argc; i++)
+    {
+      for (j = 0; j < KRB4_CTRLS; j++)
+	if (strcmp(argv[i], krb4_args[j].token) == 0)
+	  break;
+    
+      if (j >= KRB4_CTRLS)
+	log_error(LOG_ALERT, "unrecognized option [%s]", *argv);
+      else
+	ctrl_flags |= krb4_args[j].flag;
+    }
+}
+
+static void
+pdeb(const char *format, ...)
+{
+  va_list args;
+  if (ctrl_off(KRB4_DEBUG))
+    return;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_PID, LOG_AUTH);
+  vsyslog(LOG_DEBUG | LOG_AUTH, format, args);
+  va_end(args);
+  closelog();
+}
+
+#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid())
+
+static void
+set_tkt_string(uid_t uid)
+{
+  char buf[128];
+
+  snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
+  krb_set_tkt_string(buf);
+
+#if 0
+  /* pam_set_data+pam_get_data are not guaranteed to work, grr. */
+  pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
+  if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
+    {
+      pam_putenv(pamh, var);
+    }
+#endif
+
+  /* We don't want to inherit this variable.
+   * If we still do, it must have a sane value. */
+  if (getenv("KRBTKFILE") != 0)
+    {
+      char *var = malloc(sizeof(buf));
+      snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
+      putenv(var);
+      /* free(var); XXX */
+    }
+}
+
+static int
+verify_pass(pam_handle_t *pamh,
+	    const char *name,
+	    const char *inst,
+	    const char *pass)
+{
+  char realm[REALM_SZ];
+  int ret, krb_verify, old_euid, old_ruid;
+
+  krb_get_lrealm(realm, 1);
+  if (ctrl_on(KRB4_NO_VERIFY))
+    krb_verify = KRB_VERIFY_SECURE_FAIL;
+  else
+    krb_verify = KRB_VERIFY_SECURE;
+  old_ruid = getuid();
+  old_euid = geteuid();
+  setreuid(0, 0);
+  ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
+  if (setreuid(old_ruid, old_euid) != 0)
+    {
+      log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+      exit(1);
+    }
+    
+  switch(ret) {
+  case KSUCCESS:
+    return PAM_SUCCESS;
+  case KDC_PR_UNKNOWN:
+    return PAM_USER_UNKNOWN;
+  case SKDC_CANT:
+  case SKDC_RETRY:
+  case RD_AP_TIME:
+    return PAM_AUTHINFO_UNAVAIL;
+  default:
+    return PAM_AUTH_ERR;
+  }
+}
+
+static int
+krb4_auth(pam_handle_t *pamh,
+	  int flags,
+	  const char *name,
+	  const char *inst,
+	  struct pam_conv *conv)
+{
+  struct pam_response *resp;
+  char prompt[128];
+  struct pam_message msg, *pmsg = &msg;
+  int ret;
+
+  if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
+    {
+      char *pass = 0;
+      ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
+      if (ret != PAM_SUCCESS)
+        {
+          log_error(LOG_ERR , "pam_get_item returned error to get-password");
+          return ret;
+        }
+      else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
+	return PAM_SUCCESS;
+      else if (ctrl_on(KRB4_USE_FIRST_PASS))
+	return PAM_AUTHTOK_RECOVERY_ERR;       /* Wrong password! */
+      else
+	/* We tried the first password but it didn't work, cont. */;
+    }
+
+  msg.msg_style = PAM_PROMPT_ECHO_OFF;
+  if (*inst == 0)
+    snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
+  else
+    snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
+  msg.msg = prompt;
+
+  ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  ret = verify_pass(pamh, name, inst, resp->resp);
+  if (ret == PAM_SUCCESS)
+    {
+      memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
+      free(resp->resp);
+      free(resp);
+    }
+  else
+    {
+      pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
+      /* free(resp->resp); XXX */
+      /* free(resp); XXX */
+    }
+  
+  return ret;
+}
+
+int
+pam_sm_authenticate(pam_handle_t *pamh,
+		    int flags,
+		    int argc,
+		    const char **argv)
+{
+  char *user;
+  int ret;
+  struct pam_conv *conv;
+  struct passwd *pw;
+  uid_t uid = -1;
+  const char *name, *inst;
+
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_authenticate");
+
+  ret = pam_get_user(pamh, &user, "login: ");
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
+    return PAM_AUTHINFO_UNAVAIL;
+
+  ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  pw = getpwnam(user);
+  if (pw != 0)
+    {
+      uid = pw->pw_uid;
+      set_tkt_string(uid);
+    }
+    
+  if (strcmp(user, "root") == 0 && getuid() != 0)
+    {
+      pw = getpwuid(getuid());
+      if (pw != 0)
+	{
+	  name = strdup(pw->pw_name);
+	  inst = "root";
+	}
+    }
+  else
+    {
+      name = user;
+      inst = "";
+    }
+
+  ret = krb4_auth(pamh, flags, name, inst, conv);
+
+  /*
+   * The realm was lost inside krb_verify_user() so we can't simply do
+   * a krb_kuserok() when inst != "".
+   */
+  if (ret == PAM_SUCCESS && inst[0] != 0)
+    {
+      char realm[REALM_SZ];
+      uid_t old_euid = geteuid();
+      uid_t old_ruid = getuid();
+
+      realm[0] = 0;
+      setreuid(0, 0);		/* To read ticket file. */
+      if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
+	ret = PAM_SERVICE_ERR;
+      else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	{
+	  setreuid(0, uid);	/*  To read ~/.klogin. */
+	  if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	    ret = PAM_PERM_DENIED;
+	}
+
+      if (ret != PAM_SUCCESS)
+	{
+	  dest_tkt();		/* Passwd known, ok to kill ticket. */
+	  log_error(LOG_NOTICE,
+		    "%s.%s@%s is not allowed to log in as %s",
+		    name, inst, realm, user);
+	}
+
+      if (setreuid(old_ruid, old_euid) != 0)
+	{
+	  log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+	  exit(1);
+	}
+    }
+
+  if (ret == PAM_SUCCESS)
+    chown(tkt_string(), uid, -1);
+
+  /* Sun dtlogin unlock screen does not call any other pam_* funcs. */
+  if (ret == PAM_SUCCESS
+      && ctrl_on(KRB4_REAFSLOG)
+      && k_hasafs()
+      && (pw = getpwnam(user)) != 0)
+    krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir);
+
+  return ret;
+}
+
+int 
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_setcred");
+  pdeb("flags = 0x%x", flags);
+
+  switch (flags & ~PAM_SILENT) {
+  case 0:
+  case PAM_ESTABLISH_CRED:
+    if (k_hasafs())
+      k_setpag();
+    /* Fill PAG with credentials below. */
+  case PAM_REINITIALIZE_CRED:
+  case PAM_REFRESH_CRED:
+    if (k_hasafs())
+      {
+	void *user = 0;
+
+	if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
+	  {
+	    struct passwd *pw = getpwnam((char *)user);
+	    if (pw != 0)
+	      krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
+				  pw->pw_uid, pw->pw_dir);
+	  }
+      }
+    break;
+  case PAM_DELETE_CRED:
+    dest_tkt();
+    if (k_hasafs())
+      k_unlog();
+    break;
+  default:
+    log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    break;
+  }
+  
+  return PAM_SUCCESS;
+}
+
+int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_open_session");
+
+  return PAM_SUCCESS;
+}
+
+
+int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_close_session");
+
+  /* This isn't really kosher, but it's handy. */
+  dest_tkt();
+  if (k_hasafs())
+    k_unlog();
+
+  return PAM_SUCCESS;
+}
diff --git a/crypto/heimdal/lib/auth/pam/pam.conf.add b/crypto/heimdal/lib/auth/pam/pam.conf.add
new file mode 100644
index 0000000..64a4915
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/pam.conf.add
@@ -0,0 +1,81 @@
+To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch:
+
+--- /etc/pam.conf.DIST	Mon Jul 20 15:37:46 1998
++++ /etc/pam.conf	Tue Feb 15 19:39:12 2000
+@@ -4,15 +4,19 @@
+ #
+ # Authentication management
+ #
++login	auth sufficient	/usr/athena/lib/pam_krb4.so
+ login	auth required 	/usr/lib/security/pam_unix.so.1 
+ login	auth required 	/usr/lib/security/pam_dial_auth.so.1 
+ #
+ rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
+ rlogin	auth required 	/usr/lib/security/pam_unix.so.1
+ #
++dtlogin	auth sufficient	/usr/athena/lib/pam_krb4.so
+ dtlogin	auth required 	/usr/lib/security/pam_unix.so.1 
+ #
+ rsh	auth required	/usr/lib/security/pam_rhosts_auth.so.1
++# Reafslog is for dtlogin lock display
++other	auth sufficient	/usr/athena/lib/pam_krb4.so reafslog
+ other	auth required	/usr/lib/security/pam_unix.so.1
+ #
+ # Account management
+@@ -24,6 +28,8 @@
+ #
+ # Session management
+ #
++dtlogin	session required	/usr/athena/lib/pam_krb4.so
++login	session required	/usr/athena/lib/pam_krb4.so
+ other	session required	/usr/lib/security/pam_unix.so.1 
+ #
+ # Password management
+---------------------------------------------------------------------------
+To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches:
+
+--- /etc/pam.d/login~   Thu Jul  8 00:14:02 1999
++++ /etc/pam.d/login    Mon Aug 30 14:33:12 1999
+@@ -1,9 +1,12 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /lib/security/pam_krb4.so
+ auth       required    /lib/security/pam_securetty.so
+ auth       required    /lib/security/pam_pwdb.so shadow nullok
+ auth       required    /lib/security/pam_nologin.so
+ account    required    /lib/security/pam_pwdb.so
+ password   required    /lib/security/pam_cracklib.so
+ password   required    /lib/security/pam_pwdb.so nullok use_authtok shadow
++session    required     /lib/security/pam_krb4.so
+ session    required    /lib/security/pam_pwdb.so
+ session    optional    /lib/security/pam_console.so
+--- /etc/pam.d/xdm~     Mon Jun 14 17:39:05 1999
++++ /etc/pam.d/xdm      Mon Aug 30 14:54:51 1999
+@@ -1,8 +1,10 @@
+ #%PAM-1.0
++auth       sufficient   /lib/security/pam_krb4.so
+ auth       required    /lib/security/pam_pwdb.so shadow nullok
+ auth       required    /lib/security/pam_nologin.so
+ account    required    /lib/security/pam_pwdb.so
+ password   required    /lib/security/pam_cracklib.so
+ password   required    /lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /lib/security/pam_krb4.so
+ session    required    /lib/security/pam_pwdb.so
+ session    optional     /lib/security/pam_console.so
+--------------------------------------------------------------------------
+
+This stuff may work under some other system.
+
+# To get this to work, you will have to add entries to /etc/pam.conf
+#
+# To make login kerberos-aware, you might change pam.conf to look
+# like:
+
+# login authorization
+login   auth       sufficient   /lib/security/pam_krb4.so
+login   auth       required     /lib/security/pam_securetty.so
+login   auth       required     /lib/security/pam_unix_auth.so
+login   account    required     /lib/security/pam_unix_acct.so
+login   password   required     /lib/security/pam_unix_passwd.so
+login   session    required     /lib/security/pam_krb4.so
+login   session    required     /lib/security/pam_unix_session.so
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.am b/crypto/heimdal/lib/auth/sia/Makefile.am
new file mode 100644
index 0000000..efba5c0
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/Makefile.am
@@ -0,0 +1,66 @@
+# $Id: Makefile.am,v 1.5 1999/12/30 03:47:03 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+DEFS = @DEFS@
+
+## this is horribly ugly, but automake/libtool doesn't allow us to
+## unconditionally build shared libraries, and it does not allow us to
+## link with non-installed libraries
+
+if KRB4
+KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
+KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
+endif
+
+L = \
+	$(KAFS)						\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+L_shared = \
+	$(KAFS_S)					\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.so		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+	$(top_builddir)/lib/roken/.libs/libroken.so	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch
+
+foodir = $(libdir)
+foo_DATA = libsia_krb5.so
+
+LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
+
+OBJS = sia.o posix_getpw.o
+
+libsia_krb5.so: $(OBJS)
+	if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x -z $@
+
+CLEANFILES = libsia_krb5.so $(OBJS) so_locations
+
+SUFFIXES += .c .o
+
+.c.o:
+	$(COMPILE) -c $<
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.in b/crypto/heimdal/lib/auth/sia/Makefile.in
new file mode 100644
index 0000000..fb36b4e
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/Makefile.in
@@ -0,0 +1,551 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.5 1999/12/30 03:47:03 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+DEFS = @DEFS@
+
+@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
+@KRB4_TRUE@KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
+
+L =  	$(KAFS)							$(top_builddir)/lib/krb5/.libs/libkrb5.a		$(top_builddir)/lib/asn1/.libs/libasn1.a		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.a			$(top_builddir)/lib/com_err/.libs/libcom_err.a		$(top_builddir)/lib/roken/.libs/libroken.a		$(LIB_getpwnam_r)					-lc
+
+
+L_shared =  	$(KAFS_S)						$(top_builddir)/lib/krb5/.libs/libkrb5.so		$(top_builddir)/lib/asn1/.libs/libasn1.so		$(LIB_krb4)						$(top_builddir)/lib/des/.libs/libdes.so			$(top_builddir)/lib/com_err/.libs/libcom_err.so		$(top_builddir)/lib/roken/.libs/libroken.so		$(LIB_getpwnam_r)					-lc
+
+
+EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch
+
+foodir = $(libdir)
+foo_DATA = libsia_krb5.so
+
+LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
+
+OBJS = sia.o posix_getpw.o
+
+CLEANFILES = libsia_krb5.so $(OBJS) so_locations
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DATA =  $(foo_DATA)
+
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .o .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/sia/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
+	  else if test -f $$p; then \
+	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
+	  fi; fi; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	list='$(foo_DATA)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/auth/sia
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-fooDATA install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-fooDATA
+uninstall: uninstall-am
+all-am: Makefile $(DATA) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(foodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-fooDATA install-fooDATA tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+libsia_krb5.so: $(OBJS)
+	if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x -z $@
+
+.c.o:
+	$(COMPILE) -c $<
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
new file mode 100644
index 0000000..4b90e02
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
@@ -0,0 +1,58 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + C2)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal/lib/auth/sia/krb4_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
new file mode 100644
index 0000000..4f55a81
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
@@ -0,0 +1,59 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + BSD)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+
diff --git a/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
new file mode 100644
index 0000000..c2952e2
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $
+
+# sia matrix configuration file (Kerberos 5 + C2)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal/lib/auth/sia/krb5_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
new file mode 100644
index 0000000..e49366a
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5_matrix.conf,v 1.1 1997/05/15 18:34:18 joda Exp $
+
+# sia matrix configuration file (Kerberos 5 + BSD)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_reauthent=(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_user=(BSD,libc.so)
diff --git a/crypto/heimdal/lib/auth/sia/posix_getpw.c b/crypto/heimdal/lib/auth/sia/posix_getpw.c
new file mode 100644
index 0000000..c5961dc
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/posix_getpw.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "sia_locl.h"
+
+RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $");
+
+#ifndef POSIX_GETPWNAM_R
+/* 
+ * These functions translate from the old Digital UNIX 3.x interface
+ * to POSIX.1c.
+ */
+
+int
+posix_getpwnam_r(const char *name, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwnam_r(name, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+
+int
+posix_getpwuid_r(uid_t uid, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwuid_r(uid, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+#endif /* POSIX_GETPWNAM_R */
diff --git a/crypto/heimdal/lib/auth/sia/security.patch b/crypto/heimdal/lib/auth/sia/security.patch
new file mode 100644
index 0000000..c407876
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/security.patch
@@ -0,0 +1,11 @@
+--- /sbin/init.d/security~      Tue Aug 20 22:44:09 1996
++++ /sbin/init.d/security       Fri Nov  1 14:52:56 1996
+@@ -49,7 +49,7 @@
+                    SECURITY=BASE
+                fi
+                ;;
+-       BASE)
++       BASE|KRB4)
+                ;;
+        *)
+                echo "security configuration set to default (BASE)."
diff --git a/crypto/heimdal/lib/auth/sia/sia.c b/crypto/heimdal/lib/auth/sia/sia.c
new file mode 100644
index 0000000..01e2ac0
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/sia.c
@@ -0,0 +1,672 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sia_locl.h"
+
+RCSID("$Id: sia.c,v 1.33 1999/12/20 09:46:44 joda Exp $");
+
+int 
+siad_init(void)
+{
+    return SIADSUCCESS;
+}
+
+int 
+siad_chk_invoker(void)
+{
+    SIA_DEBUG(("DEBUG", "siad_chk_invoker"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_init(SIAENTITY *entity, int pkgind)
+{
+    struct state *s = malloc(sizeof(*s));
+    SIA_DEBUG(("DEBUG", "siad_ses_init"));
+    if(s == NULL)
+	return SIADFAIL;
+    memset(s, 0, sizeof(*s));
+#ifdef SIA_KRB5
+    krb5_init_context(&s->context);
+#endif
+    entity->mech[pkgind] = (int*)s;
+    return SIADSUCCESS;
+}
+
+static int
+setup_name(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_name"));
+    e->name = malloc(SIANAMEMIN + 1);
+    if(e->name == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"login: ";
+    p->result = (unsigned char*)e->name;
+    p->min_result_length = 1;
+    p->max_result_length = SIANAMEMIN;
+    p->control_flags = 0;
+    return SIADSUCCESS;
+}
+
+static int
+setup_password(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_password"));
+    e->password = malloc(SIAMXPASSWORD + 1);
+    if(e->password == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"Password: ";
+    p->result = (unsigned char*)e->password;
+    p->min_result_length = 0;
+    p->max_result_length = SIAMXPASSWORD;
+    p->control_flags = SIARESINVIS;
+    return SIADSUCCESS;
+}
+
+
+static int
+doauth(SIAENTITY *entity, int pkgind, char *name)
+{
+    struct passwd pw, *pwd;
+    char pwbuf[1024];
+    struct state *s = (struct state*)entity->mech[pkgind];
+#ifdef SIA_KRB5
+    krb5_realm *realms, *r;
+    krb5_principal principal;
+    krb5_ccache ccache;
+    krb5_error_code ret;
+#endif
+#ifdef SIA_KRB4
+    char realm[REALM_SZ];
+    char *toname, *toinst;
+    int ret;
+    struct passwd fpw, *fpwd;
+    char fpwbuf[1024];
+    int secure;
+#endif
+	
+    if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
+	SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
+	return SIADFAIL;
+    }
+
+#ifdef SIA_KRB5
+    ret = krb5_get_default_realms(s->context, &realms);
+
+    for (r = realms; *r != NULL; ++r) {
+	krb5_make_principal (s->context, &principal, *r, entity->name, NULL);
+
+	if(krb5_kuserok(s->context, principal, entity->name))
+	    break;
+    }
+    krb5_free_host_realm (s->context, realms);
+    if (*r == NULL)
+	return SIADFAIL;
+
+    sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid());
+    ret = krb5_cc_resolve(s->context, s->ticket, &ccache);
+    if(ret)
+	return SIADFAIL;
+#endif
+	
+#ifdef SIA_KRB4
+    snprintf(s->ticket, sizeof(s->ticket),
+	     "%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
+    krb_get_lrealm(realm, 1);
+    toname = name;
+    toinst = "";
+    if(entity->authtype == SIA_A_SUAUTH){
+	uid_t ouid;
+#ifdef HAVE_SIAENTITY_OUID
+	ouid = entity->ouid;
+#else
+	ouid = getuid();
+#endif
+	if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
+	    SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
+	    return SIADFAIL;
+	}
+	snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d", 
+		 TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid());
+	if(strcmp(pwd->pw_name, "root") == 0){
+	    toname = fpwd->pw_name;
+	    toinst = pwd->pw_name;
+	}
+    }
+    if(entity->authtype == SIA_A_REAUTH) 
+	snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string());
+    
+    krb_set_tkt_string(s->ticket);
+	
+    setuid(0); /* XXX fix for fix in tf_util.c */
+    if(krb_kuserok(toname, toinst, realm, name)){
+	SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", 
+		   toname, toinst, realm, name));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB5
+    ret = krb5_verify_user_lrealm(s->context, principal, ccache,
+				  entity->password, 1, NULL);
+    if(ret){
+	/* if this is most likely a local user (such as
+	   root), just silently return failure when the
+	   principal doesn't exist */
+	if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && 
+	   ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
+	    SIALOG("WARNING", "krb5_verify_user(%s): %s", 
+		   entity->name, error_message(ret));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB4
+    if (getuid () == 0)
+	secure = KRB_VERIFY_SECURE;
+    else
+	secure = KRB_VERIFY_NOT_SECURE;
+	
+    ret = krb_verify_user(toname, toinst, realm,
+			  entity->password, secure, NULL);
+    if(ret){
+	SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret)));
+	if(ret != KDC_PR_UNKNOWN)
+	    /* since this is most likely a local user (such as
+	       root), just silently return failure when the
+	       principal doesn't exist */
+	    SIALOG("WARNING", "krb_verify_user(%s.%s): %s", 
+		   toname, toinst, krb_get_err_text(ret));
+	return SIADFAIL;
+    }
+#endif
+    if(sia_make_entity_pwd(pwd, entity) == SIAFAIL)
+	return SIADFAIL;
+    s->valid = 1;
+    return SIADSUCCESS;
+}
+
+
+static int 
+common_auth(sia_collect_func_t *collect, 
+	    SIAENTITY *entity, 
+	    int siastat,
+	    int pkgind)
+{
+    prompt_t prompts[2], *pr;
+    char *name;
+
+    SIA_DEBUG(("DEBUG", "common_auth"));
+    if((siastat == SIADSUCCESS) && (geteuid() == 0))
+	return SIADSUCCESS;
+    if(entity == NULL) {
+	SIA_DEBUG(("DEBUG", "entity == NULL"));
+	return SIADFAIL | SIADSTOP;
+    }
+    name = entity->name;
+    if(entity->acctname)
+	name = entity->acctname;
+    
+    if((collect != NULL) && entity->colinput) {
+	int num;
+	pr = prompts;
+	if(name == NULL){
+	    if(setup_name(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	if(entity->password == NULL){
+	    if(setup_password(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	num = pr - prompts;
+	if(num == 1){
+	    if((*collect)(240, SIAONELINER, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	} else if(num > 0){
+	    if((*collect)(0, SIAFORM, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	}
+    }
+    if(name == NULL)
+	name = entity->name;
+    if(name == NULL || name[0] == '\0'){
+	SIA_DEBUG(("DEBUG", "name is null"));
+	return SIADFAIL;
+    }
+
+    if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
+	SIA_DEBUG(("DEBUG", "entity->password is null"));
+	return SIADFAIL;
+    }
+    
+    return doauth(entity, pkgind, name);
+}
+
+
+int 
+siad_ses_authent(sia_collect_func_t *collect, 
+		 SIAENTITY *entity, 
+		 int siastat,
+		 int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_authent"));
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int 
+siad_ses_estab(sia_collect_func_t *collect, 
+	       SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_estab"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_launch(sia_collect_func_t *collect,
+		SIAENTITY *entity,
+		int pkgind)
+{
+    static char env[MaxPathLen];
+    struct state *s = (struct state*)entity->mech[pkgind];
+    SIA_DEBUG(("DEBUG", "siad_ses_launch"));
+    if(s->valid){
+#ifdef SIA_KRB5
+	chown(s->ticket + sizeof("FILE:") - 1, 
+	      entity->pwd->pw_uid, 
+	      entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket);
+#endif
+#ifdef SIA_KRB4
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
+#endif
+	putenv(env);
+    }
+#ifdef KRB4
+    if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
+	    krb_afslog(cell, 0);
+	krb_afslog_home(0, 0, entity->pwd->pw_dir);
+    }
+#endif
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_release(SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_release"));
+    if(entity->mech[pkgind]){
+#ifdef SIA_KRB5
+	struct state *s = (struct state*)entity->mech[pkgind];
+	krb5_free_context(s->context);
+#endif
+	free(entity->mech[pkgind]);
+    }
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_suauthent(sia_collect_func_t *collect,
+		   SIAENTITY *entity,
+		   int siastat,
+		   int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_suauth"));
+    if(geteuid() != 0)
+	return SIADFAIL;
+    if(entity->name == NULL)
+	return SIADFAIL;
+    if(entity->name[0] == '\0') {
+	free(entity->name);
+	entity->name = strdup("root");
+	if (entity->name == NULL)
+	    return SIADFAIL;
+    }
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int
+siad_ses_reauthent (sia_collect_func_t *collect,
+		    SIAENTITY *entity,
+		    int siastat,
+		    int pkgind)
+{
+    int ret;
+    SIA_DEBUG(("DEBUG", "siad_ses_reauthent"));
+    if(entity == NULL || entity->name == NULL)
+	return SIADFAIL;
+    ret = common_auth(collect, entity, siastat, pkgind);
+    if((ret & SIADSUCCESS)){
+	/* launch isn't (always?) called when doing reauth, so we must
+           duplicate some code here... */
+	struct state *s = (struct state*)entity->mech[pkgind];
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+#ifdef KRB4
+	if(k_hasafs()) {
+	    char cell[64];
+	    if(k_afs_cell_of_file(entity->pwd->pw_dir, 
+				  cell, sizeof(cell)) == 0)
+		krb_afslog(cell, 0);
+	    krb_afslog_home(0, 0, entity->pwd->pw_dir);
+	}
+#endif
+    }
+    return ret;
+}
+
+int
+siad_chg_finger (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    SIA_DEBUG(("DEBUG", "siad_chg_finger"));
+    return SIADFAIL;
+}
+
+#ifdef SIA_KRB5
+int
+siad_chg_password (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+#endif
+
+#ifdef SIA_KRB4
+static void
+sia_message(sia_collect_func_t *collect, int rendition, 
+	    const char *title, const char *message)
+{
+    prompt_t prompt;
+    prompt.prompt = (unsigned char*)message;
+    (*collect)(0, rendition, (unsigned char*)title, 1, &prompt);
+}
+
+static int
+init_change(sia_collect_func_t *collect, krb_principal *princ)
+{
+    prompt_t prompt;
+    char old_pw[MAX_KPW_LEN+1];
+    char *msg;
+    char tktstring[128];
+    int ret;
+    
+    SIA_DEBUG(("DEBUG", "init_change"));
+    prompt.prompt = (unsigned char*)"Old password: ";
+    prompt.result = (unsigned char*)old_pw;
+    prompt.min_result_length = 0;
+    prompt.max_result_length = sizeof(old_pw) - 1;
+    prompt.control_flags = SIARESINVIS;
+    asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
+    if(msg == NULL){
+	SIA_DEBUG(("DEBUG", "out of memory"));
+	return SIADFAIL;
+    }
+    ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
+    free(msg);
+    SIA_DEBUG(("DEBUG", "ret = %d", ret));
+    if(ret != SIACOLSUCCESS)
+	return SIADFAIL;
+    snprintf(tktstring, sizeof(tktstring), 
+	     "%s_cpw_%u", TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string(tktstring);
+    
+    ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, 
+			    PWSERV_NAME, KADM_SINST, 1, old_pw);
+    if (ret != KSUCCESS) {
+	SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
+	if (ret == INTK_BADPW)
+	    sia_message(collect, SIAWARNING, "", "Incorrect old password.");
+	else
+	    sia_message(collect, SIAWARNING, "", "Kerberos error.");
+	memset(old_pw, 0, sizeof(old_pw));
+	return SIADFAIL;
+    }
+    if(chown(tktstring, getuid(), -1) < 0){
+	dest_tkt();
+	return SIADFAIL;
+    }
+    memset(old_pw, 0, sizeof(old_pw));
+    return SIADSUCCESS;
+}
+
+int
+siad_chg_password (sia_collect_func_t *collect,
+		   const char *username, 
+		   int argc, 
+		   char *argv[])
+{
+    prompt_t prompts[2];
+    krb_principal princ;
+    int ret;
+    char new_pw1[MAX_KPW_LEN+1];
+    char new_pw2[MAX_KPW_LEN+1];
+    static struct et_list *et_list;
+
+    set_progname(argv[0]);
+
+    SIA_DEBUG(("DEBUG", "siad_chg_password"));
+    if(collect == NULL)
+	return SIADFAIL;
+
+    if(username == NULL)
+	username = getlogin();
+
+    ret = krb_parse_name(username, &princ);
+    if(ret)
+	return SIADFAIL;
+    if(princ.realm[0] == '\0')
+	krb_get_lrealm(princ.realm, 1);
+
+    if(et_list == NULL) {
+	initialize_kadm_error_table_r(&et_list);
+	initialize_krb_error_table_r(&et_list);
+    }
+
+    ret = init_change(collect, &princ);
+    if(ret != SIADSUCCESS)
+	return ret;
+
+again:
+    prompts[0].prompt = (unsigned char*)"New password: ";
+    prompts[0].result = (unsigned char*)new_pw1;
+    prompts[0].min_result_length = MIN_KPW_LEN;
+    prompts[0].max_result_length = sizeof(new_pw1) - 1;
+    prompts[0].control_flags = SIARESINVIS;
+    prompts[1].prompt = (unsigned char*)"Verify new password: ";
+    prompts[1].result = (unsigned char*)new_pw2;
+    prompts[1].min_result_length = MIN_KPW_LEN;
+    prompts[1].max_result_length = sizeof(new_pw2) - 1;
+    prompts[1].control_flags = SIARESINVIS;
+    if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != 
+       SIACOLSUCCESS) {
+	dest_tkt();
+	return SIADFAIL;
+    }
+    if(strcmp(new_pw1, new_pw2) != 0){
+	sia_message(collect, SIAWARNING, "", "Password mismatch.");
+	goto again;
+    }
+    ret = kadm_check_pw(new_pw1);
+    if(ret) {
+	sia_message(collect, SIAWARNING, "", com_right(et_list, ret));
+	goto again;
+    }
+    
+    memset(new_pw2, 0, sizeof(new_pw2));
+    ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm);
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "Error initing kadmin connection", 
+		    com_right(et_list, ret));
+    else {
+	des_cblock newkey;
+	char *pw_msg; /* message from server */
+
+	des_string_to_key(new_pw1, &newkey);
+	ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg);
+	memset(newkey, 0, sizeof(newkey));
+      
+	if (ret == KADM_INSECURE_PW)
+	    sia_message(collect, SIAWARNING, "Insecure password", pw_msg);
+	else if (ret != KADM_SUCCESS)
+	    sia_message(collect, SIAWARNING, "Error changing password", 
+			com_right(et_list, ret));
+    }
+    memset(new_pw1, 0, sizeof(new_pw1));
+
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "", "Password NOT changed.");
+    else
+	sia_message(collect, SIAINFO, "", "Password changed.");
+    
+    dest_tkt();
+    if(ret)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
+#endif
+
+int
+siad_chg_shell (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwent(struct passwd *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwuid (uid_t uid, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwnam (const char *name, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrent(struct group *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrgid (gid_t gid, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrnam (const char *name, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_chk_user (const char *logname, int checkflag)
+{
+    if(checkflag != CHGPASSWD)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
diff --git a/crypto/heimdal/lib/auth/sia/sia_locl.h b/crypto/heimdal/lib/auth/sia/sia_locl.h
new file mode 100644
index 0000000..0f3f74d
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/sia_locl.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* $Id: sia_locl.h,v 1.2 1999/04/01 16:09:22 joda Exp $ */
+
+#ifndef __sia_locl_h__
+#define __sia_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <siad.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#ifdef KRB5
+#define SIA_KRB5
+#elif defined(KRB4)
+#define SIA_KRB4
+#endif
+
+#ifdef SIA_KRB5
+#include <krb5.h>
+#include <com_err.h>
+#endif
+#ifdef SIA_KRB4
+#include <krb.h>
+#include <krb_err.h>
+#include <kadm.h>
+#include <kadm_err.h>
+#endif
+#ifdef KRB4
+#include <kafs.h>
+#endif
+
+#include <roken.h>
+
+#ifndef POSIX_GETPWNAM_R
+
+#define getpwnam_r posix_getpwnam_r
+#define getpwuid_r posix_getpwuid_r
+
+#endif /* POSIX_GETPWNAM_R */
+
+#ifndef DEBUG
+#define SIA_DEBUG(X)
+#else
+#define SIA_DEBUG(X) SIALOG X
+#endif
+
+struct state{
+#ifdef SIA_KRB5
+    krb5_context context;
+    krb5_auth_context auth_context;
+#endif
+    char ticket[MaxPathLen];
+    int valid;
+};
+
+#endif /* __sia_locl_h__ */
diff --git a/crypto/heimdal/lib/des/rc4.h b/crypto/heimdal/lib/des/rc4.h
new file mode 100644
index 0000000..15441f6
--- /dev/null
+++ b/crypto/heimdal/lib/des/rc4.h
@@ -0,0 +1,76 @@
+/* crypto/rc4/rc4.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* $Id: rc4.h,v 1.2 1999/10/21 12:58:31 joda Exp $ */
+
+#ifndef HEADER_RC4_H
+#define HEADER_RC4_H
+
+typedef unsigned int RC4_INT;
+
+typedef struct rc4_key_st {
+    RC4_INT x,y;
+    RC4_INT data[256];
+} RC4_KEY;
+
+ 
+void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
+void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+	 unsigned char *outdata);
+
+#endif
diff --git a/crypto/heimdal/lib/des/rc4_enc.c b/crypto/heimdal/lib/des/rc4_enc.c
new file mode 100644
index 0000000..7e02f85
--- /dev/null
+++ b/crypto/heimdal/lib/des/rc4_enc.c
@@ -0,0 +1,134 @@
+/* crypto/rc4/rc4_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* #include "des_locl.h" */
+#include "rc4.h"
+
+/* RCSID("$Id: rc4_enc.c,v 1.2 1999/10/21 12:58:43 joda Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+/* RC4 as implemented from a posting from
+ * Newsgroups: sci.crypt
+ * From: sterndark@netcom.com (David Sterndark)
+ * Subject: RC4 Algorithm revealed.
+ * Message-ID: <sternCvKL4B.Hyy@netcom.com>
+ * Date: Wed, 14 Sep 1994 06:35:31 GMT
+ */
+
+void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+	     unsigned char *outdata)
+	{
+        register RC4_INT *d;
+        register RC4_INT x,y,tx,ty;
+	int i;
+        
+        x=key->x;     
+        y=key->y;     
+        d=key->data; 
+
+#define LOOP(in,out) \
+		x=((x+1)&0xff); \
+		tx=d[x]; \
+		y=(tx+y)&0xff; \
+		d[x]=ty=d[y]; \
+		d[y]=tx; \
+		(out) = d[(tx+ty)&0xff]^ (in);
+
+#ifndef RC4_INDEX
+#define RC4_LOOP(a,b,i)	LOOP(*((a)++),*((b)++))
+#else
+#define RC4_LOOP(a,b,i)	LOOP(a[i],b[i])
+#endif
+
+	i=(int)(len>>3L);
+	if (i)
+		{
+		for (;;)
+			{
+			RC4_LOOP(indata,outdata,0);
+			RC4_LOOP(indata,outdata,1);
+			RC4_LOOP(indata,outdata,2);
+			RC4_LOOP(indata,outdata,3);
+			RC4_LOOP(indata,outdata,4);
+			RC4_LOOP(indata,outdata,5);
+			RC4_LOOP(indata,outdata,6);
+			RC4_LOOP(indata,outdata,7);
+#ifdef RC4_INDEX
+			indata+=8;
+			outdata+=8;
+#endif
+			if (--i == 0) break;
+			}
+		}
+	i=(int)len&0x07;
+	if (i)
+		{
+		for (;;)
+			{
+			RC4_LOOP(indata,outdata,0); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,1); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,2); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,3); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,4); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,5); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,6); if (--i == 0) break;
+			}
+		}               
+	key->x=x;     
+	key->y=y;
+	}
diff --git a/crypto/heimdal/lib/des/rc4_skey.c b/crypto/heimdal/lib/des/rc4_skey.c
new file mode 100644
index 0000000..ec9e9da
--- /dev/null
+++ b/crypto/heimdal/lib/des/rc4_skey.c
@@ -0,0 +1,102 @@
+/* crypto/rc4/rc4_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* #include "des_locl.h" */
+#include "rc4.h"
+
+/* RCSID("$Id: rc4_skey.c,v 1.2 1999/10/21 12:58:52 joda Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+/* RC4 as implemented from a posting from
+ * Newsgroups: sci.crypt
+ * From: sterndark@netcom.com (David Sterndark)
+ * Subject: RC4 Algorithm revealed.
+ * Message-ID: <sternCvKL4B.Hyy@netcom.com>
+ * Date: Wed, 14 Sep 1994 06:35:31 GMT
+ */
+
+void RC4_set_key(RC4_KEY *key, int len, register unsigned char *data)
+	{
+        register RC4_INT tmp;
+        register int id1,id2;
+        register RC4_INT *d;
+        unsigned int i;
+        
+        d= &(key->data[0]);
+	for (i=0; i<256; i++)
+		d[i]=i;
+        key->x = 0;     
+        key->y = 0;     
+        id1=id2=0;     
+
+#define SK_LOOP(n) { \
+		tmp=d[(n)]; \
+		id2 = (data[id1] + tmp + id2) & 0xff; \
+		if (++id1 == len) id1=0; \
+		d[(n)]=d[id2]; \
+		d[id2]=tmp; }
+
+	for (i=0; i < 256; i+=4)
+		{
+		SK_LOOP(i+0);
+		SK_LOOP(i+1);
+		SK_LOOP(i+2);
+		SK_LOOP(i+3);
+		}
+	}
+    
diff --git a/crypto/heimdal/lib/des/rc4test.c b/crypto/heimdal/lib/des/rc4test.c
new file mode 100644
index 0000000..5abf8cf
--- /dev/null
+++ b/crypto/heimdal/lib/des/rc4test.c
@@ -0,0 +1,201 @@
+/* crypto/rc4/rc4test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef NO_RC4
+int main(int argc, char *argv[])
+{
+    printf("No RC4 support\n");
+    return(0);
+}
+#else
+#include <openssl/rc4.h>
+
+unsigned char keys[7][30]={
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{4,0xef,0x01,0x23,0x45},
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{4,0xef,0x01,0x23,0x45},
+	};
+
+unsigned char data_len[7]={8,8,8,20,28,10};
+unsigned char data[7][30]={
+	{0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	   0x00,0x00,0x00,0x00,0xff},
+	{0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0},
+	};
+
+unsigned char output[7][30]={
+	{0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00},
+	{0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00},
+	{0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00},
+	{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,
+	 0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba,
+	 0x36,0xb6,0x78,0x58,0x00},
+	{0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89,
+	 0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c,
+	 0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87,
+	 0x40,0x01,0x1e,0xcf,0x00},
+	{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00},
+	{0},
+	};
+
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	int j;
+	unsigned char *p;
+	RC4_KEY key;
+	unsigned char buf[512],obuf[512];
+
+	for (i=0; i<512; i++) buf[i]=0x01;
+
+	for (i=0; i<6; i++)
+		{
+		RC4_set_key(&key,keys[i][0],&(keys[i][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,data_len[i],&(data[i][0]),obuf);
+		if (memcmp(obuf,output[i],data_len[i]+1) != 0)
+			{
+			printf("error calculating RC4\n");
+			printf("output:");
+			for (j=0; j<data_len[i]+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[i][0]);
+			for (j=0; j<data_len[i]+1; j++)
+				printf(" %02x",*(p++));
+			printf("\n");
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		}
+	printf("test end processing ");
+	for (i=0; i<data_len[3]; i++)
+		{
+		RC4_set_key(&key,keys[3][0],&(keys[3][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,i,&(data[3][0]),obuf);
+		if ((memcmp(obuf,output[3],i) != 0) || (obuf[i] != 0))
+			{
+			printf("error in RC4 length processing\n");
+			printf("output:");
+			for (j=0; j<i+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[3][0]);
+			for (j=0; j<i; j++)
+				printf(" %02x",*(p++));
+			printf(" 00\n");
+			err++;
+			}
+		else
+			{
+			printf(".");
+			fflush(stdout);
+			}
+		}
+	printf("done\n");
+	printf("test multi-call ");
+	for (i=0; i<data_len[3]; i++)
+		{
+		RC4_set_key(&key,keys[3][0],&(keys[3][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,i,&(data[3][0]),obuf);
+		RC4(&key,data_len[3]-i,&(data[3][i]),&(obuf[i]));
+		if (memcmp(obuf,output[3],data_len[3]+1) != 0)
+			{
+			printf("error in RC4 multi-call processing\n");
+			printf("output:");
+			for (j=0; j<data_len[3]+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[3][0]);
+			for (j=0; j<data_len[3]+1; j++)
+				printf(" %02x",*(p++));
+			err++;
+			}
+		else
+			{
+			printf(".");
+			fflush(stdout);
+			}
+		}
+	printf("done\n");
+	exit(err);
+	return(0);
+	}
+#endif
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
new file mode 100644
index 0000000..f37fe04
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/8003.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: 8003.c,v 1.6 2000/01/25 23:10:13 assar Exp $");
+
+static krb5_error_code
+encode_om_uint32(OM_uint32 n, u_char *p)
+{
+  p[0] = (n >> 0)  & 0xFF;
+  p[1] = (n >> 8)  & 0xFF;
+  p[2] = (n >> 16) & 0xFF;
+  p[3] = (n >> 24) & 0xFF;
+  return 0;
+}
+
+static krb5_error_code
+decode_om_uint32(u_char *p, OM_uint32 *n)
+{
+    *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+    return 0;
+}
+
+static krb5_error_code
+hash_input_chan_bindings (const gss_channel_bindings_t b,
+			  u_char *p)
+{
+  u_char num[4];
+  MD5_CTX md5;
+
+  MD5Init(&md5);
+  encode_om_uint32 (b->initiator_addrtype, num);
+  MD5Update (&md5, num, sizeof(num));
+  encode_om_uint32 (b->initiator_address.length, num);
+  MD5Update (&md5, num, sizeof(num));
+  if (b->initiator_address.length)
+    MD5Update (&md5,
+		b->initiator_address.value,
+		b->initiator_address.length);
+  encode_om_uint32 (b->acceptor_addrtype, num);
+  MD5Update (&md5, num, sizeof(num));
+  encode_om_uint32 (b->acceptor_address.length, num);
+  MD5Update (&md5, num, sizeof(num));
+  if (b->acceptor_address.length)
+    MD5Update (&md5,
+		b->acceptor_address.value,
+		b->acceptor_address.length);
+  encode_om_uint32 (b->application_data.length, num);
+  MD5Update (&md5, num, sizeof(num));
+  if (b->application_data.length)
+    MD5Update (&md5,
+		b->application_data.value,
+		b->application_data.length);
+  MD5Final (p, &md5);
+  return 0;
+}
+
+krb5_error_code
+gssapi_krb5_create_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      OM_uint32 flags,
+		      Checksum *result)
+{
+  u_char *p;
+
+  result->cksumtype = 0x8003;
+  result->checksum.length = 24;
+  result->checksum.data   = malloc (result->checksum.length);
+  if (result->checksum.data == NULL)
+    return ENOMEM;
+  
+  p = result->checksum.data;
+  encode_om_uint32 (16, p);
+  p += 4;
+  if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
+    memset (p, 0, 16);
+  } else {
+    hash_input_chan_bindings (input_chan_bindings, p);
+  }
+  p += 16;
+  encode_om_uint32 (flags, p);
+  p += 4;
+  if (p - (u_char *)result->checksum.data != result->checksum.length)
+    abort ();
+  return 0;
+}
+
+krb5_error_code
+gssapi_krb5_verify_8003_checksum(
+		      const gss_channel_bindings_t input_chan_bindings,
+		      Checksum *cksum,
+		      OM_uint32 *flags)
+{
+    unsigned char hash[16];
+    unsigned char *p;
+    OM_uint32 length;
+
+    /* XXX should handle checksums > 24 bytes */
+    if(cksum->cksumtype != 0x8003 || cksum->checksum.length != 24)
+	return GSS_S_BAD_BINDINGS;
+    
+    p = cksum->checksum.data;
+    decode_om_uint32(p, &length);
+    if(length != sizeof(hash))
+	return GSS_S_FAILURE;
+    
+    p += 4;
+    
+    if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
+	if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
+	    return GSS_S_FAILURE;
+	if(memcmp(hash, p, sizeof(hash)) != 0)
+	    return GSS_S_FAILURE;
+    }
+    
+    p += sizeof(hash);
+    
+    decode_om_uint32(p, flags);
+    
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog
new file mode 100644
index 0000000..ba765ba
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ChangeLog
@@ -0,0 +1,103 @@
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* gssapi_locl.h: add flags for import/export
+	* import_sec_context.c (import_sec_context: add flags for what
+	fields are included.  do not include the authenticator for now.
+	* export_sec_context.c (export_sec_context: add flags for what
+	fields are included.  do not include the authenticator for now.
+	* accept_sec_context.c (gss_accept_sec_context): set target in
+	context_handle
+
+2000-02-11  Assar Westerlund  <assar@sics.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): set context to
+	GSS_C_NO_CONTEXT
+
+	* Makefile.am: add {export,import}_sec_context.c
+	* export_sec_context.c: new file
+	* import_sec_context.c: new file
+	* accept_sec_context.c (gss_accept_sec_context): set trans flag
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:5:0
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
+	output_token
+
+	* wrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
+	some changes to libdes calls to make them more portable.
+	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:4:0
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): always set
+ 	`output_token'
+	* init_sec_context.c (init_auth): always initialize `output_token'
+	* delete_sec_context.c (gss_delete_sec_context): always set
+ 	`output_token'
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 0:3:0
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:2:0
+
+1999-09-21  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c (gss_init_sec_context): initialize `ticket'
+
+	* gssapi.h (gss_ctx_id_t_desc): add ticket in here.  ick.
+
+	* delete_sec_context.c (gss_delete_sec_context): free ticket
+
+	* accept_sec_context.c (gss_accept_sec_context): stove away
+ 	`krb5_ticket' in context so that ugly programs such as
+ 	gss_nt_server can get at it.  uck.
+
+1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* accept_sec_context.c: set minor_status
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* display_status.c (calling_error, routine_error): right shift the
+ 	code to make it possible to index into the arrays
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* gssapi.h (GSS_C_AF_INET6): add
+
+	* import_name.c (import_hostbased_name): set minor_status
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:1:0
+
+Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* display_status.c: set minor_status
+
+	* init_sec_context.c: set minor_status
+
+	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
+ 	directly)
+
diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am
new file mode 100644
index 0000000..07d4e65
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/Makefile.am
@@ -0,0 +1,48 @@
+# $Id: Makefile.am,v 1.21 2000/02/13 20:34:49 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../krb5
+
+lib_LTLIBRARIES = libgssapi.la
+libgssapi_la_LDFLAGS = -version-info 1:0:1
+
+include_HEADERS = gssapi.h
+
+libgssapi_la_SOURCES =		\
+	8003.c			\
+	accept_sec_context.c	\
+	acquire_cred.c		\
+	add_oid_set_member.c	\
+	canonicalize_name.c	\
+	compare_name.c		\
+	context_time.c		\
+	create_emtpy_oid_set.c	\
+	decapsulate.c		\
+	delete_sec_context.c	\
+	display_name.c		\
+	display_status.c	\
+	duplicate_name.c	\
+	encapsulate.c		\
+	export_sec_context.c	\
+	export_name.c		\
+	external.c		\
+	get_mic.c		\
+	gssapi.h		\
+	gssapi_locl.h		\
+	import_name.c		\
+	import_sec_context.c	\
+	indicate_mechs.c	\
+	init.c			\
+	init_sec_context.c	\
+	inquire_context.c	\
+	inquire_cred.c		\
+	release_buffer.c	\
+	release_cred.c		\
+	release_name.c		\
+	release_oid_set.c	\
+	test_oid_set_member.c	\
+	unwrap.c		\
+	v1.c			\
+	verify_mic.c		\
+	wrap.c
diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in
new file mode 100644
index 0000000..31ea813
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/Makefile.in
@@ -0,0 +1,655 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.21 2000/02/13 20:34:49 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I$(srcdir)/../krb5
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LTLIBRARIES = libgssapi.la
+libgssapi_la_LDFLAGS = -version-info 1:0:1
+
+include_HEADERS = gssapi.h
+
+libgssapi_la_SOURCES =  	8003.c				accept_sec_context.c		acquire_cred.c			add_oid_set_member.c		canonicalize_name.c		compare_name.c			context_time.c			create_emtpy_oid_set.c		decapsulate.c			delete_sec_context.c		display_name.c			display_status.c		duplicate_name.c		encapsulate.c			export_sec_context.c		export_name.c			external.c			get_mic.c			gssapi.h			gssapi_locl.h			import_name.c			import_sec_context.c		indicate_mechs.c		init.c				init_sec_context.c		inquire_context.c		inquire_cred.c			release_buffer.c		release_cred.c			release_name.c			release_oid_set.c		test_oid_set_member.c		unwrap.c			v1.c				verify_mic.c			wrap.c
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libgssapi_la_LIBADD = 
+libgssapi_la_OBJECTS =  8003.lo accept_sec_context.lo acquire_cred.lo \
+add_oid_set_member.lo canonicalize_name.lo compare_name.lo \
+context_time.lo create_emtpy_oid_set.lo decapsulate.lo \
+delete_sec_context.lo display_name.lo display_status.lo \
+duplicate_name.lo encapsulate.lo export_sec_context.lo export_name.lo \
+external.lo get_mic.lo import_name.lo import_sec_context.lo \
+indicate_mechs.lo init.lo init_sec_context.lo inquire_context.lo \
+inquire_cred.lo release_buffer.lo release_cred.lo release_name.lo \
+release_oid_set.lo test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo \
+wrap.lo
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libgssapi_la_SOURCES)
+OBJECTS = $(libgssapi_la_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/gssapi/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/gssapi
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c
new file mode 100644
index 0000000..3f61ae1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/accept_sec_context.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: accept_sec_context.c,v 1.17 2000/02/12 21:24:08 assar Exp $");
+
+static krb5_keytab gss_keytab;
+
+OM_uint32
+gsskrb5_register_acceptor_identity (char *identity)
+{
+    char *p;
+    if(gss_keytab != NULL) {
+	krb5_kt_close(gssapi_krb5_context, gss_keytab);
+	gss_keytab = NULL;
+    }
+    asprintf(&p, "FILE:%s", identity);
+    if(p == NULL)
+	return GSS_S_FAILURE;
+    krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
+    free(p);
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_accept_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            const gss_cred_id_t acceptor_cred_handle,
+            const gss_buffer_t input_token_buffer,
+            const gss_channel_bindings_t input_chan_bindings,
+            gss_name_t * src_name,
+            gss_OID * mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec,
+            gss_cred_id_t * delegated_cred_handle
+           )
+{
+  krb5_error_code kret;
+  OM_uint32 ret;
+  krb5_data indata;
+  krb5_flags ap_options;
+  OM_uint32 flags;
+  krb5_ticket *ticket = NULL;
+  krb5_keytab keytab = NULL;
+
+  gssapi_krb5_init ();
+
+  output_token->length = 0;
+  output_token->value   = NULL;
+
+  if (*context_handle == GSS_C_NO_CONTEXT) {
+      *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+  }
+
+  (*context_handle)->auth_context =  NULL;
+  (*context_handle)->source = NULL;
+  (*context_handle)->target = NULL;
+  (*context_handle)->flags = 0;
+  (*context_handle)->more_flags = 0;
+  (*context_handle)->ticket = NULL;
+
+  kret = krb5_auth_con_init (gssapi_krb5_context,
+			     &(*context_handle)->auth_context);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    goto failure;
+  }
+
+  {
+    int32_t tmp;
+
+    krb5_auth_con_getflags(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   &tmp);
+    tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
+    krb5_auth_con_setflags(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   tmp);
+  }
+
+  ret = gssapi_krb5_decapsulate (input_token_buffer,
+				 &indata,
+				 "\x01\x00");
+  if (ret) {
+      kret = 0;
+      goto failure;
+  }
+
+  if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
+      if (gss_keytab != NULL) {
+	  keytab = gss_keytab;
+     }
+  } else if (acceptor_cred_handle->keytab != NULL) {
+     keytab = acceptor_cred_handle->keytab;
+  }
+
+  kret = krb5_rd_req (gssapi_krb5_context,
+		      &(*context_handle)->auth_context,
+		      &indata,
+		      (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL 
+			: acceptor_cred_handle->principal,
+		      keytab,
+		      &ap_options,
+		      &ticket);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    goto failure;
+  }
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      ticket->client,
+			      &(*context_handle)->source);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    goto failure;
+  }
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      ticket->server,
+			      &(*context_handle)->target);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    goto failure;
+  }
+
+  if (src_name) {
+    kret = krb5_copy_principal (gssapi_krb5_context,
+				ticket->client,
+				src_name);
+    if (kret) {
+      ret = GSS_S_FAILURE;
+      goto failure;
+    }
+  }
+
+  {
+      krb5_authenticator authenticator;
+      
+      kret = krb5_auth_getauthenticator(gssapi_krb5_context,
+					(*context_handle)->auth_context,
+					&authenticator);
+      if(kret) {
+	  ret = GSS_S_FAILURE;
+	  goto failure;
+      }
+
+      kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
+					      authenticator->cksum,
+					      &flags);
+      krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+      if (kret) {
+	  ret = GSS_S_FAILURE;
+	  goto failure;
+      }
+  }
+
+  flags |= GSS_C_TRANS_FLAG;
+
+  if (ret_flags)
+    *ret_flags = flags;
+  (*context_handle)->flags = flags;
+  (*context_handle)->more_flags |= OPEN;
+
+  if (mech_type)
+    *mech_type = GSS_KRB5_MECHANISM;
+
+  if (time_rec)
+    *time_rec = GSS_C_INDEFINITE;
+
+  if(flags & GSS_C_MUTUAL_FLAG) {
+    krb5_data outbuf;
+
+    kret = krb5_mk_rep (gssapi_krb5_context,
+			&(*context_handle)->auth_context,
+			&outbuf);
+    if (kret) {
+      krb5_data_free (&outbuf);
+      ret = GSS_S_FAILURE;
+      goto failure;
+    }
+    ret = gssapi_krb5_encapsulate (&outbuf,
+				   output_token,
+				   "\x02\x00");
+    if (ret) {
+	kret = 0;
+      goto failure;
+    }
+  } else {
+    output_token->length = 0;
+  }
+
+  (*context_handle)->ticket = ticket;
+  ticket = NULL;
+
+#if 0
+  krb5_free_ticket (context, ticket);
+#endif
+
+  return GSS_S_COMPLETE;
+
+failure:
+  if (ticket != NULL)
+    krb5_free_ticket (gssapi_krb5_context, ticket);
+  krb5_auth_con_free (gssapi_krb5_context,
+		      (*context_handle)->auth_context);
+  if((*context_handle)->source)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->source);
+  if((*context_handle)->target)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->target);
+  free (*context_handle);
+  *context_handle = GSS_C_NO_CONTEXT;
+  *minor_status = kret;
+  return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c
new file mode 100644
index 0000000..821bbc3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/acquire_cred.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: acquire_cred.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_acquire_cred
+           (OM_uint32 * minor_status,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * time_rec
+           )
+{
+    gss_cred_id_t handle;
+    OM_uint32 ret;
+
+    handle = (gss_cred_id_t)malloc(sizeof(*handle));
+    if (handle == GSS_C_NO_CREDENTIAL) {
+        return GSS_S_FAILURE;
+    }
+
+    ret = gss_duplicate_name(minor_status, desired_name, &handle->principal);
+    if (ret) {
+        return ret;
+    }
+
+    /* XXX */
+    handle->lifetime = time_req;
+
+    handle->keytab = NULL;
+    handle->usage = cred_usage;
+
+    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+    if (ret) {
+        return ret;
+    }
+    ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+				 &handle->mechanisms);
+    if (ret) {
+        return ret;
+    }
+
+    ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
+			   actual_mechs);
+    if (ret) {
+        return ret;
+    }
+
+    *output_cred_handle = handle;
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/add_oid_set_member.c b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
new file mode 100644
index 0000000..996c5cf
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: add_oid_set_member.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_add_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member_oid,
+            gss_OID_set * oid_set
+           )
+{
+  size_t n = (*oid_set)->count;
+
+  (*oid_set)->elements = realloc ((*oid_set)->elements,
+				  n * sizeof(gss_OID_desc));
+  if ((*oid_set)->elements == NULL) {
+    return GSS_S_FAILURE;
+  }
+  (*oid_set)->count = n;
+  (*oid_set)->elements[n-1] = *member_oid;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/canonicalize_name.c b/crypto/heimdal/lib/gssapi/canonicalize_name.c
new file mode 100644
index 0000000..afa39f3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/canonicalize_name.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: canonicalize_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           )
+{
+    return gss_duplicate_name (minor_status, input_name, output_name);
+}
diff --git a/crypto/heimdal/lib/gssapi/compare_name.c b/crypto/heimdal/lib/gssapi/compare_name.c
new file mode 100644
index 0000000..5926b15
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/compare_name.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: compare_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           )
+{
+    gssapi_krb5_init ();
+    *name_equal = krb5_principal_compare (gssapi_krb5_context,
+					  name1, name2);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/context_time.c b/crypto/heimdal/lib/gssapi/context_time.c
new file mode 100644
index 0000000..1882eb3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/context_time.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: context_time.c,v 1.3 2000/02/06 08:14:16 assar Exp $");
+
+OM_uint32 gss_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           )
+{
+    OM_uint32 lifetime;
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_timestamp timeret;
+
+    gssapi_krb5_init();
+
+    ret = gss_inquire_context(minor_status, context_handle,
+			      NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
+    if (ret) {
+        return ret;
+    }
+
+    kret = krb5_timeofday(gssapi_krb5_context, &timeret);
+    if (kret) {
+        return GSS_S_FAILURE;
+    }
+
+    *time_rec = lifetime - timeret;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
new file mode 100644
index 0000000..acec30e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: create_emtpy_oid_set.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_create_empty_oid_set (
+            OM_uint32 * minor_status,
+            gss_OID_set * oid_set
+           )
+{
+  *oid_set = malloc(sizeof(**oid_set));
+  if (*oid_set == NULL) {
+    return GSS_S_FAILURE;
+  }
+  (*oid_set)->count = 0;
+  (*oid_set)->elements = NULL;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/decapsulate.c b/crypto/heimdal/lib/gssapi/decapsulate.c
new file mode 100644
index 0000000..e3603c7
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/decapsulate.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: decapsulate.c,v 1.5 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32
+gssapi_krb5_verify_header(u_char **str,
+			  size_t total_len,
+			  char *type)
+{
+    size_t len, len_len, mech_len, foo;
+    int e;
+    u_char *p = *str;
+
+    if (*p++ != 0x60)
+	return GSS_S_DEFECTIVE_TOKEN;
+    e = der_get_length (p, total_len - 1, &len, &len_len);
+    if (e || 1 + len_len + len != total_len)
+	abort ();
+    p += len_len;
+    if (*p++ != 0x06)
+	return GSS_S_DEFECTIVE_TOKEN;
+    e = der_get_length (p, total_len - 1 - len_len - 1,
+			&mech_len, &foo);
+    if (e)
+	abort ();
+    p += foo;
+    if (mech_len != GSS_KRB5_MECHANISM->length)
+	return GSS_S_BAD_MECH;
+    if (memcmp(p,
+	       GSS_KRB5_MECHANISM->elements,
+	       GSS_KRB5_MECHANISM->length) != 0)
+	return GSS_S_BAD_MECH;
+    p += mech_len;
+    if (memcmp (p, type, 2) != 0)
+	return GSS_S_DEFECTIVE_TOKEN;
+    p += 2;
+    *str = p;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `out_data.
+ * Does not copy data, so just free `in_token'.
+ */
+
+OM_uint32
+gssapi_krb5_decapsulate(
+			gss_buffer_t input_token_buffer,
+			krb5_data *out_data,
+			char *type
+)
+{
+    u_char *p;
+    OM_uint32 ret;
+
+    p = input_token_buffer->value;
+    ret = gssapi_krb5_verify_header(&p,
+				    input_token_buffer->length,
+				    type);
+    if (ret)
+	return ret;
+
+    out_data->length = input_token_buffer->length -
+	(p - (u_char *)input_token_buffer->value);
+    out_data->data   = p;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/delete_sec_context.c b/crypto/heimdal/lib/gssapi/delete_sec_context.c
new file mode 100644
index 0000000..15e3cfa
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/delete_sec_context.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: delete_sec_context.c,v 1.7 2000/02/11 23:00:48 assar Exp $");
+
+OM_uint32 gss_delete_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t output_token
+           )
+{
+  gssapi_krb5_init ();
+
+  if (output_token) {
+      output_token->length = 0;
+      output_token->value  = NULL;
+  }
+
+  krb5_auth_con_free (gssapi_krb5_context,
+		      (*context_handle)->auth_context);
+  if((*context_handle)->source)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->source);
+  if((*context_handle)->target)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->target);
+  if ((*context_handle)->ticket)
+    krb5_free_ticket (gssapi_krb5_context,
+		      (*context_handle)->ticket);
+  free (*context_handle);
+  *context_handle = GSS_C_NO_CONTEXT;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/display_name.c b/crypto/heimdal/lib/gssapi/display_name.c
new file mode 100644
index 0000000..4efed14
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/display_name.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: display_name.c,v 1.5 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           )
+{
+  krb5_error_code kret;
+  char *buf;
+  size_t len;
+
+  gssapi_krb5_init ();
+  kret = krb5_unparse_name (gssapi_krb5_context,
+			    input_name,
+			    &buf);
+  if (kret)
+    return GSS_S_FAILURE;
+  len = strlen (buf);
+  output_name_buffer->length = len;
+  output_name_buffer->value  = malloc(len + 1);
+  if (output_name_buffer->value == NULL) {
+    free (buf);
+    return GSS_S_FAILURE;
+  }
+  memcpy (output_name_buffer->value, buf, len);
+  ((char *)output_name_buffer->value)[len] = '\0';
+  free (buf);
+  if (output_name_type)
+      *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/display_status.c b/crypto/heimdal/lib/gssapi/display_status.c
new file mode 100644
index 0000000..f08c47e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/display_status.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: display_status.c,v 1.5 1999/12/02 17:05:03 joda Exp $");
+
+static char *
+calling_error(OM_uint32 v)
+{
+    static char *msgs[] = {
+	NULL,			/* 0 */
+	"A required input parameter could not be read.", /*  */
+	"A required output parameter could not be written.", /*  */
+	"A parameter was malformed"
+    };
+
+    v >>= GSS_C_CALLING_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown calling error";
+    else
+	return msgs[v];
+}
+
+static char *
+routine_error(OM_uint32 v)
+{
+    static char *msgs[] = {
+	NULL,			/* 0 */
+	"An unsupported mechanism was requested",
+	"An invalid name was supplied",
+	"A supplied name was of an unsupported type",
+	"Incorrect channel bindings were supplied",
+	"An invalid status code was supplied",
+	"A token had an invalid MIC",
+	"No credentials were supplied, "
+	"or the credentials were unavailable or inaccessible.",
+	"No context has been established",
+	"A token was invalid",
+	"A credential was invalid",
+	"The referenced credentials have expired",
+	"The context has expired",
+	"Miscellaneous failure (see text)",
+	"The quality-of-protection requested could not be provide",
+	"The operation is forbidden by local security policy",
+	"The operation or option is not available",
+	"The requested credential element already exists",
+	"The provided name was not a mechanism name.",
+    };
+
+    v >>= GSS_C_ROUTINE_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+OM_uint32 gss_display_status
+           (OM_uint32		*minor_status,
+	    OM_uint32		 status_value,
+	    int			 status_type,
+	    const gss_OID	 mech_type,
+	    OM_uint32		*message_context,
+	    gss_buffer_t	 status_string)
+{
+  char *buf;
+
+  gssapi_krb5_init ();
+
+  *minor_status = 0;
+
+  if (mech_type != GSS_C_NO_OID &&
+      mech_type != GSS_KRB5_MECHANISM)
+      return GSS_S_BAD_MECH;
+
+  if (status_type == GSS_C_GSS_CODE) {
+      asprintf (&buf, "%s %s",
+		calling_error(GSS_CALLING_ERROR(status_value)),
+		routine_error(GSS_ROUTINE_ERROR(status_value)));
+      if (buf == NULL) {
+	  *minor_status = ENOMEM;
+	  return GSS_S_FAILURE;
+      }
+  } else if (status_type == GSS_C_MECH_CODE) {
+      buf = strdup(krb5_get_err_text (gssapi_krb5_context, status_value));
+      if (buf == NULL) {
+	  *minor_status = ENOMEM;
+	  return GSS_S_FAILURE;
+      }
+  } else
+      return GSS_S_BAD_STATUS;
+
+  *message_context = 0;
+
+  status_string->length = strlen(buf);
+  status_string->value  = buf;
+  
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/duplicate_name.c b/crypto/heimdal/lib/gssapi/duplicate_name.c
new file mode 100644
index 0000000..a3118d3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/duplicate_name.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: duplicate_name.c,v 1.3 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           )
+{
+  krb5_error_code kret;
+
+  gssapi_krb5_init ();
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      src_name,
+			      dest_name);
+  if (kret)
+    return GSS_S_FAILURE;
+  else
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/encapsulate.c b/crypto/heimdal/lib/gssapi/encapsulate.c
new file mode 100644
index 0000000..1b8636bc
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/encapsulate.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: encapsulate.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+
+void
+gssapi_krb5_encap_length (size_t data_len,
+			  size_t *len,
+			  size_t *total_len)
+{
+    size_t len_len;
+
+    *len = 1 + 1 + GSS_KRB5_MECHANISM->length + 2 + data_len;
+
+    len_len = length_len(*len);
+
+    *total_len = 1 + len_len + *len;
+}
+
+u_char *
+gssapi_krb5_make_header (u_char *p,
+			 size_t len,
+			 u_char *type)
+{
+    int e;
+    size_t len_len, foo;
+
+    *p++ = 0x60;
+    len_len = length_len(len);
+    e = der_put_length (p + len_len - 1, len_len, len, &foo);
+    if(e || foo != len_len)
+	abort ();
+    p += len_len;
+    *p++ = 0x06;
+    *p++ = GSS_KRB5_MECHANISM->length;
+    memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+    p += GSS_KRB5_MECHANISM->length;
+    memcpy (p, type, 2);
+    p += 2;
+    return p;
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+OM_uint32
+gssapi_krb5_encapsulate(
+			krb5_data *in_data,
+			gss_buffer_t output_token,
+			u_char *type
+)
+{
+    size_t len, outer_len;
+    u_char *p;
+
+    gssapi_krb5_encap_length (in_data->length, &len, &outer_len);
+    
+    output_token->length = outer_len;
+    output_token->value  = malloc (outer_len);
+    if (output_token->value == NULL)
+	return GSS_S_FAILURE;
+
+    p = gssapi_krb5_make_header (output_token->value, len, type);
+    memcpy (p, in_data->data, in_data->length);
+    krb5_data_free (in_data);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/export_name.c b/crypto/heimdal/lib/gssapi/export_name.c
new file mode 100644
index 0000000..efbd9c4
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/export_name.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: export_name.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           )
+{
+  return gss_display_name(minor_status,
+        input_name,
+        exported_name,
+        NULL);
+}
diff --git a/crypto/heimdal/lib/gssapi/export_sec_context.c b/crypto/heimdal/lib/gssapi/export_sec_context.c
new file mode 100644
index 0000000..d982be7
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/export_sec_context.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: export_sec_context.c,v 1.2 2000/02/12 21:25:24 assar Exp $");
+
+OM_uint32
+gss_export_sec_context (
+    OM_uint32 * minor_status,
+    gss_ctx_id_t * context_handle,
+    gss_buffer_t interprocess_token
+    )
+{
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    unsigned char auth_buf[1024];
+    size_t sz;
+    int ret;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    int flags;
+
+    gssapi_krb5_init ();
+    if (!((*context_handle)->flags & GSS_C_TRANS_FLAG))
+	return GSS_S_UNAVAILABLE;
+
+    sp = krb5_storage_emem ();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    ac = (*context_handle)->auth_context;
+
+    /* flagging included fields */
+
+    flags = 0;
+    if (ac->local_address)
+	flags |= SC_LOCAL_ADDRESS;
+    if (ac->remote_address)
+	flags |= SC_REMOTE_ADDRESS;
+    if (ac->keyblock)
+	flags |= SC_KEYBLOCK;
+    if (ac->local_subkey)
+	flags |= SC_LOCAL_SUBKEY;
+    if (ac->remote_subkey)
+	flags |= SC_REMOTE_SUBKEY;
+
+    krb5_store_int32 (sp, flags);
+
+    /* marshall auth context */
+
+    krb5_store_int32 (sp, ac->flags);
+    if (ac->local_address)
+	krb5_store_address (sp, *ac->local_address);
+    if (ac->remote_address)
+	krb5_store_address (sp, *ac->remote_address);
+    krb5_store_int16 (sp, ac->local_port);
+    krb5_store_int16 (sp, ac->remote_port);
+    if (ac->keyblock)
+	krb5_store_keyblock (sp, *ac->keyblock);
+    if (ac->local_subkey)
+	krb5_store_keyblock (sp, *ac->local_subkey);
+    if (ac->remote_subkey)
+	krb5_store_keyblock (sp, *ac->remote_subkey);
+    krb5_store_int32 (sp, ac->local_seqnumber);
+    krb5_store_int32 (sp, ac->remote_seqnumber);
+
+#if 0
+    ret = encode_Authenticator (auth_buf, sizeof(auth_buf),
+				ac->authenticator, &sz);
+    if (ret) {
+	krb5_storage_free (sp);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    data.data   = auth_buf;
+    data.length = sz;
+    krb5_store_data (sp, data);
+#endif
+    krb5_store_int32 (sp, ac->keytype);
+    krb5_store_int32 (sp, ac->cksumtype);
+
+    /* names */
+
+    gss_export_name (minor_status, (*context_handle)->source, &buffer);
+    data.data   = buffer.value;
+    data.length = buffer.length;
+    krb5_store_data (sp, data);
+
+    gss_export_name (minor_status, (*context_handle)->target, &buffer);
+    data.data   = buffer.value;
+    data.length = buffer.length;
+    krb5_store_data (sp, data);
+
+    krb5_store_int32 (sp, (*context_handle)->flags);
+    krb5_store_int32 (sp, (*context_handle)->more_flags);
+
+    ret = krb5_storage_to_data (sp, &data);
+    krb5_storage_free (sp);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    interprocess_token->length = data.length;
+    interprocess_token->value  = data.data;
+    ret = gss_delete_sec_context (minor_status, context_handle,
+				  GSS_C_NO_BUFFER);
+    if (ret != GSS_S_COMPLETE)
+	gss_release_buffer (NULL, interprocess_token);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/external.c b/crypto/heimdal/lib/gssapi/external.c
new file mode 100644
index 0000000..19e8306
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/external.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: external.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_user_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x01"};
+
+gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x02"};
+
+gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x03"};
+
+gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 2(gss-host-based-services)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
+{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
+
+gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_anonymous_oid_desc =
+{6, (void *)"\x2b\x06\01\x05\x06\x03"};
+
+gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_export_name_oid_desc =
+{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
+
+gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
+ *   is "GSS_KRB5_NT_PRINCIPAL_NAME".
+ */
+
+static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
+
+gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) user_name(1)}.  The recommended symbolic name for this
+ *   type is "GSS_KRB5_NT_USER_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_STRING_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ *   To support ongoing experimentation, testing, and evolution of the
+ *   specification, the Kerberos V5 GSS-API mechanism as defined in this
+ *   and any successor memos will be identified with the following Object
+ *   Identifier, as defined in RFC-1510, until the specification is
+ *   advanced to the level of Proposed Standard RFC:
+ *
+ *   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
+ *
+ *   Upon advancement to the level of Proposed Standard RFC, the Kerberos
+ *   V5 GSS-API mechanism will be identified by an Object Identifier
+ *   having the value:
+ *
+ *   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+ *   gssapi(2) krb5(2)}
+ */
+
+#if 0 /* This is the old OID */
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{5, (void *)"\x2b\x05\x01\x05\x02"};
+
+#endif
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+
+gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+
+/*
+ * Context for krb5 calls.
+ */
+
+krb5_context gssapi_krb5_context;
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
new file mode 100644
index 0000000..8dd1b6f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/get_mic.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: get_mic.c,v 1.11 2000/01/25 23:19:22 assar Exp $");
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  des_key_schedule schedule;
+  des_cblock key;
+  des_cblock zero;
+  int32_t seq_number;
+  size_t len, total_len;
+
+  gssapi_krb5_encap_length (22, &len, &total_len);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL)
+    return GSS_S_FAILURE;
+
+  p = gssapi_krb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01");
+
+  memcpy (p, "\x00\x00", 2);
+  p += 2;
+  memcpy (p, "\xff\xff\xff\xff", 4);
+  p += 4;
+
+  /* Fill in later */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* checksum */
+  MD5Init (&md5);
+  MD5Update (&md5, p - 24, 8);
+  MD5Update (&md5, message_buffer->value,
+	     message_buffer->length);
+  MD5Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  gss_krb5_getsomekey(context_handle, &key);
+  des_set_key (&key, schedule);
+  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  memcpy (p - 8, hash, 8);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  p -= 16;
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  des_set_key (&key, schedule);
+  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+  
+  memset (key, 0, sizeof(key));
+  memset (schedule, 0, sizeof(schedule));
+  
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi.h
new file mode 100644
index 0000000..4c1b606
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi.h
@@ -0,0 +1,742 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi.h,v 1.14 1999/12/02 17:05:03 joda Exp $ */
+
+#ifndef GSSAPI_H_
+#define GSSAPI_H_
+
+/*
+ * First, include stddef.h to get size_t defined.
+ */
+#include <stddef.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <sys/types.h>
+
+#include <krb5-types.h>
+
+/*
+ * Now define the three implementation-dependent types.
+ */
+
+typedef u_int32_t OM_uint32;
+
+/*
+ * This is to avoid having to include <krb5.h>
+ */
+
+struct krb5_auth_context_data;
+
+struct Principal;
+
+/* typedef void *gss_name_t; */
+
+typedef struct Principal *gss_name_t;
+
+typedef struct gss_ctx_id_t_desc_struct {
+  struct krb5_auth_context_data *auth_context;
+  gss_name_t source, target;
+  OM_uint32 flags;
+  enum { LOCAL = 1, OPEN = 2} more_flags;
+  struct krb5_ticket *ticket;
+} gss_ctx_id_t_desc;
+
+typedef gss_ctx_id_t_desc *gss_ctx_id_t;
+
+typedef struct gss_OID_desc_struct {
+      OM_uint32 length;
+      void      *elements;
+} gss_OID_desc, *gss_OID;
+
+typedef struct gss_OID_set_desc_struct  {
+      size_t     count;
+      gss_OID    elements;
+} gss_OID_set_desc, *gss_OID_set;
+
+struct krb5_keytab_data;
+
+typedef int gss_cred_usage_t;
+
+typedef struct gss_cred_id_t_desc_struct {
+  gss_name_t principal;
+  struct krb5_keytab_data *keytab;
+  OM_uint32 lifetime;
+  gss_cred_usage_t usage;
+  gss_OID_set mechanisms;
+} gss_cred_id_t_desc;
+
+typedef gss_cred_id_t_desc *gss_cred_id_t;
+
+typedef struct gss_buffer_desc_struct {
+      size_t length;
+      void *value;
+} gss_buffer_desc, *gss_buffer_t;
+
+typedef struct gss_channel_bindings_struct {
+      OM_uint32 initiator_addrtype;
+      gss_buffer_desc initiator_address;
+      OM_uint32 acceptor_addrtype;
+      gss_buffer_desc acceptor_address;
+      gss_buffer_desc application_data;
+} *gss_channel_bindings_t;
+
+/*
+ * For now, define a QOP-type as an OM_uint32
+ */
+typedef OM_uint32 gss_qop_t;
+
+/*
+ * Flag bits for context-level services.
+ */
+#define GSS_C_DELEG_FLAG 1
+#define GSS_C_MUTUAL_FLAG 2
+#define GSS_C_REPLAY_FLAG 4
+#define GSS_C_SEQUENCE_FLAG 8
+#define GSS_C_CONF_FLAG 16
+#define GSS_C_INTEG_FLAG 32
+#define GSS_C_ANON_FLAG 64
+#define GSS_C_PROT_READY_FLAG 128
+#define GSS_C_TRANS_FLAG 256
+
+/*
+ * Credential usage options
+ */
+#define GSS_C_BOTH 0
+#define GSS_C_INITIATE 1
+#define GSS_C_ACCEPT 2
+
+/*
+ * Status code types for gss_display_status
+ */
+#define GSS_C_GSS_CODE 1
+#define GSS_C_MECH_CODE 2
+
+/*
+ * The constant definitions for channel-bindings address families
+ */
+#define GSS_C_AF_UNSPEC     0
+#define GSS_C_AF_LOCAL      1
+#define GSS_C_AF_INET       2
+#define GSS_C_AF_IMPLINK    3
+#define GSS_C_AF_PUP        4
+#define GSS_C_AF_CHAOS      5
+#define GSS_C_AF_NS         6
+#define GSS_C_AF_NBS        7
+#define GSS_C_AF_ECMA       8
+#define GSS_C_AF_DATAKIT    9
+#define GSS_C_AF_CCITT      10
+#define GSS_C_AF_SNA        11
+#define GSS_C_AF_DECnet     12
+#define GSS_C_AF_DLI        13
+#define GSS_C_AF_LAT        14
+#define GSS_C_AF_HYLINK     15
+#define GSS_C_AF_APPLETALK  16
+#define GSS_C_AF_BSC        17
+#define GSS_C_AF_DSS        18
+#define GSS_C_AF_OSI        19
+#define GSS_C_AF_X25        21
+#define GSS_C_AF_INET6	    24
+
+#define GSS_C_AF_NULLADDR   255
+
+/*
+ * Various Null values
+ */
+#define GSS_C_NO_NAME ((gss_name_t) 0)
+#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+#define GSS_C_NO_OID ((gss_OID) 0)
+#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+#define GSS_C_EMPTY_BUFFER {0, NULL}
+
+/*
+ * Some alternate names for a couple of the above
+ * values.  These are defined for V1 compatibility.
+ */
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+/*
+ * Define the default Quality of Protection for per-message
+ * services.  Note that an implementation that offers multiple
+ * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+ * (as done here) to mean "default protection", or to a specific
+ * explicit QOP value.  However, a value of 0 should always be
+ * interpreted by a GSSAPI implementation as a request for the
+ * default protection level.
+ */
+#define GSS_C_QOP_DEFAULT 0
+
+/*
+ * Expiration time of 2^32-1 seconds means infinite lifetime for a
+ * credential or security context
+ */
+#define GSS_C_INDEFINITE 0xfffffffful
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_USER_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 2(gss-host-based-services)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_ANONYMOUS;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+/*
+ * This if for kerberos5 names.
+ */
+
+extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
+extern gss_OID GSS_KRB5_NT_USER_NAME;
+extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
+extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
+
+extern gss_OID GSS_KRB5_MECHANISM;
+
+/* Major status codes */
+
+#define GSS_S_COMPLETE 0
+
+/*
+ * Some "helper" definitions to make the status code macros obvious.
+ */
+#define GSS_C_CALLING_ERROR_OFFSET 24
+#define GSS_C_ROUTINE_ERROR_OFFSET 16
+#define GSS_C_SUPPLEMENTARY_OFFSET 0
+#define GSS_C_CALLING_ERROR_MASK 0377ul
+#define GSS_C_ROUTINE_ERROR_MASK 0377ul
+#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+/*
+ * The macros that test status codes for error conditions.
+ * Note that the GSS_ERROR() macro has changed slightly from
+ * the V1 GSSAPI so that it now evaluates its argument
+ * only once.
+ */
+#define GSS_CALLING_ERROR(x) \
+  (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+#define GSS_ROUTINE_ERROR(x) \
+  (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+#define GSS_SUPPLEMENTARY_INFO(x) \
+  (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+#define GSS_ERROR(x) \
+  (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+        (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+/*
+ * Now the actual status code definitions
+ */
+
+/*
+ * Calling errors:
+ */
+#define GSS_S_CALL_INACCESSIBLE_READ \
+                             (1ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_INACCESSIBLE_WRITE \
+                             (2ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_BAD_STRUCTURE \
+                             (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+/*
+ * Routine errors:
+ */
+#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_MIC GSS_S_BAD_SIG
+#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+/*
+ * Supplementary info bits:
+ */
+#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+/*
+ * From RFC1964:
+ *
+ * 4.1.1. Non-Kerberos-specific codes
+ */
+
+#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
+           /* "No @ in SERVICE-NAME name string" */
+#define GSS_KRB5_S_G_BAD_STRING_UID 2
+           /* "STRING-UID-NAME contains nondigits" */
+#define GSS_KRB5_S_G_NOUSER 3
+           /* "UID does not resolve to username" */
+#define GSS_KRB5_S_G_VALIDATE_FAILED 4
+           /* "Validation error" */
+#define GSS_KRB5_S_G_BUFFER_ALLOC 5
+           /* "Couldn't allocate gss_buffer_t data" */
+#define GSS_KRB5_S_G_BAD_MSG_CTX 6
+           /* "Message context invalid" */
+#define GSS_KRB5_S_G_WRONG_SIZE 7
+           /* "Buffer is the wrong size" */
+#define GSS_KRB5_S_G_BAD_USAGE 8
+           /* "Credential usage type is unknown" */
+#define GSS_KRB5_S_G_UNKNOWN_QOP 9
+           /* "Unknown quality of protection specified" */
+
+  /*
+   * 4.1.2. Kerberos-specific-codes
+   */
+
+#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
+           /* "Principal in credential cache does not match desired name" */
+#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
+           /* "No principal in keytab matches desired name" */
+#define GSS_KRB5_S_KG_TGT_MISSING 12
+           /* "Credential cache has no TGT" */
+#define GSS_KRB5_S_KG_NO_SUBKEY 13
+           /* "Authenticator has no subkey" */
+#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
+           /* "Context is already fully established" */
+#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
+           /* "Unknown signature type in token" */
+#define GSS_KRB5_S_KG_BAD_LENGTH 16
+           /* "Invalid field length in token" */
+#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
+           /* "Attempt to use incomplete security context" */
+
+/*
+ * Finally, function prototypes for the GSS-API routines.
+ */
+
+OM_uint32 gss_acquire_cred
+           (OM_uint32 * minor_status,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           );
+
+OM_uint32 gss_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_accept_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            const gss_cred_id_t acceptor_cred_handle,
+            const gss_buffer_t input_token_buffer,
+            const gss_channel_bindings_t input_chan_bindings,
+            gss_name_t * src_name,
+            gss_OID * mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec,
+            gss_cred_id_t * delegated_cred_handle
+           );
+
+OM_uint32 gss_process_context_token
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t token_buffer
+           );
+
+OM_uint32 gss_delete_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t output_token
+           );
+
+OM_uint32 gss_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           );
+
+OM_uint32 gss_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+           );
+
+OM_uint32 gss_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           );
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           );
+
+OM_uint32 gss_display_status
+           (OM_uint32 * minor_status,
+            OM_uint32 status_value,
+            int status_type,
+            const gss_OID mech_type,
+            OM_uint32 * message_context,
+            gss_buffer_t status_string
+           );
+
+OM_uint32 gss_indicate_mechs
+           (OM_uint32 * minor_status,
+            gss_OID_set * mech_set
+           );
+
+OM_uint32 gss_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           );
+
+OM_uint32 gss_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           );
+
+OM_uint32 gss_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           );
+
+OM_uint32 gss_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           );
+
+OM_uint32 gss_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           );
+
+OM_uint32 gss_release_buffer
+           (OM_uint32 * minor_status,
+            gss_buffer_t buffer
+           );
+
+OM_uint32 gss_release_oid_set
+           (OM_uint32 * minor_status,
+            gss_OID_set * set
+           );
+
+OM_uint32 gss_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           );
+
+OM_uint32 gss_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open
+           );
+
+OM_uint32 gss_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           );
+
+OM_uint32 gss_add_cred (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t input_cred_handle,
+            const gss_name_t desired_name,
+            const gss_OID desired_mech,
+            gss_cred_usage_t cred_usage,
+            OM_uint32 initiator_time_req,
+            OM_uint32 acceptor_time_req,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * initiator_time_rec,
+            OM_uint32 * acceptor_time_rec
+           );
+
+OM_uint32 gss_inquire_cred_by_mech (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            const gss_OID mech_type,
+            gss_name_t * name,
+            OM_uint32 * initiator_lifetime,
+            OM_uint32 * acceptor_lifetime,
+            gss_cred_usage_t * cred_usage
+           );
+
+OM_uint32 gss_export_sec_context (
+            OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t interprocess_token
+           );
+
+OM_uint32 gss_import_sec_context (
+            OM_uint32 * minor_status,
+            const gss_buffer_t interprocess_token,
+            gss_ctx_id_t * context_handle
+           );
+
+OM_uint32 gss_create_empty_oid_set (
+            OM_uint32 * minor_status,
+            gss_OID_set * oid_set
+           );
+
+OM_uint32 gss_add_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member_oid,
+            gss_OID_set * oid_set
+           );
+
+OM_uint32 gss_test_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member,
+            const gss_OID_set set,
+            int * present
+           );
+
+OM_uint32 gss_inquire_names_for_mech (
+            OM_uint32 * minor_status,
+            const gss_OID mechanism,
+            gss_OID_set * name_types
+           );
+
+OM_uint32 gss_inquire_mechs_for_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_OID_set * mech_types
+           );
+
+OM_uint32 gss_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           );
+
+OM_uint32 gss_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           );
+
+/*
+ * The following routines are obsolete variants of gss_get_mic,
+ * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+ * provided by GSSAPI V2 implementations for backwards
+ * compatibility with V1 applications.  Distinct entrypoints
+ * (as opposed to #defines) should be provided, both to allow
+ * GSSAPI V1 applications to link against GSSAPI V2 implementations,
+ * and to retain the slight parameter type differences between the
+ * obsolete versions of these routines and their current forms.
+ */
+
+OM_uint32 gss_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           );
+
+OM_uint32 gss_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           );
+
+OM_uint32 gss_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           );
+
+OM_uint32 gss_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           );
+
+/*
+ * kerberos mechanism specific functions
+ */
+
+OM_uint32 gsskrb5_register_acceptor_identity
+        (char *identity);
+
+#endif /* GSSAPI_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
new file mode 100644
index 0000000..53f9cdc
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi_locl.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi_locl.h,v 1.12 2000/02/12 21:26:26 assar Exp $ */
+
+#ifndef GSSAPI_LOCL_H
+#define GSSAPI_LOCL_H
+
+#include <krb5_locl.h>
+#include <gssapi.h>
+
+extern krb5_context gssapi_krb5_context;
+
+void gssapi_krb5_init (void);
+
+krb5_error_code
+gssapi_krb5_create_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      OM_uint32 flags,
+		      Checksum *result);
+
+krb5_error_code
+gssapi_krb5_verify_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      Checksum *cksum,
+		      OM_uint32 *flags);
+
+OM_uint32
+gssapi_krb5_encapsulate(
+			krb5_data *in_data,
+			gss_buffer_t output_token,
+			u_char *type);
+
+OM_uint32
+gssapi_krb5_decapsulate(
+			gss_buffer_t input_token_buffer,
+			krb5_data *out_data,
+			char *type);
+
+void
+gssapi_krb5_encap_length (size_t data_len,
+			  size_t *len,
+			  size_t *total_len);
+
+u_char *
+gssapi_krb5_make_header (u_char *p,
+			 size_t len,
+			 u_char *type);
+
+OM_uint32
+gssapi_krb5_verify_header(u_char **str,
+			  size_t total_len,
+			  char *type);
+
+OM_uint32
+gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
+		    des_cblock *key);
+
+/* sec_context flags */
+
+#define SC_LOCAL_ADDRESS  0x01
+#define SC_REMOTE_ADDRESS 0x02
+#define SC_KEYBLOCK	  0x04
+#define SC_LOCAL_SUBKEY	  0x08
+#define SC_REMOTE_SUBKEY  0x10
+
+#endif
diff --git a/crypto/heimdal/lib/gssapi/import_name.c b/crypto/heimdal/lib/gssapi/import_name.c
new file mode 100644
index 0000000..6cb94c4
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/import_name.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: import_name.c,v 1.8 1999/12/02 17:05:03 joda Exp $");
+
+static OM_uint32
+import_krb5_name (OM_uint32 *minor_status,
+		  const gss_buffer_t input_name_buffer,
+		  gss_name_t *output_name)
+{
+    krb5_error_code kerr;
+    char *tmp;
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL)
+	return GSS_S_FAILURE;
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    kerr = krb5_parse_name (gssapi_krb5_context,
+			    tmp,
+			    output_name);
+    free (tmp);
+    if (kerr == 0)
+	return GSS_S_COMPLETE;
+    else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
+	return GSS_S_BAD_NAME;
+    else
+	return GSS_S_FAILURE;
+}
+
+static OM_uint32
+import_hostbased_name (OM_uint32 *minor_status,
+		       const gss_buffer_t input_name_buffer,
+		       gss_name_t *output_name)
+{
+    krb5_error_code kerr;
+    char *tmp;
+    char *p;
+    char *host;
+    char local_hostname[MAXHOSTNAMELEN];
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    p = strchr (tmp, '@');
+    if (p != NULL) {
+	*p = '\0';
+	host = p + 1;
+    } else {
+	if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
+	    *minor_status = errno;
+	    free (tmp);
+	    return GSS_S_FAILURE;
+	}
+	host = local_hostname;
+    }
+
+    kerr = krb5_sname_to_principal (gssapi_krb5_context,
+				    host,
+				    tmp,
+				    KRB5_NT_SRV_HST,
+				    output_name);
+    free (tmp);
+    *minor_status = kerr;
+    if (kerr == 0)
+	return GSS_S_COMPLETE;
+    else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) 
+	return GSS_S_BAD_NAME;
+    else
+	return GSS_S_FAILURE;
+}
+
+OM_uint32 gss_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           )
+{
+    gssapi_krb5_init ();
+
+    if (input_name_type == GSS_C_NT_HOSTBASED_SERVICE)
+	return import_hostbased_name (minor_status,
+				      input_name_buffer,
+				      output_name);
+    else if (input_name_type == GSS_C_NO_OID
+	     || input_name_type == GSS_C_NT_USER_NAME
+	     || input_name_type == GSS_KRB5_NT_PRINCIPAL_NAME)
+ 	/* default printable syntax */
+	return import_krb5_name (minor_status,
+				 input_name_buffer,
+				 output_name);
+    else
+	return GSS_S_BAD_NAMETYPE;
+}
diff --git a/crypto/heimdal/lib/gssapi/import_sec_context.c b/crypto/heimdal/lib/gssapi/import_sec_context.c
new file mode 100644
index 0000000..2667637
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/import_sec_context.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: import_sec_context.c,v 1.2 2000/02/12 21:26:00 assar Exp $");
+
+OM_uint32
+gss_import_sec_context (
+    OM_uint32 * minor_status,
+    const gss_buffer_t interprocess_token,
+    gss_ctx_id_t * context_handle
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    krb5_address local, remote;
+    krb5_address *localp, *remotep;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    krb5_keyblock keyblock;
+    size_t sz;
+    int32_t tmp;
+    int32_t flags;
+
+    gssapi_krb5_init ();
+
+    sp = krb5_storage_from_mem (interprocess_token->value,
+				interprocess_token->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == NULL) {
+	*minor_status = ENOMEM;
+	krb5_storage_free (sp);
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_auth_con_init (gssapi_krb5_context,
+			       &(*context_handle)->auth_context);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    /* flags */
+
+    krb5_ret_int32 (sp, &flags);
+
+    /* retrieve the auth context */
+
+    ac = (*context_handle)->auth_context;
+    krb5_ret_int32 (sp, &ac->flags);
+    if (flags & SC_LOCAL_ADDRESS)
+	krb5_ret_address (sp, localp = &local);
+    else
+	localp = NULL;
+    if (flags & SC_REMOTE_ADDRESS)
+	krb5_ret_address (sp, remotep  = &remote);
+    else
+	remotep = NULL;
+    krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
+    if (localp)
+	krb5_free_address (gssapi_krb5_context, localp);
+    if (remotep)
+	krb5_free_address (gssapi_krb5_context, remotep);
+    krb5_ret_int16 (sp, &ac->local_port);
+    krb5_ret_int16 (sp, &ac->remote_port);
+    if (flags & SC_KEYBLOCK) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    if (flags & SC_LOCAL_SUBKEY) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    if (flags & SC_REMOTE_SUBKEY) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    krb5_ret_int32 (sp, &ac->local_seqnumber);
+    krb5_ret_int32 (sp, &ac->remote_seqnumber);
+
+#if 0
+    krb5_ret_data (sp, &data);
+    ac->authenticator = malloc (sizeof (*ac->authenticator));
+    if (ac->authenticator == NULL) {
+	*minor_status = ENOMEM;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = decode_Authenticator (data.data, data.length,
+				 ac->authenticator, &sz);
+    krb5_data_free (&data);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+#endif
+
+    krb5_ret_int32 (sp, &tmp);
+    ac->keytype = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    ac->cksumtype = tmp;
+
+    /* names */
+
+    krb5_ret_data (sp, &data);
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+		     &(*context_handle)->source);
+    krb5_data_free (&data);
+
+    krb5_ret_data (sp, &data);
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+		     &(*context_handle)->target);
+    krb5_data_free (&data);
+
+    krb5_ret_int32 (sp, &tmp);
+    (*context_handle)->flags = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    (*context_handle)->more_flags = tmp;
+
+    (*context_handle)->ticket = NULL;
+
+    return GSS_S_COMPLETE;
+
+failure:
+    krb5_auth_con_free (gssapi_krb5_context,
+			(*context_handle)->auth_context);
+    free (*context_handle);
+    *context_handle = GSS_C_NO_CONTEXT;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/indicate_mechs.c b/crypto/heimdal/lib/gssapi/indicate_mechs.c
new file mode 100644
index 0000000..26e018e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/indicate_mechs.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: indicate_mechs.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_indicate_mechs
+           (OM_uint32 * minor_status,
+            gss_OID_set * mech_set
+           )
+{
+  *mech_set = malloc(sizeof(**mech_set));
+  if (*mech_set == NULL) {
+    return GSS_S_FAILURE;
+  }
+  (*mech_set)->count = 1;
+  (*mech_set)->elements = malloc((*mech_set)->count * sizeof(gss_OID_desc));
+  if ((*mech_set)->elements == NULL) {
+    free (*mech_set);
+    return GSS_S_FAILURE;
+  }
+  (*mech_set)->elements[0] = *GSS_KRB5_MECHANISM;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/init.c b/crypto/heimdal/lib/gssapi/init.c
new file mode 100644
index 0000000..2c01490
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/init.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: init.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+
+void
+gssapi_krb5_init (void)
+{
+    if(gssapi_krb5_context == NULL)
+	krb5_init_context (&gssapi_krb5_context);
+}
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
new file mode 100644
index 0000000..2f9bbc9
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/init_sec_context.c
@@ -0,0 +1,360 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: init_sec_context.c,v 1.18 1999/12/26 18:31:36 assar Exp $");
+
+static OM_uint32
+init_auth
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_flags ap_options;
+    krb5_creds this_cred, *cred;
+    krb5_data outbuf;
+    krb5_ccache ccache;
+    u_int32_t flags;
+    Authenticator *auth;
+    krb5_data authenticator;
+    Checksum cksum;
+    krb5_enctype enctype;
+
+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    outbuf.length = 0;
+    outbuf.data   = NULL;
+
+    *minor_status = 0;
+
+    *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    (*context_handle)->auth_context =  NULL;
+    (*context_handle)->source = NULL;
+    (*context_handle)->target = NULL;
+    (*context_handle)->flags = 0;
+    (*context_handle)->more_flags = 0;
+    (*context_handle)->ticket = NULL;
+
+    kret = krb5_auth_con_init (gssapi_krb5_context,
+			       &(*context_handle)->auth_context);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    {
+	int32_t tmp;
+
+	krb5_auth_con_getflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       &tmp);
+	tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
+	krb5_auth_con_setflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       tmp);
+    }
+
+    if (actual_mech_type)
+	*actual_mech_type = GSS_KRB5_MECHANISM;
+
+    flags = 0;
+    ap_options = 0;
+    if (req_flags & GSS_C_DELEG_FLAG)
+	;				/* XXX */
+    if (req_flags & GSS_C_MUTUAL_FLAG) {
+	flags |= GSS_C_MUTUAL_FLAG;
+	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+    if (req_flags & GSS_C_REPLAY_FLAG)
+	;				/* XXX */
+    if (req_flags & GSS_C_SEQUENCE_FLAG)
+	;				/* XXX */
+    if (req_flags & GSS_C_ANON_FLAG)
+	;				/* XXX */
+    flags |= GSS_C_CONF_FLAG;
+    flags |= GSS_C_INTEG_FLAG;
+    flags |= GSS_C_SEQUENCE_FLAG;
+    flags |= GSS_C_TRANS_FLAG;
+
+    if (ret_flags)
+	*ret_flags = flags;
+    (*context_handle)->flags = flags;
+    (*context_handle)->more_flags = LOCAL;
+
+    kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_cc_get_principal (gssapi_krb5_context,
+				  ccache,
+				  &(*context_handle)->source);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_copy_principal (gssapi_krb5_context,
+				target_name,
+				&(*context_handle)->target);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    memset(&this_cred, 0, sizeof(this_cred));
+    this_cred.client          = (*context_handle)->source;
+    this_cred.server          = (*context_handle)->target;
+    this_cred.times.endtime   = 0;
+    this_cred.session.keytype = ETYPE_DES_CBC_CRC;
+  
+    kret = krb5_get_credentials (gssapi_krb5_context,
+				 KRB5_TC_MATCH_KEYTYPE,
+				 ccache,
+				 &this_cred,
+				 &cred);
+
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    krb5_auth_con_setkey(gssapi_krb5_context, 
+			 (*context_handle)->auth_context, 
+			 &cred->session);
+  
+    kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
+					     flags,
+					     &cksum);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+#if 1
+    enctype = (*context_handle)->auth_context->keyblock->keytype;
+#else
+    if ((*context_handle)->auth_context->enctype)
+	enctype = (*context_handle)->auth_context->enctype;
+    else {
+	kret = krb5_keytype_to_enctype(gssapi_krb5_context,
+				       (*context_handle)->auth_context->keyblock->keytype,
+				       &enctype);
+	if (kret)
+	    return kret;
+    }
+#endif
+
+
+
+    kret = krb5_build_authenticator (gssapi_krb5_context,
+				     (*context_handle)->auth_context,
+				     enctype,
+				     cred,
+				     &cksum,
+				     &auth,
+				     &authenticator);
+
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_build_ap_req (gssapi_krb5_context,
+			      enctype,
+			      cred,
+			      ap_options,
+			      authenticator,
+			      &outbuf);
+
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    ret = gssapi_krb5_encapsulate (&outbuf,
+				   output_token,
+				   "\x01\x00");
+    if (ret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    if (flags & GSS_C_MUTUAL_FLAG) {
+	return GSS_S_CONTINUE_NEEDED;
+    } else {
+	(*context_handle)->more_flags |= OPEN;
+	return GSS_S_COMPLETE;
+    }
+
+failure:
+    krb5_auth_con_free (gssapi_krb5_context,
+			(*context_handle)->auth_context);
+    if((*context_handle)->source)
+	krb5_free_principal (gssapi_krb5_context,
+			     (*context_handle)->source);
+    if((*context_handle)->target)
+	krb5_free_principal (gssapi_krb5_context,
+			     (*context_handle)->target);
+    free (*context_handle);
+    krb5_data_free (&outbuf);
+    *context_handle = GSS_C_NO_CONTEXT;
+    return ret;
+}
+
+static OM_uint32
+repl_mutual
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+  OM_uint32 ret;
+  krb5_error_code kret;
+  krb5_data indata;
+  krb5_ap_rep_enc_part *repl;
+
+  ret = gssapi_krb5_decapsulate (input_token,
+				 &indata,
+				 "\x02\x00");
+  if (ret) {
+				/* XXX - Handle AP_ERROR */
+    return GSS_S_FAILURE;
+  }
+
+  kret = krb5_rd_rep (gssapi_krb5_context,
+		      (*context_handle)->auth_context,
+		      &indata,
+		      &repl);
+  if (kret)
+    return GSS_S_FAILURE;
+  krb5_free_ap_rep_enc_part (gssapi_krb5_context,
+			     repl);
+
+  output_token->length = 0;
+
+  (*context_handle)->more_flags |= OPEN;
+
+  return GSS_S_COMPLETE;
+}
+
+/*
+ * gss_init_sec_context
+ */
+
+OM_uint32 gss_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+  gssapi_krb5_init ();
+
+  if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
+    return init_auth (minor_status,
+		      initiator_cred_handle,
+		      context_handle,
+		      target_name,
+		      mech_type,
+		      req_flags,
+		      time_req,
+		      input_chan_bindings,
+		      input_token,
+		      actual_mech_type,
+		      output_token,
+		      ret_flags,
+		      time_rec);
+  else
+    return repl_mutual(minor_status,
+		       initiator_cred_handle,
+		       context_handle,
+		       target_name,
+		       mech_type,
+		       req_flags,
+		       time_req,
+		       input_chan_bindings,
+		       input_token,
+		       actual_mech_type,
+		       output_token,
+		       ret_flags,
+		       time_rec);
+}
diff --git a/crypto/heimdal/lib/gssapi/inquire_context.c b/crypto/heimdal/lib/gssapi/inquire_context.c
new file mode 100644
index 0000000..6463253
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_context.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_context.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open
+           )
+{
+  OM_uint32 ret;
+
+  if (src_name) {
+    ret = gss_duplicate_name (minor_status,
+			      context_handle->source,
+			      src_name);
+    if (ret)
+      return ret;
+  }
+
+  if (targ_name) {
+    ret = gss_duplicate_name (minor_status,
+			      context_handle->target,
+			      targ_name);
+    if (ret)
+      return ret;
+  }
+
+  if (lifetime_rec)
+    *lifetime_rec = GSS_C_INDEFINITE;
+
+  if (mech_type)
+    *mech_type = GSS_KRB5_MECHANISM;
+
+  if (ctx_flags)
+    *ctx_flags = context_handle->flags;
+
+  if (locally_initiated)
+    *locally_initiated = context_handle->more_flags & LOCAL;
+
+  if (open)
+    *open = context_handle->more_flags & OPEN;
+
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/inquire_cred.c b/crypto/heimdal/lib/gssapi/inquire_cred.c
new file mode 100644
index 0000000..9e181f3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_cred.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_cred.c,v 1.2 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           )
+{
+    OM_uint32 ret;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+        return GSS_S_FAILURE;
+    }
+
+    if (name != NULL) {
+        ret = gss_duplicate_name(minor_status, cred_handle->principal, name);
+        if (ret) {
+        	return ret;
+        }
+    }
+    if (lifetime != NULL) {
+        *lifetime = cred_handle->lifetime;
+    }
+    if (cred_usage != NULL) {
+        *cred_usage = cred_handle->usage;
+    }
+    if (mechanisms != NULL) {
+        ret = gss_create_empty_oid_set(minor_status, mechanisms);
+        if (ret) {
+            return ret;
+        }
+        ret = gss_add_oid_set_member(minor_status,
+				     &cred_handle->mechanisms->elements[0],
+				     mechanisms);
+        if (ret) {
+            return ret;
+        }
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_buffer.c b/crypto/heimdal/lib/gssapi/release_buffer.c
new file mode 100644
index 0000000..85f971f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_buffer.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_buffer.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_release_buffer
+           (OM_uint32 * minor_status,
+            gss_buffer_t buffer
+           )
+{
+  free (buffer->value);
+  buffer->length = 0;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
new file mode 100644
index 0000000..0ee876e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_cred.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_cred.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           )
+{
+    if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+        return GSS_S_COMPLETE;
+    }
+
+    gssapi_krb5_init ();
+
+    krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
+    if ((*cred_handle)->keytab != NULL)
+	krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
+    gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
+    free(*cred_handle);
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+    return GSS_S_COMPLETE;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/release_name.c b/crypto/heimdal/lib/gssapi/release_name.c
new file mode 100644
index 0000000..7c0fcd3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_name.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_name.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           )
+{
+  gssapi_krb5_init ();
+  krb5_free_principal(gssapi_krb5_context,
+		      *input_name);
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_oid_set.c b/crypto/heimdal/lib/gssapi/release_oid_set.c
new file mode 100644
index 0000000..fe7171e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_oid_set.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_oid_set.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_release_oid_set
+           (OM_uint32 * minor_status,
+            gss_OID_set * set
+           )
+{
+  free ((*set)->elements);
+  free (*set);
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_oid_set_member.c b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
new file mode 100644
index 0000000..47e9fa7
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: test_oid_set_member.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_test_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member,
+            const gss_OID_set set,
+            int * present
+           )
+{
+  size_t i;
+
+  *present = 0;
+  for (i = 0; i < set->count; ++i)
+    if (member->length == set->elements[i].length
+	&& memcmp (member->elements,
+		   set->elements[i].elements,
+		   member->length) == 0) {
+      *present = 1;
+      break;
+    }
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c
new file mode 100644
index 0000000..210bab1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/unwrap.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: unwrap.c,v 1.11 2000/01/25 23:13:38 assar Exp $");
+
+OM_uint32
+gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
+		    des_cblock *key)
+{
+    /* XXX this is ugly, and probably incorrect... */
+    krb5_keyblock *skey;
+    krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+				 context_handle->auth_context, 
+				 &skey);
+    if(skey == NULL)
+	krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+				      context_handle->auth_context, 
+				      &skey);
+    if(skey == NULL)
+	krb5_auth_con_getkey(gssapi_krb5_context,
+			     context_handle->auth_context, 
+			     &skey);
+    if(skey == NULL)
+	return GSS_S_FAILURE;
+    memcpy(key, skey->keyvalue.data, sizeof(*key));
+    krb5_free_keyblock(gssapi_krb5_context, skey);
+    return 0;
+}
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+  u_char *p, *pad;
+  size_t len;
+  MD5_CTX md5;
+  u_char hash[16], seq_data[8];
+  des_key_schedule schedule;
+  des_cblock key;
+  des_cblock zero;
+  int i;
+  int32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+
+  p = input_message_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp (p, "\x00\x00", 2) != 0)
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x00\x00", 2) == 0) {
+      cstate = 1;
+  } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
+      cstate = 0;
+  } else
+      return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+      *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 16;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      gss_krb5_getsomekey(context_handle, &key);
+      for (i = 0; i < sizeof(key); ++i)
+	  key[i] ^= 0xf0;
+      des_set_key (&key, schedule);
+      memset (&zero, 0, sizeof(zero));
+      des_cbc_encrypt ((const void *)p,
+		       (void *)p,
+		       input_message_buffer->length - len,
+		       schedule,
+		       &zero,
+		       DES_DECRYPT);
+      
+      memset (key, 0, sizeof(key));
+      memset (schedule, 0, sizeof(schedule));
+  }
+  /* check pad */
+
+  pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
+  padlength = *pad;
+
+  for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+    ;
+  if (i != 0)
+    return GSS_S_BAD_MIC;
+
+  MD5Init (&md5);
+  MD5Update (&md5, p - 24, 8);
+  MD5Update (&md5, p, input_message_buffer->length - len);
+  MD5Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  gss_krb5_getsomekey(context_handle, &key);
+  des_set_key (&key, schedule);
+  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0)
+    return GSS_S_BAD_MIC;
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq_data[0] = (seq_number >> 0)  & 0xFF;
+  seq_data[1] = (seq_number >> 8)  & 0xFF;
+  seq_data[2] = (seq_number >> 16) & 0xFF;
+  seq_data[3] = (seq_number >> 24) & 0xFF;
+  memset (seq_data + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 16;
+  des_set_key (&key, schedule);
+  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)hash, DES_DECRYPT);
+
+  memset (key, 0, sizeof(key));
+  memset (schedule, 0, sizeof(schedule));
+
+  if (memcmp (p, seq_data, 8) != 0) {
+    return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - 8 - padlength;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 24,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/v1.c b/crypto/heimdal/lib/gssapi/v1.c
new file mode 100644
index 0000000..34091ea
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/v1.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: v1.c,v 1.2 1999/12/02 17:05:04 joda Exp $");
+
+/* These functions are for V1 compatibility */
+
+OM_uint32 gss_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  return gss_get_mic(minor_status,
+	context_handle,
+	(gss_qop_t)qop_req,
+	message_buffer,
+	message_token);
+}
+
+OM_uint32 gss_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           )
+{
+  return gss_verify_mic(minor_status,
+	context_handle,
+	message_buffer,
+	token_buffer,
+	(gss_qop_t *)qop_state);
+}
+
+OM_uint32 gss_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  return gss_wrap(minor_status,
+	context_handle,
+	conf_req_flag,
+	(gss_qop_t)qop_req,
+	input_message_buffer,
+	conf_state,
+	output_message_buffer);
+}
+
+OM_uint32 gss_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           )
+{
+  return gss_unwrap(minor_status,
+	context_handle,
+	input_message_buffer,
+	output_message_buffer,
+	conf_state,
+	(gss_qop_t *)qop_state);
+}
diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c
new file mode 100644
index 0000000..1cc4c52
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/verify_mic.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: verify_mic.c,v 1.9 2000/01/25 23:14:47 assar Exp $");
+
+OM_uint32 gss_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+	    )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16], seq_data[8];
+  des_key_schedule schedule;
+  des_cblock key;
+  des_cblock zero;
+  int32_t seq_number;
+  OM_uint32 ret;
+
+  p = token_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   token_buffer->length,
+				   "\x01\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x00\x00", 2) != 0)
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+  p += 16;
+
+  /* verify checksum */
+  MD5Init (&md5);
+  MD5Update (&md5, p - 24, 8);
+  MD5Update (&md5, message_buffer->value,
+	     message_buffer->length);
+  MD5Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+#if 0
+  memcpy (&key, context_handle->auth_context->key.keyvalue.data,
+	  sizeof(key));
+#endif
+  memcpy (&key, context_handle->auth_context->remote_subkey->keyvalue.data,
+	  sizeof(key));
+
+  des_set_key (&key, schedule);
+  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0) {
+    memset (key, 0, sizeof(key));
+    memset (schedule, 0, sizeof(schedule));
+    return GSS_S_BAD_MIC;
+  }
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq_data[0] = (seq_number >> 0)  & 0xFF;
+  seq_data[1] = (seq_number >> 8)  & 0xFF;
+  seq_data[2] = (seq_number >> 16) & 0xFF;
+  seq_data[3] = (seq_number >> 24) & 0xFF;
+  memset (seq_data + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 16;
+  des_set_key (&key, schedule);
+  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)hash, DES_DECRYPT);
+
+  memset (key, 0, sizeof(key));
+  memset (schedule, 0, sizeof(schedule));
+
+  if (memcmp (p, seq_data, 8) != 0) {
+    return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c
new file mode 100644
index 0000000..c71f2b1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/wrap.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: wrap.c,v 1.11 2000/01/25 23:15:44 assar Exp $");
+
+OM_uint32 gss_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           )
+{
+  size_t len, total_len, padlength;
+  padlength = 8 - (req_output_size % 8);
+  len = req_output_size + 8 + padlength + 22;
+  gssapi_krb5_encap_length(len, &len, &total_len);
+  *max_input_size = (OM_uint32)total_len;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  des_key_schedule schedule;
+  des_cblock key;
+  des_cblock zero;
+  int i;
+  int32_t seq_number;
+  size_t len, total_len, padlength;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  len = input_message_buffer->length + 8 + padlength + 22;
+  gssapi_krb5_encap_length (len, &len, &total_len);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL)
+    return GSS_S_FAILURE;
+
+  p = gssapi_krb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01");
+
+
+  /* SGN_ALG */
+  memcpy (p, "\x00\x00", 2);
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x00\x00", 2);
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* fill in later */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* confounder + data + pad */
+  des_new_random_key((des_cblock*)p);
+  memcpy (p + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 8 + input_message_buffer->length, padlength, padlength);
+
+  /* checksum */
+  MD5Init (&md5);
+  MD5Update (&md5, p - 24, 8);
+  MD5Update (&md5, p, input_message_buffer->length + padlength + 8);
+  MD5Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  gss_krb5_getsomekey(context_handle, &key);
+  des_set_key (&key, schedule);
+  des_cbc_cksum ((const void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  memcpy (p - 8, hash, 8);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  p -= 16;
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  des_set_key (&key, schedule);
+  des_cbc_encrypt ((const void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+
+  /* encrypt the data */
+  p += 16;
+
+  if(conf_req_flag) {
+      gss_krb5_getsomekey(context_handle, &key);
+      for (i = 0; i < sizeof(key); ++i)
+	  key[i] ^= 0xf0;
+      des_set_key (&key, schedule);
+      memset (&zero, 0, sizeof(zero));
+      des_cbc_encrypt ((const void *)p,
+		       (void *)p,
+		       8 + input_message_buffer->length + padlength,
+		       schedule,
+		       &zero,
+		       DES_ENCRYPT);
+      
+      memset (key, 0, sizeof(key));
+      memset (schedule, 0, sizeof(schedule));
+  }
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/hdb/Makefile.am b/crypto/heimdal/lib/hdb/Makefile.am
new file mode 100644
index 0000000..6c4341e
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/Makefile.am
@@ -0,0 +1,57 @@
+# $Id: Makefile.am,v 1.33 2000/01/06 21:45:41 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I../asn1 -I$(srcdir)/../asn1
+
+BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
+	asn1_Salt.c hdb_err.c hdb_err.h
+
+foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
+
+CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
+
+noinst_PROGRAMS = convert_db
+LDADD = libhdb.la \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	../des/libdes.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+lib_LTLIBRARIES = libhdb.la
+libhdb_la_LDFLAGS = -version-info 4:1:1
+
+libhdb_la_SOURCES = 				\
+		    keytab.c			\
+		    hdb.c			\
+		    common.c			\
+		    db.c			\
+		    ndbm.c			\
+		    print.c			\
+		    $(BUILT_SOURCES)
+
+include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
+
+libhdb_la_LIBADD = 
+
+$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
+
+$(srcdir)/hdb-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+
+$(srcdir)/hdb-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+
+$(foo) hdb_asn1.h: asn1_files
+
+asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
+
+$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
+
+$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
+
+# to help stupid solaris make
+
+hdb_err.h: hdb_err.et
diff --git a/crypto/heimdal/lib/hdb/Makefile.in b/crypto/heimdal/lib/hdb/Makefile.in
new file mode 100644
index 0000000..ef92550
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/Makefile.in
@@ -0,0 +1,709 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.33 2000/01/06 21:45:41 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include -I../asn1 -I$(srcdir)/../asn1
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c 	asn1_Salt.c hdb_err.c hdb_err.h
+
+
+foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
+
+CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
+
+noinst_PROGRAMS = convert_db
+LDADD = libhdb.la 	../krb5/libkrb5.la 	../asn1/libasn1.la 	../des/libdes.la 	$(LIB_roken) 	$(DBLIB)
+
+
+lib_LTLIBRARIES = libhdb.la
+libhdb_la_LDFLAGS = -version-info 4:1:1
+
+libhdb_la_SOURCES =  		    keytab.c					    hdb.c					    common.c					    db.c					    ndbm.c					    print.c					    $(BUILT_SOURCES)
+
+
+include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
+
+libhdb_la_LIBADD = 
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libhdb_la_DEPENDENCIES = 
+libhdb_la_OBJECTS =  keytab.lo hdb.lo common.lo db.lo ndbm.lo print.lo \
+asn1_Key.lo asn1_Event.lo asn1_HDBFlags.lo asn1_hdb_entry.lo \
+asn1_Salt.lo hdb_err.lo
+noinst_PROGRAMS =  convert_db$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+convert_db_SOURCES = convert_db.c
+convert_db_OBJECTS =  convert_db.$(OBJEXT)
+convert_db_LDADD = $(LDADD)
+convert_db_DEPENDENCIES =  libhdb.la ../krb5/libkrb5.la \
+../asn1/libasn1.la ../des/libdes.la
+convert_db_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libhdb_la_SOURCES) convert_db.c
+OBJECTS = $(libhdb_la_OBJECTS) convert_db.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hdb/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libhdb.la: $(libhdb_la_OBJECTS) $(libhdb_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libhdb_la_LDFLAGS) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES)
+	@rm -f convert_db$(EXEEXT)
+	$(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS)
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/hdb
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
+
+$(srcdir)/hdb-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+
+$(srcdir)/hdb-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+
+$(foo) hdb_asn1.h: asn1_files
+
+asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
+
+$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
+
+$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
+
+# to help stupid solaris make
+
+hdb_err.h: hdb_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/hdb/common.c b/crypto/heimdal/lib/hdb/common.c
new file mode 100644
index 0000000..6e95667
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/common.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: common.c,v 1.6 1999/12/02 17:05:04 joda Exp $");
+
+int
+hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
+{
+    Principal new;
+    size_t len;
+    unsigned char *buf;
+    int ret;
+
+    ret = copy_Principal(p, &new);
+    if(ret)
+	goto out;
+    new.name.name_type = 0;
+    len = length_Principal(&new);
+    buf  = malloc(len);
+    if(buf == NULL){
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = encode_Principal(buf + len - 1, len, &new, &len);
+    if(ret){
+	free(buf);
+	goto out;
+    }
+    key->data = buf;
+    key->length = len;
+out:
+    free_Principal(&new);
+    return ret;
+}
+
+int
+hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
+{
+    return decode_Principal(key->data, key->length, p, NULL);
+}
+
+int
+hdb_entry2value(krb5_context context, hdb_entry *ent, krb5_data *value)
+{
+    unsigned char *buf;
+    size_t len;
+    int ret;
+
+    len = length_hdb_entry(ent);
+    buf = malloc(len);
+    if(buf == NULL)
+	return ENOMEM;
+    ret = encode_hdb_entry(buf + len - 1, len, ent, &len);
+    if(ret){
+	free(buf);
+	return ret;
+    }
+    value->data = buf;
+    value->length = len;
+    return 0;
+}
+
+int
+hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
+{
+    return decode_hdb_entry(value->data, value->length, ent, NULL);
+}
+
+krb5_error_code
+_hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    krb5_data key, value;
+    int code;
+
+    hdb_principal2key(context, entry->principal, &key);
+    code = db->_get(context, db, key, &value);
+    krb5_data_free(&key);
+    if(code)
+	return code;
+    hdb_value2entry(context, &value, entry);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT))
+	hdb_unseal_keys (db, entry);
+    krb5_data_free(&value);
+    return 0;
+}
+
+krb5_error_code
+_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    krb5_data key, value;
+    int code;
+
+    hdb_principal2key(context, entry->principal, &key);
+    hdb_seal_keys(db, entry);
+    hdb_entry2value(context, entry, &value);
+    code = db->_put(context, db, flags & HDB_F_REPLACE, key, value);
+    krb5_data_free(&value);
+    krb5_data_free(&key);
+    return code;
+}
+
+krb5_error_code
+_hdb_remove(krb5_context context, HDB *db, hdb_entry *entry)
+{
+    krb5_data key;
+    int code;
+
+    hdb_principal2key(context, entry->principal, &key);
+    code = db->_del(context, db, key);
+    krb5_data_free(&key);
+    return code;
+}
+
diff --git a/crypto/heimdal/lib/hdb/convert_db.c b/crypto/heimdal/lib/hdb/convert_db.c
new file mode 100644
index 0000000..b257809
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/convert_db.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* Converts a database from version 0.0* to 0.1. This is done by
+ * making three copies of each DES key (DES-CBC-CRC, DES-CBC-MD4, and
+ * DES-CBC-MD5).
+ *
+ * Use with care. 
+ */
+
+#include "hdb_locl.h"
+#include "getarg.h"
+
+RCSID("$Id: convert_db.c,v 1.8 1999/05/09 22:47:47 assar Exp $");
+
+static krb5_error_code
+update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    int i;
+    int n = 0;
+    Key *k;
+    int save_len;
+    Key *save_val;
+    HDB *new = data;
+    krb5_error_code ret;
+
+    for(i = 0; i < entry->keys.len; i++) 
+	if(entry->keys.val[i].key.keytype == KEYTYPE_DES)
+	    n += 2;
+	else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3)
+	    n += 1;
+    k = malloc(sizeof(*k) * (entry->keys.len + n));
+    n = 0;
+    for(i = 0; i < entry->keys.len; i++) {
+	copy_Key(&entry->keys.val[i], &k[n]);
+	if(entry->keys.val[i].key.keytype == KEYTYPE_DES) {
+	    copy_Key(&entry->keys.val[i], &k[n+1]);
+	    k[n+1].key.keytype = ETYPE_DES_CBC_MD4;
+	    copy_Key(&entry->keys.val[i], &k[n+2]);
+	    k[n+2].key.keytype = ETYPE_DES_CBC_MD5;
+	    n += 2;
+	}
+	else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3) {
+	    copy_Key(&entry->keys.val[i], &k[n+1]);
+	    k[n+1].key.keytype = ETYPE_DES3_CBC_MD5;
+	    n += 1;
+	}
+	n++;
+    }
+    save_len = entry->keys.len;
+    save_val = entry->keys.val;
+    entry->keys.len = n;
+    entry->keys.val = k;
+    ret = new->store(context, new, HDB_F_REPLACE, entry);
+    entry->keys.len = save_len;
+    entry->keys.val = save_val;
+    for(i = 0; i < n; i++) 
+	free_Key(&k[i]);
+    free(k);
+    return 0;
+}
+
+static krb5_error_code
+update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    HDB *new = data;
+    if(!db->master_key_set) {
+	int i;
+	for(i = 0; i < entry->keys.len; i++) {
+	    free(entry->keys.val[i].mkvno);
+	    entry->keys.val[i].mkvno = NULL;
+	}
+    }
+    new->store(context, new, HDB_F_REPLACE, entry);
+    return 0;
+}
+
+char *old_database = HDB_DEFAULT_DB;
+char *new_database = HDB_DEFAULT_DB ".new";
+char *mkeyfile;
+int update_version;
+int help_flag;
+int version_flag;
+
+struct getargs args[] = {
+    { "old-database",	0,	arg_string, &old_database,
+      "name of database to convert", "file" },
+    { "new-database",	0,	arg_string, &new_database,
+      "name of converted database", "file" },
+    { "master-key",	0,	arg_string, &mkeyfile, 
+      "v5 master key file", "file" },
+    { "update-version", 0, 	arg_flag, &update_version,
+      "update the database to the current version" },
+    { "help",		'h',	arg_flag,   &help_flag },
+    { "version",	0,	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    HDB *db, *new;
+    EncryptionKey key;
+    int optind = 0;
+    int master_key_set = 0;
+    
+    set_progname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	krb5_std_usage(1, args, num_args);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if(ret != 0)
+	krb5_err(NULL, 1, ret, "krb5_init_context");
+    
+    ret = hdb_create(context, &db, old_database);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_create");
+
+    ret = hdb_read_master_key(context, mkeyfile, &key);
+    if(ret == 0) {
+	if(key.keytype == KEYTYPE_DES)
+	    key.keytype = ETYPE_DES_CBC_MD5;
+    
+	ret = hdb_set_master_key(context, db, key);
+	if (ret)
+	    krb5_err(context, 1, ret, "hdb_set_master_key");
+	master_key_set = 1;
+    }
+    ret = hdb_create(context, &new, new_database);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_create");
+    if (master_key_set) {
+	ret = hdb_set_master_key(context, new, key);
+	if (ret)
+	    krb5_err(context, 1, ret, "hdb_set_master_key");
+    }
+    ret = db->open(context, db, O_RDONLY, 0);
+    if(ret == HDB_ERR_BADVERSION) {
+	krb5_data tag;
+	krb5_data version;
+	int foo;
+	unsigned ver;
+	tag.data = HDB_DB_FORMAT_ENTRY;
+	tag.length = strlen(tag.data);
+	ret = (*db->_get)(context, db, tag, &version);
+	if(ret)
+	    krb5_errx(context, 1, "database is wrong version, "
+		      "but couldn't find version key (%s)", 
+		      HDB_DB_FORMAT_ENTRY);
+	foo = sscanf(version.data, "%u", &ver);
+	krb5_data_free (&version);
+	if(foo != 1)
+	    krb5_errx(context, 1, "database version is not a number");
+	if(ver == 1 && HDB_DB_FORMAT == 2) {
+	    krb5_warnx(context, "will upgrade database from version %d to %d", 
+		       ver, HDB_DB_FORMAT);
+	    krb5_warnx(context, "rerun to do other conversions");
+	    update_version = 1;
+	} else
+	    krb5_errx(context, 1, 
+		      "don't know how to upgrade from version %d to %d", 
+		      ver, HDB_DB_FORMAT);
+    } else if(ret)
+	krb5_err(context, 1, ret, "%s", old_database);
+    ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", new_database);
+    if(update_version)
+	ret = hdb_foreach(context, db, 0, update_version2, new);
+    else
+	ret = hdb_foreach(context, db, 0, update_keytypes, new);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_foreach");
+    db->close(context, db);
+    new->close(context, new);
+    krb5_warnx(context, "wrote converted database to `%s'", new_database);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/db.c b/crypto/heimdal/lib/hdb/db.c
new file mode 100644
index 0000000..4699437
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/db.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: db.c,v 1.25 1999/12/02 17:05:04 joda Exp $");
+
+#ifdef HAVE_DB_H
+
+static krb5_error_code
+DB_close(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    d->close(d);
+    return 0;
+}
+
+static krb5_error_code
+DB_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return ret;
+}
+
+static krb5_error_code
+DB_lock(krb5_context context, HDB *db, int operation)
+{
+    DB *d = (DB*)db->db;
+    int fd = (*d->fd)(d);
+    if(fd < 0)
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_lock(fd, operation);
+}
+
+static krb5_error_code
+DB_unlock(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    int fd = (*d->fd)(d);
+    if(fd < 0)
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_unlock(fd);
+}
+
+
+static krb5_error_code
+DB_seq(krb5_context context, HDB *db,
+       unsigned flags, hdb_entry *entry, int flag)
+{
+    DB *d = (DB*)db->db;
+    DBT key, value;
+    krb5_data key_data, data;
+    int code;
+
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code == -1)
+	return HDB_ERR_DB_INUSE;
+    code = d->seq(d, &key, &value, flag);
+    db->unlock(context, db); /* XXX check value */
+    if(code == -1)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+
+    key_data.data = key.data;
+    key_data.length = key.size;
+    data.data = value.data;
+    data.length = value.size;
+    if (hdb_value2entry(context, &data, entry))
+	return DB_seq(context, db, flags, entry, R_NEXT);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT))
+	hdb_unseal_keys (db, entry);
+    if (entry->principal == NULL) {
+	entry->principal = malloc(sizeof(*entry->principal));
+	hdb_key2principal(context, &key_data, entry->principal);
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, R_FIRST);
+}
+
+
+static krb5_error_code
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, R_NEXT);
+}
+
+static krb5_error_code
+DB_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    int ret;
+    char *old, *new;
+
+    asprintf(&old, "%s.db", db->name);
+    asprintf(&new, "%s.db", new_name);
+    ret = rename(old, new);
+    free(old);
+    free(new);
+    if(ret)
+	return errno;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    k.data = key.data;
+    k.size = key.length;
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code)
+	return code;
+    code = d->get(d, &k, &v, 0);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+    
+    krb5_data_copy(reply, v.data, v.size);
+    return 0;
+}
+
+static krb5_error_code
+DB__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    k.data = key.data;
+    k.size = key.length;
+    v.data = value.data;
+    v.size = value.length;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_EXISTS;
+    return 0;
+}
+
+static krb5_error_code
+DB__del(krb5_context context, HDB *db, krb5_data key)
+{
+    DB *d = (DB*)db->db;
+    DBT k;
+    krb5_error_code code;
+    k.data = key.data;
+    k.size = key.length;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->del(d, &k, 0);
+    db->unlock(context, db);
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+    if(code < 0)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    char *fn;
+    krb5_error_code ret;
+
+    asprintf(&fn, "%s.db", db->name);
+    if (fn == NULL)
+	return ENOMEM;
+    db->db = dbopen(fn, flags, mode, DB_BTREE, NULL);
+    free(fn);
+    /* try to open without .db extension */
+    if(db->db == NULL && errno == ENOENT)
+	db->db = dbopen(db->name, flags, mode, DB_BTREE, NULL);
+    if(db->db == NULL)
+	return errno;
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_db_create(krb5_context context, HDB **db, 
+	      const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open  = DB_open;
+    (*db)->close = DB_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = DB_firstkey;
+    (*db)->nextkey= DB_nextkey;
+    (*db)->lock = DB_lock;
+    (*db)->unlock = DB_unlock;
+    (*db)->rename = DB_rename;
+    (*db)->_get = DB__get;
+    (*db)->_put = DB__put;
+    (*db)->_del = DB__del;
+    (*db)->destroy = DB_destroy;
+    return 0;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/hdb/hdb-private.h b/crypto/heimdal/lib/hdb/hdb-private.h
new file mode 100644
index 0000000..ce868bd
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-private.h
@@ -0,0 +1,48 @@
+/* This is a generated file */
+#ifndef __hdb_private_h__
+#define __hdb_private_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+krb5_error_code
+_hdb_fetch __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_entry *entry));
+
+krb5_error_code
+_hdb_remove __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *entry));
+
+void
+_hdb_seal_keys_int __P((
+	hdb_entry *ent,
+	int key_version,
+	krb5_data schedule));
+
+krb5_error_code
+_hdb_store __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_entry *entry));
+
+void
+_hdb_unseal_keys_int __P((
+	hdb_entry *ent,
+	int key_version,
+	krb5_data schedule));
+
+#endif /* __hdb_private_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb-protos.h b/crypto/heimdal/lib/hdb/hdb-protos.h
new file mode 100644
index 0000000..e0f15b1
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-protos.h
@@ -0,0 +1,158 @@
+/* This is a generated file */
+#ifndef __hdb_protos_h__
+#define __hdb_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+krb5_error_code
+hdb_check_db_format __P((
+	krb5_context context,
+	HDB *db));
+
+krb5_error_code
+hdb_clear_master_key __P((
+	krb5_context context,
+	HDB *db));
+
+krb5_error_code
+hdb_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_db_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_enctype2key __P((
+	krb5_context context,
+	hdb_entry *e,
+	krb5_enctype enctype,
+	Key **key));
+
+krb5_error_code
+hdb_entry2string __P((
+	krb5_context context,
+	hdb_entry *ent,
+	char **str));
+
+int
+hdb_entry2value __P((
+	krb5_context context,
+	hdb_entry *ent,
+	krb5_data *value));
+
+krb5_error_code
+hdb_foreach __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_foreach_func_t func,
+	void *data));
+
+void
+hdb_free_entry __P((
+	krb5_context context,
+	hdb_entry *ent));
+
+void
+hdb_free_key __P((Key *key));
+
+krb5_error_code
+hdb_init_db __P((
+	krb5_context context,
+	HDB *db));
+
+int
+hdb_key2principal __P((
+	krb5_context context,
+	krb5_data *key,
+	krb5_principal p));
+
+krb5_error_code
+hdb_lock __P((
+	int fd,
+	int operation));
+
+krb5_error_code
+hdb_ndbm_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_next_enctype2key __P((
+	krb5_context context,
+	hdb_entry *e,
+	krb5_enctype enctype,
+	Key **key));
+
+int
+hdb_principal2key __P((
+	krb5_context context,
+	krb5_principal p,
+	krb5_data *key));
+
+krb5_error_code
+hdb_print_entry __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *entry,
+	void *data));
+
+krb5_error_code
+hdb_process_master_key __P((
+	krb5_context context,
+	EncryptionKey key,
+	krb5_data *schedule));
+
+krb5_error_code
+hdb_read_master_key __P((
+	krb5_context context,
+	const char *filename,
+	EncryptionKey *key));
+
+void
+hdb_seal_keys __P((
+	HDB *db,
+	hdb_entry *ent));
+
+krb5_error_code
+hdb_set_master_key __P((
+	krb5_context context,
+	HDB *db,
+	EncryptionKey key));
+
+krb5_error_code
+hdb_set_master_keyfile __P((
+	krb5_context context,
+	HDB *db,
+	const char *keyfile));
+
+krb5_error_code
+hdb_unlock __P((int fd));
+
+void
+hdb_unseal_keys __P((
+	HDB *db,
+	hdb_entry *ent));
+
+int
+hdb_value2entry __P((
+	krb5_context context,
+	krb5_data *value,
+	hdb_entry *ent));
+
+#endif /* __hdb_protos_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb.asn1 b/crypto/heimdal/lib/hdb/hdb.asn1
new file mode 100644
index 0000000..99537d6
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.asn1
@@ -0,0 +1,65 @@
+-- $Id: hdb.asn1,v 1.7 1999/05/03 16:48:52 joda Exp $
+HDB DEFINITIONS ::=
+BEGIN
+
+EncryptionKey EXTERNAL
+KerberosTime EXTERNAL
+Principal EXTERNAL
+
+HDB_DB_FORMAT INTEGER ::= 2	-- format of database, 
+				-- update when making changes
+
+-- these should have the same value as the pa-* counterparts
+hdb-pw-salt	INTEGER	::= 3
+hdb-afs3-salt	INTEGER	::= 10
+
+Salt ::= SEQUENCE {
+	type[0]		INTEGER,
+	salt[1]		OCTET STRING
+}
+
+Key ::= SEQUENCE {
+	mkvno[0]	INTEGER OPTIONAL,	-- master key version number
+	key[1]		EncryptionKey,
+	salt[2]		Salt OPTIONAL
+}
+
+Event ::= SEQUENCE {
+	time[0]		KerberosTime,
+	principal[1]	Principal OPTIONAL
+}
+
+HDBFlags ::= BIT STRING {
+	initial(0),		-- require as-req
+	forwardable(1),		-- may issue forwardable
+	proxiable(2),		-- may issue proxiable
+	renewable(3),		-- may issue renewable
+	postdate(4),		-- may issue postdatable
+	server(5),		-- may be server
+	client(6),		-- may be client
+	invalid(7),		-- entry is invalid
+	require-preauth(8),	-- must use preauth
+	change-pw(9),		-- change password service
+	require-hwauth(10),	-- must use hwauth
+	ok-as-delegate(11),	-- as in TicketFlags
+	user-to-user(12),	-- may use user-to-user auth
+	immutable(13)		-- may not be deleted
+}
+
+hdb_entry ::= SEQUENCE {
+	principal[0]	Principal  OPTIONAL, -- this is optional only 
+					     -- for compatibility with libkrb5
+	kvno[1]		INTEGER,
+	keys[2]		SEQUENCE OF Key,
+	created-by[3]	Event,
+	modified-by[4]	Event OPTIONAL,
+	valid-start[5]	KerberosTime OPTIONAL,
+	valid-end[6]	KerberosTime OPTIONAL,
+	pw-end[7]	KerberosTime OPTIONAL,
+	max-life[8]	INTEGER OPTIONAL,
+	max-renew[9]	INTEGER OPTIONAL,
+	flags[10]	HDBFlags,
+	etypes[11]	SEQUENCE OF INTEGER OPTIONAL
+}
+
+END
diff --git a/crypto/heimdal/lib/hdb/hdb.c b/crypto/heimdal/lib/hdb/hdb.c
new file mode 100644
index 0000000..edf6677
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: hdb.c,v 1.35 1999/12/02 17:05:05 joda Exp $");
+
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
+		     hdb_entry *e,
+		     krb5_enctype enctype,
+		     Key **key)
+{
+    Key *k;
+    
+    for (k = *key ? *key : e->keys.val; 
+	 k < e->keys.val + e->keys.len; 
+	 k++)
+	if(k->key.keytype == enctype){
+	    *key = k;
+	    return 0;
+	}
+    return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
+}
+
+krb5_error_code
+hdb_enctype2key(krb5_context context, 
+		hdb_entry *e, 
+		krb5_enctype enctype, 
+		Key **key)
+{
+    *key = NULL;
+    return hdb_next_enctype2key(context, e, enctype, key);
+}
+
+/* this is a bit ugly, but will get better when the crypto framework
+   gets fixed */
+
+krb5_error_code
+hdb_process_master_key(krb5_context context, EncryptionKey key, 
+		       krb5_data *schedule)
+{
+    krb5_error_code ret;
+
+    if(key.keytype != ETYPE_DES_CBC_MD5)
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+
+    ret = krb5_data_alloc (schedule, sizeof(des_key_schedule));
+    if (ret)
+	return ret;
+
+    des_set_key((des_cblock*)key.keyvalue.data, schedule->data);
+    return 0;
+}
+
+krb5_error_code
+hdb_read_master_key(krb5_context context, const char *filename, 
+		    EncryptionKey *key)
+{
+    FILE *f;
+    unsigned char buf[256];
+    size_t len;
+    krb5_error_code ret;
+    if(filename == NULL)
+	filename = HDB_DB_DIR "/m-key";
+    f = fopen(filename, "r");
+    if(f == NULL)
+	return errno;
+    len = fread(buf, 1, sizeof(buf), f);
+    if(ferror(f))
+	ret = errno;
+    else
+	ret = decode_EncryptionKey(buf, len, key, &len);
+    fclose(f);
+    memset(buf, 0, sizeof(buf));
+    return ret;
+}
+
+void
+_hdb_unseal_keys_int(hdb_entry *ent, int key_version, krb5_data schedule)
+{
+    int i;
+    for(i = 0; i < ent->keys.len; i++){
+	des_cblock iv;
+	int num = 0;
+	if(ent->keys.val[i].mkvno == NULL)
+	    continue;
+	if(*ent->keys.val[i].mkvno != key_version)
+	    ;
+	memset(&iv, 0, sizeof(iv));
+	
+	des_cfb64_encrypt(ent->keys.val[i].key.keyvalue.data, 
+			  ent->keys.val[i].key.keyvalue.data, 
+			  ent->keys.val[i].key.keyvalue.length, 
+			  schedule.data, &iv, &num, 0);
+	free(ent->keys.val[i].mkvno);
+	ent->keys.val[i].mkvno = NULL;
+    }
+}
+
+void
+hdb_unseal_keys(HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return;
+    _hdb_unseal_keys_int(ent, db->master_key_version, db->master_key);
+}
+
+void
+_hdb_seal_keys_int(hdb_entry *ent, int key_version, krb5_data schedule)
+{
+    int i;
+    for(i = 0; i < ent->keys.len; i++){
+	des_cblock iv;
+	int num = 0;
+
+	if(ent->keys.val[i].mkvno != NULL)
+	    continue;
+	memset(&iv, 0, sizeof(iv));
+	des_cfb64_encrypt(ent->keys.val[i].key.keyvalue.data, 
+			  ent->keys.val[i].key.keyvalue.data, 
+			  ent->keys.val[i].key.keyvalue.length, 
+			  schedule.data, &iv, &num, 1);
+	ent->keys.val[i].mkvno = malloc(sizeof(*ent->keys.val[i].mkvno));
+	*ent->keys.val[i].mkvno = key_version;
+    }
+}
+
+void
+hdb_seal_keys(HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return;
+    
+    _hdb_seal_keys_int(ent, db->master_key_version, db->master_key);
+}
+
+void
+hdb_free_key(Key *key)
+{
+    memset(key->key.keyvalue.data, 
+	   0,
+	   key->key.keyvalue.length);
+    free_Key(key);
+    free(key);
+}
+
+
+krb5_error_code
+hdb_lock(int fd, int operation)
+{
+    int i, code;
+    for(i = 0; i < 3; i++){
+	code = flock(fd, (operation == HDB_RLOCK ? LOCK_SH : LOCK_EX) | LOCK_NB);
+	if(code == 0 || errno != EWOULDBLOCK)
+	    break;
+	sleep(1);
+    }
+    if(code == 0)
+	return 0;
+    if(errno == EWOULDBLOCK)
+	return HDB_ERR_DB_INUSE;
+    return HDB_ERR_CANT_LOCK_DB;
+}
+
+krb5_error_code
+hdb_unlock(int fd)
+{
+    int code;
+    code = flock(fd, LOCK_UN);
+    if(code)
+	return 4711 /* XXX */;
+    return 0;
+}
+
+void
+hdb_free_entry(krb5_context context, hdb_entry *ent)
+{
+    int i;
+
+    for(i = 0; i < ent->keys.len; ++i) {
+	Key *k = &ent->keys.val[i];
+
+	memset (k->key.keyvalue.data, 0, k->key.keyvalue.length);
+    }
+    free_hdb_entry(ent);
+}
+
+krb5_error_code
+hdb_foreach(krb5_context context,
+	    HDB *db,
+	    unsigned flags,
+	    hdb_foreach_func_t func,
+	    void *data)
+{
+    krb5_error_code ret;
+    hdb_entry entry;
+    ret = db->firstkey(context, db, flags, &entry);
+    while(ret == 0){
+	ret = (*func)(context, db, &entry, data);
+	hdb_free_entry(context, &entry);
+	if(ret == 0)
+	    ret = db->nextkey(context, db, flags, &entry);
+    }
+    if(ret == HDB_ERR_NOENTRY)
+	ret = 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_check_db_format(krb5_context context, HDB *db)
+{
+    krb5_data tag;
+    krb5_data version;
+    krb5_error_code ret;
+    unsigned ver;
+    int foo;
+
+    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.length = strlen(tag.data);
+    ret = (*db->_get)(context, db, tag, &version);
+    if(ret)
+	return ret;
+    foo = sscanf(version.data, "%u", &ver);
+    krb5_data_free (&version);
+    if (foo != 1)
+	return HDB_ERR_BADVERSION;
+    if(ver != HDB_DB_FORMAT)
+	return HDB_ERR_BADVERSION;
+    return 0;
+}
+
+krb5_error_code
+hdb_init_db(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+    krb5_data tag;
+    krb5_data version;
+    char ver[32];
+    
+    ret = hdb_check_db_format(context, db);
+    if(ret != HDB_ERR_NOENTRY)
+	return ret;
+    
+    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.length = strlen(tag.data);
+    snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
+    version.data = ver;
+    version.length = strlen(version.data) + 1; /* zero terminated */
+    ret = (*db->_put)(context, db, 0, tag, version);
+    return ret;
+}
+
+krb5_error_code
+hdb_create(krb5_context context, HDB **db, const char *filename)
+{
+    krb5_error_code ret = 0;
+    if(filename == NULL)
+	filename = HDB_DEFAULT_DB;
+    initialize_hdb_error_table_r(&context->et_list);
+#ifdef HAVE_DB_H
+    ret = hdb_db_create(context, db, filename);
+#elif HAVE_NDBM_H
+    ret = hdb_ndbm_create(context, db, filename);
+#else
+    krb5_errx(context, 1, "No database support! (hdb_create)");
+#endif
+    return ret;
+}
+
+krb5_error_code
+hdb_set_master_key (krb5_context context,
+		    HDB *db,
+		    EncryptionKey key)
+{
+    krb5_error_code ret;
+
+    ret = hdb_process_master_key(context, key, &db->master_key);
+    if (ret)
+	return ret;
+#if 0 /* XXX - why? */
+    des_set_random_generator_seed(key.keyvalue.data);
+#endif
+    db->master_key_set = 1;
+    db->master_key_version = 0; /* XXX */
+    return 0;
+}
+
+krb5_error_code
+hdb_set_master_keyfile (krb5_context context,
+			HDB *db,
+			const char *keyfile)
+{
+    EncryptionKey key;
+    krb5_error_code ret;
+
+    ret = hdb_read_master_key(context, keyfile, &key);
+    if (ret) {
+	if (ret != ENOENT)
+	    return ret;
+	return 0;
+    }
+    ret = hdb_set_master_key(context, db, key);
+    memset(key.keyvalue.data, 0, key.keyvalue.length);
+    free_EncryptionKey(&key);
+    return ret;
+}
+
+krb5_error_code
+hdb_clear_master_key (krb5_context context,
+		      HDB *db)
+{
+    if (db->master_key_set) {
+	memset(db->master_key.data, 0, db->master_key.length);
+	krb5_data_free(&db->master_key);
+	db->master_key_set = 0;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/hdb.h b/crypto/heimdal/lib/hdb/hdb.h
new file mode 100644
index 0000000..f4cb001
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hdb.h,v 1.26 1999/12/02 17:05:05 joda Exp $ */
+
+#ifndef __HDB_H__
+#define __HDB_H__
+
+#include <hdb_err.h>
+
+#include <hdb_asn1.h>
+
+enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
+
+/* flags for various functions */
+#define HDB_F_DECRYPT	1 /* decrypt keys */
+#define HDB_F_REPLACE	2 /* replace entry */
+
+typedef struct HDB{
+    void *db;
+    char *name;
+    int master_key_set;
+    krb5_data master_key;
+    int master_key_version;
+    int openp;
+
+    krb5_error_code (*open)(krb5_context, struct HDB*, int, mode_t);
+    krb5_error_code (*close)(krb5_context, struct HDB*);
+    krb5_error_code (*fetch)(krb5_context, struct HDB*, unsigned, hdb_entry*);
+    krb5_error_code (*store)(krb5_context, struct HDB*, unsigned, hdb_entry*);
+    krb5_error_code (*remove)(krb5_context, struct HDB*, hdb_entry*);
+    krb5_error_code (*firstkey)(krb5_context, struct HDB*, 
+				unsigned, hdb_entry*);
+    krb5_error_code (*nextkey)(krb5_context, struct HDB*, 
+			       unsigned, hdb_entry*);
+    krb5_error_code (*lock)(krb5_context, struct HDB*, int operation);
+    krb5_error_code (*unlock)(krb5_context, struct HDB*);
+    krb5_error_code (*rename)(krb5_context, struct HDB*, const char*);
+    krb5_error_code (*_get)(krb5_context, struct HDB*, krb5_data, krb5_data*);
+    krb5_error_code (*_put)(krb5_context, struct HDB*, int, 
+			    krb5_data, krb5_data);
+    krb5_error_code (*_del)(krb5_context, struct HDB*, krb5_data);
+    krb5_error_code (*destroy)(krb5_context, struct HDB*);
+}HDB;
+
+#define HDB_DB_DIR "/var/heimdal"
+#define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal"
+#define HDB_DB_FORMAT_ENTRY "hdb/db-format"
+
+typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
+					      hdb_entry*, void*);
+extern krb5_kt_ops hdb_kt_ops;
+
+#include <hdb-protos.h>
+
+#endif /* __HDB_H__ */
diff --git a/crypto/heimdal/lib/hdb/hdb_err.et b/crypto/heimdal/lib/hdb/hdb_err.et
new file mode 100644
index 0000000..a08a2d4
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb_err.et
@@ -0,0 +1,26 @@
+#
+# Error messages for the hdb library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: hdb_err.et,v 1.4 1998/02/16 16:29:15 joda Exp $"
+
+error_table hdb
+
+prefix HDB_ERR
+
+index 1
+#error_code INUSE,		"Entry already exists in database"
+error_code UK_SERROR,		"Database store error"
+error_code UK_RERROR,		"Database read error"
+error_code NOENTRY,		"No such entry in the database"
+error_code DB_INUSE,		"Database is locked or in use--try again later"
+error_code DB_CHANGED,		"Database was modified during read"
+error_code RECURSIVELOCK,	"Attempt to lock database twice"
+error_code NOTLOCKED,		"Attempt to unlock database when not locked"
+error_code BADLOCKMODE,		"Invalid kdb lock mode"
+error_code CANT_LOCK_DB,	"Insufficient access to lock database"
+error_code EXISTS,		"Entry already exists in database"
+error_code BADVERSION,		"Wrong database version"
+
+end
diff --git a/crypto/heimdal/lib/hdb/hdb_locl.h b/crypto/heimdal/lib/hdb/hdb_locl.h
new file mode 100644
index 0000000..2ce6be7
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb_locl.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hdb_locl.h,v 1.13 2000/02/06 05:17:05 assar Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __HDB_LOCL_H__
+#define __HDB_LOCL_H__
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#include <roken.h>
+
+#include <openssl/des.h>
+#include <krb5.h>
+#include <hdb.h>
+#include <hdb-private.h>
+
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+
+#ifdef HAVE_NDBM_H
+#include <ndbm.h>
+#endif
+
+int hdb_principal2key(krb5_context, krb5_principal, krb5_data*);
+int hdb_key2principal(krb5_context, krb5_data*, krb5_principal);
+
+krb5_error_code hdb_lock(int, int);
+krb5_error_code hdb_unlock(int);
+
+krb5_error_code _hdb_fetch(krb5_context, HDB*, unsigned, hdb_entry*);
+krb5_error_code _hdb_store(krb5_context, HDB*, unsigned, hdb_entry*);
+krb5_error_code _hdb_remove(krb5_context, HDB*, hdb_entry*);
+
+#endif /* __HDB_LOCL_H__ */
diff --git a/crypto/heimdal/lib/hdb/keytab.c b/crypto/heimdal/lib/hdb/keytab.c
new file mode 100644
index 0000000..d9be75d
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/keytab.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+/* keytab backend for HDB databases */
+
+RCSID("$Id: keytab.c,v 1.2 1999/08/26 13:24:05 joda Exp $");
+
+struct hdb_data {
+    char *dbname;
+    char *mkey;
+    HDB *db;
+};
+
+static krb5_error_code
+hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    krb5_error_code ret;
+    struct hdb_data *d;
+    const char *db, *mkey;
+    d = malloc(sizeof(*d));
+    if(d == NULL)
+	return ENOMEM;
+    db = name;
+    mkey = strchr(name, ':');
+    if(mkey == NULL || mkey[1] == '\0') {
+	if(*name == '\0')
+	    d->dbname = NULL;
+	else {
+	    d->dbname = strdup(name);
+	    if(d->dbname == NULL) {
+		free(d);
+		return ENOMEM;
+	    }
+	}
+	d->mkey = NULL;
+    } else {
+	if((mkey - db) == 0) {
+	    d->dbname = NULL;
+	} else {
+	    d->dbname = malloc(mkey - db);
+	    if(d->dbname == NULL) {
+		free(d);
+		return ENOMEM;
+	    }
+	    strncpy(d->dbname, db, mkey - db);
+	    d->dbname[mkey - db] = '\0';
+	}
+	d->mkey = strdup(mkey + 1);
+	if(d->mkey == NULL) {
+	    free(d->dbname);
+	    free(d);
+	    return ENOMEM;
+	}
+    }
+    ret = hdb_create(context, &d->db, d->dbname);
+    if(ret) {
+	free(d->dbname);
+	free(d->mkey);
+	free(d);
+	return ret;
+    }
+    ret = hdb_set_master_keyfile (context, d->db, d->mkey);
+    if(ret) {
+	(*d->db->destroy)(context, d->db);
+	free(d->dbname);
+	free(d->mkey);
+	free(d);
+	return ret;
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+hdb_close(krb5_context context, krb5_keytab id)
+{
+    struct hdb_data *d = id->data;
+    (*d->db->destroy)(context, d->db);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+hdb_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    struct hdb_data *d = id->data;
+    snprintf(name, namesize, "%s%s%s", 
+	     d->dbname ? d->dbname : "",
+	     (d->dbname || d->mkey) ? ":" : "",
+	     d->mkey ? d->mkey : "");
+    return 0;
+}
+
+static krb5_error_code
+hdb_get_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_const_principal principal,
+	      krb5_kvno kvno,
+	      krb5_enctype enctype,
+	      krb5_keytab_entry *entry)
+{
+    hdb_entry ent;
+    krb5_error_code ret;
+    struct hdb_data *d = id->data;
+    int i;
+
+    ret = (*d->db->open)(context, d->db, O_RDONLY, 0);
+    if (ret)
+	return ret;
+    ent.principal = (krb5_principal)principal;
+    ret = (*d->db->fetch)(context, d->db, HDB_F_DECRYPT, &ent);
+    (*d->db->close)(context, d->db);
+    if(ret == HDB_ERR_NOENTRY)
+	return KRB5_KT_NOTFOUND;
+    else if(ret)
+	return ret;
+    if(kvno && ent.kvno != kvno) {
+	hdb_free_entry(context, &ent);
+ 	return KRB5_KT_NOTFOUND;
+    }
+    if(enctype == 0)
+	if(ent.keys.len > 0)
+	    enctype = ent.keys.val[0].key.keytype;
+    ret = KRB5_KT_NOTFOUND;
+    for(i = 0; i < ent.keys.len; i++) {
+	if(ent.keys.val[i].key.keytype == enctype) {
+	    krb5_copy_principal(context, principal, &entry->principal);
+	    entry->vno = ent.kvno;
+	    krb5_copy_keyblock_contents(context, 
+					&ent.keys.val[i].key, 
+					&entry->keyblock);
+	    ret = 0;
+	    break;
+	}
+    }
+    hdb_free_entry(context, &ent);
+    return ret;
+}
+
+krb5_kt_ops hdb_kt_ops = {
+    "HDB",
+    hdb_resolve,
+    hdb_get_name,
+    hdb_close,
+    hdb_get_entry,
+    NULL,		/* start_seq_get */
+    NULL,		/* next_entry */
+    NULL,		/* end_seq_get */
+    NULL,		/* add */
+    NULL		/* remove */
+};
+
diff --git a/crypto/heimdal/lib/hdb/libasn1.h b/crypto/heimdal/lib/hdb/libasn1.h
new file mode 100644
index 0000000..03d951a
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/libasn1.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: libasn1.h,v 1.4 1999/12/02 17:05:05 joda Exp $ */
+
+#ifndef __LIBASN1_H__
+#define __LIBASN1_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include <asn1.h>
+#include <der.h>
+#include "hdb_asn1.h"
+#include <asn1_err.h>
+#include <parse_units.h>
+
+#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/hdb/ndbm.c b/crypto/heimdal/lib/hdb/ndbm.c
new file mode 100644
index 0000000..79ca978
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/ndbm.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: ndbm.c,v 1.26 1999/12/02 17:05:05 joda Exp $");
+
+#ifdef HAVE_NDBM_H
+
+struct ndbm_db {
+    DBM *db;
+    int lock_fd;
+};
+
+static krb5_error_code
+NDBM_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return 0;
+}
+
+static krb5_error_code
+NDBM_lock(krb5_context context, HDB *db, int operation)
+{
+    struct ndbm_db *d = db->db;
+    return hdb_lock(d->lock_fd, operation);
+}
+
+static krb5_error_code
+NDBM_unlock(krb5_context context, HDB *db)
+{
+    struct ndbm_db *d = db->db;
+    return hdb_unlock(d->lock_fd);
+}
+
+static krb5_error_code
+NDBM_seq(krb5_context context, HDB *db, 
+	 unsigned flags, hdb_entry *entry, int first)
+
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum key, value;
+    krb5_data key_data, data;
+    krb5_error_code ret;
+
+    if(first)
+	key = dbm_firstkey(d->db);
+    else
+	key = dbm_nextkey(d->db);
+    if(key.dptr == NULL)
+	return HDB_ERR_NOENTRY;
+    key_data.data = key.dptr;
+    key_data.length = key.dsize;
+    ret = db->lock(context, db, HDB_RLOCK);
+    if(ret) return ret;
+    value = dbm_fetch(d->db, key);
+    db->unlock(context, db);
+    data.data = value.dptr;
+    data.length = value.dsize;
+    if(hdb_value2entry(context, &data, entry))
+	return NDBM_seq(context, db, flags, entry, 0);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT))
+	hdb_unseal_keys (db, entry);
+    if (entry->principal == NULL) {
+	entry->principal = malloc (sizeof(*entry->principal));
+	hdb_key2principal (context, &key_data, entry->principal);
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+NDBM_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return NDBM_seq(context, db, flags, entry, 1);
+}
+
+
+static krb5_error_code
+NDBM_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return NDBM_seq(context, db, flags, entry, 0);
+}
+
+static krb5_error_code
+NDBM_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    /* XXX this function will break */
+    struct ndbm_db *d = db->db;
+
+    int ret;
+    char *old_dir, *old_pag, *new_dir, *new_pag;
+    char *new_lock;
+    int lock_fd;
+
+    /* lock old and new databases */
+    ret = db->lock(context, db, HDB_WLOCK);
+    if(ret) return ret;
+    asprintf(&new_lock, "%s.lock", new_name);
+    lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600);
+    free(new_lock);
+    if(lock_fd < 0) {
+	ret = errno;
+	db->unlock(context, db);
+	return ret;
+    }
+    ret = hdb_lock(lock_fd, HDB_WLOCK);
+    if(ret) {
+	db->unlock(context, db);
+	close(lock_fd);
+	return ret;
+    }
+
+    asprintf(&old_dir, "%s.dir", db->name);
+    asprintf(&old_pag, "%s.pag", db->name);
+    asprintf(&new_dir, "%s.dir", new_name);
+    asprintf(&new_pag, "%s.pag", new_name);
+
+    ret = rename(old_dir, new_dir) || rename(old_pag, new_pag);
+    free(old_dir);
+    free(old_pag);
+    free(new_dir);
+    free(new_pag);
+    hdb_unlock(lock_fd);
+    db->unlock(context, db);
+
+    if(ret) {
+	close(lock_fd);
+	return errno;
+    }
+
+    close(d->lock_fd);
+    d->lock_fd = lock_fd;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+NDBM__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k, v;
+    int code;
+
+    k.dptr  = key.data;
+    k.dsize = key.length;
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code)
+	return code;
+    v = dbm_fetch(d->db, k);
+    db->unlock(context, db);
+    if(v.dptr == NULL)
+	return HDB_ERR_NOENTRY;
+
+    krb5_data_copy(reply, v.dptr, v.dsize);
+    return 0;
+}
+
+static krb5_error_code
+NDBM__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k, v;
+    int code;
+
+    k.dptr  = key.data;
+    k.dsize = key.length;
+    v.dptr  = value.data;
+    v.dsize = value.length;
+
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = dbm_store(d->db, k, v, replace ? DBM_REPLACE : DBM_INSERT);
+    db->unlock(context, db);
+    if(code == 1)
+	return HDB_ERR_EXISTS;
+    if (code < 0)
+	return code;
+    return 0;
+}
+
+static krb5_error_code
+NDBM__del(krb5_context context, HDB *db, krb5_data key)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k;
+    int code;
+    krb5_error_code ret;
+
+    k.dptr = key.data;
+    k.dsize = key.length;
+    ret = db->lock(context, db, HDB_WLOCK);
+    if(ret) return ret;
+    code = dbm_delete(d->db, k);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    krb5_error_code ret;
+    struct ndbm_db *d = malloc(sizeof(*d));
+    char *lock_file;
+
+    if(d == NULL)
+	return ENOMEM;
+    asprintf(&lock_file, "%s.lock", (char*)db->name);
+    if(lock_file == NULL) {
+	free(d);
+	return ENOMEM;
+    }
+    d->db = dbm_open((char*)db->name, flags, mode);
+    if(d->db == NULL){
+	free(d);
+	free(lock_file);
+	return errno;
+    }
+    d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600);
+    free(lock_file);
+    if(d->lock_fd < 0){
+	dbm_close(d->db);
+	free(d);
+	return errno;
+    }
+    db->db = d;
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+static krb5_error_code
+NDBM_close(krb5_context context, HDB *db)
+{
+    struct ndbm_db *d = db->db;
+    dbm_close(d->db);
+    close(d->lock_fd);
+    free(d);
+    return 0;
+}
+
+krb5_error_code
+hdb_ndbm_create(krb5_context context, HDB **db, 
+		const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open = NDBM_open;
+    (*db)->close = NDBM_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = NDBM_firstkey;
+    (*db)->nextkey= NDBM_nextkey;
+    (*db)->lock = NDBM_lock;
+    (*db)->unlock = NDBM_unlock;
+    (*db)->rename = NDBM_rename;
+    (*db)->_get = NDBM__get;
+    (*db)->_put = NDBM__put;
+    (*db)->_del = NDBM__del;
+    (*db)->destroy = NDBM_destroy;
+    return 0;
+}
+
+
+#endif
diff --git a/crypto/heimdal/lib/hdb/print.c b/crypto/heimdal/lib/hdb/print.c
new file mode 100644
index 0000000..5db3166
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/print.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "hdb_locl.h"
+#include <ctype.h>
+
+RCSID("$Id: print.c,v 1.4 1999/12/26 13:50:22 assar Exp $");
+
+/* 
+   This is the present contents of a dump line. This might change at
+   any time. Fields are separated by white space.
+
+  principal
+  keyblock
+  	kvno
+	keys...
+		mkvno
+		enctype
+		keyvalue
+		salt (- means use normal salt)
+  creation date and principal
+  modification date and principal
+  principal valid from date (not used)
+  principal valid end date (not used)
+  principal key expires (not used)
+  max ticket life
+  max renewable life
+  flags
+  */
+
+static void
+append_hex(char *str, krb5_data *data)
+{
+    int i, s = 1;
+    char *p;
+
+    p = data->data;
+    for(i = 0; i < data->length; i++)
+	if(!isalnum((unsigned char)p[i]) && p[i] != '.'){
+	    s = 0;
+	    break;
+	}
+    if(s){
+	p = calloc(1, data->length + 2 + 1);
+	p[0] = '\"';
+	p[data->length + 1] = '\"';
+	memcpy(p + 1, data->data, data->length);
+    }else{
+	p = calloc(1, data->length * 2 + 1);
+	for(i = 0; i < data->length; i++)
+	    sprintf(p + 2 * i, "%02x", ((u_char*)data->data)[i]);
+    }
+    strcat(str, p);
+    free(p);
+}
+
+static char *
+time2str(time_t t)
+{
+    static char buf[128];
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M%S", gmtime(&t));
+    return buf;
+}
+
+static krb5_error_code
+event2string(krb5_context context, Event *ev, char **str)
+{
+    char *p;
+    char *pr;
+    krb5_error_code ret;
+    if(ev == NULL){
+	*str = strdup("-");
+	return (*str == NULL) ? ENOMEM : 0;
+    }
+    if (ev->principal == NULL) {
+       pr = strdup("UNKNOWN");
+       if (pr == NULL)
+	   return ENOMEM;
+    } else {
+       ret = krb5_unparse_name(context, ev->principal, &pr);
+       if(ret)
+           return ret;
+    }
+    ret = asprintf(&p, "%s:%s", time2str(ev->time), pr);
+    free(pr);
+    if(ret < 0)
+	return ENOMEM;
+    *str = p;
+    return 0;
+}
+
+krb5_error_code
+hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
+{
+    char *p;
+    char buf[1024] = "";
+    int i;
+    krb5_error_code ret;
+
+    /* --- principal */
+    ret = krb5_unparse_name(context, ent->principal, &p);
+    if(ret)
+	return ret;
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+    /* --- kvno */
+    asprintf(&p, "%d", ent->kvno);
+    strlcat(buf, p, sizeof(buf));
+    free(p);
+    /* --- keys */
+    for(i = 0; i < ent->keys.len; i++){
+	/* --- mkvno, keytype */
+	if(ent->keys.val[i].mkvno)
+	    asprintf(&p, ":%d:%d:", 
+		     *ent->keys.val[i].mkvno, 
+		     ent->keys.val[i].key.keytype);
+	else
+	    asprintf(&p, "::%d:", 
+		     ent->keys.val[i].key.keytype);
+	strlcat(buf, p, sizeof(buf));
+	free(p);
+	/* --- keydata */
+	append_hex(buf, &ent->keys.val[i].key.keyvalue);
+	strlcat(buf, ":", sizeof(buf));
+	/* --- salt */
+	if(ent->keys.val[i].salt){
+	    asprintf(&p, "%u/", ent->keys.val[i].salt->type);
+	    strlcat(buf, p, sizeof(buf));
+	    free(p);
+	    append_hex(buf, &ent->keys.val[i].salt->salt);
+	}else
+	    strlcat(buf, "-", sizeof(buf));
+    }
+    strlcat(buf, " ", sizeof(buf));
+    /* --- created by */
+    event2string(context, &ent->created_by, &p);
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+    /* --- modified by */
+    event2string(context, ent->modified_by, &p);
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+
+    /* --- valid start */
+    if(ent->valid_start)
+	strlcat(buf, time2str(*ent->valid_start), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- valid end */
+    if(ent->valid_end)
+	strlcat(buf, time2str(*ent->valid_end), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    
+    /* --- password ends */
+    if(ent->pw_end)
+	strlcat(buf, time2str(*ent->pw_end), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- max life */
+    if(ent->max_life){
+	asprintf(&p, "%d", *ent->max_life);
+	strlcat(buf, p, sizeof(buf));
+	free(p);
+    }else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- max renewable life */
+    if(ent->max_renew){
+	asprintf(&p, "%d", *ent->max_renew);
+	strlcat(buf, p, sizeof(buf));
+	free(p);
+    }else
+	strlcat(buf, "-", sizeof(buf));
+    
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- flags */
+    asprintf(&p, "%d", HDBFlags2int(ent->flags));
+    strlcat(buf, p, sizeof(buf));
+    free(p);
+
+    *str = strdup(buf);
+    
+    return 0;
+}
+
+/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
+
+krb5_error_code
+hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    char *p;
+    hdb_entry2string(context, entry, &p);
+    fprintf((FILE*)data, "%s\n", p);
+    free(p);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ChangeLog b/crypto/heimdal/lib/kadm5/ChangeLog
new file mode 100644
index 0000000..f5a6ee4
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ChangeLog
@@ -0,0 +1,315 @@
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 4:2:0
+
+2000-01-28  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_new_cache): make sure to request non-forwardable,
+	non-proxiable
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv.la): bump version to 5:1:0
+
+	* context_s.c (_kadm5_s_init_context): handle params == NULL
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* get_s.c (kadm5_s_get_principal): handle modified_by->principal
+ 	== NULL
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): bump version to 4:1:0
+
+	* init_c.c (_kadm5_c_init_context): handle getting back port
+ 	number from admin host
+	(kadm5_c_init_with_context): remove `proto/' part before doing
+	getaddrinfo()
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 5:0:0 and 4:0:0
+
+	* init_c.c (kadm5_c_init_with_context): don't use unitialized
+ 	stuff
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* replay_log.c: adapt to changed kadm5_log_foreach
+
+	* log.c (kadm5_log_foreach): change to take a
+ 	`kadm5_server_context'
+
+	* init_c.c: use krb5_warn{,x}
+
+	* dump_log.c: adapt to changed kadm5_log_foreach
+
+	* init_c.c: re-write to use getaddrinfo
+	* Makefile.am (install-build-headers): add dependency
+	
+1999-12-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* log.c (kadm5_log_foreach): pass context
+
+	* dump_log.c: print more interesting things
+
+1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_master.c (process_msg): check for short reads
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* modify_s.c (kadm5_s_modify_principal): support key_data
+	(kadm5_s_modify_principal_with_key): remove
+
+	* admin.h (kadm5_s_modify_principal_with_key): remove
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (find_db_spec): ugly cast work-around.
+
+1999-11-14  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (_kadm5_s_init_context): call krb5_add_et_list so
+ 	that we aren't dependent on the layout of krb5_context_data
+	* init_c.c (_kadm5_c_init_context): call krb5_add_et_list so that
+ 	we aren't dependent on the layout of krb5_context_data
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* password_quality.c (kadm5_setup_passwd_quality_check): use
+	correct types for function pointers
+	
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* randkey_s.c: always bail out if the fetch fails
+
+	* admin.h (kadm5_config_params): remove fields we're not using
+
+	* ipropd_slave.c: allow passing a realm
+
+	* ipropd_master.c: allow passing a realm
+
+	* dump_log.c: allow passing a realm
+
+	* acl.c: correctly get acl file
+
+	* private.h (kadm5_server_context): add config_params struct and
+	remove acl_file; bump protocol version number
+
+	* marshall.c: marshalling of config parameters
+
+	* init_c.c (kadm5_c_init_with_context): try to cope with old
+	servers
+
+	* init_s.c (kadm5_s_init_with_context): actually use some passed
+	values
+
+	* context_s.c (_kadm5_s_init_context): get dbname, acl_file, and
+	stash_file from the config parameters, try to figure out these if
+	they're not provided
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (install-build-headers): use `cp' instead of
+ 	INSTALL_DATA
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:0:0 and 3:0:0 (they access fields
+ 	directly in libkrb5's context - bad functions)
+
+	* set_keys.c (_kadm5_set_keys_randomly): set enctypes correctly in
+ 	the copied keys
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version of kadm5srv to 3:0:2 (new password
+ 	quality functions).
+ 	set version of kdam5clnt to 2:1:1 (no interface changes)
+
+	* Makefile.am (LDADD): add $(LIB_dlopen)
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* randkey_s.c (kadm5_s_randkey_principal): use
+ 	_kadm5_set_keys_randomly
+
+	* set_keys.c (free_keys): free more memory
+	(_kadm5_set_keys): a little bit more generic
+	(_kadm5_set_keys_randomly): new function for setting random keys.
+
+1999-10-14  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys): ignore old keys when setting new
+ 	ones and always add 3 DES keys and one 3DES key
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (_kadm5_c_init_context): use `krb5_get_krb_admin_hst'.
+  	check return value from strdup
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* acl.c (_kadm5_privs_to_string): forgot one strcpy_truncate ->
+ 	strlcpy
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* dump_log.c: remove unused `optind'
+
+	* replay_log.c: remove unused `optind'
+
+1999-09-13  Assar Westerlund  <assar@sics.se>
+
+	* chpass_c.c (kadm5_c_chpass_principal): new _kadm5_client_recv
+
+	* send_recv.c (_kadm5_client_recv): return result in a `krb5_data'
+ 	so that we avoid copying it and don't need to dimension in
+ 	advance.  change all callers.
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* password_quality.c: new file
+
+	* admin.h
+ 	(kadm5_setup_passwd_quality_check,kadm5_check_password_quality):
+ 	add prototypes
+
+	* Makefile.am (S_SOURCES): add password_quality.c
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: update versions to 2:0:1
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* ent_setup.c (_kadm5_setup_entry): make princ_expire_time == 0
+ 	and pw_expiration == 0 mean never
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* log.c (kadm5_log_flush): extra cast
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* marshall.c (store_principal_ent): encoding princ_expire_time and
+ 	pw_expiration in correct order
+
+1999-06-28  Assar Westerlund  <assar@sics.se>
+
+	* randkey_s.c (kadm5_s_randkey_principal): nuke old mkvno,
+ 	otherwise hdb will think that the new random keys are already
+ 	encrypted which will cause lots of confusion later.
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* ent_setup.c (_kadm5_setup_entry): handle 0 == unlimited
+ 	correctly.  From Michal Vocu <michal@karlin.mff.cuni.cz>
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_cred_cache): use get_default_username
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* create_s.c (create_principal): if there's no default entry the
+	mask should be zero.
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_cred_cache): use $USERNAME
+
+1999-05-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* init_c.c (get_cred_cache): figure out principal
+
+1999-05-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* send_recv.c: cleanup _kadm5_client_{send,recv}
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys2): don't check the recently created
+ 	memory for NULL pointers
+
+	* private.h (_kadm5_setup_entry): change prototype
+
+	* modify_s.c: call new _kadm5_setup_entry
+
+	* ent_setup.c (_kadm5_setup_entry): change so that it takes three
+ 	masks, one for what bits to set and one for each of principal and
+ 	def containing the bits that are set there.
+
+	* create_s.c: call new _kadm5_setup_entry
+
+	* create_s.c (get_default): check return value
+	(create_principal): send wider mask to _kadm5_setup_entry
+
+1999-05-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* send_recv.c (_kadm5_client_recv): handle arbitrarily sized
+	packets, check for errors
+
+	* get_c.c: check for failure from _kadm5_client_{send,recv}
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_new_cache): don't abort when interrupted from
+ 	password prompt
+	
+	* destroy_c.c (kadm5_c_destroy): check if we should destroy the
+ 	auth context
+
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* chpass_s.c: fix arguments to _kadm5_set_keys2
+
+	* private.h: proto
+
+	* set_keys.c: clear mkvno
+
+	* rename_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* randkey_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* modify_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* log.c: add flags to fetch and store; seal keys before logging
+
+	* get_s.c: add flags to fetch and store; seal keys before logging
+
+	* get_princs_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* delete_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* create_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* chpass_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* Makefile.am: remove server.c
+
+	* admin.h: add prototypes
+
+	* ent_setup.c (_kadm5_setup_entry): set key_data
+
+	* set_keys.c: add _kadm5_set_keys2 to sey keys from key_data
+
+	* modify_s.c: add kadm5_s_modify_principal_with_key
+
+	* create_s.c: add kadm5_s_create_principal_with_key
+
+	* chpass_s.c: add kadm5_s_chpass_principal_with_key
+
+	* kadm5_locl.h: move stuff to private.h
+
+	* private.h: move stuff from kadm5_locl.h
+	
\ No newline at end of file
diff --git a/crypto/heimdal/lib/kadm5/Makefile.am b/crypto/heimdal/lib/kadm5/Makefile.am
new file mode 100644
index 0000000..89399d4
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/Makefile.am
@@ -0,0 +1,110 @@
+# $Id: Makefile.am,v 1.33 2000/02/07 03:37:27 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
+libkadm5srv_la_LDFLAGS = -version-info 5:1:0
+libkadm5clnt_la_LDFLAGS = -version-info 4:2:0
+sbin_PROGRAMS = dump_log replay_log
+
+libexec_PROGRAMS = ipropd-master ipropd-slave
+
+kadm5includedir = $(includedir)/kadm5
+buildkadm5include = $(buildinclude)/kadm5
+
+kadm5include_HEADERS = kadm5_err.h admin.h private.h
+
+install-build-headers:: $(kadm5include_HEADERS)
+	@foo='$(kadm5include_HEADERS)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildkadm5include)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo "cp $$file $(buildkadm5include)/$$f";\
+			cp $$file $(buildkadm5include)/$$f; \
+		fi ; \
+	done
+
+C_SOURCES =		\
+	admin.h		\
+	chpass_c.c	\
+	common_glue.c	\
+	create_c.c	\
+	delete_c.c	\
+	destroy_c.c	\
+	flush_c.c	\
+	free.c		\
+	get_c.c		\
+	get_princs_c.c	\
+	init_c.c	\
+	kadm5_err.c	\
+	kadm5_locl.h	\
+	marshall.c	\
+	modify_c.c	\
+	private.h	\
+	privs_c.c	\
+	randkey_c.c	\
+	rename_c.c	\
+	send_recv.c
+
+S_SOURCES =		\
+	acl.c		\
+	admin.h		\
+	chpass_s.c	\
+	common_glue.c	\
+	context_s.c	\
+	create_s.c	\
+	delete_s.c	\
+	destroy_s.c	\
+	ent_setup.c	\
+	error.c		\
+	flush_s.c	\
+	free.c		\
+	get_princs_s.c	\
+	get_s.c		\
+	init_s.c	\
+	kadm5_err.c	\
+	kadm5_locl.h	\
+	log.c		\
+	marshall.c	\
+	modify_s.c	\
+	private.h	\
+	privs_s.c	\
+	randkey_s.c	\
+	rename_s.c	\
+	set_keys.c	\
+	set_modifier.c	\
+	password_quality.c
+
+libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
+libkadm5clnt_la_SOURCES = $(C_SOURCES) client_glue.c
+
+dump_log_SOURCES = dump_log.c kadm5_locl.h
+
+replay_log_SOURCES = replay_log.c kadm5_locl.h
+
+ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
+
+ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
+
+LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen)
+
+CLEANFILES = kadm5_err.c kadm5_err.h
+
+$(libkadm5srv_la_OBJECTS): kadm5_err.h
+
+client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
+
+# to help stupid solaris make
+
+kadm5_err.h: kadm5_err.et
diff --git a/crypto/heimdal/lib/kadm5/Makefile.in b/crypto/heimdal/lib/kadm5/Makefile.in
new file mode 100644
index 0000000..233ef9d
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/Makefile.in
@@ -0,0 +1,812 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.33 2000/02/07 03:37:27 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
+libkadm5srv_la_LDFLAGS = -version-info 5:1:0
+libkadm5clnt_la_LDFLAGS = -version-info 4:2:0
+sbin_PROGRAMS = dump_log replay_log
+
+libexec_PROGRAMS = ipropd-master ipropd-slave
+
+kadm5includedir = $(includedir)/kadm5
+buildkadm5include = $(buildinclude)/kadm5
+
+kadm5include_HEADERS = kadm5_err.h admin.h private.h
+
+C_SOURCES =  	admin.h			chpass_c.c		common_glue.c		create_c.c		delete_c.c		destroy_c.c		flush_c.c		free.c			get_c.c			get_princs_c.c		init_c.c		kadm5_err.c		kadm5_locl.h		marshall.c		modify_c.c		private.h		privs_c.c		randkey_c.c		rename_c.c		send_recv.c
+
+
+S_SOURCES =  	acl.c			admin.h			chpass_s.c		common_glue.c		context_s.c		create_s.c		delete_s.c		destroy_s.c		ent_setup.c		error.c			flush_s.c		free.c			get_princs_s.c		get_s.c			init_s.c		kadm5_err.c		kadm5_locl.h		log.c			marshall.c		modify_s.c		private.h		privs_s.c		randkey_s.c		rename_s.c		set_keys.c		set_modifier.c		password_quality.c
+
+
+libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
+libkadm5clnt_la_SOURCES = $(C_SOURCES) client_glue.c
+
+dump_log_SOURCES = dump_log.c kadm5_locl.h
+
+replay_log_SOURCES = replay_log.c kadm5_locl.h
+
+ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
+
+ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
+
+LDADD =  	libkadm5srv.la 	$(top_builddir)/lib/hdb/libhdb.la 	$(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(top_builddir)/lib/des/libdes.la 	$(LIB_roken) 	$(DBLIB) 	$(LIB_dlopen)
+
+
+CLEANFILES = kadm5_err.c kadm5_err.h
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkadm5srv_la_LIBADD = 
+libkadm5srv_la_OBJECTS =  acl.lo chpass_s.lo common_glue.lo context_s.lo \
+create_s.lo delete_s.lo destroy_s.lo ent_setup.lo error.lo flush_s.lo \
+free.lo get_princs_s.lo get_s.lo init_s.lo kadm5_err.lo log.lo \
+marshall.lo modify_s.lo privs_s.lo randkey_s.lo rename_s.lo set_keys.lo \
+set_modifier.lo password_quality.lo server_glue.lo
+libkadm5clnt_la_LIBADD = 
+libkadm5clnt_la_OBJECTS =  chpass_c.lo common_glue.lo create_c.lo \
+delete_c.lo destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \
+init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo randkey_c.lo \
+rename_c.lo send_recv.lo client_glue.lo
+libexec_PROGRAMS =  ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT)
+sbin_PROGRAMS =  dump_log$(EXEEXT) replay_log$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+
+ipropd_master_OBJECTS =  ipropd_master.$(OBJEXT)
+ipropd_master_LDADD = $(LDADD)
+ipropd_master_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+ipropd_master_LDFLAGS = 
+ipropd_slave_OBJECTS =  ipropd_slave.$(OBJEXT)
+ipropd_slave_LDADD = $(LDADD)
+ipropd_slave_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+ipropd_slave_LDFLAGS = 
+dump_log_OBJECTS =  dump_log.$(OBJEXT)
+dump_log_LDADD = $(LDADD)
+dump_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+dump_log_LDFLAGS = 
+replay_log_OBJECTS =  replay_log.$(OBJEXT)
+replay_log_LDADD = $(LDADD)
+replay_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/des/libdes.la
+replay_log_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(kadm5include_HEADERS)
+
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libkadm5srv_la_SOURCES) $(libkadm5clnt_la_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(dump_log_SOURCES) $(replay_log_SOURCES)
+OBJECTS = $(libkadm5srv_la_OBJECTS) $(libkadm5clnt_la_OBJECTS) $(ipropd_master_OBJECTS) $(ipropd_slave_OBJECTS) $(dump_log_OBJECTS) $(replay_log_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kadm5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
+
+libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS)
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES)
+	@rm -f ipropd-master$(EXEEXT)
+	$(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS)
+
+ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES)
+	@rm -f ipropd-slave$(EXEEXT)
+	$(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS)
+
+dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES)
+	@rm -f dump_log$(EXEEXT)
+	$(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS)
+
+replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES)
+	@rm -f replay_log$(EXEEXT)
+	$(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS)
+
+install-kadm5includeHEADERS: $(kadm5include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(kadm5includedir)
+	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$p; \
+	done
+
+uninstall-kadm5includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(kadm5includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/kadm5
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES install-libexecPROGRAMS \
+		install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-kadm5includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \
+		uninstall-sbinPROGRAMS uninstall-kadm5includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(sbindir) $(DESTDIR)$(kadm5includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-libexecPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-libexecPROGRAMS clean-sbinPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-libexecPROGRAMS \
+		distclean-sbinPROGRAMS distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-libexecPROGRAMS \
+distclean-libexecPROGRAMS clean-libexecPROGRAMS \
+maintainer-clean-libexecPROGRAMS uninstall-libexecPROGRAMS \
+install-libexecPROGRAMS mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS \
+clean-sbinPROGRAMS maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS uninstall-kadm5includeHEADERS \
+install-kadm5includeHEADERS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+install-build-headers:: $(kadm5include_HEADERS)
+	@foo='$(kadm5include_HEADERS)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildkadm5include)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo "cp $$file $(buildkadm5include)/$$f";\
+			cp $$file $(buildkadm5include)/$$f; \
+		fi ; \
+	done
+
+$(libkadm5srv_la_OBJECTS): kadm5_err.h
+
+client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
+
+# to help stupid solaris make
+
+kadm5_err.h: kadm5_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/kadm5/acl.c b/crypto/heimdal/lib/kadm5/acl.c
new file mode 100644
index 0000000..3f42c60
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/acl.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: acl.c,v 1.10 1999/12/02 17:05:05 joda Exp $");
+
+static struct units acl_units[] = {
+    { "all",		KADM5_PRIV_ALL },
+    { "change-password",KADM5_PRIV_CPW },
+    { "cpw",		KADM5_PRIV_CPW },
+    { "list",		KADM5_PRIV_LIST },
+    { "delete",		KADM5_PRIV_DELETE },
+    { "modify",		KADM5_PRIV_MODIFY },
+    { "add",		KADM5_PRIV_ADD },
+    { "get", 		KADM5_PRIV_GET },
+    { NULL }
+};
+
+kadm5_ret_t
+_kadm5_string_to_privs(const char *s, u_int32_t* privs)
+{
+    int flags;
+    flags = parse_flags(s, acl_units, 0);
+    if(flags < 0)
+	return KADM5_FAILURE;
+    *privs = flags;
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_privs_to_string(u_int32_t privs, char *string, size_t len)
+{
+    if(privs == 0)
+	strlcpy(string, "none", len);
+    else
+	unparse_flags(privs, acl_units + 1, string, len);
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_acl_init(kadm5_server_context *context)
+{
+    FILE *f;
+    char buf[128];
+    krb5_principal princ;
+    int flags;
+    krb5_error_code ret;
+    
+    krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
+    ret = krb5_principal_compare(context->context, context->caller, princ);
+    krb5_free_principal(context->context, princ);
+    if(ret != 0){
+	context->acl_flags = KADM5_PRIV_ALL;
+	return 0;
+    }
+
+    flags = -1;
+    f = fopen(context->config.acl_file, "r");
+    if(f){
+	while(fgets(buf, sizeof(buf), f)){
+	    char *foo = NULL, *p;
+	    p = strtok_r(buf, " \t\n", &foo);
+	    if(p == NULL)
+		continue;
+	    ret = krb5_parse_name(context->context, p, &princ);
+	    if(ret)
+		continue;
+	    if(!krb5_principal_compare(context->context, 
+				       context->caller,  princ)){
+		krb5_free_principal(context->context, princ);
+		continue;
+	    }
+	    krb5_free_principal(context->context, princ);
+	    p = strtok_r(NULL, "\n", &foo);
+	    if(p == NULL)
+		continue;
+	    ret = _kadm5_string_to_privs(p, &flags);
+	    break;
+	}
+	fclose(f);
+    }
+    if(flags == -1)
+	flags = 0;
+    context->acl_flags = flags;
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_acl_check_permission(kadm5_server_context *context, unsigned op)
+{
+    unsigned res = ~context->acl_flags & op;
+    if(res & KADM5_PRIV_GET)
+	return KADM5_AUTH_GET;
+    if(res & KADM5_PRIV_ADD)
+	return KADM5_AUTH_ADD;
+    if(res & KADM5_PRIV_MODIFY)
+	return KADM5_AUTH_MODIFY;
+    if(res & KADM5_PRIV_DELETE)
+	return KADM5_AUTH_DELETE;
+    if(res & KADM5_PRIV_CPW)
+	return KADM5_AUTH_CHANGEPW;
+    if(res & KADM5_PRIV_LIST)
+	return KADM5_AUTH_LIST;
+    if(res)
+	return KADM5_AUTH_INSUFFICIENT;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/admin.h b/crypto/heimdal/lib/kadm5/admin.h
new file mode 100644
index 0000000..6cb08a3
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/admin.h
@@ -0,0 +1,698 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: admin.h,v 1.15 1999/12/02 17:05:05 joda Exp $ */
+
+#ifndef __KADM5_ADMIN_H__
+#define __KADM5_ADMIN_H__
+
+#define KADM5_API_VERSION_1 1
+#define KADM5_API_VERSION_2 2
+
+#ifndef USE_KADM5_API_VERSION
+#define USE_KADM5_API_VERSION KADM5_API_VERSION_2
+#endif
+
+#if USE_KADM5_API_VERSION != KADM5_API_VERSION_2
+#error No support for API versions other than 2
+#endif
+
+#define KADM5_STRUCT_VERSION 0
+
+#include <krb5.h>
+
+#define KRB5_KDB_DISALLOW_POSTDATED	0x00000001
+#define KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
+#define KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
+#define KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
+#define KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
+#define KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
+#define KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
+#define KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
+#define KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
+#define KRB5_KDB_REQUIRES_PWCHANGE	0x00000200
+#define KRB5_KDB_DISALLOW_SVR		0x00001000
+#define KRB5_KDB_PWCHANGE_SERVICE	0x00002000
+#define KRB5_KDB_SUPPORT_DESMD5		0x00004000
+#define KRB5_KDB_NEW_PRINC		0x00008000
+
+#define KADM5_PRINCIPAL		0x000001
+#define KADM5_PRINC_EXPIRE_TIME	0x000002
+#define KADM5_PW_EXPIRATION	0x000004
+#define KADM5_LAST_PWD_CHANGE	0x000008
+#define KADM5_ATTRIBUTES	0x000010
+#define KADM5_MAX_LIFE		0x000020
+#define KADM5_MOD_TIME		0x000040
+#define KADM5_MOD_NAME		0x000080
+#define KADM5_KVNO		0x000100
+#define KADM5_MKVNO		0x000200
+#define KADM5_AUX_ATTRIBUTES	0x000400
+#define KADM5_POLICY		0x000800
+#define KADM5_POLICY_CLR	0x001000
+#define KADM5_MAX_RLIFE		0x002000
+#define KADM5_LAST_SUCCESS	0x004000
+#define KADM5_LAST_FAILED	0x008000
+#define KADM5_FAIL_AUTH_COUNT	0x010000
+#define KADM5_KEY_DATA		0x020000
+#define KADM5_TL_DATA		0x040000
+
+#define KADM5_PRINCIPAL_NORMAL_MASK (~(KADM5_KEY_DATA | KADM5_TL_DATA))
+
+#define KADM5_PW_MAX_LIFE 	0x004000
+#define KADM5_PW_MIN_LIFE	0x008000
+#define KADM5_PW_MIN_LENGTH 	0x010000
+#define KADM5_PW_MIN_CLASSES	0x020000
+#define KADM5_PW_HISTORY_NUM	0x040000
+#define KADM5_REF_COUNT		0x080000
+
+#define KADM5_POLICY_NORMAL_MASK (~0)
+
+#define KADM5_ADMIN_SERVICE	"kadmin/admin"
+#define KADM5_HIST_PRINCIPAL	"kadmin/history"
+#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
+
+typedef struct _krb5_key_data {
+    int16_t key_data_ver;	/* Version */
+    int16_t key_data_kvno;	/* Key Version */
+    int16_t key_data_type[2];	/* Array of types */
+    int16_t key_data_length[2];	/* Array of lengths */
+    void** key_data_contents[2];/* Array of pointers */
+} krb5_key_data;
+
+typedef struct _krb5_tl_data {
+    struct _krb5_tl_data* tl_data_next;
+    int16_t tl_data_type;         
+    int16_t tl_data_length;       
+    void **tl_data_contents;     
+} krb5_tl_data;
+
+typedef struct _kadm5_principal_ent_t {
+    krb5_principal principal;
+
+    krb5_timestamp princ_expire_time;
+    krb5_timestamp last_pwd_change;
+    krb5_timestamp pw_expiration;
+    krb5_deltat max_life;
+    krb5_principal mod_name;
+    krb5_timestamp mod_date;
+    krb5_flags attributes;
+    krb5_kvno kvno;
+    krb5_kvno mkvno;
+
+    char * policy;
+    u_int32_t aux_attributes;
+
+    krb5_deltat max_renewable_life;
+    krb5_timestamp last_success;
+    krb5_timestamp last_failed;
+    krb5_kvno fail_auth_count;
+    int16_t n_key_data;
+    int16_t n_tl_data;
+    krb5_tl_data *tl_data;
+    krb5_key_data *key_data;
+} kadm5_principal_ent_rec, *kadm5_principal_ent_t;
+
+typedef struct _kadm5_policy_ent_t {
+    char *policy;
+
+    u_int32_t pw_min_life;
+    u_int32_t pw_max_life;
+    u_int32_t pw_min_length;
+    u_int32_t pw_min_classes;
+    u_int32_t pw_history_num;
+    u_int32_t policy_refcnt;
+} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
+
+#define KADM5_CONFIG_REALM			(1 << 0)
+#define KADM5_CONFIG_PROFILE			(1 << 1)
+#define KADM5_CONFIG_KADMIND_PORT		(1 << 2)
+#define KADM5_CONFIG_ADMIN_SERVER		(1 << 3)
+#define KADM5_CONFIG_DBNAME			(1 << 4)
+#define KADM5_CONFIG_ADBNAME			(1 << 5)
+#define KADM5_CONFIG_ADB_LOCKFILE		(1 << 6)
+#define KADM5_CONFIG_ACL_FILE			(1 << 7)
+#define KADM5_CONFIG_DICT_FILE			(1 << 8)
+#define KADM5_CONFIG_ADMIN_KEYTAB		(1 << 9)
+#define KADM5_CONFIG_MKEY_FROM_KEYBOARD		(1 << 10)
+#define KADM5_CONFIG_STASH_FILE			(1 << 11)
+#define KADM5_CONFIG_MKEY_NAME			(1 << 12)
+#define KADM5_CONFIG_ENCTYPE			(1 << 13)
+#define KADM5_CONFIG_MAX_LIFE			(1 << 14)
+#define KADM5_CONFIG_MAX_RLIFE			(1 << 15)
+#define KADM5_CONFIG_EXPIRATION			(1 << 16)
+#define KADM5_CONFIG_FLAGS			(1 << 17)
+#define KADM5_CONFIG_ENCTYPES			(1 << 18)
+
+#define KADM5_PRIV_GET		(1 << 0)
+#define KADM5_PRIV_ADD 		(1 << 1)
+#define KADM5_PRIV_MODIFY	(1 << 2)
+#define KADM5_PRIV_DELETE	(1 << 3)
+#define KADM5_PRIV_LIST		(1 << 4)
+#define KADM5_PRIV_CPW		(1 << 5)
+#define KADM5_PRIV_ALL		(KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
+
+typedef struct {
+    int XXX;
+}krb5_key_salt_tuple;
+
+typedef struct _kadm5_config_params {
+    u_int32_t mask;
+
+    /* Client and server fields */
+    char *realm;
+    int kadmind_port;
+
+    /* client fields */
+    char *admin_server;
+
+    /* server fields */
+    char *dbname;
+    char *acl_file;
+
+    /* server library (database) fields */
+    char *stash_file;
+} kadm5_config_params;
+
+typedef krb5_error_code kadm5_ret_t;
+
+kadm5_ret_t
+kadm5_c_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_c_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_c_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_c_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_c_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_flush __P((void *server_handle));
+
+void
+kadm5_free_key_data __P((
+	void *server_handle,
+	int16_t *n_key_data,
+	krb5_key_data *key_data));
+
+void
+kadm5_free_name_list __P((
+	void *server_handle,
+	char **names,
+	int *count));
+
+void
+kadm5_free_principal_ent __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_ret_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_ret_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_ret_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t *mask));
+
+kadm5_ret_t
+kadm5_ret_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+kadm5_ret_t
+kadm5_s_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_s_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_create_principal_with_key __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_s_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_s_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_s_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_s_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_store_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_store_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_store_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_store_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+				 const char *check_library,
+				 const char *check_function);
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd_data);
+
+#if 0
+/* unimplemented functions */
+kadm5_ret_t 
+kadm5_decrypt_key(void *server_handle,
+		  kadm5_principal_ent_t entry, int32_t
+		  ktype, int32_t stype, int32_t
+		  kvno, krb5_keyblock *keyblock,
+		  krb5_keysalt *keysalt, int *kvnop);
+
+kadm5_ret_t
+kadm5_create_policy(void *server_handle,
+		    kadm5_policy_ent_t policy, u_int32_t mask); 
+
+kadm5_ret_t
+kadm5_delete_policy(void *server_handle, char *policy);
+
+
+kadm5_ret_t
+kadm5_modify_policy(void *server_handle,
+		    kadm5_policy_ent_t policy, 
+		    u_int32_t mask);
+
+kadm5_ret_t
+kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); 
+
+kadm5_ret_t
+kadm5_get_policies(void *server_handle, char *exp,
+		   char ***pols, int *count);
+
+void 
+kadm5_free_policy_ent(kadm5_policy_ent_t policy);
+
+#endif
+
+#endif /* __KADM5_ADMIN_H__ */
diff --git a/crypto/heimdal/lib/kadm5/chpass_c.c b/crypto/heimdal/lib/kadm5/chpass_c.c
new file mode 100644
index 0000000..aaec48f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/chpass_c.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: chpass_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_chpass_principal(void *server_handle, 
+			 krb5_principal princ,
+			 char *password)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_chpass);
+    krb5_store_principal(sp, princ);
+    krb5_store_string(sp, password);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/kadm5/chpass_s.c b/crypto/heimdal/lib/kadm5/chpass_s.c
new file mode 100644
index 0000000..e915124
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/chpass_s.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: chpass_s.c,v 1.8 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_chpass_principal(void *server_handle, 
+			 krb5_principal princ,
+			 char *password)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 
+			     0, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out;
+    ret = _kadm5_set_keys(context, &ent, password);
+    if(ret)
+	goto out2;
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO);
+    
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
+
+kadm5_ret_t
+kadm5_s_chpass_principal_with_key(void *server_handle, 
+				  krb5_principal princ,
+				  int n_key_data,
+				  krb5_key_data *key_data)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out;
+    ret = _kadm5_set_keys2(&ent, n_key_data, key_data);
+    if(ret)
+	goto out2;
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO);
+    
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/client_glue.c b/crypto/heimdal/lib/kadm5/client_glue.c
new file mode 100644
index 0000000..395577d
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/client_glue.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: client_glue.c,v 1.5 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_init_with_password(const char *client_name,
+			 const char *password,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_c_init_with_password(client_name,
+				      password,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_password_ctx(krb5_context context,
+			     const char *client_name,
+			     const char *password,
+			     const char *service_name,
+			     kadm5_config_params *realm_params,
+			     unsigned long struct_version,
+			     unsigned long api_version,
+			     void **server_handle)
+{
+    return kadm5_c_init_with_password_ctx(context,
+					  client_name,
+					  password,
+					  service_name,
+					  realm_params,
+					  struct_version,
+					  api_version,
+					  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey(const char *client_name,
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return kadm5_c_init_with_skey(client_name,
+				  keytab,
+				  service_name,
+				  realm_params,
+				  struct_version,
+				  api_version,
+				  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx(krb5_context context,
+			 const char *client_name,
+			 const char *keytab,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_c_init_with_skey_ctx(context,
+				      client_name,
+				      keytab,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds(const char *client_name,
+		      krb5_ccache ccache,
+		      const char *service_name,
+		      kadm5_config_params *realm_params,
+		      unsigned long struct_version,
+		      unsigned long api_version,
+		      void **server_handle)
+{
+    return kadm5_c_init_with_creds(client_name,
+				   ccache,
+				   service_name,
+				   realm_params,
+				   struct_version,
+				   api_version,
+				   server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx(krb5_context context,
+			  const char *client_name,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    return kadm5_c_init_with_creds_ctx(context,
+				       client_name,
+				       ccache,
+				       service_name,
+				       realm_params,
+				       struct_version,
+				       api_version,
+				       server_handle);
+}
diff --git a/crypto/heimdal/lib/kadm5/common_glue.c b/crypto/heimdal/lib/kadm5/common_glue.c
new file mode 100644
index 0000000..38c551c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/common_glue.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: common_glue.c,v 1.4 1999/12/02 17:05:05 joda Exp $");
+
+#define __CALL(F, P) (*((kadm5_common_context*)server_handle)->funcs.F)P;
+
+kadm5_ret_t
+kadm5_chpass_principal(void *server_handle,
+		       krb5_principal princ,
+		       char *password)
+{
+    return __CALL(chpass_principal, (server_handle, princ, password));
+}
+
+kadm5_ret_t
+kadm5_create_principal(void *server_handle,
+		       kadm5_principal_ent_t princ,
+		       u_int32_t mask,
+		       char *password)
+{
+    return __CALL(create_principal, (server_handle, princ, mask, password));
+}
+
+kadm5_ret_t
+kadm5_delete_principal(void *server_handle,
+		       krb5_principal princ)
+{
+    return __CALL(delete_principal, (server_handle, princ));
+}
+
+kadm5_ret_t
+kadm5_destroy (void *server_handle)
+{
+    return __CALL(destroy, (server_handle));
+}
+
+kadm5_ret_t
+kadm5_flush (void *server_handle)
+{
+    return __CALL(flush, (server_handle));
+}
+
+kadm5_ret_t
+kadm5_get_principal(void *server_handle,
+		    krb5_principal princ,
+		    kadm5_principal_ent_t out,
+		    u_int32_t mask)
+{
+    return __CALL(get_principal, (server_handle, princ, out, mask));
+}
+
+kadm5_ret_t
+kadm5_modify_principal(void *server_handle,
+		       kadm5_principal_ent_t princ,
+		       u_int32_t mask)
+{
+    return __CALL(modify_principal, (server_handle, princ, mask));
+}
+
+kadm5_ret_t
+kadm5_randkey_principal(void *server_handle,
+			krb5_principal princ,
+			krb5_keyblock **new_keys,
+			int *n_keys)
+{
+    return __CALL(randkey_principal, (server_handle, princ, new_keys, n_keys));
+}
+
+kadm5_ret_t
+kadm5_rename_principal(void *server_handle,
+		       krb5_principal source,
+		       krb5_principal target)
+{
+    return __CALL(rename_principal, (server_handle, source, target));
+}
+
+kadm5_ret_t
+kadm5_get_principals(void *server_handle,
+		     const char *exp,
+		     char ***princs,
+		     int *count)
+{
+    return __CALL(get_principals, (server_handle, exp, princs, count));
+}
+
+kadm5_ret_t
+kadm5_get_privs(void *server_handle,
+		u_int32_t *privs)
+{
+    return __CALL(get_privs, (server_handle, privs));
+}
diff --git a/crypto/heimdal/lib/kadm5/context_s.c b/crypto/heimdal/lib/kadm5/context_s.c
new file mode 100644
index 0000000..fc52576
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/context_s.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: context_s.c,v 1.13 2000/01/06 21:40:08 assar Exp $");
+
+static void
+set_funcs(kadm5_server_context *c)
+{
+#define SET(C, F) (C)->funcs.F = kadm5_s_ ## F
+    SET(c, chpass_principal);
+    SET(c, chpass_principal);
+    SET(c, create_principal);
+    SET(c, delete_principal);
+    SET(c, destroy);
+    SET(c, flush);
+    SET(c, get_principal);
+    SET(c, get_principals);
+    SET(c, get_privs);
+    SET(c, modify_principal);
+    SET(c, randkey_principal);
+    SET(c, rename_principal);
+}
+
+struct database_spec {
+    char *dbpath;
+    char *logfile;
+    char *mkeyfile;
+    char *aclfile;
+};
+
+static void
+set_field(krb5_context context, krb5_config_binding *binding, 
+	  const char *dbname, const char *name, const char *ext, 
+	  char **variable)
+{
+    const char *p;
+    p = krb5_config_get_string(context, binding, name, NULL);
+    if(p)
+	*variable = strdup(p);
+    else {
+	p = strrchr(dbname, '.');
+	if(p == NULL)
+	    asprintf(variable, "%s.%s", dbname, ext);
+	else
+	    asprintf(variable, "%.*s.%s", (int)(p - dbname), dbname, ext);
+    }
+}
+
+static void
+set_socket_name(const char *dbname, struct sockaddr_un *un)
+{
+    const char *p;
+    memset(un, 0, sizeof(*un));
+    un->sun_family = AF_UNIX;
+    p = strrchr(dbname, '.');
+    if(p == NULL)
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s.signal", 
+		 dbname);
+    else
+	snprintf(un->sun_path, sizeof(un->sun_path), "%.*s.signal", 
+		 (int)(p - dbname), dbname);
+}
+
+static void
+set_config(kadm5_server_context *ctx,
+	   krb5_config_binding *binding)
+{
+    const char *p;
+    if(ctx->config.dbname == NULL) {
+	p = krb5_config_get_string(ctx->context, binding, "dbname", NULL);
+	if(p)
+	    ctx->config.dbname = strdup(p);
+	else
+	    ctx->config.dbname = strdup(HDB_DEFAULT_DB);
+    }
+    if(ctx->log_context.log_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "log_file", "log", &ctx->log_context.log_file);
+    set_socket_name(ctx->config.dbname, &ctx->log_context.socket_name);
+    if(ctx->config.acl_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "acl_file", "acl", &ctx->config.acl_file);
+    /* XXX calling a file a `stash file' isn't very clever */
+    if(ctx->config.stash_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "mkey_file", "mkey", &ctx->config.stash_file);
+}
+
+static kadm5_ret_t
+find_db_spec(kadm5_server_context *ctx)
+{
+    krb5_config_binding *top_binding = NULL;
+    krb5_config_binding *db_binding;
+    krb5_config_binding *default_binding = NULL;
+    krb5_context context = ctx->context;
+
+    while((db_binding = (krb5_config_binding *)
+	   krb5_config_get_next(context,
+				NULL, &top_binding, 
+				krb5_config_list, 
+				"kdc", 
+				"database",
+				NULL))) {
+	const char *p;
+	p = krb5_config_get_string(context, db_binding, "realm", NULL);
+	if(p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db_binding;
+	    continue;
+	}
+	if(strcmp(ctx->config.realm, p) != 0)
+	    continue;
+	
+	set_config(ctx, db_binding);
+	return 0;
+    }
+    if(default_binding)
+	set_config(ctx, default_binding);
+    else {
+	ctx->config.dbname = strdup(HDB_DEFAULT_DB);
+	ctx->config.acl_file = HDB_DB_DIR "/kadmind.acl";
+	ctx->config.stash_file = HDB_DB_DIR "/m-key";
+	ctx->log_context.log_file = HDB_DB_DIR "/log";
+	memset(&ctx->log_context.socket_name, 0, 
+	       sizeof(ctx->log_context.socket_name));
+	ctx->log_context.socket_name.sun_family = AF_UNIX;
+	strlcpy(ctx->log_context.socket_name.sun_path, 
+		KADM5_LOG_SIGNAL, 
+		sizeof(ctx->log_context.socket_name.sun_path));
+    }
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_s_init_context(kadm5_server_context **ctx, 
+		      kadm5_config_params *params,
+		      krb5_context context)
+{
+    *ctx = malloc(sizeof(**ctx));
+    if(*ctx == NULL)
+	return ENOMEM;
+    memset(*ctx, 0, sizeof(**ctx));
+    set_funcs(*ctx);
+    (*ctx)->context = context;
+    krb5_add_et_list (context, initialize_kadm5_error_table_r);
+#define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M)
+    if(is_set(REALM))
+	(*ctx)->config.realm = strdup(params->realm);
+    else
+	krb5_get_default_realm(context, &(*ctx)->config.realm);
+    if(is_set(DBNAME))
+	(*ctx)->config.dbname = strdup(params->dbname);
+    if(is_set(ACL_FILE))
+	(*ctx)->config.acl_file = strdup(params->acl_file);
+    if(is_set(STASH_FILE))
+	(*ctx)->config.stash_file = strdup(params->stash_file);
+    
+    find_db_spec(*ctx);
+    
+    /* PROFILE can't be specified for now */
+    /* KADMIND_PORT is supposed to be used on the server also, 
+       but this doesn't make sense */
+    /* ADMIN_SERVER is client only */
+    /* ADNAME is not used at all (as far as I can tell) */
+    /* ADB_LOCKFILE ditto */
+    /* DICT_FILE */
+    /* ADMIN_KEYTAB */
+    /* MKEY_FROM_KEYBOARD is not supported */
+    /* MKEY_NAME neither */
+    /* ENCTYPE */
+    /* MAX_LIFE */
+    /* MAX_RLIFE */
+    /* EXPIRATION */
+    /* FLAGS */
+    /* ENCTYPES */
+
+    return 0;
+}
+
+HDB *
+_kadm5_s_get_db(void *server_handle)
+{
+    kadm5_server_context *context = server_handle;
+    return context->db;
+}
diff --git a/crypto/heimdal/lib/kadm5/create_c.c b/crypto/heimdal/lib/kadm5/create_c.c
new file mode 100644
index 0000000..45eb3e2
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/create_c.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: create_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_create_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask,
+			 char *password)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_create);
+    kadm5_store_principal_ent(sp, princ);
+    krb5_store_int32(sp, mask);
+    krb5_store_string(sp, password);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c
new file mode 100644
index 0000000..6e352f6
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/create_s.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: create_s.c,v 1.16 1999/12/02 17:05:05 joda Exp $");
+
+static kadm5_ret_t
+get_default(kadm5_server_context *context, krb5_principal princ, 
+	    kadm5_principal_ent_t def)
+{
+    kadm5_ret_t ret;
+    krb5_principal def_principal;
+    krb5_realm *realm = krb5_princ_realm(context->context, princ);
+
+    ret = krb5_make_principal(context->context, &def_principal, 
+			      *realm, "default", NULL);
+    if (ret)
+	return ret;
+    ret = kadm5_s_get_principal(context, def_principal, def, 
+				KADM5_PRINCIPAL_NORMAL_MASK);
+    krb5_free_principal (context->context, def_principal);
+    return ret;
+}
+
+static kadm5_ret_t
+create_principal(kadm5_server_context *context,
+		 kadm5_principal_ent_t princ,
+		 u_int32_t mask,
+		 hdb_entry *ent,
+		 u_int32_t required_mask,
+		 u_int32_t forbidden_mask)
+{
+    kadm5_ret_t ret;
+    kadm5_principal_ent_rec defrec, *defent;
+    u_int32_t def_mask;
+    
+    if((mask & required_mask) != required_mask)
+	return KADM5_BAD_MASK;
+    if((mask & forbidden_mask))
+	return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
+	/* XXX no real policies for now */
+	return KADM5_UNK_POLICY;
+    memset(ent, 0, sizeof(*ent));
+    ret  = krb5_copy_principal(context->context, princ->principal, 
+			       &ent->principal);
+    if(ret)
+	return ret;
+    
+    defent = &defrec;
+    ret = get_default(context, princ->principal, defent);
+    if(ret) {
+	defent   = NULL;
+	def_mask = 0;
+    } else {
+	def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE;
+    }
+
+    ret = _kadm5_setup_entry(ent, mask | def_mask,
+			     princ, mask,
+			     defent, def_mask);
+    if(defent)
+	kadm5_free_principal_ent(context, defent);
+    
+    ent->created_by.time = time(NULL);
+    ret = krb5_copy_principal(context->context, context->caller, 
+			      &ent->created_by.principal);
+
+    return ret;
+}
+
+kadm5_ret_t
+kadm5_s_create_principal_with_key(void *server_handle,
+				  kadm5_principal_ent_t princ,
+				  u_int32_t mask)
+{
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    kadm5_server_context *context = server_handle;
+
+    ret = create_principal(context, princ, mask, &ent,
+			   KADM5_PRINCIPAL | KADM5_KEY_DATA,
+			   KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			   | KADM5_MOD_NAME | KADM5_MKVNO 
+			   | KADM5_AUX_ATTRIBUTES 
+			   | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 
+			   | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
+    if(ret)
+	goto out;
+
+    ret = _kadm5_set_keys2(&ent, princ->n_key_data, princ->key_data);
+    if(ret)
+	goto out;
+    
+    hdb_seal_keys(context->db, &ent);
+    
+    kadm5_log_create (context, &ent);
+
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	goto out;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    context->db->close(context->context, context->db);
+out:
+    hdb_free_entry(context->context, &ent);
+    return _kadm5_error_code(ret);
+}
+				  
+
+kadm5_ret_t
+kadm5_s_create_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask,
+			 char *password)
+{
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    kadm5_server_context *context = server_handle;
+
+    ret = create_principal(context, princ, mask, &ent,
+			   KADM5_PRINCIPAL,
+			   KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			   | KADM5_MOD_NAME | KADM5_MKVNO 
+			   | KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA
+			   | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 
+			   | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
+    if(ret)
+	goto out;
+
+    /* XXX this should be fixed */
+    ent.keys.len = 4;
+    ent.keys.val = calloc(ent.keys.len, sizeof(*ent.keys.val));
+    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_CRC;
+    /* flag as version 4 compatible salt; ignored by _kadm5_set_keys
+       if we don't want to be compatible */
+    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
+    ent.keys.val[0].salt->type = hdb_pw_salt;
+    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    ent.keys.val[1].salt = calloc(1, sizeof(*ent.keys.val[1].salt));
+    ent.keys.val[1].salt->type = hdb_pw_salt;
+    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_MD5;
+    ent.keys.val[2].salt = calloc(1, sizeof(*ent.keys.val[2].salt));
+    ent.keys.val[2].salt->type = hdb_pw_salt;
+    ent.keys.val[3].key.keytype = ETYPE_DES3_CBC_SHA1;
+    ret = _kadm5_set_keys(context, &ent, password);
+
+    hdb_seal_keys(context->db, &ent);
+    
+    kadm5_log_create (context, &ent);
+
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	goto out;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    context->db->close(context->context, context->db);
+out:
+    hdb_free_entry(context->context, &ent);
+    return _kadm5_error_code(ret);
+}
+
diff --git a/crypto/heimdal/lib/kadm5/delete_c.c b/crypto/heimdal/lib/kadm5/delete_c.c
new file mode 100644
index 0000000..71a3cf0
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/delete_c.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: delete_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_delete);
+    krb5_store_principal(sp, princ);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if(sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/kadm5/delete_s.c b/crypto/heimdal/lib/kadm5/delete_s.c
new file mode 100644
index 0000000..ef326587b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/delete_s.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: delete_s.c,v 1.7 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent;
+
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret) {
+	krb5_warn(context->context, ret, "opening database");
+	return ret;
+    }
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out2;
+    if(ent.flags.immutable) {
+	ret = KADM5_PROTECT_PRINCIPAL;
+	goto out;
+    }
+    
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_delete (context, princ);
+    
+    ret = context->db->remove(context->context, context->db, &ent);
+out:
+    hdb_free_entry(context->context, &ent);
+out2:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/destroy_c.c b/crypto/heimdal/lib/kadm5/destroy_c.c
new file mode 100644
index 0000000..b42c84c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/destroy_c.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: destroy_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t 
+kadm5_c_destroy(void *server_handle)
+{
+    kadm5_client_context *context = server_handle;
+
+    free(context->realm);
+    free(context->admin_server);
+    close(context->sock);
+    if (context->ac != NULL)
+	krb5_auth_con_free(context->context, context->ac);
+    if(context->my_context)
+	krb5_free_context(context->context);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/destroy_s.c b/crypto/heimdal/lib/kadm5/destroy_s.c
new file mode 100644
index 0000000..22158d0
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/destroy_s.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: destroy_s.c,v 1.5 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t 
+kadm5_s_destroy(void *server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_server_context *context = server_handle;
+    krb5_context kcontext = context->context;
+
+    ret = context->db->destroy(kcontext, context->db);
+    if(context->my_context)
+	krb5_free_context(kcontext);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/dump_log.c b/crypto/heimdal/lib/kadm5/dump_log.c
new file mode 100644
index 0000000..68a3f53
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/dump_log.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+#include "parse_time.h"
+
+RCSID("$Id: dump_log.c,v 1.9 1999/12/04 19:49:43 assar Exp $");
+
+static char *op_names[] = {
+    "get",
+    "delete",
+    "create",
+    "rename",
+    "chpass",
+    "modify",
+    "randkey",
+    "get_privs",
+    "get_princs"
+};
+
+static void
+print_entry(kadm5_server_context *server_context,
+	    u_int32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    u_int32_t len,
+	    krb5_storage *sp)
+{
+    char t[256];
+    u_int32_t mask;
+    hdb_entry ent;
+    krb5_principal source;
+    char *name1, *name2;
+    krb5_data data;
+    krb5_context context = server_context->context;
+
+    off_t end = sp->seek(sp, 0, SEEK_CUR) + len;
+    
+    krb5_error_code ret;
+
+    strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(&timestamp));
+
+    if(op < kadm_get || op > kadm_get_princs) {
+	printf("unknown op: %d\n", op);
+	sp->seek(sp, end, SEEK_SET);
+	return;
+    }
+
+    printf ("%s: ver = %u, timestamp = %s, len = %u\n",
+	    op_names[op], ver, t, len);
+    switch(op) {
+    case kadm_delete:
+	krb5_ret_principal(sp, &source);
+	krb5_unparse_name(context, source, &name1);
+	printf("    %s\n", name1);
+	free(name1);
+	krb5_free_principal(context, source);
+	break;
+    case kadm_rename:
+	krb5_data_alloc(&data, len);
+	krb5_ret_principal(sp, &source);
+	sp->fetch(sp, data.data, data.length);
+	hdb_value2entry(context, &data, &ent);
+	krb5_unparse_name(context, source, &name1);
+	krb5_unparse_name(context, ent.principal, &name2);
+	printf("    %s -> %s\n", name1, name2);
+	free(name1);
+	free(name2);
+	krb5_free_principal(context, source);
+	hdb_free_entry(context, &ent);
+	break;
+    case kadm_create:
+	krb5_data_alloc(&data, len);
+	sp->fetch(sp, data.data, data.length);
+	ret = hdb_value2entry(context, &data, &ent);
+	if(ret)
+	    abort();
+	mask = ~0;
+	goto foo;
+    case kadm_modify:
+	krb5_data_alloc(&data, len);
+	krb5_ret_int32(sp, &mask);
+	sp->fetch(sp, data.data, data.length);
+	ret = hdb_value2entry(context, &data, &ent);
+	if(ret)
+	    abort();
+    foo:
+	if(ent.principal /* mask & KADM5_PRINCIPAL */) {
+	    krb5_unparse_name(context, ent.principal, &name1);
+	    printf("    principal = %s\n", name1);
+	    free(name1);
+	}
+	if(mask & KADM5_PRINC_EXPIRE_TIME) {
+	    if(ent.valid_end == NULL) {
+		strcpy(t, "never");
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.valid_end));
+	    }
+	    printf("    expires = %s\n", t);
+	}
+	if(mask & KADM5_PW_EXPIRATION) {
+	    if(ent.valid_end == NULL) {
+		strcpy(t, "never");
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.valid_end));
+	    }
+	    printf("    password exp = %s\n", t);
+	}
+	if(mask & KADM5_LAST_PWD_CHANGE) {
+	}
+	if(mask & KADM5_ATTRIBUTES) {
+	    unparse_flags(HDBFlags2int(ent.flags), 
+			  HDBFlags_units, t, sizeof(t));
+	    printf("    attributes = %s\n", t);
+	}
+	if(mask & KADM5_MAX_LIFE) {
+	    if(ent.max_life == NULL)
+		strcpy(t, "for ever");
+	    else
+		unparse_time(*ent.max_life, t, sizeof(t));
+	    printf("    max life = %s\n", t);
+	}
+	if(mask & KADM5_MAX_RLIFE) {
+	    if(ent.max_renew == NULL)
+		strcpy(t, "for ever");
+	    else
+		unparse_time(*ent.max_renew, t, sizeof(t));
+	    printf("    max rlife = %s\n", t);
+	}
+	if(mask & KADM5_MOD_TIME) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_MOD_NAME) {
+	    printf("    mod name\n");
+	}
+	if(mask & KADM5_KVNO) {
+	    printf("    kvno = %d\n", ent.kvno);
+	}
+	if(mask & KADM5_MKVNO) {
+	    printf("    mkvno\n");
+	}
+	if(mask & KADM5_AUX_ATTRIBUTES) {
+	    printf("    aux attributes\n");
+	}
+	if(mask & KADM5_POLICY) {
+	    printf("    policy\n");
+	}
+	if(mask & KADM5_POLICY_CLR) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_LAST_SUCCESS) {
+	    printf("    last success\n");
+	}
+	if(mask & KADM5_LAST_FAILED) {
+	    printf("    last failed\n");
+	}
+	if(mask & KADM5_FAIL_AUTH_COUNT) {
+	    printf("    fail auth count\n");
+	}
+	if(mask & KADM5_KEY_DATA) {
+	    printf("    key data\n");
+	}
+	if(mask & KADM5_TL_DATA) {
+	    printf("    tl data\n");
+	}
+	hdb_free_entry(context, &ent);
+	break;
+    default:
+	abort();
+    }
+    sp->seek(sp, end, SEEK_SET);
+}
+
+char *realm;
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, print_entry);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ent_setup.c b/crypto/heimdal/lib/kadm5/ent_setup.c
new file mode 100644
index 0000000..46653c7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ent_setup.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: ent_setup.c,v 1.11 1999/12/02 17:05:06 joda Exp $");
+
+#define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
+#define set_null(X)     do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
+
+static void
+attr_to_flags(unsigned attr, HDBFlags *flags)
+{
+    flags->postdate =		!(attr & KRB5_KDB_DISALLOW_POSTDATED);
+    flags->forwardable =	!(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
+    flags->initial =	       !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
+    flags->renewable =		!(attr & KRB5_KDB_DISALLOW_RENEWABLE);
+    flags->proxiable =		!(attr & KRB5_KDB_DISALLOW_PROXIABLE);
+    /* DUP_SKEY */
+    flags->invalid =	       !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
+    flags->require_preauth =   !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
+    /* HW_AUTH */
+    flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
+    flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
+    flags->client =	        1; /* XXX */
+}
+
+/*
+ * Create the hdb entry `ent' based on data from `princ' with
+ * `princ_mask' specifying what fields to be gotten from there and
+ * `mask' specifying what fields we want filled in.
+ */
+
+kadm5_ret_t
+_kadm5_setup_entry(hdb_entry *ent,
+		   u_int32_t mask,
+		   kadm5_principal_ent_t princ, 
+		   u_int32_t princ_mask,
+		   kadm5_principal_ent_t def,
+		   u_int32_t def_mask)
+{
+    if(mask & KADM5_PRINC_EXPIRE_TIME
+       && princ_mask & KADM5_PRINC_EXPIRE_TIME) {
+	if (princ->princ_expire_time)
+	    set_value(ent->valid_end, princ->princ_expire_time);
+	else
+	    set_null(ent->valid_end);
+    }
+    if(mask & KADM5_PW_EXPIRATION
+       && princ_mask & KADM5_PW_EXPIRATION) {
+	if (princ->pw_expiration)
+	    set_value(ent->pw_end, princ->pw_expiration);
+	else
+	    set_null(ent->pw_end);
+    }
+    if(mask & KADM5_ATTRIBUTES) {
+	if (princ_mask & KADM5_ATTRIBUTES) {
+	    attr_to_flags(princ->attributes, &ent->flags);
+	} else if(def_mask & KADM5_ATTRIBUTES) {
+	    attr_to_flags(def->attributes, &ent->flags);
+	    ent->flags.invalid = 0;
+	} else {
+	    ent->flags.client      = 1;
+	    ent->flags.server      = 1;
+	    ent->flags.forwardable = 1;
+	    ent->flags.proxiable   = 1;
+	    ent->flags.renewable   = 1;
+	    ent->flags.postdate    = 1;
+	}
+    }
+    if(mask & KADM5_MAX_LIFE) {
+	if(princ_mask & KADM5_MAX_LIFE) {
+	    if(princ->max_life)
+	      set_value(ent->max_life, princ->max_life);
+	    else
+	      set_null(ent->max_life);
+	} else if(def_mask & KADM5_MAX_LIFE) {
+	    if(def->max_life)
+	      set_value(ent->max_life, def->max_life);
+	    else
+	      set_null(ent->max_life);
+	}
+    }
+    if(mask & KADM5_KVNO
+       && princ_mask & KADM5_KVNO)
+	ent->kvno = princ->kvno;
+    if(mask & KADM5_MAX_RLIFE) {
+	if(princ_mask & KADM5_MAX_RLIFE) {
+	  if(princ->max_renewable_life)
+	    set_value(ent->max_renew, princ->max_renewable_life);
+	  else
+	    set_null(ent->max_renew);
+	} else if(def_mask & KADM5_MAX_RLIFE) {
+	  if(def->max_renewable_life)
+	    set_value(ent->max_renew, def->max_renewable_life);
+	  else
+	    set_null(ent->max_renew);
+	}
+    }
+    if(mask & KADM5_KEY_DATA
+       && princ_mask & KADM5_KEY_DATA) {
+	_kadm5_set_keys2(ent, princ->n_key_data, princ->key_data);
+    }
+    if(mask & KADM5_TL_DATA) {
+	/* XXX */
+    }
+    if(mask & KADM5_FAIL_AUTH_COUNT) {
+	/* XXX */
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/error.c b/crypto/heimdal/lib/kadm5/error.c
new file mode 100644
index 0000000..11b1ded
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/error.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: error.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+_kadm5_error_code(kadm5_ret_t code)
+{
+    switch(code){
+    case HDB_ERR_EXISTS:
+	return KADM5_DUP;
+    case HDB_ERR_NOENTRY:
+	return KADM5_UNK_PRINC;
+    }
+    return code;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush.c b/crypto/heimdal/lib/kadm5/flush.c
new file mode 100644
index 0000000..4808259
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush.c,v 1.2 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t 
+kadm5_s_flush(void *server_handle)
+{
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_c_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush_c.c b/crypto/heimdal/lib/kadm5/flush_c.c
new file mode 100644
index 0000000..01cdcf7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush_c.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush_c.c,v 1.1 1999/03/23 18:23:36 joda Exp $");
+
+kadm5_ret_t 
+kadm5_c_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush_s.c b/crypto/heimdal/lib/kadm5/flush_s.c
new file mode 100644
index 0000000..dffbe2f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush_s.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush_s.c,v 1.1 1999/03/23 18:23:37 joda Exp $");
+
+kadm5_ret_t 
+kadm5_s_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/free.c b/crypto/heimdal/lib/kadm5/free.c
new file mode 100644
index 0000000..fcc1e70
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/free.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: free.c,v 1.4 1999/12/02 17:05:06 joda Exp $");
+
+void 
+kadm5_free_key_data(void *server_handle,
+		    int16_t *n_key_data, 
+		    krb5_key_data *key_data)
+{
+    int i;
+    for(i = 0; i < *n_key_data; i++){
+	if(key_data[i].key_data_contents[0]){
+	    memset(key_data[i].key_data_contents[0], 
+		   0,
+		   key_data[i].key_data_length[0]);
+	    free(key_data[i].key_data_contents[0]);
+	}
+	if(key_data[i].key_data_contents[1])
+	    free(key_data[i].key_data_contents[1]);
+    }
+    *n_key_data = 0;
+}
+
+
+void 
+kadm5_free_principal_ent(void *server_handle,
+			 kadm5_principal_ent_t princ)
+{
+    kadm5_server_context *context = server_handle;
+    if(princ->principal)
+	krb5_free_principal(context->context, princ->principal);
+    if(princ->mod_name)
+	krb5_free_principal(context->context, princ->mod_name);
+    kadm5_free_key_data(server_handle, &princ->n_key_data, princ->key_data);
+    while(princ->n_tl_data && princ->tl_data) {
+	krb5_tl_data *tp;
+	tp = princ->tl_data;
+	princ->tl_data = tp->tl_data_next;
+	princ->n_tl_data--;
+	memset(tp->tl_data_contents, 0, tp->tl_data_length);
+	free(tp->tl_data_contents);
+	free(tp);
+    }
+    if (princ->key_data != NULL)
+	free (princ->key_data);
+}
+
+void 
+kadm5_free_name_list(void *server_handle,
+		     char **names, 
+		     int *count)
+{
+    int i;
+    for(i = 0; i < *count; i++)
+	free(names[i]);
+    free(names);
+    *count = 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_c.c b/crypto/heimdal/lib/kadm5/get_c.c
new file mode 100644
index 0000000..9ca672a
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_c.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_c.c,v 1.5 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_principal(void *server_handle, 
+		      krb5_principal princ, 
+		      kadm5_principal_ent_t out, 
+		      u_int32_t mask)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get);
+    krb5_store_principal(sp, princ);
+    krb5_store_int32(sp, mask);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0)
+	kadm5_ret_principal_ent(sp, out);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_princs_c.c b/crypto/heimdal/lib/kadm5/get_princs_c.c
new file mode 100644
index 0000000..0956052
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_princs_c.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_princs_c.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_principals(void *server_handle, 
+		       const char *exp,
+		       char ***princs, 
+		       int *count)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get_princs);
+    krb5_store_int32(sp, exp != NULL);
+    if(exp)
+	krb5_store_string(sp, exp);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0) {
+	int i;
+	krb5_ret_int32(sp, &tmp);
+	*princs = calloc(tmp + 1, sizeof(**princs));
+	if (*princs == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for(i = 0; i < tmp; i++)
+	    krb5_ret_string(sp, &(*princs)[i]);
+	*count = tmp;
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_princs_s.c b/crypto/heimdal/lib/kadm5/get_princs_s.c
new file mode 100644
index 0000000..2702bae
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_princs_s.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_princs_s.c,v 1.5 1999/12/02 17:05:06 joda Exp $");
+
+struct foreach_data {
+    const char *exp;
+    char *exp2;
+    char **princs;
+    int count;
+};
+
+static krb5_error_code
+add_princ(struct foreach_data *d, char *princ)
+{
+    char **tmp;
+    tmp = realloc(d->princs, (d->count + 1) * sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    d->princs = tmp;
+    d->princs[d->count++] = princ;
+    return 0;
+}
+
+static krb5_error_code
+foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
+{
+    struct foreach_data *d = data;
+    char *princ;
+    krb5_error_code ret;
+    ret = krb5_unparse_name(context, ent->principal, &princ);
+    if(ret)
+	return ret;
+    if(d->exp){
+	if(fnmatch(d->exp, princ, 0) == 0 || fnmatch(d->exp2, princ, 0) == 0)
+	    ret = add_princ(d, princ);
+	else
+	    free(princ);
+    }else{
+	ret = add_princ(d, princ);
+    }
+    if(ret)
+	free(princ);
+    return ret;
+}
+
+kadm5_ret_t
+kadm5_s_get_principals(void *server_handle, 
+		       const char *exp,
+		       char ***princs, 
+		       int *count)
+{
+    struct foreach_data d;
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret) {
+	krb5_warn(context->context, ret, "opening database");
+	return ret;
+    }
+    d.exp = exp;
+    {
+	krb5_realm r;
+	krb5_get_default_realm(context->context, &r);
+	asprintf(&d.exp2, "%s@%s", exp, r);
+	free(r);
+    }
+    d.princs = NULL;
+    d.count = 0;
+    ret = hdb_foreach(context->context, context->db, 0, foreach, &d);
+    context->db->close(context->context, context->db);
+    if(ret == 0)
+	ret = add_princ(&d, NULL);
+    if(ret == 0){
+	*princs = d.princs;
+	*count = d.count - 1;
+    }else
+	kadm5_free_name_list(context, d.princs, &d.count);
+    free(d.exp2);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/get_s.c b/crypto/heimdal/lib/kadm5/get_s.c
new file mode 100644
index 0000000..12613b6
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_s.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_s.c,v 1.11 1999/12/26 19:38:23 assar Exp $");
+
+kadm5_ret_t
+kadm5_s_get_principal(void *server_handle, 
+		      krb5_principal princ, 
+		      kadm5_principal_ent_t out, 
+		      u_int32_t mask)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDONLY, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    context->db->close(context->context, context->db);
+    if(ret)
+	return _kadm5_error_code(ret);
+
+    memset(out, 0, sizeof(*out));
+    if(mask & KADM5_PRINCIPAL)
+	ret  = krb5_copy_principal(context->context, ent.principal, 
+				   &out->principal);
+    if(ret)
+	goto out;
+    if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end)
+	out->princ_expire_time = *ent.valid_end;
+    if(mask & KADM5_PW_EXPIRATION && ent.pw_end)
+	out->pw_expiration = *ent.pw_end;
+    if(mask & KADM5_LAST_PWD_CHANGE)
+	/* XXX implement */;
+    if(mask & KADM5_ATTRIBUTES){
+	out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
+	out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
+	out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
+	out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
+	out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
+	out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
+	out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
+	out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
+	out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
+    }
+    if(mask & KADM5_MAX_LIFE && ent.max_life)
+	out->max_life = *ent.max_life;
+    if(mask & KADM5_MOD_TIME) {
+	if(ent.modified_by)
+	    out->mod_date = ent.modified_by->time;
+	else
+	    out->mod_date = ent.created_by.time;
+    }
+    if(mask & KADM5_MOD_NAME) {
+	if(ent.modified_by) {
+	    if (ent.modified_by->principal != NULL)
+		ret = krb5_copy_principal(context->context, 
+					  ent.modified_by->principal,
+					  &out->mod_name);
+	} else
+	    ret = krb5_copy_principal(context->context, 
+				      ent.created_by.principal,
+				      &out->mod_name);
+    }
+    if(ret)
+	goto out;
+
+    if(mask & KADM5_KVNO)
+	out->kvno = ent.kvno;
+    if(mask & KADM5_MKVNO) {
+	int n;
+	out->mkvno = 0; /* XXX */
+	for(n = 0; n < ent.keys.len; n++)
+	    if(ent.keys.val[n].mkvno) {
+		out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */
+		break;
+	    }
+    }
+    if(mask & KADM5_AUX_ATTRIBUTES)
+	/* XXX implement */;
+    if(mask & KADM5_POLICY)
+	out->policy = NULL;
+    if(mask & KADM5_MAX_RLIFE && ent.max_renew)
+	out->max_renewable_life = *ent.max_renew;
+    if(mask & KADM5_LAST_SUCCESS)
+	/* XXX implement */;
+    if(mask & KADM5_LAST_FAILED)
+	/* XXX implement */;
+    if(mask & KADM5_FAIL_AUTH_COUNT)
+	/* XXX implement */;
+    if(mask & KADM5_KEY_DATA){
+	int i;
+	Key *key;
+	krb5_key_data *kd;
+	krb5_salt salt;
+	krb5_data *sp;
+	krb5_get_pw_salt(context->context, ent.principal, &salt);
+	out->key_data = malloc(ent.keys.len * sizeof(*out->key_data));
+	for(i = 0; i < ent.keys.len; i++){
+	    key = &ent.keys.val[i];
+	    kd = &out->key_data[i];
+	    kd->key_data_ver = 2;
+	    kd->key_data_kvno = ent.kvno;
+	    kd->key_data_type[0] = key->key.keytype;
+	    if(key->salt)
+		kd->key_data_type[1] = key->salt->type;
+	    else
+		kd->key_data_type[1] = pa_pw_salt;
+	    /* setup key */
+	    kd->key_data_length[0] = key->key.keyvalue.length;
+	    kd->key_data_contents[0] = malloc(kd->key_data_length[0]);
+	    if(kd->key_data_contents[0] == NULL){
+		ret = ENOMEM;
+		break;
+	    }
+	    memcpy(kd->key_data_contents[0], key->key.keyvalue.data, 
+		   kd->key_data_length[0]);
+	    /* setup salt */
+	    if(key->salt)
+		sp = &key->salt->salt;
+	    else
+		sp = &salt.saltvalue;
+	    kd->key_data_length[1] = sp->length;
+	    kd->key_data_contents[1] = malloc(kd->key_data_length[1]);
+	    if(kd->key_data_length[1] != 0
+	       && kd->key_data_contents[1] == NULL) {
+		memset(kd->key_data_contents[0], 0, kd->key_data_length[0]);
+		ret = ENOMEM;
+		break;
+	    }
+	    memcpy(kd->key_data_contents[1], sp->data, kd->key_data_length[1]);
+	    out->n_key_data = i + 1;
+	}
+	krb5_free_salt(context->context, salt);
+    }
+    if(ret){
+	kadm5_free_principal_ent(context, out);
+	goto out;
+    }
+    if(mask & KADM5_TL_DATA)
+	/* XXX implement */;
+out:
+    hdb_free_entry(context->context, &ent);
+
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/init_c.c b/crypto/heimdal/lib/kadm5/init_c.c
new file mode 100644
index 0000000..098e9c8
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/init_c.c
@@ -0,0 +1,605 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+RCSID("$Id: init_c.c,v 1.35 2000/01/28 03:20:18 assar Exp $");
+
+static void
+set_funcs(kadm5_client_context *c)
+{
+#define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
+    SET(c, chpass_principal);
+    SET(c, chpass_principal);
+    SET(c, create_principal);
+    SET(c, delete_principal);
+    SET(c, destroy);
+    SET(c, flush);
+    SET(c, get_principal);
+    SET(c, get_principals);
+    SET(c, get_privs);
+    SET(c, modify_principal);
+    SET(c, randkey_principal);
+    SET(c, rename_principal);
+}
+
+kadm5_ret_t
+_kadm5_c_init_context(kadm5_client_context **ctx, 
+		      kadm5_config_params *params,
+		      krb5_context context)
+{
+    krb5_error_code ret;
+    char *colon;
+
+    *ctx = malloc(sizeof(**ctx));
+    if(*ctx == NULL)
+	return ENOMEM;
+    memset(*ctx, 0, sizeof(**ctx));
+    krb5_add_et_list (context, initialize_kadm5_error_table_r);
+    set_funcs(*ctx);
+    (*ctx)->context = context;
+    if(params->mask & KADM5_CONFIG_REALM)
+	(*ctx)->realm = strdup(params->realm);
+    else
+	krb5_get_default_realm((*ctx)->context, &(*ctx)->realm);
+    if(params->mask & KADM5_CONFIG_ADMIN_SERVER)
+	(*ctx)->admin_server = strdup(params->admin_server);
+    else {
+	char **hostlist;
+
+	ret = krb5_get_krb_admin_hst (context, &(*ctx)->realm, &hostlist);
+	if (ret)
+	    return ret;
+	(*ctx)->admin_server = strdup(*hostlist);
+	krb5_free_krbhst (context, hostlist);
+    }
+
+    if ((*ctx)->admin_server == NULL)
+	return ENOMEM;
+    colon = strchr ((*ctx)->admin_server, ':');
+    if (colon != NULL)
+	*colon++ = '\0';
+
+    (*ctx)->kadmind_port = 0;
+
+    if(params->mask & KADM5_CONFIG_KADMIND_PORT)
+	(*ctx)->kadmind_port = params->kadmind_port;
+    else if (colon != NULL) {
+	char *end;
+
+	(*ctx)->kadmind_port = htons(strtol (colon, &end, 0));
+    }
+    if ((*ctx)->kadmind_port == 0)
+	(*ctx)->kadmind_port = krb5_getportbyname (context, "kerberos-adm", 
+						   "tcp", 749);
+    return 0;
+}
+
+static krb5_error_code
+get_kadm_ticket(krb5_context context,
+		krb5_ccache id,
+		krb5_principal client,
+		const char *server_name)
+{
+    krb5_error_code ret;
+    krb5_creds in, *out;
+    
+    memset(&in, 0, sizeof(in));
+    in.client = client;
+    ret = krb5_parse_name(context, server_name, &in.server);
+    if(ret) 
+	return ret;
+    ret = krb5_get_credentials(context, 0, id, &in, &out);
+    if(ret == 0)
+	krb5_free_creds(context, out);
+    krb5_free_principal(context, in.server);
+    return ret;
+}
+
+static krb5_error_code
+get_new_cache(krb5_context context,
+	      krb5_principal client,
+	      const char *password,
+	      krb5_prompter_fct prompter,
+	      const char *keytab,
+	      const char *server_name,
+	      krb5_ccache *ret_cache)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_get_init_creds_opt opt;
+    krb5_ccache id;
+    
+    krb5_get_init_creds_opt_init (&opt);
+    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+    if(password == NULL && prompter == NULL) {
+	krb5_keytab kt;
+	if(keytab == NULL)
+	    ret = krb5_kt_default(context, &kt);
+	else
+	    ret = krb5_kt_resolve(context, keytab, &kt);
+	if(ret) 
+	    return ret;
+	ret = krb5_get_init_creds_keytab (context,
+					  &cred,
+					  client,
+					  kt,
+					  0,
+					  server_name,
+					  &opt);
+	krb5_kt_close(context, kt);
+    } else {
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    client,
+					    password,
+					    prompter,
+					    NULL,
+					    0,
+					    server_name,
+					    &opt);
+    }
+    switch(ret){
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR:	/* don't print anything if it was just C-c:ed */
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+    case KRB5KRB_AP_ERR_MODIFIED:
+	return KADM5_BAD_PASSWORD;
+    default:
+	return ret;
+    }
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if(ret)
+	return ret;
+    ret = krb5_cc_initialize (context, id, cred.client);
+    if (ret)
+	return ret;
+    ret = krb5_cc_store_cred (context, id, &cred);
+    if (ret)
+	return ret;
+    krb5_free_creds_contents (context, &cred);
+    *ret_cache = id;
+    return 0;
+}
+
+static krb5_error_code
+get_cred_cache(krb5_context context,
+	       const char *client_name,
+	       const char *server_name,
+	       const char *password,
+	       krb5_prompter_fct prompter,
+	       const char *keytab,
+	       krb5_ccache ccache,
+	       krb5_ccache *ret_cache)
+{
+    krb5_error_code ret;
+    krb5_ccache id = NULL;
+    krb5_principal default_client = NULL, client = NULL;
+    
+    /* treat empty password as NULL */
+    if(password && *password == '\0')
+	password = NULL;
+    if(server_name == NULL)
+	server_name = KADM5_ADMIN_SERVICE;
+    
+    if(client_name != NULL) {
+	ret = krb5_parse_name(context, client_name, &client);
+	if(ret) 
+	    return ret;
+    }
+
+    if(password != NULL || prompter != NULL) {
+	/* get principal from default cache, ok if this doesn't work */
+	ret = krb5_cc_default(context, &id);
+	if(ret == 0) {
+	    ret = krb5_cc_get_principal(context, id, &default_client);
+	    if(ret) {
+		krb5_cc_close(context, id);
+		id = NULL;
+	    }
+	}
+	
+	if(client == NULL)
+	    client = default_client;
+	if(client == NULL) {
+	    const char *user;
+
+	    user = get_default_username ();
+
+	    if(user == NULL)
+		return KADM5_FAILURE;
+	    ret = krb5_make_principal(context, &client, 
+				      NULL, user, "admin", NULL);
+	    if(ret)
+		return ret;
+	}
+	if(client != default_client) {
+	    krb5_free_principal(context, default_client);
+	    default_client = NULL;
+	    if (id != NULL) {
+		krb5_cc_close(context, id);
+		id = NULL;
+	    }
+	}
+    } else if(ccache != NULL)
+	id = ccache;
+    
+
+    if(id && (default_client == NULL || 
+	      krb5_principal_compare(context, client, default_client))) {
+	ret = get_kadm_ticket(context, id, client, server_name);
+	if(ret == 0) {
+	    *ret_cache = id;
+	    krb5_free_principal(context, default_client);
+	    if (default_client != client)
+		krb5_free_principal(context, client);
+	    return 0;
+	}
+	if(ccache != NULL)
+	    /* couldn't get ticket from cache */
+	    return -1;
+    }
+    /* get creds via AS request */
+    if(id)
+	krb5_cc_close(context, id);
+    if (client != default_client)
+	krb5_free_principal(context, default_client);
+
+    ret = get_new_cache(context, client, password, prompter, keytab, 
+			server_name, ret_cache);
+    krb5_free_principal(context, client);
+    return ret;
+}
+
+static kadm5_ret_t 
+kadm5_c_init_with_context(krb5_context context,
+			  const char *client_name, 
+			  const char *password,
+			  krb5_prompter_fct prompter,
+			  const char *keytab,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_client_context *ctx;
+    krb5_principal server;
+    krb5_ccache cc;
+    int s;
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    char *hostname, *slash;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    ret = _kadm5_c_init_context(&ctx, realm_params, context);
+    if(ret)
+	return ret;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port));
+
+    hostname = ctx->admin_server;
+    slash = strchr (hostname, '/');
+    if (slash != NULL)
+	hostname = slash + 1;
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) 
+	return KADM5_BAD_SERVER_NAME;
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    krb5_warn (context, errno, "connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	krb5_warnx (context, "failed to contact %s", hostname);
+	return KADM5_FAILURE;
+    }
+    ret = get_cred_cache(context, client_name, service_name, 
+			 password, prompter, keytab, ccache, &cc);
+    
+    if(ret) {
+	freeaddrinfo (ai);
+	close(s);
+	return ret;
+    }
+    ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
+    if(ret) {
+	freeaddrinfo (ai);
+	if(ccache == NULL)
+	    krb5_cc_close(context, cc);
+	close(s);
+	return ret;
+    }
+    ctx->ac = NULL;
+
+    ret = krb5_sendauth(context, &ctx->ac, &s, 
+			KADMIN_APPL_VERSION, NULL, 
+			server, AP_OPTS_MUTUAL_REQUIRED, 
+			NULL, NULL, cc, NULL, NULL, NULL);
+    if(ret == 0) {
+	krb5_data params, enc_data;
+	ret = _kadm5_marshal_params(context, realm_params, &params);
+	
+	ret = krb5_mk_priv(context,
+			   ctx->ac,
+			   &params,
+			   &enc_data,
+			   NULL);
+
+	ret = krb5_write_message(context, &s, &enc_data);
+	
+	krb5_data_free(&params);
+	krb5_data_free(&enc_data);
+    } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) {
+	close(s);
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0) {
+	    freeaddrinfo (ai);
+	    return errno;
+	}
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    freeaddrinfo (ai);
+	    return errno;
+	}
+	freeaddrinfo (ai);
+
+	ret = krb5_sendauth(context, &ctx->ac, &s, 
+			    KADMIN_OLD_APPL_VERSION, NULL, 
+			    server, AP_OPTS_MUTUAL_REQUIRED, 
+			    NULL, NULL, cc, NULL, NULL, NULL);
+    }
+    freeaddrinfo (ai);
+    if(ret) {
+	close(s);
+	return ret;
+    }
+    
+    krb5_free_principal(context, server);
+    if(ccache == NULL)
+	krb5_cc_close(context, cc);
+    if(ret) {
+	close(s);
+	return ret;
+    }
+    ctx->sock = s;
+    *server_handle = ctx;
+    return 0;
+}
+
+static kadm5_ret_t 
+init_context(const char *client_name, 
+	     const char *password,
+	     krb5_prompter_fct prompter,
+	     const char *keytab,
+	     krb5_ccache ccache,
+	     const char *service_name,
+	     kadm5_config_params *realm_params,
+	     unsigned long struct_version,
+	     unsigned long api_version,
+	     void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+    
+    krb5_init_context(&context);
+    ret = kadm5_c_init_with_context(context,
+				    client_name,
+				    password,
+				    prompter,
+				    keytab,
+				    ccache,
+				    service_name,
+				    realm_params,
+				    struct_version,
+				    api_version,
+				    server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_password_ctx(krb5_context context,
+			       const char *client_name, 
+			       const char *password,
+			       const char *service_name,
+			       kadm5_config_params *realm_params,
+			       unsigned long struct_version,
+			       unsigned long api_version,
+			       void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     password,
+				     krb5_prompter_posix,
+				     NULL,
+				     NULL,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_password(const char *client_name, 
+			   const char *password,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return init_context(client_name, 
+			password, 
+			krb5_prompter_posix,
+			NULL,
+			NULL,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_skey_ctx(krb5_context context,
+			   const char *client_name, 
+			   const char *keytab,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     NULL,
+				     NULL,
+				     keytab,
+				     NULL,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+
+kadm5_ret_t 
+kadm5_c_init_with_skey(const char *client_name, 
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return init_context(client_name, 
+			NULL,
+			NULL,
+			keytab,
+			NULL,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_creds_ctx(krb5_context context,
+			    const char *client_name,
+			    krb5_ccache ccache,
+			    const char *service_name,
+			    kadm5_config_params *realm_params,
+			    unsigned long struct_version,
+			    unsigned long api_version,
+			    void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     NULL,
+				     NULL,
+				     NULL,
+				     ccache,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_creds(const char *client_name,
+			krb5_ccache ccache,
+			const char *service_name,
+			kadm5_config_params *realm_params,
+			unsigned long struct_version,
+			unsigned long api_version,
+			void **server_handle)
+{
+    return init_context(client_name, 
+			NULL,
+			NULL,
+			NULL,
+			ccache,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+#if 0
+kadm5_ret_t 
+kadm5_init(char *client_name, char *pass,
+	   char *service_name,
+	   kadm5_config_params *realm_params,
+	   unsigned long struct_version,
+	   unsigned long api_version,
+	   void **server_handle)
+{
+}
+#endif
+
diff --git a/crypto/heimdal/lib/kadm5/init_s.c b/crypto/heimdal/lib/kadm5/init_s.c
new file mode 100644
index 0000000..6c1f3d1
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/init_s.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: init_s.c,v 1.9 1999/12/02 17:05:06 joda Exp $");
+
+
+static kadm5_ret_t 
+kadm5_s_init_with_context(krb5_context context,
+			  const char *client_name, 
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+    ret = _kadm5_s_init_context(&ctx, realm_params, context);
+    if(ret)
+	return ret;
+
+    assert(ctx->config.dbname != NULL);
+    assert(ctx->config.stash_file != NULL);
+    assert(ctx->config.acl_file != NULL);
+    assert(ctx->log_context.log_file != NULL);
+    assert(ctx->log_context.socket_name.sun_path[0] != '\0');
+
+    ret = hdb_create(ctx->context, &ctx->db, ctx->config.dbname);
+    if(ret)
+	return ret;
+    ret = hdb_set_master_keyfile (ctx->context, 
+				  ctx->db, ctx->config.stash_file);
+    if(ret)
+	return ret;
+
+    ctx->log_context.log_fd   = -1;
+
+    ctx->log_context.socket_fd = socket (AF_UNIX, SOCK_DGRAM, 0);
+
+    ret = krb5_parse_name(ctx->context, client_name, &ctx->caller);
+    if(ret)
+	return ret;
+
+    ret = _kadm5_acl_init(ctx);
+    if(ret)
+	return ret;
+    
+    *server_handle = ctx;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_password_ctx(krb5_context context,
+			       const char *client_name, 
+			       const char *password,
+			       const char *service_name,
+			       kadm5_config_params *realm_params,
+			       unsigned long struct_version,
+			       unsigned long api_version,
+			       void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_password(const char *client_name, 
+			   const char *password,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    krb5_init_context(&context);
+    ret = kadm5_s_init_with_password_ctx(context, 
+					 client_name, 
+					 password, 
+					 service_name, 
+					 realm_params, 
+					 struct_version, 
+					 api_version, 
+					 server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_skey_ctx(krb5_context context,
+			   const char *client_name, 
+			   const char *keytab,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_skey(const char *client_name,
+		       const char *keytab,
+		       const char *service_name,
+		       kadm5_config_params *realm_params,
+		       unsigned long struct_version,
+		       unsigned long api_version,
+		       void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    krb5_init_context(&context);
+    ret = kadm5_s_init_with_skey_ctx(context, 
+				     client_name, 
+				     keytab, 
+				     service_name, 
+				     realm_params, 
+				     struct_version, 
+				     api_version, 
+				     server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_creds_ctx(krb5_context context,
+			    const char *client_name,
+			    krb5_ccache ccache,
+			    const char *service_name,
+			    kadm5_config_params *realm_params,
+			    unsigned long struct_version,
+			    unsigned long api_version,
+			    void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_creds(const char *client_name,
+			krb5_ccache ccache,
+			const char *service_name,
+			kadm5_config_params *realm_params,
+			unsigned long struct_version,
+			unsigned long api_version,
+			void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    krb5_init_context(&context);
+    ret = kadm5_s_init_with_creds_ctx(context, 
+				      client_name, 
+				      ccache, 
+				      service_name, 
+				      realm_params, 
+				      struct_version, 
+				      api_version, 
+				      server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/iprop.h b/crypto/heimdal/lib/kadm5/iprop.h
new file mode 100644
index 0000000..499f515
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: iprop.h,v 1.4 1999/12/02 17:05:06 joda Exp $ */
+
+#ifndef __IPROP_H__
+#define __IPROP_H__
+
+#include "kadm5_locl.h"
+#include <getarg.h>
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#define IPROP_VERSION "iprop-0.0"
+
+#define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves"
+
+#define IPROP_NAME "iprop"
+
+enum iprop_cmd { I_HAVE = 1, FOR_YOU = 2 };
+
+#endif /* __IPROP_H__ */
diff --git a/crypto/heimdal/lib/kadm5/ipropd_master.c b/crypto/heimdal/lib/kadm5/ipropd_master.c
new file mode 100644
index 0000000..b2e71a7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ipropd_master.c
@@ -0,0 +1,422 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: ipropd_master.c,v 1.12 1999/12/02 17:05:06 joda Exp $");
+
+static int
+make_signal_socket (krb5_context context)
+{
+    struct sockaddr_un addr;
+    int fd;
+
+    fd = socket (AF_UNIX, SOCK_DGRAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_UNIX");
+    memset (&addr, 0, sizeof(addr));
+    addr.sun_family = AF_UNIX;
+    strncpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path));
+    addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
+    unlink (addr.sun_path);
+    if (bind (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "bind %s", addr.sun_path);
+    return fd;
+}
+
+static int
+make_listen_socket (krb5_context context)
+{
+    int fd;
+    int one = 1;
+    struct sockaddr_in addr;
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_INET");
+    setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port   = htons(4711);
+    if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "bind");
+    if (listen(fd, SOMAXCONN) < 0)
+	krb5_err (context, 1, errno, "listen");
+    return fd;
+}
+
+struct slave {
+    int fd;
+    struct sockaddr_in addr;
+    char *name;
+    krb5_auth_context ac;
+    u_int32_t version;
+    struct slave *next;
+};
+
+typedef struct slave slave;
+
+static int
+check_acl (krb5_context context, const char *name)
+{
+    FILE *fp;
+    char buf[256];
+    int ret = 1;
+
+    fp = fopen (KADM5_SLAVE_ACL, "r");
+    if (fp == NULL)
+	return 1;
+    while (fgets(buf, sizeof(buf), fp) != NULL) {
+	if (buf[strlen(buf) - 1 ] == '\n')
+	    buf[strlen(buf) - 1 ] = '\0';
+	if (strcmp (buf, name) == 0) {
+	    ret = 0;
+	    break;
+	}
+    }
+    fclose (fp);
+    return ret;
+}
+
+static void
+add_slave (krb5_context context, slave **root, int fd)
+{
+    krb5_principal server;
+    krb5_error_code ret;
+    slave *s;
+    int addr_len;
+    krb5_ticket *ticket = NULL;
+    char hostname[128];
+
+    s = malloc(sizeof(*s));
+    if (s == NULL) {
+	krb5_warnx (context, "add_slave: no memory");
+	return;
+    }
+    s->name = NULL;
+    s->ac = NULL;
+
+    addr_len = sizeof(s->addr);
+    s->fd = accept (fd, (struct sockaddr *)&s->addr, &addr_len);
+    if (s->fd < 0) {
+	krb5_warn (context, errno, "accept");
+	goto error;
+    }
+    gethostname(hostname, sizeof(hostname));
+    ret = krb5_sname_to_principal (context, hostname, IPROP_NAME,
+				   KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_sname_to_principal");
+	goto error;
+    }
+
+    ret = krb5_recvauth (context, &s->ac, &s->fd,
+			 IPROP_VERSION, server, 0, NULL, &ticket);
+    krb5_free_principal (context, server);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_recvauth");
+	goto error;
+    }
+    ret = krb5_unparse_name (context, ticket->client, &s->name);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_unparse_name");
+	goto error;
+    }
+    if (check_acl (context, s->name)) {
+	krb5_warnx (context, "%s not in acl", s->name);
+	goto error;
+    }
+    krb5_free_ticket (context, ticket);
+    printf ("connection from %s\n", s->name);
+
+    s->version = 0;
+    s->next = *root;
+    *root = s;
+    return;
+error:
+    if (s->name)
+	free (s->name);
+    if (s->ac)
+	krb5_auth_con_free(context, s->ac);
+    if (ticket)
+    krb5_free_ticket (context, ticket);
+    close (s->fd);
+    free(s);
+}
+
+static void
+remove_slave (krb5_context context, slave *s, slave **root)
+{
+    slave **p;
+
+    close (s->fd);
+    free (s->name);
+    krb5_auth_con_free (context, s->ac);
+
+    for (p = root; *p; p = &(*p)->next)
+	if (*p == s) {
+	    *p = s->next;
+	    break;
+	}
+    free (s);
+}
+
+static int
+send_complete (krb5_context context, slave *s)
+{
+    abort ();
+}
+
+static int
+send_diffs (krb5_context context, slave *s, int log_fd,
+	    u_int32_t current_version)
+{
+    krb5_storage *sp, *data_sp;
+    u_int32_t ver;
+    time_t timestamp;
+    enum kadm_ops op;
+    u_int32_t len;
+    off_t right, left;
+    krb5_data data;
+    krb5_data priv_data;
+    int ret = 0;
+
+    if (s->version == current_version)
+	return 0;
+
+    sp = kadm5_log_goto_end (log_fd);
+    right = sp->seek(sp, 0, SEEK_CUR);
+    printf ("%ld, looking for %d\n", (long)right, s->version);
+    for (;;) {
+	if (kadm5_log_previous (sp, &ver, &timestamp, &op, &len))
+	    abort ();
+	printf ("version = %d\n", ver);
+	left = sp->seek(sp, -16, SEEK_CUR);
+	if (ver == s->version)
+	    return 0;
+	if (ver == s->version + 1)
+	    break;
+	if (left == 0)
+	    return send_complete (context, s);
+    }
+    krb5_data_alloc (&data, right - left + 4);
+    sp->fetch (sp, (char *)data.data + 4, data.length - 4);
+    krb5_storage_free(sp);
+
+    _krb5_put_int(data.data, FOR_YOU, 4);
+
+    ret = krb5_mk_priv (context, s->ac, &data, &priv_data, NULL);
+    krb5_data_free(&data);
+    if (ret) {
+	krb5_warn (context, ret, "krb_mk_priv");
+	return 0;
+    }
+
+    ret = krb5_write_message (context, &s->fd, &priv_data);
+    krb5_data_free (&priv_data);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_write_message");
+	return 1;
+    }
+    return 0;
+}
+
+static int
+process_msg (krb5_context context, slave *s, int log_fd,
+	     u_int32_t current_version)
+{
+    int ret = 0;
+    krb5_data in, out;
+    krb5_storage *sp;
+    int32_t tmp;
+
+    ret = krb5_read_message (context, &s->fd, &in);
+    if (ret)
+	return 1;
+
+    if(in.length == 0) {
+	krb5_warnx(context, "process_msg: short message");
+	return 1;
+    }
+
+    ret = krb5_rd_priv (context, s->ac, &in, &out, NULL);
+    krb5_data_free (&in);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_rd_priv");
+	return 1;
+    }
+
+    sp = krb5_storage_from_mem (out.data, out.length);
+    krb5_ret_int32 (sp, &tmp);
+    switch (tmp) {
+    case I_HAVE :
+	krb5_ret_int32 (sp, &tmp);
+	s->version = tmp;
+	ret = send_diffs (context, s, log_fd, current_version);
+	break;
+    case FOR_YOU :
+    default :
+	krb5_warnx (context, "Ignoring command %d", tmp);
+	break;
+    }
+
+    krb5_data_free (&out);
+    return ret;
+}
+
+char *realm;
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+    int signal_fd, listen_fd;
+    int log_fd;
+    slave *slaves = NULL;
+    u_int32_t current_version, old_version = 0;
+
+    int optind;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    log_fd = open (server_context->log_context.log_file, O_RDONLY, 0);
+    if (log_fd < 0)
+	krb5_err (context, 1, errno, "open %s",
+		  server_context->log_context.log_file);
+
+    signal_fd = make_signal_socket (context);
+    listen_fd = make_listen_socket (context);
+
+    for (;;) {
+	slave *p;
+	fd_set readset;
+	int max_fd = 0;
+	struct timeval to = {30, 0};
+	u_int32_t vers;
+
+	FD_ZERO(&readset);
+	FD_SET(signal_fd, &readset);
+	max_fd = max(max_fd, signal_fd);
+	FD_SET(listen_fd, &readset);
+	max_fd = max(max_fd, listen_fd);
+
+	for (p = slaves; p != NULL; p = p->next) {
+	    FD_SET(p->fd, &readset);
+	    max_fd = max(max_fd, p->fd);
+	}
+
+	ret = select (max_fd + 1,
+		      &readset, NULL, NULL, &to);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		krb5_err (context, 1, errno, "select");
+	}
+
+	if (ret == 0) {
+	    old_version = current_version;
+	    kadm5_log_get_version (log_fd, &current_version);
+
+	    if (current_version > old_version)
+		for (p = slaves; p != NULL; p = p->next)
+		    send_diffs (context, p, log_fd, current_version);
+	}
+
+	if (ret && FD_ISSET(signal_fd, &readset)) {
+	    struct sockaddr_un peer_addr;
+	    int peer_len = sizeof(peer_addr);
+
+	    if(recvfrom(signal_fd, &vers, sizeof(vers), 0,
+			(struct sockaddr *)&peer_addr, &peer_len) < 0) {
+		krb5_warn (context, errno, "recvfrom");
+		continue;
+	    }
+	    printf ("signal: %u\n", vers);
+	    --ret;
+	    old_version = current_version;
+	    kadm5_log_get_version (log_fd, &current_version);
+	    for (p = slaves; p != NULL; p = p->next)
+		send_diffs (context, p, log_fd, current_version);
+	}
+
+	for(p = slaves; p != NULL && ret--; p = p->next)
+	    if (FD_ISSET(p->fd, &readset)) {
+		if(process_msg (context, p, log_fd, current_version))
+		    remove_slave (context, p, &slaves);
+	    }
+
+	if (ret && FD_ISSET(listen_fd, &readset)) {
+	    add_slave (context, &slaves, listen_fd);
+	    --ret;
+	}
+
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ipropd_slave.c b/crypto/heimdal/lib/kadm5/ipropd_slave.c
new file mode 100644
index 0000000..76884eb
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ipropd_slave.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: ipropd_slave.c,v 1.10 1999/12/02 17:05:06 joda Exp $");
+
+static int
+connect_to_master (krb5_context context, const char *master)
+{
+    int fd;
+    struct sockaddr_in addr;
+    struct hostent *he;
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_INET");
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port   = htons(4711);
+    he = roken_gethostbyname (master);
+    if (he == NULL)
+	krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
+    memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
+    if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "connect");
+    return fd;
+}
+
+static void
+get_creds(krb5_context context, krb5_ccache *cache, const char *host)
+{
+    krb5_keytab keytab;
+    krb5_principal client;
+    krb5_error_code ret;
+    krb5_get_init_creds_opt init_opts;
+#if 0
+    krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
+#endif
+    krb5_creds creds;
+    char my_hostname[128];
+    char *server;
+    
+    ret = krb5_kt_default(context, &keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_default");
+
+    gethostname (my_hostname, sizeof(my_hostname));
+    ret = krb5_sname_to_principal (context, my_hostname, IPROP_NAME,
+				   KRB5_NT_SRV_HST, &client);
+    if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
+
+    krb5_get_init_creds_opt_init(&init_opts);
+#if 0
+    krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
+#endif
+
+    asprintf (&server, "%s/%s", IPROP_NAME, host);
+    if (server == NULL)
+	krb5_errx (context, 1, "malloc: no memory");
+
+    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
+				     0, server, &init_opts);
+    free (server);
+    if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
+    
+    ret = krb5_kt_close(context, keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
+    
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, *cache, client);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_store_cred(context, *cache, &creds);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
+}
+
+static void
+ihave (krb5_context context, krb5_auth_context auth_context,
+       int fd, u_int32_t version)
+{
+    int ret;
+    u_char buf[8];
+    krb5_storage *sp;
+    krb5_data data, priv_data;
+
+    sp = krb5_storage_from_mem (buf, 8);
+    krb5_store_int32 (sp, I_HAVE);
+    krb5_store_int32 (sp, version);
+    krb5_storage_free (sp);
+    data.length = 8;
+    data.data   = buf;
+    
+    ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb_mk_priv");
+
+    ret = krb5_write_message (context, &fd, &priv_data);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_message");
+
+    krb5_data_free (&priv_data);
+}
+
+static void
+receive (krb5_context context,
+	 krb5_storage *sp,
+	 kadm5_server_context *server_context)
+{
+    int ret;
+    off_t left, right;
+    void *buf;
+    int32_t vers;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT, 0);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    do {
+	int32_t len, timestamp, tmp;
+	enum kadm_ops op;
+
+	if(krb5_ret_int32 (sp, &vers) != 0)
+	    return;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &tmp);
+	op = tmp;
+	krb5_ret_int32 (sp, &len);
+	if (vers <= server_context->log_context.version)
+	    sp->seek(sp, len, SEEK_CUR);
+    } while(vers <= server_context->log_context.version);
+
+    left  = sp->seek (sp, -16, SEEK_CUR);
+    right = sp->seek (sp, 0, SEEK_END);
+    buf = malloc (right - left);
+    if (buf == NULL) {
+	krb5_warnx (context, "malloc: no memory");
+	return;
+    }
+    sp->seek (sp, left, SEEK_SET);
+    sp->fetch (sp, buf, right - left);
+    write (server_context->log_context.log_fd, buf, right-left);
+    fsync (server_context->log_context.log_fd);
+    free (buf);
+
+    sp->seek (sp, left, SEEK_SET);
+
+    for(;;) {
+	int32_t len, timestamp, tmp;
+	enum kadm_ops op;
+
+	if(krb5_ret_int32 (sp, &vers) != 0)
+	    break;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &tmp);
+	op = tmp;
+	krb5_ret_int32 (sp, &len);
+
+	ret = kadm5_log_replay (server_context,
+				op, vers, len, sp);
+	if (ret)
+	    krb5_warn (context, ret, "kadm5_log_replay");
+	else
+	    server_context->log_context.version = vers;
+	sp->seek (sp, 8, SEEK_CUR);
+    }
+
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+}
+
+char *realm;
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context auth_context;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+    int master_fd;
+    krb5_ccache ccache;
+    krb5_principal server;
+
+    int optind;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    get_creds(context, &ccache, argv[1]);
+
+    master_fd = connect_to_master (context, argv[1]);
+
+    ret = krb5_sname_to_principal (context, argv[1], IPROP_NAME,
+				   KRB5_NT_SRV_HST, &server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_sname_to_principal");
+
+    auth_context = NULL;
+    ret = krb5_sendauth (context, &auth_context, &master_fd,
+			 IPROP_VERSION, NULL, server,
+			 AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
+			 ccache, NULL, NULL, NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_sendauth");
+
+    ihave (context, auth_context, master_fd,
+	   server_context->log_context.version);
+
+    for (;;) {
+	int ret;
+	krb5_data data, out;
+	krb5_storage *sp;
+	int32_t tmp;
+
+	ret = krb5_read_message (context, &master_fd, &data);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_read_message");
+
+	ret = krb5_rd_priv (context, auth_context,  &data, &out, NULL);
+	krb5_data_free (&data);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_rd_priv");
+
+	sp = krb5_storage_from_mem (out.data, out.length);
+	krb5_ret_int32 (sp, &tmp);
+	switch (tmp) {
+	case FOR_YOU :
+	    receive (context, sp, server_context);
+	    ihave (context, auth_context, master_fd,
+		   server_context->log_context.version);
+	    break;
+	case I_HAVE :
+	default :
+	    krb5_warnx (context, "Ignoring command %d", tmp);
+	    break;
+	}
+	krb5_storage_free (sp);
+	krb5_data_free (&out);
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/kadm5_err.et b/crypto/heimdal/lib/kadm5/kadm5_err.et
new file mode 100644
index 0000000..506a554
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5_err.et
@@ -0,0 +1,59 @@
+#
+# Error messages for the kadm5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: kadm5_err.et,v 1.4 1998/02/16 16:37:17 joda Exp $"
+
+error_table ovk kadm5
+
+prefix KADM5
+error_code FAILURE,		"Operation failed for unspecified reason"
+error_code AUTH_GET,		"Operation requires `get' privilege"
+error_code AUTH_ADD,		"Operation requires `add' privilege"
+error_code AUTH_MODIFY,		"Operation requires `modify' privilege"
+error_code AUTH_DELETE,		"Operation requires `delete' privilege"
+error_code AUTH_INSUFFICIENT,	"Insufficient authorization for operation"
+error_code BAD_DB,		"Database inconsistency detected"
+error_code DUP,			"Principal or policy already exists"
+error_code RPC_ERROR,		"Communication failure with server"
+error_code NO_SRV,		"No administration server found for realm"
+error_code BAD_HIST_KEY,	"Password history principal key version mismatch"
+error_code NOT_INIT,		"Connection to server not initialized"
+error_code UNK_PRINC,		"Principal does not exist"
+error_code UNK_POLICY,		"Policy does not exist"
+error_code BAD_MASK,		"Invalid field mask for operation"
+error_code BAD_CLASS,		"Invalid number of character classes"
+error_code BAD_LENGTH,		"Invalid password length"
+error_code BAD_POLICY,		"Invalid policy name"
+error_code BAD_PRINCIPAL,	"Invalid principal name."
+error_code BAD_AUX_ATTR,	"Invalid auxillary attributes"
+error_code BAD_HISTORY,		"Invalid password history count"
+error_code BAD_MIN_PASS_LIFE,	"Password minimum life is greater then password maximum life"
+error_code PASS_Q_TOOSHORT,	"Password is too short"
+error_code PASS_Q_CLASS,	"Password does not contain enough character classes"
+error_code PASS_Q_DICT,		"Password is in the password dictionary"
+error_code PASS_REUSE,		"Can't resuse password"
+error_code PASS_TOOSOON,	"Current password's minimum life has not expired"
+error_code POLICY_REF,		"Policy is in use"
+error_code INIT,		"Connection to server already initialized"
+error_code BAD_PASSWORD,	"Incorrect password"
+error_code PROTECT_PRINCIPAL,	"Can't change protected principal"
+error_code BAD_SERVER_HANDLE,	"Programmer error!  Bad Admin server handle"
+error_code BAD_STRUCT_VERSION,	"Programmer error!  Bad API structure version"
+error_code OLD_STRUCT_VERSION,	"API structure version specified by application is no longer supported"
+error_code NEW_STRUCT_VERSION,	"API structure version specified by application is unknown to libraries"
+error_code BAD_API_VERSION,	"Programmer error!  Bad API version"
+error_code OLD_LIB_API_VERSION,	"API version specified by application is no longer supported by libraries"
+error_code OLD_SERVER_API_VERSION,"API version specified by application is no longer supported by server"
+error_code NEW_LIB_API_VERSION,	"API version specified by application is unknown to libraries"
+error_code NEW_SERVER_API_VERSION,"API version specified by application is unknown to server"
+error_code SECURE_PRINC_MISSING,"Database error! Required principal missing"
+error_code NO_RENAME_SALT,	"The salt type of the specified principal does not support renaming"
+error_code BAD_CLIENT_PARAMS,	"Invalid configuration parameter for remote KADM5 client"
+error_code BAD_SERVER_PARAMS,	"Invalid configuration parameter for local KADM5 client."
+error_code AUTH_LIST,		"Operation requires `list' privilege"
+error_code AUTH_CHANGEPW,	"Operation requires `change-password' privilege"
+error_code BAD_TL_TYPE,		"Programmer error!  Invalid tagged data list element type"
+error_code MISSING_CONF_PARAMS,	"Required parameters in kdc.conf missing"
+error_code BAD_SERVER_NAME,	"Bad krb5 admin server hostname"
diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h
new file mode 100644
index 0000000..9344a2c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5_locl.h,v 1.21 1999/12/02 17:05:06 joda Exp $ */
+
+#ifndef __KADM5_LOCL_H__
+#define __KADM5_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <fnmatch.h>
+#include "admin.h"
+#include "kadm5_err.h"
+#include <hdb.h>
+#include <roken.h>
+#include <parse_units.h>
+#include "private.h"
+
+#endif /* __KADM5_LOCL_H__ */
diff --git a/crypto/heimdal/lib/kadm5/log.c b/crypto/heimdal/lib/kadm5/log.c
new file mode 100644
index 0000000..e9dc38c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/log.c
@@ -0,0 +1,666 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: log.c,v 1.13 1999/12/04 19:50:35 assar Exp $");
+
+/*
+ * A log record consists of:
+ *
+ * version number		4 bytes
+ * time in seconds		4 bytes
+ * operation (enum kadm_ops)	4 bytes
+ * length of record		4 bytes
+ * data...			n bytes
+ * length of record		4 bytes
+ * version number		4 bytes
+ *
+ */
+
+kadm5_ret_t
+kadm5_log_get_version (int fd,
+		       u_int32_t *ver)
+{
+    int ret;
+    krb5_storage *sp;
+    int32_t old_version;
+
+    ret = lseek (fd, 0, SEEK_END);
+    if(ret < 0)
+	return errno;
+    if(ret == 0) {
+	*ver = 0;
+	return 0;
+    }
+    sp = krb5_storage_from_fd (fd);
+    sp->seek(sp, -4, SEEK_CUR);
+    krb5_ret_int32 (sp, &old_version);
+    *ver = old_version;
+    krb5_storage_free(sp);
+    lseek (fd, 0, SEEK_END);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_log_init (kadm5_server_context *context)
+{
+    int fd;
+    kadm5_ret_t ret;
+    kadm5_log_context *log_context = &context->log_context;
+
+    if (log_context->log_fd != -1)
+	return 0;
+    fd = open (log_context->log_file, O_RDWR | O_CREAT, 0600);
+    if (fd < 0)
+	return errno;
+    if (flock (fd, LOCK_EX) < 0) {
+	close (fd);
+	return errno;
+    }
+
+    ret = kadm5_log_get_version (fd, &log_context->version);
+    if (ret)
+	return ret;
+
+    log_context->log_fd  = fd;
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_log_end (kadm5_server_context *context)
+{
+    kadm5_log_context *log_context = &context->log_context;
+    int fd = log_context->log_fd;
+
+    flock (fd, LOCK_UN);
+    close(fd);
+    log_context->log_fd = -1;
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_log_preamble (kadm5_server_context *context,
+		    krb5_storage *sp,
+		    enum kadm_ops op)
+{
+    kadm5_log_context *log_context = &context->log_context;
+    kadm5_ret_t kadm_ret;
+
+    kadm_ret = kadm5_log_init (context);
+    if (kadm_ret)
+	return kadm_ret;
+
+    krb5_store_int32 (sp, ++log_context->version);
+    krb5_store_int32 (sp, time(NULL));
+    krb5_store_int32 (sp, op);
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_log_postamble (kadm5_log_context *context,
+		     krb5_storage *sp)
+{
+    krb5_store_int32 (sp, context->version);
+    return 0;
+}
+
+/*
+ * flush the log record in `sp'.
+ */
+
+static kadm5_ret_t
+kadm5_log_flush (kadm5_log_context *log_context,
+		 krb5_storage *sp)
+{
+    krb5_data data;
+    size_t len;
+    int ret;
+
+    krb5_storage_to_data(sp, &data);
+    len = data.length;
+    ret = write (log_context->log_fd, data.data, len);
+    if (ret != len) {
+	krb5_data_free(&data);
+	return errno;
+    }
+    if (fsync (log_context->log_fd) < 0) {
+	krb5_data_free(&data);
+	return errno;
+    }
+    /*
+     * Try to send a signal to any running `ipropd-master'
+     */
+    sendto (log_context->socket_fd,
+	    (void *)&log_context->version,
+	    sizeof(log_context->version),
+	    0,
+	    (struct sockaddr *)&log_context->socket_name,
+	    sizeof(log_context->socket_name));
+
+    krb5_data_free(&data);
+    return 0;
+}
+
+/*
+ * Add a `create' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_create (kadm5_server_context *context,
+		  hdb_entry *ent)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    krb5_data value;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_create);
+    if (ret) {
+	krb5_data_free (&value);
+	krb5_storage_free(sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, value.length);
+    sp->store(sp, value.data, value.length);
+    krb5_store_int32 (sp, value.length);
+    krb5_data_free (&value);
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read the data of a create log record from `sp' and change the
+ * database.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_create (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    hdb_entry ent;
+
+    krb5_data_alloc (&data, len);
+    sp->fetch (sp, data.data, len);
+    ret = hdb_value2entry (context->context, &data, &ent);
+    krb5_data_free(&data);
+    if (ret)
+	return ret;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    hdb_free_entry (context->context, &ent);
+    return ret;
+}
+
+/*
+ * Add a `delete' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_delete (kadm5_server_context *context,
+		  krb5_principal princ)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    off_t off;
+    off_t len;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = kadm5_log_preamble (context, sp, kadm_delete);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    off = sp->seek (sp, 0, SEEK_CUR);
+    krb5_store_principal (sp, princ);
+    len = sp->seek (sp, 0, SEEK_CUR) - off;
+    sp->seek(sp, -(len + 4), SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    sp->seek(sp, len, SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `delete' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_delete (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    hdb_entry ent;
+
+    krb5_ret_principal (sp, &ent.principal);
+
+    ret = context->db->remove(context->context, context->db, &ent);
+    krb5_free_principal (context->context, ent.principal);
+    return ret;
+}
+
+/*
+ * Add a `rename' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_rename (kadm5_server_context *context,
+		  krb5_principal source,
+		  hdb_entry *ent)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    off_t off;
+    off_t len;
+    krb5_data value;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_rename);
+    if (ret) {
+	krb5_storage_free(sp);
+	krb5_data_free (&value);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    off = sp->seek (sp, 0, SEEK_CUR);
+    krb5_store_principal (sp, source);
+    sp->store(sp, value.data, value.length);
+    krb5_data_free (&value);
+    len = sp->seek (sp, 0, SEEK_CUR) - off;
+
+    sp->seek(sp, -(len + 4), SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    sp->seek(sp, len, SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `rename' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_rename (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    krb5_principal source;
+    hdb_entry source_ent, target_ent;
+    krb5_data value;
+    off_t off;
+    size_t princ_len, data_len;
+
+    off = sp->seek(sp, 0, SEEK_CUR);
+    krb5_ret_principal (sp, &source);
+    princ_len = sp->seek(sp, 0, SEEK_CUR) - off;
+    data_len = len - princ_len;
+    krb5_data_alloc (&value, data_len);
+    sp->fetch (sp, value.data, data_len);
+    ret = hdb_value2entry (context->context, &value, &target_ent);
+    krb5_data_free(&value);
+    if (ret) {
+	krb5_free_principal (context->context, source);
+	return ret;
+    }
+    ret = context->db->store (context->context, context->db, 0, &target_ent);
+    hdb_free_entry (context->context, &target_ent);
+    if (ret) {
+	krb5_free_principal (context->context, source);
+	return ret;
+    }
+    source_ent.principal = source;
+    ret = context->db->remove (context->context, context->db, &source_ent);
+    krb5_free_principal (context->context, source);
+    return ret;
+}
+
+
+/*
+ * Add a `modify' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_modify (kadm5_server_context *context,
+		  hdb_entry *ent,
+		  u_int32_t mask)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    krb5_data value;
+    u_int32_t len;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_modify);
+    if (ret) {
+	krb5_data_free (&value);
+	krb5_storage_free(sp);
+	return ret;
+    }
+    len = value.length + 4;
+    krb5_store_int32 (sp, len);
+    krb5_store_int32 (sp, mask);
+    sp->store(sp, value.data, value.length);
+    krb5_data_free (&value);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `modify' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_modify (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int32_t mask;
+    krb5_data value;
+    hdb_entry ent, log_ent;
+
+    krb5_ret_int32 (sp, &mask);
+    len -= 4;
+    krb5_data_alloc (&value, len);
+    sp->fetch (sp, value.data, len);
+    ret = hdb_value2entry (context->context, &value, &log_ent);
+    krb5_data_free(&value);
+    if (ret)
+	return ret;
+    ent.principal = log_ent.principal;
+    log_ent.principal = NULL;
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    if (ret)
+	return ret;
+    if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	if (ent.valid_end == NULL)
+	    ent.valid_end = malloc(sizeof(*ent.valid_end));
+	*ent.valid_end = *log_ent.valid_end;
+    }
+    if (mask & KADM5_PW_EXPIRATION) {
+	if (ent.pw_end == NULL)
+	    ent.pw_end = malloc(sizeof(*ent.pw_end));
+	*ent.pw_end = *log_ent.pw_end;
+    }
+    if (mask & KADM5_LAST_PWD_CHANGE) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_ATTRIBUTES) {
+	ent.flags = log_ent.flags;
+    }
+    if (mask & KADM5_MAX_LIFE) {
+	if (ent.max_life == NULL)
+	    ent.max_life = malloc (sizeof(*ent.max_life));
+	*ent.max_life = *log_ent.max_life;
+    }
+    if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
+	if (ent.modified_by == NULL) {
+	    ent.modified_by = malloc(sizeof(*ent.modified_by));
+	} else
+	    free_Event(ent.modified_by);
+	copy_Event(log_ent.modified_by, ent.modified_by);
+    }
+    if (mask & KADM5_KVNO) {
+	ent.kvno = log_ent.kvno;
+    }
+    if (mask & KADM5_MKVNO) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_POLICY) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_POLICY_CLR) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_MAX_RLIFE) {
+	if (ent.max_renew == NULL)
+	    ent.max_renew = malloc (sizeof(*ent.max_renew));
+	*ent.max_renew = *log_ent.max_renew;
+    }
+    if (mask & KADM5_LAST_SUCCESS) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_LAST_FAILED) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_FAIL_AUTH_COUNT) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_KEY_DATA) {
+	size_t len;
+	int i;
+
+	for (i = 0; i < ent.keys.len; ++i)
+	    free_Key(&ent.keys.val[i]);
+	free (ent.keys.val);
+
+	len = log_ent.keys.len;
+
+	ent.keys.len = len;
+	ent.keys.val = malloc(len * sizeof(*ent.keys.val));
+	for (i = 0; i < ent.keys.len; ++i)
+	    copy_Key(&log_ent.keys.val[i],
+		     &ent.keys.val[i]);
+    }
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+    hdb_free_entry (context->context, &ent);
+    hdb_free_entry (context->context, &log_ent);
+    return ret;
+}
+
+/*
+ * Call `func' for each log record in the log in `context'
+ */
+
+kadm5_ret_t
+kadm5_log_foreach (kadm5_server_context *context,
+		   void (*func)(kadm5_server_context *server_context,
+				u_int32_t ver,
+				time_t timestamp,
+				enum kadm_ops op,
+				u_int32_t len,
+				krb5_storage *sp))
+{
+    int fd = context->log_context.log_fd;
+    krb5_storage *sp;
+
+    lseek (fd, 0, SEEK_SET);
+    sp = krb5_storage_from_fd (fd);
+    for (;;) {
+	int32_t ver, timestamp, op, len;
+
+	if(krb5_ret_int32 (sp, &ver) != 0)
+	    break;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &op);
+	krb5_ret_int32 (sp, &len);
+	(*func)(context, ver, timestamp, op, len, sp);
+	sp->seek(sp, 8, SEEK_CUR);
+    }
+    return 0;
+}
+
+/*
+ * Go to end of log.
+ */
+
+krb5_storage *
+kadm5_log_goto_end (int fd)
+{
+    krb5_storage *sp;
+
+    sp = krb5_storage_from_fd (fd);
+    sp->seek(sp, 0, SEEK_END);
+    return sp;
+}
+
+/*
+ * Return previous log entry.
+ */
+
+kadm5_ret_t
+kadm5_log_previous (krb5_storage *sp,
+		    u_int32_t *ver,
+		    time_t *timestamp,
+		    enum kadm_ops *op,
+		    u_int32_t *len)
+{
+    off_t off;
+    int32_t tmp;
+
+    sp->seek(sp, -8, SEEK_CUR);
+    krb5_ret_int32 (sp, &tmp);
+    *len = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *ver = tmp;
+    off = 24 + *len;
+    sp->seek(sp, -off, SEEK_CUR);
+    krb5_ret_int32 (sp, &tmp);
+    assert(tmp == *ver);
+    krb5_ret_int32 (sp, &tmp);
+    *timestamp = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *op = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    assert(tmp == *len);
+    return 0;
+}
+
+/*
+ * Replay a record from the log
+ */
+
+kadm5_ret_t
+kadm5_log_replay (kadm5_server_context *context,
+		  enum kadm_ops op,
+		  u_int32_t ver,
+		  u_int32_t len,
+		  krb5_storage *sp)
+{
+    switch (op) {
+    case kadm_create :
+	return kadm5_log_replay_create (context, ver, len, sp);
+    case kadm_delete :
+	return kadm5_log_replay_delete (context, ver, len, sp);
+    case kadm_rename :
+	return kadm5_log_replay_rename (context, ver, len, sp);
+    case kadm_modify :
+	return kadm5_log_replay_modify (context, ver, len, sp);
+    default :
+	return KADM5_FAILURE;
+    }
+}
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
new file mode 100644
index 0000000..9828837
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -0,0 +1,330 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: marshall.c,v 1.6 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+kadm5_store_key_data(krb5_storage *sp,
+		     krb5_key_data *key)
+{
+    krb5_data c;
+    krb5_store_int32(sp, key->key_data_ver);
+    krb5_store_int32(sp, key->key_data_kvno);
+    krb5_store_int32(sp, key->key_data_type[0]);
+    c.length = key->key_data_length[0];
+    c.data = key->key_data_contents[0];
+    krb5_store_data(sp, c);
+    krb5_store_int32(sp, key->key_data_type[1]);
+    c.length = key->key_data_length[1];
+    c.data = key->key_data_contents[1];
+    krb5_store_data(sp, c);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_key_data(krb5_storage *sp,
+		   krb5_key_data *key)
+{
+    krb5_data c;
+    int32_t tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_ver = tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_kvno = tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_type[0] = tmp;
+    krb5_ret_data(sp, &c);
+    key->key_data_length[0] = c.length;
+    key->key_data_contents[0] = c.data;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_type[1] = tmp;
+    krb5_ret_data(sp, &c);
+    key->key_data_length[1] = c.length;
+    key->key_data_contents[1] = c.data;
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_store_tl_data(krb5_storage *sp,
+		    krb5_tl_data *tl)
+{
+    krb5_data c;
+    krb5_store_int32(sp, tl->tl_data_type);
+    c.length = tl->tl_data_length;
+    c.data = tl->tl_data_contents;
+    krb5_store_data(sp, c);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_tl_data(krb5_storage *sp,
+		  krb5_tl_data *tl)
+{
+    krb5_data c;
+    int32_t tmp;
+    krb5_ret_int32(sp, &tmp);
+    tl->tl_data_type = tmp;
+    krb5_ret_data(sp, &c);
+    tl->tl_data_length = c.length;
+    tl->tl_data_contents = c.data;
+    return 0;
+}
+
+static kadm5_ret_t
+store_principal_ent(krb5_storage *sp,
+		    kadm5_principal_ent_t princ,
+		    u_int32_t mask)
+{
+    int i;
+
+    if (mask & KADM5_PRINCIPAL)
+	krb5_store_principal(sp, princ->principal);
+    if (mask & KADM5_PRINC_EXPIRE_TIME)
+	krb5_store_int32(sp, princ->princ_expire_time);
+    if (mask & KADM5_PW_EXPIRATION)
+	krb5_store_int32(sp, princ->pw_expiration);
+    if (mask & KADM5_LAST_PWD_CHANGE)
+	krb5_store_int32(sp, princ->last_pwd_change);
+    if (mask & KADM5_MAX_LIFE)
+	krb5_store_int32(sp, princ->max_life);
+    if (mask & KADM5_MOD_NAME) {
+	krb5_store_int32(sp, princ->mod_name != NULL);
+	if(princ->mod_name)
+	    krb5_store_principal(sp, princ->mod_name);
+    }
+    if (mask & KADM5_MOD_TIME)
+	krb5_store_int32(sp, princ->mod_date);
+    if (mask & KADM5_ATTRIBUTES)
+	krb5_store_int32(sp, princ->attributes);
+    if (mask & KADM5_KVNO)
+	krb5_store_int32(sp, princ->kvno);
+    if (mask & KADM5_MKVNO)
+	krb5_store_int32(sp, princ->mkvno);
+    if (mask & KADM5_POLICY) {
+	krb5_store_int32(sp, princ->policy != NULL);
+	if(princ->policy)
+	    krb5_store_string(sp, princ->policy);
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES)
+	krb5_store_int32(sp, princ->aux_attributes);
+    if (mask & KADM5_MAX_RLIFE)
+	krb5_store_int32(sp, princ->max_renewable_life);
+    if (mask & KADM5_LAST_SUCCESS)
+	krb5_store_int32(sp, princ->last_success);
+    if (mask & KADM5_LAST_FAILED)
+	krb5_store_int32(sp, princ->last_failed);
+    if (mask & KADM5_FAIL_AUTH_COUNT)
+	krb5_store_int32(sp, princ->fail_auth_count);
+    if (mask & KADM5_KEY_DATA) {
+	krb5_store_int32(sp, princ->n_key_data);
+	for(i = 0; i < princ->n_key_data; i++)
+	    kadm5_store_key_data(sp, &princ->key_data[i]);
+    }
+    if (mask & KADM5_TL_DATA) {
+	krb5_tl_data *tp;
+
+	krb5_store_int32(sp, princ->n_tl_data);
+	for(tp = princ->tl_data; tp; tp = tp->tl_data_next)
+	    kadm5_store_tl_data(sp, tp);
+    }
+    return 0;
+}
+
+
+kadm5_ret_t
+kadm5_store_principal_ent(krb5_storage *sp,
+			  kadm5_principal_ent_t princ)
+{
+    return store_principal_ent (sp, princ, ~0);
+}
+
+kadm5_ret_t
+kadm5_store_principal_ent_mask(krb5_storage *sp,
+			       kadm5_principal_ent_t princ,
+			       u_int32_t mask)
+{
+    krb5_store_int32(sp, mask);
+    return store_principal_ent (sp, princ, mask);
+}
+
+static kadm5_ret_t
+ret_principal_ent(krb5_storage *sp,
+		  kadm5_principal_ent_t princ,
+		  u_int32_t mask)
+{
+    int i;
+    int32_t tmp;
+
+    if (mask & KADM5_PRINCIPAL)
+	krb5_ret_principal(sp, &princ->principal);
+    
+    if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	krb5_ret_int32(sp, &tmp);
+	princ->princ_expire_time = tmp;
+    }
+    if (mask & KADM5_PW_EXPIRATION) {
+	krb5_ret_int32(sp, &tmp);
+	princ->pw_expiration = tmp;
+    }
+    if (mask & KADM5_LAST_PWD_CHANGE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_pwd_change = tmp;
+    }
+    if (mask & KADM5_MAX_LIFE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->max_life = tmp;
+    }
+    if (mask & KADM5_MOD_NAME) {
+	krb5_ret_int32(sp, &tmp);
+	if(tmp)
+	    krb5_ret_principal(sp, &princ->mod_name);
+	else
+	    princ->mod_name = NULL;
+    }
+    if (mask & KADM5_MOD_TIME) {
+	krb5_ret_int32(sp, &tmp);
+	princ->mod_date = tmp;
+    }
+    if (mask & KADM5_ATTRIBUTES) {
+	krb5_ret_int32(sp, &tmp);
+	princ->attributes = tmp;
+    }
+    if (mask & KADM5_KVNO) {
+	krb5_ret_int32(sp, &tmp);
+	princ->kvno = tmp;
+    }
+    if (mask & KADM5_MKVNO) {
+	krb5_ret_int32(sp, &tmp);
+	princ->mkvno = tmp;
+    }
+    if (mask & KADM5_POLICY) {
+	krb5_ret_int32(sp, &tmp);
+	if(tmp)
+	    krb5_ret_string(sp, &princ->policy);
+	else
+	    princ->policy = NULL;
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES) {
+	krb5_ret_int32(sp, &tmp);
+	princ->aux_attributes = tmp;
+    }
+    if (mask & KADM5_MAX_RLIFE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->max_renewable_life = tmp;
+    }
+    if (mask & KADM5_LAST_SUCCESS) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_success = tmp;
+    }
+    if (mask & KADM5_LAST_FAILED) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_failed = tmp;
+    }
+    if (mask & KADM5_FAIL_AUTH_COUNT) {
+	krb5_ret_int32(sp, &tmp);
+	princ->fail_auth_count = tmp;
+    }
+    if (mask & KADM5_KEY_DATA) {
+	krb5_ret_int32(sp, &tmp);
+	princ->n_key_data = tmp;
+	princ->key_data = malloc(princ->n_key_data * sizeof(*princ->key_data));
+	for(i = 0; i < princ->n_key_data; i++)
+	    kadm5_ret_key_data(sp, &princ->key_data[i]);
+    }
+    if (mask & KADM5_TL_DATA) {
+	krb5_ret_int32(sp, &tmp);
+	princ->n_tl_data = tmp;
+	princ->tl_data = NULL;
+	for(i = 0; i < princ->n_tl_data; i++){
+	    krb5_tl_data *tp = malloc(sizeof(*tp));
+	    kadm5_ret_tl_data(sp, tp);
+	    tp->tl_data_next = princ->tl_data;
+	    princ->tl_data = tp;
+	}
+    }
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_principal_ent(krb5_storage *sp,
+			kadm5_principal_ent_t princ)
+{
+    return ret_principal_ent (sp, princ, ~0);
+}
+
+kadm5_ret_t
+kadm5_ret_principal_ent_mask(krb5_storage *sp,
+			     kadm5_principal_ent_t princ,
+			     u_int32_t *mask)
+{
+    int32_t tmp;
+
+    krb5_ret_int32 (sp, &tmp);
+    *mask = tmp;
+    return ret_principal_ent (sp, princ, *mask);
+}
+
+kadm5_ret_t
+_kadm5_marshal_params(krb5_context context, 
+		      kadm5_config_params *params, 
+		      krb5_data *out)
+{
+    krb5_storage *sp = krb5_storage_emem();
+    
+    krb5_store_int32(sp, params->mask & (KADM5_CONFIG_REALM));
+	
+    if(params->mask & KADM5_CONFIG_REALM)
+	krb5_store_string(sp, params->realm);
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_unmarshal_params(krb5_context context,
+			krb5_data *in,
+			kadm5_config_params *params)
+{
+    krb5_storage *sp = krb5_storage_from_data(in);
+    
+    krb5_ret_int32(sp, &params->mask);
+	
+    if(params->mask & KADM5_CONFIG_REALM)
+	krb5_ret_string(sp, &params->realm);
+    krb5_storage_free(sp);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/modify_c.c b/crypto/heimdal/lib/kadm5/modify_c.c
new file mode 100644
index 0000000..2a64ccc
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/modify_c.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: modify_c.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_modify_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_modify);
+    kadm5_store_principal_ent(sp, princ);
+    krb5_store_int32(sp, mask);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/modify_s.c b/crypto/heimdal/lib/kadm5/modify_s.c
new file mode 100644
index 0000000..4157202
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/modify_s.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: modify_s.c,v 1.9 1999/12/02 17:05:06 joda Exp $");
+
+static kadm5_ret_t
+modify_principal(void *server_handle,
+		 kadm5_principal_ent_t princ, 
+		 u_int32_t mask,
+		 u_int32_t forbidden_mask)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    if((mask & forbidden_mask))
+	return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
+	return KADM5_UNK_POLICY;
+    
+    ent.principal = princ->principal;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret)
+	goto out;
+    ret = _kadm5_setup_entry(&ent, mask, princ, mask, NULL, 0);
+    if(ret)
+	goto out2;
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_modify (context,
+		      &ent,
+		      mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
+		      
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
+
+
+kadm5_ret_t
+kadm5_s_modify_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask)
+{
+    return modify_principal(server_handle, princ, mask, 
+			    KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			    | KADM5_MOD_NAME | KADM5_MKVNO 
+			    | KADM5_AUX_ATTRIBUTES | KADM5_LAST_SUCCESS
+			    | KADM5_LAST_FAILED);
+}
diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c
new file mode 100644
index 0000000..86d35f3
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/password_quality.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: password_quality.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+static const char *
+simple_passwd_quality (krb5_context context,
+		       krb5_principal principal,
+		       krb5_data *pwd)
+{
+    if (pwd->length < 6)
+	return "Password too short";
+    else
+	return NULL;
+}
+
+typedef const char* (*passwd_quality_check_func)(krb5_context, 
+						 krb5_principal, 
+						 krb5_data*);
+
+static passwd_quality_check_func passwd_quality_check = simple_passwd_quality;
+
+#ifdef HAVE_DLOPEN
+extern const char *check_library;
+extern const char *check_function;
+
+#define PASSWD_VERSION 0
+
+#endif
+
+/*
+ * setup the password quality hook
+ */
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+				 const char *check_library,
+				 const char *check_function)
+{
+#ifdef HAVE_DLOPEN
+    void *handle;
+    void *sym;
+    int *version;
+    int flags;
+    const char *tmp;
+
+#ifdef RTLD_NOW
+    flags = RTLD_NOW;
+#else
+    flags = 0;
+#endif
+
+    if(check_library == NULL) {
+	tmp = krb5_config_get_string(context, NULL, 
+				     "password_quality", 
+				     "check_library", 
+				     NULL);
+	if(tmp != NULL)
+	    check_library = tmp;
+    }
+    if(check_function == NULL) {
+	tmp = krb5_config_get_string(context, NULL, 
+				     "password_quality", 
+				     "check_function", 
+				     NULL);
+	if(tmp != NULL)
+	    check_function = tmp;
+    }
+    if(check_library != NULL && check_function == NULL)
+	check_function = "passwd_check";
+
+    if(check_library == NULL)
+	return;
+    handle = dlopen(check_library, flags);
+    if(handle == NULL) {
+	krb5_warnx(context, "failed to open `%s'", check_library);
+	return;
+    }
+    version = dlsym(handle, "version");
+    if(version == NULL) {
+	krb5_warnx(context,
+		   "didn't find `version' symbol in `%s'", check_library);
+	dlclose(handle);
+	return;
+    }
+    if(*version != PASSWD_VERSION) {
+	krb5_warnx(context,
+		   "version of loaded library is %d (expected %d)",
+		   *version, PASSWD_VERSION);
+	dlclose(handle);
+	return;
+    }
+    sym = dlsym(handle, check_function);
+    if(sym == NULL) {
+	krb5_warnx(context, 
+		   "didn't find `%s' symbol in `%s'", 
+		   check_function, check_library);
+	dlclose(handle);
+	return;
+    }
+    passwd_quality_check = (passwd_quality_check_func) sym;
+#endif /* HAVE_DLOPEN */
+}
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd_data)
+{
+    return (*passwd_quality_check) (context, principal, pwd_data);
+}
diff --git a/crypto/heimdal/lib/kadm5/private.h b/crypto/heimdal/lib/kadm5/private.h
new file mode 100644
index 0000000..e56a0f5
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/private.h
@@ -0,0 +1,281 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: private.h,v 1.10 1999/12/04 23:09:34 assar Exp $ */
+
+#ifndef __kadm5_private_h__
+#define __kadm5_private_h__
+
+struct kadm_func {
+    kadm5_ret_t (*chpass_principal) (void *, krb5_principal, char*);
+    kadm5_ret_t (*create_principal) (void*, kadm5_principal_ent_t, 
+				     u_int32_t, char*);
+    kadm5_ret_t (*delete_principal) (void*, krb5_principal);
+    kadm5_ret_t (*destroy) (void*);
+    kadm5_ret_t (*flush) (void*);
+    kadm5_ret_t (*get_principal) (void*, krb5_principal, 
+				  kadm5_principal_ent_t, u_int32_t);
+    kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
+    kadm5_ret_t (*get_privs) (void*, u_int32_t*);
+    kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, u_int32_t);
+    kadm5_ret_t (*randkey_principal) (void*, krb5_principal, 
+				      krb5_keyblock**, int*);
+    kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
+};
+
+/* XXX should be integrated */
+typedef struct kadm5_common_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    void *data;
+}kadm5_common_context;
+
+typedef struct kadm5_log_peer {
+    int fd;
+    char *name;
+    krb5_auth_context ac;
+    struct kadm5_log_peer *next;
+} kadm5_log_peer;
+
+typedef struct kadm5_log_context {
+    char *log_file;
+    int log_fd;
+    u_int32_t version;
+    struct sockaddr_un socket_name;
+    int socket_fd;
+} kadm5_log_context;
+
+typedef struct kadm5_server_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    /* */
+    kadm5_config_params config;
+    HDB *db;
+    krb5_principal caller;
+    unsigned acl_flags;
+    kadm5_log_context log_context;
+}kadm5_server_context;
+
+typedef struct kadm5_client_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    /* */
+    krb5_auth_context ac;
+    char *realm;
+    char *admin_server;
+    int kadmind_port;
+    int sock;
+}kadm5_client_context;
+
+enum kadm_ops {
+    kadm_get,
+    kadm_delete,
+    kadm_create,
+    kadm_rename,
+    kadm_chpass,
+    kadm_modify,
+    kadm_randkey,
+    kadm_get_privs,
+    kadm_get_princs
+};
+
+#define KADMIN_APPL_VERSION "KADM0.1"
+#define KADMIN_OLD_APPL_VERSION "KADM0.0"
+
+#define KADM5_LOG_SIGNAL HDB_DB_DIR "/signal"
+
+kadm5_ret_t _kadm5_privs_to_string (u_int32_t, char*, size_t);
+
+kadm5_ret_t _kadm5_string_to_privs (const char*, u_int32_t*);
+
+HDB *_kadm5_s_get_db (void *);
+
+kadm5_ret_t
+_kadm5_acl_check_permission __P((
+	kadm5_server_context *context,
+	unsigned op));
+
+kadm5_ret_t
+_kadm5_acl_init __P((kadm5_server_context *context));
+
+kadm5_ret_t
+_kadm5_c_init_context __P((
+	kadm5_client_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_client_recv __P((
+	kadm5_client_context *context,
+	krb5_data *reply));
+
+kadm5_ret_t
+_kadm5_client_send __P((
+	kadm5_client_context *context,
+	krb5_storage *sp));
+
+kadm5_ret_t
+_kadm5_error_code __P((kadm5_ret_t code));
+
+kadm5_ret_t
+_kadm5_s_init_context __P((
+	kadm5_server_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_set_keys __P((
+	kadm5_server_context *context,
+	hdb_entry *ent,
+	const char *password));
+
+kadm5_ret_t
+_kadm5_set_keys2 __P((
+	hdb_entry *ent, 
+	int16_t n_key_data, 
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+_kadm5_set_keys_randomly __P((kadm5_server_context *context,
+			      hdb_entry *ent,
+			      krb5_keyblock **new_keys,
+			      int *n_keys));
+
+kadm5_ret_t
+_kadm5_set_modifier __P((
+	kadm5_server_context *context,
+	hdb_entry *ent));
+
+kadm5_ret_t
+_kadm5_setup_entry __P((
+	hdb_entry *ent,
+	u_int32_t mask,
+	kadm5_principal_ent_t princ,
+	u_int32_t princ_mask,
+	kadm5_principal_ent_t def,
+	u_int32_t def_mask));
+
+kadm5_ret_t
+kadm5_log_get_version (int fd,
+		       u_int32_t *ver);
+
+kadm5_ret_t
+kadm5_log_init (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_create (kadm5_server_context *context,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_delete (kadm5_server_context *context,
+		  krb5_principal princ);
+
+kadm5_ret_t
+kadm5_log_rename (kadm5_server_context *context,
+		  krb5_principal source,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_modify (kadm5_server_context *context,
+		  hdb_entry *ent,
+		  u_int32_t mask);
+
+kadm5_ret_t
+kadm5_log_end (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_foreach (kadm5_server_context *context,
+		   void (*func)(kadm5_server_context *server_context,
+				u_int32_t ver,
+				time_t timestamp,
+				enum kadm_ops op,
+				u_int32_t len,
+				krb5_storage *sp));
+
+kadm5_ret_t
+kadm5_log_replay_create (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_delete (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_rename (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_modify (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay (kadm5_server_context *context,
+		  enum kadm_ops op,
+		  u_int32_t ver,
+		  u_int32_t len,
+		  krb5_storage *sp);
+
+krb5_storage *
+kadm5_log_goto_end (int fd);
+
+kadm5_ret_t
+kadm5_log_previous (krb5_storage *sp,
+		    u_int32_t *ver,
+		    time_t *timestamp,
+		    enum kadm_ops *op,
+		    u_int32_t *len);
+
+kadm5_ret_t
+_kadm5_marshal_params __P((krb5_context context, 
+			   kadm5_config_params *params, 
+			   krb5_data *out));
+
+kadm5_ret_t
+_kadm5_unmarshal_params __P((krb5_context context,
+			     krb5_data *in,
+			     kadm5_config_params *params));
+
+
+
+#endif /* __kadm5_private_h__ */
diff --git a/crypto/heimdal/lib/kadm5/privs_c.c b/crypto/heimdal/lib/kadm5/privs_c.c
new file mode 100644
index 0000000..25d4976
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/privs_c.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: privs_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get_privs);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data(&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0){
+	krb5_ret_int32(sp, &tmp);
+	*privs = tmp;
+    }
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/privs_s.c b/crypto/heimdal/lib/kadm5/privs_s.c
new file mode 100644
index 0000000..85cd5d5
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/privs_s.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: privs_s.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_get_privs(void *server_handle, u_int32_t *privs)
+{
+    kadm5_server_context *context = server_handle;
+    *privs = context->acl_flags;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/randkey_c.c b/crypto/heimdal/lib/kadm5/randkey_c.c
new file mode 100644
index 0000000..7531b6e
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/randkey_c.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: randkey_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_randkey_principal(void *server_handle, 
+			  krb5_principal princ,
+			  krb5_keyblock **new_keys, 
+			  int *n_keys)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_randkey);
+    krb5_store_principal(sp, princ);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data(&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0){
+	krb5_keyblock *k;
+	int i;
+
+	krb5_ret_int32(sp, &tmp);
+	k = malloc(tmp * sizeof(*k));
+	if (k == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for(i = 0; i < tmp; i++)
+	    krb5_ret_keyblock(sp, &k[i]);
+	*n_keys = tmp;
+	*new_keys = k;
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/randkey_s.c b/crypto/heimdal/lib/kadm5/randkey_s.c
new file mode 100644
index 0000000..25c8571
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/randkey_s.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: randkey_s.c,v 1.10 1999/12/02 17:05:07 joda Exp $");
+
+/*
+ * Set the keys of `princ' to random values, returning the random keys
+ * in `new_keys', `n_keys'.
+ */
+
+kadm5_ret_t
+kadm5_s_randkey_principal(void *server_handle, 
+			  krb5_principal princ,
+			  krb5_keyblock **new_keys, 
+			  int *n_keys)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret)
+	goto out;
+
+    ret = _kadm5_set_keys_randomly (context,
+				    &ent,
+				    new_keys,
+				    n_keys);
+    if (ret)
+	goto out2;
+
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out3;
+
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO);
+
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out3:
+    if (ret) {
+	int i;
+
+	for (i = 0; i < *n_keys; ++i)
+	    krb5_free_keyblock_contents (context->context, &(*new_keys)[i]);
+	free (*new_keys);
+	*new_keys = NULL;
+	*n_keys = 0;
+    }
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/rename_c.c b/crypto/heimdal/lib/kadm5/rename_c.c
new file mode 100644
index 0000000..d33e611
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/rename_c.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: rename_c.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_rename_principal(void *server_handle, 
+			 krb5_principal source,
+			 krb5_principal target)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_rename);
+    krb5_store_principal(sp, source);
+    krb5_store_principal(sp, target);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/rename_s.c b/crypto/heimdal/lib/kadm5/rename_s.c
new file mode 100644
index 0000000..e7f9038
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/rename_s.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: rename_s.c,v 1.9 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_rename_principal(void *server_handle, 
+			 krb5_principal source,
+			 krb5_principal target)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent, ent2;
+    ent.principal = source;
+    if(krb5_principal_compare(context->context, source, target))
+	return KADM5_DUP; /* XXX is this right? */
+    if(!krb5_realm_compare(context->context, source, target))
+	return KADM5_FAILURE; /* XXX better code */
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret){
+	context->db->close(context->context, context->db);
+	goto out;
+    }
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+    {
+	/* fix salt */
+	int i;
+	Salt salt;
+	krb5_salt salt2;
+	krb5_get_pw_salt(context->context, source, &salt2);
+	salt.type = hdb_pw_salt;
+	salt.salt = salt2.saltvalue;
+	for(i = 0; i < ent.keys.len; i++){
+	    if(ent.keys.val[i].salt == NULL){
+		ent.keys.val[i].salt = malloc(sizeof(*ent.keys.val[i].salt));
+		ret = copy_Salt(&salt, ent.keys.val[i].salt);
+		if(ret)
+		    break;
+	    }
+	}
+	krb5_free_salt(context->context, salt2);
+    }
+    if(ret)
+	goto out2;
+    ent2.principal = ent.principal;
+    ent.principal = target;
+
+    hdb_seal_keys(context->db, &ent);
+
+    kadm5_log_rename (context,
+		      source,
+		      &ent);
+
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    if(ret){
+	ent.principal = ent2.principal;
+	goto out2;
+    }
+    ret = context->db->remove(context->context, context->db, &ent2);
+    ent.principal = ent2.principal;
+out2:
+    context->db->close(context->context, context->db);
+    hdb_free_entry(context->context, &ent);
+out:
+    return _kadm5_error_code(ret);
+}
+
diff --git a/crypto/heimdal/lib/kadm5/replay_log.c b/crypto/heimdal/lib/kadm5/replay_log.c
new file mode 100644
index 0000000..c0e05ee
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/replay_log.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: replay_log.c,v 1.7 1999/12/04 19:51:11 assar Exp $");
+
+static void
+apply_entry(kadm5_server_context *server_context,
+	    u_int32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    u_int32_t len,
+	    krb5_storage *sp)
+{
+    krb5_error_code ret;
+
+    printf ("ver %u... ", ver);
+    fflush (stdout);
+
+    ret = kadm5_log_replay (server_context,
+			    op, ver, len, sp);
+    if (ret)
+	krb5_warn (server_context->context, ret, "kadm5_log_replay");
+
+    
+    printf ("done\n");
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_config_params conf;
+    kadm5_server_context *server_context;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT, 0);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, apply_entry);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/sample_passwd_check.c b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
new file mode 100644
index 0000000..4ff5122
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* $Id: sample_passwd_check.c,v 1.1 1999/09/10 10:11:03 assar Exp $ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <krb5.h>
+
+/* specify the api-version this library conforms to */
+
+int version = 0;
+
+/* just check the length of the password, this is what the default
+   check does, but this lets you specify the minimum length in
+   krb5.conf */
+const char*
+check_length(krb5_context context,
+             krb5_principal prinipal,
+             krb5_data *password)
+{
+    int min_length = krb5_config_get_int_default(context, NULL, 6,
+						 "password_quality",
+						 "min_length",
+						 NULL);
+    if(password->length < min_length)
+	return "Password too short";
+    return NULL;
+}
+
+#ifdef DICTPATH
+
+/* use cracklib to check password quality; this requires a patch for
+   cracklib that can be found at
+   ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch */
+
+const char*
+check_cracklib(krb5_context context,
+	       krb5_principal principal,
+	       krb5_data *password)
+{
+    char *s = malloc(password->length + 1);
+    char *msg;
+    char *strings[2];
+    if(s == NULL)
+	return NULL; /* XXX */
+    strings[0] = principal->name.name_string.val[0]; /* XXX */
+    strings[1] = NULL;
+    memcpy(s, password->data, password->length);
+    s[password->length] = '\0';
+    msg = FascistCheck(s, DICTPATH, strings);
+    memset(s, 0, password->length);
+    free(s);
+    return msg;
+}
+#endif
diff --git a/crypto/heimdal/lib/kadm5/send_recv.c b/crypto/heimdal/lib/kadm5/send_recv.c
new file mode 100644
index 0000000..51f6972
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/send_recv.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: send_recv.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t 
+_kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
+{
+    krb5_data msg, out;
+    krb5_error_code ret;
+    size_t len;
+    krb5_storage *sock;
+
+    len = sp->seek(sp, 0, SEEK_CUR);
+    ret = krb5_data_alloc(&msg, len);
+    sp->seek(sp, 0, SEEK_SET);
+    sp->fetch(sp, msg.data, msg.length);
+    
+    ret = krb5_mk_priv(context->context, context->ac, &msg, &out, NULL);
+    krb5_data_free(&msg);
+    if(ret)
+	return ret;
+    
+    sock = krb5_storage_from_fd(context->sock);
+    if(sock == NULL) {
+	krb5_data_free(&out);
+	return ENOMEM;
+    }
+    
+    ret = krb5_store_data(sock, out);
+    krb5_storage_free(sock);
+    krb5_data_free(&out);
+    return ret;
+}
+
+kadm5_ret_t
+_kadm5_client_recv(kadm5_client_context *context, krb5_data *reply)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    krb5_storage *sock;
+
+    sock = krb5_storage_from_fd(context->sock);
+    if(sock == NULL)
+	return ENOMEM;
+    ret = krb5_ret_data(sock, &data);
+    krb5_storage_free(sock);
+    if(ret == KRB5_CC_END)
+	return KADM5_RPC_ERROR;
+    else if(ret)
+	return ret;
+
+    ret = krb5_rd_priv(context->context, context->ac, &data, reply, NULL);
+    krb5_data_free(&data);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/server_glue.c b/crypto/heimdal/lib/kadm5/server_glue.c
new file mode 100644
index 0000000..21b6077
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/server_glue.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: server_glue.c,v 1.6 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_init_with_password(const char *client_name,
+			 const char *password,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_s_init_with_password(client_name,
+				      password,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_password_ctx(krb5_context context,
+			     const char *client_name,
+			     const char *password,
+			     const char *service_name,
+			     kadm5_config_params *realm_params,
+			     unsigned long struct_version,
+			     unsigned long api_version,
+			     void **server_handle)
+{
+    return kadm5_s_init_with_password_ctx(context,
+					  client_name,
+					  password,
+					  service_name,
+					  realm_params,
+					  struct_version,
+					  api_version,
+					  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey(const char *client_name,
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return kadm5_s_init_with_skey(client_name,
+				  keytab,
+				  service_name,
+				  realm_params,
+				  struct_version,
+				  api_version,
+				  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx(krb5_context context,
+			 const char *client_name,
+			 const char *keytab,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_s_init_with_skey_ctx(context,
+				      client_name,
+				      keytab,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds(const char *client_name,
+		      krb5_ccache ccache,
+		      const char *service_name,
+		      kadm5_config_params *realm_params,
+		      unsigned long struct_version,
+		      unsigned long api_version,
+		      void **server_handle)
+{
+    return kadm5_s_init_with_creds(client_name,
+				   ccache,
+				   service_name,
+				   realm_params,
+				   struct_version,
+				   api_version,
+				   server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx(krb5_context context,
+			  const char *client_name,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    return kadm5_s_init_with_creds_ctx(context,
+				       client_name,
+				       ccache,
+				       service_name,
+				       realm_params,
+				       struct_version,
+				       api_version,
+				       server_handle);
+}
diff --git a/crypto/heimdal/lib/kadm5/set_keys.c b/crypto/heimdal/lib/kadm5/set_keys.c
new file mode 100644
index 0000000..e4d5d1a
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/set_keys.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: set_keys.c,v 1.18 1999/12/04 23:11:01 assar Exp $");
+
+/*
+ * free all the memory used by (len, keys)
+ */
+
+static void
+free_keys (kadm5_server_context *context,
+	   int len, Key *keys)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	free (keys[i].mkvno);
+	keys[i].mkvno = NULL;
+	if (keys[i].salt != NULL) {
+	    free_Salt(keys[i].salt);
+	    free(keys[i].salt);
+	    keys[i].salt = NULL;
+	}
+	krb5_free_keyblock_contents(context->context, &keys[i].key);
+    }
+    free (keys);
+}
+
+/*
+ * null-ify `len', `keys'
+ */
+
+static void
+init_keys (Key *keys, int len)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	keys[i].mkvno               = NULL;
+	keys[i].salt                = NULL;
+	keys[i].key.keyvalue.length = 0;
+	keys[i].key.keyvalue.data   = NULL;
+    }
+}
+
+/*
+ * the known and used DES enctypes
+ */
+
+static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC,
+				    ETYPE_DES_CBC_MD4,
+				    ETYPE_DES_CBC_MD5 };
+
+static unsigned n_des_types = 3;
+
+/*
+ * Set the keys of `ent' to the string-to-key of `password'
+ */
+
+kadm5_ret_t
+_kadm5_set_keys(kadm5_server_context *context,
+		hdb_entry *ent, 
+		const char *password)
+{
+    kadm5_ret_t ret = 0;
+    int i;
+    unsigned len;
+    Key *keys;
+    krb5_salt salt;
+    krb5_boolean v4_salt = FALSE;
+
+    len  = n_des_types + 1;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
+	return ENOMEM;
+
+    init_keys (keys, len);
+
+    salt.salttype         = KRB5_PW_SALT;
+    salt.saltvalue.length = 0;
+    salt.saltvalue.data   = NULL;
+
+    if (krb5_config_get_bool (context->context,
+			      NULL, "kadmin", "use_v4_salt", NULL)) {
+	v4_salt = TRUE;
+    } else {
+	ret = krb5_get_pw_salt (context->context, ent->principal, &salt);
+	if (ret)
+	    goto out;
+    }
+
+    for (i = 0; i < n_des_types; ++i) {
+	ret = krb5_string_to_key_salt (context->context,
+				       des_types[i],
+				       password,
+				       salt,
+				       &keys[i].key);
+	if (ret)
+	    goto out;
+	if (v4_salt) {
+	    keys[i].salt = malloc (sizeof(*keys[i].salt));
+	    if (keys[i].salt == NULL) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    keys[i].salt->type = salt.salttype;
+	    ret = copy_octet_string (&salt.saltvalue, &keys[i].salt->salt);
+	    if (ret)
+		goto out;
+	}
+    }
+
+    ret = krb5_string_to_key (context->context,
+			      ETYPE_DES3_CBC_SHA1,
+			      password,
+			      ent->principal,
+			      &keys[n_des_types].key);
+    if (ret)
+	goto out;
+
+    free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = keys;
+    ent->kvno++;
+    return ret;
+out:
+    krb5_data_free (&salt.saltvalue);
+    free_keys (context, len, keys);
+    return ret;
+}
+
+/*
+ * Set the keys of `ent' to (`n_key_data', `key_data')
+ */
+
+kadm5_ret_t
+_kadm5_set_keys2(hdb_entry *ent, 
+		 int16_t n_key_data, 
+		 krb5_key_data *key_data)
+{
+    krb5_error_code ret;
+    int i;
+
+    ent->keys.len = n_key_data;
+    ent->keys.val = malloc(ent->keys.len * sizeof(*ent->keys.val));
+    if(ent->keys.val == NULL)
+	return ENOMEM;
+    for(i = 0; i < n_key_data; i++) {
+	ent->keys.val[i].mkvno = NULL;
+	ent->keys.val[i].key.keytype = key_data[i].key_data_type[0];
+	ret = krb5_data_copy(&ent->keys.val[i].key.keyvalue,
+			     key_data[i].key_data_contents[0],
+			     key_data[i].key_data_length[0]);
+	if(ret)
+	    return ret;
+	if(key_data[i].key_data_ver == 2) {
+	    Salt *salt;
+	    salt = malloc(sizeof(*salt));
+	    if(salt == NULL)
+		return ENOMEM;
+	    ent->keys.val[i].salt = salt;
+	    salt->type = key_data[i].key_data_type[1];
+	    krb5_data_copy(&salt->salt, 
+			   key_data[i].key_data_contents[1],
+			   key_data[i].key_data_length[1]);
+	} else
+	    ent->keys.val[i].salt = NULL;
+    }
+    ent->kvno++;
+    return 0;
+}
+
+/*
+ * Set the keys of `ent' to random keys and return them in `n_keys'
+ * and `new_keys'.
+ */
+
+kadm5_ret_t
+_kadm5_set_keys_randomly (kadm5_server_context *context,
+			  hdb_entry *ent,
+			  krb5_keyblock **new_keys,
+			  int *n_keys)
+{
+    kadm5_ret_t ret = 0;
+    int i;
+    unsigned len;
+    krb5_keyblock *keys;
+    Key *hkeys;
+
+    len  = n_des_types + 1;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
+	return ENOMEM;
+
+    for (i = 0; i < len; ++i) {
+	keys[i].keyvalue.length = 0;
+	keys[i].keyvalue.data   = NULL;
+    }
+
+    hkeys = malloc (len * sizeof(*hkeys));
+    if (hkeys == NULL) {
+	free (keys);
+	return ENOMEM;
+    }
+
+    init_keys (hkeys, len);
+
+    ret = krb5_generate_random_keyblock (context->context,
+					 des_types[0],
+					 &keys[0]);
+    if (ret)
+	goto out;
+
+    ret = krb5_copy_keyblock_contents (context->context,
+				       &keys[0],
+				       &hkeys[0].key);
+    if (ret)
+	goto out;
+
+    for (i = 1; i < n_des_types; ++i) {
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keys[0],
+					   &keys[i]);
+	if (ret)
+	    goto out;
+	keys[i].keytype = des_types[i];
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keys[0],
+					   &hkeys[i].key);
+	if (ret)
+	    goto out;
+	hkeys[i].key.keytype = des_types[i];
+    }
+
+    ret = krb5_generate_random_keyblock (context->context,
+					 ETYPE_DES3_CBC_SHA1,
+					 &keys[n_des_types]);
+    if (ret)
+	goto out;
+
+    ret = krb5_copy_keyblock_contents (context->context,
+				       &keys[n_des_types],
+				       &hkeys[n_des_types].key);
+    if (ret)
+	goto out;
+
+    free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = hkeys;
+    ent->kvno++;
+    *new_keys     = keys;
+    *n_keys       = len;
+    return ret;
+out:
+    for (i = 0; i < len; ++i)
+	krb5_free_keyblock_contents (context->context, &keys[i]);
+    free (keys);
+    free_keys (context, len, hkeys);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/set_modifier.c b/crypto/heimdal/lib/kadm5/set_modifier.c
new file mode 100644
index 0000000..2b09745
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/set_modifier.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: set_modifier.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+_kadm5_set_modifier(kadm5_server_context *context,
+		    hdb_entry *ent)
+{
+    kadm5_ret_t ret;
+    if(ent->modified_by == NULL){
+	ent->modified_by = malloc(sizeof(*ent->modified_by));
+	if(ent->modified_by == NULL)
+	    return ENOMEM;
+    } else
+	free_Event(ent->modified_by);
+    ent->modified_by->time = time(NULL);
+    ret = krb5_copy_principal(context->context, context->caller, 
+			      &ent->modified_by->principal);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/kafs/ChangeLog b/crypto/heimdal/lib/kafs/ChangeLog
new file mode 100644
index 0000000..09ea01e
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/ChangeLog
@@ -0,0 +1,169 @@
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:2:1
+
+1999-11-22  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): handle d->realm == NULL
+	
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): don't look at the local realm at
+ 	all.  just use the realm from the ticket file.
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:1:1
+
+	* afskrb5.c (get_cred): always request a DES key
+
+Mon Oct 18 17:40:21 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* common.c (find_cells): Trim trailing whitespace from
+ 	cellname. Lines starting with # are regarded as comments.
+
+Fri Oct  8 18:17:22 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* afskrb.c, common.c : Change code to make a clear distinction
+ 	between hinted realm and ticket realm.
+
+	* kafs_locl.h: Added argument realm_hint.
+
+	* common.c (_kafs_get_cred): Change code to acquire the ``best''
+ 	possible ticket. Use cross-cell authentication only as method of
+ 	last resort.
+
+	* afskrb.c (afslog_uid_int): Add realm_hint argument and extract
+ 	realm from ticket file.
+
+	* afskrb5.c (afslog_uid_int): Added argument realm_hint.
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (get_cred): update to new krb524_convert_creds_kdc
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: ignore the comlicated aix construct if !krb4
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: define AFS_SYSCALL to 73 for Solaris 2.7
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (krb5_realm_of_cell): new function
+
+	* afskrb.c (krb_realm_of_cell): new function
+	(afslog_uid_int): call krb_get_lrealm correctly
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* common.c (realm_of_cell): rename to _kafs_realm_of_cell and
+ 	un-staticize
+
+Fri Mar 19 14:52:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 11:24:02 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Feb 27 19:46:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove EXTRA_DATA (as of autoconf 2.13/automake
+ 	1.4)
+
+Thu Feb 11 22:57:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: set AIX_SRC also if !AIX
+
+Tue Dec  1 14:45:15 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: fix AIX linkage
+
+Sun Nov 22 10:40:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 16:55:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* afskrb5.c: add homedir support
+
+Sun Sep  6 20:16:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* add new functionality for specifying the homedir to krb_afslog
+ 	et al
+
+Thu Jul 16 01:27:19 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: reorganize order of definitions.
+	(try_one, try_two): conditionalize
+
+Thu Jul  9 18:31:52 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c (realm_of_cell): make the dns fallback work
+
+Wed Jul  8 01:39:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c (map_syscall_name_to_number): new function for finding
+ 	the number of a syscall given the name on solaris
+	(k_hasafs): try using map_syscall_name_to_number
+
+Tue Jun 30 17:19:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: rewrite and add support for environment variable
+ 	AFS_SYSCALL
+
+	* Makefile.in (distclean): don't remove roken_rename.h
+
+Fri May 29 19:03:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (roken_rename.h): remove dependency
+
+Mon May 25 05:25:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:58:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sat Apr  4 15:08:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: add arla paths
+
+	* common.c (_kafs_afslog_all_local_cells): Try _PATH_ARLA_*
+	(_realm_of_cell): Try _PATH_ARLA_CELLSERVDB
+
+Thu Feb 19 14:50:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c: Don't store expired tokens (this broke when using
+ 	pag-less rsh-sessions, and `non-standard' ticket files).
+
+Thu Feb 12 11:20:15 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install/uninstall one library at a time.
+
+Thu Feb 12 05:38:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (install): one library at a time.
+
+Mon Feb  9 23:40:32 1998  Assar Westerlund  <assar@sics.se>
+
+	* common.c (find_cells): ignore empty lines
+
+Tue Jan  6 04:25:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h (AFS_SYSCALL): add FreeBSD
+
+Fri Jan  2 17:08:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: new VICEIOCTL's.  From <rb@stacken.kth.se>
+
+	* afssysdefs.h: Add OpenBSD
diff --git a/crypto/heimdal/lib/kafs/Makefile.am b/crypto/heimdal/lib/kafs/Makefile.am
new file mode 100644
index 0000000..2460e55
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/Makefile.am
@@ -0,0 +1,71 @@
+# $Id: Makefile.am,v 1.19 2000/01/06 15:14:27 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+
+if KRB4
+AFSLIBS = libkafs.la
+
+if AIX
+AFSL_EXP = $(srcdir)/afsl.exp
+
+if AIX4
+AFS_EXTRA_LD = -bnoentry
+else
+AFS_EXTRA_LD = -e _nostart
+endif
+
+if AIX_DYNAMIC_AFS
+if HAVE_DLOPEN
+AIX_SRC = 
+else
+AIX_SRC = dlfcn.c
+endif
+AFS_EXTRA_LIBS = afslib.so
+AFS_EXTRA_DEFS =
+else
+AIX_SRC = afslib.c
+AFS_EXTRA_LIBS = 
+AFS_EXTRA_DEFS = -DSTATIC_AFS
+endif
+
+else
+AFSL_EXP =
+AIX_SRC =
+endif # AIX
+
+else
+AFSLIBS = 
+endif # KRB4
+
+
+lib_LTLIBRARIES = $(AFSLIBS)
+libkafs_la_LDFLAGS = -version-info 1:2:1
+foodir = $(libdir)
+foo_DATA = $(AFS_EXTRA_LIBS)
+# EXTRA_DATA = afslib.so
+
+CLEANFILES= $(AFS_EXTRA_LIBS)
+
+include_HEADERS = kafs.h
+
+if KRB5
+afskrb5_c = afskrb5.c
+endif
+
+libkafs_la_SOURCES = afssys.c afskrb.c $(afskrb5_c) common.c $(AIX_SRC) kafs_locl.h afssysdefs.h
+#afslib_so_SOURCES = afslib.c
+
+EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
+
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+
+man_MANS = kafs.3
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
+
+$(OBJECTS): ../../include/config.h
diff --git a/crypto/heimdal/lib/kafs/Makefile.in b/crypto/heimdal/lib/kafs/Makefile.in
new file mode 100644
index 0000000..32b69cb
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/Makefile.in
@@ -0,0 +1,898 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.19 2000/01/06 15:14:27 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@AFSLIBS = libkafs.la
+@KRB4_FALSE@AFSLIBS = 
+
+@KRB4_TRUE@@AIX_TRUE@AFSL_EXP = $(srcdir)/afsl.exp
+@KRB4_TRUE@@AIX_FALSE@AFSL_EXP = 
+@KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@AFS_EXTRA_LD = -bnoentry
+@KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@AFS_EXTRA_LD = -e _nostart
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_TRUE@AIX_SRC = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@AIX_SRC = dlfcn.c
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AIX_SRC = afslib.c
+@KRB4_TRUE@@AIX_FALSE@AIX_SRC = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_LIBS = afslib.so
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_LIBS = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_DEFS = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_DEFS = -DSTATIC_AFS
+
+lib_LTLIBRARIES = $(AFSLIBS)
+libkafs_la_LDFLAGS = -version-info 1:2:1
+foodir = $(libdir)
+foo_DATA = $(AFS_EXTRA_LIBS)
+# EXTRA_DATA = afslib.so
+
+CLEANFILES = $(AFS_EXTRA_LIBS)
+
+include_HEADERS = kafs.h
+
+@KRB5_TRUE@afskrb5_c = afskrb5.c
+
+libkafs_la_SOURCES = afssys.c afskrb.c $(afskrb5_c) common.c $(AIX_SRC) kafs_locl.h afssysdefs.h
+#afslib_so_SOURCES = afslib.c
+
+EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
+
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+
+man_MANS = kafs.3
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkafs_la_LIBADD = 
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_FALSE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@dlfcn.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@dlfcn.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@afskrb5.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_TRUE@common.lo
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_TRUE@@KRB4_FALSE@@KRB5_TRUE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_FALSE@@HAVE_DLOPEN_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb5.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo \
+@AIX_TRUE@@KRB4_TRUE@@KRB5_TRUE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afslib.lo
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@libkafs_la_OBJECTS =  \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afssys.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@afskrb.lo \
+@AIX_FALSE@@KRB4_FALSE@@KRB5_FALSE@@HAVE_DLOPEN_FALSE@@AIX_DYNAMIC_AFS_FALSE@common.lo
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man3dir = $(mandir)/man3
+MANS = $(man_MANS)
+DATA =  $(foo_DATA)
+
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
+OBJECTS = $(libkafs_la_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kafs/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS)
+
+install-man3:
+	$(mkinstalldirs) $(DESTDIR)$(man3dir)
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+uninstall-man3:
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man3
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $(srcdir)/$$p $(DESTDIR)$(foodir)/$$p; \
+	  else if test -f $$p; then \
+	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p"; \
+	    $(INSTALL_DATA) $$p $(DESTDIR)$(foodir)/$$p; \
+	  fi; fi; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	list='$(foo_DATA)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(foodir)/$$p; \
+	done
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/kafs
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-fooDATA install-includeHEADERS \
+		install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-man uninstall-fooDATA \
+		uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(mandir)/man3 \
+		$(DESTDIR)$(foodir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man3 uninstall-man3 install-man \
+uninstall-man uninstall-fooDATA install-fooDATA \
+uninstall-includeHEADERS install-includeHEADERS tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
+
+$(OBJECTS): ../../include/config.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/kafs/README.dlfcn b/crypto/heimdal/lib/kafs/README.dlfcn
new file mode 100644
index 0000000..cee1b75
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/README.dlfcn
@@ -0,0 +1,246 @@
+Copyright (c) 1992,1993,1995,1996, Jens-Uwe Mager, Helios Software GmbH
+Not derived from licensed software.
+
+Permission is granted to freely use, copy, modify, and redistribute
+this software, provided that the author is not construed to be liable
+for any results of using the software, alterations are clearly marked
+as such, and this notice is not modified.
+
+libdl.a
+-------
+
+This is an emulation library to emulate the SunOS/System V.4 functions
+to access the runtime linker. The functions are emulated by using the
+AIX load() function and by reading the .loader section of the loaded
+module to find the exports. The to be loaded module should be linked as
+follows (if using AIX 3):
+
+	cc -o module.so -bM:SRE -bE:module.exp -e _nostart $(OBJS)
+
+For AIX 4:
+
+	cc -o module.so -bM:SRE -bE:module.exp -bnoentry $(OBJS)
+
+If you want to reference symbols from the main part of the program in a
+loaded module, you will have to link against the export file of the
+main part:
+
+	cc -o main -bE:main.exp $(MAIN_OBJS)
+	cc -o module.so -bM:SRE -bI:main.exp -bE:module.exp -bnoentry $(OBJS)
+
+Note that you explicitely have to specify what functions are supposed
+to be accessible from your loaded modules, this is different from
+SunOS/System V.4 where any global is automatically exported. If you
+want to export all globals, the following script might be of help:
+
+#!/bin/sh
+/usr/ucb/nm -g $* | awk '$2 == "B" || $2 == "D" { print $3 }'
+
+The module export file contains the symbols to be exported. Because
+this library uses the loader section, the final module.so file can be
+stripped. C++ users should build their shared objects using the script
+makeC++SharedLib (part of the IBM C++ compiler), this will make sure
+that constructors and destructors for static and global objects will be
+called upon loading and unloading the module. GNU C++ users should use
+the -shared option to g++ to link the shared object:
+
+	g++ -o module.so -shared $(OBJS)
+
+If the shared object does have permissions for anybody, the shared
+object will be loaded into the shared library segment and it will stay
+there even if the main application terminates. If you rebuild your
+shared object after a bugfix and you want to make sure that you really
+get the newest version you will have to use the "slibclean" command
+before starting the application again to garbage collect the shared
+library segment. If the performance utilities (bosperf) are installed
+you can use the following command to see what shared objects are
+loaded:
+
+/usr/lpp/bosperf/genkld | sort | uniq
+
+For easier debugging you can avoid loading the shared object into the
+shared library segment alltogether by removing permissions for others
+from the module.so file:
+
+chmod o-rwx module.so
+
+This will ensure you get a fresh copy of the shared object for every
+dlopen() call which is loaded into the application's data segment.
+
+Usage
+-----
+
+void *dlopen(const char *path, int mode);
+
+This routine loads the module pointed to by path and reads its export
+table. If the path does not contain a '/' character, dlopen will search
+for the module using the LIBPATH environment variable. It returns an
+opaque handle to the module or NULL on error. The mode parameter can be
+either RTLD_LAZY (for lazy function binding) or RTLD_NOW for immediate
+function binding. The AIX implementation currently does treat RTLD_NOW
+the same as RTLD_LAZY. The flag RTLD_GLOBAL might be or'ed into the
+mode parameter to allow loaded modules to bind to global variables or
+functions in other loaded modules loaded by dlopen(). If RTLD_GLOBAL is
+not specified, only globals from the main part of the executable or
+shared libraries are used to look for undefined symbols in loaded
+modules.
+
+
+void *dlsym(void *handle, const char *symbol);
+
+This routine searches for the symbol in the module referred to by
+handle and returns its address. If the symbol could not be found, the
+function returns NULL. The return value must be casted to a proper
+function pointer before it can be used. SunOS/System V.4 allows handle
+to be a NULL pointer to refer to the module the call is made from, this
+is not implemented.
+
+int dlclose(void *handle);
+
+This routine unloads the module referred to by the handle and disposes
+of any local storage. this function returns -1 on failure. Any function
+pointers obtained through dlsym() should be considered invalid after
+closing a module.
+
+As AIX caches shared objects in the shared library segment, function
+pointers obtained through dlsym() might still work even though the
+module has been unloaded. This can introduce subtle bugs that will
+segment fault later if AIX garbage collects or immediatly on
+SunOS/System V.4 as the text segment is unmapped.
+
+char *dlerror(void);
+
+This routine can be used to retrieve a text message describing the most
+recent error that occured on on of the above routines. This function
+returns NULL if there is no error information.
+
+Initialization and termination handlers
+---------------------------------------
+
+The emulation provides for an initialization and a termination
+handler.  The dlfcn.h file contains a structure declaration named
+dl_info with following members:
+
+	void (*init)(void);
+	void (*fini)(void);
+
+The init function is called upon first referencing the library. The
+fini function is called at dlclose() time or when the process exits.
+The module should declare a variable named dl_info that contains this
+structure which must be exported.  These functions correspond to the
+documented _init() and _fini() functions of SunOS 4.x, but these are
+appearently not implemented in SunOS.  When using SunOS 5.0, these
+correspond to #pragma init and #pragma fini respectively. At the same
+time any static or global C++ object's constructors or destructors will
+be called.
+
+BUGS
+----
+
+Please note that there is currently a problem with implicitely loaded
+shared C++ libaries: if you refer to a shared C++ library from a loaded
+module that is not yet used by the main program, the dlopen() emulator
+does not notice this and does not call the static constructors for the
+implicitely loaded library. This can be easily demonstrated by
+referencing the C++ standard streams from a loaded module if the main
+program is a plain C program.
+
+Jens-Uwe Mager
+
+HELIOS Software GmbH
+Lavesstr. 80
+30159 Hannover
+Germany
+
+Phone:		+49 511 36482-0
+FAX:		+49 511 36482-69
+AppleLink:	helios.de/jum
+Internet:	jum@helios.de
+
+Revison History
+---------------
+
+SCCS/s.dlfcn.h:
+
+D 1.4 95/04/25 09:36:52 jum 4 3	00018/00004/00028
+MRs:
+COMMENTS:
+added RTLD_GLOBAL, include and C++ guards
+
+D 1.3 92/12/27 20:58:32 jum 3 2	00001/00001/00031
+MRs:
+COMMENTS:
+we always have prototypes on RS/6000
+
+D 1.2 92/08/16 17:45:11 jum 2 1	00009/00000/00023
+MRs:
+COMMENTS:
+added dl_info structure to implement initialize and terminate functions
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00023/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
+SCCS/s.dlfcn.c:
+
+D 1.11 96/04/10 20:12:51 jum 13 12	00037/00000/00533
+MRs:
+COMMENTS:
+Integrated the changes from John W. Eaton <jwe@bevo.che.wisc.edu> to initialize
+g++ generated shared objects.
+
+D 1.10 96/02/15 17:42:44 jum 12 10	00012/00007/00521
+MRs:
+COMMENTS:
+the C++ constructor and destructor chains are now called properly for either
+xlC 2 or xlC 3 (CSet++).
+
+D 1.9 95/09/22 11:09:38 markus 10 9	00001/00008/00527
+MRs:
+COMMENTS:
+Fix version number
+
+D 1.8 95/09/22 10:14:34 markus 9 8	00008/00001/00527
+MRs:
+COMMENTS:
+Added version number for dl lib
+
+D 1.7 95/08/14 19:08:38 jum 8 6	00026/00004/00502
+MRs:
+COMMENTS:
+Integrated the fixes from Kirk Benell (kirk@rsinc.com) to allow loading of
+shared objects generated under AIX 4. Fixed bug that symbols with exactly
+8 characters would use garbage characters from the following symbol value.
+
+D 1.6 95/04/25 09:38:03 jum 6 5	00046/00006/00460
+MRs:
+COMMENTS:
+added handling of C++ static constructors and destructors, added RTLD_GLOBAL to bind against other loaded modules
+
+D 1.5 93/02/14 20:14:17 jum 5 4	00002/00000/00464
+MRs:
+COMMENTS:
+added path to dlopen error message to make clear where there error occured.
+
+D 1.4 93/01/03 19:13:56 jum 4 3	00061/00005/00403
+MRs:
+COMMENTS:
+to allow calling symbols in the main module call load with L_NOAUTODEFER and 
+do a loadbind later with the main module.
+
+D 1.3 92/12/27 20:59:55 jum 3 2	00066/00008/00342
+MRs:
+COMMENTS:
+added search by L_GETINFO if module got loaded by LIBPATH
+
+D 1.2 92/08/16 17:45:43 jum 2 1	00074/00006/00276
+MRs:
+COMMENTS:
+implemented initialize and terminate functions, added reference counting to avoid multiple loads of the same library
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00282/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
diff --git a/crypto/heimdal/lib/kafs/afskrb.c b/crypto/heimdal/lib/kafs/afskrb.c
new file mode 100644
index 0000000..805750d
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afskrb.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb.c,v 1.13 1999/12/02 16:58:39 joda Exp $");
+
+struct krb_kafs_data {
+    const char *realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    KTEXT_ST tkt;
+    int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    
+    if (ret) {
+	ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0);
+	if (ret == KSUCCESS)
+	    ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    }
+    return ret;
+}
+
+static int
+afslog_uid_int(kafs_data *data,
+	       const char *cell,
+	       const char *realm_hint,
+	       uid_t uid,
+	       const char *homedir)
+{
+    int ret;
+    CREDENTIALS c;
+    char realm[REALM_SZ];
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    /* Extract realm from ticket file. */
+    {
+        char name[ANAME_SZ], inst[INST_SZ];
+
+	ret = krb_get_default_principal(name, inst, realm);
+	if (ret != KSUCCESS)
+	    return ret;
+    }
+
+    ret = _kafs_get_cred(data, cell, realm_hint, realm, &c);
+    
+    if (ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    char *r = krb_realmofhost(host);
+    if(r != NULL)
+	return strdup(r);
+    else
+	return NULL;
+}
+
+int
+krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
+		    const char *homedir)
+{
+    kafs_data kd;
+
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = 0;
+    return afslog_uid_int(&kd, cell, realm_hint, uid, homedir);
+}
+
+int
+krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
+{
+    return krb_afslog_uid_home(cell, realm_hint, uid, NULL);
+}
+
+int
+krb_afslog(const char *cell, const char *realm_hint)
+{
+    return krb_afslog_uid(cell, realm_hint, getuid());
+}
+
+int
+krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
+{
+    return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+int
+krb_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/heimdal/lib/kafs/afskrb5.c b/crypto/heimdal/lib/kafs/afskrb5.c
new file mode 100644
index 0000000..4c35ea7
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afskrb5.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb5.c,v 1.13 1999/12/02 16:58:39 joda Exp $");
+
+struct krb5_kafs_data {
+    krb5_context context;
+    krb5_ccache id;
+    krb5_const_realm realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    krb5_error_code ret;
+    krb5_creds in_creds, *out_creds;
+    struct krb5_kafs_data *d = data->data;
+
+    memset(&in_creds, 0, sizeof(in_creds));
+    ret = krb5_425_conv_principal(d->context, name, inst, realm, 
+				  &in_creds.server);
+    if(ret)
+	return ret;
+    ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
+    if(ret){
+	krb5_free_principal(d->context, in_creds.server);
+	return ret;
+    }
+    in_creds.session.keytype = KEYTYPE_DES;
+    ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
+    krb5_free_principal(d->context, in_creds.server);
+    krb5_free_principal(d->context, in_creds.client);
+    if(ret)
+	return ret;
+    ret = krb524_convert_creds_kdc(d->context, d->id, out_creds, c);
+    krb5_free_creds(d->context, out_creds);
+    return ret;
+}
+
+static krb5_error_code
+afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
+	       const char *homedir)
+{
+    krb5_error_code ret;
+    CREDENTIALS c;
+    krb5_principal princ;
+    krb5_realm *trealm; /* ticket realm */
+    struct krb5_kafs_data *d = data->data;
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    ret = krb5_cc_get_principal (d->context, d->id, &princ);
+    if (ret)
+	return ret;
+
+    trealm = krb5_princ_realm (d->context, princ);
+
+    if (d->realm != NULL && strcmp (d->realm, *trealm) == 0) {
+	trealm = NULL;
+	krb5_free_principal (d->context, princ);
+    }
+
+    ret = _kafs_get_cred(data, cell, d->realm, *trealm, &c);
+    if(trealm)
+	krb5_free_principal (d->context, princ);
+    
+    if(ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    struct krb5_kafs_data *d = data->data;
+    krb5_realm *realms;
+    char *r;
+    if(krb5_get_host_realm(d->context, host, &realms))
+	return NULL;
+    r = strdup(realms[0]);
+    krb5_free_host_realm(d->context, realms);
+    return r;
+}
+
+krb5_error_code
+krb5_afslog_uid_home(krb5_context context,
+		     krb5_ccache id,
+		     const char *cell,
+		     krb5_const_realm realm,
+		     uid_t uid,
+		     const char *homedir)
+{
+    kafs_data kd;
+    struct krb5_kafs_data d;
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = &d;
+    d.context = context;
+    d.id = id;
+    d.realm = realm;
+    return afslog_uid_int(&kd, cell, 0, uid, homedir);
+}
+
+krb5_error_code
+krb5_afslog_uid(krb5_context context,
+		krb5_ccache id,
+		const char *cell,
+		krb5_const_realm realm,
+		uid_t uid)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
+}
+
+krb5_error_code
+krb5_afslog(krb5_context context,
+	    krb5_ccache id, 
+	    const char *cell,
+	    krb5_const_realm realm)
+{
+    return krb5_afslog_uid (context, id, cell, realm, getuid());
+}
+
+krb5_error_code
+krb5_afslog_home(krb5_context context,
+		 krb5_ccache id, 
+		 const char *cell,
+		 krb5_const_realm realm,
+		 const char *homedir)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/heimdal/lib/kafs/afsl.exp b/crypto/heimdal/lib/kafs/afsl.exp
new file mode 100644
index 0000000..4d2b00e
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afsl.exp
@@ -0,0 +1,6 @@
+#!/unix
+
+* This mumbo jumbo creates entry points to syscalls in _AIX
+
+lpioctl	syscall
+lsetpag	syscall
diff --git a/crypto/heimdal/lib/kafs/afslib.c b/crypto/heimdal/lib/kafs/afslib.c
new file mode 100644
index 0000000..ae3b5a5
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afslib.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* 
+ * This file is only used with AIX 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afslib.c,v 1.6 1999/12/02 16:58:40 joda Exp $");
+
+int
+aix_pioctl(char *a_path,
+	   int o_opcode,
+	   struct ViceIoctl *a_paramsP,
+	   int a_followSymlinks)
+{
+    return lpioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+}
+
+int
+aix_setpag(void)
+{
+    return lsetpag();
+}
diff --git a/crypto/heimdal/lib/kafs/afslib.exp b/crypto/heimdal/lib/kafs/afslib.exp
new file mode 100644
index 0000000..f288717
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afslib.exp
@@ -0,0 +1,3 @@
+#!
+aix_pioctl
+aix_setpag
diff --git a/crypto/heimdal/lib/kafs/afssys.c b/crypto/heimdal/lib/kafs/afssys.c
new file mode 100644
index 0000000..d49a65a
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afssys.c
@@ -0,0 +1,395 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afssys.c,v 1.65 1999/12/02 16:58:40 joda Exp $");
+
+int _kafs_debug; /* this should be done in a better way */
+
+#define NO_ENTRY_POINT		0
+#define SINGLE_ENTRY_POINT	1
+#define MULTIPLE_ENTRY_POINT	2
+#define SINGLE_ENTRY_POINT2	3
+#define SINGLE_ENTRY_POINT3	4
+#define AIX_ENTRY_POINTS	5
+#define UNKNOWN_ENTRY_POINT	6
+static int afs_entry_point = UNKNOWN_ENTRY_POINT;
+static int afs_syscalls[2];
+
+/* Magic to get AIX syscalls to work */
+#ifdef _AIX
+
+static int (*Pioctl)(char*, int, struct ViceIoctl*, int);
+static int (*Setpag)(void);
+
+#include "dlfcn.h"
+
+/*
+ *
+ */
+
+static int
+try_aix(void)
+{
+#ifdef STATIC_AFS_SYSCALLS
+    Pioctl = aix_pioctl;
+    Setpag = aix_setpag;
+#else
+    void *ptr;
+    char path[MaxPathLen], *p;
+    /*
+     * If we are root or running setuid don't trust AFSLIBPATH!
+     */
+    if (getuid() != 0 && !issuid() && (p = getenv("AFSLIBPATH")) != NULL)
+	strlcpy(path, p, sizeof(path));
+    else
+	snprintf(path, sizeof(path), "%s/afslib.so", LIBDIR);
+	
+    ptr = dlopen(path, RTLD_NOW);
+    if(ptr == NULL) {
+	if(_kafs_debug) {
+	    if(errno == ENOEXEC && (p = dlerror()) != NULL)
+		fprintf(stderr, "dlopen(%s): %s\n", path, p);
+	    else if (errno != ENOENT)
+		fprintf(stderr, "dlopen(%s): %s\n", path, strerror(errno));
+	}
+	return 1;
+    }
+    Setpag = (int (*)(void))dlsym(ptr, "aix_setpag");
+    Pioctl = (int (*)(char*, int, 
+		      struct ViceIoctl*, int))dlsym(ptr, "aix_pioctl");
+#endif
+    afs_entry_point = AIX_ENTRY_POINTS;
+    return 0;
+}
+#endif /* _AIX */
+
+/* 
+ * This probably only works under Solaris and could get confused if
+ * there's a /etc/name_to_sysnum file.  
+ */
+
+#define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum"
+
+static int
+map_syscall_name_to_number (const char *str, int *res)
+{
+    FILE *f;
+    char buf[256];
+    size_t str_len = strlen (str);
+
+    f = fopen (_PATH_ETC_NAME_TO_SYSNUM, "r");
+    if (f == NULL)
+	return -1;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (strncmp (str, buf, str_len) == 0) {
+	    char *begptr = buf + str_len;
+	    char *endptr;
+	    long val = strtol (begptr, &endptr, 0);
+
+	    if (val != 0 && endptr != begptr) {
+		fclose (f);
+		*res = val;
+		return 0;
+	    }
+	}
+    }
+    fclose (f);
+    return -1;
+}
+
+int
+k_pioctl(char *a_path,
+	 int o_opcode,
+	 struct ViceIoctl *a_paramsP,
+	 int a_followSymlinks)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_PIOCTL,
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[0],
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+int
+k_afs_cell_of_file(const char *path, char *cell, int len)
+{
+    struct ViceIoctl parms;
+    parms.in = NULL;
+    parms.in_size = 0;
+    parms.out = cell;
+    parms.out_size = len;
+    return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
+}
+
+int
+k_unlog(void)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+    return k_pioctl(0, VIOCUNLOG, &parms, 0);
+}
+
+int
+k_setpag(void)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_SETPAG);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[1]);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Setpag();
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+static jmp_buf catch_SIGSYS;
+
+#ifdef SIGSYS
+
+static RETSIGTYPE
+SIGSYS_handler(int sig)
+{
+    errno = 0;
+    signal(SIGSYS, SIGSYS_handler); /* Need to reinstall handler on SYSV */
+    longjmp(catch_SIGSYS, 1);
+}
+
+#endif
+
+/*
+ * Try to see if `syscall' is a pioctl.  Return 0 iff succesful.
+ */
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+static int
+try_one (int syscall_num)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_num, AFSCALL_PIOCTL,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = SINGLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_num;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+/*
+ * Try to see if `syscall_pioctl' is a pioctl syscall.  Return 0 iff
+ * succesful.
+ *
+ */
+
+#ifdef AFS_PIOCTL
+static int
+try_two (int syscall_pioctl, int syscall_setpag)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_pioctl,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = MULTIPLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_pioctl;
+	    afs_syscalls[1] = syscall_setpag;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+int
+k_hasafs(void)
+{
+#if !defined(NO_AFS) && defined(SIGSYS)
+    RETSIGTYPE (*saved_func)();
+#endif
+    int saved_errno;
+    char *env = getenv ("AFS_SYSCALL");
+  
+    /*
+     * Already checked presence of AFS syscalls?
+     */
+    if (afs_entry_point != UNKNOWN_ENTRY_POINT)
+	return afs_entry_point != NO_ENTRY_POINT;
+
+    /*
+     * Probe kernel for AFS specific syscalls,
+     * they (currently) come in two flavors.
+     * If the syscall is absent we recive a SIGSYS.
+     */
+    afs_entry_point = NO_ENTRY_POINT;
+  
+    saved_errno = errno;
+#ifndef NO_AFS
+#ifdef SIGSYS
+    saved_func = signal(SIGSYS, SIGSYS_handler);
+#endif
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    {
+	int tmp;
+
+	if (env != NULL) {
+	    if (sscanf (env, "%d", &tmp) == 1) {
+		if (try_one (tmp) == 0)
+		    goto done;
+	    } else {
+		char *end = NULL;
+		char *p;
+		char *s = strdup (env);
+
+		if (s != NULL) {
+		    for (p = strtok_r (s, ",", &end);
+			 p != NULL;
+			 p = strtok_r (NULL, ",", &end)) {
+			if (map_syscall_name_to_number (p, &tmp) == 0)
+			    if (try_one (tmp) == 0) {
+				free (s);
+				goto done;
+			    }
+		    }
+		    free (s);
+		}
+	    }
+	}
+    }
+#endif /* AFS_SYSCALL || AFS_SYSCALL2 || AFS_SYSCALL3 */
+
+#ifdef AFS_SYSCALL
+    if (try_one (AFS_SYSCALL) == 0)
+	goto done;
+#endif /* AFS_SYSCALL */
+
+#ifdef AFS_PIOCTL
+    {
+	int tmp[2];
+
+	if (env != NULL && sscanf (env, "%d%d", &tmp[0], &tmp[1]) == 2)
+	    if (try_two (tmp[0], tmp[1]) == 2)
+		goto done;
+    }
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_PIOCTL
+    if (try_two (AFS_PIOCTL, AFS_SETPAG) == 0)
+	goto done;
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_SYSCALL2
+    if (try_one (AFS_SYSCALL2) == 0)
+	goto done;
+#endif /* AFS_SYSCALL2 */
+
+#ifdef AFS_SYSCALL3
+    if (try_one (AFS_SYSCALL3) == 0)
+	goto done;
+#endif /* AFS_SYSCALL3 */
+
+#ifdef _AIX
+#if 0
+    if (env != NULL) {
+	char *pos = NULL;
+	char *pioctl_name;
+	char *setpag_name;
+
+	pioctl_name = strtok_r (env, ", \t", &pos);
+	if (pioctl_name != NULL) {
+	    setpag_name = strtok_r (NULL, ", \t", &pos);
+	    if (setpag_name != NULL)
+		if (try_aix (pioctl_name, setpag_name) == 0)
+		    goto done;
+	}
+    }
+#endif
+
+    if(try_aix() == 0)
+	goto done;
+#endif
+
+done:
+#ifdef SIGSYS
+    signal(SIGSYS, saved_func);
+#endif
+#endif /* NO_AFS */
+    errno = saved_errno;
+    return afs_entry_point != NO_ENTRY_POINT;
+}
diff --git a/crypto/heimdal/lib/kafs/afssysdefs.h b/crypto/heimdal/lib/kafs/afssysdefs.h
new file mode 100644
index 0000000..574b33f
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afssysdefs.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: afssysdefs.h,v 1.21 1999/12/02 16:58:40 joda Exp $ */
+
+/*
+ * This section is for machines using single entry point AFS syscalls!
+ * and/or
+ * This section is for machines using multiple entry point AFS syscalls!
+ *
+ * SunOS 4 is an example of single entry point and sgi of multiple
+ * entry point syscalls.
+ */
+
+#if SunOS == 40
+#define AFS_SYSCALL	31
+#endif
+
+#if SunOS >= 50 && SunOS < 57
+#define AFS_SYSCALL	105
+#endif
+
+#if SunOS == 57
+#define AFS_SYSCALL	73
+#endif
+
+#if defined(__hpux)
+#define AFS_SYSCALL	50
+#define AFS_SYSCALL2	49
+#define AFS_SYSCALL3	48
+#endif
+
+#if defined(_AIX)
+/* _AIX is too weird */
+#endif
+
+#if defined(__sgi)
+#define AFS_PIOCTL      (64+1000)
+#define AFS_SETPAG      (65+1000)
+#endif
+
+#if defined(__osf__)
+#define AFS_SYSCALL	232
+#define AFS_SYSCALL2	258
+#endif
+
+#if defined(__ultrix)
+#define AFS_SYSCALL	31
+#endif
+
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+#define AFS_SYSCALL 210
+#endif
+
+#ifdef SYS_afs_syscall
+#define AFS_SYSCALL3	SYS_afs_syscall
+#endif
diff --git a/crypto/heimdal/lib/kafs/common.c b/crypto/heimdal/lib/kafs/common.c
new file mode 100644
index 0000000..207b9b6
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/common.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: common.c,v 1.19 1999/12/02 16:58:40 joda Exp $");
+
+#define AUTH_SUPERUSER "afs"
+
+/*
+ * Here only ASCII characters are relevant.
+ */
+
+#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
+
+#define ToAsciiUpper(c) ((c) - 'a' + 'A')
+
+static void
+foldup(char *a, const char *b)
+{
+  for (; *b; a++, b++)
+    if (IsAsciiLower(*b))
+      *a = ToAsciiUpper(*b);
+    else
+      *a = *b;
+  *a = '\0';
+}
+
+int
+kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
+{
+    struct ViceIoctl parms;
+    struct ClearToken ct;
+    int32_t sizeof_x;
+    char buf[2048], *t;
+    int ret;
+    
+    /*
+     * Build a struct ClearToken
+     */
+    ct.AuthHandle = c->kvno;
+    memcpy (ct.HandShakeKey, c->session, sizeof(c->session));
+    ct.ViceId = uid;
+    ct.BeginTimestamp = c->issue_date;
+    ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
+    if(ct.EndTimestamp < time(NULL))
+	return 0; /* don't store tokens that has expired (and possibly
+		     overwriting valid tokens)*/
+
+#define ODD(x) ((x) & 1)
+    /* According to Transarc conventions ViceId is valid iff
+     * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
+     * the transformations:
+     *
+     * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
+     * preserves the original values.
+     */
+    if (uid != 0)		/* valid ViceId */
+      {
+	if (!ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+    else			/* not valid ViceId */
+      {
+	if (ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+
+    t = buf;
+    /*
+     * length of secret token followed by secret token
+     */
+    sizeof_x = c->ticket_st.length;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, c->ticket_st.dat, sizeof_x);
+    t += sizeof_x;
+    /*
+     * length of clear token followed by clear token
+     */
+    sizeof_x = sizeof(ct);
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, &ct, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * do *not* mark as primary cell
+     */
+    sizeof_x = 0;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    /*
+     * follow with cell name
+     */
+    sizeof_x = strlen(cell) + 1;
+    memcpy(t, cell, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * Build argument block
+     */
+    parms.in = buf;
+    parms.in_size = t - buf;
+    parms.out = 0;
+    parms.out_size = 0;
+    ret = k_pioctl(0, VIOCSETTOK, &parms, 0);
+    return ret;
+}
+
+/* Try to get a db-server for an AFS cell from a AFSDB record */
+
+static int
+dns_find_cell(const char *cell, char *dbserver, size_t len)
+{
+    struct dns_reply *r;
+    int ok = -1;
+    r = dns_lookup(cell, "afsdb");
+    if(r){
+	struct resource_record *rr = r->head;
+	while(rr){
+	    if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
+		strlcpy(dbserver,
+				rr->u.afsdb->domain,
+				len);
+		ok = 0;
+		break;
+	    }
+	    rr = rr->next;
+	}
+	dns_free_data(r);
+    }
+    return ok;
+}
+
+
+/*
+ * Try to find the cells we should try to klog to in "file".
+ */
+static void
+find_cells(char *file, char ***cells, int *index)
+{
+    FILE *f;
+    char cell[64];
+    int i;
+    int ind = *index;
+
+    f = fopen(file, "r");
+    if (f == NULL)
+	return;
+    while (fgets(cell, sizeof(cell), f)) {
+	char *t;
+	t = cell + strlen(cell);
+	for (; t >= cell; t--)
+	  if (*t == '\n' || *t == '\t' || *t == ' ')
+	    *t = 0;
+	if (cell[0] == '\0' || cell[0] == '#')
+	    continue;
+	for(i = 0; i < ind; i++)
+	    if(strcmp((*cells)[i], cell) == 0)
+		break;
+	if(i == ind){
+	    char **tmp;
+
+	    tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
+	    if (tmp == NULL)
+		break;
+	    *cells = tmp;
+	    (*cells)[ind] = strdup(cell);
+	    if ((*cells)[ind] == NULL)
+		break;
+	    ++ind;
+	}
+    }
+    fclose(f);
+    *index = ind;
+}
+
+/*
+ * Get tokens for all cells[]
+ */
+static int
+afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
+	     const char *homedir)
+{
+    int ret = 0;
+    int i;
+    for (i = 0; i < max; i++) {
+        int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
+	if (er)
+	    ret = er;
+    }
+    return ret;
+}
+
+int
+_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir)
+{
+    int ret;
+    char **cells = NULL;
+    int index = 0;
+
+    if (homedir == NULL)
+	homedir = getenv("HOME");
+    if (homedir != NULL) {
+	char home[MaxPathLen];
+	snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
+	find_cells(home, &cells, &index);
+    }
+    find_cells(_PATH_THESECELLS, &cells, &index);
+    find_cells(_PATH_THISCELL, &cells, &index);
+    find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
+    find_cells(_PATH_ARLA_THISCELL, &cells, &index);
+    
+    ret = afslog_cells(data, cells, index, uid, homedir);
+    while(index > 0)
+	free(cells[--index]);
+    free(cells);
+    return ret;
+}
+
+
+/* Find the realm associated with cell. Do this by opening
+   /usr/vice/etc/CellServDB and getting the realm-of-host for the
+   first VL-server for the cell.
+
+   This does not work when the VL-server is living in one realm, but
+   the cell it is serving is living in another realm.
+
+   Return 0 on success, -1 otherwise.
+   */
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
+{
+    FILE *F;
+    char buf[1024];
+    char *p;
+    int ret = -1;
+
+    if ((F = fopen(_PATH_CELLSERVDB, "r"))
+	|| (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))) {
+	while (fgets(buf, sizeof(buf), F)) {
+	    if (buf[0] != '>')
+		continue; /* Not a cell name line, try next line */
+	    if (strncmp(buf + 1, cell, strlen(cell)) == 0) {
+		/*
+		 * We found the cell name we're looking for.
+		 * Read next line on the form ip-address '#' hostname
+		 */
+		if (fgets(buf, sizeof(buf), F) == NULL)
+		    break;	/* Read failed, give up */
+		p = strchr(buf, '#');
+		if (p == NULL)
+		    break;	/* No '#', give up */
+		p++;
+		if (buf[strlen(buf) - 1] == '\n')
+		    buf[strlen(buf) - 1] = '\0';
+		*realm = (*data->get_realm)(data, p);
+		if (*realm && **realm != '\0')
+		    ret = 0;
+		break;		/* Won't try any more */
+	    }
+	}
+	fclose(F);
+    }
+    if (*realm == NULL && dns_find_cell(cell, buf, sizeof(buf)) == 0) {
+	*realm = strdup(krb_realmofhost(buf));
+	if(*realm != NULL)
+	    ret = 0;
+    }
+    return ret;
+}
+
+int
+_kafs_get_cred(kafs_data *data,
+	      const char *cell, 
+	      const char *realm_hint,
+	      const char *realm,
+	      CREDENTIALS *c)
+{
+    int ret = -1;
+    char *vl_realm;
+    char CELL[64];
+
+    /* We're about to find the the realm that holds the key for afs in
+     * the specified cell. The problem is that null-instance
+     * afs-principals are common and that hitting the wrong realm might
+     * yield the wrong afs key. The following assumptions were made.
+     *
+     * Any realm passed to us is preferred.
+     *
+     * If there is a realm with the same name as the cell, it is most
+     * likely the correct realm to talk to.
+     *
+     * In most (maybe even all) cases the database servers of the cell
+     * will live in the realm we are looking for.
+     *
+     * Try the local realm, but if the previous cases fail, this is
+     * really a long shot.
+     *
+     */
+  
+    /* comments on the ordering of these tests */
+
+    /* If the user passes a realm, she probably knows something we don't
+     * know and we should try afs@realm_hint (otherwise we're talking with a
+     * blondino and she might as well have it.)
+     */
+  
+    if (realm_hint) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
+	if (ret == 0) return 0;
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
+	if (ret == 0) return 0;
+    }
+
+    foldup(CELL, cell);
+
+    /*
+     * If cell == realm we don't need no cross-cell authentication.
+     * Try afs@REALM.
+     */
+    if (strcmp(CELL, realm) == 0) {
+        ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
+	if (ret == 0) return 0;
+	/* Try afs.cell@REALM below. */
+    }
+
+    /*
+     * If the AFS servers have a file /usr/afs/etc/krb.conf containing
+     * REALM we still don't have to resort to cross-cell authentication.
+     * Try afs.cell@REALM.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
+    if (ret == 0) return 0;
+
+    /*
+     * We failed to get ``first class tickets'' for afs,
+     * fall back to cross-cell authentication.
+     * Try afs@CELL.
+     * Try afs.cell@CELL.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
+    if (ret == 0) return 0;
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
+    if (ret == 0) return 0;
+
+    /*
+     * Perhaps the cell doesn't correspond to any realm?
+     * Use realm of first volume location DB server.
+     * Try afs.cell@VL_REALM.
+     * Try afs@VL_REALM???
+     */
+    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
+	&& strcmp(vl_realm, realm) != 0
+	&& strcmp(vl_realm, CELL) != 0) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
+	if (ret)
+	    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
+	free(vl_realm);
+	if (ret == 0) return 0;
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kafs/dlfcn.c b/crypto/heimdal/lib/kafs/dlfcn.c
new file mode 100644
index 0000000..e664fe3
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/dlfcn.c
@@ -0,0 +1,581 @@
+/*
+ * @(#)dlfcn.c	1.11 revision of 96/04/10  20:12:51
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+/*
+ * Changes marked with `--jwe' were made on April 7 1996 by John W. Eaton
+ * <jwe@bevo.che.wisc.edu> to support g++ and/or use with Octave.
+ */
+
+/*
+ * This makes my life easier with Octave.  --jwe
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/ldr.h>
+#include <a.out.h>
+#include <ldfcn.h>
+#include "dlfcn.h"
+
+/*
+ * We simulate dlopen() et al. through a call to load. Because AIX has
+ * no call to find an exported symbol we read the loader section of the
+ * loaded module and build a list of exported symbols and their virtual
+ * address.
+ */
+
+typedef struct {
+	char		*name;		/* the symbols's name */
+	void		*addr;		/* its relocated virtual address */
+} Export, *ExportPtr;
+
+/*
+ * xlC uses the following structure to list its constructors and
+ * destructors. This is gleaned from the output of munch.
+ */
+typedef struct {
+	void (*init)(void);		/* call static constructors */
+	void (*term)(void);		/* call static destructors */
+} Cdtor, *CdtorPtr;
+
+typedef void (*GccCDtorPtr)(void);
+
+/*
+ * The void * handle returned from dlopen is actually a ModulePtr.
+ */
+typedef struct Module {
+	struct Module	*next;
+	char		*name;		/* module name for refcounting */
+	int		refCnt;		/* the number of references */
+	void		*entry;		/* entry point from load */
+	struct dl_info	*info;		/* optional init/terminate functions */
+	CdtorPtr	cdtors;		/* optional C++ constructors */
+	GccCDtorPtr	gcc_ctor;	/* g++ constructors  --jwe */
+	GccCDtorPtr	gcc_dtor;	/* g++ destructors  --jwe */
+	int		nExports;	/* the number of exports found */
+	ExportPtr	exports;	/* the array of exports */
+} Module, *ModulePtr;
+
+/*
+ * We keep a list of all loaded modules to be able to call the fini
+ * handlers and destructors at atexit() time.
+ */
+static ModulePtr modList;
+
+/*
+ * The last error from one of the dl* routines is kept in static
+ * variables here. Each error is returned only once to the caller.
+ */
+static char errbuf[BUFSIZ];
+static int errvalid;
+
+/*
+ * The `fixed' gcc header files on AIX 3.2.5 provide a prototype for
+ * strdup().  --jwe
+ */
+#ifndef HAVE_STRDUP
+extern char *strdup(const char *);
+#endif
+static void caterr(char *);
+static int readExports(ModulePtr);
+static void terminate(void);
+static void *findMain(void);
+
+void *dlopen(const char *path, int mode)
+{
+	ModulePtr mp;
+	static void *mainModule;
+
+	/*
+	 * Upon the first call register a terminate handler that will
+	 * close all libraries. Also get a reference to the main module
+	 * for use with loadbind.
+	 */
+	if (!mainModule) {
+		if ((mainModule = findMain()) == NULL)
+			return NULL;
+		atexit(terminate);
+	}
+	/*
+	 * Scan the list of modules if we have the module already loaded.
+	 */
+	for (mp = modList; mp; mp = mp->next)
+		if (strcmp(mp->name, path) == 0) {
+			mp->refCnt++;
+			return mp;
+		}
+	if ((mp = (ModulePtr)calloc(1, sizeof(*mp))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, "calloc: %s", strerror(errno));
+		return NULL;
+	}
+	if ((mp->name = strdup(path)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, "strdup: %s", strerror(errno));
+		free(mp);
+		return NULL;
+	}
+	/*
+	 * load should be declared load(const char *...). Thus we
+	 * cast the path to a normal char *. Ugly.
+	 */
+	if ((mp->entry = (void *)load((char *)path, L_NOAUTODEFER, NULL)) == NULL) {
+		free(mp->name);
+		free(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "dlopen: %s: ", path);
+		/*
+		 * If AIX says the file is not executable, the error
+		 * can be further described by querying the loader about
+		 * the last error.
+		 */
+		if (errno == ENOEXEC) {
+			char *tmp[BUFSIZ/sizeof(char *)];
+			if (loadquery(L_GETMESSAGES, tmp, sizeof(tmp)) == -1)
+				strlcpy(errbuf,
+						strerror(errno),
+						sizeof(errbuf));
+			else {
+				char **p;
+				for (p = tmp; *p; p++)
+					caterr(*p);
+			}
+		} else
+			strlcat(errbuf,
+					strerror(errno),
+					sizeof(errbuf));
+		return NULL;
+	}
+	mp->refCnt = 1;
+	mp->next = modList;
+	modList = mp;
+	if (loadbind(0, mainModule, mp->entry) == -1) {
+		dlclose(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "loadbind: %s", strerror(errno));
+		return NULL;
+	}
+	/*
+	 * If the user wants global binding, loadbind against all other
+	 * loaded modules.
+	 */
+	if (mode & RTLD_GLOBAL) {
+		ModulePtr mp1;
+		for (mp1 = mp->next; mp1; mp1 = mp1->next)
+			if (loadbind(0, mp1->entry, mp->entry) == -1) {
+				dlclose(mp);
+				errvalid++;
+				snprintf (errbuf, sizeof(errbuf),
+					  "loadbind: %s",
+					  strerror(errno));
+				return NULL;
+			}
+	}
+	if (readExports(mp) == -1) {
+		dlclose(mp);
+		return NULL;
+	}
+	/*
+	 * If there is a dl_info structure, call the init function.
+	 */
+	if (mp->info = (struct dl_info *)dlsym(mp, "dl_info")) {
+		if (mp->info->init)
+			(*mp->info->init)();
+	} else
+		errvalid = 0;
+	/*
+	 * If the shared object was compiled using xlC we will need
+	 * to call static constructors (and later on dlclose destructors).
+	 */
+	if (mp->cdtors = (CdtorPtr)dlsym(mp, "__cdtors")) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->init && cp->init != (void (*)(void))0xffffffff)
+				(*cp->init)();
+			cp++;
+		}
+	/*
+	 * If the shared object was compiled using g++, we will need
+	 * to call global constructors using the _GLOBAL__DI function,
+	 * and later, global destructors using the _GLOBAL_DD
+	 * funciton.  --jwe
+	 */
+	} else if (mp->gcc_ctor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DI")) {
+		(*mp->gcc_ctor)();
+		mp->gcc_dtor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DD"); 
+	} else
+		errvalid = 0;
+	return mp;
+}
+
+/*
+ * Attempt to decipher an AIX loader error message and append it
+ * to our static error message buffer.
+ */
+static void caterr(char *s)
+{
+	char *p = s;
+
+	while (*p >= '0' && *p <= '9')
+		p++;
+	switch(atoi(s)) {
+	case L_ERROR_TOOMANY:
+		strlcat(errbuf, "to many errors", sizeof(errbuf));
+		break;
+	case L_ERROR_NOLIB:
+		strlcat(errbuf, "can't load library", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_UNDEF:
+		strlcat(errbuf, "can't find symbol", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_RLDBAD:
+		strlcat(errbuf, "bad RLD", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_FORMAT:
+		strlcat(errbuf, "bad exec format in", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_ERRNO:
+		strlcat(errbuf, strerror(atoi(++p)), sizeof(errbuf));
+		break;
+	default:
+		strlcat(errbuf, s, sizeof(errbuf));
+		break;
+	}
+}
+
+void *dlsym(void *handle, const char *symbol)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	ExportPtr ep;
+	int i;
+
+	/*
+	 * Could speed up the search, but I assume that one assigns
+	 * the result to function pointers anyways.
+	 */
+	for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+		if (strcmp(ep->name, symbol) == 0)
+			return ep->addr;
+	errvalid++;
+	snprintf (errbuf, sizeof(errbuf),
+		  "dlsym: undefined symbol %s", symbol);		  
+	return NULL;
+}
+
+char *dlerror(void)
+{
+	if (errvalid) {
+		errvalid = 0;
+		return errbuf;
+	}
+	return NULL;
+}
+
+int dlclose(void *handle)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	int result;
+	ModulePtr mp1;
+
+	if (--mp->refCnt > 0)
+		return 0;
+	if (mp->info && mp->info->fini)
+		(*mp->info->fini)();
+	if (mp->cdtors) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->term && cp->init != (void (*)(void))0xffffffff)
+				(*cp->term)();
+			cp++;
+		}
+	/*
+	 * If the function to handle global destructors for g++
+	 * exists, call it.  --jwe
+	 */
+	} else if (mp->gcc_dtor) {
+	        (*mp->gcc_dtor)();
+	}
+	result = unload(mp->entry);
+	if (result == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "%s", strerror(errno));
+	}
+	if (mp->exports) {
+		ExportPtr ep;
+		int i;
+		for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+			if (ep->name)
+				free(ep->name);
+		free(mp->exports);
+	}
+	if (mp == modList)
+		modList = mp->next;
+	else {
+		for (mp1 = modList; mp1; mp1 = mp1->next)
+			if (mp1->next == mp) {
+				mp1->next = mp->next;
+				break;
+			}
+	}
+	free(mp->name);
+	free(mp);
+	return result;
+}
+
+static void terminate(void)
+{
+	while (modList)
+		dlclose(modList);
+}
+
+/*
+ * Build the export table from the XCOFF .loader section.
+ */
+static int readExports(ModulePtr mp)
+{
+	LDFILE *ldp = NULL;
+	SCNHDR sh, shdata;
+	LDHDR *lhp;
+	char *ldbuf;
+	LDSYM *ls;
+	int i;
+	ExportPtr ep;
+
+	if ((ldp = ldopen(mp->name, ldp)) == NULL) {
+		struct ld_info *lp;
+		char *buf;
+		int size = 4*1024;
+		if (errno != ENOENT) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		/*
+		 * The module might be loaded due to the LIBPATH
+		 * environment variable. Search for the loaded
+		 * module using L_GETINFO.
+		 */
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+			free(buf);
+			size += 4*1024;
+			if ((buf = malloc(size)) == NULL) {
+				errvalid++;
+				snprintf(errbuf, sizeof(errbuf),
+					 "readExports: %s",
+					 strerror(errno));
+				return -1;
+			}
+		}
+		if (i == -1) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			free(buf);
+			return -1;
+		}
+		/*
+		 * Traverse the list of loaded modules. The entry point
+		 * returned by load() does actually point to the data
+		 * segment origin.
+		 */
+		lp = (struct ld_info *)buf;
+		while (lp) {
+			if (lp->ldinfo_dataorg == mp->entry) {
+				ldp = ldopen(lp->ldinfo_filename, ldp);
+				break;
+			}
+			if (lp->ldinfo_next == 0)
+				lp = NULL;
+			else
+				lp = (struct ld_info *)((char *)lp + lp->ldinfo_next);
+		}
+		free(buf);
+		if (!ldp) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "readExports: %s", strerror(errno));
+			return -1;
+		}
+	}
+	if (TYPE(ldp) != U802TOCMAGIC) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf), "readExports: bad magic");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Get the padding for the data section. This is needed for
+	 * AIX 4.1 compilers. This is used when building the final
+	 * function pointer to the exported symbol.
+	 */
+	if (ldnshread(ldp, _DATA, &shdata) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read data section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (ldnshread(ldp, _LOADER, &sh) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * We read the complete loader section in one chunk, this makes
+	 * finding long symbol names residing in the string table easier.
+	 */
+	if ((ldbuf = (char *)malloc(sh.s_size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FSEEK(ldp, sh.s_scnptr, BEGINNING) != OKFSEEK) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot seek to loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FREAD(ldbuf, sh.s_size, 1, ldp) != 1) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	lhp = (LDHDR *)ldbuf;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	/*
+	 * Count the number of exports to include in our export table.
+	 */
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		if (!LDR_EXPORT(*ls))
+			continue;
+		mp->nExports++;
+	}
+	if ((mp->exports = (ExportPtr)calloc(mp->nExports, sizeof(*mp->exports))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Fill in the export table. All entries are relative to
+	 * the entry point we got from load.
+	 */
+	ep = mp->exports;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		char *symname;
+		char tmpsym[SYMNMLEN+1];
+		if (!LDR_EXPORT(*ls))
+			continue;
+		if (ls->l_zeroes == 0)
+			symname = ls->l_offset+lhp->l_stoff+ldbuf;
+		else {
+			/*
+			 * The l_name member is not zero terminated, we
+			 * must copy the first SYMNMLEN chars and make
+			 * sure we have a zero byte at the end.
+			 */
+		        strlcpy (tmpsym, ls->l_name,
+					 SYMNMLEN + 1);
+			symname = tmpsym;
+		}
+		ep->name = strdup(symname);
+		ep->addr = (void *)((unsigned long)mp->entry +
+					ls->l_value - shdata.s_vaddr);
+		ep++;
+	}
+	free(ldbuf);
+	while(ldclose(ldp) == FAILURE)
+		;
+	return 0;
+}
+
+/*
+ * Find the main modules entry point. This is used as export pointer
+ * for loadbind() to be able to resolve references to the main part.
+ */
+static void * findMain(void)
+{
+	struct ld_info *lp;
+	char *buf;
+	int size = 4*1024;
+	int i;
+	void *ret;
+
+	if ((buf = malloc(size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		return NULL;
+	}
+	while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+		free(buf);
+		size += 4*1024;
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "findMail: %s", strerror(errno));
+			return NULL;
+		}
+	}
+	if (i == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		free(buf);
+		return NULL;
+	}
+	/*
+	 * The first entry is the main module. The entry point
+	 * returned by load() does actually point to the data
+	 * segment origin.
+	 */
+	lp = (struct ld_info *)buf;
+	ret = lp->ldinfo_dataorg;
+	free(buf);
+	return ret;
+}
diff --git a/crypto/heimdal/lib/kafs/dlfcn.h b/crypto/heimdal/lib/kafs/dlfcn.h
new file mode 100644
index 0000000..5671e9c
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/dlfcn.h
@@ -0,0 +1,46 @@
+/*
+ * @(#)dlfcn.h	1.4 revision of 95/04/25  09:36:52
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+#ifndef __dlfcn_h__
+#define __dlfcn_h__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Mode flags for the dlopen routine.
+ */
+#define RTLD_LAZY	1	/* lazy function call binding */
+#define RTLD_NOW	2	/* immediate function call binding */
+#define RTLD_GLOBAL	0x100	/* allow symbols to be global */
+
+/*
+ * To be able to intialize, a library may provide a dl_info structure
+ * that contains functions to be called to initialize and terminate.
+ */
+struct dl_info {
+	void (*init)(void);
+	void (*fini)(void);
+};
+
+#if __STDC__ || defined(_IBMR2)
+void *dlopen(const char *path, int mode);
+void *dlsym(void *handle, const char *symbol);
+char *dlerror(void);
+int dlclose(void *handle);
+#else
+void *dlopen();
+void *dlsym();
+char *dlerror();
+int dlclose();
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __dlfcn_h__ */
diff --git a/crypto/heimdal/lib/kafs/kafs.3 b/crypto/heimdal/lib/kafs/kafs.3
new file mode 100644
index 0000000..4a7b5ef
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs.3
@@ -0,0 +1,158 @@
+.\"	$Id: kafs.3,v 1.3 1998/06/30 15:41:52 assar Exp $
+.\"
+.Dd May 7, 1997
+.Os KTH-KRB
+.Dt KAFS 3
+.Sh NAME
+.Nm k_hasafs ,
+.Nm k_pioctl ,
+.Nm k_unlog ,
+.Nm k_setpag ,
+.Nm k_afs_cell_of_file ,
+.Nm krb_afslog ,
+.Nm krb_afslog_uid
+\" .Nm krb5_afslog ,
+\" .Nm krb5_afslog_uid
+.Nd AFS library
+.Sh SYNOPSIS
+.Fd #include <kafs.h>
+.Ft int
+.Fn k_afs_cell_of_file "const char *path" "char *cell" "int len"
+.Ft int
+.Fn k_hasafs
+.Ft int
+.Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks"
+.Ft int
+.Fn k_setpag
+.Ft int
+.Fn k_unlog
+.Ft int
+.Fn krb_afslog "char *cell" "char *realm"
+.Ft int
+.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
+\" .Ft krb5_error_code
+\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
+\" .Ft krb5_error_code
+\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
+.Sh DESCRIPTION
+.Fn k_hasafs
+initializes some library internal structures, and tests for the
+presense of AFS in the kernel, none of the other functions should be
+called before 
+.Fn k_hasafs
+is called, or if it fails.
+
+.Fn krb_afslog ,
+and
+.Fn krb_afslog_uid
+obtains new tokens (and possibly tickets) for the specified
+.Fa cell
+and
+.Fa realm .
+If 
+.Fa cell
+is 
+.Dv NULL ,
+the local cell is used. If 
+.Fa realm 
+is
+.Dv NULL ,
+the function tries to guess what realm to use. Unless you  have some good knowledge of what cell or realm to use, you should pass
+.Dv NULL . 
+.Fn krb_afslog 
+will use the real user-id for the
+.Dv ViceId
+field in the token, 
+.Fn krb_afslog_uid
+will use
+.Fa uid .
+
+\" .Fn krb5_afslog ,
+\" and 
+\" .Fn krb5_afslog_uid
+\" are the Kerberos 5 equivalents of
+\" .Fn krb_afslog ,
+\" and
+\" .Fn krb_afslog_uid .
+\" The extra arguments are the ubiquitous context, and the cache id where
+\" to store any obtained tickets. Since AFS servers normally can't handle
+\" Kerberos 5 tickets directly, these functions will first obtain version
+\" 5 tickets for the requested cells, and then convert them to version 4
+\" tickets, that can be stashed in the kernel. To convert tickets the
+\" .Fn krb524_convert_creds_kdc
+\" function will be used.
+
+.Fn k_afs_cell_of_file
+will in 
+.Fa cell
+return the cell of a specified file, no more than
+.Fa len
+characters is put in 
+.Fa cell .
+
+.Fn k_pioctl
+does a 
+.Fn pioctl
+syscall with the specified arguments. This function is equivalent to
+.Fn lpioctl .
+
+.Fn k_setpag
+initializes a new PAG.
+
+.Fn k_unlog
+removes destroys all tokens in the current PAG.
+
+.Sh ENVIRONMENT
+The following environment variable affect the mode of operation of
+.Nm kafs :
+.Bl -tag
+.It Ev AFS_SYSCALL
+Normally,
+.Nm kafs
+will try to figure out the correct system call(s) that are used by AFS
+by itself.  If it does not manage to do that, or does it incorrectly,
+you can set this variable to the system call number or list of system
+call numbers that should be used.
+.El
+.Sh RETURN VALUES
+.Fn k_hasafs
+returns 1 if AFS is present in the kernel, 0 otherwise.
+.Fn krb_afslog
+and
+.Fn krb_afslog_uid
+returns 0 on success, or a kerberos error number on failure.
+.Fn k_afs_cell_of_file ,
+.Fn k_pioctl , 
+.Fn k_setpag ,
+and
+.Fn k_unlog
+all return the value of the underlaying system call, 0 on success.
+.Sh EXAMPLES
+The following code from
+.Nm login 
+will obtain a new PAG and tokens for the local cell and the cell of
+the users home directory.
+.Bd -literal
+if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
+		krb_afslog(cell, NULL);
+	krb_afslog(NULL, NULL);
+}
+.Ed
+.Sh ERRORS
+If any of these functions (appart from 
+.Fn k_hasafs )
+is called without AFS beeing present in the kernel, the process will
+usually (depending on the operating system) receive a SIGSYS signal.
+.Sh SEE ALSO
+.Rs
+.%A Transarc Corporation
+.%J AFS-3 Programmer's Reference
+.%T File Server/Cache Manager Interface
+.%D 1991
+.Re
+.Sh BUGS
+.Ev AFS_SYSCALL
+has no effect under AIX.
diff --git a/crypto/heimdal/lib/kafs/kafs.h b/crypto/heimdal/lib/kafs/kafs.h
new file mode 100644
index 0000000..0fb969e
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs.h
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs.h,v 1.32 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __KAFS_H
+#define __KAFS_H
+
+/* XXX must include krb5.h or krb.h */
+
+/* sys/ioctl.h must be included manually before kafs.h */
+
+/*
+ */
+#define AFSCALL_PIOCTL 20
+#define AFSCALL_SETPAG 21
+
+#ifndef _VICEIOCTL
+#define _VICEIOCTL(id)  ((unsigned int ) _IOW('V', id, struct ViceIoctl))
+#endif /* _VICEIOCTL */
+
+#define VIOCSETAL		_VICEIOCTL(1)
+#define VIOCGETAL		_VICEIOCTL(2)
+#define VIOCSETTOK		_VICEIOCTL(3)
+#define VIOCGETVOLSTAT		_VICEIOCTL(4)
+#define VIOCSETVOLSTAT		_VICEIOCTL(5)
+#define VIOCFLUSH		_VICEIOCTL(6)
+#define VIOCGETTOK		_VICEIOCTL(8)
+#define VIOCUNLOG		_VICEIOCTL(9)
+#define VIOCCKSERV		_VICEIOCTL(10)
+#define VIOCCKBACK		_VICEIOCTL(11)
+#define VIOCCKCONN		_VICEIOCTL(12)
+#define VIOCWHEREIS		_VICEIOCTL(14)
+#define VIOCACCESS		_VICEIOCTL(20)
+#define VIOCUNPAG		_VICEIOCTL(21)
+#define VIOCGETFID		_VICEIOCTL(22)
+#define VIOCSETCACHESIZE	_VICEIOCTL(24)
+#define VIOCFLUSHCB		_VICEIOCTL(25)
+#define VIOCNEWCELL		_VICEIOCTL(26)
+#define VIOCGETCELL		_VICEIOCTL(27)
+#define VIOC_AFS_DELETE_MT_PT	_VICEIOCTL(28)
+#define VIOC_AFS_STAT_MT_PT	_VICEIOCTL(29)
+#define VIOC_FILE_CELL_NAME	_VICEIOCTL(30)
+#define VIOC_GET_WS_CELL	_VICEIOCTL(31)
+#define VIOC_AFS_MARINER_HOST	_VICEIOCTL(32)
+#define VIOC_GET_PRIMARY_CELL	_VICEIOCTL(33)
+#define VIOC_VENUSLOG		_VICEIOCTL(34)
+#define VIOC_GETCELLSTATUS	_VICEIOCTL(35)
+#define VIOC_SETCELLSTATUS	_VICEIOCTL(36)
+#define VIOC_FLUSHVOLUME	_VICEIOCTL(37)
+#define VIOC_AFS_SYSNAME	_VICEIOCTL(38)
+#define VIOC_EXPORTAFS		_VICEIOCTL(39)
+#define VIOCGETCACHEPARAMS	_VICEIOCTL(40)
+#define VIOC_GCPAGS		_VICEIOCTL(48) 
+
+struct ViceIoctl {
+  caddr_t in, out;
+  short in_size;
+  short out_size;
+};
+
+struct ClearToken {
+  int32_t AuthHandle;
+  char HandShakeKey[8];
+  int32_t ViceId;
+  int32_t BeginTimestamp;
+  int32_t EndTimestamp;
+};
+
+#ifdef __STDC__
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+/* Use k_hasafs() to probe if the machine supports AFS syscalls.
+   The other functions will generate a SIGSYS if AFS is not supported */
+
+int k_hasafs __P((void));
+
+int krb_afslog __P((const char *cell, const char *realm));
+int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
+int krb_afslog_home __P((const char *cell, const char *realm,
+			 const char *homedir));
+int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid,
+			     const char *homedir));
+
+int krb_realm_of_cell __P((const char *cell, char **realm));
+
+/* compat */
+#define k_afsklog krb_afslog
+#define k_afsklog_uid krb_afslog_uid
+
+int k_pioctl __P((char *a_path,
+		  int o_opcode,
+		  struct ViceIoctl *a_paramsP,
+		  int a_followSymlinks));
+int k_unlog __P((void));
+int k_setpag __P((void));
+int k_afs_cell_of_file __P((const char *path, char *cell, int len));
+
+
+
+/* XXX */
+#ifdef KFAILURE
+#define KRB_H_INCLUDED
+#endif
+
+#ifdef KRB5_RECVAUTH_IGNORE_VERSION
+#define KRB5_H_INCLUDED
+#endif
+
+#ifdef KRB_H_INCLUDED
+int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
+#endif
+
+#ifdef KRB5_H_INCLUDED
+krb5_error_code krb5_afslog_uid __P((krb5_context context,
+				     krb5_ccache id,
+				     const char *cell,
+				     krb5_const_realm realm,
+				     uid_t uid));
+krb5_error_code krb5_afslog __P((krb5_context context,
+				 krb5_ccache id, 
+				 const char *cell,
+				 krb5_const_realm realm));
+krb5_error_code krb5_afslog_uid_home __P((krb5_context context,
+					  krb5_ccache id,
+					  const char *cell,
+					  krb5_const_realm realm,
+					  uid_t uid,
+					  const char *homedir));
+
+krb5_error_code krb5_afslog_home __P((krb5_context context,
+				      krb5_ccache id,
+				      const char *cell,
+				      krb5_const_realm realm,
+				      const char *homedir));
+
+krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
+
+#endif
+
+
+#define _PATH_VICE		"/usr/vice/etc/"
+#define _PATH_THISCELL 		_PATH_VICE "ThisCell"
+#define _PATH_CELLSERVDB 	_PATH_VICE "CellServDB"
+#define _PATH_THESECELLS	_PATH_VICE "TheseCells"
+
+#define _PATH_ARLA_VICE		"/usr/arla/etc/"
+#define _PATH_ARLA_THISCELL	_PATH_ARLA_VICE "ThisCell"
+#define _PATH_ARLA_CELLSERVDB 	_PATH_ARLA_VICE "CellServDB"
+#define _PATH_ARLA_THESECELLS	_PATH_ARLA_VICE "TheseCells"
+
+extern int _kafs_debug;
+
+#endif /* __KAFS_H */
diff --git a/crypto/heimdal/lib/kafs/kafs_locl.h b/crypto/heimdal/lib/kafs/kafs_locl.h
new file mode 100644
index 0000000..ac1c2f6
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs_locl.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs_locl.h,v 1.15 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __KAFS_LOCL_H__
+#define __KAFS_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCALL_H
+#include <sys/syscall.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#include <kafs.h>
+
+#include <resolve.h>
+
+#include "afssysdefs.h"
+
+struct kafs_data;
+typedef int (*afslog_uid_func_t)(struct kafs_data *,
+				 const char *cell,
+				 const char *realm_hint,
+				 uid_t,
+				 const char *homedir);
+
+typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, 
+				    const char*, CREDENTIALS*);
+
+typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
+
+typedef struct kafs_data {
+    afslog_uid_func_t afslog_uid;
+    get_cred_func_t get_cred;
+    get_realm_func_t get_realm;
+    void *data;
+} kafs_data;
+
+int _kafs_afslog_all_local_cells(kafs_data*, uid_t, const char*);
+
+int _kafs_get_cred(kafs_data*, const char*, const char*, const char *, 
+		  CREDENTIALS*);
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm);
+
+#ifdef _AIX
+int aix_pioctl(char*, int, struct ViceIoctl*, int);
+int aix_setpag(void);
+#endif
+
+#endif /* __KAFS_LOCL_H__ */
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
new file mode 100644
index 0000000..df8ac6d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -0,0 +1,148 @@
+# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = verify_krb5_conf
+
+noinst_PROGRAMS = dump_config
+
+check_PROGRAMS = n-fold-test string-to-key-test
+TESTS = n-fold-test string-to-key-test
+
+if KRB4
+KRB4LIB = $(LIB_krb4)
+keytab_krb4_c = keytab_krb4.c
+endif
+
+LDADD = libkrb5.la \
+	$(KRB4LIB) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+lib_LTLIBRARIES = libkrb5.la
+
+ERR_FILES = krb5_err.c heim_err.c
+
+libkrb5_la_SOURCES = \
+	add_et_list.c \
+	addr_families.c \
+	address.c \
+	aname_to_localname.c \
+	asn1_glue.c \
+	auth_context.c \
+	build_ap_req.c \
+	build_auth.c \
+	cache.c \
+	changepw.c \
+	codec.c \
+	config_file.c \
+	config_file_netinfo.c \
+	convert_creds.c \
+	constants.c \
+	context.c \
+	copy_host_realm.c \
+	crc.c \
+	creds.c \
+	crypto.c \
+	data.c \
+	expand_hostname.c \
+	fcache.c \
+	free.c \
+	free_host_realm.c \
+	generate_seq_number.c \
+	generate_subkey.c \
+	get_addrs.c \
+	get_cred.c \
+	get_default_principal.c \
+	get_default_realm.c \
+	get_for_creds.c \
+	get_host_realm.c \
+	get_in_tkt.c \
+	get_in_tkt_pw.c \
+	get_in_tkt_with_keytab.c \
+	get_in_tkt_with_skey.c \
+	get_port.c \
+	init_creds.c \
+	init_creds_pw.c \
+	keyblock.c \
+	keytab.c \
+	keytab_file.c \
+	keytab_memory.c \
+	$(keytab_krb4_c) \
+	keytab_keyfile.c \
+	krbhst.c \
+	kuserok.c \
+	log.c \
+	mcache.c \
+	misc.c \
+	mk_error.c \
+	mk_priv.c \
+	mk_rep.c \
+	mk_req.c \
+	mk_req_ext.c \
+	mk_safe.c \
+	net_read.c \
+	net_write.c \
+	n-fold.c \
+	padata.c \
+	principal.c \
+	prog_setup.c \
+	prompter_posix.c \
+	rd_cred.c \
+	rd_error.c \
+	rd_priv.c \
+	rd_rep.c \
+	rd_req.c \
+	rd_safe.c \
+	read_message.c \
+	recvauth.c \
+	send_to_kdc.c \
+	sendauth.c \
+	set_default_realm.c \
+	sock_principal.c \
+	store.c \
+	store_emem.c \
+	store_fd.c \
+	store_mem.c \
+	ticket.c \
+	time.c \
+	transited.c \
+	verify_init.c \
+	verify_user.c \
+	version.c \
+	warn.c \
+	write_message.c \
+	$(ERR_FILES)
+
+EXTRA_libkrb5_la_SOURCES = keytab_krb4.c
+
+libkrb5_la_LDFLAGS = -version-info 9:1:0
+
+$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+
+$(srcdir)/krb5-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+
+$(srcdir)/krb5-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
+
+libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 \
+	krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 \
+	krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3
+
+include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
+
+CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h
+
+$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h
+
+# to help stupid solaris make
+
+krb5_err.h: krb5_err.et
+
+heim_err.h: heim_err.et
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
new file mode 100644
index 0000000..dbca9de
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/Makefile.in
@@ -0,0 +1,956 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = verify_krb5_conf
+
+noinst_PROGRAMS = dump_config
+
+check_PROGRAMS = n-fold-test string-to-key-test
+TESTS = n-fold-test string-to-key-test
+
+@KRB4_TRUE@KRB4LIB = $(LIB_krb4)
+@KRB4_TRUE@keytab_krb4_c = keytab_krb4.c
+
+LDADD = libkrb5.la 	$(KRB4LIB) 	$(top_builddir)/lib/des/libdes.la 	$(top_builddir)/lib/asn1/libasn1.la 	$(LIB_roken)
+
+
+lib_LTLIBRARIES = libkrb5.la
+
+ERR_FILES = krb5_err.c heim_err.c
+
+libkrb5_la_SOURCES =  	add_et_list.c 	addr_families.c 	address.c 	aname_to_localname.c 	asn1_glue.c 	auth_context.c 	build_ap_req.c 	build_auth.c 	cache.c 	changepw.c 	codec.c 	config_file.c 	config_file_netinfo.c 	convert_creds.c 	constants.c 	context.c 	copy_host_realm.c 	crc.c 	creds.c 	crypto.c 	data.c 	expand_hostname.c 	fcache.c 	free.c 	free_host_realm.c 	generate_seq_number.c 	generate_subkey.c 	get_addrs.c 	get_cred.c 	get_default_principal.c 	get_default_realm.c 	get_for_creds.c 	get_host_realm.c 	get_in_tkt.c 	get_in_tkt_pw.c 	get_in_tkt_with_keytab.c 	get_in_tkt_with_skey.c 	get_port.c 	init_creds.c 	init_creds_pw.c 	keyblock.c 	keytab.c 	keytab_file.c 	keytab_memory.c 	$(keytab_krb4_c) 	keytab_keyfile.c 	krbhst.c 	kuserok.c 	log.c 	mcache.c 	misc.c 	mk_error.c 	mk_priv.c 	mk_rep.c 	mk_req.c 	mk_req_ext.c 	mk_safe.c 	net_read.c 	net_write.c 	n-fold.c 	padata.c 	principal.c 	prog_setup.c 	prompter_posix.c 	rd_cred.c 	rd_error.c 	rd_priv.c 	rd_rep.c 	rd_req.c 	rd_safe.c 	read_message.c 	recvauth.c 	send_to_kdc.c 	sendauth.c 	set_default_realm.c 	sock_principal.c 	store.c 	store_emem.c 	store_fd.c 	store_mem.c 	ticket.c 	time.c 	transited.c 	verify_init.c 	verify_user.c 	version.c 	warn.c 	write_message.c 	$(ERR_FILES)
+
+
+EXTRA_libkrb5_la_SOURCES = keytab_krb4.c
+
+libkrb5_la_LDFLAGS = -version-info 9:1:0
+
+libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 	krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 	krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3
+
+
+include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
+
+CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkrb5_la_DEPENDENCIES =  ../com_err/error.lo ../com_err/com_err.lo
+@KRB4_TRUE@libkrb5_la_OBJECTS =  add_et_list.lo addr_families.lo \
+@KRB4_TRUE@address.lo aname_to_localname.lo asn1_glue.lo \
+@KRB4_TRUE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \
+@KRB4_TRUE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \
+@KRB4_TRUE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \
+@KRB4_TRUE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \
+@KRB4_TRUE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \
+@KRB4_TRUE@generate_subkey.lo get_addrs.lo get_cred.lo \
+@KRB4_TRUE@get_default_principal.lo get_default_realm.lo \
+@KRB4_TRUE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \
+@KRB4_TRUE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \
+@KRB4_TRUE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \
+@KRB4_TRUE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \
+@KRB4_TRUE@keytab_memory.lo keytab_krb4.lo keytab_keyfile.lo krbhst.lo \
+@KRB4_TRUE@kuserok.lo log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo \
+@KRB4_TRUE@mk_rep.lo mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo \
+@KRB4_TRUE@net_write.lo n-fold.lo padata.lo principal.lo prog_setup.lo \
+@KRB4_TRUE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \
+@KRB4_TRUE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \
+@KRB4_TRUE@send_to_kdc.lo sendauth.lo set_default_realm.lo \
+@KRB4_TRUE@sock_principal.lo store.lo store_emem.lo store_fd.lo \
+@KRB4_TRUE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \
+@KRB4_TRUE@verify_user.lo version.lo warn.lo write_message.lo \
+@KRB4_TRUE@krb5_err.lo heim_err.lo
+@KRB4_FALSE@libkrb5_la_OBJECTS =  add_et_list.lo addr_families.lo \
+@KRB4_FALSE@address.lo aname_to_localname.lo asn1_glue.lo \
+@KRB4_FALSE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \
+@KRB4_FALSE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \
+@KRB4_FALSE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \
+@KRB4_FALSE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \
+@KRB4_FALSE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \
+@KRB4_FALSE@generate_subkey.lo get_addrs.lo get_cred.lo \
+@KRB4_FALSE@get_default_principal.lo get_default_realm.lo \
+@KRB4_FALSE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \
+@KRB4_FALSE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \
+@KRB4_FALSE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \
+@KRB4_FALSE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \
+@KRB4_FALSE@keytab_memory.lo keytab_keyfile.lo krbhst.lo kuserok.lo \
+@KRB4_FALSE@log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo mk_rep.lo \
+@KRB4_FALSE@mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo net_write.lo \
+@KRB4_FALSE@n-fold.lo padata.lo principal.lo prog_setup.lo \
+@KRB4_FALSE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \
+@KRB4_FALSE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \
+@KRB4_FALSE@send_to_kdc.lo sendauth.lo set_default_realm.lo \
+@KRB4_FALSE@sock_principal.lo store.lo store_emem.lo store_fd.lo \
+@KRB4_FALSE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \
+@KRB4_FALSE@verify_user.lo version.lo warn.lo write_message.lo \
+@KRB4_FALSE@krb5_err.lo heim_err.lo
+bin_PROGRAMS =  verify_krb5_conf$(EXEEXT)
+check_PROGRAMS =  n-fold-test$(EXEEXT) string-to-key-test$(EXEEXT)
+noinst_PROGRAMS =  dump_config$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
+
+verify_krb5_conf_SOURCES = verify_krb5_conf.c
+verify_krb5_conf_OBJECTS =  verify_krb5_conf.$(OBJEXT)
+verify_krb5_conf_LDADD = $(LDADD)
+@KRB4_TRUE@verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+verify_krb5_conf_LDFLAGS = 
+n_fold_test_SOURCES = n-fold-test.c
+n_fold_test_OBJECTS =  n-fold-test.$(OBJEXT)
+n_fold_test_LDADD = $(LDADD)
+@KRB4_TRUE@n_fold_test_DEPENDENCIES =  libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@n_fold_test_DEPENDENCIES =  libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+n_fold_test_LDFLAGS = 
+string_to_key_test_SOURCES = string-to-key-test.c
+string_to_key_test_OBJECTS =  string-to-key-test.$(OBJEXT)
+string_to_key_test_LDADD = $(LDADD)
+@KRB4_TRUE@string_to_key_test_DEPENDENCIES =  libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@string_to_key_test_DEPENDENCIES =  libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+string_to_key_test_LDFLAGS = 
+dump_config_SOURCES = dump_config.c
+dump_config_OBJECTS =  dump_config.$(OBJEXT)
+dump_config_LDADD = $(LDADD)
+@KRB4_TRUE@dump_config_DEPENDENCIES =  libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_FALSE@dump_config_DEPENDENCIES =  libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+dump_config_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+man3dir = $(mandir)/man3
+man5dir = $(mandir)/man5
+MANS = $(man_MANS)
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libkrb5_la_SOURCES) $(EXTRA_libkrb5_la_SOURCES) verify_krb5_conf.c n-fold-test.c string-to-key-test.c dump_config.c
+OBJECTS = $(libkrb5_la_OBJECTS) verify_krb5_conf.$(OBJEXT) n-fold-test.$(OBJEXT) string-to-key-test.$(OBJEXT) dump_config.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES)
+	@rm -f verify_krb5_conf$(EXEEXT)
+	$(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
+
+n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES)
+	@rm -f n-fold-test$(EXEEXT)
+	$(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
+
+string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES)
+	@rm -f string-to-key-test$(EXEEXT)
+	$(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
+
+dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES)
+	@rm -f dump_config$(EXEEXT)
+	$(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS)
+
+install-man3:
+	$(mkinstalldirs) $(DESTDIR)$(man3dir)
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+uninstall-man3:
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+install-man5:
+	$(mkinstalldirs) $(DESTDIR)$(man5dir)
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+uninstall-man5:
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/krb5
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+check-TESTS: $(TESTS)
+	@failed=0; all=0; \
+	srcdir=$(srcdir); export srcdir; \
+	for tst in $(TESTS); do \
+	  if test -f $$tst; then dir=.; \
+	  else dir="$(srcdir)"; fi; \
+	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
+	    all=`expr $$all + 1`; \
+	    echo "PASS: $$tst"; \
+	  elif test $$? -ne 77; then \
+	    all=`expr $$all + 1`; \
+	    failed=`expr $$failed + 1`; \
+	    echo "FAIL: $$tst"; \
+	  fi; \
+	done; \
+	if test "$$failed" -eq 0; then \
+	  banner="All $$all tests passed"; \
+	else \
+	  banner="$$failed of $$all tests failed"; \
+	fi; \
+	dashes=`echo "$$banner" | sed s/./=/g`; \
+	echo "$$dashes"; \
+	echo "$$banner"; \
+	echo "$$dashes"; \
+	test "$$failed" -eq 0
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-man uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(mandir)/man3 $(DESTDIR)$(mandir)/man5 \
+		$(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
+		mostlyclean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-binPROGRAMS clean-checkPROGRAMS \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-binPROGRAMS \
+		distclean-checkPROGRAMS distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-binPROGRAMS \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS mostlyclean-checkPROGRAMS distclean-checkPROGRAMS \
+clean-checkPROGRAMS maintainer-clean-checkPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS install-man3 \
+uninstall-man3 install-man5 uninstall-man5 install-man uninstall-man \
+uninstall-includeHEADERS install-includeHEADERS tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir check-TESTS \
+info-am info dvi-am dvi check-local check check-am installcheck-am \
+installcheck install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+
+$(srcdir)/krb5-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+
+$(srcdir)/krb5-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
+
+$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h
+
+# to help stupid solaris make
+
+krb5_err.h: krb5_err.et
+
+heim_err.h: heim_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/krb5/add_et_list.c b/crypto/heimdal/lib/krb5/add_et_list.c
new file mode 100644
index 0000000..cfc42f4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/add_et_list.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+/*
+ * Add a specified list of error messages to the et list in context.
+ * Call func (probably a comerr-generated function) with a pointer to
+ * the current et_list.
+ */
+
+krb5_error_code
+krb5_add_et_list (krb5_context context,
+		  void (*func)(struct et_list **))
+{
+    (*func)(&context->et_list);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c
new file mode 100644
index 0000000..9b17abd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/addr_families.c
@@ -0,0 +1,539 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: addr_families.c,v 1.23 2000/02/16 02:09:00 assar Exp $");
+
+struct addr_operations {
+    int af;
+    krb5_address_type atype;
+    size_t max_sockaddr_size;
+    krb5_error_code (*sockaddr2addr)(const struct sockaddr *, krb5_address *);
+    krb5_error_code (*sockaddr2port)(const struct sockaddr *, int16_t *);
+    void (*addr2sockaddr)(const krb5_address *, struct sockaddr *,
+			  int *sa_size, int port);
+    void (*h_addr2sockaddr)(const char *, struct sockaddr *, int *, int);
+    krb5_error_code (*h_addr2addr)(const char *, krb5_address *);
+    krb5_boolean (*uninteresting)(const struct sockaddr *);
+    void (*anyaddr)(struct sockaddr *, int *, int);
+    int (*print_addr)(const krb5_address *, char *, size_t);
+    int (*parse_addr)(const char*, krb5_address *);
+};
+
+/*
+ * AF_INET - aka IPv4 implementation
+ */
+
+static krb5_error_code
+ipv4_sockaddr2addr (const struct sockaddr *sa, krb5_address *a)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+    unsigned char buf[4];
+
+    a->addr_type = KRB5_ADDRESS_INET;
+    memcpy (buf, &sin->sin_addr, 4);
+    return krb5_data_copy(&a->address, buf, 4);
+}
+
+static krb5_error_code
+ipv4_sockaddr2port (const struct sockaddr *sa, int16_t *port)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+    *port = sin->sin_port;
+    return 0;
+}
+
+static void
+ipv4_addr2sockaddr (const krb5_address *a,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family = AF_INET;
+    memcpy (&sin->sin_addr, a->address.data, 4);
+    sin->sin_port = port;
+    *sa_size = sizeof(*sin);
+}
+
+static void
+ipv4_h_addr2sockaddr(const char *addr,
+		     struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    *sa_size = sizeof(*sin);
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr   = *((const struct in_addr *)addr);
+}
+
+static krb5_error_code
+ipv4_h_addr2addr (const char *addr,
+		  krb5_address *a)
+{
+    unsigned char buf[4];
+
+    a->addr_type = KRB5_ADDRESS_INET;
+    memcpy(buf, addr, 4);
+    return krb5_data_copy(&a->address, buf, 4);
+}
+
+/*
+ * Are there any addresses that should be considered `uninteresting'?
+ */
+
+static krb5_boolean
+ipv4_uninteresting (const struct sockaddr *sa)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+    if (sin->sin_addr.s_addr == INADDR_ANY)
+	return TRUE;
+
+    return FALSE;
+}
+
+static void
+ipv4_anyaddr (struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    *sa_size = sizeof(*sin);
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr.s_addr = INADDR_ANY;
+}
+
+static int
+ipv4_print_addr (const krb5_address *addr, char *str, size_t len)
+{
+    struct in_addr ia;
+
+    memcpy (&ia, addr->address.data, 4);
+
+    return snprintf (str, len, "IPv4:%s", inet_ntoa(ia));
+}
+
+static int
+ipv4_parse_addr (const char *address, krb5_address *addr)
+{
+    const char *p;
+    struct in_addr a;
+
+    p = strchr(address, ':');
+    if(p) {
+	p++;
+	if(strncasecmp(address, "ip:", p - address) != 0 &&
+	   strncasecmp(address, "ip4:", p - address) != 0 &&
+	   strncasecmp(address, "ipv4:", p - address) != 0 &&
+	   strncasecmp(address, "inet:", p - address) != 0)
+	    return -1;
+    } else
+	p = address;
+#ifdef HAVE_INET_ATON
+    if(inet_aton(p, &a) == 0)
+	return -1;
+#elif defined(HAVE_INET_ADDR)
+    a.s_addr = inet_addr(p);
+    if(a.s_addr == INADDR_NONE)
+	return -1;
+#else
+    return -1;
+#endif
+    addr->addr_type = KRB5_ADDRESS_INET;
+    if(krb5_data_alloc(&addr->address, 4) != 0)
+	return -1;
+    _krb5_put_int(addr->address.data, ntohl(a.s_addr), addr->address.length);
+    return 0;
+}
+
+/*
+ * AF_INET6 - aka IPv6 implementation
+ */
+
+#ifdef HAVE_IPV6
+
+static krb5_error_code
+ipv6_sockaddr2addr (const struct sockaddr *sa, krb5_address *a)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+    if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+	unsigned char buf[4];
+
+	a->addr_type      = KRB5_ADDRESS_INET;
+#ifndef IN6_ADDR_V6_TO_V4
+#ifdef IN6_EXTRACT_V4ADDR
+#define IN6_ADDR_V6_TO_V4(x) (&IN6_EXTRACT_V4ADDR(x))
+#else
+#define IN6_ADDR_V6_TO_V4(x) ((const struct in_addr *)&(x)->s6_addr[12])
+#endif
+#endif
+	memcpy (buf, IN6_ADDR_V6_TO_V4(&sin6->sin6_addr), 4);
+	return krb5_data_copy(&a->address, buf, 4);
+    } else {
+	a->addr_type = KRB5_ADDRESS_INET6;
+	return krb5_data_copy(&a->address,
+			      &sin6->sin6_addr,
+			      sizeof(sin6->sin6_addr));
+    }
+}
+
+static krb5_error_code
+ipv6_sockaddr2port (const struct sockaddr *sa, int16_t *port)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+    *port = sin6->sin6_port;
+    return 0;
+}
+
+static void
+ipv6_addr2sockaddr (const krb5_address *a,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    sin6->sin6_family = AF_INET6;
+    memcpy (&sin6->sin6_addr, a->address.data, sizeof(sin6->sin6_addr));
+    sin6->sin6_port = port;
+    *sa_size = sizeof(*sin6);
+}
+
+static void
+ipv6_h_addr2sockaddr(const char *addr,
+		     struct sockaddr *sa,
+		     int *sa_size,
+		     int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    *sa_size = sizeof(*sin6);
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = *((const struct in6_addr *)addr);
+}
+
+static krb5_error_code
+ipv6_h_addr2addr (const char *addr,
+		  krb5_address *a)
+{
+    a->addr_type = KRB5_ADDRESS_INET6;
+    return krb5_data_copy(&a->address, addr, sizeof(struct in6_addr));
+}
+
+/*
+ * 
+ */
+
+static krb5_boolean
+ipv6_uninteresting (const struct sockaddr *sa)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+    const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
+    
+    return
+	IN6_IS_ADDR_LINKLOCAL(in6)
+	|| IN6_IS_ADDR_V4COMPAT(in6);
+}
+
+static void
+ipv6_anyaddr (struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    *sa_size = sizeof(*sin6);
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = in6addr_any;
+}
+
+static int
+ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
+{
+    char buf[128], buf2[3];
+#ifdef HAVE_INET_NTOP
+    if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
+#endif
+	{
+	    /* XXX this is pretty ugly, but better than abort() */
+	    int i;
+	    unsigned char *p = addr->address.data;
+	    buf[0] = '\0';
+	    for(i = 0; i < addr->address.length; i++) {
+		snprintf(buf2, sizeof(buf2), "%02x", p[i]);
+		if(i > 0 && (i & 1) == 0)
+		    strlcat(buf, ":", sizeof(buf));
+		strlcat(buf, buf2, sizeof(buf));
+	    }
+	}
+    return snprintf(str, len, "IPv6:%s", buf);
+}
+
+static int
+ipv6_parse_addr (const char *address, krb5_address *addr)
+{
+    int ret;
+    struct in6_addr in6;
+
+    ret = inet_pton(AF_INET6, address, &in6.s6_addr);
+    if(ret == 1) {
+	addr->addr_type = KRB5_ADDRESS_INET6;
+	ret = krb5_data_alloc(&addr->address, sizeof(in6.s6_addr));
+	if (ret)
+	    return -1;
+	memcpy(addr->address.data, in6.s6_addr, sizeof(in6.s6_addr));
+	return 0;
+    }
+    return -1;
+}
+
+#endif /* IPv6 */
+
+/*
+ * table
+ */
+
+static struct addr_operations at[] = {
+    {AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+     ipv4_sockaddr2addr, 
+     ipv4_sockaddr2port,
+     ipv4_addr2sockaddr,
+     ipv4_h_addr2sockaddr,
+     ipv4_h_addr2addr,
+     ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr},
+#ifdef HAVE_IPV6
+    {AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+     ipv6_sockaddr2addr, 
+     ipv6_sockaddr2port,
+     ipv6_addr2sockaddr,
+     ipv6_h_addr2sockaddr,
+     ipv6_h_addr2addr,
+     ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr}
+#endif
+};
+
+static int num_addrs = sizeof(at) / sizeof(at[0]);
+
+static size_t max_sockaddr_size = 0;
+
+/*
+ * generic functions
+ */
+
+static struct addr_operations *
+find_af(int af)
+{
+    struct addr_operations *a;
+
+    for (a = at; a < at + num_addrs; ++a)
+	if (af == a->af)
+	    return a;
+    return NULL;
+}
+
+static struct addr_operations *
+find_atype(int atype)
+{
+    struct addr_operations *a;
+
+    for (a = at; a < at + num_addrs; ++a)
+	if (atype == a->atype)
+	    return a;
+    return NULL;
+}
+
+krb5_error_code
+krb5_sockaddr2address (const struct sockaddr *sa, krb5_address *addr)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+    return (*a->sockaddr2addr)(sa, addr);
+}
+
+krb5_error_code
+krb5_sockaddr2port (const struct sockaddr *sa, int16_t *port)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+    return (*a->sockaddr2port)(sa, port);
+}
+
+krb5_error_code
+krb5_addr2sockaddr (const krb5_address *addr,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct addr_operations *a = find_atype(addr->addr_type);
+
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+    (*a->addr2sockaddr)(addr, sa, sa_size, port);
+    return 0;
+}
+
+size_t
+krb5_max_sockaddr_size (void)
+{
+    if (max_sockaddr_size == 0) {
+	struct addr_operations *a;
+
+	for(a = at; a < at + num_addrs; ++a)
+	    max_sockaddr_size = max(max_sockaddr_size, a->max_sockaddr_size);
+    }
+    return max_sockaddr_size;
+}
+
+krb5_boolean
+krb5_sockaddr_uninteresting(const struct sockaddr *sa)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL)
+	return TRUE;
+    return (*a->uninteresting)(sa);
+}
+
+krb5_error_code
+krb5_h_addr2sockaddr (int af,
+		      const char *addr, struct sockaddr *sa, int *sa_size,
+		      int port)
+{
+    struct addr_operations *a = find_af(af);
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+    (*a->h_addr2sockaddr)(addr, sa, sa_size, port);
+    return 0;
+}
+
+krb5_error_code
+krb5_h_addr2addr (int af,
+		  const char *haddr, krb5_address *addr)
+{
+    struct addr_operations *a = find_af(af);
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+    return (*a->h_addr2addr)(haddr, addr);
+}
+
+krb5_error_code
+krb5_anyaddr (int af,
+	      struct sockaddr *sa,
+	      int *sa_size,
+	      int port)
+{
+    struct addr_operations *a = find_af (af);
+
+    if (a == NULL)
+	return KRB5_PROG_ATYPE_NOSUPP;
+
+    (*a->anyaddr)(sa, sa_size, port);
+    return 0;
+}
+
+krb5_error_code
+krb5_print_address (const krb5_address *addr, 
+		    char *str, size_t len, size_t *ret_len)
+{
+    struct addr_operations *a = find_atype(addr->addr_type);
+
+    if (a == NULL) {
+	char *s;
+	size_t l;
+	int i;
+	s = str;
+	l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
+	s += l;
+	len -= len;
+	for(i = 0; i < addr->address.length; i++) {
+	    l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
+	    len -= l;
+	    s += l;
+	}
+	*ret_len = s - str;
+	return 0;
+    }
+    *ret_len = (*a->print_addr)(addr, str, len);
+    return 0;
+}
+
+krb5_error_code
+krb5_parse_address(krb5_context context,
+		   const char *string,
+		   krb5_addresses *addresses)
+{
+    int i, n;
+    struct addrinfo *ai, *a;
+    int error;
+
+    for(i = 0; i < num_addrs; i++) {
+	if(at[i].parse_addr) {
+	    krb5_address a;
+	    if((*at[i].parse_addr)(string, &a) == 0) {
+		ALLOC_SEQ(addresses, 1);
+		addresses->val[0] = a;
+		return 0;
+	    }
+	}
+    }
+
+    error = getaddrinfo (string, NULL, NULL, &ai);
+    if (error)
+	return -1;
+    
+    n = 0;
+    for (a = ai; a != NULL; a = a->ai_next)
+	++n;
+
+    ALLOC_SEQ(addresses, n);
+
+    for (a = ai, i = 0; a != NULL; a = a->ai_next, ++i) {
+	krb5_sockaddr2address (ai->ai_addr, &addresses->val[i]);
+    }
+    freeaddrinfo (ai);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/address.c b/crypto/heimdal/lib/krb5/address.c
new file mode 100644
index 0000000..8b0704f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/address.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: address.c,v 1.14 1999/12/02 17:05:07 joda Exp $");
+
+#if 0
+/* This is the supposedly MIT-api version */
+
+krb5_boolean
+krb5_address_search(krb5_context context,
+		    const krb5_address *addr,
+		    krb5_address *const *addrlist)
+{
+  krb5_address *a;
+
+  while((a = *addrlist++))
+    if (krb5_address_compare (context, addr, a))
+      return TRUE;
+  return FALSE;
+}
+#endif
+
+krb5_boolean
+krb5_address_search(krb5_context context,
+		    const krb5_address *addr,
+		    const krb5_addresses *addrlist)
+{
+    int i;
+
+    for (i = 0; i < addrlist->len; ++i)
+	if (krb5_address_compare (context, addr, &addrlist->val[i]))
+	    return TRUE;
+    return FALSE;
+}
+
+int
+krb5_address_order(krb5_context context,
+		   const krb5_address *addr1,
+		   const krb5_address *addr2)
+{
+    return (addr1->addr_type - addr2->addr_type)
+	|| memcmp (addr1->address.data,
+		   addr2->address.data,
+		   addr1->address.length);
+}
+
+krb5_boolean
+krb5_address_compare(krb5_context context,
+		     const krb5_address *addr1,
+		     const krb5_address *addr2)
+{
+    return krb5_address_order (context, addr1, addr2) == 0;
+}
+
+krb5_error_code
+krb5_copy_address(krb5_context context,
+		  const krb5_address *inaddr,
+		  krb5_address *outaddr)
+{
+    copy_HostAddress(inaddr, outaddr);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_addresses(krb5_context context,
+		    const krb5_addresses *inaddr,
+		    krb5_addresses *outaddr)
+{
+    copy_HostAddresses(inaddr, outaddr);
+    return 0;
+}
+
+krb5_error_code
+krb5_free_address(krb5_context context,
+		  krb5_address *address)
+{
+    krb5_data_free (&address->address);
+    return 0;
+}
+
+krb5_error_code
+krb5_free_addresses(krb5_context context,
+		    krb5_addresses *addresses)
+{
+    free_HostAddresses(addresses);
+    return 0;
+}
+
+krb5_error_code
+krb5_append_addresses(krb5_context context,
+		      krb5_addresses *dest,
+		      const krb5_addresses *source)
+{
+    krb5_address *tmp;
+    krb5_error_code ret;
+    int i;
+    if(source->len > 0) {
+	tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
+	if(tmp == NULL)
+	    return ENOMEM;
+	dest->val = tmp;
+	for(i = 0; i < source->len; i++) {
+	    /* skip duplicates */
+	    if(krb5_address_search(context, &source->val[i], dest))
+		continue;
+	    ret = krb5_copy_address(context, 
+				    &source->val[i], 
+				    &dest->val[dest->len]);
+	    if(ret)
+		return ret;
+	    dest->len++;
+	}
+    }
+    return 0;
+}
+
+/*
+ * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
+ */
+
+krb5_error_code
+krb5_make_addrport (krb5_address **res, const krb5_address *addr, int16_t port)
+{
+    krb5_error_code ret;
+    size_t len = addr->address.length + 2 + 4 * 4;
+    u_char *p;
+
+    *res = malloc (sizeof(**res));
+    if (*res == NULL)
+	return ENOMEM;
+    (*res)->addr_type = KRB5_ADDRESS_ADDRPORT;
+    ret = krb5_data_alloc (&(*res)->address, len);
+    if (ret) {
+	free (*res);
+	return ret;
+    }
+    p = (*res)->address.data;
+    *p++ = 0;
+    *p++ = 0;
+    *p++ = (addr->addr_type     ) & 0xFF;
+    *p++ = (addr->addr_type >> 8) & 0xFF;
+
+    *p++ = (addr->address.length      ) & 0xFF;
+    *p++ = (addr->address.length >>  8) & 0xFF;
+    *p++ = (addr->address.length >> 16) & 0xFF;
+    *p++ = (addr->address.length >> 24) & 0xFF;
+
+    memcpy (p, addr->address.data, addr->address.length);
+    p += addr->address.length;
+
+    *p++ = 0;
+    *p++ = 0;
+    *p++ = (KRB5_ADDRESS_IPPORT     ) & 0xFF;
+    *p++ = (KRB5_ADDRESS_IPPORT >> 8) & 0xFF;
+
+    *p++ = (2      ) & 0xFF;
+    *p++ = (2 >>  8) & 0xFF;
+    *p++ = (2 >> 16) & 0xFF;
+    *p++ = (2 >> 24) & 0xFF;
+
+    memcpy (p, &port, 2);
+    p += 2;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/aname_to_localname.c b/crypto/heimdal/lib/krb5/aname_to_localname.c
new file mode 100644
index 0000000..c125580
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/aname_to_localname.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: aname_to_localname.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_aname_to_localname (krb5_context context,
+			 krb5_const_principal aname,
+			 size_t lnsize,
+			 char *lname)
+{
+    krb5_error_code ret;
+    krb5_realm *lrealms, *r;
+    int foo = 1;
+    size_t len;
+    char *res;
+
+    ret = krb5_get_default_realms (context, &lrealms);
+    if (ret)
+	return ret;
+
+    for (r = lrealms; *r != NULL; ++r) {
+	foo = strcmp (*r, aname->realm);
+	if (foo == 0)
+	    break;
+    }
+    krb5_free_host_realm (context, lrealms);
+    if (foo != 0)
+	return KRB5_NO_LOCALNAME;
+
+    if (aname->name.name_string.len == 1)
+	res = aname->name.name_string.val[0];
+    else if (aname->name.name_string.len == 2
+	     && strcmp (aname->name.name_string.val[1], "root") == 0)
+	res = "root";
+    else
+	return KRB5_NO_LOCALNAME;
+
+    len = strlen (res);
+    if (len >= lnsize)
+	return ERANGE;
+    strcpy (lname, res);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/asn1_glue.c b/crypto/heimdal/lib/krb5/asn1_glue.c
new file mode 100644
index 0000000..ac83ff7
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/asn1_glue.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ *
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: asn1_glue.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_principal2principalname (PrincipalName *p,
+			      const krb5_principal from)
+{
+    return copy_PrincipalName(&from->name, p);
+}
+
+krb5_error_code
+principalname2krb5_principal (krb5_principal *principal,
+			      const PrincipalName from,
+			      const Realm realm)
+{
+    krb5_principal p = malloc(sizeof(*p));
+    copy_PrincipalName(&from, &p->name);
+    p->realm = strdup(realm);
+    *principal = p;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c
new file mode 100644
index 0000000..94b1376
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/auth_context.c
@@ -0,0 +1,426 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: auth_context.c,v 1.50 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_auth_con_init(krb5_context context,
+		   krb5_auth_context *auth_context)
+{
+    krb5_auth_context p;
+
+    ALLOC(p, 1);
+    if(!p)
+	return ENOMEM;
+    memset(p, 0, sizeof(*p));
+    ALLOC(p->authenticator, 1);
+    if (!p->authenticator) {
+	free(p);
+	return ENOMEM;
+    }
+    memset (p->authenticator, 0, sizeof(*p->authenticator));
+    p->flags = KRB5_AUTH_CONTEXT_DO_TIME;
+
+    p->local_address  = NULL;
+    p->remote_address = NULL;
+    p->local_port     = 0;
+    p->remote_port    = 0;
+    p->keytype        = KEYTYPE_NULL;
+    p->cksumtype      = CKSUMTYPE_NONE;
+    *auth_context     = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_free(krb5_context context,
+		   krb5_auth_context auth_context)
+{
+    krb5_free_authenticator(context, &auth_context->authenticator);
+    if(auth_context->local_address){
+	free_HostAddress(auth_context->local_address);
+	free(auth_context->local_address);
+    }
+    if(auth_context->remote_address){
+	free_HostAddress(auth_context->remote_address);
+	free(auth_context->remote_address);
+    }
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    krb5_free_keyblock(context, auth_context->remote_subkey);
+    krb5_free_keyblock(context, auth_context->local_subkey);
+    free (auth_context);
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_setflags(krb5_context context,
+		       krb5_auth_context auth_context,
+		       int32_t flags)
+{
+    auth_context->flags = flags;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_auth_con_getflags(krb5_context context,
+		       krb5_auth_context auth_context,
+		       int32_t *flags)
+{
+    *flags = auth_context->flags;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_auth_con_setaddrs(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_address *local_addr,
+		       krb5_address *remote_addr)
+{
+    if (local_addr) {
+	if (auth_context->local_address)
+	    krb5_free_address (context, auth_context->local_address);
+	else
+	    auth_context->local_address = malloc(sizeof(krb5_address));
+	krb5_copy_address(context, local_addr, auth_context->local_address);
+    }
+    if (remote_addr) {
+	if (auth_context->remote_address)
+	    krb5_free_address (context, auth_context->remote_address);
+	else
+	    auth_context->remote_address = malloc(sizeof(krb5_address));
+	krb5_copy_address(context, remote_addr, auth_context->remote_address);
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_setaddrs_from_fd (krb5_context context,
+				krb5_auth_context auth_context,
+				void *p_fd)
+{
+    int fd = *((int *)p_fd);
+    krb5_error_code ret;
+    krb5_address local_k_address, remote_k_address;
+    krb5_address *lptr = NULL, *rptr = NULL;
+    struct sockaddr_storage ss_local, ss_remote;
+    struct sockaddr *local  = (struct sockaddr *)&ss_local;
+    struct sockaddr *remote = (struct sockaddr *)&ss_remote;
+    int len;
+
+    if (auth_context->local_address == NULL) {
+	len = sizeof(ss_local);
+	if(getsockname(fd, local, &len) < 0) {
+	    ret = errno;
+	    goto out;
+	}
+	krb5_sockaddr2address (local, &local_k_address);
+	krb5_sockaddr2port (local, &auth_context->local_port);
+	lptr = &local_k_address;
+    }
+    if (auth_context->remote_address == NULL) {
+	len = sizeof(ss_remote);
+	if(getpeername(fd, remote, &len) < 0) {
+	    ret = errno;
+	    goto out;
+	}
+	krb5_sockaddr2address (remote, &remote_k_address);
+	krb5_sockaddr2port (remote, &auth_context->remote_port);
+	rptr = &remote_k_address;
+    }
+    ret = krb5_auth_con_setaddrs (context,
+				  auth_context,
+				  lptr,
+				  rptr);
+out:
+    if (lptr)
+	krb5_free_address (context, lptr);
+    if (rptr)
+	krb5_free_address (context, rptr);
+    return ret;
+}
+
+krb5_error_code
+krb5_auth_con_getaddrs(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_address **local_addr,
+		       krb5_address **remote_addr)
+{
+    if(*local_addr)
+	krb5_free_address (context, *local_addr);
+    *local_addr = malloc (sizeof(**local_addr));
+    if (*local_addr == NULL)
+	return ENOMEM;
+    krb5_copy_address(context,
+		      auth_context->local_address,
+		      *local_addr);
+
+    if(*remote_addr)
+	krb5_free_address (context, *remote_addr);
+    *remote_addr = malloc (sizeof(**remote_addr));
+    if (*remote_addr == NULL)
+	return ENOMEM;
+    krb5_copy_address(context,
+		      auth_context->remote_address,
+		      *remote_addr);
+    return 0;
+}
+
+static krb5_error_code
+copy_key(krb5_context context,
+	 krb5_keyblock *in,
+	 krb5_keyblock **out)
+{
+    if(in)
+	return krb5_copy_keyblock(context, in, out);
+    *out = NULL; /* is this right? */
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_getkey(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->keyblock, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_getlocalsubkey(krb5_context context,
+			     krb5_auth_context auth_context,
+			     krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->local_subkey, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_getremotesubkey(krb5_context context,
+			      krb5_auth_context auth_context,
+			      krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->remote_subkey, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_setkey(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_keyblock *keyblock)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    return copy_key(context, keyblock, &auth_context->keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_setlocalsubkey(krb5_context context,
+			     krb5_auth_context auth_context,
+			     krb5_keyblock *keyblock)
+{
+    if(auth_context->local_subkey)
+	krb5_free_keyblock(context, auth_context->local_subkey);
+    return copy_key(context, keyblock, &auth_context->local_subkey);
+}
+
+krb5_error_code
+krb5_auth_con_setremotesubkey(krb5_context context,
+			      krb5_auth_context auth_context,
+			      krb5_keyblock *keyblock)
+{
+    if(auth_context->remote_subkey)
+	krb5_free_keyblock(context, auth_context->remote_subkey);
+    return copy_key(context, keyblock, &auth_context->remote_subkey);
+}
+
+krb5_error_code
+krb5_auth_setcksumtype(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_cksumtype cksumtype)
+{
+    auth_context->cksumtype = cksumtype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getcksumtype(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_cksumtype *cksumtype)
+{
+    *cksumtype = auth_context->cksumtype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_setkeytype (krb5_context context,
+		      krb5_auth_context auth_context,
+		      krb5_keytype keytype)
+{
+    auth_context->keytype = keytype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getkeytype (krb5_context context,
+		      krb5_auth_context auth_context,
+		      krb5_keytype *keytype)
+{
+    *keytype = auth_context->keytype;
+    return 0;
+}
+
+#if 0
+krb5_error_code
+krb5_auth_setenctype(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_enctype etype)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    ALLOC(auth_context->keyblock, 1);
+    if(auth_context->keyblock == NULL)
+	return ENOMEM;
+    auth_context->keyblock->keytype = etype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getenctype(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_enctype *etype)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_getenctype called");
+}
+#endif
+
+krb5_error_code
+krb5_auth_getlocalseqnumber(krb5_context context,
+			    krb5_auth_context auth_context,
+			    int32_t *seqnumber)
+{
+  *seqnumber = auth_context->local_seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_setlocalseqnumber (krb5_context context,
+			     krb5_auth_context auth_context,
+			     int32_t seqnumber)
+{
+  auth_context->local_seqnumber = seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_getremoteseqnumber(krb5_context context,
+			     krb5_auth_context auth_context,
+			     int32_t *seqnumber)
+{
+  *seqnumber = auth_context->remote_seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_setremoteseqnumber (krb5_context context,
+			      krb5_auth_context auth_context,
+			      int32_t seqnumber)
+{
+  auth_context->remote_seqnumber = seqnumber;
+  return 0;
+}
+
+
+krb5_error_code
+krb5_auth_getauthenticator(krb5_context context,
+			   krb5_auth_context auth_context,
+			   krb5_authenticator *authenticator)
+{
+    *authenticator = malloc(sizeof(**authenticator));
+    if (*authenticator == NULL)
+	return ENOMEM;
+
+    copy_Authenticator(auth_context->authenticator,
+		       *authenticator);
+    return 0;
+}
+
+
+void
+krb5_free_authenticator(krb5_context context,
+			krb5_authenticator *authenticator)
+{
+    free_Authenticator (*authenticator);
+    free (*authenticator);
+    *authenticator = NULL;
+}
+
+
+krb5_error_code
+krb5_auth_con_setuserkey(krb5_context context,
+			 krb5_auth_context auth_context,
+			 krb5_keyblock *keyblock)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock);
+}
+
+#if 0 /* not implemented */
+
+krb5_error_code
+krb5_auth_con_initivector(krb5_context context,
+			  krb5_auth_context auth_context)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_con_initivector called");
+}
+
+
+krb5_error_code
+krb5_auth_con_setivector(krb5_context context,
+			 krb5_auth_context auth_context,
+			 krb5_pointer ivector)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_con_setivector called");
+}
+
+
+krb5_error_code
+krb5_auth_con_setrcache(krb5_context context,
+			krb5_auth_context auth_context,
+			krb5_rcache rcache)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_con_setrcache called");
+}
+
+#endif /* not implemented */
diff --git a/crypto/heimdal/lib/krb5/build_ap_req.c b/crypto/heimdal/lib/krb5/build_ap_req.c
new file mode 100644
index 0000000..c8a89ca
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/build_ap_req.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: build_ap_req.c,v 1.16 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_build_ap_req (krb5_context context,
+		   krb5_enctype enctype,
+		   krb5_creds *cred,
+		   krb5_flags ap_options,
+		   krb5_data authenticator,
+		   krb5_data *retdata)
+{
+  krb5_error_code ret = 0;
+  AP_REQ ap;
+  Ticket t;
+  size_t len;
+  
+  ap.pvno = 5;
+  ap.msg_type = krb_ap_req;
+  memset(&ap.ap_options, 0, sizeof(ap.ap_options));
+  ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
+  ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
+  
+  ap.ticket.tkt_vno = 5;
+  copy_Realm(&cred->server->realm, &ap.ticket.realm);
+  copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
+
+  decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
+  copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
+  free_Ticket(&t);
+
+  ap.authenticator.etype = enctype;
+  ap.authenticator.kvno  = NULL;
+  ap.authenticator.cipher = authenticator;
+
+  retdata->length = length_AP_REQ(&ap);
+  retdata->data   = malloc(retdata->length);
+  if(retdata->data == NULL)
+      ret = ENOMEM;
+  else
+      encode_AP_REQ((unsigned char *)retdata->data + retdata->length - 1,
+		    retdata->length, &ap, &len);
+  free_AP_REQ(&ap);
+  
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c
new file mode 100644
index 0000000..a38393b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/build_auth.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: build_auth.c,v 1.32 1999/12/02 17:05:08 joda Exp $");
+
+krb5_error_code
+krb5_build_authenticator (krb5_context context,
+			  krb5_auth_context auth_context,
+			  krb5_enctype enctype,
+			  krb5_creds *cred,
+			  Checksum *cksum,
+			  Authenticator **auth_result,
+			  krb5_data *result)
+{
+  Authenticator *auth;
+  u_char *buf = NULL;
+  size_t buf_size;
+  size_t len;
+  krb5_error_code ret;
+  krb5_crypto crypto;
+
+  auth = malloc(sizeof(*auth));
+  if (auth == NULL)
+      return ENOMEM;
+
+  memset (auth, 0, sizeof(*auth));
+  auth->authenticator_vno = 5;
+  copy_Realm(&cred->client->realm, &auth->crealm);
+  copy_PrincipalName(&cred->client->name, &auth->cname);
+
+  {
+      int32_t sec, usec;
+
+      krb5_us_timeofday (context, &sec, &usec);
+      auth->ctime = sec;
+      auth->cusec = usec;
+  }
+  ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
+  if(ret)
+      goto fail;
+
+  if(auth->subkey == NULL) {
+      krb5_generate_subkey (context, &cred->session, &auth->subkey);
+      ret = krb5_auth_con_setlocalsubkey(context, auth_context, auth->subkey);
+      if(ret)
+	  goto fail;
+  }
+
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      &cred->session, 
+			      &auth_context->local_seqnumber);
+    ALLOC(auth->seq_number, 1);
+    *auth->seq_number = auth_context->local_seqnumber;
+  } else
+    auth->seq_number = NULL;
+  auth->authorization_data = NULL;
+  auth->cksum = cksum;
+
+  /* XXX - Copy more to auth_context? */
+
+  if (auth_context) {
+    auth_context->authenticator->ctime = auth->ctime;
+    auth_context->authenticator->cusec = auth->cusec;
+  }
+
+  buf_size = 1024;
+  buf = malloc (buf_size);
+  if (buf == NULL) {
+      ret = ENOMEM;
+      goto fail;
+  }
+
+  do {
+      ret = krb5_encode_Authenticator (context,
+				       buf + buf_size - 1,
+				       buf_size,
+				       auth, &len);
+      if (ret) {
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+
+  ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
+  ret = krb5_encrypt (context,
+		      crypto,
+		      KRB5_KU_AP_REQ_AUTH,
+		      buf + buf_size - len, 
+		      len,
+		      result);
+  krb5_crypto_destroy(context, crypto);
+
+  if (ret)
+      goto fail;
+
+  free (buf);
+
+  if (auth_result)
+    *auth_result = auth;
+  else {
+    /* Don't free the `cksum', it's allocated by the caller */
+    auth->cksum = NULL;
+    free_Authenticator (auth);
+    free (auth);
+  }
+  return ret;
+fail:
+  free_Authenticator (auth);
+  free (auth);
+  free (buf);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c
new file mode 100644
index 0000000..e78d4de
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/cache.c
@@ -0,0 +1,422 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: cache.c,v 1.44 1999/12/02 17:05:08 joda Exp $");
+
+/*
+ * Add a new ccache type with operations `ops', overwriting any
+ * existing one if `override'.
+ * Return an error code or 0.
+ */
+
+krb5_error_code
+krb5_cc_register(krb5_context context, 
+		 const krb5_cc_ops *ops, 
+		 krb5_boolean override)
+{
+    int i;
+
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
+	if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+	    if(override)
+		free(context->cc_ops[i].prefix);
+	    else
+		return KRB5_CC_TYPE_EXISTS;
+	}
+    }
+    if(i == context->num_cc_ops) {
+	krb5_cc_ops *o = realloc(context->cc_ops,
+				 (context->num_cc_ops + 1) *
+				 sizeof(*context->cc_ops));
+	if(o == NULL)
+	    return KRB5_CC_NOMEM;
+	context->num_cc_ops++;
+	context->cc_ops = o;
+	memset(context->cc_ops + i, 0, 
+	       (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+    }
+    memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+    context->cc_ops[i].prefix = strdup(ops->prefix);
+    if(context->cc_ops[i].prefix == NULL)
+	return KRB5_CC_NOMEM;
+    
+    return 0;
+}
+
+/*
+ * Allocate memory for a new ccache in `id' with operations `ops'
+ * and name `residual'.
+ * Return 0 or an error code.
+ */
+
+static krb5_error_code
+allocate_ccache (krb5_context context,
+		 const krb5_cc_ops *ops,
+		 const char *residual,
+		 krb5_ccache *id)
+{
+    krb5_error_code ret;
+    krb5_ccache p;
+
+    p = malloc(sizeof(*p));
+    if(p == NULL)
+	return KRB5_CC_NOMEM;
+    p->ops = ops;
+    *id = p;
+    ret = p->ops->resolve(context, id, residual);
+    if(ret)
+	free(p);
+    return ret;
+}
+
+/*
+ * Find and allocate a ccache in `id' from the specification in `residual'.
+ * If the ccache name doesn't contain any colon, interpret it as a file name.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_resolve(krb5_context context,
+		const char *name,
+		krb5_ccache *id)
+{
+    int i;
+
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
+	size_t prefix_len = strlen(context->cc_ops[i].prefix);
+
+	if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+	   && name[prefix_len] == ':') {
+	    return allocate_ccache (context, &context->cc_ops[i],
+				    name + prefix_len + 1,
+				    id);
+	}
+    }
+    if (strchr (name, ':') == NULL)
+	return allocate_ccache (context, &krb5_fcc_ops, name, id);
+    else
+	return KRB5_CC_UNKNOWN_TYPE;
+}
+
+/*
+ * Generate a new ccache of type `ops' in `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_gen_new(krb5_context context,
+		const krb5_cc_ops *ops,
+		krb5_ccache *id)
+{
+    krb5_ccache p;
+
+    p = malloc (sizeof(*p));
+    if (p == NULL)
+	return KRB5_CC_NOMEM;
+    p->ops = ops;
+    *id = p;
+    return p->ops->gen_new(context, id);
+}
+
+/*
+ * Return the name of the ccache `id'
+ */
+
+const char*
+krb5_cc_get_name(krb5_context context,
+		 krb5_ccache id)
+{
+    return id->ops->get_name(context, id);
+}
+
+/*
+ * Return the type of the ccache `id'.
+ */
+
+const char*
+krb5_cc_get_type(krb5_context context,
+		 krb5_ccache id)
+{
+    return id->ops->prefix;
+}
+
+/*
+ * Return a pointer to a static string containing the default ccache name.
+ */
+
+const char*
+krb5_cc_default_name(krb5_context context)
+{
+    static char name[1024];
+    char *p;
+
+    p = getenv("KRB5CCNAME");
+    if(p)
+	strlcpy (name, p, sizeof(name));
+    else
+	snprintf(name,
+		 sizeof(name),
+		 "FILE:/tmp/krb5cc_%u",
+		 (unsigned)getuid());
+    return name;
+}
+
+/*
+ * Open the default ccache in `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_default(krb5_context context,
+		krb5_ccache *id)
+{
+    return krb5_cc_resolve(context, 
+			   krb5_cc_default_name(context), 
+			   id);
+}
+
+/*
+ * Create a new ccache in `id' for `primary_principal'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_initialize(krb5_context context,
+		   krb5_ccache id,
+		   krb5_principal primary_principal)
+{
+    return id->ops->init(context, id, primary_principal);
+}
+
+
+/*
+ * Remove the ccache `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_destroy(krb5_context context,
+		krb5_ccache id)
+{
+    krb5_error_code ret;
+
+    ret = id->ops->destroy(context, id);
+    krb5_cc_close (context, id);
+    return ret;
+}
+
+/*
+ * Stop using the ccache `id' and free the related resources.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_close(krb5_context context,
+	      krb5_ccache id)
+{
+    krb5_error_code ret;
+    ret = id->ops->close(context, id);
+    free(id);
+    return ret;
+}
+
+/*
+ * Store `creds' in the ccache `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_store_cred(krb5_context context,
+		   krb5_ccache id,
+		   krb5_creds *creds)
+{
+    return id->ops->store(context, id, creds);
+}
+
+/*
+ * Retrieve the credential identified by `mcreds' (and `whichfields')
+ * from `id' in `creds'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_retrieve_cred(krb5_context context,
+		      krb5_ccache id,
+		      krb5_flags whichfields,
+		      const krb5_creds *mcreds,
+		      krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_cc_cursor cursor;
+    krb5_cc_start_seq_get(context, id, &cursor);
+    while((ret = krb5_cc_next_cred(context, id, creds, &cursor)) == 0){
+	if(krb5_compare_creds(context, whichfields, mcreds, creds)){
+	    ret = 0;
+	    break;
+	}
+	krb5_free_creds_contents (context, creds);
+    }
+    krb5_cc_end_seq_get(context, id, &cursor);
+    return ret;
+}
+
+/*
+ * Return the principal of `id' in `principal'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_get_principal(krb5_context context,
+		      krb5_ccache id,
+		      krb5_principal *principal)
+{
+    return id->ops->get_princ(context, id, principal);
+}
+
+/*
+ * Start iterating over `id', `cursor' is initialized to the
+ * beginning.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_start_seq_get (krb5_context context,
+		       const krb5_ccache id,
+		       krb5_cc_cursor *cursor)
+{
+    return id->ops->get_first(context, id, cursor);
+}
+
+/*
+ * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
+ * and advance `cursor'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_next_cred (krb5_context context,
+		   const krb5_ccache id,
+		   krb5_creds *creds,
+		   krb5_cc_cursor *cursor)
+{
+    return id->ops->get_next(context, id, cursor, creds);
+}
+
+/*
+ * Destroy the cursor `cursor'.
+ */
+
+krb5_error_code
+krb5_cc_end_seq_get (krb5_context context,
+		     const krb5_ccache id,
+		     krb5_cc_cursor *cursor)
+{
+    return id->ops->end_get(context, id, cursor);
+}
+
+/*
+ * Remove the credential identified by `cred', `which' from `id'.
+ */
+
+krb5_error_code
+krb5_cc_remove_cred(krb5_context context,
+		    krb5_ccache id,
+		    krb5_flags which,
+		    krb5_creds *cred)
+{
+    return id->ops->remove_cred(context, id, which, cred);
+}
+
+/*
+ * Set the flags of `id' to `flags'.
+ */
+
+krb5_error_code
+krb5_cc_set_flags(krb5_context context,
+		  krb5_ccache id,
+		  krb5_flags flags)
+{
+    return id->ops->set_flags(context, id, flags);
+}
+		    
+/*
+ * Copy the contents of `from' to `to'.
+ */
+
+krb5_error_code
+krb5_cc_copy_cache(krb5_context context,
+		   const krb5_ccache from,
+		   krb5_ccache to)
+{
+    krb5_error_code ret;
+    krb5_cc_cursor cursor;
+    krb5_creds cred;
+    krb5_principal princ;
+
+    ret = krb5_cc_get_principal(context, from, &princ);
+    if(ret)
+	return ret;
+    ret = krb5_cc_initialize(context, to, princ);
+    if(ret){
+	krb5_free_principal(context, princ);
+	return ret;
+    }
+    ret = krb5_cc_start_seq_get(context, from, &cursor);
+    if(ret){
+	krb5_free_principal(context, princ);
+	return ret;
+    }
+    while(ret == 0 && krb5_cc_next_cred(context, from, &cred, &cursor) == 0){
+	ret = krb5_cc_store_cred(context, to, &cred);
+	krb5_free_creds_contents (context, &cred);
+    }
+    krb5_cc_end_seq_get(context, from, &cursor);
+    krb5_free_principal(context, princ);
+    return ret;
+}
+
+/*
+ * Return the version of `id'.
+ */
+
+krb5_error_code
+krb5_cc_get_version(krb5_context context,
+		    const krb5_ccache id)
+{
+    if(id->ops->get_version)
+	return id->ops->get_version(context, id);
+    else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c
new file mode 100644
index 0000000..56c89a0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/changepw.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: changepw.c,v 1.20 2000/02/07 13:40:18 joda Exp $");
+
+static krb5_error_code
+get_kdc_address (krb5_context context,
+		 krb5_realm realm,
+		 struct addrinfo **ai)
+{
+    krb5_error_code ret;
+    char **hostlist;
+    int port = 0;
+    int error;
+
+    ret = krb5_get_krb_changepw_hst (context,
+				     &realm,
+				     &hostlist);
+    if (ret)
+	return ret;
+
+    port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT));
+    error = roken_getaddrinfo_hostspec(*hostlist, port, ai);
+
+    krb5_free_krbhst (context, hostlist);
+    return error;
+}
+
+static krb5_error_code
+send_request (krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_creds *creds,
+	      int sock,
+	      struct sockaddr *sa,
+	      int sa_size,
+	      char *passwd)
+{
+    krb5_error_code ret;
+    krb5_data ap_req_data;
+    krb5_data krb_priv_data;
+    krb5_data passwd_data;
+    size_t len;
+    u_char header[6];
+    u_char *p;
+    struct iovec iov[3];
+    struct msghdr msghdr;
+
+    krb5_data_zero (&ap_req_data);
+
+    ret = krb5_mk_req_extended (context,
+				auth_context,
+				AP_OPTS_MUTUAL_REQUIRED,
+				NULL, /* in_data */
+				creds,
+				&ap_req_data);
+    if (ret)
+	return ret;
+
+    passwd_data.data   = passwd;
+    passwd_data.length = strlen(passwd);
+
+    krb5_data_zero (&krb_priv_data);
+
+    ret = krb5_mk_priv (context,
+			*auth_context,
+			&passwd_data,
+			&krb_priv_data,
+			NULL);
+    if (ret)
+	goto out2;
+
+    len = 6 + ap_req_data.length + krb_priv_data.length;
+    p = header;
+    *p++ = (len >> 8) & 0xFF;
+    *p++ = (len >> 0) & 0xFF;
+    *p++ = 0;
+    *p++ = 1;
+    *p++ = (ap_req_data.length >> 8) & 0xFF;
+    *p++ = (ap_req_data.length >> 0) & 0xFF;
+
+    memset(&msghdr, 0, sizeof(msghdr));
+    msghdr.msg_name       = (void *)sa;
+    msghdr.msg_namelen    = sa_size;
+    msghdr.msg_iov        = iov;
+    msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
+#if 0
+    msghdr.msg_control    = NULL;
+    msghdr.msg_controllen = 0;
+#endif
+
+    iov[0].iov_base    = (void*)header;
+    iov[0].iov_len     = 6;
+    iov[1].iov_base    = ap_req_data.data;
+    iov[1].iov_len     = ap_req_data.length;
+    iov[2].iov_base    = krb_priv_data.data;
+    iov[2].iov_len     = krb_priv_data.length;
+
+    if (sendmsg (sock, &msghdr, 0) < 0)
+	ret = errno;
+
+    krb5_data_free (&krb_priv_data);
+out2:
+    krb5_data_free (&ap_req_data);
+    return ret;
+}
+
+static void
+str2data (krb5_data *d,
+	  char *fmt,
+	  ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    d->length = vasprintf ((char **)&d->data, fmt, args);
+    va_end(args);
+}
+
+static krb5_error_code
+process_reply (krb5_context context,
+	       krb5_auth_context auth_context,
+	       int sock,
+	       int *result_code,
+	       krb5_data *result_code_string,
+	       krb5_data *result_string)
+{
+    krb5_error_code ret;
+    u_char reply[BUFSIZ];
+    size_t len;
+    u_int16_t pkt_len, pkt_ver;
+    krb5_data ap_rep_data;
+
+    ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
+    if (ret < 0)
+	return errno;
+
+    len = ret;
+    pkt_len = (reply[0] << 8) | (reply[1]);
+    pkt_ver = (reply[2] << 8) | (reply[3]);
+
+    if (pkt_len != len) {
+	str2data (result_string, "client: wrong len in reply");
+	*result_code = KRB5_KPASSWD_MALFORMED;
+	return 0;
+    }
+    if (pkt_ver != 0x0001) {
+	str2data (result_string,
+		  "client: wrong version number (%d)", pkt_ver);
+	*result_code = KRB5_KPASSWD_MALFORMED;
+	return 0;
+    }
+
+    ap_rep_data.data = reply + 6;
+    ap_rep_data.length  = (reply[4] << 8) | (reply[5]);
+  
+    if (ap_rep_data.length) {
+	krb5_ap_rep_enc_part *ap_rep;
+	krb5_data priv_data;
+	u_char *p;
+
+	ret = krb5_rd_rep (context,
+			   auth_context,
+			   &ap_rep_data,
+			   &ap_rep);
+	if (ret)
+	    return ret;
+
+	krb5_free_ap_rep_enc_part (context, ap_rep);
+
+	priv_data.data   = (u_char*)ap_rep_data.data + ap_rep_data.length;
+	priv_data.length = len - ap_rep_data.length - 6;
+
+	ret = krb5_rd_priv (context,
+			    auth_context,
+			    &priv_data,
+			    result_code_string,
+			    NULL);
+	if (ret) {
+	    krb5_data_free (result_code_string);
+	    return ret;
+	}
+
+	if (result_code_string->length < 2) {
+	    *result_code = KRB5_KPASSWD_MALFORMED;
+	    str2data (result_string,
+		      "client: bad length in result");
+	    return 0;
+	}
+	p = result_code_string->data;
+      
+	*result_code = (p[0] << 8) | p[1];
+	krb5_data_copy (result_string,
+			(unsigned char*)result_code_string->data + 2,
+			result_code_string->length - 2);
+	return 0;
+    } else {
+	KRB_ERROR error;
+	size_t size;
+	u_char *p;
+      
+	ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
+	if (ret) {
+	    return ret;
+	}
+	if (error.e_data->length < 2) {
+	    krb5_warnx (context, "too short e_data to print anything usable");
+	    return 1;
+	}
+
+	p = error.e_data->data;
+	*result_code = (p[0] << 8) | p[1];
+	krb5_data_copy (result_string,
+			p + 2,
+			error.e_data->length - 2);
+	return 0;
+    }
+}
+
+krb5_error_code
+krb5_change_password (krb5_context	context,
+		      krb5_creds	*creds,
+		      char		*newpw,
+		      int		*result_code,
+		      krb5_data		*result_code_string,
+		      krb5_data		*result_string)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    int sock;
+    int i;
+    struct addrinfo *ai, *a;
+
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret)
+	return ret;
+
+    ret = get_kdc_address (context, creds->client->realm, &ai);
+    if (ret)
+	goto out;
+
+    krb5_auth_con_setflags (context, auth_context,
+			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (sock < 0)
+	    continue;
+
+	for (i = 0; i < 5; ++i) {
+	    fd_set fdset;
+	    struct timeval tv;
+
+	    ret = send_request (context,
+				&auth_context,
+				creds,
+				sock,
+				a->ai_addr,
+				a->ai_addrlen,
+				newpw);
+	    if (ret)
+		goto out;
+
+	    FD_ZERO(&fdset);
+	    FD_SET(sock, &fdset);
+	    tv.tv_usec = 0;
+	    tv.tv_sec  = 1 << i;
+
+	    ret = select (sock + 1, &fdset, NULL, NULL, &tv);
+	    if (ret < 0 && errno != EINTR)
+		goto out;
+	    if (ret == 1)
+		break;
+	}
+	if (i == 5) {
+	    ret = KRB5_KDC_UNREACH;
+	    close (sock);
+	    continue;
+	}
+
+	ret = process_reply (context,
+			     auth_context,
+			     sock,
+			     result_code,
+			     result_code_string,
+			     result_string);
+	close (sock);
+	if (ret == 0)
+	    break;
+    }
+    freeaddrinfo (ai);
+
+out:
+    krb5_auth_con_free (context, auth_context);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/codec.c b/crypto/heimdal/lib/krb5/codec.c
new file mode 100644
index 0000000..1d94613
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/codec.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 1998 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: codec.c,v 1.6 1999/12/02 17:05:08 joda Exp $");
+
+/* these functions does what the normal asn.1-functions does, but
+   converts the keytype to/from the on-the-wire enctypes */
+
+#if 1
+#define DECODE(T, K) return decode_ ## T(data, length, t, len)
+#define ENCODE(T, K) return encode_ ## T(data, length, t, len)
+#else
+#define DECODE(T, K)					\
+{							\
+    krb5_error_code ret;				\
+    ret = decode_ ## T((void*)data, length, t, len);	\
+    if(ret)						\
+	return ret;					\
+    if(K)						\
+	ret = krb5_decode_keyblock(context, (K), 1);	\
+    return ret;						\
+}
+
+#define ENCODE(T, K)					\
+{							\
+    krb5_error_code ret = 0;				\
+    if(K)						\
+	ret = krb5_decode_keyblock(context, (K), 0);	\
+    if(ret)						\
+	return ret;					\
+    return encode_ ## T(data, length, t, len);		\
+}
+#endif
+
+krb5_error_code
+krb5_decode_EncTicketPart (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   EncTicketPart *t,
+			   size_t *len)
+{
+    DECODE(EncTicketPart, &t->key);
+}
+
+krb5_error_code
+krb5_encode_EncTicketPart (krb5_context context,
+			   void *data,
+			   size_t length,
+			   EncTicketPart *t,
+			   size_t *len)
+{
+    ENCODE(EncTicketPart, &t->key);
+}
+
+krb5_error_code
+krb5_decode_EncASRepPart (krb5_context context,
+			  const void *data,
+			  size_t length,
+			  EncASRepPart *t,
+			  size_t *len)
+{
+    DECODE(EncASRepPart, &t->key);
+}
+
+krb5_error_code
+krb5_encode_EncASRepPart (krb5_context context,
+			  void *data,
+			  size_t length,
+			  EncASRepPart *t,
+			  size_t *len)
+{
+    ENCODE(EncASRepPart, &t->key);
+}
+
+krb5_error_code
+krb5_decode_EncTGSRepPart (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   EncTGSRepPart *t,
+			   size_t *len)
+{
+    DECODE(EncTGSRepPart, &t->key);
+}
+
+krb5_error_code
+krb5_encode_EncTGSRepPart (krb5_context context,
+			   void *data,
+			   size_t length,
+			   EncTGSRepPart *t,
+			   size_t *len)
+{
+    ENCODE(EncTGSRepPart, &t->key);
+}
+
+krb5_error_code
+krb5_decode_EncAPRepPart (krb5_context context,
+			  const void *data,
+			  size_t length,
+			  EncAPRepPart *t,
+			  size_t *len)
+{
+    DECODE(EncAPRepPart, t->subkey);
+}
+
+krb5_error_code
+krb5_encode_EncAPRepPart (krb5_context context,
+			  void *data,
+			  size_t length,
+			  EncAPRepPart *t,
+			  size_t *len)
+{
+    ENCODE(EncAPRepPart, t->subkey);
+}
+
+krb5_error_code
+krb5_decode_Authenticator (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   Authenticator *t,
+			   size_t *len)
+{
+    DECODE(Authenticator, t->subkey);
+}
+
+krb5_error_code
+krb5_encode_Authenticator (krb5_context context,
+			   void *data,
+			   size_t length,
+			   Authenticator *t,
+			   size_t *len)
+{
+    ENCODE(Authenticator, t->subkey);
+}
+
+krb5_error_code
+krb5_decode_EncKrbCredPart (krb5_context context,
+			    const void *data,
+			    size_t length,
+			    EncKrbCredPart *t,
+			    size_t *len)
+{
+#if 1
+    return decode_EncKrbCredPart(data, length, t, len);
+#else
+    krb5_error_code ret;
+    int i;
+    ret = decode_EncKrbCredPart((void*)data, length, t, len);
+    if(ret)
+	return ret;
+    for(i = 0; i < t->ticket_info.len; i++)
+	if((ret = krb5_decode_keyblock(context, &t->ticket_info.val[i].key, 1)))
+	    break;
+    return ret;
+#endif
+}
+
+krb5_error_code
+krb5_encode_EncKrbCredPart (krb5_context context,
+			    void *data,
+			    size_t length,
+			    EncKrbCredPart *t,
+			    size_t *len)
+{
+#if 0
+    krb5_error_code ret = 0;
+    int i;
+
+    for(i = 0; i < t->ticket_info.len; i++)
+	if((ret = krb5_decode_keyblock(context, &t->ticket_info.val[i].key, 0)))
+	    break;
+    if(ret) return ret;
+#endif
+    return encode_EncKrbCredPart (data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_ETYPE_INFO (krb5_context context,
+			const void *data,
+			size_t length,
+			ETYPE_INFO *t,
+			size_t *len)
+{
+#if 1
+    return decode_ETYPE_INFO(data, length, t, len);
+#else
+    krb5_error_code ret;
+    int i;
+
+    ret = decode_ETYPE_INFO((void*)data, length, t, len);
+    if(ret)
+	return ret;
+    for(i = 0; i < t->len; i++) {
+	if((ret = krb5_decode_keytype(context, &t->val[i].etype, 1)))
+	    break;
+    }
+    return ret;
+#endif
+}
+
+krb5_error_code
+krb5_encode_ETYPE_INFO (krb5_context context,
+			void *data,
+			size_t length,
+			ETYPE_INFO *t,
+			size_t *len)
+{
+#if 0
+    krb5_error_code ret = 0;
+
+    int i;
+    /* XXX this will break, since we need one key-info for each enctype */
+    /* XXX or do we? */
+    for(i = 0; i < t->len; i++)
+	if((ret = krb5_decode_keytype(context, &t->val[i].etype, 0)))
+	    break;
+    if(ret) return ret;
+#endif
+    return encode_ETYPE_INFO (data, length, t, len);
+}
diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c
new file mode 100644
index 0000000..3d1ff1e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/config_file.c
@@ -0,0 +1,750 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: config_file.c,v 1.38 1999/12/02 17:05:08 joda Exp $");
+
+#ifndef HAVE_NETINFO
+
+static int parse_section(char *p, krb5_config_section **s,
+			 krb5_config_section **res,
+			 char **error_message);
+static int parse_binding(FILE *f, unsigned *lineno, char *p,
+			 krb5_config_binding **b,
+			 krb5_config_binding **parent,
+			 char **error_message);
+static int parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
+		      char **error_message);
+
+/*
+ * Parse a section:
+ *
+ * [section]
+ *	foo = bar
+ *	b = {
+ *		a
+ *	    }
+ * ...
+ * 
+ * starting at the line in `p', storing the resulting structure in
+ * `s' and hooking it into `parent'.
+ * Store the error message in `error_message'.
+ */
+
+static int
+parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
+	      char **error_message)
+{
+    char *p1;
+    krb5_config_section *tmp;
+
+    p1 = strchr (p + 1, ']');
+    if (p1 == NULL) {
+	*error_message = "missing ]";
+	return -1;
+    }
+    *p1 = '\0';
+    tmp = malloc(sizeof(*tmp));
+    if (tmp == NULL) {
+	*error_message = "out of memory";
+	return -1;
+    }
+    tmp->name = strdup(p+1);
+    if (tmp->name == NULL) {
+	*error_message = "out of memory";
+	return -1;
+    }
+    tmp->type = krb5_config_list;
+    tmp->u.list = NULL;
+    tmp->next = NULL;
+    if (*s)
+	(*s)->next = tmp;
+    else
+	*parent = tmp;
+    *s = tmp;
+    return 0;
+}
+
+/*
+ * Parse a brace-enclosed list from `f', hooking in the structure at
+ * `parent'.
+ * Store the error message in `error_message'.
+ */
+
+static int
+parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
+	   char **error_message)
+{
+    char buf[BUFSIZ];
+    int ret;
+    krb5_config_binding *b = NULL;
+    unsigned beg_lineno = *lineno;
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	char *p;
+
+	++*lineno;
+	if (buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	p = buf;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '#' || *p == ';' || *p == '\0')
+	    continue;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '}')
+	    return 0;
+	if (*p == '\0')
+	    continue;
+	ret = parse_binding (f, lineno, p, &b, parent, error_message);
+	if (ret)
+	    return ret;
+    }
+    *lineno = beg_lineno;
+    *error_message = "unclosed {";
+    return -1;
+}
+
+/*
+ *
+ */
+
+static int
+parse_binding(FILE *f, unsigned *lineno, char *p,
+	      krb5_config_binding **b, krb5_config_binding **parent,
+	      char **error_message)
+{
+    krb5_config_binding *tmp;
+    char *p1, *p2;
+    int ret = 0;
+
+    p1 = p;
+    while (*p && *p != '=' && !isspace((unsigned char)*p))
+	++p;
+    if (*p == '\0') {
+	*error_message = "no =";
+	return -1;
+    }
+    p2 = p;
+    while (isspace((unsigned char)*p))
+	++p;
+    if (*p != '=') {
+	*error_message = "no =";
+	return -1;
+    }
+    ++p;
+    while(isspace((unsigned char)*p))
+	++p;
+    tmp = malloc(sizeof(*tmp));
+    if (tmp == NULL) {
+	*error_message = "out of memory";
+	return -1;
+    }
+    *p2 = '\0';
+    tmp->name = strdup(p1);
+    tmp->next = NULL;
+    if (*p == '{') {
+	tmp->type = krb5_config_list;
+	tmp->u.list = NULL;
+	ret = parse_list (f, lineno, &tmp->u.list, error_message);
+    } else {
+	p1 = p;
+	p = p1 + strlen(p1);
+	while(p > p1 && isspace((unsigned char)*(p-1)))
+	    --p;
+	*p = '\0';
+	tmp->type = krb5_config_string;
+	tmp->u.string = strdup(p1);
+    }
+    if (*b)
+	(*b)->next = tmp;
+    else
+	*parent = tmp;
+    *b = tmp;
+    return ret;
+}
+
+/*
+ * Parse the config file `fname', generating the structures into `res'
+ * returning error messages in `error_message'
+ */
+
+krb5_error_code
+krb5_config_parse_file_debug (const char *fname,
+			      krb5_config_section **res,
+			      unsigned *lineno,
+			      char **error_message)
+{
+    FILE *f;
+    krb5_config_section *s;
+    krb5_config_binding *b;
+    char buf[BUFSIZ];
+    int ret;
+
+    s = NULL;
+    b = NULL;
+    *lineno = 0;
+    f = fopen (fname, "r");
+    if (f == NULL) {
+	*error_message = "cannot open file";
+	return -1;
+    }
+    *res = NULL;
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *p;
+
+	++*lineno;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	p = buf;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '#' || *p == ';')
+	    continue;
+	if (*p == '[') {
+	    ret = parse_section(p, &s, res, error_message);
+	    if (ret)
+		return ret;
+	    b = NULL;
+	} else if (*p == '}') {
+	    *error_message = "unmatched }";
+	    return -1;
+	} else if(*p != '\0') {
+	    ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
+	    if (ret)
+		return ret;
+	}
+    }
+    fclose (f);
+    return 0;
+}
+
+krb5_error_code
+krb5_config_parse_file (const char *fname, krb5_config_section **res)
+{
+    char *foo;
+    unsigned lineno;
+
+    return krb5_config_parse_file_debug (fname, res, &lineno, &foo);
+}
+
+#endif /* !HAVE_NETINFO */
+
+static void
+free_binding (krb5_context context, krb5_config_binding *b)
+{
+    krb5_config_binding *next_b;
+
+    while (b) {
+	free (b->name);
+	if (b->type == krb5_config_string)
+	    free (b->u.string);
+	else if (b->type == krb5_config_list)
+	    free_binding (context, b->u.list);
+	else
+	    krb5_abortx(context, "unknown binding type (%d) in free_binding", 
+			b->type);
+	next_b = b->next;
+	free (b);
+	b = next_b;
+    }
+}
+
+krb5_error_code
+krb5_config_file_free (krb5_context context, krb5_config_section *s)
+{
+    free_binding (context, s);
+    return 0;
+}
+
+const void *
+krb5_config_get_next (krb5_context context,
+		      krb5_config_section *c,
+		      krb5_config_binding **pointer,
+		      int type,
+		      ...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, type);
+    ret = krb5_config_vget_next (context, c, pointer, type, args);
+    va_end(args);
+    return ret;
+}
+
+const void *
+krb5_config_vget_next (krb5_context context,
+		       krb5_config_section *c,
+		       krb5_config_binding **pointer,
+		       int type,
+		       va_list args)
+{
+    krb5_config_binding *b;
+    const char *p;
+
+    if(c == NULL)
+	c = context->cf;
+
+    if (c == NULL)
+	return NULL;
+
+    if (*pointer == NULL) {
+	b = (c != NULL) ? c : context->cf;
+	p = va_arg(args, const char *);
+	if (p == NULL)
+	    return NULL;
+    } else {
+	b = *pointer;
+	p = b->name;
+	b = b->next;
+    }
+
+    while (b) {
+	if (strcmp (b->name, p) == 0) {
+	    if (*pointer == NULL)
+		p = va_arg(args, const char *);
+	    else
+		p = NULL;
+	    if (type == b->type && p == NULL) {
+		*pointer = b;
+		return b->u.generic;
+	    } else if(b->type == krb5_config_list && p != NULL) {
+		b = b->u.list;
+	    } else {
+		return NULL;
+	    }
+	} else {
+	    b = b->next;
+	}
+    }
+    return NULL;
+}
+
+const void *
+krb5_config_get (krb5_context context,
+		 krb5_config_section *c,
+		 int type,
+		 ...)
+{
+    const void *ret;
+    va_list args;
+
+    va_start(args, type);
+    ret = krb5_config_vget (context, c, type, args);
+    va_end(args);
+    return ret;
+}
+
+const void *
+krb5_config_vget (krb5_context context,
+		  krb5_config_section *c,
+		  int type,
+		  va_list args)
+{
+    krb5_config_binding *foo = NULL;
+
+    return krb5_config_vget_next (context, c, &foo, type, args);
+}
+
+const krb5_config_binding *
+krb5_config_get_list (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    const krb5_config_binding *ret;
+    va_list args;
+
+    va_start(args, c);
+    ret = krb5_config_vget_list (context, c, args);
+    va_end(args);
+    return ret;
+}
+
+const krb5_config_binding *
+krb5_config_vget_list (krb5_context context,
+		       krb5_config_section *c,
+		       va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_list, args);
+}
+
+const char *
+krb5_config_get_string (krb5_context context,
+			krb5_config_section *c,
+			...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, c);
+    ret = krb5_config_vget_string (context, c, args);
+    va_end(args);
+    return ret;
+}
+
+const char *
+krb5_config_vget_string (krb5_context context,
+			 krb5_config_section *c,
+			 va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_string, args);
+}
+
+char **
+krb5_config_vget_strings(krb5_context context,
+			 krb5_config_section *c,
+			 va_list args)
+{
+    char **strings = NULL;
+    int nstr = 0;
+    krb5_config_binding *b = NULL;
+    const char *p;
+
+    while((p = krb5_config_vget_next(context, c, &b, 
+				     krb5_config_string, args))) {
+	char *tmp = strdup(p);
+	char *pos = NULL;
+	char *s;
+	if(tmp == NULL)
+	    goto cleanup;
+	s = strtok_r(tmp, " \t", &pos);
+	while(s){
+	    char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
+	    if(tmp == NULL)
+		goto cleanup;
+	    strings = tmp;
+	    strings[nstr] = strdup(s);
+	    nstr++;
+	    if(strings[nstr-1] == NULL)
+		goto cleanup;
+	    s = strtok_r(NULL, " \t", &pos);
+	}
+	free(tmp);
+    }
+    if(nstr){
+	char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
+	if(strings == NULL)
+	    goto cleanup;
+	strings = tmp;
+	strings[nstr] = NULL;
+    }
+    return strings;
+cleanup:
+    while(nstr--)
+	free(strings[nstr]);
+    free(strings);
+    return NULL;
+
+}
+
+char**
+krb5_config_get_strings(krb5_context context,
+			krb5_config_section *c,
+			...)
+{
+    va_list ap;
+    char **ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_strings(context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+void
+krb5_config_free_strings(char **strings)
+{
+    char **s = strings;
+    while(s && *s){
+	free(*s);
+	s++;
+    }
+    free(strings);
+}
+
+krb5_boolean
+krb5_config_vget_bool_default (krb5_context context,
+			       krb5_config_section *c,
+			       krb5_boolean def_value,
+			       va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    if(strcasecmp(str, "yes") == 0 ||
+       strcasecmp(str, "true") == 0 ||
+       atoi(str)) return TRUE;
+    return FALSE;
+}
+
+krb5_boolean
+krb5_config_vget_bool  (krb5_context context,
+			krb5_config_section *c,
+			va_list args)
+{
+    return krb5_config_vget_bool_default (context, c, FALSE, args);
+}
+
+krb5_boolean
+krb5_config_get_bool_default (krb5_context context,
+			      krb5_config_section *c,
+			      krb5_boolean def_value,
+			      ...)
+{
+    va_list ap;
+    krb5_boolean ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_bool_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+krb5_boolean
+krb5_config_get_bool (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    va_list ap;
+    krb5_boolean ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_bool (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_vget_time_default (krb5_context context,
+			       krb5_config_section *c,
+			       int def_value,
+			       va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    return parse_time (str, NULL);
+}
+
+int
+krb5_config_vget_time  (krb5_context context,
+			krb5_config_section *c,
+			va_list args)
+{
+    return krb5_config_vget_time_default (context, c, -1, args);
+}
+
+int
+krb5_config_get_time_default (krb5_context context,
+			      krb5_config_section *c,
+			      int def_value,
+			      ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_time_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_get_time (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_time (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+int
+krb5_config_vget_int_default (krb5_context context,
+			      krb5_config_section *c,
+			      int def_value,
+			      va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    else { 
+	char *endptr; 
+	long l; 
+	l = strtol(str, &endptr, 0); 
+	if (endptr == str) 
+	    return def_value; 
+	else 
+	    return l;
+    }
+}
+
+int
+krb5_config_vget_int  (krb5_context context,
+		       krb5_config_section *c,
+		       va_list args)
+{
+    return krb5_config_vget_int_default (context, c, -1, args);
+}
+
+int
+krb5_config_get_int_default (krb5_context context,
+			     krb5_config_section *c,
+			     int def_value,
+			     ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_int_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_get_int (krb5_context context,
+		     krb5_config_section *c,
+		     ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_int (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+#ifdef TEST
+
+static int print_list (krb5_context context, FILE *f, 
+		       krb5_config_binding *l, unsigned level);
+static int print_binding (krb5_context context, FILE *f, 
+			  krb5_config_binding *b, unsigned level);
+static int print_section (krb5_context context, FILE *f, 
+			  krb5_config_section *s, unsigned level);
+static int print_config (krb5_context context, FILE *f, 
+			 krb5_config_section *c);
+
+static void
+tab (FILE *f, unsigned count)
+{
+    while(count--)
+	fprintf (f, "\t");
+}
+
+static int
+print_list (krb5_context context, 
+	    FILE *f, 
+	    krb5_config_binding *l, 
+	    unsigned level)
+{
+    while(l) {
+	print_binding (context, f, l, level);
+	l = l->next;
+    }
+    return 0;
+}
+
+static int
+print_binding (krb5_context context, 
+	       FILE *f, 
+	       krb5_config_binding *b, 
+	       unsigned level)
+{
+    tab (f, level);
+    fprintf (f, "%s = ", b->name);
+    if (b->type == krb5_config_string)
+	fprintf (f, "%s\n", b->u.string);
+    else if (b->type == krb5_config_list) {
+	fprintf (f, "{\n");
+	print_list (f, b->u.list, level + 1);
+	tab (f, level);
+	fprintf (f, "}\n");
+    } else
+	krb5_abortx(context, "unknown binding type (%d) in print_binding", 
+		    b->type);
+    return 0;
+}
+
+static int
+print_section (FILE *f, krb5_config_section *s, unsigned level)
+{
+    fprintf (f, "[%s]\n", s->name);
+    print_list (f, s->u.list, level + 1);
+    return 0;
+}
+
+static int
+print_config (FILE *f, krb5_config_section *c)
+{
+    while (c) {
+	print_section (f, c, 0);
+	c = c->next;
+    }
+    return 0;
+}
+
+
+int
+main(void)
+{
+    krb5_config_section *c;
+
+    printf ("%d\n", krb5_config_parse_file ("/etc/krb5.conf", &c));
+    print_config (stdout, c);
+    printf ("[libdefaults]ticket_lifetime = %s\n",
+	    krb5_config_get_string (context, c,
+			       "libdefaults",
+			       "ticket_lifetime",
+			       NULL));
+    printf ("[realms]foo = %s\n",
+	    krb5_config_get_string (context, c,
+			       "realms",
+			       "foo",
+			       NULL));
+    printf ("[realms]ATHENA.MIT.EDU/v4_instance_convert/lithium = %s\n",
+	    krb5_config_get_string (context, c,
+			       "realms",
+			       "ATHENA.MIT.EDU",
+			       "v4_instance_convert",
+			       "lithium",
+			       NULL));
+    return 0;
+}
+
+#endif /* TEST */
diff --git a/crypto/heimdal/lib/krb5/config_file_netinfo.c b/crypto/heimdal/lib/krb5/config_file_netinfo.c
new file mode 100644
index 0000000..aeb939a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/config_file_netinfo.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: config_file_netinfo.c,v 1.2 1999/12/02 17:05:08 joda Exp $");
+
+/*
+ * Netinfo implementation from Luke Howard <lukeh@xedoc.com.au>
+ */
+
+#ifdef HAVE_NETINFO
+#include <netinfo/ni.h>
+static ni_status
+ni_proplist2binding(ni_proplist *pl, krb5_config_section **ret)
+{
+    int i, j;
+    krb5_config_section **next = NULL;
+
+    for (i = 0; i < pl->ni_proplist_len; i++) {
+	if (!strcmp(pl->nipl_val[i].nip_name, "name"))
+	    continue;
+
+	for (j = 0; j < pl->nipl_val[i].nip_val.ni_namelist_len; j++) {
+	    krb5_config_binding *b;
+
+	    b = malloc(sizeof(*b));
+	    if (b == NULL)
+		return NI_FAILED;
+	
+	    b->next = NULL;
+	    b->type = krb5_config_string;
+	    b->name = ni_name_dup(pl->nipl_val[i].nip_name);
+	    b->u.string = ni_name_dup(pl->nipl_val[i].nip_val.ninl_val[j]);
+
+	    if (next == NULL) {
+		*ret = b;
+	    } else {
+		*next = b;
+	    }
+	    next = &b->next;
+	}
+    }
+    return NI_OK;
+}
+
+static ni_status
+ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret)
+{
+    int i;
+    ni_status nis;
+    krb5_config_section **next;
+
+    for (i = 0; i < idlist->ni_idlist_len; i++) {
+	ni_proplist pl;
+        ni_id nid;
+	ni_idlist children;
+	krb5_config_binding *b;
+	ni_index index;
+
+	nid.nii_instance = 0;
+	nid.nii_object = idlist->ni_idlist_val[i];
+
+	nis = ni_read(ni, &nid, &pl);
+
+	if (nis != NI_OK) {
+	     return nis;
+	}
+	index = ni_proplist_match(pl, "name", NULL);
+	b = malloc(sizeof(*b));
+	if (b == NULL) return NI_FAILED;
+
+	if (i == 0) {
+	    *ret = b;
+	} else {
+	    *next = b;
+	}
+
+	b->type = krb5_config_list;
+	b->name = ni_name_dup(pl.nipl_val[index].nip_val.ninl_val[0]);
+	b->next = NULL;
+	b->u.list = NULL;
+
+	/* get the child directories */
+	nis = ni_children(ni, &nid, &children);
+	if (nis == NI_OK) {
+	    nis = ni_idlist2binding(ni, &children, &b->u.list);
+	    if (nis != NI_OK) {
+		return nis;
+	    }
+	}
+
+	nis = ni_proplist2binding(&pl, b->u.list == NULL ? &b->u.list : &b->u.list->next);
+	ni_proplist_free(&pl);
+	if (nis != NI_OK) {
+	    return nis;
+	}
+	next = &b->next;
+    }
+    ni_idlist_free(idlist);
+    return NI_OK;
+}
+
+krb5_error_code
+krb5_config_parse_file (const char *fname, krb5_config_section **res)
+{
+    void *ni = NULL, *lastni = NULL;
+    int i;
+    ni_status nis;
+    ni_id nid;
+    ni_idlist children;
+
+    krb5_config_section *s;
+    int ret;
+
+    s = NULL;
+
+    for (i = 0; i < 256; i++) {
+	if (i == 0) {
+	    nis = ni_open(NULL, ".", &ni);
+	} else {
+	    if (lastni != NULL) ni_free(lastni);
+	    lastni = ni;
+	    nis = ni_open(lastni, "..", &ni);
+	}
+	if (nis != NI_OK)
+	    break;
+	nis = ni_pathsearch(ni, &nid, "/locations/kerberos");
+	if (nis == NI_OK) {
+	    nis = ni_children(ni, &nid, &children);
+	    if (nis != NI_OK)
+		break;
+	    nis = ni_idlist2binding(ni, &children, &s);
+	    break;
+	}
+    }
+
+    if (ni != NULL) ni_free(ni);
+    if (ni != lastni && lastni != NULL) ni_free(lastni);
+
+    ret = (nis == NI_OK) ? 0 : -1;
+    if (ret == 0) {
+	*res = s;
+    } else {
+	*res = NULL;
+    }
+    return ret;
+}
+#endif /* HAVE_NETINFO */
diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c
new file mode 100644
index 0000000..8314c26
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/constants.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: constants.c,v 1.4 1999/12/02 17:05:08 joda Exp $");
+
+const char krb5_config_file[] = "/etc/krb5.conf";
+const char krb5_defkeyname[] = "/etc/v5srvtab";
diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
new file mode 100644
index 0000000..fb3fb61
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/context.c
@@ -0,0 +1,357 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: context.c,v 1.53 2000/02/11 17:43:43 assar Exp $");
+
+#define INIT_FIELD(C, T, E, D, F)					\
+    (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
+						"libdefaults", F, NULL)
+
+#ifdef KRB4
+extern krb5_kt_ops krb4_fkt_ops;
+#endif
+
+/*
+ * Set the list of etypes `ret_etypes' from the configuration variable
+ * `name'
+ */
+
+static krb5_error_code
+set_etypes (krb5_context context,
+	    const char *name,
+	    krb5_enctype **ret_enctypes)
+{
+    char **etypes_str;
+    krb5_enctype *etypes;
+
+    etypes_str = krb5_config_get_strings(context, NULL, "libdefaults", 
+					 name, NULL);
+    if(etypes_str){
+	int i, j, k;
+	for(i = 0; etypes_str[i]; i++);
+	etypes = malloc((i+1) * sizeof(*etypes));
+	if (etypes == NULL) {
+	    krb5_config_free_strings (etypes_str);
+	    return ENOMEM;
+	}
+	for(j = 0, k = 0; j < i; j++) {
+	    if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0)
+		k++;
+	}
+	etypes[k] = ETYPE_NULL;
+	krb5_config_free_strings(etypes_str);
+	*ret_enctypes = etypes;
+    }
+    return 0;
+}
+
+/*
+ * read variables from the configuration file and set in `context'
+ */
+
+static krb5_error_code
+init_context_from_config_file(krb5_context context)
+{
+    const char * tmp;
+    INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
+    INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
+    INIT_FIELD(context, int, max_retries, 3, "max_retries");
+
+    context->http_proxy = krb5_config_get_string(context, NULL, "libdefaults", 
+					   "http_proxy", NULL);
+
+    set_etypes (context, "default_etypes", &context->etypes);
+    set_etypes (context, "default_etypes_des", &context->etypes_des);
+
+    /* default keytab name */
+    context->default_keytab = krb5_config_get_string(context, NULL, 
+					       "libdefaults", 
+					       "default_keytab_name", 
+					       NULL);
+    if(context->default_keytab == NULL)
+	context->default_keytab = KEYTAB_DEFAULT;
+
+    context->time_fmt = krb5_config_get_string(context, NULL, "libdefaults", 
+					 "time_format", NULL);
+    if(context->time_fmt == NULL)
+	context->time_fmt = "%Y-%m-%dT%H:%M:%S";
+    context->log_utc = krb5_config_get_bool(context, NULL, "libdefaults",
+					    "log_utc", NULL);
+
+    /* init dns-proxy slime */
+    tmp = krb5_config_get_string(context, NULL, "libdefaults", 
+				 "dns_proxy", NULL);
+    if(tmp) 
+	roken_gethostby_setup(context->http_proxy, tmp);
+    context->default_realms = NULL;
+
+    {
+	krb5_addresses addresses;
+	char **adr, **a;
+	adr = krb5_config_get_strings(context, NULL, 
+				      "libdefaults", 
+				      "extra_addresses", 
+				      NULL);
+	memset(&addresses, 0, sizeof(addresses));
+	for(a = adr; a && *a; a++) {
+	    krb5_parse_address(context, *a, &addresses);
+	    krb5_add_extra_addresses(context, &addresses);
+	    krb5_free_addresses(context, &addresses);
+	}
+	krb5_config_free_strings(adr);
+    }
+    
+    INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
+    INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
+    INIT_FIELD(context, bool, srv_try_txt, FALSE, "srv_try_txt");
+    INIT_FIELD(context, bool, srv_try_rfc2052, TRUE, "srv_try_rfc2052");
+    INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
+
+    context->cc_ops       = NULL;
+    context->num_cc_ops	  = 0;
+    krb5_cc_register(context, &krb5_fcc_ops, TRUE);
+    krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+
+    context->num_kt_types = 0;
+    context->kt_types     = NULL;
+    krb5_kt_register (context, &krb5_fkt_ops);
+    krb5_kt_register (context, &krb5_mkt_ops);
+#ifdef KRB4
+    krb5_kt_register (context, &krb4_fkt_ops);
+#endif
+    krb5_kt_register (context, &krb5_akf_ops);
+    return 0;
+}
+
+krb5_error_code
+krb5_init_context(krb5_context *context)
+{
+    krb5_context p;
+    const char *config_file = NULL;
+    krb5_config_section *tmp_cf;
+    krb5_error_code ret;
+
+    ALLOC(p, 1);
+    if(!p)
+	return ENOMEM;
+    memset(p, 0, sizeof(krb5_context_data));
+
+    /* init error tables */
+    krb5_init_ets(p);
+
+    if(!issuid())
+	config_file = getenv("KRB5_CONFIG");
+    if (config_file == NULL)
+	config_file = krb5_config_file;
+
+    ret = krb5_config_parse_file (config_file, &tmp_cf);
+
+    if (ret == 0)
+	p->cf = tmp_cf;
+#if 0
+    else
+	krb5_warnx (p, "Unable to parse config file %s.  Ignoring.",
+		    config_file); /* XXX */
+#endif
+
+    ret = init_context_from_config_file(p);
+    if(ret)
+	return ret;
+
+    *context = p;
+    return 0;
+}
+
+void
+krb5_free_context(krb5_context context)
+{
+  int i;
+
+  free(context->etypes);
+  free(context->etypes_des);
+  krb5_free_host_realm (context, context->default_realms);
+  krb5_config_file_free (context, context->cf);
+  free_error_table (context->et_list);
+  for(i = 0; i < context->num_cc_ops; ++i)
+    free(context->cc_ops[i].prefix);
+  free(context->cc_ops);
+  free(context->kt_types);
+  free(context);
+}
+
+static krb5_error_code
+default_etypes(krb5_enctype **etype)
+{
+    krb5_enctype p[] = {
+	ETYPE_DES3_CBC_SHA1,
+	ETYPE_DES3_CBC_MD5,
+	ETYPE_DES_CBC_MD5,
+	ETYPE_DES_CBC_MD4,
+	ETYPE_DES_CBC_CRC,
+	ETYPE_NULL
+    };
+    *etype = malloc(sizeof(p));
+    if(*etype == NULL)
+	return ENOMEM;
+    memcpy(*etype, p, sizeof(p));
+    return 0;
+}
+
+krb5_error_code
+krb5_set_default_in_tkt_etypes(krb5_context context, 
+			       const krb5_enctype *etypes)
+{
+    int i;
+    krb5_enctype *p = NULL;
+
+    if(etypes) {
+	i = 0;
+	while(etypes[i])
+	    if(!krb5_enctype_valid(context, etypes[i++]))
+		return KRB5_PROG_ETYPE_NOSUPP;
+	++i;
+	ALLOC(p, i);
+	if(!p)
+	    return ENOMEM;
+	memmove(p, etypes, i * sizeof(krb5_enctype));
+    }
+    if(context->etypes)
+	free(context->etypes);
+    context->etypes = p;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_get_default_in_tkt_etypes(krb5_context context,
+			       krb5_enctype **etypes)
+{
+  krb5_enctype *p;
+  int i;
+
+  if(context->etypes) {
+    for(i = 0; context->etypes[i]; i++);
+    ++i;
+    ALLOC(p, i);
+    if(!p)
+      return ENOMEM;
+    memmove(p, context->etypes, i * sizeof(krb5_enctype));
+  } else
+    if(default_etypes(&p))
+      return ENOMEM;
+  *etypes = p;
+  return 0;
+}
+
+const char *
+krb5_get_err_text(krb5_context context, krb5_error_code code)
+{
+    const char *p = com_right(context->et_list, code);
+    if(p == NULL)
+	p = strerror(code);
+    return p;
+}
+
+void
+krb5_init_ets(krb5_context context)
+{
+    if(context->et_list == NULL){
+	initialize_krb5_error_table_r(&context->et_list);
+	initialize_asn1_error_table_r(&context->et_list);
+	initialize_heim_error_table_r(&context->et_list);
+    }
+}
+
+void
+krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
+{
+    context->use_admin_kdc = flag;
+}
+
+krb5_boolean
+krb5_get_use_admin_kdc (krb5_context context)
+{
+    return context->use_admin_kdc;
+}
+
+krb5_error_code
+krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
+
+    if(context->extra_addresses)
+	return krb5_append_addresses(context, 
+				     context->extra_addresses, addresses);
+    else
+	return krb5_set_extra_addresses(context, addresses);
+}
+
+krb5_error_code
+krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
+{
+    if(context->extra_addresses) {
+	krb5_free_addresses(context, context->extra_addresses);
+	free(context->extra_addresses);
+    }
+    if(context->extra_addresses == NULL) {
+	context->extra_addresses = malloc(sizeof(*context->extra_addresses));
+	if(context->extra_addresses == NULL)
+	    return ENOMEM;
+    }
+    return krb5_copy_addresses(context, addresses, context->extra_addresses);
+}
+
+krb5_error_code
+krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
+    if(context->extra_addresses == NULL) {
+	memset(addresses, 0, sizeof(*addresses));
+	return 0;
+    }
+    return copy_HostAddresses(context->extra_addresses, addresses);
+}
+
+krb5_error_code
+krb5_set_fcache_version(krb5_context context, int version)
+{
+    context->fcache_vno = version;
+    return 0;
+}
+
+krb5_error_code
+krb5_get_fcache_version(krb5_context context, int *version)
+{
+    *version = context->fcache_vno;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c
new file mode 100644
index 0000000..24dea0b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/convert_creds.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: convert_creds.c,v 1.13 1999/12/02 17:05:08 joda Exp $");
+
+static krb5_error_code
+check_ticket_flags(TicketFlags f)
+{
+    return 0; /* maybe add some more tests here? */
+}
+
+/* include this here, to avoid dependencies on libkrb */
+
+#define		MAX_KTXT_LEN	1250
+
+#define 	ANAME_SZ	40
+#define		REALM_SZ	40
+#define		SNAME_SZ	40
+#define		INST_SZ		40
+
+struct ktext {
+    unsigned int length;		/* Length of the text */
+    unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
+    u_int32_t mbz;		/* zero to catch runaway strings */
+};
+
+struct credentials {
+    char    service[ANAME_SZ];	/* Service name */
+    char    instance[INST_SZ];	/* Instance */
+    char    realm[REALM_SZ];	/* Auth domain */
+    des_cblock session;		/* Session key */
+    int     lifetime;		/* Lifetime */
+    int     kvno;		/* Key version number */
+    struct ktext ticket_st;	/* The ticket itself */
+    int32_t    issue_date;	/* The issue time */
+    char    pname[ANAME_SZ];	/* Principal's name */
+    char    pinst[INST_SZ];	/* Principal's instance */
+};
+
+
+#define TKTLIFENUMFIXED 64
+#define TKTLIFEMINFIXED 0x80
+#define TKTLIFEMAXFIXED 0xBF
+#define TKTLIFENOEXPIRE 0xFF
+#define MAXTKTLIFETIME	(30*24*3600)	/* 30 days */
+#ifndef NEVERDATE
+#define NEVERDATE ((time_t)0x7fffffffL)
+#endif
+
+static const int _tkt_lifetimes[TKTLIFENUMFIXED] = {
+   38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
+   65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
+  111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
+  191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
+  326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
+  556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
+  950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
+ 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
+};
+
+static int
+_krb_time_to_life(time_t start, time_t end)
+{
+    int i;
+    time_t life = end - start;
+
+    if (life > MAXTKTLIFETIME || life <= 0) 
+	return 0;
+#if 0    
+    if (krb_no_long_lifetimes) 
+	return (life + 5*60 - 1)/(5*60);
+#endif
+    
+    if (end >= NEVERDATE)
+	return TKTLIFENOEXPIRE;
+    if (life < _tkt_lifetimes[0]) 
+	return (life + 5*60 - 1)/(5*60);
+    for (i=0; i<TKTLIFENUMFIXED; i++)
+	if (life <= _tkt_lifetimes[i])
+	    return i + TKTLIFEMINFIXED;
+    return 0;
+    
+}
+
+/* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'.
+ * This is done by sending them to the 524 function in the KDC.  If
+ * `in_cred' doesn't contain a DES session key, then a new one is
+ * gotten from the KDC and stored in the cred cache `ccache'.
+ */
+
+krb5_error_code
+krb524_convert_creds_kdc(krb5_context context, 
+			 krb5_ccache ccache,
+			 krb5_creds *in_cred,
+			 struct credentials *v4creds)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+    krb5_storage *sp;
+    int32_t tmp;
+    krb5_data ticket;
+    char realm[REALM_SZ];
+    krb5_creds *v5_creds = in_cred;
+    krb5_keytype keytype;
+
+    ret = krb5_enctype_to_keytype (context, v5_creds->session.keytype,
+				   &keytype);
+    if (ret)
+	return ret;
+
+    if (keytype != KEYTYPE_DES) {
+	krb5_creds template;
+
+	memset (&template, 0, sizeof(template));
+	template.session.keytype = KEYTYPE_DES;
+	ret = krb5_copy_principal (context, in_cred->client, &template.client);
+	if (ret) {
+	    krb5_free_creds_contents (context, &template);
+	    return ret;
+	}
+	ret = krb5_copy_principal (context, in_cred->server, &template.server);
+	if (ret) {
+	    krb5_free_creds_contents (context, &template);
+	    return ret;
+	}
+
+	ret = krb5_get_credentials (context, 0, ccache,
+				    &template, &v5_creds);
+	krb5_free_creds_contents (context, &template);
+	if (ret)
+	    return ret;
+    }
+
+    ret = check_ticket_flags(v5_creds->flags.b);
+    if(ret)
+	goto out2;
+
+    ret = krb5_sendto_kdc (context,
+			   &v5_creds->ticket,
+			   krb5_princ_realm(context, v5_creds->server),
+			   &reply);
+    if (ret)
+	goto out2;
+    sp = krb5_storage_from_mem(reply.data, reply.length);
+    if(sp == NULL) {
+	ret = ENOMEM;
+	goto out2;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0) {
+	memset(v4creds, 0, sizeof(*v4creds));
+	ret = krb5_ret_int32(sp, &tmp);
+	if(ret) goto out;
+	v4creds->kvno = tmp;
+	ret = krb5_ret_data(sp, &ticket);
+	if(ret) goto out;
+	v4creds->ticket_st.length = ticket.length;
+	memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
+	krb5_data_free(&ticket);
+	ret = krb5_524_conv_principal(context, 
+				      v5_creds->server, 
+				      v4creds->service, 
+				      v4creds->instance, 
+				      v4creds->realm);
+	if(ret) goto out;
+	v4creds->issue_date = v5_creds->times.authtime;
+	v4creds->lifetime = _krb_time_to_life(v4creds->issue_date,
+					      v5_creds->times.endtime);
+	ret = krb5_524_conv_principal(context, v5_creds->client, 
+				      v4creds->pname, 
+				      v4creds->pinst, 
+				      realm);
+	if(ret) goto out;
+	memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free(&reply);
+out2:
+    if (v5_creds != in_cred)
+	krb5_free_creds (context, v5_creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/copy_host_realm.c b/crypto/heimdal/lib/krb5/copy_host_realm.c
new file mode 100644
index 0000000..4a8f3ec
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/copy_host_realm.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: copy_host_realm.c,v 1.3 1999/12/02 17:05:08 joda Exp $");
+
+/*
+ * Copy the list of realms from `from' to `to'.
+ */
+
+krb5_error_code
+krb5_copy_host_realm(krb5_context context,
+		     const krb5_realm *from,
+		     krb5_realm **to)
+{
+    int n, i;
+    const krb5_realm *p;
+
+    for (n = 0, p = from; *p != NULL; ++p)
+	++n;
+    ++n;
+    *to = malloc (n * sizeof(**to));
+    if (*to == NULL)
+	return ENOMEM;
+    for (i = 0; i < n; ++i)
+	(*to)[i] = NULL;
+    for (i = 0, p = from; *p != NULL; ++p, ++i) {
+	(*to)[i] = strdup(*p);
+	if ((*to)[i] == NULL) {
+	    krb5_free_host_realm (context, *to);
+	    return ENOMEM;
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c
new file mode 100644
index 0000000..2f9ef95
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crc.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: crc.c,v 1.8 1999/12/02 17:05:08 joda Exp $");
+
+static u_long table[256];
+
+#define CRC_GEN 0xEDB88320L
+
+void
+_krb5_crc_init_table(void)
+{
+    static int flag = 0;
+    unsigned long crc, poly;
+    int     i, j;
+    
+    if(flag) return;
+    poly = CRC_GEN;
+    for (i = 0; i < 256; i++) {
+	crc = i;
+	for (j = 8; j > 0; j--) {
+	    if (crc & 1) {
+		crc = (crc >> 1) ^ poly;
+	    } else {
+		crc >>= 1;
+	    }
+	}
+	table[i] = crc;
+    }
+    flag = 1;
+}
+
+u_int32_t
+_krb5_crc_update (char *p, size_t len, u_int32_t res)
+{
+    while (len--)
+	res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
+    return res & 0xFFFFFFFF;
+}
diff --git a/crypto/heimdal/lib/krb5/creds.c b/crypto/heimdal/lib/krb5/creds.c
new file mode 100644
index 0000000..7051168
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/creds.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: creds.c,v 1.14 1999/12/02 17:05:08 joda Exp $");
+
+krb5_error_code
+krb5_free_cred_contents (krb5_context context, krb5_creds *c)
+{
+    return krb5_free_creds_contents (context, c);
+}    
+
+krb5_error_code
+krb5_free_creds_contents (krb5_context context, krb5_creds *c)
+{
+    krb5_free_principal (context, c->client);
+    c->client = NULL;
+    krb5_free_principal (context, c->server);
+    c->server = NULL;
+    krb5_free_keyblock_contents (context, &c->session);
+    krb5_data_free (&c->ticket);
+    krb5_data_free (&c->second_ticket);
+    free_AuthorizationData (&c->authdata);
+    krb5_free_addresses (context, &c->addresses);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_creds_contents (krb5_context context,
+			  const krb5_creds *incred,
+			  krb5_creds *c)
+{
+    krb5_error_code ret;
+
+    memset(c, 0, sizeof(*c));
+    ret = krb5_copy_principal (context, incred->client, &c->client);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_principal (context, incred->server, &c->server);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
+    if (ret)
+	goto fail;
+    c->times = incred->times;
+    ret = krb5_data_copy (&c->ticket,
+			  incred->ticket.data,
+			  incred->ticket.length);
+    if (ret)
+	goto fail;
+    ret = krb5_data_copy (&c->second_ticket,
+			  incred->second_ticket.data,
+			  incred->second_ticket.length);
+    if (ret)
+	goto fail;
+    ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_addresses (context,
+			       &incred->addresses,
+			       &c->addresses);
+    if (ret)
+	goto fail;
+    c->flags = incred->flags;
+    return 0;
+
+fail:
+    krb5_free_creds_contents (context, c);
+    return ret;
+}
+
+krb5_error_code
+krb5_copy_creds (krb5_context context,
+		 const krb5_creds *incred,
+		 krb5_creds **outcred)
+{
+    krb5_creds *c;
+
+    c = malloc (sizeof (*c));
+    if (c == NULL)
+	return ENOMEM;
+    memset (c, 0, sizeof(*c));
+    *outcred = c;
+    return krb5_copy_creds_contents (context, incred, c);
+}
+
+krb5_error_code
+krb5_free_creds (krb5_context context, krb5_creds *c)
+{
+    krb5_free_creds_contents (context, c);
+    free (c);
+    return 0;
+}
+
+/*
+ * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
+ * determines what equal means).
+ */
+
+krb5_boolean
+krb5_compare_creds(krb5_context context, krb5_flags whichfields, 
+		   const krb5_creds *mcreds, const krb5_creds *creds)
+{
+    krb5_boolean match;
+
+    if(whichfields & KRB5_TC_DONT_MATCH_REALM)
+	match = krb5_principal_compare_any_realm(context, 
+						 mcreds->server, 
+						 creds->server);
+    else
+	match = krb5_principal_compare(context, mcreds->server, creds->server);
+    if(match && (whichfields & KRB5_TC_MATCH_KEYTYPE) &&
+       !krb5_enctypes_compatible_keys (context,
+				       mcreds->session.keytype,
+				       creds->session.keytype))
+	match = FALSE;
+    return match;
+}
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
new file mode 100644
index 0000000..08ebdba
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto.c
@@ -0,0 +1,2322 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: crypto.c,v 1.29 2000/01/25 23:06:55 assar Exp $");
+/* RCSID("$FreeBSD$"); */
+
+#undef CRYPTO_DEBUG
+#ifdef CRYPTO_DEBUG
+static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*);
+#endif
+
+
+struct key_data {
+    krb5_keyblock *key;
+    krb5_data *schedule;
+};
+
+struct key_usage {
+    unsigned usage;
+    struct key_data key;
+};
+
+struct krb5_crypto_data {
+    struct encryption_type *et;
+    struct key_data key;
+    int num_key_usage;
+    struct key_usage *key_usage;
+};
+
+#define CRYPTO_ETYPE(C) ((C)->et->type)
+
+/* bits for `flags' below */
+#define F_KEYED		 1	/* checksum is keyed */
+#define F_CPROOF	 2	/* checksum is collision proof */
+#define F_DERIVED	 4	/* uses derived keys */
+#define F_VARIANT	 8	/* uses `variant' keys (6.4.3) */
+#define F_PSEUDO	16	/* not a real protocol type */
+
+struct salt_type {
+    krb5_salttype type;
+    const char *name;
+    krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data, 
+				     krb5_salt, krb5_keyblock*);
+};
+
+struct key_type {
+    krb5_keytype type; /* XXX */
+    const char *name;
+    size_t bits;
+    size_t size;
+    size_t schedule_size;
+#if 0
+    krb5_enctype best_etype;
+#endif
+    void (*random_key)(krb5_context, krb5_keyblock*);
+    void (*schedule)(krb5_context, struct key_data *);
+    struct salt_type *string_to_key;
+};
+
+struct checksum_type {
+    krb5_cksumtype type;
+    const char *name;
+    size_t blocksize;
+    size_t checksumsize;
+    unsigned flags;
+    void (*checksum)(krb5_context, struct key_data*, void*, size_t, Checksum*);
+    krb5_error_code (*verify)(krb5_context, struct key_data*, 
+			      void*, size_t, Checksum*);
+};
+
+struct encryption_type {
+    krb5_enctype type;
+    const char *name;
+    size_t blocksize;
+    size_t confoundersize;
+    struct key_type *keytype;
+    struct checksum_type *cksumtype;
+    struct checksum_type *keyed_checksum;
+    unsigned flags;
+    void (*encrypt)(struct key_data *, void *, size_t, int);
+};
+
+#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
+
+static struct checksum_type *_find_checksum(krb5_cksumtype type);
+static struct encryption_type *_find_enctype(krb5_enctype type);
+static struct key_type *_find_keytype(krb5_keytype type);
+static krb5_error_code _get_derived_key(krb5_context, krb5_crypto, 
+					unsigned, struct key_data**);
+static struct key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static void
+DES_random_key(krb5_context context,
+	       krb5_keyblock *key)
+{
+    des_cblock *k = key->keyvalue.data;
+    do {
+	krb5_generate_random_block(k, sizeof(des_cblock));
+	des_set_odd_parity(k);
+    } while(des_is_weak_key(k));
+}
+
+static void
+DES_schedule(krb5_context context,
+	     struct key_data *key)
+{
+    des_set_key(key->key->keyvalue.data, key->schedule->data);
+}
+
+static krb5_error_code
+DES_string_to_key(krb5_context context,
+		  krb5_enctype enctype,
+		  krb5_data password,
+		  krb5_salt salt,
+		  krb5_keyblock *key)
+{
+    char *s;
+    size_t len;
+    des_cblock tmp;
+
+    len = password.length + salt.saltvalue.length + 1;
+    s = malloc(len);
+    if(s == NULL)
+	return ENOMEM;
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    s[len - 1] = '\0';
+    des_string_to_key(s, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&tmp, 0, sizeof(tmp));
+    memset(s, 0, len);
+    free(s);
+    return 0;
+}
+
+/* This defines the Andrew string_to_key function.  It accepts a password
+ * string as input and converts its via a one-way encryption algorithm to a DES
+ * encryption key.  It is compatible with the original Andrew authentication
+ * service password database.
+ */
+
+/*
+ * Short passwords, i.e 8 characters or less.
+ */
+static void
+DES_AFS3_CMU_string_to_key (krb5_data pw,
+			    krb5_data cell,
+			    des_cblock *key)
+{
+    char  password[8+1];	/* crypt is limited to 8 chars anyway */
+    int   i;
+    
+    for(i = 0; i < 8; i++) {
+	char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
+		 ((i < cell.length) ? ((char*)cell.data)[i] : 0);
+	password[i] = c ? c : 'X';
+    }
+    password[8] = '\0';
+
+    memcpy(key, crypt(password, "#~") + 2, sizeof(des_cblock));
+
+    /* parity is inserted into the LSB so left shift each byte up one
+       bit. This allows ascii characters with a zero MSB to retain as
+       much significance as possible. */
+    for (i = 0; i < sizeof(des_cblock); i++)
+	((unsigned char*)key)[i] <<= 1;
+    des_set_odd_parity (key);
+}
+
+/*
+ * Long passwords, i.e 9 characters or more.
+ */
+static void
+DES_AFS3_Transarc_string_to_key (krb5_data pw,
+				 krb5_data cell,
+				 des_cblock *key)
+{
+    des_key_schedule schedule;
+    des_cblock temp_key;
+    des_cblock ivec;
+    char password[512];
+    size_t passlen;
+
+    memcpy(password, pw.data, min(pw.length, sizeof(password)));
+    if(pw.length < sizeof(password))
+	memcpy(password + pw.length, 
+	       cell.data, min(cell.length, 
+			      sizeof(password) - pw.length));
+    passlen = min(sizeof(password), pw.length + cell.length);
+    memcpy(&ivec, "kerberos", 8);
+    memcpy(&temp_key, "kerberos", 8);
+    des_set_odd_parity (&temp_key);
+    des_set_key (&temp_key, schedule);
+    des_cbc_cksum ((const void *)password, &ivec, passlen,
+		   schedule, &ivec);
+
+    memcpy(&temp_key, &ivec, 8);
+    des_set_odd_parity (&temp_key);
+    des_set_key (&temp_key, schedule);
+    des_cbc_cksum ((const void *)password, key, passlen,
+		   schedule, &ivec);
+    memset(&schedule, 0, sizeof(schedule));
+    memset(&temp_key, 0, sizeof(temp_key));
+    memset(&ivec, 0, sizeof(ivec));
+    memset(password, 0, sizeof(password));
+
+    des_set_odd_parity (key);
+}
+
+static krb5_error_code
+DES_AFS3_string_to_key(krb5_context context,
+		       krb5_enctype enctype,
+		       krb5_data password,
+		       krb5_salt salt,
+		       krb5_keyblock *key)
+{
+    des_cblock tmp;
+    if(password.length > 8)
+	DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
+    else
+	DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&key, 0, sizeof(key));
+    return 0;
+}
+
+static void
+DES3_random_key(krb5_context context,
+		krb5_keyblock *key)
+{
+    des_cblock *k = key->keyvalue.data;
+    do {
+	krb5_generate_random_block(k, 3 * sizeof(des_cblock));
+	des_set_odd_parity(&k[0]);
+	des_set_odd_parity(&k[1]);
+	des_set_odd_parity(&k[2]);
+    } while(des_is_weak_key(&k[0]) ||
+	    des_is_weak_key(&k[1]) ||
+	    des_is_weak_key(&k[2]));
+}
+
+static void
+DES3_schedule(krb5_context context,
+	      struct key_data *key)
+{
+    des_cblock *k = key->key->keyvalue.data;
+    des_key_schedule *s = key->schedule->data;
+    des_set_key(&k[0], s[0]);
+    des_set_key(&k[1], s[1]);
+    des_set_key(&k[2], s[2]);
+}
+
+/*
+ * A = A xor B. A & B are 8 bytes.
+ */
+
+static void
+xor (des_cblock *key, const unsigned char *b)
+{
+    unsigned char *a = (unsigned char*)key;
+    a[0] ^= b[0];
+    a[1] ^= b[1];
+    a[2] ^= b[2];
+    a[3] ^= b[3];
+    a[4] ^= b[4];
+    a[5] ^= b[5];
+    a[6] ^= b[6];
+    a[7] ^= b[7];
+}
+
+static krb5_error_code
+DES3_string_to_key(krb5_context context,
+		   krb5_enctype enctype,
+		   krb5_data password,
+		   krb5_salt salt,
+		   krb5_keyblock *key)
+{
+    char *str;
+    size_t len;
+    unsigned char tmp[24];
+    des_cblock keys[3];
+    
+    len = password.length + salt.saltvalue.length;
+    str = malloc(len);
+    if(len != 0 && str == NULL)
+	return ENOMEM;
+    memcpy(str, password.data, password.length);
+    memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    {
+	des_cblock ivec;
+	des_key_schedule s[3];
+	int i;
+	
+	_krb5_n_fold(str, len, tmp, 24);
+	
+	for(i = 0; i < 3; i++){
+	    memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+	    des_set_odd_parity(keys + i);
+	    if(des_is_weak_key(keys + i))
+		xor(keys + i, (unsigned char*)"\0\0\0\0\0\0\0\xf0");
+	    des_set_key(keys + i, s[i]);
+	}
+	memset(&ivec, 0, sizeof(ivec));
+	des_ede3_cbc_encrypt((const void *)tmp,
+			     (void *)tmp, sizeof(tmp), 
+			     s[0], s[1], s[2], &ivec, DES_ENCRYPT);
+	memset(s, 0, sizeof(s));
+	memset(&ivec, 0, sizeof(ivec));
+	for(i = 0; i < 3; i++){
+	    memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+	    des_set_odd_parity(keys + i);
+	    if(des_is_weak_key(keys + i))
+		xor(keys + i, (unsigned char*)"\0\0\0\0\0\0\0\xf0");
+	}
+	memset(tmp, 0, sizeof(tmp));
+    }
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
+    memset(keys, 0, sizeof(keys));
+    memset(str, 0, len);
+    free(str);
+    return 0;
+}
+
+static krb5_error_code
+DES3_string_to_key_derived(krb5_context context,
+			   krb5_enctype enctype,
+			   krb5_data password,
+			   krb5_salt salt,
+			   krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    size_t len = password.length + salt.saltvalue.length;
+    char *s;
+
+    s = malloc(len);
+    if(len != 0 && s == NULL)
+	return ENOMEM;
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    ret = krb5_string_to_key_derived(context,
+				     s,
+				     len,
+				     enctype,
+				     key);
+    memset(s, 0, len);
+    free(s);
+    return ret;
+}
+
+/*
+ * ARCFOUR
+ */
+
+static void
+ARCFOUR_random_key(krb5_context context, krb5_keyblock *key)
+{
+    krb5_generate_random_block (key->keyvalue.data,
+				key->keyvalue.length);
+}
+
+static void
+ARCFOUR_schedule(krb5_context context, struct key_data *kd)
+{
+    RC4_set_key (kd->schedule->data,
+		 kd->key->keyvalue.length, kd->key->keyvalue.data);
+}
+
+static krb5_error_code
+ARCFOUR_string_to_key(krb5_context context,
+		  krb5_enctype enctype,
+		  krb5_data password,
+		  krb5_salt salt,
+		  krb5_keyblock *key)
+{
+    char *s, *p;
+    size_t len;
+    int i;
+    MD4_CTX m;
+
+    len = 2 * (password.length + salt.saltvalue.length);
+    s = malloc (len);
+    if (len != 0 && s == NULL)
+	return ENOMEM;
+    for (p = s, i = 0; i < password.length; ++i) {
+	*p++ = ((char *)password.data)[i];
+	*p++ = 0;
+    }
+    for (i = 0; i < salt.saltvalue.length; ++i) {
+	*p++ = ((char *)salt.saltvalue.data)[i];
+	*p++ = 0;
+    }
+    MD4Init (&m);
+    MD4Update (&m, s, len);
+    key->keytype = enctype;
+    krb5_data_alloc (&key->keyvalue, 16);
+    MD4Final (key->keyvalue.data, &m);
+    memset (s, 0, len);
+    free (s);
+    return 0;
+}
+
+extern struct salt_type des_salt[], 
+    des3_salt[], des3_salt_derived[], arcfour_salt[];
+
+struct key_type keytype_null = {
+    KEYTYPE_NULL,
+    "null",
+    0,
+    0,
+    0,
+    NULL,
+    NULL,
+    NULL
+};
+
+struct key_type keytype_des = {
+    KEYTYPE_DES,
+    "des",
+    56,
+    sizeof(des_cblock),
+    sizeof(des_key_schedule),
+    DES_random_key,
+    DES_schedule,
+    des_salt
+};
+
+struct key_type keytype_des3 = {
+    KEYTYPE_DES3,
+    "des3",
+    168,
+    3 * sizeof(des_cblock), 
+    3 * sizeof(des_key_schedule), 
+    DES3_random_key,
+    DES3_schedule,
+    des3_salt
+};
+
+struct key_type keytype_des3_derived = {
+    KEYTYPE_DES3,
+    "des3",
+    168,
+    3 * sizeof(des_cblock),
+    3 * sizeof(des_key_schedule), 
+    DES3_random_key,
+    DES3_schedule,
+    des3_salt_derived
+};
+
+struct key_type keytype_arcfour = {
+    KEYTYPE_ARCFOUR,
+    "arcfour",
+    128,
+    16,
+    sizeof(RC4_KEY),
+    ARCFOUR_random_key,
+    ARCFOUR_schedule,
+    arcfour_salt
+};
+
+struct key_type *keytypes[] = {
+    &keytype_null,
+    &keytype_des,
+    &keytype_des3_derived,
+    &keytype_des3,
+    &keytype_arcfour
+};
+
+static int num_keytypes = sizeof(keytypes) / sizeof(keytypes[0]);
+
+static struct key_type *
+_find_keytype(krb5_keytype type)
+{
+    int i;
+    for(i = 0; i < num_keytypes; i++)
+	if(keytypes[i]->type == type)
+	    return keytypes[i];
+    return NULL;
+}
+
+
+struct salt_type des_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES_string_to_key
+    },
+    {
+	KRB5_AFS3_SALT,
+	"afs3-salt",
+	DES_AFS3_string_to_key
+    },
+    { 0 }
+};
+
+struct salt_type des3_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES3_string_to_key
+    },
+    { 0 }
+};
+
+struct salt_type des3_salt_derived[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES3_string_to_key_derived
+    },
+    { 0 }
+};
+
+struct salt_type arcfour_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	ARCFOUR_string_to_key
+    },
+    { 0 }
+};
+
+krb5_error_code
+krb5_salttype_to_string (krb5_context context,
+			 krb5_enctype etype,
+			 krb5_salttype stype,
+			 char **string)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+
+    e = _find_enctype (etype);
+    if (e == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+	if (st->type == stype) {
+	    *string = strdup (st->name);
+	    if (*string == NULL)
+		return ENOMEM;
+	    return 0;
+	}
+    }
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_string_to_salttype (krb5_context context,
+			 krb5_enctype etype,
+			 const char *string,
+			 krb5_salttype *salttype)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+
+    e = _find_enctype (etype);
+    if (e == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+	if (strcasecmp (st->name, string) == 0) {
+	    *salttype = st->type;
+	    return 0;
+	}
+    }
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_get_pw_salt(krb5_context context,
+		 krb5_const_principal principal,
+		 krb5_salt *salt)
+{
+    size_t len;
+    int i;
+    krb5_error_code ret;
+    char *p;
+     
+    salt->salttype = KRB5_PW_SALT;
+    len = strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i)
+	len += strlen(principal->name.name_string.val[i]);
+    ret = krb5_data_alloc (&salt->saltvalue, len);
+    if (ret)
+	return ret;
+    p = salt->saltvalue.data;
+    memcpy (p, principal->realm, strlen(principal->realm));
+    p += strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i) {
+	memcpy (p,
+		principal->name.name_string.val[i],
+		strlen(principal->name.name_string.val[i]));
+	p += strlen(principal->name.name_string.val[i]);
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_free_salt(krb5_context context, 
+	       krb5_salt salt)
+{
+    krb5_data_free(&salt.saltvalue);
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_key_data (krb5_context context,
+			 krb5_enctype enctype,
+			 krb5_data password,
+			 krb5_principal principal,
+			 krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_salt salt;
+
+    ret = krb5_get_pw_salt(context, principal, &salt);
+    if(ret)
+	return ret;
+    ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
+    krb5_free_salt(context, salt);
+    return ret;
+}
+
+krb5_error_code
+krb5_string_to_key (krb5_context context,
+		    krb5_enctype enctype,
+		    const char *password,
+		    krb5_principal principal,
+		    krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = (void*)password;
+    pw.length = strlen(password);
+    return krb5_string_to_key_data(context, enctype, pw, principal, key);
+}
+
+krb5_error_code
+krb5_string_to_key_data_salt (krb5_context context,
+			      krb5_enctype enctype,
+			      krb5_data password,
+			      krb5_salt salt,
+			      krb5_keyblock *key)
+{
+    struct encryption_type *et =_find_enctype(enctype);
+    struct salt_type *st;
+    if(et == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    for(st = et->keytype->string_to_key; st && st->type; st++) 
+	if(st->type == salt.salttype)
+	    return (*st->string_to_key)(context, enctype, password, salt, key);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_string_to_key_salt (krb5_context context,
+			 krb5_enctype enctype,
+			 const char *password,
+			 krb5_salt salt,
+			 krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = (void*)password;
+    pw.length = strlen(password);
+    return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
+}
+
+krb5_error_code
+krb5_keytype_to_string(krb5_context context,
+		       krb5_keytype keytype,
+		       char **string)
+{
+    struct key_type *kt = _find_keytype(keytype);
+    if(kt == NULL)
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+    *string = strdup(kt->name);
+    if(*string == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_keytype(krb5_context context,
+		       const char *string,
+		       krb5_keytype *keytype)
+{
+    int i;
+    for(i = 0; i < num_keytypes; i++)
+	if(strcasecmp(keytypes[i]->name, string) == 0){
+	    *keytype = keytypes[i]->type;
+	    return 0;
+	}
+    return KRB5_PROG_KEYTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_generate_random_keyblock(krb5_context context,
+			      krb5_enctype type,
+			      krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    struct encryption_type *et = _find_enctype(type);
+    if(et == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
+    if(ret) 
+	return ret;
+    key->keytype = type;
+    if(et->keytype->random_key)
+	(*et->keytype->random_key)(context, key);
+    else
+	krb5_generate_random_block(key->keyvalue.data, 
+				   key->keyvalue.length);
+    return 0;
+}
+
+static krb5_error_code
+_key_schedule(krb5_context context,
+	      struct key_data *key)
+{
+    krb5_error_code ret;
+    struct encryption_type *et = _find_enctype(key->key->keytype);
+    struct key_type *kt = et->keytype;
+
+    if(kt->schedule == NULL)
+	return 0;
+    ALLOC(key->schedule, 1);
+    if(key->schedule == NULL)
+	return ENOMEM;
+    ret = krb5_data_alloc(key->schedule, kt->schedule_size);
+    if(ret) {
+	free(key->schedule);
+	key->schedule = NULL;
+	return ret;
+    }
+    (*kt->schedule)(context, key);
+    return 0;
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static void
+NONE_checksum(krb5_context context,
+	      struct key_data *key,
+	      void *data,
+	      size_t len,
+	      Checksum *C)
+{
+}
+
+static void
+CRC32_checksum(krb5_context context,
+	       struct key_data *key,
+	       void *data,
+	       size_t len,
+	       Checksum *C)
+{
+    u_int32_t crc;
+    unsigned char *r = C->checksum.data;
+    _krb5_crc_init_table ();
+    crc = _krb5_crc_update (data, len, 0);
+    r[0] = crc & 0xff;
+    r[1] = (crc >> 8)  & 0xff;
+    r[2] = (crc >> 16) & 0xff;
+    r[3] = (crc >> 24) & 0xff;
+}
+
+static void
+RSA_MD4_checksum(krb5_context context,
+		 struct key_data *key,
+		 void *data,
+		 size_t len,
+		 Checksum *C)
+{
+    MD4_CTX m;
+
+    MD4Init (&m);
+    MD4Update (&m, data, len);
+    MD4Final (C->checksum.data, &m);
+}
+
+static void
+RSA_MD4_DES_checksum(krb5_context context, 
+		     struct key_data *key,
+		     void *data, 
+		     size_t len, 
+		     Checksum *cksum)
+{
+    MD4_CTX md4;
+    des_cblock ivec;
+    unsigned char *p = cksum->checksum.data;
+    
+    krb5_generate_random_block(p, 8);
+    MD4Init (&md4);
+    MD4Update (&md4, p, 8);
+    MD4Update (&md4, data, len);
+    MD4Final (p + 8, &md4);
+    memset (&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt((const void *)p, 
+		    (void *)p, 
+		    24, 
+		    key->schedule->data, 
+		    &ivec, 
+		    DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD4_DES_verify(krb5_context context,
+		   struct key_data *key,
+		   void *data,
+		   size_t len,
+		   Checksum *C)
+{
+    MD4_CTX md4;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(C->checksum.data,
+		    (void*)tmp, 
+		    C->checksum.length, 
+		    key->schedule->data,
+		    &ivec,
+		    DES_DECRYPT);
+    MD4Init (&md4);
+    MD4Update (&md4, tmp, 8); /* confounder */
+    MD4Update (&md4, data, len);
+    MD4Final (res, &md4);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0)
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+RSA_MD5_checksum(krb5_context context,
+		 struct key_data *key,
+		 void *data,
+		 size_t len,
+		 Checksum *C)
+{
+    MD5_CTX m;
+
+    MD5Init  (&m);
+    MD5Update(&m, data, len);
+    MD5Final (C->checksum.data, &m);
+}
+
+static void
+RSA_MD5_DES_checksum(krb5_context context,
+		     struct key_data *key,
+		     void *data,
+		     size_t len,
+		     Checksum *C)
+{
+    MD5_CTX md5;
+    des_cblock ivec;
+    unsigned char *p = C->checksum.data;
+    
+    krb5_generate_random_block(p, 8);
+    MD5Init (&md5);
+    MD5Update (&md5, p, 8);
+    MD5Update (&md5, data, len);
+    MD5Final (p + 8, &md5);
+    memset (&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt((const void *)p, 
+		    (void *)p, 
+		    24, 
+		    key->schedule->data, 
+		    &ivec, 
+		    DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD5_DES_verify(krb5_context context,
+		   struct key_data *key,
+		   void *data,
+		   size_t len,
+		   Checksum *C)
+{
+    MD5_CTX md5;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    des_key_schedule *sched = key->schedule->data;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(C->checksum.data, 
+		    (void*)tmp, 
+		    C->checksum.length, 
+		    sched[0],
+		    &ivec,
+		    DES_DECRYPT);
+    MD5Init (&md5);
+    MD5Update (&md5, tmp, 8); /* confounder */
+    MD5Update (&md5, data, len);
+    MD5Final (res, &md5);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0)
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+RSA_MD5_DES3_checksum(krb5_context context,
+		      struct key_data *key,
+		      void *data,
+		      size_t len,
+		      Checksum *C)
+{
+    MD5_CTX md5;
+    des_cblock ivec;
+    unsigned char *p = C->checksum.data;
+    des_key_schedule *sched = key->schedule->data;
+    
+    krb5_generate_random_block(p, 8);
+    MD5Init (&md5);
+    MD5Update (&md5, p, 8);
+    MD5Update (&md5, data, len);
+    MD5Final (p + 8, &md5);
+    memset (&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt((const void *)p, 
+			 (void *)p, 
+			 24, 
+			 sched[0], sched[1], sched[2],
+			 &ivec, 
+			 DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD5_DES3_verify(krb5_context context,
+		    struct key_data *key,
+		    void *data,
+		    size_t len,
+		    Checksum *C)
+{
+    MD5_CTX md5;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    des_key_schedule *sched = key->schedule->data;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt(C->checksum.data, 
+			 (void*)tmp, 
+			 C->checksum.length, 
+			 sched[0], sched[1], sched[2],
+			 &ivec,
+			 DES_DECRYPT);
+    MD5Init (&md5);
+    MD5Update (&md5, tmp, 8); /* confounder */
+    MD5Update (&md5, data, len);
+    MD5Final (res, &md5);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0)
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+SHA1_checksum(krb5_context context,
+	      struct key_data *key,
+	      void *data,
+	      size_t len,
+	      Checksum *C)
+{
+    SHA1_CTX m;
+
+    SHA_Init(&m);
+    SHA_Update(&m, data, len);
+    SHA_Final(C->checksum.data, &m);
+}
+
+/* HMAC according to RFC2104 */
+static void
+hmac(krb5_context context,
+     struct checksum_type *cm, 
+     void *data, 
+     size_t len, 
+     struct key_data *keyblock,
+     Checksum *result)
+{
+    unsigned char *ipad, *opad;
+    unsigned char *key;
+    size_t key_len;
+    int i;
+    
+    if(keyblock->key->keyvalue.length > cm->blocksize){
+	(*cm->checksum)(context, 
+			keyblock, 
+			keyblock->key->keyvalue.data, 
+			keyblock->key->keyvalue.length, 
+			result);
+	key = result->checksum.data;
+	key_len = result->checksum.length;
+    } else {
+	key = keyblock->key->keyvalue.data;
+	key_len = keyblock->key->keyvalue.length;
+    }
+    ipad = malloc(cm->blocksize + len);
+    opad = malloc(cm->blocksize + cm->checksumsize);
+    memset(ipad, 0x36, cm->blocksize);
+    memset(opad, 0x5c, cm->blocksize);
+    for(i = 0; i < key_len; i++){
+	ipad[i] ^= key[i];
+	opad[i] ^= key[i];
+    }
+    memcpy(ipad + cm->blocksize, data, len);
+    (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len, result);
+    memcpy(opad + cm->blocksize, result->checksum.data, 
+	   result->checksum.length);
+    (*cm->checksum)(context, keyblock, opad, 
+		    cm->blocksize + cm->checksumsize, result);
+    memset(ipad, 0, cm->blocksize + len);
+    free(ipad);
+    memset(opad, 0, cm->blocksize + cm->checksumsize);
+    free(opad);
+}
+
+static void
+HMAC_SHA1_DES3_checksum(krb5_context context,
+			struct key_data *key, 
+			void *data, 
+			size_t len, 
+			Checksum *result)
+{
+    struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
+
+    hmac(context, c, data, len, key, result);
+}
+
+struct checksum_type checksum_none = {
+    CKSUMTYPE_NONE, 
+    "none", 
+    1, 
+    0, 
+    0, 
+    NONE_checksum, 
+    NULL
+};
+struct checksum_type checksum_crc32 = {
+    CKSUMTYPE_CRC32,
+    "crc32",
+    1,
+    4,
+    0,
+    CRC32_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md4 = {
+    CKSUMTYPE_RSA_MD4,
+    "rsa-md4",
+    64,
+    16,
+    F_CPROOF,
+    RSA_MD4_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md4_des = {
+    CKSUMTYPE_RSA_MD4_DES,
+    "rsa-md4-des",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD4_DES_checksum,
+    RSA_MD4_DES_verify
+};
+#if 0
+struct checksum_type checksum_des_mac = { 
+    CKSUMTYPE_DES_MAC,
+    "des-mac",
+    0,
+    0,
+    0,
+    DES_MAC_checksum,
+};
+struct checksum_type checksum_des_mac_k = {
+    CKSUMTYPE_DES_MAC_K,
+    "des-mac-k",
+    0,
+    0,
+    0,
+    DES_MAC_K_checksum,
+};
+struct checksum_type checksum_rsa_md4_des_k = {
+    CKSUMTYPE_RSA_MD4_DES_K, 
+    "rsa-md4-des-k", 
+    0, 
+    0, 
+    0, 
+    RSA_MD4_DES_K_checksum, 
+    RSA_MD4_DES_K_verify,
+};
+#endif
+struct checksum_type checksum_rsa_md5 = {
+    CKSUMTYPE_RSA_MD5,
+    "rsa-md5",
+    64,
+    16,
+    F_CPROOF,
+    RSA_MD5_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md5_des = {
+    CKSUMTYPE_RSA_MD5_DES,
+    "rsa-md5-des",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES_checksum,
+    RSA_MD5_DES_verify,
+};
+struct checksum_type checksum_rsa_md5_des3 = {
+    CKSUMTYPE_RSA_MD5_DES3,
+    "rsa-md5-des3",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES3_checksum,
+    RSA_MD5_DES3_verify,
+};
+struct checksum_type checksum_sha1 = {
+    CKSUMTYPE_SHA1,
+    "sha1",
+    64,
+    20,
+    F_CPROOF,
+    SHA1_checksum,
+    NULL
+};
+struct checksum_type checksum_hmac_sha1_des3 = {
+    CKSUMTYPE_HMAC_SHA1_DES3,
+    "hmac-sha1-des3",
+    64,
+    20,
+    F_KEYED | F_CPROOF | F_DERIVED,
+    HMAC_SHA1_DES3_checksum,
+    NULL
+};
+
+struct checksum_type *checksum_types[] = {
+    &checksum_none,
+    &checksum_crc32,
+    &checksum_rsa_md4,
+    &checksum_rsa_md4_des,
+#if 0
+    &checksum_des_mac, 
+    &checksum_des_mac_k,
+    &checksum_rsa_md4_des_k,
+#endif
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des,
+    &checksum_rsa_md5_des3,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3
+};
+
+static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
+
+static struct checksum_type *
+_find_checksum(krb5_cksumtype type)
+{
+    int i;
+    for(i = 0; i < num_checksums; i++)
+	if(checksum_types[i]->type == type)
+	    return checksum_types[i];
+    return NULL;
+}
+
+static krb5_error_code
+get_checksum_key(krb5_context context, 
+		 krb5_crypto crypto,
+		 unsigned usage,  /* not krb5_key_usage */
+		 struct checksum_type *ct, 
+		 struct key_data **key)
+{
+    krb5_error_code ret = 0;
+
+    if(ct->flags & F_DERIVED)
+	ret = _get_derived_key(context, crypto, usage, key);
+    else if(ct->flags & F_VARIANT) {
+	int i;
+
+	*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
+	if(*key == NULL)
+	    return ENOMEM;
+	ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
+	if(ret) 
+	    return ret;
+	for(i = 0; i < (*key)->key->keyvalue.length; i++)
+	    ((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
+    } else {
+	*key = &crypto->key; 
+    }
+    if(ret == 0)
+	ret = _key_schedule(context, *key);
+    return ret;
+}
+
+static krb5_error_code
+do_checksum (krb5_context context,
+	     struct checksum_type *ct,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     Checksum *result)
+{
+    krb5_error_code ret;
+    struct key_data *dkey;
+    int keyed_checksum;
+
+    keyed_checksum = (ct->flags & F_KEYED) != 0;
+    if(keyed_checksum && crypto == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+    if(keyed_checksum)
+	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
+    else
+	dkey = NULL;
+    result->cksumtype = ct->type;
+    krb5_data_alloc(&result->checksum, ct->checksumsize);
+    (*ct->checksum)(context, dkey, data, len, result);
+    return 0;
+}
+
+static krb5_error_code
+create_checksum(krb5_context context,
+		krb5_crypto crypto,
+		unsigned usage, /* not krb5_key_usage */
+		krb5_cksumtype type, /* if crypto == NULL */
+		void *data,
+		size_t len,
+		Checksum *result)
+{
+    struct checksum_type *ct;
+
+    if(crypto) {
+	ct = crypto->et->keyed_checksum;
+	if(ct == NULL)
+	    ct = crypto->et->cksumtype;
+    } else
+	ct = _find_checksum(type);
+    if(ct == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    return do_checksum (context, ct, crypto, usage, data, len, result);
+}
+
+krb5_error_code
+krb5_create_checksum(krb5_context context,
+		     krb5_crypto crypto,
+		     unsigned usage_or_type,
+		     void *data,
+		     size_t len,
+		     Checksum *result)
+{
+    return create_checksum(context, crypto, 
+			   CHECKSUM_USAGE(usage_or_type), 
+			   usage_or_type, data, len, result);
+}
+
+static krb5_error_code
+verify_checksum(krb5_context context,
+		krb5_crypto crypto,
+		unsigned usage, /* not krb5_key_usage */
+		void *data,
+		size_t len,
+		Checksum *cksum)
+{
+    krb5_error_code ret;
+    struct key_data *dkey;
+    int keyed_checksum;
+    Checksum c;
+    struct checksum_type *ct;
+
+    ct = _find_checksum(cksum->cksumtype);
+    if(ct == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    if(ct->checksumsize != cksum->checksum.length)
+	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
+    keyed_checksum = (ct->flags & F_KEYED) != 0;
+    if(keyed_checksum && crypto == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+    if(keyed_checksum)
+	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
+    else
+	dkey = NULL;
+    if(ct->verify)
+	return (*ct->verify)(context, dkey, data, len, cksum);
+
+    ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
+    if (ret)
+	return ret;
+
+    (*ct->checksum)(context, dkey, data, len, &c);
+
+    if(c.checksum.length != cksum->checksum.length || 
+       memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length))
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    else
+	ret = 0;
+    krb5_data_free (&c.checksum);
+    return ret;
+}
+
+krb5_error_code
+krb5_verify_checksum(krb5_context context,
+		     krb5_crypto crypto,
+		     krb5_key_usage usage, 
+		     void *data,
+		     size_t len,
+		     Checksum *cksum)
+{
+    return verify_checksum(context, crypto, 
+			   CHECKSUM_USAGE(usage), data, len, cksum);
+}
+
+krb5_error_code
+krb5_checksumsize(krb5_context context,
+		  krb5_cksumtype type,
+		  size_t *size)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    *size = ct->checksumsize;
+    return 0;
+}
+
+krb5_boolean
+krb5_checksum_is_keyed(krb5_context context,
+		       krb5_cksumtype type)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    return ct->flags & F_KEYED;
+}
+
+krb5_boolean
+krb5_checksum_is_collision_proof(krb5_context context,
+				 krb5_cksumtype type)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL)
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    return ct->flags & F_CPROOF;
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static void
+NULL_encrypt(struct key_data *key, 
+	     void *data, 
+	     size_t len, 
+	     krb5_boolean encrypt)
+{
+}
+
+static void
+DES_CBC_encrypt_null_ivec(struct key_data *key, 
+			  void *data, 
+			  size_t len, 
+			  krb5_boolean encrypt)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
+}
+
+static void
+DES_CBC_encrypt_key_ivec(struct key_data *key, 
+			 void *data, 
+			 size_t len, 
+			 krb5_boolean encrypt)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+    des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
+}
+
+static void
+DES3_CBC_encrypt(struct key_data *key, 
+		 void *data, 
+		 size_t len, 
+		 krb5_boolean encrypt)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], &ivec, encrypt);
+}
+
+static void
+ARCFOUR_encrypt(struct key_data *key,
+		void *data,
+		size_t len,
+		krb5_boolean encrypt)
+{
+
+}
+
+/*
+ * these should currently be in reverse preference order.
+ */
+
+static struct encryption_type etypes[] = {
+    {
+	ETYPE_NULL,
+	"null",
+	1,
+	0,
+	&keytype_null,
+	&checksum_none,
+	NULL,
+	0,
+	NULL_encrypt,
+    },
+    {
+	ETYPE_DES_CBC_CRC,
+	"des-cbc-crc",
+	8,
+	8,
+	&keytype_des,
+	&checksum_crc32,
+	NULL,
+	0,
+	DES_CBC_encrypt_key_ivec,
+    },
+    {
+	ETYPE_DES_CBC_MD4,
+	"des-cbc-md4",
+	8,
+	8,
+	&keytype_des,
+	&checksum_rsa_md4,
+	&checksum_rsa_md4_des,
+	0,
+	DES_CBC_encrypt_null_ivec,
+    },
+    {
+	ETYPE_DES_CBC_MD5,
+	"des-cbc-md5",
+	8,
+	8,
+	&keytype_des,
+	&checksum_rsa_md5,
+	&checksum_rsa_md5_des,
+	0,
+	DES_CBC_encrypt_null_ivec,
+    },
+    { 
+	ETYPE_DES3_CBC_MD5,
+	"des3-cbc-md5",
+	8,
+	8,
+	&keytype_des3,
+	&checksum_rsa_md5,
+	&checksum_rsa_md5_des3,
+	0,
+ 	DES3_CBC_encrypt,
+    },
+    {
+	ETYPE_DES3_CBC_SHA1,
+	"des3-cbc-sha1",
+	8,
+	8,
+	&keytype_des3_derived,
+	&checksum_sha1,
+	&checksum_hmac_sha1_des3,
+	F_DERIVED,
+ 	DES3_CBC_encrypt,
+    },
+    {
+	ETYPE_OLD_DES3_CBC_SHA1,
+	"old-des3-cbc-sha1",
+	8,
+	8,
+	&keytype_des3,
+	&checksum_sha1,
+	&checksum_hmac_sha1_des3,
+	0,
+ 	DES3_CBC_encrypt,
+    },
+    {
+	ETYPE_DES_CBC_NONE,
+	"des-cbc-none",
+	8,
+	0,
+	&keytype_des,
+	&checksum_none,
+	NULL,
+	F_PSEUDO,
+	DES_CBC_encrypt_null_ivec,
+    },
+    {
+	ETYPE_DES3_CBC_NONE,
+	"des3-cbc-none",
+	8,
+	0,
+	&keytype_des3_derived,
+	&checksum_none,
+	NULL,
+	F_PSEUDO,
+	DES_CBC_encrypt_null_ivec,
+    },
+};
+
+static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
+
+
+static struct encryption_type *
+_find_enctype(krb5_enctype type)
+{
+    int i;
+    for(i = 0; i < num_etypes; i++)
+	if(etypes[i].type == type)
+	    return &etypes[i];
+    return NULL;
+}
+
+
+krb5_error_code
+krb5_enctype_to_string(krb5_context context,
+		       krb5_enctype etype,
+		       char **string)
+{
+    struct encryption_type *e;
+    e = _find_enctype(etype);
+    if(e == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    *string = strdup(e->name);
+    if(*string == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_enctype(krb5_context context,
+		       const char *string,
+		       krb5_enctype *etype)
+{
+    int i;
+    for(i = 0; i < num_etypes; i++)
+	if(strcasecmp(etypes[i].name, string) == 0){
+	    *etype = etypes[i].type;
+	    return 0;
+	}
+    return KRB5_PROG_ETYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_enctype_to_keytype(krb5_context context,
+			krb5_enctype etype,
+			krb5_keytype *keytype)
+{
+    struct encryption_type *e = _find_enctype(etype);
+    if(e == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    *keytype = e->keytype->type; /* XXX */
+    return 0;
+}
+
+#if 0
+krb5_error_code
+krb5_keytype_to_enctype(krb5_context context,
+			krb5_keytype keytype,
+			krb5_enctype *etype)
+{
+    struct key_type *kt = _find_keytype(keytype);
+    krb5_warnx(context, "krb5_keytype_to_enctype(%u)", keytype);
+    if(kt == NULL)
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+    *etype = kt->best_etype;
+    return 0;
+}
+#endif
+    
+krb5_error_code
+krb5_keytype_to_enctypes (krb5_context context,
+			  krb5_keytype keytype,
+			  unsigned *len,
+			  int **val)
+{
+    int i;
+    unsigned n = 0;
+    int *ret;
+
+    for (i = num_etypes - 1; i >= 0; --i) {
+	if (etypes[i].keytype->type == keytype
+	    && !(etypes[i].flags & F_PSEUDO))
+	    ++n;
+    }
+    ret = malloc(n * sizeof(int));
+    if (ret == NULL && n != 0)
+	return ENOMEM;
+    n = 0;
+    for (i = num_etypes - 1; i >= 0; --i) {
+	if (etypes[i].keytype->type == keytype
+	    && !(etypes[i].flags & F_PSEUDO))
+	    ret[n++] = etypes[i].type;
+    }
+    *len = n;
+    *val = ret;
+    return 0;
+}
+
+/*
+ * First take the configured list of etypes for `keytype' if available,
+ * else, do `krb5_keytype_to_enctypes'.
+ */
+
+krb5_error_code
+krb5_keytype_to_enctypes_default (krb5_context context,
+				  krb5_keytype keytype,
+				  unsigned *len,
+				  int **val)
+{
+    int i, n;
+    int *ret;
+
+    if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
+	return krb5_keytype_to_enctypes (context, keytype, len, val);
+
+    for (n = 0; context->etypes_des[n]; ++n)
+	;
+    ret = malloc (n * sizeof(*ret));
+    if (ret == NULL && n != 0)
+	return ENOMEM;
+    for (i = 0; i < n; ++i)
+	ret[i] = context->etypes_des[i];
+    *len = n;
+    *val = ret;
+    return 0;
+}
+
+krb5_error_code
+krb5_enctype_valid(krb5_context context, 
+		 krb5_enctype etype)
+{
+    return _find_enctype(etype) != NULL;
+}
+
+/* if two enctypes have compatible keys */
+krb5_boolean
+krb5_enctypes_compatible_keys(krb5_context context,
+			      krb5_enctype etype1,
+			      krb5_enctype etype2)
+{
+    struct encryption_type *e1 = _find_enctype(etype1);
+    struct encryption_type *e2 = _find_enctype(etype2);
+    return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
+}
+
+static krb5_boolean
+derived_crypto(krb5_context context,
+	       krb5_crypto crypto)
+{
+    return (crypto->et->flags & F_DERIVED) != 0;
+}
+
+
+#define CHECKSUMSIZE(C) ((C)->checksumsize)
+#define CHECKSUMTYPE(C) ((C)->type)
+
+static krb5_error_code
+encrypt_internal_derived(krb5_context context,
+			 krb5_crypto crypto,
+			 unsigned usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result)
+{
+    size_t sz, block_sz, checksum_sz;
+    Checksum cksum;
+    unsigned char *p, *q;
+    krb5_error_code ret;
+    struct key_data *dkey;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
+
+    sz = et->confoundersize + /* 4 - length */ len;
+    block_sz = (sz + et->blocksize - 1) &~ (et->blocksize - 1); /* pad */
+    p = calloc(1, block_sz + checksum_sz);
+    if(p == NULL)
+	return ENOMEM;
+    
+    q = p;
+    krb5_generate_random_block(q, et->confoundersize); /* XXX */
+    q += et->confoundersize;
+    memcpy(q, data, len);
+    
+    ret = create_checksum(context, 
+			  crypto, 
+			  INTEGRITY_USAGE(usage),
+			  0,
+			  p, 
+			  block_sz,
+			  &cksum);
+    if(ret == 0 && cksum.checksum.length != checksum_sz)
+	ret =  KRB5_CRYPTO_INTERNAL;
+    if(ret) {
+	memset(p, 0, block_sz + checksum_sz);
+	free(p);
+	return ret;
+    }
+    memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length);
+    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+    if(ret) {
+	memset(p, 0, block_sz + checksum_sz);
+	free(p);
+	return ret;
+    }
+    ret = _key_schedule(context, dkey);
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 1, block_sz, dkey->key);
+#endif
+    (*et->encrypt)(dkey, p, block_sz, 1);
+    result->data = p;
+    result->length = block_sz + checksum_sz;
+    return 0;
+}
+
+static krb5_error_code
+encrypt_internal(krb5_context context,
+		 krb5_crypto crypto,
+		 void *data,
+		 size_t len,
+		 krb5_data *result)
+{
+    size_t sz, block_sz, checksum_sz;
+    Checksum cksum;
+    unsigned char *p, *q;
+    krb5_error_code ret;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->cksumtype);
+    
+    sz = et->confoundersize + checksum_sz + len;
+    block_sz = (sz + et->blocksize - 1) &~ (et->blocksize - 1); /* pad */
+    p = calloc(1, block_sz);
+    if(p == NULL)
+	return ENOMEM;
+    
+    q = p;
+    krb5_generate_random_block(q, et->confoundersize); /* XXX */
+    q += et->confoundersize;
+    memset(q, 0, checksum_sz);
+    q += checksum_sz;
+    memcpy(q, data, len);
+
+    ret = create_checksum(context, 
+			  NULL,
+			  0,
+			  CHECKSUMTYPE(et->cksumtype),
+			  p, 
+			  block_sz,
+			  &cksum);
+    if(ret == 0 && cksum.checksum.length != checksum_sz) {
+	free_Checksum (&cksum);
+	ret = KRB5_CRYPTO_INTERNAL;
+    }
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	free_Checksum(&cksum);
+	return ret;
+    }
+    memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length);
+    free_Checksum(&cksum);
+    ret = _key_schedule(context, &crypto->key);
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
+#endif
+    (*et->encrypt)(&crypto->key, p, block_sz, 1);
+    result->data = p;
+    result->length = block_sz;
+    return 0;
+}
+
+static krb5_error_code
+decrypt_internal_derived(krb5_context context,
+			 krb5_crypto crypto,
+			 unsigned usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result)
+{
+    size_t checksum_sz;
+    Checksum cksum;
+    unsigned char *p;
+    krb5_error_code ret;
+    struct key_data *dkey;
+    struct encryption_type *et = crypto->et;
+    unsigned long l;
+    
+    p = malloc(len);
+    if(len != 0 && p == NULL)
+	return ENOMEM;
+    memcpy(p, data, len);
+
+    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
+    len -= checksum_sz;
+
+    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    ret = _key_schedule(context, dkey);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 0, len, dkey->key);
+#endif
+    (*et->encrypt)(dkey, p, len, 0);
+
+    cksum.checksum.data   = p + len;
+    cksum.checksum.length = checksum_sz;
+    cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
+
+    ret = verify_checksum(context,
+			  crypto,
+			  INTEGRITY_USAGE(usage),
+			  p,
+			  len,
+			  &cksum);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    l = len - et->confoundersize;
+    memmove(p, p + et->confoundersize, l);
+    result->data = realloc(p, l);
+    if(p == NULL) {
+	free(p);
+	return ENOMEM;
+    }
+    result->length = l;
+    return 0;
+}
+
+static krb5_error_code
+decrypt_internal(krb5_context context,
+		 krb5_crypto crypto,
+		 void *data,
+		 size_t len,
+		 krb5_data *result)
+{
+    krb5_error_code ret;
+    unsigned char *p;
+    Checksum cksum;
+    size_t checksum_sz, l;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->cksumtype);
+    p = malloc(len);
+    if(len != 0 && p == NULL)
+	return ENOMEM;
+    memcpy(p, data, len);
+    
+    ret = _key_schedule(context, &crypto->key);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 0, len, crypto->key.key);
+#endif
+    (*et->encrypt)(&crypto->key, p, len, 0);
+    ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    memset(p + et->confoundersize, 0, checksum_sz);
+    cksum.cksumtype = CHECKSUMTYPE(et->cksumtype);
+    ret = verify_checksum(context, NULL, 0, p, len, &cksum);
+    free_Checksum(&cksum);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    l = len - et->confoundersize - checksum_sz;
+    memmove(p, p + et->confoundersize + checksum_sz, l);
+    result->data = realloc(p, l);
+    if(result->data == NULL) {
+	free(p);
+	return ENOMEM;
+    }
+    result->length = l;
+    return 0;
+}
+
+krb5_error_code
+krb5_encrypt(krb5_context context,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     krb5_data *result)
+{
+    if(derived_crypto(context, crypto))
+	return encrypt_internal_derived(context, crypto, usage, 
+					data, len, result);
+    else
+	return encrypt_internal(context, crypto, data, len, result);
+}
+
+krb5_error_code
+krb5_encrypt_EncryptedData(krb5_context context,
+			   krb5_crypto crypto,
+			   unsigned usage,
+			   void *data,
+			   size_t len,
+			   int kvno,
+			   EncryptedData *result)
+{
+    result->etype = CRYPTO_ETYPE(crypto);
+    if(kvno){
+	ALLOC(result->kvno, 1);
+	*result->kvno = kvno;
+    }else
+	result->kvno = NULL;
+    return krb5_encrypt(context, crypto, usage, data, len, &result->cipher);
+}
+
+krb5_error_code
+krb5_decrypt(krb5_context context,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     krb5_data *result)
+{
+    if(derived_crypto(context, crypto))
+	return decrypt_internal_derived(context, crypto, usage, 
+					data, len, result);
+    else
+	return decrypt_internal(context, crypto, data, len, result);
+}
+
+krb5_error_code
+krb5_decrypt_EncryptedData(krb5_context context,
+			   krb5_crypto crypto,
+			   unsigned usage,
+			   EncryptedData *e,
+			   krb5_data *result)
+{
+    return krb5_decrypt(context, crypto, usage, 
+			e->cipher.data, e->cipher.length, result);
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+void
+krb5_generate_random_block(void *buf, size_t len)
+{
+    des_cblock key, out;
+    static des_cblock counter;
+    static des_key_schedule schedule;
+    int i;
+    static int initialized = 0;
+
+    if(!initialized) {
+	des_new_random_key(&key);
+	des_set_key(&key, schedule);
+	memset(&key, 0, sizeof(key));
+	des_new_random_key(&counter);
+    }
+    while(len > 0) {
+	des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT);
+	for(i = 7; i >=0; i--)
+	    if(counter[i]++)
+		break;
+	memcpy(buf, out, min(len, sizeof(out)));
+	len -= min(len, sizeof(out));
+	buf = (char*)buf + sizeof(out);
+    }
+}
+
+static void
+DES3_postproc(krb5_context context,
+	      unsigned char *k, size_t len, struct key_data *key)
+{
+    unsigned char x[24];
+    int i, j;
+
+    memset(x, 0, sizeof(x));
+    for (i = 0; i < 3; ++i) {
+	unsigned char foo;
+
+	for (j = 0; j < 7; ++j) {
+	    unsigned char b = k[7 * i + j];
+
+	    x[8 * i + j] = b;
+	}
+	foo = 0;
+	for (j = 6; j >= 0; --j) {
+	    foo |= k[7 * i + j] & 1;
+	    foo <<= 1;
+	}
+	x[8 * i + 7] = foo;
+    }
+    k = key->key->keyvalue.data;
+    memcpy(k, x, 24);
+    memset(x, 0, sizeof(x));
+    if (key->schedule) {
+	krb5_free_data(context, key->schedule);
+	key->schedule = NULL;
+    }
+    des_set_odd_parity((des_cblock*)k);
+    des_set_odd_parity((des_cblock*)(k + 8));
+    des_set_odd_parity((des_cblock*)(k + 16));
+}
+
+static krb5_error_code
+derive_key(krb5_context context,
+	   struct encryption_type *et,
+	   struct key_data *key,
+	   void *constant,
+	   size_t len)
+{
+    unsigned char *k;
+    unsigned int nblocks = 0, i;
+    krb5_error_code ret = 0;
+    
+    struct key_type *kt = et->keytype;
+    ret = _key_schedule(context, key);
+    if(ret)
+	return ret;
+    if(et->blocksize * 8 < kt->bits ||
+       len != et->blocksize) {
+	nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
+	k = malloc(nblocks * et->blocksize);
+	if(k == NULL)
+	    return ENOMEM;
+	_krb5_n_fold(constant, len, k, et->blocksize);
+	for(i = 0; i < nblocks; i++) {
+	    if(i > 0)
+		memcpy(k + i * et->blocksize, 
+		       k + (i - 1) * et->blocksize,
+		       et->blocksize);
+	    (*et->encrypt)(key, k + i * et->blocksize, et->blocksize, 1);
+	}
+    } else {
+	void *c = malloc(len);
+	size_t res_len = (kt->bits + 7) / 8;
+
+	if(len != 0 && c == NULL)
+	    return ENOMEM;
+	memcpy(c, constant, len);
+	(*et->encrypt)(key, c, len, 1);
+	k = malloc(res_len);
+	if(res_len != 0 && k == NULL)
+	    return ENOMEM;
+	_krb5_n_fold(c, len, k, res_len);
+	free(c);
+    }
+    
+    /* XXX keytype dependent post-processing */
+    switch(kt->type) {
+    case KEYTYPE_DES3:
+	DES3_postproc(context, k, nblocks * et->blocksize, key);
+	break;
+    default:
+	krb5_warnx(context, "derive_key() called with unknown keytype (%u)", 
+		   kt->type);
+	ret = KRB5_CRYPTO_INTERNAL;
+	break;
+    }
+    memset(k, 0, nblocks * et->blocksize);
+    free(k);
+    return ret;
+}
+
+static struct key_data *
+_new_derived_key(krb5_crypto crypto, unsigned usage)
+{
+    struct key_usage *d = crypto->key_usage;
+    d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
+    if(d == NULL)
+	return NULL;
+    crypto->key_usage = d;
+    d += crypto->num_key_usage++;
+    memset(d, 0, sizeof(*d));
+    d->usage = usage;
+    return &d->key;
+}
+
+static krb5_error_code
+_get_derived_key(krb5_context context, 
+		 krb5_crypto crypto, 
+		 unsigned usage, 
+		 struct key_data **key)
+{
+    int i;
+    struct key_data *d;
+    unsigned char constant[5];
+
+    for(i = 0; i < crypto->num_key_usage; i++)
+	if(crypto->key_usage[i].usage == usage) {
+	    *key = &crypto->key_usage[i].key;
+	    return 0;
+	}
+    d = _new_derived_key(crypto, usage);
+    if(d == NULL)
+	return ENOMEM;
+    krb5_copy_keyblock(context, crypto->key.key, &d->key);
+    _krb5_put_int(constant, usage, 5);
+    derive_key(context, crypto->et, d, constant, sizeof(constant));
+    *key = d;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_crypto_init(krb5_context context,
+		 krb5_keyblock *key,
+		 krb5_enctype etype,
+		 krb5_crypto *crypto)
+{
+    krb5_error_code ret;
+    ALLOC(*crypto, 1);
+    if(*crypto == NULL)
+	return ENOMEM;
+    if(etype == ETYPE_NULL)
+	etype = key->keytype;
+    (*crypto)->et = _find_enctype(etype);
+    if((*crypto)->et == NULL) {
+	free(*crypto);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key);
+    if(ret) {
+	free(*crypto);
+	return ret;
+    }
+    (*crypto)->key.schedule = NULL;
+    (*crypto)->num_key_usage = 0;
+    (*crypto)->key_usage = NULL;
+    return 0;
+}
+
+static void
+free_key_data(krb5_context context, struct key_data *key)
+{
+    krb5_free_keyblock(context, key->key);
+    if(key->schedule) {
+	memset(key->schedule->data, 0, key->schedule->length);
+	krb5_free_data(context, key->schedule);
+    }
+}
+
+static void
+free_key_usage(krb5_context context, struct key_usage *ku)
+{
+    free_key_data(context, &ku->key);
+}
+
+krb5_error_code
+krb5_crypto_destroy(krb5_context context,
+		    krb5_crypto crypto)
+{
+    int i;
+    
+    for(i = 0; i < crypto->num_key_usage; i++)
+	free_key_usage(context, &crypto->key_usage[i]);
+    free(crypto->key_usage);
+    free_key_data(context, &crypto->key);
+    free (crypto);
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_key_derived(krb5_context context,
+			   const void *str,
+			   size_t len,
+			   krb5_enctype etype,
+			   krb5_keyblock *key)
+{
+    struct encryption_type *et = _find_enctype(etype);
+    krb5_error_code ret;
+    struct key_data kd;
+    u_char *tmp;
+
+    if(et == NULL)
+	return KRB5_PROG_ETYPE_NOSUPP;
+    ALLOC(kd.key, 1);
+    kd.key->keytype = etype;
+    tmp = malloc (et->keytype->bits / 8);
+    _krb5_n_fold(str, len, tmp, et->keytype->bits / 8);
+    krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+    kd.schedule = NULL;
+    DES3_postproc (context, tmp, et->keytype->bits / 8, &kd); /* XXX */
+    ret = derive_key(context,
+		     et,
+		     &kd,
+		     "kerberos", /* XXX well known constant */
+		     strlen("kerberos"));
+    ret = krb5_copy_keyblock_contents(context, kd.key, key);
+    free_key_data(context, &kd);
+    return ret;
+}
+
+/*
+ * Return the size of an encrypted packet of length `data_len'
+ */
+
+size_t
+krb5_get_wrapped_length (krb5_context context,
+			 krb5_crypto  crypto,
+			 size_t       data_len)
+{
+    struct encryption_type *et = crypto->et;
+    size_t blocksize = et->blocksize;
+    size_t res;
+
+    res = (data_len + blocksize - 1) / blocksize * blocksize;
+    res = res + et->confoundersize + et->cksumtype->checksumsize;
+    return res;
+}
+
+#ifdef CRYPTO_DEBUG
+
+static krb5_error_code
+krb5_get_keyid(krb5_context context,
+	       krb5_keyblock *key,
+	       u_int32_t *keyid)
+{
+    MD5_CTX md5;
+    unsigned char tmp[16];
+
+    MD5Init (&md5);
+    MD5Update (&md5, key->keyvalue.data, key->keyvalue.length);
+    MD5Final (tmp, &md5);
+    *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15];
+    return 0;
+}
+
+static void
+krb5_crypto_debug(krb5_context context,
+		  int encrypt,
+		  size_t len,
+		  krb5_keyblock *key)
+{
+    u_int32_t keyid;
+    char *kt;
+    krb5_get_keyid(context, key, &keyid);
+    krb5_enctype_to_string(context, key->keytype, &kt);
+    krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)", 
+	       encrypt ? "encrypting" : "decrypting",
+	       (unsigned long)len,
+	       keyid,
+	       kt);
+    free(kt);
+}
+
+#endif /* CRYPTO_DEBUG */
diff --git a/crypto/heimdal/lib/krb5/data.c b/crypto/heimdal/lib/krb5/data.c
new file mode 100644
index 0000000..21191e2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/data.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: data.c,v 1.15 1999/12/02 17:05:09 joda Exp $");
+
+void
+krb5_data_zero(krb5_data *p)
+{
+    p->length = 0;
+    p->data   = NULL;
+}
+
+void
+krb5_data_free(krb5_data *p)
+{
+    if(p->data != NULL)
+	free(p->data);
+    p->length = 0;
+}
+
+void
+krb5_free_data(krb5_context context,
+	       krb5_data *p)
+{
+    krb5_data_free(p);
+    free(p);
+}
+
+krb5_error_code
+krb5_data_alloc(krb5_data *p, int len)
+{
+    p->data = malloc(len);
+    if(len && p->data == NULL)
+	return ENOMEM;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_data_realloc(krb5_data *p, int len)
+{
+    void *tmp;
+    tmp = realloc(p->data, len);
+    if(len && !tmp)
+	return ENOMEM;
+    p->data = tmp;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_data_copy(krb5_data *p, const void *data, size_t len)
+{
+    if (len) {
+	if(krb5_data_alloc(p, len))
+	    return ENOMEM;
+	memmove(p->data, data, len);
+    } else
+	p->data = NULL;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_data(krb5_context context, 
+	       const krb5_data *indata, 
+	       krb5_data **outdata)
+{
+    krb5_error_code ret;
+    ALLOC(*outdata, 1);
+    if(*outdata == NULL)
+	return ENOMEM;
+    ret = copy_octet_string(indata, *outdata);
+    if(ret)
+	free(*outdata);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/dump_config.c b/crypto/heimdal/lib/krb5/dump_config.c
new file mode 100644
index 0000000..074595e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/dump_config.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: dump_config.c,v 1.2 1999/10/28 23:22:41 assar Exp $");
+
+/* print contents of krb5.conf */
+
+static void
+print_tree(struct krb5_config_binding *b, int level)
+{
+    if (b == NULL)
+	return;
+
+    printf("%*s%s%s%s", level * 4, "", 
+	   (level == 0) ? "[" : "", b->name, (level == 0) ? "]" : "");
+    if(b->type == krb5_config_list) {
+	if(level > 0)
+	    printf(" = {");
+	printf("\n");
+	print_tree(b->u.list, level + 1);
+	if(level > 0)
+	    printf("%*s}\n", level * 4, "");
+    } else if(b->type == krb5_config_string) {
+	printf(" = %s\n", b->u.string);
+    }
+    if(b->next)
+	print_tree(b->next, level);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret = krb5_init_context(&context);
+    if(ret == 0) {
+	print_tree(context->cf, 0);
+	return 0;
+    }
+    return 1;
+}
diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c
new file mode 100644
index 0000000..3e98e88
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/expand_hostname.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: expand_hostname.c,v 1.8 2000/02/20 02:25:29 assar Exp $");
+
+static krb5_error_code
+copy_hostname(krb5_context context,
+	      const char *orig_hostname,
+	      char **new_hostname)
+{
+    *new_hostname = strdup (orig_hostname);
+    if (*new_hostname == NULL)
+	return ENOMEM;
+    strlwr (*new_hostname);
+    return 0;
+}
+
+/*
+ * Try to make `orig_hostname' into a more canonical one in the newly
+ * allocated space returned in `new_hostname'.
+ */
+
+krb5_error_code
+krb5_expand_hostname (krb5_context context,
+		      const char *orig_hostname,
+		      char **new_hostname)
+{
+    struct addrinfo *ai, *a, hints;
+    int error;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
+    if (error)
+	return copy_hostname (context, orig_hostname, new_hostname);
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_canonname != NULL) {
+	    *new_hostname = strdup (a->ai_canonname);
+	    freeaddrinfo (ai);
+	    if (*new_hostname == NULL)
+		return ENOMEM;
+	    else
+		return 0;
+	}
+    }
+    freeaddrinfo (ai);
+    return copy_hostname (context, orig_hostname, new_hostname);
+}
+
+/*
+ * handle the case of the hostname being unresolvable and thus identical
+ */
+
+static krb5_error_code
+vanilla_hostname (krb5_context context,
+		  const char *orig_hostname,
+		  char **new_hostname,
+		  char ***realms)
+{
+    krb5_error_code ret;
+
+    ret = copy_hostname (context, orig_hostname, new_hostname);
+    if (ret)
+	return ret;
+    strlwr (*new_hostname);
+
+    ret = krb5_get_host_realm (context, *new_hostname, realms);
+    if (ret) {
+	free (*new_hostname);
+	return ret;
+    }
+    return 0;
+}
+
+/*
+ * expand `hostname' to a name we believe to be a hostname in newly
+ * allocated space in `host' and return realms in `realms'.
+ */
+
+krb5_error_code
+krb5_expand_hostname_realms (krb5_context context,
+			     const char *orig_hostname,
+			     char **new_hostname,
+			     char ***realms)
+{
+    struct addrinfo *ai, *a, hints;
+    int error;
+    krb5_error_code ret = 0;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
+    if (error)
+	return vanilla_hostname (context, orig_hostname, new_hostname,
+				 realms);
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_canonname != NULL) {
+	    ret = copy_hostname (context, orig_hostname, new_hostname);
+	    if (ret) {
+		freeaddrinfo (ai);
+		return ret;
+	    }
+	    strlwr (*new_hostname);
+	    ret = krb5_get_host_realm (context, *new_hostname, realms);
+	    if (ret == 0) {
+		freeaddrinfo (ai);
+		return 0;
+	    }
+	    free (*new_hostname);
+	}
+    }
+    return vanilla_hostname (context, orig_hostname, new_hostname, realms);
+}
diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c
new file mode 100644
index 0000000..df88e6f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/fcache.c
@@ -0,0 +1,431 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: fcache.c,v 1.22 1999/12/02 17:05:09 joda Exp $");
+
+typedef struct krb5_fcache{
+    char *filename;
+    int version;
+}krb5_fcache;
+
+struct fcc_cursor {
+    int fd;
+    krb5_storage *sp;
+};
+
+#define KRB5_FCC_FVNO_1 1
+#define KRB5_FCC_FVNO_2 2
+#define KRB5_FCC_FVNO_3 3
+#define KRB5_FCC_FVNO_4 4
+
+#define FCC_TAG_DELTATIME 1
+
+#define FCACHE(X) ((krb5_fcache*)(X)->data.data)
+
+#define FILENAME(X) (FCACHE(X)->filename)
+
+#define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
+
+static char*
+fcc_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    return FILENAME(id);
+}
+
+static krb5_error_code
+fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    krb5_fcache *f;
+    f = malloc(sizeof(*f));
+    if(f == NULL)
+	return KRB5_CC_NOMEM;
+    f->filename = strdup(res);
+    if(f->filename == NULL){
+	free(f);
+	return KRB5_CC_NOMEM;
+    }
+    f->version = 0;
+    (*id)->data.data = f;
+    (*id)->data.length = sizeof(*f);
+    return 0;
+}
+
+static krb5_error_code
+erase_file(const char *filename)
+{
+    int fd;
+    off_t pos;
+    char buf[128];
+
+    fd = open(filename, O_RDWR | O_BINARY);
+    if(fd < 0){
+	if(errno == ENOENT)
+	    return 0;
+	else
+	    return errno;
+    }
+    pos = lseek(fd, 0, SEEK_END);
+    lseek(fd, 0, SEEK_SET);
+    memset(buf, 0, sizeof(buf));
+    while(pos > 0)
+	pos -= write(fd, buf, sizeof(buf));
+    close(fd);
+    unlink(filename);
+    return 0;
+}
+
+static krb5_error_code
+fcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_fcache *f;
+    int fd;
+    char *file;
+    f = malloc(sizeof(*f));
+    if(f == NULL)
+	return KRB5_CC_NOMEM;
+    asprintf(&file, "/tmp/krb5cc_XXXXXX"); /* XXX */
+    if(file == NULL) {
+	free(f);
+	return KRB5_CC_NOMEM;
+    }
+    fd = mkstemp(file);
+    if(fd < 0) {
+	free(f);
+	free(file);
+	return errno;
+    }
+    close(fd);
+    f->filename = file;
+    f->version = 0;
+    (*id)->data.data = f;
+    (*id)->data.length = sizeof(*f);
+    return 0;
+}
+
+static void
+storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
+{
+    int flags = 0;
+    switch(vno) {
+    case KRB5_FCC_FVNO_1:
+	flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS;
+	flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE;
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_FCC_FVNO_2:
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_FCC_FVNO_3:
+	flags |= KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE;
+	break;
+    case KRB5_FCC_FVNO_4:
+	break;
+    default:
+	krb5_abortx(context, 
+		    "storage_set_flags called with bad vno (%x)", vno);
+    }
+    krb5_storage_set_flags(sp, flags);
+}
+
+static krb5_error_code
+fcc_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    krb5_fcache *f = FCACHE(id);
+    int ret;
+    int fd;
+    char *filename = f->filename;
+
+    if((ret = erase_file(filename)))
+	return ret;
+  
+    fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+    if(fd == -1)
+	return errno;
+    {
+	krb5_storage *sp;    
+	sp = krb5_storage_from_fd(fd);
+	if(context->fcache_vno != 0)
+	    f->version = context->fcache_vno;
+	else
+	    f->version = KRB5_FCC_FVNO_4;
+	krb5_store_int8(sp, 5);
+	krb5_store_int8(sp, f->version);
+	storage_set_flags(context, sp, f->version);
+	if(f->version == KRB5_FCC_FVNO_4) {
+	    /* V4 stuff */
+	    if (context->kdc_sec_offset) {
+		krb5_store_int16 (sp, 12); /* length */
+		krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
+		krb5_store_int16 (sp, 8); /* length of data */
+		krb5_store_int32 (sp, context->kdc_sec_offset);
+		krb5_store_int32 (sp, context->kdc_usec_offset);
+	    } else {
+		krb5_store_int16 (sp, 0);
+	    }
+	}
+	krb5_store_principal(sp, primary_principal);
+	krb5_storage_free(sp);
+    }
+    close(fd);
+	
+    return 0;
+}
+
+static krb5_error_code
+fcc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    free (FILENAME(id));
+    krb5_data_free(&id->data);
+    return 0;
+}
+
+static krb5_error_code
+fcc_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    char *f;
+    f = FILENAME(id);
+
+    erase_file(f);
+  
+    return 0;
+}
+
+static krb5_error_code
+fcc_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    int fd;
+    char *f;
+
+    f = FILENAME(id);
+
+    fd = open(f, O_WRONLY | O_APPEND | O_BINARY);
+    if(fd < 0)
+	return errno;
+    {
+	krb5_storage *sp;
+	sp = krb5_storage_from_fd(fd);
+	storage_set_flags(context, sp, FCACHE(id)->version);
+	krb5_store_creds(sp, creds);
+	krb5_storage_free(sp);
+    }
+    close(fd);
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+fcc_read_cred (krb5_context context,
+	       krb5_fcache *fc,
+	       krb5_storage *sp,
+	       krb5_creds *creds)
+{
+    krb5_error_code ret;
+
+    storage_set_flags(context, sp, fc->version);
+    
+    ret = krb5_ret_creds(sp, creds);
+    return ret;
+}
+
+static krb5_error_code
+init_fcc (krb5_context context,
+	  krb5_fcache *fcache,
+	  krb5_storage **ret_sp,
+	  int *ret_fd)
+{
+    int fd;
+    int8_t pvno, tag;
+    krb5_storage *sp;
+
+    fd = open(fcache->filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    sp = krb5_storage_from_fd(fd);
+    krb5_ret_int8(sp, &pvno);
+    if(pvno != 5) {
+	krb5_storage_free(sp);
+	close(fd);
+	return KRB5_CCACHE_BADVNO;
+    }
+    krb5_ret_int8(sp, &tag); /* should not be host byte order */
+    fcache->version = tag;
+    storage_set_flags(context, sp, fcache->version);
+    switch (tag) {
+    case KRB5_FCC_FVNO_4: {
+	int16_t length;
+
+	krb5_ret_int16 (sp, &length);
+	while(length > 0) {
+	    int16_t tag, data_len;
+	    int i;
+	    int8_t dummy;
+
+	    krb5_ret_int16 (sp, &tag);
+	    krb5_ret_int16 (sp, &data_len);
+	    switch (tag) {
+	    case FCC_TAG_DELTATIME :
+		krb5_ret_int32 (sp, &context->kdc_sec_offset);
+		krb5_ret_int32 (sp, &context->kdc_usec_offset);
+		break;
+	    default :
+		for (i = 0; i < data_len; ++i)
+		    krb5_ret_int8 (sp, &dummy);
+		break;
+	    }
+	    length -= 4 + data_len;
+	}
+	break;
+    }
+    case KRB5_FCC_FVNO_3:
+    case KRB5_FCC_FVNO_2:
+    case KRB5_FCC_FVNO_1:
+	break;
+    default :
+	krb5_storage_free (sp);
+	close (fd);
+	return KRB5_CCACHE_BADVNO;
+    }
+    *ret_sp = sp;
+    *ret_fd = fd;
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_error_code ret;
+    krb5_fcache *f = FCACHE(id);
+    int fd;
+    krb5_storage *sp;
+
+    ret = init_fcc (context, f, &sp, &fd);
+    if (ret)
+	return ret;
+    krb5_ret_principal(sp, principal);
+    krb5_storage_free(sp);
+    close(fd);
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    krb5_error_code ret;
+    krb5_principal principal;
+    krb5_fcache *f = FCACHE(id);
+
+    *cursor = malloc(sizeof(struct fcc_cursor));
+
+    ret = init_fcc (context, f, &FCC_CURSOR(*cursor)->sp, 
+		    &FCC_CURSOR(*cursor)->fd);
+    if (ret)
+	return ret;
+    krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal);
+    krb5_free_principal (context, principal);
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_next (krb5_context context,
+	      krb5_ccache id,
+	      krb5_cc_cursor *cursor,
+	      krb5_creds *creds)
+{
+    return fcc_read_cred (context, FCACHE(id), FCC_CURSOR(*cursor)->sp, creds);
+}
+
+static krb5_error_code
+fcc_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    krb5_storage_free(FCC_CURSOR(*cursor)->sp);
+    close (FCC_CURSOR(*cursor)->fd);
+    free(*cursor);
+    return 0;
+}
+
+static krb5_error_code
+fcc_remove_cred(krb5_context context,
+		 krb5_ccache id,
+		 krb5_flags which,
+		 krb5_creds *cred)
+{
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+fcc_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+fcc_get_version(krb5_context context,
+		krb5_ccache id)
+{
+    return FCACHE(id)->version;
+}
+		    
+const krb5_cc_ops krb5_fcc_ops = {
+    "FILE",
+    fcc_get_name,
+    fcc_resolve,
+    fcc_gen_new,
+    fcc_initialize,
+    fcc_destroy,
+    fcc_close,
+    fcc_store_cred,
+    NULL, /* fcc_retrieve */
+    fcc_get_principal,
+    fcc_get_first,
+    fcc_get_next,
+    fcc_end_get,
+    fcc_remove_cred,
+    fcc_set_flags,
+    fcc_get_version
+};
diff --git a/crypto/heimdal/lib/krb5/free.c b/crypto/heimdal/lib/krb5/free.c
new file mode 100644
index 0000000..251ec32
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/free.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: free.c,v 1.5 1999/12/02 17:05:09 joda Exp $");
+
+krb5_error_code
+krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
+{
+    free_KDC_REP(&rep->kdc_rep);
+    free_EncTGSRepPart(&rep->enc_part);
+    free_KRB_ERROR(&rep->error);
+    return 0;
+}
+
+krb5_error_code
+krb5_xfree (void *ptr)
+{
+    free (ptr);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/free_host_realm.c b/crypto/heimdal/lib/krb5/free_host_realm.c
new file mode 100644
index 0000000..a69f29b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/free_host_realm.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: free_host_realm.c,v 1.4 1999/12/02 17:05:09 joda Exp $");
+
+/*
+ * Free all memory allocated by `realmlist'
+ */
+
+krb5_error_code
+krb5_free_host_realm(krb5_context context,
+		     krb5_realm *realmlist)
+{
+    krb5_realm *p;
+
+    if(realmlist == NULL)
+	return 0;
+    for (p = realmlist; *p; ++p)
+	free (*p);
+    free (realmlist);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c
new file mode 100644
index 0000000..a000ea1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/generate_seq_number.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: generate_seq_number.c,v 1.6 1999/12/02 17:05:09 joda Exp $");
+
+krb5_error_code
+krb5_generate_seq_number(krb5_context context,
+			 const krb5_keyblock *key,
+			 int32_t *seqno)
+{
+    krb5_error_code ret;
+    krb5_keyblock *subkey;
+    u_int32_t q;
+    u_char *p;
+    int i;
+
+    ret = krb5_generate_subkey (context, key, &subkey);
+    if (ret)
+	return ret;
+
+    q = 0;
+    for (p = (u_char *)subkey->keyvalue.data, i = 0;
+	 i < subkey->keyvalue.length;
+	 ++i, ++p)
+	q = (q << 8) | *p;
+    q &= 0xffffffff;
+    *seqno = q;
+    krb5_free_keyblock_contents (context, subkey);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/generate_subkey.c b/crypto/heimdal/lib/krb5/generate_subkey.c
new file mode 100644
index 0000000..a5b2e9e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/generate_subkey.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: generate_subkey.c,v 1.7 1999/12/02 17:05:09 joda Exp $");
+
+krb5_error_code
+krb5_generate_subkey(krb5_context context,
+		     const krb5_keyblock *key,
+		     krb5_keyblock **subkey)
+{
+    krb5_error_code ret;
+
+    ALLOC(*subkey, 1);
+    if (*subkey == NULL)
+	return ENOMEM;
+    ret = krb5_generate_random_keyblock(context, key->keytype, *subkey);
+    if(ret)
+	free(*subkey);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c
new file mode 100644
index 0000000..65a1b3c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_addrs.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_addrs.c,v 1.35 1999/12/02 17:05:09 joda Exp $");
+
+#ifdef __osf__
+/* hate */
+struct rtentry;
+struct mbuf;
+#endif
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif /* HAVE_SYS_SOCKIO_H */
+
+#ifdef HAVE_NETINET_IN6_VAR_H
+#include <netinet/in6_var.h>
+#endif /* HAVE_NETINET_IN6_VAR_H */
+
+static krb5_error_code
+gethostname_fallback (krb5_addresses *res)
+{
+     krb5_error_code err;
+     char hostname[MAXHOSTNAMELEN];
+     struct hostent *hostent;
+
+     if (gethostname (hostname, sizeof(hostname)))
+	  return errno;
+     hostent = roken_gethostbyname (hostname);
+     if (hostent == NULL)
+	  return errno;
+     res->len = 1;
+     res->val = malloc (sizeof(*res->val));
+     if (res->val == NULL)
+	 return ENOMEM;
+     res->val[0].addr_type = hostent->h_addrtype;
+     res->val[0].address.data = NULL;
+     res->val[0].address.length = 0;
+     err = krb5_data_copy (&res->val[0].address,
+			   hostent->h_addr,
+			   hostent->h_length);
+     if (err) {
+	 free (res->val);
+	 return err;
+     }
+     return 0;
+}
+
+enum {
+    LOOP            = 1,	/* do include loopback interfaces */
+    LOOP_IF_NONE    = 2,	/* include loopback if no other if's */
+    EXTRA_ADDRESSES = 4,	/* include extra addresses */
+    SCAN_INTERFACES = 8		/* scan interfaces for addresses */
+};
+
+/*
+ * Try to figure out the addresses of all configured interfaces with a
+ * lot of magic ioctls.
+ */
+
+static krb5_error_code
+find_all_addresses (krb5_context context,
+		    krb5_addresses *res, int flags,
+		    int af, int siocgifconf, int siocgifflags,
+		    size_t ifreq_sz)
+{
+     krb5_error_code ret;
+     int fd;
+     size_t buf_size;
+     char *buf;
+     struct ifconf ifconf;
+     int num, j = 0;
+     char *p;
+     size_t sz;
+     struct sockaddr sa_zero;
+     struct ifreq *ifr;
+     krb5_address lo_addr;
+     int got_lo = FALSE;
+
+     buf = NULL;
+     res->val = NULL;
+
+     memset (&sa_zero, 0, sizeof(sa_zero));
+     fd = socket(af, SOCK_DGRAM, 0);
+     if (fd < 0)
+	  return -1;
+
+     buf_size = 8192;
+     for (;;) {
+	 buf = malloc(buf_size);
+	 if (buf == NULL) {
+	     ret = ENOMEM;
+	     goto error_out;
+	 }
+	 ifconf.ifc_len = buf_size;
+	 ifconf.ifc_buf = buf;
+	 if (ioctl (fd, siocgifconf, &ifconf) < 0) {
+	     ret = errno;
+	     goto error_out;
+	 }
+	 /*
+	  * Can the difference between a full and a overfull buf
+	  * be determined?
+	  */
+
+	 if (ifconf.ifc_len < buf_size)
+	     break;
+	 free (buf);
+	 buf_size *= 2;
+     }
+
+     num = ifconf.ifc_len / ifreq_sz;
+     res->len = num;
+     res->val = calloc(num, sizeof(*res->val));
+     if (res->val == NULL) {
+	 ret = ENOMEM;
+	 goto error_out;
+     }
+
+     j = 0;
+     for (p = ifconf.ifc_buf;
+	  p < ifconf.ifc_buf + ifconf.ifc_len;
+	  p += sz) {
+	 struct ifreq ifreq;
+	 struct sockaddr *sa;
+
+	 ifr = (struct ifreq *)p;
+	 sa  = &ifr->ifr_addr;
+
+	 sz = ifreq_sz;
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	 sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len);
+#endif
+#ifdef SA_LEN
+	 sz = max(sz, SA_LEN(sa));
+#endif
+	 memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name));
+
+	 if (ioctl(fd, siocgifflags, &ifreq) < 0) {
+	     ret = errno;
+	     goto error_out;
+	 }
+
+	 if (!(ifreq.ifr_flags & IFF_UP))
+	     continue;
+	 if (memcmp (sa, &sa_zero, sizeof(sa_zero)) == 0)
+	     continue;
+	 if (krb5_sockaddr_uninteresting (sa))
+	     continue;
+
+	 if (ifreq.ifr_flags & IFF_LOOPBACK) {
+	     if (flags & LOOP_IF_NONE) {
+		 ret = krb5_sockaddr2address (sa, &lo_addr);
+		 if (ret)
+		     goto error_out;
+		 got_lo = TRUE;
+		 continue;
+	     } else if((flags & LOOP) == 0)
+		 continue;
+	 }
+
+	 ret = krb5_sockaddr2address (sa, &res->val[j]);
+	 if (ret)
+	     goto error_out;
+	 ++j;
+     }
+     if ((flags & LOOP_IF_NONE) && got_lo) {
+	 if (j == 0)
+	     res->val[j++] = lo_addr;
+	 else
+	     krb5_free_address (context, &lo_addr);
+     }
+
+     if (j != num) {
+	 void *tmp;
+
+	 res->len = j;
+	 tmp = realloc (res->val, j * sizeof(*res->val));
+	 if (j != 0 && tmp == NULL) {
+	     ret = ENOMEM;
+	     goto error_out;
+	 }
+	 res->val = tmp;
+     }
+     ret = 0;
+     goto cleanup;
+
+error_out:
+     if (got_lo)
+	     krb5_free_address (context, &lo_addr);
+     while(j--) {
+	 krb5_free_address (context, &res->val[j]);
+     }
+     free (res->val);
+cleanup:
+     close (fd);
+     free (buf);
+     return ret;
+}
+
+static krb5_error_code
+get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
+{
+    krb5_error_code ret = -1;
+
+    if (flags & SCAN_INTERFACES) {
+#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS)
+	if (ret)
+	    ret = find_all_addresses (context, res, flags,
+				      AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS,
+				      sizeof(struct in6_ifreq));
+#endif
+#if defined(HAVE_IPV6) && defined(SIOCGIFCONF)
+	if (ret)
+	    ret = find_all_addresses (context, res, flags,
+				      AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS,
+				      sizeof(struct ifreq));
+#endif
+#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS)
+	if (ret)
+	    ret = find_all_addresses (context, res, flags,
+				      AF_INET, SIOCGIFCONF, SIOCGIFFLAGS,
+				      sizeof(struct ifreq));
+	if(ret || res->len == 0)
+	    ret = gethostname_fallback (res);
+#endif
+    } else
+	ret = 0;
+
+    if(ret == 0 && (flags & EXTRA_ADDRESSES)) {
+	/* append user specified addresses */
+	krb5_addresses a;
+	ret = krb5_get_extra_addresses(context, &a);
+	if(ret) {
+	    krb5_free_addresses(context, res);
+	    return ret;
+	}
+	ret = krb5_append_addresses(context, res, &a);
+	if(ret) {
+	    krb5_free_addresses(context, res);
+	    return ret;
+	}
+	krb5_free_addresses(context, &a);
+    }
+    return ret;
+}
+
+/*
+ * Try to get all addresses, but return the one corresponding to
+ * `hostname' if we fail.
+ *
+ * Only include loopback address if there are no other.
+ */
+
+krb5_error_code
+krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
+{
+    int flags = LOOP_IF_NONE | EXTRA_ADDRESSES;
+
+    if (context->scan_interfaces)
+	flags |= SCAN_INTERFACES;
+
+    return get_addrs_int (context, res, flags);
+}
+
+/*
+ * Try to get all local addresses that a server should listen to.
+ * If that fails, we return the address corresponding to `hostname'.
+ */
+
+krb5_error_code
+krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res)
+{
+    return get_addrs_int (context, res, LOOP | SCAN_INTERFACES);
+}
diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c
new file mode 100644
index 0000000..61951c1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_cred.c
@@ -0,0 +1,776 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_cred.c,v 1.75 1999/12/02 17:05:09 joda Exp $");
+
+/*
+ * Take the `body' and encode it into `padata' using the credentials
+ * in `creds'.
+ */
+
+static krb5_error_code
+make_pa_tgs_req(krb5_context context, 
+		krb5_auth_context ac,
+		KDC_REQ_BODY *body,
+		PA_DATA *padata,
+		krb5_creds *creds)
+{
+    u_char *buf;
+    size_t buf_size;
+    size_t len;
+    krb5_data in_data;
+    krb5_error_code ret;
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL)
+	return ENOMEM;
+
+    do {
+	ret = encode_KDC_REQ_BODY(buf + buf_size - 1, buf_size,
+				  body, &len);
+	if (ret){
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    in_data.length = len;
+    in_data.data   = buf + buf_size - len;
+    ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
+			       &padata->padata_value,
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM);
+out:
+    free (buf);
+    if(ret)
+	return ret;
+    padata->padata_type = pa_tgs_req;
+    return 0;
+}
+
+/*
+ * Set the `enc-authorization-data' in `req_body' based on `authdata'
+ */
+
+static krb5_error_code
+set_auth_data (krb5_context context,
+	       KDC_REQ_BODY *req_body,
+	       krb5_authdata *authdata,
+	       krb5_keyblock *key)
+{
+    if(authdata->len) {
+	size_t len;
+	unsigned char *buf;
+	krb5_crypto crypto;
+	krb5_error_code ret;
+
+	len = length_AuthorizationData(authdata);
+	buf = malloc(len);
+	if (buf == NULL)
+	    return ENOMEM;
+	ret = encode_AuthorizationData(buf + len - 1,
+				       len, authdata, &len);
+	if (ret) {
+	    free (buf);
+	    return ret;
+	}
+
+	ALLOC(req_body->enc_authorization_data, 1);
+	if (req_body->enc_authorization_data == NULL) {
+	    free (buf);
+	    return ret;
+	}
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	if (ret) {
+	    free (buf);
+	    free (req_body->enc_authorization_data);
+	    return ret;
+	}
+	krb5_encrypt_EncryptedData(context, 
+				   crypto,
+				   KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, 
+				   /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
+				   buf,
+				   len,
+				   0,
+				   req_body->enc_authorization_data);
+	free (buf);
+	krb5_crypto_destroy(context, crypto);
+    } else {
+	req_body->enc_authorization_data = NULL;
+    }
+    return 0;
+}    
+
+/*
+ * Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
+ * (if not-NULL), `in_creds', `krbtgt', and returning the generated
+ * subkey in `subkey'.
+ */
+
+static krb5_error_code
+init_tgs_req (krb5_context context,
+	      krb5_ccache ccache,
+	      krb5_addresses *addresses,
+	      krb5_kdc_flags flags,
+	      Ticket *second_ticket,
+	      krb5_creds *in_creds,
+	      krb5_creds *krbtgt,
+	      unsigned nonce,
+	      krb5_keyblock **subkey,
+	      TGS_REQ *t)
+{
+    krb5_error_code ret;
+
+    memset(t, 0, sizeof(*t));
+    t->pvno = 5;
+    t->msg_type = krb_tgs_req;
+    if (in_creds->session.keytype) {
+	ret = krb5_keytype_to_enctypes_default (context,
+						in_creds->session.keytype,
+						&t->req_body.etype.len,
+						&t->req_body.etype.val);
+    } else {
+	ret = krb5_init_etype(context, 
+			      &t->req_body.etype.len, 
+			      &t->req_body.etype.val, 
+			      NULL);
+    }
+    if (ret)
+	goto fail;
+    t->req_body.addresses = addresses;
+    t->req_body.kdc_options = flags.b;
+    ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
+    if (ret)
+	goto fail;
+    ALLOC(t->req_body.sname, 1);
+    if (t->req_body.sname == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+    ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
+    if (ret)
+	goto fail;
+
+    /* req_body.till should be NULL if there is no endtime specified,
+       but old MIT code (like DCE secd) doesn't like that */
+    ALLOC(t->req_body.till, 1);
+    if(t->req_body.till == NULL){
+	ret = ENOMEM;
+	goto fail;
+    }
+    *t->req_body.till = in_creds->times.endtime;
+    
+    t->req_body.nonce = nonce;
+    if(second_ticket){
+	ALLOC(t->req_body.additional_tickets, 1);
+	if (t->req_body.additional_tickets == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	ALLOC_SEQ(t->req_body.additional_tickets, 1);
+	if (t->req_body.additional_tickets->val == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val); 
+	if (ret)
+	    goto fail;
+    }
+    ALLOC(t->padata, 1);
+    if (t->padata == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+    ALLOC_SEQ(t->padata, 1);
+    if (t->padata->val == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+
+    {
+	krb5_auth_context ac;
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_init(context, &ac);
+	if(ret)
+	    goto fail;
+	ret = krb5_generate_subkey (context, &krbtgt->session, &key);
+	if (ret) {
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+	ret = krb5_auth_con_setlocalsubkey(context, ac, key);
+	if (ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+
+	ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key);
+	if (ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+
+	ret = make_pa_tgs_req(context,
+			      ac,
+			      &t->req_body, 
+			      t->padata->val,
+			      krbtgt);
+	if(ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free(context, ac);
+	    goto fail;
+	}
+	*subkey = key;
+	
+	krb5_auth_con_free(context, ac);
+    }
+fail:
+    if (ret)
+	free_TGS_REQ (t);
+    return ret;
+}
+
+static krb5_error_code
+get_krbtgt(krb5_context context,
+	   krb5_ccache  id,
+	   krb5_realm realm,
+	   krb5_creds **cred)
+{
+    krb5_error_code ret;
+    krb5_creds tmp_cred;
+
+    memset(&tmp_cred, 0, sizeof(tmp_cred));
+
+    ret = krb5_make_principal(context, 
+			      &tmp_cred.server,
+			      realm,
+			      KRB5_TGS_NAME,
+			      realm,
+			      NULL);
+    if(ret)
+	return ret;
+    ret = krb5_get_credentials(context,
+			       KRB5_GC_CACHED,
+			       id,
+			       &tmp_cred,
+			       cred);
+    krb5_free_principal(context, tmp_cred.server);
+    if(ret)
+	return ret;
+    return 0;
+}
+
+/* DCE compatible decrypt proc */
+static krb5_error_code
+decrypt_tkt_with_subkey (krb5_context context,
+			 krb5_keyblock *key,
+			 krb5_key_usage usage,
+			 krb5_const_pointer subkey,
+			 krb5_kdc_rep *dec_rep)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    size_t size;
+    krb5_crypto crypto;
+    
+    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage,
+				      &dec_rep->kdc_rep.enc_part,
+				      &data);
+    krb5_crypto_destroy(context, crypto);
+    if(ret && subkey){
+	/* DCE compat -- try to decrypt with subkey */
+	krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto);
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
+					  &dec_rep->kdc_rep.enc_part,
+					  &data);
+	krb5_crypto_destroy(context, crypto);
+    }
+    if (ret)
+	return ret;
+    
+    ret = krb5_decode_EncASRepPart(context,
+				   data.data,
+				   data.length,
+				   &dec_rep->enc_part, 
+				   &size);
+    if (ret)
+	ret = krb5_decode_EncTGSRepPart(context,
+					data.data,
+					data.length,
+					&dec_rep->enc_part, 
+					&size);
+    krb5_data_free (&data);
+    return ret;
+}
+
+static krb5_error_code
+get_cred_kdc(krb5_context context, 
+	     krb5_ccache id, 
+	     krb5_kdc_flags flags,
+	     krb5_addresses *addresses, 
+	     krb5_creds *in_creds, 
+	     krb5_creds *krbtgt,
+	     krb5_creds *out_creds)
+{
+    TGS_REQ req;
+    krb5_data enc;
+    krb5_data resp;
+    krb5_kdc_rep rep;
+    KRB_ERROR error;
+    krb5_error_code ret;
+    unsigned nonce;
+    krb5_keyblock *subkey = NULL;
+    u_char *buf = NULL;
+    size_t buf_size;
+    size_t len;
+    Ticket second_ticket;
+    
+    krb5_generate_random_block(&nonce, sizeof(nonce));
+    nonce &= 0xffffffff;
+    
+    if(flags.b.enc_tkt_in_skey){
+	ret = decode_Ticket(in_creds->second_ticket.data, 
+			    in_creds->second_ticket.length, 
+			    &second_ticket, &len);
+	if(ret)
+	    return ret;
+    }
+
+    ret = init_tgs_req (context,
+			id,
+			addresses,
+			flags,
+			flags.b.enc_tkt_in_skey ? &second_ticket : NULL,
+			in_creds,
+			krbtgt,
+			nonce,
+			&subkey, 
+			&req);
+    if(flags.b.enc_tkt_in_skey)
+	free_Ticket(&second_ticket);
+    if (ret)
+	goto out;
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    do {
+	ret = encode_TGS_REQ  (buf + buf_size - 1, buf_size,
+			       &req, &enc.length);
+	if (ret) {
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    /* don't free addresses */
+    req.req_body.addresses = NULL;
+    free_TGS_REQ(&req);
+
+    enc.data = buf + buf_size - enc.length;
+    if (ret)
+	goto out;
+    
+    /*
+     * Send and receive
+     */
+
+    ret = krb5_sendto_kdc (context, &enc, 
+			   &krbtgt->server->name.name_string.val[1], &resp);
+    if(ret)
+	goto out;
+
+    memset(&rep, 0, sizeof(rep));
+    if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0){
+	ret = krb5_copy_principal(context, 
+				  in_creds->client, 
+				  &out_creds->client);
+	if(ret)
+	    goto out;
+	ret = krb5_copy_principal(context, 
+				  in_creds->server, 
+				  &out_creds->server);
+	if(ret)
+	    goto out;
+	/* this should go someplace else */
+	out_creds->times.endtime = in_creds->times.endtime;
+
+	ret = _krb5_extract_ticket(context,
+				   &rep,
+				   out_creds,
+				   &krbtgt->session,
+				   NULL,
+				   KRB5_KU_TGS_REP_ENC_PART_SESSION,
+				   &krbtgt->addresses,
+				   nonce,
+				   TRUE,
+				   decrypt_tkt_with_subkey,
+				   subkey);
+	krb5_free_kdc_rep(context, &rep);
+	if (ret)
+	    goto out;
+    }else if(krb5_rd_error(context, &resp, &error) == 0){
+	ret = error.error_code;
+	free_KRB_ERROR(&error);
+    }else if(resp.data && ((char*)resp.data)[0] == 4)
+	ret = KRB5KRB_AP_ERR_V4_REPLY;
+    else
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+    krb5_data_free(&resp);
+out:
+    if(subkey){
+	krb5_free_keyblock_contents(context, subkey);
+	free(subkey);
+    }
+    if (buf)
+	free (buf);
+    return ret;
+    
+}
+
+/* same as above, just get local addresses first */
+
+static krb5_error_code
+get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, 
+		krb5_creds *in_creds, krb5_creds *krbtgt, 
+		krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+    krb5_addresses addresses;
+    
+    krb5_get_all_client_addrs(context, &addresses);
+    ret = get_cred_kdc(context, id, flags, &addresses, 
+		       in_creds, krbtgt, out_creds);
+    krb5_free_addresses(context, &addresses);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_kdc_cred(krb5_context context,
+		  krb5_ccache id,
+		  krb5_kdc_flags flags,
+		  krb5_addresses *addresses,
+		  Ticket  *second_ticket,
+		  krb5_creds *in_creds,
+		  krb5_creds **out_creds
+		  )
+{
+    krb5_error_code ret;
+    krb5_creds *krbtgt;
+    *out_creds = calloc(1, sizeof(**out_creds));
+    if(*out_creds == NULL)
+	return ENOMEM;
+    ret = get_krbtgt (context,
+		      id,
+		      in_creds->server->realm,
+		      &krbtgt);
+    if(ret) {
+	free(*out_creds);
+	return ret;
+    }
+    ret = get_cred_kdc(context, id, flags, addresses, 
+		       in_creds, krbtgt, *out_creds);
+    krb5_free_creds (context, krbtgt);
+    if(ret)
+	free(*out_creds);
+    return ret;
+}
+
+
+static krb5_error_code
+find_cred(krb5_context context,
+	  krb5_ccache id,
+	  krb5_principal server,
+	  krb5_creds **tgts,
+	  krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds mcreds;
+    mcreds.server = server;
+    ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, 
+				&mcreds, out_creds);
+    if(ret == 0)
+	return 0;
+    while(tgts && *tgts){
+	if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM, 
+			      &mcreds, *tgts)){
+	    ret = krb5_copy_creds_contents(context, *tgts, out_creds);
+	    return ret;
+	}
+	tgts++;
+    }
+    return KRB5_CC_NOTFOUND;
+}
+
+static krb5_error_code
+add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_creds **tmp = *tgts;
+    for(i = 0; tmp && tmp[i]; i++); /* XXX */
+    tmp = realloc(tmp, (i+2)*sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    *tgts = tmp;
+    ret = krb5_copy_creds(context, tkt, &tmp[i]);
+    tmp[i+1] = NULL;
+    return ret;
+}
+
+/*
+get_cred(server)
+	creds = cc_get_cred(server)
+	if(creds) return creds
+	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+	if(tgt)
+		return get_cred_tgt(server, tgt)
+	if(client_realm == server_realm)
+		return NULL
+	tgt = get_cred(krbtgt/server_realm@client_realm)
+	while(tgt_inst != server_realm)
+		tgt = get_cred(krbtgt/server_realm@tgt_inst)
+	return get_cred_tgt(server, tgt)
+	*/
+
+static krb5_error_code
+get_cred_from_kdc_flags(krb5_context context,
+			krb5_kdc_flags flags,
+			krb5_ccache ccache,
+			krb5_creds *in_creds,
+			krb5_creds **out_creds,
+			krb5_creds ***ret_tgts)
+{
+    krb5_error_code ret;
+    krb5_creds *tgt, tmp_creds;
+    krb5_realm client_realm, server_realm;
+
+    *out_creds = NULL;
+
+    client_realm = *krb5_princ_realm(context, in_creds->client);
+    server_realm = *krb5_princ_realm(context, in_creds->server);
+    memset(&tmp_creds, 0, sizeof(tmp_creds));
+    ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
+    if(ret)
+	return ret;
+    ret = krb5_make_principal(context,
+			      &tmp_creds.server,
+			      client_realm,
+			      KRB5_TGS_NAME,
+			      server_realm,
+			      NULL);
+    if(ret){
+	krb5_free_principal(context, tmp_creds.client);
+	return ret;
+    }
+    {
+	krb5_creds tgts;
+	/* XXX try krb5_cc_retrieve_cred first? */
+	ret = find_cred(context, ccache, tmp_creds.server, 
+			*ret_tgts, &tgts);
+	if(ret == 0){
+	    *out_creds = calloc(1, sizeof(**out_creds));
+	    if(*out_creds == NULL)
+		ret = ENOMEM;
+	    else {
+		ret = get_cred_kdc_la(context, ccache, flags, 
+				      in_creds, &tgts, *out_creds);
+		if (ret)
+		    free (*out_creds);
+	    }
+	    krb5_free_creds_contents(context, &tgts);
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+    }
+    if(krb5_realm_compare(context, in_creds->client, in_creds->server))
+	return KRB5_CC_NOTFOUND;
+    /* XXX this can loop forever */
+    while(1){
+	general_string tgt_inst;
+	krb5_kdc_flags f;
+	f.i = 0;
+	ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, 
+				      &tgt, ret_tgts);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	ret = add_cred(context, ret_tgts, tgt);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	tgt_inst = tgt->server->name.name_string.val[1];
+	if(strcmp(tgt_inst, server_realm) == 0)
+	    break;
+	krb5_free_principal(context, tmp_creds.server);
+	ret = krb5_make_principal(context, &tmp_creds.server, 
+				  tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	ret = krb5_free_creds(context, tgt);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+    }
+	
+    krb5_free_principal(context, tmp_creds.server);
+    krb5_free_principal(context, tmp_creds.client);
+    *out_creds = calloc(1, sizeof(**out_creds));
+    if(*out_creds == NULL)
+	ret = ENOMEM;
+    else {
+	ret = get_cred_kdc_la(context, ccache, flags, 
+				      in_creds, tgt, *out_creds);
+	if (ret)
+	    free (*out_creds);
+    }
+    krb5_free_creds(context, tgt);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_cred_from_kdc(krb5_context context,
+		       krb5_ccache ccache,
+		       krb5_creds *in_creds,
+		       krb5_creds **out_creds,
+		       krb5_creds ***ret_tgts)
+{
+    krb5_kdc_flags f;
+    f.i = 0;
+    return get_cred_from_kdc_flags(context, f, ccache, 
+				   in_creds, out_creds, ret_tgts);
+}
+     
+
+krb5_error_code
+krb5_get_credentials_with_flags(krb5_context context,
+				krb5_flags options,
+				krb5_kdc_flags flags,
+				krb5_ccache ccache,
+				krb5_creds *in_creds,
+				krb5_creds **out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds **tgts;
+    int i;
+    
+    *out_creds = calloc(1, sizeof(**out_creds));
+    if (*out_creds == NULL)
+	return ENOMEM;
+
+    ret = krb5_cc_retrieve_cred(context,
+				ccache,
+				in_creds->session.keytype ?
+				KRB5_TC_MATCH_KEYTYPE : 0,
+				in_creds, *out_creds);
+    if(ret == 0)
+	return 0;
+    free(*out_creds);
+    if(ret != KRB5_CC_END)
+	return ret;
+    if(options & KRB5_GC_CACHED)
+	return KRB5_CC_NOTFOUND;
+    if(options & KRB5_GC_USER_USER)
+	flags.b.enc_tkt_in_skey = 1;
+    tgts = NULL;
+    ret = get_cred_from_kdc_flags(context, flags, ccache, 
+				  in_creds, out_creds, &tgts);
+    for(i = 0; tgts && tgts[i]; i++){
+	krb5_cc_store_cred(context, ccache, tgts[i]);
+	krb5_free_creds(context, tgts[i]);
+    }
+    free(tgts);
+    if(ret == 0 && flags.b.enc_tkt_in_skey == 0)
+	krb5_cc_store_cred(context, ccache, *out_creds);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_credentials(krb5_context context,
+		     krb5_flags options,
+		     krb5_ccache ccache,
+		     krb5_creds *in_creds,
+		     krb5_creds **out_creds)
+{
+    krb5_kdc_flags flags;
+    flags.i = 0;
+    return krb5_get_credentials_with_flags(context, options, flags,
+					   ccache, in_creds, out_creds);
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_principal.c b/crypto/heimdal/lib/krb5/get_default_principal.c
new file mode 100644
index 0000000..84d7a5e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_default_principal.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_default_principal.c,v 1.5 1999/12/02 17:05:09 joda Exp $");
+
+/*
+ * Try to find out what's a reasonable default principal.
+ */
+
+krb5_error_code
+krb5_get_default_principal (krb5_context context,
+			    krb5_principal *princ)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    const char *user;
+
+    ret = krb5_cc_default (context, &id);
+    if (ret == 0) {
+	ret = krb5_cc_get_principal (context, id, princ);
+	krb5_cc_close (context, id);
+	if (ret == 0)
+	    return 0;
+    }
+
+    user = get_default_username ();
+    if (user == NULL)
+	return ENOTTY;
+    if (getuid () == 0) {
+	ret = krb5_make_principal(context, princ, NULL, user, "root", NULL);
+    } else {
+	ret = krb5_make_principal(context, princ, NULL, user, NULL);
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_realm.c b/crypto/heimdal/lib/krb5/get_default_realm.c
new file mode 100644
index 0000000..3f9b901
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_default_realm.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_default_realm.c,v 1.8 1999/12/02 17:05:09 joda Exp $");
+
+/*
+ * Return a NULL-terminated list of default realms in `realms'.
+ * Free this memory with krb5_free_host_realm.
+ */
+
+krb5_error_code
+krb5_get_default_realms (krb5_context context,
+			 krb5_realm **realms)
+{
+    if (context->default_realms == NULL) {
+	krb5_error_code ret = krb5_set_default_realm (context, NULL);
+	if (ret)
+	    return KRB5_CONFIG_NODEFREALM;
+    }
+
+    return krb5_copy_host_realm (context,
+				 context->default_realms,
+				 realms);
+}
+
+/*
+ * Return the first default realm.  For compatability.
+ */
+
+krb5_error_code
+krb5_get_default_realm(krb5_context context,
+		       krb5_realm *realm)
+{
+    char *res;
+
+    if (context->default_realms == NULL
+	|| context->default_realms[0] == NULL) {
+	krb5_error_code ret = krb5_set_default_realm (context, NULL);
+	if (ret)
+	    return KRB5_CONFIG_NODEFREALM;
+    }
+
+    res = strdup (context->default_realms[0]);
+    if (res == NULL)
+	return ENOMEM;
+    *realm = res;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c
new file mode 100644
index 0000000..977515f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_for_creds.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_for_creds.c,v 1.21 1999/12/20 00:57:37 assar Exp $");
+
+static krb5_error_code
+add_addrs(krb5_context context,
+	  krb5_addresses *addr,
+	  struct addrinfo *ai)
+{
+    krb5_error_code ret;
+    unsigned n, i;
+    void *tmp;
+    struct addrinfo *a;
+
+    n = 0;
+    for (a = ai; a != NULL; a = a->ai_next)
+	++n;
+
+    i = addr->len;
+    addr->len += n;
+    tmp = realloc(addr->val, addr->len * sizeof(*addr->val));
+    if (tmp == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+    addr->val = tmp;
+    for (a = ai; a != NULL; a = a->ai_next) {
+	ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i++]);
+	if (ret)
+	    goto fail;
+    }
+    return 0;
+fail:
+    krb5_free_addresses (context, addr);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_fwd_tgt_creds (krb5_context	context,
+		    krb5_auth_context	auth_context,
+		    const char		*hostname,
+		    krb5_principal	client,
+		    krb5_principal	server,
+		    krb5_ccache		ccache,
+		    int			forwardable,
+		    krb5_data		*out_data)
+{
+    krb5_flags flags = 0;
+    krb5_creds creds;
+    krb5_error_code ret;
+
+    flags |= KDC_OPT_FORWARDED;
+
+    if (forwardable)
+	flags |= KDC_OPT_FORWARDABLE;
+
+    
+    memset (&creds, 0, sizeof(creds));
+    creds.client = client;
+    creds.server = server;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags,
+				    hostname,
+				    &creds,
+				    out_data);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_get_forwarded_creds (krb5_context	    context,
+			  krb5_auth_context auth_context,
+			  krb5_ccache       ccache,
+			  krb5_flags        flags,
+			  const char        *hostname,
+			  krb5_creds        *in_creds,
+			  krb5_data         *out_data)
+{
+    krb5_error_code ret;
+    krb5_creds *out_creds;
+    krb5_addresses addrs;
+    KRB_CRED cred;
+    KrbCredInfo *krb_cred_info;
+    EncKrbCredPart enc_krb_cred_part;
+    size_t len;
+    u_char buf[1024];
+    int32_t sec, usec;
+    krb5_kdc_flags kdc_flags;
+    krb5_crypto crypto;
+    struct addrinfo *ai;
+
+    addrs.len = 0;
+    addrs.val = NULL;
+
+    ret = getaddrinfo (hostname, NULL, NULL, &ai);
+    if (ret)
+	return ret;
+
+    ret = add_addrs (context, &addrs, ai);
+    freeaddrinfo (ai);
+    if (ret)
+	return ret;
+
+    kdc_flags.i = flags;
+
+    ret = krb5_get_kdc_cred (context,
+			     ccache,
+			     kdc_flags,
+			     &addrs,
+			     NULL,
+			     in_creds,
+			     &out_creds);
+    krb5_free_addresses (context, &addrs);
+    if (ret) {
+	return ret;
+    }
+
+    memset (&cred, 0, sizeof(cred));
+    cred.pvno = 5;
+    cred.msg_type = krb_cred;
+    ALLOC_SEQ(&cred.tickets, 1);
+    if (cred.tickets.val == NULL) {
+	ret = ENOMEM;
+	goto out2;
+    }
+    ret = decode_Ticket(out_creds->ticket.data,
+			out_creds->ticket.length,
+			cred.tickets.val, &len);
+    if (ret)
+	goto out3;
+
+    memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+    ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
+    if (enc_krb_cred_part.ticket_info.val == NULL) {
+	ret = ENOMEM;
+	goto out4;
+    }
+    
+    krb5_us_timeofday (context, &sec, &usec);
+
+    ALLOC(enc_krb_cred_part.timestamp, 1);
+    if (enc_krb_cred_part.timestamp == NULL) {
+	ret = ENOMEM;
+	goto out4;
+    }
+    *enc_krb_cred_part.timestamp = sec;
+    ALLOC(enc_krb_cred_part.usec, 1);
+    if (enc_krb_cred_part.usec == NULL) {
+ 	ret = ENOMEM;
+	goto out4;
+    }
+    *enc_krb_cred_part.usec      = usec;
+
+    ret = krb5_make_addrport (&enc_krb_cred_part.s_address,
+			      auth_context->local_address,
+			      auth_context->local_port);
+    if (ret)
+	goto out4;
+
+    ALLOC(enc_krb_cred_part.r_address, 1);
+    if (enc_krb_cred_part.r_address == NULL) {
+	ret = ENOMEM;
+	goto out4;
+    }
+
+    ret = krb5_copy_address (context, auth_context->remote_address,
+			     enc_krb_cred_part.r_address);
+    if (ret)
+	goto out4;
+
+    /* fill ticket_info.val[0] */
+
+    enc_krb_cred_part.ticket_info.len = 1;
+
+    krb_cred_info = enc_krb_cred_part.ticket_info.val;
+
+    copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
+    ALLOC(krb_cred_info->prealm, 1);
+    copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
+    ALLOC(krb_cred_info->pname, 1);
+    copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
+    ALLOC(krb_cred_info->flags, 1);
+    *krb_cred_info->flags          = out_creds->flags.b;
+    ALLOC(krb_cred_info->authtime, 1);
+    *krb_cred_info->authtime       = out_creds->times.authtime;
+    ALLOC(krb_cred_info->starttime, 1);
+    *krb_cred_info->starttime      = out_creds->times.starttime;
+    ALLOC(krb_cred_info->endtime, 1);
+    *krb_cred_info->endtime        = out_creds->times.endtime;
+    ALLOC(krb_cred_info->renew_till, 1);
+    *krb_cred_info->renew_till = out_creds->times.renew_till;
+    ALLOC(krb_cred_info->srealm, 1);
+    copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
+    ALLOC(krb_cred_info->sname, 1);
+    copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
+    ALLOC(krb_cred_info->caddr, 1);
+    copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
+
+    krb5_free_creds (context, out_creds);
+
+    /* encode EncKrbCredPart */
+
+    ret = krb5_encode_EncKrbCredPart (context,
+				      buf + sizeof(buf) - 1, sizeof(buf),
+				      &enc_krb_cred_part, &len);
+    free_EncKrbCredPart (&enc_krb_cred_part);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }    
+
+    krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto);
+    ret = krb5_encrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_KRB_CRED,
+				      buf + sizeof(buf) - len,
+				      len,
+				      0,
+				      &cred.enc_part);
+    krb5_crypto_destroy(context, crypto);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }
+
+    ret = encode_KRB_CRED (buf + sizeof(buf) - 1, sizeof(buf),
+			   &cred, &len);
+    free_KRB_CRED (&cred);
+    if (ret)
+	return ret;
+    out_data->length = len;
+    out_data->data   = malloc(len);
+    if (out_data->data == NULL)
+	return ENOMEM;
+    memcpy (out_data->data, buf + sizeof(buf) - len, len);
+    return 0;
+out4:
+    free_EncKrbCredPart(&enc_krb_cred_part);
+out3:
+    free_KRB_CRED(&cred);
+out2:
+    krb5_free_creds (context, out_creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_host_realm.c b/crypto/heimdal/lib/krb5/get_host_realm.c
new file mode 100644
index 0000000..e8522cb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_host_realm.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <resolve.h>
+
+RCSID("$Id: get_host_realm.c,v 1.25 1999/12/11 23:14:07 assar Exp $");
+
+/* To automagically find the correct realm of a host (without
+ * [domain_realm] in krb5.conf) add a text record for your domain with
+ * the name of your realm, like this:
+ *
+ * krb5-realm	IN	TXT	FOO.SE
+ *
+ * The search is recursive, so you can add entries for specific
+ * hosts. To find the realm of host a.b.c, it first tries
+ * krb5-realm.a.b.c, then krb5-realm.b.c and so on.
+ *
+ * Also supported is _kerberos (following draft-ietf-cat-krb-dns-locate-01.txt)
+ *
+ */
+
+static int
+copy_txt_to_realms (struct resource_record *head,
+		    krb5_realm **realms)
+{
+    struct resource_record *rr;
+    int n, i;
+
+    for(n = 0, rr = head; rr; rr = rr->next)
+	if (rr->type == T_TXT)
+	    ++n;
+
+    if (n == 0)
+	return -1;
+
+    *realms = malloc ((n + 1) * sizeof(krb5_realm));
+    if (*realms == NULL)
+	return -1;
+
+    for (i = 0; i < n + 1; ++i)
+	(*realms)[i] = NULL;
+
+    for (i = 0, rr = head; rr; rr = rr->next) {
+	if (rr->type == T_TXT) {
+	    char *tmp;
+
+	    tmp = strdup(rr->u.txt);
+	    if (tmp == NULL) {
+		for (i = 0; i < n; ++i)
+		    free ((*realms)[i]);
+		free (*realms);
+		return -1;
+	    }
+	    (*realms)[i] = tmp;
+	    ++i;
+	}
+    }
+    return 0;
+}
+
+static int
+dns_find_realm(krb5_context context,
+	       const char *domain,
+	       const char *dom_string,
+	       krb5_realm **realms)
+{
+    char dom[MAXHOSTNAMELEN];
+    struct dns_reply *r;
+    int ret;
+    
+    if(*domain == '.')
+	domain++;
+    snprintf(dom, sizeof(dom), "%s.%s.", dom_string, domain);
+    r = dns_lookup(dom, "TXT");
+    if(r == NULL)
+	return -1;
+
+    ret = copy_txt_to_realms (r->head, realms);
+    dns_free_data(r);
+    return ret;
+}
+
+/*
+ * Try to figure out what realms host in `domain' belong to from the
+ * configuration file.
+ */
+
+static int
+config_find_realm(krb5_context context, 
+		  const char *domain, 
+		  krb5_realm **realms)
+{
+    char **tmp = krb5_config_get_strings (context, NULL,
+					  "domain_realm",
+					  domain,
+					  NULL);
+
+    if (tmp == NULL)
+	return -1;
+    *realms = tmp;
+    return 0;
+}
+
+/*
+ * This function assumes that `host' is a FQDN (and doesn't handle the
+ * special case of host == NULL either).
+ * Try to find mapping in the config file or DNS and it that fails,
+ * fall back to guessing
+ */
+
+krb5_error_code
+krb5_get_host_realm_int (krb5_context context,
+			 const char *host,
+			 krb5_realm **realms)
+{
+    const char *p;
+
+    for (p = host; p != NULL; p = strchr (p + 1, '.')) {
+	if(config_find_realm(context, p, realms) == 0)
+	    return 0;
+	else if(dns_find_realm(context, p, "krb5-realm", realms) == 0)
+	    return 0;
+	else if(dns_find_realm(context, p, "_kerberos", realms) == 0)
+	    return 0;
+    }
+    p = strchr(host, '.');
+    if(p != NULL) {
+	p++;
+	*realms = malloc(2 * sizeof(krb5_realm));
+	if (*realms == NULL)
+	    return ENOMEM;
+
+	(*realms)[0] = strdup(p);
+	if((*realms)[0] == NULL) {
+	    free(*realms);
+	    return ENOMEM;
+	}
+	strupr((*realms)[0]);
+	(*realms)[1] = NULL;
+	return 0;
+    }
+    return KRB5_ERR_HOST_REALM_UNKNOWN;
+}
+
+/*
+ * Return the realm(s) of `host' as a NULL-terminated list in `realms'.
+ */
+
+krb5_error_code
+krb5_get_host_realm(krb5_context context,
+		    const char *host,
+		    krb5_realm **realms)
+{
+    char hostname[MAXHOSTNAMELEN];
+
+    if (host == NULL) {
+	if (gethostname (hostname, sizeof(hostname)))
+	    return errno;
+	host = hostname;
+    }
+
+    return krb5_get_host_realm_int (context, host, realms);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c
new file mode 100644
index 0000000..e043d1d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt.c
@@ -0,0 +1,794 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt.c,v 1.94 2000/02/06 05:18:20 assar Exp $");
+
+krb5_error_code
+krb5_init_etype (krb5_context context,
+		 unsigned *len,
+		 int **val,
+		 const krb5_enctype *etypes)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_enctype *tmp;
+
+    ret = 0;
+    if (etypes)
+	tmp = (krb5_enctype*)etypes;
+    else {
+	ret = krb5_get_default_in_tkt_etypes(context,
+					     &tmp);
+	if (ret)
+	    return ret;
+    }
+
+    for (i = 0; tmp[i]; ++i)
+	;
+    *len = i;
+    *val = malloc(i * sizeof(int));
+    if (i != 0 && *val == NULL) {
+	ret = ENOMEM;
+	goto cleanup;
+    }
+    memmove (*val,
+	     tmp,
+	     i * sizeof(*tmp));
+cleanup:
+    if (etypes == NULL)
+	free (tmp);
+    return ret;
+}
+
+
+static krb5_error_code
+decrypt_tkt (krb5_context context,
+	     krb5_keyblock *key,
+	     krb5_key_usage usage,
+	     krb5_const_pointer decrypt_arg,
+	     krb5_kdc_rep *dec_rep)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    size_t size;
+    krb5_crypto crypto;
+
+    krb5_crypto_init(context, key, 0, &crypto);
+
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage,
+				      &dec_rep->kdc_rep.enc_part,
+				      &data);
+    krb5_crypto_destroy(context, crypto);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_EncASRepPart(context,
+				   data.data,
+				   data.length,
+				   &dec_rep->enc_part, 
+				   &size);
+    if (ret)
+	ret = krb5_decode_EncTGSRepPart(context,
+					data.data,
+					data.length,
+					&dec_rep->enc_part, 
+					&size);
+    krb5_data_free (&data);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+int
+_krb5_extract_ticket(krb5_context context, 
+		     krb5_kdc_rep *rep, 
+		     krb5_creds *creds,		
+		     krb5_keyblock *key,
+		     krb5_const_pointer keyseed,
+		     krb5_key_usage key_usage,
+		     krb5_addresses *addrs,
+		     unsigned nonce,
+		     krb5_boolean allow_server_mismatch,
+		     krb5_decrypt_proc decrypt_proc,
+		     krb5_const_pointer decryptarg)
+{
+    krb5_error_code ret;
+    krb5_principal tmp_principal;
+    int tmp;
+    time_t tmp_time;
+    krb5_timestamp sec_now;
+
+    /* compare client */
+
+    ret = principalname2krb5_principal (&tmp_principal,
+					rep->kdc_rep.cname,
+					rep->kdc_rep.crealm);
+    if (ret)
+	goto out;
+    tmp = krb5_principal_compare (context, tmp_principal, creds->client);
+    krb5_free_principal (context, tmp_principal);
+    if (!tmp) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+    
+    /* extract ticket */
+    {
+	unsigned char *buf;
+	size_t len;
+	len = length_Ticket(&rep->kdc_rep.ticket);
+	buf = malloc(len);
+	if(buf == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	encode_Ticket(buf + len - 1, len, &rep->kdc_rep.ticket, &len);
+	creds->ticket.data = buf;
+	creds->ticket.length = len;
+	creds->second_ticket.length = 0;
+	creds->second_ticket.data   = NULL;
+    }
+
+    /* compare server */
+
+    ret = principalname2krb5_principal (&tmp_principal,
+					rep->kdc_rep.ticket.sname,
+					rep->kdc_rep.ticket.realm);
+    if (ret)
+	goto out;
+    if(allow_server_mismatch){
+	krb5_free_principal(context, creds->server);
+	creds->server = tmp_principal;
+	tmp_principal = NULL;
+    }else{
+	tmp = krb5_principal_compare (context, tmp_principal, creds->server);
+	krb5_free_principal (context, tmp_principal);
+	if (!tmp) {
+	    ret = KRB5KRB_AP_ERR_MODIFIED;
+	    goto out;
+	}
+    }
+    
+    /* decrypt */
+
+    if (decrypt_proc == NULL)
+	decrypt_proc = decrypt_tkt;
+    
+    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+    if (ret)
+	goto out;
+
+#if 0
+    /* XXX should this decode be here, or in the decrypt_proc? */
+    ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+    if(ret)
+	goto out;
+#endif
+
+    /* compare nonces */
+
+    if (nonce != rep->enc_part.nonce) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    /* set kdc-offset */
+
+    krb5_timeofday (context, &sec_now);
+    if (context->kdc_sec_offset == 0
+	&& krb5_config_get_bool (context, NULL,
+				 "libdefaults",
+				 "kdc_timesync",
+				 NULL)) {
+	context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
+	krb5_timeofday (context, &sec_now);
+    }
+
+    /* check all times */
+
+    if (rep->enc_part.starttime) {
+	tmp_time = *rep->enc_part.starttime;
+    } else
+	tmp_time = rep->enc_part.authtime;
+
+    if (creds->times.starttime == 0
+	&& abs(tmp_time - sec_now) > context->max_skew) {
+	ret = KRB5KRB_AP_ERR_SKEW;
+	goto out;
+    }
+
+    if (creds->times.starttime != 0
+	&& tmp_time != creds->times.starttime) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.starttime = tmp_time;
+
+    if (rep->enc_part.renew_till) {
+	tmp_time = *rep->enc_part.renew_till;
+    } else
+	tmp_time = 0;
+
+    if (creds->times.renew_till != 0
+	&& tmp_time > creds->times.renew_till) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.renew_till = tmp_time;
+
+    creds->times.authtime = rep->enc_part.authtime;
+
+    if (creds->times.endtime != 0
+	&& rep->enc_part.endtime > creds->times.endtime) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.endtime  = rep->enc_part.endtime;
+
+    if(rep->enc_part.caddr)
+	krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
+    else if(addrs)
+	krb5_copy_addresses (context, addrs, &creds->addresses);
+    else {
+	creds->addresses.len = 0;
+	creds->addresses.val = NULL;
+    }
+    creds->flags.b = rep->enc_part.flags;
+	  
+    creds->authdata.len = 0;
+    creds->authdata.val = NULL;
+    creds->session.keyvalue.length = 0;
+    creds->session.keyvalue.data   = NULL;
+    creds->session.keytype = rep->enc_part.key.keytype;
+    ret = krb5_data_copy (&creds->session.keyvalue,
+			  rep->enc_part.key.keyvalue.data,
+			  rep->enc_part.key.keyvalue.length);
+
+out:
+    memset (rep->enc_part.key.keyvalue.data, 0,
+	    rep->enc_part.key.keyvalue.length);
+    return ret;
+}
+
+
+static krb5_error_code
+make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, 
+		      krb5_enctype etype, krb5_keyblock *key)
+{
+    PA_ENC_TS_ENC p;
+    u_char buf[1024];
+    size_t len;
+    EncryptedData encdata;
+    krb5_error_code ret;
+    int32_t sec, usec;
+    int usec2;
+    krb5_crypto crypto;
+    
+    krb5_us_timeofday (context, &sec, &usec);
+    p.patimestamp = sec;
+    usec2         = usec;
+    p.pausec      = &usec2;
+
+    ret = encode_PA_ENC_TS_ENC(buf + sizeof(buf) - 1,
+			       sizeof(buf),
+			       &p,
+			       &len);
+    if (ret)
+	return ret;
+
+    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_encrypt_EncryptedData(context, 
+				     crypto,
+				     KRB5_KU_PA_ENC_TIMESTAMP,
+				     buf + sizeof(buf) - len,
+				     len,
+				     0,
+				     &encdata);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+		    
+    ret = encode_EncryptedData(buf + sizeof(buf) - 1,
+			       sizeof(buf),
+			       &encdata, 
+			       &len);
+    free_EncryptedData(&encdata);
+    if (ret)
+	return ret;
+    pa->padata_type = pa_enc_timestamp;
+    pa->padata_value.length = 0;
+    krb5_data_copy(&pa->padata_value,
+		   buf + sizeof(buf) - len,
+		   len);
+    return 0;
+}
+
+static krb5_error_code
+add_padata(krb5_context context,
+	   METHOD_DATA *md, 
+	   krb5_principal client,
+	   krb5_key_proc key_proc,
+	   krb5_const_pointer keyseed,
+	   int *enctypes, 
+	   unsigned netypes,
+	   krb5_salt *salt)
+{
+    krb5_error_code ret;
+    PA_DATA *pa2;
+    krb5_salt salt2;
+    int *ep;
+    int i;
+    
+    if(salt == NULL) {
+	/* default to standard salt */
+	ret = krb5_get_pw_salt (context, client, &salt2);
+	salt = &salt2;
+    }
+    if (!enctypes) {
+	enctypes = (int *)context->etypes; /* XXX */
+	netypes = 0;
+	for (ep = enctypes; *ep != ETYPE_NULL; ep++)
+	    netypes++;
+    }
+    pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
+    if (pa2 == NULL)
+	return ENOMEM;
+    md->val = pa2;
+
+    for (i = 0; i < netypes; ++i) {
+	krb5_keyblock *key;
+
+	ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
+	if (ret)
+	    continue;
+	ret = make_pa_enc_timestamp (context, &md->val[md->len],
+				     enctypes[i], key);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    return ret;
+	++md->len;
+    }
+    if(salt == &salt2)
+	krb5_free_salt(context, salt2);
+    return 0;
+}
+
+static krb5_error_code
+init_as_req (krb5_context context,
+	     krb5_kdc_flags opts,
+	     krb5_creds *creds,
+	     const krb5_addresses *addrs,
+	     const krb5_enctype *etypes,
+	     const krb5_preauthtype *ptypes,
+	     const krb5_preauthdata *preauth,
+	     krb5_key_proc key_proc,
+	     krb5_const_pointer keyseed,
+	     unsigned nonce,
+	     AS_REQ *a)
+{
+    krb5_error_code ret;
+    krb5_salt salt;
+
+    memset(a, 0, sizeof(*a));
+
+    a->pvno = 5;
+    a->msg_type = krb_as_req;
+    a->req_body.kdc_options = opts.b;
+    a->req_body.cname = malloc(sizeof(*a->req_body.cname));
+    if (a->req_body.cname == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+    a->req_body.sname = malloc(sizeof(*a->req_body.sname));
+    if (a->req_body.sname == NULL) {
+	ret = ENOMEM;
+	goto fail;
+    }
+    ret = krb5_principal2principalname (a->req_body.cname, creds->client);
+    if (ret)
+	goto fail;
+    ret = krb5_principal2principalname (a->req_body.sname, creds->server);
+    if (ret)
+	goto fail;
+    ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
+    if (ret)
+	goto fail;
+
+    if(creds->times.starttime) {
+	a->req_body.from = malloc(sizeof(*a->req_body.from));
+	if (a->req_body.from == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	*a->req_body.from = creds->times.starttime;
+    }
+    if(creds->times.endtime){
+	ALLOC(a->req_body.till, 1);
+	*a->req_body.till = creds->times.endtime;
+    }
+    if(creds->times.renew_till){
+	a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
+	if (a->req_body.rtime == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	*a->req_body.rtime = creds->times.renew_till;
+    }
+    a->req_body.nonce = nonce;
+    ret = krb5_init_etype (context,
+			   &a->req_body.etype.len,
+			   &a->req_body.etype.val,
+			   etypes);
+    if (ret)
+	goto fail;
+
+    /*
+     * This means no addresses
+     */
+
+    if (addrs && addrs->len == 0) {
+	a->req_body.addresses = NULL;
+    } else {
+	a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
+	if (a->req_body.addresses == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+
+	if (addrs)
+	    ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
+	else
+	    ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
+	if (ret)
+	    return ret;
+    }
+
+    a->req_body.enc_authorization_data = NULL;
+    a->req_body.additional_tickets = NULL;
+
+    if(preauth != NULL) {
+	int i;
+	ALLOC(a->padata, 1);
+	if(a->padata == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	for(i = 0; i < preauth->len; i++) {
+	    if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
+		int j;
+		PA_DATA *tmp = realloc(a->padata->val, 
+				       (a->padata->len + 
+					preauth->val[i].info.len) * 
+				       sizeof(*a->padata->val));
+		if(tmp == NULL) {
+		    ret = ENOMEM;
+		    goto fail;
+		}
+		a->padata->val = tmp;
+		for(j = 0; j < preauth->val[i].info.len; j++) {
+		    krb5_salt *sp = &salt;
+		    if(preauth->val[i].info.val[j].salttype)
+			salt.salttype = *preauth->val[i].info.val[j].salttype;
+		    else
+			salt.salttype = KRB5_PW_SALT;
+		    if(preauth->val[i].info.val[j].salt)
+			salt.saltvalue = *preauth->val[i].info.val[j].salt;
+		    else
+			if(salt.salttype == KRB5_PW_SALT)
+			    sp = NULL;
+			else
+			    krb5_data_zero(&salt.saltvalue);
+		    add_padata(context, a->padata, creds->client, 
+			       key_proc, keyseed, 
+			       &preauth->val[i].info.val[j].etype, 1,
+			       sp);
+		}
+	    }
+	}
+    } else 
+    /* not sure this is the way to use `ptypes' */
+    if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
+	a->padata = NULL;
+    else if (*ptypes ==  KRB5_PADATA_ENC_TIMESTAMP) {
+	ALLOC(a->padata, 1);
+	if (a->padata == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	a->padata->len = 0;
+	a->padata->val = NULL;
+
+	/* make a v5 salted pa-data */
+	add_padata(context, a->padata, creds->client, 
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, NULL);
+	
+	/* make a v4 salted pa-data */
+	salt.salttype = KRB5_PW_SALT;
+	krb5_data_zero(&salt.saltvalue);
+	add_padata(context, a->padata, creds->client, 
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, &salt);
+    } else {
+	ret = KRB5_PREAUTH_BAD_TYPE;
+	goto fail;
+    }
+    return 0;
+fail:
+    free_AS_REQ(a);
+    return ret;
+}
+
+static int
+set_ptypes(krb5_context context,
+	   KRB_ERROR *error, 
+	   krb5_preauthtype **ptypes,
+	   krb5_preauthdata **preauth)
+{
+    static krb5_preauthdata preauth2;
+    static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
+
+    if(error->e_data) {
+	METHOD_DATA md;
+	int i;
+	decode_METHOD_DATA(error->e_data->data, 
+			   error->e_data->length, 
+			   &md, 
+			   NULL);
+	for(i = 0; i < md.len; i++){
+	    switch(md.val[i].padata_type){
+	    case pa_enc_timestamp:
+		*ptypes = ptypes2;
+		break;
+	    case pa_etype_info:
+		*preauth = &preauth2;
+		ALLOC_SEQ(*preauth, 1);
+		(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
+		krb5_decode_ETYPE_INFO(context,
+				       md.val[i].padata_value.data, 
+				       md.val[i].padata_value.length,
+				       &(*preauth)->val[0].info,
+				       NULL);
+		break;
+	    }
+	}
+	free_METHOD_DATA(&md);
+    } else {
+	*ptypes = ptypes2;
+    }
+    return(1);
+}
+
+krb5_error_code
+krb5_get_in_cred(krb5_context context,
+		 krb5_flags options,
+		 const krb5_addresses *addrs,
+		 const krb5_enctype *etypes,
+		 const krb5_preauthtype *ptypes,
+		 const krb5_preauthdata *preauth,
+		 krb5_key_proc key_proc,
+		 krb5_const_pointer keyseed,
+		 krb5_decrypt_proc decrypt_proc,
+		 krb5_const_pointer decryptarg,
+		 krb5_creds *creds,
+		 krb5_kdc_rep *ret_as_reply)
+{
+    krb5_error_code ret;
+    AS_REQ a;
+    krb5_kdc_rep rep;
+    krb5_data req, resp;
+    char buf[BUFSIZ];
+    krb5_salt salt;
+    krb5_keyblock *key;
+    size_t size;
+    krb5_kdc_flags opts;
+    PA_DATA *pa;
+    krb5_enctype etype;
+    krb5_preauthdata *my_preauth = NULL;
+    unsigned nonce;
+    int done;
+
+    opts.i = options;
+
+    krb5_generate_random_block (&nonce, sizeof(nonce));
+    nonce &= 0xffffffff;
+
+    do {
+	done = 1;
+	ret = init_as_req (context,
+			   opts,
+			   creds,
+			   addrs,
+			   etypes,
+			   ptypes,
+			   preauth,
+			   key_proc,
+			   keyseed,
+			   nonce,
+			   &a);
+	if (my_preauth) {
+	    free_ETYPE_INFO(&my_preauth->val[0].info);
+	    free (my_preauth->val);
+	}
+	if (ret)
+	    return ret;
+
+	ret = encode_AS_REQ ((unsigned char*)buf + sizeof(buf) - 1,
+			     sizeof(buf),
+			     &a,
+			     &req.length);
+	free_AS_REQ(&a);
+	if (ret)
+	    return ret;
+
+	req.data = buf + sizeof(buf) - req.length;
+
+	ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
+	if (ret)
+	    return ret;
+
+	memset (&rep, 0, sizeof(rep));
+	ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
+	if(ret) {
+	    /* let's try to parse it as a KRB-ERROR */
+	    KRB_ERROR error;
+	    int ret2;
+
+	    ret2 = krb5_rd_error(context, &resp, &error);
+	    if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
+		ret = KRB5KRB_AP_ERR_V4_REPLY;
+	    krb5_data_free(&resp);
+	    if (ret2 == 0) {
+		ret = error.error_code;
+		/* if no preauth was set and KDC requires it, give it
+                   one more try */
+		if (!ptypes && !preauth
+		    && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
+#if 0
+			|| ret == KRB5KDC_ERR_BADOPTION
+#endif
+		    && set_ptypes(context, &error, &ptypes, &my_preauth)) {
+		    done = 0;
+		    preauth = my_preauth;
+		    free_KRB_ERROR(&error);
+		    continue;
+		}
+		if(ret_as_reply)
+		    ret_as_reply->error = error;
+		else
+		    free_KRB_ERROR (&error);
+		return ret;
+	    }
+	    return ret;
+	}
+	krb5_data_free(&resp);
+    } while(!done);
+    
+    pa = NULL;
+    etype = rep.kdc_rep.enc_part.etype;
+    if(rep.kdc_rep.padata){
+	int index = 0;
+	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, 
+			      pa_pw_salt, &index);
+	if(pa == NULL) {
+	    index = 0;
+	    pa = krb5_find_padata(rep.kdc_rep.padata->val, 
+				  rep.kdc_rep.padata->len, 
+				  pa_afs3_salt, &index);
+	}
+    }
+    if(pa) {
+	salt.salttype = pa->padata_type;
+	salt.saltvalue = pa->padata_value;
+	
+	ret = (*key_proc)(context, etype, salt, keyseed, &key);
+    } else {
+	/* make a v5 salted pa-data */
+	ret = krb5_get_pw_salt (context, creds->client, &salt);
+	
+	if (ret)
+	    goto out;
+	ret = (*key_proc)(context, etype, salt, keyseed, &key);
+	krb5_free_salt(context, salt);
+    }
+    if (ret)
+	goto out;
+	
+    ret = _krb5_extract_ticket(context, 
+			       &rep, 
+			       creds, 
+			       key, 
+			       keyseed, 
+			       KRB5_KU_AS_REP_ENC_PART,
+			       NULL, 
+			       nonce, 
+			       FALSE, 
+			       decrypt_proc, 
+			       decryptarg);
+    memset (key->keyvalue.data, 0, key->keyvalue.length);
+    krb5_free_keyblock_contents (context, key);
+    free (key);
+
+out:
+    if (ret == 0 && ret_as_reply)
+	*ret_as_reply = rep;
+    else
+	krb5_free_kdc_rep (context, &rep);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt(krb5_context context,
+		krb5_flags options,
+		const krb5_addresses *addrs,
+		const krb5_enctype *etypes,
+		const krb5_preauthtype *ptypes,
+		krb5_key_proc key_proc,
+		krb5_const_pointer keyseed,
+		krb5_decrypt_proc decrypt_proc,
+		krb5_const_pointer decryptarg,
+		krb5_creds *creds,
+		krb5_ccache ccache,
+		krb5_kdc_rep *ret_as_reply)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags opts;
+    opts.i = 0;
+    opts.b = int2KDCOptions(options);
+    
+    ret = krb5_get_in_cred (context,
+			    opts.i,
+			    addrs,
+			    etypes,
+			    ptypes,
+			    NULL,
+			    key_proc,
+			    keyseed,
+			    decrypt_proc,
+			    decryptarg,
+			    creds,
+			    ret_as_reply);
+    if(ret) 
+	return ret;
+    ret = krb5_cc_store_cred (context, ccache, creds);
+    krb5_free_creds_contents (context, creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
new file mode 100644
index 0000000..4fb8800
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_pw.c,v 1.15 1999/12/02 17:05:10 joda Exp $");
+
+krb5_error_code
+krb5_password_key_proc (krb5_context context,
+			krb5_enctype type,
+			krb5_salt salt,
+			krb5_const_pointer keyseed,
+			krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    const char *password = (const char *)keyseed;
+    char buf[BUFSIZ];
+     
+    *key = malloc (sizeof (**key));
+    if (*key == NULL)
+	return ENOMEM;
+    if (password == NULL) {
+	if(des_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
+	    free (*key);
+	    return KRB5_LIBOS_PWDINTR;
+	}
+	password = buf;
+    }
+    ret = krb5_string_to_key_salt (context, type, password, salt, *key);
+    memset (buf, 0, sizeof(buf));
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_password (krb5_context context,
+			       krb5_flags options,
+			       krb5_addresses *addrs,
+			       const krb5_enctype *etypes,
+			       const krb5_preauthtype *pre_auth_types,
+			       const char *password,
+			       krb5_ccache ccache,
+			       krb5_creds *creds,
+			       krb5_kdc_rep *ret_as_reply)
+{
+     return krb5_get_in_tkt (context,
+			     options,
+			     addrs,
+			     etypes,
+			     pre_auth_types,
+			     krb5_password_key_proc,
+			     password,
+			     NULL,
+			     NULL,
+			     creds,
+			     ccache,
+			     ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
new file mode 100644
index 0000000..d78ef35
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_with_keytab.c,v 1.5 1999/12/02 17:05:10 joda Exp $");
+
+krb5_error_code
+krb5_keytab_key_proc (krb5_context context,
+		      krb5_enctype enctype,
+		      krb5_salt salt,
+		      krb5_const_pointer keyseed,
+		      krb5_keyblock **key)
+{
+    krb5_keytab_key_proc_args *args  = (krb5_keytab_key_proc_args *)keyseed;
+    krb5_keytab keytab = args->keytab;
+    krb5_principal principal  = args->principal;
+    krb5_error_code ret;
+    krb5_keytab real_keytab;
+    krb5_keytab_entry entry;
+
+    if(keytab == NULL)
+	krb5_kt_default(context, &real_keytab);
+    else
+	real_keytab = keytab;
+
+    ret = krb5_kt_get_entry (context, real_keytab, principal,
+			     0, enctype, &entry);
+
+    if (keytab == NULL)
+	krb5_kt_close (context, real_keytab);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+    krb5_kt_free_entry(context, &entry);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_keytab (krb5_context context,
+			     krb5_flags options,
+			     krb5_addresses *addrs,
+			     const krb5_enctype *etypes,
+			     const krb5_preauthtype *pre_auth_types,
+			     krb5_keytab keytab,
+			     krb5_ccache ccache,
+			     krb5_creds *creds,
+			     krb5_kdc_rep *ret_as_reply)
+{
+    krb5_keytab_key_proc_args *a;
+
+    a = malloc(sizeof(*a));
+    if (a == NULL)
+	return ENOMEM;
+
+    a->principal = creds->client;
+    a->keytab    = keytab;
+
+    return krb5_get_in_tkt (context,
+			    options,
+			    addrs,
+			    etypes,
+			    pre_auth_types,
+			    krb5_keytab_key_proc,
+			    a,
+			    NULL,
+			    NULL,
+			    creds,
+			    ccache,
+			    ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
new file mode 100644
index 0000000..773d361
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_with_skey.c,v 1.3 1999/12/02 17:05:10 joda Exp $");
+
+static krb5_error_code
+krb5_skey_key_proc (krb5_context context,
+		    krb5_enctype type,
+		    krb5_salt salt,
+		    krb5_const_pointer keyseed,
+		    krb5_keyblock **key)
+{
+    return krb5_copy_keyblock (context, keyseed, key);
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_skey (krb5_context context,
+			   krb5_flags options,
+			   krb5_addresses *addrs,
+			   const krb5_enctype *etypes,
+			   const krb5_preauthtype *pre_auth_types,
+			   const krb5_keyblock *key,
+			   krb5_ccache ccache,
+			   krb5_creds *creds,
+			   krb5_kdc_rep *ret_as_reply)
+{
+    if(key == NULL)
+	return krb5_get_in_tkt_with_keytab (context,
+					    options,
+					    addrs,
+					    etypes,
+					    pre_auth_types,
+					    NULL,
+					    ccache,
+					    creds,
+					    ret_as_reply);
+    else
+	return krb5_get_in_tkt (context,
+				options,
+				addrs,
+				etypes,
+				pre_auth_types,
+				krb5_skey_key_proc,
+				key,
+				NULL,
+				NULL,
+				creds,
+				ccache,
+				ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c
new file mode 100644
index 0000000..17bb45f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_port.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_port.c,v 1.7 1999/12/02 17:05:10 joda Exp $");
+
+int
+krb5_getportbyname (krb5_context context,
+		    const char *service,
+		    const char *proto,
+		    int default_port)
+{
+    struct servent *sp;
+
+    if ((sp = roken_getservbyname (service, proto)) == NULL) {
+	krb5_warnx(context, "%s/%s unknown service, using default port %d", 
+		   service, proto, default_port);
+	return htons(default_port);
+    } else
+	return sp->s_port;
+}
diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et
new file mode 100644
index 0000000..5ec3543
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/heim_err.et
@@ -0,0 +1,18 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: heim_err.et,v 1.7 1999/08/25 20:49:17 joda Exp $"
+
+error_table heim
+
+prefix HEIM_ERR
+
+error_code LOG_PARSE,		"Error parsing log destination"
+error_code V4_PRINC_NO_CONV,	"Failed to convert v4 principal"
+error_code SALTTYPE_NOSUPP,	"Salt type is not supported by enctype"
+error_code NOHOST,		"Host not found"
+error_code OPNOTSUPP,		"Operation not supported"
+
+end
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
new file mode 100644
index 0000000..404fa5a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: init_creds.c,v 1.2 1999/12/02 17:05:10 joda Exp $");
+
+void
+krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+{
+    memset (opt, 0, sizeof(*opt));
+    opt->flags = 0;
+}
+
+void
+krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
+				     krb5_deltat tkt_life)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
+    opt->tkt_life = tkt_life;
+}
+
+void
+krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
+				       krb5_deltat renew_life)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
+    opt->renew_life = renew_life;
+}
+
+void
+krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
+					int forwardable)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
+    opt->forwardable = forwardable;
+}
+
+void
+krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
+				      int proxiable)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
+    opt->proxiable = proxiable;
+}
+
+void
+krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
+				       krb5_enctype *etype_list,
+				       int etype_list_length)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
+    opt->etype_list = etype_list;
+    opt->etype_list_length = etype_list_length;
+}
+
+void
+krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					 krb5_addresses *addresses)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
+    opt->address_list = addresses;
+}
+
+void
+krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					 krb5_preauthtype *preauth_list,
+					 int preauth_list_length)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
+    opt->preauth_list_length = preauth_list_length;
+    opt->preauth_list = preauth_list;
+}
+
+void
+krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				 krb5_data *salt)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
+    opt->salt = salt;
+}
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
new file mode 100644
index 0000000..3caf939
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
@@ -0,0 +1,547 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: init_creds_pw.c,v 1.38 2000/02/07 03:17:20 assar Exp $");
+
+static int
+get_config_time (krb5_context context,
+		 char *realm,
+		 char *name,
+		 int def)
+{
+    int ret;
+
+    ret = krb5_config_get_time (context, NULL,
+				"realms",
+				realm,
+				name,
+				NULL);
+    if (ret >= 0)
+	return ret;
+    ret = krb5_config_get_time (context, NULL,
+				"libdefaults",
+				name,
+				NULL);
+    if (ret >= 0)
+	return ret;
+    return def;
+}
+
+static krb5_boolean
+get_config_bool (krb5_context context,
+		 char *realm,
+		 char *name)
+{
+    return krb5_config_get_bool (context,
+				 NULL,
+				 "realms",
+				 realm,
+				 name,
+				 NULL)
+	|| krb5_config_get_bool (context,
+				 NULL,
+				 "libdefaults",
+				 name,
+				 NULL);
+}
+
+static krb5_error_code
+init_cred (krb5_context context,
+	   krb5_creds *cred,
+	   krb5_principal client,
+	   krb5_deltat start_time,
+	   const char *in_tkt_service,
+	   krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_realm *client_realm;
+    int tmp;
+    krb5_timestamp now;
+
+    krb5_timeofday (context, &now);
+
+    memset (cred, 0, sizeof(*cred));
+    
+    if (client)
+	krb5_copy_principal(context, client, &cred->client);
+    else {
+	ret = krb5_get_default_principal (context,
+					  &cred->client);
+	if (ret)
+	    goto out;
+    }
+
+    client_realm = krb5_princ_realm (context, cred->client);
+
+    if (start_time)
+	cred->times.starttime  = now + start_time;
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)
+	tmp = options->tkt_life;
+    else
+	tmp = get_config_time (context,
+			       *client_realm,
+			       "ticket_lifetime",
+			       10 * 60 * 60);
+    cred->times.endtime = now + tmp;
+
+    tmp = 0;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)
+	tmp = options->renew_life;
+    else
+	tmp = get_config_time (context,
+			       *client_realm,
+			       "renew_lifetime",
+			       0);
+    if (tmp)
+	cred->times.renew_till = now + tmp;
+
+    if (in_tkt_service) {
+	krb5_realm server_realm;
+
+	ret = krb5_parse_name (context, in_tkt_service, &cred->server);
+	if (ret)
+	    goto out;
+	server_realm = strdup (*client_realm);
+	free (cred->server->realm);
+	krb5_princ_set_realm (context, cred->server, &server_realm);
+    } else {
+	ret = krb5_make_principal(context, &cred->server, 
+				  *client_realm, KRB5_TGS_NAME, *client_realm,
+				  NULL);
+	if (ret)
+	    goto out;
+    }
+    return 0;
+
+out:
+    krb5_free_creds_contents (context, cred);
+    return ret;
+}
+
+/*
+ * Parse the last_req data and show it to the user if it's interesting
+ */
+
+static void
+print_expire (krb5_context context,
+	      krb5_realm *realm,
+	      krb5_kdc_rep *rep,
+	      krb5_prompter_fct prompter,
+	      krb5_data *data)
+{
+    int i;
+    LastReq *lr = &rep->enc_part.last_req;
+    krb5_timestamp sec;
+    time_t t;
+
+    krb5_timeofday (context, &sec);
+
+    t = sec + get_config_time (context,
+			       *realm,
+			       "warn_pwexpire",
+			       7 * 24 * 60 * 60);
+
+    for (i = 0; i < lr->len; ++i) {
+	if (lr->val[i].lr_type == 6
+	    && lr->val[i].lr_value <= t) {
+	    char *p;
+	    
+	    asprintf (&p, "Your password will expire at %s",
+		      ctime(&lr->val[i].lr_value));
+	    (*prompter) (context, data, p, 0, NULL);
+	    free (p);
+	    return;
+	}
+    }
+
+    if (rep->enc_part.key_expiration
+	&& *rep->enc_part.key_expiration <= t) {
+	char *p;
+
+	asprintf (&p, "Your password/account will expire at %s",
+		  ctime(rep->enc_part.key_expiration));
+	(*prompter) (context, data, p, 0, NULL);
+	free (p);
+    }
+}
+
+static krb5_error_code
+get_init_creds_common(krb5_context context,
+		      krb5_creds *creds,
+		      krb5_principal client,
+		      krb5_deltat start_time,
+		      const char *in_tkt_service,
+		      krb5_get_init_creds_opt *options,
+		      krb5_addresses **addrs,
+		      krb5_enctype **etypes,
+		      krb5_creds *cred,
+		      krb5_preauthtype **pre_auth_types,
+		      krb5_kdc_flags *flags)
+{
+    krb5_error_code ret;
+    krb5_realm *client_realm;
+
+    ret = init_cred (context, cred, client, start_time,
+		     in_tkt_service, options);
+    if (ret)
+	return ret;
+
+    client_realm = krb5_princ_realm (context, cred->client);
+
+    flags->i = 0;
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
+	flags->b.forwardable = options->forwardable;
+    else
+	flags->b.forwardable = get_config_bool (context,
+						*client_realm,
+						"forwardable");
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
+	flags->b.proxiable = options->proxiable;
+    else
+	flags->b.proxiable = get_config_bool (context,
+					      *client_realm,
+					      "proxiable");
+
+    if (start_time)
+	flags->b.postdated = 1;
+    if (cred->times.renew_till)
+	flags->b.renewable = 1;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)
+	*addrs = options->address_list;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
+	*etypes = malloc((options->etype_list_length + 1)
+			* sizeof(krb5_enctype));
+	if (*etypes == NULL)
+	    return ENOMEM;
+	memcpy (*etypes, options->etype_list,
+		options->etype_list_length * sizeof(krb5_enctype));
+	(*etypes)[options->etype_list_length] = ETYPE_NULL;
+    }
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
+	*pre_auth_types = malloc((options->preauth_list_length + 1)
+				 * sizeof(krb5_preauthtype));
+	if (*pre_auth_types == NULL)
+	    return ENOMEM;
+	memcpy (*pre_auth_types, options->preauth_list,
+		options->preauth_list_length * sizeof(krb5_preauthtype));
+	(*pre_auth_types)[options->preauth_list_length] = KRB5_PADATA_NONE;
+    }
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
+	;			/* XXX */
+    return 0;
+}
+
+static krb5_error_code
+change_password (krb5_context context,
+		 krb5_principal client,
+		 const char *password,
+		 char *newpw,
+		 size_t newpw_sz,
+		 krb5_prompter_fct prompter,
+		 void *data,
+		 krb5_get_init_creds_opt *old_options)
+{
+    krb5_prompt prompt;
+    krb5_error_code ret;
+    krb5_creds cpw_cred;
+    char buf1[BUFSIZ], buf2[BUFSIZ];
+    krb5_data password_data;
+    int result_code;
+    krb5_data result_code_string;
+    krb5_data result_string;
+    char *p;
+    krb5_get_init_creds_opt options;
+
+    memset (&cpw_cred, 0, sizeof(cpw_cred));
+
+    krb5_get_init_creds_opt_init (&options);
+    krb5_get_init_creds_opt_set_tkt_life (&options, 60);
+    krb5_get_init_creds_opt_set_preauth_list (&options,
+					      old_options->preauth_list,
+					      old_options->preauth_list_length);					      
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    ret = krb5_get_init_creds_password (context,
+					&cpw_cred,
+					client,
+					password,
+					prompter,
+					data,
+					0,
+					"kadmin/changepw",
+					&options);
+    if (ret)
+	goto out;
+
+    for(;;) {
+	password_data.data   = buf1;
+	password_data.length = sizeof(buf1);
+
+	prompt.hidden = 1;
+	prompt.prompt = "New password: ";
+	prompt.reply  = &password_data;
+
+	ret = (*prompter) (context, data, "Changing password", 1, &prompt);
+	if (ret)
+	    goto out;
+
+	password_data.data   = buf2;
+	password_data.length = sizeof(buf2);
+
+	prompt.hidden = 1;
+	prompt.prompt = "Repeat new password: ";
+	prompt.reply  = &password_data;
+
+	ret = (*prompter) (context, data, "Changing password", 1, &prompt);
+	if (ret)
+	    goto out;
+
+	if (strcmp (buf1, buf2) == 0)
+	    break;
+    }
+    
+    ret = krb5_change_password (context,
+				&cpw_cred,
+				buf1,
+				&result_code,
+				&result_code_string,
+				&result_string);
+    if (ret)
+	goto out;
+    asprintf (&p, "%s: %.*s\n",
+	      result_code ? "Error" : "Success",
+	      (int)result_string.length,
+	      (char*)result_string.data);
+
+    ret = (*prompter) (context, data, p, 0, NULL);
+    free (p);
+    if (result_code == 0) {
+	strlcpy (newpw, buf1, newpw_sz);
+	ret = 0;
+    } else
+	ret = ENOTTY;
+
+out:
+    memset (buf1, 0, sizeof(buf1));
+    memset (buf2, 0, sizeof(buf2));
+    krb5_data_free (&result_string);
+    krb5_data_free (&result_code_string);
+    krb5_free_creds_contents (context, &cpw_cred);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_init_creds_password(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     const char *password,
+			     krb5_prompter_fct prompter,
+			     void *data,
+			     krb5_deltat start_time,
+			     const char *in_tkt_service,
+			     krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags flags;
+    krb5_addresses *addrs = NULL;
+    krb5_enctype *etypes = NULL;
+    krb5_preauthtype *pre_auth_types = NULL;
+    krb5_creds this_cred;
+    krb5_kdc_rep kdc_reply;
+    char buf[BUFSIZ];
+    krb5_data password_data;
+    int done;
+
+    ret = get_init_creds_common(context, creds, client, start_time,
+				in_tkt_service, options,
+				&addrs, &etypes, &this_cred, &pre_auth_types,
+				&flags);
+    if(ret)
+	goto out;
+
+    if (password == NULL) {
+	krb5_prompt prompt;
+	char *p;
+
+	krb5_unparse_name (context, this_cred.client, &p);
+	asprintf (&prompt.prompt, "%s's Password: ", p);
+	free (p);
+	password_data.data   = buf;
+	password_data.length = sizeof(buf);
+	prompt.hidden = 1;
+	prompt.reply  = &password_data;
+
+	ret = (*prompter) (context, data, NULL, 1, &prompt);
+	free (prompt.prompt);
+	if (ret) {
+	    memset (buf, 0, sizeof(buf));
+	    ret = KRB5_LIBOS_PWDINTR;
+	    goto out;
+	}
+	password = password_data.data;
+    }
+
+    done = 0;
+    while(!done) {
+	memset(&kdc_reply, 0, sizeof(kdc_reply));
+	ret = krb5_get_in_cred (context,
+				flags.i,
+				addrs,
+				etypes,
+				pre_auth_types,
+				NULL,
+				krb5_password_key_proc,
+				password,
+				NULL,
+				NULL,
+				&this_cred,
+				&kdc_reply);
+	switch (ret) {
+	case 0 :
+	    done = 1;
+	    break;
+	case KRB5KDC_ERR_KEY_EXPIRED :
+	    ret = change_password (context,
+				   client,
+				   password,
+				   buf,
+				   sizeof(buf),
+				   prompter,
+				   data,
+				   options);
+	    if (ret)
+		goto out;
+	    password = buf;
+	    break;
+	default:
+	    goto out;
+	}
+    }
+
+    if (prompter)
+	print_expire (context,
+		      krb5_princ_realm (context, this_cred.client),
+		      &kdc_reply,
+		      prompter,
+		      data);
+out:
+    memset (buf, 0, sizeof(buf));
+    if (ret == 0)
+	krb5_free_kdc_rep (context, &kdc_reply);
+
+    free (pre_auth_types);
+    free (etypes);
+    if (ret == 0 && creds)
+	*creds = this_cred;
+    else
+	krb5_free_creds_contents (context, &this_cred);
+    return ret;
+}
+
+krb5_error_code
+krb5_keyblock_key_proc (krb5_context context,
+			krb5_keytype type,
+			krb5_data *salt,
+			krb5_const_pointer keyseed,
+			krb5_keyblock **key)
+{
+    return krb5_copy_keyblock (context, keyseed, key);
+}
+
+krb5_error_code
+krb5_get_init_creds_keytab(krb5_context context,
+			   krb5_creds *creds,
+			   krb5_principal client,
+			   krb5_keytab keytab,
+			   krb5_deltat start_time,
+			   const char *in_tkt_service,
+			   krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags flags;
+    krb5_addresses *addrs = NULL;
+    krb5_enctype *etypes = NULL;
+    krb5_preauthtype *pre_auth_types = NULL;
+    krb5_creds this_cred;
+    krb5_keytab_key_proc_args *a;
+    
+    ret = get_init_creds_common(context, creds, client, start_time,
+				in_tkt_service, options,
+				&addrs, &etypes, &this_cred, &pre_auth_types,
+				&flags);
+    if(ret)
+	goto out;
+
+    a = malloc (sizeof(*a));
+    if (a == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    a->principal = this_cred.client;
+    a->keytab    = keytab;
+
+    ret = krb5_get_in_cred (context,
+			    flags.i,
+			    addrs,
+			    etypes,
+			    pre_auth_types,
+			    NULL,
+			    krb5_keytab_key_proc,
+			    a,
+			    NULL,
+			    NULL,
+			    &this_cred,
+			    NULL);
+    if (ret)
+	goto out;
+    free (pre_auth_types);
+    free (etypes);
+    if (creds)
+	*creds = this_cred;
+    else
+	krb5_free_creds_contents (context, &this_cred);
+    return 0;
+
+out:
+    free (pre_auth_types);
+    free (etypes);
+    krb5_free_creds_contents (context, &this_cred);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c
new file mode 100644
index 0000000..89732a0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keyblock.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+void
+krb5_free_keyblock_contents(krb5_context context,
+			    krb5_keyblock *keyblock)
+{
+    if(keyblock) {
+	if (keyblock->keyvalue.data != NULL)
+	    memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
+	krb5_data_free (&keyblock->keyvalue);
+    }
+}
+
+void
+krb5_free_keyblock(krb5_context context,
+		   krb5_keyblock *keyblock)
+{
+    if(keyblock){
+	krb5_free_keyblock_contents(context, keyblock);
+	free(keyblock);
+    }
+}
+
+krb5_error_code
+krb5_copy_keyblock_contents (krb5_context context,
+			     const krb5_keyblock *inblock,
+			     krb5_keyblock *to)
+{
+    return copy_EncryptionKey(inblock, to);
+}
+
+krb5_error_code
+krb5_copy_keyblock (krb5_context context,
+		    const krb5_keyblock *inblock,
+		    krb5_keyblock **to)
+{
+    krb5_keyblock *k;
+
+    k = malloc (sizeof(*k));
+    if (k == NULL)
+	return ENOMEM;
+    *to = k;
+    return krb5_copy_keyblock_contents (context, inblock, k);
+}
diff --git a/crypto/heimdal/lib/krb5/keytab.c b/crypto/heimdal/lib/krb5/keytab.c
new file mode 100644
index 0000000..36ef2f5
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab.c,v 1.46 2000/02/07 03:18:05 assar Exp $");
+
+/*
+ * Register a new keytab in `ops'
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_register(krb5_context context,
+		 const krb5_kt_ops *ops)
+{
+    struct krb5_keytab_data *tmp;
+
+    tmp = realloc(context->kt_types,
+		  (context->num_kt_types + 1) * sizeof(*context->kt_types));
+    if(tmp == NULL)
+	return ENOMEM;
+    memcpy(&tmp[context->num_kt_types], ops,
+	   sizeof(tmp[context->num_kt_types]));
+    context->kt_types = tmp;
+    context->num_kt_types++;
+    return 0;
+}
+
+/*
+ * Resolve the keytab name (of the form `type:residual') in `name'
+ * into a keytab in `id'.
+ * Return 0 or an error
+ */
+
+krb5_error_code
+krb5_kt_resolve(krb5_context context,
+		const char *name,
+		krb5_keytab *id)
+{
+    krb5_keytab k;
+    int i;
+    const char *type, *residual;
+    size_t type_len;
+    krb5_error_code ret;
+
+    residual = strchr(name, ':');
+    if(residual == NULL) {
+	type = "FILE";
+	type_len = strlen(type);
+	residual = name;
+    } else {
+	type = name;
+	type_len = residual - name;
+	residual++;
+    }
+    
+    for(i = 0; i < context->num_kt_types; i++) {
+	if(strncmp(type, context->kt_types[i].prefix, type_len) == 0)
+	    break;
+    }
+    if(i == context->num_kt_types)
+	return KRB5_KT_UNKNOWN_TYPE;
+    
+    k = malloc (sizeof(*k));
+    if (k == NULL)
+	return ENOMEM;
+    memcpy(k, &context->kt_types[i], sizeof(*k));
+    k->data = NULL;
+    ret = (*k->resolve)(context, residual, k);
+    if(ret) {
+	free(k);
+	k = NULL;
+    }
+    *id = k;
+    return ret;
+}
+
+/*
+ * copy the name of the default keytab into `name'.
+ * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
+ */
+
+krb5_error_code
+krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
+{
+    if (strlcpy (name, context->default_keytab, namesize) >= namesize)
+	return KRB5_CONFIG_NOTENUFSPACE;
+    return 0;
+}
+
+/*
+ * Set `id' to the default keytab.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_default(krb5_context context, krb5_keytab *id)
+{
+    return krb5_kt_resolve (context, context->default_keytab, id);
+}
+
+/*
+ * Read the key identified by `(principal, vno, enctype)' from the
+ * keytab in `keyprocarg' (the default if == NULL) into `*key'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_read_service_key(krb5_context context,
+			 krb5_pointer keyprocarg,
+			 krb5_principal principal,
+			 krb5_kvno vno,
+			 krb5_enctype enctype,
+			 krb5_keyblock **key)
+{
+    krb5_keytab keytab;
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+
+    if (keyprocarg)
+	ret = krb5_kt_resolve (context, keyprocarg, &keytab);
+    else
+	ret = krb5_kt_default (context, &keytab);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
+    krb5_kt_close (context, keytab);
+    if (ret)
+	return ret;
+    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+    krb5_kt_free_entry(context, &entry);
+    return ret;
+}
+
+/*
+ * Retrieve the name of the keytab `keytab' into `name', `namesize'
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_get_name(krb5_context context, 
+		 krb5_keytab keytab,
+		 char *name,
+		 size_t namesize)
+{
+    return (*keytab->get_name)(context, keytab, name, namesize);
+}
+
+/*
+ * Finish using the keytab in `id'.  All resources will be released.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_close(krb5_context context, 
+	      krb5_keytab id)
+{
+    krb5_error_code ret;
+
+    ret = (*id->close)(context, id);
+    if(ret == 0)
+	free(id);
+    return ret;
+}
+
+/*
+ * Compare `entry' against `principal, vno, enctype'.
+ * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
+ * Return TRUE if they compare the same, FALSE otherwise.
+ */
+
+krb5_boolean
+krb5_kt_compare(krb5_context context,
+		krb5_keytab_entry *entry, 
+		krb5_const_principal principal,
+		krb5_kvno vno,
+		krb5_enctype enctype)
+{
+    if(principal != NULL && 
+       !krb5_principal_compare(context, entry->principal, principal))
+	return FALSE;
+    if(vno && vno != entry->vno)
+	return FALSE;
+    if(enctype && enctype != entry->keyblock.keytype)
+	return FALSE;
+    return TRUE;
+}
+
+/*
+ * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
+ * from the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_get_entry(krb5_context context,
+		  krb5_keytab id,
+		  krb5_const_principal principal,
+		  krb5_kvno kvno,
+		  krb5_enctype enctype,
+		  krb5_keytab_entry *entry)
+{
+    krb5_keytab_entry tmp;
+    krb5_error_code ret;
+    krb5_kt_cursor cursor;
+
+    if(id->get)
+	return (*id->get)(context, id, principal, kvno, enctype, entry);
+
+    ret = krb5_kt_start_seq_get (context, id, &cursor);
+    if (ret)
+	return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
+
+    entry->vno = 0;
+    while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
+	if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
+	    if (kvno == tmp.vno) {
+		krb5_kt_copy_entry_contents (context, &tmp, entry);
+		krb5_kt_free_entry (context, &tmp);
+		krb5_kt_end_seq_get(context, id, &cursor);
+		return 0;
+	    } else if (kvno == 0 && tmp.vno > entry->vno) {
+		if (entry->vno)
+		    krb5_kt_free_entry (context, entry);
+		krb5_kt_copy_entry_contents (context, &tmp, entry);
+	    }
+	}
+	krb5_kt_free_entry(context, &tmp);
+    }
+    krb5_kt_end_seq_get (context, id, &cursor);
+    if (entry->vno)
+	return 0;
+    else
+	return KRB5_KT_NOTFOUND;
+}
+
+/*
+ * Copy the contents of `in' into `out'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_copy_entry_contents(krb5_context context,
+			    const krb5_keytab_entry *in,
+			    krb5_keytab_entry *out)
+{
+    krb5_error_code ret;
+
+    memset(out, 0, sizeof(*out));
+    out->vno = in->vno;
+
+    ret = krb5_copy_principal (context, in->principal, &out->principal);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_keyblock_contents (context,
+				       &in->keyblock,
+				       &out->keyblock);
+    if (ret)
+	goto fail;
+    out->timestamp = in->timestamp;
+    return 0;
+fail:
+    krb5_kt_free_entry (context, out);
+    return ret;
+}
+
+/*
+ * Free the contents of `entry'.
+ */
+
+krb5_error_code
+krb5_kt_free_entry(krb5_context context,
+		   krb5_keytab_entry *entry)
+{
+  krb5_free_principal (context, entry->principal);
+  krb5_free_keyblock_contents (context, &entry->keyblock);
+  return 0;
+}
+
+#if 0
+static int
+xxxlock(int fd, int write)
+{
+    if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) {
+	sleep(1);
+	if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) 
+	    return -1;
+    }
+    return 0;
+}
+
+static void
+xxxunlock(int fd)
+{
+    flock(fd, LOCK_UN);
+}
+#endif
+
+/*
+ * Set `cursor' to point at the beginning of `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_start_seq_get(krb5_context context,
+		      krb5_keytab id,
+		      krb5_kt_cursor *cursor)
+{
+    if(id->start_seq_get == NULL)
+	return HEIM_ERR_OPNOTSUPP;
+    return (*id->start_seq_get)(context, id, cursor);
+}
+
+/*
+ * Get the next entry from `id' pointed to by `cursor' and advance the
+ * `cursor'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_next_entry(krb5_context context,
+		   krb5_keytab id,
+		   krb5_keytab_entry *entry,
+		   krb5_kt_cursor *cursor)
+{
+    if(id->next_entry == NULL)
+	return HEIM_ERR_OPNOTSUPP;
+    return (*id->next_entry)(context, id, entry, cursor);
+}
+
+/*
+ * Release all resources associated with `cursor'.
+ */
+
+krb5_error_code
+krb5_kt_end_seq_get(krb5_context context,
+		    krb5_keytab id,
+		    krb5_kt_cursor *cursor)
+{
+    if(id->end_seq_get == NULL)
+	return HEIM_ERR_OPNOTSUPP;
+    return (*id->end_seq_get)(context, id, cursor);
+}
+
+/*
+ * Add the entry in `entry' to the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_add_entry(krb5_context context,
+		  krb5_keytab id,
+		  krb5_keytab_entry *entry)
+{
+    if(id->add == NULL)
+	return KRB5_KT_NOWRITE;
+    entry->timestamp = time(NULL);
+    return (*id->add)(context, id,entry);
+}
+
+/*
+ * Remove the entry `entry' from the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_remove_entry(krb5_context context,
+		     krb5_keytab id,
+		     krb5_keytab_entry *entry)
+{
+    if(id->remove == NULL)
+	return KRB5_KT_NOWRITE;
+    return (*id->remove)(context, id, entry);
+}
diff --git a/crypto/heimdal/lib/krb5/keytab_file.c b/crypto/heimdal/lib/krb5/keytab_file.c
new file mode 100644
index 0000000..c6c35e5
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_file.c
@@ -0,0 +1,540 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_file.c,v 1.6 2000/01/02 00:20:22 assar Exp $");
+
+#define KRB5_KT_VNO_1 1
+#define KRB5_KT_VNO_2 2
+#define KRB5_KT_VNO   KRB5_KT_VNO_2
+
+/* file operations -------------------------------------------- */
+
+struct fkt_data {
+    char *filename;
+};
+
+static krb5_error_code
+krb5_kt_ret_data(krb5_storage *sp,
+		 krb5_data *data)
+{
+    int ret;
+    int16_t size;
+    ret = krb5_ret_int16(sp, &size);
+    if(ret)
+	return ret;
+    data->length = size;
+    data->data = malloc(size);
+    if (data->data == NULL)
+	return ENOMEM;
+    ret = sp->fetch(sp, data->data, size);
+    if(ret != size)
+	return (ret < 0)? errno : KRB5_KT_END;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_ret_string(krb5_storage *sp,
+		   general_string *data)
+{
+    int ret;
+    int16_t size;
+    ret = krb5_ret_int16(sp, &size);
+    if(ret)
+	return ret;
+    *data = malloc(size + 1);
+    if (*data == NULL)
+	return ENOMEM;
+    ret = sp->fetch(sp, *data, size);
+    (*data)[size] = '\0';
+    if(ret != size)
+	return (ret < 0)? errno : KRB5_KT_END;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_data(krb5_storage *sp,
+		   krb5_data data)
+{
+    int ret;
+    ret = krb5_store_int16(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_KT_END;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_string(krb5_storage *sp,
+		     general_string data)
+{
+    int ret;
+    size_t len = strlen(data);
+    ret = krb5_store_int16(sp, len);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data, len);
+    if(ret != len){
+	if(ret < 0)
+	    return errno;
+	return KRB5_KT_END;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
+{
+    int ret;
+    int16_t tmp;
+
+    ret = krb5_ret_int16(sp, &tmp); /* keytype + etype */
+    if(ret) return ret;
+    p->keytype = tmp;
+    ret = krb5_kt_ret_data(sp, &p->keyvalue);
+    return ret;
+}
+
+static krb5_error_code
+krb5_kt_store_keyblock(krb5_storage *sp, 
+		       krb5_keyblock *p)
+{
+    int ret;
+
+    ret = krb5_store_int16(sp, p->keytype); /* keytype + etype */
+    if(ret) return ret;
+    ret = krb5_kt_store_data(sp, p->keyvalue);
+    return ret;
+}
+
+
+static krb5_error_code
+krb5_kt_ret_principal(krb5_storage *sp,
+		      krb5_principal *princ)
+{
+    int i;
+    int ret;
+    krb5_principal p;
+    int16_t tmp;
+    
+    ALLOC(p, 1);
+    if(p == NULL)
+	return ENOMEM;
+
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret)
+	return ret;
+    if (sp->flags & KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)
+	tmp--;
+    p->name.name_string.len = tmp;
+    ret = krb5_kt_ret_string(sp, &p->realm);
+    if(ret) return ret;
+    p->name.name_string.val = calloc(p->name.name_string.len, 
+				     sizeof(*p->name.name_string.val));
+    if(p->name.name_string.val == NULL)
+	return ENOMEM;
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_kt_ret_string(sp, p->name.name_string.val + i);
+	if(ret) return ret;
+    }
+    if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
+	p->name.name_type = KRB5_NT_UNKNOWN;
+    else {
+	int32_t tmp32;
+	ret = krb5_ret_int32(sp, &tmp32);
+	p->name.name_type = tmp32;
+	if (ret)
+	    return ret;
+    }
+    *princ = p;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_principal(krb5_storage *sp,
+			krb5_principal p)
+{
+    int i;
+    int ret;
+    
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ret = krb5_store_int16(sp, p->name.name_string.len + 1);
+    else
+	ret = krb5_store_int16(sp, p->name.name_string.len);
+    if(ret) return ret;
+    ret = krb5_kt_store_string(sp, p->realm);
+    if(ret) return ret;
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_kt_store_string(sp, p->name.name_string.val[i]);
+	if(ret) return ret;
+    }
+    if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
+	ret = krb5_store_int32(sp, p->name.name_type);
+	if(ret)
+	    return ret;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct fkt_data *d;
+    d = malloc(sizeof(*d));
+    if(d == NULL)
+	return ENOMEM;
+    d->filename = strdup(name);
+    if(d->filename == NULL) {
+	free(d);
+	return ENOMEM;
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+fkt_close(krb5_context context, krb5_keytab id)
+{
+    struct fkt_data *d = id->data;
+    free(d->filename);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+fkt_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    /* This function is XXX */
+    struct fkt_data *d = id->data;
+    strlcpy(name, d->filename, namesize);
+    return 0;
+}
+
+static void
+storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
+{
+    int flags = 0;
+    switch(vno) {
+    case KRB5_KT_VNO_1:
+	flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS;
+	flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE;
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_KT_VNO_2:
+	break;
+    default:
+	krb5_abortx(context, 
+		    "storage_set_flags called with bad vno (%x)", vno);
+    }
+    krb5_storage_set_flags(sp, flags);
+}
+
+static krb5_error_code
+fkt_start_seq_get_int(krb5_context context, 
+		      krb5_keytab id, 
+		      int flags,
+		      krb5_kt_cursor *c)
+{
+    int8_t pvno, tag;
+    krb5_error_code ret;
+    struct fkt_data *d = id->data;
+    
+    c->fd = open (d->filename, flags);
+    if (c->fd < 0)
+	return errno;
+    c->sp = krb5_storage_from_fd(c->fd);
+    ret = krb5_ret_int8(c->sp, &pvno);
+    if(ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return ret;
+    }
+    if(pvno != 5) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return KRB5_KEYTAB_BADVNO;
+    }
+    ret = krb5_ret_int8(c->sp, &tag);
+    if (ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return ret;
+    }
+    id->version = tag;
+    storage_set_flags(context, c->sp, id->version);
+    return 0;
+}
+
+static krb5_error_code
+fkt_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, c);
+}
+
+static krb5_error_code
+fkt_next_entry_int(krb5_context context, 
+		   krb5_keytab id, 
+		   krb5_keytab_entry *entry, 
+		   krb5_kt_cursor *cursor,
+		   off_t *start,
+		   off_t *end)
+{
+    int32_t len;
+    int ret;
+    int8_t tmp8;
+    int32_t tmp32;
+    off_t pos;
+
+    pos = cursor->sp->seek(cursor->sp, 0, SEEK_CUR);
+loop:
+    ret = krb5_ret_int32(cursor->sp, &len);
+    if (ret)
+	return ret;
+    if(len < 0) {
+	pos = cursor->sp->seek(cursor->sp, -len, SEEK_CUR);
+	goto loop;
+    }
+    ret = krb5_kt_ret_principal (cursor->sp, &entry->principal);
+    if (ret)
+	goto out;
+    ret = krb5_ret_int32(cursor->sp, &tmp32);
+    entry->timestamp = tmp32;
+    if (ret)
+	goto out;
+    ret = krb5_ret_int8(cursor->sp, &tmp8);
+    if (ret)
+	goto out;
+    entry->vno = tmp8;
+    ret = krb5_kt_ret_keyblock (cursor->sp, &entry->keyblock);
+    if (ret)
+	goto out;
+    if(start) *start = pos;
+    if(end) *end = *start + 4 + len;
+ out:
+    cursor->sp->seek(cursor->sp, pos + 4 + len, SEEK_SET);
+    return ret;
+}
+
+static krb5_error_code
+fkt_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *cursor)
+{
+    return fkt_next_entry_int(context, id, entry, cursor, NULL, NULL);
+}
+
+static krb5_error_code
+fkt_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_storage_free(cursor->sp);
+    close(cursor->fd);
+    return 0;
+}
+
+static krb5_error_code
+fkt_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    int ret;
+    int fd;
+    krb5_storage *sp;
+    struct fkt_data *d = id->data;
+    krb5_data keytab;
+    int32_t len;
+    
+    fd = open (d->filename, O_RDWR | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename, O_RDWR | O_CREAT | O_BINARY, 0600);
+	if (fd < 0)
+	    return errno;
+	sp = krb5_storage_from_fd(fd);
+	ret = krb5_store_int8(sp, 5);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	if(id->version == 0)
+	    id->version = KRB5_KT_VNO;
+	ret = krb5_store_int8 (sp, id->version);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	storage_set_flags(context, sp, id->version);
+    } else {
+	int8_t pvno, tag;
+	sp = krb5_storage_from_fd(fd);
+	ret = krb5_ret_int8(sp, &pvno);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	if(pvno != 5) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return KRB5_KEYTAB_BADVNO;
+	}
+	ret = krb5_ret_int8 (sp, &tag);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	id->version = tag;
+	storage_set_flags(context, sp, id->version);
+    }
+
+    {
+	krb5_storage *emem;
+	emem = krb5_storage_emem();
+	if(emem == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = krb5_kt_store_principal(emem, entry->principal);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_store_int32 (emem, entry->timestamp);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_store_int8 (emem, entry->vno);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_kt_store_keyblock (emem, &entry->keyblock);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_storage_to_data(emem, &keytab);
+	krb5_storage_free(emem);
+	if(ret)
+	    goto out;
+    }
+    
+    while(1) {
+	ret = krb5_ret_int32(sp, &len);
+	if(ret == KRB5_CC_END) {
+	    len = keytab.length;
+	    break;
+	}
+	if(len < 0) {
+	    len = -len;
+	    if(len >= keytab.length) {
+		sp->seek(sp, -4, SEEK_CUR);
+		break;
+	    }
+	}
+	sp->seek(sp, len, SEEK_CUR);
+    }
+    ret = krb5_store_int32(sp, len);
+    if(sp->store(sp, keytab.data, keytab.length) < 0)
+	ret = errno;
+    memset(keytab.data, 0, keytab.length);
+    krb5_data_free(&keytab);
+ out:
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
+
+static krb5_error_code
+fkt_remove_entry(krb5_context context,
+		 krb5_keytab id,
+		 krb5_keytab_entry *entry)
+{
+    krb5_keytab_entry e;
+    krb5_kt_cursor cursor;
+    off_t pos_start, pos_end;
+    int found = 0;
+    
+    fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, &cursor);
+    while(fkt_next_entry_int(context, id, &e, &cursor, 
+			     &pos_start, &pos_end) == 0) {
+	if(krb5_kt_compare(context, &e, entry->principal, 
+			   entry->vno, entry->keyblock.keytype)) {
+	    int32_t len;
+	    unsigned char buf[128];
+	    found = 1;
+	    cursor.sp->seek(cursor.sp, pos_start, SEEK_SET);
+	    len = pos_end - pos_start - 4;
+	    krb5_store_int32(cursor.sp, -len);
+	    memset(buf, 0, sizeof(buf));
+	    while(len > 0) {
+		cursor.sp->store(cursor.sp, buf, min(len, sizeof(buf)));
+		len -= min(len, sizeof(buf));
+	    }
+	}
+    }
+    krb5_kt_end_seq_get(context, id, &cursor);
+    if (!found)
+	return KRB5_KT_NOTFOUND;
+    return 0;
+}
+
+const krb5_kt_ops krb5_fkt_ops = {
+    "FILE",
+    fkt_resolve,
+    fkt_get_name,
+    fkt_close,
+    NULL, /* get */
+    fkt_start_seq_get,
+    fkt_next_entry,
+    fkt_end_seq_get,
+    fkt_add_entry,
+    fkt_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c
new file mode 100644
index 0000000..fa14e62
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_keyfile.c,v 1.7 2000/01/02 04:00:22 assar Exp $");
+
+/* afs keyfile operations --------------------------------------- */
+
+/*
+ * Minimum tools to handle the AFS KeyFile.
+ * 
+ * Format of the KeyFile is:
+ * <int32_t numkeys> {[<int32_t kvno> <char[8] deskey>] * numkeys}
+ *
+ * It just adds to the end of the keyfile, deleting isn't implemented.
+ * Use your favorite text/hex editor to delete keys.
+ *
+ */
+
+#define AFS_SERVERTHISCELL "/usr/afs/etc/ThisCell"
+#define AFS_SERVERMAGICKRBCONF "/usr/afs/etc/krb.conf"
+
+struct akf_data {
+    int num_entries;
+    char *filename;
+    char *cell;
+    char *realm;
+};
+
+/*
+ * set `d->cell' and `d->realm'
+ */
+
+static int
+get_cell_and_realm (struct akf_data *d)
+{
+    FILE *f;
+    char buf[BUFSIZ], *cp;
+
+    f = fopen (AFS_SERVERTHISCELL, "r");
+    if (f == NULL)
+	return errno;
+    if (fgets (buf, sizeof(buf), f) == NULL) {
+	fclose (f);
+	return EINVAL;
+    }
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    fclose(f);
+
+    d->cell = strdup (buf);
+    if (d->cell == NULL)
+	return errno;
+
+    f = fopen (AFS_SERVERMAGICKRBCONF, "r");
+    if (f != NULL) {
+	if (fgets (buf, sizeof(buf), f) == NULL) {
+	    fclose (f);
+	    return EINVAL;
+	}
+	if (buf[strlen(buf)-1] == '\n')
+	    buf[strlen(buf)-1] = '\0';
+	fclose(f);
+    }
+    /* uppercase */
+    for (cp = buf; *cp != '\0'; cp++)
+	*cp = toupper(*cp);
+    
+    d->realm = strdup (buf);
+    if (d->realm == NULL) {
+	free (d->cell);
+	return errno;
+    }
+    return 0;
+}
+
+/*
+ * init and get filename
+ */
+
+static krb5_error_code
+akf_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    int ret;
+    struct akf_data *d = malloc(sizeof (struct akf_data));
+
+    if (d == NULL)
+	return errno;
+    
+    d->num_entries = 0;
+    ret = get_cell_and_realm (d);
+    if (ret) {
+	free (d);
+	return ret;
+    }
+    d->filename = strdup (name);
+    if (d->filename == NULL) {
+	free (d->cell);
+	free (d->realm);
+	free (d);
+	return ENOMEM;
+    }
+    id->data = d;
+    
+    return 0;
+}
+
+/*
+ * cleanup
+ */
+
+static krb5_error_code
+akf_close(krb5_context context, krb5_keytab id)
+{
+    struct akf_data *d = id->data;
+
+    free (d->filename);
+    free (d->cell);
+    free (d);
+    return 0;
+}
+
+/*
+ * Return filename
+ */
+
+static krb5_error_code 
+akf_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t name_sz)
+{
+    struct akf_data *d = id->data;
+
+    strlcpy (name, d->filename, name_sz);
+    return 0;
+}
+
+/*
+ * Init 
+ */
+
+static krb5_error_code
+akf_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    int32_t ret;
+    struct akf_data *d = id->data;
+
+    c->fd = open (d->filename, O_RDONLY|O_BINARY, 0600);
+    if (c->fd < 0)
+	return errno;
+
+    c->sp = krb5_storage_from_fd(c->fd);
+    ret = krb5_ret_int32(c->sp, &d->num_entries);
+    if(ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return ret;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+akf_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *cursor)
+{
+    struct akf_data *d = id->data;
+    int32_t kvno;
+    off_t pos;
+    int ret;
+
+    pos = cursor->sp->seek(cursor->sp, 0, SEEK_CUR);
+
+    if ((pos - 4) / (4 + 8) >= d->num_entries)
+	return KRB5_KT_END;
+
+    ret = krb5_make_principal (context, &entry->principal,
+			       d->realm, "afs", d->cell, NULL);
+    if (ret)
+	goto out;
+
+    ret = krb5_ret_int32(cursor->sp, &kvno);
+    if (ret) {
+	krb5_free_principal (context, entry->principal);
+	goto out;
+    }
+
+    entry->vno = (int8_t) kvno;
+
+    entry->keyblock.keytype         = ETYPE_DES_CBC_MD5;
+    entry->keyblock.keyvalue.length = 8;
+    entry->keyblock.keyvalue.data   = malloc (8);
+    if (entry->keyblock.keyvalue.data == NULL) {
+	krb5_free_principal (context, entry->principal);
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = cursor->sp->fetch(cursor->sp, entry->keyblock.keyvalue.data, 8);
+    if(ret != 8)
+	ret = (ret < 0) ? errno : KRB5_KT_END;
+
+    entry->timestamp = time(NULL);
+
+ out:
+    cursor->sp->seek(cursor->sp, pos + 4 + 8, SEEK_SET);
+    return ret;
+}
+
+static krb5_error_code
+akf_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_storage_free(cursor->sp);
+    close(cursor->fd);
+    return 0;
+}
+
+static krb5_error_code
+akf_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    struct akf_data *d = id->data;
+    int fd, created = 0;
+    int32_t kvno;
+
+    fd = open (d->filename, O_RDWR | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename,
+		   O_RDWR | O_BINARY | O_CREAT, 0600);
+	if (fd < 0)
+	    return errno;
+	created = 1;
+    }
+
+    if (entry->keyblock.keyvalue.length == 8
+	&& entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
+
+	int32_t len = 0;
+
+	if (!created) {
+	    if (lseek (fd, 0, SEEK_SET))
+		return errno;
+	    
+	    if (read (fd, &len, sizeof(len)) != sizeof(len))
+		return errno;
+	}
+	len += 1;
+
+	if (lseek (fd, 0, SEEK_SET))
+	    return errno;
+
+	if (write (fd, &len, sizeof(len)) != sizeof(len))
+	    return errno;
+
+	if (lseek (fd, 4 + (len-1) * (8+4), SEEK_SET))
+	    return errno;
+
+	kvno = entry->vno;
+	write(fd, &kvno, sizeof(kvno));
+	write(fd, entry->keyblock.keyvalue.data, 8);
+    }
+    close (fd);
+    return 0;
+}
+
+const krb5_kt_ops krb5_akf_ops = {
+    "AFSKEYFILE",
+    akf_resolve,
+    akf_get_name,
+    akf_close,
+    NULL, /* get */
+    akf_start_seq_get,
+    akf_next_entry,
+    akf_end_seq_get,
+    akf_add_entry,
+    NULL /* remove */
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c
new file mode 100644
index 0000000..b1f425c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_krb4.c
@@ -0,0 +1,272 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <krb.h>
+
+RCSID("$Id: keytab_krb4.c,v 1.5 2000/01/06 08:04:58 assar Exp $");
+
+struct krb4_kt_data {
+    char *filename;
+};
+
+static krb5_error_code
+krb4_kt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct krb4_kt_data *d;
+
+    d = malloc (sizeof(*d));
+    if (d == NULL)
+	return ENOMEM;
+    d->filename = strdup (name);
+    if (d->filename == NULL) {
+	free(d);
+	return ENOMEM;
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_get_name (krb5_context context,
+		  krb5_keytab id,
+		  char *name,
+		  size_t name_sz)
+{
+    struct krb4_kt_data *d = id->data;
+
+    strlcpy (name, d->filename, name_sz);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_close (krb5_context context,
+	       krb5_keytab id)
+{
+    struct krb4_kt_data *d = id->data;
+
+    free (d->filename);
+    free (d);
+    return 0;
+}
+
+struct krb4_cursor_extra_data {
+    krb5_keytab_entry entry;
+    int num;
+};
+
+static krb5_error_code
+krb4_kt_start_seq_get_int (krb5_context context,
+			   krb5_keytab id,
+			   int flags,
+			   krb5_kt_cursor *c)
+{
+    struct krb4_kt_data *d = id->data;
+    struct krb4_cursor_extra_data *ed;
+
+    ed = malloc (sizeof(*ed));
+    if (ed == NULL)
+	return ENOMEM;
+    ed->entry.principal = NULL;
+    ed->num = -1;
+    c->data = ed;
+    c->fd = open (d->filename, flags);
+    if (c->fd < 0) {
+	free (ed);
+	return errno;
+    }
+    c->sp = krb5_storage_from_fd(c->fd);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_start_seq_get (krb5_context context,
+		       krb5_keytab id,
+		       krb5_kt_cursor *c)
+{
+    return krb4_kt_start_seq_get_int (context, id, O_BINARY | O_RDONLY, c);
+}
+
+static krb5_error_code
+read_v4_entry (krb5_context context,
+	       struct krb4_kt_data *d,
+	       krb5_kt_cursor *c,
+	       struct krb4_cursor_extra_data *ed)
+{
+    krb5_error_code ret;
+    char *service, *instance, *realm;
+    int8_t kvno;
+    des_cblock key;
+
+    ret = krb5_ret_stringz(c->sp, &service);
+    if (ret)
+	return ret;
+    ret = krb5_ret_stringz(c->sp, &instance);
+    if (ret) {
+	free (service);
+	return ret;
+    }
+    ret = krb5_ret_stringz(c->sp, &realm);
+    if (ret) {
+	free (service);
+	free (instance);
+	return ret;
+    }
+    ret = krb5_425_conv_principal (context, service, instance, realm,
+				   &ed->entry.principal);
+    free (service);
+    free (instance);
+    free (realm);
+    if (ret)
+	return ret;
+    ret = krb5_ret_int8(c->sp, &kvno);
+    if (ret) {
+	krb5_free_principal (context, ed->entry.principal);
+	return ret;
+    }
+    ret = c->sp->fetch(c->sp, key, 8);
+    if (ret < 0) {
+	krb5_free_principal(context, ed->entry.principal);
+	return ret;
+    }
+    if (ret < 8) {
+	krb5_free_principal(context, ed->entry.principal);
+	return EINVAL;
+    }
+    ed->entry.vno = kvno;
+    ret = krb5_data_copy (&ed->entry.keyblock.keyvalue,
+			  key, 8);
+    if (ret)
+	return ret;
+    ed->entry.timestamp = time(NULL);
+    ed->num = 0;
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_next_entry (krb5_context context,
+		    krb5_keytab id,
+		    krb5_keytab_entry *entry,
+		    krb5_kt_cursor *c)
+{
+    krb5_error_code ret;
+    struct krb4_kt_data *d = id->data;
+    struct krb4_cursor_extra_data *ed = c->data;
+    const krb5_enctype keytypes[] = {ETYPE_DES_CBC_MD5,
+				     ETYPE_DES_CBC_MD4,
+				     ETYPE_DES_CBC_CRC};
+
+    if (ed->num == -1) {
+	ret = read_v4_entry (context, d, c, ed);
+	if (ret)
+	    return ret;
+    }
+    ret = krb5_kt_copy_entry_contents (context,
+				       &ed->entry,
+				       entry);
+    if (ret)
+	return ret;
+    entry->keyblock.keytype = keytypes[ed->num];
+    if (++ed->num == 3) {
+	krb5_kt_free_entry (context, &ed->entry);
+	ed->num = -1;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_end_seq_get (krb5_context context,
+		     krb5_keytab id,
+		     krb5_kt_cursor *c)
+{
+    struct krb4_cursor_extra_data *ed = c->data;
+
+    krb5_storage_free (c->sp);
+    if (ed->num != -1)
+	krb5_kt_free_entry (context, &ed->entry);
+    free (c->data);
+    close (c->fd);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_add_entry (krb5_context context,
+		   krb5_keytab id,
+		   krb5_keytab_entry *entry)
+{
+    struct krb4_kt_data *d = id->data;
+    krb5_error_code ret;
+    int fd;
+    char service[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    int8_t kvno;
+
+    fd = open (d->filename, O_WRONLY | O_APPEND | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename,
+		   O_WRONLY | O_APPEND | O_BINARY | O_CREAT, 0600);
+	if (fd < 0)
+	    return errno;
+    }
+    ret = krb5_524_conv_principal (context, entry->principal,
+				   service, instance, realm);
+    if (ret) {
+	close (fd);
+	return ret;
+    }
+    if (entry->keyblock.keyvalue.length == 8
+	&& entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
+	write(fd, service, strlen(service)+1);
+	write(fd, instance, strlen(instance)+1);
+	write(fd, realm, strlen(realm)+1);
+	kvno = entry->vno;
+	write(fd, &kvno, sizeof(kvno));
+	write(fd, entry->keyblock.keyvalue.data, 8);
+    }
+    close (fd);
+    return 0;
+}
+
+krb5_kt_ops krb4_fkt_ops = {
+    "krb4",
+    krb4_kt_resolve,
+    krb4_kt_get_name,
+    krb4_kt_close,
+    NULL,			/* get */
+    krb4_kt_start_seq_get,
+    krb4_kt_next_entry,
+    krb4_kt_end_seq_get,
+    krb4_kt_add_entry,		/* add_entry */
+    NULL			/* remove_entry */
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_memory.c b/crypto/heimdal/lib/krb5/keytab_memory.c
new file mode 100644
index 0000000..9fde8d0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_memory.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_memory.c,v 1.4 2000/02/07 03:18:39 assar Exp $");
+
+/* memory operations -------------------------------------------- */
+
+struct mkt_data {
+    krb5_keytab_entry *entries;
+    int num_entries;
+};
+
+static krb5_error_code
+mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct mkt_data *d;
+    d = malloc(sizeof(*d));
+    if(d == NULL)
+	return ENOMEM;
+    d->entries = NULL;
+    d->num_entries = 0;
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+mkt_close(krb5_context context, krb5_keytab id)
+{
+    struct mkt_data *d = id->data;
+    int i;
+    for(i = 0; i < d->num_entries; i++)
+	krb5_kt_free_entry(context, &d->entries[i]);
+    free(d->entries);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+mkt_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    strlcpy(name, "", namesize);
+    return 0;
+}
+
+static krb5_error_code
+mkt_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    /* XXX */
+    c->fd = 0;
+    return 0;
+}
+
+static krb5_error_code
+mkt_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *c)
+{
+    struct mkt_data *d = id->data;
+    if(c->fd >= d->num_entries)
+	return KRB5_KT_END;
+    return krb5_kt_copy_entry_contents(context, &d->entries[c->fd++], entry);
+}
+
+static krb5_error_code
+mkt_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    return 0;
+}
+
+static krb5_error_code
+mkt_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    struct mkt_data *d = id->data;
+    krb5_keytab_entry *tmp;
+    tmp = realloc(d->entries, (d->num_entries + 1) * sizeof(*d->entries));
+    if(tmp == NULL)
+	return ENOMEM;
+    d->entries = tmp;
+    return krb5_kt_copy_entry_contents(context, entry, 
+				       &d->entries[d->num_entries++]);
+}
+
+static krb5_error_code
+mkt_remove_entry(krb5_context context,
+		 krb5_keytab id,
+		 krb5_keytab_entry *entry)
+{
+    struct mkt_data *d = id->data;
+    krb5_keytab_entry *e, *end;
+    
+    /* do this backwards to minimize copying */
+    for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) {
+	if(krb5_kt_compare(context, e, entry->principal, 
+			   entry->vno, entry->keyblock.keytype)) {
+	    krb5_kt_free_entry(context, e);
+	    memmove(e, e + 1, (end - e - 1) * sizeof(*e));
+	    memset(end - 1, 0, sizeof(*end));
+	    d->num_entries--;
+	    end--;
+	}
+    }
+    e = realloc(d->entries, d->num_entries * sizeof(*d->entries));
+    if(e != NULL)
+	d->entries = e;
+    return 0;
+}
+
+const krb5_kt_ops krb5_mkt_ops = {
+    "MEMORY",
+    mkt_resolve,
+    mkt_get_name,
+    mkt_close,
+    NULL, /* get */
+    mkt_start_seq_get,
+    mkt_next_entry,
+    mkt_end_seq_get,
+    mkt_add_entry,
+    mkt_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h
new file mode 100644
index 0000000..b24328a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5-private.h
@@ -0,0 +1,58 @@
+/* This is a generated file */
+#ifndef __krb5_private_h__
+#define __krb5_private_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+void
+_krb5_crc_init_table __P((void));
+
+u_int32_t
+_krb5_crc_update __P((
+	char *p,
+	size_t len,
+	u_int32_t res));
+
+int
+_krb5_extract_ticket __P((
+	krb5_context context,
+	krb5_kdc_rep *rep,
+	krb5_creds *creds,
+	krb5_keyblock *key,
+	krb5_const_pointer keyseed,
+	krb5_key_usage key_usage,
+	krb5_addresses *addrs,
+	unsigned nonce,
+	krb5_boolean allow_server_mismatch,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg));
+
+ssize_t
+_krb5_get_int __P((
+	void *buffer,
+	unsigned long *value,
+	size_t size));
+
+void
+_krb5_n_fold __P((
+	const void *str,
+	size_t len,
+	void *key,
+	size_t size));
+
+ssize_t
+_krb5_put_int __P((
+	void *buffer,
+	unsigned long value,
+	size_t size));
+
+#endif /* __krb5_private_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h
new file mode 100644
index 0000000..59402a7
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5-protos.h
@@ -0,0 +1,2366 @@
+/* This is a generated file */
+#ifndef __krb5_protos_h__
+#define __krb5_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+krb5_error_code
+krb524_convert_creds_kdc __P((
+	krb5_context context,
+	krb5_ccache ccache,
+	krb5_creds *in_cred,
+	struct credentials *v4creds));
+
+krb5_error_code
+krb5_425_conv_principal __P((
+	krb5_context context,
+	const char *name,
+	const char *instance,
+	const char *realm,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_425_conv_principal_ext __P((
+	krb5_context context,
+	const char *name,
+	const char *instance,
+	const char *realm,
+	krb5_boolean (*func)(krb5_context, krb5_principal),
+	krb5_boolean resolve,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_524_conv_principal __P((
+	krb5_context context,
+	const krb5_principal principal,
+	char *name,
+	char *instance,
+	char *realm));
+
+krb5_error_code
+krb5_abort __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 3, 4)));
+
+krb5_error_code
+krb5_abortx __P((
+	krb5_context context,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 2, 3)));
+
+krb5_error_code
+krb5_add_et_list __P((
+	krb5_context context,
+	void (*func)(struct et_list **)));
+
+krb5_error_code
+krb5_add_extra_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_addlog_dest __P((
+	krb5_context context,
+	krb5_log_facility *f,
+	const char *p));
+
+krb5_error_code
+krb5_addlog_func __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int min,
+	int max,
+	krb5_log_log_func_t log,
+	krb5_log_close_func_t close,
+	void *data));
+
+krb5_error_code
+krb5_addr2sockaddr __P((
+	const krb5_address *addr,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+krb5_boolean
+krb5_address_compare __P((
+	krb5_context context,
+	const krb5_address *addr1,
+	const krb5_address *addr2));
+
+int
+krb5_address_order __P((
+	krb5_context context,
+	const krb5_address *addr1,
+	const krb5_address *addr2));
+
+krb5_boolean
+krb5_address_search __P((
+	krb5_context context,
+	const krb5_address *addr,
+	const krb5_addresses *addrlist));
+
+krb5_error_code
+krb5_aname_to_localname __P((
+	krb5_context context,
+	krb5_const_principal aname,
+	size_t lnsize,
+	char *lname));
+
+krb5_error_code
+krb5_anyaddr __P((
+	int af,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+krb5_error_code
+krb5_append_addresses __P((
+	krb5_context context,
+	krb5_addresses *dest,
+	const krb5_addresses *source));
+
+krb5_error_code
+krb5_auth_con_free __P((
+	krb5_context context,
+	krb5_auth_context auth_context));
+
+krb5_error_code
+krb5_auth_con_getaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_address **local_addr,
+	krb5_address **remote_addr));
+
+krb5_error_code
+krb5_auth_con_getflags __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *flags));
+
+krb5_error_code
+krb5_auth_con_getkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_getlocalsubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_getremotesubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_init __P((
+	krb5_context context,
+	krb5_auth_context *auth_context));
+
+krb5_error_code
+krb5_auth_con_setaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_address *local_addr,
+	krb5_address *remote_addr));
+
+krb5_error_code
+krb5_auth_con_setaddrs_from_fd __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	void *p_fd));
+
+krb5_error_code
+krb5_auth_con_setflags __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t flags));
+
+krb5_error_code
+krb5_auth_con_setkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setlocalsubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setremotesubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setuserkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_getauthenticator __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_authenticator *authenticator));
+
+krb5_error_code
+krb5_auth_getcksumtype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_cksumtype *cksumtype));
+
+krb5_error_code
+krb5_auth_getkeytype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_auth_getlocalseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *seqnumber));
+
+krb5_error_code
+krb5_auth_getremoteseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *seqnumber));
+
+krb5_error_code
+krb5_auth_setcksumtype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_cksumtype cksumtype));
+
+krb5_error_code
+krb5_auth_setkeytype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keytype keytype));
+
+krb5_error_code
+krb5_auth_setlocalseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t seqnumber));
+
+krb5_error_code
+krb5_auth_setremoteseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t seqnumber));
+
+krb5_error_code
+krb5_build_ap_req __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_creds *cred,
+	krb5_flags ap_options,
+	krb5_data authenticator,
+	krb5_data *retdata));
+
+krb5_error_code
+krb5_build_authenticator __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_enctype enctype,
+	krb5_creds *cred,
+	Checksum *cksum,
+	Authenticator **auth_result,
+	krb5_data *result));
+
+krb5_error_code
+krb5_build_principal __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	...));
+
+krb5_error_code
+krb5_build_principal_ext __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	...));
+
+krb5_error_code
+krb5_build_principal_va __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	va_list ap));
+
+krb5_error_code
+krb5_build_principal_va_ext __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	va_list ap));
+
+krb5_error_code
+krb5_cc_close __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_copy_cache __P((
+	krb5_context context,
+	const krb5_ccache from,
+	krb5_ccache to));
+
+krb5_error_code
+krb5_cc_default __P((
+	krb5_context context,
+	krb5_ccache *id));
+
+const char*
+krb5_cc_default_name __P((krb5_context context));
+
+krb5_error_code
+krb5_cc_destroy __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_end_seq_get __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_cc_cursor *cursor));
+
+krb5_error_code
+krb5_cc_gen_new __P((
+	krb5_context context,
+	const krb5_cc_ops *ops,
+	krb5_ccache *id));
+
+const char*
+krb5_cc_get_name __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_get_principal __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_principal *principal));
+
+const char*
+krb5_cc_get_type __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_get_version __P((
+	krb5_context context,
+	const krb5_ccache id));
+
+krb5_error_code
+krb5_cc_initialize __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_principal primary_principal));
+
+krb5_error_code
+krb5_cc_next_cred __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_creds *creds,
+	krb5_cc_cursor *cursor));
+
+krb5_error_code
+krb5_cc_register __P((
+	krb5_context context,
+	const krb5_cc_ops *ops,
+	krb5_boolean override));
+
+krb5_error_code
+krb5_cc_remove_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags which,
+	krb5_creds *cred));
+
+krb5_error_code
+krb5_cc_resolve __P((
+	krb5_context context,
+	const char *name,
+	krb5_ccache *id));
+
+krb5_error_code
+krb5_cc_retrieve_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags whichfields,
+	const krb5_creds *mcreds,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_cc_set_flags __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_cc_start_seq_get __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_cc_cursor *cursor));
+
+krb5_error_code
+krb5_cc_store_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_change_password __P((
+	krb5_context context,
+	krb5_creds *creds,
+	char *newpw,
+	int *result_code,
+	krb5_data *result_code_string,
+	krb5_data *result_string));
+
+krb5_error_code
+krb5_check_transited_realms __P((
+	krb5_context context,
+	const char *const *realms,
+	int num_realms,
+	int *bad_realm));
+
+krb5_boolean
+krb5_checksum_is_collision_proof __P((
+	krb5_context context,
+	krb5_cksumtype type));
+
+krb5_boolean
+krb5_checksum_is_keyed __P((
+	krb5_context context,
+	krb5_cksumtype type));
+
+krb5_error_code
+krb5_checksumsize __P((
+	krb5_context context,
+	krb5_cksumtype type,
+	size_t *size));
+
+krb5_error_code
+krb5_closelog __P((
+	krb5_context context,
+	krb5_log_facility *fac));
+
+krb5_boolean
+krb5_compare_creds __P((
+	krb5_context context,
+	krb5_flags whichfields,
+	const krb5_creds *mcreds,
+	const krb5_creds *creds));
+
+krb5_error_code
+krb5_config_file_free __P((
+	krb5_context context,
+	krb5_config_section *s));
+
+void
+krb5_config_free_strings __P((char **strings));
+
+const void *
+krb5_config_get __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int type,
+	...));
+
+krb5_boolean
+krb5_config_get_bool __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+krb5_boolean
+krb5_config_get_bool_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_boolean def_value,
+	...));
+
+int
+krb5_config_get_int __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_int_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	...));
+
+const krb5_config_binding *
+krb5_config_get_list __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+const void *
+krb5_config_get_next __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_config_binding **pointer,
+	int type,
+	...));
+
+const char *
+krb5_config_get_string __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+char**
+krb5_config_get_strings __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_time __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_time_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	...));
+
+krb5_error_code
+krb5_config_parse_file __P((
+	const char *fname,
+	krb5_config_section **res));
+
+krb5_error_code
+krb5_config_parse_file_debug __P((
+	const char *fname,
+	krb5_config_section **res,
+	unsigned *lineno,
+	char **error_message));
+
+const void *
+krb5_config_vget __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int type,
+	va_list args));
+
+krb5_boolean
+krb5_config_vget_bool __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+krb5_boolean
+krb5_config_vget_bool_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_boolean def_value,
+	va_list args));
+
+int
+krb5_config_vget_int __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_int_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	va_list args));
+
+const krb5_config_binding *
+krb5_config_vget_list __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+const void *
+krb5_config_vget_next __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_config_binding **pointer,
+	int type,
+	va_list args));
+
+const char *
+krb5_config_vget_string __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+char **
+krb5_config_vget_strings __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_time __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_time_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	va_list args));
+
+krb5_error_code
+krb5_copy_address __P((
+	krb5_context context,
+	const krb5_address *inaddr,
+	krb5_address *outaddr));
+
+krb5_error_code
+krb5_copy_addresses __P((
+	krb5_context context,
+	const krb5_addresses *inaddr,
+	krb5_addresses *outaddr));
+
+krb5_error_code
+krb5_copy_creds __P((
+	krb5_context context,
+	const krb5_creds *incred,
+	krb5_creds **outcred));
+
+krb5_error_code
+krb5_copy_creds_contents __P((
+	krb5_context context,
+	const krb5_creds *incred,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_copy_data __P((
+	krb5_context context,
+	const krb5_data *indata,
+	krb5_data **outdata));
+
+krb5_error_code
+krb5_copy_host_realm __P((
+	krb5_context context,
+	const krb5_realm *from,
+	krb5_realm **to));
+
+krb5_error_code
+krb5_copy_keyblock __P((
+	krb5_context context,
+	const krb5_keyblock *inblock,
+	krb5_keyblock **to));
+
+krb5_error_code
+krb5_copy_keyblock_contents __P((
+	krb5_context context,
+	const krb5_keyblock *inblock,
+	krb5_keyblock *to));
+
+krb5_error_code
+krb5_copy_principal __P((
+	krb5_context context,
+	krb5_const_principal inprinc,
+	krb5_principal *outprinc));
+
+krb5_error_code
+krb5_copy_ticket __P((
+	krb5_context context,
+	const krb5_ticket *from,
+	krb5_ticket **to));
+
+krb5_error_code
+krb5_create_checksum __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage_or_type,
+	void *data,
+	size_t len,
+	Checksum *result));
+
+krb5_error_code
+krb5_crypto_destroy __P((
+	krb5_context context,
+	krb5_crypto crypto));
+
+krb5_error_code
+krb5_crypto_init __P((
+	krb5_context context,
+	krb5_keyblock *key,
+	krb5_enctype etype,
+	krb5_crypto *crypto));
+
+krb5_error_code
+krb5_data_alloc __P((
+	krb5_data *p,
+	int len));
+
+krb5_error_code
+krb5_data_copy __P((
+	krb5_data *p,
+	const void *data,
+	size_t len));
+
+void
+krb5_data_free __P((krb5_data *p));
+
+krb5_error_code
+krb5_data_realloc __P((
+	krb5_data *p,
+	int len));
+
+void
+krb5_data_zero __P((krb5_data *p));
+
+krb5_error_code
+krb5_decode_Authenticator __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	Authenticator *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_ETYPE_INFO __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	ETYPE_INFO *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncAPRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncAPRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncASRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncASRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncKrbCredPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncKrbCredPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncTGSRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncTGSRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncTicketPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncTicketPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_ap_req __P((
+	krb5_context context,
+	const krb5_data *inbuf,
+	krb5_ap_req *ap_req));
+
+krb5_error_code
+krb5_decrypt __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result));
+
+krb5_error_code
+krb5_decrypt_EncryptedData __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	EncryptedData *e,
+	krb5_data *result));
+
+krb5_error_code
+krb5_decrypt_ticket __P((
+	krb5_context context,
+	Ticket *ticket,
+	krb5_keyblock *key,
+	EncTicketPart *out,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_domain_x500_decode __P((
+	krb5_data tr,
+	char ***realms,
+	int *num_realms,
+	const char *client_realm,
+	const char *server_realm));
+
+krb5_error_code
+krb5_domain_x500_encode __P((
+	char **realms,
+	int num_realms,
+	krb5_data *encoding));
+
+krb5_error_code
+krb5_encode_Authenticator __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	Authenticator *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_ETYPE_INFO __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	ETYPE_INFO *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncAPRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncAPRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncASRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncASRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncKrbCredPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncKrbCredPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncTGSRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncTGSRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncTicketPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncTicketPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encrypt __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result));
+
+krb5_error_code
+krb5_encrypt_EncryptedData __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	int kvno,
+	EncryptedData *result));
+
+krb5_error_code
+krb5_enctype_to_keytype __P((
+	krb5_context context,
+	krb5_enctype etype,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_enctype_to_string __P((
+	krb5_context context,
+	krb5_enctype etype,
+	char **string));
+
+krb5_error_code
+krb5_enctype_valid __P((
+	krb5_context context,
+	krb5_enctype etype));
+
+krb5_boolean
+krb5_enctypes_compatible_keys __P((
+	krb5_context context,
+	krb5_enctype etype1,
+	krb5_enctype etype2));
+
+krb5_error_code
+krb5_err __P((
+	krb5_context context,
+	int eval,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 4, 5)));
+
+krb5_error_code
+krb5_errx __P((
+	krb5_context context,
+	int eval,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 3, 4)));
+
+krb5_error_code
+krb5_expand_hostname __P((
+	krb5_context context,
+	const char *orig_hostname,
+	char **new_hostname));
+
+krb5_error_code
+krb5_expand_hostname_realms __P((
+	krb5_context context,
+	const char *orig_hostname,
+	char **new_hostname,
+	char ***realms));
+
+PA_DATA *
+krb5_find_padata __P((
+	PA_DATA *val,
+	unsigned len,
+	int type,
+	int *index));
+
+krb5_error_code
+krb5_free_address __P((
+	krb5_context context,
+	krb5_address *address));
+
+krb5_error_code
+krb5_free_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+void
+krb5_free_ap_rep_enc_part __P((
+	krb5_context context,
+	krb5_ap_rep_enc_part *val));
+
+void
+krb5_free_authenticator __P((
+	krb5_context context,
+	krb5_authenticator *authenticator));
+
+void
+krb5_free_context __P((krb5_context context));
+
+krb5_error_code
+krb5_free_cred_contents __P((
+	krb5_context context,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_free_creds __P((
+	krb5_context context,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_free_creds_contents __P((
+	krb5_context context,
+	krb5_creds *c));
+
+void
+krb5_free_data __P((
+	krb5_context context,
+	krb5_data *p));
+
+void
+krb5_free_error __P((
+	krb5_context context,
+	krb5_error *error));
+
+void
+krb5_free_error_contents __P((
+	krb5_context context,
+	krb5_error *error));
+
+krb5_error_code
+krb5_free_host_realm __P((
+	krb5_context context,
+	krb5_realm *realmlist));
+
+krb5_error_code
+krb5_free_kdc_rep __P((
+	krb5_context context,
+	krb5_kdc_rep *rep));
+
+void
+krb5_free_keyblock __P((
+	krb5_context context,
+	krb5_keyblock *keyblock));
+
+void
+krb5_free_keyblock_contents __P((
+	krb5_context context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_free_krbhst __P((
+	krb5_context context,
+	char **hostlist));
+
+void
+krb5_free_principal __P((
+	krb5_context context,
+	krb5_principal p));
+
+krb5_error_code
+krb5_free_salt __P((
+	krb5_context context,
+	krb5_salt salt));
+
+krb5_error_code
+krb5_free_ticket __P((
+	krb5_context context,
+	krb5_ticket *ticket));
+
+krb5_error_code
+krb5_fwd_tgt_creds __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const char *hostname,
+	krb5_principal client,
+	krb5_principal server,
+	krb5_ccache ccache,
+	int forwardable,
+	krb5_data *out_data));
+
+void
+krb5_generate_random_block __P((
+	void *buf,
+	size_t len));
+
+krb5_error_code
+krb5_generate_random_keyblock __P((
+	krb5_context context,
+	krb5_enctype type,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_generate_seq_number __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	int32_t *seqno));
+
+krb5_error_code
+krb5_generate_subkey __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	krb5_keyblock **subkey));
+
+krb5_error_code
+krb5_get_all_client_addrs __P((
+	krb5_context context,
+	krb5_addresses *res));
+
+krb5_error_code
+krb5_get_all_server_addrs __P((
+	krb5_context context,
+	krb5_addresses *res));
+
+krb5_error_code
+krb5_get_cred_from_kdc __P((
+	krb5_context context,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds,
+	krb5_creds ***ret_tgts));
+
+krb5_error_code
+krb5_get_credentials __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_get_credentials_with_flags __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_kdc_flags flags,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_get_default_in_tkt_etypes __P((
+	krb5_context context,
+	krb5_enctype **etypes));
+
+krb5_error_code
+krb5_get_default_principal __P((
+	krb5_context context,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_get_default_realm __P((
+	krb5_context context,
+	krb5_realm *realm));
+
+krb5_error_code
+krb5_get_default_realms __P((
+	krb5_context context,
+	krb5_realm **realms));
+
+const char *
+krb5_get_err_text __P((
+	krb5_context context,
+	krb5_error_code code));
+
+krb5_error_code
+krb5_get_extra_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_get_fcache_version __P((
+	krb5_context context,
+	int *version));
+
+krb5_error_code
+krb5_get_forwarded_creds __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_ccache ccache,
+	krb5_flags flags,
+	const char *hostname,
+	krb5_creds *in_creds,
+	krb5_data *out_data));
+
+krb5_error_code
+krb5_get_host_realm __P((
+	krb5_context context,
+	const char *host,
+	krb5_realm **realms));
+
+krb5_error_code
+krb5_get_host_realm_int __P((
+	krb5_context context,
+	const char *host,
+	krb5_realm **realms));
+
+krb5_error_code
+krb5_get_in_cred __P((
+	krb5_context context,
+	krb5_flags options,
+	const krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *ptypes,
+	const krb5_preauthdata *preauth,
+	krb5_key_proc key_proc,
+	krb5_const_pointer keyseed,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt __P((
+	krb5_context context,
+	krb5_flags options,
+	const krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *ptypes,
+	krb5_key_proc key_proc,
+	krb5_const_pointer keyseed,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg,
+	krb5_creds *creds,
+	krb5_ccache ccache,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_keytab __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	krb5_keytab keytab,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_password __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	const char *password,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_skey __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	const krb5_keyblock *key,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_init_creds_keytab __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal client,
+	krb5_keytab keytab,
+	krb5_deltat start_time,
+	const char *in_tkt_service,
+	krb5_get_init_creds_opt *options));
+
+void
+krb5_get_init_creds_opt_init __P((krb5_get_init_creds_opt *opt));
+
+void
+krb5_get_init_creds_opt_set_address_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_addresses *addresses));
+
+void
+krb5_get_init_creds_opt_set_etype_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_enctype *etype_list,
+	int etype_list_length));
+
+void
+krb5_get_init_creds_opt_set_forwardable __P((
+	krb5_get_init_creds_opt *opt,
+	int forwardable));
+
+void
+krb5_get_init_creds_opt_set_preauth_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_preauthtype *preauth_list,
+	int preauth_list_length));
+
+void
+krb5_get_init_creds_opt_set_proxiable __P((
+	krb5_get_init_creds_opt *opt,
+	int proxiable));
+
+void
+krb5_get_init_creds_opt_set_renew_life __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_deltat renew_life));
+
+void
+krb5_get_init_creds_opt_set_salt __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_data *salt));
+
+void
+krb5_get_init_creds_opt_set_tkt_life __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_deltat tkt_life));
+
+krb5_error_code
+krb5_get_init_creds_password __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal client,
+	const char *password,
+	krb5_prompter_fct prompter,
+	void *data,
+	krb5_deltat start_time,
+	const char *in_tkt_service,
+	krb5_get_init_creds_opt *options));
+
+krb5_error_code
+krb5_get_kdc_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_kdc_flags flags,
+	krb5_addresses *addresses,
+	Ticket *second_ticket,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds ));
+
+krb5_error_code
+krb5_get_krb_admin_hst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_krb_changepw_hst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_krbhst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_pw_salt __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	krb5_salt *salt));
+
+krb5_boolean
+krb5_get_use_admin_kdc __P((krb5_context context));
+
+size_t
+krb5_get_wrapped_length __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	size_t data_len));
+
+int
+krb5_getportbyname __P((
+	krb5_context context,
+	const char *service,
+	const char *proto,
+	int default_port));
+
+krb5_error_code
+krb5_h_addr2addr __P((
+	int af,
+	const char *haddr,
+	krb5_address *addr));
+
+krb5_error_code
+krb5_h_addr2sockaddr __P((
+	int af,
+	const char *addr,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+krb5_error_code
+krb5_init_context __P((krb5_context *context));
+
+void
+krb5_init_ets __P((krb5_context context));
+
+krb5_error_code
+krb5_init_etype __P((
+	krb5_context context,
+	unsigned *len,
+	int **val,
+	const krb5_enctype *etypes));
+
+krb5_error_code
+krb5_initlog __P((
+	krb5_context context,
+	const char *program,
+	krb5_log_facility **fac));
+
+krb5_error_code
+krb5_keyblock_key_proc __P((
+	krb5_context context,
+	krb5_keytype type,
+	krb5_data *salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_keytab_key_proc __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_salt salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_keytype_to_enctypes __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	unsigned *len,
+	int **val));
+
+krb5_error_code
+krb5_keytype_to_enctypes_default __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	unsigned *len,
+	int **val));
+
+krb5_error_code
+krb5_keytype_to_string __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	char **string));
+
+krb5_error_code
+krb5_kt_add_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_close __P((
+	krb5_context context,
+	krb5_keytab id));
+
+krb5_boolean
+krb5_kt_compare __P((
+	krb5_context context,
+	krb5_keytab_entry *entry,
+	krb5_const_principal principal,
+	krb5_kvno vno,
+	krb5_enctype enctype));
+
+krb5_error_code
+krb5_kt_copy_entry_contents __P((
+	krb5_context context,
+	const krb5_keytab_entry *in,
+	krb5_keytab_entry *out));
+
+krb5_error_code
+krb5_kt_default __P((
+	krb5_context context,
+	krb5_keytab *id));
+
+krb5_error_code
+krb5_kt_default_name __P((
+	krb5_context context,
+	char *name,
+	size_t namesize));
+
+krb5_error_code
+krb5_kt_end_seq_get __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_kt_cursor *cursor));
+
+krb5_error_code
+krb5_kt_free_entry __P((
+	krb5_context context,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_get_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_const_principal principal,
+	krb5_kvno kvno,
+	krb5_enctype enctype,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_get_name __P((
+	krb5_context context,
+	krb5_keytab keytab,
+	char *name,
+	size_t namesize));
+
+krb5_error_code
+krb5_kt_next_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry,
+	krb5_kt_cursor *cursor));
+
+krb5_error_code
+krb5_kt_read_service_key __P((
+	krb5_context context,
+	krb5_pointer keyprocarg,
+	krb5_principal principal,
+	krb5_kvno vno,
+	krb5_enctype enctype,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_kt_register __P((
+	krb5_context context,
+	const krb5_kt_ops *ops));
+
+krb5_error_code
+krb5_kt_remove_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_resolve __P((
+	krb5_context context,
+	const char *name,
+	krb5_keytab *id));
+
+krb5_error_code
+krb5_kt_start_seq_get __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_kt_cursor *cursor));
+
+krb5_boolean
+krb5_kuserok __P((
+	krb5_context context,
+	krb5_principal principal,
+	const char *luser));
+
+krb5_error_code
+krb5_log __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	const char *fmt,
+	...))
+    __attribute__((format (printf, 4, 5)));
+
+krb5_error_code
+krb5_log_msg __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	char **reply,
+	const char *fmt,
+	...))
+    __attribute__((format (printf, 5, 6)));
+
+krb5_error_code
+krb5_make_addrport __P((
+	krb5_address **res,
+	const krb5_address *addr,
+	int16_t port));
+
+krb5_error_code
+krb5_make_principal __P((
+	krb5_context context,
+	krb5_principal *principal,
+	krb5_const_realm realm,
+	...));
+
+size_t
+krb5_max_sockaddr_size __P((void));
+
+krb5_error_code
+krb5_mk_error __P((
+	krb5_context context,
+	krb5_error_code error_code,
+	const char *e_text,
+	const krb5_data *e_data,
+	const krb5_principal client,
+	const krb5_principal server,
+	time_t ctime,
+	krb5_data *reply));
+
+krb5_error_code
+krb5_mk_priv __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *userdata,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_mk_rep __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	const char *service,
+	const char *hostname,
+	krb5_data *in_data,
+	krb5_ccache ccache,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req_extended __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req_internal __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_data *outbuf,
+	krb5_key_usage usage));
+
+krb5_error_code
+krb5_mk_safe __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *userdata,
+	krb5_data *outbuf,
+	void *outdata));
+
+ssize_t
+krb5_net_read __P((
+	krb5_context context,
+	void *p_fd,
+	void *buf,
+	size_t len));
+
+ssize_t
+krb5_net_write __P((
+	krb5_context context,
+	void *p_fd,
+	const void *buf,
+	size_t len));
+
+krb5_error_code
+krb5_openlog __P((
+	krb5_context context,
+	const char *program,
+	krb5_log_facility **fac));
+
+krb5_error_code
+krb5_parse_address __P((
+	krb5_context context,
+	const char *string,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_parse_name __P((
+	krb5_context context,
+	const char *name,
+	krb5_principal *principal));
+
+krb5_error_code
+krb5_password_key_proc __P((
+	krb5_context context,
+	krb5_enctype type,
+	krb5_salt salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_realm*
+krb5_princ_realm __P((
+	krb5_context context,
+	krb5_principal principal));
+
+void
+krb5_princ_set_realm __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_realm *realm));
+
+krb5_error_code
+krb5_principal2principalname __P((
+	PrincipalName *p,
+	const krb5_principal from));
+
+krb5_boolean
+krb5_principal_compare __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_boolean
+krb5_principal_compare_any_realm __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_error_code
+krb5_print_address __P((
+	const krb5_address *addr,
+	char *str,
+	size_t len,
+	size_t *ret_len));
+
+int
+krb5_program_setup __P((
+	krb5_context *context,
+	int argc,
+	char **argv,
+	struct getargs *args,
+	int num_args,
+	void (*usage)(int, struct getargs*, int)));
+
+int
+krb5_prompter_posix __P((
+	krb5_context context,
+	void *data,
+	const char *banner,
+	int num_prompts,
+	krb5_prompt prompts[]));
+
+krb5_error_code
+krb5_rd_cred __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_ccache ccache,
+	krb5_data *in_data));
+
+krb5_error_code
+krb5_rd_error __P((
+	krb5_context context,
+	krb5_data *msg,
+	KRB_ERROR *result));
+
+krb5_error_code
+krb5_rd_priv __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_rd_rep __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_ap_rep_enc_part **repl));
+
+krb5_error_code
+krb5_rd_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_data *inbuf,
+	krb5_const_principal server,
+	krb5_keytab keytab,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_rd_req_with_keyblock __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_data *inbuf,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_rd_safe __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_read_message __P((
+	krb5_context context,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_boolean
+krb5_realm_compare __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_error_code
+krb5_recvauth __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	char *appl_version,
+	krb5_principal server,
+	int32_t flags,
+	krb5_keytab keytab,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_recvauth_match_version __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	krb5_boolean (*match_appl_version)(void *, const char*),
+	void *match_data,
+	krb5_principal server,
+	int32_t flags,
+	krb5_keytab keytab,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_ret_address __P((
+	krb5_storage *sp,
+	krb5_address *adr));
+
+krb5_error_code
+krb5_ret_addrs __P((
+	krb5_storage *sp,
+	krb5_addresses *adr));
+
+krb5_error_code
+krb5_ret_authdata __P((
+	krb5_storage *sp,
+	krb5_authdata *auth));
+
+krb5_error_code
+krb5_ret_creds __P((
+	krb5_storage *sp,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_ret_data __P((
+	krb5_storage *sp,
+	krb5_data *data));
+
+krb5_error_code
+krb5_ret_int16 __P((
+	krb5_storage *sp,
+	int16_t *value));
+
+krb5_error_code
+krb5_ret_int32 __P((
+	krb5_storage *sp,
+	int32_t *value));
+
+krb5_error_code
+krb5_ret_int8 __P((
+	krb5_storage *sp,
+	int8_t *value));
+
+krb5_error_code
+krb5_ret_keyblock __P((
+	krb5_storage *sp,
+	krb5_keyblock *p));
+
+krb5_error_code
+krb5_ret_principal __P((
+	krb5_storage *sp,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_ret_string __P((
+	krb5_storage *sp,
+	char **string));
+
+krb5_error_code
+krb5_ret_stringz __P((
+	krb5_storage *sp,
+	char **string));
+
+krb5_error_code
+krb5_ret_times __P((
+	krb5_storage *sp,
+	krb5_times *times));
+
+krb5_error_code
+krb5_salttype_to_string __P((
+	krb5_context context,
+	krb5_enctype etype,
+	krb5_salttype stype,
+	char **string));
+
+krb5_error_code
+krb5_sendauth __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	const char *appl_version,
+	krb5_principal client,
+	krb5_principal server,
+	krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_ccache ccache,
+	krb5_error **ret_error,
+	krb5_ap_rep_enc_part **rep_result,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_sendto_kdc __P((
+	krb5_context context,
+	const krb5_data *send,
+	const krb5_realm *realm,
+	krb5_data *receive));
+
+krb5_error_code
+krb5_set_default_in_tkt_etypes __P((
+	krb5_context context,
+	const krb5_enctype *etypes));
+
+krb5_error_code
+krb5_set_default_realm __P((
+	krb5_context context,
+	char *realm));
+
+krb5_error_code
+krb5_set_extra_addresses __P((
+	krb5_context context,
+	const krb5_addresses *addresses));
+
+krb5_error_code
+krb5_set_fcache_version __P((
+	krb5_context context,
+	int version));
+
+void
+krb5_set_use_admin_kdc __P((
+	krb5_context context,
+	krb5_boolean flag));
+
+krb5_error_code
+krb5_set_warn_dest __P((
+	krb5_context context,
+	krb5_log_facility *fac));
+
+krb5_error_code
+krb5_sname_to_principal __P((
+	krb5_context context,
+	const char *hostname,
+	const char *sname,
+	int32_t type,
+	krb5_principal *ret_princ));
+
+krb5_error_code
+krb5_sock_to_principal __P((
+	krb5_context context,
+	int sock,
+	const char *sname,
+	int32_t type,
+	krb5_principal *ret_princ));
+
+krb5_error_code
+krb5_sockaddr2address __P((
+	const struct sockaddr *sa,
+	krb5_address *addr));
+
+krb5_error_code
+krb5_sockaddr2port __P((
+	const struct sockaddr *sa,
+	int16_t *port));
+
+krb5_boolean
+krb5_sockaddr_uninteresting __P((const struct sockaddr *sa));
+
+void
+krb5_std_usage __P((
+	int code,
+	struct getargs *args,
+	int num_args));
+
+void
+krb5_storage_clear_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+krb5_storage *
+krb5_storage_emem __P((void));
+
+krb5_error_code
+krb5_storage_free __P((krb5_storage *sp));
+
+krb5_storage *
+krb5_storage_from_data __P((krb5_data *data));
+
+krb5_storage *
+krb5_storage_from_fd __P((int fd));
+
+krb5_storage *
+krb5_storage_from_mem __P((
+	void *buf,
+	size_t len));
+
+krb5_boolean
+krb5_storage_is_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+void
+krb5_storage_set_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_storage_to_data __P((
+	krb5_storage *sp,
+	krb5_data *data));
+
+krb5_error_code
+krb5_store_address __P((
+	krb5_storage *sp,
+	krb5_address p));
+
+krb5_error_code
+krb5_store_addrs __P((
+	krb5_storage *sp,
+	krb5_addresses p));
+
+krb5_error_code
+krb5_store_authdata __P((
+	krb5_storage *sp,
+	krb5_authdata auth));
+
+krb5_error_code
+krb5_store_creds __P((
+	krb5_storage *sp,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_store_data __P((
+	krb5_storage *sp,
+	krb5_data data));
+
+krb5_error_code
+krb5_store_int16 __P((
+	krb5_storage *sp,
+	int16_t value));
+
+krb5_error_code
+krb5_store_int32 __P((
+	krb5_storage *sp,
+	int32_t value));
+
+krb5_error_code
+krb5_store_int8 __P((
+	krb5_storage *sp,
+	int8_t value));
+
+krb5_error_code
+krb5_store_keyblock __P((
+	krb5_storage *sp,
+	krb5_keyblock p));
+
+krb5_error_code
+krb5_store_principal __P((
+	krb5_storage *sp,
+	krb5_principal p));
+
+krb5_error_code
+krb5_store_string __P((
+	krb5_storage *sp,
+	const char *s));
+
+krb5_error_code
+krb5_store_stringz __P((
+	krb5_storage *sp,
+	char *s));
+
+krb5_error_code
+krb5_store_times __P((
+	krb5_storage *sp,
+	krb5_times times));
+
+krb5_error_code
+krb5_string_to_enctype __P((
+	krb5_context context,
+	const char *string,
+	krb5_enctype *etype));
+
+krb5_error_code
+krb5_string_to_key __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	const char *password,
+	krb5_principal principal,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_data __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_data password,
+	krb5_principal principal,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_data_salt __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_data password,
+	krb5_salt salt,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_derived __P((
+	krb5_context context,
+	const void *str,
+	size_t len,
+	krb5_enctype etype,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_salt __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	const char *password,
+	krb5_salt salt,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_keytype __P((
+	krb5_context context,
+	const char *string,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_string_to_salttype __P((
+	krb5_context context,
+	krb5_enctype etype,
+	const char *string,
+	krb5_salttype *salttype));
+
+krb5_error_code
+krb5_timeofday __P((
+	krb5_context context,
+	krb5_timestamp *timeret));
+
+krb5_error_code
+krb5_unparse_name __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char **name));
+
+krb5_error_code
+krb5_unparse_name_fixed __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char *name,
+	size_t len));
+
+krb5_error_code
+krb5_unparse_name_fixed_short __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char *name,
+	size_t len));
+
+krb5_error_code
+krb5_unparse_name_short __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char **name));
+
+krb5_error_code
+krb5_us_timeofday __P((
+	krb5_context context,
+	int32_t *sec,
+	int32_t *usec));
+
+krb5_error_code
+krb5_vabort __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vabortx __P((
+	krb5_context context,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 2, 0)));
+
+krb5_error_code
+krb5_verify_ap_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_ap_req *ap_req,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags flags,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_verify_authenticator_checksum __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	void *data,
+	size_t len));
+
+krb5_error_code
+krb5_verify_checksum __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	krb5_key_usage usage,
+	void *data,
+	size_t len,
+	Checksum *cksum));
+
+krb5_error_code
+krb5_verify_init_creds __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal ap_req_server,
+	krb5_keytab ap_req_keytab,
+	krb5_ccache *ccache,
+	krb5_verify_init_creds_opt *options));
+
+void
+krb5_verify_init_creds_opt_init __P((krb5_verify_init_creds_opt *options));
+
+void
+krb5_verify_init_creds_opt_set_ap_req_nofail __P((
+	krb5_verify_init_creds_opt *options,
+	int ap_req_nofail));
+
+krb5_error_code
+krb5_verify_user __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_ccache ccache,
+	const char *password,
+	krb5_boolean secure,
+	const char *service));
+
+krb5_error_code
+krb5_verify_user_lrealm __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_ccache ccache,
+	const char *password,
+	krb5_boolean secure,
+	const char *service));
+
+krb5_error_code
+krb5_verr __P((
+	krb5_context context,
+	int eval,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 4, 0)));
+
+krb5_error_code
+krb5_verrx __P((
+	krb5_context context,
+	int eval,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vlog __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	const char *fmt,
+	va_list ap))
+    __attribute__((format (printf, 4, 0)));
+
+krb5_error_code
+krb5_vlog_msg __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	char **reply,
+	int level,
+	const char *fmt,
+	va_list ap))
+    __attribute__((format (printf, 5, 0)));
+
+krb5_error_code
+krb5_vwarn __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vwarnx __P((
+	krb5_context context,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((format (printf, 2, 0)));
+
+krb5_error_code
+krb5_warn __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((format (printf, 3, 4)));
+
+krb5_error_code
+krb5_warnx __P((
+	krb5_context context,
+	const char *fmt,
+	...))
+    __attribute__ ((format (printf, 2, 3)));
+
+krb5_error_code
+krb5_write_message __P((
+	krb5_context context,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_xfree __P((void *ptr));
+
+krb5_error_code
+principalname2krb5_principal __P((
+	krb5_principal *principal,
+	const PrincipalName from,
+	const Realm realm));
+
+#endif /* __krb5_protos_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
new file mode 100644
index 0000000..2a0adb6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -0,0 +1,167 @@
+.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $
+.\"
+.Dd April 11, 1999
+.Dt KRB5.CONF 5
+.Os HEIMDAL
+.Sh NAME
+.Nm /etc/krb5.conf
+.Nd
+Configuration file for Kerberos 5
+.Sh DESCRIPTION
+The 
+.Nm
+file specifies several configuration parameters for the Kerberos 5
+library, as well as for some programs.
+.Pp
+The file consists of one or more sections, containing a number of
+bindings. The value of each binding can be either a string or a list
+of other bindings. The grammar looks like:
+.Bd -literal -offset indent
+file:
+	/* empty */
+	sections
+
+sections:
+	section sections
+	section
+
+section:
+	'[' section_name ']' bindings
+
+section_name:
+	STRING
+
+bindings:
+	binding bindings
+	binding
+
+binding:
+	name '=' STRING
+	name '=' '{' bindings '}'
+
+name:
+	STRING
+
+.Ed
+.Li STRINGs
+consists of one or more non-white space characters.
+Currently recognised sections and bindings are:
+
+.Bl -tag -width "xxx" -offset indent
+.It Li [libdefaults]
+.Bl -tag -width "xxx" -offset indent
+.It Li default_realm = Va REALM
+Default realm to use, this is also known as your 
+.Dq local realm .
+The default is the result of
+.Fn krb5_get_host_realm "local hostname" .
+.It Li clockskew = Va time
+Maximum time differential (in seconds) allowed when comparing
+times. Default is 300 seconds (five minutes).
+.It Li kdc_timeout = Va time
+Maximum time to wait for a reply from the kdc, default is 3 seconds.
+.It v4_name_convert
+.It v4_instance_resolve
+These are decribed in the 
+.Xr krb5_425_conv_principal  3
+manual page.
+.It Li capath = Va realm-routing-table
+.It Li default_etypes = Va etypes...
+A list of default etypes to use.
+.It Li default_etypes_des = Va etypes...
+A list of default etypes to use when requesting a DES credential.
+.It Li default_keytab_name = Va keytab
+The keytab to use if none other is specified, default is
+.Dq FILE:/etc/krb5.keytab .
+.It Li kdc_timesync = Va boolean
+Try to keep track of the time differential between the local machine
+and the KDC, and then compensate for that when issuing requests.
+.It Li max_retries = Va number
+The max number of times to try to contact each KDC.
+.It Li ticket_lifetime = Va time
+Default ticket lifetime.
+.It Li renew_lifetime = Va time
+Default renewable ticket lifetime.
+.It Li verify_ap_req_nofail = Va boolean
+Enable to make a failure to verify obtained credentials
+non-fatal. This can be useful if there is no keytab on a host.
+.It Li warn_pwexpire = Va time
+How soon to warn for expiring password. Default is seven days.
+.It Li http_proxy = Va proxy-spec
+A HTTP-proxy to use when talking to the KDC via HTTP.
+.It Li dns_proxy = Va proxy-spec
+Enable using DNS via HTTP.
+.It Li extra_addresses = Va address...
+A list of addresses to get tickets for along with all local addresses.
+.It Li time_format = Va string
+How to print time strings in logs, this string is passed to
+.Xr strftime 3 .
+.It Li log_utc = Va boolean
+Write log-entries using UTC instead of your local time zone.
+.El
+.It Li [domain_realm]
+This is a list of mappings from DNS domain to Kerberos realm. Each
+binding in this section looks like:
+.Pp
+.Dl domain = realm
+.Pp
+The domain can be either a full name of a host or a trailing
+component, in the latter case the domain-string should start with a
+perid.
+.It Li [realms]
+.Bl -tag -width "xxx" -offset indent
+.It Va REALM Li = {
+.Bl -tag -width "xxx" -offset indent
+.It Li kdc = Va host[:port]
+Specifies a kdc for this realm. If the optional port is absent, the
+default value for the
+.Dq kerberos/udp
+service will be used.
+.It Li v4_instance_convert
+.It Li v4_name_convert
+.It Li default_domain
+See
+.Xr krb5_425_conv_principal 3 .
+.El
+.It Li }
+.El
+.It Li [logging]
+.Bl -tag -width "xxx" -offset indent
+.It Va entity Li = Va destination
+Specifies that
+.Va entity
+should use the specified
+.Li destination
+for logging. See the
+.Xr krb5_openlog 3
+manual page for a list of defined destinations.
+.El
+.El
+.Sh EXAMPLE
+.Bd -literal -offset indent
+[lib_defaults]
+	default_domain = FOO.SE
+[domain_realm]
+	.foo.se = FOO.SE
+	.bar.se = FOO.SE
+[realms]
+	FOO.SE = {
+		kdc = kerberos.foo.se
+		v4_name_convert = {
+			rcmd = host
+		}
+		v4_instance_convert = {
+			xyz = xyz.bar.se
+		}
+		default_domain = foo.se
+	}
+[logging]
+	kdc = FILE:/var/heimdal/kdc.log
+	kdc = SYSLOG:INFO
+	default = SYSLOG:INFO:USER
+.Ed
+.Sh SEE ALSO
+.Xr krb5_openlog 3 ,
+.Xr krb5_425_conv_principal 3 ,
+.Xr strftime 3 ,
+.Xr Source tm
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h
new file mode 100644
index 0000000..15837e0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.h
@@ -0,0 +1,604 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb5.h,v 1.164 2000/02/06 07:40:57 assar Exp $ */
+
+#ifndef __KRB5_H__
+#define __KRB5_H__
+
+#include <time.h>
+#include <krb5-types.h>
+
+#include <asn1_err.h>
+#include <krb5_err.h>
+#include <heim_err.h>
+
+#include <asn1.h>
+
+/* simple constants */
+
+#ifndef TRUE
+#define TRUE  1
+#define FALSE 0
+#endif
+
+typedef int krb5_boolean;
+
+typedef int32_t krb5_error_code;
+
+typedef int krb5_kvno;
+
+typedef u_int32_t krb5_flags;
+
+typedef void *krb5_pointer;
+typedef const void *krb5_const_pointer;
+
+typedef octet_string krb5_data;
+
+struct krb5_crypto_data;
+typedef struct krb5_crypto_data *krb5_crypto;
+
+typedef enum krb5_cksumtype { 
+  CKSUMTYPE_NONE		= 0,
+  CKSUMTYPE_CRC32		= 1,
+  CKSUMTYPE_RSA_MD4		= 2,
+  CKSUMTYPE_RSA_MD4_DES		= 3,
+  CKSUMTYPE_DES_MAC		= 4,
+  CKSUMTYPE_DES_MAC_K		= 5,
+  CKSUMTYPE_RSA_MD4_DES_K	= 6,
+  CKSUMTYPE_RSA_MD5		= 7,
+  CKSUMTYPE_RSA_MD5_DES		= 8,
+  CKSUMTYPE_RSA_MD5_DES3	= 9,
+/*  CKSUMTYPE_SHA1		= 10,*/
+  CKSUMTYPE_HMAC_SHA1_DES3	= 12,
+  CKSUMTYPE_SHA1		= 1000, /* correct value? */
+  CKSUMTYPE_HMAC_MD5		= -138, /* unofficial microsoft number */
+  CKSUMTYPE_HMAC_MD5_ENC	= -1138 /* even more unofficial */
+} krb5_cksumtype;
+
+
+typedef enum krb5_enctype { 
+  ETYPE_NULL			= 0,
+  ETYPE_DES_CBC_CRC		= 1,
+  ETYPE_DES_CBC_MD4		= 2,
+  ETYPE_DES_CBC_MD5		= 3,
+  ETYPE_DES3_CBC_MD5		= 5,
+  ETYPE_OLD_DES3_CBC_SHA1	= 7,
+  ETYPE_SIGN_DSA_GENERATE	= 8,
+  ETYPE_ENCRYPT_RSA_PRIV	= 9,
+  ETYPE_ENCRYPT_RSA_PUB		= 10,
+  ETYPE_DES3_CBC_SHA1		= 16, /* with key derivation */
+  ETYPE_ARCFOUR_HMAC_MD5	= 23,
+  ETYPE_ARCFOUR_HMAC_MD5_56	= 24,
+  ETYPE_ENCTYPE_PK_CROSS	= 48,
+  ETYPE_DES_CBC_NONE		= 0x1000,
+  ETYPE_DES3_CBC_NONE		= 0x1001
+} krb5_enctype;
+
+typedef enum krb5_preauthtype {
+  KRB5_PADATA_NONE		= 0,
+  KRB5_PADATA_AP_REQ,
+  KRB5_PADATA_TGS_REQ		= 1,
+  KRB5_PADATA_ENC_TIMESTAMP	= 2,
+  KRB5_PADATA_ENC_SECURID
+} krb5_preauthtype;
+
+typedef enum krb5_key_usage {
+    KRB5_KU_PA_ENC_TIMESTAMP = 1,
+    /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+       client key (section 5.4.1) */
+    KRB5_KU_TICKET = 2,
+    /* AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+       application session key), encrypted with the service key
+       (section 5.4.2) */
+    KRB5_KU_AS_REP_ENC_PART = 3,
+    /* AS-REP encrypted part (includes tgs session key or application
+       session key), encrypted with the client key (section 5.4.2) */
+    KRB5_KU_TGS_REQ_AUTH_DAT_SESSION = 4,
+    /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+       session key (section 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY = 5,
+    /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH_CKSUM = 6,
+    /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+       with the tgs session key (sections 5.3.2, 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH = 7,
+    /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+       authenticator subkey), encrypted with the tgs session key
+       (section 5.3.2) */
+    KRB5_KU_TGS_REP_ENC_PART_SESSION = 8,
+    /* TGS-REP encrypted part (includes application session key),
+       encrypted with the tgs session key (section 5.4.2) */
+    KRB5_KU_TGS_REP_ENC_PART_SUB_KEY = 9,
+    /* TGS-REP encrypted part (includes application session key),
+       encrypted with the tgs authenticator subkey (section 5.4.2) */
+    KRB5_KU_AP_REQ_AUTH_CKSUM = 10,
+    /* AP-REQ Authenticator cksum, keyed with the application session
+       key (section 5.3.2) */
+    KRB5_KU_AP_REQ_AUTH = 11,
+    /* AP-REQ Authenticator (includes application authenticator
+       subkey), encrypted with the application session key (section
+       5.3.2) */
+    KRB5_KU_AP_REQ_ENC_PART = 12,
+    /* AP-REP encrypted part (includes application session subkey),
+       encrypted with the application session key (section 5.5.2) */
+    KRB5_KU_KRB_PRIV = 13,
+    /* KRB-PRIV encrypted part, encrypted with a key chosen by the
+       application (section 5.7.1) */
+    KRB5_KU_KRB_CRED = 14,
+    /* KRB-CRED encrypted part, encrypted with a key chosen by the
+       application (section 5.8.1) */
+    KRB5_KU_KRB_SAFE_CKSUM = 15,
+    /* KRB-SAFE cksum, keyed with a key chosen by the application
+       (section 5.6.1) */
+    KRB5_KU_OTHER_ENCRYPTED = 16,
+    /* Data which is defined in some specification outside of
+       Kerberos to be encrypted using an RFC1510 encryption type. */
+    KRB5_KU_OTHER_CKSUM = 17
+    /* Data which is defined in some specification outside of
+       Kerberos to be checksummed using an RFC1510 checksum type. */
+} krb5_key_usage;
+
+typedef enum krb5_salttype {
+    KRB5_PW_SALT = pa_pw_salt,
+    KRB5_AFS3_SALT = pa_afs3_salt
+}krb5_salttype;
+
+typedef struct krb5_salt {
+    krb5_salttype salttype;
+    krb5_data saltvalue;
+} krb5_salt;
+
+typedef ETYPE_INFO krb5_preauthinfo;
+
+typedef struct {
+    krb5_preauthtype type;
+    krb5_preauthinfo info; /* list of preauthinfo for this type */
+} krb5_preauthdata_entry;
+
+typedef struct krb5_preauthdata {
+    unsigned len;
+    krb5_preauthdata_entry *val;
+}krb5_preauthdata;
+
+typedef enum krb5_address_type { 
+    KRB5_ADDRESS_INET     =   2,
+    KRB5_ADDRESS_INET6    =  24,
+    KRB5_ADDRESS_ADDRPORT = 256,
+    KRB5_ADDRESS_IPPORT   = 257
+} krb5_address_type;
+
+enum {
+  AP_OPTS_USE_SESSION_KEY = 1,
+  AP_OPTS_MUTUAL_REQUIRED = 2
+};
+
+typedef HostAddress krb5_address;
+
+typedef HostAddresses krb5_addresses;
+
+typedef enum krb5_keytype { 
+    KEYTYPE_NULL	= 0,
+    KEYTYPE_DES		= 1,
+    KEYTYPE_DES3	= 7,
+    KEYTYPE_ARCFOUR	= 23
+} krb5_keytype;
+
+typedef EncryptionKey krb5_keyblock;
+
+typedef AP_REQ krb5_ap_req;
+
+struct krb5_cc_ops;
+
+#define KRB5_DEFAULT_CCROOT "FILE:/tmp/krb5cc_"
+
+typedef void *krb5_cc_cursor;
+
+typedef struct krb5_ccache_data {
+    const struct krb5_cc_ops *ops;
+    krb5_data data;
+}krb5_ccache_data;
+
+typedef struct krb5_ccache_data *krb5_ccache;
+
+typedef struct krb5_context_data *krb5_context;
+
+typedef Realm krb5_realm;
+typedef const char *krb5_const_realm; /* stupid language */
+
+#define krb5_realm_length(r) strlen(r)
+#define krb5_realm_data(r) (r)
+
+typedef Principal krb5_principal_data;
+typedef struct Principal *krb5_principal;
+typedef const struct Principal *krb5_const_principal;
+
+typedef time_t krb5_deltat;
+typedef time_t krb5_timestamp;
+
+typedef struct krb5_times {
+  krb5_timestamp authtime;
+  krb5_timestamp starttime;
+  krb5_timestamp endtime;
+  krb5_timestamp renew_till;
+} krb5_times;
+
+typedef union {
+    TicketFlags b;
+    krb5_flags i;
+} krb5_ticket_flags;
+
+/* options for krb5_get_in_tkt() */
+#define KDC_OPT_FORWARDABLE		(1 << 1)
+#define KDC_OPT_FORWARDED		(1 << 2)
+#define KDC_OPT_PROXIABLE		(1 << 3)
+#define KDC_OPT_PROXY			(1 << 4)
+#define KDC_OPT_ALLOW_POSTDATE		(1 << 5)
+#define KDC_OPT_POSTDATED		(1 << 6)
+#define KDC_OPT_RENEWABLE		(1 << 8)
+#define KDC_OPT_REQUEST_ANONYMOUS	(1 << 14)
+#define KDC_OPT_DISABLE_TRANSITED_CHECK	(1 << 26)
+#define KDC_OPT_RENEWABLE_OK		(1 << 27)
+#define KDC_OPT_ENC_TKT_IN_SKEY		(1 << 28)
+#define KDC_OPT_RENEW			(1 << 30)
+#define KDC_OPT_VALIDATE		(1 << 31)
+
+typedef union {
+    KDCOptions b;
+    krb5_flags i;
+} krb5_kdc_flags;
+
+/* flags for krb5_verify_ap_req */
+
+#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID	(1 << 0)
+
+#define KRB5_GC_CACHED		1
+#define KRB5_GC_USER_USER	2
+
+/* constants for compare_creds (and cc_retrieve_cred) */
+#define KRB5_TC_DONT_MATCH_REALM	(1U << 31)
+#define KRB5_TC_MATCH_KEYTYPE		(1U << 30)
+
+typedef AuthorizationData krb5_authdata;
+
+typedef KRB_ERROR krb5_error;
+
+typedef struct krb5_creds {
+    krb5_principal client;
+    krb5_principal server;
+    krb5_keyblock session;
+    krb5_times times;
+    krb5_data ticket;
+    krb5_data second_ticket;
+    krb5_authdata authdata;
+    krb5_addresses addresses;
+    krb5_ticket_flags flags;
+} krb5_creds;
+
+typedef struct krb5_cc_ops {
+    char *prefix;
+    char* (*get_name)(krb5_context, krb5_ccache);
+    krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *);
+    krb5_error_code (*gen_new)(krb5_context, krb5_ccache *);
+    krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal);
+    krb5_error_code (*destroy)(krb5_context, krb5_ccache);
+    krb5_error_code (*close)(krb5_context, krb5_ccache);
+    krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
+    krb5_error_code (*retrieve)(krb5_context, krb5_ccache, 
+				krb5_flags, krb5_creds*, krb5_creds);
+    krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
+    krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
+    krb5_error_code (*get_next)(krb5_context, krb5_ccache, 
+				krb5_cc_cursor*, krb5_creds*);
+    krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
+    krb5_error_code (*remove_cred)(krb5_context, krb5_ccache, 
+				   krb5_flags, krb5_creds*);
+    krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
+    int (*get_version)(krb5_context, krb5_ccache);
+} krb5_cc_ops;
+
+struct krb5_log_facility;
+
+struct krb5_config_binding {
+    enum { krb5_config_string, krb5_config_list } type;
+    char *name;
+    struct krb5_config_binding *next;
+    union {
+	char *string;
+	struct krb5_config_binding *list;
+	void *generic;
+    } u;
+};
+
+typedef struct krb5_config_binding krb5_config_binding;
+
+typedef krb5_config_binding krb5_config_section;
+
+typedef struct krb5_context_data {
+    krb5_enctype *etypes;
+    krb5_enctype *etypes_des;
+    char **default_realms;
+    time_t max_skew;
+    time_t kdc_timeout;
+    unsigned max_retries;
+    int32_t kdc_sec_offset;
+    int32_t kdc_usec_offset;
+    krb5_config_section *cf;
+    struct et_list *et_list;
+    struct krb5_log_facility *warn_dest;
+    krb5_cc_ops *cc_ops;
+    int num_cc_ops;
+    const char *http_proxy;
+    const char *time_fmt;
+    krb5_boolean log_utc;
+    const char *default_keytab;
+    krb5_boolean use_admin_kdc;
+    krb5_addresses *extra_addresses;
+    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
+    krb5_boolean srv_lookup;		/* do SRV lookups */
+    krb5_boolean srv_try_txt;		/* try TXT records also */
+    krb5_boolean srv_try_rfc2052;	/* try RFC2052 compatible records */
+    int32_t fcache_vno;			/* create cache files w/ this
+                                           version */
+    int num_kt_types;			/* # of registered keytab types */
+    struct krb5_keytab_data *kt_types;  /* registered keytab types */
+} krb5_context_data;
+
+enum {
+  KRB5_NT_UNKNOWN	= 0,
+  KRB5_NT_PRINCIPAL	= 1,
+  KRB5_NT_SRV_INST	= 2,
+  KRB5_NT_SRV_HST	= 3,
+  KRB5_NT_SRV_XHST	= 4,
+  KRB5_NT_UID		= 5
+};
+
+
+typedef struct krb5_ticket {
+    EncTicketPart ticket;
+    krb5_principal client;
+    krb5_principal server;
+} krb5_ticket;
+
+typedef Authenticator krb5_authenticator_data;
+
+typedef krb5_authenticator_data *krb5_authenticator;
+
+struct krb5_rcache_data;
+typedef struct krb5_rcache_data *krb5_rcache;
+typedef Authenticator krb5_donot_reply;
+
+#define KRB5_STORAGE_HOST_BYTEORDER			0x01
+#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS	0x02
+#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE		0x04
+#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE		0x08
+
+typedef struct krb5_storage {
+    void *data;
+    ssize_t (*fetch)(struct krb5_storage*, void*, size_t);
+    ssize_t (*store)(struct krb5_storage*, void*, size_t);
+    off_t (*seek)(struct krb5_storage*, off_t, int);
+    void (*free)(struct krb5_storage*);
+    krb5_flags flags;
+} krb5_storage;
+
+typedef struct krb5_keytab_entry {
+    krb5_principal principal;
+    krb5_kvno vno;
+    krb5_keyblock keyblock;
+    u_int32_t timestamp;
+} krb5_keytab_entry;
+
+typedef struct krb5_kt_cursor {
+    int fd;
+    krb5_storage *sp;
+    void *data;
+} krb5_kt_cursor;
+
+struct krb5_keytab_data;
+
+typedef struct krb5_keytab_data *krb5_keytab;
+
+struct krb5_keytab_data {
+    char *prefix;
+    krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab);
+    krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t);
+    krb5_error_code (*close)(krb5_context, krb5_keytab);
+    krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal, 
+			   krb5_kvno, krb5_enctype, krb5_keytab_entry*);
+    krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (*next_entry)(krb5_context, krb5_keytab, 
+				  krb5_keytab_entry*, krb5_kt_cursor*);
+    krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    void *data;
+    int32_t version;
+};
+
+typedef struct krb5_keytab_data krb5_kt_ops;
+
+struct krb5_keytab_key_proc_args {
+    krb5_keytab keytab;
+    krb5_principal principal;
+};
+
+typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
+
+enum {
+    KRB5_AUTH_CONTEXT_DO_TIME      = 1,
+    KRB5_AUTH_CONTEXT_RET_TIME     = 2,
+    KRB5_AUTH_CONTEXT_DO_SEQUENCE  = 4,
+    KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8
+};
+
+typedef struct krb5_auth_context_data {
+    unsigned int flags;
+
+    krb5_address *local_address;
+    krb5_address *remote_address;
+    int16_t local_port;
+    int16_t remote_port;
+    krb5_keyblock *keyblock;
+    krb5_keyblock *local_subkey;
+    krb5_keyblock *remote_subkey;
+
+    int32_t local_seqnumber;
+    int32_t remote_seqnumber;
+
+    krb5_authenticator authenticator;
+  
+    krb5_pointer i_vector;
+  
+    krb5_rcache rcache;
+
+    krb5_keytype keytype;	/* ¿requested key type ? */
+    krb5_cksumtype cksumtype;	/* ¡requested checksum type! */
+  
+}krb5_auth_context_data, *krb5_auth_context;
+
+typedef struct {
+    KDC_REP kdc_rep;
+    EncKDCRepPart enc_part;
+    KRB_ERROR error;
+} krb5_kdc_rep;
+
+extern char *heimdal_version, *heimdal_long_version;
+
+typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (*krb5_log_close_func_t)(void*);
+
+typedef struct krb5_log_facility {
+    const char *program;
+    int len;
+    struct facility *val;
+} krb5_log_facility;
+
+typedef EncAPRepPart krb5_ap_rep_enc_part;
+
+#define KRB5_RECVAUTH_IGNORE_VERSION 1
+
+#define KRB5_SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"
+
+#define KRB5_TGS_NAME_SIZE (6)
+#define KRB5_TGS_NAME ("krbtgt")
+
+/* variables */
+
+extern const char krb5_config_file[];
+extern const char krb5_defkeyname[];
+
+typedef struct _krb5_prompt {
+    char *prompt;
+    int hidden;
+    krb5_data *reply;
+} krb5_prompt;
+
+typedef int (*krb5_prompter_fct)(krb5_context context,
+				 void *data,
+				 const char *banner,
+				 int num_prompts,
+				 krb5_prompt prompts[]);
+
+typedef krb5_error_code (*krb5_key_proc)(krb5_context context,
+					 krb5_enctype type,
+					 krb5_salt salt,
+					 krb5_const_pointer keyseed,
+					 krb5_keyblock **key);
+typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context,
+					     krb5_keyblock *key,
+					     krb5_key_usage usage,
+					     krb5_const_pointer decrypt_arg,
+					     krb5_kdc_rep *dec_rep);
+
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    int forwardable;
+    int proxiable;
+    krb5_enctype *etype_list;
+    int etype_list_length;
+    krb5_addresses *address_list;
+#if 0 /* this is the MIT-way */
+    krb5_address **address_list;
+#endif
+    /* XXX the next three should not be used, as they may be
+       removed later */
+    krb5_preauthtype *preauth_list;
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
+#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE	0x0002
+#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE	0x0004
+#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE	0x0008
+#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST	0x0010
+#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
+#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
+#define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
+
+typedef struct _krb5_verify_init_creds_opt {
+    krb5_flags flags;
+    int ap_req_nofail;
+} krb5_verify_init_creds_opt;
+
+#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL	0x0001
+
+extern const krb5_cc_ops krb5_fcc_ops;
+extern const krb5_cc_ops krb5_mcc_ops;
+
+extern const krb5_kt_ops krb5_fkt_ops;
+extern const krb5_kt_ops krb5_mkt_ops;
+extern const krb5_kt_ops krb5_akf_ops;
+
+#define KRB5_KPASSWD_SUCCESS	0
+#define KRB5_KPASSWD_MALFORMED	0
+#define KRB5_KPASSWD_HARDERROR	0
+#define KRB5_KPASSWD_AUTHERROR	0
+#define KRB5_KPASSWD_SOFTERROR	0
+
+#define KPASSWD_PORT 464
+
+struct credentials; /* this is to keep the compiler happy */
+struct getargs;
+
+struct sockaddr;
+
+#include <krb5-protos.h>
+
+#endif /* __KRB5_H__ */
+
diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
new file mode 100644
index 0000000..231c3ff
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
@@ -0,0 +1,198 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_425_conv_principal.3,v 1.3 1999/04/11 01:47:22 joda Exp $
+.Dd April 11, 1999
+.Dt KRB5_425_CONV_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_425_conv_principal ,
+.Nm krb5_425_conv_principal_ext ,
+.Nm krb5_524_conv_principal
+.Nd Converts to and from version 4 principals
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_425_conv_principal "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_principal *principal"
+
+.Ft krb5_error_code
+.Fn krb5_425_conv_principal_ext "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_boolean (*func)(krb5_context, krb5_principal)" "krb5_boolean resolve" "krb5_principal *principal"
+
+.Ft krb5_error_code
+.Fn krb5_524_conv_principal "krb5_context context" "const krb5_principal principal" "char *name" "char *instance" "char *realm"
+
+.Sh DESCRIPTION
+
+Converting between version 4 and version 5 principals can at best be
+described as a mess.
+.Pp
+A version 4 principal consists of a name, an instance, and a realm. A
+version 5 principal consists of one or more components, and a
+realm. In some cases also the first component/name will differ between
+version 4 and version 5.  Furthermore the second component of a host
+principal will be the fully qualified domain name of the host in
+question, while the instance of a version 4 principal will only
+contain the first component.  Because of these problems the conversion
+between principals will have to be site customized.
+.Pp
+.Fn krb5_425_conv_principal_ext
+will try to convert a version 4 principal, given by
+.Fa name ,
+.Fa instance ,
+and
+.Fa realm ,
+to a version 5 principal. This can result in several possible
+principals, and if
+.Fa func
+is non-NULL, it will be called for each candidate principal.
+.Fa func
+should return true if the principal was
+.Dq good .
+To accomplish this, 
+.Fn krb5_425_conv_principal_ext 
+will look up the name in
+.Pa krb5.conf .
+It first looks in the 
+.Li v4_name_convert/host
+subsection, which should contain a list of version 4 names whose
+instance should be treated as a hostname. This list can be specified
+for each realm (in the
+.Li realms
+section), or in the
+.Li libdefaults
+section.  If the name is found the resulting name of the principal
+will be the value of this binding. The instance is then first looked
+up in
+.Li v4_instance_convert 
+for the specified realm. If found the resulting value will be used as
+instance (this can be used for special cases), no further attempts
+will be made to find a conversion if this fails (with
+.Fa func ) .
+If the
+.Fa resolve
+parameter is true, the instance will be looked up with
+.Fn gethostbyname .
+This can be a time consuming, error prone, and unsafe operation.  Next
+a list of hostnames will be created from the instance and the
+.Li v4_domains
+variable, which should contain a list of possible domains for the
+specific realm.
+.Pp
+On the other hand, if the name is not found in a
+.Li host
+section, it is looked up in a 
+.Li v4_name_convert/plain
+binding. If found here the name will be converted, but the instance
+will be untouched.
+.Pp
+This list of default host-type conversions is compiled-in:
+.Bd -literal -offset indent
+v4_name_convert = {
+	host = {
+		ftp = ftp
+		hprop = hprop
+		pop = pop
+		rcmd = host
+	}
+}
+.Ed
+.Pp
+It will only be used if there isn't an entry for these names in the
+config file, so you can override these defaults.
+.Pp
+.Fn krb5_425_conv_principal
+will call
+.Fn krb5_425_conv_principal_ext
+with 
+.Dv NULL
+as 
+.Fa func ,
+and the value of
+.Li v4_instance_resolve
+(from the
+.Li libdefaults
+section) as
+.Fa resolve .
+.Pp
+.Fn krb5_524_conv_principal
+basically does the opposite of 
+.Fn krb5_425_conv_principal ,
+it just doesn't have to look up any names, but will instead truncate
+instances found to belong to a host principal. The
+.Fa name , 
+.Fa instance , 
+and 
+.Fa realm
+should be at least 40 characters long.
+
+.Sh EXAMPLES
+
+Since this is confusing an example is in place.
+.Pp
+Assume that we have the 
+.Dq foo.com , 
+and 
+.Dq bar.com  
+domains that have shared a single version 4 realm, FOO.COM. The version 4 
+.Pa krb.realms 
+file looked like:
+.Bd -literal -offset indent
+foo.com		FOO.COM
+\&.foo.com	FOO.COM
+\&.bar.com	FOO.COM
+.Ed
+.Pp
+A
+.Pa krb5.conf
+file that covers this case might look like:
+.Bd -literal -offset indent
+[libdefaults]
+	v4_instance_resolve = yes
+[realms]
+	FOO.COM = {
+		kdc = kerberos.foo.com
+		v4_instance_convert = {
+			foo = foo.com
+		}
+		v4_domains = foo.com
+	}
+.Ed
+.Pp
+With this setup and the following host table:
+.Bd -literal -offset indent
+foo.com
+a-host.foo.com
+b-host.bar.com
+.Ed
+the following conversions will be made:
+.Bd -literal -offset indent
+rcmd.a-host	\(-> host/a-host.foo.com
+ftp.b-host	\(-> ftp/b-host.bar.com
+pop.foo		\(-> pop/foo.com
+ftp.other	\(-> ftp/other.foo.com
+other.a-host	\(-> other/a-host
+.Ed
+.Pp
+The first three are what you expect. If you remove the 
+.Dq v4_domains ,
+the fourth entry will result in an error (since the host
+.Dq other
+can't be found). Even if 
+.Dq a-host 
+is a valid host name, the last entry will not be converted, since the
+.Dq other
+name is not known to represent a host-type principal.
+If you turn off
+.Dq v4_instance_resolve
+the second example will result in
+.Dq ftp/b-host.foo.com 
+(because of the default domain). And all of this is of course only
+valid if you have working name resolving.
+
+.Sh SEE ALSO
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_build_principal.3 b/crypto/heimdal/lib/krb5/krb5_build_principal.3
new file mode 100644
index 0000000..16ccf72
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_build_principal.3
@@ -0,0 +1,78 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_build_principal.3,v 1.1 1997/08/14 00:03:16 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_BUILD_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_build_principal ,
+.Nm krb5_build_principal_ext ,
+.Nm krb5_build_principal_va ,
+.Nm krb5_build_principal_va_ext ,
+.Nm krb5_make_principal
+.Nd Principal creation functions
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
+
+.Ft krb5_error_code
+.Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
+
+.Ft krb5_error_code
+.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..."
+
+
+.Sh DESCRIPTION
+
+These functions create a Kerberos 5 principal from a realm and a list
+of components.
+All of these functions return an allocated principal in the 
+.Fa principal
+parameter, this should be freed with
+.Fn krb5_free_principal
+after use.
+.Pp
+The
+.Dq build
+functions take a
+.Fa realm
+and the length of the realm.  The
+.Fn krb5_build_principal 
+and
+.Fn krb5_build_principal_va
+also takes a list of components (zero-terminated strings), terminated
+with
+.Dv NULL .
+The
+.Fn krb5_build_principal_ext 
+and 
+.Fn krb5_build_principal_va_ext 
+takes a list of length-value pairs, the list is terminated with a zero
+length.
+.Pp
+The 
+.Fn krb5_make_principal
+is a wrapper around 
+.Fn krb5_build_principal .
+If the realm is
+.Dv NULL ,
+the default realm will be used.
+
+.Sh BUGS
+You can not have a NUL in a component. Until someone can give a good
+example of where it would be a good idea to have NUL's in a component,
+this will not be fixed.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
new file mode 100644
index 0000000..e2362a9
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
@@ -0,0 +1,68 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_create_checksum.3,v 1.1 1999/04/18 13:47:11 joda Exp $
+.Dd April  7, 1999
+.Dt NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_checksum_is_collision_proof , 
+.Nm krb5_checksum_is_keyed , 
+.Nm krb5_checksumsize , 
+.Nm krb5_create_checksum , 
+.Nm krb5_verify_checksum
+.Nd creates and verifies checksums
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result"
+
+.Ft krb5_error_code
+.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum"
+
+.Ft krb5_boolean
+.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type"
+
+.Ft krb5_boolean
+.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type"
+
+.Sh DESCRIPTION
+These functions are used to create and verify checksums.
+.Fn krb5_create_checksum 
+creates a checksum of the specified data, and puts it in
+.Fa result .
+If
+.Fa crypto
+is 
+.Dv NULL ,
+.Fa usage_or_type 
+specifies the checksum type to use; it must not be keyed. Otherwise 
+.Fa crypto
+is an encryption context created by
+.Fn krb5_crypto_init ,
+and
+.Fa usage_or_type
+specifies a key-usage.
+.Pp
+.Fn krb5_verify_checksum
+verifies the
+.Fa checksum ,
+against the provided data. 
+.Pp
+.Fn krb5_checksum_is_collision_proof
+returns true is the specified checksum is collision proof (that it's
+very unlikely that two strings has the same hash value, and that it's
+hard to find two strings that has the same hash). Examples of
+collision proof checksums are MD5, and SHA1, while CRC32 is not.
+.Pp
+.Fn krb5_checksum_is_keyed
+returns true if the specified checksum type is keyed (that the hash
+value is a function of both the data, and a separate key). Examples of
+keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The 
+.Dq plain
+hash functions MD5, and SHA1 are not keyed.
+
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_crypto_init 3 ,
+.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
new file mode 100644
index 0000000..29db8c1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
@@ -0,0 +1,41 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_crypto_init.3,v 1.1 1999/04/18 13:47:21 joda Exp $
+.Dd April  7, 1999
+.Dt NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_crypto_init , 
+.Nm krb5_crypto_destroy
+.Nd initialize encryption context
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto"
+
+.Ft krb5_error_code
+.Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
+
+.Sh DESCRIPTION
+These functions are used to initialize an encryption context that can
+be used to encrypt or checksum data.
+.Pp
+The
+.Fn krb5_crypt_init
+initializes the encrytion context
+.Fa crypto .
+The
+.Fa key
+parameter is the key to use for encryption, and checksums. The
+encryption type to use is taken from the key, but can be overridden
+with the
+.Fa enctype parameter .
+.Pp
+.Fn krb5_crypto_destroy
+frees a previously allocated encrypion context.
+
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_create_checksum 3 ,
+.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3
new file mode 100644
index 0000000..d8cc89e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3
@@ -0,0 +1,60 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_encrypt.3,v 1.1 1999/04/18 13:47:30 joda Exp $
+.Dd April  7, 1999
+.Dt KRB5_ENCRYPT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_decrypt , 
+.Nm krb5_decrypt_EncryptedData , 
+.Nm krb5_encrypt , 
+.Nm krb5_encrypt_EncryptedData
+.Nd encrypt and decrypt data
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+
+.Ft krb5_error_code
+.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result"
+
+.Ft krb5_error_code
+.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+
+.Ft krb5_error_code
+.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result"
+
+.Sh DESCRIPTION
+These functions are used to encrypt and decrypt data.
+.Pp
+.Fn krb5_encrypt
+puts the encrypted version of 
+.Fa data
+(of size
+.Fa len )
+in
+.Fa result .
+If the encryption type supports using derived keys, 
+.Fa usage
+should be the appropriate key-usage.
+.Fn krb5_encrypt_EncryptedData
+does the same as
+.Fn krb5_encrypt ,
+but it puts the encrypted data in a
+.Fa EncryptedData 
+structure instead. If 
+.Fa kvno 
+is not zero, it will be put in the 
+.Fa kvno field in the
+.Fa EncryptedData .
+.Pp
+.Fn krb5_decrypt ,
+and
+.Fn krb5_decrypt_EncryptedData
+works similarly.
+
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_crypto_init 3 ,
+.Xr krb5_create_checksum 3
diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et
new file mode 100644
index 0000000..895ae66
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_err.et
@@ -0,0 +1,215 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $"
+
+error_table krb5
+
+prefix KRB5KDC_ERR
+error_code NONE,		"No error"
+error_code NAME_EXP,		"Client's entry in database has expired"
+error_code SERVICE_EXP,		"Server's entry in database has expired"
+error_code BAD_PVNO,		"Requested protocol version not supported"
+error_code C_OLD_MAST_KVNO,	"Client's key is encrypted in an old master key"
+error_code S_OLD_MAST_KVNO,	"Server's key is encrypted in an old master key"
+error_code C_PRINCIPAL_UNKNOWN,	"Client not found in Kerberos database"
+error_code S_PRINCIPAL_UNKNOWN,	"Server not found in Kerberos database"
+error_code PRINCIPAL_NOT_UNIQUE,"Principal has multiple entries in Kerberos database"
+error_code NULL_KEY,		"Client or server has a null key"
+error_code CANNOT_POSTDATE,	"Ticket is ineligible for postdating"
+error_code NEVER_VALID,		"Requested effective lifetime is negative or too short"
+error_code POLICY,		"KDC policy rejects request"
+error_code BADOPTION,		"KDC can't fulfill requested option"
+error_code ETYPE_NOSUPP,	"KDC has no support for encryption type"
+error_code SUMTYPE_NOSUPP,	"KDC has no support for checksum type"
+error_code PADATA_TYPE_NOSUPP,	"KDC has no support for padata type"
+error_code TRTYPE_NOSUPP,	"KDC has no support for transited type"
+error_code CLIENT_REVOKED,	"Clients credentials have been revoked"
+error_code SERVICE_REVOKED,	"Credentials for server have been revoked"
+error_code TGT_REVOKED,		"TGT has been revoked"
+error_code CLIENT_NOTYET,	"Client not yet valid - try again later"
+error_code SERVICE_NOTYET,	"Server not yet valid - try again later"
+error_code KEY_EXPIRED,		"Password has expired"
+error_code PREAUTH_FAILED,	"Preauthentication failed"
+error_code PREAUTH_REQUIRED,	"Additional pre-authentication required"
+error_code SERVER_NOMATCH,	"Requested server and ticket don't match"
+
+# 27-30 are reserved
+index 31
+prefix KRB5KRB_AP
+error_code ERR_BAD_INTEGRITY,	"Decrypt integrity check failed"
+error_code ERR_TKT_EXPIRED,	"Ticket expired"
+error_code ERR_TKT_NYV,		"Ticket not yet valid"
+error_code ERR_REPEAT,		"Request is a replay"
+error_code ERR_NOT_US,		"The ticket isn't for us"
+error_code ERR_BADMATCH,	"Ticket/authenticator don't match"
+error_code ERR_SKEW,		"Clock skew too great"
+error_code ERR_BADADDR,		"Incorrect net address"
+error_code ERR_BADVERSION,	"Protocol version mismatch"
+error_code ERR_MSG_TYPE,	"Invalid message type"
+error_code ERR_MODIFIED,	"Message stream modified"
+error_code ERR_BADORDER,	"Message out of order"
+error_code ERR_ILL_CR_TKT,	"Invalid cross-realm ticket"
+error_code ERR_BADKEYVER,	"Key version is not available"
+error_code ERR_NOKEY,		"Service key not available"
+error_code ERR_MUT_FAIL,	"Mutual authentication failed"
+error_code ERR_BADDIRECTION,	"Incorrect message direction"
+error_code ERR_METHOD,		"Alternative authentication method required"
+error_code ERR_BADSEQ,		"Incorrect sequence number in message"
+error_code ERR_INAPP_CKSUM,	"Inappropriate type of checksum in message"
+error_code PATH_NOT_ACCEPTED,	"Policy rejects transited path"
+
+prefix KRB5KRB_ERR
+error_code RESPONSE_TOO_BIG,	"Response too big for UDP, retry with TCP"
+# 53-59 are reserved
+index 60
+error_code GENERIC,		"Generic error (see e-text)"
+error_code FIELD_TOOLONG,	"Field is too long for this implementation"
+
+# 62-127 are reserved
+index 128
+prefix
+error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $"
+
+error_code KRB5_LIBOS_BADLOCKFLAG,	"Invalid flag for file lock mode"
+error_code KRB5_LIBOS_CANTREADPWD,	"Cannot read password"
+error_code KRB5_LIBOS_BADPWDMATCH,	"Password mismatch"
+error_code KRB5_LIBOS_PWDINTR,		"Password read interrupted"
+
+error_code KRB5_PARSE_ILLCHAR,		"Invalid character in component name"
+error_code KRB5_PARSE_MALFORMED,	"Malformed representation of principal"
+
+error_code KRB5_CONFIG_CANTOPEN,	"Can't open/find configuration file"
+error_code KRB5_CONFIG_BADFORMAT,	"Improper format of configuration file"
+error_code KRB5_CONFIG_NOTENUFSPACE,	"Insufficient space to return complete information"
+
+error_code KRB5_BADMSGTYPE,		"Invalid message type specified for encoding"
+
+error_code KRB5_CC_BADNAME,		"Credential cache name malformed"
+error_code KRB5_CC_UNKNOWN_TYPE,	"Unknown credential cache type" 
+error_code KRB5_CC_NOTFOUND,		"Matching credential not found"
+error_code KRB5_CC_END,			"End of credential cache reached"
+
+error_code KRB5_NO_TKT_SUPPLIED,	"Request did not supply a ticket"
+
+error_code KRB5KRB_AP_WRONG_PRINC,		"Wrong principal in request"
+error_code KRB5KRB_AP_ERR_TKT_INVALID,	"Ticket has invalid flag set"
+
+error_code KRB5_PRINC_NOMATCH,		"Requested principal and ticket don't match"
+error_code KRB5_KDCREP_MODIFIED,	"KDC reply did not match expectations"
+error_code KRB5_KDCREP_SKEW,		"Clock skew too great in KDC reply"
+error_code KRB5_IN_TKT_REALM_MISMATCH,	"Client/server realm mismatch in initial ticket request"
+
+error_code KRB5_PROG_ETYPE_NOSUPP,	"Program lacks support for encryption type"
+error_code KRB5_PROG_KEYTYPE_NOSUPP,	"Program lacks support for key type"
+error_code KRB5_WRONG_ETYPE,		"Requested encryption type not used in message"
+error_code KRB5_PROG_SUMTYPE_NOSUPP,	"Program lacks support for checksum type"
+
+error_code KRB5_REALM_UNKNOWN,		"Cannot find KDC for requested realm"
+error_code KRB5_SERVICE_UNKNOWN,	"Kerberos service unknown"
+error_code KRB5_KDC_UNREACH,		"Cannot contact any KDC for requested realm"
+error_code KRB5_NO_LOCALNAME,		"No local name found for principal name"
+
+error_code KRB5_MUTUAL_FAILED,		"Mutual authentication failed"
+
+# some of these should be combined/supplanted by system codes
+
+error_code KRB5_RC_TYPE_EXISTS,		"Replay cache type is already registered"
+error_code KRB5_RC_MALLOC,		"No more memory to allocate (in replay cache code)"
+error_code KRB5_RC_TYPE_NOTFOUND,	"Replay cache type is unknown"
+error_code KRB5_RC_UNKNOWN,		"Generic unknown RC error"
+error_code KRB5_RC_REPLAY,		"Message is a replay"
+error_code KRB5_RC_IO,			"Replay I/O operation failed XXX"
+error_code KRB5_RC_NOIO,		"Replay cache type does not support non-volatile storage"
+error_code KRB5_RC_PARSE,		"Replay cache name parse/format error"
+
+error_code KRB5_RC_IO_EOF,		"End-of-file on replay cache I/O"
+error_code KRB5_RC_IO_MALLOC,		"No more memory to allocate (in replay cache I/O code)"
+error_code KRB5_RC_IO_PERM,		"Permission denied in replay cache code"
+error_code KRB5_RC_IO_IO,		"I/O error in replay cache i/o code"
+error_code KRB5_RC_IO_UNKNOWN,		"Generic unknown RC/IO error"
+error_code KRB5_RC_IO_SPACE,		"Insufficient system space to store replay information"
+
+error_code KRB5_TRANS_CANTOPEN,		"Can't open/find realm translation file"
+error_code KRB5_TRANS_BADFORMAT,	"Improper format of realm translation file"
+
+error_code KRB5_LNAME_CANTOPEN,		"Can't open/find lname translation database"
+error_code KRB5_LNAME_NOTRANS,		"No translation available for requested principal"
+error_code KRB5_LNAME_BADFORMAT,	"Improper format of translation database entry"
+
+error_code KRB5_CRYPTO_INTERNAL,	"Cryptosystem internal error"
+
+error_code KRB5_KT_BADNAME,		"Key table name malformed"
+error_code KRB5_KT_UNKNOWN_TYPE,	"Unknown Key table type" 
+error_code KRB5_KT_NOTFOUND,		"Key table entry not found"
+error_code KRB5_KT_END,			"End of key table reached"
+error_code KRB5_KT_NOWRITE,		"Cannot write to specified key table"
+error_code KRB5_KT_IOERR,		"Error writing to key table"
+
+error_code KRB5_NO_TKT_IN_RLM,		"Cannot find ticket for requested realm"
+error_code KRB5DES_BAD_KEYPAR,		"DES key has bad parity"
+error_code KRB5DES_WEAK_KEY,		"DES key is a weak key"
+
+error_code KRB5_BAD_ENCTYPE,		"Bad encryption type"
+error_code KRB5_BAD_KEYSIZE,		"Key size is incompatible with encryption type"
+error_code KRB5_BAD_MSIZE,		"Message size is incompatible with encryption type"
+
+error_code KRB5_CC_TYPE_EXISTS,		"Credentials cache type is already registered."
+error_code KRB5_KT_TYPE_EXISTS,		"Key table type is already registered."
+
+error_code KRB5_CC_IO,			"Credentials cache I/O operation failed XXX"
+error_code KRB5_FCC_PERM,		"Credentials cache file permissions incorrect"
+error_code KRB5_FCC_NOFILE,		"No credentials cache file found"
+error_code KRB5_FCC_INTERNAL,		"Internal file credentials cache error"
+error_code KRB5_CC_WRITE,		"Error writing to credentials cache file"
+error_code KRB5_CC_NOMEM,		"No more memory to allocate (in credentials cache code)"
+error_code KRB5_CC_FORMAT,		"Bad format in credentials cache"
+
+# errors for dual tgt library calls
+error_code KRB5_INVALID_FLAGS,		"Invalid KDC option combination (library internal error)"
+error_code KRB5_NO_2ND_TKT,		"Request missing second ticket"
+
+error_code KRB5_NOCREDS_SUPPLIED,	"No credentials supplied to library routine"
+
+# errors for sendauth (and recvauth)
+
+error_code KRB5_SENDAUTH_BADAUTHVERS,	"Bad sendauth version was sent"
+error_code KRB5_SENDAUTH_BADAPPLVERS,	"Bad application version was sent (via sendauth)"
+error_code KRB5_SENDAUTH_BADRESPONSE,	"Bad response (during sendauth exchange)"
+error_code KRB5_SENDAUTH_REJECTED,	"Server rejected authentication (during sendauth exchange)"
+
+# errors for preauthentication
+
+error_code KRB5_PREAUTH_BAD_TYPE,	"Unsupported preauthentication type"
+error_code KRB5_PREAUTH_NO_KEY,		"Required preauthentication key not supplied"
+error_code KRB5_PREAUTH_FAILED,		"Generic preauthentication failure"
+
+# version number errors
+
+error_code KRB5_RCACHE_BADVNO,	"Unsupported replay cache format version number"
+error_code KRB5_CCACHE_BADVNO,	"Unsupported credentials cache format version number"
+error_code KRB5_KEYTAB_BADVNO,	"Unsupported key table format version number"
+
+#
+#
+
+error_code KRB5_PROG_ATYPE_NOSUPP,	"Program lacks support for address type"
+error_code KRB5_RC_REQUIRED,	"Message replay detection requires rcache parameter"
+error_code KRB5_ERR_BAD_HOSTNAME,	"Hostname cannot be canonicalized"
+error_code KRB5_ERR_HOST_REALM_UNKNOWN,	"Cannot determine realm for host"
+error_code KRB5_SNAME_UNSUPP_NAMETYPE,	"Conversion to service principal undefined for name type"
+
+error_code KRB5KRB_AP_ERR_V4_REPLY, "Initial Ticket response appears to be Version 4"
+error_code KRB5_REALM_CANT_RESOLVE,	"Cannot resolve KDC for requested realm"
+error_code KRB5_TKT_NOT_FORWARDABLE,	"Requesting ticket can't get forwardable tickets"
+error_code KRB5_FWD_BAD_PRINCIPAL, "Bad principal name while trying to forward credentials"
+
+error_code KRB5_GET_IN_TKT_LOOP,  "Looping detected inside krb5_get_in_tkt"
+error_code KRB5_CONFIG_NODEFREALM,	"Configuration file does not specify default realm"
+
+error_code KRB5_SAM_UNSUPPORTED,  "Bad SAM flags in obtain_sam_padata"
+error_code KRB5_KT_NAME_TOOLONG,	"Keytab name too long"
+
+end
diff --git a/crypto/heimdal/lib/krb5/krb5_free_principal.3 b/crypto/heimdal/lib/krb5/krb5_free_principal.3
new file mode 100644
index 0000000..ba5888a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_free_principal.3
@@ -0,0 +1,30 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_free_principal.3,v 1.1 1997/08/14 00:03:17 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_FREE_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_free_principal
+.Nd Principal free function
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft void
+.Fn krb5_free_principal "krb5_context context" "krb5_principal principal"
+
+.Sh DESCRIPTION
+
+The 
+.Fn krb5_free_principal
+will free a principal that has been created with
+.Fn krb5_build_principal ,
+.Fn krb5_parse_name ,
+or with some other function. 
+
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h
new file mode 100644
index 0000000..6a4c7fd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_locl.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb5_locl.h,v 1.63 1999/12/02 17:05:11 joda Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __KRB5_LOCL_H__
+#define __KRB5_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <time.h>
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef _AIX
+struct ether_addr;
+struct mbuf;
+struct sockaddr_dl;
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#include <roken.h>
+#include <parse_time.h>
+#include <base64.h>
+
+#include <openssl/des.h>
+#include <md4.h>
+#include <md5.h>
+#include <sha.h>
+#include <rc4.h>
+
+#include <asn1.h>
+#include <der.h>
+
+#include <krb5.h>
+#include <krb5_err.h>
+#include <asn1_err.h>
+#include <krb5-private.h>
+
+#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
+#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+
+/* should this be public? */
+#define KEYTAB_DEFAULT "FILE:/etc/krb5.keytab"
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+#endif /* __KRB5_LOCL_H__ */
diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3
new file mode 100644
index 0000000..87040ba
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_openlog.3
@@ -0,0 +1,225 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_openlog.3,v 1.4 1999/04/07 14:06:32 joda Exp $
+.Dd August 6, 1997
+.Dt KRB5_OPENLOG 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_initlog ,
+.Nm krb5_openlog ,
+.Nm krb5_closelog ,
+.Nm krb5_addlog_dest ,
+.Nm krb5_addlog_func ,
+.Nm krb5_log ,
+.Nm krb5_vlog ,
+.Nm krb5_log_msg ,
+.Nm krb5_vlog_msg 
+.Nd Heimdal logging functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.\" ouch!
+.ds xx \\*(fP\fR(\fP\\*(lI*\\*(fP
+.ds xy \fR)\|\fP
+.Fn "\\*(lItypedef void \\*(xxkrb5_log_log_func_t\\*(xy" "const char *time" "const char *message" "void *data" 
+.Fn "\\*(lItypedef void \\*(xxkrb5_log_close_func_t\\*(xy" "void *data" 
+
+.Ft krb5_error_code
+.Fn krb5_addlog_dest "krb5_context context" "krb5_log_facility *facility" "const char *destination"
+
+.Ft krb5_error_code
+.Fn krb5_addlog_func "krb5_context context" "krb5_log_facility *facility" "int min" "int max" "krb5_log_log_func_t log" "krb5_log_close_func_t close" "void *data"
+
+.Ft krb5_error_code
+.Fn krb5_closelog "krb5_context context" "krb5_log_facility *facility"
+
+.Ft krb5_error_code
+.Fn krb5_initlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
+
+.Ft krb5_error_code
+.Fn krb5_log "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_log_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_openlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
+
+.Ft krb5_error_code
+.Fn krb5_vlog "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "va_list arglist"
+
+.Ft krb5_error_code
+.Fn krb5_vlog_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "va_list arglist"
+
+.Sh DESCRIPTION
+These functions logs messages to one or more destinations.
+.Pp
+The
+.Fn krb5_openlog
+function creates a logging 
+.Fa facility ,
+that is used to log messages. A facility consists of one or more
+destinations (which can be files or syslog or some other device). The
+.Fa program
+parameter should be the generic name of the program that is doing the
+logging. This name is used to lookup which destinations to use. This
+information is contained in the
+.Li logging
+section of the
+.Pa krb5.conf
+configuration file.  If no entry is found for
+.Fa program ,
+the entry for
+.Li default
+is used, or if that is missing too,
+.Li SYSLOG 
+will be used as destination.
+.Pp
+To close a logging facility, use the
+.Fn krb5_closelog
+function.
+.Pp
+To log a message to a facility use one of the functions
+.Fn krb5_log ,
+.Fn krb5_log_msg ,
+.Fn krb5_vlog ,
+or
+.Fn krb5_vlog_msg .
+The functions ending in 
+.Li _msg
+return in
+.Fa reply
+a pointer to the message that just got logged. This string is allocated,
+and should be freed with
+.Fn free .
+The
+.Fa format
+is a standard 
+.Fn printf
+style format string (but see the BUGS section).
+.Pp
+
+If you want better control of where things gets logged, you can instead of using 
+.Fn krb5_openlog
+call 
+.Fn krb5_initlog ,
+which just initializes a facility, but doesn't define any actual logging
+destinations. You can then add destinations with the
+.Fn krb5_addlog_dest
+and
+.Fn krb5_addlog_func 
+functions.  The first of these takes a string specifying a logging
+destination, and adds this to the facility. If you want to do some
+non-standard logging you can use the
+.Fn krb5_addlog_func
+function, which takes a function to use when logging.
+The 
+.Fa log
+function is called for each message with
+.Fa time
+being a string specifying the current time, and
+.Fa message
+the message to log. 
+.Fa close
+is called when the facility is closed. You can pass application specific data in the 
+.Fa data 
+parameter. The
+.Fa min
+and 
+.Fa max
+parameter are the same as in a destination (defined below). To specify a
+max of infinity, pass -1.
+.Pp
+.Fn krb5_openlog
+calls 
+.Fn krb5_initlog
+and then calls 
+.Fn krb5_addlog_dest
+for each destination found.
+
+.Ss Destinations
+
+The defined destinations (as specified in
+.Pa krb5.conf )
+follows:
+.Bl -tag -width "xxx" -offset indent
+.It Li STDERR
+This logs to the program's stderr.
+.It Li FILE: Ns Pa /file
+.It Li FILE= Ns Pa /file
+Log to the specified file. The form using a colon appends to the file, the
+form with an equal truncates the file. The truncating form keeps the file
+open, while the appending form closes it after each log message (which
+makes it possible to rotate logs). The truncating form is mainly for
+compatibility with the MIT libkrb5.
+.It Li DEVICE= Ns Pa /device
+This logs to the specified device, at present this is the same as
+.Li FILE:/device .
+.It Li CONSOLE
+Log to the console, this is the same as
+.Li DEVICE=/dev/console .
+.It Li SYSLOG Ns Op :priority Ns Op :facility
+Send messages to the syslog system, using priority, and facility. To
+get the name for one of these, you take the name of the macro passed
+to
+.Xr syslog 3 ,
+and remove the leading
+.Li LOG_ 
+.No ( Li LOG_NOTICE
+becomes 
+.Li NOTICE ) .
+The default values (as well as the values used for unrecognised
+values), are
+.Li ERR ,
+and
+.Li AUTH ,
+respectively.  See
+.Xr syslog 3
+for a list of priorities and facilities.
+.El
+.Pp
+Each destination may optionally be prepended with a range of logging
+levels, specified as
+.Li min-max/ .
+If the
+.Fa level
+parameter to
+.Fn krb5_log
+is within this range (inclusive) the message gets logged to this
+destination, otherwise not. Either of the min and max valued may be
+omitted, in this case min is assumed to be zero, and max is assumed to be
+infinity.  If you don't include a dash, both min and max gets set to the
+specified value. If no range is specified, all messages gets logged.
+.Sh EXAMPLE
+.Bd -literal -offset indent
+[logging]
+	kdc = 0/FILE:/var/log/kdc.log
+	kdc = 1-/SYSLOG:INFO:USER
+	default = STDERR
+.Ed
+.Pp
+This will log all messages from the 
+.Nm kdc 
+program with level 0 to
+.Pa /var/log/kdc.log ,
+other messages will be logged to syslog with priority
+.Li LOG_INFO ,
+and facility
+.Li LOG_USER .
+All other programs will log all messages to their stderr.
+.Sh BUGS
+These functions use
+.Fn asprintf
+to format the message. If your operating system does not have a working
+.Fn asprintf ,
+a replacement will be used. At present this replacement does not handle
+some correct conversion specifications (like floating point numbers). Until
+this is fixed, the use of these conversions should be avoided.
+.Pp
+If logging is done to the syslog facility, these functions might not be
+thread-safe, depending on the implementation of
+.Fn openlog ,
+and
+.Fn syslog .
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3
new file mode 100644
index 0000000..db9236c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3
@@ -0,0 +1,39 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_parse_name.3,v 1.1 1997/08/14 00:03:17 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_PARSE_NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_parse_name
+.Nd String to principal conversion
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal"
+
+.Sh DESCRIPTION
+
+.Fn krb5_parse_name
+converts a string representation of a princpal name to
+.Nm krb5_principal .
+The
+.Fa principal 
+will point to allocated data that should be freed with
+.Fn krb5_free_principal .
+.Pp
+The string should consist of one or more name components separated with slashes
+.Pq Dq / , 
+optionally followed with an
+.Dq @
+and a realm name. A slash or @ may be contained in a name component by
+quoting it with a back-slash
+.Pq Dq \ .
+A realm should not contain slashes or colons.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
new file mode 100644
index 0000000..aea4150
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
@@ -0,0 +1,58 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_sname_to_principal.3,v 1.1 1997/08/14 00:03:18 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_sname_to_principal ,
+.Nm krb5_sock_to_principal
+.Nd Create a service principal
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal"
+
+.Ft krb5_error_code
+.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal"
+
+.Sh DESCRIPTION
+
+These functions create a 
+.Dq service
+principal that can, for instance, be used to lookup a key in a keytab. For both these function the
+.Fa sname 
+parameter will be used for the first component of the created principal. If 
+.Fa sname
+is
+.Dv NULL ,
+.Dq host
+will be used instead.
+.Fn krb5_sname_to_principal 
+will use the passed 
+.Fa hostname
+for the second component. If type 
+.Dv KRB5_NT_SRV_HST
+this name will be looked up with
+.Fn gethostbyname .
+If 
+.Fa hostname is
+.Dv NULL ,
+the local hostname will be used.
+.Pp
+.Fn krb5_sock_to_principal 
+will use the 
+.Dq sockname
+of the passed
+.Fa socket ,
+which should be a bound
+.Dv AF_INET
+socket.
+
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
new file mode 100644
index 0000000..13277d6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
@@ -0,0 +1,34 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_unparse_name.3,v 1.1 1997/08/14 00:03:19 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_UNPARSE_NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_unparse_name
+.\" .Nm krb5_unparse_name_ext
+.Nd Principal to string conversion
+
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name"
+
+.\" .Ft krb5_error_code
+.\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size"
+
+.Sh DESCRIPTION
+
+This function takes a
+.Fa principal ,
+and will convert in to a printable representation with the same syntax as decribed in
+.Xr krb5_parse_name 3 .
+.Fa *name 
+will point to allocated data and should be freed by the caller.
+
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3
new file mode 100644
index 0000000..521da0e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_warn.3
@@ -0,0 +1,73 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_warn.3,v 1.2 1997/08/08 03:45:55 joda Exp $
+.Dd August 8, 1997
+.Dt KRB5_WARN 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_warn ,
+.Nm krb5_warnx ,
+.Nm krb5_vwarn ,
+.Nm krb5_vwarnx ,
+.Nm krb5_err ,
+.Nm krb5_errx ,
+.Nm krb5_verr ,
+.Nm krb5_verrx ,
+.Nm krb5_set_warn_dest
+.Nd Heimdal warning and error functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
+
+.Ft krb5_error_code
+.Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_warnx "krb5_context context" "const char *format" "..."
+
+.Ft krb5_error_code
+.Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
+
+.Sh DESCRIPTION
+
+These functions prints a warning message to some destination.
+.Fa format
+is a printf style format specifying the message to print. The forms not ending in an
+.Dq x
+prints the error string associated with
+.Fa code 
+along with the message.
+The
+.Dq err
+functions exits with exit status
+.Fa eval
+after printing the message.
+.Pp
+The
+.Fn krb5_set_warn_func
+function sets the destination for warning messages to the specified 
+.Fa facility .
+Messages logged with the
+.Dq warn
+functions have a log level of 1, while the
+.Dq err
+functions logs with level 0.
+
+.Sh SEE ALSO
+.Xr krb5_openlog 3
diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c
new file mode 100644
index 0000000..8d5c4e4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krbhst.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <resolve.h>
+
+RCSID("$Id: krbhst.c,v 1.23 1999/12/11 23:14:25 assar Exp $");
+
+/*
+ * assuming that `*res' contains `*count' strings, add a copy of `string'.
+ */
+
+static int
+add_string(char ***res, int *count, const char *string)
+{
+    char **tmp = realloc(*res, (*count + 1) * sizeof(**res));
+
+    if(tmp == NULL)
+	return ENOMEM;
+    *res = tmp;
+    if(string) {
+	tmp[*count] = strdup(string);
+	if(tmp[*count] == NULL)
+	    return ENOMEM;
+    } else
+	tmp[*count] = NULL;
+    (*count)++;
+    return 0;
+}
+
+static krb5_error_code
+srv_find_realm(krb5_context context, char ***res, int *count, 
+	       const char *realm, const char *proto, const char *service)
+{
+    char domain[1024];
+    char alt_domain[1024];
+    krb5_error_code ret;
+    struct dns_reply *r;
+    struct resource_record *rr;
+
+    snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
+    
+    r = dns_lookup(domain, "srv");
+    if(r == NULL && context->srv_try_rfc2052) {
+	snprintf(alt_domain, sizeof(alt_domain), "%s.%s.%s.", 
+		 service, proto, realm);
+	r = dns_lookup(alt_domain, "srv");
+    }
+    if(r == NULL && context->srv_try_txt)
+	r = dns_lookup(domain, "txt");
+    if(r == NULL && context->srv_try_rfc2052 && context->srv_try_txt)
+	r = dns_lookup(alt_domain, "txt");
+    if(r == NULL)
+	return 0;
+
+    for(rr = r->head; rr; rr = rr->next){
+	if(rr->type == T_SRV){
+	    char buf[1024];
+	    char **tmp;
+
+	    tmp = realloc(*res, (*count + 1) * sizeof(**res));
+	    if (tmp == NULL)
+		return ENOMEM;
+	    *res = tmp;
+	    snprintf (buf, sizeof(buf),
+		      "%s/%s:%u",
+		      proto,
+		      rr->u.srv->target,
+		      rr->u.srv->port);
+	    ret = add_string(res, count, buf);
+	    if(ret)
+		return ret;
+	}else if(rr->type == T_TXT) {
+	    ret = add_string(res, count, rr->u.txt);
+	    if(ret)
+		return ret;
+	}
+    }
+    dns_free_data(r);
+    return 0;
+}
+
+/*
+ * lookup the servers for realm `realm', looking for the config string
+ * `conf_string' in krb5.conf or for `serv_string' in SRV records.
+ * return a malloc-ed list of servers in hostlist.
+ */
+
+static krb5_error_code
+get_krbhst (krb5_context context,
+	    const krb5_realm *realm,
+	    const char *conf_string,
+	    const char *serv_string,
+	    char ***hostlist)
+{
+    char **res, **r;
+    int count;
+    krb5_error_code ret;
+
+    res = krb5_config_get_strings(context, NULL, 
+				  "realms", *realm, conf_string, NULL);
+    for(r = res, count = 0; r && *r; r++, count++);
+
+    if(context->srv_lookup) {
+	char *s[] = { "udp", "tcp", "http" }, **q;
+	for(q = s; q < s + sizeof(s) / sizeof(s[0]); q++) {
+	    ret = srv_find_realm(context, &res, &count, *realm, *q,
+				 serv_string);
+	    if(ret) {
+		krb5_config_free_strings(res);
+		return ret;
+	    }
+	}
+    }
+
+    if(count == 0) {
+	char buf[1024];
+	snprintf(buf, sizeof(buf), "kerberos.%s", *realm);
+	ret = add_string(&res, &count, buf);
+	if(ret) {
+	    krb5_config_free_strings(res);
+	    return ret;
+	}
+    }
+    add_string(&res, &count, NULL);
+    *hostlist = res;
+    return 0;
+}
+
+krb5_error_code
+krb5_get_krb_admin_hst (krb5_context context,
+			const krb5_realm *realm,
+			char ***hostlist)
+{
+    return get_krbhst (context, realm, "admin_server", "kerberos-adm",
+		       hostlist);
+}
+
+krb5_error_code
+krb5_get_krb_changepw_hst (krb5_context context,
+			   const krb5_realm *realm,
+			   char ***hostlist)
+{
+    return get_krbhst (context, realm, "admin_server", "kpasswd",
+		       hostlist);
+}
+
+krb5_error_code
+krb5_get_krbhst (krb5_context context,
+		 const krb5_realm *realm,
+		 char ***hostlist)
+{
+    return get_krbhst (context, realm, "kdc", "kerberos", hostlist);
+}
+
+krb5_error_code
+krb5_free_krbhst (krb5_context context,
+		  char **hostlist)
+{
+    char **p;
+
+    for (p = hostlist; *p; ++p)
+	free (*p);
+    free (hostlist);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/kuserok.c b/crypto/heimdal/lib/krb5/kuserok.c
new file mode 100644
index 0000000..ae8ddec
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kuserok.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: kuserok.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+
+/*
+ * Return TRUE iff `principal' is allowed to login as `luser'.
+ */
+
+krb5_boolean
+krb5_kuserok (krb5_context context,
+	      krb5_principal principal,
+	      const char *luser)
+{
+    char buf[BUFSIZ];
+    struct passwd *pwd;
+    FILE *f;
+    krb5_realm *realms, *r;
+    krb5_error_code ret;
+    krb5_boolean b;
+
+    ret = krb5_get_default_realms (context, &realms);
+    if (ret)
+	return FALSE;
+
+    for (r = realms; *r != NULL; ++r) {
+	krb5_principal local_principal;
+
+	ret = krb5_build_principal (context,
+				    &local_principal,
+				    strlen(*r),
+				    *r,
+				    luser,
+				    NULL);
+	if (ret) {
+	    krb5_free_host_realm (context, realms);
+	    return FALSE;
+	}
+
+	b = krb5_principal_compare (context, principal, local_principal);
+	krb5_free_principal (context, local_principal);
+	if (b) {
+	    krb5_free_host_realm (context, realms);
+	    return TRUE;
+	}
+    }
+    krb5_free_host_realm (context, realms);
+
+    pwd = getpwnam (luser);	/* XXX - Should use k_getpwnam? */
+    if (pwd == NULL)
+	return FALSE;
+    snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir);
+    f = fopen (buf, "r");
+    if (f == NULL)
+	return FALSE;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	krb5_principal tmp;
+
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+
+	ret = krb5_parse_name (context, buf, &tmp);
+	if (ret) {
+	    fclose (f);
+	    return FALSE;
+	}
+	b = krb5_principal_compare (context, principal, tmp);
+	krb5_free_principal (context, tmp);
+	if (b) {
+	    fclose (f);
+	    return TRUE;
+	}
+    }
+    fclose (f);
+    return FALSE;
+}
diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c
new file mode 100644
index 0000000..e1511e2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/log.c
@@ -0,0 +1,426 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: log.c,v 1.21 1999/12/02 17:05:11 joda Exp $");
+
+struct facility {
+    int min;
+    int max;
+    krb5_log_log_func_t log;
+    krb5_log_close_func_t close;
+    void *data;
+};
+
+static struct facility*
+log_realloc(krb5_log_facility *f)
+{
+    struct facility *fp;
+    f->len++;
+    fp = realloc(f->val, f->len * sizeof(*f->val));
+    if(fp == NULL)
+	return NULL;
+    f->val = fp;
+    fp += f->len - 1;
+    return fp;
+}
+
+struct s2i{
+    char *s;
+    int val;
+};
+
+#define L(X) { #X, LOG_ ## X }
+
+struct s2i syslogvals[] = {
+    L(EMERG),
+    L(ALERT),
+    L(CRIT),
+    L(ERR),
+    L(WARNING),
+    L(NOTICE),
+    L(INFO),
+    L(DEBUG),
+
+    L(AUTH),
+#ifdef LOG_AUTHPRIV
+    L(AUTHPRIV),
+#endif
+#ifdef LOG_CRON
+    L(CRON),
+#endif
+    L(DAEMON),
+#ifdef LOG_FTP
+    L(FTP),
+#endif
+    L(KERN),
+    L(LPR),
+    L(MAIL),
+#ifdef LOG_NEWS
+    L(NEWS),
+#endif
+    L(SYSLOG),
+    L(USER),
+#ifdef LOG_UUCP
+    L(UUCP),
+#endif
+    L(LOCAL0),
+    L(LOCAL1),
+    L(LOCAL2),
+    L(LOCAL3),
+    L(LOCAL4),
+    L(LOCAL5),
+    L(LOCAL6),
+    L(LOCAL7),
+    { NULL, -1 }
+};
+
+static int
+find_value(const char *s, struct s2i *table)
+{
+    while(table->s && strcasecmp(table->s, s))
+	table++;
+    return table->val;
+}
+
+krb5_error_code
+krb5_initlog(krb5_context context,
+	     const char *program,
+	     krb5_log_facility **fac)
+{
+    krb5_log_facility *f = calloc(1, sizeof(*f));
+    if(f == NULL)
+	return ENOMEM;
+    f->program = strdup(program);
+    if(f->program == NULL){
+	free(f);
+	return ENOMEM;
+    }
+    *fac = f;
+    return 0;
+}
+
+krb5_error_code
+krb5_addlog_func(krb5_context context,
+		 krb5_log_facility *fac,
+		 int min,
+		 int max,
+		 krb5_log_log_func_t log,
+		 krb5_log_close_func_t close,
+		 void *data)
+{
+    struct facility *fp = log_realloc(fac);
+    if(fp == NULL)
+	return ENOMEM;
+    fp->min = min;
+    fp->max = max;
+    fp->log = log;
+    fp->close = close;
+    fp->data = data;
+    return 0;
+}
+
+
+struct syslog_data{
+    int priority;
+};
+
+static void
+log_syslog(const char *time,
+	   const char *msg,
+	   void *data)
+     
+{
+    struct syslog_data *s = data;
+    syslog(s->priority, "%s", msg);
+}
+
+static void
+close_syslog(void *data)
+{
+    free(data);
+    closelog();
+}
+
+static krb5_error_code
+open_syslog(krb5_context context,
+	    krb5_log_facility *facility, int min, int max,
+	    const char *sev, const char *fac)
+{
+    struct syslog_data *sd = malloc(sizeof(*sd));
+    int i;
+
+    if(sd == NULL)
+	return ENOMEM;
+    i = find_value(sev, syslogvals);
+    if(i == -1)
+	i = LOG_ERR;
+    sd->priority = i;
+    i = find_value(fac, syslogvals);
+    if(i == -1)
+	i = LOG_AUTH;
+    sd->priority |= i;
+    roken_openlog(facility->program, LOG_PID | LOG_NDELAY, i);
+    return krb5_addlog_func(context, facility, min, max,
+			    log_syslog, close_syslog, sd);
+}
+
+struct file_data{
+    char *filename;
+    char *mode;
+    FILE *fd;
+    int keep_open;
+};
+
+static void
+log_file(const char *time,
+	 const char *msg,
+	 void *data)
+{
+    struct file_data *f = data;
+    if(f->keep_open == 0)
+	f->fd = fopen(f->filename, f->mode);
+    if(f->fd == NULL)
+	return;
+    fprintf(f->fd, "%s %s\n", time, msg);
+    if(f->keep_open == 0)
+	fclose(f->fd);
+}
+
+static void
+close_file(void *data)
+{
+    struct file_data *f = data;
+    if(f->keep_open && f->filename)
+	fclose(f->fd);
+    free(data);
+}
+
+static krb5_error_code
+open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
+	  char *filename, char *mode, FILE *f, int keep_open)
+{
+    struct file_data *fd = malloc(sizeof(*fd));
+    if(fd == NULL)
+	return ENOMEM;
+    fd->filename = filename;
+    fd->mode = mode;
+    fd->fd = f;
+    fd->keep_open = keep_open;
+
+    return krb5_addlog_func(context, fac, min, max, log_file, close_file, fd);
+}
+
+
+
+krb5_error_code
+krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *p)
+{
+    krb5_error_code ret = 0;
+    int min = 0, max = -1, n;
+    char c;
+    n = sscanf(p, "%d%c%d/", &min, &c, &max);
+    if(n == 2){
+	if(c == '/') {
+	    if(min < 0){
+		max = -min;
+		min = 0;
+	    }else{
+		max = min;
+	    }
+	}
+    }
+    if(n){
+	p = strchr(p, '/');
+	if(p == NULL) return HEIM_ERR_LOG_PARSE;
+	p++;
+    }
+    if(strcmp(p, "STDERR") == 0){
+	ret = open_file(context, f, min, max, NULL, NULL, stderr, 1);
+    }else if(strcmp(p, "CONSOLE") == 0){
+	ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0);
+    }else if(strncmp(p, "FILE:", 4) == 0 && (p[4] == ':' || p[4] == '=')){
+	char *fn;
+	FILE *file = NULL;
+	int keep_open = 0;
+	fn = strdup(p + 5);
+	if(fn == NULL)
+	    return ENOMEM;
+	if(p[4] == '='){
+	    int i = open(fn, O_WRONLY | O_CREAT | 
+			 O_TRUNC | O_APPEND, 0666);
+	    if(i < 0)
+		return errno;
+	    file = fdopen(i, "a");
+	    if(file == NULL){
+		close(i);
+		return errno;
+	    }
+	    keep_open = 1;
+	}
+	ret = open_file(context, f, min, max, fn, "a", file, keep_open);
+    }else if(strncmp(p, "DEVICE=", 6) == 0){
+	ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0);
+    }else if(strncmp(p, "SYSLOG", 6) == 0){
+	char *severity;
+	char *facility;
+	severity = strchr(p, ':');
+	if(severity == NULL)
+	    severity = "ERR";
+	facility = strchr(severity, ':');
+	if(facility == NULL)
+	    facility = "AUTH";
+	ret = open_syslog(context, f, min, max, severity, facility);
+    }else{
+	ret = HEIM_ERR_LOG_PARSE; /* XXX */
+    }
+    return ret;
+}
+
+
+krb5_error_code
+krb5_openlog(krb5_context context,
+	     const char *program,
+	     krb5_log_facility **fac)
+{
+    krb5_error_code ret;
+    char **p, **q;
+
+    ret = krb5_initlog(context, program, fac);
+    if(ret)
+	return ret;
+
+    p = krb5_config_get_strings(context, NULL, "logging", program, NULL);
+    if(p == NULL)
+	p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
+    if(p){
+	for(q = p; *q; q++)
+	    ret = krb5_addlog_dest(context, *fac, *q);
+	krb5_config_free_strings(p);
+    }else
+	ret = krb5_addlog_dest(context, *fac, "SYSLOG");
+    return 0;
+}
+
+krb5_error_code
+krb5_closelog(krb5_context context,
+	      krb5_log_facility *fac)
+{
+    int i;
+    for(i = 0; i < fac->len; i++)
+	(*fac->val[i].close)(&fac->val[i].data);
+    return 0;
+}
+
+#undef __attribute__
+#define __attribute__(X)
+
+krb5_error_code
+krb5_vlog_msg(krb5_context context,
+	      krb5_log_facility *fac,
+	      char **reply,
+	      int level,
+	      const char *fmt,
+	      va_list ap)
+     __attribute__((format (printf, 5, 0)))
+{
+    char *msg;
+    char buf[64];
+    time_t t;
+    int i;
+
+    vasprintf(&msg, fmt, ap);
+    t = time(NULL);
+    strftime(buf, sizeof(buf), context->time_fmt, 
+	     context->log_utc ? gmtime(&t) : localtime(&t));
+    for(i = 0; i < fac->len; i++)
+	if(fac->val[i].min <= level && 
+	   (fac->val[i].max < 0 || fac->val[i].max >= level))
+	    (*fac->val[i].log)(buf, msg, fac->val[i].data);
+    *reply = msg;
+    return 0;
+}
+
+krb5_error_code
+krb5_vlog(krb5_context context,
+	  krb5_log_facility *fac,
+	  int level,
+	  const char *fmt,
+	  va_list ap)
+     __attribute__((format (printf, 4, 0)))
+{
+    char *msg;
+    krb5_error_code ret;
+
+    ret = krb5_vlog_msg(context, fac, &msg, level, fmt, ap);
+    free(msg);
+    return ret;
+}
+
+krb5_error_code
+krb5_log_msg(krb5_context context,
+	     krb5_log_facility *fac,
+	     int level,
+	     char **reply,
+	     const char *fmt,
+	     ...)
+     __attribute__((format (printf, 5, 6)))
+{
+    va_list ap;
+    krb5_error_code ret;
+
+    va_start(ap, fmt);
+    ret = krb5_vlog_msg(context, fac, reply, level, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+krb5_error_code
+krb5_log(krb5_context context,
+	 krb5_log_facility *fac,
+	 int level,
+	 const char *fmt,
+	 ...)
+     __attribute__((format (printf, 4, 5)))
+{
+    va_list ap;
+    krb5_error_code ret;
+
+    va_start(ap, fmt);
+    ret = krb5_vlog(context, fac, level, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c
new file mode 100644
index 0000000..d45deea
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mcache.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: mcache.c,v 1.10 1999/12/02 17:05:11 joda Exp $");
+
+typedef struct krb5_mcache {
+    krb5_principal primary_principal;
+    struct link {
+	krb5_creds cred;
+	struct link *next;
+    } *creds;
+} krb5_mcache;
+
+#define MCC_CURSOR(C) ((struct link*)(C))
+
+static char*
+mcc_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    return "";			/* XXX */
+}
+
+static krb5_error_code
+mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    krb5_abortx(context, "unimplemented mcc_resolve called");
+}
+
+static krb5_error_code
+mcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_mcache *m;
+
+    m = malloc (sizeof(*m));
+    if (m == NULL)
+	return KRB5_CC_NOMEM;
+    m->primary_principal = NULL;
+    m->creds = NULL;
+    (*id)->data.data = m;
+    (*id)->data.length = sizeof(*m);
+    return 0;
+}
+
+static krb5_error_code
+mcc_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    krb5_error_code ret;
+    krb5_mcache *m;
+
+    m = (krb5_mcache *)id->data.data;
+
+    ret = krb5_copy_principal (context,
+			       primary_principal,
+			       &m->primary_principal);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+static krb5_error_code
+mcc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    krb5_mcache *m = (krb5_mcache *)id->data.data;
+    struct link *l;
+
+    krb5_free_principal (context, m->primary_principal);
+    l = m->creds;
+    while (l != NULL) {
+	struct link *old;
+
+	krb5_free_creds_contents (context, &l->cred);
+	old = l;
+	l = l->next;
+	free (old);
+    }
+    krb5_data_free(&id->data);
+    return 0;
+}
+
+static krb5_error_code
+mcc_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    return 0;
+}
+
+static krb5_error_code
+mcc_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_mcache *m = (krb5_mcache *)id->data.data;
+    struct link *l;
+
+    l = malloc (sizeof(*l));
+    if (l == NULL)
+	return KRB5_CC_NOMEM;
+    l->next = m->creds;
+    m->creds = l;
+    memset (&l->cred, 0, sizeof(l->cred));
+    ret = krb5_copy_creds_contents (context, creds, &l->cred);
+    if (ret) {
+	m->creds = l->next;
+	free (l);
+	return ret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+mcc_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_mcache *m = (krb5_mcache *)id->data.data;
+
+    return krb5_copy_principal (context,
+				m->primary_principal,
+				principal);
+}
+
+static krb5_error_code
+mcc_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    krb5_mcache *m = (krb5_mcache *)id->data.data;
+    *cursor = m->creds;
+    return 0;
+}
+
+static krb5_error_code
+mcc_get_next (krb5_context context,
+	      krb5_ccache id,
+	      krb5_cc_cursor *cursor,
+	      krb5_creds *creds)
+{
+    struct link *l;
+
+    l = *cursor;
+    if (l != NULL) {
+	*cursor = l->next;
+	return krb5_copy_creds_contents (context,
+					 &l->cred,
+					 creds);
+    } else
+	return KRB5_CC_END;
+}
+
+static krb5_error_code
+mcc_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    return 0;
+}
+
+static krb5_error_code
+mcc_remove_cred(krb5_context context,
+		 krb5_ccache id,
+		 krb5_flags which,
+		 krb5_creds *cred)
+{
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+mcc_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    return 0; /* XXX */
+}
+		    
+const krb5_cc_ops krb5_mcc_ops = {
+    "MEMORY",
+    mcc_get_name,
+    mcc_resolve,
+    mcc_gen_new,
+    mcc_initialize,
+    mcc_destroy,
+    mcc_close,
+    mcc_store_cred,
+    NULL, /* mcc_retrieve */
+    mcc_get_principal,
+    mcc_get_first,
+    mcc_get_next,
+    mcc_end_get,
+    mcc_remove_cred,
+    mcc_set_flags
+};
diff --git a/crypto/heimdal/lib/krb5/misc.c b/crypto/heimdal/lib/krb5/misc.c
new file mode 100644
index 0000000..baf63f6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/misc.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
diff --git a/crypto/heimdal/lib/krb5/mk_error.c b/crypto/heimdal/lib/krb5/mk_error.c
new file mode 100644
index 0000000..2b173db
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_error.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: mk_error.c,v 1.14 1999/12/02 17:05:11 joda Exp $");
+
+krb5_error_code
+krb5_mk_error(krb5_context context,
+	      krb5_error_code error_code,
+	      const char *e_text,
+	      const krb5_data *e_data,
+	      const krb5_principal client,
+	      const krb5_principal server,
+	      time_t ctime,
+	      krb5_data *reply)
+{
+    KRB_ERROR msg;
+    u_char *buf;
+    size_t buf_size;
+    int32_t sec, usec;
+    size_t len;
+    krb5_error_code ret = 0;
+
+    krb5_us_timeofday (context, &sec, &usec);
+
+    memset(&msg, 0, sizeof(msg));
+    msg.pvno     = 5;
+    msg.msg_type = krb_error;
+    msg.stime    = sec;
+    msg.susec    = usec;
+    if(ctime) {
+	msg.ctime = &ctime;
+    }
+    /* Make sure we only send `protocol' error codes */
+    if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
+	if(e_text == NULL)
+	    e_text = krb5_get_err_text(context, error_code);
+	error_code = KRB5KRB_ERR_GENERIC;
+    }
+    msg.error_code = error_code - KRB5KDC_ERR_NONE;
+    if (e_text)
+	msg.e_text = (general_string*)&e_text;
+    if (e_data)
+	msg.e_data = (octet_string*)e_data;
+    if(server){
+	msg.realm = server->realm;
+	msg.sname = server->name;
+    }else{
+	msg.realm = "<unspecified realm>";
+    }
+    if(client){
+	msg.crealm = &client->realm;
+	msg.cname = &client->name;
+    }
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL)
+	return ENOMEM;
+
+    do {
+	ret = encode_KRB_ERROR(buf + buf_size - 1,
+			       buf_size,
+			       &msg,
+			       &len);
+	if (ret) {
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    reply->length = len;
+    reply->data = malloc(len);
+    if (reply->data == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    memcpy (reply->data, buf + buf_size - len, len);
+out:
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c
new file mode 100644
index 0000000..1ee2bed
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_priv.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_priv.c,v 1.25 1999/12/02 17:05:11 joda Exp $");
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_mk_priv(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *userdata,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_PRIV s;
+  EncKrbPrivPart part;
+  u_char *buf;
+  size_t buf_size;
+  size_t len;
+  int tmp_seq;
+  krb5_keyblock *key;
+  int32_t sec, usec;
+  KerberosTime sec2;
+  int usec2;
+  krb5_crypto crypto;
+
+  /* XXX - Is this right? */
+
+  if (auth_context->local_subkey)
+      key = auth_context->local_subkey;
+  else if (auth_context->remote_subkey)
+      key = auth_context->remote_subkey;
+  else
+      key = auth_context->keyblock;
+
+  krb5_us_timeofday (context, &sec, &usec);
+
+  part.user_data = *userdata;
+  sec2           = sec;
+  part.timestamp = &sec2;
+  usec2          = usec;
+  part.usec      = &usec2;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    tmp_seq = ++auth_context->local_seqnumber;
+    part.seq_number = &tmp_seq;
+  } else {
+    part.seq_number = NULL;
+  }
+
+  part.s_address = auth_context->local_address;
+  part.r_address = auth_context->remote_address;
+
+  buf_size = 1024;
+  buf = malloc (buf_size);
+  if (buf == NULL)
+      return ENOMEM;
+
+  krb5_data_zero (&s.enc_part.cipher);
+
+  do {
+      ret = encode_EncKrbPrivPart (buf + buf_size - 1, buf_size,
+				   &part, &len);
+      if (ret) {
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+
+  s.pvno = 5;
+  s.msg_type = krb_priv;
+  s.enc_part.etype = key->keytype;
+  s.enc_part.kvno = NULL;
+
+  krb5_crypto_init(context, key, 0, &crypto);
+  ret = krb5_encrypt (context, 
+		      crypto,
+		      KRB5_KU_KRB_PRIV,
+		      buf + buf_size - len, 
+		      len,
+		      &s.enc_part.cipher);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free(buf);
+      return ret;
+  }
+
+  do {
+      ret = encode_KRB_PRIV (buf + buf_size - 1, buf_size, &s, &len);
+
+      if (ret){
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+  krb5_data_free (&s.enc_part.cipher);
+
+  outbuf->length = len;
+  outbuf->data   = malloc (len);
+  if (outbuf->data == NULL) {
+      free(buf);
+      return ENOMEM;
+  }
+  memcpy (outbuf->data, buf + buf_size - len, len);
+  free (buf);
+  return 0;
+
+fail:
+  free (buf);
+  krb5_data_free (&s.enc_part.cipher);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c
new file mode 100644
index 0000000..060be03
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_rep.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_rep.c,v 1.16 1999/12/02 17:05:11 joda Exp $");
+
+krb5_error_code
+krb5_mk_rep(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    krb5_data *outbuf)
+{
+  krb5_error_code ret;
+  AP_REP ap;
+  EncAPRepPart body;
+  u_char *buf = NULL;
+  size_t buf_size;
+  size_t len;
+  krb5_crypto crypto;
+
+  ap.pvno = 5;
+  ap.msg_type = krb_ap_rep;
+
+  memset (&body, 0, sizeof(body));
+
+  body.ctime = (*auth_context)->authenticator->ctime;
+  body.cusec = (*auth_context)->authenticator->cusec;
+  body.subkey = NULL;
+  if ((*auth_context)->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      (*auth_context)->keyblock,
+			      &(*auth_context)->local_seqnumber);
+    body.seq_number = malloc (sizeof(*body.seq_number));
+    if (body.seq_number == NULL)
+	return ENOMEM;
+    *(body.seq_number) = (*auth_context)->local_seqnumber;
+  } else
+    body.seq_number = NULL;
+
+  ap.enc_part.etype = (*auth_context)->keyblock->keytype;
+  ap.enc_part.kvno  = NULL;
+
+  buf_size = length_EncAPRepPart(&body);
+  buf = malloc (buf_size);
+  if (buf == NULL) {
+      free_EncAPRepPart (&body);
+      return ENOMEM;
+  }
+
+  ret = krb5_encode_EncAPRepPart (context, 
+				  buf + buf_size - 1,
+				  buf_size,
+				  &body, 
+				  &len);
+
+  free_EncAPRepPart (&body);
+  krb5_crypto_init(context, (*auth_context)->keyblock, 
+		   0 /* ap.enc_part.etype */, &crypto);
+  ret = krb5_encrypt (context,
+		      crypto,
+		      KRB5_KU_AP_REQ_ENC_PART,
+		      buf + buf_size - len, 
+		      len,
+		      &ap.enc_part.cipher);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free(buf);
+      return ret;
+  }
+
+  buf_size = length_AP_REP(&ap);
+  buf = realloc(buf, buf_size);
+  if(buf == NULL) {
+      free_AP_REP (&ap);
+      return ENOMEM;
+  }
+  ret = encode_AP_REP (buf + buf_size - 1, buf_size, &ap, &len);
+  
+  free_AP_REP (&ap);
+
+  if(len != buf_size)
+      krb5_abortx(context, "krb5_mk_rep: encoded length != calculated length");
+  outbuf->data = buf;
+  outbuf->length = len;
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c
new file mode 100644
index 0000000..55ecd46
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_req.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_req.c,v 1.20 2000/01/16 10:22:42 assar Exp $");
+
+krb5_error_code
+krb5_mk_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_flags ap_req_options,
+	    const char *service,
+	    const char *hostname,
+	    krb5_data *in_data,
+	    krb5_ccache ccache,
+	    krb5_data *outbuf)
+{
+    krb5_error_code ret;
+    krb5_creds this_cred, *cred;
+    char **realms;
+    krb5_data realm_data;
+    char *real_hostname;
+
+    memset(&this_cred, 0, sizeof(this_cred));
+
+    ret = krb5_cc_get_principal(context, ccache, &this_cred.client);
+  
+    if(ret)
+	return ret;
+
+    ret = krb5_expand_hostname_realms (context, hostname,
+				       &real_hostname, &realms);
+    if (ret) {
+	krb5_free_principal (context, this_cred.client);
+	return ret;
+    }
+
+    realm_data.length = strlen(*realms);
+    realm_data.data   = *realms;
+
+    ret = krb5_build_principal (context, &this_cred.server,
+				strlen(*realms),
+				*realms,
+				service,
+				real_hostname,
+				NULL);
+    free (real_hostname);
+    krb5_free_host_realm (context, realms);
+
+    if (ret) {
+	krb5_free_principal (context, this_cred.client);
+	return ret;
+    }
+    this_cred.times.endtime = 0;
+    if (auth_context && *auth_context && (*auth_context)->keytype)
+	this_cred.session.keytype = (*auth_context)->keytype;
+
+    ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
+    if (ret)
+	return ret;
+
+    return krb5_mk_req_extended (context,
+				 auth_context,
+				 ap_req_options,
+				 in_data,
+				 cred,
+				 outbuf);
+}
diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c
new file mode 100644
index 0000000..2b7b886
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_req_ext.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_req_ext.c,v 1.21 1999/12/02 17:05:11 joda Exp $");
+
+krb5_error_code
+krb5_mk_req_internal(krb5_context context,
+		     krb5_auth_context *auth_context,
+		     const krb5_flags ap_req_options,
+		     krb5_data *in_data,
+		     krb5_creds *in_creds,
+		     krb5_data *outbuf,
+		     krb5_key_usage usage)
+{
+  krb5_error_code ret;
+  krb5_data authenticator;
+  Checksum c;
+  Checksum *c_opt;
+  krb5_auth_context ac;
+
+  if(auth_context) {
+      if(*auth_context == NULL)
+	  ret = krb5_auth_con_init(context, auth_context);
+      else
+	  ret = 0;
+      ac = *auth_context;
+  } else
+      ret = krb5_auth_con_init(context, &ac);
+  if(ret)
+      return ret;
+      
+#if 0
+  {
+      /* This is somewhat bogus since we're possibly overwriting a
+         value specified by the user, but it's the easiest way to make
+         the code use a compatible enctype */
+      Ticket ticket;
+      krb5_keytype ticket_keytype;
+
+      ret = decode_Ticket(in_creds->ticket.data, 
+			  in_creds->ticket.length, 
+			  &ticket, 
+			  NULL);
+      krb5_enctype_to_keytype (context,
+			       ticket.enc_part.etype,
+			       &ticket_keytype);
+
+      if (ticket_keytype == in_creds->session.keytype)
+	  krb5_auth_setenctype(context, 
+			       ac,
+			       ticket.enc_part.etype);
+      free_Ticket(&ticket);
+  }
+#endif
+
+  krb5_free_keyblock(context, ac->keyblock);
+  krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+  
+  if (in_data) {
+      if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
+	  /* this is to make DCE secd (and older MIT kdcs?) happy */
+	  ret = krb5_create_checksum(context, 
+				     NULL,
+				     CKSUMTYPE_RSA_MD4,
+				     in_data->data,
+				     in_data->length,
+				     &c);
+      } else {
+	  krb5_crypto crypto;
+	  krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+	  ret = krb5_create_checksum(context, 
+				     crypto,
+				     usage,
+				     in_data->data,
+				     in_data->length,
+				     &c);
+      
+	  krb5_crypto_destroy(context, crypto);
+      }
+      c_opt = &c;
+  } else {
+      c_opt = NULL;
+  }
+  
+  ret = krb5_build_authenticator (context,
+				  ac,
+				  ac->keyblock->keytype,
+				  in_creds,
+				  c_opt,
+				  NULL,
+				  &authenticator);
+  if (c_opt)
+      free_Checksum (c_opt);
+  if (ret)
+    return ret;
+
+  ret = krb5_build_ap_req (context, ac->keyblock->keytype, 
+			   in_creds, ap_req_options, authenticator, outbuf);
+  if(auth_context == NULL)
+      krb5_auth_con_free(context, ac);
+  return ret;
+}
+
+krb5_error_code
+krb5_mk_req_extended(krb5_context context,
+		     krb5_auth_context *auth_context,
+		     const krb5_flags ap_req_options,
+		     krb5_data *in_data,
+		     krb5_creds *in_creds,
+		     krb5_data *outbuf)
+{
+    return krb5_mk_req_internal (context,
+				 auth_context,
+				 ap_req_options,
+				 in_data,
+				 in_creds,
+				 outbuf,
+				 KRB5_KU_AP_REQ_AUTH_CKSUM);
+}
diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c
new file mode 100644
index 0000000..4d848a6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_safe.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_safe.c,v 1.20 1999/12/02 17:05:11 joda Exp $");
+
+krb5_error_code
+krb5_mk_safe(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *userdata,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_SAFE s;
+  int32_t sec, usec;
+  KerberosTime sec2;
+  int usec2;
+  u_char *buf = NULL;
+  size_t buf_size;
+  size_t len;
+  int tmp_seq;
+  krb5_crypto crypto;
+
+  s.pvno = 5;
+  s.msg_type = krb_safe;
+
+  s.safe_body.user_data = *userdata;
+  krb5_us_timeofday (context, &sec, &usec);
+
+  sec2                   = sec;
+  s.safe_body.timestamp  = &sec2;
+  usec2                  = usec2;
+  s.safe_body.usec       = &usec2;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      tmp_seq = ++auth_context->local_seqnumber;
+      s.safe_body.seq_number = &tmp_seq;
+  } else 
+      s.safe_body.seq_number = NULL;
+
+  s.safe_body.s_address = auth_context->local_address;
+  s.safe_body.r_address = auth_context->remote_address;
+
+  s.cksum.cksumtype       = 0;
+  s.cksum.checksum.data   = NULL;
+  s.cksum.checksum.length = 0;
+
+
+  buf_size = length_KRB_SAFE(&s);
+  buf = malloc(buf_size + 128); /* add some for checksum */
+  if(buf == NULL)
+      return ENOMEM;
+  ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len);
+  ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  ret = krb5_create_checksum(context, 
+			     crypto,
+			     KRB5_KU_KRB_SAFE_CKSUM,
+			     buf + buf_size - len,
+			     len,
+			     &s.cksum);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+
+  buf_size = length_KRB_SAFE(&s);
+  buf = realloc(buf, buf_size);
+  if(buf == NULL)
+      return ENOMEM;
+  
+  ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len);
+  free_Checksum (&s.cksum);
+
+  outbuf->length = len;
+  outbuf->data   = malloc (len);
+  if (outbuf->data == NULL) {
+      free (buf);
+      return ENOMEM;
+  }
+  memcpy (outbuf->data, buf + buf_size - len, len);
+  free (buf);
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/n-fold-test.c b/crypto/heimdal/lib/krb5/n-fold-test.c
new file mode 100644
index 0000000..814dc6f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/n-fold-test.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: n-fold-test.c,v 1.3 1999/07/22 11:45:33 assar Exp $");
+
+enum { MAXSIZE = 24 };
+
+static struct testcase {
+    const char *str;
+    unsigned n;
+    unsigned char res[MAXSIZE];
+} tests[] = {
+    {"012345",		8,
+     {0xbe, 0x07, 0x26, 0x31, 0x27, 0x6b, 0x19, 0x55}
+    },
+    {"basch",		24,
+     {0x1a, 0xab, 0x6b, 0x42, 0x96, 0x4b, 0x98, 0xb2, 0x1f, 0x8c, 0xde,
+      0x2d, 0x24, 0x48, 0xba, 0x34, 0x55, 0xd7, 0x86, 0x2c, 0x97, 0x31,
+      0x64, 0x3f}
+    },
+    {"eichin",		24,
+     {0x65, 0x69, 0x63, 0x68, 0x69, 0x6e, 0x4b, 0x73, 0x2b, 0x4b,
+      0x1b, 0x43, 0xda, 0x1a, 0x5b, 0x99, 0x5a, 0x58, 0xd2, 0xc6, 0xd0,
+      0xd2, 0xdc, 0xca}
+    },
+    {"sommerfeld",	24,
+     {0x2f, 0x7a, 0x98, 0x55, 0x7c, 0x6e, 0xe4, 0xab, 0xad, 0xf4,
+      0xe7, 0x11, 0x92, 0xdd, 0x44, 0x2b, 0xd4, 0xff, 0x53, 0x25, 0xa5,
+      0xde, 0xf7, 0x5c}
+    },
+    {"MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 24,
+     {0xdb, 0x3b, 0x0d, 0x8f, 0x0b, 0x06, 0x1e, 0x60, 0x32, 0x82,
+      0xb3, 0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9,
+      0x54, 0x0c, 0x1b}
+    },
+    {"assar@NADA.KTH.SE", 24,
+     {0x5c, 0x06, 0xc3, 0x4d, 0x2c, 0x89, 0x05, 0xbe, 0x7a, 0x51,
+      0x83, 0x6c, 0xd6, 0xf8, 0x1c, 0x4b, 0x7a, 0x93, 0x49, 0x16, 0x5a,
+      0xb3, 0xfa, 0xa9}
+    },
+    {"testKRBTEST.MIT.EDUtestkey", 24,
+     {0x50, 0x2c, 0xf8, 0x29, 0x78, 0xe5, 0xfb, 0x1a, 0x29, 0x06,
+      0xbd, 0x22, 0x28, 0x91, 0x56, 0xc0, 0x06, 0xa0, 0xdc, 0xf5, 0xb6,
+      0xc2, 0xda, 0x6c}
+    },
+    {NULL, 0}
+};
+
+int
+main(int argc, char **argv)
+{
+    unsigned char data[MAXSIZE];
+    struct testcase *t;
+    int ret = 0;
+
+    for (t = tests; t->str; ++t) {
+	int i;
+
+	_krb5_n_fold (t->str, strlen(t->str), data, t->n);
+	if (memcmp (data, t->res, t->n) != 0) {
+	    printf ("n-fold(\"%s\", %d) failed\n", t->str, t->n);
+	    printf ("should be: ");
+	    for (i = 0; i < t->n; ++i)
+		printf ("%02x", t->res[i]);
+	    printf ("\nresult was: ");
+	    for (i = 0; i < t->n; ++i)
+		printf ("%02x", data[i]);
+	    printf ("\n");
+	    ret = 1;
+	}
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/n-fold.c b/crypto/heimdal/lib/krb5/n-fold.c
new file mode 100644
index 0000000..d0db5e8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/n-fold.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: n-fold.c,v 1.6 1999/08/27 09:03:41 joda Exp $");
+
+static void
+rr13(unsigned char *buf, size_t len)
+{
+    unsigned char *tmp;
+    int bytes = (len + 7) / 8;
+    int i;
+    if(len == 0)
+	return;
+    {
+	const int bits = 13 % len;
+	const int lbit = len % 8;
+    
+	tmp = malloc(bytes);
+	memcpy(tmp, buf, bytes);
+	if(lbit) {
+	    /* pad final byte with inital bits */
+	    tmp[bytes - 1] &= 0xff << (8 - lbit);
+	    for(i = lbit; i < 8; i += len)
+		tmp[bytes - 1] |= buf[0] >> i;
+	}
+	for(i = 0; i < bytes; i++) {
+	    int bb;
+	    int b1, s1, b2, s2;
+	    /* calculate first bit position of this byte */
+	    bb = 8 * i - bits;
+	    while(bb < 0)
+		bb += len;
+	    /* byte offset and shift count */
+	    b1 = bb / 8;
+	    s1 = bb % 8;
+	
+	    if(bb + 8 > bytes * 8) 
+		/* watch for wraparound */
+		s2 = (len + 8 - s1) % 8;
+	    else 
+		s2 = 8 - s1;
+	    b2 = (b1 + 1) % bytes;
+	    buf[i] = (tmp[b1] << s1) | (tmp[b2] >> s2);
+	}
+	free(tmp);
+    }
+}
+
+/* Add `b' to `a', both beeing one's complement numbers. */
+static void
+add1(unsigned char *a, unsigned char *b, size_t len)
+{
+    int i;
+    int carry = 0;
+    for(i = len - 1; i >= 0; i--){
+	int x = a[i] + b[i] + carry;
+	carry = x > 0xff;
+	a[i] = x & 0xff;
+    }
+    for(i = len - 1; carry && i >= 0; i--){
+	int x = a[i] + carry;
+	carry = x > 0xff;
+	a[i] = x & 0xff;
+    }
+}
+
+void
+_krb5_n_fold(const void *str, size_t len, void *key, size_t size)
+{
+    /* if len < size we need at most N * len bytes, ie < 2 * size;
+       if len > size we need at most 2 * len */
+    size_t maxlen = 2 * max(size, len);
+    size_t l = 0;
+    unsigned char *tmp = malloc(maxlen);
+    unsigned char *buf = malloc(len);
+    
+    memcpy(buf, str, len);
+    memset(key, 0, size);
+    do {
+	memcpy(tmp + l, buf, len);
+	l += len;
+	rr13(buf, len * 8);
+	while(l >= size) {
+	    add1(key, tmp, size);
+	    l -= size;
+	    if(l == 0)
+		break;
+	    memmove(tmp, tmp + size, l);
+	}
+    } while(l != 0);
+    memset(buf, 0, len);
+    free(buf);
+    memset(tmp, 0, maxlen);
+    free(tmp);
+}
diff --git a/crypto/heimdal/lib/krb5/net_read.c b/crypto/heimdal/lib/krb5/net_read.c
new file mode 100644
index 0000000..8cb1dc4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/net_read.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: net_read.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+
+ssize_t
+krb5_net_read (krb5_context context,
+	       void *p_fd,
+	       void *buf,
+	       size_t len)
+{
+  int fd = *((int *)p_fd);
+
+  return net_read (fd, buf, len);
+}
diff --git a/crypto/heimdal/lib/krb5/net_write.c b/crypto/heimdal/lib/krb5/net_write.c
new file mode 100644
index 0000000..5cc719b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/net_write.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: net_write.c,v 1.6 1999/12/02 17:05:11 joda Exp $");
+
+ssize_t
+krb5_net_write (krb5_context context,
+		void *p_fd,
+		const void *buf,
+		size_t len)
+{
+  int fd = *((int *)p_fd);
+
+  return net_write (fd, buf, len);
+}
diff --git a/crypto/heimdal/lib/krb5/padata.c b/crypto/heimdal/lib/krb5/padata.c
new file mode 100644
index 0000000..bcf7952
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/padata.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: padata.c,v 1.2 1999/12/02 17:05:11 joda Exp $");
+
+PA_DATA *
+krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index)
+{
+    for(; *index < len; (*index)++)
+	if(val[*index].padata_type == type)
+	    return val + *index;
+    return NULL;    
+}
diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c
new file mode 100644
index 0000000..2999868
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/principal.c
@@ -0,0 +1,903 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#ifdef HAVE_RES_SEARCH
+#define USE_RESOLVER
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#include "resolve.h"
+
+RCSID("$Id: principal.c,v 1.63 2000/02/07 03:19:05 assar Exp $");
+
+#define princ_num_comp(P) ((P)->name.name_string.len)
+#define princ_type(P) ((P)->name.name_type)
+#define princ_comp(P) ((P)->name.name_string.val)
+#define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
+#define princ_realm(P) ((P)->realm)
+
+void
+krb5_free_principal(krb5_context context,
+		    krb5_principal p)
+{
+    if(p){
+	free_Principal(p);
+	free(p);
+    }
+}
+
+krb5_error_code
+krb5_parse_name(krb5_context context,
+		const char *name,
+		krb5_principal *principal)
+{
+    krb5_error_code ret;
+    general_string *comp;
+    general_string realm;
+    int ncomp;
+
+    char *p;
+    char *q;
+    char *s;
+    char *start;
+
+    int n;
+    char c;
+    int got_realm = 0;
+  
+    /* count number of component */
+    ncomp = 1;
+    for(p = (char*)name; *p; p++){
+	if(*p=='\\'){
+	    if(!p[1])
+		return KRB5_PARSE_MALFORMED;
+	    p++;
+	} else if(*p == '/')
+	    ncomp++;
+    }
+    comp = calloc(ncomp, sizeof(*comp));
+    if (comp == NULL)
+	return ENOMEM;
+  
+    n = 0;
+    start = q = p = s = strdup(name);
+    if (start == NULL) {
+	free (comp);
+	return ENOMEM;
+    }
+    while(*p){
+	c = *p++;
+	if(c == '\\'){
+	    c = *p++;
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    else if(c == 'b')
+		c = '\b';
+	    else if(c == '0')
+		c = '\0';
+	}else if(c == '/' || c == '@'){
+	    if(got_realm){
+		ret = KRB5_PARSE_MALFORMED;
+		goto exit;
+	    }else{
+		comp[n] = malloc(q - start + 1);
+		if (comp[n] == NULL) {
+		    ret = ENOMEM;
+		    goto exit;
+		}
+		memcpy(comp[n], start, q - start);
+		comp[n][q - start] = 0;
+		n++;
+	    }
+	    if(c == '@')
+		got_realm = 1;
+	    start = q;
+	    continue;
+	}
+	if(got_realm && (c == ':' || c == '/' || c == '\0')) {
+	    ret = KRB5_PARSE_MALFORMED;
+	    goto exit;
+	}
+	*q++ = c;
+    }
+    if(got_realm){
+	realm = malloc(q - start + 1);
+	if (realm == NULL) {
+	    ret = ENOMEM;
+	    goto exit;
+	}
+	memcpy(realm, start, q - start);
+	realm[q - start] = 0;
+    }else{
+	ret = krb5_get_default_realm (context, &realm);
+	if (ret)
+	    goto exit;
+
+	comp[n] = malloc(q - start + 1);
+	if (comp[n] == NULL) {
+	    ret = ENOMEM;
+	    goto exit;
+	}
+	memcpy(comp[n], start, q - start);
+	comp[n][q - start] = 0;
+	n++;
+    }
+    *principal = malloc(sizeof(**principal));
+    if (*principal == NULL) {
+	ret = ENOMEM;
+	goto exit;
+    }
+    (*principal)->name.name_type = KRB5_NT_PRINCIPAL;
+    (*principal)->name.name_string.val = comp;
+    princ_num_comp(*principal) = n;
+    (*principal)->realm = realm;
+    free(s);
+    return 0;
+exit:
+    while(n>0){
+	free(comp[--n]);
+    }
+    free(comp);
+    free(s);
+    return ret;
+}
+
+static const char quotable_chars[] = " \n\t\b\\/@";
+static const char replace_chars[] = " ntb\\/@";
+
+#define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
+
+static size_t
+quote_string(const char *s, char *out, size_t index, size_t len)
+{
+    const char *p, *q;
+    for(p = s; *p && index < len; p++){
+	if((q = strchr(quotable_chars, *p))){
+	    add_char(out, index, len, '\\');
+	    add_char(out, index, len, replace_chars[q - quotable_chars]);
+	}else
+	    add_char(out, index, len, *p);
+    }
+    if(index < len)
+	out[index] = '\0';
+    return index;
+}
+
+
+static krb5_error_code
+unparse_name_fixed(krb5_context context,
+		   krb5_const_principal principal,
+		   char *name,
+		   size_t len,
+		   krb5_boolean short_form)
+{
+    size_t index = 0;
+    int i;
+    for(i = 0; i < princ_num_comp(principal); i++){
+	if(i)
+	    add_char(name, index, len, '/');
+	index = quote_string(princ_ncomp(principal, i), name, index, len);
+	if(index == len)
+	    return ERANGE;
+    } 
+    /* add realm if different from default realm */
+    if(short_form) {
+	krb5_realm r;
+	krb5_error_code ret;
+	ret = krb5_get_default_realm(context, &r);
+	if(ret)
+	    return ret;
+	if(strcmp(princ_realm(principal), r) != 0)
+	    short_form = 0;
+	free(r);
+    }
+    if(!short_form) {
+	add_char(name, index, len, '@');
+	index = quote_string(princ_realm(principal), name, index, len);
+	if(index == len)
+	    return ERANGE;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_unparse_name_fixed(krb5_context context,
+			krb5_const_principal principal,
+			char *name,
+			size_t len)
+{
+    return unparse_name_fixed(context, principal, name, len, FALSE);
+}
+
+krb5_error_code
+krb5_unparse_name_fixed_short(krb5_context context,
+			      krb5_const_principal principal,
+			      char *name,
+			      size_t len)
+{
+    return unparse_name_fixed(context, principal, name, len, TRUE);
+}
+
+static krb5_error_code
+unparse_name(krb5_context context,
+	     krb5_const_principal principal,
+	     char **name,
+	     krb5_boolean short_flag)
+{
+    size_t len = 0, plen;
+    int i;
+    krb5_error_code ret;
+    /* count length */
+    plen = strlen(princ_realm(principal));
+    if(strcspn(princ_realm(principal), quotable_chars) == plen)
+	len += plen;
+    else
+	len += 2*plen;
+    len++;
+    for(i = 0; i < princ_num_comp(principal); i++){
+	plen = strlen(princ_ncomp(principal, i));
+	if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)
+	    len += plen;
+	else
+	    len += 2*plen;
+	len++;
+    }
+    *name = malloc(len);
+    if(len != 0 && *name == NULL)
+	return ENOMEM;
+    ret = unparse_name_fixed(context, principal, *name, len, short_flag);
+    if(ret)
+	free(*name);
+    return ret;
+}
+
+krb5_error_code
+krb5_unparse_name(krb5_context context,
+		  krb5_const_principal principal,
+		  char **name)
+{
+    return unparse_name(context, principal, name, FALSE);
+}
+
+krb5_error_code
+krb5_unparse_name_short(krb5_context context,
+			krb5_const_principal principal,
+			char **name)
+{
+    return unparse_name(context, principal, name, TRUE);
+}
+
+#if 0 /* not implemented */
+
+krb5_error_code
+krb5_unparse_name_ext(krb5_context context,
+		      krb5_const_principal principal,
+		      char **name,
+		      size_t *size)
+{
+    krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
+}
+
+#endif
+
+krb5_realm*
+krb5_princ_realm(krb5_context context,
+		 krb5_principal principal)
+{
+    return &princ_realm(principal);
+}
+
+
+void
+krb5_princ_set_realm(krb5_context context,
+		     krb5_principal principal,
+		     krb5_realm *realm)
+{
+    princ_realm(principal) = *realm;
+}
+
+
+krb5_error_code
+krb5_build_principal(krb5_context context,
+		     krb5_principal *principal,
+		     int rlen,
+		     krb5_const_realm realm,
+		     ...)
+{
+    krb5_error_code ret;
+    va_list ap;
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, rlen, realm, ap);
+    va_end(ap);
+    return ret;
+}
+
+static krb5_error_code
+append_component(krb5_context context, krb5_principal p, 
+		 const char *comp,
+		 size_t comp_len)
+{
+    general_string *tmp;
+    size_t len = princ_num_comp(p);
+
+    tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    princ_comp(p) = tmp;
+    princ_ncomp(p, len) = malloc(comp_len + 1);
+    if (princ_ncomp(p, len) == NULL)
+	return ENOMEM;
+    memcpy (princ_ncomp(p, len), comp, comp_len);
+    princ_ncomp(p, len)[comp_len] = '\0';
+    princ_num_comp(p)++;
+    return 0;
+}
+
+static void
+va_ext_princ(krb5_context context, krb5_principal p, va_list ap)
+{
+    while(1){
+	const char *s;
+	int len;
+	len = va_arg(ap, int);
+	if(len == 0)
+	    break;
+	s = va_arg(ap, const char*);
+	append_component(context, p, s, len);
+    }
+}
+
+static void
+va_princ(krb5_context context, krb5_principal p, va_list ap)
+{
+    while(1){
+	const char *s;
+	s = va_arg(ap, const char*);
+	if(s == NULL)
+	    break;
+	append_component(context, p, s, strlen(s));
+    }
+}
+
+
+static krb5_error_code
+build_principal(krb5_context context,
+		krb5_principal *principal,
+		int rlen,
+		krb5_const_realm realm,
+		void (*func)(krb5_context, krb5_principal, va_list),
+		va_list ap)
+{
+    krb5_principal p;
+  
+    p = calloc(1, sizeof(*p));
+    if (p == NULL)
+	return ENOMEM;
+    princ_type(p) = KRB5_NT_PRINCIPAL;
+
+    princ_realm(p) = strdup(realm);
+    if(p->realm == NULL){
+	free(p);
+	return ENOMEM;
+    }
+  
+    (*func)(context, p, ap);
+    *principal = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_make_principal(krb5_context context,
+		    krb5_principal *principal,
+		    krb5_const_realm realm,
+		    ...)
+{
+    krb5_error_code ret;
+    krb5_realm r = NULL;
+    va_list ap;
+    if(realm == NULL) {
+	ret = krb5_get_default_realm(context, &r);
+	if(ret)
+	    return ret;
+	realm = r;
+    }
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+    va_end(ap);
+    if(r)
+	free(r);
+    return ret;
+}
+
+krb5_error_code
+krb5_build_principal_va(krb5_context context, 
+			krb5_principal *principal, 
+			int rlen,
+			krb5_const_realm realm,
+			va_list ap)
+{
+    return build_principal(context, principal, rlen, realm, va_princ, ap);
+}
+
+krb5_error_code
+krb5_build_principal_va_ext(krb5_context context, 
+			    krb5_principal *principal, 
+			    int rlen,
+			    krb5_const_realm realm,
+			    va_list ap)
+{
+    return build_principal(context, principal, rlen, realm, va_ext_princ, ap);
+}
+
+
+krb5_error_code
+krb5_build_principal_ext(krb5_context context,
+			 krb5_principal *principal,
+			 int rlen,
+			 krb5_const_realm realm,
+			 ...)
+{
+    krb5_error_code ret;
+    va_list ap;
+    va_start(ap, realm);
+    ret = krb5_build_principal_va_ext(context, principal, rlen, realm, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+krb5_error_code
+krb5_copy_principal(krb5_context context,
+		    krb5_const_principal inprinc,
+		    krb5_principal *outprinc)
+{
+    krb5_principal p = malloc(sizeof(*p));
+    if (p == NULL)
+	return ENOMEM;
+    if(copy_Principal(inprinc, p))
+	return ENOMEM;
+    *outprinc = p;
+    return 0;
+}
+
+
+krb5_boolean
+krb5_principal_compare_any_realm(krb5_context context,
+				 krb5_const_principal princ1,
+				 krb5_const_principal princ2)
+{
+    int i;
+    if(princ_num_comp(princ1) != princ_num_comp(princ2))
+	return FALSE;
+    for(i = 0; i < princ_num_comp(princ1); i++){
+	if(strcmp(princ_ncomp(princ1, i), princ_ncomp(princ2, i)) != 0)
+	    return FALSE;
+    }
+    return TRUE;
+}
+
+krb5_boolean
+krb5_principal_compare(krb5_context context,
+		       krb5_const_principal princ1,
+		       krb5_const_principal princ2)
+{
+    if(!krb5_realm_compare(context, princ1, princ2))
+	return FALSE;
+    return krb5_principal_compare_any_realm(context, princ1, princ2);
+}
+
+
+krb5_boolean
+krb5_realm_compare(krb5_context context,
+		   krb5_const_principal princ1,
+		   krb5_const_principal princ2)
+{
+    return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
+}
+
+struct v4_name_convert {
+    const char *from;
+    const char *to; 
+} default_v4_name_convert[] = {
+    { "ftp", "ftp" },
+    { "hprop", "hprop" },
+    { "pop", "pop" },
+    { "rcmd", "host" },
+    { NULL, NULL }
+};
+
+static const char*
+get_name_conversion(krb5_context context, const char *realm, const char *name)
+{
+    struct v4_name_convert *q;
+    const char *p;
+    p = krb5_config_get_string(context, NULL, "realms", realm,
+			       "v4_name_convert", "host", name, NULL);
+    if(p == NULL)
+	p = krb5_config_get_string(context, NULL, "libdefaults", 
+				   "v4_name_convert", "host", name, NULL);
+    if(p)
+	return p;
+
+    /* XXX should be possible to override default list */
+    p = krb5_config_get_string(context, NULL,
+			       "realms",
+			       realm,
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p)
+	return NULL;
+    p = krb5_config_get_string(context, NULL,
+			       "libdefaults",
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p)
+	return NULL;
+    for(q = default_v4_name_convert; q->from; q++)
+	if(strcmp(q->from, name) == 0)
+	    return q->to;
+    return NULL;
+}
+
+krb5_error_code
+krb5_425_conv_principal_ext(krb5_context context,
+			    const char *name,
+			    const char *instance,
+			    const char *realm,
+			    krb5_boolean (*func)(krb5_context, krb5_principal),
+			    krb5_boolean resolve,
+			    krb5_principal *princ)
+{
+    const char *p;
+    krb5_error_code ret;
+    krb5_principal pr;
+    char host[128];
+
+    /* do the following: if the name is found in the
+       `v4_name_convert:host' part, is is assumed to be a `host' type
+       principal, and the instance is looked up in the
+       `v4_instance_convert' part. if not found there the name is
+       (optionally) looked up as a hostname, and if that doesn't yield
+       anything, the `default_domain' is appended to the instance
+       */
+
+    if(instance == NULL)
+	goto no_host;
+    if(instance[0] == 0){
+	instance = NULL;
+	goto no_host;
+    }
+    p = get_name_conversion(context, realm, name);
+    if(p == NULL)
+	goto no_host;
+    name = p;
+    p = krb5_config_get_string(context, NULL, "realms", realm, 
+			       "v4_instance_convert", instance, NULL);
+    if(p){
+	instance = p;
+	ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
+	if(func == NULL || (*func)(context, pr)){
+	    *princ = pr;
+	    return 0;
+	}
+	krb5_free_principal(context, pr);
+	*princ = NULL;
+	return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
+    if(resolve){
+	const char *inst = NULL;
+#ifdef USE_RESOLVER
+	struct dns_reply *r;
+	r = dns_lookup(instance, "a");
+	if(r && r->head && r->head->type == T_A)
+	    inst = r->head->domain;
+#else
+	struct hostent *hp = roken_gethostbyname(instance);
+	if(hp)
+	    inst = hp->h_name;
+#endif
+	if(inst) {
+	    ret = krb5_make_principal(context, &pr, realm, name, inst, NULL);
+	    if(ret == 0) {
+		if(func == NULL || (*func)(context, pr)){
+		    *princ = pr;
+#ifdef USE_RESOLVER
+		    dns_free_data(r);
+#endif
+		    return 0;
+		}
+		krb5_free_principal(context, pr);
+	    }
+	}
+#ifdef USE_RESOLVER
+	if(r) 
+	    dns_free_data(r);
+#endif
+    }
+    {
+	char **domains, **d;
+	domains = krb5_config_get_strings(context, NULL, "realms", realm,
+					  "v4_domains", NULL);
+	for(d = domains; d && *d; d++){
+	    snprintf(host, sizeof(host), "%s.%s", instance, *d);
+	    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
+	    if(func == NULL || (*func)(context, pr)){
+		*princ = pr;
+		krb5_config_free_strings(domains);
+		return 0;
+	    }
+	    krb5_free_principal(context, pr);
+	}
+	krb5_config_free_strings(domains);
+    }
+    
+    
+    p = krb5_config_get_string(context, NULL, "realms", realm, 
+			       "default_domain", NULL);
+    if(p == NULL){
+	/* should this be an error or should it silently
+	   succeed? */
+	return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
+	
+    if (*p == '.')
+	++p;
+    snprintf(host, sizeof(host), "%s.%s", instance, p);
+    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
+    if(func == NULL || (*func)(context, pr)){
+	*princ = pr;
+	return 0;
+    }
+    krb5_free_principal(context, pr);
+    return HEIM_ERR_V4_PRINC_NO_CONV;
+no_host:
+    p = krb5_config_get_string(context, NULL,
+			       "realms",
+			       realm,
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p == NULL)
+	p = krb5_config_get_string(context, NULL,
+				   "libdefaults",
+				   "v4_name_convert",
+				   "plain",
+				   name,
+				   NULL);
+    if(p)
+	name = p;
+    
+    ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
+    if(func == NULL || (*func)(context, pr)){
+	*princ = pr;
+	return 0;
+    }
+    krb5_free_principal(context, pr);
+    return HEIM_ERR_V4_PRINC_NO_CONV;
+}
+
+krb5_error_code
+krb5_425_conv_principal(krb5_context context,
+			const char *name,
+			const char *instance,
+			const char *realm,
+			krb5_principal *princ)
+{
+    krb5_boolean resolve = krb5_config_get_bool(context,
+						NULL,
+						"libdefaults", 
+						"v4_instance_resolve", 
+						NULL);
+
+    return krb5_425_conv_principal_ext(context, name, instance, realm, 
+				       NULL, resolve, princ);
+}
+
+
+static int
+check_list(const krb5_config_binding *l, const char *name, const char **out)
+{
+    while(l){
+	if (l->type != krb5_config_string)
+	    continue;
+	if(strcmp(name, l->u.string) == 0) {
+	    *out = l->name;
+	    return 1;
+	}
+	l = l->next;
+    }
+    return 0;
+}
+
+static int
+name_convert(krb5_context context, const char *name, const char *realm, 
+	     const char **out)
+{
+    const krb5_config_binding *l;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "realms",
+			      realm,
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_SRV_HST;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "libdefaults",
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_SRV_HST;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "realms",
+			      realm,
+			      "v4_name_convert",
+			      "plain",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_UNKNOWN;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "libdefaults",
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_UNKNOWN;
+    
+    /* didn't find it in config file, try built-in list */
+    {
+	struct v4_name_convert *q;
+	for(q = default_v4_name_convert; q->from; q++) {
+	    if(strcmp(name, q->to) == 0) {
+		*out = q->from;
+		return KRB5_NT_SRV_HST;
+	    }
+	}
+    }
+    return -1;
+}
+
+krb5_error_code
+krb5_524_conv_principal(krb5_context context,
+			const krb5_principal principal,
+			char *name, 
+			char *instance,
+			char *realm)
+{
+    const char *n, *i, *r;
+    char tmpinst[40];
+    int type = princ_type(principal);
+
+    r = principal->realm;
+
+    switch(principal->name.name_string.len){
+    case 1:
+	n = principal->name.name_string.val[0];
+	i = "";
+	break;
+    case 2:
+	n = principal->name.name_string.val[0];
+	i = principal->name.name_string.val[1];
+	break;
+    default:
+	return KRB5_PARSE_MALFORMED;
+    }
+
+    {
+	const char *tmp;
+	int t = name_convert(context, n, r, &tmp);
+	if(t >= 0) {
+	    type = t;
+	    n = tmp;
+	}
+    }
+
+    if(type == KRB5_NT_SRV_HST){
+	char *p;
+
+	strlcpy (tmpinst, i, sizeof(tmpinst));
+	p = strchr(tmpinst, '.');
+	if(p)
+	    *p = 0;
+	i = tmpinst;
+    }
+    
+    if(strlen(r) >= 40)
+	return KRB5_PARSE_MALFORMED;
+    if(strlen(n) >= 40)
+	return KRB5_PARSE_MALFORMED;
+    if(strlen(i) >= 40)
+	return KRB5_PARSE_MALFORMED;
+    strcpy(realm, r);
+    strcpy(name, n);
+    strcpy(instance, i);
+    return 0;
+}
+
+/*
+ * Create a principal in `ret_princ' for the service `sname' running
+ * on host `hostname'.  */
+			
+krb5_error_code
+krb5_sname_to_principal (krb5_context context,
+			 const char *hostname,
+			 const char *sname,
+			 int32_t type,
+			 krb5_principal *ret_princ)
+{
+    krb5_error_code ret;
+    char localhost[128];
+    char **realms, *host = NULL;
+	
+    if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN)
+	return KRB5_SNAME_UNSUPP_NAMETYPE;
+    if(hostname == NULL) {
+	gethostname(localhost, sizeof(localhost));
+	hostname = localhost;
+    }
+    if(sname == NULL)
+	sname = "host";
+    if(type == KRB5_NT_SRV_HST) {
+	ret = krb5_expand_hostname_realms (context, hostname,
+					   &host, &realms);
+	if (ret)
+	    return ret;
+	strlwr(host);
+	hostname = host;
+    } else {
+	ret = krb5_get_host_realm(context, hostname, &realms);
+	if(ret)
+	    return ret;
+    }
+
+    ret = krb5_make_principal(context, ret_princ, realms[0], sname,
+			      hostname, NULL);
+    if(host)
+	free(host);
+    krb5_free_host_realm(context, realms);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c
new file mode 100644
index 0000000..4693d08
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/prog_setup.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: prog_setup.c,v 1.6 1999/12/02 17:05:11 joda Exp $");
+
+void
+krb5_std_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+int
+krb5_program_setup(krb5_context *context, int argc, char **argv,
+		   struct getargs *args, int num_args, 
+		   void (*usage)(int, struct getargs*, int))
+{
+    int optind = 0;
+
+    if(usage == NULL)
+	usage = krb5_std_usage;
+
+    set_progname(argv[0]);
+    krb5_init_context(context);
+    
+    if(getarg(args, num_args, argc, argv, &optind))
+	(*usage)(1, args, num_args);
+    return optind;
+}
diff --git a/crypto/heimdal/lib/krb5/prompter_posix.c b/crypto/heimdal/lib/krb5/prompter_posix.c
new file mode 100644
index 0000000..a849254
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/prompter_posix.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: prompter_posix.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+
+int
+krb5_prompter_posix (krb5_context context,
+		     void *data,
+		     const char *banner,
+		     int num_prompts,
+		     krb5_prompt prompts[])
+{
+    int i;
+
+    if (banner)
+	fprintf (stderr, "%s\n", banner);
+    for (i = 0; i < num_prompts; ++i) {
+	if (prompts[i].hidden) {
+	    if(des_read_pw_string(prompts[i].reply->data,
+				  prompts[i].reply->length,
+				  prompts[i].prompt,
+				  0))
+	       return 1;
+	} else {
+	    char *s = prompts[i].reply->data;
+
+	    fputs (prompts[i].prompt, stdout);
+	    fflush (stdout);
+	    if(fgets(prompts[i].reply->data,
+		     prompts[i].reply->length,
+		     stdin) == NULL)
+		return 1;
+	    if(s[strlen(s) - 1] == '\n')
+		s[strlen(s) - 1] = '\0';
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c
new file mode 100644
index 0000000..71b79b1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_cred.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_cred.c,v 1.9 2000/02/06 05:19:52 assar Exp $");
+
+krb5_error_code
+krb5_rd_cred (krb5_context      context,
+	      krb5_auth_context auth_context,
+	      krb5_ccache       ccache,
+	      krb5_data         *in_data)
+{
+    krb5_error_code ret;
+    size_t len;
+    KRB_CRED cred;
+    EncKrbCredPart enc_krb_cred_part;
+    krb5_data enc_krb_cred_part_data;
+    krb5_crypto crypto;
+    int i;
+
+    ret = decode_KRB_CRED (in_data->data, in_data->length,
+			   &cred, &len);
+    if (ret)
+	return ret;
+
+    if (cred.pvno != 5) {
+	ret = KRB5KRB_AP_ERR_BADVERSION;
+	goto out;
+    }
+
+    if (cred.msg_type != krb_cred) {
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	goto out;
+    }
+
+    krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto);
+    ret = krb5_decrypt_EncryptedData(context,
+				     crypto,
+				     KRB5_KU_KRB_CRED,
+				     &cred.enc_part,
+				     &enc_krb_cred_part_data);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	goto out;
+    
+
+    ret = krb5_decode_EncKrbCredPart (context,
+				      enc_krb_cred_part_data.data,
+				      enc_krb_cred_part_data.length,
+				      &enc_krb_cred_part,
+				      &len);
+    if (ret)
+	goto out;
+
+    /* check sender address */
+
+    if (enc_krb_cred_part.s_address
+	&& auth_context->remote_address) {
+	krb5_address *a;
+	int cmp;
+
+	ret = krb5_make_addrport (&a,
+				  auth_context->remote_address,
+				  auth_context->remote_port);
+	if (ret)
+	    goto out;
+
+
+	cmp = krb5_address_compare (context,
+				    a,
+				    enc_krb_cred_part.s_address);
+
+	krb5_free_address (context, a);
+	free (a);
+
+	if (cmp == 0) {
+	    ret = KRB5KRB_AP_ERR_BADADDR;
+	    goto out;
+	}
+    }
+
+    /* check receiver address */
+
+    if (enc_krb_cred_part.r_address
+	&& !krb5_address_compare (context,
+				  auth_context->local_address,
+				  enc_krb_cred_part.r_address)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	goto out;
+    }
+
+    /* check timestamp */
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	krb5_timestamp sec;
+
+	krb5_timeofday (context, &sec);
+
+	if (enc_krb_cred_part.timestamp == NULL ||
+	    enc_krb_cred_part.usec      == NULL ||
+	    abs(*enc_krb_cred_part.timestamp - sec)
+	    > context->max_skew) {
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    goto out;
+	}
+    }
+
+    /* XXX - check replay cache */
+
+    /* Store the creds in the ccache */
+
+    for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
+	KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
+	krb5_creds creds;
+	u_char buf[1024];
+	size_t len;
+
+	memset (&creds, 0, sizeof(creds));
+
+	ret = encode_Ticket (buf + sizeof(buf) - 1, sizeof(buf),
+			     &cred.tickets.val[i],
+			     &len);
+	if (ret)
+	    goto out;
+	krb5_data_copy (&creds.ticket, buf + sizeof(buf) - len, len);
+	copy_EncryptionKey (&kci->key, &creds.session);
+	if (kci->prealm && kci->pname)
+	    principalname2krb5_principal (&creds.client,
+					  *kci->pname,
+					  *kci->prealm);
+	if (kci->flags)
+	    creds.flags.b = *kci->flags;
+	if (kci->authtime)
+	    creds.times.authtime = *kci->authtime;
+	if (kci->starttime)
+	    creds.times.starttime = *kci->starttime;
+	if (kci->endtime)
+	    creds.times.endtime = *kci->endtime;
+	if (kci->renew_till)
+	    creds.times.renew_till = *kci->renew_till;
+	if (kci->srealm && kci->sname)
+	    principalname2krb5_principal (&creds.server,
+					  *kci->sname,
+					  *kci->srealm);
+	if (kci->caddr)
+	    krb5_copy_addresses (context,
+				 kci->caddr,
+				 &creds.addresses);
+	krb5_cc_store_cred (context, ccache, &creds);
+    }
+
+out:
+    free_KRB_CRED (&cred);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_error.c b/crypto/heimdal/lib/krb5/rd_error.c
new file mode 100644
index 0000000..df9b45e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_error.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: rd_error.c,v 1.4 1999/12/02 17:05:12 joda Exp $");
+
+krb5_error_code
+krb5_rd_error(krb5_context context,
+	      krb5_data *msg,
+	      KRB_ERROR *result)
+{
+    
+    size_t len;
+    krb5_error_code ret;
+    ret = decode_KRB_ERROR(msg->data, msg->length, result, &len);
+    if(ret)
+	return ret;
+    result->error_code += KRB5KDC_ERR_NONE;
+    return 0;    
+}
+
+void
+krb5_free_error_contents (krb5_context context,
+			  krb5_error *error)
+{
+    free_KRB_ERROR(error);
+}
+
+void
+krb5_free_error (krb5_context context,
+		 krb5_error *error)
+{
+    krb5_free_error_contents (context, error);
+    free (error);
+}
diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c
new file mode 100644
index 0000000..c4d7bea
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_priv.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_priv.c,v 1.23 2000/02/06 05:20:13 assar Exp $");
+
+krb5_error_code
+krb5_rd_priv(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *inbuf,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_PRIV priv;
+  EncKrbPrivPart part;
+  size_t len;
+  krb5_data plain;
+  krb5_keyblock *key;
+  krb5_crypto crypto;
+
+  memset(&priv, 0, sizeof(priv));
+  ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
+  if (ret) 
+      goto failure;
+  if (priv.pvno != 5) {
+      ret = KRB5KRB_AP_ERR_BADVERSION;
+      goto failure;
+  }
+  if (priv.msg_type != krb_priv) {
+      ret = KRB5KRB_AP_ERR_MSG_TYPE;
+      goto failure;
+  }
+
+  /* XXX - Is this right? */
+
+  if (auth_context->local_subkey)
+      key = auth_context->local_subkey;
+  else if (auth_context->remote_subkey)
+      key = auth_context->remote_subkey;
+  else
+      key = auth_context->keyblock;
+
+  krb5_crypto_init(context, key, 0, &crypto);
+  ret = krb5_decrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_KRB_PRIV,
+				   &priv.enc_part,
+				   &plain);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) 
+      goto failure;
+
+  ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
+  krb5_data_free (&plain);
+  if (ret) 
+      goto failure;
+  
+  /* check sender address */
+
+  if (part.s_address
+      && auth_context->remote_address
+      && !krb5_address_compare (context,
+				auth_context->remote_address,
+				part.s_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure_part;
+  }
+
+  /* check receiver address */
+
+  if (part.r_address
+      && auth_context->local_address
+      && !krb5_address_compare (context,
+				auth_context->local_address,
+				part.r_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure_part;
+  }
+
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+      krb5_timestamp sec;
+
+      krb5_timeofday (context, &sec);
+      if (part.timestamp == NULL ||
+	  part.usec      == NULL ||
+	  abs(*part.timestamp - sec) > context->max_skew) {
+	  ret = KRB5KRB_AP_ERR_SKEW;
+	  goto failure_part;
+      }
+  }
+
+  /* XXX - check replay cache */
+
+  /* check sequence number */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    if (part.seq_number == NULL ||
+	*part.seq_number != ++auth_context->remote_seqnumber) {
+      ret = KRB5KRB_AP_ERR_BADORDER;
+      goto failure_part;
+    }
+  }
+
+  ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
+  if (ret)
+      goto failure_part;
+
+  free_EncKrbPrivPart (&part);
+  free_KRB_PRIV (&priv);
+  return 0;
+
+failure_part:
+  free_EncKrbPrivPart (&part);
+
+failure:
+  free_KRB_PRIV (&priv);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c
new file mode 100644
index 0000000..e2c401c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_rep.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_rep.c,v 1.19 1999/12/02 17:05:12 joda Exp $");
+
+krb5_error_code
+krb5_rd_rep(krb5_context context,
+	    krb5_auth_context auth_context,
+	    const krb5_data *inbuf,
+	    krb5_ap_rep_enc_part **repl)
+{
+  krb5_error_code ret;
+  AP_REP ap_rep;
+  size_t len;
+  krb5_data data;
+  krb5_crypto crypto;
+
+  krb5_data_zero (&data);
+  ret = 0;
+
+  ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
+  if (ret)
+      return ret;
+  if (ap_rep.pvno != 5) {
+    ret = KRB5KRB_AP_ERR_BADVERSION;
+    goto out;
+  }
+  if (ap_rep.msg_type != krb_ap_rep) {
+    ret = KRB5KRB_AP_ERR_MSG_TYPE;
+    goto out;
+  }
+
+  krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  ret = krb5_decrypt_EncryptedData (context, 
+				    crypto,	
+				    KRB5_KU_AP_REQ_ENC_PART,
+				    &ap_rep.enc_part,
+				    &data);
+  krb5_crypto_destroy(context, crypto);
+  if (ret)
+      goto out;
+
+  *repl = malloc(sizeof(**repl));
+  if (*repl == NULL) {
+    ret = ENOMEM;
+    goto out;
+  }
+  ret = krb5_decode_EncAPRepPart(context,
+				 data.data,
+				 data.length,
+				 *repl, 
+				 &len);
+  if (ret)
+      return ret;
+  
+  if ((*repl)->ctime != auth_context->authenticator->ctime ||
+      (*repl)->cusec != auth_context->authenticator->cusec) {
+    ret = KRB5KRB_AP_ERR_MUT_FAIL;
+    goto out;
+  }
+  if ((*repl)->seq_number)
+    auth_context->remote_seqnumber = *((*repl)->seq_number);
+  
+out:
+  krb5_data_free (&data);
+  free_AP_REP (&ap_rep);
+  return ret;
+}
+
+void
+krb5_free_ap_rep_enc_part (krb5_context context,
+			   krb5_ap_rep_enc_part *val)
+{
+    free_EncAPRepPart (val);
+    free (val);
+}
diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c
new file mode 100644
index 0000000..bcf4ecf
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_req.c
@@ -0,0 +1,465 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_req.c,v 1.41 2000/02/07 13:31:55 joda Exp $");
+
+static krb5_error_code
+decrypt_tkt_enc_part (krb5_context context,
+		      krb5_keyblock *key,
+		      EncryptedData *enc_part,
+		      EncTicketPart *decr_part)
+{
+    krb5_error_code ret;
+    krb5_data plain;
+    size_t len;
+    krb5_crypto crypto;
+
+    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_TICKET,
+				      enc_part,
+				      &plain);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_EncTicketPart(context, plain.data, plain.length, 
+				    decr_part, &len);
+    krb5_data_free (&plain);
+    return ret;
+}
+
+static krb5_error_code
+decrypt_authenticator (krb5_context context,
+		       EncryptionKey *key,
+		       EncryptedData *enc_part,
+		       Authenticator *authenticator)
+{
+    krb5_error_code ret;
+    krb5_data plain;
+    size_t len;
+    krb5_crypto crypto;
+
+    krb5_crypto_init(context, key, 0, &crypto);
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_AP_REQ_AUTH,
+				      enc_part,
+				      &plain);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_Authenticator(context, plain.data, plain.length, 
+				    authenticator, &len);
+    krb5_data_free (&plain);
+    return ret;
+}
+
+krb5_error_code
+krb5_decode_ap_req(krb5_context context,
+		   const krb5_data *inbuf,
+		   krb5_ap_req *ap_req)
+{
+    krb5_error_code ret;
+    size_t len;
+    ret = decode_AP_REQ(inbuf->data, inbuf->length, ap_req, &len);
+    if (ret)
+	return ret;
+    if (ap_req->pvno != 5){
+	free_AP_REQ(ap_req);
+	return KRB5KRB_AP_ERR_BADVERSION;
+    }
+    if (ap_req->msg_type != krb_ap_req){
+	free_AP_REQ(ap_req);
+	return KRB5KRB_AP_ERR_MSG_TYPE;
+    }
+    if (ap_req->ticket.tkt_vno != 5){
+	free_AP_REQ(ap_req);
+	return KRB5KRB_AP_ERR_BADVERSION;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_decrypt_ticket(krb5_context context,
+		    Ticket *ticket,
+		    krb5_keyblock *key,
+		    EncTicketPart *out,
+		    krb5_flags flags)
+{
+    EncTicketPart t;
+    krb5_error_code ret;
+    ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t);
+    if (ret)
+	return ret;
+    
+    {
+	krb5_timestamp now;
+	time_t start = t.authtime;
+
+	krb5_timeofday (context, &now);
+	if(t.starttime)
+	    start = *t.starttime;
+	if(start - now > context->max_skew
+	   || (t.flags.invalid
+	       && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID)))
+	    return KRB5KRB_AP_ERR_TKT_NYV;
+	if(now - t.endtime > context->max_skew)
+	    return KRB5KRB_AP_ERR_TKT_EXPIRED;
+    }
+    
+    if(out)
+	*out = t;
+    else
+	free_EncTicketPart(&t);
+    return 0;
+}
+
+krb5_error_code
+krb5_verify_authenticator_checksum(krb5_context context,
+				   krb5_auth_context ac,
+				   void *data,
+				   size_t len)
+{
+    krb5_error_code ret;
+    krb5_keyblock *key;
+    krb5_authenticator authenticator;
+    krb5_crypto crypto;
+    
+    ret = krb5_auth_getauthenticator (context,
+				      ac,
+				      &authenticator);
+    if(ret)
+	return ret;
+    if(authenticator->cksum == NULL)
+	return -17;
+    ret = krb5_auth_con_getkey(context, ac, &key);
+    if(ret) {
+	krb5_free_authenticator(context, &authenticator);
+	return ret;
+    }
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if(ret)
+	goto out;
+    ret = krb5_verify_checksum (context,
+				crypto,
+				KRB5_KU_AP_REQ_AUTH_CKSUM,
+				data,
+				len,
+				authenticator->cksum);
+    krb5_crypto_destroy(context, crypto);
+out:
+    krb5_free_authenticator(context, &authenticator);
+    krb5_free_keyblock(context, key);
+    return ret;
+}
+
+#if 0
+static krb5_error_code
+check_transited(krb5_context context,
+		krb5_ticket *ticket)
+{
+    char **realms;
+    int num_realms;
+    krb5_error_code ret;
+
+    if(ticket->ticket.transited.tr_type != DOMAIN_X500_COMPRESS)
+	return KRB5KDC_ERR_TRTYPE_NOSUPP;
+
+    ret = krb5_domain_x500_decode(ticket->ticket.transited.contents, 
+				  &realms, &num_realms, 
+				  ticket->client->realm,
+				  ticket->server->realm);
+    if(ret)
+	return ret;
+    ret = krb5_check_transited_realms(context, realms, num_realms, NULL);
+    free(realms);
+    return ret;
+}
+#endif
+
+krb5_error_code
+krb5_verify_ap_req(krb5_context context,
+		   krb5_auth_context *auth_context,
+		   krb5_ap_req *ap_req,
+		   krb5_const_principal server,
+		   krb5_keyblock *keyblock,
+		   krb5_flags flags,
+		   krb5_flags *ap_req_options,
+		   krb5_ticket **ticket)
+{
+    krb5_ticket t;
+    krb5_auth_context ac;
+    krb5_error_code ret;
+    
+    if(auth_context) {
+	if(*auth_context == NULL){
+	    krb5_auth_con_init(context, &ac);
+	    *auth_context = ac;
+	}else
+	    ac = *auth_context;
+    } else
+	krb5_auth_con_init(context, &ac);
+	
+    if (ap_req->ap_options.use_session_key && ac->keyblock){
+	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
+				  ac->keyblock, 
+				  &t.ticket,
+				  flags);
+	krb5_free_keyblock(context, ac->keyblock);
+	ac->keyblock = NULL;
+    }else
+	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
+				  keyblock, 
+				  &t.ticket,
+				  flags);
+    
+    if(ret)
+	return ret;
+
+    principalname2krb5_principal(&t.server, ap_req->ticket.sname, 
+				 ap_req->ticket.realm);
+    principalname2krb5_principal(&t.client, t.ticket.cname, 
+				 t.ticket.crealm);
+
+    /* save key */
+
+    krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock);
+
+    ret = decrypt_authenticator (context,
+				 &t.ticket.key,
+				 &ap_req->authenticator,
+				 ac->authenticator);
+    if (ret){
+	/* XXX free data */
+	return ret;
+    }
+
+    {
+	krb5_principal p1, p2;
+	krb5_boolean res;
+	
+	principalname2krb5_principal(&p1,
+				     ac->authenticator->cname,
+				     ac->authenticator->crealm);
+	principalname2krb5_principal(&p2, 
+				     t.ticket.cname,
+				     t.ticket.crealm);
+	res = krb5_principal_compare (context, p1, p2);
+	krb5_free_principal (context, p1);
+	krb5_free_principal (context, p2);
+	if (!res)
+	    return KRB5KRB_AP_ERR_BADMATCH;
+    }
+
+    /* check addresses */
+
+    if (t.ticket.caddr
+	&& ac->remote_address
+	&& !krb5_address_search (context,
+				 ac->remote_address,
+				 t.ticket.caddr))
+	return KRB5KRB_AP_ERR_BADADDR;
+
+    if (ac->authenticator->seq_number)
+	ac->remote_seqnumber = *ac->authenticator->seq_number;
+
+    /* XXX - Xor sequence numbers */
+
+    /* XXX - subkeys? */
+    /* And where should it be stored? */
+
+    if (ac->authenticator->subkey) {
+	krb5_copy_keyblock(context, 
+			   ac->authenticator->subkey,
+			   &ac->remote_subkey);
+    }
+
+    if (ap_req_options) {
+	*ap_req_options = 0;
+	if (ap_req->ap_options.use_session_key)
+	    *ap_req_options |= AP_OPTS_USE_SESSION_KEY;
+	if (ap_req->ap_options.mutual_required)
+	    *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+
+    if(ticket){
+	*ticket = malloc(sizeof(**ticket));
+	**ticket = t;
+    } else
+	krb5_free_ticket (context, &t);
+    return 0;
+}
+		   
+
+krb5_error_code
+krb5_rd_req_with_keyblock(krb5_context context,
+			  krb5_auth_context *auth_context,
+			  const krb5_data *inbuf,
+			  krb5_const_principal server,
+			  krb5_keyblock *keyblock,
+			  krb5_flags *ap_req_options,
+			  krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_ap_req ap_req;
+
+    if (*auth_context == NULL) {
+	ret = krb5_auth_con_init(context, auth_context);
+	if (ret)
+	    return ret;
+    }
+
+    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
+    if(ret)
+	return ret;
+
+    ret = krb5_verify_ap_req(context,
+			     auth_context,
+			     &ap_req,
+			     server,
+			     keyblock,
+			     0,
+			     ap_req_options,
+			     ticket);
+
+    free_AP_REQ(&ap_req);
+    return ret;
+}
+
+static krb5_error_code
+get_key_from_keytab(krb5_context context,
+		    krb5_auth_context *auth_context,
+		    krb5_ap_req *ap_req,
+		    krb5_const_principal server,
+		    krb5_keytab keytab,
+		    krb5_keyblock **out_key)
+{
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+    int kvno;
+    krb5_keytab real_keytab;
+
+    if(keytab == NULL)
+	krb5_kt_default(context, &real_keytab);
+    else
+	real_keytab = keytab;
+    
+    if (ap_req->ticket.enc_part.kvno)
+	kvno = *ap_req->ticket.enc_part.kvno;
+    else
+	kvno = 0;
+
+    ret = krb5_kt_get_entry (context,
+			     real_keytab,
+			     server,
+			     kvno,
+			     ap_req->ticket.enc_part.etype,
+			     &entry);
+    if(ret)
+	goto out;
+    ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
+    krb5_kt_free_entry (context, &entry);
+out:    
+    if(keytab == NULL)
+	krb5_kt_close(context, real_keytab);
+    
+    return ret;
+}
+
+krb5_error_code
+krb5_rd_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_data *inbuf,
+	    krb5_const_principal server,
+	    krb5_keytab keytab,
+	    krb5_flags *ap_req_options,
+	    krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_ap_req ap_req;
+    krb5_keyblock *keyblock = NULL;
+    krb5_principal service = NULL;
+
+    if (*auth_context == NULL) {
+	ret = krb5_auth_con_init(context, auth_context);
+	if (ret)
+	    return ret;
+    }
+
+    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
+    if(ret)
+	return ret;
+
+    if(server == NULL){
+	principalname2krb5_principal(&service,
+				     ap_req.ticket.sname,
+				     ap_req.ticket.realm);
+	server = service;
+    }
+
+    if(ap_req.ap_options.use_session_key == 0 || 
+       (*auth_context)->keyblock == NULL){
+	ret = get_key_from_keytab(context, 
+				  auth_context, 
+				  &ap_req,
+				  server,
+				  keytab,
+				  &keyblock);
+	if(ret)
+	    goto out;
+    }
+	
+
+    ret = krb5_verify_ap_req(context,
+			     auth_context,
+			     &ap_req,
+			     server,
+			     keyblock,
+			     0,
+			     ap_req_options,
+			     ticket);
+
+    if(keyblock != NULL)
+	krb5_free_keyblock(context, keyblock);
+
+out:
+    free_AP_REQ(&ap_req);
+    if(service)
+	krb5_free_principal(context, service);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
new file mode 100644
index 0000000..fb7cc2d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_safe.c,v 1.19 2000/02/06 05:20:51 assar Exp $");
+
+static krb5_error_code
+verify_checksum(krb5_context context,
+		krb5_auth_context auth_context,
+		KRB_SAFE *safe)
+{
+    krb5_error_code ret;
+    u_char *buf;
+    size_t buf_size;
+    size_t len;
+    Checksum c;
+    krb5_crypto crypto;
+
+    c = safe->cksum;
+    safe->cksum.cksumtype       = 0;
+    safe->cksum.checksum.data   = NULL;
+    safe->cksum.checksum.length = 0;
+
+
+    buf_size = length_KRB_SAFE(safe);
+    buf = malloc(buf_size);
+
+    if (buf == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = encode_KRB_SAFE (buf + buf_size - 1,
+			   buf_size,
+			   safe,
+			   &len);
+    krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    ret = krb5_verify_checksum (context,
+				crypto,
+				KRB5_KU_KRB_SAFE_CKSUM,
+				buf + buf_size - len,
+				len,
+				&c);
+    krb5_crypto_destroy(context, crypto);
+out:
+    safe->cksum = c;
+    free (buf);
+    return ret;
+}
+
+krb5_error_code
+krb5_rd_safe(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *inbuf,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_SAFE safe;
+  size_t len;
+
+  ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
+  if (ret) 
+      return ret;
+  if (safe.pvno != 5) {
+      ret = KRB5KRB_AP_ERR_BADVERSION;
+      goto failure;
+  }
+  if (safe.msg_type != krb_safe) {
+      ret = KRB5KRB_AP_ERR_MSG_TYPE;
+      goto failure;
+  }
+  if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype)
+      || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) {
+      ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+      goto failure;
+  }
+
+  /* check sender address */
+
+  if (safe.safe_body.s_address
+      && auth_context->remote_address
+      && !krb5_address_compare (context,
+				auth_context->remote_address,
+				safe.safe_body.s_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure;
+  }
+
+  /* check receiver address */
+
+  if (safe.safe_body.r_address
+      && auth_context->local_address
+      && !krb5_address_compare (context,
+				auth_context->local_address,
+				safe.safe_body.r_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure;
+  }
+
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+      krb5_timestamp sec;
+
+      krb5_timeofday (context, &sec);
+
+      if (safe.safe_body.timestamp == NULL ||
+	  safe.safe_body.usec      == NULL ||
+	  abs(*safe.safe_body.timestamp - sec) > context->max_skew) {
+	  ret = KRB5KRB_AP_ERR_SKEW;
+	  goto failure;
+      }
+  }
+  /* XXX - check replay cache */
+
+  /* check sequence number */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      if (safe.safe_body.seq_number == NULL ||
+	  *safe.safe_body.seq_number != ++auth_context->remote_seqnumber) {
+	  ret = KRB5KRB_AP_ERR_BADORDER;
+	  goto failure;
+      }
+  }
+
+  ret = verify_checksum (context, auth_context, &safe);
+  if (ret)
+      goto failure;
+  
+  outbuf->length = safe.safe_body.user_data.length;
+  outbuf->data   = malloc(outbuf->length);
+  if (outbuf->data == NULL) {
+      ret = ENOMEM;
+      goto failure;
+  }
+  memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
+  free_KRB_SAFE (&safe);
+  return 0;
+failure:
+  free_KRB_SAFE (&safe);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c
new file mode 100644
index 0000000..f2cae03
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/read_message.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: read_message.c,v 1.5 1999/12/02 17:05:12 joda Exp $");
+
+krb5_error_code
+krb5_read_message (krb5_context context,
+		   krb5_pointer p_fd,
+		   krb5_data *data)
+{
+    krb5_error_code ret;
+    u_int32_t len;
+    u_int8_t buf[4];
+
+    ret = krb5_net_read (context, p_fd, buf, 4);
+    if(ret == -1)
+	return errno;
+    if(ret < 4) {
+	data->length = 0;
+	return 0;
+    }
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
+    ret = krb5_data_alloc (data, len);
+    if (ret)
+	return ret;
+    if (krb5_net_read (context, p_fd, data->data, len) != len) {
+	krb5_data_free (data);
+	return errno;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
new file mode 100644
index 0000000..49fe7b6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: recvauth.c,v 1.12 1999/12/02 17:05:12 joda Exp $");
+
+/*
+ * See `sendauth.c' for the format.
+ */
+
+static krb5_boolean
+match_exact(void *data, const char *appl_version)
+{
+    return strcmp(data, appl_version) == 0;
+}
+
+krb5_error_code
+krb5_recvauth(krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_pointer p_fd,
+	      char *appl_version,
+	      krb5_principal server,
+	      int32_t flags,
+	      krb5_keytab keytab,
+	      krb5_ticket **ticket)
+{
+    return krb5_recvauth_match_version(context, auth_context, p_fd,
+				       match_exact, appl_version,
+				       server, flags,
+				       keytab, ticket);
+}
+
+krb5_error_code
+krb5_recvauth_match_version(krb5_context context,
+			    krb5_auth_context *auth_context,
+			    krb5_pointer p_fd,
+			    krb5_boolean (*match_appl_version)(void *, 
+							       const char*),
+			    void *match_data,
+			    krb5_principal server,
+			    int32_t flags,
+			    krb5_keytab keytab,
+			    krb5_ticket **ticket)
+{
+  krb5_error_code ret;
+  const char *version = KRB5_SENDAUTH_VERSION;
+  char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
+  char *her_appl_version;
+  u_int32_t len;
+  u_char repl;
+  krb5_data data;
+  krb5_flags ap_options;
+  ssize_t n;
+
+  /*
+   * If there are no addresses in auth_context, get them from `fd'.
+   */
+
+  if (*auth_context == NULL) {
+      ret = krb5_auth_con_init (context, auth_context);
+      if (ret)
+	  return ret;
+  }
+
+  ret = krb5_auth_con_setaddrs_from_fd (context,
+					*auth_context,
+					p_fd);
+  if (ret)
+      return ret;
+
+  if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
+    n = krb5_net_read (context, p_fd, &len, 4);
+    if (n < 0)
+	return errno;
+    if (n == 0)
+	return KRB5_SENDAUTH_BADAUTHVERS;
+    len = ntohl(len);
+    if (len != sizeof(her_version)
+	|| krb5_net_read (context, p_fd, her_version, len) != len
+	|| strncmp (version, her_version, len)) {
+      repl = 1;
+      krb5_net_write (context, p_fd, &repl, 1);
+      return KRB5_SENDAUTH_BADAUTHVERS;
+    }
+  }
+
+  n = krb5_net_read (context, p_fd, &len, 4);
+  if (n < 0)
+      return errno;
+  if (n == 0)
+      return KRB5_SENDAUTH_BADAPPLVERS;
+  len = ntohl(len);
+  her_appl_version = malloc (len);
+  if (her_appl_version == NULL) {
+      repl = 2;
+      krb5_net_write (context, p_fd, &repl, 1);
+      return ENOMEM;
+  }
+  if (krb5_net_read (context, p_fd, her_appl_version, len) != len
+      || !(*match_appl_version)(match_data, her_appl_version)) {
+    repl = 2;
+    krb5_net_write (context, p_fd, &repl, 1);
+    free (her_appl_version);
+    return KRB5_SENDAUTH_BADAPPLVERS;
+  }
+  free (her_appl_version);
+
+  repl = 0;
+  if (krb5_net_write (context, p_fd, &repl, 1) != 1)
+    return errno;
+
+  krb5_data_zero (&data);
+  ret = krb5_read_message (context, p_fd, &data);
+  if (ret)
+      return ret;
+
+  ret = krb5_rd_req (context,
+		     auth_context,
+		     &data,
+		     server,
+		     keytab,
+		     &ap_options,
+		     ticket);
+  krb5_data_free (&data);
+  if (ret) {
+      krb5_data error_data;
+      krb5_error_code ret2;
+
+      ret2 = krb5_mk_error (context,
+			    ret,
+			    NULL,
+			    NULL,
+			    NULL,
+			    server,
+			    0,
+			    &error_data);
+      if (ret2 == 0) {
+	  krb5_write_message (context, p_fd, &error_data);
+	  krb5_data_free (&error_data);
+      }
+      return ret;
+  }      
+
+  len = 0;
+  if (krb5_net_write (context, p_fd, &len, 4) != 4)
+    return errno;
+
+  if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
+    ret = krb5_mk_rep (context, auth_context, &data);
+    if (ret)
+      return ret;
+
+    ret = krb5_write_message (context, p_fd, &data);
+    if (ret)
+	return ret;
+    krb5_data_free (&data);
+  }
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c
new file mode 100644
index 0000000..3ca68e8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/replay.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+struct krb5_rcache_data {
+    char *name;
+};
+
+krb5_error_code
+krb5_rc_resolve(krb5_context context,
+		krb5_rcache id,
+		const char *name)
+{
+    id->name = strdup(name);
+    if(id->name == NULL)
+	return KRB5_RC_MALLOC;
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_resolve_type(krb5_context context,
+		     krb5_rcache *id,
+		     const char *type)
+{
+    if(strcmp(type, "FILE"))
+	return KRB5_RC_TYPE_NOTFOUND;
+    *id = calloc(1, sizeof(**id));
+    if(*id == NULL)
+	return KRB5_RC_MALLOC;
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_resolve_full(krb5_context context,
+		     krb5_rcache *id,
+		     const char *string_name)
+{
+    krb5_error_code ret;
+    if(strncmp(string_name, "FILE:", 5))
+	return KRB5_RC_TYPE_NOTFOUND;
+    ret = krb5_rc_resolve_type(context, id, "FILE");
+    if(ret)
+	return ret;
+    ret = krb5_rc_resolve(context, *id, string_name + 5);
+    return ret;
+}
+
+const char *
+krb5_rc_default_name(krb5_context context)
+{
+    return "FILE:/var/run/default_rcache";
+}
+
+krb5_error_code
+krb5_rc_default(krb5_context context,
+		krb5_rcache *id)
+{
+    return krb5_rc_resolve_full(context, id, krb5_rc_default_name(context));
+}
+
+struct rc_entry{
+    time_t stamp;
+    unsigned char data[16];
+};
+
+krb5_error_code
+krb5_rc_initialize(krb5_context context,
+		   krb5_rcache id,
+		   krb5_deltat auth_lifespan)
+{
+    FILE *f = fopen(id->name, "w");
+    struct rc_entry tmp;
+    if(f == NULL)
+	return errno;
+    tmp.stamp = auth_lifespan;
+    fwrite(&tmp, 1, sizeof(tmp), f);
+    fclose(f);
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_recover(krb5_context context,
+		krb5_rcache id)
+{
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_destroy(krb5_context context,
+		krb5_rcache id)
+{
+    if(remove(id->name) < 0)
+	return errno;
+    return krb5_rc_close(context, id);
+}
+
+krb5_error_code
+krb5_rc_close(krb5_context context,
+	      krb5_rcache id)
+{
+    free(id->name);
+    free(id);
+    return 0;
+}
+
+static void
+checksum_authenticator(Authenticator *auth, void *data)
+{
+    MD5_CTX md5;
+    int i;
+
+    MD5Init (&md5);
+    MD5Update (&md5, auth->crealm, strlen(auth->crealm));
+    for(i = 0; i < auth->cname.name_string.len; i++)
+	MD5Update(&md5, auth->cname.name_string.val[i], 
+		  strlen(auth->cname.name_string.val[i]));
+    MD5Update (&md5, &auth->ctime, sizeof(auth->ctime));
+    MD5Update (&md5, &auth->cusec, sizeof(auth->cusec));
+    MD5Final (&md5, data);
+}
+
+krb5_error_code
+krb5_rc_store(krb5_context context,
+	      krb5_rcache id,
+	      krb5_donot_reply *rep)
+{
+    struct rc_entry ent, tmp;
+    time_t t;
+    FILE *f;
+    ent.stamp = time(NULL);
+    checksum_authenticator(rep, ent.data);
+    f = fopen(id->name, "r");
+    if(f == NULL)
+	return errno;
+    fread(&tmp, sizeof(ent), 1, f);
+    t = ent.stamp - tmp.stamp;
+    while(fread(&tmp, sizeof(ent), 1, f)){
+	if(tmp.stamp < t)
+	    continue;
+	if(memcmp(tmp.data, ent.data, sizeof(ent.data)) == 0){
+	    fclose(f);
+	    return KRB5_RC_REPLAY;
+	}
+    }
+    if(ferror(f)){
+	fclose(f);
+	return errno;
+    }
+    fclose(f);
+    f = fopen(id->name, "a");
+    if(f == NULL)
+	return KRB5_RC_IO_UNKNOWN;
+    fwrite(&ent, 1, sizeof(ent), f);
+    fclose(f);
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_expunge(krb5_context context,
+		krb5_rcache id)
+{
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_get_lifespan(krb5_context context,
+		     krb5_rcache id,
+		     krb5_deltat *auth_lifespan)
+{
+    FILE *f = fopen(id->name, "r");
+    int r;
+    struct rc_entry ent;
+    r = fread(&ent, sizeof(ent), 1, f);
+    fclose(f);
+    if(r){
+	*auth_lifespan = ent.stamp;
+	return 0;
+    }
+    return KRB5_RC_IO_UNKNOWN;
+}
+const char*
+krb5_rc_get_name(krb5_context context,
+		 krb5_rcache id)
+{
+    return id->name;
+}
+		 
+const char*
+krb5_rc_get_type(krb5_context context,
+		 krb5_rcache id)
+{
+    return "FILE";
+}
+		 
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c
new file mode 100644
index 0000000..2872322
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/send_to_kdc.c
@@ -0,0 +1,395 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: send_to_kdc.c,v 1.36 2000/01/06 07:59:11 assar Exp $");
+
+/*
+ * send the data in `req' on the socket `fd' (which is datagram iff udp)
+ * waiting `tmout' for a reply and returning the reply in `rep'.
+ * iff limit read up to this many bytes
+ * returns 0 and data in `rep' if succesful, otherwise -1
+ */
+
+static int
+recv_loop (int fd,
+	   time_t tmout,
+	   int udp,
+	   size_t limit,
+	   krb5_data *rep)
+{
+     fd_set fdset;
+     struct timeval timeout;
+     int ret;
+     int nbytes;
+
+     krb5_data_zero(rep);
+     do {
+	 FD_ZERO(&fdset);
+	 FD_SET(fd, &fdset);
+	 timeout.tv_sec  = tmout;
+	 timeout.tv_usec = 0;
+	 ret = select (fd + 1, &fdset, NULL, NULL, &timeout);
+	 if (ret < 0) {
+	     if (errno == EINTR)
+		 continue;
+	     return -1;
+	 } else if (ret == 0) {
+	     return 0;
+	 } else {
+	     void *tmp;
+
+	     if (ioctl (fd, FIONREAD, &nbytes) < 0) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     if(nbytes == 0)
+		 return 0;
+
+	     if (limit)
+		 nbytes = min(nbytes, limit - rep->length);
+
+	     tmp = realloc (rep->data, rep->length + nbytes);
+	     if (tmp == NULL) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     rep->data = tmp;
+	     ret = recv (fd, (char*)tmp + rep->length, nbytes, 0);
+	     if (ret < 0) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     rep->length += ret;
+	 }
+     } while(!udp && (limit == 0 || rep->length < limit));
+     return 0;
+}
+
+/*
+ * Send kerberos requests and receive a reply on a udp or any other kind
+ * of a datagram socket.  See `recv_loop'.
+ */
+
+static int
+send_and_recv_udp(int fd, 
+		  time_t tmout,
+		  const krb5_data *req,
+		  krb5_data *rep)
+{
+    if (send (fd, req->data, req->length, 0) < 0)
+	return -1;
+
+    return recv_loop(fd, tmout, 1, 0, rep);
+}
+
+/*
+ * `send_and_recv' for a TCP (or any other stream) socket.
+ * Since there are no record limits on a stream socket the protocol here
+ * is to prepend the request with 4 bytes of its length and the reply
+ * is similarly encoded.
+ */
+
+static int
+send_and_recv_tcp(int fd, 
+		  time_t tmout,
+		  const krb5_data *req,
+		  krb5_data *rep)
+{
+    unsigned char len[4];
+    unsigned long rep_len;
+    krb5_data len_data;
+
+    _krb5_put_int(len, req->length, 4);
+    if(net_write(fd, len, sizeof(len)) < 0)
+	return -1;
+    if(net_write(fd, req->data, req->length) < 0)
+	return -1;
+    if (recv_loop (fd, tmout, 0, 4, &len_data) < 0)
+	return -1;
+    if (len_data.length != 4) {
+	krb5_data_free (&len_data);
+	return -1;
+    }
+    _krb5_get_int(len_data.data, &rep_len, 4);
+    krb5_data_free (&len_data);
+    if (recv_loop (fd, tmout, 0, rep_len, rep) < 0)
+	return -1;
+    if(rep->length != rep_len) {
+	krb5_data_free (rep);
+	return -1;
+    }
+    return 0;
+}
+
+/*
+ * `send_and_recv' tailored for the HTTP protocol.
+ */
+
+static int
+send_and_recv_http(int fd, 
+		   time_t tmout,
+		   const char *prefix,
+		   const krb5_data *req,
+		   krb5_data *rep)
+{
+    char *request;
+    char *str;
+    int ret;
+    int len = base64_encode(req->data, req->length, &str);
+
+    if(len < 0)
+	return -1;
+    asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
+    free(str);
+    if (request == NULL)
+	return -1;
+    ret = net_write (fd, request, strlen(request));
+    free (request);
+    if (ret < 0)
+	return ret;
+    ret = recv_loop(fd, tmout, 0, 0, rep);
+    if(ret)
+	return ret;
+    {
+	unsigned long rep_len;
+	char *s, *p;
+
+	s = realloc(rep->data, rep->length + 1);
+	if (s == NULL) {
+	    krb5_data_free (rep);
+	    return -1;
+	}
+	s[rep->length] = 0;
+	p = strstr(s, "\r\n\r\n");
+	if(p == NULL) {
+	    free(s);
+	    return -1;
+	}
+	p += 4;
+	rep->data = s;
+	rep->length -= p - s;
+	if(rep->length < 4) { /* remove length */
+	    free(s);
+	    return -1;
+	}
+	rep->length -= 4;
+	_krb5_get_int(p, &rep_len, 4);
+	if (rep_len != rep->length) {
+	    free(s);
+	    return -1;
+	}
+	memmove(rep->data, p + 4, rep->length);
+    }
+    return 0;
+}
+
+static int
+init_port(const char *s, int fallback)
+{
+    if (s) {
+	int tmp;
+
+	sscanf (s, "%d", &tmp);
+	return htons(tmp);
+    } else
+	return fallback;
+}
+
+/*
+ * Return 0 if succesful, otherwise 1
+ */
+
+static int
+send_via_proxy (krb5_context context,
+		const char *hostname,
+		const krb5_data *send,
+		krb5_data *receive)
+{
+    char *proxy = strdup(context->http_proxy);
+    char *prefix;
+    char *colon;
+    struct addrinfo hints;
+    struct addrinfo *ai, *a;
+    int ret;
+    int s;
+    char portstr[NI_MAXSERV];
+		 
+    colon = strchr(proxy, ':');
+    if(colon != NULL)
+	*colon++ = '\0';
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_family   = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    snprintf (portstr, sizeof(portstr), "%d",
+	      ntohs(init_port (colon, htons(80))));
+    ret = getaddrinfo (proxy, portstr, NULL, &ai);
+    free (proxy);
+    if (ret)
+	return ret;
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	return 1;
+    }
+    freeaddrinfo (ai);
+
+    asprintf(&prefix, "http://%s/", hostname);
+    if(prefix == NULL) {
+	close(s);
+	return 1;
+    }
+    ret = send_and_recv_http(s, context->kdc_timeout,
+			     prefix, send, receive);
+    close (s);
+    free(prefix);
+    if(ret == 0 && receive->length != 0)
+	return 0;
+    return 1;
+}
+
+/*
+ * Send the data `send' to one KDC in `realm' and get back the reply
+ * in `receive'.
+ */
+
+krb5_error_code
+krb5_sendto_kdc (krb5_context context,
+		 const krb5_data *send,
+		 const krb5_realm *realm,
+		 krb5_data *receive)
+{
+     krb5_error_code ret;
+     char **hostlist, **hp, *p;
+     int fd;
+     int port;
+     int i;
+
+     port = krb5_getportbyname (context, "kerberos", "udp", 88);
+
+     if (context->use_admin_kdc)
+	 ret = krb5_get_krb_admin_hst (context, realm, &hostlist);
+     else
+	 ret = krb5_get_krbhst (context, realm, &hostlist);
+     if (ret)
+	  return ret;
+
+     for (i = 0; i < context->max_retries; ++i)
+	 for (hp = hostlist; (p = *hp); ++hp) {
+	     char *colon;
+	     int http_flag = 0;
+	     int tcp_flag = 0;
+	     struct addrinfo *ai, *a;
+	     struct addrinfo hints;
+	     char portstr[NI_MAXSERV];
+
+	     if(strncmp(p, "http://", 7) == 0){
+		 p += 7;
+		 http_flag = 1;
+		 port = htons(80);
+	     } else if(strncmp(p, "http/", 5) == 0) {
+		 p += 5;
+		 http_flag = 1;
+		 port = htons(80);
+	     }else if(strncmp(p, "tcp/", 4) == 0){
+		 p += 4;
+		 tcp_flag = 1;
+	     } else if(strncmp(p, "udp/", 4) == 0) {
+		 p += 4;
+	     }
+	     if(http_flag && context->http_proxy) {
+		 if (send_via_proxy (context, p, send, receive))
+		     continue;
+		 else
+		     goto out;
+	     }
+	     colon = strchr (p, ':');
+	     if (colon)
+		 *colon++ = '\0';
+
+	     memset (&hints, 0, sizeof(hints));
+	     hints.ai_family = PF_UNSPEC;
+	     if (tcp_flag || http_flag)
+		 hints.ai_socktype = SOCK_STREAM;
+	     else
+		 hints.ai_socktype = SOCK_DGRAM;
+	     snprintf (portstr, sizeof(portstr), "%d",
+		       ntohs(init_port (colon, port)));
+	     ret = getaddrinfo (p, portstr, &hints, &ai);
+	     if (ret)
+		 continue;
+	     for (a = ai; a != NULL; a = a->ai_next) {
+		 fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+		 if (fd < 0)
+		     continue;
+		 if (connect (fd, a->ai_addr, a->ai_addrlen) < 0) {
+		     close (fd);
+		     continue;
+		 }
+		 break;
+	     }
+	     if (a == NULL) {
+		 freeaddrinfo (ai);
+		 continue;
+	     }
+	     freeaddrinfo (ai);
+
+	     if(http_flag)
+		 ret = send_and_recv_http(fd, context->kdc_timeout,
+					  "", send, receive);
+	     else if(tcp_flag)
+		 ret = send_and_recv_tcp (fd, context->kdc_timeout,
+					  send, receive);
+	     else
+		 ret = send_and_recv_udp (fd, context->kdc_timeout,
+					  send, receive);
+	     close (fd);
+	     if(ret == 0 && receive->length != 0)
+		 goto out;
+	 }
+     ret = KRB5_KDC_UNREACH;
+out:
+     krb5_free_krbhst (context, hostlist);
+     return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/sendauth.c b/crypto/heimdal/lib/krb5/sendauth.c
new file mode 100644
index 0000000..b9e8dd0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/sendauth.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: sendauth.c,v 1.17 1999/12/02 17:05:12 joda Exp $");
+
+/*
+ * The format seems to be:
+ * client -> server
+ *
+ * 4 bytes - length
+ * KRB5_SENDAUTH_V1.0 (including zero)
+ * 4 bytes - length
+ * protocol string (with terminating zero)
+ *
+ * server -> client
+ * 1 byte - (0 = OK, else some kind of error)
+ *
+ * client -> server
+ * 4 bytes - length
+ * AP-REQ
+ *
+ * server -> client
+ * 4 bytes - length (0 = OK, else length of error)
+ * (error)
+ *
+ * if(mutual) {
+ * server -> client
+ * 4 bytes - length
+ * AP-REP
+ * }
+ */
+
+krb5_error_code
+krb5_sendauth(krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_pointer p_fd,
+	      const char *appl_version,
+	      krb5_principal client,
+	      krb5_principal server,
+	      krb5_flags ap_req_options,
+	      krb5_data *in_data,
+	      krb5_creds *in_creds,
+	      krb5_ccache ccache,
+	      krb5_error **ret_error,
+	      krb5_ap_rep_enc_part **rep_result,
+	      krb5_creds **out_creds)
+{
+    krb5_error_code ret;
+    u_int32_t len, net_len;
+    const char *version = KRB5_SENDAUTH_VERSION;
+    u_char repl;
+    krb5_data ap_req, error_data;
+    krb5_creds this_cred;
+    krb5_principal this_client = NULL;
+    krb5_creds *creds;
+    ssize_t sret;
+
+    len = strlen(version) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
+	|| krb5_net_write (context, p_fd, version, len) != len)
+	return errno;
+
+    len = strlen(appl_version) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
+	|| krb5_net_write (context, p_fd, appl_version, len) != len)
+	return errno;
+
+    sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
+    if (sret < 0)
+	return errno;
+    else if (sret != sizeof(repl))
+	return KRB5_SENDAUTH_BADRESPONSE;
+
+    if (repl != 0)
+	return KRB5_SENDAUTH_REJECTED;
+
+    if (in_creds == NULL) {
+	if (ccache == NULL) {
+	    ret = krb5_cc_default (context, &ccache);
+	    if (ret)
+		return ret;
+	}
+
+	if (client == NULL) {
+	    ret = krb5_cc_get_principal (context, ccache, &this_client);
+	    if (ret)
+		return ret;
+	    client = this_client;
+	}
+	memset(&this_cred, 0, sizeof(this_cred));
+	this_cred.client = client;
+	this_cred.server = server;
+	this_cred.times.endtime = 0;
+	this_cred.ticket.length = 0;
+	in_creds = &this_cred;
+    }
+    if (in_creds->ticket.length == 0) {
+	ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
+	if (ret)
+	    return ret;
+    } else {
+	creds = in_creds;
+    }
+    ret = krb5_mk_req_extended (context,
+				auth_context,
+				ap_req_options,
+				in_data,
+				creds,
+				&ap_req);
+
+    if (out_creds)
+	*out_creds = creds;
+    else
+	krb5_free_creds(context, creds);
+    if(this_client)
+	krb5_free_principal(context, this_client);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_write_message (context,
+			      p_fd,
+			      &ap_req);
+    if (ret)
+	return ret;
+
+    krb5_data_free (&ap_req);
+
+    ret = krb5_read_message (context, p_fd, &error_data);
+    if (ret)
+	return ret;
+
+    if (error_data.length != 0) {
+	KRB_ERROR error;
+
+	ret = krb5_rd_error (context, &error_data, &error);
+	krb5_data_free (&error_data);
+	if (ret == 0) {
+	    if (ret_error != NULL) {
+		*ret_error = malloc (sizeof(krb5_error));
+		if (*ret_error == NULL) {
+		    free_KRB_ERROR(&error);
+		} else {
+		    **ret_error = error;
+		}
+	    } else {
+		free_KRB_ERROR(&error);
+	    }
+	    return error.error_code;
+	} else
+	    return ret;
+    }
+
+    if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
+	krb5_data ap_rep;
+	krb5_ap_rep_enc_part *ignore;
+
+	krb5_data_zero (&ap_rep);
+	ret = krb5_read_message (context,
+				 p_fd,
+				 &ap_rep);
+	if (ret)
+	    return ret;
+
+	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
+			   rep_result ? rep_result : &ignore);
+	if (ret)
+	    return ret;
+	if (rep_result == NULL)
+	    krb5_free_ap_rep_enc_part (context, ignore);
+	krb5_data_free (&ap_rep);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/set_default_realm.c b/crypto/heimdal/lib/krb5/set_default_realm.c
new file mode 100644
index 0000000..b917a92
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/set_default_realm.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: set_default_realm.c,v 1.11 1999/12/02 17:05:12 joda Exp $");
+
+/*
+ * Convert the simple string `s' into a NULL-terminated and freshly allocated 
+ * list in `list'.  Return an error code.
+ */
+
+static krb5_error_code
+string_to_list (const char *s, krb5_realm **list)
+{
+
+    *list = malloc (2 * sizeof(**list));
+    if (*list == NULL)
+	return ENOMEM;
+    (*list)[0] = strdup (s);
+    if ((*list)[0] == NULL) {
+	free (*list);
+	return ENOMEM;
+    }
+    (*list)[1] = NULL;
+    return 0;
+}
+
+/*
+ * Set the knowledge of the default realm(s) in `context'.
+ * If realm != NULL, that's the new default realm.
+ * Otherwise, the realm(s) are figured out from configuration or DNS.  
+ */
+
+krb5_error_code
+krb5_set_default_realm(krb5_context context,
+		       char *realm)
+{
+    krb5_error_code ret = 0;
+    krb5_realm *realms = NULL;
+
+    if (realm == NULL) {
+	realms = krb5_config_get_strings (context, NULL,
+					  "libdefaults",
+					  "default_realm",
+					  NULL);
+	if (realms == NULL)
+	    ret = krb5_get_host_realm(context, NULL, &realms);
+    } else {
+	ret = string_to_list (realm, &realms);
+    }
+    if (ret)
+	return ret;
+    krb5_free_host_realm (context, context->default_realms);
+    context->default_realms = realms;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c
new file mode 100644
index 0000000..bfd4eb4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/sock_principal.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: sock_principal.c,v 1.9 1999/12/02 17:05:12 joda Exp $");
+			
+krb5_error_code
+krb5_sock_to_principal (krb5_context context,
+			int sock,
+			const char *sname,
+			int32_t type,
+			krb5_principal *ret_princ)
+{
+    krb5_error_code ret;
+    krb5_address address;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int len = sizeof(__ss);
+    struct hostent *hostent;
+    int family;
+    char hname[256];
+
+    if (getsockname (sock, sa, &len) < 0)
+	return errno;
+    family = sa->sa_family;
+    
+    ret = krb5_sockaddr2address (sa, &address);
+    if (ret)
+	return ret;
+
+    hostent = roken_gethostbyaddr (address.address.data,
+				   address.address.length,
+				   family);
+
+    if (hostent == NULL)
+	return h_errno;
+    strlcpy(hname, hostent->h_name, sizeof(hname));
+    return krb5_sname_to_principal (context,
+				    hname,
+				    sname,
+				    type,
+				    ret_princ);
+}
diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c
new file mode 100644
index 0000000..17b1547
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store.c
@@ -0,0 +1,609 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store.c,v 1.32 1999/12/02 17:05:12 joda Exp $");
+
+void
+krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
+{
+    sp->flags |= flags;
+}
+
+void
+krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
+{
+    sp->flags &= ~flags;
+}
+
+krb5_boolean
+krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags)
+{
+    return (sp->flags & flags) == flags;
+}
+
+ssize_t
+_krb5_put_int(void *buffer, unsigned long value, size_t size)
+{
+    unsigned char *p = buffer;
+    int i;
+    for (i = size - 1; i >= 0; i--) {
+	p[i] = value & 0xff;
+	value >>= 8;
+    }
+    return size;
+}
+
+ssize_t
+_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+{
+    unsigned char *p = buffer;
+    unsigned long v = 0;
+    int i;
+    for (i = 0; i < size; i++)
+	v = (v << 8) + p[i];
+    *value = v;
+    return size;
+}
+
+krb5_error_code
+krb5_storage_free(krb5_storage *sp)
+{
+    if(sp->free)
+	(*sp->free)(sp);
+    free(sp->data);
+    free(sp);
+    return 0;
+}
+
+krb5_error_code
+krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
+{
+    off_t pos;
+    size_t size;
+    krb5_error_code ret;
+
+    pos = sp->seek(sp, 0, SEEK_CUR);
+    size = (size_t)sp->seek(sp, 0, SEEK_END);
+    ret = krb5_data_alloc (data, size);
+    if (ret) {
+	sp->seek(sp, pos, SEEK_SET);
+	return ret;
+    }
+    if (size) {
+	sp->seek(sp, 0, SEEK_SET);
+	sp->fetch(sp, data->data, data->length);
+	sp->seek(sp, pos, SEEK_SET);
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_store_int(krb5_storage *sp,
+	       int32_t value,
+	       size_t len)
+{
+    int ret;
+    unsigned char v[4];
+
+    _krb5_put_int(v, value, len);
+    ret = sp->store(sp, v, len);
+    if (ret != len)
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int32(krb5_storage *sp,
+		 int32_t value)
+{
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_HOST_BYTEORDER))
+	value = htonl(value);
+    return krb5_store_int(sp, value, 4);
+}
+
+static krb5_error_code
+krb5_ret_int(krb5_storage *sp,
+	     int32_t *value,
+	     size_t len)
+{
+    int ret;
+    unsigned char v[4];
+    unsigned long w;
+    ret = sp->fetch(sp, v, len);
+    if(ret != len)
+	return (ret<0)?errno:KRB5_CC_END;
+    _krb5_get_int(v, &w, len);
+    *value = w;
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_int32(krb5_storage *sp,
+	       int32_t *value)
+{
+    krb5_error_code ret = krb5_ret_int(sp, value, 4);
+    if(ret)
+	return ret;
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_HOST_BYTEORDER))
+	*value = ntohl(*value);
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int16(krb5_storage *sp,
+		 int16_t value)
+{
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_HOST_BYTEORDER))
+	value = htons(value);
+    return krb5_store_int(sp, value, 2);
+}
+
+krb5_error_code
+krb5_ret_int16(krb5_storage *sp,
+	       int16_t *value)
+{
+    int32_t v;
+    int ret;
+    ret = krb5_ret_int(sp, &v, 2);
+    if(ret)
+	return ret;
+    *value = v;
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_HOST_BYTEORDER))
+	*value = ntohs(*value);
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int8(krb5_storage *sp,
+		int8_t value)
+{
+    int ret;
+
+    ret = sp->store(sp, &value, sizeof(value));
+    if (ret != sizeof(value))
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_int8(krb5_storage *sp,
+	      int8_t *value)
+{
+    int ret;
+
+    ret = sp->fetch(sp, value, sizeof(*value));
+    if (ret != sizeof(*value))
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_data(krb5_storage *sp,
+		krb5_data data)
+{
+    int ret;
+    ret = krb5_store_int32(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_data(krb5_storage *sp,
+	      krb5_data *data)
+{
+    int ret;
+    int32_t size;
+
+    ret = krb5_ret_int32(sp, &size);
+    if(ret)
+	return ret;
+    ret = krb5_data_alloc (data, size);
+    if (ret)
+	return ret;
+    if (size) {
+	ret = sp->fetch(sp, data->data, size);
+	if(ret != size)
+	    return (ret < 0)? errno : KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_store_string(krb5_storage *sp, const char *s)
+{
+    krb5_data data;
+    data.length = strlen(s);
+    data.data = (void*)s;
+    return krb5_store_data(sp, data);
+}
+
+krb5_error_code
+krb5_ret_string(krb5_storage *sp,
+		char **string)
+{
+    int ret;
+    krb5_data data;
+    ret = krb5_ret_data(sp, &data);
+    if(ret)
+	return ret;
+    *string = realloc(data.data, data.length + 1);
+    if(*string == NULL){
+	free(data.data);
+	return ENOMEM;
+    }
+    (*string)[data.length] = 0;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_stringz(krb5_storage *sp,
+		  char *s)
+{
+    size_t len = strlen(s) + 1;
+    ssize_t ret;
+
+    ret = sp->store(sp, s, len);
+    if(ret != len) {
+	if(ret < 0)
+	    return ret;
+	else
+	    return KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_stringz(krb5_storage *sp,
+		char **string)
+{
+    char c;
+    char *s = NULL;
+    size_t len = 0;
+    ssize_t ret;
+
+    while((ret = sp->fetch(sp, &c, 1)) == 1){
+	char *tmp;
+
+	len++;
+	tmp = realloc (s, len);
+	if (tmp == NULL) {
+	    free (s);
+	    return ENOMEM;
+	}
+	s = tmp;
+	s[len - 1] = c;
+	if(c == 0)
+	    break;
+    }
+    if(ret != 1){
+	free(s);
+	if(ret == 0)
+	    return KRB5_CC_END;
+	return ret;
+    }
+    *string = s;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_store_principal(krb5_storage *sp,
+		     krb5_principal p)
+{
+    int i;
+    int ret;
+
+    if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
+    ret = krb5_store_int32(sp, p->name.name_type);
+    if(ret) return ret;
+    }
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ret = krb5_store_int32(sp, p->name.name_string.len + 1);
+    else
+    ret = krb5_store_int32(sp, p->name.name_string.len);
+    
+    if(ret) return ret;
+    ret = krb5_store_string(sp, p->realm);
+    if(ret) return ret;
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_store_string(sp, p->name.name_string.val[i]);
+	if(ret) return ret;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_principal(krb5_storage *sp,
+		   krb5_principal *princ)
+{
+    int i;
+    int ret;
+    krb5_principal p;
+    int32_t type;
+    int32_t ncomp;
+    
+    p = calloc(1, sizeof(*p));
+    if(p == NULL)
+	return ENOMEM;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
+	type = KRB5_NT_UNKNOWN;
+    else 	if((ret = krb5_ret_int32(sp, &type))){
+	free(p);
+	return ret;
+    }
+    if((ret = krb5_ret_int32(sp, &ncomp))){
+	free(p);
+	return ret;
+    }
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ncomp--;
+    p->name.name_type = type;
+    p->name.name_string.len = ncomp;
+    ret = krb5_ret_string(sp, &p->realm);
+    if(ret) return ret;
+    p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+    if(p->name.name_string.val == NULL){
+	free(p->realm);
+	return ENOMEM;
+    }
+    for(i = 0; i < ncomp; i++){
+	ret = krb5_ret_string(sp, &p->name.name_string.val[i]);
+	if(ret) return ret; /* XXX */
+    }
+    *princ = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
+{
+    int ret;
+    ret = krb5_store_int16(sp, p.keytype);
+    if(ret) return ret;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){
+	/* this should really be enctype, but it is the same as
+           keytype nowadays */
+    ret = krb5_store_int16(sp, p.keytype);
+    if(ret) return ret;
+    }
+
+    ret = krb5_store_data(sp, p.keyvalue);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
+{
+    int ret;
+    int16_t tmp;
+
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret) return ret;
+    p->keytype = tmp;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret) return ret;
+    }
+
+    ret = krb5_ret_data(sp, &p->keyvalue);
+    return ret;
+}
+
+krb5_error_code
+krb5_store_times(krb5_storage *sp, krb5_times times)
+{
+    int ret;
+    ret = krb5_store_int32(sp, times.authtime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.starttime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.endtime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.renew_till);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_times(krb5_storage *sp, krb5_times *times)
+{
+    int ret;
+    int32_t tmp;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->authtime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->starttime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->endtime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->renew_till = tmp;
+    return ret;
+}
+
+krb5_error_code
+krb5_store_address(krb5_storage *sp, krb5_address p)
+{
+    int ret;
+    ret = krb5_store_int16(sp, p.addr_type);
+    if(ret) return ret;
+    ret = krb5_store_data(sp, p.address);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_address(krb5_storage *sp, krb5_address *adr)
+{
+    int16_t t;
+    int ret;
+    ret = krb5_ret_int16(sp, &t);
+    if(ret) return ret;
+    adr->addr_type = t;
+    ret = krb5_ret_data(sp, &adr->address);
+    return ret;
+}
+
+krb5_error_code
+krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
+{
+    int i;
+    int ret;
+    ret = krb5_store_int32(sp, p.len);
+    if(ret) return ret;
+    for(i = 0; i<p.len; i++){
+	ret = krb5_store_address(sp, p.val[i]);
+	if(ret) break;
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
+{
+    int i;
+    int ret;
+    int32_t tmp;
+
+    ret = krb5_ret_int32(sp, &tmp);
+    if(ret) return ret;
+    adr->len = tmp;
+    ALLOC(adr->val, adr->len);
+    for(i = 0; i < adr->len; i++){
+	ret = krb5_ret_address(sp, &adr->val[i]);
+	if(ret) break;
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
+{
+    krb5_error_code ret;
+    int i;
+    ret = krb5_store_int32(sp, auth.len);
+    if(ret) return ret;
+    for(i = 0; i < auth.len; i++){
+	ret = krb5_store_int16(sp, auth.val[i].ad_type);
+	if(ret) break;
+	ret = krb5_store_data(sp, auth.val[i].ad_data);
+	if(ret) break;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
+{
+    krb5_error_code ret;
+    int32_t tmp;
+    int16_t tmp2;
+    int i;
+    ret = krb5_ret_int32(sp, &tmp);
+    if(ret) return ret;
+    ALLOC_SEQ(auth, tmp);
+    for(i = 0; i < tmp; i++){
+	ret = krb5_ret_int16(sp, &tmp2);
+	if(ret) break;
+	auth->val[i].ad_type = tmp2;
+	ret = krb5_ret_data(sp, &auth->val[i].ad_data);
+	if(ret) break;
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
+{
+    krb5_store_principal(sp, creds->client);
+    krb5_store_principal(sp, creds->server);
+    krb5_store_keyblock(sp, creds->session);
+    krb5_store_times(sp, creds->times);
+    krb5_store_int8(sp, 0);  /* this is probably the
+				enc-tkt-in-skey bit from KDCOptions */
+    krb5_store_int32(sp, creds->flags.i);
+    krb5_store_addrs(sp, creds->addresses);
+    krb5_store_authdata(sp, creds->authdata);
+    krb5_store_data(sp, creds->ticket);
+    krb5_store_data(sp, creds->second_ticket);
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
+{
+    krb5_error_code ret;
+    int8_t dummy8;
+    int32_t dummy32;
+
+    memset(creds, 0, sizeof(*creds));
+    ret = krb5_ret_principal (sp,  &creds->client);
+    if(ret) goto cleanup;
+    ret = krb5_ret_principal (sp,  &creds->server);
+    if(ret) goto cleanup;
+    ret = krb5_ret_keyblock (sp,  &creds->session);
+    if(ret) goto cleanup;
+    ret = krb5_ret_times (sp,  &creds->times);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int8 (sp,  &dummy8);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int32 (sp,  &dummy32);
+    if(ret) goto cleanup;
+    creds->flags.i = dummy32;
+    ret = krb5_ret_addrs (sp,  &creds->addresses);
+    if(ret) goto cleanup;
+    ret = krb5_ret_authdata (sp,  &creds->authdata);
+    if(ret) goto cleanup;
+    ret = krb5_ret_data (sp,  &creds->ticket);
+    if(ret) goto cleanup;
+    ret = krb5_ret_data (sp,  &creds->second_ticket);
+cleanup:
+    if(ret)
+#if 0	
+	krb5_free_creds_contents(context, creds) /* XXX */
+#endif
+	    ;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c
new file mode 100644
index 0000000..d2497ef
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_emem.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_emem.c,v 1.9 1999/12/02 17:05:12 joda Exp $");
+
+typedef struct emem_storage{
+    unsigned char *base;
+    size_t size;
+    size_t len;
+    unsigned char *ptr;
+}emem_storage;
+
+static ssize_t
+emem_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    if(s->base + s->len - s->ptr < size)
+	size = s->base + s->len - s->ptr;
+    memmove(data, s->ptr, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static ssize_t
+emem_store(krb5_storage *sp, void *data, size_t size)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr){
+	void *base;
+	size_t sz, off;
+	sz = 2 * (size + (s->ptr - s->base)); /* XXX */
+	off = s->ptr - s->base;
+	base = realloc(s->base, sz);
+	if(base == NULL)
+	    return 0;
+	s->size = sz;
+	s->base = base;
+	s->ptr = (unsigned char*)base + off;
+    }
+    memmove(s->ptr, data, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static off_t
+emem_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    switch(whence){
+    case SEEK_SET:
+	if(offset > s->size)
+	    offset = s->size;
+	if(offset < 0)
+	    offset = 0;
+	s->ptr = s->base + offset;
+	if(offset > s->len)
+	    s->len = offset;
+	break;
+    case SEEK_CUR:
+	sp->seek(sp,s->ptr - s->base + offset, SEEK_SET);
+	break;
+    case SEEK_END:
+	sp->seek(sp, s->len + offset, SEEK_SET);
+	break;
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+    return s->ptr - s->base;
+}
+
+static void
+emem_free(krb5_storage *sp)
+{
+    free(((emem_storage*)sp->data)->base);
+}
+
+krb5_storage *
+krb5_storage_emem(void)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    emem_storage *s = malloc(sizeof(*s));
+    sp->data = s;
+    sp->flags = 0;
+    s->size = 1024;
+    s->base = malloc(s->size);
+    s->len = 0;
+    s->ptr = s->base;
+    sp->fetch = emem_fetch;
+    sp->store = emem_store;
+    sp->seek = emem_seek;
+    sp->free = emem_free;
+    return sp;
+}
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
new file mode 100644
index 0000000..e4c507c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_fd.c,v 1.6 1999/12/02 17:05:13 joda Exp $");
+
+typedef struct fd_storage{
+    int fd;
+}fd_storage;
+
+#define FD(S) (((fd_storage*)(S)->data)->fd)
+
+static ssize_t
+fd_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    return read(FD(sp), data, size);
+}
+
+static ssize_t
+fd_store(krb5_storage *sp, void *data, size_t size)
+{
+    return write(FD(sp), data, size);
+}
+
+static off_t
+fd_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    return lseek(FD(sp), offset, whence);
+}
+
+krb5_storage *
+krb5_storage_from_fd(int fd)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    sp->data = malloc(sizeof(fd_storage));
+    sp->flags = 0;
+    FD(sp) = fd;
+    sp->fetch = fd_fetch;
+    sp->store = fd_store;
+    sp->seek = fd_seek;
+    sp->free = NULL;
+    return sp;
+}
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
new file mode 100644
index 0000000..a8019e6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_mem.c,v 1.9 1999/12/02 17:05:13 joda Exp $");
+
+typedef struct mem_storage{
+    unsigned char *base;
+    size_t size;
+    unsigned char *ptr;
+}mem_storage;
+
+static ssize_t
+mem_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr)
+	size = s->base + s->size - s->ptr;
+    memmove(data, s->ptr, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static ssize_t
+mem_store(krb5_storage *sp, void *data, size_t size)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr)
+	size = s->base + s->size - s->ptr;
+    memmove(s->ptr, data, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static off_t
+mem_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    switch(whence){
+    case SEEK_SET:
+	if(offset > s->size)
+	    offset = s->size;
+	if(offset < 0)
+	    offset = 0;
+	s->ptr = s->base + offset;
+	break;
+    case SEEK_CUR:
+	return sp->seek(sp, s->ptr - s->base + offset, SEEK_SET);
+    case SEEK_END:
+	return sp->seek(sp, s->size + offset, SEEK_SET);
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+    return s->ptr - s->base;
+}
+
+krb5_storage *
+krb5_storage_from_mem(void *buf, size_t len)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    mem_storage *s;
+    if(sp == NULL)
+	return NULL;
+    s = malloc(sizeof(*s));
+    if(s == NULL) {
+	free(sp);
+	return NULL;
+    }
+    sp->data = s;
+    sp->flags = 0;
+    s->base = buf;
+    s->size = len;
+    s->ptr = buf;
+    sp->fetch = mem_fetch;
+    sp->store = mem_store;
+    sp->seek = mem_seek;
+    sp->free = NULL;
+    return sp;
+}
+
+krb5_storage *
+krb5_storage_from_data(krb5_data *data)
+{
+	return krb5_storage_from_mem(data->data, data->length);
+}
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
new file mode 100644
index 0000000..0e884d0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: string-to-key-test.c,v 1.2 1999/10/28 23:10:38 assar Exp $");
+
+enum { MAXSIZE = 24 };
+
+static struct testcase {
+    const char *principal_name;
+    const char *password;
+    krb5_enctype enctype;
+    unsigned char res[MAXSIZE];
+} tests[] = {
+    {"@", "", ETYPE_DES_CBC_MD5,
+     {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}},
+    {"nisse@FOO.SE", "hej", ETYPE_DES_CBC_MD5,
+     {0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}},
+    {"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5,
+     {0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}},
+    {"@", "", ETYPE_DES3_CBC_SHA1,
+     {0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64,
+      0x73, 0x62, 0x64, 0x73, 0x4f, 0x6e, 0x73, 0xce, 0xa2, 0x2f, 0x9b,
+      0x52, 0x57}},
+    {"nisse@FOO.SE", "hej", ETYPE_DES3_CBC_SHA1,
+     {0x0e, 0xbc, 0x23, 0x9d, 0x68, 0x46, 0xf2, 0xd5, 0x51, 0x98, 0x5b,
+      0x57, 0xc1, 0x57, 0x01, 0x79, 0x04, 0xc4, 0xe9, 0xfe, 0xc1, 0x0e,
+      0x13, 0xd0}},
+    {"assar/liten@FOO.SE", "hemligt", ETYPE_DES3_CBC_SHA1,
+     {0x7f, 0x40, 0x67, 0xb9, 0xbc, 0xc4, 0x40, 0xfb, 0x43, 0x73, 0xd9,
+      0xd3, 0xcd, 0x7c, 0xc7, 0x67, 0xe6, 0x79, 0x94, 0xd0, 0xa8, 0x34,
+      0xdf, 0x62}},
+    {NULL}
+};
+
+int
+main(int argc, char **argv)
+{
+    struct testcase *t;
+    krb5_context context;
+    krb5_error_code ret;
+    int val = 0;
+
+    krb5_init_context (&context);
+
+    for (t = tests; t->principal_name; ++t) {
+	krb5_keyblock key;
+	krb5_principal principal;
+	int i;
+
+	ret = krb5_parse_name (context, t->principal_name, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s",
+		      t->principal_name);
+	ret = krb5_string_to_key (context, t->enctype, t->password,
+				  principal, &key);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_string_to_key");
+	krb5_free_principal (context, principal);
+	if (memcmp (key.keyvalue.data, t->res, key.keyvalue.length) != 0) {
+	    const unsigned char *p = key.keyvalue.data;
+
+	    printf ("string_to_key(%s, %s) failed\n",
+		    t->principal_name, t->password);
+	    printf ("should be: ");
+	    for (i = 0; i < key.keyvalue.length; ++i)
+		printf ("%02x", t->res[i]);
+	    printf ("\nresult was: ");
+	    for (i = 0; i < key.keyvalue.length; ++i)
+		printf ("%02x", p[i]);
+	    printf ("\n");
+	    val = 1;
+	}
+    }
+    return val;
+}
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
new file mode 100644
index 0000000..ecb5821
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: ticket.c,v 1.4 1999/12/02 17:05:13 joda Exp $");
+
+krb5_error_code
+krb5_free_ticket(krb5_context context,
+		 krb5_ticket *ticket)
+{
+    free_EncTicketPart(&ticket->ticket);
+    krb5_free_principal(context, ticket->client);
+    krb5_free_principal(context, ticket->server);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_ticket(krb5_context context,
+		 const krb5_ticket *from,
+		 krb5_ticket **to)
+{
+    krb5_error_code ret;
+    krb5_ticket *tmp = malloc(sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
+	free(tmp);
+	return ret;
+    }
+    ret = krb5_copy_principal(context, from->client, &tmp->client);
+    if(ret){
+	free_EncTicketPart(&tmp->ticket);
+	return ret;
+    }
+    ret = krb5_copy_principal(context, from->server, &(*to)->server);
+    if(ret){
+	krb5_free_principal(context, tmp->client);
+	free_EncTicketPart(&tmp->ticket);
+	return ret;
+    }
+    *to = tmp;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
new file mode 100644
index 0000000..e5a1185
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: time.c,v 1.3 2000/02/06 05:21:53 assar Exp $");
+
+/*
+ * return ``corrected'' time in `timeret'.
+ */
+
+krb5_error_code
+krb5_timeofday (krb5_context context,
+		krb5_timestamp *timeret)
+{
+    *timeret = time(NULL) + context->kdc_sec_offset;
+    return 0;
+}
+
+/*
+ * like gettimeofday but with time correction to the KDC
+ */
+
+krb5_error_code
+krb5_us_timeofday (krb5_context context,
+		   int32_t *sec,
+		   int32_t *usec)
+{
+    struct timeval tv;
+
+    gettimeofday (&tv, NULL);
+
+    *sec  = tv.tv_sec + context->kdc_sec_offset;
+    *usec = tv.tv_usec;		/* XXX */
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c
new file mode 100644
index 0000000..1faf378
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/transited.c
@@ -0,0 +1,411 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: transited.c,v 1.7 2000/02/07 13:30:41 joda Exp $");
+
+/* this is an attempt at one of the most horrible `compression'
+   schemes that has ever been invented; it's so amazingly brain-dead
+   that words can not describe it, and all this just to save a few
+   silly bytes */
+
+struct tr_realm {
+    char *realm;
+    unsigned leading_space:1;
+    unsigned leading_slash:1;
+    unsigned trailing_dot:1;
+    struct tr_realm *next;
+};
+
+static void
+free_realms(struct tr_realm *r)
+{
+    struct tr_realm *p;
+    while(r){
+	p = r;
+	r = r->next;
+	free(p->realm);
+	free(p);
+    }	
+}
+
+static int
+make_path(struct tr_realm *r, const char *from, const char *to)
+{
+    const char *p;
+    struct tr_realm *path = r->next;
+    struct tr_realm *tmp;
+
+    if(strlen(from) < strlen(to)){
+	const char *tmp;
+	tmp = from;
+	from = to;
+	to = tmp;
+    }
+	
+    if(strcmp(from + strlen(from) - strlen(to), to) == 0){
+	p = from;
+	while(1){
+	    p = strchr(p, '.');
+	    if(p == NULL)
+		return KRB5KDC_ERR_POLICY;
+	    p++;
+	    if(strcmp(p, to) == 0)
+		break;
+	    tmp = calloc(1, sizeof(*tmp));
+	    tmp->next = path;
+	    path = tmp;
+	    path->realm = strdup(p);
+	    if(path->realm == NULL){
+		r->next = path; /* XXX */
+		return ENOMEM;;
+	    }
+	}
+    }else if(strncmp(from, to, strlen(to)) == 0){
+	p = from + strlen(from);
+	while(1){
+	    while(p >= from && *p != '/') p--;
+	    if(p == from)
+		return KRB5KDC_ERR_POLICY;
+	    if(strncmp(to, from, p - from) == 0)
+		break;
+	    tmp = calloc(1, sizeof(*tmp));
+	    tmp->next = path;
+	    path = tmp;
+	    path->realm = malloc(p - from + 1);
+	    if(path->realm == NULL){
+		r->next = path; /* XXX */
+		return ENOMEM;
+	    }
+	    memcpy(path->realm, from, p - from);
+	    path->realm[p - from] = '\0';
+	    p--;
+	}
+    }else
+	return KRB5KDC_ERR_POLICY;
+    r->next = path;
+    
+    return 0;
+}
+
+static int
+make_paths(struct tr_realm *realms, const char *client_realm, 
+	   const char *server_realm)
+{
+    struct tr_realm *r;
+    int ret;
+    const char *prev_realm = client_realm;
+    const char *next_realm = NULL;
+    for(r = realms; r; r = r->next){
+	/* it *might* be that you can have more than one empty
+	   component in a row, at least that's how I interpret the
+	   "," exception in 1510 */
+	if(r->realm[0] == '\0'){
+	    while(r->next && r->next->realm[0] == '\0')
+		r = r->next;
+	    if(r->next)
+		next_realm = r->next->realm;
+	    else
+		next_realm = server_realm;
+	    ret = make_path(r, prev_realm, next_realm);
+	    if(ret){
+		free_realms(realms);
+		return ret;
+	    }
+	}
+	prev_realm = r->realm;
+    }
+    return 0;
+}
+
+static int
+expand_realms(struct tr_realm *realms, const char *client_realm)
+{
+    struct tr_realm *r;
+    const char *prev_realm = NULL;
+    for(r = realms; r; r = r->next){
+	if(r->trailing_dot){
+	    char *tmp;
+	    if(prev_realm == NULL)
+		prev_realm = client_realm;
+	    tmp = realloc(r->realm, strlen(r->realm) + strlen(prev_realm) + 1);
+	    if(tmp == NULL){
+		free_realms(realms);
+		return ENOMEM;
+	    }
+	    r->realm = tmp;
+	    strcat(r->realm, prev_realm);
+	}else if(r->leading_slash && !r->leading_space && prev_realm){
+	    /* yet another exception: if you use x500-names, the
+               leading realm doesn't have to be "quoted" with a space */
+	    char *tmp;
+	    tmp = malloc(strlen(r->realm) + strlen(prev_realm) + 1);
+	    if(tmp == NULL){
+		free_realms(realms);
+		return ENOMEM;
+	    }
+	    strcpy(tmp, prev_realm);
+	    strcat(tmp, r->realm);
+	    free(r->realm);
+	    r->realm = tmp;
+	}
+	prev_realm = r->realm;
+    }
+    return 0;
+}
+
+static struct tr_realm *
+make_realm(char *realm)
+{
+    struct tr_realm *r;
+    char *p, *q;
+    int quote = 0;
+    r = calloc(1, sizeof(*r));
+    if(r == NULL){
+	free(realm);
+	return NULL;
+    }
+    r->realm = realm;
+    for(p = q = r->realm; *p; p++){
+	if(p == r->realm && *p == ' '){
+	    r->leading_space = 1;
+	    continue;
+	}
+	if(q == r->realm && *p == '/')
+	    r->leading_slash = 1;
+	if(quote){
+	    *q++ = *p;
+	    quote = 0;
+	    continue;
+	}
+	if(*p == '\\'){
+	    quote = 1;
+	    continue;
+	}
+	if(p[0] == '.' && p[1] == '\0')
+	    r->trailing_dot = 1;
+	*q++ = *p;
+    }
+    *q = '\0';
+    return r;
+}
+
+static struct tr_realm*
+append_realm(struct tr_realm *head, struct tr_realm *r)
+{
+    struct tr_realm *p;
+    if(head == NULL){
+	r->next = NULL;
+	return r;
+    }
+    p = head;
+    while(p->next) p = p->next;
+    p->next = r;
+    return head;
+}
+
+static int
+decode_realms(const char *tr, int length, struct tr_realm **realms)
+{
+    struct tr_realm *r = NULL;
+
+    char *tmp;
+    int quote = 0;
+    const char *start = tr;
+    int i;
+
+    for(i = 0; i < length; i++){
+	if(quote){
+	    quote = 0;
+	    continue;
+	}
+	if(tr[i] == '\\'){
+	    quote = 1;
+	    continue;
+	}
+	if(tr[i] == ','){
+	    tmp = malloc(tr + i - start + 1);
+	    memcpy(tmp, start, tr + i - start);
+	    tmp[tr + i - start] = '\0';
+	    r = make_realm(tmp);
+	    if(r == NULL){
+		free_realms(*realms);
+		return ENOMEM;
+	    }
+	    *realms = append_realm(*realms, r);
+	    start = tr + i + 1;
+	}
+    }
+    tmp = malloc(tr + i - start + 1);
+    memcpy(tmp, start, tr + i - start);
+    tmp[tr + i - start] = '\0';
+    r = make_realm(tmp);
+    if(r == NULL){
+	free_realms(*realms);
+	return ENOMEM;
+    }
+    *realms = append_realm(*realms, r);
+    
+    return 0;
+}
+
+
+krb5_error_code
+krb5_domain_x500_decode(krb5_data tr, char ***realms, int *num_realms, 
+			const char *client_realm, const char *server_realm)
+{
+    struct tr_realm *r = NULL;
+    struct tr_realm *p, **q;
+    int ret;
+    
+    /* split string in components */
+    ret = decode_realms(tr.data, tr.length, &r);
+    if(ret)
+	return ret;
+    
+    /* apply prefix rule */
+    ret = expand_realms(r, client_realm);
+    if(ret)
+	return ret;
+    
+    ret = make_paths(r, client_realm, server_realm);
+    if(ret)
+	return ret;
+    
+    /* remove empty components */
+    q = &r;
+    for(p = r; p; ){
+	if(p->realm[0] == '\0'){
+	    free(p->realm);
+	    *q = p->next;
+	    free(p);
+	    p = *q;
+	}else{
+	    q = &p->next;
+	    p = p->next;
+	}
+    }
+    {
+	char **R;
+	*realms = NULL;
+	*num_realms = 0;
+	while(r){
+	    R = realloc(*realms, (*num_realms + 1) * sizeof(**realms));
+	    if(R == NULL) {
+		free(*realms);
+		return ENOMEM;
+	    }
+	    R[*num_realms] = r->realm;
+	    (*num_realms)++;
+	    *realms = R;
+	    p = r->next;
+	    free(r);
+	    r = p;
+	}
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
+{
+    char *s = NULL;
+    int len = 0;
+    int i;
+    for(i = 0; i < num_realms; i++){
+	len += strlen(realms[i]);
+	if(realms[i][0] == '/')
+	    len++;
+    }
+    len += num_realms - 1;
+    s = malloc(len + 1);
+    *s = '\0';
+    for(i = 0; i < num_realms; i++){
+	if(i && i < num_realms - 1)
+	    strcat(s, ",");
+	if(realms[i][0] == '/')
+	    strcat(s, " ");
+	strcat(s, realms[i]);
+    }
+    encoding->data = s;
+    encoding->length = strlen(s);
+    return 0;
+}
+
+krb5_error_code
+krb5_check_transited_realms(krb5_context context,
+			    const char *const *realms, 
+			    int num_realms, 
+			    int *bad_realm)
+{
+    int i;
+    int ret = 0;
+    char **bad_realms = krb5_config_get_strings(context, NULL, 
+						"libdefaults", 
+						"transited_realms_reject", 
+						NULL);
+    if(bad_realms == NULL)
+	return 0;
+
+    for(i = 0; i < num_realms; i++) {
+	char **p;
+	for(p = bad_realms; *p; p++)
+	    if(strcmp(*p, realms[i]) == 0) {
+		ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+		if(bad_realm)
+		    *bad_realm = i;
+		break;
+	    }
+    }
+    krb5_config_free_strings(bad_realms);
+    return ret;
+}
+
+#if 0
+int
+main(int argc, char **argv)
+{
+    krb5_data x;
+    char **r;
+    int num, i;
+    x.data = argv[1];
+    x.length = strlen(x.data);
+    if(domain_expand(x, &r, &num, argv[2], argv[3]))
+	exit(1);
+    for(i = 0; i < num; i++)
+	printf("%s\n", r[i]);
+    return 0;
+}
+#endif
+
diff --git a/crypto/heimdal/lib/krb5/verify_init.c b/crypto/heimdal/lib/krb5/verify_init.c
new file mode 100644
index 0000000..e7945ad
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_init.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: verify_init.c,v 1.12 2000/01/21 05:47:35 assar Exp $");
+
+void
+krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options)
+{
+    memset (options, 0, sizeof(*options));
+}
+
+void
+krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
+					     int ap_req_nofail)
+{
+    options->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+    options->ap_req_nofail = ap_req_nofail;
+}
+
+/*
+ *
+ */
+
+static krb5_boolean
+fail_verify_is_ok (krb5_context context,
+		   krb5_verify_init_creds_opt *options)
+{
+    if ((options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL
+	&& options->ap_req_nofail == 1)
+	|| krb5_config_get_bool (context,
+				 NULL,
+				 "libdefaults",
+				 "verify_ap_req_nofail",
+				 NULL))
+	return FALSE;
+    else
+	return TRUE;
+}
+
+krb5_error_code
+krb5_verify_init_creds(krb5_context context,
+		       krb5_creds *creds,
+		       krb5_principal ap_req_server,
+		       krb5_keytab ap_req_keytab,
+		       krb5_ccache *ccache,
+		       krb5_verify_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_data req;
+    krb5_ccache local_ccache;
+    krb5_keytab_entry entry;
+    krb5_creds *new_creds = NULL;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server = NULL;
+    krb5_keytab keytab = NULL;
+
+    krb5_data_zero (&req);
+    memset (&entry, 0, sizeof(entry));
+
+    if (ap_req_server == NULL) {
+	char local_hostname[MAXHOSTNAMELEN];
+
+	if (gethostname (local_hostname, sizeof(local_hostname)) < 0)
+	    return errno;
+
+	ret = krb5_sname_to_principal (context,
+				       local_hostname,
+				       "host",
+				       KRB5_NT_SRV_HST,
+				       &server);
+	if (ret)
+	    goto cleanup;
+    } else
+	server = ap_req_server;
+
+    if (ap_req_keytab == NULL) {
+	ret = krb5_kt_default (context, &keytab);
+	if (ret)
+	    goto cleanup;
+    } else
+	keytab = ap_req_keytab;
+
+    if (ccache && *ccache)
+	local_ccache = *ccache;
+    else {
+	ret = krb5_cc_gen_new (context, &krb5_mcc_ops, &local_ccache);
+	if (ret)
+	    goto cleanup;
+	ret = krb5_cc_initialize (context,
+				  local_ccache,
+				  creds->client);
+	if (ret)
+	    goto cleanup;
+	ret = krb5_cc_store_cred (context,
+				  local_ccache,
+				  creds);
+	if (ret)
+	    goto cleanup;
+    }
+
+    if (!krb5_principal_compare (context, server, creds->server)) {
+	krb5_creds match_cred;
+
+	memset (&match_cred, 0, sizeof(match_cred));
+
+	match_cred.client = creds->client;
+	match_cred.server = server;
+
+	ret = krb5_get_credentials (context,
+				    0,
+				    local_ccache,
+				    &match_cred,
+				    &new_creds);
+	if (ret) {
+	    if (fail_verify_is_ok (context, options))
+		ret = 0;
+	    goto cleanup;
+	}
+	creds = new_creds;
+    }
+
+    ret = krb5_mk_req_extended (context,
+				&auth_context,
+				0,
+				NULL,
+				creds,
+				&req);
+    
+    krb5_auth_con_free (context, auth_context);
+    auth_context = NULL;
+
+    if (ret)
+	goto cleanup;
+
+    ret = krb5_rd_req (context,
+		       &auth_context,
+		       &req,
+		       server,
+		       keytab,
+		       0,
+		       NULL);
+
+    if (ret == KRB5_KT_NOTFOUND && fail_verify_is_ok (context, options))
+	ret = 0;
+cleanup:
+    if (auth_context)
+	krb5_auth_con_free (context, auth_context);
+    krb5_data_free (&req);
+    krb5_kt_free_entry (context, &entry);
+    if (new_creds != NULL)
+	krb5_free_creds (context, new_creds);
+    if (ap_req_server == NULL && server)
+	krb5_free_principal (context, server);
+    if (ap_req_keytab == NULL && keytab)
+	krb5_kt_close (context, keytab);
+    if (ccache == NULL
+	|| (ret != 0 && *ccache == NULL))
+	krb5_cc_destroy (context, local_ccache);
+
+    if (ret == 0 && ccache != NULL && *ccache == NULL)
+	*ccache = local_ccache;
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
new file mode 100644
index 0000000..2b9ce28
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+RCSID("$Id: verify_krb5_conf.c,v 1.3 1999/12/02 17:05:13 joda Exp $");
+
+/* verify krb5.conf */
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[config-file]");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    const char *config_file = NULL;
+    krb5_error_code ret;
+    krb5_config_section *tmp_cf;
+    unsigned lineno;
+    char *error_message;
+    int optind = 0;
+
+    set_progname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc == 0) {
+	config_file = getenv("KRB5_CONFIG");
+	if (config_file == NULL)
+	    config_file = krb5_config_file;
+    } else if (argc == 1) {
+	config_file = argv[0];
+    } else {
+	usage (1);
+    }
+    
+    ret = krb5_config_parse_file_debug (config_file, &tmp_cf, &lineno,
+					&error_message);
+    if (ret == 0)
+	return 0;
+    fprintf (stderr, "%s:%u: %s\n", config_file, lineno, error_message);
+    return 1;
+}
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
new file mode 100644
index 0000000..10c22cb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: verify_user.c,v 1.11 1999/12/02 17:05:13 joda Exp $");
+
+static krb5_error_code
+verify_common (krb5_context context,
+	       krb5_principal principal,
+	       krb5_ccache ccache,
+	       krb5_boolean secure,
+	       const char *service,
+	       krb5_creds cred)
+{
+    krb5_error_code ret;
+    krb5_principal server;
+    krb5_verify_init_creds_opt vopt;
+    krb5_ccache id;
+
+    ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
+				   &server);
+    if(ret) return ret;
+
+    krb5_verify_init_creds_opt_init(&vopt);
+    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
+
+    ret = krb5_verify_init_creds(context,
+				 &cred,
+				 server,
+				 NULL,
+				 NULL,
+				 &vopt);
+    krb5_free_principal(context, server);
+    if(ret) return ret;
+    if(ccache == NULL)
+	ret = krb5_cc_default (context, &id);
+    else
+	id = ccache;
+    if(ret == 0){
+	ret = krb5_cc_initialize(context, id, principal);
+	if(ret == 0){
+	    ret = krb5_cc_store_cred(context, id, &cred);
+	}
+	if(ccache == NULL)
+	    krb5_cc_close(context, id);
+    }
+    krb5_free_creds_contents(context, &cred);
+    return ret;
+}
+
+/*
+ * Verify user `principal' with `password'.
+ *
+ * If `secure', also verify against local service key for `service'.
+ *
+ * As a side effect, fresh tickets are obtained and stored in `ccache'.
+ */
+
+krb5_error_code
+krb5_verify_user(krb5_context context, 
+		 krb5_principal principal,
+		 krb5_ccache ccache,
+		 const char *password,
+		 krb5_boolean secure,
+		 const char *service)
+{
+
+    krb5_error_code ret;
+    krb5_get_init_creds_opt opt;
+    krb5_creds cred;
+    
+    krb5_get_init_creds_opt_init (&opt);
+
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					principal,
+					(char*)password,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					NULL,
+					&opt);
+    
+    if(ret)
+	return ret;
+    return verify_common (context, principal, ccache, secure, service, cred);
+}
+
+/*
+ * A variant of `krb5_verify_user'.  The realm of `principal' is
+ * ignored and all the local realms are tried.
+ */
+
+krb5_error_code
+krb5_verify_user_lrealm(krb5_context context, 
+			krb5_principal principal,
+			krb5_ccache ccache,
+			const char *password,
+			krb5_boolean secure,
+			const char *service)
+{
+    krb5_error_code ret;
+    krb5_get_init_creds_opt opt;
+    krb5_realm *realms, *r;
+    krb5_creds cred;
+    
+    krb5_get_init_creds_opt_init (&opt);
+
+    ret = krb5_get_default_realms (context, &realms);
+    if (ret)
+	return ret;
+    ret = KRB5_CONFIG_NODEFREALM;
+
+    for (r = realms; *r != NULL && ret != 0; ++r) {
+	char *tmp = strdup (*r);
+
+	if (tmp == NULL) {
+	    krb5_free_host_realm (context, realms);
+	    return ENOMEM;
+	}
+	free (*krb5_princ_realm (context, principal));
+	krb5_princ_set_realm (context, principal, &tmp);
+
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    (char*)password,
+					    krb5_prompter_posix,
+					    NULL,
+					    0,
+					    NULL,
+					    &opt);
+    }
+    krb5_free_host_realm (context, realms);
+    if(ret)
+	return ret;
+
+    return verify_common (context, principal, ccache, secure, service, cred);
+}
diff --git a/crypto/heimdal/lib/krb5/version.c b/crypto/heimdal/lib/krb5/version.c
new file mode 100644
index 0000000..5f0fd66
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/version.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: version.c,v 1.3 1999/12/02 17:05:13 joda Exp $");
+
+/* this is just to get a version stamp in the library file */
+
+#define heimdal_version __heimdal_version
+#define heimdal_long_version __heimdal_long_version
+#include "version.h"
+
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
new file mode 100644
index 0000000..b202f7d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: warn.c,v 1.10 1999/12/02 17:05:13 joda Exp $");
+
+static krb5_error_code
+_warnerr(krb5_context context, int do_errtext, 
+	 krb5_error_code code, int level, const char *fmt, va_list ap)
+{
+    char xfmt[7] = "";
+    const char *args[2], **arg;
+    char *msg = NULL;
+    
+    arg = args;
+    if(fmt){
+	strcat(xfmt, "%s");
+	if(do_errtext)
+	    strcat(xfmt, ": ");
+	vasprintf(&msg, fmt, ap);
+	if(msg == NULL)
+	    return ENOMEM;
+	*arg++ = msg;
+    }
+    if(context && do_errtext){
+	const char *err_msg;
+
+	strcat(xfmt, "%s");
+
+	err_msg = krb5_get_err_text(context, code);
+	if (err_msg)
+	    *arg++ = err_msg;
+	else
+	    *arg++ = "<unknown error>";
+    }
+	
+    if(context && context->warn_dest)
+	krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
+    else
+	warnx(xfmt, args[0], args[1]);
+    free(msg);
+    return 0;
+}
+
+#define FUNC(ETEXT, CODE, LEVEL)					\
+    krb5_error_code ret;						\
+    va_list ap;								\
+    va_start(ap, fmt);							\
+    ret = _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); 		\
+    va_end(ap);
+
+#undef __attribute__
+#define __attribute__(X)
+
+krb5_error_code
+krb5_vwarn(krb5_context context, krb5_error_code code, 
+	   const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 3, 0)))
+{
+    return _warnerr(context, 1, code, 1, fmt, ap);
+}
+
+
+krb5_error_code
+krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
+     __attribute__ ((format (printf, 3, 4)))
+{
+    FUNC(1, code, 1);
+    return ret;
+}
+
+krb5_error_code
+krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 2, 0)))
+{
+    return _warnerr(context, 0, 0, 1, fmt, ap);
+}
+
+krb5_error_code
+krb5_warnx(krb5_context context, const char *fmt, ...)
+     __attribute__ ((format (printf, 2, 3)))
+{
+    FUNC(0, 0, 1);
+    return ret;
+}
+
+krb5_error_code
+krb5_verr(krb5_context context, int eval, krb5_error_code code, 
+	  const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 4, 0)))
+{
+    _warnerr(context, 1, code, 0, fmt, ap);
+    exit(eval);
+}
+
+
+krb5_error_code
+krb5_err(krb5_context context, int eval, krb5_error_code code, 
+	 const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 4, 5)))
+{
+    FUNC(1, code, 0);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 3, 0)))
+{
+    _warnerr(context, 0, 0, 0, fmt, ap);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_errx(krb5_context context, int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 3, 4)))
+{
+    FUNC(0, 0, 0);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_vabort(krb5_context context, krb5_error_code code, 
+	    const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 3, 0)))
+{
+    _warnerr(context, 1, code, 0, fmt, ap);
+    abort();
+}
+
+
+krb5_error_code
+krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 3, 4)))
+{
+    FUNC(1, code, 0);
+    abort();
+}
+
+krb5_error_code
+krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)))
+{
+    _warnerr(context, 0, 0, 0, fmt, ap);
+    abort();
+}
+
+krb5_error_code
+krb5_abortx(krb5_context context, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)))
+{
+    FUNC(0, 0, 0);
+    abort();
+}
+
+krb5_error_code
+krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
+{
+    context->warn_dest = fac;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
new file mode 100644
index 0000000..b7f2c28
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: write_message.c,v 1.4 1999/12/02 17:05:13 joda Exp $");
+
+krb5_error_code
+krb5_write_message (krb5_context context,
+		    krb5_pointer p_fd,
+		    krb5_data *data)
+{
+    u_int32_t len;
+    u_int8_t buf[4];
+
+    len = data->length;
+    buf[0] = (len >> 24) & 0xFF;
+    buf[1] = (len >> 16) & 0xFF;
+    buf[2] = (len >>  8) & 0xFF;
+    buf[3] = (len >>  0) & 0xFF;
+    if (krb5_net_write (context, p_fd, buf, 4) != 4
+	|| krb5_net_write (context, p_fd, data->data, len) != len)
+	return errno;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/ChangeLog b/crypto/heimdal/lib/roken/ChangeLog
new file mode 100644
index 0000000..6da4be0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ChangeLog
@@ -0,0 +1,764 @@
+2000-02-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 7:1:2
+	
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c (PARSE_INT_FORMAT): note that shorts are actually
+	transmitted as ints
+	(according to the integer protomotion rules) in variable arguments
+	lists.  Therefore, we should not call va_arg with short but rather
+	with int.  See <http://www.debian.org/Bugs/db/57/57919.html> for
+	original bug report
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 7:0:2
+
+	* getarg.c (mandoc_template): also fix no- prefix in .Sh OPTIONS
+	* getarg.c (mandoc_template): better man-stuff for negative
+	options
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 6:0:1
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: hopefully catch a few more declarations by including
+	<ndbm.h> even if <db.h> was found
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): separate number of allocated sockets
+	and number of actual ones
+	* mini_inetd.c (mini_inetd): count sockets properly.  and fail if
+	we cannot bind any
+	* mini_inetd.c (mini_inetd): make failing to create a socket
+	non-fatal
+
+2000-01-09  Assar Westerlund  <assar@sics.se>
+
+ 	* Makefile.am(libroken_la_SOURCES): add strcollect.c
+	* Makefile.in: add strcollect.[co]
+	* simple_exec.c: use vstrcollect
+	* roken-common.h (_PATH_DEV): add
+	(strcollect, vstrcollect): add prototypes
+	* strcollect.c: new file.  functions for collapsing an `va_list'
+	into an `char **'
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 5:0:0
+
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (strpftime_test_SOURCES): correct source file name
+
+	* roken.h.in (sockaddr_storage): change padding so that we have
+ 	one char[] of pad and then an unsigned long[] (for alignment and
+ 	padding).  this works much better in practice.
+
+1999-12-22  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (sockaddr_storage): drop leading underscore on
+ 	`public' fields.  this was the consensus on the ipng mailing list
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (strpftime-test): define sources to avoid having
+ 	'.o'
+	* Makefile.am (print_version.h): use $(EXEEXT)
+	* Makefile.am (roken.h): add $(EXEEXT) to make this work on cygwin
+ 	et al
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 4:3:0
+
+	* getaddrinfo.c (get_nodes): use getipnodebyname instead of
+	gethostbyname(2)
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 4:2:0
+
+	* roken.h.in (struct sockaddr_storage): redefine with the example
+ 	code from rfc2553
+
+	* getaddrinfo.c (get_null): set loopback with correct endianess
+	for v4.  dunno about v6.
+
+1999-12-13  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: add prototypes for str[pf]time
+
+	* signal.c: macosx = rhapsody ~= nextstep also can't handle
+ 	various definitions of the same symbol.
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:1:0
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:0:0
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: replace inaddr2str with getnameinfo_verified
+
+	* roken-common.h (INADDR_LOOPBACK): add fallback definition
+
+	* roken-common.h: move getnameinfo_verified to roken.h.in
+	* roken.h.in (inaddr2str): remove
+	* Makefile.am (libroken_la_SOURCES); removed inaddr2str
+	* roken-common.h (getnameinfo_verified): add prototype
+	* getnameinfo_verified.c: new file
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add constants for getaddrinfo, getnameinfo
+	* roken.h.in (socklen_t): make independent of sockaddr_storage
+	(AI_*, NI_*, EAI_*): move to roken-common.h
+
+1999-12-03  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inted): rewrite to use `getaddrinfo'
+	* getaddrinfo.c (const_v*): no sizeof(sizeof())
+	* getaddrinfo.c (add_hostent): search for the canonical name among
+	all aliases
+	(getaddrinfo): handle AI_NUMERICHOST correctly
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add freeaddinfo,
+	getaddrinfo, getnameinfo, gai_strerror
+	(getaddrinfo_test): add
+	* Makefile.in (SOURCES): add freeaddinfo, getaddrinfo,
+	getnameinfo, gai_strerror
+	(getaddrinfo_test): add
+	* roken.h.in: arpa/inet.h: include
+	(socklen_t): add
+	(struct addrinfo): add
+	(EAI_*): add
+	(NI_*): add
+	(AI_*): add
+	(getaddrinfo, getnameinfo, freeaddrinfo, gai_strerror): add
+	* getnameinfo.c: new file
+	* getaddrinfo-test.c: new file
+	* gai_strerror.c: new file
+	* getaddrinfo.c: new file
+	* freeaddrinfo.c: new file
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* getopt.c (getopt): return -1 instead of EOF.  From
+	<art@stacken.kth.se>
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* strftime.c (strftime): handle `%z' and `%Z' in a tm_gmtoff-less
+	world
+
+	* getcap.c: make sure to use db only if we have both the library
+	and the header file
+	
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h: add arg_counter
+	* getarg.c: add a new type of argument: `arg_counter' re-organize
+	the code somewhat
+	
+	* Makefile.am: add strptime and strpftime-test
+	
+	* snprintf.c (xyzprintf): try to do the right thing with an % at
+	the end of the format string
+	
+	* strptime.c (strptime): implement '%U', '%V', '%W'
+	* strftime.c (strftime): implement '%U', '%V', '%W', '%z'
+	
+	* strftime.c (strftime): correct %E and %O handling.  do something
+ 	reasonable with "...%"
+
+	* strftime.c: replace the BSD implementation by one of our own
+	coding
+
+	* strptime.c : new file
+	* strpftime-test.c: new file
+
+1999-11-07  Assar Westerlund  <assar@sics.se>
+
+	* parse_bytes-test.c: new file
+
+	* Makefile.am: add parse_bytes-test
+
+	* parse_units.c (parse_something): try to handle the case of no
+ 	value specified a little bit better
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:2:0
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c (PARSE_INT_FORMAT): add redundant casts to work
+ 	around a gcc-bug that manifests itself on Linux-PPC.  From Tom
+ 	Rini <trini@kernel.crashing.org>
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:1:0
+
+	* roken.h.in: use `unsigned char' instead of `u_int8_t' to avoid
+ 	having to have that definition.  this is the easy way out instead
+ 	of getting the definition here where it's needed.  flame me.
+
+Fri Oct 22 15:39:31 1999  Bjoern Groenvall  <bg@sics.se>
+
+	* k_getpwuid.c (k_getpwuid): getspuid() does not exist (even
+ 	though it should), use getspnam().
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 3:0:0
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: document arg_collect
+
+	* getarg.c: change the way arg_collect works; it's still quite
+	horrible though
+
+	* getarg.h: change type of the collect function
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: undo last commit
+
+	* xdbm.h: reorder db includes
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* socket.c: const-ize and comment
+
+	* net_write.c: const-ize
+
+	* base64.c: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (getarg): also set optind when returning error
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add parse_bytes.[ch]
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: getarg manpage
+
+	* getarg.{c,h}: add a callback type to do more complicated processing
+
+	* getarg.{c,h}: add floating point support
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* strlcat.c (strlcat): call strlcpy
+
+	* strlcpy.c: update name and prototype
+
+	* strlcat.c: update name and prototype
+
+	* roken.h.in: rename strc{py,at}_truncate to strlc{py,at}
+
+	* Makefile.am: rename strc{py,at}_truncate -> strlc{py,at}
+
+	* Makefile.in: rename strc{py,at}_truncate -> strlc{py,at}
+
+ 	* strcpy_truncate.c (strcpy_truncate): change return value to be
+ 	the length of `src'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* getcap.c: try to make this work on systems with DB
+
+1999-08-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getcap.c: protect from db-less systems
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* simple_exec.c: add simple_exec{ve,le}
+
+	* getcap.c: getcap from NetBSD
+
+1999-08-06  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (sockaddr_storage): cater for those that have
+ 	v6-support also
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* inet_ntop.c (inet_ntop_v4): remember to call ntohl
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add shutdown constants
+
+	* mini_inetd.c (listen_v4, listen_v6): handle the case of the
+ 	protocol not being supported
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (socket_set_reuseaddr): remove duplicate
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): fix my stupid bugs
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add socket* functions
+
+	* Makefile.am (libroken_la_SOURCES): add socket.c
+
+	* socket.c: new file, originally from appl/ftp/common
+
+	* Makefile.am: set version to 2:0:2
+
+	* roken.h.in (inet_pton): add prototype
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_pton
+
+	* inet_pton.c: new file
+
+	* getipnodebyname.c (getipnodebyname): try gethostbyname2 if we
+ 	have it
+
+1999-07-27  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c: support IPv6
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+	* roken.h.in (inet_ntop): add prototype
+
+ 	* roken-common.h: (INET{,6}_ADDRSTRLEN): add
+
+	* inet_ntop.c: new file
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_ntop.c
+
+	* Makefile.am: move some files from libroken_la_SOURCES to
+ 	EXTRA_libroken_la_SOURCES
+
+	* snprintf.c: some signed vs unsigned casts
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (struct sockaddr_storage): define it needed
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_SOURCES): add copyhostent.c,
+ 	freehostent.c, getipnodebyname.c, getipnodebyaddr.c
+	
+	* roken.h.in: <netdb.h>: include
+	(copyhostent, freehostent, getipnodebyname, getipnodebyaddr): add
+	prototypes
+
+	* roken-common.h: new constants for getipnodeby*
+
+	* Makefile.in (SOURCES): add freehostent, copyhostent,
+ 	getipnodebyname, getipnodebyaddr
+
+	* freehostent.c: new file
+
+	* copyhostent.c: new file
+
+	* getipnodebyaddr.c: new file
+
+	* getipnodebyname.c: new file
+
+1999-07-13  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (k_getpwnam): update prototype
+
+	* k_getpwnam.c (k_getpwnam): const-ize
+
+	* get_default_username.c (get_default_username): a better way of
+ 	guessing when the user has su:ed
+
+1999-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.awk: use puts, as suggested by Jeffrey Hutzelman
+	<jhutz+@cmu.edu>
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* readv.c (readv): typo
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* writev.c (writev): error check malloc properly
+
+	* sendmsg.c (sendmsg): error check malloc properly
+
+	* resolve.c (parse_reply): error check malloc properly
+
+	* recvmsg.c (recvmsg): error check malloc properly
+
+	* readv.c (readv): error check malloc properly
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (acc_units): move the special case of 0 -> 1 to
+ 	parse_something to avoid having it happen at the end of the string
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add get_default_username
+
+	* get_default_username.c: new file
+
+	* roken.h.in (get_default_username): add prototype
+
+	* Makefile.am: add get_default_username
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: also try <db.h> with DB_DBM_HSEARCH == 1
+
+	* strnlen.c (strnlen): update prototype
+
+	* Makefile.am: strndup.c: add
+
+	* Makefile.in: strndup.c: add
+
+	* roken.h.in (strndup): add
+	(strnlen): update prototype
+
+	* strndup.c: new file
+
+Fri Apr 16 17:59:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include strsep prototype if needed
+
+Thu Apr 15 14:04:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make make-print-version.o depend on version.h
+
+Wed Apr  7 14:11:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make it compile w/o krb4
+
+Sat Mar 27 17:33:03 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* snprintf.c (vasnprintf): correct check if realloc returns NULL
+
+Sat Mar 27 12:37:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: link print_version with -ldes to avoid unresolved
+ 	references if -lkrb is shared
+
+Sat Mar 20 03:42:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h (eread, ewrite): add
+
+	* simple_exec.c: add <roken.h>
+
+Fri Mar 19 21:29:58 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add eread, ewrite
+
+	* eread.c, ewrite.c: new files
+
+	* Makefile.am (libroken_la_SOURCES): add eread and ewrite
+
+Fri Mar 19 14:52:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 12:53:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove include_dir hack
+
+	* Makefile.am: parse_units.h
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Mar 13 23:31:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add glob.c
+
+Thu Mar 11 15:02:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* iruserok.c: move innetgr() to separate file
+
+	* innetgr.c: move innetgr() to separate file
+
+	* hstrerror.c (hstrerror): add const to return type
+
+	* erealloc.c: fix types in format string
+
+	* emalloc.c: fix types in format string
+
+Wed Mar 10 16:36:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: ugly fix for crays
+
+Mon Mar  8 11:52:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* roken.h.in: protos for {un,}setenv
+
+1999-02-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add fnmatch
+
+	* roken-common.h (abs): add
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* emalloc.c, erealloc.c, estrup.c: new files
+
+	* roken.h.in (mkstemp, gethostname): also includes prototypes if
+ 	they are needed.
+
+1998-12-23  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: mkstemp: add prototype
+
+1998-12-20  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c, iruserok.c, parse-units.c: unsigned char-correctness
+
+	* roken.h.in (inet_aton): also chedk NEED_INET_ATON_PROTO
+
+	* roken-common.h: __attribute__: check for autoconf'd
+	HAVE___ATTRIBUTE__ instead of GNUC
+
+Sun Dec  6 19:53:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): func is called with val == 0 if
+ 	no unit was given
+	(acc_flags, acc_units): update to new standard
+
+Fri Nov 27 03:09:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (stot): constify
+	(type_to_string): always declare
+	(dns_lookup_int): correct debug output
+
+Thu Nov 26 23:43:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (dns_lookup_int): send rr_class to res_search
+
+Thu Nov 26 17:09:47 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: some cleanup
+
+	* resolve.h: add T_NAPTR
+
+Sun Nov 22 10:23:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+	* k_getpwnam.c (k_getpwnam): check for `struct spwd'
+
+	* k_getpwuid.c (k_getpwuid): check for `struct spwd'
+
+Tue Sep  8 05:18:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* recvmsg.c (recvmsg): patch from bpreece@unity.ncsu.edu
+
+Fri Sep  4 16:29:27 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* vsyslog.c: asprintf -> vasprintf
+
+Tue Aug 18 22:25:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h (arg_printusage): new signature
+
+	* getarg.c (arg_printusage): new parameter `progname'.  NULL means
+ 	__progname.
+
+Sun Aug  9 14:53:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Fri Jul 24 21:56:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execvp): loop around waitpid when errno ==
+ 	EINTR
+
+Thu Jul 23 20:24:35 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Wed Jul 22 21:38:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execlp): initialize `argv'
+
+Mon Jul 13 23:01:22 1998  Assar Westerlund  <assar@sics.se>
+
+	* inaddr2str.c (inaddr2str): don't advance hostent->h_addr_list,
+ 	use a copy instead
+
+Fri Jul 10 01:20:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (net_write, net_read): add prototypes
+
+	* Makefile.in: net_{read,write}.c: add
+
+	* net_{read,write}.c: new files
+
+Tue Jun 30 17:29:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (issuid): add
+
+	* get_window_size.c: fix misspelling of TIOCGWINSZ and bad use of
+ 	fields
+
+Sun May 31 03:24:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	SYNOPSIS within the same [ ] pair.
+
+Sat May 30 00:13:01 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (arg_printusage): try to keep options shorter than
+ 	column width
+
+	* get_window_size.c (get_window_size): check COLUMNS and LINES
+
+Fri May 29 00:05:04 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	DESCRIPTION on the same line.
+
+	* getarg.c (arg_match_long): make sure you only get an exact match
+ 	if the strings are the same length
+
+Thu May 14 02:23:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.awk: stupid cray awk wants \#
+
+Fri May  1 01:29:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* print_version.c (print_version): according to ISO/ANSI C the
+ 	elements of `arg' are not constant and therefore not settable at
+ 	compile-time.  Set the at run-time instead.
+
+Sun Apr 19 10:00:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include paths.h
+
+Sun Apr  5 12:30:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add roken_gethostby.c to make solaris
+ 	make happy
+
+Thu Mar 19 20:41:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* simple_exec.c: Simple fork+exec system() replacement.
+
+Fri Mar  6 00:21:53 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken_gethostby.c: Make `roken_gethostby_setup' take url-like
+ 	specification instead of split up versions. Makes it easier for
+ 	calling applications.
+
+	* roken_gethostby.c: Another miracle of the 20th century:
+ 	gethostby* over HTTP.
+
+Sat Feb 21 15:18:36 1998  assar westerlund  <assar@sics.se>
+
+	* parse_time.c (unparse_time_approx): new function that calls
+ 	`unparse_units_approx'
+
+	* parse_units.c (unparse_units_approx): new function that will
+ 	only print the first unit.
+
+	* Makefile.in: include parse_{time,units}
+
+Thu Feb 12 03:30:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): don't return a void value.
+
+Tue Feb  3 11:06:24 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Change date format to full month
+ 	name, and day of month without leading zero.
+
+Thu Jan 22 21:23:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Fix long form of negative flags.
+
+Mon Dec 29 23:31:10 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken.h.in: Include <err.h>, to get linux __progname.
+
+Sun Dec 21 09:45:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): new function
+
+	* parse_units.c (print_flags_table, print_units_table): new
+ 	functions.
+
+Thu Dec  4 02:51:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* iruserok.c: moved here.
+
+	* snprintf.c (sn_append_char): don't write any terminating zero.
+	(as_reserve): don't loop.  better heuristic for how much space to
+ 	realloc.
+	(vasnprintf): simplify initializing to one.
+
+Sun Nov 30 14:56:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Add mandoc help back-end to getarg.
+
+Wed Nov 12 01:09:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* verr.c, verrx.c: Fix warnings by moving exit from.
+
+Tue Nov 11 21:12:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* parse_units.c: Change the list of separating characters (between
+ 	units) to comma, space, and tab, removing digits. Having digits in
+ 	this list makes a flag like `T42 generate a parse error. This
+ 	change makes `17m3s' an invalid time-spec (you need a space).
+
+Tue Nov 11 02:38:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: add <sys/socket.h>
+
+Sun Nov  9 04:48:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* fnmatch.c: Add fnmatch from NetBSD
+
+Sun Nov  9 02:00:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): ignore white-space and ','
+
+Mon Nov  3 22:38:32 1997  Assar Westerlund  <assar@sics.se>
+	
+	* roken.h: fclose prototype
+
+	* roken.h: add prototype for vsyslog
+
+	* Makefile.in: add some more source files to make soriasis make
+ 	happy
+
+Sat Nov  1 00:19:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: include <sys/uio.h> and <errno.h>.
+	prototypes for readv and writev
+
+	* readv.c, writev.c: new files
+
+Wed Oct 29 02:21:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: Add ugly macros for openlog, gethostbyname,
+ 	gethostbyaddr, and getservbyname for the benefit of Crays.  Add
+ 	default definition of MAXPATHLEN
diff --git a/crypto/heimdal/lib/roken/Makefile.am b/crypto/heimdal/lib/roken/Makefile.am
new file mode 100644
index 0000000..3d303f8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/Makefile.am
@@ -0,0 +1,179 @@
+# $Id: Makefile.am,v 1.70 2000/02/19 18:53:13 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES = roken.h make-roken.c print_version.h
+
+lib_LTLIBRARIES = libroken.la
+libroken_la_LDFLAGS = -version-info 7:1:2
+
+noinst_PROGRAMS = make-roken make-print-version
+
+check_PROGRAMS = parse_bytes-test strpftime-test getaddrinfo-test
+TESTS = $(check_PROGRAMS)
+
+getaddrinfo_test_LDADD = libroken.la
+parse_bytes_test_LDADD = libroken.la
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+
+if KRB4
+if KRB5
+## need to link with des here; otherwise, if krb4 is shared the link
+## will fail with unresolved references
+make_print_version_LDADD += $(LIB_krb4) -ldes
+endif
+endif
+
+libroken_la_SOURCES =		\
+	base64.c		\
+	concat.c		\
+	emalloc.c		\
+	eread.c			\
+	erealloc.c		\
+	estrdup.c		\
+	ewrite.c		\
+	getaddrinfo_hostspec.c	\
+	get_default_username.c	\
+	get_window_size.c	\
+	getarg.c		\
+	getnameinfo_verified.c	\
+	issuid.c		\
+	k_getpwnam.c		\
+	k_getpwuid.c		\
+	mini_inetd.c		\
+	net_read.c		\
+	net_write.c		\
+	parse_bytes.c		\
+	parse_time.c		\
+	parse_units.c		\
+	print_version.c		\
+	resolve.c		\
+	roken_gethostby.c	\
+	signal.c		\
+	simple_exec.c		\
+	snprintf.c		\
+	socket.c		\
+	strcollect.c		\
+	tm2time.c		\
+	verify.c		\
+	warnerr.c		\
+	xdbm.h
+
+EXTRA_libroken_la_SOURCES =	\
+	chown.c			\
+	copyhostent.c		\
+	daemon.c		\
+	err.c			\
+	err.h			\
+	errx.c			\
+	fchown.c		\
+	flock.c			\
+	fnmatch.c		\
+	fnmatch.h		\
+	freeaddrinfo.c		\
+	freehostent.c		\
+	gai_strerror.c		\
+	getaddrinfo.c		\
+	getdtablesize.c		\
+	getegid.c		\
+	geteuid.c		\
+	getgid.c		\
+	gethostname.c		\
+	getipnodebyaddr.c	\
+	getipnodebyname.c	\
+	getnameinfo.c		\
+	getopt.c		\
+	gettimeofday.c		\
+	getuid.c		\
+	getusershell.c		\
+	glob.h			\
+	hstrerror.c		\
+	inet_aton.c		\
+	inet_ntop.c		\
+	inet_pton.c		\
+	initgroups.c		\
+	innetgr.c		\
+	iruserok.c		\
+	lstat.c			\
+	memmove.c		\
+	mkstemp.c		\
+	putenv.c		\
+	rcmd.c			\
+	readv.c			\
+	recvmsg.c		\
+	sendmsg.c		\
+	setegid.c		\
+	setenv.c		\
+	seteuid.c		\
+	strcasecmp.c		\
+	strdup.c		\
+	strerror.c		\
+	strftime.c		\
+	strlcat.c		\
+	strlcpy.c		\
+	strlwr.c		\
+	strncasecmp.c		\
+	strndup.c		\
+	strnlen.c		\
+	strptime.c		\
+	strsep.c		\
+	strtok_r.c		\
+	strupr.c		\
+	swab.c			\
+	unsetenv.c		\
+	verr.c			\
+	verrx.c			\
+	vsyslog.c		\
+	vwarn.c			\
+	vwarnx.c		\
+	warn.c			\
+	warnx.c			\
+	writev.c
+
+EXTRA_DIST = resource.h roken.awk roken.def roken.dsp roken.h.in \
+	roken.mak roken.rc
+
+
+
+libroken_la_LIBADD = @LTLIBOBJS@
+
+$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h
+
+include_HEADERS = $(err_h) base64.h getarg.h \
+	parse_bytes.h parse_time.h parse_units.h \
+	resolve.h roken.h roken-common.h
+
+build_HEADERZ = $(err_h) $(fnmatch_h) $(glob_h) xdbm.h
+
+if have_err_h
+err_h =
+else
+err_h = err.h
+endif
+
+if have_fnmatch_h
+fnmatch_h =
+else
+fnmatch_h = fnmatch.h
+endif
+
+if have_glob_h
+glob_h =
+else
+glob_h = glob.h
+endif
+
+roken.h: make-roken$(EXEEXT)
+	@./make-roken$(EXEEXT) > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/heimdal/lib/roken/Makefile.in b/crypto/heimdal/lib/roken/Makefile.in
new file mode 100644
index 0000000..6db3973
--- /dev/null
+++ b/crypto/heimdal/lib/roken/Makefile.in
@@ -0,0 +1,801 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.70 2000/02/19 18:53:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+CLEANFILES = roken.h make-roken.c print_version.h
+
+lib_LTLIBRARIES = libroken.la
+libroken_la_LDFLAGS = -version-info 7:1:2
+
+noinst_PROGRAMS = make-roken make-print-version
+
+check_PROGRAMS = parse_bytes-test strpftime-test getaddrinfo-test
+TESTS = $(check_PROGRAMS)
+
+getaddrinfo_test_LDADD = libroken.la
+parse_bytes_test_LDADD = libroken.la
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD =  $(LIB_krb4) -ldes
+
+libroken_la_SOURCES =  	base64.c			concat.c			emalloc.c			eread.c				erealloc.c			estrdup.c			ewrite.c			getaddrinfo_hostspec.c		get_default_username.c		get_window_size.c		getarg.c			getnameinfo_verified.c		issuid.c			k_getpwnam.c			k_getpwuid.c			mini_inetd.c			net_read.c			net_write.c			parse_bytes.c			parse_time.c			parse_units.c			print_version.c			resolve.c			roken_gethostby.c		signal.c			simple_exec.c			snprintf.c			socket.c			strcollect.c			tm2time.c			verify.c			warnerr.c			xdbm.h
+
+
+EXTRA_libroken_la_SOURCES =  	chown.c				copyhostent.c			daemon.c			err.c				err.h				errx.c				fchown.c			flock.c				fnmatch.c			fnmatch.h			freeaddrinfo.c			freehostent.c			gai_strerror.c			getaddrinfo.c			getdtablesize.c			getegid.c			geteuid.c			getgid.c			gethostname.c			getipnodebyaddr.c		getipnodebyname.c		getnameinfo.c			getopt.c			gettimeofday.c			getuid.c			getusershell.c			glob.h				hstrerror.c			inet_aton.c			inet_ntop.c			inet_pton.c			initgroups.c			innetgr.c			iruserok.c			lstat.c				memmove.c			mkstemp.c			putenv.c			rcmd.c				readv.c				recvmsg.c			sendmsg.c			setegid.c			setenv.c			seteuid.c			strcasecmp.c			strdup.c			strerror.c			strftime.c			strlcat.c			strlcpy.c			strlwr.c			strncasecmp.c			strndup.c			strnlen.c			strptime.c			strsep.c			strtok_r.c			strupr.c			swab.c				unsetenv.c			verr.c				verrx.c				vsyslog.c			vwarn.c				vwarnx.c			warn.c				warnx.c				writev.c
+
+
+EXTRA_DIST = resource.h roken.awk roken.def roken.dsp roken.h.in 	roken.mak roken.rc
+
+
+libroken_la_LIBADD = @LTLIBOBJS@
+
+include_HEADERS = $(err_h) base64.h getarg.h 	parse_bytes.h parse_time.h parse_units.h 	resolve.h roken.h roken-common.h
+
+
+build_HEADERZ = $(err_h) $(fnmatch_h) $(glob_h) xdbm.h
+@have_err_h_TRUE@err_h = 
+@have_err_h_FALSE@err_h = err.h
+@have_fnmatch_h_TRUE@fnmatch_h = 
+@have_fnmatch_h_FALSE@fnmatch_h = fnmatch.h
+@have_glob_h_TRUE@glob_h = 
+@have_glob_h_FALSE@glob_h = glob.h
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libroken_la_DEPENDENCIES =  @LTLIBOBJS@
+libroken_la_OBJECTS =  base64.lo concat.lo emalloc.lo eread.lo \
+erealloc.lo estrdup.lo ewrite.lo getaddrinfo_hostspec.lo \
+get_default_username.lo get_window_size.lo getarg.lo \
+getnameinfo_verified.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \
+mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo parse_time.lo \
+parse_units.lo print_version.lo resolve.lo roken_gethostby.lo signal.lo \
+simple_exec.lo snprintf.lo socket.lo strcollect.lo tm2time.lo verify.lo \
+warnerr.lo
+check_PROGRAMS =  parse_bytes-test$(EXEEXT) strpftime-test$(EXEEXT) \
+getaddrinfo-test$(EXEEXT)
+noinst_PROGRAMS =  make-roken$(EXEEXT) make-print-version$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+parse_bytes_test_SOURCES = parse_bytes-test.c
+parse_bytes_test_OBJECTS =  parse_bytes-test.$(OBJEXT)
+parse_bytes_test_DEPENDENCIES =  libroken.la
+parse_bytes_test_LDFLAGS = 
+strpftime_test_OBJECTS =  strpftime-test.$(OBJEXT) strftime.$(OBJEXT) \
+strptime.$(OBJEXT) snprintf.$(OBJEXT)
+strpftime_test_LDADD = $(LDADD)
+strpftime_test_DEPENDENCIES = 
+strpftime_test_LDFLAGS = 
+getaddrinfo_test_SOURCES = getaddrinfo-test.c
+getaddrinfo_test_OBJECTS =  getaddrinfo-test.$(OBJEXT)
+getaddrinfo_test_DEPENDENCIES =  libroken.la
+getaddrinfo_test_LDFLAGS = 
+make_roken_SOURCES = make-roken.c
+make_roken_OBJECTS =  make-roken.$(OBJEXT)
+make_roken_LDADD = $(LDADD)
+make_roken_DEPENDENCIES = 
+make_roken_LDFLAGS = 
+make_print_version_SOURCES = make-print-version.c
+make_print_version_OBJECTS =  make-print-version.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES = 
+make_print_version_LDFLAGS = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS)
+
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in getcap.c glob.c \
+make-print-version.c
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) parse_bytes-test.c $(strpftime_test_SOURCES) getaddrinfo-test.c make-roken.c make-print-version.c
+OBJECTS = $(libroken_la_OBJECTS) parse_bytes-test.$(OBJEXT) $(strpftime_test_OBJECTS) getaddrinfo-test.$(OBJEXT) make-roken.$(OBJEXT) make-print-version.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/roken/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libroken.la: $(libroken_la_OBJECTS) $(libroken_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libroken_la_LDFLAGS) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS)
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES)
+	@rm -f parse_bytes-test$(EXEEXT)
+	$(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
+
+strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES)
+	@rm -f strpftime-test$(EXEEXT)
+	$(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
+
+getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES)
+	@rm -f getaddrinfo-test$(EXEEXT)
+	$(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS)
+
+make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES)
+	@rm -f make-roken$(EXEEXT)
+	$(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS)
+
+make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES)
+	@rm -f make-print-version$(EXEEXT)
+	$(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/roken
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+check-TESTS: $(TESTS)
+	@failed=0; all=0; \
+	srcdir=$(srcdir); export srcdir; \
+	for tst in $(TESTS); do \
+	  if test -f $$tst; then dir=.; \
+	  else dir="$(srcdir)"; fi; \
+	  if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \
+	    all=`expr $$all + 1`; \
+	    echo "PASS: $$tst"; \
+	  elif test $$? -ne 77; then \
+	    all=`expr $$all + 1`; \
+	    failed=`expr $$failed + 1`; \
+	    echo "FAIL: $$tst"; \
+	  fi; \
+	done; \
+	if test "$$failed" -eq 0; then \
+	  banner="All $$all tests passed"; \
+	else \
+	  banner="$$failed of $$all tests failed"; \
+	fi; \
+	dashes=`echo "$$banner" | sed s/./=/g`; \
+	echo "$$dashes"; \
+	echo "$$banner"; \
+	echo "$$dashes"; \
+	test "$$failed" -eq 0
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-checkPROGRAMS \
+		mostlyclean-noinstPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-checkPROGRAMS clean-noinstPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-checkPROGRAMS \
+		distclean-noinstPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-checkPROGRAMS \
+distclean-checkPROGRAMS clean-checkPROGRAMS \
+maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir check-TESTS info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h
+
+roken.h: make-roken$(EXEEXT)
+	@./make-roken$(EXEEXT) > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/kerberosIV/lib/kdb/base64.c b/crypto/heimdal/lib/roken/base64.c
index d7e89c4..daed869 100644
--- a/crypto/kerberosIV/lib/kdb/base64.c
+++ b/crypto/heimdal/lib/roken/base64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -38,113 +33,114 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: base64.c,v 1.7 1997/04/01 08:18:16 joda Exp $");
+RCSID("$Id: base64.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
 #endif
-
 #include <stdlib.h>
-#include <ctype.h>
 #include <string.h>
 #include "base64.h"
 
 static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
-static int POS(char c)
+static int pos(char c)
 {
-  if(c == '=') return 64;
-  if(isupper(c))
-    return c - 'A';
-  if(islower(c))
-    return c - 'a' + 26;
-  if(isdigit(c))
-    return c - '0' + 52;
-  if(c == '+')
-    return 62;
-  if(c == '/')
-    return 63;
+  char *p;
+  for(p = base64; *p; p++)
+    if(*p == c)
+      return p - base64;
   return -1;
 }
 
-char *base64_encode(const void *buf, int size)
+int base64_encode(const void *data, int size, char **str)
 {
-  char *str = (char*)malloc((size+3)*4/3+1);
-  char *p=str;
-  unsigned char *q = (unsigned char*)buf;
+  char *s, *p;
   int i;
   int c;
+  const unsigned char *q;
+
+  p = s = (char*)malloc(size*4/3+4);
+  if (p == NULL)
+      return -1;
+  q = (const unsigned char*)data;
   i=0;
-  while(i<size){
+  for(i = 0; i < size;){
     c=q[i++];
     c*=256;
-    if(i<size)
+    if(i < size)
       c+=q[i];
     i++;
     c*=256;
-    if(i<size)
+    if(i < size)
       c+=q[i];
     i++;
     p[0]=base64[(c&0x00fc0000) >> 18];
     p[1]=base64[(c&0x0003f000) >> 12];
     p[2]=base64[(c&0x00000fc0) >> 6];
     p[3]=base64[(c&0x0000003f) >> 0];
-    if(i>size)
+    if(i > size)
       p[3]='=';
-    if(i>size+1)
+    if(i > size+1)
       p[2]='=';
     p+=4;
   }
   *p=0;
-  return str;
+  *str = s;
+  return strlen(s);
 }
 
-/* convert string in s to binary data. s should be a multiple of 4
- * bytes long. data should be at least len(s) * 3 / 4 bytes long.
- * returns 
- */
-int base64_decode(char *s, void *data)
+int base64_decode(const char *str, void *data)
 {
-  char *p;
+  const char *p;
   unsigned char *q;
-  int n[4];
-
-  if(strlen(s) % 4)
-    return -1;
+  int c;
+  int x;
+  int done = 0;
   q=(unsigned char*)data;
-  for(p=s; *p; p+=4){
-    n[0] = POS(p[0]);
-    n[1] = POS(p[1]);
-    n[2] = POS(p[2]);
-    n[3] = POS(p[3]);
-    if((n[0] | n[1] | n[2] | n[3]) < 0)
-      return -1;
-
-    if(n[0] == 64 || n[1] == 64)
-      return -1;
-    if(n[2] == 64 && n[3] < 64)
+  for(p=str; *p && !done; p+=4){
+    x = pos(p[0]);
+    if(x >= 0)
+      c = x;
+    else{
+      done = 3;
+      break;
+    }
+    c*=64;
+    
+    x = pos(p[1]);
+    if(x >= 0)
+      c += x;
+    else
       return -1;
-    q[0] = (n[0] << 2) + (n[1] >> 4);
-    if(n[2] < 64){
-      q[1] = ((n[1] & 15) << 4) + (n[2] >> 2);
+    c*=64;
+    
+    if(p[2] == '=')
+      done++;
+    else{
+      x = pos(p[2]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
     }
-    if(n[3] < 64){
-      q[2] = ((n[2] & 3) << 6) + n[3];
+    c*=64;
+    
+    if(p[3] == '=')
+      done++;
+    else{
+      if(done)
+	return -1;
+      x = pos(p[3]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
     }
-    q+=3;
+    if(done < 3)
+      *q++=(c&0x00ff0000)>>16;
+      
+    if(done < 2)
+      *q++=(c&0x0000ff00)>>8;
+    if(done < 1)
+      *q++=(c&0x000000ff)>>0;
   }
-  q -= (n[2] == 64) + (n[3] == 64);
   return q - (unsigned char*)data;
 }
-
-#ifdef TEST
-int main(int argc, char **argv)
-{
-  char str[128];
-  char buf[128];
-  char *p;
-  printf("base64_encode(\"%s\") = \"%s\"\n", argv[1], 
-	 p=base64_encode(argv[1], strlen(argv[1])));
-  printf("base64_decode(\"%s\") = %d", p, base64_decode(p, buf));
-  printf(" (\"%s\")\n", buf);
-  printf("base64_decode(\"%s\") = %d", argv[1], base64_decode(argv[1], buf));
-  printf(" (\"%s\")\n", buf);
-}
-#endif
diff --git a/crypto/kerberosIV/lib/kdb/base64.h b/crypto/heimdal/lib/roken/base64.h
index edfb344..5ad1e3b 100644
--- a/crypto/kerberosIV/lib/kdb/base64.h
+++ b/crypto/heimdal/lib/roken/base64.h
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,12 +31,12 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: base64.h,v 1.5 1997/04/01 08:18:16 joda Exp $ */
+/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
 
 #ifndef _BASE64_H_
 #define _BASE64_H_
 
-char *base64_encode(const void *buf, int size);
-int base64_decode(char *s, void *data);
+int base64_encode(const void *data, int size, char **str);
+int base64_decode(const char *str, void *data);
 
 #endif
diff --git a/crypto/heimdal/lib/roken/chown.c b/crypto/heimdal/lib/roken/chown.c
new file mode 100644
index 0000000..f3d34e3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/chown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: chown.c,v 1.3 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+chown(const char *path, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/krb/k_concat.c b/crypto/heimdal/lib/roken/concat.c
index e7daa5f..ca295c0 100644
--- a/crypto/kerberosIV/lib/krb/k_concat.c
+++ b/crypto/heimdal/lib/roken/concat.c
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,24 +31,26 @@
  * SUCH DAMAGE.
  */
 
-#include "krb_locl.h"
-
-RCSID("$Id: k_concat.c,v 1.5 1997/05/02 08:56:39 joda Exp $");
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: concat.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+#include "roken.h"
 
 int
-k_concat (char *s, size_t len, ...)
+roken_concat (char *s, size_t len, ...)
 {
     int ret;
     va_list args;
 
     va_start(args, len);
-    ret = k_vconcat (s, len, args);
+    ret = roken_vconcat (s, len, args);
     va_end(args);
     return ret;
 }
 
 int
-k_vconcat (char *s, size_t len, va_list args)
+roken_vconcat (char *s, size_t len, va_list args)
 {
     const char *a;
 
@@ -62,7 +59,7 @@ k_vconcat (char *s, size_t len, va_list args)
 
 	if (n >= len)
 	    return -1;
-	strncpy (s, a, n);
+	memcpy (s, a, n);
 	s += n;
 	len -= n;
     }
@@ -71,7 +68,7 @@ k_vconcat (char *s, size_t len, va_list args)
 }
 
 size_t
-k_vmconcat (char **s, size_t max_len, va_list args)
+roken_vmconcat (char **s, size_t max_len, va_list args)
 {
     const char *a;
     char *p, *q;
@@ -80,7 +77,6 @@ k_vmconcat (char **s, size_t max_len, va_list args)
     p = malloc(1);
     if(p == NULL)
 	return 0;
-    *p = 0;
     len = 1;
     while ((a = va_arg(args, const char*))) {
 	size_t n = strlen (a);
@@ -95,22 +91,22 @@ k_vmconcat (char **s, size_t max_len, va_list args)
 	    return 0;
 	}
 	p = q;
+	memcpy (p + len - 1, a, n);
 	len += n;
-	strcat(p, a);
     }
+    p[len - 1] = '\0';
     *s = p;
     return len;
 }
 
 size_t
-k_mconcat (char **s, size_t max_len, ...)
+roken_mconcat (char **s, size_t max_len, ...)
 {
     int ret;
     va_list args;
 
     va_start(args, max_len);
-    ret = k_vmconcat (s, max_len, args);
+    ret = roken_vmconcat (s, max_len, args);
     va_end(args);
     return ret;
 }
-
diff --git a/crypto/heimdal/lib/roken/copyhostent.c b/crypto/heimdal/lib/roken/copyhostent.c
new file mode 100644
index 0000000..a3be6db
--- /dev/null
+++ b/crypto/heimdal/lib/roken/copyhostent.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * return a malloced copy of `h'
+ */
+
+struct hostent *
+copyhostent (const struct hostent *h)
+{
+    struct hostent *res;
+    char **p;
+    int i, n;
+
+    res = malloc (sizeof (*res));
+    if (res == NULL)
+	return NULL;
+    res->h_name      = NULL;
+    res->h_aliases   = NULL;
+    res->h_addrtype  = h->h_addrtype;
+    res->h_length    = h->h_length;
+    res->h_addr_list = NULL;
+    res->h_name = strdup (h->h_name);
+    if (res->h_name == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (n = 0, p = h->h_aliases; *p != NULL; ++p)
+	++n;
+    res->h_aliases = malloc ((n + 1) * sizeof(*res->h_aliases));
+    if (res->h_aliases == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i)
+	res->h_aliases[i] = NULL;
+    for (i = 0; i < n; ++i) {
+	res->h_aliases[i] = strdup (h->h_aliases[i]);
+	if (res->h_aliases[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+    }
+
+    for (n = 0, p = h->h_addr_list; *p != NULL; ++p)
+	++n;
+    res->h_addr_list = malloc ((n + 1) * sizeof(*res->h_addr_list));
+    if (res->h_addr_list == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i) {
+	res->h_addr_list[i] = NULL;
+    }
+    for (i = 0; i < n; ++i) {
+	res->h_addr_list[i] = malloc (h->h_length);
+	if (res->h_addr_list[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+	memcpy (res->h_addr_list[i], h->h_addr_list[i], h->h_length);
+    }
+    return res;
+}
+
diff --git a/crypto/heimdal/lib/roken/daemon.c b/crypto/heimdal/lib/roken/daemon.c
new file mode 100644
index 0000000..758856c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/daemon.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)daemon.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
+
+#ifndef HAVE_DAEMON
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+daemon(int nochdir, int noclose)
+{
+    int fd;
+
+    switch (fork()) {
+    case -1:
+	return (-1);
+    case 0:
+	break;
+    default:
+	_exit(0);
+    }
+
+    if (setsid() == -1)
+	return (-1);
+
+    if (!nochdir)
+	chdir("/");
+
+    if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+	dup2(fd, STDIN_FILENO);
+	dup2(fd, STDOUT_FILENO);
+	dup2(fd, STDERR_FILENO);
+	if (fd > 2)
+	    close (fd);
+    }
+    return (0);
+}
+
+#endif /* HAVE_DAEMON */
diff --git a/crypto/heimdal/lib/roken/emalloc.c b/crypto/heimdal/lib/roken/emalloc.c
new file mode 100644
index 0000000..bbea1e0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/emalloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: emalloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like malloc but never fails.
+ */
+
+void *
+emalloc (size_t sz)
+{
+    void *tmp = malloc (sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "malloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/eread.c b/crypto/heimdal/lib/roken/eread.c
new file mode 100644
index 0000000..9a1b24b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/eread.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: eread.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never fails (and never returns partial data).
+ */
+
+ssize_t
+eread (int fd, void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_read (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "read");
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/erealloc.c b/crypto/heimdal/lib/roken/erealloc.c
new file mode 100644
index 0000000..8afa8f3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/erealloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: erealloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like realloc but never fails.
+ */
+
+void *
+erealloc (void *ptr, size_t sz)
+{
+    void *tmp = realloc (ptr, sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "realloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/err.c b/crypto/heimdal/lib/roken/err.c
new file mode 100644
index 0000000..29b1f7b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: err.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+err(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verr(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/err.h b/crypto/heimdal/lib/roken/err.h
new file mode 100644
index 0000000..b0b649f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: err.h,v 1.15 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef __ERR_H__
+#define __ERR_H__
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+extern const char *__progname;
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+void warnerr(int doerrno, const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 2, 0)));
+
+void verr(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void err(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void verrx(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void errx(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void vwarn(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warn(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+void vwarnx(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warnx(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+
+#endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/errx.c b/crypto/heimdal/lib/roken/errx.c
new file mode 100644
index 0000000..2f8ec18
--- /dev/null
+++ b/crypto/heimdal/lib/roken/errx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: errx.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+errx(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verrx(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/estrdup.c b/crypto/heimdal/lib/roken/estrdup.c
new file mode 100644
index 0000000..8c0d9a7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/estrdup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: estrdup.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like strdup but never fails.
+ */
+
+char *
+estrdup (const char *str)
+{
+    char *tmp = strdup (str);
+
+    if (tmp == NULL)
+	err (1, "strdup");
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/ewrite.c b/crypto/heimdal/lib/roken/ewrite.c
new file mode 100644
index 0000000..b2c43de
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ewrite.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ewrite.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never fails (and never returns partial data).
+ */
+
+ssize_t
+ewrite (int fd, const void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_write (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "write");
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/fchown.c b/crypto/heimdal/lib/roken/fchown.c
new file mode 100644
index 0000000..61e8546
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fchown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: fchown.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+fchown(int fd, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/krb/k_flock.c b/crypto/heimdal/lib/roken/flock.c
index 844c34c..13da4f4 100644
--- a/crypto/kerberosIV/lib/krb/k_flock.c
+++ b/crypto/heimdal/lib/roken/flock.c
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,28 +31,22 @@
  * SUCH DAMAGE.
  */
 
-#include "krb_locl.h"
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef HAVE_FLOCK
+RCSID("$Id: flock.c,v 1.4 1999/12/02 16:58:46 joda Exp $");
+
+#include "roken.h"
 
-RCSID("$Id: k_flock.c,v 1.8 1997/04/01 08:18:30 joda Exp $");
 
-#define K_OP_MASK (K_LOCK_SH | K_LOCK_EX | K_LOCK_UN)
+#define OP_MASK (LOCK_SH | LOCK_EX | LOCK_UN)
 
 int
-k_flock(int fd, int operation)
+flock(int fd, int operation)
 {
-#ifdef HAVE_FLOCK
-  int op = 0;
-  if (operation & K_LOCK_SH)
-    op |= LOCK_SH;
-  if (operation & K_LOCK_EX)
-    op |= LOCK_EX;
-  if (operation & K_LOCK_UN)
-    op |= LOCK_UN;
-  if (operation & K_LOCK_NB)
-    op |= LOCK_NB;
-
-  return flock(fd, op);
-#elif defined(HAVE_FCNTL) && defined(F_SETLK)
+#if defined(HAVE_FCNTL) && defined(F_SETLK)
   struct flock arg;
   int code, cmd;
   
@@ -65,21 +54,21 @@ k_flock(int fd, int operation)
   arg.l_start = 0;
   arg.l_len = 0;		/* means to EOF */
 
-  if (operation & K_LOCK_NB)
+  if (operation & LOCK_NB)
     cmd = F_SETLK;
   else
     cmd = F_SETLKW;		/* Blocking */
 
-  switch (operation & K_OP_MASK) {
-  case K_LOCK_UN:
+  switch (operation & OP_MASK) {
+  case LOCK_UN:
     arg.l_type = F_UNLCK;
     code = fcntl(fd, F_SETLK, &arg);
     break;
-  case K_LOCK_SH:
+  case LOCK_SH:
     arg.l_type = F_RDLCK;
     code = fcntl(fd, cmd, &arg);
     break;
-  case K_LOCK_EX:
+  case LOCK_EX:
     arg.l_type = F_WRLCK;
     code = fcntl(fd, cmd, &arg);
     break;
@@ -91,5 +80,8 @@ k_flock(int fd, int operation)
   return code;
 #else
   return -1;
-#endif /* !HAVE_FLOCK */
+#endif
 }
+
+#endif
+
diff --git a/crypto/heimdal/lib/roken/fnmatch.c b/crypto/heimdal/lib/roken/fnmatch.c
new file mode 100644
index 0000000..dc01d6e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.c
@@ -0,0 +1,173 @@
+/*	$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $	*/
+
+/*
+ * Copyright (c) 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char sccsid[] = "@(#)fnmatch.c	8.2 (Berkeley) 4/16/94";
+#else
+static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $";
+#endif
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6.
+ * Compares a filename or pathname to a pattern.
+ */
+
+#include <fnmatch.h>
+#include <string.h>
+
+#define	EOS	'\0'
+
+static const char *rangematch (const char *, int, int);
+
+int
+fnmatch(const char *pattern, const char *string, int flags)
+{
+	const char *stringstart;
+	char c, test;
+
+	for (stringstart = string;;)
+		switch (c = *pattern++) {
+		case EOS:
+			return (*string == EOS ? 0 : FNM_NOMATCH);
+		case '?':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && (flags & FNM_PATHNAME))
+				return (FNM_NOMATCH);
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '*':
+			c = *pattern;
+			/* Collapse multiple stars. */
+			while (c == '*')
+				c = *++pattern;
+
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+
+			/* Optimize for pattern with * at end or before /. */
+			if (c == EOS)
+				if (flags & FNM_PATHNAME)
+					return (strchr(string, '/') == NULL ?
+					    0 : FNM_NOMATCH);
+				else
+					return (0);
+			else if (c == '/' && flags & FNM_PATHNAME) {
+				if ((string = strchr(string, '/')) == NULL)
+					return (FNM_NOMATCH);
+				break;
+			}
+
+			/* General case, use recursion. */
+			while ((test = *string) != EOS) {
+				if (!fnmatch(pattern, string, flags & ~FNM_PERIOD))
+					return (0);
+				if (test == '/' && flags & FNM_PATHNAME)
+					break;
+				++string;
+			}
+			return (FNM_NOMATCH);
+		case '[':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && flags & FNM_PATHNAME)
+				return (FNM_NOMATCH);
+			if ((pattern =
+			    rangematch(pattern, *string, flags)) == NULL)
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '\\':
+			if (!(flags & FNM_NOESCAPE)) {
+				if ((c = *pattern++) == EOS) {
+					c = '\\';
+					--pattern;
+				}
+			}
+			/* FALLTHROUGH */
+		default:
+			if (c != *string++)
+				return (FNM_NOMATCH);
+			break;
+		}
+	/* NOTREACHED */
+}
+
+static const char *
+rangematch(const char *pattern, int test, int flags)
+{
+	int negate, ok;
+	char c, c2;
+
+	/*
+	 * A bracket expression starting with an unquoted circumflex
+	 * character produces unspecified results (IEEE 1003.2-1992,
+	 * 3.13.2).  This implementation treats it like '!', for
+	 * consistency with the regular expression syntax.
+	 * J.T. Conklin (conklin@ngai.kaleida.com)
+	 */
+	if (negate = (*pattern == '!' || *pattern == '^'))
+		++pattern;
+	
+	for (ok = 0; (c = *pattern++) != ']';) {
+		if (c == '\\' && !(flags & FNM_NOESCAPE))
+			c = *pattern++;
+		if (c == EOS)
+			return (NULL);
+		if (*pattern == '-' 
+		    && (c2 = *(pattern+1)) != EOS && c2 != ']') {
+			pattern += 2;
+			if (c2 == '\\' && !(flags & FNM_NOESCAPE))
+				c2 = *pattern++;
+			if (c2 == EOS)
+				return (NULL);
+			if (c <= test && test <= c2)
+				ok = 1;
+		} else if (c == test)
+			ok = 1;
+	}
+	return (ok == negate ? NULL : pattern);
+}
diff --git a/crypto/heimdal/lib/roken/fnmatch.h b/crypto/heimdal/lib/roken/fnmatch.h
new file mode 100644
index 0000000..95c91d6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.h
@@ -0,0 +1,49 @@
+/*	$NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fnmatch.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef	_FNMATCH_H_
+#define	_FNMATCH_H_
+
+#define	FNM_NOMATCH	1	/* Match failed. */
+
+#define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
+#define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
+#define	FNM_PERIOD	0x04	/* Period must be matched by period. */
+
+int	 fnmatch (const char *, const char *, int);
+
+#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/freeaddrinfo.c b/crypto/heimdal/lib/roken/freeaddrinfo.c
new file mode 100644
index 0000000..f963d15
--- /dev/null
+++ b/crypto/heimdal/lib/roken/freeaddrinfo.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: freeaddrinfo.c,v 1.2 1999/12/03 04:10:06 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * free the list of `struct addrinfo' starting at `ai'
+ */
+
+void
+freeaddrinfo(struct addrinfo *ai)
+{
+    for (; ai != NULL; ai = ai->ai_next) {
+	free (ai->ai_canonname);
+	free (ai->ai_addr);
+    }
+}
diff --git a/crypto/heimdal/lib/roken/freehostent.c b/crypto/heimdal/lib/roken/freehostent.c
new file mode 100644
index 0000000..0cd92cd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/freehostent.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * free a malloced hostent
+ */
+
+void
+freehostent (struct hostent *h)
+{
+    char **p;
+
+    free (h->h_name);
+    if (h->h_aliases != NULL) {
+	for (p = h->h_aliases; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_aliases);
+    }
+    if (h->h_addr_list != NULL) {
+	for (p = h->h_addr_list; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_addr_list);
+    }
+    free (h);
+}
diff --git a/crypto/heimdal/lib/roken/gai_strerror.c b/crypto/heimdal/lib/roken/gai_strerror.c
new file mode 100644
index 0000000..07f7c39
--- /dev/null
+++ b/crypto/heimdal/lib/roken/gai_strerror.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: gai_strerror.c,v 1.2 1999/12/03 04:10:06 assar Exp $");
+#endif
+
+#include "roken.h"
+
+static struct gai_error {
+    int code;
+    char *str;
+} errors[] = {
+{EAI_NOERROR,		"no error"},
+{EAI_ADDRFAMILY,	"address family for nodename not supported"},
+{EAI_AGAIN,		"temporary failure in name resolution"},
+{EAI_BADFLAGS,		"invalid value for ai_flags"},
+{EAI_FAIL,		"non-recoverable failure in name resolution"},
+{EAI_FAMILY,		"ai_family not supported"},
+{EAI_MEMORY,		"memory allocation failure"},
+{EAI_NODATA,		"no address associated with nodename"},
+{EAI_NONAME,		"nodename nor servname provided, or not known"},
+{EAI_SERVICE,		"servname not supported for ai_socktype"},
+{EAI_SOCKTYPE,		"ai_socktype not supported"},
+{EAI_SYSTEM,		"system error returned in errno"},
+{0,			NULL},
+};
+
+/*
+ *
+ */
+
+char *
+gai_strerror(int ecode)
+{
+    struct gai_error *g;
+
+    for (g = errors; g->str != NULL; ++g)
+	if (g->code == ecode)
+	    return g->str;
+    return "unknown error code in gai_strerror";
+}
diff --git a/crypto/heimdal/lib/roken/get_default_username.c b/crypto/heimdal/lib/roken/get_default_username.c
new file mode 100644
index 0000000..10b0863
--- /dev/null
+++ b/crypto/heimdal/lib/roken/get_default_username.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+
+/*
+ * Try to return what should be considered the default username or
+ * NULL if we can't guess at all.
+ */
+
+const char *
+get_default_username (void)
+{
+    const char *user;
+
+    user = getenv ("USER");
+    if (user == NULL)
+	user = getenv ("LOGNAME");
+    if (user == NULL)
+	user = getenv ("USERNAME");
+
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+    if (user == NULL) {
+	user = (const char *)getlogin ();
+	if (user != NULL)
+	    return user;
+    }
+#endif
+#ifdef HAVE_PWD_H
+    {
+	uid_t uid = getuid ();
+	struct passwd *pwd;
+
+	if (user != NULL) {
+	    pwd = k_getpwnam (user);
+	    if (pwd != NULL && pwd->pw_uid == uid)
+		return user;
+	}
+	pwd = k_getpwuid (uid);
+	if (pwd != NULL)
+	    return pwd->pw_name;
+    }
+#endif
+    return user;
+}
diff --git a/crypto/heimdal/lib/roken/get_window_size.c b/crypto/heimdal/lib/roken/get_window_size.c
new file mode 100644
index 0000000..4eff8d2
--- /dev/null
+++ b/crypto/heimdal/lib/roken/get_window_size.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#if 0 /* Where were those needed? /confused */
+#ifdef HAVE_SYS_PROC_H
+#include <sys/proc.h>
+#endif
+
+#ifdef HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#include <roken.h>
+
+int
+get_window_size(int fd, struct winsize *wp)
+{
+    int ret = -1;
+    
+    memset(wp, 0, sizeof(*wp));
+
+#if defined(TIOCGWINSZ)
+    ret = ioctl(fd, TIOCGWINSZ, wp);
+#elif defined(TIOCGSIZE)
+    {
+	struct ttysize ts;
+	
+	ret = ioctl(fd, TIOCGSIZE, &ts);
+	if(ret == 0) {
+	    wp->ws_row = ts.ts_lines;
+	    wp->ws_col = ts.ts_cols;
+	}
+    }
+#elif defined(HAVE__SCRSIZE)
+    {
+	int dst[2];
+	
+	_scrsize(dst);
+	wp->ws_row = dst[1];
+	wp->ws_col = dst[0];
+	ret = 0;
+    }
+#endif
+    if (ret != 0) {
+        char *s;
+        if((s = getenv("COLUMNS")))
+	    wp->ws_col = atoi(s);
+	if((s = getenv("LINES")))
+	    wp->ws_row = atoi(s);
+	if(wp->ws_col > 0 && wp->ws_row > 0)
+	    ret = 0;
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo-test.c b/crypto/heimdal/lib/roken/getaddrinfo-test.c
new file mode 100644
index 0000000..ede9c95
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo-test.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo-test.c,v 1.2 1999/12/03 04:10:07 assar Exp $");
+#endif
+
+#include "roken.h"
+#include "getarg.h"
+
+static int flags;
+static int family;
+static int socktype;
+
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    {"flags",	0,	arg_integer,	&flags,		"flags",	NULL},
+    {"family",	0,	arg_integer,	&family,	"family",	NULL},
+    {"socktype",0,	arg_integer,	&socktype,	"socktype",	NULL},
+    {"version",	0,	arg_flag,	&version_flag,	"print version",NULL},
+    {"help",	0,	arg_flag,	&help_flag,	NULL,		NULL}
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "[nodename servname...]");
+    exit (ret);
+}
+
+static void
+doit (const char *nodename, const char *servname)
+{
+    struct addrinfo hints;
+    struct addrinfo *res, *r;
+    int ret;
+
+    printf ("(%s,%s)... ", nodename ? nodename : "null", servname);
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = flags;
+    hints.ai_family   = family;
+    hints.ai_socktype = socktype;
+
+    ret = getaddrinfo (nodename, servname, &hints, &res);
+    if (ret) {
+	printf ("error: %s\n", gai_strerror(ret));
+	return;
+    }
+    printf ("\n");
+
+    for (r = res; r != NULL; r = r->ai_next) {
+	char addrstr[256];
+
+	if (inet_ntop (r->ai_family, 
+		       socket_get_address (r->ai_addr),
+		       addrstr, sizeof(addrstr)) == NULL) {
+	    printf ("\tbad address?\n");
+	    continue;
+	} 
+	printf ("\t(family = %d, socktype = %d, protocol = %d, "
+		"address = \"%s\", port = %d",
+		r->ai_family, r->ai_socktype, r->ai_protocol,
+		addrstr,
+		ntohs(socket_get_port (r->ai_addr)));
+	if (r->ai_canonname)
+	    printf (", canonname = \"%s\"", r->ai_canonname);
+	printf ("\n");
+    }
+    freeaddrinfo (res);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int i;
+
+    set_progname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc % 2 != 0)
+	usage (1);
+
+    for (i = 0; i < argc; i += 2) {
+	const char *nodename = argv[i];
+
+	if (strcmp (nodename, "null") == 0)
+	    nodename = NULL;
+
+	doit (nodename, argv[i+1]);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo.c b/crypto/heimdal/lib/roken/getaddrinfo.c
new file mode 100644
index 0000000..db18742
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo.c
@@ -0,0 +1,400 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo.c,v 1.6 1999/12/20 00:56:44 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * uses hints->ai_socktype and hints->ai_protocol
+ */
+
+static int
+get_port_protocol_socktype (const char *servname,
+			    const struct addrinfo *hints,
+			    int *port,
+			    int *protocol,
+			    int *socktype)
+{
+    struct servent *se;
+    const char *proto_str = NULL;
+
+    *socktype = 0;
+
+    if (hints != NULL && hints->ai_protocol != 0) {
+	struct protoent *protoent = getprotobynumber (hints->ai_protocol);
+
+	if (protoent == NULL)
+	    return EAI_SOCKTYPE; /* XXX */
+
+	proto_str = protoent->p_name;
+	*protocol = protoent->p_proto;
+    }
+
+    if (hints != NULL)
+	*socktype = hints->ai_socktype;
+
+    if (*socktype == SOCK_STREAM) {
+	se = getservbyname (servname, proto_str ? proto_str : "tcp");
+	if (proto_str == NULL)
+	    *protocol = IPPROTO_TCP;
+    } else if (*socktype == SOCK_DGRAM) {
+	se = getservbyname (servname, proto_str ? proto_str : "udp");
+	if (proto_str == NULL)
+	    *protocol = IPPROTO_UDP;
+    } else if (*socktype == 0) {
+	if (proto_str != NULL) {
+	    se = getservbyname (servname, proto_str);
+	} else {
+	    se = getservbyname (servname, "tcp");
+	    *protocol = IPPROTO_TCP;
+	    *socktype = SOCK_STREAM;
+	    if (se == NULL) {
+		se = getservbyname (servname, "udp");
+		*protocol = IPPROTO_UDP;
+		*socktype = SOCK_DGRAM;
+	    }
+	}
+    } else
+	return EAI_SOCKTYPE;
+
+    if (se == NULL) {
+	char *endstr;
+
+	*port = htons(strtol (servname, &endstr, 10));
+	if (servname == endstr)
+	    return EAI_NONAME;
+    } else {
+	*port = se->s_port;
+    }
+    return 0;
+}
+
+static int
+add_one (int port, int protocol, int socktype,
+	 struct addrinfo ***ptr,
+	 int (*func)(struct addrinfo *, void *data, int port),
+	 void *data,
+	 char *canonname)
+{
+    struct addrinfo *a;
+    int ret;
+
+    a = malloc (sizeof (*a));
+    if (a == NULL)
+	return EAI_MEMORY;
+    memset (a, 0, sizeof(*a));
+    a->ai_flags     = 0;
+    a->ai_next      = NULL;
+    a->ai_protocol  = protocol;
+    a->ai_socktype  = socktype;
+    a->ai_canonname = canonname;
+    ret = (*func)(a, data, port);
+    if (ret) {
+	free (a);
+	return ret;
+    }
+    **ptr = a;
+    *ptr = &a->ai_next;
+    return 0;
+}
+
+static int
+const_v4 (struct addrinfo *a, void *data, int port)
+{
+    struct sockaddr_in *sin;
+    struct in_addr *addr = (struct in_addr *)data;
+
+    a->ai_family  = PF_INET;
+    a->ai_addrlen = sizeof(*sin);
+    a->ai_addr    = malloc (sizeof(*sin));
+    if (a->ai_addr == NULL)
+	return EAI_MEMORY;
+    sin = (struct sockaddr_in *)a->ai_addr;
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr   = *addr;
+    return 0;
+}
+
+#ifdef HAVE_IPV6
+static int
+const_v6 (struct addrinfo *a, void *data, int port)
+{
+    struct sockaddr_in6 *sin6;
+    struct in6_addr *addr = (struct in6_addr *)data;
+
+    a->ai_family  = PF_INET6;
+    a->ai_addrlen = sizeof(*sin6);
+    a->ai_addr    = malloc (sizeof(*sin6));
+    if (a->ai_addr == NULL)
+	return EAI_MEMORY;
+    sin6 = (struct sockaddr_in6 *)a->ai_addr;
+    memset (sin6, 0, sizeof(*sin6));
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = *addr;
+    return 0;
+}
+#endif
+
+static int
+get_null (const struct addrinfo *hints,
+	  int port, int protocol, int socktype,
+	  struct addrinfo **res)
+{
+    struct in_addr v4_addr;
+#ifdef HAVE_IPV6
+    struct in6_addr v6_addr;
+#endif
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int ret;
+
+    if (hints != NULL)
+	family = hints->ai_family;
+
+    if (hints && hints->ai_flags & AI_PASSIVE) {
+	v4_addr.s_addr = INADDR_ANY;
+#ifdef HAVE_IPV6
+	v6_addr        = in6addr_any;
+#endif
+    } else {
+	v4_addr.s_addr = htonl(INADDR_LOOPBACK);
+#ifdef HAVE_IPV6
+	v6_addr        = in6addr_loopback;
+#endif
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	ret = add_one (port, protocol, socktype,
+		       &current, const_v6, &v6_addr, NULL);
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	ret = add_one (port, protocol, socktype,
+		       &current, const_v4, &v4_addr, NULL);
+    }
+    *res = first;
+    return 0;
+}
+
+static int
+add_hostent (int port, int protocol, int socktype,
+	     struct addrinfo ***current,
+	     int (*func)(struct addrinfo *, void *data, int port),
+	     struct hostent *he, int *flags)
+{
+    char **h;
+    int ret;
+    char *canonname = NULL;
+
+    if (*flags & AI_CANONNAME) {
+	canonname = he->h_name;
+
+	if (strchr (he->h_name, '.') == NULL)
+	    for (h = he->h_aliases; *h; ++h) {
+		if (strchr (*h, '.') != NULL) {
+		    canonname = *h;
+		    break;
+		}
+	    }
+	canonname = strdup (canonname);
+	if (canonname == NULL)
+	    return EAI_MEMORY;
+    }
+
+    for (h = he->h_addr_list; *h != NULL; ++h) {
+	ret = add_one (port, protocol, socktype,
+		       current, func, *h, canonname);
+	if (ret)
+	    return ret;
+	if (*flags & AI_CANONNAME) {
+	    *flags &= ~AI_CANONNAME;
+	    canonname = NULL;
+	}
+    }
+    return 0;
+}
+
+static int
+get_number (const char *nodename,
+	    const struct addrinfo *hints,
+	    int port, int protocol, int socktype,
+	    struct addrinfo **res)
+{
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int ret;
+
+    if (hints != NULL) {
+	family = hints->ai_family;
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	struct in6_addr v6_addr;
+
+	if (inet_pton (PF_INET6, nodename, &v6_addr) == 1) {
+	    ret = add_one (port, protocol, socktype,
+			   &current, const_v6, &v6_addr, NULL);
+	    *res = first;
+	    return ret;
+	}
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	struct in_addr v4_addr;
+
+	if (inet_pton (PF_INET, nodename, &v4_addr) == 1) {
+	    ret = add_one (port, protocol, socktype,
+			   &current, const_v4, &v4_addr, NULL);
+	    *res = first;
+	    return ret;
+	}
+    }
+    return EAI_NONAME;
+}
+
+static int
+get_nodes (const char *nodename,
+	   const struct addrinfo *hints,
+	   int port, int protocol, int socktype,
+	   struct addrinfo **res)
+{
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int flags  = 0;
+    int ret = EAI_NONAME;
+    int error;
+
+    if (hints != NULL) {
+	family = hints->ai_family;
+	flags  = hints->ai_flags;
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	struct hostent *he;
+
+	he = getipnodebyname (nodename, PF_INET6, 0, &error);
+
+	if (he != NULL) {
+	    ret = add_hostent (port, protocol, socktype,
+			       &current, const_v6, he, &flags);
+	    freehostent (he);
+	}
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	struct hostent *he;
+
+	he = getipnodebyname (nodename, PF_INET, 0, &error);
+
+	if (he != NULL) {
+	    ret = add_hostent (port, protocol, socktype,
+			       &current, const_v4, he, &flags);
+	    freehostent (he);
+	}
+    }
+    *res = first;
+    return ret;
+}
+
+/*
+ * hints:
+ *
+ * struct addrinfo {
+ *     int    ai_flags;
+ *     int    ai_family;
+ *     int    ai_socktype;
+ *     int    ai_protocol;
+ * ...
+ * };
+ */
+
+int
+getaddrinfo(const char *nodename,
+	    const char *servname,
+	    const struct addrinfo *hints,
+	    struct addrinfo **res)
+{
+    int ret;
+    int port     = 0;
+    int protocol = 0;
+    int socktype = 0;
+
+    *res = NULL;
+
+    if (servname == NULL && nodename == NULL)
+	return EAI_NONAME;
+
+    if (hints != NULL
+	&& hints->ai_family != PF_UNSPEC
+	&& hints->ai_family != PF_INET
+#ifdef HAVE_IPV6
+	&& hints->ai_family != PF_INET6
+#endif
+	)
+	return EAI_FAMILY;
+
+    if (servname != NULL) {
+	ret = get_port_protocol_socktype (servname, hints,
+					  &port, &protocol, &socktype);
+	if (ret)
+	    return ret;
+    }
+    if (nodename != NULL) {
+	ret = get_number (nodename, hints, port, protocol, socktype, res);
+	if (ret) {
+	    if(hints && hints->ai_flags & AI_NUMERICHOST)
+		ret = EAI_NONAME;
+	    else
+		ret = get_nodes (nodename, hints, port, protocol, socktype,
+				 res);
+	}
+    } else {
+	ret = get_null (hints, port, protocol, socktype, res);
+    }
+    if (ret)
+	freeaddrinfo (*res);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
new file mode 100644
index 0000000..76e5d2b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo_hostspec.c,v 1.1 2000/02/07 13:38:22 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/* getaddrinfo via string specifying host and port */
+
+int
+roken_getaddrinfo_hostspec(const char *hostspec, 
+			   int port,
+			   struct addrinfo **ai)
+{
+    const char *p;
+    char portstr[NI_MAXSERV];
+    char host[MAXHOSTNAMELEN];
+    struct addrinfo hints;
+
+    struct hst {
+	const char *prefix;
+	int socktype;
+	int protocol;
+	int port;
+    } *hstp, hst[] = {
+	{ "http://", SOCK_STREAM, IPPROTO_TCP, 80 },
+	{ "http/", SOCK_STREAM, IPPROTO_TCP, 80 },
+	{ "tcp/", SOCK_STREAM, IPPROTO_TCP },
+	{ "udp/", SOCK_DGRAM, IPPROTO_UDP },
+	{ NULL }
+    };
+
+    memset(&hints, 0, sizeof(hints));
+	
+    for(hstp = hst; hstp->prefix; hstp++) {
+	if(strncmp(hostspec, hstp->prefix, strlen(hstp->prefix)) == 0) {
+	    hints.ai_socktype = hstp->socktype;
+	    hints.ai_protocol = hstp->protocol;
+	    if(port == 0)
+		port = hstp->port;
+	    hostspec += strlen(hstp->prefix);
+	    break;
+	}
+    }
+    
+    p = strchr (hostspec, ':');
+    if (p != NULL) {
+	char *end;
+
+	port = strtol (p + 1, &end, 0);
+    }
+    snprintf (portstr, sizeof(portstr), "%u", port);
+    
+    snprintf (host, sizeof(host), "%.*s", p - hostspec, hostspec);
+    return getaddrinfo (host, portstr, &hints, ai);
+}
diff --git a/crypto/heimdal/lib/roken/getarg.3 b/crypto/heimdal/lib/roken/getarg.3
new file mode 100644
index 0000000..78a8802
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.3
@@ -0,0 +1,317 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: getarg.3,v 1.2 1999/10/18 17:14:31 joda Exp $
+.Dd September 24, 1999
+.Dt GETARG 3
+.Os ROKEN
+.Sh NAME
+.Nm getarg , 
+.Nm arg_printusage
+.Nd collect command line options
+.Sh SYNOPSIS
+.Fd #include <getarg.h>
+
+.Ft int
+.Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind"
+
+.Ft void
+.Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string"
+
+.Sh DESCRIPTION
+.Fn getarg
+collects any command line options given to a program in an easily used way. 
+.Fn arg_printusage 
+pretty-prints the available options, with a short help text.
+.Pp
+.Fa args
+is the option specification to use, and it's an array of 
+.Fa struct getargs
+elements.
+.Fa num_args
+is the size of
+.Fa args
+(in elements).
+.Fa argc
+and
+.Fa argv
+are the argument count and argument vector to extract option from.
+.Fa optind
+is a pointer to an integer where the index to the last processed
+argument is stored, it must be initialised to the first index (minus
+one) to process (normally 0) before the first call.
+.Pp
+.Fa arg_printusage
+take the same
+.Fa args
+and
+.Fa num_args
+as getarg;
+.Fa progname is the name of the program (to be used in the help text), and 
+.Fa extra_string
+is a string to print after the actual options to indicate more
+arguments. The usefulness of this function is realised only be people
+who has used programs that has help strings that doesn't match what
+the code does.
+.Pp
+The
+.Fa getargs
+struct has the following elements.
+
+.Bd -literal
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+           arg_collect
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+.Ed
+.Pp
+.Fa long_name
+is the long name of the option, it can be 
+.Dv NULL ,
+if you don't want a long name.
+.Fa short_name 
+is the characted to use as short option, it can be zero. If the option
+has a value the
+.Fa value
+field gets filled in with that value interpreted as specified by the 
+.Fa type
+field.
+.Fa help
+is a longer help string for the option as a whole, if it's
+.Dv NULL
+the help text for the option is omitted (but it's still displayed in
+the synopsis).
+.Fa arg_help
+is a description of the argument, if
+.Dv NULL
+a default value will be used, depending on the type of the option:
+.Pp
+.Bl -hang -width arg_negative_flag
+.It arg_integer
+the argument is a signed integer, and
+.Fa value
+should point to an
+.Fa int .
+.It Fa arg_string
+the argument is a string, and
+.Fa value
+should point to a
+.Fa char* .
+.It Fa arg_flag
+the argument is a flag, and
+.Fa value
+should point to a
+.Fa int . 
+It gets filled in with either zero or one, depending on how the option
+is given, the normal case beeing one. Note that if the option isn't
+given, the value isn't altered, so it should be initialised to some
+useful default.
+.It Fa arg_negative_flag
+this is the same as 
+.Fa arg_flag
+but it reverses the meaning of the flag (a given short option clears
+the flag), and the synopsis of a long option is negated.
+.It Fa arg_strings
+the argument can be given multiple times, and the values are collected
+in an array;
+.Fa value
+should be a pointer to a 
+.Fa struct getarg_strings
+structure, which holds a length and a string pointer.
+.It Fa arg_double
+argument is a double precision floating point value, and
+.Fa value
+should point to a
+.Fa double .
+.It Fa arg_collect
+allows more fine-grained control of the option parsing process.
+.Fa value
+should be a pointer to a 
+.Fa getarg_collect_info
+structure:
+.Bd -literal
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+.Ed
+.Pp
+With the
+.Fa func
+member set to a function to call, and 
+.Fa data
+to some application specific data. The parameters to the collect function are:
+.Bl -inset
+.It Fa short_flag
+non-zero if this call is via a short option flag, zero otherwise
+.It Fa argc , argv
+the whole argument list
+.It Fa optind
+pointer to the index in argv where the flag is
+.It Fa optarg
+pointer to the index in argv[*optind] where the flag name starts
+.It Fa data
+application specific data
+.El
+.Pp
+You can modify
+.Fa *optind ,
+and 
+.Fa *optarg ,
+but to do this correct you (more or less) have to know about the inner
+workings of getarg.
+ 
+You can skip parts of arguments by increasing
+.Fa *optarg
+(you could
+implement the 
+.Fl z Ns Ar 3
+set of flags from
+.Nm gzip
+with this), or whole argument strings by increasing
+.Fa *optind
+(let's say you want a flag 
+.Fl c Ar x y z
+to specify a coordinate); if you also have to set
+.Fa *optarg
+to a sane value.
+.Pp
+The collect function should return one of 
+.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG
+on error, zero otherwise.
+.Pp
+For your convenience there is a function,
+.Fn getarg_optarg ,
+that returns the traditional argument string, and you pass it all
+arguments, sans data, that where given to the collection function.
+.Pp
+Don't use this more this unless you absolutely have to.
+.El
+.Pp
+Option parsing is similar to what 
+.Xr getopt
+uses. Short options without arguments can be compressed
+.Pf ( Fl xyz
+is the same as
+.Fl x y z ) ,
+and short
+options with arguments take these as either the rest of the
+argv-string or as the next option
+.Pf ( Fl o Ns Ar foo ,
+or
+.Fl o Ar foo ) .
+.Pp
+Long option names are prefixed with -- (double dash), and the value
+with a = (equal),
+.Fl -foo= Ns Ar bar .
+Long option flags can either be specified as they are 
+.Pf ( Fl -help ) ,
+or with an (boolean parsable) option
+.Pf ( Fl -help= Ns Ar yes ,
+.Fl -help= Ns Ar true ,
+or similar), or they can also be negated 
+.Pf ( Fl -no-help
+is the same as 
+.Fl -help= Ns no ) ,
+and if you're really confused you can do it multiple times
+.Pf ( Fl -no-no-help= Ns Ar false ,
+or even 
+.Fl -no-no-help= Ns Ar maybe ) .
+
+.Pp
+.Sh EXAMPLE
+.Bd -literal
+#include <stdio.h>
+#include <string.h>
+#include <getarg.h>
+
+char *source = "Ouagadougou";
+char *destination;
+int weight;
+int include_catalog = 1;
+int help_flag;
+
+struct getargs args[] = {
+    { "source",      's', arg_string,  &source, 
+      "source of shippment", "city" },
+    { "destination", 'd', arg_string,  &destination, 
+      "destination of shippment", "city" },
+    { "weight",      'w', arg_integer, &weight, 
+      "weight of shippment", "tons" },
+    { "catalog",     'c', arg_negative_flag, &include_catalog, 
+      "include product catalog" },
+    { "help",        'h', arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */
+
+const char *progname = "ship++";
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    if (getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (1);
+    }
+    if (help_flag) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (0);
+    }
+    if (destination == NULL) {
+	fprintf(stderr, "%s: must specify destination\n", progname);
+	exit(1);
+    }
+    if (strcmp(source, destination) == 0) {
+	fprintf(stderr, "%s: destination must be different from source\n");
+	exit(1);
+    }
+    /* include more stuff here ... */
+    exit(2);
+}
+.Ed
+.Pp
+The output help output from this program looks like this:
+.Bd -literal
+$ ship++ --help                                            
+Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
+   [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff...
+-s city, --source=city      source of shippment
+-d city, --destination=city destination of shippment
+-w tons, --weight=tons      weight of shippment
+-c, --no-catalog            include product catalog
+.Ed
+
+.Sh BUGS
+It should be more flexible, so it would be possible to use other more
+complicated option syntaxes, such as what
+.Xr ps 1 ,
+and 
+.Xr tar 1 ,
+uses, or the AFS model where you can skip the flag names as long as
+the options come in the correct order.
+.Pp
+Options with multiple arguments should be handled better.
+.Pp
+Should be integreated with SL.
+.Pp
+It's very confusing that the struct you pass in is called getargS.
+.Sh SEE ALSO
+.Xr getopt 3
diff --git a/crypto/heimdal/lib/roken/getarg.c b/crypto/heimdal/lib/roken/getarg.c
new file mode 100644
index 0000000..d9a03a5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getarg.c,v 1.34 2000/02/13 21:06:43 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <roken.h>
+#include "getarg.h"
+
+#define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
+
+static size_t
+print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg)
+{
+    const char *s;
+
+    *string = '\0';
+
+    if (ISFLAG(*arg) || (!longp && arg->type == arg_counter))
+	return 0;
+
+    if(mdoc){
+	if(longp)
+	    strlcat(string, "= Ns", len);
+	strlcat(string, " Ar ", len);
+    }else
+	if (longp)
+	    strlcat (string, "=", len);
+	else
+	    strlcat (string, " ", len);
+
+    if (arg->arg_help)
+	s = arg->arg_help;
+    else if (arg->type == arg_integer || arg->type == arg_counter)
+	s = "integer";
+    else if (arg->type == arg_string)
+	s = "string";
+    else if (arg->type == arg_double)
+	s = "float";
+    else
+	s = "<undefined>";
+
+    strlcat(string, s, len);
+    return 1 + strlen(s);
+}
+
+static void
+mandoc_template(struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    char timestr[64], cmd[64];
+    char buf[128];
+    const char *p;
+    time_t t;
+
+    printf(".\\\" Things to fix:\n");
+    printf(".\\\"   * correct section, and operating system\n");
+    printf(".\\\"   * remove Op from mandatory flags\n");
+    printf(".\\\"   * use better macros for arguments (like .Pa for files)\n");
+    printf(".\\\"\n");
+    t = time(NULL);
+    strftime(timestr, sizeof(timestr), "%B %e, %Y", localtime(&t));
+    printf(".Dd %s\n", timestr);
+    p = strrchr(progname, '/');
+    if(p) p++; else p = progname;
+    strlcpy(cmd, p, sizeof(cmd));
+    strupr(cmd);
+       
+    printf(".Dt %s SECTION\n", cmd);
+    printf(".Os OPERATING_SYSTEM\n");
+    printf(".Sh NAME\n");
+    printf(".Nm %s\n", p);
+    printf(".Nd\n");
+    printf("in search of a description\n");
+    printf(".Sh SYNOPSIS\n");
+    printf(".Nm\n");
+    for(i = 0; i < num_args; i++){
+	/* we seem to hit a limit on number of arguments if doing
+           short and long flags with arguments -- split on two lines */
+	if(ISFLAG(args[i]) || 
+	   args[i].short_name == 0 || args[i].long_name == NULL) {
+	    printf(".Op ");
+
+	    if(args[i].short_name) {
+		print_arg(buf, sizeof(buf), 1, 0, args + i);
+		printf("Fl %c%s", args[i].short_name, buf);
+		if(args[i].long_name)
+		    printf(" | ");
+	    }
+	    if(args[i].long_name) {
+		print_arg(buf, sizeof(buf), 1, 1, args + i);
+		printf("Fl -%s%s%s",
+		       args[i].type == arg_negative_flag ? "no-" : "",
+		       args[i].long_name, buf);
+	    }
+	    printf("\n");
+	} else {
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf(".Fl -%s%s Oc\n.Xc\n", args[i].long_name, buf);
+	}
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    if (extra_string && *extra_string)
+	printf (".Ar %s\n", extra_string);
+    printf(".Sh DESCRIPTION\n");
+    printf("Supported options:\n");
+    printf(".Bl -tag -width Ds\n");
+    for(i = 0; i < num_args; i++){
+	printf(".It Xo\n");
+	if(args[i].short_name){
+	    printf(".Fl %c", args[i].short_name);
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf("%s", buf);
+	    if(args[i].long_name)
+		printf(" Ns ,");
+	    printf("\n");
+	}
+	if(args[i].long_name){
+	    printf(".Fl -%s%s",
+		   args[i].type == arg_negative_flag ? "no-" : "",
+		   args[i].long_name);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf("%s\n", buf);
+	}
+	printf(".Xc\n");
+	if(args[i].help)
+	    printf("%s\n", args[i].help);
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    printf(".El\n");
+    printf(".\\\".Sh ENVIRONMENT\n");
+    printf(".\\\".Sh FILES\n");
+    printf(".\\\".Sh EXAMPLES\n");
+    printf(".\\\".Sh DIAGNOSTICS\n");
+    printf(".\\\".Sh SEE ALSO\n");
+    printf(".\\\".Sh STANDARDS\n");
+    printf(".\\\".Sh HISTORY\n");
+    printf(".\\\".Sh AUTHORS\n");
+    printf(".\\\".Sh BUGS\n");
+}
+
+static int
+check_column(FILE *f, int col, int len, int columns)
+{
+    if(col + len > columns) {
+	fprintf(f, "\n");
+	col = fprintf(f, "  ");
+    }
+    return col;
+}
+
+void
+arg_printusage (struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    size_t max_len = 0;
+    char buf[128];
+    int col = 0, columns;
+    struct winsize ws;
+
+    if (progname == NULL)
+	progname = __progname;
+
+    if(getenv("GETARGMANDOC")){
+	mandoc_template(args, num_args, progname, extra_string);
+	return;
+    }
+    if(get_window_size(2, &ws) == 0)
+	columns = ws.ws_col;
+    else
+	columns = 80;
+    col = 0;
+    col += fprintf (stderr, "Usage: %s", progname);
+    for (i = 0; i < num_args; ++i) {
+	size_t len = 0;
+
+	if (args[i].long_name) {
+	    buf[0] = '\0';
+	    strlcat(buf, "[--", sizeof(buf));
+	    len += 2;
+	    if(args[i].type == arg_negative_flag) {
+		strlcat(buf, "no-", sizeof(buf));
+		len += 3;
+	    }
+	    strlcat(buf, args[i].long_name, sizeof(buf));
+	    len += strlen(args[i].long_name);
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 1, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].short_name) {
+	    snprintf(buf, sizeof(buf), "[-%c", args[i].short_name);
+	    len += 2;
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 0, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].long_name && args[i].short_name)
+	    len += 2; /* ", " */
+	max_len = max(max_len, len);
+    }
+    if (extra_string) {
+	col = check_column(stderr, col, strlen(extra_string) + 1, columns);
+	fprintf (stderr, " %s\n", extra_string);
+    } else
+	fprintf (stderr, "\n");
+    for (i = 0; i < num_args; ++i) {
+	if (args[i].help) {
+	    size_t count = 0;
+
+	    if (args[i].short_name) {
+		count += fprintf (stderr, "-%c", args[i].short_name);
+		print_arg (buf, sizeof(buf), 0, 0, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    if (args[i].short_name && args[i].long_name)
+		count += fprintf (stderr, ", ");
+	    if (args[i].long_name) {
+		count += fprintf (stderr, "--");
+		if (args[i].type == arg_negative_flag)
+		    count += fprintf (stderr, "no-");
+		count += fprintf (stderr, "%s", args[i].long_name);
+		print_arg (buf, sizeof(buf), 0, 1, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    while(count++ <= max_len)
+		putc (' ', stderr);
+	    fprintf (stderr, "%s\n", args[i].help);
+	}
+    }
+}
+
+static void
+add_string(getarg_strings *s, char *value)
+{
+    s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings));
+    s->strings[s->num_strings] = value;
+    s->num_strings++;
+}
+
+static int
+arg_match_long(struct getargs *args, size_t num_args,
+	       char *argv, int argc, char **rargv, int *optind)
+{
+    int i;
+    char *optarg = NULL;
+    int negate = 0;
+    int partial_match = 0;
+    struct getargs *partial = NULL;
+    struct getargs *current = NULL;
+    int argv_len;
+    char *p;
+
+    argv_len = strlen(argv);
+    p = strchr (argv, '=');
+    if (p != NULL)
+	argv_len = p - argv;
+
+    for (i = 0; i < num_args; ++i) {
+	if(args[i].long_name) {
+	    int len = strlen(args[i].long_name);
+	    char *p = argv;
+	    int p_len = argv_len;
+	    negate = 0;
+
+	    for (;;) {
+		if (strncmp (args[i].long_name, p, p_len) == 0) {
+		    if(p_len == len)
+			current = &args[i];
+		    else {
+			++partial_match;
+			partial = &args[i];
+		    }
+		    optarg  = p + p_len;
+		} else if (ISFLAG(args[i]) && strncmp (p, "no-", 3) == 0) {
+		    negate = !negate;
+		    p += 3;
+		    p_len -= 3;
+		    continue;
+		}
+		break;
+	    }
+	    if (current)
+		break;
+	}
+    }
+    if (current == NULL) {
+	if (partial_match == 1)
+	    current = partial;
+	else
+	    return ARG_ERR_NO_MATCH;
+    }
+    
+    if(*optarg == '\0'
+       && !ISFLAG(*current)
+       && current->type != arg_collect
+       && current->type != arg_counter)
+	return ARG_ERR_NO_MATCH;
+    switch(current->type){
+    case arg_integer:
+    {
+	int tmp;
+	if(sscanf(optarg + 1, "%d", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(int*)current->value = tmp;
+	return 0;
+    }
+    case arg_string:
+    {
+	*(char**)current->value = optarg + 1;
+	return 0;
+    }
+    case arg_strings:
+    {
+	add_string((getarg_strings*)current->value, optarg + 1);
+	return 0;
+    }
+    case arg_flag:
+    case arg_negative_flag:
+    {
+	int *flag = current->value;
+	if(*optarg == '\0' ||
+	   strcmp(optarg + 1, "yes") == 0 || 
+	   strcmp(optarg + 1, "true") == 0){
+	    *flag = !negate;
+	    return 0;
+	} else if (*optarg && strcmp(optarg + 1, "maybe") == 0) {
+	    *flag = rand() & 1;
+	} else {
+	    *flag = negate;
+	    return 0;
+	}
+	return ARG_ERR_BAD_ARG;
+    }
+    case arg_counter :
+    {
+	int val;
+
+	if (*optarg == '\0')
+	    val = 1;
+	else {
+	    char *endstr;
+
+	    val = strtol (optarg, &endstr, 0);
+	    if (endstr == optarg)
+		return ARG_ERR_BAD_ARG;
+	}
+	*(int *)current->value += val;
+	return 0;
+    }
+    case arg_double:
+    {
+	double tmp;
+	if(sscanf(optarg + 1, "%lf", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(double*)current->value = tmp;
+	return 0;
+    }
+    case arg_collect:{
+	struct getarg_collect_info *c = current->value;
+	int o = argv - rargv[*optind];
+	return (*c->func)(FALSE, argc, rargv, optind, &o, c->data);
+    }
+
+    default:
+	abort ();
+    }
+}
+
+static int
+arg_match_short (struct getargs *args, size_t num_args,
+		 char *argv, int argc, char **rargv, int *optind)
+{
+    int j, k;
+
+    for(j = 1; j > 0 && j < strlen(rargv[*optind]); j++) {
+	for(k = 0; k < num_args; k++) {
+	    char *optarg;
+
+	    if(args[k].short_name == 0)
+		continue;
+	    if(argv[j] == args[k].short_name) {
+		if(args[k].type == arg_flag) {
+		    *(int*)args[k].value = 1;
+		    break;
+		}
+		if(args[k].type == arg_negative_flag) {
+		    *(int*)args[k].value = 0;
+		    break;
+		} 
+		if(args[k].type == arg_counter) {
+		    ++*(int *)args[k].value;
+		    break;
+		}
+		if(args[k].type == arg_collect) {
+		    struct getarg_collect_info *c = args[k].value;
+
+		    if((*c->func)(TRUE, argc, rargv, optind, &j, c->data))
+			return ARG_ERR_BAD_ARG;
+		    break;
+		}
+
+		if(argv[j + 1])
+		    optarg = &argv[j + 1];
+		else {
+		    ++*optind;
+		    optarg = rargv[*optind];
+		}
+		if(optarg == NULL)
+		    return ARG_ERR_NO_ARG;
+		if(args[k].type == arg_integer) {
+		    int tmp;
+		    if(sscanf(optarg, "%d", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(int*)args[k].value = tmp;
+		    return 0;
+		} else if(args[k].type == arg_string) {
+		    *(char**)args[k].value = optarg;
+		    return 0;
+		} else if(args[k].type == arg_strings) {
+		    add_string((getarg_strings*)args[k].value, optarg);
+		    return 0;
+		} else if(args[k].type == arg_double) {
+		    double tmp;
+		    if(sscanf(optarg, "%lf", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(double*)args[k].value = tmp;
+		    return 0;
+		}
+		return ARG_ERR_BAD_ARG;
+	    }
+	}
+	if (k == num_args)
+	    return ARG_ERR_NO_MATCH;
+    }
+    return 0;
+}
+
+int
+getarg(struct getargs *args, size_t num_args, 
+       int argc, char **argv, int *optind)
+{
+    int i;
+    int ret = 0;
+
+    srand (time(NULL));
+    (*optind)++;
+    for(i = *optind; i < argc; i++) {
+	if(argv[i][0] != '-')
+	    break;
+	if(argv[i][1] == '-'){
+	    if(argv[i][2] == 0){
+		i++;
+		break;
+	    }
+	    ret = arg_match_long (args, num_args, argv[i] + 2, 
+				  argc, argv, &i);
+	} else {
+	    ret = arg_match_short (args, num_args, argv[i],
+				   argc, argv, &i);
+	}
+	if(ret)
+	    break;
+    }
+    *optind = i;
+    return ret;
+}
+
+#if TEST
+int foo_flag = 2;
+int flag1 = 0;
+int flag2 = 0;
+int bar_int;
+char *baz_string;
+
+struct getargs args[] = {
+    { NULL, '1', arg_flag, &flag1, "one", NULL },
+    { NULL, '2', arg_flag, &flag2, "two", NULL },
+    { "foo", 'f', arg_negative_flag, &foo_flag, "foo", NULL },
+    { "bar", 'b', arg_integer, &bar_int, "bar", "seconds"},
+    { "baz", 'x', arg_string, &baz_string, "baz", "name" },
+};
+
+int main(int argc, char **argv)
+{
+    int optind = 0;
+    while(getarg(args, 5, argc, argv, &optind))
+	printf("Bad arg: %s\n", argv[optind]);
+    printf("flag1 = %d\n", flag1);  
+    printf("flag2 = %d\n", flag2);  
+    printf("foo_flag = %d\n", foo_flag);  
+    printf("bar_int = %d\n", bar_int);
+    printf("baz_flag = %s\n", baz_string);
+    arg_printusage (args, 5, argv[0], "nothing here");
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/getarg.h b/crypto/heimdal/lib/roken/getarg.h
new file mode 100644
index 0000000..7fd374b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: getarg.h,v 1.10 1999/12/02 16:58:46 joda Exp $ */
+
+#ifndef __GETARG_H__
+#define __GETARG_H__
+
+#include <stddef.h>
+
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+	   arg_collect,
+	   arg_counter
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+
+enum {
+    ARG_ERR_NO_MATCH  = 1,
+    ARG_ERR_BAD_ARG,
+    ARG_ERR_NO_ARG
+};
+
+typedef struct getarg_strings {
+    int num_strings;
+    char **strings;
+} getarg_strings;
+
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+
+int getarg(struct getargs *args, size_t num_args, 
+	   int argc, char **argv, int *optind);
+
+void arg_printusage (struct getargs *args,
+		     size_t num_args,
+		     const char *progname,
+		     const char *extra_string);
+
+#endif /* __GETARG_H__ */
diff --git a/crypto/heimdal/lib/roken/getcap.c b/crypto/heimdal/lib/roken/getcap.c
new file mode 100644
index 0000000..997fabf
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getcap.c
@@ -0,0 +1,1118 @@
+/*	$NetBSD: getcap.c,v 1.29 1999/03/29 09:27:29 abs Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Casey Leedom of Lawrence Livermore National Laboratory.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+RCSID("$Id: getcap.c,v 1.7 1999/11/17 21:11:58 assar Exp $");
+
+#include <sys/types.h>
+#include <ctype.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+#include <errno.h>	
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	BFRAG		1024
+#if 0
+#define	BSIZE		1024
+#endif
+#define	ESC		('[' & 037)	/* ASCII ESC */
+#define	MAX_RECURSION	32		/* maximum getent recursion */
+#define	SFRAG		100		/* cgetstr mallocs in SFRAG chunks */
+
+#define RECOK	(char)0
+#define TCERR	(char)1
+#define	SHADOW	(char)2
+
+static size_t	 topreclen;	/* toprec length */
+static char	*toprec;	/* Additional record specified by cgetset() */
+static int	 gottoprec;	/* Flag indicating retrieval of toprecord */
+
+#if defined(HAVE_DBOPEN) && defined(HAVE_DB_H)
+#define USE_DB
+#endif
+
+#ifdef USE_DB
+static int	cdbget (DB *, char **, const char *);
+#endif
+static int 	getent (char **, size_t *, char **, int, const char *, int, char *);
+static int	nfcmp (char *, char *);
+
+
+int cgetset(const char *ent);
+char *cgetcap(char *buf, const char *cap, int type);
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetmatch(const char *buf, const char *name);
+int cgetclose(void);
+#if 0
+int cgetfirst(char **buf, char **db_array);
+int cgetnext(char **bp, char **db_array);
+#endif
+int cgetstr(char *buf, const char *cap, char **str);
+int cgetustr(char *buf, const char *cap, char **str);
+int cgetnum(char *buf, const char *cap, long *num);
+/*
+ * Cgetset() allows the addition of a user specified buffer to be added
+ * to the database array, in effect "pushing" the buffer on top of the
+ * virtual database. 0 is returned on success, -1 on failure.
+ */
+int
+cgetset(const char *ent)
+{
+    const char *source, *check;
+    char *dest;
+
+    if (ent == NULL) {
+	if (toprec)
+	    free(toprec);
+	toprec = NULL;
+	topreclen = 0;
+	return (0);
+    }
+    topreclen = strlen(ent);
+    if ((toprec = malloc (topreclen + 1)) == NULL) {
+	errno = ENOMEM;
+	return (-1);
+    }
+    gottoprec = 0;
+
+    source=ent;
+    dest=toprec;
+    while (*source) { /* Strip whitespace */
+	*dest++ = *source++; /* Do not check first field */
+	while (*source == ':') {
+	    check=source+1;
+	    while (*check && (isspace((unsigned char)*check) ||
+			      (*check=='\\' && isspace((unsigned char)check[1]))))
+		++check;
+	    if( *check == ':' )
+		source=check;
+	    else
+		break;
+
+	}
+    }
+    *dest=0;
+
+    return (0);
+}
+
+/*
+ * Cgetcap searches the capability record buf for the capability cap with
+ * type `type'.  A pointer to the value of cap is returned on success, NULL
+ * if the requested capability couldn't be found.
+ *
+ * Specifying a type of ':' means that nothing should follow cap (:cap:).
+ * In this case a pointer to the terminating ':' or NUL will be returned if
+ * cap is found.
+ *
+ * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator)
+ * return NULL.
+ */
+char *
+cgetcap(char *buf, const char *cap, int type)
+{
+    char *bp;
+    const char *cp;
+
+    bp = buf;
+    for (;;) {
+	/*
+	 * Skip past the current capability field - it's either the
+	 * name field if this is the first time through the loop, or
+	 * the remainder of a field whose name failed to match cap.
+	 */
+	for (;;)
+	    if (*bp == '\0')
+		return (NULL);
+	    else
+		if (*bp++ == ':')
+		    break;
+
+	/*
+	 * Try to match (cap, type) in buf.
+	 */
+	for (cp = cap; *cp == *bp && *bp != '\0'; cp++, bp++)
+	    continue;
+	if (*cp != '\0')
+	    continue;
+	if (*bp == '@')
+	    return (NULL);
+	if (type == ':') {
+	    if (*bp != '\0' && *bp != ':')
+		continue;
+	    return(bp);
+	}
+	if (*bp != type)
+	    continue;
+	bp++;
+	return (*bp == '@' ? NULL : bp);
+    }
+    /* NOTREACHED */
+}
+
+/*
+ * Cgetent extracts the capability record name from the NULL terminated file
+ * array db_array and returns a pointer to a malloc'd copy of it in buf.
+ * Buf must be retained through all subsequent calls to cgetcap, cgetnum,
+ * cgetflag, and cgetstr, but may then be free'd.  0 is returned on success,
+ * -1 if the requested record couldn't be found, -2 if a system error was
+ * encountered (couldn't open/read a file, etc.), and -3 if a potential
+ * reference loop is detected.
+ */
+int
+cgetent(char **buf, char **db_array, const char *name)
+{
+    size_t dummy;
+
+    return (getent(buf, &dummy, db_array, -1, name, 0, NULL));
+}
+
+/*
+ * Getent implements the functions of cgetent.  If fd is non-negative,
+ * *db_array has already been opened and fd is the open file descriptor.  We
+ * do this to save time and avoid using up file descriptors for tc=
+ * recursions.
+ *
+ * Getent returns the same success/failure codes as cgetent.  On success, a
+ * pointer to a malloc'ed capability record with all tc= capabilities fully
+ * expanded and its length (not including trailing ASCII NUL) are left in
+ * *cap and *len.
+ *
+ * Basic algorithm:
+ *	+ Allocate memory incrementally as needed in chunks of size BFRAG
+ *	  for capability buffer.
+ *	+ Recurse for each tc=name and interpolate result.  Stop when all
+ *	  names interpolated, a name can't be found, or depth exceeds
+ *	  MAX_RECURSION.
+ */
+static int
+getent(char **cap, size_t *len, char **db_array, int fd, 
+       const char *name, int depth, char *nfield)
+{
+    char *r_end, *rp = NULL, **db_p;	/* pacify gcc */
+    int myfd = 0, eof, foundit;
+    char *record;
+    int tc_not_resolved;
+	
+    /*
+     * Return with ``loop detected'' error if we've recursed more than
+     * MAX_RECURSION times.
+     */
+    if (depth > MAX_RECURSION)
+	return (-3);
+
+    /*
+     * Check if we have a top record from cgetset().
+     */
+    if (depth == 0 && toprec != NULL && cgetmatch(toprec, name) == 0) {
+	if ((record = malloc (topreclen + BFRAG)) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+	(void)strcpy(record, toprec);	/* XXX: strcpy is safe */
+	db_p = db_array;
+	rp = record + topreclen + 1;
+	r_end = rp + BFRAG;
+	goto tc_exp;
+    }
+    /*
+     * Allocate first chunk of memory.
+     */
+    if ((record = malloc(BFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);
+    }
+    r_end = record + BFRAG;
+    foundit = 0;
+    /*
+     * Loop through database array until finding the record.
+     */
+
+    for (db_p = db_array; *db_p != NULL; db_p++) {
+	eof = 0;
+
+	/*
+	 * Open database if not already open.
+	 */
+
+	if (fd >= 0) {
+	    (void)lseek(fd, (off_t)0, SEEK_SET);
+	} else {
+#ifdef USE_DB
+	    char pbuf[_POSIX_PATH_MAX];
+	    char *cbuf;
+	    size_t clen;
+	    int retval;
+	    DB *capdbp;
+
+	    (void)snprintf(pbuf, sizeof(pbuf), "%s.db", *db_p);
+	    if ((capdbp = dbopen(pbuf, O_RDONLY, 0, DB_HASH, 0))
+		!= NULL) {
+		free(record);
+		retval = cdbget(capdbp, &record, name);
+		if (retval < 0) {
+		    /* no record available */
+		    (void)capdbp->close(capdbp);
+		    return (retval);
+		}
+				/* save the data; close frees it */
+		clen = strlen(record);
+		cbuf = malloc(clen + 1);
+		memmove(cbuf, record, clen + 1);
+		if (capdbp->close(capdbp) < 0) {
+		    free(cbuf);
+		    return (-2);
+		}
+		*len = clen;
+		*cap = cbuf;
+		return (retval);
+	    } else
+#endif
+	    {
+		fd = open(*db_p, O_RDONLY, 0);
+		if (fd < 0) {
+		    /* No error on unfound file. */
+		    continue;
+		}
+		myfd = 1;
+	    }
+	}
+	/*
+	 * Find the requested capability record ...
+	 */
+	{
+	    char buf[BUFSIZ];
+	    char *b_end, *bp, *cp;
+	    int c, slash;
+
+	    /*
+	     * Loop invariants:
+	     *	There is always room for one more character in record.
+	     *	R_end always points just past end of record.
+	     *	Rp always points just past last character in record.
+	     *	B_end always points just past last character in buf.
+	     *	Bp always points at next character in buf.
+	     *	Cp remembers where the last colon was.
+	     */
+	    b_end = buf;
+	    bp = buf;
+	    cp = 0;
+	    slash = 0;
+	    for (;;) {
+
+		/*
+		 * Read in a line implementing (\, newline)
+		 * line continuation.
+		 */
+		rp = record;
+		for (;;) {
+		    if (bp >= b_end) {
+			int n;
+		
+			n = read(fd, buf, sizeof(buf));
+			if (n <= 0) {
+			    if (myfd)
+				(void)close(fd);
+			    if (n < 0) {
+				free(record);
+				return (-2);
+			    } else {
+				fd = -1;
+				eof = 1;
+				break;
+			    }
+			}
+			b_end = buf+n;
+			bp = buf;
+		    }
+	
+		    c = *bp++;
+		    if (c == '\n') {
+			if (slash) {
+			    slash = 0;
+			    rp--;
+			    continue;
+			} else
+			    break;
+		    }
+		    if (slash) {
+			slash = 0;
+			cp = 0;
+		    }
+		    if (c == ':') {
+			/*
+			 * If the field was `empty' (i.e.
+			 * contained only white space), back up
+			 * to the colon (eliminating the
+			 * field).
+			 */
+			if (cp)
+			    rp = cp;
+			else
+			    cp = rp;
+		    } else if (c == '\\') {
+			slash = 1;
+		    } else if (c != ' ' && c != '\t') {
+			/*
+			 * Forget where the colon was, as this
+			 * is not an empty field.
+			 */
+			cp = 0;
+		    }
+		    *rp++ = c;
+
+				/*
+				 * Enforce loop invariant: if no room 
+				 * left in record buffer, try to get
+				 * some more.
+				 */
+		    if (rp >= r_end) {
+			u_int pos;
+			size_t newsize;
+
+			pos = rp - record;
+			newsize = r_end - record + BFRAG;
+			record = realloc(record, newsize);
+			if (record == NULL) {
+			    errno = ENOMEM;
+			    if (myfd)
+				(void)close(fd);
+			    return (-2);
+			}
+			r_end = record + newsize;
+			rp = record + pos;
+		    }
+		}
+		/* Eliminate any white space after the last colon. */
+		if (cp)
+		    rp = cp + 1;
+		/* Loop invariant lets us do this. */
+		*rp++ = '\0';
+
+		/*
+		 * If encountered eof check next file.
+		 */
+		if (eof)
+		    break;
+				
+		/*
+		 * Toss blank lines and comments.
+		 */
+		if (*record == '\0' || *record == '#')
+		    continue;
+	
+		/*
+		 * See if this is the record we want ...
+		 */
+		if (cgetmatch(record, name) == 0) {
+		    if (nfield == NULL || !nfcmp(nfield, record)) {
+			foundit = 1;
+			break;	/* found it! */
+		    }
+		}
+	    }
+	}
+	if (foundit)
+	    break;
+    }
+
+    if (!foundit)
+	return (-1);
+
+    /*
+     * Got the capability record, but now we have to expand all tc=name
+     * references in it ...
+     */
+ tc_exp:	{
+	char *newicap, *s;
+	size_t ilen, newilen;
+	int diff, iret, tclen;
+	char *icap, *scan, *tc, *tcstart, *tcend;
+
+	/*
+	 * Loop invariants:
+	 *	There is room for one more character in record.
+	 *	R_end points just past end of record.
+	 *	Rp points just past last character in record.
+	 *	Scan points at remainder of record that needs to be
+	 *	scanned for tc=name constructs.
+	 */
+	scan = record;
+	tc_not_resolved = 0;
+	for (;;) {
+	    if ((tc = cgetcap(scan, "tc", '=')) == NULL)
+		break;
+
+	    /*
+	     * Find end of tc=name and stomp on the trailing `:'
+	     * (if present) so we can use it to call ourselves.
+	     */
+	    s = tc;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':') {
+			*(s - 1) = '\0';
+			break;
+		    }
+	    tcstart = tc - 3;
+	    tclen = s - tcstart;
+	    tcend = s;
+
+	    iret = getent(&icap, &ilen, db_p, fd, tc, depth+1, 
+			  NULL);
+	    newicap = icap;		/* Put into a register. */
+	    newilen = ilen;
+	    if (iret != 0) {
+				/* an error */
+		if (iret < -1) {
+		    if (myfd)
+			(void)close(fd);
+		    free(record);
+		    return (iret);
+		}
+		if (iret == 1)
+		    tc_not_resolved = 1;
+				/* couldn't resolve tc */
+		if (iret == -1) {
+		    *(s - 1) = ':';			
+		    scan = s - 1;
+		    tc_not_resolved = 1;
+		    continue;
+					
+		}
+	    }
+	    /* not interested in name field of tc'ed record */
+	    s = newicap;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':')
+			break;
+	    newilen -= s - newicap;
+	    newicap = s;
+
+	    /* make sure interpolated record is `:'-terminated */
+	    s += newilen;
+	    if (*(s-1) != ':') {
+		*s = ':';	/* overwrite NUL with : */
+		newilen++;
+	    }
+
+	    /*
+	     * Make sure there's enough room to insert the
+	     * new record.
+	     */
+	    diff = newilen - tclen;
+	    if (diff >= r_end - rp) {
+		u_int pos, tcpos, tcposend;
+		size_t newsize;
+
+		pos = rp - record;
+		newsize = r_end - record + diff + BFRAG;
+		tcpos = tcstart - record;
+		tcposend = tcend - record;
+		record = realloc(record, newsize);
+		if (record == NULL) {
+		    errno = ENOMEM;
+		    if (myfd)
+			(void)close(fd);
+		    free(icap);
+		    return (-2);
+		}
+		r_end = record + newsize;
+		rp = record + pos;
+		tcstart = record + tcpos;
+		tcend = record + tcposend;
+	    }
+
+	    /*
+	     * Insert tc'ed record into our record.
+	     */
+	    s = tcstart + newilen;
+	    memmove(s, tcend,  (size_t)(rp - tcend));
+	    memmove(tcstart, newicap, newilen);
+	    rp += diff;
+	    free(icap);
+
+	    /*
+	     * Start scan on `:' so next cgetcap works properly
+	     * (cgetcap always skips first field).
+	     */
+	    scan = s-1;
+	}
+	
+    }
+    /*
+     * Close file (if we opened it), give back any extra memory, and
+     * return capability, length and success.
+     */
+    if (myfd)
+	(void)close(fd);
+    *len = rp - record - 1;	/* don't count NUL */
+    if (r_end > rp)
+	if ((record = 
+	     realloc(record, (size_t)(rp - record))) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+		
+    *cap = record;
+    if (tc_not_resolved)
+	return (1);
+    return (0);
+}	
+
+#ifdef USE_DB
+static int
+cdbget(DB *capdbp, char **bp, const char *name)
+{
+	DBT key;
+	DBT data;
+
+	/* LINTED key is not modified */
+	key.data = (char *)name;
+	key.size = strlen(name);
+
+	for (;;) {
+		/* Get the reference. */
+		switch(capdbp->get(capdbp, &key, &data, 0)) {
+		case -1:
+			return (-2);
+		case 1:
+			return (-1);
+		}
+
+		/* If not an index to another record, leave. */
+		if (((char *)data.data)[0] != SHADOW)
+			break;
+
+		key.data = (char *)data.data + 1;
+		key.size = data.size - 1;
+	}
+	
+	*bp = (char *)data.data + 1;
+	return (((char *)(data.data))[0] == TCERR ? 1 : 0);
+}
+#endif /* USE_DB */
+
+/*
+ * Cgetmatch will return 0 if name is one of the names of the capability
+ * record buf, -1 if not.
+ */
+int
+cgetmatch(const char *buf, const char *name)
+{
+    const char *np, *bp;
+
+    /*
+     * Start search at beginning of record.
+     */
+    bp = buf;
+    for (;;) {
+	/*
+	 * Try to match a record name.
+	 */
+	np = name;
+	for (;;)
+	    if (*np == '\0') {
+		if (*bp == '|' || *bp == ':' || *bp == '\0')
+		    return (0);
+		else
+		    break;
+	    } else
+		if (*bp++ != *np++)
+		    break;
+
+	/*
+	 * Match failed, skip to next name in record.
+	 */
+	bp--;	/* a '|' or ':' may have stopped the match */
+	for (;;)
+	    if (*bp == '\0' || *bp == ':')
+		return (-1);	/* match failed totally */
+	    else
+		if (*bp++ == '|')
+		    break;	/* found next name */
+    }
+}
+
+#if 0
+int
+cgetfirst(char **buf, char **db_array)
+{
+    (void)cgetclose();
+    return (cgetnext(buf, db_array));
+}
+#endif
+
+static FILE *pfp;
+static int slash;
+static char **dbp;
+
+int
+cgetclose(void)
+{
+    if (pfp != NULL) {
+	(void)fclose(pfp);
+	pfp = NULL;
+    }
+    dbp = NULL;
+    gottoprec = 0;
+    slash = 0;
+    return(0);
+}
+
+#if 0
+/*
+ * Cgetnext() gets either the first or next entry in the logical database 
+ * specified by db_array.  It returns 0 upon completion of the database, 1
+ * upon returning an entry with more remaining, and -1 if an error occurs.
+ */
+int
+cgetnext(char **bp, char **db_array)
+{
+    size_t len;
+    int status, done;
+    char *cp, *line, *rp, *np, buf[BSIZE], nbuf[BSIZE];
+    size_t dummy;
+
+    if (dbp == NULL)
+	dbp = db_array;
+
+    if (pfp == NULL && (pfp = fopen(*dbp, "r")) == NULL) {
+	(void)cgetclose();
+	return (-1);
+    }
+    for(;;) {
+	if (toprec && !gottoprec) {
+	    gottoprec = 1;
+	    line = toprec;
+	} else {
+	    line = fgetln(pfp, &len);
+	    if (line == NULL && pfp) {
+		if (ferror(pfp)) {
+		    (void)cgetclose();
+		    return (-1);
+		} else {
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    if (*++dbp == NULL) {
+			(void)cgetclose();
+			return (0);
+		    } else if ((pfp =
+				fopen(*dbp, "r")) == NULL) {
+			(void)cgetclose();
+			return (-1);
+		    } else
+			continue;
+		}
+	    } else
+		line[len - 1] = '\0';
+	    if (len == 1) {
+		slash = 0;
+		continue;
+	    }
+	    if (isspace((unsigned char)*line) ||
+		*line == ':' || *line == '#' || slash) {
+		if (line[len - 2] == '\\')
+		    slash = 1;
+		else
+		    slash = 0;
+		continue;
+	    }
+	    if (line[len - 2] == '\\')
+		slash = 1;
+	    else
+		slash = 0;
+	}			
+
+
+	/* 
+	 * Line points to a name line.
+	 */
+	done = 0;
+	np = nbuf;
+	for (;;) {
+	    for (cp = line; *cp != '\0'; cp++) {
+		if (*cp == ':') {
+		    *np++ = ':';
+		    done = 1;
+		    break;
+		}
+		if (*cp == '\\')
+		    break;
+		*np++ = *cp;
+	    }
+	    if (done) {
+		*np = '\0';
+		break;
+	    } else { /* name field extends beyond the line */
+		line = fgetln(pfp, &len);
+		if (line == NULL && pfp) {
+		    if (ferror(pfp)) {
+			(void)cgetclose();
+			return (-1);
+		    }
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    *np = '\0';
+		    break;
+		} else
+		    line[len - 1] = '\0';
+	    }
+	}
+	rp = buf;
+	for(cp = nbuf; *cp != '\0'; cp++)
+	    if (*cp == '|' || *cp == ':')
+		break;
+	    else
+		*rp++ = *cp;
+
+	*rp = '\0';
+	/* 
+	 * XXX 
+	 * Last argument of getent here should be nbuf if we want true
+	 * sequential access in the case of duplicates.  
+	 * With NULL, getent will return the first entry found
+	 * rather than the duplicate entry record.  This is a 
+	 * matter of semantics that should be resolved.
+	 */
+	status = getent(bp, &dummy, db_array, -1, buf, 0, NULL);
+	if (status == -2 || status == -3)
+	    (void)cgetclose();
+
+	return (status + 1);
+    }
+    /* NOTREACHED */
+}
+#endif
+
+/*
+ * Cgetstr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  A pointer to a decoded, NUL
+ * terminated, malloc'd copy of the string is returned in the char *
+ * pointed to by str.  The length of the string not including the trailing
+ * NUL is returned on success, -1 if the requested string capability
+ * couldn't be found, -2 if a system error was encountered (storage
+ * allocation failure).
+ */
+int
+cgetstr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    bp = cgetcap(buf, cap, '=');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	if (*bp == '^') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    *mp++ = *bp++ & 037;
+	} else if (*bp == '\\') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    if ('0' <= *bp && *bp <= '7') {
+		int n, i;
+
+		n = 0;
+		i = 3;	/* maximum of three octal digits */
+		do {
+		    n = n * 8 + (*bp++ - '0');
+		} while (--i && '0' <= *bp && *bp <= '7');
+		*mp++ = n;
+	    }
+	    else switch (*bp++) {
+	    case 'b': case 'B':
+		*mp++ = '\b';
+		break;
+	    case 't': case 'T':
+		*mp++ = '\t';
+		break;
+	    case 'n': case 'N':
+		*mp++ = '\n';
+		break;
+	    case 'f': case 'F':
+		*mp++ = '\f';
+		break;
+	    case 'r': case 'R':
+		*mp++ = '\r';
+		break;
+	    case 'e': case 'E':
+		*mp++ = ESC;
+		break;
+	    case 'c': case 'C':
+		*mp++ = ':';
+		break;
+	    default:
+		/*
+		 * Catches '\', '^', and
+		 *  everything else.
+		 */
+		*mp++ = *(bp-1);
+		break;
+	    }
+	} else
+	    *mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetustr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  The difference between cgetustr()
+ * and cgetstr() is that cgetustr does not decode escapes but rather treats
+ * all characters literally.  A pointer to a  NUL terminated malloc'd 
+ * copy of the string is returned in the char pointed to by str.  The 
+ * length of the string not including the trailing NUL is returned on success,
+ * -1 if the requested string capability couldn't be found, -2 if a system 
+ * error was encountered (storage allocation failure).
+ */
+int
+cgetustr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    if ((bp = cgetcap(buf, cap, '=')) == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	*mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetnum retrieves the value of the numeric capability cap from the
+ * capability record pointed to by buf.  The numeric value is returned in
+ * the long pointed to by num.  0 is returned on success, -1 if the requested
+ * numeric capability couldn't be found.
+ */
+int
+cgetnum(char *buf, const char *cap, long *num)
+{
+    long n;
+    int base, digit;
+    const char *bp;
+
+    /*
+     * Find numeric capability cap
+     */
+    bp = cgetcap(buf, cap, '#');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Look at value and determine numeric base:
+     *	0x... or 0X...	hexadecimal,
+     * else	0...		octal,
+     * else			decimal.
+     */
+    if (*bp == '0') {
+	bp++;
+	if (*bp == 'x' || *bp == 'X') {
+	    bp++;
+	    base = 16;
+	} else
+	    base = 8;
+    } else
+	base = 10;
+
+    /*
+     * Conversion loop ...
+     */
+    n = 0;
+    for (;;) {
+	if ('0' <= *bp && *bp <= '9')
+	    digit = *bp - '0';
+	else if ('a' <= *bp && *bp <= 'f')
+	    digit = 10 + *bp - 'a';
+	else if ('A' <= *bp && *bp <= 'F')
+	    digit = 10 + *bp - 'A';
+	else
+	    break;
+
+	if (digit >= base)
+	    break;
+
+	n = n * base + digit;
+	bp++;
+    }
+
+    /*
+     * Return value and success.
+     */
+    *num = n;
+    return (0);
+}
+
+
+/*
+ * Compare name field of record.
+ */
+static int
+nfcmp(char *nf, char *rec)
+{
+    char *cp, tmp;
+    int ret;
+	
+    for (cp = rec; *cp != ':'; cp++)
+	;
+	
+    tmp = *(cp + 1);
+    *(cp + 1) = '\0';
+    ret = strcmp(nf, rec);
+    *(cp + 1) = tmp;
+
+    return (ret);
+}
diff --git a/crypto/heimdal/lib/roken/getcwd.c b/crypto/heimdal/lib/roken/getcwd.c
new file mode 100644
index 0000000..c1f2610
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getcwd.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#include "roken.h"
+
+char*
+getcwd(char *path, size_t size)
+{
+    char xxx[MaxPathLen];
+    char *ret;
+    ret = getwd(xxx);
+    if(ret)
+	strlcpy(path, xxx, size);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getdtablesize.c b/crypto/heimdal/lib/roken/getdtablesize.c
new file mode 100644
index 0000000..9f9c74b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getdtablesize.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getdtablesize.c,v 1.10 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
+
+int getdtablesize(void)
+{
+  int files = -1;
+#if defined(HAVE_SYSCONF) && defined(_SC_OPEN_MAX)
+  files = sysconf(_SC_OPEN_MAX);
+#else /* !defined(HAVE_SYSCONF) */
+#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE)
+  struct rlimit res;
+  if (getrlimit(RLIMIT_NOFILE, &res) == 0)
+    files = res.rlim_cur;
+#else /* !definded(HAVE_GETRLIMIT) */
+#if defined(HAVE_SYSCTL) && defined(CTL_KERN) && defined(KERN_MAXFILES)
+  int mib[2];
+  size_t len;
+    
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_MAXFILES;
+  len = sizeof(files);
+  sysctl(&mib, 2, &files, sizeof(nfil), NULL, 0);
+#endif /* defined(HAVE_SYSCTL) */
+#endif /* !definded(HAVE_GETRLIMIT) */
+#endif /* !defined(HAVE_SYSCONF) */
+
+#ifdef OPEN_MAX
+  if (files < 0)
+    files = OPEN_MAX;
+#endif
+
+#ifdef NOFILE
+  if (files < 0)
+    files = NOFILE;
+#endif    
+    
+  return files;
+}
diff --git a/crypto/heimdal/lib/roken/getegid.c b/crypto/heimdal/lib/roken/getegid.c
new file mode 100644
index 0000000..b6eab85
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getegid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEGID
+
+RCSID("$Id: getegid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getegid(void)
+{
+    return getgid();
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/geteuid.c b/crypto/heimdal/lib/roken/geteuid.c
new file mode 100644
index 0000000..4bdf531
--- /dev/null
+++ b/crypto/heimdal/lib/roken/geteuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEUID
+
+RCSID("$Id: geteuid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int geteuid(void)
+{
+    return getuid();
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/getgid.c b/crypto/heimdal/lib/roken/getgid.c
new file mode 100644
index 0000000..f2ca01a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getgid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETGID
+
+RCSID("$Id: getgid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getgid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/gethostname.c b/crypto/heimdal/lib/roken/gethostname.c
new file mode 100644
index 0000000..753ba9f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/gethostname.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETHOSTNAME
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+/*
+ * Return the local host's name in "name", up to "namelen" characters.
+ * "name" will be null-terminated if "namelen" is big enough.
+ * The return code is 0 on success, -1 on failure.  (The calling
+ * interface is identical to gethostname(2).)
+ */
+
+int
+gethostname(char *name, int namelen)
+{
+#if defined(HAVE_UNAME)
+    {
+	struct utsname utsname;
+	int ret;
+
+	ret = uname (&utsname);
+	if (ret < 0)
+	    return ret;
+	strlcpy (name, utsname.nodename, namelen);
+	return 0;
+    }
+#else
+    strlcpy (name, "some.random.host", namelen);
+    return 0;
+#endif
+}
+
+#endif /* GETHOSTNAME */
diff --git a/crypto/heimdal/lib/roken/getipnodebyaddr.c b/crypto/heimdal/lib/roken/getipnodebyaddr.c
new file mode 100644
index 0000000..f22aad7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getipnodebyaddr.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * lookup `src, len' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num)
+{
+    struct hostent *tmp;
+
+    tmp = gethostbyaddr (src, len, af);
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/getipnodebyname.c b/crypto/heimdal/lib/roken/getipnodebyname.c
new file mode 100644
index 0000000..576feef
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getipnodebyname.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyname.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE_H_ERRNO
+static int h_errno = NO_RECOVERY;
+#endif
+
+/*
+ * lookup `name' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num)
+{
+    struct hostent *tmp;
+
+#ifdef HAVE_GETHOSTBYNAME2
+    tmp = gethostbyname2 (name, af);
+#else
+    if (af != AF_INET) {
+	*error_num = NO_ADDRESS;
+	return NULL;
+    }
+    tmp = gethostbyname (name);
+#endif
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/getnameinfo.c b/crypto/heimdal/lib/roken/getnameinfo.c
new file mode 100644
index 0000000..7e2d232
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getnameinfo.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getnameinfo.c,v 1.2 1999/12/03 04:10:07 assar Exp $");
+#endif
+
+#include "roken.h"
+
+static int
+doit (int af,
+      const void *addr,
+      size_t addrlen,
+      int port,
+      char *host, size_t hostlen,
+      char *serv, size_t servlen,
+      int flags)
+{
+    if (host != NULL) {
+	if (flags & NI_NUMERICHOST) {
+	    if (inet_ntop (af, addr, host, hostlen) == NULL)
+		return EAI_SYSTEM;
+	} else {
+	    struct hostent *he = gethostbyaddr (addr,
+						addrlen,
+						af);
+	    if (he != NULL) {
+		strlcpy (host, he->h_name, hostlen);
+		if (flags & NI_NOFQDN) {
+		    char *dot = strchr (host, '.');
+		    if (dot != NULL)
+			*dot = '\0';
+		}
+	    } else if (flags & NI_NAMEREQD) {
+		return EAI_NONAME;
+	    } else if (inet_ntop (AF_INET, addr, host, hostlen) == NULL)
+		return EAI_SYSTEM;
+	}
+    }
+
+    if (serv != NULL) {
+	if (flags & NI_NUMERICSERV) {
+	    snprintf (serv, servlen, "%u", ntohs(port));
+	} else {
+	    const char *proto = "tcp";
+	    struct servent *se;
+
+	    if (flags & NI_DGRAM)
+		proto = "udp";
+
+	    se = getservbyport (port, proto);
+	    if (se == NULL) {
+		snprintf (serv, servlen, "%u", ntohs(port));
+	    } else {
+		strlcpy (serv, se->s_name, servlen);
+	    }
+	}
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen,
+	    char *host, size_t hostlen,
+	    char *serv, size_t servlen,
+	    int flags)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+	return doit (AF_INET6, &sin6->sin6_addr, sizeof(sin6->sin6_addr),
+		     sin6->sin6_port,
+		     host, hostlen,
+		     serv, servlen,
+		     flags);
+    }
+#endif
+    case AF_INET : {
+	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+	return doit (AF_INET, &sin->sin_addr, sizeof(sin->sin_addr),
+		     sin->sin_port,
+		     host, hostlen,
+		     serv, servlen,
+		     flags);
+    }
+    default :
+	return EAI_FAMILY;
+    }
+}
diff --git a/crypto/heimdal/lib/roken/getnameinfo_verified.c b/crypto/heimdal/lib/roken/getnameinfo_verified.c
new file mode 100644
index 0000000..2a23d24
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getnameinfo_verified.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getnameinfo_verified.c,v 1.2 1999/12/05 10:52:09 assar Exp $");
+#endif
+
+#include "roken.h"
+
+int
+getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
+		     char *host, size_t hostlen,
+		     char *serv, size_t servlen,
+		     int flags)
+{
+    int ret;
+    struct addrinfo *ai, *a;
+
+    if (host == NULL)
+	return EAI_NONAME;
+
+    ret = getnameinfo (sa, salen, host, hostlen, serv, servlen, flags);
+    if (ret)
+	return ret;
+    ret = getaddrinfo (host, serv, NULL, &ai);
+    if (ret)
+	return ret;
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_addrlen == salen
+	    && memcmp (a->ai_addr, sa, salen) == 0)
+	    return 0;
+    }
+    if (flags & NI_NAMEREQD)
+	return EAI_NONAME;
+    ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
+		       flags | NI_NUMERICSERV | NI_NUMERICHOST);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getopt.c b/crypto/heimdal/lib/roken/getopt.c
new file mode 100644
index 0000000..45fc350
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getopt.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1987, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)getopt.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifndef __STDC__
+#define const
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * get option letter from argument vector
+ */
+int	opterr = 1,		/* if error message should be printed */
+	optind = 1,		/* index into parent argv vector */
+	optopt,			/* character checked for validity */
+	optreset;		/* reset getopt */
+char	*optarg;		/* argument associated with option */
+
+#define	BADCH	(int)'?'
+#define	BADARG	(int)':'
+#define	EMSG	""
+
+int
+getopt(nargc, nargv, ostr)
+	int nargc;
+	char * const *nargv;
+	const char *ostr;
+{
+	static char *place = EMSG;		/* option letter processing */
+	char *oli;			/* option letter list index */
+	char *p;
+
+	if (optreset || !*place) {		/* update scanning pointer */
+		optreset = 0;
+		if (optind >= nargc || *(place = nargv[optind]) != '-') {
+			place = EMSG;
+			return(-1);
+		}
+		if (place[1] && *++place == '-') {	/* found "--" */
+			++optind;
+			place = EMSG;
+			return(-1);
+		}
+	}					/* option letter okay? */
+	if ((optopt = (int)*place++) == (int)':' ||
+	    !(oli = strchr(ostr, optopt))) {
+		/*
+		 * if the user didn't specify '-' as an option,
+		 * assume it means -1 (EOF).
+		 */
+		if (optopt == (int)'-')
+			return(-1);
+		if (!*place)
+			++optind;
+		if (opterr && *ostr != ':') {
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			fprintf(stderr, "%s: illegal option -- %c\n",
+			    p, optopt);
+		}
+		return(BADCH);
+	}
+	if (*++oli != ':') {			/* don't need argument */
+		optarg = NULL;
+		if (!*place)
+			++optind;
+	}
+	else {					/* need an argument */
+		if (*place)			/* no white space */
+			optarg = place;
+		else if (nargc <= ++optind) {	/* no arg */
+			place = EMSG;
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			if (*ostr == ':')
+				return(BADARG);
+			if (opterr)
+				fprintf(stderr,
+				    "%s: option requires an argument -- %c\n",
+				    p, optopt);
+			return(BADCH);
+		}
+	 	else				/* white space */
+			optarg = nargv[optind];
+		place = EMSG;
+		++optind;
+	}
+	return(optopt);				/* dump back option letter */
+}
diff --git a/crypto/kerberosIV/lib/krb/gettimeofday.c b/crypto/heimdal/lib/roken/gettimeofday.c
index 734ca59..ec8b62f 100644
--- a/crypto/kerberosIV/lib/krb/gettimeofday.c
+++ b/crypto/heimdal/lib/roken/gettimeofday.c
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,10 +31,14 @@
  * SUCH DAMAGE.
  */
 
-#include "krb_locl.h"
-RCSID("$Id: gettimeofday.c,v 1.5 1997/04/01 08:18:29 joda Exp $");
-
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
 #ifndef HAVE_GETTIMEOFDAY
+
+RCSID("$Id: gettimeofday.c,v 1.8 1999/12/02 16:58:46 joda Exp $");
+
 /*
  * Simple gettimeofday that only returns seconds.
  */
diff --git a/crypto/heimdal/lib/roken/getuid.c b/crypto/heimdal/lib/roken/getuid.c
new file mode 100644
index 0000000..6ebce0a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETUID
+
+RCSID("$Id: getuid.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+
+int getuid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/getusershell.c b/crypto/heimdal/lib/roken/getusershell.c
new file mode 100644
index 0000000..87a48ec
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getusershell.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1985, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: getusershell.c,v 1.8 1997/04/20 06:18:03 assar Exp $");
+
+#ifndef HAVE_GETUSERSHELL
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifndef _PATH_SHELLS
+#define _PATH_SHELLS "/etc/shells"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#ifndef _PATH_CSHELL
+#define _PATH_CSHELL "/bin/csh"
+#endif
+
+/*
+ * Local shells should NOT be added here.  They should be added in
+ * /etc/shells.
+ */
+
+static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL };
+static char **curshell, **shells, *strings;
+static char **initshells (void);
+
+/*
+ * Get a list of shells from _PATH_SHELLS, if it exists.
+ */
+char *
+getusershell()
+{
+	char *ret;
+
+	if (curshell == NULL)
+		curshell = initshells();
+	ret = *curshell;
+	if (ret != NULL)
+		curshell++;
+	return (ret);
+}
+
+void
+endusershell()
+{
+	
+	if (shells != NULL)
+		free(shells);
+	shells = NULL;
+	if (strings != NULL)
+		free(strings);
+	strings = NULL;
+	curshell = NULL;
+}
+
+void
+setusershell()
+{
+
+	curshell = initshells();
+}
+
+static char **
+initshells()
+{
+	char **sp, *cp;
+	FILE *fp;
+	struct stat statb;
+
+	if (shells != NULL)
+		free(shells);
+	shells = NULL;
+	if (strings != NULL)
+		free(strings);
+	strings = NULL;
+	if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
+		return (okshells);
+	if (fstat(fileno(fp), &statb) == -1) {
+		fclose(fp);
+		return (okshells);
+	}
+	if ((strings = malloc((u_int)statb.st_size)) == NULL) {
+		fclose(fp);
+		return (okshells);
+	}
+	shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+	if (shells == NULL) {
+		fclose(fp);
+		free(strings);
+		strings = NULL;
+		return (okshells);
+	}
+	sp = shells;
+	cp = strings;
+	while (fgets(cp, MaxPathLen + 1, fp) != NULL) {
+		while (*cp != '#' && *cp != '/' && *cp != '\0')
+			cp++;
+		if (*cp == '#' || *cp == '\0')
+			continue;
+		*sp++ = cp;
+		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
+			cp++;
+		*cp++ = '\0';
+	}
+	*sp = NULL;
+	fclose(fp);
+	return (shells);
+}
+#endif /* HAVE_GETUSERSHELL */
diff --git a/crypto/heimdal/lib/roken/glob.c b/crypto/heimdal/lib/roken/glob.c
new file mode 100644
index 0000000..66e8ec6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.c
@@ -0,0 +1,835 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * glob(3) -- a superset of the one defined in POSIX 1003.2.
+ *
+ * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
+ *
+ * Optional extra services, controlled by flags not defined by POSIX:
+ *
+ * GLOB_QUOTE:
+ *	Escaping convention: \ inhibits any special meaning the following
+ *	character might have (except \ at end of string is retained).
+ * GLOB_MAGCHAR:
+ *	Set in gl_flags if pattern contained a globbing character.
+ * GLOB_NOMAGIC:
+ *	Same as GLOB_NOCHECK, but it will only append pattern if it did
+ *	not contain any magic characters.  [Used in csh style globbing]
+ * GLOB_ALTDIRFUNC:
+ *	Use alternately specified directory access functions.
+ * GLOB_TILDE:
+ *	expand ~user/foo to the /home/dir/of/user/foo
+ * GLOB_BRACE:
+ *	expand {1,2}{a,b} to 1a 1b 2a 2b 
+ * gl_matchc:
+ *	Number of matches in the current invocation of glob.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "glob.h"
+#include "roken.h"
+
+#define	CHAR_DOLLAR		'$'
+#define	CHAR_DOT		'.'
+#define	CHAR_EOS		'\0'
+#define	CHAR_LBRACKET		'['
+#define	CHAR_NOT		'!'
+#define	CHAR_QUESTION		'?'
+#define	CHAR_QUOTE		'\\'
+#define	CHAR_RANGE		'-'
+#define	CHAR_RBRACKET		']'
+#define	CHAR_SEP		'/'
+#define	CHAR_STAR		'*'
+#define	CHAR_TILDE		'~'
+#define	CHAR_UNDERSCORE		'_'
+#define	CHAR_LBRACE		'{'
+#define	CHAR_RBRACE		'}'
+#define	CHAR_SLASH		'/'
+#define	CHAR_COMMA		','
+
+#ifndef DEBUG
+
+#define	M_QUOTE		0x8000
+#define	M_PROTECT	0x4000
+#define	M_MASK		0xffff
+#define	M_ASCII		0x00ff
+
+typedef u_short Char;
+
+#else
+
+#define	M_QUOTE		0x80
+#define	M_PROTECT	0x40
+#define	M_MASK		0xff
+#define	M_ASCII		0x7f
+
+typedef char Char;
+
+#endif
+
+
+#define	CHAR(c)		((Char)((c)&M_ASCII))
+#define	META(c)		((Char)((c)|M_QUOTE))
+#define	M_ALL		META('*')
+#define	M_END		META(']')
+#define	M_NOT		META('!')
+#define	M_ONE		META('?')
+#define	M_RNG		META('-')
+#define	M_SET		META('[')
+#define	ismeta(c)	(((c)&M_QUOTE) != 0)
+
+
+static int	 compare (const void *, const void *);
+static void	 g_Ctoc (const Char *, char *);
+static int	 g_lstat (Char *, struct stat *, glob_t *);
+static DIR	*g_opendir (Char *, glob_t *);
+static Char	*g_strchr (Char *, int);
+#ifdef notdef
+static Char	*g_strcat (Char *, const Char *);
+#endif
+static int	 g_stat (Char *, struct stat *, glob_t *);
+static int	 glob0 (const Char *, glob_t *);
+static int	 glob1 (Char *, glob_t *);
+static int	 glob2 (Char *, Char *, Char *, glob_t *);
+static int	 glob3 (Char *, Char *, Char *, Char *, glob_t *);
+static int	 globextend (const Char *, glob_t *);
+static const Char *	 globtilde (const Char *, Char *, glob_t *);
+static int	 globexp1 (const Char *, glob_t *);
+static int	 globexp2 (const Char *, const Char *, glob_t *, int *);
+static int	 match (Char *, Char *, Char *);
+#ifdef DEBUG
+static void	 qprintf (const char *, Char *);
+#endif
+
+int
+glob(const char *pattern, 
+     int flags, 
+     int (*errfunc)(const char *, int), 
+     glob_t *pglob)
+{
+	const u_char *patnext;
+	int c;
+	Char *bufnext, *bufend, patbuf[MaxPathLen+1];
+
+	patnext = (u_char *) pattern;
+	if (!(flags & GLOB_APPEND)) {
+		pglob->gl_pathc = 0;
+		pglob->gl_pathv = NULL;
+		if (!(flags & GLOB_DOOFFS))
+			pglob->gl_offs = 0;
+	}
+	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+	pglob->gl_errfunc = errfunc;
+	pglob->gl_matchc = 0;
+
+	bufnext = patbuf;
+	bufend = bufnext + MaxPathLen;
+	if (flags & GLOB_QUOTE) {
+		/* Protect the quoted characters. */
+		while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+			if (c == CHAR_QUOTE) {
+				if ((c = *patnext++) == CHAR_EOS) {
+					c = CHAR_QUOTE;
+					--patnext;
+				}
+				*bufnext++ = c | M_PROTECT;
+			}
+			else
+				*bufnext++ = c;
+	}
+	else 
+	    while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+		    *bufnext++ = c;
+	*bufnext = CHAR_EOS;
+
+	if (flags & GLOB_BRACE)
+	    return globexp1(patbuf, pglob);
+	else
+	    return glob0(patbuf, pglob);
+}
+
+/*
+ * Expand recursively a glob {} pattern. When there is no more expansion
+ * invoke the standard globbing routine to glob the rest of the magic
+ * characters
+ */
+static int globexp1(const Char *pattern, glob_t *pglob)
+{
+	const Char* ptr = pattern;
+	int rv;
+
+	/* Protect a single {}, for find(1), like csh */
+	if (pattern[0] == CHAR_LBRACE && pattern[1] == CHAR_RBRACE && pattern[2] == CHAR_EOS)
+		return glob0(pattern, pglob);
+
+	while ((ptr = (const Char *) g_strchr((Char *) ptr, CHAR_LBRACE)) != NULL)
+		if (!globexp2(ptr, pattern, pglob, &rv))
+			return rv;
+
+	return glob0(pattern, pglob);
+}
+
+
+/*
+ * Recursive brace globbing helper. Tries to expand a single brace.
+ * If it succeeds then it invokes globexp1 with the new pattern.
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+static int globexp2(const Char *ptr, const Char *pattern, 
+		    glob_t *pglob, int *rv)
+{
+	int     i;
+	Char   *lm, *ls;
+	const Char *pe, *pm, *pl;
+	Char    patbuf[MaxPathLen + 1];
+
+	/* copy part up to the brace */
+	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
+		continue;
+	ls = lm;
+
+	/* Find the balanced brace */
+	for (i = 0, pe = ++ptr; *pe; pe++)
+		if (*pe == CHAR_LBRACKET) {
+			/* Ignore everything between [] */
+			for (pm = pe++; *pe != CHAR_RBRACKET && *pe != CHAR_EOS; pe++)
+				continue;
+			if (*pe == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pe = pm;
+			}
+		}
+		else if (*pe == CHAR_LBRACE)
+			i++;
+		else if (*pe == CHAR_RBRACE) {
+			if (i == 0)
+				break;
+			i--;
+		}
+
+	/* Non matching braces; just glob the pattern */
+	if (i != 0 || *pe == CHAR_EOS) {
+		*rv = glob0(patbuf, pglob);
+		return 0;
+	}
+
+	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
+		switch (*pm) {
+		case CHAR_LBRACKET:
+			/* Ignore everything between [] */
+			for (pl = pm++; *pm != CHAR_RBRACKET && *pm != CHAR_EOS; pm++)
+				continue;
+			if (*pm == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pm = pl;
+			}
+			break;
+
+		case CHAR_LBRACE:
+			i++;
+			break;
+
+		case CHAR_RBRACE:
+			if (i) {
+			    i--;
+			    break;
+			}
+			/* FALLTHROUGH */
+		case CHAR_COMMA:
+			if (i && *pm == CHAR_COMMA)
+				break;
+			else {
+				/* Append the current string */
+				for (lm = ls; (pl < pm); *lm++ = *pl++)
+					continue;
+				/* 
+				 * Append the rest of the pattern after the
+				 * closing brace
+				 */
+				for (pl = pe + 1; (*lm++ = *pl++) != CHAR_EOS;)
+					continue;
+
+				/* Expand the current pattern */
+#ifdef DEBUG
+				qprintf("globexp2:", patbuf);
+#endif
+				*rv = globexp1(patbuf, pglob);
+
+				/* move after the comma, to the next string */
+				pl = pm + 1;
+			}
+			break;
+
+		default:
+			break;
+		}
+	*rv = 0;
+	return 0;
+}
+
+
+
+/*
+ * expand tilde from the passwd file.
+ */
+static const Char *
+globtilde(const Char *pattern, Char *patbuf, glob_t *pglob)
+{
+	struct passwd *pwd;
+	char *h;
+	const Char *p;
+	Char *b;
+
+	if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE))
+		return pattern;
+
+	/* Copy up to the end of the string or / */
+	for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; 
+	     *h++ = *p++)
+		continue;
+
+	*h = CHAR_EOS;
+
+	if (((char *) patbuf)[0] == CHAR_EOS) {
+		/* 
+		 * handle a plain ~ or ~/ by expanding $HOME 
+		 * first and then trying the password file
+		 */
+		if ((h = getenv("HOME")) == NULL) {
+			if ((pwd = k_getpwuid(getuid())) == NULL)
+				return pattern;
+			else
+				h = pwd->pw_dir;
+		}
+	}
+	else {
+		/*
+		 * Expand a ~user
+		 */
+		if ((pwd = k_getpwnam((char*) patbuf)) == NULL)
+			return pattern;
+		else
+			h = pwd->pw_dir;
+	}
+
+	/* Copy the home directory */
+	for (b = patbuf; *h; *b++ = *h++)
+		continue;
+	
+	/* Append the rest of the pattern */
+	while ((*b++ = *p++) != CHAR_EOS)
+		continue;
+
+	return patbuf;
+}
+	
+
+/*
+ * The main glob() routine: compiles the pattern (optionally processing
+ * quotes), calls glob1() to do the real pattern matching, and finally
+ * sorts the list (unless unsorted operation is requested).  Returns 0
+ * if things went well, nonzero if errors occurred.  It is not an error
+ * to find no matches.
+ */
+static int
+glob0(const Char *pattern, glob_t *pglob)
+{
+	const Char *qpatnext;
+	int c, err, oldpathc;
+	Char *bufnext, patbuf[MaxPathLen+1];
+
+	qpatnext = globtilde(pattern, patbuf, pglob);
+	oldpathc = pglob->gl_pathc;
+	bufnext = patbuf;
+
+	/* We don't need to check for buffer overflow any more. */
+	while ((c = *qpatnext++) != CHAR_EOS) {
+		switch (c) {
+		case CHAR_LBRACKET:
+			c = *qpatnext;
+			if (c == CHAR_NOT)
+				++qpatnext;
+			if (*qpatnext == CHAR_EOS ||
+			    g_strchr((Char *) qpatnext+1, CHAR_RBRACKET) == NULL) {
+				*bufnext++ = CHAR_LBRACKET;
+				if (c == CHAR_NOT)
+					--qpatnext;
+				break;
+			}
+			*bufnext++ = M_SET;
+			if (c == CHAR_NOT)
+				*bufnext++ = M_NOT;
+			c = *qpatnext++;
+			do {
+				*bufnext++ = CHAR(c);
+				if (*qpatnext == CHAR_RANGE &&
+				    (c = qpatnext[1]) != CHAR_RBRACKET) {
+					*bufnext++ = M_RNG;
+					*bufnext++ = CHAR(c);
+					qpatnext += 2;
+				}
+			} while ((c = *qpatnext++) != CHAR_RBRACKET);
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_END;
+			break;
+		case CHAR_QUESTION:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_ONE;
+			break;
+		case CHAR_STAR:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			/* collapse adjacent stars to one, 
+			 * to avoid exponential behavior
+			 */
+			if (bufnext == patbuf || bufnext[-1] != M_ALL)
+			    *bufnext++ = M_ALL;
+			break;
+		default:
+			*bufnext++ = CHAR(c);
+			break;
+		}
+	}
+	*bufnext = CHAR_EOS;
+#ifdef DEBUG
+	qprintf("glob0:", patbuf);
+#endif
+
+	if ((err = glob1(patbuf, pglob)) != 0)
+		return(err);
+
+	/*
+	 * If there was no match we are going to append the pattern 
+	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
+	 * and the pattern did not contain any magic characters
+	 * GLOB_NOMAGIC is there just for compatibility with csh.
+	 */
+	if (pglob->gl_pathc == oldpathc && 
+	    ((pglob->gl_flags & GLOB_NOCHECK) || 
+	      ((pglob->gl_flags & GLOB_NOMAGIC) &&
+	       !(pglob->gl_flags & GLOB_MAGCHAR))))
+		return(globextend(pattern, pglob));
+	else if (!(pglob->gl_flags & GLOB_NOSORT)) 
+		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
+		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
+	return(0);
+}
+
+static int
+compare(const void *p, const void *q)
+{
+	return(strcmp(*(char **)p, *(char **)q));
+}
+
+static int
+glob1(Char *pattern, glob_t *pglob)
+{
+	Char pathbuf[MaxPathLen+1];
+
+	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
+	if (*pattern == CHAR_EOS)
+		return(0);
+	return(glob2(pathbuf, pathbuf, pattern, pglob));
+}
+
+/*
+ * The functions glob2 and glob3 are mutually recursive; there is one level
+ * of recursion for each segment in the pattern that contains one or more
+ * meta characters.
+ */
+
+#ifndef S_ISLNK
+#if defined(S_IFLNK) && defined(S_IFMT)
+#define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK)
+#else
+#define S_ISLNK(mode) 0
+#endif
+#endif
+
+static int
+glob2(Char *pathbuf, Char *pathend, Char *pattern, glob_t *pglob)
+{
+	struct stat sb;
+	Char *p, *q;
+	int anymeta;
+
+	/*
+	 * Loop over pattern segments until end of pattern or until
+	 * segment with meta character found.
+	 */
+	for (anymeta = 0;;) {
+		if (*pattern == CHAR_EOS) {		/* End of pattern? */
+			*pathend = CHAR_EOS;
+			if (g_lstat(pathbuf, &sb, pglob))
+				return(0);
+		
+			if (((pglob->gl_flags & GLOB_MARK) &&
+			    pathend[-1] != CHAR_SEP) && (S_ISDIR(sb.st_mode)
+			    || (S_ISLNK(sb.st_mode) &&
+			    (g_stat(pathbuf, &sb, pglob) == 0) &&
+			    S_ISDIR(sb.st_mode)))) {
+				*pathend++ = CHAR_SEP;
+				*pathend = CHAR_EOS;
+			}
+			++pglob->gl_matchc;
+			return(globextend(pathbuf, pglob));
+		}
+
+		/* Find end of next segment, copy tentatively to pathend. */
+		q = pathend;
+		p = pattern;
+		while (*p != CHAR_EOS && *p != CHAR_SEP) {
+			if (ismeta(*p))
+				anymeta = 1;
+			*q++ = *p++;
+		}
+
+		if (!anymeta) {		/* No expansion, do next segment. */
+			pathend = q;
+			pattern = p;
+			while (*pattern == CHAR_SEP)
+				*pathend++ = *pattern++;
+		} else			/* Need expansion, recurse. */
+			return(glob3(pathbuf, pathend, pattern, p, pglob));
+	}
+	/* CHAR_NOTREACHED */
+}
+
+static int
+glob3(Char *pathbuf, Char *pathend, Char *pattern, Char *restpattern, 
+      glob_t *pglob)
+{
+	struct dirent *dp;
+	DIR *dirp;
+	int err;
+	char buf[MaxPathLen];
+
+	/*
+	 * The readdirfunc declaration can't be prototyped, because it is
+	 * assigned, below, to two functions which are prototyped in glob.h
+	 * and dirent.h as taking pointers to differently typed opaque
+	 * structures.
+	 */
+	struct dirent *(*readdirfunc)(void *);
+
+	*pathend = CHAR_EOS;
+	errno = 0;
+	    
+	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
+		/* TODO: don't call for ENOENT or ENOTDIR? */
+		if (pglob->gl_errfunc) {
+			g_Ctoc(pathbuf, buf);
+			if (pglob->gl_errfunc(buf, errno) ||
+			    pglob->gl_flags & GLOB_ERR)
+				return (GLOB_ABEND);
+		}
+		return(0);
+	}
+
+	err = 0;
+
+	/* Search directory for matching names. */
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		readdirfunc = pglob->gl_readdir;
+	else
+		readdirfunc = (struct dirent *(*)(void *))readdir;
+	while ((dp = (*readdirfunc)(dirp))) {
+		u_char *sc;
+		Char *dc;
+
+		/* Initial CHAR_DOT must be matched literally. */
+		if (dp->d_name[0] == CHAR_DOT && *pattern != CHAR_DOT)
+			continue;
+		for (sc = (u_char *) dp->d_name, dc = pathend; 
+		     (*dc++ = *sc++) != CHAR_EOS;)
+			continue;
+		if (!match(pathend, pattern, restpattern)) {
+			*pathend = CHAR_EOS;
+			continue;
+		}
+		err = glob2(pathbuf, --dc, restpattern, pglob);
+		if (err)
+			break;
+	}
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		(*pglob->gl_closedir)(dirp);
+	else
+		closedir(dirp);
+	return(err);
+}
+
+
+/*
+ * Extend the gl_pathv member of a glob_t structure to accomodate a new item,
+ * add the new item, and update gl_pathc.
+ *
+ * This assumes the BSD realloc, which only copies the block when its size
+ * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
+ * behavior.
+ *
+ * Return 0 if new item added, error code if memory couldn't be allocated.
+ *
+ * Invariant of the glob_t structure:
+ *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
+ *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+static int
+globextend(const Char *path, glob_t *pglob)
+{
+	char **pathv;
+	int i;
+	u_int newsize;
+	char *copy;
+	const Char *p;
+
+	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
+	pathv = pglob->gl_pathv ? 
+		    realloc(pglob->gl_pathv, newsize) :
+		    malloc(newsize);
+	if (pathv == NULL)
+		return(GLOB_NOSPACE);
+
+	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
+		/* first time around -- clear initial gl_offs items */
+		pathv += pglob->gl_offs;
+		for (i = pglob->gl_offs; --i >= 0; )
+			*--pathv = NULL;
+	}
+	pglob->gl_pathv = pathv;
+
+	for (p = path; *p++;)
+		continue;
+	if ((copy = malloc(p - path)) != NULL) {
+		g_Ctoc(path, copy);
+		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
+	}
+	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+	return(copy == NULL ? GLOB_NOSPACE : 0);
+}
+
+
+/*
+ * pattern matching function for filenames.  Each occurrence of the *
+ * pattern causes a recursion level.
+ */
+static int
+match(Char *name, Char *pat, Char *patend)
+{
+	int ok, negate_range;
+	Char c, k;
+
+	while (pat < patend) {
+		c = *pat++;
+		switch (c & M_MASK) {
+		case M_ALL:
+			if (pat == patend)
+				return(1);
+			do 
+			    if (match(name, pat, patend))
+				    return(1);
+			while (*name++ != CHAR_EOS);
+			return(0);
+		case M_ONE:
+			if (*name++ == CHAR_EOS)
+				return(0);
+			break;
+		case M_SET:
+			ok = 0;
+			if ((k = *name++) == CHAR_EOS)
+				return(0);
+			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != CHAR_EOS)
+				++pat;
+			while (((c = *pat++) & M_MASK) != M_END)
+				if ((*pat & M_MASK) == M_RNG) {
+					if (c <= k && k <= pat[1])
+						ok = 1;
+					pat += 2;
+				} else if (c == k)
+					ok = 1;
+			if (ok == negate_range)
+				return(0);
+			break;
+		default:
+			if (*name++ != c)
+				return(0);
+			break;
+		}
+	}
+	return(*name == CHAR_EOS);
+}
+
+/* Free allocated data belonging to a glob_t structure. */
+void
+globfree(glob_t *pglob)
+{
+	int i;
+	char **pp;
+
+	if (pglob->gl_pathv != NULL) {
+		pp = pglob->gl_pathv + pglob->gl_offs;
+		for (i = pglob->gl_pathc; i--; ++pp)
+			if (*pp)
+				free(*pp);
+		free(pglob->gl_pathv);
+	}
+}
+
+static DIR *
+g_opendir(Char *str, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	if (!*str)
+		strlcpy(buf, ".", sizeof(buf));
+	else
+		g_Ctoc(str, buf);
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_opendir)(buf));
+
+	return(opendir(buf));
+}
+
+static int
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_lstat)(buf, sb));
+	return(lstat(buf, sb));
+}
+
+static int
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_stat)(buf, sb));
+	return(stat(buf, sb));
+}
+
+static Char *
+g_strchr(Char *str, int ch)
+{
+	do {
+		if (*str == ch)
+			return (str);
+	} while (*str++);
+	return (NULL);
+}
+
+#ifdef notdef
+static Char *
+g_strcat(Char *dst, const Char *src)
+{
+	Char *sdst = dst;
+
+	while (*dst++)
+		continue;
+	--dst;
+	while((*dst++ = *src++) != CHAR_EOS)
+	    continue;
+
+	return (sdst);
+}
+#endif
+
+static void
+g_Ctoc(const Char *str, char *buf)
+{
+	char *dc;
+
+	for (dc = buf; (*dc++ = *str++) != CHAR_EOS;)
+		continue;
+}
+
+#ifdef DEBUG
+static void 
+qprintf(const Char *str, Char *s)
+{
+	Char *p;
+
+	printf("%s:\n", str);
+	for (p = s; *p; p++)
+		printf("%c", CHAR(*p));
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", *p & M_PROTECT ? '"' : ' ');
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", ismeta(*p) ? '_' : ' ');
+	printf("\n");
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/glob.h b/crypto/heimdal/lib/roken/glob.h
new file mode 100644
index 0000000..bece48a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal/lib/roken/hstrerror.c b/crypto/heimdal/lib/roken/hstrerror.c
new file mode 100644
index 0000000..11b6a03
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hstrerror.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: hstrerror.c,v 1.23 1999/12/05 13:18:55 assar Exp $");
+#endif
+
+#ifndef HAVE_HSTRERROR
+
+#if (defined(SunOS) && (SunOS >= 50))
+#define hstrerror broken_proto
+#endif
+#include "roken.h"
+#if (defined(SunOS) && (SunOS >= 50))
+#undef hstrerror
+#endif
+
+#ifndef HAVE_H_ERRNO
+int h_errno = -17; /* Some magic number */
+#endif
+
+#if !(defined(HAVE_H_ERRLIST) && defined(HAVE_H_NERR))
+static const char *const h_errlist[] = {
+    "Resolver Error 0 (no error)",
+    "Unknown host",		/* 1 HOST_NOT_FOUND */
+    "Host name lookup failure",	/* 2 TRY_AGAIN */
+    "Unknown server error",	/* 3 NO_RECOVERY */
+    "No address associated with name", /* 4 NO_ADDRESS */
+};
+
+static
+const
+int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
+#else
+
+#ifndef HAVE_H_ERRLIST_DECLARATION
+extern const char *h_errlist[];
+extern int h_nerr;
+#endif
+
+#endif
+
+const char *
+hstrerror(int herr)
+{
+    if (0 <= herr && herr < h_nerr)
+	return h_errlist[herr];
+    else if(herr == -17)
+	return "unknown error";
+    else
+	return "Error number out of range (hstrerror)";
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/inet_aton.c b/crypto/heimdal/lib/roken/inet_aton.c
new file mode 100644
index 0000000..cdc6bdd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_aton.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_aton.c,v 1.13 1999/12/05 13:26:20 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/* Minimal implementation of inet_aton.
+ * Cannot distinguish between failure and a local broadcast address. */
+
+int
+inet_aton(const char *cp, struct in_addr *addr)
+{
+  addr->s_addr = inet_addr(cp);
+  return (addr->s_addr == INADDR_NONE) ? 0 : 1;
+}
diff --git a/crypto/heimdal/lib/roken/inet_ntop.c b/crypto/heimdal/lib/roken/inet_ntop.c
new file mode 100644
index 0000000..f79a35e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_ntop.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_ntop.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#include <roken.h>
+
+/*
+ *
+ */
+
+static const char *
+inet_ntop_v4 (const void *src, char *dst, size_t size)
+{
+    const char digits[] = "0123456789";
+    int i;
+    struct in_addr *addr = (struct in_addr *)src;
+    u_long a = ntohl(addr->s_addr);
+    const char *orig_dst = dst;
+
+    if (size < INET_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 4; ++i) {
+	int n = (a >> (24 - i * 8)) & 0xFF;
+	int non_zerop = 0;
+
+	if (non_zerop || n / 100 > 0) {
+	    *dst++ = digits[n / 100];
+	    n %= 100;
+	    non_zerop = 1;
+	}
+	if (non_zerop || n / 10 > 0) {
+	    *dst++ = digits[n / 10];
+	    n %= 10;
+	    non_zerop = 1;
+	}
+	*dst++ = digits[n];
+	if (i != 3)
+	    *dst++ = '.';
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+
+#ifdef HAVE_IPV6
+static const char *
+inet_ntop_v6 (const void *src, char *dst, size_t size)
+{
+    const char xdigits[] = "0123456789abcdef";
+    int i;
+    const struct in6_addr *addr = (struct in6_addr *)src;
+    const u_char *ptr = addr->s6_addr;
+    const char *orig_dst = dst;
+
+    if (size < INET6_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 8; ++i) {
+	int non_zerop = 1;
+
+	if (non_zerop || (ptr[0] >> 4)) {
+	    *dst++ = xdigits[ptr[0] >> 4];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[0] & 0x0F)) {
+	    *dst++ = xdigits[ptr[0] & 0x0F];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[1] >> 4)) {
+	    *dst++ = xdigits[ptr[1] >> 4];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[1] & 0x0F)) {
+	    *dst++ = xdigits[ptr[1] & 0x0F];
+	    non_zerop = 1;
+	}
+	if (i != 7)
+	    *dst++ = ':';
+	ptr += 2;
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+#endif /* HAVE_IPV6 */
+
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size)
+{
+    switch (af) {
+    case AF_INET :
+	return inet_ntop_v4 (src, dst, size);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return inet_ntop_v6 (src, dst, size);
+#endif
+    default :
+	errno = EAFNOSUPPORT;
+	return NULL;
+    }
+}
diff --git a/crypto/heimdal/lib/roken/inet_pton.c b/crypto/heimdal/lib/roken/inet_pton.c
new file mode 100644
index 0000000..9b195c2
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_pton.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_pton.c,v 1.2 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#include <roken.h>
+
+int
+inet_pton(int af, const char *src, void *dst)
+{
+    if (af != AF_INET) {
+	errno = EAFNOSUPPORT;
+	return -1;
+    }
+    return inet_aton (src, dst);
+}
diff --git a/crypto/heimdal/lib/roken/initgroups.c b/crypto/heimdal/lib/roken/initgroups.c
new file mode 100644
index 0000000..dcf1d08
--- /dev/null
+++ b/crypto/heimdal/lib/roken/initgroups.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: initgroups.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+initgroups(const char *name, gid_t basegid)
+{
+  return 0;
+}
diff --git a/crypto/heimdal/lib/roken/innetgr.c b/crypto/heimdal/lib/roken/innetgr.c
new file mode 100644
index 0000000..4bc57f9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/innetgr.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_INNETGR
+
+RCSID("$Id: innetgr.c,v 1.1 1999/03/11 14:04:01 joda Exp $");
+
+int
+innetgr(const char *netgroup, const char *machine, 
+	const char *user, const char *domain)
+{
+    return 0;
+}
+#endif
+
diff --git a/crypto/kerberosIV/appl/bsd/iruserok.c b/crypto/heimdal/lib/roken/iruserok.c
index 8349d85..3b3880b 100644
--- a/crypto/kerberosIV/appl/bsd/iruserok.c
+++ b/crypto/heimdal/lib/roken/iruserok.c
@@ -31,11 +31,30 @@
  * SUCH DAMAGE.
  */
 
-#include "bsd_locl.h"
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $");
+#endif
 
-RCSID("$Id: iruserok.c,v 1.15 1997/03/23 04:54:00 assar Exp $");
+#include <stdio.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_RPCSVC_YPCLNT_H
+#include <rpcsvc/ypclnt.h>
+#endif
 
-#ifndef HAVE_IRUSEROK
+#include "roken.h"
 
 int     __check_rhosts_file = 1;
 char    *__rcmd_errstr = 0;
@@ -45,14 +64,15 @@ char    *__rcmd_errstr = 0;
  */
 static
 int
-__icheckhost(u_int32_t raddr, const char *lhost)
+__icheckhost(unsigned raddr, const char *lhost)
 {
 	struct hostent *hp;
 	u_long laddr;
 	char **pp;
 
 	/* Try for raw ip address first. */
-	if (isdigit(*lhost) && (long)(laddr = inet_addr(lhost)) != -1)
+	if (isdigit((unsigned char)*lhost)
+	    && (long)(laddr = inet_addr(lhost)) != -1)
 		return (raddr == laddr);
 
 	/* Better be a hostname. */
@@ -68,21 +88,12 @@ __icheckhost(u_int32_t raddr, const char *lhost)
 	return (0);
 }
 
-#ifndef HAVE_INNETGR
-static int
-innetgr(const char *netgroup, const char *machine, 
-	const char *user, const char *domain)
-{
-    return 0;
-}
-#endif
-
 /*
  * Returns 0 if ok, -1 if not ok.
  */
 static
 int
-__ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser,
+__ivaliduser(FILE *hostf, unsigned raddr, const char *luser,
 	     const char *ruser)
 {
 	char *user, *p;
@@ -105,8 +116,7 @@ __ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser,
 				sizeof(u_long),
 				AF_INET)) == NULL)
 		return (-1);
-	strncpy(hname, hp->h_name, sizeof(hname));
-	hname[sizeof(hname) - 1] = '\0';
+	strlcpy(hname, hp->h_name, sizeof(hname));
 
 	while (fgets(buf, sizeof(buf), hostf)) {
 		p = buf;
@@ -120,7 +130,8 @@ __ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser,
 			continue;
 		}
 		while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
-			*p = isupper(*p) ? tolower(*p) : *p;
+		        if (isupper((unsigned char)*p))
+			    *p = tolower((unsigned char)*p);
 			p++;
 		}
 		if (*p == ' ' || *p == '\t') {
@@ -211,7 +222,7 @@ __ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser,
  * Returns 0 if ok, -1 if not ok.
  */
 int
-iruserok(u_int32_t raddr, int superuser, const char *ruser, const char *luser)
+iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser)
 {
 	char *cp;
 	struct stat sbuf;
@@ -235,8 +246,7 @@ again:
 		first = 0;
 		if ((pwd = k_getpwnam((char*)luser)) == NULL)
 			return (-1);
-		strcpy(pbuf, pwd->pw_dir);
-		strcat(pbuf, "/.rhosts");
+		snprintf (pbuf, sizeof(pbuf), "%s/.rhosts", pwd->pw_dir);
 
 		/*
 		 * Change effective uid while opening .rhosts.  If root and
@@ -275,5 +285,3 @@ again:
 	}
 	return (-1);
 }
-
-#endif /* !HAVE_IRUSEROK */
diff --git a/crypto/heimdal/lib/roken/issuid.c b/crypto/heimdal/lib/roken/issuid.c
new file mode 100644
index 0000000..af2aae5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/issuid.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: issuid.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+issuid(void)
+{
+#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
+    if(getuid() != geteuid())
+	return 1;
+#endif
+#if defined(HAVE_GETGID) && defined(HAVE_GETEGID)
+    if(getgid() != getegid())
+	return 2;
+#endif
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/k_getpwnam.c b/crypto/heimdal/lib/roken/k_getpwnam.c
new file mode 100644
index 0000000..40681cd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/k_getpwnam.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwnam (const char *user)
+{
+     struct passwd *p;
+
+     p = getpwnam (user);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if(p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (user);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/heimdal/lib/roken/k_getpwuid.c b/crypto/heimdal/lib/roken/k_getpwuid.c
new file mode 100644
index 0000000..1e2ca54
--- /dev/null
+++ b/crypto/heimdal/lib/roken/k_getpwuid.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwuid (uid_t uid)
+{
+     struct passwd *p;
+
+     p = getpwuid (uid);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if (p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (p->pw_name);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/heimdal/lib/roken/lstat.c b/crypto/heimdal/lib/roken/lstat.c
new file mode 100644
index 0000000..2f03e19
--- /dev/null
+++ b/crypto/heimdal/lib/roken/lstat.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: lstat.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+lstat(const char *path, struct stat *buf)
+{
+  return stat(path, buf);
+}
diff --git a/crypto/heimdal/lib/roken/make-print-version.c b/crypto/heimdal/lib/roken/make-print-version.c
new file mode 100644
index 0000000..d08e023
--- /dev/null
+++ b/crypto/heimdal/lib/roken/make-print-version.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: make-print-version.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef KRB5
+extern char *heimdal_version;
+#endif
+#ifdef KRB4
+extern char *krb4_version;
+#endif
+#include <version.h>
+
+int
+main(int argc, char **argv)
+{
+    FILE *f;
+    if(argc != 2)
+	return 1;
+    f = fopen(argv[1], "w");
+    if(f == NULL)
+	return 1;
+    fprintf(f, "#define VERSIONLIST { ");
+#ifdef KRB5
+    fprintf(f, "\"%s\", ", heimdal_version);
+#endif
+#ifdef KRB4
+    fprintf(f, "\"%s\", ", krb4_version);
+#endif
+    fprintf(f, "}\n");
+    fclose(f);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/memmove.c b/crypto/heimdal/lib/roken/memmove.c
new file mode 100644
index 0000000..b77d56a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/memmove.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+/* 
+ * memmove for systems that doesn't have it 
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+void* memmove(void *s1, const void *s2, size_t n)
+{
+  char *s=(char*)s2, *d=(char*)s1;
+
+  if(d > s){
+    s+=n-1;
+    d+=n-1;
+    while(n){
+      *d--=*s--;
+      n--;
+    }
+  }else if(d < s)
+    while(n){
+      *d++=*s++;
+      n--;
+    }
+  return s1;
+}
diff --git a/crypto/heimdal/lib/roken/mini_inetd.c b/crypto/heimdal/lib/roken/mini_inetd.c
new file mode 100644
index 0000000..9b8a650
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mini_inetd.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: mini_inetd.c,v 1.25 2000/01/26 00:54:48 assar Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#include <err.h>
+#include <roken.h>
+
+/*
+ * accept a connection on `s' and pretend it's served by inetd.
+ */
+
+static void
+accept_it (int s)
+{
+    int s2;
+
+    s2 = accept(s, NULL, 0);
+    if(s2 < 0)
+	err (1, "accept");
+    close(s);
+    dup2(s2, STDIN_FILENO);
+    dup2(s2, STDOUT_FILENO);
+    /* dup2(s2, STDERR_FILENO); */
+    close(s2);
+}
+
+/*
+ * Listen on `port' emulating inetd.
+ */
+
+void
+mini_inetd (int port)
+{
+    int error, ret;
+    struct addrinfo *ai, *a, hints;
+    char portstr[NI_MAXSERV];
+    int n, nalloc, i;
+    int *fds;
+    fd_set orig_read_set, read_set;
+    int max_fd = -1;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = AI_PASSIVE;
+    hints.ai_socktype = SOCK_STREAM;
+
+    snprintf (portstr, sizeof(portstr), "%d", ntohs(port));
+
+    error = getaddrinfo (NULL, portstr, &hints, &ai);
+    if (error)
+	errx (1, "getaddrinfo: %s", gai_strerror (error));
+
+    for (nalloc = 0, a = ai; a != NULL; a = a->ai_next)
+	++nalloc;
+
+    fds = malloc (nalloc * sizeof(*fds));
+    if (fds == NULL)
+	errx (1, "mini_inetd: out of memory");
+
+    FD_ZERO(&orig_read_set);
+
+    for (i = 0, a = ai; a != NULL; a = a->ai_next) {
+	fds[i] = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (fds[i] < 0) {
+	    warn ("socket");
+	    continue;
+	}
+	socket_set_reuseaddr (fds[i], 1);
+	if (bind (fds[i], a->ai_addr, a->ai_addrlen) < 0)
+	    err (1, "bind");
+	if (listen (fds[i], SOMAXCONN) < 0)
+	    err (1, "listen");
+	FD_SET(fds[i], &orig_read_set);
+	max_fd = max(max_fd, fds[i]);
+	++i;
+    }
+    freeaddrinfo (ai);
+    if (i == 0)
+	errx (1, "no sockets");
+    n = i;
+
+    do {
+	read_set = orig_read_set;
+
+	ret = select (max_fd + 1, &read_set, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR)
+	    err (1, "select");
+    } while (ret <= 0);
+
+    for (i = 0; i < n; ++i)
+	if (FD_ISSET (fds[i], &read_set)) {
+	    accept_it (fds[i]);
+	    return;
+	}
+    abort ();
+}
diff --git a/crypto/heimdal/lib/roken/mkstemp.c b/crypto/heimdal/lib/roken/mkstemp.c
new file mode 100644
index 0000000..350f4cb
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mkstemp.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+
+RCSID("$Id: mkstemp.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+
+#ifndef HAVE_MKSTEMP
+
+int
+mkstemp(char *template)
+{
+    int start, i;
+    pid_t val;
+    val = getpid();
+    start = strlen(template) - 1;
+    while(template[start] == 'X') {
+	template[start] = '0' + val % 10;
+	val /= 10;
+	start--;
+    }
+    
+    do{
+	int fd;
+	fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
+	if(fd >= 0 || errno != EEXIST)
+	    return fd;
+	i = start + 1;
+	do{
+	    if(template[i] == 0)
+		return -1;
+	    template[i]++;
+	    if(template[i] == '9' + 1)
+		template[i] = 'a';
+	    if(template[i] <= 'z')
+		break;
+	    template[i] = 'a';
+	    i++;
+	}while(1);
+    }while(1);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/net_read.c b/crypto/heimdal/lib/roken/net_read.c
new file mode 100644
index 0000000..6d45bfa
--- /dev/null
+++ b/crypto/heimdal/lib/roken/net_read.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_read.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never return partial data.
+ */
+
+ssize_t
+net_read (int fd, void *buf, size_t nbytes)
+{
+    char *cbuf = (char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = recv (fd, cbuf, rem, 0);
+#else
+	count = read (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	} else if (count == 0) {
+	    return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/heimdal/lib/roken/net_write.c b/crypto/heimdal/lib/roken/net_write.c
new file mode 100644
index 0000000..2f63dbe
--- /dev/null
+++ b/crypto/heimdal/lib/roken/net_write.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_write.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never return partial data.
+ */
+
+ssize_t
+net_write (int fd, const void *buf, size_t nbytes)
+{
+    const char *cbuf = (const char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = send (fd, cbuf, rem, 0);
+#else
+	count = write (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes-test.c b/crypto/heimdal/lib/roken/parse_bytes-test.c
new file mode 100644
index 0000000..499d942
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes-test.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes-test.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include "parse_bytes.h"
+
+static struct testcase {
+    int canonicalp;
+    int val;
+    const char *def_unit;
+    const char *str;
+} tests[] = {
+    {0, 0, NULL, "0 bytes"},
+    {1, 0, NULL, "0"},
+    {0, 1, NULL, "1"},
+    {1, 1, NULL, "1 byte"},
+    {0, 0, "kilobyte", "0"},
+    {0, 1024, "kilobyte", "1"},
+    {1, 1024, "kilobyte", "1 kilobyte"},
+    {1, 1024 * 1024, NULL, "1 megabyte"},
+    {0, 1025, NULL, "1 kilobyte 1"},
+    {1, 1025, NULL, "1 kilobyte 1 byte"},
+};
+
+int
+main(int argc, char **argv)
+{
+    int i;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	char buf[256];
+	int val = parse_bytes (tests[i].str, tests[i].def_unit);
+	size_t len;
+
+	if (val != tests[i].val) {
+	    printf ("parse_bytes (%s, %s) = %d != %d\n",
+		    tests[i].str,
+		    tests[i].def_unit ? tests[i].def_unit : "none",
+		    val, tests[i].val);
+	    ++ret;
+	}
+	if (tests[i].canonicalp) {
+	    len = unparse_bytes (tests[i].val, buf, sizeof(buf));
+	    if (strcmp (tests[i].str, buf) != 0) {
+		printf ("unparse_bytes (%d) = \"%s\" != \"%s\"\n",
+			tests[i].val, buf, tests[i].str);
+		++ret;
+	    }
+	}    
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes.c b/crypto/heimdal/lib/roken/parse_bytes.c
new file mode 100644
index 0000000..f3c514f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_bytes.h"
+
+static units bytes_units[] = {
+    { "gigabyte", 1024 * 1024 * 1024 },
+    { "gbyte", 1024 * 1024 * 1024 },
+    { "GB", 1024 * 1024 * 1024 },
+    { "megabyte", 1024 * 1024 },
+    { "mbyte", 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "kilobyte", 1024 },
+    { "KB", 1024 },
+    { "byte", 1 },
+    { NULL, 0 }
+};
+
+static units bytes_short_units[] = {
+    { "GB", 1024 * 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "KB", 1024 },
+    { NULL, 0 }
+};
+
+int
+parse_bytes (const char *s, const char *def_unit)
+{
+    return parse_units (s, bytes_units, def_unit);
+}
+
+size_t
+unparse_bytes (int t, char *s, size_t len)
+{
+    return unparse_units (t, bytes_units, s, len);
+}
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, bytes_short_units, s, len);
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes.h b/crypto/heimdal/lib/roken/parse_bytes.h
new file mode 100644
index 0000000..8116c1c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_bytes.h,v 1.2 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_BYTES_H__
+#define __PARSE_BYTES_H__
+
+int
+parse_bytes (const char *s, const char *def_unit);
+
+size_t
+unparse_bytes (int t, char *s, size_t len);
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len);
+
+#endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/heimdal/lib/roken/parse_time.c b/crypto/heimdal/lib/roken/parse_time.c
new file mode 100644
index 0000000..a09ded7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_time.c,v 1.5 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_time.h"
+
+static units time_units[] = {
+    {"year",	365 * 24 * 60 * 60},
+    {"month",	30 * 24 * 60 * 60},
+    {"week",	7 * 24 * 60 * 60},
+    {"day",	24 * 60 * 60},
+    {"hour",	60 * 60},
+    {"h",	60 * 60},
+    {"minute",	60},
+    {"m",	60},
+    {"second",	1},
+    {"s",	1},
+    {NULL, 0},
+};
+
+int
+parse_time (const char *s, const char *def_unit)
+{
+    return parse_units (s, time_units, def_unit);
+}
+
+size_t
+unparse_time (int t, char *s, size_t len)
+{
+    return unparse_units (t, time_units, s, len);
+}
+
+size_t
+unparse_time_approx (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, time_units, s, len);
+}
+
+void
+print_time_table (FILE *f)
+{
+    print_units_table (time_units, f);
+}
diff --git a/crypto/heimdal/lib/roken/parse_time.h b/crypto/heimdal/lib/roken/parse_time.h
new file mode 100644
index 0000000..55de505
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_TIME_H__
+#define __PARSE_TIME_H__
+
+int
+parse_time (const char *s, const char *def_unit);
+
+size_t
+unparse_time (int t, char *s, size_t len);
+
+size_t
+unparse_time_approx (int t, char *s, size_t len);
+
+void
+print_time_table (FILE *f);
+
+#endif /* __PARSE_TIME_H__ */
diff --git a/crypto/heimdal/lib/roken/parse_units.c b/crypto/heimdal/lib/roken/parse_units.c
new file mode 100644
index 0000000..34c5030
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_units.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_units.c,v 1.12 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+#include <string.h>
+#include <roken.h>
+#include "parse_units.h"
+
+/*
+ * Parse string in `s' according to `units' and return value.
+ * def_unit defines the default unit.
+ */
+
+static int
+parse_something (const char *s, const struct units *units,
+		 const char *def_unit,
+		 int (*func)(int res, int val, unsigned mult),
+		 int init,
+		 int accept_no_val_p)
+{
+    const char *p;
+    int res = init;
+    unsigned def_mult = 1;
+
+    if (def_unit != NULL) {
+	const struct units *u;
+
+	for (u = units; u->name; ++u) {
+	    if (strcasecmp (u->name, def_unit) == 0) {
+		def_mult = u->mult;
+		break;
+	    }
+	}
+	if (u->name == NULL)
+	    return -1;
+    }
+
+    p = s;
+    while (*p) {
+	double val;
+	char *next;
+	const struct units *u, *partial_unit;
+	size_t u_len;
+	unsigned partial;
+	int no_val_p = 0;
+
+	while(isspace((unsigned char)*p) || *p == ',')
+	    ++p;
+
+	val = strtod (p, &next); /* strtol(p, &next, 0); */
+	if (val == 0 && p == next) {
+	    if(!accept_no_val_p)
+		return -1;
+	    no_val_p = 1;
+	}
+	p = next;
+	while (isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '\0') {
+	    res = (*func)(res, val, def_mult);
+	    if (res < 0)
+		return res;
+	    break;
+	} else if (*p == '+') {
+	    ++p;
+	    val = 1;
+	} else if (*p == '-') {
+	    ++p;
+	    val = -1;
+	}
+	if (no_val_p && val == 0)
+	    val = 1;
+	u_len = strcspn (p, ", \t");
+	partial = 0;
+	partial_unit = NULL;
+	if (u_len > 1 && p[u_len - 1] == 's')
+	    --u_len;
+	for (u = units; u->name; ++u) {
+	    if (strncasecmp (p, u->name, u_len) == 0) {
+		if (u_len == strlen (u->name)) {
+		    p += u_len;
+		    res = (*func)(res, val, u->mult);
+		    if (res < 0)
+			return res;
+		    break;
+		} else {
+		    ++partial;
+		    partial_unit = u;
+		}
+	    }
+	}
+	if (u->name == NULL) {
+	    if (partial == 1) {
+		p += u_len;
+		res = (*func)(res, val, partial_unit->mult);
+		if (res < 0)
+		    return res;
+	    } else {
+		return -1;
+	    }
+	}
+	if (*p == 's')
+	    ++p;
+    }
+    return res;
+}
+
+/*
+ * The string consists of a sequence of `n unit'
+ */
+
+static int
+acc_units(int res, int val, unsigned mult)
+{
+    return res + val * mult;
+}
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit)
+{
+    return parse_something (s, units, def_unit, acc_units, 0, 0);
+}
+
+/*
+ * The string consists of a sequence of `[+-]flag'.  `orig' consists
+ * the original set of flags, those are then modified and returned as
+ * the function value.
+ */
+
+static int
+acc_flags(int res, int val, unsigned mult)
+{
+    if(val == 1)
+	return res | mult;
+    else if(val == -1)
+	return res & ~mult;
+    else if (val == 0)
+	return mult;
+    else
+	return -1;
+}
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig)
+{
+    return parse_something (s, units, NULL, acc_flags, orig, 1);
+}
+
+/*
+ * Return a string representation according to `units' of `num' in `s'
+ * with maximum length `len'.  The actual length is the function value.
+ */
+
+static size_t
+unparse_something (int num, const struct units *units, char *s, size_t len,
+		   int (*print) (char *s, size_t len, int div,
+				const char *name, int rem),
+		   int (*update) (int in, unsigned mult),
+		   const char *zero_string)
+{
+    const struct units *u;
+    size_t ret = 0, tmp;
+
+    if (num == 0)
+	return snprintf (s, len, "%s", zero_string);
+
+    for (u = units; num > 0 && u->name; ++u) {
+	int div;
+
+	div = num / u->mult;
+	if (div) {
+	    num = (*update) (num, u->mult);
+	    tmp = (*print) (s, len, div, u->name, num);
+
+	    len -= tmp;
+	    s += tmp;
+	    ret += tmp;
+	}
+    }
+    return ret;
+}
+
+static int
+print_unit (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%u %s%s%s",
+		     div, name,
+		     div == 1 ? "" : "s",
+		     rem > 0 ? " " : "");
+}
+
+static int
+update_unit (int in, unsigned mult)
+{
+    return in % mult;
+}
+
+static int
+update_unit_approx (int in, unsigned mult)
+{
+    if (in / mult > 0)
+	return 0;
+    else
+	return update_unit (in, mult);
+}
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit,
+			      "0");
+}
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit_approx,
+			      "0");
+}
+
+void
+print_units_table (const struct units *units, FILE *f)
+{
+    const struct units *u, *u2;
+    unsigned max_sz = 0;
+
+    for (u = units; u->name; ++u) {
+	max_sz = max(max_sz, strlen(u->name));
+    }
+
+    for (u = units; u->name;) {
+	char buf[1024];
+	const struct units *next;
+
+	for (next = u + 1; next->name && next->mult == u->mult; ++next)
+	    ;
+
+	if (next->name) {
+	    for (u2 = next;
+		 u2->name && u->mult % u2->mult != 0;
+		 ++u2)
+		;
+	    if (u2->name == NULL)
+		--u2;
+	    unparse_units (u->mult, u2, buf, sizeof(buf));
+	    fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf);
+	} else {
+	    fprintf (f, "1 %s\n", u->name);
+	}
+	u = next;
+    }
+}
+
+static int
+print_flag (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : "");
+}
+
+static int
+update_flag (int in, unsigned mult)
+{
+    return in - mult;
+}
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_flag,
+			      update_flag,
+			      "");
+}
+
+void
+print_flags_table (const struct units *units, FILE *f)
+{
+    const struct units *u;
+
+    for(u = units; u->name; ++u)
+	fprintf(f, "%s%s", u->name, (u+1)->name ? ", " : "\n");
+}
diff --git a/crypto/heimdal/lib/roken/parse_units.h b/crypto/heimdal/lib/roken/parse_units.h
new file mode 100644
index 0000000..f159d30
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_units.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_units.h,v 1.6 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_UNITS_H__
+#define __PARSE_UNITS_H__
+
+#include <stdio.h>
+#include <stddef.h>
+
+struct units {
+    const char *name;
+    unsigned mult;
+};
+
+typedef struct units units;
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit);
+
+void
+print_units_table (const struct units *units, FILE *f);
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig);
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len);
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s,
+		      size_t len);
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len);
+
+void
+print_flags_table (const struct units *units, FILE *f);
+
+#endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/heimdal/lib/roken/print_version.c b/crypto/heimdal/lib/roken/print_version.c
new file mode 100644
index 0000000..3b35ee1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/print_version.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: print_version.c,v 1.6 2000/02/06 06:52:32 assar Exp $");
+#endif
+#include "roken.h"
+
+#include "print_version.h"
+
+void
+print_version(const char *progname)
+{
+    const char *arg[] = VERSIONLIST;
+    const int num_args = sizeof(arg) / sizeof(arg[0]);
+    char *msg;
+    size_t len = 0;
+    int i;
+    
+    if(progname == NULL)
+	progname = __progname;
+    
+    if(num_args == 0)
+	msg = "no version information";
+    else {
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		len += 2;
+	    len += strlen(arg[i]);
+	}
+	msg = malloc(len + 1);
+	if(msg == NULL) {
+	    fprintf(stderr, "%s: out of memory\n", progname);
+	    return;
+	}
+	msg[0] = '\0';
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		strcat(msg, ", ");
+	    strcat(msg, arg[i]);
+	}
+    }
+    fprintf(stderr, "%s (%s)\n", progname, msg);
+    fprintf(stderr, "Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan\n");
+    if(num_args != 0)
+	free(msg);
+}
diff --git a/crypto/heimdal/lib/roken/putenv.c b/crypto/heimdal/lib/roken/putenv.c
new file mode 100644
index 0000000..80951d1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/putenv.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: putenv.c,v 1.6 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdlib.h>
+
+extern char **environ;
+
+/*
+ * putenv --
+ *	String points to a string of the form name=value.
+ *
+ *      Makes the value of the environment variable name equal to
+ *      value by altering an existing variable or creating a new one.
+ */
+int putenv(const char *string)
+{
+    int i;
+    int len;
+    
+    len = string - strchr(string, '=') + 1;
+
+    if(environ == NULL){
+	environ = malloc(sizeof(char*));
+	if(environ == NULL)
+	    return 1;
+	environ[0] = NULL;
+    }
+
+    for(i = 0; environ[i]; i++)
+	if(strncmp(string, environ[i], len)){
+	    environ[len] = string;
+	    return 0;
+	}
+    environ = realloc(environ, sizeof(char*) * (i + 1));
+    if(environ == NULL)
+	return 1;
+    environ[i] = string;
+    environ[i+1] = NULL;
+    return 0;
+}
+
diff --git a/crypto/heimdal/lib/roken/rcmd.c b/crypto/heimdal/lib/roken/rcmd.c
new file mode 100644
index 0000000..4117948
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rcmd.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: rcmd.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include <stdio.h>
+
+int
+rcmd(char **ahost,
+     unsigned short inport,
+     const char *locuser,
+     const char *remuser,
+     const char *cmd,
+     int *fd2p)
+{
+  fprintf(stderr, "Only kerberized services are implemented\n");
+  return -1;
+}
diff --git a/crypto/heimdal/lib/roken/readv.c b/crypto/heimdal/lib/roken/readv.c
new file mode 100644
index 0000000..de2f9ea
--- /dev/null
+++ b/crypto/heimdal/lib/roken/readv.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: readv.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = read (d, buf, tot);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/recvmsg.c b/crypto/heimdal/lib/roken/recvmsg.c
new file mode 100644
index 0000000..e94ad68
--- /dev/null
+++ b/crypto/heimdal/lib/roken/recvmsg.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: recvmsg.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+recvmsg(int s, struct msghdr *msg, int flags)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = recvfrom (s, buf, tot, flags, msg->msg_name, &msg->msg_namelen);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+	++iov;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/krb/resolve.c b/crypto/heimdal/lib/roken/resolve.c
index 7777c0e..8840740 100644
--- a/crypto/kerberosIV/lib/krb/resolve.c
+++ b/crypto/heimdal/lib/roken/resolve.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,17 +31,26 @@
  * SUCH DAMAGE.
  */
 
-#include "krb_locl.h"
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
 #include "resolve.h"
 
-RCSID("$Id: resolve.c,v 1.11 1997/06/01 04:19:20 assar Exp $");
+RCSID("$Id: resolve.c,v 1.22 1999/12/02 16:58:52 joda Exp $");
 
 #if defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND)
 
 #define DECL(X) {#X, T_##X}
 
 static struct stot{
-    char *name;
+    const char *name;
     int type;
 }stot[] = {
     DECL(A),
@@ -60,6 +64,8 @@ static struct stot{
     {NULL, 	0}
 };
 
+int _resolve_debug;
+
 static int
 string_to_type(const char *name)
 {
@@ -70,8 +76,7 @@ string_to_type(const char *name)
     return -1;
 }
 
-#if 0
-static char *
+static const char *
 type_to_string(int type)
 {
     struct stot *p = stot;
@@ -80,7 +85,6 @@ type_to_string(int type)
 	    return p->name;
     return NULL;
 }
-#endif
 
 void
 dns_free_data(struct dns_reply *r)
@@ -110,18 +114,29 @@ parse_reply(unsigned char *data, int len)
     struct dns_reply *r;
     struct resource_record **rr;
     
-    r = (struct dns_reply*)malloc(sizeof(struct dns_reply));
-    memset(r, 0, sizeof(struct dns_reply));
+    r = calloc(1, sizeof(*r));
+    if (r == NULL)
+	return NULL;
 
     p = data;
+#if 0
+    /* doesn't work on Crays */
     memcpy(&r->h, p, sizeof(HEADER));
     p += sizeof(HEADER);
+#else
+    memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */
+    p += 12;
+#endif
     status = dn_expand(data, data + len, p, host, sizeof(host));
     if(status < 0){
 	dns_free_data(r);
 	return NULL;
     }
     r->q.domain = strdup(host);
+    if(r->q.domain == NULL) {
+	dns_free_data(r);
+	return NULL;
+    }
     p += status;
     r->q.type = (p[0] << 8 | p[1]);
     p += 2;
@@ -146,7 +161,15 @@ parse_reply(unsigned char *data, int len)
 	p += 2;
 	*rr = (struct resource_record*)calloc(1, 
 					      sizeof(struct resource_record));
+	if(*rr == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
 	(*rr)->domain = strdup(host);
+	if((*rr)->domain == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
 	(*rr)->type = type;
 	(*rr)->class = class;
 	(*rr)->ttl = ttl;
@@ -161,6 +184,10 @@ parse_reply(unsigned char *data, int len)
 		return NULL;
 	    }
 	    (*rr)->u.txt = strdup(host);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
 	    break;
 	case T_MX:
 	case T_AFSDB:{
@@ -171,6 +198,10 @@ parse_reply(unsigned char *data, int len)
 	    }
 	    (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + 
 						    strlen(host));
+	    if((*rr)->u.mx == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
 	    (*rr)->u.mx->preference = (p[0] << 8) | p[1];
 	    strcpy((*rr)->u.mx->domain, host);
 	    break;
@@ -184,6 +215,10 @@ parse_reply(unsigned char *data, int len)
 	    (*rr)->u.srv = 
 		(struct srv_record*)malloc(sizeof(struct srv_record) + 
 					   strlen(host));
+	    if((*rr)->u.srv == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
 	    (*rr)->u.srv->priority = (p[0] << 8) | p[1];
 	    (*rr)->u.srv->weight = (p[2] << 8) | p[3];
 	    (*rr)->u.srv->port = (p[4] << 8) | p[5];
@@ -192,6 +227,10 @@ parse_reply(unsigned char *data, int len)
 	}
 	case T_TXT:{
 	    (*rr)->u.txt = (char*)malloc(size + 1);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
 	    strncpy((*rr)->u.txt, (char*)p + 1, *p);
 	    (*rr)->u.txt[*p] = 0;
 	    break;
@@ -199,6 +238,10 @@ parse_reply(unsigned char *data, int len)
 	    
 	default:
 	    (*rr)->u.data = (unsigned char*)malloc(size);
+	    if(size != 0 && (*rr)->u.data == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
 	    memcpy((*rr)->u.data, p, size);
 	}
 	p += size;
@@ -208,24 +251,47 @@ parse_reply(unsigned char *data, int len)
     return r;
 }
 
-
-
-struct dns_reply *
-dns_lookup(const char *domain, const char *type_name)
+static struct dns_reply *
+dns_lookup_int(const char *domain, int rr_class, int rr_type)
 {
     unsigned char reply[1024];
     int len;
-    int type;
     struct dns_reply *r = NULL;
+    u_long old_options = 0;
     
-    type = string_to_type(type_name);
-    len = res_search(domain, C_IN, type, reply, sizeof(reply));
-    if(len >= 0)
+    if (_resolve_debug) {
+        old_options = _res.options;
+	_res.options |= RES_DEBUG;
+	fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
+		rr_class, type_to_string(rr_type));
+    }
+    len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
+    if (_resolve_debug) {
+        _res.options = old_options;
+	fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
+		domain, rr_class, type_to_string(rr_type), len);
+    }
+    if (len >= 0)
 	r = parse_reply(reply, len);
     return r;
 }
 
-#else /* defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
+struct dns_reply *
+dns_lookup(const char *domain, const char *type_name)
+{
+    int type;
+    
+    type = string_to_type(type_name);
+    if(type == -1) {
+	if(_resolve_debug)
+	    fprintf(stderr, "dns_lookup: unknown resource type: `%s'\n", 
+		    type_name);
+	return NULL;
+    }
+    return dns_lookup_int(domain, C_IN, type);
+}
+
+#else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
 
 struct dns_reply *
 dns_lookup(const char *domain, const char *type_name)
@@ -241,7 +307,6 @@ dns_free_data(struct dns_reply *r)
 #endif
 
 #ifdef TEST
-
 int 
 main(int argc, char **argv)
 {
@@ -256,23 +321,23 @@ main(int argc, char **argv)
 	printf("%s %s %d ", rr->domain, type_to_string(rr->type), rr->ttl);
 	switch(rr->type){
 	case T_NS:
-	    printf("%s\n", (char*)rr->data);
+	    printf("%s\n", (char*)rr->u.data);
 	    break;
 	case T_A:
 	    printf("%d.%d.%d.%d\n", 
-		   ((unsigned char*)rr->data)[0],
-		   ((unsigned char*)rr->data)[1],
-		   ((unsigned char*)rr->data)[2],
-		   ((unsigned char*)rr->data)[3]);
+		   ((unsigned char*)rr->u.data)[0],
+		   ((unsigned char*)rr->u.data)[1],
+		   ((unsigned char*)rr->u.data)[2],
+		   ((unsigned char*)rr->u.data)[3]);
 	    break;
 	case T_MX:
 	case T_AFSDB:{
-	    struct mx_record *mx = (struct mx_record*)rr->data;
+	    struct mx_record *mx = (struct mx_record*)rr->u.data;
 	    printf("%d %s\n", mx->preference, mx->domain);
 	    break;
 	}
 	case T_SRV:{
-	    struct srv_record *srv = (struct srv_record*)rr->data;
+	    struct srv_record *srv = (struct srv_record*)rr->u.data;
 	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
 		   srv->port, srv->target);
 	    break;
diff --git a/crypto/kerberosIV/lib/krb/resolve.h b/crypto/heimdal/lib/roken/resolve.h
index dac9993..c90f6b5 100644
--- a/crypto/kerberosIV/lib/krb/resolve.h
+++ b/crypto/heimdal/lib/roken/resolve.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,10 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: resolve.h,v 1.5 1997/05/14 17:41:25 joda Exp $ */
-
-/* THIS IS NOT (yet) A PUBLIC INTERFACE */
-
+/* $Id: resolve.h,v 1.8 1999/12/02 16:58:52 joda Exp $ */
 
 #ifndef __RESOLVE_H__
 #define __RESOLVE_H__
@@ -53,7 +45,10 @@
 #define T_AFSDB		18
 #endif
 #ifndef T_SRV
-#define T_SRV		 33
+#define T_SRV		33
+#endif
+#ifndef T_NAPTR
+#define T_NAPTR		35
 #endif
 
 struct dns_query{
@@ -91,8 +86,7 @@ struct resource_record{
     struct resource_record *next;
 };
 
-
-#ifndef HAVE_ARPA_NAMESER_H /* XXX */
+#ifndef T_A /* XXX if <arpa/nameser.h> isn't included */
 typedef int HEADER; /* will never be used */
 #endif
 
@@ -104,7 +98,6 @@ struct dns_reply{
 
 
 struct dns_reply* dns_lookup(const char *, const char *);
-
-void dns_free_data(struct dns_reply *r);
+void dns_free_data(struct dns_reply *);
 
 #endif /* __RESOLVE_H__ */
diff --git a/crypto/heimdal/lib/roken/resource.h b/crypto/heimdal/lib/roken/resource.h
new file mode 100644
index 0000000..01cd01d
--- /dev/null
+++ b/crypto/heimdal/lib/roken/resource.h
@@ -0,0 +1,15 @@
+//{{NO_DEPENDENCIES}}

+// Microsoft Developer Studio generated include file.

+// Used by roken.rc

+//

+

+// Next default values for new objects

+// 

+#ifdef APSTUDIO_INVOKED

+#ifndef APSTUDIO_READONLY_SYMBOLS

+#define _APS_NEXT_RESOURCE_VALUE        101

+#define _APS_NEXT_COMMAND_VALUE         40001

+#define _APS_NEXT_CONTROL_VALUE         1000

+#define _APS_NEXT_SYMED_VALUE           101

+#endif

+#endif

diff --git a/crypto/heimdal/lib/roken/roken-common.h b/crypto/heimdal/lib/roken/roken-common.h
new file mode 100644
index 0000000..8bdc986
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken-common.h
@@ -0,0 +1,294 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken-common.h,v 1.27 2000/02/14 02:24:44 assar Exp $ */
+
+#ifndef __ROKEN_COMMON_H__
+#define __ROKEN_COMMON_H__
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001
+#endif
+
+#ifndef SOMAXCONN
+#define SOMAXCONN 5
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO 0
+#endif
+
+#ifndef STDOUT_FILENO
+#define STDOUT_FILENO 1
+#endif
+
+#ifndef STDERR_FILENO
+#define STDERR_FILENO 2
+#endif
+
+#ifndef max
+#define max(a,b) (((a)>(b))?(a):(b))
+#endif
+
+#ifndef min
+#define min(a,b) (((a)<(b))?(a):(b))
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef LOG_DAEMON
+#define openlog(id,option,facility) openlog((id),(option))
+#define	LOG_DAEMON	0
+#endif
+#ifndef LOG_ODELAY
+#define LOG_ODELAY 0
+#endif
+#ifndef LOG_NDELAY
+#define LOG_NDELAY 0x08
+#endif
+#ifndef LOG_CONS
+#define LOG_CONS 0
+#endif
+#ifndef LOG_AUTH
+#define LOG_AUTH 0
+#endif
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#ifndef F_OK
+#define F_OK 0
+#endif
+
+#ifndef O_ACCMODE
+#define O_ACCMODE	003
+#endif
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_HEQUIV
+#define _PATH_HEQUIV "/etc/hosts.equiv"
+#endif
+
+#ifndef MAXPATHLEN
+#define MAXPATHLEN (1024+4)
+#endif
+
+#ifndef SIG_ERR
+#define SIG_ERR ((RETSIGTYPE (*)())-1)
+#endif
+
+/*
+ * error code for getipnodeby{name,addr}
+ */
+
+#ifndef HOST_NOT_FOUND
+#define HOST_NOT_FOUND 1
+#endif
+
+#ifndef TRY_AGAIN
+#define TRY_AGAIN 2
+#endif
+
+#ifndef NO_RECOVERY
+#define NO_RECOVERY 3
+#endif
+
+#ifndef NO_DATA
+#define NO_DATA 4
+#endif
+
+#ifndef NO_ADDRESS
+#define NO_ADDRESS NO_DATA
+#endif
+
+/*
+ * error code for getaddrinfo
+ */
+
+#ifndef EAI_NOERROR
+#define EAI_NOERROR	0	/* no error */
+#endif
+
+#ifndef EAI_ADDRFAMILY
+
+#define EAI_ADDRFAMILY	1	/* address family for nodename not supported */
+#define EAI_AGAIN	2	/* temporary failure in name resolution */
+#define EAI_BADFLAGS	3	/* invalid value for ai_flags */
+#define EAI_FAIL	4	/* non-recoverable failure in name resolution */
+#define EAI_FAMILY	5	/* ai_family not supported */
+#define EAI_MEMORY	6	/* memory allocation failure */
+#define EAI_NODATA	7	/* no address associated with nodename */
+#define EAI_NONAME	8	/* nodename nor servname provided, or not known */
+#define EAI_SERVICE	9	/* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE   10	/* ai_socktype not supported */
+#define EAI_SYSTEM     11	/* system error returned in errno */
+
+#endif /* EAI_ADDRFAMILY */
+
+/* flags for getaddrinfo() */
+
+#ifndef AI_PASSIVE
+
+#define AI_PASSIVE	0x01
+#define AI_CANONNAME	0x02
+#define AI_NUMERICHOST	0x04
+
+#endif /* AI_PASSIVE */
+
+/* flags for getnameinfo() */
+
+#ifndef NI_DGRAM
+#define NI_DGRAM	0x01
+#define NI_NAMEREQD	0x02
+#define NI_NOFQDN	0x04
+#define NI_NUMERICHOST	0x08
+#define NI_NUMERICSERV	0x10
+#endif
+
+/*
+ * constants for getnameinfo
+ */
+
+#ifndef NI_MAXHOST
+#define NI_MAXHOST  1025
+#define NI_MAXSERV    32
+#endif
+
+/*
+ * constants for inet_ntop
+ */
+
+#ifndef INET_ADDRSTRLEN
+#define INET_ADDRSTRLEN    16
+#endif
+
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN   46
+#endif
+
+/*
+ * for shutdown(2)
+ */
+
+#ifndef SHUT_RD
+#define SHUT_RD 0
+#endif
+
+#ifndef SHUT_WR
+#define SHUT_WR 1
+#endif
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+#if IRIX != 4 /* fix for compiler bug */
+#ifdef RETSIGTYPE
+typedef RETSIGTYPE (*SigAction)(/* int??? */);
+SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
+#endif
+#endif
+
+int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
+int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
+int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
+int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
+
+void ROKEN_LIB_FUNCTION print_version(const char *);
+
+void *ROKEN_LIB_FUNCTION emalloc (size_t);
+void *ROKEN_LIB_FUNCTION erealloc (void *, size_t);
+char *ROKEN_LIB_FUNCTION estrdup (const char *);
+
+ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
+
+size_t
+socket_addr_size (const struct sockaddr *sa);
+
+void
+socket_set_any (struct sockaddr *sa, int af);
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa);
+
+void *
+socket_get_address (struct sockaddr *sa);
+
+int
+socket_get_port (const struct sockaddr *sa);
+
+void
+socket_set_port (struct sockaddr *sa, int port);
+
+void
+socket_set_debug (int sock);
+
+void
+socket_set_tos (int sock, int tos);
+
+void
+socket_set_reuseaddr (int sock, int val);
+
+char **
+vstrcollect(va_list *ap);
+
+char **
+strcollect(char *first, ...);
+
+
+#endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal/lib/roken/roken.awk b/crypto/heimdal/lib/roken/roken.awk
new file mode 100644
index 0000000..626fae5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.awk
@@ -0,0 +1,35 @@
+BEGIN {
+	print "#include <stdio.h>"
+	print "#ifdef HAVE_CONFIG_H"
+	print "#include <config.h>"
+	print "#endif"
+	print ""
+	print "int main()"
+	print "{"
+	    print "puts(\"/* This is an OS dependent, generated file */\");"
+	print "puts(\"\\n\");"
+	print "puts(\"#ifndef __ROKEN_H__\");"
+	print "puts(\"#define __ROKEN_H__\");"
+	print "puts(\"\");"
+}
+END {
+	print "puts(\"#endif /* __ROKEN_H__ */\");"
+	print "exit(0);"
+	print "}"
+}
+
+$1 == "\#ifdef" || $1 == "\#ifndef" || $1 == "\#if" || $1 == "\#else" || $1 == "\#elif" || $1 == "\#endif" || $1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
+	print $0;
+	next
+}
+
+{
+	s = ""
+	for(i = 1; i <= length; i++){
+		x = substr($0, i, 1)
+		if(x == "\"" || x == "\\")
+			s = s "\\";
+		s = s x;
+	}
+	print "puts(\"" s "\");"
+}
diff --git a/crypto/heimdal/lib/roken/roken.def b/crypto/heimdal/lib/roken/roken.def
new file mode 100644
index 0000000..f9b0369
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.def
@@ -0,0 +1,17 @@
+LIBRARY roken BASE=0x68f0000
+EXPORTS
+	gettimeofday
+	strcasecmp
+	strtok_r
+	snprintf
+	asprintf
+	vsnprintf
+	base64_decode
+	base64_encode
+	roken_concat
+	roken_vconcat
+	roken_vmconcat
+	roken_mconcat
+	getuid
+	dns_free_data
+	dns_lookup
diff --git a/crypto/heimdal/lib/roken/roken.dsp b/crypto/heimdal/lib/roken/roken.dsp
new file mode 100644
index 0000000..d84854e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.dsp
@@ -0,0 +1,156 @@
+# Microsoft Developer Studio Project File - Name="roken" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=roken - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir ".\Release"
+# PROP BASE Intermediate_Dir ".\Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\Release"
+# PROP Intermediate_Dir ".\Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x68e7780" /subsystem:windows /dll /machine:I386
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir ".\Debug"
+# PROP BASE Intermediate_Dir ".\Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\Debug"
+# PROP Intermediate_Dir ".\Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386 /def:".\roken.def"
+# SUBTRACT LINK32 /pdb:none
+
+!ENDIF 
+
+# Begin Target
+
+# Name "roken - Win32 Release"
+# Name "roken - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90"
+# Begin Source File
+
+SOURCE=.\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\concat.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\gettimeofday.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getuid.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\resolve.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\roken.def
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP Exclude_From_Build 1
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\snprintf.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strcasecmp.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strtok_r.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd"
+# Begin Source File
+
+SOURCE=.\resolve.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe"
+# Begin Source File
+
+SOURCE=.\roken.rc
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/crypto/heimdal/lib/roken/roken.h.in b/crypto/heimdal/lib/roken/roken.h.in
new file mode 100644
index 0000000..3abe6eb
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.h.in
@@ -0,0 +1,576 @@
+/* -*- C -*- */
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken.h.in,v 1.135 2000/02/14 02:24:20 assar Exp $ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_WINSOCK_H
+#include <winsock.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef ROKEN_LIB_FUNCTION
+#if defined(__BORLANDC__)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */
+#elif defined(_MSC_VER)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#include <roken-common.h>
+
+#if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
+#define setsid _setsid
+#endif
+
+#ifndef HAVE_PUTENV
+int putenv(const char *string);
+#endif
+
+#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO)
+int setenv(const char *var, const char *val, int rewrite);
+#endif
+
+#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO)
+void unsetenv(const char *name);
+#endif
+
+#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO)
+char *getusershell(void);
+void endusershell(void);
+#endif
+
+#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO)
+int snprintf (char *str, size_t sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO)
+int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO)
+int asprintf (char **ret, const char *format, ...)
+     __attribute__ ((format (printf, 2, 3)));
+#endif
+
+#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO)
+int vasprintf (char **ret, const char *format, va_list ap)
+     __attribute__((format (printf, 2, 0)));
+#endif
+
+#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO)
+int asnprintf (char **ret, size_t max_sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO)
+int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#ifndef HAVE_STRDUP
+char * strdup(const char *old);
+#endif
+
+#ifndef HAVE_STRNDUP
+char * strndup(const char *old, size_t sz);
+#endif
+
+#ifndef HAVE_STRLWR
+char * strlwr(char *);
+#endif
+
+#ifndef HAVE_STRNLEN
+size_t strnlen(const char*, size_t);
+#endif
+
+#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO)
+char *strsep(char**, const char*);
+#endif
+
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+#endif
+
+#ifdef NEED_FCLOSE_PROTO
+int fclose(FILE *);
+#endif
+
+#ifdef NEED_STRTOK_R_PROTO
+char *strtok_r(char *s1, const char *s2, char **lasts);
+#endif
+
+#ifndef HAVE_STRUPR
+char * strupr(char *);
+#endif
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_STRLCAT
+size_t strlcat (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_GETDTABLESIZE
+int getdtablesize(void);
+#endif
+
+#if !defined(HAVE_STRERROR) && !defined(strerror)
+char *strerror(int eno);
+#endif
+
+#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO)
+/* This causes a fatal error under Psoriasis */
+#if !(defined(SunOS) && (SunOS >= 50))
+const char *hstrerror(int herr);
+#endif
+#endif
+
+#ifndef HAVE_H_ERRNO_DECLARATION
+extern int h_errno;
+#endif
+
+#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO)
+int inet_aton(const char *cp, struct in_addr *adr);
+#endif
+
+#ifndef HAVE_INET_NTOP
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+
+#ifndef HAVE_INET_PTON
+int
+inet_pton(int af, const char *src, void *dst);
+#endif
+
+#if !defined(HAVE_GETCWD)
+char* getcwd(char *path, size_t size);
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+struct passwd *k_getpwnam (const char *user);
+struct passwd *k_getpwuid (uid_t uid);
+#endif
+
+const char *get_default_username (void);
+
+#ifndef HAVE_SETEUID
+int seteuid(uid_t euid);
+#endif
+
+#ifndef HAVE_SETEGID
+int setegid(gid_t egid);
+#endif
+
+#ifndef HAVE_LSTAT
+int lstat(const char *path, struct stat *buf);
+#endif
+
+#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO)
+int mkstemp(char *);
+#endif
+
+#ifndef HAVE_CGETENT
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetstr(char *buf, const char *cap, char **str);
+#endif
+
+#ifndef HAVE_INITGROUPS
+int initgroups(const char *name, gid_t basegid);
+#endif
+
+#ifndef HAVE_FCHOWN
+int fchown(int fd, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_DAEMON
+int daemon(int nochdir, int noclose);
+#endif
+
+#ifndef HAVE_INNETGR
+int innetgr(const char *netgroup, const char *machine, 
+	    const char *user, const char *domain);
+#endif
+
+#ifndef HAVE_CHOWN
+int chown(const char *path, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_RCMD
+int rcmd(char **ahost, unsigned short inport, const char *locuser,
+	 const char *remuser, const char *cmd, int *fd2p);
+#endif
+
+#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO)
+int innetgr(const char*, const char*, const char*, const char*);
+#endif
+
+#ifndef HAVE_IRUSEROK
+int iruserok(unsigned raddr, int superuser, const char *ruser,
+	     const char *luser);
+#endif
+
+#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO)
+int gethostname(char *name, int namelen);
+#endif
+
+#ifndef HAVE_WRITEV
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_READV
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_MKSTEMP
+int
+mkstemp(char *template);
+#endif
+
+#ifndef HAVE_FLOCK
+#ifndef LOCK_SH
+#define LOCK_SH   1		/* Shared lock */
+#endif
+#ifndef	LOCK_EX
+#define LOCK_EX   2		/* Exclusive lock */
+#endif
+#ifndef LOCK_NB
+#define LOCK_NB   4		/* Don't block when locking */
+#endif
+#ifndef LOCK_UN
+#define LOCK_UN   8		/* Unlock */
+#endif
+
+int flock(int fd, int operation);
+#endif /* HAVE_FLOCK */
+
+time_t tm2time (struct tm tm, int local);
+
+int unix_verify_user(char *user, char *password);
+
+void mini_inetd (int port);
+
+int roken_concat (char *s, size_t len, ...);
+
+size_t roken_mconcat (char **s, size_t max_len, ...);
+
+int roken_vconcat (char *s, size_t len, va_list args);
+
+size_t roken_vmconcat (char **s, size_t max_len, va_list args);
+
+ssize_t net_write (int fd, const void *buf, size_t nbytes);
+
+ssize_t net_read (int fd, void *buf, size_t nbytes);
+
+int issuid(void);
+
+#ifndef HAVE_STRUCT_WINSIZE
+struct winsize {
+	unsigned short ws_row, ws_col;
+	unsigned short ws_xpixel, ws_ypixel;
+};
+#endif
+
+int get_window_size(int fd, struct winsize *);
+
+#ifndef HAVE_VSYSLOG
+void vsyslog(int pri, const char *fmt, va_list ap);
+#endif
+
+#ifndef HAVE_OPTARG_DECLARATION
+extern char *optarg;
+#endif
+#ifndef HAVE_OPTIND_DECLARATION
+extern int optind;
+#endif
+#ifndef HAVE_OPTERR_DECLARATION
+extern int opterr;
+#endif
+
+#ifndef HAVE___PROGNAME_DECLARATION
+extern const char *__progname;
+#endif
+
+#ifndef HAVE_ENVIRON_DECLARATION
+extern char **environ;
+#endif
+
+#ifndef HAVE_GETIPNODEBYNAME
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num);
+#endif
+
+#ifndef HAVE_GETIPNODEBYADDR
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num);
+#endif
+
+#ifndef HAVE_FREEHOSTENT
+void
+freehostent (struct hostent *h);
+#endif
+
+#ifndef HAVE_COPYHOSTENT
+struct hostent *
+copyhostent (const struct hostent *h);
+#endif
+
+#ifndef HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
+#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
+
+#ifndef HAVE_SA_FAMILY_T
+typedef unsigned short sa_family_t;
+#endif
+
+#ifdef HAVE_IPV6
+#define _SS_MAXSIZE sizeof(struct sockaddr_in6)
+#else
+#define _SS_MAXSIZE sizeof(struct sockaddr_in)
+#endif
+
+#define _SS_ALIGNSIZE	sizeof(unsigned long)
+
+#if HAVE_STRUCT_SOCKADDR_SA_LEN
+
+typedef unsigned char roken_sa_family_t;
+
+#define _SS_PAD1SIZE   (_SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char))
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    unsigned char	ss_len;
+    roken_sa_family_t	ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+typedef unsigned short roken_sa_family_t;
+
+#define _SS_PAD1SIZE   (_SS_ALIGNSIZE - sizeof (roken_sa_family_t))
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    roken_sa_family_t	ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */
+
+#ifndef HAVE_STRUCT_ADDRINFO
+struct addrinfo {
+    int    ai_flags;
+    int    ai_family;
+    int    ai_socktype;
+    int    ai_protocol;
+    size_t ai_addrlen;
+    char  *ai_canonname;
+    struct sockaddr *ai_addr;
+    struct addrinfo *ai_next;
+};
+#endif
+
+#ifndef HAVE_GETADDRINFO
+int
+getaddrinfo(const char *nodename,
+	    const char *servname,
+	    const struct addrinfo *hints,
+	    struct addrinfo **res);
+#endif
+
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *sa, socklen_t salen,
+		char *host, size_t hostlen,
+		char *serv, size_t servlen,
+		int flags);
+#endif
+
+#ifndef HAVE_FREEADDRINFO
+void
+freeaddrinfo(struct addrinfo *ai);
+#endif
+
+#ifndef HAVE_GAI_STRERROR
+char *
+gai_strerror(int ecode);
+#endif
+
+int
+getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
+		     char *host, size_t hostlen,
+		     char *serv, size_t servlen,
+		     int flags);
+
+int
+roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **);
+
+#ifndef HAVE_STRFTIME
+size_t
+strftime (char *buf, size_t maxsize, const char *format,
+	  const struct tm *tm);
+#endif
+
+#ifndef HAVE_STRPTIME
+char *
+strptime (const char *buf, const char *format, struct tm *timeptr);
+#endif
+
+/*
+ * kludges and such
+ */
+
+#if 1
+int roken_gethostby_setup(const char*, const char*);
+struct hostent* roken_gethostbyname(const char*);
+struct hostent* roken_gethostbyaddr(const void*, size_t, int);
+#else
+#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE
+#define roken_gethostbyname(x) gethostbyname(x)
+#else
+#define roken_gethostbyname(x) gethostbyname((char *)x)
+#endif
+
+#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t)
+#else
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t)
+#endif
+#endif
+
+#ifdef GETSERVBYNAME_PROTO_COMPATIBLE
+#define roken_getservbyname(x,y) getservbyname(x,y)
+#else
+#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y)
+#endif
+
+#ifdef OPENLOG_PROTO_COMPATIBLE
+#define roken_openlog(a,b,c) openlog(a,b,c)
+#else
+#define roken_openlog(a,b,c) openlog((char *)a,b,c)
+#endif
+
+void set_progname(char *argv0);
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/roken.mak b/crypto/heimdal/lib/roken/roken.mak
new file mode 100644
index 0000000..da9a834
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.mak
@@ -0,0 +1,316 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on roken.dsp
+!IF "$(CFG)" == ""
+CFG=roken - Win32 Release
+!MESSAGE No configuration specified. Defaulting to roken - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "roken - Win32 Release" && "$(CFG)" != "roken - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line.  For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I\
+ "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D\
+ "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\
+ /FD /c 
+CPP_OBJS=.\Release/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /base:"0x68e7780" /subsystem:windows /dll /incremental:no\
+ /pdb:"$(OUTDIR)\roken.pdb" /machine:I386 /def:".\roken.def"\
+ /out:"$(OUTDIR)\roken.dll" /implib:"$(OUTDIR)\roken.lib" 
+DEF_FILE= \
+	".\roken.def"
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.ilk"
+	-@erase "$(OUTDIR)\roken.lib"
+	-@erase "$(OUTDIR)\roken.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I\
+ "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Debug/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /subsystem:windows /dll /incremental:yes /pdb:"$(OUTDIR)\roken.pdb" /debug\
+ /machine:I386 /def:".\roken.def" /out:"$(OUTDIR)\roken.dll"\
+ /implib:"$(OUTDIR)\roken.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(CFG)" == "roken - Win32 Release" || "$(CFG)" == "roken - Win32 Debug"
+SOURCE=.\base64.c
+DEP_CPP_BASE6=\
+	"..\..\include\win32\config.h"\
+	".\base64.h"\
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) $(DEP_CPP_BASE6) "$(INTDIR)"
+
+
+SOURCE=.\concat.c
+DEP_CPP_CONCA=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\concat.obj" : $(SOURCE) $(DEP_CPP_CONCA) "$(INTDIR)"
+
+
+SOURCE=.\gettimeofday.c
+DEP_CPP_GETTI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\gettimeofday.obj" : $(SOURCE) $(DEP_CPP_GETTI) "$(INTDIR)"
+
+
+SOURCE=.\getuid.c
+DEP_CPP_GETUI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getuid.obj" : $(SOURCE) $(DEP_CPP_GETUI) "$(INTDIR)"
+
+
+SOURCE=.\resolve.c
+DEP_CPP_RESOL=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\resolve.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\resolve.obj" : $(SOURCE) $(DEP_CPP_RESOL) "$(INTDIR)"
+
+
+SOURCE=.\snprintf.c
+DEP_CPP_SNPRI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\snprintf.obj" : $(SOURCE) $(DEP_CPP_SNPRI) "$(INTDIR)"
+
+
+SOURCE=.\strcasecmp.c
+DEP_CPP_STRCA=\
+	"..\..\include\win32\config.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strcasecmp.obj" : $(SOURCE) $(DEP_CPP_STRCA) "$(INTDIR)"
+
+
+SOURCE=.\strtok_r.c
+DEP_CPP_STRTO=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strtok_r.obj" : $(SOURCE) $(DEP_CPP_STRTO) "$(INTDIR)"
+
+
+SOURCE=.\roken.rc
+
+"$(INTDIR)\roken.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+	
+
+
+!ENDIF 
+
diff --git a/crypto/heimdal/lib/roken/roken.rc b/crypto/heimdal/lib/roken/roken.rc
new file mode 100644
index 0000000..e7e2f3e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.rc
@@ -0,0 +1,105 @@
+//Microsoft Developer Studio generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// Swedish resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE)
+#ifdef _WIN32
+LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT
+#pragma code_page(1252)
+#endif //_WIN32
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+#ifndef _MAC
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 1,0,0,1
+ PRODUCTVERSION 1,0,0,1
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x1L
+#else
+ FILEFLAGS 0x0L
+#endif
+ FILEOS 0x40004L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904b0"
+        BEGIN
+            VALUE "CompanyName", "Royal Institute of Technology (KTH)\0"
+            VALUE "FileDescription", "roken\0"
+            VALUE "FileVersion", "4, 0, 9, 9\0"
+            VALUE "InternalName", "roken\0"
+            VALUE "LegalCopyright", "Copyright © 1996 - 1998  Royal Institute of Technology (KTH)\0"
+            VALUE "OriginalFilename", "roken.dll\0"
+            VALUE "ProductName", "KTH Kerberos\0"
+            VALUE "ProductVersion", "4,0,9,9\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
+
+#endif    // !_MAC
+
+#endif    // Swedish resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/crypto/heimdal/lib/roken/roken_gethostby.c b/crypto/heimdal/lib/roken/roken_gethostby.c
new file mode 100644
index 0000000..6df6c57
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken_gethostby.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: roken_gethostby.c,v 1.5 1999/12/05 13:16:44 assar Exp $");
+#endif
+
+#include <roken.h>
+
+#undef roken_gethostbyname
+#undef roken_gethostbyaddr
+
+static struct sockaddr_in dns_addr;
+static char *dns_req;
+
+static int
+make_address(const char *address, struct in_addr *ip)
+{
+    if(inet_aton(address, ip) == 0){
+	/* try to resolve as hostname, it might work if the address we
+           are trying to lookup is local, for instance a web proxy */
+	struct hostent *he = gethostbyname(address);
+	if(he) {
+	    unsigned char *p = (unsigned char*)he->h_addr;
+	    ip->s_addr = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	} else {
+	    return -1;
+	}
+    }
+    return 0;
+}
+
+static int
+setup_int(const char *proxy_host, short proxy_port,
+	  const char *dns_host, short dns_port,
+	  const char *dns_path)
+{
+    memset(&dns_addr, 0, sizeof(dns_addr));
+    if(dns_req)
+	free(dns_req);
+    if(proxy_host) {
+	if(make_address(proxy_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(proxy_port);
+	asprintf(&dns_req, "http://%s:%d%s", dns_host, dns_port, dns_path);
+    } else {
+	if(make_address(dns_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(dns_port);
+	asprintf(&dns_req, "%s", dns_path);
+    }
+    dns_addr.sin_family = AF_INET;
+    return 0;
+}
+
+static void
+split_spec(const char *spec, char **host, int *port, char **path, int def_port)
+{
+    char *p;
+    *host = strdup(spec);
+    p = strchr(*host, ':');
+    if(p) {
+	*p++ = '\0';
+	if(sscanf(p, "%d", port) != 1)
+	    *port = def_port;
+    } else
+	*port = def_port;
+    p = strchr(p ? p : *host, '/');
+    if(p) {
+	if(path) 
+	    *path = strdup(p);
+	*p = '\0';
+    }else
+	if(path) 
+	    *path = NULL;
+}
+
+
+int
+roken_gethostby_setup(const char *proxy_spec, const char *dns_spec)
+{
+    char *proxy_host = NULL;
+    int proxy_port;
+    char *dns_host, *dns_path;
+    int dns_port;
+    
+    int ret = -1;
+    
+    split_spec(dns_spec, &dns_host, &dns_port, &dns_path, 80);
+    if(dns_path == NULL)
+	goto out;
+    if(proxy_spec)
+	split_spec(proxy_spec, &proxy_host, &proxy_port, NULL, 80);
+    ret = setup_int(proxy_host, proxy_port, dns_host, dns_port, dns_path);
+out:
+    free(proxy_host);
+    free(dns_host);
+    free(dns_path);
+    return ret;
+}
+    
+
+/* Try to lookup a name or an ip-address using http as transport
+   mechanism. See the end of this file for an example program. */
+static struct hostent*
+roken_gethostby(const char *hostname)
+{
+    int s;
+    struct sockaddr_in sin;
+    char *request;
+    char buf[1024];
+    int offset = 0;
+    int n;
+    char *p, *foo;
+    
+    if(dns_addr.sin_family == 0)
+	return NULL; /* no configured host */
+    sin = dns_addr;
+    asprintf(&request, "GET %s?%s HTTP/1.0\r\n\r\n", dns_req, hostname);
+    if(request == NULL)
+	return NULL;
+    s  = socket(AF_INET, SOCK_STREAM, 0);
+    if(s < 0) {
+	free(request);
+	return NULL;
+    }
+    if(connect(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    if(write(s, request, strlen(request)) != strlen(request)) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    free(request);
+    while(1) {
+	n = read(s, buf + offset, sizeof(buf) - offset);
+	if(n <= 0)
+	    break;
+	offset += n;
+    }
+    buf[offset] = '\0';
+    close(s);
+    p = strstr(buf, "\r\n\r\n"); /* find end of header */
+    if(p) p += 4;
+    else return NULL;
+    foo = NULL;
+    p = strtok_r(p, " \t\r\n", &foo);
+    if(p == NULL)
+	return NULL;
+    {
+	/* make a hostent to return */
+#define MAX_ADDRS 16
+	static struct hostent he;
+	static char addrs[4 * MAX_ADDRS];
+	static char *addr_list[MAX_ADDRS];
+	int num_addrs = 0;
+	
+	he.h_name = p;
+	he.h_aliases = NULL;
+	he.h_addrtype = AF_INET;
+	he.h_length = 4;
+	
+	while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) {
+	    struct in_addr ip;
+	    inet_aton(p, &ip);
+	    ip.s_addr = ntohl(ip.s_addr);
+	    addr_list[num_addrs] = &addrs[num_addrs * 4];
+	    addrs[num_addrs * 4 + 0] = (ip.s_addr >> 24) & 0xff;
+	    addrs[num_addrs * 4 + 1] = (ip.s_addr >> 16) & 0xff;
+	    addrs[num_addrs * 4 + 2] = (ip.s_addr >> 8) & 0xff;
+	    addrs[num_addrs * 4 + 3] = (ip.s_addr >> 0) & 0xff;
+	    addr_list[++num_addrs] = NULL;
+	}
+	he.h_addr_list = addr_list;
+	return &he;
+    }
+}
+
+struct hostent*
+roken_gethostbyname(const char *hostname)
+{
+    struct hostent *he;
+    he = gethostbyname(hostname);
+    if(he)
+	return he;
+    return roken_gethostby(hostname);
+}
+
+struct hostent*
+roken_gethostbyaddr(const void *addr, size_t len, int type)
+{
+    struct in_addr a;
+    const char *p;
+    struct hostent *he;
+    he = gethostbyaddr(addr, len, type);
+    if(he)
+	return he;
+    if(type != AF_INET || len != 4)
+	return NULL;
+    p = addr;
+    a.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+    return roken_gethostby(inet_ntoa(a));
+}
+
+#if 0
+
+/* this program can be used as a cgi `script' to lookup names and
+   ip-addresses */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <sys/param.h>
+
+int
+main(int argc, char **argv)
+{
+    char *query = getenv("QUERY_STRING");
+    char host[MAXHOSTNAMELEN];
+    int i;
+    struct hostent *he;
+    
+    printf("Content-type: text/plain\n\n");
+    if(query == NULL)
+	exit(0);
+    he = gethostbyname(query);
+    strncpy(host, he->h_name, sizeof(host));
+    host[sizeof(host) - 1] = '\0';
+    he = gethostbyaddr(he->h_addr, he->h_length, AF_INET);
+    printf("%s\n", he->h_name);
+    for(i = 0; he->h_addr_list[i]; i++) {
+	struct in_addr ip;
+	unsigned char *p = (unsigned char*)he->h_addr_list[i];
+	ip.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+	printf("%s\n", inet_ntoa(ip));
+    }
+    exit(0);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/sendmsg.c b/crypto/heimdal/lib/roken/sendmsg.c
new file mode 100644
index 0000000..7075bf2
--- /dev/null
+++ b/crypto/heimdal/lib/roken/sendmsg.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sendmsg.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+sendmsg(int s, const struct msghdr *msg, int flags)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < msg->msg_iovlen; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = sendto (s, buf, tot, flags, msg->msg_name, msg->msg_namelen);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/setegid.c b/crypto/heimdal/lib/roken/setegid.c
new file mode 100644
index 0000000..2f46fe4
--- /dev/null
+++ b/crypto/heimdal/lib/roken/setegid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+setegid(gid_t egid)
+{
+#ifdef HAVE_SETREGID
+    return setregid(-1, egid);
+#endif
+
+#ifdef HAVE_SETRESGID
+    return setresgid(-1, egid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/heimdal/lib/roken/setenv.c b/crypto/heimdal/lib/roken/setenv.c
new file mode 100644
index 0000000..15b5811
--- /dev/null
+++ b/crypto/heimdal/lib/roken/setenv.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * This is the easy way out, use putenv to implement setenv. We might
+ * leak some memory but that is ok since we are usally about to exec
+ * anyway.
+ */
+
+int
+setenv(const char *var, const char *val, int rewrite)
+{
+    char *t;
+
+    if (!rewrite && getenv(var) != 0)
+	return 0;
+  
+    asprintf (&t, "%s=%s", var, val);
+    if (t == NULL)
+	return -1;
+
+    if (putenv(t) == 0)
+	return 0;
+    else
+	return -1;
+}
diff --git a/crypto/heimdal/lib/roken/seteuid.c b/crypto/heimdal/lib/roken/seteuid.c
new file mode 100644
index 0000000..ee68ba7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/seteuid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+seteuid(uid_t euid)
+{
+#ifdef HAVE_SETREUID
+    return setreuid(-1, euid);
+#endif
+
+#ifdef HAVE_SETRESUID
+    return setresuid(-1, euid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/kerberosIV/lib/krb/et_list.c b/crypto/heimdal/lib/roken/signal.c
index 69d1c89..85f36ee 100644
--- a/crypto/kerberosIV/lib/krb/et_list.c
+++ b/crypto/heimdal/lib/roken/signal.c
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -36,39 +31,51 @@
  * SUCH DAMAGE.
  */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: signal.c,v 1.10 1999/12/14 01:37:58 assar Exp $");
+#endif
+
+#include <signal.h>
+
 /*
- * This is a hack to resolve the reference to _et_list when making a
- * shared library under Psoriasis and possibly other systems. Presumably
- * they define __ELF__, some people say Linux does so.
+ * We would like to always use this signal but there is a link error
+ * on NEXTSTEP
+ */
+#if !defined(NeXT) && !defined(__APPLE__)
+/*
+ * Bugs:
+ *
+ * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
  */
 
-#include "config.h"
-
-RCSID("$Id: et_list.c,v 1.12 1997/05/13 09:45:01 bg Exp $");
+typedef RETSIGTYPE (*SigAction)(/* int??? */);
 
-struct et_list {
-    struct et_list *next;
-    const struct error_table *table;
-};
+SigAction
+signal(int iSig, SigAction pAction)
+{
+    struct sigaction saNew, saOld;
 
-#if defined(__GNUC__)
+    saNew.sa_handler = pAction;
+    sigemptyset(&saNew.sa_mask);
+    saNew.sa_flags = 0;
 
-#ifdef __FreeBSD__
-asm(".globl __et_list");	/* FreeBSD bug workaround */
+    if (iSig == SIGALRM)
+	{
+#ifdef SA_INTERRUPT
+	    saNew.sa_flags |= SA_INTERRUPT;
 #endif
-struct et_list * _et_list __attribute__ ((weak)) = 0;
-
-#else /* !__GNUC__ */
-
-#ifdef HAVE_PRAGMA_WEAK
-
-#pragma weak _et_list = __et_list
-struct et_list * __et_list = 0;
-
-#else /* !HAVE_PRAGMA_WEAK */
-
-struct et_list * _et_list = 0;
+	}
+    else
+	{
+#ifdef SA_RESTART
+	    saNew.sa_flags |= SA_RESTART;
+#endif
+	}
 
-#endif /* !HAVE_PRAGMA_WEAK */
+    if (sigaction(iSig, &saNew, &saOld) < 0)
+	return(SIG_ERR);
 
-#endif /* !__GNUC__ */
+    return(saOld.sa_handler);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/simple_exec.c b/crypto/heimdal/lib/roken/simple_exec.c
new file mode 100644
index 0000000..4aa22fa
--- /dev/null
+++ b/crypto/heimdal/lib/roken/simple_exec.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: simple_exec.c,v 1.7 2000/01/09 10:58:51 assar Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <errno.h>
+
+#include <roken.h>
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+/* return values:
+   -1   on `unspecified' system errors
+   -2   on fork failures
+   -3   on waitpid errors
+   0-   is return value from subprocess
+   126  if the program couldn't be executed
+   127  if the program couldn't be found
+   128- is 128 + signal that killed subprocess
+   */
+
+static int
+check_status(pid_t pid)
+{
+    while(1) {
+	int status;
+
+	while(waitpid(pid, &status, 0) < 0)
+	    if (errno != EINTR)
+		return -3;
+	if(WIFSTOPPED(status))
+	    continue;
+	if(WIFEXITED(status))
+	    return WEXITSTATUS(status);
+	if(WIFSIGNALED(status))
+	    return WTERMSIG(status) + 128;
+    }
+}
+
+int
+simple_execvp(const char *file, char *const args[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execvp(file, args);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+/* gee, I'd like a execvpe */
+int
+simple_execve(const char *file, char *const args[], char *const envp[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execve(file, args, envp);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+int
+simple_execlp(const char *file, ...)
+{
+    va_list ap;
+    char **argv;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execvp(file, argv);
+    free(argv);
+    return ret;
+}
+
+int
+simple_execle(const char *file, ... /* ,char *const envp[] */)
+{
+    va_list ap;
+    char **argv;
+    char *const* envp;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    envp = va_arg(ap, char **);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execve(file, argv, envp);
+    free(argv);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/snprintf.c b/crypto/heimdal/lib/roken/snprintf.c
new file mode 100644
index 0000000..4f69e66
--- /dev/null
+++ b/crypto/heimdal/lib/roken/snprintf.c
@@ -0,0 +1,619 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: snprintf.c,v 1.25 2000/02/16 01:38:52 assar Exp $");
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <roken.h>
+
+enum format_flags {
+    minus_flag     =  1,
+    plus_flag      =  2,
+    space_flag     =  4,
+    alternate_flag =  8,
+    zero_flag      = 16
+};
+
+/*
+ * Common state
+ */
+
+struct state {
+  unsigned char *str;
+  unsigned char *s;
+  unsigned char *theend;
+  size_t sz;
+  size_t max_sz;
+  int (*append_char)(struct state *, unsigned char);
+  int (*reserve)(struct state *, size_t);
+  /* XXX - methods */
+};
+
+#ifndef HAVE_VSNPRINTF
+static int
+sn_reserve (struct state *state, size_t n)
+{
+  return state->s + n > state->theend;
+}
+
+static int
+sn_append_char (struct state *state, unsigned char c)
+{
+  if (sn_reserve (state, 1)) {
+    return 1;
+  } else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+#endif
+
+static int
+as_reserve (struct state *state, size_t n)
+{
+  if (state->s + n > state->theend) {
+    int off = state->s - state->str;
+    unsigned char *tmp;
+
+    if (state->max_sz && state->sz >= state->max_sz)
+      return 1;
+
+    state->sz = max(state->sz * 2, state->sz + n);
+    if (state->max_sz)
+      state->sz = min(state->sz, state->max_sz);
+    tmp = realloc (state->str, state->sz);
+    if (tmp == NULL)
+      return 1;
+    state->str = tmp;
+    state->s = state->str + off;
+    state->theend = state->str + state->sz - 1;
+  }
+  return 0;
+}
+
+static int
+as_append_char (struct state *state, unsigned char c)
+{
+  if(as_reserve (state, 1))
+    return 1;
+  else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+
+static int
+append_number(struct state *state,
+	      unsigned long num, unsigned base, char *rep,
+	      int width, int prec, int flags, int minusp)
+{
+  int len = 0;
+  int i;
+
+  /* given precision, ignore zero flag */
+  if(prec != -1)
+    flags &= ~zero_flag;
+  else
+    prec = 1;
+  /* zero value with zero precision -> "" */
+  if(prec == 0 && num == 0)
+    return 0;
+  do{
+    if((*state->append_char)(state, rep[num % base]))
+      return 1;
+    len++;
+    num /= base;
+  }while(num);
+  prec -= len;
+  /* pad with prec zeros */
+  while(prec-- > 0){
+    if((*state->append_char)(state, '0'))
+      return 1;
+    len++;
+  }
+  /* add length of alternate prefix (added later) to len */
+  if(flags & alternate_flag && (base == 16 || base == 8))
+    len += base / 8;
+  /* pad with zeros */
+  if(flags & zero_flag){
+    width -= len;
+    if(minusp || (flags & space_flag) || (flags & plus_flag))
+      width--;
+    while(width-- > 0){
+      if((*state->append_char)(state, '0'))
+	return 1;
+      len++;
+    }
+  }
+  /* add alternate prefix */
+  if(flags & alternate_flag && (base == 16 || base == 8)){
+    if(base == 16)
+      if((*state->append_char)(state, rep[10] + 23)) /* XXX */
+	return 1;
+    if((*state->append_char)(state, '0'))
+      return 1;
+  }
+  /* add sign */
+  if(minusp){
+    if((*state->append_char)(state, '-'))
+      return 1;
+    len++;
+  } else if(flags & plus_flag) {
+    if((*state->append_char)(state, '+'))
+      return 1;
+    len++;
+  } else if(flags & space_flag) {
+    if((*state->append_char)(state, ' '))
+      return 1;
+    len++;
+  }
+  if(flags & minus_flag)
+    /* swap before padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+  width -= len;
+  while(width-- > 0){
+    if((*state->append_char)(state,  ' '))
+      return 1;
+    len++;
+  }
+  if(!(flags & minus_flag))
+    /* swap after padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+    
+  return 0;
+}
+
+static int
+append_string (struct state *state,
+	       unsigned char *arg,
+	       int width,
+	       int prec,
+	       int flags)
+{
+  if(prec != -1)
+    width -= prec;
+  else
+    width -= strlen((char *)arg);
+  if(!(flags & minus_flag))
+    while(width-- > 0)
+      if((*state->append_char) (state, ' '))
+	return 1;
+  if (prec != -1) {
+    while (*arg && prec--)
+      if ((*state->append_char) (state, *arg++))
+	return 1;
+  } else {
+    while (*arg)
+      if ((*state->append_char) (state, *arg++))
+	return 1;
+  }
+  if(flags & minus_flag)
+    while(width-- > 0)
+      if((*state->append_char) (state, ' '))
+	return 1;
+  return 0;
+}
+
+static int
+append_char(struct state *state,
+	    unsigned char arg,
+	    int width,
+	    int flags)
+{
+  while(!(flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  if((*state->append_char) (state, arg))
+    return 1;
+  while((flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  return 0;
+}
+
+/*
+ * This can't be made into a function...
+ */
+
+#define PARSE_INT_FORMAT(res, arg, unsig) \
+if (long_flag) \
+     res = (unsig long)va_arg(arg, unsig long); \
+else if (short_flag) \
+     res = (unsig short)va_arg(arg, unsig int); \
+else \
+     res = (unsig int)va_arg(arg, unsig int)
+
+/*
+ * zyxprintf - return 0 or -1
+ */
+
+static int
+xyzprintf (struct state *state, const char *char_format, va_list ap)
+{
+  const unsigned char *format = (const unsigned char *)char_format;
+  unsigned char c;
+
+  while((c = *format++)) {
+    if (c == '%') {
+      int flags      = 0;
+      int width      = 0;
+      int prec       = -1;
+      int long_flag  = 0;
+      int short_flag = 0;
+
+      /* flags */
+      while((c = *format++)){
+	if(c == '-')
+	  flags |= minus_flag;
+	else if(c == '+')
+	  flags |= plus_flag;
+	else if(c == ' ')
+	  flags |= space_flag;
+	else if(c == '#')
+	  flags |= alternate_flag;
+	else if(c == '0')
+	  flags |= zero_flag;
+	else
+	  break;
+      }
+      
+      if((flags & space_flag) && (flags & plus_flag))
+	flags ^= space_flag;
+
+      if((flags & minus_flag) && (flags & zero_flag))
+	flags ^= zero_flag;
+
+      /* width */
+      if (isdigit(c))
+	do {
+	  width = width * 10 + c - '0';
+	  c = *format++;
+	} while(isdigit(c));
+      else if(c == '*') {
+	width = va_arg(ap, int);
+	c = *format++;
+      }
+
+      /* precision */
+      if (c == '.') {
+	prec = 0;
+	c = *format++;
+	if (isdigit(c))
+	  do {
+	    prec = prec * 10 + c - '0';
+	    c = *format++;
+	  } while(isdigit(c));
+	else if (c == '*') {
+	  prec = va_arg(ap, int);
+	  c = *format++;
+	}
+      }
+
+      /* size */
+
+      if (c == 'h') {
+	short_flag = 1;
+	c = *format++;
+      } else if (c == 'l') {
+	long_flag = 1;
+	c = *format++;
+      }
+
+      switch (c) {
+      case 'c' :
+	if(append_char(state, va_arg(ap, int), width, flags))
+	  return -1;
+	break;
+      case 's' :
+	if (append_string(state,
+			  va_arg(ap, unsigned char*),
+			  width,
+			  prec, 
+			  flags))
+	  return -1;
+	break;
+      case 'd' :
+      case 'i' : {
+	long arg;
+	unsigned long num;
+	int minusp = 0;
+
+	PARSE_INT_FORMAT(arg, ap, signed);
+
+	if (arg < 0) {
+	  minusp = 1;
+	  num = -arg;
+	} else
+	  num = arg;
+
+	if (append_number (state, num, 10, "0123456789",
+			   width, prec, flags, minusp))
+	  return -1;
+	break;
+      }
+      case 'u' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 10, "0123456789",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'o' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 010, "01234567",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'x' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789abcdef",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'X' :{
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'p' : {
+	unsigned long arg = (unsigned long)va_arg(ap, void*);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'n' : {
+	int *arg = va_arg(ap, int*);
+	*arg = state->s - state->str;
+	break;
+      }
+      case '\0' :
+	  --format;
+	  /* FALLTHROUGH */
+      case '%' :
+	if ((*state->append_char)(state, c))
+	  return -1;
+	break;
+      default :
+	if (   (*state->append_char)(state, '%')
+	    || (*state->append_char)(state, c))
+	  return -1;
+	break;
+      }
+    } else
+      if ((*state->append_char) (state, c))
+	return -1;
+  }
+  return 0;
+}
+
+#ifndef HAVE_SNPRINTF
+int
+snprintf (char *str, size_t sz, const char *format, ...)
+{
+  va_list args;
+  int ret;
+
+  va_start(args, format);
+  ret = vsnprintf (str, sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+
+    tmp = malloc (sz);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (ret != ret2 || strcmp(str, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return ret;
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int
+asprintf (char **ret, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasprintf (ret, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_ASNPRINTF
+int
+asnprintf (char **ret, size_t max_sz, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasnprintf (ret, max_sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_VASPRINTF
+int
+vasprintf (char **ret, const char *format, va_list args)
+{
+  return vasnprintf (ret, 0, format, args);
+}
+#endif
+
+
+#ifndef HAVE_VASNPRINTF
+int
+vasnprintf (char **ret, size_t max_sz, const char *format, va_list args)
+{
+  int st;
+  size_t len;
+  struct state state;
+
+  state.max_sz = max_sz;
+  state.sz     = 1;
+  state.str    = malloc(state.sz);
+  if (state.str == NULL) {
+    *ret = NULL;
+    return -1;
+  }
+  state.s = state.str;
+  state.theend = state.s + state.sz - 1;
+  state.append_char = as_append_char;
+  state.reserve     = as_reserve;
+
+  st = xyzprintf (&state, format, args);
+  if (st) {
+    free (state.str);
+    *ret = NULL;
+    return -1;
+  } else {
+    char *tmp;
+
+    *state.s = '\0';
+    len = state.s - state.str;
+    tmp = realloc (state.str, len+1);
+    if (tmp == NULL) {
+      free (state.str);
+      *ret = NULL;
+      return -1;
+    }
+    *ret = tmp;
+    return len;
+  }
+}
+#endif
+
+#ifndef HAVE_VSNPRINTF
+int
+vsnprintf (char *str, size_t sz, const char *format, va_list args)
+{
+  struct state state;
+  int ret;
+  unsigned char *ustr = (unsigned char *)str;
+
+  state.max_sz = 0;
+  state.sz     = sz;
+  state.str    = ustr;
+  state.s      = ustr;
+  state.theend = ustr + sz - 1;
+  state.append_char = sn_append_char;
+  state.reserve     = sn_reserve;
+
+  ret = xyzprintf (&state, format, args);
+  *state.s = '\0';
+  if (ret)
+    return sz;
+  else
+    return state.s - state.str;
+}
+#endif
+
diff --git a/crypto/heimdal/lib/roken/socket.c b/crypto/heimdal/lib/roken/socket.c
new file mode 100644
index 0000000..6e9c3df
--- /dev/null
+++ b/crypto/heimdal/lib/roken/socket.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: socket.c,v 1.3 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#include <roken.h>
+
+#include <err.h>
+
+/*
+ * Set `sa' to the unitialized address of address family `af'
+ */
+
+void
+socket_set_any (struct sockaddr *sa, int af)
+{
+    switch (af) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = 0;
+	sin->sin_addr.s_addr = INADDR_ANY;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = 0;
+	sin6->sin6_addr   = in6addr_any;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * set `sa' to (`ptr', `port')
+ */
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = port;
+	memcpy (&sin->sin_addr, ptr, sizeof(struct in_addr));
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = port;
+	memcpy (&sin6->sin6_addr, ptr, sizeof(struct in6_addr));
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of an address of the type in `sa'
+ */
+
+size_t
+socket_addr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct in_addr);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct in6_addr);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of a `struct sockaddr' in `sa'.
+ */
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct sockaddr_in);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct sockaddr_in6);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the binary address of `sa'.
+ */
+
+void *
+socket_get_address (struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	return &sin->sin_addr;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	return &sin6->sin6_addr;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the port number from `sa'.
+ */
+
+int
+socket_get_port (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+	return sin->sin_port;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+	return sin6->sin6_port;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Set the port in `sa' to `port'.
+ */
+
+void
+socket_set_port (struct sockaddr *sa, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	sin->sin_port = port;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	sin6->sin6_port = port;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Enable debug on `sock'.
+ */
+
+void
+socket_set_debug (int sock)
+{
+    int on = 1;
+
+#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt (sock, SOL_SOCKET, SO_DEBUG, (void *) &on, sizeof (on)) < 0)
+	warn ("setsockopt SO_DEBUG (ignored)");
+#endif
+}
+
+/*
+ * Set the type-of-service of `sock' to `tos'.
+ */
+
+void
+socket_set_tos (int sock, int tos)
+{
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt (sock, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof (int)) < 0)
+	warn ("setsockopt TOS (ignored)");
+#endif
+}
+
+/*
+ * set the reuse of addresses on `sock' to `val'.
+ */
+
+void
+socket_set_reuseaddr (int sock, int val)
+{
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+    if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&val,
+		  sizeof(val)) < 0)
+	err (1, "setsockopt SO_REUSEADDR");
+#endif
+}
diff --git a/crypto/heimdal/lib/roken/strcasecmp.c b/crypto/heimdal/lib/roken/strcasecmp.c
new file mode 100644
index 0000000..b5e20e7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strcasecmp.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcasecmp.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+#include "roken.h"
+
+#ifndef HAVE_STRCASECMP
+
+int
+strcasecmp(const char *s1, const char *s2)
+{
+    while(toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+    }
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strcollect.c b/crypto/heimdal/lib/roken/strcollect.c
new file mode 100644
index 0000000..1e82ad0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strcollect.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcollect.c,v 1.1 2000/01/09 10:57:43 assar Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <roken.h>
+
+enum { initial = 10, increment = 5 };
+
+static char **
+sub (char **argv, int i, int argc, va_list *ap)
+{
+    do {
+	if(i == argc) {
+	    /* realloc argv */
+	    char **tmp = realloc(argv, (argc + increment) * sizeof(*argv));
+	    if(tmp == NULL) {
+		free(argv);
+		errno = ENOMEM;
+		return NULL;
+	    }
+	    argv  = tmp;
+	    argc += increment;
+	}
+	argv[i++] = va_arg(*ap, char*);
+    } while(argv[i - 1] != NULL);
+    return argv;
+}
+
+/*
+ * return a malloced vector of pointers to the strings in `ap'
+ * terminated by NULL.
+ */
+
+char **
+vstrcollect(va_list *ap)
+{
+    return sub (NULL, 0, 0, ap);
+}
+
+/*
+ *
+ */
+
+char **
+strcollect(char *first, ...)
+{
+    va_list ap;
+    char **ret = malloc (initial * sizeof(char *));
+
+    if (ret == NULL)
+	return ret;
+
+    ret[0] = first;
+    va_start(ap, first);
+    ret = sub (ret, 1, initial, &ap);
+    va_end(ap);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/strdup.c b/crypto/heimdal/lib/roken/strdup.c
new file mode 100644
index 0000000..87fb43e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strdup.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strdup.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *old)
+{
+	char *t = malloc(strlen(old)+1);
+	if (t != 0)
+		strcpy(t, old);
+	return t;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strerror.c b/crypto/heimdal/lib/roken/strerror.c
new file mode 100644
index 0000000..21936d7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strerror.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+extern int sys_nerr;
+extern char *sys_errlist[];
+
+char*
+strerror(int eno)
+{
+    static char emsg[1024];
+
+    if(eno < 0 || eno >= sys_nerr)
+	snprintf(emsg, sizeof(emsg), "Error %d occurred.", eno);
+    else
+	snprintf(emsg, sizeof(emsg), "%s", sys_errlist[eno]);
+
+    return emsg;
+}
diff --git a/crypto/heimdal/lib/roken/strftime.c b/crypto/heimdal/lib/roken/strftime.c
new file mode 100644
index 0000000..b90614b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strftime.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strftime.c,v 1.10 1999/11/13 04:18:33 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec"
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December"
+};
+
+static const char *ampm[] = {
+    "AM",
+    "PM"
+};
+
+/*
+ * Convert hour in [0, 24] to [12 1 - 11 12 1 - 11 12]
+ */
+
+static int
+hour_24to12 (int hour)
+{
+    int ret = hour % 12;
+
+    if (ret == 0)
+	ret = 12;
+    return ret;
+}
+
+/*
+ * Return AM or PM for `hour'
+ */
+
+static const char *
+hour_to_ampm (int hour)
+{
+    return ampm[hour / 12];
+}
+
+/*
+ * Return the week number of `tm' (Sunday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_sun (const struct tm *tm)
+{
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - tm->tm_wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_mon (const struct tm *tm)
+{
+    int wday = (tm->tm_wday + 6) % 7;
+
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the
+ * week) as [01, 53].  Week number one is the one that has four or more
+ * days in that year.
+ */
+
+static int
+week_number_mon4 (const struct tm *tm)
+{
+    int wday  = (tm->tm_wday + 6) % 7;
+    int w1day = (wday - tm->tm_yday % 7 + 7) % 7;
+    int ret;
+    
+    ret = (tm->tm_yday + w1day) / 7;
+    if (w1day >= 4)
+	--ret;
+    if (ret == -1)
+	ret = 53;
+    else
+	++ret;
+    return ret;
+}
+
+/*
+ *
+ */
+
+size_t
+strftime (char *buf, size_t maxsize, const char *format,
+	  const struct tm *tm)
+{
+    size_t n = 0;
+    size_t ret;
+
+    while (*format != '\0' && n < maxsize) {
+	if (*format == '%') {
+	    ++format;
+	    if(*format == 'E' || *format == 'O')
+		++format;
+	    switch (*format) {
+	    case 'a' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_weekdays[tm->tm_wday]);
+		break;
+	    case 'A' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_weekdays[tm->tm_wday]);
+		break;
+	    case 'h' :
+	    case 'b' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_month[tm->tm_mon]);
+		break;
+	    case 'B' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_month[tm->tm_mon]);
+		break;
+	    case 'c' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d %02d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'C' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) / 100);
+		break;
+	    case 'd' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mday);
+		break;
+	    case 'D' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d/%02d/%02d",
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				(tm->tm_year + 1900) % 100);
+		break;
+	    case 'e' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_mday);
+		break;
+	    case 'F':
+		ret = snprintf (buf, maxsize - n,
+				"%04d-%02d-%02d", tm->tm_year + 1900,
+				tm->tm_mon + 1, tm->tm_mday);
+		break;
+	    case 'g':
+		/* last two digits of week-based year */
+		abort();
+	    case 'G':
+		/* week-based year */
+		abort();
+	    case 'H' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_hour);
+		break;
+	    case 'I' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'j' :
+		ret = snprintf (buf, maxsize - n,
+				"%03d", tm->tm_yday + 1);
+		break;
+	    case 'k' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_hour);
+		break;
+	    case 'l' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'm' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mon + 1);
+		break;
+	    case 'M' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_min);
+		break;
+	    case 'n' :
+		ret = snprintf (buf, maxsize - n, "\n");
+		break;
+	    case 'p' :
+		ret = snprintf (buf, maxsize - n, "%s",
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'r' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d %s",
+				hour_24to12 (tm->tm_hour),
+				tm->tm_min,
+				tm->tm_sec,
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'R' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min);
+		    
+	    case 's' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (int)mktime((struct tm *)tm));
+		break;
+	    case 'S' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_sec);
+		break;
+	    case 't' :
+		ret = snprintf (buf, maxsize - n, "\t");
+		break;
+	    case 'T' :
+	    case 'X' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'u' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (tm->tm_wday == 0) ? 7 : tm->tm_wday);
+		break;
+	    case 'U' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_sun (tm));
+		break;
+	    case 'V' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon4 (tm));
+		break;
+	    case 'w' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_wday);
+		break;
+	    case 'W' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon (tm));
+		break;
+	    case 'x' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday);
+		break;
+	    case 'y' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) % 100);
+		break;
+	    case 'Y' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_year + 1900);
+		break;
+	    case 'z':
+		ret = snprintf (buf, maxsize - n,
+				"%ld",
+#if defined(HAVE_STRUCT_TM_TM_GMTOFF)
+				(long)tm->tm_gmtoff
+#elif defined(HAVE_TIMEZONE)
+				tm->tm_isdst ?
+				(long)altzone :
+				(long)timezone
+#else
+#error Where in timezone chaos are you?
+#endif    
+				);
+		break;
+	    case 'Z' :
+		ret = snprintf (buf, maxsize - n,
+				"%s",
+
+#if defined(HAVE_STRUCT_TM_TM_ZONE)
+				tm->tm_zone
+#elif defined(HAVE_TIMEZONE)
+				tzname[tm->tm_isdst]
+#else
+#error what?
+#endif
+		    );
+		break;
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		ret = snprintf (buf, maxsize - n,
+				"%%");
+		break;
+	    default :
+		ret = snprintf (buf, maxsize - n,
+				"%%%c", *format);
+		break;
+	    }
+	    if (ret >= maxsize - n)
+		return 0;
+	    n   += ret;
+	    buf += ret;
+	    ++format;
+	} else {
+	    *buf++ = *format++;
+	    ++n;
+	}
+    }
+    *buf++ = '\0';
+    return n;
+}
diff --git a/crypto/heimdal/lib/roken/strlcat.c b/crypto/heimdal/lib/roken/strlcat.c
new file mode 100644
index 0000000..d3c8baa
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlcat.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcat.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCAT
+
+size_t
+strlcat (char *dst, const char *src, size_t dst_sz)
+{
+    size_t len = strlen(dst);
+
+    return len + strlcpy (dst + len, src, dst_sz - len);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strlcpy.c b/crypto/heimdal/lib/roken/strlcpy.c
new file mode 100644
index 0000000..33cd9cb
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlcpy.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcpy.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCPY
+
+size_t
+strlcpy (char *dst, const char *src, size_t dst_sz)
+{
+    size_t n;
+    char *p;
+
+    for (p = dst, n = 0;
+	 n + 1 < dst_sz && *src != '\0';
+	 ++p, ++src, ++n)
+	*p = *src;
+    *p = '\0';
+    if (*src == '\0')
+	return n;
+    else
+	return n + strlen (src);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strlwr.c b/crypto/heimdal/lib/roken/strlwr.c
new file mode 100644
index 0000000..cb36789
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlwr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strlwr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRLWR
+char *
+strlwr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = tolower(*s);
+  return str;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strncasecmp.c b/crypto/heimdal/lib/roken/strncasecmp.c
new file mode 100644
index 0000000..7c6474f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strncasecmp.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strncasecmp.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+
+#ifndef HAVE_STRNCASECMP
+
+int
+strncasecmp(const char *s1, const char *s2, size_t n)
+{
+    while(n > 0 && toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+	n--;
+    }
+    if(n == 0)
+	return 0;
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strndup.c b/crypto/heimdal/lib/roken/strndup.c
new file mode 100644
index 0000000..31e7e9f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strndup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strndup.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRNDUP
+char *
+strndup(const char *old, size_t sz)
+{
+    size_t len = strnlen (old, sz);
+    char *t    = malloc(len + 1);
+
+    if (t != NULL) {
+	memcpy (t, old, len);
+	t[len] = '\0';
+    }
+    return t;
+}
+#endif /* HAVE_STRNDUP */
diff --git a/crypto/heimdal/lib/roken/strnlen.c b/crypto/heimdal/lib/roken/strnlen.c
new file mode 100644
index 0000000..fffb3b7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strnlen.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strnlen.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "roken.h"
+
+size_t
+strnlen(const char *s, size_t len)
+{
+    size_t i;
+
+    for(i = 0; i < len && s[i]; i++)
+	;
+    return i;
+}
diff --git a/crypto/heimdal/lib/roken/strpftime-test.c b/crypto/heimdal/lib/roken/strpftime-test.c
new file mode 100644
index 0000000..7eb8fb8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strpftime-test.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strpftime-test.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+enum { MAXSIZE = 26 };
+
+static struct testcase {
+    time_t t;
+    struct {
+	const char *format;
+	const char *result;
+    } vals[MAXSIZE];
+} tests[] = {
+    {0,
+     {
+	 {"%A", "Thursday"},
+	 {"%a", "Thu"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "4"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {90000,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "02"},
+	 {"%e", " 2"},
+	 {"%H", "01"},
+	 {"%I", "01"},
+	 {"%j", "002"},
+	 {"%k", " 1"},
+	 {"%l", " 1"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {216306,
+     {
+	 {"%A", "Saturday"},
+	 {"%a", "Sat"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "03"},
+	 {"%e", " 3"},
+	 {"%H", "12"},
+	 {"%I", "12"},
+	 {"%j", "003"},
+	 {"%k", "12"},
+	 {"%l", "12"},
+	 {"%M", "05"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "06"},
+	 {"%t", "\t"},
+	 {"%w", "6"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {259200,
+     {
+	 {"%A", "Sunday"},
+	 {"%a", "Sun"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "04"},
+	 {"%e", " 4"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "004"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "0"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "01"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {915148800,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "53"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {942161105,
+     {
+
+	 {"%A", "Tuesday"},
+	 {"%a", "Tue"},
+	 {"%B", "November"},
+	 {"%b", "Nov"},
+	 {"%C", "19"},
+	 {"%d", "09"},
+	 {"%e", " 9"},
+	 {"%H", "15"},
+	 {"%I", "03"},
+	 {"%j", "313"},
+	 {"%k", "15"},
+	 {"%l", " 3"},
+	 {"%M", "25"},
+	 {"%m", "11"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "05"},
+	 {"%t", "\t"},
+	 {"%w", "2"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "45"},
+	 {"%W", "45"},
+	 {"%V", "45"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    }
+};
+
+int
+main(int argc, char **argv)
+{
+    int i, j;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	struct tm *tm;
+
+	tm = gmtime (&tests[i].t);
+
+	for (j = 0; tests[i].vals[j].format != NULL; ++j) {
+	    char buf[128];
+	    size_t len;
+	    struct tm tm2;
+	    char *ptr;
+
+	    len = strftime (buf, sizeof(buf), tests[i].vals[j].format, tm);
+	    if (len != strlen (buf)) {
+		printf ("length of strftime(\"%s\") = %d (\"%s\")\n",
+			tests[i].vals[j].format, len,
+			buf);
+		++ret;
+		continue;
+	    }
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("result of strftime(\"%s\") = \"%s\" != \"%s\"\n",
+			tests[i].vals[j].format, buf,
+			tests[i].vals[j].result);
+		++ret;
+		continue;
+	    }
+	    memset (&tm2, 0, sizeof(tm2));
+	    ptr = strptime (tests[i].vals[j].result,
+			    tests[i].vals[j].format,
+			    &tm2);
+	    if (ptr == NULL || *ptr != '\0') {
+		printf ("bad return value from strptime("
+			"\"%s\", \"%s\")\n",
+			tests[i].vals[j].result,
+			tests[i].vals[j].format);
+		++ret;
+	    }
+	    strftime (buf, sizeof(buf), tests[i].vals[j].format, &tm2);
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("reverse of \"%s\" failed: \"%s\" vs \"%s\"\n",
+			tests[i].vals[j].format,
+			buf, tests[i].vals[j].result);
+		++ret;
+	    }
+	}
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/roken/strptime.c b/crypto/heimdal/lib/roken/strptime.c
new file mode 100644
index 0000000..36f0822
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strptime.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include "roken.h"
+
+RCSID("$Id: strptime.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+    NULL
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+    NULL
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec",
+    NULL
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December",
+    NULL,
+};
+
+static const char *ampm[] = {
+    "am",
+    "pm",
+    NULL
+};
+
+/*
+ * Try to match `*buf' to one of the strings in `strs'.  Return the
+ * index of the matching string (or -1 if none).  Also advance buf.
+ */
+
+static int
+match_string (const char **buf, const char **strs)
+{
+    int i = 0;
+
+    for (i = 0; strs[i] != NULL; ++i) {
+	int len = strlen (strs[i]);
+
+	if (strncasecmp (*buf, strs[i], len) == 0) {
+	    *buf += len;
+	    return i;
+	}
+    }
+    return -1;
+}
+
+/*
+ * tm_year is relative this year */
+
+const int tm_year_base = 1900;
+
+/*
+ * Return TRUE iff `year' was a leap year.
+ */
+
+static int
+is_leap_year (int year)
+{
+    return (year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0);
+}
+
+/*
+ * Return the weekday [0,6] (0 = Sunday) of the first day of `year'
+ */
+
+static int
+first_day (int year)
+{
+    int ret = 4;
+
+    for (; year > 1970; --year)
+	ret = (ret + 365 + is_leap_year (year) ? 1 : 0) % 7;
+    return ret;
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_sun (struct tm *timeptr, int wnum)
+{
+    int fday = first_day (timeptr->tm_year + tm_year_base);
+
+    timeptr->tm_yday = wnum * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+
+    timeptr->tm_yday = wnum * 7 + (timeptr->tm_wday + 6) % 7 - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = (fday + 1) % 7;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon4 (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+    int offset = 0;
+
+    if (fday < 4)
+	offset += 7;
+
+    timeptr->tm_yday = offset + (wnum - 1) * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ *
+ */
+
+char *
+strptime (const char *buf, const char *format, struct tm *timeptr)
+{
+    char c;
+
+    for (; (c = *format) != '\0'; ++format) {
+	char *s;
+	int ret;
+
+	if (isspace (c)) {
+	    while (isspace (*buf))
+		++buf;
+	} else if (c == '%' && format[1] != '\0') {
+	    c = *++format;
+	    if (c == 'E' || c == 'O')
+		c = *++format;
+	    switch (c) {
+	    case 'A' :
+		ret = match_string (&buf, full_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'a' :
+		ret = match_string (&buf, abb_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'B' :
+		ret = match_string (&buf, full_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'b' :
+	    case 'h' :
+		ret = match_string (&buf, abb_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'C' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = (ret * 100) - tm_year_base;
+		buf = s;
+		break;
+	    case 'c' :
+		abort ();
+	    case 'D' :		/* %m/%d/%y */
+		s = strptime (buf, "%m/%d/%y", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'd' :
+	    case 'e' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mday = ret;
+		buf = s;
+		break;
+	    case 'H' :
+	    case 'k' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'I' :
+	    case 'l' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret == 12)
+		    timeptr->tm_hour = 0;
+		else
+		    timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'j' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_yday = ret - 1;
+		buf = s;
+		break;
+	    case 'm' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mon = ret - 1;
+		buf = s;
+		break;
+	    case 'M' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_min = ret;
+		buf = s;
+		break;
+	    case 'n' :
+		if (*buf == '\n')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'p' :
+		ret = match_string (&buf, ampm);
+		if (ret < 0)
+		    return NULL;
+		if (timeptr->tm_hour == 0) {
+		    if (ret == 1)
+			timeptr->tm_hour = 12;
+		} else
+		    timeptr->tm_hour += 12;
+		break;
+	    case 'r' :		/* %I:%M:%S %p */
+		s = strptime (buf, "%I:%M:%S %p", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'R' :		/* %H:%M */
+		s = strptime (buf, "%H:%M", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'S' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_sec = ret;
+		buf = s;
+		break;
+	    case 't' :
+		if (*buf == '\t')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'T' :		/* %H:%M:%S */
+	    case 'X' :
+		s = strptime (buf, "%H:%M:%S", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'u' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret - 1;
+		buf = s;
+		break;
+	    case 'w' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		buf = s;
+		break;
+	    case 'U' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_sun (timeptr, ret);
+		buf = s;
+		break;
+	    case 'V' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon4 (timeptr, ret);
+		buf = s;
+		break;
+	    case 'W' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon (timeptr, ret);
+		buf = s;
+		break;
+	    case 'x' :
+		s = strptime (buf, "%Y:%m:%d", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret < 70)
+		    timeptr->tm_year = 100 + ret;
+		else
+		    timeptr->tm_year = ret;
+		buf = s;
+		break;
+	    case 'Y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = ret - tm_year_base;
+		buf = s;
+		break;
+	    case 'Z' :
+		abort ();
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		if (*buf == '%')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    default :
+		if (*buf == '%' || *++buf == c)
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    }
+	} else {
+	    if (*buf == c)
+		++buf;
+	    else
+		return NULL;
+	}
+    }
+    return (char *)buf;
+}
diff --git a/crypto/heimdal/lib/roken/strsep.c b/crypto/heimdal/lib/roken/strsep.c
new file mode 100644
index 0000000..efc714a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strsep.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRSEP
+
+char *
+strsep(char **str, const char *delim)
+{
+    char *save = *str;
+    if(*str == NULL)
+	return NULL;
+    *str = *str + strcspn(*str, delim);
+    if(**str == 0)
+	*str = NULL;
+    else{
+	**str = 0;
+	(*str)++;
+    }
+    return save;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strtok_r.c b/crypto/heimdal/lib/roken/strtok_r.c
new file mode 100644
index 0000000..45b036a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strtok_r.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRTOK_R
+
+char *
+strtok_r(char *s1, const char *s2, char **lasts)
+{
+  char *ret;
+
+  if (s1 == NULL)
+    s1 = *lasts;
+  while(*s1 && strchr(s2, *s1))
+    ++s1;
+  if(*s1 == '\0')
+    return NULL;
+  ret = s1;
+  while(*s1 && !strchr(s2, *s1))
+    ++s1;
+  if(*s1)
+    *s1++ = '\0';
+  *lasts = s1;
+  return ret;
+}
+
+#endif /* HAVE_STRTOK_R */
diff --git a/crypto/heimdal/lib/roken/strupr.c b/crypto/heimdal/lib/roken/strupr.c
new file mode 100644
index 0000000..96dd042
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strupr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strupr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRUPR
+char *
+strupr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = toupper(*s);
+  return str;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/krb/swab.c b/crypto/heimdal/lib/roken/swab.c
index d68ce3d..c623bd0 100644
--- a/crypto/kerberosIV/lib/krb/swab.c
+++ b/crypto/heimdal/lib/roken/swab.c
@@ -14,12 +14,7 @@
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  * 
@@ -38,10 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: swab.c,v 1.4 1997/04/01 08:18:45 joda Exp $");
 #endif
+#include "roken.h"
 
 #ifndef HAVE_SWAB
+
+RCSID("$Id: swab.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+
 void
 swab (char *from, char *to, int nbytes)
 {
diff --git a/crypto/heimdal/lib/roken/tm2time.c b/crypto/heimdal/lib/roken/tm2time.c
new file mode 100644
index 0000000..b912e32
--- /dev/null
+++ b/crypto/heimdal/lib/roken/tm2time.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#include "roken.h"
+
+time_t
+tm2time (struct tm tm, int local)
+{
+     time_t t;
+
+     tm.tm_isdst = -1;
+
+     t = mktime (&tm);
+
+     if (!local)
+       t += t - mktime (gmtime (&t));
+     return t;
+}
diff --git a/crypto/heimdal/lib/roken/unsetenv.c b/crypto/heimdal/lib/roken/unsetenv.c
new file mode 100644
index 0000000..6d95a51
--- /dev/null
+++ b/crypto/heimdal/lib/roken/unsetenv.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: unsetenv.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "roken.h"
+
+extern char **environ;
+
+/*
+ * unsetenv --
+ */
+void
+unsetenv(const char *name)
+{
+  int len;
+  const char *np;
+  char **p;
+
+  if (name == 0 || environ == 0)
+    return;
+
+  for (np = name; *np && *np != '='; np++)
+    /* nop */;
+  len = np - name;
+  
+  for (p = environ; *p != 0; p++)
+    if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
+      break;
+
+  for (; *p != 0; p++)
+    *p = *(p + 1);
+}
+
diff --git a/crypto/heimdal/lib/roken/verify.c b/crypto/heimdal/lib/roken/verify.c
new file mode 100644
index 0000000..842fa9a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verify.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "roken.h"
+
+int
+unix_verify_user(char *user, char *password)
+{
+    struct passwd *pw;
+    
+    pw = k_getpwnam(user);
+    if(pw == NULL)
+	return -1;
+    if(strlen(pw->pw_passwd) == 0 && strlen(password) == 0)
+	return 0;
+    if(strcmp(crypt(password, pw->pw_passwd), pw->pw_passwd) == 0)
+        return 0;
+    return -1;
+}
+
diff --git a/crypto/heimdal/lib/roken/verr.c b/crypto/heimdal/lib/roken/verr.c
new file mode 100644
index 0000000..511e640
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verr.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verr.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+verr(int eval, const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/heimdal/lib/roken/verrx.c b/crypto/heimdal/lib/roken/verrx.c
new file mode 100644
index 0000000..f4578d3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verrx.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verrx.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+verrx(int eval, const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/heimdal/lib/roken/vsyslog.c b/crypto/heimdal/lib/roken/vsyslog.c
new file mode 100644
index 0000000..22e6a35
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vsyslog.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vsyslog.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#ifndef HAVE_VSYSLOG
+
+#include <stdio.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+#include "roken.h"
+
+void
+vsyslog(int pri, const char *fmt, va_list ap)
+{
+    char *p;
+
+    vasprintf (&p, fmt, ap);
+    syslog (pri, "%s", p);
+    free (p);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/vwarn.c b/crypto/heimdal/lib/roken/vwarn.c
new file mode 100644
index 0000000..15f9a38
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vwarn.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarn.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+vwarn(const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+}
diff --git a/crypto/heimdal/lib/roken/vwarnx.c b/crypto/heimdal/lib/roken/vwarnx.c
new file mode 100644
index 0000000..48f1ffd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vwarnx.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarnx.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+vwarnx(const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+}
+
diff --git a/crypto/heimdal/lib/roken/warn.c b/crypto/heimdal/lib/roken/warn.c
new file mode 100644
index 0000000..d8ee335
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warn.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warn.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warn(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarn(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/warnerr.c b/crypto/heimdal/lib/roken/warnerr.c
new file mode 100644
index 0000000..4df375d
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warnerr.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnerr.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "roken.h"
+#include "err.h"
+
+#ifndef HAVE___PROGNAME
+const char *__progname;
+#endif
+
+void
+set_progname(char *argv0)
+{
+#ifndef HAVE___PROGNAME
+    char *p;
+    if(argv0 == NULL)
+	return;
+    p = strrchr(argv0, '/');
+    if(p == NULL)
+	p = argv0;
+    else
+	p++;
+    __progname = p;
+#endif
+}
+
+void
+warnerr(int doerrno, const char *fmt, va_list ap)
+{
+    int sverrno = errno;
+    if(__progname != NULL){
+	fprintf(stderr, "%s", __progname);
+	if(fmt != NULL || doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if (fmt != NULL){
+	vfprintf(stderr, fmt, ap);
+	if(doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if(doerrno)
+	fprintf(stderr, "%s", strerror(sverrno));
+    fprintf(stderr, "\n");
+}
diff --git a/crypto/heimdal/lib/roken/warnx.c b/crypto/heimdal/lib/roken/warnx.c
new file mode 100644
index 0000000..c991176
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warnx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnx.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warnx(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarnx(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/writev.c b/crypto/heimdal/lib/roken/writev.c
new file mode 100644
index 0000000..e3859bf
--- /dev/null
+++ b/crypto/heimdal/lib/roken/writev.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: writev.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < iovcnt; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = write (d, buf, tot);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/xdbm.h b/crypto/heimdal/lib/roken/xdbm.h
new file mode 100644
index 0000000..78d7330
--- /dev/null
+++ b/crypto/heimdal/lib/roken/xdbm.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: xdbm.h,v 1.8 2000/02/06 05:03:27 assar Exp $ */
+
+/* Generic *dbm include file */
+
+#ifndef __XDBM_H__
+#define __XDBM_H__
+
+#if defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#endif
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+
+#ifndef NDBM
+typedef char DBM;
+
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_delete(db, key) delete(key)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+#endif /* __XDBM_H__ */
diff --git a/crypto/heimdal/lib/sl/ChangeLog b/crypto/heimdal/lib/sl/ChangeLog
new file mode 100644
index 0000000..eca7217
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ChangeLog
@@ -0,0 +1,120 @@
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump both versions to 0:1:0
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (name2number): not used here.  remove.
+
+Thu Apr  1 17:03:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make_cmds.c: use getarg
+
+Tue Mar 23 14:36:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't rename
+
+Sun Mar 21 14:13:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't roken-rename
+
+Sat Mar 20 03:43:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: replace return with YYACCEPT
+
+Fri Mar 19 14:53:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add libss; add version-info
+
+Thu Mar 18 15:07:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: clean lex.c parse.c parse.h
+
+	* Makefile.am: install ss.h
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 15:01:01 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Tue Feb  9 23:45:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: add snprintf.o to make_cmds
+
+Sun Nov 22 10:46:23 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_command_loop): remove unused variable
+
+	* ss.c (ss_error): remove unused variable
+
+	* make_cmds.c: include err.h
+	(main): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Sun Sep 27 01:28:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* make_cmds.c: clean-up and simplification
+
+Mon May 25 02:54:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+	* Makefile.in: make symlink magic work
+
+Sun Apr 19 10:00:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:21:43 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Sat Mar 28 11:39:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_loop): s/2/1
+
+Sat Mar 21 00:46:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): check that there is at least one argument before
+ 	calling sl_command
+
+Sun Mar  1 05:14:37 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): Fix general broken-ness.
+
+	* sl.c: Cleanup printing of help strings.
+
+Thu Feb 26 02:22:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:21 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Mon Feb 16 16:08:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: Some fixes for ss/mk_cmds.
+
+Sun Feb 15 05:12:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install libsl under the `libss' name too. Install
+ 	mk_cmds, and ss.h.
+
+	* make_cmds.c: A mk_cmds clone that creates SL structures.
+
+	* ss.c: SS compatibility functions.
+
+	* sl.c: Move command line split to function `sl_make_argv'.
+
+Tue Feb  3 16:45:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c: Add sl_command_loop, that is the loop body of sl_loop.
+
+Mon Oct 20 01:13:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_help): actually use the `help' field of `SL_cmd'
+
diff --git a/crypto/heimdal/lib/sl/Makefile.am b/crypto/heimdal/lib/sl/Makefile.am
new file mode 100644
index 0000000..e572e21
--- /dev/null
+++ b/crypto/heimdal/lib/sl/Makefile.am
@@ -0,0 +1,44 @@
+# $Id: Makefile.am,v 1.15 2000/01/06 21:52:20 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+include_HEADERS = sl.h
+
+lib_LTLIBRARIES = libsl.la libss.la
+libsl_la_LDFLAGS = -version-info 0:1:0
+libss_la_LDFLAGS = -version-info 0:1:0
+
+RENAME_SRC = roken_rename.h strtok_r.c snprintf.c
+
+libsl_la_SOURCES = sl_locl.h sl.c
+libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+
+EXTRA_libsl_la_SOURCES = strtok_r.c snprintf.c roken_rename.h
+
+# install these?
+
+noinst_PROGRAMS = mk_cmds
+
+mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
+
+RENAME_mk_cmds_SRC = roken_rename.h snprintf.c
+
+EXTRA_mk_cmds_SOURCES = snprintf.c roken_rename.h
+
+ssincludedir = $(includedir)/ss
+ssinclude_HEADERS = ss.h
+
+CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c
+
+$(mk_cmds_OBJECTS): parse.h
+
+LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
diff --git a/crypto/heimdal/lib/sl/Makefile.in b/crypto/heimdal/lib/sl/Makefile.in
new file mode 100644
index 0000000..634cd74
--- /dev/null
+++ b/crypto/heimdal/lib/sl/Makefile.in
@@ -0,0 +1,737 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.15 2000/01/06 21:52:20 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+YFLAGS = -d
+
+include_HEADERS = sl.h
+
+lib_LTLIBRARIES = libsl.la libss.la
+libsl_la_LDFLAGS = -version-info 0:1:0
+libss_la_LDFLAGS = -version-info 0:1:0
+
+RENAME_SRC = roken_rename.h strtok_r.c snprintf.c
+
+libsl_la_SOURCES = sl_locl.h sl.c
+libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+
+EXTRA_libsl_la_SOURCES = strtok_r.c snprintf.c roken_rename.h
+
+# install these?
+
+noinst_PROGRAMS = mk_cmds
+
+mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
+
+RENAME_mk_cmds_SRC = roken_rename.h snprintf.c
+
+EXTRA_mk_cmds_SOURCES = snprintf.c roken_rename.h
+
+ssincludedir = $(includedir)/ss
+ssinclude_HEADERS = ss.h
+
+CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c
+
+LDADD =  	$(LIB_roken) 	$(LEXLIB)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libsl_la_LIBADD = 
+libsl_la_OBJECTS =  sl.lo
+libss_la_LIBADD = 
+libss_la_OBJECTS =  sl.lo ss.lo
+noinst_PROGRAMS =  mk_cmds$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+mk_cmds_OBJECTS =  make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT)
+mk_cmds_LDADD = $(LDADD)
+mk_cmds_DEPENDENCIES = 
+mk_cmds_LDFLAGS = 
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+HEADERS =  $(include_HEADERS) $(ssinclude_HEADERS)
+
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in lex.c parse.c
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(libsl_la_SOURCES) $(EXTRA_libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES) $(EXTRA_mk_cmds_SOURCES)
+OBJECTS = $(libsl_la_OBJECTS) $(libss_la_OBJECTS) $(mk_cmds_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .l .lo .o .obj .s .x .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/sl/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo "$(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libsl_la_LDFLAGS) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS)
+
+libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES)
+	@rm -f mk_cmds$(EXEEXT)
+	$(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS)
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(include_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(includedir)/$$p; \
+	done
+
+install-ssincludeHEADERS: $(ssinclude_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(ssincludedir)
+	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$p"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$p; \
+	done
+
+uninstall-ssincludeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	list='$(ssinclude_HEADERS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(ssincludedir)/$$p; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = lib/sl
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-ssincludeHEADERS \
+		install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS \
+		uninstall-ssincludeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) \
+		$(DESTDIR)$(ssincludedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-test -z "lexlparsehparsec" || rm -f lexl parseh parsec
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS uninstall-ssincludeHEADERS \
+install-ssincludeHEADERS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(mk_cmds_OBJECTS): parse.h
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/sl/lex.l b/crypto/heimdal/lib/sl/lex.l
new file mode 100644
index 0000000..b7c1c44
--- /dev/null
+++ b/crypto/heimdal/lib/sl/lex.l
@@ -0,0 +1,114 @@
+%{
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+#include "parse.h"
+
+RCSID("$Id: lex.l,v 1.3 1999/12/02 16:58:55 joda Exp $");
+
+static unsigned lineno = 1;
+void error_message(char *, ...);
+int getstring(void);
+
+%}
+
+
+%%
+command_table		{ return TABLE; }
+request			{ return REQUEST; }
+unknown			{ return UNKNOWN; }
+unimplemented		{ return UNIMPLEMENTED; }
+end			{ return END; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int backslash = 0;
+    while((c = input()) != EOF){
+	if(backslash) {
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    x[i++] = c;
+	    backslash = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    backslash++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/heimdal/lib/sl/make_cmds.c b/crypto/heimdal/lib/sl/make_cmds.c
new file mode 100644
index 0000000..492e9e6
--- /dev/null
+++ b/crypto/heimdal/lib/sl/make_cmds.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+#include <getarg.h>
+
+RCSID("$Id: make_cmds.c,v 1.6 1999/12/02 16:58:55 joda Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+FILE *c_file;
+
+extern void yyparse(void);
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char *table_name;
+
+static struct command_list *commands;
+
+void
+add_command(char *function, 
+	    char *help, 
+	    struct string_list *aliases, 
+	    unsigned flags)
+{
+    struct command_list *cl = malloc(sizeof(*cl));
+
+    if (cl == NULL)
+	err (1, "malloc");
+    cl->function = function;
+    cl->help = help;
+    cl->aliases = aliases;
+    cl->flags = flags;
+    cl->next = NULL;
+    if(commands) {
+	*commands->tail = cl;
+	commands->tail = &cl->next;
+	return;
+    }
+    cl->tail = &cl->next;
+    commands = cl;
+}
+
+static char *
+quote(const char *str)
+{
+    char buf[1024]; /* XXX */
+    const char *p;
+    char *q;
+    q = buf;
+    
+    *q++ = '\"';
+    for(p = str; *p != '\0'; p++) {
+	if(*p == '\n') {
+	    *q++ = '\\';
+	    *q++ = 'n';
+	    continue;
+	}
+	if(*p == '\t') {
+	    *q++ = '\\';
+	    *q++ = 't';
+	    continue;
+	}
+	if(*p == '\"' || *p == '\\')
+	    *q++ = '\\';
+	*q++ = *p;
+    }
+    *q++ = '\"';
+    *q++ = '\0';
+    return strdup(buf);
+}
+
+static void
+generate_commands(void)
+{
+    char *base;
+    char *cfn;
+    char *p;
+
+    p = strrchr(table_name, '/');
+    if(p == NULL)
+	p = table_name;
+    else
+	p++;
+
+    base = strdup (p);
+    if (base == NULL)
+	err (1, "strdup");
+
+    p = strrchr(base, '.');
+    if(p)
+	*p = '\0';
+    
+    asprintf(&cfn, "%s.c", base);
+    if (cfn == NULL)
+	err (1, "asprintf");
+
+    c_file = fopen(cfn, "w");
+    if (c_file == NULL)
+	err (1, "cannot fopen %s", cfn);
+    
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <sl.h>\n");
+    fprintf(c_file, "\n");
+
+    {
+	struct command_list *cl, *xl;
+	char *p, *q;
+
+	for(cl = commands; cl; cl = cl->next) {
+	    for(xl = commands; xl != cl; xl = xl->next)
+		if(strcmp(cl->function, xl->function) == 0)
+		    break;
+	    if(xl != cl)
+		continue;
+	    /* XXX hack for ss_quit */
+	    if(strcmp(cl->function, "ss_quit") == 0) {
+		fprintf(c_file, "int %s (int, char**);\n", cl->function);
+		fprintf(c_file, "#define _ss_quit_wrap ss_quit\n\n"); 
+		continue;
+	    }
+	    fprintf(c_file, "void %s (int, char**);\n", cl->function);
+	    fprintf(c_file, "static int _%s_wrap (int argc, char **argv)\n", 
+		    cl->function);
+	    fprintf(c_file, "{\n");
+	    fprintf(c_file, "  %s (argc, argv);\n", cl->function);
+	    fprintf(c_file, "  return 0;\n");
+	    fprintf(c_file, "}\n\n");
+	}
+
+	fprintf(c_file, "SL_cmd %s[] = {\n", table_name);
+	for(cl = commands; cl; cl = cl->next) {
+	    struct string_list *sl;
+	    sl = cl->aliases;
+	    p = quote(sl->string);
+	    q = quote(cl->help);
+	    fprintf(c_file, "  { %s, _%s_wrap, %s },\n", p, cl->function, q);
+	    free(p);
+	    free(q);
+    
+	    for(sl = sl->next; sl; sl = sl->next) {
+		p = quote(sl->string);
+		fprintf(c_file, "  { %s },\n", p);
+		free(p);
+	    }
+	}
+	fprintf(c_file, "  { NULL },\n");
+	fprintf(c_file, "};\n");
+	fprintf(c_file, "\n");
+    }
+    fclose(c_file);
+    free(base);
+    free(cfn);
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(argc == optind)
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+    
+    yyparse();
+    
+    generate_commands();
+
+    if(numerror)
+	return 1;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/sl/make_cmds.h b/crypto/heimdal/lib/sl/make_cmds.h
new file mode 100644
index 0000000..24dbd60
--- /dev/null
+++ b/crypto/heimdal/lib/sl/make_cmds.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: make_cmds.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef __MAKE_CMDS_H__
+#define __MAKE_CMDS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+extern char *filename;
+extern char *table_name;
+extern int numerror;
+
+struct command_list {
+    char *function;
+    char *help;
+    struct string_list *aliases;
+    unsigned flags;
+    struct command_list *next;
+    struct command_list **tail;
+};
+
+struct string_list {
+    char *string;
+    struct string_list *next;
+    struct string_list **tail;
+};
+
+void add_command(char*, char*, struct string_list*, unsigned);
+
+#endif /* __MAKE_CMDS_H__ */
diff --git a/crypto/heimdal/lib/sl/parse.y b/crypto/heimdal/lib/sl/parse.y
new file mode 100644
index 0000000..18ef5ca
--- /dev/null
+++ b/crypto/heimdal/lib/sl/parse.y
@@ -0,0 +1,168 @@
+%{
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+RCSID("$Id: parse.y,v 1.6 1999/12/16 10:34:11 assar Exp $");
+
+void yyerror (char *s);
+void error_message(char *, ...);
+
+struct string_list* append_string(struct string_list*, char*);
+void free_string_list(struct string_list *list);
+unsigned string_to_flag(const char *);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  unsigned number;
+  struct string_list *list;
+}
+
+%token TABLE REQUEST UNKNOWN UNIMPLEMENTED END
+%token <string> STRING
+%type <number> flag flags
+%type <list> aliases
+
+%%
+
+file		: /* */ 
+		| statements
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: TABLE STRING ';'
+		{
+		    table_name = $2;
+		}
+		| REQUEST STRING ',' STRING ',' aliases ',' '(' flags ')' ';'
+		{
+		    add_command($2, $4, $6, $9);
+		}
+		| REQUEST STRING ',' STRING ',' aliases ';'
+		{
+		    add_command($2, $4, $6, 0);
+		}
+		| UNIMPLEMENTED STRING ',' STRING ',' aliases ';'
+		{
+		    free($2);
+		    free($4);
+		    free_string_list($6);
+		}
+		| UNKNOWN aliases ';'
+		{
+		    free_string_list($2);
+		}
+		| END ';'
+		{
+		    YYACCEPT;
+		}
+		;
+
+aliases		: STRING
+		{
+		    $$ = append_string(NULL, $1);
+		}
+		| aliases ',' STRING
+		{
+		    $$ = append_string($1, $3);
+		}
+		;
+
+flags		: flag
+		{
+		    $$ = $1;
+		}
+		| flags ',' flag
+		{
+		    $$ = $1 | $3;
+		}
+		;
+flag		: STRING
+		{
+		    $$ = string_to_flag($1);
+		    free($1);
+		}
+		;
+
+
+
+%%
+
+void
+yyerror (char *s)
+{
+    error_message ("%s\n", s);
+}
+
+struct string_list*
+append_string(struct string_list *list, char *str)
+{
+    struct string_list *sl = malloc(sizeof(*sl));
+    sl->string = str;
+    sl->next = NULL;
+    if(list) {
+	*list->tail = sl;
+	list->tail = &sl->next;
+	return list;
+    }
+    sl->tail = &sl->next;
+    return sl;
+}
+
+void
+free_string_list(struct string_list *list)
+{
+    while(list) {
+	struct string_list *sl = list->next;
+	free(list->string);
+	free(list);
+	list = sl;
+    }
+}
+
+unsigned
+string_to_flag(const char *string)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/sl/roken_rename.h b/crypto/heimdal/lib/sl/roken_rename.h
new file mode 100644
index 0000000..c668802
--- /dev/null
+++ b/crypto/heimdal/lib/sl/roken_rename.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_STRTOK_R
+#define strtok_r _sl_strtok_r
+#endif
+#ifndef HAVE_SNPRINTF
+#define snprintf _sl_snprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _sl_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _sl_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _sl_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _sl_vasnprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _sl_vsnprintf
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/sl/sl.c b/crypto/heimdal/lib/sl/sl.c
new file mode 100644
index 0000000..688ca8b
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sl.c,v 1.25 1999/12/02 16:58:55 joda Exp $");
+#endif
+
+#include "sl_locl.h"
+
+static SL_cmd *
+sl_match (SL_cmd *cmds, char *cmd, int exactp)
+{
+    SL_cmd *c, *current = NULL, *partial_cmd = NULL;
+    int partial_match = 0;
+
+    for (c = cmds; c->name; ++c) {
+	if (c->func)
+	    current = c;
+	if (strcmp (cmd, c->name) == 0)
+	    return current;
+	else if (strncmp (cmd, c->name, strlen(cmd)) == 0 &&
+		 partial_cmd != current) {
+	    ++partial_match;
+	    partial_cmd = current;
+	}
+    }
+    if (partial_match == 1 && !exactp)
+	return partial_cmd;
+    else
+	return NULL;
+}
+
+void
+sl_help (SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c, *prev_c;
+
+    if (argc == 1) {
+	prev_c = NULL;
+	for (c = cmds; c->name; ++c) {
+	    if (c->func) {
+		if(prev_c)
+		    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+			    prev_c->usage ? "\n" : "");
+		prev_c = c;
+		printf ("%s", c->name);
+	    } else
+		printf (", %s", c->name);
+	}
+	if(prev_c)
+	    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+		    prev_c->usage ? "\n" : "");
+    } else { 
+	c = sl_match (cmds, argv[1], 0);
+	if (c == NULL)
+	    printf ("No such command: %s. "
+		    "Try \"help\" for a list of all commands\n",
+		    argv[1]);
+	else {
+	    printf ("%s\t%s\n", c->name, c->usage);
+	    if(c->help && *c->help)
+		printf ("%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		printf ("Synonyms:");
+		while (c->name && c->func == NULL)
+		    printf ("\t%s", (c++)->name);
+		printf ("\n");
+	    }
+	}
+    }
+}
+
+#ifdef HAVE_READLINE
+
+char *readline(char *prompt);
+void add_history(char *p);
+
+#else
+
+static char *
+readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#endif
+
+int
+sl_command(SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c;
+    c = sl_match (cmds, argv[0], 0);
+    if (c == NULL)
+	return -1;
+    return (*c->func)(argc, argv);
+}
+
+struct sl_data {
+    int max_count;
+    char **ptr;
+};
+
+int
+sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
+{
+    char *foo = NULL;
+    char *p;
+    int argc, nargv;
+    char **argv;
+    
+    nargv = 10;
+    argv = malloc(nargv * sizeof(*argv));
+    if(argv == NULL)
+	return ENOMEM;
+    argc = 0;
+
+    for(p = strtok_r (line, " \t", &foo);
+	p;
+	p = strtok_r (NULL, " \t", &foo)) {
+	if(argc == nargv - 1) {
+	    char **tmp;
+	    nargv *= 2;
+	    tmp = realloc (argv, nargv * sizeof(*argv));
+	    if (tmp == NULL) {
+		free(argv);
+		return ENOMEM;
+	    }
+	    argv = tmp;
+	}
+	argv[argc++] = p;
+    }
+    argv[argc] = NULL;
+    *ret_argc = argc;
+    *ret_argv = argv;
+    return 0;
+}
+
+/* return values: 0 on success, -1 on fatal error, or return value of command */
+int
+sl_command_loop(SL_cmd *cmds, char *prompt, void **data)
+{
+    int ret = 0;
+    char *buf;
+    int argc;
+    char **argv;
+	
+    ret = 0;
+    buf = readline(prompt);
+    if(buf == NULL)
+	return 1;
+
+    if(*buf)
+	add_history(buf);
+    ret = sl_make_argv(buf, &argc, &argv);
+    if(ret) {
+	fprintf(stderr, "sl_loop: out of memory\n");
+	free(buf);
+	return -1;
+    }
+    if (argc >= 1) {
+	ret = sl_command(cmds, argc, argv);
+	if(ret == -1) {
+	    printf ("Unrecognized command: %s\n", argv[0]);
+	    ret = 0;
+	}
+    }
+    free(buf);
+    free(argv);
+    return ret;
+}
+
+int 
+sl_loop(SL_cmd *cmds, char *prompt)
+{
+    void *data = NULL;
+    int ret;
+    while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+	;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/sl/sl.h b/crypto/heimdal/lib/sl/sl.h
new file mode 100644
index 0000000..1a6d3fa
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl.h,v 1.7 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef _SL_H
+#define _SL_H
+
+typedef int (*cmd_func)(int, char **);
+
+struct sl_cmd {
+  char *name;
+  cmd_func func;
+  char *usage;
+  char *help;
+};
+
+typedef struct sl_cmd SL_cmd;
+
+void sl_help (SL_cmd *, int argc, char **argv);
+int  sl_loop (SL_cmd *, char *prompt);
+int  sl_command_loop (SL_cmd *cmds, char *prompt, void **data);
+int  sl_command (SL_cmd *cmds, int argc, char **argv);
+int sl_make_argv(char*, int*, char***);
+
+
+#endif /* _SL_H */
diff --git a/crypto/heimdal/lib/sl/sl_locl.h b/crypto/heimdal/lib/sl/sl_locl.h
new file mode 100644
index 0000000..4bd9660
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl_locl.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl_locl.h,v 1.6 1999/12/02 16:58:55 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include <roken.h>
+
+#include <sl.h>
diff --git a/crypto/heimdal/lib/sl/ss.c b/crypto/heimdal/lib/sl/ss.c
new file mode 100644
index 0000000..f3c0546
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ss.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "sl_locl.h"
+#include <com_err.h>
+#include "ss.h"
+
+RCSID("$Id: ss.c,v 1.4 1999/12/02 16:58:55 joda Exp $");
+
+struct ss_subst {
+    char *name;
+    char *version;
+    char *info;
+    ss_request_table *table;
+};
+
+static struct ss_subst subsystems[2];
+static int num_subsystems;
+
+int
+ss_create_invocation(const char *subsystem, 
+		     const char *version, 
+		     const char *info, 
+		     ss_request_table *table, 
+		     int *code)
+{
+    struct ss_subst *ss;
+    if(num_subsystems >= sizeof(subsystems) / sizeof(subsystems[0])) {
+	*code = 17;
+	return 0;
+    }
+    ss = &subsystems[num_subsystems];
+    ss->name = subsystem ? strdup(subsystem) : NULL;
+    ss->version = version ? strdup(version) : NULL;
+    ss->info = info ? strdup(info) : NULL;
+    ss->table = table;
+    *code = 0;
+    return num_subsystems++;
+}
+
+void
+ss_error (int index, long code, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (subsystems[index].name, code, fmt, ap);
+    va_end(ap);
+}
+
+void
+ss_perror (int index, long code, const char *msg)
+{
+    ss_error(index, code, "%s", msg);
+}
+
+int
+ss_execute_command(int index, char **argv)
+{
+    int argc = 0;
+    while(argv[argc++]);
+    sl_command(subsystems[index].table, argc, argv);
+    return 0;
+}
+
+int
+ss_execute_line (int index, const char *line)
+{
+    char *buf = strdup(line);
+    int argc;
+    char **argv;
+    
+    sl_make_argv(buf, &argc, &argv);
+    sl_command(subsystems[index].table, argc, argv);
+    free(buf);
+    return 0;
+}
+
+int
+ss_listen (int index)
+{
+    char *prompt = malloc(strlen(subsystems[index].name) + 3);
+    if(prompt == NULL) {
+	abort();
+    }
+    strcpy(prompt, subsystems[index].name);
+    strcat(prompt, ": ");
+    sl_loop(subsystems[index].table, prompt);
+    free(prompt);
+    return 0;
+}
+
+int
+ss_list_requests(int argc, char **argv /* , int index, void *info */)
+{
+    sl_help(subsystems[0 /* index */].table, argc, argv);
+    return 0;
+}
+
+int
+ss_quit(int argc, char **argv)
+{
+    return 1;
+}
diff --git a/crypto/heimdal/lib/sl/ss.h b/crypto/heimdal/lib/sl/ss.h
new file mode 100644
index 0000000..0d9d297
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ss.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: ss.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+
+/* SS compatibility for SL */
+
+#ifndef __ss_h__
+#define __ss_h__
+
+#include <sl.h>
+
+typedef SL_cmd ss_request_table;
+
+int ss_create_invocation (const char *, const char *, const char*, 
+			  ss_request_table*, int*);
+
+void ss_error (int, long, const char*, ...);
+int ss_execute_command (int, char**);
+int ss_execute_line (int, const char*);
+int ss_list_requests (int argc, char**);
+int ss_listen (int);
+void ss_perror (int, long, const char*);
+int ss_quit (int argc, char**);
+
+#endif /* __ss_h__ */
diff --git a/crypto/heimdal/ltconfig b/crypto/heimdal/ltconfig
new file mode 100755
index 0000000..62ac479
--- /dev/null
+++ b/crypto/heimdal/ltconfig
@@ -0,0 +1,2101 @@
+#! /bin/sh
+
+# ltconfig - Create a system-specific libtool.
+# Copyright (C) 1996-1998 Free Software Foundation, Inc.
+# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A lot of this script is taken from autoconf-2.10.
+
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+echo=echo
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell.
+  exec "$SHELL" "$0" --no-reexec ${1+"$@"}
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "${CDPATH+set}" = set; then CDPATH=; export CDPATH; fi
+
+if test "X${echo_test_string+set}" != "Xset"; then
+  # find a string as large as possible, as long as the shell can cope with it
+  for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+       echo_test_string="`eval $cmd`" &&
+       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null; then
+      break
+    fi
+  done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" != 'X\t' ||
+   test "X`($echo "$echo_test_string") 2>/dev/null`" != X"$echo_test_string"; then
+  # The Solaris, AIX, and Digital Unix default echo programs unquote
+  # backslashes.  This makes it impossible to quote backslashes using
+  #   echo "$something" | sed 's/\\/\\\\/g'
+  #
+  # So, first we look for a working echo in the user's PATH.
+
+  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
+  for dir in $PATH /usr/ucb; do
+    if test -f $dir/echo &&
+       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+       test "X`($dir/echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+      echo="$dir/echo"
+      break
+    fi
+  done
+  IFS="$save_ifs"
+
+  if test "X$echo" = Xecho; then
+    # We didn't find a better echo, so look for alternatives.
+    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+       test "X`(print -r "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+      # This shell has a builtin print -r that does the trick.
+      echo='print -r'
+    elif test -f /bin/ksh && test "X$CONFIG_SHELL" != X/bin/ksh; then
+      # If we have ksh, try running ltconfig again with it.
+      ORIGINAL_CONFIG_SHELL="${CONFIG_SHELL-/bin/sh}"
+      export ORIGINAL_CONFIG_SHELL
+      CONFIG_SHELL=/bin/ksh
+      export CONFIG_SHELL
+      exec "$CONFIG_SHELL" "$0" --no-reexec ${1+"$@"}
+    else
+      # Try using printf.
+      echo='printf %s\n'
+      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+         test "X`($echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+        # Cool, printf works
+	:
+      elif test "X`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null`" = 'X\t' &&
+	   test "X`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+	CONFIG_SHELL="$ORIGINAL_CONFIG_SHELL"
+	export CONFIG_SHELL
+	SHELL="$CONFIG_SHELL"
+	export SHELL
+	echo="$CONFIG_SHELL $0 --fallback-echo"
+      elif test "X`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null`" = 'X\t' &&
+	   test "X`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null`" = X"$echo_test_string"; then
+        echo="$CONFIG_SHELL $0 --fallback-echo"
+      else
+        # maybe with a smaller string...
+	prev=:
+
+	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null; then
+	    break
+	  fi
+	  prev="$cmd"
+	done
+
+	if test "$prev" != 'sed 50q "$0"'; then
+	  echo_test_string=`eval $prev`
+	  export echo_test_string
+	  exec "${ORIGINAL_CONFIG_SHELL}" "$0" ${1+"$@"}
+	else
+	  # Oops.  We lost completely, so just stick with echo.
+	  echo=echo
+	fi
+      fi
+    fi
+  fi
+fi
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+
+# The name of this program.
+progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'`
+
+# Constants:
+PROGRAM=ltconfig
+PACKAGE=libtool
+VERSION=1.2d
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.c 1>&5'
+ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.c $LIBS 1>&5'
+rm="rm -f"
+
+help="Try \`$progname --help' for more information."
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+enable_shared=yes
+# All known linkers require a `.a' archive for static linking.
+enable_static=yes
+ltmain=
+silent=
+srcdir=
+ac_config_guess=
+ac_config_sub=
+host=
+nonopt=
+ofile="$default_ofile"
+verify_host=yes
+with_gcc=no
+with_gnu_ld=no
+need_locks=yes
+objext=o
+libext=a
+
+old_AR="$AR"
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+old_CPPFLAGS="$CPPFLAGS"
+old_LD="$LD"
+old_LN_S="$LN_S"
+old_NM="$NM"
+old_RANLIB="$RANLIB"
+old_DLLTOOL="$DLLTOOL"
+old_AS="$AS"
+
+# Parse the command line options.
+args=
+prev=
+for option
+do
+  case "$option" in
+  -*=*) optarg=`echo "$option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    eval "$prev=\$option"
+    prev=
+    continue
+  fi
+
+  case "$option" in
+  --help) cat <<EOM
+Usage: $progname [OPTION]... [HOST [LTMAIN]]
+
+Generate a system-specific libtool script.
+
+    --debug                enable verbose shell tracing
+    --disable-shared       do not build shared libraries
+    --disable-static       do not build static libraries
+    --help                 display this help and exit
+    --no-verify            do not verify that HOST is a valid host type
+-o, --output=FILE          specify the output file [default=$default_ofile]
+    --quiet                same as \`--silent'
+    --silent               do not print informational messages
+    --srcdir=DIR           find \`config.guess' in DIR
+    --version              output version information and exit
+    --with-gcc             assume that the GNU C compiler will be used
+    --with-gnu-ld          assume that the C compiler uses the GNU linker
+    --disable-lock         disable file locking
+
+LTMAIN is the \`ltmain.sh' shell script fragment or \`ltmain.c' program
+that provides basic libtool functionality.
+
+HOST is the canonical host system name [default=guessed].
+EOM
+  exit 0
+  ;;
+
+  --debug)
+    echo "$progname: enabling shell trace mode"
+    set -x
+    ;;
+
+  --disable-shared) enable_shared=no ;;
+
+  --disable-static) enable_static=no ;;
+
+  --quiet | --silent) silent=yes ;;
+
+  --srcdir) prev=srcdir ;;
+  --srcdir=*) srcdir="$optarg" ;;
+
+  --no-verify) verify_host=no ;;
+
+  --output | -o) prev=ofile ;;
+  --output=*) ofile="$optarg" ;;
+
+  --version) echo "$PROGRAM (GNU $PACKAGE) $VERSION"; exit 0 ;;
+
+  --with-gcc) with_gcc=yes ;;
+  --with-gnu-ld) with_gnu_ld=yes ;;
+
+  --disable-lock) need_locks=no ;;
+
+  -*)
+    echo "$progname: unrecognized option \`$option'" 1>&2
+    echo "$help" 1>&2
+    exit 1
+    ;;
+
+  *)
+    if test -z "$ltmain"; then
+      ltmain="$option"
+    elif test -z "$host"; then
+# This generates an unnecessary warning for sparc-sun-solaris4.1.3_U1
+#      if test -n "`echo $option| sed 's/[-a-z0-9.]//g'`"; then
+#        echo "$progname: warning \`$option' is not a valid host type" 1>&2
+#      fi
+      host="$option"
+    else
+      echo "$progname: too many arguments" 1>&2
+      echo "$help" 1>&2
+      exit 1
+    fi ;;
+  esac
+done
+
+if test -z "$ltmain"; then
+  echo "$progname: you must specify a LTMAIN file" 1>&2
+  echo "$help" 1>&2
+  exit 1
+fi
+
+if test ! -f "$ltmain"; then
+  echo "$progname: \`$ltmain' does not exist" 1>&2
+  echo "$help" 1>&2
+  exit 1
+fi
+
+# Quote any args containing shell metacharacters.
+ltconfig_args=
+for arg
+do
+  case "$arg" in
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ltconfig_args="$ltconfig_args '$arg'" ;;
+  *) ltconfig_args="$ltconfig_args $arg" ;;
+  esac
+done
+
+# A relevant subset of AC_INIT.
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 5 compiler messages saved in config.log
+# 6 checking for... messages and results
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>>./config.log
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
+if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+if test -z "$srcdir"; then
+  # Assume the source directory is the same one as the path to LTMAIN.
+  srcdir=`$echo "$ltmain" | $Xsed -e 's%/[^/]*$%%'`
+  test "$srcdir" = "$ltmain" && srcdir=.
+fi
+
+trap "$rm conftest*; exit 1" 1 2 15
+if test "$verify_host" = yes; then
+  # Check for config.guess and config.sub.
+  ac_aux_dir=
+  for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+    if test -f $ac_dir/config.guess; then
+      ac_aux_dir=$ac_dir
+      break
+    fi
+  done
+  if test -z "$ac_aux_dir"; then
+    echo "$progname: cannot find config.guess in $srcdir $srcdir/.. $srcdir/../.." 1>&2
+    echo "$help" 1>&2
+    exit 1
+  fi
+  ac_config_guess=$ac_aux_dir/config.guess
+  ac_config_sub=$ac_aux_dir/config.sub
+
+  # Make sure we can run config.sub.
+  if $SHELL $ac_config_sub sun4 >/dev/null 2>&1; then :
+  else
+    echo "$progname: cannot run $ac_config_sub" 1>&2
+    echo "$help" 1>&2
+    exit 1
+  fi
+
+  echo $ac_n "checking host system type""... $ac_c" 1>&6
+
+  host_alias=$host
+  case "$host_alias" in
+  "")
+    if host_alias=`$SHELL $ac_config_guess`; then :
+    else
+      echo "$progname: cannot guess host type; you must specify one" 1>&2
+      echo "$help" 1>&2
+      exit 1
+    fi ;;
+  esac
+  host=`$SHELL $ac_config_sub $host_alias`
+  echo "$ac_t$host" 1>&6
+
+  # Make sure the host verified.
+  test -z "$host" && exit 1
+
+elif test -z "$host"; then
+  echo "$progname: you must specify a host type if you use \`--no-verify'" 1>&2
+  echo "$help" 1>&2
+  exit 1
+else
+  host_alias=$host
+fi
+
+# Transform linux* to *-*-linux-gnu*, to support old configure scripts.
+case "$host_os" in
+linux-gnu*) ;;
+linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'`
+esac
+
+host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+case "$host_os" in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "${COLLECT_NAMES+set}" != set; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR cru $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+# Set a sane default for `AR'.
+test -z "$AR" && AR=ar
+
+# If RANLIB is not set, then run the test.
+if test "${RANLIB+set}" != "set"; then
+  result=no
+
+  echo $ac_n "checking for ranlib... $ac_c" 1>&6
+  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
+  for dir in $PATH; do
+    test -z "$dir" && dir=.
+    if test -f $dir/ranlib; then
+      RANLIB="ranlib"
+      result="ranlib"
+      break
+    fi
+  done
+  IFS="$save_ifs"
+
+  echo "$ac_t$result" 1>&6
+fi
+
+if test -n "$RANLIB"; then
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+fi
+
+# Set sane defaults for `DLLTOOL' and `AS', used on cygwin32.
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$AS" && AS=as
+
+# Check to see if we are using GCC.
+if test "$with_gcc" != yes || test -z "$CC"; then
+  # If CC is not set, then try to find GCC or a usable CC.
+  if test -z "$CC"; then
+    echo $ac_n "checking for gcc... $ac_c" 1>&6
+    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
+    for dir in $PATH; do
+      IFS="$save_ifs"
+      test -z "$dir" && dir=.
+      if test -f $dir/gcc; then
+	CC="gcc"
+	break
+      fi
+    done
+    IFS="$save_ifs"
+
+    if test -n "$CC"; then
+      echo "$ac_t$CC" 1>&6
+    else
+      echo "$ac_t"no 1>&6
+    fi
+  fi
+
+  # Not "gcc", so try "cc", rejecting "/usr/ucb/cc".
+  if test -z "$CC"; then
+    echo $ac_n "checking for cc... $ac_c" 1>&6
+    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}:"
+    cc_rejected=no
+    for dir in $PATH; do
+      test -z "$dir" && dir=.
+      if test -f $dir/cc; then
+	if test "$dir/cc" = "/usr/ucb/cc"; then
+	  cc_rejected=yes
+	  continue
+	fi
+	CC="cc"
+	break
+      fi
+    done
+    IFS="$save_ifs"
+    if test $cc_rejected = yes; then
+      # We found a bogon in the path, so make sure we never use it.
+      set dummy $CC
+      shift
+      if test $# -gt 0; then
+	# We chose a different compiler from the bogus one.
+	# However, it has the same name, so the bogon will be chosen
+	# first if we set CC to just the name; use the full file name.
+	shift
+	set dummy "$dir/cc" "$@"
+	shift
+	CC="$@"
+      fi
+    fi
+
+    if test -n "$CC"; then
+      echo "$ac_t$CC" 1>&6
+    else
+      echo "$ac_t"no 1>&6
+    fi
+
+    if test -z "$CC"; then
+      echo "$progname: error: no acceptable cc found in \$PATH" 1>&2
+      exit 1
+    fi
+  fi
+
+  # Now see if the compiler is really GCC.
+  with_gcc=no
+  echo $ac_n "checking whether we are using GNU C... $ac_c" 1>&6
+  echo "$progname:530: checking whether we are using GNU C" >&5
+
+  $rm conftest.c
+  cat > conftest.c <<EOF
+#ifdef __GNUC__
+  yes;
+#endif
+EOF
+  if { ac_try='${CC-cc} -E conftest.c'; { (eval echo $progname:538: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+    with_gcc=yes
+  fi
+  $rm conftest.c
+  echo "$ac_t$with_gcc" 1>&6
+fi
+
+# Allow CC to be a program name with arguments.
+set dummy $CC
+compiler="$2"
+
+echo $ac_n "checking for object suffix... $ac_c" 1>&6
+$rm conftest*
+echo 'int i = 1;' > conftest.c
+echo "$progname:552: checking for object suffix" >& 5
+if { (eval echo $progname:553: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; }; then
+  # Append any warnings to the config.log.
+  cat conftest.err 1>&5
+
+  for ac_file in conftest.*; do
+    case $ac_file in
+    *.c) ;;
+    *) objext=`echo $ac_file | sed -e s/conftest.//` ;;
+    esac
+  done
+else
+  cat conftest.err 1>&5
+  echo "$progname: failed program was:" >&5
+  cat conftest.c >&5
+fi
+$rm conftest*
+echo "$ac_t$objext" 1>&6
+
+echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6
+pic_flag=
+special_shlib_compile_flags=
+wl=
+link_static_flag=
+no_builtin_flag=
+
+if test "$with_gcc" = yes; then
+  wl='-Wl,'
+  link_static_flag='-static'
+
+  case "$host_os" in
+  aix3* | aix4* | irix5* | irix6* | osf3* | osf4*)
+    # PIC is the default for these OSes.
+    ;;
+  cygwin32* | mingw32* | os2*)
+    # We can build DLLs from non-PIC.
+    ;;
+  amigaos*)
+    # FIXME: we need at least 68020 code to build shared libraries, but
+    # adding the `-m68020' flag to GCC prevents building anything better,
+    # like `-m68040'.
+    pic_flag='-m68020 -resident32 -malways-restore-a4'
+    ;;
+  *)
+    pic_flag='-fPIC'
+    ;;
+  esac
+else
+  # PORTME Check for PIC flags for the system compiler.
+  case "$host_os" in
+  aix3* | aix4*)
+    # All AIX code is PIC.
+    link_static_flag='-bnso -bI:/lib/syscalls.exp'
+    ;;
+
+  hpux9* | hpux10* | hpux11*)
+    # Is there a better link_static_flag that works with the bundled CC?
+    wl='-Wl,'
+    link_static_flag="${wl}-a ${wl}archive"
+    pic_flag='+Z'
+    ;;
+
+  irix5* | irix6*)
+    wl='-Wl,'
+    link_static_flag='-non_shared'
+    # PIC (with -KPIC) is the default.
+    ;;
+
+  cygwin32* | mingw32* | os2*)
+    # We can build DLLs from non-PIC.
+    ;;
+
+  osf3* | osf4*)
+    # All OSF/1 code is PIC.
+    wl='-Wl,'
+    link_static_flag='-non_shared'
+    ;;
+
+  sco3.2v5*)
+    pic_flag='-Kpic'
+    link_static_flag='-dn'
+    special_shlib_compile_flags='-belf'
+    ;;
+
+  solaris*)
+    pic_flag='-KPIC'
+    link_static_flag='-Bstatic'
+    wl='-Wl,'
+    ;;
+
+  sunos4*)
+    pic_flag='-PIC'
+    link_static_flag='-Bstatic'
+    wl='-Qoption ld '
+    ;;
+
+  sysv4.2uw2* | sysv5*)
+    pic_flag='-KPIC'
+    link_static_flag='-Bstatic'
+    wl='-Wl,'
+    ;;
+
+  uts4*)
+    pic_flag='-pic'
+    link_static_flag='-Bstatic'
+    ;;
+
+  *)
+    can_build_shared=no
+    ;;
+  esac
+fi
+
+if test -n "$pic_flag"; then
+  echo "$ac_t$pic_flag" 1>&6
+
+  # Check to make sure the pic_flag actually works.
+  echo $ac_n "checking if $compiler PIC flag $pic_flag works... $ac_c" 1>&6
+  $rm conftest*
+  echo "int some_variable = 0;" > conftest.c
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS $pic_flag -DPIC"
+  echo "$progname:674: checking if $compiler PIC flag $pic_flag works" >&5
+  if { (eval echo $progname:675: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then
+    # Append any warnings to the config.log.
+    cat conftest.err 1>&5
+
+    # On HP-UX, both CC and GCC only warn that PIC is supported... then they
+    # create non-PIC objects.  So, if there were any warnings, we assume that
+    # PIC is not supported.
+    if test -s conftest.err; then
+      echo "$ac_t"no 1>&6
+      can_build_shared=no
+      pic_flag=
+    else
+      echo "$ac_t"yes 1>&6
+      pic_flag=" $pic_flag"
+    fi
+  else
+    # Append any errors to the config.log.
+    cat conftest.err 1>&5
+    can_build_shared=no
+    pic_flag=
+    echo "$ac_t"no 1>&6
+  fi
+  CFLAGS="$save_CFLAGS"
+  $rm conftest*
+else
+  echo "$ac_t"none 1>&6
+fi
+
+# Check to see if options -o and -c are simultaneously supported by compiler
+echo $ac_n "checking if $compiler supports -c -o file.o... $ac_c" 1>&6
+$rm conftest*
+echo "int some_variable = 0;" > conftest.c
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -c -o conftest2.o"
+echo "$progname:709: checking if $compiler supports -c -o file.o" >&5
+if { (eval echo $progname:710: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest2.o; then
+
+  # The compiler can only warn and ignore the option if not recognized
+  # So say no if there are warnings
+    if test -s conftest.err; then
+      echo "$ac_t"no 1>&6
+      compiler_c_o=no
+    else
+      echo "$ac_t"yes 1>&6
+      compiler_c_o=yes
+    fi
+else
+  # Append any errors to the config.log.
+  cat conftest.err 1>&5
+  compiler_c_o=no
+  echo "$ac_t"no 1>&6
+fi
+CFLAGS="$save_CFLAGS"
+$rm conftest*
+
+if test x"$compiler_c_o" = x"yes"; then
+  # Check to see if we can write to a .lo
+  echo $ac_n "checking if $compiler supports -c -o file.lo... $ac_c" 1>&6
+  $rm conftest*
+  echo "int some_variable = 0;" > conftest.c
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -c -o conftest.lo"
+  echo "$progname:737: checking if $compiler supports -c -o file.lo" >&5
+if { (eval echo $progname:738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.lo; then
+
+    # The compiler can only warn and ignore the option if not recognized
+    # So say no if there are warnings
+      if test -s conftest.err; then
+	echo "$ac_t"no 1>&6
+	compiler_o_lo=no
+      else
+        echo "$ac_t"yes 1>&6
+        compiler_o_lo=yes
+      fi
+  else
+    # Append any errors to the config.log.
+    cat conftest.err 1>&5
+    compiler_o_lo=no
+    echo "$ac_t"no 1>&6
+  fi
+  CFLAGS="$save_CFLAGS"
+  $rm conftest*
+else
+  compiler_o_lo=no
+fi
+
+# Check to see if we can do hard links to lock some files if needed
+hard_links="nottested"
+if test "$compiler_c_o" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  echo $ac_n "checking if we can lock with hard links... $ac_c" 1>&6
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  echo "$ac_t$hard_links" 1>&6
+  $rm conftest*
+  if test "$hard_links" = no; then
+    echo "*** WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+if test "$with_gcc" = yes; then
+  # Check to see if options -fno-rtti -fno-exceptions are supported by compiler
+  echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions ... $ac_c" 1>&6
+  $rm conftest*
+  echo "int some_variable = 0;" > conftest.c
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.c"
+  echo "$progname:789: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+  if { (eval echo $progname:790: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.o; then
+
+    # The compiler can only warn and ignore the option if not recognized
+    # So say no if there are warnings
+      if test -s conftest.err; then
+        echo "$ac_t"no 1>&6
+        compiler_rtti_exceptions=no
+      else
+        echo "$ac_t"yes 1>&6
+        compiler_rtti_exceptions=yes
+      fi
+  else
+    # Append any errors to the config.log.
+    cat conftest.err 1>&5
+    compiler_rtti_exceptions=no
+    echo "$ac_t"no 1>&6
+  fi
+  CFLAGS="$save_CFLAGS"
+  $rm conftest*
+
+  if test "$compiler_rtti_exceptions" = "yes"; then
+    no_builtin_flag=' -fno-builtin -fno-rtti -fno-exceptions'
+  else
+    no_builtin_flag=' -fno-builtin'
+  fi
+  
+fi
+
+# Check for any special shared library compilation flags.
+if test -n "$special_shlib_compile_flags"; then
+  echo "$progname: warning: \`$CC' requires \`$special_shlib_compile_flags' to build shared libraries" 1>&2
+  if echo "$old_CC $old_CFLAGS " | egrep -e "[ 	]$special_shlib_compile_flags[ 	]" >/dev/null; then :
+  else
+    echo "$progname: add \`$special_shlib_compile_flags' to the CC or CFLAGS env variable and reconfigure" 1>&2
+    can_build_shared=no
+  fi
+fi
+
+echo $ac_n "checking if $compiler static flag $link_static_flag works... $ac_c" 1>&6
+$rm conftest*
+echo 'main(){return(0);}' > conftest.c
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $link_static_flag"
+echo "$progname:833: checking if $compiler static flag $link_static_flag works" >&5
+if { (eval echo $progname:834: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+  echo "$ac_t$link_static_flag" 1>&6
+else
+  echo "$ac_t"none 1>&6
+  link_static_flag=
+fi
+LDFLAGS="$save_LDFLAGS"
+$rm conftest*
+
+if test -z "$LN_S"; then
+  # Check to see if we can use ln -s, or we need hard links.
+  echo $ac_n "checking whether ln -s works... $ac_c" 1>&6
+  $rm conftestdata
+  if ln -s X conftestdata 2>/dev/null; then
+    $rm conftestdata
+    LN_S="ln -s"
+  else
+    LN_S=ln
+  fi
+  if test "$LN_S" = "ln -s"; then
+    echo "$ac_t"yes 1>&6
+  else
+    echo "$ac_t"no 1>&6
+  fi
+fi
+
+# Make sure LD is an absolute path.
+if test -z "$LD"; then
+  ac_prog=ld
+  if test "$with_gcc" = yes; then
+    # Check if gcc -print-prog-name=ld gives a path.
+    echo $ac_n "checking for ld used by GCC... $ac_c" 1>&6
+    echo "$progname:866: checking for ld used by GCC" >&5
+    ac_prog=`($CC -print-prog-name=ld) 2>&5`
+    case "$ac_prog" in
+    # Accept absolute paths.
+    /* | [A-Za-z]:/*)
+      re_direlt='/[^/][^/]*/\.\./'
+      sub_uncdrive='s%^\([A-Za-z]\):/%//\1/%'
+      # Canonicalize the path of ld
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+        ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      case "$host_os" in
+      cygwin*)
+        # Convert to a UNC path for cygwin
+        test -z "$LD" && LD=`echo X$ac_prog | $Xsed -e "$sub_uncdrive"`
+	;;
+      *)
+        test -z "$LD" && LD="$ac_prog"
+	;;
+      esac
+      ;;
+    ##
+    ## FIXME:  The code fails later on if we try to use an $LD with
+    ##         '\\' path separators.
+    ##
+    [A-Za-z]:[\\]*)
+      re_direlt='\\[^\\][^\\]*\\\.\.\(\\\)'
+      sub_uncdrive='s%^\([A-Za-z]\):\\%//\1/%'
+      sub_uncdir='s%\\%/%g'
+      # Canonicalize the path of ld
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+        ac_prog=`echo $ac_prog| sed "s%$re_direlt%\1%"`
+      done
+      case "$host_os" in
+      cygwin*)
+        # Convert to a UNC path for cygwin
+        test -z "$LD" && LD=`echo X$ac_prog | $Xsed -e "$sub_uncdrive" -e "$sub_uncdir"`
+	;;
+      *)
+        test -z "$LD" && LD="$ac_prog"
+	;;
+      esac
+      ;;
+    "")
+      # If it fails, then pretend we are not using GCC.
+      ac_prog=ld
+      ;;
+    *)
+      # If it is relative, then search for the first ld in PATH.
+      with_gnu_ld=unknown
+      ;;
+    esac
+  elif test "$with_gnu_ld" = yes; then
+    echo $ac_n "checking for GNU ld... $ac_c" 1>&6
+    echo "$progname:920: checking for GNU ld" >&5
+  else
+    echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
+    echo "$progname:923: checking for non-GNU ld" >&5
+  fi
+
+  if test -z "$LD"; then
+    IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+    for ac_dir in $PATH; do
+      test -z "$ac_dir" && ac_dir=.
+      if test -f "$ac_dir/$ac_prog"; then
+	LD="$ac_dir/$ac_prog"
+	# Check to see if the program is GNU ld.  I'd rather use --version,
+	# but apparently some GNU ld's only accept -v.
+	# Break only if it was the GNU/non-GNU ld that we prefer.
+	if "$LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	  test "$with_gnu_ld" != no && break
+	else
+	  test "$with_gnu_ld" != yes && break
+	fi
+      fi
+    done
+    IFS="$ac_save_ifs"
+  fi
+
+  if test -n "$LD"; then
+    echo "$ac_t$LD" 1>&6
+  else
+    echo "$ac_t"no 1>&6
+  fi
+
+  if test -z "$LD"; then
+    echo "$progname: error: no acceptable ld found in \$PATH" 1>&2
+    exit 1
+  fi
+fi
+
+# Check to see if it really is or is not GNU ld.
+echo $ac_n "checking if the linker ($LD) is GNU ld... $ac_c" 1>&6
+# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+echo "$ac_t$with_gnu_ld" 1>&6
+
+# See if the linker supports building shared libraries.
+echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6
+
+allow_undefined_flag=
+no_undefined_flag=
+archive_cmds=
+archive_sym_cmds=
+old_archive_from_new_cmds=
+export_dynamic_flag_spec=
+whole_archive_flag_spec=
+hardcode_libdir_flag_spec=
+hardcode_libdir_separator=
+hardcode_direct=no
+hardcode_minus_L=no
+hardcode_shlibpath_var=unsupported
+runpath_var=
+
+case "$host_os" in
+aix3* | aix4*)
+  # On AIX, the GNU linker works like the native linker.
+  with_gnu_ld=no
+  ;;
+esac
+
+ld_shlibs=yes
+if test "$with_gnu_ld" = yes; then
+
+  # See if GNU ld supports shared libraries.
+  case "$host_os" in
+  amigaos*)
+    archive_cmds='$rm $objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $objdir/a2ixlibrary.data~$AR cru $lib$libobjs~$RANLIB $lib~(cd $objdir && a2ixlibrary -32)'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+    ;;
+
+  sunos4*)
+    archive_cmds='$LD -assert pure-text -Bstatic -o $lib$libobjs$deplibs'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  cygwin32* | mingw32*)
+    if test "$with_gcc" = yes; then
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      allow_undefined_flag=unsupported
+      # Very, very bogus.
+      echo '
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#undef WIN32_LEAN_AND_MEAN
+#include <stdio.h>
+
+BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+
+#include <cygwin/cygwin_dll.h>
+DECLARE_CYGWIN_DLL( DllMain );
+HINSTANCE __hDllInstance_base;
+
+BOOL APIENTRY
+DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+{
+  __hDllInstance_base = hInst;
+  return TRUE;
+}
+' > ltdll.c
+      archive_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
+      $DLLTOOL --export-all --output-def $lib-def $libobjs ltdll.$objext~
+      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $rm ltdll.$objext $soname-base $soname-exp'
+      archive_sym_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
+      cat "$export_symbols" >> $lib-def~
+      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $rm ltdll.$objext $soname-base $soname-exp'
+      old_archive_from_new_cmds='$DLLTOOL --as=$AS --dllname $soname --def $lib-def --output-lib $objdir/$libname.a~$rm $lib.exp'
+   else
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      with_gnu_ld=no
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec=' '
+      allow_undefined_flag=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds='$CC -o $lib$libobjs`echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_from_new_cmds='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds='lib /OUT:$oldlib$oldobjs'
+      fix_srcfile_path='`cygpath -w $srcfile`'
+    fi
+    ;;
+
+  *)
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+      archive_cmds='$CC -shared ${wl}-soname $wl$soname -o $lib$libobjs$deplibs'
+      archive_sym_cmds='$CC -shared ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib$libobjs$deplibs'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+  esac
+
+  if test "$ld_shlibs" = yes && test "$with_gnu_ld" = yes; then
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec='${wl}--export-dynamic'
+    whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+  fi
+else
+  # PORTME fill in a description of your system's linker (not GNU ld)
+  case "$host_os" in
+  aix3*)
+    allow_undefined_flag=unsupported
+    archive_cmds='$NM$libobjs | $global_symbol_pipe | sed '\''s/.* //'\' | sort | uniq' > $lib.exp~
+        $LD -o $objdir/$soname$libobjs$deplibs -bE:$lib.exp -T512 -H512 -bM:SRE~$AR cru $lib $objdir/$soname'
+    archive_sym_cmds='$LD -o $objdir/$soname$libobjs$deplibs -bE:$export_symbols -T512 -H512 -bM:SRE~$AR cru $lib $objdir/$soname'
+    # Note: this linker hardcodes the directories in LIBPATH if there
+    # are no directories specified by -L.
+    hardcode_minus_L=yes
+    if test "$with_gcc" = yes && test -z "$link_static_flag"; then
+      # Neither direct hardcoding nor static linking is supported with a
+      # broken collect2.
+      hardcode_direct=unsupported
+    fi
+    ;;
+
+  aix4*)
+    allow_undefined_flag=unsupported
+    archive_cmds='$NM$libobjs | $global_symbol_pipe | sed '\''s/.* //'\' | sort | uniq' > $lib.exp        else cat $export_symbols > $lib.exp~
+    	$CC -o $objdir/$soname$libobjs$deplibs ${wl}-bE:$lib.exp ${wl}-bM:SRE ${wl}-bnoentry~$AR cru $lib $objdir/$soname'
+    archive_sym_cmds='$CC -o $objdir/$soname$libobjs$deplibs ${wl}-bE:$export_symbols ${wl}-bM:SRE ${wl}-bnoentry~$AR cru $lib $objdir/$soname'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    ;;
+
+  amigaos*)
+    archive_cmds='$rm $objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $objdir/a2ixlibrary.data~$AR cru $lib$libobjs~$RANLIB $lib~(cd $objdir && a2ixlibrary -32)'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+    ;;
+
+  cygwin32* | mingw32*)
+    if test "$with_gcc" = yes; then
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      allow_undefined_flag=unsupported
+      # Very, very bogus.
+      echo '
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#undef WIN32_LEAN_AND_MEAN
+#include <stdio.h>
+
+BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+
+#include <cygwin/cygwin_dll.h>
+DECLARE_CYGWIN_DLL( DllMain );
+HINSTANCE __hDllInstance_base;
+
+BOOL APIENTRY
+DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+{
+  __hDllInstance_base = hInst;
+  return TRUE;
+}
+' > ltdll.c
+      archive_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
+      $DLLTOOL --export-all --output-def $lib-def $libobjs ltdll.$objext~
+      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $rm ltdll.$objext $soname-base $soname-exp'
+      archive_sym_cmds='$CC -c '"`pwd`"'/ltdll.c~echo EXPORTS > $lib-def~
+      cat "$export_symbols" >> $lib-def~
+      $CC -Wl,--base-file,$soname-base -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 $libobjs ltdll.$objext~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC -Wl,--base-file,$soname-base $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbol=_cygwin_dll_entry@12 --def $lib-def --base-file $soname-base --output-exp $soname-exp~
+      $CC $soname-exp -Wl,--dll -nostartfiles -Wl,-e,__cygwin_dll_entry@12 -o $lib $libobjs ltdll.$objext$deplibs~
+      $rm ltdll.$objext $soname-base $soname-exp'
+      old_archive_from_new_cmds='$DLLTOOL --as=$AS --dllname $soname --def $lib-def --output-lib $objdir/$libname.a~$rm $lib.exp'
+    else
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec=' '
+      allow_undefined_flag=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # FIXME: Setting linknames here is a bad hack.
+      archive_cmds='$CC -o $lib$libobjs`echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      old_archive_from_new_cmds='true'
+      # FIXME: Should let the user specify the lib program.
+      old_archive_cmds='lib /OUT:$oldlib$oldobjs'
+      fix_srcfile_path='`cygpath -w $srcfile`'
+    fi
+    ;;
+
+  # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+  # support.  Future versions do this automatically, but an explicit c++rt0.o
+  # does not break anything, and helps significantly (at the cost of a little
+  # extra space).
+  freebsd2.2*)
+    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs /usr/lib/c++rt0.o'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+  freebsd2*)
+    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  # FreeBSD 3, at last, uses gcc -shared to do shared libraries.
+  freebsd3*)
+    archive_cmds='$CC -shared -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=no
+    hardcode_shlibpath_var=no
+    ;;
+
+  hpux9*)
+    archive_cmds='$rm $objdir/$soname~$LD -b +s +b $install_libdir -o $objdir/$soname$libobjs$deplibs~test $objdir/$soname = $lib || mv $objdir/$soname $lib'
+    hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    export_dynamic_flag_spec='${wl}-E'
+    ;;
+
+  hpux10* | hpux11*)
+    archive_cmds='$LD -b +h $soname +s +b $install_libdir -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    export_dynamic_flag_spec='${wl}-E'
+    ;;
+
+  irix5* | irix6*)
+    if test "$with_gcc" = yes; then
+      archive_cmds='$CC -shared -o $lib ${wl}-soname ${wl}$soname ${wl}-set_version ${wl}$verstring$libobjs$deplibs'
+    else
+      archive_cmds='$LD -shared -o $lib -soname $soname -set_version $verstring$libobjs$deplibs'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    ;;
+
+  netbsd*)
+    # Tested with NetBSD 1.2 ld
+    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  openbsd*)
+    archive_cmds='$LD -Bshareable -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  os2*)
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+    allow_undefined_flag=unsupported
+    archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $objdir/$libname.def~$echo DATA >> $objdir/$libname.def~$echo " SINGLE NONSHARED" >> $objdir/$libname.def~$echo EXPORTS >> $objdir/$libname.def~emxexp$libobjs >> $objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib$libobjs$deplibs $objdir/$libname.def'
+    old_archive_from_new_cmds='emximp -o $objdir/$libname.a $objdir/$libname.def'
+    ;;
+
+  osf3* | osf4*)
+    if test "$with_gcc" = yes; then
+      allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+      archive_cmds='$CC -shared${allow_undefined_flag} -o $lib ${wl}-soname ${wl}$soname ${wl}-set_version ${wl}$verstring$libobjs$deplibs'
+    else
+      allow_undefined_flag=' -expect_unresolved \*'
+      archive_cmds='$LD -shared${allow_undefined_flag} -o $lib -soname $soname -set_version $verstring$libobjs$deplibs'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    ;;
+
+  sco3.2v5*)
+    archive_cmds='$LD -G -o $lib$libobjs$deplibs'
+    hardcode_direct=yes
+    ;;
+
+  solaris*)
+    no_undefined_flag=' -z text'
+    # $CC -shared without GNU ld will not create a library from C++
+    # object files and a static libstdc++, better avoid it by now
+    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib$libobjs$deplibs'
+    archive_sym_cmds='$echo "{ global:" > $lib.exp~sed $export_symbols -e "s/.*/\1;/" >> $lib.exp~$echo "local: * }" >> $lib.exp~
+		$LD -G${allow_undefined_flag} -M $export_symbols -h $soname -o $lib$libobjs$deplibs~$rm $lib.exp'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_shlibpath_var=no
+
+    # Solaris 2 before 2.5 hardcodes -L paths.
+    case "$host_os" in
+    solaris2.[0-4]*)
+      hardcode_minus_L=yes
+      ;;
+    esac
+    ;;
+
+  sunos4*)
+    # Why do we need -Bstatic?  To avoid inter-library dependencies, maybe...
+    if test "$with_gcc" = yes; then
+      archive_cmds='$CC -shared ${wl}-Bstatic -o $lib$libobjs$deplibs'
+    else
+      archive_cmds='$LD -assert pure-text -Bstatic -o $lib$libobjs$deplibs'
+    fi
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  uts4*)
+    archive_cmds='$LD -G -h $soname -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_direct=no
+    hardcode_minus_L=no
+    hardcode_shlibpath_var=no
+    ;;
+
+  dgux*)
+    archive_cmds='$LD -G -h $soname -o $lib$libobjs$deplibs'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_direct=no
+    hardcode_minus_L=no
+    hardcode_shlibpath_var=no
+    ;;
+
+  *)
+    ld_shlibs=no
+    can_build_shared=no
+    ;;
+  esac
+fi
+echo "$ac_t$ld_shlibs" 1>&6
+
+if test -z "$NM"; then
+  echo $ac_n "checking for BSD-compatible nm... $ac_c" 1>&6
+  case "$NM" in
+  /* | [A-Za-z]:[/\\]*) ;; # Let the user override the test with a path.
+  *)
+    IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:"
+    for ac_dir in /usr/ucb /usr/ccs/bin $PATH /bin; do
+      test -z "$ac_dir" && ac_dir=.
+      if test -f $ac_dir/nm; then
+        # Check to see if the nm accepts a BSD-compat flag.
+        # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+        #   nm: unknown option "B" ignored
+        if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+          NM="$ac_dir/nm -B"
+        elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+          NM="$ac_dir/nm -p"
+	else
+          NM="$ac_dir/nm"
+	fi
+        break
+      fi
+    done
+    IFS="$ac_save_ifs"
+    test -z "$NM" && NM=nm
+    ;;
+  esac
+  echo "$ac_t$NM" 1>&6
+fi
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRSTU]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \1'
+
+# Define system-specific variables.
+case "$host_os" in
+aix*)
+  symcode='[BCDTU]'
+  ;;
+sunos* | cygwin32* | mingw32*)
+  sympat='_\([_A-Za-z][_A-Za-z0-9]*\)'
+  symxfrm='_\1 \1'
+  ;;
+irix*)
+  # Cannot use undefined symbols on IRIX because inlined functions mess us up.
+  symcode='[BCDEGRST]'
+  ;;
+solaris*)
+  symcode='[BDTU]'
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then
+  symcode='[ABCDGISTUW]'
+fi
+
+case "$host_os" in
+cygwin32* | mingw32*)
+  # We do not want undefined symbols on cygwin32.  The user must
+  # arrange to define them via -l arguments.
+  symcode='[ABCDGISTW]'
+  ;;
+esac
+
+# Write the raw and C identifiers.
+global_symbol_pipe="sed -n -e 's/^.* $symcode $sympat$/$symxfrm/p'"
+
+# Check to see that the pipe works correctly.
+pipe_works=no
+$rm conftest*
+cat > conftest.c <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+echo "$progname:1425: checking if global_symbol_pipe works" >&5
+if { (eval echo $progname:1426: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then
+  # Now try to grab the symbols.
+  nlist=conftest.nm
+  if { echo "$progname:1429: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then
+
+    # Try sorting and uniquifying the output.
+    if sort "$nlist" | uniq > "$nlist"T; then
+      mv -f "$nlist"T "$nlist"
+      wcout=`wc "$nlist" 2>/dev/null`
+      count=`$echo "X$wcout" | $Xsed -e 's/^[ 	]*\([0-9][0-9]*\).*$/\1/'`
+      (test "$count" -ge 0) 2>/dev/null || count=-1
+    else
+      rm -f "$nlist"T
+      count=-1
+    fi
+
+    # Make sure that we snagged all the symbols we need.
+    if egrep ' nm_test_var$' "$nlist" >/dev/null; then
+      if egrep ' nm_test_func$' "$nlist" >/dev/null; then
+	cat <<EOF > conftest.c
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+        # Now generate the symbol file.
+        sed 's/^.* \(.*\)$/extern char \1;/' < "$nlist" >> conftest.c
+
+	cat <<EOF >> conftest.c
+#if defined (__STDC__) && __STDC__
+# define __ptr_t void *
+#else
+# define __ptr_t char *
+#endif
+
+/* The number of symbols in dld_preloaded_symbols, -1 if unsorted. */
+int dld_preloaded_symbol_count = $count;
+
+/* The mapping between symbol names and symbols. */
+struct {
+  char *name;
+  __ptr_t address;
+}
+dld_preloaded_symbols[] =
+{
+EOF
+        sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> conftest.c
+        cat <<\EOF >> conftest.c
+  {0, (__ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+        # Now try linking the two files.
+        mv conftest.$objext conftestm.$objext
+	save_LIBS="$LIBS"
+	save_CFLAGS="$CFLAGS"
+        LIBS="conftestm.$objext"
+	CFLAGS="$CFLAGS$no_builtin_flag"
+        if { (eval echo $progname:1487: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+          pipe_works=yes
+        else
+          echo "$progname: failed program was:" >&5
+          cat conftest.c >&5
+        fi
+        LIBS="$save_LIBS"
+      else
+        echo "cannot find nm_test_func in $nlist" >&5
+      fi
+    else
+      echo "cannot find nm_test_var in $nlist" >&5
+    fi
+  else
+    echo "cannot run $global_symbol_pipe" >&5
+  fi
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.c >&5
+fi
+$rm conftest*
+
+# Do not use the global_symbol_pipe unless it works.
+echo "$ac_t$pipe_works" 1>&6
+test "$pipe_works" = yes || global_symbol_pipe=
+
+# Check hardcoding attributes.
+echo $ac_n "checking how to hardcode library paths into programs... $ac_c" 1>&6
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" || \
+   test -n "$runpath_var"; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct" != no && \
+     test "$hardcode_minus_L" != no && \
+     test "$hardcode_shlibpath_var" != no; then
+
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action=unsupported
+fi
+echo "$ac_t$hardcode_action" 1>&6
+
+
+reload_flag=
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+echo $ac_n "checking for $LD option to reload object files... $ac_c" 1>&6
+# PORTME Some linkers may need a different reload flag.
+reload_flag='-r'
+echo "$ac_t$reload_flag" 1>&6
+test -n "$reload_flag" && reload_flag=" $reload_flag"
+
+# PORTME Fill in your ld.so characteristics
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_search_path="/lib /usr/lib /usr/local/lib"
+check_shared_deplibs_method='none'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_regex' -- check by looking for filenames that look like the shared
+# library in the library path.
+# 'file_magic [regex]' -- check by looking for files in library path which
+# responds to the "file" command with a given regex.  This is actually a
+# superset of the file_regex command.  If you have file on your system, you'll
+# want to use this instead.
+# Notes: regexes are run through expr.
+
+echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6
+case "$host_os" in
+aix3* | aix4*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}.so$major'
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done'
+  ;;
+
+bsdi4*)
+  version_type=linux
+  library_names_spec='${libname}.so.$major ${libname}.so'
+  soname_spec='${libname}.so'
+  finish_cmds='PATH="$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+cygwin32* | mingw32*)
+  version_type=windows
+  if test "$with_gcc" = yes; then
+    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.a'
+  else
+    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib'
+  fi
+  dynamic_linker='Win32 ld.exe'
+  libname_spec='$name'
+  shlibpath_var=PATH
+  ;;
+
+freebsd2* | freebsd3*)
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  version_type=freebsd-$objformat
+  library_names_spec='${libname}${release}.so$versuffix $libname.so'
+  finish_cmds='PATH="$PATH:/sbin" OBJFORMAT="$objformat" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+gnu*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  dynamic_linker="$host_os dld.sl"
+  version_type=sunos
+  shlibpath_var=SHLIB_PATH
+  library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl'
+  soname_spec='${libname}${release}.sl$major'
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+irix5*)
+  version_type=osf
+  soname_spec='${libname}${release}.so'
+  library_names_spec='${libname}${release}.so$versuffix $libname.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+irix6*)
+  version_type=osf
+  soname_spec='${libname}${release}.so'
+  library_names_spec='${libname}${release}.so$versuffix $libname.so'
+  shlibpath_var=LD_LIBRARYN32_PATH
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  check_shared_deplibs_method='file_magic ELF 32-bit LSB shared object'
+  sys_lib_search_path="/lib /usr/lib /usr/local/lib `echo $LD_LIBRARY_PATH | sed -e 's/:/ /g'`"
+
+  if test -f /lib/ld.so.1; then
+    dynamic_linker='GNU ld.so'
+  else
+    # Only the GNU ld.so supports shared libraries on MkLinux.
+    case "$host_cpu" in
+    powerpc*) dynamic_linker=no ;;
+    *) dynamic_linker='Linux ld.so' ;;
+    esac
+  fi
+  ;;
+
+netbsd* | openbsd*)
+  version_type=sunos
+  library_names_spec='${libname}${release}.so$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+os2*)
+  libname_spec='$name'
+  library_names_spec='$libname.dll $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4*)
+  version_type=osf
+  soname_spec='${libname}${release}.so'
+  library_names_spec='${libname}${release}.so$versuffix $libname.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  check_shared_deplibs_method='pass_all'
+  ;;
+
+sco3.2v5*)
+  version_type=osf
+  soname_spec='${libname}${release}.so$major'
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+solaris*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+sysv4.2uw2*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so.$versuffix ${libname}${release}.so.$major $libname.so'
+  soname_spec='${libname}${release}.so.$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+dgux*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+echo "$ac_t$dynamic_linker" 1>&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+# Report the final consequences.
+echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6
+
+echo $ac_n "checking whether to build shared libraries... $ac_c" 1>&6
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+esac
+
+echo "$ac_t$enable_shared" 1>&6
+
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+
+echo "checking whether to build static libraries... $enable_static" 1>&6
+
+echo $ac_n "checking for objdir... $ac_c" 1>&6
+rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+echo "$ac_t$objdir" 1>&6
+
+# Copy echo and quote the copy, instead of the original, because it is
+# used later.
+ltecho="$echo"
+if test "X$ltecho" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+   ltecho="$CONFIG_SHELL \$0 --fallback-echo"
+fi
+LTSHELL="$SHELL"
+
+# Only quote variables if we're using ltmain.sh.
+case "$ltmain" in
+*.sh)
+  # Now quote all the things that may contain metacharacters.
+  for var in ltecho old_CC old_CFLAGS old_CPPFLAGS old_LD old_NM old_RANLIB \
+    old_LN_S old_DLLTOOL old_AS AR CC LD LN_S NM LTSHELL VERSION \
+    reload_flag reload_cmds wl \
+    pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \
+    whole_archive_flag_spec libname_spec library_names_spec soname_spec \
+    RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \
+    old_postuninstall_cmds archive_cmds archive_sym_cmds postinstall_cmds postuninstall_cmds \
+    check_shared_deplibs_method allow_undefined_flag no_undefined_flag \
+    finish_cmds finish_eval global_symbol_pipe \
+    hardcode_libdir_flag_spec hardcode_libdir_separator sys_lib_search_path \
+    compiler_c_o compiler_o_lo need_locks; do
+
+    case "$var" in
+    reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    archive_cmds | archive_sym_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    finish_cmds | sys_lib_search_path)
+      # Double-quote double-evaled strings.
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    *)
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case "$ltecho" in
+  *'\$0 --fallback-echo"')
+    ltecho=`$echo "X$ltecho" |
+	    $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+  trap "$rm \"$ofile\"; exit 1" 1 2 15
+  echo "creating $ofile"
+  $rm "$ofile"
+  cat <<EOF > "$ofile"
+#! $SHELL
+
+# `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION)
+# NOTE: Changes made to this file will be lost: look at ltconfig or ltmain.sh.
+#
+# Copyright (C) 1996-1998 Free Software Foundation, Inc.
+# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="sed -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "\${CDPATH+set}" = set; then CDPATH=; export CDPATH; fi
+
+### BEGIN LIBTOOL CONFIG
+EOF
+  cfgfile="$ofile"
+  ;;
+
+*)
+  # Double-quote the variables that need it (for aesthetics).
+  for var in old_CC old_CFLAGS old_CPPFLAGS old_LD old_NM old_RANLIB \
+    old_LN_S old_DLLTOOL old_AS; do
+    eval "$var=\\\"\$var\\\""
+  done
+
+  # Just create a config file.
+  cfgfile="$ofile.cfg"
+  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+  echo "creating $cfgfile"
+  $rm "$cfgfile"
+  cat <<EOF > "$cfgfile"
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION)
+EOF
+  ;;
+esac
+
+cat <<EOF >> "$cfgfile"
+# Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# CC=$old_CC CFLAGS=$old_CFLAGS CPPFLAGS=$old_CPPFLAGS \\
+# LD=$old_LD NM=$old_NM RANLIB=$old_RANLIB LN_S=$old_LN_S \\
+# DLLTOOL="$old_DLLTOOL" AS="$old_AS" \\
+#   $0$ltconfig_args
+#
+# Compiler and other test output produced by $progname, useful for
+# debugging $progname, is in ./config.log if it exists.
+
+# The version of $progname that generated this script.
+LTCONFIG_VERSION=$VERSION
+
+# Shell to use when invoking shell scripts.
+SHELL=$LTSHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$ltecho
+
+# The archiver.
+AR=$AR
+
+# The default C compiler.
+CC=$CC
+
+# The linker used to build libraries.
+LD=$LD
+
+# Whether we need hard or soft links.
+LN_S=$LN_S
+
+# A BSD-compatible nm program.
+NM=$NM
+
+# Used on cygwin32: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin32: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$reload_flag
+reload_cmds=$reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$wl
+
+# Object file suffix (normally "o").
+objext="$objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$pic_flag
+
+# Does compiler simultaneously support -c and -o options
+compiler_c_o=$compiler_c_o
+
+# Can we write directly to a .lo ?
+compiler_o_lo=$compiler_o_lo
+
+# Must we lock files when doing compilation ?
+need_locks=$need_locks
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$link_static_flag
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$no_builtin_flag
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$whole_archive_flag_spec
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$RANLIB
+old_archive_cmds=$old_archive_cmds
+old_postinstall_cmds=$old_postinstall_cmds
+old_postuninstall_cmds=$old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$old_archive_from_new_cmds
+
+# Commands used to build and install a shared archive.
+archive_cmds=$archive_cmds
+archive_sym_cmds=$archive_sym_cmds
+postinstall_cmds=$postinstall_cmds
+postuninstall_cmds=$postuninstall_cmds
+
+# Method to check whether dependent libraries are shared objects.
+check_shared_deplibs_method=$check_shared_deplibs_method
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$allow_undefined_flag
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$no_undefined_flag
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$global_symbol_pipe
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$hardcode_libdir_flag_spec
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$hardcode_libdir_separator
+
+# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# System search path for libraries
+sys_lib_search_path=$sys_lib_search_path
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path"
+EOF
+
+case "$ltmain" in
+*.sh)
+  echo '### END LIBTOOL CONFIG' >> "$ofile"
+  echo >> "$ofile"
+  case "$host_os" in
+  aix3*)
+    cat <<\EOF >> "$ofile"
+
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "${COLLECT_NAMES+set}" != set; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+EOF
+    ;;
+  esac
+
+  # Append the ltmain.sh script.
+  cat "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1)
+
+  chmod +x "$ofile"
+  ;;
+
+*)
+  # Compile the libtool program.
+  echo "FIXME: would compile $ltmain"
+  ;;
+esac
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/crypto/heimdal/ltmain.sh b/crypto/heimdal/ltmain.sh
new file mode 100644
index 0000000..397cc1e
--- /dev/null
+++ b/crypto/heimdal/ltmain.sh
@@ -0,0 +1,3079 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun ltconfig.
+#
+# Copyright (C) 1996-1998 Free Software Foundation, Inc.
+# Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell, and then maybe $echo will work.
+  exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+# The name of this program.
+progname=`$echo "$0" | sed 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.2d
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+  save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+  save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+if test "$LTCONFIG_VERSION" != "$VERSION"; then
+  echo "$modename: ltconfig version \`$LTCONFIG_VERSION' does not match $PROGRAM version \`$VERSION'" 1>&2
+  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit 1
+fi
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+  echo "$modename: not configured to build any kind of library" 1>&2
+  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit 1
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+lo2o="s/\\.lo\$/.${objext}/"
+los2o="s/\\.lo /.${objext} /g"
+
+# Parse our command line options once, thoroughly.
+while test $# -gt 0
+do
+  arg="$1"
+  shift
+
+  case "$arg" in
+  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    case "$prev" in
+    execute_dlfiles)
+      eval "$prev=\"\$$prev \$arg\""
+      ;;
+    *)
+      eval "$prev=\$arg"
+      ;;
+    esac
+
+    prev=
+    prevopt=
+    continue
+  fi
+
+  # Have we seen a non-optional argument yet?
+  case "$arg" in
+  --help)
+    show_help=yes
+    ;;
+
+  --version)
+    echo "$PROGRAM (GNU $PACKAGE) $VERSION"
+    exit 0
+    ;;
+
+  --config)
+    sed -e '1,/^### BEGIN LIBTOOL CONFIG/d' -e '/^### END LIBTOOL CONFIG/,$d' $0
+    exit 0
+    ;;
+
+  --debug)
+    echo "$progname: enabling shell trace mode"
+    set -x
+    ;;
+
+  --dry-run | -n)
+    run=:
+    ;;
+
+  --features)
+    echo "host: $host"
+    if test "$build_libtool_libs" = yes; then
+      echo "enable shared libraries"
+    else
+      echo "disable shared libraries"
+    fi
+    if test "$build_old_libs" = yes; then
+      echo "enable static libraries"
+    else
+      echo "disable static libraries"
+    fi
+    exit 0
+    ;;
+
+  --finish) mode="finish" ;;
+
+  --mode) prevopt="--mode" prev=mode ;;
+  --mode=*) mode="$optarg" ;;
+
+  --quiet | --silent)
+    show=:
+    ;;
+
+  -dlopen)
+    prevopt="-dlopen"
+    prev=execute_dlfiles
+    ;;
+
+  -*)
+    $echo "$modename: unrecognized option \`$arg'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+    ;;
+
+  *)
+    nonopt="$arg"
+    break
+    ;;
+  esac
+done
+
+if test -n "$prevopt"; then
+  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+fi
+
+if test -z "$show_help"; then
+
+  # Infer the operation mode.
+  if test -z "$mode"; then
+    case "$nonopt" in
+    *cc | *++ | gcc* | *-gcc*)
+      mode=link
+      for arg
+      do
+        case "$arg" in
+        -c)
+           mode=compile
+           break
+           ;;
+        esac
+      done
+      ;;
+    *db | *dbx | *strace | *truss)
+      mode=execute
+      ;;
+    *install*|cp|mv)
+      mode=install
+      ;;
+    *rm)
+      mode=uninstall
+      ;;
+    *)
+      # If we have no mode, but dlfiles were specified, then do execute mode.
+      test -n "$execute_dlfiles" && mode=execute
+
+      # Just use the default operation mode.
+      if test -z "$mode"; then
+        if test -n "$nonopt"; then
+          $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+        else
+          $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+        fi
+      fi
+      ;;
+    esac
+  fi
+
+  # Only execute mode is allowed to have -dlopen flags.
+  if test -n "$execute_dlfiles" && test "$mode" != execute; then
+    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+  fi
+
+  # Change the help message to a mode-specific one.
+  generic_help="$help"
+  help="Try \`$modename --help --mode=$mode' for more information."
+
+  # These modes are in order of execution frequency so that they run quickly.
+  case "$mode" in
+  # libtool compile mode
+  compile)
+    modename="$modename: compile"
+    # Get the compilation command and the source file.
+    base_compile=
+    lastarg=
+    srcfile="$nonopt"
+    suppress_output=
+    force_static=no
+
+    user_target=no
+    for arg
+    do
+      # Accept any command-line options.
+      case "$arg" in
+      -o)
+        if test "$user_target" != "no"; then
+          $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+	  exit 1
+        fi
+        user_target=next
+	;;
+
+      -force-static)
+        force_static=yes
+        continue
+        ;;
+	
+      -static)
+        build_old_libs=yes
+        continue
+        ;;
+      esac
+
+      case "$user_target" in
+      next)
+        # The next one is the -o target name
+        user_target=yes
+        continue
+        ;;
+      yes)
+        # We got the output file
+        user_target=set
+        libobj="$arg"
+        continue
+        ;;
+      esac
+
+      # Accept the current argument as the source file.
+      lastarg="$srcfile"
+      srcfile="$arg"
+
+      # Aesthetically quote the previous argument.
+
+      # Backslashify any backslashes, double quotes, and dollar signs.
+      # These are the only characters that are still specially
+      # interpreted inside of double-quoted scrings.
+      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+      # Double-quote args containing other shell metacharacters.
+      # Many Bourne shells cannot handle close brackets correctly in scan
+      # sets, so we specify it separately.
+      case "$lastarg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+        lastarg="\"$lastarg\""
+        ;;
+      esac
+
+      # Add the previous argument to base_compile.
+      if test -z "$base_compile"; then
+        base_compile="$lastarg"
+      else
+        base_compile="$base_compile $lastarg"
+      fi
+    done
+
+    case "$user_target" in
+    set)
+      ;;
+    no)
+      # Get the name of the library object.
+      libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+      ;;
+    *)
+      $echo "$modename: you must specify a target with \`-o'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    # Recognize several different file suffixes.
+    # If the user specifies -o file.o, it is replaced with file.lo
+    xform='[cCFSfmso]'
+    case "$libobj" in
+    *.ada) xform=ada ;;
+    *.adb) xform=adb ;;
+    *.ads) xform=ads ;;
+    *.asm) xform=asm ;;
+    *.c++) xform=c++ ;;
+    *.cc) xform=cc ;;
+    *.cpp) xform=cpp ;;
+    *.cxx) xform=cxx ;;
+    *.f90) xform=f90 ;;
+    *.for) xform=for ;;
+    esac
+
+    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+    case "$libobj" in
+    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+    *)
+      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    if test -z "$base_compile"; then
+      $echo "$modename: you must specify a compilation command" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Delete any leftover library objects.
+    if test "$build_old_libs" = yes; then
+      removelist="$obj $libobj $lockfile"
+    else
+      removelist="$libobj $lockfile"
+    fi
+
+    $run $rm $removelist
+    trap "$run $rm $removelist; exit 1" 1 2 15
+
+    # Calculate the filename of the output object if compiler does
+    # not support -o with -c
+    if test "$compiler_c_o" = no; then
+      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\..*$%%'`.${objext}
+      lockfile="$output_obj.lock"
+      removelist="$removelist $output_obj $lockfile"
+      trap "$run $rm $removelist; exit 1" 1 2 15
+    else
+      need_locks=no
+      lockfile=
+    fi
+
+    # Lock this critical section if it is needed
+    # We use this script file to make the link, it avoids creating a new file
+    if test "$need_locks" = yes; then
+      until ln "$0" "$lockfile" 2>/dev/null; do
+        $show "Waiting for $lockfile to be removed"
+        sleep 2
+      done
+    elif test "$need_locks" = warn; then
+      if test -f "$lockfile"; then
+	echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+      echo $srcfile > "$lockfile"
+    fi
+
+    if test -n "$fix_srcfile_path"; then
+      eval srcfile=\"$fix_srcfile_path\"
+    fi
+
+    # Only build a PIC object if we are building libtool libraries.
+    if test "$build_libtool_libs" = yes; then
+      # Without this assignment, base_compile gets emptied.
+      fbsd_hideous_sh_bug=$base_compile
+
+      # All platforms use -DPIC, to notify preprocessed assembler code.
+      command="$base_compile$pic_flag -DPIC $srcfile"
+      if test "$compiler_o_lo" = yes; then
+        command="$command -o $libobj"
+        output_obj="$libobj"
+      elif test "$compiler_c_o" = yes; then
+        command="$command -o $obj"
+        output_obj="$obj"
+      fi
+
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+        test -n "$output_obj" && $run $rm $removelist
+        exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed, then go on to compile the next one
+      if test "$compiler_o_lo" = no && test x"$output_obj" != x"$libobj"; then
+        $show "$mv $output_obj $libobj"
+        if $run $mv $output_obj $libobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # If we have no pic_flag and do not have -force-static, 
+      # then copy the object into place and finish.
+      if test -z "$pic_flag" && test "$force_static" = no; then
+        $show "$LN_S $libobj $obj"
+        if $run $LN_S $libobj $obj; then
+	  exit 0
+	else
+          error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Allow error messages only from the first compilation.
+      suppress_output=' >/dev/null 2>&1'
+    fi
+
+    # Only build a position-dependent object if we build old libraries.
+    if test "$build_old_libs" = yes; then
+      command="$base_compile $srcfile"
+      if test "$force_static" = yes; then
+        command="$command -DLIBTOOL_STATIC"
+      fi
+      if test "$compiler_c_o" = yes; then
+        command="$command -o $obj"
+        output_obj="$obj"
+      fi
+
+      # Suppress compiler output if we already did a PIC compilation.
+      command="$command$suppress_output"
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+        $run $rm $removelist
+        exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed
+      if test "$compiler_c_o" = no && test x"$output_obj" != x"$obj"; then
+        $show "$mv $output_obj $obj"
+        if $run $mv $output_obj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+    fi
+
+    # Unlock the critical section if it was locked
+    if test "$need_locks" != no; then
+      $rm "$lockfile"
+    fi
+
+    # Create an invalid libtool object if no PIC, so that we do not
+    # accidentally link it into a program.
+    if test "$build_libtool_libs" != yes; then
+      $show "echo timestamp > $libobj"
+      $run eval "echo timestamp > \$libobj" || exit $?
+    fi
+
+    exit 0
+    ;;
+
+  # libtool link mode
+  link)
+    modename="$modename: link"
+    C_compiler="$CC" # save it, to compile generated C sources
+    CC="$nonopt"
+    allow_undefined=yes
+    compile_command="$CC"
+    finalize_command="$CC"
+
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    eval lib_search_path=\"$sys_lib_search_path\"
+    
+    dlfiles=
+    dlprefiles=
+    export_dynamic=no
+    export_symbols=
+    generated=
+    hardcode_libdirs=
+    libobjs=
+    link_against_libtool_libs=
+    ltlibs=
+    module=no
+    objs=
+    prev=
+    prevarg=
+    release=
+    rpath=
+    perm_rpath=
+    temp_rpath=
+    vinfo=
+
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case "$arg" in
+      -all-static | -static)
+        if test "X$arg" = "X-all-static" && test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+        fi
+        build_libtool_libs=no
+	build_old_libs=yes
+        break
+        ;;
+      esac
+    done
+
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+    # Go through the arguments, transforming them on the way.
+    while test $# -gt 0; do
+      arg="$1"
+      shift
+
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+        case "$prev" in
+        output)
+          compile_command="$compile_command @OUTPUT@"
+          finalize_command="$finalize_command @OUTPUT@"
+          ;;
+        esac
+
+        case "$prev" in
+        dlfiles|dlprefiles)
+          case "$arg" in
+          *.la | *.lo) ;;  # We handle these cases below.
+          *)
+            dlprefiles="$dlprefiles $arg"
+            test "$prev" = dlfiles && dlfiles="$dlfiles $arg"
+            prev=
+            ;;
+          esac
+          ;;
+	exportsyms)
+	  export_symbols="$arg"
+          if test ! -f "$arg"; then
+            $echo "$modename: symbol file \`$arg' does not exist"
+            exit 1
+          fi
+	  prev=
+	  ;;
+	release)
+	  release="-$arg"
+	  prev=
+	  continue
+	  ;;
+        rpath)
+          rpath="$rpath $arg"
+	  prev=
+	  continue
+	  ;;
+        *)
+          eval "$prev=\"\$arg\""
+          prev=
+          continue
+          ;;
+        esac
+      fi
+
+      prevarg="$arg"
+
+      case "$arg" in
+      -all-static)
+	if test -n "$link_static_flag"; then
+          compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+        fi
+        continue
+	;;
+
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+	continue
+	;;
+
+      -dlopen)
+        prev=dlfiles
+        continue
+        ;;
+
+      -dlpreopen)
+        prev=dlprefiles
+        continue
+        ;;
+
+      -export-dynamic)
+        if test "$export_dynamic" != yes; then
+          export_dynamic=yes
+	  if test -n "$export_dynamic_flag_spec"; then
+	    eval arg=\"$export_dynamic_flag_spec\"
+	  else
+	    arg=
+	  fi
+
+          # Add the symbol object into the linking commands.
+	  compile_command="$compile_command @SYMFILE@"
+	  finalize_command="$finalize_command @SYMFILE@"
+        fi
+        ;;
+
+      -export-symbols)
+        if test -n "$export_symbols"; then
+          $echo "$modename: cannot have more than one -exported-symbols"
+          exit 1
+        fi
+	prev=exportsyms
+	continue
+        ;;
+
+      -L*)
+        dir=`$echo "X$arg" | $Xsed -e 's%^-L\(.*\)$%\1%'`
+        case "$dir" in
+        /* | [A-Za-z]:[/\\]*)
+	  # Add the corresponding hardcode_libdir_flag, if it is not identical.
+          ;;
+        *)
+          $echo "$modename: \`-L$dir' cannot specify a relative directory" 1>&2
+          exit 1
+          ;;
+        esac
+        deplibs="$deplibs $arg"
+        lib_search_path="$lib_search_path `expr $arg : '-L\(.*\)'`"
+        ;;
+
+      -l*) deplibs="$deplibs $arg" ;;
+
+      -module)
+        if test "$module" != yes; then
+          module=yes
+	  if test -n "$export_dynamic_flag_spec"; then
+	    eval arg=\"$export_dynamic_flag_spec\"
+	  else
+	    arg=
+	  fi
+	fi
+        ;;
+	
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
+
+      -o) prev=output ;;
+
+      -release)
+	prev=release
+	continue
+	;;
+
+      -rpath)
+        prev=rpath
+        continue
+        ;;
+
+      -static)
+	# If we have no pic_flag, then this is the same as -all-static.
+	if test -z "$pic_flag" && test -n "$link_static_flag"; then
+          compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+        fi
+	continue
+	;;
+
+      -version-info)
+        prev=vinfo
+        continue
+        ;;
+
+      # Some other compiler flag.
+      -* | +*)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case "$arg" in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	  arg="\"$arg\""
+	  ;;
+	esac
+        ;;
+
+      *.o | *.obj | *.a | *.lib)
+        # A standard object.
+        objs="$objs $arg"
+        ;;
+
+      *.lo)
+        # A library object.
+	if test "$prev" = dlfiles; then
+	  dlfiles="$dlfiles $arg"
+	  if test "$build_libtool_libs" = yes; then
+	    prev=
+	    continue
+	  else
+	    # If libtool objects are unsupported, then we need to preload.
+	    prev=dlprefiles
+	  fi
+	fi
+
+	if test "$prev" = dlprefiles; then
+	  # Preload the old-style object.
+	  dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"`
+	  prev=
+	fi
+	libobjs="$libobjs $arg"
+        ;;
+
+      *.la)
+        # A libtool-controlled library.
+
+        dlname=
+        libdir=
+        library_names=
+        old_library=
+
+        # Check to see that this really is a libtool archive.
+        if (sed -e '2q' $arg | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+        else
+          $echo "$modename: \`$arg' is not a valid libtool archive" 1>&2
+          exit 1
+        fi
+
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variable installed.
+	installed=yes
+
+        # If there is no directory component, then add one.
+        case "$arg" in
+        */* | *\\*) . $arg ;;
+        *) . ./$arg ;;
+        esac
+
+        # Get the name of the library we link against.
+        linklib=
+        for l in $old_library $library_names; do
+          linklib="$l"
+        done
+
+        if test -z "$linklib"; then
+          $echo "$modename: cannot find name of link library for \`$arg'" 1>&2
+          exit 1
+        fi
+
+        # Find the relevant object directory and library name.
+        name=`$echo "X$arg" | $Xsed -e 's%^.*/%%' -e 's/\.la$//' -e 's/^lib//'`
+
+	if test "X$installed" = Xyes; then
+	  dir="$libdir"
+	else
+	  dir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+	  if test "X$dir" = "X$arg"; then
+	    dir="$objdir"
+	  else
+	    dir="$dir/$objdir"
+	  fi
+	fi
+
+        if test -z "$libdir"; then
+	  # It is a libtool convenience library, so add in its objects.
+	  convenience="$convenience $dir/$old_library"
+	  old_convenience="$old_convenience $dir/$old_library"
+	  deplibs="$deplibs$dependency_libs"
+	  compile_command="$compile_command $dir/$old_library$dependency_libs"
+	  finalize_command="$finalize_command $dir/$old_library$dependency_libs"
+	  continue
+	fi
+
+        # This library was specified with -dlopen.
+        if test "$prev" = dlfiles; then
+          dlfiles="$dlfiles $arg"
+          if test -z "$dlname" || test "$build_libtool_libs" = no; then
+            # If there is no dlname or we're linking statically,
+            # we need to preload.
+            prev=dlprefiles
+          else
+            # We should not create a dependency on this library, but we
+	    # may need any libraries it requires.
+	    compile_command="$compile_command$dependency_libs"
+	    finalize_command="$finalize_command$dependency_libs"
+            prev=
+            continue
+          fi
+        fi
+
+        # The library was specified with -dlpreopen.
+        if test "$prev" = dlprefiles; then
+          # Prefer using a static library (so that no silly _DYNAMIC symbols
+          # are required to link).
+          if test -n "$old_library"; then
+            dlprefiles="$dlprefiles $dir/$old_library"
+          else
+            dlprefiles="$dlprefiles $dir/$linklib"
+          fi
+          prev=
+        fi
+
+        if test "$build_libtool_libs" = yes && test -n "$library_names"; then
+          link_against_libtool_libs="$link_against_libtool_libs $arg"
+          if test -n "$shlibpath_var"; then
+            # Make sure the rpath contains only unique directories.
+            case "$temp_rpath " in
+            *" $dir "*) ;;
+            *) temp_rpath="$temp_rpath $dir" ;;
+            esac
+          fi
+
+	  # This is the magic to use -rpath.
+          if test -n "$hardcode_libdir_flag_spec"; then
+            if test -n "$hardcode_libdir_separator"; then
+              if test -z "$hardcode_libdirs"; then
+                # Put the magic libdir with the hardcode flag.
+                hardcode_libdirs="$libdir"
+                libdir="@HARDCODE_LIBDIRS@"
+              else
+                # Just accumulate the unique libdirs.
+		case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+		*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		  ;;
+		*)
+		  hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		  ;;
+		esac
+                libdir=
+              fi
+            fi
+
+            if test -n "$libdir"; then
+              eval flag=\"$hardcode_libdir_flag_spec\"
+
+              compile_command="$compile_command $flag"
+              finalize_command="$finalize_command $flag"
+            fi
+          elif test -n "$runpath_var"; then
+            # Do the same for the permanent run path.
+            case "$perm_rpath " in
+            *" $libdir "*) ;;
+            *) perm_rpath="$perm_rpath $libdir" ;;
+            esac
+          fi
+
+
+	  lib_linked=yes
+          case "$hardcode_action" in
+          immediate | unsupported)
+            if test "$hardcode_direct" = no; then
+              compile_command="$compile_command $dir/$linklib"
+            elif test "$hardcode_minus_L" = no; then
+	      case "$host" in
+	      *-*-sunos*)
+                compile_shlibpath="$compile_shlibpath$dir:"
+		;;
+	      esac
+              compile_command="$compile_command -L$dir -l$name"
+            elif test "$hardcode_shlibpath_var" = no; then
+              compile_shlibpath="$compile_shlibpath$dir:"
+              compile_command="$compile_command -l$name"
+	    else
+	      lib_linked=no
+            fi
+            ;;
+
+          relink)
+            # We need an absolute path.
+            case "$dir" in
+            /* | [A-Za-z]:[/\\]*) ;;
+            *)
+              absdir=`cd "$dir" && pwd`
+              if test -z "$absdir"; then
+                $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+                exit 1
+              fi
+              dir="$absdir"
+              ;;
+            esac
+
+            if test "$hardcode_direct" = yes; then
+              compile_command="$compile_command $dir/$linklib"
+            elif test "$hardcode_minus_L" = yes; then
+              compile_command="$compile_command -L$dir -l$name"
+            elif test "$hardcode_shlibpath_var" = yes; then
+              compile_shlibpath="$compile_shlibpath$dir:"
+              compile_command="$compile_command -l$name"
+	    else
+	      lib_linked=no
+            fi
+            ;;
+
+	  *)
+	    lib_linked=no
+	    ;;
+          esac
+
+	  if test "$lib_linked" != yes; then
+	    $echo "$modename: configuration error: unsupported hardcode properties"
+	    exit 1
+	  fi
+
+          # Finalize command for both is simple: just hardcode it.
+          if test "$hardcode_direct" = yes; then
+            finalize_command="$finalize_command $libdir/$linklib"
+          elif test "$hardcode_minus_L" = yes; then
+            finalize_command="$finalize_command -L$libdir -l$name"
+          elif test "$hardcode_shlibpath_var" = yes; then
+            finalize_shlibpath="$finalize_shlibpath$libdir:"
+            finalize_command="$finalize_command -l$name"
+          else
+            # We cannot seem to hardcode it, guess we'll fake it.
+            finalize_command="$finalize_command -L$libdir -l$name"
+          fi
+        else
+          # Transform directly to old archives if we don't build new libraries.
+          if test -n "$pic_flag" && test -z "$old_library"; then
+            $echo "$modename: cannot find static library for \`$arg'" 1>&2
+            exit 1
+          fi
+
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_command="$compile_command $dir/$linklib"
+	    finalize_command="$finalize_command $dir/$linklib"
+	  else
+	    compile_command="$compile_command -L$dir -l$name"
+	    finalize_command="$finalize_command -L$dir -l$name"
+	  fi
+        fi
+
+	# Add in any libraries that this one depends upon.
+	compile_command="$compile_command$dependency_libs"
+	finalize_command="$finalize_command$dependency_libs"
+	continue
+        ;;
+
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case "$arg" in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	  arg="\"$arg\""
+	  ;;
+	esac
+        ;;
+      esac
+
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+      fi
+    done
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -n "$export_symbols" && test "$module" = yes; then
+      $echo "$modename: \`-export-symbols' is not supported for modules"
+      exit 1
+    fi
+    
+    oldlibs=
+    # calculate the name of the file, without its directory
+    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+
+    case "$output" in
+    "")
+      $echo "$modename: you must specify an output file" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+      ;;
+
+    *.a | *.lib)
+      if test -n "$link_against_libtool_libs"; then
+        $echo "$modename: error: cannot link libtool libraries into archives" 1>&2
+        exit 1
+      fi
+
+      if test -n "$deplibs"; then
+        $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
+      fi
+
+      if test -n "$dlfiles$dlprefiles"; then
+        $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+        $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+        $echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$release"; then
+        $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$export_symbols"; then
+        $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+      fi
+
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs="$output"
+      ;;
+
+    *.la)
+      # Make sure we only generate libraries of the form `libNAME.la'.
+      case "$outputname" in
+      lib*) ;;
+      *)
+	$echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+	;;
+      esac
+
+      name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+      eval libname=\"$libname_spec\"
+
+      output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+      if test "X$output_objdir" = "X$output"; then
+        output_objdir="$objdir"
+      else
+        output_objdir="$output_objdir/$objdir"
+      fi
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      if test -n "$objs"; then
+        $echo "$modename: cannot build libtool library \`$output' from non-libtool objects:$objs" 2>&1
+        exit 1
+      fi
+
+      # How the heck are we supposed to write a wrapper for a shared library?
+      if test -n "$link_against_libtool_libs"; then
+        $echo "$modename: error: cannot link shared libraries into libtool libraries" 1>&2
+        exit 1
+      fi
+
+      if test -n "$dlfiles$dlprefiles"; then
+        $echo "$modename: warning: \`-dlopen' is ignored for libtool libraries" 1>&2
+      fi
+
+      set dummy $rpath
+      if test $# -gt 2; then
+	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+      fi
+      install_libdir="$2"
+
+      oldlibs=
+      if test -z "$rpath"; then
+	# Building a libtool convenience library.
+        libext=al
+	oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	build_libtool_libs=convenience
+	dependency_libs="$deplibs"
+
+	if test -n "$vinfo"; then
+	  $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2
+	fi
+
+	if test -n "$release"; then
+	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+	fi
+      else
+
+	# Parse the version information argument.
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=':'
+	set dummy $vinfo 0 0 0
+	IFS="$save_ifs"
+
+	if test -n "$8"; then
+	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	current="$2"
+	revision="$3"
+	age="$4"
+
+	# Check that each of the things are valid numbers.
+	case "$current" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case "$revision" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case "$age" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	if test $age -gt $current; then
+	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	fi
+
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case "$version_type" in
+	none) ;;
+
+	linux)
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  ;;
+
+	osf)
+	  major=`expr $current - $age`
+	  versuffix=".$current.$age.$revision"
+	  verstring="$current.$age.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test $loop != 0; do
+	    iface=`expr $current - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="$verstring:${iface}.0"
+	  done
+
+	  # Make executables depend on our current version.
+	  verstring="$verstring:${current}.0"
+	  ;;
+
+	sunos)
+	  major=".$current"
+	  versuffix=".$current.$revision"
+	  ;;
+
+	freebsd-aout)
+	  major=".$current"
+	  versuffix=".$current.$revision";
+	  ;;
+
+	freebsd-elf)
+	  major=".$current"
+	  versuffix=".$current";
+	  ;;
+
+	windows)
+	  # Like Linux, but with '-' rather than '.', since we only
+	  # want one extension on Windows 95.
+	  major=`expr $current - $age`
+	  versuffix="-$major-$age-$revision"
+	  ;;
+
+	*)
+	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
+	  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  versuffix=
+	  verstring="0.0"
+	  case "$host" in
+	  *-*-sunos*)
+	    versuffix=".0.0"
+	    ;;
+	  esac
+	fi
+
+	# Check to see if the archive will have undefined symbols.
+	if test "$allow_undefined" = yes; then
+	  if test "$allow_undefined_flag" = unsupported; then
+	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+	    build_libtool_libs=no
+	    build_old_libs=yes
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag="$no_undefined_flag"
+	fi
+
+	# Add libc to deplibs on all systems.
+	dependency_libs="$deplibs"
+	deplibs="$deplibs -lc"
+      fi
+
+      # Create the output directory, or remove our outputs if we need to.
+      if test -d $output_objdir; then
+        $show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
+	$run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*
+      else
+        $show "$mkdir $output_objdir"
+        $run $mkdir $output_objdir
+        status=$?
+        if test $status -ne 0 && test ! -d $output_objdir; then
+          exit $status
+        fi
+      fi
+
+      # Now set the variables for building old libraries.
+      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+	# Transform .lo files to .o files.
+	oldobjs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^   ]*\.'${libext}' //g' -e "$los2o" -e 's/ $//g'`
+      fi
+
+      if test "$build_libtool_libs" = yes; then
+        # Transform deplibs into only deplibs that can be linked in shared.
+        ## Gordon: Do you check for the existence of the libraries in deplibs
+        ## on the system?  That should maybe be merged in here someplace....
+        ## Actually: I think test_compile and file_magic do this... file_regex
+        ## sorta does this. Only pas_all needs to be changed.  -Toshio
+        name_save=$name
+        libname_save=$libname
+        release_save=$release
+        versuffix_save=$versuffix
+        major_save=$major
+        # I'm not sure if I'm treating the release correctly.  I think
+        # release should show up in the -l (ie -lgmp5) so we don't want to
+        # add it in twice.  Is that correct?
+        release=""
+        versuffix=""
+        major=""
+        newdeplibs=
+        case "$check_shared_deplibs_method" in
+        pass_all)  
+          newdeplibs=$deplibs 
+                    ;; # Don't check for shared/static.  Everything works.
+                       # This might be a little naive.  We might want to check
+                       # whether the library exists or not.  But this is on
+                       # osf3 & osf4 and I'm not really sure... Just
+                       # implementing what was already the behaviour.
+        test_compile)
+          # This code stresses the "libraries are programs" paradigm to its
+          # limits. Maybe even breaks it.  We compile a program, linking it
+          # against the deplibs as a proxy for the library.  Then we can check
+          # whether they linked in statically or dynamically with ldd.
+          $rm conftest.c
+          cat > conftest.c <<EOF
+          int main() { return 0; }
+EOF
+          $rm a.out
+          $C_compiler conftest.c $deplibs
+          if test $? -eq 0 ; then
+            ldd_output=`ldd a.out`
+            for i in $deplibs; do
+              name="`expr $i : '-l\(.*\)'`"
+              # If $name is empty we are operating on a -L argument.
+              if test "$name" != "" ; then
+                libname=`eval \\$echo \"$libname_spec\"`
+                deplib_matches=`eval \\$echo \"$library_names_spec\"`
+                set dummy $deplib_matches
+                deplib_match=$2
+                if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+                  newdeplibs="$newdeplibs $i"
+                else
+                  echo
+                  echo "*** Warning: This library needs some functionality provided by $i."
+                  echo "*** I have the capability to make that library automatically link in when"
+                  echo "*** you link to this library.  But I can only do this if you have a"
+                  echo "*** shared version of the library, which you do not appear to have."
+                fi
+              else
+                newdeplibs="$newdeplibs $i"
+              fi
+            done
+          else
+            # Error occured in the first compile.  Let's try to salvage the situation:
+            # Compile a seperate program for each library.
+            for i in $deplibs; do
+              name="`expr $i : '-l\(.*\)'`"
+             # If $name is empty we are operating on a -L argument.
+              if test "$name" != "" ; then
+                $rm a.out
+                $C_compiler conftest.c $i
+                # Did it work?
+                if test $? -eq 0 ; then
+                  ldd_output=`ldd a.out`
+                    libname=`eval \\$echo \"$libname_spec\"`
+                    deplib_matches=`eval \\$echo \"$library_names_spec\"`
+                    set dummy $deplib_matches
+                    deplib_match=$2
+                    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+                      newdeplibs="$newdeplibs $i"
+                    else
+                      echo
+                      echo "*** Warning: This library needs some functionality provided by $i."
+                      echo "*** I have the capability to make that library automatically link in when"
+                      echo "*** you link to this library.  But I can only do this if you have a"
+                      echo "*** shared version of the library, which you do not appear to have."
+                    fi
+                else
+                  echo
+                  echo "*** Warning!  Library $i is needed by this library but I was not able to"
+                  echo "***  make it link in!  You will probably need to install it or some"
+                  echo "*** library that it depends on before this library will be fully"
+                  echo "*** functional.  Installing it before continuing would be even better."
+                fi
+              else
+                newdeplibs="$newdeplibs $i"
+              fi
+            done
+          fi
+          deplibs=$newdeplibs
+          ;;
+        file_magic* | file_regex)
+          set dummy $check_shared_deplibs_method
+          file_magic_regex="`expr \"$check_shared_deplibs_method\" : \"$2\(.*\)\"`"
+          for a_deplib in $deplibs; do
+            name="`expr $a_deplib : '-l\(.*\)'`"
+            # If $name is empty we are operating on a -L argument.
+            if test "$name" != "" ; then
+              libname=`eval \\$echo \"$libname_spec\"`
+              case "$check_shared_deplibs_method" in
+                file_magic*)
+                  for i in $lib_search_path; do
+                   # This needs to be more general than file_regex in order to
+                   # catch things like glibc on linux.  Maybe file_regex
+                   # should be more general as well, but maybe not.  Since
+                   # library names are supposed to conform to
+                   # library_name_spec, I think file_regex should remain
+                   # strict.  What do you think Gordon?
+                    potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+                    for potent_lib in $potential_libs; do
+                      file_output=`file $potent_lib`
+                      if test `expr "$file_output" : ".*$file_magic_regex"` -ne 0 ; then
+                        newdeplibs="$newdeplibs $a_deplib"
+                        a_deplib=""
+                        break 2
+                      fi
+                    done
+                  done
+                  ;;
+                file_regex)
+                  deplib_matches=`eval \\$echo \"$library_names_spec\"`
+                  set dummy $deplib_matches
+                  deplib_match=$2
+                  for i in $lib_search_path; do
+                    potential_libs=`ls $i/$deplib_match* 2>/dev/null`
+                    if test "$potential_libs" != "" ; then
+                      newdeplibs="$newdeplibs $a_deplib"
+                      a_deplib=""
+                      break
+                    fi
+                  done
+                  ;;
+              esac
+              if test "$a_deplib" != "" ; then
+                echo
+                echo "*** Warning: This library needs some functionality provided by $a_deplib."
+                echo "*** I have the capability to make that library automatically link in when"
+                echo "*** you link to this library.  But I can only do this if you have a"
+                echo "*** shared version of the library, which you do not appear to have."
+              fi
+            else
+              # Add a -L argument.
+              newdeplibs="$newdeplibs $a_deplib"
+            fi
+          done # Gone through all deplibs.
+          ;;
+        none | *)  deplibs="" ;;
+        esac
+        versuffix=$versuffix_save
+        major=$major_save
+        release=$release_save
+        libname=$libname_save
+        name=$name_save
+        deplibs=$newdeplibs
+        # Done checking deplibs!
+ 
+	# Get the real and link names of the library.
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	realname="$2"
+	shift; shift
+
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname="$realname"
+	fi
+
+	lib="$output_objdir/$realname"
+	for link
+	do
+	  linknames="$linknames $link"
+	done
+
+	# Use standard objects if they are PIC.
+	test -z "$pic_flag" && libobjs=`$echo "X$libobjs " | $Xsed -e "$los2o" -e 's/ $//g'`
+
+	if test -n "$whole_archive_flag_spec"; then
+	  if test -n "$convenience"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  fi
+	else
+	  for xlib in $convenience; do
+	    # Extract the objects.
+	    xdir="$xlib"x
+	    generated="$generated $xdir"
+	    xlib=`echo "$xlib" | $Xsed -e 's%^.*/%%'`
+
+	    $show "${rm}r $xdir"
+	    $run ${rm}r "$xdir"
+	    $show "mkdir $xdir"
+	    $run mkdir "$xdir"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$xdir"; then
+	      exit $status
+	    fi
+	    $show "(cd $xdir && $AR x ../$xlib)"
+	    $run eval "(cd \$xdir && $AR x ../\$xlib)" || exit $?
+
+	    libobjs="$libobjs `echo $xdir/*`"
+	  done
+	fi
+
+	# Do each of the archive commands.
+	if test -n "$export_symbols" && test -n "$archive_sym_cmds"; then
+	  eval cmds=\"$archive_sym_cmds\"
+	else
+	  eval cmds=\"$archive_cmds\"
+	fi
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    $show "(cd $output_objdir && $LN_S $realname $linkname)"
+	    $run eval '(cd $output_objdir && $LN_S $realname $linkname)' || exit $?
+	  fi
+	done
+
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test "$module" = yes || test "$export_dynamic" = yes; then
+	  # On all known operating systems, these are identical.
+	  dlname="$soname"
+	fi
+      fi
+      ;;
+
+    *.lo | *.o | *.obj)
+      if test -n "$link_against_libtool_libs"; then
+        $echo "$modename: error: cannot link libtool libraries into objects" 1>&2
+        exit 1
+      fi
+
+      if test -n "$deplibs"; then
+        $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+      fi
+
+      if test -n "$dlfiles$dlprefiles"; then
+        $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+        $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+        $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$release"; then
+        $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+      fi
+
+      case "$output" in
+      *.lo)
+        if test -n "$objs"; then
+          $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+          exit 1
+        fi
+        libobj="$output"
+        obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+        ;;
+      *)
+        libobj=
+        obj="$output"
+        ;;
+      esac
+
+      # Delete the old objects.
+      $run $rm $obj $libobj
+
+      # Create the old-style object.
+      reload_objs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^       ]*\.'${libext}' //g' -e 's/[^       ]*\.lib //g' -e "$los2o" -e 's/ $//g'`
+
+      output="$obj"
+      eval cmds=\"$reload_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+        IFS="$save_ifs"
+        $show "$cmd"
+        $run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+
+      # Exit if we aren't doing a library object file.
+      test -z "$libobj" && exit 0
+
+      if test "$build_libtool_libs" != yes; then
+        # Create an invalid libtool object if no PIC, so that we don't
+        # accidentally link it into a program.
+        $show "echo timestamp > $libobj"
+        $run eval "echo timestamp > $libobj" || exit $?
+        exit 0
+      fi
+
+      if test -n "$pic_flag"; then
+        # Only do commands if we really have different PIC objects.
+        reload_objs="$libobjs"
+        output="$libobj"
+        eval cmds=\"$reload_cmds\"
+        IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+        for cmd in $cmds; do
+          IFS="$save_ifs"
+          $show "$cmd"
+          $run eval "$cmd" || exit $?
+        done
+        IFS="$save_ifs"
+      else
+        # Just create a symlink.
+        $show "$LN_S $obj $libobj"
+        $run $LN_S $obj $libobj || exit $?
+      fi
+
+      exit 0
+      ;;
+
+    # Anything else should be a program.
+    *)
+      if test -n "$vinfo"; then
+        $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+      fi
+
+      if test -n "$release"; then
+        $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath; do
+          if test -n "$hardcode_libdir_flag_spec"; then
+            if test -n "$hardcode_libdir_separator"; then
+              if test -z "$hardcode_libdirs"; then
+                # Put the magic libdir with the hardcode flag.
+                hardcode_libdirs="$libdir"
+                libdir="@HARDCODE_LIBDIRS@"
+              else
+                # Just accumulate the unique libdirs.
+		case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+		*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		  ;;
+		*)
+		  hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		  ;;
+		esac
+                libdir=
+              fi
+            fi
+
+            if test -n "$libdir"; then
+              eval flag=\"$hardcode_libdir_flag_spec\"
+
+              compile_command="$compile_command $flag"
+              finalize_command="$finalize_command $flag"
+            fi
+          elif test -n "$runpath_var"; then
+            case "$perm_rpath " in
+            *" $libdir "*) ;;
+            *) perm_rpath="$perm_rpath $libdir" ;;
+            esac
+          fi
+	done
+      fi
+
+      # Substitute the hardcoded libdirs into the compile commands.
+      if test -n "$hardcode_libdir_separator"; then
+	compile_command=`$echo "X$compile_command" | $Xsed -e "s%@HARDCODE_LIBDIRS@%$hardcode_libdirs%g"`
+	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@HARDCODE_LIBDIRS@%$hardcode_libdirs%g"`
+      fi
+
+      output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+      if test "X$output_objdir" = "X$output"; then
+        output_objdir="$objdir"
+      else
+        output_objdir="$output_objdir/$objdir"
+      fi
+
+      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+        # Transform all the library objects into standard objects.
+        compile_command=`$echo "X$compile_command " | $Xsed -e "$los2o" -e 's/ $//'`
+        finalize_command=`$echo "X$finalize_command " | $Xsed -e "$los2o" -e 's/ $//'`
+      fi
+
+      if test "$export_dynamic" = yes && test -n "$NM" && test -n "$global_symbol_pipe"; then
+        dlsyms="${outputname}S.c"
+      else
+        dlsyms=
+      fi
+
+      if test -n "$dlsyms"; then
+        case "$dlsyms" in
+        "") ;;
+        *.c)
+          if test -z "$export_symbols"; then
+            # Add our own program objects to the preloaded list.
+            dlprefiles=`$echo "X$objs$dlprefiles " | $Xsed -e "$los2o" -e 's/ $//'`
+          fi
+
+          # Discover the nlist of each of the dlfiles.
+          nlist="$objdir/${output}.nm"
+
+	  if test -d $objdir; then
+	    $show "$rm $nlist ${nlist}T"
+	    $run $rm "$nlist" "${nlist}T"
+	  else
+	    $show "$mkdir $objdir"
+	    $run $mkdir $objdir
+	    status=$?
+	    if test $status -ne 0 && test ! -d $objdir; then
+	      exit $status
+	    fi
+	  fi
+
+          # Parse the name list into a source file.
+          $show "creating $objdir/$dlsyms"
+
+          $echo > "$objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define dld_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+          if test -n "$export_symbols"; then
+	    sed -e 's/^\(.*\)/\1 \1/' < "$export_symbols" > "$nlist"
+          fi
+
+          for arg in $dlprefiles; do
+	    $show "extracting global C symbols from \`$arg'"
+	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+          done
+
+          if test -z "$run"; then
+	    # Make sure we at least have an empty file.
+	    test -f "$nlist" || : > "$nlist"
+
+	    # Try sorting and uniquifying the output.
+	    if sort "$nlist" | uniq > "$nlist"T; then
+	      mv -f "$nlist"T "$nlist"
+	    else
+	      $rm "$nlist"T
+	    fi
+
+	    if test -f "$nlist"; then
+	      sed -e 's/^.* \(.*\)$/extern char \1;/' < "$nlist" >> "$output_objdir/$dlsyms"
+  	    else
+	      echo '/* NONE */' >> "$output_objdir/$dlsyms"
+  	    fi
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+
+#undef dld_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define __ptr_t void *
+#else
+# define __ptr_t char *
+#endif
+
+/* The mapping between symbol names and symbols. */
+struct {
+  char *name;
+  __ptr_t address;
+}
+dld_preloaded_symbols[] =
+{\
+"
+
+            if test -n "$export_symbols"; then
+              echo >> "$objdir/$dlsyms" "\
+  {\"${output}\", (__ptr_t) 0},"
+	      sed 's/^\(.*\)/  {"\1", (__ptr_t) \&\1},/' < "$export_symbols" >> "$objdir/$dlsyms"
+            fi
+
+            for arg in $dlprefiles; do
+	      name=`echo "$arg" | sed -e 's%^.*/%%'`
+              echo >> "$objdir/$dlsyms" "\
+  {\"$name\", (__ptr_t) 0},"
+	      eval "$NM $arg | $global_symbol_pipe > '$nlist'"
+
+	      if test -f "$nlist"; then
+	        sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> "$objdir/$dlsyms"
+	      else
+		echo '/* NONE */' >> "$output_objdir/$dlsyms"
+	      fi
+
+            done
+
+	    if test -f "$nlist"; then
+	      sed 's/^\(.*\) \(.*\)$/  {"\1", (__ptr_t) \&\2},/' < "$nlist" >> "$output_objdir/$dlsyms"
+	    fi
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+  {0, (__ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif\
+"
+          fi
+
+          # Now compile the dynamic symbol file.
+          $show "(cd $objdir && $C_compiler -c$no_builtin_flag \"$dlsyms\")"
+          $run eval '(cd $objdir && $C_compiler -c$no_builtin_flag "$dlsyms")' || exit $?
+
+          # Transform the symbol file into the correct name.
+          compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$objdir/${output}S.${objext}%"`
+          finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$objdir/${output}S.${objext}%"`
+	  ;;
+        *)
+          $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+          exit 1
+          ;;
+        esac
+      elif test "$export_dynamic" != yes; then
+        test -n "$dlfiles$dlprefiles" && $echo "$modename: warning: \`-dlopen' and \`-dlpreopen' are ignored without \`-export-dynamic'" 1>&2
+      else
+        # We keep going just in case the user didn't refer to
+        # dld_preloaded_symbols.  The linker will fail if global_symbol_pipe
+        # really was required.
+        $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+
+        # Nullify the symbol file.
+        compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+        finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+      fi
+
+      if test -z "$link_against_libtool_libs" || test "$build_libtool_libs" != yes; then
+        # Replace the output file specification.
+        compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+        finalize_command=`$echo "X$finalize_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+
+        # We have no uninstalled library dependencies, so finalize right now.
+        $show "$compile_command"
+        $run eval "$compile_command"
+        exit $?
+      fi
+
+      # Replace the output file specification.
+      compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+      finalize_command=`$echo "X$finalize_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'T%g'`
+
+      # Create the binary in the object directory, then wrap it.
+      if test ! -d $output_objdir; then
+        $show "$mkdir $output_objdir"
+	$run $mkdir $output_objdir
+	status=$?
+	if test $status -ne 0 && test ! -d $objdir; then
+	  exit $status
+	fi
+      fi
+
+      if test -n "$shlibpath_var"; then
+        # We should set the shlibpath_var
+        rpath=
+        for dir in $temp_rpath; do
+          case "$dir" in
+          /* | [A-Za-z]:[/\\]*)
+            # Absolute path.
+            rpath="$rpath$dir:"
+            ;;
+          *)
+            # Relative path: add a thisdir entry.
+            rpath="$rpath\$thisdir/$dir:"
+            ;;
+          esac
+        done
+        temp_rpath="$rpath"
+      fi
+
+      # Delete the old output file.
+      $run $rm $output
+
+      if test -n "$compile_shlibpath"; then
+        compile_command="$shlibpath_var=\"$compile_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+        finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      if test -n "$runpath_var" && test -n "$perm_rpath"; then
+        # We should set the runpath_var.
+        rpath=
+        for dir in $perm_rpath; do
+          rpath="$rpath$dir:"
+        done
+        compile_command="$runpath_var=\"$rpath\$$runpath_var\" $compile_command"
+        finalize_command="$runpath_var=\"$rpath\$$runpath_var\" $finalize_command"
+      fi
+
+      if test "$hardcode_action" = relink; then
+        # AGH! Flame the AIX and HP-UX people for me, will ya?
+        $echo "$modename: warning: this platform doesn\'t like uninstalled shared libraries" 1>&2
+        $echo "$modename: \`$output' will be relinked during installation" 1>&2
+      fi
+
+      $show "$compile_command"
+      $run eval "$compile_command" || exit $?
+
+      # Now create the wrapper script.
+      $show "creating $output"
+
+      # Quote the finalize command for shipping.
+      finalize_command=`$echo "X$finalize_command" | $Xsed -e "$sed_quote_subst"`
+
+      # Quote $echo for shipping.
+      if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+	case "$0" in
+	/* | [A-Za-z]:[/\\]*) qecho="$SHELL $0 --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+	esac
+	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+      else
+        qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if our run command is non-null.
+      if test -z "$run"; then
+        $rm $output
+        trap "$rm $output; exit 1" 1 2 15
+
+        $echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test \"\${CDPATH+set}\" = set; then CDPATH=; export CDPATH; fi
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variables:
+  link_against_libtool_libs='$link_against_libtool_libs'
+  finalize_command=\"cd `pwd | sed -e $sed_quote_subst`; $finalize_command\"
+else
+  # When we are sourced in execute mode, \$file and \$echo are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    echo=\"$qecho\"
+    file=\"\$0\"
+    # Make sure echo works.
+    if test \"X\$1\" = X--no-reexec; then
+      # Discard the --no-reexec flag, and continue.
+      shift
+    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+      # Yippee, \$echo works!
+      :
+    else
+      # Restart under the correct shell, and then maybe \$echo will work.
+      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+    fi
+  fi\
+"
+        $echo >> $output "\
+
+  # Find the directory that this script lives in.
+  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | sed -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      /* | [A-Za-z]:[/\\]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
+      esac
+    fi
+
+    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | sed -n 's/.*-> //p'\`
+  done
+
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+
+  progdir=\"\$thisdir/$objdir\"
+  program='$outputname'
+
+  if test -f \"\$progdir/\$program\"; then"
+
+        # Export our shlibpath_var if we have one.
+        if test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+          $echo >> $output "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/:*\$//'\`
+
+    export $shlibpath_var
+"
+        fi
+
+        $echo >> $output "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+
+      # Export the path to the program.
+      PATH=\"\$progdir:\$PATH\"
+      export PATH
+
+      exec \$program \${1+\"\$@\"}
+
+      \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+      exit 1
+    fi
+  else
+    # The program doesn't exist.
+    \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+    \$echo \"This script is just a wrapper for \$program.\" 1>&2
+    echo \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit 1
+  fi
+fi\
+"
+        chmod +x $output
+      fi
+      exit 0
+      ;;
+    esac
+
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
+
+      if test "$build_libtool_libs" = convenience; then
+	oldobjs="$libobjs"
+	addlibs="$convenience"
+	build_libtool_libs=no
+      else
+	oldobjs="$objs"`$echo "X$libobjs " | $Xsed -e 's/[^   ]*\.'${libext}' //g' -e 's/[^   ]*\.lib //g' -e "$los2o" -e 's/ $//g'`
+	addlibs="$old_convenience"
+      fi
+
+      # Add in members from convenience archives.
+      for xlib in $addlibs; do
+	# Extract the objects.
+	xdir="$xlib"x
+	generated="$generated $xdir"
+	xlib=`echo "$xlib" | $Xsed -e 's%^.*/%%'`
+
+	$show "${rm}r $xdir"
+	$run ${rm}r "$xdir"
+	$show "mkdir $xdir"
+	$run mkdir "$xdir"
+	status=$?
+	if test $status -ne 0 && test ! -d "$xdir"; then
+	  exit $status
+	fi
+	$show "(cd $xdir && $AR x ../$xlib)"
+	$run eval "(cd \$xdir && $AR x ../\$xlib)" || exit $?
+
+	oldobjs="$oldobjs `echo $xdir/*`"
+      done
+
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+	eval cmds=\"$old_archive_from_new_cmds\"
+      else
+	eval cmds=\"$old_archive_cmds\"
+      fi
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+        IFS="$save_ifs"
+        $show "$cmd"
+        $run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$generated"; then
+      $show "${rm}r$generated"
+      $run ${rm}r$generated
+    fi
+
+    # Now create the libtool archive.
+    case "$output" in
+    *.la)
+      old_library=
+      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      $show "creating $output"
+
+      # Only create the output if not a dry run.
+      if test -z "$run"; then
+        $echo > $output "\
+# $output - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION
+
+# The name that we can dlopen(3).
+dlname='$dlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=no
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'\
+"
+      fi
+
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      $show "(cd $output_objdir && $LN_S ../$outputname $outputname)"
+      $run eval "(cd $output_objdir && $LN_S ../$outputname $outputname)" || exit $?
+      ;;
+    esac
+    exit 0
+    ;;
+
+  # libtool install mode
+  install)
+    modename="$modename: install"
+
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh; then
+      # Aesthetically quote it.
+      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$arg "
+      arg="$1"
+      shift
+    else
+      install_prog=
+      arg="$nonopt"
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+    case "$arg" in
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      arg="\"$arg\""
+      ;;
+    esac
+    install_prog="$install_prog$arg"
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=no
+    stripme=
+    for arg
+    do
+      if test -n "$dest"; then
+        files="$files $dest"
+        dest="$arg"
+        continue
+      fi
+
+      case "$arg" in
+      -d) isdir=yes ;;
+      -f) prev="-f" ;;
+      -g) prev="-g" ;;
+      -m) prev="-m" ;;
+      -o) prev="-o" ;;
+      -s)
+        stripme=" -s"
+        continue
+        ;;
+      -*) ;;
+
+      *)
+        # If the previous option needed an argument, then skip it.
+        if test -n "$prev"; then
+          prev=
+        else
+          dest="$arg"
+          continue
+        fi
+        ;;
+      esac
+
+      # Aesthetically quote the argument.
+      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$install_prog $arg"
+    done
+
+    if test -z "$install_prog"; then
+      $echo "$modename: you must specify an install program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prev' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -z "$files"; then
+      if test -z "$dest"; then
+        $echo "$modename: no file or destination specified" 1>&2
+      else
+        $echo "$modename: you must specify a destination" 1>&2
+      fi
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Strip any trailing slash from the destination.
+    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=yes
+    if test "$isdir" = yes; then
+      destdir="$dest"
+      destname=
+    else
+      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+      test "X$destdir" = "X$dest" && destdir=.
+      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files
+      if test $# -gt 2; then
+        $echo "$modename: \`$dest' is not a directory" 1>&2
+        $echo "$help" 1>&2
+        exit 1
+      fi
+    fi
+    case "$destdir" in
+    /* | [A-Za-z]:[/\\]*) ;;
+    *)
+      for file in $files; do
+        case "$file" in
+        *.lo) ;;
+        *)
+          $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+          $echo "$help" 1>&2
+          exit 1
+          ;;
+        esac
+      done
+      ;;
+    esac
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
+
+      # Do each installation.
+      case "$file" in
+      *.a | *.lib)
+        # Do the static libraries later.
+        staticlibs="$staticlibs $file"
+        ;;
+
+      *.la)
+        # Check to see that this really is a libtool archive.
+        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+        else
+          $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+          $echo "$help" 1>&2
+          exit 1
+        fi
+
+        library_names=
+        old_library=
+        # If there is no directory component, then add one.
+        case "$file" in
+        */* | *\\*) . $file ;;
+        *) . ./$file ;;
+        esac
+
+        # Add the libdir to current_libdirs if it is the destination.
+        if test "X$destdir" = "X$libdir"; then
+          case "$current_libdirs " in
+          *" $libdir "*) ;;
+          *) current_libdirs="$current_libdirs $libdir" ;;
+          esac
+        else
+          # Note the libdir as a future libdir.
+          case "$future_libdirs " in
+          *" $libdir "*) ;;
+          *) future_libdirs="$future_libdirs $libdir" ;;
+          esac
+        fi
+
+        dir="`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/"
+        test "X$dir" = "X$file/" && dir=
+        dir="$dir$objdir"
+
+        # See the names of the shared library.
+        set dummy $library_names
+        if test -n "$2"; then
+          realname="$2"
+          shift
+          shift
+
+          # Install the shared library and build the symlinks.
+          $show "$install_prog $dir/$realname $destdir/$realname"
+          $run eval "$install_prog $dir/$realname $destdir/$realname" || exit $?
+          test "X$dlname" = "X$realname" && dlname=
+
+          if test $# -gt 0; then
+            # Delete the old symlinks, and create new ones.
+            for linkname
+            do
+              test "X$dlname" = "X$linkname" && dlname=
+	      if test "$linkname" != "$realname"; then
+		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+	      fi
+            done
+          fi
+
+          if test -n "$dlname"; then
+            # Install the dynamically-loadable library.
+            $show "$install_prog $dir/$dlname $destdir/$dlname"
+            $run eval "$install_prog $dir/$dlname $destdir/$dlname" || exit $?
+          fi
+
+          # Do each command in the postinstall commands.
+          lib="$destdir/$realname"
+          eval cmds=\"$postinstall_cmds\"
+          IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+          for cmd in $cmds; do
+            IFS="$save_ifs"
+            $show "$cmd"
+            $run eval "$cmd" || exit $?
+          done
+          IFS="$save_ifs"
+        fi
+
+        # Install the pseudo-library for information purposes.
+        name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	instname="$dir/$name"i
+	$show "Creating $instname"
+	$rm "$instname"
+	sed 's/^installed=no$/installed=yes/' "$file" > "$instname"
+        $show "$install_prog $instname $destdir/$name"
+        $run eval "$install_prog $instname $destdir/$name" || exit $?
+	$show "$rm $instname"
+	$rm "$instname"
+
+        # Maybe install the static library, too.
+        test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+        ;;
+
+      *.lo)
+        # Install (i.e. copy) a libtool object.
+
+        # Figure out destination file name, if it wasn't already specified.
+        if test -n "$destname"; then
+          destfile="$destdir/$destname"
+        else
+          destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+          destfile="$destdir/$destfile"
+        fi
+
+        # Deduce the name of the destination old-style object file.
+        case "$destfile" in
+        *.lo)
+          staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+          ;;
+        *.o | *.obj)
+          staticdest="$destfile"
+          destfile=
+          ;;
+        *)
+          $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+          $echo "$help" 1>&2
+          exit 1
+          ;;
+        esac
+
+        # Install the libtool object if requested.
+        if test -n "$destfile"; then
+          $show "$install_prog $file $destfile"
+          $run eval "$install_prog $file $destfile" || exit $?
+        fi
+
+        # Install the old object if enabled.
+        if test "$build_old_libs" = yes; then
+          # Deduce the name of the old-style object file.
+          staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+          $show "$install_prog $staticobj $staticdest"
+          $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+        fi
+        exit 0
+        ;;
+
+      *)
+        # Figure out destination file name, if it wasn't already specified.
+        if test -n "$destname"; then
+          destfile="$destdir/$destname"
+        else
+          destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+          destfile="$destdir/$destfile"
+        fi
+
+        # Do a test to see if this is really a libtool program.
+        if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+          link_against_libtool_libs=
+          finalize_command=
+
+          # If there is no directory component, then add one.
+          case "$file" in
+          */* | *\\*) . $file ;;
+          *) . ./$file ;;
+          esac
+
+          # Check the variables that should have been set.
+          if test -z "$link_against_libtool_libs" || test -z "$finalize_command"; then
+            $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
+            exit 1
+          fi
+
+          finalize=yes
+          for lib in $link_against_libtool_libs; do
+            # Check to see that each library is installed.
+            libdir=
+            if test -f "$lib"; then
+              # If there is no directory component, then add one.
+              case "$lib" in
+              */* | *\\*) . $lib ;;
+              *) . ./$lib ;;
+              esac
+            fi
+            libfile="$libdir/`$echo "X$lib" | $Xsed -e 's%^.*/%%g'`"
+            if test -n "$libdir" && test ! -f "$libfile"; then
+              $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+              finalize=no
+            fi
+          done
+
+          if test "$hardcode_action" = relink; then
+            if test "$finalize" = yes; then
+              $echo "$modename: warning: relinking \`$file' on behalf of your buggy system linker" 1>&2
+              $show "$finalize_command"
+              if $run eval "$finalize_command"; then :
+              else
+                $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+                continue
+              fi
+              file="$objdir/$file"T
+            else
+              $echo "$modename: warning: cannot relink \`$file' on behalf of your buggy system linker" 1>&2
+            fi
+          else
+            # Install the binary that we compiled earlier.
+	    file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+          fi
+        fi
+
+        $show "$install_prog$stripme $file $destfile"
+        $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+        ;;
+      esac
+    done
+
+    for file in $staticlibs; do
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+      # Set up the ranlib parameters.
+      oldlib="$destdir/$name"
+
+      $show "$install_prog $file $oldlib"
+      $run eval "$install_prog \$file \$oldlib" || exit $?
+
+      # Do each command in the postinstall commands.
+      eval cmds=\"$old_postinstall_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+        IFS="$save_ifs"
+        $show "$cmd"
+        $run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$future_libdirs"; then
+      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+    fi
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      test -n "$run" && current_libdirs=" -n$current_libdirs"
+      exec $SHELL $0 --finish$current_libdirs
+      exit 1
+    fi
+
+    exit 0
+    ;;
+
+  # libtool finish mode
+  finish)
+    modename="$modename: finish"
+    libdirs="$nonopt"
+    admincmds=
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for dir
+      do
+        libdirs="$libdirs $dir"
+      done
+
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  eval cmds=\"$finish_cmds\"
+          IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+          for cmd in $cmds; do
+            IFS="$save_ifs"
+            $show "$cmd"
+            $run eval "$cmd" || admincmds="$admincmds
+       $cmd"
+          done
+          IFS="$save_ifs"
+	fi
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $run eval "$cmds" || admincmds="$admincmds
+       $cmds"
+	fi
+      done
+    fi
+
+    # Exit here if they wanted silent mode.
+    test "$show" = : && exit 0
+
+    echo "----------------------------------------------------------------------"
+    echo "Libraries have been installed in:"
+    for libdir in $libdirs; do
+      echo "   $libdir"
+    done
+    echo
+    echo "To link against installed libraries in a given directory, LIBDIR,"
+    echo "you must use the \`-LLIBDIR' flag during linking."
+    echo
+    echo " You will also need to do at least one of the following:"
+    if test -n "$shlibpath_var"; then
+      echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+      echo "     during execution"
+    fi
+    if test -n "$runpath_var"; then
+      echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+      echo "     during linking"
+    fi
+    if test -n "$hardcode_libdir_flag_spec"; then
+      libdir=LIBDIR
+      eval flag=\"$hardcode_libdir_flag_spec\"
+
+      echo "   - use the \`$flag' linker flag"
+    fi
+    if test -n "$admincmds"; then
+      echo "   - have your system administrator run these commands:$admincmds"
+    fi
+    if test -f /etc/ld.so.conf; then
+      echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+    fi
+    echo
+    echo "See any operating system documentation about shared libraries for"
+    echo "more information, such as the ld(1) and ld.so(8) manual pages."
+    echo "----------------------------------------------------------------------"
+    exit 0
+    ;;
+
+  # libtool execute mode
+  execute)
+    modename="$modename: execute"
+
+    # The first argument is the command name.
+    cmd="$nonopt"
+    if test -z "$cmd"; then
+      $echo "$modename: you must specify a COMMAND" 1>&2
+      $echo "$help"
+      exit 1
+    fi
+
+    # Handle -dlopen flags immediately.
+    for file in $execute_dlfiles; do
+      if test ! -f "$file"; then
+	$echo "$modename: \`$file' is not a file" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+      fi
+
+      dir=
+      case "$file" in
+      *.la)
+        # Check to see that this really is a libtool archive.
+        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+        else
+          $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+          $echo "$help" 1>&2
+          exit 1
+        fi
+
+	# Read the libtool library.
+	dlname=
+	library_names=
+
+        # If there is no directory component, then add one.
+	case "$file" in
+	*/* | *\\*) . $file ;;
+        *) . ./$file ;;
+	esac
+
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+	  continue
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+
+	if test -f "$dir/$objdir/$dlname"; then
+	  dir="$dir/$objdir"
+	else
+	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	  exit 1
+	fi
+	;;
+
+      *.lo)
+	# Just add the directory containing the .lo file.
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+	;;
+
+      *)
+	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+        continue
+	;;
+      esac
+
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir="$absdir"
+
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
+
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic="$magic"
+
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case "$file" in
+      -*) ;;
+      *)
+        # Do a test to see if this is really a libtool program.
+        if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	fi
+        ;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+      args="$args \"$file\""
+    done
+
+    if test -z "$run"; then
+      # Export the shlibpath_var.
+      eval "export $shlibpath_var"
+
+      # Restore saved enviroment variables
+      if test "${save_LC_ALL+set}" = set; then
+        LC_ALL="$save_LC_ALL"; export LC_ALL
+      fi
+      if test "${save_LANG+set}" = set; then
+        LANG="$save_LANG"; export LANG
+      fi
+
+      # Now actually exec the command.
+      eval "exec \$cmd$args"
+
+      $echo "$modename: cannot exec \$cmd$args"
+      exit 1
+    else
+      # Display what would be done.
+      eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+      $echo "export $shlibpath_var"
+      $echo "$cmd$args"
+      exit 0
+    fi
+    ;;
+
+  # libtool uninstall mode
+  uninstall)
+    modename="$modename: uninstall"
+    rm="$nonopt"
+    files=
+
+    for arg
+    do
+      case "$arg" in
+      -*) rm="$rm $arg" ;;
+      *) files="$files $arg" ;;
+      esac
+    done
+
+    if test -z "$rm"; then
+      $echo "$modename: you must specify an RM program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    for file in $files; do
+      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+      test "X$dir" = "X$file" && dir=.
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+      rmfiles="$file"
+
+      case "$name" in
+      *.la)
+        # Possibly a libtool archive, so verify it.
+        if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+          . $dir/$name
+
+          # Delete the libtool libraries and symlinks.
+          for n in $library_names; do
+            rmfiles="$rmfiles $dir/$n"
+            test "X$n" = "X$dlname" && dlname=
+          done
+          test -n "$dlname" && rmfiles="$rmfiles $dir/$dlname"
+          test -n "$old_library" && rmfiles="$rmfiles $dir/$old_library"
+
+	  $show "$rm $rmfiles"
+	  $run $rm $rmfiles
+
+	  if test -n "$library_names"; then
+	    # Do each command in the postuninstall commands.
+	    eval cmds=\"$postuninstall_cmds\"
+	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      $show "$cmd"
+	      $run eval "$cmd"
+	    done
+	    IFS="$save_ifs"
+	  fi
+
+          if test -n "$old_library"; then
+	    # Do each command in the old_postuninstall commands.
+	    eval cmds=\"$old_postuninstall_cmds\"
+	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      $show "$cmd"
+	      $run eval "$cmd"
+	    done
+	    IFS="$save_ifs"
+	  fi
+
+          # FIXME: should reinstall the best remaining shared library.
+        fi
+        ;;
+
+      *.lo)
+        if test "$build_old_libs" = yes; then
+          oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
+          rmfiles="$rmfiles $dir/$oldobj"
+        fi
+	$show "$rm $rmfiles"
+	$run $rm $rmfiles
+        ;;
+
+      *)
+      	$show "$rm $rmfiles"
+	$run $rm $rmfiles
+	;;
+      esac
+    done
+    exit 0
+    ;;
+
+  "")
+    $echo "$modename: you must specify a MODE" 1>&2
+    $echo "$generic_help" 1>&2
+    exit 1
+    ;;
+  esac
+
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$generic_help" 1>&2
+  exit 1
+fi # test -z "$show_help"
+
+# We need to display help for each of the modes.
+case "$mode" in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+    --config          show all configuration variables
+    --debug           enable verbose shell tracing
+-n, --dry-run         display commands without modifying any files
+    --features        display basic configuration information and exit
+    --finish          same as \`--mode=finish'
+    --help            display this help message and exit
+    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
+    --quiet           same as \`--silent'
+    --silent          don't print informational messages
+    --version         print version information
+
+MODE must be one of the following:
+
+      compile         compile a source file into a libtool object
+      execute         automatically set library path, then run a program
+      finish          complete the installation of libtool libraries
+      install         install libraries or executables
+      link            create a library or an executable
+      uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE."
+  exit 0
+  ;;
+
+compile)
+  $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+  -static           always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+  ;;
+
+execute)
+  $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+  -dlopen FILE      add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+  ;;
+
+finish)
+  $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges.  Use
+the \`--dry-run' option if you just want to see what would be executed."
+  ;;
+
+install)
+  $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command.  The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+  ;;
+
+link)
+  $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+  -all-static       do not do any dynamic linking at all
+  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to dld_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -static           do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+                    specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename.  Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created, only
+library objects (\`.lo' files) may be specified, and \`-rpath' is required.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+  ;;
+
+uninstall)
+  $echo
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+*)
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+  ;;
+esac
+
+echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/crypto/heimdal/missing b/crypto/heimdal/missing
new file mode 100644
index 0000000..bdf90f5
--- /dev/null
+++ b/crypto/heimdal/missing
@@ -0,0 +1,2 @@
+#! /bin/sh
+# This is a silly file that automake needs
diff --git a/crypto/heimdal/mkinstalldirs b/crypto/heimdal/mkinstalldirs
new file mode 100755
index 0000000..018b680
--- /dev/null
+++ b/crypto/heimdal/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 1996/10/22 22:25:14 joda Exp $
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp" 1>&2
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/crypto/kerberosIV/admin/adm_locl.h b/crypto/kerberosIV/admin/adm_locl.h
index 9a41b4b..8004d0a 100644
--- a/crypto/kerberosIV/admin/adm_locl.h
+++ b/crypto/kerberosIV/admin/adm_locl.h
@@ -32,6 +32,7 @@
  */
 
 /* $Id: adm_locl.h,v 1.17 1999/12/02 16:58:27 joda Exp $ */
+/* $FreeBSD$ */
 
 #ifndef __adm_locl_h
 #define __adm_locl_h
@@ -77,7 +78,7 @@
 
 #include <roken.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <krb_db.h>
 #include <kdc.h>
diff --git a/crypto/kerberosIV/appl/afsutil/kstring2key.c b/crypto/kerberosIV/appl/afsutil/kstring2key.c
index c0c76ae..70246f9 100644
--- a/crypto/kerberosIV/appl/afsutil/kstring2key.c
+++ b/crypto/kerberosIV/appl/afsutil/kstring2key.c
@@ -30,6 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
+/* $FreeBSD$ */
 
 #include "config.h"
 
@@ -42,7 +43,7 @@ RCSID("$Id: kstring2key.c,v 1.16 1999/12/02 16:58:28 joda Exp $");
 
 #include <roken.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 
 #define VERIFY 0
diff --git a/crypto/kerberosIV/appl/bsd/bsd_locl.h b/crypto/kerberosIV/appl/bsd/bsd_locl.h
index e39bc36..19285e9 100644
--- a/crypto/kerberosIV/appl/bsd/bsd_locl.h
+++ b/crypto/kerberosIV/appl/bsd/bsd_locl.h
@@ -32,9 +32,12 @@
  */
 
 /* $Id: bsd_locl.h,v 1.111 1999/12/02 16:58:28 joda Exp $ */
+/* $FreeBSD$ */
 
 #define LOGALL
+#ifndef KERBEROS
 #define KERBEROS
+#endif
 #define KLOGIN_PARANOID
 #define LOGIN_ACCESS
 #define PASSWD_FALLBACK
@@ -267,7 +270,7 @@ struct tm *localtime(const time_t *);
 struct hostent  *gethostbyname(const char *);
 #endif
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <kafs.h>
 
@@ -287,10 +290,12 @@ int krcmd_mutual(char **ahost, u_int16_t rport, char *remuser,
 
 int klogin(struct passwd *pw, char *instance, char *localhost, char *password);
 
+#if 0
 typedef struct {
         int cnt;
         char *buf;
 } BUF;
+#endif
 
 char *colon(char *cp);
 int okname(char *cp0);
@@ -327,10 +332,6 @@ int login_access(struct passwd *user, char *from);
 void fatal(int f, const char *msg, int syserr);
 
 extern int LEFT_JUSTIFIED;
-int des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
-int des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
 
 /* used in des_read and des_write */
 #define DES_RW_MAXWRITE	(1024*16)
diff --git a/crypto/kerberosIV/appl/bsd/pathnames.h b/crypto/kerberosIV/appl/bsd/pathnames.h_
index 671f663..6db8f68 100644
--- a/crypto/kerberosIV/appl/bsd/pathnames.h
+++ b/crypto/kerberosIV/appl/bsd/pathnames.h_
@@ -32,6 +32,7 @@
  *
  *	from: @(#)pathnames.h	5.2 (Berkeley) 4/9/90
  *	$Id: pathnames.h,v 1.25 1998/02/03 23:29:30 assar Exp $
+ * $FreeBSD$
  */
 
 /******* First fix default path, we stick to _PATH_DEFPATH everywhere */
diff --git a/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h b/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h
index 49c2b2f..c0d6cae 100644
--- a/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h
+++ b/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h
@@ -32,6 +32,7 @@
  */
 
 /* $Id: ftp_locl.h,v 1.34 1999/12/02 16:58:29 joda Exp $ */
+/* $FreeBSD$ */
 
 #ifndef __FTP_LOCL_H__
 #define __FTP_LOCL_H__
@@ -129,7 +130,7 @@ struct hostent  *gethostbyname(const char *);
 
 #include "roken.h"
 #include "security.h"
-#include <des.h> /* for des_read_pw_string */
+#include <openssl/des.h> /* for des_read_pw_string */
 
 #if defined(__sun__) && !defined(__svr4)
 int fclose(FILE*);
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c b/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c
index d3c9a6a..518b5bf 100644
--- a/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c
+++ b/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c
@@ -29,6 +29,8 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
+ * $FreeBSD$
  */
 
 #define	FTP_NAMES
@@ -243,8 +245,6 @@ main(int argc, char **argv)
 
     int optind = 0;
 
-    set_progname (argv[0]);
-
 #ifdef KRB4
     /* detach from any tickets and tokens */
     {
@@ -786,7 +786,7 @@ int do_login(int code, char *passwd)
 		  "%s: anonymous/%s",
 		  remotehost,
 		  passwd);
-	setproctitle(proctitle);
+	setproctitle("%s", proctitle);
 #endif /* HAVE_SETPROCTITLE */
 	if (logging) {
 	    char data_addr[256];
@@ -807,7 +807,7 @@ int do_login(int code, char *passwd)
 	reply(code, "User %s logged in.", pw->pw_name);
 #ifdef HAVE_SETPROCTITLE
 	snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);
-	setproctitle(proctitle);
+	setproctitle("%s", proctitle);
 #endif /* HAVE_SETPROCTITLE */
 	if (logging) {
 	    char data_addr[256];
@@ -1782,7 +1782,7 @@ dolog(struct sockaddr *sa)
 	inaddr2str (sin->sin_addr, remotehost, sizeof(remotehost));
 #ifdef HAVE_SETPROCTITLE
 	snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
-	setproctitle(proctitle);
+	setproctitle("%s", proctitle);
 #endif /* HAVE_SETPROCTITLE */
 
 	if (logging) {
diff --git a/crypto/kerberosIV/appl/kauth/kauthd.c b/crypto/kerberosIV/appl/kauth/kauthd.c
index 8dae4d0..d0b61ec 100644
--- a/crypto/kerberosIV/appl/kauth/kauthd.c
+++ b/crypto/kerberosIV/appl/kauth/kauthd.c
@@ -1,3 +1,5 @@
+/* $FreeBSD$ */
+
 /*
  * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
@@ -33,7 +35,7 @@
 
 #include "kauth.h"
 
-RCSID("$Id: kauthd.c,v 1.25 1999/12/02 16:58:31 joda Exp $");
+RCSID("$Id: kauthd.c,v 1.25.2.1 2000/06/28 19:07:58 assar Exp $");
 
 krb_principal princ;
 static char locuser[SNAME_SZ];
@@ -128,7 +130,7 @@ doit(int sock)
      if( kuserok(&auth, locuser) != 0) {
 	 snprintf(buf, sizeof(buf), "%s cannot get tickets for %s",
 		  locuser, krb_unparse_name(&princ));
-	 syslog (LOG_ERR, buf);
+	 syslog (LOG_ERR, "%s", buf);
 	 write_encrypted (sock, buf, strlen(buf), schedule,
 			  &auth.session, &thisaddr, &thataddr);
 	 return 1;
@@ -136,7 +138,7 @@ doit(int sock)
      passwd = k_getpwnam (locuser);
      if (passwd == NULL) {
 	  snprintf (buf, sizeof(buf), "No user '%s'", locuser);
-	  syslog (LOG_ERR, buf);
+	  syslog (LOG_ERR, "%s", buf);
 	  write_encrypted (sock, buf, strlen(buf), schedule,
 			   &auth.session, &thisaddr, &thataddr);
 	  return 1;
@@ -145,7 +147,7 @@ doit(int sock)
 	 initgroups(passwd->pw_name, passwd->pw_gid) ||
 	 setuid(passwd->pw_uid)) {
 	  snprintf (buf, sizeof(buf), "Could not change user");
-	  syslog (LOG_ERR, buf);
+	  syslog (LOG_ERR, "%s", buf);
 	  write_encrypted (sock, buf, strlen(buf), schedule,
 			   &auth.session, &thisaddr, &thataddr);
 	  return 1;
@@ -182,7 +184,7 @@ doit(int sock)
 	  return 0;
      } else {
 	  snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status));
-	  syslog (LOG_NOTICE, buf);
+	  syslog (LOG_NOTICE, "%s", buf);
 	  write_encrypted (sock, buf, strlen(buf), schedule,
 			   &auth.session, &thisaddr, &thataddr);
 	  return 1;
diff --git a/crypto/kerberosIV/appl/kauth/ksrvtgt.in b/crypto/kerberosIV/appl/kauth/ksrvtgt.in
index c2f33bb..7a520fd 100644
--- a/crypto/kerberosIV/appl/kauth/ksrvtgt.in
+++ b/crypto/kerberosIV/appl/kauth/ksrvtgt.in
@@ -1,5 +1,6 @@
 #! /bin/sh
 # $Id: ksrvtgt.in,v 1.3 1997/09/13 03:39:03 joda Exp $
+# $FreeBSD$
 
 usage="Usage: `basename $0` name instance [[realm] srvtab]"
 
@@ -8,7 +9,7 @@ if [ $# -lt 2 -o $# -gt 4 ]; then
 	exit 1
 fi
 
-srvtab="${4-${3-/etc/srvtab}}"
+srvtab="${4-${3-/etc/kerberosIV/srvtab}}"
 realm="${4+@$3}"
 
 %bindir%/kauth -n "$1.$2$realm" -l 5 -f "$srvtab"
diff --git a/crypto/kerberosIV/appl/kip/kipd.c b/crypto/kerberosIV/appl/kip/kipd.c
index 429f815..f0e74c9 100644
--- a/crypto/kerberosIV/appl/kip/kipd.c
+++ b/crypto/kerberosIV/appl/kip/kipd.c
@@ -1,3 +1,5 @@
+/* $FreeBSD$ */
+
 /*
  * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
@@ -42,7 +44,7 @@ fatal (int fd, char *s)
 
      write (fd, &err, sizeof(err));
      write (fd, s, strlen(s)+1);
-     syslog(LOG_ERR, s);
+     syslog(LOG_ERR, "%s", s);
      return err;
 }
 
diff --git a/crypto/kerberosIV/appl/sample/sample_server.c b/crypto/kerberosIV/appl/sample/sample_server.c
index 5442562..65b61ae 100644
--- a/crypto/kerberosIV/appl/sample/sample_server.c
+++ b/crypto/kerberosIV/appl/sample/sample_server.c
@@ -1,3 +1,5 @@
+/* $FreeBSD$ */
+
 /*
  *
  * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
@@ -18,7 +20,7 @@
 
 #include "sample.h"
 
-RCSID("$Id: sample_server.c,v 1.14 1999/11/13 06:28:49 assar Exp $");
+RCSID("$Id: sample_server.c,v 1.14.2.1 2000/06/28 19:08:00 assar Exp $");
 
 static void
 usage (void)
@@ -108,7 +110,7 @@ main(int argc, char **argv)
 	snprintf(retbuf, sizeof(retbuf),
 		 "Kerberos error: %s\n",
 		 krb_get_err_text(status));
-	syslog(LOG_ERR, retbuf);
+	syslog(LOG_ERR, "%s", retbuf);
     } else {
 	/* Check the version string (KRB_SENDAUTH_VLEN chars) */
 	if (strncmp(version, SAMPLE_VERSION, KRB_SENDAUTH_VLEN)) {
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c b/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c
index a24bfa7..ec13b3f 100644
--- a/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c
@@ -30,6 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
+/* $FreeBSD$ */
 
 #include <config.h>
 
@@ -50,7 +51,7 @@ RCSID("$Id: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $");
 #include "encrypt.h"
 #include "misc-proto.h"
 
-#include <des.h>
+#include <openssl/des.h>
 
 extern int encrypt_debug_mode;
 
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c
index b5c0953..0dade62 100644
--- a/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c
@@ -30,6 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
+/* $FreeBSD$ */
 
 /*
  * Copyright (C) 1990 by the Massachusetts Institute of Technology
@@ -65,7 +66,7 @@ RCSID("$Id: kerberos.c,v 1.45 1999/03/13 21:18:55 assar Exp $");
 #include <arpa/telnet.h>
 #endif
 #include <stdio.h>
-#include <des.h>	/* BSD wont include this in krb.h, so we do it here */
+#include <openssl/des.h>	/* BSD wont include this in krb.h, so we do it here */
 #include <krb.h>
 #include <pwd.h>
 #include <stdlib.h>
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c b/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c
index ee1eee2..9e66d6f 100644
--- a/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c
@@ -30,6 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
+/* $FreeBSD$ */
 
 #include <config.h>
 
@@ -74,7 +75,7 @@ RCSID("$Id: krb4encpwd.c,v 1.17 1998/07/09 23:16:29 assar Exp $");
 #include <pwd.h>
 #include <stdio.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h
index 5ad5bd8..82402b5 100644
--- a/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h
+++ b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h
@@ -32,6 +32,7 @@
  *
  *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
  */
+/* $FreeBSD$ */
 
 
 #include <config.h>
@@ -166,7 +167,7 @@ struct hostent  *gethostbyname(const char *);
 #endif
 
 #ifdef KRB4
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #endif
 
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi
index 82820e3..7898dff 100644
--- a/crypto/kerberosIV/doc/kth-krb.texi
+++ b/crypto/kerberosIV/doc/kth-krb.texi
@@ -1,6 +1,7 @@
 \input texinfo @c -*- texinfo -*-
 @c %**start of header
 @c $Id: kth-krb.texi,v 1.80 1999/12/02 16:58:35 joda Exp $
+@c $FreeBSD$
 @setfilename kth-krb.info
 @settitle KTH-KRB
 @iftex
diff --git a/crypto/kerberosIV/doc/otp.texi b/crypto/kerberosIV/doc/otp.texi
deleted file mode 100644
index 0a5929f..0000000
--- a/crypto/kerberosIV/doc/otp.texi
+++ /dev/null
@@ -1,127 +0,0 @@
-@node  One-Time Passwords, Resolving frequent problems, How to set up a realm, Top
-@chapter One-Time Passwords
-
-@cindex OTP
-@cindex One time passwords
-There is also support for using @dfn{one time passwords} (OTP) in this
-package.  Specifically @code{login}, @code{ftpd}, and @code{popper} have
-support for using them.
-
-@menu
-* What are one time passwords?::  
-* When to use one time passwords?::  
-* Configuring OTPs::            
-@end menu
-
-@node  What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords
-@comment  node-name,  next,  previous,  up
-@section What are one time passwords?
-
-One time passwords are, as the name implies, passwords that can only
-be used once.  This means that even if someone is eavesdropping on the
-network, they will not be able to make use of the passwords they steal.
-
-The OTPs used in this package support @cite{RFC 1938}.  This standard is
-also backwards compatible with the well-known S/Key.  There are lots of
-programs for generating these on everything from HP 48's to Crays.
-@cindex S/Key
-
-@node  When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords
-@comment  node-name,  next,  previous,  up
-@section When to use one time passwords?
-
-Why would you want to use OTPs instead of Kerberos?  The advantage of
-OTPs is that they don't require a computer to operate.  You can print
-out a list of passwords and take with you, or you could use your
-calculator or hand-held computer to generate them.
-
-The downside is that they only protect you against passive attacks.
-Only the initial connection is authenticated.  After that, anyone can
-eavesdrop on your session, so you should not send or view any sensitive
-data (e.g. passwords) over a OTP-initiated link.  You are also
-vulnerable to active attacks where intruders try to take over your
-TCP-session and/or introduce data in the middle of it.  In other words,
-they provide initial authentication, but neither integrity nor
-confidentiality.
-
-The OTPs are generated from the tuple (@var{seed}, @var{sequence
-number}, @var{pass-phrase}).  The seed and the sequence number will be
-printed as part of the @dfn{challenge} and you will have to generate the
-corresponding password or pick it from a list.
-
-In conclusion, they are simple and can be used everywhere but don't
-protect against all threats that Kerberos does.  Use them when you can't
-use Kerberos.
-
-@node  Configuring OTPs,  , When to use one time passwords?, One-Time Passwords
-@comment  node-name,  next,  previous,  up
-@section Configuring OTPs
-
-@heading Initializing
-
-To initialize your OTPs use the @code{otp} program.  This program will
-write an entry in a local file on this host with your current password
-(in this case the 100th) and the corresponding seed (@samp{foobar}).
-@pindex otp
-
-@example
-@cartouche
-datan:>otp 100 foobar
-Pass-phrase: <pass-phrase>
-Verifying password Pass-phrase: <pass-phrase>
-@end cartouche
-@end example
-
-@heading Generating
-
-To print out a list of them there is a program called
-@code{otpprint}.
-@pindex otpprint
-
-@example
-@cartouche
-datan:>otpprint 100 foobar
-Pass-phrase: <pass-phrase>
-91: SLAM BUY SUP DUSK SKY BEST
-92: DEEM SIGH ROB RASH JUG MAT
-93: DUET FISK HERS AREA TOLL SUP
-94: WOW RAIN LEAK SARA MARK WING
-95: COG YELL MILK CART ABE BAWL
-96: GROW SILK GIST OMEN CAM ANNE
-97: JAG QUAD NUT BEAT BHOY MAGI
-98: ADAM USED GENE NIP EYE SIS
-99: MY SUNG HERO AT DASH RAKE
-100: CORN KNIT BOTH TOGO SOUL BOG
-@end cartouche
-@end example
-
-@heading Using the OTPs
-
-When you try to use one and have initialized a series of
-one-time passwords for yourself you will get a challenge with the
-algorithm being used, the sequence number, and the seed.  Enter those in
-your generator or find the corresponding password in your list.
-
-@example
-@cartouche
-login: assar
-assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE>
-@end cartouche
-@end example
-
-The sequence number of the password will start at one less that the
-number you gave to @code{otp} and decrease by one every time you use it.
-You should try to keep track of which should be the current one so that
-you can be assured that nobody has stolen some of your passwords and
-used them.  When the number has reached zero you need to acquire a new
-series of passwords.
-
-Once you have initialized your series of passwords, you can always use
-them at any password prompt where you get the challenge as shown above.
-
-@heading Configuring servers
-
-@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to
-require one-time passwords when the connection has not been kerberos
-authenticated.  Check the man pages for these programs for the correct
-options.
diff --git a/crypto/kerberosIV/include/ktypes.c b/crypto/kerberosIV/include/ktypes.c
deleted file mode 100644
index eb6ad48..0000000
--- a/crypto/kerberosIV/include/ktypes.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-RCSID("$Id: ktypes.c,v 1.4 1997/05/31 08:52:09 bg Exp $");
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-#include <sys/bitypes.h>
-#endif
-#ifdef HAVE_BIND_BITYPES_H
-#include <bind/bitypes.h>
-#endif
-#ifdef HAVE_NETINET_IN6_MACHTYPES_H
-#include <netinet/in6_machtypes.h>
-#endif
-
-int
-main(void)
-{
-    printf ("/*\n"
-	    " * This file was automatically generated by\n"
-	    " * $Id: ktypes.c,v 1.4 1997/05/31 08:52:09 bg Exp $.\n"
-	    " * Please do not edit\n"
-	    " */\n\n");
-
-    printf ("#ifndef __KTYPES_H__\n"
-	    "#define __KTYPES_H__\n\n");
-
-#ifdef HAVE_SYS_TYPES_H
-    printf("#include <sys/types.h>\n");
-#endif
-#ifdef HAVE_SYS_BITYPES_H
-    printf("#include <sys/bitypes.h>\n");
-#endif
-#ifdef HAVE_BIND_BITYPES_H
-    printf("#include <bind/bitypes.h>\n");
-#endif
-#ifdef HAVE_NETINET_IN6_MACHTYPES_H
-    printf("#include <netinet/in6_machtypes.h>\n");
-#endif
-    
-#ifndef HAVE_INT8_T
-    printf("typedef signed char int8_t;\n");
-#endif
-#ifndef HAVE_U_INT8_T
-    printf("typedef unsigned char u_int8_t;\n");
-#endif
-#ifndef HAVE_INT16_T
-    printf("typedef short int16_t;\n");
-#endif
-#ifndef HAVE_U_INT16_T
-    printf("typedef unsigned short u_int16_t;\n");
-#endif
-#ifndef HAVE_INT32_T
-    printf("typedef int int32_t;\n");
-#endif
-#ifndef HAVE_U_INT32_T
-    printf("typedef unsigned int u_int32_t;\n");
-#endif
-
-    printf("\n#endif /* __KTYPES_H__ */\n");
-    return 0;
-}
diff --git a/crypto/kerberosIV/include/protos.h b/crypto/kerberosIV/include/protos.h
deleted file mode 100644
index 0ceb122..0000000
--- a/crypto/kerberosIV/include/protos.h
+++ /dev/null
@@ -1,276 +0,0 @@
-/* -*- C -*-
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Add here functions that don't have a prototype on your system.
- *
- * $Id: protos.H,v 1.43 1997/05/28 01:09:36 assar Exp $
- */
-
-#ifdef NEED_CRYPT_PROTO
-char *crypt(const char*, const char*);
-#endif
-
-#ifdef NEED_STRTOK_R_PROTO
-char *strtok_r (char *s1, const char *s2, char **lasts);
-#endif
-
-#ifndef HAVE_OPTARG_DECLARATION
-extern char *optarg;
-#endif
-#ifndef HAVE_OPTERR_DECLARATION
-extern int opterr;
-#endif
-#ifndef HAVE_OPTIND_DECLARATION
-extern int optind;
-#endif
-#ifndef HAVE_OPTOPT_DECLARATION
-extern int optopt;
-#endif
-
-#if defined(__GNUC__) && SunOS == 4
-
-/* To get type fd_set */
-#include <sys/types.h>
-#include <sys/time.h>
-
-/* To get struct sockaddr, struct in_addr and struct hostent */
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-
-/* To get struct stat */
-#include <sys/stat.h>
-
-/* To get struct utimbuf */
-#include <utime.h>
-
-int utime(const char *, struct utimbuf *);
-int syscall(int, ...);
-pid_t getpid(void);
-int ftruncate(int, off_t);
-int fchmod(int, mode_t);
-int fchown(int fd, int owner, int group);
-int fsync(int);
-int seteuid(uid_t);
-int setreuid(int, int);
-int flock(int, int);
-int gettimeofday(struct timeval *tp, struct timezone *tzp);
-int lstat(const char *, struct stat *);
-int ioctl(int, int, void *); 
-int getpriority(int which, int who);
-int setpriority(int which, int who, int priority);
-int getdtablesize(void);
-int initgroups(const char *name, int basegid);
-long ulimit(int cmd, long newlimit);
-int vhangup(void);
-
-int sigblock(int);
-int sigsetmask(int);
-int setitimer(int which, struct itimerval *value, struct itimerval *ovalue);
-
-int munmap(caddr_t addr, int len);
-
-int socket(int, int, int);
-int setsockopt(int, int, int, void *, int);
-int bind(int, void *, int);
-int getsockname(int, struct sockaddr *, int *);
-int accept(int, struct sockaddr *, int *);
-int connect(int, struct sockaddr *, int);
-int listen(int, int);
-int recv(int s, void *buf, int len, int flags);
-int recvfrom(int, char *, int, int, void *, int *);
-int sendto(int, const char *, int, int, void *, int);
-int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
-int shutdown(int, int);
-int getpeername(int, struct sockaddr *, int *);
-int getsockopt(int, int, int, void *, int *);
-int send(int s, const void *msg, int len, int flags);
-struct strbuf;
-int getmsg(int fd, struct strbuf *ctlptr, struct strbuf *dataptr, int *flags);
-
-char *inet_ntoa(struct in_addr in);
-unsigned long inet_addr(const char *cp);
-int gethostname(char *, int);
-struct hostent *gethostbyname(const char *);
-int dn_expand(const u_char *msg,
-	      const u_char *eomorig,
-	      const u_char *comp_dn,
-	      char *exp_dn,
-	      int length);
-int res_search(const char *dname,
-	       int class,
-	       int type,
-	       u_char *answer,
-	       int anslen);
-
-int yp_get_default_domain (char **outdomain);
-int innetgr(const char *netgroup, const char *machine,
-	    const char *user, const char *domain);
-
-char *getwd(char *pathname);
-
-void bzero(char *b, int length);
-int strcasecmp(const char *, const char *);
-void swab(const char *, char *, int);
-int atoi(const char *str);
-char *mktemp(char *);
-void srandom(int seed);
-int random(void);
-
-int rcmd(char **, unsigned short, char *, char *, char *, int *);
-int rresvport(int *);
-int openlog(const char *ident, int logopt, int facility);
-int syslog(int priority, const char *message, ...);
-int ttyslot(void);
-
-char *getpass(const char *);
-
-char *getusershell(void);
-void setpwent();
-void endpwent();
-
-#include <stdio.h>
-int fclose(FILE *);
-
-#endif /* SunOS4 */
-
-#if SunOS == 5
-
-#include <sys/types.h>
-#include <sys/resource.h>
-
-char *getusershell(void);
-char *strtok_r(char *, const char *, char **);
-int getpriority (int which, id_t who);
-int setpriority (int which, id_t who, int prio);
-int getdtablesize (void);
-char *getusershell(void);
-void setusershell(void);
-void endusershell(void);
-
-#if defined(__GNUC__)
-
-int syscall(int, ...);
-int gethostname(char *, int);
-
-struct timeval;
-int gettimeofday(struct timeval *tp, void *);
-
-#endif
-#endif
-
-#if defined(__osf__) /* OSF/1 */
-
-#if 0
-/* To get type fd_set */
-#include <sys/types.h>
-#include <sys/time.h>
-
-int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
-int fsync(int fildes);
-int gethostname(char *address, int address_len);
-int setreuid(int ruid, int euid);
-int ioctl(int d, unsigned long request, void * arg);
-#endif
-int flock(int fildes, int operation);
-int syscall(int, ...);
-
-unsigned short htons(unsigned short hostshort);
-unsigned int   htonl(unsigned int hostint);
-unsigned short ntohs(unsigned short netshort);
-unsigned int   ntohl(unsigned int netint);
-
-char *mktemp(char *template);
-char *getusershell(void);
-
-int rcmd(char **, unsigned short, char *, char *, char *, int *);
-int rresvport (int *port);
-
-#endif /* OSF/1 */
-
-#if defined(__sgi)
-#include <sys/types.h>
-
-char *ptsname(int fd);
-struct spwd *getspuid(uid_t);
-#endif /* IRIX */
-
-#if defined(__GNUC__) && defined(_AIX) /* AIX */
-
-struct timeval;
-struct timezone;
-int gettimeofday (struct timeval *Tp, void *Tzp);
-
-#endif /* AIX */
-
-#if defined(__GNUC__) && defined(__hpux) /* HP-UX */
-
-int syscall(int, ...);
-
-int vhangup(void);
-
-char *ptsname(int fildes);
-
-void utmpname(const char *file);
-
-int innetgr(const char *netgroup, const char *machine,
-	    const char *user, const char *domain);
-
-int dn_comp(char *exp_dn, char *comp_dn, int length,
-	    char **dnptrs, char **lastdnptr);
-
-int res_query(char *dname, int class, int type,
-	      unsigned char *answer, int anslen);
-
-int dn_expand(char *msg, char *eomorig, char *comp_dn,
-	      char *exp_dn, int length);
-
-int res_search(char *dname, int class, int type,
-	       unsigned char *answer, int anslen);
-
-#endif /* HP-UX */
-
-#if defined(WIN32)	/* Visual C++ 4.0 (Windows95/NT) */
-
-int open(const char *, int, ...);
-int close(int);
-int	read(int, void *, unsigned int);
-int write(int, const void *, unsigned int);
-
-#endif /* WIN32 */
diff --git a/crypto/kerberosIV/include/sys/cdefs.H b/crypto/kerberosIV/include/sys/cdefs.H
deleted file mode 100644
index 196d476..0000000
--- a/crypto/kerberosIV/include/sys/cdefs.H
+++ /dev/null
@@ -1,149 +0,0 @@
-/* -*- C -*-
- *
- * ++Copyright++ 1991, 1993
- * -
- * Copyright (c) 1991, 1993
- *    The Regents of the University of California.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-
-/*
- *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.H,v 1.2 1995/09/10 20:18:56 d91-jda Exp $
- */
-
-#ifndef	_CDEFS_H_
-#define	_CDEFS_H_
-
-#if defined(__cplusplus)
-#define	__BEGIN_DECLS	extern "C" {
-#define	__END_DECLS	};
-#else
-#define	__BEGIN_DECLS
-#define	__END_DECLS
-#endif
-
-/*
- * The __CONCAT macro is used to concatenate parts of symbol names, e.g.
- * with "#define OLD(foo) __CONCAT(old,foo)", OLD(foo) produces oldfoo.
- * The __CONCAT macro is a bit tricky -- make sure you don't put spaces
- * in between its arguments.  __CONCAT can also concatenate double-quoted
- * strings produced by the __STRING macro, but this only works with ANSI C.
- */
-#if defined(__STDC__) || defined(__cplusplus)
-#ifndef __P /* it's quite popular to define this */
-#define	__P(protos)	protos		/* full-blown ANSI C */
-#endif
-#define	__CONCAT(x,y)	x ## y
-#define	__STRING(x)	#x
-
-#define	__const		const		/* define reserved names to standard */
-#define	__signed	signed
-#define	__volatile	volatile
-#if defined(__cplusplus)
-#define	__inline	inline		/* convert to C++ keyword */
-#else
-#ifndef __GNUC__
-#define	__inline			/* delete GCC keyword */
-#endif /* !__GNUC__ */
-#endif /* !__cplusplus */
-
-#else	/* !(__STDC__ || __cplusplus) */
-#ifndef __P
-#define	__P(protos)	()		/* traditional C preprocessor */
-#endif
-#define	__CONCAT(x,y)	x/**/y
-#define	__STRING(x)	"x"
-
-#ifndef __GNUC__
-#define	__const				/* delete pseudo-ANSI C keywords */
-#define	__inline
-#define	__signed
-#define	__volatile
-/*
- * In non-ANSI C environments, new programs will want ANSI-only C keywords
- * deleted from the program and old programs will want them left alone.
- * When using a compiler other than gcc, programs using the ANSI C keywords
- * const, inline etc. as normal identifiers should define -DNO_ANSI_KEYWORDS.
- * When using "gcc -traditional", we assume that this is the intent; if
- * __GNUC__ is defined but __STDC__ is not, we leave the new keywords alone.
- */
-#ifndef	NO_ANSI_KEYWORDS
-#define	const				/* delete ANSI C keywords */
-#define	inline
-#define	signed
-#define	volatile
-#endif
-#endif	/* !__GNUC__ */
-#endif	/* !(__STDC__ || __cplusplus) */
-
-/*
- * GCC1 and some versions of GCC2 declare dead (non-returning) and
- * pure (no side effects) functions using "volatile" and "const";
- * unfortunately, these then cause warnings under "-ansi -pedantic".
- * GCC2 uses a new, peculiar __attribute__((attrs)) style.  All of
- * these work for GNU C++ (modulo a slight glitch in the C++ grammar
- * in the distribution version of 2.5.5).
- */
-#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
-#define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
-#if defined(__GNUC__) && !defined(__STRICT_ANSI__)
-#define	__dead		__volatile
-#define	__pure		__const
-#endif
-#endif
-
-/* Delete pseudo-keywords wherever they are not available or needed. */
-#ifndef __dead
-#define	__dead
-#define	__pure
-#endif
-
-#endif /* !_CDEFS_H_ */
diff --git a/crypto/kerberosIV/kadmin/kadm_locl.h b/crypto/kerberosIV/kadmin/kadm_locl.h
index 960c564..98d07ae 100644
--- a/crypto/kerberosIV/kadmin/kadm_locl.h
+++ b/crypto/kerberosIV/kadmin/kadm_locl.h
@@ -32,6 +32,7 @@
  */
 
 /* $Id: kadm_locl.h,v 1.31 1999/12/02 16:58:36 joda Exp $ */
+/* $FreeBSD$ */
 
 #include "config.h"
 #include "protos.h"
@@ -111,7 +112,7 @@ struct hostent  *gethostbyname(const char *);
 #include <com_err.h>
 #include <sl.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <krb_err.h>
 #include <krb_db.h>
diff --git a/crypto/kerberosIV/kadmin/kpasswd_standalone.c b/crypto/kerberosIV/kadmin/kpasswd_standalone.c
new file mode 100644
index 0000000..7e072ba
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kpasswd_standalone.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * Copyright.MIT.
+ *
+ * change your password with kerberos
+ */
+
+#ifndef	lint
+#if 0
+static char rcsid_kpasswd_c[] =
+    "BonesHeader: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kpasswd.c,v 4.3 89/09/26 09:33:02 jtkohl Exp ";
+#endif
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif	lint
+
+/*
+ * kpasswd
+ * change your password with kerberos
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <com_err.h>
+#include <err.h>
+#include <krb.h>
+#include <string.h>
+#include <pwd.h>
+#include <unistd.h>
+#include "kadm.h"
+
+#include "extern.h"
+
+extern void krb_set_tkt_string();
+static void go_home(char *, int);
+
+
+int krb_passwd(char *uname, char *iflag, char *rflag, char *uflag)
+{
+    char name[ANAME_SZ];	/* name of user */
+    char inst[INST_SZ];		/* instance of user */
+    char realm[REALM_SZ];	/* realm of user */
+    char default_name[ANAME_SZ];
+    char default_inst[INST_SZ];
+    char default_realm[REALM_SZ];
+    int realm_given = 0;	/* True if realm was give on cmdline */
+    int use_default = 1;	/* True if we should use default name */
+    struct passwd *pw;
+    int status;			/* return code */
+    des_cblock new_key;
+    extern char *optarg;
+    extern int optind;
+    char tktstring[MAXPATHLEN];
+
+    void get_pw_new_key();
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else
+#define read_long_pw_string des_read_pw_string
+#endif
+    int read_long_pw_string();
+
+    bzero(name, sizeof(name));
+    bzero(inst, sizeof(inst));
+    bzero(realm, sizeof(realm));
+
+    if (krb_get_tf_fullname(TKT_FILE, default_name, default_inst,
+			    default_realm) != KSUCCESS) {
+	pw = getpwuid((int) getuid());
+	if (pw) {
+		strcpy(default_name, pw->pw_name);
+	} else {
+	    /* seems like a null name is kinda silly */
+		strcpy(default_name, "");
+	}
+	strcpy(default_inst, "");
+	if (krb_get_lrealm(default_realm, 1) != KSUCCESS)
+	    strcpy(default_realm, KRB_REALM);
+    }
+
+    if(uflag) {
+	    if ((status = kname_parse(name, inst, realm, uflag))) {
+		    errx(2, "Kerberos error: %s", krb_err_txt[status]);
+	    }
+	    if (realm[0])
+		realm_given++;
+	    else
+		if (krb_get_lrealm(realm, 1) != KSUCCESS)
+		    strcpy(realm, KRB_REALM);
+    }
+
+    if(uname) {
+	    if (k_isname(uname)) {
+		    strncpy(name, uname, sizeof(name) - 1);
+	    } else {
+		    errx(1, "bad name: %s", uname);
+	    }
+    }
+
+    if(iflag) {
+	    if (k_isinst(iflag)) {
+		    strncpy(inst, iflag, sizeof(inst) - 1);
+	    } else {
+		    errx(1, "bad instance: %s", iflag);
+	    }
+    }
+
+    if(rflag) {
+	    if (k_isrealm(rflag)) {
+		    strncpy(realm, rflag, sizeof(realm) - 1);
+		    realm_given++;
+	    } else {
+		    errx(1, "bad realm: %s", rflag);
+	    }
+    }
+
+    if(uname || iflag || rflag || uflag) use_default = 0;
+
+    if (use_default) {
+	strcpy(name, default_name);
+	strcpy(inst, default_inst);
+	strcpy(realm, default_realm);
+    } else {
+	if (!name[0])
+	    strcpy(name, default_name);
+	if (!realm[0])
+	    strcpy(realm, default_realm);
+    }
+
+    (void) sprintf(tktstring, "/tmp/tkt_cpw_%d",getpid());
+    krb_set_tkt_string(tktstring);
+
+    get_pw_new_key(new_key, name, inst, realm, realm_given);
+
+    if ((status = kadm_init_link("changepw", KRB_MASTER, realm))
+	!= KADM_SUCCESS)
+	com_err("kpasswd", status, "while initializing");
+    else if ((status = kadm_change_pw(new_key)) != KADM_SUCCESS)
+	com_err("kpasswd", status, " attempting to change password.");
+
+    if (status != KADM_SUCCESS)
+	fprintf(stderr,"Password NOT changed.\n");
+    else
+	printf("Password changed.\n");
+
+    (void) dest_tkt();
+    if (status)
+	exit(2);
+    else
+	exit(0);
+}
+
+void get_pw_new_key(new_key, name, inst, realm, print_realm)
+  des_cblock new_key;
+  char *name;
+  char *inst;
+  char *realm;
+  int print_realm;		/* True if realm was give on cmdline */
+{
+    char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+    char pword[MAX_KPW_LEN];	               /* storage for the password */
+    char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+
+    char local_realm[REALM_SZ];
+    int status;
+
+    /*
+     * We don't care about failure; this is to determine whether or
+     * not to print the realm in the prompt for a new password.
+     */
+    (void) krb_get_lrealm(local_realm, 1);
+
+    if (strcmp(local_realm, realm))
+	print_realm++;
+
+    (void) sprintf(ppromp,"Old password for %s%s%s%s%s:",
+		   name, *inst ? "." : "", inst,
+		   print_realm ? "@" : "", print_realm ? realm : "");
+    if (read_long_pw_string(pword, sizeof(pword)-1, ppromp, 0)) {
+	fprintf(stderr, "Error reading old password.\n");
+	exit(1);
+    }
+
+    if ((status = krb_get_pw_in_tkt(name, inst, realm, PWSERV_NAME,
+				    KADM_SINST, 1, pword)) != KSUCCESS) {
+	if (status == INTK_BADPW) {
+	    printf("Incorrect old password.\n");
+	    exit(0);
+	}
+	else {
+	    fprintf(stderr, "Kerberos error: %s\n", krb_err_txt[status]);
+	    exit(1);
+	}
+    }
+    bzero(pword, sizeof(pword));
+    do {
+	(void) sprintf(npromp,"New Password for %s%s%s%s%s:",
+		       name, *inst ? "." : "", inst,
+		       print_realm ? "@" : "", print_realm ? realm : "");
+	if (read_long_pw_string(pword, sizeof(pword)-1, npromp, 1))
+	    go_home("Error reading new password, password unchanged.\n",0);
+	if (strlen(pword) == 0)
+	    printf("Null passwords are not allowed; try again.\n");
+    } while (strlen(pword) == 0);
+
+#ifdef NOENCRYPTION
+    bzero((char *) new_key, sizeof(des_cblock));
+    new_key[0] = (unsigned char) 1;
+#else
+    (void) des_string_to_key(pword, (des_cblock *)new_key);
+#endif
+    bzero(pword, sizeof(pword));
+}
+
+static void
+go_home(str,x)
+  char *str;
+  int x;
+{
+    fprintf(stderr, str, x);
+    (void) dest_tkt();
+    exit(1);
+}
diff --git a/crypto/kerberosIV/kuser/kinit.c b/crypto/kerberosIV/kuser/kinit.c
index 8aa5544..96c0e4f 100644
--- a/crypto/kerberosIV/kuser/kinit.c
+++ b/crypto/kerberosIV/kuser/kinit.c
@@ -15,6 +15,8 @@
  *   -v[erbose]
  *   -l[ifetime]
  *   -p
+ *
+ * $FreeBSD$
  */
 
 #include "kuser_locl.h"
diff --git a/crypto/kerberosIV/lib/kadm/kadm_err.et b/crypto/kerberosIV/lib/kadm/kadm_err.et
index 7a247c5..097e87c 100644
--- a/crypto/kerberosIV/lib/kadm/kadm_err.et
+++ b/crypto/kerberosIV/lib/kadm/kadm_err.et
@@ -7,6 +7,8 @@
 #
 # Kerberos administration server error table
 #
+# $FreeBSD$
+#
 	et	kadm
 
 # KADM_SUCCESS, as all success codes should be, is zero
diff --git a/crypto/kerberosIV/lib/kadm/kadm_locl.h b/crypto/kerberosIV/lib/kadm/kadm_locl.h
index 709a224..6740709 100644
--- a/crypto/kerberosIV/lib/kadm/kadm_locl.h
+++ b/crypto/kerberosIV/lib/kadm/kadm_locl.h
@@ -32,6 +32,7 @@
  */
 
 /* $Id: kadm_locl.h,v 1.12 1999/12/02 16:58:39 joda Exp $ */
+/* $FreeBSD$ */
 
 #include "config.h"
 #include "protos.h"
@@ -69,7 +70,7 @@ struct hostent  *gethostbyname(const char *);
 
 #include <roken.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <krb_err.h>
 #include <krb_db.h>
diff --git a/crypto/kerberosIV/lib/kafs/kafs.h b/crypto/kerberosIV/lib/kafs/kafs.h
index 0fb969e..cb4b000 100644
--- a/crypto/kerberosIV/lib/kafs/kafs.h
+++ b/crypto/kerberosIV/lib/kafs/kafs.h
@@ -32,6 +32,7 @@
  */
 
 /* $Id: kafs.h,v 1.32 1999/12/02 16:58:40 joda Exp $ */
+/* $FreeBSD$ */
 
 #ifndef __KAFS_H
 #define __KAFS_H
diff --git a/crypto/kerberosIV/lib/kdb/kdc.h b/crypto/kerberosIV/lib/kdb/kdc.h
index f404d11..968775d 100644
--- a/crypto/kerberosIV/lib/kdb/kdc.h
+++ b/crypto/kerberosIV/lib/kdb/kdc.h
@@ -1,5 +1,6 @@
 /*
  * $Id: kdc.h,v 1.8 1997/04/01 03:59:05 assar Exp $
+ * $FreeBSD$
  *
  * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
  *
@@ -14,8 +15,8 @@
 
 /* Don't depend on this! */
 #ifndef MKEYFILE
-#if 0
-#define MKEYFILE	"/var/kerberos/master-key"
+#if 1
+#define MKEYFILE	"/etc/kerberosIV/master-key"
 #else
 #define MKEYFILE	"/.k"
 #endif
diff --git a/crypto/kerberosIV/lib/kdb/krb_db.h b/crypto/kerberosIV/lib/kdb/krb_db.h
index 1a08b83..d0fc260 100644
--- a/crypto/kerberosIV/lib/kdb/krb_db.h
+++ b/crypto/kerberosIV/lib/kdb/krb_db.h
@@ -1,5 +1,6 @@
 /*
  * $Id: krb_db.h,v 1.15 1996/12/17 20:34:32 assar Exp $ 
+ * $FreeBSD$ 
  *
  * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
  *
@@ -24,7 +25,7 @@
 #define KERB_DEFAULT_NAME	"default"
 #define KERB_DEFAULT_INST	""
 #ifndef DB_DIR
-#define DB_DIR			"/var/kerberos"
+#define DB_DIR			"/var/db/kerberos"
 #endif
 #ifndef DBM_FILE
 #define	DBM_FILE		DB_DIR "/principal"
diff --git a/crypto/kerberosIV/lib/krb/getaddrs.c b/crypto/kerberosIV/lib/krb/getaddrs.c
index d157690..c2e12b1 100644
--- a/crypto/kerberosIV/lib/krb/getaddrs.c
+++ b/crypto/kerberosIV/lib/krb/getaddrs.c
@@ -29,6 +29,8 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
+ * $FreeBSD$
  */
 
 #include "krb_locl.h"
@@ -128,7 +130,7 @@ k_get_all_addrs (struct in_addr **l)
 		      continue;
 		  (*l)[j++] = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
 	       }
-	      ifreq = *ifr;
+	      memcpy(&ifreq, ifr, sizeof(ifreq));
 	  }
      }
      if (j != num) {
diff --git a/crypto/kerberosIV/lib/krb/k_gethostname.c b/crypto/kerberosIV/lib/krb/k_gethostname.c
deleted file mode 100644
index 0f4d57f..0000000
--- a/crypto/kerberosIV/lib/krb/k_gethostname.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* 
-  Copyright (C) 1989 by the Massachusetts Institute of Technology
-
-   Export of this software from the United States of America is assumed
-   to require a specific license from the United States Government.
-   It is the responsibility of any person or organization contemplating
-   export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission.  M.I.T. makes no representations about the suitability of
-this software for any purpose.  It is provided "as is" without express
-or implied warranty.
-
-  */
-
-#include "krb_locl.h"
-RCSID("$Id: k_gethostname.c,v 1.10 1997/03/23 03:53:12 joda Exp $");
-
-#ifdef HAVE_SYS_UTSNAME_H
-#include <sys/utsname.h>
-#endif
-
-/*
- * Return the local host's name in "name", up to "namelen" characters.
- * "name" will be null-terminated if "namelen" is big enough.
- * The return code is 0 on success, -1 on failure.  (The calling
- * interface is identical to gethostname(2).)
- */
-
-int
-k_gethostname(char *name, int namelen)
-{
-#if defined(HAVE_GETHOSTNAME)
-    return gethostname(name, namelen);
-#elif defined(HAVE_UNAME)
-    {
-	struct utsname utsname;
-	int ret;
-
-	ret = uname (&utsname);
-	if (ret < 0)
-	    return ret;
-	strncpy (name, utsname.nodename, namelen);
-	name[namelen-1] = '\0';
-	return 0;
-    }
-#else
-    strncpy (name, "some.random.host", namelen);
-    name[namelen-1] = '\0';
-    return 0;
-#endif
-}
diff --git a/crypto/kerberosIV/lib/krb/krb.h b/crypto/kerberosIV/lib/krb/krb.h
index fca0bba..6f7386f 100644
--- a/crypto/kerberosIV/lib/krb/krb.h
+++ b/crypto/kerberosIV/lib/krb/krb.h
@@ -1,5 +1,6 @@
 /*
  * $Id: krb.h,v 1.99 1999/11/16 14:02:47 bg Exp $
+ * $FreeBSD$
  *
  * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
  *
@@ -14,7 +15,7 @@
 #define signed
 #endif
 
-#include <ktypes.h>
+#include <sys/types.h>
 #include <time.h>
 
 #ifndef __KRB_H__
@@ -47,7 +48,7 @@ __BEGIN_DECLS
 #if !defined(NOPROTO) && !defined(__STDC__)
 #define NOPROTO
 #endif
-#include <des.h>
+#include <openssl/des.h>
 
 /* CNS compatibility ahead! */
 #ifndef KRB_INT32
@@ -92,19 +93,19 @@ extern const char *krb_err_txt[MAX_KRB_ERRORS];
 
 /* /etc/kerberosIV is only for backwards compatibility, don't use it! */
 #ifndef KRB_CONF
-#define KRB_CONF	"/etc/krb.conf"
+#define KRB_CONF	"/etc/kerberosIV/krb.conf"
 #endif
 #ifndef KRB_RLM_TRANS
-#define KRB_RLM_TRANS   "/etc/krb.realms"
+#define KRB_RLM_TRANS   "/etc/kerberosIV/krb.realms"
 #endif
 #ifndef KRB_CNF_FILES
-#define KRB_CNF_FILES	{ KRB_CONF,   "/etc/kerberosIV/krb.conf", 0}
+#define KRB_CNF_FILES	{ KRB_CONF,   "/etc/krb.conf", 0}
 #endif
 #ifndef KRB_RLM_FILES
-#define KRB_RLM_FILES	{ KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0}
+#define KRB_RLM_FILES	{ KRB_RLM_TRANS, "/etc/krb.realms", 0}
 #endif
 #ifndef KRB_EQUIV
-#define KRB_EQUIV	"/etc/krb.equiv"
+#define KRB_EQUIV	"/etc/kerberosIV/krb.equiv"
 #endif
 #define KRB_MASTER	"kerberos"
 #ifndef KRB_REALM
diff --git a/crypto/kerberosIV/lib/krb/lsb_addr_comp.h b/crypto/kerberosIV/lib/krb/lsb_addr_comp.h
deleted file mode 100644
index 21adf06..0000000
--- a/crypto/kerberosIV/lib/krb/lsb_addr_comp.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * $Id: lsb_addr_comp.h,v 1.6 1996/10/05 00:18:02 joda Exp $
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Comparison macros to emulate LSBFIRST comparison results of network
- * byte-order quantities
- */
-
-#ifndef LSB_ADDR_COMP_DEFS
-#define LSB_ADDR_COMP_DEFS
-
-/* Compare x and y in VAX byte order, result is -1, 0 or 1. */
-
-#define krb_lsb_antinet_ulong_less(x, y) (((x) == (y)) ? 0 :  krb_lsb_antinet_ulong_cmp(x, y))
-
-#define krb_lsb_antinet_ushort_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ushort_cmp(x, y))
-
-int krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y);
-int krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y);
-u_int32_t lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst);
-
-#endif /*  LSB_ADDR_COMP_DEFS */
diff --git a/crypto/kerberosIV/lib/krb/netread.c b/crypto/kerberosIV/lib/krb/netread.c
deleted file mode 100644
index cbc1bd1..0000000
--- a/crypto/kerberosIV/lib/krb/netread.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/* 
-  Copyright (C) 1989 by the Massachusetts Institute of Technology
-
-   Export of this software from the United States of America is assumed
-   to require a specific license from the United States Government.
-   It is the responsibility of any person or organization contemplating
-   export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission.  M.I.T. makes no representations about the suitability of
-this software for any purpose.  It is provided "as is" without express
-or implied warranty.
-
-  */
-
-#include "krb_locl.h"
-
-RCSID("$Id: netread.c,v 1.6 1997/03/23 03:53:15 joda Exp $");
-
-/*
- * krb_net_read() reads from the file descriptor "fd" to the buffer
- * "buf", until either 1) "len" bytes have been read or 2) cannot
- * read anymore from "fd".  It returns the number of bytes read
- * or a read() error.  (The calling interface is identical to
- * read(2).)
- *
- * XXX must not use non-blocking I/O
- */
-
-int
-krb_net_read (int fd, void *v, size_t len)
-{
-    int cc, len2 = 0;
-    char *buf = v;
-
-    do {
-	cc = read(fd, buf, len);
-	if (cc < 0)
-	    return(cc);		 /* errno is already set */
-	else if (cc == 0) {
-	    return(len2);
-	} else {
-	    buf += cc;
-	    len2 += cc;
-	    len -= cc;
-	}
-    } while (len > 0);
-    return(len2);
-}
diff --git a/crypto/kerberosIV/lib/krb/netwrite.c b/crypto/kerberosIV/lib/krb/netwrite.c
deleted file mode 100644
index 0703d91..0000000
--- a/crypto/kerberosIV/lib/krb/netwrite.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/* 
-  Copyright (C) 1989 by the Massachusetts Institute of Technology
-
-   Export of this software from the United States of America is assumed
-   to require a specific license from the United States Government.
-   It is the responsibility of any person or organization contemplating
-   export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission.  M.I.T. makes no representations about the suitability of
-this software for any purpose.  It is provided "as is" without express
-or implied warranty.
-
-  */
-
-#include "krb_locl.h"
-
-RCSID("$Id: netwrite.c,v 1.7 1997/03/23 03:53:15 joda Exp $");
-
-/*
- * krb_net_write() writes "len" bytes from "buf" to the file
- * descriptor "fd".  It returns the number of bytes written or
- * a write() error.  (The calling interface is identical to
- * write(2).)
- *
- * XXX must not use non-blocking I/O
- */
-
-int
-krb_net_write(int fd, const void *v, size_t len)
-{
-    int cc;
-    int wrlen = len;
-    const char *buf = (const char*)v;
-
-    do {
-	cc = write(fd, buf, wrlen);
-	if (cc < 0)
-	    return(cc);
-	else {
-	    buf += cc;
-	    wrlen -= cc;
-	}
-    } while (wrlen > 0);
-    return(len);
-}
diff --git a/crypto/kerberosIV/lib/krb/util.c b/crypto/kerberosIV/lib/krb/util.c
deleted file mode 100644
index 7b77bb8..0000000
--- a/crypto/kerberosIV/lib/krb/util.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Miscellaneous debug printing utilities
- */
-
-#include "krb_locl.h"
-
-RCSID("$Id: util.c,v 1.6 1996/10/05 00:18:34 joda Exp $");
-
-/*
- * Print some of the contents of the given authenticator structure
- * (AUTH_DAT defined in "krb.h").  Fields printed are:
- *
- * pname, pinst, prealm, netaddr, flags, cksum, timestamp, session
- */
-
-void
-ad_print(AUTH_DAT *x)
-{
-    /*
-     * Print the contents of an auth_dat struct.
-     */
-    struct in_addr address;
-    address.s_addr = x->address;
-    printf("\n%s %s %s %s flags %u cksum 0x%X\n\ttkt_tm 0x%X sess_key",
-           x->pname, x->pinst, x->prealm,
-           inet_ntoa(address), x->k_flags,
-           x->checksum, x->time_sec);
-    printf("[8] =");
-#ifdef NOENCRYPTION
-    placebo_cblock_print(x->session);
-#else
-    des_cblock_print_file(&x->session,stdout);
-#endif
-    /* skip reply for now */
-}
-
-/*
- * Print in hex the 8 bytes of the given session key.
- *
- * Printed format is:  " 0x { x, x, x, x, x, x, x, x }"
- */
-
-#ifdef NOENCRYPTION
-placebo_cblock_print(x)
-    des_cblock x;
-{
-    unsigned char *y = (unsigned char *) x;
-    int i = 0;
-
-    printf(" 0x { ");
-
-    while (i++ <8) {
-        printf("%x",*y++);
-        if (i<8) printf(", ");
-    }
-    printf(" }");
-}
-#endif
diff --git a/crypto/kerberosIV/lib/roken/roken.h b/crypto/kerberosIV/lib/roken/roken.h
deleted file mode 100644
index 1204e3e..0000000
--- a/crypto/kerberosIV/lib/roken/roken.h
+++ /dev/null
@@ -1,338 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the Kungliga Tekniska
- *      Högskolan and its contributors.
- * 
- * 4. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: roken.h,v 1.63 1997/05/28 05:38:09 assar Exp $ */
-
-#ifndef __ROKEN_H__
-#define __ROKEN_H__
-
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <signal.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_GRP_H
-#include <grp.h>
-#endif
-#ifdef HAVE_SYS_STAT_H
-#include <sys/stat.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-
-#ifdef HAVE_TERMIOS_H
-#include <termios.h>
-#endif
-
-#if defined(HAVE_SYS_IOCTL_H) && SunOS != 4
-#include <sys/ioctl.h>
-#endif
-
-#include "protos.h"
-
-#if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
-#define setsid _setsid
-#endif
-
-#ifndef HAVE_PUTENV
-int putenv(const char *string);
-#endif
-
-#ifndef HAVE_SETENV
-int setenv(const char *var, const char *val, int rewrite);
-#endif
-
-#ifndef HAVE_UNSETENV
-void unsetenv(const char *name);
-#endif
-
-#ifndef HAVE_GETUSERSHELL
-char *getusershell(void);
-#endif
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-#ifndef HAVE_SNPRINTF
-int snprintf (char *str, size_t sz, const char *format, ...)
-     __attribute__ ((format (printf, 3, 4)));
-#endif
-
-#ifndef HAVE_VSNPRINTF
-int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
-     __attribute__((format (printf, 3, 0)));
-#endif
-
-#ifndef HAVE_ASPRINTF
-int asprintf (char **ret, const char *format, ...)
-     __attribute__ ((format (printf, 2, 3)));
-#endif
-
-#ifndef HAVE_VASPRINTF
-int vasprintf (char **ret, const char *format, va_list ap)
-     __attribute__((format (printf, 2, 0)));
-#endif
-
-#ifndef HAVE_ASNPRINTF
-int asnprintf (char **ret, size_t max_sz, const char *format, ...)
-     __attribute__ ((format (printf, 3, 4)));
-#endif
-
-#ifndef HAVE_VASNPRINTF
-int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
-     __attribute__((format (printf, 3, 0)));
-#endif
-
-#ifndef HAVE_STRDUP
-char * strdup(const char *old);
-#endif
-
-#ifndef HAVE_STRLWR
-char * strlwr(char *);
-#endif
-
-#ifndef HAVE_STRNLEN
-int strnlen(char*, int);
-#endif
-
-#ifndef HAVE_STRTOK_R
-char *strtok_r(char *s1, const char *s2, char **lasts);
-#endif
-
-#ifndef HAVE_STRUPR
-char * strupr(char *);
-#endif
-
-#ifndef HAVE_GETDTABLESIZE
-int getdtablesize(void);
-#endif
-
-#if IRIX != 4 /* fix for compiler bug */
-#ifdef RETSIGTYPE
-typedef RETSIGTYPE (*SigAction)(/* int??? */);
-SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
-#endif
-#endif
-
-#ifndef SIG_ERR
-#define SIG_ERR ((RETSIGTYPE (*)())-1)
-#endif
-
-#if !defined(HAVE_STRERROR) && !defined(strerror)
-char *strerror(int eno);
-#endif
-
-#ifndef HAVE_HSTRERROR
-char *hstrerror(int herr);
-#endif
-
-#ifndef HAVE_H_ERRNO_DECLARATION
-extern int h_errno;
-#endif
-
-#ifndef HAVE_INET_ATON
-/* Minimal implementation of inet_aton. Doesn't handle hex numbers. */
-int inet_aton(const char *cp, struct in_addr *adr);
-#endif
-
-#if !defined(HAVE_GETCWD)
-char* getcwd(char *path, size_t size);
-#endif
-
-#ifndef HAVE_GETENT
-int getent(char *cp, char *name);
-#endif
-
-#ifdef HAVE_PWD_H
-#include <pwd.h>
-struct passwd *k_getpwnam (char *user);
-struct passwd *k_getpwuid (uid_t uid);
-#endif
-
-#ifndef HAVE_SETEUID
-int seteuid(int euid);
-#endif
-
-#ifndef HAVE_SETEGID
-int setegid(int egid);
-#endif
-
-#ifndef HAVE_LSTAT
-int lstat(const char *path, struct stat *buf);
-#endif
-
-#ifndef HAVE_MKSTEMP
-int mkstemp(char *);
-#endif
-
-#ifndef HAVE_INITGROUPS
-int initgroups(const char *name, gid_t basegid);
-#endif
-
-#ifndef HAVE_FCHOWN
-int fchown(int fd, uid_t owner, gid_t group);
-#endif
-
-#ifndef HAVE_CHOWN
-int chown(const char *path, uid_t owner, gid_t group);
-#endif
-
-#ifndef HAVE_RCMD
-int rcmd(char **ahost, unsigned short inport, const char *locuser,
-	 const char *remuser, const char *cmd, int *fd2p);
-#endif
-
-#ifdef TIME_WITH_SYS_TIME
-#include <sys/time.h>
-#include <time.h>
-#elif defined(HAVE_SYS_TIME_H)
-#include <sys/time.h>
-#else
-#include <time.h>
-#endif
-
-time_t tm2time (struct tm tm, int local);
-
-int unix_verify_user(char *user, char *password);
-
-void inaddr2str(struct in_addr addr, char *s, size_t len);
-
-void mini_inetd (int port);
-
-#ifndef HAVE_STRUCT_WINSIZE
-struct winsize {
-	unsigned short ws_row, ws_col;
-	unsigned short ws_xpixel, ws_ypixel;
-};
-#endif
-
-int get_window_size(int fd, struct winsize *);
-
-#ifndef INADDR_NONE
-#define INADDR_NONE 0xffffffff
-#endif
-
-#ifndef SOMAXCONN
-#define SOMAXCONN 5
-#endif
-
-#ifndef STDIN_FILENO
-#define STDIN_FILENO 0
-#endif
-
-#ifndef STDOUT_FILENO
-#define STDOUT_FILENO 1
-#endif
-
-#ifndef STDERR_FILENO
-#define STDERR_FILENO 2
-#endif
-
-#ifndef max
-#define max(a,b) (((a)>(b))?(a):(b))
-#endif
-
-#ifndef min
-#define min(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-
-#ifdef HAVE_SYSLOG_H
-#include <syslog.h>
-/* Misc definitions for old syslogs */
-
-#ifndef LOG_DAEMON
-#define openlog(id,option,facility) openlog((id),(option))
-#define	LOG_DAEMON	0
-#endif
-#ifndef LOG_ODELAY
-#define LOG_ODELAY 0
-#endif
-#ifndef LOG_NDELAY
-#define LOG_NDELAY 0x08
-#endif
-#ifndef LOG_CONS
-#define LOG_CONS 0
-#endif
-#ifndef LOG_AUTH
-#define LOG_AUTH 0
-#endif
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-#endif
-
-#ifndef HAVE_OPTARG_DECLARATION
-extern char *optarg;
-#endif
-#ifndef HAVE_OPTIND_DECLARATION
-extern int optind;
-#endif
-#ifndef HAVE_OPTERR_DECLARATION
-extern int opterr;
-#endif
-
-#ifndef HAVE___PROGNAME_DECLARATION
-extern const char *__progname;
-#endif
-
-void set_progname(char *argv0);
-
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-
-#ifndef _PATH_DEVNULL
-#define _PATH_DEVNULL "/dev/null"
-#endif
-
-#endif /*  __ROKEN_H__ */
diff --git a/crypto/kerberosIV/man/kerberos.3 b/crypto/kerberosIV/man/kerberos.3
index 71da54d..deff91d 100644
--- a/crypto/kerberosIV/man/kerberos.3
+++ b/crypto/kerberosIV/man/kerberos.3
@@ -1,4 +1,5 @@
 .\" $Id: kerberos.3,v 1.2 1996/06/12 21:29:18 bg Exp $
+.\" $FreeBSD$
 .\" Copyright 1989 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -13,7 +14,7 @@ krb_rd_err, krb_ck_repl \- Kerberos authentication library
 .nf
 .nj
 .ft B
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 .PP
 .ft B
diff --git a/crypto/kerberosIV/man/kinit.1 b/crypto/kerberosIV/man/kinit.1
index d8b4a27..7d05b30 100644
--- a/crypto/kerberosIV/man/kinit.1
+++ b/crypto/kerberosIV/man/kinit.1
@@ -1,4 +1,5 @@
 .\" $Id: kinit.1,v 1.4 1998/12/18 16:57:29 assar Exp $
+.\" $FreeBSD$
 .\" Copyright 1989 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
diff --git a/crypto/kerberosIV/man/kprop.8 b/crypto/kerberosIV/man/kprop.8
index 376f715..62761e5 100644
--- a/crypto/kerberosIV/man/kprop.8
+++ b/crypto/kerberosIV/man/kprop.8
@@ -1,4 +1,5 @@
 .\" $Id: kprop.8,v 1.2 1996/06/15 17:03:22 assar Exp $
+.\" $FreeBSD$
 .\"
 .Dd June 7, 1996
 .Dt KPROP 8
diff --git a/crypto/kerberosIV/man/kpropd.8 b/crypto/kerberosIV/man/kpropd.8
index d1dbd16..be46ca3 100644
--- a/crypto/kerberosIV/man/kpropd.8
+++ b/crypto/kerberosIV/man/kpropd.8
@@ -1,4 +1,5 @@
 .\" $Id: kpropd.8,v 1.2 1997/02/07 22:04:55 assar Exp $
+.\" $FreeBSD$
 .\"
 .Dd June 7, 1996
 .Dt KPROPD 8
@@ -49,11 +50,11 @@ default is
 Realm if other than the default realm.
 .It Fl s
 Srvtab if other than
-.Pa /etc/srvtab .
+.Pa /etc/kerberosIV/srvtab .
 .El
 .Sh FILES
 .Bl -tag -width indent -compact
-.It Pa /var/kerberos/principal.{db,dir,pag}
+.It Pa /var/db/kerberos/principal.{db,dir,pag}
 .It Pa /var/log/kpropd.log
 .It Pa /etc/srvtab
 .El
diff --git a/crypto/kerberosIV/man/krb_realmofhost.3 b/crypto/kerberosIV/man/krb_realmofhost.3
index ddbda74..d7c0ea6 100644
--- a/crypto/kerberosIV/man/krb_realmofhost.3
+++ b/crypto/kerberosIV/man/krb_realmofhost.3
@@ -1,4 +1,5 @@
 .\" $Id: krb_realmofhost.3,v 1.2 1996/06/12 21:29:23 bg Exp $
+.\" $FreeBSD$
 .\" Copyright 1989 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -13,7 +14,7 @@ krb_get_lrealm \- additional Kerberos utility routines
 .nj
 .ft B
 #include <krb.h>
-#include <des.h>
+#include <openssl/des.h>
 #include <netinet/in.h>
 .PP
 .ft B
diff --git a/crypto/kerberosIV/man/krb_sendauth.3 b/crypto/kerberosIV/man/krb_sendauth.3
index 208b6bc..cc99d4e 100644
--- a/crypto/kerberosIV/man/krb_sendauth.3
+++ b/crypto/kerberosIV/man/krb_sendauth.3
@@ -1,4 +1,5 @@
 .\" $Id: krb_sendauth.3,v 1.2 1996/06/12 21:29:24 bg Exp $
+.\" $FreeBSD$
 .\" Copyright 1988 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -13,7 +14,7 @@ Kerberos routines for sending authentication via network stream sockets
 .nj
 .ft B
 #include <krb.h>
-#include <des.h>
+#include <openssl/des.h>
 #include <netinet/in.h>
 .PP
 .fi
diff --git a/crypto/kerberosIV/man/ksrvutil.8 b/crypto/kerberosIV/man/ksrvutil.8
index fdc99e6..23db919 100644
--- a/crypto/kerberosIV/man/ksrvutil.8
+++ b/crypto/kerberosIV/man/ksrvutil.8
@@ -1,4 +1,5 @@
 .\" $Id: ksrvutil.8,v 1.3 1996/06/12 21:29:27 bg Exp $
+.\" $FreeBSD$
 .\" Copyright 1989 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
diff --git a/crypto/kerberosIV/server/kerberos.c b/crypto/kerberosIV/server/kerberos.c
index 5ecc4f8..32f34e2 100644
--- a/crypto/kerberosIV/server/kerberos.c
+++ b/crypto/kerberosIV/server/kerberos.c
@@ -5,6 +5,7 @@
  * For copying and distribution information, please see the file
  * <mit-copyright.h>.
  */
+/* $FreeBSD$ */
 
 #include "config.h"
 #include "protos.h"
@@ -73,7 +74,7 @@ RCSID("$Id: kerberos.c,v 1.87 1999/11/13 06:35:39 assar Exp $");
 #include <roken.h>
 #include <base64.h>
 
-#include <des.h>
+#include <openssl/des.h>
 #include <krb.h>
 #include <krb_db.h>
 #include <prot.h>
diff --git a/crypto/openssh/COPYING.Ylonen b/crypto/openssh/COPYING.Ylonen
new file mode 100644
index 0000000..5e681ed
--- /dev/null
+++ b/crypto/openssh/COPYING.Ylonen
@@ -0,0 +1,70 @@
+This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
+
+
+COPYING POLICY AND OTHER LEGAL ISSUES
+
+As far as I am concerned, the code I have written for this software
+can be used freely for any purpose.  Any derived versions of this
+software must be clearly marked as such, and if the derived work is
+incompatible with the protocol description in the RFC file, it must be
+called by a name other than "ssh" or "Secure Shell".
+
+However, I am not implying to give any licenses to any patents or
+copyrights held by third parties, and the software includes parts that
+are not under my direct control.  As far as I know, all included
+source code is used in accordance with the relevant license agreements
+and can be used freely for any purpose (the GNU license being the most
+restrictive); see below for details.
+
+[ RSA is no longer included. ]
+[ IDEA is no longer included. ]
+[ DES is now external. ]
+[ GMP is now external. No more GNU licence. ]
+[ Zlib is now external. ]
+[ The make-ssh-known-hosts script is no longer included. ]
+[ TSS has been removed. ]
+[ MD5 is now external. ]
+[ RC4 support has been removed. ]
+[ Blowfish is now external. ]
+
+The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
+Comments in the file indicate it may be used for any purpose without
+restrictions.
+
+The 32-bit CRC compensation attack detector in deattack.c was
+contributed by CORE SDI S.A. under a BSD-style license. See
+http://www.core-sdi.com/english/ssh/ for details.
+
+Note that any information and cryptographic algorithms used in this
+software are publicly available on the Internet and at any major
+bookstore, scientific library, and patent office worldwide.  More
+information can be found e.g. at "http://www.cs.hut.fi/crypto".
+
+The legal status of this program is some combination of all these
+permissions and restrictions.  Use only at your own responsibility.
+You will be responsible for any legal consequences yourself; I am not
+making any claims whether possessing or using this is legal or not in
+your country, and I am not taking any responsibility on your behalf.
+
+
+			    NO WARRANTY
+
+BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/crypto/openssh/Makefile b/crypto/openssh/Makefile
new file mode 100644
index 0000000..668900c
--- /dev/null
+++ b/crypto/openssh/Makefile
@@ -0,0 +1,13 @@
+#	$OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $
+
+.include <bsd.own.mk>
+
+SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp
+
+distribution:
+	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
+	    ${DESTDIR}/etc/ssh_config
+	install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
+	    ${DESTDIR}/etc/sshd_config
+
+.include <bsd.subdir.mk>
diff --git a/crypto/openssh/Makefile.inc b/crypto/openssh/Makefile.inc
new file mode 100644
index 0000000..fddf3da
--- /dev/null
+++ b/crypto/openssh/Makefile.inc
@@ -0,0 +1,11 @@
+CFLAGS+=	-I${.CURDIR}/..
+
+.include <bsd.obj.mk>
+
+.if exists(${.CURDIR}/../lib/${__objdir})
+LDADD+=         -L${.CURDIR}/../lib/${__objdir} -lssh
+DPADD+=         ${.CURDIR}/../lib/${__objdir}/libssh.a
+.else
+LDADD+=         -L${.CURDIR}/../lib -lssh
+DPADD+=         ${.CURDIR}/../lib/libssh.a
+.endif
diff --git a/crypto/openssh/OVERVIEW b/crypto/openssh/OVERVIEW
new file mode 100644
index 0000000..7f34ac4
--- /dev/null
+++ b/crypto/openssh/OVERVIEW
@@ -0,0 +1,164 @@
+This document is intended for those who wish to read the ssh source
+code.  This tries to give an overview of the structure of the code.
+      
+Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
+Updated 17 Nov 1995.
+Updated 19 Oct 1999 for OpenSSH-1.2
+
+The software consists of ssh (client), sshd (server), scp, sdist, and
+the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
+make-ssh-known-hosts.  The main program for each of these is in a .c
+file with the same name.
+
+There are some subsystems/abstractions that are used by a number of
+these programs.
+
+  Buffer manipulation routines
+      
+    - These provide an arbitrary size buffer, where data can be appended.
+      Data can be consumed from either end.  The code is used heavily
+      throughout ssh.  The basic buffer manipulation functions are in
+      buffer.c (header buffer.h), and additional code to manipulate specific
+      data types is in bufaux.c.
+
+  Compression Library
+  
+    - Ssh uses the GNU GZIP compression library (ZLIB).
+
+  Encryption/Decryption
+
+    - Ssh contains several encryption algorithms.  These are all
+      accessed through the cipher.h interface.  The interface code is
+      in cipher.c, and the implementations are in libc.
+
+  Multiple Precision Integer Library
+
+    - Uses the SSLeay BIGNUM sublibrary.
+    - Some auxiliary functions for mp-int manipulation are in mpaux.c.
+
+  Random Numbers
+
+    - Uses arc4random() and such.
+
+  RSA key generation, encryption, decryption
+
+    - Ssh uses the RSA routines in libssl.
+
+  RSA key files
+
+    - RSA keys are stored in files with a special format.  The code to
+      read/write these files is in authfile.c.  The files are normally
+      encrypted with a passphrase.  The functions to read passphrases
+      are in readpass.c (the same code is used to read passwords).
+
+  Binary packet protocol
+
+    - The ssh binary packet protocol is implemented in packet.c.  The
+      code in packet.c does not concern itself with packet types or their
+      execution; it contains code to build packets, to receive them and
+      extract data from them, and the code to compress and/or encrypt
+      packets.  CRC code comes from crc32.c.
+
+    - The code in packet.c calls the buffer manipulation routines
+      (buffer.c, bufaux.c), compression routines (compress.c, zlib),
+      and the encryption routines.
+
+  X11, TCP/IP, and Agent forwarding
+
+    - Code for various types of channel forwarding is in channels.c.
+      The file defines a generic framework for arbitrary communication
+      channels inside the secure channel, and uses this framework to
+      implement X11 forwarding, TCP/IP forwarding, and authentication
+      agent forwarding.
+      The new, Protocol 1.5, channel close implementation is in nchan.c
+
+  Authentication agent
+
+    - Code to communicate with the authentication agent is in authfd.c.
+
+  Authentication methods
+
+    - Code for various authentication methods resides in auth-*.c
+      (auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c).  This
+      code is linked into the server.  The routines also manipulate
+      known hosts files using code in hostfile.c.  Code in canohost.c
+      is used to retrieve the canonical host name of the remote host.
+      Code in match.c is used to match host names.  
+
+    - In the client end, authentication code is in sshconnect.c.  It
+      reads Passwords/passphrases using code in readpass.c.  It reads
+      RSA key files with authfile.c.  It communicates the
+      authentication agent using authfd.c.
+
+  The ssh client
+
+    - The client main program is in ssh.c.  It first parses arguments
+      and reads configuration (readconf.c), then calls ssh_connect (in
+      sshconnect.c) to open a connection to the server (possibly via a
+      proxy), and performs authentication (ssh_login in sshconnect.c).
+      It then makes any pty, forwarding, etc. requests.  It may call
+      code in ttymodes.c to encode current tty modes.  Finally it
+      calls client_loop in clientloop.c.  This does the real work for
+      the session.
+
+    - The client is suid root.  It tries to temporarily give up this
+      rights while reading the configuration data.  The root
+      privileges are only used to make the connection (from a
+      privileged socket).  Any extra privileges are dropped before
+      calling ssh_login.
+
+  Pseudo-tty manipulation and tty modes
+
+    - Code to allocate and use a pseudo tty is in pty.c.  Code to
+      encode and set terminal modes is in ttymodes.c.
+
+  Logging in (updating utmp, lastlog, etc.)
+
+    - The code to do things that are done when a user logs in are in
+      login.c.  This includes things such as updating the utmp, wtmp,
+      and lastlog files.  Some of the code is in sshd.c.
+
+  Writing to the system log and terminal
+
+    - The programs use the functions fatal(), log(), debug(), error()
+      in many places to write messages to system log or user's
+      terminal.  The implementation that logs to system log is in
+      log-server.c; it is used in the server program.  The other
+      programs use an implementation that sends output to stderr; it
+      is in log-client.c.  The definitions are in ssh.h.
+
+  The sshd server (daemon)
+
+    - The sshd daemon starts by processing arguments and reading the
+      configuration file (servconf.c).  It then reads the host key,
+      starts listening for connections, and generates the server key.
+      The server key will be regenerated every hour by an alarm.
+
+    - When the server receives a connection, it forks, disables the
+      regeneration alarm, and starts communicating with the client.
+      They first perform identification string exchange, then
+      negotiate encryption, then perform authentication, preparatory
+      operations, and finally the server enters the normal session
+      mode by calling server_loop in serverloop.c.  This does the real
+      work, calling functions in other modules.
+      
+    - The code for the server is in sshd.c.  It contains a lot of
+      stuff, including:
+        - server main program
+	- waiting for connections
+	- processing new connection
+	- authentication
+	- preparatory operations
+	- building up the execution environment for the user program
+	- starting the user program.
+
+  Auxiliary files
+
+    - There are several other files in the distribution that contain
+      various auxiliary routines:
+        ssh.h	     the main header file for ssh (various definitions)
+        getput.h     byte-order independent storage of integers
+        includes.h   includes most system headers.  Lots of #ifdefs.
+	tildexpand.c expand tilde in file names
+	uidswap.c    uid-swapping
+	xmalloc.c    "safe" malloc routines
diff --git a/crypto/openssh/README b/crypto/openssh/README
new file mode 100644
index 0000000..70dd612
--- /dev/null
+++ b/crypto/openssh/README
@@ -0,0 +1,567 @@
+
+[ Please note that this file has not been updated for OpenSSH and 
+  covers the ssh-1.2.12 release from Dec 1995 only. ]
+
+Ssh (Secure Shell) is a program to log into another computer over a
+network, to execute commands in a remote machine, and to move files
+from one machine to another.  It provides strong authentication and
+secure communications over insecure channels.  It is intended as a
+replacement for rlogin, rsh, rcp, and rdist.
+
+See the file INSTALL for installation instructions.  See COPYING for
+license terms and other legal issues.  See RFC for a description of
+the protocol.  There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.
+
+This file has been updated to match ssh-1.2.12.
+
+
+FEATURES
+
+ o  Strong authentication.  Closes several security holes (e.g., IP,
+    routing, and DNS spoofing).  New authentication methods: .rhosts
+    together with RSA based host authentication, and pure RSA
+    authentication.
+
+ o  Improved privacy.  All communications are automatically and
+    transparently encrypted.  RSA is used for key exchange, and a
+    conventional cipher (normally IDEA, DES, or triple-DES) for
+    encrypting the session.  Encryption is started before
+    authentication, and no passwords or other information is
+    transmitted in the clear.  Encryption is also used to protect
+    against spoofed packets.
+
+ o  Secure X11 sessions.  The program automatically sets DISPLAY on
+    the server machine, and forwards any X11 connections over the
+    secure channel.  Fake Xauthority information is automatically
+    generated and forwarded to the remote machine; the local client
+    automatically examines incoming X11 connections and replaces the
+    fake authorization data with the real data (never telling the 
+    remote machine the real information).
+
+ o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
+    in both directions (e.g., for e-cash transactions).
+
+ o  No retraining needed for normal users; everything happens
+    automatically, and old .rhosts files will work with strong
+    authentication if administration installs host key files.
+
+ o  Never trusts the network.  Minimal trust on the remote side of
+    the connection.  Minimal trust on domain name servers.  Pure RSA
+    authentication never trusts anything but the private key.
+
+ o  Client RSA-authenticates the server machine in the beginning of
+    every connection to prevent trojan horses (by routing or DNS
+    spoofing) and man-in-the-middle attacks, and the server
+    RSA-authenticates the client machine before accepting .rhosts or
+    /etc/hosts.equiv authentication (to prevent DNS, routing, or
+    IP-spoofing).
+
+ o  Host authentication key distribution can be centrally by the
+    administration, automatically when the first connection is made
+    to a machine (the key obtained on the first connection will be
+    recorded and used for authentication in the future), or manually
+    by each user for his/her own use.  The central and per-user host
+    key repositories are both used and complement each other.  Host
+    keys can be generated centrally or automatically when the software
+    is installed.  Host authentication keys are typically 1024 bits.
+
+ o  Any user can create any number of user authentication RSA keys for
+    his/her own use.  Each user has a file which lists the RSA public
+    keys for which proof of possession of the corresponding private
+    key is accepted as authentication.  User authentication keys are
+    typically 1024 bits.
+
+ o  The server program has its own server RSA key which is
+    automatically regenerated every hour.  This key is never saved in
+    any file.  Exchanged session keys are encrypted using both the
+    server key and the server host key.  The purpose of the separate
+    server key is to make it impossible to decipher a captured session by
+    breaking into the server machine at a later time; one hour from
+    the connection even the server machine cannot decipher the session
+    key.  The key regeneration interval is configurable.  The server
+    key is normally 768 bits.
+
+ o  An authentication agent, running in the user's laptop or local
+    workstation, can be used to hold the user's RSA authentication
+    keys.  Ssh automatically forwards the connection to the
+    authentication agent over any connections, and there is no need to
+    store the RSA authentication keys on any machine in the network
+    (except the user's own local machine).  The authentication
+    protocols never reveal the keys; they can only be used to verify
+    that the user's agent has a certain key.  Eventually the agent
+    could rely on a smart card to perform all authentication
+    computations.
+
+ o  The software can be installed and used (with restricted
+    functionality) even without root privileges.
+
+ o  The client is customizable in system-wide and per-user
+    configuration files.  Most aspects of the client's operation can
+    be configured.  Different options can be specified on a per-host basis.
+
+ o  Automatically executes conventional rsh (after displaying a
+    warning) if the server machine is not running sshd.
+
+ o  Optional compression of all data with gzip (including forwarded X11
+    and TCP/IP port data), which may result in significant speedups on
+    slow connections.
+
+ o  Complete replacement for rlogin, rsh, and rcp.
+
+
+WHY TO USE SECURE SHELL
+
+Currently, almost all communications in computer networks are done
+without encryption.  As a consequence, anyone who has access to any
+machine connected to the network can listen in on any communication.
+This is being done by hackers, curious administrators, employers,
+criminals, industrial spies, and governments.  Some networks leak off
+enough electromagnetic radiation that data may be captured even from a
+distance.
+
+When you log in, your password goes in the network in plain
+text.  Thus, any listener can then use your account to do any evil he
+likes.  Many incidents have been encountered worldwide where crackers
+have started programs on workstations without the owners knowledge
+just to listen to the network and collect passwords.  Programs for
+doing this are available on the Internet, or can be built by a
+competent programmer in a few hours.
+
+Any information that you type or is printed on your screen can be
+monitored, recorded, and analyzed.  For example, an intruder who has
+penetrated a host connected to a major network can start a program
+that listens to all data flowing in the network, and whenever it
+encounters a 16-digit string, it checks if it is a valid credit card
+number (using the check digit), and saves the number plus any
+surrounding text (to catch expiration date and holder) in a file.
+When the intruder has collected a few thousand credit card numbers, he
+makes smallish mail-order purchases from a few thousand stores around
+the world, and disappears when the goods arrive but before anyone
+suspects anything.
+
+Businesses have trade secrets, patent applications in preparation,
+pricing information, subcontractor information, client data, personnel
+data, financial information, etc.  Currently, anyone with access to
+the network (any machine on the network) can listen to anything that
+goes in the network, without any regard to normal access restrictions.
+
+Many companies are not aware that information can so easily be
+recovered from the network.  They trust that their data is safe
+since nobody is supposed to know that there is sensitive information
+in the network, or because so much other data is transferred in the
+network.  This is not a safe policy.
+
+Individual persons also have confidential information, such as
+diaries, love letters, health care documents, information about their
+personal interests and habits, professional data, job applications,
+tax reports, political documents, unpublished manuscripts, etc.
+
+One should also be aware that economical intelligence and industrial
+espionage has recently become a major priority of the intelligence
+agencies of major governments.  President Clinton recently assigned
+economical espionage as the primary task of the CIA, and the French
+have repeatedly been publicly boasting about their achievements on
+this field.
+
+
+There is also another frightening aspect about the poor security of
+communications.  Computer storage and analysis capability has
+increased so much that it is feasible for governments, major
+companies, and criminal organizations to automatically analyze,
+identify, classify, and file information about millions of people over
+the years.  Because most of the work can be automated, the cost of
+collecting this information is getting very low.  
+
+Government agencies may be able to monitor major communication
+systems, telephones, fax, computer networks, etc., and passively
+collect huge amounts of information about all people with any
+significant position in the society.  Most of this information is not
+sensitive, and many people would say there is no harm in someone
+getting that information.  However, the information starts to get
+sensitive when someone has enough of it.  You may not mind someone
+knowing what you bought from the shop one random day, but you might
+not like someone knowing every small thing you have bought in the last
+ten years.
+
+If the government some day starts to move into a more totalitarian
+direction (one should remember that Nazi Germany was created by
+democratic elections), there is considerable danger of an ultimate
+totalitarian state.  With enough information (the automatically
+collected records of an individual can be manually analyzed when the
+person becomes interesting), one can form a very detailed picture of
+the individual's interests, opinions, beliefs, habits, friends,
+lovers, weaknesses, etc.  This information can be used to 1) locate
+any persons who might oppose the new system 2) use deception to
+disturb any organizations which might rise against the government 3)
+eliminate difficult individuals without anyone understanding what
+happened.  Additionally, if the government can monitor communications
+too effectively, it becomes too easy to locate and eliminate any
+persons distributing information contrary to the official truth.
+
+Fighting crime and terrorism are often used as grounds for domestic
+surveillance and restricting encryption.  These are good goals, but
+there is considerable danger that the surveillance data starts to get
+used for questionable purposes.  I find that it is better to tolerate
+a small amount of crime in the society than to let the society become
+fully controlled.  I am in favor of a fairly strong state, but the
+state must never get so strong that people become unable to spread
+contra-offical information and unable to overturn the government if it
+is bad.  The danger is that when you notice that the government is
+too powerful, it is too late.  Also, the real power may not be where
+the official government is.
+
+For these reasons (privacy, protecting trade secrets, and making it
+more difficult to create a totalitarian state), I think that strong
+cryptography should be integrated to the tools we use every day.
+Using it causes no harm (except for those who wish to monitor
+everything), but not using it can cause huge problems.  If the society
+changes in undesirable ways, then it will be to late to start
+encrypting.
+
+Encryption has had a "military" or "classified" flavor to it.  There
+are no longer any grounds for this.  The military can and will use its
+own encryption; that is no excuse to prevent the civilians from
+protecting their privacy and secrets.  Information on strong
+encryption is available in every major bookstore, scientific library,
+and patent office around the world, and strong encryption software is
+available in every country on the Internet.
+
+Some people would like to make it illegal to use encryption, or to
+force people to use encryption that governments can break.  This
+approach offers no protection if the government turns bad.  Also, the
+"bad guys" will be using true strong encryption anyway.  Good
+encryption techniques are too widely known to make them disappear.
+Thus, any "key escrow encryption" or other restrictions will only help
+monitor ordinary people and petty criminals.  It does not help against
+powerful criminals, terrorists, or espionage, because they will know
+how to use strong encryption anyway.  (One source for internationally
+available encryption software is http://www.cs.hut.fi/crypto.)
+
+
+OVERVIEW OF SECURE SHELL
+
+The software consists of a number of programs.
+
+   sshd		Server program run on the server machine.  This
+   		listens for connections from client machines, and
+		whenever it receives a connection, it performs
+		authentication and starts serving the client.
+
+   ssh		This is the client program used to log into another
+		machine or to execute commands on the other machine.
+		"slogin" is another name for this program.
+
+   scp		Securely copies files from one machine to another.
+
+   ssh-keygen	Used to create RSA keys (host keys and user
+   		authentication keys).
+
+   ssh-agent	Authentication agent.  This can be used to hold RSA
+   		keys for authentication.
+
+   ssh-add	Used to register new keys with the agent.
+
+   make-ssh-known-hosts
+   		Used to create the /etc/ssh_known_hosts file.
+
+
+Ssh is the program users normally use.  It is started as
+
+  ssh host
+
+or
+
+  ssh host command
+
+The first form opens a new shell on the remote machine (after
+authentication).  The latter form executes the command on the remote
+machine.
+
+When started, the ssh connects sshd on the server machine, verifies
+that the server machine really is the machine it wanted to connect,
+exchanges encryption keys (in a manner which prevents an outside
+listener from getting the keys), performs authentication using .rhosts
+and /etc/hosts.equiv, RSA authentication, or conventional password
+based authentication.  The server then (normally) allocates a
+pseudo-terminal and starts an interactive shell or user program.
+
+The TERM environment variable (describing the type of the user's
+terminal) is passed from the client side to the remote side.  Also,
+terminal modes will be copied from the client side to the remote side
+to preserve user preferences (e.g., the erase character).
+
+If the DISPLAY variable is set on the client side, the server will
+create a dummy X server and set DISPLAY accordingly.  Any connections
+to the dummy X server will be forwarded through the secure channel,
+and will be made to the real X server from the client side.  An
+arbitrary number of X programs can be started during the session, and
+starting them does not require anything special from the user.  (Note
+that the user must not manually set DISPLAY, because then it would
+connect directly to the real display instead of going through the
+encrypted channel).  This behavior can be disabled in the
+configuration file or by giving the -x option to the client.
+
+Arbitrary IP ports can be forwarded over the secure channel.  The
+program then creates a port on one side, and whenever a connection is
+opened to this port, it will be passed over the secure channel, and a
+connection will be made from the other side to a specified host:port
+pair.  Arbitrary IP forwarding must always be explicitly requested,
+and cannot be used to forward privileged ports (unless the user is
+root).  It is possible to specify automatic forwards in a per-user
+configuration file, for example to make electronic cash systems work
+securely.
+
+If there is an authentication agent on the client side, connection to
+it will be automatically forwarded to the server side.
+
+For more infomation, see the manual pages ssh(1), sshd(8), scp(1),
+ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1)
+included in this distribution.
+
+
+X11 CONNECTION FORWARDING
+
+X11 forwarding serves two purposes: it is a convenience to the user
+because there is no need to set the DISPLAY variable, and it provides
+encrypted X11 connections.  I cannot think of any other easy way to
+make X11 connections encrypted; modifying the X server, clients or
+libraries would require special work for each machine, vendor and
+application.  Widely used IP-level encryption does not seem likely for
+several years.  Thus what we have left is faking an X server on the
+same machine where the clients are run, and forwarding the connections
+to a real X server over the secure channel.
+
+X11 forwarding works as follows.  The client extracts Xauthority
+information for the server.  It then creates random authorization
+data, and sends the random data to the server.  The server allocates
+an X11 display number, and stores the (fake) Xauthority data for this
+display.  Whenever an X11 connection is opened, the server forwards
+the connection over the secure channel to the client, and the client
+parses the first packet of the X11 protocol, substitutes real
+authentication data for the fake data (if the fake data matched), and
+forwards the connection to the real X server.
+
+If the display does not have Xauthority data, the server will create a
+unix domain socket in /tmp/.X11-unix, and use the unix domain socket
+as the display.  No authentication information is forwarded in this
+case.  X11 connections are again forwarded over the secure channel.
+To the X server the connections appear to come from the client
+machine, and the server must have connections allowed from the local
+machine.  Using authentication data is always recommended because not
+using it makes the display insecure.  If XDM is used, it automatically
+generates the authentication data.
+
+One should be careful not to use "xin" or "xstart" or other similar
+scripts that explicitly set DISPLAY to start X sessions in a remote
+machine, because the connection will then not go over the secure
+channel.  The recommended way to start a shell in a remote machine is
+
+  xterm -e ssh host &
+
+and the recommended way to execute an X11 application in a remote
+machine is
+
+  ssh -n host emacs &
+
+If you need to type a password/passphrase for the remote machine,
+
+  ssh -f host emacs
+
+may be useful.
+
+
+
+RSA AUTHENTICATION
+
+RSA authentication is based on public key cryptograpy.  The idea is
+that there are two encryption keys, one for encryption and another for
+decryption.  It is not possible (on human timescale) to derive the
+decryption key from the encryption key.  The encryption key is called
+the public key, because it can be given to anyone and it is not
+secret.  The decryption key, on the other hand, is secret, and is
+called the private key.
+
+RSA authentication is based on the impossibility of deriving the
+private key from the public key.  The public key is stored on the
+server machine in the user's $HOME/.ssh/authorized_keys file.  The
+private key is only kept on the user's local machine, laptop, or other
+secure storage.  Then the user tries to log in, the client tells the
+server the public key that the user wishes to use for authentication.
+The server then checks if this public key is admissible.  If so, it
+generates a 256 bit random number, encrypts it with the public key,
+and sends the value to the client.  The client then decrypts the
+number with its private key, computes a 128 bit MD5 checksum from the
+resulting data, and sends the checksum back to the server.  (Only a
+checksum is sent to prevent chosen-plaintext attacks against RSA.)
+The server checks computes a checksum from the correct data,
+and compares the checksums.  Authentication is accepted if the
+checksums match.  (Theoretically this indicates that the client
+only probably knows the correct key, but for all practical purposes
+there is no doubt.)
+
+The RSA private key can be protected with a passphrase.  The
+passphrase can be any string; it is hashed with MD5 to produce an
+encryption key for IDEA, which is used to encrypt the private part of
+the key file.  With passphrase, authorization requires access to the key
+file and the passphrase.  Without passphrase, authorization only
+depends on possession of the key file.
+
+RSA authentication is the most secure form of authentication supported
+by this software.  It does not rely on the network, routers, domain
+name servers, or the client machine.  The only thing that matters is
+access to the private key.  
+
+All this, of course, depends on the security of the RSA algorithm
+itself.  RSA has been widely known since about 1978, and no effective
+methods for breaking it are known if it is used properly.  Care has
+been taken to avoid the well-known pitfalls.  Breaking RSA is widely
+believed to be equivalent to factoring, which is a very hard
+mathematical problem that has received considerable public research.
+So far, no effective methods are known for numbers bigger than about
+512 bits.  However, as computer speeds and factoring methods are
+increasing, 512 bits can no longer be considered secure.  The
+factoring work is exponential, and 768 or 1024 bits are widely
+considered to be secure in the near future.
+
+
+RHOSTS AUTHENTICATION
+
+Conventional .rhosts and hosts.equiv based authentication mechanisms
+are fundamentally insecure due to IP, DNS (domain name server) and
+routing spoofing attacks.  Additionally this authentication method
+relies on the integrity of the client machine.  These weaknesses is
+tolerable, and been known and exploited for a long time.
+
+Ssh provides an improved version of these types of authentication,
+because they are very convenient for the user (and allow easy
+transition from rsh and rlogin).  It permits these types of
+authentication, but additionally requires that the client host be
+authenticated using RSA.  
+
+The server has a list of host keys stored in /etc/ssh_known_host, and
+additionally each user has host keys in $HOME/.ssh/known_hosts.  Ssh
+uses the name servers to obtain the canonical name of the client host,
+looks for its public key in its known host files, and requires the
+client to prove that it knows the private host key.  This prevents IP
+and routing spoofing attacks (as long as the client machine private
+host key has not been compromized), but is still vulnerable to DNS
+attacks (to a limited extent), and relies on the integrity of the
+client machine as to who is requesting to log in.  This prevents
+outsiders from attacking, but does not protect against very powerful
+attackers.  If maximal security is desired, only RSA authentication
+should be used.
+
+It is possible to enable conventional .rhosts and /etc/hosts.equiv
+authentication (without host authentication) at compile time by giving
+the option --with-rhosts to configure.  However, this is not
+recommended, and is not done by default.
+
+These weaknesses are present in rsh and rlogin.  No improvement in
+security will be obtained unless rlogin and rsh are completely
+disabled (commented out in /etc/inetd.conf).  This is highly
+recommended.
+
+
+WEAKEST LINKS IN SECURITY
+
+One should understand that while this software may provide
+cryptographically secure communications, it may be easy to
+monitor the communications at their endpoints.
+
+Basically, anyone with root access on the local machine on which you
+are running the software may be able to do anything.  Anyone with root
+access on the server machine may be able to monitor your
+communications, and a very talented root user might even be able to
+send his/her own requests to your authentication agent.
+
+One should also be aware that computers send out electromagnetic
+radition that can sometimes be picked up hundreds of meters away.
+Your keyboard is particularly easy to listen to.  The image on your
+monitor might also be seen on another monitor in a van parked behind
+your house.
+
+Beware that unwanted visitors might come to your home or office and
+use your machine while you are away.  They might also make
+modifications or install bugs in your hardware or software.
+
+Beware that the most effective way for someone to decrypt your data
+may be with a rubber hose.
+
+
+LEGAL ISSUES
+
+As far as I am concerned, anyone is permitted to use this software
+freely.  However, see the file COPYING for detailed copying,
+licensing, and distribution information.
+
+In some countries, particularly France, Russia, Iraq, and Pakistan,
+it may be illegal to use any encryption at all without a special
+permit, and the rumor has it that you cannot get a permit for any
+strong encryption.
+
+This software may be freely imported into the United States; however,
+the United States Government may consider re-exporting it a criminal
+offence.
+
+Note that any information and cryptographic algorithms used in this
+software are publicly available on the Internet and at any major
+bookstore, scientific library, or patent office worldwide.
+
+THERE IS NO WARRANTY FOR THIS PROGRAM.  Please consult the file
+COPYING for more information.
+
+
+MAILING LISTS AND OTHER INFORMATION
+
+There is a mailing list for ossh.  It is ossh@sics.se.  If you would
+like to join, send a message to majordomo@sics.se with "subscribe
+ssh" in body.
+
+The WWW home page for ssh is http://www.cs.hut.fi/ssh.  It contains an
+archive of the mailing list, and detailed information about new
+releases, mailing lists, and other relevant issues.
+
+Bug reports should be sent to ossh-bugs@sics.se.
+
+
+ABOUT THE AUTHOR
+
+This software was written by Tatu Ylonen <ylo@cs.hut.fi>.  I work as a
+researcher at Helsinki University of Technology, Finland.  For more
+information, see http://www.cs.hut.fi/~ylo/.  My PGP public key is
+available via finger from ylo@cs.hut.fi and from the key servers.  I
+prefer PGP encrypted mail.
+
+The author can be contacted via ordinary mail at
+  Tatu Ylonen
+  Helsinki University of Technology
+  Otakaari 1
+  FIN-02150 ESPOO
+  Finland
+
+  Fax. +358-0-4513293
+
+
+ACKNOWLEDGEMENTS
+
+I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for
+their help and comments in the design, implementation and porting of
+this software.  I also thank numerous contributors, including but not
+limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane
+Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome
+Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson,
+Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar
+Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald
+McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan
+O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz
+Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and
+Cristophe Wolfhugel.
+
+Thanks also go to Philip Zimmermann, whose PGP software and the
+associated legal battle provided inspiration, motivation, and many
+useful techniques, and to Bruce Schneier whose book Applied
+Cryptography has done a great service in widely distributing knowledge
+about cryptographic methods.
+
+
+Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.
diff --git a/crypto/openssh/README.openssh2 b/crypto/openssh/README.openssh2
new file mode 100644
index 0000000..d312dbd
--- /dev/null
+++ b/crypto/openssh/README.openssh2
@@ -0,0 +1,45 @@
+$FreeBSD$
+$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $
+
+howto:
+	1) generate server key:
+		$ ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ''
+	2) enable ssh2:
+		server: add 'Protocol 2,1' to /etc/ssh/sshd_config
+		client: ssh -o 'Protocol 2,1', or add to .ssh/config
+	3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
+	   interop w/ ssh.com dsa-keys:
+		ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
+	   and vice versa
+		ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
+		echo Key mykey.pub >> ~/.ssh2/authorization
+
+works:
+	secsh-transport: works w/o rekey
+		proposal exchange, i.e. different enc/mac/comp per direction
+		encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
+		mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
+		compression: zlib, none
+	secsh-userauth: passwd and pubkey with DSA
+	secsh-connection: pty+shell or command, flow control works (window adjust)
+		tcp-forwarding: -L works, -R incomplete
+		x11-fwd
+	dss/dsa: host key database in ~/.ssh/known_hosts2
+	client interops w/ sshd2, lshd
+	server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT, F-Secure SSH Client 4.0, SecureFX (secure ftp)
+	server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
+todo:
+	re-keying
+	secsh-connection features:
+		 tcp-forwarding, agent-fwd
+	auth other than passwd, and DSA-pubkey:
+		 keyboard-interactive, (PGP-pubkey?)
+	config
+	server-auth w/ old host-keys
+	cleanup
+	advanced key storage?
+	keynote
+	sftp
+
+-markus
+$Date: 2000/05/07 18:30:03 $
diff --git a/crypto/openssh/RFC.nroff b/crypto/openssh/RFC.nroff
new file mode 100644
index 0000000..dccc954
--- /dev/null
+++ b/crypto/openssh/RFC.nroff
@@ -0,0 +1,1780 @@
+.\" -*- nroff -*-
+.\"
+.\" $Id: RFC.nroff,v 1.1 1999/09/26 20:53:32 deraadt Exp $
+.\"
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Ylonen
+.ds RF FORMFEED[Page %]
+.ds CF
+.ds LH Internet-Draft
+.ds RH 15 November 1995
+.ds CH SSH (Secure Shell) Remote Login Protocol
+.na
+.hy 0
+.in 0
+Network Working Group					       T. Ylonen
+Internet-Draft			       Helsinki University of Technology
+draft-ylonen-ssh-protocol-00.txt			15 November 1995
+Expires: 15 May 1996
+
+.in 3
+
+.ce
+The SSH (Secure Shell) Remote Login Protocol
+
+.ti 0
+Status of This Memo
+
+This document is an Internet-Draft.   Internet-Drafts  are  working
+documents of the Internet Engineering Task Force (IETF), its areas,
+and its working groups.  Note that other groups may also distribute
+working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid  for  a  maximum  of  six
+months  and  may  be updated, replaced, or obsoleted by other docu-
+ments at any time.  It is inappropriate to use  Internet-Drafts  as
+reference  material  or  to  cite them other than as ``work in pro-
+gress.''
+
+To learn the current status of any Internet-Draft, please check the
+``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
+Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
+munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+ftp.isi.edu (US West Coast).
+
+The distribution of  this  memo  is  unlimited.
+
+.ti 0
+Introduction
+
+SSH (Secure Shell) is a program to log into another computer over a
+network, to execute commands in a remote machine, and to move files
+from one machine to another.  It provides strong authentication and
+secure communications over insecure networks.  Its features include
+the following:
+.IP o
+Closes several security holes (e.g., IP, routing, and DNS spoofing).
+New authentication methods: .rhosts together with RSA [RSA] based host
+authentication, and pure RSA authentication.
+.IP o
+All communications are automatically and transparently encrypted.
+Encryption is also used to protect integrity.
+.IP o
+X11 connection forwarding provides secure X11 sessions.
+.IP o
+Arbitrary TCP/IP ports can be redirected over the encrypted channel
+in both directions.
+.IP o
+Client RSA-authenticates the server machine in the beginning of every
+connection to prevent trojan horses (by routing or DNS spoofing) and
+man-in-the-middle attacks, and the server RSA-authenticates the client
+machine before accepting .rhosts or /etc/hosts.equiv authentication
+(to prevent DNS, routing, or IP spoofing).
+.IP o
+An authentication agent, running in the user's local workstation or
+laptop, can be used to hold the user's RSA authentication keys.
+.RT
+
+The goal has been to make the software as easy to use as possible for
+ordinary users.  The protocol has been designed to be as secure as
+possible while making it possible to create implementations that
+are easy to use and install.  The sample implementation has a number
+of convenient features that are not described in this document as they
+are not relevant for the protocol.
+
+
+.ti 0
+Overview of the Protocol
+
+The software consists of a server program running on a server machine,
+and a client program running on a client machine (plus a few auxiliary
+programs).  The machines are connected by an insecure IP [RFC0791]
+network (that can be monitored, tampered with, and spoofed by hostile
+parties).
+
+A connection is always initiated by the client side.  The server
+listens on a specific port waiting for connections.  Many clients may
+connect to the same server machine.
+
+The client and the server are connected via a TCP/IP [RFC0793] socket
+that is used for bidirectional communication.  Other types of
+transport can be used but are currently not defined.
+
+When the client connects the server, the server accepts the connection
+and responds by sending back its version identification string.  The
+client parses the server's identification, and sends its own
+identification.  The purpose of the identification strings is to
+validate that the connection was to the correct port, declare the
+protocol version number used, and to declare the software version used
+on each side (for debugging purposes).  The identification strings are
+human-readable.  If either side fails to understand or support the
+other side's version, it closes the connection.
+
+After the protocol identification phase, both sides switch to a packet
+based binary protocol.  The server starts by sending its host key
+(every host has an RSA key used to authenticate the host), server key
+(an RSA key regenerated every hour), and other information to the
+client.  The client then generates a 256 bit session key, encrypts it
+using both RSA keys (see below for details), and sends the encrypted
+session key and selected cipher type to the server.  Both sides then
+turn on encryption using the selected algorithm and key.  The server
+sends an encrypted confirmation message to the client.
+
+The client then authenticates itself using any of a number of
+authentication methods.  The currently supported authentication
+methods are .rhosts or /etc/hosts.equiv authentication (disabled by
+default), the same with RSA-based host authentication, RSA
+authentication, and password authentication.
+
+After successful authentication, the client makes a number of requests
+to prepare for the session.  Typical requests include allocating a
+pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting
+authentication agent forwarding, and executing the shell or a command.
+
+When a shell or command is executed, the connection enters interactive
+session mode.  In this mode, data is passed in both directions, 
+new forwarded connections may be opened, etc.  The interactive session
+normally terminates when the server sends the exit status of the
+program to the client.
+
+
+The protocol makes several reservations for future extensibility.
+First of all, the initial protocol identification messages include the
+protocol version number.  Second, the first packet by both sides
+includes a protocol flags field, which can be used to agree on
+extensions in a compatible manner.  Third, the authentication and
+session preparation phases work so that the client sends requests to
+the server, and the server responds with success or failure.  If the
+client sends a request that the server does not support, the server
+simply returns failure for it.  This permits compatible addition of
+new authentication methods and preparation operations.  The
+interactive session phase, on the other hand, works asynchronously and
+does not permit the use of any extensions (because there is no easy
+and reliable way to signal rejection to the other side and problems
+would be hard to debug).  Any compatible extensions to this phase must
+be agreed upon during any of the earlier phases.
+
+.ti 0
+The Binary Packet Protocol
+
+After the protocol identification strings, both sides only send
+specially formatted packets.  The packet layout is as follows:
+.IP o
+Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb
+first.  Gives the length of the packet, not including the length field
+and padding.  The maximum length of a packet (not including the length
+field and padding) is 262144 bytes.
+.IP o
+Padding: 1-8 bytes of random data (or zeroes if not encrypting).  The
+amount of padding is (8 - (length % 8)) bytes (where % stands for the
+modulo operator).  The rationale for always having some random padding
+at the beginning of each packet is to make known plaintext attacks
+more difficult.
+.IP o
+Packet type: 8-bit unsigned byte.  The value 255 is reserved for
+future extension.
+.IP o
+Data: binary data bytes, depending on the packet type.  The number of
+data bytes is the "length" field minus 5.
+.IP o
+Check bytes: 32-bit crc, four 8-bit bytes, msb first.  The crc is the
+Cyclic Redundancy Check, with the polynomial 0xedb88320, of the
+Padding, Packet type, and Data fields.  The crc is computed before
+any encryption.
+.RT
+
+The packet, except for the length field, may be encrypted using any of
+a number of algorithms.  The length of the encrypted part (Padding +
+Type + Data + Check) is always a multiple of 8 bytes.  Typically the
+cipher is used in a chained mode, with all packets chained together as
+if it was a single data stream (the length field is never included in
+the encryption process).  Details of encryption are described below.
+
+When the session starts, encryption is turned off.  Encryption is
+enabled after the client has sent the session key.  The encryption
+algorithm to use is selected by the client.
+
+
+.ti 0
+Packet Compression
+
+If compression is supported (it is an optional feature, see
+SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields
+of the packet are compressed using the gzip deflate algorithm [GZIP].
+If compression is in effect, the packet length field indicates the
+length of the compressed data, plus 4 for the crc.  The amount of
+padding is computed from the compressed data, so that the amount of
+data to be encrypted becomes a multiple of 8 bytes.
+
+When compressing, the packets (type + data portions) in each direction
+are compressed as if they formed a continuous data stream, with only the
+current compression block flushed between packets.  This corresponds
+to the GNU ZLIB library Z_PARTIAL_FLUSH option.  The compression
+dictionary is not flushed between packets.  The two directions are
+compressed independently of each other.
+
+
+.ti 0
+Packet Encryption
+
+The protocol supports several encryption methods.  During session
+initialization, the server sends a bitmask of all encryption methods
+that it supports, and the client selects one of these methods.  The
+client also generates a 256-bit random session key (32 8-bit bytes) and
+sends it to the server.
+
+The encryption methods supported by the current implementation, and
+their codes are:
+.TS
+center;
+l r l.
+SSH_CIPHER_NONE	0	   No encryption
+SSH_CIPHER_IDEA	1	   IDEA in CFB mode
+SSH_CIPHER_DES	2	   DES in CBC mode
+SSH_CIPHER_3DES	3	   Triple-DES in CBC mode
+SSH_CIPHER_TSS	4	   An experimental stream cipher
+SSH_CIPHER_RC4	5	   RC4
+.TE
+
+All implementations are required to support SSH_CIPHER_DES and
+SSH_CIPHER_3DES.  Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and
+SSH_CIPHER_NONE is recommended.  Support for SSH_CIPHER_TSS is
+optional (and it is not described in this document).  Other ciphers
+may be added at a later time; support for them is optional.
+
+For encryption, the encrypted portion of the packet is considered a
+linear byte stream.  The length of the stream is always a multiple of
+8.  The encrypted portions of consecutive packets (in the same
+direction) are encrypted as if they were a continuous buffer (that is,
+any initialization vectors are passed from the previous packet to the
+next packet).  Data in each direction is encrypted independently.
+.IP SSH_CIPHER_DES
+The key is taken from the first 8 bytes of the session key.  The least
+significant bit of each byte is ignored.  This results in 56 bits of
+key data.  DES [DES] is used in CBC mode.  The iv (initialization vector) is
+initialized to all zeroes.
+.IP SSH_CIPHER_3DES
+The variant of triple-DES used here works as follows: there are three
+independent DES-CBC ciphers, with independent initialization vectors.
+The data (the whole encrypted data stream) is first encrypted with the
+first cipher, then decrypted with the second cipher, and finally
+encrypted with the third cipher.  All these operations are performed
+in CBC mode.
+
+The key for the first cipher is taken from the first 8 bytes of the
+session key; the key for the next cipher from the next 8 bytes, and
+the key for the third cipher from the following 8 bytes.  All three
+initialization vectors are initialized to zero.
+
+(Note: the variant of 3DES used here differs from some other
+descriptions.)
+.IP SSH_CIPHER_IDEA
+The key is taken from the first 16 bytes of the session key.  IDEA
+[IDEA] is used in CFB mode.  The initialization vector is initialized
+to all zeroes.
+.IP SSH_CIPHER_TSS
+All 32 bytes of the session key are used as the key.
+
+There is no reference available for the TSS algorithm; it is currently
+only documented in the sample implementation source code.  The
+security of this cipher is unknown (but it is quite fast).  The cipher
+is basically a stream cipher that uses MD5 as a random number
+generator and takes feedback from the data.
+.IP SSH_CIPHER_RC4
+The first 16 bytes of the session key are used as the key for the
+server to client direction.  The remaining 16 bytes are used as the
+key for the client to server direction.  This gives independent
+128-bit keys for each direction.
+
+This algorithm is the alleged RC4 cipher posted to the Usenet in 1995.
+It is widely believed to be equivalent with the original RSADSI RC4
+cipher.  This is a very fast algorithm.
+.RT
+
+
+.ti 0
+Data Type Encodings
+
+The Data field of each packet contains data encoded as described in
+this section.  There may be several data items; each item is coded as
+described here, and their representations are concatenated together
+(without any alignment or padding).
+
+Each data type is stored as follows:
+.IP "8-bit byte"
+The byte is stored directly as a single byte.
+.IP "32-bit unsigned integer"
+Stored in 4 bytes, msb first.
+.IP "Arbitrary length binary string"
+First 4 bytes are the length of the string, msb first (not including
+the length itself).  The following "length" bytes are the string
+value.  There are no terminating null characters.
+.IP "Multiple-precision integer"
+First 2 bytes are the number of bits in the integer, msb first (for
+example, the value 0x00012345 would have 17 bits).  The value zero has
+zero bits.  It is permissible that the number of bits be larger than the
+real number of bits.
+
+The number of bits is followed by (bits + 7) / 8 bytes of binary data,
+msb first, giving the value of the integer.
+.RT
+
+
+.ti 0
+TCP/IP Port Number and Other Options
+
+The server listens for connections on TCP/IP port 22.
+
+The client may connect the server from any port.  However, if the
+client wishes to use any form of .rhosts or /etc/hosts.equiv
+authentication, it must connect from a privileged port (less than
+1024).
+
+For the IP Type of Service field [RFC0791], it is recommended that
+interactive sessions (those having a user terminal or forwarding X11
+connections) use the IPTOS_LOWDELAY, and non-interactive connections
+use IPTOS_THROUGHPUT.
+
+It is recommended that keepalives are used, because otherwise programs
+on the server may never notice if the other end of the connection is
+rebooted.
+
+
+.ti 0
+Protocol Version Identification
+
+After the socket is opened, the server sends an identification string,
+which is of the form
+"SSH-<protocolmajor>.<protocolminor>-<version>\\n", where
+<protocolmajor> and <protocolminor> are integers and specify the
+protocol version number (not software distribution version).
+<version> is server side software version string (max 40 characters);
+it is not interpreted by the remote side but may be useful for
+debugging.
+
+The client parses the server's string, and sends a corresponding
+string with its own information in response.  If the server has lower
+version number, and the client contains special code to emulate it,
+the client responds with the lower number; otherwise it responds with
+its own number.  The server then compares the version number the
+client sent with its own, and determines whether they can work
+together.  The server either disconnects, or sends the first packet
+using the binary packet protocol and both sides start working
+according to the lower of the protocol versions.
+
+By convention, changes which keep the protocol compatible with
+previous versions keep the same major protocol version; changes that
+are not compatible increment the major version (which will hopefully
+never happen).  The version described in this document is 1.3.
+
+The client will 
+
+.ti 0
+Key Exchange and Server Host Authentication
+
+The first message sent by the server using the packet protocol is
+SSH_SMSG_PUBLIC_KEY.  It declares the server's host key, server public
+key, supported ciphers, supported authentication methods, and flags
+for protocol extensions.  It also contains a 64-bit random number
+(cookie) that must be returned in the client's reply (to make IP
+spoofing more difficult).  No encryption is used for this message.
+
+Both sides compute a session id as follows.  The modulus of the server
+key is interpreted as a byte string (without explicit length field,
+with minimum length able to hold the whole value), most significant
+byte first.  This string is concatenated with the server host key
+interpreted the same way.  Additionally, the cookie is concatenated
+with this.  Both sides compute MD5 of the resulting string.  The
+resulting 16 bytes (128 bits) are stored by both parties and are
+called the session id.
+
+The client responds with a SSH_CMSG_SESSION_KEY message, which
+contains the selected cipher type, a copy of the 64-bit cookie sent by
+the server, client's protocol flags, and a session key encrypted
+with both the server's host key and server key.  No encryption is used
+for this message.
+
+The session key is 32 8-bit bytes (a total of 256 random bits
+generated by the client).  The client first xors the 16 bytes of the
+session id with the first 16 bytes of the session key.  The resulting
+string is then encrypted using the smaller key (one with smaller
+modulus), and the result is then encrypted using the other key.  The
+number of bits in the public modulus of the two keys must differ by at
+least 128 bits.
+
+At each encryption step, a multiple-precision integer is constructed
+from the data to be encrypted as follows (the integer is here
+interpreted as a sequence of bytes, msb first; the number of bytes is
+the number of bytes needed to represent the modulus).
+
+The most significant byte (which is only partial as the value must be
+less than the public modulus, which is never a power of two) is zero.
+
+The next byte contains the value 2 (which stands for public-key
+encrypted data in the PKCS standard [PKCS#1]).  Then, there are
+non-zero random bytes to fill any unused space, a zero byte, and the
+data to be encrypted in the least significant bytes, the last byte of
+the data in the least significant byte.
+
+This algorithm is used twice.  First, it is used to encrypt the 32
+random bytes generated by the client to be used as the session key
+(xored by the session id).  This value is converted to an integer as
+described above, and encrypted with RSA using the key with the smaller
+modulus.  The resulting integer is converted to a byte stream, msb
+first.  This byte stream is padded and encrypted identically using the
+key with the larger modulus.
+
+After the client has sent the session key, it starts to use the
+selected algorithm and key for decrypting any received packets, and
+for encrypting any sent packets.  Separate ciphers are used for
+different directions (that is, both directions have separate
+initialization vectors or other state for the ciphers).
+
+When the server has received the session key message, and has turned
+on encryption, it sends a SSH_SMSG_SUCCESS message to the client.
+
+The recommended size of the host key is 1024 bits, and 768 bits for
+the server key.  The minimum size is 512 bits for the smaller key.
+
+
+.ti 0
+Declaring the User Name
+
+The client then sends a SSH_CMSG_USER message to the server.  This
+message specifies the user name to log in as.
+
+The server validates that such a user exists, checks whether
+authentication is needed, and responds with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.  SSH_SMSG_SUCCESS indicates that no authentication
+is needed for this user (no password), and authentication phase has
+now been completed.  SSH_SMSG_FAILURE indicates that authentication is
+needed (or the user does not exist).
+
+If the user does not exist, it is recommended that this returns
+failure, but the server keeps reading messages from the client, and
+responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
+and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE.  This way the client cannot
+be certain whether the user exists.
+
+
+.ti 0
+Authentication Phase
+
+Provided the server didn't immediately accept the login, an
+authentication exchange begins.  The client sends messages to the
+server requesting different types of authentication in arbitrary order as
+many times as desired (however, the server may close the connection
+after a timeout).  The server always responds with SSH_SMSG_SUCCESS if
+it has accepted the authentication, and with SSH_SMSG_FAILURE if it has
+denied authentication with the requested method or it does not
+recognize the message.  Some authentication methods cause an exchange
+of further messages before the final result is sent.  The
+authentication phase ends when the server responds with success.
+
+The recommended value for the authentication timeout (timeout before
+disconnecting if no successful authentication has been made) is 5
+minutes.
+
+The following authentication methods are currently supported:
+.TS
+center;
+l r l.
+SSH_AUTH_RHOSTS	1	.rhosts or /etc/hosts.equiv
+SSH_AUTH_RSA	2	pure RSA authentication
+SSH_AUTH_PASSWORD	3	password authentication
+SSH_AUTH_RHOSTS_RSA	4	.rhosts with RSA host authentication
+.TE
+.IP SSH_AUTH_RHOSTS
+
+This is the authentication method used by rlogin and rsh [RFC1282].
+
+The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name
+as an argument.
+
+The server checks whether to permit authentication.  On UNIX systems,
+this is usually done by checking /etc/hosts.equiv, and .rhosts in the
+user's home directory.  The connection must come from a privileged
+port.
+
+It is recommended that the server checks that there are no IP options
+(such as source routing) specified for the socket before accepting
+this type of authentication.  The client host name should be
+reverse-mapped and then forward mapped to ensure that it has the
+proper IP-address.
+
+This authentication method trusts the remote host (root on the remote
+host can pretend to be any other user on that host), the name
+services, and partially the network: anyone who can see packets coming
+out from the server machine can do IP-spoofing and pretend to be any
+machine; however, the protocol prevents blind IP-spoofing (which used
+to be possible with rlogin).
+
+Many sites probably want to disable this authentication method because
+of the fundamental insecurity of conventional .rhosts or
+/etc/hosts.equiv authentication when faced with spoofing.  It is
+recommended that this method not be supported by the server by
+default.
+.IP SSH_AUTH_RHOSTS_RSA
+
+In addition to conventional .rhosts and hosts.equiv authentication,
+this method additionally requires that the client host be
+authenticated using RSA.
+
+The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side
+user name, and the public host key of the client host.
+
+The server first checks if normal .rhosts or /etc/hosts.equiv
+authentication would be accepted, and if not, responds with
+SSH_SMSG_FAILURE.  Otherwise, it checks whether it knows the host key
+for the client machine (using the same name for the host that was used
+for checking the .rhosts and /etc/hosts.equiv files).  If it does not
+know the RSA key for the client, access is denied and SSH_SMSG_FAILURE
+is sent.
+
+If the server knows the host key of the client machine, it verifies
+that the given host key matches that known for the client.  If not,
+access is denied and SSH_SMSG_FAILURE is sent.
+
+The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing
+an encrypted challenge for the client.  The challenge is 32 8-bit
+random bytes (256 bits).  When encrypted, the highest (partial) byte
+is left as zero, the next byte contains the value 2, the following are
+non-zero random bytes, followed by a zero byte, and the challenge put
+in the remaining bytes.  This is then encrypted using RSA with the
+client host's public key.  (The padding and encryption algorithm is
+the same as that used for the session key.)
+
+The client decrypts the challenge using its private host key,
+concatenates this with the session id, and computes an MD5 checksum
+of the resulting 48 bytes.  The MD5 output is returned as 16 bytes in
+a SSH_CMSG_AUTH_RSA_RESPONSE message.  (MD5 is used to deter chosen
+plaintext attacks against RSA; the session id binds it to a specific
+session).
+
+The server verifies that the MD5 of the decrypted challenge returned by
+the client matches that of the original value, and sends SSH_SMSG_SUCCESS if
+so.  Otherwise it sends SSH_SMSG_FAILURE and refuses the
+authentication attempt.
+
+This authentication method trusts the client side machine in that root
+on that machine can pretend to be any user on that machine.
+Additionally, it trusts the client host key.  The name and/or IP
+address of the client host is only used to select the public host key.
+The same host name is used when scanning .rhosts or /etc/hosts.equiv
+and when selecting the host key.  It would in principle be possible to
+eliminate the host name entirely and substitute it directly by the
+host key.  IP and/or DNS [RFC1034] spoofing can only be used
+to pretend to be a host for which the attacker has the private host
+key.
+.IP SSH_AUTH_RSA
+
+The idea behind RSA authentication is that the server recognizes the
+public key offered by the client, generates a random challenge, and
+encrypts the challenge with the public key.  The client must then
+prove that it has the corresponding private key by decrypting the
+challenge.
+
+The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an
+argument.
+
+The server may respond immediately with SSH_SMSG_FAILURE if it does
+not permit authentication with this key.  Otherwise it generates a
+challenge, encrypts it using the user's public key (stored on the
+server and identified using the modulus), and sends
+SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an
+argument.
+
+The challenge is 32 8-bit random bytes (256 bits).  When encrypted,
+the highest (partial) byte is left as zero, the next byte contains the
+value 2, the following are non-zero random bytes, followed by a zero
+byte, and the challenge put in the remaining bytes.  This is then
+encrypted with the public key.  (The padding and encryption algorithm
+is the same as that used for the session key.)
+
+The client decrypts the challenge using its private key, concatenates
+it with the session id, and computes an MD5 checksum of the resulting
+48 bytes.  The MD5 output is returned as 16 bytes in a
+SSH_CMSG_AUTH_RSA_RESPONSE message.  (Note that the MD5 is necessary
+to avoid chosen plaintext attacks against RSA; the session id binds it
+to a specific session.)
+
+The server verifies that the MD5 of the decrypted challenge returned
+by the client matches that of the original value, and sends
+SSH_SMSG_SUCCESS if so.  Otherwise it sends SSH_SMSG_FAILURE and
+refuses the authentication attempt.
+
+This authentication method does not trust the remote host, the
+network, name services, or anything else.  Authentication is based
+solely on the possession of the private identification keys.  Anyone
+in possession of the private keys can log in, but nobody else.
+
+The server may have additional requirements for a successful
+authentiation.  For example, to limit damage due to a compromised RSA
+key, a server might restrict access to a limited set of hosts.
+.IP SSH_AUTH_PASSWORD
+
+The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text
+password.  (Note that even though the password is plain text inside
+the message, it is normally encrypted by the packet mechanism.)
+
+The server verifies the password, and sends SSH_SMSG_SUCCESS if
+authentication was accepted and SSH_SMSG_FAILURE otherwise.
+
+Note that the password is read from the user by the client; the user
+never interacts with a login program.
+
+This authentication method does not trust the remote host, the
+network, name services or anything else.  Authentication is based
+solely on the possession of the password.  Anyone in possession of the
+password can log in, but nobody else.
+.RT
+
+.ti 0
+Preparatory Operations
+
+After successful authentication, the server waits for a request from
+the client, processes the request, and responds with SSH_SMSG_SUCCESS
+whenever a request has been successfully processed.  If it receives a
+message that it does not recognize or it fails to honor a request, it
+returns SSH_SMSG_FAILURE.  It is expected that new message types might
+be added to this phase in future.
+
+The following messages are currently defined for this phase.
+.IP SSH_CMSG_REQUEST_COMPRESSION
+Requests that compression be enabled for this session.  A
+gzip-compatible compression level (1-9) is passed as an argument.
+.IP SSH_CMSG_REQUEST_PTY
+Requests that a pseudo terminal device be allocated for this session.
+The user terminal type and terminal modes are supplied as arguments.
+.IP SSH_CMSG_X11_REQUEST_FORWARDING
+Requests forwarding of X11 connections from the remote machine to the
+local machine over the secure channel.  Causes an internet-domain
+socket to be allocated and the DISPLAY variable to be set on the server.
+X11 authentication data is automatically passed to the server, and the
+client may implement spoofing of authentication data for added
+security.  The authentication data is passed as arguments.
+.IP SSH_CMSG_PORT_FORWARD_REQUEST
+Requests forwarding of a TCP/IP port on the server host over the
+secure channel.  What happens is that whenever a connection is made to
+the port on the server, a connection will be made from the client end
+to the specified host/port.  Any user can forward unprivileged ports;
+only the root can forward privileged ports (as determined by
+authentication done earlier).
+.IP SSH_CMSG_AGENT_REQUEST_FORWARDING
+Requests forwarding of the connection to the authentication agent.
+.IP SSH_CMSG_EXEC_SHELL
+Starts a shell (command interpreter) for the user, and moves into
+interactive session mode.
+.IP SSH_CMSG_EXEC_CMD
+Executes the given command (actually "<shell> -c <command>" or
+equivalent) for the user, and moves into interactive session mode.
+.RT
+
+
+.ti 0
+Interactive Session and Exchange of Data
+
+During the interactive session, any data written by the shell or
+command running on the server machine is forwarded to stdin or
+stderr on the client machine, and any input available from stdin on
+the client machine is forwarded to the program on the server machine.
+
+All exchange is asynchronous; either side can send at any time, and
+there are no acknowledgements (TCP/IP already provides reliable
+transport, and the packet protocol protects against tampering or IP
+spoofing).
+
+When the client receives EOF from its standard input, it will send
+SSH_CMSG_EOF; however, this in no way terminates the exchange.  The
+exchange terminates and interactive mode is left when the server sends
+SSH_SMSG_EXITSTATUS to indicate that the client program has
+terminated.  Alternatively, either side may disconnect at any time by
+sending SSH_MSG_DISCONNECT or closing the connection.
+
+The server may send any of the following messages:
+.IP SSH_SMSG_STDOUT_DATA
+Data written to stdout by the program running on the server.  The data
+is passed as a string argument.  The client writes this data to
+stdout.
+.IP SSH_SMSG_STDERR_DATA
+Data written to stderr by the program running on the server.  The data
+is passed as a string argument.  The client writes this data to
+stderr.  (Note that if the program is running on a tty, it is not
+possible to separate stdout and stderr data, and all data will be sent
+as stdout data.)
+.IP SSH_SMSG_EXITSTATUS
+Indicates that the shell or command has exited.  Exit status is passed
+as an integer argument.  This message causes termination of the
+interactive session.
+.IP SSH_SMSG_AGENT_OPEN
+Indicates that someone on the server side is requesting a connection
+to the authentication agent.  The server-side channel number is passed
+as an argument.  The client must respond with either
+SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE.
+.IP SSH_SMSG_X11_OPEN
+Indicates that a connection has been made to the X11 socket on the
+server side and should be forwarded to the real X server.  An integer
+argument indicates the channel number allocated for this connection on
+the server side.  The client should send back either
+SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
+the same server side channel number.
+.IP SSH_MSG_PORT_OPEN
+Indicates that a connection has been made to a port on the server side
+for which forwarding has been requested.  Arguments are server side
+channel number, host name to connect to, and port to connect to.  The
+client should send back either
+SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
+the same server side channel number.
+.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+This is sent by the server to indicate that it has opened a connection
+as requested in a previous message.  The first argument indicates the
+client side channel number, and the second argument is the channel number
+that the server has allocated for this connection.
+.IP SSH_MSG_CHANNEL_OPEN_FAILURE
+This is sent by the server to indicate that it failed to open a
+connection as requested in a previous message.  The client-side
+channel number is passed as an argument.  The client will close the
+descriptor associated with the channel and free the channel.
+.IP SSH_MSG_CHANNEL_DATA
+This packet contains data for a channel from the server.  The first
+argument is the client-side channel number, and the second argument (a
+string) is the data.
+.IP SSH_MSG_CHANNEL_CLOSE
+This is sent by the server to indicate that whoever was in the other
+end of the channel has closed it.  The argument is the client side channel
+number.  The client will let all buffered data in the channel to
+drain, and when ready, will close the socket, free the channel, and
+send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the
+channel.
+.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+This is send by the server to indicate that a channel previously
+closed by the client has now been closed on the server side as well.
+The argument indicates the client channel number.  The client frees
+the channel.
+.RT
+
+The client may send any of the following messages:
+.IP SSH_CMSG_STDIN_DATA
+This is data to be sent as input to the program running on the server.
+The data is passed as a string.
+.IP SSH_CMSG_EOF
+Indicates that the client has encountered EOF while reading standard
+input.  The server will allow any buffered input data to drain, and
+will then close the input to the program.
+.IP SSH_CMSG_WINDOW_SIZE
+Indicates that window size on the client has been changed.  The server
+updates the window size of the tty and causes SIGWINCH to be sent to
+the program.  The new window size is passed as four integer arguments:
+row, col, xpixel, ypixel.
+.IP SSH_MSG_PORT_OPEN
+Indicates that a connection has been made to a port on the client side
+for which forwarding has been requested.  Arguments are client side
+channel number, host name to connect to, and port to connect to.  The
+server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number.
+.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+This is sent by the client to indicate that it has opened a connection
+as requested in a previous message.  The first argument indicates the
+server side channel number, and the second argument is the channel
+number that the client has allocated for this connection.
+.IP SSH_MSG_CHANNEL_OPEN_FAILURE
+This is sent by the client to indicate that it failed to open a
+connection as requested in a previous message.  The server side
+channel number is passed as an argument.  The server will close the
+descriptor associated with the channel and free the channel.
+.IP SSH_MSG_CHANNEL_DATA
+This packet contains data for a channel from the client.  The first
+argument is the server side channel number, and the second argument (a
+string) is the data.
+.IP SSH_MSG_CHANNEL_CLOSE
+This is sent by the client to indicate that whoever was in the other
+end of the channel has closed it.  The argument is the server channel
+number.  The server will allow buffered data to drain, and when ready,
+will close the socket, free the channel, and send the client a
+SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel.
+.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+This is send by the client to indicate that a channel previously
+closed by the server has now been closed on the client side as well.
+The argument indicates the server channel number.  The server frees
+the channel.
+.RT
+
+Any unsupported messages during interactive mode cause the connection
+to be terminated with SSH_MSG_DISCONNECT and an error message.
+Compatible protocol upgrades should agree about any extensions during
+the preparation phase or earlier.
+
+
+.ti 0
+Termination of the Connection
+
+Normal termination of the connection is always initiated by the server
+by sending SSH_SMSG_EXITSTATUS after the program has exited.  The
+client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION
+and closes the socket; the server then closes the socket.  There are
+two purposes for the confirmation: some systems may lose previously
+sent data when the socket is closed, and closing the client side first
+causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not
+consuming server resources.
+
+If the program terminates due to a signal, the server will send
+SSH_MSG_DISCONNECT with an appropriate message.  If the connection is
+closed, all file descriptors to the program will be closed and the
+server will exit.  If the program runs on a tty, the kernel sends it
+the SIGHUP signal when the pty master side is closed.
+
+.ti 0
+Protocol Flags
+
+Both the server and the client pass 32 bits of protocol flags to the
+other side.  The flags are intended for compatible protocol extension;
+the server first announces which added capabilities it supports, and
+the client then sends the capabilities that it supports.
+
+The following flags are currently defined (the values are bit masks):
+.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER"
+This flag can only be sent by the client.  It indicates that the X11
+forwarding requests it sends will include the screen number.
+.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN"
+If both sides specify this flag, SSH_SMSG_X11_OPEN and
+SSH_MSG_PORT_OPEN messages will contain an additional field containing
+a description of the host at the other end of the connection.
+.RT
+
+.ti 0
+Detailed Description of Packet Types and Formats
+
+The supported packet types and the corresponding message numbers are
+given in the following table.  Messages with _MSG_ in their name may
+be sent by either side.  Messages with _CMSG_ are only sent by the
+client, and messages with _SMSG_ only by the server.
+
+A packet may contain additional data after the arguments specified
+below.  Any such data should be ignored by the receiver.  However, it
+is recommended that no such data be stored without good reason.  (This
+helps build compatible extensions.)
+.IP "0 SSH_MSG_NONE"
+This code is reserved.  This message type is never sent.
+.IP "1 SSH_MSG_DISCONNECT"
+.TS
+;
+l l.
+string	Cause of disconnection
+.TE
+This message may be sent by either party at any time.  It causes the
+immediate disconnection of the connection.  The message is intended to
+be displayed to a human, and describes the reason for disconnection.
+.IP "2 SSH_SMSG_PUBLIC_KEY"
+.TS
+;
+l l.
+8 bytes	anti_spoofing_cookie
+32-bit int	server_key_bits
+mp-int	server_key_public_exponent
+mp-int	server_key_public_modulus
+32-bit int	host_key_bits
+mp-int	host_key_public_exponent
+mp-int	host_key_public_modulus
+32-bit int	protocol_flags
+32-bit int	supported_ciphers_mask
+32-bit int	supported_authentications_mask
+.TE
+Sent as the first message by the server.  This message gives the
+server's host key, server key, protocol flags (intended for compatible
+protocol extension), supported_ciphers_mask (which is the
+bitwise or of (1 << cipher_number), where << is the left shift
+operator, for all supported ciphers), and
+supported_authentications_mask (which is the bitwise or of (1 <<
+authentication_type) for all supported authentication types).  The
+anti_spoofing_cookie is 64 random bytes, and must be sent back
+verbatim by the client in its reply.  It is used to make IP-spoofing
+more difficult (encryption and host keys are the real defense against
+spoofing).
+.IP "3 SSH_CMSG_SESSION_KEY"
+.TS
+;
+l l.
+1 byte	cipher_type (must be one of the supported values)
+8 bytes	anti_spoofing_cookie (must match data sent by the server)
+mp-int	double-encrypted session key
+32-bit int	protocol_flags
+.TE
+Sent by the client as the first message in the session.  Selects the
+cipher to use, and sends the encrypted session key to the server.  The
+anti_spoofing_cookie must be the same bytes that were sent by the
+server.  Protocol_flags is intended for negotiating compatible
+protocol extensions.
+.IP "4 SSH_CMSG_USER"
+.TS
+;
+l l.
+string	user login name on server
+.TE
+Sent by the client to begin authentication.  Specifies the user name
+on the server to log in as.  The server responds with SSH_SMSG_SUCCESS
+if no authentication is needed for this user, or SSH_SMSG_FAILURE if
+authentication is needed (or the user does not exist).  [Note to the
+implementator: the user name is of arbitrary size.  The implementation
+must be careful not to overflow internal buffers.]
+.IP "5 SSH_CMSG_AUTH_RHOSTS"
+.TS
+;
+l l.
+string	client-side user name
+.TE
+Requests authentication using /etc/hosts.equiv and .rhosts (or
+equivalent mechanisms).  This authentication method is normally
+disabled in the server because it is not secure (but this is the
+method used by rsh and rlogin).  The server responds with
+SSH_SMSG_SUCCESS if authentication was successful, and
+SSH_SMSG_FAILURE if access was not granted.  The server should check
+that the client side port number is less than 1024 (a privileged
+port), and immediately reject authentication if it is not.  Supporting
+this authentication method is optional.  This method should normally
+not be enabled in the server because it is not safe.  (However, not
+enabling this only helps if rlogind and rshd are disabled.)
+.IP "6 SSH_CMSG_AUTH_RSA"
+.TS
+;
+l l.
+mp-int	identity_public_modulus
+.TE
+Requests authentication using pure RSA authentication.  The server
+checks if the given key is permitted to log in, and if so, responds
+with SSH_SMSG_AUTH_RSA_CHALLENGE.  Otherwise, it responds with
+SSH_SMSG_FAILURE.  The client often tries several different keys in
+sequence until one supported by the server is found.  Authentication
+is accepted if the client gives the correct response to the challenge.
+The server is free to add other criteria for authentication, such as a
+requirement that the connection must come from a certain host.  Such
+additions are not visible at the protocol level.  Supporting this
+authentication method is optional but recommended.
+.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE"
+.TS
+;
+l l.
+mp-int	encrypted challenge
+.TE
+Presents an RSA authentication challenge to the client.  The challenge
+is a 256-bit random value encrypted as described elsewhere in this
+document.  The client must decrypt the challenge using the RSA private
+key, compute MD5 of the challenge plus session id, and send back the
+resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE.
+.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE"
+.TS
+;
+l l.
+16 bytes	MD5 of decrypted challenge
+.TE
+This message is sent by the client in response to an RSA challenge.
+The MD5 checksum is returned instead of the decrypted challenge to
+deter known-plaintext attacks against the RSA key.  The server
+responds to this message with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.
+.IP "9 SSH_CMSG_AUTH_PASSWORD"
+.TS
+;
+l l.
+string	plain text password
+.TE
+Requests password authentication using the given password.  Note that
+even though the password is plain text inside the packet, the whole
+packet is normally encrypted by the packet layer.  It would not be
+possible for the client to perform password encryption/hashing,
+because it cannot know which kind of encryption/hashing, if any, the
+server uses.  The server responds to this message with
+SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
+.IP "10 SSH_CMSG_REQUEST_PTY"
+.TS
+;
+l l.
+string	TERM environment variable value (e.g. vt100)
+32-bit int	terminal height, rows (e.g., 24)
+32-bit int	terminal width, columns (e.g., 80)
+32-bit int	terminal width, pixels (0 if no graphics) (e.g., 480)
+32-bit int	terminal height, pixels (0 if no graphics) (e.g., 640)
+n bytes	tty modes encoded in binary
+.TE
+Requests a pseudo-terminal to be allocated for this command.  This
+message can be used regardless of whether the session will later
+execute the shell or a command.  If a pty has been requested with this
+message, the shell or command will run on a pty.  Otherwise it will
+communicate with the server using pipes, sockets or some other similar
+mechanism.
+
+The terminal type gives the type of the user's terminal.  In the UNIX
+environment it is passed to the shell or command in the TERM
+environment variable.
+
+The width and height values give the initial size of the user's
+terminal or window.  All values can be zero if not supported by the
+operating system.  The server will pass these values to the kernel if
+supported.
+
+Terminal modes are encoded into a byte stream in a portable format.
+The exact format is described later in this document.
+
+The server responds to the request with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.  If the server does not have the concept of pseudo
+terminals, it should return success if it is possible to execute a
+shell or a command so that it looks to the client as if it was running
+on a pseudo terminal.
+.IP "11 SSH_CMSG_WINDOW_SIZE"
+.TS
+;
+l l.
+32-bit int	terminal height, rows
+32-bit int	terminal width, columns
+32-bit int	terminal width, pixels
+32-bit int	terminal height, pixels
+.TE
+This message can only be sent by the client during the interactive
+session.  This indicates that the size of the user's window has
+changed, and provides the new size.  The server will update the
+kernel's notion of the window size, and a SIGWINCH signal or
+equivalent will be sent to the shell or command (if supported by the
+operating system).
+.IP "12 SSH_CMSG_EXEC_SHELL"
+
+(no arguments)
+
+Starts a shell (command interpreter), and enters interactive session
+mode.
+.IP "13 SSH_CMSG_EXEC_CMD"
+.TS
+;
+l l.
+string	command to execute
+.TE
+Starts executing the given command, and enters interactive session
+mode.  On UNIX, the command is run as "<shell> -c <command>", where
+<shell> is the user's login shell.
+.IP "14 SSH_SMSG_SUCCESS"
+
+(no arguments)
+
+This message is sent by the server in response to the session key, a
+successful authentication request, and a successfully completed
+preparatory operation.
+.IP "15 SSH_SMSG_FAILURE"
+
+(no arguments)
+
+This message is sent by the server in response to a failed
+authentication operation to indicate that the user has not yet been
+successfully authenticated, and in response to a failed preparatory
+operation.  This is also sent in response to an authentication or
+preparatory operation request that is not recognized or supported.
+.IP "16 SSH_CMSG_STDIN_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the client to be supplied as input to the shell or
+program running on the server side.  This message can only be used in
+the interactive session mode.  No acknowledgement is sent for this
+message.
+.IP "17 SSH_SMSG_STDOUT_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the server that was read from the standard output of
+the shell or program running on the server side.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "18 SSH_SMSG_STDERR_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the server that was read from the standard error of
+the shell or program running on the server side.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "19 SSH_CMSG_EOF"
+
+(no arguments)
+
+This message is sent by the client to indicate that EOF has been
+reached on the input.  Upon receiving this message, and after all
+buffered input data has been sent to the shell or program, the server
+will close the input file descriptor to the program.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "20 SSH_SMSG_EXITSTATUS"
+.TS
+;
+l l.
+32-bit int	exit status of the command
+.TE
+Returns the exit status of the shell or program after it has exited.
+The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has
+received this message.  This will be the last message sent by the
+server.  If the program being executed dies with a signal instead of
+exiting normally, the server should terminate the session with
+SSH_MSG_DISCONNECT (which can be used to pass a human-readable string
+indicating that the program died due to a signal) instead of using
+this message.
+.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
+.TS
+;
+l l.
+32-bit int	remote_channel
+32-bit int	local_channel
+.TE
+This is sent in response to any channel open request if the channel
+has been successfully opened.  Remote_channel is the channel number
+received in the initial open request; local_channel is the channel
+number the side sending this message has allocated for the channel.
+Data can be transmitted on the channel after this message.
+.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+This message indicates that an earlier channel open request by the
+other side has failed or has been denied.  Remote_channel is the
+channel number given in the original request.
+.IP "23 SSH_MSG_CHANNEL_DATA"
+.TS
+;
+l l.
+32-bit int	remote_channel
+string	data
+.TE
+Data is transmitted in a channel in these messages.  A channel is
+bidirectional, and both sides can send these messages.  There is no
+acknowledgement for these messages.  It is possible that either side
+receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for
+the channel.  These messages cannot be received after the party has
+sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION.
+.IP "24 SSH_MSG_CHANNEL_CLOSE"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+When a channel is closed at one end of the connection, that side sends
+this message.  Upon receiving this message, the channel should be
+closed.  When this message is received, if the channel is already
+closed (the receiving side has sent this message for the same channel
+earlier), the channel is freed and no further action is taken;
+otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+is sent in response.  (It is possible that the channel is closed
+simultaneously at both ends.)
+.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the
+channel was already closed.  When this message is sent or received,
+the channel is freed.
+.IP "26 (OBSOLETED; was unix-domain X11 forwarding)
+.IP "27 SSH_SMSG_X11_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+string	originator_string (see below)
+.TE
+This message can be sent by the server during the interactive session
+mode to indicate that a client has connected the fake X server.
+Local_channel is the channel number that the server has allocated for
+the connection.  The client should try to open a connection to the
+real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE.
+
+The field originator_string is present if both sides
+specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
+contains a description of the host originating the connection.
+.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST"
+.TS
+;
+l l.
+32-bit int	server_port
+string	host_to_connect
+32-bit int	port_to_connect
+.TE
+Sent by the client in the preparatory phase, this message requests
+that server_port on the server machine be forwarded over the secure
+channel to the client machine, and from there to the specified host
+and port.  The server should start listening on the port, and send
+SSH_MSG_PORT_OPEN whenever a connection is made to it.  Supporting
+this message is optional, and the server is free to reject any forward
+request.  For example, it is highly recommended that unless the user
+has been authenticated as root, forwarding any privileged port numbers
+(below 1024) is denied.
+.IP "29 SSH_MSG_PORT_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+string	host_name
+32-bit int	port
+string	originator_string (see below)
+.TE
+Sent by either party in interactive session mode, this message
+indicates that a connection has been opened to a forwarded TCP/IP
+port.  Local_channel is the channel number that the sending party has
+allocated for the connection.  Host_name is the host the connection
+should be be forwarded to, and the port is the port on that host to
+connect.  The receiving party should open the connection, and respond
+with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE.  It is recommended that the receiving
+side check the host_name and port for validity to avoid compromising
+local security by compromised remote side software.  Particularly, it
+is recommended that the client permit connections only to those ports
+for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST.
+
+The field originator_string is present if both sides
+specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
+contains a description of the host originating the connection.
+.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING"
+
+(no arguments)
+
+Requests that the connection to the authentication agent be forwarded
+over the secure channel.  The method used by clients to contact the
+authentication agent within each machine is implementation and machine
+dependent.  If the server accepts this request, it should arrange that
+any clients run from this session will actually contact the server
+program when they try to contact the authentication agent.  The server
+should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent,
+and the client should forward the connection to the real
+authentication agent.  Supporting this message is optional.
+.IP "31 SSH_SMSG_AGENT_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+.TE
+Sent by the server in interactive session mode, this message requests
+opening a channel to the authentication agent.  The client should open
+a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+or SSH_MSG_CHANNEL_OPEN_FAILURE.
+.IP "32 SSH_MSG_IGNORE"
+.TS
+;
+l l.
+string	data
+.TE
+Either party may send this message at any time.  This message, and the
+argument string, is silently ignored.  This message might be used in
+some implementations to make traffic analysis more difficult.  This
+message is not currently sent by the implementation, but all
+implementations are required to recognize and ignore it.
+.IP "33 SSH_CMSG_EXIT_CONFIRMATION"
+
+(no arguments)
+
+Sent by the client in response to SSH_SMSG_EXITSTATUS.  This is the
+last message sent by the client.
+.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING"
+.TS
+;
+l l.
+string	x11_authentication_protocol
+string	x11_authentication_data
+32-bit int	screen number (if SSH_PROTOFLAG_SCREEN_NUMBER)
+.TE
+Sent by the client during the preparatory phase, this message requests
+that the server create a fake X11 display and set the DISPLAY
+environment variable accordingly.  An internet-domain display is
+preferable.  The given authentication protocol and the associated data
+should be recorded by the server so that it is used as authentication
+on connections (e.g., in .Xauthority).  The authentication protocol
+must be one of the supported X11 authentication protocols, e.g.,
+"MIT-MAGIC-COOKIE-1".  Authentication data must be a lowercase hex
+string of even length.  Its interpretation is protocol dependent.
+The data is in a format that can be used with e.g. the xauth program.
+Supporting this message is optional.
+
+The client is permitted (and recommended) to generate fake
+authentication information and send fake information to the server.
+This way, a corrupt server will not have access to the user's terminal
+after the connection has terminated.  The correct authorization codes
+will also not be left hanging around in files on the server (many
+users keep the same X session for months, thus protecting the
+authorization data becomes important).
+
+X11 authentication spoofing works by initially sending fake (random)
+authentication data to the server, and interpreting the first packet
+sent by the X11 client after the connection has been opened.  The
+first packet contains the client's authentication.  If the packet
+contains the correct fake data, it is replaced by the client by the
+correct authentication data, and then sent to the X server.
+.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA"
+.TS
+;
+l l.
+string	clint-side user name
+32-bit int	client_host_key_bits
+mp-int	client_host_key_public_exponent
+mp-int	client_host_key_public_modulus
+.TE
+Requests authentication using /etc/hosts.equiv and .rhosts (or
+equivalent) together with RSA host authentication.  The server should
+check that the client side port number is less than 1024 (a privileged
+port), and immediately reject authentication if it is not.  The server
+responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE.  The
+client must respond to the challenge with the proper
+SSH_CMSG_AUTH_RSA_RESPONSE.  The server then responds with success if
+access was granted, or failure if the client gave a wrong response.
+Supporting this authentication method is optional but recommended in
+most environments.
+.IP "36 SSH_MSG_DEBUG"
+.TS
+;
+l l.
+string	debugging message sent to the other side
+.TE
+This message may be sent by either party at any time.  It is used to
+send debugging messages that may be informative to the user in
+solving various problems.  For example, if authentication fails
+because of some configuration error (e.g., incorrect permissions for
+some file), it can be very helpful for the user to make the cause of
+failure available.  On the other hand, one should not make too much
+information available for security reasons.  It is recommended that
+the client provides an option to display the debugging information
+sent by the sender (the user probably does not want to see it by default).
+The server can log debugging data sent by the client (if any).  Either
+party is free to ignore any received debugging data.  Every
+implementation must be able to receive this message, but no
+implementation is required to send these.
+.IP "37 SSH_CMSG_REQUEST_COMPRESSION"
+.TS
+;
+l l.
+32-bit int	gzip compression level (1-9)
+.TE
+This message can be sent by the client in the preparatory operations
+phase.  The server responds with SSH_SMSG_FAILURE if it does not
+support compression or does not want to compress; it responds with
+SSH_SMSG_SUCCESS if it accepted the compression request.  In the
+latter case the response to this packet will still be uncompressed,
+but all further packets in either direction will be compressed by gzip.
+.RT
+
+
+.ti 0
+Encoding of Terminal Modes
+
+Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a
+byte stream.  It is intended that the coding be portable across
+different environments.
+
+The tty mode description is a stream of bytes.  The stream consists of
+opcode-argument pairs.  It is terminated by opcode TTY_OP_END (0).
+Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have 32-bit
+integer arguments (stored msb first).  Opcodes 160-255 are not yet
+defined, and cause parsing to stop (they should only be used after any
+other data).
+
+The client puts in the stream any modes it knows about, and the server
+ignores any modes it does not know about.  This allows some degree of
+machine-independence, at least between systems that use a POSIX-like
+[POSIX] tty interface.  The protocol can support other systems as
+well, but the client may need to fill reasonable values for a number
+of parameters so the server pty gets set to a reasonable mode (the
+server leaves all unspecified mode bits in their default values, and
+only some combinations make sense).
+
+The following opcodes have been defined.  The naming of opcodes mostly
+follows the POSIX terminal mode flags.
+.IP "0 TTY_OP_END"
+Indicates end of options.
+.IP "1 VINTR"
+Interrupt character; 255 if none.  Similarly for the other characters.
+Not all of these characters are supported on all systems.
+.IP "2 VQUIT"
+The quit character (sends SIGQUIT signal on UNIX systems).
+.IP "3 VERASE"
+Erase the character to left of the cursor.
+.IP "4 VKILL"
+Kill the current input line.
+.IP "5 VEOF "
+End-of-file character (sends EOF from the terminal).
+.IP "6 VEOL "
+End-of-line character in addition to carriage return and/or linefeed.
+.IP "7 VEOL2"
+Additional end-of-line character.
+.IP "8 VSTART"
+Continues paused output (normally ^Q).
+.IP "9 VSTOP"
+Pauses output (^S).
+.IP "10 VSUSP"
+Suspends the current program.
+.IP "11 VDSUSP"
+Another suspend character.
+.IP "12 VREPRINT"
+Reprints the current input line.
+.IP "13 VWERASE"
+Erases a word left of cursor.
+.IP "14 VLNEXT"
+More special input characters; these are probably not supported on
+most systems.
+.IP "15 VFLUSH"
+.IP "16 VSWTCH"
+.IP "17 VSTATUS"
+.IP "18 VDISCARD"
+
+.IP "30 IGNPAR"
+The ignore parity flag.  The next byte should be 0 if this flag is not
+set, and 1 if it is set.
+.IP "31 PARMRK"
+More flags.  The exact definitions can be found in the POSIX standard.
+.IP "32 INPCK"
+.IP "33 ISTRIP"
+.IP "34 INLCR"
+.IP "35 IGNCR"
+.IP "36 ICRNL"
+.IP "37 IUCLC"
+.IP "38 IXON"
+.IP "39 IXANY"
+.IP "40 IXOFF"
+.IP "41 IMAXBEL"
+
+.IP "50 ISIG"
+.IP "51 ICANON"
+.IP "52 XCASE"
+.IP "53 ECHO"
+.IP "54 ECHOE"
+.IP "55 ECHOK"
+.IP "56 ECHONL"
+.IP "57 NOFLSH"
+.IP "58 TOSTOP"
+.IP "59 IEXTEN"
+.IP "60 ECHOCTL"
+.IP "61 ECHOKE"
+.IP "62 PENDIN"
+
+.IP "70 OPOST"
+.IP "71 OLCUC"
+.IP "72 ONLCR"
+.IP "73 OCRNL"
+.IP "74 ONOCR"
+.IP "75 ONLRET"
+
+.IP "90 CS7"
+.IP "91 CS8"
+.IP "92 PARENB"
+.IP "93 PARODD"
+
+.IP "192 TTY_OP_ISPEED"
+Specifies the input baud rate in bits per second.
+.IP "193 TTY_OP_OSPEED"
+Specifies the output baud rate in bits per second.
+.RT
+
+
+.ti 0
+The Authentication Agent Protocol
+
+The authentication agent is a program that can be used to hold RSA
+authentication keys for the user (in future, it might hold data for
+other authentication types as well).  An authorized program can send
+requests to the agent to generate a proper response to an RSA
+challenge.  How the connection is made to the agent (or its
+representative) inside a host and how access control is done inside a
+host is implementation-dependent; however, how it is forwarded and how
+one interacts with it is specified in this protocol.  The connection
+to the agent is normally automatically forwarded over the secure
+channel.
+
+A program that wishes to use the agent first opens a connection to its
+local representative (typically, the agent itself or an SSH server).
+It then writes a request to the connection, and waits for response.
+It is recommended that at least five minutes of timeout are provided
+waiting for the agent to respond to an authentication challenge (this
+gives sufficient time for the user to cut-and-paste the challenge to a
+separate machine, perform the computation there, and cut-and-paste the
+result back if so desired).
+
+Messages sent to and by the agent are in the following format:
+.TS
+;
+l l.
+4 bytes	Length, msb first.  Does not include length itself.
+1 byte	Packet type.  The value 255 is reserved for future extensions.
+data	Any data, depending on packet type.  Encoding as in the ssh packet
+protocol.
+.TE
+
+The following message types are currently defined:
+.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES"
+
+(no arguments)
+
+Requests the agent to send a list of all RSA keys for which it can
+answer a challenge.
+.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER"
+.TS
+;
+l l.
+32-bit int	howmany
+howmany times:
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+string	comment
+.TE
+The agent sends this message in response to the to
+SSH_AGENTC_REQUEST_RSA_IDENTITIES.  The answer lists all RSA keys for
+which the agent can answer a challenge.  The comment field is intended
+to help identify each key; it may be printed by an application to
+indicate which key is being used.  If the agent is not holding any
+keys, howmany will be zero.
+.IP "3 SSH_AGENTC_RSA_CHALLENGE
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+mp-int	challenge
+16 bytes	session_id
+32-bit int	response_type
+.TE
+Requests RSA decryption of random challenge to authenticate the other
+side.  The challenge will be decrypted with the RSA private key
+corresponding to the given public key.
+
+The decrypted challenge must contain a zero in the highest (partial)
+byte, 2 in the next byte, followed by non-zero random bytes, a zero
+byte, and then the real challenge value in the lowermost bytes.  The
+real challenge must be 32 8-bit bytes (256 bits).
+
+Response_type indicates the format of the response to be returned.
+Currently the only supported value is 1, which means to compute MD5 of
+the real challenge plus session id, and return the resulting 16 bytes
+in a SSH_AGENT_RSA_RESPONSE message.
+.IP "4 SSH_AGENT_RSA_RESPONSE"
+.TS
+;
+l l.
+16 bytes	MD5 of decrypted challenge
+.TE
+Answers an RSA authentication challenge.  The response is 16 bytes:
+the MD5 checksum of the 32-byte challenge.
+.IP "5 SSH_AGENT_FAILURE"
+
+(no arguments)
+
+This message is sent whenever the agent fails to answer a request
+properly.  For example, if the agent cannot answer a challenge (e.g.,
+no longer has the proper key), it can respond with this.  The agent
+also responds with this message if it receives a message it does not
+recognize.
+.IP "6 SSH_AGENT_SUCCESS"
+
+(no arguments)
+
+This message is sent by the agent as a response to certain requests
+that do not otherwise cause a message be sent.  Currently, this is
+only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and
+SSH_AGENTC_REMOVE_RSA_IDENTITY.
+.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY"
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public modulus
+mp-int	public exponent
+mp-int	private exponent
+mp-int	multiplicative inverse of p mod q
+mp-int	p
+mp-int	q
+string	comment
+.TE
+Registers an RSA key with the agent.  After this request, the agent can
+use this RSA key to answer requests.  The agent responds with
+SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
+.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY"
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+.TE
+Removes an RSA key from the agent.  The agent will no longer accept
+challenges for this key and will not list it as a supported identity.
+The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
+.RT
+
+If the agent receives a message that it does not understand, it
+responds with SSH_AGENT_FAILURE.  This permits compatible future
+extensions.
+
+It is possible that several clients have a connection open to the
+authentication agent simultaneously.  Each client will use a separate
+connection (thus, any SSH connection can have multiple agent
+connections active simultaneously).
+
+
+.ti 0
+References
+
+.IP "[DES] "
+FIPS PUB 46-1: Data Encryption Standard.  National Bureau of
+Standards, January 1988.  FIPS PUB 81: DES Modes of Operation.
+National Bureau of Standards, December 1980.  Bruce Schneier: Applied
+Cryptography.  John Wiley & Sons, 1994.  J. Seberry and J. Pieprzyk:
+Cryptography: An Introduction to Computer Security.  Prentice-Hall,
+1989.
+.IP "[GZIP] "
+The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu.
+Please let me know if you know a paper describing the algorithm.
+.IP "[IDEA] "
+Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in
+Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz,
+Switzerland, 1992.  Bruce Schneier: Applied Cryptography, John Wiley &
+Sons, 1994.  See also the following patents: PCT/CH91/00117, EP 0 482
+154 B1, US Pat. 5,214,703.
+.IP [PKCS#1]
+PKCS #1: RSA Encryption Standard.  Version 1.5, RSA Laboratories,
+November 1993.  Available for anonymous ftp at ftp.rsa.com.
+.IP [POSIX]
+Portable Operating System Interface (POSIX) - Part 1: Application
+Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1,
+1990.
+.IP [RFC0791]
+J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981.
+.IP [RFC0793]
+J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September
+1981.
+.IP [RFC1034]
+P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034,
+USC/ISI, November 1987.
+.IP [RFC1282]
+B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991.
+.IP "[RSA] "
+Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.  See
+also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic
+Communications System and Method.  US Patent 4,405,829, 1983.
+.IP "[X11] "
+R. Scheifler: X Window System Protocol, X Consortium Standard, Version
+11, Release 6.  Massachusetts Institute of Technology, Laboratory of
+Computer Science, 1994.
+.RT
+
+
+.ti 0
+Security Considerations
+
+This protocol deals with the very issue of user authentication and
+security.
+
+First of all, as an implementation issue, the server program will have
+to run as root (or equivalent) on the server machine.  This is because
+the server program will need be able to change to an arbitrary user
+id.  The server must also be able to create a privileged TCP/IP port.
+
+The client program will need to run as root if any variant of .rhosts
+authentication is to be used.  This is because the client program will
+need to create a privileged port.  The client host key is also usually
+stored in a file which is readable by root only.  The client needs the
+host key in .rhosts authentication only.  Root privileges can be
+dropped as soon as the privileged port has been created and the host
+key has been read.
+
+The SSH protocol offers major security advantages over existing telnet
+and rlogin protocols.
+.IP o
+IP spoofing is restricted to closing a connection (by encryption, host
+keys, and the special random cookie).  If encryption is not used, IP
+spoofing is possible for those who can hear packets going out from the
+server.
+.IP o
+DNS spoofing is made ineffective (by host keys).
+.IP o
+Routing spoofing is made ineffective (by host keys).
+.IP o
+All data is encrypted with strong algorithms to make eavesdropping as
+difficult as possible.  This includes encrypting any authentication
+information such as passwords.  The information for decrypting session
+keys is destroyed every hour.
+.IP o
+Strong authentication methods: .rhosts combined with RSA host
+authentication, and pure RSA authentication.
+.IP o
+X11 connections and arbitrary TCP/IP ports can be forwarded securely.
+.IP o
+Man-in-the-middle attacks are deterred by using the server host key to
+encrypt the session key.
+.IP o
+Trojan horses to catch a password by routing manipulation are deterred
+by checking that the host key of the server machine matches that
+stored on the client host.
+.RT
+
+The security of SSH against man-in-the-middle attacks and the security
+of the new form of .rhosts authentication, as well as server host
+validation, depends on the integrity of the host key and the files
+containing known host keys.
+
+The host key is normally stored in a root-readable file.  If the host
+key is compromised, it permits attackers to use IP, DNS and routing
+spoofing as with current rlogin and rsh.  It should never be any worse
+than the current situation.
+
+The files containing known host keys are not sensitive.  However, if an
+attacker gets to modify the known host key files, it has the same
+consequences as a compromised host key, because the attacker can then
+change the recorded host key.
+
+The security improvements obtained by this protocol for X11 are of
+particular significance.  Previously, there has been no way to protect
+data communicated between an X server and a client running on a remote
+machine.  By creating a fake display on the server, and forwarding all
+X11 requests over the secure channel, SSH can be used to run any X11
+applications securely without any cooperation with the vendors of the
+X server or the application.
+
+Finally, the security of this program relies on the strength of the
+underlying cryptographic algorithms.  The RSA algorithm is used for
+authentication key exchange.  It is widely believed to be secure.  Of
+the algorithms used to encrypt the session, DES has a rather small key
+these days, probably permitting governments and organized criminals to
+break it in very short time with specialized hardware.  3DES is
+probably safe (but slower).  IDEA is widely believed to be secure.
+People have varying degrees of confidence in the other algorithms.
+This program is not secure if used with no encryption at all.
+
+
+.ti 0
+Additional Information
+
+Additional information (especially on the implementation and mailing
+lists) is available via WWW at http://www.cs.hut.fi/ssh.
+
+Comments should be sent to Tatu Ylonen <ylo@cs.hut.fi> or the SSH
+Mailing List <ssh@clinet.fi>.
+
+.ti 0
+Author's Address
+
+.TS
+;
+l.
+Tatu Ylonen
+Helsinki University of Technology
+Otakaari 1
+FIN-02150 Espoo, Finland
+
+Phone: +358-0-451-3374
+Fax: +358-0-451-3293
+EMail: ylo@cs.hut.fi
+.TE
diff --git a/crypto/openssh/atomicio.c b/crypto/openssh/atomicio.c
new file mode 100644
index 0000000..668d490
--- /dev/null
+++ b/crypto/openssh/atomicio.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1999 Theo de Raadt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: atomicio.c,v 1.3 2000/03/16 20:56:13 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+
+/*
+ * ensure all of data on socket comes through. f==read || f==write
+ */
+ssize_t
+atomicio(f, fd, _s, n)
+	ssize_t (*f) ();
+	int fd;
+	void *_s;
+	size_t n;
+{
+	char *s = _s;
+	ssize_t res, pos = 0;
+
+	while (n > pos) {
+		res = (f) (fd, s + pos, n - pos);
+		switch (res) {
+		case -1:
+			if (errno == EINTR || errno == EAGAIN)
+				continue;
+		case 0:
+			return (res);
+		default:
+			pos += res;
+		}
+	}
+	return (pos);
+}
diff --git a/crypto/openssh/auth-krb4.c b/crypto/openssh/auth-krb4.c
new file mode 100644
index 0000000..b3fcfafb
--- /dev/null
+++ b/crypto/openssh/auth-krb4.c
@@ -0,0 +1,351 @@
+/*
+ *    Dug Song <dugsong@UMICH.EDU>
+ *    Kerberos v4 authentication and ticket-passing routines.
+ * 
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "ssh.h"
+#include "servconf.h"
+
+#ifdef KRB4
+char *ticket = NULL;
+
+extern ServerOptions options;
+
+/*
+ * try krb4 authentication,
+ * return 1 on success, 0 on failure, -1 if krb4 is not available
+ */
+
+int
+auth_krb4_password(struct passwd * pw, const char *password)
+{
+	AUTH_DAT adata;
+	KTEXT_ST tkt;
+	struct hostent *hp;
+	unsigned long faddr;
+	char localhost[MAXHOSTNAMELEN];
+	char phost[INST_SZ];
+	char realm[REALM_SZ];
+	int r;
+
+	/*
+	 * Try Kerberos password authentication only for non-root
+	 * users and only if Kerberos is installed.
+	 */
+	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+
+		/* Set up our ticket file. */
+		if (!krb4_init(pw->pw_uid)) {
+			log("Couldn't initialize Kerberos ticket file for %s!",
+			    pw->pw_name);
+			goto kerberos_auth_failure;
+		}
+		/* Try to get TGT using our password. */
+		r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
+		    realm, "krbtgt", realm,
+		    DEFAULT_TKT_LIFE, (char *) password);
+		if (r != INTK_OK) {
+			packet_send_debug("Kerberos V4 password "
+			    "authentication for %s failed: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+		/* Successful authentication. */
+		chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+		/*
+		 * Now that we have a TGT, try to get a local
+		 * "rcmd" ticket to ensure that we are not talking
+		 * to a bogus Kerberos server.
+		 */
+		(void) gethostname(localhost, sizeof(localhost));
+		(void) strlcpy(phost, (char *) krb_get_phost(localhost),
+		    INST_SZ);
+		r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+
+		if (r == KSUCCESS) {
+			if (!(hp = gethostbyname(localhost))) {
+				log("Couldn't get local host address!");
+				goto kerberos_auth_failure;
+			}
+			memmove((void *) &faddr, (void *) hp->h_addr,
+			    sizeof(faddr));
+
+			/* Verify our "rcmd" ticket. */
+			r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+			    faddr, &adata, "");
+			if (r == RD_AP_UNDEC) {
+				/*
+				 * Probably didn't have a srvtab on
+				 * localhost. Allow login.
+				 */
+				log("Kerberos V4 TGT for %s unverifiable, "
+				    "no srvtab installed? krb_rd_req: %s",
+				    pw->pw_name, krb_err_txt[r]);
+			} else if (r != KSUCCESS) {
+				log("Kerberos V4 %s ticket unverifiable: %s",
+				    KRB4_SERVICE_NAME, krb_err_txt[r]);
+				goto kerberos_auth_failure;
+			}
+		} else if (r == KDC_PR_UNKNOWN) {
+			/*
+			 * Allow login if no rcmd service exists, but
+			 * log the error.
+			 */
+			log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+			    "not registered, or srvtab is wrong?", pw->pw_name,
+			krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+		} else {
+			/*
+			 * TGT is bad, forget it. Possibly spoofed!
+			 */
+			packet_send_debug("WARNING: Kerberos V4 TGT "
+			    "possibly spoofed for %s: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+
+		/* Authentication succeeded. */
+		return 1;
+
+kerberos_auth_failure:
+		krb4_cleanup_proc(NULL);
+
+		if (!options.krb4_or_local_passwd)
+			return 0;
+	} else {
+		/* Logging in as root or no local Kerberos realm. */
+		packet_send_debug("Unable to authenticate to Kerberos.");
+	}
+	/* Fall back to ordinary passwd authentication. */
+	return -1;
+}
+
+void
+krb4_cleanup_proc(void *ignore)
+{
+	debug("krb4_cleanup_proc called");
+	if (ticket) {
+		(void) dest_tkt();
+		xfree(ticket);
+		ticket = NULL;
+	}
+}
+
+int
+krb4_init(uid_t uid)
+{
+	static int cleanup_registered = 0;
+	const char *tkt_root = TKT_ROOT;
+	struct stat st;
+	int fd;
+
+	if (!ticket) {
+		/* Set unique ticket string manually since we're still root. */
+		ticket = xmalloc(MAXPATHLEN);
+#ifdef AFS
+		if (lstat("/ticket", &st) != -1)
+			tkt_root = "/ticket/";
+#endif /* AFS */
+		snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
+		(void) krb_set_tkt_string(ticket);
+	}
+	/* Register ticket cleanup in case of fatal error. */
+	if (!cleanup_registered) {
+		fatal_add_cleanup(krb4_cleanup_proc, NULL);
+		cleanup_registered = 1;
+	}
+	/* Try to create our ticket file. */
+	if ((fd = mkstemp(ticket)) != -1) {
+		close(fd);
+		return 1;
+	}
+	/* Ticket file exists - make sure user owns it (just passed ticket). */
+	if (lstat(ticket, &st) != -1) {
+		if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
+		    st.st_uid == uid)
+			return 1;
+	}
+	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
+	log("WARNING: bad ticket file %s", ticket);
+	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
+	cleanup_registered = 0;
+	xfree(ticket);
+	ticket = NULL;
+
+	return 0;
+}
+
+int
+auth_krb4(const char *server_user, KTEXT auth, char **client)
+{
+	AUTH_DAT adat = {0};
+	KTEXT_ST reply;
+	char instance[INST_SZ];
+	int r, s;
+	socklen_t slen;
+	u_int cksum;
+	Key_schedule schedule;
+	struct sockaddr_in local, foreign;
+
+	s = packet_get_connection_in();
+
+	slen = sizeof(local);
+	memset(&local, 0, sizeof(local));
+	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
+		debug("getsockname failed: %.100s", strerror(errno));
+	slen = sizeof(foreign);
+	memset(&foreign, 0, sizeof(foreign));
+	if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
+		debug("getpeername failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	instance[0] = '*';
+	instance[1] = 0;
+
+	/* Get the encrypted request, challenge, and session key. */
+	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
+		packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
+		return 0;
+	}
+	des_key_sched((des_cblock *) adat.session, schedule);
+
+	*client = xmalloc(MAX_K_NAME_SZ);
+	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
+	    *adat.pinst ? "." : "", adat.pinst, adat.prealm);
+
+	/* Check ~/.klogin authorization now. */
+	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
+		packet_send_debug("Kerberos V4 .klogin authorization failed!");
+		log("Kerberos V4 .klogin authorization failed for %s to account %s",
+		    *client, server_user);
+		xfree(*client);
+		return 0;
+	}
+	/* Increment the checksum, and return it encrypted with the
+	   session key. */
+	cksum = adat.checksum + 1;
+	cksum = htonl(cksum);
+
+	/* If we can't successfully encrypt the checksum, we send back an
+	   empty message, admitting our failure. */
+	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
+	    schedule, &adat.session, &local, &foreign)) < 0) {
+		packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
+		reply.dat[0] = 0;
+		reply.length = 0;
+	} else
+		reply.length = r;
+
+	/* Clear session key. */
+	memset(&adat.session, 0, sizeof(&adat.session));
+
+	packet_start(SSH_SMSG_AUTH_KRB4_RESPONSE);
+	packet_put_string((char *) reply.dat, reply.length);
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+#endif /* KRB4 */
+
+#ifdef AFS
+int
+auth_krb4_tgt(struct passwd *pw, const char *string)
+{
+	CREDENTIALS creds;
+
+	if (!radix_to_creds(string, &creds)) {
+		log("Protocol error decoding Kerberos V4 tgt");
+		packet_send_debug("Protocol error decoding Kerberos V4 tgt");
+		goto auth_kerberos_tgt_failure;
+	}
+	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
+		strlcpy(creds.service, "krbtgt", sizeof creds.service);
+
+	if (strcmp(creds.service, "krbtgt")) {
+		log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
+		    creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
+		    pw->pw_name);
+		packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
+		    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
+		    creds.realm, pw->pw_name);
+		goto auth_kerberos_tgt_failure;
+	}
+	if (!krb4_init(pw->pw_uid))
+		goto auth_kerberos_tgt_failure;
+
+	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
+		goto auth_kerberos_tgt_failure;
+
+	if (save_credentials(creds.service, creds.instance, creds.realm,
+	    creds.session, creds.lifetime, creds.kvno,
+	    &creds.ticket_st, creds.issue_date) != KSUCCESS) {
+		packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
+		goto auth_kerberos_tgt_failure;
+	}
+	/* Successful authentication, passed all checks. */
+	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
+	    creds.service, creds.instance, creds.realm, creds.pname,
+	    creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+	return 1;
+
+auth_kerberos_tgt_failure:
+	krb4_cleanup_proc(NULL);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_FAILURE);
+	packet_send();
+	packet_write_wait();
+	return 0;
+}
+
+int
+auth_afs_token(struct passwd *pw, const char *token_string)
+{
+	CREDENTIALS creds;
+	uid_t uid = pw->pw_uid;
+
+	if (!radix_to_creds(token_string, &creds)) {
+		log("Protocol error decoding AFS token");
+		packet_send_debug("Protocol error decoding AFS token");
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+		return 0;
+	}
+	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
+		strlcpy(creds.service, "afs", sizeof creds.service);
+
+	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
+		uid = atoi(creds.pname + 7);
+
+	if (kafs_settoken(creds.realm, uid, &creds)) {
+		log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
+		    pw->pw_name);
+		packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
+		    creds.realm, pw->pw_name);
+		memset(&creds, 0, sizeof(creds));
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+		return 0;
+	}
+	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
+	    creds.realm, creds.pname, creds.realm);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+#endif /* AFS */
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
new file mode 100644
index 0000000..183243e
--- /dev/null
+++ b/crypto/openssh/auth-krb5.c
@@ -0,0 +1,249 @@
+/*
+ *    Kerberos v5 authentication and ticket-passing routines.
+ * 
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+#include "ssh.h"
+#include "packet.h"
+#include "xmalloc.h"
+
+#ifdef KRB5
+
+krb5_context ssh_context = NULL;
+krb5_auth_context auth_context;
+krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket */
+
+/* Try krb5 authentication. server_user is passed for logging purposes only,
+   in auth is received ticket, in client is returned principal from the
+   ticket */
+int 
+auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client)
+{
+	krb5_error_code problem;
+	krb5_principal server = NULL;
+	krb5_principal tkt_client = NULL;
+	krb5_data reply;
+	krb5_ticket *ticket = NULL;
+	int fd;
+	int ret;
+	
+	reply.length = 0;
+	
+	problem = krb5_init();
+	if (problem) 
+	   return 0;
+	
+	problem = krb5_auth_con_init(ssh_context, &auth_context);
+	if (problem) {
+	  log("Kerberos v5 authentication failed: %.100s",
+	       krb5_get_err_text(ssh_context, problem));
+
+	  return 0;
+	}
+	
+       fd = packet_get_connection_in();
+       problem = krb5_auth_con_setaddrs_from_fd(ssh_context, auth_context, &fd);
+       if (problem) {
+	 ret = 0;
+	 goto err; 
+       }
+	
+	problem = krb5_sname_to_principal(ssh_context,  NULL, NULL ,
+	    KRB5_NT_SRV_HST, &server);
+	if (problem) {
+	    ret = 0;
+	    goto err;
+	}
+	
+	problem = krb5_rd_req(ssh_context, &auth_context, auth, server, NULL,
+	    NULL, &ticket);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	problem = krb5_copy_principal(ssh_context, ticket->client, &tkt_client);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	/* if client wants mutual auth */
+	problem = krb5_mk_rep(ssh_context, &auth_context, &reply);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	*client = tkt_client;
+	
+	packet_start(SSH_SMSG_AUTH_KRB5_RESPONSE);
+	packet_put_string((char *) reply.data, reply.length);
+	packet_send();
+	packet_write_wait();
+	ret = 1;
+	  
+err:
+	if (server)
+	  krb5_free_principal(ssh_context, server);
+	if (ticket)
+	  krb5_free_ticket(ssh_context, ticket);
+	if (reply.length)
+	  xfree(reply.data);
+	return ret;
+}
+
+int
+auth_krb5_tgt(char *server_user, krb5_data *tgt, krb5_principal tkt_client)
+{
+  krb5_error_code problem;
+  krb5_ccache ccache = NULL;
+  
+  if (ssh_context == NULL) {
+     goto fail;
+  }
+  
+  problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
+  if (problem) {
+     goto fail;
+  }
+  
+  problem = krb5_cc_initialize(ssh_context, ccache, tkt_client);
+  if (problem) {
+     goto fail;
+  }
+    
+  problem = krb5_rd_cred(ssh_context, auth_context, ccache, tgt);
+  if (problem) {
+     goto fail;
+  }
+  
+  mem_ccache = ccache;
+  ccache = NULL;
+  
+  /*
+  problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
+  if (problem) {
+     mem_ccache = NULL;
+     goto fail; 
+  }
+  
+  
+  problem = krb5_cc_destroy(ssh_context, ccache);
+  if (problem)
+     goto fail;
+     */
+  
+#if 0
+  packet_start(SSH_SMSG_SUCCESS);
+  packet_send();
+  packet_write_wait();
+#endif 
+  return 1;
+  
+fail:
+  if (ccache)
+     krb5_cc_destroy(ssh_context, ccache);
+#if 0
+  packet_start(SSH_SMSG_FAILURE);
+  packet_send();
+  packet_write_wait();
+#endif
+  return 0;
+}
+
+int
+auth_krb5_password(struct passwd *pw, const char *password)
+{
+  krb5_error_code problem;
+  krb5_ccache ccache = NULL;
+  krb5_principal client = NULL; 
+  int ret;
+  
+  problem = krb5_init();
+  if (problem)
+     return 0;
+  
+  problem = krb5_parse_name(ssh_context, pw->pw_name, &client);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+
+  problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+ 
+  problem = krb5_cc_initialize(ssh_context, ccache, client);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  problem = krb5_verify_user(ssh_context, client, ccache, password, 1, NULL);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+/*
+  problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
+  if (problem) { 
+     ret = 0;
+     mem_ccache = NULL;
+     goto out;
+  }
+  */
+  mem_ccache = ccache;
+  ccache = NULL;
+  
+  ret = 1;
+out:
+  if (client != NULL)
+     krb5_free_principal(ssh_context, client);
+  if (ccache != NULL)
+     krb5_cc_destroy(ssh_context, ccache);
+  return ret;
+}
+
+void
+krb5_cleanup_proc(void *ignore)
+{
+   extern krb5_principal tkt_client;
+   
+   debug("krb5_cleanup_proc() called");
+   if (mem_ccache)
+      krb5_cc_destroy(ssh_context, mem_ccache);
+   if (tkt_client)
+      krb5_free_principal(ssh_context, tkt_client);
+   if (auth_context)
+      krb5_auth_con_free(ssh_context, auth_context);
+   if (ssh_context)
+      krb5_free_context(ssh_context);
+}
+ 
+int
+krb5_init(void)
+{  
+   krb5_error_code problem;
+   static cleanup_registered = 0;
+   
+   if (ssh_context == NULL) {
+      problem = krb5_init_context(&ssh_context);
+      if (problem)
+	 return problem;
+      krb5_init_ets(ssh_context);
+   }
+  
+   if (!cleanup_registered) {
+      fatal_add_cleanup(krb5_cleanup_proc, NULL);
+     cleanup_registered = 1;
+   }
+   return 0;
+}
+   
+#endif /* KRB5 */
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
new file mode 100644
index 0000000..73f43f9
--- /dev/null
+++ b/crypto/openssh/auth-passwd.c
@@ -0,0 +1,72 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sat Mar 18 05:11:38 1995 ylo
+ * Password authentication.  This file contains the functions to check whether
+ * the password is valid for the user.
+ * 
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-passwd.c,v 1.15 2000/04/14 10:30:29 markus Exp $");
+
+#include "packet.h"
+#include "ssh.h"
+#include "servconf.h"
+#include "xmalloc.h"
+
+/*
+ * Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
+ */
+int 
+auth_password(struct passwd * pw, const char *password)
+{
+	extern ServerOptions options;
+	char *encrypted_password;
+
+	/* deny if no user. */
+	if (pw == NULL)
+		return 0;
+	if (pw->pw_uid == 0 && options.permit_root_login == 2)
+		return 0;
+	if (*password == '\0' && options.permit_empty_passwd == 0)
+		return 0;
+
+#ifdef SKEY
+	if (options.skey_authentication == 1) {
+		int ret = auth_skey_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
+		/* Fall back to ordinary passwd authentication. */
+	}
+#endif
+#ifdef KRB5
+	if (options.krb5_authentication == 1) {
+	  	if (auth_krb5_password(pw, password))
+		  	return 1;
+		/* Fall back to ordinary passwd authentication. */
+	}
+
+#endif /* KRB5 */
+#ifdef KRB4
+	if (options.krb4_authentication == 1) {
+		int ret = auth_krb4_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
+		/* Fall back to ordinary passwd authentication. */
+	}
+#endif
+
+	/* Check for users with no password. */
+	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
+		return 1;
+	/* Encrypt the candidate password using the proper salt. */
+	encrypted_password = crypt(password,
+	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
+
+	/* Authentication is accepted if the encrypted passwords are identical. */
+	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+}
diff --git a/crypto/openssh/auth-rh-rsa.c b/crypto/openssh/auth-rh-rsa.c
new file mode 100644
index 0000000..92405bb
--- /dev/null
+++ b/crypto/openssh/auth-rh-rsa.c
@@ -0,0 +1,116 @@
+/*
+ *
+ * auth-rh-rsa.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sun May  7 03:08:06 1995 ylo
+ *
+ * Rhosts or /etc/hosts.equiv authentication combined with RSA host
+ * authentication.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-rh-rsa.c,v 1.13 2000/04/14 10:30:29 markus Exp $");
+
+#include "packet.h"
+#include "ssh.h"
+#include "xmalloc.h"
+#include "uidswap.h"
+#include "servconf.h"
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include "key.h"
+#include "hostfile.h"
+
+/*
+ * Tries to authenticate the user using the .rhosts file and the host using
+ * its host key.  Returns true if authentication succeeds.
+ */
+
+int
+auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key)
+{
+	extern ServerOptions options;
+	const char *canonical_hostname;
+	HostStatus host_status;
+	Key *client_key, *found;
+
+	debug("Trying rhosts with RSA host authentication for %.100s", client_user);
+
+	if (client_host_key == NULL)
+		return 0;
+
+	/* Check if we would accept it using rhosts authentication. */
+	if (!auth_rhosts(pw, client_user))
+		return 0;
+
+	canonical_hostname = get_canonical_hostname();
+
+	debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
+
+	/* wrap the RSA key into a 'generic' key */
+	client_key = key_new(KEY_RSA);
+	BN_copy(client_key->rsa->e, client_host_key->e);
+	BN_copy(client_key->rsa->n, client_host_key->n);
+	found = key_new(KEY_RSA);
+
+	/* Check if we know the host and its host key. */
+	host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
+	    client_key, found);
+
+	/* Check user host file unless ignored. */
+	if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
+		struct stat st;
+		char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
+		/*
+		 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa()
+		 * did already check pw->pw_dir, but there is a race XXX
+		 */
+		if (options.strict_modes &&
+		    (stat(user_hostfile, &st) == 0) &&
+		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		     (st.st_mode & 022) != 0)) {
+			log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
+			    pw->pw_name, user_hostfile);
+		} else {
+			/* XXX race between stat and the following open() */
+			temporarily_use_uid(pw->pw_uid);
+			host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
+			    client_key, found);
+			restore_uid();
+		}
+		xfree(user_hostfile);
+	}
+	key_free(client_key);
+	key_free(found);
+
+	if (host_status != HOST_OK) {
+		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
+		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
+		return 0;
+	}
+	/* A matching host key was found and is known. */
+
+	/* Perform the challenge-response dialog with the client for the host key. */
+	if (!auth_rsa_challenge_dialog(client_host_key)) {
+		log("Client on %.800s failed to respond correctly to host authentication.",
+		    canonical_hostname);
+		return 0;
+	}
+	/*
+	 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
+	 * and the host using RSA. We accept the authentication.
+	 */
+
+	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
+	   pw->pw_name, client_user, canonical_hostname);
+	packet_send_debug("Rhosts with RSA host authentication accepted.");
+	return 1;
+}
diff --git a/crypto/openssh/auth-rhosts.c b/crypto/openssh/auth-rhosts.c
new file mode 100644
index 0000000..3393b86
--- /dev/null
+++ b/crypto/openssh/auth-rhosts.c
@@ -0,0 +1,266 @@
+/*
+ *
+ * auth-rhosts.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 17 05:12:18 1995 ylo
+ *
+ * Rhosts authentication.  This file contains code to check whether to admit
+ * the login based on rhosts authentication.  This file also processes
+ * /etc/hosts.equiv.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-rhosts.c,v 1.13 2000/04/14 10:30:29 markus Exp $");
+
+#include "packet.h"
+#include "ssh.h"
+#include "xmalloc.h"
+#include "uidswap.h"
+#include "servconf.h"
+
+/*
+ * This function processes an rhosts-style file (.rhosts, .shosts, or
+ * /etc/hosts.equiv).  This returns true if authentication can be granted
+ * based on the file, and returns zero otherwise.
+ */
+
+int
+check_rhosts_file(const char *filename, const char *hostname,
+		  const char *ipaddr, const char *client_user,
+		  const char *server_user)
+{
+	FILE *f;
+	char buf[1024];	/* Must not be larger than host, user, dummy below. */
+
+	/* Open the .rhosts file, deny if unreadable */
+	f = fopen(filename, "r");
+	if (!f)
+		return 0;
+
+	while (fgets(buf, sizeof(buf), f)) {
+		/* All three must be at least as big as buf to avoid overflows. */
+		char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
+		int negated;
+
+		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (*cp == '#' || *cp == '\n' || !*cp)
+			continue;
+
+		/*
+		 * NO_PLUS is supported at least on OSF/1.  We skip it (we
+		 * don't ever support the plus syntax).
+		 */
+		if (strncmp(cp, "NO_PLUS", 7) == 0)
+			continue;
+
+		/*
+		 * This should be safe because each buffer is as big as the
+		 * whole string, and thus cannot be overwritten.
+		 */
+		switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) {
+		case 0:
+			packet_send_debug("Found empty line in %.100s.", filename);
+			continue;
+		case 1:
+			/* Host name only. */
+			strlcpy(userbuf, server_user, sizeof(userbuf));
+			break;
+		case 2:
+			/* Got both host and user name. */
+			break;
+		case 3:
+			packet_send_debug("Found garbage in %.100s.", filename);
+			continue;
+		default:
+			/* Weird... */
+			continue;
+		}
+
+		host = hostbuf;
+		user = userbuf;
+		negated = 0;
+
+		/* Process negated host names, or positive netgroups. */
+		if (host[0] == '-') {
+			negated = 1;
+			host++;
+		} else if (host[0] == '+')
+			host++;
+
+		if (user[0] == '-') {
+			negated = 1;
+			user++;
+		} else if (user[0] == '+')
+			user++;
+
+		/* Check for empty host/user names (particularly '+'). */
+		if (!host[0] || !user[0]) {
+			/* We come here if either was '+' or '-'. */
+			packet_send_debug("Ignoring wild host/user names in %.100s.",
+					  filename);
+			continue;
+		}
+		/* Verify that host name matches. */
+		if (host[0] == '@') {
+			if (!innetgr(host + 1, hostname, NULL, NULL) &&
+			    !innetgr(host + 1, ipaddr, NULL, NULL))
+				continue;
+		} else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
+			continue;	/* Different hostname. */
+
+		/* Verify that user name matches. */
+		if (user[0] == '@') {
+			if (!innetgr(user + 1, NULL, client_user, NULL))
+				continue;
+		} else if (strcmp(user, client_user) != 0)
+			continue;	/* Different username. */
+
+		/* Found the user and host. */
+		fclose(f);
+
+		/* If the entry was negated, deny access. */
+		if (negated) {
+			packet_send_debug("Matched negative entry in %.100s.",
+					  filename);
+			return 0;
+		}
+		/* Accept authentication. */
+		return 1;
+	}
+
+	/* Authentication using this file denied. */
+	fclose(f);
+	return 0;
+}
+
+/*
+ * Tries to authenticate the user using the .shosts or .rhosts file. Returns
+ * true if authentication succeeds.  If ignore_rhosts is true, only
+ * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
+ */
+
+int
+auth_rhosts(struct passwd *pw, const char *client_user)
+{
+	extern ServerOptions options;
+	char buf[1024];
+	const char *hostname, *ipaddr;
+	struct stat st;
+	static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
+	unsigned int rhosts_file_index;
+
+	/* Switch to the user's uid. */
+	temporarily_use_uid(pw->pw_uid);
+	/*
+	 * Quick check: if the user has no .shosts or .rhosts files, return
+	 * failure immediately without doing costly lookups from name
+	 * servers.
+	 */
+	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
+	     rhosts_file_index++) {
+		/* Check users .rhosts or .shosts. */
+		snprintf(buf, sizeof buf, "%.500s/%.100s",
+			 pw->pw_dir, rhosts_files[rhosts_file_index]);
+		if (stat(buf, &st) >= 0)
+			break;
+	}
+	/* Switch back to privileged uid. */
+	restore_uid();
+
+	/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
+	if (!rhosts_files[rhosts_file_index] &&
+	    stat("/etc/hosts.equiv", &st) < 0 &&
+	    stat(SSH_HOSTS_EQUIV, &st) < 0)
+		return 0;
+
+	hostname = get_canonical_hostname();
+	ipaddr = get_remote_ipaddr();
+
+	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
+	if (pw->pw_uid != 0) {
+		if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user,
+				      pw->pw_name)) {
+			packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
+					  hostname, ipaddr);
+			return 1;
+		}
+		if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user,
+				      pw->pw_name)) {
+			packet_send_debug("Accepted for %.100s [%.100s] by %.100s.",
+				      hostname, ipaddr, SSH_HOSTS_EQUIV);
+			return 1;
+		}
+	}
+	/*
+	 * Check that the home directory is owned by root or the user, and is
+	 * not group or world writable.
+	 */
+	if (stat(pw->pw_dir, &st) < 0) {
+		log("Rhosts authentication refused for %.100s: no home directory %.200s",
+		    pw->pw_name, pw->pw_dir);
+		packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s",
+				  pw->pw_name, pw->pw_dir);
+		return 0;
+	}
+	if (options.strict_modes &&
+	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+	     (st.st_mode & 022) != 0)) {
+		log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
+		    pw->pw_name);
+		packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
+				  pw->pw_name);
+		return 0;
+	}
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw->pw_uid);
+
+	/* Check all .rhosts files (currently .shosts and .rhosts). */
+	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
+	     rhosts_file_index++) {
+		/* Check users .rhosts or .shosts. */
+		snprintf(buf, sizeof buf, "%.500s/%.100s",
+			 pw->pw_dir, rhosts_files[rhosts_file_index]);
+		if (stat(buf, &st) < 0)
+			continue;
+
+		/*
+		 * Make sure that the file is either owned by the user or by
+		 * root, and make sure it is not writable by anyone but the
+		 * owner.  This is to help avoid novices accidentally
+		 * allowing access to their account by anyone.
+		 */
+		if (options.strict_modes &&
+		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		     (st.st_mode & 022) != 0)) {
+			log("Rhosts authentication refused for %.100s: bad modes for %.200s",
+			    pw->pw_name, buf);
+			packet_send_debug("Bad file modes for %.200s", buf);
+			continue;
+		}
+		/* Check if we have been configured to ignore .rhosts and .shosts files. */
+		if (options.ignore_rhosts) {
+			packet_send_debug("Server has been configured to ignore %.100s.",
+					  rhosts_files[rhosts_file_index]);
+			continue;
+		}
+		/* Check if authentication is permitted by the file. */
+		if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
+			packet_send_debug("Accepted by %.100s.",
+					  rhosts_files[rhosts_file_index]);
+			/* Restore the privileged uid. */
+			restore_uid();
+			return 1;
+		}
+	}
+
+	/* Restore the privileged uid. */
+	restore_uid();
+	return 0;
+}
diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c
new file mode 100644
index 0000000..b28d629
--- /dev/null
+++ b/crypto/openssh/auth-rsa.c
@@ -0,0 +1,471 @@
+/*
+ *
+ * auth-rsa.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Mar 27 01:46:52 1995 ylo
+ *
+ * RSA-based authentication.  This code determines whether to admit a login
+ * based on RSA authentication.  This file also contains functions to check
+ * validity of the host key.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: auth-rsa.c,v 1.23 2000/04/29 18:11:51 markus Exp $");
+
+#include "rsa.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "ssh.h"
+#include "mpaux.h"
+#include "uidswap.h"
+#include "match.h"
+#include "servconf.h"
+
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+
+/* Flags that may be set in authorized_keys options. */
+extern int no_port_forwarding_flag;
+extern int no_agent_forwarding_flag;
+extern int no_x11_forwarding_flag;
+extern int no_pty_flag;
+extern char *forced_command;
+extern struct envstring *custom_environment;
+
+/*
+ * Session identifier that is used to bind key exchange and authentication
+ * responses to a particular session.
+ */
+extern unsigned char session_id[16];
+
+/*
+ * The .ssh/authorized_keys file contains public keys, one per line, in the
+ * following format:
+ *   options bits e n comment
+ * where bits, e and n are decimal numbers,
+ * and comment is any string of characters up to newline.  The maximum
+ * length of a line is 8000 characters.  See the documentation for a
+ * description of the options.
+ */
+
+/*
+ * Performs the RSA authentication challenge-response dialog with the client,
+ * and returns true (non-zero) if the client gave the correct answer to
+ * our challenge; returns zero if the client gives a wrong answer.
+ */
+
+int
+auth_rsa_challenge_dialog(RSA *pk)
+{
+	BIGNUM *challenge, *encrypted_challenge;
+	BN_CTX *ctx;
+	unsigned char buf[32], mdbuf[16], response[16];
+	MD5_CTX md;
+	unsigned int i;
+	int plen, len;
+
+	encrypted_challenge = BN_new();
+	challenge = BN_new();
+
+	/* Generate a random challenge. */
+	BN_rand(challenge, 256, 0, 0);
+	ctx = BN_CTX_new();
+	BN_mod(challenge, challenge, pk->n, ctx);
+	BN_CTX_free(ctx);
+
+	/* Encrypt the challenge with the public key. */
+	rsa_public_encrypt(encrypted_challenge, challenge, pk);
+
+	/* Send the encrypted challenge to the client. */
+	packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
+	packet_put_bignum(encrypted_challenge);
+	packet_send();
+	BN_clear_free(encrypted_challenge);
+	packet_write_wait();
+
+	/* Wait for a response. */
+	packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE);
+	packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE);
+	for (i = 0; i < 16; i++)
+		response[i] = packet_get_char();
+
+	/* The response is MD5 of decrypted challenge plus session id. */
+	len = BN_num_bytes(challenge);
+	if (len <= 0 || len > 32)
+		fatal("auth_rsa_challenge_dialog: bad challenge length %d", len);
+	memset(buf, 0, 32);
+	BN_bn2bin(challenge, buf + 32 - len);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, 32);
+	MD5_Update(&md, session_id, 16);
+	MD5_Final(mdbuf, &md);
+	BN_clear_free(challenge);
+
+	/* Verify that the response is the original challenge. */
+	if (memcmp(response, mdbuf, 16) != 0) {
+		/* Wrong answer. */
+		return 0;
+	}
+	/* Correct answer. */
+	return 1;
+}
+
+/*
+ * Performs the RSA authentication dialog with the client.  This returns
+ * 0 if the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+
+int
+auth_rsa(struct passwd *pw, BIGNUM *client_n)
+{
+	extern ServerOptions options;
+	char line[8192], file[1024];
+	int authenticated;
+	unsigned int bits;
+	FILE *f;
+	unsigned long linenum = 0;
+	struct stat st;
+	RSA *pk;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw->pw_uid);
+
+	/* The authorized keys. */
+	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
+		 SSH_USER_PERMITTED_KEYS);
+
+	/* Fail quietly if file does not exist */
+	if (stat(file, &st) < 0) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	/* Open the file containing the authorized keys. */
+	f = fopen(file, "r");
+	if (!f) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		packet_send_debug("Could not open %.900s for reading.", file);
+		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
+		return 0;
+	}
+	if (options.strict_modes) {
+		int fail = 0;
+		char buf[1024];
+		/* Check open file in order to avoid open/stat races */
+		if (fstat(fileno(f), &st) < 0 ||
+		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		    (st.st_mode & 022) != 0) {
+			snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
+				 "bad ownership or modes for '%s'.", pw->pw_name, file);
+			fail = 1;
+		} else {
+			/* Check path to SSH_USER_PERMITTED_KEYS */
+			int i;
+			static const char *check[] = {
+				"", SSH_USER_DIR, NULL
+			};
+			for (i = 0; check[i]; i++) {
+				snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
+				if (stat(line, &st) < 0 ||
+				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+				    (st.st_mode & 022) != 0) {
+					snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
+						 "bad ownership or modes for '%s'.", pw->pw_name, line);
+					fail = 1;
+					break;
+				}
+			}
+		}
+		if (fail) {
+			fclose(f);
+			log(buf);
+			packet_send_debug(buf);
+			restore_uid();
+			return 0;
+		}
+	}
+	/* Flag indicating whether authentication has succeeded. */
+	authenticated = 0;
+
+	pk = RSA_new();
+	pk->e = BN_new();
+	pk->n = BN_new();
+
+	/*
+	 * Go though the accepted keys, looking for the current key.  If
+	 * found, perform a challenge-response dialog to verify that the
+	 * user really has the corresponding private key.
+	 */
+	while (fgets(line, sizeof(line), f)) {
+		char *cp;
+		char *options;
+
+		linenum++;
+
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '\n' || *cp == '#')
+			continue;
+
+		/*
+		 * Check if there are options for this key, and if so,
+		 * save their starting address and skip the option part
+		 * for now.  If there are no options, set the starting
+		 * address to NULL.
+		 */
+		if (*cp < '0' || *cp > '9') {
+			int quoted = 0;
+			options = cp;
+			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+					cp++;	/* Skip both */
+				else if (*cp == '"')
+					quoted = !quoted;
+			}
+		} else
+			options = NULL;
+
+		/* Parse the key from the line. */
+		if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
+			debug("%.100s, line %lu: bad key syntax",
+			      SSH_USER_PERMITTED_KEYS, linenum);
+			packet_send_debug("%.100s, line %lu: bad key syntax",
+					  SSH_USER_PERMITTED_KEYS, linenum);
+			continue;
+		}
+		/* cp now points to the comment part. */
+
+		/* Check if the we have found the desired key (identified by its modulus). */
+		if (BN_cmp(pk->n, client_n) != 0)
+			continue;
+
+		/* check the real bits  */
+		if (bits != BN_num_bits(pk->n))
+			log("Warning: %s, line %ld: keysize mismatch: "
+			    "actual %d vs. announced %d.",
+			    file, linenum, BN_num_bits(pk->n), bits);
+
+		/* We have found the desired key. */
+
+		/* Perform the challenge-response dialog for this key. */
+		if (!auth_rsa_challenge_dialog(pk)) {
+			/* Wrong response. */
+			verbose("Wrong response to RSA authentication challenge.");
+			packet_send_debug("Wrong response to RSA authentication challenge.");
+			continue;
+		}
+		/*
+		 * Correct response.  The client has been successfully
+		 * authenticated. Note that we have not yet processed the
+		 * options; this will be reset if the options cause the
+		 * authentication to be rejected.
+		 */
+		authenticated = 1;
+
+		/* RSA part of authentication was accepted.  Now process the options. */
+		if (options) {
+			while (*options && *options != ' ' && *options != '\t') {
+				cp = "no-port-forwarding";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					packet_send_debug("Port forwarding disabled.");
+					no_port_forwarding_flag = 1;
+					options += strlen(cp);
+					goto next_option;
+				}
+				cp = "no-agent-forwarding";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					packet_send_debug("Agent forwarding disabled.");
+					no_agent_forwarding_flag = 1;
+					options += strlen(cp);
+					goto next_option;
+				}
+				cp = "no-X11-forwarding";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					packet_send_debug("X11 forwarding disabled.");
+					no_x11_forwarding_flag = 1;
+					options += strlen(cp);
+					goto next_option;
+				}
+				cp = "no-pty";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					packet_send_debug("Pty allocation disabled.");
+					no_pty_flag = 1;
+					options += strlen(cp);
+					goto next_option;
+				}
+				cp = "command=\"";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					int i;
+					options += strlen(cp);
+					forced_command = xmalloc(strlen(options) + 1);
+					i = 0;
+					while (*options) {
+						if (*options == '"')
+							break;
+						if (*options == '\\' && options[1] == '"') {
+							options += 2;
+							forced_command[i++] = '"';
+							continue;
+						}
+						forced_command[i++] = *options++;
+					}
+					if (!*options) {
+						debug("%.100s, line %lu: missing end quote",
+						      SSH_USER_PERMITTED_KEYS, linenum);
+						packet_send_debug("%.100s, line %lu: missing end quote",
+								  SSH_USER_PERMITTED_KEYS, linenum);
+						continue;
+					}
+					forced_command[i] = 0;
+					packet_send_debug("Forced command: %.900s", forced_command);
+					options++;
+					goto next_option;
+				}
+				cp = "environment=\"";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					int i;
+					char *s;
+					struct envstring *new_envstring;
+					options += strlen(cp);
+					s = xmalloc(strlen(options) + 1);
+					i = 0;
+					while (*options) {
+						if (*options == '"')
+							break;
+						if (*options == '\\' && options[1] == '"') {
+							options += 2;
+							s[i++] = '"';
+							continue;
+						}
+						s[i++] = *options++;
+					}
+					if (!*options) {
+						debug("%.100s, line %lu: missing end quote",
+						      SSH_USER_PERMITTED_KEYS, linenum);
+						packet_send_debug("%.100s, line %lu: missing end quote",
+								  SSH_USER_PERMITTED_KEYS, linenum);
+						continue;
+					}
+					s[i] = 0;
+					packet_send_debug("Adding to environment: %.900s", s);
+					debug("Adding to environment: %.900s", s);
+					options++;
+					new_envstring = xmalloc(sizeof(struct envstring));
+					new_envstring->s = s;
+					new_envstring->next = custom_environment;
+					custom_environment = new_envstring;
+					goto next_option;
+				}
+				cp = "from=\"";
+				if (strncmp(options, cp, strlen(cp)) == 0) {
+					char *patterns = xmalloc(strlen(options) + 1);
+					int i;
+					options += strlen(cp);
+					i = 0;
+					while (*options) {
+						if (*options == '"')
+							break;
+						if (*options == '\\' && options[1] == '"') {
+							options += 2;
+							patterns[i++] = '"';
+							continue;
+						}
+						patterns[i++] = *options++;
+					}
+					if (!*options) {
+						debug("%.100s, line %lu: missing end quote",
+						      SSH_USER_PERMITTED_KEYS, linenum);
+						packet_send_debug("%.100s, line %lu: missing end quote",
+								  SSH_USER_PERMITTED_KEYS, linenum);
+						continue;
+					}
+					patterns[i] = 0;
+					options++;
+					if (!match_hostname(get_canonical_hostname(), patterns,
+						     strlen(patterns)) &&
+					    !match_hostname(get_remote_ipaddr(), patterns,
+						     strlen(patterns))) {
+						log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
+						    pw->pw_name, get_canonical_hostname(),
+						    get_remote_ipaddr());
+						packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
+						get_canonical_hostname());
+						xfree(patterns);
+						/* key invalid for this host, reset flags */
+						authenticated = 0;
+						no_agent_forwarding_flag = 0;
+						no_port_forwarding_flag = 0;
+						no_pty_flag = 0;
+						no_x11_forwarding_flag = 0;
+						while (custom_environment) {
+							struct envstring *ce = custom_environment;
+							custom_environment = ce->next;
+							xfree(ce->s);
+							xfree(ce);
+						}
+						if (forced_command) {
+							xfree(forced_command);
+							forced_command = NULL;
+						}
+						break;
+					}
+					xfree(patterns);
+					/* Host name matches. */
+					goto next_option;
+				}
+		bad_option:
+				log("Bad options in %.100s file, line %lu: %.50s",
+				    SSH_USER_PERMITTED_KEYS, linenum, options);
+				packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
+						  SSH_USER_PERMITTED_KEYS, linenum, options);
+				authenticated = 0;
+				break;
+
+		next_option:
+				/*
+				 * Skip the comma, and move to the next option
+				 * (or break out if there are no more).
+				 */
+				if (!*options)
+					fatal("Bugs in auth-rsa.c option processing.");
+				if (*options == ' ' || *options == '\t')
+					break;		/* End of options. */
+				if (*options != ',')
+					goto bad_option;
+				options++;
+				/* Process the next option. */
+				continue;
+			}
+		}
+		/*
+		 * Break out of the loop if authentication was successful;
+		 * otherwise continue searching.
+		 */
+		if (authenticated)
+			break;
+	}
+
+	/* Restore the privileged uid. */
+	restore_uid();
+
+	/* Close the file. */
+	fclose(f);
+
+	RSA_free(pk);
+
+	if (authenticated)
+		packet_send_debug("RSA authentication accepted.");
+
+	/* Return authentication result. */
+	return authenticated;
+}
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
new file mode 100644
index 0000000..59e6ea2
--- /dev/null
+++ b/crypto/openssh/auth-skey.c
@@ -0,0 +1,186 @@
+/* $FreeBSD$ */
+
+#include "includes.h"
+RCSID("$Id: auth-skey.c,v 1.6 2000/04/14 10:30:29 markus Exp $");
+
+#include <sys/sysctl.h>
+#include "ssh.h"
+#include "packet.h"
+#include <sha.h>
+
+/*
+ * try skey authentication,
+ * return 1 on success, 0 on failure, -1 if skey is not available
+ */
+
+int
+auth_skey_password(struct passwd * pw, const char *password)
+{
+	if (strncasecmp(password, "s/key", 5) == 0) {
+		char *skeyinfo = opie_keyinfo(pw->pw_name);
+		if (skeyinfo == NULL) {
+			debug("generating fake skeyinfo for %.100s.",
+			    pw->pw_name);
+			skeyinfo = skey_fake_keyinfo(pw->pw_name);
+		}
+		if (skeyinfo != NULL)
+			packet_send_debug(skeyinfo);
+		/* Try again. */
+		return 0;
+	} else if (opie_haskey(pw->pw_name) == 0 &&
+		   opie_passverify(pw->pw_name, (char *) password) != -1) {
+		/* Authentication succeeded. */
+		return 1;
+	}
+	/* Fall back to ordinary passwd authentication. */
+	return -1;
+}
+
+/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
+
+#define ROUND(x)   (((x)[0] << 24) + (((x)[1]) << 16) + (((x)[2]) << 8) + \
+		    ((x)[3]))
+
+/*
+ * hash_collapse()
+ */
+static u_int32_t
+hash_collapse(s)
+	u_char *s;
+{
+	int len, target;
+	u_int32_t i;
+	
+	if ((strlen(s) % sizeof(u_int32_t)) == 0)
+		target = strlen(s);    /* Multiple of 4 */
+	else
+		target = strlen(s) - (strlen(s) % sizeof(u_int32_t));
+
+	for (i = 0, len = 0; len < target; len += 4)
+		i ^= ROUND(s + len);
+
+	return i;
+}
+
+char *
+skey_fake_keyinfo(char *username)
+{
+	int i;
+	u_int ptr;
+	u_char hseed[OPIE_SEED_MAX], flg = 1, *up;
+	char pbuf[OPIE_SECRET_MAX+1];
+	static char skeyprompt[OPIE_CHALLENGE_MAX+1];
+	char *secret = NULL;
+	size_t secretlen = 0;
+	SHA1_CTX ctx;
+	char *p, *u;
+	int mib[2];
+	size_t size;
+	struct timeval boottime;
+
+	/*
+	 * Base first 2 chars of seed on hostname.
+	 * Add some filler for short hostnames if necessary.
+	 */
+	if (gethostname(pbuf, sizeof(pbuf)) == -1)
+		*(p = pbuf) = '.';
+	else
+		for (p = pbuf; *p && isalnum(*p); p++)
+			if (isalpha(*p) && isupper(*p))
+				*p = tolower(*p);
+	if (*p && pbuf - p < 2)
+		(void)strncpy(p, "asjd", 2 - (pbuf - p));
+	pbuf[2] = '\0';
+
+	/* Hash the username if possible */
+	if ((up = SHA1_Data(username, strlen(username), NULL)) != NULL) {
+		struct stat sb;
+		time_t t;
+
+		/* Collapse the hash */
+		ptr = hash_collapse(up);
+		memset(up, 0, strlen(up));
+
+		/*
+		 * Seed the fake challenge with the system boot time,
+		 * otherwise use ctime.
+		 *
+		 * XXX This should be a random source which is constant
+		 * over short time periods, but changes over timescales on
+		 * the order of a week.
+		 */
+		mib[0] = CTL_KERN;
+		mib[1] = KERN_BOOTTIME;
+		size = sizeof(boottime);
+		if (sysctl(mib, 2, &boottime, &size, NULL, 0) != -1 &&
+			boottime.tv_sec != 0) {
+			secret = (char *)&boottime;
+			secretlen = size/sizeof(char); 
+			flg = 0;
+		} else if (!stat(_PATH_MEM, &sb) || !stat("/", &sb)) {
+			t = sb.st_ctime;
+			secret = ctime(&t);
+			secretlen = strlen(secret);
+			flg = 0;
+		}
+	}
+
+	/* Put that in your pipe and smoke it */
+	if (flg == 0) {
+		/* Hash secret value with username */
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, secret, secretlen);
+		SHA1_Update(&ctx, username, strlen(username));
+		SHA1_End(&ctx, up);
+		
+		/* Zero out */
+		memset(secret, 0, secretlen);
+
+		/* Now hash the hash */
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, up, strlen(up));
+		SHA1_End(&ctx, up);
+		
+		ptr = hash_collapse(up + 4);
+		
+		for (i = 2; i < 6; i++) {
+			pbuf[i] = (ptr % 10) + '0';
+			ptr /= 10;
+		}
+		pbuf[i] = '\0';
+
+		/* Sequence number */
+		ptr = ((up[2] + up[3]) % 499) + 1;
+
+		memset(up, 0, 20); /* SHA1 specific */
+		free(up);
+
+		(void)snprintf(skeyprompt, sizeof skeyprompt,
+			      "opt-%.*s %d %.*s ext",
+			      OPIE_HASHNAME_MAX,
+			      opie_get_algorithm(),
+			      ptr, OPIE_SEED_MAX,
+			      pbuf);
+	} else {
+		/* Base last 4 chars of seed on username */
+		u = username;
+		i = 4;
+		p = &pbuf[2];
+		do {
+			if (*u == 0) {
+				/* Pad remainder with zeros */
+				while (--i >= 0)
+					*p++ = '0';
+				break;
+			}
+
+			*p++ = (*u++ % 10) + '0';
+		} while (--i != 0);
+		pbuf[6] = '\0';
+
+		(void)snprintf(skeyprompt, sizeof skeyprompt,
+			      "opt-md5 %d %.*s ext",
+			      499, OPIE_SEED_MAX, pbuf);
+	}
+	return skeyprompt;
+}
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
new file mode 100644
index 0000000..5e64cf0
--- /dev/null
+++ b/crypto/openssh/auth.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth.c,v 1.7 2000/05/17 21:37:24 deraadt Exp $");
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "pty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "servconf.h"
+#include "compat.h"
+#include "channels.h"
+#include "match.h"
+
+#include "bufaux.h"
+#include "ssh2.h"
+#include "auth.h"
+#include "session.h"
+#include "dispatch.h"
+
+
+/* import */
+extern ServerOptions options;
+extern char *forced_command;
+
+/*
+ * Check if the user is allowed to log in via ssh. If user is listed in
+ * DenyUsers or user's primary group is listed in DenyGroups, false will
+ * be returned. If AllowUsers isn't empty and user isn't listed there, or
+ * if AllowGroups isn't empty and user isn't listed there, false will be
+ * returned.
+ * If the user's shell is not executable, false will be returned.
+ * Otherwise true is returned.
+ */
+int
+allowed_user(struct passwd * pw)
+{
+	struct stat st;
+	struct group *grp;
+	char *shell;
+	int i;
+
+	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
+	if (!pw)
+		return 0;
+
+	/*
+	 * Get the shell from the password data.  An empty shell field is
+	 * legal, and means /bin/sh.
+	 */
+	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+
+	/* deny if shell does not exists or is not executable */
+	if (stat(shell, &st) != 0)
+		return 0;
+	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
+		return 0;
+
+	/* Return false if user is listed in DenyUsers */
+	if (options.num_deny_users > 0) {
+		if (!pw->pw_name)
+			return 0;
+		for (i = 0; i < options.num_deny_users; i++)
+			if (match_pattern(pw->pw_name, options.deny_users[i]))
+				return 0;
+	}
+	/* Return false if AllowUsers isn't empty and user isn't listed there */
+	if (options.num_allow_users > 0) {
+		if (!pw->pw_name)
+			return 0;
+		for (i = 0; i < options.num_allow_users; i++)
+			if (match_pattern(pw->pw_name, options.allow_users[i]))
+				break;
+		/* i < options.num_allow_users iff we break for loop */
+		if (i >= options.num_allow_users)
+			return 0;
+	}
+	/* Get the primary group name if we need it. Return false if it fails */
+	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
+		grp = getgrgid(pw->pw_gid);
+		if (!grp)
+			return 0;
+
+		/* Return false if user's group is listed in DenyGroups */
+		if (options.num_deny_groups > 0) {
+			if (!grp->gr_name)
+				return 0;
+			for (i = 0; i < options.num_deny_groups; i++)
+				if (match_pattern(grp->gr_name, options.deny_groups[i]))
+					return 0;
+		}
+		/*
+		 * Return false if AllowGroups isn't empty and user's group
+		 * isn't listed there
+		 */
+		if (options.num_allow_groups > 0) {
+			if (!grp->gr_name)
+				return 0;
+			for (i = 0; i < options.num_allow_groups; i++)
+				if (match_pattern(grp->gr_name, options.allow_groups[i]))
+					break;
+			/* i < options.num_allow_groups iff we break for
+			   loop */
+			if (i >= options.num_allow_groups)
+				return 0;
+		}
+	}
+#ifndef __FreeBSD__     /* FreeBSD handle it later */
+	/* Fail if the account's expiration time has passed. */
+	if (pw->pw_expire != 0) {
+		struct timeval tv;
+
+		(void)gettimeofday(&tv, NULL);
+		if (tv.tv_sec >= pw->pw_expire)
+			return 0;
+	}
+#endif /* !__FreeBSD__ */
+	/* We found no reason not to let this user try to log on... */
+	return 1;
+}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
new file mode 100644
index 0000000..72126e0
--- /dev/null
+++ b/crypto/openssh/auth.h
@@ -0,0 +1,17 @@
+#ifndef AUTH_H
+#define AUTH_H
+
+void	do_authentication(void);
+void	do_authentication2(void);
+
+struct passwd *
+auth_get_user(void);
+
+int allowed_user(struct passwd * pw);;
+
+#define AUTH_FAIL_MAX 6
+#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
+#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
+
+#endif
+
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
new file mode 100644
index 0000000..c4f0d5b
--- /dev/null
+++ b/crypto/openssh/auth1.c
@@ -0,0 +1,591 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $");
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "packet.h"
+#include "buffer.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "servconf.h"
+#include "compat.h"
+#include "auth.h"
+#include "session.h"
+
+#ifdef KRB5
+extern krb5_context ssh_context;
+krb5_principal tkt_client = NULL;    /* Principal from the received ticket. 
+Also is used as an indication of succesful krb5 authentization. */
+#endif
+
+/* import */
+extern ServerOptions options;
+extern char *forced_command;
+
+/*
+ * convert ssh auth msg type into description
+ */
+char *
+get_authname(int type)
+{
+	static char buf[1024];
+	switch (type) {
+	case SSH_CMSG_AUTH_PASSWORD:
+		return "password";
+	case SSH_CMSG_AUTH_RSA:
+		return "rsa";
+	case SSH_CMSG_AUTH_RHOSTS_RSA:
+		return "rhosts-rsa";
+	case SSH_CMSG_AUTH_RHOSTS:
+		return "rhosts";
+#ifdef KRB4
+	case SSH_CMSG_AUTH_KRB4:
+		return "kerberosV4";
+#endif
+#ifdef KRB5
+	case SSH_CMSG_AUTH_KRB5:
+		return "kerberosV5";
+#endif /* KRB5 */
+#ifdef SKEY
+	case SSH_CMSG_AUTH_TIS_RESPONSE:
+		return "s/key";
+#endif
+	}
+	snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
+	return buf;
+}
+
+/*
+ * The user does not exist or access is denied,
+ * but fake indication that authentication is needed.
+ */
+void
+do_fake_authloop1(char *user)
+{
+	int attempt = 0;
+
+	log("Faking authloop for illegal user %.200s from %.200s port %d",
+	    user,
+	    get_remote_ipaddr(),
+	    get_remote_port());
+
+	/* Indicate that authentication is needed. */
+	packet_start(SSH_SMSG_FAILURE);
+	packet_send();
+	packet_write_wait();
+
+	/*
+	 * Keep reading packets, and always respond with a failure.  This is
+	 * to avoid disclosing whether such a user really exists.
+	 */
+	for (attempt = 1;; attempt++) {
+		/* Read a packet.  This will not return if the client disconnects. */
+		int plen;
+		int type = packet_read(&plen);
+#ifdef SKEY
+		unsigned int dlen;
+		char *password, *skeyinfo;
+		password = NULL;
+		/* Try to send a fake s/key challenge. */
+		if (options.skey_authentication == 1 &&
+		    (skeyinfo = skey_fake_keyinfo(user)) != NULL) {
+			if (type == SSH_CMSG_AUTH_TIS) {
+				packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+				packet_put_string(skeyinfo, strlen(skeyinfo));
+				packet_send();
+				packet_write_wait();
+				continue;
+			} else if (type == SSH_CMSG_AUTH_PASSWORD &&
+				   options.password_authentication &&
+				   (password = packet_get_string(&dlen)) != NULL &&
+				   dlen == 5 &&
+				   strncasecmp(password, "s/key", 5) == 0 ) {
+				packet_send_debug(skeyinfo);
+			}
+		}
+		if (password != NULL)
+			xfree(password);
+#endif
+		if (attempt > AUTH_FAIL_MAX)
+			packet_disconnect(AUTH_FAIL_MSG, user);
+
+		/*
+		 * Send failure.  This should be indistinguishable from a
+		 * failed authentication.
+		 */
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+	}
+	/* NOTREACHED */
+	abort();
+}
+
+/*
+ * read packets and try to authenticate local user *pw.
+ * return if authentication is successfull
+ */
+void
+do_authloop(struct passwd * pw)
+{
+	int attempt = 0;
+	unsigned int bits;
+	RSA *client_host_key;
+	BIGNUM *n;
+	char *client_user, *password;
+	char user[1024];
+	unsigned int dlen;
+	int plen, nlen, elen;
+	unsigned int ulen;
+	int type = 0;
+	void (*authlog) (const char *fmt,...) = verbose;
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+#endif /* LOGIN_CAP */
+#if defined(LOGIN_CAP) || defined(LOGIN_ACCESS)
+	const char *from_host, *from_ip;
+
+	from_host = get_canonical_hostname();
+	from_ip = get_remote_ipaddr();
+#endif /* LOGIN_CAP || LOGIN_ACCESS */
+#ifdef HAVE_LIBPAM
+	int pam_retval;
+#endif /* HAVE_LIBPAM */
+#if 0
+#ifdef KRB5
+	{
+	  	krb5_error_code ret;
+		
+		ret = krb5_init_context(&ssh_context);
+		if (ret)
+		 	verbose("Error while initializing Kerberos V5."); 
+		krb5_init_ets(ssh_context);
+		
+	}
+#endif /* KRB5 */
+#endif
+
+	/* Indicate that authentication is needed. */
+	packet_start(SSH_SMSG_FAILURE);
+	packet_send();
+	packet_write_wait();
+
+	for (attempt = 1;; attempt++) {
+		int authenticated = 0;
+		strlcpy(user, "", sizeof user);
+
+		/* Get a packet from the client. */
+		type = packet_read(&plen);
+
+		/* Process the packet. */
+		switch (type) {
+#ifdef AFS
+		case SSH_CMSG_HAVE_KRB4_TGT:
+			if (!options.krb4_tgt_passing) {
+				/* packet_get_all(); */
+				verbose("Kerberos v4 tgt passing disabled.");
+				break;
+			} else {
+				/* Accept Kerberos v4 tgt. */
+				char *tgt = packet_get_string(&dlen);
+				packet_integrity_check(plen, 4 + dlen, type);
+				if (!auth_krb4_tgt(pw, tgt))
+					verbose("Kerberos v4 tgt REFUSED for %s", pw->pw_name);
+				xfree(tgt);
+			}
+			continue;
+
+		case SSH_CMSG_HAVE_AFS_TOKEN:
+			if (!options.afs_token_passing || !k_hasafs()) {
+				/* packet_get_all(); */
+				verbose("AFS token passing disabled.");
+				break;
+			} else {
+				/* Accept AFS token. */
+				char *token_string = packet_get_string(&dlen);
+				packet_integrity_check(plen, 4 + dlen, type);
+				if (!auth_afs_token(pw, token_string))
+					verbose("AFS token REFUSED for %s", pw->pw_name);
+				xfree(token_string);
+			}
+			continue;
+#endif /* AFS */
+#ifdef KRB4
+		case SSH_CMSG_AUTH_KRB4:
+			if (!options.krb4_authentication) {
+				/* packet_get_all(); */
+				verbose("Kerberos v4 authentication disabled.");
+			} else {
+				/* Try Kerberos v4 authentication. */
+				KTEXT_ST auth;
+				char *tkt_user = NULL;
+				char *kdata = packet_get_string((unsigned int *) &auth.length);
+				packet_integrity_check(plen, 4 + auth.length, type);
+
+				if (auth.length < MAX_KTXT_LEN)
+					memcpy(auth.dat, kdata, auth.length);
+				xfree(kdata);
+
+				authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+
+				if (authenticated) {
+					snprintf(user, sizeof user, " tktuser %s", tkt_user);
+					xfree(tkt_user);
+				}
+			}
+			break;
+#endif /* KRB4 */
+#ifdef KRB5
+		case SSH_CMSG_AUTH_KRB5:
+			if (!options.krb5_authentication) {
+			  	verbose("Kerberos v5 authentication disabled.");
+				break;
+			} else {
+			  	krb5_data k5data; 
+#if 0	
+				if (krb5_init_context(&ssh_context)) {
+				  verbose("Error while initializing Kerberos V5.");
+				  break;
+				}
+				krb5_init_ets(ssh_context);
+#endif
+				
+				k5data.data = packet_get_string(&k5data.length);
+				packet_integrity_check(plen, 4 + k5data.length, type);
+				if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) {
+				  /* pw->name is passed just for logging purposes
+				   * */
+				  	/* authorize client against .k5login */
+				  	if (krb5_kuserok(ssh_context,
+					      tkt_client,
+					      pw->pw_name))
+					  	authenticated = 1;
+				}
+				xfree(k5data.data);
+			}
+			break;
+#endif /* KRB5 */
+
+		case SSH_CMSG_AUTH_RHOSTS:
+			if (!options.rhosts_authentication) {
+				verbose("Rhosts authentication disabled.");
+				break;
+			}
+			/*
+			 * Get client user name.  Note that we just have to
+			 * trust the client; this is one reason why rhosts
+			 * authentication is insecure. (Another is
+			 * IP-spoofing on a local network.)
+			 */
+			client_user = packet_get_string(&ulen);
+			packet_integrity_check(plen, 4 + ulen, type);
+
+			/* Try to authenticate using /etc/hosts.equiv and
+			   .rhosts. */
+			authenticated = auth_rhosts(pw, client_user);
+
+			snprintf(user, sizeof user, " ruser %s", client_user);
+			xfree(client_user);
+			break;
+
+		case SSH_CMSG_AUTH_RHOSTS_RSA:
+			if (!options.rhosts_rsa_authentication) {
+				verbose("Rhosts with RSA authentication disabled.");
+				break;
+			}
+			/*
+			 * Get client user name.  Note that we just have to
+			 * trust the client; root on the client machine can
+			 * claim to be any user.
+			 */
+			client_user = packet_get_string(&ulen);
+
+			/* Get the client host key. */
+			client_host_key = RSA_new();
+			if (client_host_key == NULL)
+				fatal("RSA_new failed");
+			client_host_key->e = BN_new();
+			client_host_key->n = BN_new();
+			if (client_host_key->e == NULL || client_host_key->n == NULL)
+				fatal("BN_new failed");
+			bits = packet_get_int();
+			packet_get_bignum(client_host_key->e, &elen);
+			packet_get_bignum(client_host_key->n, &nlen);
+
+			if (bits != BN_num_bits(client_host_key->n))
+				log("Warning: keysize mismatch for client_host_key: "
+				    "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
+			packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
+
+			authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);
+			RSA_free(client_host_key);
+
+			snprintf(user, sizeof user, " ruser %s", client_user);
+			xfree(client_user);
+			break;
+
+		case SSH_CMSG_AUTH_RSA:
+			if (!options.rsa_authentication) {
+				verbose("RSA authentication disabled.");
+				break;
+			}
+			/* RSA authentication requested. */
+			n = BN_new();
+			packet_get_bignum(n, &nlen);
+			packet_integrity_check(plen, nlen, type);
+			authenticated = auth_rsa(pw, n);
+			BN_clear_free(n);
+			break;
+
+		case SSH_CMSG_AUTH_PASSWORD:
+			if (!options.password_authentication) {
+				verbose("Password authentication disabled.");
+				break;
+			}
+			/*
+			 * Read user password.  It is in plain text, but was
+			 * transmitted over the encrypted channel so it is
+			 * not visible to an outside observer.
+			 */
+			password = packet_get_string(&dlen);
+			packet_integrity_check(plen, 4 + dlen, type);
+
+			/* Try authentication with the password. */
+			authenticated = auth_password(pw, password);
+
+			memset(password, 0, strlen(password));
+			xfree(password);
+			break;
+
+#ifdef SKEY
+		case SSH_CMSG_AUTH_TIS:
+			debug("rcvd SSH_CMSG_AUTH_TIS");
+			if (options.skey_authentication == 1) {
+				char *skeyinfo = opie_keyinfo(pw->pw_name);
+				if (skeyinfo == NULL) {
+					debug("generating fake skeyinfo for %.100s.", pw->pw_name);
+					skeyinfo = skey_fake_keyinfo(pw->pw_name);
+				}
+				if (skeyinfo != NULL) {
+					/* we send our s/key- in tis-challenge messages */
+					debug("sending challenge '%s'", skeyinfo);
+					packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+					packet_put_string(skeyinfo, strlen(skeyinfo));
+					packet_send();
+					packet_write_wait();
+					continue;
+				}
+			}
+			break;
+		case SSH_CMSG_AUTH_TIS_RESPONSE:
+			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
+			if (options.skey_authentication == 1) {
+				char *response = packet_get_string(&dlen);
+				debug("skey response == '%s'", response);
+				packet_integrity_check(plen, 4 + dlen, type);
+				authenticated = (opie_haskey(pw->pw_name) == 0 &&
+						 opie_passverify(pw->pw_name, response) != -1);
+				xfree(response);
+			}
+			break;
+#else
+		case SSH_CMSG_AUTH_TIS:
+			/* TIS Authentication is unsupported */
+			log("TIS authentication unsupported.");
+			break;
+#endif
+#ifdef KRB5
+		case SSH_CMSG_HAVE_KRB5_TGT:
+			/* Passing krb5 ticket */
+			if (!options.krb5_tgt_passing 
+                            /*|| !options.krb5_authentication */) {
+
+			}
+			
+			if (tkt_client == NULL) {
+			  /* passing tgt without krb5 authentication */
+			}
+			
+			{
+			  krb5_data tgt;
+			  tgt.data = packet_get_string(&tgt.length);
+			  
+			  if (!auth_krb5_tgt(pw->pw_name, &tgt, tkt_client))
+			    verbose ("Kerberos V5 TGT refused for %.100s", pw->pw_name);
+			  xfree(tgt.data);
+			      
+			  break;
+			}
+#endif /* KRB5 */
+
+		default:
+			/*
+			 * Any unknown messages will be ignored (and failure
+			 * returned) during authentication.
+			 */
+			log("Unknown message during authentication: type %d", type);
+			break;
+		}
+
+		/*
+		 * Check if the user is logging in as root and root logins
+		 * are disallowed.
+		 * Note that root login is allowed for forced commands.
+		 */
+		if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+			if (forced_command) {
+				log("Root login accepted for forced command.");
+			} else {
+				authenticated = 0;
+				log("ROOT LOGIN REFUSED FROM %.200s",
+				    get_canonical_hostname());
+			}
+
+#ifdef LOGIN_CAP
+			lc = login_getpwclass(pw);
+			if (lc == NULL)
+			  lc = login_getclassbyname(NULL, pw);
+			if (!auth_hostok(lc, from_host, from_ip)) {
+			  log("Denied connection for %.200s from %.200s [%.200s].",
+			      pw->pw_name, from_host, from_ip);
+			  packet_disconnect("Sorry, you are not allowed to connect.");
+			}
+			if (!auth_timeok(lc, time(NULL))) {
+			  log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+			      pw->pw_name, from_host);
+			  packet_disconnect("Logins not available right now.");
+			}
+			login_close(lc);
+#endif  /* LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+			if (!login_access(pw->pw_name, from_host)) {
+			  log("Denied connection for %.200s from %.200s [%.200s].",
+			      pw->pw_name, from_host, from_ip);
+			  packet_disconnect("Sorry, you are not allowed to connect.");
+			}
+#endif /* LOGIN_ACCESS */
+
+			if (pw->pw_uid == 0)
+			  log("ROOT LOGIN as '%.100s' from %.100s",
+			      pw->pw_name, get_canonical_hostname());
+		}
+
+		/* Raise logging level */
+		if (authenticated ||
+		    attempt == AUTH_FAIL_LOG ||
+		    type == SSH_CMSG_AUTH_PASSWORD)
+			authlog = log;
+
+		authlog("%s %s for %.200s from %.200s port %d%s",
+			authenticated ? "Accepted" : "Failed",
+			get_authname(type),
+			pw->pw_uid == 0 ? "ROOT" : pw->pw_name,
+			get_remote_ipaddr(),
+			get_remote_port(),
+			user);
+
+		if (authenticated)
+			return;
+
+		if (attempt > AUTH_FAIL_MAX)
+			packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+
+		/* Send a message indicating that the authentication attempt failed. */
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+	}
+}
+
+/*
+ * Performs authentication of an incoming connection.  Session key has already
+ * been exchanged and encryption is enabled.
+ */
+void
+do_authentication()
+{
+	struct passwd *pw, pwcopy;
+	int plen;
+	unsigned int ulen;
+	char *user;
+
+	/* Get the name of the user that we wish to log in as. */
+	packet_read_expect(&plen, SSH_CMSG_USER);
+
+	/* Get the user name. */
+	user = packet_get_string(&ulen);
+	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
+
+	setproctitle("%s", user);
+
+#ifdef AFS
+	/* If machine has AFS, set process authentication group. */
+	if (k_hasafs()) {
+		k_setpag();
+		k_unlog();
+	}
+#endif /* AFS */
+
+	/* Verify that the user is a valid user. */
+	pw = getpwnam(user);
+	if (!pw || !allowed_user(pw))
+		do_fake_authloop1(user);
+	xfree(user);
+
+	/* Take a copy of the returned structure. */
+	memset(&pwcopy, 0, sizeof(pwcopy));
+	pwcopy.pw_name = xstrdup(pw->pw_name);
+	pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
+	pwcopy.pw_uid = pw->pw_uid;
+	pwcopy.pw_gid = pw->pw_gid;
+	pwcopy.pw_dir = xstrdup(pw->pw_dir);
+	pwcopy.pw_shell = xstrdup(pw->pw_shell);
+	pwcopy.pw_class = xstrdup(pw->pw_class);
+	pwcopy.pw_expire = pw->pw_expire;
+	pwcopy.pw_change = pw->pw_change;
+	pw = &pwcopy;
+
+	/*
+	 * If we are not running as root, the user must have the same uid as
+	 * the server.
+	 */
+	if (getuid() != 0 && pw->pw_uid != getuid())
+		packet_disconnect("Cannot change user when server not running as root.");
+
+	debug("Attempting authentication for %.100s.", pw->pw_name);
+
+	/* If the user has no password, accept authentication immediately. */
+	if (options.password_authentication &&
+#ifdef KRB5
+	    !options.krb5_authentication &&
+#endif /* KRB5 */
+#ifdef KRB4
+	    (!options.krb4_authentication || options.krb4_or_local_passwd) &&
+#endif /* KRB4 */
+	    auth_password(pw, "")) {
+		/* Authentication with empty password succeeded. */
+		log("Login for user %s from %.100s, accepted without authentication.",
+		    pw->pw_name, get_remote_ipaddr());
+	} else {
+		/* Loop until the user has been authenticated or the
+		   connection is closed, do_authloop() returns only if
+		   authentication is successfull */
+		do_authloop(pw);
+	}
+
+	/* The user has been authenticated and accepted. */
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+
+	/* Perform session preparation. */
+	do_authenticated(pw);
+}
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
new file mode 100644
index 0000000..a663eca
--- /dev/null
+++ b/crypto/openssh/auth2.c
@@ -0,0 +1,472 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+#include "includes.h"
+RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
+
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "pty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "cipher.h"
+#include "servconf.h"
+#include "compat.h"
+#include "channels.h"
+#include "bufaux.h"
+#include "ssh2.h"
+#include "auth.h"
+#include "session.h"
+#include "dispatch.h"
+#include "auth.h"
+#include "key.h"
+#include "kex.h"
+
+#include "dsa.h"
+#include "uidswap.h"
+
+/* import */
+extern ServerOptions options;
+extern unsigned char *session_id2;
+extern int session_id2_len;
+
+/* protocol */
+
+void	input_service_request(int type, int plen);
+void	input_userauth_request(int type, int plen);
+void	protocol_error(int type, int plen);
+
+/* auth */
+int	ssh2_auth_none(struct passwd *pw);
+int	ssh2_auth_password(struct passwd *pw);
+int	ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen);
+
+/* helper */
+struct passwd*	 auth_set_user(char *u, char *s);
+int	user_dsa_key_allowed(struct passwd *pw, Key *key);
+
+typedef struct Authctxt Authctxt;
+struct Authctxt {
+	char *user;
+	char *service;
+	struct passwd pw;
+	int valid;
+};
+static Authctxt	*authctxt = NULL;
+static int userauth_success = 0;
+
+/*
+ * loop until userauth_success == TRUE
+ */
+
+void
+do_authentication2()
+{
+	/* turn off skey/kerberos, not supported by SSH2 */
+#ifdef SKEY
+	options.skey_authentication = 0;
+#endif
+#ifdef KRB4
+	options.krb4_authentication = 0;
+#endif
+
+	dispatch_init(&protocol_error);
+	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
+	dispatch_run(DISPATCH_BLOCK, &userauth_success);
+	do_authenticated2();
+}
+
+void
+protocol_error(int type, int plen)
+{
+	log("auth: protocol error: type %d plen %d", type, plen);
+	packet_start(SSH2_MSG_UNIMPLEMENTED);
+	packet_put_int(0);
+	packet_send();
+	packet_write_wait();
+}
+
+void
+input_service_request(int type, int plen)
+{
+	unsigned int len;
+	int accept = 0;
+	char *service = packet_get_string(&len);
+	packet_done();
+
+	if (strcmp(service, "ssh-userauth") == 0) {
+		if (!userauth_success) {
+			accept = 1;
+			/* now we can handle user-auth requests */
+			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
+		}
+	}
+	/* XXX all other service requests are denied */
+
+	if (accept) {
+		packet_start(SSH2_MSG_SERVICE_ACCEPT);
+		packet_put_cstring(service);
+		packet_send();
+		packet_write_wait();
+	} else {
+		debug("bad service request %s", service);
+		packet_disconnect("bad service request %s", service);
+	}
+	xfree(service);
+}
+
+void
+input_userauth_request(int type, int plen)
+{
+	static void (*authlog) (const char *fmt,...) = verbose;
+	static int attempt = 0;
+	unsigned int len, rlen;
+	int authenticated = 0;
+	char *raw, *user, *service, *method, *authmsg = NULL;
+	struct passwd *pw;
+
+	if (++attempt == AUTH_FAIL_MAX)
+		packet_disconnect("too many failed userauth_requests");
+
+	raw = packet_get_raw(&rlen);
+	if (plen != rlen)
+		fatal("plen != rlen");
+	user = packet_get_string(&len);
+	service = packet_get_string(&len);
+	method = packet_get_string(&len);
+	debug("userauth-request for user %s service %s method %s", user, service, method);
+
+	/* XXX we only allow the ssh-connection service */
+	pw = auth_set_user(user, service);
+	if (pw && strcmp(service, "ssh-connection")==0) {
+		if (strcmp(method, "none") == 0) {
+			authenticated =	ssh2_auth_none(pw);
+		} else if (strcmp(method, "password") == 0) {
+			authenticated =	ssh2_auth_password(pw);
+		} else if (strcmp(method, "publickey") == 0) {
+			authenticated =	ssh2_auth_pubkey(pw, raw, rlen);
+		}
+	}
+	if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
+		authenticated = 0;
+		log("ROOT LOGIN REFUSED FROM %.200s",
+		    get_canonical_hostname());
+	}
+
+	/* Raise logging level */
+	if (authenticated == 1 ||
+	    attempt == AUTH_FAIL_LOG ||
+	    strcmp(method, "password") == 0)
+		authlog = log;
+
+	/* Log before sending the reply */
+	if (authenticated == 1) {
+		authmsg = "Accepted";
+	} else if (authenticated == 0) {
+		authmsg = "Failed";
+	} else {
+		authmsg = "Postponed";
+	}
+	authlog("%s %s for %.200s from %.200s port %d ssh2",
+		authmsg,
+		method,
+		pw && pw->pw_uid == 0 ? "ROOT" : user,
+		get_remote_ipaddr(),
+		get_remote_port());
+
+	/* XXX todo: check if multiple auth methods are needed */
+	if (authenticated == 1) {
+		/* turn off userauth */
+		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
+		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
+		packet_send();
+		packet_write_wait();
+		/* now we can break out */
+		userauth_success = 1;
+	} else if (authenticated == 0) {
+		packet_start(SSH2_MSG_USERAUTH_FAILURE);
+		packet_put_cstring("publickey,password");	/* XXX dynamic */
+		packet_put_char(0);				/* XXX partial success, unused */
+		packet_send();
+		packet_write_wait();
+	}
+
+	xfree(service);
+	xfree(user);
+	xfree(method);
+}
+
+int
+ssh2_auth_none(struct passwd *pw)
+{
+	packet_done();
+	return auth_password(pw, "");
+}
+int
+ssh2_auth_password(struct passwd *pw)
+{
+	char *password;
+	int authenticated = 0;
+	int change;
+	unsigned int len;
+	change = packet_get_char();
+	if (change)
+		log("password change not supported");
+	password = packet_get_string(&len);
+	packet_done();
+	if (options.password_authentication &&
+	    auth_password(pw, password) == 1)
+		authenticated = 1;
+	memset(password, 0, len);
+	xfree(password);
+	return authenticated;
+}
+int
+ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
+{
+	Buffer b;
+	Key *key;
+	char *pkalg, *pkblob, *sig;
+	unsigned int alen, blen, slen;
+	int have_sig;
+	int authenticated = 0;
+
+	if (options.dsa_authentication == 0) {
+		debug("pubkey auth disabled");
+		return 0;
+	}
+	if (datafellows & SSH_BUG_PUBKEYAUTH) {
+		log("bug compatibility with ssh-2.0.13 pubkey not implemented");
+		return 0;
+	}
+	have_sig = packet_get_char();
+	pkalg = packet_get_string(&alen);
+	if (strcmp(pkalg, KEX_DSS) != 0) {
+		xfree(pkalg);
+		log("bad pkalg %s", pkalg);	/*XXX*/
+		return 0;
+	}
+	pkblob = packet_get_string(&blen);
+	key = dsa_key_from_blob(pkblob, blen);
+	if (key != NULL) {
+		if (have_sig) {
+			sig = packet_get_string(&slen);
+			packet_done();
+			buffer_init(&b);
+			buffer_append(&b, session_id2, session_id2_len);
+			buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+			if (slen + 4 > rlen)
+				fatal("bad rlen/slen");
+			buffer_append(&b, raw, rlen - slen - 4);
+#ifdef DEBUG_DSS
+			buffer_dump(&b);
+#endif
+			/* test for correct signature */
+			if (user_dsa_key_allowed(pw, key) &&
+			    dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+				authenticated = 1;
+			buffer_clear(&b);
+			xfree(sig);
+		} else {
+			packet_done();
+			debug("test key...");
+			/* test whether pkalg/pkblob are acceptable */
+			/* XXX fake reply and always send PK_OK ? */
+			/*
+			 * XXX this allows testing whether a user is allowed
+			 * to login: if you happen to have a valid pubkey this
+			 * message is sent. the message is NEVER sent at all
+			 * if a user is not allowed to login. is this an
+			 * issue? -markus
+			 */
+			if (user_dsa_key_allowed(pw, key)) {
+				packet_start(SSH2_MSG_USERAUTH_PK_OK);
+				packet_put_string(pkalg, alen);
+				packet_put_string(pkblob, blen);
+				packet_send();
+				packet_write_wait();
+				authenticated = -1;
+			}
+		}
+		key_free(key);
+	}
+	xfree(pkalg);
+	xfree(pkblob);
+	return authenticated;
+}
+
+/* set and get current user */
+
+struct passwd*
+auth_get_user(void)
+{
+	return (authctxt != NULL && authctxt->valid) ? &authctxt->pw : NULL;
+}
+
+struct passwd*
+auth_set_user(char *u, char *s)
+{
+	struct passwd *pw, *copy;
+
+	if (authctxt == NULL) {
+		authctxt = xmalloc(sizeof(*authctxt));
+		authctxt->valid = 0;
+		authctxt->user = xstrdup(u);
+		authctxt->service = xstrdup(s);
+		setproctitle("%s", u);
+		pw = getpwnam(u);
+		if (!pw || !allowed_user(pw)) {
+			log("auth_set_user: illegal user %s", u);
+			return NULL;
+		}
+		copy = &authctxt->pw;
+		memset(copy, 0, sizeof(*copy));
+		copy->pw_name = xstrdup(pw->pw_name);
+		copy->pw_passwd = xstrdup(pw->pw_passwd);
+		copy->pw_uid = pw->pw_uid;
+		copy->pw_gid = pw->pw_gid;
+		copy->pw_dir = xstrdup(pw->pw_dir);
+		copy->pw_shell = xstrdup(pw->pw_shell);
+		copy->pw_class = xstrdup(pw->pw_class);
+		copy->pw_expire = pw->pw_expire;
+		copy->pw_change = pw->pw_change;
+		authctxt->valid = 1;
+	} else {
+		if (strcmp(u, authctxt->user) != 0 ||
+		    strcmp(s, authctxt->service) != 0) {
+			log("auth_set_user: missmatch: (%s,%s)!=(%s,%s)",
+			    u, s, authctxt->user, authctxt->service);
+			return NULL;
+		}
+	}
+	return auth_get_user();
+}
+
+/* return 1 if user allows given key */
+int
+user_dsa_key_allowed(struct passwd *pw, Key *key)
+{
+	char line[8192], file[1024];
+	int found_key = 0;
+	unsigned int bits = -1;
+	FILE *f;
+	unsigned long linenum = 0;
+	struct stat st;
+	Key *found;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw->pw_uid);
+
+	/* The authorized keys. */
+	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
+	    SSH_USER_PERMITTED_KEYS2);
+
+	/* Fail quietly if file does not exist */
+	if (stat(file, &st) < 0) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	/* Open the file containing the authorized keys. */
+	f = fopen(file, "r");
+	if (!f) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	if (options.strict_modes) {
+		int fail = 0;
+		char buf[1024];
+		/* Check open file in order to avoid open/stat races */
+		if (fstat(fileno(f), &st) < 0 ||
+		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		    (st.st_mode & 022) != 0) {
+			snprintf(buf, sizeof buf, "DSA authentication refused for %.100s: "
+			    "bad ownership or modes for '%s'.", pw->pw_name, file);
+			fail = 1;
+		} else {
+			/* Check path to SSH_USER_PERMITTED_KEYS */
+			int i;
+			static const char *check[] = {
+				"", SSH_USER_DIR, NULL
+			};
+			for (i = 0; check[i]; i++) {
+				snprintf(line, sizeof line, "%.500s/%.100s",
+				    pw->pw_dir, check[i]);
+				if (stat(line, &st) < 0 ||
+				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+				    (st.st_mode & 022) != 0) {
+					snprintf(buf, sizeof buf,
+					    "DSA authentication refused for %.100s: "
+					    "bad ownership or modes for '%s'.",
+					    pw->pw_name, line);
+					fail = 1;
+					break;
+				}
+			}
+		}
+		if (fail) {
+			log(buf);
+			fclose(f);
+			restore_uid();
+			return 0;
+		}
+	}
+	found_key = 0;
+	found = key_new(KEY_DSA);
+
+	while (fgets(line, sizeof(line), f)) {
+		char *cp;
+		linenum++;
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '\n' || *cp == '#')
+			continue;
+		bits = key_read(found, &cp);
+		if (bits == 0)
+			continue;
+		if (key_equal(found, key)) {
+			found_key = 1;
+			debug("matching key found: file %s, line %ld",
+			    file, linenum);
+			break;
+		}
+	}
+	restore_uid();
+	fclose(f);
+	key_free(found);
+	return found_key;
+}
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
new file mode 100644
index 0000000..6b4952e
--- /dev/null
+++ b/crypto/openssh/authfd.c
@@ -0,0 +1,580 @@
+/*
+ *
+ * authfd.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Mar 29 01:30:28 1995 ylo
+ *
+ * Functions for connecting the local authentication agent.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: authfd.c,v 1.19 2000/04/29 18:11:52 markus Exp $");
+
+#include "ssh.h"
+#include "rsa.h"
+#include "authfd.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "getput.h"
+
+#include <openssl/rsa.h>
+
+/* Returns the number of the authentication fd, or -1 if there is none. */
+
+int
+ssh_get_authentication_socket()
+{
+	const char *authsocket;
+	int sock, len;
+	struct sockaddr_un sunaddr;
+
+	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
+	if (!authsocket)
+		return -1;
+
+	sunaddr.sun_family = AF_UNIX;
+	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
+	sunaddr.sun_len = len = SUN_LEN(&sunaddr)+1;
+
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0)
+		return -1;
+
+	/* close on exec */
+	if (fcntl(sock, F_SETFD, 1) == -1) {
+		close(sock);
+		return -1;
+	}
+	if (connect(sock, (struct sockaddr *) & sunaddr, len) < 0) {
+		close(sock);
+		return -1;
+	}
+	return sock;
+}
+
+/*
+ * Closes the agent socket if it should be closed (depends on how it was
+ * obtained).  The argument must have been returned by
+ * ssh_get_authentication_socket().
+ */
+
+void
+ssh_close_authentication_socket(int sock)
+{
+	if (getenv(SSH_AUTHSOCKET_ENV_NAME))
+		close(sock);
+}
+
+/*
+ * Opens and connects a private socket for communication with the
+ * authentication agent.  Returns the file descriptor (which must be
+ * shut down and closed by the caller when no longer needed).
+ * Returns NULL if an error occurred and the connection could not be
+ * opened.
+ */
+
+AuthenticationConnection *
+ssh_get_authentication_connection()
+{
+	AuthenticationConnection *auth;
+	int sock;
+
+	sock = ssh_get_authentication_socket();
+
+	/*
+	 * Fail if we couldn't obtain a connection.  This happens if we
+	 * exited due to a timeout.
+	 */
+	if (sock < 0)
+		return NULL;
+
+	auth = xmalloc(sizeof(*auth));
+	auth->fd = sock;
+	buffer_init(&auth->packet);
+	buffer_init(&auth->identities);
+	auth->howmany = 0;
+
+	return auth;
+}
+
+/*
+ * Closes the connection to the authentication agent and frees any associated
+ * memory.
+ */
+
+void
+ssh_close_authentication_connection(AuthenticationConnection *ac)
+{
+	buffer_free(&ac->packet);
+	buffer_free(&ac->identities);
+	close(ac->fd);
+	xfree(ac);
+}
+
+/*
+ * Returns the first authentication identity held by the agent.
+ * Returns true if an identity is available, 0 otherwise.
+ * The caller must initialize the integers before the call, and free the
+ * comment after a successful call (before calling ssh_get_next_identity).
+ */
+
+int
+ssh_get_first_identity(AuthenticationConnection *auth,
+		       BIGNUM *e, BIGNUM *n, char **comment)
+{
+	unsigned char msg[8192];
+	int len, l;
+
+	/*
+	 * Send a message to the agent requesting for a list of the
+	 * identities it can represent.
+	 */
+	msg[0] = 0;
+	msg[1] = 0;
+	msg[2] = 0;
+	msg[3] = 1;
+	msg[4] = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
+	if (atomicio(write, auth->fd, msg, 5) != 5) {
+		error("write auth->fd: %.100s", strerror(errno));
+		return 0;
+	}
+	/* Read the length of the response.  XXX implement timeouts here. */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, msg + 4 - len, len);
+		if (l <= 0) {
+			error("read auth->fd: %.100s", strerror(errno));
+			return 0;
+		}
+		len -= l;
+	}
+
+	/*
+	 * Extract the length, and check it for sanity.  (We cannot trust
+	 * authentication agents).
+	 */
+	len = GET_32BIT(msg);
+	if (len < 1 || len > 256 * 1024)
+		fatal("Authentication reply message too long: %d\n", len);
+
+	/* Read the packet itself. */
+	buffer_clear(&auth->identities);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(msg))
+			l = sizeof(msg);
+		l = read(auth->fd, msg, l);
+		if (l <= 0)
+			fatal("Incomplete authentication reply.");
+		buffer_append(&auth->identities, (char *) msg, l);
+		len -= l;
+	}
+
+	/* Get message type, and verify that we got a proper answer. */
+	buffer_get(&auth->identities, (char *) msg, 1);
+	if (msg[0] != SSH_AGENT_RSA_IDENTITIES_ANSWER)
+		fatal("Bad authentication reply message type: %d", msg[0]);
+
+	/* Get the number of entries in the response and check it for sanity. */
+	auth->howmany = buffer_get_int(&auth->identities);
+	if (auth->howmany > 1024)
+		fatal("Too many identities in authentication reply: %d\n", auth->howmany);
+
+	/* Return the first entry (if any). */
+	return ssh_get_next_identity(auth, e, n, comment);
+}
+
+/*
+ * Returns the next authentication identity for the agent.  Other functions
+ * can be called between this and ssh_get_first_identity or two calls of this
+ * function.  This returns 0 if there are no more identities.  The caller
+ * must free comment after a successful return.
+ */
+
+int
+ssh_get_next_identity(AuthenticationConnection *auth,
+		      BIGNUM *e, BIGNUM *n, char **comment)
+{
+	unsigned int bits;
+
+	/* Return failure if no more entries. */
+	if (auth->howmany <= 0)
+		return 0;
+
+	/*
+	 * Get the next entry from the packet.  These will abort with a fatal
+	 * error if the packet is too short or contains corrupt data.
+	 */
+	bits = buffer_get_int(&auth->identities);
+	buffer_get_bignum(&auth->identities, e);
+	buffer_get_bignum(&auth->identities, n);
+	*comment = buffer_get_string(&auth->identities, NULL);
+
+	if (bits != BN_num_bits(n))
+		log("Warning: identity keysize mismatch: actual %d, announced %u",
+		    BN_num_bits(n), bits);
+
+	/* Decrement the number of remaining entries. */
+	auth->howmany--;
+
+	return 1;
+}
+
+/*
+ * Generates a random challenge, sends it to the agent, and waits for
+ * response from the agent.  Returns true (non-zero) if the agent gave the
+ * correct answer, zero otherwise.  Response type selects the style of
+ * response desired, with 0 corresponding to protocol version 1.0 (no longer
+ * supported) and 1 corresponding to protocol version 1.1.
+ */
+
+int
+ssh_decrypt_challenge(AuthenticationConnection *auth,
+		      BIGNUM* e, BIGNUM *n, BIGNUM *challenge,
+		      unsigned char session_id[16],
+		      unsigned int response_type,
+		      unsigned char response[16])
+{
+	Buffer buffer;
+	unsigned char buf[8192];
+	int len, l, i;
+
+	/* Response type 0 is no longer supported. */
+	if (response_type == 0)
+		fatal("Compatibility with ssh protocol version 1.0 no longer supported.");
+
+	/* Format a message to the agent. */
+	buf[0] = SSH_AGENTC_RSA_CHALLENGE;
+	buffer_init(&buffer);
+	buffer_append(&buffer, (char *) buf, 1);
+	buffer_put_int(&buffer, BN_num_bits(n));
+	buffer_put_bignum(&buffer, e);
+	buffer_put_bignum(&buffer, n);
+	buffer_put_bignum(&buffer, challenge);
+	buffer_append(&buffer, (char *) session_id, 16);
+	buffer_put_int(&buffer, response_type);
+
+	/* Get the length of the message, and format it in the buffer. */
+	len = buffer_len(&buffer);
+	PUT_32BIT(buf, len);
+
+	/* Send the length and then the packet to the agent. */
+	if (atomicio(write, auth->fd, buf, 4) != 4 ||
+	    atomicio(write, auth->fd, buffer_ptr(&buffer),
+	    buffer_len(&buffer)) != buffer_len(&buffer)) {
+		error("Error writing to authentication socket.");
+error_cleanup:
+		buffer_free(&buffer);
+		return 0;
+	}
+	/*
+	 * Wait for response from the agent.  First read the length of the
+	 * response packet.
+	 */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, buf + 4 - len, len);
+		if (l <= 0) {
+			error("Error reading response length from authentication socket.");
+			goto error_cleanup;
+		}
+		len -= l;
+	}
+
+	/* Extract the length, and check it for sanity. */
+	len = GET_32BIT(buf);
+	if (len > 256 * 1024)
+		fatal("Authentication response too long: %d", len);
+
+	/* Read the rest of the response in tothe buffer. */
+	buffer_clear(&buffer);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+			l = sizeof(buf);
+		l = read(auth->fd, buf, l);
+		if (l <= 0) {
+			error("Error reading response from authentication socket.");
+			goto error_cleanup;
+		}
+		buffer_append(&buffer, (char *) buf, l);
+		len -= l;
+	}
+
+	/* Get the type of the packet. */
+	buffer_get(&buffer, (char *) buf, 1);
+
+	/* Check for agent failure message. */
+	if (buf[0] == SSH_AGENT_FAILURE) {
+		log("Agent admitted failure to authenticate using the key.");
+		goto error_cleanup;
+	}
+	/* Now it must be an authentication response packet. */
+	if (buf[0] != SSH_AGENT_RSA_RESPONSE)
+		fatal("Bad authentication response: %d", buf[0]);
+
+	/*
+	 * Get the response from the packet.  This will abort with a fatal
+	 * error if the packet is corrupt.
+	 */
+	for (i = 0; i < 16; i++)
+		response[i] = buffer_get_char(&buffer);
+
+	/* The buffer containing the packet is no longer needed. */
+	buffer_free(&buffer);
+
+	/* Correct answer. */
+	return 1;
+}
+
+/*
+ * Adds an identity to the authentication server.  This call is not meant to
+ * be used by normal applications.
+ */
+
+int
+ssh_add_identity(AuthenticationConnection *auth,
+		 RSA * key, const char *comment)
+{
+	Buffer buffer;
+	unsigned char buf[8192];
+	int len, l, type;
+
+	/* Format a message to the agent. */
+	buffer_init(&buffer);
+	buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY);
+	buffer_put_int(&buffer, BN_num_bits(key->n));
+	buffer_put_bignum(&buffer, key->n);
+	buffer_put_bignum(&buffer, key->e);
+	buffer_put_bignum(&buffer, key->d);
+	/* To keep within the protocol: p < q for ssh. in SSL p > q */
+	buffer_put_bignum(&buffer, key->iqmp);	/* ssh key->u */
+	buffer_put_bignum(&buffer, key->q);	/* ssh key->p, SSL key->q */
+	buffer_put_bignum(&buffer, key->p);	/* ssh key->q, SSL key->p */
+	buffer_put_string(&buffer, comment, strlen(comment));
+
+	/* Get the length of the message, and format it in the buffer. */
+	len = buffer_len(&buffer);
+	PUT_32BIT(buf, len);
+
+	/* Send the length and then the packet to the agent. */
+	if (atomicio(write, auth->fd, buf, 4) != 4 ||
+	    atomicio(write, auth->fd, buffer_ptr(&buffer),
+	    buffer_len(&buffer)) != buffer_len(&buffer)) {
+		error("Error writing to authentication socket.");
+error_cleanup:
+		buffer_free(&buffer);
+		return 0;
+	}
+	/* Wait for response from the agent.  First read the length of the
+	   response packet. */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, buf + 4 - len, len);
+		if (l <= 0) {
+			error("Error reading response length from authentication socket.");
+			goto error_cleanup;
+		}
+		len -= l;
+	}
+
+	/* Extract the length, and check it for sanity. */
+	len = GET_32BIT(buf);
+	if (len > 256 * 1024)
+		fatal("Add identity response too long: %d", len);
+
+	/* Read the rest of the response in tothe buffer. */
+	buffer_clear(&buffer);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+			l = sizeof(buf);
+		l = read(auth->fd, buf, l);
+		if (l <= 0) {
+			error("Error reading response from authentication socket.");
+			goto error_cleanup;
+		}
+		buffer_append(&buffer, (char *) buf, l);
+		len -= l;
+	}
+
+	/* Get the type of the packet. */
+	type = buffer_get_char(&buffer);
+	switch (type) {
+	case SSH_AGENT_FAILURE:
+		buffer_free(&buffer);
+		return 0;
+	case SSH_AGENT_SUCCESS:
+		buffer_free(&buffer);
+		return 1;
+	default:
+		fatal("Bad response to add identity from authentication agent: %d",
+		      type);
+	}
+	/* NOTREACHED */
+	return 0;
+}
+
+/*
+ * Removes an identity from the authentication server.  This call is not
+ * meant to be used by normal applications.
+ */
+
+int
+ssh_remove_identity(AuthenticationConnection *auth, RSA *key)
+{
+	Buffer buffer;
+	unsigned char buf[8192];
+	int len, l, type;
+
+	/* Format a message to the agent. */
+	buffer_init(&buffer);
+	buffer_put_char(&buffer, SSH_AGENTC_REMOVE_RSA_IDENTITY);
+	buffer_put_int(&buffer, BN_num_bits(key->n));
+	buffer_put_bignum(&buffer, key->e);
+	buffer_put_bignum(&buffer, key->n);
+
+	/* Get the length of the message, and format it in the buffer. */
+	len = buffer_len(&buffer);
+	PUT_32BIT(buf, len);
+
+	/* Send the length and then the packet to the agent. */
+	if (atomicio(write, auth->fd, buf, 4) != 4 ||
+	    atomicio(write, auth->fd, buffer_ptr(&buffer),
+	    buffer_len(&buffer)) != buffer_len(&buffer)) {
+		error("Error writing to authentication socket.");
+error_cleanup:
+		buffer_free(&buffer);
+		return 0;
+	}
+	/*
+	 * Wait for response from the agent.  First read the length of the
+	 * response packet.
+	 */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, buf + 4 - len, len);
+		if (l <= 0) {
+			error("Error reading response length from authentication socket.");
+			goto error_cleanup;
+		}
+		len -= l;
+	}
+
+	/* Extract the length, and check it for sanity. */
+	len = GET_32BIT(buf);
+	if (len > 256 * 1024)
+		fatal("Remove identity response too long: %d", len);
+
+	/* Read the rest of the response in tothe buffer. */
+	buffer_clear(&buffer);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+			l = sizeof(buf);
+		l = read(auth->fd, buf, l);
+		if (l <= 0) {
+			error("Error reading response from authentication socket.");
+			goto error_cleanup;
+		}
+		buffer_append(&buffer, (char *) buf, l);
+		len -= l;
+	}
+
+	/* Get the type of the packet. */
+	type = buffer_get_char(&buffer);
+	switch (type) {
+	case SSH_AGENT_FAILURE:
+		buffer_free(&buffer);
+		return 0;
+	case SSH_AGENT_SUCCESS:
+		buffer_free(&buffer);
+		return 1;
+	default:
+		fatal("Bad response to remove identity from authentication agent: %d",
+		      type);
+	}
+	/* NOTREACHED */
+	return 0;
+}
+
+/*
+ * Removes all identities from the agent.  This call is not meant to be used
+ * by normal applications.
+ */
+
+int
+ssh_remove_all_identities(AuthenticationConnection *auth)
+{
+	Buffer buffer;
+	unsigned char buf[8192];
+	int len, l, type;
+
+	/* Get the length of the message, and format it in the buffer. */
+	PUT_32BIT(buf, 1);
+	buf[4] = SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES;
+
+	/* Send the length and then the packet to the agent. */
+	if (atomicio(write, auth->fd, buf, 5) != 5) {
+		error("Error writing to authentication socket.");
+		return 0;
+	}
+	/*
+	 * Wait for response from the agent.  First read the length of the
+	 * response packet.
+	 */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, buf + 4 - len, len);
+		if (l <= 0) {
+			error("Error reading response length from authentication socket.");
+			return 0;
+		}
+		len -= l;
+	}
+
+	/* Extract the length, and check it for sanity. */
+	len = GET_32BIT(buf);
+	if (len > 256 * 1024)
+		fatal("Remove identity response too long: %d", len);
+
+	/* Read the rest of the response into the buffer. */
+	buffer_init(&buffer);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+			l = sizeof(buf);
+		l = read(auth->fd, buf, l);
+		if (l <= 0) {
+			error("Error reading response from authentication socket.");
+			buffer_free(&buffer);
+			return 0;
+		}
+		buffer_append(&buffer, (char *) buf, l);
+		len -= l;
+	}
+
+	/* Get the type of the packet. */
+	type = buffer_get_char(&buffer);
+	switch (type) {
+	case SSH_AGENT_FAILURE:
+		buffer_free(&buffer);
+		return 0;
+	case SSH_AGENT_SUCCESS:
+		buffer_free(&buffer);
+		return 1;
+	default:
+		fatal("Bad response to remove identity from authentication agent: %d",
+		      type);
+	}
+	/* NOTREACHED */
+	return 0;
+}
diff --git a/crypto/openssh/authfd.h b/crypto/openssh/authfd.h
new file mode 100644
index 0000000..fbeea23
--- /dev/null
+++ b/crypto/openssh/authfd.h
@@ -0,0 +1,119 @@
+/*
+ *
+ * authfd.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Mar 29 01:17:41 1995 ylo
+ *
+ * Functions to interface with the SSH_AUTHENTICATION_FD socket.
+ *
+ */
+
+/* RCSID("$Id: authfd.h,v 1.7 2000/04/14 10:30:30 markus Exp $"); */
+
+#ifndef AUTHFD_H
+#define AUTHFD_H
+
+#include "buffer.h"
+
+/* Messages for the authentication agent connection. */
+#define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
+#define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
+#define SSH_AGENTC_RSA_CHALLENGE		3
+#define SSH_AGENT_RSA_RESPONSE			4
+#define SSH_AGENT_FAILURE			5
+#define SSH_AGENT_SUCCESS			6
+#define SSH_AGENTC_ADD_RSA_IDENTITY		7
+#define SSH_AGENTC_REMOVE_RSA_IDENTITY		8
+#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
+
+typedef struct {
+	int     fd;
+	Buffer  packet;
+	Buffer  identities;
+	int     howmany;
+}       AuthenticationConnection;
+/* Returns the number of the authentication fd, or -1 if there is none. */
+int     ssh_get_authentication_socket();
+
+/*
+ * This should be called for any descriptor returned by
+ * ssh_get_authentication_socket().  Depending on the way the descriptor was
+ * obtained, this may close the descriptor.
+ */
+void    ssh_close_authentication_socket(int authfd);
+
+/*
+ * Opens and connects a private socket for communication with the
+ * authentication agent.  Returns NULL if an error occurred and the
+ * connection could not be opened.  The connection should be closed by the
+ * caller by calling ssh_close_authentication_connection().
+ */
+AuthenticationConnection *ssh_get_authentication_connection();
+
+/*
+ * Closes the connection to the authentication agent and frees any associated
+ * memory.
+ */
+void    ssh_close_authentication_connection(AuthenticationConnection * ac);
+
+/*
+ * Returns the first authentication identity held by the agent. Returns true
+ * if an identity is available, 0 otherwise. The caller must initialize the
+ * integers before the call, and free the comment after a successful call
+ * (before calling ssh_get_next_identity).
+ */
+int
+ssh_get_first_identity(AuthenticationConnection * connection,
+    BIGNUM * e, BIGNUM * n, char **comment);
+
+/*
+ * Returns the next authentication identity for the agent.  Other functions
+ * can be called between this and ssh_get_first_identity or two calls of this
+ * function.  This returns 0 if there are no more identities.  The caller
+ * must free comment after a successful return.
+ */
+int
+ssh_get_next_identity(AuthenticationConnection * connection,
+    BIGNUM * e, BIGNUM * n, char **comment);
+
+/* Requests the agent to decrypt the given challenge.  Returns true if
+   the agent claims it was able to decrypt it. */
+int
+ssh_decrypt_challenge(AuthenticationConnection * auth,
+    BIGNUM * e, BIGNUM * n, BIGNUM * challenge,
+    unsigned char session_id[16],
+    unsigned int response_type,
+    unsigned char response[16]);
+
+/*
+ * Adds an identity to the authentication server.  This call is not meant to
+ * be used by normal applications.  This returns true if the identity was
+ * successfully added.
+ */
+int
+ssh_add_identity(AuthenticationConnection * connection, RSA * key,
+    const char *comment);
+
+/*
+ * Removes the identity from the authentication server.  This call is not
+ * meant to be used by normal applications.  This returns true if the
+ * identity was successfully added.
+ */
+int     ssh_remove_identity(AuthenticationConnection * connection, RSA * key);
+
+/*
+ * Removes all identities from the authentication agent.  This call is not
+ * meant to be used by normal applications.  This returns true if the
+ * operation was successful.
+ */
+int     ssh_remove_all_identities(AuthenticationConnection * connection);
+
+/* Closes the connection to the authentication agent. */
+void    ssh_close_authentication(AuthenticationConnection * connection);
+
+#endif				/* AUTHFD_H */
diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c
new file mode 100644
index 0000000..b8bc9e5
--- /dev/null
+++ b/crypto/openssh/authfile.c
@@ -0,0 +1,494 @@
+/*
+ *
+ * authfile.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Mar 27 03:52:05 1995 ylo
+ *
+ * This file contains functions for reading and writing identity files, and
+ * for reading the passphrase from the user.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: authfile.c,v 1.16 2000/04/26 21:28:32 markus Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "cipher.h"
+#include "ssh.h"
+#include "key.h"
+
+/* Version identification string for identity files. */
+#define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n"
+
+/*
+ * Saves the authentication (private) key in a file, encrypting it with
+ * passphrase.  The identification of the file (lowest 64 bits of n) will
+ * precede the key to provide identification of the key without needing a
+ * passphrase.
+ */
+
+int
+save_private_key_rsa(const char *filename, const char *passphrase,
+    RSA *key, const char *comment)
+{
+	Buffer buffer, encrypted;
+	char buf[100], *cp;
+	int fd, i;
+	CipherContext cipher;
+	int cipher_type;
+	u_int32_t rand;
+
+	/*
+	 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
+	 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
+	 */
+	if (strcmp(passphrase, "") == 0)
+		cipher_type = SSH_CIPHER_NONE;
+	else
+		cipher_type = SSH_AUTHFILE_CIPHER;
+
+	/* This buffer is used to built the secret part of the private key. */
+	buffer_init(&buffer);
+
+	/* Put checkbytes for checking passphrase validity. */
+	rand = arc4random();
+	buf[0] = rand & 0xff;
+	buf[1] = (rand >> 8) & 0xff;
+	buf[2] = buf[0];
+	buf[3] = buf[1];
+	buffer_append(&buffer, buf, 4);
+
+	/*
+	 * Store the private key (n and e will not be stored because they
+	 * will be stored in plain text, and storing them also in encrypted
+	 * format would just give known plaintext).
+	 */
+	buffer_put_bignum(&buffer, key->d);
+	buffer_put_bignum(&buffer, key->iqmp);
+	buffer_put_bignum(&buffer, key->q);	/* reverse from SSL p */
+	buffer_put_bignum(&buffer, key->p);	/* reverse from SSL q */
+
+	/* Pad the part to be encrypted until its size is a multiple of 8. */
+	while (buffer_len(&buffer) % 8 != 0)
+		buffer_put_char(&buffer, 0);
+
+	/* This buffer will be used to contain the data in the file. */
+	buffer_init(&encrypted);
+
+	/* First store keyfile id string. */
+	cp = AUTHFILE_ID_STRING;
+	for (i = 0; cp[i]; i++)
+		buffer_put_char(&encrypted, cp[i]);
+	buffer_put_char(&encrypted, 0);
+
+	/* Store cipher type. */
+	buffer_put_char(&encrypted, cipher_type);
+	buffer_put_int(&encrypted, 0);	/* For future extension */
+
+	/* Store public key.  This will be in plain text. */
+	buffer_put_int(&encrypted, BN_num_bits(key->n));
+	buffer_put_bignum(&encrypted, key->n);
+	buffer_put_bignum(&encrypted, key->e);
+	buffer_put_string(&encrypted, comment, strlen(comment));
+
+	/* Allocate space for the private part of the key in the buffer. */
+	buffer_append_space(&encrypted, &cp, buffer_len(&buffer));
+
+	cipher_set_key_string(&cipher, cipher_type, passphrase);
+	cipher_encrypt(&cipher, (unsigned char *) cp,
+		       (unsigned char *) buffer_ptr(&buffer),
+		       buffer_len(&buffer));
+	memset(&cipher, 0, sizeof(cipher));
+
+	/* Destroy temporary data. */
+	memset(buf, 0, sizeof(buf));
+	buffer_free(&buffer);
+
+	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (fd < 0)
+		return 0;
+	if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
+	    buffer_len(&encrypted)) {
+		debug("Write to key file %.200s failed: %.100s", filename,
+		      strerror(errno));
+		buffer_free(&encrypted);
+		close(fd);
+		remove(filename);
+		return 0;
+	}
+	close(fd);
+	buffer_free(&encrypted);
+	return 1;
+}
+
+/* save DSA key in OpenSSL PEM format */
+
+int
+save_private_key_dsa(const char *filename, const char *passphrase,
+    DSA *dsa, const char *comment)
+{
+	FILE *fp;
+	int fd;
+	int success = 1;
+	int len = strlen(passphrase);
+
+	if (len > 0 && len <= 4) {
+		error("passphrase too short: %d bytes", len);
+		errno = 0;
+		return 0;
+	}
+	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (fd < 0) {
+		debug("open %s failed", filename);
+		return 0;
+	}
+	fp = fdopen(fd, "w");
+	if (fp == NULL ) {
+		debug("fdopen %s failed", filename);
+		close(fd);
+		return 0;
+	}
+	if (len > 0) {
+		if (!PEM_write_DSAPrivateKey(fp, dsa, EVP_des_ede3_cbc(),
+		    (char *)passphrase, strlen(passphrase), NULL, NULL))
+			success = 0;
+	} else {
+		if (!PEM_write_DSAPrivateKey(fp, dsa, NULL,
+		    NULL, 0, NULL, NULL))
+			success = 0;
+	}
+	fclose(fp);
+	return success;
+}
+
+int
+save_private_key(const char *filename, const char *passphrase, Key *key,
+    const char *comment)
+{
+	switch (key->type) {
+	case KEY_RSA:
+		return save_private_key_rsa(filename, passphrase, key->rsa, comment);
+		break;
+	case KEY_DSA:
+		return save_private_key_dsa(filename, passphrase, key->dsa, comment);
+		break;
+	default:
+		break;
+	}
+	return 0;
+}
+
+/*
+ * Loads the public part of the key file.  Returns 0 if an error was
+ * encountered (the file does not exist or is not readable), and non-zero
+ * otherwise.
+ */
+
+int
+load_public_key_rsa(const char *filename, RSA * pub, char **comment_return)
+{
+	int fd, i;
+	off_t len;
+	Buffer buffer;
+	char *cp;
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return 0;
+	len = lseek(fd, (off_t) 0, SEEK_END);
+	lseek(fd, (off_t) 0, SEEK_SET);
+
+	buffer_init(&buffer);
+	buffer_append_space(&buffer, &cp, len);
+
+	if (read(fd, cp, (size_t) len) != (size_t) len) {
+		debug("Read from key file %.200s failed: %.100s", filename,
+		    strerror(errno));
+		buffer_free(&buffer);
+		close(fd);
+		return 0;
+	}
+	close(fd);
+
+	/* Check that it is at least big enought to contain the ID string. */
+	if (len < strlen(AUTHFILE_ID_STRING) + 1) {
+		debug("Bad key file %.200s.", filename);
+		buffer_free(&buffer);
+		return 0;
+	}
+	/*
+	 * Make sure it begins with the id string.  Consume the id string
+	 * from the buffer.
+	 */
+	for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++)
+		if (buffer_get_char(&buffer) != (u_char) AUTHFILE_ID_STRING[i]) {
+			debug("Bad key file %.200s.", filename);
+			buffer_free(&buffer);
+			return 0;
+		}
+	/* Skip cipher type and reserved data. */
+	(void) buffer_get_char(&buffer);	/* cipher type */
+	(void) buffer_get_int(&buffer);		/* reserved */
+
+	/* Read the public key from the buffer. */
+	buffer_get_int(&buffer);
+	/* XXX alloc */
+	if (pub->n == NULL)
+		pub->n = BN_new();
+	buffer_get_bignum(&buffer, pub->n);
+	/* XXX alloc */
+	if (pub->e == NULL)
+		pub->e = BN_new();
+	buffer_get_bignum(&buffer, pub->e);
+	if (comment_return)
+		*comment_return = buffer_get_string(&buffer, NULL);
+	/* The encrypted private part is not parsed by this function. */
+
+	buffer_free(&buffer);
+
+	return 1;
+}
+
+int
+load_public_key(const char *filename, Key * key, char **comment_return)
+{
+	switch (key->type) {
+	case KEY_RSA:
+		return load_public_key_rsa(filename, key->rsa, comment_return);
+		break;
+	case KEY_DSA:
+	default:
+		break;
+	}
+	return 0;
+}
+
+/*
+ * Loads the private key from the file.  Returns 0 if an error is encountered
+ * (file does not exist or is not readable, or passphrase is bad). This
+ * initializes the private key.
+ * Assumes we are called under uid of the owner of the file.
+ */
+
+int
+load_private_key_rsa(int fd, const char *filename,
+    const char *passphrase, RSA * prv, char **comment_return)
+{
+	int i, check1, check2, cipher_type;
+	off_t len;
+	Buffer buffer, decrypted;
+	char *cp;
+	CipherContext cipher;
+	BN_CTX *ctx;
+	BIGNUM *aux;
+
+	len = lseek(fd, (off_t) 0, SEEK_END);
+	lseek(fd, (off_t) 0, SEEK_SET);
+
+	buffer_init(&buffer);
+	buffer_append_space(&buffer, &cp, len);
+
+	if (read(fd, cp, (size_t) len) != (size_t) len) {
+		debug("Read from key file %.200s failed: %.100s", filename,
+		      strerror(errno));
+		buffer_free(&buffer);
+		close(fd);
+		return 0;
+	}
+	close(fd);
+
+	/* Check that it is at least big enought to contain the ID string. */
+	if (len < strlen(AUTHFILE_ID_STRING) + 1) {
+		debug("Bad key file %.200s.", filename);
+		buffer_free(&buffer);
+		return 0;
+	}
+	/*
+	 * Make sure it begins with the id string.  Consume the id string
+	 * from the buffer.
+	 */
+	for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++)
+		if (buffer_get_char(&buffer) != (unsigned char) AUTHFILE_ID_STRING[i]) {
+			debug("Bad key file %.200s.", filename);
+			buffer_free(&buffer);
+			return 0;
+		}
+	/* Read cipher type. */
+	cipher_type = buffer_get_char(&buffer);
+	(void) buffer_get_int(&buffer);	/* Reserved data. */
+
+	/* Read the public key from the buffer. */
+	buffer_get_int(&buffer);
+	prv->n = BN_new();
+	buffer_get_bignum(&buffer, prv->n);
+	prv->e = BN_new();
+	buffer_get_bignum(&buffer, prv->e);
+	if (comment_return)
+		*comment_return = buffer_get_string(&buffer, NULL);
+	else
+		xfree(buffer_get_string(&buffer, NULL));
+
+	/* Check that it is a supported cipher. */
+	if (((cipher_mask1() | SSH_CIPHER_NONE | SSH_AUTHFILE_CIPHER) &
+	     (1 << cipher_type)) == 0) {
+		debug("Unsupported cipher %.100s used in key file %.200s.",
+		      cipher_name(cipher_type), filename);
+		buffer_free(&buffer);
+		goto fail;
+	}
+	/* Initialize space for decrypted data. */
+	buffer_init(&decrypted);
+	buffer_append_space(&decrypted, &cp, buffer_len(&buffer));
+
+	/* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
+	cipher_set_key_string(&cipher, cipher_type, passphrase);
+	cipher_decrypt(&cipher, (unsigned char *) cp,
+		       (unsigned char *) buffer_ptr(&buffer),
+		       buffer_len(&buffer));
+
+	buffer_free(&buffer);
+
+	check1 = buffer_get_char(&decrypted);
+	check2 = buffer_get_char(&decrypted);
+	if (check1 != buffer_get_char(&decrypted) ||
+	    check2 != buffer_get_char(&decrypted)) {
+		if (strcmp(passphrase, "") != 0)
+			debug("Bad passphrase supplied for key file %.200s.", filename);
+		/* Bad passphrase. */
+		buffer_free(&decrypted);
+fail:
+		BN_clear_free(prv->n);
+		prv->n = NULL;
+		BN_clear_free(prv->e);
+		prv->e = NULL;
+		if (comment_return)
+			xfree(*comment_return);
+		return 0;
+	}
+	/* Read the rest of the private key. */
+	prv->d = BN_new();
+	buffer_get_bignum(&decrypted, prv->d);
+	prv->iqmp = BN_new();
+	buffer_get_bignum(&decrypted, prv->iqmp);	/* u */
+	/* in SSL and SSH p and q are exchanged */
+	prv->q = BN_new();
+	buffer_get_bignum(&decrypted, prv->q);		/* p */
+	prv->p = BN_new();
+	buffer_get_bignum(&decrypted, prv->p);		/* q */
+
+	ctx = BN_CTX_new();
+	aux = BN_new();
+
+	BN_sub(aux, prv->q, BN_value_one());
+	prv->dmq1 = BN_new();
+	BN_mod(prv->dmq1, prv->d, aux, ctx);
+
+	BN_sub(aux, prv->p, BN_value_one());
+	prv->dmp1 = BN_new();
+	BN_mod(prv->dmp1, prv->d, aux, ctx);
+
+	BN_clear_free(aux);
+	BN_CTX_free(ctx);
+
+	buffer_free(&decrypted);
+
+	return 1;
+}
+
+int
+load_private_key_dsa(int fd, const char *passphrase, Key *k, char **comment_return)
+{
+	DSA *dsa;
+	BIO *in;
+	FILE *fp;
+
+	in = BIO_new(BIO_s_file());
+	if (in == NULL) {
+		error("BIO_new failed");
+		return 0;
+	}
+	fp = fdopen(fd, "r");
+	if (fp == NULL) {
+		error("fdopen failed");
+		return 0;
+	}
+	BIO_set_fp(in, fp, BIO_NOCLOSE);
+	dsa = PEM_read_bio_DSAPrivateKey(in, NULL, NULL, (char *)passphrase);
+	if (dsa == NULL) {
+		debug("PEM_read_bio_DSAPrivateKey failed");
+	} else {
+		/* replace k->dsa with loaded key */
+		DSA_free(k->dsa);
+		k->dsa = dsa;
+	}
+	BIO_free(in);
+	fclose(fp);
+	if (comment_return)
+		*comment_return = xstrdup("dsa w/o comment");
+	debug("read DSA private key done");
+#ifdef DEBUG_DSS
+	DSA_print_fp(stderr, dsa, 8);
+#endif
+	return dsa != NULL ? 1 : 0;
+}
+
+int
+load_private_key(const char *filename, const char *passphrase, Key *key,
+    char **comment_return)
+{
+	int fd;
+	int ret = 0;
+	struct stat st;
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return 0;
+
+	/* check owner and modes */
+	if (fstat(fd, &st) < 0 ||
+	    (st.st_uid != 0 && st.st_uid != getuid()) ||
+	    (st.st_mode & 077) != 0) {
+		close(fd);
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("Bad ownership or mode(0%3.3o) for '%s'.",
+		      st.st_mode & 0777, filename);
+		error("It is recommended that your private key files are NOT accessible by others.");
+		return 0;
+	}
+	switch (key->type) {
+	case KEY_RSA:
+		if (key->rsa->e != NULL) {
+			BN_clear_free(key->rsa->e);
+			key->rsa->e = NULL;
+		}
+		if (key->rsa->n != NULL) {
+			BN_clear_free(key->rsa->n);
+			key->rsa->n = NULL;
+		}
+		ret = load_private_key_rsa(fd, filename, passphrase,
+		     key->rsa, comment_return);
+		break;
+	case KEY_DSA:
+		ret = load_private_key_dsa(fd, passphrase, key, comment_return);
+	default:
+		break;
+	}
+	close(fd);
+	return ret;
+}
diff --git a/crypto/openssh/authfile.h b/crypto/openssh/authfile.h
new file mode 100644
index 0000000..afec27d
--- /dev/null
+++ b/crypto/openssh/authfile.h
@@ -0,0 +1,36 @@
+#ifndef AUTHFILE_H
+#define AUTHFILE_H
+
+/*
+ * Saves the authentication (private) key in a file, encrypting it with
+ * passphrase.
+ * For RSA keys: The identification of the file (lowest 64 bits of n)
+ * will precede the key to provide identification of the key without
+ * needing a passphrase.
+ */
+int
+save_private_key(const char *filename, const char *passphrase,
+    Key * private_key, const char *comment);
+
+/*
+ * Loads the public part of the key file (public key and comment). Returns 0
+ * if an error occurred; zero if the public key was successfully read.  The
+ * comment of the key is returned in comment_return if it is non-NULL; the
+ * caller must free the value with xfree.
+ */
+int
+load_public_key(const char *filename, Key * pub,
+    char **comment_return);
+
+/*
+ * Loads the private key from the file.  Returns 0 if an error is encountered
+ * (file does not exist or is not readable, or passphrase is bad). This
+ * initializes the private key.  The comment of the key is returned in
+ * comment_return if it is non-NULL; the caller must free the value with
+ * xfree.
+ */
+int
+load_private_key(const char *filename, const char *passphrase,
+    Key * private_key, char **comment_return);
+
+#endif
diff --git a/crypto/openssh/aux.c b/crypto/openssh/aux.c
new file mode 100644
index 0000000..899142d
--- /dev/null
+++ b/crypto/openssh/aux.c
@@ -0,0 +1,36 @@
+#include "includes.h"
+RCSID("$OpenBSD: aux.c,v 1.2 2000/05/17 09:47:59 markus Exp $");
+
+#include "ssh.h"
+
+char *
+chop(char *s)
+{
+	char *t = s;
+	while (*t) {
+		if(*t == '\n' || *t == '\r') {
+			*t = '\0';
+			return s;
+		}
+		t++;
+	}
+	return s;
+
+}
+
+void
+set_nonblock(int fd)
+{
+	int val;
+	val = fcntl(fd, F_GETFL, 0);
+	if (val < 0) {
+		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
+		return;
+	}
+	if (val & O_NONBLOCK)
+		return;
+	debug("fd %d setting O_NONBLOCK", fd);
+	val |= O_NONBLOCK;
+	if (fcntl(fd, F_SETFL, val) == -1)
+		error("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, strerror(errno));
+}
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
new file mode 100644
index 0000000..d813594
--- /dev/null
+++ b/crypto/openssh/bufaux.c
@@ -0,0 +1,210 @@
+/*
+ *
+ * bufaux.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Mar 29 02:24:47 1995 ylo
+ *
+ * Auxiliary functions for storing and retrieving various data types to/from
+ * Buffers.
+ *
+ * SSH2 packet format added by Markus Friedl
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: bufaux.c,v 1.11 2000/04/14 10:30:30 markus Exp $");
+
+#include "ssh.h"
+#include <openssl/bn.h>
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "getput.h"
+
+/*
+ * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
+ * by (bits+7)/8 bytes of binary data, msb first.
+ */
+void
+buffer_put_bignum(Buffer *buffer, BIGNUM *value)
+{
+	int bits = BN_num_bits(value);
+	int bin_size = (bits + 7) / 8;
+	char unsigned *buf = xmalloc(bin_size);
+	int oi;
+	char msg[2];
+
+	/* Get the value of in binary */
+	oi = BN_bn2bin(value, buf);
+	if (oi != bin_size)
+		fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
+		      oi, bin_size);
+
+	/* Store the number of bits in the buffer in two bytes, msb first. */
+	PUT_16BIT(msg, bits);
+	buffer_append(buffer, msg, 2);
+	/* Store the binary data. */
+	buffer_append(buffer, (char *)buf, oi);
+
+	memset(buf, 0, bin_size);
+	xfree(buf);
+}
+
+/*
+ * Retrieves an BIGNUM from the buffer.
+ */
+int
+buffer_get_bignum(Buffer *buffer, BIGNUM *value)
+{
+	int bits, bytes;
+	unsigned char buf[2], *bin;
+
+	/* Get the number for bits. */
+	buffer_get(buffer, (char *) buf, 2);
+	bits = GET_16BIT(buf);
+	/* Compute the number of binary bytes that follow. */
+	bytes = (bits + 7) / 8;
+	if (buffer_len(buffer) < bytes)
+		fatal("buffer_get_bignum: input buffer too small");
+	bin = (unsigned char*) buffer_ptr(buffer);
+	BN_bin2bn(bin, bytes, value);
+	buffer_consume(buffer, bytes);
+
+	return 2 + bytes;
+}
+
+/*
+ * Stores an BIGNUM in the buffer in SSH2 format.
+ */
+void
+buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
+{
+	int bytes = BN_num_bytes(value) + 1;
+	unsigned char *buf = xmalloc(bytes);
+	int oi;
+	int hasnohigh = 0;
+	buf[0] = '\0';
+	/* Get the value of in binary */
+	oi = BN_bn2bin(value, buf+1);
+	if (oi != bytes-1)
+		fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
+		      oi, bytes);
+	hasnohigh = (buf[1] & 0x80) ? 0 : 1;
+	if (value->neg) {
+		/**XXX should be two's-complement */
+		int i, carry;
+		unsigned char *uc = buf;
+		log("negativ!");
+		for(i = bytes-1, carry = 1; i>=0; i--) {
+			uc[i] ^= 0xff;
+			if(carry)
+				carry = !++uc[i];
+		}
+	}
+	buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
+	memset(buf, 0, bytes);
+	xfree(buf);
+}
+
+int
+buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
+{
+	/**XXX should be two's-complement */
+	int len;
+	unsigned char *bin = (unsigned char *)buffer_get_string(buffer, (unsigned int *)&len);
+	BN_bin2bn(bin, len, value);
+	xfree(bin);
+	return len;
+}
+
+/*
+ * Returns an integer from the buffer (4 bytes, msb first).
+ */
+unsigned int
+buffer_get_int(Buffer *buffer)
+{
+	unsigned char buf[4];
+	buffer_get(buffer, (char *) buf, 4);
+	return GET_32BIT(buf);
+}
+
+/*
+ * Stores an integer in the buffer in 4 bytes, msb first.
+ */
+void
+buffer_put_int(Buffer *buffer, unsigned int value)
+{
+	char buf[4];
+	PUT_32BIT(buf, value);
+	buffer_append(buffer, buf, 4);
+}
+
+/*
+ * Returns an arbitrary binary string from the buffer.  The string cannot
+ * be longer than 256k.  The returned value points to memory allocated
+ * with xmalloc; it is the responsibility of the calling function to free
+ * the data.  If length_ptr is non-NULL, the length of the returned data
+ * will be stored there.  A null character will be automatically appended
+ * to the returned string, and is not counted in length.
+ */
+char *
+buffer_get_string(Buffer *buffer, unsigned int *length_ptr)
+{
+	unsigned int len;
+	char *value;
+	/* Get the length. */
+	len = buffer_get_int(buffer);
+	if (len > 256 * 1024)
+		fatal("Received packet with bad string length %d", len);
+	/* Allocate space for the string.  Add one byte for a null character. */
+	value = xmalloc(len + 1);
+	/* Get the string. */
+	buffer_get(buffer, value, len);
+	/* Append a null character to make processing easier. */
+	value[len] = 0;
+	/* Optionally return the length of the string. */
+	if (length_ptr)
+		*length_ptr = len;
+	return value;
+}
+
+/*
+ * Stores and arbitrary binary string in the buffer.
+ */
+void
+buffer_put_string(Buffer *buffer, const void *buf, unsigned int len)
+{
+	buffer_put_int(buffer, len);
+	buffer_append(buffer, buf, len);
+}
+void
+buffer_put_cstring(Buffer *buffer, const char *s)
+{
+	buffer_put_string(buffer, s, strlen(s));
+}
+
+/*
+ * Returns a character from the buffer (0 - 255).
+ */
+int
+buffer_get_char(Buffer *buffer)
+{
+	char ch;
+	buffer_get(buffer, &ch, 1);
+	return (unsigned char) ch;
+}
+
+/*
+ * Stores a character in the buffer.
+ */
+void
+buffer_put_char(Buffer *buffer, int value)
+{
+	char ch = value;
+	buffer_append(buffer, &ch, 1);
+}
diff --git a/crypto/openssh/bufaux.h b/crypto/openssh/bufaux.h
new file mode 100644
index 0000000..8ba92f8
--- /dev/null
+++ b/crypto/openssh/bufaux.h
@@ -0,0 +1,58 @@
+/*
+ *
+ * bufaux.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Mar 29 02:18:23 1995 ylo
+ *
+ */
+
+/* RCSID("$Id: bufaux.h,v 1.6 2000/04/14 10:30:30 markus Exp $"); */
+
+#ifndef BUFAUX_H
+#define BUFAUX_H
+
+#include "buffer.h"
+
+/*
+ * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
+ * by (bits+7)/8 bytes of binary data, msb first.
+ */
+void    buffer_put_bignum(Buffer * buffer, BIGNUM * value);
+void    buffer_put_bignum2(Buffer * buffer, BIGNUM * value);
+
+/* Retrieves an BIGNUM from the buffer. */
+int     buffer_get_bignum(Buffer * buffer, BIGNUM * value);
+int	buffer_get_bignum2(Buffer *buffer, BIGNUM * value);
+
+/* Returns an integer from the buffer (4 bytes, msb first). */
+unsigned int buffer_get_int(Buffer * buffer);
+
+/* Stores an integer in the buffer in 4 bytes, msb first. */
+void    buffer_put_int(Buffer * buffer, unsigned int value);
+
+/* Returns a character from the buffer (0 - 255). */
+int     buffer_get_char(Buffer * buffer);
+
+/* Stores a character in the buffer. */
+void    buffer_put_char(Buffer * buffer, int value);
+
+/*
+ * Returns an arbitrary binary string from the buffer.  The string cannot be
+ * longer than 256k.  The returned value points to memory allocated with
+ * xmalloc; it is the responsibility of the calling function to free the
+ * data.  If length_ptr is non-NULL, the length of the returned data will be
+ * stored there.  A null character will be automatically appended to the
+ * returned string, and is not counted in length.
+ */
+char   *buffer_get_string(Buffer * buffer, unsigned int *length_ptr);
+
+/* Stores and arbitrary binary string in the buffer. */
+void    buffer_put_string(Buffer * buffer, const void *buf, unsigned int len);
+void	buffer_put_cstring(Buffer *buffer, const char *s);
+
+#endif				/* BUFAUX_H */
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
new file mode 100644
index 0000000..4d83433
--- /dev/null
+++ b/crypto/openssh/buffer.c
@@ -0,0 +1,161 @@
+/*
+ *
+ * buffer.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Mar 18 04:15:33 1995 ylo
+ *
+ * Functions for manipulating fifo buffers (that can grow if needed).
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: buffer.c,v 1.6 2000/04/14 10:30:30 markus Exp $");
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "ssh.h"
+
+/* Initializes the buffer structure. */
+
+void
+buffer_init(Buffer *buffer)
+{
+	buffer->alloc = 4096;
+	buffer->buf = xmalloc(buffer->alloc);
+	buffer->offset = 0;
+	buffer->end = 0;
+}
+
+/* Frees any memory used for the buffer. */
+
+void
+buffer_free(Buffer *buffer)
+{
+	memset(buffer->buf, 0, buffer->alloc);
+	xfree(buffer->buf);
+}
+
+/*
+ * Clears any data from the buffer, making it empty.  This does not actually
+ * zero the memory.
+ */
+
+void
+buffer_clear(Buffer *buffer)
+{
+	buffer->offset = 0;
+	buffer->end = 0;
+}
+
+/* Appends data to the buffer, expanding it if necessary. */
+
+void
+buffer_append(Buffer *buffer, const char *data, unsigned int len)
+{
+	char *cp;
+	buffer_append_space(buffer, &cp, len);
+	memcpy(cp, data, len);
+}
+
+/*
+ * Appends space to the buffer, expanding the buffer if necessary. This does
+ * not actually copy the data into the buffer, but instead returns a pointer
+ * to the allocated region.
+ */
+
+void
+buffer_append_space(Buffer *buffer, char **datap, unsigned int len)
+{
+	/* If the buffer is empty, start using it from the beginning. */
+	if (buffer->offset == buffer->end) {
+		buffer->offset = 0;
+		buffer->end = 0;
+	}
+restart:
+	/* If there is enough space to store all data, store it now. */
+	if (buffer->end + len < buffer->alloc) {
+		*datap = buffer->buf + buffer->end;
+		buffer->end += len;
+		return;
+	}
+	/*
+	 * If the buffer is quite empty, but all data is at the end, move the
+	 * data to the beginning and retry.
+	 */
+	if (buffer->offset > buffer->alloc / 2) {
+		memmove(buffer->buf, buffer->buf + buffer->offset,
+			buffer->end - buffer->offset);
+		buffer->end -= buffer->offset;
+		buffer->offset = 0;
+		goto restart;
+	}
+	/* Increase the size of the buffer and retry. */
+	buffer->alloc += len + 32768;
+	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+	goto restart;
+}
+
+/* Returns the number of bytes of data in the buffer. */
+
+unsigned int
+buffer_len(Buffer *buffer)
+{
+	return buffer->end - buffer->offset;
+}
+
+/* Gets data from the beginning of the buffer. */
+
+void
+buffer_get(Buffer *buffer, char *buf, unsigned int len)
+{
+	if (len > buffer->end - buffer->offset)
+		fatal("buffer_get: trying to get more bytes than in buffer");
+	memcpy(buf, buffer->buf + buffer->offset, len);
+	buffer->offset += len;
+}
+
+/* Consumes the given number of bytes from the beginning of the buffer. */
+
+void
+buffer_consume(Buffer *buffer, unsigned int bytes)
+{
+	if (bytes > buffer->end - buffer->offset)
+		fatal("buffer_consume: trying to get more bytes than in buffer");
+	buffer->offset += bytes;
+}
+
+/* Consumes the given number of bytes from the end of the buffer. */
+
+void
+buffer_consume_end(Buffer *buffer, unsigned int bytes)
+{
+	if (bytes > buffer->end - buffer->offset)
+		fatal("buffer_consume_end: trying to get more bytes than in buffer");
+	buffer->end -= bytes;
+}
+
+/* Returns a pointer to the first used byte in the buffer. */
+
+char *
+buffer_ptr(Buffer *buffer)
+{
+	return buffer->buf + buffer->offset;
+}
+
+/* Dumps the contents of the buffer to stderr. */
+
+void
+buffer_dump(Buffer *buffer)
+{
+	int i;
+	unsigned char *ucp = (unsigned char *) buffer->buf;
+
+	for (i = buffer->offset; i < buffer->end; i++)
+		fprintf(stderr, " %02x", ucp[i]);
+	fprintf(stderr, "\n");
+}
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
new file mode 100644
index 0000000..be4fdc3
--- /dev/null
+++ b/crypto/openssh/buffer.h
@@ -0,0 +1,68 @@
+/*
+ *
+ * buffer.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Mar 18 04:12:25 1995 ylo
+ *
+ * Code for manipulating FIFO buffers.
+ *
+ */
+
+/* RCSID("$Id: buffer.h,v 1.4 2000/04/14 10:30:30 markus Exp $"); */
+
+#ifndef BUFFER_H
+#define BUFFER_H
+
+typedef struct {
+	char   *buf;		/* Buffer for data. */
+	unsigned int alloc;	/* Number of bytes allocated for data. */
+	unsigned int offset;	/* Offset of first byte containing data. */
+	unsigned int end;	/* Offset of last byte containing data. */
+}       Buffer;
+/* Initializes the buffer structure. */
+void    buffer_init(Buffer * buffer);
+
+/* Frees any memory used for the buffer. */
+void    buffer_free(Buffer * buffer);
+
+/* Clears any data from the buffer, making it empty.  This does not actually
+   zero the memory. */
+void    buffer_clear(Buffer * buffer);
+
+/* Appends data to the buffer, expanding it if necessary. */
+void    buffer_append(Buffer * buffer, const char *data, unsigned int len);
+
+/*
+ * Appends space to the buffer, expanding the buffer if necessary. This does
+ * not actually copy the data into the buffer, but instead returns a pointer
+ * to the allocated region.
+ */
+void    buffer_append_space(Buffer * buffer, char **datap, unsigned int len);
+
+/* Returns the number of bytes of data in the buffer. */
+unsigned int buffer_len(Buffer * buffer);
+
+/* Gets data from the beginning of the buffer. */
+void    buffer_get(Buffer * buffer, char *buf, unsigned int len);
+
+/* Consumes the given number of bytes from the beginning of the buffer. */
+void    buffer_consume(Buffer * buffer, unsigned int bytes);
+
+/* Consumes the given number of bytes from the end of the buffer. */
+void    buffer_consume_end(Buffer * buffer, unsigned int bytes);
+
+/* Returns a pointer to the first used byte in the buffer. */
+char   *buffer_ptr(Buffer * buffer);
+
+/*
+ * Dumps the contents of the buffer to stderr in hex.  This intended for
+ * debugging purposes only.
+ */
+void    buffer_dump(Buffer * buffer);
+
+#endif				/* BUFFER_H */
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
new file mode 100644
index 0000000..306ec06
--- /dev/null
+++ b/crypto/openssh/canohost.c
@@ -0,0 +1,304 @@
+/*
+ *
+ * canohost.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sun Jul  2 17:52:22 1995 ylo
+ *
+ * Functions for returning the canonical host name of the remote site.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: canohost.c,v 1.12 2000/04/14 10:30:30 markus Exp $");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "ssh.h"
+
+/*
+ * Return the canonical name of the host at the other end of the socket. The
+ * caller should free the returned string with xfree.
+ */
+
+char *
+get_remote_hostname(int socket)
+{
+	struct sockaddr_storage from;
+	int i;
+	socklen_t fromlen;
+	struct addrinfo hints, *ai, *aitop;
+	char name[MAXHOSTNAMELEN];
+	char ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
+
+	/* Get IP address of client. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) {
+		debug("getpeername failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
+	     NULL, 0, NI_NUMERICHOST) != 0)
+		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+
+	/* Map the IP address to a host name. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+	     NULL, 0, NI_NAMEREQD) == 0) {
+		/* Got host name. */
+		name[sizeof(name) - 1] = '\0';
+		/*
+		 * Convert it to all lowercase (which is expected by the rest
+		 * of this software).
+		 */
+		for (i = 0; name[i]; i++)
+			if (isupper(name[i]))
+				name[i] = tolower(name[i]);
+
+		/*
+		 * Map it back to an IP address and check that the given
+		 * address actually is an address of this host.  This is
+		 * necessary because anyone with access to a name server can
+		 * define arbitrary names for an IP address. Mapping from
+		 * name to IP address can be trusted better (but can still be
+		 * fooled if the intruder has access to the name server of
+		 * the domain).
+		 */
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = from.ss_family;
+		hints.ai_socktype = SOCK_STREAM;
+		if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+			log("reverse mapping checking getaddrinfo for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
+			strlcpy(name, ntop, sizeof name);
+			goto check_ip_options;
+		}
+		/* Look for the address from the list of addresses. */
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+			    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+			    (strcmp(ntop, ntop2) == 0))
+					break;
+		}
+		freeaddrinfo(aitop);
+		/* If we reached the end of the list, the address was not there. */
+		if (!ai) {
+			/* Address not found for the host name. */
+			log("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+			    ntop, name);
+			strlcpy(name, ntop, sizeof name);
+			goto check_ip_options;
+		}
+		/* Address was found for the host name.  We accept the host name. */
+	} else {
+		/* Host name not found.  Use ascii representation of the address. */
+		strlcpy(name, ntop, sizeof name);
+		log("Could not reverse map address %.100s.", name);
+	}
+
+check_ip_options:
+
+	/*
+	 * If IP options are supported, make sure there are none (log and
+	 * disconnect them if any are found).  Basically we are worried about
+	 * source routing; it can be used to pretend you are somebody
+	 * (ip-address) you are not. That itself may be "almost acceptable"
+	 * under certain circumstances, but rhosts autentication is useless
+	 * if source routing is accepted. Notice also that if we just dropped
+	 * source routing here, the other side could use IP spoofing to do
+	 * rest of the interaction and could still bypass security.  So we
+	 * exit here if we detect any IP options.
+	 */
+	/* IP options -- IPv4 only */
+	if (from.ss_family == AF_INET) {
+		unsigned char options[200], *ucp;
+		char text[1024], *cp;
+		socklen_t option_size;
+		int ipproto;
+		struct protoent *ip;
+
+		if ((ip = getprotobyname("ip")) != NULL)
+			ipproto = ip->p_proto;
+		else
+			ipproto = IPPROTO_IP;
+		option_size = sizeof(options);
+		if (getsockopt(0, ipproto, IP_OPTIONS, (char *) options,
+		    &option_size) >= 0 && option_size != 0) {
+			cp = text;
+			/* Note: "text" buffer must be at least 3x as big as options. */
+			for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+				sprintf(cp, " %2.2x", *ucp);
+			log("Connection from %.100s with IP options:%.800s",
+			    ntop, text);
+			packet_disconnect("Connection from %.100s with IP options:%.800s",
+					  ntop, text);
+		}
+	}
+
+	return xstrdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection.  The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+get_canonical_hostname()
+{
+	static char *canonical_host_name = NULL;
+
+	/* Check if we have previously retrieved this same name. */
+	if (canonical_host_name != NULL)
+		return canonical_host_name;
+
+	/* Get the real hostname if socket; otherwise return UNKNOWN. */
+	if (packet_connection_is_on_socket())
+		canonical_host_name = get_remote_hostname(packet_get_connection_in());
+	else
+		canonical_host_name = xstrdup("UNKNOWN");
+
+	return canonical_host_name;
+}
+
+/*
+ * Returns the IP-address of the remote host as a string.  The returned
+ * string must not be freed.
+ */
+
+const char *
+get_remote_ipaddr()
+{
+	static char *canonical_host_ip = NULL;
+	struct sockaddr_storage from;
+	socklen_t fromlen;
+	int socket;
+	char ntop[NI_MAXHOST];
+
+	/* Check whether we have chached the name. */
+	if (canonical_host_ip != NULL)
+		return canonical_host_ip;
+
+	/* If not a socket, return UNKNOWN. */
+	if (!packet_connection_is_on_socket()) {
+		canonical_host_ip = xstrdup("UNKNOWN");
+		return canonical_host_ip;
+	}
+	/* Get client socket. */
+	socket = packet_get_connection_in();
+
+	/* Get IP address of client. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) {
+		debug("getpeername failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	/* Get the IP address in ascii. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
+	     NULL, 0, NI_NUMERICHOST) != 0)
+		fatal("get_remote_ipaddr: getnameinfo NI_NUMERICHOST failed");
+
+	canonical_host_ip = xstrdup(ntop);
+
+	/* Return ip address string. */
+	return canonical_host_ip;
+}
+
+/*
+ * Returns the IP-address of the local host as a string.  The returned
+ * string must be freed.
+ */
+
+const char *
+get_ipaddr(int socket)
+{
+	static char *canonical_host_ip = NULL;
+	struct sockaddr_storage from;
+	socklen_t fromlen;
+	char ntop[NI_MAXHOST];
+
+	/* Get IP address of server. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getsockname(socket, (struct sockaddr *)&from, &fromlen) < 0) {
+		debug("getsockname failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	/* Get the IP address in ascii. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
+	     NULL, 0, NI_NUMERICHOST) != 0)
+		fatal("get_local_ipaddr: getnameinfo NI_NUMERICHOST failed");
+
+	/* Return ip address string. */
+	return xstrdup(ntop);
+}
+
+/* Returns the local/remote port for the socket. */
+
+int
+get_sock_port(int sock, int local)
+{
+	struct sockaddr_storage from;
+	socklen_t fromlen;
+	char strport[NI_MAXSERV];
+
+	/* Get IP address of client. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (local) {
+		if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) {
+			error("getsockname failed: %.100s", strerror(errno));
+			return 0;
+		}
+	} else {
+		if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) {
+			debug("getpeername failed: %.100s", strerror(errno));
+			fatal_cleanup();
+		}
+	}
+	/* Return port number. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
+	     strport, sizeof(strport), NI_NUMERICSERV) != 0)
+		fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed");
+	return atoi(strport);
+}
+
+/* Returns remote/local port number for the current connection. */
+
+int
+get_port(int local)
+{
+	/*
+	 * If the connection is not a socket, return 65535.  This is
+	 * intentionally chosen to be an unprivileged port number.
+	 */
+	if (!packet_connection_is_on_socket())
+		return 65535;
+
+	/* Get socket and return the port number. */
+	return get_sock_port(packet_get_connection_in(), local);
+}
+
+int
+get_peer_port(int sock)
+{
+	return get_sock_port(sock, 0);
+}
+
+int
+get_remote_port()
+{
+	return get_port(0);
+}
+
+int
+get_local_port()
+{
+	return get_port(1);
+}
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
new file mode 100644
index 0000000..871dcb8
--- /dev/null
+++ b/crypto/openssh/channels.c
@@ -0,0 +1,2269 @@
+/*
+ *
+ * channels.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 24 16:35:24 1995 ylo
+ *
+ * This file contains functions for generic socket connection forwarding.
+ * There is also code for initiating connection forwarding for X11 connections,
+ * arbitrary tcp/ip connections, and the authentication agent connection.
+ *
+ * SSH2 support added by Markus Friedl.
+ */
+
+#include "includes.h"
+RCSID("$Id: channels.c,v 1.59 2000/05/30 17:23:36 markus Exp $");
+
+#include "ssh.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "authfd.h"
+#include "uidswap.h"
+#include "readconf.h"
+#include "servconf.h"
+
+#include "channels.h"
+#include "nchan.h"
+#include "compat.h"
+
+#include "ssh2.h"
+
+/* Maximum number of fake X11 displays to try. */
+#define MAX_DISPLAYS  1000
+
+/* Max len of agent socket */
+#define MAX_SOCKET_NAME 100
+
+/* default window/packet sizes for tcp/x11-fwd-channel */
+#define CHAN_TCP_WINDOW_DEFAULT	(8*1024)
+#define CHAN_TCP_PACKET_DEFAULT	(CHAN_TCP_WINDOW_DEFAULT/2)
+#define CHAN_X11_WINDOW_DEFAULT	(4*1024)
+#define CHAN_X11_PACKET_DEFAULT	(CHAN_X11_WINDOW_DEFAULT/2)
+
+/*
+ * Pointer to an array containing all allocated channels.  The array is
+ * dynamically extended as needed.
+ */
+static Channel *channels = NULL;
+
+/*
+ * Size of the channel array.  All slots of the array must always be
+ * initialized (at least the type field); unused slots are marked with type
+ * SSH_CHANNEL_FREE.
+ */
+static int channels_alloc = 0;
+
+/*
+ * Maximum file descriptor value used in any of the channels.  This is
+ * updated in channel_allocate.
+ */
+static int channel_max_fd_value = 0;
+
+/* Name and directory of socket for authentication agent forwarding. */
+static char *channel_forwarded_auth_socket_name = NULL;
+static char *channel_forwarded_auth_socket_dir = NULL;
+
+/* Saved X11 authentication protocol name. */
+char *x11_saved_proto = NULL;
+
+/* Saved X11 authentication data.  This is the real data. */
+char *x11_saved_data = NULL;
+unsigned int x11_saved_data_len = 0;
+
+/*
+ * Fake X11 authentication data.  This is what the server will be sending us;
+ * we should replace any occurrences of this by the real data.
+ */
+char *x11_fake_data = NULL;
+unsigned int x11_fake_data_len;
+
+/*
+ * Data structure for storing which hosts are permitted for forward requests.
+ * The local sides of any remote forwards are stored in this array to prevent
+ * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
+ * network (which might be behind a firewall).
+ */
+typedef struct {
+	char *host_to_connect;		/* Connect to 'host'. */
+	u_short port_to_connect;	/* Connect to 'port'. */
+	u_short listen_port;		/* Remote side should listen port number. */
+} ForwardPermission;
+
+/* List of all permitted host/port pairs to connect. */
+static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
+/* Number of permitted host/port pairs in the array. */
+static int num_permitted_opens = 0;
+/*
+ * If this is true, all opens are permitted.  This is the case on the server
+ * on which we have to trust the client anyway, and the user could do
+ * anything after logging in anyway.
+ */
+static int all_opens_permitted = 0;
+
+/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
+static int have_hostname_in_open = 0;
+
+/* Sets specific protocol options. */
+
+void
+channel_set_options(int hostname_in_open)
+{
+	have_hostname_in_open = hostname_in_open;
+}
+
+/*
+ * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
+ * called by the server, because the user could connect to any port anyway,
+ * and the server has no way to know but to trust the client anyway.
+ */
+
+void
+channel_permit_all_opens()
+{
+	all_opens_permitted = 1;
+}
+
+/* lookup channel by id */
+
+Channel *
+channel_lookup(int id)
+{
+	Channel *c;
+	if (id < 0 && id > channels_alloc) {
+		log("channel_lookup: %d: bad id", id);
+		return NULL;
+	}
+	c = &channels[id];
+	if (c->type == SSH_CHANNEL_FREE) {
+		log("channel_lookup: %d: bad id: channel free", id);
+		return NULL;
+	}
+	return c;
+}
+
+/*
+ * Register filedescriptors for a channel, used when allocating a channel or
+ * when the channel consumer/producer is ready, e.g. shell exec'd
+ */
+
+void
+channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
+{
+	/* Update the maximum file descriptor value. */
+	if (rfd > channel_max_fd_value)
+		channel_max_fd_value = rfd;
+	if (wfd > channel_max_fd_value)
+		channel_max_fd_value = wfd;
+	if (efd > channel_max_fd_value)
+		channel_max_fd_value = efd;
+	/* XXX set close-on-exec -markus */
+
+	c->rfd = rfd;
+	c->wfd = wfd;
+	c->sock = (rfd == wfd) ? rfd : -1;
+	c->efd = efd;
+	c->extended_usage = extusage;
+	if (rfd != -1)
+		set_nonblock(rfd);
+	if (wfd != -1)
+		set_nonblock(wfd);
+	if (efd != -1)
+		set_nonblock(efd);
+}
+
+/*
+ * Allocate a new channel object and set its type and socket. This will cause
+ * remote_name to be freed.
+ */
+
+int
+channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+    int window, int maxpack, int extusage, char *remote_name)
+{
+	int i, found;
+	Channel *c;
+
+	/* Do initial allocation if this is the first call. */
+	if (channels_alloc == 0) {
+		chan_init();
+		channels_alloc = 10;
+		channels = xmalloc(channels_alloc * sizeof(Channel));
+		for (i = 0; i < channels_alloc; i++)
+			channels[i].type = SSH_CHANNEL_FREE;
+		/*
+		 * Kludge: arrange a call to channel_stop_listening if we
+		 * terminate with fatal().
+		 */
+		fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
+	}
+	/* Try to find a free slot where to put the new channel. */
+	for (found = -1, i = 0; i < channels_alloc; i++)
+		if (channels[i].type == SSH_CHANNEL_FREE) {
+			/* Found a free slot. */
+			found = i;
+			break;
+		}
+	if (found == -1) {
+		/* There are no free slots.  Take last+1 slot and expand the array.  */
+		found = channels_alloc;
+		channels_alloc += 10;
+		debug("channel: expanding %d", channels_alloc);
+		channels = xrealloc(channels, channels_alloc * sizeof(Channel));
+		for (i = found; i < channels_alloc; i++)
+			channels[i].type = SSH_CHANNEL_FREE;
+	}
+	/* Initialize and return new channel number. */
+	c = &channels[found];
+	buffer_init(&c->input);
+	buffer_init(&c->output);
+	buffer_init(&c->extended);
+	chan_init_iostates(c);
+	channel_register_fds(c, rfd, wfd, efd, extusage);
+	c->self = found;
+	c->type = type;
+	c->ctype = ctype;
+	c->local_window = window;
+	c->local_window_max = window;
+	c->local_consumed = 0;
+	c->local_maxpacket = maxpack;
+	c->remote_id = -1;
+	c->remote_name = remote_name;
+	c->remote_window = 0;
+	c->remote_maxpacket = 0;
+	c->cb_fn = NULL;
+	c->cb_arg = NULL;
+	c->cb_event = 0;
+	c->dettach_user = NULL;
+	debug("channel %d: new [%s]", found, remote_name);
+	return found;
+}
+/* old interface XXX */
+int
+channel_allocate(int type, int sock, char *remote_name)
+{
+	return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
+}
+
+
+/* Close all channel fd/socket. */
+
+void
+channel_close_fds(Channel *c)
+{
+	if (c->sock != -1) {
+		close(c->sock);
+		c->sock = -1;
+	}
+	if (c->rfd != -1) {
+		close(c->rfd);
+		c->rfd = -1;
+	}
+	if (c->wfd != -1) {
+		close(c->wfd);
+		c->wfd = -1;
+	}
+	if (c->efd != -1) {
+		close(c->efd);
+		c->efd = -1;
+	}
+}
+
+/* Free the channel and close its fd/socket. */
+
+void
+channel_free(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("channel free: bad local channel %d", id);
+	debug("channel_free: channel %d: status: %s", id, channel_open_message());
+	if (c->dettach_user != NULL) {
+		debug("channel_free: channel %d: dettaching channel user", id);
+		c->dettach_user(c->self, NULL);
+	}
+	if (c->sock != -1)
+		shutdown(c->sock, SHUT_RDWR);
+	channel_close_fds(c);
+	buffer_free(&c->input);
+	buffer_free(&c->output);
+	buffer_free(&c->extended);
+	c->type = SSH_CHANNEL_FREE;
+	if (c->remote_name) {
+		xfree(c->remote_name);
+		c->remote_name = NULL;
+	}
+}
+
+/*
+ * 'channel_pre*' are called just before select() to add any bits relevant to
+ * channels in the select bitmasks.
+ */
+/*
+ * 'channel_post*': perform any appropriate operations for channels which
+ * have events pending.
+ */
+typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
+chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
+chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
+
+void
+channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	FD_SET(c->sock, readset);
+}
+
+void
+channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->input) < packet_get_maxsize())
+		FD_SET(c->sock, readset);
+	if (buffer_len(&c->output) > 0)
+		FD_SET(c->sock, writeset);
+}
+
+void
+channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	/* test whether sockets are 'alive' for read/write */
+	if (c->istate == CHAN_INPUT_OPEN)
+		if (buffer_len(&c->input) < packet_get_maxsize())
+			FD_SET(c->sock, readset);
+	if (c->ostate == CHAN_OUTPUT_OPEN ||
+	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+		if (buffer_len(&c->output) > 0) {
+			FD_SET(c->sock, writeset);
+		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+			chan_obuf_empty(c);
+		}
+	}
+}
+
+void
+channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (c->istate == CHAN_INPUT_OPEN &&
+	    c->remote_window > 0 &&
+	    buffer_len(&c->input) < c->remote_window)
+		FD_SET(c->rfd, readset);
+	if (c->ostate == CHAN_OUTPUT_OPEN ||
+	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+		if (buffer_len(&c->output) > 0) {
+			FD_SET(c->wfd, writeset);
+		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+			chan_obuf_empty(c);
+		}
+	}
+	/** XXX check close conditions, too */
+	if (c->efd != -1) {
+		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
+		    buffer_len(&c->extended) > 0)
+			FD_SET(c->efd, writeset);
+		else if (c->extended_usage == CHAN_EXTENDED_READ &&
+		    buffer_len(&c->extended) < c->remote_window)
+			FD_SET(c->efd, readset);
+	}
+}
+
+void
+channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->input) == 0) {
+		packet_start(SSH_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		c->type = SSH_CHANNEL_CLOSED;
+		debug("Closing channel %d after input drain.", c->self);
+	}
+}
+
+void
+channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->output) == 0)
+		channel_free(c->self);
+	else
+		FD_SET(c->sock, writeset);
+}
+
+/*
+ * This is a special state for X11 authentication spoofing.  An opened X11
+ * connection (when authentication spoofing is being done) remains in this
+ * state until the first packet has been completely read.  The authentication
+ * data in that packet is then substituted by the real data if it matches the
+ * fake data, and the channel is put into normal mode.
+ * XXX All this happens at the client side.
+ */
+int
+x11_open_helper(Channel *c)
+{
+	unsigned char *ucp;
+	unsigned int proto_len, data_len;
+
+	/* Check if the fixed size part of the packet is in buffer. */
+	if (buffer_len(&c->output) < 12)
+		return 0;
+
+	/* Parse the lengths of variable-length fields. */
+	ucp = (unsigned char *) buffer_ptr(&c->output);
+	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
+		proto_len = 256 * ucp[6] + ucp[7];
+		data_len = 256 * ucp[8] + ucp[9];
+	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
+		proto_len = ucp[6] + 256 * ucp[7];
+		data_len = ucp[8] + 256 * ucp[9];
+	} else {
+		debug("Initial X11 packet contains bad byte order byte: 0x%x",
+		      ucp[0]);
+		return -1;
+	}
+
+	/* Check if the whole packet is in buffer. */
+	if (buffer_len(&c->output) <
+	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
+		return 0;
+
+	/* Check if authentication protocol matches. */
+	if (proto_len != strlen(x11_saved_proto) ||
+	    memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
+		debug("X11 connection uses different authentication protocol.");
+		return -1;
+	}
+	/* Check if authentication data matches our fake data. */
+	if (data_len != x11_fake_data_len ||
+	    memcmp(ucp + 12 + ((proto_len + 3) & ~3),
+		x11_fake_data, x11_fake_data_len) != 0) {
+		debug("X11 auth data does not match fake data.");
+		return -1;
+	}
+	/* Check fake data length */
+	if (x11_fake_data_len != x11_saved_data_len) {
+		error("X11 fake_data_len %d != saved_data_len %d",
+		    x11_fake_data_len, x11_saved_data_len);
+		return -1;
+	}
+	/*
+	 * Received authentication protocol and data match
+	 * our fake data. Substitute the fake data with real
+	 * data.
+	 */
+	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
+	    x11_saved_data, x11_saved_data_len);
+	return 1;
+}
+
+void
+channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int ret = x11_open_helper(c);
+	if (ret == 1) {
+		/* Start normal processing for the channel. */
+		c->type = SSH_CHANNEL_OPEN;
+		channel_pre_open_13(c, readset, writeset);
+	} else if (ret == -1) {
+		/*
+		 * We have received an X11 connection that has bad
+		 * authentication information.
+		 */
+		log("X11 connection rejected because of wrong authentication.\r\n");
+		buffer_clear(&c->input);
+		buffer_clear(&c->output);
+		close(c->sock);
+		c->sock = -1;
+		c->type = SSH_CHANNEL_CLOSED;
+		packet_start(SSH_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+}
+
+void
+channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int ret = x11_open_helper(c);
+	if (ret == 1) {
+		c->type = SSH_CHANNEL_OPEN;
+		if (compat20)
+			channel_pre_open_20(c, readset, writeset);
+		else
+			channel_pre_open_15(c, readset, writeset);
+	} else if (ret == -1) {
+		debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
+		chan_read_failed(c);	/** force close? */
+		chan_write_failed(c);
+		debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
+	}
+}
+
+/* This is our fake X11 server socket. */
+void
+channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct sockaddr addr;
+	int newsock, newch;
+	socklen_t addrlen;
+	char buf[16384], *remote_hostname;
+	int remote_port;
+
+	if (FD_ISSET(c->sock, readset)) {
+		debug("X11 connection requested.");
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept: %.100s", strerror(errno));
+			return;
+		}
+		remote_hostname = get_remote_hostname(newsock);
+		remote_port = get_peer_port(newsock);
+		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
+		    remote_hostname, remote_port);
+
+		newch = channel_new("x11",
+		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
+		    c->local_window_max, c->local_maxpacket,
+		    0, xstrdup(buf));
+		if (compat20) {
+			packet_start(SSH2_MSG_CHANNEL_OPEN);
+			packet_put_cstring("x11");
+			packet_put_int(newch);
+			packet_put_int(c->local_window_max);
+			packet_put_int(c->local_maxpacket);
+			/* originator host and port */
+			packet_put_cstring(remote_hostname);
+			if (datafellows & SSH_BUG_X11FWD) {
+				debug("ssh2 x11 bug compat mode");
+			} else {
+				packet_put_int(remote_port);
+			}
+			packet_send();
+		} else {
+			packet_start(SSH_SMSG_X11_OPEN);
+			packet_put_int(newch);
+			if (have_hostname_in_open)
+				packet_put_string(buf, strlen(buf));
+			packet_send();
+		}
+		xfree(remote_hostname);
+	}
+}
+
+/*
+ * This socket is listening for connections to a forwarded TCP/IP port.
+ */
+void
+channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct sockaddr addr;
+	int newsock, newch;
+	socklen_t addrlen;
+	char buf[1024], *remote_hostname;
+	int remote_port;
+
+	if (FD_ISSET(c->sock, readset)) {
+		debug("Connection to port %d forwarding "
+		    "to %.100s port %d requested.",
+		    c->listening_port, c->path, c->host_port);
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept: %.100s", strerror(errno));
+			return;
+		}
+		remote_hostname = get_remote_hostname(newsock);
+		remote_port = get_peer_port(newsock);
+		snprintf(buf, sizeof buf,
+		    "listen port %d for %.100s port %d, "
+		    "connect from %.200s port %d",
+		    c->listening_port, c->path, c->host_port,
+		    remote_hostname, remote_port);
+		newch = channel_new("direct-tcpip",
+		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
+		    c->local_window_max, c->local_maxpacket,
+		    0, xstrdup(buf));
+		if (compat20) {
+			packet_start(SSH2_MSG_CHANNEL_OPEN);
+			packet_put_cstring("direct-tcpip");
+			packet_put_int(newch);
+			packet_put_int(c->local_window_max);
+			packet_put_int(c->local_maxpacket);
+			/* target host and port */
+			packet_put_string(c->path, strlen(c->path));
+			packet_put_int(c->host_port);
+			/* originator host and port */
+			packet_put_cstring(remote_hostname);
+			packet_put_int(remote_port);
+			packet_send();
+		} else {
+			packet_start(SSH_MSG_PORT_OPEN);
+			packet_put_int(newch);
+			packet_put_string(c->path, strlen(c->path));
+			packet_put_int(c->host_port);
+			if (have_hostname_in_open) {
+				packet_put_string(buf, strlen(buf));
+			}
+			packet_send();
+		}
+		xfree(remote_hostname);
+	}
+}
+
+/*
+ * This is the authentication agent socket listening for connections from
+ * clients.
+ */
+void
+channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct sockaddr addr;
+	int newsock, newch;
+	socklen_t addrlen;
+
+	if (FD_ISSET(c->sock, readset)) {
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept from auth socket: %.100s", strerror(errno));
+			return;
+		}
+		newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
+		    xstrdup("accepted auth socket"));
+		packet_start(SSH_SMSG_AGENT_OPEN);
+		packet_put_int(newch);
+		packet_send();
+	}
+}
+
+int
+channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	char buf[16*1024];
+	int len;
+
+	if (c->rfd != -1 &&
+	    FD_ISSET(c->rfd, readset)) {
+		len = read(c->rfd, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN))
+			return 1;
+		if (len <= 0) {
+			debug("channel %d: read<=0 rfd %d len %d",
+			    c->self, c->rfd, len);
+			if (compat13) {
+				buffer_consume(&c->output, buffer_len(&c->output));
+				c->type = SSH_CHANNEL_INPUT_DRAINING;
+				debug("Channel %d status set to input draining.", c->self);
+			} else {
+				chan_read_failed(c);
+			}
+			return -1;
+		}
+		buffer_append(&c->input, buf, len);
+	}
+	return 1;
+}
+int
+channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int len;
+
+	/* Send buffered output data to the socket. */
+	if (c->wfd != -1 &&
+	    FD_ISSET(c->wfd, writeset) &&
+	    buffer_len(&c->output) > 0) {
+		len = write(c->wfd, buffer_ptr(&c->output),
+		    buffer_len(&c->output));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN))
+			return 1;
+		if (len <= 0) {
+			if (compat13) {
+				buffer_consume(&c->output, buffer_len(&c->output));
+				debug("Channel %d status set to input draining.", c->self);
+				c->type = SSH_CHANNEL_INPUT_DRAINING;
+			} else {
+				chan_write_failed(c);
+			}
+			return -1;
+		}
+		buffer_consume(&c->output, len);
+		if (compat20 && len > 0) {
+			c->local_consumed += len;
+		}
+	}
+	return 1;
+}
+int
+channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	char buf[16*1024];
+	int len;
+
+/** XXX handle drain efd, too */
+	if (c->efd != -1) {
+		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
+		    FD_ISSET(c->efd, writeset) &&
+		    buffer_len(&c->extended) > 0) {
+			len = write(c->efd, buffer_ptr(&c->extended),
+			    buffer_len(&c->extended));
+			debug("channel %d: written %d to efd %d",
+			    c->self, len, c->efd);
+			if (len > 0) {
+				buffer_consume(&c->extended, len);
+				c->local_consumed += len;
+			}
+		} else if (c->extended_usage == CHAN_EXTENDED_READ &&
+		    FD_ISSET(c->efd, readset)) {
+			len = read(c->efd, buf, sizeof(buf));
+			debug("channel %d: read %d from efd %d",
+			     c->self, len, c->efd);
+			if (len == 0) {
+				debug("channel %d: closing efd %d",
+				    c->self, c->efd);
+				close(c->efd);
+				c->efd = -1;
+			} else if (len > 0)
+				buffer_append(&c->extended, buf, len);
+		}
+	}
+	return 1;
+}
+int
+channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+	    c->local_window < c->local_window_max/2 &&
+	    c->local_consumed > 0) {
+		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->local_consumed);
+		packet_send();
+		debug("channel %d: window %d sent adjust %d",
+		    c->self, c->local_window,
+		    c->local_consumed);
+		c->local_window += c->local_consumed;
+		c->local_consumed = 0;
+	}
+	return 1;
+}
+
+void
+channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	channel_handle_rfd(c, readset, writeset);
+	channel_handle_wfd(c, readset, writeset);
+}
+
+void
+channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	channel_handle_rfd(c, readset, writeset);
+	channel_handle_wfd(c, readset, writeset);
+	channel_handle_efd(c, readset, writeset);
+	channel_check_window(c, readset, writeset);
+}
+
+void
+channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int len;
+	/* Send buffered output data to the socket. */
+	if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
+		len = write(c->sock, buffer_ptr(&c->output),
+			    buffer_len(&c->output));
+		if (len <= 0)
+			buffer_consume(&c->output, buffer_len(&c->output));
+		else
+			buffer_consume(&c->output, len);
+	}
+}
+
+void
+channel_handler_init_20(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_20;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_2;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+}
+
+void
+channel_handler_init_13(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_13;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open_13;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_INPUT_DRAINING] =	&channel_pre_input_draining;
+	channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_pre_output_draining;
+
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_1;
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
+	channel_post[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_post_output_drain_13;
+}
+
+void
+channel_handler_init_15(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_15;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
+
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_1;
+}
+
+void
+channel_handler_init(void)
+{
+	int i;
+	for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
+		channel_pre[i] = NULL;
+		channel_post[i] = NULL;
+	}
+	if (compat20)
+		channel_handler_init_20();
+	else if (compat13)
+		channel_handler_init_13();
+	else
+		channel_handler_init_15();
+}
+
+void
+channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
+{
+	static int did_init = 0;
+	int i;
+	Channel *c;
+
+	if (!did_init) {
+		channel_handler_init();
+		did_init = 1;
+	}
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+		if (c->type == SSH_CHANNEL_FREE)
+			continue;
+		if (ftab[c->type] == NULL)
+			continue;
+		(*ftab[c->type])(c, readset, writeset);
+		chan_delete_if_full_closed(c);
+	}
+}
+
+void
+channel_prepare_select(fd_set * readset, fd_set * writeset)
+{
+	channel_handler(channel_pre, readset, writeset);
+}
+
+void
+channel_after_select(fd_set * readset, fd_set * writeset)
+{
+	channel_handler(channel_post, readset, writeset);
+}
+
+/* If there is data to send to the connection, send some of it now. */
+
+void
+channel_output_poll()
+{
+	int len, i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+
+		/* We are only interested in channels that can have buffered incoming data. */
+		if (compat13) {
+			if (c->type != SSH_CHANNEL_OPEN &&
+			    c->type != SSH_CHANNEL_INPUT_DRAINING)
+				continue;
+		} else {
+			if (c->type != SSH_CHANNEL_OPEN)
+				continue;
+			if (c->istate != CHAN_INPUT_OPEN &&
+			    c->istate != CHAN_INPUT_WAIT_DRAIN)
+				continue;
+		}
+		if (compat20 &&
+		    (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
+			debug("channel: %d: no data after CLOSE", c->self);
+			continue;
+		}
+
+		/* Get the amount of buffered data for this channel. */
+		len = buffer_len(&c->input);
+		if (len > 0) {
+			/* Send some data for the other side over the secure connection. */
+			if (compat20) {
+				if (len > c->remote_window)
+					len = c->remote_window;
+				if (len > c->remote_maxpacket)
+					len = c->remote_maxpacket;
+			} else {
+				if (packet_is_interactive()) {
+					if (len > 1024)
+						len = 512;
+				} else {
+					/* Keep the packets at reasonable size. */
+					if (len > packet_get_maxsize()/2)
+						len = packet_get_maxsize()/2;
+				}
+			}
+			if (len > 0) {
+				packet_start(compat20 ?
+				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
+				packet_put_int(c->remote_id);
+				packet_put_string(buffer_ptr(&c->input), len);
+				packet_send();
+				buffer_consume(&c->input, len);
+				c->remote_window -= len;
+				debug("channel %d: send data len %d", c->self, len);
+			}
+		} else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
+			if (compat13)
+				fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
+			/*
+			 * input-buffer is empty and read-socket shutdown:
+			 * tell peer, that we will not send more data: send IEOF
+			 */
+			chan_ibuf_empty(c);
+		}
+		/* Send extended data, i.e. stderr */
+		if (compat20 &&
+		    c->remote_window > 0 &&
+		    (len = buffer_len(&c->extended)) > 0 &&
+		    c->extended_usage == CHAN_EXTENDED_READ) {
+			if (len > c->remote_window)
+				len = c->remote_window;
+			if (len > c->remote_maxpacket)
+				len = c->remote_maxpacket;
+			packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
+			packet_put_int(c->remote_id);
+			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
+			packet_put_string(buffer_ptr(&c->extended), len);
+			packet_send();
+			buffer_consume(&c->extended, len);
+			c->remote_window -= len;
+		}
+	}
+}
+
+/*
+ * This is called when a packet of type CHANNEL_DATA has just been received.
+ * The message type has already been consumed, but channel number and data is
+ * still there.
+ */
+
+void
+channel_input_data(int type, int plen)
+{
+	int id;
+	char *data;
+	unsigned int data_len;
+	Channel *c;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received data for nonexistent channel %d.", id);
+
+	/* Ignore any data for non-open channels (might happen on close) */
+	if (c->type != SSH_CHANNEL_OPEN &&
+	    c->type != SSH_CHANNEL_X11_OPEN)
+		return;
+
+	/* same for protocol 1.5 if output end is no longer open */
+	if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
+		return;
+
+	/* Get the data. */
+	data = packet_get_string(&data_len);
+	packet_done();
+
+	if (compat20){
+		if (data_len > c->local_maxpacket) {
+			log("channel %d: rcvd big packet %d, maxpack %d",
+			    c->self, data_len, c->local_maxpacket);
+		}
+		if (data_len > c->local_window) {
+			log("channel %d: rcvd too much data %d, win %d",
+			    c->self, data_len, c->local_window);
+			xfree(data);
+			return;
+		}
+		c->local_window -= data_len;
+	}else{
+		packet_integrity_check(plen, 4 + 4 + data_len, type);
+	}
+	buffer_append(&c->output, data, data_len);
+	xfree(data);
+}
+void
+channel_input_extended_data(int type, int plen)
+{
+	int id;
+	int tcode;
+	char *data;
+	unsigned int data_len;
+	Channel *c;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL)
+		packet_disconnect("Received extended_data for bad channel %d.", id);
+	if (c->type != SSH_CHANNEL_OPEN) {
+		log("channel %d: ext data for non open", id);
+		return;
+	}
+	tcode = packet_get_int();
+	if (c->efd == -1 ||
+	    c->extended_usage != CHAN_EXTENDED_WRITE ||
+	    tcode != SSH2_EXTENDED_DATA_STDERR) {
+		log("channel %d: bad ext data", c->self);
+		return;
+	}
+	data = packet_get_string(&data_len);
+	packet_done();
+	if (data_len > c->local_window) {
+		log("channel %d: rcvd too much extended_data %d, win %d",
+		    c->self, data_len, c->local_window);
+		xfree(data);
+		return;
+	}
+	debug("channel %d: rcvd ext data %d", c->self, data_len);
+	c->local_window -= data_len;
+	buffer_append(&c->extended, data, data_len);
+	xfree(data);
+}
+
+
+/*
+ * Returns true if no channel has too much buffered data, and false if one or
+ * more channel is overfull.
+ */
+
+int
+channel_not_very_much_buffered_data()
+{
+	unsigned int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+		if (c->type == SSH_CHANNEL_OPEN) {
+			if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
+				debug("channel %d: big input buffer %d",
+				    c->self, buffer_len(&c->input));
+				return 0;
+			}
+			if (buffer_len(&c->output) > packet_get_maxsize()) {
+				debug("channel %d: big output buffer %d",
+				    c->self, buffer_len(&c->output));
+				return 0;
+			}
+		}
+	}
+	return 1;
+}
+
+void
+channel_input_ieof(int type, int plen)
+{
+	int id;
+	Channel *c;
+
+	packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received ieof for nonexistent channel %d.", id);
+	chan_rcvd_ieof(c);
+}
+
+void
+channel_input_close(int type, int plen)
+{
+	int id;
+	Channel *c;
+
+	packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received close for nonexistent channel %d.", id);
+
+	/*
+	 * Send a confirmation that we have closed the channel and no more
+	 * data is coming for it.
+	 */
+	packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
+	packet_put_int(c->remote_id);
+	packet_send();
+
+	/*
+	 * If the channel is in closed state, we have sent a close request,
+	 * and the other side will eventually respond with a confirmation.
+	 * Thus, we cannot free the channel here, because then there would be
+	 * no-one to receive the confirmation.  The channel gets freed when
+	 * the confirmation arrives.
+	 */
+	if (c->type != SSH_CHANNEL_CLOSED) {
+		/*
+		 * Not a closed channel - mark it as draining, which will
+		 * cause it to be freed later.
+		 */
+		buffer_consume(&c->input, buffer_len(&c->input));
+		c->type = SSH_CHANNEL_OUTPUT_DRAINING;
+	}
+}
+
+/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
+void
+channel_input_oclose(int type, int plen)
+{
+	int id = packet_get_int();
+	Channel *c = channel_lookup(id);
+	packet_integrity_check(plen, 4, type);
+	if (c == NULL)
+		packet_disconnect("Received oclose for nonexistent channel %d.", id);
+	chan_rcvd_oclose(c);
+}
+
+void
+channel_input_close_confirmation(int type, int plen)
+{
+	int id = packet_get_int();
+	Channel *c = channel_lookup(id);
+
+	packet_done();
+	if (c == NULL)
+		packet_disconnect("Received close confirmation for "
+		    "out-of-range channel %d.", id);
+	if (c->type != SSH_CHANNEL_CLOSED)
+		packet_disconnect("Received close confirmation for "
+		    "non-closed channel %d (type %d).", id, c->type);
+	channel_free(c->self);
+}
+
+void
+channel_input_open_confirmation(int type, int plen)
+{
+	int id, remote_id;
+	Channel *c;
+
+	if (!compat20)
+		packet_integrity_check(plen, 4 + 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
+		packet_disconnect("Received open confirmation for "
+		    "non-opening channel %d.", id);
+	remote_id = packet_get_int();
+	/* Record the remote channel number and mark that the channel is now open. */
+	c->remote_id = remote_id;
+	c->type = SSH_CHANNEL_OPEN;
+
+	if (compat20) {
+		c->remote_window = packet_get_int();
+		c->remote_maxpacket = packet_get_int();
+		packet_done();
+		if (c->cb_fn != NULL && c->cb_event == type) {
+			debug("callback start");
+			c->cb_fn(c->self, c->cb_arg);
+			debug("callback done");
+		}
+		debug("channel %d: open confirm rwindow %d rmax %d", c->self,
+		    c->remote_window, c->remote_maxpacket);
+	}
+}
+
+void
+channel_input_open_failure(int type, int plen)
+{
+	int id;
+	Channel *c;
+
+	if (!compat20)
+		packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
+		packet_disconnect("Received open failure for "
+		    "non-opening channel %d.", id);
+	if (compat20) {
+		int reason = packet_get_int();
+		char *msg  = packet_get_string(NULL);
+		char *lang  = packet_get_string(NULL);
+		log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
+		packet_done();
+		xfree(msg);
+		xfree(lang);
+	}
+	/* Free the channel.  This will also close the socket. */
+	channel_free(id);
+}
+
+void
+channel_input_channel_request(int type, int plen)
+{
+	int id;
+	Channel *c;
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL ||
+	    (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
+		packet_disconnect("Received request for "
+		    "non-open channel %d.", id);
+	if (c->cb_fn != NULL && c->cb_event == type) {
+		debug("callback start");
+		c->cb_fn(c->self, c->cb_arg);
+		debug("callback done");
+	} else {
+		char *service = packet_get_string(NULL);
+		debug("channel: %d rcvd request for %s", c->self, service);
+debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
+		xfree(service);
+	}
+}
+
+void
+channel_input_window_adjust(int type, int plen)
+{
+	Channel *c;
+	int id, adjust;
+
+	if (!compat20)
+		return;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
+		log("Received window adjust for "
+		    "non-open channel %d.", id);
+		return;
+	}
+	adjust = packet_get_int();
+	packet_done();
+	debug("channel %d: rcvd adjust %d", id, adjust);
+	c->remote_window += adjust;
+}
+
+/*
+ * Stops listening for channels, and removes any unix domain sockets that we
+ * might have.
+ */
+
+void
+channel_stop_listening()
+{
+	int i;
+	for (i = 0; i < channels_alloc; i++) {
+		switch (channels[i].type) {
+		case SSH_CHANNEL_AUTH_SOCKET:
+			close(channels[i].sock);
+			remove(channels[i].path);
+			channel_free(i);
+			break;
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_X11_LISTENER:
+			close(channels[i].sock);
+			channel_free(i);
+			break;
+		default:
+			break;
+		}
+	}
+}
+
+/*
+ * Closes the sockets/fds of all channels.  This is used to close extra file
+ * descriptors after a fork.
+ */
+
+void
+channel_close_all()
+{
+	int i;
+	for (i = 0; i < channels_alloc; i++)
+		if (channels[i].type != SSH_CHANNEL_FREE)
+			channel_close_fds(&channels[i]);
+}
+
+/* Returns the maximum file descriptor number used by the channels. */
+
+int
+channel_max_fd()
+{
+	return channel_max_fd_value;
+}
+
+/* Returns true if any channel is still open. */
+
+int
+channel_still_open()
+{
+	unsigned int i;
+	for (i = 0; i < channels_alloc; i++)
+		switch (channels[i].type) {
+		case SSH_CHANNEL_FREE:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+			if (!compat20)
+				fatal("cannot happen: SSH_CHANNEL_LARVAL");
+			continue;
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+			return 1;
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			if (!compat13)
+				fatal("cannot happen: OUT_DRAIN");
+			return 1;
+		default:
+			fatal("channel_still_open: bad channel type %d", channels[i].type);
+			/* NOTREACHED */
+		}
+	return 0;
+}
+
+/*
+ * Returns a message describing the currently open forwarded connections,
+ * suitable for sending to the client.  The message contains crlf pairs for
+ * newlines.
+ */
+
+char *
+channel_open_message()
+{
+	Buffer buffer;
+	int i;
+	char buf[512], *cp;
+
+	buffer_init(&buffer);
+	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
+	buffer_append(&buffer, buf, strlen(buf));
+	for (i = 0; i < channels_alloc; i++) {
+		Channel *c = &channels[i];
+		switch (c->type) {
+		case SSH_CHANNEL_FREE:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			snprintf(buf, sizeof buf, "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
+			    c->self, c->remote_name,
+			    c->type, c->remote_id,
+			    c->istate, buffer_len(&c->input),
+			    c->ostate, buffer_len(&c->output),
+			    c->rfd, c->wfd);
+			buffer_append(&buffer, buf, strlen(buf));
+			continue;
+		default:
+			fatal("channel_open_message: bad channel type %d", c->type);
+			/* NOTREACHED */
+		}
+	}
+	buffer_append(&buffer, "\0", 1);
+	cp = xstrdup(buffer_ptr(&buffer));
+	buffer_free(&buffer);
+	return cp;
+}
+
+/*
+ * Initiate forwarding of connections to local port "port" through the secure
+ * channel to host:port from remote side.
+ */
+
+void
+channel_request_local_forwarding(u_short port, const char *host,
+				 u_short host_port, int gateway_ports)
+{
+	int success, ch, sock, on = 1;
+	struct addrinfo hints, *ai, *aitop;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	struct linger linger;
+
+	if (strlen(host) > sizeof(channels[0].path) - 1)
+		packet_disconnect("Forward host name too long.");
+
+	/*
+	 * getaddrinfo returns a loopback address if the hostname is
+	 * set to NULL and hints.ai_flags is not AI_PASSIVE
+	 */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", port);
+	if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+		packet_disconnect("getaddrinfo: fatal error");
+
+	success = 0;
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
+		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+			error("channel_request_local_forwarding: getnameinfo failed");
+			continue;
+		}
+		/* Create a port to listen for the host. */
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			/* this is no error since kernel may not support ipv6 */
+			verbose("socket: %.100s", strerror(errno));
+			continue;
+		}
+		/*
+		 * Set socket options.  We would like the socket to disappear
+		 * as soon as it has been closed for whatever reason.
+		 */
+		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
+		linger.l_onoff = 1;
+		linger.l_linger = 5;
+		setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
+		debug("Local forwarding listening on %s port %s.", ntop, strport);
+
+		/* Bind the socket to the address. */
+		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			/* address can be in use ipv6 address is already bound */
+			verbose("bind: %.100s", strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Start listening for connections on the socket. */
+		if (listen(sock, 5) < 0) {
+			error("listen: %.100s", strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Allocate a channel number for the socket. */
+		ch = channel_new(
+		    "port listener", SSH_CHANNEL_PORT_LISTENER,
+		    sock, sock, -1,
+		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+		    0, xstrdup("port listener"));
+		strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
+		channels[ch].host_port = host_port;
+		channels[ch].listening_port = port;
+		success = 1;
+	}
+	if (success == 0)
+		packet_disconnect("cannot listen port: %d", port);
+	freeaddrinfo(aitop);
+}
+
+/*
+ * Initiate forwarding of connections to port "port" on remote host through
+ * the secure channel to host:port from local side.
+ */
+
+void
+channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
+				  u_short port_to_connect)
+{
+	int payload_len;
+	/* Record locally that connection to this host/port is permitted. */
+	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("channel_request_remote_forwarding: too many forwards");
+
+	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
+	permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
+	permitted_opens[num_permitted_opens].listen_port = listen_port;
+	num_permitted_opens++;
+
+	/* Send the forward request to the remote side. */
+	if (compat20) {
+		const char *address_to_bind = "0.0.0.0";
+		packet_start(SSH2_MSG_GLOBAL_REQUEST);
+		packet_put_cstring("tcpip-forward");
+		packet_put_char(0);			/* boolean: want reply */
+		packet_put_cstring(address_to_bind);
+		packet_put_int(listen_port);
+	} else {
+		packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
+		packet_put_int(listen_port);
+		packet_put_cstring(host_to_connect);
+		packet_put_int(port_to_connect);
+		packet_send();
+		packet_write_wait();
+		/*
+		 * Wait for response from the remote side.  It will send a disconnect
+		 * message on failure, and we will never see it here.
+		 */
+		packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+	}
+}
+
+/*
+ * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
+ * listening for the port, and sends back a success reply (or disconnect
+ * message if there was an error).  This never returns if there was an error.
+ */
+
+void
+channel_input_port_forward_request(int is_root, int gateway_ports)
+{
+	u_short port, host_port;
+	char *hostname;
+
+	/* Get arguments from the packet. */
+	port = packet_get_int();
+	hostname = packet_get_string(NULL);
+	host_port = packet_get_int();
+
+	/*
+	 * Check that an unprivileged user is not trying to forward a
+	 * privileged port.
+	 */
+	if (port < IPPORT_RESERVED && !is_root)
+		packet_disconnect("Requested forwarding of port %d but user is not root.",
+				  port);
+	/*
+	 * Initiate forwarding,
+	 */
+	channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
+
+	/* Free the argument string. */
+	xfree(hostname);
+}
+
+/* XXX move to aux.c */
+int
+channel_connect_to(const char *host, u_short host_port)
+{
+	struct addrinfo hints, *ai, *aitop;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int gaierr;
+	int sock = -1;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", host_port);
+	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+		error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+		return -1;
+	}
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
+		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+			error("channel_connect_to: getnameinfo failed");
+			continue;
+		}
+		/* Create the socket. */
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			error("socket: %.100s", strerror(errno));
+			continue;
+		}
+		/* Connect to the host/port. */
+		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			error("connect %.100s port %s: %.100s", ntop, strport,
+			    strerror(errno));
+			close(sock);
+			continue;	/* fail -- try next */	
+		}
+		break; /* success */
+
+	}
+	freeaddrinfo(aitop);
+	if (!ai) {
+		error("connect %.100s port %d: failed.", host, host_port);	
+		return -1;
+	}
+	/* success */
+	return sock;
+}
+/*
+ * This is called after receiving PORT_OPEN message.  This attempts to
+ * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
+ * or CHANNEL_OPEN_FAILURE.
+ */
+
+void
+channel_input_port_open(int type, int plen)
+{
+	u_short host_port;
+	char *host, *originator_string;
+	int remote_channel, sock = -1, newch, i, denied;
+	unsigned int host_len, originator_len;
+
+	/* Get remote channel number. */
+	remote_channel = packet_get_int();
+
+	/* Get host name to connect to. */
+	host = packet_get_string(&host_len);
+
+	/* Get port to connect to. */
+	host_port = packet_get_int();
+
+	/* Get remote originator name. */
+	if (have_hostname_in_open) {
+		originator_string = packet_get_string(&originator_len);
+		originator_len += 4;	/* size of packet_int */
+	} else {
+		originator_string = xstrdup("unknown (remote did not supply name)");
+		originator_len = 0;	/* no originator supplied */
+	}
+
+	packet_integrity_check(plen,
+	    4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
+
+	/* Check if opening that port is permitted. */
+	denied = 0;
+	if (!all_opens_permitted) {
+		/* Go trough all permitted ports. */
+		for (i = 0; i < num_permitted_opens; i++)
+			if (permitted_opens[i].port_to_connect == host_port &&
+			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
+				break;
+
+		/* Check if we found the requested port among those permitted. */
+		if (i >= num_permitted_opens) {
+			/* The port is not permitted. */
+			log("Received request to connect to %.100s:%d, but the request was denied.",
+			    host, host_port);
+			denied = 1;
+		}
+	}
+	sock = denied ? -1 : channel_connect_to(host, host_port);
+	if (sock > 0) {
+		/* Allocate a channel for this connection. */
+		newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
+		channels[newch].remote_id = remote_channel;
+
+		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(remote_channel);
+		packet_put_int(newch);
+		packet_send();
+	} else {
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remote_channel);
+		packet_send();
+	}
+	xfree(host);
+}
+
+/*
+ * Creates an internet domain socket for listening for X11 connections.
+ * Returns a suitable value for the DISPLAY variable, or NULL if an error
+ * occurs.
+ */
+
+#define	NUM_SOCKS	10
+
+char *
+x11_create_display_inet(int screen_number, int x11_display_offset)
+{
+	int display_number, sock;
+	u_short port;
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
+	char display[512];
+	char hostname[MAXHOSTNAMELEN];
+
+	for (display_number = x11_display_offset;
+	     display_number < MAX_DISPLAYS;
+	     display_number++) {
+		port = 6000 + display_number;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		hints.ai_flags = AI_PASSIVE;		/* XXX loopback only ? */
+		hints.ai_socktype = SOCK_STREAM;
+		snprintf(strport, sizeof strport, "%d", port);
+		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+			error("getaddrinfo: %.100s", gai_strerror(gaierr));
+			return NULL;
+		}
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			sock = socket(ai->ai_family, SOCK_STREAM, 0);
+			if (sock < 0) {
+				error("socket: %.100s", strerror(errno));
+				return NULL;
+			}
+			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+				debug("bind port %d: %.100s", port, strerror(errno));
+				shutdown(sock, SHUT_RDWR);
+				close(sock);
+				for (n = 0; n < num_socks; n++) {
+					shutdown(socks[n], SHUT_RDWR);
+					close(socks[n]);
+				}
+				num_socks = 0;
+				break;
+			}
+			socks[num_socks++] = sock;
+			if (num_socks == NUM_SOCKS)
+				break;
+		}
+		if (num_socks > 0)
+			break;
+	}
+	if (display_number >= MAX_DISPLAYS) {
+		error("Failed to allocate internet-domain X11 display socket.");
+		return NULL;
+	}
+	/* Start listening for connections on the socket. */
+	for (n = 0; n < num_socks; n++) {
+		sock = socks[n];
+		if (listen(sock, 5) < 0) {
+			error("listen: %.100s", strerror(errno));
+			shutdown(sock, SHUT_RDWR);
+			close(sock);
+			return NULL;
+		}
+	}
+
+	/* Set up a suitable value for the DISPLAY variable. */
+	if (gethostname(hostname, sizeof(hostname)) < 0)
+		fatal("gethostname: %.100s", strerror(errno));
+	snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
+		 display_number, screen_number);
+
+	/* Allocate a channel for each socket. */
+	for (n = 0; n < num_socks; n++) {
+		sock = socks[n];
+		(void) channel_new("x11 listener",
+		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+		    0, xstrdup("X11 inet listener"));
+	}
+
+	/* Return a suitable value for the DISPLAY environment variable. */
+	return xstrdup(display);
+}
+
+#ifndef X_UNIX_PATH
+#define X_UNIX_PATH "/tmp/.X11-unix/X"
+#endif
+
+static
+int
+connect_local_xsocket(unsigned int dnr)
+{
+	static const char *const x_sockets[] = {
+		X_UNIX_PATH "%u",
+		"/var/X/.X11-unix/X" "%u",
+		"/usr/spool/sockets/X11/" "%u",
+		NULL
+	};
+	int sock;
+	struct sockaddr_un addr;
+	const char *const * path;
+
+	for (path = x_sockets; *path; ++path) {
+		sock = socket(AF_UNIX, SOCK_STREAM, 0);
+		if (sock < 0)
+			error("socket: %.100s", strerror(errno));
+		memset(&addr, 0, sizeof(addr));
+		addr.sun_family = AF_UNIX;
+		snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
+		if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
+			return sock;
+		close(sock);
+	}
+	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
+	return -1;
+}
+
+int
+x11_connect_display(void)
+{
+	int display_number, sock = 0;
+	const char *display;
+	char buf[1024], *cp;
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr;
+
+	/* Try to open a socket for the local X server. */
+	display = getenv("DISPLAY");
+	if (!display) {
+		error("DISPLAY not set.");
+		return -1;
+	}
+	/*
+	 * Now we decode the value of the DISPLAY variable and make a
+	 * connection to the real X server.
+	 */
+
+	/*
+	 * Check if it is a unix domain socket.  Unix domain displays are in
+	 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
+	 */
+	if (strncmp(display, "unix:", 5) == 0 ||
+	    display[0] == ':') {
+		/* Connect to the unix domain socket. */
+		if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
+			error("Could not parse display number from DISPLAY: %.100s",
+			      display);
+			return -1;
+		}
+		/* Create a socket. */
+		sock = connect_local_xsocket(display_number);
+		if (sock < 0)
+			return -1;
+
+		/* OK, we now have a connection to the display. */
+		return sock;
+	}
+	/*
+	 * Connect to an inet socket.  The DISPLAY value is supposedly
+	 * hostname:d[.s], where hostname may also be numeric IP address.
+	 */
+	strncpy(buf, display, sizeof(buf));
+	buf[sizeof(buf) - 1] = 0;
+	cp = strchr(buf, ':');
+	if (!cp) {
+		error("Could not find ':' in DISPLAY: %.100s", display);
+		return -1;
+	}
+	*cp = 0;
+	/* buf now contains the host name.  But first we parse the display number. */
+	if (sscanf(cp + 1, "%d", &display_number) != 1) {
+		error("Could not parse display number from DISPLAY: %.100s",
+		      display);
+		return -1;
+	}
+
+	/* Look up the host address */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", 6000 + display_number);
+	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
+		error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
+		return -1;
+	}
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		/* Create a socket. */
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			debug("socket: %.100s", strerror(errno));
+			continue;
+		}
+		/* Connect it to the display. */
+		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			debug("connect %.100s port %d: %.100s", buf,
+			    6000 + display_number, strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Success */
+		break;
+	}
+	freeaddrinfo(aitop);
+	if (!ai) {
+		error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
+		    strerror(errno));
+		return -1;
+	}
+	return sock;
+}
+
+/*
+ * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
+ * the remote channel number.  We should do whatever we want, and respond
+ * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
+ */
+
+void
+x11_input_open(int type, int plen)
+{
+	int remote_channel, sock = 0, newch;
+	char *remote_host;
+	unsigned int remote_len;
+
+	/* Get remote channel number. */
+	remote_channel = packet_get_int();
+
+	/* Get remote originator name. */
+	if (have_hostname_in_open) {
+		remote_host = packet_get_string(&remote_len);
+		remote_len += 4;
+	} else {
+		remote_host = xstrdup("unknown (remote did not supply name)");
+		remote_len = 0;
+	}
+
+	debug("Received X11 open request.");
+	packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
+
+	/* Obtain a connection to the real X display. */
+	sock = x11_connect_display();
+	if (sock == -1) {
+		/* Send refusal to the remote host. */
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remote_channel);
+		packet_send();
+	} else {
+		/* Allocate a channel for this connection. */
+		newch = channel_allocate(
+		     (x11_saved_proto == NULL) ?
+		     SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
+		     sock, remote_host);
+		channels[newch].remote_id = remote_channel;
+
+		/* Send a confirmation to the remote host. */
+		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(remote_channel);
+		packet_put_int(newch);
+		packet_send();
+	}
+}
+
+/*
+ * Requests forwarding of X11 connections, generates fake authentication
+ * data, and enables authentication spoofing.
+ */
+
+void
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data)
+{
+	unsigned int data_len = (unsigned int) strlen(data) / 2;
+	unsigned int i, value;
+	char *new_data;
+	int screen_number;
+	const char *cp;
+	u_int32_t rand = 0;
+
+	cp = getenv("DISPLAY");
+	if (cp)
+		cp = strchr(cp, ':');
+	if (cp)
+		cp = strchr(cp, '.');
+	if (cp)
+		screen_number = atoi(cp + 1);
+	else
+		screen_number = 0;
+
+	/* Save protocol name. */
+	x11_saved_proto = xstrdup(proto);
+
+	/*
+	 * Extract real authentication data and generate fake data of the
+	 * same length.
+	 */
+	x11_saved_data = xmalloc(data_len);
+	x11_fake_data = xmalloc(data_len);
+	for (i = 0; i < data_len; i++) {
+		if (sscanf(data + 2 * i, "%2x", &value) != 1)
+			fatal("x11_request_forwarding: bad authentication data: %.100s", data);
+		if (i % 4 == 0)
+			rand = arc4random();
+		x11_saved_data[i] = value;
+		x11_fake_data[i] = rand & 0xff;
+		rand >>= 8;
+	}
+	x11_saved_data_len = data_len;
+	x11_fake_data_len = data_len;
+
+	/* Convert the fake data into hex. */
+	new_data = xmalloc(2 * data_len + 1);
+	for (i = 0; i < data_len; i++)
+		sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
+
+	/* Send the request packet. */
+	if (compat20) {
+		channel_request_start(client_session_id, "x11-req", 0);
+		packet_put_char(0);	/* XXX bool single connection */
+	} else {
+		packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
+	}
+	packet_put_cstring(proto);
+	packet_put_cstring(new_data);
+	packet_put_int(screen_number);
+	packet_send();
+	packet_write_wait();
+	xfree(new_data);
+}
+
+/* Sends a message to the server to request authentication fd forwarding. */
+
+void
+auth_request_forwarding()
+{
+	packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * Returns the name of the forwarded authentication socket.  Returns NULL if
+ * there is no forwarded authentication socket.  The returned value points to
+ * a static buffer.
+ */
+
+char *
+auth_get_socket_name()
+{
+	return channel_forwarded_auth_socket_name;
+}
+
+/* removes the agent forwarding socket */
+
+void
+cleanup_socket(void)
+{
+	remove(channel_forwarded_auth_socket_name);
+	rmdir(channel_forwarded_auth_socket_dir);
+}
+
+/*
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This starts forwarding authentication requests.
+ */
+
+int
+auth_input_request_forwarding(struct passwd * pw)
+{
+	int sock, newch;
+	struct sockaddr_un sunaddr;
+
+	if (auth_get_socket_name() != NULL)
+		fatal("Protocol error: authentication forwarding requested twice.");
+
+	/* Temporarily drop privileged uid for mkdir/bind. */
+	temporarily_use_uid(pw->pw_uid);
+
+	/* Allocate a buffer for the socket name, and format the name. */
+	channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
+	channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
+	strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
+
+	/* Create private directory for socket */
+	if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+		packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+		    strerror(errno));
+		restore_uid();
+		xfree(channel_forwarded_auth_socket_name);
+		xfree(channel_forwarded_auth_socket_dir);
+		channel_forwarded_auth_socket_name = NULL;
+		channel_forwarded_auth_socket_dir = NULL;
+		return 0;
+	}
+	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
+		 channel_forwarded_auth_socket_dir, (int) getpid());
+
+	if (atexit(cleanup_socket) < 0) {
+		int saved = errno;
+		cleanup_socket();
+		packet_disconnect("socket: %.100s", strerror(saved));
+	}
+	/* Create the socket. */
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0)
+		packet_disconnect("socket: %.100s", strerror(errno));
+
+	/* Bind it to the name. */
+	memset(&sunaddr, 0, sizeof(sunaddr));
+	sunaddr.sun_family = AF_UNIX;
+	strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
+		sizeof(sunaddr.sun_path));
+
+	if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
+		packet_disconnect("bind: %.100s", strerror(errno));
+
+	/* Restore the privileged uid. */
+	restore_uid();
+
+	/* Start listening on the socket. */
+	if (listen(sock, 5) < 0)
+		packet_disconnect("listen: %.100s", strerror(errno));
+
+	/* Allocate a channel for the authentication agent socket. */
+	newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
+				 xstrdup("auth socket"));
+	strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
+	    sizeof(channels[newch].path));
+	return 1;
+}
+
+/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
+
+void
+auth_input_open_request(int type, int plen)
+{
+	int remch, sock, newch;
+	char *dummyname;
+
+	packet_integrity_check(plen, 4, type);
+
+	/* Read the remote channel number from the message. */
+	remch = packet_get_int();
+
+	/*
+	 * Get a connection to the local authentication agent (this may again
+	 * get forwarded).
+	 */
+	sock = ssh_get_authentication_socket();
+
+	/*
+	 * If we could not connect the agent, send an error message back to
+	 * the server. This should never happen unless the agent dies,
+	 * because authentication forwarding is only enabled if we have an
+	 * agent.
+	 */
+	if (sock < 0) {
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remch);
+		packet_send();
+		return;
+	}
+	debug("Forwarding authentication connection.");
+
+	/*
+	 * Dummy host name.  This will be freed when the channel is freed; it
+	 * will still be valid in the packet_put_string below since the
+	 * channel cannot yet be freed at that point.
+	 */
+	dummyname = xstrdup("authentication agent connection");
+
+	newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
+	channels[newch].remote_id = remch;
+
+	/* Send a confirmation to the remote host. */
+	packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+	packet_put_int(remch);
+	packet_put_int(newch);
+	packet_send();
+}
+
+void
+channel_start_open(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_open: %d: bad id", id);
+		return;
+	}
+	debug("send channel open %d", id);
+	packet_start(SSH2_MSG_CHANNEL_OPEN);
+	packet_put_cstring(c->ctype);
+	packet_put_int(c->self);
+	packet_put_int(c->local_window);
+	packet_put_int(c->local_maxpacket);
+}
+void
+channel_open(int id)
+{
+	/* XXX REMOVE ME */
+	channel_start_open(id);
+	packet_send();
+}
+void
+channel_request(int id, char *service, int wantconfirm)
+{
+	channel_request_start(id, service, wantconfirm);
+	packet_send();
+	debug("channel request %d: %s", id, service) ;
+}
+void
+channel_request_start(int id, char *service, int wantconfirm)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_request: %d: bad id", id);
+		return;
+	}
+	packet_start(SSH2_MSG_CHANNEL_REQUEST);
+	packet_put_int(c->remote_id);
+	packet_put_cstring(service);
+	packet_put_char(wantconfirm);
+}
+void
+channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_callback: %d: bad id", id);
+		return;
+	}
+	c->cb_event = mtype;
+	c->cb_fn = fn;
+	c->cb_arg = arg;
+}
+void
+channel_register_cleanup(int id, channel_callback_fn *fn)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = fn;
+}
+void
+channel_cancel_cleanup(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_cancel_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = NULL;
+}
+
+void
+channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
+		fatal("channel_activate for non-larval channel %d.", id);
+
+	channel_register_fds(c, rfd, wfd, efd, extusage);
+	c->type = SSH_CHANNEL_OPEN;
+	/* XXX window size? */
+	c->local_window = c->local_window_max = c->local_maxpacket/2;
+	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+	packet_put_int(c->remote_id);
+	packet_put_int(c->local_window);
+	packet_send();
+}
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
new file mode 100644
index 0000000..4cafdb9
--- /dev/null
+++ b/crypto/openssh/channels.h
@@ -0,0 +1,237 @@
+/* RCSID("$Id: channels.h,v 1.13 2000/05/30 17:23:37 markus Exp $"); */
+
+#ifndef CHANNELS_H
+#define CHANNELS_H
+
+/* Definitions for channel types. */
+#define SSH_CHANNEL_FREE		0	/* This channel is free (unused). */
+#define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
+#define SSH_CHANNEL_PORT_LISTENER	2	/* Listening on a port. */
+#define SSH_CHANNEL_OPENING		3	/* waiting for confirmation */
+#define SSH_CHANNEL_OPEN		4	/* normal open two-way channel */
+#define SSH_CHANNEL_CLOSED		5	/* waiting for close confirmation */
+#define SSH_CHANNEL_AUTH_SOCKET		6	/* authentication socket */
+#define SSH_CHANNEL_X11_OPEN		7	/* reading first X11 packet */
+#define SSH_CHANNEL_INPUT_DRAINING	8	/* sending remaining data to conn */
+#define SSH_CHANNEL_OUTPUT_DRAINING	9	/* sending remaining data to app */
+#define SSH_CHANNEL_LARVAL		10	/* larval session */
+#define SSH_CHANNEL_MAX_TYPE		11
+
+/*
+ * Data structure for channel data.  This is iniailized in channel_allocate
+ * and cleared in channel_free.
+ */
+typedef void channel_callback_fn(int id, void *arg);
+
+typedef struct Channel {
+	int     type;		/* channel type/state */
+	int     self;		/* my own channel identifier */
+	int     remote_id;	/* channel identifier for remote peer */
+	/* peer can be reached over encrypted connection, via packet-sent */
+	int     istate;		/* input from channel (state of receive half) */
+	int     ostate;		/* output to channel  (state of transmit half) */
+	int     flags;		/* close sent/rcvd */
+	int     rfd;		/* read fd */
+	int     wfd;		/* write fd */
+	int     efd;		/* extended fd */
+	int     sock;		/* sock fd */
+	Buffer  input;		/* data read from socket, to be sent over
+				 * encrypted connection */
+	Buffer  output;		/* data received over encrypted connection for
+				 * send on socket */
+	Buffer  extended;
+	char    path[200];	/* path for unix domain sockets, or host name
+				 * for forwards */
+	int     listening_port;	/* port being listened for forwards */
+	int     host_port;	/* remote port to connect for forwards */
+	char   *remote_name;	/* remote hostname */
+
+	int	remote_window;
+	int	remote_maxpacket;
+	int	local_window;
+	int	local_window_max;
+	int	local_consumed;
+	int	local_maxpacket;
+	int     extended_usage;
+
+	char   *ctype;		/* type */
+
+	/* callback */
+	channel_callback_fn	*cb_fn;
+	void	*cb_arg;
+	int	cb_event;
+	channel_callback_fn	*dettach_user;
+}       Channel;
+
+#define CHAN_EXTENDED_IGNORE		0
+#define CHAN_EXTENDED_READ		1
+#define CHAN_EXTENDED_WRITE		2
+
+void	channel_set_fds(int id, int rfd, int wfd, int efd, int extusage);
+void	channel_open(int id);
+void	channel_request(int id, char *service, int wantconfirm);
+void	channel_request_start(int id, char *service, int wantconfirm);
+void	channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg);
+void	channel_register_cleanup(int id, channel_callback_fn *fn);
+void	channel_cancel_cleanup(int id);
+Channel	*channel_lookup(int id);
+
+int
+channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+    int window, int maxpack, int extended_usage, char *remote_name);
+
+void	channel_input_channel_request(int type, int plen);
+void	channel_input_close(int type, int plen);
+void	channel_input_close_confirmation(int type, int plen);
+void	channel_input_data(int type, int plen);
+void	channel_input_extended_data(int type, int plen);
+void	channel_input_ieof(int type, int plen);
+void	channel_input_oclose(int type, int plen);
+void	channel_input_open_confirmation(int type, int plen);
+void	channel_input_open_failure(int type, int plen);
+void	channel_input_port_open(int type, int plen);
+void	channel_input_window_adjust(int type, int plen);
+void	channel_input_open(int type, int plen);
+
+/* Sets specific protocol options. */
+void    channel_set_options(int hostname_in_open);
+
+/*
+ * Allocate a new channel object and set its type and socket.  Remote_name
+ * must have been allocated with xmalloc; this will free it when the channel
+ * is freed.
+ */
+int     channel_allocate(int type, int sock, char *remote_name);
+
+/* Free the channel and close its socket. */
+void    channel_free(int channel);
+
+/* Add any bits relevant to channels in select bitmasks. */
+void    channel_prepare_select(fd_set * readset, fd_set * writeset);
+
+/*
+ * After select, perform any appropriate operations for channels which have
+ * events pending.
+ */
+void    channel_after_select(fd_set * readset, fd_set * writeset);
+
+/* If there is data to send to the connection, send some of it now. */
+void    channel_output_poll(void);
+
+/* Returns true if no channel has too much buffered data. */
+int     channel_not_very_much_buffered_data(void);
+
+/* This closes any sockets that are listening for connections; this removes
+   any unix domain sockets. */
+void    channel_stop_listening(void);
+
+/*
+ * Closes the sockets of all channels.  This is used to close extra file
+ * descriptors after a fork.
+ */
+void    channel_close_all(void);
+
+/* Returns the maximum file descriptor number used by the channels. */
+int     channel_max_fd(void);
+
+/* Returns true if there is still an open channel over the connection. */
+int     channel_still_open(void);
+
+/*
+ * Returns a string containing a list of all open channels.  The list is
+ * suitable for displaying to the user.  It uses crlf instead of newlines.
+ * The caller should free the string with xfree.
+ */
+char   *channel_open_message(void);
+
+/*
+ * Initiate forwarding of connections to local port "port" through the secure
+ * channel to host:port from remote side.  This never returns if there was an
+ * error.
+ */
+void
+channel_request_local_forwarding(u_short port, const char *host,
+    u_short remote_port, int gateway_ports);
+
+/*
+ * Initiate forwarding of connections to port "port" on remote host through
+ * the secure channel to host:port from local side.  This never returns if
+ * there was an error.  This registers that open requests for that port are
+ * permitted.
+ */
+void
+channel_request_remote_forwarding(u_short port, const char *host,
+    u_short remote_port);
+
+/*
+ * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
+ * called by the server, because the user could connect to any port anyway,
+ * and the server has no way to know but to trust the client anyway.
+ */
+void    channel_permit_all_opens(void);
+
+/*
+ * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
+ * listening for the port, and sends back a success reply (or disconnect
+ * message if there was an error).  This never returns if there was an error.
+ */
+void    channel_input_port_forward_request(int is_root, int gateway_ports);
+
+/*
+ * Creates a port for X11 connections, and starts listening for it. Returns
+ * the display name, or NULL if an error was encountered.
+ */
+char   *x11_create_display(int screen);
+
+/*
+ * Creates an internet domain socket for listening for X11 connections.
+ * Returns a suitable value for the DISPLAY variable, or NULL if an error
+ * occurs.
+ */
+char   *x11_create_display_inet(int screen, int x11_display_offset);
+
+/*
+ * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
+ * the remote channel number.  We should do whatever we want, and respond
+ * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
+ */
+void    x11_input_open(int type, int plen);
+
+/*
+ * Requests forwarding of X11 connections.  This should be called on the
+ * client only.
+ */
+void    x11_request_forwarding(void);
+
+/*
+ * Requests forwarding for X11 connections, with authentication spoofing.
+ * This should be called in the client only.
+ */
+void
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data);
+
+/* Sends a message to the server to request authentication fd forwarding. */
+void    auth_request_forwarding(void);
+
+/*
+ * Returns the name of the forwarded authentication socket.  Returns NULL if
+ * there is no forwarded authentication socket.  The returned value points to
+ * a static buffer.
+ */
+char   *auth_get_socket_name(void);
+
+/*
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This starts forwarding authentication requests.
+ */
+int     auth_input_request_forwarding(struct passwd * pw);
+
+/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
+void    auth_input_open_request(int type, int plen);
+
+/* XXX */
+int	channel_connect_to(const char *host, u_short host_port);
+int	x11_connect_display(void);
+
+#endif
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
new file mode 100644
index 0000000..0f0f0d0
--- /dev/null
+++ b/crypto/openssh/cipher.c
@@ -0,0 +1,464 @@
+/*
+ *
+ * cipher.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Apr 19 17:41:39 1995 ylo
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: cipher.c,v 1.27 2000/05/22 18:42:00 markus Exp $");
+
+#include "ssh.h"
+#include "cipher.h"
+#include "xmalloc.h"
+
+#include <openssl/md5.h>
+
+/*
+ * This is used by SSH1:
+ *
+ * What kind of triple DES are these 2 routines?
+ *
+ * Why is there a redundant initialization vector?
+ *
+ * If only iv3 was used, then, this would till effect have been
+ * outer-cbc. However, there is also a private iv1 == iv2 which
+ * perhaps makes differential analysis easier. On the other hand, the
+ * private iv1 probably makes the CRC-32 attack ineffective. This is a
+ * result of that there is no longer any known iv1 to use when
+ * choosing the X block.
+ */
+void
+SSH_3CBC_ENCRYPT(des_key_schedule ks1,
+		 des_key_schedule ks2, des_cblock * iv2,
+		 des_key_schedule ks3, des_cblock * iv3,
+		 unsigned char *dest, unsigned char *src,
+		 unsigned int len)
+{
+	des_cblock iv1;
+
+	memcpy(&iv1, iv2, 8);
+
+	des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT);
+	memcpy(&iv1, dest + len - 8, 8);
+
+	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT);
+	memcpy(iv2, &iv1, 8);	/* Note how iv1 == iv2 on entry and exit. */
+
+	des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT);
+	memcpy(iv3, dest + len - 8, 8);
+}
+
+void
+SSH_3CBC_DECRYPT(des_key_schedule ks1,
+		 des_key_schedule ks2, des_cblock * iv2,
+		 des_key_schedule ks3, des_cblock * iv3,
+		 unsigned char *dest, unsigned char *src,
+		 unsigned int len)
+{
+	des_cblock iv1;
+
+	memcpy(&iv1, iv2, 8);
+
+	des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT);
+	memcpy(iv3, src + len - 8, 8);
+
+	des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT);
+	memcpy(iv2, dest + len - 8, 8);
+
+	des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT);
+	/* memcpy(&iv1, iv2, 8); */
+	/* Note how iv1 == iv2 on entry and exit. */
+}
+
+/*
+ * SSH1 uses a variation on Blowfish, all bytes must be swapped before
+ * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
+ */
+static void
+swap_bytes(const unsigned char *src, unsigned char *dst_, int n)
+{
+	/* dst must be properly aligned. */
+	u_int32_t *dst = (u_int32_t *) dst_;
+	union {
+		u_int32_t i;
+		char c[4];
+	} t;
+
+	/* Process 8 bytes every lap. */
+	for (n = n / 8; n > 0; n--) {
+		t.c[3] = *src++;
+		t.c[2] = *src++;
+		t.c[1] = *src++;
+		t.c[0] = *src++;
+		*dst++ = t.i;
+
+		t.c[3] = *src++;
+		t.c[2] = *src++;
+		t.c[1] = *src++;
+		t.c[0] = *src++;
+		*dst++ = t.i;
+	}
+}
+
+/*
+ * Names of all encryption algorithms.
+ * These must match the numbers defined in cipher.h.
+ */
+static char *cipher_names[] =
+{
+	"none",
+	"idea",
+	"des",
+	"3des",
+	"tss",
+	"rc4",
+	"blowfish",
+	"reserved",
+	"blowfish-cbc",
+	"3des-cbc",
+	"arcfour",
+	"cast128-cbc"
+};
+
+/*
+ * Returns a bit mask indicating which ciphers are supported by this
+ * implementation.  The bit mask has the corresponding bit set of each
+ * supported cipher.
+ */
+
+unsigned int
+cipher_mask1()
+{
+	unsigned int mask = 0;
+	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
+	mask |= 1 << SSH_CIPHER_BLOWFISH;
+	return mask;
+}
+unsigned int
+cipher_mask2()
+{
+	unsigned int mask = 0;
+	mask |= 1 << SSH_CIPHER_BLOWFISH_CBC;
+	mask |= 1 << SSH_CIPHER_3DES_CBC;
+	mask |= 1 << SSH_CIPHER_ARCFOUR;
+	mask |= 1 << SSH_CIPHER_CAST128_CBC;
+	return mask;
+}
+unsigned int
+cipher_mask()
+{
+	return cipher_mask1() | cipher_mask2();
+}
+
+/* Returns the name of the cipher. */
+
+const char *
+cipher_name(int cipher)
+{
+	if (cipher < 0 || cipher >= sizeof(cipher_names) / sizeof(cipher_names[0]) ||
+	    cipher_names[cipher] == NULL)
+		fatal("cipher_name: bad cipher name: %d", cipher);
+	return cipher_names[cipher];
+}
+
+/* Returns 1 if the name of the ciphers are valid. */
+
+#define	CIPHER_SEP	","
+int
+ciphers_valid(const char *names)
+{
+	char *ciphers;
+	char *p;
+	int i;
+
+	if (names == NULL || strcmp(names, "") == 0)
+		return 0;
+	ciphers = xstrdup(names);
+	for ((p = strtok(ciphers, CIPHER_SEP)); p; (p = strtok(NULL, CIPHER_SEP))) {
+		i = cipher_number(p);
+		if (i == -1 || !(cipher_mask2() & (1 << i))) {
+			xfree(ciphers);
+			return 0;
+		}
+	}
+	xfree(ciphers);
+	return 1;
+}
+
+/*
+ * Parses the name of the cipher.  Returns the number of the corresponding
+ * cipher, or -1 on error.
+ */
+
+int
+cipher_number(const char *name)
+{
+	int i;
+	if (name == NULL)
+		return -1;
+	for (i = 0; i < sizeof(cipher_names) / sizeof(cipher_names[0]); i++)
+		if (strcmp(cipher_names[i], name) == 0 &&
+		    (cipher_mask() & (1 << i)))
+			return i;
+	return -1;
+}
+
+/*
+ * Selects the cipher, and keys if by computing the MD5 checksum of the
+ * passphrase and using the resulting 16 bytes as the key.
+ */
+
+void
+cipher_set_key_string(CipherContext *context, int cipher, const char *passphrase)
+{
+	MD5_CTX md;
+	unsigned char digest[16];
+
+	MD5_Init(&md);
+	MD5_Update(&md, (const unsigned char *) passphrase, strlen(passphrase));
+	MD5_Final(digest, &md);
+
+	cipher_set_key(context, cipher, digest, 16);
+
+	memset(digest, 0, sizeof(digest));
+	memset(&md, 0, sizeof(md));
+}
+
+/* Selects the cipher to use and sets the key. */
+
+void
+cipher_set_key(CipherContext *context, int cipher, const unsigned char *key,
+    int keylen)
+{
+	unsigned char padded[32];
+
+	/* Set cipher type. */
+	context->type = cipher;
+
+	/* Get 32 bytes of key data.  Pad if necessary.  (So that code
+	   below does not need to worry about key size). */
+	memset(padded, 0, sizeof(padded));
+	memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded));
+
+	/* Initialize the initialization vector. */
+	switch (cipher) {
+	case SSH_CIPHER_NONE:
+		/*
+		 * Has to stay for authfile saving of private key with no
+		 * passphrase
+		 */
+		break;
+
+	case SSH_CIPHER_3DES:
+		/*
+		 * Note: the least significant bit of each byte of key is
+		 * parity, and must be ignored by the implementation.  16
+		 * bytes of key are used (first and last keys are the same).
+		 */
+		if (keylen < 16)
+			error("Key length %d is insufficient for 3DES.", keylen);
+		des_set_key((void *) padded, context->u.des3.key1);
+		des_set_key((void *) (padded + 8), context->u.des3.key2);
+		if (keylen <= 16)
+			des_set_key((void *) padded, context->u.des3.key3);
+		else
+			des_set_key((void *) (padded + 16), context->u.des3.key3);
+		memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2));
+		memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3));
+		break;
+
+	case SSH_CIPHER_BLOWFISH:
+		if (keylen < 16)
+			error("Key length %d is insufficient for blowfish.", keylen);
+		BF_set_key(&context->u.bf.key, keylen, padded);
+		memset(context->u.bf.iv, 0, 8);
+		break;
+
+	case SSH_CIPHER_3DES_CBC:
+	case SSH_CIPHER_BLOWFISH_CBC:
+	case SSH_CIPHER_ARCFOUR:
+	case SSH_CIPHER_CAST128_CBC:
+		fatal("cipher_set_key: illegal cipher: %s", cipher_name(cipher));
+		break;
+
+	default:
+		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
+	}
+	memset(padded, 0, sizeof(padded));
+}
+
+void
+cipher_set_key_iv(CipherContext * context, int cipher,
+    const unsigned char *key, int keylen,
+    const unsigned char *iv, int ivlen)
+{
+	/* Set cipher type. */
+	context->type = cipher;
+
+	/* Initialize the initialization vector. */
+	switch (cipher) {
+	case SSH_CIPHER_NONE:
+		break;
+
+	case SSH_CIPHER_3DES:
+	case SSH_CIPHER_BLOWFISH:
+		fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(cipher));
+		break;
+
+	case SSH_CIPHER_3DES_CBC:
+		if (keylen < 24)
+			error("Key length %d is insufficient for 3des-cbc.", keylen);
+		des_set_key((void *) key, context->u.des3.key1);
+		des_set_key((void *) (key+8), context->u.des3.key2);
+		des_set_key((void *) (key+16), context->u.des3.key3);
+		if (ivlen < 8)
+			error("IV length %d is insufficient for 3des-cbc.", ivlen);
+		memcpy(context->u.des3.iv3, (char *)iv, 8);
+		break;
+
+	case SSH_CIPHER_BLOWFISH_CBC:
+		if (keylen < 16)
+			error("Key length %d is insufficient for blowfish.", keylen);
+		if (ivlen < 8)
+			error("IV length %d is insufficient for blowfish.", ivlen);
+		BF_set_key(&context->u.bf.key, keylen, (unsigned char *)key);
+		memcpy(context->u.bf.iv, (char *)iv, 8);
+		break;
+
+	case SSH_CIPHER_ARCFOUR:
+		if (keylen < 16)
+			error("Key length %d is insufficient for arcfour.", keylen);
+		RC4_set_key(&context->u.rc4, keylen, (unsigned char *)key);
+		break;
+
+	case SSH_CIPHER_CAST128_CBC:
+		if (keylen < 16)
+			error("Key length %d is insufficient for cast128.", keylen);
+		if (ivlen < 8)
+			error("IV length %d is insufficient for cast128.", ivlen);
+		CAST_set_key(&context->u.cast.key, keylen, (unsigned char *) key);
+		memcpy(context->u.cast.iv, (char *)iv, 8);
+		break;
+
+	default:
+		fatal("cipher_set_key: unknown cipher: %s", cipher_name(cipher));
+	}
+}
+
+/* Encrypts data using the cipher. */
+
+void
+cipher_encrypt(CipherContext *context, unsigned char *dest,
+	       const unsigned char *src, unsigned int len)
+{
+	if ((len & 7) != 0)
+		fatal("cipher_encrypt: bad plaintext length %d", len);
+
+	switch (context->type) {
+	case SSH_CIPHER_NONE:
+		memcpy(dest, src, len);
+		break;
+
+	case SSH_CIPHER_3DES:
+		SSH_3CBC_ENCRYPT(context->u.des3.key1,
+				 context->u.des3.key2, &context->u.des3.iv2,
+				 context->u.des3.key3, &context->u.des3.iv3,
+				 dest, (unsigned char *) src, len);
+		break;
+
+	case SSH_CIPHER_BLOWFISH:
+		swap_bytes(src, dest, len);
+		BF_cbc_encrypt(dest, dest, len,
+			       &context->u.bf.key, context->u.bf.iv,
+			       BF_ENCRYPT);
+		swap_bytes(dest, dest, len);
+		break;
+
+	case SSH_CIPHER_BLOWFISH_CBC:
+		BF_cbc_encrypt((void *)src, dest, len,
+			       &context->u.bf.key, context->u.bf.iv,
+			       BF_ENCRYPT);
+		break;
+
+	case SSH_CIPHER_3DES_CBC:
+		des_ede3_cbc_encrypt(src, dest, len,
+		    context->u.des3.key1, context->u.des3.key2,
+		    context->u.des3.key3, &context->u.des3.iv3, DES_ENCRYPT);
+		break;
+
+	case SSH_CIPHER_ARCFOUR:
+		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
+		break;
+
+	case SSH_CIPHER_CAST128_CBC:
+		CAST_cbc_encrypt(src, dest, len,
+		    &context->u.cast.key, context->u.cast.iv, CAST_ENCRYPT);
+		break;
+
+	default:
+		fatal("cipher_encrypt: unknown cipher: %s", cipher_name(context->type));
+	}
+}
+
+/* Decrypts data using the cipher. */
+
+void
+cipher_decrypt(CipherContext *context, unsigned char *dest,
+	       const unsigned char *src, unsigned int len)
+{
+	if ((len & 7) != 0)
+		fatal("cipher_decrypt: bad ciphertext length %d", len);
+
+	switch (context->type) {
+	case SSH_CIPHER_NONE:
+		memcpy(dest, src, len);
+		break;
+
+	case SSH_CIPHER_3DES:
+		SSH_3CBC_DECRYPT(context->u.des3.key1,
+				 context->u.des3.key2, &context->u.des3.iv2,
+				 context->u.des3.key3, &context->u.des3.iv3,
+				 dest, (unsigned char *) src, len);
+		break;
+
+	case SSH_CIPHER_BLOWFISH:
+		swap_bytes(src, dest, len);
+		BF_cbc_encrypt((void *) dest, dest, len,
+			       &context->u.bf.key, context->u.bf.iv,
+			       BF_DECRYPT);
+		swap_bytes(dest, dest, len);
+		break;
+
+	case SSH_CIPHER_BLOWFISH_CBC:
+		BF_cbc_encrypt((void *) src, dest, len,
+			       &context->u.bf.key, context->u.bf.iv,
+			       BF_DECRYPT);
+		break;
+
+	case SSH_CIPHER_3DES_CBC:
+		des_ede3_cbc_encrypt(src, dest, len,
+		    context->u.des3.key1, context->u.des3.key2,
+		    context->u.des3.key3, &context->u.des3.iv3, DES_DECRYPT);
+		break;
+
+	case SSH_CIPHER_ARCFOUR:
+		RC4(&context->u.rc4, len, (unsigned char *)src, dest);
+		break;
+
+	case SSH_CIPHER_CAST128_CBC:
+		CAST_cbc_encrypt(src, dest, len,
+		    &context->u.cast.key, context->u.cast.iv, CAST_DECRYPT);
+		break;
+
+	default:
+		fatal("cipher_decrypt: unknown cipher: %s", cipher_name(context->type));
+	}
+}
diff --git a/crypto/openssh/cipher.h b/crypto/openssh/cipher.h
new file mode 100644
index 0000000..c973564
--- /dev/null
+++ b/crypto/openssh/cipher.h
@@ -0,0 +1,116 @@
+/*
+ *
+ * cipher.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Apr 19 16:50:42 1995 ylo
+ *
+ * $FreeBSD$
+ */
+
+/* RCSID("$Id: cipher.h,v 1.17 2000/05/08 17:12:15 markus Exp $"); */
+
+#ifndef CIPHER_H
+#define CIPHER_H
+
+#include <openssl/des.h>
+#include <openssl/blowfish.h>
+#include <openssl/rc4.h>
+#include <openssl/cast.h>
+
+/* Cipher types.  New types can be added, but old types should not be removed
+   for compatibility.  The maximum allowed value is 31. */
+#define SSH_CIPHER_ILLEGAL	-2	/* No valid cipher selected. */
+#define SSH_CIPHER_NOT_SET	-1	/* None selected (invalid number). */
+#define SSH_CIPHER_NONE		0	/* no encryption */
+#define SSH_CIPHER_IDEA		1	/* IDEA CFB */
+#define SSH_CIPHER_DES		2	/* DES CBC */
+#define SSH_CIPHER_3DES		3	/* 3DES CBC */
+#define SSH_CIPHER_BROKEN_TSS	4	/* TRI's Simple Stream encryption CBC */
+#define SSH_CIPHER_BROKEN_RC4	5	/* Alleged RC4 */
+#define SSH_CIPHER_BLOWFISH	6
+#define SSH_CIPHER_RESERVED	7
+
+/* these ciphers are used in SSH2: */
+#define SSH_CIPHER_BLOWFISH_CBC	8
+#define SSH_CIPHER_3DES_CBC	9
+#define SSH_CIPHER_ARCFOUR	10	/* Alleged RC4 */
+#define SSH_CIPHER_CAST128_CBC	11
+
+typedef struct {
+	unsigned int type;
+	union {
+		struct {
+			des_key_schedule key1;
+			des_key_schedule key2;
+			des_cblock iv2;
+			des_key_schedule key3;
+			des_cblock iv3;
+		}       des3;
+		struct {
+			struct bf_key_st key;
+			unsigned char iv[8];
+		}       bf;
+		struct {
+			CAST_KEY key;
+			unsigned char iv[8];
+		} cast;
+		RC4_KEY rc4;
+	}       u;
+}       CipherContext;
+/*
+ * Returns a bit mask indicating which ciphers are supported by this
+ * implementation.  The bit mask has the corresponding bit set of each
+ * supported cipher.
+ */
+unsigned int cipher_mask();
+unsigned int cipher_mask1();
+unsigned int cipher_mask2();
+
+/* Returns the name of the cipher. */
+const char *cipher_name(int cipher);
+
+/*
+ * Parses the name of the cipher.  Returns the number of the corresponding
+ * cipher, or -1 on error.
+ */
+int     cipher_number(const char *name);
+
+/* returns 1 if all ciphers are supported (ssh2 only) */
+int     ciphers_valid(const char *names);
+
+/*
+ * Selects the cipher to use and sets the key.  If for_encryption is true,
+ * the key is setup for encryption; otherwise it is setup for decryption.
+ */
+void
+cipher_set_key(CipherContext * context, int cipher,
+    const unsigned char *key, int keylen);
+void
+cipher_set_key_iv(CipherContext * context, int cipher,
+    const unsigned char *key, int keylen,
+    const unsigned char *iv, int ivlen);
+
+/*
+ * Sets key for the cipher by computing the MD5 checksum of the passphrase,
+ * and using the resulting 16 bytes as the key.
+ */
+void
+cipher_set_key_string(CipherContext * context, int cipher,
+    const char *passphrase);
+
+/* Encrypts data using the cipher. */
+void
+cipher_encrypt(CipherContext * context, unsigned char *dest,
+    const unsigned char *src, unsigned int len);
+
+/* Decrypts data using the cipher. */
+void
+cipher_decrypt(CipherContext * context, unsigned char *dest,
+    const unsigned char *src, unsigned int len);
+
+#endif				/* CIPHER_H */
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
new file mode 100644
index 0000000..b4c7b28
--- /dev/null
+++ b/crypto/openssh/clientloop.c
@@ -0,0 +1,1117 @@
+/*
+ *
+ * clientloop.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ *
+ * Created: Sat Sep 23 12:23:57 1995 ylo
+ *
+ * The main loop for the interactive session (client side).
+ *
+ * SSH2 support added by Markus Friedl.
+ */
+
+#include "includes.h"
+RCSID("$Id: clientloop.c,v 1.26 2000/05/08 17:42:24 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+#include "packet.h"
+#include "buffer.h"
+#include "authfd.h"
+#include "readconf.h"
+
+#include "ssh2.h"
+#include "compat.h"
+#include "channels.h"
+#include "dispatch.h"
+
+
+/* Flag indicating that stdin should be redirected from /dev/null. */
+extern int stdin_null_flag;
+
+/*
+ * Name of the host we are connecting to.  This is the name given on the
+ * command line, or the HostName specified for the user-supplied name in a
+ * configuration file.
+ */
+extern char *host;
+
+/*
+ * Flag to indicate that we have received a window change signal which has
+ * not yet been processed.  This will cause a message indicating the new
+ * window size to be sent to the server a little later.  This is volatile
+ * because this is updated in a signal handler.
+ */
+static volatile int received_window_change_signal = 0;
+
+/* Terminal modes, as saved by enter_raw_mode. */
+static struct termios saved_tio;
+
+/*
+ * Flag indicating whether we are in raw mode.  This is used by
+ * enter_raw_mode and leave_raw_mode.
+ */
+static int in_raw_mode = 0;
+
+/* Flag indicating whether the user\'s terminal is in non-blocking mode. */
+static int in_non_blocking_mode = 0;
+
+/* Common data for the client loop code. */
+static int escape_pending;	/* Last character was the escape character */
+static int last_was_cr;		/* Last character was a newline. */
+static int exit_status;		/* Used to store the exit status of the command. */
+static int stdin_eof;		/* EOF has been encountered on standard error. */
+static Buffer stdin_buffer;	/* Buffer for stdin data. */
+static Buffer stdout_buffer;	/* Buffer for stdout data. */
+static Buffer stderr_buffer;	/* Buffer for stderr data. */
+static unsigned int buffer_high;/* Soft max buffer size. */
+static int max_fd;		/* Maximum file descriptor number in select(). */
+static int connection_in;	/* Connection to server (input). */
+static int connection_out;	/* Connection to server (output). */
+static unsigned long stdin_bytes, stdout_bytes, stderr_bytes;
+static int quit_pending;	/* Set to non-zero to quit the client loop. */
+static int escape_char;		/* Escape character. */
+
+
+void	client_init_dispatch(void);
+int	session_ident = -1;
+
+/* Returns the user\'s terminal to normal mode if it had been put in raw mode. */
+
+void
+leave_raw_mode()
+{
+	if (!in_raw_mode)
+		return;
+	in_raw_mode = 0;
+	if (tcsetattr(fileno(stdin), TCSADRAIN, &saved_tio) < 0)
+		perror("tcsetattr");
+
+	fatal_remove_cleanup((void (*) (void *)) leave_raw_mode, NULL);
+}
+
+/* Puts the user\'s terminal in raw mode. */
+
+void
+enter_raw_mode()
+{
+	struct termios tio;
+
+	if (tcgetattr(fileno(stdin), &tio) < 0)
+		perror("tcgetattr");
+	saved_tio = tio;
+	tio.c_iflag |= IGNPAR;
+	tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF);
+	tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL);
+#ifdef IEXTEN
+	tio.c_lflag &= ~IEXTEN;
+#endif				/* IEXTEN */
+	tio.c_oflag &= ~OPOST;
+	tio.c_cc[VMIN] = 1;
+	tio.c_cc[VTIME] = 0;
+	if (tcsetattr(fileno(stdin), TCSADRAIN, &tio) < 0)
+		perror("tcsetattr");
+	in_raw_mode = 1;
+
+	fatal_add_cleanup((void (*) (void *)) leave_raw_mode, NULL);
+}
+
+/* Restores stdin to blocking mode. */
+
+void
+leave_non_blocking()
+{
+	if (in_non_blocking_mode) {
+		(void) fcntl(fileno(stdin), F_SETFL, 0);
+		in_non_blocking_mode = 0;
+		fatal_remove_cleanup((void (*) (void *)) leave_non_blocking, NULL);
+	}
+}
+
+/* Puts stdin terminal in non-blocking mode. */
+
+void
+enter_non_blocking()
+{
+	in_non_blocking_mode = 1;
+	(void) fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+	fatal_add_cleanup((void (*) (void *)) leave_non_blocking, NULL);
+}
+
+/*
+ * Signal handler for the window change signal (SIGWINCH).  This just sets a
+ * flag indicating that the window has changed.
+ */
+
+void
+window_change_handler(int sig)
+{
+	received_window_change_signal = 1;
+	signal(SIGWINCH, window_change_handler);
+}
+
+/*
+ * Signal handler for signals that cause the program to terminate.  These
+ * signals must be trapped to restore terminal modes.
+ */
+
+void
+signal_handler(int sig)
+{
+	if (in_raw_mode)
+		leave_raw_mode();
+	if (in_non_blocking_mode)
+		leave_non_blocking();
+	channel_stop_listening();
+	packet_close();
+	fatal("Killed by signal %d.", sig);
+}
+
+/*
+ * Returns current time in seconds from Jan 1, 1970 with the maximum
+ * available resolution.
+ */
+
+double
+get_current_time()
+{
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+	return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
+}
+
+/*
+ * This is called when the interactive is entered.  This checks if there is
+ * an EOF coming on stdin.  We must check this explicitly, as select() does
+ * not appear to wake up when redirecting from /dev/null.
+ */
+
+void
+client_check_initial_eof_on_stdin()
+{
+	int len;
+	char buf[1];
+
+	/*
+	 * If standard input is to be "redirected from /dev/null", we simply
+	 * mark that we have seen an EOF and send an EOF message to the
+	 * server. Otherwise, we try to read a single character; it appears
+	 * that for some files, such /dev/null, select() never wakes up for
+	 * read for this descriptor, which means that we never get EOF.  This
+	 * way we will get the EOF if stdin comes from /dev/null or similar.
+	 */
+	if (stdin_null_flag) {
+		/* Fake EOF on stdin. */
+		debug("Sending eof.");
+		stdin_eof = 1;
+		packet_start(SSH_CMSG_EOF);
+		packet_send();
+	} else {
+		enter_non_blocking();
+
+		/* Check for immediate EOF on stdin. */
+		len = read(fileno(stdin), buf, 1);
+		if (len == 0) {
+			/* EOF.  Record that we have seen it and send EOF to server. */
+			debug("Sending eof.");
+			stdin_eof = 1;
+			packet_start(SSH_CMSG_EOF);
+			packet_send();
+		} else if (len > 0) {
+			/*
+			 * Got data.  We must store the data in the buffer,
+			 * and also process it as an escape character if
+			 * appropriate.
+			 */
+			if ((unsigned char) buf[0] == escape_char)
+				escape_pending = 1;
+			else {
+				buffer_append(&stdin_buffer, buf, 1);
+				stdin_bytes += 1;
+			}
+		}
+		leave_non_blocking();
+	}
+}
+
+
+/*
+ * Make packets from buffered stdin data, and buffer them for sending to the
+ * connection.
+ */
+
+void
+client_make_packets_from_stdin_data()
+{
+	unsigned int len;
+
+	/* Send buffered stdin data to the server. */
+	while (buffer_len(&stdin_buffer) > 0 &&
+	       packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stdin_buffer);
+		/* Keep the packets at reasonable size. */
+		if (len > packet_get_maxsize())
+			len = packet_get_maxsize();
+		packet_start(SSH_CMSG_STDIN_DATA);
+		packet_put_string(buffer_ptr(&stdin_buffer), len);
+		packet_send();
+		buffer_consume(&stdin_buffer, len);
+		/* If we have a pending EOF, send it now. */
+		if (stdin_eof && buffer_len(&stdin_buffer) == 0) {
+			packet_start(SSH_CMSG_EOF);
+			packet_send();
+		}
+	}
+}
+
+/*
+ * Checks if the client window has changed, and sends a packet about it to
+ * the server if so.  The actual change is detected elsewhere (by a software
+ * interrupt on Unix); this just checks the flag and sends a message if
+ * appropriate.
+ */
+
+void
+client_check_window_change()
+{
+	struct winsize ws;
+
+	if (! received_window_change_signal)
+		return;
+	/** XXX race */
+	received_window_change_signal = 0;
+
+	if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+		return;
+
+	debug("client_check_window_change: changed");
+
+	if (compat20) {
+		channel_request_start(session_ident, "window-change", 0);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		packet_send();
+	} else {
+		packet_start(SSH_CMSG_WINDOW_SIZE);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		packet_send();
+	}
+}
+
+/*
+ * Waits until the client can do something (some data becomes available on
+ * one of the file descriptors).
+ */
+
+void
+client_wait_until_can_do_something(fd_set * readset, fd_set * writeset)
+{
+	/*debug("client_wait_until_can_do_something"); */
+
+	/* Initialize select masks. */
+	FD_ZERO(readset);
+	FD_ZERO(writeset);
+
+	if (!compat20) {
+		/* Read from the connection, unless our buffers are full. */
+		if (buffer_len(&stdout_buffer) < buffer_high &&
+		    buffer_len(&stderr_buffer) < buffer_high &&
+		    channel_not_very_much_buffered_data())
+			FD_SET(connection_in, readset);
+		/*
+		 * Read from stdin, unless we have seen EOF or have very much
+		 * buffered data to send to the server.
+		 */
+		if (!stdin_eof && packet_not_very_much_data_to_write())
+			FD_SET(fileno(stdin), readset);
+
+		/* Select stdout/stderr if have data in buffer. */
+		if (buffer_len(&stdout_buffer) > 0)
+			FD_SET(fileno(stdout), writeset);
+		if (buffer_len(&stderr_buffer) > 0)
+			FD_SET(fileno(stderr), writeset);
+	} else {
+		FD_SET(connection_in, readset);
+	}
+
+	/* Add any selections by the channel mechanism. */
+	channel_prepare_select(readset, writeset);
+
+	/* Select server connection if have data to write to the server. */
+	if (packet_have_data_to_write())
+		FD_SET(connection_out, writeset);
+
+/* move UP XXX */
+	/* Update maximum file descriptor number, if appropriate. */
+	if (channel_max_fd() > max_fd)
+		max_fd = channel_max_fd();
+
+	/*
+	 * Wait for something to happen.  This will suspend the process until
+	 * some selected descriptor can be read, written, or has some other
+	 * event pending. Note: if you want to implement SSH_MSG_IGNORE
+	 * messages to fool traffic analysis, this might be the place to do
+	 * it: just have a random timeout for the select, and send a random
+	 * SSH_MSG_IGNORE packet when the timeout expires.
+	 */
+
+	if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) {
+		char buf[100];
+		/* Some systems fail to clear these automatically. */
+		FD_ZERO(readset);
+		FD_ZERO(writeset);
+		if (errno == EINTR)
+			return;
+		/* Note: we might still have data in the buffers. */
+		snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
+		buffer_append(&stderr_buffer, buf, strlen(buf));
+		stderr_bytes += strlen(buf);
+		quit_pending = 1;
+	}
+}
+
+void
+client_suspend_self()
+{
+	struct winsize oldws, newws;
+
+	/* Flush stdout and stderr buffers. */
+	if (buffer_len(&stdout_buffer) > 0)
+		atomicio(write, fileno(stdout), buffer_ptr(&stdout_buffer),
+		    buffer_len(&stdout_buffer));
+	if (buffer_len(&stderr_buffer) > 0)
+		atomicio(write, fileno(stderr), buffer_ptr(&stderr_buffer),
+		    buffer_len(&stderr_buffer));
+
+	leave_raw_mode();
+
+	/*
+	 * Free (and clear) the buffer to reduce the amount of data that gets
+	 * written to swap.
+	 */
+	buffer_free(&stdin_buffer);
+	buffer_free(&stdout_buffer);
+	buffer_free(&stderr_buffer);
+
+	/* Save old window size. */
+	ioctl(fileno(stdin), TIOCGWINSZ, &oldws);
+
+	/* Send the suspend signal to the program itself. */
+	kill(getpid(), SIGTSTP);
+
+	/* Check if the window size has changed. */
+	if (ioctl(fileno(stdin), TIOCGWINSZ, &newws) >= 0 &&
+	    (oldws.ws_row != newws.ws_row ||
+	     oldws.ws_col != newws.ws_col ||
+	     oldws.ws_xpixel != newws.ws_xpixel ||
+	     oldws.ws_ypixel != newws.ws_ypixel))
+		received_window_change_signal = 1;
+
+	/* OK, we have been continued by the user. Reinitialize buffers. */
+	buffer_init(&stdin_buffer);
+	buffer_init(&stdout_buffer);
+	buffer_init(&stderr_buffer);
+
+	enter_raw_mode();
+}
+
+void
+client_process_net_input(fd_set * readset)
+{
+	int len;
+	char buf[8192];
+
+	/*
+	 * Read input from the server, and add any such data to the buffer of
+	 * the packet subsystem.
+	 */
+	if (FD_ISSET(connection_in, readset)) {
+		/* Read as much as possible. */
+		len = read(connection_in, buf, sizeof(buf));
+/*debug("read connection_in len %d", len); XXX */
+		if (len == 0) {
+			/* Received EOF.  The remote host has closed the connection. */
+			snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n",
+				 host);
+			buffer_append(&stderr_buffer, buf, strlen(buf));
+			stderr_bytes += strlen(buf);
+			quit_pending = 1;
+			return;
+		}
+		/*
+		 * There is a kernel bug on Solaris that causes select to
+		 * sometimes wake up even though there is no data available.
+		 */
+		if (len < 0 && errno == EAGAIN)
+			len = 0;
+
+		if (len < 0) {
+			/* An error has encountered.  Perhaps there is a network problem. */
+			snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n",
+				 host, strerror(errno));
+			buffer_append(&stderr_buffer, buf, strlen(buf));
+			stderr_bytes += strlen(buf);
+			quit_pending = 1;
+			return;
+		}
+		packet_process_incoming(buf, len);
+	}
+}
+
+void
+client_process_input(fd_set * readset)
+{
+	int len;
+	pid_t pid;
+	char buf[8192], *s;
+
+	/* Read input from stdin. */
+	if (FD_ISSET(fileno(stdin), readset)) {
+		/* Read as much as possible. */
+		len = read(fileno(stdin), buf, sizeof(buf));
+		if (len <= 0) {
+			/*
+			 * Received EOF or error.  They are treated
+			 * similarly, except that an error message is printed
+			 * if it was an error condition.
+			 */
+			if (len < 0) {
+				snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
+				buffer_append(&stderr_buffer, buf, strlen(buf));
+				stderr_bytes += strlen(buf);
+			}
+			/* Mark that we have seen EOF. */
+			stdin_eof = 1;
+			/*
+			 * Send an EOF message to the server unless there is
+			 * data in the buffer.  If there is data in the
+			 * buffer, no message will be sent now.  Code
+			 * elsewhere will send the EOF when the buffer
+			 * becomes empty if stdin_eof is set.
+			 */
+			if (buffer_len(&stdin_buffer) == 0) {
+				packet_start(SSH_CMSG_EOF);
+				packet_send();
+			}
+		} else if (escape_char == -1) {
+			/*
+			 * Normal successful read, and no escape character.
+			 * Just append the data to buffer.
+			 */
+			buffer_append(&stdin_buffer, buf, len);
+			stdin_bytes += len;
+		} else {
+			/*
+			 * Normal, successful read.  But we have an escape character
+			 * and have to process the characters one by one.
+			 */
+			unsigned int i;
+			for (i = 0; i < len; i++) {
+				unsigned char ch;
+				/* Get one character at a time. */
+				ch = buf[i];
+
+				if (escape_pending) {
+					/* We have previously seen an escape character. */
+					/* Clear the flag now. */
+					escape_pending = 0;
+					/* Process the escaped character. */
+					switch (ch) {
+					case '.':
+						/* Terminate the connection. */
+						snprintf(buf, sizeof buf, "%c.\r\n", escape_char);
+						buffer_append(&stderr_buffer, buf, strlen(buf));
+						stderr_bytes += strlen(buf);
+						quit_pending = 1;
+						return;
+
+					case 'Z' - 64:
+						/* Suspend the program. */
+						/* Print a message to that effect to the user. */
+						snprintf(buf, sizeof buf, "%c^Z\r\n", escape_char);
+						buffer_append(&stderr_buffer, buf, strlen(buf));
+						stderr_bytes += strlen(buf);
+
+						/* Restore terminal modes and suspend. */
+						client_suspend_self();
+
+						/* We have been continued. */
+						continue;
+
+					case '&':
+						/*
+						 * Detach the program (continue to serve connections,
+						 * but put in background and no more new connections).
+						 */
+						if (!stdin_eof) {
+							/*
+							 * Sending SSH_CMSG_EOF alone does not always appear
+							 * to be enough.  So we try to send an EOF character
+							 * first.
+							 */
+							packet_start(SSH_CMSG_STDIN_DATA);
+							packet_put_string("\004", 1);
+							packet_send();
+							/* Close stdin. */
+							stdin_eof = 1;
+							if (buffer_len(&stdin_buffer) == 0) {
+								packet_start(SSH_CMSG_EOF);
+								packet_send();
+							}
+						}
+						/* Restore tty modes. */
+						leave_raw_mode();
+
+						/* Stop listening for new connections. */
+						channel_stop_listening();
+
+						printf("%c& [backgrounded]\n", escape_char);
+
+						/* Fork into background. */
+						pid = fork();
+						if (pid < 0) {
+							error("fork: %.100s", strerror(errno));
+							continue;
+						}
+						if (pid != 0) {	/* This is the parent. */
+							/* The parent just exits. */
+							exit(0);
+						}
+						/* The child continues serving connections. */
+						continue;
+
+					case '?':
+						snprintf(buf, sizeof buf,
+"%c?\r\n\
+Supported escape sequences:\r\n\
+~.  - terminate connection\r\n\
+~^Z - suspend ssh\r\n\
+~#  - list forwarded connections\r\n\
+~&  - background ssh (when waiting for connections to terminate)\r\n\
+~?  - this message\r\n\
+~~  - send the escape character by typing it twice\r\n\
+(Note that escapes are only recognized immediately after newline.)\r\n",
+							 escape_char);
+						buffer_append(&stderr_buffer, buf, strlen(buf));
+						continue;
+
+					case '#':
+						snprintf(buf, sizeof buf, "%c#\r\n", escape_char);
+						buffer_append(&stderr_buffer, buf, strlen(buf));
+						s = channel_open_message();
+						buffer_append(&stderr_buffer, s, strlen(s));
+						xfree(s);
+						continue;
+
+					default:
+						if (ch != escape_char) {
+							/*
+							 * Escape character followed by non-special character.
+							 * Append both to the input buffer.
+							 */
+							buf[0] = escape_char;
+							buf[1] = ch;
+							buffer_append(&stdin_buffer, buf, 2);
+							stdin_bytes += 2;
+							continue;
+						}
+						/*
+						 * Note that escape character typed twice
+						 * falls through here; the latter gets processed
+						 * as a normal character below.
+						 */
+						break;
+					}
+				} else {
+					/*
+					 * The previous character was not an escape char. Check if this
+					 * is an escape.
+					 */
+					if (last_was_cr && ch == escape_char) {
+						/* It is. Set the flag and continue to next character. */
+						escape_pending = 1;
+						continue;
+					}
+				}
+
+				/*
+				 * Normal character.  Record whether it was a newline,
+				 * and append it to the buffer.
+				 */
+				last_was_cr = (ch == '\r' || ch == '\n');
+				buf[0] = ch;
+				buffer_append(&stdin_buffer, buf, 1);
+				stdin_bytes += 1;
+				continue;
+			}
+		}
+	}
+}
+
+void
+client_process_output(fd_set * writeset)
+{
+	int len;
+	char buf[100];
+
+	/* Write buffered output to stdout. */
+	if (FD_ISSET(fileno(stdout), writeset)) {
+		/* Write as much data as possible. */
+		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
+		    buffer_len(&stdout_buffer));
+		if (len <= 0) {
+			if (errno == EAGAIN)
+				len = 0;
+			else {
+				/*
+				 * An error or EOF was encountered.  Put an
+				 * error message to stderr buffer.
+				 */
+				snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno));
+				buffer_append(&stderr_buffer, buf, strlen(buf));
+				stderr_bytes += strlen(buf);
+				quit_pending = 1;
+				return;
+			}
+		}
+		/* Consume printed data from the buffer. */
+		buffer_consume(&stdout_buffer, len);
+	}
+	/* Write buffered output to stderr. */
+	if (FD_ISSET(fileno(stderr), writeset)) {
+		/* Write as much data as possible. */
+		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
+		    buffer_len(&stderr_buffer));
+		if (len <= 0) {
+			if (errno == EAGAIN)
+				len = 0;
+			else {
+				/* EOF or error, but can't even print error message. */
+				quit_pending = 1;
+				return;
+			}
+		}
+		/* Consume printed characters from the buffer. */
+		buffer_consume(&stderr_buffer, len);
+	}
+}
+
+/*
+ * Get packets from the connection input buffer, and process them as long as
+ * there are packets available.
+ *
+ * Any unknown packets received during the actual
+ * session cause the session to terminate.  This is
+ * intended to make debugging easier since no
+ * confirmations are sent.  Any compatible protocol
+ * extensions must be negotiated during the
+ * preparatory phase.
+ */
+
+void
+client_process_buffered_input_packets()
+{
+	dispatch_run(DISPATCH_NONBLOCK, &quit_pending);
+}
+
+/*
+ * Implements the interactive session with the server.  This is called after
+ * the user has been authenticated, and a command has been started on the
+ * remote host.  If escape_char != -1, it is the character used as an escape
+ * character for terminating or suspending the session.
+ */
+
+int
+client_loop(int have_pty, int escape_char_arg)
+{
+	extern Options options;
+	double start_time, total_time;
+	int len;
+	char buf[100];
+
+	debug("Entering interactive session.");
+
+	start_time = get_current_time();
+
+	/* Initialize variables. */
+	escape_pending = 0;
+	last_was_cr = 1;
+	exit_status = -1;
+	stdin_eof = 0;
+	buffer_high = 64 * 1024;
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+	max_fd = connection_in;
+	if (connection_out > max_fd)
+		max_fd = connection_out;
+	stdin_bytes = 0;
+	stdout_bytes = 0;
+	stderr_bytes = 0;
+	quit_pending = 0;
+	escape_char = escape_char_arg;
+
+	/* Initialize buffers. */
+	buffer_init(&stdin_buffer);
+	buffer_init(&stdout_buffer);
+	buffer_init(&stderr_buffer);
+
+	client_init_dispatch();
+
+	/* Set signal handlers to restore non-blocking mode.  */
+	signal(SIGINT, signal_handler);
+	signal(SIGQUIT, signal_handler);
+	signal(SIGTERM, signal_handler);
+	signal(SIGPIPE, SIG_IGN);
+	if (have_pty)
+		signal(SIGWINCH, window_change_handler);
+
+	if (have_pty)
+		enter_raw_mode();
+
+	/* Check if we should immediately send of on stdin. */
+	if (!compat20)
+		client_check_initial_eof_on_stdin();
+
+	/* Main loop of the client for the interactive session mode. */
+	while (!quit_pending) {
+		fd_set readset, writeset;
+
+		/* Process buffered packets sent by the server. */
+		client_process_buffered_input_packets();
+
+		if (compat20 && !channel_still_open()) {
+			debug("!channel_still_open.");
+			break;
+		}
+
+		/*
+		 * Make packets of buffered stdin data, and buffer them for
+		 * sending to the server.
+		 */
+		if (!compat20)
+			client_make_packets_from_stdin_data();
+
+		/*
+		 * Make packets from buffered channel data, and buffer them
+		 * for sending to the server.
+		 */
+		if (packet_not_very_much_data_to_write())
+			channel_output_poll();
+
+		/*
+		 * Check if the window size has changed, and buffer a message
+		 * about it to the server if so.
+		 */
+		client_check_window_change();
+
+		if (quit_pending)
+			break;
+
+		/*
+		 * Wait until we have something to do (something becomes
+		 * available on one of the descriptors).
+		 */
+		client_wait_until_can_do_something(&readset, &writeset);
+
+		if (quit_pending)
+			break;
+
+		/* Do channel operations. */
+		channel_after_select(&readset, &writeset);
+
+		/* Buffer input from the connection.  */
+		client_process_net_input(&readset);
+
+		if (quit_pending)
+			break;
+
+		if (!compat20) {
+			/* Buffer data from stdin */
+			client_process_input(&readset);
+			/*
+			 * Process output to stdout and stderr.  Output to
+			 * the connection is processed elsewhere (above).
+			 */
+			client_process_output(&writeset);
+		}
+
+		/* Send as much buffered packet data as possible to the sender. */
+		if (FD_ISSET(connection_out, &writeset))
+			packet_write_poll();
+	}
+
+	/* Terminate the session. */
+
+	/* Stop watching for window change. */
+	if (have_pty)
+		signal(SIGWINCH, SIG_DFL);
+
+	/* Stop listening for connections. */
+	channel_stop_listening();
+
+	/*
+	 * In interactive mode (with pseudo tty) display a message indicating
+	 * that the connection has been closed.
+	 */
+	if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) {
+		snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host);
+		buffer_append(&stderr_buffer, buf, strlen(buf));
+		stderr_bytes += strlen(buf);
+	}
+	/* Output any buffered data for stdout. */
+	while (buffer_len(&stdout_buffer) > 0) {
+		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
+		    buffer_len(&stdout_buffer));
+		if (len <= 0) {
+			error("Write failed flushing stdout buffer.");
+			break;
+		}
+		buffer_consume(&stdout_buffer, len);
+	}
+
+	/* Output any buffered data for stderr. */
+	while (buffer_len(&stderr_buffer) > 0) {
+		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
+		    buffer_len(&stderr_buffer));
+		if (len <= 0) {
+			error("Write failed flushing stderr buffer.");
+			break;
+		}
+		buffer_consume(&stderr_buffer, len);
+	}
+
+	if (have_pty)
+		leave_raw_mode();
+
+	/* Clear and free any buffers. */
+	memset(buf, 0, sizeof(buf));
+	buffer_free(&stdin_buffer);
+	buffer_free(&stdout_buffer);
+	buffer_free(&stderr_buffer);
+
+	/* Report bytes transferred, and transfer rates. */
+	total_time = get_current_time() - start_time;
+	debug("Transferred: stdin %lu, stdout %lu, stderr %lu bytes in %.1f seconds",
+	      stdin_bytes, stdout_bytes, stderr_bytes, total_time);
+	if (total_time > 0)
+		debug("Bytes per second: stdin %.1f, stdout %.1f, stderr %.1f",
+		      stdin_bytes / total_time, stdout_bytes / total_time,
+		      stderr_bytes / total_time);
+
+	/* Return the exit status of the program. */
+	debug("Exit status %d", exit_status);
+	return exit_status;
+}
+
+/*********/
+
+void
+client_input_stdout_data(int type, int plen)
+{
+	unsigned int data_len;
+	char *data = packet_get_string(&data_len);
+	packet_integrity_check(plen, 4 + data_len, type);
+	buffer_append(&stdout_buffer, data, data_len);
+	stdout_bytes += data_len;
+	memset(data, 0, data_len);
+	xfree(data);
+}
+void
+client_input_stderr_data(int type, int plen)
+{
+	unsigned int data_len;
+	char *data = packet_get_string(&data_len);
+	packet_integrity_check(plen, 4 + data_len, type);
+	buffer_append(&stderr_buffer, data, data_len);
+	stdout_bytes += data_len;
+	memset(data, 0, data_len);
+	xfree(data);
+}
+void
+client_input_exit_status(int type, int plen)
+{
+	packet_integrity_check(plen, 4, type);
+	exit_status = packet_get_int();
+	/* Acknowledge the exit. */
+	packet_start(SSH_CMSG_EXIT_CONFIRMATION);
+	packet_send();
+	/*
+	 * Must wait for packet to be sent since we are
+	 * exiting the loop.
+	 */
+	packet_write_wait();
+	/* Flag that we want to exit. */
+	quit_pending = 1;
+}
+
+/* XXXX move to generic input handler */
+void
+client_input_channel_open(int type, int plen)
+{
+	Channel *c = NULL;
+	char *ctype;
+	int id;
+	unsigned int len;
+	int rchan;
+	int rmaxpack;
+	int rwindow;
+
+	ctype = packet_get_string(&len);
+	rchan = packet_get_int();
+	rwindow = packet_get_int();
+	rmaxpack = packet_get_int();
+
+	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
+	    ctype, rchan, rwindow, rmaxpack);
+
+	if (strcmp(ctype, "x11") == 0) {
+		int sock;
+		char *originator;
+		int originator_port;
+		originator = packet_get_string(NULL);
+		if (datafellows & SSH_BUG_X11FWD) {
+			debug("buggy server: x11 request w/o originator_port");
+			originator_port = 0;
+		} else {
+			originator_port = packet_get_int();
+		}
+		packet_done();
+		/* XXX check permission */
+		xfree(originator);
+		/* XXX move to channels.c */
+		sock = x11_connect_display();
+		if (sock >= 0) {
+			id = channel_new("x11", SSH_CHANNEL_X11_OPEN,
+			    sock, sock, -1, 4*1024, 32*1024, 0,
+			    xstrdup("x11"));
+			c = channel_lookup(id);
+		}
+	}
+/* XXX duplicate : */
+	if (c != NULL) {
+		debug("confirm %s", ctype);
+		c->remote_id = rchan;
+		c->remote_window = rwindow;
+		c->remote_maxpacket = rmaxpack;
+
+		packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->self);
+		packet_put_int(c->local_window);
+		packet_put_int(c->local_maxpacket);
+		packet_send();
+	} else {
+		debug("failure %s", ctype);
+		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(rchan);
+		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+		packet_put_cstring("bla bla");
+		packet_put_cstring("");
+		packet_send();
+	}
+	xfree(ctype);
+}
+
+void
+client_init_dispatch_20()
+{
+	dispatch_init(&dispatch_protocol_error);
+	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
+	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
+	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
+	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+}
+void
+client_init_dispatch_13()
+{
+	dispatch_init(NULL);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
+	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
+	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
+	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
+	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
+	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+}
+void
+client_init_dispatch_15()
+{
+	client_init_dispatch_13();
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose);
+}
+void
+client_init_dispatch()
+{
+	if (compat20)
+		client_init_dispatch_20();
+	else if (compat13)
+		client_init_dispatch_13();
+	else
+		client_init_dispatch_15();
+}
+
+void
+client_input_channel_req(int id, void *arg)
+{
+	Channel *c = NULL;
+	unsigned int len;
+	int success = 0;
+	int reply;
+	char *rtype;
+
+	rtype = packet_get_string(&len);
+	reply = packet_get_char();
+
+	debug("client_input_channel_req: rtype %s reply %d", rtype, reply);
+
+	c = channel_lookup(id);
+	if (c == NULL)
+		fatal("session_input_channel_req: channel %d: bad channel", id);
+
+	if (session_ident == -1) {
+		error("client_input_channel_req: no channel %d", id);
+	} else if (id != session_ident) {
+		error("client_input_channel_req: bad channel %d != %d",
+		    id, session_ident);
+	} else if (strcmp(rtype, "exit-status") == 0) {
+		success = 1;
+		exit_status = packet_get_int();
+		packet_done();
+	}
+	if (reply) {
+		packet_start(success ?
+		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+	xfree(rtype);
+}
+
+void
+client_set_session_ident(int id)
+{
+	debug("client_set_session_ident: id %d", id);
+	session_ident = id;
+	channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST,
+	    client_input_channel_req, (void *)0);
+}
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
new file mode 100644
index 0000000..1dd0c39
--- /dev/null
+++ b/crypto/openssh/compat.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: compat.c,v 1.14 2000/05/22 18:42:01 markus Exp $");
+
+#include "ssh.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "compat.h"
+
+int compat13 = 0;
+int compat20 = 0;
+int datafellows = 0;
+
+void
+enable_compat20(void)
+{
+	verbose("Enabling compatibility mode for protocol 2.0");
+	compat20 = 1;
+}
+void
+enable_compat13(void)
+{
+	verbose("Enabling compatibility mode for protocol 1.3");
+	compat13 = 1;
+}
+/* datafellows bug compatibility */
+void
+compat_datafellows(const char *version)
+{
+	int i;
+	size_t len;
+	struct {
+		char	*version;
+		int	bugs;
+	} check[] = {
+		{"2.1.0",	SSH_BUG_SIGBLOB|SSH_BUG_HMAC},
+		{"2.0.1",	SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD},
+		{NULL,		0}
+	};
+	for (i = 0; check[i].version; i++) {
+		len = strlen(check[i].version);
+		if (strlen(version) >= len &&
+		   (strncmp(version, check[i].version, len) == 0)) {
+			verbose("datafellows: %.200s", version);
+			datafellows = check[i].bugs;
+			return;
+		}
+	}
+}
+
+#define	SEP	","
+int
+proto_spec(const char *spec)
+{
+	char *s, *p;
+	int ret = SSH_PROTO_UNKNOWN;
+
+	if (spec == NULL)
+		return ret;
+	s = xstrdup(spec);
+	for ((p = strtok(s, SEP)); p; (p = strtok(NULL, SEP))) {
+		switch(atoi(p)) {
+		case 1:
+			if (ret == SSH_PROTO_UNKNOWN)
+				ret |= SSH_PROTO_1_PREFERRED;
+			ret |= SSH_PROTO_1;
+			break;
+		case 2:
+			ret |= SSH_PROTO_2;
+			break;
+		default:
+			log("ignoring bad proto spec: '%s'.", p);
+			break;
+		}
+	}
+	xfree(s);
+	return ret;
+}
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
new file mode 100644
index 0000000..9308a6d
--- /dev/null
+++ b/crypto/openssh/compat.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/* RCSID("$Id: compat.h,v 1.7 2000/05/08 17:42:24 markus Exp $"); */
+
+#ifndef COMPAT_H
+#define COMPAT_H
+
+#define	SSH_PROTO_UNKNOWN 	0x00
+#define	SSH_PROTO_1		0x01
+#define	SSH_PROTO_1_PREFERRED	0x02
+#define	SSH_PROTO_2		0x04
+
+#define SSH_BUG_SIGBLOB		0x01
+#define SSH_BUG_PUBKEYAUTH	0x02
+#define SSH_BUG_HMAC		0x04
+#define SSH_BUG_X11FWD		0x08
+
+void    enable_compat13(void);
+void    enable_compat20(void);
+void    compat_datafellows(const char *s);
+int	proto_spec(const char *spec);
+extern int compat13;
+extern int compat20;
+extern int datafellows;
+#endif
diff --git a/crypto/openssh/compress.c b/crypto/openssh/compress.c
new file mode 100644
index 0000000..86ccaa2
--- /dev/null
+++ b/crypto/openssh/compress.c
@@ -0,0 +1,143 @@
+/*
+ *
+ * compress.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Oct 25 22:12:46 1995 ylo
+ *
+ * Interface to packet compression for ssh.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: compress.c,v 1.7 2000/04/14 10:30:31 markus Exp $");
+
+#include "ssh.h"
+#include "buffer.h"
+#include "zlib.h"
+
+static z_stream incoming_stream;
+static z_stream outgoing_stream;
+
+/*
+ * Initializes compression; level is compression level from 1 to 9
+ * (as in gzip).
+ */
+
+void
+buffer_compress_init(int level)
+{
+	debug("Enabling compression at level %d.", level);
+	if (level < 1 || level > 9)
+		fatal("Bad compression level %d.", level);
+	inflateInit(&incoming_stream);
+	deflateInit(&outgoing_stream, level);
+}
+
+/* Frees any data structures allocated for compression. */
+
+void
+buffer_compress_uninit()
+{
+	debug("compress outgoing: raw data %lu, compressed %lu, factor %.2f",
+	      outgoing_stream.total_in, outgoing_stream.total_out,
+	      outgoing_stream.total_in == 0 ? 0.0 :
+	      (double) outgoing_stream.total_out / outgoing_stream.total_in);
+	debug("compress incoming: raw data %lu, compressed %lu, factor %.2f",
+	      incoming_stream.total_out, incoming_stream.total_in,
+	      incoming_stream.total_out == 0 ? 0.0 :
+	      (double) incoming_stream.total_in / incoming_stream.total_out);
+	inflateEnd(&incoming_stream);
+	deflateEnd(&outgoing_stream);
+}
+
+/*
+ * Compresses the contents of input_buffer into output_buffer.  All packets
+ * compressed using this function will form a single compressed data stream;
+ * however, data will be flushed at the end of every call so that each
+ * output_buffer can be decompressed independently (but in the appropriate
+ * order since they together form a single compression stream) by the
+ * receiver.  This appends the compressed data to the output buffer.
+ */
+
+void
+buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
+{
+	char buf[4096];
+	int status;
+
+	/* This case is not handled below. */
+	if (buffer_len(input_buffer) == 0)
+		return;
+
+	/* Input is the contents of the input buffer. */
+	outgoing_stream.next_in = (unsigned char *) buffer_ptr(input_buffer);
+	outgoing_stream.avail_in = buffer_len(input_buffer);
+
+	/* Loop compressing until deflate() returns with avail_out != 0. */
+	do {
+		/* Set up fixed-size output buffer. */
+		outgoing_stream.next_out = (unsigned char *)buf;
+		outgoing_stream.avail_out = sizeof(buf);
+
+		/* Compress as much data into the buffer as possible. */
+		status = deflate(&outgoing_stream, Z_PARTIAL_FLUSH);
+		switch (status) {
+		case Z_OK:
+			/* Append compressed data to output_buffer. */
+			buffer_append(output_buffer, buf,
+			    sizeof(buf) - outgoing_stream.avail_out);
+			break;
+		default:
+			fatal("buffer_compress: deflate returned %d", status);
+			/* NOTREACHED */
+		}
+	} while (outgoing_stream.avail_out == 0);
+}
+
+/*
+ * Uncompresses the contents of input_buffer into output_buffer.  All packets
+ * uncompressed using this function will form a single compressed data
+ * stream; however, data will be flushed at the end of every call so that
+ * each output_buffer.  This must be called for the same size units that the
+ * buffer_compress was called, and in the same order that buffers compressed
+ * with that.  This appends the uncompressed data to the output buffer.
+ */
+
+void
+buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
+{
+	char buf[4096];
+	int status;
+
+	incoming_stream.next_in = (unsigned char *) buffer_ptr(input_buffer);
+	incoming_stream.avail_in = buffer_len(input_buffer);
+
+	for (;;) {
+		/* Set up fixed-size output buffer. */
+		incoming_stream.next_out = (unsigned char *) buf;
+		incoming_stream.avail_out = sizeof(buf);
+
+		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
+		switch (status) {
+		case Z_OK:
+			buffer_append(output_buffer, buf,
+			    sizeof(buf) - incoming_stream.avail_out);
+			break;
+		case Z_BUF_ERROR:
+			/*
+			 * Comments in zlib.h say that we should keep calling
+			 * inflate() until we get an error.  This appears to
+			 * be the error that we get.
+			 */
+			return;
+		default:
+			fatal("buffer_uncompress: inflate returned %d", status);
+			/* NOTREACHED */
+		}
+	}
+}
diff --git a/crypto/openssh/compress.h b/crypto/openssh/compress.h
new file mode 100644
index 0000000..f975613
--- /dev/null
+++ b/crypto/openssh/compress.h
@@ -0,0 +1,50 @@
+/*
+ *
+ * compress.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Oct 25 22:12:46 1995 ylo
+ *
+ * Interface to packet compression for ssh.
+ *
+ */
+
+/* RCSID("$Id: compress.h,v 1.4 2000/04/14 10:30:31 markus Exp $"); */
+
+#ifndef COMPRESS_H
+#define COMPRESS_H
+
+/*
+ * Initializes compression; level is compression level from 1 to 9 (as in
+ * gzip).
+ */
+void    buffer_compress_init(int level);
+
+/* Frees any data structures allocated by buffer_compress_init. */
+void    buffer_compress_uninit();
+
+/*
+ * Compresses the contents of input_buffer into output_buffer.  All packets
+ * compressed using this function will form a single compressed data stream;
+ * however, data will be flushed at the end of every call so that each
+ * output_buffer can be decompressed independently (but in the appropriate
+ * order since they together form a single compression stream) by the
+ * receiver.  This appends the compressed data to the output buffer.
+ */
+void    buffer_compress(Buffer * input_buffer, Buffer * output_buffer);
+
+/*
+ * Uncompresses the contents of input_buffer into output_buffer.  All packets
+ * uncompressed using this function will form a single compressed data
+ * stream; however, data will be flushed at the end of every call so that
+ * each output_buffer.  This must be called for the same size units that the
+ * buffer_compress was called, and in the same order that buffers compressed
+ * with that.  This appends the uncompressed data to the output buffer.
+ */
+void    buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer);
+
+#endif				/* COMPRESS_H */
diff --git a/crypto/openssh/crc32.c b/crypto/openssh/crc32.c
new file mode 100644
index 0000000..42c99da
--- /dev/null
+++ b/crypto/openssh/crc32.c
@@ -0,0 +1,121 @@
+/*
+ * The implementation here was originally done by Gary S. Brown.
+ * I have borrowed the tables directly, and made some minor changes
+ * to the crc32-function (including changing the interface).
+ * //ylo
+ */
+
+#include "includes.h"
+RCSID("$Id: crc32.c,v 1.4 1999/11/24 00:26:01 deraadt Exp $");
+
+#include "crc32.h"
+
+  /* ============================================================= */
+  /*  COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or       */
+  /*  code or tables extracted from it, as desired without restriction.     */
+  /*                                                                        */
+  /*  First, the polynomial itself and its table of feedback terms.  The    */
+  /*  polynomial is                                                         */
+  /*  X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0   */
+  /*                                                                        */
+  /*  Note that we take it "backwards" and put the highest-order term in    */
+  /*  the lowest-order bit.  The X^32 term is "implied"; the LSB is the     */
+  /*  X^31 term, etc.  The X^0 term (usually shown as "+1") results in      */
+  /*  the MSB being 1.                                                      */
+  /*                                                                        */
+  /*  Note that the usual hardware shift register implementation, which     */
+  /*  is what we're using (we're merely optimizing it by doing eight-bit    */
+  /*  chunks at a time) shifts bits into the lowest-order term.  In our     */
+  /*  implementation, that means shifting towards the right.  Why do we     */
+  /*  do it this way?  Because the calculated CRC must be transmitted in    */
+  /*  order from highest-order term to lowest-order term.  UARTs transmit   */
+  /*  characters in order from LSB to MSB.  By storing the CRC this way,    */
+  /*  we hand it to the UART in the order low-byte to high-byte; the UART   */
+  /*  sends each low-bit to hight-bit; and the result is transmission bit   */
+  /*  by bit from highest- to lowest-order term without requiring any bit   */
+  /*  shuffling on our part.  Reception works similarly.                    */
+  /*                                                                        */
+  /*  The feedback terms table consists of 256, 32-bit entries.  Notes:     */
+  /*                                                                        */
+  /*      The table can be generated at runtime if desired; code to do so   */
+  /*      is shown later.  It might not be obvious, but the feedback        */
+  /*      terms simply represent the results of eight shift/xor opera-      */
+  /*      tions for all combinations of data and CRC register values.       */
+  /*                                                                        */
+  /*      The values must be right-shifted by eight bits by the "updcrc"    */
+  /*      logic; the shift must be unsigned (bring in zeroes).  On some     */
+  /*      hardware you could probably optimize the shift in assembler by    */
+  /*      using byte-swap instructions.                                     */
+  /*      polynomial $edb88320                                              */
+  /*                                                                        */
+  /*  --------------------------------------------------------------------  */
+
+static unsigned int crc32_tab[] = {
+	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
+	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
+	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
+	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
+	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
+	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
+	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
+	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
+	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
+	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
+	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
+	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
+	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
+	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
+	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
+	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
+	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
+	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
+	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
+	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
+	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
+	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
+	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
+	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
+	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
+	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
+	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
+	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
+	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
+	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
+	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
+	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
+	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
+	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
+	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
+	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
+	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
+	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
+	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
+	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
+	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
+	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
+	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
+	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
+	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
+	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
+	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
+	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
+	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
+	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
+	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
+	0x2d02ef8dL
+};
+
+/* Return a 32-bit CRC of the contents of the buffer. */
+
+unsigned int
+crc32(const unsigned char *s, unsigned int len)
+{
+	unsigned int i;
+	unsigned int crc32val;
+
+	crc32val = 0;
+	for (i = 0;  i < len;  i ++) {
+		crc32val = crc32_tab[(crc32val ^ s[i]) & 0xff] ^ (crc32val >> 8);
+	}
+	return crc32val;
+}
diff --git a/crypto/openssh/crc32.h b/crypto/openssh/crc32.h
new file mode 100644
index 0000000..4176e8a
--- /dev/null
+++ b/crypto/openssh/crc32.h
@@ -0,0 +1,27 @@
+/*
+ *
+ * crc32.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1992 Tatu Ylonen, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Tue Feb 11 14:37:27 1992 ylo
+ *
+ * Functions for computing 32-bit CRC.
+ *
+ */
+
+/* RCSID("$Id: crc32.h,v 1.5 2000/04/14 10:30:31 markus Exp $"); */
+
+#ifndef CRC32_H
+#define CRC32_H
+
+/*
+ * This computes a 32 bit CRC of the data in the buffer, and returns the CRC.
+ * The polynomial used is 0xedb88320.
+ */
+unsigned int crc32(const unsigned char *buf, unsigned int len);
+
+#endif				/* CRC32_H */
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
new file mode 100644
index 0000000..263e039
--- /dev/null
+++ b/crypto/openssh/deattack.c
@@ -0,0 +1,155 @@
+/*
+ * $Id: deattack.c,v 1.6 1999/11/24 00:26:01 deraadt Exp $
+ * Cryptographic attack detector for ssh - source code
+ *
+ * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+ *
+ * All rights reserved. Redistribution and use in source and binary
+ * forms, with or without modification, are permitted provided that
+ * this copyright notice is retained.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+ * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+ * SOFTWARE.
+ *
+ * Ariel Futoransky <futo@core-sdi.com>
+ * <http://www.core-sdi.com>
+ */
+
+#include "includes.h"
+#include "deattack.h"
+#include "ssh.h"
+#include "crc32.h"
+#include "getput.h"
+#include "xmalloc.h"
+
+/* SSH Constants */
+#define SSH_MAXBLOCKS	(32 * 1024)
+#define SSH_BLOCKSIZE	(8)
+
+/* Hashing constants */
+#define HASH_MINSIZE	(8 * 1024)
+#define HASH_ENTRYSIZE	(2)
+#define HASH_FACTOR(x)	((x)*3/2)
+#define HASH_UNUSEDCHAR	(0xff)
+#define HASH_UNUSED	(0xffff)
+#define HASH_IV     	(0xfffe)
+
+#define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
+
+
+/* Hash function (Input keys are cipher results) */
+#define HASH(x)		GET_32BIT(x)
+
+#define CMP(a,b)	(memcmp(a, b, SSH_BLOCKSIZE))
+
+
+void
+crc_update(u_int32_t *a, u_int32_t b)
+{
+	b ^= *a;
+	*a = crc32((unsigned char *) &b, sizeof(b));
+}
+
+/* detect if a block is used in a particular pattern */
+int
+check_crc(unsigned char *S, unsigned char *buf, u_int32_t len,
+	  unsigned char *IV)
+{
+	u_int32_t crc;
+	unsigned char *c;
+
+	crc = 0;
+	if (IV && !CMP(S, IV)) {
+		crc_update(&crc, 1);
+		crc_update(&crc, 0);
+	}
+	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+		if (!CMP(S, c)) {
+			crc_update(&crc, 1);
+			crc_update(&crc, 0);
+		} else {
+			crc_update(&crc, 0);
+			crc_update(&crc, 0);
+		}
+	}
+	return (crc == 0);
+}
+
+
+/* Detect a crc32 compensation attack on a packet */
+int
+detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
+{
+	static u_int16_t *h = (u_int16_t *) NULL;
+	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+	register u_int32_t i, j;
+	u_int32_t l;
+	register unsigned char *c;
+	unsigned char *d;
+
+	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
+	    len % SSH_BLOCKSIZE != 0) {
+		fatal("detect_attack: bad length %d", len);
+	}
+	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
+		;
+
+	if (h == NULL) {
+		debug("Installing crc compensation attack detector.");
+		n = l;
+		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+	} else {
+		if (l > n) {
+			n = l;
+			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+		}
+	}
+
+	if (len <= HASH_MINBLOCKS) {
+		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+			if (IV && (!CMP(c, IV))) {
+				if ((check_crc(c, buf, len, IV)))
+					return (DEATTACK_DETECTED);
+				else
+					break;
+			}
+			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
+				if (!CMP(c, d)) {
+					if ((check_crc(c, buf, len, IV)))
+						return (DEATTACK_DETECTED);
+					else
+						break;
+				}
+			}
+		}
+		return (DEATTACK_OK);
+	}
+	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
+
+	if (IV)
+		h[HASH(IV) & (n - 1)] = HASH_IV;
+
+	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+		     i = (i + 1) & (n - 1)) {
+			if (h[i] == HASH_IV) {
+				if (!CMP(c, IV)) {
+					if (check_crc(c, buf, len, IV))
+						return (DEATTACK_DETECTED);
+					else
+						break;
+				}
+			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+				if (check_crc(c, buf, len, IV))
+					return (DEATTACK_DETECTED);
+				else
+					break;
+			}
+		}
+		h[i] = j;
+	}
+	return (DEATTACK_OK);
+}
diff --git a/crypto/openssh/deattack.h b/crypto/openssh/deattack.h
new file mode 100644
index 0000000..6ce54de
--- /dev/null
+++ b/crypto/openssh/deattack.h
@@ -0,0 +1,28 @@
+/*
+ * Cryptographic attack detector for ssh - Header file
+ *
+ * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+ *
+ * All rights reserved. Redistribution and use in source and binary
+ * forms, with or without modification, are permitted provided that
+ * this copyright notice is retained.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+ * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+ * SOFTWARE.
+ *
+ * Ariel Futoransky <futo@core-sdi.com>
+ * <http://www.core-sdi.com>
+ */
+
+#ifndef _DEATTACK_H
+#define _DEATTACK_H
+
+/* Return codes */
+#define DEATTACK_OK		0
+#define DEATTACK_DETECTED	1
+
+int     detect_attack(unsigned char *buf, u_int32_t len, unsigned char IV[8]);
+#endif
diff --git a/crypto/openssh/dispatch.c b/crypto/openssh/dispatch.c
new file mode 100644
index 0000000..9b7def7
--- /dev/null
+++ b/crypto/openssh/dispatch.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$Id: dispatch.c,v 1.2 2000/04/14 10:30:31 markus Exp $");
+#include "ssh.h"
+#include "dispatch.h"
+#include "packet.h"
+
+#define DISPATCH_MIN	0
+#define DISPATCH_MAX	255
+
+dispatch_fn *dispatch[DISPATCH_MAX];
+
+void
+dispatch_protocol_error(int type, int plen)
+{
+	error("Hm, dispatch protocol error: type %d plen %d", type, plen);
+}
+void
+dispatch_init(dispatch_fn *dflt)
+{
+	int i;
+	for (i = 0; i < DISPATCH_MAX; i++)
+		dispatch[i] = dflt;
+}
+void
+dispatch_set(int type, dispatch_fn *fn)
+{
+	dispatch[type] = fn;
+}
+void
+dispatch_run(int mode, int *done)
+{
+	for (;;) {
+		int plen;
+		int type;
+
+		if (mode == DISPATCH_BLOCK) {
+			type = packet_read(&plen);
+		} else {
+			type = packet_read_poll(&plen);
+			if (type == SSH_MSG_NONE)
+				return;
+		}
+		if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL)
+			(*dispatch[type])(type, plen);
+		else
+			packet_disconnect("protocol error: rcvd type %d", type);	
+		if (done != NULL && *done)
+			return;
+	}
+}
diff --git a/crypto/openssh/dispatch.h b/crypto/openssh/dispatch.h
new file mode 100644
index 0000000..12084aa
--- /dev/null
+++ b/crypto/openssh/dispatch.h
@@ -0,0 +1,11 @@
+enum {
+	DISPATCH_BLOCK,
+	DISPATCH_NONBLOCK
+};
+
+typedef void dispatch_fn(int type, int plen);
+
+void	dispatch_init(dispatch_fn *dflt);
+void	dispatch_set(int type, dispatch_fn *fn);
+void	dispatch_run(int mode, int *done);
+void	dispatch_protocol_error(int type, int plen);
diff --git a/crypto/openssh/dsa.c b/crypto/openssh/dsa.c
new file mode 100644
index 0000000..51d7ff2
--- /dev/null
+++ b/crypto/openssh/dsa.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: dsa.c,v 1.7 2000/05/08 17:42:24 markus Exp $");
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "compat.h"
+
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+
+#include <openssl/hmac.h>
+#include "kex.h"
+#include "key.h"
+#include "uuencode.h"
+
+#define INTBLOB_LEN	20
+#define SIGBLOB_LEN	(2*INTBLOB_LEN)
+
+Key *
+dsa_key_from_blob(
+    char *blob, int blen)
+{
+	Buffer b;
+	char *ktype;
+	int rlen;
+	DSA *dsa;
+	Key *key;
+
+#ifdef DEBUG_DSS
+	dump_base64(stderr, blob, blen);
+#endif
+	/* fetch & parse DSA/DSS pubkey */
+	key = key_new(KEY_DSA);
+	dsa = key->dsa;
+	buffer_init(&b);
+	buffer_append(&b, blob, blen);
+	ktype = buffer_get_string(&b, NULL);
+	if (strcmp(KEX_DSS, ktype) != 0) {
+		error("dsa_key_from_blob: cannot handle type  %s", ktype);
+		key_free(key);
+		return NULL;
+	}
+	buffer_get_bignum2(&b, dsa->p);
+	buffer_get_bignum2(&b, dsa->q);
+	buffer_get_bignum2(&b, dsa->g);
+	buffer_get_bignum2(&b, dsa->pub_key);
+	rlen = buffer_len(&b);
+	if(rlen != 0)
+		error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
+	buffer_free(&b);
+
+	debug("keytype %s", ktype);
+#ifdef DEBUG_DSS
+	DSA_print_fp(stderr, dsa, 8);
+#endif
+	return key;
+}
+int
+dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp)
+{
+	Buffer b;
+	int len;
+	unsigned char *buf;
+
+	if (key == NULL || key->type != KEY_DSA)
+		return 0;
+	buffer_init(&b);
+	buffer_put_cstring(&b, KEX_DSS);
+	buffer_put_bignum2(&b, key->dsa->p);
+	buffer_put_bignum2(&b, key->dsa->q);
+	buffer_put_bignum2(&b, key->dsa->g);
+	buffer_put_bignum2(&b, key->dsa->pub_key);
+	len = buffer_len(&b);
+	buf = xmalloc(len);
+	memcpy(buf, buffer_ptr(&b), len);
+	memset(buffer_ptr(&b), 0, len);
+	buffer_free(&b);
+	if (lenp != NULL)
+		*lenp = len;
+	if (blobp != NULL)
+		*blobp = buf;
+	return len;
+}
+int
+dsa_sign(
+    Key *key,
+    unsigned char **sigp, int *lenp,
+    unsigned char *data, int datalen)
+{
+	unsigned char *digest;
+	unsigned char *ret;
+	DSA_SIG *sig;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	unsigned int rlen;
+	unsigned int slen;
+	unsigned int len;
+	unsigned char sigblob[SIGBLOB_LEN];
+	Buffer b;
+
+	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+		error("dsa_sign: no DSA key");
+		return -1;
+	}
+	digest = xmalloc(evp_md->md_size);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	sig = DSA_do_sign(digest, evp_md->md_size, key->dsa);
+	if (sig == NULL) {
+		fatal("dsa_sign: cannot sign");
+	}
+
+	rlen = BN_num_bytes(sig->r);
+	slen = BN_num_bytes(sig->s);
+	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
+		error("bad sig size %d %d", rlen, slen);
+		DSA_SIG_free(sig);
+		return -1;
+	}
+	debug("sig size %d %d", rlen, slen);
+
+	memset(sigblob, 0, SIGBLOB_LEN);
+	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
+	DSA_SIG_free(sig);
+
+	if (datafellows & SSH_BUG_SIGBLOB) {
+		debug("datafellows");
+		ret = xmalloc(SIGBLOB_LEN);
+		memcpy(ret, sigblob, SIGBLOB_LEN);
+		if (lenp != NULL)
+			*lenp = SIGBLOB_LEN;
+		if (sigp != NULL)
+			*sigp = ret;
+	} else {
+		/* ietf-drafts */
+		buffer_init(&b);
+		buffer_put_cstring(&b, KEX_DSS);
+		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
+		len = buffer_len(&b);
+		ret = xmalloc(len);
+		memcpy(ret, buffer_ptr(&b), len);
+		buffer_free(&b);
+		if (lenp != NULL)
+			*lenp = len;
+		if (sigp != NULL)
+			*sigp = ret;
+	}
+	return 0;
+}
+int
+dsa_verify(
+    Key *key,
+    unsigned char *signature, int signaturelen,
+    unsigned char *data, int datalen)
+{
+	Buffer b;
+	unsigned char *digest;
+	DSA_SIG *sig;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	char *ktype;
+	unsigned char *sigblob;
+	char *txt;
+	unsigned int len;
+	int rlen;
+	int ret;
+
+	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+		error("dsa_verify: no DSA key");
+		return -1;
+	}
+
+	if (!(datafellows & SSH_BUG_SIGBLOB) &&
+	    signaturelen == SIGBLOB_LEN) {
+		datafellows |= ~SSH_BUG_SIGBLOB;
+		log("autodetect SSH_BUG_SIGBLOB");
+	} else if ((datafellows & SSH_BUG_SIGBLOB) &&
+	    signaturelen != SIGBLOB_LEN) {
+		log("autoremove SSH_BUG_SIGBLOB");
+		datafellows &= ~SSH_BUG_SIGBLOB;
+	}
+
+	debug("len %d datafellows %d", signaturelen, datafellows);
+
+	/* fetch signature */
+	if (datafellows & SSH_BUG_SIGBLOB) {
+		sigblob = signature;
+		len = signaturelen;
+	} else {
+		/* ietf-drafts */
+		buffer_init(&b);
+		buffer_append(&b, (char *) signature, signaturelen);
+		ktype = buffer_get_string(&b, NULL);
+		sigblob = (unsigned char *)buffer_get_string(&b, &len);
+		rlen = buffer_len(&b);
+		if(rlen != 0)
+			error("remaining bytes in signature %d", rlen);
+		buffer_free(&b);
+	}
+
+	if (len != SIGBLOB_LEN) {
+		fatal("bad sigbloblen %d != SIGBLOB_LEN", len);
+	}
+
+	/* parse signature */
+	sig = DSA_SIG_new();
+	sig->r = BN_new();
+	sig->s = BN_new();
+	BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
+	BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
+
+	if (!(datafellows & SSH_BUG_SIGBLOB)) {
+		memset(sigblob, 0, len);
+		xfree(sigblob);
+	}
+	
+	/* sha1 the data */
+	digest = xmalloc(evp_md->md_size);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	ret = DSA_do_verify(digest, evp_md->md_size, sig, key->dsa);
+
+	memset(digest, 0, evp_md->md_size);
+	xfree(digest);
+	DSA_SIG_free(sig);
+
+	switch (ret) {
+	case 1:
+		txt = "correct";
+		break;
+	case 0:
+		txt = "incorrect";
+		break;
+	case -1:
+	default:
+		txt = "error";
+		break;
+	}
+	debug("dsa_verify: signature %s", txt);
+	return ret;
+}
+
+Key *
+dsa_generate_key(unsigned int bits)
+{
+	DSA *dsa = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
+	Key *k;
+	if (dsa == NULL) {
+		fatal("DSA_generate_parameters failed");
+	}
+	if (!DSA_generate_key(dsa)) {
+		fatal("DSA_generate_keys failed");
+	}
+
+	k = key_new(KEY_EMPTY);
+	k->type = KEY_DSA;
+	k->dsa = dsa;
+	return k;
+}
diff --git a/crypto/openssh/dsa.h b/crypto/openssh/dsa.h
new file mode 100644
index 0000000..3cece7c
--- /dev/null
+++ b/crypto/openssh/dsa.h
@@ -0,0 +1,22 @@
+#ifndef DSA_H
+#define DSA_H
+
+Key	*dsa_key_from_blob(char *blob, int blen);
+int	dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp);
+
+int
+dsa_sign(
+    Key *key,
+    unsigned char **sigp, int *lenp,
+    unsigned char *data, int datalen);
+
+int
+dsa_verify(
+    Key *key,
+    unsigned char *signature, int signaturelen,
+    unsigned char *data, int datalen);
+
+Key *
+dsa_generate_key(unsigned int bits);
+
+#endif
diff --git a/crypto/openssh/fingerprint.c b/crypto/openssh/fingerprint.c
new file mode 100644
index 0000000..38a2e64
--- /dev/null
+++ b/crypto/openssh/fingerprint.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: fingerprint.c,v 1.6 2000/04/12 09:39:10 markus Exp $");
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include <openssl/md5.h>
+
+#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
+
+/*
+ * Generate key fingerprint in ascii format.
+ * Based on ideas and code from Bjoern Groenvall <bg@sics.se>
+ */
+char *
+fingerprint(BIGNUM *e, BIGNUM *n)
+{
+	static char retval[80];
+	MD5_CTX md;
+	unsigned char d[16];
+	unsigned char *buf;
+	int nlen, elen;
+
+	nlen = BN_num_bytes(n);
+	elen = BN_num_bytes(e);
+
+	buf = xmalloc(nlen + elen);
+
+	BN_bn2bin(n, buf);
+	BN_bn2bin(e, buf + nlen);
+
+	MD5_Init(&md);
+	MD5_Update(&md, buf, nlen + elen);
+	MD5_Final(d, &md);
+	snprintf(retval, sizeof(retval), FPRINT,
+	    d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
+	    d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+	memset(buf, 0, nlen + elen);
+	xfree(buf);
+	return retval;
+}
diff --git a/crypto/openssh/fingerprint.h b/crypto/openssh/fingerprint.h
new file mode 100644
index 0000000..fbb0d4c
--- /dev/null
+++ b/crypto/openssh/fingerprint.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/* RCSID("$Id: fingerprint.h,v 1.3 1999/11/24 16:15:25 markus Exp $"); */
+
+#ifndef FINGERPRINT_H
+#define FINGERPRINT_H
+char   *fingerprint(BIGNUM * e, BIGNUM * n);
+#endif
diff --git a/crypto/openssh/getput.h b/crypto/openssh/getput.h
new file mode 100644
index 0000000..e1aa9bb
--- /dev/null
+++ b/crypto/openssh/getput.h
@@ -0,0 +1,63 @@
+/*
+ *
+ * getput.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Wed Jun 28 22:36:30 1995 ylo
+ *
+ * Macros for storing and retrieving data in msb first and lsb first order.
+ *
+ */
+
+/* RCSID("$Id: getput.h,v 1.3 2000/04/14 10:30:31 markus Exp $"); */
+
+#ifndef GETPUT_H
+#define GETPUT_H
+
+/*------------ macros for storing/extracting msb first words -------------*/
+
+#define GET_32BIT(cp) (((unsigned long)(unsigned char)(cp)[0] << 24) | \
+		       ((unsigned long)(unsigned char)(cp)[1] << 16) | \
+		       ((unsigned long)(unsigned char)(cp)[2] << 8) | \
+		       ((unsigned long)(unsigned char)(cp)[3]))
+
+#define GET_16BIT(cp) (((unsigned long)(unsigned char)(cp)[0] << 8) | \
+		       ((unsigned long)(unsigned char)(cp)[1]))
+
+#define PUT_32BIT(cp, value) do { \
+  (cp)[0] = (value) >> 24; \
+  (cp)[1] = (value) >> 16; \
+  (cp)[2] = (value) >> 8; \
+  (cp)[3] = (value); } while (0)
+
+#define PUT_16BIT(cp, value) do { \
+  (cp)[0] = (value) >> 8; \
+  (cp)[1] = (value); } while (0)
+
+/*------------ macros for storing/extracting lsb first words -------------*/
+
+#define GET_32BIT_LSB_FIRST(cp) \
+  (((unsigned long)(unsigned char)(cp)[0]) | \
+  ((unsigned long)(unsigned char)(cp)[1] << 8) | \
+  ((unsigned long)(unsigned char)(cp)[2] << 16) | \
+  ((unsigned long)(unsigned char)(cp)[3] << 24))
+
+#define GET_16BIT_LSB_FIRST(cp) \
+  (((unsigned long)(unsigned char)(cp)[0]) | \
+  ((unsigned long)(unsigned char)(cp)[1] << 8))
+
+#define PUT_32BIT_LSB_FIRST(cp, value) do { \
+  (cp)[0] = (value); \
+  (cp)[1] = (value) >> 8; \
+  (cp)[2] = (value) >> 16; \
+  (cp)[3] = (value) >> 24; } while (0)
+
+#define PUT_16BIT_LSB_FIRST(cp, value) do { \
+  (cp)[0] = (value); \
+  (cp)[1] = (value) >> 8; } while (0)
+
+#endif				/* GETPUT_H */
diff --git a/crypto/openssh/hmac.c b/crypto/openssh/hmac.c
new file mode 100644
index 0000000..fe53aa4
--- /dev/null
+++ b/crypto/openssh/hmac.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: hmac.c,v 1.2 2000/04/12 09:39:10 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+#include "getput.h"
+
+#include <openssl/hmac.h>
+
+unsigned char *
+hmac(
+    EVP_MD *evp_md,
+    unsigned int seqno,
+    unsigned char *data, int datalen,
+    unsigned char *key, int keylen)
+{
+	HMAC_CTX c;
+	static unsigned char m[EVP_MAX_MD_SIZE];
+	unsigned char b[4];
+
+	if (key == NULL)
+		fatal("hmac: no key");
+	HMAC_Init(&c, key, keylen, evp_md);
+	PUT_32BIT(b, seqno);
+	HMAC_Update(&c, b, sizeof b);
+	HMAC_Update(&c, data, datalen);
+	HMAC_Final(&c, m, NULL);
+	HMAC_cleanup(&c);
+	return(m);
+}
diff --git a/crypto/openssh/hmac.h b/crypto/openssh/hmac.h
new file mode 100644
index 0000000..fb68029
--- /dev/null
+++ b/crypto/openssh/hmac.h
@@ -0,0 +1,11 @@
+#ifndef HMAC_H
+#define HMAC_H
+
+unsigned char *
+hmac(
+    EVP_MD *evp_md,
+    unsigned int seqno,
+    unsigned char *data, int datalen,
+    unsigned char *key, int len);
+
+#endif
diff --git a/crypto/openssh/hostfile.c b/crypto/openssh/hostfile.c
new file mode 100644
index 0000000..e80643c
--- /dev/null
+++ b/crypto/openssh/hostfile.c
@@ -0,0 +1,195 @@
+/*
+ *
+ * hostfile.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Thu Jun 29 07:10:56 1995 ylo
+ *
+ * Functions for manipulating the known hosts files.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+
+#include "packet.h"
+#include "match.h"
+#include "ssh.h"
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include "key.h"
+#include "hostfile.h"
+
+/*
+ * Parses an RSA (number of bits, e, n) or DSA key from a string.  Moves the
+ * pointer over the key.  Skips any whitespace at the beginning and at end.
+ */
+
+int
+hostfile_read_key(char **cpp, unsigned int *bitsp, Key *ret)
+{
+	unsigned int bits;
+	char *cp;
+
+	/* Skip leading whitespace. */
+	for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	bits = key_read(ret, &cp);
+	if (bits == 0)
+		return 0;
+
+	/* Skip trailing whitespace. */
+	for (; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	/* Return results. */
+	*cpp = cp;
+	*bitsp = bits;
+	return 1;
+}
+
+int
+auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM * e, BIGNUM * n)
+{
+	Key *k = key_new(KEY_RSA);
+	int ret = hostfile_read_key(cpp, bitsp, k);
+	BN_copy(e, k->rsa->e);
+	BN_copy(n, k->rsa->n);
+	key_free(k);
+	return ret;
+}
+
+int
+hostfile_check_key(int bits, Key *key, const char *host, const char *filename, int linenum)
+{
+	if (key == NULL || key->type != KEY_RSA || key->rsa == NULL)
+		return 1;
+	if (bits != BN_num_bits(key->rsa->n)) {
+		log("Warning: %s, line %d: keysize mismatch for host %s: "
+		    "actual %d vs. announced %d.",
+		    filename, linenum, host, BN_num_bits(key->rsa->n), bits);
+		log("Warning: replace %d with %d in %s, line %d.",
+		    bits, BN_num_bits(key->rsa->n), filename, linenum);
+	}
+	return 1;
+}
+
+/*
+ * Checks whether the given host (which must be in all lowercase) is already
+ * in the list of our known hosts. Returns HOST_OK if the host is known and
+ * has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED
+ * if the host is known but used to have a different host key.
+ */
+
+HostStatus
+check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *found)
+{
+	FILE *f;
+	char line[8192];
+	int linenum = 0;
+	unsigned int kbits, hostlen;
+	char *cp, *cp2;
+	HostStatus end_return;
+
+	if (key == NULL)
+		fatal("no key to look up");
+	/* Open the file containing the list of known hosts. */
+	f = fopen(filename, "r");
+	if (!f)
+		return HOST_NEW;
+
+	/* Cache the length of the host name. */
+	hostlen = strlen(host);
+
+	/*
+	 * Return value when the loop terminates.  This is set to
+	 * HOST_CHANGED if we have seen a different key for the host and have
+	 * not found the proper one.
+	 */
+	end_return = HOST_NEW;
+
+	/* Go trough the file. */
+	while (fgets(line, sizeof(line), f)) {
+		cp = line;
+		linenum++;
+
+		/* Skip any leading whitespace, comments and empty lines. */
+		for (; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '#' || *cp == '\n')
+			continue;
+
+		/* Find the end of the host name portion. */
+		for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
+			;
+
+		/* Check if the host name matches. */
+		if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+			continue;
+
+		/* Got a match.  Skip host name. */
+		cp = cp2;
+
+		/*
+		 * Extract the key from the line.  This will skip any leading
+		 * whitespace.  Ignore badly formatted lines.
+		 */
+		if (!hostfile_read_key(&cp, &kbits, found))
+			continue;
+		if (!hostfile_check_key(kbits, found, host, filename, linenum))
+			continue;
+
+		/* Check if the current key is the same as the given key. */
+		if (key_equal(key, found)) {
+			/* Ok, they match. */
+			fclose(f);
+			return HOST_OK;
+		}
+		/*
+		 * They do not match.  We will continue to go through the
+		 * file; however, we note that we will not return that it is
+		 * new.
+		 */
+		end_return = HOST_CHANGED;
+	}
+	/* Clear variables and close the file. */
+	fclose(f);
+
+	/*
+	 * Return either HOST_NEW or HOST_CHANGED, depending on whether we
+	 * saw a different key for the host.
+	 */
+	return end_return;
+}
+
+/*
+ * Appends an entry to the host file.  Returns false if the entry could not
+ * be appended.
+ */
+
+int
+add_host_to_hostfile(const char *filename, const char *host, Key *key)
+{
+	FILE *f;
+	int success = 0;
+	if (key == NULL)
+		return 1;	/* XXX ? */
+	f = fopen(filename, "a");
+	if (!f)
+		return 0;
+	fprintf(f, "%s ", host);
+	if (key_write(key, f)) {
+		success = 1;
+	} else {
+		error("add_host_to_hostfile: saving key in %s failed", filename);
+	}
+	fprintf(f, "\n");
+	fclose(f);
+	return success;
+}
diff --git a/crypto/openssh/hostfile.h b/crypto/openssh/hostfile.h
new file mode 100644
index 0000000..c9bdd7f
--- /dev/null
+++ b/crypto/openssh/hostfile.h
@@ -0,0 +1,22 @@
+#ifndef HOSTFILE_H
+#define HOSTFILE_H
+
+/*
+ * Checks whether the given host is already in the list of our known hosts.
+ * Returns HOST_OK if the host is known and has the specified key, HOST_NEW
+ * if the host is not known, and HOST_CHANGED if the host is known but used
+ * to have a different host key.  The host must be in all lowercase.
+ */
+typedef enum {
+	HOST_OK, HOST_NEW, HOST_CHANGED
+}       HostStatus;
+HostStatus
+check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *found);
+
+/*
+ * Appends an entry to the host file.  Returns false if the entry could not
+ * be appended.
+ */
+int	add_host_to_hostfile(const char *filename, const char *host, Key *key);
+
+#endif
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
new file mode 100644
index 0000000..848a82f
--- /dev/null
+++ b/crypto/openssh/includes.h
@@ -0,0 +1,71 @@
+/*
+ *
+ * includes.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Thu Mar 23 16:29:37 1995 ylo
+ *
+ * This file includes most of the needed system headers.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef INCLUDES_H
+#define INCLUDES_H
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/select.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/un.h>
+#include <sys/resource.h>
+#include <machine/endian.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <stdio.h>
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <termios.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <time.h>
+#include <paths.h>
+#include <dirent.h>
+
+#include "version.h"
+
+/* Define this to be the path of the xauth program. */
+#define XAUTH_PATH "/usr/X11R6/bin/xauth"
+
+/*
+ * Define this to use pipes instead of socketpairs for communicating with the
+ * client program.  Socketpairs do not seem to work on all systems.
+ * Although pipes are bi-directional in FreeBSD, using pipes here will
+ * make <stdin> uni-directional !
+ */
+/* #define USE_PIPES 1 */
+
+#endif				/* INCLUDES_H */
diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c
new file mode 100644
index 0000000..a6c8174
--- /dev/null
+++ b/crypto/openssh/kex.c
@@ -0,0 +1,468 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: kex.c,v 1.7 2000/05/25 20:45:20 markus Exp $");
+
+#include "ssh.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "packet.h"
+#include "cipher.h"
+#include "compat.h"
+
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/pem.h>
+
+#include "kex.h"
+
+#define KEX_COOKIE_LEN	16
+
+Buffer *
+kex_init(char *myproposal[PROPOSAL_MAX])
+{
+	int first_kex_packet_follows = 0;
+	unsigned char cookie[KEX_COOKIE_LEN];
+	u_int32_t rand = 0;
+	int i;
+	Buffer *ki = xmalloc(sizeof(*ki));
+	for (i = 0; i < KEX_COOKIE_LEN; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		cookie[i] = rand & 0xff;
+		rand >>= 8;
+	}
+	buffer_init(ki);
+	buffer_append(ki, (char *)cookie, sizeof cookie);
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		buffer_put_cstring(ki, myproposal[i]);
+	buffer_put_char(ki, first_kex_packet_follows);
+	buffer_put_int(ki, 0);				/* uint32 reserved */
+	return ki;
+}
+
+/* send kexinit, parse and save reply */
+void
+kex_exchange_kexinit(
+    Buffer *my_kexinit, Buffer *peer_kexint,
+    char *peer_proposal[PROPOSAL_MAX])
+{
+	int i;
+	char *ptr;
+	int plen;
+
+	debug("send KEXINIT");
+	packet_start(SSH2_MSG_KEXINIT);
+	packet_put_raw(buffer_ptr(my_kexinit), buffer_len(my_kexinit));	
+	packet_send();
+	packet_write_wait();
+	debug("done");
+
+	/*
+	 * read and save raw KEXINIT payload in buffer. this is used during
+	 * computation of the session_id and the session keys.
+	 */
+	debug("wait KEXINIT");
+	packet_read_expect(&plen, SSH2_MSG_KEXINIT);
+	ptr = packet_get_raw(&plen);
+	buffer_append(peer_kexint, ptr, plen);
+
+	/* parse packet and save algorithm proposal */
+	/* skip cookie */
+	for (i = 0; i < KEX_COOKIE_LEN; i++)
+		packet_get_char();
+	/* extract kex init proposal strings */
+	for (i = 0; i < PROPOSAL_MAX; i++) {
+		peer_proposal[i] = packet_get_string(NULL);
+		debug("got kexinit: %s", peer_proposal[i]);
+	}
+	/* first kex follow / reserved */
+	i = packet_get_char();
+	debug("first kex follow: %d ", i);
+	i = packet_get_int();
+	debug("reserved: %d ", i);
+	packet_done();
+	debug("done");
+}
+
+/* diffie-hellman-group1-sha1 */
+
+int
+dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+{
+	int i;
+	int n = BN_num_bits(dh_pub);
+	int bits_set = 0;
+
+	/* we only accept g==2 */
+	if (!BN_is_word(dh->g, 2)) {
+		log("invalid DH base != 2");
+		return 0;
+	}
+	if (dh_pub->neg) {
+		log("invalid public DH value: negativ");
+		return 0;
+	}
+	for (i = 0; i <= n; i++)
+		if (BN_is_bit_set(dh_pub, i))
+			bits_set++;
+	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
+
+	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
+	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
+		return 1;
+	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
+	return 0;
+}
+
+DH *
+dh_new_group1()
+{
+	static char *group1 =
+	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
+	    "FFFFFFFF" "FFFFFFFF";
+	DH *dh;
+	int ret, tries = 0;
+	dh = DH_new();
+	if(dh == NULL)
+		fatal("DH_new");
+	ret = BN_hex2bn(&dh->p, group1);
+	if(ret<0)
+		fatal("BN_hex2bn");
+	dh->g = BN_new();
+	if(dh->g == NULL)
+		fatal("DH_new g");
+	BN_set_word(dh->g, 2);
+	do {
+		if (DH_generate_key(dh) == 0)
+			fatal("DH_generate_key");
+		if (tries++ > 10)
+			fatal("dh_new_group1: too many bad keys: giving up");
+	} while (!dh_pub_is_valid(dh, dh->pub_key));
+	return dh;
+}
+
+void
+dump_digest(unsigned char *digest, int len)
+{
+	int i;
+	for (i = 0; i< len; i++){
+		fprintf(stderr, "%02x", digest[i]);
+		if(i%2!=0)
+			fprintf(stderr, " ");
+	}
+	fprintf(stderr, "\n");
+}
+
+unsigned char *
+kex_hash(
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    char *serverhostkeyblob, int sbloblen,
+    BIGNUM *client_dh_pub,
+    BIGNUM *server_dh_pub,
+    BIGNUM *shared_secret)
+{
+	Buffer b;
+	static unsigned char digest[EVP_MAX_MD_SIZE];
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+
+	buffer_init(&b);
+	buffer_put_string(&b, client_version_string, strlen(client_version_string));
+	buffer_put_string(&b, server_version_string, strlen(server_version_string));
+
+	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+	buffer_put_int(&b, ckexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, ckexinit, ckexinitlen);
+	buffer_put_int(&b, skexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, skexinit, skexinitlen);
+
+	buffer_put_string(&b, serverhostkeyblob, sbloblen);
+	buffer_put_bignum2(&b, client_dh_pub);
+	buffer_put_bignum2(&b, server_dh_pub);
+	buffer_put_bignum2(&b, shared_secret);
+	
+#ifdef DEBUG_KEX
+	buffer_dump(&b);
+#endif
+
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+	EVP_DigestFinal(&md, digest, NULL);
+
+	buffer_free(&b);
+
+#ifdef DEBUG_KEX
+	dump_digest(digest, evp_md->md_size);
+#endif
+	return digest;
+}
+
+unsigned char *
+derive_key(int id, int need, char unsigned *hash, BIGNUM *shared_secret)
+{
+	Buffer b;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	char c = id;
+	int have;
+	int mdsz = evp_md->md_size;
+	unsigned char *digest = xmalloc(((need+mdsz-1)/mdsz)*mdsz);
+
+	buffer_init(&b);
+	buffer_put_bignum2(&b, shared_secret);
+
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));	/* shared_secret K */
+	EVP_DigestUpdate(&md, hash, mdsz);		/* transport-06 */
+	EVP_DigestUpdate(&md, &c, 1);			/* key id */
+	EVP_DigestUpdate(&md, hash, mdsz);		/* session id */
+	EVP_DigestFinal(&md, digest, NULL);
+
+	/* expand */
+	for (have = mdsz; need > have; have += mdsz) {
+		EVP_DigestInit(&md, evp_md);
+		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+		EVP_DigestUpdate(&md, hash, mdsz);
+		EVP_DigestUpdate(&md, digest, have);
+		EVP_DigestFinal(&md, digest + have, NULL);
+	}
+	buffer_free(&b);
+#ifdef DEBUG_KEX
+	fprintf(stderr, "Digest '%c'== ", c);
+	dump_digest(digest, need);
+#endif
+	return digest;
+}
+
+#define NKEYS	6
+
+#define	MAX_PROP	20
+#define	SEP	","
+
+char *
+get_match(char *client, char *server)
+{
+	char *sproposals[MAX_PROP];
+	char *c, *s, *p, *ret;
+	int i, j, nproposals;
+
+	c = xstrdup(client);
+	s = xstrdup(server);
+
+	for ((p = strtok(s, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
+		if (i < MAX_PROP)
+			sproposals[i] = p;
+		else
+			break;
+	}
+	nproposals = i;
+
+	for ((p = strtok(c, SEP)), i=0; p; (p = strtok(NULL, SEP)), i++) {
+		for (j = 0; j < nproposals; j++) {
+			if (strcmp(p, sproposals[j]) == 0) {
+				ret = xstrdup(p);
+				xfree(c);
+				xfree(s);
+				return ret;
+			}
+		}
+	}
+	xfree(c);
+	xfree(s);
+	return NULL;
+}
+void
+choose_enc(Enc *enc, char *client, char *server)
+{
+	char *name = get_match(client, server);
+	if (name == NULL)
+		fatal("no matching cipher found: client %s server %s", client, server);
+	enc->type = cipher_number(name);
+
+	switch (enc->type) {
+	case SSH_CIPHER_3DES_CBC:
+		enc->key_len = 24;
+		enc->iv_len = 8;
+		enc->block_size = 8;
+		break;
+	case SSH_CIPHER_BLOWFISH_CBC:
+	case SSH_CIPHER_CAST128_CBC:
+		enc->key_len = 16;
+		enc->iv_len = 8;
+		enc->block_size = 8;
+		break;
+	case SSH_CIPHER_ARCFOUR:
+		enc->key_len = 16;
+		enc->iv_len = 0;
+		enc->block_size = 8;
+		break;
+	default:
+		fatal("unsupported cipher %s", name);
+	}
+	enc->name = name;
+	enc->enabled = 0;
+	enc->iv = NULL;
+	enc->key = NULL;
+}
+void
+choose_mac(Mac *mac, char *client, char *server)
+{
+	char *name = get_match(client, server);
+	if (name == NULL)
+		fatal("no matching mac found: client %s server %s", client, server);
+	if (strcmp(name, "hmac-md5") == 0) {
+		mac->md = EVP_md5();
+	} else if (strcmp(name, "hmac-sha1") == 0) {
+		mac->md = EVP_sha1();
+	} else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
+		mac->md = EVP_ripemd160();
+	} else {
+		fatal("unsupported mac %s", name);
+	}
+	mac->name = name;
+	mac->mac_len = mac->md->md_size;
+	mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;
+	mac->key = NULL;
+	mac->enabled = 0;
+}
+void
+choose_comp(Comp *comp, char *client, char *server)
+{
+	char *name = get_match(client, server);
+	if (name == NULL)
+		fatal("no matching comp found: client %s server %s", client, server);
+	if (strcmp(name, "zlib") == 0) {
+		comp->type = 1;
+	} else if (strcmp(name, "none") == 0) {
+		comp->type = 0;
+	} else {
+		fatal("unsupported comp %s", name);
+	}
+	comp->name = name;
+}
+void
+choose_kex(Kex *k, char *client, char *server)
+{
+	k->name = get_match(client, server);
+	if (k->name == NULL)
+		fatal("no kex alg");
+	if (strcmp(k->name, KEX_DH1) != 0)
+		fatal("bad kex alg %s", k->name);
+}
+void
+choose_hostkeyalg(Kex *k, char *client, char *server)
+{
+	k->hostkeyalg = get_match(client, server);
+	if (k->hostkeyalg == NULL)
+		fatal("no hostkey alg");
+	if (strcmp(k->hostkeyalg, KEX_DSS) != 0)
+		fatal("bad hostkey alg %s", k->hostkeyalg);
+}
+
+Kex *
+kex_choose_conf(char *cprop[PROPOSAL_MAX], char *sprop[PROPOSAL_MAX], int server)
+{
+	int mode;
+	int ctos;				/* direction: if true client-to-server */
+	int need;
+	Kex *k;
+
+	k = xmalloc(sizeof(*k));
+	memset(k, 0, sizeof(*k));
+	k->server = server;
+
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		int nenc, nmac, ncomp;
+		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
+		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
+		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
+		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
+		choose_enc (&k->enc [mode], cprop[nenc],  sprop[nenc]);
+		choose_mac (&k->mac [mode], cprop[nmac],  sprop[nmac]);
+		choose_comp(&k->comp[mode], cprop[ncomp], sprop[ncomp]);
+		debug("kex: %s %s %s %s",
+		    ctos ? "client->server" : "server->client",
+		    k->enc[mode].name,
+		    k->mac[mode].name,
+		    k->comp[mode].name);
+	}
+	choose_kex(k, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
+	choose_hostkeyalg(k, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
+	need = 0;
+	for (mode = 0; mode < MODE_MAX; mode++) {
+	    if (need < k->enc[mode].key_len)
+		    need = k->enc[mode].key_len;
+	    if (need < k->enc[mode].iv_len)
+		    need = k->enc[mode].iv_len;
+	    if (need < k->mac[mode].key_len)
+		    need = k->mac[mode].key_len;
+	}
+	/* XXX need runden? */
+	k->we_need = need;
+	return k;
+}
+
+int
+kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret)
+{
+	int i;
+	int mode;
+	int ctos;
+	unsigned char *keys[NKEYS];
+
+	for (i = 0; i < NKEYS; i++)
+		keys[i] = derive_key('A'+i, k->we_need, hash, shared_secret);
+
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		ctos = (!k->server && mode == MODE_OUT) || (k->server && mode == MODE_IN);
+		k->enc[mode].iv  = keys[ctos ? 0 : 1];
+		k->enc[mode].key = keys[ctos ? 2 : 3];
+		k->mac[mode].key = keys[ctos ? 4 : 5];
+	}
+	return 0;
+}
diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h
new file mode 100644
index 0000000..7e5c670
--- /dev/null
+++ b/crypto/openssh/kex.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef KEX_H
+#define KEX_H
+
+#define	KEX_DH1	"diffie-hellman-group1-sha1"
+#define KEX_DSS	"ssh-dss"
+
+enum kex_init_proposals {
+	PROPOSAL_KEX_ALGS,
+	PROPOSAL_SERVER_HOST_KEY_ALGS,
+	PROPOSAL_ENC_ALGS_CTOS,
+	PROPOSAL_ENC_ALGS_STOC,
+	PROPOSAL_MAC_ALGS_CTOS,
+	PROPOSAL_MAC_ALGS_STOC,
+	PROPOSAL_COMP_ALGS_CTOS,
+	PROPOSAL_COMP_ALGS_STOC,
+	PROPOSAL_LANG_CTOS,
+	PROPOSAL_LANG_STOC,
+	PROPOSAL_MAX
+};
+
+enum kex_modes {
+	MODE_IN,
+	MODE_OUT,
+	MODE_MAX
+};
+
+typedef struct Kex Kex;
+typedef struct Mac Mac;
+typedef struct Comp Comp;
+typedef struct Enc Enc;
+
+struct Enc {
+	int		type;
+	int		enabled;
+	int		block_size;
+	unsigned char	*key;
+	unsigned char	*iv;
+	int		key_len;
+	int		iv_len;
+	char		*name;
+};
+struct Mac {
+	EVP_MD		*md;
+	int		enabled;
+	int		mac_len;
+	unsigned char	*key;
+	int		key_len;
+	char		*name;
+};
+struct Comp {
+	int		type;
+	int		enabled;
+	char		*name;
+};
+struct Kex {
+	Enc		enc [MODE_MAX];
+	Mac		mac [MODE_MAX];
+	Comp		comp[MODE_MAX];
+	int		we_need;
+	int		server;
+	char		*name;
+	char		*hostkeyalg;
+};
+
+Buffer	*kex_init(char *myproposal[PROPOSAL_MAX]);
+void
+kex_exchange_kexinit(
+    Buffer *my_kexinit, Buffer *peer_kexint,
+    char *peer_proposal[PROPOSAL_MAX]);
+Kex *
+kex_choose_conf(char *cprop[PROPOSAL_MAX],
+    char *sprop[PROPOSAL_MAX], int server);
+int	kex_derive_keys(Kex *k, unsigned char *hash, BIGNUM *shared_secret);
+void	packet_set_kex(Kex *k);
+int	dh_pub_is_valid(DH *dh, BIGNUM *dh_pub);
+DH	*dh_new_group1();
+
+unsigned char *
+kex_hash(
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    char *serverhostkeyblob, int sbloblen,
+    BIGNUM *client_dh_pub,
+    BIGNUM *server_dh_pub,
+    BIGNUM *shared_secret);
+
+#endif
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
new file mode 100644
index 0000000..b91bd21
--- /dev/null
+++ b/crypto/openssh/key.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+/*
+ * read_bignum():
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ */
+
+#include "includes.h"
+#include "ssh.h"
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include "xmalloc.h"
+#include "key.h"
+#include "dsa.h"
+#include "uuencode.h"
+
+#define SSH_DSS "ssh-dss"
+
+Key *
+key_new(int type)
+{
+	Key *k;
+	RSA *rsa;
+	DSA *dsa;
+	k = xmalloc(sizeof(*k));
+	k->type = type;
+	k->dsa = NULL;
+	k->rsa = NULL;
+	switch (k->type) {
+	case KEY_RSA:
+		rsa = RSA_new();
+		rsa->n = BN_new();
+		rsa->e = BN_new();
+		k->rsa = rsa;
+		break;
+	case KEY_DSA:
+		dsa = DSA_new();
+		dsa->p = BN_new();
+		dsa->q = BN_new();
+		dsa->g = BN_new();
+		dsa->pub_key = BN_new();
+		k->dsa = dsa;
+		break;
+	case KEY_EMPTY:
+		break;
+	default:
+		fatal("key_new: bad key type %d", k->type);
+		break;
+	}
+	return k;
+}
+void
+key_free(Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA:
+		if (k->rsa != NULL)
+			RSA_free(k->rsa);
+		k->rsa = NULL;
+		break;
+	case KEY_DSA:
+		if (k->dsa != NULL)
+			DSA_free(k->dsa);
+		k->dsa = NULL;
+		break;
+	default:
+		fatal("key_free: bad key type %d", k->type);
+		break;
+	}
+	xfree(k);
+}
+int
+key_equal(Key *a, Key *b)
+{
+	if (a == NULL || b == NULL || a->type != b->type)
+		return 0;
+	switch (a->type) {
+	case KEY_RSA:
+		return a->rsa != NULL && b->rsa != NULL &&
+		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+		break;
+	case KEY_DSA:
+		return a->dsa != NULL && b->dsa != NULL &&
+		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
+		break;
+	default:
+		fatal("key_equal: bad key type %d", a->type);
+		break;
+	}
+	return 0;
+}
+
+#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
+
+/*
+ * Generate key fingerprint in ascii format.
+ * Based on ideas and code from Bjoern Groenvall <bg@sics.se>
+ */
+char *
+key_fingerprint(Key *k)
+{
+	static char retval[80];
+	unsigned char *blob = NULL;
+	int len = 0;
+	int nlen, elen;
+
+	switch (k->type) {
+	case KEY_RSA:
+		nlen = BN_num_bytes(k->rsa->n);
+		elen = BN_num_bytes(k->rsa->e);
+		len = nlen + elen;
+		blob = xmalloc(len);
+		BN_bn2bin(k->rsa->n, blob);
+		BN_bn2bin(k->rsa->e, blob + nlen);
+		break;
+	case KEY_DSA:
+		dsa_make_key_blob(k, &blob, &len);
+		break;
+	default:
+		fatal("key_fingerprint: bad key type %d", k->type);
+		break;
+	}
+	if (blob != NULL) {
+		unsigned char d[16];
+		EVP_MD_CTX md;
+		EVP_DigestInit(&md, EVP_md5());
+		EVP_DigestUpdate(&md, blob, len);
+		EVP_DigestFinal(&md, d, NULL);
+		snprintf(retval, sizeof(retval), FPRINT,
+		    d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
+		    d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
+		memset(blob, 0, len);
+		xfree(blob);
+	}
+	return retval;
+}
+
+/*
+ * Reads a multiple-precision integer in decimal from the buffer, and advances
+ * the pointer.  The integer must already be initialized.  This function is
+ * permitted to modify the buffer.  This leaves *cpp to point just beyond the
+ * last processed (and maybe modified) character.  Note that this may modify
+ * the buffer containing the number.
+ */
+int
+read_bignum(char **cpp, BIGNUM * value)
+{
+	char *cp = *cpp;
+	int old;
+
+	/* Skip any leading whitespace. */
+	for (; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	/* Check that it begins with a decimal digit. */
+	if (*cp < '0' || *cp > '9')
+		return 0;
+
+	/* Save starting position. */
+	*cpp = cp;
+
+	/* Move forward until all decimal digits skipped. */
+	for (; *cp >= '0' && *cp <= '9'; cp++)
+		;
+
+	/* Save the old terminating character, and replace it by \0. */
+	old = *cp;
+	*cp = 0;
+
+	/* Parse the number. */
+	if (BN_dec2bn(&value, *cpp) == 0)
+		return 0;
+
+	/* Restore old terminating character. */
+	*cp = old;
+
+	/* Move beyond the number and return success. */
+	*cpp = cp;
+	return 1;
+}
+int
+write_bignum(FILE *f, BIGNUM *num)
+{
+	char *buf = BN_bn2dec(num);
+	if (buf == NULL) {
+		error("write_bignum: BN_bn2dec() failed");
+		return 0;
+	}
+	fprintf(f, " %s", buf);
+	free(buf);
+	return 1;
+}
+unsigned int
+key_read(Key *ret, char **cpp)
+{
+	Key *k;
+	unsigned int bits = 0;
+	char *cp;
+	int len, n;
+	unsigned char *blob;
+
+	cp = *cpp;
+
+	switch(ret->type) {
+	case KEY_RSA:
+		/* Get number of bits. */
+		if (*cp < '0' || *cp > '9')
+			return 0;	/* Bad bit count... */
+		for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
+			bits = 10 * bits + *cp - '0';
+		if (bits == 0)
+			return 0;
+		*cpp = cp;
+		/* Get public exponent, public modulus. */
+		if (!read_bignum(cpp, ret->rsa->e))
+			return 0;
+		if (!read_bignum(cpp, ret->rsa->n))
+			return 0;
+		break;
+	case KEY_DSA:
+		if (strncmp(cp, SSH_DSS " ", 7) != 0)
+			return 0;
+		cp += 7;
+		len = 2*strlen(cp);
+		blob = xmalloc(len);
+		n = uudecode(cp, blob, len);
+		if (n < 0) {
+			error("key_read: uudecode %s failed", cp);
+			return 0;
+		}
+		k = dsa_key_from_blob(blob, n);
+		if (k == NULL) {
+			error("key_read: dsa_key_from_blob %s failed", cp);
+			return 0;
+		}
+		xfree(blob);
+		if (ret->dsa != NULL)
+			DSA_free(ret->dsa);
+		ret->dsa = k->dsa;
+		k->dsa = NULL;
+		key_free(k);
+		bits = BN_num_bits(ret->dsa->p);
+		/* advance cp: skip whitespace and data */
+		while (*cp == ' ' || *cp == '\t')
+			cp++;
+		while (*cp != '\0' && *cp != ' ' && *cp != '\t')
+			cp++;
+		*cpp = cp;
+		break;
+	default:
+		fatal("key_read: bad key type: %d", ret->type);
+		break;
+	}
+	return bits;
+}
+int
+key_write(Key *key, FILE *f)
+{
+	int success = 0;
+	unsigned int bits = 0;
+
+	if (key->type == KEY_RSA && key->rsa != NULL) {
+		/* size of modulus 'n' */
+		bits = BN_num_bits(key->rsa->n);
+		fprintf(f, "%u", bits);
+		if (write_bignum(f, key->rsa->e) &&
+		    write_bignum(f, key->rsa->n)) {
+			success = 1;
+		} else {
+			error("key_write: failed for RSA key");
+		}
+	} else if (key->type == KEY_DSA && key->dsa != NULL) {
+		int len, n;
+		unsigned char *blob, *uu;
+		dsa_make_key_blob(key, &blob, &len);
+		uu = xmalloc(2*len);
+		n = uuencode(blob, len, uu, 2*len);
+		if (n > 0) {
+			fprintf(f, "%s %s", SSH_DSS, uu);
+			success = 1;
+		}
+		xfree(blob);
+		xfree(uu);
+	}
+	return success;
+}
+char *
+key_type(Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA:
+		return "RSA";
+		break;
+	case KEY_DSA:
+		return "DSA";
+		break;
+	}
+	return "unknown";
+}
diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h
new file mode 100644
index 0000000..ed3f770
--- /dev/null
+++ b/crypto/openssh/key.h
@@ -0,0 +1,25 @@
+#ifndef KEY_H
+#define KEY_H
+
+typedef struct Key Key;
+enum types {
+	KEY_RSA,
+	KEY_DSA,
+	KEY_EMPTY
+};
+struct Key {
+	int	type;
+	RSA	*rsa;
+	DSA	*dsa;
+};
+
+Key	*key_new(int type);
+void	key_free(Key *k);
+int	key_equal(Key *a, Key *b);
+char	*key_fingerprint(Key *k);
+char	*key_type(Key *k);
+int	key_write(Key *key, FILE *f);
+unsigned int
+key_read(Key *key, char **cpp);
+
+#endif
diff --git a/crypto/openssh/lib/Makefile b/crypto/openssh/lib/Makefile
new file mode 100644
index 0000000..aae1677
--- /dev/null
+++ b/crypto/openssh/lib/Makefile
@@ -0,0 +1,26 @@
+.PATH:		${.CURDIR}/..
+
+LIB=	ssh
+SRCS=   authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
+	cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \
+	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
+	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
+	key.c dispatch.c dsa.c kex.c hmac.c uuencode.c aux.c
+
+NOPROFILE= yes
+NOPIC=	yes
+
+install:
+	@echo -n
+
+.include <bsd.own.mk>
+
+.if (${KERBEROS} == "yes")
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+.if (${AFS} == "yes")
+CFLAGS+= -DAFS
+SRCS+=  radix.c
+.endif # AFS
+.endif # KERBEROS
+
+.include <bsd.lib.mk>
diff --git a/crypto/openssh/log-client.c b/crypto/openssh/log-client.c
new file mode 100644
index 0000000..1e3c162
--- /dev/null
+++ b/crypto/openssh/log-client.c
@@ -0,0 +1,62 @@
+/*
+ *
+ * log-client.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Mar 20 21:13:40 1995 ylo
+ *
+ * Client-side versions of debug(), log(), etc.  These print to stderr.
+ * This is a stripped down version of log-server.c.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: log-client.c,v 1.8 2000/04/14 10:30:31 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+
+static LogLevel log_level = SYSLOG_LEVEL_INFO;
+
+/* Initialize the log.
+ *   av0	program name (should be argv[0])
+ *   level	logging level
+ */
+
+void
+log_init(char *av0, LogLevel level, SyslogFacility ignored1, int ignored2)
+{
+	switch (level) {
+	case SYSLOG_LEVEL_QUIET:
+	case SYSLOG_LEVEL_ERROR:
+	case SYSLOG_LEVEL_FATAL:
+	case SYSLOG_LEVEL_INFO:
+	case SYSLOG_LEVEL_VERBOSE:
+	case SYSLOG_LEVEL_DEBUG:
+		log_level = level;
+		break;
+	default:
+		/* unchanged */
+		break;
+	}
+}
+
+#define MSGBUFSIZ 1024
+
+void
+do_log(LogLevel level, const char *fmt, va_list args)
+{
+	char msgbuf[MSGBUFSIZ];
+
+	if (level > log_level)
+		return;
+	if (level == SYSLOG_LEVEL_DEBUG)
+		fprintf(stderr, "debug: ");
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+	fprintf(stderr, "%s", msgbuf);
+	fprintf(stderr, "\r\n");
+}
diff --git a/crypto/openssh/log-server.c b/crypto/openssh/log-server.c
new file mode 100644
index 0000000..81ba673
--- /dev/null
+++ b/crypto/openssh/log-server.c
@@ -0,0 +1,142 @@
+/*
+ *
+ * log-server.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Mar 20 21:19:30 1995 ylo
+ *
+ * Server-side versions of debug(), log(), etc.  These normally send the output
+ * to the system log.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: log-server.c,v 1.14 2000/04/14 10:30:31 markus Exp $");
+
+#include <syslog.h>
+#include "packet.h"
+#include "xmalloc.h"
+#include "ssh.h"
+
+static LogLevel log_level = SYSLOG_LEVEL_INFO;
+static int log_on_stderr = 0;
+static int log_facility = LOG_AUTH;
+
+/* Initialize the log.
+ *   av0	program name (should be argv[0])
+ *   on_stderr	print also on stderr
+ *   level	logging level
+ */
+
+void
+log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+{
+	switch (level) {
+	case SYSLOG_LEVEL_QUIET:
+	case SYSLOG_LEVEL_ERROR:
+	case SYSLOG_LEVEL_FATAL:
+	case SYSLOG_LEVEL_INFO:
+	case SYSLOG_LEVEL_VERBOSE:
+	case SYSLOG_LEVEL_DEBUG:
+		log_level = level;
+		break;
+	default:
+		fprintf(stderr, "Unrecognized internal syslog level code %d\n",
+			(int) level);
+		exit(1);
+	}
+	switch (facility) {
+	case SYSLOG_FACILITY_DAEMON:
+		log_facility = LOG_DAEMON;
+		break;
+	case SYSLOG_FACILITY_USER:
+		log_facility = LOG_USER;
+		break;
+	case SYSLOG_FACILITY_AUTH:
+		log_facility = LOG_AUTH;
+		break;
+	case SYSLOG_FACILITY_LOCAL0:
+		log_facility = LOG_LOCAL0;
+		break;
+	case SYSLOG_FACILITY_LOCAL1:
+		log_facility = LOG_LOCAL1;
+		break;
+	case SYSLOG_FACILITY_LOCAL2:
+		log_facility = LOG_LOCAL2;
+		break;
+	case SYSLOG_FACILITY_LOCAL3:
+		log_facility = LOG_LOCAL3;
+		break;
+	case SYSLOG_FACILITY_LOCAL4:
+		log_facility = LOG_LOCAL4;
+		break;
+	case SYSLOG_FACILITY_LOCAL5:
+		log_facility = LOG_LOCAL5;
+		break;
+	case SYSLOG_FACILITY_LOCAL6:
+		log_facility = LOG_LOCAL6;
+		break;
+	case SYSLOG_FACILITY_LOCAL7:
+		log_facility = LOG_LOCAL7;
+		break;
+	default:
+		fprintf(stderr, "Unrecognized internal syslog facility code %d\n",
+			(int) facility);
+		exit(1);
+	}
+	log_on_stderr = on_stderr;
+}
+
+#define MSGBUFSIZ 1024
+
+void
+do_log(LogLevel level, const char *fmt, va_list args)
+{
+	char msgbuf[MSGBUFSIZ];
+	char fmtbuf[MSGBUFSIZ];
+	char *txt = NULL;
+	int pri = LOG_INFO;
+	extern char *__progname;
+
+	if (level > log_level)
+		return;
+	switch (level) {
+	case SYSLOG_LEVEL_ERROR:
+		txt = "error";
+		pri = LOG_ERR;
+		break;
+	case SYSLOG_LEVEL_FATAL:
+		txt = "fatal";
+		pri = LOG_ERR;
+		break;
+	case SYSLOG_LEVEL_INFO:
+	case SYSLOG_LEVEL_VERBOSE:
+		pri = LOG_INFO;
+		break;
+	case SYSLOG_LEVEL_DEBUG:
+		txt = "debug";
+		pri = LOG_DEBUG;
+		break;
+	default:
+		txt = "internal error";
+		pri = LOG_ERR;
+		break;
+	}
+	if (txt != NULL) {
+		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
+		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
+	} else {
+		vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+	}
+	if (log_on_stderr) {
+		fprintf(stderr, "%s\n", msgbuf);
+	} else {
+		openlog(__progname, LOG_PID, log_facility);
+		syslog(pri, "%.500s", msgbuf);
+		closelog();
+	}
+}
diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c
new file mode 100644
index 0000000..03038b2
--- /dev/null
+++ b/crypto/openssh/log.c
@@ -0,0 +1,184 @@
+/*
+ * Shared versions of debug(), log(), etc.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: log.c,v 1.7 2000/01/04 00:07:59 markus Exp $");
+
+#include "ssh.h"
+#include "xmalloc.h"
+
+/* Fatal messages.  This function never returns. */
+
+void
+fatal(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
+	va_end(args);
+	fatal_cleanup();
+}
+
+/* Error messages that should be logged. */
+
+void
+error(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_ERROR, fmt, args);
+	va_end(args);
+}
+
+/* Log this message (information that usually should go to the log). */
+
+void
+log(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_INFO, fmt, args);
+	va_end(args);
+}
+
+/* More detailed messages (information that does not need to go to the log). */
+
+void
+verbose(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_VERBOSE, fmt, args);
+	va_end(args);
+}
+
+/* Debugging messages that should not be logged during normal operation. */
+
+void
+debug(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_DEBUG, fmt, args);
+	va_end(args);
+}
+
+/* Fatal cleanup */
+
+struct fatal_cleanup {
+	struct fatal_cleanup *next;
+	void (*proc) (void *);
+	void *context;
+};
+
+static struct fatal_cleanup *fatal_cleanups = NULL;
+
+/* Registers a cleanup function to be called by fatal() before exiting. */
+
+void
+fatal_add_cleanup(void (*proc) (void *), void *context)
+{
+	struct fatal_cleanup *cu;
+
+	cu = xmalloc(sizeof(*cu));
+	cu->proc = proc;
+	cu->context = context;
+	cu->next = fatal_cleanups;
+	fatal_cleanups = cu;
+}
+
+/* Removes a cleanup frunction to be called at fatal(). */
+
+void
+fatal_remove_cleanup(void (*proc) (void *context), void *context)
+{
+	struct fatal_cleanup **cup, *cu;
+
+	for (cup = &fatal_cleanups; *cup; cup = &cu->next) {
+		cu = *cup;
+		if (cu->proc == proc && cu->context == context) {
+			*cup = cu->next;
+			xfree(cu);
+			return;
+		}
+	}
+	fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx\n",
+	      (unsigned long) proc, (unsigned long) context);
+}
+
+/* Cleanup and exit */
+void
+fatal_cleanup(void)
+{
+	struct fatal_cleanup *cu, *next_cu;
+	static int called = 0;
+
+	if (called)
+		exit(255);
+	called = 1;
+	/* Call cleanup functions. */
+	for (cu = fatal_cleanups; cu; cu = next_cu) {
+		next_cu = cu->next;
+		debug("Calling cleanup 0x%lx(0x%lx)",
+		      (unsigned long) cu->proc, (unsigned long) cu->context);
+		(*cu->proc) (cu->context);
+	}
+	exit(255);
+}
+
+/* textual representation of log-facilities/levels */
+
+static struct {
+	const char *name;
+	SyslogFacility val;
+} log_facilities[] = {
+	{ "DAEMON",	SYSLOG_FACILITY_DAEMON },
+	{ "USER",	SYSLOG_FACILITY_USER },
+	{ "AUTH",	SYSLOG_FACILITY_AUTH },
+	{ "LOCAL0",	SYSLOG_FACILITY_LOCAL0 },
+	{ "LOCAL1",	SYSLOG_FACILITY_LOCAL1 },
+	{ "LOCAL2",	SYSLOG_FACILITY_LOCAL2 },
+	{ "LOCAL3",	SYSLOG_FACILITY_LOCAL3 },
+	{ "LOCAL4",	SYSLOG_FACILITY_LOCAL4 },
+	{ "LOCAL5",	SYSLOG_FACILITY_LOCAL5 },
+	{ "LOCAL6",	SYSLOG_FACILITY_LOCAL6 },
+	{ "LOCAL7",	SYSLOG_FACILITY_LOCAL7 },
+	{ NULL, 0 }
+};
+
+static struct {
+	const char *name;
+	LogLevel val;
+} log_levels[] =
+{
+	{ "QUIET",	SYSLOG_LEVEL_QUIET },
+	{ "FATAL",	SYSLOG_LEVEL_FATAL },
+	{ "ERROR",	SYSLOG_LEVEL_ERROR },
+	{ "INFO",	SYSLOG_LEVEL_INFO },
+	{ "VERBOSE",	SYSLOG_LEVEL_VERBOSE },
+	{ "DEBUG",	SYSLOG_LEVEL_DEBUG },
+	{ NULL, 0 }
+};
+
+SyslogFacility
+log_facility_number(char *name)
+{
+	int i;
+	if (name != NULL)
+		for (i = 0; log_facilities[i].name; i++)
+			if (strcasecmp(log_facilities[i].name, name) == 0)
+				return log_facilities[i].val;
+	return (SyslogFacility) - 1;
+}
+
+LogLevel
+log_level_number(char *name)
+{
+	int i;
+	if (name != NULL)
+		for (i = 0; log_levels[i].name; i++)
+			if (strcasecmp(log_levels[i].name, name) == 0)
+				return log_levels[i].val;
+	return (LogLevel) - 1;
+}
diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c
new file mode 100644
index 0000000..42a7af5
--- /dev/null
+++ b/crypto/openssh/login.c
@@ -0,0 +1,129 @@
+/*
+ *
+ * login.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 24 14:51:08 1995 ylo
+ *
+ * This file performs some of the things login(1) normally does.  We cannot
+ * easily use something like login -p -h host -f user, because there are
+ * several different logins around, and it is hard to determined what kind of
+ * login the current system has.  Also, we want to be able to execute commands
+ * on a tty.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: login.c,v 1.13 2000/04/19 07:05:49 deraadt Exp $");
+
+#ifdef __FreeBSD__
+#include <libutil.h>
+#else
+#include <util.h>
+#endif /* __FreeBSD__ */
+#include <utmp.h>
+#include "ssh.h"
+
+/*
+ * Returns the time when the user last logged in.  Returns 0 if the
+ * information is not available.  This must be called before record_login.
+ * The host the user logged in from will be returned in buf.
+ */
+
+/*
+ * Returns the time when the user last logged in (or 0 if no previous login
+ * is found).  The name of the host used last time is returned in buf.
+ */
+
+unsigned long
+get_last_login_time(uid_t uid, const char *logname,
+		    char *buf, unsigned int bufsize)
+{
+	struct lastlog ll;
+	char *lastlog;
+	int fd;
+
+	lastlog = _PATH_LASTLOG;
+	buf[0] = '\0';
+
+	fd = open(lastlog, O_RDONLY);
+	if (fd < 0)
+		return 0;
+	lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
+	if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) {
+		close(fd);
+		return 0;
+	}
+	close(fd);
+	if (bufsize > sizeof(ll.ll_host) + 1)
+		bufsize = sizeof(ll.ll_host) + 1;
+	strncpy(buf, ll.ll_host, bufsize - 1);
+	buf[bufsize - 1] = 0;
+	return ll.ll_time;
+}
+
+/*
+ * Records that the user has logged in.  I these parts of operating systems
+ * were more standardized.
+ */
+
+void
+record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
+	     const char *host, struct sockaddr * addr)
+{
+	int fd;
+	struct lastlog ll;
+	char *lastlog;
+	struct utmp u;
+	const char *utmp, *wtmp;
+
+	/* Construct an utmp/wtmp entry. */
+	memset(&u, 0, sizeof(u));
+	strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
+	u.ut_time = time(NULL);
+	strncpy(u.ut_name, user, sizeof(u.ut_name));
+	realhostname_sa(u.ut_host, sizeof(u.ut_host), addr, addr->sa_len);
+
+	/* Figure out the file names. */
+	utmp = _PATH_UTMP;
+	wtmp = _PATH_WTMP;
+
+	login(&u);
+	lastlog = _PATH_LASTLOG;
+
+	/* Update lastlog unless actually recording a logout. */
+	if (strcmp(user, "") != 0) {
+		/*
+		 * It is safer to bzero the lastlog structure first because
+		 * some systems might have some extra fields in it (e.g. SGI)
+		 */
+		memset(&ll, 0, sizeof(ll));
+
+		/* Update lastlog. */
+		ll.ll_time = time(NULL);
+		strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line));
+		strncpy(ll.ll_host, host, sizeof(ll.ll_host));
+		fd = open(lastlog, O_RDWR);
+		if (fd >= 0) {
+			lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
+			if (write(fd, &ll, sizeof(ll)) != sizeof(ll))
+				log("Could not write %.100s: %.100s", lastlog, strerror(errno));
+			close(fd);
+		}
+	}
+}
+
+/* Records that the user has logged out. */
+
+void
+record_logout(pid_t pid, const char *ttyname)
+{
+	const char *line = ttyname + 5;	/* /dev/ttyq8 -> ttyq8 */
+	if (logout(line))
+		logwtmp(line, "", "");
+}
diff --git a/crypto/openssh/match.c b/crypto/openssh/match.c
new file mode 100644
index 0000000..00dff8a
--- /dev/null
+++ b/crypto/openssh/match.c
@@ -0,0 +1,141 @@
+/*
+ *
+ * match.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Thu Jun 22 01:17:50 1995 ylo
+ *
+ * Simple pattern matching, with '*' and '?' as wildcards.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: match.c,v 1.6 2000/04/14 10:30:31 markus Exp $");
+
+#include "ssh.h"
+
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ */
+
+int
+match_pattern(const char *s, const char *pattern)
+{
+	for (;;) {
+		/* If at end of pattern, accept if also at end of string. */
+		if (!*pattern)
+			return !*s;
+
+		if (*pattern == '*') {
+			/* Skip the asterisk. */
+			pattern++;
+
+			/* If at end of pattern, accept immediately. */
+			if (!*pattern)
+				return 1;
+
+			/* If next character in pattern is known, optimize. */
+			if (*pattern != '?' && *pattern != '*') {
+				/*
+				 * Look instances of the next character in
+				 * pattern, and try to match starting from
+				 * those.
+				 */
+				for (; *s; s++)
+					if (*s == *pattern &&
+					    match_pattern(s + 1, pattern + 1))
+						return 1;
+				/* Failed. */
+				return 0;
+			}
+			/*
+			 * Move ahead one character at a time and try to
+			 * match at each position.
+			 */
+			for (; *s; s++)
+				if (match_pattern(s, pattern))
+					return 1;
+			/* Failed. */
+			return 0;
+		}
+		/*
+		 * There must be at least one more character in the string.
+		 * If we are at the end, fail.
+		 */
+		if (!*s)
+			return 0;
+
+		/* Check if the next character of the string is acceptable. */
+		if (*pattern != '?' && *pattern != *s)
+			return 0;
+
+		/* Move to the next character, both in string and in pattern. */
+		s++;
+		pattern++;
+	}
+	/* NOTREACHED */
+}
+
+/*
+ * Tries to match the host name (which must be in all lowercase) against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns true if there is a positive match; zero
+ * otherwise.
+ */
+
+int
+match_hostname(const char *host, const char *pattern, unsigned int len)
+{
+	char sub[1024];
+	int negated;
+	int got_positive;
+	unsigned int i, subi;
+
+	got_positive = 0;
+	for (i = 0; i < len;) {
+		/* Check if the subpattern is negated. */
+		if (pattern[i] == '!') {
+			negated = 1;
+			i++;
+		} else
+			negated = 0;
+
+		/*
+		 * Extract the subpattern up to a comma or end.  Convert the
+		 * subpattern to lowercase.
+		 */
+		for (subi = 0;
+		     i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
+		     subi++, i++)
+			sub[subi] = isupper(pattern[i]) ? tolower(pattern[i]) : pattern[i];
+		/* If subpattern too long, return failure (no match). */
+		if (subi >= sizeof(sub) - 1)
+			return 0;
+
+		/* If the subpattern was terminated by a comma, skip the comma. */
+		if (i < len && pattern[i] == ',')
+			i++;
+
+		/* Null-terminate the subpattern. */
+		sub[subi] = '\0';
+
+		/* Try to match the subpattern against the host name. */
+		if (match_pattern(host, sub)) {
+			if (negated)
+				return 0;	/* Fail */
+			else
+				got_positive = 1;
+		}
+	}
+
+	/*
+	 * Return success if got a positive match.  If there was a negative
+	 * match, we have already returned zero and never get here.
+	 */
+	return got_positive;
+}
diff --git a/crypto/openssh/match.h b/crypto/openssh/match.h
new file mode 100644
index 0000000..4625d97
--- /dev/null
+++ b/crypto/openssh/match.h
@@ -0,0 +1,18 @@
+#ifndef MATCH_H
+#define MATCH_H
+
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ */
+int     match_pattern(const char *s, const char *pattern);
+
+/*
+ * Tries to match the host name (which must be in all lowercase) against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns true if there is a positive match; zero
+ * otherwise.
+ */
+int     match_hostname(const char *host, const char *pattern, unsigned int len);
+
+#endif
diff --git a/crypto/openssh/mpaux.c b/crypto/openssh/mpaux.c
new file mode 100644
index 0000000..dc51419
--- /dev/null
+++ b/crypto/openssh/mpaux.c
@@ -0,0 +1,47 @@
+/*
+ *
+ * mpaux.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sun Jul 16 04:29:30 1995 ylo
+ *
+ * This file contains various auxiliary functions related to multiple
+ * precision integers.
+ *
+ * $FreeBSD$
+*/
+
+#include "includes.h"
+RCSID("$Id: mpaux.c,v 1.12 2000/04/14 10:30:32 markus Exp $");
+
+#include <openssl/bn.h>
+#include "getput.h"
+#include "xmalloc.h"
+
+#include <openssl/md5.h>
+
+void
+compute_session_id(unsigned char session_id[16],
+    unsigned char cookie[8],
+    BIGNUM* host_key_n,
+    BIGNUM* session_key_n)
+{
+	unsigned int host_key_bytes = BN_num_bytes(host_key_n);
+	unsigned int session_key_bytes = BN_num_bytes(session_key_n);
+	unsigned int bytes = host_key_bytes + session_key_bytes;
+	unsigned char *buf = xmalloc(bytes);
+	MD5_CTX md;
+
+	BN_bn2bin(host_key_n, buf);
+	BN_bn2bin(session_key_n, buf + host_key_bytes);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, bytes);
+	MD5_Update(&md, cookie, 8);
+	MD5_Final(session_id, &md);
+	memset(buf, 0, bytes);
+	xfree(buf);
+}
diff --git a/crypto/openssh/mpaux.h b/crypto/openssh/mpaux.h
new file mode 100644
index 0000000..671fc51
--- /dev/null
+++ b/crypto/openssh/mpaux.h
@@ -0,0 +1,32 @@
+/*
+ *
+ * mpaux.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sun Jul 16 04:29:30 1995 ylo
+ *
+ * This file contains various auxiliary functions related to multiple
+ * precision integers.
+ */
+
+/* RCSID("$Id: mpaux.h,v 1.6 2000/04/14 10:30:32 markus Exp $"); */
+
+#ifndef MPAUX_H
+#define MPAUX_H
+
+/*
+ * Computes a 16-byte session id in the global variable session_id. The
+ * session id is computed by concatenating the linearized, msb first
+ * representations of host_key_n, session_key_n, and the cookie.
+ */
+void
+compute_session_id(unsigned char session_id[16],
+    unsigned char cookie[8],
+    BIGNUM * host_key_n,
+    BIGNUM * session_key_n);
+
+#endif				/* MPAUX_H */
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
new file mode 100644
index 0000000..9611d89
--- /dev/null
+++ b/crypto/openssh/myproposal.h
@@ -0,0 +1,20 @@
+#define KEX_DEFAULT_KEX		"diffie-hellman-group1-sha1"
+#define	KEX_DEFAULT_PK_ALG	"ssh-dss"
+#define	KEX_DEFAULT_ENCRYPT	"3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
+#define	KEX_DEFAULT_MAC		"hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com"
+#define	KEX_DEFAULT_COMP	"zlib,none"
+#define	KEX_DEFAULT_LANG	""
+
+
+static char *myproposal[PROPOSAL_MAX] = {
+	KEX_DEFAULT_KEX,
+	KEX_DEFAULT_PK_ALG,
+	KEX_DEFAULT_ENCRYPT,
+	KEX_DEFAULT_ENCRYPT,
+	KEX_DEFAULT_MAC,
+	KEX_DEFAULT_MAC,
+	KEX_DEFAULT_COMP,
+	KEX_DEFAULT_COMP,
+	KEX_DEFAULT_LANG,
+	KEX_DEFAULT_LANG
+};
diff --git a/crypto/openssh/nchan.c b/crypto/openssh/nchan.c
new file mode 100644
index 0000000..fd92fe8
--- /dev/null
+++ b/crypto/openssh/nchan.c
@@ -0,0 +1,495 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: nchan.c,v 1.17 2000/05/08 17:44:54 markus Exp $");
+
+#include "ssh.h"
+
+#include "buffer.h"
+#include "packet.h"
+#include "channels.h"
+#include "nchan.h"
+
+#include "ssh2.h"
+#include "compat.h"
+
+/* functions manipulating channel states */
+/*
+ * EVENTS update channel input/output states execute ACTIONS
+ */
+/* events concerning the INPUT from socket for channel (istate) */
+chan_event_fn *chan_rcvd_oclose			= NULL;
+chan_event_fn *chan_read_failed			= NULL;
+chan_event_fn *chan_ibuf_empty			= NULL;
+/* events concerning the OUTPUT from channel for socket (ostate) */
+chan_event_fn *chan_rcvd_ieof			= NULL;
+chan_event_fn *chan_write_failed		= NULL;
+chan_event_fn *chan_obuf_empty			= NULL;
+/*
+ * ACTIONS: should never update the channel states
+ */
+static void	chan_send_ieof1(Channel *c);
+static void	chan_send_oclose1(Channel *c);
+static void	chan_send_close2(Channel *c);
+static void	chan_send_eof2(Channel *c);
+
+/* channel cleanup */
+chan_event_fn *chan_delete_if_full_closed	= NULL;
+
+/* helper */
+static void	chan_shutdown_write(Channel *c);
+static void	chan_shutdown_read(Channel *c);
+
+/*
+ * SSH1 specific implementation of event functions
+ */
+
+static void
+chan_rcvd_oclose1(Channel *c)
+{
+	debug("channel %d: rcvd oclose", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_OCLOSE:
+		debug("channel %d: input wait_oclose -> closed", c->self);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> closed", c->self);
+		chan_shutdown_read(c);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	case CHAN_INPUT_WAIT_DRAIN:
+		/* both local read_failed and remote write_failed  */
+		log("channel %d: input drain -> closed", c->self);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: protocol error: chan_rcvd_oclose for istate %d",
+		    c->self, c->istate);
+		return;
+	}
+}
+static void
+chan_read_failed_12(Channel *c)
+{
+	debug("channel %d: read failed", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> drain", c->self);
+		chan_shutdown_read(c);
+		c->istate = CHAN_INPUT_WAIT_DRAIN;
+		if (buffer_len(&c->input) == 0) {
+			debug("channel %d: input: no drain shortcut", c->self);
+			chan_ibuf_empty(c);
+		}
+		break;
+	default:
+		error("channel %d: internal error: we do not read, but chan_read_failed for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_ibuf_empty1(Channel *c)
+{
+	debug("channel %d: ibuf empty", c->self);
+	if (buffer_len(&c->input)) {
+		error("channel %d: internal error: chan_ibuf_empty for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> wait_oclose", c->self);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_WAIT_OCLOSE;
+		break;
+	default:
+		error("channel %d: internal error: chan_ibuf_empty for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_rcvd_ieof1(Channel *c)
+{
+	debug("channel %d: rcvd ieof", c->self);
+	if (c->type != SSH_CHANNEL_OPEN) {
+		debug("channel %d: non-open", c->self);
+		if (c->istate == CHAN_INPUT_OPEN) {
+			debug("channel %d: non-open: input open -> wait_oclose", c->self);
+			chan_shutdown_read(c);
+			chan_send_ieof1(c);
+			c->istate = CHAN_INPUT_WAIT_OCLOSE;
+		} else {
+			error("channel %d: istate %d != open", c->self, c->istate);
+		}
+		if (c->ostate == CHAN_OUTPUT_OPEN) {
+			debug("channel %d: non-open: output open -> closed", c->self);
+			chan_send_oclose1(c);
+			c->ostate = CHAN_OUTPUT_CLOSED;
+		} else {
+			error("channel %d: ostate %d != open", c->self, c->ostate);
+		}
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+		break;
+	case CHAN_OUTPUT_WAIT_IEOF:
+		debug("channel %d: output wait_ieof -> closed", c->self);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: protocol error: chan_rcvd_ieof for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_write_failed1(Channel *c)
+{
+	debug("channel %d: write failed", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> wait_ieof", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_WAIT_IEOF;
+		break;
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output wait_drain -> closed", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_write_failed for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_obuf_empty1(Channel *c)
+{
+	debug("channel %d: obuf empty", c->self);
+	if (buffer_len(&c->output)) {
+		error("channel %d: internal error: chan_obuf_empty for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_obuf_empty for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_send_ieof1(Channel *c)
+{
+	debug("channel %d: send ieof", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+	case CHAN_INPUT_WAIT_DRAIN:
+		packet_start(SSH_MSG_CHANNEL_INPUT_EOF);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send ieof for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_send_oclose1(Channel *c)
+{
+	debug("channel %d: send oclose", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		chan_shutdown_write(c);
+		buffer_consume(&c->output, buffer_len(&c->output));
+		packet_start(SSH_MSG_CHANNEL_OUTPUT_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send oclose for ostate %d",
+		     c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_delete_if_full_closed1(Channel *c)
+{
+	if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) {
+		debug("channel %d: full closed", c->self);
+		channel_free(c->self);
+	}
+}
+
+/*
+ * the same for SSH2
+ */
+static void
+chan_rcvd_oclose2(Channel *c)
+{
+	debug("channel %d: rcvd close", c->self);
+	if (c->flags & CHAN_CLOSE_RCVD)
+		error("channel %d: protocol error: close rcvd twice", c->self);
+	c->flags |= CHAN_CLOSE_RCVD;
+	if (c->type == SSH_CHANNEL_LARVAL) {
+		/* tear down larval channels immediately */
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		c->istate = CHAN_INPUT_CLOSED;
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		/* wait until a data from the channel is consumed if a CLOSE is received */
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+		break;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> closed", c->self);
+		chan_shutdown_read(c);
+		break;
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> closed", c->self);
+		chan_send_eof2(c);
+		break;
+	}
+	c->istate = CHAN_INPUT_CLOSED;
+}
+static void
+chan_ibuf_empty2(Channel *c)
+{
+	debug("channel %d: ibuf empty", c->self);
+	if (buffer_len(&c->input)) {
+		error("channel %d: internal error: chan_ibuf_empty for non empty buffer",
+		     c->self);
+		return;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> closed", c->self);
+		if (!(c->flags & CHAN_CLOSE_SENT))
+			chan_send_eof2(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_ibuf_empty for istate %d",
+		     c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_rcvd_ieof2(Channel *c)
+{
+	debug("channel %d: rcvd eof", c->self);
+	if (c->ostate == CHAN_OUTPUT_OPEN) {
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+	}
+}
+static void
+chan_write_failed2(Channel *c)
+{
+	debug("channel %d: write failed", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> closed", c->self);
+		chan_shutdown_write(c); /* ?? */
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_shutdown_write(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_write_failed for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_obuf_empty2(Channel *c)
+{
+	debug("channel %d: obuf empty", c->self);
+	if (buffer_len(&c->output)) {
+		error("internal error: chan_obuf_empty %d for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_shutdown_write(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_obuf_empty for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_send_eof2(Channel *c)
+{
+	debug("channel %d: send eof", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		packet_start(SSH2_MSG_CHANNEL_EOF);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send eof for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_send_close2(Channel *c)
+{
+	debug("channel %d: send close", c->self);
+	if (c->ostate != CHAN_OUTPUT_CLOSED ||
+	    c->istate != CHAN_INPUT_CLOSED) {
+		error("channel %d: internal error: cannot send close for istate/ostate %d/%d",
+		    c->self, c->istate, c->ostate);
+	} else if (c->flags & CHAN_CLOSE_SENT) {
+		error("channel %d: internal error: already sent close", c->self);
+	} else {
+		packet_start(SSH2_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		c->flags |= CHAN_CLOSE_SENT;
+	}
+}
+static void
+chan_delete_if_full_closed2(Channel *c)
+{
+	if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) {
+		if (!(c->flags & CHAN_CLOSE_SENT)) {
+			chan_send_close2(c);
+		}
+		if ((c->flags & CHAN_CLOSE_SENT) &&
+		    (c->flags & CHAN_CLOSE_RCVD)) {
+			debug("channel %d: full closed2", c->self);
+			channel_free(c->self);
+		}
+	}
+}
+
+/* shared */
+void
+chan_init_iostates(Channel *c)
+{
+	c->ostate = CHAN_OUTPUT_OPEN;
+	c->istate = CHAN_INPUT_OPEN;
+	c->flags = 0;
+}
+
+/* init */
+void
+chan_init(void)
+{
+	if (compat20) {
+		chan_rcvd_oclose		= chan_rcvd_oclose2;
+		chan_read_failed		= chan_read_failed_12;
+		chan_ibuf_empty			= chan_ibuf_empty2;
+
+		chan_rcvd_ieof			= chan_rcvd_ieof2;
+		chan_write_failed		= chan_write_failed2;
+		chan_obuf_empty			= chan_obuf_empty2;
+
+		chan_delete_if_full_closed	= chan_delete_if_full_closed2;
+	} else {
+		chan_rcvd_oclose		= chan_rcvd_oclose1;
+		chan_read_failed		= chan_read_failed_12;
+		chan_ibuf_empty			= chan_ibuf_empty1;
+
+		chan_rcvd_ieof			= chan_rcvd_ieof1;
+		chan_write_failed		= chan_write_failed1;
+		chan_obuf_empty			= chan_obuf_empty1;
+
+		chan_delete_if_full_closed	= chan_delete_if_full_closed1;
+	}
+}
+
+/* helper */
+static void
+chan_shutdown_write(Channel *c)
+{
+	buffer_consume(&c->output, buffer_len(&c->output));
+	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
+		return;
+	/* shutdown failure is allowed if write failed already */
+	debug("channel %d: close_write", c->self);
+	if (c->sock != -1) {
+		if (shutdown(c->sock, SHUT_WR) < 0)
+			debug("channel %d: chan_shutdown_write: shutdown() failed for fd%d: %.100s",
+			    c->self, c->sock, strerror(errno));
+	} else {
+		if (close(c->wfd) < 0)
+			log("channel %d: chan_shutdown_write: close() failed for fd%d: %.100s",
+			    c->self, c->wfd, strerror(errno));
+		c->wfd = -1;
+	}
+}
+static void
+chan_shutdown_read(Channel *c)
+{
+	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
+		return;
+	debug("channel %d: close_read", c->self);
+	if (c->sock != -1) {
+		if (shutdown(c->sock, SHUT_RD) < 0)
+			error("channel %d: chan_shutdown_read: shutdown() failed for fd%d [i%d o%d]: %.100s",
+			    c->self, c->sock, c->istate, c->ostate, strerror(errno));
+	} else {
+		if (close(c->rfd) < 0)
+			log("channel %d: chan_shutdown_read: close() failed for fd%d: %.100s",
+			    c->self, c->rfd, strerror(errno));
+		c->rfd = -1;
+	}
+}
diff --git a/crypto/openssh/nchan.h b/crypto/openssh/nchan.h
new file mode 100644
index 0000000..0a2cf35
--- /dev/null
+++ b/crypto/openssh/nchan.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* RCSID("$Id: nchan.h,v 1.7 2000/04/03 07:07:15 markus Exp $"); */
+
+#ifndef NCHAN_H
+#define NCHAN_H
+
+/*
+ * SSH Protocol 1.5 aka New Channel Protocol
+ * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
+ * Written by Markus Friedl in October 1999
+ *
+ * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
+ * tear down of channels:
+ *
+ * 1.3:	strict request-ack-protocol:
+ * 	CLOSE	->
+ * 		<-  CLOSE_CONFIRM
+ *
+ * 1.5:	uses variations of:
+ * 	IEOF	->
+ * 		<-  OCLOSE
+ * 		<-  IEOF
+ * 	OCLOSE	->
+ * 	i.e. both sides have to close the channel
+ *
+ * See the debugging output from 'ssh -v' and 'sshd -d' of
+ * ssh-1.2.27 as an example.
+ *
+ */
+
+/* ssh-proto-1.5 overloads prot-1.3-message-types */
+#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
+#define SSH_MSG_CHANNEL_OUTPUT_CLOSE	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+
+/* possible input states */
+#define CHAN_INPUT_OPEN			0x01
+#define CHAN_INPUT_WAIT_DRAIN		0x02
+#define CHAN_INPUT_WAIT_OCLOSE		0x04
+#define CHAN_INPUT_CLOSED		0x08
+
+/* possible output states */
+#define CHAN_OUTPUT_OPEN		0x10
+#define CHAN_OUTPUT_WAIT_DRAIN		0x20
+#define CHAN_OUTPUT_WAIT_IEOF		0x40
+#define CHAN_OUTPUT_CLOSED		0x80
+
+#define CHAN_CLOSE_SENT			0x01
+#define CHAN_CLOSE_RCVD			0x02
+
+
+/* Channel EVENTS */
+typedef void    chan_event_fn(Channel * c);
+
+/* for the input state */
+extern chan_event_fn	*chan_rcvd_oclose;
+extern chan_event_fn	*chan_read_failed;
+extern chan_event_fn	*chan_ibuf_empty;
+
+/* for the output state */
+extern chan_event_fn	*chan_rcvd_ieof;
+extern chan_event_fn	*chan_write_failed;
+extern chan_event_fn	*chan_obuf_empty;
+
+extern chan_event_fn	*chan_delete_if_full_closed;
+
+void    chan_init_iostates(Channel * c);
+void	chan_init(void);
+#endif
diff --git a/crypto/openssh/nchan.ms b/crypto/openssh/nchan.ms
new file mode 100644
index 0000000..eb49cd3
--- /dev/null
+++ b/crypto/openssh/nchan.ms
@@ -0,0 +1,102 @@
+.\" 
+.\" Copyright (c) 1999 Markus Friedl.  All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"      This product includes software developed by Markus Friedl.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TL
+OpenSSH Channel Close Protocol 1.5 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S4: ellipse "INPUT" "CLOSED"
+move down l from last ellipse.s
+S3: ellipse "INPUT" "WAIT" "OCLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
+arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
+arrow from S1.s to S2.n
+box invis "read_failed/" "shutdown_read" with .e at last arrow.c
+arrow  from S3.n to S4.s
+box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+arrow from S2.ne to S4.sw
+box invis "rcvd OCLOSE/     " with .e at last arrow.c
+box invis " send IEOF" with .w at last arrow.c
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse "OUTPUT" "WAIT" "IEOF"
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd IEOF/" "-" with .e at last arrow.c
+arrow from S3.s to S4.n
+box invis "rcvd IEOF/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an IEOF message to the peer.
+If the peer receives the IEOF and has consumed all
+data he replies with an OCLOSE.
+When the local instance receives the OCLOSE
+he considers the INPUT-half of the channel closed.
+The peer has his OUTOUT-half closed.
+.PP
+A channel can be deallocated by a protocol instance
+if both the INPUT- and the OUTOUT-half on his
+side of the channel are closed.
+Note that when an instance is unable to consume the
+received data, he is permitted to send an OCLOSE
+before the matching IEOF is received.
diff --git a/crypto/openssh/nchan2.ms b/crypto/openssh/nchan2.ms
new file mode 100644
index 0000000..1b119d1
--- /dev/null
+++ b/crypto/openssh/nchan2.ms
@@ -0,0 +1,64 @@
+.TL
+OpenSSH Channel Close Protocol 2.0 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "INPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
+arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "read_failed/" "shutdown_read" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "write_failed/" "shutdown_write" with .sw at last arrow.c
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an EOF message to the peer.
+.PP
+A CLOSE message is sent to the peer if
+both the INPUT- and the OUTOUT-half of the local
+end of the channel are closed.
+.PP
+The channel can be deallocated by a protocol instance
+if a CLOSE message he been both sent and received.
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
new file mode 100644
index 0000000..5fa76a3
--- /dev/null
+++ b/crypto/openssh/packet.c
@@ -0,0 +1,1283 @@
+/*
+ *
+ * packet.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Mar 18 02:40:40 1995 ylo
+ *
+ * This file contains code implementing the packet protocol and communication
+ * with the other side.  This same code is used both on client and server side.
+ *
+ * SSH2 packet format added by Markus Friedl.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: packet.c,v 1.32 2000/05/04 22:22:43 markus Exp $");
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "packet.h"
+#include "bufaux.h"
+#include "ssh.h"
+#include "crc32.h"
+#include "cipher.h"
+#include "getput.h"
+
+#include "compress.h"
+#include "deattack.h"
+#include "channels.h"
+
+#include "compat.h"
+#include "ssh2.h"
+
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/hmac.h>
+#include "buffer.h"
+#include "kex.h"
+#include "hmac.h"
+
+#ifdef PACKET_DEBUG
+#define DBG(x) x
+#else
+#define DBG(x)
+#endif
+
+/*
+ * This variable contains the file descriptors used for communicating with
+ * the other side.  connection_in is used for reading; connection_out for
+ * writing.  These can be the same descriptor, in which case it is assumed to
+ * be a socket.
+ */
+static int connection_in = -1;
+static int connection_out = -1;
+
+/*
+ * Cipher type.  This value is only used to determine whether to pad the
+ * packets with zeroes or random data.
+ */
+static int cipher_type = SSH_CIPHER_NONE;
+
+/* Protocol flags for the remote side. */
+static unsigned int remote_protocol_flags = 0;
+
+/* Encryption context for receiving data.  This is only used for decryption. */
+static CipherContext receive_context;
+
+/* Encryption context for sending data.  This is only used for encryption. */
+static CipherContext send_context;
+
+/* Buffer for raw input data from the socket. */
+static Buffer input;
+
+/* Buffer for raw output data going to the socket. */
+static Buffer output;
+
+/* Buffer for the partial outgoing packet being constructed. */
+static Buffer outgoing_packet;
+
+/* Buffer for the incoming packet currently being processed. */
+static Buffer incoming_packet;
+
+/* Scratch buffer for packet compression/decompression. */
+static Buffer compression_buffer;
+
+/* Flag indicating whether packet compression/decompression is enabled. */
+static int packet_compression = 0;
+
+/* default maximum packet size */
+int max_packet_size = 32768;
+
+/* Flag indicating whether this module has been initialized. */
+static int initialized = 0;
+
+/* Set to true if the connection is interactive. */
+static int interactive_mode = 0;
+
+/* True if SSH2 packet format is used */
+int use_ssh2_packet_format = 0;
+
+/* Session key information for Encryption and MAC */
+Kex	*kex = NULL;
+
+void
+packet_set_kex(Kex *k)
+{
+	if( k->mac[MODE_IN ].key == NULL ||
+	    k->enc[MODE_IN ].key == NULL ||
+	    k->enc[MODE_IN ].iv  == NULL ||
+	    k->mac[MODE_OUT].key == NULL ||
+	    k->enc[MODE_OUT].key == NULL ||
+	    k->enc[MODE_OUT].iv  == NULL)
+		fatal("bad KEX");
+	kex = k;
+}
+void
+clear_enc_keys(Enc *enc, int len)
+{
+	memset(enc->iv,  0, len);
+	memset(enc->key, 0, len);
+	xfree(enc->iv);
+	xfree(enc->key);
+	enc->iv = NULL;
+	enc->key = NULL;
+}
+void
+packet_set_ssh2_format(void)
+{
+	DBG(debug("use_ssh2_packet_format"));
+	use_ssh2_packet_format = 1;
+}
+
+/*
+ * Sets the descriptors used for communication.  Disables encryption until
+ * packet_set_encryption_key is called.
+ */
+void
+packet_set_connection(int fd_in, int fd_out)
+{
+	connection_in = fd_in;
+	connection_out = fd_out;
+	cipher_type = SSH_CIPHER_NONE;
+	cipher_set_key(&send_context, SSH_CIPHER_NONE, (unsigned char *) "", 0);
+	cipher_set_key(&receive_context, SSH_CIPHER_NONE, (unsigned char *) "", 0);
+	if (!initialized) {
+		initialized = 1;
+		buffer_init(&input);
+		buffer_init(&output);
+		buffer_init(&outgoing_packet);
+		buffer_init(&incoming_packet);
+	}
+	/* Kludge: arrange the close function to be called from fatal(). */
+	fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
+}
+
+/* Returns 1 if remote host is connected via socket, 0 if not. */
+
+int
+packet_connection_is_on_socket()
+{
+	struct sockaddr_storage from, to;
+	socklen_t fromlen, tolen;
+
+	/* filedescriptors in and out are the same, so it's a socket */
+	if (connection_in == connection_out)
+		return 1;
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
+		return 0;
+	tolen = sizeof(to);
+	memset(&to, 0, sizeof(to));
+	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+		return 0;
+	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
+		return 0;
+	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
+		return 0;
+	return 1;
+}
+
+/* returns 1 if connection is via ipv4 */
+
+int
+packet_connection_is_ipv4()
+{
+	struct sockaddr_storage to;
+	socklen_t tolen = sizeof(to);
+
+	memset(&to, 0, sizeof(to));
+	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+		return 0;
+	if (to.ss_family != AF_INET)
+		return 0;
+	return 1;
+}
+
+/* Sets the connection into non-blocking mode. */
+
+void
+packet_set_nonblocking()
+{
+	/* Set the socket into non-blocking mode. */
+	if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0)
+		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
+
+	if (connection_out != connection_in) {
+		if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0)
+			error("fcntl O_NONBLOCK: %.100s", strerror(errno));
+	}
+}
+
+/* Returns the socket used for reading. */
+
+int
+packet_get_connection_in()
+{
+	return connection_in;
+}
+
+/* Returns the descriptor used for writing. */
+
+int
+packet_get_connection_out()
+{
+	return connection_out;
+}
+
+/* Closes the connection and clears and frees internal data structures. */
+
+void
+packet_close()
+{
+	if (!initialized)
+		return;
+	initialized = 0;
+	if (connection_in == connection_out) {
+		shutdown(connection_out, SHUT_RDWR);
+		close(connection_out);
+	} else {
+		close(connection_in);
+		close(connection_out);
+	}
+	buffer_free(&input);
+	buffer_free(&output);
+	buffer_free(&outgoing_packet);
+	buffer_free(&incoming_packet);
+	if (packet_compression) {
+		buffer_free(&compression_buffer);
+		buffer_compress_uninit();
+	}
+}
+
+/* Sets remote side protocol flags. */
+
+void
+packet_set_protocol_flags(unsigned int protocol_flags)
+{
+	remote_protocol_flags = protocol_flags;
+	channel_set_options((protocol_flags & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) != 0);
+}
+
+/* Returns the remote protocol flags set earlier by the above function. */
+
+unsigned int
+packet_get_protocol_flags()
+{
+	return remote_protocol_flags;
+}
+
+/*
+ * Starts packet compression from the next packet on in both directions.
+ * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
+ */
+
+/*** XXXXX todo: kex means re-init */
+void
+packet_start_compression(int level)
+{
+	if (packet_compression)
+		fatal("Compression already enabled.");
+	packet_compression = 1;
+	buffer_init(&compression_buffer);
+	buffer_compress_init(level);
+}
+
+/*
+ * Encrypts the given number of bytes, copying from src to dest. bytes is
+ * known to be a multiple of 8.
+ */
+
+void
+packet_encrypt(CipherContext * cc, void *dest, void *src,
+    unsigned int bytes)
+{
+	cipher_encrypt(cc, dest, src, bytes);
+}
+
+/*
+ * Decrypts the given number of bytes, copying from src to dest. bytes is
+ * known to be a multiple of 8.
+ */
+
+void
+packet_decrypt(CipherContext * cc, void *dest, void *src,
+    unsigned int bytes)
+{
+	int i;
+
+	if ((bytes % 8) != 0)
+		fatal("packet_decrypt: bad ciphertext length %d", bytes);
+
+	/*
+	 * Cryptographic attack detector for ssh - Modifications for packet.c
+	 * (C)1998 CORE-SDI, Buenos Aires Argentina Ariel Futoransky(futo@core-sdi.com)
+	 */
+
+	if (cc->type == SSH_CIPHER_NONE || compat20) {
+		i = DEATTACK_OK;
+	} else {
+		i = detect_attack(src, bytes, NULL);
+	}
+	if (i == DEATTACK_DETECTED)
+		packet_disconnect("crc32 compensation attack: network attack detected");
+
+	cipher_decrypt(cc, dest, src, bytes);
+}
+
+/*
+ * Causes any further packets to be encrypted using the given key.  The same
+ * key is used for both sending and reception.  However, both directions are
+ * encrypted independently of each other.
+ */
+
+void
+packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
+    int cipher)
+{
+	if (keylen < 20)
+		fatal("keylen too small: %d", keylen);
+
+	/* All other ciphers use the same key in both directions for now. */
+	cipher_set_key(&receive_context, cipher, key, keylen);
+	cipher_set_key(&send_context, cipher, key, keylen);
+}
+
+/* Starts constructing a packet to send. */
+
+void
+packet_start1(int type)
+{
+	char buf[9];
+
+	buffer_clear(&outgoing_packet);
+	memset(buf, 0, 8);
+	buf[8] = type;
+	buffer_append(&outgoing_packet, buf, 9);
+}
+
+void
+packet_start2(int type)
+{
+	char buf[4+1+1];
+
+	buffer_clear(&outgoing_packet);
+	memset(buf, 0, sizeof buf);
+	/* buf[0..3] = payload_len; */
+	/* buf[4] =    pad_len; */
+	buf[5] = type & 0xff;
+	buffer_append(&outgoing_packet, buf, sizeof buf);
+}
+
+void
+packet_start(int type)
+{
+	DBG(debug("packet_start[%d]",type));
+	if (use_ssh2_packet_format)
+		packet_start2(type);
+	else
+		packet_start1(type);
+}
+
+/* Appends a character to the packet data. */
+
+void
+packet_put_char(int value)
+{
+	char ch = value;
+	buffer_append(&outgoing_packet, &ch, 1);
+}
+
+/* Appends an integer to the packet data. */
+
+void
+packet_put_int(unsigned int value)
+{
+	buffer_put_int(&outgoing_packet, value);
+}
+
+/* Appends a string to packet data. */
+
+void
+packet_put_string(const char *buf, unsigned int len)
+{
+	buffer_put_string(&outgoing_packet, buf, len);
+}
+void
+packet_put_cstring(const char *str)
+{
+	buffer_put_string(&outgoing_packet, str, strlen(str));
+}
+
+void
+packet_put_raw(const char *buf, unsigned int len)
+{
+	buffer_append(&outgoing_packet, buf, len);
+}
+
+
+/* Appends an arbitrary precision integer to packet data. */
+
+void
+packet_put_bignum(BIGNUM * value)
+{
+	buffer_put_bignum(&outgoing_packet, value);
+}
+void
+packet_put_bignum2(BIGNUM * value)
+{
+	buffer_put_bignum2(&outgoing_packet, value);
+}
+
+/*
+ * Finalizes and sends the packet.  If the encryption key has been set,
+ * encrypts the packet before sending.
+ */
+
+void
+packet_send1()
+{
+	char buf[8], *cp;
+	int i, padding, len;
+	unsigned int checksum;
+	u_int32_t rand = 0;
+
+	/*
+	 * If using packet compression, compress the payload of the outgoing
+	 * packet.
+	 */
+	if (packet_compression) {
+		buffer_clear(&compression_buffer);
+		/* Skip padding. */
+		buffer_consume(&outgoing_packet, 8);
+		/* padding */
+		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
+		buffer_compress(&outgoing_packet, &compression_buffer);
+		buffer_clear(&outgoing_packet);
+		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
+			      buffer_len(&compression_buffer));
+	}
+	/* Compute packet length without padding (add checksum, remove padding). */
+	len = buffer_len(&outgoing_packet) + 4 - 8;
+
+	/* Insert padding. Initialized to zero in packet_start1() */
+	padding = 8 - len % 8;
+	if (cipher_type != SSH_CIPHER_NONE) {
+		cp = buffer_ptr(&outgoing_packet);
+		for (i = 0; i < padding; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			cp[7 - i] = rand & 0xff;
+			rand >>= 8;
+		}
+	}
+	buffer_consume(&outgoing_packet, 8 - padding);
+
+	/* Add check bytes. */
+	checksum = crc32((unsigned char *) buffer_ptr(&outgoing_packet),
+			 buffer_len(&outgoing_packet));
+	PUT_32BIT(buf, checksum);
+	buffer_append(&outgoing_packet, buf, 4);
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "packet_send plain: ");
+	buffer_dump(&outgoing_packet);
+#endif
+
+	/* Append to output. */
+	PUT_32BIT(buf, len);
+	buffer_append(&output, buf, 4);
+	buffer_append_space(&output, &cp, buffer_len(&outgoing_packet));
+	packet_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet),
+		       buffer_len(&outgoing_packet));
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "encrypted: ");
+	buffer_dump(&output);
+#endif
+
+	buffer_clear(&outgoing_packet);
+
+	/*
+	 * Note that the packet is now only buffered in output.  It won\'t be
+	 * actually sent until packet_write_wait or packet_write_poll is
+	 * called.
+	 */
+}
+
+/*
+ * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
+ */
+void
+packet_send2()
+{
+	unsigned char *macbuf = NULL;
+	char *cp;
+	unsigned int packet_length = 0;
+	unsigned int i, padlen, len;
+	u_int32_t rand = 0;
+	static unsigned int seqnr = 0;
+	int type;
+	Enc *enc   = NULL;
+	Mac *mac   = NULL;
+	Comp *comp = NULL;
+	int block_size;
+
+	if (kex != NULL) {
+		enc  = &kex->enc[MODE_OUT];
+		mac  = &kex->mac[MODE_OUT];
+		comp = &kex->comp[MODE_OUT];
+	}
+	block_size = enc ? enc->block_size : 8;
+
+	cp = buffer_ptr(&outgoing_packet);
+	type = cp[5] & 0xff;
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "plain:     ");
+	buffer_dump(&outgoing_packet);
+#endif
+
+	if (comp && comp->enabled) {
+		len = buffer_len(&outgoing_packet);
+		/* skip header, compress only payload */
+		buffer_consume(&outgoing_packet, 5);
+		buffer_clear(&compression_buffer);
+		buffer_compress(&outgoing_packet, &compression_buffer);
+		buffer_clear(&outgoing_packet);
+		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
+		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+		DBG(debug("compression: raw %d compressed %d", len,
+		    buffer_len(&outgoing_packet)));
+	}
+
+	/* sizeof (packet_len + pad_len + payload) */
+	len = buffer_len(&outgoing_packet);
+
+	/*
+	 * calc size of padding, alloc space, get random data,
+	 * minimum padding is 4 bytes
+	 */
+	padlen = block_size - (len % block_size);
+	if (padlen < 4)
+		padlen += block_size;
+	buffer_append_space(&outgoing_packet, &cp, padlen);
+	if (enc && enc->type != SSH_CIPHER_NONE) {
+		/* random padding */
+		for (i = 0; i < padlen; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			cp[i] = rand & 0xff;
+			rand <<= 8;
+		}
+	} else {
+		/* clear padding */
+		memset(cp, 0, padlen);
+	}
+	/* packet_length includes payload, padding and padding length field */
+	packet_length = buffer_len(&outgoing_packet) - 4;
+	cp = buffer_ptr(&outgoing_packet);
+	PUT_32BIT(cp, packet_length);
+	cp[4] = padlen & 0xff;
+	DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
+
+	/* compute MAC over seqnr and packet(length fields, payload, padding) */
+	if (mac && mac->enabled) {
+		macbuf = hmac( mac->md, seqnr,
+		    (unsigned char *) buffer_ptr(&outgoing_packet),
+		    buffer_len(&outgoing_packet),
+		    mac->key, mac->key_len
+		);
+		DBG(debug("done calc HMAC out #%d", seqnr));
+	}
+	/* encrypt packet and append to output buffer. */
+	buffer_append_space(&output, &cp, buffer_len(&outgoing_packet));
+	packet_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet),
+	    buffer_len(&outgoing_packet));
+	/* append unencrypted MAC */
+	if (mac && mac->enabled)
+		buffer_append(&output, (char *)macbuf, mac->mac_len);
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "encrypted: ");
+	buffer_dump(&output);
+#endif
+	/* increment sequence number for outgoing packets */
+	if (++seqnr == 0)
+		log("outgoing seqnr wraps around");
+	buffer_clear(&outgoing_packet);
+
+	if (type == SSH2_MSG_NEWKEYS) {
+		if (kex==NULL || mac==NULL || enc==NULL || comp==NULL)
+			fatal("packet_send2: no KEX");
+		if (mac->md != NULL)
+			mac->enabled = 1;
+		DBG(debug("cipher_set_key_iv send_context"));
+		cipher_set_key_iv(&send_context, enc->type,
+		    enc->key, enc->key_len,
+		    enc->iv, enc->iv_len);
+		clear_enc_keys(enc, kex->we_need);
+		if (comp->type != 0 && comp->enabled == 0) {
+			comp->enabled = 1;
+			if (! packet_compression)
+				packet_start_compression(6);
+		}
+	}
+}
+
+void
+packet_send()
+{
+	if (use_ssh2_packet_format)
+		packet_send2();
+	else
+		packet_send1();
+	DBG(debug("packet_send done"));
+}
+
+/*
+ * Waits until a packet has been received, and returns its type.  Note that
+ * no other data is processed until this returns, so this function should not
+ * be used during the interactive session.
+ */
+
+int
+packet_read(int *payload_len_ptr)
+{
+	int type, len;
+	fd_set set;
+	char buf[8192];
+	DBG(debug("packet_read()"));
+
+	/* Since we are blocking, ensure that all written packets have been sent. */
+	packet_write_wait();
+
+	/* Stay in the loop until we have received a complete packet. */
+	for (;;) {
+		/* Try to read a packet from the buffer. */
+		type = packet_read_poll(payload_len_ptr);
+		if (!use_ssh2_packet_format && (
+		    type == SSH_SMSG_SUCCESS
+		    || type == SSH_SMSG_FAILURE
+		    || type == SSH_CMSG_EOF
+		    || type == SSH_CMSG_EXIT_CONFIRMATION))
+			packet_integrity_check(*payload_len_ptr, 0, type);
+		/* If we got a packet, return it. */
+		if (type != SSH_MSG_NONE)
+			return type;
+		/*
+		 * Otherwise, wait for some data to arrive, add it to the
+		 * buffer, and try again.
+		 */
+		FD_ZERO(&set);
+		FD_SET(connection_in, &set);
+
+		/* Wait for some data to arrive. */
+		select(connection_in + 1, &set, NULL, NULL, NULL);
+
+		/* Read data from the socket. */
+		len = read(connection_in, buf, sizeof(buf));
+		if (len == 0) {
+			log("Connection closed by %.200s", get_remote_ipaddr());
+			fatal_cleanup();
+		}
+		if (len < 0)
+			fatal("Read from socket failed: %.100s", strerror(errno));
+		/* Append it to the buffer. */
+		packet_process_incoming(buf, len);
+	}
+	/* NOTREACHED */
+}
+
+/*
+ * Waits until a packet has been received, verifies that its type matches
+ * that given, and gives a fatal error and exits if there is a mismatch.
+ */
+
+void
+packet_read_expect(int *payload_len_ptr, int expected_type)
+{
+	int type;
+
+	type = packet_read(payload_len_ptr);
+	if (type != expected_type)
+		packet_disconnect("Protocol error: expected packet type %d, got %d",
+		    expected_type, type);
+}
+
+/* Checks if a full packet is available in the data received so far via
+ * packet_process_incoming.  If so, reads the packet; otherwise returns
+ * SSH_MSG_NONE.  This does not wait for data from the connection.
+ *
+ * SSH_MSG_DISCONNECT is handled specially here.  Also,
+ * SSH_MSG_IGNORE messages are skipped by this function and are never returned
+ * to higher levels.
+ *
+ * The returned payload_len does include space consumed by:
+ * 	Packet length
+ * 	Padding
+ * 	Packet type
+ * 	Check bytes
+ */
+
+int
+packet_read_poll1(int *payload_len_ptr)
+{
+	unsigned int len, padded_len;
+	unsigned char *ucp;
+	char buf[8], *cp;
+	unsigned int checksum, stored_checksum;
+
+	/* Check if input size is less than minimum packet size. */
+	if (buffer_len(&input) < 4 + 8)
+		return SSH_MSG_NONE;
+	/* Get length of incoming packet. */
+	ucp = (unsigned char *) buffer_ptr(&input);
+	len = GET_32BIT(ucp);
+	if (len < 1 + 2 + 2 || len > 256 * 1024)
+		packet_disconnect("Bad packet length %d.", len);
+	padded_len = (len + 8) & ~7;
+
+	/* Check if the packet has been entirely received. */
+	if (buffer_len(&input) < 4 + padded_len)
+		return SSH_MSG_NONE;
+
+	/* The entire packet is in buffer. */
+
+	/* Consume packet length. */
+	buffer_consume(&input, 4);
+
+	/* Copy data to incoming_packet. */
+	buffer_clear(&incoming_packet);
+	buffer_append_space(&incoming_packet, &cp, padded_len);
+	packet_decrypt(&receive_context, cp, buffer_ptr(&input), padded_len);
+	buffer_consume(&input, padded_len);
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read_poll plain: ");
+	buffer_dump(&incoming_packet);
+#endif
+
+	/* Compute packet checksum. */
+	checksum = crc32((unsigned char *) buffer_ptr(&incoming_packet),
+	    buffer_len(&incoming_packet) - 4);
+
+	/* Skip padding. */
+	buffer_consume(&incoming_packet, 8 - len % 8);
+
+	/* Test check bytes. */
+
+	if (len != buffer_len(&incoming_packet))
+		packet_disconnect("packet_read_poll: len %d != buffer_len %d.",
+		    len, buffer_len(&incoming_packet));
+
+	ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4;
+	stored_checksum = GET_32BIT(ucp);
+	if (checksum != stored_checksum)
+		packet_disconnect("Corrupted check bytes on input.");
+	buffer_consume_end(&incoming_packet, 4);
+
+	/* If using packet compression, decompress the packet. */
+	if (packet_compression) {
+		buffer_clear(&compression_buffer);
+		buffer_uncompress(&incoming_packet, &compression_buffer);
+		buffer_clear(&incoming_packet);
+		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+	}
+	/* Get packet type. */
+	buffer_get(&incoming_packet, &buf[0], 1);
+
+	/* Return length of payload (without type field). */
+	*payload_len_ptr = buffer_len(&incoming_packet);
+
+	/* Return type. */
+	return (unsigned char) buf[0];
+}
+
+int
+packet_read_poll2(int *payload_len_ptr)
+{
+	unsigned int padlen, need;
+	unsigned char buf[8], *macbuf;
+	unsigned char *ucp;
+	char *cp;
+	static unsigned int packet_length = 0;
+	static unsigned int seqnr = 0;
+	int type;
+	int maclen, block_size;
+	Enc *enc   = NULL;
+	Mac *mac   = NULL;
+	Comp *comp = NULL;
+
+	if (kex != NULL) {
+		enc  = &kex->enc[MODE_IN];
+		mac  = &kex->mac[MODE_IN];
+		comp = &kex->comp[MODE_IN];
+	}
+	maclen = mac && mac->enabled ? mac->mac_len : 0;
+	block_size = enc ? enc->block_size : 8;
+
+	if (packet_length == 0) {
+		/*
+		 * check if input size is less than the cipher block size,
+		 * decrypt first block and extract length of incoming packet
+		 */
+		if (buffer_len(&input) < block_size)
+			return SSH_MSG_NONE;
+		buffer_clear(&incoming_packet);
+		buffer_append_space(&incoming_packet, &cp, block_size);
+		packet_decrypt(&receive_context, cp, buffer_ptr(&input),
+		    block_size);
+		ucp = (unsigned char *) buffer_ptr(&incoming_packet);
+		packet_length = GET_32BIT(ucp);
+		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
+			buffer_dump(&incoming_packet);
+			packet_disconnect("Bad packet length %d.", packet_length);
+		}
+		DBG(debug("input: packet len %d", packet_length+4));
+		buffer_consume(&input, block_size);
+	}
+	/* we have a partial packet of block_size bytes */
+	need = 4 + packet_length - block_size;
+	DBG(debug("partial packet %d, need %d, maclen %d", block_size,
+	    need, maclen));
+	if (need % block_size != 0)
+		fatal("padding error: need %d block %d mod %d",
+		    need, block_size, need % block_size);
+	/*
+	 * check if the entire packet has been received and
+	 * decrypt into incoming_packet
+	 */
+	if (buffer_len(&input) < need + maclen)
+		return SSH_MSG_NONE;
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read_poll enc/full: ");
+	buffer_dump(&input);
+#endif
+	buffer_append_space(&incoming_packet, &cp, need);
+	packet_decrypt(&receive_context, cp, buffer_ptr(&input), need);
+	buffer_consume(&input, need);
+	/*
+	 * compute MAC over seqnr and packet,
+	 * increment sequence number for incoming packet
+	 */
+	if (mac && mac->enabled) {
+		macbuf = hmac( mac->md, seqnr,
+		    (unsigned char *) buffer_ptr(&incoming_packet),
+		    buffer_len(&incoming_packet),
+		    mac->key, mac->key_len
+		);
+		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
+			packet_disconnect("Corrupted HMAC on input.");
+		DBG(debug("HMAC #%d ok", seqnr));
+		buffer_consume(&input, mac->mac_len);
+	}
+	if (++seqnr == 0)
+		log("incoming seqnr wraps around");
+
+	/* get padlen */
+	cp = buffer_ptr(&incoming_packet) + 4;
+	padlen = *cp & 0xff;
+	DBG(debug("input: padlen %d", padlen));
+	if (padlen < 4)
+		packet_disconnect("Corrupted padlen %d on input.", padlen);
+
+	/* skip packet size + padlen, discard padding */
+	buffer_consume(&incoming_packet, 4 + 1);
+	buffer_consume_end(&incoming_packet, padlen);
+
+	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
+	if (comp && comp->enabled) {
+		buffer_clear(&compression_buffer);
+		buffer_uncompress(&incoming_packet, &compression_buffer);
+		buffer_clear(&incoming_packet);
+		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+		DBG(debug("input: len after de-compress %d", buffer_len(&incoming_packet)));
+	}
+	/*
+	 * get packet type, implies consume.
+	 * return length of payload (without type field)
+	 */
+	buffer_get(&incoming_packet, (char *)&buf[0], 1);
+	*payload_len_ptr = buffer_len(&incoming_packet);
+
+	/* reset for next packet */
+	packet_length = 0;
+
+	/* extract packet type */
+	type = (unsigned char)buf[0];
+
+	if (type == SSH2_MSG_NEWKEYS) {
+		if (kex==NULL || mac==NULL || enc==NULL || comp==NULL)
+			fatal("packet_read_poll2: no KEX");
+		if (mac->md != NULL)
+			mac->enabled = 1;
+		DBG(debug("cipher_set_key_iv receive_context"));
+		cipher_set_key_iv(&receive_context, enc->type,
+		    enc->key, enc->key_len,
+		    enc->iv, enc->iv_len);
+		clear_enc_keys(enc, kex->we_need);
+		if (comp->type != 0 && comp->enabled == 0) {
+			comp->enabled = 1;
+			if (! packet_compression)
+				packet_start_compression(6);
+		}
+	}
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read/plain[%d]:\r\n",type);
+	buffer_dump(&incoming_packet);
+#endif
+	return (unsigned char)type;
+}
+
+int
+packet_read_poll(int *payload_len_ptr)
+{
+	char *msg;
+	for (;;) {
+		int type = use_ssh2_packet_format ?
+		    packet_read_poll2(payload_len_ptr):
+		    packet_read_poll1(payload_len_ptr);
+
+		if(compat20) {
+			int reason;
+			if (type != 0)
+				DBG(debug("received packet type %d", type));
+			switch(type) {
+			case SSH2_MSG_IGNORE:
+				break;
+			case SSH2_MSG_DEBUG:
+				packet_get_char();
+				msg = packet_get_string(NULL);
+				debug("Remote: %.900s", msg);
+				xfree(msg);
+				msg = packet_get_string(NULL);
+				xfree(msg);
+				break;
+			case SSH2_MSG_DISCONNECT:
+				reason = packet_get_int();
+				msg = packet_get_string(NULL);
+				log("Received disconnect: %d: %.900s", reason, msg);
+				xfree(msg);
+				fatal_cleanup();
+				break;
+			default:
+				return type;
+				break;
+			}	
+		} else {
+			switch(type) {
+			case SSH_MSG_IGNORE:
+				break;
+			case SSH_MSG_DEBUG:
+				msg = packet_get_string(NULL);
+				debug("Remote: %.900s", msg);
+				xfree(msg);
+				break;
+			case SSH_MSG_DISCONNECT:
+				msg = packet_get_string(NULL);
+				log("Received disconnect: %.900s", msg);
+				fatal_cleanup();
+				xfree(msg);
+				break;
+			default:
+				if (type != 0)
+					DBG(debug("received packet type %d", type));
+				return type;
+				break;
+			}	
+		}
+	}
+}
+
+/*
+ * Buffers the given amount of input characters.  This is intended to be used
+ * together with packet_read_poll.
+ */
+
+void
+packet_process_incoming(const char *buf, unsigned int len)
+{
+	buffer_append(&input, buf, len);
+}
+
+/* Returns a character from the packet. */
+
+unsigned int
+packet_get_char()
+{
+	char ch;
+	buffer_get(&incoming_packet, &ch, 1);
+	return (unsigned char) ch;
+}
+
+/* Returns an integer from the packet data. */
+
+unsigned int
+packet_get_int()
+{
+	return buffer_get_int(&incoming_packet);
+}
+
+/*
+ * Returns an arbitrary precision integer from the packet data.  The integer
+ * must have been initialized before this call.
+ */
+
+void
+packet_get_bignum(BIGNUM * value, int *length_ptr)
+{
+	*length_ptr = buffer_get_bignum(&incoming_packet, value);
+}
+
+void
+packet_get_bignum2(BIGNUM * value, int *length_ptr)
+{
+	*length_ptr = buffer_get_bignum2(&incoming_packet, value);
+}
+
+char *
+packet_get_raw(int *length_ptr)
+{
+	int bytes = buffer_len(&incoming_packet);
+	if (length_ptr != NULL)
+		*length_ptr = bytes;
+	return buffer_ptr(&incoming_packet);
+}
+
+int
+packet_remaining(void)
+{
+	return buffer_len(&incoming_packet);
+}
+
+/*
+ * Returns a string from the packet data.  The string is allocated using
+ * xmalloc; it is the responsibility of the calling program to free it when
+ * no longer needed.  The length_ptr argument may be NULL, or point to an
+ * integer into which the length of the string is stored.
+ */
+
+char *
+packet_get_string(unsigned int *length_ptr)
+{
+	return buffer_get_string(&incoming_packet, length_ptr);
+}
+
+/*
+ * Sends a diagnostic message from the server to the client.  This message
+ * can be sent at any time (but not while constructing another message). The
+ * message is printed immediately, but only if the client is being executed
+ * in verbose mode.  These messages are primarily intended to ease debugging
+ * authentication problems.   The length of the formatted message must not
+ * exceed 1024 bytes.  This will automatically call packet_write_wait.
+ */
+
+void
+packet_send_debug(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	if (compat20) {
+		packet_start(SSH2_MSG_DEBUG);
+		packet_put_char(0);	/* bool: always display */
+		packet_put_cstring(buf);
+		packet_put_cstring("");
+	} else {
+		packet_start(SSH_MSG_DEBUG);
+		packet_put_cstring(buf);
+	}
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * Logs the error plus constructs and sends a disconnect packet, closes the
+ * connection, and exits.  This function never returns. The error message
+ * should not contain a newline.  The length of the formatted message must
+ * not exceed 1024 bytes.
+ */
+
+void
+packet_disconnect(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+	static int disconnecting = 0;
+	if (disconnecting)	/* Guard against recursive invocations. */
+		fatal("packet_disconnect called recursively.");
+	disconnecting = 1;
+
+	/*
+	 * Format the message.  Note that the caller must make sure the
+	 * message is of limited size.
+	 */
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	/* Send the disconnect message to the other side, and wait for it to get sent. */
+	if (compat20) {
+		packet_start(SSH2_MSG_DISCONNECT);
+		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
+		packet_put_cstring(buf);
+		packet_put_cstring("");
+	} else {
+		packet_start(SSH_MSG_DISCONNECT);
+		packet_put_string(buf, strlen(buf));
+	}
+	packet_send();
+	packet_write_wait();
+
+	/* Stop listening for connections. */
+	channel_stop_listening();
+
+	/* Close the connection. */
+	packet_close();
+
+	/* Display the error locally and exit. */
+	log("Disconnecting: %.100s", buf);
+	fatal_cleanup();
+}
+
+/* Checks if there is any buffered output, and tries to write some of the output. */
+
+void
+packet_write_poll()
+{
+	int len = buffer_len(&output);
+	if (len > 0) {
+		len = write(connection_out, buffer_ptr(&output), len);
+		if (len <= 0) {
+			if (errno == EAGAIN)
+				return;
+			else
+				fatal("Write failed: %.100s", strerror(errno));
+		}
+		buffer_consume(&output, len);
+	}
+}
+
+/*
+ * Calls packet_write_poll repeatedly until all pending output data has been
+ * written.
+ */
+
+void
+packet_write_wait()
+{
+	packet_write_poll();
+	while (packet_have_data_to_write()) {
+		fd_set set;
+		FD_ZERO(&set);
+		FD_SET(connection_out, &set);
+		select(connection_out + 1, NULL, &set, NULL, NULL);
+		packet_write_poll();
+	}
+}
+
+/* Returns true if there is buffered data to write to the connection. */
+
+int
+packet_have_data_to_write()
+{
+	return buffer_len(&output) != 0;
+}
+
+/* Returns true if there is not too much data to write to the connection. */
+
+int
+packet_not_very_much_data_to_write()
+{
+	if (interactive_mode)
+		return buffer_len(&output) < 16384;
+	else
+		return buffer_len(&output) < 128 * 1024;
+}
+
+/* Informs that the current session is interactive.  Sets IP flags for that. */
+
+void
+packet_set_interactive(int interactive, int keepalives)
+{
+	int on = 1;
+
+	/* Record that we are in interactive mode. */
+	interactive_mode = interactive;
+
+	/* Only set socket options if using a socket.  */
+	if (!packet_connection_is_on_socket())
+		return;
+	if (keepalives) {
+		/* Set keepalives if requested. */
+		if (setsockopt(connection_in, SOL_SOCKET, SO_KEEPALIVE, (void *) &on,
+		    sizeof(on)) < 0)
+			error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+	}
+	/*
+	 * IPTOS_LOWDELAY, TCP_NODELAY and IPTOS_THROUGHPUT are IPv4 only
+	 */
+	if (!packet_connection_is_ipv4())
+		return;
+	if (interactive) {
+		/*
+		 * Set IP options for an interactive connection.  Use
+		 * IPTOS_LOWDELAY and TCP_NODELAY.
+		 */
+		int lowdelay = IPTOS_LOWDELAY;
+		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &lowdelay,
+		    sizeof(lowdelay)) < 0)
+			error("setsockopt IPTOS_LOWDELAY: %.100s", strerror(errno));
+		if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on,
+		    sizeof(on)) < 0)
+			error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
+	} else {
+		/*
+		 * Set IP options for a non-interactive connection.  Use
+		 * IPTOS_THROUGHPUT.
+		 */
+		int throughput = IPTOS_THROUGHPUT;
+		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput,
+		    sizeof(throughput)) < 0)
+			error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno));
+	}
+}
+
+/* Returns true if the current connection is interactive. */
+
+int
+packet_is_interactive()
+{
+	return interactive_mode;
+}
+
+int
+packet_set_maxsize(int s)
+{
+	static int called = 0;
+	if (called) {
+		log("packet_set_maxsize: called twice: old %d new %d",
+		    max_packet_size, s);
+		return -1;
+	}
+	if (s < 4 * 1024 || s > 1024 * 1024) {
+		log("packet_set_maxsize: bad size %d", s);
+		return -1;
+	}
+	log("packet_set_maxsize: setting to %d", s);
+	max_packet_size = s;
+	return s;
+}
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
new file mode 100644
index 0000000..876f8cb
--- /dev/null
+++ b/crypto/openssh/packet.h
@@ -0,0 +1,220 @@
+/*
+ *
+ * packet.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Mar 18 02:02:14 1995 ylo
+ *
+ * Interface for the packet protocol functions.
+ *
+ * $FreeBSD$
+ */
+
+/* RCSID("$Id: packet.h,v 1.15 2000/04/14 10:30:32 markus Exp $"); */
+
+#ifndef PACKET_H
+#define PACKET_H
+
+#include <openssl/bn.h>
+
+/*
+ * Sets the socket used for communication.  Disables encryption until
+ * packet_set_encryption_key is called.  It is permissible that fd_in and
+ * fd_out are the same descriptor; in that case it is assumed to be a socket.
+ */
+void    packet_set_connection(int fd_in, int fd_out);
+
+/* Puts the connection file descriptors into non-blocking mode. */
+void    packet_set_nonblocking(void);
+
+/* Returns the file descriptor used for input. */
+int     packet_get_connection_in(void);
+
+/* Returns the file descriptor used for output. */
+int     packet_get_connection_out(void);
+
+/*
+ * Closes the connection (both descriptors) and clears and frees internal
+ * data structures.
+ */
+void    packet_close(void);
+
+/*
+ * Causes any further packets to be encrypted using the given key.  The same
+ * key is used for both sending and reception.  However, both directions are
+ * encrypted independently of each other.  Cipher types are defined in ssh.h.
+ */
+void
+packet_set_encryption_key(const unsigned char *key, unsigned int keylen,
+    int cipher_type);
+
+/*
+ * Sets remote side protocol flags for the current connection.  This can be
+ * called at any time.
+ */
+void    packet_set_protocol_flags(unsigned int flags);
+
+/* Returns the remote protocol flags set earlier by the above function. */
+unsigned int packet_get_protocol_flags(void);
+
+/* Enables compression in both directions starting from the next packet. */
+void    packet_start_compression(int level);
+
+/*
+ * Informs that the current session is interactive.  Sets IP flags for
+ * optimal performance in interactive use.
+ */
+void    packet_set_interactive(int interactive, int keepalives);
+
+/* Returns true if the current connection is interactive. */
+int     packet_is_interactive(void);
+
+/* Starts constructing a packet to send. */
+void    packet_start(int type);
+
+/* Appends a character to the packet data. */
+void    packet_put_char(int ch);
+
+/* Appends an integer to the packet data. */
+void    packet_put_int(unsigned int value);
+
+/* Appends an arbitrary precision integer to packet data. */
+void    packet_put_bignum(BIGNUM * value);
+void    packet_put_bignum2(BIGNUM * value);
+
+/* Appends a string to packet data. */
+void    packet_put_string(const char *buf, unsigned int len);
+void    packet_put_cstring(const char *str);
+void    packet_put_raw(const char *buf, unsigned int len);
+
+/*
+ * Finalizes and sends the packet.  If the encryption key has been set,
+ * encrypts the packet before sending.
+ */
+void    packet_send(void);
+
+/* Waits until a packet has been received, and returns its type. */
+int     packet_read(int *payload_len_ptr);
+
+/*
+ * Waits until a packet has been received, verifies that its type matches
+ * that given, and gives a fatal error and exits if there is a mismatch.
+ */
+void    packet_read_expect(int *payload_len_ptr, int type);
+
+/*
+ * Checks if a full packet is available in the data received so far via
+ * packet_process_incoming.  If so, reads the packet; otherwise returns
+ * SSH_MSG_NONE.  This does not wait for data from the connection.
+ * SSH_MSG_DISCONNECT is handled specially here.  Also, SSH_MSG_IGNORE
+ * messages are skipped by this function and are never returned to higher
+ * levels.
+ */
+int     packet_read_poll(int *packet_len_ptr);
+
+/*
+ * Buffers the given amount of input characters.  This is intended to be used
+ * together with packet_read_poll.
+ */
+void    packet_process_incoming(const char *buf, unsigned int len);
+
+/* Returns a character (0-255) from the packet data. */
+unsigned int packet_get_char(void);
+
+/* Returns an integer from the packet data. */
+unsigned int packet_get_int(void);
+
+/*
+ * Returns an arbitrary precision integer from the packet data.  The integer
+ * must have been initialized before this call.
+ */
+void    packet_get_bignum(BIGNUM * value, int *length_ptr);
+void    packet_get_bignum2(BIGNUM * value, int *length_ptr);
+char	*packet_get_raw(int *length_ptr);
+
+/*
+ * Returns a string from the packet data.  The string is allocated using
+ * xmalloc; it is the responsibility of the calling program to free it when
+ * no longer needed.  The length_ptr argument may be NULL, or point to an
+ * integer into which the length of the string is stored.
+ */
+char   *packet_get_string(unsigned int *length_ptr);
+
+/*
+ * Logs the error in syslog using LOG_INFO, constructs and sends a disconnect
+ * packet, closes the connection, and exits.  This function never returns.
+ * The error message should not contain a newline.  The total length of the
+ * message must not exceed 1024 bytes.
+ */
+void    packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/*
+ * Sends a diagnostic message to the other side.  This message can be sent at
+ * any time (but not while constructing another message). The message is
+ * printed immediately, but only if the client is being executed in verbose
+ * mode.  These messages are primarily intended to ease debugging
+ * authentication problems.  The total length of the message must not exceed
+ * 1024 bytes.  This will automatically call packet_write_wait.  If the
+ * remote side protocol flags do not indicate that it supports SSH_MSG_DEBUG,
+ * this will do nothing.
+ */
+void    packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/* Checks if there is any buffered output, and tries to write some of the output. */
+void    packet_write_poll(void);
+
+/* Waits until all pending output data has been written. */
+void    packet_write_wait(void);
+
+/* Returns true if there is buffered data to write to the connection. */
+int     packet_have_data_to_write(void);
+
+/* Returns true if there is not too much data to write to the connection. */
+int     packet_not_very_much_data_to_write(void);
+
+/* maximum packet size, requested by client with SSH_CMSG_MAX_PACKET_SIZE */
+extern int max_packet_size;
+int     packet_set_maxsize(int s);
+#define packet_get_maxsize() max_packet_size
+
+/* Stores tty modes from the fd into current packet. */
+void    tty_make_modes(int fd);
+
+/* Parses tty modes for the fd from the current packet. */
+void    tty_parse_modes(int fd, int *n_bytes_ptr);
+
+#define packet_integrity_check(payload_len, expected_len, type) \
+do { \
+  int _p = (payload_len), _e = (expected_len); \
+  if (_p != _e) { \
+    log("Packet integrity error (%d != %d) at %s:%d", \
+	_p, _e, __FILE__, __LINE__); \
+    packet_disconnect("Packet integrity error. (%d)", (type)); \
+  } \
+} while (0)
+
+#define packet_done() \
+do { \
+	int _len = packet_remaining(); \
+	if (_len > 0) { \
+		log("Packet integrity error (%d bytes remaining) at %s:%d", \
+		    _len ,__FILE__, __LINE__); \
+		packet_disconnect("Packet integrity error."); \
+	} \
+} while (0)
+
+/* remote host is connected via a socket/ipv4 */
+int	packet_connection_is_on_socket(void);
+int	packet_connection_is_ipv4(void);
+
+/* enable SSH2 packet format */
+void	packet_set_ssh2_format(void);
+
+/* returns remaining payload bytes */
+int	packet_remaining(void);
+
+#endif				/* PACKET_H */
diff --git a/crypto/openssh/pam_ssh/pam_ssh.c b/crypto/openssh/pam_ssh/pam_ssh.c
new file mode 100644
index 0000000..cdf2e55
--- /dev/null
+++ b/crypto/openssh/pam_ssh/pam_ssh.c
@@ -0,0 +1,496 @@
+/*-
+ * Copyright (c) 1999, 2000 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ *
+ */
+
+
+#include <sys/param.h>
+#include <sys/queue.h>
+
+#include <fcntl.h>
+#include <paths.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	PAM_SM_AUTH
+#define	PAM_SM_SESSION
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#include <openssl/dsa.h>
+
+#include "includes.h"
+#include "rsa.h"
+#include "key.h"
+#include "ssh.h"
+#include "authfd.h"
+#include "authfile.h"
+
+#define	MODULE_NAME	"pam_ssh"
+#define	NEED_PASSPHRASE	"Need passphrase for %s (%s).\nEnter passphrase: "
+#define	PATH_SSH_AGENT	"/usr/bin/ssh-agent"
+
+
+void
+rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		RSA_free(data);
+}
+
+
+void
+ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		free(data);
+}
+
+
+/*
+ * The following set of functions allow the module to manipulate the
+ * environment without calling the putenv() or setenv() stdlib functions.
+ * At least one version of these functions, on the first call, copies
+ * the environment into dynamically-allocated memory and then augments
+ * it.  On subsequent calls, the realloc() call is used to grow the
+ * previously allocated buffer.  Problems arise when the "environ"
+ * variable is changed to point to static memory after putenv()/setenv()
+ * have been called.
+ * 
+ * We don't use putenv() or setenv() in case the application subsequently
+ * manipulates environ, (e.g., to clear the environment by pointing
+ * environ at an array of one element equal to NULL).
+ */
+
+SLIST_HEAD(env_head, env_entry);
+
+struct env_entry {
+	char			*ee_env;
+	SLIST_ENTRY(env_entry)	 ee_entries;
+};
+
+typedef struct env {
+	char		**e_environ_orig;
+	char		**e_environ_new;
+	int		  e_count;
+	struct env_head	  e_head;
+	int		  e_committed;
+} ENV;
+
+extern char **environ;
+
+
+static ENV *
+env_new(void)
+{
+	ENV	*self;
+
+	if (!(self = malloc(sizeof (ENV)))) {
+		syslog(LOG_CRIT, "%m");
+		return NULL;
+	}
+	SLIST_INIT(&self->e_head);
+	self->e_count = 0;
+	self->e_committed = 0;
+	return self;
+}
+
+
+static int
+env_put(ENV *self, char *s)
+{
+	struct env_entry	*env;
+
+	if (!(env = malloc(sizeof (struct env_entry))) ||
+	    !(env->ee_env = strdup(s))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	SLIST_INSERT_HEAD(&self->e_head, env, ee_entries);
+	++self->e_count;
+	return PAM_SUCCESS;
+}
+
+
+static void
+env_swap(ENV *self, int which)
+{
+	environ = which ? self->e_environ_new : self->e_environ_orig;
+}
+
+
+static int
+env_commit(ENV *self)
+{
+	int			  n;
+	struct env_entry	 *p;
+	char 			**v;
+
+	for (v = environ, n = 0; v && *v; v++, n++)
+		;
+	if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	self->e_committed = 1;
+	(void)memcpy(v, environ, n * sizeof (char *));
+	SLIST_FOREACH(p, &self->e_head, ee_entries)
+		v[n++] = p->ee_env;
+	v[n] = NULL;
+	self->e_environ_orig = environ;
+	self->e_environ_new = v;
+	env_swap(self, 1);
+	return PAM_SUCCESS;
+}
+
+
+static void
+env_destroy(ENV *self)
+{
+	struct env_entry	 *p;
+
+	env_swap(self, 0);
+	SLIST_FOREACH(p, &self->e_head, ee_entries) {
+		free(p->ee_env);
+		free(p);
+	}
+	if (self->e_committed)
+		free(self->e_environ_new);
+	free(self);
+}
+
+
+void
+env_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		env_destroy(data);
+}
+
+
+typedef struct passwd PASSWD;
+
+PAM_EXTERN int
+pam_sm_authenticate(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	char		*comment_priv;		/* on private key */
+	char		*comment_pub;		/* on public key */
+	char		*identity;		/* user's identity file */
+	Key		 key;			/* user's private key */
+	int		 options;		/* module options */
+	const char	*pass;			/* passphrase */
+	char		*prompt;		/* passphrase prompt */
+	Key		 public_key;		/* user's public key */
+	const PASSWD	*pwent;			/* user's passwd entry */
+	PASSWD		*pwent_keep;		/* our own copy */
+	int		 retval;		/* from calls */
+	uid_t		 saved_uid;		/* caller's uid */
+	const char	*user;			/* username */
+
+	options = 0;
+	while (argc--)
+		pam_std_option(&options, *argv++);
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if (!((pwent = getpwnam(user)) && pwent->pw_dir)) {
+		/* delay? */
+		return PAM_AUTH_ERR;
+	}
+	/* locate the user's private key file */
+	if (!asprintf(&identity, "%s/%s", pwent->pw_dir,
+	    SSH_CLIENT_IDENTITY)) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		return PAM_SERVICE_ERR;
+	}
+	/*
+	 * Fail unless we can load the public key.  Change to the
+	 * owner's UID to appease load_public_key().
+	 */
+	key.type = KEY_RSA;
+	key.rsa = RSA_new();
+	public_key.type = KEY_RSA;
+	public_key.rsa = RSA_new();
+	saved_uid = getuid();
+	(void)setreuid(pwent->pw_uid, saved_uid);
+	retval = load_public_key(identity, &public_key, &comment_pub);
+	(void)setuid(saved_uid);
+	if (!retval) {
+		free(identity);
+		return PAM_AUTH_ERR;
+	}
+	RSA_free(public_key.rsa);
+	/* build the passphrase prompt */
+	retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub);
+	free(comment_pub);
+	if (!retval) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		free(identity);
+		return PAM_SERVICE_ERR;
+	}
+	/* pass prompt message to application and receive passphrase */
+	retval = pam_get_pass(pamh, &pass, prompt, options);
+	free(prompt);
+	if (retval != PAM_SUCCESS) {
+		free(identity);
+		return retval;
+	}
+	/*
+	 * Try to decrypt the private key with the passphrase provided.
+	 * If success, the user is authenticated.
+	 */
+	(void)setreuid(pwent->pw_uid, saved_uid);
+	retval = load_private_key(identity, pass, &key, &comment_priv);
+	free(identity);
+	(void)setuid(saved_uid);
+	if (!retval)
+		return PAM_AUTH_ERR;
+	/*
+	 * Save the key and comment to pass to ssh-agent in the session
+	 * phase.
+	 */
+	if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa,
+	    rsa_cleanup)) != PAM_SUCCESS) {
+		RSA_free(key.rsa);
+		free(comment_priv);
+		return retval;
+	}
+	if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(comment_priv);
+		return retval;
+	}
+	/*
+	 * Copy the passwd entry (in case successive calls are made)
+	 * and save it for the session phase.
+	 */
+	if (!(pwent_keep = malloc(sizeof *pwent))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	(void)memcpy(pwent_keep, pwent, sizeof *pwent_keep);
+	if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(pwent_keep);
+		return retval;
+	}
+	return PAM_SUCCESS;
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	return PAM_SUCCESS;
+}
+
+
+typedef AuthenticationConnection AC;
+
+PAM_EXTERN int
+pam_sm_open_session(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	AC		*ac;			/* to ssh-agent */
+	char		*comment;		/* on private key */
+	char		*env_end;		/* end of env */
+	char		*env_file;		/* to store env */
+	FILE		*env_fp;		/* env_file handle */
+	Key		 key;			/* user's private key */
+	FILE		*pipe;			/* ssh-agent handle */
+	const PASSWD	*pwent;			/* user's passwd entry */
+	int		 retval;		/* from calls */
+	uid_t		 saved_uid;		/* caller's uid */
+	ENV		*ssh_env;		/* env handle */
+	const char	*tty;			/* tty or display name */
+	char		 hname[MAXHOSTNAMELEN];	/* local hostname */
+	char		 parse[BUFSIZ];		/* commands output */
+
+	/* dump output of ssh-agent in ~/.ssh */
+	if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
+	    (const void **)&pwent)) != PAM_SUCCESS)
+		return retval;
+	/* use the tty or X display name in the filename */
+	if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
+	    != PAM_SUCCESS)
+		return retval;
+	if (*tty == ':' && gethostname(hname, sizeof hname) == 0) {
+		if (asprintf(&env_file, "%s/.ssh/agent-%s%s",
+		    pwent->pw_dir, hname, tty) == -1) {
+			syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+			return PAM_SERVICE_ERR;
+		}
+	} else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir,
+	    tty) == -1) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		return PAM_SERVICE_ERR;
+	}
+	/* save the filename so we can delete the file on session close */
+	if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(env_file);
+		return retval;
+	}
+	/* start the agent as the user */
+	saved_uid = geteuid();
+	(void)seteuid(pwent->pw_uid);
+	env_fp = fopen(env_file, "w");
+	pipe = popen(PATH_SSH_AGENT, "r");
+	(void)seteuid(saved_uid);
+	if (!pipe) {
+		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+		if (env_fp)
+			(void)fclose(env_fp);
+		return PAM_SESSION_ERR;
+	}
+	if (!(ssh_env = env_new()))
+		return PAM_SESSION_ERR;
+	if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env,
+	    env_cleanup)) != PAM_SUCCESS)
+		return retval;
+	while (fgets(parse, sizeof parse, pipe)) {
+		if (env_fp)
+			(void)fputs(parse, env_fp);
+		/*
+		 * Save environment for application with pam_putenv()
+		 * but also with env_* functions for our own call to
+		 * ssh_get_authentication_connection().
+		 */
+		if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) {
+			*env_end = '\0';
+			/* pass to the application ... */
+			if (!((retval = pam_putenv(pamh, parse)) ==
+			    PAM_SUCCESS)) {
+				(void)pclose(pipe);
+				if (env_fp)
+					(void)fclose(env_fp);
+				env_destroy(ssh_env);
+				return PAM_SERVICE_ERR;
+			}
+			env_put(ssh_env, parse);
+		}
+	}
+	if (env_fp)
+		(void)fclose(env_fp);
+	switch (retval = pclose(pipe)) {
+	case -1:
+		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	case 0:
+		break;
+	case 127:
+		syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	default:
+		syslog(LOG_ERR, "%s: %s exited with status %d",
+		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	}
+	key.type = KEY_RSA;
+	/* connect to the agent and hand off the private key */
+	if ((retval = pam_get_data(pamh, "ssh_private_key",
+	    (const void **)&key.rsa)) != PAM_SUCCESS ||
+	    (retval = pam_get_data(pamh, "ssh_key_comment",
+	    (const void **)&comment)) != PAM_SUCCESS ||
+	    (retval = env_commit(ssh_env)) != PAM_SUCCESS) {
+		env_destroy(ssh_env);
+		return retval;
+	}
+	if (!(ac = ssh_get_authentication_connection())) {
+		syslog(LOG_ERR, "%s: could not connect to agent",
+		    MODULE_NAME);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	}
+	retval = ssh_add_identity(ac, key.rsa, comment);
+	ssh_close_authentication_connection(ac);
+	env_swap(ssh_env, 0);
+	return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
+}
+
+
+PAM_EXTERN int
+pam_sm_close_session(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	const char	*env_file;	/* ssh-agent environment */
+	int	 	 retval;	/* from calls */
+	ENV		*ssh_env;	/* env handle */
+
+	if ((retval = pam_get_data(pamh, "ssh_env_handle",
+	    (const void **)&ssh_env)) != PAM_SUCCESS)
+		return retval;
+	env_swap(ssh_env, 1);
+	/* kill the agent */
+	retval = system(PATH_SSH_AGENT " -k");
+	env_destroy(ssh_env);
+	switch (retval) {
+	case -1:
+		syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		return PAM_SESSION_ERR;
+	case 0:
+		break;
+	case 127:
+		syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		return PAM_SESSION_ERR;
+	default:
+		syslog(LOG_ERR, "%s: %s -k exited with status %d",
+		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+		return PAM_SESSION_ERR;
+	}
+	/* retrieve environment filename, then remove the file */
+	if ((retval = pam_get_data(pamh, "ssh_agent_env",
+	    (const void **)&env_file)) != PAM_SUCCESS)
+		return retval;
+	(void)unlink(env_file);
+	return PAM_SUCCESS;
+}
+
+
+PAM_MODULE_ENTRY(MODULE_NAME);
diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c
new file mode 100644
index 0000000..d14a03f
--- /dev/null
+++ b/crypto/openssh/pty.c
@@ -0,0 +1,282 @@
+/*
+ *
+ * pty.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 17 04:37:25 1995 ylo
+ *
+ * Allocating a pseudo-terminal, and making it the controlling tty.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: pty.c,v 1.13 2000/04/14 10:30:32 markus Exp $");
+
+#ifdef __FreeBSD__
+#include <libutil.h>
+#else
+#include <util.h>
+#endif /* __FreeBSD__ */
+#include "pty.h"
+#include "ssh.h"
+
+/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
+#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
+#undef HAVE_DEV_PTMX
+#endif
+
+#ifndef O_NOCTTY
+#define O_NOCTTY 0
+#endif
+
+/*
+ * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
+ * nonzero if a pty was successfully allocated.  On success, open file
+ * descriptors for the pty and tty sides and the name of the tty side are
+ * returned (the buffer must be able to hold at least 64 characters).
+ */
+
+int
+pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
+{
+#if defined(HAVE_OPENPTY) || defined(BSD4_4)
+	/* openpty(3) exists in OSF/1 and some other os'es */
+	char buf[64];
+	int i;
+
+	i = openpty(ptyfd, ttyfd, buf, NULL, NULL);
+	if (i < 0) {
+		error("openpty: %.100s", strerror(errno));
+		return 0;
+	}
+	strlcpy(namebuf, buf, namebuflen);	/* possible truncation */
+	return 1;
+#else /* HAVE_OPENPTY */
+#ifdef HAVE__GETPTY
+	/*
+	 * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
+	 * pty's automagically when needed
+	 */
+	char *slave;
+
+	slave = _getpty(ptyfd, O_RDWR, 0622, 0);
+	if (slave == NULL) {
+		error("_getpty: %.100s", strerror(errno));
+		return 0;
+	}
+	strlcpy(namebuf, slave, namebuflen);
+	/* Open the slave side. */
+	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("%.200s: %.100s", namebuf, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	return 1;
+#else /* HAVE__GETPTY */
+#ifdef HAVE_DEV_PTMX
+	/*
+	 * This code is used e.g. on Solaris 2.x.  (Note that Solaris 2.3
+	 * also has bsd-style ptys, but they simply do not work.)
+	 */
+	int ptm;
+	char *pts;
+
+	ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY);
+	if (ptm < 0) {
+		error("/dev/ptmx: %.100s", strerror(errno));
+		return 0;
+	}
+	if (grantpt(ptm) < 0) {
+		error("grantpt: %.100s", strerror(errno));
+		return 0;
+	}
+	if (unlockpt(ptm) < 0) {
+		error("unlockpt: %.100s", strerror(errno));
+		return 0;
+	}
+	pts = ptsname(ptm);
+	if (pts == NULL)
+		error("Slave pty side name could not be obtained.");
+	strlcpy(namebuf, pts, namebuflen);
+	*ptyfd = ptm;
+
+	/* Open the slave side. */
+	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("%.100s: %.100s", namebuf, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	/* Push the appropriate streams modules, as described in Solaris pts(7). */
+	if (ioctl(*ttyfd, I_PUSH, "ptem") < 0)
+		error("ioctl I_PUSH ptem: %.100s", strerror(errno));
+	if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0)
+		error("ioctl I_PUSH ldterm: %.100s", strerror(errno));
+	if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0)
+		error("ioctl I_PUSH ttcompat: %.100s", strerror(errno));
+	return 1;
+#else /* HAVE_DEV_PTMX */
+#ifdef HAVE_DEV_PTS_AND_PTC
+	/* AIX-style pty code. */
+	const char *name;
+
+	*ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY);
+	if (*ptyfd < 0) {
+		error("Could not open /dev/ptc: %.100s", strerror(errno));
+		return 0;
+	}
+	name = ttyname(*ptyfd);
+	if (!name)
+		fatal("Open of /dev/ptc returns device for which ttyname fails.");
+	strlcpy(namebuf, name, namebuflen);
+	*ttyfd = open(name, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("Could not open pty slave side %.100s: %.100s",
+		      name, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	return 1;
+#else /* HAVE_DEV_PTS_AND_PTC */
+	/* BSD-style pty code. */
+	char buf[64];
+	int i;
+	const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	const char *ptyminors = "0123456789abcdef";
+	int num_minors = strlen(ptyminors);
+	int num_ptys = strlen(ptymajors) * num_minors;
+
+	for (i = 0; i < num_ptys; i++) {
+		snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
+			 ptyminors[i % num_minors]);
+		*ptyfd = open(buf, O_RDWR | O_NOCTTY);
+		if (*ptyfd < 0)
+			continue;
+		snprintf(namebuf, namebuflen, "/dev/tty%c%c",
+		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
+
+		/* Open the slave side. */
+		*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+		if (*ttyfd < 0) {
+			error("%.100s: %.100s", namebuf, strerror(errno));
+			close(*ptyfd);
+			return 0;
+		}
+		return 1;
+	}
+	return 0;
+#endif /* HAVE_DEV_PTS_AND_PTC */
+#endif /* HAVE_DEV_PTMX */
+#endif /* HAVE__GETPTY */
+#endif /* HAVE_OPENPTY */
+}
+
+/* Releases the tty.  Its ownership is returned to root, and permissions to 0666. */
+
+void
+pty_release(const char *ttyname)
+{
+	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
+		error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno));
+	if (chmod(ttyname, (mode_t) 0666) < 0)
+		error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
+}
+
+/* Makes the tty the processes controlling tty and sets it to sane modes. */
+
+void
+pty_make_controlling_tty(int *ttyfd, const char *ttyname)
+{
+	int fd;
+
+	/* First disconnect from the old controlling tty. */
+#ifdef TIOCNOTTY
+	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+	if (fd >= 0) {
+		(void) ioctl(fd, TIOCNOTTY, NULL);
+		close(fd);
+	}
+#endif /* TIOCNOTTY */
+	if (setsid() < 0)
+		error("setsid: %.100s", strerror(errno));
+
+	/*
+	 * Verify that we are successfully disconnected from the controlling
+	 * tty.
+	 */
+	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+	if (fd >= 0) {
+		error("Failed to disconnect from controlling tty.");
+		close(fd);
+	}
+	/* Make it our controlling tty. */
+#ifdef TIOCSCTTY
+	debug("Setting controlling tty using TIOCSCTTY.");
+	/*
+	 * We ignore errors from this, because HPSUX defines TIOCSCTTY, but
+	 * returns EINVAL with these arguments, and there is absolutely no
+	 * documentation.
+	 */
+	ioctl(*ttyfd, TIOCSCTTY, NULL);
+#endif /* TIOCSCTTY */
+	fd = open(ttyname, O_RDWR);
+	if (fd < 0)
+		error("%.100s: %.100s", ttyname, strerror(errno));
+	else
+		close(fd);
+
+	/* Verify that we now have a controlling tty. */
+	fd = open("/dev/tty", O_WRONLY);
+	if (fd < 0)
+		error("open /dev/tty failed - could not set controlling tty: %.100s",
+		      strerror(errno));
+	else {
+		close(fd);
+	}
+}
+
+/* Changes the window size associated with the pty. */
+
+void
+pty_change_window_size(int ptyfd, int row, int col,
+		       int xpixel, int ypixel)
+{
+	struct winsize w;
+	w.ws_row = row;
+	w.ws_col = col;
+	w.ws_xpixel = xpixel;
+	w.ws_ypixel = ypixel;
+	(void) ioctl(ptyfd, TIOCSWINSZ, &w);
+}
+
+void
+pty_setowner(struct passwd *pw, const char *ttyname)
+{
+	struct group *grp;
+	gid_t gid;
+	mode_t mode;
+
+	/* Determine the group to make the owner of the tty. */
+	grp = getgrnam("tty");
+	if (grp) {
+		gid = grp->gr_gid;
+		mode = S_IRUSR | S_IWUSR | S_IWGRP;
+	} else {
+		gid = pw->pw_gid;
+		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+	}
+
+	/* Change ownership of the tty. */
+	if (chown(ttyname, pw->pw_uid, gid) < 0)
+		fatal("chown(%.100s, %d, %d) failed: %.100s",
+		    ttyname, pw->pw_uid, gid, strerror(errno));
+	if (chmod(ttyname, mode) < 0)
+		fatal("chmod(%.100s, 0%o) failed: %.100s",
+		    ttyname, mode, strerror(errno));
+}
diff --git a/crypto/openssh/pty.h b/crypto/openssh/pty.h
new file mode 100644
index 0000000..a5f9cb2
--- /dev/null
+++ b/crypto/openssh/pty.h
@@ -0,0 +1,48 @@
+/*
+ *
+ * pty.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 17 05:03:28 1995 ylo
+ *
+ * Functions for allocating a pseudo-terminal and making it the controlling
+ * tty.
+ */
+
+/* RCSID("$Id: pty.h,v 1.6 2000/04/14 10:30:32 markus Exp $"); */
+
+#ifndef PTY_H
+#define PTY_H
+
+/*
+ * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
+ * nonzero if a pty was successfully allocated.  On success, open file
+ * descriptors for the pty and tty sides and the name of the tty side are
+ * returned (the buffer must be able to hold at least 64 characters).
+ */
+int     pty_allocate(int *ptyfd, int *ttyfd, char *ttyname, int ttynamelen);
+
+/*
+ * Releases the tty.  Its ownership is returned to root, and permissions to
+ * 0666.
+ */
+void    pty_release(const char *ttyname);
+
+/*
+ * Makes the tty the processes controlling tty and sets it to sane modes.
+ * This may need to reopen the tty to get rid of possible eavesdroppers.
+ */
+void    pty_make_controlling_tty(int *ttyfd, const char *ttyname);
+
+/* Changes the window size associated with the pty. */
+void
+pty_change_window_size(int ptyfd, int row, int col,
+    int xpixel, int ypixel);
+
+void	pty_setowner(struct passwd *pw, const char *ttyname);
+
+#endif				/* PTY_H */
diff --git a/crypto/openssh/radix.c b/crypto/openssh/radix.c
new file mode 100644
index 0000000..0337733
--- /dev/null
+++ b/crypto/openssh/radix.c
@@ -0,0 +1,192 @@
+/*
+ *   radix.c
+ *
+ *   Dug Song <dugsong@UMICH.EDU>
+ */
+
+#include "includes.h"
+#include "uuencode.h"
+
+#ifdef AFS
+#include <krb.h>
+
+typedef unsigned char my_u_char;
+typedef unsigned int my_u_int32_t;
+typedef unsigned short my_u_short;
+
+/* Nasty macros from BIND-4.9.2 */
+
+#define GETSHORT(s, cp) { \
+	register my_u_char *t_cp = (my_u_char*)(cp); \
+	(s) = (((my_u_short)t_cp[0]) << 8) \
+	    | (((my_u_short)t_cp[1])) \
+	    ; \
+	(cp) += 2; \
+}
+
+#define GETLONG(l, cp) { \
+	register my_u_char *t_cp = (my_u_char*)(cp); \
+	(l) = (((my_u_int32_t)t_cp[0]) << 24) \
+	    | (((my_u_int32_t)t_cp[1]) << 16) \
+	    | (((my_u_int32_t)t_cp[2]) << 8) \
+	    | (((my_u_int32_t)t_cp[3])) \
+	    ; \
+	(cp) += 4; \
+}
+
+#define PUTSHORT(s, cp) { \
+	register my_u_short t_s = (my_u_short)(s); \
+	register my_u_char *t_cp = (my_u_char*)(cp); \
+	*t_cp++ = t_s >> 8; \
+	*t_cp   = t_s; \
+	(cp) += 2; \
+}
+
+#define PUTLONG(l, cp) { \
+	register my_u_int32_t t_l = (my_u_int32_t)(l); \
+	register my_u_char *t_cp = (my_u_char*)(cp); \
+	*t_cp++ = t_l >> 24; \
+	*t_cp++ = t_l >> 16; \
+	*t_cp++ = t_l >> 8; \
+	*t_cp   = t_l; \
+	(cp) += 4; \
+}
+
+#define GETSTRING(s, p, p_l) {			\
+    register char* p_targ = (p) + p_l;		\
+    register char* s_c = (s);			\
+    register char* p_c = (p);			\
+    while (*p_c && (p_c < p_targ)) {		\
+	*s_c++ = *p_c++;			\
+    }						\
+    if (p_c == p_targ) {			\
+	return 1;				\
+    }						\
+    *s_c = *p_c++;				\
+    (p_l) = (p_l) - (p_c - (p));		\
+    (p) = p_c;					\
+}
+
+
+int
+creds_to_radix(CREDENTIALS *creds, unsigned char *buf, size_t buflen)
+{
+	char *p, *s;
+	int len;
+	char temp[2048];
+
+	p = temp;
+	*p++ = 1;		/* version */
+	s = creds->service;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->instance;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->realm;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+
+	s = creds->pname;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->pinst;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	/* Null string to repeat the realm. */
+	*p++ = '\0';
+
+	PUTLONG(creds->issue_date, p);
+	{
+		unsigned int endTime;
+		endTime = (unsigned int) krb_life_to_time(creds->issue_date,
+							  creds->lifetime);
+		PUTLONG(endTime, p);
+	}
+
+	memcpy(p, &creds->session, sizeof(creds->session));
+	p += sizeof(creds->session);
+
+	PUTSHORT(creds->kvno, p);
+	PUTLONG(creds->ticket_st.length, p);
+
+	memcpy(p, creds->ticket_st.dat, creds->ticket_st.length);
+	p += creds->ticket_st.length;
+	len = p - temp;
+
+	return (uuencode((unsigned char *)temp, len, (char *)buf, buflen));
+}
+
+int
+radix_to_creds(const char *buf, CREDENTIALS *creds)
+{
+
+	char *p;
+	int len, tl;
+	char version;
+	char temp[2048];
+
+	len = uudecode(buf, (unsigned char *)temp, sizeof(temp));
+	if (len < 0)
+		return 0;
+
+	p = temp;
+
+	/* check version and length! */
+	if (len < 1)
+		return 0;
+	version = *p;
+	p++;
+	len--;
+
+	GETSTRING(creds->service, p, len);
+	GETSTRING(creds->instance, p, len);
+	GETSTRING(creds->realm, p, len);
+
+	GETSTRING(creds->pname, p, len);
+	GETSTRING(creds->pinst, p, len);
+	/* Ignore possibly different realm. */
+	while (*p && len)
+		p++, len--;
+	if (len == 0)
+		return 0;
+	p++, len--;
+
+	/* Enough space for remaining fixed-length parts? */
+	if (len < (4 + 4 + sizeof(creds->session) + 2 + 4))
+		return 0;
+
+	GETLONG(creds->issue_date, p);
+	len -= 4;
+	{
+		unsigned int endTime;
+		GETLONG(endTime, p);
+		len -= 4;
+		creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
+	}
+
+	memcpy(&creds->session, p, sizeof(creds->session));
+	p += sizeof(creds->session);
+	len -= sizeof(creds->session);
+
+	GETSHORT(creds->kvno, p);
+	len -= 2;
+	GETLONG(creds->ticket_st.length, p);
+	len -= 4;
+
+	tl = creds->ticket_st.length;
+	if (tl < 0 || tl > len || tl > sizeof(creds->ticket_st.dat))
+		return 0;
+
+	memcpy(creds->ticket_st.dat, p, tl);
+	p += tl;
+	len -= tl;
+
+	return 1;
+}
+#endif /* AFS */
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
new file mode 100644
index 0000000..887d151
--- /dev/null
+++ b/crypto/openssh/readconf.c
@@ -0,0 +1,812 @@
+/*
+ *
+ * readconf.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Apr 22 00:03:10 1995 ylo
+ *
+ * Functions for reading the configuration files.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: readconf.c,v 1.33 2000/05/29 20:20:46 markus Exp $");
+
+#include "ssh.h"
+#include "cipher.h"
+#include "readconf.h"
+#include "match.h"
+#include "xmalloc.h"
+#include "compat.h"
+
+/* Format of the configuration file:
+
+   # Configuration data is parsed as follows:
+   #  1. command line options
+   #  2. user-specific file
+   #  3. system-wide file
+   # Any configuration value is only changed the first time it is set.
+   # Thus, host-specific definitions should be at the beginning of the
+   # configuration file, and defaults at the end.
+
+   # Host-specific declarations.  These may override anything above.  A single
+   # host may match multiple declarations; these are processed in the order
+   # that they are given in.
+
+   Host *.ngs.fi ngs.fi
+     FallBackToRsh no
+
+   Host fake.com
+     HostName another.host.name.real.org
+     User blaah
+     Port 34289
+     ForwardX11 no
+     ForwardAgent no
+
+   Host books.com
+     RemoteForward 9999 shadows.cs.hut.fi:9999
+     Cipher 3des
+
+   Host fascist.blob.com
+     Port 23123
+     User tylonen
+     RhostsAuthentication no
+     PasswordAuthentication no
+
+   Host puukko.hut.fi
+     User t35124p
+     ProxyCommand ssh-proxy %h %p
+
+   Host *.fr
+     UseRsh yes
+
+   Host *.su
+     Cipher none
+     PasswordAuthentication no
+
+   # Defaults for various options
+   Host *
+     ForwardAgent no
+     ForwardX11 yes
+     RhostsAuthentication yes
+     PasswordAuthentication yes
+     RSAAuthentication yes
+     RhostsRSAAuthentication yes
+     FallBackToRsh no
+     UseRsh no
+     StrictHostKeyChecking yes
+     KeepAlives no
+     IdentityFile ~/.ssh/identity
+     Port 22
+     EscapeChar ~
+
+*/
+
+/* Keyword tokens. */
+
+typedef enum {
+	oBadOption,
+	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
+	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+	oSkeyAuthentication,
+#ifdef KRB4
+	oKrb4Authentication,
+#endif /* KRB4 */
+#ifdef KRB5
+	oKrb5Authentication, oKrb5TgtPassing,
+#endif /* KRB5 */
+#ifdef AFS
+	oKrb4TgtPassing, oAFSTokenPassing,
+#endif
+	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
+	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
+	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
+	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
+	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication,
+	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2,
+	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication
+} OpCodes;
+
+/* Textual representations of the tokens. */
+
+static struct {
+	const char *name;
+	OpCodes opcode;
+} keywords[] = {
+	{ "forwardagent", oForwardAgent },
+	{ "forwardx11", oForwardX11 },
+	{ "gatewayports", oGatewayPorts },
+	{ "useprivilegedport", oUsePrivilegedPort },
+	{ "rhostsauthentication", oRhostsAuthentication },
+	{ "passwordauthentication", oPasswordAuthentication },
+	{ "rsaauthentication", oRSAAuthentication },
+	{ "dsaauthentication", oDSAAuthentication },
+	{ "skeyauthentication", oSkeyAuthentication },
+#ifdef KRB4
+	{ "kerberos4authentication", oKrb4Authentication },
+#endif /* KRB4 */
+#ifdef KRB5
+	{ "kerberos5authentication", oKrb5Authentication },
+	{ "kerberos5tgtpassing", oKrb5TgtPassing },
+#endif /* KRB5 */
+#ifdef AFS
+	{ "kerberos4tgtpassing", oKrb4TgtPassing },
+	{ "afstokenpassing", oAFSTokenPassing },
+#endif
+	{ "fallbacktorsh", oFallBackToRsh },
+	{ "usersh", oUseRsh },
+	{ "identityfile", oIdentityFile },
+	{ "identityfile2", oIdentityFile2 },
+	{ "hostname", oHostName },
+	{ "proxycommand", oProxyCommand },
+	{ "port", oPort },
+	{ "cipher", oCipher },
+	{ "ciphers", oCiphers },
+	{ "protocol", oProtocol },
+	{ "remoteforward", oRemoteForward },
+	{ "localforward", oLocalForward },
+	{ "user", oUser },
+	{ "host", oHost },
+	{ "escapechar", oEscapeChar },
+	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
+	{ "globalknownhostsfile", oGlobalKnownHostsFile },
+	{ "userknownhostsfile", oUserKnownHostsFile },
+	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
+	{ "userknownhostsfile2", oUserKnownHostsFile2 },
+	{ "connectionattempts", oConnectionAttempts },
+	{ "batchmode", oBatchMode },
+	{ "checkhostip", oCheckHostIP },
+	{ "stricthostkeychecking", oStrictHostKeyChecking },
+	{ "compression", oCompression },
+	{ "compressionlevel", oCompressionLevel },
+	{ "keepalive", oKeepAlives },
+	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
+	{ "tisauthentication", oTISAuthentication },
+	{ "loglevel", oLogLevel },
+	{ NULL, 0 }
+};
+
+/* Characters considered whitespace in strtok calls. */
+#define WHITESPACE " \t\r\n"
+
+
+/*
+ * Adds a local TCP/IP port forward to options.  Never returns if there is an
+ * error.
+ */
+
+void
+add_local_forward(Options *options, u_short port, const char *host,
+		  u_short host_port)
+{
+	Forward *fwd;
+	extern uid_t original_real_uid;
+	if (port < IPPORT_RESERVED && original_real_uid != 0)
+		fatal("Privileged ports can only be forwarded by root.\n");
+	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
+	fwd = &options->local_forwards[options->num_local_forwards++];
+	fwd->port = port;
+	fwd->host = xstrdup(host);
+	fwd->host_port = host_port;
+}
+
+/*
+ * Adds a remote TCP/IP port forward to options.  Never returns if there is
+ * an error.
+ */
+
+void
+add_remote_forward(Options *options, u_short port, const char *host,
+		   u_short host_port)
+{
+	Forward *fwd;
+	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("Too many remote forwards (max %d).",
+		      SSH_MAX_FORWARDS_PER_DIRECTION);
+	fwd = &options->remote_forwards[options->num_remote_forwards++];
+	fwd->port = port;
+	fwd->host = xstrdup(host);
+	fwd->host_port = host_port;
+}
+
+/*
+ * Returns the number of the token pointed to by cp of length len. Never
+ * returns if the token is not known.
+ */
+
+static OpCodes
+parse_token(const char *cp, const char *filename, int linenum)
+{
+	unsigned int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
+		filename, linenum, cp);
+	return oBadOption;
+}
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+ */
+
+int
+process_config_line(Options *options, const char *host,
+		    char *line, const char *filename, int linenum,
+		    int *activep)
+{
+	char buf[256], *cp, *string, **charptr, *cp2;
+	int opcode, *intptr, value;
+	u_short fwd_port, fwd_host_port;
+
+	/* Skip leading whitespace. */
+	cp = line + strspn(line, WHITESPACE);
+	if (!*cp || *cp == '\n' || *cp == '#')
+		return 0;
+
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
+	cp = strtok(cp, WHITESPACE);
+	opcode = parse_token(cp, filename, linenum);
+
+	switch (opcode) {
+	case oBadOption:
+		/* don't panic, but count bad options */
+		return -1;
+		/* NOTREACHED */
+	case oForwardAgent:
+		intptr = &options->forward_agent;
+parse_flag:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcmp(cp, "yes") == 0 || strcmp(cp, "true") == 0)
+			value = 1;
+		else if (strcmp(cp, "no") == 0 || strcmp(cp, "false") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oForwardX11:
+		intptr = &options->forward_x11;
+		goto parse_flag;
+
+	case oGatewayPorts:
+		intptr = &options->gateway_ports;
+		goto parse_flag;
+
+	case oUsePrivilegedPort:
+		intptr = &options->use_privileged_port;
+		goto parse_flag;
+
+	case oRhostsAuthentication:
+		intptr = &options->rhosts_authentication;
+		goto parse_flag;
+
+	case oPasswordAuthentication:
+		intptr = &options->password_authentication;
+		goto parse_flag;
+
+	case oDSAAuthentication:
+		intptr = &options->dsa_authentication;
+		goto parse_flag;
+
+	case oRSAAuthentication:
+		intptr = &options->rsa_authentication;
+		goto parse_flag;
+
+	case oRhostsRSAAuthentication:
+		intptr = &options->rhosts_rsa_authentication;
+		goto parse_flag;
+
+	case oTISAuthentication:
+		/* fallthrough, there is no difference on the client side */
+	case oSkeyAuthentication:
+		intptr = &options->skey_authentication;
+		goto parse_flag;
+
+#ifdef KRB4
+	case oKrb4Authentication:
+		intptr = &options->krb4_authentication;
+		goto parse_flag;
+#endif /* KRB4 */
+
+#ifdef KRB5
+	case oKrb5Authentication:
+		intptr = &options->krb5_authentication;
+		goto parse_flag;
+
+	case oKrb5TgtPassing:
+		intptr = &options->krb5_tgt_passing;
+		goto parse_flag;
+#endif /* KRB5 */
+
+#ifdef AFS
+	case oKrb4TgtPassing:
+		intptr = &options->krb4_tgt_passing;
+		goto parse_flag;
+
+	case oAFSTokenPassing:
+		intptr = &options->afs_token_passing;
+		goto parse_flag;
+#endif
+
+	case oFallBackToRsh:
+		intptr = &options->fallback_to_rsh;
+		goto parse_flag;
+
+	case oUseRsh:
+		intptr = &options->use_rsh;
+		goto parse_flag;
+
+	case oBatchMode:
+		intptr = &options->batch_mode;
+		goto parse_flag;
+
+	case oCheckHostIP:
+		intptr = &options->check_host_ip;
+		goto parse_flag;
+
+	case oStrictHostKeyChecking:
+		intptr = &options->strict_host_key_checking;
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing yes/no argument.",
+			      filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcmp(cp, "yes") == 0 || strcmp(cp, "true") == 0)
+			value = 1;
+		else if (strcmp(cp, "no") == 0 || strcmp(cp, "false") == 0)
+			value = 0;
+		else if (strcmp(cp, "ask") == 0)
+			value = 2;
+		else
+			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oCompression:
+		intptr = &options->compression;
+		goto parse_flag;
+
+	case oKeepAlives:
+		intptr = &options->keepalives;
+		goto parse_flag;
+
+	case oNumberOfPasswordPrompts:
+		intptr = &options->number_of_password_prompts;
+		goto parse_int;
+
+	case oCompressionLevel:
+		intptr = &options->compression_level;
+		goto parse_int;
+
+	case oIdentityFile:
+	case oIdentityFile2:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*activep) {
+			intptr = (opcode == oIdentityFile) ?
+			    &options->num_identity_files :
+			    &options->num_identity_files2;
+			if (*intptr >= SSH_MAX_IDENTITY_FILES)
+				fatal("%.200s line %d: Too many identity files specified (max %d).",
+				      filename, linenum, SSH_MAX_IDENTITY_FILES);
+			charptr = (opcode == oIdentityFile) ?
+			    &options->identity_files[*intptr] :
+			    &options->identity_files2[*intptr];
+			*charptr = xstrdup(cp);
+			*intptr = *intptr + 1;
+		}
+		break;
+
+	case oUser:
+		charptr = &options->user;
+parse_string:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(cp);
+		break;
+
+	case oGlobalKnownHostsFile:
+		charptr = &options->system_hostfile;
+		goto parse_string;
+
+	case oUserKnownHostsFile:
+		charptr = &options->user_hostfile;
+		goto parse_string;
+
+	case oGlobalKnownHostsFile2:
+		charptr = &options->system_hostfile2;
+		goto parse_string;
+
+	case oUserKnownHostsFile2:
+		charptr = &options->user_hostfile2;
+		goto parse_string;
+
+	case oHostName:
+		charptr = &options->hostname;
+		goto parse_string;
+
+	case oProxyCommand:
+		charptr = &options->proxy_command;
+		string = xstrdup("");
+		while ((cp = strtok(NULL, WHITESPACE)) != NULL) {
+			string = xrealloc(string, strlen(string) + strlen(cp) + 2);
+			strcat(string, " ");
+			strcat(string, cp);
+		}
+		if (*activep && *charptr == NULL)
+			*charptr = string;
+		else
+			xfree(string);
+		return 0;
+
+	case oPort:
+		intptr = &options->port;
+parse_int:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (cp[0] < '0' || cp[0] > '9')
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+
+		/* Octal, decimal, or hex format? */
+		value = strtol(cp, &cp2, 0);
+		if (cp == cp2)
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oConnectionAttempts:
+		intptr = &options->connection_attempts;
+		goto parse_int;
+
+	case oCipher:
+		intptr = &options->cipher;
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		value = cipher_number(cp);
+		if (value == -1)
+			fatal("%.200s line %d: Bad cipher '%s'.",
+			      filename, linenum, cp ? cp : "<NONE>");
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oCiphers:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (!ciphers_valid(cp))
+			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
+			      filename, linenum, cp ? cp : "<NONE>");
+		if (*activep && options->ciphers == NULL)
+			options->ciphers = xstrdup(cp);
+		break;
+
+	case oProtocol:
+		intptr = &options->protocol;
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		value = proto_spec(cp);
+		if (value == SSH_PROTO_UNKNOWN)
+			fatal("%.200s line %d: Bad protocol spec '%s'.",
+			      filename, linenum, cp ? cp : "<NONE>");
+		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
+			*intptr = value;
+		break;
+
+	case oLogLevel:
+		intptr = (int *) &options->log_level;
+		cp = strtok(NULL, WHITESPACE);
+		value = log_level_number(cp);
+		if (value == (LogLevel) - 1)
+			fatal("%.200s line %d: unsupported log level '%s'\n",
+			      filename, linenum, cp ? cp : "<NONE>");
+		if (*activep && (LogLevel) * intptr == -1)
+			*intptr = (LogLevel) value;
+		break;
+
+	case oRemoteForward:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (cp[0] < '0' || cp[0] > '9')
+			fatal("%.200s line %d: Badly formatted port number.",
+			      filename, linenum);
+		fwd_port = atoi(cp);
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing second argument.",
+			      filename, linenum);
+		if (sscanf(cp, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
+			fatal("%.200s line %d: Badly formatted host:port.",
+			      filename, linenum);
+		if (*activep)
+			add_remote_forward(options, fwd_port, buf, fwd_host_port);
+		break;
+
+	case oLocalForward:
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (cp[0] < '0' || cp[0] > '9')
+			fatal("%.200s line %d: Badly formatted port number.",
+			      filename, linenum);
+		fwd_port = atoi(cp);
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing second argument.",
+			      filename, linenum);
+		if (sscanf(cp, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
+			fatal("%.200s line %d: Badly formatted host:port.",
+			      filename, linenum);
+		if (*activep)
+			add_local_forward(options, fwd_port, buf, fwd_host_port);
+		break;
+
+	case oHost:
+		*activep = 0;
+		while ((cp = strtok(NULL, WHITESPACE)) != NULL)
+			if (match_pattern(host, cp)) {
+				debug("Applying options for %.100s", cp);
+				*activep = 1;
+				break;
+			}
+		/* Avoid garbage check below, as strtok already returned NULL. */
+		return 0;
+
+	case oEscapeChar:
+		intptr = &options->escape_char;
+		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (cp[0] == '^' && cp[2] == 0 &&
+		    (unsigned char) cp[1] >= 64 && (unsigned char) cp[1] < 128)
+			value = (unsigned char) cp[1] & 31;
+		else if (strlen(cp) == 1)
+			value = (unsigned char) cp[0];
+		else if (strcmp(cp, "none") == 0)
+			value = -2;
+		else {
+			fatal("%.200s line %d: Bad escape character.",
+			      filename, linenum);
+			/* NOTREACHED */
+			value = 0;	/* Avoid compiler warning. */
+		}
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	default:
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
+	}
+
+	/* Check that there is no garbage at end of line. */
+	if (strtok(NULL, WHITESPACE) != NULL)
+		fatal("%.200s line %d: garbage at end of line.",
+		      filename, linenum);
+	return 0;
+}
+
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns immediately.
+ */
+
+void
+read_config_file(const char *filename, const char *host, Options *options)
+{
+	FILE *f;
+	char line[1024];
+	int active, linenum;
+	int bad_options = 0;
+
+	/* Open the file. */
+	f = fopen(filename, "r");
+	if (!f)
+		return;
+
+	debug("Reading configuration data %.200s", filename);
+
+	/*
+	 * Mark that we are now processing the options.  This flag is turned
+	 * on/off by Host specifications.
+	 */
+	active = 1;
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		/* Update line number counter. */
+		linenum++;
+		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
+			bad_options++;
+	}
+	fclose(f);
+	if (bad_options > 0)
+		fatal("%s: terminating, %d bad configuration options\n",
+		      filename, bad_options);
+}
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+
+void
+initialize_options(Options * options)
+{
+	memset(options, 'X', sizeof(*options));
+	options->forward_agent = -1;
+	options->forward_x11 = -1;
+	options->gateway_ports = -1;
+	options->use_privileged_port = -1;
+	options->rhosts_authentication = -1;
+	options->rsa_authentication = -1;
+	options->dsa_authentication = -1;
+	options->skey_authentication = -1;
+#ifdef KRB4
+	options->krb4_authentication = -1;
+#endif
+#ifdef KRB5
+	options->krb5_authentication = -1;
+	options->krb5_tgt_passing = -1;
+#endif /* KRB5 */
+#ifdef AFS
+	options->krb4_tgt_passing = -1;
+	options->afs_token_passing = -1;
+#endif
+	options->password_authentication = -1;
+	options->rhosts_rsa_authentication = -1;
+	options->fallback_to_rsh = -1;
+	options->use_rsh = -1;
+	options->batch_mode = -1;
+	options->check_host_ip = -1;
+	options->strict_host_key_checking = -1;
+	options->compression = -1;
+	options->keepalives = -1;
+	options->compression_level = -1;
+	options->port = -1;
+	options->connection_attempts = -1;
+	options->number_of_password_prompts = -1;
+	options->cipher = -1;
+	options->ciphers = NULL;
+	options->protocol = SSH_PROTO_UNKNOWN;
+	options->num_identity_files = 0;
+	options->num_identity_files2 = 0;
+	options->hostname = NULL;
+	options->proxy_command = NULL;
+	options->user = NULL;
+	options->escape_char = -1;
+	options->system_hostfile = NULL;
+	options->user_hostfile = NULL;
+	options->system_hostfile2 = NULL;
+	options->user_hostfile2 = NULL;
+	options->num_local_forwards = 0;
+	options->num_remote_forwards = 0;
+	options->log_level = (LogLevel) - 1;
+}
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+
+void
+fill_default_options(Options * options)
+{
+	if (options->forward_agent == -1)
+		options->forward_agent = 0;
+	if (options->forward_x11 == -1)
+		options->forward_x11 = 0;
+	if (options->gateway_ports == -1)
+		options->gateway_ports = 0;
+	if (options->use_privileged_port == -1)
+		options->use_privileged_port = 1;
+	if (options->rhosts_authentication == -1)
+		options->rhosts_authentication = 1;
+	if (options->rsa_authentication == -1)
+		options->rsa_authentication = 1;
+	if (options->dsa_authentication == -1)
+		options->dsa_authentication = 1;
+	if (options->skey_authentication == -1)
+		options->skey_authentication = 0;
+#ifdef KRB4
+	if (options->krb4_authentication == -1)
+		options->krb4_authentication = 1;
+#endif /* KRB4 */
+#ifdef KRB5
+	if (options->krb5_authentication == -1)
+		options->krb5_authentication = 1;
+	if (options->krb5_tgt_passing == -1)
+		options->krb5_tgt_passing = 1;
+#endif /* KRB5 */
+#ifdef AFS
+	if (options->krb4_tgt_passing == -1)
+		options->krb4_tgt_passing = 1;
+	if (options->afs_token_passing == -1)
+		options->afs_token_passing = 1;
+#endif /* AFS */
+	if (options->password_authentication == -1)
+		options->password_authentication = 1;
+	if (options->rhosts_rsa_authentication == -1)
+		options->rhosts_rsa_authentication = 1;
+	if (options->fallback_to_rsh == -1)
+		options->fallback_to_rsh = 0;
+	if (options->use_rsh == -1)
+		options->use_rsh = 0;
+	if (options->batch_mode == -1)
+		options->batch_mode = 0;
+	if (options->check_host_ip == -1)
+		options->check_host_ip = 0;
+	if (options->strict_host_key_checking == -1)
+		options->strict_host_key_checking = 2;	/* 2 is default */
+	if (options->compression == -1)
+		options->compression = 0;
+	if (options->keepalives == -1)
+		options->keepalives = 1;
+	if (options->compression_level == -1)
+		options->compression_level = 6;
+	if (options->port == -1)
+		options->port = 0;	/* Filled in ssh_connect. */
+	if (options->connection_attempts == -1)
+		options->connection_attempts = 4;
+	if (options->number_of_password_prompts == -1)
+		options->number_of_password_prompts = 3;
+	/* Selected in ssh_login(). */
+	if (options->cipher == -1)
+		options->cipher = SSH_CIPHER_NOT_SET;
+	/* options->ciphers, default set in myproposals.h */
+	if (options->protocol == SSH_PROTO_UNKNOWN)
+		options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED;
+	if (options->num_identity_files == 0) {
+		options->identity_files[0] =
+			xmalloc(2 + strlen(SSH_CLIENT_IDENTITY) + 1);
+		sprintf(options->identity_files[0], "~/%.100s", SSH_CLIENT_IDENTITY);
+		options->num_identity_files = 1;
+	}
+	if (options->num_identity_files2 == 0) {
+		options->identity_files2[0] =
+			xmalloc(2 + strlen(SSH_CLIENT_ID_DSA) + 1);
+		sprintf(options->identity_files2[0], "~/%.100s", SSH_CLIENT_ID_DSA);
+		options->num_identity_files2 = 1;
+	}
+	if (options->escape_char == -1)
+		options->escape_char = '~';
+	if (options->system_hostfile == NULL)
+		options->system_hostfile = SSH_SYSTEM_HOSTFILE;
+	if (options->user_hostfile == NULL)
+		options->user_hostfile = SSH_USER_HOSTFILE;
+	if (options->system_hostfile2 == NULL)
+		options->system_hostfile2 = SSH_SYSTEM_HOSTFILE2;
+	if (options->user_hostfile2 == NULL)
+		options->user_hostfile2 = SSH_USER_HOSTFILE2;
+	if (options->log_level == (LogLevel) - 1)
+		options->log_level = SYSLOG_LEVEL_INFO;
+	/* options->proxy_command should not be set by default */
+	/* options->user will be set in the main program if appropriate */
+	/* options->hostname will be set in the main program if appropriate */
+}
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
new file mode 100644
index 0000000..d7f44be
--- /dev/null
+++ b/crypto/openssh/readconf.h
@@ -0,0 +1,151 @@
+/*
+ *
+ * readconf.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Apr 22 00:25:29 1995 ylo
+ *
+ * Functions for reading the configuration file.
+ *
+ * $FreeBSD$
+ */
+
+/* RCSID("$Id: readconf.h,v 1.18 2000/05/08 17:12:15 markus Exp $"); */
+
+#ifndef READCONF_H
+#define READCONF_H
+
+/* Data structure for representing a forwarding request. */
+
+typedef struct {
+	u_short	  port;		/* Port to forward. */
+	char	 *host;		/* Host to connect. */
+	u_short	  host_port;	/* Port to connect on host. */
+}       Forward;
+/* Data structure for representing option data. */
+
+typedef struct {
+	int     forward_agent;	/* Forward authentication agent. */
+	int     forward_x11;	/* Forward X11 display. */
+	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
+	int     use_privileged_port;	/* Don't use privileged port if false. */
+	int     rhosts_authentication;	/* Try rhosts authentication. */
+	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
+						 * authentication. */
+	int     rsa_authentication;	/* Try RSA authentication. */
+	int     dsa_authentication;	/* Try DSA authentication. */
+	int     skey_authentication;	/* Try S/Key or TIS authentication. */
+#ifdef KRB4
+	int     krb4_authentication;		/* Try Kerberos v4
+						 * authentication. */
+#endif
+
+#ifdef KRB5
+	int	krb5_authentication;
+	int	krb5_tgt_passing;
+#endif /* KRB5 */
+
+#ifdef AFS
+	int     krb4_tgt_passing;	/* Try Kerberos v4 tgt passing. */
+	int     afs_token_passing;	/* Try AFS token passing. */
+#endif
+	int     password_authentication;	/* Try password
+						 * authentication. */
+	int     fallback_to_rsh;/* Use rsh if cannot connect with ssh. */
+	int     use_rsh;	/* Always use rsh (don\'t try ssh). */
+	int     batch_mode;	/* Batch mode: do not ask for passwords. */
+	int     check_host_ip;	/* Also keep track of keys for IP address */
+	int     strict_host_key_checking;	/* Strict host key checking. */
+	int     compression;	/* Compress packets in both directions. */
+	int     compression_level;	/* Compression level 1 (fast) to 9
+					 * (best). */
+	int     keepalives;	/* Set SO_KEEPALIVE. */
+	LogLevel log_level;	/* Level for logging. */
+
+	int     port;		/* Port to connect. */
+	int     connection_attempts;	/* Max attempts (seconds) before
+					 * giving up */
+	int     number_of_password_prompts;	/* Max number of password
+						 * prompts. */
+	int     cipher;		/* Cipher to use. */
+	char   *ciphers;	/* SSH2 ciphers in order of preference. */
+	int	protocol;	/* Protocol in order of preference. */
+	char   *hostname;	/* Real host to connect. */
+	char   *proxy_command;	/* Proxy command for connecting the host. */
+	char   *user;		/* User to log in as. */
+	int     escape_char;	/* Escape character; -2 = none */
+
+	char   *system_hostfile;/* Path for /etc/ssh_known_hosts. */
+	char   *user_hostfile;	/* Path for $HOME/.ssh/known_hosts. */
+	char   *system_hostfile2;
+	char   *user_hostfile2;
+
+	int     num_identity_files;	/* Number of files for RSA identities. */
+	int     num_identity_files2;	/* DSA identities. */
+	char   *identity_files[SSH_MAX_IDENTITY_FILES];
+	char   *identity_files2[SSH_MAX_IDENTITY_FILES];
+
+	/* Local TCP/IP forward requests. */
+	int     num_local_forwards;
+	Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
+
+	/* Remote TCP/IP forward requests. */
+	int     num_remote_forwards;
+	Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
+}       Options;
+
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+void    initialize_options(Options * options);
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+void    fill_default_options(Options * options);
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set. Returns 0 for legal
+ * options
+ */
+int
+process_config_line(Options * options, const char *host,
+    char *line, const char *filename, int linenum,
+    int *activep);
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns immediately.
+ */
+void
+read_config_file(const char *filename, const char *host,
+    Options * options);
+
+/*
+ * Adds a local TCP/IP port forward to options.  Never returns if there is an
+ * error.
+ */
+void
+add_local_forward(Options * options, u_short port, const char *host,
+    u_short host_port);
+
+/*
+ * Adds a remote TCP/IP port forward to options.  Never returns if there is
+ * an error.
+ */
+void
+add_remote_forward(Options * options, u_short port, const char *host,
+    u_short host_port);
+
+#endif				/* READCONF_H */
diff --git a/crypto/openssh/readpass.c b/crypto/openssh/readpass.c
new file mode 100644
index 0000000..85d88f8
--- /dev/null
+++ b/crypto/openssh/readpass.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 1988, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$Id: readpass.c,v 1.10 2000/04/14 10:30:32 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+
+volatile int intr;
+
+void
+intcatch()
+{
+	intr = 1;
+}
+
+/*
+ * Reads a passphrase from /dev/tty with echo turned off.  Returns the
+ * passphrase (allocated with xmalloc), being very careful to ensure that
+ * no other userland buffer is storing the password.
+ */
+char *
+read_passphrase(const char *prompt, int from_stdin)
+{
+	char buf[1024], *p, ch;
+	struct termios tio, saved_tio;
+	sigset_t oset, nset;
+	struct sigaction sa, osa;
+	int input, output, echo = 0;
+
+	if (from_stdin) {
+		input = STDIN_FILENO;
+		output = STDERR_FILENO;
+	} else
+		input = output = open("/dev/tty", O_RDWR);
+
+	if (input == -1)
+		fatal("You have no controlling tty.  Cannot read passphrase.\n");
+
+	/* block signals, get terminal modes and turn off echo */
+	sigemptyset(&nset);
+	sigaddset(&nset, SIGTSTP);
+	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = intcatch;
+	(void) sigaction(SIGINT, &sa, &osa);
+
+	intr = 0;
+
+	if (tcgetattr(input, &saved_tio) == 0 && (saved_tio.c_lflag & ECHO)) {
+		echo = 1;
+		tio = saved_tio;
+		tio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
+		(void) tcsetattr(input, TCSANOW, &tio);
+	}
+
+	fflush(stdout);
+
+	(void)write(output, prompt, strlen(prompt));
+	for (p = buf; read(input, &ch, 1) == 1 && ch != '\n';) {
+		if (intr)
+			break;
+		if (p < buf + sizeof(buf) - 1)
+			*p++ = ch;
+	}
+	*p = '\0';
+	if (!intr)
+		(void)write(output, "\n", 1);
+
+	/* restore terminal modes and allow signals */
+	if (echo)
+		tcsetattr(input, TCSANOW, &saved_tio);
+	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
+	(void) sigaction(SIGINT, &osa, NULL);
+
+	if (intr) {
+		kill(getpid(), SIGINT);
+		sigemptyset(&nset);
+		/* XXX tty has not neccessarily drained by now? */
+		sigsuspend(&nset);
+	}
+
+	if (!from_stdin)
+		(void)close(input);
+	p = xstrdup(buf);
+	memset(buf, 0, sizeof(buf));
+	return (p);
+}
diff --git a/crypto/openssh/rsa.c b/crypto/openssh/rsa.c
new file mode 100644
index 0000000..725da1b
--- /dev/null
+++ b/crypto/openssh/rsa.c
@@ -0,0 +1,176 @@
+/*
+ *
+ * rsa.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar  3 22:07:06 1995 ylo
+ *
+ * Description of the RSA algorithm can be found e.g. from the following sources:
+ *
+ *   Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.
+ *
+ *   Jennifer Seberry and Josed Pieprzyk: Cryptography: An Introduction to
+ *   Computer Security.  Prentice-Hall, 1989.
+ *
+ *   Man Young Rhee: Cryptography and Secure Data Communications.  McGraw-Hill,
+ *   1994.
+ *
+ *   R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic Communications
+ *   System and Method.  US Patent 4,405,829, 1983.
+ *
+ *   Hans Riesel: Prime Numbers and Computer Methods for Factorization.
+ *   Birkhauser, 1994.
+ *
+ *   The RSA Frequently Asked Questions document by RSA Data Security, Inc., 1995.
+ *
+ *   RSA in 3 lines of perl by Adam Back <aba@atlax.ex.ac.uk>, 1995, as included
+ *   below:
+ *
+ *     [gone - had to be deleted - what a pity]
+ *
+ * $FreeBSD$
+*/
+
+#include "includes.h"
+RCSID("$Id: rsa.c,v 1.14 2000/04/14 10:30:32 markus Exp $");
+
+#include "rsa.h"
+#include "ssh.h"
+#include "xmalloc.h"
+
+int rsa_verbose = 1;
+
+int
+rsa_alive()
+{
+	RSA *key;
+
+	key = RSA_generate_key(32, 3, NULL, NULL);
+	if (key == NULL)
+		return (0);
+	RSA_free(key);
+	return (1);
+}
+
+/*
+ * Generates RSA public and private keys.  This initializes the data
+ * structures; they should be freed with rsa_clear_private_key and
+ * rsa_clear_public_key.
+ */
+
+void
+rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits)
+{
+	RSA *key;
+
+	if (rsa_verbose) {
+		printf("Generating RSA keys:  ");
+		fflush(stdout);
+	}
+	key = RSA_generate_key(bits, 35, NULL, NULL);
+	if (key == NULL)
+		fatal("rsa_generate_key: key generation failed.");
+
+	/* Copy public key parameters */
+	pub->n = BN_new();
+	BN_copy(pub->n, key->n);
+	pub->e = BN_new();
+	BN_copy(pub->e, key->e);
+
+	/* Copy private key parameters */
+	prv->n = BN_new();
+	BN_copy(prv->n, key->n);
+	prv->e = BN_new();
+	BN_copy(prv->e, key->e);
+	prv->d = BN_new();
+	BN_copy(prv->d, key->d);
+	prv->p = BN_new();
+	BN_copy(prv->p, key->p);
+	prv->q = BN_new();
+	BN_copy(prv->q, key->q);
+
+	prv->dmp1 = BN_new();
+	BN_copy(prv->dmp1, key->dmp1);
+
+	prv->dmq1 = BN_new();
+	BN_copy(prv->dmq1, key->dmq1);
+
+	prv->iqmp = BN_new();
+	BN_copy(prv->iqmp, key->iqmp);
+
+	RSA_free(key);
+
+	if (rsa_verbose)
+		printf("Key generation complete.\n");
+}
+
+void
+rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
+{
+	unsigned char *inbuf, *outbuf;
+	int len, ilen, olen;
+
+	if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
+		fatal("rsa_public_encrypt() exponent too small or not odd");
+
+	olen = BN_num_bytes(key->n);
+	outbuf = xmalloc(olen);
+
+	ilen = BN_num_bytes(in);
+	inbuf = xmalloc(ilen);
+	BN_bn2bin(in, inbuf);
+
+	if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key,
+	    RSA_PKCS1_PADDING)) <= 0)
+	    if (BN_num_bits(key->n) > 1024 && RSA_libversion() == RSALIB_RSAREF)
+		fatal("rsa_private_encrypt() failed: RSAREF cannot handle keys larger than 1024 bits.");
+	    else
+		fatal("rsa_private_encrypt() failed.");
+
+	BN_bin2bn(outbuf, len, out);
+
+	memset(outbuf, 0, olen);
+	memset(inbuf, 0, ilen);
+	xfree(outbuf);
+	xfree(inbuf);
+}
+
+void
+rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
+{
+	unsigned char *inbuf, *outbuf;
+	int len, ilen, olen;
+
+	olen = BN_num_bytes(key->n);
+	outbuf = xmalloc(olen);
+
+	ilen = BN_num_bytes(in);
+	inbuf = xmalloc(ilen);
+	BN_bn2bin(in, inbuf);
+
+	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
+	    RSA_PKCS1_PADDING)) <= 0)
+	    if (BN_num_bits(key->n) > 1024 && RSA_libversion() == RSALIB_RSAREF)
+		fatal("rsa_private_decrypt() failed: RSAREF cannot handle keys larger than 1024 bits.");
+	    else
+		fatal("rsa_private_decrypt() failed.");
+
+	BN_bin2bn(outbuf, len, out);
+
+	memset(outbuf, 0, olen);
+	memset(inbuf, 0, ilen);
+	xfree(outbuf);
+	xfree(inbuf);
+}
+
+/* Set whether to output verbose messages during key generation. */
+
+void
+rsa_set_verbose(int verbose)
+{
+	rsa_verbose = verbose;
+}
diff --git a/crypto/openssh/rsa.h b/crypto/openssh/rsa.h
new file mode 100644
index 0000000..878e9b0
--- /dev/null
+++ b/crypto/openssh/rsa.h
@@ -0,0 +1,39 @@
+/*
+ *
+ * rsa.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar  3 22:01:06 1995 ylo
+ *
+ * RSA key generation, encryption and decryption.
+ *
+ * $FreeBSD$
+*/
+
+/* RCSID("$Id: rsa.h,v 1.6 2000/04/14 10:30:32 markus Exp $"); */
+
+#ifndef RSA_H
+#define RSA_H
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+/* Calls SSL RSA_generate_key, only copies to prv and pub */
+void    rsa_generate_key(RSA * prv, RSA * pub, unsigned int bits);
+
+/*
+ * Indicates whether the rsa module is permitted to show messages on the
+ * terminal.
+ */
+void rsa_set_verbose __P((int verbose));
+
+int rsa_alive __P((void));
+
+void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
+void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
+
+#endif				/* RSA_H */
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
new file mode 100644
index 0000000..51de6c5
--- /dev/null
+++ b/crypto/openssh/scp.1
@@ -0,0 +1,123 @@
+.\"  -*- nroff -*-
+.\"
+.\" scp.1
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sun May  7 00:14:37 1995 ylo
+.\"
+.\" $Id: scp.1,v 1.7 2000/04/12 21:47:50 aaron Exp $
+.\"
+.Dd September 25, 1999
+.Dt SCP 1
+.Os
+.Sh NAME
+.Nm scp
+.Nd secure copy (remote file copy program)
+.Sh SYNOPSIS
+.Nm scp
+.Op Fl pqrvC46
+.Op Fl P Ar port
+.Op Fl c Ar cipher
+.Op Fl i Ar identity_file
+.Sm off
+.Oo
+.Op Ar user@
+.Ar host1 No :
+.Oc Ns Ar file1
+.Sm on
+.Op Ar ...
+.Sm off
+.Oo
+.Op Ar user@
+.Ar host2 No :
+.Oc Ar file2
+.Sm on
+.Sh DESCRIPTION
+.Nm
+copies files between hosts on a network.
+It uses
+.Xr ssh 1
+for data transfer, and uses the same authentication and provides the
+same security as
+.Xr ssh 1 .
+Unlike
+.Xr rcp 1 ,
+.Nm
+will ask for passwords or passphrases if they are needed for
+authentication.
+.Pp
+Any file name may contain a host and user specification to indicate
+that the file is to be copied to/from that host.
+Copies between two remote hosts are permitted.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl c Ar cipher
+Selects the cipher to use for encrypting the data transfer.
+This option is directly passed to
+.Xr ssh 1 .
+.It Fl i Ar identity_file
+Selects the file from which the identity (private key) for RSA
+authentication is read.
+This option is directly passed to
+.Xr ssh 1 .
+.It Fl p
+Preserves modification times, access times, and modes from the
+original file.
+.It Fl r
+Recursively copy entire directories.
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+and
+.Xr ssh 1
+to print debugging messages about their progress.
+This is helpful in
+debugging connection, authentication, and configuration problems.
+.It Fl B
+Selects batch mode (prevents asking for passwords or passphrases).
+.It Fl q
+Disables the progress meter.
+.It Fl C
+Compression enable.
+Passes the
+.Fl C
+flag to
+.Xr ssh 1
+to enable compression.
+.It Fl P Ar port
+Specifies the port to connect to on the remote host.
+Note that this option is written with a capital
+.Sq P ,
+because
+.Fl p
+is already reserved for preserving the times and modes of the file in
+.Xr rcp 1 .
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.Sh AUTHORS
+Timo Rinne <tri@iki.fi> and Tatu Ylonen <ylo@cs.hut.fi>
+.Sh HISTORY
+.Nm
+is based on the
+.Xr rcp 1
+program in BSD source code from the Regents of the University of
+California.
+.Sh SEE ALSO
+.Xr rcp 1 ,
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
new file mode 100644
index 0000000..491a789
--- /dev/null
+++ b/crypto/openssh/scp.c
@@ -0,0 +1,1251 @@
+/*
+ *
+ * scp - secure remote copy.  This is basically patched BSD rcp which uses ssh
+ * to do the data transfer (instead of using rcmd).
+ *
+ * NOTE: This version should NOT be suid root.  (This uses ssh to do the transfer
+ * and ssh has the necessary privileges.)
+ *
+ * 1995 Timo Rinne <tri@iki.fi>, Tatu Ylonen <ylo@cs.hut.fi>
+ *
+*/
+
+/*
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include "includes.h"
+RCSID("$Id: scp.c,v 1.30 2000/05/02 18:21:48 deraadt Exp $");
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include <utime.h>
+
+#define _PATH_CP "cp"
+
+/* For progressmeter() -- number of seconds before xfer considered "stalled" */
+#define STALLTIME	5
+
+/* Visual statistics about files as they are transferred. */
+void progressmeter(int);
+
+/* Returns width of the terminal (for progress meter calculations). */
+int getttywidth(void);
+
+/* Time a transfer started. */
+static struct timeval start;
+
+/* Number of bytes of current file transferred so far. */
+volatile unsigned long statbytes;
+
+/* Total size of current file. */
+off_t totalbytes = 0;
+
+/* Name of current file being transferred. */
+char *curfile;
+
+/* This is set to non-zero if IPv4 is desired. */
+int IPv4 = 0;
+
+/* This is set to non-zero if IPv6 is desired. */
+int IPv6 = 0;
+
+/* This is set to non-zero to enable verbose mode. */
+int verbose_mode = 0;
+
+/* This is set to non-zero if compression is desired. */
+int compress = 0;
+
+/* This is set to zero if the progressmeter is not desired. */
+int showprogress = 1;
+
+/* This is set to non-zero if running in batch mode (that is, password
+   and passphrase queries are not allowed). */
+int batchmode = 0;
+
+/* This is set to the cipher type string if given on the command line. */
+char *cipher = NULL;
+
+/* This is set to the RSA authentication identity file name if given on
+   the command line. */
+char *identity = NULL;
+
+/* This is the port to use in contacting the remote site (is non-NULL). */
+char *port = NULL;
+
+/*
+ * This function executes the given command as the specified user on the
+ * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
+ * assigns the input and output file descriptors on success.
+ */
+
+int
+do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
+{
+	int pin[2], pout[2], reserved[2];
+
+	if (verbose_mode)
+		fprintf(stderr, "Executing: host %s, user %s, command %s\n",
+			host, remuser ? remuser : "(unspecified)", cmd);
+
+	/*
+	 * Reserve two descriptors so that the real pipes won't get
+	 * descriptors 0 and 1 because that will screw up dup2 below.
+	 */
+	pipe(reserved);
+
+	/* Create a socket pair for communicating with ssh. */
+	if (pipe(pin) < 0)
+		fatal("pipe: %s", strerror(errno));
+	if (pipe(pout) < 0)
+		fatal("pipe: %s", strerror(errno));
+
+	/* Free the reserved descriptors. */
+	close(reserved[0]);
+	close(reserved[1]);
+
+	/* For a child to execute the command on the remote host using ssh. */
+	if (fork() == 0) {
+		char *args[100];
+		unsigned int i;
+
+		/* Child. */
+		close(pin[1]);
+		close(pout[0]);
+		dup2(pin[0], 0);
+		dup2(pout[1], 1);
+		close(pin[0]);
+		close(pout[1]);
+
+		i = 0;
+		args[i++] = SSH_PROGRAM;
+		args[i++] = "-x";
+		args[i++] = "-oFallBackToRsh no";
+		if (IPv4)
+			args[i++] = "-4";
+		if (IPv6)
+			args[i++] = "-6";
+		args[i++] = "-oFallBackToRsh no";
+		if (verbose_mode)
+			args[i++] = "-v";
+		if (compress)
+			args[i++] = "-C";
+		if (batchmode)
+			args[i++] = "-oBatchMode yes";
+		if (cipher != NULL) {
+			args[i++] = "-c";
+			args[i++] = cipher;
+		}
+		if (identity != NULL) {
+			args[i++] = "-i";
+			args[i++] = identity;
+		}
+		if (port != NULL) {
+			args[i++] = "-p";
+			args[i++] = port;
+		}
+		if (remuser != NULL) {
+			args[i++] = "-l";
+			args[i++] = remuser;
+		}
+		args[i++] = host;
+		args[i++] = cmd;
+		args[i++] = NULL;
+
+		execvp(SSH_PROGRAM, args);
+		perror(SSH_PROGRAM);
+		exit(1);
+	}
+	/* Parent.  Close the other side, and return the local side. */
+	close(pin[0]);
+	*fdout = pin[1];
+	close(pout[1]);
+	*fdin = pout[0];
+	return 0;
+}
+
+void
+fatal(const char *fmt,...)
+{
+	va_list ap;
+	char buf[1024];
+
+	va_start(ap, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+	fprintf(stderr, "%s\n", buf);
+	exit(255);
+}
+
+/* This stuff used to be in BSD rcp extern.h. */
+
+typedef struct {
+	int cnt;
+	char *buf;
+} BUF;
+
+extern int iamremote;
+
+BUF *allocbuf(BUF *, int, int);
+char *colon(char *);
+void lostconn(int);
+void nospace(void);
+int okname(char *);
+void run_err(const char *,...);
+void verifydir(char *);
+
+/* Stuff from BSD rcp.c continues. */
+
+struct passwd *pwd;
+uid_t userid;
+int errs, remin, remout;
+int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+#define	CMDNEEDS	64
+char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+
+int response(void);
+void rsource(char *, struct stat *);
+void sink(int, char *[]);
+void source(int, char *[]);
+void tolocal(int, char *[]);
+void toremote(char *, int, char *[]);
+void usage(void);
+
+int
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int ch, fflag, tflag;
+	char *targ;
+	extern char *optarg;
+	extern int optind;
+
+	fflag = tflag = 0;
+	while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF)
+		switch (ch) {
+		/* User-visible flags. */
+		case '4':
+			IPv4 = 1;
+			break;
+		case '6':
+			IPv6 = 1;
+			break;
+		case 'p':
+			pflag = 1;
+			break;
+		case 'P':
+			port = optarg;
+			break;
+		case 'r':
+			iamrecursive = 1;
+			break;
+		/* Server options. */
+		case 'd':
+			targetshouldbedirectory = 1;
+			break;
+		case 'f':	/* "from" */
+			iamremote = 1;
+			fflag = 1;
+			break;
+		case 't':	/* "to" */
+			iamremote = 1;
+			tflag = 1;
+			break;
+		case 'c':
+			cipher = optarg;
+			break;
+		case 'i':
+			identity = optarg;
+			break;
+		case 'v':
+			verbose_mode = 1;
+			break;
+		case 'B':
+			batchmode = 1;
+			break;
+		case 'C':
+			compress = 1;
+			break;
+		case 'q':
+			showprogress = 0;
+			break;
+		case '?':
+		default:
+			usage();
+		}
+	argc -= optind;
+	argv += optind;
+
+	if ((pwd = getpwuid(userid = getuid())) == NULL)
+		fatal("unknown user %d", (int) userid);
+
+	if (!isatty(STDERR_FILENO))
+		showprogress = 0;
+
+	remin = STDIN_FILENO;
+	remout = STDOUT_FILENO;
+
+	if (fflag) {	
+		/* Follow "protocol", send data. */
+		(void) response();
+		source(argc, argv);
+		exit(errs != 0);
+	}
+	if (tflag) {
+		/* Receive data. */
+		sink(argc, argv);
+		exit(errs != 0);
+	}
+	if (argc < 2)
+		usage();
+	if (argc > 2)
+		targetshouldbedirectory = 1;
+
+	remin = remout = -1;
+	/* Command to be executed on remote system using "ssh". */
+	(void) sprintf(cmd, "scp%s%s%s%s", verbose_mode ? " -v" : "",
+		       iamrecursive ? " -r" : "", pflag ? " -p" : "",
+		       targetshouldbedirectory ? " -d" : "");
+
+	(void) signal(SIGPIPE, lostconn);
+
+	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
+		toremote(targ, argc, argv);
+	else {
+		tolocal(argc, argv);	/* Dest is local host. */
+		if (targetshouldbedirectory)
+			verifydir(argv[argc - 1]);
+	}
+	exit(errs != 0);
+}
+
+char *
+cleanhostname(host)
+	char *host;
+{
+	if (*host == '[' && host[strlen(host) - 1] == ']') {
+		host[strlen(host) - 1] = '\0';
+		return (host + 1);
+	} else
+		return host;
+}
+
+void
+toremote(targ, argc, argv)
+	char *targ, *argv[];
+	int argc;
+{
+	int i, len;
+	char *bp, *host, *src, *suser, *thost, *tuser;
+
+	*targ++ = 0;
+	if (*targ == 0)
+		targ = ".";
+
+	if ((thost = strchr(argv[argc - 1], '@'))) {
+		/* user@host */
+		*thost++ = 0;
+		tuser = argv[argc - 1];
+		if (*tuser == '\0')
+			tuser = NULL;
+		else if (!okname(tuser))
+			exit(1);
+	} else {
+		thost = argv[argc - 1];
+		tuser = NULL;
+	}
+
+	for (i = 0; i < argc - 1; i++) {
+		src = colon(argv[i]);
+		if (src) {	/* remote to remote */
+			*src++ = 0;
+			if (*src == 0)
+				src = ".";
+			host = strchr(argv[i], '@');
+			len = strlen(SSH_PROGRAM) + strlen(argv[i]) +
+				strlen(src) + (tuser ? strlen(tuser) : 0) +
+				strlen(thost) + strlen(targ) + CMDNEEDS + 32;
+			bp = xmalloc(len);
+			if (host) {
+				*host++ = 0;
+				host = cleanhostname(host);
+				suser = argv[i];
+				if (*suser == '\0')
+					suser = pwd->pw_name;
+				else if (!okname(suser))
+					continue;
+				(void) sprintf(bp,
+					       "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'",
+					       SSH_PROGRAM, verbose_mode ? " -v" : "",
+					       suser, host, cmd, src,
+					       tuser ? tuser : "", tuser ? "@" : "",
+					       thost, targ);
+			} else {
+				host = cleanhostname(argv[i]);
+				(void) sprintf(bp,
+					       "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'",
+					       SSH_PROGRAM, verbose_mode ? " -v" : "",
+					       host, cmd, src,
+					       tuser ? tuser : "", tuser ? "@" : "",
+					       thost, targ);
+			}
+			if (verbose_mode)
+				fprintf(stderr, "Executing: %s\n", bp);
+			(void) system(bp);
+			(void) xfree(bp);
+		} else {	/* local to remote */
+			if (remin == -1) {
+				len = strlen(targ) + CMDNEEDS + 20;
+				bp = xmalloc(len);
+				(void) sprintf(bp, "%s -t %s", cmd, targ);
+				host = cleanhostname(thost);
+				if (do_cmd(host, tuser,
+					   bp, &remin, &remout) < 0)
+					exit(1);
+				if (response() < 0)
+					exit(1);
+				(void) xfree(bp);
+			}
+			source(1, argv + i);
+		}
+	}
+}
+
+void
+tolocal(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int i, len;
+	char *bp, *host, *src, *suser;
+
+	for (i = 0; i < argc - 1; i++) {
+		if (!(src = colon(argv[i]))) {	/* Local to local. */
+			len = strlen(_PATH_CP) + strlen(argv[i]) +
+				     strlen(argv[argc - 1]) + 20;
+			bp = xmalloc(len);
+			(void) sprintf(bp, "exec %s%s%s %s %s", _PATH_CP,
+				       iamrecursive ? " -r" : "", pflag ? " -p" : "",
+				       argv[i], argv[argc - 1]);
+			if (verbose_mode)
+				fprintf(stderr, "Executing: %s\n", bp);
+			if (system(bp))
+				++errs;
+			(void) xfree(bp);
+			continue;
+		}
+		*src++ = 0;
+		if (*src == 0)
+			src = ".";
+		if ((host = strchr(argv[i], '@')) == NULL) {
+			host = argv[i];
+			suser = NULL;
+		} else {
+			*host++ = 0;
+			suser = argv[i];
+			if (*suser == '\0')
+				suser = pwd->pw_name;
+			else if (!okname(suser))
+				continue;
+		}
+		host = cleanhostname(host);
+		len = strlen(src) + CMDNEEDS + 20;
+		bp = xmalloc(len);
+		(void) sprintf(bp, "%s -f %s", cmd, src);
+		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
+			(void) xfree(bp);
+			++errs;
+			continue;
+		}
+		xfree(bp);
+		sink(1, argv + argc - 1);
+		(void) close(remin);
+		remin = remout = -1;
+	}
+}
+
+void
+source(argc, argv)
+	int argc;
+	char *argv[];
+{
+	struct stat stb;
+	static BUF buffer;
+	BUF *bp;
+	off_t i;
+	int amt, fd, haderr, indx, result;
+	char *last, *name, buf[2048];
+
+	for (indx = 0; indx < argc; ++indx) {
+		name = argv[indx];
+		statbytes = 0;
+		if ((fd = open(name, O_RDONLY, 0)) < 0)
+			goto syserr;
+		if (fstat(fd, &stb) < 0) {
+syserr:			run_err("%s: %s", name, strerror(errno));
+			goto next;
+		}
+		switch (stb.st_mode & S_IFMT) {
+		case S_IFREG:
+			break;
+		case S_IFDIR:
+			if (iamrecursive) {
+				rsource(name, &stb);
+				goto next;
+			}
+			/* FALLTHROUGH */
+		default:
+			run_err("%s: not a regular file", name);
+			goto next;
+		}
+		if ((last = strrchr(name, '/')) == NULL)
+			last = name;
+		else
+			++last;
+		curfile = last;
+		if (pflag) {
+			/*
+			 * Make it compatible with possible future
+			 * versions expecting microseconds.
+			 */
+			(void) sprintf(buf, "T%lu 0 %lu 0\n",
+				       (unsigned long) stb.st_mtime,
+				       (unsigned long) stb.st_atime);
+			(void) atomicio(write, remout, buf, strlen(buf));
+			if (response() < 0)
+				goto next;
+		}
+#define	FILEMODEMASK	(S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
+		(void) sprintf(buf, "C%04o %lu %s\n",
+			     (unsigned int) (stb.st_mode & FILEMODEMASK),
+			       (unsigned long) stb.st_size,
+			       last);
+		if (verbose_mode) {
+			fprintf(stderr, "Sending file modes: %s", buf);
+			fflush(stderr);
+		}
+		(void) atomicio(write, remout, buf, strlen(buf));
+		if (response() < 0)
+			goto next;
+		if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
+next:			(void) close(fd);
+			continue;
+		}
+		if (showprogress) {
+			totalbytes = stb.st_size;
+			progressmeter(-1);
+		}
+		/* Keep writing after an error so that we stay sync'd up. */
+		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
+			amt = bp->cnt;
+			if (i + amt > stb.st_size)
+				amt = stb.st_size - i;
+			if (!haderr) {
+				result = atomicio(read, fd, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+			if (haderr)
+				(void) atomicio(write, remout, bp->buf, amt);
+			else {
+				result = atomicio(write, remout, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+				statbytes += result;
+			}
+		}
+		if (showprogress)
+			progressmeter(1);
+
+		if (close(fd) < 0 && !haderr)
+			haderr = errno;
+		if (!haderr)
+			(void) atomicio(write, remout, "", 1);
+		else
+			run_err("%s: %s", name, strerror(haderr));
+		(void) response();
+	}
+}
+
+void
+rsource(name, statp)
+	char *name;
+	struct stat *statp;
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *last, *vect[1], path[1100];
+
+	if (!(dirp = opendir(name))) {
+		run_err("%s: %s", name, strerror(errno));
+		return;
+	}
+	last = strrchr(name, '/');
+	if (last == 0)
+		last = name;
+	else
+		last++;
+	if (pflag) {
+		(void) sprintf(path, "T%lu 0 %lu 0\n",
+			       (unsigned long) statp->st_mtime,
+			       (unsigned long) statp->st_atime);
+		(void) atomicio(write, remout, path, strlen(path));
+		if (response() < 0) {
+			closedir(dirp);
+			return;
+		}
+	}
+	(void) sprintf(path, "D%04o %d %.1024s\n",
+		       (unsigned int) (statp->st_mode & FILEMODEMASK),
+		       0, last);
+	if (verbose_mode)
+		fprintf(stderr, "Entering directory: %s", path);
+	(void) atomicio(write, remout, path, strlen(path));
+	if (response() < 0) {
+		closedir(dirp);
+		return;
+	}
+	while ((dp = readdir(dirp))) {
+		if (dp->d_ino == 0)
+			continue;
+		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+			continue;
+		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		(void) sprintf(path, "%s/%s", name, dp->d_name);
+		vect[0] = path;
+		source(1, vect);
+	}
+	(void) closedir(dirp);
+	(void) atomicio(write, remout, "E\n", 2);
+	(void) response();
+}
+
+void
+sink(argc, argv)
+	int argc;
+	char *argv[];
+{
+	static BUF buffer;
+	struct stat stb;
+	enum {
+		YES, NO, DISPLAYED
+	} wrerr;
+	BUF *bp;
+	off_t i, j;
+	int amt, count, exists, first, mask, mode, ofd, omode;
+	int setimes, size, targisdir, wrerrno = 0;
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
+	struct utimbuf ut;
+	int dummy_usec;
+
+#define	SCREWUP(str)	{ why = str; goto screwup; }
+
+	setimes = targisdir = 0;
+	mask = umask(0);
+	if (!pflag)
+		(void) umask(mask);
+	if (argc != 1) {
+		run_err("ambiguous target");
+		exit(1);
+	}
+	targ = *argv;
+	if (targetshouldbedirectory)
+		verifydir(targ);
+
+	(void) atomicio(write, remout, "", 1);
+	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+		targisdir = 1;
+	for (first = 1;; first = 0) {
+		cp = buf;
+		if (atomicio(read, remin, cp, 1) <= 0)
+			return;
+		if (*cp++ == '\n')
+			SCREWUP("unexpected <newline>");
+		do {
+			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
+				SCREWUP("lost connection");
+			*cp++ = ch;
+		} while (cp < &buf[sizeof(buf) - 1] && ch != '\n');
+		*cp = 0;
+
+		if (buf[0] == '\01' || buf[0] == '\02') {
+			if (iamremote == 0)
+				(void) atomicio(write, STDERR_FILENO,
+					     buf + 1, strlen(buf + 1));
+			if (buf[0] == '\02')
+				exit(1);
+			++errs;
+			continue;
+		}
+		if (buf[0] == 'E') {
+			(void) atomicio(write, remout, "", 1);
+			return;
+		}
+		if (ch == '\n')
+			*--cp = 0;
+
+#define getnum(t) (t) = 0; \
+  while (*cp >= '0' && *cp <= '9') (t) = (t) * 10 + (*cp++ - '0');
+		cp = buf;
+		if (*cp == 'T') {
+			setimes++;
+			cp++;
+			getnum(ut.modtime);
+			if (*cp++ != ' ')
+				SCREWUP("mtime.sec not delimited");
+			getnum(dummy_usec);
+			if (*cp++ != ' ')
+				SCREWUP("mtime.usec not delimited");
+			getnum(ut.actime);
+			if (*cp++ != ' ')
+				SCREWUP("atime.sec not delimited");
+			getnum(dummy_usec);
+			if (*cp++ != '\0')
+				SCREWUP("atime.usec not delimited");
+			(void) atomicio(write, remout, "", 1);
+			continue;
+		}
+		if (*cp != 'C' && *cp != 'D') {
+			/*
+			 * Check for the case "rcp remote:foo\* local:bar".
+			 * In this case, the line "No match." can be returned
+			 * by the shell before the rcp command on the remote is
+			 * executed so the ^Aerror_message convention isn't
+			 * followed.
+			 */
+			if (first) {
+				run_err("%s", cp);
+				exit(1);
+			}
+			SCREWUP("expected control record");
+		}
+		mode = 0;
+		for (++cp; cp < buf + 5; cp++) {
+			if (*cp < '0' || *cp > '7')
+				SCREWUP("bad mode");
+			mode = (mode << 3) | (*cp - '0');
+		}
+		if (*cp++ != ' ')
+			SCREWUP("mode not delimited");
+
+		for (size = 0; *cp >= '0' && *cp <= '9';)
+			size = size * 10 + (*cp++ - '0');
+		if (*cp++ != ' ')
+			SCREWUP("size not delimited");
+		if (targisdir) {
+			static char *namebuf;
+			static int cursize;
+			size_t need;
+
+			need = strlen(targ) + strlen(cp) + 250;
+			if (need > cursize)
+				namebuf = xmalloc(need);
+			(void) sprintf(namebuf, "%s%s%s", targ,
+				       *targ ? "/" : "", cp);
+			np = namebuf;
+		} else
+			np = targ;
+		curfile = cp;
+		exists = stat(np, &stb) == 0;
+		if (buf[0] == 'D') {
+			int mod_flag = pflag;
+			if (exists) {
+				if (!S_ISDIR(stb.st_mode)) {
+					errno = ENOTDIR;
+					goto bad;
+				}
+				if (pflag)
+					(void) chmod(np, mode);
+			} else {
+				/* Handle copying from a read-only
+				   directory */
+				mod_flag = 1;
+				if (mkdir(np, mode | S_IRWXU) < 0)
+					goto bad;
+			}
+			vect[0] = np;
+			sink(1, vect);
+			if (setimes) {
+				setimes = 0;
+				if (utime(np, &ut) < 0)
+					run_err("%s: set times: %s",
+						np, strerror(errno));
+			}
+			if (mod_flag)
+				(void) chmod(np, mode);
+			continue;
+		}
+		omode = mode;
+		mode |= S_IWRITE;
+		if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) {
+bad:			run_err("%s: %s", np, strerror(errno));
+			continue;
+		}
+		(void) atomicio(write, remout, "", 1);
+		if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) {
+			(void) close(ofd);
+			continue;
+		}
+		cp = bp->buf;
+		wrerr = NO;
+
+		if (showprogress) {
+			totalbytes = size;
+			progressmeter(-1);
+		}
+		statbytes = 0;
+		for (count = i = 0; i < size; i += 4096) {
+			amt = 4096;
+			if (i + amt > size)
+				amt = size - i;
+			count += amt;
+			do {
+				j = atomicio(read, remin, cp, amt);
+				if (j <= 0) {
+					run_err("%s", j ? strerror(errno) :
+						"dropped connection");
+					exit(1);
+				}
+				amt -= j;
+				cp += j;
+				statbytes += j;
+			} while (amt > 0);
+			if (count == bp->cnt) {
+				/* Keep reading so we stay sync'd up. */
+				if (wrerr == NO) {
+					j = atomicio(write, ofd, bp->buf, count);
+					if (j != count) {
+						wrerr = YES;
+						wrerrno = j >= 0 ? EIO : errno;
+					}
+				}
+				count = 0;
+				cp = bp->buf;
+			}
+		}
+		if (showprogress)
+			progressmeter(1);
+		if (count != 0 && wrerr == NO &&
+		    (j = atomicio(write, ofd, bp->buf, count)) != count) {
+			wrerr = YES;
+			wrerrno = j >= 0 ? EIO : errno;
+		}
+#if 0
+		if (ftruncate(ofd, size)) {
+			run_err("%s: truncate: %s", np, strerror(errno));
+			wrerr = DISPLAYED;
+		}
+#endif
+		if (pflag) {
+			if (exists || omode != mode)
+				if (fchmod(ofd, omode))
+					run_err("%s: set mode: %s",
+						np, strerror(errno));
+		} else {
+			if (!exists && omode != mode)
+				if (fchmod(ofd, omode & ~mask))
+					run_err("%s: set mode: %s",
+						np, strerror(errno));
+		}
+		(void) close(ofd);
+		(void) response();
+		if (setimes && wrerr == NO) {
+			setimes = 0;
+			if (utime(np, &ut) < 0) {
+				run_err("%s: set times: %s",
+					np, strerror(errno));
+				wrerr = DISPLAYED;
+			}
+		}
+		switch (wrerr) {
+		case YES:
+			run_err("%s: %s", np, strerror(wrerrno));
+			break;
+		case NO:
+			(void) atomicio(write, remout, "", 1);
+			break;
+		case DISPLAYED:
+			break;
+		}
+	}
+screwup:
+	run_err("protocol error: %s", why);
+	exit(1);
+}
+
+int
+response()
+{
+	char ch, *cp, resp, rbuf[2048];
+
+	if (atomicio(read, remin, &resp, sizeof(resp)) != sizeof(resp))
+		lostconn(0);
+
+	cp = rbuf;
+	switch (resp) {
+	case 0:		/* ok */
+		return (0);
+	default:
+		*cp++ = resp;
+		/* FALLTHROUGH */
+	case 1:		/* error, followed by error msg */
+	case 2:		/* fatal error, "" */
+		do {
+			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
+				lostconn(0);
+			*cp++ = ch;
+		} while (cp < &rbuf[sizeof(rbuf) - 1] && ch != '\n');
+
+		if (!iamremote)
+			(void) atomicio(write, STDERR_FILENO, rbuf, cp - rbuf);
+		++errs;
+		if (resp == 1)
+			return (-1);
+		exit(1);
+	}
+	/* NOTREACHED */
+}
+
+void
+usage()
+{
+	(void) fprintf(stderr,
+		       "usage: scp [-pqrvC46] [-P port] [-c cipher] [-i identity] f1 f2; or:\n       scp [options] f1 ... fn directory\n");
+	exit(1);
+}
+
+void
+run_err(const char *fmt,...)
+{
+	static FILE *fp;
+	va_list ap;
+	va_start(ap, fmt);
+
+	++errs;
+	if (fp == NULL && !(fp = fdopen(remout, "w")))
+		return;
+	(void) fprintf(fp, "%c", 0x01);
+	(void) fprintf(fp, "scp: ");
+	(void) vfprintf(fp, fmt, ap);
+	(void) fprintf(fp, "\n");
+	(void) fflush(fp);
+
+	if (!iamremote) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, "\n");
+	}
+	va_end(ap);
+}
+
+/* Stuff below is from BSD rcp util.c. */
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$Id: scp.c,v 1.30 2000/05/02 18:21:48 deraadt Exp $
+ */
+
+char *
+colon(cp)
+	char *cp;
+{
+	int flag = 0;
+
+	if (*cp == ':')		/* Leading colon is part of file name. */
+		return (0);
+	if (*cp == '[')
+		flag = 1;
+
+	for (; *cp; ++cp) {
+		if (*cp == '@' && *(cp+1) == '[')
+			flag = 1;
+		if (*cp == ']' && *(cp+1) == ':' && flag)
+			return (cp+1);
+		if (*cp == ':' && !flag)
+			return (cp);
+		if (*cp == '/')
+			return (0);
+	}
+	return (0);
+}
+
+void
+verifydir(cp)
+	char *cp;
+{
+	struct stat stb;
+
+	if (!stat(cp, &stb)) {
+		if (S_ISDIR(stb.st_mode))
+			return;
+		errno = ENOTDIR;
+	}
+	run_err("%s: %s", cp, strerror(errno));
+	exit(1);
+}
+
+int
+okname(cp0)
+	char *cp0;
+{
+	int c;
+	char *cp;
+
+	cp = cp0;
+	do {
+		c = *cp;
+		if (c & 0200)
+			goto bad;
+		if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-' && c != '.')
+			goto bad;
+	} while (*++cp);
+	return (1);
+
+bad:	fprintf(stderr, "%s: invalid user name\n", cp0);
+	return (0);
+}
+
+BUF *
+allocbuf(bp, fd, blksize)
+	BUF *bp;
+	int fd, blksize;
+{
+	size_t size;
+	struct stat stb;
+
+	if (fstat(fd, &stb) < 0) {
+		run_err("fstat: %s", strerror(errno));
+		return (0);
+	}
+	if (stb.st_blksize == 0)
+		size = blksize;
+	else
+		size = blksize + (stb.st_blksize - blksize % stb.st_blksize) %
+			stb.st_blksize;
+	if (bp->cnt >= size)
+		return (bp);
+	if (bp->buf == NULL)
+		bp->buf = xmalloc(size);
+	else
+		bp->buf = xrealloc(bp->buf, size);
+	bp->cnt = size;
+	return (bp);
+}
+
+void
+lostconn(signo)
+	int signo;
+{
+	if (!iamremote)
+		fprintf(stderr, "lost connection\n");
+	exit(1);
+}
+
+
+void
+alarmtimer(int wait)
+{
+	struct itimerval itv;
+
+	itv.it_value.tv_sec = wait;
+	itv.it_value.tv_usec = 0;
+	itv.it_interval = itv.it_value;
+	setitimer(ITIMER_REAL, &itv, NULL);
+}
+
+void
+updateprogressmeter(int ignore)
+{
+	int save_errno = errno;
+
+	progressmeter(0);
+	errno = save_errno;
+}
+
+int
+foregroundproc()
+{
+	static pid_t pgrp = -1;
+	int ctty_pgrp;
+
+	if (pgrp == -1)
+		pgrp = getpgrp();
+
+	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 &&
+		 ctty_pgrp == pgrp));
+}
+
+void
+progressmeter(int flag)
+{
+	static const char prefixes[] = " KMGTP";
+	static struct timeval lastupdate;
+	static off_t lastsize;
+	struct timeval now, td, wait;
+	off_t cursize, abbrevsize;
+	double elapsed;
+	int ratio, barlength, i, remaining;
+	char buf[256];
+
+	if (flag == -1) {
+		(void) gettimeofday(&start, (struct timezone *) 0);
+		lastupdate = start;
+		lastsize = 0;
+	}
+	if (foregroundproc() == 0)
+		return;
+
+	(void) gettimeofday(&now, (struct timezone *) 0);
+	cursize = statbytes;
+	if (totalbytes != 0) {
+		ratio = 100.0 * cursize / totalbytes;
+		ratio = MAX(ratio, 0);
+		ratio = MIN(ratio, 100);
+	} else
+		ratio = 100;
+
+	snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio);
+
+	barlength = getttywidth() - 51;
+	if (barlength > 0) {
+		i = barlength * ratio / 100;
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			 "|%.*s%*s|", i,
+			 "*****************************************************************************"
+			 "*****************************************************************************",
+			 barlength - i, "");
+	}
+	i = 0;
+	abbrevsize = cursize;
+	while (abbrevsize >= 100000 && i < sizeof(prefixes)) {
+		i++;
+		abbrevsize >>= 10;
+	}
+	snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5qd %c%c ",
+	     (quad_t) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' :
+		 'B');
+
+	timersub(&now, &lastupdate, &wait);
+	if (cursize > lastsize) {
+		lastupdate = now;
+		lastsize = cursize;
+		if (wait.tv_sec >= STALLTIME) {
+			start.tv_sec += wait.tv_sec;
+			start.tv_usec += wait.tv_usec;
+		}
+		wait.tv_sec = 0;
+	}
+	timersub(&now, &start, &td);
+	elapsed = td.tv_sec + (td.tv_usec / 1000000.0);
+
+	if (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes) {
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			 "   --:-- ETA");
+	} else if (wait.tv_sec >= STALLTIME) {
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			 " - stalled -");
+	} else {
+		if (flag != 1)
+			remaining =
+			    (int)(totalbytes / (statbytes / elapsed) - elapsed);
+		else
+			remaining = elapsed;
+
+		i = remaining / 3600;
+		if (i)
+			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+				 "%2d:", i);
+		else
+			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+				 "   ");
+		i = remaining % 3600;
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			 "%02d:%02d%s", i / 60, i % 60,
+			 (flag != 1) ? " ETA" : "    ");
+	}
+	atomicio(write, fileno(stdout), buf, strlen(buf));
+
+	if (flag == -1) {
+		signal(SIGALRM, updateprogressmeter);
+		alarmtimer(1);
+	} else if (flag == 1) {
+		alarmtimer(0);
+		atomicio(write, fileno(stdout), "\n", 1);
+		statbytes = 0;
+	}
+}
+
+int
+getttywidth(void)
+{
+	struct winsize winsize;
+
+	if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1)
+		return (winsize.ws_col ? winsize.ws_col : 80);
+	else
+		return (80);
+}
diff --git a/crypto/openssh/scp/Makefile b/crypto/openssh/scp/Makefile
new file mode 100644
index 0000000..3f59a9f
--- /dev/null
+++ b/crypto/openssh/scp/Makefile
@@ -0,0 +1,18 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	scp
+BINOWN=	root
+
+.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+	${MACHINE_ARCH} == "hppa")
+BINMODE=0000
+.else
+BINMODE?=555
+.endif
+
+BINDIR=	/usr/bin
+MAN=	scp.1
+
+SRCS=	scp.c
+
+.include <bsd.prog.mk>
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
new file mode 100644
index 0000000..b3d78f7
--- /dev/null
+++ b/crypto/openssh/servconf.c
@@ -0,0 +1,677 @@
+/*
+ *
+ * servconf.c
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Aug 21 15:48:58 1995 ylo
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: servconf.c,v 1.41 2000/05/22 18:42:01 markus Exp $");
+
+#include "ssh.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "compat.h"
+
+/* add listen address */
+void add_listen_addr(ServerOptions *options, char *addr);
+
+/* Initializes the server options to their default values. */
+
+void
+initialize_server_options(ServerOptions *options)
+{
+	memset(options, 0, sizeof(*options));
+	options->num_ports = 0;
+	options->ports_from_cmdline = 0;
+	options->listen_addrs = NULL;
+	options->host_key_file = NULL;
+	options->host_dsa_key_file = NULL;
+	options->pid_file = NULL;
+	options->server_key_bits = -1;
+	options->login_grace_time = -1;
+	options->key_regeneration_time = -1;
+	options->permit_root_login = -1;
+	options->ignore_rhosts = -1;
+	options->ignore_user_known_hosts = -1;
+	options->print_motd = -1;
+	options->check_mail = -1;
+	options->x11_forwarding = -1;
+	options->x11_display_offset = -1;
+	options->strict_modes = -1;
+	options->keepalives = -1;
+	options->log_facility = (SyslogFacility) - 1;
+	options->log_level = (LogLevel) - 1;
+	options->rhosts_authentication = -1;
+	options->rhosts_rsa_authentication = -1;
+	options->rsa_authentication = -1;
+	options->dsa_authentication = -1;
+#ifdef KRB4
+	options->krb4_authentication = -1;
+	options->krb4_or_local_passwd = -1;
+	options->krb4_ticket_cleanup = -1;
+#endif
+#ifdef KRB5
+	options->krb5_authentication = -1;
+	options->krb5_tgt_passing = -1;
+#endif /* KRB5 */
+#ifdef AFS
+	options->krb4_tgt_passing = -1;
+	options->afs_token_passing = -1;
+#endif
+	options->password_authentication = -1;
+#ifdef SKEY
+	options->skey_authentication = -1;
+#endif
+	options->permit_empty_passwd = -1;
+	options->use_login = -1;
+	options->num_allow_users = 0;
+	options->num_deny_users = 0;
+	options->num_allow_groups = 0;
+	options->num_deny_groups = 0;
+	options->ciphers = NULL;
+	options->protocol = SSH_PROTO_UNKNOWN;
+	options->gateway_ports = -1;
+	options->connections_per_period = 0;
+	options->connections_period = 0;
+}
+
+void
+fill_default_server_options(ServerOptions *options)
+{
+	if (options->num_ports == 0)
+		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	if (options->listen_addrs == NULL)
+		add_listen_addr(options, NULL);
+	if (options->host_key_file == NULL)
+		options->host_key_file = HOST_KEY_FILE;
+	if (options->host_dsa_key_file == NULL)
+		options->host_dsa_key_file = HOST_DSA_KEY_FILE;
+	if (options->pid_file == NULL)
+		options->pid_file = SSH_DAEMON_PID_FILE;
+	if (options->server_key_bits == -1)
+		options->server_key_bits = 768;
+	if (options->login_grace_time == -1)
+		options->login_grace_time = 60;
+	if (options->key_regeneration_time == -1)
+		options->key_regeneration_time = 3600;
+	if (options->permit_root_login == -1)
+		options->permit_root_login = 0;			/* no */
+	if (options->ignore_rhosts == -1)
+		options->ignore_rhosts = 1;
+	if (options->ignore_user_known_hosts == -1)
+		options->ignore_user_known_hosts = 0;
+	if (options->check_mail == -1)
+		options->check_mail = 1;
+	if (options->print_motd == -1)
+		options->print_motd = 1;
+	if (options->x11_forwarding == -1)
+		options->x11_forwarding = 0;
+	if (options->x11_display_offset == -1)
+		options->x11_display_offset = 10;
+	if (options->strict_modes == -1)
+		options->strict_modes = 1;
+	if (options->keepalives == -1)
+		options->keepalives = 1;
+	if (options->log_facility == (SyslogFacility) (-1))
+		options->log_facility = SYSLOG_FACILITY_AUTH;
+	if (options->log_level == (LogLevel) (-1))
+		options->log_level = SYSLOG_LEVEL_INFO;
+	if (options->rhosts_authentication == -1)
+		options->rhosts_authentication = 0;
+	if (options->rhosts_rsa_authentication == -1)
+		options->rhosts_rsa_authentication = 0;
+	if (options->rsa_authentication == -1)
+		options->rsa_authentication = 1;
+	if (options->dsa_authentication == -1)
+		options->dsa_authentication = 1;
+#ifdef KRB4
+	if (options->krb4_authentication == -1)
+		options->krb4_authentication = (access(KEYFILE, R_OK) == 0);
+	if (options->krb4_or_local_passwd == -1)
+		options->krb4_or_local_passwd = 1;
+	if (options->krb4_ticket_cleanup == -1)
+		options->krb4_ticket_cleanup = 1;
+#endif /* KRB4 */
+#ifdef KRB5
+	if (options->krb5_authentication == -1)
+	  	options->krb5_authentication = 1;
+	if (options->krb5_tgt_passing == -1)
+	  	options->krb5_tgt_passing = 1;
+#endif /* KRB5 */
+#ifdef AFS
+	if (options->krb4_tgt_passing == -1)
+		options->krb4_tgt_passing = 0;
+	if (options->afs_token_passing == -1)
+		options->afs_token_passing = k_hasafs();
+#endif /* AFS */
+	if (options->password_authentication == -1)
+		options->password_authentication = 1;
+#ifdef SKEY
+	if (options->skey_authentication == -1)
+		options->skey_authentication = 1;
+#endif
+	if (options->permit_empty_passwd == -1)
+		options->permit_empty_passwd = 0;
+	if (options->use_login == -1)
+		options->use_login = 0;
+	if (options->protocol == SSH_PROTO_UNKNOWN)
+		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+	if (options->gateway_ports == -1)
+		options->gateway_ports = 0;
+}
+
+#define WHITESPACE " \t\r\n"
+
+/* Keyword tokens. */
+typedef enum {
+	sBadOption,		/* == unknown option */
+	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+	sPermitRootLogin, sLogFacility, sLogLevel,
+	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+#ifdef KRB4
+	sKrb4Authentication, sKrb4OrLocalPasswd, sKrb4TicketCleanup,
+#endif
+#ifdef KRB5
+	sKrb5Authentication, sKrb5TgtPassing,
+#endif /* KRB5 */
+#ifdef AFS
+	sKrb4TgtPassing, sAFSTokenPassing,
+#endif
+#ifdef SKEY
+	sSkeyAuthentication,
+#endif
+	sPasswordAuthentication, sListenAddress,
+	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
+	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
+	sGatewayPorts, sDSAAuthentication, sConnectionsPerPeriod
+} ServerOpCodes;
+
+/* Textual representation of the tokens. */
+static struct {
+	const char *name;
+	ServerOpCodes opcode;
+} keywords[] = {
+	{ "port", sPort },
+	{ "hostkey", sHostKeyFile },
+	{ "hostdsakey", sHostDSAKeyFile },
+ 	{ "pidfile", sPidFile },
+	{ "serverkeybits", sServerKeyBits },
+	{ "logingracetime", sLoginGraceTime },
+	{ "keyregenerationinterval", sKeyRegenerationTime },
+	{ "permitrootlogin", sPermitRootLogin },
+	{ "syslogfacility", sLogFacility },
+	{ "loglevel", sLogLevel },
+	{ "rhostsauthentication", sRhostsAuthentication },
+	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
+	{ "rsaauthentication", sRSAAuthentication },
+	{ "dsaauthentication", sDSAAuthentication },
+#ifdef KRB4
+	{ "kerberos4authentication", sKrb4Authentication },
+	{ "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
+	{ "kerberos4ticketcleanup", sKrb4TicketCleanup },
+#endif
+#ifdef KRB5
+	{ "kerberos5authentication", sKrb5Authentication },
+	{ "kerberos5tgtpassing", sKrb5TgtPassing },
+#endif /* KRB5 */
+#ifdef AFS
+	{ "kerberos4tgtpassing", sKrb4TgtPassing },
+	{ "afstokenpassing", sAFSTokenPassing },
+#endif
+	{ "passwordauthentication", sPasswordAuthentication },
+#ifdef SKEY
+	{ "skeyauthentication", sSkeyAuthentication },
+#endif
+	{ "checkmail", sCheckMail },
+	{ "listenaddress", sListenAddress },
+	{ "printmotd", sPrintMotd },
+	{ "ignorerhosts", sIgnoreRhosts },
+	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
+	{ "x11forwarding", sX11Forwarding },
+	{ "x11displayoffset", sX11DisplayOffset },
+	{ "strictmodes", sStrictModes },
+	{ "permitemptypasswords", sEmptyPasswd },
+	{ "uselogin", sUseLogin },
+	{ "randomseed", sRandomSeedFile },
+	{ "keepalive", sKeepAlives },
+	{ "allowusers", sAllowUsers },
+	{ "denyusers", sDenyUsers },
+	{ "allowgroups", sAllowGroups },
+	{ "denygroups", sDenyGroups },
+	{ "ciphers", sCiphers },
+	{ "protocol", sProtocol },
+	{ "gatewayports", sGatewayPorts },
+	{ "connectionsperperiod", sConnectionsPerPeriod },
+	{ NULL, 0 }
+};
+
+/*
+ * Returns the number of the token pointed to by cp of length len. Never
+ * returns if the token is not known.
+ */
+
+static ServerOpCodes
+parse_token(const char *cp, const char *filename,
+	    int linenum)
+{
+	unsigned int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
+		filename, linenum, cp);
+	return sBadOption;
+}
+
+/*
+ * add listen address
+ */
+void
+add_listen_addr(ServerOptions *options, char *addr)
+{
+	extern int IPv4or6;
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr;
+	int i;
+
+	if (options->num_ports == 0)
+		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	for (i = 0; i < options->num_ports; i++) {
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		hints.ai_socktype = SOCK_STREAM;
+		hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
+		snprintf(strport, sizeof strport, "%d", options->ports[i]);
+		if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+			fatal("bad addr or host: %s (%s)\n",
+			    addr ? addr : "<NULL>",
+			    gai_strerror(gaierr));
+		for (ai = aitop; ai->ai_next; ai = ai->ai_next)
+			;
+		ai->ai_next = options->listen_addrs;
+		options->listen_addrs = aitop;
+	}
+}
+
+/* Reads the server configuration file. */
+
+void
+read_server_config(ServerOptions *options, const char *filename)
+{
+	FILE *f;
+	char line[1024];
+	char *cp, **charptr;
+	int linenum, *intptr, value;
+	int bad_options = 0;
+	ServerOpCodes opcode;
+
+	f = fopen(filename, "r");
+	if (!f) {
+		perror(filename);
+		exit(1);
+	}
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		linenum++;
+		cp = line + strspn(line, WHITESPACE);
+		if (!*cp || *cp == '#')
+			continue;
+		cp = strtok(cp, WHITESPACE);
+		opcode = parse_token(cp, filename, linenum);
+		switch (opcode) {
+		case sBadOption:
+			bad_options++;
+			continue;
+		case sPort:
+			/* ignore ports from configfile if cmdline specifies ports */
+			if (options->ports_from_cmdline)
+				continue;
+			if (options->listen_addrs != NULL)
+				fatal("%s line %d: ports must be specified before "
+				    "ListenAdress.\n", filename, linenum);
+			if (options->num_ports >= MAX_PORTS)
+				fatal("%s line %d: too many ports.\n",
+				    filename, linenum);
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp)
+				fatal("%s line %d: missing port number.\n",
+				    filename, linenum);
+			options->ports[options->num_ports++] = atoi(cp);
+			break;
+
+		case sServerKeyBits:
+			intptr = &options->server_key_bits;
+parse_int:
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp) {
+				fprintf(stderr, "%s line %d: missing integer value.\n",
+					filename, linenum);
+				exit(1);
+			}
+			if (sscanf(cp, " %d ", &value) != 1) {
+				fprintf(stderr, "%s line %d: invalid integer value.\n",
+					filename, linenum);
+				exit(1);
+			}
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sLoginGraceTime:
+			intptr = &options->login_grace_time;
+			goto parse_int;
+
+		case sKeyRegenerationTime:
+			intptr = &options->key_regeneration_time;
+			goto parse_int;
+
+		case sListenAddress:
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp)
+				fatal("%s line %d: missing inet addr.\n",
+				    filename, linenum);
+			add_listen_addr(options, cp);
+			break;
+
+		case sHostKeyFile:
+		case sHostDSAKeyFile:
+			charptr = (opcode == sHostKeyFile ) ?
+			    &options->host_key_file : &options->host_dsa_key_file;
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp) {
+				fprintf(stderr, "%s line %d: missing file name.\n",
+				    filename, linenum);
+				exit(1);
+			}
+			if (*charptr == NULL)
+				*charptr = tilde_expand_filename(cp, getuid());
+			break;
+
+		case sPidFile:
+			charptr = &options->pid_file;
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp) {
+				fprintf(stderr, "%s line %d: missing file name.\n",
+				    filename, linenum);
+				exit(1);
+			}
+			if (*charptr == NULL)
+				*charptr = tilde_expand_filename(cp, getuid());
+			break;
+
+		case sRandomSeedFile:
+			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
+				filename, linenum);
+			cp = strtok(NULL, WHITESPACE);
+			break;
+
+		case sPermitRootLogin:
+			intptr = &options->permit_root_login;
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp) {
+				fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
+					filename, linenum);
+				exit(1);
+			}
+			if (strcmp(cp, "without-password") == 0)
+				value = 2;
+			else if (strcmp(cp, "yes") == 0)
+				value = 1;
+			else if (strcmp(cp, "no") == 0)
+				value = 0;
+			else {
+				fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
+					filename, linenum, cp);
+				exit(1);
+			}
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sIgnoreRhosts:
+			intptr = &options->ignore_rhosts;
+parse_flag:
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp) {
+				fprintf(stderr, "%s line %d: missing yes/no argument.\n",
+					filename, linenum);
+				exit(1);
+			}
+			if (strcmp(cp, "yes") == 0)
+				value = 1;
+			else if (strcmp(cp, "no") == 0)
+				value = 0;
+			else {
+				fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
+					filename, linenum, cp);
+				exit(1);
+			}
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sIgnoreUserKnownHosts:
+			intptr = &options->ignore_user_known_hosts;
+			goto parse_flag;
+
+		case sRhostsAuthentication:
+			intptr = &options->rhosts_authentication;
+			goto parse_flag;
+
+		case sRhostsRSAAuthentication:
+			intptr = &options->rhosts_rsa_authentication;
+			goto parse_flag;
+
+		case sRSAAuthentication:
+			intptr = &options->rsa_authentication;
+			goto parse_flag;
+
+		case sDSAAuthentication:
+			intptr = &options->dsa_authentication;
+			goto parse_flag;
+
+#ifdef KRB4
+		case sKrb4Authentication:
+			intptr = &options->krb4_authentication;
+			goto parse_flag;
+
+		case sKrb4OrLocalPasswd:
+			intptr = &options->krb4_or_local_passwd;
+			goto parse_flag;
+
+		case sKrb4TicketCleanup:
+			intptr = &options->krb4_ticket_cleanup;
+			goto parse_flag;
+#endif
+
+#ifdef KRB5
+		case sKrb5Authentication:
+			intptr = &options->krb5_authentication;
+			goto parse_flag;
+			
+		case sKrb5TgtPassing:
+			intptr = &options->krb5_tgt_passing;
+			goto parse_flag;
+#endif /* KRB5 */
+
+#ifdef AFS
+		case sKrb4TgtPassing:
+			intptr = &options->krb4_tgt_passing;
+			goto parse_flag;
+
+		case sAFSTokenPassing:
+			intptr = &options->afs_token_passing;
+			goto parse_flag;
+#endif
+
+		case sPasswordAuthentication:
+			intptr = &options->password_authentication;
+			goto parse_flag;
+
+		case sCheckMail:
+			intptr = &options->check_mail;
+			goto parse_flag;
+
+#ifdef SKEY
+		case sSkeyAuthentication:
+			intptr = &options->skey_authentication;
+			goto parse_flag;
+#endif
+
+		case sPrintMotd:
+			intptr = &options->print_motd;
+			goto parse_flag;
+
+		case sX11Forwarding:
+			intptr = &options->x11_forwarding;
+			goto parse_flag;
+
+		case sX11DisplayOffset:
+			intptr = &options->x11_display_offset;
+			goto parse_int;
+
+		case sStrictModes:
+			intptr = &options->strict_modes;
+			goto parse_flag;
+
+		case sKeepAlives:
+			intptr = &options->keepalives;
+			goto parse_flag;
+
+		case sEmptyPasswd:
+			intptr = &options->permit_empty_passwd;
+			goto parse_flag;
+
+		case sUseLogin:
+			intptr = &options->use_login;
+			goto parse_flag;
+
+		case sGatewayPorts:
+			intptr = &options->gateway_ports;
+			goto parse_flag;
+
+		case sLogFacility:
+			intptr = (int *) &options->log_facility;
+			cp = strtok(NULL, WHITESPACE);
+			value = log_facility_number(cp);
+			if (value == (SyslogFacility) - 1)
+				fatal("%.200s line %d: unsupported log facility '%s'\n",
+				    filename, linenum, cp ? cp : "<NONE>");
+			if (*intptr == -1)
+				*intptr = (SyslogFacility) value;
+			break;
+
+		case sLogLevel:
+			intptr = (int *) &options->log_level;
+			cp = strtok(NULL, WHITESPACE);
+			value = log_level_number(cp);
+			if (value == (LogLevel) - 1)
+				fatal("%.200s line %d: unsupported log level '%s'\n",
+				    filename, linenum, cp ? cp : "<NONE>");
+			if (*intptr == -1)
+				*intptr = (LogLevel) value;
+			break;
+
+		case sAllowUsers:
+			while ((cp = strtok(NULL, WHITESPACE))) {
+				if (options->num_allow_users >= MAX_ALLOW_USERS)
+					fatal("%.200s line %d: too many allow users.\n",
+					    filename, linenum);
+				options->allow_users[options->num_allow_users++] = xstrdup(cp);
+			}
+			break;
+
+		case sDenyUsers:
+			while ((cp = strtok(NULL, WHITESPACE))) {
+				if (options->num_deny_users >= MAX_DENY_USERS)
+					fatal("%.200s line %d: too many deny users.\n",
+					    filename, linenum);
+				options->deny_users[options->num_deny_users++] = xstrdup(cp);
+			}
+			break;
+
+		case sAllowGroups:
+			while ((cp = strtok(NULL, WHITESPACE))) {
+				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+					fatal("%.200s line %d: too many allow groups.\n",
+					    filename, linenum);
+				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
+			}
+			break;
+
+		case sDenyGroups:
+			while ((cp = strtok(NULL, WHITESPACE))) {
+				if (options->num_deny_groups >= MAX_DENY_GROUPS)
+					fatal("%.200s line %d: too many deny groups.\n",
+					    filename, linenum);
+				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
+			}
+			break;
+
+		case sCiphers:
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp)
+				fatal("%s line %d: Missing argument.", filename, linenum);
+			if (!ciphers_valid(cp))
+				fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
+				    filename, linenum, cp ? cp : "<NONE>");
+			if (options->ciphers == NULL)
+				options->ciphers = xstrdup(cp);
+			break;
+
+		case sProtocol:
+			intptr = &options->protocol;
+			cp = strtok(NULL, WHITESPACE);
+			if (!cp)
+				fatal("%s line %d: Missing argument.", filename, linenum);
+			value = proto_spec(cp);
+			if (value == SSH_PROTO_UNKNOWN)
+				fatal("%s line %d: Bad protocol spec '%s'.",
+				      filename, linenum, cp ? cp : "<NONE>");
+			if (*intptr == SSH_PROTO_UNKNOWN)
+				*intptr = value;
+			break;
+
+		case sConnectionsPerPeriod:
+			cp = strtok(NULL, WHITESPACE);
+			if (cp == NULL)
+				fatal("%.200s line %d: missing (>= 0) number argument.\n",
+					filename, linenum);
+			if (sscanf(cp, " %u/%u ", &options->connections_per_period,
+			    &options->connections_period) != 2)
+				fatal("%.200s line %d: invalid numerical argument(s).\n",
+				    filename, linenum);
+			if (options->connections_per_period != 0 &&
+			    options->connections_period == 0)
+				fatal("%.200s line %d: invalid connections period.\n",
+				    filename, linenum);
+			break;
+
+		default:
+			fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
+				filename, linenum, cp, opcode);
+		}
+		if (strtok(NULL, WHITESPACE) != NULL) {
+			fatal("%.200s line %d: garbage at end of line.\n",
+				filename, linenum);
+		}
+	}
+	fclose(f);
+	if (bad_options > 0) {
+		fatal("%.200s: terminating, %d bad configuration options\n",
+			filename, bad_options);
+	}
+}
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
new file mode 100644
index 0000000..fedc9ab
--- /dev/null
+++ b/crypto/openssh/servconf.h
@@ -0,0 +1,124 @@
+/*
+ *
+ * servconf.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Aug 21 15:35:03 1995 ylo
+ *
+ * Definitions for server configuration data and for the functions reading it.
+ *
+ * $FreeBSD$
+ */
+
+/* RCSID("$Id: servconf.h,v 1.22 2000/05/06 17:45:37 markus Exp $"); */
+
+#ifndef SERVCONF_H
+#define SERVCONF_H
+
+#define MAX_PORTS		256	/* Max # ports. */
+
+#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
+#define MAX_DENY_USERS		256	/* Max # users on deny list. */
+#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
+#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
+
+typedef struct {
+	unsigned int num_ports;
+	unsigned int ports_from_cmdline;
+	u_short ports[MAX_PORTS];	/* Port number to listen on. */
+	char   *listen_addr;		/* Address on which the server listens. */
+	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
+	char   *host_key_file;	/* File containing host key. */
+	char   *host_dsa_key_file;	/* File containing dsa host key. */
+	char   *pid_file;	/* Where to put our pid */
+	int     server_key_bits;/* Size of the server key. */
+	int     login_grace_time;	/* Disconnect if no auth in this time
+					 * (sec). */
+	int     key_regeneration_time;	/* Server key lifetime (seconds). */
+	int     permit_root_login;	/* If true, permit root login. */
+	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
+	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
+						 * for RhostsRsaAuth */
+	int     print_motd;	/* If true, print /etc/motd. */
+	int     check_mail;	/* If true, check for new mail. */
+	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
+	int     x11_display_offset;	/* What DISPLAY number to start
+					 * searching at */
+	int     strict_modes;	/* If true, require string home dir modes. */
+	int     keepalives;	/* If true, set SO_KEEPALIVE. */
+	char   *ciphers;	/* Ciphers in order of preference. */
+	int	protocol;	/* Protocol in order of preference. */
+	int     gateway_ports;	/* If true, allow remote connects to forwarded ports. */
+	SyslogFacility log_facility;	/* Facility for system logging. */
+	LogLevel log_level;	/* Level for system logging. */
+	int     rhosts_authentication;	/* If true, permit rhosts
+					 * authentication. */
+	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
+						 * authentication. */
+	int     rsa_authentication;	/* If true, permit RSA authentication. */
+	int     dsa_authentication;	/* If true, permit DSA authentication. */
+#ifdef KRB4
+	int     krb4_authentication;		/* If true, permit Kerberos v4
+						 * authentication. */
+	int     krb4_or_local_passwd;		/* If true, permit kerberos v4
+						 * and any other password
+						 * authentication mechanism,
+						 * such as SecurID or
+						 * /etc/passwd */
+	int     krb4_ticket_cleanup;		/* If true, destroy ticket
+						 * file on logout. */
+#endif
+#ifdef KRB5
+	int     krb5_authentication;
+	int     krb5_tgt_passing;
+
+#endif /* KRB5 */
+#ifdef AFS
+	int     krb4_tgt_passing;	/* If true, permit Kerberos v4 tgt
+					 * passing. */
+	int     afs_token_passing;	/* If true, permit AFS token passing. */
+#endif
+	int     password_authentication;	/* If true, permit password
+						 * authentication. */
+#ifdef SKEY
+	int     skey_authentication;	/* If true, permit s/key
+					 * authentication. */
+#endif
+	int     permit_empty_passwd;	/* If false, do not permit empty
+					 * passwords. */
+	int     use_login;	/* If true, login(1) is used */
+	unsigned int num_allow_users;
+	char   *allow_users[MAX_ALLOW_USERS];
+	unsigned int num_deny_users;
+	char   *deny_users[MAX_DENY_USERS];
+	unsigned int num_allow_groups;
+	char   *allow_groups[MAX_ALLOW_GROUPS];
+	unsigned int num_deny_groups;
+	char   *deny_groups[MAX_DENY_GROUPS];
+	unsigned int connections_per_period;	/*
+						 * If not 0, number of sshd
+						 * connections accepted per
+						 * connections_period.
+						 */
+	unsigned int connections_period;
+}       ServerOptions;
+/*
+ * Initializes the server options to special values that indicate that they
+ * have not yet been set.
+ */
+void    initialize_server_options(ServerOptions * options);
+
+/*
+ * Reads the server configuration file.  This only sets the values for those
+ * options that have the special value indicating they have not been set.
+ */
+void    read_server_config(ServerOptions * options, const char *filename);
+
+/* Sets values for those values that have not yet been set. */
+void    fill_default_server_options(ServerOptions * options);
+
+#endif				/* SERVCONF_H */
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
new file mode 100644
index 0000000..74a800b
--- /dev/null
+++ b/crypto/openssh/serverloop.c
@@ -0,0 +1,835 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sun Sep 10 00:30:37 1995 ylo
+ * Server main loop for handling the interactive session.
+ */
+/*
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ */
+
+#include "includes.h"
+#include "xmalloc.h"
+#include "ssh.h"
+#include "packet.h"
+#include "buffer.h"
+#include "servconf.h"
+#include "pty.h"
+#include "channels.h"
+
+#include "compat.h"
+#include "ssh2.h"
+#include "session.h"
+#include "dispatch.h"
+
+static Buffer stdin_buffer;	/* Buffer for stdin data. */
+static Buffer stdout_buffer;	/* Buffer for stdout data. */
+static Buffer stderr_buffer;	/* Buffer for stderr data. */
+static int fdin;		/* Descriptor for stdin (for writing) */
+static int fdout;		/* Descriptor for stdout (for reading);
+				   May be same number as fdin. */
+static int fderr;		/* Descriptor for stderr.  May be -1. */
+static long stdin_bytes = 0;	/* Number of bytes written to stdin. */
+static long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
+static long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
+static long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
+static int stdin_eof = 0;	/* EOF message received from client. */
+static int fdout_eof = 0;	/* EOF encountered reading from fdout. */
+static int fderr_eof = 0;	/* EOF encountered readung from fderr. */
+static int connection_in;	/* Connection to client (input). */
+static int connection_out;	/* Connection to client (output). */
+static unsigned int buffer_high;/* "Soft" max buffer size. */
+static int max_fd;		/* Max file descriptor number for select(). */
+
+/*
+ * This SIGCHLD kludge is used to detect when the child exits.  The server
+ * will exit after that, as soon as forwarded connections have terminated.
+ */
+
+static pid_t child_pid;			/* Pid of the child. */
+static volatile int child_terminated;	/* The child has terminated. */
+static volatile int child_wait_status;	/* Status from wait(). */
+
+void	server_init_dispatch(void);
+
+void
+sigchld_handler(int sig)
+{
+	int save_errno = errno;
+	pid_t wait_pid;
+
+	debug("Received SIGCHLD.");
+	wait_pid = wait((int *) &child_wait_status);
+	if (wait_pid != -1) {
+		if (wait_pid != child_pid)
+			error("Strange, got SIGCHLD and wait returned pid %d but child is %d",
+			      wait_pid, child_pid);
+		if (WIFEXITED(child_wait_status) ||
+		    WIFSIGNALED(child_wait_status))
+			child_terminated = 1;
+	}
+	signal(SIGCHLD, sigchld_handler);
+	errno = save_errno;
+}
+void
+sigchld_handler2(int sig)
+{
+	int save_errno = errno;
+	debug("Received SIGCHLD.");
+	child_terminated = 1;
+	signal(SIGCHLD, sigchld_handler2);
+	errno = save_errno;
+}
+
+/*
+ * Make packets from buffered stderr data, and buffer it for sending
+ * to the client.
+ */
+void
+make_packets_from_stderr_data()
+{
+	int len;
+
+	/* Send buffered stderr data to the client. */
+	while (buffer_len(&stderr_buffer) > 0 &&
+	    packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stderr_buffer);
+		if (packet_is_interactive()) {
+			if (len > 512)
+				len = 512;
+		} else {
+			/* Keep the packets at reasonable size. */
+			if (len > packet_get_maxsize())
+				len = packet_get_maxsize();
+		}
+		packet_start(SSH_SMSG_STDERR_DATA);
+		packet_put_string(buffer_ptr(&stderr_buffer), len);
+		packet_send();
+		buffer_consume(&stderr_buffer, len);
+		stderr_bytes += len;
+	}
+}
+
+/*
+ * Make packets from buffered stdout data, and buffer it for sending to the
+ * client.
+ */
+void
+make_packets_from_stdout_data()
+{
+	int len;
+
+	/* Send buffered stdout data to the client. */
+	while (buffer_len(&stdout_buffer) > 0 &&
+	    packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stdout_buffer);
+		if (packet_is_interactive()) {
+			if (len > 512)
+				len = 512;
+		} else {
+			/* Keep the packets at reasonable size. */
+			if (len > packet_get_maxsize())
+				len = packet_get_maxsize();	
+		}
+		packet_start(SSH_SMSG_STDOUT_DATA);
+		packet_put_string(buffer_ptr(&stdout_buffer), len);
+		packet_send();
+		buffer_consume(&stdout_buffer, len);
+		stdout_bytes += len;
+	}
+}
+
+/*
+ * Sleep in select() until we can do something.  This will initialize the
+ * select masks.  Upon return, the masks will indicate which descriptors
+ * have data or can accept data.  Optionally, a maximum time can be specified
+ * for the duration of the wait (0 = infinite).
+ */
+void
+wait_until_can_do_something(fd_set * readset, fd_set * writeset,
+			    unsigned int max_time_milliseconds)
+{
+	struct timeval tv, *tvp;
+	int ret;
+
+	/* When select fails we restart from here. */
+retry_select:
+
+	/* Initialize select() masks. */
+	FD_ZERO(readset);
+	FD_ZERO(writeset);
+
+	if (compat20) {
+		/* wrong: bad condition XXX */
+		if (channel_not_very_much_buffered_data())
+			FD_SET(connection_in, readset);
+	} else {
+		/*
+		 * Read packets from the client unless we have too much
+		 * buffered stdin or channel data.
+		 */
+		if (buffer_len(&stdin_buffer) < buffer_high &&
+		    channel_not_very_much_buffered_data())
+			FD_SET(connection_in, readset);
+		/*
+		 * If there is not too much data already buffered going to
+		 * the client, try to get some more data from the program.
+		 */
+		if (packet_not_very_much_data_to_write()) {
+			if (!fdout_eof)
+				FD_SET(fdout, readset);
+			if (!fderr_eof)
+				FD_SET(fderr, readset);
+		}
+		/*
+		 * If we have buffered data, try to write some of that data
+		 * to the program.
+		 */
+		if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
+			FD_SET(fdin, writeset);
+	}
+	/* Set masks for channel descriptors. */
+	channel_prepare_select(readset, writeset);
+
+	/*
+	 * If we have buffered packet data going to the client, mark that
+	 * descriptor.
+	 */
+	if (packet_have_data_to_write())
+		FD_SET(connection_out, writeset);
+
+	/* Update the maximum descriptor number if appropriate. */
+	if (channel_max_fd() > max_fd)
+		max_fd = channel_max_fd();
+
+	/*
+	 * If child has terminated and there is enough buffer space to read
+	 * from it, then read as much as is available and exit.
+	 */
+	if (child_terminated && packet_not_very_much_data_to_write())
+		if (max_time_milliseconds == 0)
+			max_time_milliseconds = 100;
+
+	if (max_time_milliseconds == 0)
+		tvp = NULL;
+	else {
+		tv.tv_sec = max_time_milliseconds / 1000;
+		tv.tv_usec = 1000 * (max_time_milliseconds % 1000);
+		tvp = &tv;
+	}
+	if (tvp!=NULL)
+		debug("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds);
+
+	/* Wait for something to happen, or the timeout to expire. */
+	ret = select(max_fd + 1, readset, writeset, NULL, tvp);
+
+	if (ret < 0) {
+		if (errno != EINTR)
+			error("select: %.100s", strerror(errno));
+		else
+			goto retry_select;
+	}
+}
+
+/*
+ * Processes input from the client and the program.  Input data is stored
+ * in buffers and processed later.
+ */
+void
+process_input(fd_set * readset)
+{
+	int len;
+	char buf[16384];
+
+	/* Read and buffer any input data from the client. */
+	if (FD_ISSET(connection_in, readset)) {
+		len = read(connection_in, buf, sizeof(buf));
+		if (len == 0) {
+			verbose("Connection closed by remote host.");
+			fatal_cleanup();
+		} else if (len < 0) {
+			if (errno != EINTR && errno != EAGAIN) {
+				verbose("Read error from remote host: %.100s", strerror(errno));
+				fatal_cleanup();
+			}
+		} else {
+			/* Buffer any received data. */
+			packet_process_incoming(buf, len);
+		}
+	}
+	if (compat20)
+		return;
+
+	/* Read and buffer any available stdout data from the program. */
+	if (!fdout_eof && FD_ISSET(fdout, readset)) {
+		len = read(fdout, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+			fdout_eof = 1;
+		} else {
+			buffer_append(&stdout_buffer, buf, len);
+			fdout_bytes += len;
+		}
+	}
+	/* Read and buffer any available stderr data from the program. */
+	if (!fderr_eof && FD_ISSET(fderr, readset)) {
+		len = read(fderr, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+			fderr_eof = 1;
+		} else {
+			buffer_append(&stderr_buffer, buf, len);
+		}
+	}
+}
+
+/*
+ * Sends data from internal buffers to client program stdin.
+ */
+void
+process_output(fd_set * writeset)
+{
+	int len;
+
+	/* Write buffered data to program stdin. */
+	if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
+		len = write(fdin, buffer_ptr(&stdin_buffer),
+		    buffer_len(&stdin_buffer));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+#ifdef USE_PIPES
+			close(fdin);
+#else
+			if (fdin != fdout)
+				close(fdin);
+			else
+				shutdown(fdin, SHUT_WR); /* We will no longer send. */
+#endif
+			fdin = -1;
+		} else {
+			/* Successful write.  Consume the data from the buffer. */
+			buffer_consume(&stdin_buffer, len);
+			/* Update the count of bytes written to the program. */
+			stdin_bytes += len;
+		}
+	}
+	/* Send any buffered packet data to the client. */
+	if (FD_ISSET(connection_out, writeset))
+		packet_write_poll();
+}
+
+/*
+ * Wait until all buffered output has been sent to the client.
+ * This is used when the program terminates.
+ */
+void
+drain_output()
+{
+	/* Send any buffered stdout data to the client. */
+	if (buffer_len(&stdout_buffer) > 0) {
+		packet_start(SSH_SMSG_STDOUT_DATA);
+		packet_put_string(buffer_ptr(&stdout_buffer),
+				  buffer_len(&stdout_buffer));
+		packet_send();
+		/* Update the count of sent bytes. */
+		stdout_bytes += buffer_len(&stdout_buffer);
+	}
+	/* Send any buffered stderr data to the client. */
+	if (buffer_len(&stderr_buffer) > 0) {
+		packet_start(SSH_SMSG_STDERR_DATA);
+		packet_put_string(buffer_ptr(&stderr_buffer),
+				  buffer_len(&stderr_buffer));
+		packet_send();
+		/* Update the count of sent bytes. */
+		stderr_bytes += buffer_len(&stderr_buffer);
+	}
+	/* Wait until all buffered data has been written to the client. */
+	packet_write_wait();
+}
+
+void
+process_buffered_input_packets()
+{
+	dispatch_run(DISPATCH_NONBLOCK, NULL);
+}
+
+/*
+ * Performs the interactive session.  This handles data transmission between
+ * the client and the program.  Note that the notion of stdin, stdout, and
+ * stderr in this function is sort of reversed: this function writes to
+ * stdin (of the child program), and reads from stdout and stderr (of the
+ * child program).
+ */
+void
+server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+{
+	fd_set readset, writeset;
+	int wait_status;	/* Status returned by wait(). */
+	pid_t wait_pid;		/* pid returned by wait(). */
+	int waiting_termination = 0;	/* Have displayed waiting close message. */
+	unsigned int max_time_milliseconds;
+	unsigned int previous_stdout_buffer_bytes;
+	unsigned int stdout_buffer_bytes;
+	int type;
+
+	debug("Entering interactive session.");
+
+	/* Initialize the SIGCHLD kludge. */
+	child_pid = pid;
+	child_terminated = 0;
+	signal(SIGCHLD, sigchld_handler);
+
+	/* Initialize our global variables. */
+	fdin = fdin_arg;
+	fdout = fdout_arg;
+	fderr = fderr_arg;
+
+	/* nonblocking IO */
+	set_nonblock(fdin);
+	set_nonblock(fdout);
+	/* we don't have stderr for interactive terminal sessions, see below */
+	if (fderr != -1)
+		set_nonblock(fderr);
+
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+
+	previous_stdout_buffer_bytes = 0;
+
+	/* Set approximate I/O buffer size. */
+	if (packet_is_interactive())
+		buffer_high = 4096;
+	else
+		buffer_high = 64 * 1024;
+
+	/* Initialize max_fd to the maximum of the known file descriptors. */
+	max_fd = fdin;
+	if (fdout > max_fd)
+		max_fd = fdout;
+	if (fderr != -1 && fderr > max_fd)
+		max_fd = fderr;
+	if (connection_in > max_fd)
+		max_fd = connection_in;
+	if (connection_out > max_fd)
+		max_fd = connection_out;
+
+	/* Initialize Initialize buffers. */
+	buffer_init(&stdin_buffer);
+	buffer_init(&stdout_buffer);
+	buffer_init(&stderr_buffer);
+
+	/*
+	 * If we have no separate fderr (which is the case when we have a pty
+	 * - there we cannot make difference between data sent to stdout and
+	 * stderr), indicate that we have seen an EOF from stderr.  This way
+	 * we don\'t need to check the descriptor everywhere.
+	 */
+	if (fderr == -1)
+		fderr_eof = 1;
+
+	server_init_dispatch();
+
+	/* Main loop of the server for the interactive session mode. */
+	for (;;) {
+
+		/* Process buffered packets from the client. */
+		process_buffered_input_packets();
+
+		/*
+		 * If we have received eof, and there is no more pending
+		 * input data, cause a real eof by closing fdin.
+		 */
+		if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
+#ifdef USE_PIPES
+			close(fdin);
+#else
+			if (fdin != fdout)
+				close(fdin);
+			else
+				shutdown(fdin, SHUT_WR); /* We will no longer send. */
+#endif
+			fdin = -1;
+		}
+		/* Make packets from buffered stderr data to send to the client. */
+		make_packets_from_stderr_data();
+
+		/*
+		 * Make packets from buffered stdout data to send to the
+		 * client. If there is very little to send, this arranges to
+		 * not send them now, but to wait a short while to see if we
+		 * are getting more data. This is necessary, as some systems
+		 * wake up readers from a pty after each separate character.
+		 */
+		max_time_milliseconds = 0;
+		stdout_buffer_bytes = buffer_len(&stdout_buffer);
+		if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 &&
+		    stdout_buffer_bytes != previous_stdout_buffer_bytes) {
+			/* try again after a while */
+			max_time_milliseconds = 10;
+		} else {
+			/* Send it now. */
+			make_packets_from_stdout_data();
+		}
+		previous_stdout_buffer_bytes = buffer_len(&stdout_buffer);
+
+		/* Send channel data to the client. */
+		if (packet_not_very_much_data_to_write())
+			channel_output_poll();
+
+		/*
+		 * Bail out of the loop if the program has closed its output
+		 * descriptors, and we have no more data to send to the
+		 * client, and there is no pending buffered data.
+		 */
+		if (fdout_eof && fderr_eof && !packet_have_data_to_write() &&
+		    buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) {
+			if (!channel_still_open())
+				break;
+			if (!waiting_termination) {
+				const char *s = "Waiting for forwarded connections to terminate...\r\n";
+				char *cp;
+				waiting_termination = 1;
+				buffer_append(&stderr_buffer, s, strlen(s));
+
+				/* Display list of open channels. */
+				cp = channel_open_message();
+				buffer_append(&stderr_buffer, cp, strlen(cp));
+				xfree(cp);
+			}
+		}
+		/* Sleep in select() until we can do something. */
+		wait_until_can_do_something(&readset, &writeset,
+					    max_time_milliseconds);
+
+		/* Process any channel events. */
+		channel_after_select(&readset, &writeset);
+
+		/* Process input from the client and from program stdout/stderr. */
+		process_input(&readset);
+
+		/* Process output to the client and to program stdin. */
+		process_output(&writeset);
+	}
+
+	/* Cleanup and termination code. */
+
+	/* Wait until all output has been sent to the client. */
+	drain_output();
+
+	debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
+	      stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);
+
+	/* Free and clear the buffers. */
+	buffer_free(&stdin_buffer);
+	buffer_free(&stdout_buffer);
+	buffer_free(&stderr_buffer);
+
+	/* Close the file descriptors. */
+	if (fdout != -1)
+		close(fdout);
+	fdout = -1;
+	fdout_eof = 1;
+	if (fderr != -1)
+		close(fderr);
+	fderr = -1;
+	fderr_eof = 1;
+	if (fdin != -1)
+		close(fdin);
+	fdin = -1;
+
+	/* Stop listening for channels; this removes unix domain sockets. */
+	channel_stop_listening();
+
+	/* Wait for the child to exit.  Get its exit status. */
+	wait_pid = wait(&wait_status);
+	if (wait_pid < 0) {
+		/*
+		 * It is possible that the wait was handled by SIGCHLD
+		 * handler.  This may result in either: this call
+		 * returning with EINTR, or: this call returning ECHILD.
+		 */
+		if (child_terminated)
+			wait_status = child_wait_status;
+		else
+			packet_disconnect("wait: %.100s", strerror(errno));
+	} else {
+		/* Check if it matches the process we forked. */
+		if (wait_pid != pid)
+			error("Strange, wait returned pid %d, expected %d",
+			       wait_pid, pid);
+	}
+
+	/* We no longer want our SIGCHLD handler to be called. */
+	signal(SIGCHLD, SIG_DFL);
+
+	/* Check if it exited normally. */
+	if (WIFEXITED(wait_status)) {
+		/* Yes, normal exit.  Get exit status and send it to the client. */
+		debug("Command exited with status %d.", WEXITSTATUS(wait_status));
+		packet_start(SSH_SMSG_EXITSTATUS);
+		packet_put_int(WEXITSTATUS(wait_status));
+		packet_send();
+		packet_write_wait();
+
+		/*
+		 * Wait for exit confirmation.  Note that there might be
+		 * other packets coming before it; however, the program has
+		 * already died so we just ignore them.  The client is
+		 * supposed to respond with the confirmation when it receives
+		 * the exit status.
+		 */
+		do {
+			int plen;
+			type = packet_read(&plen);
+		}
+		while (type != SSH_CMSG_EXIT_CONFIRMATION);
+
+		debug("Received exit confirmation.");
+		return;
+	}
+	/* Check if the program terminated due to a signal. */
+	if (WIFSIGNALED(wait_status))
+		packet_disconnect("Command terminated on signal %d.",
+				  WTERMSIG(wait_status));
+
+	/* Some weird exit cause.  Just exit. */
+	packet_disconnect("wait returned status %04x.", wait_status);
+	/* NOTREACHED */
+}
+
+void
+server_loop2(void)
+{
+	fd_set readset, writeset;
+	int had_channel = 0;
+	int status;
+	pid_t pid;
+
+	debug("Entering interactive session for SSH2.");
+
+	signal(SIGCHLD, sigchld_handler2);
+	child_terminated = 0;
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+	max_fd = connection_in;
+	if (connection_out > max_fd)
+		max_fd = connection_out;
+	server_init_dispatch();
+
+	for (;;) {
+		process_buffered_input_packets();
+		if (!had_channel && channel_still_open())
+			had_channel = 1;
+		if (had_channel && !channel_still_open()) {
+			debug("!channel_still_open.");
+			break;
+		}
+		if (packet_not_very_much_data_to_write())
+			channel_output_poll();
+		wait_until_can_do_something(&readset, &writeset, 0);
+		if (child_terminated) {
+			while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+				session_close_by_pid(pid, status);
+			child_terminated = 0;
+		}
+		channel_after_select(&readset, &writeset);
+		process_input(&readset);
+		process_output(&writeset);
+	}
+	signal(SIGCHLD, SIG_DFL);
+	while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+		session_close_by_pid(pid, status);
+	channel_stop_listening();
+}
+
+void
+server_input_stdin_data(int type, int plen)
+{
+	char *data;
+	unsigned int data_len;
+
+	/* Stdin data from the client.  Append it to the buffer. */
+	/* Ignore any data if the client has closed stdin. */
+	if (fdin == -1)
+		return;
+	data = packet_get_string(&data_len);
+	packet_integrity_check(plen, (4 + data_len), type);
+	buffer_append(&stdin_buffer, data, data_len);
+	memset(data, 0, data_len);
+	xfree(data);
+}
+
+void
+server_input_eof(int type, int plen)
+{
+	/*
+	 * Eof from the client.  The stdin descriptor to the
+	 * program will be closed when all buffered data has
+	 * drained.
+	 */
+	debug("EOF received for stdin.");
+	packet_integrity_check(plen, 0, type);
+	stdin_eof = 1;
+}
+
+void
+server_input_window_size(int type, int plen)
+{
+	int row = packet_get_int();
+	int col = packet_get_int();
+	int xpixel = packet_get_int();
+	int ypixel = packet_get_int();
+
+	debug("Window change received.");
+	packet_integrity_check(plen, 4 * 4, type);
+	if (fdin != -1)
+		pty_change_window_size(fdin, row, col, xpixel, ypixel);
+}
+
+int
+input_direct_tcpip(void)
+{
+	int sock;
+	char *target, *originator;
+	int target_port, originator_port;
+
+	target = packet_get_string(NULL);
+	target_port = packet_get_int();
+	originator = packet_get_string(NULL);
+	originator_port = packet_get_int();
+	packet_done();
+
+	debug("open direct-tcpip: from %s port %d to %s port %d",
+	   originator, originator_port, target, target_port);
+	/* XXX check permission */
+	sock = channel_connect_to(target, target_port);
+	xfree(target);
+	xfree(originator);
+	if (sock < 0)
+		return -1;
+	return channel_new("direct-tcpip", SSH_CHANNEL_OPEN,
+	    sock, sock, -1, 4*1024, 32*1024, 0, xstrdup("direct-tcpip"));
+}
+
+void
+server_input_channel_open(int type, int plen)
+{
+	Channel *c = NULL;
+	char *ctype;
+	int id;
+	unsigned int len;
+	int rchan;
+	int rmaxpack;
+	int rwindow;
+
+	ctype = packet_get_string(&len);
+	rchan = packet_get_int();
+	rwindow = packet_get_int();
+	rmaxpack = packet_get_int();
+
+	debug("channel_input_open: ctype %s rchan %d win %d max %d",
+	    ctype, rchan, rwindow, rmaxpack);
+
+	if (strcmp(ctype, "session") == 0) {
+		debug("open session");
+		packet_done();
+		/*
+		 * A server session has no fd to read or write
+		 * until a CHANNEL_REQUEST for a shell is made,
+		 * so we set the type to SSH_CHANNEL_LARVAL.
+		 * Additionally, a callback for handling all
+		 * CHANNEL_REQUEST messages is registered.
+		 */
+		id = channel_new(ctype, SSH_CHANNEL_LARVAL,
+		    -1, -1, -1, 0, 32*1024, 0, xstrdup("server-session"));
+		if (session_open(id) == 1) {
+			channel_register_callback(id, SSH2_MSG_CHANNEL_REQUEST,
+			    session_input_channel_req, (void *)0);
+			channel_register_cleanup(id, session_close_by_channel);
+			c = channel_lookup(id);
+		} else {
+			debug("session open failed, free channel %d", id);
+			channel_free(id);
+		}
+	} else if (strcmp(ctype, "direct-tcpip") == 0) {
+		id = input_direct_tcpip();
+		if (id >= 0)
+			c = channel_lookup(id);
+	}
+	if (c != NULL) {
+		debug("confirm %s", ctype);
+		c->remote_id = rchan;
+		c->remote_window = rwindow;
+		c->remote_maxpacket = rmaxpack;
+
+		packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->self);
+		packet_put_int(c->local_window);
+		packet_put_int(c->local_maxpacket);
+		packet_send();
+	} else {
+		debug("failure %s", ctype);
+		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(rchan);
+		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+		packet_put_cstring("bla bla");
+		packet_put_cstring("");
+		packet_send();
+	}
+	xfree(ctype);
+}
+
+void
+server_init_dispatch_20()
+{
+	debug("server_init_dispatch_20");
+	dispatch_init(&dispatch_protocol_error);
+	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
+	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
+	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
+	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+}
+void
+server_init_dispatch_13()
+{
+	debug("server_init_dispatch_13");
+	dispatch_init(NULL);
+	dispatch_set(SSH_CMSG_EOF, &server_input_eof);
+	dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data);
+	dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
+}
+void
+server_init_dispatch_15()
+{
+	server_init_dispatch_13();
+	debug("server_init_dispatch_15");
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose);
+}
+void
+server_init_dispatch()
+{
+	if (compat20)
+		server_init_dispatch_20();
+	else if (compat13)
+		server_init_dispatch_13();
+	else
+		server_init_dispatch_15();
+}
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
new file mode 100644
index 0000000..1cd8e21
--- /dev/null
+++ b/crypto/openssh/session.c
@@ -0,0 +1,1777 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ */
+/*
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: session.c,v 1.15 2000/05/30 17:23:37 markus Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+#include "pty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "servconf.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "channels.h"
+#include "nchan.h"
+
+#include "bufaux.h"
+#include "ssh2.h"
+#include "auth.h"
+
+#ifdef __FreeBSD__
+#define	LOGIN_CAP
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* __FreeBSD__ */
+
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif /* LOGIN_CAP */
+
+#ifdef KRB5
+extern krb5_context ssh_context;
+#endif
+
+/* types */
+
+#define TTYSZ 64
+typedef struct Session Session;
+struct Session {
+	int	used;
+	int	self;
+	int	extended;
+	struct	passwd *pw;
+	pid_t	pid;
+	/* tty */
+	char	*term;
+	int	ptyfd, ttyfd, ptymaster;
+	int	row, col, xpixel, ypixel;
+	char	tty[TTYSZ];
+	/* X11 */
+	char	*display;
+	int	screen;
+	char	*auth_proto;
+	char	*auth_data;
+	int	single_connection;
+	/* proto 2 */
+	int	chanid;
+};
+
+/* func */
+
+Session *session_new(void);
+void	session_set_fds(Session *s, int fdin, int fdout, int fderr);
+void	session_pty_cleanup(Session *s);
+void	session_proctitle(Session *s);
+void	do_exec_pty(Session *s, const char *command, struct passwd * pw);
+void	do_exec_no_pty(Session *s, const char *command, struct passwd * pw);
+
+void
+do_child(const char *command, struct passwd * pw, const char *term,
+    const char *display, const char *auth_proto,
+    const char *auth_data, const char *ttyname);
+
+/* import */
+extern ServerOptions options;
+extern char *__progname;
+extern int log_stderr;
+extern int debug_flag;
+
+/* Local Xauthority file. */
+static char *xauthfile;
+
+/* data */
+#define MAX_SESSIONS 10
+Session	sessions[MAX_SESSIONS];
+
+/* Flags set in auth-rsa from authorized_keys flags.  These are set in auth-rsa.c. */
+int no_port_forwarding_flag = 0;
+int no_agent_forwarding_flag = 0;
+int no_x11_forwarding_flag = 0;
+int no_pty_flag = 0;
+
+/* RSA authentication "command=" option. */
+char *forced_command = NULL;
+
+/* RSA authentication "environment=" options. */
+struct envstring *custom_environment = NULL;
+
+/*
+ * Remove local Xauthority file.
+ */
+void
+xauthfile_cleanup_proc(void *ignore)
+{
+	debug("xauthfile_cleanup_proc called");
+
+	if (xauthfile != NULL) {
+		char *p;
+		unlink(xauthfile);
+		p = strrchr(xauthfile, '/');
+		if (p != NULL) {
+			*p = '\0';
+			rmdir(xauthfile);
+		}
+		xfree(xauthfile);
+		xauthfile = NULL;
+	}
+}
+
+/*
+ * Function to perform cleanup if we get aborted abnormally (e.g., due to a
+ * dropped connection).
+ */
+void
+pty_cleanup_proc(void *session)
+{
+	Session *s=session;
+	if (s == NULL)
+		fatal("pty_cleanup_proc: no session");
+	debug("pty_cleanup_proc: %s", s->tty);
+
+	if (s->pid != 0) {
+		/* Record that the user has logged out. */
+		record_logout(s->pid, s->tty);
+	}
+
+	/* Release the pseudo-tty. */
+	pty_release(s->tty);
+}
+
+/*
+ * Prepares for an interactive session.  This is called after the user has
+ * been successfully authenticated.  During this message exchange, pseudo
+ * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
+ * are requested, etc.
+ */
+void
+do_authenticated(struct passwd * pw)
+{
+	Session *s;
+	int type;
+	int compression_level = 0, enable_compression_after_reply = 0;
+	int have_pty = 0;
+	char *command;
+	int n_bytes;
+	int plen;
+	unsigned int proto_len, data_len, dlen;
+
+	/*
+	 * Cancel the alarm we set to limit the time taken for
+	 * authentication.
+	 */
+	alarm(0);
+
+	/*
+	 * Inform the channel mechanism that we are the server side and that
+	 * the client may request to connect to any port at all. (The user
+	 * could do it anyway, and we wouldn\'t know what is permitted except
+	 * by the client telling us, so we can equally well trust the client
+	 * not to request anything bogus.)
+	 */
+	if (!no_port_forwarding_flag)
+		channel_permit_all_opens();
+
+	s = session_new();
+	s->pw = pw;
+
+	/*
+	 * We stay in this loop until the client requests to execute a shell
+	 * or a command.
+	 */
+	for (;;) {
+		int success = 0;
+
+		/* Get a packet from the client. */
+		type = packet_read(&plen);
+
+		/* Process the packet. */
+		switch (type) {
+		case SSH_CMSG_REQUEST_COMPRESSION:
+			packet_integrity_check(plen, 4, type);
+			compression_level = packet_get_int();
+			if (compression_level < 1 || compression_level > 9) {
+				packet_send_debug("Received illegal compression level %d.",
+				     compression_level);
+				break;
+			}
+			/* Enable compression after we have responded with SUCCESS. */
+			enable_compression_after_reply = 1;
+			success = 1;
+			break;
+
+		case SSH_CMSG_REQUEST_PTY:
+			if (no_pty_flag) {
+				debug("Allocating a pty not permitted for this authentication.");
+				break;
+			}
+			if (have_pty)
+				packet_disconnect("Protocol error: you already have a pty.");
+
+			debug("Allocating pty.");
+
+			/* Allocate a pty and open it. */
+			if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
+			    sizeof(s->tty))) {
+				error("Failed to allocate pty.");
+				break;
+			}
+			fatal_add_cleanup(pty_cleanup_proc, (void *)s);
+			pty_setowner(pw, s->tty);
+
+			/* Get TERM from the packet.  Note that the value may be of arbitrary length. */
+			s->term = packet_get_string(&dlen);
+			packet_integrity_check(dlen, strlen(s->term), type);
+			/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
+			/* Remaining bytes */
+			n_bytes = plen - (4 + dlen + 4 * 4);
+
+			if (strcmp(s->term, "") == 0) {
+				xfree(s->term);
+				s->term = NULL;
+			}
+			/* Get window size from the packet. */
+			s->row = packet_get_int();
+			s->col = packet_get_int();
+			s->xpixel = packet_get_int();
+			s->ypixel = packet_get_int();
+			pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+
+			/* Get tty modes from the packet. */
+			tty_parse_modes(s->ttyfd, &n_bytes);
+			packet_integrity_check(plen, 4 + dlen + 4 * 4 + n_bytes, type);
+
+			session_proctitle(s);
+
+			/* Indicate that we now have a pty. */
+			success = 1;
+			have_pty = 1;
+			break;
+
+		case SSH_CMSG_X11_REQUEST_FORWARDING:
+			if (!options.x11_forwarding) {
+				packet_send_debug("X11 forwarding disabled in server configuration file.");
+				break;
+			}
+#ifdef XAUTH_PATH
+			if (no_x11_forwarding_flag) {
+				packet_send_debug("X11 forwarding not permitted for this authentication.");
+				break;
+			}
+			debug("Received request for X11 forwarding with auth spoofing.");
+			if (s->display != NULL)
+				packet_disconnect("Protocol error: X11 display already set.");
+
+			s->auth_proto = packet_get_string(&proto_len);
+			s->auth_data = packet_get_string(&data_len);
+			packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
+
+			if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
+				s->screen = packet_get_int();
+			else
+				s->screen = 0;
+			s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+
+			if (s->display == NULL)
+				break;
+
+			/* Setup to always have a local .Xauthority. */
+			xauthfile = xmalloc(MAXPATHLEN);
+			strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+			temporarily_use_uid(pw->pw_uid);
+			if (mkdtemp(xauthfile) == NULL) {
+				restore_uid();
+				error("private X11 dir: mkdtemp %s failed: %s",
+				    xauthfile, strerror(errno));
+				xfree(xauthfile);
+				xauthfile = NULL;
+				/* XXXX remove listening channels */
+				break;
+			}
+			strlcat(xauthfile, "/cookies", MAXPATHLEN);
+			open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+			restore_uid();
+			fatal_add_cleanup(xauthfile_cleanup_proc, NULL);
+			success = 1;
+			break;
+#else /* XAUTH_PATH */
+			packet_send_debug("No xauth program; cannot forward with spoofing.");
+			break;
+#endif /* XAUTH_PATH */
+
+		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
+			if (no_agent_forwarding_flag || compat13) {
+				debug("Authentication agent forwarding not permitted for this authentication.");
+				break;
+			}
+			debug("Received authentication agent forwarding request.");
+			success = auth_input_request_forwarding(pw);
+			break;
+
+		case SSH_CMSG_PORT_FORWARD_REQUEST:
+			if (no_port_forwarding_flag) {
+				debug("Port forwarding not permitted for this authentication.");
+				break;
+			}
+			debug("Received TCP/IP port forwarding request.");
+			channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
+			success = 1;
+			break;
+
+		case SSH_CMSG_MAX_PACKET_SIZE:
+			if (packet_set_maxsize(packet_get_int()) > 0)
+				success = 1;
+			break;
+
+		case SSH_CMSG_EXEC_SHELL:
+		case SSH_CMSG_EXEC_CMD:
+			/* Set interactive/non-interactive mode. */
+			packet_set_interactive(have_pty || s->display != NULL,
+			    options.keepalives);
+
+			if (type == SSH_CMSG_EXEC_CMD) {
+				command = packet_get_string(&dlen);
+				debug("Exec command '%.500s'", command);
+				packet_integrity_check(plen, 4 + dlen, type);
+			} else {
+				command = NULL;
+				packet_integrity_check(plen, 0, type);
+			}
+			if (forced_command != NULL) {
+				command = forced_command;
+				debug("Forced command '%.500s'", forced_command);
+			}
+			if (have_pty)
+				do_exec_pty(s, command, pw);
+			else
+				do_exec_no_pty(s, command, pw);
+
+			if (command != NULL)
+				xfree(command);
+			/* Cleanup user's local Xauthority file. */
+			if (xauthfile)
+				xauthfile_cleanup_proc(NULL);
+			return;
+
+		default:
+			/*
+			 * Any unknown messages in this phase are ignored,
+			 * and a failure message is returned.
+			 */
+			log("Unknown packet type received after authentication: %d", type);
+		}
+		packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+
+		/* Enable compression now that we have replied if appropriate. */
+		if (enable_compression_after_reply) {
+			enable_compression_after_reply = 0;
+			packet_start_compression(compression_level);
+		}
+	}
+}
+
+/*
+ * This is called to fork and execute a command when we have no tty.  This
+ * will call do_child from the child, and server_loop from the parent after
+ * setting up file descriptors and such.
+ */
+void
+do_exec_no_pty(Session *s, const char *command, struct passwd * pw)
+{
+	int pid;
+
+#ifdef USE_PIPES
+	int pin[2], pout[2], perr[2];
+	/* Allocate pipes for communicating with the program. */
+	if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0)
+		packet_disconnect("Could not create pipes: %.100s",
+				  strerror(errno));
+#else /* USE_PIPES */
+	int inout[2], err[2];
+	/* Uses socket pairs to communicate with the program. */
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 ||
+	    socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0)
+		packet_disconnect("Could not create socket pairs: %.100s",
+				  strerror(errno));
+#endif /* USE_PIPES */
+	if (s == NULL)
+		fatal("do_exec_no_pty: no session");
+
+	session_proctitle(s);
+
+	/* Fork the child. */
+	if ((pid = fork()) == 0) {
+		/* Child.  Reinitialize the log since the pid has changed. */
+		log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+		/*
+		 * Create a new session and process group since the 4.4BSD
+		 * setlogin() affects the entire process group.
+		 */
+		if (setsid() < 0)
+			error("setsid failed: %.100s", strerror(errno));
+
+#ifdef USE_PIPES
+		/*
+		 * Redirect stdin.  We close the parent side of the socket
+		 * pair, and make the child side the standard input.
+		 */
+		close(pin[1]);
+		if (dup2(pin[0], 0) < 0)
+			perror("dup2 stdin");
+		close(pin[0]);
+
+		/* Redirect stdout. */
+		close(pout[0]);
+		if (dup2(pout[1], 1) < 0)
+			perror("dup2 stdout");
+		close(pout[1]);
+
+		/* Redirect stderr. */
+		close(perr[0]);
+		if (dup2(perr[1], 2) < 0)
+			perror("dup2 stderr");
+		close(perr[1]);
+#else /* USE_PIPES */
+		/*
+		 * Redirect stdin, stdout, and stderr.  Stdin and stdout will
+		 * use the same socket, as some programs (particularly rdist)
+		 * seem to depend on it.
+		 */
+		close(inout[1]);
+		close(err[1]);
+		if (dup2(inout[0], 0) < 0)	/* stdin */
+			perror("dup2 stdin");
+		if (dup2(inout[0], 1) < 0)	/* stdout.  Note: same socket as stdin. */
+			perror("dup2 stdout");
+		if (dup2(err[0], 2) < 0)	/* stderr */
+			perror("dup2 stderr");
+#endif /* USE_PIPES */
+
+		/* Do processing for the child (exec command etc). */
+		do_child(command, pw, NULL, s->display, s->auth_proto, s->auth_data, NULL);
+		/* NOTREACHED */
+	}
+	if (pid < 0)
+		packet_disconnect("fork failed: %.100s", strerror(errno));
+	s->pid = pid;
+#ifdef USE_PIPES
+	/* We are the parent.  Close the child sides of the pipes. */
+	close(pin[0]);
+	close(pout[1]);
+	close(perr[1]);
+
+	if (compat20) {
+		session_set_fds(s, pin[1], pout[0], s->extended ? perr[0] : -1);
+	} else {
+		/* Enter the interactive session. */
+		server_loop(pid, pin[1], pout[0], perr[0]);
+		/* server_loop has closed pin[1], pout[1], and perr[1]. */
+	}
+#else /* USE_PIPES */
+	/* We are the parent.  Close the child sides of the socket pairs. */
+	close(inout[0]);
+	close(err[0]);
+
+	/*
+	 * Enter the interactive session.  Note: server_loop must be able to
+	 * handle the case that fdin and fdout are the same.
+	 */
+	if (compat20) {
+		session_set_fds(s, inout[1], inout[1], s->extended ? err[1] : -1);
+	} else {
+		server_loop(pid, inout[1], inout[1], err[1]);
+		/* server_loop has closed inout[1] and err[1]. */
+	}
+#endif /* USE_PIPES */
+}
+
+/*
+ * This is called to fork and execute a command when we have a tty.  This
+ * will call do_child from the child, and server_loop from the parent after
+ * setting up file descriptors, controlling tty, updating wtmp, utmp,
+ * lastlog, and other such operations.
+ */
+void
+do_exec_pty(Session *s, const char *command, struct passwd * pw)
+{
+	FILE *f;
+	char buf[100], *time_string;
+	char line[256];
+	const char *hostname;
+	int fdout, ptyfd, ttyfd, ptymaster;
+	int quiet_login;
+	pid_t pid;
+	socklen_t fromlen;
+	struct sockaddr_storage from;
+	struct stat st;
+	time_t last_login_time;
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+	char *fname;
+#endif /* LOGIN_CAP */
+#ifdef __FreeBSD__
+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
+	struct timeval tv;
+	time_t warntime = DEFAULT_WARN;
+#endif /* __FreeBSD__ */
+
+	if (s == NULL)
+		fatal("do_exec_pty: no session");
+	ptyfd = s->ptyfd;
+	ttyfd = s->ttyfd;
+
+	/* Get remote host name. */
+	hostname = get_canonical_hostname();
+
+	/*
+	 * Get the time when the user last logged in.  Buf will be set to
+	 * contain the hostname the last login was from.
+	 */
+	if (!options.use_login) {
+		last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name,
+						      buf, sizeof(buf));
+	}
+
+	/* Fork the child. */
+	if ((pid = fork()) == 0) {
+		pid = getpid();
+
+		/* Child.  Reinitialize the log because the pid has
+		   changed. */
+		log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+		/* Close the master side of the pseudo tty. */
+		close(ptyfd);
+
+		/* Make the pseudo tty our controlling tty. */
+		pty_make_controlling_tty(&ttyfd, s->tty);
+
+		/* Redirect stdin from the pseudo tty. */
+		if (dup2(ttyfd, fileno(stdin)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Redirect stdout to the pseudo tty. */
+		if (dup2(ttyfd, fileno(stdout)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Redirect stderr to the pseudo tty. */
+		if (dup2(ttyfd, fileno(stderr)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Close the extra descriptor for the pseudo tty. */
+		close(ttyfd);
+
+/* XXXX ? move to do_child() ??*/
+		/*
+		 * Get IP address of client.  This is needed because we want
+		 * to record where the user logged in from.  If the
+		 * connection is not a socket, let the ip address be 0.0.0.0.
+		 */
+		memset(&from, 0, sizeof(from));
+		if (packet_connection_is_on_socket()) {
+			fromlen = sizeof(from);
+			if (getpeername(packet_get_connection_in(),
+			     (struct sockaddr *) & from, &fromlen) < 0) {
+				debug("getpeername: %.100s", strerror(errno));
+				fatal_cleanup();
+			}
+		}
+		/* Record that there was a login on that terminal. */
+		record_login(pid, s->tty, pw->pw_name, pw->pw_uid, hostname,
+			     (struct sockaddr *)&from);
+
+		/* Check if .hushlogin exists. */
+		snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
+		quiet_login = stat(line, &st) >= 0;
+
+#ifdef LOGIN_CAP
+		lc = login_getpwclass(pw);
+		if (lc == NULL)
+			lc = login_getclassbyname(NULL, pw);
+		quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+#endif /* LOGIN_CAP */
+
+#ifdef __FreeBSD__
+		if (pw->pw_change || pw->pw_expire)
+			(void)gettimeofday(&tv, NULL);
+#ifdef LOGIN_CAP
+		warntime = login_getcaptime(lc, "warnpassword",
+					    DEFAULT_WARN, DEFAULT_WARN);
+#endif /* LOGIN_CAP */
+		/*
+		 * If the password change time is set and has passed, give the
+		 * user a password expiry notice and chance to change it.
+		 */
+		if (pw->pw_change != 0) {
+			if (tv.tv_sec >= pw->pw_change) {
+				(void)printf(
+				    "Sorry -- your password has expired.\n");
+				log("%s Password expired - forcing change",
+				    pw->pw_name);
+				command = _PATH_CHPASS;
+			} else if (pw->pw_change - tv.tv_sec < warntime &&
+				   !quiet_login)
+				(void)printf(
+				    "Warning: your password expires on %s",
+				     ctime(&pw->pw_change));
+		}
+#ifdef LOGIN_CAP
+		warntime = login_getcaptime(lc, "warnexpire",
+					    DEFAULT_WARN, DEFAULT_WARN);
+#endif /* LOGIN_CAP */
+		if (pw->pw_expire) {
+			if (tv.tv_sec >= pw->pw_expire) {
+				(void)printf(
+				    "Sorry -- your account has expired.\n");
+				log(
+		   "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+					pw->pw_name, hostname, ttyname);
+				exit(254);
+			} else if (pw->pw_expire - tv.tv_sec < warntime &&
+				   !quiet_login)
+				(void)printf(
+				    "Warning: your account expires on %s",
+				     ctime(&pw->pw_expire));
+		}
+#endif /* __FreeBSD__ */
+#ifdef LOGIN_CAP
+		if (!auth_ttyok(lc, ttyname)) {
+			(void)printf("Permission denied.\n");
+			log(
+		       "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+			    pw->pw_name, hostname, ttyname);
+			exit(254);
+		}
+#endif /* LOGIN_CAP */
+
+		/*
+		 * If the user has logged in before, display the time of last
+		 * login. However, don't display anything extra if a command
+		 * has been specified (so that ssh can be used to execute
+		 * commands on a remote machine without users knowing they
+		 * are going to another machine). Login(1) will do this for
+		 * us as well, so check if login(1) is used
+		 */
+		if (command == NULL && last_login_time != 0 && !quiet_login &&
+		    !options.use_login) {
+			/* Convert the date to a string. */
+			time_string = ctime(&last_login_time);
+			/* Remove the trailing newline. */
+			if (strchr(time_string, '\n'))
+				*strchr(time_string, '\n') = 0;
+			/* Display the last login time.  Host if displayed
+			   if known. */
+			if (strcmp(buf, "") == 0)
+				printf("Last login: %s\r\n", time_string);
+			else
+				printf("Last login: %s from %s\r\n", time_string, buf);
+		}
+
+#ifdef LOGIN_CAP
+		if (command == NULL && !quiet_login && !options.use_login) {
+			fname = login_getcapstr(lc, "copyright", NULL, NULL);
+			if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+				while (fgets(line, sizeof(line), f) != NULL)
+					fputs(line, stdout);
+				fclose(f);
+			} else
+				(void)printf("%s\n\t%s %s\n",
+		"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+		    "The Regents of the University of California. ",
+		    "All rights reserved.");
+		}
+#endif /* LOGIN_CAP */
+
+		/*
+		 * Print /etc/motd unless a command was specified or printing
+		 * it was disabled in server options or login(1) will be
+		 * used.  Note that some machines appear to print it in
+		 * /etc/profile or similar.
+		 */
+		if (command == NULL && options.print_motd && !quiet_login &&
+		    !options.use_login) {
+#ifdef LOGIN_CAP
+			fname = login_getcapstr(lc, "welcome", NULL, NULL);
+			if (fname == NULL || (f = fopen(fname, "r")) == NULL)
+				f = fopen("/etc/motd", "r");
+#else /* !LOGIN_CAP */
+			f = fopen("/etc/motd", "r");
+#endif /* LOGIN_CAP */
+			/* Print /etc/motd if it exists. */
+			if (f) {
+				while (fgets(line, sizeof(line), f))
+					fputs(line, stdout);
+				fclose(f);
+			}
+		}
+#ifdef LOGIN_CAP
+		login_close(lc);
+#endif /* LOGIN_CAP */
+
+		/* Do common processing for the child, such as execing the command. */
+		do_child(command, pw, s->term, s->display, s->auth_proto,
+		    s->auth_data, s->tty);
+		/* NOTREACHED */
+	}
+	if (pid < 0)
+		packet_disconnect("fork failed: %.100s", strerror(errno));
+	s->pid = pid;
+
+	/* Parent.  Close the slave side of the pseudo tty. */
+	close(ttyfd);
+
+	/*
+	 * Create another descriptor of the pty master side for use as the
+	 * standard input.  We could use the original descriptor, but this
+	 * simplifies code in server_loop.  The descriptor is bidirectional.
+	 */
+	fdout = dup(ptyfd);
+	if (fdout < 0)
+		packet_disconnect("dup #1 failed: %.100s", strerror(errno));
+
+	/* we keep a reference to the pty master */
+	ptymaster = dup(ptyfd);
+	if (ptymaster < 0)
+		packet_disconnect("dup #2 failed: %.100s", strerror(errno));
+	s->ptymaster = ptymaster;
+
+	/* Enter interactive session. */
+	if (compat20) {
+		session_set_fds(s, ptyfd, fdout, -1);
+	} else {
+		server_loop(pid, ptyfd, fdout, -1);
+		/* server_loop _has_ closed ptyfd and fdout. */
+		session_pty_cleanup(s);
+	}
+}
+
+/*
+ * Sets the value of the given variable in the environment.  If the variable
+ * already exists, its value is overriden.
+ */
+void
+child_set_env(char ***envp, unsigned int *envsizep, const char *name,
+	      const char *value)
+{
+	unsigned int i, namelen;
+	char **env;
+
+	/*
+	 * Find the slot where the value should be stored.  If the variable
+	 * already exists, we reuse the slot; otherwise we append a new slot
+	 * at the end of the array, expanding if necessary.
+	 */
+	env = *envp;
+	namelen = strlen(name);
+	for (i = 0; env[i]; i++)
+		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
+			break;
+	if (env[i]) {
+		/* Reuse the slot. */
+		xfree(env[i]);
+	} else {
+		/* New variable.  Expand if necessary. */
+		if (i >= (*envsizep) - 1) {
+			(*envsizep) += 50;
+			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+		}
+		/* Need to set the NULL pointer at end of array beyond the new slot. */
+		env[i + 1] = NULL;
+	}
+
+	/* Allocate space and format the variable in the appropriate slot. */
+	env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
+	snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
+}
+
+/*
+ * Reads environment variables from the given file and adds/overrides them
+ * into the environment.  If the file does not exist, this does nothing.
+ * Otherwise, it must consist of empty lines, comments (line starts with '#')
+ * and assignments of the form name=value.  No other forms are allowed.
+ */
+void
+read_environment_file(char ***env, unsigned int *envsize,
+		      const char *filename)
+{
+	FILE *f;
+	char buf[4096];
+	char *cp, *value;
+
+	f = fopen(filename, "r");
+	if (!f)
+		return;
+
+	while (fgets(buf, sizeof(buf), f)) {
+		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '#' || *cp == '\n')
+			continue;
+		if (strchr(cp, '\n'))
+			*strchr(cp, '\n') = '\0';
+		value = strchr(cp, '=');
+		if (value == NULL) {
+			fprintf(stderr, "Bad line in %.100s: %.200s\n", filename, buf);
+			continue;
+		}
+		/*
+		 * Replace the equals sign by nul, and advance value to
+		 * the value string.
+		 */
+		*value = '\0';
+		value++;
+		child_set_env(env, envsize, cp, value);
+	}
+	fclose(f);
+}
+
+/*
+ * Performs common processing for the child, such as setting up the
+ * environment, closing extra file descriptors, setting the user and group
+ * ids, and executing the command or shell.
+ */
+void
+do_child(const char *command, struct passwd * pw, const char *term,
+	 const char *display, const char *auth_proto,
+	 const char *auth_data, const char *ttyname)
+{
+	char *shell;
+	const char *cp = NULL;
+	char buf[256];
+	FILE *f;
+	unsigned int envsize, i;
+	char **env = NULL;
+	extern char **environ;
+	struct stat st;
+	char *argv[10];
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+#endif
+
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
+#ifdef LOGIN_CAP
+	lc = login_getpwclass(pw);
+	if (lc == NULL)
+		lc = login_getclassbyname(NULL, pw);
+	if (pw->pw_uid != 0)
+		auth_checknologin(lc);
+#else /* !LOGIN_CAP */
+	f = fopen("/etc/nologin", "r");
+	if (f) {
+		/* /etc/nologin exists.  Print its contents and exit. */
+		while (fgets(buf, sizeof(buf), f))
+			fputs(buf, stderr);
+		fclose(f);
+		if (pw->pw_uid != 0)
+			exit(254);
+	}
+#endif /* LOGIN_CAP */
+
+#ifdef LOGIN_CAP
+	if (options.use_login)
+#endif /* LOGIN_CAP */
+	/* Set login name in the kernel. */
+	if (setlogin(pw->pw_name) < 0)
+		error("setlogin failed: %s", strerror(errno));
+
+	/* Set uid, gid, and groups. */
+	/* Login(1) does this as well, and it needs uid 0 for the "-h"
+	   switch, so we let login(1) to this for us. */
+	if (!options.use_login) {
+#ifdef LOGIN_CAP
+		char **tmpenv;
+
+		/* Initialize temp environment */
+		envsize = 64;
+		env = xmalloc(envsize * sizeof(char *));
+		env[0] = NULL;
+
+		child_set_env(&env, &envsize, "PATH",
+			      (pw->pw_uid == 0) ?
+			      _PATH_STDPATH : _PATH_DEFPATH);
+
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
+
+		if (getenv("TZ"))
+			child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+		/* Save parent environment */
+		tmpenv = environ;
+		environ = env;
+
+		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0)
+			fatal("setusercontext failed: %s", strerror(errno));
+
+		/* Restore parent environment */
+		env = environ;
+		environ = tmpenv;
+
+		for (envsize = 0; env[envsize] != NULL; ++envsize)
+			;
+		envsize = (envsize < 100) ? 100 : envsize + 16;
+		env = xrealloc(env, envsize * sizeof(char *));
+
+#else /* !LOGIN_CAP */
+		if (getuid() == 0 || geteuid() == 0) {
+			if (setgid(pw->pw_gid) < 0) {
+				perror("setgid");
+				exit(1);
+			}
+			/* Initialize the group list. */
+			if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+				perror("initgroups");
+				exit(1);
+			}
+			endgrent();
+
+			/* Permanently switch to the desired uid. */
+			permanently_set_uid(pw->pw_uid);
+		}
+		if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+			fatal("Failed to set uids to %d.", (int) pw->pw_uid);
+#endif /* LOGIN_CAP */
+	}
+	/*
+	 * Get the shell from the password data.  An empty shell field is
+	 * legal, and means /bin/sh.
+	 */
+	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+#ifdef LOGIN_CAP
+	shell = login_getcapstr(lc, "shell", shell, shell);
+#endif /* LOGIN_CAP */
+
+#ifdef AFS
+	/* Try to get AFS tokens for the local cell. */
+	if (k_hasafs()) {
+		char cell[64];
+
+		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+			krb_afslog(cell, 0);
+
+		krb_afslog(0, 0);
+	}
+#endif /* AFS */
+
+	/* Initialize the environment. */
+	if (env == NULL) {
+		envsize = 100;
+		env = xmalloc(envsize * sizeof(char *));
+		env[0] = NULL;
+	}
+
+	if (!options.use_login) {
+		/* Set basic environment. */
+		child_set_env(&env, &envsize, "USER", pw->pw_name);
+		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
+		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+#ifndef LOGIN_CAP
+		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
+#endif /* !LOGIN_CAP */
+
+		/* Normal systems set SHELL by default. */
+		child_set_env(&env, &envsize, "SHELL", shell);
+	}
+#ifdef LOGIN_CAP
+	if (options.use_login)
+#endif /* LOGIN_CAP */
+	if (getenv("TZ"))
+		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+	/* Set custom environment options from RSA authentication. */
+	while (custom_environment) {
+		struct envstring *ce = custom_environment;
+		char *s = ce->s;
+		int i;
+		for (i = 0; s[i] != '=' && s[i]; i++);
+		if (s[i] == '=') {
+			s[i] = 0;
+			child_set_env(&env, &envsize, s, s + i + 1);
+		}
+		custom_environment = ce->next;
+		xfree(ce->s);
+		xfree(ce);
+	}
+
+	snprintf(buf, sizeof buf, "%.50s %d %d",
+		 get_remote_ipaddr(), get_remote_port(), get_local_port());
+	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+	if (ttyname)
+		child_set_env(&env, &envsize, "SSH_TTY", ttyname);
+	if (term)
+		child_set_env(&env, &envsize, "TERM", term);
+	if (display)
+		child_set_env(&env, &envsize, "DISPLAY", display);
+
+#ifdef KRB4
+	{
+		extern char *ticket;
+
+		if (ticket)
+			child_set_env(&env, &envsize, "KRBTKFILE", ticket);
+	}
+#endif /* KRB4 */
+#ifdef KRB5
+{
+	  extern krb5_ccache mem_ccache;
+
+	   if (mem_ccache) {
+	     krb5_error_code problem;
+	      krb5_ccache ccache;
+#ifdef AFS
+	      if (k_hasafs())
+		krb5_afslog(ssh_context, mem_ccache, NULL, NULL);
+#endif /* AFS */
+
+	      problem = krb5_cc_default(ssh_context, &ccache);
+	      if (problem) {}
+	      else {
+		problem = krb5_cc_copy_cache(ssh_context, mem_ccache, ccache);
+		 if (problem) {}
+	      }
+
+	      krb5_cc_close(ssh_context, ccache);
+	   }
+
+	   krb5_cleanup_proc(NULL);
+	}
+#endif /* KRB5 */
+
+	if (xauthfile)
+		child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
+	if (auth_get_socket_name() != NULL)
+		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
+			      auth_get_socket_name());
+
+	/* read $HOME/.ssh/environment. */
+	if (!options.use_login) {
+		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
+		    pw->pw_dir);
+		read_environment_file(&env, &envsize, buf);
+	}
+	if (debug_flag) {
+		/* dump the environment */
+		fprintf(stderr, "Environment:\n");
+		for (i = 0; env[i]; i++)
+			fprintf(stderr, "  %.200s\n", env[i]);
+	}
+	/*
+	 * Close the connection descriptors; note that this is the child, and
+	 * the server will still have the socket open, and it is important
+	 * that we do not shutdown it.  Note that the descriptors cannot be
+	 * closed before building the environment, as we call
+	 * get_remote_ipaddr there.
+	 */
+	if (packet_get_connection_in() == packet_get_connection_out())
+		close(packet_get_connection_in());
+	else {
+		close(packet_get_connection_in());
+		close(packet_get_connection_out());
+	}
+	/*
+	 * Close all descriptors related to channels.  They will still remain
+	 * open in the parent.
+	 */
+	/* XXX better use close-on-exec? -markus */
+	channel_close_all();
+
+	/*
+	 * Close any extra file descriptors.  Note that there may still be
+	 * descriptors left by system functions.  They will be closed later.
+	 */
+	endpwent();
+
+	/*
+	 * Close any extra open file descriptors so that we don\'t have them
+	 * hanging around in clients.  Note that we want to do this after
+	 * initgroups, because at least on Solaris 2.3 it leaves file
+	 * descriptors open.
+	 */
+	for (i = 3; i < getdtablesize(); i++)
+		close(i);
+
+	/* Change current directory to the user\'s home directory. */
+	if (
+#ifdef __FreeBSD__
+		!*pw->pw_dir ||
+#endif /* __FreeBSD__ */
+		chdir(pw->pw_dir) < 0
+	   ) {
+#ifdef __FreeBSD__
+		int quiet_login = 0;
+#endif /* __FreeBSD__ */
+#ifdef LOGIN_CAP
+		if (login_getcapbool(lc, "requirehome", 0)) {
+			(void)printf("Home directory not available\n");
+			log("LOGIN %.200s REFUSED (HOMEDIR) ON TTY %.200s",
+				pw->pw_name, ttyname);
+			exit(254);
+		}
+#endif /* LOGIN_CAP */
+#ifdef __FreeBSD__
+		if (chdir("/") < 0) {
+			(void)printf("Cannot find root directory\n");
+			log("LOGIN %.200s REFUSED (ROOTDIR) ON TTY %.200s",
+				pw->pw_name, ttyname);
+			exit(254);
+		}
+#ifdef LOGIN_CAP
+		quiet_login = login_getcapbool(lc, "hushlogin", 0);
+#endif /* LOGIN_CAP */
+		if (!quiet_login || *pw->pw_dir)
+			(void)printf(
+		       "No home directory.\nLogging in with home = \"/\".\n");
+
+#else /* !__FreeBSD__ */
+
+		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
+			pw->pw_dir, strerror(errno));
+#endif /* __FreeBSD__ */
+	}
+#ifdef LOGIN_CAP
+	login_close(lc);
+#endif /* LOGIN_CAP */
+
+	/*
+	 * Must take new environment into use so that .ssh/rc, /etc/sshrc and
+	 * xauth are run in the proper environment.
+	 */
+	environ = env;
+
+	/*
+	 * Run $HOME/.ssh/rc, /etc/sshrc, or xauth (whichever is found first
+	 * in this order).
+	 */
+	if (!options.use_login) {
+		if (stat(SSH_USER_RC, &st) >= 0) {
+			if (debug_flag)
+				fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
+
+			f = popen("/bin/sh " SSH_USER_RC, "w");
+			if (f) {
+				if (auth_proto != NULL && auth_data != NULL)
+					fprintf(f, "%s %s\n", auth_proto, auth_data);
+				pclose(f);
+			} else
+				fprintf(stderr, "Could not run %s\n", SSH_USER_RC);
+		} else if (stat(SSH_SYSTEM_RC, &st) >= 0) {
+			if (debug_flag)
+				fprintf(stderr, "Running /bin/sh %s\n", SSH_SYSTEM_RC);
+
+			f = popen("/bin/sh " SSH_SYSTEM_RC, "w");
+			if (f) {
+				if (auth_proto != NULL && auth_data != NULL)
+					fprintf(f, "%s %s\n", auth_proto, auth_data);
+				pclose(f);
+			} else
+				fprintf(stderr, "Could not run %s\n", SSH_SYSTEM_RC);
+		}
+#ifdef XAUTH_PATH
+		else {
+			/* Add authority data to .Xauthority if appropriate. */
+			if (auth_proto != NULL && auth_data != NULL) {
+				char *screen = strchr(display, ':');
+				if (debug_flag) {
+					fprintf(stderr,
+					    "Running %.100s add %.100s %.100s %.100s\n",
+					    XAUTH_PATH, display, auth_proto, auth_data);
+					if (screen != NULL)
+						fprintf(stderr,
+						    "Adding %.*s/unix%s %s %s\n",
+						    screen-display, display,
+						    screen, auth_proto, auth_data);
+				}
+				f = popen(XAUTH_PATH " -q -", "w");
+				if (f) {
+					fprintf(f, "add %s %s %s\n", display,
+					    auth_proto, auth_data);
+					if (screen != NULL) 
+						fprintf(f, "add %.*s/unix%s %s %s\n",
+						    screen-display, display,
+						    screen, auth_proto, auth_data);
+					pclose(f);
+				} else
+					fprintf(stderr, "Could not run %s -q -\n",
+					    XAUTH_PATH);
+			}
+		}
+#endif /* XAUTH_PATH */
+
+		/* Get the last component of the shell name. */
+		cp = strrchr(shell, '/');
+		if (cp)
+			cp++;
+		else
+			cp = shell;
+	}
+	/*
+	 * If we have no command, execute the shell.  In this case, the shell
+	 * name to be passed in argv[0] is preceded by '-' to indicate that
+	 * this is a login shell.
+	 */
+	if (!command) {
+		if (!options.use_login) {
+			char buf[256];
+
+			/*
+			 * Check for mail if we have a tty and it was enabled
+			 * in server options.
+			 */
+			if (ttyname && options.check_mail) {
+				char *mailbox;
+				struct stat mailstat;
+				mailbox = getenv("MAIL");
+				if (mailbox != NULL) {
+					if (stat(mailbox, &mailstat) != 0 ||
+					    mailstat.st_size == 0)
+#ifdef __FreeBSD__
+						;
+#else /* !__FreeBSD__ */
+						printf("No mail.\n");
+#endif /* __FreeBSD__ */
+					else if (mailstat.st_mtime < mailstat.st_atime)
+						printf("You have mail.\n");
+					else
+						printf("You have new mail.\n");
+				}
+			}
+			/* Start the shell.  Set initial character to '-'. */
+			buf[0] = '-';
+			strncpy(buf + 1, cp, sizeof(buf) - 1);
+			buf[sizeof(buf) - 1] = 0;
+
+			/* Execute the shell. */
+			argv[0] = buf;
+			argv[1] = NULL;
+			execve(shell, argv, env);
+
+			/* Executing the shell failed. */
+			perror(shell);
+			exit(1);
+
+		} else {
+			/* Launch login(1). */
+
+			execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(),
+			      "-p", "-f", "--", pw->pw_name, NULL);
+
+			/* Login couldn't be executed, die. */
+
+			perror("login");
+			exit(1);
+		}
+	}
+	/*
+	 * Execute the command using the user's shell.  This uses the -c
+	 * option to execute the command.
+	 */
+	argv[0] = (char *) cp;
+	argv[1] = "-c";
+	argv[2] = (char *) command;
+	argv[3] = NULL;
+	execve(shell, argv, env);
+	perror(shell);
+	exit(1);
+}
+
+Session *
+session_new(void)
+{
+	int i;
+	static int did_init = 0;
+	if (!did_init) {
+		debug("session_new: init");
+		for(i = 0; i < MAX_SESSIONS; i++) {
+			sessions[i].used = 0;
+			sessions[i].self = i;
+		}
+		did_init = 1;
+	}
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (! s->used) {
+			s->pid = 0;
+			s->extended = 0;
+			s->chanid = -1;
+			s->ptyfd = -1;
+			s->ttyfd = -1;
+			s->term = NULL;
+			s->pw = NULL;
+			s->display = NULL;
+			s->screen = 0;
+			s->auth_data = NULL;
+			s->auth_proto = NULL;
+			s->used = 1;
+			s->pw = NULL;
+			debug("session_new: session %d", i);
+			return s;
+		}
+	}
+	return NULL;
+}
+
+void
+session_dump(void)
+{
+	int i;
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		debug("dump: used %d session %d %p channel %d pid %d",
+		    s->used,
+		    s->self,
+		    s,
+		    s->chanid,
+		    s->pid);
+	}
+}
+
+int
+session_open(int chanid)
+{
+	Session *s = session_new();
+	debug("session_open: channel %d", chanid);
+	if (s == NULL) {
+		error("no more sessions");
+		return 0;
+	}
+	s->pw = auth_get_user();
+	if (s->pw == NULL)
+		fatal("no user for session %i", s->self);
+	debug("session_open: session %d: link with channel %d", s->self, chanid);
+	s->chanid = chanid;
+	return 1;
+}
+
+Session *
+session_by_channel(int id)
+{
+	int i;
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->chanid == id) {
+			debug("session_by_channel: session %d channel %d", i, id);
+			return s;
+		}
+	}
+	debug("session_by_channel: unknown channel %d", id);
+	session_dump();
+	return NULL;
+}
+
+Session *
+session_by_pid(pid_t pid)
+{
+	int i;
+	debug("session_by_pid: pid %d", pid);
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->pid == pid)
+			return s;
+	}
+	error("session_by_pid: unknown pid %d", pid);
+	session_dump();
+	return NULL;
+}
+
+int
+session_window_change_req(Session *s)
+{
+	s->col = packet_get_int();
+	s->row = packet_get_int();
+	s->xpixel = packet_get_int();
+	s->ypixel = packet_get_int();
+	packet_done();
+	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+	return 1;
+}
+
+int
+session_pty_req(Session *s)
+{
+	unsigned int len;
+	char *term_modes;	/* encoded terminal modes */
+
+	if (s->ttyfd != -1)
+		return 0;
+	s->term = packet_get_string(&len);
+	s->col = packet_get_int();
+	s->row = packet_get_int();
+	s->xpixel = packet_get_int();
+	s->ypixel = packet_get_int();
+	term_modes = packet_get_string(&len);
+	packet_done();
+
+	if (strcmp(s->term, "") == 0) {
+		xfree(s->term);
+		s->term = NULL;
+	}
+	/* Allocate a pty and open it. */
+	if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty))) {
+		xfree(s->term);
+		s->term = NULL;
+		s->ptyfd = -1;
+		s->ttyfd = -1;
+		error("session_pty_req: session %d alloc failed", s->self);
+		xfree(term_modes);
+		return 0;
+	}
+	debug("session_pty_req: session %d alloc %s", s->self, s->tty);
+	/*
+	 * Add a cleanup function to clear the utmp entry and record logout
+	 * time in case we call fatal() (e.g., the connection gets closed).
+	 */
+	fatal_add_cleanup(pty_cleanup_proc, (void *)s);
+	pty_setowner(s->pw, s->tty);
+	/* Get window size from the packet. */
+	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+
+	session_proctitle(s);
+
+	/* XXX parse and set terminal modes */
+	xfree(term_modes);
+	return 1;
+}
+
+int
+session_subsystem_req(Session *s)
+{
+	unsigned int len;
+	int success = 0;
+	char *subsys = packet_get_string(&len);
+
+	packet_done();
+	log("subsystem request for %s", subsys);
+
+	xfree(subsys);
+	return success;
+}
+
+int
+session_x11_req(Session *s)
+{
+	if (!options.x11_forwarding) {
+		debug("X11 forwarding disabled in server configuration file.");
+		return 0;
+	}
+	if (xauthfile != NULL) {
+		debug("X11 fwd already started.");
+		return 0;
+	}
+
+	debug("Received request for X11 forwarding with auth spoofing.");
+	if (s->display != NULL)
+		packet_disconnect("Protocol error: X11 display already set.");
+
+	s->single_connection = packet_get_char();
+	s->auth_proto = packet_get_string(NULL);
+	s->auth_data = packet_get_string(NULL);
+	s->screen = packet_get_int();
+	packet_done();
+
+	s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+	if (s->display == NULL) {
+		xfree(s->auth_proto);
+		xfree(s->auth_data);
+		return 0;
+	}
+	xauthfile = xmalloc(MAXPATHLEN);
+	strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+	temporarily_use_uid(s->pw->pw_uid);
+	if (mkdtemp(xauthfile) == NULL) {
+		restore_uid();
+		error("private X11 dir: mkdtemp %s failed: %s",
+		    xauthfile, strerror(errno));
+		xfree(xauthfile);
+		xauthfile = NULL;
+		xfree(s->auth_proto);
+		xfree(s->auth_data);
+		/* XXXX remove listening channels */
+		return 0;
+	}
+	strlcat(xauthfile, "/cookies", MAXPATHLEN);
+	open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+	restore_uid();
+	fatal_add_cleanup(xauthfile_cleanup_proc, s);
+	return 1;
+}
+
+void
+session_input_channel_req(int id, void *arg)
+{
+	unsigned int len;
+	int reply;
+	int success = 0;
+	char *rtype;
+	Session *s;
+	Channel *c;
+
+	rtype = packet_get_string(&len);
+	reply = packet_get_char();
+
+	s = session_by_channel(id);
+	if (s == NULL)
+		fatal("session_input_channel_req: channel %d: no session", id);
+	c = channel_lookup(id);
+	if (c == NULL)
+		fatal("session_input_channel_req: channel %d: bad channel", id);
+
+	debug("session_input_channel_req: session %d channel %d request %s reply %d",
+	    s->self, id, rtype, reply);
+
+	/*
+	 * a session is in LARVAL state until a shell
+	 * or programm is executed
+	 */
+	if (c->type == SSH_CHANNEL_LARVAL) {
+		if (strcmp(rtype, "shell") == 0) {
+			packet_done();
+			s->extended = 1;
+			if (s->ttyfd == -1)
+				do_exec_no_pty(s, NULL, s->pw);
+			else
+				do_exec_pty(s, NULL, s->pw);
+			success = 1;
+		} else if (strcmp(rtype, "exec") == 0) {
+			char *command = packet_get_string(&len);
+			packet_done();
+			s->extended = 1;
+			if (s->ttyfd == -1)
+				do_exec_no_pty(s, command, s->pw);
+			else
+				do_exec_pty(s, command, s->pw);
+			xfree(command);
+			success = 1;
+		} else if (strcmp(rtype, "pty-req") == 0) {
+			success =  session_pty_req(s);
+		} else if (strcmp(rtype, "x11-req") == 0) {
+			success = session_x11_req(s);
+		} else if (strcmp(rtype, "subsystem") == 0) {
+			success = session_subsystem_req(s);
+		}
+	}
+	if (strcmp(rtype, "window-change") == 0) {
+		success = session_window_change_req(s);
+	}
+
+	if (reply) {
+		packet_start(success ?
+		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+	xfree(rtype);
+}
+
+void
+session_set_fds(Session *s, int fdin, int fdout, int fderr)
+{
+	if (!compat20)
+		fatal("session_set_fds: called for proto != 2.0");
+	/*
+	 * now that have a child and a pipe to the child,
+	 * we can activate our channel and register the fd's
+	 */
+	if (s->chanid == -1)
+		fatal("no channel for session %d", s->self);
+	channel_set_fds(s->chanid,
+	    fdout, fdin, fderr,
+	    fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ);
+}
+
+void
+session_pty_cleanup(Session *s)
+{
+	if (s == NULL || s->ttyfd == -1)
+		return;
+
+	debug("session_pty_cleanup: session %i release %s", s->self, s->tty);
+
+	/* Cancel the cleanup function. */
+	fatal_remove_cleanup(pty_cleanup_proc, (void *)s);
+
+	/* Record that the user has logged out. */
+	record_logout(s->pid, s->tty);
+
+	/* Release the pseudo-tty. */
+	pty_release(s->tty);
+
+	/*
+	 * Close the server side of the socket pairs.  We must do this after
+	 * the pty cleanup, so that another process doesn't get this pty
+	 * while we're still cleaning up.
+	 */
+	if (close(s->ptymaster) < 0)
+		error("close(s->ptymaster): %s", strerror(errno));
+}
+
+void
+session_exit_message(Session *s, int status)
+{
+	Channel *c;
+	if (s == NULL)
+		fatal("session_close: no session");
+	c = channel_lookup(s->chanid);
+	if (c == NULL)
+		fatal("session_close: session %d: no channel %d",
+		    s->self, s->chanid);
+	debug("session_exit_message: session %d channel %d pid %d",
+	    s->self, s->chanid, s->pid);
+
+	if (WIFEXITED(status)) {
+		channel_request_start(s->chanid,
+		    "exit-status", 0);
+		packet_put_int(WEXITSTATUS(status));
+		packet_send();
+	} else if (WIFSIGNALED(status)) {
+		channel_request_start(s->chanid,
+		    "exit-signal", 0);
+		packet_put_int(WTERMSIG(status));
+		packet_put_char(WCOREDUMP(status));
+		packet_put_cstring("");
+		packet_put_cstring("");
+		packet_send();
+	} else {
+		/* Some weird exit cause.  Just exit. */
+		packet_disconnect("wait returned status %04x.", status);
+	}
+
+	/* disconnect channel */
+	debug("session_exit_message: release channel %d", s->chanid);
+	channel_cancel_cleanup(s->chanid);
+	/*
+	 * emulate a write failure with 'chan_write_failed', nobody will be
+	 * interested in data we write.
+	 * Note that we must not call 'chan_read_failed', since there could
+	 * be some more data waiting in the pipe.
+	 */
+	if (c->ostate != CHAN_OUTPUT_CLOSED)
+		chan_write_failed(c);
+	s->chanid = -1;
+}
+
+void
+session_free(Session *s)
+{
+	debug("session_free: session %d pid %d", s->self, s->pid);
+	if (s->term)
+		xfree(s->term);
+	if (s->display)
+		xfree(s->display);
+	if (s->auth_data)
+		xfree(s->auth_data);
+	if (s->auth_proto)
+		xfree(s->auth_proto);
+	s->used = 0;
+}
+
+void
+session_close(Session *s)
+{
+	session_pty_cleanup(s);
+	session_free(s);
+	session_proctitle(s);
+}
+
+void
+session_close_by_pid(pid_t pid, int status)
+{
+	Session *s = session_by_pid(pid);
+	if (s == NULL) {
+		debug("session_close_by_pid: no session for pid %d", s->pid);
+		return;
+	}
+	if (s->chanid != -1)
+		session_exit_message(s, status);
+	session_close(s);
+}
+
+/*
+ * this is called when a channel dies before
+ * the session 'child' itself dies
+ */
+void
+session_close_by_channel(int id, void *arg)
+{
+	Session *s = session_by_channel(id);
+	if (s == NULL) {
+		debug("session_close_by_channel: no session for channel %d", id);
+		return;
+	}
+	/* disconnect channel */
+	channel_cancel_cleanup(s->chanid);
+	s->chanid = -1;
+
+	debug("session_close_by_channel: channel %d kill %d", id, s->pid);
+	if (s->pid == 0) {
+		/* close session immediately */
+		session_close(s);
+	} else {
+		/* notify child, delay session cleanup */
+		if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0)
+			error("session_close_by_channel: kill %d: %s",
+			    s->pid, strerror(errno));
+	}
+}
+
+char *
+session_tty_list(void)
+{
+	static char buf[1024];
+	int i;
+	buf[0] = '\0';
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->ttyfd != -1) {
+			if (buf[0] != '\0')
+				strlcat(buf, ",", sizeof buf);
+			strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf);
+		}
+	}
+	if (buf[0] == '\0')
+		strlcpy(buf, "notty", sizeof buf);
+	return buf;
+}
+
+void
+session_proctitle(Session *s)
+{
+	if (s->pw == NULL)
+		error("no user for session %d", s->self);
+	else
+		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
+}
+
+void
+do_authenticated2(void)
+{
+	/*
+	 * Cancel the alarm we set to limit the time taken for
+	 * authentication.
+	 */
+	alarm(0);
+	server_loop2();
+	if (xauthfile)
+		xauthfile_cleanup_proc(NULL);
+}
diff --git a/crypto/openssh/session.h b/crypto/openssh/session.h
new file mode 100644
index 0000000..a3427bc
--- /dev/null
+++ b/crypto/openssh/session.h
@@ -0,0 +1,14 @@
+#ifndef SESSION_H
+#define SESSION_H
+
+/* SSH1 */
+void	do_authenticated(struct passwd * pw);
+
+/* SSH2 */
+void	do_authenticated2(void);
+int	session_open(int id);
+void	session_input_channel_req(int id, void *arg);
+void	session_close_by_pid(pid_t pid, int status);
+void	session_close_by_channel(int id, void *arg);
+
+#endif
diff --git a/crypto/openssh/ssh-add.1 b/crypto/openssh/ssh-add.1
new file mode 100644
index 0000000..1036395
--- /dev/null
+++ b/crypto/openssh/ssh-add.1
@@ -0,0 +1,127 @@
+.\"  -*- nroff -*-
+.\"
+.\" ssh-add.1
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sat Apr 22 23:55:14 1995 ylo
+.\"
+.\" $Id: ssh-add.1,v 1.13 2000/05/03 18:04:38 markus Exp $
+.\"
+.Dd September 25, 1999
+.Dt SSH-ADD 1
+.Os
+.Sh NAME
+.Nm ssh-add
+.Nd adds RSA identities for the authentication agent
+.Sh SYNOPSIS
+.Nm ssh-add
+.Op Fl lLdD
+.Op Ar
+.Sh DESCRIPTION
+.Nm
+adds RSA identities to the authentication agent,
+.Xr ssh-agent 1 .
+When run without arguments, it adds the file
+.Pa $HOME/.ssh/identity .
+Alternative file names can be given on the command line.
+If any file requires a passphrase,
+.Nm
+asks for the passphrase from the user.
+The Passphrase it is read from the user's tty.
+.Pp
+The authentication agent must be running and must be an ancestor of
+the current process for
+.Nm
+to work.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl l
+Lists fingerprints of all identities currently represented by the agent.
+.It Fl L
+Lists public key parameters of all identities currently represented by the agent.
+.It Fl d
+Instead of adding the identity, removes the identity from the agent.
+.It Fl D
+Deletes all identities from the agent.
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+Note that
+.Nm
+ignores this file if it is accessible by others.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file.
+This is the default file added by
+.Nm
+when no other files have been specified.
+.Pp
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev "DISPLAY" and "SSH_ASKPASS"
+If
+.Nm
+needs a passphrase, it will read the passphrase from the current
+terminal if it was run from a terminal.
+If
+.Nm
+does not have a terminal associated with it but
+.Ev DISPLAY
+and
+.Ev SSH_ASKPASS
+are set, it will execute the program specified by
+.Ev SSH_ASKPASS
+and open an X11 window to read the passphrase.
+This is particularly useful when calling
+.Nm
+from a
+.Pa .Xsession
+or related script.
+(Note that on some machines it
+may be necessary to redirect the input from
+.Pa /dev/null
+to make this work.)
+.Sh AUTHOR
+Tatu Ylonen <ylo@cs.hut.fi>
+.Pp
+OpenSSH
+is a derivative of the original (free) ssh 1.2.12 release, but with bugs
+removed and newer features re-added.
+Rapidly after the 1.2.12 release,
+newer versions bore successively more restrictive licenses.
+This version of OpenSSH
+.Bl -bullet
+.It
+has all components of a restrictive nature (i.e., patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+.It
+has been updated to support ssh protocol 1.5.
+.It
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+.It
+supports one-time password authentication with
+.Xr skey 1 .
+.El
+.Pp
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8 ,
+.Xr ssl 8
diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c
new file mode 100644
index 0000000..b7a385c
--- /dev/null
+++ b/crypto/openssh/ssh-add.c
@@ -0,0 +1,260 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Thu Apr  6 00:52:24 1995 ylo
+ * Adds an identity to the authentication server, or removes an identity.
+ */
+
+#include "includes.h"
+RCSID("$Id: ssh-add.c,v 1.16 2000/04/26 20:56:29 markus Exp $");
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+
+#include "rsa.h"
+#include "ssh.h"
+#include "xmalloc.h"
+#include "authfd.h"
+#include "fingerprint.h"
+#include "key.h"
+#include "authfile.h"
+
+void
+delete_file(AuthenticationConnection *ac, const char *filename)
+{
+	Key *public;
+	char *comment;
+
+	public = key_new(KEY_RSA);
+	if (!load_public_key(filename, public, &comment)) {
+		printf("Bad key file %s: %s\n", filename, strerror(errno));
+		return;
+	}
+	if (ssh_remove_identity(ac, public->rsa))
+		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
+	else
+		fprintf(stderr, "Could not remove identity: %s\n", filename);
+	key_free(public);
+	xfree(comment);
+}
+
+void
+delete_all(AuthenticationConnection *ac)
+{
+	/* Send a request to remove all identities. */
+	if (ssh_remove_all_identities(ac))
+		fprintf(stderr, "All identities removed.\n");
+	else
+		fprintf(stderr, "Failed to remove all identitities.\n");
+}
+
+char *
+ssh_askpass(char *askpass, char *msg)
+{
+	pid_t pid;
+	size_t len;
+	char *nl, *pass;
+	int p[2], status;
+	char buf[1024];
+
+	if (askpass == NULL)
+		fatal("internal error: askpass undefined");
+	if (pipe(p) < 0)
+		fatal("ssh_askpass: pipe: %s", strerror(errno));
+	if ((pid = fork()) < 0)
+		fatal("ssh_askpass: fork: %s", strerror(errno));
+	if (pid == 0) {
+		close(p[0]);
+		if (dup2(p[1], STDOUT_FILENO) < 0)
+			fatal("ssh_askpass: dup2: %s", strerror(errno));
+		execlp(askpass, askpass, msg, (char *) 0);
+		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
+	}
+	close(p[1]);
+	len = read(p[0], buf, sizeof buf);
+	close(p[0]);
+	while (waitpid(pid, &status, 0) < 0)
+		if (errno != EINTR)
+			break;
+	if (len <= 1)
+		return xstrdup("");
+	nl = strchr(buf, '\n');
+	if (nl)
+		*nl = '\0';
+	pass = xstrdup(buf);
+	memset(buf, 0, sizeof(buf));
+	return pass;
+}
+
+void
+add_file(AuthenticationConnection *ac, const char *filename)
+{
+	Key *public;
+	Key *private;
+	char *saved_comment, *comment, *askpass = NULL;
+	char buf[1024], msg[1024];
+	int success;
+	int interactive = isatty(STDIN_FILENO);
+
+	public = key_new(KEY_RSA);
+	if (!load_public_key(filename, public, &saved_comment)) {
+		printf("Bad key file %s: %s\n", filename, strerror(errno));
+		return;
+	}
+	key_free(public);
+
+	if (!interactive && getenv("DISPLAY")) {
+		if (getenv(SSH_ASKPASS_ENV))
+			askpass = getenv(SSH_ASKPASS_ENV);
+		else
+			askpass = SSH_ASKPASS_DEFAULT;
+	}
+
+	/* At first, try empty passphrase */
+	private = key_new(KEY_RSA);
+	success = load_private_key(filename, "", private, &comment);
+	if (!success) {
+		printf("Need passphrase for %.200s\n", filename);
+		if (!interactive && askpass == NULL) {
+			xfree(saved_comment);
+			return;
+		}
+		snprintf(msg, sizeof msg, "Enter passphrase for %.200s", saved_comment);
+		for (;;) {
+			char *pass;
+			if (interactive) {
+				snprintf(buf, sizeof buf, "%s: ", msg);
+				pass = read_passphrase(buf, 1);
+			} else {
+				pass = ssh_askpass(askpass, msg);
+			}
+			if (strcmp(pass, "") == 0) {
+				xfree(pass);
+				xfree(saved_comment);
+				return;
+			}
+			success = load_private_key(filename, pass, private, &comment);
+			memset(pass, 0, strlen(pass));
+			xfree(pass);
+			if (success)
+				break;
+			strlcpy(msg, "Bad passphrase, try again", sizeof msg);
+		}
+	}
+	xfree(saved_comment);
+
+	if (ssh_add_identity(ac, private->rsa, comment))
+		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+	else
+		fprintf(stderr, "Could not add identity: %s\n", filename);
+	key_free(private);
+	xfree(comment);
+}
+
+void
+list_identities(AuthenticationConnection *ac, int fp)
+{
+	BIGNUM *e, *n;
+	int status;
+	char *comment;
+	int had_identities;
+
+	e = BN_new();
+	n = BN_new();
+	had_identities = 0;
+	for (status = ssh_get_first_identity(ac, e, n, &comment);
+	     status;
+	     status = ssh_get_next_identity(ac, e, n, &comment)) {
+		unsigned int bits = BN_num_bits(n);
+		had_identities = 1;
+		if (fp) {
+			printf("%d %s %s\n", bits, fingerprint(e, n), comment);
+		} else {
+			char *ebuf, *nbuf;
+			ebuf = BN_bn2dec(e);
+			if (ebuf == NULL) {
+				error("list_identities: BN_bn2dec(e) failed.");
+			} else {
+				nbuf = BN_bn2dec(n);
+				if (nbuf == NULL) {
+					error("list_identities: BN_bn2dec(n) failed.");
+				} else {
+					printf("%d %s %s %s\n", bits, ebuf, nbuf, comment);
+					free(nbuf);
+				}
+				free(ebuf);
+			}
+		}
+		xfree(comment);
+	}
+	BN_clear_free(e);
+	BN_clear_free(n);
+	if (!had_identities)
+		printf("The agent has no identities.\n");
+}
+
+int
+main(int argc, char **argv)
+{
+	AuthenticationConnection *ac = NULL;
+	struct passwd *pw;
+	char buf[1024];
+	int no_files = 1;
+	int i;
+	int deleting = 0;
+
+	/* check if RSA support exists */
+	if (rsa_alive() == 0) {
+		extern char *__progname;
+
+		fprintf(stderr,
+			"%s: no RSA support in libssl and libcrypto.  See ssl(8).\n",
+			__progname);
+		exit(1);
+	}
+	/* At first, get a connection to the authentication agent. */
+	ac = ssh_get_authentication_connection();
+	if (ac == NULL) {
+		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
+		exit(1);
+	}
+	for (i = 1; i < argc; i++) {
+		if ((strcmp(argv[i], "-l") == 0) ||
+		    (strcmp(argv[i], "-L") == 0)) {
+			list_identities(ac, argv[i][1] == 'l' ? 1 : 0);
+			/* Don't default-add/delete if -l. */
+			no_files = 0;
+			continue;
+		}
+		if (strcmp(argv[i], "-d") == 0) {
+			deleting = 1;
+			continue;
+		}
+		if (strcmp(argv[i], "-D") == 0) {
+			delete_all(ac);
+			no_files = 0;
+			continue;
+		}
+		no_files = 0;
+		if (deleting)
+			delete_file(ac, argv[i]);
+		else
+			add_file(ac, argv[i]);
+	}
+	if (no_files) {
+		pw = getpwuid(getuid());
+		if (!pw) {
+			fprintf(stderr, "No user found with uid %d\n", (int) getuid());
+			ssh_close_authentication_connection(ac);
+			exit(1);
+		}
+		snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY);
+		if (deleting)
+			delete_file(ac, buf);
+		else
+			add_file(ac, buf);
+	}
+	ssh_close_authentication_connection(ac);
+	exit(0);
+}
diff --git a/crypto/openssh/ssh-add/Makefile b/crypto/openssh/ssh-add/Makefile
new file mode 100644
index 0000000..5451e7d
--- /dev/null
+++ b/crypto/openssh/ssh-add/Makefile
@@ -0,0 +1,21 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-add
+BINOWN=	root
+
+.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+	${MACHINE_ARCH} == "hppa")
+BINMODE=0000
+.else
+BINMODE?=555
+.endif
+
+BINDIR=	/usr/bin
+MAN=	ssh-add.1
+
+SRCS=	ssh-add.c log-client.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lutil -lz
+DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
new file mode 100644
index 0000000..9f7299d
--- /dev/null
+++ b/crypto/openssh/ssh-agent.1
@@ -0,0 +1,171 @@
+.\" $OpenBSD: ssh-agent.1,v 1.12 2000/05/03 18:04:39 markus Exp $
+.\"
+.\"  -*- nroff -*-
+.\"
+.\" ssh-agent.1
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sat Apr 23 20:10:43 1995 ylo
+.\"
+.Dd September 25, 1999
+.Dt SSH-AGENT 1
+.Os
+.Sh NAME
+.Nm ssh-agent
+.Nd authentication agent
+.Sh SYNOPSIS
+.Nm ssh-agent
+.Op Fl c Li | Fl s
+.Op Fl k
+.Oo
+.Ar command
+.Op Ar args ...
+.Oc
+.Sh DESCRIPTION
+.Nm
+is a program to hold private keys used for RSA authentication.
+The idea is that
+.Nm
+is started in the beginning of an X-session or a login session, and
+all other windows or programs are started as clients to the ssh-agent
+program.
+Through use of environment variables the agent can be located
+and automatically used for RSA authentication when logging in to other
+machines using
+.Xr ssh 1 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl c
+Generate C-shell commands on
+.Dv stdout .
+This is the default if
+.Ev SHELL
+looks like it's a csh style of shell.
+.It Fl s
+Generate Bourne shell commands on
+.Dv stdout .
+This is the default if
+.Ev SHELL
+does not look like it's a csh style of shell.
+.It Fl k
+Kill the current agent (given by the
+.Ev SSH_AGENT_PID
+environment variable).
+.El
+.Pp
+If a commandline is given, this is executed as a subprocess of the agent.
+When the command dies, so does the agent.
+.Pp
+The agent initially does not have any private keys.
+Keys are added using
+.Xr ssh-add 1 .
+When executed without arguments,
+.Xr ssh-add 1
+adds the
+.Pa $HOME/.ssh/identity
+file.
+If the identity has a passphrase,
+.Xr ssh-add 1
+asks for the passphrase (using a small X11 application if running
+under X11, or from the terminal if running without X).
+It then sends the identity to the agent.
+Several identities can be stored in the
+agent; the agent can automatically use any of these identities.
+.Ic ssh-add -l
+displays the identities currently held by the agent.
+.Pp
+The idea is that the agent is run in the user's local PC, laptop, or
+terminal.
+Authentication data need not be stored on any other
+machine, and authentication passphrases never go over the network.
+However, the connection to the agent is forwarded over SSH
+remote logins, and the user can thus use the privileges given by the
+identities anywhere in the network in a secure way.
+.Pp
+There are two main ways to get an agent setup:
+Either you let the agent
+start a new subcommand into which some environment variables are exported, or
+you let the agent print the needed shell commands (either
+.Xr sh 1
+or
+.Xr csh 1
+syntax can be generated) which can be evalled in the calling shell.
+Later
+.Xr ssh 1
+look at these variables and use them to establish a connection to the agent.
+.Pp
+A unix-domain socket is created
+.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
+and the name of this socket is stored in the
+.Ev SSH_AUTH_SOCK
+environment
+variable.
+The socket is made accessible only to the current user.
+This method is easily abused by root or another instance of the same
+user.
+.Pp
+The
+.Ev SSH_AGENT_PID
+environment variable holds the agent's PID.
+.Pp
+The agent exits automatically when the command given on the command
+line terminates.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file.
+This file is not used by
+.Nm
+but is normally added to the agent using
+.Xr ssh-add 1
+at login time.
+.It Pa /tmp/ssh-XXXX/agent.<pid> ,
+Unix-domain sockets used to contain the connection to the
+authentication agent.
+These sockets should only be readable by the owner.
+The sockets should get automatically removed when the agent exits.
+.Sh AUTHOR
+Tatu Ylonen <ylo@cs.hut.fi>
+.Pp
+OpenSSH
+is a derivative of the original (free) ssh 1.2.12 release, but with bugs
+removed and newer features re-added.
+Rapidly after the 1.2.12 release,
+newer versions bore successively more restrictive licenses.
+This version of OpenSSH
+.Bl -bullet
+.It
+has all components of a restrictive nature (i.e., patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+.It
+has been updated to support ssh protocol 1.5.
+.It
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+.It
+supports one-time password authentication with
+.Xr skey 1 .
+.El
+.Pp
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8 ,
+.Xr ssl 8
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
new file mode 100644
index 0000000..7714542
--- /dev/null
+++ b/crypto/openssh/ssh-agent.c
@@ -0,0 +1,660 @@
+/*	$FreeBSD$	*/
+/*	$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Wed Mar 29 03:46:59 1995 ylo
+ * The authentication agent program.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
+
+#include "ssh.h"
+#include "rsa.h"
+#include "authfd.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "getput.h"
+#include "mpaux.h"
+
+#include <openssl/md5.h>
+
+typedef struct {
+	int fd;
+	enum {
+		AUTH_UNUSED, AUTH_SOCKET, AUTH_CONNECTION
+	} type;
+	Buffer input;
+	Buffer output;
+} SocketEntry;
+
+unsigned int sockets_alloc = 0;
+SocketEntry *sockets = NULL;
+
+typedef struct {
+	RSA *key;
+	char *comment;
+} Identity;
+
+unsigned int num_identities = 0;
+Identity *identities = NULL;
+
+int max_fd = 0;
+
+/* pid of shell == parent of agent */
+pid_t parent_pid = -1;
+
+/* pathname and directory for AUTH_SOCKET */
+char socket_name[1024];
+char socket_dir[1024];
+
+extern char *__progname;
+
+void
+process_request_identity(SocketEntry *e)
+{
+	Buffer msg;
+	int i;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH_AGENT_RSA_IDENTITIES_ANSWER);
+	buffer_put_int(&msg, num_identities);
+	for (i = 0; i < num_identities; i++) {
+		buffer_put_int(&msg, BN_num_bits(identities[i].key->n));
+		buffer_put_bignum(&msg, identities[i].key->e);
+		buffer_put_bignum(&msg, identities[i].key->n);
+		buffer_put_string(&msg, identities[i].comment,
+				  strlen(identities[i].comment));
+	}
+	buffer_put_int(&e->output, buffer_len(&msg));
+	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
+	buffer_free(&msg);
+}
+
+void
+process_authentication_challenge(SocketEntry *e)
+{
+	int i, pub_bits, len;
+	BIGNUM *pub_e, *pub_n, *challenge;
+	Buffer msg;
+	MD5_CTX md;
+	unsigned char buf[32], mdbuf[16], session_id[16];
+	unsigned int response_type;
+
+	buffer_init(&msg);
+	pub_e = BN_new();
+	pub_n = BN_new();
+	challenge = BN_new();
+	pub_bits = buffer_get_int(&e->input);
+	buffer_get_bignum(&e->input, pub_e);
+	buffer_get_bignum(&e->input, pub_n);
+	buffer_get_bignum(&e->input, challenge);
+	if (buffer_len(&e->input) == 0) {
+		/* Compatibility code for old servers. */
+		memset(session_id, 0, 16);
+		response_type = 0;
+	} else {
+		/* New code. */
+		buffer_get(&e->input, (char *) session_id, 16);
+		response_type = buffer_get_int(&e->input);
+	}
+	for (i = 0; i < num_identities; i++)
+		if (pub_bits == BN_num_bits(identities[i].key->n) &&
+		    BN_cmp(pub_e, identities[i].key->e) == 0 &&
+		    BN_cmp(pub_n, identities[i].key->n) == 0) {
+			/* Decrypt the challenge using the private key. */
+			rsa_private_decrypt(challenge, challenge, identities[i].key);
+
+			/* Compute the desired response. */
+			switch (response_type) {
+			case 0:/* As of protocol 1.0 */
+				/* This response type is no longer supported. */
+				log("Compatibility with ssh protocol 1.0 no longer supported.");
+				buffer_put_char(&msg, SSH_AGENT_FAILURE);
+				goto send;
+
+			case 1:/* As of protocol 1.1 */
+				/* The response is MD5 of decrypted challenge plus session id. */
+				len = BN_num_bytes(challenge);
+
+				if (len <= 0 || len > 32) {
+					fatal("process_authentication_challenge: "
+					 "bad challenge length %d", len);
+				}
+				memset(buf, 0, 32);
+				BN_bn2bin(challenge, buf + 32 - len);
+				MD5_Init(&md);
+				MD5_Update(&md, buf, 32);
+				MD5_Update(&md, session_id, 16);
+				MD5_Final(mdbuf, &md);
+				break;
+
+			default:
+				fatal("process_authentication_challenge: bad response_type %d",
+				      response_type);
+				break;
+			}
+
+			/* Send the response. */
+			buffer_put_char(&msg, SSH_AGENT_RSA_RESPONSE);
+			for (i = 0; i < 16; i++)
+				buffer_put_char(&msg, mdbuf[i]);
+
+			goto send;
+		}
+	/* Unknown identity.  Send failure. */
+	buffer_put_char(&msg, SSH_AGENT_FAILURE);
+send:
+	buffer_put_int(&e->output, buffer_len(&msg));
+	buffer_append(&e->output, buffer_ptr(&msg),
+		      buffer_len(&msg));
+	buffer_free(&msg);
+	BN_clear_free(pub_e);
+	BN_clear_free(pub_n);
+	BN_clear_free(challenge);
+}
+
+void
+process_remove_identity(SocketEntry *e)
+{
+	unsigned int bits;
+	unsigned int i;
+	BIGNUM *dummy, *n;
+
+	dummy = BN_new();
+	n = BN_new();
+
+	/* Get the key from the packet. */
+	bits = buffer_get_int(&e->input);
+	buffer_get_bignum(&e->input, dummy);
+	buffer_get_bignum(&e->input, n);
+
+	if (bits != BN_num_bits(n))
+		log("Warning: identity keysize mismatch: actual %d, announced %d",
+		      BN_num_bits(n), bits);
+
+	/* Check if we have the key. */
+	for (i = 0; i < num_identities; i++)
+		if (BN_cmp(identities[i].key->n, n) == 0) {
+			/*
+			 * We have this key.  Free the old key.  Since we
+			 * don\'t want to leave empty slots in the middle of
+			 * the array, we actually free the key there and copy
+			 * data from the last entry.
+			 */
+			RSA_free(identities[i].key);
+			xfree(identities[i].comment);
+			if (i < num_identities - 1)
+				identities[i] = identities[num_identities - 1];
+			num_identities--;
+			BN_clear_free(dummy);
+			BN_clear_free(n);
+
+			/* Send success. */
+			buffer_put_int(&e->output, 1);
+			buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
+			return;
+		}
+	/* We did not have the key. */
+	BN_clear(dummy);
+	BN_clear(n);
+
+	/* Send failure. */
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output, SSH_AGENT_FAILURE);
+}
+
+/*
+ * Removes all identities from the agent.
+ */
+void
+process_remove_all_identities(SocketEntry *e)
+{
+	unsigned int i;
+
+	/* Loop over all identities and clear the keys. */
+	for (i = 0; i < num_identities; i++) {
+		RSA_free(identities[i].key);
+		xfree(identities[i].comment);
+	}
+
+	/* Mark that there are no identities. */
+	num_identities = 0;
+
+	/* Send success. */
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
+	return;
+}
+
+/*
+ * Adds an identity to the agent.
+ */
+void
+process_add_identity(SocketEntry *e)
+{
+	RSA *k;
+	int i;
+	BIGNUM *aux;
+	BN_CTX *ctx;
+
+	if (num_identities == 0)
+		identities = xmalloc(sizeof(Identity));
+	else
+		identities = xrealloc(identities, (num_identities + 1) * sizeof(Identity));
+
+	identities[num_identities].key = RSA_new();
+	k = identities[num_identities].key;
+	buffer_get_int(&e->input);	/* bits */
+	k->n = BN_new();
+	buffer_get_bignum(&e->input, k->n);
+	k->e = BN_new();
+	buffer_get_bignum(&e->input, k->e);
+	k->d = BN_new();
+	buffer_get_bignum(&e->input, k->d);
+	k->iqmp = BN_new();
+	buffer_get_bignum(&e->input, k->iqmp);
+	/* SSH and SSL have p and q swapped */
+	k->q = BN_new();
+	buffer_get_bignum(&e->input, k->q);	/* p */
+	k->p = BN_new();
+	buffer_get_bignum(&e->input, k->p);	/* q */
+
+	/* Generate additional parameters */
+	aux = BN_new();
+	ctx = BN_CTX_new();
+
+	BN_sub(aux, k->q, BN_value_one());
+	k->dmq1 = BN_new();
+	BN_mod(k->dmq1, k->d, aux, ctx);
+
+	BN_sub(aux, k->p, BN_value_one());
+	k->dmp1 = BN_new();
+	BN_mod(k->dmp1, k->d, aux, ctx);
+
+	BN_clear_free(aux);
+	BN_CTX_free(ctx);
+
+	identities[num_identities].comment = buffer_get_string(&e->input, NULL);
+
+	/* Check if we already have the key. */
+	for (i = 0; i < num_identities; i++)
+		if (BN_cmp(identities[i].key->n, k->n) == 0) {
+			/*
+			 * We already have this key.  Clear and free the new
+			 * data and return success.
+			 */
+			RSA_free(k);
+			xfree(identities[num_identities].comment);
+
+			/* Send success. */
+			buffer_put_int(&e->output, 1);
+			buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
+			return;
+		}
+	/* Increment the number of identities. */
+	num_identities++;
+
+	/* Send a success message. */
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
+}
+
+void
+process_message(SocketEntry *e)
+{
+	unsigned int msg_len;
+	unsigned int type;
+	unsigned char *cp;
+	if (buffer_len(&e->input) < 5)
+		return;		/* Incomplete message. */
+	cp = (unsigned char *) buffer_ptr(&e->input);
+	msg_len = GET_32BIT(cp);
+	if (msg_len > 256 * 1024) {
+		shutdown(e->fd, SHUT_RDWR);
+		close(e->fd);
+		e->type = AUTH_UNUSED;
+		return;
+	}
+	if (buffer_len(&e->input) < msg_len + 4)
+		return;
+	buffer_consume(&e->input, 4);
+	type = buffer_get_char(&e->input);
+
+	switch (type) {
+	case SSH_AGENTC_REQUEST_RSA_IDENTITIES:
+		process_request_identity(e);
+		break;
+	case SSH_AGENTC_RSA_CHALLENGE:
+		process_authentication_challenge(e);
+		break;
+	case SSH_AGENTC_ADD_RSA_IDENTITY:
+		process_add_identity(e);
+		break;
+	case SSH_AGENTC_REMOVE_RSA_IDENTITY:
+		process_remove_identity(e);
+		break;
+	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
+		process_remove_all_identities(e);
+		break;
+	default:
+		/* Unknown message.  Respond with failure. */
+		error("Unknown message %d", type);
+		buffer_clear(&e->input);
+		buffer_put_int(&e->output, 1);
+		buffer_put_char(&e->output, SSH_AGENT_FAILURE);
+		break;
+	}
+}
+
+void
+new_socket(int type, int fd)
+{
+	unsigned int i, old_alloc;
+	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+		error("fcntl O_NONBLOCK: %s", strerror(errno));
+
+	if (fd > max_fd)
+		max_fd = fd;
+
+	for (i = 0; i < sockets_alloc; i++)
+		if (sockets[i].type == AUTH_UNUSED) {
+			sockets[i].fd = fd;
+			sockets[i].type = type;
+			buffer_init(&sockets[i].input);
+			buffer_init(&sockets[i].output);
+			return;
+		}
+	old_alloc = sockets_alloc;
+	sockets_alloc += 10;
+	if (sockets)
+		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+	else
+		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+	for (i = old_alloc; i < sockets_alloc; i++)
+		sockets[i].type = AUTH_UNUSED;
+	sockets[old_alloc].type = type;
+	sockets[old_alloc].fd = fd;
+	buffer_init(&sockets[old_alloc].input);
+	buffer_init(&sockets[old_alloc].output);
+}
+
+void
+prepare_select(fd_set *readset, fd_set *writeset)
+{
+	unsigned int i;
+	for (i = 0; i < sockets_alloc; i++)
+		switch (sockets[i].type) {
+		case AUTH_SOCKET:
+		case AUTH_CONNECTION:
+			FD_SET(sockets[i].fd, readset);
+			if (buffer_len(&sockets[i].output) > 0)
+				FD_SET(sockets[i].fd, writeset);
+			break;
+		case AUTH_UNUSED:
+			break;
+		default:
+			fatal("Unknown socket type %d", sockets[i].type);
+			break;
+		}
+}
+
+void
+after_select(fd_set *readset, fd_set *writeset)
+{
+	unsigned int i;
+	int len, sock;
+	socklen_t slen;
+	char buf[1024];
+	struct sockaddr_un sunaddr;
+
+	for (i = 0; i < sockets_alloc; i++)
+		switch (sockets[i].type) {
+		case AUTH_UNUSED:
+			break;
+		case AUTH_SOCKET:
+			if (FD_ISSET(sockets[i].fd, readset)) {
+				slen = sizeof(sunaddr);
+				sock = accept(sockets[i].fd, (struct sockaddr *) & sunaddr, &slen);
+				if (sock < 0) {
+					perror("accept from AUTH_SOCKET");
+					break;
+				}
+				new_socket(AUTH_CONNECTION, sock);
+			}
+			break;
+		case AUTH_CONNECTION:
+			if (buffer_len(&sockets[i].output) > 0 &&
+			    FD_ISSET(sockets[i].fd, writeset)) {
+				len = write(sockets[i].fd, buffer_ptr(&sockets[i].output),
+					 buffer_len(&sockets[i].output));
+				if (len <= 0) {
+					shutdown(sockets[i].fd, SHUT_RDWR);
+					close(sockets[i].fd);
+					sockets[i].type = AUTH_UNUSED;
+					buffer_free(&sockets[i].input);
+					buffer_free(&sockets[i].output);
+					break;
+				}
+				buffer_consume(&sockets[i].output, len);
+			}
+			if (FD_ISSET(sockets[i].fd, readset)) {
+				len = read(sockets[i].fd, buf, sizeof(buf));
+				if (len <= 0) {
+					shutdown(sockets[i].fd, SHUT_RDWR);
+					close(sockets[i].fd);
+					sockets[i].type = AUTH_UNUSED;
+					buffer_free(&sockets[i].input);
+					buffer_free(&sockets[i].output);
+					break;
+				}
+				buffer_append(&sockets[i].input, buf, len);
+				process_message(&sockets[i]);
+			}
+			break;
+		default:
+			fatal("Unknown type %d", sockets[i].type);
+		}
+}
+
+void
+check_parent_exists(int sig)
+{
+	if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
+		/* printf("Parent has died - Authentication agent exiting.\n"); */
+		exit(1);
+	}
+	signal(SIGALRM, check_parent_exists);
+	alarm(10);
+}
+
+void
+cleanup_socket(void)
+{
+	remove(socket_name);
+	rmdir(socket_dir);
+}
+
+void
+cleanup_exit(int i)
+{
+	cleanup_socket();
+	exit(i);
+}
+
+void
+usage()
+{
+	fprintf(stderr, "ssh-agent version %s\n", SSH_VERSION);
+	fprintf(stderr, "Usage: %s [-c | -s] [-k] [command {args...]]\n",
+		__progname);
+	exit(1);
+}
+
+int
+main(int ac, char **av)
+{
+	fd_set readset, writeset;
+	int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch;
+	struct sockaddr_un sunaddr;
+	pid_t pid;
+	char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid];
+
+	/* check if RSA support exists */
+	if (rsa_alive() == 0) {
+		fprintf(stderr,
+			"%s: no RSA support in libssl and libcrypto.  See ssl(8).\n",
+			__progname);
+		exit(1);
+	}
+	while ((ch = getopt(ac, av, "cks")) != -1) {
+		switch (ch) {
+		case 'c':
+			if (s_flag)
+				usage();
+			c_flag++;
+			break;
+		case 'k':
+			k_flag++;
+			break;
+		case 's':
+			if (c_flag)
+				usage();
+			s_flag++;
+			break;
+		default:
+			usage();
+		}
+	}
+	ac -= optind;
+	av += optind;
+
+	if (ac > 0 && (c_flag || k_flag || s_flag))
+		usage();
+
+	if (ac == 0 && !c_flag && !s_flag) {
+		shell = getenv("SHELL");
+		if (shell != NULL && strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
+			c_flag = 1;
+	}
+	if (k_flag) {
+		pidstr = getenv(SSH_AGENTPID_ENV_NAME);
+		if (pidstr == NULL) {
+			fprintf(stderr, "%s not set, cannot kill agent\n",
+				SSH_AGENTPID_ENV_NAME);
+			exit(1);
+		}
+		pid = atoi(pidstr);
+		if (pid < 1) {	/* XXX PID_MAX check too */
+		/* Yes, PID_MAX check please */
+			fprintf(stderr, "%s=\"%s\", which is not a good PID\n",
+				SSH_AGENTPID_ENV_NAME, pidstr);
+			exit(1);
+		}
+		if (kill(pid, SIGTERM) == -1) {
+			perror("kill");
+			exit(1);
+		}
+		format = c_flag ? "unsetenv %s;\n" : "unset %s;\n";
+		printf(format, SSH_AUTHSOCKET_ENV_NAME);
+		printf(format, SSH_AGENTPID_ENV_NAME);
+		printf("echo Agent pid %d killed;\n", pid);
+		exit(0);
+	}
+	parent_pid = getpid();
+
+	/* Create private directory for agent socket */
+	strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir);
+	if (mkdtemp(socket_dir) == NULL) {
+		perror("mkdtemp: private socket dir");
+		exit(1);
+	}
+	snprintf(socket_name, sizeof socket_name, "%s/agent.%d", socket_dir,
+		 parent_pid);
+
+	/*
+	 * Create socket early so it will exist before command gets run from
+	 * the parent.
+	 */
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0) {
+		perror("socket");
+		cleanup_exit(1);
+	}
+	memset(&sunaddr, 0, sizeof(sunaddr));
+	sunaddr.sun_family = AF_UNIX;
+	strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
+	if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) {
+		perror("bind");
+		cleanup_exit(1);
+	}
+	if (listen(sock, 5) < 0) {
+		perror("listen");
+		cleanup_exit(1);
+	}
+	/*
+	 * Fork, and have the parent execute the command, if any, or present
+	 * the socket data.  The child continues as the authentication agent.
+	 */
+	pid = fork();
+	if (pid == -1) {
+		perror("fork");
+		exit(1);
+	}
+	if (pid != 0) {		/* Parent - execute the given command. */
+		close(sock);
+		snprintf(pidstrbuf, sizeof pidstrbuf, "%d", pid);
+		if (ac == 0) {
+			format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
+			printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
+			       SSH_AUTHSOCKET_ENV_NAME);
+			printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf,
+			       SSH_AGENTPID_ENV_NAME);
+			printf("echo Agent pid %d;\n", pid);
+			exit(0);
+		}
+		setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1);
+		setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1);
+		execvp(av[0], av);
+		perror(av[0]);
+		exit(1);
+	}
+	close(0);
+	close(1);
+	close(2);
+
+	if (setsid() == -1) {
+		perror("setsid");
+		cleanup_exit(1);
+	}
+	if (atexit(cleanup_socket) < 0) {
+		perror("atexit");
+		cleanup_exit(1);
+	}
+	new_socket(AUTH_SOCKET, sock);
+	if (ac > 0) {
+		signal(SIGALRM, check_parent_exists);
+		alarm(10);
+	}
+	signal(SIGINT, SIG_IGN);
+	signal(SIGPIPE, SIG_IGN);
+	signal(SIGHUP, cleanup_exit);
+	signal(SIGTERM, cleanup_exit);
+	while (1) {
+		FD_ZERO(&readset);
+		FD_ZERO(&writeset);
+		prepare_select(&readset, &writeset);
+		if (select(max_fd + 1, &readset, &writeset, NULL, NULL) < 0) {
+			if (errno == EINTR)
+				continue;
+			exit(1);
+		}
+		after_select(&readset, &writeset);
+	}
+	/* NOTREACHED */
+}
diff --git a/crypto/openssh/ssh-agent/Makefile b/crypto/openssh/ssh-agent/Makefile
new file mode 100644
index 0000000..ba78521
--- /dev/null
+++ b/crypto/openssh/ssh-agent/Makefile
@@ -0,0 +1,21 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-agent
+BINOWN=	root
+
+.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+	${MACHINE_ARCH} == "hppa")
+BINMODE=0000
+.else
+BINMODE?=555
+.endif
+
+BINDIR=	/usr/bin
+MAN=	ssh-agent.1
+
+SRCS=	ssh-agent.c log-client.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lutil -lz
+DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1
new file mode 100644
index 0000000..ea81532
--- /dev/null
+++ b/crypto/openssh/ssh-keygen.1
@@ -0,0 +1,226 @@
+.\"  -*- nroff -*-
+.\"
+.\" ssh-keygen.1
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sat Apr 22 23:55:14 1995 ylo
+.\"
+.\" $Id: ssh-keygen.1,v 1.18 2000/05/08 17:26:04 hugh Exp $
+.\"
+.Dd September 25, 1999
+.Dt SSH-KEYGEN 1
+.Os
+.Sh NAME
+.Nm ssh-keygen
+.Nd authentication key generation
+.Sh SYNOPSIS
+.Nm ssh-keygen
+.Op Fl dq
+.Op Fl b Ar bits
+.Op Fl N Ar new_passphrase
+.Op Fl C Ar comment
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl p
+.Op Fl P Ar old_passphrase
+.Op Fl N Ar new_passphrase
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl x
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl X
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl y
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl c
+.Op Fl P Ar passphrase
+.Op Fl C Ar comment
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl l
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl R
+.Sh DESCRIPTION
+.Nm
+generates and manages authentication keys for
+.Xr ssh 1 .
+.Nm
+defaults to generating an RSA key for use by protocols 1.3 and 1.5;
+specifying the
+.Fl d
+flag will create a DSA key instead for use by protocol 2.0.
+.Pp
+Normally each user wishing to use SSH
+with RSA or DSA authentication runs this once to create the authentication
+key in
+.Pa $HOME/.ssh/identity
+or
+.Pa $HOME/.ssh/id_dsa .
+Additionally, the system administrator may use this to generate host keys,
+as seen in
+.Pa /etc/rc .
+.Pp
+Normally this program generates the key and asks for a file in which
+to store the private key.
+The public key is stored in a file with the same name but
+.Dq .pub
+appended.
+The program also asks for a passphrase.
+The passphrase may be empty to indicate no passphrase
+(host keys must have empty passphrase), or it may be a string of
+arbitrary length.
+Good passphrases are 10-30 characters long and are
+not simple sentences or otherwise easily guessable (English
+prose has only 1-2 bits of entropy per word, and provides very bad
+passphrases).
+The passphrase can be changed later by using the
+.Fl p
+option.
+.Pp
+There is no way to recover a lost passphrase.
+If the passphrase is
+lost or forgotten, you will have to generate a new key and copy the
+corresponding public key to other machines.
+.Pp
+For RSA, there is also a comment field in the key file that is only for
+convenience to the user to help identify the key.
+The comment can tell what the key is for, or whatever is useful.
+The comment is initialized to
+.Dq user@host
+when the key is created, but can be changed using the
+.Fl c
+option.
+.Pp
+After a key is generated, instructions below detail where the keys
+should be placed to be activated.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar bits
+Specifies the number of bits in the key to create.
+Minimum is 512 bits.
+Generally 1024 bits is considered sufficient, and key sizes
+above that no longer improve security but make things slower.
+The default is 1024 bits.
+.It Fl c
+Requests changing the comment in the private and public key files.
+The program will prompt for the file containing the private keys, for
+passphrase if the key has one, and for the new comment.
+.It Fl f
+Specifies the filename of the key file.
+.It Fl l
+Show fingerprint of specified private or public key file.
+.It Fl p
+Requests changing the passphrase of a private key file instead of
+creating a new private key.
+The program will prompt for the file
+containing the private key, for the old passphrase, and twice for the
+new passphrase.
+.It Fl q
+Silence
+.Nm ssh-keygen .
+Used by
+.Pa /etc/rc
+when creating a new key.
+.It Fl C Ar comment
+Provides the new comment.
+.It Fl N Ar new_passphrase
+Provides the new passphrase.
+.It Fl P Ar passphrase
+Provides the (old) passphrase.
+.It Fl R
+If RSA support is functional, immediately exits with code 0.  If RSA
+support is not functional, exits with code 1.  This flag will be
+removed once the RSA patent expires.
+.It Fl x
+This option will read a private
+OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
+.It Fl X
+This option will read a
+SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
+.It Fl y
+This option will read a private
+OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES.
+This file is not automatically accessed by
+.Nm
+but it is offered as the default file for the private key.
+.Xr sshd 8
+will read this file when a login attempt is made.
+.It Pa $HOME/.ssh/identity.pub
+Contains the public key for authentication.
+The contents of this file should be added to
+.Pa $HOME/.ssh/authorized_keys
+on all machines
+where you wish to log in using RSA authentication.
+There is no need to keep the contents of this file secret.
+.It Pa $HOME/.ssh/id_dsa
+Contains the DSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES.
+This file is not automatically accessed by
+.Nm
+but it is offered as the default file for the private key.
+.Xr sshd 8
+will read this file when a login attempt is made.
+.It Pa $HOME/.ssh/id_dsa.pub
+Contains the public key for authentication.
+The contents of this file should be added to
+.Pa $HOME/.ssh/authorized_keys2
+on all machines
+where you wish to log in using DSA authentication.
+There is no need to keep the contents of this file secret.
+.Sh AUTHOR
+Tatu Ylonen <ylo@cs.hut.fi>
+.Pp
+OpenSSH
+is a derivative of the original (free) ssh 1.2.12 release, but with bugs
+removed and newer features re-added.
+Rapidly after the 1.2.12 release,
+newer versions bore successively more restrictive licenses.
+This version of OpenSSH
+.Bl -bullet
+.It
+has all components of a restrictive nature (i.e., patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+.It
+has been updated to support ssh protocol 1.5.
+.It
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+.It
+supports one-time password authentication with
+.Xr skey 1 .
+.El
+.Pp
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8 ,
+.Xr ssl 8
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
new file mode 100644
index 0000000..874acfe
--- /dev/null
+++ b/crypto/openssh/ssh-keygen.c
@@ -0,0 +1,745 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Mon Mar 27 02:26:40 1995 ylo
+ * Identity and host key generation and maintenance.
+ */
+
+#include "includes.h"
+RCSID("$Id: ssh-keygen.c,v 1.26 2000/05/30 17:32:06 markus Exp $");
+
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include "fingerprint.h"
+#include "key.h"
+#include "rsa.h"
+#include "dsa.h"
+#include "authfile.h"
+#include "uuencode.h"
+
+/* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
+int bits = 1024;
+
+/*
+ * Flag indicating that we just want to change the passphrase.  This can be
+ * set on the command line.
+ */
+int change_passphrase = 0;
+
+/*
+ * Flag indicating that we just want to change the comment.  This can be set
+ * on the command line.
+ */
+int change_comment = 0;
+
+int quiet = 0;
+
+/* Flag indicating that we just want to see the key fingerprint */
+int print_fingerprint = 0;
+
+/* The identity file name, given on the command line or entered by the user. */
+char identity_file[1024];
+int have_identity = 0;
+
+/* This is set to the passphrase if given on the command line. */
+char *identity_passphrase = NULL;
+
+/* This is set to the new passphrase if given on the command line. */
+char *identity_new_passphrase = NULL;
+
+/* This is set to the new comment if given on the command line. */
+char *identity_comment = NULL;
+
+/* Dump public key file in format used by real and the original SSH 2 */
+int convert_to_ssh2 = 0;
+int convert_from_ssh2 = 0;
+int print_public = 0;
+int dsa_mode = 0;
+
+/* argv0 */
+extern char *__progname;
+
+char hostname[MAXHOSTNAMELEN];
+
+void
+ask_filename(struct passwd *pw, const char *prompt)
+{
+	char buf[1024];
+	snprintf(identity_file, sizeof(identity_file), "%s/%s",
+	    pw->pw_dir,
+	    dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY);
+	printf("%s (%s): ", prompt, identity_file);
+	fflush(stdout);
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+		exit(1);
+	if (strchr(buf, '\n'))
+		*strchr(buf, '\n') = 0;
+	if (strcmp(buf, "") != 0)
+		strlcpy(identity_file, buf, sizeof(identity_file));
+	have_identity = 1;
+}
+
+int
+try_load_key(char *filename, Key *k)
+{
+	int success = 1;
+	if (!load_private_key(filename, "", k, NULL)) {
+		char *pass = read_passphrase("Enter passphrase: ", 1);
+		if (!load_private_key(filename, pass, k, NULL)) {
+			success = 0;
+		}
+		memset(pass, 0, strlen(pass));
+		xfree(pass);
+	}
+	return success;
+}
+
+#define SSH_COM_MAGIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
+#define SSH_COM_MAGIC_END   "---- END SSH2 PUBLIC KEY ----"
+
+void
+do_convert_to_ssh2(struct passwd *pw)
+{
+	Key *k;
+	int len;
+	unsigned char *blob;
+	struct stat st;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	k = key_new(KEY_DSA);
+	if (!try_load_key(identity_file, k)) {
+		fprintf(stderr, "load failed\n");
+		exit(1);
+	}
+	dsa_make_key_blob(k, &blob, &len);
+	fprintf(stdout, SSH_COM_MAGIC_BEGIN "\n");
+	fprintf(stdout,
+	    "Comment: \"%d-bit DSA, converted from openssh by %s@%s\"\n",
+	    BN_num_bits(k->dsa->p),
+	    pw->pw_name, hostname);
+	dump_base64(stdout, blob, len);
+	fprintf(stdout, SSH_COM_MAGIC_END "\n");
+	key_free(k);
+	xfree(blob);
+	exit(0);
+}
+
+void
+do_convert_from_ssh2(struct passwd *pw)
+{
+	Key *k;
+	int blen;
+	char line[1024], *p;
+	char blob[8096];
+	char encoded[8096];
+	struct stat st;
+	int escaped = 0;
+	FILE *fp;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	fp = fopen(identity_file, "r");
+	if (fp == NULL) {
+		perror(identity_file);
+		exit(1);
+	}
+	encoded[0] = '\0';
+	while (fgets(line, sizeof(line), fp)) {
+		if (!(p = strchr(line, '\n'))) {
+			fprintf(stderr, "input line too long.\n");
+			exit(1);
+		}
+		if (p > line && p[-1] == '\\')
+			escaped++;
+		if (strncmp(line, "----", 4) == 0 ||
+		    strstr(line, ": ") != NULL) {
+			fprintf(stderr, "ignore: %s", line);
+			continue;
+		}
+		if (escaped) {
+			escaped--;
+			fprintf(stderr, "escaped: %s", line);
+			continue;
+		}
+		*p = '\0';
+		strlcat(encoded, line, sizeof(encoded));
+	}
+	blen = uudecode(encoded, (unsigned char *)blob, sizeof(blob));
+	if (blen < 0) {
+		fprintf(stderr, "uudecode failed.\n");
+		exit(1);
+	}
+	k = dsa_key_from_blob(blob, blen);
+	if (!key_write(k, stdout))
+		fprintf(stderr, "key_write failed");
+	key_free(k);
+	fprintf(stdout, "\n");
+	fclose(fp);
+	exit(0);
+}
+
+void
+do_print_public(struct passwd *pw)
+{
+	Key *k;
+	int len;
+	unsigned char *blob;
+	struct stat st;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	k = key_new(KEY_DSA);
+	if (!try_load_key(identity_file, k)) {
+		fprintf(stderr, "load failed\n");
+		exit(1);
+	}
+	dsa_make_key_blob(k, &blob, &len);
+	if (!key_write(k, stdout))
+		fprintf(stderr, "key_write failed");
+	key_free(k);
+	xfree(blob);
+	fprintf(stdout, "\n");
+	exit(0);
+}
+
+void
+do_fingerprint(struct passwd *pw)
+{
+	FILE *f;
+	BIGNUM *e, *n;
+	Key *public;
+	char *comment = NULL, *cp, *ep, line[16*1024];
+	int i, skip = 0, num = 1, invalid = 1;
+	unsigned int ignore;
+	struct stat st;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	public = key_new(KEY_RSA);
+	if (load_public_key(identity_file, public, &comment)) {
+		printf("%d %s %s\n", BN_num_bits(public->rsa->n),
+		    key_fingerprint(public), comment);
+		key_free(public);
+		exit(0);
+	}
+	key_free(public);
+
+	/* XXX */
+	f = fopen(identity_file, "r");
+	if (f != NULL) {
+		n = BN_new();
+		e = BN_new();
+		while (fgets(line, sizeof(line), f)) {
+			i = strlen(line) - 1;
+			if (line[i] != '\n') {
+				error("line %d too long: %.40s...", num, line);
+				skip = 1;
+				continue;
+			}
+			num++;
+			if (skip) {
+				skip = 0;
+				continue;
+			}
+			line[i] = '\0';
+
+			/* Skip leading whitespace, empty and comment lines. */
+			for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+				;
+			if (!*cp || *cp == '\n' || *cp == '#')
+				continue ;
+			i = strtol(cp, &ep, 10);
+			if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
+				int quoted = 0;
+				comment = cp;
+				for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+					if (*cp == '\\' && cp[1] == '"')
+						cp++;	/* Skip both */
+					else if (*cp == '"')
+						quoted = !quoted;
+				}
+				if (!*cp)
+					continue;
+				*cp++ = '\0';
+			}
+			ep = cp;
+			if (auth_rsa_read_key(&cp, &ignore, e, n)) {
+				invalid = 0;
+				comment = *cp ? cp : comment;
+				printf("%d %s %s\n", BN_num_bits(n),
+				    fingerprint(e, n),
+				    comment ? comment : "no comment");
+			}
+		}
+		BN_free(e);
+		BN_free(n);
+		fclose(f);
+	}
+	if (invalid) {
+		printf("%s is not a valid key file.\n", identity_file);
+		exit(1);
+	}
+	exit(0);
+}
+
+/*
+ * Perform changing a passphrase.  The argument is the passwd structure
+ * for the current user.
+ */
+void
+do_change_passphrase(struct passwd *pw)
+{
+	char *comment;
+	char *old_passphrase, *passphrase1, *passphrase2;
+	struct stat st;
+	Key *private;
+	Key *public;
+	int type = dsa_mode ? KEY_DSA : KEY_RSA;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+
+	if (type == KEY_RSA) {
+		/* XXX this works currently only for RSA */
+		public = key_new(type);
+		if (!load_public_key(identity_file, public, NULL)) {
+			printf("%s is not a valid key file.\n", identity_file);
+			exit(1);
+		}
+		/* Clear the public key since we are just about to load the whole file. */
+		key_free(public);
+	}
+
+	/* Try to load the file with empty passphrase. */
+	private = key_new(type);
+	if (!load_private_key(identity_file, "", private, &comment)) {
+		if (identity_passphrase)
+			old_passphrase = xstrdup(identity_passphrase);
+		else
+			old_passphrase = read_passphrase("Enter old passphrase: ", 1);
+		if (!load_private_key(identity_file, old_passphrase, private, &comment)) {
+			memset(old_passphrase, 0, strlen(old_passphrase));
+			xfree(old_passphrase);
+			printf("Bad passphrase.\n");
+			exit(1);
+		}
+		memset(old_passphrase, 0, strlen(old_passphrase));
+		xfree(old_passphrase);
+	}
+	printf("Key has comment '%s'\n", comment);
+
+	/* Ask the new passphrase (twice). */
+	if (identity_new_passphrase) {
+		passphrase1 = xstrdup(identity_new_passphrase);
+		passphrase2 = NULL;
+	} else {
+		passphrase1 =
+			read_passphrase("Enter new passphrase (empty for no passphrase): ", 1);
+		passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+
+		/* Verify that they are the same. */
+		if (strcmp(passphrase1, passphrase2) != 0) {
+			memset(passphrase1, 0, strlen(passphrase1));
+			memset(passphrase2, 0, strlen(passphrase2));
+			xfree(passphrase1);
+			xfree(passphrase2);
+			printf("Pass phrases do not match.  Try again.\n");
+			exit(1);
+		}
+		/* Destroy the other copy. */
+		memset(passphrase2, 0, strlen(passphrase2));
+		xfree(passphrase2);
+	}
+
+	/* Save the file using the new passphrase. */
+	if (!save_private_key(identity_file, passphrase1, private, comment)) {
+		printf("Saving the key failed: %s: %s.\n",
+		       identity_file, strerror(errno));
+		memset(passphrase1, 0, strlen(passphrase1));
+		xfree(passphrase1);
+		key_free(private);
+		xfree(comment);
+		exit(1);
+	}
+	/* Destroy the passphrase and the copy of the key in memory. */
+	memset(passphrase1, 0, strlen(passphrase1));
+	xfree(passphrase1);
+	key_free(private);		 /* Destroys contents */
+	xfree(comment);
+
+	printf("Your identification has been saved with the new passphrase.\n");
+	exit(0);
+}
+
+/*
+ * Change the comment of a private key file.
+ */
+void
+do_change_comment(struct passwd *pw)
+{
+	char new_comment[1024], *comment;
+	Key *private;
+	Key *public;
+	char *passphrase;
+	struct stat st;
+	FILE *f;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	/*
+	 * Try to load the public key from the file the verify that it is
+	 * readable and of the proper format.
+	 */
+	public = key_new(KEY_RSA);
+	if (!load_public_key(identity_file, public, NULL)) {
+		printf("%s is not a valid key file.\n", identity_file);
+		exit(1);
+	}
+
+	private = key_new(KEY_RSA);
+	if (load_private_key(identity_file, "", private, &comment))
+		passphrase = xstrdup("");
+	else {
+		if (identity_passphrase)
+			passphrase = xstrdup(identity_passphrase);
+		else if (identity_new_passphrase)
+			passphrase = xstrdup(identity_new_passphrase);
+		else
+			passphrase = read_passphrase("Enter passphrase: ", 1);
+		/* Try to load using the passphrase. */
+		if (!load_private_key(identity_file, passphrase, private, &comment)) {
+			memset(passphrase, 0, strlen(passphrase));
+			xfree(passphrase);
+			printf("Bad passphrase.\n");
+			exit(1);
+		}
+	}
+	printf("Key now has comment '%s'\n", comment);
+
+	if (identity_comment) {
+		strlcpy(new_comment, identity_comment, sizeof(new_comment));
+	} else {
+		printf("Enter new comment: ");
+		fflush(stdout);
+		if (!fgets(new_comment, sizeof(new_comment), stdin)) {
+			memset(passphrase, 0, strlen(passphrase));
+			key_free(private);
+			exit(1);
+		}
+		if (strchr(new_comment, '\n'))
+			*strchr(new_comment, '\n') = 0;
+	}
+
+	/* Save the file using the new passphrase. */
+	if (!save_private_key(identity_file, passphrase, private, new_comment)) {
+		printf("Saving the key failed: %s: %s.\n",
+		       identity_file, strerror(errno));
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+		key_free(private);
+		xfree(comment);
+		exit(1);
+	}
+	memset(passphrase, 0, strlen(passphrase));
+	xfree(passphrase);
+	key_free(private);
+
+	strlcat(identity_file, ".pub", sizeof(identity_file));
+	f = fopen(identity_file, "w");
+	if (!f) {
+		printf("Could not save your public key in %s\n", identity_file);
+		exit(1);
+	}
+	if (!key_write(public, f))
+		fprintf(stderr, "write key failed");
+	key_free(public);
+	fprintf(f, " %s\n", new_comment);
+	fclose(f);
+
+	xfree(comment);
+
+	printf("The comment in your key file has been changed.\n");
+	exit(0);
+}
+
+void
+usage(void)
+{
+	printf("Usage: %s [-lpqxXydc] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]\n", __progname);
+	exit(1);
+}
+
+/*
+ * Main program for key management.
+ */
+int
+main(int ac, char **av)
+{
+	char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2;
+	struct passwd *pw;
+	int opt;
+	struct stat st;
+	FILE *f;
+	Key *private;
+	Key *public;
+	extern int optind;
+	extern char *optarg;
+
+	SSLeay_add_all_algorithms();
+
+	/* we need this for the home * directory.  */
+	pw = getpwuid(getuid());
+	if (!pw) {
+		printf("You don't exist, go away!\n");
+		exit(1);
+	}
+	if (gethostname(hostname, sizeof(hostname)) < 0) {
+		perror("gethostname");
+		exit(1);
+	}
+
+	while ((opt = getopt(ac, av, "dqpclRxXyb:f:P:N:C:")) != EOF) {
+		switch (opt) {
+		case 'b':
+			bits = atoi(optarg);
+			if (bits < 512 || bits > 32768) {
+				printf("Bits has bad value.\n");
+				exit(1);
+			}
+			break;
+
+		case 'l':
+			print_fingerprint = 1;
+			break;
+
+		case 'p':
+			change_passphrase = 1;
+			break;
+
+		case 'c':
+			change_comment = 1;
+			break;
+
+		case 'f':
+			strlcpy(identity_file, optarg, sizeof(identity_file));
+			have_identity = 1;
+			break;
+
+		case 'P':
+			identity_passphrase = optarg;
+			break;
+
+		case 'N':
+			identity_new_passphrase = optarg;
+			break;
+
+		case 'C':
+			identity_comment = optarg;
+			break;
+
+		case 'q':
+			quiet = 1;
+			break;
+
+		case 'R':
+			if (rsa_alive() == 0)
+				exit(1);
+			else
+				exit(0);
+			break;
+
+		case 'x':
+			convert_to_ssh2 = 1;
+			break;
+
+		case 'X':
+			convert_from_ssh2 = 1;
+			break;
+
+		case 'y':
+			print_public = 1;
+			break;
+
+		case 'd':
+			dsa_mode = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+		}
+	}
+	if (optind < ac) {
+		printf("Too many arguments.\n");
+		usage();
+	}
+	if (change_passphrase && change_comment) {
+		printf("Can only have one of -p and -c.\n");
+		usage();
+	}
+	/* check if RSA support is needed and exists */
+	if (dsa_mode == 0 && rsa_alive() == 0) {
+		fprintf(stderr,
+			"%s: no RSA support in libssl and libcrypto.  See ssl(8).\n",
+			__progname);
+		exit(1);
+	}
+	if (print_fingerprint)
+		do_fingerprint(pw);
+	if (change_passphrase)
+		do_change_passphrase(pw);
+	if (change_comment)
+		do_change_comment(pw);
+	if (convert_to_ssh2)
+		do_convert_to_ssh2(pw);
+	if (convert_from_ssh2)
+		do_convert_from_ssh2(pw);
+	if (print_public)
+		do_print_public(pw);
+
+	arc4random_stir();
+
+	if (dsa_mode != 0) {
+		if (!quiet)
+			printf("Generating DSA parameter and key.\n");
+		public = private = dsa_generate_key(bits);
+		if (private == NULL) {
+			fprintf(stderr, "dsa_generate_keys failed");
+			exit(1);
+		}
+	} else {
+		if (quiet)
+			rsa_set_verbose(0);
+		/* Generate the rsa key pair. */
+		public = key_new(KEY_RSA);
+		private = key_new(KEY_RSA);
+		rsa_generate_key(private->rsa, public->rsa, bits);
+	}
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which to save the key");
+
+	/* Create ~/.ssh directory if it doesn\'t already exist. */
+	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, SSH_USER_DIR);
+	if (strstr(identity_file, dotsshdir) != NULL &&
+	    stat(dotsshdir, &st) < 0) {
+		if (mkdir(dotsshdir, 0755) < 0)
+			error("Could not create directory '%s'.", dotsshdir);
+		else if (!quiet)
+			printf("Created directory '%s'.\n", dotsshdir);
+	}
+	/* If the file already exists, ask the user to confirm. */
+	if (stat(identity_file, &st) >= 0) {
+		char yesno[3];
+		printf("%s already exists.\n", identity_file);
+		printf("Overwrite (y/n)? ");
+		fflush(stdout);
+		if (fgets(yesno, sizeof(yesno), stdin) == NULL)
+			exit(1);
+		if (yesno[0] != 'y' && yesno[0] != 'Y')
+			exit(1);
+	}
+	/* Ask for a passphrase (twice). */
+	if (identity_passphrase)
+		passphrase1 = xstrdup(identity_passphrase);
+	else if (identity_new_passphrase)
+		passphrase1 = xstrdup(identity_new_passphrase);
+	else {
+passphrase_again:
+		passphrase1 =
+			read_passphrase("Enter passphrase (empty for no passphrase): ", 1);
+		passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+		if (strcmp(passphrase1, passphrase2) != 0) {
+			/* The passphrases do not match.  Clear them and retry. */
+			memset(passphrase1, 0, strlen(passphrase1));
+			memset(passphrase2, 0, strlen(passphrase2));
+			xfree(passphrase1);
+			xfree(passphrase2);
+			printf("Passphrases do not match.  Try again.\n");
+			goto passphrase_again;
+		}
+		/* Clear the other copy of the passphrase. */
+		memset(passphrase2, 0, strlen(passphrase2));
+		xfree(passphrase2);
+	}
+
+	if (identity_comment) {
+		strlcpy(comment, identity_comment, sizeof(comment));
+	} else {
+		/* Create default commend field for the passphrase. */
+		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
+	}
+
+	/* Save the key with the given passphrase and comment. */
+	if (!save_private_key(identity_file, passphrase1, private, comment)) {
+		printf("Saving the key failed: %s: %s.\n",
+		    identity_file, strerror(errno));
+		memset(passphrase1, 0, strlen(passphrase1));
+		xfree(passphrase1);
+		exit(1);
+	}
+	/* Clear the passphrase. */
+	memset(passphrase1, 0, strlen(passphrase1));
+	xfree(passphrase1);
+
+	/* Clear the private key and the random number generator. */
+	if (private != public) {
+		key_free(private);
+	}
+	arc4random_stir();
+
+	if (!quiet)
+		printf("Your identification has been saved in %s.\n", identity_file);
+
+	strlcat(identity_file, ".pub", sizeof(identity_file));
+	f = fopen(identity_file, "w");
+	if (!f) {
+		printf("Could not save your public key in %s\n", identity_file);
+		exit(1);
+	}
+	if (!key_write(public, f))
+		fprintf(stderr, "write key failed");
+	fprintf(f, " %s\n", comment);
+	fclose(f);
+
+	if (!quiet) {
+		printf("Your public key has been saved in %s.\n",
+		    identity_file);
+		printf("The key fingerprint is:\n");
+		printf("%s %s\n", key_fingerprint(public), comment);
+	}
+
+	key_free(public);
+	exit(0);
+}
diff --git a/crypto/openssh/ssh-keygen/Makefile b/crypto/openssh/ssh-keygen/Makefile
new file mode 100644
index 0000000..1f92059
--- /dev/null
+++ b/crypto/openssh/ssh-keygen/Makefile
@@ -0,0 +1,21 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-keygen
+BINOWN=	root
+
+.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+	${MACHINE_ARCH} == "hppa")
+BINMODE=0000
+.else
+BINMODE?=555
+.endif
+
+BINDIR=	/usr/bin
+MAN=	ssh-keygen.1
+
+SRCS=	ssh-keygen.c log-client.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lutil -lz
+DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
new file mode 100644
index 0000000..1689ade
--- /dev/null
+++ b/crypto/openssh/ssh.1
@@ -0,0 +1,1234 @@
+.\"  -*- nroff -*-
+.\"
+.\" ssh.1.in
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sat Apr 22 21:55:14 1995 ylo
+.\"
+.\" $Id: ssh.1,v 1.54 2000/05/29 20:20:46 markus Exp $
+.\" $FreeBSD$
+.\"
+.Dd September 25, 1999
+.Dt SSH 1
+.Os
+.Sh NAME
+.Nm ssh
+.Nd OpenSSH secure shell client (remote login program)
+.Sh SYNOPSIS
+.Nm ssh
+.Op Fl l Ar login_name
+.Op Ar hostname | user@hostname
+.Op Ar command
+.Pp
+.Nm ssh
+.Op Fl afgknqtvxACNPTX246
+.Op Fl c Ar cipher_spec
+.Op Fl e Ar escape_char
+.Op Fl i Ar identity_file
+.Op Fl l Ar login_name
+.Op Fl o Ar option
+.Op Fl p Ar port
+.Oo Fl L Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Oo Fl R Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Op Ar hostname | user@hostname
+.Op Ar command
+.Sh DESCRIPTION
+.Nm
+(Secure Shell) is a program for logging into a remote machine and for
+executing commands on a remote machine.
+It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network.
+X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+.Pp
+.Nm
+connects and logs into the specified
+.Ar hostname .
+The user must prove
+his/her identity to the remote machine using one of several methods
+depending on the protocol version used:
+.Pp
+.Ss SSH protocol version 1
+.Pp
+First, if the machine the user logs in from is listed in
+.Pa /etc/hosts.equiv
+or
+.Pa /etc/ssh/shosts.equiv
+on the remote machine, and the user names are
+the same on both sides, the user is immediately permitted to log in.
+Second, if
+.Pa \&.rhosts
+or
+.Pa \&.shosts
+exists in the user's home directory on the
+remote machine and contains a line containing the name of the client
+machine and the name of the user on that machine, the user is
+permitted to log in.
+This form of authentication alone is normally not
+allowed by the server because it is not secure.
+.Pp
+The second (and primary) authentication method is the
+.Pa rhosts
+or
+.Pa hosts.equiv
+method combined with RSA-based host authentication.
+It means that if the login would be permitted by
+.Pa $HOME/.rhosts ,
+.Pa $HOME/.shosts ,
+.Pa /etc/hosts.equiv ,
+or
+.Pa /etc/ssh/shosts.equiv ,
+and if additionally the server can verify the client's
+host key (see
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa $HOME/.ssh/known_hosts
+in the
+.Sx FILES
+section), only then login is permitted.
+This authentication method closes security holes due to IP
+spoofing, DNS spoofing and routing spoofing.
+[Note to the administrator:
+.Pa /etc/hosts.equiv ,
+.Pa $HOME/.rhosts ,
+and the rlogin/rsh protocol in general, are inherently insecure and should be
+disabled if security is desired.]
+.Pp
+As a third authentication method,
+.Nm
+supports RSA based authentication.
+The scheme is based on public-key cryptography: there are cryptosystems
+where encryption and decryption are done using separate keys, and it
+is not possible to derive the decryption key from the encryption key.
+RSA is one such system.
+The idea is that each user creates a public/private
+key pair for authentication purposes.
+The server knows the public key, and only the user knows the private key.
+The file
+.Pa $HOME/.ssh/authorized_keys
+lists the public keys that are permitted for logging
+in.
+When the user logs in, the
+.Nm
+program tells the server which key pair it would like to use for
+authentication.
+The server checks if this key is permitted, and if
+so, sends the user (actually the
+.Nm
+program running on behalf of the user) a challenge, a random number,
+encrypted by the user's public key.
+The challenge can only be
+decrypted using the proper private key.
+The user's client then decrypts the
+challenge using the private key, proving that he/she knows the private
+key but without disclosing it to the server.
+.Pp
+.Nm
+implements the RSA authentication protocol automatically.
+The user creates his/her RSA key pair by running
+.Xr ssh-keygen 1 .
+This stores the private key in
+.Pa $HOME/.ssh/identity
+and the public key in
+.Pa $HOME/.ssh/identity.pub
+in the user's home directory.
+The user should then copy the
+.Pa identity.pub
+to
+.Pa $HOME/.ssh/authorized_keys
+in his/her home directory on the remote machine (the
+.Pa authorized_keys
+file corresponds to the conventional
+.Pa $HOME/.rhosts
+file, and has one key
+per line, though the lines can be very long).
+After this, the user can log in without giving the password.
+RSA authentication is much
+more secure than rhosts authentication.
+.Pp
+The most convenient way to use RSA authentication may be with an
+authentication agent.
+See
+.Xr ssh-agent 1
+for more information.
+.Pp
+If other authentication methods fail,
+.Nm
+prompts the user for a password.
+The password is sent to the remote
+host for checking; however, since all communications are encrypted,
+the password cannot be seen by someone listening on the network.
+.Pp
+.Ss SSH protocol version 2
+.Pp
+When a user connects using the protocol version 2
+different authentication methods are available:
+At first, the client attempts to authenticate using the public key method.
+If this method fails password authentication is tried.
+.Pp
+The public key method is similar to RSA authentication described
+in the previous section except that the DSA algorithm is used
+instead of the patented RSA algorithm.
+The client uses his private DSA key
+.Pa $HOME/.ssh/id_dsa
+to sign the session identifier and sends the result to the server.
+The server checks whether the matching public key is listed in
+.Pa $HOME/.ssh/authorized_keys2
+and grants access if both the key is found and the signature is correct.
+The session identifier is derived from a shared Diffie-Hellman value
+and is only known to the client and the server.
+.Pp
+If public key authentication fails or is not available a password
+can be sent encrypted to the remote host for proving the user's identity.
+This protocol 2 implementation does not yet support Kerberos or
+OPIE authentication.
+.Pp
+Protocol 2 provides additional mechanisms for confidentiality
+(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
+and integrity (hmac-sha1, hmac-md5).
+Note that protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Pp
+.Ss Login session and remote execution
+.Pp
+When the user's identity has been accepted by the server, the server
+either executes the given command, or logs into the machine and gives
+the user a normal shell on the remote machine.
+All communication with
+the remote command or shell will be automatically encrypted.
+.Pp
+If a pseudo-terminal has been allocated (normal login session), the
+user can disconnect with
+.Ic ~. ,
+and suspend
+.Nm
+with
+.Ic ~^Z .
+All forwarded connections can be listed with
+.Ic ~#
+and if
+the session blocks waiting for forwarded X11 or TCP/IP
+connections to terminate, it can be backgrounded with
+.Ic ~&
+(this should not be used while the user shell is active, as it can cause the
+shell to hang).
+All available escapes can be listed with
+.Ic ~? .
+.Pp
+A single tilde character can be sent as
+.Ic ~~
+(or by following the tilde by a character other than those described above).
+The escape character must always follow a newline to be interpreted as
+special.
+The escape character can be changed in configuration files
+or on the command line.
+.Pp
+If no pseudo tty has been allocated, the
+session is transparent and can be used to reliably transfer binary
+data.
+On most systems, setting the escape character to
+.Dq none
+will also make the session transparent even if a tty is used.
+.Pp
+The session terminates when the command or shell in on the remote
+machine exists and all X11 and TCP/IP connections have been closed.
+The exit status of the remote program is returned as the exit status
+of
+.Nm ssh .
+.Pp
+.Ss X11 and TCP forwarding
+.Pp
+If the user is using X11 (the
+.Ev DISPLAY
+environment variable is set), the connection to the X11 display can
+be forwarded to the remote side in such a way that any X11
+programs started from the shell (or command) will go through the
+encrypted channel, and the connection to the real X server will be made
+from the local machine.
+The user should not manually set
+.Ev DISPLAY .
+Forwarding of X11 connections weakens the security of ssh and is
+disabled by default.  X11 forwarding can be enabled on the command line
+or in configuration files.
+.Pp
+The
+.Ev DISPLAY
+value set by
+.Nm
+will point to the server machine, but with a display number greater
+than zero.
+This is normal, and happens because
+.Nm
+creates a
+.Dq proxy
+X server on the server machine for forwarding the
+connections over the encrypted channel.
+.Pp
+.Nm
+will also automatically set up Xauthority data on the server machine.
+For this purpose, it will generate a random authorization cookie,
+store it in Xauthority on the server, and verify that any forwarded
+connections carry this cookie and replace it by the real cookie when
+the connection is opened.
+The real authentication cookie is never
+sent to the server machine (and no cookies are sent in the plain).
+.Pp
+If the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side unless disabled on
+command line or in a configuration file.
+.Pp
+Forwarding of arbitrary TCP/IP connections over the secure channel can
+be specified either on command line or in a configuration file.
+One possible application of TCP/IP forwarding is a secure connection to an
+electronic purse; another is going trough firewalls.
+.Pp
+.Ss Server authentication
+.Pp
+.Nm
+automatically maintains and checks a database containing
+identifications for all hosts it has ever been used with.
+RSA host keys are stored in
+.Pa $HOME/.ssh/known_hosts
+and
+DSA host keys are stored in
+.Pa $HOME/.ssh/known_hosts2
+in the user's home directory.
+Additionally, the files
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa /etc/ssh/ssh_known_hosts2
+are automatically checked for known hosts.
+Any new hosts are automatically added to the user's file.
+If a host's identification
+ever changes,
+.Nm
+warns about this and disables password authentication to prevent a
+trojan horse from getting the user's password.
+Another purpose of
+this mechanism is to prevent man-in-the-middle attacks which could
+otherwise be used to circumvent the encryption.
+The
+.Cm StrictHostKeyChecking
+option (see below) can be used to prevent logins to machines whose
+host key is not known or has changed.
+.Sh OPTIONS
+.Bl -tag -width Ds
+.It Fl a
+Disables forwarding of the authentication agent connection.
+.It Fl A
+Enables forwarding of the authentication agent connection.
+This can also be specified on a per-host basis in a configuration file.
+.It Fl c Ar blowfish|3des
+Selects the cipher to use for encrypting the session.
+.Ar 3des
+is used by default.
+It is believed to be secure.
+.Ar 3des
+(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
+It is presumably more secure than the
+.Ar des
+cipher which is no longer supported in
+.Nm ssh .
+.Ar blowfish
+is a fast block cipher, it appears very secure and is much faster than
+.Ar 3des .
+.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
+Additionally, for protocol version 2 a comma-separated list of ciphers can
+be specified in order of preference. Protocol version 2 supports
+3DES, Blowfish and CAST128 in CBC mode and Arcfour.
+.It Fl e Ar ch|^ch|none
+Sets the escape character for sessions with a pty (default:
+.Ql ~ ) .
+The escape character is only recognized at the beginning of a line.
+The escape character followed by a dot
+.Pq Ql \&.
+closes the connection, followed
+by control-Z suspends the connection, and followed by itself sends the
+escape character once.
+Setting the character to
+.Dq none
+disables any escapes and makes the session fully transparent.
+.It Fl f
+Requests
+.Nm
+to go to background just before command execution.
+This is useful if
+.Nm
+is going to ask for passwords or passphrases, but the user
+wants it in the background.
+This implies
+.Fl n .
+The recommended way to start X11 programs at a remote site is with
+something like
+.Ic ssh -f host xterm .
+.It Fl g
+Allows remote hosts to connect to local forwarded ports.
+.It Fl i Ar identity_file
+Selects the file from which the identity (private key) for
+RSA authentication is read.
+Default is
+.Pa $HOME/.ssh/identity
+in the user's home directory.
+Identity files may also be specified on
+a per-host basis in the configuration file.
+It is possible to have multiple
+.Fl i
+options (and multiple identities specified in
+configuration files).
+.It Fl k
+Disables forwarding of Kerberos tickets and AFS tokens.
+This may also be specified on a per-host basis in the configuration file.
+.It Fl l Ar login_name
+Specifies the user to log in as on the remote machine.
+This also may be specified on a per-host basis in the configuration file.
+.It Fl n
+Redirects stdin from
+.Pa /dev/null
+(actually, prevents reading from stdin).
+This must be used when
+.Nm
+is run in the background.
+A common trick is to use this to run X11 programs on a remote machine.
+For example,
+.Ic ssh -n shadows.cs.hut.fi emacs &
+will start an emacs on shadows.cs.hut.fi, and the X11
+connection will be automatically forwarded over an encrypted channel.
+The
+.Nm
+program will be put in the background.
+(This does not work if
+.Nm
+needs to ask for a password or passphrase; see also the
+.Fl f
+option.)
+.It Fl N
+Do not execute a remote command.
+This is usefull if you just want to forward ports
+(protocol version 2 only).
+.It Fl o Ar option
+Can be used to give options in the format used in the config file.
+This is useful for specifying options for which there is no separate
+command-line flag.
+The option has the same format as a line in the configuration file.
+.It Fl p Ar port
+Port to connect to on the remote host.
+This can be specified on a
+per-host basis in the configuration file.
+.It Fl P
+Use a non-privileged port for outgoing connections.
+This can be used if your firewall does
+not permit connections from privileged ports.
+Note that this option turns off
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication .
+.It Fl q
+Quiet mode.
+Causes all warning and diagnostic messages to be suppressed.
+Only fatal errors are displayed.
+.It Fl t
+Force pseudo-tty allocation.
+This can be used to execute arbitrary
+screen-based programs on a remote machine, which can be very useful,
+e.g., when implementing menu services.
+.It Fl T
+Disable pseudo-tty allocation (protocol version 2 only).
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
+This is helpful in
+debugging connection, authentication, and configuration problems.
+The verbose mode is also used to display
+.Xr skey 1
+challenges, if the user entered "s/key" as password.
+.It Fl x
+Disables X11 forwarding.
+.It Fl X
+Enables X11 forwarding.
+This can also be specified on a per-host basis in a configuration file.
+.It Fl C
+Requests compression of all data (including stdin, stdout, stderr, and
+data for forwarded X11 and TCP/IP connections).
+The compression algorithm is the same used by
+.Xr gzip 1 ,
+and the
+.Dq level
+can be controlled by the
+.Cm CompressionLevel
+option (see below).
+Compression is desirable on modem lines and other
+slow connections, but will only slow down things on fast networks.
+The default value can be set on a host-by-host basis in the
+configuration files; see the
+.Cm Compress
+option below.
+.It Fl L Ar port:host:hostport
+Specifies that the given port on the local (client) host is to be
+forwarded to the given host and port on the remote side.
+This works by allocating a socket to listen to
+.Ar port
+on the local side, and whenever a connection is made to this port, the
+connection is forwarded over the secure channel, and a connection is
+made to
+.Ar host
+port
+.Ar hostport
+from the remote machine.
+Port forwardings can also be specified in the configuration file.
+Only root can forward privileged ports.
+IPv6 addresses can be specified with an alternative syntax:
+.Ar port/host/hostport
+.It Fl R Ar port:host:hostport
+Specifies that the given port on the remote (server) host is to be
+forwarded to the given host and port on the local side.
+This works by allocating a socket to listen to
+.Ar port
+on the remote side, and whenever a connection is made to this port, the
+connection is forwarded over the secure channel, and a connection is
+made to
+.Ar host
+port
+.Ar hostport
+from the local machine.
+Port forwardings can also be specified in the configuration file.
+Privileged ports can be forwarded only when
+logging in as root on the remote machine.
+.It Fl 2
+Forces
+.Nm
+to try protocol version 2 only.
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.El
+.Sh CONFIGURATION FILES
+.Nm
+obtains configuration data from the following sources (in this order):
+command line options, user's configuration file
+.Pq Pa $HOME/.ssh/config ,
+and system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config .
+For each parameter, the first obtained value
+will be used.
+The configuration files contain sections bracketed by
+.Dq Host
+specifications, and that section is only applied for hosts that
+match one of the patterns given in the specification.
+The matched host name is the one given on the command line.
+.Pp
+Since the first obtained value for each parameter is used, more
+host-specific declarations should be given near the beginning of the
+file, and general defaults at the end.
+.Pp
+The configuration file has the following format:
+.Pp
+Empty lines and lines starting with
+.Ql #
+are comments.
+.Pp
+Otherwise a line is of the format
+.Dq keyword arguments .
+The possible
+keywords and their meanings are as follows (note that the
+configuration files are case-sensitive):
+.Bl -tag -width Ds
+.It Cm Host
+Restricts the following declarations (up to the next
+.Cm Host
+keyword) to be only for those hosts that match one of the patterns
+given after the keyword.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the
+patterns.
+A single
+.Ql \&*
+as a pattern can be used to provide global
+defaults for all hosts.
+The host is the
+.Ar hostname
+argument given on the command line (i.e., the name is not converted to
+a canonicalized host name before matching).
+.It Cm AFSTokenPassing
+Specifies whether to pass AFS tokens to remote host.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm BatchMode
+If set to
+.Dq yes ,
+passphrase/password querying will be disabled.
+This option is useful in scripts and other batch jobs where you have no
+user to supply the password.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm CheckHostIP
+If this flag is set to
+.Dq yes ,
+ssh will additionally check the host ip address in the
+.Pa known_hosts
+file.
+This allows ssh to detect if a host key changed due to DNS spoofing.
+If the option is set to
+.Dq no ,
+the check will not be executed.
+.It Cm Cipher
+Specifies the cipher to use for encrypting the session.
+Currently,
+.Dq blowfish ,
+and
+.Dq 3des
+are supported.
+The default is
+.Dq 3des .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2
+in order of preference.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
+.It Cm Compression
+Specifies whether to use compression.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm CompressionLevel
+Specifies the compression level to use if compression is enable.
+The argument must be an integer from 1 (fast) to 9 (slow, best).
+The default level is 6, which is good for most applications.
+The meaning of the values is the same as in
+.Xr gzip 1 .
+.It Cm ConnectionAttempts
+Specifies the number of tries (one per second) to make before falling
+back to rsh or exiting.
+The argument must be an integer.
+This may be useful in scripts if the connection sometimes fails.
+.It Cm DSAAuthentication
+Specifies whether to try DSA authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+DSA authentication will only be
+attempted if a DSA identity file exists.
+Note that this option applies to protocol version 2 only.
+.It Cm EscapeChar
+Sets the escape character (default:
+.Ql ~ ) .
+The escape character can also
+be set on the command line.
+The argument should be a single character,
+.Ql ^
+followed by a letter, or
+.Dq none
+to disable the escape
+character entirely (making the connection transparent for binary
+data).
+.It Cm FallBackToRsh
+Specifies that if connecting via
+.Nm
+fails due to a connection refused error (there is no
+.Xr sshd 8
+listening on the remote host),
+.Xr rsh 1
+should automatically be used instead (after a suitable warning about
+the session being unencrypted).
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm ForwardAgent
+Specifies whether the connection to the authentication agent (if any)
+will be forwarded to the remote machine.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm ForwardX11
+Specifies whether X11 connections will be automatically redirected
+over the secure channel and
+.Ev DISPLAY
+set.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to local
+forwarded ports.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GlobalKnownHostsFile
+Specifies a file to use instead of
+.Pa /etc/ssh/ssh_known_hosts .
+.It Cm HostName
+Specifies the real host name to log into.
+This can be used to specify nicknames or abbreviations for hosts.
+Default is the name given on the command line.
+Numeric IP addresses are also permitted (both on the command line and in
+.Cm HostName
+specifications).
+.It Cm IdentityFile
+Specifies the file from which the user's RSA authentication identity
+is read (default
+.Pa $HOME/.ssh/identity
+in the user's home directory).
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
+.It Cm IdentityFile2
+Specifies the file from which the user's DSA authentication identity
+is read (default
+.Pa $HOME/.ssh/id_dsa
+in the user's home directory).
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
+.It Cm KeepAlive
+Specifies whether the system should send keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the client will notice
+if the network goes down or the remote host dies.
+This is important in scripts, and many users want it too.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no
+in both the server and the client configuration files.
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication will be used.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT will be forwarded to the server.
+This will only work if the Kerberos server is actually an AFS kaserver.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm LocalForward
+Specifies that a TCP/IP port on the local machine be forwarded over
+the secure channel to given host:port from the remote machine.
+The first argument must be a port number, and the second must be
+host:port.
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm ssh .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
+The default is INFO.
+.It Cm NumberOfPasswordPrompts
+Specifies the number of password prompts before giving up.
+The argument to this keyword must be an integer.
+Default is 3.
+.It Cm PasswordAuthentication
+Specifies whether to use password authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+Note that this option applies to both protocol version 1 and 2.
+.It Cm Port
+Specifies the port number to connect on the remote host.
+Default is 22.
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support in order of preference.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1,2 .
+This means that
+.Nm
+tries version 1 and falls back to version 2
+if version 1 is not available.
+.It Cm ProxyCommand
+Specifies the command to use to connect to the server.
+The command
+string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+In the command string,
+.Ql %h
+will be substituted by the host name to
+connect and
+.Ql %p
+by the port.
+The command can be basically anything,
+and should read from its standard input and write to its standard output.
+It should eventually connect an
+.Xr sshd 8
+server running on some machine, or execute
+.Ic sshd -i
+somewhere.
+Host key management will be done using the
+HostName of the host being connected (defaulting to the name typed by
+the user).
+Note that
+.Cm CheckHostIP
+is not available for connects with a proxy command.
+.Pp
+.It Cm RemoteForward
+Specifies that a TCP/IP port on the remote machine be forwarded over
+the secure channel to given host:port from the local machine.
+The first argument must be a port number, and the second must be
+host:port.
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm RhostsAuthentication
+Specifies whether to try rhosts based authentication.
+Note that this
+declaration only affects the client side and has no effect whatsoever
+on security.
+Disabling rhosts authentication may reduce
+authentication time on slow connections when rhosts authentication is
+not used.
+Most servers do not permit RhostsAuthentication because it
+is not secure (see RhostsRSAAuthentication).
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm RhostsRSAAuthentication
+Specifies whether to try rhosts based authentication with RSA host
+authentication.
+This is the primary authentication method for most sites.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm RSAAuthentication
+Specifies whether to try RSA authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+RSA authentication will only be
+attempted if the identity file exists, or an authentication agent is
+running.
+Note that this option applies to protocol version 1 only.
+.It Cm SkeyAuthentication
+Specifies whether to use
+.Xr skey 1
+authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm StrictHostKeyChecking
+If this flag is set to
+.Dq yes ,
+.Nm
+ssh will never automatically add host keys to the
+.Pa $HOME/.ssh/known_hosts
+and
+.Pa $HOME/.ssh/known_hosts2
+files, and refuses to connect hosts whose host key has changed.
+This provides maximum protection against trojan horse attacks.
+However, it can be somewhat annoying if you don't have good
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa /etc/ssh/ssh_known_hosts2
+files installed and frequently
+connect new hosts.
+Basically this option forces the user to manually
+add any new hosts.
+Normally this option is disabled, and new hosts
+will automatically be added to the known host files.
+The host keys of
+known hosts will be verified automatically in either case.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm UsePrivilegedPort
+Specifies whether to use a privileged port for outgoing connections.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+Note that setting this option to
+.Dq no
+turns off
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication .
+.It Cm User
+Specifies the user to log in as.
+This can be useful if you have a different user name on different machines.
+This saves the trouble of
+having to remember to give the user name on the command line.
+.It Cm UserKnownHostsFile
+Specifies a file to use instead of
+.Pa $HOME/.ssh/known_hosts .
+.It Cm UseRsh
+Specifies that rlogin/rsh should be used for this host.
+It is possible that the host does not at all support the
+.Nm
+protocol.
+This causes
+.Nm
+to immediately execute
+.Xr rsh 1 .
+All other options (except
+.Cm HostName )
+are ignored if this has been specified.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.Sh ENVIRONMENT
+.Nm
+will normally set the following environment variables:
+.Bl -tag -width Ds
+.It Ev DISPLAY
+The
+.Ev DISPLAY
+variable indicates the location of the X11 server.
+It is automatically set by
+.Nm
+to point to a value of the form
+.Dq hostname:n
+where hostname indicates
+the host where the shell runs, and n is an integer \*(>= 1.
+.Nm
+uses this special value to forward X11 connections over the secure
+channel.
+The user should normally not set DISPLAY explicitly, as that
+will render the X11 connection insecure (and will require the user to
+manually copy any required authorization cookies).
+.It Ev HOME
+Set to the path of the user's home directory.
+.It Ev LOGNAME
+Synonym for
+.Ev USER ;
+set for compatibility with systems that use this variable.
+.It Ev MAIL
+Set to point the user's mailbox.
+.It Ev PATH
+Set to the default
+.Ev PATH ,
+as specified when compiling
+.Nm ssh .
+.It Ev SSH_AUTH_SOCK
+indicates the path of a unix-domain socket used to communicate with the
+agent.
+.It Ev SSH_CLIENT
+Identifies the client end of the connection.
+The variable contains
+three space-separated values: client ip-address, client port number,
+and server port number.
+.It Ev SSH_TTY
+This is set to the name of the tty (path to the device) associated
+with the current shell or command.
+If the current session has no tty,
+this variable is not set.
+.It Ev TZ
+The timezone variable is set to indicate the present timezone if it
+was set when the daemon was started (i.e., the daemon passes the value
+on to new connections).
+.It Ev USER
+Set to the name of the user logging in.
+.El
+.Pp
+Additionally,
+.Nm
+reads
+.Pa $HOME/.ssh/environment ,
+and adds lines of the format
+.Dq VARNAME=value
+to the environment.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/known_hosts
+Records host keys for all hosts the user has logged into (that are not
+in
+.Pa /etc/ssh/ssh_known_hosts ) .
+See
+.Xr sshd 8 .
+.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa
+Contains the RSA and the DSA authentication identity of the user.
+These files
+contain sensitive data and should be readable by the user but not
+accessible by others (read/write/execute).
+Note that
+.Nm
+ignores a private key file if it is accessible by others.
+It is possible to specify a passphrase when
+generating the key; the passphrase will be used to encrypt the
+sensitive part of this file using 3DES.
+.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub
+Contains the public key for authentication (public part of the
+identity file in human-readable form).
+The contents of the
+.Pa $HOME/.ssh/identity.pub
+file should be added to
+.Pa $HOME/.ssh/authorized_keys
+on all machines
+where you wish to log in using RSA authentication.
+The contents of the
+.Pa $HOME/.ssh/id_dsa.pub
+file should be added to
+.Pa $HOME/.ssh/authorized_keys2
+on all machines
+where you wish to log in using DSA authentication.
+These files are not
+sensitive and can (but need not) be readable by anyone.
+These files are
+never used automatically and are not necessary; they are only provided for
+the convenience of the user.
+.It Pa $HOME/.ssh/config
+This is the per-user configuration file.
+The format of this file is described above.
+This file is used by the
+.Nm
+client.
+This file does not usually contain any sensitive information,
+but the recommended permissions are read/write for the user, and not
+accessible by others.
+.It Pa $HOME/.ssh/authorized_keys
+Lists the RSA keys that can be used for logging in as this user.
+The format of this file is described in the
+.Xr sshd 8
+manual page.
+In the simplest form the format is the same as the .pub
+identity files (that is, each line contains the number of bits in
+modulus, public exponent, modulus, and comment fields, separated by
+spaces).
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.It Pa $HOME/.ssh/authorized_keys2
+Lists the DSA keys that can be used for logging in as this user.
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.It Pa /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2
+Systemwide list of known host keys.
+.Pa /etc/ssh_known_hosts
+contains RSA and
+.Pa /etc/ssh_known_hosts2
+contains DSA keys.
+These files should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+This file should be world-readable.
+This file contains
+public keys, one per line, in the following format (fields separated
+by spaces): system name, number of bits in modulus, public exponent,
+modulus, and optional comment field.
+When different names are used
+for the same machine, all such names should be listed, separated by
+commas.
+The format is described on the
+.Xr sshd 8
+manual page.
+.Pp
+The canonical system name (as returned by name servers) is used by
+.Xr sshd 8
+to verify the client host when logging in; other names are needed because
+.Nm
+does not convert the user-supplied name to a canonical name before
+checking the key, because someone with access to the name servers
+would then be able to fool host authentication.
+.It Pa /etc/ssh/ssh_config
+Systemwide configuration file.
+This file provides defaults for those
+values that are not specified in the user's configuration file, and
+for those users who do not have a configuration file.
+This file must be world-readable.
+.It Pa $HOME/.rhosts
+This file is used in
+.Pa \&.rhosts
+authentication to list the
+host/user pairs that are permitted to log in.
+(Note that this file is
+also used by rlogin and rsh, which makes using this file insecure.)
+Each line of the file contains a host name (in the canonical form
+returned by name servers), and then a user name on that host,
+separated by a space.
+One some machines this file may need to be
+world-readable if the user's home directory is on a NFS partition,
+because
+.Xr sshd 8
+reads it as root.
+Additionally, this file must be owned by the user,
+and must not have write permissions for anyone else.
+The recommended
+permission for most machines is read/write for the user, and not
+accessible by others.
+.Pp
+Note that by default
+.Xr sshd 8
+will be installed so that it requires successful RSA host
+authentication before permitting \s+2.\s0rhosts authentication.
+If your server machine does not have the client's host key in
+.Pa /etc/ssh/ssh_known_hosts ,
+you can store it in
+.Pa $HOME/.ssh/known_hosts .
+The easiest way to do this is to
+connect back to the client from the server machine using ssh; this
+will automatically add the host key to
+.Pa $HOME/.ssh/known_hosts .
+.It Pa $HOME/.shosts
+This file is used exactly the same way as
+.Pa \&.rhosts .
+The purpose for
+having this file is to be able to use rhosts authentication with
+.Nm
+without permitting login with
+.Xr rlogin 1
+or
+.Xr rsh 1 .
+.It Pa /etc/hosts.equiv
+This file is used during
+.Pa \&.rhosts
+authentication.
+It contains
+canonical hosts names, one per line (the full format is described on
+the
+.Xr sshd 8
+manual page).
+If the client host is found in this file, login is
+automatically permitted provided client and server user names are the
+same.
+Additionally, successful RSA host authentication is normally
+required.
+This file should only be writable by root.
+.It Pa /etc/ssh/shosts.equiv
+This file is processed exactly as
+.Pa /etc/hosts.equiv .
+This file may be useful to permit logins using
+.Nm
+but not using rsh/rlogin.
+.It Pa /etc/ssh/sshrc
+Commands in this file are executed by
+.Nm
+when the user logs in just before the user's shell (or command) is started.
+See the
+.Xr sshd 8
+manual page for more information.
+.It Pa $HOME/.ssh/rc
+Commands in this file are executed by
+.Nm
+when the user logs in just before the user's shell (or command) is
+started.
+See the
+.Xr sshd 8
+manual page for more information.
+.It Pa $HOME/.ssh/environment
+Contains additional definitions for environment variables, see section
+.Sx ENVIRONMENT
+above.
+.It Pa libcrypto.so.X.1
+A version of this library which includes support for the RSA algorithm
+is required for proper operation.
+.Sh AUTHOR
+OpenSSH
+is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
+but with bugs removed and newer features re-added.
+Rapidly after the
+1.2.12 release, newer versions of the original ssh bore successively
+more restrictive licenses, and thus demand for a free version was born.
+.Pp
+This version of OpenSSH
+.Bl -bullet
+.It
+has all components of a restrictive nature (i.e., patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+.It
+has been updated to support SSH protocol 1.5 and 2, making it compatible with
+all other SSH clients and servers.
+.It
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+.It
+supports one-time password authentication with
+.Xr skey 1 .
+.El
+.Pp
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Pp
+OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl,
+Niels Provos, Theo de Raadt, and Dug Song.
+.Pp
+The support for SSH protocol 2 was written by Markus Friedl.
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr rsh 1 ,
+.Xr scp 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr telnet 1 ,
+.Xr sshd 8 ,
+.Xr ssl 8
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
new file mode 100644
index 0000000..5708897
--- /dev/null
+++ b/crypto/openssh/ssh.c
@@ -0,0 +1,984 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sat Mar 18 16:36:11 1995 ylo
+ * Ssh client program.  This program can be used to log into a remote machine.
+ * The software supports strong authentication, encryption, and forwarding
+ * of X11, TCP/IP, and authentication connections.
+ *
+ * Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$Id: ssh.c,v 1.54 2000/05/30 17:32:06 markus Exp $");
+
+#include <openssl/evp.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+
+#include "xmalloc.h"
+#include "ssh.h"
+#include "packet.h"
+#include "buffer.h"
+#include "authfd.h"
+#include "readconf.h"
+#include "uidswap.h"
+
+#include "ssh2.h"
+#include "compat.h"
+#include "channels.h"
+#include "key.h"
+#include "authfile.h"
+
+extern char *__progname;
+
+/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+   Default value is AF_UNSPEC means both IPv4 and IPv6. */
+int IPv4or6 = AF_UNSPEC;
+
+/* Flag indicating whether debug mode is on.  This can be set on the command line. */
+int debug_flag = 0;
+
+/* Flag indicating whether a tty should be allocated */
+int tty_flag = 0;
+
+/* don't exec a shell */
+int no_shell_flag = 0;
+int no_tty_flag = 0;
+
+/*
+ * Flag indicating that nothing should be read from stdin.  This can be set
+ * on the command line.
+ */
+int stdin_null_flag = 0;
+
+/*
+ * Flag indicating that ssh should fork after authentication.  This is useful
+ * so that the pasphrase can be entered manually, and then ssh goes to the
+ * background.
+ */
+int fork_after_authentication_flag = 0;
+
+/*
+ * General data structure for command line options and options configurable
+ * in configuration files.  See readconf.h.
+ */
+Options options;
+
+/*
+ * Name of the host we are connecting to.  This is the name given on the
+ * command line, or the HostName specified for the user-supplied name in a
+ * configuration file.
+ */
+char *host;
+
+/* socket address the host resolves to */
+struct sockaddr_storage hostaddr;
+
+/*
+ * Flag to indicate that we have received a window change signal which has
+ * not yet been processed.  This will cause a message indicating the new
+ * window size to be sent to the server a little later.  This is volatile
+ * because this is updated in a signal handler.
+ */
+volatile int received_window_change_signal = 0;
+
+/* Value of argv[0] (set in the main program). */
+char *av0;
+
+/* Flag indicating whether we have a valid host private key loaded. */
+int host_private_key_loaded = 0;
+
+/* Host private key. */
+RSA *host_private_key = NULL;
+
+/* Original real UID. */
+uid_t original_real_uid;
+
+/* command to be executed */
+Buffer command;
+
+/* Prints a help message to the user.  This function never returns. */
+
+void
+usage()
+{
+	fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -l user     Log in using this user name.\n");
+	fprintf(stderr, "  -n          Redirect input from /dev/null.\n");
+	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
+	fprintf(stderr, "  -a          Disable authentication agent forwarding.\n");
+#ifdef AFS
+	fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
+#endif				/* AFS */
+        fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
+	fprintf(stderr, "  -x          Disable X11 connection forwarding.\n");
+	fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
+	fprintf(stderr, "  -i file     Identity for RSA authentication (default: ~/.ssh/identity).\n");
+	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
+	fprintf(stderr, "  -T          Do not allocate a tty.\n");
+	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
+	fprintf(stderr, "  -V          Display version number only.\n");
+	fprintf(stderr, "  -P          Don't allocate a privileged port.\n");
+	fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
+	fprintf(stderr, "  -f          Fork into background after authentication.\n");
+	fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
+
+	fprintf(stderr, "  -c cipher   Select encryption algorithm: "
+			"``3des'', "
+			"``blowfish''\n");
+	fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
+	fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
+	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
+	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", av0);
+	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
+	fprintf(stderr, "  -C          Enable compression.\n");
+	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
+	fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
+	fprintf(stderr, "  -4          Use IPv4 only.\n");
+	fprintf(stderr, "  -6          Use IPv6 only.\n");
+	fprintf(stderr, "  -2          Force protocol version 2.\n");
+	fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
+	exit(1);
+}
+
+/*
+ * Connects to the given host using rsh (or prints an error message and exits
+ * if rsh is not available).  This function never returns.
+ */
+void
+rsh_connect(char *host, char *user, Buffer * command)
+{
+	char *args[10];
+	int i;
+
+	log("Using rsh.  WARNING: Connection will not be encrypted.");
+	/* Build argument list for rsh. */
+	i = 0;
+#ifndef	_PATH_RSH
+#define	_PATH_RSH	"/usr/bin/rsh"
+#endif
+	args[i++] = _PATH_RSH;
+	/* host may have to come after user on some systems */
+	args[i++] = host;
+	if (user) {
+		args[i++] = "-l";
+		args[i++] = user;
+	}
+	if (buffer_len(command) > 0) {
+		buffer_append(command, "\0", 1);
+		args[i++] = buffer_ptr(command);
+	}
+	args[i++] = NULL;
+	if (debug_flag) {
+		for (i = 0; args[i]; i++) {
+			if (i != 0)
+				fprintf(stderr, " ");
+			fprintf(stderr, "%s", args[i]);
+		}
+		fprintf(stderr, "\n");
+	}
+	execv(_PATH_RSH, args);
+	perror(_PATH_RSH);
+	exit(1);
+}
+
+int ssh_session(void);
+int ssh_session2(void);
+
+/*
+ * Main program for the ssh client.
+ */
+int
+main(int ac, char **av)
+{
+	int i, opt, optind, exit_status, ok;
+	u_short fwd_port, fwd_host_port;
+	char *optarg, *cp, buf[256];
+	struct stat st;
+	struct passwd *pw, pwcopy;
+	int dummy;
+	uid_t original_effective_uid;
+
+	/*
+	 * Save the original real uid.  It will be needed later (uid-swapping
+	 * may clobber the real uid).
+	 */
+	original_real_uid = getuid();
+	original_effective_uid = geteuid();
+
+	/* If we are installed setuid root be careful to not drop core. */
+	if (original_real_uid != original_effective_uid) {
+		struct rlimit rlim;
+		rlim.rlim_cur = rlim.rlim_max = 0;
+		if (setrlimit(RLIMIT_CORE, &rlim) < 0)
+			fatal("setrlimit failed: %.100s", strerror(errno));
+	}
+	/*
+	 * Use uid-swapping to give up root privileges for the duration of
+	 * option processing.  We will re-instantiate the rights when we are
+	 * ready to create the privileged port, and will permanently drop
+	 * them when the port has been created (actually, when the connection
+	 * has been made, as we may need to create the port several times).
+	 */
+	temporarily_use_uid(original_real_uid);
+
+	/*
+	 * Set our umask to something reasonable, as some files are created
+	 * with the default umask.  This will make them world-readable but
+	 * writable only by the owner, which is ok for all files for which we
+	 * don't set the modes explicitly.
+	 */
+	umask(022);
+
+	/* Save our own name. */
+	av0 = av[0];
+
+	/* Initialize option structure to indicate that no values have been set. */
+	initialize_options(&options);
+
+	/* Parse command-line arguments. */
+	host = NULL;
+
+	/* If program name is not one of the standard names, use it as host name. */
+	if (strchr(av0, '/'))
+		cp = strrchr(av0, '/') + 1;
+	else
+		cp = av0;
+	if (strcmp(cp, "rsh") != 0 && strcmp(cp, "ssh") != 0 &&
+	    strcmp(cp, "rlogin") != 0 && strcmp(cp, "slogin") != 0)
+		host = cp;
+
+	for (optind = 1; optind < ac; optind++) {
+		if (av[optind][0] != '-') {
+			if (host)
+				break;
+			if ((cp = strchr(av[optind], '@'))) {
+				if(cp == av[optind])
+					usage();
+				options.user = av[optind];
+				*cp = '\0';
+				host = ++cp;
+			} else
+				host = av[optind];
+			continue;
+		}
+		opt = av[optind][1];
+		if (!opt)
+			usage();
+		if (strchr("eilcpLRo", opt)) {	/* options with arguments */
+			optarg = av[optind] + 2;
+			if (strcmp(optarg, "") == 0) {
+				if (optind >= ac - 1)
+					usage();
+				optarg = av[++optind];
+			}
+		} else {
+			if (av[optind][2])
+				usage();
+			optarg = NULL;
+		}
+		switch (opt) {
+		case '2':
+			options.protocol = SSH_PROTO_2;
+			break;
+		case '4':
+			IPv4or6 = AF_INET;
+			break;
+		case '6':
+			IPv4or6 = AF_INET6;
+			break;
+		case 'n':
+			stdin_null_flag = 1;
+			break;
+		case 'f':
+			fork_after_authentication_flag = 1;
+			stdin_null_flag = 1;
+			break;
+		case 'x':
+			options.forward_x11 = 0;
+			break;
+		case 'X':
+			options.forward_x11 = 1;
+			break;
+		case 'g':
+			options.gateway_ports = 1;
+			break;
+		case 'P':
+			options.use_privileged_port = 0;
+			break;
+		case 'a':
+			options.forward_agent = 0;
+			break;
+		case 'A':
+			options.forward_agent = 1;
+			break;
+#ifdef AFS
+		case 'k':
+			options.krb4_tgt_passing = 0;
+			options.krb5_tgt_passing = 0;
+			options.afs_token_passing = 0;
+			break;
+#endif
+		case 'i':
+			if (stat(optarg, &st) < 0) {
+				fprintf(stderr, "Warning: Identity file %s does not exist.\n",
+					optarg);
+				break;
+			}
+			if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES)
+				fatal("Too many identity files specified (max %d)",
+				      SSH_MAX_IDENTITY_FILES);
+			options.identity_files[options.num_identity_files++] =
+				xstrdup(optarg);
+			break;
+		case 't':
+			tty_flag = 1;
+			break;
+		case 'v':
+		case 'V':
+			fprintf(stderr, "SSH Version %s, protocol versions %d.%d/%d.%d.\n",
+			    SSH_VERSION,
+			    PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
+			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
+			fprintf(stderr, "Compiled with SSL (0x%8.8lx).\n", SSLeay());
+			if (opt == 'V')
+				exit(0);
+			debug_flag = 1;
+			options.log_level = SYSLOG_LEVEL_DEBUG;
+			break;
+		case 'q':
+			options.log_level = SYSLOG_LEVEL_QUIET;
+			break;
+		case 'e':
+			if (optarg[0] == '^' && optarg[2] == 0 &&
+			    (unsigned char) optarg[1] >= 64 && (unsigned char) optarg[1] < 128)
+				options.escape_char = (unsigned char) optarg[1] & 31;
+			else if (strlen(optarg) == 1)
+				options.escape_char = (unsigned char) optarg[0];
+			else if (strcmp(optarg, "none") == 0)
+				options.escape_char = -2;
+			else {
+				fprintf(stderr, "Bad escape character '%s'.\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'c':
+			if (ciphers_valid(optarg)) {
+				/* SSH2 only */
+				options.ciphers = xstrdup(optarg);
+				options.cipher = SSH_CIPHER_ILLEGAL;
+			} else {
+				/* SSH1 only */
+				options.cipher = cipher_number(optarg);
+				if (options.cipher == -1) {
+					fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
+					exit(1);
+				}
+			}
+			break;
+		case 'p':
+			options.port = atoi(optarg);
+			break;
+		case 'l':
+			options.user = optarg;
+			break;
+		case 'R':
+			if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3 &&
+			    sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3) {
+				fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
+				usage();
+				/* NOTREACHED */
+			}
+			add_remote_forward(&options, fwd_port, buf, fwd_host_port);
+			break;
+		case 'L':
+			if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3 &&
+			    sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3) {
+				fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
+				usage();
+				/* NOTREACHED */
+			}
+			add_local_forward(&options, fwd_port, buf, fwd_host_port);
+			break;
+		case 'C':
+			options.compression = 1;
+			break;
+		case 'N':
+			no_shell_flag = 1;
+			no_tty_flag = 1;
+			break;
+		case 'T':
+			no_tty_flag = 1;
+			break;
+		case 'o':
+			dummy = 1;
+			if (process_config_line(&options, host ? host : "", optarg,
+					 "command-line", 0, &dummy) != 0)
+				exit(1);
+			break;
+		default:
+			usage();
+		}
+	}
+
+	/* Check that we got a host name. */
+	if (!host)
+		usage();
+
+	SSLeay_add_all_algorithms();
+
+	/* Initialize the command to execute on remote host. */
+	buffer_init(&command);
+
+	/*
+	 * Save the command to execute on the remote host in a buffer. There
+	 * is no limit on the length of the command, except by the maximum
+	 * packet size.  Also sets the tty flag if there is no command.
+	 */
+	if (optind == ac) {
+		/* No command specified - execute shell on a tty. */
+		tty_flag = 1;
+	} else {
+		/* A command has been specified.  Store it into the
+		   buffer. */
+		for (i = optind; i < ac; i++) {
+			if (i > optind)
+				buffer_append(&command, " ", 1);
+			buffer_append(&command, av[i], strlen(av[i]));
+		}
+	}
+
+	/* Cannot fork to background if no command. */
+	if (fork_after_authentication_flag && buffer_len(&command) == 0)
+		fatal("Cannot fork into background without a command to execute.");
+
+	/* Allocate a tty by default if no command specified. */
+	if (buffer_len(&command) == 0)
+		tty_flag = 1;
+
+	/* Do not allocate a tty if stdin is not a tty. */
+	if (!isatty(fileno(stdin))) {
+		if (tty_flag)
+			fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n");
+		tty_flag = 0;
+	}
+	/* force */
+	if (no_tty_flag)
+		tty_flag = 0;
+
+	/* Get user data. */
+	pw = getpwuid(original_real_uid);
+	if (!pw) {
+		fprintf(stderr, "You don't exist, go away!\n");
+		exit(1);
+	}
+	/* Take a copy of the returned structure. */
+	memset(&pwcopy, 0, sizeof(pwcopy));
+	pwcopy.pw_name = xstrdup(pw->pw_name);
+	pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
+	pwcopy.pw_uid = pw->pw_uid;
+	pwcopy.pw_gid = pw->pw_gid;
+	pwcopy.pw_dir = xstrdup(pw->pw_dir);
+	pwcopy.pw_shell = xstrdup(pw->pw_shell);
+	pwcopy.pw_class = xstrdup(pw->pw_class);
+	pwcopy.pw_expire = pw->pw_expire;
+	pwcopy.pw_change = pw->pw_change;
+	pw = &pwcopy;
+
+	/* Initialize "log" output.  Since we are the client all output
+	   actually goes to the terminal. */
+	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0);
+
+	/* Read per-user configuration file. */
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_CONFFILE);
+	read_config_file(buf, host, &options);
+
+	/* Read systemwide configuration file. */
+	read_config_file(HOST_CONFIG_FILE, host, &options);
+
+	/* Fill configuration defaults. */
+	fill_default_options(&options);
+
+	/* reinit */
+	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0);
+
+	/* check if RSA support exists */
+	if ((options.protocol & SSH_PROTO_1) &&
+	    rsa_alive() == 0) {
+		log("%s: no RSA support in libssl and libcrypto.  See ssl(8).",
+		    __progname);
+		log("Disabling protocol version 1");
+		options.protocol &= ~ (SSH_PROTO_1|SSH_PROTO_1_PREFERRED);
+	}
+	if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {
+		fprintf(stderr, "%s: No protocol version available.\n",
+		    __progname);
+ 		exit(1);
+	}
+
+	if (options.user == NULL)
+		options.user = xstrdup(pw->pw_name);
+
+	if (options.hostname != NULL)
+		host = options.hostname;
+
+	/* Find canonic host name. */
+	if (strchr(host, '.') == 0) {
+		struct addrinfo hints;
+		struct addrinfo *ai = NULL;
+		int errgai;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		hints.ai_flags = AI_CANONNAME;
+		hints.ai_socktype = SOCK_STREAM;
+		errgai = getaddrinfo(host, NULL, &hints, &ai);
+		if (errgai == 0) {
+			if (ai->ai_canonname != NULL)
+				host = xstrdup(ai->ai_canonname);
+			freeaddrinfo(ai);
+		}
+	}
+	/* Disable rhosts authentication if not running as root. */
+	if (original_effective_uid != 0 || !options.use_privileged_port) {
+		options.rhosts_authentication = 0;
+		options.rhosts_rsa_authentication = 0;
+	}
+	/*
+	 * If using rsh has been selected, exec it now (without trying
+	 * anything else).  Note that we must release privileges first.
+	 */
+	if (options.use_rsh) {
+		/*
+		 * Restore our superuser privileges.  This must be done
+		 * before permanently setting the uid.
+		 */
+		restore_uid();
+
+		/* Switch to the original uid permanently. */
+		permanently_set_uid(original_real_uid);
+
+		/* Execute rsh. */
+		rsh_connect(host, options.user, &command);
+		fatal("rsh_connect returned");
+	}
+	/* Restore our superuser privileges. */
+	restore_uid();
+
+	/*
+	 * Open a connection to the remote host.  This needs root privileges
+	 * if rhosts_{rsa_}authentication is enabled.
+	 */
+
+	ok = ssh_connect(host, &hostaddr, options.port,
+			 options.connection_attempts,
+			 !options.rhosts_authentication &&
+			 !options.rhosts_rsa_authentication,
+			 original_real_uid,
+			 options.proxy_command);
+
+	/*
+	 * If we successfully made the connection, load the host private key
+	 * in case we will need it later for combined rsa-rhosts
+	 * authentication. This must be done before releasing extra
+	 * privileges, because the file is only readable by root.
+	 */
+	if (ok && (options.protocol & SSH_PROTO_1)) {
+		Key k;
+		host_private_key = RSA_new();
+		k.type = KEY_RSA;
+		k.rsa = host_private_key;
+		if (load_private_key(HOST_KEY_FILE, "", &k, NULL))
+			host_private_key_loaded = 1;
+	}
+	/*
+	 * Get rid of any extra privileges that we may have.  We will no
+	 * longer need them.  Also, extra privileges could make it very hard
+	 * to read identity files and other non-world-readable files from the
+	 * user's home directory if it happens to be on a NFS volume where
+	 * root is mapped to nobody.
+	 */
+
+	/*
+	 * Note that some legacy systems need to postpone the following call
+	 * to permanently_set_uid() until the private hostkey is destroyed
+	 * with RSA_free().  Otherwise the calling user could ptrace() the
+	 * process, read the private hostkey and impersonate the host.
+	 * OpenBSD does not allow ptracing of setuid processes.
+	 */
+	permanently_set_uid(original_real_uid);
+
+	/*
+	 * Now that we are back to our own permissions, create ~/.ssh
+	 * directory if it doesn\'t already exist.
+	 */
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, SSH_USER_DIR);
+	if (stat(buf, &st) < 0)
+		if (mkdir(buf, 0755) < 0)
+			error("Could not create directory '%.200s'.", buf);
+
+	/* Check if the connection failed, and try "rsh" if appropriate. */
+	if (!ok) {
+		if (options.port != 0)
+			log("Secure connection to %.100s on port %hu refused%.100s.",
+			    host, options.port,
+			    options.fallback_to_rsh ? "; reverting to insecure method" : "");
+		else
+			log("Secure connection to %.100s refused%.100s.", host,
+			    options.fallback_to_rsh ? "; reverting to insecure method" : "");
+
+		if (options.fallback_to_rsh) {
+			rsh_connect(host, options.user, &command);
+			fatal("rsh_connect returned");
+		}
+		exit(1);
+	}
+	/* Expand ~ in options.identity_files. */
+	/* XXX mem-leaks */
+	for (i = 0; i < options.num_identity_files; i++)
+		options.identity_files[i] =
+			tilde_expand_filename(options.identity_files[i], original_real_uid);
+	for (i = 0; i < options.num_identity_files2; i++)
+		options.identity_files2[i] =
+			tilde_expand_filename(options.identity_files2[i], original_real_uid);
+	/* Expand ~ in known host file names. */
+	options.system_hostfile = tilde_expand_filename(options.system_hostfile,
+	    original_real_uid);
+	options.user_hostfile = tilde_expand_filename(options.user_hostfile,
+	    original_real_uid);
+	options.system_hostfile2 = tilde_expand_filename(options.system_hostfile2,
+	    original_real_uid);
+	options.user_hostfile2 = tilde_expand_filename(options.user_hostfile2,
+	    original_real_uid);
+
+	/* Log into the remote system.  This never returns if the login fails. */
+	ssh_login(host_private_key_loaded, host_private_key,
+		  host, (struct sockaddr *)&hostaddr, original_real_uid);
+
+	/* We no longer need the host private key.  Clear it now. */
+	if (host_private_key_loaded)
+		RSA_free(host_private_key);	/* Destroys contents safely */
+
+	exit_status = compat20 ? ssh_session2() : ssh_session();
+	packet_close();
+	return exit_status;
+}
+
+void
+x11_get_proto(char *proto, int proto_len, char *data, int data_len)
+{
+	char line[512];
+	FILE *f;
+	int got_data = 0, i;
+
+#ifdef XAUTH_PATH
+	/* Try to get Xauthority information for the display. */
+	snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+		 XAUTH_PATH, getenv("DISPLAY"));
+	f = popen(line, "r");
+	if (f && fgets(line, sizeof(line), f) &&
+	    sscanf(line, "%*s %s %s", proto, data) == 2)
+		got_data = 1;
+	if (f)
+		pclose(f);
+#endif /* XAUTH_PATH */
+	/*
+	 * If we didn't get authentication data, just make up some
+	 * data.  The forwarding code will check the validity of the
+	 * response anyway, and substitute this data.  The X11
+	 * server, however, will ignore this fake data and use
+	 * whatever authentication mechanisms it was using otherwise
+	 * for the local connection.
+	 */
+	if (!got_data) {
+		u_int32_t rand = 0;
+
+		strlcpy(proto, "MIT-MAGIC-COOKIE-1", proto_len);
+		for (i = 0; i < 16; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			snprintf(data + 2 * i, data_len - 2 * i, "%02x", rand & 0xff);
+			rand >>= 8;
+		}
+	}
+}
+
+int
+ssh_session(void)
+{
+	int type;
+	int i;
+	int plen;
+	int interactive = 0;
+	int have_tty = 0;
+	struct winsize ws;
+	int authfd;
+	char *cp;
+
+	/* Enable compression if requested. */
+	if (options.compression) {
+		debug("Requesting compression at level %d.", options.compression_level);
+
+		if (options.compression_level < 1 || options.compression_level > 9)
+			fatal("Compression level must be from 1 (fast) to 9 (slow, best).");
+
+		/* Send the request. */
+		packet_start(SSH_CMSG_REQUEST_COMPRESSION);
+		packet_put_int(options.compression_level);
+		packet_send();
+		packet_write_wait();
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS)
+			packet_start_compression(options.compression_level);
+		else if (type == SSH_SMSG_FAILURE)
+			log("Warning: Remote host refused compression.");
+		else
+			packet_disconnect("Protocol error waiting for compression response.");
+	}
+	/* Allocate a pseudo tty if appropriate. */
+	if (tty_flag) {
+		debug("Requesting pty.");
+
+		/* Start the packet. */
+		packet_start(SSH_CMSG_REQUEST_PTY);
+
+		/* Store TERM in the packet.  There is no limit on the
+		   length of the string. */
+		cp = getenv("TERM");
+		if (!cp)
+			cp = "";
+		packet_put_string(cp, strlen(cp));
+
+		/* Store window size in the packet. */
+		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+			memset(&ws, 0, sizeof(ws));
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+
+		/* Store tty modes in the packet. */
+		tty_make_modes(fileno(stdin));
+
+		/* Send the packet, and wait for it to leave. */
+		packet_send();
+		packet_write_wait();
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS) {
+			interactive = 1;
+			have_tty = 1;
+		} else if (type == SSH_SMSG_FAILURE)
+			log("Warning: Remote host failed or refused to allocate a pseudo tty.");
+		else
+			packet_disconnect("Protocol error waiting for pty request response.");
+	}
+	/* Request X11 forwarding if enabled and DISPLAY is set. */
+	if (options.forward_x11 && getenv("DISPLAY") != NULL) {
+		char proto[512], data[512];
+		/* Get reasonable local authentication information. */
+		x11_get_proto(proto, sizeof proto, data, sizeof data);
+		/* Request forwarding with authentication spoofing. */
+		debug("Requesting X11 forwarding with authentication spoofing.");
+		x11_request_forwarding_with_spoofing(0, proto, data);
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS) {
+			interactive = 1;
+		} else if (type == SSH_SMSG_FAILURE) {
+			log("Warning: Remote host denied X11 forwarding.");
+		} else {
+			packet_disconnect("Protocol error waiting for X11 forwarding");
+		}
+	}
+	/* Tell the packet module whether this is an interactive session. */
+	packet_set_interactive(interactive, options.keepalives);
+
+	/* Clear agent forwarding if we don\'t have an agent. */
+	authfd = ssh_get_authentication_socket();
+	if (authfd < 0)
+		options.forward_agent = 0;
+	else
+		ssh_close_authentication_socket(authfd);
+
+	/* Request authentication agent forwarding if appropriate. */
+	if (options.forward_agent) {
+		debug("Requesting authentication agent forwarding.");
+		auth_request_forwarding();
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		packet_integrity_check(plen, 0, type);
+		if (type != SSH_SMSG_SUCCESS)
+			log("Warning: Remote host denied authentication agent forwarding.");
+	}
+	/* Initiate local TCP/IP port forwardings. */
+	for (i = 0; i < options.num_local_forwards; i++) {
+		debug("Connections to local port %d forwarded to remote address %.200s:%d",
+		      options.local_forwards[i].port,
+		      options.local_forwards[i].host,
+		      options.local_forwards[i].host_port);
+		channel_request_local_forwarding(options.local_forwards[i].port,
+						 options.local_forwards[i].host,
+						 options.local_forwards[i].host_port,
+						 options.gateway_ports);
+	}
+
+	/* Initiate remote TCP/IP port forwardings. */
+	for (i = 0; i < options.num_remote_forwards; i++) {
+		debug("Connections to remote port %d forwarded to local address %.200s:%d",
+		      options.remote_forwards[i].port,
+		      options.remote_forwards[i].host,
+		      options.remote_forwards[i].host_port);
+		channel_request_remote_forwarding(options.remote_forwards[i].port,
+						  options.remote_forwards[i].host,
+						  options.remote_forwards[i].host_port);
+	}
+
+	/* If requested, let ssh continue in the background. */
+	if (fork_after_authentication_flag)
+		if (daemon(1, 1) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
+
+	/*
+	 * If a command was specified on the command line, execute the
+	 * command now. Otherwise request the server to start a shell.
+	 */
+	if (buffer_len(&command) > 0) {
+		int len = buffer_len(&command);
+		if (len > 900)
+			len = 900;
+		debug("Sending command: %.*s", len, buffer_ptr(&command));
+		packet_start(SSH_CMSG_EXEC_CMD);
+		packet_put_string(buffer_ptr(&command), buffer_len(&command));
+		packet_send();
+		packet_write_wait();
+	} else {
+		debug("Requesting shell.");
+		packet_start(SSH_CMSG_EXEC_SHELL);
+		packet_send();
+		packet_write_wait();
+	}
+
+	/* Enter the interactive session. */
+	return client_loop(have_tty, tty_flag ? options.escape_char : -1);
+}
+
+void
+init_local_fwd(void)
+{
+	int i;
+	/* Initiate local TCP/IP port forwardings. */
+	for (i = 0; i < options.num_local_forwards; i++) {
+		debug("Connections to local port %d forwarded to remote address %.200s:%d",
+		      options.local_forwards[i].port,
+		      options.local_forwards[i].host,
+		      options.local_forwards[i].host_port);
+		channel_request_local_forwarding(options.local_forwards[i].port,
+						 options.local_forwards[i].host,
+						 options.local_forwards[i].host_port,
+						 options.gateway_ports);
+	}
+}
+
+extern void client_set_session_ident(int id);
+
+void
+client_init(int id, void *arg)
+{
+	int len;
+	debug("client_init id %d arg %d", id, (int)arg);
+
+	if (no_shell_flag)
+		goto done;
+
+	if (tty_flag) {
+		struct winsize ws;
+		char *cp;
+		cp = getenv("TERM");
+		if (!cp)
+			cp = "";
+		/* Store window size in the packet. */
+		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+			memset(&ws, 0, sizeof(ws));
+
+		channel_request_start(id, "pty-req", 0);
+		packet_put_cstring(cp);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		packet_put_cstring("");		/* XXX: encode terminal modes */
+		packet_send();
+		/* XXX wait for reply */
+	}
+	if (options.forward_x11 &&
+	    getenv("DISPLAY") != NULL) {
+		char proto[512], data[512];
+		/* Get reasonable local authentication information. */
+		x11_get_proto(proto, sizeof proto, data, sizeof data);
+		/* Request forwarding with authentication spoofing. */
+		debug("Requesting X11 forwarding with authentication spoofing.");
+		x11_request_forwarding_with_spoofing(id, proto, data);
+		/* XXX wait for reply */
+	}
+
+	len = buffer_len(&command);
+	if (len > 0) {
+		if (len > 900)
+			len = 900;
+		debug("Sending command: %.*s", len, buffer_ptr(&command));
+		channel_request_start(id, "exec", 0);
+		packet_put_string(buffer_ptr(&command), len);
+		packet_send();
+	} else {
+		channel_request(id, "shell", 0);
+	}
+	/* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */
+done:
+	/* register different callback, etc. XXX */
+	client_set_session_ident(id);
+}
+
+int
+ssh_session2(void)
+{
+	int window, packetmax, id;
+	int in  = dup(STDIN_FILENO);
+	int out = dup(STDOUT_FILENO);
+	int err = dup(STDERR_FILENO);
+
+	if (in < 0 || out < 0 || err < 0)
+		fatal("dump in/out/err failed");
+
+	/* should be pre-session */
+	init_local_fwd();
+	
+	window = 32*1024;
+	if (tty_flag) {
+		packetmax = window/8;
+	} else {
+		window *= 2;
+		packetmax = window/2;
+	}
+
+	id = channel_new(
+	    "session", SSH_CHANNEL_OPENING, in, out, err,
+	    window, packetmax, CHAN_EXTENDED_WRITE, xstrdup("client-session"));
+
+
+	channel_open(id);
+	channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0);
+
+	return client_loop(tty_flag, tty_flag ? options.escape_char : -1);
+}
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
new file mode 100644
index 0000000..bdc54a2
--- /dev/null
+++ b/crypto/openssh/ssh.h
@@ -0,0 +1,536 @@
+/*
+ *
+ * ssh.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Fri Mar 17 17:09:37 1995 ylo
+ *
+ * Generic header file for ssh.
+ *
+ * $FreeBSD$
+ */
+
+/* RCSID("$Id: ssh.h,v 1.46 2000/05/17 08:20:15 markus Exp $"); */
+
+#ifndef SSH_H
+#define SSH_H
+
+#include "rsa.h"
+#include "cipher.h"
+
+/*
+ * XXX
+ * The default cipher used if IDEA is not supported by the remote host. It is
+ * recommended that this be one of the mandatory ciphers (DES, 3DES), though
+ * that is not required.
+ */
+#define SSH_FALLBACK_CIPHER	SSH_CIPHER_3DES
+
+/* Cipher used for encrypting authentication files. */
+#define SSH_AUTHFILE_CIPHER	SSH_CIPHER_3DES
+
+/* Default port number. */
+#define SSH_DEFAULT_PORT	22
+
+/* Maximum number of TCP/IP ports forwarded per direction. */
+#define SSH_MAX_FORWARDS_PER_DIRECTION	100
+
+/*
+ * Maximum number of RSA authentication identity files that can be specified
+ * in configuration files or on the command line.
+ */
+#define SSH_MAX_IDENTITY_FILES		100
+
+/*
+ * Major protocol version.  Different version indicates major incompatiblity
+ * that prevents communication.
+ *
+ * Minor protocol version.  Different version indicates minor incompatibility
+ * that does not prevent interoperation.
+ */
+#define PROTOCOL_MAJOR_1	1
+#define PROTOCOL_MINOR_1	5
+
+/* We support both SSH1 and SSH2 */
+#define PROTOCOL_MAJOR_2	2
+#define PROTOCOL_MINOR_2	0
+
+/*
+ * Name for the service.  The port named by this service overrides the
+ * default port if present.
+ */
+#define SSH_SERVICE_NAME	"ssh"
+
+#define ETCDIR			"/etc/ssh"
+#define PIDDIR			"/var/run"
+
+/*
+ * System-wide file containing host keys of known hosts.  This file should be
+ * world-readable.
+ */
+#define SSH_SYSTEM_HOSTFILE	ETCDIR "/ssh_known_hosts"
+#define SSH_SYSTEM_HOSTFILE2	ETCDIR "/ssh_known_hosts2"
+
+/*
+ * Of these, ssh_host_key must be readable only by root, whereas ssh_config
+ * should be world-readable.
+ */
+#define HOST_KEY_FILE		ETCDIR "/ssh_host_key"
+#define SERVER_CONFIG_FILE	ETCDIR "/sshd_config"
+#define HOST_CONFIG_FILE	ETCDIR "/ssh_config"
+#define HOST_DSA_KEY_FILE	ETCDIR "/ssh_host_dsa_key"
+
+#define SSH_PROGRAM		"/usr/bin/ssh"
+
+/*
+ * The process id of the daemon listening for connections is saved here to
+ * make it easier to kill the correct daemon when necessary.
+ */
+#define SSH_DAEMON_PID_FILE	PIDDIR "/sshd.pid"
+
+/*
+ * The directory in user\'s home directory in which the files reside. The
+ * directory should be world-readable (though not all files are).
+ */
+#define SSH_USER_DIR		".ssh"
+
+/*
+ * Per-user file containing host keys of known hosts.  This file need not be
+ * readable by anyone except the user him/herself, though this does not
+ * contain anything particularly secret.
+ */
+#define SSH_USER_HOSTFILE	"~/.ssh/known_hosts"
+#define SSH_USER_HOSTFILE2	"~/.ssh/known_hosts2"
+
+/*
+ * Name of the default file containing client-side authentication key. This
+ * file should only be readable by the user him/herself.
+ */
+#define SSH_CLIENT_IDENTITY	".ssh/identity"
+#define SSH_CLIENT_ID_DSA	".ssh/id_dsa"
+
+/*
+ * Configuration file in user\'s home directory.  This file need not be
+ * readable by anyone but the user him/herself, but does not contain anything
+ * particularly secret.  If the user\'s home directory resides on an NFS
+ * volume where root is mapped to nobody, this may need to be world-readable.
+ */
+#define SSH_USER_CONFFILE	".ssh/config"
+
+/*
+ * File containing a list of those rsa keys that permit logging in as this
+ * user.  This file need not be readable by anyone but the user him/herself,
+ * but does not contain anything particularly secret.  If the user\'s home
+ * directory resides on an NFS volume where root is mapped to nobody, this
+ * may need to be world-readable.  (This file is read by the daemon which is
+ * running as root.)
+ */
+#define SSH_USER_PERMITTED_KEYS	".ssh/authorized_keys"
+#define SSH_USER_PERMITTED_KEYS2	".ssh/authorized_keys2"
+
+/*
+ * Per-user and system-wide ssh "rc" files.  These files are executed with
+ * /bin/sh before starting the shell or command if they exist.  They will be
+ * passed "proto cookie" as arguments if X11 forwarding with spoofing is in
+ * use.  xauth will be run if neither of these exists.
+ */
+#define SSH_USER_RC		".ssh/rc"
+#define SSH_SYSTEM_RC		ETCDIR "/sshrc"
+
+/*
+ * Ssh-only version of /etc/hosts.equiv.  Additionally, the daemon may use
+ * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled.
+ */
+#define SSH_HOSTS_EQUIV		ETCDIR "/shosts.equiv"
+
+/*
+ * Name of the environment variable containing the pathname of the
+ * authentication socket.
+ */
+#define SSH_AUTHSOCKET_ENV_NAME	"SSH_AUTH_SOCK"
+
+/*
+ * Name of the environment variable containing the pathname of the
+ * authentication socket.
+ */
+#define SSH_AGENTPID_ENV_NAME	"SSH_AGENT_PID"
+
+/*
+ * Default path to ssh-askpass used by ssh-add,
+ * environment variable for overwriting the default location
+ */
+#define SSH_ASKPASS_DEFAULT	"/usr/X11R6/bin/ssh-askpass"
+#define SSH_ASKPASS_ENV		"SSH_ASKPASS"
+
+/*
+ * Force host key length and server key length to differ by at least this
+ * many bits.  This is to make double encryption with rsaref work.
+ */
+#define SSH_KEY_BITS_RESERVED		128
+
+/*
+ * Length of the session key in bytes.  (Specified as 256 bits in the
+ * protocol.)
+ */
+#define SSH_SESSION_KEY_LENGTH		32
+
+/* Name of Kerberos service for SSH to use. */
+#define KRB4_SERVICE_NAME		"rcmd"
+
+/*
+ * Authentication methods.  New types can be added, but old types should not
+ * be removed for compatibility.  The maximum allowed value is 31.
+ */
+#define SSH_AUTH_RHOSTS		1
+#define SSH_AUTH_RSA		2
+#define SSH_AUTH_PASSWORD	3
+#define SSH_AUTH_RHOSTS_RSA	4
+#define SSH_AUTH_TIS		5
+#define SSH_AUTH_KRB4		6
+#define SSH_PASS_KRB4_TGT	7
+				/* 8 to 15 are reserved */
+#define SSH_PASS_AFS_TOKEN	21
+
+#define SSH_AUTH_KRB5		29
+#define SSH_PASS_KRB5_TGT	30
+
+/* Protocol flags.  These are bit masks. */
+#define SSH_PROTOFLAG_SCREEN_NUMBER	1	/* X11 forwarding includes screen */
+#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN	2	/* forwarding opens contain host */
+
+/*
+ * Definition of message types.  New values can be added, but old values
+ * should not be removed or without careful consideration of the consequences
+ * for compatibility.  The maximum value is 254; value 255 is reserved for
+ * future extension.
+ */
+/* Message name */			/* msg code */	/* arguments */
+#define SSH_MSG_NONE				0	/* no message */
+#define SSH_MSG_DISCONNECT			1	/* cause (string) */
+#define SSH_SMSG_PUBLIC_KEY			2	/* ck,msk,srvk,hostk */
+#define SSH_CMSG_SESSION_KEY			3	/* key (BIGNUM) */
+#define SSH_CMSG_USER				4	/* user (string) */
+#define SSH_CMSG_AUTH_RHOSTS			5	/* user (string) */
+#define SSH_CMSG_AUTH_RSA			6	/* modulus (BIGNUM) */
+#define SSH_SMSG_AUTH_RSA_CHALLENGE		7	/* int (BIGNUM) */
+#define SSH_CMSG_AUTH_RSA_RESPONSE		8	/* int (BIGNUM) */
+#define SSH_CMSG_AUTH_PASSWORD			9	/* pass (string) */
+#define SSH_CMSG_REQUEST_PTY		        10	/* TERM, tty modes */
+#define SSH_CMSG_WINDOW_SIZE		        11	/* row,col,xpix,ypix */
+#define SSH_CMSG_EXEC_SHELL			12	/* */
+#define SSH_CMSG_EXEC_CMD			13	/* cmd (string) */
+#define SSH_SMSG_SUCCESS			14	/* */
+#define SSH_SMSG_FAILURE			15	/* */
+#define SSH_CMSG_STDIN_DATA			16	/* data (string) */
+#define SSH_SMSG_STDOUT_DATA			17	/* data (string) */
+#define SSH_SMSG_STDERR_DATA			18	/* data (string) */
+#define SSH_CMSG_EOF				19	/* */
+#define SSH_SMSG_EXITSTATUS			20	/* status (int) */
+#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION	21	/* channel (int) */
+#define SSH_MSG_CHANNEL_OPEN_FAILURE		22	/* channel (int) */
+#define SSH_MSG_CHANNEL_DATA			23	/* ch,data (int,str) */
+#define SSH_MSG_CHANNEL_CLOSE			24	/* channel (int) */
+#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION	25	/* channel (int) */
+/*      SSH_CMSG_X11_REQUEST_FORWARDING         26         OBSOLETE */
+#define SSH_SMSG_X11_OPEN			27	/* channel (int) */
+#define SSH_CMSG_PORT_FORWARD_REQUEST		28	/* p,host,hp (i,s,i) */
+#define SSH_MSG_PORT_OPEN			29	/* ch,h,p (i,s,i) */
+#define SSH_CMSG_AGENT_REQUEST_FORWARDING	30	/* */
+#define SSH_SMSG_AGENT_OPEN			31	/* port (int) */
+#define SSH_MSG_IGNORE				32	/* string */
+#define SSH_CMSG_EXIT_CONFIRMATION		33	/* */
+#define SSH_CMSG_X11_REQUEST_FORWARDING		34	/* proto,data (s,s) */
+#define SSH_CMSG_AUTH_RHOSTS_RSA		35	/* user,mod (s,mpi) */
+#define SSH_MSG_DEBUG				36	/* string */
+#define SSH_CMSG_REQUEST_COMPRESSION		37	/* level 1-9 (int) */
+#define SSH_CMSG_MAX_PACKET_SIZE		38	/* size 4k-1024k (int) */
+#define SSH_CMSG_AUTH_TIS			39	/* we use this for s/key */
+#define SSH_SMSG_AUTH_TIS_CHALLENGE		40	/* challenge (string) */
+#define SSH_CMSG_AUTH_TIS_RESPONSE		41	/* response (string) */
+#define SSH_CMSG_AUTH_KRB4			42	/* (KTEXT) */
+#define SSH_SMSG_AUTH_KRB4_RESPONSE		43	/* (KTEXT) */
+#define SSH_CMSG_HAVE_KRB4_TGT			44	/* credentials (s) */
+#define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
+
+#define SSH_CMSG_AUTH_KRB5			110
+#define SSH_SMSG_AUTH_KRB5_RESPONSE		111
+#define	SSH_CMSG_HAVE_KRB5_TGT			112
+
+/*------------ definitions for login.c -------------*/
+
+/*
+ * Returns the time when the user last logged in.  Returns 0 if the
+ * information is not available.  This must be called before record_login.
+ * The host from which the user logged in is stored in buf.
+ */
+unsigned long
+get_last_login_time(uid_t uid, const char *logname,
+    char *buf, unsigned int bufsize);
+
+/*
+ * Records that the user has logged in.  This does many things normally done
+ * by login(1).
+ */
+void
+record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
+    const char *host, struct sockaddr *addr);
+
+/*
+ * Records that the user has logged out.  This does many thigs normally done
+ * by login(1) or init.
+ */
+void    record_logout(pid_t pid, const char *ttyname);
+
+/*------------ definitions for sshconnect.c ----------*/
+
+/*
+ * Opens a TCP/IP connection to the remote server on the given host.  If port
+ * is 0, the default port will be used.  If anonymous is zero, a privileged
+ * port will be allocated to make the connection. This requires super-user
+ * privileges if anonymous is false. Connection_attempts specifies the
+ * maximum number of tries, one per second.  This returns true on success,
+ * and zero on failure.  If the connection is successful, this calls
+ * packet_set_connection for the connection.
+ */
+int
+ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
+    u_short port, int connection_attempts,
+    int anonymous, uid_t original_real_uid,
+    const char *proxy_command);
+
+/*
+ * Starts a dialog with the server, and authenticates the current user on the
+ * server.  This does not need any extra privileges.  The basic connection to
+ * the server must already have been established before this is called. If
+ * login fails, this function prints an error and never returns. This
+ * initializes the random state, and leaves it initialized (it will also have
+ * references from the packet module).
+ */
+
+void
+ssh_login(int host_key_valid, RSA * host_key, const char *host,
+    struct sockaddr * hostaddr, uid_t original_real_uid);
+
+/*------------ Definitions for various authentication methods. -------*/
+
+/*
+ * Tries to authenticate the user using the .rhosts file.  Returns true if
+ * authentication succeeds.  If ignore_rhosts is non-zero, this will not
+ * consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
+ */
+int     auth_rhosts(struct passwd * pw, const char *client_user);
+
+/*
+ * Tries to authenticate the user using the .rhosts file and the host using
+ * its host key.  Returns true if authentication succeeds.
+ */
+int
+auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key);
+
+/*
+ * Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
+ */
+int     auth_password(struct passwd * pw, const char *password);
+
+/*
+ * Performs the RSA authentication dialog with the client.  This returns 0 if
+ * the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+int     auth_rsa(struct passwd * pw, BIGNUM * client_n);
+
+/*
+ * Parses an RSA key (number of bits, e, n) from a string.  Moves the pointer
+ * over the key.  Skips any whitespace at the beginning and at end.
+ */
+int     auth_rsa_read_key(char **cpp, unsigned int *bitsp, BIGNUM * e, BIGNUM * n);
+
+/*
+ * Returns the name of the machine at the other end of the socket.  The
+ * returned string should be freed by the caller.
+ */
+char   *get_remote_hostname(int socket);
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection (as returned by packet_get_connection).  The host name is
+ * cached, so it is efficient to call this several times.
+ */
+const char *get_canonical_hostname(void);
+
+/*
+ * Returns the local IP address as an ascii string.
+ */
+const char *get_ipaddr(int socket);
+
+/*
+ * Returns the remote IP address as an ascii string.  The value need not be
+ * freed by the caller.
+ */
+const char *get_remote_ipaddr(void);
+
+/* Returns the port number of the peer of the socket. */
+int     get_peer_port(int sock);
+
+/* Returns the port number of the remote/local host. */
+int     get_remote_port(void);
+int	get_local_port(void);
+
+
+/*
+ * Performs the RSA authentication challenge-response dialog with the client,
+ * and returns true (non-zero) if the client gave the correct answer to our
+ * challenge; returns zero if the client gives a wrong answer.
+ */
+int     auth_rsa_challenge_dialog(RSA *pk);
+
+/*
+ * Reads a passphrase from /dev/tty with echo turned off.  Returns the
+ * passphrase (allocated with xmalloc).  Exits if EOF is encountered. If
+ * from_stdin is true, the passphrase will be read from stdin instead.
+ */
+char   *read_passphrase(const char *prompt, int from_stdin);
+
+
+/*------------ Definitions for logging. -----------------------*/
+
+/* Supported syslog facilities and levels. */
+typedef enum {
+	SYSLOG_FACILITY_DAEMON,
+	SYSLOG_FACILITY_USER,
+	SYSLOG_FACILITY_AUTH,
+	SYSLOG_FACILITY_LOCAL0,
+	SYSLOG_FACILITY_LOCAL1,
+	SYSLOG_FACILITY_LOCAL2,
+	SYSLOG_FACILITY_LOCAL3,
+	SYSLOG_FACILITY_LOCAL4,
+	SYSLOG_FACILITY_LOCAL5,
+	SYSLOG_FACILITY_LOCAL6,
+	SYSLOG_FACILITY_LOCAL7
+}       SyslogFacility;
+
+typedef enum {
+	SYSLOG_LEVEL_QUIET,
+	SYSLOG_LEVEL_FATAL,
+	SYSLOG_LEVEL_ERROR,
+	SYSLOG_LEVEL_INFO,
+	SYSLOG_LEVEL_VERBOSE,
+	SYSLOG_LEVEL_DEBUG
+}       LogLevel;
+/* Initializes logging. */
+void    log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr);
+
+/* Logging implementation, depending on server or client */
+void    do_log(LogLevel level, const char *fmt, va_list args);
+
+/* name to facility/level */
+SyslogFacility log_facility_number(char *name);
+LogLevel log_level_number(char *name);
+
+/* Output a message to syslog or stderr */
+void    fatal(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    error(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    log(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    verbose(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/* same as fatal() but w/o logging */
+void    fatal_cleanup(void);
+
+/*
+ * Registers a cleanup function to be called by fatal()/fatal_cleanup()
+ * before exiting. It is permissible to call fatal_remove_cleanup for the
+ * function itself from the function.
+ */
+void    fatal_add_cleanup(void (*proc) (void *context), void *context);
+
+/* Removes a cleanup function to be called at fatal(). */
+void    fatal_remove_cleanup(void (*proc) (void *context), void *context);
+
+/* ---- misc */
+
+/*
+ * Expands tildes in the file name.  Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+ */
+char   *tilde_expand_filename(const char *filename, uid_t my_uid);
+
+/* remove newline at end of string */
+char	*chop(char *s);
+
+/* set filedescriptor to non-blocking */
+void	set_nonblock(int fd);
+
+/*
+ * Performs the interactive session.  This handles data transmission between
+ * the client and the program.  Note that the notion of stdin, stdout, and
+ * stderr in this function is sort of reversed: this function writes to stdin
+ * (of the child program), and reads from stdout and stderr (of the child
+ * program).
+ */
+void    server_loop(pid_t pid, int fdin, int fdout, int fderr);
+void    server_loop2(void);
+
+/* Client side main loop for the interactive session. */
+int     client_loop(int have_pty, int escape_char);
+
+/* Linked list of custom environment strings (see auth-rsa.c). */
+struct envstring {
+	struct envstring *next;
+	char   *s;
+};
+
+/*
+ * Ensure all of data on socket comes through. f==read || f==write
+ */
+ssize_t	atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
+
+#ifdef KRB5
+#include <krb5.h>
+int	auth_krb5();  /* XXX Doplnit prototypy */
+int	auth_krb5_tgt();
+int	krb5_init();
+void	krb5_cleanup_proc(void *ignore);
+int	auth_krb5_password(struct passwd *pw, const char *password);
+#endif /* KRB5 */
+
+#ifdef KRB4
+#include <krb.h>
+/*
+ * Performs Kerberos v4 mutual authentication with the client. This returns 0
+ * if the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+int     auth_krb4(const char *server_user, KTEXT auth, char **client);
+int     krb4_init(uid_t uid);
+void    krb4_cleanup_proc(void *ignore);
+int	auth_krb4_password(struct passwd * pw, const char *password);
+
+#ifdef AFS
+#include <kafs.h>
+
+/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
+int     auth_krb4_tgt(struct passwd * pw, const char *string);
+int     auth_afs_token(struct passwd * pw, const char *token_string);
+
+int     creds_to_radix(CREDENTIALS * creds, unsigned char *buf, size_t buflen);
+int     radix_to_creds(const char *buf, CREDENTIALS * creds);
+#endif				/* AFS */
+
+#endif				/* KRB4 */
+
+#ifdef SKEY
+#include <opie.h>
+char   *skey_fake_keyinfo(char *username);
+int	auth_skey_password(struct passwd * pw, const char *password);
+#endif				/* SKEY */
+
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
+#endif				/* SSH_H */
diff --git a/crypto/openssh/ssh/Makefile b/crypto/openssh/ssh/Makefile
new file mode 100644
index 0000000..a87d5dc
--- /dev/null
+++ b/crypto/openssh/ssh/Makefile
@@ -0,0 +1,37 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh
+BINOWN=	root
+
+.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+	${MACHINE_ARCH} == "hppa")
+BINMODE=0000
+.else
+BINMODE?=4555
+.endif
+
+BINDIR=	/usr/bin
+MAN=	ssh.1
+LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
+MLINKS=	ssh.1 slogin.1
+
+SRCS=	ssh.c log-client.c readconf.c clientloop.c \
+	sshconnect.c sshconnect1.c sshconnect2.c
+
+.include <bsd.own.mk> # for AFS
+
+.if (${KERBEROS} == "yes")
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+LDADD+=	 -lkrb
+DPADD+=	 ${LIBKRB}
+.if (${AFS} == "yes")
+CFLAGS+= -DAFS
+LDADD+=  -lkafs
+DPADD+=  ${LIBKRBAFS}
+.endif # AFS
+.endif # KERBEROS
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lutil -lz -lcrypto
+DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
diff --git a/crypto/openssh/ssh2.h b/crypto/openssh/ssh2.h
new file mode 100644
index 0000000..1fa4c0a
--- /dev/null
+++ b/crypto/openssh/ssh2.h
@@ -0,0 +1,112 @@
+/*
+ * draft-ietf-secsh-architecture-05.txt
+ *
+ *   Transport layer protocol:
+ *
+ *     1-19     Transport layer generic (e.g. disconnect, ignore, debug,
+ *              etc)
+ *     20-29    Algorithm negotiation
+ *     30-49    Key exchange method specific (numbers can be reused for
+ *              different authentication methods)
+ *
+ *   User authentication protocol:
+ *
+ *     50-59    User authentication generic
+ *     60-79    User authentication method specific (numbers can be reused
+ *              for different authentication methods)
+ *
+ *   Connection protocol:
+ *
+ *     80-89    Connection protocol generic
+ *     90-127   Channel related messages
+ *
+ *   Reserved for client protocols:
+ *
+ *     128-191  Reserved
+ *
+ *   Local extensions:
+ *
+ *     192-255  Local extensions
+ */
+/* RCSID("$OpenBSD: ssh2.h,v 1.3 2000/05/15 07:03:12 markus Exp $"); */
+
+/* transport layer: generic */
+
+#define SSH2_MSG_DISCONNECT				1
+#define SSH2_MSG_IGNORE					2
+#define SSH2_MSG_UNIMPLEMENTED				3
+#define SSH2_MSG_DEBUG					4
+#define SSH2_MSG_SERVICE_REQUEST			5
+#define SSH2_MSG_SERVICE_ACCEPT				6
+
+/* transport layer: alg negotiation */
+
+#define SSH2_MSG_KEXINIT				20
+#define SSH2_MSG_NEWKEYS				21
+
+/* transport layer: kex specific messages, can be reused */
+
+#define SSH2_MSG_KEXDH_INIT				30
+#define SSH2_MSG_KEXDH_REPLY				31
+
+/* user authentication: generic */
+
+#define SSH2_MSG_USERAUTH_REQUEST			50
+#define SSH2_MSG_USERAUTH_FAILURE			51
+#define SSH2_MSG_USERAUTH_SUCCESS			52
+#define SSH2_MSG_USERAUTH_BANNER			53
+
+/* user authentication: method specific, can be reused */
+
+#define SSH2_MSG_USERAUTH_PK_OK				60
+#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ		60
+#define SSH2_MSG_USERAUTH_INFO_REQUEST			60
+#define SSH2_MSG_USERAUTH_INFO_RESPONSE			61
+
+/* connection protocol: generic */
+
+#define SSH2_MSG_GLOBAL_REQUEST				80
+#define SSH2_MSG_REQUEST_SUCCESS			81
+#define SSH2_MSG_REQUEST_FAILURE			82
+
+/* channel related messages */
+
+#define SSH2_MSG_CHANNEL_OPEN				90
+#define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION		91
+#define SSH2_MSG_CHANNEL_OPEN_FAILURE			92
+#define SSH2_MSG_CHANNEL_WINDOW_ADJUST			93
+#define SSH2_MSG_CHANNEL_DATA				94
+#define SSH2_MSG_CHANNEL_EXTENDED_DATA			95
+#define SSH2_MSG_CHANNEL_EOF				96
+#define SSH2_MSG_CHANNEL_CLOSE				97
+#define SSH2_MSG_CHANNEL_REQUEST			98
+#define SSH2_MSG_CHANNEL_SUCCESS			99
+#define SSH2_MSG_CHANNEL_FAILURE			100
+
+/* disconnect reason code */
+
+#define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT	1
+#define SSH2_DISCONNECT_PROTOCOL_ERROR			2
+#define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED		3
+#define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED	4
+#define SSH2_DISCONNECT_RESERVED			4
+#define SSH2_DISCONNECT_MAC_ERROR			5
+#define SSH2_DISCONNECT_COMPRESSION_ERROR		6
+#define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE		7
+#define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED	8
+#define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE		9
+#define SSH2_DISCONNECT_CONNECTION_LOST			10
+#define SSH2_DISCONNECT_BY_APPLICATION			11
+#define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS		12
+#define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER		13
+#define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE	14
+#define SSH2_DISCONNECT_ILLEGAL_USER_NAME		15
+
+/* misc */
+
+#define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED		1
+#define SSH2_OPEN_CONNECT_FAILED			2
+#define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE			3
+#define SSH2_OPEN_RESOURCE_SHORTAGE			4
+
+#define SSH2_EXTENDED_DATA_STDERR			1
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
new file mode 100644
index 0000000..9a09310
--- /dev/null
+++ b/crypto/openssh/ssh_config
@@ -0,0 +1,33 @@
+# This is ssh client systemwide configuration file.  This file provides 
+# defaults for users, and the values can be changed in per-user configuration
+# files or on the command line.
+#
+# $FreeBSD$
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for various options
+
+# Host *
+#   ForwardAgent yes
+#   ForwardX11 yes
+#   RhostsAuthentication yes
+#   RhostsRSAAuthentication yes
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   FallBackToRsh no
+#   UseRsh no
+#   BatchMode no
+#   CheckHostIP yes
+#   StrictHostKeyChecking no
+#   IdentityFile ~/.ssh/identity
+#   Port 22
+#   Protocol 2,1
+#   Cipher blowfish
+#   EscapeChar ~
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
new file mode 100644
index 0000000..eb8e1ed
--- /dev/null
+++ b/crypto/openssh/sshconnect.c
@@ -0,0 +1,927 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sat Mar 18 22:15:47 1995 ylo
+ * Code to connect to a remote host, and to perform the client side of the
+ * login (authentication) dialog.
+ * 
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshconnect.c,v 1.74 2000/05/17 16:57:02 markus Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "buffer.h"
+#include "packet.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "readconf.h"
+#include "key.h"
+#include "sshconnect.h"
+#include "hostfile.h"
+
+char *client_version_string = NULL;
+char *server_version_string = NULL;
+
+extern Options options;
+extern char *__progname;
+
+/*
+ * Connect to the given ssh server using a proxy command.
+ */
+int
+ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
+		  const char *proxy_command)
+{
+	Buffer command;
+	const char *cp;
+	char *command_string;
+	int pin[2], pout[2];
+	pid_t pid;
+	char strport[NI_MAXSERV];
+
+	/* Convert the port number into a string. */
+	snprintf(strport, sizeof strport, "%hu", port);
+
+	/* Build the final command string in the buffer by making the
+	   appropriate substitutions to the given proxy command. */
+	buffer_init(&command);
+	for (cp = proxy_command; *cp; cp++) {
+		if (cp[0] == '%' && cp[1] == '%') {
+			buffer_append(&command, "%", 1);
+			cp++;
+			continue;
+		}
+		if (cp[0] == '%' && cp[1] == 'h') {
+			buffer_append(&command, host, strlen(host));
+			cp++;
+			continue;
+		}
+		if (cp[0] == '%' && cp[1] == 'p') {
+			buffer_append(&command, strport, strlen(strport));
+			cp++;
+			continue;
+		}
+		buffer_append(&command, cp, 1);
+	}
+	buffer_append(&command, "\0", 1);
+
+	/* Get the final command string. */
+	command_string = buffer_ptr(&command);
+
+	/* Create pipes for communicating with the proxy. */
+	if (pipe(pin) < 0 || pipe(pout) < 0)
+		fatal("Could not create pipes to communicate with the proxy: %.100s",
+		      strerror(errno));
+
+	debug("Executing proxy command: %.500s", command_string);
+
+	/* Fork and execute the proxy command. */
+	if ((pid = fork()) == 0) {
+		char *argv[10];
+
+		/* Child.  Permanently give up superuser privileges. */
+		permanently_set_uid(original_real_uid);
+
+		/* Redirect stdin and stdout. */
+		close(pin[1]);
+		if (pin[0] != 0) {
+			if (dup2(pin[0], 0) < 0)
+				perror("dup2 stdin");
+			close(pin[0]);
+		}
+		close(pout[0]);
+		if (dup2(pout[1], 1) < 0)
+			perror("dup2 stdout");
+		/* Cannot be 1 because pin allocated two descriptors. */
+		close(pout[1]);
+
+		/* Stderr is left as it is so that error messages get
+		   printed on the user's terminal. */
+		argv[0] = "/bin/sh";
+		argv[1] = "-c";
+		argv[2] = command_string;
+		argv[3] = NULL;
+
+		/* Execute the proxy command.  Note that we gave up any
+		   extra privileges above. */
+		execv("/bin/sh", argv);
+		perror("/bin/sh");
+		exit(1);
+	}
+	/* Parent. */
+	if (pid < 0)
+		fatal("fork failed: %.100s", strerror(errno));
+
+	/* Close child side of the descriptors. */
+	close(pin[0]);
+	close(pout[1]);
+
+	/* Free the command name. */
+	buffer_free(&command);
+
+	/* Set the connection file descriptors. */
+	packet_set_connection(pout[0], pin[1]);
+
+	return 1;
+}
+
+/*
+ * Creates a (possibly privileged) socket for use as the ssh connection.
+ */
+int
+ssh_create_socket(uid_t original_real_uid, int privileged, int family)
+{
+	int sock;
+
+	/*
+	 * If we are running as root and want to connect to a privileged
+	 * port, bind our own socket to a privileged port.
+	 */
+	if (privileged) {
+		int p = IPPORT_RESERVED - 1;
+		sock = rresvport_af(&p, family);
+		if (sock < 0)
+			error("rresvport: af=%d %.100s", family, strerror(errno));
+		else
+			debug("Allocated local port %d.", p);
+	} else {
+		/*
+		 * Just create an ordinary socket on arbitrary port.  We use
+		 * the user's uid to create the socket.
+		 */
+		temporarily_use_uid(original_real_uid);
+		sock = socket(family, SOCK_STREAM, 0);
+		if (sock < 0)
+			error("socket: %.100s", strerror(errno));
+		restore_uid();
+	}
+	return sock;
+}
+
+/*
+ * Opens a TCP/IP connection to the remote server on the given host.
+ * The address of the remote host will be returned in hostaddr.
+ * If port is 0, the default port will be used.  If anonymous is zero,
+ * a privileged port will be allocated to make the connection.
+ * This requires super-user privileges if anonymous is false.
+ * Connection_attempts specifies the maximum number of tries (one per
+ * second).  If proxy_command is non-NULL, it specifies the command (with %h
+ * and %p substituted for host and port, respectively) to use to contact
+ * the daemon.
+ */
+int
+ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
+	    u_short port, int connection_attempts,
+	    int anonymous, uid_t original_real_uid,
+	    const char *proxy_command)
+{
+	int sock = -1, attempt;
+	struct servent *sp;
+	struct addrinfo hints, *ai, *aitop;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int gaierr;
+	struct linger linger;
+
+	debug("ssh_connect: getuid %d geteuid %d anon %d",
+	      (int) getuid(), (int) geteuid(), anonymous);
+
+	/* Get default port if port has not been set. */
+	if (port == 0) {
+		sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+		if (sp)
+			port = ntohs(sp->s_port);
+		else
+			port = SSH_DEFAULT_PORT;
+	}
+	/* If a proxy command is given, connect using it. */
+	if (proxy_command != NULL)
+		return ssh_proxy_connect(host, port, original_real_uid, proxy_command);
+
+	/* No proxy command. */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", port);
+	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+		fatal("%s: %.100s: %s", __progname, host,
+		    gai_strerror(gaierr));
+
+	/*
+	 * Try to connect several times.  On some machines, the first time
+	 * will sometimes fail.  In general socket code appears to behave
+	 * quite magically on many machines.
+	 */
+	for (attempt = 0; attempt < connection_attempts; attempt++) {
+		if (attempt > 0)
+			debug("Trying again...");
+
+		/* Loop through addresses for this host, and try each one in
+		   sequence until the connection succeeds. */
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+			    ntop, sizeof(ntop), strport, sizeof(strport),
+			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+				error("ssh_connect: getnameinfo failed");
+				continue;
+			}
+			debug("Connecting to %.200s [%.100s] port %s.",
+				host, ntop, strport);
+
+			/* Create a socket for connecting. */
+			sock = ssh_create_socket(original_real_uid,
+			    !anonymous && geteuid() == 0 && port < IPPORT_RESERVED,
+			    ai->ai_family);
+			if (sock < 0)
+				continue;
+
+			/* Connect to the host.  We use the user's uid in the
+			 * hope that it will help with tcp_wrappers showing
+			 * the remote uid as root.
+			 */
+			temporarily_use_uid(original_real_uid);
+			if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
+				/* Successful connection. */
+				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); 
+				restore_uid();
+				break;
+			} else {
+				debug("connect: %.100s", strerror(errno));
+				restore_uid();
+				/*
+				 * Close the failed socket; there appear to
+				 * be some problems when reusing a socket for
+				 * which connect() has already returned an
+				 * error.
+				 */
+				shutdown(sock, SHUT_RDWR);
+				close(sock);
+			}
+		}
+		if (ai)
+			break;	/* Successful connection. */
+
+		/* Sleep a moment before retrying. */
+		sleep(1);
+	}
+
+	freeaddrinfo(aitop);
+
+	/* Return failure if we didn't get a successful connection. */
+	if (attempt >= connection_attempts)
+		return 0;
+
+	debug("Connection established.");
+
+	/*
+	 * Set socket options.  We would like the socket to disappear as soon
+	 * as it has been closed for whatever reason.
+	 */
+	/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
+	linger.l_onoff = 1;
+	linger.l_linger = 5;
+	setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
+
+	/* Set the connection. */
+	packet_set_connection(sock, sock);
+
+	return 1;
+}
+
+/*
+ * Waits for the server identification string, and sends our own
+ * identification string.
+ */
+void
+ssh_exchange_identification()
+{
+	char buf[256], remote_version[256];	/* must be same size! */
+	int remote_major, remote_minor, i, mismatch;
+	int connection_in = packet_get_connection_in();
+	int connection_out = packet_get_connection_out();
+
+	/* Read other side\'s version identification. */
+	for (i = 0; i < sizeof(buf) - 1; i++) {
+		int len = read(connection_in, &buf[i], 1);
+		if (len < 0)
+			fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
+		if (len != 1)
+			fatal("ssh_exchange_identification: Connection closed by remote host");
+		if (buf[i] == '\r') {
+			buf[i] = '\n';
+			buf[i + 1] = 0;
+			continue;		/**XXX wait for \n */
+		}
+		if (buf[i] == '\n') {
+			buf[i + 1] = 0;
+			break;
+		}
+	}
+	buf[sizeof(buf) - 1] = 0;
+	server_version_string = xstrdup(buf);
+
+	/*
+	 * Check that the versions match.  In future this might accept
+	 * several versions and set appropriate flags to handle them.
+	 */
+	if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
+	    &remote_major, &remote_minor, remote_version) != 3)
+		fatal("Bad remote protocol version identification: '%.100s'", buf);
+	debug("Remote protocol version %d.%d, remote software version %.100s",
+	      remote_major, remote_minor, remote_version);
+
+	compat_datafellows(remote_version);
+	mismatch = 0;
+
+	switch(remote_major) {
+	case 1:
+		if (remote_minor == 99 &&
+		    (options.protocol & SSH_PROTO_2) &&
+		    !(options.protocol & SSH_PROTO_1_PREFERRED)) {
+			enable_compat20();
+			break;
+		}
+		if (!(options.protocol & SSH_PROTO_1)) {
+			mismatch = 1;
+			break;
+		}
+		if (remote_minor < 3) {
+			fatal("Remote machine has too old SSH software version.");
+		} else if (remote_minor == 3) {
+			/* We speak 1.3, too. */
+			enable_compat13();
+			if (options.forward_agent) {
+				log("Agent forwarding disabled for protocol 1.3");
+				options.forward_agent = 0;
+			}
+		}
+		break;
+	case 2:
+		if (options.protocol & SSH_PROTO_2) {
+			enable_compat20();
+			break;
+		}
+		/* FALLTHROUGH */
+	default:
+		mismatch = 1;
+		break;
+	}
+	if (mismatch)
+		fatal("Protocol major versions differ: %d vs. %d",
+		    (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+		    remote_major);
+	if (compat20)
+		packet_set_ssh2_format();
+	/* Send our own protocol version identification. */
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
+	    compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+	    compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1,
+	    SSH_VERSION);
+	if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
+		fatal("write: %.100s", strerror(errno));
+	client_version_string = xstrdup(buf);
+	chop(client_version_string);
+	chop(server_version_string);
+	debug("Local version string %.100s", client_version_string);
+}
+
+int
+read_yes_or_no(const char *prompt, int defval)
+{
+	char buf[1024];
+	FILE *f;
+	int retval = -1;
+
+	if (isatty(0))
+		f = stdin;
+	else
+		f = fopen("/dev/tty", "rw");
+
+	if (f == NULL)
+		return 0;
+
+	fflush(stdout);
+
+	while (1) {
+		fprintf(stderr, "%s", prompt);
+		if (fgets(buf, sizeof(buf), f) == NULL) {
+			/* Print a newline (the prompt probably didn\'t have one). */
+			fprintf(stderr, "\n");
+			strlcpy(buf, "no", sizeof buf);
+		}
+		/* Remove newline from response. */
+		if (strchr(buf, '\n'))
+			*strchr(buf, '\n') = 0;
+
+		if (buf[0] == 0)
+			retval = defval;
+		if (strcmp(buf, "yes") == 0)
+			retval = 1;
+		if (strcmp(buf, "no") == 0)
+			retval = 0;
+
+		if (retval != -1) {
+			if (f != stdin)
+				fclose(f);
+			return retval;
+		}
+	}
+}
+
+/*
+ * check whether the supplied host key is valid, return only if ok.
+ */
+
+void
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
+	const char *user_hostfile, const char *system_hostfile)
+{
+	Key *file_key;
+	char *type = key_type(host_key);
+	char *ip = NULL;
+	char hostline[1000], *hostp;
+	HostStatus host_status;
+	HostStatus ip_status;
+	int local = 0, host_ip_differ = 0;
+	char ntop[NI_MAXHOST];
+
+	/*
+	 * Force accepting of the host key for loopback/localhost. The
+	 * problem is that if the home directory is NFS-mounted to multiple
+	 * machines, localhost will refer to a different machine in each of
+	 * them, and the user will get bogus HOST_CHANGED warnings.  This
+	 * essentially disables host authentication for localhost; however,
+	 * this is probably not a real problem.
+	 */
+	/**  hostaddr == 0! */
+	switch (hostaddr->sa_family) {
+	case AF_INET:
+		local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+		break;
+	case AF_INET6:
+		local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+		break;
+	default:
+		local = 0;
+		break;
+	}
+	if (local) {
+		debug("Forcing accepting of host key for loopback/localhost.");
+		return;
+	}
+
+	/*
+	 * Turn off check_host_ip for proxy connects, since
+	 * we don't have the remote ip-address
+	 */
+	if (options.proxy_command != NULL && options.check_host_ip)
+		options.check_host_ip = 0;
+
+	if (options.check_host_ip) {
+		if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop),
+		    NULL, 0, NI_NUMERICHOST) != 0)
+			fatal("check_host_key: getnameinfo failed");
+		ip = xstrdup(ntop);
+	}
+
+	/*
+	 * Store the host key from the known host file in here so that we can
+	 * compare it with the key for the IP address.
+	 */
+	file_key = key_new(host_key->type);
+
+	/*
+	 * Check if the host key is present in the user\'s list of known
+	 * hosts or in the systemwide list.
+	 */
+	host_status = check_host_in_hostfile(user_hostfile, host, host_key, file_key);
+	if (host_status == HOST_NEW)
+		host_status = check_host_in_hostfile(system_hostfile, host, host_key, file_key);
+	/*
+	 * Also perform check for the ip address, skip the check if we are
+	 * localhost or the hostname was an ip address to begin with
+	 */
+	if (options.check_host_ip && !local && strcmp(host, ip)) {
+		Key *ip_key = key_new(host_key->type);
+		ip_status = check_host_in_hostfile(user_hostfile, ip, host_key, ip_key);
+
+		if (ip_status == HOST_NEW)
+			ip_status = check_host_in_hostfile(system_hostfile, ip, host_key, ip_key);
+		if (host_status == HOST_CHANGED &&
+		    (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key)))
+			host_ip_differ = 1;
+
+		key_free(ip_key);
+	} else
+		ip_status = host_status;
+
+	key_free(file_key);
+
+	switch (host_status) {
+	case HOST_OK:
+		/* The host is known and the key matches. */
+		debug("Host '%.200s' is known and matches the %s host key.",
+		    host, type);
+		if (options.check_host_ip) {
+			if (ip_status == HOST_NEW) {
+				if (!add_host_to_hostfile(user_hostfile, ip, host_key))
+					log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).",
+					    type, ip, user_hostfile);
+				else
+					log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.",
+					    type, ip);
+			} else if (ip_status != HOST_OK)
+				log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'",
+				    type, host, ip);
+		}
+		break;
+	case HOST_NEW:
+		/* The host is new. */
+		if (options.strict_host_key_checking == 1) {
+			/* User has requested strict host key checking.  We will not add the host key
+			   automatically.  The only alternative left is to abort. */
+			fatal("No %s host key is known for %.200s and you have requested strict checking.", type, host);
+		} else if (options.strict_host_key_checking == 2) {
+			/* The default */
+			char prompt[1024];
+			char *fp = key_fingerprint(host_key);
+			snprintf(prompt, sizeof(prompt),
+			    "The authenticity of host '%.200s' can't be established.\n"
+			    "%s key fingerprint is %s.\n"
+			    "Are you sure you want to continue connecting (yes/no)? ",
+			    host, type, fp);
+			if (!read_yes_or_no(prompt, -1))
+				fatal("Aborted by user!\n");
+		}
+		if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) {
+			snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
+			hostp = hostline;
+		} else
+			hostp = host;
+
+		/* If not in strict mode, add the key automatically to the local known_hosts file. */
+		if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
+			log("Failed to add the host to the list of known hosts (%.500s).",
+			    user_hostfile);
+		else
+			log("Warning: Permanently added '%.200s' (%s) to the list of known hosts.",
+			    hostp, type);
+		break;
+	case HOST_CHANGED:
+		if (options.check_host_ip && host_ip_differ) {
+			char *msg;
+			if (ip_status == HOST_NEW)
+				msg = "is unknown";
+			else if (ip_status == HOST_OK)
+				msg = "is unchanged";
+			else
+				msg = "has a different value";
+			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
+			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+			error("The %s host key for %s has changed,", type, host);
+			error("and the key for the according IP address %s", ip);
+			error("%s. This could either mean that", msg);
+			error("DNS SPOOFING is happening or the IP address for the host");
+			error("and its host key have changed at the same time");
+		}
+		/* The host key has changed. */
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+		error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+		error("It is also possible that the %s host key has just been changed.", type);
+		error("Please contact your system administrator.");
+		error("Add correct host key in %.100s to get rid of this message.",
+		      user_hostfile);
+
+		/*
+		 * If strict host key checking is in use, the user will have
+		 * to edit the key manually and we can only abort.
+		 */
+		if (options.strict_host_key_checking)
+			fatal("%s host key for %.200s has changed and you have requested strict checking.", type, host);
+
+		/*
+		 * If strict host key checking has not been requested, allow
+		 * the connection but without password authentication or
+		 * agent forwarding.
+		 */
+		if (options.password_authentication) {
+			error("Password authentication is disabled to avoid trojan horses.");
+			options.password_authentication = 0;
+		}
+		if (options.forward_agent) {
+			error("Agent forwarding is disabled to avoid trojan horses.");
+			options.forward_agent = 0;
+		}
+		/*
+		 * XXX Should permit the user to change to use the new id.
+		 * This could be done by converting the host key to an
+		 * identifying sentence, tell that the host identifies itself
+		 * by that sentence, and ask the user if he/she whishes to
+		 * accept the authentication.
+		 */
+		break;
+	}
+	if (options.check_host_ip)
+		xfree(ip);
+}
+
+#ifdef KRB5
+int
+try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
+{
+  krb5_error_code problem;
+  const char *tkfile; 
+  struct stat buf;
+  krb5_ccache ccache = NULL;
+  krb5_creds req_creds;
+  krb5_creds *new_creds = NULL;
+  const char *remotehost;
+  krb5_data ap;
+  int type, payload_len;
+  krb5_ap_rep_enc_part *reply = NULL; 
+  int ret;
+
+  memset(&ap, 0, sizeof(ap));
+  
+  problem = krb5_init_context(context);
+  if (problem) {
+     ret = 0;
+     goto out;
+  }
+  
+  tkfile = krb5_cc_default_name(*context);
+  if (strncmp(tkfile, "FILE:", 5) == 0)
+     tkfile += 5;
+  
+  if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+    debug("Kerberos V5: could not get default ccache (permission denied).");
+    ret = 0;
+    goto out;
+  }
+  
+  problem = krb5_cc_default(*context, &ccache);
+  if (problem) { 
+     ret = 0; 
+     goto out;
+  }
+  
+  memset(&req_creds, 0, sizeof(req_creds));
+  
+  remotehost = get_canonical_hostname();
+  
+  problem = krb5_sname_to_principal(*context, remotehost, 
+      				    "host", KRB5_NT_SRV_HST,
+				    &req_creds.server);
+  if (problem) { 
+     ret = 0;
+     goto out;
+	
+  }
+  
+  problem = krb5_cc_get_principal(*context, ccache, &req_creds.client);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  /* creds.session.keytype=ETYPE_DES_CBC_CRC; */
+  
+  problem = krb5_get_credentials(*context, 0, ccache, &req_creds, &new_creds);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  problem = krb5_auth_con_init(*context, auth_context);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  /* krb5_auth_con_setflags(ssh_context, auth_context,
+                                  KRB5_AUTH_CONTEXT_RET_TIME); 
+	*/
+  problem = krb5_mk_req_extended(*context, auth_context, 
+    AP_OPTS_MUTUAL_REQUIRED /*| AP_OPTS_USE_SUBKEY*/ ,
+                                NULL, new_creds, &ap);  
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  packet_start(SSH_CMSG_AUTH_KRB5);
+  packet_put_string((char *) ap.data, ap.length);
+  packet_send();
+  packet_write_wait();
+
+  xfree(ap.data);
+  ap.length = 0;
+
+  type = packet_read(&payload_len);
+   switch (type) {
+        case SSH_SMSG_FAILURE:
+                /* Should really be SSH_SMSG_AUTH_KRB5_FAILURE */
+                debug("Kerberos V5 authentication failed.");
+                ret = 0;
+                break;
+
+         case SSH_SMSG_AUTH_KRB5_RESPONSE:
+                /* SSH_SMSG_AUTH_KRB5_SUCCESS */
+                debug("Kerberos V5 authentication accepted.");
+
+                /* Get server's response. */
+                ap.data = packet_get_string((unsigned int *) &ap.length);
+
+                packet_integrity_check(payload_len, 4 + ap.length, type);
+                /* XXX je to dobre? */
+
+                problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
+                if (problem) { 
+		   ret = 0;
+                } 
+		ret = 1;
+		break;
+	
+	default:
+		packet_disconnect("Protocol error on Kerberos V5 response: %d", type);
+		ret = 0; 
+		break;
+
+   }
+ 
+out:  
+   if (req_creds.server != NULL)
+      krb5_free_principal(*context, req_creds.server);
+   if (req_creds.client != NULL)
+      krb5_free_principal(*context, req_creds.client);
+   if (new_creds != NULL)
+      krb5_free_creds(*context, new_creds);
+   if (ccache != NULL)
+      krb5_cc_close(*context, ccache);
+   if (reply != NULL)
+      krb5_free_ap_rep_enc_part(*context, reply); 
+   if (ap.length > 0)
+      krb5_data_free(&ap);
+	
+   return ret;
+  
+}
+
+void
+send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) 
+{
+  int fd; 
+  int type, payload_len;
+  krb5_error_code problem; 
+  krb5_data outbuf;
+  krb5_ccache ccache = NULL;
+  krb5_creds creds; 
+  krb5_kdc_flags flags; 
+  const char* remotehost = get_canonical_hostname(); 
+ 
+  memset(&creds, 0, sizeof(creds)); 
+  memset(&outbuf, 0, sizeof(outbuf));
+  
+  fd = packet_get_connection_in(); 
+  problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+  if (problem) {
+     goto out;
+  }
+  
+#if 0
+  tkfile = krb5_cc_default_name(context);
+  if (strncmp(tkfile, "FILE:", 5) == 0)
+     tkfile += 5;
+  
+  if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+     debug("Kerberos V5: could not get default ccache (permission denied).");
+     goto out;
+  }
+#endif
+  
+  problem = krb5_cc_default(context, &ccache);  
+  if (problem) {
+     goto out;
+  }
+  
+  problem = krb5_cc_get_principal(context, ccache, &creds.client);
+  if (problem) {
+     goto out;
+  }
+  
+  problem = krb5_build_principal(context, &creds.server,
+	                         strlen(creds.client->realm),
+				 creds.client->realm,
+				 "krbtgt",
+				 creds.client->realm,
+				 NULL);
+  if (problem) {
+     goto out;
+  }
+  
+  creds.times.endtime = 0;
+  
+  flags.i = 0;
+  flags.b.forwarded = 1;
+  flags.b.forwardable = krb5_config_get_bool(context,  NULL,
+	                  "libdefaults", "forwardable", NULL);
+  
+  problem = krb5_get_forwarded_creds (context,
+	                              auth_context,
+				      ccache,
+				      flags.i,
+				      remotehost,
+				      &creds,
+				      &outbuf);
+  if (problem) {
+     goto out;
+  }
+  
+  packet_start(SSH_CMSG_HAVE_KRB5_TGT);
+  packet_put_string((char *)outbuf.data, outbuf.length);
+  packet_send();
+  packet_write_wait();
+  
+  type = packet_read(&payload_len);
+  switch (type) {
+     case SSH_SMSG_SUCCESS:
+	break;
+     case SSH_SMSG_FAILURE:
+	break;
+     default:
+	break;
+  }
+
+out:
+  if (creds.client)
+     krb5_free_principal(context, creds.client);
+  if (creds.server)
+     krb5_free_principal(context, creds.server);
+  if (ccache)
+     krb5_cc_close(context, ccache); 
+  if (outbuf.data)
+     xfree(outbuf.data);
+  
+  return;
+}
+#endif /* KRB5 */
+
+/*
+ * Starts a dialog with the server, and authenticates the current user on the
+ * server.  This does not need any extra privileges.  The basic connection
+ * to the server must already have been established before this is called.
+ * If login fails, this function prints an error and never returns.
+ * This function does not require super-user privileges.
+ */
+void
+ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost,
+    struct sockaddr *hostaddr, uid_t original_real_uid)
+{
+	struct passwd *pw;
+	char *host, *cp;
+	char *server_user, *local_user;
+
+	/* Get local user name.  Use it as server user if no user name was given. */
+	pw = getpwuid(original_real_uid);
+	if (!pw)
+		fatal("User id %d not found from user database.", original_real_uid);
+	local_user = xstrdup(pw->pw_name);
+	server_user = options.user ? options.user : local_user;
+
+	/* Convert the user-supplied hostname into all lowercase. */
+	host = xstrdup(orighost);
+	for (cp = host; *cp; cp++)
+		if (isupper(*cp))
+			*cp = tolower(*cp);
+
+	/* Exchange protocol version identification strings with the server. */
+	ssh_exchange_identification();
+
+	/* Put the connection into non-blocking mode. */
+	packet_set_nonblocking();
+
+	/* key exchange */
+	/* authenticate user */
+	if (compat20) {
+		ssh_kex2(host, hostaddr);
+		ssh_userauth2(server_user, host);
+	} else {
+		ssh_kex(host, hostaddr);
+		ssh_userauth(local_user, server_user, host, host_key_valid, own_host_key);
+	}
+}
diff --git a/crypto/openssh/sshconnect.h b/crypto/openssh/sshconnect.h
new file mode 100644
index 0000000..13d395f
--- /dev/null
+++ b/crypto/openssh/sshconnect.h
@@ -0,0 +1,16 @@
+#ifndef SSHCONNECT_H
+#define SSHCONNECT_H
+
+void
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
+    const char *user_hostfile, const char *system_hostfile);
+
+void	ssh_kex(char *host, struct sockaddr *hostaddr);
+void
+ssh_userauth(const char* local_user, const char* server_user, char *host,
+    int host_key_valid, RSA *own_host_key);
+
+void	ssh_kex2(char *host, struct sockaddr *hostaddr);
+void	ssh_userauth2(const char *server_user, char *host);
+
+#endif
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
new file mode 100644
index 0000000..929581c
--- /dev/null
+++ b/crypto/openssh/sshconnect1.c
@@ -0,0 +1,1054 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sat Mar 18 22:15:47 1995 ylo
+ * Code to connect to a remote host, and to perform the client side of the
+ * login (authentication) dialog.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshconnect1.c,v 1.3 2000/05/08 17:12:16 markus Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "buffer.h"
+#include "packet.h"
+#include "authfd.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "uidswap.h"
+#include "readconf.h"
+#include "key.h"
+#include "sshconnect.h"
+#include "authfile.h"
+
+/* Session id for the current session. */
+unsigned char session_id[16];
+unsigned int supported_authentications = 0;
+
+extern Options options;
+extern char *__progname;
+
+/*
+ * Checks if the user has an authentication agent, and if so, tries to
+ * authenticate using the agent.
+ */
+int
+try_agent_authentication()
+{
+	int status, type;
+	char *comment;
+	AuthenticationConnection *auth;
+	unsigned char response[16];
+	unsigned int i;
+	BIGNUM *e, *n, *challenge;
+
+	/* Get connection to the agent. */
+	auth = ssh_get_authentication_connection();
+	if (!auth)
+		return 0;
+
+	e = BN_new();
+	n = BN_new();
+	challenge = BN_new();
+
+	/* Loop through identities served by the agent. */
+	for (status = ssh_get_first_identity(auth, e, n, &comment);
+	     status;
+	     status = ssh_get_next_identity(auth, e, n, &comment)) {
+		int plen, clen;
+
+		/* Try this identity. */
+		debug("Trying RSA authentication via agent with '%.100s'", comment);
+		xfree(comment);
+
+		/* Tell the server that we are willing to authenticate using this key. */
+		packet_start(SSH_CMSG_AUTH_RSA);
+		packet_put_bignum(n);
+		packet_send();
+		packet_write_wait();
+
+		/* Wait for server's response. */
+		type = packet_read(&plen);
+
+		/* The server sends failure if it doesn\'t like our key or
+		   does not support RSA authentication. */
+		if (type == SSH_SMSG_FAILURE) {
+			debug("Server refused our key.");
+			continue;
+		}
+		/* Otherwise it should have sent a challenge. */
+		if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+			packet_disconnect("Protocol error during RSA authentication: %d",
+					  type);
+
+		packet_get_bignum(challenge, &clen);
+
+		packet_integrity_check(plen, clen, type);
+
+		debug("Received RSA challenge from server.");
+
+		/* Ask the agent to decrypt the challenge. */
+		if (!ssh_decrypt_challenge(auth, e, n, challenge,
+					   session_id, 1, response)) {
+			/* The agent failed to authenticate this identifier although it
+			   advertised it supports this.  Just return a wrong value. */
+			log("Authentication agent failed to decrypt challenge.");
+			memset(response, 0, sizeof(response));
+		}
+		debug("Sending response to RSA challenge.");
+
+		/* Send the decrypted challenge back to the server. */
+		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+		for (i = 0; i < 16; i++)
+			packet_put_char(response[i]);
+		packet_send();
+		packet_write_wait();
+
+		/* Wait for response from the server. */
+		type = packet_read(&plen);
+
+		/* The server returns success if it accepted the authentication. */
+		if (type == SSH_SMSG_SUCCESS) {
+			debug("RSA authentication accepted by server.");
+			BN_clear_free(e);
+			BN_clear_free(n);
+			BN_clear_free(challenge);
+			return 1;
+		}
+		/* Otherwise it should return failure. */
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error waiting RSA auth response: %d",
+					  type);
+	}
+
+	BN_clear_free(e);
+	BN_clear_free(n);
+	BN_clear_free(challenge);
+
+	debug("RSA authentication using agent refused.");
+	return 0;
+}
+
+/*
+ * Computes the proper response to a RSA challenge, and sends the response to
+ * the server.
+ */
+void
+respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
+{
+	unsigned char buf[32], response[16];
+	MD5_CTX md;
+	int i, len;
+
+	/* Decrypt the challenge using the private key. */
+	rsa_private_decrypt(challenge, challenge, prv);
+
+	/* Compute the response. */
+	/* The response is MD5 of decrypted challenge plus session id. */
+	len = BN_num_bytes(challenge);
+	if (len <= 0 || len > sizeof(buf))
+		packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
+				  len);
+
+	memset(buf, 0, sizeof(buf));
+	BN_bn2bin(challenge, buf + sizeof(buf) - len);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, 32);
+	MD5_Update(&md, session_id, 16);
+	MD5_Final(response, &md);
+
+	debug("Sending response to host key RSA challenge.");
+
+	/* Send the response back to the server. */
+	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+	for (i = 0; i < 16; i++)
+		packet_put_char(response[i]);
+	packet_send();
+	packet_write_wait();
+
+	memset(buf, 0, sizeof(buf));
+	memset(response, 0, sizeof(response));
+	memset(&md, 0, sizeof(md));
+}
+
+/*
+ * Checks if the user has authentication file, and if so, tries to authenticate
+ * the user using it.
+ */
+int
+try_rsa_authentication(const char *authfile)
+{
+	BIGNUM *challenge;
+	Key *public;
+	Key *private;
+	char *passphrase, *comment;
+	int type, i;
+	int plen, clen;
+
+	/* Try to load identification for the authentication key. */
+	public = key_new(KEY_RSA);
+	if (!load_public_key(authfile, public, &comment)) {
+		key_free(public);
+		/* Could not load it.  Fail. */
+		return 0;
+	}
+	debug("Trying RSA authentication with key '%.100s'", comment);
+
+	/* Tell the server that we are willing to authenticate using this key. */
+	packet_start(SSH_CMSG_AUTH_RSA);
+	packet_put_bignum(public->rsa->n);
+	packet_send();
+	packet_write_wait();
+
+	/* We no longer need the public key. */
+	key_free(public);
+
+	/* Wait for server's response. */
+	type = packet_read(&plen);
+
+	/*
+	 * The server responds with failure if it doesn\'t like our key or
+	 * doesn\'t support RSA authentication.
+	 */
+	if (type == SSH_SMSG_FAILURE) {
+		debug("Server refused our key.");
+		xfree(comment);
+		return 0;
+	}
+	/* Otherwise, the server should respond with a challenge. */
+	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+		packet_disconnect("Protocol error during RSA authentication: %d", type);
+
+	/* Get the challenge from the packet. */
+	challenge = BN_new();
+	packet_get_bignum(challenge, &clen);
+
+	packet_integrity_check(plen, clen, type);
+
+	debug("Received RSA challenge from server.");
+
+	private = key_new(KEY_RSA);
+	/*
+	 * Load the private key.  Try first with empty passphrase; if it
+	 * fails, ask for a passphrase.
+	 */
+	if (!load_private_key(authfile, "", private, NULL)) {
+		char buf[300];
+		snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
+		    comment);
+		if (!options.batch_mode)
+			passphrase = read_passphrase(buf, 0);
+		else {
+			debug("Will not query passphrase for %.100s in batch mode.",
+			      comment);
+			passphrase = xstrdup("");
+		}
+
+		/* Load the authentication file using the pasphrase. */
+		if (!load_private_key(authfile, passphrase, private, NULL)) {
+			memset(passphrase, 0, strlen(passphrase));
+			xfree(passphrase);
+			error("Bad passphrase.");
+
+			/* Send a dummy response packet to avoid protocol error. */
+			packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+			for (i = 0; i < 16; i++)
+				packet_put_char(0);
+			packet_send();
+			packet_write_wait();
+
+			/* Expect the server to reject it... */
+			packet_read_expect(&plen, SSH_SMSG_FAILURE);
+			xfree(comment);
+			return 0;
+		}
+		/* Destroy the passphrase. */
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
+	/* We no longer need the comment. */
+	xfree(comment);
+
+	/* Compute and send a response to the challenge. */
+	respond_to_rsa_challenge(challenge, private->rsa);
+
+	/* Destroy the private key. */
+	key_free(private);
+
+	/* We no longer need the challenge. */
+	BN_clear_free(challenge);
+
+	/* Wait for response from the server. */
+	type = packet_read(&plen);
+	if (type == SSH_SMSG_SUCCESS) {
+		debug("RSA authentication accepted by server.");
+		return 1;
+	}
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
+	debug("RSA authentication refused.");
+	return 0;
+}
+
+/*
+ * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
+ * authentication and RSA host authentication.
+ */
+int
+try_rhosts_rsa_authentication(const char *local_user, RSA * host_key)
+{
+	int type;
+	BIGNUM *challenge;
+	int plen, clen;
+
+	debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
+
+	/* Tell the server that we are willing to authenticate using this key. */
+	packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
+	packet_put_string(local_user, strlen(local_user));
+	packet_put_int(BN_num_bits(host_key->n));
+	packet_put_bignum(host_key->e);
+	packet_put_bignum(host_key->n);
+	packet_send();
+	packet_write_wait();
+
+	/* Wait for server's response. */
+	type = packet_read(&plen);
+
+	/* The server responds with failure if it doesn't admit our
+	   .rhosts authentication or doesn't know our host key. */
+	if (type == SSH_SMSG_FAILURE) {
+		debug("Server refused our rhosts authentication or host key.");
+		return 0;
+	}
+	/* Otherwise, the server should respond with a challenge. */
+	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+		packet_disconnect("Protocol error during RSA authentication: %d", type);
+
+	/* Get the challenge from the packet. */
+	challenge = BN_new();
+	packet_get_bignum(challenge, &clen);
+
+	packet_integrity_check(plen, clen, type);
+
+	debug("Received RSA challenge for host key from server.");
+
+	/* Compute a response to the challenge. */
+	respond_to_rsa_challenge(challenge, host_key);
+
+	/* We no longer need the challenge. */
+	BN_clear_free(challenge);
+
+	/* Wait for response from the server. */
+	type = packet_read(&plen);
+	if (type == SSH_SMSG_SUCCESS) {
+		debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
+		return 1;
+	}
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
+	debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
+	return 0;
+}
+
+#ifdef KRB4
+int
+try_krb4_authentication()
+{
+	KTEXT_ST auth;		/* Kerberos data */
+	char *reply;
+	char inst[INST_SZ];
+	char *realm;
+	CREDENTIALS cred;
+	int r, type, plen;
+	socklen_t slen;
+	Key_schedule schedule;
+	u_long checksum, cksum;
+	MSG_DAT msg_data;
+	struct sockaddr_in local, foreign;
+	struct stat st;
+
+	/* Don't do anything if we don't have any tickets. */
+	if (stat(tkt_string(), &st) < 0)
+		return 0;
+
+	strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ);
+
+	realm = (char *) krb_realmofhost(get_canonical_hostname());
+	if (!realm) {
+		debug("Kerberos V4: no realm for %s", get_canonical_hostname());
+		return 0;
+	}
+	/* This can really be anything. */
+	checksum = (u_long) getpid();
+
+	r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
+	if (r != KSUCCESS) {
+		debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	/* Get session key to decrypt the server's reply with. */
+	r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
+	if (r != KSUCCESS) {
+		debug("get_cred failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	des_key_sched((des_cblock *) cred.session, schedule);
+
+	/* Send authentication info to server. */
+	packet_start(SSH_CMSG_AUTH_KRB4);
+	packet_put_string((char *) auth.dat, auth.length);
+	packet_send();
+	packet_write_wait();
+
+	/* Zero the buffer. */
+	(void) memset(auth.dat, 0, MAX_KTXT_LEN);
+
+	slen = sizeof(local);
+	memset(&local, 0, sizeof(local));
+	if (getsockname(packet_get_connection_in(),
+			(struct sockaddr *) & local, &slen) < 0)
+		debug("getsockname failed: %s", strerror(errno));
+
+	slen = sizeof(foreign);
+	memset(&foreign, 0, sizeof(foreign));
+	if (getpeername(packet_get_connection_in(),
+			(struct sockaddr *) & foreign, &slen) < 0) {
+		debug("getpeername failed: %s", strerror(errno));
+		fatal_cleanup();
+	}
+	/* Get server reply. */
+	type = packet_read(&plen);
+	switch (type) {
+	case SSH_SMSG_FAILURE:
+		/* Should really be SSH_SMSG_AUTH_KRB4_FAILURE */
+		debug("Kerberos V4 authentication failed.");
+		return 0;
+		break;
+
+	case SSH_SMSG_AUTH_KRB4_RESPONSE:
+		/* SSH_SMSG_AUTH_KRB4_SUCCESS */
+		debug("Kerberos V4 authentication accepted.");
+
+		/* Get server's response. */
+		reply = packet_get_string((unsigned int *) &auth.length);
+		memcpy(auth.dat, reply, auth.length);
+		xfree(reply);
+
+		packet_integrity_check(plen, 4 + auth.length, type);
+
+		/*
+		 * If his response isn't properly encrypted with the session
+		 * key, and the decrypted checksum fails to match, he's
+		 * bogus. Bail out.
+		 */
+		r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
+				&foreign, &local, &msg_data);
+		if (r != KSUCCESS) {
+			debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
+			packet_disconnect("Kerberos V4 challenge failed!");
+		}
+		/* Fetch the (incremented) checksum that we supplied in the request. */
+		(void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum));
+		cksum = ntohl(cksum);
+
+		/* If it matches, we're golden. */
+		if (cksum == checksum + 1) {
+			debug("Kerberos V4 challenge successful.");
+			return 1;
+		} else
+			packet_disconnect("Kerberos V4 challenge failed!");
+		break;
+
+	default:
+		packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
+	}
+	return 0;
+}
+
+#endif /* KRB4 */
+
+#ifdef AFS
+int
+send_krb4_tgt()
+{
+	CREDENTIALS *creds;
+	char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
+	int r, type, plen;
+	char buffer[8192];
+	struct stat st;
+
+	/* Don't do anything if we don't have any tickets. */
+	if (stat(tkt_string(), &st) < 0)
+		return 0;
+
+	creds = xmalloc(sizeof(*creds));
+
+	if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
+		debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
+		debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
+		debug("Kerberos V4 ticket expired: %s", TKT_FILE);
+		return 0;
+	}
+	creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer);
+	xfree(creds);
+
+	packet_start(SSH_CMSG_HAVE_KRB4_TGT);
+	packet_put_string(buffer, strlen(buffer));
+	packet_send();
+	packet_write_wait();
+
+	type = packet_read(&plen);
+
+	if (type == SSH_SMSG_FAILURE)
+		debug("Kerberos TGT for realm %s rejected.", prealm);
+	else if (type != SSH_SMSG_SUCCESS)
+		packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
+
+	return 1;
+}
+
+void
+send_afs_tokens(void)
+{
+	CREDENTIALS creds;
+	struct ViceIoctl parms;
+	struct ClearToken ct;
+	int i, type, len, plen;
+	char buf[2048], *p, *server_cell;
+	char buffer[8192];
+
+	/* Move over ktc_GetToken, here's something leaner. */
+	for (i = 0; i < 100; i++) {	/* just in case */
+		parms.in = (char *) &i;
+		parms.in_size = sizeof(i);
+		parms.out = buf;
+		parms.out_size = sizeof(buf);
+		if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
+			break;
+		p = buf;
+
+		/* Get secret token. */
+		memcpy(&creds.ticket_st.length, p, sizeof(unsigned int));
+		if (creds.ticket_st.length > MAX_KTXT_LEN)
+			break;
+		p += sizeof(unsigned int);
+		memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
+		p += creds.ticket_st.length;
+
+		/* Get clear token. */
+		memcpy(&len, p, sizeof(len));
+		if (len != sizeof(struct ClearToken))
+			break;
+		p += sizeof(len);
+		memcpy(&ct, p, len);
+		p += len;
+		p += sizeof(len);	/* primary flag */
+		server_cell = p;
+
+		/* Flesh out our credentials. */
+		strlcpy(creds.service, "afs", sizeof creds.service);
+		creds.instance[0] = '\0';
+		strlcpy(creds.realm, server_cell, REALM_SZ);
+		memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
+		creds.issue_date = ct.BeginTimestamp;
+		creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
+		creds.kvno = ct.AuthHandle;
+		snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
+		creds.pinst[0] = '\0';
+
+		/* Encode token, ship it off. */
+		if (creds_to_radix(&creds, (unsigned char*) buffer, sizeof buffer) <= 0)
+			break;
+		packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
+		packet_put_string(buffer, strlen(buffer));
+		packet_send();
+		packet_write_wait();
+
+		/* Roger, Roger. Clearance, Clarence. What's your vector,
+		   Victor? */
+		type = packet_read(&plen);
+
+		if (type == SSH_SMSG_FAILURE)
+			debug("AFS token for cell %s rejected.", server_cell);
+		else if (type != SSH_SMSG_SUCCESS)
+			packet_disconnect("Protocol error on AFS token response: %d", type);
+	}
+}
+
+#endif /* AFS */
+
+/*
+ * Tries to authenticate with any string-based challenge/response system.
+ * Note that the client code is not tied to s/key or TIS.
+ */
+int
+try_skey_authentication()
+{
+	int type, i;
+	int payload_len;
+	unsigned int clen;
+	char *challenge, *response;
+
+	debug("Doing skey authentication.");
+
+	/* request a challenge */
+	packet_start(SSH_CMSG_AUTH_TIS);
+	packet_send();
+	packet_write_wait();
+
+	type = packet_read(&payload_len);
+	if (type != SSH_SMSG_FAILURE &&
+	    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+		packet_disconnect("Protocol error: got %d in response "
+				  "to skey-auth", type);
+	}
+	if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+		debug("No challenge for skey authentication.");
+		return 0;
+	}
+	challenge = packet_get_string(&clen);
+	packet_integrity_check(payload_len, (4 + clen), type);
+	if (options.cipher == SSH_CIPHER_NONE)
+		log("WARNING: Encryption is disabled! "
+		    "Reponse will be transmitted in clear text.");
+	fprintf(stderr, "%s\n", challenge);
+	xfree(challenge);
+	fflush(stderr);
+	for (i = 0; i < options.number_of_password_prompts; i++) {
+		if (i != 0)
+			error("Permission denied, please try again.");
+		response = read_passphrase("Response: ", 0);
+		packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
+		packet_put_string(response, strlen(response));
+		memset(response, 0, strlen(response));
+		xfree(response);
+		packet_send();
+		packet_write_wait();
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return 1;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response "
+					  "to skey-auth-reponse", type);
+	}
+	/* failure */
+	return 0;
+}
+
+/*
+ * Tries to authenticate with plain passwd authentication.
+ */
+int
+try_password_authentication(char *prompt)
+{
+	int type, i, payload_len;
+	char *password;
+
+	debug("Doing password authentication.");
+	if (options.cipher == SSH_CIPHER_NONE)
+		log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
+	for (i = 0; i < options.number_of_password_prompts; i++) {
+		if (i != 0)
+			error("Permission denied, please try again.");
+		password = read_passphrase(prompt, 0);
+		packet_start(SSH_CMSG_AUTH_PASSWORD);
+		packet_put_string(password, strlen(password));
+		memset(password, 0, strlen(password));
+		xfree(password);
+		packet_send();
+		packet_write_wait();
+
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return 1;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response to passwd auth", type);
+	}
+	/* failure */
+	return 0;
+}
+
+/*
+ * SSH1 key exchange
+ */
+void
+ssh_kex(char *host, struct sockaddr *hostaddr)
+{
+	int i;
+	BIGNUM *key;
+	RSA *host_key;
+	RSA *public_key;
+	Key k;
+	int bits, rbits;
+	int ssh_cipher_default = SSH_CIPHER_3DES;
+	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
+	unsigned char cookie[8];
+	unsigned int supported_ciphers;
+	unsigned int server_flags, client_flags;
+	int payload_len, clen, sum_len = 0;
+	u_int32_t rand = 0;
+
+	debug("Waiting for server public key.");
+
+	/* Wait for a public key packet from the server. */
+	packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
+
+	/* Get cookie from the packet. */
+	for (i = 0; i < 8; i++)
+		cookie[i] = packet_get_char();
+
+	/* Get the public key. */
+	public_key = RSA_new();
+	bits = packet_get_int();/* bits */
+	public_key->e = BN_new();
+	packet_get_bignum(public_key->e, &clen);
+	sum_len += clen;
+	public_key->n = BN_new();
+	packet_get_bignum(public_key->n, &clen);
+	sum_len += clen;
+
+	rbits = BN_num_bits(public_key->n);
+	if (bits != rbits) {
+		log("Warning: Server lies about size of server public key: "
+		    "actual size is %d bits vs. announced %d.", rbits, bits);
+		log("Warning: This may be due to an old implementation of ssh.");
+	}
+	/* Get the host key. */
+	host_key = RSA_new();
+	bits = packet_get_int();/* bits */
+	host_key->e = BN_new();
+	packet_get_bignum(host_key->e, &clen);
+	sum_len += clen;
+	host_key->n = BN_new();
+	packet_get_bignum(host_key->n, &clen);
+	sum_len += clen;
+
+	rbits = BN_num_bits(host_key->n);
+	if (bits != rbits) {
+		log("Warning: Server lies about size of server host key: "
+		    "actual size is %d bits vs. announced %d.", rbits, bits);
+		log("Warning: This may be due to an old implementation of ssh.");
+	}
+
+	/* Get protocol flags. */
+	server_flags = packet_get_int();
+	packet_set_protocol_flags(server_flags);
+
+	supported_ciphers = packet_get_int();
+	supported_authentications = packet_get_int();
+
+	debug("Received server public key (%d bits) and host key (%d bits).",
+	      BN_num_bits(public_key->n), BN_num_bits(host_key->n));
+
+	packet_integrity_check(payload_len,
+			       8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
+			       SSH_SMSG_PUBLIC_KEY);
+	k.type = KEY_RSA;
+	k.rsa = host_key;
+	check_host_key(host, hostaddr, &k,
+	    options.user_hostfile, options.system_hostfile);
+
+	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
+
+	compute_session_id(session_id, cookie, host_key->n, public_key->n);
+
+	/* Generate a session key. */
+	arc4random_stir();
+
+	/*
+	 * Generate an encryption key for the session.   The key is a 256 bit
+	 * random number, interpreted as a 32-byte key, with the least
+	 * significant 8 bits being the first byte of the key.
+	 */
+	for (i = 0; i < 32; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		session_key[i] = rand & 0xff;
+		rand >>= 8;
+	}
+
+	/*
+	 * According to the protocol spec, the first byte of the session key
+	 * is the highest byte of the integer.  The session key is xored with
+	 * the first 16 bytes of the session id.
+	 */
+	key = BN_new();
+	BN_set_word(key, 0);
+	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
+		BN_lshift(key, key, 8);
+		if (i < 16)
+			BN_add_word(key, session_key[i] ^ session_id[i]);
+		else
+			BN_add_word(key, session_key[i]);
+	}
+
+	/*
+	 * Encrypt the integer using the public key and host key of the
+	 * server (key with smaller modulus first).
+	 */
+	if (BN_cmp(public_key->n, host_key->n) < 0) {
+		/* Public key has smaller modulus. */
+		if (BN_num_bits(host_key->n) <
+		    BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
+			      "SSH_KEY_BITS_RESERVED %d",
+			      BN_num_bits(host_key->n),
+			      BN_num_bits(public_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_public_encrypt(key, key, public_key);
+		rsa_public_encrypt(key, key, host_key);
+	} else {
+		/* Host key has smaller modulus (or they are equal). */
+		if (BN_num_bits(public_key->n) <
+		    BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
+			      "SSH_KEY_BITS_RESERVED %d",
+			      BN_num_bits(public_key->n),
+			      BN_num_bits(host_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_public_encrypt(key, key, host_key);
+		rsa_public_encrypt(key, key, public_key);
+	}
+
+	/* Destroy the public keys since we no longer need them. */
+	RSA_free(public_key);
+	RSA_free(host_key);
+
+	if (options.cipher == SSH_CIPHER_ILLEGAL) {
+		log("No valid SSH1 cipher, using %.100s instead.",
+		    cipher_name(SSH_FALLBACK_CIPHER));
+		options.cipher = SSH_FALLBACK_CIPHER;
+	} else if (options.cipher == SSH_CIPHER_NOT_SET) {
+		if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default))
+			options.cipher = ssh_cipher_default;
+		else {
+			debug("Cipher %s not supported, using %.100s instead.",
+			    cipher_name(ssh_cipher_default),
+			    cipher_name(SSH_FALLBACK_CIPHER));
+			options.cipher = SSH_FALLBACK_CIPHER;
+		}
+	}
+	/* Check that the selected cipher is supported. */
+	if (!(supported_ciphers & (1 << options.cipher)))
+		fatal("Selected cipher type %.100s not supported by server.",
+		      cipher_name(options.cipher));
+
+	debug("Encryption type: %.100s", cipher_name(options.cipher));
+
+	/* Send the encrypted session key to the server. */
+	packet_start(SSH_CMSG_SESSION_KEY);
+	packet_put_char(options.cipher);
+
+	/* Send the cookie back to the server. */
+	for (i = 0; i < 8; i++)
+		packet_put_char(cookie[i]);
+
+	/* Send and destroy the encrypted encryption key integer. */
+	packet_put_bignum(key);
+	BN_clear_free(key);
+
+	/* Send protocol flags. */
+	packet_put_int(client_flags);
+
+	/* Send the packet now. */
+	packet_send();
+	packet_write_wait();
+
+	debug("Sent encrypted session key.");
+
+	/* Set the encryption key. */
+	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
+
+	/* We will no longer need the session key here.  Destroy any extra copies. */
+	memset(session_key, 0, sizeof(session_key));
+
+	/*
+	 * Expect a success message from the server.  Note that this message
+	 * will be received in encrypted form.
+	 */
+	packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+
+	debug("Received encrypted confirmation.");
+}
+
+/*
+ * Authenticate user
+ */
+void
+ssh_userauth(
+    const char* local_user,
+    const char* server_user,
+    char *host,
+    int host_key_valid, RSA *own_host_key)
+{
+	int i, type;
+	int payload_len;
+
+	if (supported_authentications == 0)
+		fatal("ssh_userauth: server supports no auth methods");
+
+	/* Send the name of the user to log in as on the server. */
+	packet_start(SSH_CMSG_USER);
+	packet_put_string(server_user, strlen(server_user));
+	packet_send();
+	packet_write_wait();
+
+	/*
+	 * The server should respond with success if no authentication is
+	 * needed (the user has no password).  Otherwise the server responds
+	 * with failure.
+	 */
+	type = packet_read(&payload_len);
+
+	/* check whether the connection was accepted without authentication. */
+	if (type == SSH_SMSG_SUCCESS)
+		return;
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
+				  type);
+
+#ifdef AFS
+	/* Try Kerberos tgt passing if the server supports it. */
+	if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) &&
+	    options.krb4_tgt_passing) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+		(void) send_krb4_tgt();
+	}
+	/* Try AFS token passing if the server supports it. */
+	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+	    options.afs_token_passing && k_hasafs()) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+		send_afs_tokens();
+	}
+#endif /* AFS */
+
+#ifdef KRB4
+	if ((supported_authentications & (1 << SSH_AUTH_KRB4)) &&
+	    options.krb4_authentication) {
+		debug("Trying Kerberos authentication.");
+		if (try_krb4_authentication()) {
+			/* The server should respond with success or failure. */
+			type = packet_read(&payload_len);
+			if (type == SSH_SMSG_SUCCESS)
+				return;
+			if (type != SSH_SMSG_FAILURE)
+				packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
+		}
+	}
+#endif /* KRB4 */
+
+#ifdef KRB5
+	if ((supported_authentications & (1 << SSH_AUTH_KRB5)) &&
+	     options.krb5_authentication){
+		krb5_context ssh_context = NULL;
+		krb5_auth_context auth_context = NULL;
+
+		debug("Trying Kerberos V5 authentication.");
+
+	if (try_krb5_authentication(&ssh_context, &auth_context)) {
+	  type = packet_read(&payload_len);
+	  if (type == SSH_SMSG_SUCCESS) {
+	     if ((supported_authentications & (1 << SSH_PASS_KRB5_TGT)) &&
+	          options.krb5_tgt_passing) {
+   	                if (options.cipher == SSH_CIPHER_NONE)
+      				log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+   			send_krb5_tgt(ssh_context, auth_context);
+
+	     } 
+	     krb5_auth_con_free(ssh_context, auth_context); 
+	     krb5_free_context(ssh_context); 
+	     return;
+	  }
+	  if (type != SSH_SMSG_FAILURE)
+               	packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
+
+	}
+        }
+#endif /* KRB5 */
+
+	/*
+	 * Use rhosts authentication if running in privileged socket and we
+	 * do not wish to remain anonymous.
+	 */
+	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
+	    options.rhosts_authentication) {
+		debug("Trying rhosts authentication.");
+		packet_start(SSH_CMSG_AUTH_RHOSTS);
+		packet_put_string(local_user, strlen(local_user));
+		packet_send();
+		packet_write_wait();
+
+		/* The server should respond with success or failure. */
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response to rhosts auth",
+					  type);
+	}
+	/*
+	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
+	 * authentication.
+	 */
+	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
+	    options.rhosts_rsa_authentication && host_key_valid) {
+		if (try_rhosts_rsa_authentication(local_user, own_host_key))
+			return;
+	}
+	/* Try RSA authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
+	    options.rsa_authentication) {
+		/*
+		 * Try RSA authentication using the authentication agent. The
+		 * agent is tried first because no passphrase is needed for
+		 * it, whereas identity files may require passphrases.
+		 */
+		if (try_agent_authentication())
+			return;
+
+		/* Try RSA authentication for each identity. */
+		for (i = 0; i < options.num_identity_files; i++)
+			if (try_rsa_authentication(options.identity_files[i]))
+				return;
+	}
+	/* Try skey authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
+	    options.skey_authentication && !options.batch_mode) {
+		if (try_skey_authentication())
+			return;
+	}
+	/* Try password authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
+	    options.password_authentication && !options.batch_mode) {
+		char prompt[80];
+
+		snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
+		    server_user, host);
+		if (try_password_authentication(prompt))
+			return;
+	}
+	/* All authentication methods have failed.  Exit with an error message. */
+	fatal("Permission denied.");
+	/* NOTREACHED */
+}
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
new file mode 100644
index 0000000..0abcf89
--- /dev/null
+++ b/crypto/openssh/sshconnect2.c
@@ -0,0 +1,451 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Markus Friedl.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/md5.h>
+#include <openssl/dh.h>
+#include <openssl/hmac.h>
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "packet.h"
+#include "cipher.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "readconf.h"
+#include "bufaux.h"
+#include "ssh2.h"
+#include "kex.h"
+#include "myproposal.h"
+#include "key.h"
+#include "dsa.h"
+#include "sshconnect.h"
+#include "authfile.h"
+
+/* import */
+extern char *client_version_string;
+extern char *server_version_string;
+extern Options options;
+
+/*
+ * SSH2 key exchange
+ */
+
+unsigned char *session_id2 = NULL;
+int session_id2_len = 0;
+
+void
+ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr,
+    Buffer *client_kexinit, Buffer *server_kexinit)
+{
+	int i;
+	int plen, dlen;
+	unsigned int klen, kout;
+	char *signature = NULL;
+	unsigned int slen;
+	char *server_host_key_blob = NULL;
+	Key *server_host_key;
+	unsigned int sbloblen;
+	DH *dh;
+	BIGNUM *dh_server_pub = 0;
+	BIGNUM *shared_secret = 0;
+	unsigned char *kbuf;
+	unsigned char *hash;
+
+	debug("Sending SSH2_MSG_KEXDH_INIT.");
+	/* generate and send 'e', client DH public key */
+	dh = dh_new_group1();
+	packet_start(SSH2_MSG_KEXDH_INIT);
+	packet_put_bignum2(dh->pub_key);
+	packet_send();
+	packet_write_wait();
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "\np= ");
+	bignum_print(dh->p);
+	fprintf(stderr, "\ng= ");
+	bignum_print(dh->g);
+	fprintf(stderr, "\npub= ");
+	bignum_print(dh->pub_key);
+	fprintf(stderr, "\n");
+	DHparams_print_fp(stderr, dh);
+#endif
+
+	debug("Wait SSH2_MSG_KEXDH_REPLY.");
+
+	packet_read_expect(&plen, SSH2_MSG_KEXDH_REPLY);
+
+	debug("Got SSH2_MSG_KEXDH_REPLY.");
+
+	/* key, cert */
+	server_host_key_blob = packet_get_string(&sbloblen);
+	server_host_key = dsa_key_from_blob(server_host_key_blob, sbloblen);
+	if (server_host_key == NULL)
+		fatal("cannot decode server_host_key_blob");
+
+	check_host_key(host, hostaddr, server_host_key,
+	    options.user_hostfile2, options.system_hostfile2);
+
+	/* DH paramter f, server public DH key */
+	dh_server_pub = BN_new();
+	if (dh_server_pub == NULL)
+		fatal("dh_server_pub == NULL");
+	packet_get_bignum2(dh_server_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "\ndh_server_pub= ");
+	bignum_print(dh_server_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_server_pub));
+#endif
+
+	/* signed H */
+	signature = packet_get_string(&slen);
+	packet_done();
+
+	if (!dh_pub_is_valid(dh, dh_server_pub))
+		packet_disconnect("bad server public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_server_pub, dh);
+#ifdef DEBUG_KEXDH
+	debug("shared secret: len %d/%d", klen, kout);
+	fprintf(stderr, "shared secret == ");
+	for (i = 0; i< kout; i++)
+		fprintf(stderr, "%02x", (kbuf[i])&0xff);
+	fprintf(stderr, "\n");
+#endif
+	shared_secret = BN_new();
+
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	/* calc and verify H */
+	hash = kex_hash(
+	    client_version_string,
+	    server_version_string,
+	    buffer_ptr(client_kexinit), buffer_len(client_kexinit),
+	    buffer_ptr(server_kexinit), buffer_len(server_kexinit),
+	    server_host_key_blob, sbloblen,
+	    dh->pub_key,
+	    dh_server_pub,
+	    shared_secret
+	);
+	xfree(server_host_key_blob);
+	DH_free(dh);
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "hash == ");
+	for (i = 0; i< 20; i++)
+		fprintf(stderr, "%02x", (hash[i])&0xff);
+	fprintf(stderr, "\n");
+#endif
+	if (dsa_verify(server_host_key, (unsigned char *)signature, slen, hash, 20) != 1)
+		fatal("dsa_verify failed for server_host_key");
+	key_free(server_host_key);
+
+	kex_derive_keys(kex, hash, shared_secret);
+	packet_set_kex(kex);
+
+	/* save session id */
+	session_id2_len = 20;
+	session_id2 = xmalloc(session_id2_len);
+	memcpy(session_id2, hash, session_id2_len);
+}
+
+void
+ssh_kex2(char *host, struct sockaddr *hostaddr)
+{
+	int i, plen;
+	Kex *kex;
+	Buffer *client_kexinit, *server_kexinit;
+	char *sprop[PROPOSAL_MAX];
+
+	if (options.ciphers != NULL) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	} else if (options.cipher == SSH_CIPHER_3DES) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] =
+		    (char *) cipher_name(SSH_CIPHER_3DES_CBC);
+	} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] =
+		    (char *) cipher_name(SSH_CIPHER_BLOWFISH_CBC);
+	}
+	if (options.compression) {
+		myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib";
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib";
+	} else {
+		myproposal[PROPOSAL_COMP_ALGS_CTOS] = "none";
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
+	}
+
+	/* buffers with raw kexinit messages */
+	server_kexinit = xmalloc(sizeof(*server_kexinit));
+	buffer_init(server_kexinit);
+	client_kexinit = kex_init(myproposal);
+
+	/* algorithm negotiation */
+	kex_exchange_kexinit(client_kexinit, server_kexinit, sprop);
+	kex = kex_choose_conf(myproposal, sprop, 0);
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		xfree(sprop[i]);
+
+	/* server authentication and session key agreement */
+	ssh_kex_dh(kex, host, hostaddr, client_kexinit, server_kexinit);
+
+	buffer_free(client_kexinit);
+	buffer_free(server_kexinit);
+	xfree(client_kexinit);
+	xfree(server_kexinit);
+
+	debug("Wait SSH2_MSG_NEWKEYS.");
+	packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
+	packet_done();
+	debug("GOT SSH2_MSG_NEWKEYS.");
+
+	debug("send SSH2_MSG_NEWKEYS.");
+	packet_start(SSH2_MSG_NEWKEYS);
+	packet_send();
+	packet_write_wait();
+	debug("done: send SSH2_MSG_NEWKEYS.");
+
+#ifdef DEBUG_KEXDH
+	/* send 1st encrypted/maced/compressed message */
+	packet_start(SSH2_MSG_IGNORE);
+	packet_put_cstring("markus");
+	packet_send();
+	packet_write_wait();
+#endif
+	debug("done: KEX2.");
+}
+
+/*
+ * Authenticate user
+ */
+int
+ssh2_try_passwd(const char *server_user, const char *host, const char *service)
+{
+	static int attempt = 0;
+	char prompt[80];
+	char *password;
+
+	if (attempt++ > options.number_of_password_prompts)
+		return 0;
+
+	snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
+	    server_user, host);
+	password = read_passphrase(prompt, 0);
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(server_user);
+	packet_put_cstring(service);
+	packet_put_cstring("password");
+	packet_put_char(0);
+	packet_put_cstring(password);
+	memset(password, 0, strlen(password));
+	xfree(password);
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+
+int
+ssh2_try_pubkey(char *filename,
+    const char *server_user, const char *host, const char *service)
+{
+	Buffer b;
+	Key *k;
+	unsigned char *blob, *signature;
+	int bloblen, slen;
+	struct stat st;
+
+	if (stat(filename, &st) != 0) {
+		debug("key does not exist: %s", filename);
+		return 0;
+	}
+	debug("try pubkey: %s", filename);
+
+	k = key_new(KEY_DSA);
+	if (!load_private_key(filename, "", k, NULL)) {
+		int success = 0;
+		char *passphrase;
+		char prompt[300];
+		snprintf(prompt, sizeof prompt,
+		     "Enter passphrase for DSA key '%.100s': ",
+		     filename);
+		passphrase = read_passphrase(prompt, 0);
+		success = load_private_key(filename, passphrase, k, NULL);
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+		if (!success)
+			return 0;
+	}
+	dsa_make_key_blob(k, &blob, &bloblen);
+
+	/* data to be signed */
+	buffer_init(&b);
+	buffer_append(&b, session_id2, session_id2_len);
+	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+	buffer_put_cstring(&b, server_user);
+	buffer_put_cstring(&b,
+	    datafellows & SSH_BUG_PUBKEYAUTH ?
+	    "ssh-userauth" :
+	    service);
+	buffer_put_cstring(&b, "publickey");
+	buffer_put_char(&b, 1);
+	buffer_put_cstring(&b, KEX_DSS); 
+	buffer_put_string(&b, blob, bloblen);
+
+	/* generate signature */
+	dsa_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+	key_free(k);
+#ifdef DEBUG_DSS
+	buffer_dump(&b);
+#endif
+	if (datafellows & SSH_BUG_PUBKEYAUTH) {
+		/* e.g. ssh-2.0.13: data-to-be-signed != data-on-the-wire */
+		buffer_clear(&b);
+		buffer_append(&b, session_id2, session_id2_len);
+		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+		buffer_put_cstring(&b, server_user);
+		buffer_put_cstring(&b, service);
+		buffer_put_cstring(&b, "publickey");
+		buffer_put_char(&b, 1);
+		buffer_put_cstring(&b, KEX_DSS); 
+		buffer_put_string(&b, blob, bloblen);
+	}
+	xfree(blob);
+	/* append signature */
+	buffer_put_string(&b, signature, slen);
+	xfree(signature);
+
+	/* skip session id and packet type */
+	if (buffer_len(&b) < session_id2_len + 1)
+		fatal("ssh2_try_pubkey: internal error");
+	buffer_consume(&b, session_id2_len + 1);
+
+	/* put remaining data from buffer into packet */
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_raw(buffer_ptr(&b), buffer_len(&b));
+	buffer_free(&b);
+
+	/* send */
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+
+void
+ssh_userauth2(const char *server_user, char *host)
+{
+	int type;
+	int plen;
+	int sent;
+	unsigned int dlen;
+	int partial;
+	int i = 0;
+	char *auths;
+	char *service = "ssh-connection";		/* service name */
+
+	debug("send SSH2_MSG_SERVICE_REQUEST");
+	packet_start(SSH2_MSG_SERVICE_REQUEST);
+	packet_put_cstring("ssh-userauth");
+	packet_send();
+	packet_write_wait();
+
+	type = packet_read(&plen);
+	if (type != SSH2_MSG_SERVICE_ACCEPT) {
+		fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type);
+	}
+	if (packet_remaining() > 0) {
+		char *reply = packet_get_string(&plen);
+		debug("service_accept: %s", reply);
+		xfree(reply);
+	} else {
+		/* payload empty for ssh-2.0.13 ?? */
+		debug("buggy server: service_accept w/o service");
+	}
+	packet_done();
+	debug("got SSH2_MSG_SERVICE_ACCEPT");
+
+	/* INITIAL request for auth */
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(server_user);
+	packet_put_cstring(service);
+	packet_put_cstring("none");
+	packet_send();
+	packet_write_wait();
+
+	for (;;) {
+		sent = 0;
+		type = packet_read(&plen);
+		if (type == SSH2_MSG_USERAUTH_SUCCESS)
+			break;
+		if (type != SSH2_MSG_USERAUTH_FAILURE)
+			fatal("access denied: %d", type);
+		/* SSH2_MSG_USERAUTH_FAILURE means: try again */
+		auths = packet_get_string(&dlen);
+		debug("authentications that can continue: %s", auths);
+		partial = packet_get_char();
+		packet_done();
+		if (partial)
+			debug("partial success");
+		if (options.dsa_authentication &&
+		    strstr(auths, "publickey") != NULL) {
+			while (i < options.num_identity_files2) {
+				sent = ssh2_try_pubkey(
+				    options.identity_files2[i++],
+				    server_user, host, service);
+				if (sent)
+					break;
+			}
+		}
+		if (!sent) {
+			if (options.password_authentication &&
+			    !options.batch_mode &&
+			    strstr(auths, "password") != NULL) {
+				sent = ssh2_try_passwd(server_user, host, service);
+			}
+		}
+		if (!sent)
+			fatal("Permission denied (%s).", auths);
+		xfree(auths);
+	}
+	packet_done();
+	debug("ssh-userauth2 successfull");
+}
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
new file mode 100644
index 0000000..87add4d
--- /dev/null
+++ b/crypto/openssh/sshd.8
@@ -0,0 +1,1030 @@
+.\"  -*- nroff -*-
+.\"
+.\" sshd.8.in
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sat Apr 22 21:55:14 1995 ylo
+.\"
+.\" $Id: sshd.8,v 1.51 2000/05/08 17:42:31 hugh Exp $
+.\" $FreeBSD$
+.\"
+.Dd September 25, 1999
+.Dt SSHD 8
+.Os
+.Sh NAME
+.Nm sshd
+.Nd secure shell daemon
+.Sh SYNOPSIS
+.Nm sshd
+.Op Fl diqQ46
+.Op Fl b Ar bits
+.Op Fl f Ar config_file
+.Op Fl g Ar login_grace_time
+.Op Fl h Ar host_key_file
+.Op Fl k Ar key_gen_time
+.Op Fl p Ar port
+.Op Fl V Ar client_protocol_id
+.Sh DESCRIPTION
+.Nm
+(Secure Shell Daemon) is the daemon program for
+.Xr ssh 1 .
+Together these programs replace rlogin and rsh, and
+provide secure encrypted communications between two untrusted hosts
+over an insecure network.
+The programs are intended to be as easy to
+install and use as possible.
+.Pp
+.Nm
+is the daemon that listens for connections from clients.
+It is normally started at boot from 
+.Pa /etc/rc.network .
+It forks a new
+daemon for each incoming connection.
+The forked daemons handle
+key exchange, encryption, authentication, command execution,
+and data exchange.
+This implementation of
+.Nm
+supports both SSH protocol version 1 and 2 simultaneously.
+.Nm
+works as follows.
+.Pp
+.Ss SSH protocol version 1
+.Pp
+Each host has a host-specific RSA key
+(normally 1024 bits) used to identify the host.
+Additionally, when
+the daemon starts, it generates a server RSA key (normally 768 bits).
+This key is normally regenerated every hour if it has been used, and
+is never stored on disk.
+.Pp
+Whenever a client connects the daemon responds with its public
+host and server keys.
+The client compares the
+RSA host key against its own database to verify that it has not changed.
+The client then generates a 256 bit random number.
+It encrypts this
+random number using both the host key and the server key, and sends
+the encrypted number to the server.
+Both sides then use this
+random number as a session key which is used to encrypt all further
+communications in the session.
+The rest of the session is encrypted
+using a conventional cipher, currently Blowfish or 3DES, with 3DES
+being used by default.
+The client selects the encryption algorithm
+to use from those offered by the server.
+.Pp
+Next, the server and the client enter an authentication dialog.
+The client tries to authenticate itself using
+.Pa .rhosts
+authentication,
+.Pa .rhosts
+authentication combined with RSA host
+authentication, RSA challenge-response authentication, or password
+based authentication.
+.Pp
+Rhosts authentication is normally disabled
+because it is fundamentally insecure, but can be enabled in the server
+configuration file if desired.
+System security is not improved unless
+.Xr rshd 8 ,
+.Xr rlogind 8 ,
+.Xr rexecd 8 ,
+and
+.Xr rexd 8
+are disabled (thus completely disabling
+.Xr rlogin 1
+and
+.Xr rsh 1
+into the machine).
+.Pp
+.Ss SSH protocol version 2
+.Pp
+Version 2 works similar:
+Each host has a host-specific DSA key used to identify the host.
+However, when the daemon starts, it does not generate a server key.
+Forward security is provided through a Diffie-Hellman key agreement.
+This key agreement results in a shared session key.
+The rest of the session is encrypted
+using a symmetric cipher, currently
+Blowfish, 3DES or CAST128 in CBC mode or Arcfour.
+The client selects the encryption algorithm
+to use from those offered by the server.
+Additionally, session integrity is provided
+through a cryptographic message authentication code
+(hmac-sha1 or hmac-md5).
+.Pp
+Protocol version 2 provides a public key based
+user authentication method (DSAAuthentication)
+and conventional password authentication.
+.Pp
+.Ss Command execution and data forwarding
+.Pp
+If the client successfully authenticates itself, a dialog for
+preparing the session is entered.
+At this time the client may request
+things like allocating a pseudo-tty, forwarding X11 connections,
+forwarding TCP/IP connections, or forwarding the authentication agent
+connection over the secure channel.
+.Pp
+Finally, the client either requests a shell or execution of a command.
+The sides then enter session mode.
+In this mode, either side may send
+data at any time, and such data is forwarded to/from the shell or
+command on the server side, and the user terminal in the client side.
+.Pp
+When the user program terminates and all forwarded X11 and other
+connections have been closed, the server sends command exit status to
+the client, and both sides exit.
+.Pp
+.Nm
+can be configured using command-line options or a configuration
+file.
+Command-line options override values specified in the
+configuration file.
+.Pp
+.Nm
+rereads its configuration file when it receives a hangup signal,
+.Dv SIGHUP .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar bits
+Specifies the number of bits in the server key (default 768).
+.Pp
+.It Fl d
+Debug mode.
+The server sends verbose debug output to the system
+log, and does not put itself in the background.
+The server also will not fork and will only process one connection.
+This option is only intended for debugging for the server.
+.It Fl f Ar configuration_file
+Specifies the name of the configuration file.
+The default is
+.Pa /etc/ssh/sshd_config .
+.Nm
+refuses to start if there is no configuration file.
+.It Fl g Ar login_grace_time
+Gives the grace time for clients to authenticate themselves (default
+300 seconds).
+If the client fails to authenticate the user within
+this many seconds, the server disconnects and exits.
+A value of zero indicates no limit.
+.It Fl h Ar host_key_file
+Specifies the file from which the RSA host key is read (default
+.Pa /etc/ssh/ssh_host_key ) .
+This option must be given if
+.Nm
+is not run as root (as the normal
+host file is normally not readable by anyone but root).
+.It Fl i
+Specifies that
+.Nm
+is being run from inetd.
+.Nm
+is normally not run
+from inetd because it needs to generate the server key before it can
+respond to the client, and this may take tens of seconds.
+Clients would have to wait too long if the key was regenerated every time.
+However, with small key sizes (e.g., 512) using
+.Nm
+from inetd may
+be feasible.
+.It Fl k Ar key_gen_time
+Specifies how often the server key is regenerated (default 3600
+seconds, or one hour).
+The motivation for regenerating the key fairly
+often is that the key is not stored anywhere, and after about an hour,
+it becomes impossible to recover the key for decrypting intercepted
+communications even if the machine is cracked into or physically
+seized.
+A value of zero indicates that the key will never be regenerated.
+.It Fl p Ar port
+Specifies the port on which the server listens for connections
+(default 22).
+.It Fl q
+Quiet mode.
+Nothing is sent to the system log.
+Normally the beginning,
+authentication, and termination of each connection is logged.
+.It Fl Q
+Do not print an error message if RSA support is missing.
+.It Fl V Ar client_protocol_id
+SSH2 compatibility mode.
+When this option is specified
+.Nm
+assumes the client has sent the supplied version string
+and skips the
+Protocol Version Identification Exchange.
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.El
+.Sh CONFIGURATION FILE
+.Nm
+reads configuration data from
+.Pa /etc/ssh/sshd_config
+(or the file specified with
+.Fl f
+on the command line).
+The file contains keyword-value pairs, one per line.
+Lines starting with
+.Ql #
+and empty lines are interpreted as comments.
+.Pp
+The following keywords are possible.
+.Bl -tag -width Ds
+.It Cm AFSTokenPassing
+Specifies whether an AFS token may be forwarded to the server.
+Default is
+.Dq yes .
+.It Cm AllowGroups
+This keyword can be followed by a number of group names, separated
+by spaces.
+If specified, login is allowed only for users whose primary
+group matches one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid, a numerical group ID isn't recognized.
+By default login is allowed regardless of the primary group.
+.Pp
+.It Cm AllowUsers
+This keyword can be followed by a number of user names, separated
+by spaces.
+If specified, login is allowed only for users names that
+match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only user names are valid, a numerical user ID isn't recognized.
+By default login is allowed regardless of the user name.
+.Pp
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
+.It Cm CheckMail
+Specifies whether
+.Nm
+should check for new mail for interactive logins.
+The default is
+.Dq yes .
+.It Cm ConnectionsPerPeriod
+This keyword allows for rate-limiting of connections, and
+is followed by two numbers in the format
+.Dq n/s ,
+where
+.Ar n
+is the number of connections from a certain address group
+accepted per period of
+.Ar s
+seconds.  Any connection after the number
+.Ar n
+connection in the period of
+.Ar s
+seconds will be dropped, and an informational message will be logged.
+A connection will belong to a certain group, of which there are 13
+by default, according to its IP address.
+The default for this keyword is
+.Dq 0/0 ,
+and rate-limiting can be explicitly turned off by using an
+.Ar n
+parameter of
+.Ql 0
+and any
+.Ar s
+parameter.
+.It Cm DenyGroups
+This keyword can be followed by a number of group names, separated
+by spaces.
+Users whose primary group matches one of the patterns
+aren't allowed to log in.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid, a numerical group ID isn't recognized.
+By default login is allowed regardless of the primary group.
+.Pp
+.It Cm DenyUsers
+This keyword can be followed by a number of user names, separated
+by spaces.
+Login is disallowed for user names that match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the patterns.
+Only user names are valid, a numerical user ID isn't recognized.
+By default login is allowed regardless of the user name.
+.It Cm DSAAuthentication
+Specifies whether DSA authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to ports
+forwarded for the client.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm HostDsaKey
+Specifies the file containing the private DSA host key (default
+.Pa /etc/ssh/ssh_host_dsa_key )
+used by SSH protocol 2.0.
+Note that
+.Nm
+disables protocol 2.0 if this file is group/world-accessible.
+.It Cm HostKey
+Specifies the file containing the private RSA host key (default
+.Pa /etc/ssh/ssh_host_key )
+used by SSH protocols 1.3 and 1.5.
+Note that
+.Nm
+disables protocols 1.3 and 1.5 if this file is group/world-accessible.
+.It Cm IgnoreRhosts
+Specifies that
+.Pa .rhosts
+and
+.Pa .shosts
+files will not be used in authentication.
+.Pa /etc/hosts.equiv
+and
+.Pa /etc/ssh/shosts.equiv 
+are still used.
+The default is
+.Dq yes .
+.It Cm IgnoreUserKnownHosts
+Specifies whether
+.Nm
+should ignore the user's
+.Pa $HOME/.ssh/known_hosts
+during
+.Cm RhostsRSAAuthentication .
+The default is
+.Dq no .
+.It Cm KeepAlive
+Specifies whether the system should send keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+On the other hand, if keepalives are not sent,
+sessions may hang indefinitely on the server, leaving
+.Dq ghost
+users and consuming server resources.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the server will notice
+if the network goes down or the client host reboots.
+This avoids infinitely hanging sessions.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no
+in both the server and the client configuration files.
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication is allowed.
+This can be in the form of a Kerberos ticket, or if
+.Cm PasswordAuthentication
+is yes, the password provided by the user will be validated through
+the Kerberos KDC.
+Default is
+.Dq yes .
+.It Cm KerberosOrLocalPasswd
+If set then if password authentication through Kerberos fails then
+the password will be validated via any additional local mechanism
+such as
+.Pa /etc/passwd
+or SecurID.
+Default is
+.Dq yes .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT may be forwarded to the server.
+Default is
+.Dq no ,
+as this only works when the Kerberos KDC is actually an AFS kaserver.
+.It Cm KerberosTicketCleanup
+Specifies whether to automatically destroy the user's ticket cache
+file on logout.
+Default is
+.Dq yes .
+.It Cm KeyRegenerationInterval
+The server key is automatically regenerated after this many seconds
+(if it has been used).
+The purpose of regeneration is to prevent
+decrypting captured sessions by later breaking into the machine and
+stealing the keys.
+The key is never stored anywhere.
+If the value is 0, the key is never regenerated.
+The default is 3600 (seconds).
+.It Cm ListenAddress
+Specifies what local address
+.Nm
+should listen on.
+The default is to listen to all local addresses.
+Multiple options of this type are permitted.
+Additionally, the
+.Cm Ports
+options must precede this option.
+.It Cm LoginGraceTime
+The server disconnects after this time if the user has not
+successfully logged in.
+If the value is 0, there is no time limit.
+The default is 60 (seconds).
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm sshd .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
+The default is INFO.
+Logging with level DEBUG violates the privacy of users
+and is not recommended.
+.It Cm PasswordAuthentication
+Specifies whether password authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to both protocol version 1 and 2.
+.It Cm PermitEmptyPasswords
+When password authentication is allowed, it specifies whether the
+server allows login to accounts with empty password strings.
+The default is
+.Dq no .
+.It Cm PermitRootLogin
+Specifies whether the root can log in using
+.Xr ssh 1 .
+The argument must be
+.Dq yes ,
+.Dq without-password
+or
+.Dq no .
+The default is
+.Dq no .
+If this options is set to
+.Dq without-password
+only password authentication is disabled for root.
+.Pp
+Root login with RSA authentication when the
+.Ar command
+option has been
+specified will be allowed regardless of the value of this setting
+(which may be useful for taking remote backups even if root login is
+normally not allowed).
+.It Cm PidFile
+Specifies the file that contains the process identifier of the
+.Nm
+daemon.
+The default is
+.Pa /var/run/sshd.pid .
+.It Cm Port
+Specifies the port number that
+.Nm
+listens on.
+The default is 22.
+Multiple options of this type are permitted.
+.It Cm PrintMotd
+Specifies whether
+.Nm
+should print
+.Pa /etc/motd
+when a user logs in interactively.
+(On some systems it is also printed by the shell,
+.Pa /etc/profile ,
+or equivalent.)
+The default is
+.Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
+.It Cm RandomSeed
+Obsolete - accepted and ignored with a warning.
+Random number generation uses other techniques.
+.It Cm RhostsAuthentication
+Specifies whether authentication using rhosts or
+.Pa /etc/hosts.equiv
+files is sufficient.
+Normally, this method should not be permitted because it is insecure.
+.Cm RhostsRSAAuthentication
+should be used
+instead, because it performs RSA-based host authentication in addition
+to normal rhosts or
+.Pa /etc/hosts.equiv
+authentication.
+The default is
+.Dq no .
+.It Cm RhostsRSAAuthentication
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
+with successful RSA host authentication is allowed.
+The default is
+.Dq no .
+.It Cm RSAAuthentication
+Specifies whether pure RSA authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 1 only.
+.It Cm ServerKeyBits
+Defines the number of bits in the server key.
+The minimum value is 512, and the default is 768.
+.It Cm SkeyAuthentication
+Specifies whether
+.Xr skey 1
+authentication is allowed.
+The default is
+.Dq yes .
+Note that OPIE authentication is enabled only if
+.Cm PasswordAuthentication
+is allowed, too.
+.It Cm StrictModes
+Specifies whether
+.Nm
+should check file modes and ownership of the
+user's files and home directory before accepting login.
+This is normally desirable because novices sometimes accidentally leave their
+directory or files world-writable.
+The default is
+.Dq yes .
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Nm sshd .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Cm UseLogin
+Specifies whether
+.Xr login 1
+is used.
+The default is
+.Dq no .
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Nm sshd Ns 's
+X11 forwarding.
+This prevents
+.Nm
+from interfering with real X11 servers.
+The default is 10.
+.It Cm X11Forwarding
+Specifies whether X11 forwarding is permitted.
+The default is
+.Dq no .
+Note that disabling X11 forwarding does not improve security in any
+way, as users can always install their own forwarders.
+.El
+.Sh LOGIN PROCESS
+When a user successfully logs in,
+.Nm
+does the following:
+.Bl -enum -offset indent
+.It
+If the login is on a tty, and no command has been specified,
+prints last login time and
+.Pa /etc/motd
+(unless prevented in the configuration file or by
+.Pa $HOME/.hushlogin ;
+see the
+.Sx FILES
+section).
+.It
+If the login is on a tty, records login time.
+.It
+Checks
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
+(unless root).
+.It
+Changes to run with normal user privileges.
+.It
+Sets up basic environment.
+.It
+Reads
+.Pa $HOME/.ssh/environment
+if it exists.
+.It
+Changes to user's home directory.
+.It
+If
+.Pa $HOME/.ssh/rc
+exists, runs it; else if
+.Pa /etc/ssh/sshrc
+exists, runs
+it; otherwise runs
+.Xr xauth 1 .
+The
+.Dq rc
+files are given the X11
+authentication protocol and cookie (if applicable) in standard input.
+.It
+Runs user's shell or command.
+.El
+.Sh AUTHORIZED_KEYS FILE FORMAT
+The
+.Pa $HOME/.ssh/authorized_keys
+file lists the RSA keys that are
+permitted for RSA authentication in SSH protocols 1.3 and 1.5
+Similarly, the
+.Pa $HOME/.ssh/authorized_keys2
+file lists the DSA keys that are
+permitted for DSA authentication in SSH protocol 2.0.
+Each line of the file contains one
+key (empty lines and lines starting with a
+.Ql #
+are ignored as
+comments).
+Each line consists of the following fields, separated by
+spaces: options, bits, exponent, modulus, comment.
+The options field
+is optional; its presence is determined by whether the line starts
+with a number or not (the option field never starts with a number).
+The bits, exponent, modulus and comment fields give the RSA key; the
+comment field is not used for anything (but may be convenient for the
+user to identify the key).
+.Pp
+Note that lines in this file are usually several hundred bytes long
+(because of the size of the RSA key modulus).
+You don't want to type them in; instead, copy the
+.Pa identity.pub
+file and edit it.
+.Pp
+The options (if present) consists of comma-separated option
+specifications.
+No spaces are permitted, except within double quotes.
+The following option specifications are supported:
+.Bl -tag -width Ds
+.It Cm from="pattern-list"
+Specifies that in addition to RSA authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns
+.Pf ( Ql *
+and
+.Ql ?
+serve as wildcards).
+The list may also contain
+patterns negated by prefixing them with
+.Ql ! ;
+if the canonical host name matches a negated pattern, the key is not accepted.
+The purpose
+of this option is to optionally increase security: RSA authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.It Cm command="command"
+Specifies that the command is executed whenever this key is used for
+authentication.
+The command supplied by the user (if any) is ignored.
+The command is run on a pty if the connection requests a pty;
+otherwise it is run without a tty.
+A quote may be included in the command by quoting it with a backslash.
+This option might be useful
+to restrict certain RSA keys to perform just a specific operation.
+An example might be a key that permits remote backups but nothing else.
+Note that the client may specify TCP/IP and/or X11
+forwarding unless they are explicitly prohibited.
+.It Cm environment="NAME=value"
+Specifies that the string is to be added to the environment when
+logging in using this key.
+Environment variables set this way
+override other default environment values.
+Multiple options of this type are permitted.
+.It Cm no-port-forwarding
+Forbids TCP/IP forwarding when this key is used for authentication.
+Any port forward requests by the client will return an error.
+This might be used, e.g., in connection with the
+.Cm command
+option.
+.It Cm no-X11-forwarding
+Forbids X11 forwarding when this key is used for authentication.
+Any X11 forward requests by the client will return an error.
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
+.El
+.Ss Examples
+.Bd -literal
+1024 33 12121...312314325 ylo@foo.bar
+from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
+command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
+.Ed
+.Sh SSH_KNOWN_HOSTS FILE FORMAT
+The
+.Pa /etc/ssh/ssh_known_hosts ,
+.Pa /etc/ssh/ssh_known_hosts2 ,
+.Pa $HOME/.ssh/known_hosts ,
+and
+.Pa $HOME/.ssh/known_hosts2
+files contain host public keys for all known hosts.
+The global file should
+be prepared by the administrator (optional), and the per-user file is
+maintained automatically: whenever the user connects an unknown host
+its key is added to the per-user file.
+.Pp
+Each line in these files contains the following fields: hostnames,
+bits, exponent, modulus, comment.
+The fields are separated by spaces.
+.Pp
+Hostnames is a comma-separated list of patterns ('*' and '?' act as
+wildcards); each pattern in turn is matched against the canonical host
+name (when authenticating a client) or against the user-supplied
+name (when authenticating a server).
+A pattern may also be preceded by
+.Ql !
+to indicate negation: if the host name matches a negated
+pattern, it is not accepted (by that line) even if it matched another
+pattern on the line.
+.Pp
+Bits, exponent, and modulus are taken directly from the RSA host key; they
+can be obtained, e.g., from
+.Pa /etc/ssh/ssh_host_key.pub .
+The optional comment field continues to the end of the line, and is not used.
+.Pp
+Lines starting with
+.Ql #
+and empty lines are ignored as comments.
+.Pp
+When performing host authentication, authentication is accepted if any
+matching line has the proper key.
+It is thus permissible (but not
+recommended) to have several lines or different host keys for the same
+names.
+This will inevitably happen when short forms of host names
+from different domains are put in the file.
+It is possible
+that the files contain conflicting information; authentication is
+accepted if valid information can be found from either file.
+.Pp
+Note that the lines in these files are typically hundreds of characters
+long, and you definitely don't want to type in the host keys by hand.
+Rather, generate them by a script
+or by taking
+.Pa /etc/ssh/ssh_host_key.pub
+and adding the host names at the front.
+.Ss Examples
+.Bd -literal
+closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
+.Ed
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/sshd_config
+Contains configuration data for
+.Nm sshd .
+This file should be writable by root only, but it is recommended
+(though not necessary) that it be world-readable.
+.It Pa /etc/ssh/ssh_host_key
+Contains the private part of the host key.
+This file should only be owned by root, readable only by root, and not
+accessible to others.
+Note that
+.Nm
+does not start if this file is group/world-accessible.
+.It Pa /etc/ssh/ssh_host_key.pub
+Contains the public part of the host key.
+This file should be world-readable but writable only by
+root.
+Its contents should match the private part.
+This file is not
+really used for anything; it is only provided for the convenience of
+the user so its contents can be copied to known hosts files.
+These two files are created using
+.Xr ssh-keygen 1 .
+.It Pa /var/run/sshd.pid
+Contains the process ID of the
+.Nm
+listening for connections (if there are several daemons running
+concurrently for different ports, this contains the pid of the one
+started last).
+The contents of this file are not sensitive; it can be world-readable.
+.It Pa $HOME/.ssh/authorized_keys
+Lists the RSA keys that can be used to log into the user's account.
+This file must be readable by root (which may on some machines imply
+it being world-readable if the user's home directory resides on an NFS
+volume).
+It is recommended that it not be accessible by others.
+The format of this file is described above.
+Users will place the contents of their
+.Pa identity.pub
+files into this file, as described in
+.Xr ssh-keygen 1 .
+.It Pa $HOME/.ssh/authorized_keys2
+Lists the DSA keys that can be used to log into the user's account.
+This file must be readable by root (which may on some machines imply
+it being world-readable if the user's home directory resides on an NFS
+volume).
+It is recommended that it not be accessible by others.
+The format of this file is described above.
+Users will place the contents of their
+.Pa id_dsa.pub
+files into this file, as described in
+.Xr ssh-keygen 1 .
+.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
+These files are consulted when using rhosts with RSA host
+authentication to check the public key of the host.
+The key must be listed in one of these files to be accepted.
+The client uses the same files
+to verify that the remote host is the one we intended to connect.
+These files should be writable only by root/the owner.
+.Pa /etc/ssh/ssh_known_hosts
+should be world-readable, and
+.Pa $HOME/.ssh/known_hosts
+can but need not be world-readable.
+.It Pa /etc/nologin
+If this file exists,
+.Nm
+refuses to let anyone except root log in.
+The contents of the file
+are displayed to anyone trying to log in, and non-root connections are
+refused.
+The file should be world-readable.
+.It Pa /etc/hosts.allow
+If compiled with
+.Sy LIBWRAP
+support, tcp-wrappers access controls may be defined here as described in
+.Xr hosts_access 5 .
+.It Pa $HOME/.rhosts
+This file contains host-username pairs, separated by a space, one per
+line.
+The given user on the corresponding host is permitted to log in
+without password.
+The same file is used by rlogind and rshd.
+The file must
+be writable only by the user; it is recommended that it not be
+accessible by others.
+.Pp
+If is also possible to use netgroups in the file.
+Either host or user
+name may be of the form +@groupname to specify all hosts or all users
+in the group.
+.It Pa $HOME/.shosts
+For ssh,
+this file is exactly the same as for
+.Pa .rhosts .
+However, this file is
+not used by rlogin and rshd, so using this permits access using SSH only.
+.It Pa /etc/hosts.equiv
+This file is used during
+.Pa .rhosts
+authentication.
+In the simplest form, this file contains host names, one per line.
+Users on
+those hosts are permitted to log in without a password, provided they
+have the same user name on both machines.
+The host name may also be
+followed by a user name; such users are permitted to log in as
+.Em any
+user on this machine (except root).
+Additionally, the syntax
+.Dq +@group
+can be used to specify netgroups.
+Negated entries start with
+.Ql \&- .
+.Pp
+If the client host/user is successfully matched in this file, login is
+automatically permitted provided the client and server user names are the
+same.
+Additionally, successful RSA host authentication is normally required.
+This file must be writable only by root; it is recommended
+that it be world-readable.
+.Pp
+.Sy "Warning: It is almost never a good idea to use user names in"
+.Pa hosts.equiv .
+Beware that it really means that the named user(s) can log in as
+.Em anybody ,
+which includes bin, daemon, adm, and other accounts that own critical
+binaries and directories.
+Using a user name practically grants the user root access.
+The only valid use for user names that I can think
+of is in negative entries.
+.Pp
+Note that this warning also applies to rsh/rlogin.
+.It Pa /etc/ssh/shosts.equiv
+This is processed exactly as
+.Pa /etc/hosts.equiv .
+However, this file may be useful in environments that want to run both
+rsh/rlogin and ssh.
+.It Pa $HOME/.ssh/environment
+This file is read into the environment at login (if it exists).
+It can only contain empty lines, comment lines (that start with
+.Ql # ) ,
+and assignment lines of the form name=value.
+The file should be writable
+only by the user; it need not be readable by anyone else.
+.It Pa $HOME/.ssh/rc
+If this file exists, it is run with
+.Pa /bin/sh
+after reading the
+environment files but before starting the user's shell or command.
+If X11 spoofing is in use, this will receive the "proto cookie" pair in
+standard input (and
+.Ev DISPLAY
+in environment).
+This must call
+.Xr xauth 1
+in that case.
+.Pp
+The primary purpose of this file is to run any initialization routines
+which may be needed before the user's home directory becomes
+accessible; AFS is a particular example of such an environment.
+.Pp
+This file will probably contain some initialization code followed by
+something similar to:
+.Bd -literal -offset indent
+if [ -n "$DISPLAY" ] && read proto cookie; then
+    echo add $DISPLAY $proto $cookie | xauth -q -
+fi
+.Ed
+.Pp
+If this file does not exist,
+.Pa /etc/ssh/sshrc
+is run, and if that
+does not exist either,
+.Xr xauth 1
+is used to store the cookie.
+.Pp
+This file should be writable only by the user, and need not be
+readable by anyone else.
+.It Pa /etc/ssh/sshrc
+Like
+.Pa $HOME/.ssh/rc .
+This can be used to specify
+machine-specific login-time initializations globally.
+This file should be writable only by root, and should be world-readable.
+.Sh AUTHOR
+OpenSSH
+is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
+but with bugs removed and newer features re-added.
+Rapidly after the
+1.2.12 release, newer versions of the original ssh bore successively
+more restrictive licenses, and thus demand for a free version was born.
+.Pp
+This version of OpenSSH
+.Bl -bullet
+.It
+has all components of a restrictive nature (i.e., patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+.It
+has been updated to support SSH protocol 1.5 and 2, making it compatible with
+all other SSH clients and servers.
+.It
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+.It
+supports one-time password authentication with
+.Xr skey 1 .
+.El
+.Pp
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Pp
+OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl,
+Niels Provos, Theo de Raadt, and Dug Song.
+.Pp
+The support for SSH protocol 2 was written by Markus Friedl.
+.Sh SEE ALSO
+.Xr scp 1 ,
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr ssl 8 ,
+.Xr rlogin 1 ,
+.Xr rsh 1
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
new file mode 100644
index 0000000..54306ef
--- /dev/null
+++ b/crypto/openssh/sshd.c
@@ -0,0 +1,1383 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Fri Mar 17 17:09:28 1995 ylo
+ * This program is the ssh daemon.  It listens for connections from clients, and
+ * performs authentication, executes use commands or shell, and forwards
+ * information to/from the application to the user client over an encrypted
+ * connection.  This can also handle forwarding of X11, TCP/IP, and authentication
+ * agent connections.
+ *
+ * SSH2 implementation,
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshd.c,v 1.118 2000/05/25 20:45:20 markus Exp $");
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh.h"
+#include "pty.h"
+#include "packet.h"
+#include "cipher.h"
+#include "mpaux.h"
+#include "servconf.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "buffer.h"
+#include <poll.h>
+#include <time.h>
+
+#include "ssh2.h"
+#include <openssl/dh.h>
+#include <openssl/bn.h>
+#include <openssl/hmac.h>
+#include "kex.h"
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include "key.h"
+#include "dsa.h"
+
+#include "auth.h"
+#include "myproposal.h"
+#include "authfile.h"
+
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
+#ifndef O_NOCTTY
+#define O_NOCTTY	0
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif /* KRB5 */
+
+/* Server configuration options. */
+ServerOptions options;
+
+/* Name of the server configuration file. */
+char *config_file_name = SERVER_CONFIG_FILE;
+
+/*
+ * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+ * Default value is AF_UNSPEC means both IPv4 and IPv6.
+ */
+int IPv4or6 = AF_UNSPEC;
+
+/*
+ * Debug mode flag.  This can be set on the command line.  If debug
+ * mode is enabled, extra debugging output will be sent to the system
+ * log, the daemon will not go to background, and will exit after processing
+ * the first connection.
+ */
+int debug_flag = 0;
+
+/* Flag indicating that the daemon is being started from inetd. */
+int inetd_flag = 0;
+
+/* debug goes to stderr unless inetd_flag is set */
+int log_stderr = 0;
+
+/* argv[0] without path. */
+char *av0;
+
+/* Saved arguments to main(). */
+char **saved_argv;
+
+/*
+ * The sockets that the server is listening; this is used in the SIGHUP
+ * signal handler.
+ */
+#define	MAX_LISTEN_SOCKS	16
+int listen_socks[MAX_LISTEN_SOCKS];
+int num_listen_socks = 0;
+
+/*
+ * the client's version string, passed by sshd2 in compat mode. if != NULL,
+ * sshd will skip the version-number exchange
+ */
+char *client_version_string = NULL;
+char *server_version_string = NULL;
+
+/*
+ * Any really sensitive data in the application is contained in this
+ * structure. The idea is that this structure could be locked into memory so
+ * that the pages do not get written into swap.  However, there are some
+ * problems. The private key contains BIGNUMs, and we do not (in principle)
+ * have access to the internals of them, and locking just the structure is
+ * not very useful.  Currently, memory locking is not implemented.
+ */
+struct {
+	RSA *private_key;	 /* Private part of empheral server key. */
+	RSA *host_key;		 /* Private part of host key. */
+	Key *dsa_host_key;       /* Private DSA host key. */
+} sensitive_data;
+
+/*
+ * Flag indicating whether the current session key has been used.  This flag
+ * is set whenever the key is used, and cleared when the key is regenerated.
+ */
+int key_used = 0;
+
+/* This is set to true when SIGHUP is received. */
+int received_sighup = 0;
+
+/* Public side of the server key.  This value is regenerated regularly with
+   the private key. */
+RSA *public_key;
+
+/* session identifier, used by RSA-auth */
+unsigned char session_id[16];
+
+/* same for ssh2 */
+unsigned char *session_id2 = NULL;
+int session_id2_len = 0;
+
+/* These are used to implement connections_per_period. */
+struct ratelim_connection {
+		struct timeval connections_begin;
+		unsigned int connections_this_period;
+} *ratelim_connections;
+
+static void
+ratelim_init(void) {
+		ratelim_connections = calloc(num_listen_socks,
+		    sizeof(struct ratelim_connection));
+		if (ratelim_connections == NULL)
+			fatal("calloc: %s", strerror(errno));
+}
+
+static __inline struct timeval
+timevaldiff(struct timeval *tv1, struct timeval *tv2) {
+	struct timeval diff;
+	int carry;
+
+	carry = tv1->tv_usec > tv2->tv_usec;
+	diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
+	diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
+
+	return diff;
+}
+
+/* Prototypes for various functions defined later in this file. */
+void do_ssh1_kex();
+void do_ssh2_kex();
+
+/*
+ * Close all listening sockets
+ */
+void
+close_listen_socks(void)
+{
+	int i;
+	for (i = 0; i < num_listen_socks; i++)
+		close(listen_socks[i]);
+	num_listen_socks = -1;
+}
+
+/*
+ * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
+ * the effect is to reread the configuration file (and to regenerate
+ * the server key).
+ */
+void
+sighup_handler(int sig)
+{
+	received_sighup = 1;
+	signal(SIGHUP, sighup_handler);
+}
+
+/*
+ * Called from the main program after receiving SIGHUP.
+ * Restarts the server.
+ */
+void
+sighup_restart()
+{
+	log("Received SIGHUP; restarting.");
+	close_listen_socks();
+	execv(saved_argv[0], saved_argv);
+	execv("/proc/curproc/file", saved_argv);
+	log("RESTART FAILED: av0='%s', error: %s.", av0, strerror(errno));
+	exit(1);
+}
+
+/*
+ * Generic signal handler for terminating signals in the master daemon.
+ * These close the listen socket; not closing it seems to cause "Address
+ * already in use" problems on some machines, which is inconvenient.
+ */
+void
+sigterm_handler(int sig)
+{
+	log("Received signal %d; terminating.", sig);
+	close_listen_socks();
+	unlink(options.pid_file);
+	exit(255);
+}
+
+/*
+ * SIGCHLD handler.  This is called whenever a child dies.  This will then
+ * reap any zombies left by exited c.
+ */
+void
+main_sigchld_handler(int sig)
+{
+	int save_errno = errno;
+	int status;
+
+	while (waitpid(-1, &status, WNOHANG) > 0)
+		;
+
+	signal(SIGCHLD, main_sigchld_handler);
+	errno = save_errno;
+}
+
+/*
+ * Signal handler for the alarm after the login grace period has expired.
+ */
+void
+grace_alarm_handler(int sig)
+{
+	/* Close the connection. */
+	packet_close();
+
+	/* Log error and exit. */
+	fatal("Timeout before authentication for %s.", get_remote_ipaddr());
+}
+
+/*
+ * Signal handler for the key regeneration alarm.  Note that this
+ * alarm only occurs in the daemon waiting for connections, and it does not
+ * do anything with the private key or random state before forking.
+ * Thus there should be no concurrency control/asynchronous execution
+ * problems.
+ */
+/* XXX do we really want this work to be done in a signal handler ? -m */
+void
+key_regeneration_alarm(int sig)
+{
+	int save_errno = errno;
+
+	/* Check if we should generate a new key. */
+	if (key_used) {
+		/* This should really be done in the background. */
+		log("Generating new %d bit RSA key.", options.server_key_bits);
+
+		if (sensitive_data.private_key != NULL)
+			RSA_free(sensitive_data.private_key);
+		sensitive_data.private_key = RSA_new();
+
+		if (public_key != NULL)
+			RSA_free(public_key);
+		public_key = RSA_new();
+
+		rsa_generate_key(sensitive_data.private_key, public_key,
+				 options.server_key_bits);
+		arc4random_stir();
+		key_used = 0;
+		log("RSA key generation complete.");
+	}
+	/* Reschedule the alarm. */
+	signal(SIGALRM, key_regeneration_alarm);
+	alarm(options.key_regeneration_time);
+	errno = save_errno;
+}
+
+void
+sshd_exchange_identification(int sock_in, int sock_out)
+{
+	int i, mismatch;
+	int remote_major, remote_minor;
+	int major, minor;
+	char *s;
+	char buf[256];			/* Must not be larger than remote_version. */
+	char remote_version[256];	/* Must be at least as big as buf. */
+
+	if ((options.protocol & SSH_PROTO_1) &&
+	    (options.protocol & SSH_PROTO_2)) {
+		major = PROTOCOL_MAJOR_1;
+		minor = 99;
+	} else if (options.protocol & SSH_PROTO_2) {
+		major = PROTOCOL_MAJOR_2;
+		minor = PROTOCOL_MINOR_2;
+	} else {
+		major = PROTOCOL_MAJOR_1;
+		minor = PROTOCOL_MINOR_1;
+	}
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+	server_version_string = xstrdup(buf);
+
+	if (client_version_string == NULL) {
+		/* Send our protocol version identification. */
+		if (atomicio(write, sock_out, server_version_string, strlen(server_version_string))
+		    != strlen(server_version_string)) {
+			log("Could not write ident string to %s.", get_remote_ipaddr());
+			fatal_cleanup();
+		}
+
+		/* Read other side\'s version identification. */
+		for (i = 0; i < sizeof(buf) - 1; i++) {
+			if (read(sock_in, &buf[i], 1) != 1) {
+				log("Did not receive ident string from %s.", get_remote_ipaddr());
+				fatal_cleanup();
+			}
+			if (buf[i] == '\r') {
+				buf[i] = '\n';
+				buf[i + 1] = 0;
+				continue;
+			}
+			if (buf[i] == '\n') {
+				/* buf[i] == '\n' */
+				buf[i + 1] = 0;
+				break;
+			}
+		}
+		buf[sizeof(buf) - 1] = 0;
+		client_version_string = xstrdup(buf);
+	}
+
+	/*
+	 * Check that the versions match.  In future this might accept
+	 * several versions and set appropriate flags to handle them.
+	 */
+	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
+	    &remote_major, &remote_minor, remote_version) != 3) {
+		s = "Protocol mismatch.\n";
+		(void) atomicio(write, sock_out, s, strlen(s));
+		close(sock_in);
+		close(sock_out);
+		log("Bad protocol version identification '%.100s' from %s",
+		    client_version_string, get_remote_ipaddr());
+		fatal_cleanup();
+	}
+	debug("Client protocol version %d.%d; client software version %.100s",
+	      remote_major, remote_minor, remote_version);
+
+	compat_datafellows(remote_version);
+
+	mismatch = 0;
+	switch(remote_major) {
+	case 1:
+		if (remote_minor == 99) {
+			if (options.protocol & SSH_PROTO_2)
+				enable_compat20();
+			else
+				mismatch = 1;
+			break;
+		}
+		if (!(options.protocol & SSH_PROTO_1)) {
+			mismatch = 1;
+			break;
+		}
+		if (remote_minor < 3) {
+			packet_disconnect("Your ssh version is too old and"
+			    "is no longer supported.  Please install a newer version.");
+		} else if (remote_minor == 3) {
+			/* note that this disables agent-forwarding */
+			enable_compat13();
+		}
+		break;
+	case 2:
+		if (options.protocol & SSH_PROTO_2) {
+			enable_compat20();
+			break;
+		}
+		/* FALLTHROUGH */
+	default:
+		mismatch = 1;
+		break;
+	}
+	chop(server_version_string);
+	chop(client_version_string);
+	debug("Local version string %.200s", server_version_string);
+
+	if (mismatch) {
+		s = "Protocol major versions differ.\n";
+		(void) atomicio(write, sock_out, s, strlen(s));
+		close(sock_in);
+		close(sock_out);
+		log("Protocol major versions differ for %s: %.200s vs. %.200s",
+		    get_remote_ipaddr(),
+		    server_version_string, client_version_string);
+		fatal_cleanup();
+	}
+	if (compat20)
+		packet_set_ssh2_format();
+}
+
+
+void
+destroy_sensitive_data(void)
+{
+	/* Destroy the private and public keys.  They will no longer be needed. */
+	if (public_key)
+		RSA_free(public_key);
+	if (sensitive_data.private_key)
+		RSA_free(sensitive_data.private_key);
+	if (sensitive_data.host_key)
+		RSA_free(sensitive_data.host_key);
+	if (sensitive_data.dsa_host_key != NULL)
+		key_free(sensitive_data.dsa_host_key);
+}
+
+/*
+ * Main program for the daemon.
+ */
+int
+main(int ac, char **av)
+{
+	extern char *optarg;
+	extern int optind;
+	int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1;
+	pid_t pid;
+	socklen_t fromlen;
+ 	int ratelim_exceeded = 0;
+	int silent = 0;
+	fd_set *fdset;
+	struct sockaddr_storage from;
+	const char *remote_ip;
+	int remote_port;
+	FILE *f;
+	struct linger linger;
+	struct addrinfo *ai;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int listen_sock, maxfd;
+
+	/* Save argv[0]. */
+	saved_argv = av;
+	if (strchr(av[0], '/'))
+		av0 = strrchr(av[0], '/') + 1;
+	else
+		av0 = av[0];
+
+	/* Initialize configuration options to their default values. */
+	initialize_server_options(&options);
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:diqQ46")) != EOF) {
+		switch (opt) {
+		case '4':
+			IPv4or6 = AF_INET;
+			break;
+		case '6':
+			IPv4or6 = AF_INET6;
+			break;
+		case 'f':
+			config_file_name = optarg;
+			break;
+		case 'd':
+			debug_flag = 1;
+			options.log_level = SYSLOG_LEVEL_DEBUG;
+			break;
+		case 'i':
+			inetd_flag = 1;
+			break;
+		case 'Q':
+			silent = 1;
+			break;
+		case 'q':
+			options.log_level = SYSLOG_LEVEL_QUIET;
+			break;
+		case 'b':
+			options.server_key_bits = atoi(optarg);
+			break;
+		case 'p':
+			options.ports_from_cmdline = 1;
+			if (options.num_ports >= MAX_PORTS)
+				fatal("too many ports.\n");
+			options.ports[options.num_ports++] = atoi(optarg);
+			break;
+		case 'g':
+			options.login_grace_time = atoi(optarg);
+			break;
+		case 'k':
+			options.key_regeneration_time = atoi(optarg);
+			break;
+		case 'h':
+			options.host_key_file = optarg;
+			break;
+		case 'V':
+			client_version_string = optarg;
+			/* only makes sense with inetd_flag, i.e. no listen() */
+			inetd_flag = 1;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "sshd version %s\n", SSH_VERSION);
+			fprintf(stderr, "Usage: %s [options]\n", av0);
+			fprintf(stderr, "Options:\n");
+			fprintf(stderr, "  -f file    Configuration file (default %s)\n", SERVER_CONFIG_FILE);
+			fprintf(stderr, "  -d         Debugging mode\n");
+			fprintf(stderr, "  -i         Started from inetd\n");
+			fprintf(stderr, "  -q         Quiet (no logging)\n");
+			fprintf(stderr, "  -p port    Listen on the specified port (default: 22)\n");
+			fprintf(stderr, "  -k seconds Regenerate server key every this many seconds (default: 3600)\n");
+			fprintf(stderr, "  -g seconds Grace period for authentication (default: 300)\n");
+			fprintf(stderr, "  -b bits    Size of server RSA key (default: 768 bits)\n");
+			fprintf(stderr, "  -h file    File from which to read host key (default: %s)\n",
+			    HOST_KEY_FILE);
+			fprintf(stderr, "  -4         Use IPv4 only\n");
+			fprintf(stderr, "  -6         Use IPv6 only\n");
+			exit(1);
+		}
+	}
+
+	/*
+	 * Force logging to stderr until we have loaded the private host
+	 * key (unless started from inetd)
+	 */
+	log_init(av0,
+	    options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+	    options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
+	    !silent && !inetd_flag);
+
+	/* Read server configuration options from the configuration file. */
+	read_server_config(&options, config_file_name);
+
+	/* Fill in default values for those options not explicitly set. */
+	fill_default_server_options(&options);
+
+	/* Check that there are no remaining arguments. */
+	if (optind < ac) {
+		fprintf(stderr, "Extra argument %s.\n", av[optind]);
+		exit(1);
+	}
+
+	debug("sshd version %.100s", SSH_VERSION);
+
+	sensitive_data.dsa_host_key = NULL;
+	sensitive_data.host_key = NULL;
+
+	/* check if RSA support exists */
+	if ((options.protocol & SSH_PROTO_1) &&
+	    rsa_alive() == 0) {
+		log("no RSA support in libssl and libcrypto.  See ssl(8)");
+		log("Disabling protocol version 1");
+		options.protocol &= ~SSH_PROTO_1;
+	}
+	/* Load the RSA/DSA host key.  It must have empty passphrase. */
+	if (options.protocol & SSH_PROTO_1) {
+		Key k;
+		sensitive_data.host_key = RSA_new();
+		k.type = KEY_RSA;
+		k.rsa = sensitive_data.host_key;
+		errno = 0;
+		if (!load_private_key(options.host_key_file, "", &k, NULL)) {
+			error("Could not load host key: %.200s: %.100s",
+			    options.host_key_file, strerror(errno));
+			log("Disabling protocol version 1");
+			options.protocol &= ~SSH_PROTO_1;
+		}
+		k.rsa = NULL;
+	}
+	if (options.protocol & SSH_PROTO_2) {
+		sensitive_data.dsa_host_key = key_new(KEY_DSA);
+		if (!load_private_key(options.host_dsa_key_file, "", sensitive_data.dsa_host_key, NULL)) {
+
+			error("Could not load DSA host key: %.200s", options.host_dsa_key_file);
+			log("Disabling protocol version 2");
+			options.protocol &= ~SSH_PROTO_2;
+		}
+	}
+	if (! options.protocol & (SSH_PROTO_1|SSH_PROTO_2)) {
+		if (silent == 0)
+			fprintf(stderr, "sshd: no hostkeys available -- exiting.\n");
+		log("sshd: no hostkeys available -- exiting.\n");
+		exit(1);
+	}
+
+	/* Check certain values for sanity. */
+	if (options.protocol & SSH_PROTO_1) {
+		if (options.server_key_bits < 512 ||
+		    options.server_key_bits > 32768) {
+			fprintf(stderr, "Bad server key size.\n");
+			exit(1);
+		}
+		/*
+		 * Check that server and host key lengths differ sufficiently. This
+		 * is necessary to make double encryption work with rsaref. Oh, I
+		 * hate software patents. I dont know if this can go? Niels
+		 */
+		if (options.server_key_bits >
+		    BN_num_bits(sensitive_data.host_key->n) - SSH_KEY_BITS_RESERVED &&
+		    options.server_key_bits <
+		    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
+			options.server_key_bits =
+			    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED;
+			debug("Forcing server key to %d bits to make it differ from host key.",
+			    options.server_key_bits);
+		}
+	}
+
+	/* Initialize the log (it is reinitialized below in case we forked). */
+	if (debug_flag && !inetd_flag)
+		log_stderr = 1;
+	log_init(av0, options.log_level, options.log_facility, log_stderr);
+
+	/*
+	 * If not in debugging mode, and not started from inetd, disconnect
+	 * from the controlling terminal, and fork.  The original process
+	 * exits.
+	 */
+	if (!debug_flag && !inetd_flag) {
+#ifdef TIOCNOTTY
+		int fd;
+#endif /* TIOCNOTTY */
+		if (daemon(0, 0) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
+
+		/* Disconnect from the controlling tty. */
+#ifdef TIOCNOTTY
+		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+		if (fd >= 0) {
+			(void) ioctl(fd, TIOCNOTTY, NULL);
+			close(fd);
+		}
+#endif /* TIOCNOTTY */
+	}
+	/* Reinitialize the log (because of the fork above). */
+	log_init(av0, options.log_level, options.log_facility, log_stderr);
+
+	/* Do not display messages to stdout in RSA code. */
+	rsa_set_verbose(0);
+
+	/* Initialize the random number generator. */
+	arc4random_stir();
+
+	/* Chdir to the root directory so that the current disk can be
+	   unmounted if desired. */
+	chdir("/");
+
+	/* Start listening for a socket, unless started from inetd. */
+	if (inetd_flag) {
+		int s1, s2;
+		s1 = dup(0);	/* Make sure descriptors 0, 1, and 2 are in use. */
+		s2 = dup(s1);
+		sock_in = dup(0);
+		sock_out = dup(1);
+		/*
+		 * We intentionally do not close the descriptors 0, 1, and 2
+		 * as our code for setting the descriptors won\'t work if
+		 * ttyfd happens to be one of those.
+		 */
+		debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
+
+		if (options.protocol & SSH_PROTO_1) {
+			public_key = RSA_new();
+			sensitive_data.private_key = RSA_new();
+			log("Generating %d bit RSA key.", options.server_key_bits);
+			rsa_generate_key(sensitive_data.private_key, public_key,
+			    options.server_key_bits);
+			arc4random_stir();
+			log("RSA key generation complete.");
+		}
+	} else {
+		for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			if (num_listen_socks >= MAX_LISTEN_SOCKS)
+				fatal("Too many listen sockets. "
+				    "Enlarge MAX_LISTEN_SOCKS");
+			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+			    ntop, sizeof(ntop), strport, sizeof(strport),
+			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+				error("getnameinfo failed");
+				continue;
+			}
+			/* Create socket for listening. */
+			listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+			if (listen_sock < 0) {
+				/* kernel may not support ipv6 */
+				verbose("socket: %.100s", strerror(errno));
+				continue;
+			}
+			if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
+				error("listen_sock O_NONBLOCK: %s", strerror(errno));
+				close(listen_sock);
+				continue;
+			}
+			/*
+			 * Set socket options.  We try to make the port
+			 * reusable and have it close as fast as possible
+			 * without waiting in unnecessary wait states on
+			 * close.
+			 */
+			setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+			    (void *) &on, sizeof(on));
+			linger.l_onoff = 1;
+			linger.l_linger = 5;
+			setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
+			    (void *) &linger, sizeof(linger));
+
+			debug("Bind to port %s on %s.", strport, ntop);
+
+			/* Bind the socket to the desired port. */
+			if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+				error("Bind to port %s on %s failed: %.200s.",
+				    strport, ntop, strerror(errno));
+				close(listen_sock);
+				continue;
+			}
+			listen_socks[num_listen_socks] = listen_sock;
+			num_listen_socks++;
+
+			/* Start listening on the port. */
+			log("Server listening on %s port %s.", ntop, strport);
+			if (listen(listen_sock, 5) < 0)
+				fatal("listen: %.100s", strerror(errno));
+
+		}
+		freeaddrinfo(options.listen_addrs);
+
+		if (!num_listen_socks)
+			fatal("Cannot bind any address.");
+
+		if (!debug_flag) {
+			/*
+			 * Record our pid in /etc/sshd_pid to make it easier
+			 * to kill the correct sshd.  We don\'t want to do
+			 * this before the bind above because the bind will
+			 * fail if there already is a daemon, and this will
+			 * overwrite any old pid in the file.
+			 */
+			f = fopen(options.pid_file, "w");
+			if (f) {
+				fprintf(f, "%u\n", (unsigned int) getpid());
+				fclose(f);
+			}
+		}
+		if (options.protocol & SSH_PROTO_1) {
+			public_key = RSA_new();
+			sensitive_data.private_key = RSA_new();
+
+			log("Generating %d bit RSA key.", options.server_key_bits);
+			rsa_generate_key(sensitive_data.private_key, public_key,
+			    options.server_key_bits);
+			arc4random_stir();
+			log("RSA key generation complete.");
+
+			/* Schedule server key regeneration alarm. */
+			signal(SIGALRM, key_regeneration_alarm);
+			alarm(options.key_regeneration_time);
+		}
+
+		/* Arrange to restart on SIGHUP.  The handler needs listen_sock. */
+		signal(SIGHUP, sighup_handler);
+		signal(SIGTERM, sigterm_handler);
+		signal(SIGQUIT, sigterm_handler);
+
+		/* Arrange SIGCHLD to be caught. */
+		signal(SIGCHLD, main_sigchld_handler);
+
+		/* setup fd set for listen */
+		maxfd = 0;
+		for (i = 0; i < num_listen_socks; i++)
+			if (listen_socks[i] > maxfd)
+				maxfd = listen_socks[i];
+		fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
+		fdset = (fd_set *)xmalloc(fdsetsz);
+
+		ratelim_init();
+
+		/*
+		 * Stay listening for connections until the system crashes or
+		 * the daemon is killed with a signal.
+		 */
+		for (;;) {
+			if (received_sighup)
+				sighup_restart();
+			/* Wait in select until there is a connection. */
+			memset(fdset, 0, fdsetsz);
+			for (i = 0; i < num_listen_socks; i++)
+				FD_SET(listen_socks[i], fdset);
+			if (select(maxfd + 1, fdset, NULL, NULL, NULL) < 0) {
+				if (errno != EINTR)
+					error("select: %.100s", strerror(errno));
+				continue;
+			}
+			for (i = 0; i < num_listen_socks; i++) {
+				if (!FD_ISSET(listen_socks[i], fdset))
+					continue;
+			fromlen = sizeof(from);
+			newsock = accept(listen_socks[i], (struct sockaddr *)&from,
+			    &fromlen);
+			if (newsock < 0) {
+				if (errno != EINTR && errno != EWOULDBLOCK)
+					error("accept: %.100s", strerror(errno));
+				continue;
+			}
+			if (fcntl(newsock, F_SETFL, 0) < 0) {
+				error("newsock del O_NONBLOCK: %s", strerror(errno));
+				continue;
+			}
+			if (options.connections_per_period != 0) {
+				struct timeval diff, connections_end;
+				struct ratelim_connection *rc;
+
+				(void)gettimeofday(&connections_end, NULL);
+				rc = &ratelim_connections[i];
+				diff = timevaldiff(&rc->connections_begin,
+				    &connections_end);
+				if (diff.tv_sec >= options.connections_period) {
+					/*
+					 * Slide the window forward only after
+					 * completely leaving it.
+					 */
+					rc->connections_begin = connections_end;
+					rc->connections_this_period = 1;
+				} else {
+					if (++rc->connections_this_period >
+					    options.connections_per_period)
+						ratelim_exceeded = 1;
+				}
+			}
+					
+			/*
+			 * Got connection.  Fork a child to handle it unless
+			 * we are in debugging mode or the maximum number of
+			 * connections per period has been exceeded.
+			 */
+			if (debug_flag) {
+				/*
+				 * In debugging mode.  Close the listening
+				 * socket, and start processing the
+				 * connection without forking.
+				 */
+				debug("Server will not fork when running in debugging mode.");
+				close_listen_socks();
+				sock_in = newsock;
+				sock_out = newsock;
+				pid = getpid();
+				break;
+			} else if (ratelim_exceeded) {
+				const char *myaddr;
+
+				myaddr = get_ipaddr(newsock);
+				log("rate limit (%u/%u) on %s port %d "
+				    "exceeded by %s",
+				    options.connections_per_period,
+				    options.connections_period, myaddr,
+				    get_sock_port(newsock, 1), ntop);
+				free((void *)myaddr);
+				close(newsock);
+				ratelim_exceeded = 0;
+				continue;
+			} else {
+				/*
+				 * Normal production daemon.  Fork, and have
+				 * the child process the connection. The
+				 * parent continues listening.
+				 */
+				if ((pid = fork()) == 0) {
+					/*
+					 * Child.  Close the listening socket, and start using the
+					 * accepted socket.  Reinitialize logging (since our pid has
+					 * changed).  We break out of the loop to handle the connection.
+					 */
+					close_listen_socks();
+					sock_in = newsock;
+					sock_out = newsock;
+					log_init(av0, options.log_level, options.log_facility, log_stderr);
+					break;
+				}
+			}
+
+			/* Parent.  Stay in the loop. */
+			if (pid < 0)
+				error("fork: %.100s", strerror(errno));
+			else
+				debug("Forked child %d.", pid);
+
+			/* Mark that the key has been used (it was "given" to the child). */
+			key_used = 1;
+
+			arc4random_stir();
+
+			/* Close the new socket (the child is now taking care of it). */
+			close(newsock);
+			} /* for (i = 0; i < num_listen_socks; i++) */
+			/* child process check (or debug mode) */
+			if (num_listen_socks < 0)
+				break;
+		}
+	}
+
+	/* This is the child processing a new connection. */
+
+	/*
+	 * Disable the key regeneration alarm.  We will not regenerate the
+	 * key since we are no longer in a position to give it to anyone. We
+	 * will not restart on SIGHUP since it no longer makes sense.
+	 */
+	alarm(0);
+	signal(SIGALRM, SIG_DFL);
+	signal(SIGHUP, SIG_DFL);
+	signal(SIGTERM, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+	signal(SIGCHLD, SIG_DFL);
+
+	/*
+	 * Set socket options for the connection.  We want the socket to
+	 * close as fast as possible without waiting for anything.  If the
+	 * connection is not a socket, these will do nothing.
+	 */
+	/* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
+	linger.l_onoff = 1;
+	linger.l_linger = 5;
+	setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
+
+	/*
+	 * Register our connection.  This turns encryption off because we do
+	 * not have a key.
+	 */
+	packet_set_connection(sock_in, sock_out);
+
+	remote_port = get_remote_port();
+	remote_ip = get_remote_ipaddr();
+
+	/* Check whether logins are denied from this host. */
+#ifdef LIBWRAP
+	{
+		struct request_info req;
+
+		request_init(&req, RQ_DAEMON, av0, RQ_FILE, sock_in, NULL);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			close(sock_in);
+			close(sock_out);
+			refuse(&req);
+		}
+		verbose("Connection from %.500s port %d", eval_client(&req), remote_port);
+	}
+#endif /* LIBWRAP */
+	/* Log the connection. */
+	verbose("Connection from %.500s port %d", remote_ip, remote_port);
+
+	/*
+	 * We don\'t want to listen forever unless the other side
+	 * successfully authenticates itself.  So we set up an alarm which is
+	 * cleared after successful authentication.  A limit of zero
+	 * indicates no limit. Note that we don\'t set the alarm in debugging
+	 * mode; it is just annoying to have the server exit just when you
+	 * are about to discover the bug.
+	 */
+	signal(SIGALRM, grace_alarm_handler);
+	if (!debug_flag)
+		alarm(options.login_grace_time);
+
+	sshd_exchange_identification(sock_in, sock_out);
+	/*
+	 * Check that the connection comes from a privileged port.  Rhosts-
+	 * and Rhosts-RSA-Authentication only make sense from priviledged
+	 * programs.  Of course, if the intruder has root access on his local
+	 * machine, he can connect from any port.  So do not use these
+	 * authentication methods from machines that you do not trust.
+	 */
+	if (remote_port >= IPPORT_RESERVED ||
+	    remote_port < IPPORT_RESERVED / 2) {
+		options.rhosts_authentication = 0;
+		options.rhosts_rsa_authentication = 0;
+	}
+#ifdef KRB4
+	if (!packet_connection_is_ipv4() &&
+	    options.krb4_authentication) {
+		debug("Kerberos Authentication disabled, only available for IPv4.");
+		options.krb4_authentication = 0;
+	}
+#endif /* KRB4 */
+
+	packet_set_nonblocking();
+
+	/* perform the key exchange */
+	/* authenticate user and start session */
+	if (compat20) {
+		do_ssh2_kex();
+		do_authentication2();
+	} else {
+		do_ssh1_kex();
+		do_authentication();
+	}
+
+#ifdef KRB4
+	/* Cleanup user's ticket cache file. */
+	if (options.krb4_ticket_cleanup)
+		(void) dest_tkt();
+#endif /* KRB4 */
+
+	/* The connection has been terminated. */
+	verbose("Closing connection to %.100s", remote_ip);
+	packet_close();
+	exit(0);
+}
+
+/*
+ * SSH1 key exchange
+ */
+void
+do_ssh1_kex()
+{
+	int i, len;
+	int plen, slen;
+	BIGNUM *session_key_int;
+	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
+	unsigned char cookie[8];
+	unsigned int cipher_type, auth_mask, protocol_flags;
+	u_int32_t rand = 0;
+
+	/*
+	 * Generate check bytes that the client must send back in the user
+	 * packet in order for it to be accepted; this is used to defy ip
+	 * spoofing attacks.  Note that this only works against somebody
+	 * doing IP spoofing from a remote machine; any machine on the local
+	 * network can still see outgoing packets and catch the random
+	 * cookie.  This only affects rhosts authentication, and this is one
+	 * of the reasons why it is inherently insecure.
+	 */
+	for (i = 0; i < 8; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		cookie[i] = rand & 0xff;
+		rand >>= 8;
+	}
+
+	/*
+	 * Send our public key.  We include in the packet 64 bits of random
+	 * data that must be matched in the reply in order to prevent IP
+	 * spoofing.
+	 */
+	packet_start(SSH_SMSG_PUBLIC_KEY);
+	for (i = 0; i < 8; i++)
+		packet_put_char(cookie[i]);
+
+	/* Store our public server RSA key. */
+	packet_put_int(BN_num_bits(public_key->n));
+	packet_put_bignum(public_key->e);
+	packet_put_bignum(public_key->n);
+
+	/* Store our public host RSA key. */
+	packet_put_int(BN_num_bits(sensitive_data.host_key->n));
+	packet_put_bignum(sensitive_data.host_key->e);
+	packet_put_bignum(sensitive_data.host_key->n);
+
+	/* Put protocol flags. */
+	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
+
+	/* Declare which ciphers we support. */
+	packet_put_int(cipher_mask1());
+
+	/* Declare supported authentication types. */
+	auth_mask = 0;
+	if (options.rhosts_authentication)
+		auth_mask |= 1 << SSH_AUTH_RHOSTS;
+	if (options.rhosts_rsa_authentication)
+		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
+	if (options.rsa_authentication)
+		auth_mask |= 1 << SSH_AUTH_RSA;
+#ifdef KRB4
+	if (options.krb4_authentication)
+		auth_mask |= 1 << SSH_AUTH_KRB4;
+#endif
+#ifdef KRB5
+	if (options.krb5_authentication) {
+	  	auth_mask |= 1 << SSH_AUTH_KRB5;
+                /* compatibility with MetaCentre ssh */
+		auth_mask |= 1 << SSH_AUTH_KRB4;
+        }
+	if (options.krb5_tgt_passing)
+	  	auth_mask |= 1 << SSH_PASS_KRB5_TGT;
+#endif /* KRB5 */
+
+#ifdef AFS
+	if (options.krb4_tgt_passing)
+		auth_mask |= 1 << SSH_PASS_KRB4_TGT;
+	if (options.afs_token_passing)
+		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
+#endif
+#ifdef SKEY
+	if (options.skey_authentication == 1)
+		auth_mask |= 1 << SSH_AUTH_TIS;
+#endif
+	if (options.password_authentication)
+		auth_mask |= 1 << SSH_AUTH_PASSWORD;
+	packet_put_int(auth_mask);
+
+	/* Send the packet and wait for it to be sent. */
+	packet_send();
+	packet_write_wait();
+
+	debug("Sent %d bit public key and %d bit host key.",
+	      BN_num_bits(public_key->n), BN_num_bits(sensitive_data.host_key->n));
+
+	/* Read clients reply (cipher type and session key). */
+	packet_read_expect(&plen, SSH_CMSG_SESSION_KEY);
+
+	/* Get cipher type and check whether we accept this. */
+	cipher_type = packet_get_char();
+
+	if (!(cipher_mask() & (1 << cipher_type)))
+		packet_disconnect("Warning: client selects unsupported cipher.");
+
+	/* Get check bytes from the packet.  These must match those we
+	   sent earlier with the public key packet. */
+	for (i = 0; i < 8; i++)
+		if (cookie[i] != packet_get_char())
+			packet_disconnect("IP Spoofing check bytes do not match.");
+
+	debug("Encryption type: %.200s", cipher_name(cipher_type));
+
+	/* Get the encrypted integer. */
+	session_key_int = BN_new();
+	packet_get_bignum(session_key_int, &slen);
+
+	protocol_flags = packet_get_int();
+	packet_set_protocol_flags(protocol_flags);
+
+	packet_integrity_check(plen, 1 + 8 + slen + 4, SSH_CMSG_SESSION_KEY);
+
+	/*
+	 * Decrypt it using our private server key and private host key (key
+	 * with larger modulus first).
+	 */
+	if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
+		/* Private key has bigger modulus. */
+		if (BN_num_bits(sensitive_data.private_key->n) <
+		    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
+			      get_remote_ipaddr(),
+			      BN_num_bits(sensitive_data.private_key->n),
+			      BN_num_bits(sensitive_data.host_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_private_decrypt(session_key_int, session_key_int,
+				    sensitive_data.private_key);
+		rsa_private_decrypt(session_key_int, session_key_int,
+				    sensitive_data.host_key);
+	} else {
+		/* Host key has bigger modulus (or they are equal). */
+		if (BN_num_bits(sensitive_data.host_key->n) <
+		    BN_num_bits(sensitive_data.private_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("do_connection: %s: host_key %d < private_key %d + SSH_KEY_BITS_RESERVED %d",
+			      get_remote_ipaddr(),
+			      BN_num_bits(sensitive_data.host_key->n),
+			      BN_num_bits(sensitive_data.private_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_private_decrypt(session_key_int, session_key_int,
+				    sensitive_data.host_key);
+		rsa_private_decrypt(session_key_int, session_key_int,
+				    sensitive_data.private_key);
+	}
+
+	compute_session_id(session_id, cookie,
+			   sensitive_data.host_key->n,
+			   sensitive_data.private_key->n);
+
+	/* Destroy the private and public keys.  They will no longer be needed. */
+	destroy_sensitive_data();
+
+	/*
+	 * Extract session key from the decrypted integer.  The key is in the
+	 * least significant 256 bits of the integer; the first byte of the
+	 * key is in the highest bits.
+	 */
+	BN_mask_bits(session_key_int, sizeof(session_key) * 8);
+	len = BN_num_bytes(session_key_int);
+	if (len < 0 || len > sizeof(session_key))
+		fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
+		      get_remote_ipaddr(),
+		      len, sizeof(session_key));
+	memset(session_key, 0, sizeof(session_key));
+	BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
+
+	/* Destroy the decrypted integer.  It is no longer needed. */
+	BN_clear_free(session_key_int);
+
+	/* Xor the first 16 bytes of the session key with the session id. */
+	for (i = 0; i < 16; i++)
+		session_key[i] ^= session_id[i];
+
+	/* Set the session key.  From this on all communications will be encrypted. */
+	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
+
+	/* Destroy our copy of the session key.  It is no longer needed. */
+	memset(session_key, 0, sizeof(session_key));
+
+	debug("Received session key; encryption turned on.");
+
+	/* Send an acknowledgement packet.  Note that this packet is sent encrypted. */
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * SSH2 key exchange: diffie-hellman-group1-sha1
+ */
+void
+do_ssh2_kex()
+{
+	Buffer *server_kexinit;
+	Buffer *client_kexinit;
+	int payload_len, dlen;
+	int slen;
+	unsigned int klen, kout;
+	unsigned char *signature = NULL;
+	unsigned char *server_host_key_blob = NULL;
+	unsigned int sbloblen;
+	DH *dh;
+	BIGNUM *dh_client_pub = 0;
+	BIGNUM *shared_secret = 0;
+	int i;
+	unsigned char *kbuf;
+	unsigned char *hash;
+	Kex *kex;
+	char *cprop[PROPOSAL_MAX];
+
+/* KEXINIT */
+
+	if (options.ciphers != NULL) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	}
+	server_kexinit = kex_init(myproposal);
+	client_kexinit = xmalloc(sizeof(*client_kexinit));
+	buffer_init(client_kexinit);
+
+	/* algorithm negotiation */
+	kex_exchange_kexinit(server_kexinit, client_kexinit, cprop);
+	kex = kex_choose_conf(cprop, myproposal, 1);
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		xfree(cprop[i]);
+
+/* KEXDH */
+
+	debug("Wait SSH2_MSG_KEXDH_INIT.");
+	packet_read_expect(&payload_len, SSH2_MSG_KEXDH_INIT);
+
+	/* key, cert */
+	dh_client_pub = BN_new();
+	if (dh_client_pub == NULL)
+		fatal("dh_client_pub == NULL");
+	packet_get_bignum2(dh_client_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "\ndh_client_pub= ");
+	bignum_print(dh_client_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_client_pub));
+#endif
+
+	/* generate DH key */
+	dh = dh_new_group1();			/* XXX depends on 'kex' */
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "\np= ");
+	bignum_print(dh->p);
+	fprintf(stderr, "\ng= ");
+	bignum_print(dh->g);
+	fprintf(stderr, "\npub= ");
+	bignum_print(dh->pub_key);
+	fprintf(stderr, "\n");
+#endif
+	if (!dh_pub_is_valid(dh, dh_client_pub))
+		packet_disconnect("bad client public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_client_pub, dh);
+
+#ifdef DEBUG_KEXDH
+	debug("shared secret: len %d/%d", klen, kout);
+	fprintf(stderr, "shared secret == ");
+	for (i = 0; i< kout; i++)
+		fprintf(stderr, "%02x", (kbuf[i])&0xff);
+	fprintf(stderr, "\n");
+#endif
+	shared_secret = BN_new();
+
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	/* XXX precompute? */
+	dsa_make_key_blob(sensitive_data.dsa_host_key, &server_host_key_blob, &sbloblen);
+
+	/* calc H */			/* XXX depends on 'kex' */
+	hash = kex_hash(
+	    client_version_string,
+	    server_version_string,
+	    buffer_ptr(client_kexinit), buffer_len(client_kexinit),
+	    buffer_ptr(server_kexinit), buffer_len(server_kexinit),
+	    (char *)server_host_key_blob, sbloblen,
+	    dh_client_pub,
+	    dh->pub_key,
+	    shared_secret
+	);
+	buffer_free(client_kexinit);
+	buffer_free(server_kexinit);
+	xfree(client_kexinit);
+	xfree(server_kexinit);
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "hash == ");
+	for (i = 0; i< 20; i++)
+		fprintf(stderr, "%02x", (hash[i])&0xff);
+	fprintf(stderr, "\n");
+#endif
+	/* save session id := H */
+	/* XXX hashlen depends on KEX */
+	session_id2_len = 20;
+	session_id2 = xmalloc(session_id2_len);
+	memcpy(session_id2, hash, session_id2_len);
+
+	/* sign H */
+	/* XXX hashlen depends on KEX */
+	dsa_sign(sensitive_data.dsa_host_key, &signature, &slen, hash, 20);
+
+	destroy_sensitive_data();
+
+	/* send server hostkey, DH pubkey 'f' and singed H */
+	packet_start(SSH2_MSG_KEXDH_REPLY);
+	packet_put_string((char *)server_host_key_blob, sbloblen);
+	packet_put_bignum2(dh->pub_key);	/* f */
+	packet_put_string((char *)signature, slen);
+	packet_send();
+	xfree(signature);
+	xfree(server_host_key_blob);
+	packet_write_wait();
+
+	kex_derive_keys(kex, hash, shared_secret);
+	packet_set_kex(kex);
+
+	/* have keys, free DH */
+	DH_free(dh);
+
+	debug("send SSH2_MSG_NEWKEYS.");
+	packet_start(SSH2_MSG_NEWKEYS);
+	packet_send();
+	packet_write_wait();
+	debug("done: send SSH2_MSG_NEWKEYS.");
+
+	debug("Wait SSH2_MSG_NEWKEYS.");
+	packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS);
+	debug("GOT SSH2_MSG_NEWKEYS.");
+
+#ifdef DEBUG_KEXDH
+	/* send 1st encrypted/maced/compressed message */
+	packet_start(SSH2_MSG_IGNORE);
+	packet_put_cstring("markus");
+	packet_send();
+	packet_write_wait();
+#endif
+	debug("done: KEX2.");
+}
diff --git a/crypto/openssh/sshd/Makefile b/crypto/openssh/sshd/Makefile
new file mode 100644
index 0000000..f74a032
--- /dev/null
+++ b/crypto/openssh/sshd/Makefile
@@ -0,0 +1,46 @@
+.PATH:		${.CURDIR}/..
+
+PROG=	sshd
+BINOWN=	root
+BINMODE=555
+BINDIR=	/usr/sbin
+MAN=	sshd.8
+
+SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
+	pty.c log-server.c login.c servconf.c serverloop.c \
+	auth.c auth1.c auth2.c session.c
+
+.include <bsd.own.mk> # for KERBEROS and AFS
+
+.if (${KERBEROS} == "yes")
+.if (${AFS} == "yes")
+CFLAGS+= -DAFS
+LDADD+=  -lkafs
+DPADD+=  ${LIBKRBAFS}
+.endif # AFS
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+SRCS+=	auth-krb4.c
+LDADD+=	 -lkrb
+DPADD+=	 ${LIBKRB}
+.endif # KERBEROS
+
+.if (${SKEY} == "yes")
+SRCS+=	auth-skey.c
+.endif
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lutil -lz
+DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
+
+.if (${TCP_WRAPPERS} == "yes")
+CFLAGS+= -DLIBWRAP
+LDADD+= -lwrap
+DPADD+= ${LIBWRAP}
+.endif
+
+.if (${SKEY} == "yes")
+CFLAGS+= -DSKEY
+LDADD+= -lskey
+DPADD+= ${SKEY}
+.endif
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
new file mode 100644
index 0000000..46ebc1f
--- /dev/null
+++ b/crypto/openssh/sshd_config
@@ -0,0 +1,55 @@
+# This is ssh server systemwide configuration file.
+#
+# $FreeBSD$
+
+Port 22
+#Protocol 2,1
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+HostKey /etc/ssh/ssh_host_key
+HostDsaKey /etc/ssh/ssh_host_dsa_key
+ServerKeyBits 768
+LoginGraceTime 60
+KeyRegenerationInterval 3600
+PermitRootLogin no
+# Rate-limit sshd connections to 5 connections per 10 seconds
+ConnectionsPerPeriod 5/10
+# Don't read ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+StrictModes yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd yes
+KeepAlive yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+#obsoletes QuietMode and FascistLogging
+
+RhostsAuthentication no
+#
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+#
+RSAAuthentication yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PermitEmptyPasswords no
+# Uncomment to disable s/key passwords 
+#SkeyAuthentication no
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+CheckMail yes
+#UseLogin no
diff --git a/crypto/openssh/tildexpand.c b/crypto/openssh/tildexpand.c
new file mode 100644
index 0000000..4ecb785
--- /dev/null
+++ b/crypto/openssh/tildexpand.c
@@ -0,0 +1,66 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Wed Jul 12 01:07:36 1995 ylo
+ */
+
+#include "includes.h"
+RCSID("$Id: tildexpand.c,v 1.6 1999/12/06 19:10:38 deraadt Exp $");
+
+#include "xmalloc.h"
+#include "ssh.h"
+
+/*
+ * Expands tildes in the file name.  Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+ */
+char *
+tilde_expand_filename(const char *filename, uid_t my_uid)
+{
+	const char *cp;
+	unsigned int userlen;
+	char *expanded;
+	struct passwd *pw;
+	char user[100];
+	int len;
+
+	/* Return immediately if no tilde. */
+	if (filename[0] != '~')
+		return xstrdup(filename);
+
+	/* Skip the tilde. */
+	filename++;
+
+	/* Find where the username ends. */
+	cp = strchr(filename, '/');
+	if (cp)
+		userlen = cp - filename;	/* Something after username. */
+	else
+		userlen = strlen(filename);	/* Nothing after username. */
+	if (userlen == 0)
+		pw = getpwuid(my_uid);		/* Own home directory. */
+	else {
+		/* Tilde refers to someone elses home directory. */
+		if (userlen > sizeof(user) - 1)
+			fatal("User name after tilde too long.");
+		memcpy(user, filename, userlen);
+		user[userlen] = 0;
+		pw = getpwnam(user);
+	}
+	if (!pw)
+		fatal("Unknown user %100s.", user);
+
+	/* If referring to someones home directory, return it now. */
+	if (!cp) {
+		/* Only home directory specified */
+		return xstrdup(pw->pw_dir);
+	}
+	/* Build a path combining the specified directory and path. */
+	len = strlen(pw->pw_dir) + strlen(cp + 1) + 2;
+	if (len > MAXPATHLEN)
+		fatal("Home directory too long (%d > %d", len-1, MAXPATHLEN-1);
+	expanded = xmalloc(len);
+	snprintf(expanded, len, "%s/%s", pw->pw_dir, cp + 1);
+	return expanded;
+}
diff --git a/crypto/openssh/ttymodes.c b/crypto/openssh/ttymodes.c
new file mode 100644
index 0000000..25f5013
--- /dev/null
+++ b/crypto/openssh/ttymodes.c
@@ -0,0 +1,359 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Tue Mar 21 15:59:15 1995 ylo
+ * Encoding and decoding of terminal modes in a portable way.
+ * Much of the format is defined in ttymodes.h; it is included multiple times
+ * into this file with the appropriate macro definitions to generate the
+ * suitable code.
+ */
+
+#include "includes.h"
+RCSID("$Id: ttymodes.c,v 1.6 2000/04/14 10:30:34 markus Exp $");
+
+#include "packet.h"
+#include "ssh.h"
+
+#define TTY_OP_END	0
+#define TTY_OP_ISPEED	192	/* int follows */
+#define TTY_OP_OSPEED	193	/* int follows */
+
+/*
+ * Converts POSIX speed_t to a baud rate.  The values of the
+ * constants for speed_t are not themselves portable.
+ */
+static int
+speed_to_baud(speed_t speed)
+{
+	switch (speed) {
+	case B0:
+		return 0;
+	case B50:
+		return 50;
+	case B75:
+		return 75;
+	case B110:
+		return 110;
+	case B134:
+		return 134;
+	case B150:
+		return 150;
+	case B200:
+		return 200;
+	case B300:
+		return 300;
+	case B600:
+		return 600;
+	case B1200:
+		return 1200;
+	case B1800:
+		return 1800;
+	case B2400:
+		return 2400;
+	case B4800:
+		return 4800;
+	case B9600:
+		return 9600;
+
+#ifdef B19200
+	case B19200:
+		return 19200;
+#else /* B19200 */
+#ifdef EXTA
+	case EXTA:
+		return 19200;
+#endif /* EXTA */
+#endif /* B19200 */
+
+#ifdef B38400
+	case B38400:
+		return 38400;
+#else /* B38400 */
+#ifdef EXTB
+	case EXTB:
+		return 38400;
+#endif /* EXTB */
+#endif /* B38400 */
+
+#ifdef B7200
+	case B7200:
+		return 7200;
+#endif /* B7200 */
+#ifdef B14400
+	case B14400:
+		return 14400;
+#endif /* B14400 */
+#ifdef B28800
+	case B28800:
+		return 28800;
+#endif /* B28800 */
+#ifdef B57600
+	case B57600:
+		return 57600;
+#endif /* B57600 */
+#ifdef B76800
+	case B76800:
+		return 76800;
+#endif /* B76800 */
+#ifdef B115200
+	case B115200:
+		return 115200;
+#endif /* B115200 */
+#ifdef B230400
+	case B230400:
+		return 230400;
+#endif /* B230400 */
+	default:
+		return 9600;
+	}
+}
+
+/*
+ * Converts a numeric baud rate to a POSIX speed_t.
+ */
+static speed_t
+baud_to_speed(int baud)
+{
+	switch (baud) {
+		case 0:
+		return B0;
+	case 50:
+		return B50;
+	case 75:
+		return B75;
+	case 110:
+		return B110;
+	case 134:
+		return B134;
+	case 150:
+		return B150;
+	case 200:
+		return B200;
+	case 300:
+		return B300;
+	case 600:
+		return B600;
+	case 1200:
+		return B1200;
+	case 1800:
+		return B1800;
+	case 2400:
+		return B2400;
+	case 4800:
+		return B4800;
+	case 9600:
+		return B9600;
+
+#ifdef B19200
+	case 19200:
+		return B19200;
+#else /* B19200 */
+#ifdef EXTA
+	case 19200:
+		return EXTA;
+#endif /* EXTA */
+#endif /* B19200 */
+
+#ifdef B38400
+	case 38400:
+		return B38400;
+#else /* B38400 */
+#ifdef EXTB
+	case 38400:
+		return EXTB;
+#endif /* EXTB */
+#endif /* B38400 */
+
+#ifdef B7200
+	case 7200:
+		return B7200;
+#endif /* B7200 */
+#ifdef B14400
+	case 14400:
+		return B14400;
+#endif /* B14400 */
+#ifdef B28800
+	case 28800:
+		return B28800;
+#endif /* B28800 */
+#ifdef B57600
+	case 57600:
+		return B57600;
+#endif /* B57600 */
+#ifdef B76800
+	case 76800:
+		return B76800;
+#endif /* B76800 */
+#ifdef B115200
+	case 115200:
+		return B115200;
+#endif /* B115200 */
+#ifdef B230400
+	case 230400:
+		return B230400;
+#endif /* B230400 */
+	default:
+		return B9600;
+	}
+}
+
+/*
+ * Encodes terminal modes for the terminal referenced by fd
+ * in a portable manner, and appends the modes to a packet
+ * being constructed.
+ */
+void
+tty_make_modes(int fd)
+{
+	struct termios tio;
+	int baud;
+
+	if (tcgetattr(fd, &tio) < 0) {
+		packet_put_char(TTY_OP_END);
+		log("tcgetattr: %.100s", strerror(errno));
+		return;
+	}
+	/* Store input and output baud rates. */
+	baud = speed_to_baud(cfgetospeed(&tio));
+	packet_put_char(TTY_OP_OSPEED);
+	packet_put_int(baud);
+	baud = speed_to_baud(cfgetispeed(&tio));
+	packet_put_char(TTY_OP_ISPEED);
+	packet_put_int(baud);
+
+	/* Store values of mode flags. */
+#define TTYCHAR(NAME, OP) \
+  packet_put_char(OP); packet_put_char(tio.c_cc[NAME]);
+#define TTYMODE(NAME, FIELD, OP) \
+  packet_put_char(OP); packet_put_char((tio.FIELD & NAME) != 0);
+#define SGTTYCHAR(NAME, OP)
+#define SGTTYMODE(NAME, FIELD, OP)
+#define SGTTYMODEN(NAME, FIELD, OP)
+
+#include "ttymodes.h"
+
+#undef TTYCHAR
+#undef TTYMODE
+#undef SGTTYCHAR
+#undef SGTTYMODE
+#undef SGTTYMODEN
+
+	/* Mark end of mode data. */
+	packet_put_char(TTY_OP_END);
+}
+
+/*
+ * Decodes terminal modes for the terminal referenced by fd in a portable
+ * manner from a packet being read.
+ */
+void
+tty_parse_modes(int fd, int *n_bytes_ptr)
+{
+	struct termios tio;
+	int opcode, baud;
+	int n_bytes = 0;
+	int failure = 0;
+
+	/*
+	 * Get old attributes for the terminal.  We will modify these
+	 * flags. I am hoping that if there are any machine-specific
+	 * modes, they will initially have reasonable values.
+	 */
+	if (tcgetattr(fd, &tio) < 0)
+		failure = -1;
+
+	for (;;) {
+		n_bytes += 1;
+		opcode = packet_get_char();
+		switch (opcode) {
+		case TTY_OP_END:
+			goto set;
+
+		case TTY_OP_ISPEED:
+			n_bytes += 4;
+			baud = packet_get_int();
+			if (failure != -1 && cfsetispeed(&tio, baud_to_speed(baud)) < 0)
+				error("cfsetispeed failed for %d", baud);
+			break;
+
+		case TTY_OP_OSPEED:
+			n_bytes += 4;
+			baud = packet_get_int();
+			if (failure != -1 && cfsetospeed(&tio, baud_to_speed(baud)) < 0)
+				error("cfsetospeed failed for %d", baud);
+			break;
+
+#define TTYCHAR(NAME, OP) 				\
+	case OP:					\
+	  n_bytes += 1;					\
+	  tio.c_cc[NAME] = packet_get_char();		\
+	  break;
+#define TTYMODE(NAME, FIELD, OP)		       	\
+	case OP:					\
+	  n_bytes += 1;					\
+	  if (packet_get_char())			\
+	    tio.FIELD |= NAME;				\
+	  else						\
+	    tio.FIELD &= ~NAME;				\
+	  break;
+#define SGTTYCHAR(NAME, OP)
+#define SGTTYMODE(NAME, FIELD, OP)
+#define SGTTYMODEN(NAME, FIELD, OP)
+
+#include "ttymodes.h"
+
+#undef TTYCHAR
+#undef TTYMODE
+#undef SGTTYCHAR
+#undef SGTTYMODE
+#undef SGTTYMODEN
+
+		default:
+			debug("Ignoring unsupported tty mode opcode %d (0x%x)",
+			      opcode, opcode);
+			/*
+			 * Opcodes 0 to 127 are defined to have
+			 * a one-byte argument.
+			 */
+			if (opcode >= 0 && opcode < 128) {
+				n_bytes += 1;
+				(void) packet_get_char();
+				break;
+			} else {
+				/*
+				 * Opcodes 128 to 159 are defined to have
+				 * an integer argument.
+				 */
+				if (opcode >= 128 && opcode < 160) {
+					n_bytes += 4;
+					(void) packet_get_int();
+					break;
+				}
+			}
+			/*
+			 * It is a truly undefined opcode (160 to 255).
+			 * We have no idea about its arguments.  So we
+			 * must stop parsing.  Note that some data may be
+			 * left in the packet; hopefully there is nothing
+			 * more coming after the mode data.
+			 */
+			log("parse_tty_modes: unknown opcode %d", opcode);
+			packet_integrity_check(0, 1, SSH_CMSG_REQUEST_PTY);
+			goto set;
+		}
+	}
+
+set:
+	if (*n_bytes_ptr != n_bytes) {
+		*n_bytes_ptr = n_bytes;
+		return;		/* Don't process bytes passed */
+	}
+	if (failure == -1)
+		return;		/* Packet parsed ok but tty stuff failed */
+
+	/* Set the new modes for the terminal. */
+	if (tcsetattr(fd, TCSANOW, &tio) < 0)
+		log("Setting tty modes failed: %.100s", strerror(errno));
+	return;
+}
diff --git a/crypto/openssh/ttymodes.h b/crypto/openssh/ttymodes.h
new file mode 100644
index 0000000..f8243f6
--- /dev/null
+++ b/crypto/openssh/ttymodes.h
@@ -0,0 +1,141 @@
+/*
+ *
+ * ttymodes.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * 	SGTTY stuff contributed by Janne Snabb <snabb@niksula.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Tue Mar 21 15:42:09 1995 ylo
+ *
+ */
+
+/* RCSID("$Id: ttymodes.h,v 1.7 2000/04/14 10:30:34 markus Exp $"); */
+
+/* The tty mode description is a stream of bytes.  The stream consists of
+ * opcode-arguments pairs.  It is terminated by opcode TTY_OP_END (0).
+ * Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have integer
+ * arguments.  Opcodes 160-255 are not yet defined, and cause parsing to
+ * stop (they should only be used after any other data).
+ *
+ * The client puts in the stream any modes it knows about, and the
+ * server ignores any modes it does not know about.  This allows some degree
+ * of machine-independence, at least between systems that use a posix-like
+ * tty interface.  The protocol can support other systems as well, but might
+ * require reimplementing as mode names would likely be different.
+ */
+
+/*
+ * Some constants and prototypes are defined in packet.h; this file
+ * is only intended for including from ttymodes.c.
+ */
+
+/* termios macro */		/* sgtty macro */
+/* name, op */
+TTYCHAR(VINTR, 1) 		SGTTYCHAR(tiotc.t_intrc, 1)
+TTYCHAR(VQUIT, 2)		SGTTYCHAR(tiotc.t_quitc, 2)
+TTYCHAR(VERASE, 3)		SGTTYCHAR(tio.sg_erase, 3)
+#if defined(VKILL)
+TTYCHAR(VKILL, 4)		SGTTYCHAR(tio.sg_kill, 4)
+#endif /* VKILL */
+TTYCHAR(VEOF, 5)		SGTTYCHAR(tiotc.t_eofc, 5)
+#if defined(VEOL)
+TTYCHAR(VEOL, 6)		SGTTYCHAR(tiotc.t_brkc, 6)
+#endif /* VEOL */
+#ifdef VEOL2			/* n/a */
+TTYCHAR(VEOL2, 7)
+#endif /* VEOL2 */
+TTYCHAR(VSTART, 8)		SGTTYCHAR(tiotc.t_startc, 8)
+TTYCHAR(VSTOP, 9)		SGTTYCHAR(tiotc.t_stopc, 9)
+#if defined(VSUSP)
+TTYCHAR(VSUSP, 10)		SGTTYCHAR(tioltc.t_suspc, 10)
+#endif /* VSUSP */
+#if defined(VDSUSP)
+TTYCHAR(VDSUSP, 11)		SGTTYCHAR(tioltc.t_dsuspc, 11)
+#endif /* VDSUSP */
+#if defined(VREPRINT)
+TTYCHAR(VREPRINT, 12)		SGTTYCHAR(tioltc.t_rprntc, 12)
+#endif /* VREPRINT */
+#if defined(VWERASE)
+TTYCHAR(VWERASE, 13)		SGTTYCHAR(tioltc.t_werasc, 13)
+#endif /* VWERASE */
+#if defined(VLNEXT)
+TTYCHAR(VLNEXT, 14)		SGTTYCHAR(tioltc.t_lnextc, 14)
+#endif /* VLNEXT */
+#if defined(VFLUSH)
+TTYCHAR(VFLUSH, 15)		SGTTYCHAR(tioltc.t_flushc, 15)
+#endif /* VFLUSH */
+#ifdef VSWTCH
+TTYCHAR(VSWTCH, 16)		/* n/a */
+#endif /* VSWTCH */
+#if defined(VSTATUS)
+TTYCHAR(VSTATUS, 17)		SGTTYCHAR(tiots.tc_statusc, 17)
+#endif /* VSTATUS */
+#ifdef VDISCARD
+TTYCHAR(VDISCARD, 18)		/* n/a */
+#endif /* VDISCARD */
+
+/* name, field, op */
+TTYMODE(IGNPAR,	c_iflag, 30)	/* n/a */
+TTYMODE(PARMRK,	c_iflag, 31)	/* n/a */
+TTYMODE(INPCK, 	c_iflag, 32)	SGTTYMODEN(ANYP, tio.sg_flags, 32)
+TTYMODE(ISTRIP,	c_iflag, 33)	SGTTYMODEN(LPASS8, tiolm, 33)
+TTYMODE(INLCR, 	c_iflag, 34)	/* n/a */
+TTYMODE(IGNCR, 	c_iflag, 35)	/* n/a */
+TTYMODE(ICRNL, 	c_iflag, 36)	SGTTYMODE(CRMOD, tio.sg_flags, 36)
+#if defined(IUCLC)
+TTYMODE(IUCLC, 	c_iflag, 37)	SGTTYMODE(LCASE, tio.sg_flags, 37)
+#endif
+TTYMODE(IXON,  	c_iflag, 38)	/* n/a */
+TTYMODE(IXANY, 	c_iflag, 39)	SGTTYMODEN(LDECCTQ, tiolm, 39)
+TTYMODE(IXOFF, 	c_iflag, 40)	SGTTYMODE(TANDEM, tio.sg_flags, 40)
+#ifdef IMAXBEL
+TTYMODE(IMAXBEL,c_iflag, 41)	/* n/a */
+#endif /* IMAXBEL */
+
+TTYMODE(ISIG,	c_lflag, 50)	/* n/a */
+TTYMODE(ICANON,	c_lflag, 51)	SGTTYMODEN(CBREAK, tio.sg_flags, 51)
+#ifdef XCASE
+TTYMODE(XCASE,	c_lflag, 52)	/* n/a */
+#endif
+TTYMODE(ECHO,	c_lflag, 53)	SGTTYMODE(ECHO, tio.sg_flags, 53)
+TTYMODE(ECHOE,	c_lflag, 54)	SGTTYMODE(LCRTERA, tiolm, 54)
+TTYMODE(ECHOK,	c_lflag, 55)	SGTTYMODE(LCRTKIL, tiolm, 55)
+TTYMODE(ECHONL,	c_lflag, 56)	/* n/a */
+TTYMODE(NOFLSH,	c_lflag, 57)	SGTTYMODE(LNOFLSH, tiolm, 57)
+TTYMODE(TOSTOP,	c_lflag, 58)	SGTTYMODE(LTOSTOP, tiolm, 58)
+#ifdef IEXTEN
+TTYMODE(IEXTEN, c_lflag, 59)	/* n/a */
+#endif /* IEXTEN */
+#if defined(ECHOCTL)
+TTYMODE(ECHOCTL,c_lflag, 60)	SGTTYMODE(LCTLECH, tiolm, 60)
+#endif /* ECHOCTL */
+#ifdef ECHOKE
+TTYMODE(ECHOKE,	c_lflag, 61)	/* n/a */
+#endif /* ECHOKE */
+#if defined(PENDIN)
+TTYMODE(PENDIN,	c_lflag, 62)	SGTTYMODE(LPENDIN, tiolm, 62)
+#endif /* PENDIN */
+
+TTYMODE(OPOST,	c_oflag, 70)	/* n/a */
+#if defined(OLCUC)
+TTYMODE(OLCUC,	c_oflag, 71)	SGTTYMODE(LCASE, tio.sg_flags, 71)
+#endif
+TTYMODE(ONLCR,	c_oflag, 72)	SGTTYMODE(CRMOD, tio.sg_flags, 72)
+#ifdef OCRNL
+TTYMODE(OCRNL,	c_oflag, 73)	/* n/a */
+#endif
+#ifdef ONOCR
+TTYMODE(ONOCR,	c_oflag, 74)	/* n/a */
+#endif
+#ifdef ONLRET
+TTYMODE(ONLRET,	c_oflag, 75)	/* n/a */
+#endif
+
+TTYMODE(CS7,	c_cflag, 90)	/* n/a */
+TTYMODE(CS8,	c_cflag, 91)	SGTTYMODE(LPASS8, tiolm, 91)
+TTYMODE(PARENB,	c_cflag, 92)	/* n/a */
+TTYMODE(PARODD,	c_cflag, 93)	SGTTYMODE(ODDP, tio.sg_flags, 93)
+
diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c
new file mode 100644
index 0000000..20f04cf
--- /dev/null
+++ b/crypto/openssh/uidswap.c
@@ -0,0 +1,87 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Sat Sep  9 01:56:14 1995 ylo
+ * Code for uid-swapping.
+ */
+
+#include "includes.h"
+RCSID("$Id: uidswap.c,v 1.6 2000/04/14 10:30:34 markus Exp $");
+
+#include "ssh.h"
+#include "uidswap.h"
+
+/*
+ * Note: all these functions must work in all of the following cases:
+ *    1. euid=0, ruid=0
+ *    2. euid=0, ruid!=0
+ *    3. euid!=0, ruid!=0
+ * Additionally, they must work regardless of whether the system has
+ * POSIX saved uids or not.
+ */
+
+#ifdef _POSIX_SAVED_IDS
+/* Lets assume that posix saved ids also work with seteuid, even though that
+   is not part of the posix specification. */
+#define SAVED_IDS_WORK_WITH_SETEUID
+#endif /* _POSIX_SAVED_IDS */
+
+/* Saved effective uid. */
+static uid_t saved_euid = 0;
+
+/*
+ * Temporarily changes to the given uid.  If the effective user
+ * id is not root, this does nothing.  This call cannot be nested.
+ */
+void
+temporarily_use_uid(uid_t uid)
+{
+#ifdef SAVED_IDS_WORK_WITH_SETEUID
+	/* Save the current euid. */
+	saved_euid = geteuid();
+
+	/* Set the effective uid to the given (unprivileged) uid. */
+	if (seteuid(uid) == -1)
+		debug("seteuid %d: %.100s", (int) uid, strerror(errno));
+#else /* SAVED_IDS_WORK_WITH_SETUID */
+	/* Propagate the privileged uid to all of our uids. */
+	if (setuid(geteuid()) < 0)
+		debug("setuid %d: %.100s", (int) geteuid(), strerror(errno));
+
+	/* Set the effective uid to the given (unprivileged) uid. */
+	if (seteuid(uid) == -1)
+		debug("seteuid %d: %.100s", (int) uid, strerror(errno));
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
+}
+
+/*
+ * Restores to the original uid.
+ */
+void
+restore_uid()
+{
+#ifdef SAVED_IDS_WORK_WITH_SETEUID
+	/* Set the effective uid back to the saved uid. */
+	if (seteuid(saved_euid) < 0)
+		debug("seteuid %d: %.100s", (int) saved_euid, strerror(errno));
+#else /* SAVED_IDS_WORK_WITH_SETEUID */
+	/*
+	 * We are unable to restore the real uid to its unprivileged value.
+	 * Propagate the real uid (usually more privileged) to effective uid
+	 * as well.
+	 */
+	setuid(getuid());
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
+}
+
+/*
+ * Permanently sets all uids to the given uid.  This cannot be
+ * called while temporarily_use_uid is effective.
+ */
+void
+permanently_set_uid(uid_t uid)
+{
+	if (setuid(uid) < 0)
+		debug("setuid %d: %.100s", (int) uid, strerror(errno));
+}
diff --git a/crypto/openssh/uidswap.h b/crypto/openssh/uidswap.h
new file mode 100644
index 0000000..c08a370
--- /dev/null
+++ b/crypto/openssh/uidswap.h
@@ -0,0 +1,36 @@
+/*
+ *
+ * uidswap.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Sat Sep  9 01:43:15 1995 ylo
+ * Last modified: Sat Sep  9 02:34:04 1995 ylo
+ *
+ */
+
+#ifndef UIDSWAP_H
+#define UIDSWAP_H
+
+/*
+ * Temporarily changes to the given uid.  If the effective user id is not
+ * root, this does nothing.  This call cannot be nested.
+ */
+void    temporarily_use_uid(uid_t uid);
+
+/*
+ * Restores the original effective user id after temporarily_use_uid().
+ * This should only be called while temporarily_use_uid is effective.
+ */
+void    restore_uid();
+
+/*
+ * Permanently sets all uids to the given uid.  This cannot be called while
+ * temporarily_use_uid is effective.  This must also clear any saved uids.
+ */
+void    permanently_set_uid(uid_t uid);
+
+#endif				/* UIDSWAP_H */
diff --git a/crypto/openssh/uuencode.c b/crypto/openssh/uuencode.c
new file mode 100644
index 0000000..fc84d5a
--- /dev/null
+++ b/crypto/openssh/uuencode.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ */
+#include "includes.h"
+#include "xmalloc.h"
+
+#include <resolv.h>
+
+int
+uuencode(unsigned char *src, unsigned int srclength,
+    char *target, size_t targsize)
+{
+	return __b64_ntop(src, srclength, target, targsize);
+}
+
+int
+uudecode(const char *src, unsigned char *target, size_t targsize)
+{
+	int len;
+	char *encoded, *p;
+
+	/* copy the 'readonly' source */
+	encoded = xstrdup(src);
+	/* skip whitespace and data */
+	for (p = encoded; *p == ' ' || *p == '\t'; p++)
+		;
+	for (; *p != '\0' && *p != ' ' && *p != '\t'; p++)
+		;
+	/* and remote trailing whitespace because __b64_pton needs this */
+	*p = '\0';
+	len = __b64_pton(encoded, target, targsize);
+	xfree(encoded);
+	return len;
+}
+
+void
+dump_base64(FILE *fp, unsigned char *data, int len)
+{
+	unsigned char *buf = xmalloc(2*len);
+	int i, n;
+	n = uuencode(data, len, buf, 2*len);
+	for (i = 0; i < n; i++) {
+		fprintf(fp, "%c", buf[i]);
+		if (i % 70 == 69)
+			fprintf(fp, "\n");
+	}
+	if (i % 70 != 69)
+		fprintf(fp, "\n");
+	xfree(buf);
+}
diff --git a/crypto/openssh/uuencode.h b/crypto/openssh/uuencode.h
new file mode 100644
index 0000000..c92c627
--- /dev/null
+++ b/crypto/openssh/uuencode.h
@@ -0,0 +1,6 @@
+#ifndef UUENCODE_H
+#define UUENCODE_H
+int	uuencode(unsigned char *src, unsigned int srclength, char *target, size_t targsize);
+int	uudecode(const char *src, unsigned char *target, size_t targsize);
+void	dump_base64(FILE *fp, unsigned char *data, int len);
+#endif
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
new file mode 100644
index 0000000..d577644
--- /dev/null
+++ b/crypto/openssh/version.h
@@ -0,0 +1 @@
+#define SSH_VERSION	"OpenSSH-2.1"
diff --git a/crypto/openssh/xmalloc.c b/crypto/openssh/xmalloc.c
new file mode 100644
index 0000000..3155099
--- /dev/null
+++ b/crypto/openssh/xmalloc.c
@@ -0,0 +1,53 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Mon Mar 20 21:23:10 1995 ylo
+ * Versions of malloc and friends that check their results, and never return
+ * failure (they call fatal if they encounter an error).
+ */
+
+#include "includes.h"
+RCSID("$Id: xmalloc.c,v 1.6 2000/04/14 10:30:34 markus Exp $");
+
+#include "ssh.h"
+
+void *
+xmalloc(size_t size)
+{
+	void *ptr = malloc(size);
+	if (ptr == NULL)
+		fatal("xmalloc: out of memory (allocating %d bytes)", (int) size);
+	return ptr;
+}
+
+void *
+xrealloc(void *ptr, size_t new_size)
+{
+	void *new_ptr;
+
+	if (ptr == NULL)
+		fatal("xrealloc: NULL pointer given as argument");
+	new_ptr = realloc(ptr, new_size);
+	if (new_ptr == NULL)
+		fatal("xrealloc: out of memory (new_size %d bytes)", (int) new_size);
+	return new_ptr;
+}
+
+void
+xfree(void *ptr)
+{
+	if (ptr == NULL)
+		fatal("xfree: NULL pointer given as argument");
+	free(ptr);
+}
+
+char *
+xstrdup(const char *str)
+{
+	int len = strlen(str) + 1;
+
+	char *cp = xmalloc(len);
+	strlcpy(cp, str, len);
+	return cp;
+}
diff --git a/crypto/openssh/xmalloc.h b/crypto/openssh/xmalloc.h
new file mode 100644
index 0000000..31291ea
--- /dev/null
+++ b/crypto/openssh/xmalloc.h
@@ -0,0 +1,34 @@
+/*
+ *
+ * xmalloc.h
+ *
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * Created: Mon Mar 20 22:09:17 1995 ylo
+ *
+ * Versions of malloc and friends that check their results, and never return
+ * failure (they call fatal if they encounter an error).
+ *
+ */
+
+/* RCSID("$Id: xmalloc.h,v 1.3 2000/04/14 10:30:34 markus Exp $"); */
+
+#ifndef XMALLOC_H
+#define XMALLOC_H
+
+/* Like malloc, but calls fatal() if out of memory. */
+void   *xmalloc(size_t size);
+
+/* Like realloc, but calls fatal() if out of memory. */
+void   *xrealloc(void *ptr, size_t new_size);
+
+/* Frees memory allocated using xmalloc or xrealloc. */
+void    xfree(void *ptr);
+
+/* Allocates memory using xmalloc, and copies the string into that memory. */
+char   *xstrdup(const char *str);
+
+#endif				/* XMALLOC_H */
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
new file mode 100644
index 0000000..29f3c28
--- /dev/null
+++ b/crypto/openssl/CHANGES
@@ -0,0 +1,2855 @@
+
+ OpenSSL CHANGES
+ _______________
+
+ Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
+
+  *) Make sure _lrotl and _lrotr are only used with MSVC.
+
+  *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
+     (the default implementation of RAND_status).
+
+  *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
+     to '-clrext' (= clear extensions), as intended and documented.
+     [Bodo Moeller; inconsistency pointed out by Michael Attili
+     <attili@amaxo.com>]
+
+  *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
+     was larger than the MD block size.      
+     [Steve Henson, pointed out by Yost William <YostW@tce.com>]
+
+  *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
+     fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
+     using the passed key: if the passed key was a private key the result
+     of X509_print(), for example, would be to print out all the private key
+     components.
+     [Steve Henson]
+
+  *) des_quad_cksum() byte order bug fix.
+     [Ulf Möller, using the problem description in krb4-0.9.7, where
+      the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
+
+  *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
+     discouraged.
+     [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]
+
+  *) For easily testing in shell scripts whether some command
+     'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
+     returns with exit code 0 iff no command of the given name is available.
+     'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
+     the output goes to stdout and nothing is printed to stderr.
+     Additional arguments are always ignored.
+
+     Since for each cipher there is a command of the same name,
+     the 'no-cipher' compilation switches can be tested this way.
+
+     ('openssl no-XXX' is not able to detect pseudo-commands such
+     as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
+     [Bodo Moeller]
+
+  *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
+     [Bodo Moeller]
+
+  *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
+     is set; it will be thrown away anyway because each handshake creates
+     its own key.
+     ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
+     to parameters -- in previous versions (since OpenSSL 0.9.3) the
+     'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
+     you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
+     [Bodo Moeller]
+
+  *) New s_client option -ign_eof: EOF at stdin is ignored, and
+     'Q' and 'R' lose their special meanings (quit/renegotiate).
+     This is part of what -quiet does; unlike -quiet, -ign_eof
+     does not suppress any output.
+     [Richard Levitte]
+
+  *) Add compatibility options to the purpose and trust code. The
+     purpose X509_PURPOSE_ANY is "any purpose" which automatically
+     accepts a certificate or CA, this was the previous behaviour,
+     with all the associated security issues.
+
+     X509_TRUST_COMPAT is the old trust behaviour: only and
+     automatically trust self signed roots in certificate store. A
+     new trust setting X509_TRUST_DEFAULT is used to specify that
+     a purpose has no associated trust setting and it should instead
+     use the value in the default purpose.
+     [Steve Henson]
+
+  *) Fix the PKCS#8 DSA private key code so it decodes keys again
+     and fix a memory leak.
+     [Steve Henson]
+
+  *) In util/mkerr.pl (which implements 'make errors'), preserve
+     reason strings from the previous version of the .c file, as
+     the default to have only downcase letters (and digits) in
+     automatically generated reasons codes is not always appropriate.
+     [Bodo Moeller]
+
+  *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
+     using strerror.  Previously, ERR_reason_error_string() returned
+     library names as reason strings for SYSerr; but SYSerr is a special
+     case where small numbers are errno values, not library numbers.
+     [Bodo Moeller]
+
+  *) Add '-dsaparam' option to 'openssl dhparam' application.  This
+     converts DSA parameters into DH parameters. (When creating parameters,
+     DSA_generate_parameters is used.)
+     [Bodo Moeller]
+
+  *) Include 'length' (recommended exponent length) in C code generated
+     by 'openssl dhparam -C'.
+     [Bodo Moeller]
+
+  *) The second argument to set_label in perlasm was already being used
+     so couldn't be used as a "file scope" flag. Moved to third argument
+     which was free.
+     [Steve Henson]
+
+  *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
+     instead of RAND_bytes for encryption IVs and salts.
+     [Bodo Moeller]
+
+  *) Include RAND_status() into RAND_METHOD instead of implementing
+     it only for md_rand.c  Otherwise replacing the PRNG by calling
+     RAND_set_rand_method would be impossible.
+     [Bodo Moeller]
+
+  *) Don't let DSA_generate_key() enter an infinite loop if the random
+     number generation fails.
+     [Bodo Moeller]
+
+  *) New 'rand' application for creating pseudo-random output.
+     [Bodo Moeller]
+
+  *) Added configuration support for Linux/IA64
+     [Rolf Haberrecker <rolf@suse.de>]
+
+  *) Assembler module support for Mingw32.
+     [Ulf Möller]
+
+  *) Shared library support for HPUX (in shlib/).
+     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
+
+  *) Shared library support for Solaris gcc.
+     [Lutz Behnke <behnke@trustcenter.de>]
+
+ Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
+
+  *) PKCS7_encrypt() was adding text MIME headers twice because they
+     were added manually and by SMIME_crlf_copy().
+     [Steve Henson]
+
+  *) In bntest.c don't call BN_rand with zero bits argument.
+     [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]
+
+  *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
+     case was implemented. This caused BN_div_recp() to fail occasionally.
+     [Ulf Möller]
+
+  *) Add an optional second argument to the set_label() in the perl
+     assembly language builder. If this argument exists and is set
+     to 1 it signals that the assembler should use a symbol whose 
+     scope is the entire file, not just the current function. This
+     is needed with MASM which uses the format label:: for this scope.
+     [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
+
+  *) Change the ASN1 types so they are typedefs by default. Before
+     almost all types were #define'd to ASN1_STRING which was causing
+     STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
+     for example.
+     [Steve Henson]
+
+  *) Change names of new functions to the new get1/get0 naming
+     convention: After 'get1', the caller owns a reference count
+     and has to call ..._free; 'get0' returns a pointer to some
+     data structure without incrementing reference counters.
+     (Some of the existing 'get' functions increment a reference
+     counter, some don't.)
+     Similarly, 'set1' and 'add1' functions increase reference
+     counters or duplicate objects.
+     [Steve Henson]
+
+  *) Allow for the possibility of temp RSA key generation failure:
+     the code used to assume it always worked and crashed on failure.
+     [Steve Henson]
+
+  *) Fix potential buffer overrun problem in BIO_printf().
+     [Ulf Möller, using public domain code by Patrick Powell; problem
+      pointed out by David Sacerdote <das33@cornell.edu>]
+
+  *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
+     RAND_egd() and RAND_status().  In the command line application,
+     the EGD socket can be specified like a seed file using RANDFILE
+     or -rand.
+     [Ulf Möller]
+
+  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
+     Some CAs (e.g. Verisign) distribute certificates in this form.
+     [Steve Henson]
+
+  *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
+     list to exclude them. This means that no special compilation option
+     is needed to use anonymous DH: it just needs to be included in the
+     cipher list.
+     [Steve Henson]
+
+  *) Change the EVP_MD_CTX_type macro so its meaning consistent with
+     EVP_MD_type. The old functionality is available in a new macro called
+     EVP_MD_md(). Change code that uses it and update docs.
+     [Steve Henson]
+
+  *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
+     where the 'void *' argument is replaced by a function pointer argument.
+     Previously 'void *' was abused to point to functions, which works on
+     many platforms, but is not correct.  As these functions are usually
+     called by macros defined in OpenSSL header files, most source code
+     should work without changes.
+     [Richard Levitte]
+
+  *) <openssl/opensslconf.h> (which is created by Configure) now contains
+     sections with information on -D... compiler switches used for
+     compiling the library so that applications can see them.  To enable
+     one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
+     must be defined.  E.g.,
+        #define OPENSSL_ALGORITHM_DEFINES
+        #include <openssl/opensslconf.h>
+     defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
+     [Richard Levitte, Ulf and Bodo Möller]
+
+  *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
+     record layer.
+     [Bodo Moeller]
+
+  *) Change the 'other' type in certificate aux info to a STACK_OF
+     X509_ALGOR. Although not an AlgorithmIdentifier as such it has
+     the required ASN1 format: arbitrary types determined by an OID.
+     [Steve Henson]
+
+  *) Add some PEM_write_X509_REQ_NEW() functions and a command line
+     argument to 'req'. This is not because the function is newer or
+     better than others it just uses the work 'NEW' in the certificate
+     request header lines. Some software needs this.
+     [Steve Henson]
+
+  *) Reorganise password command line arguments: now passwords can be
+     obtained from various sources. Delete the PEM_cb function and make
+     it the default behaviour: i.e. if the callback is NULL and the
+     usrdata argument is not NULL interpret it as a null terminated pass
+     phrase. If usrdata and the callback are NULL then the pass phrase
+     is prompted for as usual.
+     [Steve Henson]
+
+  *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
+     the support is automatically enabled. The resulting binaries will
+     autodetect the card and use it if present.
+     [Ben Laurie and Compaq Inc.]
+
+  *) Work around for Netscape hang bug. This sends certificate request
+     and server done in one record. Since this is perfectly legal in the
+     SSL/TLS protocol it isn't a "bug" option and is on by default. See
+     the bugs/SSLv3 entry for more info.
+     [Steve Henson]
+
+  *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
+     [Andy Polyakov]
+
+  *) Add -rand argument to smime and pkcs12 applications and read/write
+     of seed file.
+     [Steve Henson]
+
+  *) New 'passwd' tool for crypt(3) and apr1 password hashes.
+     [Bodo Moeller]
+
+  *) Add command line password options to the remaining applications.
+     [Steve Henson]
+
+  *) Bug fix for BN_div_recp() for numerators with an even number of
+     bits.
+     [Ulf Möller]
+
+  *) More tests in bntest.c, and changed test_bn output.
+     [Ulf Möller]
+
+  *) ./config recognizes MacOS X now.
+     [Andy Polyakov]
+
+  *) Bug fix for BN_div() when the first words of num and divsor are
+     equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
+     [Ulf Möller]
+
+  *) Add support for various broken PKCS#8 formats, and command line
+     options to produce them.
+     [Steve Henson]
+
+  *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
+     get temporary BIGNUMs from a BN_CTX.
+     [Ulf Möller]
+
+  *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
+     for p == 0.
+     [Ulf Möller]
+
+  *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
+     include a #define from the old name to the new. The original intent
+     was that statically linked binaries could for example just call
+     SSLeay_add_all_ciphers() to just add ciphers to the table and not
+     link with digests. This never worked becayse SSLeay_add_all_digests()
+     and SSLeay_add_all_ciphers() were in the same source file so calling
+     one would link with the other. They are now in separate source files.
+     [Steve Henson]
+
+  *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
+     [Steve Henson]
+
+  *) Use a less unusual form of the Miller-Rabin primality test (it used
+     a binary algorithm for exponentiation integrated into the Miller-Rabin
+     loop, our standard modexp algorithms are faster).
+     [Bodo Moeller]
+
+  *) Support for the EBCDIC character set completed.
+     [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]
+
+  *) Source code cleanups: use const where appropriate, eliminate casts,
+     use void * instead of char * in lhash.
+     [Ulf Möller] 
+
+  *) Bugfix: ssl3_send_server_key_exchange was not restartable
+     (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
+     this the server could overwrite ephemeral keys that the client
+     has already seen).
+     [Bodo Moeller]
+
+  *) Turn DSA_is_prime into a macro that calls BN_is_prime,
+     using 50 iterations of the Rabin-Miller test.
+
+     DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
+     iterations of the Rabin-Miller test as required by the appendix
+     to FIPS PUB 186[-1]) instead of DSA_is_prime.
+     As BN_is_prime_fasttest includes trial division, DSA parameter
+     generation becomes much faster.
+
+     This implies a change for the callback functions in DSA_is_prime
+     and DSA_generate_parameters: The callback function is called once
+     for each positive witness in the Rabin-Miller test, not just
+     occasionally in the inner loop; and the parameters to the
+     callback function now provide an iteration count for the outer
+     loop rather than for the current invocation of the inner loop.
+     DSA_generate_parameters additionally can call the callback
+     function with an 'iteration count' of -1, meaning that a
+     candidate has passed the trial division test (when q is generated 
+     from an application-provided seed, trial division is skipped).
+     [Bodo Moeller]
+
+  *) New function BN_is_prime_fasttest that optionally does trial
+     division before starting the Rabin-Miller test and has
+     an additional BN_CTX * argument (whereas BN_is_prime always
+     has to allocate at least one BN_CTX).
+     'callback(1, -1, cb_arg)' is called when a number has passed the
+     trial division stage.
+     [Bodo Moeller]
+
+  *) Fix for bug in CRL encoding. The validity dates weren't being handled
+     as ASN1_TIME.
+     [Steve Henson]
+
+  *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
+     [Steve Henson]
+
+  *) New function BN_pseudo_rand().
+     [Ulf Möller]
+
+  *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
+     bignum version of BN_from_montgomery() with the working code from
+     SSLeay 0.9.0 (the word based version is faster anyway), and clean up
+     the comments.
+     [Ulf Möller]
+
+  *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
+     made it impossible to use the same SSL_SESSION data structure in
+     SSL2 clients in multiple threads.
+     [Bodo Moeller]
+
+  *) The return value of RAND_load_file() no longer counts bytes obtained
+     by stat().  RAND_load_file(..., -1) is new and uses the complete file
+     to seed the PRNG (previously an explicit byte count was required).
+     [Ulf Möller, Bodo Möller]
+
+  *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
+     used (char *) instead of (void *) and had casts all over the place.
+     [Steve Henson]
+
+  *) Make BN_generate_prime() return NULL on error if ret!=NULL.
+     [Ulf Möller]
+
+  *) Retain source code compatibility for BN_prime_checks macro:
+     BN_is_prime(..., BN_prime_checks, ...) now uses
+     BN_prime_checks_for_size to determine the appropriate number of
+     Rabin-Miller iterations.
+     [Ulf Möller]
+
+  *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
+     DH_CHECK_P_NOT_SAFE_PRIME.
+     (Check if this is true? OpenPGP calls them "strong".)
+     [Ulf Möller]
+
+  *) Merge the functionality of "dh" and "gendh" programs into a new program
+     "dhparam". The old programs are retained for now but will handle DH keys
+     (instead of parameters) in future.
+     [Steve Henson]
+
+  *) Make the ciphers, s_server and s_client programs check the return values
+     when a new cipher list is set.
+     [Steve Henson]
+
+  *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
+     ciphers. Before when the 56bit ciphers were enabled the sorting was
+     wrong.
+
+     The syntax for the cipher sorting has been extended to support sorting by
+     cipher-strength (using the strength_bits hard coded in the tables).
+     The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
+
+     Fix a bug in the cipher-command parser: when supplying a cipher command
+     string with an "undefined" symbol (neither command nor alphanumeric
+     [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
+     an error is flagged.
+
+     Due to the strength-sorting extension, the code of the
+     ssl_create_cipher_list() function was completely rearranged. I hope that
+     the readability was also increased :-)
+     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
+
+  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
+     for the first serial number and places 2 in the serial number file. This
+     avoids problems when the root CA is created with serial number zero and
+     the first user certificate has the same issuer name and serial number
+     as the root CA.
+     [Steve Henson]
+
+  *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
+     the new code. Add documentation for this stuff.
+     [Steve Henson]
+
+  *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
+     X509_*() to X509at_*() on the grounds that they don't handle X509
+     structures and behave in an analagous way to the X509v3 functions:
+     they shouldn't be called directly but wrapper functions should be used
+     instead.
+
+     So we also now have some wrapper functions that call the X509at functions
+     when passed certificate requests. (TO DO: similar things can be done with
+     PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
+     things. Some of these need some d2i or i2d and print functionality
+     because they handle more complex structures.)
+     [Steve Henson]
+
+  *) Add missing #ifndefs that caused missing symbols when building libssl
+     as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
+     NO_RSA in ssl/s2*.c. 
+     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
+
+  *) Precautions against using the PRNG uninitialized: RAND_bytes() now
+     has a return value which indicates the quality of the random data
+     (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
+     error queue. New function RAND_pseudo_bytes() generates output that is
+     guaranteed to be unique but not unpredictable. RAND_add is like
+     RAND_seed, but takes an extra argument for an entropy estimate
+     (RAND_seed always assumes full entropy).
+     [Ulf Möller]
+
+  *) Do more iterations of Rabin-Miller probable prime test (specifically,
+     3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
+     instead of only 2 for all lengths; see BN_prime_checks_for_size definition
+     in crypto/bn/bn_prime.c for the complete table).  This guarantees a
+     false-positive rate of at most 2^-80 for random input.
+     [Bodo Moeller]
+
+  *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
+     [Bodo Moeller]
+
+  *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
+     in the 0.9.5 release), this returns the chain
+     from an X509_CTX structure with a dup of the stack and all
+     the X509 reference counts upped: so the stack will exist
+     after X509_CTX_cleanup() has been called. Modify pkcs12.c
+     to use this.
+
+     Also make SSL_SESSION_print() print out the verify return
+     code.
+     [Steve Henson]
+
+  *) Add manpage for the pkcs12 command. Also change the default
+     behaviour so MAC iteration counts are used unless the new
+     -nomaciter option is used. This improves file security and
+     only older versions of MSIE (4.0 for example) need it.
+     [Steve Henson]
+
+  *) Honor the no-xxx Configure options when creating .DEF files.
+     [Ulf Möller]
+
+  *) Add PKCS#10 attributes to field table: challengePassword, 
+     unstructuredName and unstructuredAddress. These are taken from
+     draft PKCS#9 v2.0 but are compatible with v1.2 provided no 
+     international characters are used.
+
+     More changes to X509_ATTRIBUTE code: allow the setting of types
+     based on strings. Remove the 'loc' parameter when adding
+     attributes because these will be a SET OF encoding which is sorted
+     in ASN1 order.
+     [Steve Henson]
+
+  *) Initial changes to the 'req' utility to allow request generation
+     automation. This will allow an application to just generate a template
+     file containing all the field values and have req construct the
+     request.
+
+     Initial support for X509_ATTRIBUTE handling. Stacks of these are
+     used all over the place including certificate requests and PKCS#7
+     structures. They are currently handled manually where necessary with
+     some primitive wrappers for PKCS#7. The new functions behave in a
+     manner analogous to the X509 extension functions: they allow
+     attributes to be looked up by NID and added.
+
+     Later something similar to the X509V3 code would be desirable to
+     automatically handle the encoding, decoding and printing of the
+     more complex types. The string types like challengePassword can
+     be handled by the string table functions.
+
+     Also modified the multi byte string table handling. Now there is
+     a 'global mask' which masks out certain types. The table itself
+     can use the flag STABLE_NO_MASK to ignore the mask setting: this
+     is useful when for example there is only one permissible type
+     (as in countryName) and using the mask might result in no valid
+     types at all.
+     [Steve Henson]
+
+  *) Clean up 'Finished' handling, and add functions SSL_get_finished and
+     SSL_get_peer_finished to allow applications to obtain the latest
+     Finished messages sent to the peer or expected from the peer,
+     respectively.  (SSL_get_peer_finished is usually the Finished message
+     actually received from the peer, otherwise the protocol will be aborted.)
+
+     As the Finished message are message digests of the complete handshake
+     (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
+     be used for external authentication procedures when the authentication
+     provided by SSL/TLS is not desired or is not enough.
+     [Bodo Moeller]
+
+  *) Enhanced support for Alpha Linux is added. Now ./config checks if
+     the host supports BWX extension and if Compaq C is present on the
+     $PATH. Just exploiting of the BWX extension results in 20-30%
+     performance kick for some algorithms, e.g. DES and RC4 to mention
+     a couple. Compaq C in turn generates ~20% faster code for MD5 and
+     SHA1.
+     [Andy Polyakov]
+
+  *) Add support for MS "fast SGC". This is arguably a violation of the
+     SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
+     weak crypto and after checking the certificate is SGC a second one
+     with strong crypto. MS SGC stops the first handshake after receiving
+     the server certificate message and sends a second client hello. Since
+     a server will typically do all the time consuming operations before
+     expecting any further messages from the client (server key exchange
+     is the most expensive) there is little difference between the two.
+
+     To get OpenSSL to support MS SGC we have to permit a second client
+     hello message after we have sent server done. In addition we have to
+     reset the MAC if we do get this second client hello.
+     [Steve Henson]
+
+  *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
+     if a DER encoded private key is RSA or DSA traditional format. Changed
+     d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
+     format DER encoded private key. Newer code should use PKCS#8 format which
+     has the key type encoded in the ASN1 structure. Added DER private key
+     support to pkcs8 application.
+     [Steve Henson]
+
+  *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
+     ciphersuites has been selected (as required by the SSL 3/TLS 1
+     specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+     is set, we interpret this as a request to violate the specification
+     (the worst that can happen is a handshake failure, and 'correct'
+     behaviour would result in a handshake failure anyway).
+     [Bodo Moeller]
+
+  *) In SSL_CTX_add_session, take into account that there might be multiple
+     SSL_SESSION structures with the same session ID (e.g. when two threads
+     concurrently obtain them from an external cache).
+     The internal cache can handle only one SSL_SESSION with a given ID,
+     so if there's a conflict, we now throw out the old one to achieve
+     consistency.
+     [Bodo Moeller]
+
+  *) Add OIDs for idea and blowfish in CBC mode. This will allow both
+     to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
+     some routines that use cipher OIDs: some ciphers do not have OIDs
+     defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
+     example.
+     [Steve Henson]
+
+  *) Simplify the trust setting structure and code. Now we just have
+     two sequences of OIDs for trusted and rejected settings. These will
+     typically have values the same as the extended key usage extension
+     and any application specific purposes.
+
+     The trust checking code now has a default behaviour: it will just
+     check for an object with the same NID as the passed id. Functions can
+     be provided to override either the default behaviour or the behaviour
+     for a given id. SSL client, server and email already have functions
+     in place for compatibility: they check the NID and also return "trusted"
+     if the certificate is self signed.
+     [Steve Henson]
+
+  *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
+     traditional format into an EVP_PKEY structure.
+     [Steve Henson]
+
+  *) Add a password callback function PEM_cb() which either prompts for
+     a password if usr_data is NULL or otherwise assumes it is a null
+     terminated password. Allow passwords to be passed on command line
+     environment or config files in a few more utilities.
+     [Steve Henson]
+
+  *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
+     keys. Add some short names for PKCS#8 PBE algorithms and allow them
+     to be specified on the command line for the pkcs8 and pkcs12 utilities.
+     Update documentation.
+     [Steve Henson]
+
+  *) Support for ASN1 "NULL" type. This could be handled before by using
+     ASN1_TYPE but there wasn't any function that would try to read a NULL
+     and produce an error if it couldn't. For compatibility we also have
+     ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
+     don't allocate anything because they don't need to.
+     [Steve Henson]
+
+  *) Initial support for MacOS is now provided. Examine INSTALL.MacOS
+     for details.
+     [Andy Polyakov, Roy Woods <roy@centicsystems.ca>]
+
+  *) Rebuild of the memory allocation routines used by OpenSSL code and
+     possibly others as well.  The purpose is to make an interface that
+     provide hooks so anyone can build a separate set of allocation and
+     deallocation routines to be used by OpenSSL, for example memory
+     pool implementations, or something else, which was previously hard
+     since Malloc(), Realloc() and Free() were defined as macros having
+     the values malloc, realloc and free, respectively (except for Win32
+     compilations).  The same is provided for memory debugging code.
+     OpenSSL already comes with functionality to find memory leaks, but
+     this gives people a chance to debug other memory problems.
+
+     With these changes, a new set of functions and macros have appeared:
+
+       CRYPTO_set_mem_debug_functions()		[F]
+       CRYPTO_get_mem_debug_functions()		[F]
+       CRYPTO_dbg_set_options()			[F]
+       CRYPTO_dbg_get_options()			[F]
+       CRYPTO_malloc_debug_init()		[M]
+
+     The memory debug functions are NULL by default, unless the library
+     is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
+     wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
+     gives the standard debugging functions that come with OpenSSL) or
+     CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
+     provided by the library user) must be used.  When the standard
+     debugging functions are used, CRYPTO_dbg_set_options can be used to
+     request additional information:
+     CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
+     the CRYPTO_MDEBUG_xxx macro when compiling the library.   
+
+     Also, things like CRYPTO_set_mem_functions will always give the
+     expected result (the new set of functions is used for allocation
+     and deallocation) at all times, regardless of platform and compiler
+     options.
+
+     To finish it up, some functions that were never use in any other
+     way than through macros have a new API and new semantic:
+
+       CRYPTO_dbg_malloc()
+       CRYPTO_dbg_realloc()
+       CRYPTO_dbg_free()
+
+     All macros of value have retained their old syntax.
+     [Richard Levitte and Bodo Moeller]
+
+  *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
+     ordering of SMIMECapabilities wasn't in "strength order" and there
+     was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
+     algorithm.
+     [Steve Henson]
+
+  *) Some ASN1 types with illegal zero length encoding (INTEGER,
+     ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
+     [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]
+
+  *) Merge in my S/MIME library for OpenSSL. This provides a simple
+     S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
+     functionality to handle multipart/signed properly) and a utility
+     called 'smime' to call all this stuff. This is based on code I
+     originally wrote for Celo who have kindly allowed it to be
+     included in OpenSSL.
+     [Steve Henson]
+
+  *) Add variants des_set_key_checked and des_set_key_unchecked of
+     des_set_key (aka des_key_sched).  Global variable des_check_key
+     decides which of these is called by des_set_key; this way
+     des_check_key behaves as it always did, but applications and
+     the library itself, which was buggy for des_check_key == 1,
+     have a cleaner way to pick the version they need.
+     [Bodo Moeller]
+
+  *) New function PKCS12_newpass() which changes the password of a
+     PKCS12 structure.
+     [Steve Henson]
+
+  *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
+     dynamic mix. In both cases the ids can be used as an index into the
+     table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
+     functions so they accept a list of the field values and the
+     application doesn't need to directly manipulate the X509_TRUST
+     structure.
+     [Steve Henson]
+
+  *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
+     need initialising.
+     [Steve Henson]
+
+  *) Modify the way the V3 extension code looks up extensions. This now
+     works in a similar way to the object code: we have some "standard"
+     extensions in a static table which is searched with OBJ_bsearch()
+     and the application can add dynamic ones if needed. The file
+     crypto/x509v3/ext_dat.h now has the info: this file needs to be
+     updated whenever a new extension is added to the core code and kept
+     in ext_nid order. There is a simple program 'tabtest.c' which checks
+     this. New extensions are not added too often so this file can readily
+     be maintained manually.
+
+     There are two big advantages in doing things this way. The extensions
+     can be looked up immediately and no longer need to be "added" using
+     X509V3_add_standard_extensions(): this function now does nothing.
+     [Side note: I get *lots* of email saying the extension code doesn't
+      work because people forget to call this function]
+     Also no dynamic allocation is done unless new extensions are added:
+     so if we don't add custom extensions there is no need to call
+     X509V3_EXT_cleanup().
+     [Steve Henson]
+
+  *) Modify enc utility's salting as follows: make salting the default. Add a
+     magic header, so unsalted files fail gracefully instead of just decrypting
+     to garbage. This is because not salting is a big security hole, so people
+     should be discouraged from doing it.
+     [Ben Laurie]
+
+  *) Fixes and enhancements to the 'x509' utility. It allowed a message
+     digest to be passed on the command line but it only used this
+     parameter when signing a certificate. Modified so all relevant
+     operations are affected by the digest parameter including the
+     -fingerprint and -x509toreq options. Also -x509toreq choked if a
+     DSA key was used because it didn't fix the digest.
+     [Steve Henson]
+
+  *) Initial certificate chain verify code. Currently tests the untrusted
+     certificates for consistency with the verify purpose (which is set
+     when the X509_STORE_CTX structure is set up) and checks the pathlength.
+
+     There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
+     this is because it will reject chains with invalid extensions whereas
+     every previous version of OpenSSL and SSLeay made no checks at all.
+
+     Trust code: checks the root CA for the relevant trust settings. Trust
+     settings have an initial value consistent with the verify purpose: e.g.
+     if the verify purpose is for SSL client use it expects the CA to be
+     trusted for SSL client use. However the default value can be changed to
+     permit custom trust settings: one example of this would be to only trust
+     certificates from a specific "secure" set of CAs.
+
+     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
+     which should be used for version portability: especially since the
+     verify structure is likely to change more often now.
+
+     SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
+     to set them. If not set then assume SSL clients will verify SSL servers
+     and vice versa.
+
+     Two new options to the verify program: -untrusted allows a set of
+     untrusted certificates to be passed in and -purpose which sets the
+     intended purpose of the certificate. If a purpose is set then the
+     new chain verify code is used to check extension consistency.
+     [Steve Henson]
+
+  *) Support for the authority information access extension.
+     [Steve Henson]
+
+  *) Modify RSA and DSA PEM read routines to transparently handle
+     PKCS#8 format private keys. New *_PUBKEY_* functions that handle
+     public keys in a format compatible with certificate
+     SubjectPublicKeyInfo structures. Unfortunately there were already
+     functions called *_PublicKey_* which used various odd formats so
+     these are retained for compatibility: however the DSA variants were
+     never in a public release so they have been deleted. Changed dsa/rsa
+     utilities to handle the new format: note no releases ever handled public
+     keys so we should be OK.
+
+     The primary motivation for this change is to avoid the same fiasco
+     that dogs private keys: there are several incompatible private key
+     formats some of which are standard and some OpenSSL specific and
+     require various evil hacks to allow partial transparent handling and
+     even then it doesn't work with DER formats. Given the option anything
+     other than PKCS#8 should be dumped: but the other formats have to
+     stay in the name of compatibility.
+
+     With public keys and the benefit of hindsight one standard format 
+     is used which works with EVP_PKEY, RSA or DSA structures: though
+     it clearly returns an error if you try to read the wrong kind of key.
+
+     Added a -pubkey option to the 'x509' utility to output the public key.
+     Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
+     (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
+     EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
+     that do the same as the EVP_PKEY_assign_*() except they up the
+     reference count of the added key (they don't "swallow" the
+     supplied key).
+     [Steve Henson]
+
+  *) Fixes to crypto/x509/by_file.c the code to read in certificates and
+     CRLs would fail if the file contained no certificates or no CRLs:
+     added a new function to read in both types and return the number
+     read: this means that if none are read it will be an error. The
+     DER versions of the certificate and CRL reader would always fail
+     because it isn't possible to mix certificates and CRLs in DER format
+     without choking one or the other routine. Changed this to just read
+     a certificate: this is the best we can do. Also modified the code
+     in apps/verify.c to take notice of return codes: it was previously
+     attempting to read in certificates from NULL pointers and ignoring
+     any errors: this is one reason why the cert and CRL reader seemed
+     to work. It doesn't check return codes from the default certificate
+     routines: these may well fail if the certificates aren't installed.
+     [Steve Henson]
+
+  *) Code to support otherName option in GeneralName.
+     [Steve Henson]
+
+  *) First update to verify code. Change the verify utility
+     so it warns if it is passed a self signed certificate:
+     for consistency with the normal behaviour. X509_verify
+     has been modified to it will now verify a self signed
+     certificate if *exactly* the same certificate appears
+     in the store: it was previously impossible to trust a
+     single self signed certificate. This means that:
+     openssl verify ss.pem
+     now gives a warning about a self signed certificate but
+     openssl verify -CAfile ss.pem ss.pem
+     is OK.
+     [Steve Henson]
+
+  *) For servers, store verify_result in SSL_SESSION data structure
+     (and add it to external session representation).
+     This is needed when client certificate verifications fails,
+     but an application-provided verification callback (set by
+     SSL_CTX_set_cert_verify_callback) allows accepting the session
+     anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
+     but returns 1): When the session is reused, we have to set
+     ssl->verify_result to the appropriate error code to avoid
+     security holes.
+     [Bodo Moeller, problem pointed out by Lutz Jaenicke]
+
+  *) Fix a bug in the new PKCS#7 code: it didn't consider the
+     case in PKCS7_dataInit() where the signed PKCS7 structure
+     didn't contain any existing data because it was being created.
+     [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]
+
+  *) Add a salt to the key derivation routines in enc.c. This
+     forms the first 8 bytes of the encrypted file. Also add a
+     -S option to allow a salt to be input on the command line.
+     [Steve Henson]
+
+  *) New function X509_cmp(). Oddly enough there wasn't a function
+     to compare two certificates. We do this by working out the SHA1
+     hash and comparing that. X509_cmp() will be needed by the trust
+     code.
+     [Steve Henson]
+
+  *) SSL_get1_session() is like SSL_get_session(), but increments
+     the reference count in the SSL_SESSION returned.
+     [Geoff Thorpe <geoff@eu.c2.net>]
+
+  *) Fix for 'req': it was adding a null to request attributes.
+     Also change the X509_LOOKUP and X509_INFO code to handle
+     certificate auxiliary information.
+     [Steve Henson]
+
+  *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
+     the 'enc' command.
+     [Steve Henson]
+
+  *) Add the possibility to add extra information to the memory leak
+     detecting output, to form tracebacks, showing from where each
+     allocation was originated: CRYPTO_push_info("constant string") adds
+     the string plus current file name and line number to a per-thread
+     stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
+     is like calling CYRPTO_pop_info() until the stack is empty.
+     Also updated memory leak detection code to be multi-thread-safe.
+     [Richard Levitte]
+
+  *) Add options -text and -noout to pkcs7 utility and delete the
+     encryption options which never did anything. Update docs.
+     [Steve Henson]
+
+  *) Add options to some of the utilities to allow the pass phrase
+     to be included on either the command line (not recommended on
+     OSes like Unix) or read from the environment. Update the
+     manpages and fix a few bugs.
+     [Steve Henson]
+
+  *) Add a few manpages for some of the openssl commands.
+     [Steve Henson]
+
+  *) Fix the -revoke option in ca. It was freeing up memory twice,
+     leaking and not finding already revoked certificates.
+     [Steve Henson]
+
+  *) Extensive changes to support certificate auxiliary information.
+     This involves the use of X509_CERT_AUX structure and X509_AUX
+     functions. An X509_AUX function such as PEM_read_X509_AUX()
+     can still read in a certificate file in the usual way but it
+     will also read in any additional "auxiliary information". By
+     doing things this way a fair degree of compatibility can be
+     retained: existing certificates can have this information added
+     using the new 'x509' options. 
+
+     Current auxiliary information includes an "alias" and some trust
+     settings. The trust settings will ultimately be used in enhanced
+     certificate chain verification routines: currently a certificate
+     can only be trusted if it is self signed and then it is trusted
+     for all purposes.
+     [Steve Henson]
+
+  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
+     The problem was that one of the replacement routines had not been working
+     since SSLeay releases.  For now the offending routine has been replaced
+     with non-optimised assembler.  Even so, this now gives around 95%
+     performance improvement for 1024 bit RSA signs.
+     [Mark Cox]
+
+  *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 
+     handling. Most clients have the effective key size in bits equal to
+     the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
+     A few however don't do this and instead use the size of the decrypted key
+     to determine the RC2 key length and the AlgorithmIdentifier to determine
+     the effective key length. In this case the effective key length can still
+     be 40 bits but the key length can be 168 bits for example. This is fixed
+     by manually forcing an RC2 key into the EVP_PKEY structure because the
+     EVP code can't currently handle unusual RC2 key sizes: it always assumes
+     the key length and effective key length are equal.
+     [Steve Henson]
+
+  *) Add a bunch of functions that should simplify the creation of 
+     X509_NAME structures. Now you should be able to do:
+     X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
+     and have it automatically work out the correct field type and fill in
+     the structures. The more adventurous can try:
+     X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
+     and it will (hopefully) work out the correct multibyte encoding.
+     [Steve Henson]
+
+  *) Change the 'req' utility to use the new field handling and multibyte
+     copy routines. Before the DN field creation was handled in an ad hoc
+     way in req, ca, and x509 which was rather broken and didn't support
+     BMPStrings or UTF8Strings. Since some software doesn't implement
+     BMPStrings or UTF8Strings yet, they can be enabled using the config file
+     using the dirstring_type option. See the new comment in the default
+     openssl.cnf for more info.
+     [Steve Henson]
+
+  *) Make crypto/rand/md_rand.c more robust:
+     - Assure unique random numbers after fork().
+     - Make sure that concurrent threads access the global counter and
+       md serializably so that we never lose entropy in them
+       or use exactly the same state in multiple threads.
+       Access to the large state is not always serializable because
+       the additional locking could be a performance killer, and
+       md should be large enough anyway.
+     [Bodo Moeller]
+
+  *) New file apps/app_rand.c with commonly needed functionality
+     for handling the random seed file.
+
+     Use the random seed file in some applications that previously did not:
+          ca,
+          dsaparam -genkey (which also ignored its '-rand' option), 
+          s_client,
+          s_server,
+          x509 (when signing).
+     Except on systems with /dev/urandom, it is crucial to have a random
+     seed file at least for key creation, DSA signing, and for DH exchanges;
+     for RSA signatures we could do without one.
+
+     gendh and gendsa (unlike genrsa) used to read only the first byte
+     of each file listed in the '-rand' option.  The function as previously
+     found in genrsa is now in app_rand.c and is used by all programs
+     that support '-rand'.
+     [Bodo Moeller]
+
+  *) In RAND_write_file, use mode 0600 for creating files;
+     don't just chmod when it may be too late.
+     [Bodo Moeller]
+
+  *) Report an error from X509_STORE_load_locations
+     when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
+     [Bill Perry]
+
+  *) New function ASN1_mbstring_copy() this copies a string in either
+     ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
+     into an ASN1_STRING type. A mask of permissible types is passed
+     and it chooses the "minimal" type to use or an error if not type
+     is suitable.
+     [Steve Henson]
+
+  *) Add function equivalents to the various macros in asn1.h. The old
+     macros are retained with an M_ prefix. Code inside the library can
+     use the M_ macros. External code (including the openssl utility)
+     should *NOT* in order to be "shared library friendly".
+     [Steve Henson]
+
+  *) Add various functions that can check a certificate's extensions
+     to see if it usable for various purposes such as SSL client,
+     server or S/MIME and CAs of these types. This is currently 
+     VERY EXPERIMENTAL but will ultimately be used for certificate chain
+     verification. Also added a -purpose flag to x509 utility to
+     print out all the purposes.
+     [Steve Henson]
+
+  *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated
+     functions.
+     [Steve Henson]
+
+  *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
+     for, obtain and decode and extension and obtain its critical flag.
+     This allows all the necessary extension code to be handled in a
+     single function call.
+     [Steve Henson]
+
+  *) RC4 tune-up featuring 30-40% performance improvement on most RISC
+     platforms. See crypto/rc4/rc4_enc.c for further details.
+     [Andy Polyakov]
+
+  *) New -noout option to asn1parse. This causes no output to be produced
+     its main use is when combined with -strparse and -out to extract data
+     from a file (which may not be in ASN.1 format).
+     [Steve Henson]
+
+  *) Fix for pkcs12 program. It was hashing an invalid certificate pointer
+     when producing the local key id.
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) New option -dhparam in s_server. This allows a DH parameter file to be
+     stated explicitly. If it is not stated then it tries the first server
+     certificate file. The previous behaviour hard coded the filename
+     "server.pem".
+     [Steve Henson]
+
+  *) Add -pubin and -pubout options to the rsa and dsa commands. These allow
+     a public key to be input or output. For example:
+     openssl rsa -in key.pem -pubout -out pubkey.pem
+     Also added necessary DSA public key functions to handle this.
+     [Steve Henson]
+
+  *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
+     in the message. This was handled by allowing
+     X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
+     [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>]
+
+  *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
+     to the end of the strings whereas this didn't. This would cause problems
+     if strings read with d2i_ASN1_bytes() were later modified.
+     [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>]
+
+  *) Fix for base64 decode bug. When a base64 bio reads only one line of
+     data and it contains EOF it will end up returning an error. This is
+     caused by input 46 bytes long. The cause is due to the way base64
+     BIOs find the start of base64 encoded data. They do this by trying a
+     trial decode on each line until they find one that works. When they
+     do a flag is set and it starts again knowing it can pass all the
+     data directly through the decoder. Unfortunately it doesn't reset
+     the context it uses. This means that if EOF is reached an attempt
+     is made to pass two EOFs through the context and this causes the
+     resulting error. This can also cause other problems as well. As is
+     usual with these problems it takes *ages* to find and the fix is
+     trivial: move one line.
+     [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ]
+
+  *) Ugly workaround to get s_client and s_server working under Windows. The
+     old code wouldn't work because it needed to select() on sockets and the
+     tty (for keypresses and to see if data could be written). Win32 only
+     supports select() on sockets so we select() with a 1s timeout on the
+     sockets and then see if any characters are waiting to be read, if none
+     are present then we retry, we also assume we can always write data to
+     the tty. This isn't nice because the code then blocks until we've
+     received a complete line of data and it is effectively polling the
+     keyboard at 1s intervals: however it's quite a bit better than not
+     working at all :-) A dedicated Windows application might handle this
+     with an event loop for example.
+     [Steve Henson]
+
+  *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
+     and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
+     will be called when RSA_sign() and RSA_verify() are used. This is useful
+     if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
+     For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
+     should *not* be used: RSA_sign() and RSA_verify() must be used instead.
+     This necessitated the support of an extra signature type NID_md5_sha1
+     for SSL signatures and modifications to the SSL library to use it instead
+     of calling RSA_public_decrypt() and RSA_private_encrypt().
+     [Steve Henson]
+
+  *) Add new -verify -CAfile and -CApath options to the crl program, these
+     will lookup a CRL issuers certificate and verify the signature in a
+     similar way to the verify program. Tidy up the crl program so it
+     no longer accesses structures directly. Make the ASN1 CRL parsing a bit
+     less strict. It will now permit CRL extensions even if it is not
+     a V2 CRL: this will allow it to tolerate some broken CRLs.
+     [Steve Henson]
+
+  *) Initialize all non-automatic variables each time one of the openssl
+     sub-programs is started (this is necessary as they may be started
+     multiple times from the "OpenSSL>" prompt).
+     [Lennart Bang, Bodo Moeller]
+
+  *) Preliminary compilation option RSA_NULL which disables RSA crypto without
+     removing all other RSA functionality (this is what NO_RSA does). This
+     is so (for example) those in the US can disable those operations covered
+     by the RSA patent while allowing storage and parsing of RSA keys and RSA
+     key generation.
+     [Steve Henson]
+
+  *) Non-copying interface to BIO pairs.
+     (still largely untested)
+     [Bodo Moeller]
+
+  *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive
+     ASCII string. This was handled independently in various places before.
+     [Steve Henson]
+
+  *) New functions UTF8_getc() and UTF8_putc() that parse and generate
+     UTF8 strings a character at a time.
+     [Steve Henson]
+
+  *) Use client_version from client hello to select the protocol
+     (s23_srvr.c) and for RSA client key exchange verification
+     (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
+     [Bodo Moeller]
+
+  *) Add various utility functions to handle SPKACs, these were previously
+     handled by poking round in the structure internals. Added new function
+     NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
+     print, verify and generate SPKACs. Based on an original idea from
+     Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
+     [Steve Henson]
+
+  *) RIPEMD160 is operational on all platforms and is back in 'make test'.
+     [Andy Polyakov]
+
+  *) Allow the config file extension section to be overwritten on the
+     command line. Based on an original idea from Massimiliano Pala
+     <madwolf@comune.modena.it>. The new option is called -extensions
+     and can be applied to ca, req and x509. Also -reqexts to override
+     the request extensions in req and -crlexts to override the crl extensions
+     in ca.
+     [Steve Henson]
+
+  *) Add new feature to the SPKAC handling in ca.  Now you can include
+     the same field multiple times by preceding it by "XXXX." for example:
+     1.OU="Unit name 1"
+     2.OU="Unit name 2"
+     this is the same syntax as used in the req config file.
+     [Steve Henson]
+
+  *) Allow certificate extensions to be added to certificate requests. These
+     are specified in a 'req_extensions' option of the req section of the
+     config file. They can be printed out with the -text option to req but
+     are otherwise ignored at present.
+     [Steve Henson]
+
+  *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
+     data read consists of only the final block it would not decrypted because
+     EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
+     A misplaced 'break' also meant the decrypted final block might not be
+     copied until the next read.
+     [Steve Henson]
+
+  *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
+     a few extra parameters to the DH structure: these will be useful if
+     for example we want the value of 'q' or implement X9.42 DH.
+     [Steve Henson]
+
+  *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and
+     provides hooks that allow the default DSA functions or functions on a
+     "per key" basis to be replaced. This allows hardware acceleration and
+     hardware key storage to be handled without major modification to the
+     library. Also added low level modexp hooks and CRYPTO_EX structure and 
+     associated functions.
+     [Steve Henson]
+
+  *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
+     as "read only": it can't be written to and the buffer it points to will
+     not be freed. Reading from a read only BIO is much more efficient than
+     a normal memory BIO. This was added because there are several times when
+     an area of memory needs to be read from a BIO. The previous method was
+     to create a memory BIO and write the data to it, this results in two
+     copies of the data and an O(n^2) reading algorithm. There is a new
+     function BIO_new_mem_buf() which creates a read only memory BIO from
+     an area of memory. Also modified the PKCS#7 routines to use read only
+     memory BIOs.
+     [Steve Henson]
+
+  *) Bugfix: ssl23_get_client_hello did not work properly when called in
+     state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
+     a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
+     but a retry condition occured while trying to read the rest.
+     [Bodo Moeller]
+
+  *) The PKCS7_ENC_CONTENT_new() function was setting the content type as
+     NID_pkcs7_encrypted by default: this was wrong since this should almost
+     always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
+     the encrypted data type: this is a more sensible place to put it and it
+     allows the PKCS#12 code to be tidied up that duplicated this
+     functionality.
+     [Steve Henson]
+
+  *) Changed obj_dat.pl script so it takes its input and output files on
+     the command line. This should avoid shell escape redirection problems
+     under Win32.
+     [Steve Henson]
+
+  *) Initial support for certificate extension requests, these are included
+     in things like Xenroll certificate requests. Included functions to allow
+     extensions to be obtained and added.
+     [Steve Henson]
+
+  *) -crlf option to s_client and s_server for sending newlines as
+     CRLF (as required by many protocols).
+     [Bodo Moeller]
+
+ Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
+  
+  *) Install libRSAglue.a when OpenSSL is built with RSAref.
+     [Ralf S. Engelschall]
+
+  *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
+     [Andrija Antonijevic <TheAntony2@bigfoot.com>]
+
+  *) Fix -startdate and -enddate (which was missing) arguments to 'ca'
+     program.
+     [Steve Henson]
+
+  *) New function DSA_dup_DH, which duplicates DSA parameters/keys as
+     DH parameters/keys (q is lost during that conversion, but the resulting
+     DH parameters contain its length).
+
+     For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
+     much faster than DH_generate_parameters (which creates parameters
+     where p = 2*q + 1), and also the smaller q makes DH computations
+     much more efficient (160-bit exponentiation instead of 1024-bit
+     exponentiation); so this provides a convenient way to support DHE
+     ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
+     utter importance to use
+         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     or
+         SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     when such DH parameters are used, because otherwise small subgroup
+     attacks may become possible!
+     [Bodo Moeller]
+
+  *) Avoid memory leak in i2d_DHparams.
+     [Bodo Moeller]
+
+  *) Allow the -k option to be used more than once in the enc program:
+     this allows the same encrypted message to be read by multiple recipients.
+     [Steve Henson]
+
+  *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
+     an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
+     it will always use the numerical form of the OID, even if it has a short
+     or long name.
+     [Steve Henson]
+
+  *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
+     method only got called if p,q,dmp1,dmq1,iqmp components were present,
+     otherwise bn_mod_exp was called. In the case of hardware keys for example
+     no private key components need be present and it might store extra data
+     in the RSA structure, which cannot be accessed from bn_mod_exp.
+     By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
+     private key operations.
+     [Steve Henson]
+
+  *) Added support for SPARC Linux.
+     [Andy Polyakov]
+
+  *) pem_password_cb function type incompatibly changed from
+          typedef int pem_password_cb(char *buf, int size, int rwflag);
+     to
+          ....(char *buf, int size, int rwflag, void *userdata);
+     so that applications can pass data to their callbacks:
+     The PEM[_ASN1]_{read,write}... functions and macros now take an
+     additional void * argument, which is just handed through whenever
+     the password callback is called.
+     [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller]
+
+     New function SSL_CTX_set_default_passwd_cb_userdata.
+
+     Compatibility note: As many C implementations push function arguments
+     onto the stack in reverse order, the new library version is likely to
+     interoperate with programs that have been compiled with the old
+     pem_password_cb definition (PEM_whatever takes some data that
+     happens to be on the stack as its last argument, and the callback
+     just ignores this garbage); but there is no guarantee whatsoever that
+     this will work.
+
+  *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
+     (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
+     problems not only on Windows, but also on some Unix platforms.
+     To avoid problematic command lines, these definitions are now in an
+     auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
+     for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
+     [Bodo Moeller]
+
+  *) MIPS III/IV assembler module is reimplemented.
+     [Andy Polyakov]
+
+  *) More DES library cleanups: remove references to srand/rand and
+     delete an unused file.
+     [Ulf Möller]
+
+  *) Add support for the the free Netwide assembler (NASM) under Win32,
+     since not many people have MASM (ml) and it can be hard to obtain.
+     This is currently experimental but it seems to work OK and pass all
+     the tests. Check out INSTALL.W32 for info.
+     [Steve Henson]
+
+  *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
+     without temporary keys kept an extra copy of the server key,
+     and connections with temporary keys did not free everything in case
+     of an error.
+     [Bodo Moeller]
+
+  *) New function RSA_check_key and new openssl rsa option -check
+     for verifying the consistency of RSA keys.
+     [Ulf Moeller, Bodo Moeller]
+
+  *) Various changes to make Win32 compile work: 
+     1. Casts to avoid "loss of data" warnings in p5_crpt2.c
+     2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
+        comparison" warnings.
+     3. Add sk_<TYPE>_sort to DEF file generator and do make update.
+     [Steve Henson]
+
+  *) Add a debugging option to PKCS#5 v2 key generation function: when
+     you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
+     derived keys are printed to stderr.
+     [Steve Henson]
+
+  *) Copy the flags in ASN1_STRING_dup().
+     [Roman E. Pavlov <pre@mo.msk.ru>]
+
+  *) The x509 application mishandled signing requests containing DSA
+     keys when the signing key was also DSA and the parameters didn't match.
+
+     It was supposed to omit the parameters when they matched the signing key:
+     the verifying software was then supposed to automatically use the CA's
+     parameters if they were absent from the end user certificate.
+
+     Omitting parameters is no longer recommended. The test was also
+     the wrong way round! This was probably due to unusual behaviour in
+     EVP_cmp_parameters() which returns 1 if the parameters match. 
+     This meant that parameters were omitted when they *didn't* match and
+     the certificate was useless. Certificates signed with 'ca' didn't have
+     this bug.
+     [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
+
+  *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
+     The interface is as follows:
+     Applications can use
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
+     "off" is now the default.
+     The library internally uses
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
+     to disable memory-checking temporarily.
+
+     Some inconsistent states that previously were possible (and were
+     even the default) are now avoided.
+
+     -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
+     with each memory chunk allocated; this is occasionally more helpful
+     than just having a counter.
+
+     -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
+
+     -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
+     extensions.
+     [Bodo Moeller]
+
+  *) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
+     which largely parallels "options", but is for changing API behaviour,
+     whereas "options" are about protocol behaviour.
+     Initial "mode" flags are:
+
+     SSL_MODE_ENABLE_PARTIAL_WRITE   Allow SSL_write to report success when
+                                     a single record has been written.
+     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
+                                     retries use the same buffer location.
+                                     (But all of the contents must be
+                                     copied!)
+     [Bodo Moeller]
+
+  *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode
+     worked.
+
+  *) Fix problems with no-hmac etc.
+     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
+
+  *) New functions RSA_get_default_method(), RSA_set_method() and
+     RSA_get_method(). These allows replacement of RSA_METHODs without having
+     to mess around with the internals of an RSA structure.
+     [Steve Henson]
+
+  *) Fix memory leaks in DSA_do_sign and DSA_is_prime.
+     Also really enable memory leak checks in openssl.c and in some
+     test programs.
+     [Chad C. Mulligan, Bodo Moeller]
+
+  *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
+     up the length of negative integers. This has now been simplified to just
+     store the length when it is first determined and use it later, rather
+     than trying to keep track of where data is copied and updating it to
+     point to the end.
+     [Steve Henson, reported by Brien Wheeler
+      <bwheeler@authentica-security.com>]
+
+  *) Add a new function PKCS7_signatureVerify. This allows the verification
+     of a PKCS#7 signature but with the signing certificate passed to the
+     function itself. This contrasts with PKCS7_dataVerify which assumes the
+     certificate is present in the PKCS#7 structure. This isn't always the
+     case: certificates can be omitted from a PKCS#7 structure and be
+     distributed by "out of band" means (such as a certificate database).
+     [Steve Henson]
+
+  *) Complete the PEM_* macros with DECLARE_PEM versions to replace the
+     function prototypes in pem.h, also change util/mkdef.pl to add the
+     necessary function names. 
+     [Steve Henson]
+
+  *) mk1mf.pl (used by Windows builds) did not properly read the
+     options set by Configure in the top level Makefile, and Configure
+     was not even able to write more than one option correctly.
+     Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
+     [Bodo Moeller]
+
+  *) New functions CONF_load_bio() and CONF_load_fp() to allow a config
+     file to be loaded from a BIO or FILE pointer. The BIO version will
+     for example allow memory BIOs to contain config info.
+     [Steve Henson]
+
+  *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
+     Whoever hopes to achieve shared-library compatibility across versions
+     must use this, not the compile-time macro.
+     (Exercise 0.9.4: Which is the minimum library version required by
+     such programs?)
+     Note: All this applies only to multi-threaded programs, others don't
+     need locks.
+     [Bodo Moeller]
+
+  *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
+     through a BIO pair triggered the default case, i.e.
+     SSLerr(...,SSL_R_UNKNOWN_STATE).
+     [Bodo Moeller]
+
+  *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
+     can use the SSL library even if none of the specific BIOs is
+     appropriate.
+     [Bodo Moeller]
+
+  *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
+     for the encoded length.
+     [Jeon KyoungHo <khjeon@sds.samsung.co.kr>]
+
+  *) Add initial documentation of the X509V3 functions.
+     [Steve Henson]
+
+  *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and 
+     PEM_write_bio_PKCS8PrivateKey() that are equivalent to
+     PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
+     secure PKCS#8 private key format with a high iteration count.
+     [Steve Henson]
+
+  *) Fix determination of Perl interpreter: A perl or perl5
+     _directory_ in $PATH was also accepted as the interpreter.
+     [Ralf S. Engelschall]
+
+  *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
+     wrong with it but it was very old and did things like calling
+     PEM_ASN1_read() directly and used MD5 for the hash not to mention some
+     unusual formatting.
+     [Steve Henson]
+
+  *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
+     to use the new extension code.
+     [Steve Henson]
+
+  *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
+     with macros. This should make it easier to change their form, add extra
+     arguments etc. Fix a few PEM prototypes which didn't have cipher as a
+     constant.
+     [Steve Henson]
+
+  *) Add to configuration table a new entry that can specify an alternative
+     name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
+     according to Mark Crispin <MRC@Panda.COM>.
+     [Bodo Moeller]
+
+#if 0
+  *) DES CBC did not update the IV. Weird.
+     [Ben Laurie]
+#else
+     des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
+     Changing the behaviour of the former might break existing programs --
+     where IV updating is needed, des_ncbc_encrypt can be used.
+#endif
+
+  *) When bntest is run from "make test" it drives bc to check its
+     calculations, as well as internally checking them. If an internal check
+     fails, it needs to cause bc to give a non-zero result or make test carries
+     on without noticing the failure. Fixed.
+     [Ben Laurie]
+
+  *) DES library cleanups.
+     [Ulf Möller]
+
+  *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
+     used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
+     ciphers. NOTE: although the key derivation function has been verified
+     against some published test vectors it has not been extensively tested
+     yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
+     of v2.0.
+     [Steve Henson]
+
+  *) Instead of "mkdir -p", which is not fully portable, use new
+     Perl script "util/mkdir-p.pl".
+     [Bodo Moeller]
+
+  *) Rewrite the way password based encryption (PBE) is handled. It used to
+     assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
+     structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
+     but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
+     the 'parameter' field of the AlgorithmIdentifier is passed to the
+     underlying key generation function so it must do its own ASN1 parsing.
+     This has also changed the EVP_PBE_CipherInit() function which now has a
+     'parameter' argument instead of literal salt and iteration count values
+     and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
+     [Steve Henson]
+
+  *) Support for PKCS#5 v1.5 compatible password based encryption algorithms
+     and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
+     Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
+     KEY" because this clashed with PKCS#8 unencrypted string. Since this
+     value was just used as a "magic string" and not used directly its
+     value doesn't matter.
+     [Steve Henson]
+
+  *) Introduce some semblance of const correctness to BN. Shame C doesn't
+     support mutable.
+     [Ben Laurie]
+
+  *) "linux-sparc64" configuration (ultrapenguin).
+     [Ray Miller <ray.miller@oucs.ox.ac.uk>]
+     "linux-sparc" configuration.
+     [Christian Forster <fo@hawo.stw.uni-erlangen.de>]
+
+  *) config now generates no-xxx options for missing ciphers.
+     [Ulf Möller]
+
+  *) Support the EBCDIC character set (work in progress).
+     File ebcdic.c not yet included because it has a different license.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+  *) Support BS2000/OSD-POSIX.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+  *) Make callbacks for key generation use void * instead of char *.
+     [Ben Laurie]
+
+  *) Make S/MIME samples compile (not yet tested).
+     [Ben Laurie]
+
+  *) Additional typesafe stacks.
+     [Ben Laurie]
+
+  *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
+     [Bodo Moeller]
+
+
+ Changes between 0.9.3 and 0.9.3a  [29 May 1999]
+
+  *) New configuration variant "sco5-gcc".
+
+  *) Updated some demos.
+     [Sean O Riordain, Wade Scholine]
+
+  *) Add missing BIO_free at exit of pkcs12 application.
+     [Wu Zhigang]
+
+  *) Fix memory leak in conf.c.
+     [Steve Henson]
+
+  *) Updates for Win32 to assembler version of MD5.
+     [Steve Henson]
+
+  *) Set #! path to perl in apps/der_chop to where we found it
+     instead of using a fixed path.
+     [Bodo Moeller]
+
+  *) SHA library changes for irix64-mips4-cc.
+     [Andy Polyakov]
+
+  *) Improvements for VMS support.
+     [Richard Levitte]
+
+
+ Changes between 0.9.2b and 0.9.3  [24 May 1999]
+
+  *) Bignum library bug fix. IRIX 6 passes "make test" now!
+     This also avoids the problems with SC4.2 and unpatched SC5.  
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) New functions sk_num, sk_value and sk_set to replace the previous macros.
+     These are required because of the typesafe stack would otherwise break 
+     existing code. If old code used a structure member which used to be STACK
+     and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
+     sk_num or sk_value it would produce an error because the num, data members
+     are not present in STACK_OF. Now it just produces a warning. sk_set
+     replaces the old method of assigning a value to sk_value
+     (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
+     that does this will no longer work (and should use sk_set instead) but
+     this could be regarded as a "questionable" behaviour anyway.
+     [Steve Henson]
+
+  *) Fix most of the other PKCS#7 bugs. The "experimental" code can now
+     correctly handle encrypted S/MIME data.
+     [Steve Henson]
+
+  *) Change type of various DES function arguments from des_cblock
+     (which means, in function argument declarations, pointer to char)
+     to des_cblock * (meaning pointer to array with 8 char elements),
+     which allows the compiler to do more typechecking; it was like
+     that back in SSLeay, but with lots of ugly casts.
+
+     Introduce new type const_des_cblock.
+     [Bodo Moeller]
+
+  *) Reorganise the PKCS#7 library and get rid of some of the more obvious
+     problems: find RecipientInfo structure that matches recipient certificate
+     and initialise the ASN1 structures properly based on passed cipher.
+     [Steve Henson]
+
+  *) Belatedly make the BN tests actually check the results.
+     [Ben Laurie]
+
+  *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
+     to and from BNs: it was completely broken. New compilation option
+     NEG_PUBKEY_BUG to allow for some broken certificates that encode public
+     key elements as negative integers.
+     [Steve Henson]
+
+  *) Reorganize and speed up MD5.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) VMS support.
+     [Richard Levitte <richard@levitte.org>]
+
+  *) New option -out to asn1parse to allow the parsed structure to be
+     output to a file. This is most useful when combined with the -strparse
+     option to examine the output of things like OCTET STRINGS.
+     [Steve Henson]
+
+  *) Make SSL library a little more fool-proof by not requiring any longer
+     that SSL_set_{accept,connect}_state be called before
+     SSL_{accept,connect} may be used (SSL_set_..._state is omitted
+     in many applications because usually everything *appeared* to work as
+     intended anyway -- now it really works as intended).
+     [Bodo Moeller]
+
+  *) Move openssl.cnf out of lib/.
+     [Ulf Möller]
+
+  *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
+     -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
+     -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ 
+     [Ralf S. Engelschall]
+
+  *) Various fixes to the EVP and PKCS#7 code. It may now be able to
+     handle PKCS#7 enveloped data properly.
+     [Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]
+
+  *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
+     copying pointers.  The cert_st handling is changed by this in
+     various ways (and thus what used to be known as ctx->default_cert
+     is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
+     any longer when s->cert does not give us what we need).
+     ssl_cert_instantiate becomes obsolete by this change.
+     As soon as we've got the new code right (possibly it already is?),
+     we have solved a couple of bugs of the earlier code where s->cert
+     was used as if it could not have been shared with other SSL structures.
+
+     Note that using the SSL API in certain dirty ways now will result
+     in different behaviour than observed with earlier library versions:
+     Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
+     does not influence s as it used to.
+     
+     In order to clean up things more thoroughly, inside SSL_SESSION
+     we don't use CERT any longer, but a new structure SESS_CERT
+     that holds per-session data (if available); currently, this is
+     the peer's certificate chain and, for clients, the server's certificate
+     and temporary key.  CERT holds only those values that can have
+     meaningful defaults in an SSL_CTX.
+     [Bodo Moeller]
+
+  *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
+     from the internal representation. Various PKCS#7 fixes: remove some
+     evil casts and set the enc_dig_alg field properly based on the signing
+     key type.
+     [Steve Henson]
+
+  *) Allow PKCS#12 password to be set from the command line or the
+     environment. Let 'ca' get its config file name from the environment
+     variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
+     and 'x509').
+     [Steve Henson]
+
+  *) Allow certificate policies extension to use an IA5STRING for the
+     organization field. This is contrary to the PKIX definition but
+     VeriSign uses it and IE5 only recognises this form. Document 'x509'
+     extension option.
+     [Steve Henson]
+
+  *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
+     without disallowing inline assembler and the like for non-pedantic builds.
+     [Ben Laurie]
+
+  *) Support Borland C++ builder.
+     [Janez Jere <jj@void.si>, modified by Ulf Möller]
+
+  *) Support Mingw32.
+     [Ulf Möller]
+
+  *) SHA-1 cleanups and performance enhancements.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Sparc v8plus assembler for the bignum library.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Accept any -xxx and +xxx compiler options in Configure.
+     [Ulf Möller]
+
+  *) Update HPUX configuration.
+     [Anonymous]
+  
+  *) Add missing sk_<type>_unshift() function to safestack.h
+     [Ralf S. Engelschall]
+
+  *) New function SSL_CTX_use_certificate_chain_file that sets the
+     "extra_cert"s in addition to the certificate.  (This makes sense
+     only for "PEM" format files, as chains as a whole are not
+     DER-encoded.)
+     [Bodo Moeller]
+
+  *) Support verify_depth from the SSL API.
+     x509_vfy.c had what can be considered an off-by-one-error:
+     Its depth (which was not part of the external interface)
+     was actually counting the number of certificates in a chain;
+     now it really counts the depth.
+     [Bodo Moeller]
+
+  *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
+     instead of X509err, which often resulted in confusing error
+     messages since the error codes are not globally unique
+     (e.g. an alleged error in ssl3_accept when a certificate
+     didn't match the private key).
+
+  *) New function SSL_CTX_set_session_id_context that allows to set a default
+     value (so that you don't need SSL_set_session_id_context for each
+     connection using the SSL_CTX).
+     [Bodo Moeller]
+
+  *) OAEP decoding bug fix.
+     [Ulf Möller]
+
+  *) Support INSTALL_PREFIX for package builders, as proposed by
+     David Harris.
+     [Bodo Moeller]
+
+  *) New Configure options "threads" and "no-threads".  For systems
+     where the proper compiler options are known (currently Solaris
+     and Linux), "threads" is the default.
+     [Bodo Moeller]
+
+  *) New script util/mklink.pl as a faster substitute for util/mklink.sh.
+     [Bodo Moeller]
+
+  *) Install various scripts to $(OPENSSLDIR)/misc, not to
+     $(INSTALLTOP)/bin -- they shouldn't clutter directories
+     such as /usr/local/bin.
+     [Bodo Moeller]
+
+  *) "make linux-shared" to build shared libraries.
+     [Niels Poppe <niels@netbox.org>]
+
+  *) New Configure option no-<cipher> (rsa, idea, rc5, ...).
+     [Ulf Möller]
+
+  *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
+     extension adding in x509 utility.
+     [Steve Henson]
+
+  *) Remove NOPROTO sections and error code comments.
+     [Ulf Möller]
+
+  *) Partial rewrite of the DEF file generator to now parse the ANSI
+     prototypes.
+     [Steve Henson]
+
+  *) New Configure options --prefix=DIR and --openssldir=DIR.
+     [Ulf Möller]
+
+  *) Complete rewrite of the error code script(s). It is all now handled
+     by one script at the top level which handles error code gathering,
+     header rewriting and C source file generation. It should be much better
+     than the old method: it now uses a modified version of Ulf's parser to
+     read the ANSI prototypes in all header files (thus the old K&R definitions
+     aren't needed for error creation any more) and do a better job of
+     translating function codes into names. The old 'ASN1 error code imbedded
+     in a comment' is no longer necessary and it doesn't use .err files which
+     have now been deleted. Also the error code call doesn't have to appear all
+     on one line (which resulted in some large lines...).
+     [Steve Henson]
+
+  *) Change #include filenames from <foo.h> to <openssl/foo.h>.
+     [Bodo Moeller]
+
+  *) Change behaviour of ssl2_read when facing length-0 packets: Don't return
+     0 (which usually indicates a closed connection), but continue reading.
+     [Bodo Moeller]
+
+  *) Fix some race conditions.
+     [Bodo Moeller]
+
+  *) Add support for CRL distribution points extension. Add Certificate
+     Policies and CRL distribution points documentation.
+     [Steve Henson]
+
+  *) Move the autogenerated header file parts to crypto/opensslconf.h.
+     [Ulf Möller]
+
+  *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
+     8 of keying material. Merlin has also confirmed interop with this fix
+     between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
+     [Merlin Hughes <merlin@baltimore.ie>]
+
+  *) Fix lots of warnings.
+     [Richard Levitte <levitte@stacken.kth.se>]
+ 
+  *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
+     the directory spec didn't end with a LIST_SEPARATOR_CHAR.
+     [Richard Levitte <levitte@stacken.kth.se>]
+ 
+  *) Fix problems with sizeof(long) == 8.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Change functions to ANSI C.
+     [Ulf Möller]
+
+  *) Fix typos in error codes.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
+
+  *) Remove defunct assembler files from Configure.
+     [Ulf Möller]
+
+  *) SPARC v8 assembler BIGNUM implementation.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Support for Certificate Policies extension: both print and set.
+     Various additions to support the r2i method this uses.
+     [Steve Henson]
+
+  *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
+     return a const string when you are expecting an allocated buffer.
+     [Ben Laurie]
+
+  *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
+     types DirectoryString and DisplayText.
+     [Steve Henson]
+
+  *) Add code to allow r2i extensions to access the configuration database,
+     add an LHASH database driver and add several ctx helper functions.
+     [Steve Henson]
+
+  *) Fix an evil bug in bn_expand2() which caused various BN functions to
+     fail when they extended the size of a BIGNUM.
+     [Steve Henson]
+
+  *) Various utility functions to handle SXNet extension. Modify mkdef.pl to
+     support typesafe stack.
+     [Steve Henson]
+
+  *) Fix typo in SSL_[gs]et_options().
+     [Nils Frostberg <nils@medcom.se>]
+
+  *) Delete various functions and files that belonged to the (now obsolete)
+     old X509V3 handling code.
+     [Steve Henson]
+
+  *) New Configure option "rsaref".
+     [Ulf Möller]
+
+  *) Don't auto-generate pem.h.
+     [Bodo Moeller]
+
+  *) Introduce type-safe ASN.1 SETs.
+     [Ben Laurie]
+
+  *) Convert various additional casted stacks to type-safe STACK_OF() variants.
+     [Ben Laurie, Ralf S. Engelschall, Steve Henson]
+
+  *) Introduce type-safe STACKs. This will almost certainly break lots of code
+     that links with OpenSSL (well at least cause lots of warnings), but fear
+     not: the conversion is trivial, and it eliminates loads of evil casts. A
+     few STACKed things have been converted already. Feel free to convert more.
+     In the fullness of time, I'll do away with the STACK type altogether.
+     [Ben Laurie]
+
+  *) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
+     specified in <certfile> by updating the entry in the index.txt file.
+     This way one no longer has to edit the index.txt file manually for
+     revoking a certificate. The -revoke option does the gory details now.
+     [Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]
+
+  *) Fix `openssl crl -noout -text' combination where `-noout' killed the
+     `-text' option at all and this way the `-noout -text' combination was
+     inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
+     [Ralf S. Engelschall]
+
+  *) Make sure a corresponding plain text error message exists for the
+     X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
+     verify callback function determined that a certificate was revoked.
+     [Ralf S. Engelschall]
+
+  *) Bugfix: In test/testenc, don't test "openssl <cipher>" for
+     ciphers that were excluded, e.g. by -DNO_IDEA.  Also, test
+     all available cipers including rc5, which was forgotten until now.
+     In order to let the testing shell script know which algorithms
+     are available, a new (up to now undocumented) command
+     "openssl list-cipher-commands" is used.
+     [Bodo Moeller]
+
+  *) Bugfix: s_client occasionally would sleep in select() when
+     it should have checked SSL_pending() first.
+     [Bodo Moeller]
+
+  *) New functions DSA_do_sign and DSA_do_verify to provide access to
+     the raw DSA values prior to ASN.1 encoding.
+     [Ulf Möller]
+
+  *) Tweaks to Configure
+     [Niels Poppe <niels@netbox.org>]
+
+  *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
+     yet...
+     [Steve Henson]
+
+  *) New variables $(RANLIB) and $(PERL) in the Makefiles.
+     [Ulf Möller]
+
+  *) New config option to avoid instructions that are illegal on the 80386.
+     The default code is faster, but requires at least a 486.
+     [Ulf Möller]
+  
+  *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
+     SSL2_SERVER_VERSION (not used at all) macros, which are now the
+     same as SSL2_VERSION anyway.
+     [Bodo Moeller]
+
+  *) New "-showcerts" option for s_client.
+     [Bodo Moeller]
+
+  *) Still more PKCS#12 integration. Add pkcs12 application to openssl
+     application. Various cleanups and fixes.
+     [Steve Henson]
+
+  *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
+     modify error routines to work internally. Add error codes and PBE init
+     to library startup routines.
+     [Steve Henson]
+
+  *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and
+     packing functions to asn1 and evp. Changed function names and error
+     codes along the way.
+     [Steve Henson]
+
+  *) PKCS12 integration: and so it begins... First of several patches to
+     slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
+     objects to objects.h
+     [Steve Henson]
+
+  *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1
+     and display support for Thawte strong extranet extension.
+     [Steve Henson]
+
+  *) Add LinuxPPC support.
+     [Jeff Dubrule <igor@pobox.org>]
+
+  *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
+     bn_div_words in alpha.s.
+     [Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie]
+
+  *) Make sure the RSA OAEP test is skipped under -DRSAref because
+     OAEP isn't supported when OpenSSL is built with RSAref.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h 
+     so they no longer are missing under -DNOPROTO. 
+     [Soren S. Jorvang <soren@t.dk>]
+
+
+ Changes between 0.9.1c and 0.9.2b  [22 Mar 1999]
+
+  *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
+     doesn't work when the session is reused. Coming soon!
+     [Ben Laurie]
+
+  *) Fix a security hole, that allows sessions to be reused in the wrong
+     context thus bypassing client cert protection! All software that uses
+     client certs and session caches in multiple contexts NEEDS PATCHING to
+     allow session reuse! A fuller solution is in the works.
+     [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
+
+  *) Some more source tree cleanups (removed obsolete files
+     crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
+     permission on "config" script to be executable) and a fix for the INSTALL
+     document.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Remove some legacy and erroneous uses of malloc, free instead of
+     Malloc, Free.
+     [Lennart Bang <lob@netstream.se>, with minor changes by Steve]
+
+  *) Make rsa_oaep_test return non-zero on error.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Add support for native Solaris shared libraries. Configure
+     solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
+     if someone would make that last step automatic.
+     [Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>]
+
+  *) ctx_size was not built with the right compiler during "make links". Fixed.
+     [Ben Laurie]
+
+  *) Change the meaning of 'ALL' in the cipher list. It now means "everything
+     except NULL ciphers". This means the default cipher list will no longer
+     enable NULL ciphers. They need to be specifically enabled e.g. with
+     the string "DEFAULT:eNULL".
+     [Steve Henson]
+
+  *) Fix to RSA private encryption routines: if p < q then it would
+     occasionally produce an invalid result. This will only happen with
+     externally generated keys because OpenSSL (and SSLeay) ensure p > q.
+     [Steve Henson]
+
+  *) Be less restrictive and allow also `perl util/perlpath.pl
+     /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
+     because this way one can also use an interpreter named `perl5' (which is
+     usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
+     installed as `perl').
+     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Let util/clean-depend.pl work also with older Perl 5.00x versions.
+     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
+     advapi32.lib to Win32 build and change the pem test comparision
+     to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
+     suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
+     and crypto/des/ede_cbcm_enc.c.
+     [Steve Henson]
+
+  *) DES quad checksum was broken on big-endian architectures. Fixed.
+     [Ben Laurie]
+
+  *) Comment out two functions in bio.h that aren't implemented. Fix up the
+     Win32 test batch file so it (might) work again. The Win32 test batch file
+     is horrible: I feel ill....
+     [Steve Henson]
+
+  *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
+     in e_os.h. Audit of header files to check ANSI and non ANSI
+     sections: 10 functions were absent from non ANSI section and not exported
+     from Windows DLLs. Fixed up libeay.num for new functions.
+     [Steve Henson]
+
+  *) Make `openssl version' output lines consistent.
+     [Ralf S. Engelschall]
+
+  *) Fix Win32 symbol export lists for BIO functions: Added
+     BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
+     to ms/libeay{16,32}.def.
+     [Ralf S. Engelschall]
+
+  *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
+     fine under Unix and passes some trivial tests I've now added. But the
+     whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
+     added to make sure no one expects that this stuff really works in the
+     OpenSSL 0.9.2 release.  Additionally I've started to clean the XS sources
+     up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
+     openssl_bio.xs.
+     [Ralf S. Engelschall]
+
+  *) Fix the generation of two part addresses in perl.
+     [Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie]
+
+  *) Add config entry for Linux on MIPS.
+     [John Tobey <jtobey@channel1.com>]
+
+  *) Make links whenever Configure is run, unless we are on Windoze.
+     [Ben Laurie]
+
+  *) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
+     Currently only issuerAltName and AuthorityKeyIdentifier make any sense
+     in CRLs.
+     [Steve Henson]
+
+  *) Add a useful kludge to allow package maintainers to specify compiler and
+     other platforms details on the command line without having to patch the
+     Configure script everytime: One now can use ``perl Configure
+     <id>:<details>'', i.e. platform ids are allowed to have details appended
+     to them (seperated by colons). This is treated as there would be a static
+     pre-configured entry in Configure's %table under key <id> with value
+     <details> and ``perl Configure <id>'' is called.  So, when you want to
+     perform a quick test-compile under FreeBSD 3.1 with pgcc and without
+     assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
+     now, which overrides the FreeBSD-elf entry on-the-fly.
+     [Ralf S. Engelschall]
+
+  *) Disable new TLS1 ciphersuites by default: they aren't official yet.
+     [Ben Laurie]
+
+  *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
+     on the `perl Configure ...' command line. This way one can compile
+     OpenSSL libraries with Position Independent Code (PIC) which is needed
+     for linking it into DSOs.
+     [Ralf S. Engelschall]
+
+  *) Remarkably, export ciphers were totally broken and no-one had noticed!
+     Fixed.
+     [Ben Laurie]
+
+  *) Cleaned up the LICENSE document: The official contact for any license
+     questions now is the OpenSSL core team under openssl-core@openssl.org.
+     And add a paragraph about the dual-license situation to make sure people
+     recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
+     to the OpenSSL toolkit.
+     [Ralf S. Engelschall]
+
+  *) General source tree makefile cleanups: Made `making xxx in yyy...'
+     display consistent in the source tree and replaced `/bin/rm' by `rm'.
+     Additonally cleaned up the `make links' target: Remove unnecessary
+     semicolons, subsequent redundant removes, inline point.sh into mklink.sh
+     to speed processing and no longer clutter the display with confusing
+     stuff. Instead only the actually done links are displayed.
+     [Ralf S. Engelschall]
+
+  *) Permit null encryption ciphersuites, used for authentication only. It used
+     to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
+     It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
+     encryption.
+     [Ben Laurie]
+
+  *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
+     signed attributes when verifying signatures (this would break them), 
+     the detached data encoding was wrong and public keys obtained using
+     X509_get_pubkey() weren't freed.
+     [Steve Henson]
+
+  *) Add text documentation for the BUFFER functions. Also added a work around
+     to a Win95 console bug. This was triggered by the password read stuff: the
+     last character typed gets carried over to the next fread(). If you were 
+     generating a new cert request using 'req' for example then the last
+     character of the passphrase would be CR which would then enter the first
+     field as blank.
+     [Steve Henson]
+
+  *) Added the new `Includes OpenSSL Cryptography Software' button as
+     doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
+     button and can be used by applications based on OpenSSL to show the
+     relationship to the OpenSSL project.  
+     [Ralf S. Engelschall]
+
+  *) Remove confusing variables in function signatures in files
+     ssl/ssl_lib.c and ssl/ssl.h.
+     [Lennart Bong <lob@kulthea.stacken.kth.se>]
+
+  *) Don't install bss_file.c under PREFIX/include/
+     [Lennart Bong <lob@kulthea.stacken.kth.se>]
+
+  *) Get the Win32 compile working again. Modify mkdef.pl so it can handle
+     functions that return function pointers and has support for NT specific
+     stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
+     #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
+     unsigned to signed types: this was killing the Win32 compile.
+     [Steve Henson]
+
+  *) Add new certificate file to stack functions,
+     SSL_add_dir_cert_subjects_to_stack() and
+     SSL_add_file_cert_subjects_to_stack().  These largely supplant
+     SSL_load_client_CA_file(), and can be used to add multiple certs easily
+     to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
+     This means that Apache-SSL and similar packages don't have to mess around
+     to add as many CAs as they want to the preferred list.
+     [Ben Laurie]
+
+  *) Experiment with doxygen documentation. Currently only partially applied to
+     ssl/ssl_lib.c.
+     See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
+     openssl.doxy as the configuration file.
+     [Ben Laurie]
+  
+  *) Get rid of remaining C++-style comments which strict C compilers hate.
+     [Ralf S. Engelschall, pointed out by Carlos Amengual]
+
+  *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
+     compiled in by default: it has problems with large keys.
+     [Steve Henson]
+
+  *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
+     DH private keys and/or callback functions which directly correspond to
+     their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
+     is needed for applications which have to configure certificates on a
+     per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
+     (e.g. s_server). 
+        For the RSA certificate situation is makes no difference, but
+     for the DSA certificate situation this fixes the "no shared cipher"
+     problem where the OpenSSL cipher selection procedure failed because the
+     temporary keys were not overtaken from the context and the API provided
+     no way to reconfigure them. 
+        The new functions now let applications reconfigure the stuff and they
+     are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
+     SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
+     non-public-API function ssl_cert_instantiate() is used as a helper
+     function and also to reduce code redundancy inside ssl_rsa.c.
+     [Ralf S. Engelschall]
+
+  *) Move s_server -dcert and -dkey options out of the undocumented feature
+     area because they are useful for the DSA situation and should be
+     recognized by the users.
+     [Ralf S. Engelschall]
+
+  *) Fix the cipher decision scheme for export ciphers: the export bits are
+     *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
+     SSL_EXP_MASK.  So, the original variable has to be used instead of the
+     already masked variable.
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
+     from `int' to `unsigned int' because it's a length and initialized by
+     EVP_DigestFinal() which expects an `unsigned int *'.
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Don't hard-code path to Perl interpreter on shebang line of Configure
+     script. Instead use the usual Shell->Perl transition trick.
+     [Ralf S. Engelschall]
+
+  *) Make `openssl x509 -noout -modulus' functional also for DSA certificates
+     (in addition to RSA certificates) to match the behaviour of `openssl dsa
+     -noout -modulus' as it's already the case for `openssl rsa -noout
+     -modulus'.  For RSA the -modulus is the real "modulus" while for DSA
+     currently the public key is printed (a decision which was already done by
+     `openssl dsa -modulus' in the past) which serves a similar purpose.
+     Additionally the NO_RSA no longer completely removes the whole -modulus
+     option; it now only avoids using the RSA stuff. Same applies to NO_DSA
+     now, too.
+     [Ralf S.  Engelschall]
+
+  *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
+     BIO. See the source (crypto/evp/bio_ok.c) for more info.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) Dump the old yucky req code that tried (and failed) to allow raw OIDs
+     to be added. Now both 'req' and 'ca' can use new objects defined in the
+     config file.
+     [Steve Henson]
+
+  *) Add cool BIO that does syslog (or event log on NT).
+     [Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie]
+
+  *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
+     TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
+     TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
+     Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
+     [Ben Laurie]
+
+  *) Add preliminary config info for new extension code.
+     [Steve Henson]
+
+  *) Make RSA_NO_PADDING really use no padding.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Generate errors when private/public key check is done.
+     [Ben Laurie]
+
+  *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
+     for some CRL extensions and new objects added.
+     [Steve Henson]
+
+  *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private
+     key usage extension and fuller support for authority key id.
+     [Steve Henson]
+
+  *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
+     padding method for RSA, which is recommended for new applications in PKCS
+     #1 v2.0 (RFC 2437, October 1998).
+     OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
+     foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
+     against Bleichbacher's attack on RSA.
+     [Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
+      Ben Laurie]
+
+  *) Updates to the new SSL compression code
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Fix so that the version number in the master secret, when passed
+     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
+     (because the server will not accept higher), that the version number
+     is 0x03,0x01, not 0x03,0x00
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
+     leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
+     in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
+     [Steve Henson]
+
+  *) Support for RAW extensions where an arbitrary extension can be
+     created by including its DER encoding. See apps/openssl.cnf for
+     an example.
+     [Steve Henson]
+
+  *) Make sure latest Perl versions don't interpret some generated C array
+     code as Perl array code in the crypto/err/err_genc.pl script.
+     [Lars Weber <3weber@informatik.uni-hamburg.de>]
+
+  *) Modify ms/do_ms.bat to not generate assembly language makefiles since
+     not many people have the assembler. Various Win32 compilation fixes and
+     update to the INSTALL.W32 file with (hopefully) more accurate Win32
+     build instructions.
+     [Steve Henson]
+
+  *) Modify configure script 'Configure' to automatically create crypto/date.h
+     file under Win32 and also build pem.h from pem.org. New script
+     util/mkfiles.pl to create the MINFO file on environments that can't do a
+     'make files': perl util/mkfiles.pl >MINFO should work.
+     [Steve Henson]
+
+  *) Major rework of DES function declarations, in the pursuit of correctness
+     and purity. As a result, many evil casts evaporated, and some weirdness,
+     too. You may find this causes warnings in your code. Zapping your evil
+     casts will probably fix them. Mostly.
+     [Ben Laurie]
+
+  *) Fix for a typo in asn1.h. Bug fix to object creation script
+     obj_dat.pl. It considered a zero in an object definition to mean
+     "end of object": none of the objects in objects.h have any zeros
+     so it wasn't spotted.
+     [Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>]
+
+  *) Add support for Triple DES Cipher Block Chaining with Output Feedback
+     Masking (CBCM). In the absence of test vectors, the best I have been able
+     to do is check that the decrypt undoes the encrypt, so far. Send me test
+     vectors if you have them.
+     [Ben Laurie]
+
+  *) Correct calculation of key length for export ciphers (too much space was
+     allocated for null ciphers). This has not been tested!
+     [Ben Laurie]
+
+  *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage
+     message is now correct (it understands "crypto" and "ssl" on its
+     command line). There is also now an "update" option. This will update
+     the util/ssleay.num and util/libeay.num files with any new functions.
+     If you do a: 
+     perl util/mkdef.pl crypto ssl update
+     it will update them.
+     [Steve Henson]
+
+  *) Overhauled the Perl interface (perl/*):
+     - ported BN stuff to OpenSSL's different BN library
+     - made the perl/ source tree CVS-aware
+     - renamed the package from SSLeay to OpenSSL (the files still contain
+       their history because I've copied them in the repository)
+     - removed obsolete files (the test scripts will be replaced
+       by better Test::Harness variants in the future)
+     [Ralf S. Engelschall]
+
+  *) First cut for a very conservative source tree cleanup:
+     1. merge various obsolete readme texts into doc/ssleay.txt
+     where we collect the old documents and readme texts.
+     2. remove the first part of files where I'm already sure that we no
+     longer need them because of three reasons: either they are just temporary
+     files which were left by Eric or they are preserved original files where
+     I've verified that the diff is also available in the CVS via "cvs diff
+     -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
+     the crypto/md/ stuff).
+     [Ralf S. Engelschall]
+
+  *) More extension code. Incomplete support for subject and issuer alt
+     name, issuer and authority key id. Change the i2v function parameters
+     and add an extra 'crl' parameter in the X509V3_CTX structure: guess
+     what that's for :-) Fix to ASN1 macro which messed up
+     IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
+     [Steve Henson]
+
+  *) Preliminary support for ENUMERATED type. This is largely copied from the
+     INTEGER code.
+     [Steve Henson]
+
+  *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Make sure `make rehash' target really finds the `openssl' program.
+     [Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
+     like to hear about it if this slows down other processors.
+     [Ben Laurie]
+
+  *) Add CygWin32 platform information to Configure script.
+     [Alan Batie <batie@aahz.jf.intel.com>]
+
+  *) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
+     [Rainer W. Gerling <gerling@mpg-gv.mpg.de>]
+  
+  *) New program nseq to manipulate netscape certificate sequences
+     [Steve Henson]
+
+  *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
+     few typos.
+     [Steve Henson]
+
+  *) Fixes to BN code.  Previously the default was to define BN_RECURSION
+     but the BN code had some problems that would cause failures when
+     doing certificate verification and some other functions.
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Add ASN1 and PEM code to support netscape certificate sequences.
+     [Steve Henson]
+
+  *) Add ASN1 and PEM code to support netscape certificate sequences.
+     [Steve Henson]
+
+  *) Add several PKIX and private extended key usage OIDs.
+     [Steve Henson]
+
+  *) Modify the 'ca' program to handle the new extension code. Modify
+     openssl.cnf for new extension format, add comments.
+     [Steve Henson]
+
+  *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
+     and add a sample to openssl.cnf so req -x509 now adds appropriate
+     CA extensions.
+     [Steve Henson]
+
+  *) Continued X509 V3 changes. Add to other makefiles, integrate with the
+     error code, add initial support to X509_print() and x509 application.
+     [Steve Henson]
+
+  *) Takes a deep breath and start addding X509 V3 extension support code. Add
+     files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
+     stuff is currently isolated and isn't even compiled yet.
+     [Steve Henson]
+
+  *) Continuing patches for GeneralizedTime. Fix up certificate and CRL
+     ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
+     Removed the versions check from X509 routines when loading extensions:
+     this allows certain broken certificates that don't set the version
+     properly to be processed.
+     [Steve Henson]
+
+  *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
+     Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
+     can still be regenerated with "make depend".
+     [Ben Laurie]
+
+  *) Spelling mistake in C version of CAST-128.
+     [Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]
+
+  *) Changes to the error generation code. The perl script err-code.pl 
+     now reads in the old error codes and retains the old numbers, only
+     adding new ones if necessary. It also only changes the .err files if new
+     codes are added. The makefiles have been modified to only insert errors
+     when needed (to avoid needlessly modifying header files). This is done
+     by only inserting errors if the .err file is newer than the auto generated
+     C file. To rebuild all the error codes from scratch (the old behaviour)
+     either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
+     or delete all the .err files.
+     [Steve Henson]
+
+  *) CAST-128 was incorrectly implemented for short keys. The C version has
+     been fixed, but is untested. The assembler versions are also fixed, but
+     new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
+     to regenerate it if needed.
+     [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
+      Hagino <itojun@kame.net>]
+
+  *) File was opened incorrectly in randfile.c.
+     [Ulf Möller <ulf@fitug.de>]
+
+  *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
+     functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
+     GeneralizedTime. ASN1_TIME is the proper type used in certificates et
+     al: it's just almost always a UTCTime. Note this patch adds new error
+     codes so do a "make errors" if there are problems.
+     [Steve Henson]
+
+  *) Correct Linux 1 recognition in config.
+     [Ulf Möller <ulf@fitug.de>]
+
+  *) Remove pointless MD5 hash when using DSA keys in ca.
+     [Anonymous <nobody@replay.com>]
+
+  *) Generate an error if given an empty string as a cert directory. Also
+     generate an error if handed NULL (previously returned 0 to indicate an
+     error, but didn't set one).
+     [Ben Laurie, reported by Anonymous <nobody@replay.com>]
+
+  *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
+     [Ben Laurie]
+
+  *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
+     parameters. This was causing a warning which killed off the Win32 compile.
+     [Steve Henson]
+
+  *) Remove C++ style comments from crypto/bn/bn_local.h.
+     [Neil Costigan <neil.costigan@celocom.com>]
+
+  *) The function OBJ_txt2nid was broken. It was supposed to return a nid
+     based on a text string, looking up short and long names and finally
+     "dot" format. The "dot" format stuff didn't work. Added new function
+     OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote 
+     OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
+     OID is not part of the table.
+     [Steve Henson]
+
+  *) Add prototypes to X509 lookup/verify methods, fixing a bug in
+     X509_LOOKUP_by_alias().
+     [Ben Laurie]
+
+  *) Sort openssl functions by name.
+     [Ben Laurie]
+
+  *) Get the gendsa program working (hopefully) and add it to app list. Remove
+     encryption from sample DSA keys (in case anyone is interested the password
+     was "1234").
+     [Steve Henson]
+
+  *) Make _all_ *_free functions accept a NULL pointer.
+     [Frans Heymans <fheymans@isaserver.be>]
+
+  *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use
+     NULL pointers.
+     [Anonymous <nobody@replay.com>]
+
+  *) s_server should send the CAfile as acceptable CAs, not its own cert.
+     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
+
+  *) Don't blow it for numeric -newkey arguments to apps/req.
+     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
+
+  *) Temp key "for export" tests were wrong in s3_srvr.c.
+     [Anonymous <nobody@replay.com>]
+
+  *) Add prototype for temp key callback functions
+     SSL_CTX_set_tmp_{rsa,dh}_callback().
+     [Ben Laurie]
+
+  *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
+     DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
+     [Steve Henson]
+
+  *) X509_name_add_entry() freed the wrong thing after an error.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) rsa_eay.c would attempt to free a NULL context.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) BIO_s_socket() had a broken should_retry() on Windoze.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) Make sure the already existing X509_STORE->depth variable is initialized
+     in X509_STORE_new(), but document the fact that this variable is still
+     unused in the certificate verification process.
+     [Ralf S. Engelschall]
+
+  *) Fix the various library and apps files to free up pkeys obtained from
+     X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
+     [Steve Henson]
+
+  *) Fix reference counting in X509_PUBKEY_get(). This makes
+     demos/maurice/example2.c work, amongst others, probably.
+     [Steve Henson and Ben Laurie]
+
+  *) First cut of a cleanup for apps/. First the `ssleay' program is now named
+     `openssl' and second, the shortcut symlinks for the `openssl <command>'
+     are no longer created. This way we have a single and consistent command
+     line interface `openssl <command>', similar to `cvs <command>'.
+     [Ralf S. Engelschall, Paul Sutton and Ben Laurie]
+
+  *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
+     BIT STRING wrapper always have zero unused bits.
+     [Steve Henson]
+
+  *) Add CA.pl, perl version of CA.sh, add extended key usage OID.
+     [Steve Henson]
+
+  *) Make the top-level INSTALL documentation easier to understand.
+     [Paul Sutton]
+
+  *) Makefiles updated to exit if an error occurs in a sub-directory
+     make (including if user presses ^C) [Paul Sutton]
+
+  *) Make Montgomery context stuff explicit in RSA data structure.
+     [Ben Laurie]
+
+  *) Fix build order of pem and err to allow for generated pem.h.
+     [Ben Laurie]
+
+  *) Fix renumbering bug in X509_NAME_delete_entry().
+     [Ben Laurie]
+
+  *) Enhanced the err-ins.pl script so it makes the error library number 
+     global and can add a library name. This is needed for external ASN1 and
+     other error libraries.
+     [Steve Henson]
+
+  *) Fixed sk_insert which never worked properly.
+     [Steve Henson]
+
+  *) Fix ASN1 macros so they can handle indefinite length construted 
+     EXPLICIT tags. Some non standard certificates use these: they can now
+     be read in.
+     [Steve Henson]
+
+  *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
+     into a single doc/ssleay.txt bundle. This way the information is still
+     preserved but no longer messes up this directory. Now it's new room for
+     the new set of documenation files.
+     [Ralf S. Engelschall]
+
+  *) SETs were incorrectly DER encoded. This was a major pain, because they
+     shared code with SEQUENCEs, which aren't coded the same. This means that
+     almost everything to do with SETs or SEQUENCEs has either changed name or
+     number of arguments.
+     [Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>]
+
+  *) Fix test data to work with the above.
+     [Ben Laurie]
+
+  *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
+     was already fixed by Eric for 0.9.1 it seems.
+     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
+
+  *) Autodetect FreeBSD3.
+     [Ben Laurie]
+
+  *) Fix various bugs in Configure. This affects the following platforms:
+     nextstep
+     ncr-scde
+     unixware-2.0
+     unixware-2.0-pentium
+     sco5-cc.
+     [Ben Laurie]
+
+  *) Eliminate generated files from CVS. Reorder tests to regenerate files
+     before they are needed.
+     [Ben Laurie]
+
+  *) Generate Makefile.ssl from Makefile.org (to keep CVS happy).
+     [Ben Laurie]
+
+
+ Changes between 0.9.1b and 0.9.1c  [23-Dec-1998]
+
+  *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and 
+     changed SSLeay to OpenSSL in version strings.
+     [Ralf S. Engelschall]
+  
+  *) Some fixups to the top-level documents.
+     [Paul Sutton]
+
+  *) Fixed the nasty bug where rsaref.h was not found under compile-time
+     because the symlink to include/ was missing.
+     [Ralf S. Engelschall]
+
+  *) Incorporated the popular no-RSA/DSA-only patches 
+     which allow to compile a RSA-free SSLeay.
+     [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall]
+
+  *) Fixed nasty rehash problem under `make -f Makefile.ssl links'
+     when "ssleay" is still not found.
+     [Ralf S. Engelschall]
+
+  *) Added more platforms to Configure: Cray T3E, HPUX 11, 
+     [Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]
+
+  *) Updated the README file.
+     [Ralf S. Engelschall]
+
+  *) Added various .cvsignore files in the CVS repository subdirs
+     to make a "cvs update" really silent.
+     [Ralf S. Engelschall]
+
+  *) Recompiled the error-definition header files and added
+     missing symbols to the Win32 linker tables.
+     [Ralf S. Engelschall]
+
+  *) Cleaned up the top-level documents;
+     o new files: CHANGES and LICENSE
+     o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay 
+     o merged COPYRIGHT into LICENSE
+     o removed obsolete TODO file
+     o renamed MICROSOFT to INSTALL.W32
+     [Ralf S. Engelschall]
+
+  *) Removed dummy files from the 0.9.1b source tree: 
+     crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
+     crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
+     crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
+     crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
+     util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
+     [Ralf S. Engelschall]
+
+  *) Added various platform portability fixes.
+     [Mark J. Cox]
+
+  *) The Genesis of the OpenSSL rpject:
+     We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
+     Young and Tim J. Hudson created while they were working for C2Net until
+     summer 1998.
+     [The OpenSSL Project]
+ 
+
+ Changes between 0.9.0b and 0.9.1b  [not released]
+
+  *) Updated a few CA certificates under certs/
+     [Eric A. Young]
+
+  *) Changed some BIGNUM api stuff.
+     [Eric A. Young]
+
+  *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, 
+     DGUX x86, Linux Alpha, etc.
+     [Eric A. Young]
+
+  *) New COMP library [crypto/comp/] for SSL Record Layer Compression: 
+     RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
+     available).
+     [Eric A. Young]
+
+  *) Add -strparse option to asn1pars program which parses nested 
+     binary structures 
+     [Dr Stephen Henson <shenson@bigfoot.com>]
+
+  *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
+     [Eric A. Young]
+
+  *) DSA fix for "ca" program.
+     [Eric A. Young]
+
+  *) Added "-genkey" option to "dsaparam" program.
+     [Eric A. Young]
+
+  *) Added RIPE MD160 (rmd160) message digest.
+     [Eric A. Young]
+
+  *) Added -a (all) option to "ssleay version" command.
+     [Eric A. Young]
+
+  *) Added PLATFORM define which is the id given to Configure.
+     [Eric A. Young]
+
+  *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
+     [Eric A. Young]
+
+  *) Extended the ASN.1 parser routines.
+     [Eric A. Young]
+
+  *) Extended BIO routines to support REUSEADDR, seek, tell, etc.
+     [Eric A. Young]
+
+  *) Added a BN_CTX to the BN library.
+     [Eric A. Young]
+
+  *) Fixed the weak key values in DES library
+     [Eric A. Young]
+
+  *) Changed API in EVP library for cipher aliases.
+     [Eric A. Young]
+
+  *) Added support for RC2/64bit cipher.
+     [Eric A. Young]
+
+  *) Converted the lhash library to the crypto/mem.c functions.
+     [Eric A. Young]
+
+  *) Added more recognized ASN.1 object ids.
+     [Eric A. Young]
+
+  *) Added more RSA padding checks for SSL/TLS.
+     [Eric A. Young]
+
+  *) Added BIO proxy/filter functionality.
+     [Eric A. Young]
+
+  *) Added extra_certs to SSL_CTX which can be used
+     send extra CA certificates to the client in the CA cert chain sending
+     process. It can be configured with SSL_CTX_add_extra_chain_cert().
+     [Eric A. Young]
+
+  *) Now Fortezza is denied in the authentication phase because
+     this is key exchange mechanism is not supported by SSLeay at all.
+     [Eric A. Young]
+
+  *) Additional PKCS1 checks.
+     [Eric A. Young]
+
+  *) Support the string "TLSv1" for all TLS v1 ciphers.
+     [Eric A. Young]
+
+  *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
+     ex_data index of the SSL context in the X509_STORE_CTX ex_data.
+     [Eric A. Young]
+
+  *) Fixed a few memory leaks.
+     [Eric A. Young]
+
+  *) Fixed various code and comment typos.
+     [Eric A. Young]
+
+  *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 
+     bytes sent in the client random.
+     [Edward Bishop <ebishop@spyglass.com>]
+
diff --git a/crypto/openssl/CHANGES.SSLeay b/crypto/openssl/CHANGES.SSLeay
new file mode 100644
index 0000000..dbb80b0
--- /dev/null
+++ b/crypto/openssl/CHANGES.SSLeay
@@ -0,0 +1,968 @@
+This file contains the changes for the SSLeay library up to version
+0.9.0b. For later changes, see the file "CHANGES".
+
+  SSLeay CHANGES
+  ______________
+
+Changes between 0.8.x and 0.9.0b
+
+10-Apr-1998
+
+I said the next version would go out at easter, and so it shall.
+I expect a 0.9.1 will follow with portability fixes in the next few weeks.
+
+This is a quick, meet the deadline.  Look to ssl-users for comments on what
+is new etc.
+
+eric (about to go bushwalking for the 4 day easter break :-)
+
+16-Mar-98
+    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
+    - Lots and lots of changes
+
+29-Jan-98
+    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
+      Goetz Babin-Ebell <babinebell@trustcenter.de>.
+    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
+      TLS1_VERSION.
+
+7-Jan-98
+    - Finally reworked the cipher string to ciphers again, so it
+      works correctly
+    - All the app_data stuff is now ex_data with funcion calls to access.
+      The index is supplied by a function and 'methods' can be setup
+      for the types that are called on XXX_new/XXX_free.  This lets
+      applications get notified on creation and destruction.  Some of
+      the RSA methods could be implemented this way and I may do so.
+    - Oh yes, SSL under perl5 is working at the basic level.
+
+15-Dec-97
+    - Warning - the gethostbyname cache is not fully thread safe,
+      but it should work well enough.
+    - Major internal reworking of the app_data stuff.  More functions
+      but if you were accessing ->app_data directly, things will
+      stop working.
+    - The perlv5 stuff is working.  Currently on message digests,
+      ciphers and the bignum library.
+
+9-Dec-97
+    - Modified re-negotiation so that server initated re-neg
+      will cause a SSL_read() to return -1 should retry.
+      The danger otherwise was that the server and the
+      client could end up both trying to read when using non-blocking
+      sockets.
+
+4-Dec-97
+    - Lots of small changes
+    - Fix for binaray mode in Windows for the FILE BIO, thanks to
+      Bob Denny <rdenny@dc3.com>
+
+17-Nov-97
+    - Quite a few internal cleanups, (removal of errno, and using macros
+      defined in e_os.h).
+    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
+      the automactic naming out output files was being stuffed up.
+
+29-Oct-97
+    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
+      for x86.
+
+21-Oct-97
+    - Fixed a bug in the BIO_gethostbyname() cache.
+
+15-Oct-97
+    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
+      has also been improved.  At this point in time, on the pentium,
+      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
+      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
+      is %62 faster.
+
+12-Oct-97
+    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
+      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
+      way to set the length value correctly.
+
+10-Oct-97
+    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
+      This breaks things again :-(.  This is efficent since I cache
+      the DER encoding of the RDN.
+    - The text DN now puts in the numeric OID instead of UNKNOWN.
+    - req can now process arbitary OIDs in the config file.
+    - I've been implementing md5 in x86 asm, much faster :-).
+    - Started sha1 in x86 asm, needs more work.
+    - Quite a few speedups in the BN stuff.  RSA public operation
+      has been made faster by caching the BN_MONT_CTX structure.
+      The calulating of the Ai where A*Ai === 1 mod m was rather
+      expensive.  Basically a 40-50% speedup on public operations.
+      The RSA speedup is now 15% on pentiums and %20 on pentium
+      pro.
+
+30-Sep-97
+    - After doing some profiling, I added x86 adm for bn_add_words(),
+      which just adds 2 arrays of longs together.  A %10 speedup
+      for 512 and 1024 bit RSA on the pentium pro.
+
+29-Sep-97
+    - Converted the x86 bignum assembler to us the perl scripts
+      for generation.
+
+23-Sep-97
+    - If SSL_set_session() is passed a NULL session, it now clears the
+      current session-id.
+
+22-Sep-97
+    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
+      certificates.
+    - Bug in crypto/evp/encode.c where by decoding of 65 base64
+      encoded lines, one line at a time (via a memory BIO) would report
+      EOF after the first line was decoded.
+    - Fix in X509_find_by_issuer_and_serial() from
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+19-Sep-97
+    - NO_FP_API and NO_STDIO added.
+    - Put in sh config command.  It auto runs Configure with the correct
+      parameters.
+
+18-Sep-97
+    - Fix x509.c so if a DSA cert has different parameters to its parent,
+      they are left in place.  Not tested yet.
+
+16-Sep-97
+    - ssl_create_cipher_list() had some bugs, fixes from
+      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
+    - Fixed a bug in the Base64 BIO, where it would return 1 instead
+      of -1 when end of input was encountered but should retry.
+      Basically a Base64/Memory BIO interaction problem.
+    - Added a HMAC set of functions in preporarion for TLS work.
+
+15-Sep-97
+    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
+    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
+      by using montgomery multiplication in the prime number test.
+
+11-Sep-97
+    - Ugly bug in ssl3_write_bytes().  Basically if application land
+      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
+      did not check the size and tried to copy the entire buffer.
+      This would tend to cause memory overwrites since SSLv3 has
+      a maximum packet size of 16k.  If your program uses
+      buffers <= 16k, you would probably never see this problem.
+    - Fixed a new errors that were cause by malloc() not returning
+      0 initialised memory..
+    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
+      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
+      since this flags stops SSLeay being able to handle client
+      cert requests correctly.
+
+08-Sep-97
+    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
+      on, the SSL server routines will not use a SSL_SESSION that is
+      held in it's cache.  This in intended to be used with the session-id
+      callbacks so that while the session-ids are still stored in the
+      cache, the decision to use them and how to look them up can be
+      done by the callbacks.  The are the 'new', 'get' and 'remove'
+      callbacks.  This can be used to determine the session-id
+      to use depending on information like which port/host the connection
+      is coming from.  Since the are also SSL_SESSION_set_app_data() and
+      SSL_SESSION_get_app_data() functions, the application can hold
+      information against the session-id as well.
+
+03-Sep-97
+    - Added lookup of CRLs to the by_dir method,
+      X509_load_crl_file() also added.  Basically it means you can
+      lookup CRLs via the same system used to lookup certificates.
+    - Changed things so that the X509_NAME structure can contain
+      ASN.1 BIT_STRINGS which is required for the unique
+      identifier OID.
+    - Fixed some problems with the auto flushing of the session-id
+      cache.  It was not occuring on the server side.
+
+02-Sep-97
+    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
+      which is the maximum number of entries allowed in the
+      session-id cache.  This is enforced with a simple FIFO list.
+      The default size is 20*1024 entries which is rather large :-).
+      The Timeout code is still always operating.
+
+01-Sep-97
+    - Added an argument to all the 'generate private key/prime`
+      callbacks.  It is the last parameter so this should not
+      break existing code but it is needed for C++.
+    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
+      BIO.  This lets the BIO read and write base64 encoded data
+      without inserting or looking for '\n' characters.  The '-A'
+      flag turns this on when using apps/enc.c.
+    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
+      very dangerous thing to use, since RSA private key
+      operations without random padding bytes (as PKCS#1 adds) can
+      be attacked such that the private key can be revealed.
+    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+31-Aug-97 (stuff added while I was away)    
+    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
+    - RSA_flags() added allowing bypass of pub/priv match check
+      in ssl/ssl_rsa.c - Tim Hudson.
+    - A few minor bugs.
+
+SSLeay 0.8.1 released.
+
+19-Jul-97
+    - Server side initated dynamic renegotiation is broken.  I will fix
+      it when I get back from holidays.
+
+15-Jul-97
+    - Quite a few small changes.
+    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
+
+09-Jul-97
+    - Added 2 new values to the SSL info callback.
+      SSL_CB_START which is passed when the SSL protocol is started
+      and SSL_CB_DONE when it has finished sucsessfully.
+
+08-Jul-97
+    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
+      that related to DSA public/private keys.
+    - Added all the relevent PEM and normal IO functions to support
+      reading and writing RSAPublic keys.
+    - Changed makefiles to use ${AR} instead of 'ar r'
+
+07-Jul-97
+    - Error in ERR_remove_state() that would leave a dangling reference
+      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
+    - s_client now prints the X509_NAMEs passed from the server
+      when requesting a client cert.
+    - Added a ssl->type, which is one of SSL_ST_CONNECT or
+      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
+      a connect or an accept after the handshake had finished.
+    - SSL_get_client_CA_list(SSL *s) now returns the CA names
+      passed by the server if called by a client side SSL.
+
+05-Jul-97
+    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
+      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
+
+04-Jul-97
+    - Fixed some things in X509_NAME_add_entry(), thanks to
+      Matthew Donald <matthew@world.net>.
+    - I had a look at the cipher section and though that it was a
+      bit confused, so I've changed it.
+    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
+      a MS special that appears in exported MS Money.
+    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
+      spec.  I was missing the two byte length header for the
+      ClientDiffieHellmanPublic value.  This is a packet sent from
+      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+      option will enable SSLeay server side SSLv3 accept either
+      the correct or my 080 packet format.
+    - Fixed a few typos in crypto/pem.org.
+
+02-Jul-97
+    - Alias mapping for EVP_get_(digest|cipher)byname is now
+      performed before a lookup for actual cipher.  This means
+      that an alias can be used to 're-direct' a cipher or a
+      digest.
+    - ASN1_read_bio() had a bug that only showed up when using a
+      memory BIO.  When EOF is reached in the memory BIO, it is
+      reported as a -1 with BIO_should_retry() set to true.
+
+01-Jul-97
+    - Fixed an error in X509_verify_cert() caused by my
+      miss-understanding how 'do { contine } while(0);' works.
+      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
+
+30-Jun-97
+    - Base64 decoding error.  If the last data line did not end with
+      a '=', sometimes extra data would be returned.
+    - Another 'cut and paste' bug in x509.c related to setting up the
+      STDout BIO.
+
+27-Jun-97
+    - apps/ciphers.c was not printing due to an editing error.
+    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
+      a library build error in util/mk1mf.pl
+
+26-Jun-97
+    - Still did not have the auto 'experimental' code removal
+      script correct.
+    - A few header tweaks for Watcom 11.0 under Win32 from
+      Rolf Lindemann <Lindemann@maz-hh.de>
+    - 0 length OCTET_STRING bug in asn1_parse
+    - A minor fix with an non-existent function in the MS .def files.
+    - A few changes to the PKCS7 stuff.
+
+25-Jun-97
+    SSLeay 0.8.0 finally it gets released.
+
+24-Jun-97
+    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
+    use a temporary RSA key.  This is experimental and needs some more work.
+    Fixed a few Win16 build problems.
+
+23-Jun-97
+    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
+    correctly. I was taking the SSL->ctx->default_cert when I should
+    have been using SSL->cert. The bug was in ssl/s3_srvr.c
+
+20-Jun-97
+    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
+    rest of the library. Even though I had the code required to do
+    it correctly, apps/req.c was doing the wrong thing.  I have fixed
+    and tested everything.
+
+    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
+
+19-Jun-97
+    Fixed a bug in the SSLv2 server side first packet handling. When
+    using the non-blocking test BIO, the ssl->s2->first_packet flag
+    was being reset when a would-block failure occurred when reading
+    the first 5 bytes of the first packet. This caused the checking
+    logic to run at the wrong time and cause an error.
+
+    Fixed a problem with specifying cipher. If RC4-MD5 were used,
+    only the SSLv3 version would be picked up.  Now this will pick
+    up both SSLv2 and SSLv3 versions. This required changing the
+    SSL_CIPHER->mask values so that they only mask the ciphers,
+    digests, authentication, export type and key-exchange algorithms.
+
+    I found that when a SSLv23 session is established, a reused
+    session, of type SSLv3 was attempting to write the SSLv2 
+    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
+    method has been modified so it will only write out cipher which
+    that method knows about.  
+
+
+ Changes between 0.8.0 and 0.8.1
+
+  *) Mostly bug fixes. 
+     There is an Ephemeral DH cipher problem which is fixed.
+
+ SSLeay 0.8.0
+
+This version of SSLeay has quite a lot of things different from the
+previous version.
+
+Basically check all callback parameters, I will be producing documentation
+about how to use things in th future.  Currently I'm just getting 080 out
+the door.  Please not that there are several ways to do everything, and
+most of the applications in the apps directory are hybrids, some using old
+methods and some using new methods.
+
+Have a look in demos/bio for some very simple programs and
+apps/s_client.c and apps/s_server.c for some more advanced versions.
+Notes are definitly needed but they are a week or so away.
+
+Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
+---
+Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
+get those people that want to move to using the new code base off to
+a quick start.
+
+Note that Eric has tidied up a lot of the areas of the API that were
+less than desirable and renamed quite a few things (as he had to break
+the API in lots of places anyrate). There are a whole pile of additional
+functions for making dealing with (and creating) certificates a lot
+cleaner.
+
+01-Jul-97
+Tim Hudson
+tjh@cryptsoft.com
+
+---8<---
+
+To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
+use something like the following (assuming you #include "crypto.h" which
+is something that you really should be doing).
+
+#if SSLEAY_VERSION_NUMBER >= 0x0800
+#define SSLEAY8
+#endif
+
+buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
+            too if you are working with BIO internal stuff (as distinct
+        from simply using the interface in an opaque manner)
+
+#include "bio.h"    - required along with "buffer.h" if you write
+              your own BIO routines as the buffer and bio
+              stuff that was intermixed has been separated
+              out 
+            
+envelope.h -> evp.h  (which should have been done ages ago)
+
+Initialisation ... don't forget these or you end up with code that
+is missing the bits required to do useful things (like ciphers):
+
+SSLeay_add_ssl_algorithms()
+(probably also want SSL_load_error_strings() too but you should have
+ already had that call in place)
+
+SSL_CTX_new()   - requires an extra method parameter
+              SSL_CTX_new(SSLv23_method()) 
+              SSL_CTX_new(SSLv2_method()) 
+              SSL_CTX_new(SSLv3_method()) 
+
+          OR to only have the server or the client code
+              SSL_CTX_new(SSLv23_server_method()) 
+              SSL_CTX_new(SSLv2_server_method()) 
+              SSL_CTX_new(SSLv3_server_method()) 
+          or  
+              SSL_CTX_new(SSLv23_client_method()) 
+              SSL_CTX_new(SSLv2_client_method()) 
+              SSL_CTX_new(SSLv3_client_method()) 
+
+SSL_set_default_verify_paths() ... renamed to the more appropriate
+SSL_CTX_set_default_verify_paths()
+
+If you want to use client certificates then you have to add in a bit
+of extra stuff in that a SSLv3 server sends a list of those CAs that
+it will accept certificates from ... so you have to provide a list to
+SSLeay otherwise certain browsers will not send client certs.
+
+SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
+
+
+X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
+               or provide a buffer and size to copy the
+               result into
+
+X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
+          notes on X509_NAME structure changes too)
+
+
+VERIFICATION CODE
+=================
+
+The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
+more accurately reflect things.
+
+The verification callback args are now packaged differently so that
+extra fields for verification can be added easily in future without
+having to break things by adding extra parameters each release :-)
+
+X509_cert_verify_error_string -> X509_verify_cert_error_string
+
+
+BIO INTERNALS
+=============
+
+Eric has fixed things so that extra flags can be introduced in
+the BIO layer in future without having to play with all the BIO
+modules by adding in some macros.
+
+The ugly stuff using 
+    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_clear_retry_flags(b)
+
+    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_set_retry_read(b)
+
+Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
+
+
+
+OTHER THINGS
+============
+
+X509_NAME has been altered so that it isn't just a STACK ... the STACK
+is now in the "entries" field ... and there are a pile of nice functions
+for getting at the details in a much cleaner manner.
+
+SSL_CTX has been altered ... "cert" is no longer a direct member of this
+structure ... things are now down under "cert_store" (see x509_vfy.h) and
+things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
+If your code "knows" about this level of detail then it will need some 
+surgery.
+
+If you depending on the incorrect spelling of a number of the error codes
+then you will have to change your code as these have been fixed.
+
+ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
+has been all along so this makes things clearer.
+ify_cert_error_string(ctx->error));
+
+SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
+            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
+
+
+
+ Changes between 0.7.x and 0.8.0
+  
+  *) There have been lots of changes, mostly the addition of SSLv3.
+     There have been many additions from people and amongst
+     others, C2Net has assisted greatly.
+ 
+ Changes between 0.7.x and 0.7.x
+
+  *) Internal development version only
+
+SSLeay 0.6.6 13-Jan-1997
+
+The main additions are
+
+- assember for x86 DES improvments.
+  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
+  loop and the IP/FP modifications are from
+  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
+  contribution.
+- The 'DES macros' introduced in 0.6.5 now have 3 types.
+  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
+  is best and there is a summery of mine in crypto/des/options.txt
+- A few bug fixes.
+- Added blowfish.  It is not used by SSL but all the other stuff that
+  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
+  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
+  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
+  the 'Configure' script.
+- There is now a 'get client certificate' callback which can be
+  'non-blocking'.  If more details are required, let me know.  It will
+  documented more in SSLv3 when I finish it.
+- Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
+  now tests the ca program.
+- Lots of little things modified and tweaked.
+
+ SSLeay 0.6.5
+
+After quite some time (3 months), the new release.  I have been very busy
+for the last few months and so this is mostly bug fixes and improvments.
+
+The main additions are
+
+- assember for x86 DES.  For all those gcc based systems, this is a big
+  improvement.  From 117,000 DES operation a second on a pentium 100,
+  I now get 191,000.  I have also reworked the C version so it
+  now gives 148,000 DESs per second.  
+- As mentioned above, the inner DES macros now have some more variant that
+  sometimes help, sometimes hinder performance.  There are now 3 options
+  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
+  and DES_RISC (a more register intensive version of the inner macro).
+  The crypto/des/des_opts.c program, when compiled and run, will give
+  an indication of the correct options to use.
+- The BIO stuff has been improved.  Read doc/bio.doc.  There are now
+  modules for encryption and base64 encoding and a BIO_printf() function.
+- The CA program will accept simple one line X509v3 extensions in the
+  ssleay.cnf file.  Have a look at the example.  Currently this just
+  puts the text into the certificate as an OCTET_STRING so currently
+  the more advanced X509v3 data types are not handled but this is enough
+  for the netscape extensions.
+- There is the start of a nicer higher level interface to the X509
+  strucutre.
+- Quite a lot of bug fixes.
+- CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
+  to define the malloc(), free() and realloc() routines to use
+  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
+  using DLLs and mixing CRT libraries.
+
+In general, read the 'VERSION' file for changes and be aware that some of
+the new stuff may not have been tested quite enough yet, so don't just plonk
+in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
+
+SSLeay 0.6.4 30/08/96 eay
+
+I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
+Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
+
+The main changes in this release
+
+- Thread safe.  have a read of doc/threads.doc and play in the mt directory.
+  For anyone using 0.6.3 with threads, I found 2 major errors so consider
+  moving to 0.6.4.  I have a test program that builds under NT and
+  solaris.
+- The get session-id callback has changed.  Have a read of doc/callback.doc.
+- The X509_cert_verify callback (the SSL_verify callback) now
+  has another argument.  Have a read of doc/callback.doc
+- 'ca -preserve', sign without re-ordering the DN.  Not tested much.
+- VMS support.
+- Compile time memory leak detection can now be built into SSLeay.
+  Read doc/memory.doc
+- CONF routines now understand '\', '\n', '\r' etc.  What this means is that
+  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
+- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
+- RC2 key setup is now compatable with Netscape.
+- Modifed server side of SSL implementation, big performance difference when
+      using session-id reuse.
+
+0.6.3
+
+Bug fixes and the addition of some nice stuff to the 'ca' program.
+Have a read of doc/ns-ca.doc for how hit has been modified so
+it can be driven from a CGI script.  The CGI script is not provided,
+but that is just being left as an excersize for the reader :-).
+
+0.6.2
+
+This is most bug fixes and functionality improvements.
+
+Additions are
+- More thread debugging patches, the thread stuff is still being
+  tested, but for those keep to play with stuff, have a look in
+  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
+  a second) callback that is used to implement locking.  Compiling
+  with LOCK_DEBUG spits out lots of locking crud :-).
+  This is what I'm currently working on.
+- SSL_CTX_set_default_passwd_cb() can be used to define the callback
+  function used in the SSL*_file() functions used to load keys.  I was
+  always of the opinion that people should call
+  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
+  it appears they just want to use the SSL_*_file() function() :-(.
+- 'enc' now has a -kfile so a key can be read from a file.  This is
+  mostly used so that the passwd does not appear when using 'ps',
+  which appears imposible to stop under solaris.
+- X509v3 certificates now work correctly.  I even have more examples
+  in my tests :-).  There is now a X509_EXTENSION type that is used in
+  X509v3 certificates and CRLv2.
+- Fixed that signature type error :-(
+- Fixed quite a few potential memory leaks and problems when reusing
+  X509, CRL and REQ structures.
+- EVP_set_pw_prompt() now sets the library wide default password
+  prompt.
+- The 'pkcs7' command will now, given the -print_certs flag, output in
+  pem format, all certificates and CRL contained within.  This is more
+  of a pre-emtive thing for the new verisign distribution method.  I
+  should also note, that this also gives and example in code, of how
+  to do this :-), or for that matter, what is involved in going the
+  other way (list of certs and crl -> pkcs7).
+- Added RSA's DESX to the DES library.  It is also available via the
+  EVP_desx_cbc() method and via 'enc desx'. 
+
+SSLeay 0.6.1
+
+The main functional changes since 0.6.0 are as follows
+- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
+  that from now on, I'll keep the .def numbers the same so they will be.
+- RSA private key operations are about 2 times faster that 0.6.0
+- The SSL_CTX now has more fields so default values can be put against
+  it.  When an SSL structure is created, these default values are used
+  but can be overwritten.  There are defaults for cipher, certificate,
+  private key, verify mode and callback.  This means SSL session
+  creation can now be
+  ssl=SSL_new()
+  SSL_set_fd(ssl,sock);
+  SSL_accept(ssl)
+  ....
+  All the other uglyness with having to keep a global copy of the
+  private key and certificate/verify mode in the server is now gone.
+- ssl/ssltest.c - one process talking SSL to its self for testing.
+- Storage of Session-id's can be controled via a session_cache_mode
+  flag.  There is also now an automatic default flushing of 
+  old session-id's.
+- The X509_cert_verify() function now has another parameter, this
+  should not effect most people but it now means that the reason for
+  the failure to verify is now available via SSL_get_verify_result(ssl).
+  You don't have to use a global variable.
+- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
+  application data against the SSL structure.  It is upto the application
+  to free the data.  I don't use it, but it is available.
+- SSL_CTX_set_cert_verify_callback() can be used to specify a
+  verify callback function that completly replaces my certificate
+  verification code.  Xcert should be able to use this :-).
+  The callback is of the form int app_verify_callback(arg,ssl,cert).
+  This needs to be documented more.
+- I have started playing with shared library builds, have a look in
+  the shlib directory.  It is very simple.  If you need a numbered
+  list of functions, have a look at misc/crypto.num and misc/ssl.num.
+- There is some stuff to do locking to make the library thread safe.
+  I have only started this stuff and have not finished.  If anyone is
+  keen to do so, please send me the patches when finished.
+
+So I have finally made most of the additions to the SSL interface that
+I thought were needed.
+
+There will probably be a pause before I make any non-bug/documentation
+related changes to SSLeay since I'm feeling like a bit of a break.
+
+eric - 12 Jul 1996
+I saw recently a comment by some-one that we now seem to be entering
+the age of perpetual Beta software.
+Pioneered by packages like linux but refined to an art form by
+netscape.
+
+I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
+
+There are quite a large number of sections that are 'works in
+progress' in this package.  I will also list the major changes and
+what files you should read.
+
+BIO - this is the new IO structure being used everywhere in SSLeay.  I
+started out developing this because of microsoft, I wanted a mechanism
+to callback to the application for all IO, so Windows 3.1 DLL
+perversion could be hidden from me and the 15 different ways to write
+to a file under NT would also not be dictated by me at library build
+time.  What the 'package' is is an API for a data structure containing
+functions.  IO interfaces can be written to conform to the
+specification.  This in not intended to hide the underlying data type
+from the application, but to hide it from SSLeay :-).
+I have only really finished testing the FILE * and socket/fd modules.
+There are also 'filter' BIO's.  Currently I have only implemented
+message digests, and it is in use in the dgst application.  This
+functionality will allow base64/encrypto/buffering modules to be
+'push' into a BIO without it affecting the semantics.  I'm also
+working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
+from an event loop which uses the interface.
+It is also possible to 'attach' callbacks to a BIO so they get called
+before and after each operation, alowing extensive debug output
+to be generated (try running dgst with -d).
+
+Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
+functions that used to take FILE *, now take BIO *.
+The wrappers are easy to write
+
+function_fp(fp,x)
+FILE *fp;
+    {
+    BIO *b;
+    int ret;
+
+    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
+    BIO_set_fp(b,fp,BIO_NOCLOSE);
+    ret=function_bio(b,x);
+    BIO_free(b);
+    return(ret);
+    }
+Remember, there are no functions that take FILE * in SSLeay when
+compiled for Windows 3.1 DLL's.
+
+--
+I have added a general EVP_PKEY type that can hold a public/private
+key.  This is now what is used by the EVP_ functions and is passed
+around internally.  I still have not done the PKCS#8 stuff, but
+X509_PKEY is defined and waiting :-)
+
+--
+For a full function name listings, have a look at ms/crypt32.def and
+ms/ssl32.def.  These are auto-generated but are complete.
+Things like ASN1_INTEGER_get() have been added and are in here if you
+look.  I have renamed a few things, again, have a look through the
+function list and you will probably find what you are after.  I intend
+to at least put a one line descrition for each one.....
+
+--
+Microsoft - thats what this release is about, read the MICROSOFT file.
+
+--
+Multi-threading support.  I have started hunting through the code and
+flaging where things need to be done.  In a state of work but high on
+the list.
+
+--
+For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
+be be you random data device, otherwise 'RFILE' in e_os.h
+will be used, in your home directory.  It will be updated
+periodically.  The environment variable RANDFILE will override this
+choice and read/write to that file instead.  DEVRANDOM is used in
+conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
+number generator, pick on one of these files.
+
+--
+
+The list of things to read and do
+
+dgst -d
+s_client -state (this uses a callback placed in the SSL state loop and
+        will be used else-where to help debug/monitor what
+        is happening.)
+
+doc/why.doc
+doc/bio.doc <- hmmm, needs lots of work.
+doc/bss_file.doc <- one that is working :-)
+doc/session.doc <- it has changed
+doc/speed.doc
+ also play with ssleay version -a.  I have now added a SSLeay()
+ function that returns a version number, eg 0600 for this release
+ which is primarily to be used to check DLL version against the
+ application.
+util/*  Quite a few will not interest people, but some may, like
+ mk1mf.pl, mkdef.pl,
+util/do_ms.sh
+
+try
+cc -Iinclude -Icrypto -c crypto/crypto.c
+cc -Iinclude -Issl -c ssl/ssl.c
+You have just built the SSLeay libraries as 2 object files :-)
+
+Have a general rummage around in the bin stall directory and look at
+what is in there, like CA.sh and c_rehash
+
+There are lots more things but it is 12:30am on a Friday night and I'm
+heading home :-).
+
+eric 22-Jun-1996
+This version has quite a few major bug fixes and improvements.  It DOES NOT
+do SSLv3 yet.
+
+The main things changed
+- A Few days ago I added the s_mult application to ssleay which is
+  a demo of an SSL server running in an event loop type thing.
+  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
+  can operate in non-blocking IO mode, look at the code to see how :-).
+  Have a read of doc/s_mult as well.  This program leaks memory and
+  file descriptors everywhere but I have not cleaned it up yet.
+  This is a demo of how to do non-blocking IO.
+- The SSL session management has been 'worked over' and there is now
+  quite an expansive set of functions to manipulate them.  Have a read of
+  doc/session.doc for some-things I quickly whipped up about how it now works.
+  This assume you know the SSLv2 protocol :-)
+- I can now read/write the netscape certificate format, use the
+  -inform/-outform  'net' options to the x509 command.  I have not put support
+  for this type in the other demo programs, but it would be easy to add.
+- asn1parse and 'enc' have been modified so that when reading base64
+  encoded files (pem format), they do not require '-----BEGIN' header lines.
+  The 'enc' program had a buffering bug fixed, it can be used as a general
+  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
+  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
+  into a form of 'cat'.
+- The 'x509' and 'req' programs have been fixed and modified a little so
+  that they generate self-signed certificates correctly.  The test
+  script actually generates a 'CA' certificate and then 'signs' a
+  'user' certificate.  Have a look at this shell script (test/sstest)
+  to see how things work, it tests most possible combinations of what can
+  be done.
+- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
+  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
+  If this function is used in the client, only the specified ciphers can
+  be used, with preference given to the order the ciphers were listed.
+  For the server, if this is used, only the specified ciphers will be used
+  to accept connections.  If this 'option' is not used, a default set of
+  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
+  list for all ciphers started against the SSL_CTX.  So the order is
+  SSL cipher_list, if not present, SSL_CTX cipher list, if not
+  present, then the library default.
+  What this means is that normally ciphers like
+  NULL-MD5 will never be used.  The only way this cipher can be used
+  for both ends to specify to use it.
+  To enable or disable ciphers in the library at build time, modify the
+  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
+  This file also contains the 'pref_cipher' list which is the default
+  cipher preference order.
+- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
+  options work.  They should, and they enable loading and writing the
+  netscape rsa private key format.  I will be re-working this section of
+  SSLeay for the next version.  What is currently in place is a quick and
+  dirty hack.
+- I've re-written parts of the bignum library.  This gives speedups
+  for all platforms.  I now provide assembler for use under Windows NT.
+  I have not tested the Windows 3.1 assembler but it is quite simple code.
+  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
+  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
+  Basically the times available under linux/solaris x86 can be achieve under
+  Windows NT.  I still don't know how these times compare to RSA's BSAFE
+  library but I have been emailing with people and with their help, I should
+  be able to get my library's quite a bit faster still (more algorithm changes).
+  The object file crypto/bn/asm/x86-32.obj should be used when linking
+  under NT.
+- 'make makefile.one' in the top directory will generate a single makefile
+  called 'makefile.one'  This makefile contains no perl references and
+  will build the SSLeay library into the 'tmp' and 'out' directories.
+  util/mk1mf.pl >makefile.one is how this makefile is
+  generated.  The mk1mf.pl command take several option to generate the
+  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
+  still under development.  I have only build .lib's for NT and MSDOS
+  I will be working on this more.  I still need to play with the
+  correct compiler setups for these compilers and add some more stuff but
+  basically if you just want to compile the library
+  on a 'non-unix' platform, this is a very very good file to start with :-).
+  Have a look in the 'microsoft' directory for my current makefiles.
+  I have not yet modified things to link with sockets under Windows NT.
+  You guys should be able to do this since this is actually outside of the
+  SSLeay scope :-).  I will be doing it for myself soon.
+  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
+  to build without RC2/RC4, to require RSAref for linking, and to
+  build with no socket code.
+
+- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
+  that was posted to sci.crypt has been added to the library and SSL.
+  I take the view that if RC2 is going to be included in a standard,
+  I'll include the cipher to make my package complete.
+  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
+  at compile time.  I have not tested this recently but it should all work
+  and if you are in the USA and don't want RSA threatening to sue you,
+  you could probably remove the RC4/RC2 code inside these sections.
+  I may in the future include a perl script that does this code
+  removal automatically for those in the USA :-).
+- I have removed all references to sed in the makefiles.  So basically,
+  the development environment requires perl and sh.  The build environment
+  does not (use the makefile.one makefile).
+  The Configure script still requires perl, this will probably stay that way
+  since I have perl for Windows NT :-).
+
+eric (03-May-1996)
+
+PS Have a look in the VERSION file for more details on the changes and
+   bug fixes.
+I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
+things up.  This version will be quite stable, mostly because I'm on
+holidays until 10-March-1996.  For any problems in the interum, send email
+to Tim Hudson <tjh@mincom.oz.au>.
+
+SSLeay 0.5.0
+
+12-12-95
+This is going out before it should really be released.
+
+I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
+this for 11 weeks or get things out.  It is still going to change a
+lot in the next week so if you do grab this version, please test and
+give me feed back ASAP, inculuding questions on how to do things with
+the library.  This will prompt me to write documentation so I don't
+have to answer the same question again :-).
+
+This 'pre' release version is for people who are interested in the
+library.  The applications will have to be changed to use
+the new version of the SSL interface.  I intend to finish more
+documentation before I leave but until then, look at the programs in
+the apps directory.  As far as code goes, it is much much nicer than
+the old version.
+
+The current library works, has no memory leaks (as far as I can tell)
+and is far more bug free that 0.4.5d.  There are no global variable of
+consequence (I believe) and I will produce some documentation that
+tell where to look for those people that do want to do multi-threaded
+stuff.
+
+There should be more documentation.  Have a look in the
+doc directory.  I'll be adding more before I leave, it is a start
+by mostly documents the crypto library.  Tim Hudson will update
+the web page ASAP.  The spelling and grammar are crap but
+it is better than nothing :-)
+
+Reasons to start playing with version 0.5.0
+- All the programs in the apps directory build into one ssleay binary.
+- There is a new version of the 'req' program that generates certificate
+  requests, there is even documentation for this one :-)
+- There is a demo certification authorithy program.  Currently it will
+  look at the simple database and update it.  It will generate CRL from
+  the data base.  You need to edit the database by hand to revoke a
+  certificate, it is my aim to use perl5/Tk but I don't have time to do
+  this right now.  It will generate the certificates but the management
+  scripts still need to be written.  This is not a hard task.
+- Things have been cleaned up alot.
+- Have a look at the enc and dgst programs in the apps directory.
+- It supports v3 of x509 certiticates.
+
+
+Major things missing.
+- I have been working on (and thinging about) the distributed x509
+  hierachy problem.  I have not had time to put my solution in place.
+  It will have to wait until I come back.
+- I have not put in CRL checking in the certificate verification but
+  it would not be hard to do.  I was waiting until I could generate my
+  own CRL (which has only been in the last week) and I don't have time
+  to put it in correctly.
+- Montgomery multiplication need to be implemented.  I know the
+  algorithm, just ran out of time.
+- PKCS#7.  I can load and write the DER version.  I need to re-work
+  things to support BER (if that means nothing, read the ASN1 spec :-).
+- Testing of the higher level digital envelope routines.  I have not
+  played with the *_seal() and *_open() type functions.  They are
+  written but need testing.  The *_sign() and *_verify() functions are
+  rock solid. 
+- PEM.  Doing this and PKCS#7 have been dependant on the distributed
+  x509 heirachy problem.  I started implementing my ideas, got
+  distracted writing a CA program and then ran out of time.  I provide
+  the functionality of RSAref at least.
+- Re work the asm. code for the x86.  I've changed by low level bignum
+  interface again, so I really need to tweak the x86 stuff.  gcc is
+  good enough for the other boxes.
+
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
new file mode 100755
index 0000000..273b7b7
--- /dev/null
+++ b/crypto/openssl/Configure
@@ -0,0 +1,977 @@
+:
+eval 'exec perl -S $0 ${1+"$@"}'
+    if $running_under_some_shell;
+##
+##  Configure -- OpenSSL source tree configuration script
+##
+
+require 5.000;
+use strict;
+
+# see INSTALL for instructions.
+
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
+
+# Options:
+#
+# --openssldir  install OpenSSL in OPENSSLDIR (Default: DIR/ssl if the
+#               --prefix option is given; /usr/local/ssl otherwise)
+# --prefix      prefix for the OpenSSL include, lib and bin directories
+#               (Default: the OPENSSLDIR directory)
+#
+# --install_prefix  Additional prefix for package builders (empty by
+#               default).  This needn't be set in advance, you can
+#               just as well use "make INSTALL_PREFIX=/whatever install".
+#
+# rsaref        use RSAref
+# [no-]threads  [don't] try to create a library that is suitable for
+#               multithreaded applications (default is "threads" if we
+#               know how to do it)
+# no-asm        do not use assembler
+# 386           generate 80386 code
+# no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
+# -<xxx> +<xxx> compiler options are passed through 
+# 
+# DES_PTR	use pointer lookup vs arrays in the DES in crypto/des/des_locl.h
+# DES_RISC1	use different DES_ENCRYPT macro that helps reduce register
+#		dependancies but needs to more registers, good for RISC CPU's
+# DES_RISC2	A different RISC variant.
+# DES_UNROLL	unroll the inner DES loop, sometimes helps, somtimes hinders.
+# DES_INT	use 'int' instead of 'long' for DES_LONG in crypto/des/des.h
+#		This is used on the DEC Alpha where long is 8 bytes
+#		and int is 4
+# BN_LLONG	use the type 'long long' in crypto/bn/bn.h
+# MD2_CHAR	use 'char' instead of 'int' for MD2_INT in crypto/md2/md2.h
+# MD2_LONG	use 'long' instead of 'int' for MD2_INT in crypto/md2/md2.h
+# IDEA_SHORT	use 'short' instead of 'int' for IDEA_INT in crypto/idea/idea.h
+# IDEA_LONG	use 'long' instead of 'int' for IDEA_INT in crypto/idea/idea.h
+# RC2_SHORT	use 'short' instead of 'int' for RC2_INT in crypto/rc2/rc2.h
+# RC2_LONG	use 'long' instead of 'int' for RC2_INT in crypto/rc2/rc2.h
+# RC4_CHAR	use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
+# RC4_LONG	use 'long' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
+# RC4_INDEX	define RC4_INDEX in crypto/rc4/rc4_locl.h.  This turns on
+#		array lookups instead of pointer use.
+# RC4_CHUNK	enables code that handles data aligned at long (natural CPU
+#		word) boundary.
+# RC4_CHUNK_LL	enables code that handles data aligned at long long boundary
+#		(intended for 64-bit CPUs running 32-bit OS).
+# BF_PTR	use 'pointer arithmatic' for Blowfish (unsafe on Alpha).
+# BF_PTR2	intel specific version (generic version is more efficient).
+# MD5_ASM	use some extra md5 assember,
+# SHA1_ASM	use some extra sha1 assember, must define L_ENDIAN for x86
+# RMD160_ASM	use some extra ripemd160 assember,
+
+my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
+
+# MD2_CHAR slags pentium pros
+my $x86_gcc_opts="RC4_INDEX MD2_INT";
+
+# MODIFY THESE PARAMETERS IF YOU ARE GOING TO USE THE 'util/speed.sh SCRIPT
+# Don't worry about these normally
+
+my $tcc="cc";
+my $tflags="-fast -Xa";
+my $tbn_mul="";
+my $tlib="-lnsl -lsocket";
+#$bits1="SIXTEEN_BIT ";
+#$bits2="THIRTY_TWO_BIT ";
+my $bits1="THIRTY_TWO_BIT ";
+my $bits2="SIXTY_FOUR_BIT ";
+
+my $x86_sol_asm="asm/bn86-sol.o asm/co86-sol.o:asm/dx86-sol.o asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o";
+my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o";
+my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o";
+my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o";
+
+# -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
+# So the md5_locl.h file has an undef B_ENDIAN if sun is defined
+
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj
+
+my %table=(
+#"b",		"${tcc}:${tflags}::${tlib}:${bits1}:${tbn_mul}::",
+#"bl-4c-2c",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:${tbn_mul}::",
+#"bl-4c-ri",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:${tbn_mul}::",
+#"b2-is-ri-dp",	"${tcc}:${tflags}::${tlib}:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:${tbn_mul}::",
+
+# Our development configs
+"purify",	"purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
+"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-bodo",	"gcc:-DBIO_PAIR_DEBUG -DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:::",
+"dist",		"cc:-O::(unknown):::::",
+
+# Basic configs that should work on any (32 and less bit) box
+"gcc",		"gcc:-O3::(unknown)::BN_LLONG:::",
+"cc",		"cc:-O::(unknown):::::",
+
+#### Solaris x86 setups
+# -DNO_INLINE_ASM switches off inline assembler. We have to do it
+# here because whenever GNU C instantiates an assembler template it
+# surrounds it with #APP #NO_APP comment pair which (at least Solaris
+# 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
+# error message.
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}",
+
+#### SPARC Solaris with GNU C setups
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+# gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
+# but keep the assembler modules.
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o:",
+####
+"debug-solaris-sparcv8-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"debug-solaris-sparcv9-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o::",
+
+#### SPARC Solaris with Sun C setups
+# DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
+"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:::",
+# SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
+# SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
+# SC5.0 note: Compiler common patch 107357-01 or later is required!
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+####
+"debug-solaris-sparcv8-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"debug-solaris-sparcv9-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+
+#### SPARC Linux setups
+"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
+# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+# assisted with debugging of following two configs.
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
+# it's a real mess with -mcpu=ultrasparc option under Linux, but
+# -Wa,-Av8plus should do the trick no matter what.
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+# !!!Folowing can't be even tested yet!!!
+#    We have to wait till 64-bit glibc for SPARC is operational!!!
+#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+
+# Sunos configs, assuming sparc for the gcc one.
+##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown)::DES_UNROLL:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+
+#### IRIX 5.x configs
+# -mips2 flag is added by ./config when appropriate.
+"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::",
+"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::",
+#### IRIX 6.x configs
+# Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
+# './Configure irix-[g]cc' manually.
+# -mips4 flag is added by ./config when appropriate.
+"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+# N64 ABI builds.
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+
+#### Unified HP-UX ANSI C configs.
+# Special notes:
+# - Originally we were optimizing at +O4 level. It should be noted
+#   that the only difference between +O3 and +O4 is global inter-
+#   procedural analysis. As it has to be performed during the link
+#   stage the compiler leaves behind certain pseudo-code in lib*.a
+#   which might be release or even patch level specific. Generating
+#   the machine code for and analyzing the *whole* program appears
+#   to be *extremely* memory demanding while the performance gain is
+#   actually questionable. The situation is intensified by the default
+#   HP-UX data set size limit (infamous 'maxdsiz' tunable) of 64MB
+#   which is way too low for +O4. In other words, doesn't +O3 make
+#   more sense?
+# - Keep in mind that the HP compiler by default generates code
+#   suitable for execution on the host you're currently compiling at.
+#   If the toolkit is ment to be used on various PA-RISC processors
+#   consider './config +Dportable'.
+# - +DD64 is chosen in favour of +DA2.0W because it's ment to be
+#   compatible with *future* releases.
+# - If you run ./Configure hpux-parisc-[g]cc manually don't forget to
+#   pass -D_REENTRANT on HP-UX 10 and later.
+# - -DMD32_XARRAY triggers workaround for compiler bug we ran into in
+#   32-bit message digests. (For the moment of this writing) HP C
+#   doesn't seem to "digest" too many local variables (they make "him"
+#   chew forever:-). For more details look-up MD32_XARRAY comment in
+#   crypto/sha/sha_lcl.h.
+#					<appro@fy.chalmers.se>
+#
+"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# Since there is mention of this in shlib/hpux10-cc.sh
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:::",
+
+# HPUX 9.X config.
+# Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
+# egcs.  gcc 2.8.1 is also broken.
+
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
+# please report your OS and compiler version to the openssl-bugs@openssl.org
+# mailing list.
+"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# If hpux-gcc fails, try this one:
+"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+
+# HPUX 10.X config.  Supports threads.
+"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
+"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+
+"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# If hpux10-gcc fails, try this one:
+"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::",
+
+# HPUX 11.X from www.globus.org.
+# Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
+#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::",
+#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
+# Use unified settings above instead.
+
+# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with
+# the new compiler
+# For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
+"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o::",
+"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
+"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
+"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
+
+#### Alpha Linux with GNU C and Compaq C setups
+# Special notes:
+# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+#   ought to run './Configure linux-alpha+bwx-gcc' manually, do
+#   complement the command line with -mcpu=ev56, -mcpu=ev6 or whatever
+#   which is appropriate.
+# - If you use ccc keep in mind that -fast implies -arch host and the
+#   compiler is free to issue instructions which gonna make elder CPU
+#   choke. If you wish to build "blended" toolkit, add -arch generic
+#   *after* -fast and invoke './Configure linux-alpha-ccc' manually.
+#
+#					<appro@fy.chalmers.se>
+#
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+
+# assembler versions -- currently defunct:
+##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::",
+
+# The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
+# bn86-elf.o file file since it is hand tweaked assembler.
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-linux-elf","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"linux-mips",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
+"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
+"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
+"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
+"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
+"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
+"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"nextstep",	"cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+"nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+# NCR MP-RAS UNIX ver 02.03.01
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
+
+# UnixWare 2.0
+"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+
+# UnixWare 7
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+
+# IBM's AIX.
+"aix-cc",   "cc:-O -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
+"aix-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
+
+#
+# Cray T90 (SDSC)
+# It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT
+# defined.  The T90 ints and longs are 8 bytes long, and apparently the
+# B_ENDIAN code assumes 4 byte ints.  Fortunately, the non-B_ENDIAN and
+# non L_ENDIAN code aligns the bytes in each word correctly.
+#
+# The BIT_FIELD_LIMITS define is to avoid two fatal compiler errors:
+#'Taking the address of a bit field is not allowed. '
+#'An expression with bit field exists as the operand of "sizeof" '
+# (written by Wayne Schroeder <schroede@SDSC.EDU>)
+"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::",
+
+#
+# Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
+#
+# The BIT_FIELD_LIMITS define was written for the C90 (it seems).  I added
+# another use.  Basically, the problem is that the T3E uses some bit fields
+# for some st_addr stuff, and then sizeof and address-of fails
+# I could not use the ams/alpha.o option because the Cray assembler, 'cam'
+# did not like it.
+"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::",
+
+# DGUX, 88100.
+"dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::",
+"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::",
+"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+
+# SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
+# SCO cc.
+"sco5-cc",  "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
+"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+
+# Sinix/ReliantUNIX RM400
+# NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
+"ReliantUNIX","cc:-KPIC -g -DSNI -DTERMIOS -DB_ENDIAN::-Kthread:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::",
+"SINIX","cc:-O -DSNI::(unknown):-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
+"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown):-lucb:RC4_INDEX RC4_CHAR:::",
+
+# SIEMENS BS2000/OSD: an EBCDIC-based mainframe
+"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
+
+# Windows NT, Microsoft Visual C++ 4.0
+
+"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
+"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
+"VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
+"VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+"VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
+"VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+
+# Borland C++ 4.5
+"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX:::",
+"BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+
+# CygWin32
+# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
+# and its library files in util/pl/*)
+"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
+"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
+
+# Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
+"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
+"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown)::::::",
+# K&R C is no longer supported; you need gcc on old Ultrix installations
+##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::",
+
+# Some OpenBSD from Bob Beck <beck@obtuse.com>
+"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::",
+"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::",
+"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::",
+
+##### MacOS X (a.k.a. Rhapsody) setup
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+
+);
+
+my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
+	BC-16 CygWin32 Mingw32);
+
+my $prefix="";
+my $openssldir="";
+my $install_prefix="";
+my $no_threads=0;
+my $threads=0;
+my $no_asm=0;
+my @skip=();
+my $Makefile="Makefile.ssl";
+my $des_locl="crypto/des/des_locl.h";
+my $des	="crypto/des/des.h";
+my $bn	="crypto/bn/bn.h";
+my $md2	="crypto/md2/md2.h";
+my $rc4	="crypto/rc4/rc4.h";
+my $rc4_locl="crypto/rc4/rc4_locl.h";
+my $idea	="crypto/idea/idea.h";
+my $rc2	="crypto/rc2/rc2.h";
+my $bf	="crypto/bf/bf_locl.h";
+my $bn_asm	="bn_asm.o";
+my $des_enc="des_enc.o fcrypt_b.o";
+my $bf_enc	="bf_enc.o";
+my $cast_enc="c_enc.o";
+my $rc4_enc="rc4_enc.o";
+my $rc5_enc="rc5_enc.o";
+my $md5_obj="";
+my $sha1_obj="";
+my $rmd160_obj="";
+my $processor="";
+my $ranlib;
+my $perl;
+
+$ranlib=&which("ranlib") or $ranlib="true";
+$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+  or $perl="perl";
+
+&usage if ($#ARGV < 0);
+
+my $flags="";
+my $depflags="";
+my $openssl_algorithm_defines="";
+my $openssl_thread_defines="";
+my $openssl_other_defines="";
+my $libs="";
+my $target="";
+my $options="";
+foreach (@ARGV)
+	{
+	s /^-no-/no-/; # some people just can't read the instructions
+	if (/^no-asm$/)
+	 	{
+		$no_asm=1;
+		$flags .= "-DNO_ASM ";
+		$openssl_other_defines .= "#define NO_ASM\n";
+		}
+	elsif (/^no-threads$/)
+		{ $no_threads=1; }
+	elsif (/^threads$/)
+		{ $threads=1; }
+	elsif (/^no-(.+)$/)
+		{
+		my $algo=$1;
+		push @skip,$algo;
+		$algo =~ tr/[a-z]/[A-Z]/;
+		$flags .= "-DNO_$algo ";
+		$depflags .= "-DNO_$algo ";
+		$openssl_algorithm_defines .= "#define NO_$algo\n";
+		if ($algo eq "DES")
+			{
+			push @skip, "mdc2";
+			$options .= " no-mdc2";
+			$flags .= "-DNO_MDC2 ";
+			$depflags .= "-DNO_MDC2 ";
+			$openssl_algorithm_defines .= "#define NO_MDC2\n";
+			}
+		}
+	elsif (/^386$/)
+		{ $processor=386; }
+	elsif (/^rsaref$/)
+		{
+		$libs.= "-lRSAglue -lrsaref ";
+		$flags.= "-DRSAref ";
+		$openssl_other_defines .= "#define RSAref\n";
+		}
+	elsif (/^[-+]/)
+		{
+		if (/^-[lL](.*)$/)
+			{
+			$libs.=$_." ";
+			}
+		elsif (/^-[^-]/ or /^\+/)
+			{
+			$flags.=$_." ";
+			}
+		elsif (/^--prefix=(.*)$/)
+			{
+			$prefix=$1;
+			}
+		elsif (/^--openssldir=(.*)$/)
+			{
+			$openssldir=$1;
+			}
+		elsif (/^--install.prefix=(.*)$/)
+			{
+			$install_prefix=$1;
+			}
+		else
+			{
+			print STDERR $usage;
+			exit(1);
+			}
+		}
+	elsif ($_ =~ /^([^:]+):(.+)$/)
+		{
+		eval "\$table{\$1} = \"$2\""; # allow $xxx constructs in the string
+		$target=$1;
+		}
+	else
+		{
+		die "target already defined - $target\n" if ($target ne "");
+		$target=$_;
+		}
+	unless ($_ eq $target) {
+		if ($options eq "") {
+			$options = $_;
+		} else {
+			$options .= " ".$_;
+		}
+	}
+}
+
+if ($target eq "TABLE") {
+	foreach $target (sort keys %table) {
+		print_table_entry($target);
+	}
+	exit 0;
+}
+
+if ($target eq "LIST") {
+	foreach (sort keys %table) {
+		print;
+		print "\n";
+	}
+	exit 0;
+}
+
+&usage if (!defined($table{$target}));
+
+my $IsWindows=scalar grep /^$target$/,@WinTargets;
+
+$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
+$prefix=$openssldir if $prefix eq "";
+
+chop $openssldir if $openssldir =~ /\/$/;
+chop $prefix if $prefix =~ /\/$/;
+
+$openssldir=$prefix . "/ssl" if $openssldir eq "";
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
+
+
+print "IsWindows=$IsWindows\n";
+
+(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
+ $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
+	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+$cflags="$flags$cflags" if ($flags ne "");
+
+my $thread_cflags;
+my $thread_defines;
+if ($thread_cflag ne "(unknown)" && !$no_threads)
+	{
+	# If we know how to do it, support threads by default.
+	$threads = 1;
+	}
+if ($thread_cflag eq "(unknown)")
+	{
+	# If the user asked for "threads", hopefully they also provided
+	# any system-dependent compiler options that are necessary.
+	$thread_cflags="-DTHREADS $cflags" ;
+	$thread_defines .= "#define THREADS\n";
+	}
+else
+	{
+	$thread_cflags="-DTHREADS $thread_cflag $cflags";
+	$thread_defines .= "#define THREADS\n";
+#	my $def;
+#	foreach $def (split ' ',$thread_cflag)
+#		{
+#		if ($def =~ s/^-D// && $def !~ /^_/)
+#			{
+#			$thread_defines .= "#define $def\n";
+#			}
+#		}
+	}	
+
+$lflags="$libs$lflags"if ($libs ne "");
+
+if ($no_asm)
+	{
+	$bn_obj=$des_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj="";
+	$sha1_obj=$md5_obj=$rmd160_obj="";
+	}
+
+if ($threads)
+	{
+		$cflags=$thread_cflags;
+		$openssl_thread_defines .= $thread_defines;
+	}
+
+#my ($bn1)=split(/\s+/,$bn_obj);
+#$bn1 = "" unless defined $bn1;
+#$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
+#$bn_obj="$bn1";
+
+$bn_obj = $bn_asm unless $bn_obj ne "";
+
+$des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
+$bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
+$cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
+$rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
+$rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
+if ($sha1_obj =~ /\.o$/)
+	{
+#	$sha1_obj=$sha1_enc;
+	$cflags.=" -DSHA1_ASM";
+	}
+if ($md5_obj =~ /\.o$/)
+	{
+#	$md5_obj=$md5_enc;
+	$cflags.=" -DMD5_ASM";
+	}
+if ($rmd160_obj =~ /\.o$/)
+	{
+#	$rmd160_obj=$rmd160_enc;
+	$cflags.=" -DRMD160_ASM";
+	}
+
+my $version = "unknown";
+my $major = "unknown";
+my $minor = "unknown";
+
+open(IN,'<crypto/opensslv.h') || die "unable to read opensslv.h:$!\n";
+while (<IN>)
+	{
+	$version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /;
+	}
+close(IN);
+
+if ($version =~ /(^[0-9]*)\.([0-9\.]*)/)
+	{
+	$major=$1;
+	$minor=$2;
+	}
+
+open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
+open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
+print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
+my $sdirs=0;
+while (<IN>)
+	{
+	chop;
+	$sdirs = 1 if /^SDIRS=/;
+	if ($sdirs) {
+		my $dir;
+		foreach $dir (@skip) {
+			s/$dir//;
+			}
+		}
+	$sdirs = 0 unless /\\$/;
+	s/^VERSION=.*/VERSION=$version/;
+	s/^MAJOR=.*/MAJOR=$major/;
+	s/^MINOR=.*/MINOR=$minor/;
+	s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
+	s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
+	s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
+	s/^PLATFORM=.*$/PLATFORM=$target/;
+	s/^OPTIONS=.*$/OPTIONS=$options/;
+	s/^CC=.*$/CC= $cc/;
+	s/^CFLAG=.*$/CFLAG= $cflags/;
+	s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
+	s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
+	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
+	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
+	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
+	s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
+	s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
+	s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
+	s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
+	s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
+	s/^PROCESSOR=.*/PROCESSOR= $processor/;
+	s/^RANLIB=.*/RANLIB= $ranlib/;
+	s/^PERL=.*/PERL= $perl/;
+	print OUT $_."\n";
+	}
+close(IN);
+close(OUT);
+
+print "CC            =$cc\n";
+print "CFLAG         =$cflags\n";
+print "EX_LIBS       =$lflags\n";
+print "BN_ASM        =$bn_obj\n";
+print "DES_ENC       =$des_obj\n";
+print "BF_ENC        =$bf_obj\n";
+print "CAST_ENC      =$cast_obj\n";
+print "RC4_ENC       =$rc4_obj\n";
+print "RC5_ENC       =$rc5_obj\n";
+print "MD5_OBJ_ASM   =$md5_obj\n";
+print "SHA1_OBJ_ASM  =$sha1_obj\n";
+print "RMD160_OBJ_ASM=$rmd160_obj\n";
+print "PROCESSOR     =$processor\n";
+print "RANLIB        =$ranlib\n";
+print "PERL          =$perl\n";
+
+my $des_ptr=0;
+my $des_risc1=0;
+my $des_risc2=0;
+my $des_unroll=0;
+my $bn_ll=0;
+my $def_int=2;
+my $rc4_int=$def_int;
+my $md2_int=$def_int;
+my $idea_int=$def_int;
+my $rc2_int=$def_int;
+my $rc4_idx=0;
+my $rc4_chunk=0;
+my $bf_ptr=0;
+my @type=("char","short","int","long");
+my ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0);
+
+my $des_int;
+
+foreach (sort split(/\s+/,$bn_ops))
+	{
+	$des_ptr=1 if /DES_PTR/;
+	$des_risc1=1 if /DES_RISC1/;
+	$des_risc2=1 if /DES_RISC2/;
+	$des_unroll=1 if /DES_UNROLL/;
+	$des_int=1 if /DES_INT/;
+	$bn_ll=1 if /BN_LLONG/;
+	$rc4_int=0 if /RC4_CHAR/;
+	$rc4_int=3 if /RC4_LONG/;
+	$rc4_idx=1 if /RC4_INDEX/;
+	$rc4_chunk=1 if /RC4_CHUNK/;
+	$rc4_chunk=2 if /RC4_CHUNK_LL/;
+	$md2_int=0 if /MD2_CHAR/;
+	$md2_int=3 if /MD2_LONG/;
+	$idea_int=1 if /IDEA_SHORT/;
+	$idea_int=3 if /IDEA_LONG/;
+	$rc2_int=1 if /RC2_SHORT/;
+	$rc2_int=3 if /RC2_LONG/;
+	$bf_ptr=1 if $_ eq "BF_PTR";
+	$bf_ptr=2 if $_ eq "BF_PTR2";
+	($b64l,$b64,$b32,$b16,$b8)=(0,1,0,0,0) if /SIXTY_FOUR_BIT/;
+	($b64l,$b64,$b32,$b16,$b8)=(1,0,0,0,0) if /SIXTY_FOUR_BIT_LONG/;
+	($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0) if /THIRTY_TWO_BIT/;
+	($b64l,$b64,$b32,$b16,$b8)=(0,0,0,1,0) if /SIXTEEN_BIT/;
+	($b64l,$b64,$b32,$b16,$b8)=(0,0,0,0,1) if /EIGHT_BIT/;
+	}
+
+open(IN,'<crypto/opensslconf.h.in') || die "unable to read crypto/opensslconf.h.in:$!\n";
+open(OUT,'>crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n";
+print OUT "/* opensslconf.h */\n";
+print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
+
+print OUT "/* OpenSSL was configured with the following options: */\n";
+$openssl_algorithm_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
+$openssl_algorithm_defines = "   /* no ciphers excluded */\n" if $openssl_algorithm_defines eq "";
+$openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
+$openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
+print OUT "#ifdef OPENSSL_ALGORITHM_DEFINES\n$openssl_algorithm_defines#endif\n";
+print OUT "#ifdef OPENSSL_THREAD_DEFINES\n$openssl_thread_defines#endif\n";
+print OUT "#ifdef OPENSSL_OTHER_DEFINES\n$openssl_other_defines#endif\n\n";
+
+while (<IN>)
+	{
+	if	(/^#define\s+OPENSSLDIR/)
+		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
+	elsif	(/^#define\s+OPENSSL_UNISTD/)
+		{
+		$unistd = "<unistd.h>" if $unistd eq "";
+		print OUT "#define OPENSSL_UNISTD $unistd\n";
+		}
+	elsif	(/^#((define)|(undef))\s+SIXTY_FOUR_BIT_LONG/)
+		{ printf OUT "#%s SIXTY_FOUR_BIT_LONG\n",($b64l)?"define":"undef"; }
+	elsif	(/^#((define)|(undef))\s+SIXTY_FOUR_BIT/)
+		{ printf OUT "#%s SIXTY_FOUR_BIT\n",($b64)?"define":"undef"; }
+	elsif	(/^#((define)|(undef))\s+THIRTY_TWO_BIT/)
+		{ printf OUT "#%s THIRTY_TWO_BIT\n",($b32)?"define":"undef"; }
+	elsif	(/^#((define)|(undef))\s+SIXTEEN_BIT/)
+		{ printf OUT "#%s SIXTEEN_BIT\n",($b16)?"define":"undef"; }
+	elsif	(/^#((define)|(undef))\s+EIGHT_BIT/)
+		{ printf OUT "#%s EIGHT_BIT\n",($b8)?"define":"undef"; }
+	elsif	(/^#((define)|(undef))\s+BN_LLONG\s*$/)
+		{ printf OUT "#%s BN_LLONG\n",($bn_ll)?"define":"undef"; }
+	elsif	(/^\#define\s+DES_LONG\s+.*/)
+		{ printf OUT "#define DES_LONG unsigned %s\n",
+			($des_int)?'int':'long'; }
+	elsif	(/^\#(define|undef)\s+DES_PTR/)
+		{ printf OUT "#%s DES_PTR\n",($des_ptr)?'define':'undef'; }
+	elsif	(/^\#(define|undef)\s+DES_RISC1/)
+		{ printf OUT "#%s DES_RISC1\n",($des_risc1)?'define':'undef'; }
+	elsif	(/^\#(define|undef)\s+DES_RISC2/)
+		{ printf OUT "#%s DES_RISC2\n",($des_risc2)?'define':'undef'; }
+	elsif	(/^\#(define|undef)\s+DES_UNROLL/)
+		{ printf OUT "#%s DES_UNROLL\n",($des_unroll)?'define':'undef'; }
+	elsif	(/^#define\s+RC4_INT\s/)
+		{ printf OUT "#define RC4_INT unsigned %s\n",$type[$rc4_int]; }
+	elsif	(/^#undef\s+RC4_CHUNK/)
+		{
+		printf OUT "#undef RC4_CHUNK\n" if $rc4_chunk==0;
+		printf OUT "#define RC4_CHUNK unsigned long\n" if $rc4_chunk==1;
+		printf OUT "#define RC4_CHUNK unsigned long long\n" if $rc4_chunk==2;
+		}
+	elsif	(/^#((define)|(undef))\s+RC4_INDEX/)
+		{ printf OUT "#%s RC4_INDEX\n",($rc4_idx)?"define":"undef"; }
+	elsif (/^#(define|undef)\s+I386_ONLY/)
+		{ printf OUT "#%s I386_ONLY\n", ($processor == 386)?
+			"define":"undef"; }
+	elsif	(/^#define\s+MD2_INT\s/)
+		{ printf OUT "#define MD2_INT unsigned %s\n",$type[$md2_int]; }
+	elsif	(/^#define\s+IDEA_INT\s/)
+		{printf OUT "#define IDEA_INT unsigned %s\n",$type[$idea_int];}
+	elsif	(/^#define\s+RC2_INT\s/)
+		{printf OUT "#define RC2_INT unsigned %s\n",$type[$rc2_int];}
+	elsif (/^#(define|undef)\s+BF_PTR/)
+		{
+		printf OUT "#undef BF_PTR\n" if $bf_ptr == 0;
+		printf OUT "#define BF_PTR\n" if $bf_ptr == 1;
+		printf OUT "#define BF_PTR2\n" if $bf_ptr == 2;
+	        }
+	else
+		{ print OUT $_; }
+	}
+close(IN);
+close(OUT);
+
+
+# Fix the date
+
+print "SIXTY_FOUR_BIT_LONG mode\n" if $b64l;
+print "SIXTY_FOUR_BIT mode\n" if $b64;
+print "THIRTY_TWO_BIT mode\n" if $b32;
+print "SIXTEEN_BIT mode\n" if $b16;
+print "EIGHT_BIT mode\n" if $b8;
+print "DES_PTR used\n" if $des_ptr;
+print "DES_RISC1 used\n" if $des_risc1;
+print "DES_RISC2 used\n" if $des_risc2;
+print "DES_UNROLL used\n" if $des_unroll;
+print "DES_INT used\n" if $des_int;
+print "BN_LLONG mode\n" if $bn_ll;
+print "RC4 uses u$type[$rc4_int]\n" if $rc4_int != $def_int;
+print "RC4_INDEX mode\n" if $rc4_idx;
+print "RC4_CHUNK is undefined\n" if $rc4_chunk==0;
+print "RC4_CHUNK is unsigned long\n" if $rc4_chunk==1;
+print "RC4_CHUNK is unsigned long long\n" if $rc4_chunk==2;
+print "MD2 uses u$type[$md2_int]\n" if $md2_int != $def_int;
+print "IDEA uses u$type[$idea_int]\n" if $idea_int != $def_int;
+print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int;
+print "BF_PTR used\n" if $bf_ptr == 1; 
+print "BF_PTR2 used\n" if $bf_ptr == 2; 
+
+if($IsWindows) {
+	open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h";
+	printf OUT <<EOF;
+#ifndef MK1MF_BUILD
+  /* auto-generated by Configure for crypto/cversion.c:
+   * for Unix builds, crypto/Makefile.ssl generates functional definitions;
+   * Windows builds (and other mk1mf builds) compile cversion.c with
+   * -DMK1MF_BUILD and use definitions added to this file by util/mk1mf.pl. */
+  #error "Windows builds (PLATFORM=$target) use mk1mf.pl-created Makefiles"
+#endif
+EOF
+	close(OUT);
+} else {
+	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?;
+	### (system 'make depend') == 0 or exit $? if $depflags ne "";
+	# Run "make depend" manually if you want to be able to delete
+	# the source code files of ciphers you left out.
+	&dofile("tools/c_rehash",$openssldir,'^DIR=',	'DIR=%s',);
+	if ( $perl =~ m@^/@) {
+	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
+	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
+	} else {
+	    # No path for Perl known ...
+	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
+	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
+	}	    
+}
+
+print <<EOF;
+
+Configured for $target.
+EOF
+
+print <<\EOF if (!$no_threads && !$threads);
+
+The library could not be configured for supporting multi-threaded
+applications as the compiler options required on this system are not known.
+See file INSTALL for details if you need multi-threading.
+EOF
+
+exit(0);
+
+sub usage
+	{
+	print STDERR $usage;
+	print STDERR "\npick os/compiler from:\n";
+	my $j=0;
+	my $i;
+        my $k=0;
+	foreach $i (sort keys %table)
+		{
+		next if $i =~ /^debug/;
+		$k += length($i) + 1;
+		if ($k > 78)
+			{
+			print STDERR "\n";
+			$k=length($i);
+			}
+		print STDERR $i . " ";
+		}
+	foreach $i (sort keys %table)
+		{
+		next if $i !~ /^debug/;
+		$k += length($i) + 1;
+		if ($k > 78)
+			{
+			print STDERR "\n";
+			$k=length($i);
+			}
+		print STDERR $i . " ";
+		}
+	print STDERR "\n\nNOTE: If in doubt, on Unix-ish systems use './config'.\n";
+	exit(1);
+	}
+
+sub which
+	{
+	my($name)=@_;
+	my $path;
+	foreach $path (split /:/, $ENV{PATH})
+		{
+		if (-f "$path/$name" and -x _)
+			{
+			return "$path/$name" unless ($name eq "perl" and
+			 system("$path/$name -e " . '\'exit($]<5.0);\''));
+			}
+		}
+	}
+
+sub dofile
+	{
+	my $f; my $p; my %m; my @a; my $k; my $ff;
+	($f,$p,%m)=@_;
+
+	open(IN,"<$f.in") || open(IN,"<$f") || die "unable to open $f:$!\n";
+	@a=<IN>;
+	close(IN);
+	foreach $k (keys %m)
+		{
+		grep(/$k/ && ($_=sprintf($m{$k}."\n",$p)),@a);
+		}
+	open(OUT,">$f.new") || die "unable to open $f.new:$!\n";
+	print OUT @a;
+	close(OUT);
+	rename($f,"$f.bak") || die "unable to rename $f\n" if -e $f;
+	rename("$f.new",$f) || die "unable to rename $f.new\n";
+	}
+
+sub print_table_entry
+	{
+	my $target = shift;
+
+	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,
+	my $bn_obj,my $des_obj,my $bf_obj,
+	$md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
+	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+			
+	print <<EOF
+
+*** $target
+\$cc           = $cc
+\$cflags       = $cflags
+\$unistd       = $unistd
+\$thread_cflag = $thread_cflag
+\$lflags       = $lflags
+\$bn_ops       = $bn_ops
+\$bn_obj       = $bn_obj
+\$des_obj      = $des_obj
+\$bf_obj       = $bf_obj
+\$md5_obj      = $md5_obj
+\$sha1_obj     = $sha1_obj
+\$cast_obj     = $cast_obj
+\$rc4_obj      = $rc4_obj
+\$rmd160_obj   = $rmd160_obj
+\$rc5_obj      = $rc5_obj
+EOF
+	}
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
new file mode 100644
index 0000000..7a27c14
--- /dev/null
+++ b/crypto/openssl/FAQ
@@ -0,0 +1,287 @@
+OpenSSL  -  Frequently Asked Questions
+--------------------------------------
+
+* Which is the current version of OpenSSL?
+* Where is the documentation?
+* How can I contact the OpenSSL developers?
+* Do I need patent licenses to use OpenSSL?
+* Is OpenSSL thread-safe?
+* Why do I get a "PRNG not seeded" error message?
+* Why does the linker complain about undefined symbols?
+* Where can I get a compiled version of OpenSSL?
+* I've compiled a program under Windows and it crashes: why?
+* I've called <some function> and it fails, why?
+* I just get a load of numbers for the error output, what do they mean?
+* Why do I get errors about unknown algorithms?
+* How do I create certificates or certificate requests?
+* Why can't I create certificate requests?
+* Why does <SSL program> fail with a certificate verify error?
+* How can I create DSA certificates?
+* Why can't I make an SSL connection using a DSA certificate?
+* Why can't the OpenSSH configure script detect OpenSSL?
+
+
+* Which is the current version of OpenSSL?
+
+The current version is available from <URL: http://www.openssl.org>.
+OpenSSL 0.9.5a was released on April 1st, 2000.
+
+In addition to the current stable release, you can also access daily
+snapshots of the OpenSSL development version at <URL:
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+
+
+* Where is the documentation?
+
+OpenSSL is a library that provides cryptographic functionality to
+applications such as secure web servers.  Be sure to read the
+documentation of the application you want to use.  The INSTALL file
+explains how to install this library.
+
+OpenSSL includes a command line utility that can be used to perform a
+variety of cryptographic functions.  It is described in the openssl(1)
+manpage.  Documentation for developers is currently being written.  A
+few manual pages already are available; overviews over libcrypto and
+libssl are given in the crypto(3) and ssl(3) manpages.
+
+The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
+different directory if you specified one as described in INSTALL).
+In addition, you can read the most current versions at
+<URL: http://www.openssl.org/docs/>.
+
+For information on parts of libcrypto that are not yet documented, you
+might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
+predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
+of this still applies to OpenSSL.
+
+There is some documentation about certificate extensions and PKCS#12
+in doc/openssl.txt
+
+The original SSLeay documentation is included in OpenSSL as
+doc/ssleay.txt.  It may be useful when none of the other resources
+help, but please note that it reflects the obsolete version SSLeay
+0.6.6.
+
+
+* How can I contact the OpenSSL developers?
+
+The README file describes how to submit bug reports and patches to
+OpenSSL.  Information on the OpenSSL mailing lists is available from
+<URL: http://www.openssl.org>.
+
+
+* Do I need patent licenses to use OpenSSL?
+
+The patents section of the README file lists patents that may apply to
+you if you want to use OpenSSL.  For information on intellectual
+property rights, please consult a lawyer.  The OpenSSL team does not
+offer legal advice.
+
+You can configure OpenSSL so as not to use RC5 and IDEA by using
+ ./config no-rc5 no-idea
+
+Until the RSA patent expires, U.S. users may want to use
+ ./config no-rc5 no-idea no-rsa
+
+Please note that you will *not* be able to communicate with most of
+the popular web browsers without RSA support.
+
+
+* Is OpenSSL thread-safe?
+
+Yes (with limitations: an SSL connection may not concurrently be used
+by multiple threads).  On Windows and many Unix systems, OpenSSL
+automatically uses the multi-threaded versions of the standard
+libraries.  If your platform is not one of these, consult the INSTALL
+file.
+
+Multi-threaded applications must provide two callback functions to
+OpenSSL.  This is described in the threads(3) manpage.
+
+
+* Why do I get a "PRNG not seeded" error message?
+
+Cryptographic software needs a source of unpredictable data to work
+correctly.  Many open source operating systems provide a "randomness
+device" that serves this purpose.  On other systems, applications have
+to call the RAND_add() or RAND_seed() function with appropriate data
+before generating keys or performing public key encryption.
+
+Some broken applications do not do this.  As of version 0.9.5, the
+OpenSSL functions that need randomness report an error if the random
+number generator has not been seeded with at least 128 bits of
+randomness.  If this error occurs, please contact the author of the
+application you are using.  It is likely that it never worked
+correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
+to perform potentially insecure encryption.
+
+On systems without /dev/urandom, it is a good idea to use the Entropy
+Gathering Demon; see the RAND_egd() manpage for details.
+
+Most components of the openssl command line tool try to use the
+file $HOME/.rnd (or $RANDFILE, if this environment variable is set)
+for seeding the PRNG.  If this file does not exist or is too short,
+the "PRNG not seeded" error message may occur.
+
+[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version
+0.9.5 does not do this and will fail on systems without /dev/urandom
+when trying to password-encrypt an RSA key!  This is a bug in the
+library; try a later version instead.]
+
+
+* Why does the linker complain about undefined symbols?
+
+Maybe the compilation was interrupted, and make doesn't notice that
+something is missing.  Run "make clean; make".
+
+If you used ./Configure instead of ./config, make sure that you
+selected the right target.  File formats may differ slightly between
+OS versions (for example sparcv8/sparcv9, or a.out/elf).
+
+In case you get errors about the following symbols, use the config
+option "no-asm", as described in INSTALL:
+
+ BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
+ CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
+ RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
+ bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
+ bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
+ des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
+ des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
+
+If none of these helps, you may want to try using the current snapshot.
+If the problem persists, please submit a bug report.
+
+
+* Where can I get a compiled version of OpenSSL?
+
+Some applications that use OpenSSL are distributed in binary form.
+When using such an application, you don't need to install OpenSSL
+yourself; the application will include the required parts (e.g. DLLs).
+
+If you want to install OpenSSL on a Windows system and you don't have
+a C compiler, read the "Mingw32" section of INSTALL.W32 for information
+on how to obtain and install the free GNU C compiler.
+
+A number of Linux and *BSD distributions include OpenSSL.
+
+
+* I've compiled a program under Windows and it crashes: why?
+
+This is usually because you've missed the comment in INSTALL.W32. You
+must link with the multithreaded DLL version of the VC++ runtime library
+otherwise the conflict will cause a program to crash: typically on the
+first BIO related read or write operation.
+
+
+* I've called <some function> and it fails, why?
+
+Before submitting a report or asking in one of the mailing lists you
+should try to determine the cause. In particular you should call
+ERR_print_errors() or ERR_print_errors_fp() after the failed call
+and see if the message helps. 
+
+
+* I just get a load of numbers for the error output, what do they mean?
+
+The actual format is described in the ERR_print_errors() manual page.
+You should call the function ERR_load_crypto_strings() before hand and
+the message will be output in text form. If you can't do this (for example
+it is a pre-compiled binary) you can use the errstr utility on the error
+code itself (the hex digits after the second colon).
+
+
+* Why do I get errors about unknown algorithms?
+
+This can happen under several circumstances such as reading in an
+encrypted private key or attempting to decrypt a PKCS#12 file. The cause
+is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information.
+
+
+* How do I create certificates or certificate requests?
+
+Check out the CA.pl(1) manual page. This provides a simple wrapper round
+the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
+out the manual pages for the individual utilities and the certificate
+extensions documentation (currently in doc/openssl.txt).
+
+
+* Why can't I create certificate requests?
+
+You typically get the error:
+
+	unable to find 'distinguished_name' in config
+	problems making Certificate Request
+
+This is because it can't find the configuration file. Check out the
+DIAGNOSTICS section of req(1) for more information.
+
+
+* Why does <SSL program> fail with a certificate verify error?
+
+This problem is usually indicated by log messages saying something like
+"unable to get local issuer certificate" or "self signed certificate".
+When a certificate is verified its root CA must be "trusted" by OpenSSL
+this typically means that the CA certificate must be placed in a directory
+or file and the relevant program configured to read it. The OpenSSL program
+'verify' behaves in a similar way and issues similar error messages: check
+the verify(1) program manual page for more information.
+
+
+* How can I create DSA certificates?
+
+Check the CA.pl(1) manual page for a DSA certificate example.
+
+
+* Why can't I make an SSL connection to a server using a DSA certificate?
+
+Typically you'll see a message saying there are no shared ciphers when
+the same setup works fine with an RSA certificate. There are two possible
+causes. The client may not support connections to DSA servers most web
+browsers only support connections to servers supporting RSA cipher suites.
+The other cause is that a set of DH parameters has not been supplied to
+the server. DH parameters can be created with the dhparam(1) command and
+loaded using the SSL_CTX_set_tmp_dh() for example: check the source to
+s_server in apps/s_server.c for an example.
+
+
+* Why can't the OpenSSH configure script detect OpenSSL?
+
+There is a problem with OpenSSH 1.2.2p1, in that the configure script
+can't find the installed OpenSSL libraries.  The problem is actually
+a small glitch that is easily solved with the following patch to be
+applied to the OpenSSH distribution:
+
+----- snip:start -----
+--- openssh-1.2.2p1/configure.in.orig	Thu Mar 23 18:56:58 2000
++++ openssh-1.2.2p1/configure.in	Thu Mar 23 18:55:05 2000
+@@ -152,10 +152,10 @@
+ AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
+ for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
+ 	if test ! -z "$ssldir" ; then
+-		LIBS="$saved_LIBS -L$ssldir"
++		LIBS="$saved_LIBS -L$ssldir/lib"
+ 		CFLAGS="$CFLAGS -I$ssldir/include"
+ 		if test "x$need_dash_r" = "x1" ; then
+-			LIBS="$LIBS -R$ssldir"
++			LIBS="$LIBS -R$ssldir/lib"
+ 		fi
+ 	fi
+ 	LIBS="$LIBS -lcrypto"
+--- openssh-1.2.2p1/configure.orig	Thu Mar 23 18:55:02 2000
++++ openssh-1.2.2p1/configure	Thu Mar 23 18:57:08 2000
+@@ -1890,10 +1890,10 @@
+ echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
+ for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
+ 	if test ! -z "$ssldir" ; then
+-		LIBS="$saved_LIBS -L$ssldir"
++		LIBS="$saved_LIBS -L$ssldir/lib"
+ 		CFLAGS="$CFLAGS -I$ssldir/include"
+ 		if test "x$need_dash_r" = "x1" ; then
+-			LIBS="$LIBS -R$ssldir"
++			LIBS="$LIBS -R$ssldir/lib"
+ 		fi
+ 	fi
+ 	LIBS="$LIBS -lcrypto"
+----- snip:end -----
diff --git a/crypto/openssl/FREEBSD-Xlist b/crypto/openssl/FREEBSD-Xlist
new file mode 100644
index 0000000..2721c7a
--- /dev/null
+++ b/crypto/openssl/FREEBSD-Xlist
@@ -0,0 +1,25 @@
+$FreeBSD$
+*INSTALL.VMS
+*INSTALL.W32
+*VMS/
+*.bat
+*.com
+*/*.bat
+*/*.com
+*apps/openssl-vms.cnf
+*crypto/bf/asm/b-win32.asm
+*crypto/bn/asm/bn-win32.asm
+*crypto/bn/asm/vms.mar
+*crypto/bn/asm/x86w16.asm
+*crypto/bn/asm/x86w32.asm
+*crypto/bn/vms-helper.c
+*crypto/cast/asm/c-win32.asm
+*crypto/des/asm/d-win32.asm
+*crypto/des/asm/y-win32.asm
+*crypto/des/des-lib.com
+*crypto/md5/asm/m5-win32.asm
+*crypto/rc4/asm/r4-win32.asm
+*crypto/rc5/asm/r5-win32.asm
+*crypto/ripemd/asm/rm-win32.asm
+*crypto/sha/asm/s1-win32.asm
+*ms/
diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL
new file mode 100644
index 0000000..7cbde16
--- /dev/null
+++ b/crypto/openssl/INSTALL
@@ -0,0 +1,255 @@
+
+ INSTALLATION ON THE UNIX PLATFORM
+ ---------------------------------
+
+ [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
+  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+
+ To install OpenSSL, you will need:
+
+  * Perl 5
+  * an ANSI C compiler
+  * a supported Unix operating system
+
+ Quick Start
+ -----------
+
+ If you want to just get on with it, do:
+
+  $ ./config
+  $ make
+  $ make test
+  $ make install
+
+ [If any of these steps fails, see section Installation in Detail below.]
+
+ This will build and install OpenSSL in the default location, which is (for
+ historical reasons) /usr/local/ssl. If you want to install it anywhere else,
+ run config like this:
+
+  $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
+
+
+ Configuration Options
+ ---------------------
+
+ There are several options to ./config (or ./Configure) to customize
+ the build:
+
+  --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
+	        Configuration files used by OpenSSL will be in DIR/ssl
+                or the directory specified by --openssldir.
+
+  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
+                the library files and binaries are also installed there.
+
+  rsaref        Build with RSADSI's RSAREF toolkit (this assumes that
+                librsaref.a is in the library search path).
+
+  no-threads    Don't try to build with support for multi-threaded
+                applications.
+
+  threads       Build with support for multi-threaded applications.
+                This will usually require additional system-dependent options!
+                See "Note on multi-threading" below.
+
+  no-asm        Do not use assembler code.
+
+  386           Use the 80386 instruction set only (the default x86 code is
+                more efficient, but requires at least a 486).
+
+  no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
+                hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
+                The crypto/<cipher> directory can be removed after running
+                "make depend".
+
+  -Dxxx, -lxxx, -Lxxx, -fxxx, -Kxxx These system specific options will
+                be passed through to the compiler to allow you to
+                define preprocessor symbols, specify additional libraries,
+                library directories or other compiler options.
+
+
+ Installation in Detail
+ ----------------------
+
+ 1a. Configure OpenSSL for your operation system automatically:
+
+       $ ./config [options]
+
+     This guesses at your operating system (and compiler, if necessary) and
+     configures OpenSSL based on this guess. Run ./config -t to see
+     if it guessed correctly. If you want to use a different compiler, you
+     are cross-compiling for another platform, or the ./config guess was
+     wrong for other reasons, go to step 1b. Otherwise go to step 2.
+
+     On some systems, you can include debugging information as follows:
+
+       $ ./config -d [options]
+
+ 1b. Configure OpenSSL for your operating system manually
+
+     OpenSSL knows about a range of different operating system, hardware and
+     compiler combinations. To see the ones it knows about, run
+
+       $ ./Configure
+
+     Pick a suitable name from the list that matches your system. For most
+     operating systems there is a choice between using "cc" or "gcc".  When
+     you have identified your system (and if necessary compiler) use this name
+     as the argument to ./Configure. For example, a "linux-elf" user would
+     run:
+
+       $ ./Configure linux-elf [options]
+
+     If your system is not available, you will have to edit the Configure
+     program and add the correct configuration for your system. The
+     generic configurations "cc" or "gcc" should usually work on 32 bit
+     systems.
+
+     Configure creates the file Makefile.ssl from Makefile.org and
+     defines various macros in crypto/opensslconf.h (generated from
+     crypto/opensslconf.h.in).
+
+  2. Build OpenSSL by running:
+
+       $ make
+
+     This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
+     OpenSSL binary ("openssl"). The libraries will be built in the top-level
+     directory, and the binary will be in the "apps" directory.
+
+     If "make" fails, please report the problem to <openssl-bugs@openssl.org>
+     (note that your message will be forwarded to a public mailing list).
+     Include the output of "make report" in your message.
+
+     [If you encounter assembler error messages, try the "no-asm"
+     configuration option as an immediate fix.]
+
+     Compiling parts of OpenSSL with gcc and others with the system
+     compiler will result in unresolved symbols on some systems.
+
+  3. After a successful build, the libraries should be tested. Run:
+
+       $ make test
+
+    If a test fails, try removing any compiler optimization flags from
+    the CFLAGS line in Makefile.ssl and run "make clean; make". Please
+    send a bug report to <openssl-bugs@openssl.org>, including the
+    output of "make report".
+
+  4. If everything tests ok, install OpenSSL with
+
+       $ make install
+
+     This will create the installation directory (if it does not exist) and
+     then the following subdirectories:
+
+       certs           Initially empty, this is the default location
+                       for certificate files.
+       man/man1        Manual pages for the 'openssl' command line tool
+       man/man3        Manual pages for the libraries (very incomplete)
+       misc            Various scripts.
+       private         Initially empty, this is the default location
+                       for private key files.
+
+     If you didn't choose a different installation prefix, the
+     following additional subdirectories will be created:
+
+       bin             Contains the openssl binary and a few other 
+                       utility programs. 
+       include/openssl Contains the header files needed if you want to
+                       compile programs with libcrypto or libssl.
+       lib             Contains the OpenSSL library files themselves.
+
+     Package builders who want to configure the library for standard
+     locations, but have the package installed somewhere else so that
+     it can easily be packaged, can use
+
+       $ make INSTALL_PREFIX=/tmp/package-root install
+
+     (or specify "--install_prefix=/tmp/package-root" as a configure
+     option).  The specified prefix will be prepended to all
+     installation target filenames.
+
+
+  NOTE: The header files used to reside directly in the include
+  directory, but have now been moved to include/openssl so that
+  OpenSSL can co-exist with other libraries which use some of the
+  same filenames.  This means that applications that use OpenSSL
+  should now use C preprocessor directives of the form
+
+       #include <openssl/ssl.h>
+
+  instead of "#include <ssl.h>", which was used with library versions
+  up to OpenSSL 0.9.2b.
+
+  If you install a new version of OpenSSL over an old library version,
+  you should delete the old header files in the include directory.
+
+  Compatibility issues:
+
+  *  COMPILING existing applications
+
+     To compile an application that uses old filenames -- e.g.
+     "#include <ssl.h>" --, it will usually be enough to find
+     the CFLAGS definition in the application's Makefile and
+     add a C option such as
+
+          -I/usr/local/ssl/include/openssl
+
+     to it.
+
+     But don't delete the existing -I option that points to
+     the ..../include directory!  Otherwise, OpenSSL header files
+     could not #include each other.
+
+  *  WRITING applications
+
+     To write an application that is able to handle both the new
+     and the old directory layout, so that it can still be compiled
+     with library versions up to OpenSSL 0.9.2b without bothering
+     the user, you can proceed as follows:
+
+     -  Always use the new filename of OpenSSL header files,
+        e.g. #include <openssl/ssl.h>.
+
+     -  Create a directory "incl" that contains only a symbolic
+        link named "openssl", which points to the "include" directory
+        of OpenSSL.
+        For example, your application's Makefile might contain the
+        following rule, if OPENSSLDIR is a pathname (absolute or
+        relative) of the directory where OpenSSL resides:
+
+        incl/openssl:
+        	-mkdir incl
+        	cd $(OPENSSLDIR) # Check whether the directory really exists
+        	-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
+
+        You will have to add "incl/openssl" to the dependencies
+        of those C files that include some OpenSSL header file.
+
+     -  Add "-Iincl" to your CFLAGS.
+
+     With these additions, the OpenSSL header files will be available
+     under both name variants if an old library version is used:
+     Your application can reach them under names like <openssl/foo.h>,
+     while the header files still are able to #include each other
+     with names of the form <foo.h>.
+
+
+ Note on multi-threading
+ -----------------------
+
+ For some systems, the OpenSSL Configure script knows what compiler options
+ are needed to generate a library that is suitable for multi-threaded
+ applications.  On these systems, support for multi-threading is enabled
+ by default; use the "no-threads" option to disable (this should never be
+ necessary).
+
+ On other systems, to enable support for multi-threading, you will have
+ to specify at least two options: "threads", and a system-dependent option.
+ (The latter is "-D_REENTRANT" on various systems.)  The default in this
+ case, obviously, is not to include support for multi-threading (but
+ you can still use "no-threads" to suppress an annoying warning message
+ from the Configure script.)
+
diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE
new file mode 100644
index 0000000..bdd5f7b
--- /dev/null
+++ b/crypto/openssl/LICENSE
@@ -0,0 +1,127 @@
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
new file mode 100644
index 0000000..5b997fd
--- /dev/null
+++ b/crypto/openssl/Makefile.org
@@ -0,0 +1,393 @@
+##
+## Makefile for OpenSSL
+##
+
+VERSION=
+MAJOR=
+MINOR=
+PLATFORM=dist
+OPTIONS=
+# INSTALL_PREFIX is for package builders so that they can configure
+# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
+# Normally it is left empty.
+INSTALL_PREFIX=
+INSTALLTOP=/usr/local/ssl
+
+# Do not edit this manually. Use Configure --openssldir=DIR do change this!
+OPENSSLDIR=/usr/local/ssl
+
+# RSAref  - Define if we are to link with RSAref.
+# NO_IDEA - Define to build without the IDEA algorithm
+# NO_RC4  - Define to build without the RC4 algorithm
+# NO_RC2  - Define to build without the RC2 algorithm
+# THREADS - Define when building with threads, you will probably also need any
+#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
+# TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
+# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
+# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
+# DEVRANDOM - Give this the value of the 'random device' if your OS supports
+#           one.  32 bytes will be read from this when the random
+#           number generator is initalised.
+# SSL_FORBID_ENULL - define if you want the server to be not able to use the
+#           NULL encryption ciphers.
+#
+# LOCK_DEBUG - turns on lots of lock debug output :-)
+# REF_CHECK - turn on some xyz_free() assertions.
+# REF_PRINT - prints some stuff on structure free.
+# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
+# MFUNC - Make all Malloc/Free/Realloc calls call
+#       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
+#       call application defined callbacks via CRYPTO_set_mem_functions()
+# MD5_ASM needs to be defined to use the x86 assembler for MD5
+# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
+# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
+# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
+# equal 4.
+# PKCS1_CHECK - pkcs1 tests.
+
+CC= gcc
+#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+DEPFLAG= 
+PEX_LIBS= -L. -L.. -L../.. -L../../..
+EX_LIBS= 
+AR=ar r
+RANLIB= ranlib
+PERL= perl
+TAR= tar
+TARFLAGS= --norecurse
+
+# Set BN_ASM to bn_asm.o if you want to use the C version
+BN_ASM= bn_asm.o
+#BN_ASM= bn_asm.o
+#BN_ASM= asm/bn86-elf.o	# elf, linux-elf
+#BN_ASM= asm/bn86-sol.o # solaris
+#BN_ASM= asm/bn86-out.o # a.out, FreeBSD
+#BN_ASM= asm/bn86bsdi.o # bsdi
+#BN_ASM= asm/alpha.o    # DEC Alpha
+#BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC
+#BN_ASM= asm/r3000.o    # SGI MIPS cpu
+#BN_ASM= asm/sparc.o    # Sun solaris/SunOS
+#BN_ASM= asm/bn-win32.o # Windows 95/NT
+#BN_ASM= asm/x86w16.o   # 16 bit code for Windows 3.1/DOS
+#BN_ASM= asm/x86w32.o   # 32 bit code for Windows 3.1
+
+# For x86 assembler: Set PROCESSOR to 386 if you want to support
+# the 80386.
+PROCESSOR=
+
+# Set DES_ENC to des_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+DES_ENC= asm/dx86-out.o asm/yx86-out.o
+#DES_ENC= des_enc.o fcrypt_b.o          # C
+#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
+#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
+#DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD
+#DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi
+
+# Set BF_ENC to bf_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+BF_ENC= asm/bx86-out.o
+#BF_ENC= bf_enc.o
+#BF_ENC= asm/bx86-elf.o # elf
+#BF_ENC= asm/bx86-sol.o # solaris
+#BF_ENC= asm/bx86-out.o # a.out, FreeBSD
+#BF_ENC= asm/bx86bsdi.o # bsdi
+
+# Set CAST_ENC to c_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+CAST_ENC= asm/cx86-out.o
+#CAST_ENC= c_enc.o
+#CAST_ENC= asm/cx86-elf.o # elf
+#CAST_ENC= asm/cx86-sol.o # solaris
+#CAST_ENC= asm/cx86-out.o # a.out, FreeBSD
+#CAST_ENC= asm/cx86bsdi.o # bsdi
+
+# Set RC4_ENC to rc4_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC4_ENC= asm/rx86-out.o
+#RC4_ENC= rc4_enc.o
+#RC4_ENC= asm/rx86-elf.o # elf
+#RC4_ENC= asm/rx86-sol.o # solaris
+#RC4_ENC= asm/rx86-out.o # a.out, FreeBSD
+#RC4_ENC= asm/rx86bsdi.o # bsdi
+
+# Set RC5_ENC to rc5_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC5_ENC= asm/r586-out.o
+#RC5_ENC= rc5_enc.o
+#RC5_ENC= asm/r586-elf.o # elf
+#RC5_ENC= asm/r586-sol.o # solaris
+#RC5_ENC= asm/r586-out.o # a.out, FreeBSD
+#RC5_ENC= asm/r586bsdi.o # bsdi
+
+# Also need MD5_ASM defined
+MD5_ASM_OBJ= asm/mx86-out.o
+#MD5_ASM_OBJ= asm/mx86-elf.o        # elf
+#MD5_ASM_OBJ= asm/mx86-sol.o        # solaris
+#MD5_ASM_OBJ= asm/mx86-out.o        # a.out, FreeBSD
+#MD5_ASM_OBJ= asm/mx86bsdi.o        # bsdi
+
+# Also need SHA1_ASM defined
+SHA1_ASM_OBJ= asm/sx86-out.o
+#SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
+#SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
+#SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
+#SHA1_ASM_OBJ= asm/sx86bsdi.o       # bsdi
+
+# Also need RMD160_ASM defined
+RMD160_ASM_OBJ= asm/rm86-out.o
+#RMD160_ASM_OBJ= asm/rm86-elf.o       # elf
+#RMD160_ASM_OBJ= asm/rm86-sol.o       # solaris
+#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
+#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
+
+DIRS=   crypto ssl rsaref apps test tools
+SHLIBDIRS= crypto ssl
+
+# dirs in crypto to build
+SDIRS=  \
+	md2 md5 sha mdc2 hmac ripemd \
+	des rc2 rc4 rc5 idea bf cast \
+	bn rsa dsa dh \
+	buffer bio stack lhash rand err objects \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+
+MAKEFILE= Makefile.ssl
+MAKE=     make -f Makefile.ssl
+
+MANDIR=$(OPENSSLDIR)/man
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+
+TOP=    .
+ONEDIRS=out tmp
+EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
+WDIRS=  windows
+LIBS=   libcrypto.a libssl.a 
+
+GENERAL=        Makefile
+BASENAME=       openssl
+NAME=           $(BASENAME)-$(VERSION)
+TARFILE=        $(NAME).tar
+WTARFILE=       $(NAME)-win.tar
+EXHEADER=       e_os.h e_os2.h
+HEADER=         e_os.h
+
+all: Makefile.ssl
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making all in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done
+	-@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+	-@# cd perl; $(PERL) Makefile.PL; make
+
+sub_all:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making all in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done;
+
+linux-shared:
+	for i in ${SHLIBDIRS}; do \
+	rm -f lib$$i.a lib$$i.so \
+		lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+	${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+	( set -x; ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+		-Wl,-S,-soname=lib$$i.so.${MAJOR} \
+		-Wl,--whole-archive lib$$i.a \
+		-Wl,--no-whole-archive -lc ) || exit 1; \
+	rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+	done;
+	@set -x; \
+	for i in ${SHLIBDIRS}; do \
+	ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+	ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+	done;
+
+Makefile.ssl: Makefile.org
+	@echo "Makefile.ssl is older than Makefile.org."
+	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
+	@false
+
+libclean:
+	rm -f *.a */lib */*/lib
+
+clean:
+	rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making clean in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+	rm -f $(LIBS); \
+	done;
+	rm -f *.a *.o speed.* *.map *.so .pure core
+	rm -f $(TARFILE)
+	@for i in $(ONEDIRS) ;\
+	do \
+	rm -fr $$i/*; \
+	done
+
+makefile.one: files
+	$(PERL) util/mk1mf.pl >makefile.one; \
+	sh util/do_ms.sh
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making 'files' in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
+	done;
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
+	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
+	@for i in $(DIRS); do \
+	(cd $$i && echo "making links in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+	done;
+
+dclean:
+	rm -f *.bak
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making dclean in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
+	done;
+
+rehash: rehash.time
+rehash.time: certs
+	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+	touch rehash.time
+
+test:   tests
+
+tests: rehash
+	@(cd test && echo "testing..." && \
+	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests );
+	@apps/openssl version -a
+
+report:
+	@$(PERL) util/selftest.pl
+
+depend:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making dependencies $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+	done;
+
+lint:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making lint $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
+	done;
+
+tags:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making tags $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
+	done;
+
+errors:
+	perl util/mkerr.pl -recurse -write
+
+util/libeay.num::
+	perl util/mkdef.pl crypto update
+
+util/ssleay.num::
+	perl util/mkdef.pl ssl update
+
+crypto/objects/obj_dat.h: crypto/objects/objects.h crypto/objects/obj_dat.pl
+	perl crypto/objects/obj_dat.pl crypto/objects/objects.h crypto/objects/obj_dat.h
+
+TABLE: Configure
+	(echo 'Output of `Configure TABLE'"':"; \
+	perl Configure TABLE) > TABLE
+
+update: depend errors util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+
+tar:
+	@$(TAR) $(TARFLAGS) -cvf - \
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	tardy --user_number=0  --user_name=openssl \
+	      --group_number=0 --group_name=openssl \
+	      --prefix=openssl-$(VERSION) - |\
+	gzip --best >../$(TARFILE).gz; \
+	ls -l ../$(TARFILE).gz
+
+dist:   
+	$(PERL) Configure dist
+	@$(MAKE) dist_pem_h
+	@$(MAKE) SDIRS='${SDIRS}' clean
+	@$(MAKE) tar
+
+dist_pem_h:
+	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
+
+install: all install_docs
+	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/private \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/lib
+	@for i in $(EXHEADER) ;\
+	do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i; echo "installing $$i..."; \
+	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \
+	done
+	@for i in $(LIBS) ;\
+	do \
+	(       echo installing $$i; \
+		cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+		$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+		chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+	done
+
+install_docs:
+	@$(PERL) $(TOP)/util/mkdir-p.pl \
+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
+		$(INSTALL_PREFIX)$(MANDIR)/man7
+	@echo installing man 1 and man 5
+	@for i in doc/apps/*.pod; do \
+		fn=`basename $$i .pod`; \
+		sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \
+		(cd `dirname $$i`; \
+		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+			 --release=$(VERSION) `basename $$i`) \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+	done
+	@echo installing man 3 and man 7
+	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+		fn=`basename $$i .pod`; \
+		sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \
+		(cd `dirname $$i`; \
+		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`) \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+	done
+
+shlib: all
+	if [ ! -d shlib_dir ] ; then mkdir shlib_dir ; else rm -f shlib_dir/* ; fi
+	cd shlib_dir ; ar -x ../libcrypto.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libcrypto.so.0.9 \
+            -o ./libcrypto.so.0.9.4 && rm *.o
+	cd shlib_dir ; ar -x ../libssl.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libssl.so.0.9 \
+            -o ./libssl.so.0.9.4 && rm *.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl
new file mode 100644
index 0000000..5f36971
--- /dev/null
+++ b/crypto/openssl/Makefile.ssl
@@ -0,0 +1,395 @@
+### Generated automatically from Makefile.org by Configure.
+
+##
+## Makefile for OpenSSL
+##
+
+VERSION=0.9.5a
+MAJOR=0
+MINOR=9.5
+PLATFORM=dist
+OPTIONS=
+# INSTALL_PREFIX is for package builders so that they can configure
+# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
+# Normally it is left empty.
+INSTALL_PREFIX=
+INSTALLTOP=/usr/local/ssl
+
+# Do not edit this manually. Use Configure --openssldir=DIR do change this!
+OPENSSLDIR=/usr/local/ssl
+
+# RSAref  - Define if we are to link with RSAref.
+# NO_IDEA - Define to build without the IDEA algorithm
+# NO_RC4  - Define to build without the RC4 algorithm
+# NO_RC2  - Define to build without the RC2 algorithm
+# THREADS - Define when building with threads, you will probably also need any
+#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
+# TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
+# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
+# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
+# DEVRANDOM - Give this the value of the 'random device' if your OS supports
+#           one.  32 bytes will be read from this when the random
+#           number generator is initalised.
+# SSL_FORBID_ENULL - define if you want the server to be not able to use the
+#           NULL encryption ciphers.
+#
+# LOCK_DEBUG - turns on lots of lock debug output :-)
+# REF_CHECK - turn on some xyz_free() assertions.
+# REF_PRINT - prints some stuff on structure free.
+# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
+# MFUNC - Make all Malloc/Free/Realloc calls call
+#       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
+#       call application defined callbacks via CRYPTO_set_mem_functions()
+# MD5_ASM needs to be defined to use the x86 assembler for MD5
+# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
+# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
+# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
+# equal 4.
+# PKCS1_CHECK - pkcs1 tests.
+
+CC= cc
+#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -O
+DEPFLAG= 
+PEX_LIBS= -L. -L.. -L../.. -L../../..
+EX_LIBS= 
+AR=ar r
+RANLIB= /usr/bin/ranlib
+PERL= /usr/local/bin/perl
+TAR= tar
+TARFLAGS= --norecurse
+
+# Set BN_ASM to bn_asm.o if you want to use the C version
+BN_ASM= bn_asm.o
+#BN_ASM= bn_asm.o
+#BN_ASM= asm/bn86-elf.o	# elf, linux-elf
+#BN_ASM= asm/bn86-sol.o # solaris
+#BN_ASM= asm/bn86-out.o # a.out, FreeBSD
+#BN_ASM= asm/bn86bsdi.o # bsdi
+#BN_ASM= asm/alpha.o    # DEC Alpha
+#BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC
+#BN_ASM= asm/r3000.o    # SGI MIPS cpu
+#BN_ASM= asm/sparc.o    # Sun solaris/SunOS
+#BN_ASM= asm/bn-win32.o # Windows 95/NT
+#BN_ASM= asm/x86w16.o   # 16 bit code for Windows 3.1/DOS
+#BN_ASM= asm/x86w32.o   # 32 bit code for Windows 3.1
+
+# For x86 assembler: Set PROCESSOR to 386 if you want to support
+# the 80386.
+PROCESSOR= 
+
+# Set DES_ENC to des_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+DES_ENC= des_enc.o fcrypt_b.o
+#DES_ENC= des_enc.o fcrypt_b.o          # C
+#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
+#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
+#DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD
+#DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi
+
+# Set BF_ENC to bf_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+BF_ENC= bf_enc.o
+#BF_ENC= bf_enc.o
+#BF_ENC= asm/bx86-elf.o # elf
+#BF_ENC= asm/bx86-sol.o # solaris
+#BF_ENC= asm/bx86-out.o # a.out, FreeBSD
+#BF_ENC= asm/bx86bsdi.o # bsdi
+
+# Set CAST_ENC to c_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+CAST_ENC= c_enc.o
+#CAST_ENC= c_enc.o
+#CAST_ENC= asm/cx86-elf.o # elf
+#CAST_ENC= asm/cx86-sol.o # solaris
+#CAST_ENC= asm/cx86-out.o # a.out, FreeBSD
+#CAST_ENC= asm/cx86bsdi.o # bsdi
+
+# Set RC4_ENC to rc4_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC4_ENC= rc4_enc.o
+#RC4_ENC= rc4_enc.o
+#RC4_ENC= asm/rx86-elf.o # elf
+#RC4_ENC= asm/rx86-sol.o # solaris
+#RC4_ENC= asm/rx86-out.o # a.out, FreeBSD
+#RC4_ENC= asm/rx86bsdi.o # bsdi
+
+# Set RC5_ENC to rc5_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC5_ENC= rc5_enc.o
+#RC5_ENC= rc5_enc.o
+#RC5_ENC= asm/r586-elf.o # elf
+#RC5_ENC= asm/r586-sol.o # solaris
+#RC5_ENC= asm/r586-out.o # a.out, FreeBSD
+#RC5_ENC= asm/r586bsdi.o # bsdi
+
+# Also need MD5_ASM defined
+MD5_ASM_OBJ= 
+#MD5_ASM_OBJ= asm/mx86-elf.o        # elf
+#MD5_ASM_OBJ= asm/mx86-sol.o        # solaris
+#MD5_ASM_OBJ= asm/mx86-out.o        # a.out, FreeBSD
+#MD5_ASM_OBJ= asm/mx86bsdi.o        # bsdi
+
+# Also need SHA1_ASM defined
+SHA1_ASM_OBJ= 
+#SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
+#SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
+#SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
+#SHA1_ASM_OBJ= asm/sx86bsdi.o       # bsdi
+
+# Also need RMD160_ASM defined
+RMD160_ASM_OBJ= 
+#RMD160_ASM_OBJ= asm/rm86-elf.o       # elf
+#RMD160_ASM_OBJ= asm/rm86-sol.o       # solaris
+#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
+#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
+
+DIRS=   crypto ssl rsaref apps test tools
+SHLIBDIRS= crypto ssl
+
+# dirs in crypto to build
+SDIRS=  \
+	md2 md5 sha mdc2 hmac ripemd \
+	des rc2 rc4 rc5 idea bf cast \
+	bn rsa dsa dh \
+	buffer bio stack lhash rand err objects \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+
+MAKEFILE= Makefile.ssl
+MAKE=     make -f Makefile.ssl
+
+MANDIR=$(OPENSSLDIR)/man
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+
+TOP=    .
+ONEDIRS=out tmp
+EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
+WDIRS=  windows
+LIBS=   libcrypto.a libssl.a 
+
+GENERAL=        Makefile
+BASENAME=       openssl
+NAME=           $(BASENAME)-$(VERSION)
+TARFILE=        $(NAME).tar
+WTARFILE=       $(NAME)-win.tar
+EXHEADER=       e_os.h e_os2.h
+HEADER=         e_os.h
+
+all: Makefile.ssl
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making all in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done
+	-@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+	-@# cd perl; $(PERL) Makefile.PL; make
+
+sub_all:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making all in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done;
+
+linux-shared:
+	for i in ${SHLIBDIRS}; do \
+	rm -f lib$$i.a lib$$i.so \
+		lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+	${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+	( set -x; ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+		-Wl,-S,-soname=lib$$i.so.${MAJOR} \
+		-Wl,--whole-archive lib$$i.a \
+		-Wl,--no-whole-archive -lc ) || exit 1; \
+	rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+	done;
+	@set -x; \
+	for i in ${SHLIBDIRS}; do \
+	ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+	ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+	done;
+
+Makefile.ssl: Makefile.org
+	@echo "Makefile.ssl is older than Makefile.org."
+	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
+	@false
+
+libclean:
+	rm -f *.a */lib */*/lib
+
+clean:
+	rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making clean in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+	rm -f $(LIBS); \
+	done;
+	rm -f *.a *.o speed.* *.map *.so .pure core
+	rm -f $(TARFILE)
+	@for i in $(ONEDIRS) ;\
+	do \
+	rm -fr $$i/*; \
+	done
+
+makefile.one: files
+	$(PERL) util/mk1mf.pl >makefile.one; \
+	sh util/do_ms.sh
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making 'files' in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
+	done;
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
+	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
+	@for i in $(DIRS); do \
+	(cd $$i && echo "making links in $$i..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+	done;
+
+dclean:
+	rm -f *.bak
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making dclean in $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
+	done;
+
+rehash: rehash.time
+rehash.time: certs
+	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+	touch rehash.time
+
+test:   tests
+
+tests: rehash
+	@(cd test && echo "testing..." && \
+	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests );
+	@apps/openssl version -a
+
+report:
+	@$(PERL) util/selftest.pl
+
+depend:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making dependencies $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+	done;
+
+lint:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making lint $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
+	done;
+
+tags:
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i && echo "making tags $$i..." && \
+	$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
+	done;
+
+errors:
+	perl util/mkerr.pl -recurse -write
+
+util/libeay.num::
+	perl util/mkdef.pl crypto update
+
+util/ssleay.num::
+	perl util/mkdef.pl ssl update
+
+crypto/objects/obj_dat.h: crypto/objects/objects.h crypto/objects/obj_dat.pl
+	perl crypto/objects/obj_dat.pl crypto/objects/objects.h crypto/objects/obj_dat.h
+
+TABLE: Configure
+	(echo 'Output of `Configure TABLE'"':"; \
+	perl Configure TABLE) > TABLE
+
+update: depend errors util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+
+tar:
+	@$(TAR) $(TARFLAGS) -cvf - \
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	tardy --user_number=0  --user_name=openssl \
+	      --group_number=0 --group_name=openssl \
+	      --prefix=openssl-$(VERSION) - |\
+	gzip --best >../$(TARFILE).gz; \
+	ls -l ../$(TARFILE).gz
+
+dist:   
+	$(PERL) Configure dist
+	@$(MAKE) dist_pem_h
+	@$(MAKE) SDIRS='${SDIRS}' clean
+	@$(MAKE) tar
+
+dist_pem_h:
+	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
+
+install: all install_docs
+	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/private \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/lib
+	@for i in $(EXHEADER) ;\
+	do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+	@for i in $(DIRS) ;\
+	do \
+	(cd $$i; echo "installing $$i..."; \
+	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \
+	done
+	@for i in $(LIBS) ;\
+	do \
+	(       echo installing $$i; \
+		cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+		$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+		chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+	done
+
+install_docs:
+	@$(PERL) $(TOP)/util/mkdir-p.pl \
+		$(INSTALL_PREFIX)$(MANDIR)/man1 \
+		$(INSTALL_PREFIX)$(MANDIR)/man3 \
+		$(INSTALL_PREFIX)$(MANDIR)/man5 \
+		$(INSTALL_PREFIX)$(MANDIR)/man7
+	@echo installing man 1 and man 5
+	@for i in doc/apps/*.pod; do \
+		fn=`basename $$i .pod`; \
+		sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \
+		(cd `dirname $$i`; \
+		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+			 --release=$(VERSION) `basename $$i`) \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+	done
+	@echo installing man 3 and man 7
+	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+		fn=`basename $$i .pod`; \
+		sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \
+		(cd `dirname $$i`; \
+		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`) \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+	done
+
+shlib: all
+	if [ ! -d shlib_dir ] ; then mkdir shlib_dir ; else rm -f shlib_dir/* ; fi
+	cd shlib_dir ; ar -x ../libcrypto.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libcrypto.so.0.9 \
+            -o ./libcrypto.so.0.9.4 && rm *.o
+	cd shlib_dir ; ar -x ../libssl.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libssl.so.0.9 \
+            -o ./libssl.so.0.9.4 && rm *.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
new file mode 100644
index 0000000..7c30b76
--- /dev/null
+++ b/crypto/openssl/NEWS
@@ -0,0 +1,110 @@
+
+  NEWS
+  ====
+
+  This file gives a brief overview of the major changes between each OpenSSL
+  release. For more details please read the CHANGES file.
+
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+
+      o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
+      o Shared library support for HPUX and Solaris-gcc
+      o Support of Linux/IA64
+      o Assembler support for Mingw32
+      o New 'rand' application
+      o New way to check for existence of algorithms from scripts
+
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+
+      o S/MIME support in new 'smime' command
+      o Documentation for the OpenSSL command line application
+      o Automation of 'req' application
+      o Fixes to make s_client, s_server work under Windows
+      o Support for multiple fieldnames in SPKACs
+      o New SPKAC command line utilty and associated library functions
+      o Options to allow passwords to be obtained from various sources
+      o New public key PEM format and options to handle it
+      o Many other fixes and enhancements to command line utilities
+      o Usable certificate chain verification
+      o Certificate purpose checking
+      o Certificate trust settings
+      o Support of authority information access extension
+      o Extensions in certificate requests
+      o Simplified X509 name and attribute routines
+      o Initial (incomplete) support for international character sets
+      o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
+      o Read only memory BIOs and simplified creation function
+      o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
+        record; allow fragmentation and interleaving of handshake and other
+        data
+      o TLS/SSL code now "tolerates" MS SGC
+      o Work around for Netscape client certificate hang bug
+      o RSA_NULL option that removes RSA patent code but keeps other
+        RSA functionality
+      o Memory leak detection now allows applications to add extra information
+        via a per-thread stack
+      o PRNG robustness improved
+      o EGD support
+      o BIGNUM library bug fixes
+      o Faster DSA parameter generation
+      o Enhanced support for Alpha Linux
+      o Experimental MacOS support
+
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+
+      o Transparent support for PKCS#8 format private keys: these are used
+        by several software packages and are more secure than the standard
+        form
+      o PKCS#5 v2.0 implementation
+      o Password callbacks have a new void * argument for application data
+      o Avoid various memory leaks
+      o New pipe-like BIO that allows using the SSL library when actual I/O
+        must be handled by the application (BIO pair)
+
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+      o Lots of enhancements and cleanups to the Configuration mechanism
+      o RSA OEAP related fixes
+      o Added `openssl ca -revoke' option for revoking a certificate
+      o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
+      o Source tree cleanups: removed lots of obsolete files
+      o Thawte SXNet, certificate policies and CRL distribution points
+        extension support
+      o Preliminary (experimental) S/MIME support
+      o Support for ASN.1 UTF8String and VisibleString
+      o Full integration of PKCS#12 code
+      o Sparc assembler bignum implementation, optimized hash functions
+      o Option to disable selected ciphers
+
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+      o Fixed a security hole related to session resumption
+      o Fixed RSA encryption routines for the p < q case
+      o "ALL" in cipher lists now means "everything except NULL ciphers"
+      o Support for Triple-DES CBCM cipher
+      o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
+      o First support for new TLSv1 ciphers
+      o Added a few new BIOs (syslog BIO, reliable BIO)
+      o Extended support for DSA certificate/keys.
+      o Extended support for Certificate Signing Requests (CSR)
+      o Initial support for X.509v3 extensions
+      o Extended support for compression inside the SSL record layer
+      o Overhauled Win32 builds
+      o Cleanups and fixes to the Big Number (BN) library
+      o Support for ASN.1 GeneralizedTime
+      o Splitted ASN.1 SETs from SEQUENCEs
+      o ASN1 and PEM support for Netscape Certificate Sequences
+      o Overhauled Perl interface
+      o Lots of source tree cleanups.
+      o Lots of memory leak fixes.
+      o Lots of bug fixes.
+
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+      o Integration of the popular NO_RSA/NO_DSA patches
+      o Initial support for compression inside the SSL record layer
+      o Added BIO proxy and filtering functionality
+      o Extended Big Number (BN) library
+      o Added RIPE MD160 message digest
+      o Addeed support for RC2/64bit cipher
+      o Extended ASN.1 parser routines
+      o Adjustations of the source tree for CVS
+      o Support for various new platforms
+
diff --git a/crypto/openssl/README b/crypto/openssl/README
new file mode 100644
index 0000000..320ac1b
--- /dev/null
+++ b/crypto/openssl/README
@@ -0,0 +1,177 @@
+
+ OpenSSL 0.9.5a  1 Apr 2000
+
+ Copyright (c) 1998-2000 The OpenSSL Project
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+ All rights reserved.
+
+ DESCRIPTION
+ -----------
+
+ The OpenSSL Project is a collaborative effort to develop a robust,
+ commercial-grade, fully featured, and Open Source toolkit implementing the
+ Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+ protocols as well as a full-strength general purpose cryptography library.
+ The project is managed by a worldwide community of volunteers that use the
+ Internet to communicate, plan, and develop the OpenSSL toolkit and its
+ related documentation. 
+
+ OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
+ and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
+ OpenSSL license plus the SSLeay license) situation, which basically means
+ that you are free to get and use it for commercial and non-commercial
+ purposes as long as you fulfill the conditions of both licenses. 
+
+ OVERVIEW
+ --------
+
+ The OpenSSL toolkit includes:
+
+ libssl.a:
+     Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
+     both SSLv2, SSLv3 and TLSv1 in the one server and client.
+
+ libcrypto.a:
+     General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
+     actually logically part of it. It includes routines for the following:
+
+     Ciphers
+        libdes - EAY's libdes DES encryption package which has been floating
+                 around the net for a few years.  It includes 15
+                 'modes/variations' of DES (1, 2 and 3 key versions of ecb,
+                 cbc, cfb and ofb; pcbc and a more general form of cfb and
+                 ofb) including desx in cbc mode, a fast crypt(3), and
+                 routines to read passwords from the keyboard.
+        RC4 encryption,
+        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
+        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
+        IDEA encryption     - 4 different modes, ecb, cbc, cfb and ofb.
+
+     Digests
+        MD5 and MD2 message digest algorithms, fast implementations,
+        SHA (SHA-0) and SHA-1 message digest algorithms,
+        MDC2 message digest. A DES based hash that is popular on smart cards.
+
+     Public Key
+        RSA encryption/decryption/generation.  
+            There is no limit on the number of bits.
+        DSA encryption/decryption/generation.   
+            There is no limit on the number of bits.
+        Diffie-Hellman key-exchange/key generation.  
+            There is no limit on the number of bits.
+
+     X.509v3 certificates
+        X509 encoding/decoding into/from binary ASN1 and a PEM
+             based ascii-binary encoding which supports encryption with a
+             private key.  Program to generate RSA and DSA certificate
+             requests and to generate RSA and DSA certificates.
+
+     Systems
+        The normal digital envelope routines and base64 encoding.  Higher
+        level access to ciphers and digests by name.  New ciphers can be
+        loaded at run time.  The BIO io system which is a simple non-blocking
+        IO abstraction.  Current methods supported are file descriptors,
+        sockets, socket accept, socket connect, memory buffer, buffering, SSL
+        client/server, file pointer, encryption, digest, non-blocking testing
+        and null.
+
+     Data structures
+        A dynamically growing hashing system
+        A simple stack.
+        A Configuration loader that uses a format similar to MS .ini files.
+
+ openssl: 
+     A command line tool that can be used for:
+        Creation of RSA, DH and DSA key parameters
+        Creation of X.509 certificates, CSRs and CRLs 
+        Calculation of Message Digests
+        Encryption and Decryption with Ciphers
+        SSL/TLS Client and Server Tests
+        Handling of S/MIME signed or encrypted mail
+
+        
+ PATENTS
+ -------
+
+ Various companies hold various patents for various algorithms in various
+ locations around the world. _YOU_ are responsible for ensuring that your use
+ of any algorithms is legal by checking if there are any patents in your
+ country.  The file contains some of the patents that we know about or are
+ rumoured to exist. This is not a definitive list.
+
+ RSA Data Security holds software patents on the RSA and RC5 algorithms.  If
+ their ciphers are used used inside the USA (and Japan?), you must contact RSA
+ Data Security for licensing conditions. Their web page is
+ http://www.rsa.com/.
+
+ RC4 is a trademark of RSA Data Security, so use of this label should perhaps
+ only be used with RSA Data Security's permission. 
+
+ The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
+ Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They should
+ be contacted if that algorithm is to be used, their web page is
+ http://www.ascom.ch/.
+
+ INSTALLATION
+ ------------
+
+ To install this package under a Unix derivative, read the INSTALL file.  For
+ a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
+ INSTALL.VMS.
+
+ For people in the USA, it is possible to compile OpenSSL to use RSA Inc.'s
+ public key library, RSAREF, by configuring OpenSSL with the option "rsaref".
+
+ Read the documentation in the doc/ directory.  It is quite rough, but it
+ lists the functions, you will probably have to look at the code to work out
+ how to used them. Look at the example programs.
+
+ SUPPORT 
+ -------
+
+ If you have any problems with OpenSSL then please take the following steps
+ first:
+
+    - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
+      to see if the problem has already been addressed
+    - Remove ASM versions of libraries
+    - Remove compiler optimisation flags 
+
+ If you wish to report a bug then please include the following information in
+ any bug report:
+
+    - On Unix systems:
+        Self-test report generated by 'make report'
+    - On other systems:
+        OpenSSL version: output of 'openssl version -a'
+        OS Name, Version, Hardware platform
+        Compiler Details (name, version)
+    - Application Details (name, version)
+    - Problem Description (steps that will reproduce the problem, if known)
+    - Stack Traceback (if the application dumps core)
+
+ Report the bug to the OpenSSL project at:
+
+    openssl-bugs@openssl.org
+
+ Note that mail to openssl-bugs@openssl.org is forwarded to a public
+ mailing list. Confidential mail may be sent to openssl-security@openssl.org
+ (PGP key available from the key servers).
+
+ HOW TO CONTRIBUTE TO OpenSSL
+ ----------------------------
+
+ Development is coordinated on the openssl-dev mailing list (see
+ http://www.openssl.org for information on subscribing). If you
+ would like to submit a patch, send it to openssl-dev@openssl.org with
+ the string "[PATCH]" in the subject. Please be sure to include a
+ textual explanation of what your patch does.
+
+ The preferred format for changes is "diff -u" output. You might
+ generate it like this:
+
+ # cd openssl-work
+ # [your changes]
+ # ./Configure dist; make clean
+ # cd ..
+ # diff -urN openssl-orig openssl-work > mydiffs.patch
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl
new file mode 100755
index 0000000..4eef57e
--- /dev/null
+++ b/crypto/openssl/apps/CA.pl
@@ -0,0 +1,162 @@
+#!/usr/local/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+$PKCS12="openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+	if ( /^(-\?|-h|-help)$/ ) {
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 0;
+	} elsif (/^-newcert$/) {
+	    # create a certificate
+	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Certificate (and private key) is in newreq.pem\n"
+	} elsif (/^-newreq$/) {
+	    # create a certificate request
+	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newca$/) {
+		# if explicitly asked for or it doesn't exist then setup the
+		# directory structure that Eric likes to manage things 
+	    $NEW="1";
+	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+		# create the directory hierarchy
+		mkdir $CATOP, $DIRMODE;
+		mkdir "${CATOP}/certs", $DIRMODE;
+		mkdir "${CATOP}/crl", $DIRMODE ;
+		mkdir "${CATOP}/newcerts", $DIRMODE;
+		mkdir "${CATOP}/private", $DIRMODE;
+		open OUT, ">${CATOP}/serial";
+		print OUT "01\n";
+		close OUT;
+		open OUT, ">${CATOP}/index.txt";
+		close OUT;
+	    }
+	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
+		print "CA certificate filename (or enter to create)\n";
+		$FILE = <STDIN>;
+
+		chop $FILE;
+
+		# ask user for existing CA certificate
+		if ($FILE) {
+		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+		    $RET=$?;
+		} else {
+		    print "Making CA certificate ...\n";
+		    system ("$REQ -new -x509 -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+		    $RET=$?;
+		}
+	    }
+	} elsif (/^-pkcs12$/) {
+	    my $cname = $ARGV[1];
+	    $cname = "My Certificate" unless defined $cname;
+	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+			"-export -name \"$cname\"");
+	    $RET=$?;
+	    exit $RET;
+	} elsif (/^-xsign$/) {
+	    system ("$CA -policy policy_anything -infiles newreq.pem");
+	    $RET=$?;
+	} elsif (/^(-sign|-signreq)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-signcert$/) {
+	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+								"-out tmp.pem");
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles tmp.pem");
+	    $RET = $?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-verify$/) {
+	    if (shift) {
+		foreach $j (@ARGV) {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+		    $RET=$? if ($? != 0);
+		}
+		exit $RET;
+	    } else {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+		    $RET=$?;
+	    	    exit 0;
+	    }
+	} else {
+	    print STDERR "Unknown arg $_\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 1;
+	}
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+	$flag = 1 if (/^-----BEGIN.*$bound/) ;
+	print OUT $_ if ($flag);
+	if (/^-----END.*$bound/) {
+		close IN;
+		close OUT;
+		return;
+	}
+}
+}
+
diff --git a/crypto/openssl/apps/CA.pl.in b/crypto/openssl/apps/CA.pl.in
new file mode 100644
index 0000000..4eef57e
--- /dev/null
+++ b/crypto/openssl/apps/CA.pl.in
@@ -0,0 +1,162 @@
+#!/usr/local/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+$PKCS12="openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+	if ( /^(-\?|-h|-help)$/ ) {
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 0;
+	} elsif (/^-newcert$/) {
+	    # create a certificate
+	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Certificate (and private key) is in newreq.pem\n"
+	} elsif (/^-newreq$/) {
+	    # create a certificate request
+	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newca$/) {
+		# if explicitly asked for or it doesn't exist then setup the
+		# directory structure that Eric likes to manage things 
+	    $NEW="1";
+	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+		# create the directory hierarchy
+		mkdir $CATOP, $DIRMODE;
+		mkdir "${CATOP}/certs", $DIRMODE;
+		mkdir "${CATOP}/crl", $DIRMODE ;
+		mkdir "${CATOP}/newcerts", $DIRMODE;
+		mkdir "${CATOP}/private", $DIRMODE;
+		open OUT, ">${CATOP}/serial";
+		print OUT "01\n";
+		close OUT;
+		open OUT, ">${CATOP}/index.txt";
+		close OUT;
+	    }
+	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
+		print "CA certificate filename (or enter to create)\n";
+		$FILE = <STDIN>;
+
+		chop $FILE;
+
+		# ask user for existing CA certificate
+		if ($FILE) {
+		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+		    $RET=$?;
+		} else {
+		    print "Making CA certificate ...\n";
+		    system ("$REQ -new -x509 -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+		    $RET=$?;
+		}
+	    }
+	} elsif (/^-pkcs12$/) {
+	    my $cname = $ARGV[1];
+	    $cname = "My Certificate" unless defined $cname;
+	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+			"-export -name \"$cname\"");
+	    $RET=$?;
+	    exit $RET;
+	} elsif (/^-xsign$/) {
+	    system ("$CA -policy policy_anything -infiles newreq.pem");
+	    $RET=$?;
+	} elsif (/^(-sign|-signreq)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-signcert$/) {
+	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+								"-out tmp.pem");
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles tmp.pem");
+	    $RET = $?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-verify$/) {
+	    if (shift) {
+		foreach $j (@ARGV) {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+		    $RET=$? if ($? != 0);
+		}
+		exit $RET;
+	    } else {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+		    $RET=$?;
+	    	    exit 0;
+	    }
+	} else {
+	    print STDERR "Unknown arg $_\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    exit 1;
+	}
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+	$flag = 1 if (/^-----BEGIN.*$bound/) ;
+	print OUT $_ if ($flag);
+	if (/^-----END.*$bound/) {
+		close IN;
+		close OUT;
+		return;
+	}
+}
+}
+
diff --git a/crypto/openssl/apps/CA.sh b/crypto/openssl/apps/CA.sh
new file mode 100644
index 0000000..d9f3069
--- /dev/null
+++ b/crypto/openssl/apps/CA.sh
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+DAYS="-days 365"
+REQ="openssl req $SSLEAY_CONFIG"
+CA="openssl ca $SSLEAY_CONFIG"
+VERIFY="openssl verify"
+X509="openssl x509"
+
+CATOP=./demoCA
+CAKEY=./cakey.pem
+CACERT=./cacert.pem
+
+for i
+do
+case $i in
+-\?|-h|-help)
+    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
+    exit 0
+    ;;
+-newcert) 
+    # create a certificate
+    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Certificate (and private key) is in newreq.pem"
+    ;;
+-newreq) 
+    # create a certificate request
+    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request (and private key) is in newreq.pem"
+    ;;
+-newca)     
+    # if explicitly asked for or it doesn't exist then setup the directory
+    # structure that Eric likes to manage things 
+    NEW="1"
+    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
+	# create the directory hierarchy
+	mkdir ${CATOP} 
+	mkdir ${CATOP}/certs 
+	mkdir ${CATOP}/crl 
+	mkdir ${CATOP}/newcerts
+	mkdir ${CATOP}/private
+	echo "01" > ${CATOP}/serial
+	touch ${CATOP}/index.txt
+    fi
+    if [ ! -f ${CATOP}/private/$CAKEY ]; then
+	echo "CA certificate filename (or enter to create)"
+	read FILE
+
+	# ask user for existing CA certificate
+	if [ "$FILE" ]; then
+	    cp $FILE ${CATOP}/private/$CAKEY
+	    RET=$?
+	else
+	    echo "Making CA certificate ..."
+	    $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
+			   -out ${CATOP}/$CACERT $DAYS
+	    RET=$?
+	fi
+    fi
+    ;;
+-xsign)
+    $CA -policy policy_anything -infiles newreq.pem 
+    RET=$?
+    ;;
+-sign|-signreq) 
+    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-signcert) 
+    echo "Cert passphrase will be requested twice - bug?"
+    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-verify) 
+    shift
+    if [ -z "$1" ]; then
+	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+	    RET=$?
+    else
+	for j
+	do
+	    $VERIFY -CAfile $CATOP/$CACERT $j
+	    if [ $? != 0 ]; then
+		    RET=$?
+	    fi
+	done
+    fi
+    exit 0
+    ;;
+*)
+    echo "Unknown arg $i";
+    exit 1
+    ;;
+esac
+done
+exit $RET
+
diff --git a/crypto/openssl/apps/Makefile.save b/crypto/openssl/apps/Makefile.save
new file mode 100644
index 0000000..b8d0b1b
--- /dev/null
+++ b/crypto/openssl/apps/Makefile.save
@@ -0,0 +1,818 @@
+#
+#  apps/Makefile.ssl
+#
+
+DIR=		apps
+TOP=		..
+CC=		cc
+INCLUDES=	-I../include
+CFLAG=		-g -static
+INSTALL_PREFIX=
+INSTALLTOP=	/usr/local/ssl
+OPENSSLDIR=	/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+PERL=/usr/local/bin/perl
+RM=		rm -f
+
+PEX_LIBS=
+EX_LIBS= 
+
+CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile makeapps.com install.com
+
+DLIBCRYPTO=../libcrypto.a
+DLIBSSL=../libssl.a
+LIBCRYPTO=-L.. -lcrypto
+LIBSSL=-L.. -lssl
+
+PROGRAM= openssl
+
+SCRIPTS=CA.sh CA.pl der_chop
+
+EXE= $(PROGRAM)
+
+E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
+	ca crl rsa dsa dsaparam \
+	x509 genrsa gendsa s_server s_client speed \
+	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
+	pkcs8 spkac smime rand
+
+PROGS= $(PROGRAM).c
+
+A_OBJ=apps.o
+A_SRC=apps.c
+S_OBJ=	s_cb.o s_socket.o
+S_SRC=	s_cb.c s_socket.c
+RAND_OBJ=app_rand.o
+RAND_SRC=app_rand.c
+
+E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \
+	ca.o pkcs7.o crl2p7.o crl.o \
+	rsa.o dsa.o dsaparam.o \
+	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
+	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o
+
+E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
+	pkcs7.c crl2p7.c crl.c \
+	rsa.c dsa.c dsaparam.c \
+	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
+	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c
+
+SRC=$(E_SRC)
+
+EXHEADER=
+HEADER=	apps.h progs.h s_apps.h \
+	testdsa.h testrsa.h \
+	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+	$(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+sreq.o: req.c 
+	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+install:
+	@for i in $(EXE); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 done;
+	@for i in $(SCRIPTS); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 done
+	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \
+	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
+	rm -f req
+
+$(DLIBSSL):
+	(cd ../ssl; $(MAKE))
+
+$(DLIBCRYPTO):
+	(cd ../crypto; $(MAKE))
+
+$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(PROGRAM)
+	$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
+	@(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+
+progs.h: progs.pl
+	$(PERL) progs.pl $(E_EXE) >progs.h
+	$(RM) $(PROGRAM).o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+app_rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+app_rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+app_rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+app_rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+app_rand.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+app_rand.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
+app_rand.o: ../include/openssl/md2.h ../include/openssl/md5.h
+app_rand.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+app_rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+app_rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+app_rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
+app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+apps.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+apps.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+apps.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+apps.o: ../include/openssl/crypto.h ../include/openssl/des.h
+apps.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+apps.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+apps.o: ../include/openssl/evp.h ../include/openssl/idea.h
+apps.o: ../include/openssl/md2.h ../include/openssl/md5.h
+apps.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+apps.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+apps.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+apps.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+apps.o: ../include/openssl/stack.h ../include/openssl/x509.h
+apps.o: ../include/openssl/x509_vfy.h apps.h
+asn1pars.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+asn1pars.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+asn1pars.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+asn1pars.o: ../include/openssl/crypto.h ../include/openssl/des.h
+asn1pars.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+asn1pars.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
+asn1pars.o: ../include/openssl/idea.h ../include/openssl/md2.h
+asn1pars.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+asn1pars.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+asn1pars.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+asn1pars.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h
+asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+ca.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ca.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ca.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ca.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
+ca.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ca.o: ../include/openssl/err.h ../include/openssl/evp.h
+ca.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ca.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ca.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ca.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ca.o: ../include/openssl/stack.h ../include/openssl/txt_db.h
+ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ca.o: ../include/openssl/x509v3.h apps.h
+ciphers.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ciphers.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ciphers.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ciphers.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ciphers.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
+ciphers.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ciphers.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ciphers.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ciphers.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ciphers.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ciphers.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+crl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+crl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+crl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+crl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+crl.o: ../include/openssl/des.h ../include/openssl/dh.h
+crl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+crl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+crl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+crl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+crl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+crl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+crl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl.o: ../include/openssl/sha.h ../include/openssl/stack.h
+crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+crl.o: ../include/openssl/x509v3.h apps.h
+crl2p7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+crl2p7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+crl2p7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+crl2p7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+crl2p7.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+crl2p7.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl2p7.o: ../include/openssl/idea.h ../include/openssl/md2.h
+crl2p7.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl2p7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+crl2p7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+crl2p7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h
+crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dgst.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dgst.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dgst.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dgst.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dgst.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
+dgst.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dgst.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dgst.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dh.o: ../include/openssl/err.h ../include/openssl/evp.h
+dh.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dsaparam.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsaparam.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dsaparam.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dsaparam.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsaparam.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsaparam.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dsaparam.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dsaparam.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsaparam.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dsaparam.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
+enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+enc.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+enc.o: ../include/openssl/idea.h ../include/openssl/md2.h
+enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+enc.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enc.o: ../include/openssl/stack.h ../include/openssl/x509.h
+enc.o: ../include/openssl/x509_vfy.h apps.h
+errstr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+errstr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+errstr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+errstr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+errstr.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
+errstr.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+errstr.o: ../include/openssl/md2.h ../include/openssl/md5.h
+errstr.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+errstr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+errstr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+errstr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+gendh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+gendh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+gendh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+gendh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+gendh.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendh.o: ../include/openssl/idea.h ../include/openssl/md2.h
+gendh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+gendh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendh.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+gendh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+gendh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+gendh.o: ../include/openssl/stack.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h apps.h
+gendsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+gendsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+gendsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+gendsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+gendsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+gendsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+genrsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+genrsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+genrsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+genrsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+genrsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+genrsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+genrsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+genrsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+genrsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+nseq.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+nseq.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+nseq.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+nseq.o: ../include/openssl/crypto.h ../include/openssl/des.h
+nseq.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+nseq.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
+nseq.o: ../include/openssl/idea.h ../include/openssl/md2.h
+nseq.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+nseq.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+nseq.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+nseq.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+nseq.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h
+nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+openssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+openssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+openssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+openssl.o: ../include/openssl/des.h ../include/openssl/dh.h
+openssl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+openssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+openssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h apps.h progs.h s_apps.h
+passwd.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+passwd.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+passwd.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
+passwd.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+passwd.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+passwd.o: ../include/openssl/err.h ../include/openssl/evp.h
+passwd.o: ../include/openssl/idea.h ../include/openssl/md2.h
+passwd.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+passwd.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+passwd.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+passwd.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+passwd.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+passwd.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+passwd.o: ../include/openssl/stack.h ../include/openssl/x509.h
+passwd.o: ../include/openssl/x509_vfy.h apps.h
+pkcs12.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs12.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs12.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs12.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs12.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs12.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs12.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs12.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkcs12.o: ../include/openssl/stack.h ../include/openssl/x509.h
+pkcs12.o: ../include/openssl/x509_vfy.h apps.h
+pkcs7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs7.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs7.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs7.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs7.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h
+pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+pkcs8.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs8.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs8.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs8.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs8.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs8.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs8.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs8.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkcs8.o: ../include/openssl/stack.h ../include/openssl/x509.h
+pkcs8.o: ../include/openssl/x509_vfy.h apps.h
+rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rand.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+rand.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rand.o: ../include/openssl/err.h ../include/openssl/evp.h
+rand.o: ../include/openssl/idea.h ../include/openssl/md2.h
+rand.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rand.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+rand.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+rand.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+rand.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+rand.o: ../include/openssl/stack.h ../include/openssl/x509.h
+rand.o: ../include/openssl/x509_vfy.h apps.h
+req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+req.o: ../include/openssl/des.h ../include/openssl/dh.h
+req.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/idea.h
+req.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+req.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+req.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+req.o: ../include/openssl/sha.h ../include/openssl/stack.h
+req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+req.o: ../include/openssl/x509v3.h apps.h
+rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+rsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_cb.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_cb.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_cb.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_cb.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_cb.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_cb.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_cb.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_cb.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_cb.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_cb.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_cb.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h s_apps.h
+s_client.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_client.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_client.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_client.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_client.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_client.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_client.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_client.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_client.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_client.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_client.o: s_apps.h
+s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_server.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_server.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_server.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_server.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_server.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_server.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_server.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_server.o: s_apps.h
+s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_socket.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_socket.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_socket.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_socket.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s_socket.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
+s_time.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_time.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_time.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_time.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_time.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_time.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_time.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_time.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_time.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_time.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_time.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_time.o: s_apps.h
+sess_id.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+sess_id.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+sess_id.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+sess_id.o: ../include/openssl/crypto.h ../include/openssl/des.h
+sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+sess_id.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
+sess_id.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+sess_id.o: ../include/openssl/md2.h ../include/openssl/md5.h
+sess_id.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+sess_id.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+sess_id.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+sess_id.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+smime.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+smime.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+smime.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+smime.o: ../include/openssl/crypto.h ../include/openssl/des.h
+smime.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+smime.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+smime.o: ../include/openssl/err.h ../include/openssl/evp.h
+smime.o: ../include/openssl/idea.h ../include/openssl/md2.h
+smime.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+smime.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+smime.o: ../include/openssl/sha.h ../include/openssl/stack.h
+smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+speed.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+speed.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+speed.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+speed.o: ../include/openssl/crypto.h ../include/openssl/des.h
+speed.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+speed.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+speed.o: ../include/openssl/err.h ../include/openssl/evp.h
+speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+speed.o: ../include/openssl/md2.h ../include/openssl/md5.h
+speed.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+speed.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
+speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ./testdsa.h
+speed.o: ./testrsa.h apps.h
+spkac.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+spkac.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+spkac.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+spkac.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+spkac.o: ../include/openssl/des.h ../include/openssl/dh.h
+spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+spkac.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h
+spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+spkac.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+spkac.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h
+spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+verify.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+verify.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+verify.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+verify.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+verify.o: ../include/openssl/des.h ../include/openssl/dh.h
+verify.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+verify.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+verify.o: ../include/openssl/evp.h ../include/openssl/idea.h
+verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+verify.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+verify.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+verify.o: ../include/openssl/sha.h ../include/openssl/stack.h
+verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+verify.o: ../include/openssl/x509v3.h apps.h
+version.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+version.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+version.o: ../include/openssl/crypto.h ../include/openssl/des.h
+version.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+version.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+version.o: ../include/openssl/evp.h ../include/openssl/idea.h
+version.o: ../include/openssl/md2.h ../include/openssl/md5.h
+version.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+version.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+version.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+version.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+version.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+version.o: ../include/openssl/stack.h ../include/openssl/x509.h
+version.o: ../include/openssl/x509_vfy.h apps.h
+x509.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+x509.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+x509.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+x509.o: ../include/openssl/des.h ../include/openssl/dh.h
+x509.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+x509.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+x509.o: ../include/openssl/evp.h ../include/openssl/idea.h
+x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+x509.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+x509.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
+x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+x509.o: ../include/openssl/x509v3.h apps.h
diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl
new file mode 100644
index 0000000..b8d0b1b
--- /dev/null
+++ b/crypto/openssl/apps/Makefile.ssl
@@ -0,0 +1,818 @@
+#
+#  apps/Makefile.ssl
+#
+
+DIR=		apps
+TOP=		..
+CC=		cc
+INCLUDES=	-I../include
+CFLAG=		-g -static
+INSTALL_PREFIX=
+INSTALLTOP=	/usr/local/ssl
+OPENSSLDIR=	/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+PERL=/usr/local/bin/perl
+RM=		rm -f
+
+PEX_LIBS=
+EX_LIBS= 
+
+CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile makeapps.com install.com
+
+DLIBCRYPTO=../libcrypto.a
+DLIBSSL=../libssl.a
+LIBCRYPTO=-L.. -lcrypto
+LIBSSL=-L.. -lssl
+
+PROGRAM= openssl
+
+SCRIPTS=CA.sh CA.pl der_chop
+
+EXE= $(PROGRAM)
+
+E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
+	ca crl rsa dsa dsaparam \
+	x509 genrsa gendsa s_server s_client speed \
+	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
+	pkcs8 spkac smime rand
+
+PROGS= $(PROGRAM).c
+
+A_OBJ=apps.o
+A_SRC=apps.c
+S_OBJ=	s_cb.o s_socket.o
+S_SRC=	s_cb.c s_socket.c
+RAND_OBJ=app_rand.o
+RAND_SRC=app_rand.c
+
+E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \
+	ca.o pkcs7.o crl2p7.o crl.o \
+	rsa.o dsa.o dsaparam.o \
+	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
+	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o
+
+E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
+	pkcs7.c crl2p7.c crl.c \
+	rsa.c dsa.c dsaparam.c \
+	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
+	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c
+
+SRC=$(E_SRC)
+
+EXHEADER=
+HEADER=	apps.h progs.h s_apps.h \
+	testdsa.h testrsa.h \
+	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+	$(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+sreq.o: req.c 
+	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+install:
+	@for i in $(EXE); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 done;
+	@for i in $(SCRIPTS); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 done
+	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \
+	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
+	rm -f req
+
+$(DLIBSSL):
+	(cd ../ssl; $(MAKE))
+
+$(DLIBCRYPTO):
+	(cd ../crypto; $(MAKE))
+
+$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(PROGRAM)
+	$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
+	@(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+
+progs.h: progs.pl
+	$(PERL) progs.pl $(E_EXE) >progs.h
+	$(RM) $(PROGRAM).o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+app_rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+app_rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+app_rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+app_rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+app_rand.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+app_rand.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
+app_rand.o: ../include/openssl/md2.h ../include/openssl/md5.h
+app_rand.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+app_rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+app_rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+app_rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
+app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+apps.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+apps.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+apps.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+apps.o: ../include/openssl/crypto.h ../include/openssl/des.h
+apps.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+apps.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+apps.o: ../include/openssl/evp.h ../include/openssl/idea.h
+apps.o: ../include/openssl/md2.h ../include/openssl/md5.h
+apps.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+apps.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+apps.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+apps.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+apps.o: ../include/openssl/stack.h ../include/openssl/x509.h
+apps.o: ../include/openssl/x509_vfy.h apps.h
+asn1pars.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+asn1pars.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+asn1pars.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+asn1pars.o: ../include/openssl/crypto.h ../include/openssl/des.h
+asn1pars.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+asn1pars.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
+asn1pars.o: ../include/openssl/idea.h ../include/openssl/md2.h
+asn1pars.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+asn1pars.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+asn1pars.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+asn1pars.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h
+asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+ca.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ca.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ca.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ca.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
+ca.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ca.o: ../include/openssl/err.h ../include/openssl/evp.h
+ca.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ca.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ca.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ca.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ca.o: ../include/openssl/stack.h ../include/openssl/txt_db.h
+ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ca.o: ../include/openssl/x509v3.h apps.h
+ciphers.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ciphers.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ciphers.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ciphers.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ciphers.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
+ciphers.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ciphers.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ciphers.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ciphers.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ciphers.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ciphers.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+crl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+crl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+crl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+crl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+crl.o: ../include/openssl/des.h ../include/openssl/dh.h
+crl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+crl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+crl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+crl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+crl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+crl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+crl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl.o: ../include/openssl/sha.h ../include/openssl/stack.h
+crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+crl.o: ../include/openssl/x509v3.h apps.h
+crl2p7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+crl2p7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+crl2p7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+crl2p7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+crl2p7.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+crl2p7.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl2p7.o: ../include/openssl/idea.h ../include/openssl/md2.h
+crl2p7.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl2p7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+crl2p7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+crl2p7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h
+crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dgst.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dgst.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dgst.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dgst.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dgst.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
+dgst.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dgst.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dgst.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dh.o: ../include/openssl/err.h ../include/openssl/evp.h
+dh.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dsaparam.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsaparam.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+dsaparam.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+dsaparam.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsaparam.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsaparam.o: ../include/openssl/idea.h ../include/openssl/md2.h
+dsaparam.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dsaparam.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsaparam.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dsaparam.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
+enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+enc.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+enc.o: ../include/openssl/idea.h ../include/openssl/md2.h
+enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+enc.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enc.o: ../include/openssl/stack.h ../include/openssl/x509.h
+enc.o: ../include/openssl/x509_vfy.h apps.h
+errstr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+errstr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+errstr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+errstr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+errstr.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
+errstr.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+errstr.o: ../include/openssl/md2.h ../include/openssl/md5.h
+errstr.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+errstr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+errstr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+errstr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+gendh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+gendh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+gendh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+gendh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+gendh.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendh.o: ../include/openssl/idea.h ../include/openssl/md2.h
+gendh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+gendh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendh.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+gendh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+gendh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+gendh.o: ../include/openssl/stack.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h apps.h
+gendsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+gendsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+gendsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+gendsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+gendsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+gendsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+genrsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+genrsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+genrsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+genrsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+genrsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+genrsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+genrsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+genrsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+genrsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+nseq.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+nseq.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+nseq.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+nseq.o: ../include/openssl/crypto.h ../include/openssl/des.h
+nseq.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+nseq.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
+nseq.o: ../include/openssl/idea.h ../include/openssl/md2.h
+nseq.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+nseq.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+nseq.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+nseq.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+nseq.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h
+nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+openssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+openssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+openssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+openssl.o: ../include/openssl/des.h ../include/openssl/dh.h
+openssl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+openssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+openssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h apps.h progs.h s_apps.h
+passwd.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+passwd.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+passwd.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
+passwd.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+passwd.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+passwd.o: ../include/openssl/err.h ../include/openssl/evp.h
+passwd.o: ../include/openssl/idea.h ../include/openssl/md2.h
+passwd.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+passwd.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+passwd.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+passwd.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+passwd.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+passwd.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+passwd.o: ../include/openssl/stack.h ../include/openssl/x509.h
+passwd.o: ../include/openssl/x509_vfy.h apps.h
+pkcs12.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs12.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs12.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs12.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs12.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs12.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs12.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs12.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkcs12.o: ../include/openssl/stack.h ../include/openssl/x509.h
+pkcs12.o: ../include/openssl/x509_vfy.h apps.h
+pkcs7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs7.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs7.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs7.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs7.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h
+pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+pkcs8.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs8.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+pkcs8.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+pkcs8.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs8.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+pkcs8.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs8.o: ../include/openssl/idea.h ../include/openssl/md2.h
+pkcs8.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkcs8.o: ../include/openssl/stack.h ../include/openssl/x509.h
+pkcs8.o: ../include/openssl/x509_vfy.h apps.h
+rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rand.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+rand.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rand.o: ../include/openssl/err.h ../include/openssl/evp.h
+rand.o: ../include/openssl/idea.h ../include/openssl/md2.h
+rand.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rand.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+rand.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+rand.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+rand.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+rand.o: ../include/openssl/stack.h ../include/openssl/x509.h
+rand.o: ../include/openssl/x509_vfy.h apps.h
+req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+req.o: ../include/openssl/des.h ../include/openssl/dh.h
+req.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/idea.h
+req.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+req.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+req.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+req.o: ../include/openssl/sha.h ../include/openssl/stack.h
+req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+req.o: ../include/openssl/x509v3.h apps.h
+rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+rsa.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsa.o: ../include/openssl/idea.h ../include/openssl/md2.h
+rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_cb.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_cb.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_cb.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_cb.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_cb.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_cb.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_cb.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_cb.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_cb.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_cb.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_cb.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h s_apps.h
+s_client.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_client.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_client.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_client.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_client.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_client.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_client.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_client.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_client.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_client.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_client.o: s_apps.h
+s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_server.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_server.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_server.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_server.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_server.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_server.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_server.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_server.o: s_apps.h
+s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_socket.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_socket.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_socket.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_socket.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s_socket.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
+s_time.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s_time.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s_time.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s_time.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s_time.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_time.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+s_time.o: ../include/openssl/md2.h ../include/openssl/md5.h
+s_time.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s_time.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_time.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_time.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_time.o: s_apps.h
+sess_id.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+sess_id.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+sess_id.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+sess_id.o: ../include/openssl/crypto.h ../include/openssl/des.h
+sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+sess_id.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
+sess_id.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+sess_id.o: ../include/openssl/md2.h ../include/openssl/md5.h
+sess_id.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+sess_id.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+sess_id.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+sess_id.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+smime.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+smime.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+smime.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+smime.o: ../include/openssl/crypto.h ../include/openssl/des.h
+smime.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+smime.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+smime.o: ../include/openssl/err.h ../include/openssl/evp.h
+smime.o: ../include/openssl/idea.h ../include/openssl/md2.h
+smime.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+smime.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+smime.o: ../include/openssl/sha.h ../include/openssl/stack.h
+smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+speed.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+speed.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+speed.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+speed.o: ../include/openssl/crypto.h ../include/openssl/des.h
+speed.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+speed.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+speed.o: ../include/openssl/err.h ../include/openssl/evp.h
+speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+speed.o: ../include/openssl/md2.h ../include/openssl/md5.h
+speed.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+speed.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
+speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ./testdsa.h
+speed.o: ./testrsa.h apps.h
+spkac.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+spkac.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+spkac.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+spkac.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+spkac.o: ../include/openssl/des.h ../include/openssl/dh.h
+spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+spkac.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h
+spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+spkac.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+spkac.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h
+spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+verify.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+verify.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+verify.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+verify.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+verify.o: ../include/openssl/des.h ../include/openssl/dh.h
+verify.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+verify.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+verify.o: ../include/openssl/evp.h ../include/openssl/idea.h
+verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+verify.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+verify.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+verify.o: ../include/openssl/sha.h ../include/openssl/stack.h
+verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+verify.o: ../include/openssl/x509v3.h apps.h
+version.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+version.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+version.o: ../include/openssl/crypto.h ../include/openssl/des.h
+version.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+version.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+version.o: ../include/openssl/evp.h ../include/openssl/idea.h
+version.o: ../include/openssl/md2.h ../include/openssl/md5.h
+version.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+version.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+version.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+version.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+version.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+version.o: ../include/openssl/stack.h ../include/openssl/x509.h
+version.o: ../include/openssl/x509_vfy.h apps.h
+x509.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+x509.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+x509.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+x509.o: ../include/openssl/des.h ../include/openssl/dh.h
+x509.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+x509.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+x509.o: ../include/openssl/evp.h ../include/openssl/idea.h
+x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+x509.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+x509.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
+x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+x509.o: ../include/openssl/x509v3.h apps.h
diff --git a/crypto/openssl/apps/app_rand.c b/crypto/openssl/apps/app_rand.c
new file mode 100644
index 0000000..1146f9f
--- /dev/null
+++ b/crypto/openssl/apps/app_rand.c
@@ -0,0 +1,213 @@
+/* apps/app_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+
+
+static int seeded = 0;
+static int egdsocket = 0;
+
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
+	{
+	int consider_randfile = (file == NULL);
+	char buffer[200];
+	
+#ifdef WINDOWS
+	BIO_printf(bio_e,"Loading 'screen' into random state -");
+	BIO_flush(bio_e);
+	RAND_screen();
+	BIO_printf(bio_e," done\n");
+#endif
+
+	if (file == NULL)
+		file = RAND_file_name(buffer, sizeof buffer);
+	else if (RAND_egd(file) > 0)
+		{
+		/* we try if the given filename is an EGD socket.
+		   if it is, we don't write anything back to the file. */
+		egdsocket = 1;
+		return 1;
+		}
+	if (file == NULL || !RAND_load_file(file, -1))
+		{
+		if (RAND_status() == 0 && !dont_warn)
+			{
+			BIO_printf(bio_e,"unable to load 'random state'\n");
+			BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
+			BIO_printf(bio_e,"with much random data.\n");
+			if (consider_randfile) /* explanation does not apply when a file is explicitly named */
+				{
+				BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
+				BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
+				}
+			}
+		return 0;
+		}
+	seeded = 1;
+	return 1;
+	}
+
+long app_RAND_load_files(char *name)
+	{
+	char *p,*n;
+	int last;
+	long tot=0;
+	int egd;
+	
+	for (;;)
+		{
+		last=0;
+		for (p=name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++);
+		if (*p == '\0') last=1;
+		*p='\0';
+		n=name;
+		name=p+1;
+		if (*n == '\0') break;
+
+		egd=RAND_egd(n);
+		if (egd > 0) tot+=egd;
+		tot+=RAND_load_file(n,-1);
+		if (last) break;
+		}
+	if (tot > 512)
+		app_RAND_allow_write_file();
+	return(tot);
+	}
+
+int app_RAND_write_file(const char *file, BIO *bio_e)
+	{
+	char buffer[200];
+	
+	if (egdsocket || !seeded)
+		/* If we did not manage to read the seed file,
+		 * we should not write a low-entropy seed file back --
+		 * it would suppress a crucial warning the next time
+		 * we want to use it. */
+		return 0;
+
+	if (file == NULL)
+		file = RAND_file_name(buffer, sizeof buffer);
+	if (file == NULL || !RAND_write_file(file))
+		{
+		BIO_printf(bio_e,"unable to write 'random state'\n");
+		return 0;
+		}
+	return 1;
+	}
+
+void app_RAND_allow_write_file(void)
+	{
+	seeded = 1;
+	}
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
new file mode 100644
index 0000000..a87d23b
--- /dev/null
+++ b/crypto/openssl/apps/apps.c
@@ -0,0 +1,416 @@
+/* apps/apps.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+
+#ifdef WINDOWS
+#  include "bss_file.c"
+#endif
+
+int app_init(long mesgwin);
+#ifdef undef /* never finished - probably never will be :-) */
+int args_from_file(char *file, int *argc, char **argv[])
+	{
+	FILE *fp;
+	int num,i;
+	unsigned int len;
+	static char *buf=NULL;
+	static char **arg=NULL;
+	char *p;
+	struct stat stbuf;
+
+	if (stat(file,&stbuf) < 0) return(0);
+
+	fp=fopen(file,"r");
+	if (fp == NULL)
+		return(0);
+
+	*argc=0;
+	*argv=NULL;
+
+	len=(unsigned int)stbuf.st_size;
+	if (buf != NULL) Free(buf);
+	buf=(char *)Malloc(len+1);
+	if (buf == NULL) return(0);
+
+	len=fread(buf,1,len,fp);
+	if (len <= 1) return(0);
+	buf[len]='\0';
+
+	i=0;
+	for (p=buf; *p; p++)
+		if (*p == '\n') i++;
+	if (arg != NULL) Free(arg);
+	arg=(char **)Malloc(sizeof(char *)*(i*2));
+
+	*argv=arg;
+	num=0;
+	p=buf;
+	for (;;)
+		{
+		if (!*p) break;
+		if (*p == '#') /* comment line */
+			{
+			while (*p && (*p != '\n')) p++;
+			continue;
+			}
+		/* else we have a line */
+		*(arg++)=p;
+		num++;
+		while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
+			p++;
+		if (!*p) break;
+		if (*p == '\n')
+			{
+			*(p++)='\0';
+			continue;
+			}
+		/* else it is a tab or space */
+		p++;
+		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
+			p++;
+		if (!*p) break;
+		if (*p == '\n')
+			{
+			p++;
+			continue;
+			}
+		*(arg++)=p++;
+		num++;
+		while (*p && (*p != '\n')) p++;
+		if (!*p) break;
+		/* else *p == '\n' */
+		*(p++)='\0';
+		}
+	*argc=num;
+	return(1);
+	}
+#endif
+
+int str2fmt(char *s)
+	{
+	if 	((*s == 'D') || (*s == 'd'))
+		return(FORMAT_ASN1);
+	else if ((*s == 'T') || (*s == 't'))
+		return(FORMAT_TEXT);
+	else if ((*s == 'P') || (*s == 'p'))
+		return(FORMAT_PEM);
+	else if ((*s == 'N') || (*s == 'n'))
+		return(FORMAT_NETSCAPE);
+	else
+		return(FORMAT_UNDEF);
+	}
+
+#if defined(MSDOS) || defined(WIN32) || defined(WIN16)
+void program_name(char *in, char *out, int size)
+	{
+	int i,n;
+	char *p=NULL;
+
+	n=strlen(in);
+	/* find the last '/', '\' or ':' */
+	for (i=n-1; i>0; i--)
+		{
+		if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':'))
+			{
+			p= &(in[i+1]);
+			break;
+			}
+		}
+	if (p == NULL)
+		p=in;
+	n=strlen(p);
+	/* strip off trailing .exe if present. */
+	if ((n > 4) && (p[n-4] == '.') &&
+		((p[n-3] == 'e') || (p[n-3] == 'E')) &&
+		((p[n-2] == 'x') || (p[n-2] == 'X')) &&
+		((p[n-1] == 'e') || (p[n-1] == 'E')))
+		n-=4;
+	if (n > size-1)
+		n=size-1;
+
+	for (i=0; i<n; i++)
+		{
+		if ((p[i] >= 'A') && (p[i] <= 'Z'))
+			out[i]=p[i]-'A'+'a';
+		else
+			out[i]=p[i];
+		}
+	out[n]='\0';
+	}
+#else
+#ifdef VMS
+void program_name(char *in, char *out, int size)
+	{
+	char *p=in, *q;
+	char *chars=":]>";
+
+	while(*chars != '\0')
+		{
+		q=strrchr(p,*chars);
+		if (q > p)
+			p = q + 1;
+		chars++;
+		}
+
+	q=strrchr(p,'.');
+	if (q == NULL)
+		q = in+size;
+	strncpy(out,p,q-p);
+	out[q-p]='\0';
+	}
+#else
+void program_name(char *in, char *out, int size)
+	{
+	char *p;
+
+	p=strrchr(in,'/');
+	if (p != NULL)
+		p++;
+	else
+		p=in;
+	strncpy(out,p,size-1);
+	out[size-1]='\0';
+	}
+#endif
+#endif
+
+#ifdef WIN32
+int WIN32_rename(char *from, char *to)
+	{
+#ifdef WINNT
+	int ret;
+/* Note: MoveFileEx() doesn't work under Win95, Win98 */
+
+	ret=MoveFileEx(from,to,MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED);
+	return(ret?0:-1);
+#else
+	unlink(to);
+	return MoveFile(from, to);
+#endif
+	}
+#endif
+
+int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
+	{
+	int num,len,i;
+	char *p;
+
+	*argc=0;
+	*argv=NULL;
+
+	len=strlen(buf);
+	i=0;
+	if (arg->count == 0)
+		{
+		arg->count=20;
+		arg->data=(char **)Malloc(sizeof(char *)*arg->count);
+		}
+	for (i=0; i<arg->count; i++)
+		arg->data[i]=NULL;
+
+	num=0;
+	p=buf;
+	for (;;)
+		{
+		/* first scan over white space */
+		if (!*p) break;
+		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
+			p++;
+		if (!*p) break;
+
+		/* The start of something good :-) */
+		if (num >= arg->count)
+			{
+			arg->count+=20;
+			arg->data=(char **)Realloc(arg->data,
+				sizeof(char *)*arg->count);
+			if (argc == 0) return(0);
+			}
+		arg->data[num++]=p;
+
+		/* now look for the end of this */
+		if ((*p == '\'') || (*p == '\"')) /* scan for closing quote */
+			{
+			i= *(p++);
+			arg->data[num-1]++; /* jump over quote */
+			while (*p && (*p != i))
+				p++;
+			*p='\0';
+			}
+		else
+			{
+			while (*p && ((*p != ' ') &&
+				(*p != '\t') && (*p != '\n')))
+				p++;
+
+			if (*p == '\0')
+				p--;
+			else
+				*p='\0';
+			}
+		p++;
+		}
+	*argc=num;
+	*argv=arg->data;
+	return(1);
+	}
+
+#ifndef APP_INIT
+int app_init(long mesgwin)
+	{
+	return(1);
+	}
+#endif
+
+
+int dump_cert_text (BIO *out, X509 *x)
+{
+	char buf[256];
+	X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+	BIO_puts(out,"subject=");
+	BIO_puts(out,buf);
+
+	X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+	BIO_puts(out,"\nissuer= ");
+	BIO_puts(out,buf);
+	BIO_puts(out,"\n");
+        return 0;
+}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio);
+
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
+{
+	int same;
+	if(!arg2 || !arg1 || strcmp(arg1, arg2)) same = 0;
+	else same = 1;
+	if(arg1) {
+		*pass1 = app_get_pass(err, arg1, same);
+		if(!*pass1) return 0;
+	} else if(pass1) *pass1 = NULL;
+	if(arg2) {
+		*pass2 = app_get_pass(err, arg2, same ? 2 : 0);
+		if(!*pass2) return 0;
+	} else if(pass2) *pass2 = NULL;
+	return 1;
+}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio)
+{
+	char *tmp, tpass[APP_PASS_LEN];
+	static BIO *pwdbio = NULL;
+	int i;
+	if(!strncmp(arg, "pass:", 5)) return BUF_strdup(arg + 5);
+	if(!strncmp(arg, "env:", 4)) {
+		tmp = getenv(arg + 4);
+		if(!tmp) {
+			BIO_printf(err, "Can't read environment variable %s\n", arg + 4);
+			return NULL;
+		}
+		return BUF_strdup(tmp);
+	}
+	if(!keepbio || !pwdbio) {
+		if(!strncmp(arg, "file:", 5)) {
+			pwdbio = BIO_new_file(arg + 5, "r");
+			if(!pwdbio) {
+				BIO_printf(err, "Can't open file %s\n", arg + 5);
+				return NULL;
+			}
+		} else if(!strncmp(arg, "fd:", 3)) {
+			BIO *btmp;
+			i = atoi(arg + 3);
+			if(i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
+			if((i < 0) || !pwdbio) {
+				BIO_printf(err, "Can't access file descriptor %s\n", arg + 3);
+				return NULL;
+			}
+			/* Can't do BIO_gets on an fd BIO so add a buffering BIO */
+			btmp = BIO_new(BIO_f_buffer());
+			pwdbio = BIO_push(btmp, pwdbio);
+		} else if(!strcmp(arg, "stdin")) {
+			pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+			if(!pwdbio) {
+				BIO_printf(err, "Can't open BIO for stdin\n");
+				return NULL;
+			}
+		} else {
+			BIO_printf(err, "Invalid password argument \"%s\"\n", arg);
+			return NULL;
+		}
+	}
+	i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
+	if(keepbio != 1) {
+		BIO_free_all(pwdbio);
+		pwdbio = NULL;
+	}
+	if(i <= 0) {
+		BIO_printf(err, "Error reading password from BIO\n");
+		return NULL;
+	}
+	tmp = strchr(tpass, '\n');
+	if(tmp) *tmp = 0;
+	return BUF_strdup(tpass);
+}
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
new file mode 100644
index 0000000..2dcdb88
--- /dev/null
+++ b/crypto/openssl/apps/apps.h
@@ -0,0 +1,157 @@
+/* apps/apps.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_APPS_H
+#define HEADER_APPS_H
+
+#include "openssl/e_os.h"
+
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
+int app_RAND_write_file(const char *file, BIO *bio_e);
+/* When `file' is NULL, use defaults.
+ * `bio_e' is for error messages. */
+void app_RAND_allow_write_file(void);
+long app_RAND_load_files(char *file); /* `file' is a list of files to read,
+                                       * separated by LIST_SEPARATOR_CHAR
+                                       * (see e_os.h).  The string is
+                                       * destroyed! */
+
+#ifdef NO_STDIO
+BIO_METHOD *BIO_s_file();
+#endif
+
+#ifdef WIN32
+#define rename(from,to) WIN32_rename((from),(to))
+int WIN32_rename(char *oldname,char *newname);
+#endif
+
+#ifndef MONOLITH
+
+#define MAIN(a,v)	main(a,v)
+
+#ifndef NON_MAIN
+BIO *bio_err=NULL;
+#else
+extern BIO *bio_err;
+#endif
+
+#else
+
+#define MAIN(a,v)	PROG(a,v)
+#include <openssl/conf.h>
+extern LHASH *config;
+extern char *default_config_file;
+extern BIO *bio_err;
+
+#endif
+
+#include <signal.h>
+
+#ifdef SIGPIPE
+#define do_pipe_sig()	signal(SIGPIPE,SIG_IGN)
+#else
+#define do_pipe_sig()
+#endif
+
+#if defined(MONOLITH) && !defined(OPENSSL_C)
+#  define apps_startup()	do_pipe_sig()
+#else
+#  if defined(MSDOS) || defined(WIN16) || defined(WIN32)
+#    ifdef _O_BINARY
+#      define apps_startup() \
+		_fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+		SSLeay_add_all_algorithms()
+#    else
+#      define apps_startup() \
+		_fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+		SSLeay_add_all_algorithms()
+#    endif
+#  else
+#    define apps_startup()	do_pipe_sig(); SSLeay_add_all_algorithms();
+#  endif
+#endif
+
+typedef struct args_st
+	{
+	char **data;
+	int count;
+	} ARGS;
+
+int should_retry(int i);
+int args_from_file(char *file, int *argc, char **argv[]);
+int str2fmt(char *s);
+void program_name(char *in,char *out,int size);
+int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
+#ifdef HEADER_X509_H
+int dump_cert_text(BIO *out, X509 *x);
+#endif
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
+#define FORMAT_UNDEF    0
+#define FORMAT_ASN1     1
+#define FORMAT_TEXT     2
+#define FORMAT_PEM      3
+#define FORMAT_NETSCAPE 4
+
+#define APP_PASS_LEN	1024
+
+#endif
diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c
new file mode 100644
index 0000000..f104ebc
--- /dev/null
+++ b/crypto/openssl/apps/asn1pars.c
@@ -0,0 +1,315 @@
+/* apps/asn1pars.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* A nice addition from Dr Stephen Henson <shenson@bigfoot.com> to 
+ * add the -strparse option which parses nested binary structures
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -in arg	- input file - default stdin
+ * -i		- indent the details by depth
+ * -offset	- where in the file to start
+ * -length	- how many bytes to use
+ * -oid file	- extra oid description file
+ */
+
+#undef PROG
+#define PROG	asn1parse_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,badops=0,offset=0,ret=1,j;
+	unsigned int length=0;
+	long num,tmplen;
+	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
+	int informat,indent=0, noout = 0;
+	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
+	unsigned char *tmpbuf;
+	BUF_MEM *buf=NULL;
+	STACK *osk=NULL;
+	ASN1_TYPE *at=NULL;
+
+	informat=FORMAT_PEM;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	if ((osk=sk_new_null()) == NULL)
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto end;
+		}
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			derfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-i") == 0)
+			{
+			indent=1;
+			}
+		else if (strcmp(*argv,"-noout") == 0) noout = 1;
+		else if (strcmp(*argv,"-oid") == 0)
+			{
+			if (--argc < 1) goto bad;
+			oidfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-offset") == 0)
+			{
+			if (--argc < 1) goto bad;
+			offset= atoi(*(++argv));
+			}
+		else if (strcmp(*argv,"-length") == 0)
+			{
+			if (--argc < 1) goto bad;
+			length= atoi(*(++argv));
+			if (length == 0) goto bad;
+			}
+		else if (strcmp(*argv,"-strparse") == 0)
+			{
+			if (--argc < 1) goto bad;
+			sk_push(osk,*(++argv));
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
+		BIO_printf(bio_err," -in arg       input file\n");
+		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -noout arg    don't produce any output\n");
+		BIO_printf(bio_err," -offset arg   offset into file\n");
+		BIO_printf(bio_err," -length arg   length of section in file\n");
+		BIO_printf(bio_err," -i            indent entries\n");
+		BIO_printf(bio_err," -oid file     file of extra oid definitions\n");
+		BIO_printf(bio_err," -strparse offset\n");
+		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
+		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
+		BIO_printf(bio_err," -out filename output DER encoding to file\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (oidfile != NULL)
+		{
+		if (BIO_read_filename(in,oidfile) <= 0)
+			{
+			BIO_printf(bio_err,"problems opening %s\n",oidfile);
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		OBJ_create_objects(in);
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+
+	if (derfile) {
+		if(!(derout = BIO_new_file(derfile, "wb"))) {
+			BIO_printf(bio_err,"problems opening %s\n",derfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if ((buf=BUF_MEM_new()) == NULL) goto end;
+	if (!BUF_MEM_grow(buf,BUFSIZ*8)) goto end; /* Pre-allocate :-) */
+
+	if (informat == FORMAT_PEM)
+		{
+		BIO *tmp;
+
+		if ((b64=BIO_new(BIO_f_base64())) == NULL)
+			goto end;
+		BIO_push(b64,in);
+		tmp=in;
+		in=b64;
+		b64=tmp;
+		}
+
+	num=0;
+	for (;;)
+		{
+		if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
+		i=BIO_read(in,&(buf->data[num]),BUFSIZ);
+		if (i <= 0) break;
+		num+=i;
+		}
+	str=buf->data;
+
+	/* If any structs to parse go through in sequence */
+
+	if (sk_num(osk))
+		{
+		tmpbuf=(unsigned char *)str;
+		tmplen=num;
+		for (i=0; i<sk_num(osk); i++)
+			{
+			ASN1_TYPE *atmp;
+			j=atoi(sk_value(osk,i));
+			if (j == 0)
+				{
+				BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i));
+				continue;
+				}
+			tmpbuf+=j;
+			tmplen-=j;
+			atmp = at;
+			at = d2i_ASN1_TYPE(NULL,&tmpbuf,tmplen);
+			ASN1_TYPE_free(atmp);
+			if(!at)
+				{
+				BIO_printf(bio_err,"Error parsing structure\n");
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			/* hmm... this is a little evil but it works */
+			tmpbuf=at->value.asn1_string->data;
+			tmplen=at->value.asn1_string->length;
+			}
+		str=(char *)tmpbuf;
+		num=tmplen;
+		}
+
+	if (length == 0) length=(unsigned int)num;
+	if(derout) {
+		if(BIO_write(derout, str + offset, length) != (int)length) {
+			BIO_printf(bio_err, "Error writing output\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+	if (!noout &&
+	    !ASN1_parse(out,(unsigned char *)&(str[offset]),length,indent))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	ret=0;
+end:
+	BIO_free(derout);
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (b64 != NULL) BIO_free(b64);
+	if (ret != 0)
+		ERR_print_errors(bio_err);
+	if (buf != NULL) BUF_MEM_free(buf);
+	if (at != NULL) ASN1_TYPE_free(at);
+	if (osk != NULL) sk_free(osk);
+	OBJ_cleanup();
+	EXIT(ret);
+	}
+
diff --git a/crypto/openssl/apps/ca-cert.srl b/crypto/openssl/apps/ca-cert.srl
new file mode 100644
index 0000000..eeee65e
--- /dev/null
+++ b/crypto/openssl/apps/ca-cert.srl
@@ -0,0 +1 @@
+05
diff --git a/crypto/openssl/apps/ca-key.pem b/crypto/openssl/apps/ca-key.pem
new file mode 100644
index 0000000..3a520b2
--- /dev/null
+++ b/crypto/openssl/apps/ca-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/ca-req.pem b/crypto/openssl/apps/ca-req.pem
new file mode 100644
index 0000000..77bf7ec
--- /dev/null
+++ b/crypto/openssl/apps/ca-req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
+MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
+bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
+FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
+cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
+cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
+5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
+kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
new file mode 100644
index 0000000..73df13f
--- /dev/null
+++ b/crypto/openssl/apps/ca.c
@@ -0,0 +1,2235 @@
+/* apps/ca.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include <openssl/conf.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/txt_db.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+
+#ifndef W_OK
+#  ifdef VMS
+#    if defined(__DECC)
+#      include <unistd.h>
+#    else
+#      include <unixlib.h>
+#    endif
+#  else
+#    include <sys/file.h>
+#  endif
+#endif
+
+#ifndef W_OK
+#  define F_OK 0
+#  define X_OK 1
+#  define W_OK 2
+#  define R_OK 4
+#endif
+
+#undef PROG
+#define PROG ca_main
+
+#define BASE_SECTION	"ca"
+#define CONFIG_FILE "openssl.cnf"
+
+#define ENV_DEFAULT_CA		"default_ca"
+
+#define ENV_DIR			"dir"
+#define ENV_CERTS		"certs"
+#define ENV_CRL_DIR		"crl_dir"
+#define ENV_CA_DB		"CA_DB"
+#define ENV_NEW_CERTS_DIR	"new_certs_dir"
+#define ENV_CERTIFICATE 	"certificate"
+#define ENV_SERIAL		"serial"
+#define ENV_CRL			"crl"
+#define ENV_PRIVATE_KEY		"private_key"
+#define ENV_RANDFILE		"RANDFILE"
+#define ENV_DEFAULT_DAYS 	"default_days"
+#define ENV_DEFAULT_STARTDATE 	"default_startdate"
+#define ENV_DEFAULT_ENDDATE 	"default_enddate"
+#define ENV_DEFAULT_CRL_DAYS 	"default_crl_days"
+#define ENV_DEFAULT_CRL_HOURS 	"default_crl_hours"
+#define ENV_DEFAULT_MD		"default_md"
+#define ENV_PRESERVE		"preserve"
+#define ENV_POLICY      	"policy"
+#define ENV_EXTENSIONS      	"x509_extensions"
+#define ENV_CRLEXT      	"crl_extensions"
+#define ENV_MSIE_HACK		"msie_hack"
+
+#define ENV_DATABASE		"database"
+
+#define DB_type         0
+#define DB_exp_date     1
+#define DB_rev_date     2
+#define DB_serial       3       /* index - unique */
+#define DB_file         4       
+#define DB_name         5       /* index - unique for active */
+#define DB_NUMBER       6
+
+#define DB_TYPE_REV	'R'
+#define DB_TYPE_EXP	'E'
+#define DB_TYPE_VAL	'V'
+
+static char *ca_usage[]={
+"usage: ca args\n",
+"\n",
+" -verbose        - Talk alot while doing things\n",
+" -config file    - A config file\n",
+" -name arg       - The particular CA definition to use\n",
+" -gencrl         - Generate a new CRL\n",
+" -crldays days   - Days is when the next CRL is due\n",
+" -crlhours hours - Hours is when the next CRL is due\n",
+" -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
+" -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
+" -days arg       - number of days to certify the certificate for\n",
+" -md arg         - md to use, one of md2, md5, sha or sha1\n",
+" -policy arg     - The CA 'policy' to support\n",
+" -keyfile arg    - PEM private key file\n",
+" -key arg        - key to decode the private key if it is encrypted\n",
+" -cert file      - The CA certificate\n",
+" -in file        - The input PEM encoded certificate request(s)\n",
+" -out file       - Where to put the output file(s)\n",
+" -outdir dir     - Where to put output certificates\n",
+" -infiles ....   - The last argument, requests to process\n",
+" -spkac file     - File contains DN and signed public key and challenge\n",
+" -ss_cert file   - File contains a self signed cert to sign\n",
+" -preserveDN     - Don't re-order the DN\n",
+" -batch          - Don't ask questions\n",
+" -msie_hack      - msie modifications to handle all those universal strings\n",
+" -revoke file    - Revoke a certificate (given in file)\n",
+" -extensions ..  - Extension section (override value in config file)\n",
+" -crlexts ..     - CRL extension section (override value in config file)\n",
+NULL
+};
+
+#ifdef EFENCE
+extern int EF_PROTECT_FREE;
+extern int EF_PROTECT_BELOW;
+extern int EF_ALIGNMENT;
+#endif
+
+static int add_oid_section(LHASH *conf);
+static void lookup_fail(char *name,char *tag);
+static unsigned long index_serial_hash(char **a);
+static int index_serial_cmp(char **a, char **b);
+static unsigned long index_name_hash(char **a);
+static int index_name_qual(char **a);
+static int index_name_cmp(char **a,char **b);
+static BIGNUM *load_serial(char *serialfile);
+static int save_serial(char *serialfile, BIGNUM *serial);
+static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
+		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
+		   BIGNUM *serial, char *startdate,char *enddate, int days,
+		   int batch, char *ext_sect, LHASH *conf,int verbose);
+static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
+			const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
+			TXT_DB *db, BIGNUM *serial,char *startdate,
+			char *enddate, int days, int batch, char *ext_sect,
+			LHASH *conf,int verbose);
+static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
+			 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
+			 TXT_DB *db, BIGNUM *serial,char *startdate,
+			 char *enddate, int days, char *ext_sect,LHASH *conf,
+				int verbose);
+static int fix_data(int nid, int *type);
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
+static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
+	STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
+	char *startdate, char *enddate, int days, int batch, int verbose,
+	X509_REQ *req, char *ext_sect, LHASH *conf);
+static int do_revoke(X509 *x509, TXT_DB *db);
+static int check_time_format(char *str);
+static LHASH *conf=NULL;
+static char *section=NULL;
+
+static int preserve=0;
+static int msie_hack=0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	char *key=NULL;
+	int total=0;
+	int total_done=0;
+	int badops=0;
+	int ret=1;
+	int req=0;
+	int verbose=0;
+	int gencrl=0;
+	int dorevoke=0;
+	long crldays=0;
+	long crlhours=0;
+	long errorline= -1;
+	char *configfile=NULL;
+	char *md=NULL;
+	char *policy=NULL;
+	char *keyfile=NULL;
+	char *certfile=NULL;
+	char *infile=NULL;
+	char *spkac_file=NULL;
+	char *ss_cert_file=NULL;
+	EVP_PKEY *pkey=NULL;
+	int output_der = 0;
+	char *outfile=NULL;
+	char *outdir=NULL;
+	char *serialfile=NULL;
+	char *extensions=NULL;
+	char *crl_ext=NULL;
+	BIGNUM *serial=NULL;
+	char *startdate=NULL;
+	char *enddate=NULL;
+	int days=0;
+	int batch=0;
+	int notext=0;
+	X509 *x509=NULL;
+	X509 *x=NULL;
+	BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
+	char *dbfile=NULL;
+	TXT_DB *db=NULL;
+	X509_CRL *crl=NULL;
+	X509_CRL_INFO *ci=NULL;
+	X509_REVOKED *r=NULL;
+	char **pp,*p,*f;
+	int i,j;
+	long l;
+	const EVP_MD *dgst=NULL;
+	STACK_OF(CONF_VALUE) *attribs=NULL;
+	STACK *cert_sk=NULL;
+	BIO *hex=NULL;
+#undef BSIZE
+#define BSIZE 256
+	MS_STATIC char buf[3][BSIZE];
+	char *randfile=NULL;
+
+#ifdef EFENCE
+EF_PROTECT_FREE=1;
+EF_PROTECT_BELOW=1;
+EF_ALIGNMENT=0;
+#endif
+
+	apps_startup();
+
+	conf = NULL;
+	key = NULL;
+	section = NULL;
+
+	preserve=0;
+	msie_hack=0;
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-verbose") == 0)
+			verbose=1;
+		else if	(strcmp(*argv,"-config") == 0)
+			{
+			if (--argc < 1) goto bad;
+			configfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-name") == 0)
+			{
+			if (--argc < 1) goto bad;
+			section= *(++argv);
+			}
+		else if (strcmp(*argv,"-startdate") == 0)
+			{
+			if (--argc < 1) goto bad;
+			startdate= *(++argv);
+			}
+		else if (strcmp(*argv,"-enddate") == 0)
+			{
+			if (--argc < 1) goto bad;
+			enddate= *(++argv);
+			}
+		else if (strcmp(*argv,"-days") == 0)
+			{
+			if (--argc < 1) goto bad;
+			days=atoi(*(++argv));
+			}
+		else if (strcmp(*argv,"-md") == 0)
+			{
+			if (--argc < 1) goto bad;
+			md= *(++argv);
+			}
+		else if (strcmp(*argv,"-policy") == 0)
+			{
+			if (--argc < 1) goto bad;
+			policy= *(++argv);
+			}
+		else if (strcmp(*argv,"-keyfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			key= *(++argv);
+			}
+		else if (strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			certfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			req=1;
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-outdir") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outdir= *(++argv);
+			}
+		else if (strcmp(*argv,"-notext") == 0)
+			notext=1;
+		else if (strcmp(*argv,"-batch") == 0)
+			batch=1;
+		else if (strcmp(*argv,"-preserveDN") == 0)
+			preserve=1;
+		else if (strcmp(*argv,"-gencrl") == 0)
+			gencrl=1;
+		else if (strcmp(*argv,"-msie_hack") == 0)
+			msie_hack=1;
+		else if (strcmp(*argv,"-crldays") == 0)
+			{
+			if (--argc < 1) goto bad;
+			crldays= atol(*(++argv));
+			}
+		else if (strcmp(*argv,"-crlhours") == 0)
+			{
+			if (--argc < 1) goto bad;
+			crlhours= atol(*(++argv));
+			}
+		else if (strcmp(*argv,"-infiles") == 0)
+			{
+			argc--;
+			argv++;
+			req=1;
+			break;
+			}
+		else if (strcmp(*argv, "-ss_cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			ss_cert_file = *(++argv);
+			req=1;
+			}
+		else if (strcmp(*argv, "-spkac") == 0)
+			{
+			if (--argc < 1) goto bad;
+			spkac_file = *(++argv);
+			req=1;
+			}
+		else if (strcmp(*argv,"-revoke") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			dorevoke=1;
+			}
+		else if (strcmp(*argv,"-extensions") == 0)
+			{
+			if (--argc < 1) goto bad;
+			extensions= *(++argv);
+			}
+		else if (strcmp(*argv,"-crlexts") == 0)
+			{
+			if (--argc < 1) goto bad;
+			crl_ext= *(++argv);
+			}
+		else
+			{
+bad:
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+		for (pp=ca_usage; (*pp != NULL); pp++)
+			BIO_printf(bio_err,*pp);
+		goto err;
+		}
+
+	ERR_load_crypto_strings();
+
+	/*****************************************************************/
+	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
+	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
+	if (configfile == NULL)
+		{
+		/* We will just use 'buf[0]' as a temporary buffer.  */
+#ifdef VMS
+		strncpy(buf[0],X509_get_default_cert_area(),
+			sizeof(buf[0])-1-sizeof(CONFIG_FILE));
+#else
+		strncpy(buf[0],X509_get_default_cert_area(),
+			sizeof(buf[0])-2-sizeof(CONFIG_FILE));
+		strcat(buf[0],"/");
+#endif
+		strcat(buf[0],CONFIG_FILE);
+		configfile=buf[0];
+		}
+
+	BIO_printf(bio_err,"Using configuration from %s\n",configfile);
+	if ((conf=CONF_load(NULL,configfile,&errorline)) == NULL)
+		{
+		if (errorline <= 0)
+			BIO_printf(bio_err,"error loading the config file '%s'\n",
+				configfile);
+		else
+			BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
+				,errorline,configfile);
+		goto err;
+		}
+
+	/* Lets get the config section we are using */
+	if (section == NULL)
+		{
+		section=CONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
+		if (section == NULL)
+			{
+			lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
+			goto err;
+			}
+		}
+
+	if (conf != NULL)
+		{
+		p=CONF_get_string(conf,NULL,"oid_file");
+		if (p != NULL)
+			{
+			BIO *oid_bio;
+
+			oid_bio=BIO_new_file(p,"r");
+			if (oid_bio == NULL) 
+				{
+				/*
+				BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+				ERR_print_errors(bio_err);
+				*/
+				ERR_clear_error();
+				}
+			else
+				{
+				OBJ_create_objects(oid_bio);
+				BIO_free(oid_bio);
+				}
+			}
+		if(!add_oid_section(conf)) 
+			{
+			ERR_print_errors(bio_err);
+			goto err;
+			}
+		}
+
+	randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE");
+	app_RAND_load_file(randfile, bio_err, 0);
+	
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	Sout=BIO_new(BIO_s_file());
+	Cout=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	/*****************************************************************/
+	/* we definitely need an public key, so lets get it */
+
+	if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf,
+		section,ENV_PRIVATE_KEY)) == NULL))
+		{
+		lookup_fail(section,ENV_PRIVATE_KEY);
+		goto err;
+		}
+	if (BIO_read_filename(in,keyfile) <= 0)
+		{
+		perror(keyfile);
+		BIO_printf(bio_err,"trying to load CA private key\n");
+		goto err;
+		}
+		pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
+		if(key) memset(key,0,strlen(key));
+	if (pkey == NULL)
+		{
+		BIO_printf(bio_err,"unable to load CA private key\n");
+		goto err;
+		}
+
+	/*****************************************************************/
+	/* we need a certificate */
+	if ((certfile == NULL) && ((certfile=CONF_get_string(conf,
+		section,ENV_CERTIFICATE)) == NULL))
+		{
+		lookup_fail(section,ENV_CERTIFICATE);
+		goto err;
+		}
+        if (BIO_read_filename(in,certfile) <= 0)
+		{
+		perror(certfile);
+		BIO_printf(bio_err,"trying to load CA certificate\n");
+		goto err;
+		}
+	x509=PEM_read_bio_X509(in,NULL,NULL,NULL);
+	if (x509 == NULL)
+		{
+		BIO_printf(bio_err,"unable to load CA certificate\n");
+		goto err;
+		}
+
+	if (!X509_check_private_key(x509,pkey))
+		{
+		BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
+		goto err;
+		}
+
+	f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
+	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
+		preserve=1;
+	f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
+	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
+		msie_hack=1;
+
+	/*****************************************************************/
+	/* lookup where to write new certificates */
+	if ((outdir == NULL) && (req))
+		{
+		struct stat sb;
+
+		if ((outdir=CONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
+			== NULL)
+			{
+			BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
+			goto err;
+			}
+#ifndef VMS /* outdir is a directory spec, but access() for VMS demands a
+	       filename.  In any case, stat(), below, will catch the problem
+	       if outdir is not a directory spec, and the fopen() or open()
+	       will catch an error if there is no write access.
+
+	       Presumably, this problem could also be solved by using the DEC
+	       C routines to convert the directory syntax to Unixly, and give
+	       that to access().  However, time's too short to do that just
+	       now.
+            */
+		if (access(outdir,R_OK|W_OK|X_OK) != 0)
+			{
+			BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
+			perror(outdir);
+			goto err;
+			}
+
+		if (stat(outdir,&sb) != 0)
+			{
+			BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
+			perror(outdir);
+			goto err;
+			}
+#ifdef S_IFDIR
+		if (!(sb.st_mode & S_IFDIR))
+			{
+			BIO_printf(bio_err,"%s need to be a directory\n",outdir);
+			perror(outdir);
+			goto err;
+			}
+#endif
+#endif
+		}
+
+	/*****************************************************************/
+	/* we need to load the database file */
+	if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL)
+		{
+		lookup_fail(section,ENV_DATABASE);
+		goto err;
+		}
+	if (BIO_read_filename(in,dbfile) <= 0)
+		{
+		perror(dbfile);
+		BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+		goto err;
+		}
+	db=TXT_DB_read(in,DB_NUMBER);
+	if (db == NULL) goto err;
+
+	/* Lets check some fields */
+	for (i=0; i<sk_num(db->data); i++)
+		{
+		pp=(char **)sk_value(db->data,i);
+		if ((pp[DB_type][0] != DB_TYPE_REV) &&
+			(pp[DB_rev_date][0] != '\0'))
+			{
+			BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
+			goto err;
+			}
+		if ((pp[DB_type][0] == DB_TYPE_REV) &&
+			!check_time_format(pp[DB_rev_date]))
+			{
+			BIO_printf(bio_err,"entry %d: invalid revocation date\n",
+				i+1);
+			goto err;
+			}
+		if (!check_time_format(pp[DB_exp_date]))
+			{
+			BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
+			goto err;
+			}
+		p=pp[DB_serial];
+		j=strlen(p);
+		if ((j&1) || (j < 2))
+			{
+			BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
+			goto err;
+			}
+		while (*p)
+			{
+			if (!(	((*p >= '0') && (*p <= '9')) ||
+				((*p >= 'A') && (*p <= 'F')) ||
+				((*p >= 'a') && (*p <= 'f')))  )
+				{
+				BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
+				goto err;
+				}
+			p++;
+			}
+		}
+	if (verbose)
+		{
+		BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
+		TXT_DB_write(out,db);
+		BIO_printf(bio_err,"%d entries loaded from the database\n",
+			db->data->num);
+		BIO_printf(bio_err,"generating index\n");
+		}
+	
+	if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash,
+		index_serial_cmp))
+		{
+		BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
+		goto err;
+		}
+
+	if (!TXT_DB_create_index(db,DB_name,index_name_qual,index_name_hash,
+		index_name_cmp))
+		{
+		BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
+			db->error,db->arg1,db->arg2);
+		goto err;
+		}
+
+	/*****************************************************************/
+	if (req || gencrl)
+		{
+		if (outfile != NULL)
+			{
+
+			if (BIO_write_filename(Sout,outfile) <= 0)
+				{
+				perror(outfile);
+				goto err;
+				}
+			}
+		else
+			BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+		}
+
+	if (req)
+		{
+		if ((md == NULL) && ((md=CONF_get_string(conf,
+			section,ENV_DEFAULT_MD)) == NULL))
+			{
+			lookup_fail(section,ENV_DEFAULT_MD);
+			goto err;
+			}
+		if ((dgst=EVP_get_digestbyname(md)) == NULL)
+			{
+			BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+			goto err;
+			}
+		if (verbose)
+			BIO_printf(bio_err,"message digest is %s\n",
+				OBJ_nid2ln(dgst->type));
+		if ((policy == NULL) && ((policy=CONF_get_string(conf,
+			section,ENV_POLICY)) == NULL))
+			{
+			lookup_fail(section,ENV_POLICY);
+			goto err;
+			}
+		if (verbose)
+			BIO_printf(bio_err,"policy is %s\n",policy);
+
+		if ((serialfile=CONF_get_string(conf,section,ENV_SERIAL))
+			== NULL)
+			{
+			lookup_fail(section,ENV_SERIAL);
+			goto err;
+			}
+		if(!extensions)
+			extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
+		if(extensions) {
+			/* Check syntax of file */
+			X509V3_CTX ctx;
+			X509V3_set_ctx_test(&ctx);
+			X509V3_set_conf_lhash(&ctx, conf);
+			if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) {
+				BIO_printf(bio_err,
+				 "Error Loading extension section %s\n",
+								 extensions);
+				ret = 1;
+				goto err;
+			}
+		}
+
+		if (startdate == NULL)
+			{
+			startdate=CONF_get_string(conf,section,
+				ENV_DEFAULT_STARTDATE);
+			}
+		if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
+			{
+			BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
+			goto err;
+			}
+		if (startdate == NULL) startdate="today";
+
+		if (enddate == NULL)
+			{
+			enddate=CONF_get_string(conf,section,
+				ENV_DEFAULT_ENDDATE);
+			}
+		if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
+			{
+			BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
+			goto err;
+			}
+
+		if (days == 0)
+			{
+			days=(int)CONF_get_number(conf,section,
+				ENV_DEFAULT_DAYS);
+			}
+		if (!enddate && (days == 0))
+			{
+			BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
+			goto err;
+			}
+
+		if ((serial=load_serial(serialfile)) == NULL)
+			{
+			BIO_printf(bio_err,"error while loading serial number\n");
+			goto err;
+			}
+		if (verbose)
+			{
+			if ((f=BN_bn2hex(serial)) == NULL) goto err;
+			BIO_printf(bio_err,"next serial number is %s\n",f);
+			Free(f);
+			}
+
+		if ((attribs=CONF_get_section(conf,policy)) == NULL)
+			{
+			BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
+			goto err;
+			}
+
+		if ((cert_sk=sk_new_null()) == NULL)
+			{
+			BIO_printf(bio_err,"Malloc failure\n");
+			goto err;
+			}
+		if (spkac_file != NULL)
+			{
+			total++;
+			j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
+				serial,startdate,enddate, days,extensions,conf,
+				verbose);
+			if (j < 0) goto err;
+			if (j > 0)
+				{
+				total_done++;
+				BIO_printf(bio_err,"\n");
+				if (!BN_add_word(serial,1)) goto err;
+				if (!sk_push(cert_sk,(char *)x))
+					{
+					BIO_printf(bio_err,"Malloc failure\n");
+					goto err;
+					}
+				if (outfile)
+					{
+					output_der = 1;
+					batch = 1;
+					}
+				}
+			}
+		if (ss_cert_file != NULL)
+			{
+			total++;
+			j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
+				db,serial,startdate,enddate,days,batch,
+				extensions,conf,verbose);
+			if (j < 0) goto err;
+			if (j > 0)
+				{
+				total_done++;
+				BIO_printf(bio_err,"\n");
+				if (!BN_add_word(serial,1)) goto err;
+				if (!sk_push(cert_sk,(char *)x))
+					{
+					BIO_printf(bio_err,"Malloc failure\n");
+					goto err;
+					}
+				}
+			}
+		if (infile != NULL)
+			{
+			total++;
+			j=certify(&x,infile,pkey,x509,dgst,attribs,db,
+				serial,startdate,enddate,days,batch,
+				extensions,conf,verbose);
+			if (j < 0) goto err;
+			if (j > 0)
+				{
+				total_done++;
+				BIO_printf(bio_err,"\n");
+				if (!BN_add_word(serial,1)) goto err;
+				if (!sk_push(cert_sk,(char *)x))
+					{
+					BIO_printf(bio_err,"Malloc failure\n");
+					goto err;
+					}
+				}
+			}
+		for (i=0; i<argc; i++)
+			{
+			total++;
+			j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
+				serial,startdate,enddate,days,batch,
+				extensions,conf,verbose);
+			if (j < 0) goto err;
+			if (j > 0)
+				{
+				total_done++;
+				BIO_printf(bio_err,"\n");
+				if (!BN_add_word(serial,1)) goto err;
+				if (!sk_push(cert_sk,(char *)x))
+					{
+					BIO_printf(bio_err,"Malloc failure\n");
+					goto err;
+					}
+				}
+			}	
+		/* we have a stack of newly certified certificates
+		 * and a data base and serial number that need
+		 * updating */
+
+		if (sk_num(cert_sk) > 0)
+			{
+			if (!batch)
+				{
+				BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
+				(void)BIO_flush(bio_err);
+				buf[0][0]='\0';
+				fgets(buf[0],10,stdin);
+				if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
+					{
+					BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 
+					ret=0;
+					goto err;
+					}
+				}
+
+			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk));
+
+			strncpy(buf[0],serialfile,BSIZE-4);
+
+#ifdef VMS
+			strcat(buf[0],"-new");
+#else
+			strcat(buf[0],".new");
+#endif
+
+			if (!save_serial(buf[0],serial)) goto err;
+
+			strncpy(buf[1],dbfile,BSIZE-4);
+
+#ifdef VMS
+			strcat(buf[1],"-new");
+#else
+			strcat(buf[1],".new");
+#endif
+
+			if (BIO_write_filename(out,buf[1]) <= 0)
+				{
+				perror(dbfile);
+				BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+				goto err;
+				}
+			l=TXT_DB_write(out,db);
+			if (l <= 0) goto err;
+			}
+	
+		if (verbose)
+			BIO_printf(bio_err,"writing new certificates\n");
+		for (i=0; i<sk_num(cert_sk); i++)
+			{
+			int k;
+			unsigned char *n;
+
+			x=(X509 *)sk_value(cert_sk,i);
+
+			j=x->cert_info->serialNumber->length;
+			p=(char *)x->cert_info->serialNumber->data;
+			
+			strncpy(buf[2],outdir,BSIZE-(j*2)-6);
+
+#ifndef VMS
+			strcat(buf[2],"/");
+#endif
+
+			n=(unsigned char *)&(buf[2][strlen(buf[2])]);
+			if (j > 0)
+				{
+				for (k=0; k<j; k++)
+					{
+					sprintf((char *)n,"%02X",(unsigned char)*(p++));
+					n+=2;
+					}
+				}
+			else
+				{
+				*(n++)='0';
+				*(n++)='0';
+				}
+			*(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
+			*n='\0';
+			if (verbose)
+				BIO_printf(bio_err,"writing %s\n",buf[2]);
+
+			if (BIO_write_filename(Cout,buf[2]) <= 0)
+				{
+				perror(buf[2]);
+				goto err;
+				}
+			write_new_certificate(Cout,x, 0, notext);
+			write_new_certificate(Sout,x, output_der, notext);
+			}
+
+		if (sk_num(cert_sk))
+			{
+			/* Rename the database and the serial file */
+			strncpy(buf[2],serialfile,BSIZE-4);
+
+#ifdef VMS
+			strcat(buf[2],"-old");
+#else
+			strcat(buf[2],".old");
+#endif
+
+			BIO_free(in);
+			BIO_free(out);
+			in=NULL;
+			out=NULL;
+			if (rename(serialfile,buf[2]) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n",
+					serialfile,buf[2]);
+				perror("reason");
+				goto err;
+				}
+			if (rename(buf[0],serialfile) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n",
+					buf[0],serialfile);
+				perror("reason");
+				rename(buf[2],serialfile);
+				goto err;
+				}
+
+			strncpy(buf[2],dbfile,BSIZE-4);
+
+#ifdef VMS
+			strcat(buf[2],"-old");
+#else
+			strcat(buf[2],".old");
+#endif
+
+			if (rename(dbfile,buf[2]) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n",
+					dbfile,buf[2]);
+				perror("reason");
+				goto err;
+				}
+			if (rename(buf[1],dbfile) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n",
+					buf[1],dbfile);
+				perror("reason");
+				rename(buf[2],dbfile);
+				goto err;
+				}
+			BIO_printf(bio_err,"Data Base Updated\n");
+			}
+		}
+	
+	/*****************************************************************/
+	if (gencrl)
+		{
+		if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+		if(crl_ext) {
+			/* Check syntax of file */
+			X509V3_CTX ctx;
+			X509V3_set_ctx_test(&ctx);
+			X509V3_set_conf_lhash(&ctx, conf);
+			if(!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) {
+				BIO_printf(bio_err,
+				 "Error Loading CRL extension section %s\n",
+								 crl_ext);
+				ret = 1;
+				goto err;
+			}
+		}
+		if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
+
+		if (!crldays && !crlhours)
+			{
+			crldays=CONF_get_number(conf,section,
+				ENV_DEFAULT_CRL_DAYS);
+			crlhours=CONF_get_number(conf,section,
+				ENV_DEFAULT_CRL_HOURS);
+			}
+		if ((crldays == 0) && (crlhours == 0))
+			{
+			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
+			goto err;
+			}
+
+		if (verbose) BIO_printf(bio_err,"making CRL\n");
+		if ((crl=X509_CRL_new()) == NULL) goto err;
+		ci=crl->crl;
+		X509_NAME_free(ci->issuer);
+		ci->issuer=X509_NAME_dup(x509->cert_info->subject);
+		if (ci->issuer == NULL) goto err;
+
+		X509_gmtime_adj(ci->lastUpdate,0);
+		if (ci->nextUpdate == NULL)
+			ci->nextUpdate=ASN1_UTCTIME_new();
+		X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
+
+		for (i=0; i<sk_num(db->data); i++)
+			{
+			pp=(char **)sk_value(db->data,i);
+			if (pp[DB_type][0] == DB_TYPE_REV)
+				{
+				if ((r=X509_REVOKED_new()) == NULL) goto err;
+				ASN1_STRING_set((ASN1_STRING *)
+					r->revocationDate,
+					(unsigned char *)pp[DB_rev_date],
+					strlen(pp[DB_rev_date]));
+				/* strcpy(r->revocationDate,pp[DB_rev_date]);*/
+
+				(void)BIO_reset(hex);
+				if (!BIO_puts(hex,pp[DB_serial]))
+					goto err;
+				if (!a2i_ASN1_INTEGER(hex,r->serialNumber,
+					buf[0],BSIZE)) goto err;
+
+				sk_X509_REVOKED_push(ci->revoked,r);
+				}
+			}
+		/* sort the data so it will be written in serial
+		 * number order */
+		sk_X509_REVOKED_sort(ci->revoked);
+		for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
+			{
+			r=sk_X509_REVOKED_value(ci->revoked,i);
+			r->sequence=i;
+			}
+
+		/* we now have a CRL */
+		if (verbose) BIO_printf(bio_err,"signing CRL\n");
+		if (md != NULL)
+			{
+			if ((dgst=EVP_get_digestbyname(md)) == NULL)
+				{
+				BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+				goto err;
+				}
+			}
+		else
+		    {
+#ifndef NO_DSA
+		    if (pkey->type == EVP_PKEY_DSA) 
+			dgst=EVP_dss1();
+		    else
+#endif
+			dgst=EVP_md5();
+		    }
+
+		/* Add any extensions asked for */
+
+		if(crl_ext) {
+		    X509V3_CTX crlctx;
+		    if (ci->version == NULL)
+		    if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+		    ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+		    X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
+		    X509V3_set_conf_lhash(&crlctx, conf);
+
+		    if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+						 crl_ext, crl)) goto err;
+		}
+
+		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
+
+		PEM_write_bio_X509_CRL(Sout,crl);
+		}
+	/*****************************************************************/
+	if (dorevoke)
+		{
+		if (infile == NULL) 
+			{
+			BIO_printf(bio_err,"no input files\n");
+			goto err;
+			}
+		else
+			{
+			X509 *revcert;
+			if (BIO_read_filename(in,infile) <= 0)
+				{
+				perror(infile);
+				BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
+				goto err;
+				}
+			revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
+			if (revcert == NULL)
+				{
+				BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
+				goto err;
+				}
+			j=do_revoke(revcert,db);
+			if (j <= 0) goto err;
+			X509_free(revcert);
+
+			strncpy(buf[0],dbfile,BSIZE-4);
+			strcat(buf[0],".new");
+			if (BIO_write_filename(out,buf[0]) <= 0)
+				{
+				perror(dbfile);
+				BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+				goto err;
+				}
+			j=TXT_DB_write(out,db);
+			if (j <= 0) goto err;
+			strncpy(buf[1],dbfile,BSIZE-4);
+			strcat(buf[1],".old");
+			if (rename(dbfile,buf[1]) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
+				perror("reason");
+				goto err;
+				}
+			if (rename(buf[0],dbfile) < 0)
+				{
+				BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
+				perror("reason");
+				rename(buf[1],dbfile);
+				goto err;
+				}
+			BIO_printf(bio_err,"Data Base Updated\n"); 
+			}
+		}
+	/*****************************************************************/
+	ret=0;
+err:
+	BIO_free(hex);
+	BIO_free(Cout);
+	BIO_free(Sout);
+	BIO_free(out);
+	BIO_free(in);
+
+	sk_pop_free(cert_sk,X509_free);
+
+	if (ret) ERR_print_errors(bio_err);
+	app_RAND_write_file(randfile, bio_err);
+	BN_free(serial);
+	TXT_DB_free(db);
+	EVP_PKEY_free(pkey);
+	X509_free(x509);
+	X509_CRL_free(crl);
+	CONF_free(conf);
+	OBJ_cleanup();
+	EXIT(ret);
+	}
+
+static void lookup_fail(char *name, char *tag)
+	{
+	BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
+	}
+
+static unsigned long index_serial_hash(char **a)
+	{
+	char *n;
+
+	n=a[DB_serial];
+	while (*n == '0') n++;
+	return(lh_strhash(n));
+	}
+
+static int index_serial_cmp(char **a, char **b)
+	{
+	char *aa,*bb;
+
+	for (aa=a[DB_serial]; *aa == '0'; aa++);
+	for (bb=b[DB_serial]; *bb == '0'; bb++);
+	return(strcmp(aa,bb));
+	}
+
+static unsigned long index_name_hash(char **a)
+	{ return(lh_strhash(a[DB_name])); }
+
+static int index_name_qual(char **a)
+	{ return(a[0][0] == 'V'); }
+
+static int index_name_cmp(char **a, char **b)
+	{ return(strcmp(a[DB_name],
+	     b[DB_name])); }
+
+static BIGNUM *load_serial(char *serialfile)
+	{
+	BIO *in=NULL;
+	BIGNUM *ret=NULL;
+	MS_STATIC char buf[1024];
+	ASN1_INTEGER *ai=NULL;
+
+	if ((in=BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	if (BIO_read_filename(in,serialfile) <= 0)
+		{
+		perror(serialfile);
+		goto err;
+		}
+	ai=ASN1_INTEGER_new();
+	if (ai == NULL) goto err;
+	if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
+		{
+		BIO_printf(bio_err,"unable to load number from %s\n",
+			serialfile);
+		goto err;
+		}
+	ret=ASN1_INTEGER_to_BN(ai,NULL);
+	if (ret == NULL)
+		{
+		BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+		goto err;
+		}
+err:
+	if (in != NULL) BIO_free(in);
+	if (ai != NULL) ASN1_INTEGER_free(ai);
+	return(ret);
+	}
+
+static int save_serial(char *serialfile, BIGNUM *serial)
+	{
+	BIO *out;
+	int ret=0;
+	ASN1_INTEGER *ai=NULL;
+
+	out=BIO_new(BIO_s_file());
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+	if (BIO_write_filename(out,serialfile) <= 0)
+		{
+		perror(serialfile);
+		goto err;
+		}
+
+	if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
+		{
+		BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
+		goto err;
+		}
+	i2a_ASN1_INTEGER(out,ai);
+	BIO_puts(out,"\n");
+	ret=1;
+err:
+	if (out != NULL) BIO_free(out);
+	if (ai != NULL) ASN1_INTEGER_free(ai);
+	return(ret);
+	}
+
+static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     BIGNUM *serial, char *startdate, char *enddate, int days,
+	     int batch, char *ext_sect, LHASH *lconf, int verbose)
+	{
+	X509_REQ *req=NULL;
+	BIO *in=NULL;
+	EVP_PKEY *pktmp=NULL;
+	int ok= -1,i;
+
+	in=BIO_new(BIO_s_file());
+
+	if (BIO_read_filename(in,infile) <= 0)
+		{
+		perror(infile);
+		goto err;
+		}
+	if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
+		{
+		BIO_printf(bio_err,"Error reading certificate request in %s\n",
+			infile);
+		goto err;
+		}
+	if (verbose)
+		X509_REQ_print(bio_err,req);
+
+	BIO_printf(bio_err,"Check that the request matches the signature\n");
+
+	if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
+		{
+		BIO_printf(bio_err,"error unpacking public key\n");
+		goto err;
+		}
+	i=X509_REQ_verify(req,pktmp);
+	EVP_PKEY_free(pktmp);
+	if (i < 0)
+		{
+		ok=0;
+		BIO_printf(bio_err,"Signature verification problems....\n");
+		goto err;
+		}
+	if (i == 0)
+		{
+		ok=0;
+		BIO_printf(bio_err,"Signature did not match the certificate request\n");
+		goto err;
+		}
+	else
+		BIO_printf(bio_err,"Signature ok\n");
+
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate, enddate,
+		days,batch,verbose,req,ext_sect,lconf);
+
+err:
+	if (req != NULL) X509_REQ_free(req);
+	if (in != NULL) BIO_free(in);
+	return(ok);
+	}
+
+static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     BIGNUM *serial, char *startdate, char *enddate, int days,
+	     int batch, char *ext_sect, LHASH *lconf, int verbose)
+	{
+	X509 *req=NULL;
+	X509_REQ *rreq=NULL;
+	BIO *in=NULL;
+	EVP_PKEY *pktmp=NULL;
+	int ok= -1,i;
+
+	in=BIO_new(BIO_s_file());
+
+	if (BIO_read_filename(in,infile) <= 0)
+		{
+		perror(infile);
+		goto err;
+		}
+	if ((req=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
+		{
+		BIO_printf(bio_err,"Error reading self signed certificate in %s\n",infile);
+		goto err;
+		}
+	if (verbose)
+		X509_print(bio_err,req);
+
+	BIO_printf(bio_err,"Check that the request matches the signature\n");
+
+	if ((pktmp=X509_get_pubkey(req)) == NULL)
+		{
+		BIO_printf(bio_err,"error unpacking public key\n");
+		goto err;
+		}
+	i=X509_verify(req,pktmp);
+	EVP_PKEY_free(pktmp);
+	if (i < 0)
+		{
+		ok=0;
+		BIO_printf(bio_err,"Signature verification problems....\n");
+		goto err;
+		}
+	if (i == 0)
+		{
+		ok=0;
+		BIO_printf(bio_err,"Signature did not match the certificate\n");
+		goto err;
+		}
+	else
+		BIO_printf(bio_err,"Signature ok\n");
+
+	if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
+		goto err;
+
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,days,
+		batch,verbose,rreq,ext_sect,lconf);
+
+err:
+	if (rreq != NULL) X509_REQ_free(rreq);
+	if (req != NULL) X509_free(req);
+	if (in != NULL) BIO_free(in);
+	return(ok);
+	}
+
+static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
+	     STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
+	     char *startdate, char *enddate, int days, int batch, int verbose,
+	     X509_REQ *req, char *ext_sect, LHASH *lconf)
+	{
+	X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
+	ASN1_UTCTIME *tm,*tmptm;
+	ASN1_STRING *str,*str2;
+	ASN1_OBJECT *obj;
+	X509 *ret=NULL;
+	X509_CINF *ci;
+	X509_NAME_ENTRY *ne;
+	X509_NAME_ENTRY *tne,*push;
+	EVP_PKEY *pktmp;
+	int ok= -1,i,j,last,nid;
+	char *p;
+	CONF_VALUE *cv;
+	char *row[DB_NUMBER],**rrow,**irow=NULL;
+	char buf[25],*pbuf;
+
+	tmptm=ASN1_UTCTIME_new();
+	if (tmptm == NULL)
+		{
+		BIO_printf(bio_err,"malloc error\n");
+		return(0);
+		}
+
+	for (i=0; i<DB_NUMBER; i++)
+		row[i]=NULL;
+
+	BIO_printf(bio_err,"The Subjects Distinguished Name is as follows\n");
+	name=X509_REQ_get_subject_name(req);
+	for (i=0; i<X509_NAME_entry_count(name); i++)
+		{
+		ne=(X509_NAME_ENTRY *)X509_NAME_get_entry(name,i);
+		obj=X509_NAME_ENTRY_get_object(ne);
+		j=i2a_ASN1_OBJECT(bio_err,obj);
+		str=X509_NAME_ENTRY_get_data(ne);
+		pbuf=buf;
+		for (j=22-j; j>0; j--)
+			*(pbuf++)=' ';
+		*(pbuf++)=':';
+		*(pbuf++)='\0';
+		BIO_puts(bio_err,buf);
+
+		if (msie_hack)
+			{
+			/* assume all type should be strings */
+			nid=OBJ_obj2nid(ne->object);
+
+			if (str->type == V_ASN1_UNIVERSALSTRING)
+				ASN1_UNIVERSALSTRING_to_string(str);
+
+			if ((str->type == V_ASN1_IA5STRING) &&
+				(nid != NID_pkcs9_emailAddress))
+				str->type=V_ASN1_T61STRING;
+
+			if ((nid == NID_pkcs9_emailAddress) &&
+				(str->type == V_ASN1_PRINTABLESTRING))
+				str->type=V_ASN1_IA5STRING;
+			}
+
+		if (str->type == V_ASN1_PRINTABLESTRING)
+			BIO_printf(bio_err,"PRINTABLE:'");
+		else if (str->type == V_ASN1_T61STRING)
+			BIO_printf(bio_err,"T61STRING:'");
+		else if (str->type == V_ASN1_IA5STRING)
+			BIO_printf(bio_err,"IA5STRING:'");
+		else if (str->type == V_ASN1_UNIVERSALSTRING)
+			BIO_printf(bio_err,"UNIVERSALSTRING:'");
+		else
+			BIO_printf(bio_err,"ASN.1 %2d:'",str->type);
+
+		/* check some things */
+		if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
+			(str->type != V_ASN1_IA5STRING))
+			{
+			BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
+			goto err;
+			}
+		j=ASN1_PRINTABLE_type(str->data,str->length);
+		if (	((j == V_ASN1_T61STRING) &&
+			 (str->type != V_ASN1_T61STRING)) ||
+			((j == V_ASN1_IA5STRING) &&
+			 (str->type == V_ASN1_PRINTABLESTRING)))
+			{
+			BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
+			goto err;
+			}
+			
+		p=(char *)str->data;
+		for (j=str->length; j>0; j--)
+			{
+			if ((*p >= ' ') && (*p <= '~'))
+				BIO_printf(bio_err,"%c",*p);
+			else if (*p & 0x80)
+				BIO_printf(bio_err,"\\0x%02X",*p);
+			else if ((unsigned char)*p == 0xf7)
+				BIO_printf(bio_err,"^?");
+			else	BIO_printf(bio_err,"^%c",*p+'@');
+			p++;
+			}
+		BIO_printf(bio_err,"'\n");
+		}
+
+	/* Ok, now we check the 'policy' stuff. */
+	if ((subject=X509_NAME_new()) == NULL)
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto err;
+		}
+
+	/* take a copy of the issuer name before we mess with it. */
+	CAname=X509_NAME_dup(x509->cert_info->subject);
+	if (CAname == NULL) goto err;
+	str=str2=NULL;
+
+	for (i=0; i<sk_CONF_VALUE_num(policy); i++)
+		{
+		cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
+		if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
+			{
+			BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
+			goto err;
+			}
+		obj=OBJ_nid2obj(j);
+
+		last= -1;
+		for (;;)
+			{
+			/* lookup the object in the supplied name list */
+			j=X509_NAME_get_index_by_OBJ(name,obj,last);
+			if (j < 0)
+				{
+				if (last != -1) break;
+				tne=NULL;
+				}
+			else
+				{
+				tne=X509_NAME_get_entry(name,j);
+				}
+			last=j;
+
+			/* depending on the 'policy', decide what to do. */
+			push=NULL;
+			if (strcmp(cv->value,"optional") == 0)
+				{
+				if (tne != NULL)
+					push=tne;
+				}
+			else if (strcmp(cv->value,"supplied") == 0)
+				{
+				if (tne == NULL)
+					{
+					BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
+					goto err;
+					}
+				else
+					push=tne;
+				}
+			else if (strcmp(cv->value,"match") == 0)
+				{
+				int last2;
+
+				if (tne == NULL)
+					{
+					BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
+					goto err;
+					}
+
+				last2= -1;
+
+again2:
+				j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
+				if ((j < 0) && (last2 == -1))
+					{
+					BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
+					goto err;
+					}
+				if (j >= 0)
+					{
+					push=X509_NAME_get_entry(CAname,j);
+					str=X509_NAME_ENTRY_get_data(tne);
+					str2=X509_NAME_ENTRY_get_data(push);
+					last2=j;
+					if (ASN1_STRING_cmp(str,str2) != 0)
+						goto again2;
+					}
+				if (j < 0)
+					{
+					BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
+					goto err;
+					}
+				}
+			else
+				{
+				BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
+				goto err;
+				}
+
+			if (push != NULL)
+				{
+				if (!X509_NAME_add_entry(subject,push, -1, 0))
+					{
+					if (push != NULL)
+						X509_NAME_ENTRY_free(push);
+					BIO_printf(bio_err,"Malloc failure\n");
+					goto err;
+					}
+				}
+			if (j < 0) break;
+			}
+		}
+
+	if (preserve)
+		{
+		X509_NAME_free(subject);
+		subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
+		if (subject == NULL) goto err;
+		}
+
+	if (verbose)
+		BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
+
+	row[DB_name]=X509_NAME_oneline(subject,NULL,0);
+	row[DB_serial]=BN_bn2hex(serial);
+	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto err;
+		}
+
+	rrow=TXT_DB_get_by_index(db,DB_name,row);
+	if (rrow != NULL)
+		{
+		BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
+			row[DB_name]);
+		}
+	else
+		{
+		rrow=TXT_DB_get_by_index(db,DB_serial,row);
+		if (rrow != NULL)
+			{
+			BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
+				row[DB_serial]);
+			BIO_printf(bio_err,"      check the database/serial_file for corruption\n");
+			}
+		}
+
+	if (rrow != NULL)
+		{
+		BIO_printf(bio_err,
+			"The matching entry has the following details\n");
+		if (rrow[DB_type][0] == 'E')
+			p="Expired";
+		else if (rrow[DB_type][0] == 'R')
+			p="Revoked";
+		else if (rrow[DB_type][0] == 'V')
+			p="Valid";
+		else
+			p="\ninvalid type, Data base error\n";
+		BIO_printf(bio_err,"Type	  :%s\n",p);;
+		if (rrow[DB_type][0] == 'R')
+			{
+			p=rrow[DB_exp_date]; if (p == NULL) p="undef";
+			BIO_printf(bio_err,"Was revoked on:%s\n",p);
+			}
+		p=rrow[DB_exp_date]; if (p == NULL) p="undef";
+		BIO_printf(bio_err,"Expires on    :%s\n",p);
+		p=rrow[DB_serial]; if (p == NULL) p="undef";
+		BIO_printf(bio_err,"Serial Number :%s\n",p);
+		p=rrow[DB_file]; if (p == NULL) p="undef";
+		BIO_printf(bio_err,"File name     :%s\n",p);
+		p=rrow[DB_name]; if (p == NULL) p="undef";
+		BIO_printf(bio_err,"Subject Name  :%s\n",p);
+		ok= -1; /* This is now a 'bad' error. */
+		goto err;
+		}
+
+	/* We are now totally happy, lets make and sign the certificate */
+	if (verbose)
+		BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
+
+	if ((ret=X509_new()) == NULL) goto err;
+	ci=ret->cert_info;
+
+#ifdef X509_V3
+	/* Make it an X509 v3 certificate. */
+	if (!X509_set_version(x509,2)) goto err;
+#endif
+
+	if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
+		goto err;
+	if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
+		goto err;
+
+	BIO_printf(bio_err,"Certificate is to be certified until ");
+	if (strcmp(startdate,"today") == 0)
+		X509_gmtime_adj(X509_get_notBefore(ret),0);
+	else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
+
+	if (enddate == NULL)
+		X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
+	else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
+
+	ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
+	if(days) BIO_printf(bio_err," (%d days)",days);
+	BIO_printf(bio_err, "\n");
+
+	if (!X509_set_subject_name(ret,subject)) goto err;
+
+	pktmp=X509_REQ_get_pubkey(req);
+	i = X509_set_pubkey(ret,pktmp);
+	EVP_PKEY_free(pktmp);
+	if (!i) goto err;
+
+	/* Lets add the extensions, if there are any */
+	if (ext_sect)
+		{
+		X509V3_CTX ctx;
+		if (ci->version == NULL)
+			if ((ci->version=ASN1_INTEGER_new()) == NULL)
+				goto err;
+		ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
+
+		/* Free the current entries if any, there should not
+		 * be any I believe */
+		if (ci->extensions != NULL)
+			sk_X509_EXTENSION_pop_free(ci->extensions,
+						   X509_EXTENSION_free);
+
+		ci->extensions = NULL;
+
+		X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
+		X509V3_set_conf_lhash(&ctx, lconf);
+
+		if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
+
+		}
+
+
+	if (!batch)
+		{
+		BIO_printf(bio_err,"Sign the certificate? [y/n]:");
+		(void)BIO_flush(bio_err);
+		buf[0]='\0';
+		fgets(buf,sizeof(buf)-1,stdin);
+		if (!((buf[0] == 'y') || (buf[0] == 'Y')))
+			{
+			BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
+			ok=0;
+			goto err;
+			}
+		}
+
+
+#ifndef NO_DSA
+	if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
+	pktmp=X509_get_pubkey(ret);
+	if (EVP_PKEY_missing_parameters(pktmp) &&
+		!EVP_PKEY_missing_parameters(pkey))
+		EVP_PKEY_copy_parameters(pktmp,pkey);
+	EVP_PKEY_free(pktmp);
+#endif
+
+	if (!X509_sign(ret,pkey,dgst))
+		goto err;
+
+	/* We now just add it to the database */
+	row[DB_type]=(char *)Malloc(2);
+
+	tm=X509_get_notAfter(ret);
+	row[DB_exp_date]=(char *)Malloc(tm->length+1);
+	memcpy(row[DB_exp_date],tm->data,tm->length);
+	row[DB_exp_date][tm->length]='\0';
+
+	row[DB_rev_date]=NULL;
+
+	/* row[DB_serial] done already */
+	row[DB_file]=(char *)Malloc(8);
+	/* row[DB_name] done already */
+
+	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+		(row[DB_file] == NULL))
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto err;
+		}
+	strcpy(row[DB_file],"unknown");
+	row[DB_type][0]='V';
+	row[DB_type][1]='\0';
+
+	if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto err;
+		}
+
+	for (i=0; i<DB_NUMBER; i++)
+		{
+		irow[i]=row[i];
+		row[i]=NULL;
+		}
+	irow[DB_NUMBER]=NULL;
+
+	if (!TXT_DB_insert(db,irow))
+		{
+		BIO_printf(bio_err,"failed to update database\n");
+		BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+		goto err;
+		}
+	ok=1;
+err:
+	for (i=0; i<DB_NUMBER; i++)
+		if (row[i] != NULL) Free(row[i]);
+
+	if (CAname != NULL)
+		X509_NAME_free(CAname);
+	if (subject != NULL)
+		X509_NAME_free(subject);
+	if (tmptm != NULL)
+		ASN1_UTCTIME_free(tmptm);
+	if (ok <= 0)
+		{
+		if (ret != NULL) X509_free(ret);
+		ret=NULL;
+		}
+	else
+		*xret=ret;
+	return(ok);
+	}
+
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
+	{
+
+	if (output_der)
+		{
+		(void)i2d_X509_bio(bp,x);
+		return;
+		}
+#if 0
+	/* ??? Not needed since X509_print prints all this stuff anyway */
+	f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+	BIO_printf(bp,"issuer :%s\n",f);
+
+	f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+	BIO_printf(bp,"subject:%s\n",f);
+
+	BIO_puts(bp,"serial :");
+	i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
+	BIO_puts(bp,"\n\n");
+#endif
+	if(!notext)X509_print(bp,x);
+	PEM_write_bio_X509(bp,x);
+	}
+
+static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     BIGNUM *serial, char *startdate, char *enddate, int days,
+	     char *ext_sect, LHASH *lconf, int verbose)
+	{
+	STACK_OF(CONF_VALUE) *sk=NULL;
+	LHASH *parms=NULL;
+	X509_REQ *req=NULL;
+	CONF_VALUE *cv=NULL;
+	NETSCAPE_SPKI *spki = NULL;
+	X509_REQ_INFO *ri;
+	char *type,*buf;
+	EVP_PKEY *pktmp=NULL;
+	X509_NAME *n=NULL;
+	X509_NAME_ENTRY *ne=NULL;
+	int ok= -1,i,j;
+	long errline;
+	int nid;
+
+	/*
+	 * Load input file into a hash table.  (This is just an easy
+	 * way to read and parse the file, then put it into a convenient
+	 * STACK format).
+	 */
+	parms=CONF_load(NULL,infile,&errline);
+	if (parms == NULL)
+		{
+		BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	sk=CONF_get_section(parms, "default");
+	if (sk_CONF_VALUE_num(sk) == 0)
+		{
+		BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
+		CONF_free(parms);
+		goto err;
+		}
+
+	/*
+	 * Now create a dummy X509 request structure.  We don't actually
+	 * have an X509 request, but we have many of the components
+	 * (a public key, various DN components).  The idea is that we
+	 * put these components into the right X509 request structure
+	 * and we can use the same code as if you had a real X509 request.
+	 */
+	req=X509_REQ_new();
+	if (req == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	/*
+	 * Build up the subject name set.
+	 */
+	ri=req->req_info;
+	n = ri->subject;
+
+	for (i = 0; ; i++)
+		{
+		if (sk_CONF_VALUE_num(sk) <= i) break;
+
+		cv=sk_CONF_VALUE_value(sk,i);
+		type=cv->name;
+		/* Skip past any leading X. X: X, etc to allow for
+		 * multiple instances
+		 */
+		for(buf = cv->name; *buf ; buf++)
+			if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
+					buf++;
+					if(*buf) type = buf;
+					break;
+		}
+
+		buf=cv->value;
+		if ((nid=OBJ_txt2nid(type)) == NID_undef)
+			{
+			if (strcmp(type, "SPKAC") == 0)
+				{
+				spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
+				if (spki == NULL)
+					{
+					BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
+					ERR_print_errors(bio_err);
+					goto err;
+					}
+				}
+			continue;
+			}
+
+		j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
+		if (fix_data(nid, &j) == 0)
+			{
+			BIO_printf(bio_err,
+				"invalid characters in string %s\n",buf);
+			goto err;
+			}
+
+		if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
+			(unsigned char *)buf,
+			strlen(buf))) == NULL)
+			goto err;
+
+		if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
+		}
+	if (spki == NULL)
+		{
+		BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
+			infile);
+		goto err;
+		}
+
+	/*
+	 * Now extract the key from the SPKI structure.
+	 */
+
+	BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
+
+	if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
+		{
+		BIO_printf(bio_err,"error unpacking SPKAC public key\n");
+		goto err;
+		}
+
+	j = NETSCAPE_SPKI_verify(spki, pktmp);
+	if (j <= 0)
+		{
+		BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
+		goto err;
+		}
+	BIO_printf(bio_err,"Signature ok\n");
+
+	X509_REQ_set_pubkey(req,pktmp);
+	EVP_PKEY_free(pktmp);
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,
+		   days,1,verbose,req,ext_sect,lconf);
+err:
+	if (req != NULL) X509_REQ_free(req);
+	if (parms != NULL) CONF_free(parms);
+	if (spki != NULL) NETSCAPE_SPKI_free(spki);
+	if (ne != NULL) X509_NAME_ENTRY_free(ne);
+
+	return(ok);
+	}
+
+static int fix_data(int nid, int *type)
+	{
+	if (nid == NID_pkcs9_emailAddress)
+		*type=V_ASN1_IA5STRING;
+	if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
+		*type=V_ASN1_T61STRING;
+	if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
+		*type=V_ASN1_T61STRING;
+	if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
+		return(0);
+	if (nid == NID_pkcs9_unstructuredName)
+		*type=V_ASN1_IA5STRING;
+	return(1);
+	}
+
+static int check_time_format(char *str)
+	{
+	ASN1_UTCTIME tm;
+
+	tm.data=(unsigned char *)str;
+	tm.length=strlen(str);
+	tm.type=V_ASN1_UTCTIME;
+	return(ASN1_UTCTIME_check(&tm));
+	}
+
+static int add_oid_section(LHASH *hconf)
+{	
+	char *p;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
+	if(!(sktmp = CONF_get_section(hconf, p))) {
+		BIO_printf(bio_err, "problem loading oid section %s\n", p);
+		return 0;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
+		cnf = sk_CONF_VALUE_value(sktmp, i);
+		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+			BIO_printf(bio_err, "problem creating object %s=%s\n",
+							 cnf->name, cnf->value);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+static int do_revoke(X509 *x509, TXT_DB *db)
+{
+	ASN1_UTCTIME *tm=NULL, *revtm=NULL;
+	char *row[DB_NUMBER],**rrow,**irow;
+	BIGNUM *bn = NULL;
+	int ok=-1,i;
+
+	for (i=0; i<DB_NUMBER; i++)
+		row[i]=NULL;
+	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
+	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
+	row[DB_serial]=BN_bn2hex(bn);
+	BN_free(bn);
+	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto err;
+		}
+	/* We have to lookup by serial number because name lookup
+	 * skips revoked certs
+ 	 */
+	rrow=TXT_DB_get_by_index(db,DB_serial,row);
+	if (rrow == NULL)
+		{
+		BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
+
+		/* We now just add it to the database */
+		row[DB_type]=(char *)Malloc(2);
+
+		tm=X509_get_notAfter(x509);
+		row[DB_exp_date]=(char *)Malloc(tm->length+1);
+		memcpy(row[DB_exp_date],tm->data,tm->length);
+		row[DB_exp_date][tm->length]='\0';
+
+		row[DB_rev_date]=NULL;
+
+		/* row[DB_serial] done already */
+		row[DB_file]=(char *)Malloc(8);
+
+		/* row[DB_name] done already */
+
+		if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+			(row[DB_file] == NULL))
+			{
+			BIO_printf(bio_err,"Malloc failure\n");
+			goto err;
+			}
+		strcpy(row[DB_file],"unknown");
+		row[DB_type][0]='V';
+		row[DB_type][1]='\0';
+
+		if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+			{
+			BIO_printf(bio_err,"Malloc failure\n");
+			goto err;
+			}
+
+		for (i=0; i<DB_NUMBER; i++)
+			{
+			irow[i]=row[i];
+			row[i]=NULL;
+			}
+		irow[DB_NUMBER]=NULL;
+
+		if (!TXT_DB_insert(db,irow))
+			{
+			BIO_printf(bio_err,"failed to update database\n");
+			BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+			goto err;
+			}
+
+		/* Revoke Certificate */
+		ok = do_revoke(x509,db);
+
+		goto err;
+
+		}
+	else if (index_name_cmp(row,rrow))
+		{
+		BIO_printf(bio_err,"ERROR:name does not match %s\n",
+			   row[DB_name]);
+		goto err;
+		}
+	else if (rrow[DB_type][0]=='R')
+		{
+		BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
+			   row[DB_serial]);
+		goto err;
+		}
+	else
+		{
+		BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
+		revtm = ASN1_UTCTIME_new();
+		revtm=X509_gmtime_adj(revtm,0);
+		rrow[DB_type][0]='R';
+		rrow[DB_type][1]='\0';
+		rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
+		memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
+		rrow[DB_rev_date][revtm->length]='\0';
+		ASN1_UTCTIME_free(revtm);
+		}
+	ok=1;
+err:
+	for (i=0; i<DB_NUMBER; i++)
+		{
+		if (row[i] != NULL) 
+			Free(row[i]);
+		}
+	return(ok);
+}
+
diff --git a/crypto/openssl/apps/cert.pem b/crypto/openssl/apps/cert.pem
new file mode 100644
index 0000000..de4a77a
--- /dev/null
+++ b/crypto/openssl/apps/cert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa
+Fw05NzEwMDkwMzQxMjZaMF4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
+YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMT
+DkVyaWMgdGhlIFlvdW5nMFEwCQYFKw4DAgwFAANEAAJBALVEqPODnpI4rShlY8S7
+tB713JNvabvn6Gned7zylwLLiXQAo/PAT6mfdWPTyCX9RlId/Aroh1ou893BA32Q
+sggwDQYJKoZIhvcNAQEEBQADQQCU5SSgapJSdRXJoX+CpCvFy+JVh9HpSjCpSNKO
+19raHv98hKAUJuP9HyM+SUsffO6mAIgitUaqW8/wDMePhEC3
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c
new file mode 100644
index 0000000..f8e9e7b
--- /dev/null
+++ b/crypto/openssl/apps/ciphers.c
@@ -0,0 +1,196 @@
+/* apps/ciphers.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG	ciphers_main
+
+static char *ciphers_usage[]={
+"usage: ciphers args\n",
+" -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
+" -ssl2       - SSL2 mode\n",
+" -ssl3       - SSL3 mode\n",
+NULL
+};
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret=1,i;
+	int verbose=0;
+	char **pp;
+	const char *p;
+	int badops=0;
+	SSL_CTX *ctx=NULL;
+	SSL *ssl=NULL;
+	char *ciphers=NULL;
+	SSL_METHOD *meth=NULL;
+	STACK_OF(SSL_CIPHER) *sk;
+	char buf[512];
+	BIO *STDout=NULL;
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+	meth=SSLv23_server_method();
+#elif !defined(NO_SSL3)
+	meth=SSLv3_server_method();
+#elif !defined(NO_SSL2)
+	meth=SSLv2_server_method();
+#endif
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if (strcmp(*argv,"-v") == 0)
+			verbose=1;
+#ifndef NO_SSL2
+		else if (strcmp(*argv,"-ssl2") == 0)
+			meth=SSLv2_client_method();
+#endif
+#ifndef NO_SSL3
+		else if (strcmp(*argv,"-ssl3") == 0)
+			meth=SSLv3_client_method();
+#endif
+		else if ((strncmp(*argv,"-h",2) == 0) ||
+			 (strcmp(*argv,"-?") == 0))
+			{
+			badops=1;
+			break;
+			}
+		else
+			{
+			ciphers= *argv;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+		for (pp=ciphers_usage; (*pp != NULL); pp++)
+			BIO_printf(bio_err,*pp);
+		goto end;
+		}
+
+	OpenSSL_add_ssl_algorithms();
+
+	ctx=SSL_CTX_new(meth);
+	if (ctx == NULL) goto err;
+	if (ciphers != NULL) {
+		if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {
+			BIO_printf(bio_err, "Error in cipher list\n");
+			goto err;
+		}
+	}
+	ssl=SSL_new(ctx);
+	if (ssl == NULL) goto err;
+
+
+	if (!verbose)
+		{
+		for (i=0; ; i++)
+			{
+			p=SSL_get_cipher_list(ssl,i);
+			if (p == NULL) break;
+			if (i != 0) BIO_printf(STDout,":");
+			BIO_printf(STDout,"%s",p);
+			}
+		BIO_printf(STDout,"\n");
+		}
+	else
+		{
+		sk=SSL_get_ciphers(ssl);
+
+		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+			{
+			BIO_puts(STDout,SSL_CIPHER_description(
+				sk_SSL_CIPHER_value(sk,i),
+				buf,512));
+			}
+		}
+
+	ret=0;
+	if (0)
+		{
+err:
+		SSL_load_error_strings();
+		ERR_print_errors(bio_err);
+		}
+end:
+	if (ctx != NULL) SSL_CTX_free(ctx);
+	if (ssl != NULL) SSL_free(ssl);
+	if (STDout != NULL) BIO_free(STDout);
+	EXIT(ret);
+	}
+
diff --git a/crypto/openssl/apps/client.pem b/crypto/openssl/apps/client.pem
new file mode 100644
index 0000000..307910e
--- /dev/null
+++ b/crypto/openssl/apps/client.pem
@@ -0,0 +1,24 @@
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAVICAQIwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU2WhcNOTgwNjA5
+MTM1NzU2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0IGNl
+cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALtv55QyzG6i2Plw
+Z1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexmq/R4KedLjFEIYjocDui+IXs62NNt
+XrT8odkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBwtMmI7oGUG8nKmftQssATViH5
+NRRtoEw07DxJp/LfatHdrhqQB73eGdL5WILZJXk46Xz2e9WMSUjVCSYhdKxtflU3
+UR2Ajv1Oo0sTNdfz0wDqJNirLNtzyhhsaq8qMTrLwXrCP31VxBiigFSQSUFnZyTE
+9TKwhS4GlwbtCfxSKQ==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
+q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
+/V86mGXQ/KrSkeKlL0r4ENxjcyeMAGoKu6J9yMY7+X9+Zm4nxShNfTsf/+Freoe1
+HQIhAPOSm5Q1YI+KIsII2GeVJx1U69+wnd71OasIPakS1L1XAiEAxQAW+J3/JWE0
+ftEYakbhUOKL8tD1OaFZS71/5GdG7E8CIQCefUMmySSvwd6kC0VlATSWbW+d+jp/
+nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
+ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
new file mode 100644
index 0000000..338f46d
--- /dev/null
+++ b/crypto/openssl/apps/crl.c
@@ -0,0 +1,366 @@
+/* apps/crl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	crl_main
+
+#undef POSTFIX
+#define	POSTFIX	".rvk"
+
+static char *crl_usage[]={
+"usage: crl args\n",
+"\n",
+" -inform arg     - input format - default PEM (DER or PEM)\n",
+" -outform arg    - output format - default PEM\n",
+" -text           - print out a text format version\n",
+" -in arg         - input file - default stdin\n",
+" -out arg        - output file - default stdout\n",
+" -hash           - print hash value\n",
+" -issuer         - print issuer DN\n",
+" -lastupdate     - lastUpdate field\n",
+" -nextupdate     - nextUpdate field\n",
+" -noout          - no CRL output\n",
+" -CAfile  name   - verify CRL using certificates in file \"name\"\n",
+" -CApath  dir    - verify CRL using certificates in \"dir\"\n",
+NULL
+};
+
+static X509_CRL *load_crl(char *file, int format);
+static BIO *bio_out=NULL;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	X509_CRL *x=NULL;
+	char *CAfile = NULL, *CApath = NULL;
+	int ret=1,i,num,badops=0;
+	BIO *out=NULL;
+	int informat,outformat;
+	char *infile=NULL,*outfile=NULL;
+	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+	char **pp,buf[256];
+	X509_STORE *store = NULL;
+	X509_STORE_CTX ctx;
+	X509_LOOKUP *lookup = NULL;
+	X509_OBJECT xobj;
+	EVP_PKEY *pkey;
+	int do_ver = 0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (bio_out == NULL)
+		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	argc--;
+	argv++;
+	num=0;
+	while (argc >= 1)
+		{
+#ifdef undef
+		if	(strcmp(*argv,"-p") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if (!args_from_file(++argv,Nargc,Nargv)) { goto end; }*/
+			}
+#endif
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath = *(++argv);
+			do_ver = 1;
+			}
+		else if (strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile = *(++argv);
+			do_ver = 1;
+			}
+		else if (strcmp(*argv,"-verify") == 0)
+			do_ver = 1;
+		else if (strcmp(*argv,"-text") == 0)
+			text = 1;
+		else if (strcmp(*argv,"-hash") == 0)
+			hash= ++num;
+		else if (strcmp(*argv,"-issuer") == 0)
+			issuer= ++num;
+		else if (strcmp(*argv,"-lastupdate") == 0)
+			lastupdate= ++num;
+		else if (strcmp(*argv,"-nextupdate") == 0)
+			nextupdate= ++num;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout= ++num;
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		for (pp=crl_usage; (*pp != NULL); pp++)
+			BIO_printf(bio_err,*pp);
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+	x=load_crl(infile,informat);
+	if (x == NULL) { goto end; }
+
+	if(do_ver) {
+		store = X509_STORE_new();
+		lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+		if (lookup == NULL) goto end;
+		if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM))
+			X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+			
+		lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+		if (lookup == NULL) goto end;
+		if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM))
+			X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+		ERR_clear_error();
+
+		X509_STORE_CTX_init(&ctx, store, NULL, NULL);
+
+		i = X509_STORE_get_by_subject(&ctx, X509_LU_X509, 
+					X509_CRL_get_issuer(x), &xobj);
+		if(i <= 0) {
+			BIO_printf(bio_err,
+				"Error getting CRL issuer certificate\n");
+			goto end;
+		}
+		pkey = X509_get_pubkey(xobj.data.x509);
+		X509_OBJECT_free_contents(&xobj);
+		if(!pkey) {
+			BIO_printf(bio_err,
+				"Error getting CRL issuer public key\n");
+			goto end;
+		}
+		i = X509_CRL_verify(x, pkey);
+		EVP_PKEY_free(pkey);
+		if(i < 0) goto end;
+		if(i == 0) BIO_printf(bio_err, "verify failure\n");
+		else BIO_printf(bio_err, "verify OK\n");
+	}
+
+	if (num)
+		{
+		for (i=1; i<=num; i++)
+			{
+			if (issuer == i)
+				{
+				X509_NAME_oneline(X509_CRL_get_issuer(x),
+								buf,256);
+				BIO_printf(bio_out,"issuer= %s\n",buf);
+				}
+
+			if (hash == i)
+				{
+				BIO_printf(bio_out,"%08lx\n",
+					X509_NAME_hash(X509_CRL_get_issuer(x)));
+				}
+			if (lastupdate == i)
+				{
+				BIO_printf(bio_out,"lastUpdate=");
+				ASN1_TIME_print(bio_out,
+						X509_CRL_get_lastUpdate(x));
+				BIO_printf(bio_out,"\n");
+				}
+			if (nextupdate == i)
+				{
+				BIO_printf(bio_out,"nextUpdate=");
+				if (X509_CRL_get_nextUpdate(x)) 
+					ASN1_TIME_print(bio_out,
+						X509_CRL_get_nextUpdate(x));
+				else
+					BIO_printf(bio_out,"NONE");
+				BIO_printf(bio_out,"\n");
+				}
+			}
+		}
+
+	out=BIO_new(BIO_s_file());
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (text) X509_CRL_print(out, x);
+
+	if (noout) goto end;
+
+	if 	(outformat == FORMAT_ASN1)
+		i=(int)i2d_X509_CRL_bio(out,x);
+	else if (outformat == FORMAT_PEM)
+		i=PEM_write_bio_X509_CRL(out,x);
+	else	
+		{
+		BIO_printf(bio_err,"bad output format specified for outfile\n");
+		goto end;
+		}
+	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
+	ret=0;
+end:
+	BIO_free(out);
+	BIO_free(bio_out);
+	bio_out=NULL;
+	X509_CRL_free(x);
+	if(store) {
+		X509_STORE_CTX_cleanup(&ctx);
+		X509_STORE_free(store);
+	}
+	EXIT(ret);
+	}
+
+static X509_CRL *load_crl(char *infile, int format)
+	{
+	X509_CRL *x=NULL;
+	BIO *in=NULL;
+
+	in=BIO_new(BIO_s_file());
+	if (in == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+	if 	(format == FORMAT_ASN1)
+		x=d2i_X509_CRL_bio(in,NULL);
+	else if (format == FORMAT_PEM)
+		x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+	else	{
+		BIO_printf(bio_err,"bad input format specified for input crl\n");
+		goto end;
+		}
+	if (x == NULL)
+		{
+		BIO_printf(bio_err,"unable to load CRL\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	
+end:
+	BIO_free(in);
+	return(x);
+	}
+
diff --git a/crypto/openssl/apps/crl2p7.c b/crypto/openssl/apps/crl2p7.c
new file mode 100644
index 0000000..4056591
--- /dev/null
+++ b/crypto/openssl/apps/crl2p7.c
@@ -0,0 +1,335 @@
+/* apps/crl2p7.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu>
+ * and donated 'to the cause' along with lots and lots of other fixes to
+ * the library. */
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/objects.h>
+
+static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
+#undef PROG
+#define PROG	crl2pkcs7_main
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,badops=0;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat;
+	char *infile,*outfile,*prog,*certfile;
+	PKCS7 *p7 = NULL;
+	PKCS7_SIGNED *p7s = NULL;
+	X509_CRL *crl=NULL;
+	STACK *certflst=NULL;
+	STACK_OF(X509_CRL) *crl_stack=NULL;
+	STACK_OF(X509) *cert_stack=NULL;
+	int ret=1,nocrl=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-nocrl") == 0)
+			{
+			nocrl=1;
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-certfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if(!certflst) certflst = sk_new(NULL);
+			sk_push(certflst,*(++argv));
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg        input file\n");
+		BIO_printf(bio_err," -out arg       output file\n");
+		BIO_printf(bio_err," -certfile arg  certificates file of chain to a trusted CA\n");
+		BIO_printf(bio_err,"                (can be used more than once)\n");
+		BIO_printf(bio_err," -nocrl         no crl to load, just certs from '-certfile'\n");
+		EXIT(1);
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (!nocrl)
+		{
+		if (infile == NULL)
+			BIO_set_fp(in,stdin,BIO_NOCLOSE);
+		else
+			{
+			if (BIO_read_filename(in,infile) <= 0)
+				{
+				perror(infile);
+				goto end;
+				}
+			}
+
+		if 	(informat == FORMAT_ASN1)
+			crl=d2i_X509_CRL_bio(in,NULL);
+		else if (informat == FORMAT_PEM)
+			crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+		else	{
+			BIO_printf(bio_err,"bad input format specified for input crl\n");
+			goto end;
+			}
+		if (crl == NULL)
+			{
+			BIO_printf(bio_err,"unable to load CRL\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+	
+	if ((p7=PKCS7_new()) == NULL) goto end;
+	if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;
+	p7->type=OBJ_nid2obj(NID_pkcs7_signed);
+	p7->d.sign=p7s;
+	p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
+
+	if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
+	if ((crl_stack=sk_X509_CRL_new(NULL)) == NULL) goto end;
+	p7s->crl=crl_stack;
+	if (crl != NULL)
+		{
+		sk_X509_CRL_push(crl_stack,crl);
+		crl=NULL; /* now part of p7 for Freeing */
+		}
+
+	if ((cert_stack=sk_X509_new(NULL)) == NULL) goto end;
+	p7s->cert=cert_stack;
+
+	if(certflst) for(i = 0; i < sk_num(certflst); i++) {
+		certfile = sk_value(certflst, i);
+		if (add_certs_from_file(cert_stack,certfile) < 0)
+			{
+			BIO_printf(bio_err, "error loading certificates\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+	}
+
+	sk_free(certflst);
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if 	(outformat == FORMAT_ASN1)
+		i=i2d_PKCS7_bio(out,p7);
+	else if (outformat == FORMAT_PEM)
+		i=PEM_write_bio_PKCS7(out,p7);
+	else	{
+		BIO_printf(bio_err,"bad output format specified for outfile\n");
+		goto end;
+		}
+	if (!i)
+		{
+		BIO_printf(bio_err,"unable to write pkcs7 object\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	ret=0;
+end:
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (p7 != NULL) PKCS7_free(p7);
+	if (crl != NULL) X509_CRL_free(crl);
+
+	EXIT(ret);
+	}
+
+/*
+ *----------------------------------------------------------------------
+ * int add_certs_from_file
+ *
+ *	Read a list of certificates to be checked from a file.
+ *
+ * Results:
+ *	number of certs added if successful, -1 if not.
+ *----------------------------------------------------------------------
+ */
+static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
+	{
+	struct stat st;
+	BIO *in=NULL;
+	int count=0;
+	int ret= -1;
+	STACK_OF(X509_INFO) *sk=NULL;
+	X509_INFO *xi;
+
+	if ((stat(certfile,&st) != 0))
+		{
+		BIO_printf(bio_err,"unable to load the file, %s\n",certfile);
+		goto end;
+		}
+
+	in=BIO_new(BIO_s_file());
+	if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0))
+		{
+		BIO_printf(bio_err,"error opening the file, %s\n",certfile);
+		goto end;
+		}
+
+	/* This loads from a file, a stack of x509/crl/pkey sets */
+	sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL);
+	if (sk == NULL) {
+		BIO_printf(bio_err,"error reading the file, %s\n",certfile);
+		goto end;
+	}
+
+	/* scan over it and pull out the CRL's */
+	while (sk_X509_INFO_num(sk))
+		{
+		xi=sk_X509_INFO_shift(sk);
+		if (xi->x509 != NULL)
+			{
+			sk_X509_push(stack,xi->x509);
+			xi->x509=NULL;
+			count++;
+			}
+		X509_INFO_free(xi);
+		}
+
+	ret=count;
+end:
+ 	/* never need to Free x */
+	if (in != NULL) BIO_free(in);
+	if (sk != NULL) sk_X509_INFO_free(sk);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/apps/demoCA/cacert.pem b/crypto/openssl/apps/demoCA/cacert.pem
new file mode 100644
index 0000000..affbce3
--- /dev/null
+++ b/crypto/openssl/apps/demoCA/cacert.pem
@@ -0,0 +1,14 @@
+subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+-----BEGIN X509 CERTIFICATE-----
+
+MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
+MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
+BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
+LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
+/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
+DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
+IMs6ZOZB
+-----END X509 CERTIFICATE-----
diff --git a/crypto/openssl/apps/demoCA/index.txt b/crypto/openssl/apps/demoCA/index.txt
new file mode 100644
index 0000000..2cdd252
--- /dev/null
+++ b/crypto/openssl/apps/demoCA/index.txt
@@ -0,0 +1,39 @@
+R	980705233205Z	951009233205Z	01	certs/00000001	/CN=Eric Young
+E	951009233205Z		02	certs/00000002	/CN=Duncan Young
+R	980705233205Z	951201010000Z	03	certs/00000003	/CN=Tim Hudson
+V	980705233205Z		04	certs/00000004	/CN=Eric Young4
+V	980705233205Z		05	certs/00000004	/CN=Eric Young5
+V	980705233205Z		06	certs/00000004	/CN=Eric Young6
+V	980705233205Z		07	certs/00000004	/CN=Eric Young7
+V	980705233205Z		08	certs/00000004	/CN=Eric Young8
+V	980705233205Z		09	certs/00000004	/CN=Eric Young9
+V	980705233205Z		0A	certs/00000004	/CN=Eric YoungA
+V	980705233205Z		0B	certs/00000004	/CN=Eric YoungB
+V	980705233205Z		0C	certs/00000004	/CN=Eric YoungC
+V	980705233205Z		0D	certs/00000004	/CN=Eric YoungD
+V	980705233205Z		0E	certs/00000004	/CN=Eric YoungE
+V	980705233205Z		0F	certs/00000004	/CN=Eric YoungF
+V	980705233205Z		10	certs/00000004	/CN=Eric Young10
+V	980705233205Z		11	certs/00000004	/CN=Eric Young11
+V	980705233205Z		12	certs/00000004	/CN=Eric Young12
+V	980705233205Z		13	certs/00000004	/CN=Eric Young13
+V	980705233205Z		14	certs/00000004	/CN=Eric Young14
+V	980705233205Z		15	certs/00000004	/CN=Eric Young15
+V	980705233205Z		16	certs/00000004	/CN=Eric Young16
+V	980705233205Z		17	certs/00000004	/CN=Eric Young17
+V	961206150305Z		010C	unknown	/C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
+V	961206153245Z		010D	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
+V	970322074816Z		010E	unknown	/CN=Eric Young/Email=eay@mincom.oz.au
+V	970322075152Z		010F	unknown	/CN=Eric Young
+V	970322075906Z		0110	unknown	/CN=Eric Youngg
+V	970324092238Z		0111	unknown	/C=AU/SP=Queensland/CN=Eric Young
+V	970324221931Z		0112	unknown	/CN=Fred
+V	970324224934Z		0113	unknown	/C=AU/CN=eay
+V	971001005237Z		0114	unknown	/C=AU/SP=QLD/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
+V	971001010331Z		0115	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test again - x509v3
+V	971001013945Z		0117	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
+V	971014225415Z		0118	unknown	/C=AU/SP=Queensland/CN=test
+V	971015004448Z		0119	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test2
+V	971016035001Z		011A	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test64
+V	971016080129Z		011B	unknown	/C=FR/O=ALCATEL/OU=Alcatel Mobile Phones/CN=bourque/Email=bourque@art.alcatel.fr
+V	971016224000Z		011D	unknown	/L=Bedford/O=Cranfield University/OU=Computer Centre/CN=Peter R Lister/Email=P.Lister@cranfield.ac.uk
diff --git a/crypto/openssl/apps/demoCA/private/cakey.pem b/crypto/openssl/apps/demoCA/private/cakey.pem
new file mode 100644
index 0000000..48fb18c
--- /dev/null
+++ b/crypto/openssl/apps/demoCA/private/cakey.pem
@@ -0,0 +1,24 @@
+issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+-----BEGIN X509 CERTIFICATE-----
+
+MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
+MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
+BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
+LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
+/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
+DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
+IMs6ZOZB
+-----END X509 CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+
+MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe
+Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ
+hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG
+sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw
+tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq
+agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA
+g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/demoCA/serial b/crypto/openssl/apps/demoCA/serial
new file mode 100644
index 0000000..69fa0ff
--- /dev/null
+++ b/crypto/openssl/apps/demoCA/serial
@@ -0,0 +1 @@
+011E
diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop
new file mode 100644
index 0000000..9070b03
--- /dev/null
+++ b/crypto/openssl/apps/der_chop
@@ -0,0 +1,305 @@
+#!/usr/local/bin/perl
+#
+# der_chop ... this is one total hack that Eric is really not proud of
+#              so don't look at it and don't ask for support
+#
+# The "documentation" for this (i.e. all the comments) are my fault --tjh
+#
+# This program takes the "raw" output of derparse/asn1parse and 
+# converts it into tokens and then runs regular expression matches
+# to try to figure out what to grab to get the things that are needed
+# and it is possible that this will do the wrong thing as it is a *hack*
+#
+# SSLeay 0.5.2+ should have direct read support for x509 (via -inform NET)
+# [I know ... promises promises :-)]
+#
+# To convert a Netscape Certificate:
+#    der_chop < ServerCert.der > cert.pem
+# To convert a Netscape Key (and encrypt it again to protect it)
+#    rsa -inform NET -in ServerKey.der -des > key.pem
+#
+# 23-Apr-96 eay    Added the extra ASN.1 string types, I still think this
+#		   is an evil hack.  If nothing else the parsing should
+#		   be relative, not absolute.
+# 19-Apr-96 tjh    hacked (with eay) into 0.5.x format
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+
+require 'getopts.pl';
+
+$debug=0;
+
+# this was the 0.4.x way of doing things ...
+$cmd="derparse";
+$x509_cmd="x509";
+$crl_cmd="crl";
+$rc4_cmd="rc4";
+$md2_cmd="md2";
+$md4_cmd="md4";
+$rsa_cmd="rsa -des -inform der ";
+
+# this was the 0.5.x way of doing things ...
+$cmd="openssl asn1parse";
+$x509_cmd="openssl x509";
+$crl_cmd="openssl crl";
+$rc4_cmd="openssl rc4";
+$md2_cmd="openssl md2";
+$md4_cmd="openssl md4";
+$rsa_cmd="openssl rsa -des -inform der ";
+
+&Getopts('vd:') || die "usage:$0 [-v] [-d num] file";
+$depth=($opt_d =~ /^\d+$/)?$opt_d:0;
+
+&init_der();
+
+if ($#ARGV != -1)
+	{
+	foreach $file (@ARGV)
+		{
+		print STDERR "doing $file\n";
+		&dofile($file);
+		}
+	}
+else
+	{
+	$file="/tmp/a$$.DER";
+	open(OUT,">$file") || die "unable to open $file:$!\n";
+	for (;;)
+		{
+		$i=sysread(STDIN,$b,1024*10);
+		last if ($i <= 0);
+		$i=syswrite(OUT,$b,$i);
+		}
+	&dofile($file);
+	unlink($file);
+	}
+	
+sub dofile
+	{
+	local($file)=@_;
+	local(@p);
+
+	$b=&load_file($file);
+	@p=&load_file_parse($file);
+
+	foreach $_ (@p)
+		{
+		($off,$d,$hl,$len)=&parse_line($_);
+		$d-=$depth;
+		next if ($d != 0);
+		next if ($len == 0);
+
+		$o=substr($b,$off,$len+$hl);
+		($str,@data)=&der_str($o);
+		print "$str\n" if ($opt_v);
+		if ($str =~ /^$crl/)
+			{
+			open(OUT,"|$crl_cmd -inform d -hash -issuer") ||
+				die "unable to run $crl_cmd:$!\n";
+			print OUT $o;
+			close(OUT);
+			}
+		elsif ($str =~ /^$x509/)
+			{
+			open(OUT,"|$x509_cmd -inform d -hash -subject -issuer")
+				|| die "unable to run $x509_cmd:$!\n";
+			print OUT $o;
+			close(OUT);
+			}
+		elsif ($str =~ /^$rsa/)
+			{
+			($type)=($data[3] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
+			next unless ($type eq "rsaEncryption");
+			($off,$d,$hl,$len)=&parse_line($data[5]);
+			$os=substr($o,$off+$hl,$len);
+			open(OUT,"|$rsa_cmd")
+				|| die "unable to run $rsa_cmd:$!\n";
+			print OUT $os;
+			close(OUT);
+			}
+		elsif ($str =~ /^0G-1D-1G/)
+			{
+			($off,$d,$hl,$len)=&parse_line($data[1]);
+			$os=substr($o,$off+$hl,$len);
+			print STDERR "<$os>\n" if $opt_v;
+			&do_certificate($o,@data)
+				if (($os eq "certificate") &&
+				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
+			&do_private_key($o,@data)
+				if (($os eq "private-key") &&
+				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
+			}
+		}
+	}
+
+sub der_str
+	{
+	local($str)=@_;
+	local(*OUT,*IN,@a,$t,$d,$ret);
+	local($file)="/tmp/b$$.DER";
+	local(@ret);
+
+	open(OUT,">$file");
+	print OUT $str;
+	close(OUT);
+	open(IN,"$cmd -inform 'd' -in $file |") ||
+		die "unable to run $cmd:$!\n";
+	$ret="";
+	while (<IN>)
+		{
+		chop;
+		push(@ret,$_);
+
+		print STDERR "$_\n" if ($debug);
+
+		@a=split(/\s*:\s*/);
+		($d)=($a[1] =~ /d=\s*(\d+)/);
+		$a[2] =~ s/\s+$//;
+		$t=$DER_s2i{$a[2]};
+		$ret.="$d$t-";
+		}
+	close(IN);
+	unlink($file);
+	chop $ret;
+	$ret =~ s/(-3H(-4G-5F-5[IJKMQRS])+)+/-NAME/g;
+	$ret =~ s/(-3G-4B-4L)+/-RCERT/g;
+	return($ret,@ret);
+	}
+
+sub init_der
+	{
+	$crl= "0G-1G-2G-3F-3E-2G-NAME-2L-2L-2G-RCERT-1G-2F-2E-1C";
+	$x509="0G-1G-2B-2G-3F-3E-2G-NAME-2G-3L-3L-2G-NAME-2G-3G-4F-4E-3C-1G-2F-2E-1C";
+	$rsa= "0G-1B-1G-2F-2E-1D";
+
+	%DER_i2s=(
+		# SSLeay 0.4.x has this list
+		"A","EOC",
+		"B","INTEGER",
+		"C","BIT STRING",
+		"D","OCTET STRING",
+		"E","NULL",
+		"F","OBJECT",
+		"G","SEQUENCE",
+		"H","SET",
+		"I","PRINTABLESTRING",
+		"J","T61STRING",
+		"K","IA5STRING",
+		"L","UTCTIME",
+		"M","NUMERICSTRING",
+		"N","VIDEOTEXSTRING",
+		"O","GENERALIZEDTIME",
+		"P","GRAPHICSTRING",
+		"Q","ISO64STRING",
+		"R","GENERALSTRING",
+		"S","UNIVERSALSTRING",
+
+		# SSLeay 0.5.x changed some things ... and I'm
+		# leaving in the old stuff but adding in these
+		# to handle the new as well --tjh
+		# - Well I've just taken them out and added the extra new
+		# ones :-) - eay
+		);
+
+	foreach (keys %DER_i2s)
+		{ $DER_s2i{$DER_i2s{$_}}=$_; }
+	}
+
+sub parse_line
+	{
+	local($_)=@_;
+
+	return(/\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+|inf)\s/);
+	}
+
+#  0:d=0 hl=4 l=377 cons: univ: SEQUENCE          
+#  4:d=1 hl=2 l= 11 prim: univ: OCTET_STRING      
+# 17:d=1 hl=4 l=360 cons: univ: SEQUENCE          
+# 21:d=2 hl=2 l= 12 cons: univ: SEQUENCE          
+# 23:d=3 hl=2 l=  8 prim: univ: OBJECT_IDENTIFIER :rc4
+# 33:d=3 hl=2 l=  0 prim: univ: NULL              
+# 35:d=2 hl=4 l=342 prim: univ: OCTET_STRING
+sub do_private_key
+	{
+	local($data,@struct)=@_;
+	local($file)="/tmp/b$$.DER";
+	local($off,$d,$hl,$len,$_,$b,@p,$s);
+
+	($type)=($struct[4] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
+	if ($type eq "rc4")
+		{
+		($off,$d,$hl,$len)=&parse_line($struct[6]);
+		open(OUT,"|$rc4_cmd >$file") ||
+			die "unable to run $rc4_cmd:$!\n";
+		print OUT substr($data,$off+$hl,$len);
+		close(OUT);
+
+		$b=&load_file($file);
+		unlink($file);
+
+		($s,@p)=&der_str($b);
+		die "unknown rsa key type\n$s\n"
+			if ($s ne '0G-1B-1G-2F-2E-1D');
+		local($off,$d,$hl,$len)=&parse_line($p[5]);
+		$b=substr($b,$off+$hl,$len);
+		($s,@p)=&der_str($b);
+		open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n";
+		print OUT $b;
+		close(OUT);
+		}
+	else
+		{
+		print "'$type' is unknown\n";
+		exit(1);
+		}
+	}
+
+sub do_certificate
+	{
+	local($data,@struct)=@_;
+	local($file)="/tmp/b$$.DER";
+	local($off,$d,$hl,$len,$_,$b,@p,$s);
+
+	($off,$d,$hl,$len)=&parse_line($struct[2]);
+	$b=substr($data,$off,$len+$hl);
+
+	open(OUT,"|$x509_cmd -inform d") || die "unable to run $x509_cmd:$!\n";
+	print OUT $b;
+	close(OUT);
+	}
+
+sub load_file
+	{
+	local($file)=@_;
+	local(*IN,$r,$b,$i);
+
+	$r="";
+	open(IN,"<$file") || die "unable to open $file:$!\n";
+	for (;;)
+		{
+		$i=sysread(IN,$b,10240);
+		last if ($i <= 0);
+		$r.=$b;
+		}
+	close(IN);
+	return($r);
+	}
+
+sub load_file_parse
+	{
+	local($file)=@_;
+	local(*IN,$r,@ret,$_,$i,$n,$b);
+
+	open(IN,"$cmd -inform d -in $file|")
+		|| die "unable to run der_parse\n";
+	while (<IN>)
+		{
+		chop;
+		push(@ret,$_);
+		}
+	return($r,@ret);
+	}
+
diff --git a/crypto/openssl/apps/der_chop.in b/crypto/openssl/apps/der_chop.in
new file mode 100644
index 0000000..9070b03
--- /dev/null
+++ b/crypto/openssl/apps/der_chop.in
@@ -0,0 +1,305 @@
+#!/usr/local/bin/perl
+#
+# der_chop ... this is one total hack that Eric is really not proud of
+#              so don't look at it and don't ask for support
+#
+# The "documentation" for this (i.e. all the comments) are my fault --tjh
+#
+# This program takes the "raw" output of derparse/asn1parse and 
+# converts it into tokens and then runs regular expression matches
+# to try to figure out what to grab to get the things that are needed
+# and it is possible that this will do the wrong thing as it is a *hack*
+#
+# SSLeay 0.5.2+ should have direct read support for x509 (via -inform NET)
+# [I know ... promises promises :-)]
+#
+# To convert a Netscape Certificate:
+#    der_chop < ServerCert.der > cert.pem
+# To convert a Netscape Key (and encrypt it again to protect it)
+#    rsa -inform NET -in ServerKey.der -des > key.pem
+#
+# 23-Apr-96 eay    Added the extra ASN.1 string types, I still think this
+#		   is an evil hack.  If nothing else the parsing should
+#		   be relative, not absolute.
+# 19-Apr-96 tjh    hacked (with eay) into 0.5.x format
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+
+require 'getopts.pl';
+
+$debug=0;
+
+# this was the 0.4.x way of doing things ...
+$cmd="derparse";
+$x509_cmd="x509";
+$crl_cmd="crl";
+$rc4_cmd="rc4";
+$md2_cmd="md2";
+$md4_cmd="md4";
+$rsa_cmd="rsa -des -inform der ";
+
+# this was the 0.5.x way of doing things ...
+$cmd="openssl asn1parse";
+$x509_cmd="openssl x509";
+$crl_cmd="openssl crl";
+$rc4_cmd="openssl rc4";
+$md2_cmd="openssl md2";
+$md4_cmd="openssl md4";
+$rsa_cmd="openssl rsa -des -inform der ";
+
+&Getopts('vd:') || die "usage:$0 [-v] [-d num] file";
+$depth=($opt_d =~ /^\d+$/)?$opt_d:0;
+
+&init_der();
+
+if ($#ARGV != -1)
+	{
+	foreach $file (@ARGV)
+		{
+		print STDERR "doing $file\n";
+		&dofile($file);
+		}
+	}
+else
+	{
+	$file="/tmp/a$$.DER";
+	open(OUT,">$file") || die "unable to open $file:$!\n";
+	for (;;)
+		{
+		$i=sysread(STDIN,$b,1024*10);
+		last if ($i <= 0);
+		$i=syswrite(OUT,$b,$i);
+		}
+	&dofile($file);
+	unlink($file);
+	}
+	
+sub dofile
+	{
+	local($file)=@_;
+	local(@p);
+
+	$b=&load_file($file);
+	@p=&load_file_parse($file);
+
+	foreach $_ (@p)
+		{
+		($off,$d,$hl,$len)=&parse_line($_);
+		$d-=$depth;
+		next if ($d != 0);
+		next if ($len == 0);
+
+		$o=substr($b,$off,$len+$hl);
+		($str,@data)=&der_str($o);
+		print "$str\n" if ($opt_v);
+		if ($str =~ /^$crl/)
+			{
+			open(OUT,"|$crl_cmd -inform d -hash -issuer") ||
+				die "unable to run $crl_cmd:$!\n";
+			print OUT $o;
+			close(OUT);
+			}
+		elsif ($str =~ /^$x509/)
+			{
+			open(OUT,"|$x509_cmd -inform d -hash -subject -issuer")
+				|| die "unable to run $x509_cmd:$!\n";
+			print OUT $o;
+			close(OUT);
+			}
+		elsif ($str =~ /^$rsa/)
+			{
+			($type)=($data[3] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
+			next unless ($type eq "rsaEncryption");
+			($off,$d,$hl,$len)=&parse_line($data[5]);
+			$os=substr($o,$off+$hl,$len);
+			open(OUT,"|$rsa_cmd")
+				|| die "unable to run $rsa_cmd:$!\n";
+			print OUT $os;
+			close(OUT);
+			}
+		elsif ($str =~ /^0G-1D-1G/)
+			{
+			($off,$d,$hl,$len)=&parse_line($data[1]);
+			$os=substr($o,$off+$hl,$len);
+			print STDERR "<$os>\n" if $opt_v;
+			&do_certificate($o,@data)
+				if (($os eq "certificate") &&
+				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
+			&do_private_key($o,@data)
+				if (($os eq "private-key") &&
+				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
+			}
+		}
+	}
+
+sub der_str
+	{
+	local($str)=@_;
+	local(*OUT,*IN,@a,$t,$d,$ret);
+	local($file)="/tmp/b$$.DER";
+	local(@ret);
+
+	open(OUT,">$file");
+	print OUT $str;
+	close(OUT);
+	open(IN,"$cmd -inform 'd' -in $file |") ||
+		die "unable to run $cmd:$!\n";
+	$ret="";
+	while (<IN>)
+		{
+		chop;
+		push(@ret,$_);
+
+		print STDERR "$_\n" if ($debug);
+
+		@a=split(/\s*:\s*/);
+		($d)=($a[1] =~ /d=\s*(\d+)/);
+		$a[2] =~ s/\s+$//;
+		$t=$DER_s2i{$a[2]};
+		$ret.="$d$t-";
+		}
+	close(IN);
+	unlink($file);
+	chop $ret;
+	$ret =~ s/(-3H(-4G-5F-5[IJKMQRS])+)+/-NAME/g;
+	$ret =~ s/(-3G-4B-4L)+/-RCERT/g;
+	return($ret,@ret);
+	}
+
+sub init_der
+	{
+	$crl= "0G-1G-2G-3F-3E-2G-NAME-2L-2L-2G-RCERT-1G-2F-2E-1C";
+	$x509="0G-1G-2B-2G-3F-3E-2G-NAME-2G-3L-3L-2G-NAME-2G-3G-4F-4E-3C-1G-2F-2E-1C";
+	$rsa= "0G-1B-1G-2F-2E-1D";
+
+	%DER_i2s=(
+		# SSLeay 0.4.x has this list
+		"A","EOC",
+		"B","INTEGER",
+		"C","BIT STRING",
+		"D","OCTET STRING",
+		"E","NULL",
+		"F","OBJECT",
+		"G","SEQUENCE",
+		"H","SET",
+		"I","PRINTABLESTRING",
+		"J","T61STRING",
+		"K","IA5STRING",
+		"L","UTCTIME",
+		"M","NUMERICSTRING",
+		"N","VIDEOTEXSTRING",
+		"O","GENERALIZEDTIME",
+		"P","GRAPHICSTRING",
+		"Q","ISO64STRING",
+		"R","GENERALSTRING",
+		"S","UNIVERSALSTRING",
+
+		# SSLeay 0.5.x changed some things ... and I'm
+		# leaving in the old stuff but adding in these
+		# to handle the new as well --tjh
+		# - Well I've just taken them out and added the extra new
+		# ones :-) - eay
+		);
+
+	foreach (keys %DER_i2s)
+		{ $DER_s2i{$DER_i2s{$_}}=$_; }
+	}
+
+sub parse_line
+	{
+	local($_)=@_;
+
+	return(/\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+|inf)\s/);
+	}
+
+#  0:d=0 hl=4 l=377 cons: univ: SEQUENCE          
+#  4:d=1 hl=2 l= 11 prim: univ: OCTET_STRING      
+# 17:d=1 hl=4 l=360 cons: univ: SEQUENCE          
+# 21:d=2 hl=2 l= 12 cons: univ: SEQUENCE          
+# 23:d=3 hl=2 l=  8 prim: univ: OBJECT_IDENTIFIER :rc4
+# 33:d=3 hl=2 l=  0 prim: univ: NULL              
+# 35:d=2 hl=4 l=342 prim: univ: OCTET_STRING
+sub do_private_key
+	{
+	local($data,@struct)=@_;
+	local($file)="/tmp/b$$.DER";
+	local($off,$d,$hl,$len,$_,$b,@p,$s);
+
+	($type)=($struct[4] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
+	if ($type eq "rc4")
+		{
+		($off,$d,$hl,$len)=&parse_line($struct[6]);
+		open(OUT,"|$rc4_cmd >$file") ||
+			die "unable to run $rc4_cmd:$!\n";
+		print OUT substr($data,$off+$hl,$len);
+		close(OUT);
+
+		$b=&load_file($file);
+		unlink($file);
+
+		($s,@p)=&der_str($b);
+		die "unknown rsa key type\n$s\n"
+			if ($s ne '0G-1B-1G-2F-2E-1D');
+		local($off,$d,$hl,$len)=&parse_line($p[5]);
+		$b=substr($b,$off+$hl,$len);
+		($s,@p)=&der_str($b);
+		open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n";
+		print OUT $b;
+		close(OUT);
+		}
+	else
+		{
+		print "'$type' is unknown\n";
+		exit(1);
+		}
+	}
+
+sub do_certificate
+	{
+	local($data,@struct)=@_;
+	local($file)="/tmp/b$$.DER";
+	local($off,$d,$hl,$len,$_,$b,@p,$s);
+
+	($off,$d,$hl,$len)=&parse_line($struct[2]);
+	$b=substr($data,$off,$len+$hl);
+
+	open(OUT,"|$x509_cmd -inform d") || die "unable to run $x509_cmd:$!\n";
+	print OUT $b;
+	close(OUT);
+	}
+
+sub load_file
+	{
+	local($file)=@_;
+	local(*IN,$r,$b,$i);
+
+	$r="";
+	open(IN,"<$file") || die "unable to open $file:$!\n";
+	for (;;)
+		{
+		$i=sysread(IN,$b,10240);
+		last if ($i <= 0);
+		$r.=$b;
+		}
+	close(IN);
+	return($r);
+	}
+
+sub load_file_parse
+	{
+	local($file)=@_;
+	local(*IN,$r,@ret,$_,$i,$n,$b);
+
+	open(IN,"$cmd -inform d -in $file|")
+		|| die "unable to run der_parse\n";
+	while (<IN>)
+		{
+		chop;
+		push(@ret,$_);
+		}
+	return($r,@ret);
+	}
+
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
new file mode 100644
index 0000000..1b56d6e
--- /dev/null
+++ b/crypto/openssl/apps/dgst.c
@@ -0,0 +1,222 @@
+/* apps/dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef BUFSIZE
+#define BUFSIZE	1024*8
+
+#undef PROG
+#define PROG	dgst_main
+
+void do_fp(unsigned char *buf,BIO *f,int sep);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	unsigned char *buf=NULL;
+	int i,err=0;
+	const EVP_MD *md=NULL,*m;
+	BIO *in=NULL,*inp;
+	BIO *bmd=NULL;
+	const char *name;
+#define PROG_NAME_SIZE  16
+	char pname[PROG_NAME_SIZE];
+	int separator=0;
+	int debug=0;
+
+	apps_startup();
+
+	if ((buf=(unsigned char *)Malloc(BUFSIZE)) == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		goto end;
+		}
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	/* first check the program name */
+	program_name(argv[0],pname,PROG_NAME_SIZE);
+
+	md=EVP_get_digestbyname(pname);
+
+	argc--;
+	argv++;
+	while (argc > 0)
+		{
+		if ((*argv)[0] != '-') break;
+		if (strcmp(*argv,"-c") == 0)
+			separator=1;
+		else if (strcmp(*argv,"-d") == 0)
+			debug=1;
+		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+			md=m;
+		else
+			break;
+		argc--;
+		argv++;
+		}
+
+	if (md == NULL)
+		md=EVP_md5();
+
+	if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
+		{
+		BIO_printf(bio_err,"unknown option '%s'\n",*argv);
+		BIO_printf(bio_err,"options are\n");
+		BIO_printf(bio_err,"-c   to output the digest with separating colons\n");
+		BIO_printf(bio_err,"-d   to output debug info\n");
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
+			LN_md5,LN_md5);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_md2,LN_md2);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_sha1,LN_sha1);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_sha,LN_sha);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_mdc2,LN_mdc2);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_ripemd160,LN_ripemd160);
+		err=1;
+		goto end;
+		}
+	
+	in=BIO_new(BIO_s_file());
+	bmd=BIO_new(BIO_f_md());
+	if (debug)
+		{
+		BIO_set_callback(in,BIO_debug_callback);
+		/* needed for windows 3.1 */
+		BIO_set_callback_arg(in,bio_err);
+		}
+
+	if ((in == NULL) || (bmd == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	/* we use md as a filter, reading from 'in' */
+	BIO_set_md(bmd,md);
+	inp=BIO_push(bmd,in);
+
+	if (argc == 0)
+		{
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+		do_fp(buf,inp,separator);
+		}
+	else
+		{
+		name=OBJ_nid2sn(md->type);
+		for (i=0; i<argc; i++)
+			{
+			if (BIO_read_filename(in,argv[i]) <= 0)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("%s(%s)= ",name,argv[i]);
+			do_fp(buf,inp,separator);
+			(void)BIO_reset(bmd);
+			}
+		}
+end:
+	if (buf != NULL)
+		{
+		memset(buf,0,BUFSIZE);
+		Free(buf);
+		}
+	if (in != NULL) BIO_free(in);
+	if (bmd != NULL) BIO_free(bmd);
+	EXIT(err);
+	}
+
+void do_fp(unsigned char *buf, BIO *bp, int sep)
+	{
+	int len;
+	int i;
+
+	for (;;)
+		{
+		i=BIO_read(bp,(char *)buf,BUFSIZE);
+		if (i <= 0) break;
+		}
+	len=BIO_gets(bp,(char *)buf,BUFSIZE);
+
+	for (i=0; i<len; i++)
+		{
+		if (sep && (i != 0))
+			putc(':',stdout);
+		printf("%02x",buf[i]);
+		}
+	printf("\n");
+	}
+
diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c
new file mode 100644
index 0000000..674963f
--- /dev/null
+++ b/crypto/openssl/apps/dh.c
@@ -0,0 +1,316 @@
+/* apps/dh.c */
+/* obsoleted by dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	dh_main
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -check	- check the parameters are ok
+ * -noout
+ * -text
+ * -C
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	DH *dh=NULL;
+	int i,badops=0,text=0;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,check=0,noout=0,C=0,ret=1;
+	char *infile,*outfile,*prog;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-check") == 0)
+			check=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-C") == 0)
+			C=1;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
+		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
+		BIO_printf(bio_err," -in arg       input file\n");
+		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -check        check the DH parameters\n");
+		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
+		BIO_printf(bio_err," -C            Output C code\n");
+		BIO_printf(bio_err," -noout        no output\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if	(informat == FORMAT_ASN1)
+		dh=d2i_DHparams_bio(in,NULL);
+	else if (informat == FORMAT_PEM)
+		dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
+	else
+		{
+		BIO_printf(bio_err,"bad input format specified\n");
+		goto end;
+		}
+	if (dh == NULL)
+		{
+		BIO_printf(bio_err,"unable to load DH parameters\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	
+
+	if (text)
+		{
+		DHparams_print(out,dh);
+#ifdef undef
+		printf("p=");
+		BN_print(stdout,dh->p);
+		printf("\ng=");
+		BN_print(stdout,dh->g);
+		printf("\n");
+		if (dh->length != 0)
+			printf("recommended private length=%ld\n",dh->length);
+#endif
+		}
+	
+	if (check)
+		{
+		if (!DH_check(dh,&i))
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (i & DH_CHECK_P_NOT_PRIME)
+			printf("p value is not prime\n");
+		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+			printf("p value is not a safe prime\n");
+		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+			printf("unable to check the generator value\n");
+		if (i & DH_NOT_SUITABLE_GENERATOR)
+			printf("the g value is not a generator\n");
+		if (i == 0)
+			printf("DH parameters appear to be ok.\n");
+		}
+	if (C)
+		{
+		unsigned char *data;
+		int len,l,bits;
+
+		len=BN_num_bytes(dh->p);
+		bits=BN_num_bits(dh->p);
+		data=(unsigned char *)Malloc(len);
+		if (data == NULL)
+			{
+			perror("Malloc");
+			goto end;
+			}
+		l=BN_bn2bin(dh->p,data);
+		printf("static unsigned char dh%d_p[]={",bits);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t};\n");
+
+		l=BN_bn2bin(dh->g,data);
+		printf("static unsigned char dh%d_g[]={",bits);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t};\n\n");
+
+		printf("DH *get_dh%d()\n\t{\n",bits);
+		printf("\tDH *dh;\n\n");
+		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
+		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+			bits,bits);
+		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+			bits,bits);
+		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+		printf("\t\treturn(NULL);\n");
+		printf("\treturn(dh);\n\t}\n");
+		Free(data);
+		}
+
+
+	if (!noout)
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_DHparams_bio(out,dh);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_DHparams(out,dh);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write DH parameters\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+	ret=0;
+end:
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (dh != NULL) DH_free(dh);
+	EXIT(ret);
+	}
+#endif
diff --git a/crypto/openssl/apps/dh1024.pem b/crypto/openssl/apps/dh1024.pem
new file mode 100644
index 0000000..81d43f6
--- /dev/null
+++ b/crypto/openssl/apps/dh1024.pem
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq
+/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx
+/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC
+-----END DH PARAMETERS-----
diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c
new file mode 100644
index 0000000..709547f
--- /dev/null
+++ b/crypto/openssl/apps/dhparam.c
@@ -0,0 +1,520 @@
+/* apps/dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+
+#undef PROG
+#define PROG	dhparam_main
+
+#define DEFBITS	512
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -dsaparam  - read or generate DSA parameters, convert to DH
+ * -check	- check the parameters are ok
+ * -noout
+ * -text
+ * -C
+ */
+
+static void MS_CALLBACK dh_cb(int p, int n, void *arg);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	DH *dh=NULL;
+	int i,badops=0,text=0;
+#ifndef NO_DSA
+	int dsaparam=0;
+#endif
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,check=0,noout=0,C=0,ret=1;
+	char *infile,*outfile,*prog;
+	char *inrand=NULL;
+	int num = 0, g = 0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-check") == 0)
+			check=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+#ifndef NO_DSA
+		else if (strcmp(*argv,"-dsaparam") == 0)
+			dsaparam=1;
+#endif
+		else if (strcmp(*argv,"-C") == 0)
+			C=1;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-2") == 0)
+			g=2;
+		else if (strcmp(*argv,"-5") == 0)
+			g=5;
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+		else if (((sscanf(*argv,"%d",&num) == 0) || (num <= 0)))
+			goto bad;
+		argv++;
+		argc--;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] [numbits]\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
+		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
+		BIO_printf(bio_err," -in arg       input file\n");
+		BIO_printf(bio_err," -out arg      output file\n");
+#ifndef NO_DSA
+		BIO_printf(bio_err," -dsaparam     read or generate DSA parameters, convert to DH\n");
+#endif
+		BIO_printf(bio_err," -check        check the DH parameters\n");
+		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
+		BIO_printf(bio_err," -C            Output C code\n");
+		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
+		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
+		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"               the random number generator\n");
+		BIO_printf(bio_err," -noout        no output\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	if (g && !num)
+		num = DEFBITS;
+
+#ifndef NO_DSA
+	if (dsaparam)
+		{
+		if (g)
+			{
+			BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n");
+			goto end;
+			}
+		}
+	else
+#endif
+		{
+		/* DH parameters */
+		if (num && !g)
+			g = 2;
+		}
+
+	if(num) {
+
+		if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+			{
+			BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+			}
+		if (inrand != NULL)
+			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+				app_RAND_load_files(inrand));
+
+#ifndef NO_DSA
+		if (dsaparam)
+			{
+			DSA *dsa;
+			
+			BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
+	        dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, bio_err);
+			if (dsa == NULL)
+				{
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+
+			dh = DSA_dup_DH(dsa);
+			DSA_free(dsa);
+			if (dh == NULL)
+				{
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			}
+		else
+#endif
+			{
+			BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
+			BIO_printf(bio_err,"This is going to take a long time\n");
+			dh=DH_generate_parameters(num,g,dh_cb,bio_err);
+			
+			if (dh == NULL)
+				{
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			}
+
+		app_RAND_write_file(NULL, bio_err);
+	} else {
+
+		in=BIO_new(BIO_s_file());
+		if (in == NULL)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (infile == NULL)
+			BIO_set_fp(in,stdin,BIO_NOCLOSE);
+		else
+			{
+			if (BIO_read_filename(in,infile) <= 0)
+				{
+				perror(infile);
+				goto end;
+				}
+			}
+
+		if	(informat != FORMAT_ASN1 && informat != FORMAT_PEM)
+			{
+			BIO_printf(bio_err,"bad input format specified\n");
+			goto end;
+			}
+
+#ifndef NO_DSA
+		if (dsaparam)
+			{
+			DSA *dsa;
+			
+			if (informat == FORMAT_ASN1)
+				dsa=d2i_DSAparams_bio(in,NULL);
+			else /* informat == FORMAT_PEM */
+				dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
+			
+			if (dsa == NULL)
+				{
+				BIO_printf(bio_err,"unable to load DSA parameters\n");
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			
+			dh = DSA_dup_DH(dsa);
+			DSA_free(dsa);
+			if (dh == NULL)
+				{
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			}
+		else
+#endif
+			{
+			if (informat == FORMAT_ASN1)
+				dh=d2i_DHparams_bio(in,NULL);
+			else /* informat == FORMAT_PEM */
+				dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
+			
+			if (dh == NULL)
+				{
+				BIO_printf(bio_err,"unable to load DH parameters\n");
+				ERR_print_errors(bio_err);
+				goto end;
+				}
+			}
+		
+		/* dh != NULL */
+	}
+	
+	out=BIO_new(BIO_s_file());
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+
+	if (text)
+		{
+		DHparams_print(out,dh);
+		}
+	
+	if (check)
+		{
+		if (!DH_check(dh,&i))
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (i & DH_CHECK_P_NOT_PRIME)
+			printf("p value is not prime\n");
+		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+			printf("p value is not a safe prime\n");
+		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+			printf("unable to check the generator value\n");
+		if (i & DH_NOT_SUITABLE_GENERATOR)
+			printf("the g value is not a generator\n");
+		if (i == 0)
+			printf("DH parameters appear to be ok.\n");
+		}
+	if (C)
+		{
+		unsigned char *data;
+		int len,l,bits;
+
+		len=BN_num_bytes(dh->p);
+		bits=BN_num_bits(dh->p);
+		data=(unsigned char *)Malloc(len);
+		if (data == NULL)
+			{
+			perror("Malloc");
+			goto end;
+			}
+		printf("#ifndef HEADER_DH_H\n"
+		       "#include <openssl/dh.h>\n"
+		       "#endif\n");
+		printf("DH *get_dh%d()\n\t{\n",bits);
+
+		l=BN_bn2bin(dh->p,data);
+		printf("\tstatic unsigned char dh%d_p[]={",bits);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t\t};\n");
+
+		l=BN_bn2bin(dh->g,data);
+		printf("\tstatic unsigned char dh%d_g[]={",bits);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t\t};\n");
+
+		printf("\tDH *dh;\n\n");
+		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
+		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+			bits,bits);
+		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+			bits,bits);
+		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+		printf("\t\t{ DH_free(dh); return(NULL); }\n");
+		if (dh->length)
+			printf("\tdh->length = %d;\n", dh->length);
+		printf("\treturn(dh);\n\t}\n");
+		Free(data);
+		}
+
+
+	if (!noout)
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_DHparams_bio(out,dh);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_DHparams(out,dh);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write DH parameters\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+	ret=0;
+end:
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (dh != NULL) DH_free(dh);
+	EXIT(ret);
+	}
+
+/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
+static void MS_CALLBACK dh_cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+
+#endif
diff --git a/crypto/openssl/apps/dsa-ca.pem b/crypto/openssl/apps/dsa-ca.pem
new file mode 100644
index 0000000..cccc142
--- /dev/null
+++ b/crypto/openssl/apps/dsa-ca.pem
@@ -0,0 +1,40 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
+PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
+u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
+Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
+hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
+SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
+Mu0OArgCgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuHvSLw9YUrJahcBHmbpvt4
+94lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUqAylOVFJJJXuirVJ+o+0T
+tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
+J6zsFbSEHaQGUmfSeoM=
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
+C1Q=
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/apps/dsa-pca.pem b/crypto/openssl/apps/dsa-pca.pem
new file mode 100644
index 0000000..d23774e
--- /dev/null
+++ b/crypto/openssl/apps/dsa-pca.pem
@@ -0,0 +1,46 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBvAIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
+PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
+u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
+Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
+hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
+SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
+Mu0OArgCgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUCFQDNvrBz
+6TicfImU7UFRn9h00j0lJQ==
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
+5rKUjNBhSg==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c
new file mode 100644
index 0000000..4977671
--- /dev/null
+++ b/crypto/openssl/apps/dsa.c
@@ -0,0 +1,290 @@
+/* apps/dsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	dsa_main
+
+/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -des		- encrypt output if PEM format with DES in cbc mode
+ * -des3	- encrypt output if PEM format
+ * -idea	- encrypt output if PEM format
+ * -text	- print a text version
+ * -modulus	- print the DSA public key
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret=1;
+	DSA *dsa=NULL;
+	int i,badops=0;
+	const EVP_CIPHER *enc=NULL;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,text=0,noout=0;
+	int pubin = 0, pubout = 0;
+	char *infile,*outfile,*prog;
+	char *passargin = NULL, *passargout = NULL;
+	char *passin = NULL, *passout = NULL;
+	int modulus=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-modulus") == 0)
+			modulus=1;
+		else if (strcmp(*argv,"-pubin") == 0)
+			pubin=1;
+		else if (strcmp(*argv,"-pubout") == 0)
+			pubout=1;
+		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg     input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg    output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg         input file\n");
+		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
+		BIO_printf(bio_err," -out arg        output file\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
+		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
+#ifndef NO_IDEA
+		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
+#endif
+		BIO_printf(bio_err," -text           print the key in text\n");
+		BIO_printf(bio_err," -noout          don't print key out\n");
+		BIO_printf(bio_err," -modulus        print the DSA public value\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+		BIO_printf(bio_err, "Error getting passwords\n");
+		goto end;
+	}
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+
+	BIO_printf(bio_err,"read DSA key\n");
+	if	(informat == FORMAT_ASN1) {
+		if(pubin) dsa=d2i_DSA_PUBKEY_bio(in,NULL);
+		else dsa=d2i_DSAPrivateKey_bio(in,NULL);
+	} else if (informat == FORMAT_PEM) {
+		if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
+		else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,passin);
+	} else
+		{
+		BIO_printf(bio_err,"bad input format specified for key\n");
+		goto end;
+		}
+	if (dsa == NULL)
+		{
+		BIO_printf(bio_err,"unable to load Key\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (text) 
+		if (!DSA_print(out,dsa,0))
+			{
+			perror(outfile);
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+	if (modulus)
+		{
+		fprintf(stdout,"Public Key=");
+		BN_print(out,dsa->pub_key);
+		fprintf(stdout,"\n");
+		}
+
+	if (noout) goto end;
+	BIO_printf(bio_err,"writing DSA key\n");
+	if 	(outformat == FORMAT_ASN1) {
+		if(pubin || pubout) i=i2d_DSA_PUBKEY_bio(out,dsa);
+		else i=i2d_DSAPrivateKey_bio(out,dsa);
+	} else if (outformat == FORMAT_PEM) {
+		if(pubin || pubout)
+			i=PEM_write_bio_DSA_PUBKEY(out,dsa);
+		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
+							NULL,0,NULL, passout);
+	} else {
+		BIO_printf(bio_err,"bad output format specified for outfile\n");
+		goto end;
+		}
+	if (!i)
+		{
+		BIO_printf(bio_err,"unable to write private key\n");
+		ERR_print_errors(bio_err);
+		}
+	else
+		ret=0;
+end:
+	if(in != NULL) BIO_free(in);
+	if(out != NULL) BIO_free(out);
+	if(dsa != NULL) DSA_free(dsa);
+	if(passin) Free(passin);
+	if(passout) Free(passout);
+	EXIT(ret);
+	}
+#endif
diff --git a/crypto/openssl/apps/dsa1024.pem b/crypto/openssl/apps/dsa1024.pem
new file mode 100644
index 0000000..082dec3
--- /dev/null
+++ b/crypto/openssl/apps/dsa1024.pem
@@ -0,0 +1,9 @@
+-----BEGIN DSA PARAMETERS-----
+MIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQPnUx
+mUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtelu+Us
+OSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcHMe36
+bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLsohkj8
+3pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbuSXQH
+zlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7YMu0O
+Arg=
+-----END DSA PARAMETERS-----
diff --git a/crypto/openssl/apps/dsa512.pem b/crypto/openssl/apps/dsa512.pem
new file mode 100644
index 0000000..5f86d1a
--- /dev/null
+++ b/crypto/openssl/apps/dsa512.pem
@@ -0,0 +1,6 @@
+-----BEGIN DSA PARAMETERS-----
+MIGdAkEAnRtpjibb8isRcBmG9hnI+BnyGFOURgbQYlAzSwI8UjADizv5X9EkBk97
+TLqqQJv9luQ3M7stWtdaEUBmonZ9MQIVAPtT71C0QJIxVoZTeuiLIppJ+3GPAkEA
+gz6I5cWJc847bAFJv7PHnwrqRJHlMKrZvltftxDXibeOdPvPKR7rqCxUUbgQ3qDO
+L8wka5B33qJoplISogOdIA==
+-----END DSA PARAMETERS-----
diff --git a/crypto/openssl/apps/dsap.pem b/crypto/openssl/apps/dsap.pem
new file mode 100644
index 0000000..d4dfdb3
--- /dev/null
+++ b/crypto/openssl/apps/dsap.pem
@@ -0,0 +1,6 @@
+-----BEGIN DSA PARAMETERS-----
+MIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZS4J1PHvPrm9MXj5ntVheDPkdmBDTncya
+GAJcMjwsyB/GvLDGd6yGCw/8eF+09wIVAK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2
+t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjgtWiJc/tpvcuzeuAayH89UofjAGueKjXD
+ADiRffvSdhrNw5dkqdql
+-----END DSA PARAMETERS-----
diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c
new file mode 100644
index 0000000..4d4e1ad
--- /dev/null
+++ b/crypto/openssl/apps/dsaparam.c
@@ -0,0 +1,369 @@
+/* apps/dsaparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	dsaparam_main
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -noout
+ * -text
+ * -C
+ * -noout
+ * -genkey
+ */
+
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	DSA *dsa=NULL;
+	int i,badops=0,text=0;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,noout=0,C=0,ret=1;
+	char *infile,*outfile,*prog,*inrand=NULL;
+	int numbits= -1,num,genkey=0;
+	int need_rand=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-C") == 0)
+			C=1;
+		else if (strcmp(*argv,"-genkey") == 0)
+			{
+			genkey=1;
+			need_rand=1;
+			}
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			need_rand=1;
+			}
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (sscanf(*argv,"%d",&num) == 1)
+			{
+			/* generate a key */
+			numbits=num;
+			need_rand=1;
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg       input file\n");
+		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -C            Output C code\n");
+		BIO_printf(bio_err," -noout        no output\n");
+		BIO_printf(bio_err," -rand         files to use for random number input\n");
+		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (need_rand)
+		{
+		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+		if (inrand != NULL)
+			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+				app_RAND_load_files(inrand));
+		}
+
+	if (numbits > 0)
+		{
+		assert(need_rand);
+		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
+	        BIO_printf(bio_err,"This could take some time\n");
+	        dsa=DSA_generate_parameters(num,NULL,0,NULL,NULL, dsa_cb,bio_err);
+		}
+	else if	(informat == FORMAT_ASN1)
+		dsa=d2i_DSAparams_bio(in,NULL);
+	else if (informat == FORMAT_PEM)
+		dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
+	else
+		{
+		BIO_printf(bio_err,"bad input format specified\n");
+		goto end;
+		}
+	if (dsa == NULL)
+		{
+		BIO_printf(bio_err,"unable to load DSA parameters\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (text)
+		{
+		DSAparams_print(out,dsa);
+		}
+	
+	if (C)
+		{
+		unsigned char *data;
+		int l,len,bits_p,bits_q,bits_g;
+
+		len=BN_num_bytes(dsa->p);
+		bits_p=BN_num_bits(dsa->p);
+		bits_q=BN_num_bits(dsa->q);
+		bits_g=BN_num_bits(dsa->g);
+		data=(unsigned char *)Malloc(len+20);
+		if (data == NULL)
+			{
+			perror("Malloc");
+			goto end;
+			}
+		l=BN_bn2bin(dsa->p,data);
+		printf("static unsigned char dsa%d_p[]={",bits_p);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t};\n");
+
+		l=BN_bn2bin(dsa->q,data);
+		printf("static unsigned char dsa%d_q[]={",bits_p);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t};\n");
+
+		l=BN_bn2bin(dsa->g,data);
+		printf("static unsigned char dsa%d_g[]={",bits_p);
+		for (i=0; i<l; i++)
+			{
+			if ((i%12) == 0) printf("\n\t");
+			printf("0x%02X,",data[i]);
+			}
+		printf("\n\t};\n\n");
+
+		printf("DSA *get_dsa%d()\n\t{\n",bits_p);
+		printf("\tDSA *dsa;\n\n");
+		printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n");
+		printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n",
+			bits_p,bits_p);
+		printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n",
+			bits_p,bits_p);
+		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
+			bits_p,bits_p);
+		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
+		printf("\t\treturn(NULL);\n");
+		printf("\treturn(dsa);\n\t}\n");
+		}
+
+
+	if (!noout)
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_DSAparams_bio(out,dsa);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_DSAparams(out,dsa);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write DSA parameters\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+	if (genkey)
+		{
+		DSA *dsakey;
+
+		assert(need_rand);
+		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
+		if (!DSA_generate_key(dsakey)) goto end;
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_DSAPrivateKey_bio(out,dsakey);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		DSA_free(dsakey);
+		}
+	if (need_rand)
+		app_RAND_write_file(NULL, bio_err);
+	ret=0;
+end:
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (dsa != NULL) DSA_free(dsa);
+	EXIT(ret);
+	}
+
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write(arg,&c,1);
+	(void)BIO_flush(arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#endif
diff --git a/crypto/openssl/apps/eay.c b/crypto/openssl/apps/eay.c
new file mode 100644
index 0000000..a84aa38
--- /dev/null
+++ b/crypto/openssl/apps/eay.c
@@ -0,0 +1,131 @@
+/* apps/eay.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define MONOLITH
+#define USE_SOCKETS
+
+#include "openssl/e_os.h"
+
+#include <openssl/bio.h>
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+
+#include <openssl/err.h>
+
+#include <openssl/bn.h>
+
+#include <openssl/evp.h>
+
+#include <openssl/rand.h>
+#include <openssl/conf.h>
+#include <openssl/txt_db.h>
+
+#include <openssl/err.h>
+
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+#define MONOLITH
+
+#include "openssl.c"
+#include "apps.c"
+#include "asn1pars.c"
+#ifndef NO_RSA
+#include "ca.c"
+#include "genrsa.c"
+#include "req.c"
+#include "rsa.c"
+#endif
+#ifndef NO_DH
+#include "gendh.c"
+#include "dh.c"
+#endif
+#include "crl.c"
+#include "crl2p7.c"
+#include "dgst.c"
+#include "enc.c"
+#include "errstr.c"
+#if !defined(NO_SSL2) || !defined(NO_SSL3)
+#ifndef NO_SOCK
+#include "s_cb.c"
+#include "s_client.c"
+#include "s_server.c"
+#include "s_socket.c"
+#include "s_time.c"
+#endif
+#endif
+#include "speed.c"
+#include "verify.c"
+#include "version.c"
+#include "x509.c"
+#include "ciphers.c"
+#include "sess_id.c"
+#include "pkcs7.c"
+#ifndef NO_DSA
+#include "dsaparam.c"
+#include "dsa.c"
+#include "gendsa.c"
+#endif
+
diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c
new file mode 100644
index 0000000..6531c58
--- /dev/null
+++ b/crypto/openssl/apps/enc.c
@@ -0,0 +1,628 @@
+/* apps/enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+#ifndef NO_MD5
+#include <openssl/md5.h>
+#endif
+#include <openssl/pem.h>
+
+int set_hex(char *in,unsigned char *out,int size);
+#undef SIZE
+#undef BSIZE
+#undef PROG
+
+#define SIZE	(512)
+#define BSIZE	(8*1024)
+#define	PROG	enc_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	static const char magic[]="Salted__";
+	char mbuf[8];	/* should be 1 smaller than magic */
+	char *strbuf=NULL;
+	unsigned char *buff=NULL,*bufsize=NULL;
+	int bsize=BSIZE,verbose=0;
+	int ret=1,inl;
+	unsigned char key[24],iv[MD5_DIGEST_LENGTH];
+	unsigned char salt[PKCS5_SALT_LEN];
+	char *str=NULL, *passarg = NULL, *pass = NULL;
+	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
+	int enc=1,printkey=0,i,base64=0;
+	int debug=0,olb64=0,nosalt=0;
+	const EVP_CIPHER *cipher=NULL,*c;
+	char *inf=NULL,*outf=NULL;
+	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
+#define PROG_NAME_SIZE  16
+	char pname[PROG_NAME_SIZE];
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	/* first check the program name */
+	program_name(argv[0],pname,PROG_NAME_SIZE);
+	if (strcmp(pname,"base64") == 0)
+		base64=1;
+
+	cipher=EVP_get_cipherbyname(pname);
+	if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0))
+		{
+		BIO_printf(bio_err,"%s is an unknown cipher\n",pname);
+		goto bad;
+		}
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-e") == 0)
+			enc=1;
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inf= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outf= *(++argv);
+			}
+		else if (strcmp(*argv,"-pass") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passarg= *(++argv);
+			}
+		else if	(strcmp(*argv,"-d") == 0)
+			enc=0;
+		else if	(strcmp(*argv,"-p") == 0)
+			printkey=1;
+		else if	(strcmp(*argv,"-v") == 0)
+			verbose=1;
+		else if	(strcmp(*argv,"-salt") == 0)
+			nosalt=0;
+		else if	(strcmp(*argv,"-nosalt") == 0)
+			nosalt=1;
+		else if	(strcmp(*argv,"-debug") == 0)
+			debug=1;
+		else if	(strcmp(*argv,"-P") == 0)
+			printkey=2;
+		else if	(strcmp(*argv,"-A") == 0)
+			olb64=1;
+		else if	(strcmp(*argv,"-a") == 0)
+			base64=1;
+		else if	(strcmp(*argv,"-base64") == 0)
+			base64=1;
+		else if (strcmp(*argv,"-bufsize") == 0)
+			{
+			if (--argc < 1) goto bad;
+			bufsize=(unsigned char *)*(++argv);
+			}
+		else if (strcmp(*argv,"-k") == 0)
+			{
+			if (--argc < 1) goto bad;
+			str= *(++argv);
+			}
+		else if (strcmp(*argv,"-kfile") == 0)
+			{
+			static char buf[128];
+			FILE *infile;
+			char *file;
+
+			if (--argc < 1) goto bad;
+			file= *(++argv);
+			infile=fopen(file,"r");
+			if (infile == NULL)
+				{
+				BIO_printf(bio_err,"unable to read key from '%s'\n",
+					file);
+				goto bad;
+				}
+			buf[0]='\0';
+			fgets(buf,128,infile);
+			fclose(infile);
+			i=strlen(buf);
+			if ((i > 0) &&
+				((buf[i-1] == '\n') || (buf[i-1] == '\r')))
+				buf[--i]='\0';
+			if ((i > 0) &&
+				((buf[i-1] == '\n') || (buf[i-1] == '\r')))
+				buf[--i]='\0';
+			if (i < 1)
+				{
+				BIO_printf(bio_err,"zero length password\n");
+				goto bad;
+				}
+			str=buf;
+			}
+		else if (strcmp(*argv,"-K") == 0)
+			{
+			if (--argc < 1) goto bad;
+			hkey= *(++argv);
+			}
+		else if (strcmp(*argv,"-S") == 0)
+			{
+			if (--argc < 1) goto bad;
+			hsalt= *(++argv);
+			}
+		else if (strcmp(*argv,"-iv") == 0)
+			{
+			if (--argc < 1) goto bad;
+			hiv= *(++argv);
+			}
+		else if	((argv[0][0] == '-') &&
+			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
+			{
+			cipher=c;
+			}
+		else if (strcmp(*argv,"-none") == 0)
+			cipher=NULL;
+		else
+			{
+			BIO_printf(bio_err,"unknown option '%s'\n",*argv);
+bad:
+			BIO_printf(bio_err,"options are\n");
+			BIO_printf(bio_err,"%-14s input file\n","-in <file>");
+			BIO_printf(bio_err,"%-14s output file\n","-out <file>");
+			BIO_printf(bio_err,"%-14s pass phrase source\n","-pass <arg>");
+			BIO_printf(bio_err,"%-14s encrypt\n","-e");
+			BIO_printf(bio_err,"%-14s decrypt\n","-d");
+			BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
+			BIO_printf(bio_err,"%-14s key is the next argument\n","-k");
+			BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile");
+			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
+			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
+			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
+
+			BIO_printf(bio_err,"Cipher Types\n");
+			BIO_printf(bio_err,"des     : 56 bit key DES encryption\n");
+			BIO_printf(bio_err,"des_ede :112 bit key ede DES encryption\n");
+			BIO_printf(bio_err,"des_ede3:168 bit key ede DES encryption\n");
+#ifndef NO_IDEA
+			BIO_printf(bio_err,"idea    :128 bit key IDEA encryption\n");
+#endif
+#ifndef NO_RC4
+			BIO_printf(bio_err,"rc2     :128 bit key RC2 encryption\n");
+#endif
+#ifndef NO_BF
+			BIO_printf(bio_err,"bf      :128 bit key Blowfish encryption\n");
+#endif
+#ifndef NO_RC4
+			BIO_printf(bio_err," -%-5s :128 bit key RC4 encryption\n",
+				LN_rc4);
+#endif
+
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_des_ecb,LN_des_cbc,
+				LN_des_cfb64,LN_des_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n",
+				"des", LN_des_cbc);
+
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_des_ede,LN_des_ede_cbc,
+				LN_des_ede_cfb64,LN_des_ede_ofb64);
+			BIO_printf(bio_err," -desx -none\n");
+
+
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_des_ede3,LN_des_ede3_cbc,
+				LN_des_ede3_cfb64,LN_des_ede3_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n",
+				"des3", LN_des_ede3_cbc);
+
+#ifndef NO_IDEA
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_idea_ecb, LN_idea_cbc,
+				LN_idea_cfb64, LN_idea_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n","idea",LN_idea_cbc);
+#endif
+#ifndef NO_RC2
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_rc2_ecb, LN_rc2_cbc,
+				LN_rc2_cfb64, LN_rc2_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n","rc2", LN_rc2_cbc);
+#endif
+#ifndef NO_BF
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_bf_ecb, LN_bf_cbc,
+				LN_bf_cfb64, LN_bf_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n","bf", LN_bf_cbc);
+#endif
+#ifndef NO_CAST
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_cast5_ecb, LN_cast5_cbc,
+				LN_cast5_cfb64, LN_cast5_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n","cast", LN_cast5_cbc);
+#endif
+#ifndef NO_RC5
+			BIO_printf(bio_err," -%-12s -%-12s -%-12s -%-12s",
+				LN_rc5_ecb, LN_rc5_cbc,
+				LN_rc5_cfb64, LN_rc5_ofb64);
+			BIO_printf(bio_err," -%-4s (%s)\n","rc5", LN_rc5_cbc);
+#endif
+			goto end;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (bufsize != NULL)
+		{
+		unsigned long n;
+
+		for (n=0; *bufsize; bufsize++)
+			{
+			i= *bufsize;
+			if ((i <= '9') && (i >= '0'))
+				n=n*10+i-'0';
+			else if (i == 'k')
+				{
+				n*=1024;
+				bufsize++;
+				break;
+				}
+			}
+		if (*bufsize != '\0')
+			{
+			BIO_printf(bio_err,"invalid 'bufsize' specified.\n");
+			goto end;
+			}
+
+		/* It must be large enough for a base64 encoded line */
+		if (n < 80) n=80;
+
+		bsize=(int)n;
+		if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
+		}
+
+	strbuf=Malloc(SIZE);
+	buff=(unsigned char *)Malloc(EVP_ENCODE_LENGTH(bsize));
+	if ((buff == NULL) || (strbuf == NULL))
+		{
+		BIO_printf(bio_err,"Malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
+		goto end;
+		}
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	if (debug)
+		{
+		BIO_set_callback(in,BIO_debug_callback);
+		BIO_set_callback(out,BIO_debug_callback);
+		BIO_set_callback_arg(in,bio_err);
+		BIO_set_callback_arg(out,bio_err);
+		}
+
+	if (inf == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,inf) <= 0)
+			{
+			perror(inf);
+			goto end;
+			}
+		}
+
+	if(!str && passarg) {
+		if(!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+			BIO_printf(bio_err, "Error getting password\n");
+			goto end;
+		}
+		str = pass;
+	}
+
+	if ((str == NULL) && (cipher != NULL) && (hkey == NULL))
+		{
+		for (;;)
+			{
+			char buf[200];
+
+			sprintf(buf,"enter %s %s password:",
+				OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+				(enc)?"encryption":"decryption");
+			strbuf[0]='\0';
+			i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc);
+			if (i == 0)
+				{
+				if (strbuf[0] == '\0')
+					{
+					ret=1;
+					goto end;
+					}
+				str=strbuf;
+				break;
+				}
+			if (i < 0)
+				{
+				BIO_printf(bio_err,"bad password read\n");
+				goto end;
+				}
+			}
+		}
+
+
+	if (outf == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outf) <= 0)
+			{
+			perror(outf);
+			goto end;
+			}
+		}
+
+	rbio=in;
+	wbio=out;
+
+	if (base64)
+		{
+		if ((b64=BIO_new(BIO_f_base64())) == NULL)
+			goto end;
+		if (debug)
+			{
+			BIO_set_callback(b64,BIO_debug_callback);
+			BIO_set_callback_arg(b64,bio_err);
+			}
+		if (olb64)
+			BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
+		if (enc)
+			wbio=BIO_push(b64,wbio);
+		else
+			rbio=BIO_push(b64,rbio);
+		}
+
+	if (cipher != NULL)
+		{
+		if (str != NULL)
+			{
+			/* Salt handling: if encrypting generate a salt and
+			 * write to output BIO. If decrypting read salt from
+			 * input BIO.
+			 */
+			unsigned char *sptr;
+			if(nosalt) sptr = NULL;
+			else {
+				if(enc) {
+					if(hsalt) {
+						if(!set_hex(hsalt,salt,PKCS5_SALT_LEN)) {
+							BIO_printf(bio_err,
+								"invalid hex salt value\n");
+							goto end;
+						}
+					} else if (RAND_pseudo_bytes(salt, PKCS5_SALT_LEN) < 0)
+						goto end;
+					/* If -P option then don't bother writing */
+					if((printkey != 2)
+					   && (BIO_write(wbio,magic,
+							 sizeof magic-1) != sizeof magic-1
+					       || BIO_write(wbio,
+							    (char *)salt,
+							    PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) {
+						BIO_printf(bio_err,"error writing output file\n");
+						goto end;
+					}
+				} else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf
+					  || BIO_read(rbio,
+						      (unsigned char *)salt,
+				    PKCS5_SALT_LEN) != PKCS5_SALT_LEN) {
+					BIO_printf(bio_err,"error reading input file\n");
+					goto end;
+				} else if(memcmp(mbuf,magic,sizeof magic-1)) {
+				    BIO_printf(bio_err,"bad magic number\n");
+				    goto end;
+				}
+
+				sptr = salt;
+			}
+
+			EVP_BytesToKey(cipher,EVP_md5(),sptr,
+				(unsigned char *)str,
+				strlen(str),1,key,iv);
+			/* zero the complete buffer or the string
+			 * passed from the command line
+			 * bug picked up by
+			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
+			if (str == strbuf)
+				memset(str,0,SIZE);
+			else
+				memset(str,0,strlen(str));
+			}
+		if ((hiv != NULL) && !set_hex(hiv,iv,8))
+			{
+			BIO_printf(bio_err,"invalid hex iv value\n");
+			goto end;
+			}
+		if ((hkey != NULL) && !set_hex(hkey,key,24))
+			{
+			BIO_printf(bio_err,"invalid hex key value\n");
+			goto end;
+			}
+
+		if ((benc=BIO_new(BIO_f_cipher())) == NULL)
+			goto end;
+		BIO_set_cipher(benc,cipher,key,iv,enc);
+		if (debug)
+			{
+			BIO_set_callback(benc,BIO_debug_callback);
+			BIO_set_callback_arg(benc,bio_err);
+			}
+
+		if (printkey)
+			{
+			if (!nosalt)
+				{
+				printf("salt=");
+				for (i=0; i<PKCS5_SALT_LEN; i++)
+					printf("%02X",salt[i]);
+				printf("\n");
+				}
+			if (cipher->key_len > 0)
+				{
+				printf("key=");
+				for (i=0; i<cipher->key_len; i++)
+					printf("%02X",key[i]);
+				printf("\n");
+				}
+			if (cipher->iv_len > 0)
+				{
+				printf("iv =");
+				for (i=0; i<cipher->iv_len; i++)
+					printf("%02X",iv[i]);
+				printf("\n");
+				}
+			if (printkey == 2)
+				{
+				ret=0;
+				goto end;
+				}
+			}
+		}
+
+	/* Only encrypt/decrypt as we write the file */
+	if (benc != NULL)
+		wbio=BIO_push(benc,wbio);
+
+	for (;;)
+		{
+		inl=BIO_read(rbio,(char *)buff,bsize);
+		if (inl <= 0) break;
+		if (BIO_write(wbio,(char *)buff,inl) != inl)
+			{
+			BIO_printf(bio_err,"error writing output file\n");
+			goto end;
+			}
+		}
+	if (!BIO_flush(wbio))
+		{
+		BIO_printf(bio_err,"bad decrypt\n");
+		goto end;
+		}
+
+	ret=0;
+	if (verbose)
+		{
+		BIO_printf(bio_err,"bytes read   :%8ld\n",BIO_number_read(in));
+		BIO_printf(bio_err,"bytes written:%8ld\n",BIO_number_written(out));
+		}
+end:
+	ERR_print_errors(bio_err);
+	if (strbuf != NULL) Free(strbuf);
+	if (buff != NULL) Free(buff);
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (benc != NULL) BIO_free(benc);
+	if (b64 != NULL) BIO_free(b64);
+	if(pass) Free(pass);
+	EXIT(ret);
+	}
+
+int set_hex(char *in, unsigned char *out, int size)
+	{
+	int i,n;
+	unsigned char j;
+
+	n=strlen(in);
+	if (n > (size*2))
+		{
+		BIO_printf(bio_err,"hex string is too long\n");
+		return(0);
+		}
+	memset(out,0,size);
+	for (i=0; i<n; i++)
+		{
+		j=(unsigned char)*in;
+		*(in++)='\0';
+		if (j == 0) break;
+		if ((j >= '0') && (j <= '9'))
+			j-='0';
+		else if ((j >= 'A') && (j <= 'F'))
+			j=j-'A'+10;
+		else if ((j >= 'a') && (j <= 'f'))
+			j=j-'a'+10;
+		else
+			{
+			BIO_printf(bio_err,"non-hex digit\n");
+			return(0);
+			}
+		if (i&1)
+			out[i/2]|=j;
+		else
+			out[i/2]=(j<<4);
+		}
+	return(1);
+	}
diff --git a/crypto/openssl/apps/errstr.c b/crypto/openssl/apps/errstr.c
new file mode 100644
index 0000000..4650379
--- /dev/null
+++ b/crypto/openssl/apps/errstr.c
@@ -0,0 +1,116 @@
+/* apps/errstr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG	errstr_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,ret=0;
+	char buf[256];
+	unsigned long l;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	SSL_load_error_strings();
+
+	if ((argc > 1) && (strcmp(argv[1],"-stats") == 0))
+		{
+		BIO *out=NULL;
+
+		out=BIO_new(BIO_s_file());
+		if ((out != NULL) && BIO_set_fp(out,stdout,BIO_NOCLOSE))
+			{
+			lh_node_stats_bio((LHASH *)ERR_get_string_table(),out);
+			lh_stats_bio((LHASH *)ERR_get_string_table(),out);
+			lh_node_usage_stats_bio((LHASH *)
+				ERR_get_string_table(),out);
+			}
+		if (out != NULL) BIO_free(out);
+		argc--;
+		argv++;
+		}
+
+	for (i=1; i<argc; i++)
+		{
+		if (sscanf(argv[i],"%lx",&l))
+			printf("%s\n",ERR_error_string(l,buf));
+		else
+			{
+			printf("%s: bad error code\n",argv[i]);
+			printf("usage: errstr [-stats] <errno> ...\n");
+			ret++;
+			}
+		}
+	EXIT(ret);
+	}
diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c
new file mode 100644
index 0000000..caf5e8d
--- /dev/null
+++ b/crypto/openssl/apps/gendh.c
@@ -0,0 +1,196 @@
+/* apps/gendh.c */
+/* obsoleted by dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#define DEFBITS	512
+#undef PROG
+#define PROG gendh_main
+
+static void MS_CALLBACK dh_cb(int p, int n, void *arg);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	DH *dh=NULL;
+	int ret=1,num=DEFBITS;
+	int g=2;
+	char *outfile=NULL;
+	char *inrand=NULL;
+	BIO *out=NULL;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	argv++;
+	argc--;
+	for (;;)
+		{
+		if (argc <= 0) break;
+		if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-2") == 0)
+			g=2;
+	/*	else if (strcmp(*argv,"-3") == 0)
+			g=3; */
+		else if (strcmp(*argv,"-5") == 0)
+			g=5;
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+		else
+			break;
+		argv++;
+		argc--;
+		}
+	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
+		{
+bad:
+		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
+		BIO_printf(bio_err," -out file - output the key to 'file\n");
+		BIO_printf(bio_err," -2    use 2 as the generator value\n");
+	/*	BIO_printf(bio_err," -3    use 3 as the generator value\n"); */
+		BIO_printf(bio_err," -5    use 5 as the generator value\n");
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"             the random number generator\n");
+		goto end;
+		}
+		
+	out=BIO_new(BIO_s_file());
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
+
+	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
+	BIO_printf(bio_err,"This is going to take a long time\n");
+	dh=DH_generate_parameters(num,g,dh_cb,bio_err);
+		
+	if (dh == NULL) goto end;
+
+	app_RAND_write_file(NULL, bio_err);
+
+	if (!PEM_write_bio_DHparams(out,dh))
+		goto end;
+	ret=0;
+end:
+	if (ret != 0)
+		ERR_print_errors(bio_err);
+	if (out != NULL) BIO_free(out);
+	if (dh != NULL) DH_free(dh);
+	EXIT(ret);
+	}
+
+static void MS_CALLBACK dh_cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#endif
diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c
new file mode 100644
index 0000000..b1a1c4f
--- /dev/null
+++ b/crypto/openssl/apps/gendsa.c
@@ -0,0 +1,217 @@
+/* apps/gendsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#define DEFBITS	512
+#undef PROG
+#define PROG gendsa_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	DSA *dsa=NULL;
+	int ret=1;
+	char *outfile=NULL;
+	char *inrand=NULL,*dsaparams=NULL;
+	char *passargout = NULL, *passout = NULL;
+	BIO *out=NULL,*in=NULL;
+	EVP_CIPHER *enc=NULL;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	argv++;
+	argc--;
+	for (;;)
+		{
+		if (argc <= 0) break;
+		if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+		else if (strcmp(*argv,"-") == 0)
+			goto bad;
+#ifndef NO_DES
+		else if (strcmp(*argv,"-des") == 0)
+			enc=EVP_des_cbc();
+		else if (strcmp(*argv,"-des3") == 0)
+			enc=EVP_des_ede3_cbc();
+#endif
+#ifndef NO_IDEA
+		else if (strcmp(*argv,"-idea") == 0)
+			enc=EVP_idea_cbc();
+#endif
+		else if (**argv != '-' && dsaparams == NULL)
+			{
+			dsaparams = *argv;
+			}
+		else
+			goto bad;
+		argv++;
+		argc--;
+		}
+
+	if (dsaparams == NULL)
+		{
+bad:
+		BIO_printf(bio_err,"usage: gendsa [args] dsaparam-file\n");
+		BIO_printf(bio_err," -out file - output the key to 'file'\n");
+#ifndef NO_DES
+		BIO_printf(bio_err," -des      - encrypt the generated key with DES in cbc mode\n");
+		BIO_printf(bio_err," -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+#endif
+#ifndef NO_IDEA
+		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
+#endif
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"             the random number generator\n");
+		BIO_printf(bio_err," dsaparam-file\n");
+		BIO_printf(bio_err,"           - a DSA parameter file as generated by the dsaparam command\n");
+		goto end;
+		}
+
+	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+	}
+
+
+	in=BIO_new(BIO_s_file());
+	if (!(BIO_read_filename(in,dsaparams)))
+		{
+		perror(dsaparams);
+		goto end;
+		}
+
+	if ((dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
+		{
+		BIO_printf(bio_err,"unable to load DSA parameter file\n");
+		goto end;
+		}
+	BIO_free(in);
+	in = NULL;
+		
+	out=BIO_new(BIO_s_file());
+	if (out == NULL) goto end;
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
+
+	BIO_printf(bio_err,"Generating DSA key, %d bits\n",
+							BN_num_bits(dsa->p));
+	if (!DSA_generate_key(dsa)) goto end;
+
+	app_RAND_write_file(NULL, bio_err);
+
+	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL, passout))
+		goto end;
+	ret=0;
+end:
+	if (ret != 0)
+		ERR_print_errors(bio_err);
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (dsa != NULL) DSA_free(dsa);
+	if(passout) Free(passout);
+	EXIT(ret);
+	}
+#endif
diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c
new file mode 100644
index 0000000..6fe578d
--- /dev/null
+++ b/crypto/openssl/apps/genrsa.c
@@ -0,0 +1,242 @@
+/* apps/genrsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#define DEFBITS	512
+#undef PROG
+#define PROG genrsa_main
+
+static void MS_CALLBACK genrsa_cb(int p, int n, void *arg);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret=1;
+	RSA *rsa=NULL;
+	int i,num=DEFBITS;
+	long l;
+	EVP_CIPHER *enc=NULL;
+	unsigned long f4=RSA_F4;
+	char *outfile=NULL;
+	char *passargout = NULL, *passout = NULL;
+	char *inrand=NULL;
+	BIO *out=NULL;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+	if ((out=BIO_new(BIO_s_file())) == NULL)
+		{
+		BIO_printf(bio_err,"unable to create BIO for output\n");
+		goto err;
+		}
+
+	argv++;
+	argc--;
+	for (;;)
+		{
+		if (argc <= 0) break;
+		if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-3") == 0)
+			f4=3;
+		else if (strcmp(*argv,"-F4") == 0)
+			f4=RSA_F4;
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+#ifndef NO_DES
+		else if (strcmp(*argv,"-des") == 0)
+			enc=EVP_des_cbc();
+		else if (strcmp(*argv,"-des3") == 0)
+			enc=EVP_des_ede3_cbc();
+#endif
+#ifndef NO_IDEA
+		else if (strcmp(*argv,"-idea") == 0)
+			enc=EVP_idea_cbc();
+#endif
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else
+			break;
+		argv++;
+		argc--;
+		}
+	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
+		{
+bad:
+		BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
+		BIO_printf(bio_err," -des            encrypt the generated key with DES in cbc mode\n");
+		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+#ifndef NO_IDEA
+		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
+#endif
+		BIO_printf(bio_err," -out file       output the key to 'file\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
+		BIO_printf(bio_err," -3              use 3 for the E value\n");
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"                 the random number generator\n");
+		goto err;
+		}
+		
+	ERR_load_crypto_strings();
+
+	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto err;
+	}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto err;
+			}
+		}
+
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
+
+	BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
+		num);
+	rsa=RSA_generate_key(num,f4,genrsa_cb,bio_err);
+		
+	app_RAND_write_file(NULL, bio_err);
+
+	if (rsa == NULL) goto err;
+	
+	/* We need to do the following for when the base number size is <
+	 * long, esp windows 3.1 :-(. */
+	l=0L;
+	for (i=0; i<rsa->e->top; i++)
+		{
+#ifndef SIXTY_FOUR_BIT
+		l<<=BN_BITS4;
+		l<<=BN_BITS4;
+#endif
+		l+=rsa->e->d[i];
+		}
+	BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
+	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL, passout))
+		goto err;
+
+	ret=0;
+err:
+	if (rsa != NULL) RSA_free(rsa);
+	if (out != NULL) BIO_free(out);
+	if(passout) Free(passout);
+	if (ret != 0)
+		ERR_print_errors(bio_err);
+	EXIT(ret);
+	}
+
+static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/apps/nseq.c b/crypto/openssl/apps/nseq.c
new file mode 100644
index 0000000..cc88d50
--- /dev/null
+++ b/crypto/openssl/apps/nseq.c
@@ -0,0 +1,160 @@
+/* nseq.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include "apps.h"
+
+#undef PROG
+#define PROG nseq_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+	char **args, *infile = NULL, *outfile = NULL;
+	BIO *in = NULL, *out = NULL;
+	int toseq = 0;
+	X509 *x509 = NULL;
+	NETSCAPE_CERT_SEQUENCE *seq = NULL;
+	int i, ret = 1;
+	int badarg = 0;
+	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+	ERR_load_crypto_strings();
+	args = argv + 1;
+	while (!badarg && *args && *args[0] == '-') {
+		if (!strcmp (*args, "-toseq")) toseq = 1;
+		else if (!strcmp (*args, "-in")) {
+			if (args[1]) {
+				args++;
+				infile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-out")) {
+			if (args[1]) {
+				args++;
+				outfile = *args;
+			} else badarg = 1;
+		} else badarg = 1;
+		args++;
+	}
+
+	if (badarg) {
+		BIO_printf (bio_err, "Netscape certificate sequence utility\n");
+		BIO_printf (bio_err, "Usage nseq [options]\n");
+		BIO_printf (bio_err, "where options are\n");
+		BIO_printf (bio_err, "-in file  input file\n");
+		BIO_printf (bio_err, "-out file output file\n");
+		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
+		EXIT(1);
+	}
+
+	if (infile) {
+		if (!(in = BIO_new_file (infile, "r"))) {
+			BIO_printf (bio_err,
+				 "Can't open input file %s\n", infile);
+			goto end;
+		}
+	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+	if (outfile) {
+		if (!(out = BIO_new_file (outfile, "w"))) {
+			BIO_printf (bio_err,
+				 "Can't open output file %s\n", outfile);
+			goto end;
+		}
+	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+	if (toseq) {
+		seq = NETSCAPE_CERT_SEQUENCE_new();
+		seq->certs = sk_X509_new(NULL);
+		while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 
+		    sk_X509_push(seq->certs,x509);
+
+		if(!sk_X509_num(seq->certs))
+		{
+			BIO_printf (bio_err, "Error reading certs file %s\n", infile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
+		ret = 0;
+		goto end;
+	}
+
+	if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
+		BIO_printf (bio_err, "Error reading sequence file %s\n", infile);
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	for(i = 0; i < sk_X509_num(seq->certs); i++) {
+		x509 = sk_X509_value(seq->certs, i);
+		dump_cert_text(out, x509);
+		PEM_write_bio_X509(out, x509);
+	}
+	ret = 0;
+end:
+	BIO_free(in);
+	BIO_free(out);
+	NETSCAPE_CERT_SEQUENCE_free(seq);
+
+	EXIT(ret);
+}
+
diff --git a/crypto/openssl/apps/oid.cnf b/crypto/openssl/apps/oid.cnf
new file mode 100644
index 0000000..faf425a
--- /dev/null
+++ b/crypto/openssl/apps/oid.cnf
@@ -0,0 +1,6 @@
+2.99999.1       SET.ex1         SET x509v3 extension 1
+2.99999.2       SET.ex2         SET x509v3 extension 2
+2.99999.3       SET.ex3         SET x509v3 extension 3
+2.99999.4       SET.ex4         SET x509v3 extension 4
+2.99999.5       SET.ex5         SET x509v3 extension 5
+2.99999.6       SET.ex6         SET x509v3 extension 6
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
new file mode 100644
index 0000000..a2a2630
--- /dev/null
+++ b/crypto/openssl/apps/openssl.c
@@ -0,0 +1,354 @@
+/* apps/openssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#define OPENSSL_C /* tells apps.h to use complete apps_startup() */
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
+#include "apps.h"
+#include "progs.h"
+#include "s_apps.h"
+#include <openssl/err.h>
+
+static unsigned long MS_CALLBACK hash(FUNCTION *a);
+static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b);
+static LHASH *prog_init(void );
+static int do_cmd(LHASH *prog,int argc,char *argv[]);
+LHASH *config=NULL;
+char *default_config_file=NULL;
+
+/* Make sure there is only one when MONOLITH is defined */
+#ifdef MONOLITH
+BIO *bio_err=NULL;
+#endif
+
+int main(int Argc, char *Argv[])
+	{
+	ARGS arg;
+#define PROG_NAME_SIZE	16
+	char pname[PROG_NAME_SIZE];
+	FUNCTION f,*fp;
+	MS_STATIC char *prompt,buf[1024],config_name[256];
+	int n,i,ret=0;
+	int argc;
+	char **argv,*p;
+	LHASH *prog=NULL;
+	long errline;
+ 
+	arg.data=NULL;
+	arg.count=0;
+
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	ERR_load_crypto_strings();
+
+	/* Lets load up our environment a little */
+	p=getenv("OPENSSL_CONF");
+	if (p == NULL)
+		p=getenv("SSLEAY_CONF");
+	if (p == NULL)
+		{
+		strcpy(config_name,X509_get_default_cert_area());
+#ifndef VMS
+		strcat(config_name,"/");
+#endif
+		strcat(config_name,OPENSSL_CONF);
+		p=config_name;
+		}
+
+	default_config_file=p;
+
+	config=CONF_load(config,p,&errline);
+	if (config == NULL) ERR_clear_error();
+
+	prog=prog_init();
+
+	/* first check the program name */
+	program_name(Argv[0],pname,PROG_NAME_SIZE);
+
+	f.name=pname;
+	fp=(FUNCTION *)lh_retrieve(prog,&f);
+	if (fp != NULL)
+		{
+		Argv[0]=pname;
+		ret=fp->func(Argc,Argv);
+		goto end;
+		}
+
+	/* ok, now check that there are not arguments, if there are,
+	 * run with them, shifting the ssleay off the front */
+	if (Argc != 1)
+		{
+		Argc--;
+		Argv++;
+		ret=do_cmd(prog,Argc,Argv);
+		if (ret < 0) ret=0;
+		goto end;
+		}
+
+	/* ok, lets enter the old 'OpenSSL>' mode */
+	
+	for (;;)
+		{
+		ret=0;
+		p=buf;
+		n=1024;
+		i=0;
+		for (;;)
+			{
+			p[0]='\0';
+			if (i++)
+				prompt=">";
+			else	prompt="OpenSSL> ";
+			fputs(prompt,stdout);
+			fflush(stdout);
+			fgets(p,n,stdin);
+			if (p[0] == '\0') goto end;
+			i=strlen(p);
+			if (i <= 1) break;
+			if (p[i-2] != '\\') break;
+			i-=2;
+			p+=i;
+			n-=i;
+			}
+		if (!chopup_args(&arg,buf,&argc,&argv)) break;
+
+		ret=do_cmd(prog,argc,argv);
+		if (ret < 0)
+			{
+			ret=0;
+			goto end;
+			}
+		if (ret != 0)
+			BIO_printf(bio_err,"error in %s\n",argv[0]);
+		(void)BIO_flush(bio_err);
+		}
+	BIO_printf(bio_err,"bad exit\n");
+	ret=1;
+end:
+	if (config != NULL)
+		{
+		CONF_free(config);
+		config=NULL;
+		}
+	if (prog != NULL) lh_free(prog);
+	if (arg.data != NULL) Free(arg.data);
+	ERR_remove_state(0);
+
+	EVP_cleanup();
+	ERR_free_strings();
+	
+	CRYPTO_mem_leaks(bio_err);
+	if (bio_err != NULL)
+		{
+		BIO_free(bio_err);
+		bio_err=NULL;
+		}
+	EXIT(ret);
+	}
+
+#define LIST_STANDARD_COMMANDS "list-standard-commands"
+#define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands"
+#define LIST_CIPHER_COMMANDS "list-cipher-commands"
+
+static int do_cmd(LHASH *prog, int argc, char *argv[])
+	{
+	FUNCTION f,*fp;
+	int i,ret=1,tp,nl;
+
+	if ((argc <= 0) || (argv[0] == NULL))
+		{ ret=0; goto end; }
+	f.name=argv[0];
+	fp=(FUNCTION *)lh_retrieve(prog,&f);
+	if (fp != NULL)
+		{
+		ret=fp->func(argc,argv);
+		}
+	else if ((strncmp(argv[0],"no-",3)) == 0)
+		{
+		BIO *bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
+		f.name=argv[0]+3;
+		ret = (lh_retrieve(prog,&f) != NULL);
+		if (!ret)
+			BIO_printf(bio_stdout, "%s\n", argv[0]);
+		else
+			BIO_printf(bio_stdout, "%s\n", argv[0]+3);
+		BIO_free(bio_stdout);
+		goto end;
+		}
+	else if ((strcmp(argv[0],"quit") == 0) ||
+		(strcmp(argv[0],"q") == 0) ||
+		(strcmp(argv[0],"exit") == 0) ||
+		(strcmp(argv[0],"bye") == 0))
+		{
+		ret= -1;
+		goto end;
+		}
+	else if ((strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0) ||
+		(strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) ||
+		(strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0))
+		{
+		int list_type;
+		BIO *bio_stdout;
+
+		if (strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0)
+			list_type = FUNC_TYPE_GENERAL;
+		else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0)
+			list_type = FUNC_TYPE_MD;
+		else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
+			list_type = FUNC_TYPE_CIPHER;
+		bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
+		
+		for (fp=functions; fp->name != NULL; fp++)
+			if (fp->type == list_type)
+				BIO_printf(bio_stdout, "%s\n", fp->name);
+		BIO_free(bio_stdout);
+		ret=0;
+		goto end;
+		}
+	else
+		{
+		BIO_printf(bio_err,"openssl:Error: '%s' is an invalid command.\n",
+			argv[0]);
+		BIO_printf(bio_err, "\nStandard commands");
+		i=0;
+		tp=0;
+		for (fp=functions; fp->name != NULL; fp++)
+			{
+			nl=0;
+			if (((i++) % 5) == 0)
+				{
+				BIO_printf(bio_err,"\n");
+				nl=1;
+				}
+			if (fp->type != tp)
+				{
+				tp=fp->type;
+				if (!nl) BIO_printf(bio_err,"\n");
+				if (tp == FUNC_TYPE_MD)
+					{
+					i=1;
+					BIO_printf(bio_err,
+						"\nMessage Digest commands (see the `dgst' command for more details)\n");
+					}
+				else if (tp == FUNC_TYPE_CIPHER)
+					{
+					i=1;
+					BIO_printf(bio_err,"\nCipher commands (see the `enc' command for more details)\n");
+					}
+				}
+			BIO_printf(bio_err,"%-15s",fp->name);
+			}
+		BIO_printf(bio_err,"\n\n");
+		ret=0;
+		}
+end:
+	return(ret);
+	}
+
+static int SortFnByName(const void *_f1,const void *_f2)
+    {
+    const FUNCTION *f1=_f1;
+    const FUNCTION *f2=_f2;
+
+    if(f1->type != f2->type)
+	return f1->type-f2->type;
+    return strcmp(f1->name,f2->name);
+    }
+
+static LHASH *prog_init(void)
+	{
+	LHASH *ret;
+	FUNCTION *f;
+	int i;
+
+	/* Purely so it looks nice when the user hits ? */
+	for(i=0,f=functions ; f->name != NULL ; ++f,++i)
+	    ;
+	qsort(functions,i,sizeof *functions,SortFnByName);
+
+	if ((ret=lh_new(hash,cmp)) == NULL) return(NULL);
+
+	for (f=functions; f->name != NULL; f++)
+		lh_insert(ret,f);
+	return(ret);
+	}
+
+static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b)
+	{
+	return(strncmp(a->name,b->name,8));
+	}
+
+static unsigned long MS_CALLBACK hash(FUNCTION *a)
+	{
+	return(lh_strhash(a->name));
+	}
diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
new file mode 100644
index 0000000..dbe8cbe
--- /dev/null
+++ b/crypto/openssl/apps/openssl.cnf
@@ -0,0 +1,244 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 40
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
new file mode 100644
index 0000000..c7e21d2
--- /dev/null
+++ b/crypto/openssl/apps/passwd.c
@@ -0,0 +1,475 @@
+/* apps/passwd.c */
+
+#if defined NO_MD5 || defined CHARSET_EBCDIC
+# define NO_APR1
+#endif
+
+#if !defined(NO_DES) || !defined(NO_APR1)
+
+#include <assert.h>
+#include <string.h>
+
+#include "apps.h"
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#ifndef NO_DES
+# include <openssl/des.h>
+#endif
+#ifndef NO_APR1
+# include <openssl/md5.h>
+#endif
+
+
+#undef PROG
+#define PROG passwd_main
+
+
+static unsigned const char cov_2char[64]={
+	/* from crypto/des/fcrypt.c */
+	0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
+	0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
+	0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
+	0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
+	0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
+	0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
+	0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
+	0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
+};
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+	char *passwd, BIO *out, int quiet, int table, int reverse,
+	size_t pw_maxlen, int usecrypt, int useapr1);
+
+/* -crypt        - standard Unix password algorithm (default, only choice)
+ * -apr1         - MD5-based password algorithm
+ * -salt string  - salt
+ * -in file      - read passwords from file
+ * -stdin        - read passwords from stdin
+ * -quiet        - no warnings
+ * -table        - format output as table
+ * -reverse      - switch table columns
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret = 1;
+	char *infile = NULL;
+	int in_stdin = 0;
+	char *salt = NULL, *passwd = NULL, **passwds = NULL;
+	char *salt_malloc = NULL, *passwd_malloc = NULL;
+	int pw_source_defined = 0;
+	BIO *in = NULL, *out = NULL;
+	int i, badopt, opt_done;
+	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
+	int usecrypt = 0, useapr1 = 0;
+	size_t pw_maxlen = 0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+	out = BIO_new(BIO_s_file());
+	if (out == NULL)
+		goto err;
+	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+
+	badopt = 0, opt_done = 0;
+	i = 0;
+	while (!badopt && !opt_done && argv[++i] != NULL)
+		{
+		if (strcmp(argv[i], "-crypt") == 0)
+			usecrypt = 1;
+		else if (strcmp(argv[i], "-apr1") == 0)
+			useapr1 = 1;
+		else if (strcmp(argv[i], "-salt") == 0)
+			{
+			if ((argv[i+1] != NULL) && (salt == NULL))
+				{
+				passed_salt = 1;
+				salt = argv[++i];
+				}
+			else
+				badopt = 1;
+			}
+		else if (strcmp(argv[i], "-in") == 0)
+			{
+			if ((argv[i+1] != NULL) && !pw_source_defined)
+				{
+				pw_source_defined = 1;
+				infile = argv[++i];
+				}
+			else
+				badopt = 1;
+			}
+		else if (strcmp(argv[i], "-stdin") == 0)
+			{
+			if (!pw_source_defined)
+				{
+				pw_source_defined = 1;
+				in_stdin = 1;
+				}
+			else
+				badopt = 1;
+			}
+		else if (strcmp(argv[i], "-quiet") == 0)
+			quiet = 1;
+		else if (strcmp(argv[i], "-table") == 0)
+			table = 1;
+		else if (strcmp(argv[i], "-reverse") == 0)
+			reverse = 1;
+		else if (argv[i][0] == '-')
+			badopt = 1;
+		else if (!pw_source_defined)
+			/* non-option arguments, use as passwords */
+			{
+			pw_source_defined = 1;
+			passwds = &argv[i];
+			opt_done = 1;
+			}
+		else
+			badopt = 1;
+		}
+
+	if (!usecrypt && !useapr1) /* use default */
+		usecrypt = 1;
+	if (usecrypt + useapr1 > 1) /* conflict */
+		badopt = 1;
+
+	/* reject unsupported algorithms */
+#ifdef NO_DES
+	if (usecrypt) badopt = 1;
+#endif
+#ifdef NO_APR1
+	if (useapr1) badopt = 1;
+#endif
+
+	if (badopt) 
+		{
+		BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
+		BIO_printf(bio_err, "where options are\n");
+#ifndef NO_DES
+		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
+#endif
+#ifndef NO_APR1
+		BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
+#endif
+		BIO_printf(bio_err, "-salt string       use provided salt\n");
+		BIO_printf(bio_err, "-in file           read passwords from file\n");
+		BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
+		BIO_printf(bio_err, "-quiet             no warnings\n");
+		BIO_printf(bio_err, "-table             format output as table\n");
+		BIO_printf(bio_err, "-reverse           switch table columns\n");
+		
+		goto err;
+		}
+
+	if ((infile != NULL) || in_stdin)
+		{
+		in = BIO_new(BIO_s_file());
+		if (in == NULL)
+			goto err;
+		if (infile != NULL)
+			{
+			assert(in_stdin == 0);
+			if (BIO_read_filename(in, infile) <= 0)
+				goto err;
+			}
+		else
+			{
+			assert(in_stdin);
+			BIO_set_fp(in, stdin, BIO_NOCLOSE);
+			}
+		}
+	
+	if (usecrypt)
+		pw_maxlen = 8;
+	else if (useapr1)
+		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
+
+	if (passwds == NULL)
+		{
+		/* no passwords on the command line */
+		passwd = passwd_malloc = Malloc(pw_maxlen + 1);
+		if (passwd_malloc == NULL)
+			goto err;
+		}
+
+	if ((in == NULL) && (passwds == NULL))
+		{
+		/* build a null-terminated list */
+		static char *passwds_static[2] = {NULL, NULL};
+		
+		passwds = passwds_static;
+		if (in == NULL)
+			if (EVP_read_pw_string(passwd_malloc, pw_maxlen + 1, "Password: ", 0) != 0)
+				goto err;
+		passwds[0] = passwd_malloc;
+		}
+
+	if (in == NULL)
+		{
+		assert(passwds != NULL);
+		assert(*passwds != NULL);
+		
+		do /* loop over list of passwords */
+			{
+			passwd = *passwds++;
+			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+				quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+				goto err;
+			}
+		while (*passwds != NULL);
+		}
+	else
+		/* in != NULL */
+		{
+		int done;
+
+		assert (passwd != NULL);
+		do
+			{
+			int r = BIO_gets(in, passwd, pw_maxlen + 1);
+			if (r > 0)
+				{
+				char *c = (strchr(passwd, '\n')) ;
+				if (c != NULL)
+					*c = 0; /* truncate at newline */
+				else
+					{
+					/* ignore rest of line */
+					char trash[BUFSIZ];
+					do
+						r = BIO_gets(in, trash, sizeof trash);
+					while ((r > 0) && (!strchr(trash, '\n')));
+					}
+				
+				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+					quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+					goto err;
+				}
+			done = (r <= 0);
+			}
+		while (!done);
+		}
+
+err:
+	ERR_print_errors(bio_err);
+	if (salt_malloc)
+		Free(salt_malloc);
+	if (passwd_malloc)
+		Free(passwd_malloc);
+	if (in)
+		BIO_free(in);
+	if (out)
+		BIO_free(out);
+	EXIT(ret);
+	}
+
+
+#ifndef NO_APR1
+/* MD5-based password algorithm compatible to the one found in Apache
+ * (should probably be available as a library function;
+ * then the static buffer would not be acceptable) */
+static char *apr1_crypt(const char *passwd, const char *salt)
+	{
+	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
+	unsigned char buf[MD5_DIGEST_LENGTH];
+	char *salt_out;
+	int n, i;
+	MD5_CTX md;
+	size_t passwd_len, salt_len;
+
+	passwd_len = strlen(passwd);
+	strcpy(out_buf, "$apr1$");
+	strncat(out_buf, salt, 8);
+	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
+	salt_out = out_buf + 6;
+	salt_len = strlen(salt_out);
+	assert(salt_len <= 8);
+	
+	MD5_Init(&md);
+	MD5_Update(&md, passwd, passwd_len);
+	MD5_Update(&md, "$apr1$", 6);
+	MD5_Update(&md, salt_out, salt_len);
+	
+	 {
+		MD5_CTX md2;
+
+		MD5_Init(&md2);
+		MD5_Update(&md2, passwd, passwd_len);
+		MD5_Update(&md2, salt_out, salt_len);
+		MD5_Update(&md2, passwd, passwd_len);
+		MD5_Final(buf, &md2);
+	 }
+	for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
+		MD5_Update(&md, buf, sizeof buf);
+	MD5_Update(&md, buf, i);
+	
+	n = passwd_len;
+	while (n)
+		{
+		MD5_Update(&md, (n & 1) ? "\0" : passwd, 1);
+		n >>= 1;
+		}
+	MD5_Final(buf, &md);
+
+	for (i = 0; i < 1000; i++)
+		{
+		MD5_CTX md2;
+
+		MD5_Init(&md2);
+		MD5_Update(&md2, (i & 1) ? (unsigned char *) passwd : buf,
+		                 (i & 1) ? passwd_len : sizeof buf);
+		if (i % 3)
+			MD5_Update(&md2, salt_out, salt_len);
+		if (i % 7)
+			MD5_Update(&md2, passwd, passwd_len);
+		MD5_Update(&md2, (i & 1) ? buf : (unsigned char *) passwd,
+		                 (i & 1) ? sizeof buf : passwd_len);
+		MD5_Final(buf, &md2);
+		}
+	
+	 {
+		/* transform buf into output string */
+	
+		unsigned char buf_perm[sizeof buf];
+		int dest, source;
+		char *output;
+
+		/* silly output permutation */
+		for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
+			buf_perm[dest] = buf[source];
+		buf_perm[14] = buf[5];
+		buf_perm[15] = buf[11];
+#ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */
+		assert(16 == sizeof buf_perm);
+#endif
+		
+		output = salt_out + salt_len;
+		assert(output == out_buf + strlen(out_buf));
+		
+		*output++ = '$';
+
+		for (i = 0; i < 15; i += 3)
+			{
+			*output++ = cov_2char[buf_perm[i+2] & 0x3f];
+			*output++ = cov_2char[((buf_perm[i+1] & 0xf) << 2) |
+				                  (buf_perm[i+2] >> 6)];
+			*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
+				                  (buf_perm[i+1] >> 4)];
+			*output++ = cov_2char[buf_perm[i] >> 2];
+			}
+		assert(i == 15);
+		*output++ = cov_2char[buf_perm[i] & 0x3f];
+		*output++ = cov_2char[buf_perm[i] >> 6];
+		*output = 0;
+		assert(strlen(out_buf) < sizeof(out_buf));
+	 }
+
+	return out_buf;
+	}
+#endif
+
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+	char *passwd, BIO *out,	int quiet, int table, int reverse,
+	size_t pw_maxlen, int usecrypt, int useapr1)
+	{
+	char *hash = NULL;
+
+	assert(salt_p != NULL);
+	assert(salt_malloc_p != NULL);
+
+	/* first make sure we have a salt */
+	if (!passed_salt)
+		{
+#ifndef NO_DES
+		if (usecrypt)
+			{
+			if (*salt_malloc_p == NULL)
+				{
+				*salt_p = *salt_malloc_p = Malloc(3);
+				if (*salt_malloc_p == NULL)
+					goto err;
+				}
+			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+				goto err;
+			(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
+			(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
+			(*salt_p)[2] = 0;
+#ifdef CHARSET_EBCDIC
+			ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert
+			                                    * back to ASCII */
+#endif
+			}
+#endif /* !NO_DES */
+
+#ifndef NO_APR1
+		if (useapr1)
+			{
+			int i;
+			
+			if (*salt_malloc_p == NULL)
+				{
+				*salt_p = *salt_malloc_p = Malloc(9);
+				if (*salt_malloc_p == NULL)
+					goto err;
+				}
+			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+				goto err;
+			
+			for (i = 0; i < 8; i++)
+				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
+			(*salt_p)[8] = 0;
+			}
+#endif /* !NO_APR1 */
+		}
+	
+	assert(*salt_p != NULL);
+	
+	/* truncate password if necessary */
+	if ((strlen(passwd) > pw_maxlen))
+		{
+		if (!quiet)
+			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen);
+		passwd[pw_maxlen] = 0;
+		}
+	assert(strlen(passwd) <= pw_maxlen);
+	
+	/* now compute password hash */
+#ifndef NO_DES
+	if (usecrypt)
+		hash = des_crypt(passwd, *salt_p);
+#endif
+#ifndef NO_APR1
+	if (useapr1)
+		hash = apr1_crypt(passwd, *salt_p);
+#endif
+	assert(hash != NULL);
+
+	if (table && !reverse)
+		BIO_printf(out, "%s\t%s\n", passwd, hash);
+	else if (table && reverse)
+		BIO_printf(out, "%s\t%s\n", hash, passwd);
+	else
+		BIO_printf(out, "%s\n", hash);
+	return 1;
+	
+err:
+	return 0;
+	}
+#else
+
+int MAIN(int argc, char **argv)
+	{
+	fputs("Program not available.\n", stderr)
+	EXIT(1);
+	}
+#endif
diff --git a/crypto/openssl/apps/pca-cert.srl b/crypto/openssl/apps/pca-cert.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/crypto/openssl/apps/pca-cert.srl
@@ -0,0 +1 @@
+01
diff --git a/crypto/openssl/apps/pca-key.pem b/crypto/openssl/apps/pca-key.pem
new file mode 100644
index 0000000..20029ab
--- /dev/null
+++ b/crypto/openssl/apps/pca-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/pca-req.pem b/crypto/openssl/apps/pca-req.pem
new file mode 100644
index 0000000..33f1553
--- /dev/null
+++ b/crypto/openssl/apps/pca-req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmjCCAQMCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAo
+MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfj
+Irkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUX
+MRsp22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3
+vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAEzz
+IG8NnfpnPTQSCN5zJhOfy6p9AcDyQzuJirYv1HR/qoYWalPh/U2uiK0lAim7qMcv
+wOlK3I7A8B7/4dLqvIqgtUj9b1WT8zIrnwdvJI4osLI2BY+c1pVlp174DHLMol1L
+Cl1e3N5BTm7lCitTYjuUhsw6hiA8IcdNKDo6sktV
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/pem_mail.c b/crypto/openssl/apps/pem_mail.c
new file mode 100644
index 0000000..f85c7b1
--- /dev/null
+++ b/crypto/openssl/apps/pem_mail.c
@@ -0,0 +1,170 @@
+/* apps/pem_mail.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include "apps.h"
+
+#undef PROG
+#define PROG	pem_mail_main
+
+static char *usage[]={
+"usage: pem_mail args\n",
+"\n",
+" -in arg         - input file - default stdin\n",
+" -out arg        - output file - default stdout\n",
+" -cert arg       - the certificate to use\n",
+" -key arg        - the private key to use\n",
+" -MIC           - sign the message\n",
+" -enc arg        - encrypt with one of cbc-des\n",
+NULL
+};
+
+
+typedef struct lines_St
+	{
+	char *line;
+	struct lines_st *next;
+	} LINES;
+
+int main(int argc, char **argv)
+	{
+	FILE *in;
+	RSA *rsa=NULL;
+	EVP_MD_CTX ctx;
+	unsigned int mic=0,i,n;
+	unsigned char buf[1024*15];
+	char *prog,*infile=NULL,*outfile=NULL,*key=NULL;
+	int badops=0;
+
+	apps_startup();
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if (strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			key= *(++argv);
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-mic") == 0)
+			mic=1;
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options  are\n");
+		EXIT(1);
+		}
+
+	if (key == NULL)
+		{ BIO_printf(bio_err,"you need to specify a key\n"); EXIT(1); }
+	in=fopen(key,"r");
+	if (in == NULL) { perror(key); EXIT(1); }
+	rsa=PEM_read_RSAPrivateKey(in,NULL,NULL);
+	if (rsa == NULL)
+		{
+		BIO_printf(bio_err,"unable to load Private Key\n");
+		ERR_print_errors(bio_err);
+		EXIT(1);
+		}
+	fclose(in);
+
+	PEM_SignInit(&ctx,EVP_md5());
+	for (;;)
+		{
+		i=fread(buf,1,1024*10,stdin);
+		if (i <= 0) break;
+		PEM_SignUpdate(&ctx,buf,i);
+		}
+	if (!PEM_SignFinal(&ctx,buf,&n,rsa)) goto err;
+	BIO_printf(bio_err,"%s\n",buf);
+	EXIT(0);
+err:
+	ERR_print_errors(bio_err);
+	EXIT(1);
+	}
+#endif
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
new file mode 100644
index 0000000..bf76864
--- /dev/null
+++ b/crypto/openssl/apps/pkcs12.c
@@ -0,0 +1,796 @@
+/* pkcs12.c */
+#if !defined(NO_DES) && !defined(NO_SHA1)
+
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+
+#define PROG pkcs12_main
+
+EVP_CIPHER *enc;
+
+
+#define NOKEYS		0x1
+#define NOCERTS 	0x2
+#define INFO		0x4
+#define CLCERTS		0x8
+#define CACERTS		0x10
+
+int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
+int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
+void hex_prin(BIO *out, unsigned char *buf, int len);
+int alg_print(BIO *x, X509_ALGOR *alg);
+int cert_load(BIO *in, STACK_OF(X509) *sk);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    char *infile=NULL, *outfile=NULL, *keyname = NULL;	
+    char *certfile=NULL;
+    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
+    char **args;
+    char *name = NULL;
+    PKCS12 *p12 = NULL;
+    char pass[50], macpass[50];
+    int export_cert = 0;
+    int options = 0;
+    int chain = 0;
+    int badarg = 0;
+    int iter = PKCS12_DEFAULT_ITER;
+    int maciter = PKCS12_DEFAULT_ITER;
+    int twopass = 0;
+    int keytype = 0;
+    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    int ret = 1;
+    int macver = 1;
+    int noprompt = 0;
+    STACK *canames = NULL;
+    char *cpass = NULL, *mpass = NULL;
+    char *passargin = NULL, *passargout = NULL, *passarg = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *inrand = NULL;
+
+    apps_startup();
+
+    enc = EVP_des_ede3_cbc();
+    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
+    args = argv + 1;
+
+
+    while (*args) {
+	if (*args[0] == '-') {
+		if (!strcmp (*args, "-nokeys")) options |= NOKEYS;
+		else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
+		else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
+		else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;
+		else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;
+		else if (!strcmp (*args, "-cacerts")) options |= CACERTS;
+		else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);
+		else if (!strcmp (*args, "-info")) options |= INFO;
+		else if (!strcmp (*args, "-chain")) chain = 1;
+		else if (!strcmp (*args, "-twopass")) twopass = 1;
+		else if (!strcmp (*args, "-nomacver")) macver = 0;
+		else if (!strcmp (*args, "-descert"))
+    			cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else if (!strcmp (*args, "-export")) export_cert = 1;
+		else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
+#ifndef NO_IDEA
+		else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
+#endif
+		else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+		else if (!strcmp (*args, "-noiter")) iter = 1;
+		else if (!strcmp (*args, "-maciter"))
+					 maciter = PKCS12_DEFAULT_ITER;
+		else if (!strcmp (*args, "-nomaciter"))
+					 maciter = 1;
+		else if (!strcmp (*args, "-nodes")) enc=NULL;
+		else if (!strcmp (*args, "-certpbe")) {
+			if (args[1]) {
+				args++;
+				cert_pbe=OBJ_txt2nid(*args);
+				if(cert_pbe == NID_undef) {
+					BIO_printf(bio_err,
+						 "Unknown PBE algorithm %s\n", *args);
+					badarg = 1;
+				}
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-keypbe")) {
+			if (args[1]) {
+				args++;
+				key_pbe=OBJ_txt2nid(*args);
+				if(key_pbe == NID_undef) {
+					BIO_printf(bio_err,
+						 "Unknown PBE algorithm %s\n", *args);
+					badarg = 1;
+				}
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-rand")) {
+		    if (args[1]) {
+			args++;	
+			inrand = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-inkey")) {
+		    if (args[1]) {
+			args++;	
+			keyname = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-certfile")) {
+		    if (args[1]) {
+			args++;	
+			certfile = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-name")) {
+		    if (args[1]) {
+			args++;	
+			name = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-caname")) {
+		    if (args[1]) {
+			args++;	
+			if (!canames) canames = sk_new(NULL);
+			sk_push(canames, *args);
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-in")) {
+		    if (args[1]) {
+			args++;	
+			infile = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-out")) {
+		    if (args[1]) {
+			args++;	
+			outfile = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passin")) {
+		    if (args[1]) {
+			args++;	
+			passargin = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-passout")) {
+		    if (args[1]) {
+			args++;	
+			passargout = *args;
+		    } else badarg = 1;
+		} else if (!strcmp (*args, "-password")) {
+		    if (args[1]) {
+			args++;	
+			passarg = *args;
+		    	noprompt = 1;
+		    } else badarg = 1;
+		} else badarg = 1;
+
+	} else badarg = 1;
+	args++;
+    }
+
+    if (badarg) {
+	BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
+	BIO_printf (bio_err, "where options are\n");
+	BIO_printf (bio_err, "-export       output PKCS12 file\n");
+	BIO_printf (bio_err, "-chain        add certificate chain\n");
+	BIO_printf (bio_err, "-inkey file   private key if not infile\n");
+	BIO_printf (bio_err, "-certfile f   add all certs in f\n");
+	BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");
+	BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
+	BIO_printf (bio_err, "-in  infile   input filename\n");
+	BIO_printf (bio_err, "-out outfile  output filename\n");
+	BIO_printf (bio_err, "-noout        don't output anything, just verify.\n");
+	BIO_printf (bio_err, "-nomacver     don't verify MAC.\n");
+	BIO_printf (bio_err, "-nocerts      don't output certificates.\n");
+	BIO_printf (bio_err, "-clcerts      only output client certificates.\n");
+	BIO_printf (bio_err, "-cacerts      only output CA certificates.\n");
+	BIO_printf (bio_err, "-nokeys       don't output private keys.\n");
+	BIO_printf (bio_err, "-info         give info about PKCS#12 structure.\n");
+	BIO_printf (bio_err, "-des          encrypt private keys with DES\n");
+	BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
+#ifndef NO_IDEA
+	BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
+#endif
+	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
+	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
+	BIO_printf (bio_err, "-maciter      use MAC iteration\n");
+	BIO_printf (bio_err, "-twopass      separate MAC, encryption passwords\n");
+	BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+	BIO_printf (bio_err, "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
+	BIO_printf (bio_err, "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
+	BIO_printf (bio_err, "-keyex        set MS key exchange type\n");
+	BIO_printf (bio_err, "-keysig       set MS key signature type\n");
+	BIO_printf (bio_err, "-password p   set import/export password source\n");
+	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
+	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
+	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
+	BIO_printf(bio_err,  "              the random number generator\n");
+    	goto end;
+    }
+
+    if(passarg) {
+	if(export_cert) passargout = passarg;
+	else passargin = passarg;
+    }
+
+    if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+	BIO_printf(bio_err, "Error getting passwords\n");
+	goto end;
+    }
+
+    if(!cpass) {
+    	if(export_cert) cpass = passout;
+    	else cpass = passin;
+    }
+
+    if(cpass) {
+	mpass = cpass;
+	noprompt = 1;
+    } else {
+	cpass = pass;
+	mpass = macpass;
+    }
+
+    if(export_cert || inrand) {
+    	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
+    }
+    ERR_load_crypto_strings();
+
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("read files");
+#endif
+
+    if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    else in = BIO_new_file(infile, "rb");
+    if (!in) {
+	    BIO_printf(bio_err, "Error opening input file %s\n",
+						infile ? infile : "<stdin>");
+	    perror (infile);
+	    goto end;
+   }
+
+   if (certfile) {
+    	if(!(certsin = BIO_new_file(certfile, "r"))) {
+	    BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
+	    perror (certfile);
+	    goto end;
+	}
+    }
+
+    if (keyname) {
+    	if(!(inkey = BIO_new_file(keyname, "r"))) {
+	    BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
+	    perror (keyname);
+	    goto end;
+	}
+     }
+
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+    CRYPTO_push_info("write files");
+#endif
+
+    if (!outfile) out = BIO_new_fp(stdout, BIO_NOCLOSE);
+    else out = BIO_new_file(outfile, "wb");
+    if (!out) {
+	BIO_printf(bio_err, "Error opening output file %s\n",
+						outfile ? outfile : "<stdout>");
+	perror (outfile);
+	goto end;
+    }
+    if (twopass) {
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("read MAC password");
+#endif
+	if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+	{
+    	    BIO_printf (bio_err, "Can't read Password\n");
+    	    goto end;
+       	}
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+#endif
+    }
+
+    if (export_cert) {
+	EVP_PKEY *key;
+	STACK *bags, *safes;
+	PKCS12_SAFEBAG *bag;
+	PKCS8_PRIV_KEY_INFO *p8;
+	PKCS7 *authsafe;
+	X509 *ucert = NULL;
+	STACK_OF(X509) *certs=NULL;
+	char *catmp;
+	int i;
+	unsigned char keyid[EVP_MAX_MD_SIZE];
+	unsigned int keyidlen = 0;
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_push_info("process -export_cert");
+#endif
+	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
+	if (!inkey) (void) BIO_reset(in);
+	else BIO_free(inkey);
+	if (!key) {
+		BIO_printf (bio_err, "Error loading private key\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	certs = sk_X509_new(NULL);
+
+	/* Load in all certs in input file */
+	if(!cert_load(in, certs)) {
+		BIO_printf(bio_err, "Error loading certificates from input\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	for(i = 0; i < sk_X509_num(certs); i++) {
+		ucert = sk_X509_value(certs, i);
+		if(X509_check_private_key(ucert, key)) {
+			X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);
+			break;
+		}
+	}
+
+	if(!keyidlen) {
+		BIO_printf(bio_err, "No certificate matches private key\n");
+		goto end;
+	}
+	
+	bags = sk_new (NULL);
+
+	/* Add any more certificates asked for */
+	if (certsin) {
+		if(!cert_load(certsin, certs)) {
+			BIO_printf(bio_err, "Error loading certificates from certfile\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	    	BIO_free(certsin);
+ 	}
+
+	/* If chaining get chain from user cert */
+	if (chain) {
+        	int vret;
+		STACK_OF(X509) *chain2;
+		vret = get_cert_chain (ucert, &chain2);
+		if (vret) {
+			BIO_printf (bio_err, "Error %s getting chain.\n",
+					X509_verify_cert_error_string(vret));
+			goto end;
+		}
+		/* Exclude verified certificate */
+		for (i = 1; i < sk_X509_num (chain2) ; i++) 
+				 sk_X509_push(certs, sk_X509_value (chain2, i));
+		sk_X509_free(chain2);
+			
+    	}
+
+	/* We now have loads of certificates: include them all */
+	for(i = 0; i < sk_X509_num(certs); i++) {
+		X509 *cert = NULL;
+		cert = sk_X509_value(certs, i);
+		bag = M_PKCS12_x5092certbag(cert);
+		/* If it matches private key set id */
+		if(cert == ucert) {
+			if(name) PKCS12_add_friendlyname(bag, name, -1);
+			PKCS12_add_localkeyid(bag, keyid, keyidlen);
+		} else if((catmp = sk_shift(canames))) 
+				PKCS12_add_friendlyname(bag, catmp, -1);
+		sk_push(bags, (char *)bag);
+	}
+	sk_X509_pop_free(certs, X509_free);
+	if (canames) sk_free(canames);
+
+	if(!noprompt &&
+		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+	    BIO_printf (bio_err, "Can't read Password\n");
+	    goto end;
+        }
+	if (!twopass) strcpy(macpass, pass);
+	/* Turn certbags into encrypted authsafe */
+	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
+								 iter, bags);
+	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+
+	if (!authsafe) {
+		ERR_print_errors (bio_err);
+		goto end;
+	}
+
+	safes = sk_new (NULL);
+	sk_push (safes, (char *)authsafe);
+
+	/* Make a shrouded key bag */
+	p8 = EVP_PKEY2PKCS8 (key);
+	EVP_PKEY_free(key);
+	if(keytype) PKCS8_add_keyusage(p8, keytype);
+	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
+	PKCS8_PRIV_KEY_INFO_free(p8);
+        if (name) PKCS12_add_friendlyname (bag, name, -1);
+	PKCS12_add_localkeyid (bag, keyid, keyidlen);
+	bags = sk_new(NULL);
+	sk_push (bags, (char *)bag);
+	/* Turn it into unencrypted safe bag */
+	authsafe = PKCS12_pack_p7data (bags);
+	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	sk_push (safes, (char *)authsafe);
+
+	p12 = PKCS12_init (NID_pkcs7_data);
+
+	M_PKCS12_pack_authsafes (p12, safes);
+
+	sk_pop_free(safes, PKCS7_free);
+
+	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
+
+	i2d_PKCS12_bio (out, p12);
+
+	PKCS12_free(p12);
+
+	ret = 0;
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+#endif
+	goto end;
+	
+    }
+
+    if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
+	ERR_print_errors(bio_err);
+	goto end;
+    }
+
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("read import password");
+#endif
+    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+	BIO_printf (bio_err, "Can't read Password\n");
+	goto end;
+    }
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+#endif
+
+    if (!twopass) strcpy(macpass, pass);
+
+    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
+    if(macver) {
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("verify MAC");
+#endif
+	if (!PKCS12_verify_mac (p12, mpass, -1)) {
+	    BIO_printf (bio_err, "Mac verify error: invalid password?\n");
+	    ERR_print_errors (bio_err);
+	    goto end;
+	} else BIO_printf (bio_err, "MAC verified OK\n");
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+#endif
+    }
+
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("output keys and certificates");
+#endif
+    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
+	BIO_printf(bio_err, "Error outputting keys and certificates\n");
+	ERR_print_errors (bio_err);
+	goto end;
+    }
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+#endif
+    PKCS12_free(p12);
+    ret = 0;
+    end:
+    if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
+#ifdef CRYPTO_MDEBUG
+    CRYPTO_remove_all_info();
+#endif
+    BIO_free(in);
+    BIO_free(out);
+    if(passin) Free(passin);
+    if(passout) Free(passout);
+    EXIT(ret);
+}
+
+int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
+	     int passlen, int options, char *pempass)
+{
+	STACK *asafes, *bags;
+	int i, bagnid;
+	PKCS7 *p7;
+	if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+	for (i = 0; i < sk_num (asafes); i++) {
+		p7 = (PKCS7 *) sk_value (asafes, i);
+		bagnid = OBJ_obj2nid (p7->type);
+		if (bagnid == NID_pkcs7_data) {
+			bags = M_PKCS12_unpack_p7data (p7);
+			if (options & INFO) BIO_printf (bio_err, "PKCS7 Data\n");
+		} else if (bagnid == NID_pkcs7_encrypted) {
+			if (options & INFO) {
+				BIO_printf (bio_err, "PKCS7 Encrypted data: ");
+				alg_print (bio_err, 
+					p7->d.encrypted->enc_data->algorithm);
+			}
+			bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+		} else continue;
+		if (!bags) return 0;
+	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
+						 options, pempass)) {
+			sk_pop_free (bags, PKCS12_SAFEBAG_free);
+			return 0;
+		}
+		sk_pop_free (bags, PKCS12_SAFEBAG_free);
+	}
+	sk_pop_free (asafes, PKCS7_free);
+	return 1;
+}
+
+int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
+	     int passlen, int options, char *pempass)
+{
+	int i;
+	for (i = 0; i < sk_num (bags); i++) {
+		if (!dump_certs_pkeys_bag (out,
+			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
+					 	options, pempass)) return 0;
+	}
+	return 1;
+}
+
+int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
+	     int passlen, int options, char *pempass)
+{
+	EVP_PKEY *pkey;
+	PKCS8_PRIV_KEY_INFO *p8;
+	X509 *x509;
+	
+	switch (M_PKCS12_bag_type(bag))
+	{
+	case NID_keyBag:
+		if (options & INFO) BIO_printf (bio_err, "Key bag\n");
+		if (options & NOKEYS) return 1;
+		print_attribs (out, bag->attrib, "Bag Attributes");
+		p8 = bag->value.keybag;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		print_attribs (out, p8->attributes, "Key Attributes");
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
+		EVP_PKEY_free(pkey);
+	break;
+
+	case NID_pkcs8ShroudedKeyBag:
+		if (options & INFO) {
+			BIO_printf (bio_err, "Shrouded Keybag: ");
+			alg_print (bio_err, bag->value.shkeybag->algor);
+		}
+		if (options & NOKEYS) return 1;
+		print_attribs (out, bag->attrib, "Bag Attributes");
+		if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
+				return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		print_attribs (out, p8->attributes, "Key Attributes");
+		PKCS8_PRIV_KEY_INFO_free(p8);
+		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
+		EVP_PKEY_free(pkey);
+	break;
+
+	case NID_certBag:
+		if (options & INFO) BIO_printf (bio_err, "Certificate bag\n");
+		if (options & NOCERTS) return 1;
+                if (PKCS12_get_attr(bag, NID_localKeyID)) {
+			if (options & CACERTS) return 1;
+		} else if (options & CLCERTS) return 1;
+		print_attribs (out, bag->attrib, "Bag Attributes");
+		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
+								 return 1;
+		if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+		dump_cert_text (out, x509);
+		PEM_write_bio_X509 (out, x509);
+		X509_free(x509);
+	break;
+
+	case NID_safeContentsBag:
+		if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
+		print_attribs (out, bag->attrib, "Bag Attributes");
+		return dump_certs_pkeys_bags (out, bag->value.safes, pass,
+							    passlen, options, pempass);
+					
+	default:
+		BIO_printf (bio_err, "Warning unsupported bag type: ");
+		i2a_ASN1_OBJECT (bio_err, bag->type);
+		BIO_printf (bio_err, "\n");
+		return 1;
+	break;
+	}
+	return 1;
+}
+
+/* Given a single certificate return a verified chain or NULL if error */
+
+/* Hope this is OK .... */
+
+int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
+{
+	X509_STORE *store;
+	X509_STORE_CTX store_ctx;
+	STACK_OF(X509) *chn;
+	int i;
+
+	store = X509_STORE_new ();
+	X509_STORE_set_default_paths (store);
+	X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
+	if (X509_verify_cert(&store_ctx) <= 0) {
+		i = X509_STORE_CTX_get_error (&store_ctx);
+		goto err;
+	}
+	chn =  X509_STORE_CTX_get1_chain(&store_ctx);
+	i = 0;
+	*chain = chn;
+err:
+	X509_STORE_CTX_cleanup(&store_ctx);
+	X509_STORE_free(store);
+	
+	return i;
+}	
+
+int alg_print (BIO *x, X509_ALGOR *alg)
+{
+	PBEPARAM *pbe;
+	unsigned char *p;
+	p = alg->parameter->value.sequence->data;
+	pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length);
+	BIO_printf (bio_err, "%s, Iteration %d\n", 
+	OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter));
+	PBEPARAM_free (pbe);
+	return 0;
+}
+
+/* Load all certificates from a given file */
+
+int cert_load(BIO *in, STACK_OF(X509) *sk)
+{
+	int ret;
+	X509 *cert;
+	ret = 0;
+	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+		ret = 1;
+		sk_X509_push(sk, cert);
+	}
+	if(ret) ERR_clear_error();
+	return ret;
+}
+
+/* Generalised attribute print: handle PKCS#8 and bag attributes */
+
+int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
+{
+	X509_ATTRIBUTE *attr;
+	ASN1_TYPE *av;
+	char *value;
+	int i, attr_nid;
+	if(!attrlst) {
+		BIO_printf(out, "%s: <No Attributes>\n", name);
+		return 1;
+	}
+	if(!sk_X509_ATTRIBUTE_num(attrlst)) {
+		BIO_printf(out, "%s: <Empty Attributes>\n", name);
+		return 1;
+	}
+	BIO_printf(out, "%s\n", name);
+	for(i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
+		attr = sk_X509_ATTRIBUTE_value(attrlst, i);
+		attr_nid = OBJ_obj2nid(attr->object);
+		BIO_printf(out, "    ");
+		if(attr_nid == NID_undef) {
+			i2a_ASN1_OBJECT (out, attr->object);
+			BIO_printf(out, ": ");
+		} else BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
+
+		if(sk_ASN1_TYPE_num(attr->value.set)) {
+			av = sk_ASN1_TYPE_value(attr->value.set, 0);
+			switch(av->type) {
+				case V_ASN1_BMPSTRING:
+        			value = uni2asc(av->value.bmpstring->data,
+                                	       av->value.bmpstring->length);
+				BIO_printf(out, "%s\n", value);
+				Free(value);
+				break;
+
+				case V_ASN1_OCTET_STRING:
+				hex_prin(out, av->value.bit_string->data,
+					av->value.bit_string->length);
+				BIO_printf(out, "\n");	
+				break;
+
+				case V_ASN1_BIT_STRING:
+				hex_prin(out, av->value.octet_string->data,
+					av->value.octet_string->length);
+				BIO_printf(out, "\n");	
+				break;
+
+				default:
+					BIO_printf(out, "<Unsupported tag %d>\n", av->type);
+				break;
+			}
+		} else BIO_printf(out, "<No Values>\n");
+	}
+	return 1;
+}
+
+void hex_prin(BIO *out, unsigned char *buf, int len)
+{
+	int i;
+	for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]);
+}
+
+#endif
diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c
new file mode 100644
index 0000000..f471cc7
--- /dev/null
+++ b/crypto/openssl/apps/pkcs7.c
@@ -0,0 +1,285 @@
+/* apps/pkcs7.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	pkcs7_main
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -print_certs
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	PKCS7 *p7=NULL;
+	int i,badops=0;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat;
+	char *infile,*outfile,*prog;
+	int print_certs=0,text=0,noout=0;
+	int ret=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-print_certs") == 0)
+			print_certs=1;
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg       input file\n");
+		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
+		BIO_printf(bio_err," -text         print full details of certificates\n");
+		BIO_printf(bio_err," -noout        don't output encoded data\n");
+		EXIT(1);
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+                goto end;
+                }
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+		if (in == NULL)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+
+	if	(informat == FORMAT_ASN1)
+		p7=d2i_PKCS7_bio(in,NULL);
+	else if (informat == FORMAT_PEM)
+		p7=PEM_read_bio_PKCS7(in,NULL,NULL,NULL);
+	else
+		{
+		BIO_printf(bio_err,"bad input format specified for pkcs7 object\n");
+		goto end;
+		}
+	if (p7 == NULL)
+		{
+		BIO_printf(bio_err,"unable to load PKCS7 object\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (print_certs)
+		{
+		STACK_OF(X509) *certs=NULL;
+		STACK_OF(X509_CRL) *crls=NULL;
+
+		i=OBJ_obj2nid(p7->type);
+		switch (i)
+			{
+		case NID_pkcs7_signed:
+			certs=p7->d.sign->cert;
+			crls=p7->d.sign->crl;
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			certs=p7->d.signed_and_enveloped->cert;
+			crls=p7->d.signed_and_enveloped->crl;
+			break;
+		default:
+			break;
+			}
+
+		if (certs != NULL)
+			{
+			X509 *x;
+
+			for (i=0; i<sk_X509_num(certs); i++)
+				{
+				x=sk_X509_value(certs,i);
+				if(text) X509_print(out, x);
+				else dump_cert_text(out, x);
+
+				if(!noout) PEM_write_bio_X509(out,x);
+				BIO_puts(out,"\n");
+				}
+			}
+		if (crls != NULL)
+			{
+			X509_CRL *crl;
+
+			for (i=0; i<sk_X509_CRL_num(crls); i++)
+				{
+				crl=sk_X509_CRL_value(crls,i);
+
+				X509_CRL_print(out, crl);
+
+				if(!noout)PEM_write_bio_X509_CRL(out,crl);
+				BIO_puts(out,"\n");
+				}
+			}
+
+		ret=0;
+		goto end;
+		}
+
+	if(!noout) {
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_PKCS7_bio(out,p7);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_PKCS7(out,p7);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write pkcs7 object\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+	}
+	ret=0;
+end:
+	if (p7 != NULL) PKCS7_free(p7);
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	EXIT(ret);
+	}
diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c
new file mode 100644
index 0000000..3e59b74
--- /dev/null
+++ b/crypto/openssl/apps/pkcs8.c
@@ -0,0 +1,345 @@
+/* pkcs8.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+
+#include "apps.h"
+#define PROG pkcs8_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+	char **args, *infile = NULL, *outfile = NULL;
+	char *passargin = NULL, *passargout = NULL;
+	BIO *in = NULL, *out = NULL;
+	int topk8 = 0;
+	int pbe_nid = -1;
+	const EVP_CIPHER *cipher = NULL;
+	int iter = PKCS12_DEFAULT_ITER;
+	int informat, outformat;
+	int p8_broken = PKCS8_OK;
+	int nocrypt = 0;
+	X509_SIG *p8;
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	EVP_PKEY *pkey;
+	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
+	int badarg = 0;
+	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+	ERR_load_crypto_strings();
+	OpenSSL_add_all_algorithms();
+	args = argv + 1;
+	while (!badarg && *args && *args[0] == '-') {
+		if (!strcmp(*args,"-v2")) {
+			if (args[1]) {
+				args++;
+				cipher=EVP_get_cipherbyname(*args);
+				if(!cipher) {
+					BIO_printf(bio_err,
+						 "Unknown cipher %s\n", *args);
+					badarg = 1;
+				}
+			} else badarg = 1;
+		} else if (!strcmp(*args,"-v1")) {
+			if (args[1]) {
+				args++;
+				pbe_nid=OBJ_txt2nid(*args);
+				if(pbe_nid == NID_undef) {
+					BIO_printf(bio_err,
+						 "Unknown PBE algorithm %s\n", *args);
+					badarg = 1;
+				}
+			} else badarg = 1;
+		} else if (!strcmp(*args,"-inform")) {
+			if (args[1]) {
+				args++;
+				informat=str2fmt(*args);
+			} else badarg = 1;
+		} else if (!strcmp(*args,"-outform")) {
+			if (args[1]) {
+				args++;
+				outformat=str2fmt(*args);
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-topk8")) topk8 = 1;
+		else if (!strcmp (*args, "-noiter")) iter = 1;
+		else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
+		else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
+		else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB;
+		else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM;
+		else if (!strcmp(*args,"-passin"))
+			{
+			if (!args[1]) goto bad;
+			passargin= *(++args);
+			}
+		else if (!strcmp(*args,"-passout"))
+			{
+			if (!args[1]) goto bad;
+			passargout= *(++args);
+			}
+		else if (!strcmp (*args, "-in")) {
+			if (args[1]) {
+				args++;
+				infile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-out")) {
+			if (args[1]) {
+				args++;
+				outfile = *args;
+			} else badarg = 1;
+		} else badarg = 1;
+		args++;
+	}
+
+	if (badarg) {
+		bad:
+		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
+		BIO_printf(bio_err, "where options are\n");
+		BIO_printf(bio_err, "-in file        input file\n");
+		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
+		BIO_printf(bio_err, "-passin arg     input file pass phrase source\n");
+		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
+		BIO_printf(bio_err, "-out file       output file\n");
+		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
+		BIO_printf(bio_err, "-nooct          use (nonstandard) no octet format\n");
+		BIO_printf(bio_err, "-embed          use (nonstandard) embedded DSA parameters format\n");
+		BIO_printf(bio_err, "-nsdb           use (nonstandard) DSA Netscape DB format\n");
+		BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
+		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
+		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
+		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
+		return (1);
+	}
+
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+		BIO_printf(bio_err, "Error getting passwords\n");
+		return (1);
+	}
+
+	if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+
+	if (infile) {
+		if (!(in = BIO_new_file(infile, "rb"))) {
+			BIO_printf(bio_err,
+				 "Can't open input file %s\n", infile);
+			return (1);
+		}
+	} else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+
+	if (outfile) {
+		if (!(out = BIO_new_file (outfile, "wb"))) {
+			BIO_printf(bio_err,
+				 "Can't open output file %s\n", outfile);
+			return (1);
+		}
+	} else out = BIO_new_fp (stdout, BIO_NOCLOSE);
+
+	if (topk8) {
+		if(informat == FORMAT_PEM)
+			pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, passin);
+		else if(informat == FORMAT_ASN1)
+			pkey = d2i_PrivateKey_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+		}
+		if (!pkey) {
+			BIO_printf(bio_err, "Error reading key\n", outfile);
+			ERR_print_errors(bio_err);
+			return (1);
+		}
+		BIO_free(in);
+		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+			BIO_printf(bio_err, "Error converting key\n", outfile);
+			ERR_print_errors(bio_err);
+			return (1);
+		}
+		if(nocrypt) {
+			if(outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+			else if(outformat == FORMAT_ASN1)
+				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+			else {
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				return (1);
+			}
+		} else {
+			if(passout) p8pass = passout;
+			else {
+				p8pass = pass;
+				EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+			}
+			app_RAND_load_file(NULL, bio_err, 0);
+			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
+					p8pass, strlen(p8pass),
+					NULL, 0, iter, p8inf))) {
+				BIO_printf(bio_err, "Error encrypting key\n",
+								 outfile);
+				ERR_print_errors(bio_err);
+				return (1);
+			}
+			app_RAND_write_file(NULL, bio_err);
+			if(outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8(out, p8);
+			else if(outformat == FORMAT_ASN1)
+				i2d_PKCS8_bio(out, p8);
+			else {
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				return (1);
+			}
+			X509_SIG_free(p8);
+		}
+		PKCS8_PRIV_KEY_INFO_free (p8inf);
+		EVP_PKEY_free(pkey);
+		BIO_free(out);
+		if(passin) Free(passin);
+		if(passout) Free(passout);
+		return (0);
+	}
+
+	if(nocrypt) {
+		if(informat == FORMAT_PEM) 
+			p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
+		else if(informat == FORMAT_ASN1)
+			p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+		}
+	} else {
+		if(informat == FORMAT_PEM) 
+			p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
+		else if(informat == FORMAT_ASN1)
+			p8 = d2i_PKCS8_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+		}
+
+		if (!p8) {
+			BIO_printf (bio_err, "Error reading key\n", outfile);
+			ERR_print_errors(bio_err);
+			return (1);
+		}
+		if(passin) p8pass = passin;
+		else {
+			p8pass = pass;
+			EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+		}
+		p8inf = M_PKCS8_decrypt(p8, p8pass, strlen(p8pass));
+		X509_SIG_free(p8);
+	}
+
+	if (!p8inf) {
+		BIO_printf(bio_err, "Error decrypting key\n", outfile);
+		ERR_print_errors(bio_err);
+		return (1);
+	}
+
+	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+		BIO_printf(bio_err, "Error converting key\n", outfile);
+		ERR_print_errors(bio_err);
+		return (1);
+	}
+	
+	if (p8inf->broken) {
+		BIO_printf(bio_err, "Warning: broken key encoding: ");
+		switch (p8inf->broken) {
+			case PKCS8_NO_OCTET:
+			BIO_printf(bio_err, "No Octet String in PrivateKey\n");
+			break;
+
+			case PKCS8_EMBEDDED_PARAM:
+			BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
+			break;
+
+			case PKCS8_NS_DB:
+			BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
+			break;
+
+			default:
+			BIO_printf(bio_err, "Unknown broken type\n");
+			break;
+		}
+	}
+	
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	if(outformat == FORMAT_PEM) 
+		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
+	else if(outformat == FORMAT_ASN1)
+		i2d_PrivateKey_bio(out, pkey);
+	else {
+		BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+	}
+
+	EVP_PKEY_free(pkey);
+	BIO_free(out);
+	BIO_free(in);
+	if(passin) Free(passin);
+	if(passout) Free(passout);
+
+	return (0);
+}
diff --git a/crypto/openssl/apps/privkey.pem b/crypto/openssl/apps/privkey.pem
new file mode 100644
index 0000000..0af4647
--- /dev/null
+++ b/crypto/openssl/apps/privkey.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,BA26229A1653B7FF
+
+6nhWG8PKhTPO/s3ZvjUa6226NlKdvPDZFsNXOOoSUs9ejxpb/aj5huhs6qRYzsz9
+Year47uaAZYhGD0vAagnNiBnYmjWEpN9G/wQxG7pgZThK1ZxDi63qn8aQ8UjuGHo
+F6RpnnBQIAnWTWqr/Qsybtc5EoNkrj/Cpx0OfbSr6gZsFBCxwX1R1hT3/mhJ45f3
+XMofY32Vdfx9/vtw1O7HmlHXQnXaqnbd9/nn1EpvFJG9+UjPoW7gV4jCOLuR4deE
+jS8hm+cpkwXmFtk3VGjT9tQXPpMv3JpYfBqgGQoMAJ5Toq0DWcHi6Wg08PsD8lgy
+vmTioPsRg+JGkJkJ8GnusgLpQdlQJbjzd7wGE6ElUFLfOxLo8bLlRHoriHNdWYhh
+JjY0LyeTkovcmWxVjImc6ZyBz5Ly4t0BYf1gq3OkjsV91Q1taBxnhiavfizqMCAf
+PPB3sLQnlXG77TOXkNxpqbZfEYrVZW2Nsqqdn8s07Uj4IMONZyq2odYKWFPMJBiM
+POYwXjMAOcmFMTHYsVlhcUJuV6LOuipw/FEbTtPH/MYMxLe4zx65dYo1rb4iLKLS
+gMtB0o/Wl4Xno3ZXh1ucicYnV2J7NpVcjVq+3SFiCRu2SrSkZHZ23EPS13Ec6fcz
+8X/YGA2vTJ8MAOozAzQUwHQYvLk7bIoQVekqDq4p0AZQbhdspHpArCk0Ifqqzg/v
+Uyky/zZiQYanzDenTSRVI/8wac3olxpU8QvbySxYqmbkgq6bTpXJfYFQfnAttEsC
+dA4S5UFgyOPZluxCAM4yaJF3Ft6neutNwftuJQMbgCUi9vYg2tGdSw==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h
new file mode 100644
index 0000000..7d22384
--- /dev/null
+++ b/crypto/openssl/apps/progs.h
@@ -0,0 +1,251 @@
+/* apps/progs.h */
+/* automatically generated by progs.pl for openssl.c */
+
+extern int verify_main(int argc,char *argv[]);
+extern int asn1parse_main(int argc,char *argv[]);
+extern int req_main(int argc,char *argv[]);
+extern int dgst_main(int argc,char *argv[]);
+extern int dh_main(int argc,char *argv[]);
+extern int dhparam_main(int argc,char *argv[]);
+extern int enc_main(int argc,char *argv[]);
+extern int passwd_main(int argc,char *argv[]);
+extern int gendh_main(int argc,char *argv[]);
+extern int errstr_main(int argc,char *argv[]);
+extern int ca_main(int argc,char *argv[]);
+extern int crl_main(int argc,char *argv[]);
+extern int rsa_main(int argc,char *argv[]);
+extern int dsa_main(int argc,char *argv[]);
+extern int dsaparam_main(int argc,char *argv[]);
+extern int x509_main(int argc,char *argv[]);
+extern int genrsa_main(int argc,char *argv[]);
+extern int gendsa_main(int argc,char *argv[]);
+extern int s_server_main(int argc,char *argv[]);
+extern int s_client_main(int argc,char *argv[]);
+extern int speed_main(int argc,char *argv[]);
+extern int s_time_main(int argc,char *argv[]);
+extern int version_main(int argc,char *argv[]);
+extern int pkcs7_main(int argc,char *argv[]);
+extern int crl2pkcs7_main(int argc,char *argv[]);
+extern int sess_id_main(int argc,char *argv[]);
+extern int ciphers_main(int argc,char *argv[]);
+extern int nseq_main(int argc,char *argv[]);
+extern int pkcs12_main(int argc,char *argv[]);
+extern int pkcs8_main(int argc,char *argv[]);
+extern int spkac_main(int argc,char *argv[]);
+extern int smime_main(int argc,char *argv[]);
+extern int rand_main(int argc,char *argv[]);
+
+#define FUNC_TYPE_GENERAL	1
+#define FUNC_TYPE_MD		2
+#define FUNC_TYPE_CIPHER	3
+
+typedef struct {
+	int type;
+	char *name;
+	int (*func)();
+	} FUNCTION;
+
+FUNCTION functions[] = {
+	{FUNC_TYPE_GENERAL,"verify",verify_main},
+	{FUNC_TYPE_GENERAL,"asn1parse",asn1parse_main},
+	{FUNC_TYPE_GENERAL,"req",req_main},
+	{FUNC_TYPE_GENERAL,"dgst",dgst_main},
+#ifndef NO_DH
+	{FUNC_TYPE_GENERAL,"dh",dh_main},
+#endif
+#ifndef NO_DH
+	{FUNC_TYPE_GENERAL,"dhparam",dhparam_main},
+#endif
+	{FUNC_TYPE_GENERAL,"enc",enc_main},
+	{FUNC_TYPE_GENERAL,"passwd",passwd_main},
+#ifndef NO_DH
+	{FUNC_TYPE_GENERAL,"gendh",gendh_main},
+#endif
+	{FUNC_TYPE_GENERAL,"errstr",errstr_main},
+	{FUNC_TYPE_GENERAL,"ca",ca_main},
+	{FUNC_TYPE_GENERAL,"crl",crl_main},
+#ifndef NO_RSA
+	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
+#endif
+#ifndef NO_DSA
+	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
+#endif
+#ifndef NO_DSA
+	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
+#endif
+	{FUNC_TYPE_GENERAL,"x509",x509_main},
+#ifndef NO_RSA
+	{FUNC_TYPE_GENERAL,"genrsa",genrsa_main},
+#endif
+#ifndef NO_DSA
+	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
+#endif
+#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))
+	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
+#endif
+#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))
+	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
+#endif
+	{FUNC_TYPE_GENERAL,"speed",speed_main},
+#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))
+	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
+#endif
+	{FUNC_TYPE_GENERAL,"version",version_main},
+	{FUNC_TYPE_GENERAL,"pkcs7",pkcs7_main},
+	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
+	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
+#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))
+	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
+#endif
+	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
+#if !defined(NO_DES) && !defined(NO_SHA1)
+	{FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main},
+#endif
+	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main},
+	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
+	{FUNC_TYPE_GENERAL,"smime",smime_main},
+	{FUNC_TYPE_GENERAL,"rand",rand_main},
+	{FUNC_TYPE_MD,"md2",dgst_main},
+	{FUNC_TYPE_MD,"md5",dgst_main},
+	{FUNC_TYPE_MD,"sha",dgst_main},
+	{FUNC_TYPE_MD,"sha1",dgst_main},
+	{FUNC_TYPE_MD,"mdc2",dgst_main},
+	{FUNC_TYPE_MD,"rmd160",dgst_main},
+	{FUNC_TYPE_CIPHER,"base64",enc_main},
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des3",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"desx",enc_main},
+#endif
+#ifndef NO_IDEA
+	{FUNC_TYPE_CIPHER,"idea",enc_main},
+#endif
+#ifndef NO_RC4
+	{FUNC_TYPE_CIPHER,"rc4",enc_main},
+#endif
+#ifndef NO_RC4
+	{FUNC_TYPE_CIPHER,"rc4-40",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2",enc_main},
+#endif
+#ifndef NO_BF
+	{FUNC_TYPE_CIPHER,"bf",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast",enc_main},
+#endif
+#ifndef NO_RC5
+	{FUNC_TYPE_CIPHER,"rc5",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ecb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede3",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-cbc",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede-cbc",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede3-cbc",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-cfb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede-cfb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede3-cfb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ofb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede-ofb",enc_main},
+#endif
+#ifndef NO_DES
+	{FUNC_TYPE_CIPHER,"des-ede3-ofb",enc_main},
+#endif
+#ifndef NO_IDEA
+	{FUNC_TYPE_CIPHER,"idea-cbc",enc_main},
+#endif
+#ifndef NO_IDEA
+	{FUNC_TYPE_CIPHER,"idea-ecb",enc_main},
+#endif
+#ifndef NO_IDEA
+	{FUNC_TYPE_CIPHER,"idea-cfb",enc_main},
+#endif
+#ifndef NO_IDEA
+	{FUNC_TYPE_CIPHER,"idea-ofb",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-cbc",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-ecb",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-cfb",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-ofb",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-64-cbc",enc_main},
+#endif
+#ifndef NO_RC2
+	{FUNC_TYPE_CIPHER,"rc2-40-cbc",enc_main},
+#endif
+#ifndef NO_BF
+	{FUNC_TYPE_CIPHER,"bf-cbc",enc_main},
+#endif
+#ifndef NO_BF
+	{FUNC_TYPE_CIPHER,"bf-ecb",enc_main},
+#endif
+#ifndef NO_BF
+	{FUNC_TYPE_CIPHER,"bf-cfb",enc_main},
+#endif
+#ifndef NO_BF
+	{FUNC_TYPE_CIPHER,"bf-ofb",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast5-cbc",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast5-ecb",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast5-cfb",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast5-ofb",enc_main},
+#endif
+#ifndef NO_CAST
+	{FUNC_TYPE_CIPHER,"cast-cbc",enc_main},
+#endif
+#ifndef NO_RC5
+	{FUNC_TYPE_CIPHER,"rc5-cbc",enc_main},
+#endif
+#ifndef NO_RC5
+	{FUNC_TYPE_CIPHER,"rc5-ecb",enc_main},
+#endif
+#ifndef NO_RC5
+	{FUNC_TYPE_CIPHER,"rc5-cfb",enc_main},
+#endif
+#ifndef NO_RC5
+	{FUNC_TYPE_CIPHER,"rc5-ofb",enc_main},
+#endif
+	{0,NULL,NULL}
+	};
diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl
new file mode 100644
index 0000000..9842d2a
--- /dev/null
+++ b/crypto/openssl/apps/progs.pl
@@ -0,0 +1,77 @@
+#!/usr/local/bin/perl
+
+print "/* apps/progs.h */\n";
+print "/* automatically generated by progs.pl for openssl.c */\n\n";
+
+grep(s/^asn1pars$/asn1parse/,@ARGV);
+
+foreach (@ARGV)
+	{ printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
+
+print <<'EOF';
+
+#define FUNC_TYPE_GENERAL	1
+#define FUNC_TYPE_MD		2
+#define FUNC_TYPE_CIPHER	3
+
+typedef struct {
+	int type;
+	char *name;
+	int (*func)();
+	} FUNCTION;
+
+FUNCTION functions[] = {
+EOF
+
+foreach (@ARGV)
+	{
+	push(@files,$_);
+	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
+	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
+		{ print "#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))\n${str}#endif\n"; } 
+	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) ) 
+		{ print "#ifndef NO_RSA\n${str}#endif\n";  }
+	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
+		{ print "#ifndef NO_DSA\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
+		{ print "#ifndef NO_DH\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^pkcs12$/))
+		{ print "#if !defined(NO_DES) && !defined(NO_SHA1)\n${str}#endif\n"; }
+	else
+		{ print $str; }
+	}
+
+foreach ("md2","md5","sha","sha1","mdc2","rmd160")
+	{
+	push(@files,$_);
+	printf "\t{FUNC_TYPE_MD,\"%s\",dgst_main},\n",$_;
+	}
+
+foreach (
+	"base64",
+	"des", "des3", "desx", "idea", "rc4", "rc4-40",
+	"rc2", "bf", "cast", "rc5",
+	"des-ecb", "des-ede",    "des-ede3",
+	"des-cbc", "des-ede-cbc","des-ede3-cbc",
+	"des-cfb", "des-ede-cfb","des-ede3-cfb",
+	"des-ofb", "des-ede-ofb","des-ede3-ofb",
+	"idea-cbc","idea-ecb",   "idea-cfb", "idea-ofb",
+	"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
+	"bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
+	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
+	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
+	{
+	push(@files,$_);
+
+	$t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
+	if    ($_ =~ /des/)  { $t="#ifndef NO_DES\n${t}#endif\n"; }
+	elsif ($_ =~ /idea/) { $t="#ifndef NO_IDEA\n${t}#endif\n"; }
+	elsif ($_ =~ /rc4/)  { $t="#ifndef NO_RC4\n${t}#endif\n"; }
+	elsif ($_ =~ /rc2/)  { $t="#ifndef NO_RC2\n${t}#endif\n"; }
+	elsif ($_ =~ /bf/)   { $t="#ifndef NO_BF\n${t}#endif\n"; }
+	elsif ($_ =~ /cast/) { $t="#ifndef NO_CAST\n${t}#endif\n"; }
+	elsif ($_ =~ /rc5/)  { $t="#ifndef NO_RC5\n${t}#endif\n"; }
+	print $t;
+	}
+
+print "\t{0,NULL,NULL}\n\t};\n";
diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c
new file mode 100644
index 0000000..cfbba30
--- /dev/null
+++ b/crypto/openssl/apps/rand.c
@@ -0,0 +1,140 @@
+/* apps/rand.c */
+
+#include "apps.h"
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#undef PROG
+#define PROG rand_main
+
+/* -out file         - write to file
+ * -rand file:file   - PRNG seed files
+ * -base64           - encode output
+ * num               - write 'num' bytes
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i, r, ret = 1;
+	int badopt;
+	char *outfile = NULL;
+	char *inrand = NULL;
+	int base64 = 0;
+	BIO *out = NULL;
+	int num = -1;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+
+	badopt = 0;
+	i = 0;
+	while (!badopt && argv[++i] != NULL)
+		{
+		if (strcmp(argv[i], "-out") == 0)
+			{
+			if ((argv[i+1] != NULL) && (outfile == NULL))
+				outfile = argv[++i];
+			else
+				badopt = 1;
+			}
+		else if (strcmp(argv[i], "-rand") == 0)
+			{
+			if ((argv[i+1] != NULL) && (inrand == NULL))
+				inrand = argv[++i];
+			else
+				badopt = 1;
+			}
+		else if (strcmp(argv[i], "-base64") == 0)
+			{
+			if (!base64)
+				base64 = 1;
+			else
+				badopt = 1;
+			}
+		else if (isdigit(argv[i][0]))
+			{
+			if (num < 0)
+				{
+				r = sscanf(argv[i], "%d", &num);
+				if (r == 0 || num < 0)
+					badopt = 1;
+				}
+			else
+				badopt = 1;
+			}
+		else
+			badopt = 1;
+		}
+
+	if (num < 0)
+		badopt = 1;
+	
+	if (badopt) 
+		{
+		BIO_printf(bio_err, "Usage: rand [options] num\n");
+		BIO_printf(bio_err, "where options are\n");
+		BIO_printf(bio_err, "-out file            - write to file\n");
+		BIO_printf(bio_err, "-rand file%cfile%c...  - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err, "-base64              - encode output\n");
+		goto err;
+		}
+
+	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
+
+	out = BIO_new(BIO_s_file());
+	if (out == NULL)
+		goto err;
+	if (outfile != NULL)
+		r = BIO_write_filename(out, outfile);
+	else
+		r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+	if (r <= 0)
+		goto err;
+
+	if (base64)
+		{
+		BIO *b64 = BIO_new(BIO_f_base64());
+		if (b64 == NULL)
+			goto err;
+		out = BIO_push(b64, out);
+		}
+	
+	while (num > 0) 
+		{
+		unsigned char buf[4096];
+		int chunk;
+
+		chunk = num;
+		if (chunk > sizeof buf)
+			chunk = sizeof buf;
+		r = RAND_bytes(buf, chunk);
+		if (r <= 0)
+			goto err;
+		BIO_write(out, buf, chunk);
+		num -= chunk;
+		}
+	BIO_flush(out);
+
+	app_RAND_write_file(NULL, bio_err);
+	ret = 0;
+	
+err:
+	ERR_print_errors(bio_err);
+	if (out)
+		BIO_free_all(out);
+	EXIT(ret);
+	}
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
new file mode 100644
index 0000000..eb338ee
--- /dev/null
+++ b/crypto/openssl/apps/req.c
@@ -0,0 +1,1280 @@
+/* apps/req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+
+#define SECTION		"req"
+
+#define BITS		"default_bits"
+#define KEYFILE		"default_keyfile"
+#define PROMPT		"prompt"
+#define DISTINGUISHED_NAME	"distinguished_name"
+#define ATTRIBUTES	"attributes"
+#define V3_EXTENSIONS	"x509_extensions"
+#define REQ_EXTENSIONS	"req_extensions"
+#define STRING_MASK	"string_mask"
+
+#define DEFAULT_KEY_LENGTH	512
+#define MIN_KEY_LENGTH		384
+
+#undef PROG
+#define PROG	req_main
+
+/* -inform arg	- input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -verify	- check request signature
+ * -noout	- don't print stuff out.
+ * -text	- print out human readable text.
+ * -nodes	- no des encryption
+ * -config file	- Load configuration file.
+ * -key file	- make a request using key in file (or use it for verification).
+ * -keyform	- key file format.
+ * -newkey	- make a key and a request.
+ * -modulus	- print RSA modulus.
+ * -x509	- output a self signed X509 structure instead.
+ * -asn1-kludge	- output new certificate request in a format that some CA's
+ *		  require.  This format is wrong
+ */
+
+static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,int attribs);
+static int prompt_info(X509_REQ *req,
+		STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
+		STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs);
+static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
+				STACK_OF(CONF_VALUE) *attr, int attribs);
+static int add_attribute_object(X509_REQ *req, char *text,
+				char *def, char *value, int nid, int min,
+				int max);
+static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
+	int nid,int min,int max);
+#ifndef NO_RSA
+static void MS_CALLBACK req_cb(int p,int n,void *arg);
+#endif
+static int req_check_len(int len,int min,int max);
+static int check_end(char *str, char *end);
+static int add_oid_section(LHASH *conf);
+#ifndef MONOLITH
+static char *default_config_file=NULL;
+static LHASH *config=NULL;
+#endif
+static LHASH *req_conf=NULL;
+
+#define TYPE_RSA	1
+#define TYPE_DSA	2
+#define TYPE_DH		3
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+#ifndef NO_DSA
+	DSA *dsa_params=NULL;
+#endif
+	int ex=1,x509=0,days=30;
+	X509 *x509ss=NULL;
+	X509_REQ *req=NULL;
+	EVP_PKEY *pkey=NULL;
+	int i,badops=0,newreq=0,newkey= -1,pkey_type=0;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
+	int nodes=0,kludge=0,newhdr=0;
+	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+	char *extensions = NULL;
+	char *req_exts = NULL;
+	EVP_CIPHER *cipher=NULL;
+	int modulus=0;
+	char *passargin = NULL, *passargout = NULL;
+	char *passin = NULL, *passout = NULL;
+	char *p;
+	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+#ifndef MONOLITH
+	MS_STATIC char config_name[256];
+#endif
+
+	req_conf = NULL;
+#ifndef NO_DES
+	cipher=EVP_des_ede3_cbc();
+#endif
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-new") == 0)
+			{
+			pkey_type=TYPE_RSA;
+			newreq=1;
+			}
+		else if (strcmp(*argv,"-config") == 0)
+			{	
+			if (--argc < 1) goto bad;
+			template= *(++argv);
+			}
+		else if (strcmp(*argv,"-keyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyform=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-keyout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyout= *(++argv);
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else if (strcmp(*argv,"-newkey") == 0)
+			{
+			int is_numeric;
+
+			if (--argc < 1) goto bad;
+			p= *(++argv);
+			is_numeric = p[0] >= '0' && p[0] <= '9';
+			if (strncmp("rsa:",p,4) == 0 || is_numeric)
+				{
+				pkey_type=TYPE_RSA;
+				if(!is_numeric)
+				    p+=4;
+				newkey= atoi(p);
+				}
+			else
+#ifndef NO_DSA
+				if (strncmp("dsa:",p,4) == 0)
+				{
+				X509 *xtmp=NULL;
+				EVP_PKEY *dtmp;
+
+				pkey_type=TYPE_DSA;
+				p+=4;
+				if ((in=BIO_new_file(p,"r")) == NULL)
+					{
+					perror(p);
+					goto end;
+					}
+				if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
+					{
+					ERR_clear_error();
+					(void)BIO_reset(in);
+					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
+						{
+						BIO_printf(bio_err,"unable to load DSA parameters from file\n");
+						goto end;
+						}
+
+					dtmp=X509_get_pubkey(xtmp);
+					if (dtmp->type == EVP_PKEY_DSA)
+						dsa_params=DSAparams_dup(dtmp->pkey.dsa);
+					EVP_PKEY_free(dtmp);
+					X509_free(xtmp);
+					if (dsa_params == NULL)
+						{
+						BIO_printf(bio_err,"Certificate does not contain DSA parameters\n");
+						goto end;
+						}
+					}
+				BIO_free(in);
+				newkey=BN_num_bits(dsa_params->p);
+				in=NULL;
+				}
+			else 
+#endif
+#ifndef NO_DH
+				if (strncmp("dh:",p,4) == 0)
+				{
+				pkey_type=TYPE_DH;
+				p+=3;
+				}
+			else
+#endif
+				pkey_type=TYPE_RSA;
+
+			newreq=1;
+			}
+		else if (strcmp(*argv,"-newhdr") == 0)
+			newhdr=1;
+		else if (strcmp(*argv,"-modulus") == 0)
+			modulus=1;
+		else if (strcmp(*argv,"-verify") == 0)
+			verify=1;
+		else if (strcmp(*argv,"-nodes") == 0)
+			nodes=1;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-x509") == 0)
+			x509=1;
+		else if (strcmp(*argv,"-asn1-kludge") == 0)
+			kludge=1;
+		else if (strcmp(*argv,"-no-asn1-kludge") == 0)
+			kludge=0;
+		else if (strcmp(*argv,"-days") == 0)
+			{
+			if (--argc < 1) goto bad;
+			days= atoi(*(++argv));
+			if (days == 0) days=30;
+			}
+		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+			{
+			/* ok */
+			digest=md_alg;
+			}
+		else if (strcmp(*argv,"-extensions") == 0)
+			{
+			if (--argc < 1) goto bad;
+			extensions = *(++argv);
+			}
+		else if (strcmp(*argv,"-reqexts") == 0)
+			{
+			if (--argc < 1) goto bad;
+			req_exts = *(++argv);
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options  are\n");
+		BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg        input file\n");
+		BIO_printf(bio_err," -out arg       output file\n");
+		BIO_printf(bio_err," -text          text form of request\n");
+		BIO_printf(bio_err," -noout         do not output REQ\n");
+		BIO_printf(bio_err," -verify        verify signature on REQ\n");
+		BIO_printf(bio_err," -modulus       RSA modulus\n");
+		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
+		BIO_printf(bio_err," -key file	use the private key contained in file\n");
+		BIO_printf(bio_err," -keyform arg   key file format\n");
+		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
+		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
+		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
+
+		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2)\n");
+		BIO_printf(bio_err," -config file   request template file.\n");
+		BIO_printf(bio_err," -new           new request.\n");
+		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
+		BIO_printf(bio_err," -days          number of days a x509 generated by -x509 is valid for.\n");
+		BIO_printf(bio_err," -newhdr        output \"NEW\" in the header lines\n");
+		BIO_printf(bio_err," -asn1-kludge   Output the 'request' in a format that is wrong but some CA's\n");
+		BIO_printf(bio_err,"                have been reported as requiring\n");
+		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
+		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+		BIO_printf(bio_err, "Error getting passwords\n");
+		goto end;
+	}
+
+#ifndef MONOLITH /* else this has happened in openssl.c (global `config') */
+	/* Lets load up our environment a little */
+	p=getenv("OPENSSL_CONF");
+	if (p == NULL)
+		p=getenv("SSLEAY_CONF");
+	if (p == NULL)
+		{
+		strcpy(config_name,X509_get_default_cert_area());
+#ifndef VMS
+		strcat(config_name,"/");
+#endif
+		strcat(config_name,OPENSSL_CONF);
+		p=config_name;
+		}
+	default_config_file=p;
+	config=CONF_load(config,p,NULL);
+#endif
+
+	if (template != NULL)
+		{
+		long errline;
+
+		BIO_printf(bio_err,"Using configuration from %s\n",template);
+		req_conf=CONF_load(NULL,template,&errline);
+		if (req_conf == NULL)
+			{
+			BIO_printf(bio_err,"error on line %ld of %s\n",errline,template);
+			goto end;
+			}
+		}
+	else
+		{
+		req_conf=config;
+		BIO_printf(bio_err,"Using configuration from %s\n",
+			default_config_file);
+		if (req_conf == NULL)
+			{
+			BIO_printf(bio_err,"Unable to load config info\n");
+			}
+		}
+
+	if (req_conf != NULL)
+		{
+		p=CONF_get_string(req_conf,NULL,"oid_file");
+		if (p != NULL)
+			{
+			BIO *oid_bio;
+
+			oid_bio=BIO_new_file(p,"r");
+			if (oid_bio == NULL) 
+				{
+				/*
+				BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+				ERR_print_errors(bio_err);
+				*/
+				}
+			else
+				{
+				OBJ_create_objects(oid_bio);
+				BIO_free(oid_bio);
+				}
+			}
+		}
+		if(!add_oid_section(req_conf)) goto end;
+
+	if ((md_alg == NULL) &&
+		((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL))
+		{
+		if ((md_alg=EVP_get_digestbyname(p)) != NULL)
+			digest=md_alg;
+		}
+
+	if(!extensions)
+		extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+	if(extensions) {
+		/* Check syntax of file */
+		X509V3_CTX ctx;
+		X509V3_set_ctx_test(&ctx);
+		X509V3_set_conf_lhash(&ctx, req_conf);
+		if(!X509V3_EXT_add_conf(req_conf, &ctx, extensions, NULL)) {
+			BIO_printf(bio_err,
+			 "Error Loading extension section %s\n", extensions);
+			goto end;
+		}
+	}
+
+	if(!passin)
+		passin = CONF_get_string(req_conf, SECTION, "input_password");
+
+	if(!passout)
+		passout = CONF_get_string(req_conf, SECTION, "output_password");
+
+	p = CONF_get_string(req_conf, SECTION, STRING_MASK);
+
+	if(p && !ASN1_STRING_set_default_mask_asc(p)) {
+		BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
+		goto end;
+	}
+
+	if(!req_exts)
+		req_exts = CONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
+	if(req_exts) {
+		/* Check syntax of file */
+		X509V3_CTX ctx;
+		X509V3_set_ctx_test(&ctx);
+		X509V3_set_conf_lhash(&ctx, req_conf);
+		if(!X509V3_EXT_add_conf(req_conf, &ctx, req_exts, NULL)) {
+			BIO_printf(bio_err,
+			 "Error Loading request extension section %s\n",
+								req_exts);
+			goto end;
+		}
+	}
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		goto end;
+
+	if (keyfile != NULL)
+		{
+		if (BIO_read_filename(in,keyfile) <= 0)
+			{
+			perror(keyfile);
+			goto end;
+			}
+
+		if (keyform == FORMAT_ASN1)
+			pkey=d2i_PrivateKey_bio(in,NULL);
+		else if (keyform == FORMAT_PEM)
+			{
+			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
+			}
+		else
+			{
+			BIO_printf(bio_err,"bad input format specified for X509 request\n");
+			goto end;
+			}
+
+		if (pkey == NULL)
+			{
+			BIO_printf(bio_err,"unable to load Private key\n");
+			goto end;
+			}
+		}
+
+	if (newreq && (pkey == NULL))
+		{
+		char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
+		app_RAND_load_file(randfile, bio_err, 0);
+	
+		if (newkey <= 0)
+			{
+			newkey=(int)CONF_get_number(req_conf,SECTION,BITS);
+			if (newkey <= 0)
+				newkey=DEFAULT_KEY_LENGTH;
+			}
+
+		if (newkey < MIN_KEY_LENGTH)
+			{
+			BIO_printf(bio_err,"private key length is too short,\n");
+			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
+			goto end;
+			}
+		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
+			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
+
+		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
+
+#ifndef NO_RSA
+		if (pkey_type == TYPE_RSA)
+			{
+			if (!EVP_PKEY_assign_RSA(pkey,
+				RSA_generate_key(newkey,0x10001,
+					req_cb,bio_err)))
+				goto end;
+			}
+		else
+#endif
+#ifndef NO_DSA
+			if (pkey_type == TYPE_DSA)
+			{
+			if (!DSA_generate_key(dsa_params)) goto end;
+			if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end;
+			dsa_params=NULL;
+			}
+#endif
+
+		app_RAND_write_file(randfile, bio_err);
+
+		if (pkey == NULL) goto end;
+
+		if (keyout == NULL)
+			keyout=CONF_get_string(req_conf,SECTION,KEYFILE);
+
+		if (keyout == NULL)
+			{
+			BIO_printf(bio_err,"writing new private key to stdout\n");
+			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+			}
+		else
+			{
+			BIO_printf(bio_err,"writing new private key to '%s'\n",keyout);
+			if (BIO_write_filename(out,keyout) <= 0)
+				{
+				perror(keyout);
+				goto end;
+				}
+			}
+
+		p=CONF_get_string(req_conf,SECTION,"encrypt_rsa_key");
+		if (p == NULL)
+			p=CONF_get_string(req_conf,SECTION,"encrypt_key");
+		if ((p != NULL) && (strcmp(p,"no") == 0))
+			cipher=NULL;
+		if (nodes) cipher=NULL;
+		
+		i=0;
+loop:
+		if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
+			NULL,0,NULL,passout))
+			{
+			if ((ERR_GET_REASON(ERR_peek_error()) ==
+				PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
+				{
+				ERR_clear_error();
+				i++;
+				goto loop;
+				}
+			goto end;
+			}
+		BIO_printf(bio_err,"-----\n");
+		}
+
+	if (!newreq)
+		{
+		/* Since we are using a pre-existing certificate
+		 * request, the kludge 'format' info should not be
+		 * changed. */
+		kludge= -1;
+		if (infile == NULL)
+			BIO_set_fp(in,stdin,BIO_NOCLOSE);
+		else
+			{
+			if (BIO_read_filename(in,infile) <= 0)
+				{
+				perror(infile);
+				goto end;
+				}
+			}
+
+		if	(informat == FORMAT_ASN1)
+			req=d2i_X509_REQ_bio(in,NULL);
+		else if (informat == FORMAT_PEM)
+			req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
+		else
+			{
+			BIO_printf(bio_err,"bad input format specified for X509 request\n");
+			goto end;
+			}
+		if (req == NULL)
+			{
+			BIO_printf(bio_err,"unable to load X509 request\n");
+			goto end;
+			}
+		}
+
+	if (newreq || x509)
+		{
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+			digest=EVP_dss1();
+#endif
+
+		if (pkey == NULL)
+			{
+			BIO_printf(bio_err,"you need to specify a private key\n");
+			goto end;
+			}
+		if (req == NULL)
+			{
+			req=X509_REQ_new();
+			if (req == NULL)
+				{
+				goto end;
+				}
+
+			i=make_REQ(req,pkey,!x509);
+			if (kludge >= 0)
+				req->req_info->req_kludge=kludge;
+			if (!i)
+				{
+				BIO_printf(bio_err,"problems making Certificate Request\n");
+				goto end;
+				}
+			}
+		if (x509)
+			{
+			EVP_PKEY *tmppkey;
+			X509V3_CTX ext_ctx;
+			if ((x509ss=X509_new()) == NULL) goto end;
+
+			/* Set version to V3 */
+			if(!X509_set_version(x509ss, 2)) goto end;
+			ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
+
+			X509_set_issuer_name(x509ss,
+				X509_REQ_get_subject_name(req));
+			X509_gmtime_adj(X509_get_notBefore(x509ss),0);
+			X509_gmtime_adj(X509_get_notAfter(x509ss),
+				(long)60*60*24*days);
+			X509_set_subject_name(x509ss,
+				X509_REQ_get_subject_name(req));
+			tmppkey = X509_REQ_get_pubkey(req);
+			X509_set_pubkey(x509ss,tmppkey);
+			EVP_PKEY_free(tmppkey);
+
+			/* Set up V3 context struct */
+
+			X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
+			X509V3_set_conf_lhash(&ext_ctx, req_conf);
+
+			/* Add extensions */
+			if(extensions && !X509V3_EXT_add_conf(req_conf, 
+				 	&ext_ctx, extensions, x509ss))
+			    {
+			    BIO_printf(bio_err,
+				       "Error Loading extension section %s\n",
+				       extensions);
+			    goto end;
+			    }
+
+			if (!(i=X509_sign(x509ss,pkey,digest)))
+				goto end;
+			}
+		else
+			{
+			X509V3_CTX ext_ctx;
+
+			/* Set up V3 context struct */
+
+			X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
+			X509V3_set_conf_lhash(&ext_ctx, req_conf);
+
+			/* Add extensions */
+			if(req_exts && !X509V3_EXT_REQ_add_conf(req_conf, 
+				 	&ext_ctx, req_exts, req))
+			    {
+			    BIO_printf(bio_err,
+				       "Error Loading extension section %s\n",
+				       req_exts);
+			    goto end;
+			    }
+			if (!(i=X509_REQ_sign(req,pkey,digest)))
+				goto end;
+			}
+		}
+
+	if (verify && !x509)
+		{
+		int tmp=0;
+
+		if (pkey == NULL)
+			{
+			pkey=X509_REQ_get_pubkey(req);
+			tmp=1;
+			if (pkey == NULL) goto end;
+			}
+
+		i=X509_REQ_verify(req,pkey);
+		if (tmp) {
+			EVP_PKEY_free(pkey);
+			pkey=NULL;
+		}
+
+		if (i < 0)
+			{
+			goto end;
+			}
+		else if (i == 0)
+			{
+			BIO_printf(bio_err,"verify failure\n");
+			}
+		else /* if (i > 0) */
+			BIO_printf(bio_err,"verify OK\n");
+		}
+
+	if (noout && !text && !modulus)
+		{
+		ex=0;
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
+			i=(int)BIO_append_filename(out,outfile);
+		else
+			i=(int)BIO_write_filename(out,outfile);
+		if (!i)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (text)
+		{
+		if (x509)
+			X509_print(out,x509ss);
+		else	
+			X509_REQ_print(out,req);
+		}
+
+	if (modulus)
+		{
+		EVP_PKEY *pubkey;
+
+		if (x509)
+			pubkey=X509_get_pubkey(x509ss);
+		else
+			pubkey=X509_REQ_get_pubkey(req);
+		if (pubkey == NULL)
+			{
+			fprintf(stdout,"Modulus=unavailable\n");
+			goto end; 
+			}
+		fprintf(stdout,"Modulus=");
+#ifndef NO_RSA
+		if (pubkey->type == EVP_PKEY_RSA)
+			BN_print(out,pubkey->pkey.rsa->n);
+		else
+#endif
+			fprintf(stdout,"Wrong Algorithm type");
+		fprintf(stdout,"\n");
+		}
+
+	if (!noout && !x509)
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_X509_REQ_bio(out,req);
+		else if (outformat == FORMAT_PEM) {
+			if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
+			else i=PEM_write_bio_X509_REQ(out,req);
+		} else {
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write X509 request\n");
+			goto end;
+			}
+		}
+	if (!noout && x509 && (x509ss != NULL))
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=i2d_X509_bio(out,x509ss);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_X509(out,x509ss);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err,"unable to write X509 certificate\n");
+			goto end;
+			}
+		}
+	ex=0;
+end:
+	if (ex)
+		{
+		ERR_print_errors(bio_err);
+		}
+	if ((req_conf != NULL) && (req_conf != config)) CONF_free(req_conf);
+	BIO_free(in);
+	BIO_free(out);
+	EVP_PKEY_free(pkey);
+	X509_REQ_free(req);
+	X509_free(x509ss);
+	if(passargin && passin) Free(passin);
+	if(passargout && passout) Free(passout);
+	OBJ_cleanup();
+#ifndef NO_DSA
+	if (dsa_params != NULL) DSA_free(dsa_params);
+#endif
+	EXIT(ex);
+	}
+
+static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, int attribs)
+	{
+	int ret=0,i;
+	char no_prompt = 0;
+	STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
+	char *tmp, *dn_sect,*attr_sect;
+
+	tmp=CONF_get_string(req_conf,SECTION,PROMPT);
+	if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1;
+
+	dn_sect=CONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME);
+	if (dn_sect == NULL)
+		{
+		BIO_printf(bio_err,"unable to find '%s' in config\n",
+			DISTINGUISHED_NAME);
+		goto err;
+		}
+	dn_sk=CONF_get_section(req_conf,dn_sect);
+	if (dn_sk == NULL)
+		{
+		BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect);
+		goto err;
+		}
+
+	attr_sect=CONF_get_string(req_conf,SECTION,ATTRIBUTES);
+	if (attr_sect == NULL)
+		attr_sk=NULL;
+	else
+		{
+		attr_sk=CONF_get_section(req_conf,attr_sect);
+		if (attr_sk == NULL)
+			{
+			BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect);
+			goto err;
+			}
+		}
+
+	/* setup version number */
+	if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */
+
+	if(no_prompt) i = auto_info(req, dn_sk, attr_sk, attribs);
+	else i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs);
+	if(!i) goto err;
+
+	X509_REQ_set_pubkey(req,pkey);
+
+	ret=1;
+err:
+	return(ret);
+	}
+
+
+static int prompt_info(X509_REQ *req,
+		STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
+		STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs)
+	{
+	int i;
+	char *p,*q;
+	char buf[100];
+	int nid,min,max;
+	char *type,*def,*value;
+	CONF_VALUE *v;
+	X509_NAME *subj;
+	subj = X509_REQ_get_subject_name(req);
+	BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n");
+	BIO_printf(bio_err,"into your certificate request.\n");
+	BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n");
+	BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n");
+	BIO_printf(bio_err,"For some fields there will be a default value,\n");
+	BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n");
+	BIO_printf(bio_err,"-----\n");
+
+
+	if (sk_CONF_VALUE_num(dn_sk))
+		{
+		i= -1;
+start:		for (;;)
+			{
+			i++;
+			if (sk_CONF_VALUE_num(dn_sk) <= i) break;
+
+			v=sk_CONF_VALUE_value(dn_sk,i);
+			p=q=NULL;
+			type=v->name;
+			if(!check_end(type,"_min") || !check_end(type,"_max") ||
+				!check_end(type,"_default") ||
+					 !check_end(type,"_value")) continue;
+			/* Skip past any leading X. X: X, etc to allow for
+			 * multiple instances 
+			 */
+			for(p = v->name; *p ; p++) 
+				if ((*p == ':') || (*p == ',') ||
+							 (*p == '.')) {
+					p++;
+					if(*p) type = p;
+					break;
+				}
+			/* If OBJ not recognised ignore it */
+			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
+			sprintf(buf,"%s_default",v->name);
+			if ((def=CONF_get_string(req_conf,dn_sect,buf)) == NULL)
+				def="";
+				
+			sprintf(buf,"%s_value",v->name);
+			if ((value=CONF_get_string(req_conf,dn_sect,buf)) == NULL)
+				value=NULL;
+
+			sprintf(buf,"%s_min",v->name);
+			min=(int)CONF_get_number(req_conf,dn_sect,buf);
+
+			sprintf(buf,"%s_max",v->name);
+			max=(int)CONF_get_number(req_conf,dn_sect,buf);
+
+			if (!add_DN_object(subj,v->value,def,value,nid,
+				min,max))
+				return 0;
+			}
+		if (X509_NAME_entry_count(subj) == 0)
+			{
+			BIO_printf(bio_err,"error, no objects specified in config file\n");
+			return 0;
+			}
+
+		if (attribs)
+			{
+			if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0))
+				{
+				BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n");
+				BIO_printf(bio_err,"to be sent with your certificate request\n");
+				}
+
+			i= -1;
+start2:			for (;;)
+				{
+				i++;
+				if ((attr_sk == NULL) ||
+					    (sk_CONF_VALUE_num(attr_sk) <= i))
+					break;
+
+				v=sk_CONF_VALUE_value(attr_sk,i);
+				type=v->name;
+				if ((nid=OBJ_txt2nid(type)) == NID_undef)
+					goto start2;
+
+				sprintf(buf,"%s_default",type);
+				if ((def=CONF_get_string(req_conf,attr_sect,buf))
+					== NULL)
+					def="";
+				
+				sprintf(buf,"%s_value",type);
+				if ((value=CONF_get_string(req_conf,attr_sect,buf))
+					== NULL)
+					value=NULL;
+
+				sprintf(buf,"%s_min",type);
+				min=(int)CONF_get_number(req_conf,attr_sect,buf);
+
+				sprintf(buf,"%s_max",type);
+				max=(int)CONF_get_number(req_conf,attr_sect,buf);
+
+				if (!add_attribute_object(req,
+					v->value,def,value,nid,min,max))
+					return 0;
+				}
+			}
+		}
+	else
+		{
+		BIO_printf(bio_err,"No template, please set one up.\n");
+		return 0;
+		}
+
+	return 1;
+
+	}
+
+static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
+			STACK_OF(CONF_VALUE) *attr_sk, int attribs)
+	{
+	int i;
+	char *p,*q;
+	char *type;
+	CONF_VALUE *v;
+	X509_NAME *subj;
+
+	subj = X509_REQ_get_subject_name(req);
+
+	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+		{
+		v=sk_CONF_VALUE_value(dn_sk,i);
+		p=q=NULL;
+		type=v->name;
+		/* Skip past any leading X. X: X, etc to allow for
+		 * multiple instances 
+		 */
+		for(p = v->name; *p ; p++) 
+			if ((*p == ':') || (*p == ',') || (*p == '.')) {
+				p++;
+				if(*p) type = p;
+				break;
+			}
+		if (!X509_NAME_add_entry_by_txt(subj,type, MBSTRING_ASC,
+				(unsigned char *) v->value,-1,-1,0)) return 0;
+
+		}
+
+		if (!X509_NAME_entry_count(subj))
+			{
+			BIO_printf(bio_err,"error, no objects specified in config file\n");
+			return 0;
+			}
+		if (attribs)
+			{
+			for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++)
+				{
+				v=sk_CONF_VALUE_value(attr_sk,i);
+				if(!X509_REQ_add1_attr_by_txt(req, v->name, MBSTRING_ASC,
+					(unsigned char *)v->value, -1)) return 0;
+				}
+			}
+	return 1;
+	}
+
+
+static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
+	     int nid, int min, int max)
+	{
+	int i,ret=0;
+	MS_STATIC char buf[1024];
+start:
+	BIO_printf(bio_err,"%s [%s]:",text,def);
+	(void)BIO_flush(bio_err);
+	if (value != NULL)
+		{
+		strcpy(buf,value);
+		strcat(buf,"\n");
+		BIO_printf(bio_err,"%s\n",value);
+		}
+	else
+		{
+		buf[0]='\0';
+		fgets(buf,1024,stdin);
+		}
+
+	if (buf[0] == '\0') return(0);
+	else if (buf[0] == '\n')
+		{
+		if ((def == NULL) || (def[0] == '\0'))
+			return(1);
+		strcpy(buf,def);
+		strcat(buf,"\n");
+		}
+	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
+
+	i=strlen(buf);
+	if (buf[i-1] != '\n')
+		{
+		BIO_printf(bio_err,"weird input :-(\n");
+		return(0);
+		}
+	buf[--i]='\0';
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(buf, buf, i);
+#endif
+	if(!req_check_len(i, min, max)) goto start;
+	if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_ASC,
+				(unsigned char *) buf, -1,-1,0)) goto err;
+	ret=1;
+err:
+	return(ret);
+	}
+
+static int add_attribute_object(X509_REQ *req, char *text,
+				char *def, char *value, int nid, int min,
+				int max)
+	{
+	int i;
+	static char buf[1024];
+
+start:
+	BIO_printf(bio_err,"%s [%s]:",text,def);
+	(void)BIO_flush(bio_err);
+	if (value != NULL)
+		{
+		strcpy(buf,value);
+		strcat(buf,"\n");
+		BIO_printf(bio_err,"%s\n",value);
+		}
+	else
+		{
+		buf[0]='\0';
+		fgets(buf,1024,stdin);
+		}
+
+	if (buf[0] == '\0') return(0);
+	else if (buf[0] == '\n')
+		{
+		if ((def == NULL) || (def[0] == '\0'))
+			return(1);
+		strcpy(buf,def);
+		strcat(buf,"\n");
+		}
+	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
+
+	i=strlen(buf);
+	if (buf[i-1] != '\n')
+		{
+		BIO_printf(bio_err,"weird input :-(\n");
+		return(0);
+		}
+	buf[--i]='\0';
+	if(!req_check_len(i, min, max)) goto start;
+
+	if(!X509_REQ_add1_attr_by_NID(req, nid, MBSTRING_ASC,
+					(unsigned char *)buf, -1)) {
+		BIO_printf(bio_err, "Error adding attribute\n");
+		ERR_print_errors(bio_err);
+		goto err;
+	}
+
+	return(1);
+err:
+	return(0);
+	}
+
+#ifndef NO_RSA
+static void MS_CALLBACK req_cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#endif
+
+static int req_check_len(int len, int min, int max)
+	{
+	if (len < min)
+		{
+		BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",min);
+		return(0);
+		}
+	if ((max != 0) && (len > max))
+		{
+		BIO_printf(bio_err,"string is too long, it needs to be less than  %d bytes long\n",max);
+		return(0);
+		}
+	return(1);
+	}
+
+/* Check if the end of a string matches 'end' */
+static int check_end(char *str, char *end)
+{
+	int elen, slen;	
+	char *tmp;
+	elen = strlen(end);
+	slen = strlen(str);
+	if(elen > slen) return 1;
+	tmp = str + slen - elen;
+	return strcmp(tmp, end);
+}
+
+static int add_oid_section(LHASH *conf)
+{	
+	char *p;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
+	if(!(sktmp = CONF_get_section(conf, p))) {
+		BIO_printf(bio_err, "problem loading oid section %s\n", p);
+		return 0;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
+		cnf = sk_CONF_VALUE_value(sktmp, i);
+		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+			BIO_printf(bio_err, "problem creating object %s=%s\n",
+							 cnf->name, cnf->value);
+			return 0;
+		}
+	}
+	return 1;
+}
diff --git a/crypto/openssl/apps/req.pem b/crypto/openssl/apps/req.pem
new file mode 100644
index 0000000..5537df6
--- /dev/null
+++ b/crypto/openssl/apps/req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBlzCCAVcCAQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMORXJp
+YyB0aGUgWW91bmcwge8wgaYGBSsOAwIMMIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZ
+S4J1PHvPrm9MXj5ntVheDPkdmBDTncyaGAJcMjwsyB/GvLDGd6yGCw/8eF+09wIV
+AK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjg
+tWiJc/tpvcuzeuAayH89UofjAGueKjXDADiRffvSdhrNw5dkqdqlA0QAAkEAtUSo
+84OekjitKGVjxLu0HvXck29pu+foad53vPKXAsuJdACj88BPqZ91Y9PIJf1GUh38
+CuiHWi7z3cEDfZCyCKAAMAkGBSsOAwIbBQADLwAwLAIUTg8amKVBE9oqC5B75dDQ
+Chy3LdQCFHKodGEj3LjuTzdm/RTe2KZL9Uzf
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c
new file mode 100644
index 0000000..9d4c2e6
--- /dev/null
+++ b/crypto/openssl/apps/rsa.c
@@ -0,0 +1,389 @@
+/* apps/rsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	rsa_main
+
+/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ * -des		- encrypt output if PEM format with DES in cbc mode
+ * -des3	- encrypt output if PEM format
+ * -idea	- encrypt output if PEM format
+ * -text	- print a text version
+ * -modulus	- print the RSA key modulus
+ * -check	- verify key consistency
+ * -pubin	- Expect a public key in input file.
+ * -pubout	- Output a public key.
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret=1;
+	RSA *rsa=NULL;
+	int i,badops=0;
+	const EVP_CIPHER *enc=NULL;
+	BIO *in=NULL,*out=NULL;
+	int informat,outformat,text=0,check=0,noout=0;
+	int pubin = 0, pubout = 0;
+	char *infile,*outfile,*prog;
+	char *passargin = NULL, *passargout = NULL;
+	char *passin = NULL, *passout = NULL;
+	int modulus=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	infile=NULL;
+	outfile=NULL;
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else if (strcmp(*argv,"-pubin") == 0)
+			pubin=1;
+		else if (strcmp(*argv,"-pubout") == 0)
+			pubout=1;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-text") == 0)
+			text=1;
+		else if (strcmp(*argv,"-modulus") == 0)
+			modulus=1;
+		else if (strcmp(*argv,"-check") == 0)
+			check=1;
+		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -inform arg     input format - one of DER NET PEM\n");
+		BIO_printf(bio_err," -outform arg    output format - one of DER NET PEM\n");
+		BIO_printf(bio_err," -in arg         input file\n");
+		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
+		BIO_printf(bio_err," -out arg        output file\n");
+		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
+		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
+#ifndef NO_IDEA
+		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
+#endif
+		BIO_printf(bio_err," -text           print the key in text\n");
+		BIO_printf(bio_err," -noout          don't print key out\n");
+		BIO_printf(bio_err," -modulus        print the RSA key modulus\n");
+		BIO_printf(bio_err," -check          verify key consistency\n");
+		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
+		BIO_printf(bio_err," -pubout         output a public key\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+		BIO_printf(bio_err, "Error getting passwords\n");
+		goto end;
+	}
+
+	if(check && pubin) {
+		BIO_printf(bio_err, "Only private keys can be checked\n");
+		goto end;
+	}
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+
+	BIO_printf(bio_err,"read RSA key\n");
+	if	(informat == FORMAT_ASN1) {
+		if (pubin) rsa=d2i_RSA_PUBKEY_bio(in,NULL);
+		else rsa=d2i_RSAPrivateKey_bio(in,NULL);
+	}
+#ifndef NO_RC4
+	else if (informat == FORMAT_NETSCAPE)
+		{
+		BUF_MEM *buf=NULL;
+		unsigned char *p;
+		int size=0;
+
+		buf=BUF_MEM_new();
+		for (;;)
+			{
+			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
+				goto end;
+			i=BIO_read(in,&(buf->data[size]),1024*10);
+			size+=i;
+			if (i == 0) break;
+			if (i < 0)
+				{
+				perror("reading private key");
+				BUF_MEM_free(buf);
+				goto end;
+				}
+			}
+		p=(unsigned char *)buf->data;
+		rsa=d2i_Netscape_RSA(NULL,&p,(long)size,NULL);
+		BUF_MEM_free(buf);
+		}
+#endif
+	else if (informat == FORMAT_PEM) {
+		if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL);
+		else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, NULL,passin);
+	}
+	else
+		{
+		BIO_printf(bio_err,"bad input format specified for key\n");
+		goto end;
+		}
+	if (rsa == NULL)
+		{
+		BIO_printf(bio_err,"unable to load key\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	if (text) 
+		if (!RSA_print(out,rsa,0))
+			{
+			perror(outfile);
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+	if (modulus)
+		{
+		BIO_printf(out,"Modulus=");
+		BN_print(out,rsa->n);
+		BIO_printf(out,"\n");
+		}
+
+	if (check)
+		{
+		int r = RSA_check_key(rsa);
+
+		if (r == 1)
+			BIO_printf(out,"RSA key ok\n");
+		else if (r == 0)
+			{
+			long e;
+
+			while ((e = ERR_peek_error()) != 0 &&
+				ERR_GET_LIB(e) == ERR_LIB_RSA &&
+				ERR_GET_FUNC(e) == RSA_F_RSA_CHECK_KEY &&
+				ERR_GET_REASON(e) != ERR_R_MALLOC_FAILURE)
+				{
+				BIO_printf(out, "RSA key error: %s\n", ERR_reason_error_string(e));
+				ERR_get_error(); /* remove e from error stack */
+				}
+			}
+		
+		if (r == -1 || ERR_peek_error() != 0) /* should happen only if r == -1 */
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+		
+	if (noout)
+		{
+		ret = 0;
+		goto end;
+		}
+	BIO_printf(bio_err,"writing RSA key\n");
+	if 	(outformat == FORMAT_ASN1) {
+		if(pubout || pubin) i=i2d_RSA_PUBKEY_bio(out,rsa);
+		else i=i2d_RSAPrivateKey_bio(out,rsa);
+	}
+#ifndef NO_RC4
+	else if (outformat == FORMAT_NETSCAPE)
+		{
+		unsigned char *p,*pp;
+		int size;
+
+		i=1;
+		size=i2d_Netscape_RSA(rsa,NULL,NULL);
+		if ((p=(unsigned char *)Malloc(size)) == NULL)
+			{
+			BIO_printf(bio_err,"Malloc failure\n");
+			goto end;
+			}
+		pp=p;
+		i2d_Netscape_RSA(rsa,&p,NULL);
+		BIO_write(out,(char *)pp,size);
+		Free(pp);
+		}
+#endif
+	else if (outformat == FORMAT_PEM) {
+		if(pubout || pubin)
+		    i=PEM_write_bio_RSA_PUBKEY(out,rsa);
+		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
+						enc,NULL,0,NULL,passout);
+	} else	{
+		BIO_printf(bio_err,"bad output format specified for outfile\n");
+		goto end;
+		}
+	if (!i)
+		{
+		BIO_printf(bio_err,"unable to write key\n");
+		ERR_print_errors(bio_err);
+		}
+	else
+		ret=0;
+end:
+	if(in != NULL) BIO_free(in);
+	if(out != NULL) BIO_free(out);
+	if(rsa != NULL) RSA_free(rsa);
+	if(passin) Free(passin);
+	if(passout) Free(passout);
+	EXIT(ret);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/apps/rsa/01.pem b/crypto/openssl/apps/rsa/01.pem
new file mode 100644
index 0000000..36ec575
--- /dev/null
+++ b/crypto/openssl/apps/rsa/01.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTjCCAbsCEGiuFKTJn6nzmiPPLxUZs1owDQYJKoZIhvcNAQEEBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4
+MDUxODAwMDAwMFoXDTk5MDUxODIzNTk1OVowdTELMAkGA1UEBhMCVVMxETAPBgNV
+BAgTCE5ldyBZb3JrMREwDwYDVQQHFAhOZXcgWW9yazEeMBwGA1UEChQVSW5kdXN0
+cmlhbCBQcmVzcyBJbmMuMSAwHgYDVQQDFBd3d3cuaW5kdXN0cmlhbHByZXNzLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqiH9xUJNHvqCmaDon27ValJb
+qTLymF3yKKWBxbODLWjX7yKjewoqWhotaEARI6jXPqomU87gFU1tH4r/bgwh3FmU
+MK3qo92XOsvwNAHzXzWRXQNJmm54g2F1RUt00pgYiOximDse1t9RL5POCDEbfX8D
+gugrE/WwkS2FrSoc5/cCAwEAATANBgkqhkiG9w0BAQQFAAN+AIw7fvF0EtEvrNS/
+LYuqAgUw/tH0FLgCkqKLmYYm/yR+Z0hD2eP/UhF+jAwmV8rHtBnaTM7oN23RVW2k
+Cf8soiGfr2PYtfufpXtd7azUFa+WJCWnp0N29EG0BR1JOFC0Q/4dh/X9qulM8luq
+Pjrmw2eSgbdmmdumWAcNPVbV
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/rsa/1.txt b/crypto/openssl/apps/rsa/1.txt
new file mode 100644
index 0000000..95a862e
--- /dev/null
+++ b/crypto/openssl/apps/rsa/1.txt
@@ -0,0 +1,50 @@
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+subject=/C=US/ST=New York/L=New York/O=Industrial Press Inc./CN=www.industrialpress.com
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            68:ae:14:a4:c9:9f:a9:f3:9a:23:cf:2f:15:19:b3:5a
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
+        Validity
+            Not Before: May 18 00:00:00 1998 GMT
+            Not After : May 18 23:59:59 1999 GMT
+        Subject: C=US, ST=New York, L=New York, O=Industrial Press Inc., CN=www.industrialpress.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:aa:21:fd:c5:42:4d:1e:fa:82:99:a0:e8:9f:6e:
+                    d5:6a:52:5b:a9:32:f2:98:5d:f2:28:a5:81:c5:b3:
+                    83:2d:68:d7:ef:22:a3:7b:0a:2a:5a:1a:2d:68:40:
+                    11:23:a8:d7:3e:aa:26:53:ce:e0:15:4d:6d:1f:8a:
+                    ff:6e:0c:21:dc:59:94:30:ad:ea:a3:dd:97:3a:cb:
+                    f0:34:01:f3:5f:35:91:5d:03:49:9a:6e:78:83:61:
+                    75:45:4b:74:d2:98:18:88:ec:62:98:3b:1e:d6:df:
+                    51:2f:93:ce:08:31:1b:7d:7f:03:82:e8:2b:13:f5:
+                    b0:91:2d:85:ad:2a:1c:e7:f7
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md5WithRSAEncryption
+        8c:3b:7e:f1:74:12:d1:2f:ac:d4:bf:2d:8b:aa:02:05:30:fe:
+        d1:f4:14:b8:02:92:a2:8b:99:86:26:ff:24:7e:67:48:43:d9:
+        e3:ff:52:11:7e:8c:0c:26:57:ca:c7:b4:19:da:4c:ce:e8:37:
+        6d:d1:55:6d:a4:09:ff:2c:a2:21:9f:af:63:d8:b5:fb:9f:a5:
+        7b:5d:ed:ac:d4:15:af:96:24:25:a7:a7:43:76:f4:41:b4:05:
+        1d:49:38:50:b4:43:fe:1d:87:f5:fd:aa:e9:4c:f2:5b:aa:3e:
+        3a:e6:c3:67:92:81:b7:66:99:db:a6:58:07:0d:3d:56:d5
+-----BEGIN CERTIFICATE-----
+MIICTjCCAbsCEGiuFKTJn6nzmiPPLxUZs1owDQYJKoZIhvcNAQEEBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4
+MDUxODAwMDAwMFoXDTk5MDUxODIzNTk1OVowdTELMAkGA1UEBhMCVVMxETAPBgNV
+BAgTCE5ldyBZb3JrMREwDwYDVQQHFAhOZXcgWW9yazEeMBwGA1UEChQVSW5kdXN0
+cmlhbCBQcmVzcyBJbmMuMSAwHgYDVQQDFBd3d3cuaW5kdXN0cmlhbHByZXNzLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqiH9xUJNHvqCmaDon27ValJb
+qTLymF3yKKWBxbODLWjX7yKjewoqWhotaEARI6jXPqomU87gFU1tH4r/bgwh3FmU
+MK3qo92XOsvwNAHzXzWRXQNJmm54g2F1RUt00pgYiOximDse1t9RL5POCDEbfX8D
+gugrE/WwkS2FrSoc5/cCAwEAATANBgkqhkiG9w0BAQQFAAN+AIw7fvF0EtEvrNS/
+LYuqAgUw/tH0FLgCkqKLmYYm/yR+Z0hD2eP/UhF+jAwmV8rHtBnaTM7oN23RVW2k
+Cf8soiGfr2PYtfufpXtd7azUFa+WJCWnp0N29EG0BR1JOFC0Q/4dh/X9qulM8luq
+Pjrmw2eSgbdmmdumWAcNPVbV
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/rsa/SecureServer.pem b/crypto/openssl/apps/rsa/SecureServer.pem
new file mode 100644
index 0000000..7c8ffb2
--- /dev/null
+++ b/crypto/openssl/apps/rsa/SecureServer.pem
@@ -0,0 +1,47 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0
+        Signature Algorithm: md2WithRSAEncryption
+        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
+        Validity
+            Not Before: Nov  9 00:00:00 1994 GMT
+            Not After : Jan  7 23:59:59 2010 GMT
+        Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1000 bit)
+                Modulus (1000 bit):
+                    00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
+                    01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
+                    e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
+                    37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
+                    4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
+                    65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
+                    b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
+                    54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
+                    dd:2d:d6:c8:1e:7b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md2WithRSAEncryption
+        65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:b8:d3:
+        c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:5a:f6:37:a5:
+        b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:88:53:0c:6b:97:49:
+        c7:3e:35:dc:6c:b9:bb:aa:df:5c:bb:3a:2f:93:60:b6:a9:4b:
+        4d:f2:20:f7:cd:5f:7f:64:7b:8e:dc:00:5c:d7:fa:77:ca:39:
+        16:59:6f:0e:ea:d3:b5:83:7f:4d:4d:42:56:76:b4:c9:5f:04:
+        f8:38:f8:eb:d2:5f:75:5f:cd:7b:fc:e5:8e:80:7c:fc:50
+-----BEGIN CERTIFICATE-----
+MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
+MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
+BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
+dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
+ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
+0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
+uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
+hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
+YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
+1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/rsa/s.txt b/crypto/openssl/apps/rsa/s.txt
new file mode 100644
index 0000000..7de7e07
--- /dev/null
+++ b/crypto/openssl/apps/rsa/s.txt
@@ -0,0 +1,49 @@
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0
+        Signature Algorithm: md2WithRSAEncryption
+        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
+        Validity
+            Not Before: Nov  9 00:00:00 1994 GMT
+            Not After : Jan  7 23:59:59 2010 GMT
+        Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1000 bit)
+                Modulus (1000 bit):
+                    00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
+                    01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
+                    e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
+                    37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
+                    4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
+                    65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
+                    b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
+                    54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
+                    dd:2d:d6:c8:1e:7b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md2WithRSAEncryption
+        65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:b8:d3:
+        c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:5a:f6:37:a5:
+        b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:88:53:0c:6b:97:49:
+        c7:3e:35:dc:6c:b9:bb:aa:df:5c:bb:3a:2f:93:60:b6:a9:4b:
+        4d:f2:20:f7:cd:5f:7f:64:7b:8e:dc:00:5c:d7:fa:77:ca:39:
+        16:59:6f:0e:ea:d3:b5:83:7f:4d:4d:42:56:76:b4:c9:5f:04:
+        f8:38:f8:eb:d2:5f:75:5f:cd:7b:fc:e5:8e:80:7c:fc:50
+-----BEGIN CERTIFICATE-----
+MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
+MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
+BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
+dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
+ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
+0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
+uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
+hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
+YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
+1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/rsa8192.pem b/crypto/openssl/apps/rsa8192.pem
new file mode 100644
index 0000000..946a6e5
--- /dev/null
+++ b/crypto/openssl/apps/rsa8192.pem
@@ -0,0 +1,101 @@
+-----BEGIN RSA PRIVATE KEY-----
+
+MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
+ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
+MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
+55/A20XL7tlV2opEfwhy3uVlveQBM0DnZ3MUQfrk+lRRNWv7yE4ScbOfER9fjvOm
+yJc3ZbOa3e+AMGGU9OqJ/fyOl0SGYyP2k23omy/idBV4uOs8QWdnAvq8UOzDdua3
+tuf5Tn17XBurPJ8juwyPBNispkwwn8BjxAZVPhwUIcxFBg339IxJ9cW0WdVy4nNA
+LWo/8Ahlf+kZNnFNGCPFytU9gGMLMhab9w/rLrwa9qNe4L8Fmu1JxONn1WfhMOKE
+aFmycf2olJsYLgUIGYZrjnYu0p/7P3yhTOv8JIhmK+SzmA/I0xiQoF84rpaQzH2d
+PvxICOA9oQSowou0gLuBSZWm6LiXirg1DZCziU46v33ErQlWM1dSyNaUSzihcV59
+mVD0nmzboXH75lGiyiZlp8cLbozzoCwvk9rYqpUGSBzbAy0ECCpabGpzO2Ug+oDi
+71e5z4WMpeoR4IS8MaOG/GsJnwaXhiB/gNYfK+8pRADVk5StEAZDE2alSuCbDs0z
+d9zYr4/em5T9VZsLetxRE7pm/Es9yELuViz8/Tm0/8MVdmNYc/xZU1t6qYYFdyQ2
+wlGDTiNPsjR8yXCkmBjKwqnuleu1X6LaZu3VPhEkXGcyFAquQUkSiMv0Yu74qAe0
+bQ2v+jjZzP6AM9LUo89cW4Kd8SGD96BdNlAVPNMXoBcIOsZBwsOtETBd4KAyvkXE
+Ob17u+PLl4UPnSxm9ypKZunUNFRPxtKUyjySYnvlGL+kTjAXrIrZwKJqIn0uhnfa
+Ck3o7bU6yVMK22ODxy2/Vi3E0P6k5JLwnrF0VIOBqGhts66qo6mWDP8l6MZHARFd
+pU+nofssVmr8tLKmMmjYGMM5GmKIXRNBs0ksTwFnKRs9AmpE5owC8tTSVdTAkGuS
+os7QwLvyvNzq7BGJiVr0Iy3Dhsl1vzR35acNOrCsDl3DcCQONKJ2sVXV4pD3dBah
+mG3sR/jHgjasffJJ35uiGoAua9dbT7HG/+D0z1SHYaVqH8zO4VZSOnGJh/P9rtxx
+cckFDbiag/JMWig2lbnCjebTtp/BcUsK3TNaDOb7vb0LvbAeRJadd1EFu6PSlH3K
+LykSUPm4UedvUU3cWjqkSY5lITFJkVaIYOv/EljYtK7p7kFZFTaEwMAWxgsXU3pQ
+tTzVmq1gZ4vXPwcUq0zK50Frq0F7SQc21ZsunwIDAQABAoIEADuQAkDEpBausJsS
+PgL1RXuzECPJJJCBxTE+2qx0FoY4hJICCWTORHGmU8nGPE3Ht0wBiNDsULw6KXl9
+psmzYW6D3qRbpdQebky6fu/KZ5H0XTyGpJGomaXELH5hkwo2gdKB805LSXB+m7p0
+9o96kSdMkpBLVGtf5iZ8W4rY2LsZmlI9f7taQHSLVt/M8HTz1mTnBRU92QO3zZW6
+xVa+OrWaFl18u3ZeIaSh2X40tBK68cqstXVD0r2OWuXNKobcQeJW8/XABzBShZ0c
+ihL0lzyqiN4uXrLu+Nbr22b+FU2OODy6dGk3U6/69NvI4piMCPlHsfhHOnFjd1ZW
+RIVywyUlCtLNdcn11CchuRro+0J3c2Ba+i9Cl9r3qzT11xFEGF8/XLyUBBCB+uGf
+1dR/xJQhCA7cXWWLXyI/semxcvTaGpImP6kiIl1MAjHjXZTSdvyw4JmfXyYGhSjI
+P0mw3Xn7FXxJ/os9gOfNKz2nZHjr0q4sgWRYO+4vllkeL0GteZrg4oVaVpmZb7LH
+77afhodLylhijlEtV5skfkPujbBLQk6E5Ez3U/huEt2NLg6guADmwxMxfBRliZO4
+4Ex/td4cuggpEj3FGJV74qRvdvj/MF/uF7IxC/3WapPIsFBFH4zrJsUYt6u3L68I
+/KC/bfioDeUR/8ANw1DNh+UsnPV3GJIwDkIJKdppi2uXPahJyJQQ8Inps53nn8Gg
+GifS+HnOXNgMoKOJnZ9IDGjXpfjIs8dJNrGfDHF0mH30N2WARq2v/a3cNUC+f8Bq
+HSKQ9YrZopktMunsut8u7ZYbTmjIqJpXCaM0CCrSlzSMTDHFSj2tzLk6+qnxeGxB
+ZwIdShbdeK+0ETG91lE1e9RPQs/uXQP9+uCHJV0YpqQcA6pkCLYJfYpoSMu/Bafy
+AgfVZz6l5tyEnV0wCcbopsQShc1k9xtTbYNF1h9AQHknj6zeDW4iZMvmVeh3RovT
+52OA2R8oLyauF+QaG6x2wUjEx13SJlaBarJZ4seZIOJ+a8+oNzKsbgokXc2cyC9p
+5FAZz1OsOb68o93qD1Xvl7bY97fq2q55L7G1XHPPLtZE5lGiLGDtnAuwY8UPrdpr
+7Mv2yIxB7xVGurXyHb5PvusR88XED6HMPfLBG/55ENHTal7G5mRix+IWSBAIkxA5
+KZ0j8r5Ng4+wELZhqFQai39799bIAyiV6CEz4kyDXlo0kSSexp8o4iz5sPq5vp6h
+cCb7rdRw7uRnbXrHmXahxoB+ibXaurgV/6B2yurrU/UFoxEp2sHp8LXZGfF6ztY1
+dMhSQAACK2vGy5yNagbkTHLgVaHicG5zavJBqzCE+lbPlCqhOUQPdOIwvjHNjdS/
+DL3WV/ECggIBAMbW65wPk/i43nSyeZeYwcHtR1SUJqDXavYfBPC0VRhKz+7DVMFw
+Nwnocn6gITABc445W1yl7U3uww+LGuDlSlFnd8WuiXpVYud9/jeNu6Mu4wvNsnWr
+f4f4ua8CcS03GmqmcbROD2Z6by1AblCZ2UL1kv9cUX1FLVjPP1ESAGKoePt3BmZQ
+J1uJfK8HilNT8dcUlj/5CBi2uHxttDhoG0sxXE/SVsG9OD/Pjme0mj7gdzc6Ztd+
+TALuvpNQR4pRzfo5XWDZBcEYntcEE3PxYJB1+vnZ8509ew5/yLHTbLjFxIcx71zY
+fhH0gM36Sz7mz37r0+E/QkRkc5bVIDC4LDnWmjpAde6QUx0d218ShNx6sJo4kt5c
+Dd7tEVx8nuX8AIZYgwsOb382anLyFRkkmEdK3gRvwQ6SWR36Ez5L7/mHWODpLAX5
+mVBKSG4/ccFbc633/g0xHw0Nwajir/klckdakuYPlwF0yAxJSKDLhmNctDhRmxjC
+YP+fISkl5oTvFRzJH6HEyNu8M3ybRvmpPIjM5J5JpnB2IYbohYBR+T6/97C1DKrd
+mzL5PjlrWm0c1/d7LlDoP65fOShDMmj2zCiBAHHOM0Alokx+v5LmMd8NJumZIwGJ
+Rt5OpeMOhowz6j1AjYxYgV7PmJL6Ovpfb775od/aLaUbbwHz2uWIvfF7AoICAQCw
+c7NaO7oJVLJClhYw6OCvjT6oqtgNVWaennnDiJgzY9lv5HEgV0MAG0eYuB3hvj+w
+Y1P9DJxP1D+R+cshYrAFg8yU/3kaYVNI0Bl3ygX0eW1b/0HZTdocs+8kM/9PZQDR
+WrKQoU5lHvqRt99dXlD4NWGI2YQtzdZ8iet9QLqnjwRZabgE96mF01qKisMnFcsh
+KjT7ieheU4J15TZj/mdZRNK126d7e3q/rNj73e5EJ9tkYLcolSr4gpknUMJULSEi
+JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
+yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
+kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
+DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
+22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
+ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
+D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
+PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
+dUrYmHNEUJfHl4T1ESgkX1vkcpVFeQFruZDjk7EP3+1sgvpSroGTZkVBRFsTXbQZ
+FuCv0Pgt1TKG+zGmklxhj3TsiRy8MEjWAxBUp++ftZJnZNI4feDGnfEx7tLwVhAg
+6DWSiWDO6hgQpvOLwX5lu+0x9itc1MQsnDO/OqIDnBAJDN5k7cVVkfKlqbVjxgpz
+eqUJs3yAd81f44kDQTCB4ahYocgeIGsrOqd/WoGL1EEPPo/O9wQP7VtlIRt8UwuG
+bS18+a4sBUfAa56xYu/pnPo7YcubsgZfcSIujzFQqMpVTClJRnOnEuJ4J1+PXzRz
+XAO9fs4VJ+CMEmgAyonUz4Xadxulnknlw//sO9VKgM69oFHCDHL/XamAAbqAdwvf
+7R/+uy+Ol7romC0wMhb6SsIZazrvvH2mNtduAKZ638nAP1x/WbQp+6iVG7yJok7w
+82Q7tO7baOePTXh12Rrt4mNPor0HLYxhra4GFgfqkumJ2Mz0esuZAozxJXFOq8ly
+beo9CVtXP5zbT6qNpeNismX6PLICaev8t+1iOZSE56WSLtefuuj/cOVrTMNDz1Rr
+pUkEVV2zjUSjlcScM538A9iL2QKCAgBLbBk0r6T0ihRsK9UucMxhnYEz/Vq+UEu9
+70Vi1AciqEJv9nh4d3Q3HnH7EHANZxG4Jqzm1DYYVUQa9GfkTFeq88xFv/GW2hUM
+YY8RSfRDrIeXNEOETCe37x2AHw25dRXlZtw+wARPau91y9+Y/FCl18NqCHfcUEin
+ERjsf/eI2bPlODAlR2tZvZ7M60VBdqpN8cmV3zvI3e88z43xLfQlDyr1+v7a5Evy
+lEJnXlSTI2o+vKxtl103vjMSwA1gh63K90gBVsJWXQDZueOzi8mB9UqNRfcMmOEe
+4YHttTXPxeu0x+4cCRfam9zKShsVFgI28vRQ/ijl6qmbQ5gV8wqf18GV1j1L4z0P
+lP6iVynDA4MMrug/w9DqPsHsfK0pwekeETfSj4y0xVXyjWZBfHG2ZBrS6mDTf+RG
+LC4sJgR0hjdILLnUqIX7PzuhieBHRrjBcopwvcryVWRHnI7kslAS0+yHjiWc5oW3
+x5mtlum4HzelNYuD9cAE/95P6CeSMfp9CyIE/KSX4VvsRm6gQVkoQRKMxnQIFQ3w
+O5gl1l88vhjoo2HxYScgCp70BsDwiUNTqIR3NM+ZBHYFweVf3Gwz5LzHZT2rEZtD
+6VXRP75Q/2wOLnqCO4bK4BUs6sqxcQZmOldruPkPynrY0oPfHHExjxZDvQu4/r80
+Ls3n0L8yvQKCAgEAnYWS6EikwaQNpJEfiUnOlglgFz4EE1eVkrDbBY4J3oPU+doz
+DrqmsvgpSZIAfd2MUbkN4pOMsMTjbeIYWDnZDa1RoctKs3FhwFPHwAjQpznab4mn
+Bp81FMHM40qyb0NaNuFRwghdXvoQvBBX1p8oEnFzDRvTiuS/vTPTA8KDY8IeRp8R
+oGzKHpfziNwq/URpqj7pwi9odNjGZvR2IwYw9jCLPIqaEbMoSOdI0mg4MoYyqP4q
+nm7d4wqSDwrYxiXZ6f3nYpkhEY1lb0Wbksp1ig8sKSF4nDZRGK1RSfE+6gjBp94H
+X/Wog6Zb6NC9ZpusTiDLvuIUXcyUJvmHiWjSNqiTv8jurlwEsgSwhziEQfqLrtdV
+QI3PRMolBkD1iCk+HFE53r05LMf1bp3r4MS+naaQrLbIrl1kgDNGwVdgS+SCM7Bg
+TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
+46C6SaWI0TD9B11nJbHGTYN3Si9n0EBgoDJEXUKeh3km9O47dgvkSug4WzhYsvrE
+rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
+I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
+-----END RSA PRIVATE KEY-----
+
diff --git a/crypto/openssl/apps/s1024key.pem b/crypto/openssl/apps/s1024key.pem
new file mode 100644
index 0000000..19e0403
--- /dev/null
+++ b/crypto/openssl/apps/s1024key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV
+S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP
+pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB
+AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0
+dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY
+bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E
+Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq
+zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM
+6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf
+QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD
+dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M
+0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv
+nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/s1024req.pem b/crypto/openssl/apps/s1024req.pem
new file mode 100644
index 0000000..bb75e7e
--- /dev/null
+++ b/crypto/openssl/apps/s1024req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBojCCAQsCAQAwZDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSQwIgYDVQQDExtTZXJ2ZXIgdGVz
+dCBjZXJ0ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMR
+9TwT5kZMa0ddXleG8zYuDfZ9dQiPJ1dvfgEZU9fqg3v5o1VL15ZrK9b/73+9RvRo
+KqKUmukV6yAi1XZPxWGGM4T75dTPjq42lwxTvAcwQBdS58+nO2kWbxkSTa0Uq9p2
+RJKg3yVvXWO69lWRKQ+UHrmkWFJ7hApKnongeuRjAgMBAAEwDQYJKoZIhvcNAQEE
+BQADgYEAStHlk4pBbwiNeQ2/PKTPPXzITYC8Gn0XMbrU94e/6JIKiO7aArq9Espq
+nrBSvC14dHcNl6NNvnkEKdQ7hAkcACfBbnOXA/oQvMBd4GD78cH3k0jVDoVUEjil
+frLfWlckW6WzpTktt0ZPDdAjJCmKVh0ABHimi7Bo9FC3wIGIe5M=
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/s512-key.pem b/crypto/openssl/apps/s512-key.pem
new file mode 100644
index 0000000..0e3ff2d
--- /dev/null
+++ b/crypto/openssl/apps/s512-key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
+TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
+OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
+gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
+rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
+PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
+vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/apps/s512-req.pem b/crypto/openssl/apps/s512-req.pem
new file mode 100644
index 0000000..ea314be
--- /dev/null
+++ b/crypto/openssl/apps/s512-req.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa
+MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0
+IGNlcnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8S
+MVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8E
+y2//Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAANBAAB+uQi+qwn6qRSHB8EUTvsm
+5TNTHzYDeN39nyIbZNX2s0se3Srn2Bxft5YCwD3moFZ9QoyDHxE0h6qLX5yjD+8=
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h
new file mode 100644
index 0000000..57af7c0
--- /dev/null
+++ b/crypto/openssl/apps/s_apps.h
@@ -0,0 +1,111 @@
+/* apps/s_apps.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <sys/types.h>
+#if (defined(VMS) || defined(__VMS)) && !defined(FD_SET)
+/* VAX C does not defined fd_set and friends, but it's actually quite simple */
+/* These definitions are borrowed from SOCKETSHR.	/Richard Levitte */
+#define MAX_NOFILE	32
+#define	NBBY		 8		/* number of bits in a byte	*/
+
+#ifndef	FD_SETSIZE
+#define	FD_SETSIZE	MAX_NOFILE
+#endif	/* FD_SETSIZE */
+
+/* How many things we'll allow select to use. 0 if unlimited */
+#define MAXSELFD	MAX_NOFILE
+typedef int	fd_mask;	/* int here! VMS prototypes int, not long */
+#define NFDBITS	(sizeof(fd_mask) * NBBY)	/* bits per mask (power of 2!)*/
+#define NFDSHIFT 5				/* Shift based on above */
+
+typedef fd_mask fd_set;
+#define	FD_SET(n, p)	(*(p) |= (1 << ((n) % NFDBITS)))
+#define	FD_CLR(n, p)	(*(p) &= ~(1 << ((n) % NFDBITS)))
+#define	FD_ISSET(n, p)	(*(p) & (1 << ((n) % NFDBITS)))
+#define FD_ZERO(p)	memset((char *)(p), 0, sizeof(*(p)))
+#endif
+
+#define PORT            4433
+#define PORT_STR        "4433"
+#define PROTOCOL        "tcp"
+
+int do_server(int port, int *ret, int (*cb) (), char *context);
+#ifdef HEADER_X509_H
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+#else
+int MS_CALLBACK verify_callback(int ok, char *ctx);
+#endif
+#ifdef HEADER_SSL_H
+int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+#else
+int set_cert_stuff(char *ctx, char *cert_file, char *key_file);
+#endif
+int init_client(int *sock, char *server, int port);
+int should_retry(int i);
+int extract_port(char *str, short *port_ptr);
+int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
+
+long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp,
+	int argi, long argl, long ret);
+
+#ifdef HEADER_SSL_H
+void MS_CALLBACK apps_ssl_info_callback(SSL *s, int where, int ret);
+#else
+void MS_CALLBACK apps_ssl_info_callback(char *s, int where, int ret);
+#endif
+
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
new file mode 100644
index 0000000..fd62259
--- /dev/null
+++ b/crypto/openssl/apps/s_cb.c
@@ -0,0 +1,238 @@
+/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#define USE_SOCKETS
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+#undef USE_SOCKETS
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include "s_apps.h"
+
+int verify_depth=0;
+int verify_error=X509_V_OK;
+
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+	{
+	char buf[256];
+	X509 *err_cert;
+	int err,depth;
+
+	err_cert=X509_STORE_CTX_get_current_cert(ctx);
+	err=	X509_STORE_CTX_get_error(ctx);
+	depth=	X509_STORE_CTX_get_error_depth(ctx);
+
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+	if (!ok)
+		{
+		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
+			X509_verify_cert_error_string(err));
+		if (verify_depth >= depth)
+			{
+			ok=1;
+			verify_error=X509_V_OK;
+			}
+		else
+			{
+			ok=0;
+			verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
+			}
+		}
+	switch (ctx->error)
+		{
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+		BIO_printf(bio_err,"issuer= %s\n",buf);
+		break;
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		BIO_printf(bio_err,"notBefore=");
+		ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		BIO_printf(bio_err,"notAfter=");
+		ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+		}
+	BIO_printf(bio_err,"verify return:%d\n",ok);
+	return(ok);
+	}
+
+int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
+	{
+	if (cert_file != NULL)
+		{
+		/*
+		SSL *ssl;
+		X509 *x509;
+		*/
+
+		if (SSL_CTX_use_certificate_file(ctx,cert_file,
+			SSL_FILETYPE_PEM) <= 0)
+			{
+			BIO_printf(bio_err,"unable to get certificate from '%s'\n",cert_file);
+			ERR_print_errors(bio_err);
+			return(0);
+			}
+		if (key_file == NULL) key_file=cert_file;
+		if (SSL_CTX_use_PrivateKey_file(ctx,key_file,
+			SSL_FILETYPE_PEM) <= 0)
+			{
+			BIO_printf(bio_err,"unable to get private key from '%s'\n",key_file);
+			ERR_print_errors(bio_err);
+			return(0);
+			}
+
+		/*
+		In theory this is no longer needed 
+		ssl=SSL_new(ctx);
+		x509=SSL_get_certificate(ssl);
+
+		if (x509 != NULL) {
+			EVP_PKEY *pktmp;
+			pktmp = X509_get_pubkey(x509);
+			EVP_PKEY_copy_parameters(pktmp,
+						SSL_get_privatekey(ssl));
+			EVP_PKEY_free(pktmp);
+		}
+		SSL_free(ssl);
+		*/
+
+		/* If we are using DSA, we can copy the parameters from
+		 * the private key */
+		
+		
+		/* Now we know that a key and cert have been set against
+		 * the SSL context */
+		if (!SSL_CTX_check_private_key(ctx))
+			{
+			BIO_printf(bio_err,"Private key does not match the certificate public key\n");
+			return(0);
+			}
+		}
+	return(1);
+	}
+
+long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
+	     long argl, long ret)
+	{
+	BIO *out;
+
+	out=(BIO *)BIO_get_callback_arg(bio);
+	if (out == NULL) return(ret);
+
+	if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
+		{
+		BIO_printf(out,"read from %08X [%08lX] (%d bytes => %ld (0x%X))\n",
+			bio,argp,argi,ret,ret);
+		BIO_dump(out,argp,(int)ret);
+		return(ret);
+		}
+	else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
+		{
+		BIO_printf(out,"write to %08X [%08lX] (%d bytes => %ld (0x%X))\n",
+			bio,argp,argi,ret,ret);
+		BIO_dump(out,argp,(int)ret);
+		}
+	return(ret);
+	}
+
+void MS_CALLBACK apps_ssl_info_callback(SSL *s, int where, int ret)
+	{
+	char *str;
+	int w;
+
+	w=where& ~SSL_ST_MASK;
+
+	if (w & SSL_ST_CONNECT) str="SSL_connect";
+	else if (w & SSL_ST_ACCEPT) str="SSL_accept";
+	else str="undefined";
+
+	if (where & SSL_CB_LOOP)
+		{
+		BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
+		}
+	else if (where & SSL_CB_ALERT)
+		{
+		str=(where & SSL_CB_READ)?"read":"write";
+		BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
+			str,
+			SSL_alert_type_string_long(ret),
+			SSL_alert_desc_string_long(ret));
+		}
+	else if (where & SSL_CB_EXIT)
+		{
+		if (ret == 0)
+			BIO_printf(bio_err,"%s:failed in %s\n",
+				str,SSL_state_string_long(s));
+		else if (ret < 0)
+			{
+			BIO_printf(bio_err,"%s:error in %s\n",
+				str,SSL_state_string_long(s));
+			}
+		}
+	}
+
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
new file mode 100644
index 0000000..e629f8e
--- /dev/null
+++ b/crypto/openssl/apps/s_client.c
@@ -0,0 +1,885 @@
+/* apps/s_client.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+
+/* With IPv6, it looks like Digital has mixed up the proper order of
+   recursive header file inclusion, resulting in the compiler complaining
+   that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
+   is needed to have fileno() declared correctly...  So let's define u_int */
+#if defined(VMS) && defined(__DECC) && !defined(__U_INT)
+#define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#define USE_SOCKETS
+#include "apps.h"
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include "s_apps.h"
+
+#ifdef WINDOWS
+#include <conio.h>
+#endif
+
+
+#if (defined(VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#undef FIONBIO
+#endif
+
+#undef PROG
+#define PROG	s_client_main
+
+/*#define SSL_HOST_NAME	"www.netscape.com" */
+/*#define SSL_HOST_NAME	"193.118.187.102" */
+#define SSL_HOST_NAME	"localhost"
+
+/*#define TEST_CERT "client.pem" */ /* no default cert. */
+
+#undef BUFSIZZ
+#define BUFSIZZ 1024*8
+
+extern int verify_depth;
+extern int verify_error;
+
+#ifdef FIONBIO
+static int c_nbio=0;
+#endif
+static int c_Pause=0;
+static int c_debug=0;
+static int c_showcerts=0;
+
+static void sc_usage(void);
+static void print_stuff(BIO *berr,SSL *con,int full);
+static BIO *bio_c_out=NULL;
+static int c_quiet=0;
+static int c_ign_eof=0;
+
+static void sc_usage(void)
+	{
+	BIO_printf(bio_err,"usage: s_client args\n");
+	BIO_printf(bio_err,"\n");
+	BIO_printf(bio_err," -host host     - use -connect instead\n");
+	BIO_printf(bio_err," -port port     - use -connect instead\n");
+	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+
+	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
+	BIO_printf(bio_err," -key arg      - Private key file to use, PEM format assumed, in cert file if\n");
+	BIO_printf(bio_err,"                 not specified but cert file is.\n");
+	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
+	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
+	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
+	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
+	BIO_printf(bio_err," -debug        - extra output\n");
+	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
+	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
+#ifdef FIONBIO
+	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
+#endif
+	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
+	BIO_printf(bio_err," -quiet        - no s_client output\n");
+	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
+	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
+	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
+	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
+	BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
+	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
+	BIO_printf(bio_err,"                 command to see what is available\n");
+
+	}
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int off=0;
+	SSL *con=NULL,*con2=NULL;
+	int s,k,width,state=0;
+	char *cbuf=NULL,*sbuf=NULL;
+	int cbuf_len,cbuf_off;
+	int sbuf_len,sbuf_off;
+	fd_set readfds,writefds;
+	short port=PORT;
+	int full_log=1;
+	char *host=SSL_HOST_NAME;
+	char *cert_file=NULL,*key_file=NULL;
+	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
+	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
+	int crlf=0;
+	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
+	SSL_CTX *ctx=NULL;
+	int ret=1,in_init=1,i,nbio_test=0;
+	int prexit = 0;
+	SSL_METHOD *meth=NULL;
+	BIO *sbio;
+#ifdef WINDOWS
+	struct timeval tv;
+#endif
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+	meth=SSLv23_client_method();
+#elif !defined(NO_SSL3)
+	meth=SSLv3_client_method();
+#elif !defined(NO_SSL2)
+	meth=SSLv2_client_method();
+#endif
+
+	apps_startup();
+	c_Pause=0;
+	c_quiet=0;
+	c_ign_eof=0;
+	c_debug=0;
+	c_showcerts=0;
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	if (	((cbuf=Malloc(BUFSIZZ)) == NULL) ||
+		((sbuf=Malloc(BUFSIZZ)) == NULL))
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		goto end;
+		}
+
+	verify_depth=0;
+	verify_error=X509_V_OK;
+#ifdef FIONBIO
+	c_nbio=0;
+#endif
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-host") == 0)
+			{
+			if (--argc < 1) goto bad;
+			host= *(++argv);
+			}
+		else if	(strcmp(*argv,"-port") == 0)
+			{
+			if (--argc < 1) goto bad;
+			port=atoi(*(++argv));
+			if (port == 0) goto bad;
+			}
+		else if (strcmp(*argv,"-connect") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if (!extract_host_port(*(++argv),&host,NULL,&port))
+				goto bad;
+			}
+		else if	(strcmp(*argv,"-verify") == 0)
+			{
+			verify=SSL_VERIFY_PEER;
+			if (--argc < 1) goto bad;
+			verify_depth=atoi(*(++argv));
+			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+			}
+		else if	(strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			cert_file= *(++argv);
+			}
+		else if	(strcmp(*argv,"-prexit") == 0)
+			prexit=1;
+		else if	(strcmp(*argv,"-crlf") == 0)
+			crlf=1;
+		else if	(strcmp(*argv,"-quiet") == 0)
+			{
+			c_quiet=1;
+			c_ign_eof=1;
+			}
+		else if	(strcmp(*argv,"-ign_eof") == 0)
+			c_ign_eof=1;
+		else if	(strcmp(*argv,"-pause") == 0)
+			c_Pause=1;
+		else if	(strcmp(*argv,"-debug") == 0)
+			c_debug=1;
+		else if	(strcmp(*argv,"-showcerts") == 0)
+			c_showcerts=1;
+		else if	(strcmp(*argv,"-nbio_test") == 0)
+			nbio_test=1;
+		else if	(strcmp(*argv,"-state") == 0)
+			state=1;
+#ifndef NO_SSL2
+		else if	(strcmp(*argv,"-ssl2") == 0)
+			meth=SSLv2_client_method();
+#endif
+#ifndef NO_SSL3
+		else if	(strcmp(*argv,"-ssl3") == 0)
+			meth=SSLv3_client_method();
+#endif
+#ifndef NO_TLS1
+		else if	(strcmp(*argv,"-tls1") == 0)
+			meth=TLSv1_client_method();
+#endif
+		else if (strcmp(*argv,"-bugs") == 0)
+			bugs=1;
+		else if	(strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			key_file= *(++argv);
+			}
+		else if	(strcmp(*argv,"-reconnect") == 0)
+			{
+			reconnect=5;
+			}
+		else if	(strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-no_tls1") == 0)
+			off|=SSL_OP_NO_TLSv1;
+		else if (strcmp(*argv,"-no_ssl3") == 0)
+			off|=SSL_OP_NO_SSLv3;
+		else if (strcmp(*argv,"-no_ssl2") == 0)
+			off|=SSL_OP_NO_SSLv2;
+		else if	(strcmp(*argv,"-cipher") == 0)
+			{
+			if (--argc < 1) goto bad;
+			cipher= *(++argv);
+			}
+#ifdef FIONBIO
+		else if (strcmp(*argv,"-nbio") == 0)
+			{ c_nbio=1; }
+#endif
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badop=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+	if (badop)
+		{
+bad:
+		sc_usage();
+		goto end;
+		}
+
+	app_RAND_load_file(NULL, bio_err, 0);
+
+	if (bio_c_out == NULL)
+		{
+		if (c_quiet)
+			{
+			bio_c_out=BIO_new(BIO_s_null());
+			}
+		else
+			{
+			if (bio_c_out == NULL)
+				bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+			}
+		}
+
+	OpenSSL_add_ssl_algorithms();
+	SSL_load_error_strings();
+	ctx=SSL_CTX_new(meth);
+	if (ctx == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (bugs)
+		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
+	else
+		SSL_CTX_set_options(ctx,off);
+
+	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
+	if (cipher != NULL)
+		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+		BIO_printf(bio_err,"error setting cipher list\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+#if 0
+	else
+		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
+#endif
+
+	SSL_CTX_set_verify(ctx,verify,verify_callback);
+	if (!set_cert_stuff(ctx,cert_file,key_file))
+		goto end;
+
+	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(ctx)))
+		{
+		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+		ERR_print_errors(bio_err);
+		/* goto end; */
+		}
+
+
+	con=SSL_new(ctx);
+/*	SSL_set_cipher_list(con,"RC4-MD5"); */
+
+re_start:
+
+	if (init_client(&s,host,port) == 0)
+		{
+		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
+		SHUTDOWN(s);
+		goto end;
+		}
+	BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
+
+#ifdef FIONBIO
+	if (c_nbio)
+		{
+		unsigned long l=1;
+		BIO_printf(bio_c_out,"turning on non blocking io\n");
+		if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+#endif                                              
+	if (c_Pause & 0x01) con->debug=1;
+	sbio=BIO_new_socket(s,BIO_NOCLOSE);
+
+	if (nbio_test)
+		{
+		BIO *test;
+
+		test=BIO_new(BIO_f_nbio_test());
+		sbio=BIO_push(test,sbio);
+		}
+
+	if (c_debug)
+		{
+		con->debug=1;
+		BIO_set_callback(sbio,bio_dump_cb);
+		BIO_set_callback_arg(sbio,bio_c_out);
+		}
+
+	SSL_set_bio(con,sbio,sbio);
+	SSL_set_connect_state(con);
+
+	/* ok, lets connect */
+	width=SSL_get_fd(con)+1;
+
+	read_tty=1;
+	write_tty=0;
+	tty_on=0;
+	read_ssl=1;
+	write_ssl=1;
+	
+	cbuf_len=0;
+	cbuf_off=0;
+	sbuf_len=0;
+	sbuf_off=0;
+
+	for (;;)
+		{
+		FD_ZERO(&readfds);
+		FD_ZERO(&writefds);
+
+		if (SSL_in_init(con) && !SSL_total_renegotiations(con))
+			{
+			in_init=1;
+			tty_on=0;
+			}
+		else
+			{
+			tty_on=1;
+			if (in_init)
+				{
+				in_init=0;
+				print_stuff(bio_c_out,con,full_log);
+				if (full_log > 0) full_log--;
+
+				if (reconnect)
+					{
+					reconnect--;
+					BIO_printf(bio_c_out,"drop connection and then reconnect\n");
+					SSL_shutdown(con);
+					SSL_set_connect_state(con);
+					SHUTDOWN(SSL_get_fd(con));
+					goto re_start;
+					}
+				}
+			}
+
+		ssl_pending = read_ssl && SSL_pending(con);
+
+		if (!ssl_pending)
+			{
+#ifndef WINDOWS
+			if (tty_on)
+				{
+				if (read_tty)  FD_SET(fileno(stdin),&readfds);
+				if (write_tty) FD_SET(fileno(stdout),&writefds);
+				}
+			if (read_ssl)
+				FD_SET(SSL_get_fd(con),&readfds);
+			if (write_ssl)
+				FD_SET(SSL_get_fd(con),&writefds);
+#else
+			if(!tty_on || !write_tty) {
+				if (read_ssl)
+					FD_SET(SSL_get_fd(con),&readfds);
+				if (write_ssl)
+					FD_SET(SSL_get_fd(con),&writefds);
+			}
+#endif
+/*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
+				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
+
+			/* Note: under VMS with SOCKETSHR the second parameter
+			 * is currently of type (int *) whereas under other
+			 * systems it is (void *) if you don't have a cast it
+			 * will choke the compiler: if you do have a cast then
+			 * you can either go for (int *) or (void *).
+			 */
+#ifdef WINDOWS
+			/* Under Windows we make the assumption that we can
+			 * always write to the tty: therefore if we need to
+			 * write to the tty we just fall through. Otherwise
+			 * we timeout the select every second and see if there
+			 * are any keypresses. Note: this is a hack, in a proper
+			 * Windows application we wouldn't do this.
+			 */
+			i=0;
+			if(!write_tty) {
+				if(read_tty) {
+					tv.tv_sec = 1;
+					tv.tv_usec = 0;
+					i=select(width,(void *)&readfds,(void *)&writefds,
+						 NULL,&tv);
+					if(!i && (!_kbhit() || !read_tty) ) continue;
+				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
+					 NULL,NULL);
+			}
+#else
+			i=select(width,(void *)&readfds,(void *)&writefds,
+				 NULL,NULL);
+#endif
+			if ( i < 0)
+				{
+				BIO_printf(bio_err,"bad select %d\n",
+				get_last_socket_error());
+				goto shut;
+				/* goto end; */
+				}
+			}
+
+		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
+			{
+			k=SSL_write(con,&(cbuf[cbuf_off]),
+				(unsigned int)cbuf_len);
+			switch (SSL_get_error(con,k))
+				{
+			case SSL_ERROR_NONE:
+				cbuf_off+=k;
+				cbuf_len-=k;
+				if (k <= 0) goto end;
+				/* we have done a  write(con,NULL,0); */
+				if (cbuf_len <= 0)
+					{
+					read_tty=1;
+					write_ssl=0;
+					}
+				else /* if (cbuf_len > 0) */
+					{
+					read_tty=0;
+					write_ssl=1;
+					}
+				break;
+			case SSL_ERROR_WANT_WRITE:
+				BIO_printf(bio_c_out,"write W BLOCK\n");
+				write_ssl=1;
+				read_tty=0;
+				break;
+			case SSL_ERROR_WANT_READ:
+				BIO_printf(bio_c_out,"write R BLOCK\n");
+				write_tty=0;
+				read_ssl=1;
+				write_ssl=0;
+				break;
+			case SSL_ERROR_WANT_X509_LOOKUP:
+				BIO_printf(bio_c_out,"write X BLOCK\n");
+				break;
+			case SSL_ERROR_ZERO_RETURN:
+				if (cbuf_len != 0)
+					{
+					BIO_printf(bio_c_out,"shutdown\n");
+					goto shut;
+					}
+				else
+					{
+					read_tty=1;
+					write_ssl=0;
+					break;
+					}
+				
+			case SSL_ERROR_SYSCALL:
+				if ((k != 0) || (cbuf_len != 0))
+					{
+					BIO_printf(bio_err,"write:errno=%d\n",
+						get_last_socket_error());
+					goto shut;
+					}
+				else
+					{
+					read_tty=1;
+					write_ssl=0;
+					}
+				break;
+			case SSL_ERROR_SSL:
+				ERR_print_errors(bio_err);
+				goto shut;
+				}
+			}
+#ifdef WINDOWS
+		/* Assume Windows can always write */
+		else if (!ssl_pending && write_tty)
+#else
+		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
+#endif
+			{
+#ifdef CHARSET_EBCDIC
+			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
+#endif
+			i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
+
+			if (i <= 0)
+				{
+				BIO_printf(bio_c_out,"DONE\n");
+				goto shut;
+				/* goto end; */
+				}
+
+			sbuf_len-=i;;
+			sbuf_off+=i;
+			if (sbuf_len <= 0)
+				{
+				read_ssl=1;
+				write_tty=0;
+				}
+			}
+		else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
+			{
+#ifdef RENEG
+{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
+#endif
+#if 1
+			k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
+#else
+/* Demo for pending and peek :-) */
+			k=SSL_read(con,sbuf,16);
+{ char zbuf[10240]; 
+printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
+}
+#endif
+
+			switch (SSL_get_error(con,k))
+				{
+			case SSL_ERROR_NONE:
+				if (k <= 0)
+					goto end;
+				sbuf_off=0;
+				sbuf_len=k;
+
+				read_ssl=0;
+				write_tty=1;
+				break;
+			case SSL_ERROR_WANT_WRITE:
+				BIO_printf(bio_c_out,"read W BLOCK\n");
+				write_ssl=1;
+				read_tty=0;
+				break;
+			case SSL_ERROR_WANT_READ:
+				BIO_printf(bio_c_out,"read R BLOCK\n");
+				write_tty=0;
+				read_ssl=1;
+				if ((read_tty == 0) && (write_ssl == 0))
+					write_ssl=1;
+				break;
+			case SSL_ERROR_WANT_X509_LOOKUP:
+				BIO_printf(bio_c_out,"read X BLOCK\n");
+				break;
+			case SSL_ERROR_SYSCALL:
+				BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
+				goto shut;
+			case SSL_ERROR_ZERO_RETURN:
+				BIO_printf(bio_c_out,"closed\n");
+				goto shut;
+			case SSL_ERROR_SSL:
+				ERR_print_errors(bio_err);
+				goto shut;
+				/* break; */
+				}
+			}
+
+#ifdef WINDOWS
+		else if (_kbhit())
+#else
+		else if (FD_ISSET(fileno(stdin),&readfds))
+#endif
+			{
+			if (crlf)
+				{
+				int j, lf_num;
+
+				i=read(fileno(stdin),cbuf,BUFSIZZ/2);
+				lf_num = 0;
+				/* both loops are skipped when i <= 0 */
+				for (j = 0; j < i; j++)
+					if (cbuf[j] == '\n')
+						lf_num++;
+				for (j = i-1; j >= 0; j--)
+					{
+					cbuf[j+lf_num] = cbuf[j];
+					if (cbuf[j] == '\n')
+						{
+						lf_num--;
+						i++;
+						cbuf[j+lf_num] = '\r';
+						}
+					}
+				assert(lf_num == 0);
+				}
+			else
+				i=read(fileno(stdin),cbuf,BUFSIZZ);
+
+			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
+				{
+				BIO_printf(bio_err,"DONE\n");
+				goto shut;
+				}
+
+			if ((!c_ign_eof) && (cbuf[0] == 'R'))
+				{
+				BIO_printf(bio_err,"RENEGOTIATING\n");
+				SSL_renegotiate(con);
+				cbuf_len=0;
+				}
+			else
+				{
+				cbuf_len=i;
+				cbuf_off=0;
+#ifdef CHARSET_EBCDIC
+				ebcdic2ascii(cbuf, cbuf, i);
+#endif
+				}
+
+			write_ssl=1;
+			read_tty=0;
+			}
+		}
+shut:
+	SSL_shutdown(con);
+	SHUTDOWN(SSL_get_fd(con));
+	ret=0;
+end:
+	if(prexit) print_stuff(bio_c_out,con,1);
+	if (con != NULL) SSL_free(con);
+	if (con2 != NULL) SSL_free(con2);
+	if (ctx != NULL) SSL_CTX_free(ctx);
+	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); Free(cbuf); }
+	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); Free(sbuf); }
+	if (bio_c_out != NULL)
+		{
+		BIO_free(bio_c_out);
+		bio_c_out=NULL;
+		}
+	EXIT(ret);
+	}
+
+
+static void print_stuff(BIO *bio, SSL *s, int full)
+	{
+	X509 *peer=NULL;
+	char *p;
+	static char *space="                ";
+	char buf[BUFSIZ];
+	STACK_OF(X509) *sk;
+	STACK_OF(X509_NAME) *sk2;
+	SSL_CIPHER *c;
+	X509_NAME *xn;
+	int j,i;
+
+	if (full)
+		{
+		int got_a_chain = 0;
+
+		sk=SSL_get_peer_cert_chain(s);
+		if (sk != NULL)
+			{
+			got_a_chain = 1; /* we don't have it for SSL2 (yet) */
+
+			BIO_printf(bio,"---\nCertificate chain\n");
+			for (i=0; i<sk_X509_num(sk); i++)
+				{
+				X509_NAME_oneline(X509_get_subject_name(
+					sk_X509_value(sk,i)),buf,BUFSIZ);
+				BIO_printf(bio,"%2d s:%s\n",i,buf);
+				X509_NAME_oneline(X509_get_issuer_name(
+					sk_X509_value(sk,i)),buf,BUFSIZ);
+				BIO_printf(bio,"   i:%s\n",buf);
+				if (c_showcerts)
+					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
+				}
+			}
+
+		BIO_printf(bio,"---\n");
+		peer=SSL_get_peer_certificate(s);
+		if (peer != NULL)
+			{
+			BIO_printf(bio,"Server certificate\n");
+			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
+				PEM_write_bio_X509(bio,peer);
+			X509_NAME_oneline(X509_get_subject_name(peer),
+				buf,BUFSIZ);
+			BIO_printf(bio,"subject=%s\n",buf);
+			X509_NAME_oneline(X509_get_issuer_name(peer),
+				buf,BUFSIZ);
+			BIO_printf(bio,"issuer=%s\n",buf);
+			}
+		else
+			BIO_printf(bio,"no peer certificate available\n");
+
+		sk2=SSL_get_client_CA_list(s);
+		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
+			{
+			BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
+			for (i=0; i<sk_X509_NAME_num(sk2); i++)
+				{
+				xn=sk_X509_NAME_value(sk2,i);
+				X509_NAME_oneline(xn,buf,sizeof(buf));
+				BIO_write(bio,buf,strlen(buf));
+				BIO_write(bio,"\n",1);
+				}
+			}
+		else
+			{
+			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
+			}
+		p=SSL_get_shared_ciphers(s,buf,BUFSIZ);
+		if (p != NULL)
+			{
+			/* This works only for SSL 2.  In later protocol
+			 * versions, the client does not know what other
+			 * ciphers (in addition to the one to be used
+			 * in the current connection) the server supports. */
+
+			BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
+			j=i=0;
+			while (*p)
+				{
+				if (*p == ':')
+					{
+					BIO_write(bio,space,15-j%25);
+					i++;
+					j=0;
+					BIO_write(bio,((i%3)?" ":"\n"),1);
+					}
+				else
+					{
+					BIO_write(bio,p,1);
+					j++;
+					}
+				p++;
+				}
+			BIO_write(bio,"\n",1);
+			}
+
+		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
+			BIO_number_read(SSL_get_rbio(s)),
+			BIO_number_written(SSL_get_wbio(s)));
+		}
+	BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
+	c=SSL_get_current_cipher(s);
+	BIO_printf(bio,"%s, Cipher is %s\n",
+		SSL_CIPHER_get_version(c),
+		SSL_CIPHER_get_name(c));
+	if (peer != NULL) {
+		EVP_PKEY *pktmp;
+		pktmp = X509_get_pubkey(peer);
+		BIO_printf(bio,"Server public key is %d bit\n",
+							 EVP_PKEY_bits(pktmp));
+		EVP_PKEY_free(pktmp);
+	}
+	SSL_SESSION_print(bio,SSL_get_session(s));
+	BIO_printf(bio,"---\n");
+	if (peer != NULL)
+		X509_free(peer);
+	}
+
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
new file mode 100644
index 0000000..af19b89
--- /dev/null
+++ b/crypto/openssl/apps/s_server.c
@@ -0,0 +1,1504 @@
+/* apps/s_server.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+
+/* With IPv6, it looks like Digital has mixed up the proper order of
+   recursive header file inclusion, resulting in the compiler complaining
+   that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
+   is needed to have fileno() declared correctly...  So let's define u_int */
+#if defined(VMS) && defined(__DECC) && !defined(__U_INT)
+#define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#include <openssl/lhash.h>
+#include <openssl/bn.h>
+#define USE_SOCKETS
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include "s_apps.h"
+
+#ifdef WINDOWS
+#include <conio.h>
+#endif
+
+#if (defined(VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#undef FIONBIO
+#endif
+
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+#endif
+static int sv_body(char *hostname, int s, unsigned char *context);
+static int www_body(char *hostname, int s, unsigned char *context);
+static void close_accept_socket(void );
+static void sv_usage(void);
+static int init_ssl_connection(SSL *s);
+static void print_stats(BIO *bp,SSL_CTX *ctx);
+#ifndef NO_DH
+static DH *load_dh_param(char *dhfile);
+static DH *get_dh512(void);
+#endif
+#ifdef MONOLITH
+static void s_server_init(void);
+#endif
+
+#ifndef S_ISDIR
+# if defined(_S_IFMT) && defined(_S_IFDIR)
+#  define S_ISDIR(a)	(((a) & _S_IFMT) == _S_IFDIR)
+# else
+#  define S_ISDIR(a)	(((a) & S_IFMT) == S_IFDIR)
+# endif
+#endif
+
+#ifndef NO_DH
+static unsigned char dh512_p[]={
+	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+	0x47,0x74,0xE8,0x33,
+	};
+static unsigned char dh512_g[]={
+	0x02,
+	};
+
+static DH *get_dh512(void)
+	{
+	DH *dh=NULL;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		return(NULL);
+	return(dh);
+	}
+#endif
+
+/* static int load_CA(SSL_CTX *ctx, char *file);*/
+
+#undef BUFSIZZ
+#define BUFSIZZ	16*1024
+static int bufsize=BUFSIZZ;
+static int accept_socket= -1;
+
+#define TEST_CERT	"server.pem"
+#undef PROG
+#define PROG		s_server_main
+
+extern int verify_depth;
+
+static char *cipher=NULL;
+static int s_server_verify=SSL_VERIFY_NONE;
+static int s_server_session_id_context = 1; /* anything will do */
+static char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+#ifdef FIONBIO
+static int s_nbio=0;
+#endif
+static int s_nbio_test=0;
+int s_crlf=0;
+static SSL_CTX *ctx=NULL;
+static int www=0;
+
+static BIO *bio_s_out=NULL;
+static int s_debug=0;
+static int s_quiet=0;
+
+static int hack=0;
+
+#ifdef MONOLITH
+static void s_server_init(void)
+	{
+	accept_socket=-1;
+	cipher=NULL;
+	s_server_verify=SSL_VERIFY_NONE;
+	s_dcert_file=NULL;
+	s_dkey_file=NULL;
+	s_cert_file=TEST_CERT;
+	s_key_file=NULL;
+#ifdef FIONBIO
+	s_nbio=0;
+#endif
+	s_nbio_test=0;
+	ctx=NULL;
+	www=0;
+
+	bio_s_out=NULL;
+	s_debug=0;
+	s_quiet=0;
+	hack=0;
+	}
+#endif
+
+static void sv_usage(void)
+	{
+	BIO_printf(bio_err,"usage: s_server [args ...]\n");
+	BIO_printf(bio_err,"\n");
+	BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
+	BIO_printf(bio_err," -context arg  - set session ID context\n");
+	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
+	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
+	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
+	BIO_printf(bio_err," -key arg      - Private Key file to use, PEM format assumed, in cert file if\n");
+	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
+	BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
+	BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
+	BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
+	BIO_printf(bio_err,"                 or a default set of parameters is used\n");
+#ifdef FIONBIO
+	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
+#endif
+	BIO_printf(bio_err," -nbio_test    - test with the non-blocking test bio\n");
+	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
+	BIO_printf(bio_err," -debug        - Print more output\n");
+	BIO_printf(bio_err," -state        - Print the SSL states\n");
+	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
+	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
+	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
+	BIO_printf(bio_err," -quiet        - No server output\n");
+	BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
+	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
+	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
+	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
+	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
+	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
+#ifndef NO_DH
+	BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
+#endif
+	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
+	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
+	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+	}
+
+static int local_argc=0;
+static char **local_argv;
+
+#ifdef CHARSET_EBCDIC
+static int ebcdic_new(BIO *bi);
+static int ebcdic_free(BIO *a);
+static int ebcdic_read(BIO *b, char *out, int outl);
+static int ebcdic_write(BIO *b, char *in, int inl);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static int ebcdic_gets(BIO *bp, char *buf, int size);
+static int ebcdic_puts(BIO *bp, char *str);
+
+#define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
+static BIO_METHOD methods_ebcdic=
+	{
+	BIO_TYPE_EBCDIC_FILTER,
+	"EBCDIC/ASCII filter",
+	ebcdic_write,
+	ebcdic_read,
+	ebcdic_puts,
+	ebcdic_gets,
+	ebcdic_ctrl,
+	ebcdic_new,
+	ebcdic_free,
+	};
+
+typedef struct
+{
+	size_t	alloced;
+	char	buff[1];
+} EBCDIC_OUTBUFF;
+
+BIO_METHOD *BIO_f_ebcdic_filter()
+{
+	return(&methods_ebcdic);
+}
+
+static int ebcdic_new(BIO *bi)
+{
+	EBCDIC_OUTBUFF *wbuf;
+
+	wbuf = (EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+	wbuf->alloced = 1024;
+	wbuf->buff[0] = '\0';
+
+	bi->ptr=(char *)wbuf;
+	bi->init=1;
+	bi->flags=0;
+	return(1);
+}
+
+static int ebcdic_free(BIO *a)
+{
+	if (a == NULL) return(0);
+	if (a->ptr != NULL)
+		Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+}
+	
+static int ebcdic_read(BIO *b, char *out, int outl)
+{
+	int ret=0;
+
+	if (out == NULL || outl == 0) return(0);
+	if (b->next_bio == NULL) return(0);
+
+	ret=BIO_read(b->next_bio,out,outl);
+	if (ret > 0)
+		ascii2ebcdic(out,out,ret);
+	return(ret);
+}
+
+static int ebcdic_write(BIO *b, char *in, int inl)
+{
+	EBCDIC_OUTBUFF *wbuf;
+	int ret=0;
+	int num;
+	unsigned char n;
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+	if (b->next_bio == NULL) return(0);
+
+	wbuf=(EBCDIC_OUTBUFF *)b->ptr;
+
+	if (inl > (num = wbuf->alloced))
+	{
+		num = num + num;  /* double the size */
+		if (num < inl)
+			num = inl;
+		Free(wbuf);
+		wbuf=(EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + num);
+
+		wbuf->alloced = num;
+		wbuf->buff[0] = '\0';
+
+		b->ptr=(char *)wbuf;
+	}
+
+	ebcdic2ascii(wbuf->buff, in, inl);
+
+	ret=BIO_write(b->next_bio, wbuf->buff, inl);
+
+	return(ret);
+}
+
+static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+{
+	long ret;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+	{
+	case BIO_CTRL_DUP:
+		ret=0L;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	}
+	return(ret);
+}
+
+static int ebcdic_gets(BIO *bp, char *buf, int size)
+{
+	int i, ret;
+	if (bp->next_bio == NULL) return(0);
+/*	return(BIO_gets(bp->next_bio,buf,size));*/
+	for (i=0; i<size-1; ++i)
+	{
+		ret = ebcdic_read(bp,&buf[i],1);
+		if (ret <= 0)
+			break;
+		else if (buf[i] == '\n')
+		{
+			++i;
+			break;
+		}
+	}
+	if (i < size)
+		buf[i] = '\0';
+	return (ret < 0 && i == 0) ? ret : i;
+}
+
+static int ebcdic_puts(BIO *bp, char *str)
+{
+	if (bp->next_bio == NULL) return(0);
+	return ebcdic_write(bp, str, strlen(str));
+}
+#endif
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char *argv[])
+	{
+	short port=PORT;
+	char *CApath=NULL,*CAfile=NULL;
+	char *context = NULL;
+	char *dhfile = NULL;
+	int badop=0,bugs=0;
+	int ret=1;
+	int off=0;
+	int no_tmp_rsa=0,no_dhe=0,nocert=0;
+	int state=0;
+	SSL_METHOD *meth=NULL;
+#ifndef NO_DH
+	DH *dh=NULL;
+#endif
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+	meth=SSLv23_server_method();
+#elif !defined(NO_SSL3)
+	meth=SSLv3_server_method();
+#elif !defined(NO_SSL2)
+	meth=SSLv2_server_method();
+#endif
+
+	local_argc=argc;
+	local_argv=argv;
+
+	apps_startup();
+#ifdef MONOLITH
+	s_server_init();
+#endif
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	verify_depth=0;
+#ifdef FIONBIO
+	s_nbio=0;
+#endif
+	s_nbio_test=0;
+
+	argc--;
+	argv++;
+
+	while (argc >= 1)
+		{
+		if	((strcmp(*argv,"-port") == 0) ||
+			 (strcmp(*argv,"-accept") == 0))
+			{
+			if (--argc < 1) goto bad;
+			if (!extract_port(*(++argv),&port))
+				goto bad;
+			}
+		else if	(strcmp(*argv,"-verify") == 0)
+			{
+			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
+			if (--argc < 1) goto bad;
+			verify_depth=atoi(*(++argv));
+			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+			}
+		else if	(strcmp(*argv,"-Verify") == 0)
+			{
+			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
+				SSL_VERIFY_CLIENT_ONCE;
+			if (--argc < 1) goto bad;
+			verify_depth=atoi(*(++argv));
+			BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
+			}
+		else if	(strcmp(*argv,"-context") == 0)
+			{
+			if (--argc < 1) goto bad;
+			context= *(++argv);
+			}
+		else if	(strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_cert_file= *(++argv);
+			}
+		else if	(strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_key_file= *(++argv);
+			}
+		else if	(strcmp(*argv,"-dhparam") == 0)
+			{
+			if (--argc < 1) goto bad;
+			dhfile = *(++argv);
+			}
+		else if	(strcmp(*argv,"-dcert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_dcert_file= *(++argv);
+			}
+		else if	(strcmp(*argv,"-dkey") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_dkey_file= *(++argv);
+			}
+		else if (strcmp(*argv,"-nocert") == 0)
+			{
+			nocert=1;
+			}
+		else if	(strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath= *(++argv);
+			}
+		else if	(strcmp(*argv,"-cipher") == 0)
+			{
+			if (--argc < 1) goto bad;
+			cipher= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			}
+#ifdef FIONBIO	
+		else if	(strcmp(*argv,"-nbio") == 0)
+			{ s_nbio=1; }
+#endif
+		else if	(strcmp(*argv,"-nbio_test") == 0)
+			{
+#ifdef FIONBIO	
+			s_nbio=1;
+#endif
+			s_nbio_test=1;
+			}
+		else if	(strcmp(*argv,"-debug") == 0)
+			{ s_debug=1; }
+		else if	(strcmp(*argv,"-hack") == 0)
+			{ hack=1; }
+		else if	(strcmp(*argv,"-state") == 0)
+			{ state=1; }
+		else if	(strcmp(*argv,"-crlf") == 0)
+			{ s_crlf=1; }
+		else if	(strcmp(*argv,"-quiet") == 0)
+			{ s_quiet=1; }
+		else if	(strcmp(*argv,"-bugs") == 0)
+			{ bugs=1; }
+		else if	(strcmp(*argv,"-no_tmp_rsa") == 0)
+			{ no_tmp_rsa=1; }
+		else if	(strcmp(*argv,"-no_dhe") == 0)
+			{ no_dhe=1; }
+		else if	(strcmp(*argv,"-www") == 0)
+			{ www=1; }
+		else if	(strcmp(*argv,"-WWW") == 0)
+			{ www=2; }
+		else if	(strcmp(*argv,"-no_ssl2") == 0)
+			{ off|=SSL_OP_NO_SSLv2; }
+		else if	(strcmp(*argv,"-no_ssl3") == 0)
+			{ off|=SSL_OP_NO_SSLv3; }
+		else if	(strcmp(*argv,"-no_tls1") == 0)
+			{ off|=SSL_OP_NO_TLSv1; }
+#ifndef NO_SSL2
+		else if	(strcmp(*argv,"-ssl2") == 0)
+			{ meth=SSLv2_server_method(); }
+#endif
+#ifndef NO_SSL3
+		else if	(strcmp(*argv,"-ssl3") == 0)
+			{ meth=SSLv3_server_method(); }
+#endif
+#ifndef NO_TLS1
+		else if	(strcmp(*argv,"-tls1") == 0)
+			{ meth=TLSv1_server_method(); }
+#endif
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badop=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+	if (badop)
+		{
+bad:
+		sv_usage();
+		goto end;
+		}
+
+	app_RAND_load_file(NULL, bio_err, 0);
+
+	if (bio_s_out == NULL)
+		{
+		if (s_quiet && !s_debug)
+			{
+			bio_s_out=BIO_new(BIO_s_null());
+			}
+		else
+			{
+			if (bio_s_out == NULL)
+				bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+			}
+		}
+
+#if !defined(NO_RSA) || !defined(NO_DSA)
+	if (nocert)
+#endif
+		{
+		s_cert_file=NULL;
+		s_key_file=NULL;
+		s_dcert_file=NULL;
+		s_dkey_file=NULL;
+		}
+
+	SSL_load_error_strings();
+	OpenSSL_add_ssl_algorithms();
+
+	ctx=SSL_CTX_new(meth);
+	if (ctx == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	SSL_CTX_set_quiet_shutdown(ctx,1);
+	if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
+	if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+	SSL_CTX_set_options(ctx,off);
+	if (hack) SSL_CTX_set_options(ctx,SSL_OP_NON_EXPORT_FIRST);
+
+	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
+
+	SSL_CTX_sess_set_cache_size(ctx,128);
+
+#if 0
+	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
+#endif
+
+#if 0
+	if (s_cert_file == NULL)
+		{
+		BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
+		goto end;
+		}
+#endif
+
+	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(ctx)))
+		{
+		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+		ERR_print_errors(bio_err);
+		/* goto end; */
+		}
+
+#ifndef NO_DH
+	if (!no_dhe)
+		{
+		dh=load_dh_param(dhfile ? dhfile : s_cert_file);
+		if (dh != NULL)
+			{
+			BIO_printf(bio_s_out,"Setting temp DH parameters\n");
+			}
+		else
+			{
+			BIO_printf(bio_s_out,"Using default temp DH parameters\n");
+			dh=get_dh512();
+			}
+		(void)BIO_flush(bio_s_out);
+
+		SSL_CTX_set_tmp_dh(ctx,dh);
+		DH_free(dh);
+		}
+#endif
+	
+	if (!set_cert_stuff(ctx,s_cert_file,s_key_file))
+		goto end;
+	if (s_dcert_file != NULL)
+		{
+		if (!set_cert_stuff(ctx,s_dcert_file,s_dkey_file))
+			goto end;
+		}
+
+#ifndef NO_RSA
+#if 1
+	SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
+#else
+	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
+		{
+		RSA *rsa;
+
+		BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key...");
+		BIO_flush(bio_s_out);
+
+		rsa=RSA_generate_key(512,RSA_F4,NULL);
+
+		if (!SSL_CTX_set_tmp_rsa(ctx,rsa))
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		RSA_free(rsa);
+		BIO_printf(bio_s_out,"\n");
+		}
+#endif
+#endif
+
+	if (cipher != NULL)
+		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+		BIO_printf(bio_err,"error setting cipher list\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
+	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
+		sizeof s_server_session_id_context);
+
+	if (CAfile != NULL)
+	    SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
+
+	BIO_printf(bio_s_out,"ACCEPT\n");
+	if (www)
+		do_server(port,&accept_socket,www_body, context);
+	else
+		do_server(port,&accept_socket,sv_body, context);
+	print_stats(bio_s_out,ctx);
+	ret=0;
+end:
+	if (ctx != NULL) SSL_CTX_free(ctx);
+	if (bio_s_out != NULL)
+		{
+		BIO_free(bio_s_out);
+		bio_s_out=NULL;
+		}
+	EXIT(ret);
+	}
+
+static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
+	{
+	BIO_printf(bio,"%4ld items in the session cache\n",
+		SSL_CTX_sess_number(ssl_ctx));
+	BIO_printf(bio,"%4d client connects (SSL_connect())\n",
+		SSL_CTX_sess_connect(ssl_ctx));
+	BIO_printf(bio,"%4d client renegotiates (SSL_connect())\n",
+		SSL_CTX_sess_connect_renegotiate(ssl_ctx));
+	BIO_printf(bio,"%4d client connects that finished\n",
+		SSL_CTX_sess_connect_good(ssl_ctx));
+	BIO_printf(bio,"%4d server accepts (SSL_accept())\n",
+		SSL_CTX_sess_accept(ssl_ctx));
+	BIO_printf(bio,"%4d server renegotiates (SSL_accept())\n",
+		SSL_CTX_sess_accept_renegotiate(ssl_ctx));
+	BIO_printf(bio,"%4d server accepts that finished\n",
+		SSL_CTX_sess_accept_good(ssl_ctx));
+	BIO_printf(bio,"%4d session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
+	BIO_printf(bio,"%4d session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
+	BIO_printf(bio,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
+	BIO_printf(bio,"%4d callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
+	BIO_printf(bio,"%4d cache full overflows (%d allowed)\n",
+		SSL_CTX_sess_cache_full(ssl_ctx),
+		SSL_CTX_sess_get_cache_size(ssl_ctx));
+	}
+
+static int sv_body(char *hostname, int s, unsigned char *context)
+	{
+	char *buf=NULL;
+	fd_set readfds;
+	int ret=1,width;
+	int k,i;
+	unsigned long l;
+	SSL *con=NULL;
+	BIO *sbio;
+#ifdef WINDOWS
+	struct timeval tv;
+#endif
+
+	if ((buf=Malloc(bufsize)) == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		goto err;
+		}
+#ifdef FIONBIO	
+	if (s_nbio)
+		{
+		unsigned long sl=1;
+
+		if (!s_quiet)
+			BIO_printf(bio_err,"turning on non blocking io\n");
+		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
+			ERR_print_errors(bio_err);
+		}
+#endif
+
+	if (con == NULL) {
+		con=SSL_new(ctx);
+		if(context)
+		      SSL_set_session_id_context(con, context,
+						 strlen((char *)context));
+	}
+	SSL_clear(con);
+
+	sbio=BIO_new_socket(s,BIO_NOCLOSE);
+	if (s_nbio_test)
+		{
+		BIO *test;
+
+		test=BIO_new(BIO_f_nbio_test());
+		sbio=BIO_push(test,sbio);
+		}
+	SSL_set_bio(con,sbio,sbio);
+	SSL_set_accept_state(con);
+	/* SSL_set_fd(con,s); */
+
+	if (s_debug)
+		{
+		con->debug=1;
+		BIO_set_callback(SSL_get_rbio(con),bio_dump_cb);
+		BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
+		}
+
+	width=s+1;
+	for (;;)
+		{
+		int read_from_terminal;
+		int read_from_sslcon;
+
+		read_from_terminal = 0;
+		read_from_sslcon = SSL_pending(con);
+
+		if (!read_from_sslcon)
+			{
+			FD_ZERO(&readfds);
+#ifndef WINDOWS
+			FD_SET(fileno(stdin),&readfds);
+#endif
+			FD_SET(s,&readfds);
+			/* Note: under VMS with SOCKETSHR the second parameter is
+			 * currently of type (int *) whereas under other systems
+			 * it is (void *) if you don't have a cast it will choke
+			 * the compiler: if you do have a cast then you can either
+			 * go for (int *) or (void *).
+			 */
+#ifdef WINDOWS
+			/* Under Windows we can't select on stdin: only
+			 * on sockets. As a workaround we timeout the select every
+			 * second and check for any keypress. In a proper Windows
+			 * application we wouldn't do this because it is inefficient.
+			 */
+			tv.tv_sec = 1;
+			tv.tv_usec = 0;
+			i=select(width,(void *)&readfds,NULL,NULL,&tv);
+			if((i < 0) || (!i && !_kbhit() ) )continue;
+			if(_kbhit())
+				read_from_terminal = 1;
+#else
+			i=select(width,(void *)&readfds,NULL,NULL,NULL);
+			if (i <= 0) continue;
+			if (FD_ISSET(fileno(stdin),&readfds))
+				read_from_terminal = 1;
+#endif
+			if (FD_ISSET(s,&readfds))
+				read_from_sslcon = 1;
+			}
+		if (read_from_terminal)
+			{
+			if (s_crlf)
+				{
+				int j, lf_num;
+
+				i=read(fileno(stdin), buf, bufsize/2);
+				lf_num = 0;
+				/* both loops are skipped when i <= 0 */
+				for (j = 0; j < i; j++)
+					if (buf[j] == '\n')
+						lf_num++;
+				for (j = i-1; j >= 0; j--)
+					{
+					buf[j+lf_num] = buf[j];
+					if (buf[j] == '\n')
+						{
+						lf_num--;
+						i++;
+						buf[j+lf_num] = '\r';
+						}
+					}
+				assert(lf_num == 0);
+				}
+			else
+				i=read(fileno(stdin),buf,bufsize);
+			if (!s_quiet)
+				{
+				if ((i <= 0) || (buf[0] == 'Q'))
+					{
+					BIO_printf(bio_s_out,"DONE\n");
+					SHUTDOWN(s);
+					close_accept_socket();
+					ret= -11;
+					goto err;
+					}
+				if ((i <= 0) || (buf[0] == 'q'))
+					{
+					BIO_printf(bio_s_out,"DONE\n");
+					SHUTDOWN(s);
+	/*				close_accept_socket();
+					ret= -11;*/
+					goto err;
+					}
+				if ((buf[0] == 'r') && 
+					((buf[1] == '\n') || (buf[1] == '\r')))
+					{
+					SSL_renegotiate(con);
+					i=SSL_do_handshake(con);
+					printf("SSL_do_handshake -> %d\n",i);
+					i=0; /*13; */
+					continue;
+					/* strcpy(buf,"server side RE-NEGOTIATE\n"); */
+					}
+				if ((buf[0] == 'R') &&
+					((buf[1] == '\n') || (buf[1] == '\r')))
+					{
+					SSL_set_verify(con,
+						SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
+					SSL_renegotiate(con);
+					i=SSL_do_handshake(con);
+					printf("SSL_do_handshake -> %d\n",i);
+					i=0; /* 13; */
+					continue;
+					/* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */
+					}
+				if (buf[0] == 'P')
+					{
+					static char *str="Lets print some clear text\n";
+					BIO_write(SSL_get_wbio(con),str,strlen(str));
+					}
+				if (buf[0] == 'S')
+					{
+					print_stats(bio_s_out,SSL_get_SSL_CTX(con));
+					}
+				}
+#ifdef CHARSET_EBCDIC
+			ebcdic2ascii(buf,buf,i);
+#endif
+			l=k=0;
+			for (;;)
+				{
+				/* should do a select for the write */
+#ifdef RENEG
+{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
+#endif
+				k=SSL_write(con,&(buf[l]),(unsigned int)i);
+				switch (SSL_get_error(con,k))
+					{
+				case SSL_ERROR_NONE:
+					break;
+				case SSL_ERROR_WANT_WRITE:
+				case SSL_ERROR_WANT_READ:
+				case SSL_ERROR_WANT_X509_LOOKUP:
+					BIO_printf(bio_s_out,"Write BLOCK\n");
+					break;
+				case SSL_ERROR_SYSCALL:
+				case SSL_ERROR_SSL:
+					BIO_printf(bio_s_out,"ERROR\n");
+					ERR_print_errors(bio_err);
+					ret=1;
+					goto err;
+					/* break; */
+				case SSL_ERROR_ZERO_RETURN:
+					BIO_printf(bio_s_out,"DONE\n");
+					ret=1;
+					goto err;
+					}
+				l+=k;
+				i-=k;
+				if (i <= 0) break;
+				}
+			}
+		if (read_from_sslcon)
+			{
+			if (!SSL_is_init_finished(con))
+				{
+				i=init_ssl_connection(con);
+				
+				if (i < 0)
+					{
+					ret=0;
+					goto err;
+					}
+				else if (i == 0)
+					{
+					ret=1;
+					goto err;
+					}
+				}
+			else
+				{
+again:	
+				i=SSL_read(con,(char *)buf,bufsize);
+				switch (SSL_get_error(con,i))
+					{
+				case SSL_ERROR_NONE:
+#ifdef CHARSET_EBCDIC
+					ascii2ebcdic(buf,buf,i);
+#endif
+					write(fileno(stdout),buf,
+						(unsigned int)i);
+					if (SSL_pending(con)) goto again;
+					break;
+				case SSL_ERROR_WANT_WRITE:
+				case SSL_ERROR_WANT_READ:
+				case SSL_ERROR_WANT_X509_LOOKUP:
+					BIO_printf(bio_s_out,"Read BLOCK\n");
+					break;
+				case SSL_ERROR_SYSCALL:
+				case SSL_ERROR_SSL:
+					BIO_printf(bio_s_out,"ERROR\n");
+					ERR_print_errors(bio_err);
+					ret=1;
+					goto err;
+				case SSL_ERROR_ZERO_RETURN:
+					BIO_printf(bio_s_out,"DONE\n");
+					ret=1;
+					goto err;
+					}
+				}
+			}
+		}
+err:
+	BIO_printf(bio_s_out,"shutting down SSL\n");
+#if 1
+	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+#else
+	SSL_shutdown(con);
+#endif
+	if (con != NULL) SSL_free(con);
+	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
+	if (buf != NULL)
+		{
+		memset(buf,0,bufsize);
+		Free(buf);
+		}
+	if (ret >= 0)
+		BIO_printf(bio_s_out,"ACCEPT\n");
+	return(ret);
+	}
+
+static void close_accept_socket(void)
+	{
+	BIO_printf(bio_err,"shutdown accept socket\n");
+	if (accept_socket >= 0)
+		{
+		SHUTDOWN2(accept_socket);
+		}
+	}
+
+static int init_ssl_connection(SSL *con)
+	{
+	int i;
+	const char *str;
+	X509 *peer;
+	long verify_error;
+	MS_STATIC char buf[BUFSIZ];
+
+	if ((i=SSL_accept(con)) <= 0)
+		{
+		if (BIO_sock_should_retry(i))
+			{
+			BIO_printf(bio_s_out,"DELAY\n");
+			return(1);
+			}
+
+		BIO_printf(bio_err,"ERROR\n");
+		verify_error=SSL_get_verify_result(con);
+		if (verify_error != X509_V_OK)
+			{
+			BIO_printf(bio_err,"verify error:%s\n",
+				X509_verify_cert_error_string(verify_error));
+			}
+		else
+			ERR_print_errors(bio_err);
+		return(0);
+		}
+
+	PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
+
+	peer=SSL_get_peer_certificate(con);
+	if (peer != NULL)
+		{
+		BIO_printf(bio_s_out,"Client certificate\n");
+		PEM_write_bio_X509(bio_s_out,peer);
+		X509_NAME_oneline(X509_get_subject_name(peer),buf,BUFSIZ);
+		BIO_printf(bio_s_out,"subject=%s\n",buf);
+		X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ);
+		BIO_printf(bio_s_out,"issuer=%s\n",buf);
+		X509_free(peer);
+		}
+
+	if (SSL_get_shared_ciphers(con,buf,BUFSIZ) != NULL)
+		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
+	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
+	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+	if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
+	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
+		TLS1_FLAGS_TLS_PADDING_BUG)
+		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
+
+	return(1);
+	}
+
+#ifndef NO_DH
+static DH *load_dh_param(char *dhfile)
+	{
+	DH *ret=NULL;
+	BIO *bio;
+
+	if ((bio=BIO_new_file(dhfile,"r")) == NULL)
+		goto err;
+	ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
+err:
+	if (bio != NULL) BIO_free(bio);
+	return(ret);
+	}
+#endif
+
+#if 0
+static int load_CA(SSL_CTX *ctx, char *file)
+	{
+	FILE *in;
+	X509 *x=NULL;
+
+	if ((in=fopen(file,"r")) == NULL)
+		return(0);
+
+	for (;;)
+		{
+		if (PEM_read_X509(in,&x,NULL) == NULL)
+			break;
+		SSL_CTX_add_client_CA(ctx,x);
+		}
+	if (x != NULL) X509_free(x);
+	fclose(in);
+	return(1);
+	}
+#endif
+
+static int www_body(char *hostname, int s, unsigned char *context)
+	{
+	char *buf=NULL;
+	int ret=1;
+	int i,j,k,blank,dot;
+	struct stat st_buf;
+	SSL *con;
+	SSL_CIPHER *c;
+	BIO *io,*ssl_bio,*sbio;
+	long total_bytes;
+
+	buf=Malloc(bufsize);
+	if (buf == NULL) return(0);
+	io=BIO_new(BIO_f_buffer());
+	ssl_bio=BIO_new(BIO_f_ssl());
+	if ((io == NULL) || (ssl_bio == NULL)) goto err;
+
+#ifdef FIONBIO	
+	if (s_nbio)
+		{
+		unsigned long sl=1;
+
+		if (!s_quiet)
+			BIO_printf(bio_err,"turning on non blocking io\n");
+		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
+			ERR_print_errors(bio_err);
+		}
+#endif
+
+	/* lets make the output buffer a reasonable size */
+	if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
+
+	if ((con=SSL_new(ctx)) == NULL) goto err;
+	if(context) SSL_set_session_id_context(con, context,
+					       strlen((char *)context));
+
+	sbio=BIO_new_socket(s,BIO_NOCLOSE);
+	if (s_nbio_test)
+		{
+		BIO *test;
+
+		test=BIO_new(BIO_f_nbio_test());
+		sbio=BIO_push(test,sbio);
+		}
+	SSL_set_bio(con,sbio,sbio);
+	SSL_set_accept_state(con);
+
+	/* SSL_set_fd(con,s); */
+	BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
+	BIO_push(io,ssl_bio);
+#ifdef CHARSET_EBCDIC
+	io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io);
+#endif
+
+	if (s_debug)
+		{
+		con->debug=1;
+		BIO_set_callback(SSL_get_rbio(con),bio_dump_cb);
+		BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
+		}
+
+	blank=0;
+	for (;;)
+		{
+		if (hack)
+			{
+			i=SSL_accept(con);
+
+			switch (SSL_get_error(con,i))
+				{
+			case SSL_ERROR_NONE:
+				break;
+			case SSL_ERROR_WANT_WRITE:
+			case SSL_ERROR_WANT_READ:
+			case SSL_ERROR_WANT_X509_LOOKUP:
+				continue;
+			case SSL_ERROR_SYSCALL:
+			case SSL_ERROR_SSL:
+			case SSL_ERROR_ZERO_RETURN:
+				ret=1;
+				goto err;
+				/* break; */
+				}
+
+			SSL_renegotiate(con);
+			SSL_write(con,NULL,0);
+			}
+
+		i=BIO_gets(io,buf,bufsize-1);
+		if (i < 0) /* error */
+			{
+			if (!BIO_should_retry(io))
+				{
+				if (!s_quiet)
+					ERR_print_errors(bio_err);
+				goto err;
+				}
+			else
+				{
+				BIO_printf(bio_s_out,"read R BLOCK\n");
+#ifndef MSDOS
+				sleep(1);
+#endif
+				continue;
+				}
+			}
+		else if (i == 0) /* end of input */
+			{
+			ret=1;
+			goto end;
+			}
+
+		/* else we have data */
+		if (	((www == 1) && (strncmp("GET ",buf,4) == 0)) ||
+			((www == 2) && (strncmp("GET /stats ",buf,10) == 0)))
+			{
+			char *p;
+			X509 *peer;
+			STACK_OF(SSL_CIPHER) *sk;
+			static char *space="                          ";
+
+			BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
+			BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
+			BIO_puts(io,"<pre>\n");
+/*			BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
+			BIO_puts(io,"\n");
+			for (i=0; i<local_argc; i++)
+				{
+				BIO_puts(io,local_argv[i]);
+				BIO_write(io," ",1);
+				}
+			BIO_puts(io,"\n");
+
+			/* The following is evil and should not really
+			 * be done */
+			BIO_printf(io,"Ciphers supported in s_server binary\n");
+			sk=SSL_get_ciphers(con);
+			j=sk_SSL_CIPHER_num(sk);
+			for (i=0; i<j; i++)
+				{
+				c=sk_SSL_CIPHER_value(sk,i);
+				BIO_printf(io,"%-11s:%-25s",
+					SSL_CIPHER_get_version(c),
+					SSL_CIPHER_get_name(c));
+				if ((((i+1)%2) == 0) && (i+1 != j))
+					BIO_puts(io,"\n");
+				}
+			BIO_puts(io,"\n");
+			p=SSL_get_shared_ciphers(con,buf,bufsize);
+			if (p != NULL)
+				{
+				BIO_printf(io,"---\nCiphers common between both SSL end points:\n");
+				j=i=0;
+				while (*p)
+					{
+					if (*p == ':')
+						{
+						BIO_write(io,space,26-j);
+						i++;
+						j=0;
+						BIO_write(io,((i%3)?" ":"\n"),1);
+						}
+					else
+						{
+						BIO_write(io,p,1);
+						j++;
+						}
+					p++;
+					}
+				BIO_puts(io,"\n");
+				}
+			BIO_printf(io,((con->hit)
+				?"---\nReused, "
+				:"---\nNew, "));
+			c=SSL_get_current_cipher(con);
+			BIO_printf(io,"%s, Cipher is %s\n",
+				SSL_CIPHER_get_version(c),
+				SSL_CIPHER_get_name(c));
+			SSL_SESSION_print(io,SSL_get_session(con));
+			BIO_printf(io,"---\n");
+			print_stats(io,SSL_get_SSL_CTX(con));
+			BIO_printf(io,"---\n");
+			peer=SSL_get_peer_certificate(con);
+			if (peer != NULL)
+				{
+				BIO_printf(io,"Client certificate\n");
+				X509_print(io,peer);
+				PEM_write_bio_X509(io,peer);
+				}
+			else
+				BIO_puts(io,"no client certificate available\n");
+			BIO_puts(io,"</BODY></HTML>\r\n\r\n");
+			break;
+			}
+		else if ((www == 2) && (strncmp("GET /",buf,5) == 0))
+			{
+			BIO *file;
+			char *p,*e;
+			static char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
+
+			/* skip the '/' */
+			p= &(buf[5]);
+			dot=0;
+			for (e=p; *e != '\0'; e++)
+				{
+				if (e[0] == ' ') break;
+				if (	(e[0] == '.') &&
+					(strncmp(&(e[-1]),"/../",4) == 0))
+					dot=1;
+				}
+			
+
+			if (*e == '\0')
+				{
+				BIO_puts(io,text);
+				BIO_printf(io,"'%s' is an invalid file name\r\n",p);
+				break;
+				}
+			*e='\0';
+
+			if (dot)
+				{
+				BIO_puts(io,text);
+				BIO_printf(io,"'%s' contains '..' reference\r\n",p);
+				break;
+				}
+
+			if (*p == '/')
+				{
+				BIO_puts(io,text);
+				BIO_printf(io,"'%s' is an invalid path\r\n",p);
+				break;
+				}
+
+			/* append if a directory lookup */
+			if (e[-1] == '/')
+				strcat(p,"index.html");
+
+			/* if a directory, do the index thang */
+			if (stat(p,&st_buf) < 0)
+				{
+				BIO_puts(io,text);
+				BIO_printf(io,"Error accessing '%s'\r\n",p);
+				ERR_print_errors(io);
+				break;
+				}
+			if (S_ISDIR(st_buf.st_mode))
+				{
+				strcat(p,"/index.html");
+				}
+
+			if ((file=BIO_new_file(p,"r")) == NULL)
+				{
+				BIO_puts(io,text);
+				BIO_printf(io,"Error opening '%s'\r\n",p);
+				ERR_print_errors(io);
+				break;
+				}
+
+			if (!s_quiet)
+				BIO_printf(bio_err,"FILE:%s\n",p);
+
+			i=strlen(p);
+			if (	((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
+				((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
+				((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
+				BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
+			else
+				BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
+			/* send the file */
+			total_bytes=0;
+			for (;;)
+				{
+				i=BIO_read(file,buf,bufsize);
+				if (i <= 0) break;
+
+#ifdef RENEG
+				total_bytes+=i;
+				fprintf(stderr,"%d\n",i);
+				if (total_bytes > 3*1024)
+					{
+					total_bytes=0;
+					fprintf(stderr,"RENEGOTIATE\n");
+					SSL_renegotiate(con);
+					}
+#endif
+
+				for (j=0; j<i; )
+					{
+#ifdef RENEG
+{ static count=0; if (++count == 13) { SSL_renegotiate(con); } }
+#endif
+					k=BIO_write(io,&(buf[j]),i-j);
+					if (k <= 0)
+						{
+						if (!BIO_should_retry(io))
+							goto write_error;
+						else
+							{
+							BIO_printf(bio_s_out,"rwrite W BLOCK\n");
+							}
+						}
+					else
+						{
+						j+=k;
+						}
+					}
+				}
+write_error:
+			BIO_free(file);
+			break;
+			}
+		}
+
+	for (;;)
+		{
+		i=(int)BIO_flush(io);
+		if (i <= 0)
+			{
+			if (!BIO_should_retry(io))
+				break;
+			}
+		else
+			break;
+		}
+end:
+#if 1
+	/* make sure we re-use sessions */
+	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+#else
+	/* This kills performance */
+/*	SSL_shutdown(con); A shutdown gets sent in the
+ *	BIO_free_all(io) procession */
+#endif
+
+err:
+
+	if (ret >= 0)
+		BIO_printf(bio_s_out,"ACCEPT\n");
+
+	if (buf != NULL) Free(buf);
+	if (io != NULL) BIO_free_all(io);
+/*	if (ssl_bio != NULL) BIO_free(ssl_bio);*/
+	return(ret);
+	}
+
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
+	{
+	static RSA *rsa_tmp=NULL;
+
+	if (rsa_tmp == NULL)
+		{
+		if (!s_quiet)
+			{
+			BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
+			(void)BIO_flush(bio_err);
+			}
+		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
+		if (!s_quiet)
+			{
+			BIO_printf(bio_err,"\n");
+			(void)BIO_flush(bio_err);
+			}
+		}
+	return(rsa_tmp);
+	}
+#endif
diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c
new file mode 100644
index 0000000..081b1a5
--- /dev/null
+++ b/crypto/openssl/apps/s_socket.c
@@ -0,0 +1,540 @@
+/* apps/s_socket.c -  socket-related functions used by s_client and s_server */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+
+/* With IPv6, it looks like Digital has mixed up the proper order of
+   recursive header file inclusion, resulting in the compiler complaining
+   that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
+   is needed to have fileno() declared correctly...  So let's define u_int */
+#if defined(VMS) && defined(__DECC) && !defined(__U_INT)
+#define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#define USE_SOCKETS
+#define NON_MAIN
+#include "apps.h"
+#undef USE_SOCKETS
+#undef NON_MAIN
+#include "s_apps.h"
+#include <openssl/ssl.h>
+
+static struct hostent *GetHostByName(char *name);
+#ifdef WINDOWS
+static void sock_cleanup(void);
+#endif
+static int sock_init(void);
+static int init_client_ip(int *sock,unsigned char ip[4], int port);
+static int init_server(int *sock, int port);
+static int init_server_long(int *sock, int port,char *ip);
+static int do_accept(int acc_sock, int *sock, char **host);
+static int host_ip(char *str, unsigned char ip[4]);
+
+#ifdef WIN16
+#define SOCKET_PROTOCOL	0 /* more microsoft stupidity */
+#else
+#define SOCKET_PROTOCOL	IPPROTO_TCP
+#endif
+
+#ifdef WINDOWS
+static struct WSAData wsa_state;
+static int wsa_init_done=0;
+
+#ifdef WIN16
+static HWND topWnd=0;
+static FARPROC lpTopWndProc=NULL;
+static FARPROC lpTopHookProc=NULL;
+extern HINSTANCE _hInstance;  /* nice global CRT provides */
+
+static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
+	     LPARAM lParam)
+	{
+	if (hwnd == topWnd)
+		{
+		switch(message)
+			{
+		case WM_DESTROY:
+		case WM_CLOSE:
+			SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc);
+			sock_cleanup();
+			break;
+			}
+		}
+	return CallWindowProc(lpTopWndProc,hwnd,message,wParam,lParam);
+	}
+
+static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
+	{
+	topWnd=hwnd;
+	return(FALSE);
+	}
+
+#endif /* WIN32 */
+#endif /* WINDOWS */
+
+#ifdef WINDOWS
+static void sock_cleanup(void)
+	{
+	if (wsa_init_done)
+		{
+		wsa_init_done=0;
+		WSACancelBlockingCall();
+		WSACleanup();
+		}
+	}
+#endif
+
+static int sock_init(void)
+	{
+#ifdef WINDOWS
+	if (!wsa_init_done)
+		{
+		int err;
+	  
+#ifdef SIGINT
+		signal(SIGINT,(void (*)(int))sock_cleanup);
+#endif
+		wsa_init_done=1;
+		memset(&wsa_state,0,sizeof(wsa_state));
+		if (WSAStartup(0x0101,&wsa_state)!=0)
+			{
+			err=WSAGetLastError();
+			BIO_printf(bio_err,"unable to start WINSOCK, error code=%d\n",err);
+			return(0);
+			}
+
+#ifdef WIN16
+		EnumTaskWindows(GetCurrentTask(),enumproc,0L);
+		lpTopWndProc=(FARPROC)GetWindowLong(topWnd,GWL_WNDPROC);
+		lpTopHookProc=MakeProcInstance((FARPROC)topHookProc,_hInstance);
+
+		SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopHookProc);
+#endif /* WIN16 */
+		}
+#endif /* WINDOWS */
+	return(1);
+	}
+
+int init_client(int *sock, char *host, int port)
+	{
+	unsigned char ip[4];
+	short p=0;
+
+	if (!host_ip(host,&(ip[0])))
+		{
+		return(0);
+		}
+	if (p != 0) port=p;
+	return(init_client_ip(sock,ip,port));
+	}
+
+static int init_client_ip(int *sock, unsigned char ip[4], int port)
+	{
+	unsigned long addr;
+	struct sockaddr_in them;
+	int s,i;
+
+	if (!sock_init()) return(0);
+
+	memset((char *)&them,0,sizeof(them));
+	them.sin_family=AF_INET;
+	them.sin_port=htons((unsigned short)port);
+	addr=(unsigned long)
+		((unsigned long)ip[0]<<24L)|
+		((unsigned long)ip[1]<<16L)|
+		((unsigned long)ip[2]<< 8L)|
+		((unsigned long)ip[3]);
+	them.sin_addr.s_addr=htonl(addr);
+
+	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+
+	i=0;
+	i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+	if (i < 0) { perror("keepalive"); return(0); }
+
+	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
+		{ close(s); perror("connect"); return(0); }
+	*sock=s;
+	return(1);
+	}
+
+int do_server(int port, int *ret, int (*cb)(), char *context)
+	{
+	int sock;
+	char *name;
+	int accept_socket;
+	int i;
+
+	if (!init_server(&accept_socket,port)) return(0);
+
+	if (ret != NULL)
+		{
+		*ret=accept_socket;
+		/* return(1);*/
+		}
+	for (;;)
+		{
+		if (do_accept(accept_socket,&sock,&name) == 0)
+			{
+			SHUTDOWN(accept_socket);
+			return(0);
+			}
+		i=(*cb)(name,sock, context);
+		if (name != NULL) Free(name);
+		SHUTDOWN2(sock);
+		if (i < 0)
+			{
+			SHUTDOWN2(accept_socket);
+			return(i);
+			}
+		}
+	}
+
+static int init_server_long(int *sock, int port, char *ip)
+	{
+	int ret=0;
+	struct sockaddr_in server;
+	int s= -1,i;
+
+	if (!sock_init()) return(0);
+
+	memset((char *)&server,0,sizeof(server));
+	server.sin_family=AF_INET;
+	server.sin_port=htons((unsigned short)port);
+	if (ip == NULL)
+		server.sin_addr.s_addr=INADDR_ANY;
+	else
+/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
+#ifndef BIT_FIELD_LIMITS
+		memcpy(&server.sin_addr.s_addr,ip,4);
+#else
+		memcpy(&server.sin_addr,ip,4);
+#endif
+	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+
+	if (s == INVALID_SOCKET) goto err;
+#if defined SOL_SOCKET && defined SO_REUSEADDR
+		{
+		int j = 1;
+		setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+			   (void *) &j, sizeof j);
+		}
+#endif
+	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
+		{
+#ifndef WINDOWS
+		perror("bind");
+#endif
+		goto err;
+		}
+	/* Make it 128 for linux */
+	if (listen(s,128) == -1) goto err;
+	i=0;
+	*sock=s;
+	ret=1;
+err:
+	if ((ret == 0) && (s != -1))
+		{
+		SHUTDOWN(s);
+		}
+	return(ret);
+	}
+
+static int init_server(int *sock, int port)
+	{
+	return(init_server_long(sock, port, NULL));
+	}
+
+static int do_accept(int acc_sock, int *sock, char **host)
+	{
+	int ret,i;
+	struct hostent *h1,*h2;
+	static struct sockaddr_in from;
+	int len;
+/*	struct linger ling; */
+
+	if (!sock_init()) return(0);
+
+#ifndef WINDOWS
+redoit:
+#endif
+
+	memset((char *)&from,0,sizeof(from));
+	len=sizeof(from);
+	/* Note: under VMS with SOCKETSHR the fourth parameter is currently
+	 * of type (int *) whereas under other systems it is (void *) if
+	 * you don't have a cast it will choke the compiler: if you do
+	 * have a cast then you can either go for (int *) or (void *).
+	 */
+	ret=accept(acc_sock,(struct sockaddr *)&from,(void *)&len);
+	if (ret == INVALID_SOCKET)
+		{
+#ifdef WINDOWS
+		i=WSAGetLastError();
+		BIO_printf(bio_err,"accept error %d\n",i);
+#else
+		if (errno == EINTR)
+			{
+			/*check_timeout(); */
+			goto redoit;
+			}
+		fprintf(stderr,"errno=%d ",errno);
+		perror("accept");
+#endif
+		return(0);
+		}
+
+/*
+	ling.l_onoff=1;
+	ling.l_linger=0;
+	i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+	if (i < 0) { perror("linger"); return(0); }
+	i=0;
+	i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+	if (i < 0) { perror("keepalive"); return(0); }
+*/
+
+	if (host == NULL) goto end;
+#ifndef BIT_FIELD_LIMITS
+	/* I should use WSAAsyncGetHostByName() under windows */
+	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
+		sizeof(from.sin_addr.s_addr),AF_INET);
+#else
+	h1=gethostbyaddr((char *)&from.sin_addr,
+		sizeof(struct in_addr),AF_INET);
+#endif
+	if (h1 == NULL)
+		{
+		BIO_printf(bio_err,"bad gethostbyaddr\n");
+		*host=NULL;
+		/* return(0); */
+		}
+	else
+		{
+		if ((*host=(char *)Malloc(strlen(h1->h_name)+1)) == NULL)
+			{
+			perror("Malloc");
+			return(0);
+			}
+		strcpy(*host,h1->h_name);
+
+		h2=GetHostByName(*host);
+		if (h2 == NULL)
+			{
+			BIO_printf(bio_err,"gethostbyname failure\n");
+			return(0);
+			}
+		i=0;
+		if (h2->h_addrtype != AF_INET)
+			{
+			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+			return(0);
+			}
+		}
+end:
+	*sock=ret;
+	return(1);
+	}
+
+int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+	     short *port_ptr)
+	{
+	char *h,*p;
+
+	h=str;
+	p=strchr(str,':');
+	if (p == NULL)
+		{
+		BIO_printf(bio_err,"no port defined\n");
+		return(0);
+		}
+	*(p++)='\0';
+
+	if ((ip != NULL) && !host_ip(str,ip))
+		goto err;
+	if (host_ptr != NULL) *host_ptr=h;
+
+	if (!extract_port(p,port_ptr))
+		goto err;
+	return(1);
+err:
+	return(0);
+	}
+
+static int host_ip(char *str, unsigned char ip[4])
+	{
+	unsigned int in[4]; 
+	int i;
+
+	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
+		{
+		for (i=0; i<4; i++)
+			if (in[i] > 255)
+				{
+				BIO_printf(bio_err,"invalid IP address\n");
+				goto err;
+				}
+		ip[0]=in[0];
+		ip[1]=in[1];
+		ip[2]=in[2];
+		ip[3]=in[3];
+		}
+	else
+		{ /* do a gethostbyname */
+		struct hostent *he;
+
+		if (!sock_init()) return(0);
+
+		he=GetHostByName(str);
+		if (he == NULL)
+			{
+			BIO_printf(bio_err,"gethostbyname failure\n");
+			goto err;
+			}
+		/* cast to short because of win16 winsock definition */
+		if ((short)he->h_addrtype != AF_INET)
+			{
+			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+			return(0);
+			}
+		ip[0]=he->h_addr_list[0][0];
+		ip[1]=he->h_addr_list[0][1];
+		ip[2]=he->h_addr_list[0][2];
+		ip[3]=he->h_addr_list[0][3];
+		}
+	return(1);
+err:
+	return(0);
+	}
+
+int extract_port(char *str, short *port_ptr)
+	{
+	int i;
+	struct servent *s;
+
+	i=atoi(str);
+	if (i != 0)
+		*port_ptr=(unsigned short)i;
+	else
+		{
+		s=getservbyname(str,"tcp");
+		if (s == NULL)
+			{
+			BIO_printf(bio_err,"getservbyname failure for %s\n",str);
+			return(0);
+			}
+		*port_ptr=ntohs((unsigned short)s->s_port);
+		}
+	return(1);
+	}
+
+#define GHBN_NUM	4
+static struct ghbn_cache_st
+	{
+	char name[128];
+	struct hostent ent;
+	unsigned long order;
+	} ghbn_cache[GHBN_NUM];
+
+static unsigned long ghbn_hits=0L;
+static unsigned long ghbn_miss=0L;
+
+static struct hostent *GetHostByName(char *name)
+	{
+	struct hostent *ret;
+	int i,lowi=0;
+	unsigned long low= (unsigned long)-1;
+
+	for (i=0; i<GHBN_NUM; i++)
+		{
+		if (low > ghbn_cache[i].order)
+			{
+			low=ghbn_cache[i].order;
+			lowi=i;
+			}
+		if (ghbn_cache[i].order > 0)
+			{
+			if (strncmp(name,ghbn_cache[i].name,128) == 0)
+				break;
+			}
+		}
+	if (i == GHBN_NUM) /* no hit*/
+		{
+		ghbn_miss++;
+		ret=gethostbyname(name);
+		if (ret == NULL) return(NULL);
+		/* else add to cache */
+		strncpy(ghbn_cache[lowi].name,name,128);
+		memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
+		ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
+		return(ret);
+		}
+	else
+		{
+		ghbn_hits++;
+		ret= &(ghbn_cache[i].ent);
+		ghbn_cache[i].order=ghbn_miss+ghbn_hits;
+		return(ret);
+		}
+	}
diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c
new file mode 100644
index 0000000..39fd3b8
--- /dev/null
+++ b/crypto/openssl/apps/s_time.c
@@ -0,0 +1,689 @@
+/* apps/s_time.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define NO_SHUTDOWN
+
+/*-----------------------------------------
+   s_time - SSL client connection timer program
+   Written and donated by Larry Streepy <streepy@healthcare.com>
+  -----------------------------------------*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+#define USE_SOCKETS
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/pem.h>
+#include "apps.h"
+#include "s_apps.h"
+#include <openssl/err.h>
+#ifdef WIN32_STUFF
+#include "winmain.h"
+#include "wintext.h"
+#endif
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#ifdef _AIX
+#include <sys/select.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+/* The following if from times(3) man page.  It may need to be changed
+*/
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ      100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#undef PROG
+#define PROG s_time_main
+
+#undef ioctl
+#define ioctl ioctlsocket
+
+#define SSL_CONNECT_NAME	"localhost:4433"
+
+/*#define TEST_CERT "client.pem" */ /* no default cert. */
+
+#undef BUFSIZZ
+#define BUFSIZZ 1024*10
+
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+#define max(a,b) (((a) > (b)) ? (a) : (b))
+
+#undef SECONDS
+#define SECONDS	30
+extern int verify_depth;
+extern int verify_error;
+
+static void s_time_usage(void);
+static int parseArgs( int argc, char **argv );
+static SSL *doConnection( SSL *scon );
+static void s_time_init(void);
+
+/***********************************************************************
+ * Static data declarations
+ */
+
+/* static char *port=PORT_STR;*/
+static char *host=SSL_CONNECT_NAME;
+static char *t_cert_file=NULL;
+static char *t_key_file=NULL;
+static char *CApath=NULL;
+static char *CAfile=NULL;
+static char *tm_cipher=NULL;
+static int tm_verify = SSL_VERIFY_NONE;
+static int maxTime = SECONDS;
+static SSL_CTX *tm_ctx=NULL;
+static SSL_METHOD *s_time_meth=NULL;
+static char *s_www_path=NULL;
+static long bytes_read=0; 
+static int st_bugs=0;
+static int perform=0;
+#ifdef FIONBIO
+static int t_nbio=0;
+#endif
+#ifdef WIN32
+static int exitNow = 0;		/* Set when it's time to exit main */
+#endif
+
+static void s_time_init(void)
+	{
+	host=SSL_CONNECT_NAME;
+	t_cert_file=NULL;
+	t_key_file=NULL;
+	CApath=NULL;
+	CAfile=NULL;
+	tm_cipher=NULL;
+	tm_verify = SSL_VERIFY_NONE;
+	maxTime = SECONDS;
+	tm_ctx=NULL;
+	s_time_meth=NULL;
+	s_www_path=NULL;
+	bytes_read=0; 
+	st_bugs=0;
+	perform=0;
+
+#ifdef FIONBIO
+	t_nbio=0;
+#endif
+#ifdef WIN32
+	exitNow = 0;		/* Set when it's time to exit main */
+#endif
+	}
+
+/***********************************************************************
+ * usage - display usage message
+ */
+static void s_time_usage(void)
+{
+	static char umsg[] = "\
+-time arg     - max number of seconds to collect data, default %d\n\
+-verify arg   - turn on peer certificate verification, arg == depth\n\
+-cert arg     - certificate file to use, PEM format assumed\n\
+-key arg      - RSA file to use, PEM format assumed, key is in cert file\n\
+                file if not specified by this option\n\
+-CApath arg   - PEM format directory of CA's\n\
+-CAfile arg   - PEM format file of CA's\n\
+-cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+	printf( "usage: s_time <args>\n\n" );
+
+	printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
+#ifdef FIONBIO
+	printf("-nbio         - Run with non-blocking IO\n");
+	printf("-ssl2         - Just use SSLv2\n");
+	printf("-ssl3         - Just use SSLv3\n");
+	printf("-bugs         - Turn on SSL bug compatibility\n");
+	printf("-new          - Just time new connections\n");
+	printf("-reuse        - Just time connection reuse\n");
+	printf("-www page     - Retrieve 'page' from the site\n");
+#endif
+	printf( umsg,SECONDS );
+}
+
+/***********************************************************************
+ * parseArgs - Parse command line arguments and initialize data
+ *
+ * Returns 0 if ok, -1 on bad args
+ */
+static int parseArgs(int argc, char **argv)
+{
+    int badop = 0;
+
+    verify_depth=0;
+    verify_error=X509_V_OK;
+
+    argc--;
+    argv++;
+
+    while (argc >= 1) {
+	if (strcmp(*argv,"-connect") == 0)
+		{
+		if (--argc < 1) goto bad;
+		host= *(++argv);
+		}
+#if 0
+	else if( strcmp(*argv,"-host") == 0)
+		{
+		if (--argc < 1) goto bad;
+		host= *(++argv);
+		}
+	else if( strcmp(*argv,"-port") == 0)
+		{
+		if (--argc < 1) goto bad;
+		port= *(++argv);
+		}
+#endif
+	else if (strcmp(*argv,"-reuse") == 0)
+		perform=2;
+	else if (strcmp(*argv,"-new") == 0)
+		perform=1;
+	else if( strcmp(*argv,"-verify") == 0) {
+
+	    tm_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
+	    if (--argc < 1) goto bad;
+	    verify_depth=atoi(*(++argv));
+	    BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+
+	} else if( strcmp(*argv,"-cert") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    t_cert_file= *(++argv);
+
+	} else if( strcmp(*argv,"-key") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    t_key_file= *(++argv);
+
+	} else if( strcmp(*argv,"-CApath") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    CApath= *(++argv);
+
+	} else if( strcmp(*argv,"-CAfile") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    CAfile= *(++argv);
+
+	} else if( strcmp(*argv,"-cipher") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    tm_cipher= *(++argv);
+	}
+#ifdef FIONBIO
+	else if(strcmp(*argv,"-nbio") == 0) {
+	    t_nbio=1;
+	}
+#endif
+	else if(strcmp(*argv,"-www") == 0)
+		{
+		if (--argc < 1) goto bad;
+		s_www_path= *(++argv);
+		}
+	else if(strcmp(*argv,"-bugs") == 0)
+	    st_bugs=1;
+#ifndef NO_SSL2
+	else if(strcmp(*argv,"-ssl2") == 0)
+	    s_time_meth=SSLv2_client_method();
+#endif
+#ifndef NO_SSL3
+	else if(strcmp(*argv,"-ssl3") == 0)
+	    s_time_meth=SSLv3_client_method();
+#endif
+	else if( strcmp(*argv,"-time") == 0) {
+
+	    if (--argc < 1) goto bad;
+	    maxTime= atoi(*(++argv));
+	}
+	else {
+	    BIO_printf(bio_err,"unknown option %s\n",*argv);
+	    badop=1;
+	    break;
+	}
+
+	argc--;
+	argv++;
+    }
+
+    if (perform == 0) perform=3;
+
+    if(badop) {
+bad:
+		s_time_usage();
+		return -1;
+    }
+
+	return 0;			/* Valid args */
+}
+
+/***********************************************************************
+ * TIME - time functions
+ */
+#define START	0
+#define STOP	1
+
+static double tm_Time_F(int s)
+	{
+	static double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if(s == START) {
+		times(&tstart);
+		return(0);
+	} else {
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+	}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if(s == START) {
+		ftime(&tstart);
+		return(0);
+	} else {
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret == 0.0)?1e-6:ret);
+	}
+#endif
+}
+
+/***********************************************************************
+ * MAIN - main processing area for client
+ *			real name depends on MONOLITH
+ */
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	double totalTime = 0.0;
+	int nConn = 0;
+	SSL *scon=NULL;
+	long finishtime=0;
+	int ret=1,i;
+	MS_STATIC char buf[1024*8];
+	int ver;
+
+	apps_startup();
+	s_time_init();
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+	s_time_meth=SSLv23_client_method();
+#elif !defined(NO_SSL3)
+	s_time_meth=SSLv3_client_method();
+#elif !defined(NO_SSL2)
+	s_time_meth=SSLv2_client_method();
+#endif
+
+	/* parse the command line arguments */
+	if( parseArgs( argc, argv ) < 0 )
+		goto end;
+
+	OpenSSL_add_ssl_algorithms();
+	if ((tm_ctx=SSL_CTX_new(s_time_meth)) == NULL) return(1);
+
+	SSL_CTX_set_quiet_shutdown(tm_ctx,1);
+
+	if (st_bugs) SSL_CTX_set_options(tm_ctx,SSL_OP_ALL);
+	SSL_CTX_set_cipher_list(tm_ctx,tm_cipher);
+	if(!set_cert_stuff(tm_ctx,t_cert_file,t_key_file)) 
+		goto end;
+
+	SSL_load_error_strings();
+
+	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
+		{
+		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+		ERR_print_errors(bio_err);
+		/* goto end; */
+		}
+
+	if (tm_cipher == NULL)
+		tm_cipher = getenv("SSL_CIPHER");
+
+	if (tm_cipher == NULL ) {
+		fprintf( stderr, "No CIPHER specified\n" );
+/*		EXIT(1); */
+	}
+
+	if (!(perform & 1)) goto next;
+	printf( "Collecting connection statistics for %d seconds\n", maxTime );
+
+	/* Loop and time how long it takes to make connections */
+
+	bytes_read=0;
+	finishtime=(long)time(NULL)+maxTime;
+	tm_Time_F(START);
+	for (;;)
+		{
+		if (finishtime < time(NULL)) break;
+#ifdef WIN32_STUFF
+
+		if( flushWinMsgs(0) == -1 )
+			goto end;
+
+		if( waitingToDie || exitNow )		/* we're dead */
+			goto end;
+#endif
+
+		if( (scon = doConnection( NULL )) == NULL )
+			goto end;
+
+		if (s_www_path != NULL)
+			{
+			sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+			SSL_write(scon,buf,strlen(buf));
+			while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
+				bytes_read+=i;
+			}
+
+#ifdef NO_SHUTDOWN
+		SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+#else
+		SSL_shutdown(scon);
+#endif
+		SHUTDOWN2(SSL_get_fd(scon));
+
+		nConn += 1;
+		if (SSL_session_reused(scon))
+			ver='r';
+		else
+			{
+			ver=SSL_version(scon);
+			if (ver == TLS1_VERSION)
+				ver='t';
+			else if (ver == SSL3_VERSION)
+				ver='3';
+			else if (ver == SSL2_VERSION)
+				ver='2';
+			else
+				ver='*';
+			}
+		fputc(ver,stdout);
+		fflush(stdout);
+
+		SSL_free( scon );
+		scon=NULL;
+		}
+	totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
+
+	i=(int)(time(NULL)-finishtime+maxTime);
+	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+
+	/* Now loop and time connections using the same session id over and over */
+
+next:
+	if (!(perform & 2)) goto end;
+	printf( "\n\nNow timing with session id reuse.\n" );
+
+	/* Get an SSL object so we can reuse the session id */
+	if( (scon = doConnection( NULL )) == NULL )
+		{
+		fprintf( stderr, "Unable to get connection\n" );
+		goto end;
+		}
+
+	if (s_www_path != NULL)
+		{
+		sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+		SSL_write(scon,buf,strlen(buf));
+		while (SSL_read(scon,buf,sizeof(buf)) > 0)
+			;
+		}
+#ifdef NO_SHUTDOWN
+	SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+#else
+	SSL_shutdown(scon);
+#endif
+	SHUTDOWN2(SSL_get_fd(scon));
+
+	nConn = 0;
+	totalTime = 0.0;
+
+	finishtime=time(NULL)+maxTime;
+
+	printf( "starting\n" );
+	bytes_read=0;
+	tm_Time_F(START);
+		
+	for (;;)
+		{
+		if (finishtime < time(NULL)) break;
+
+#ifdef WIN32_STUFF
+		if( flushWinMsgs(0) == -1 )
+			goto end;
+
+		if( waitingToDie || exitNow )	/* we're dead */
+			goto end;
+#endif
+
+	 	if( (doConnection( scon )) == NULL )
+			goto end;
+
+		if (s_www_path)
+			{
+			sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+			SSL_write(scon,buf,strlen(buf));
+			while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
+				bytes_read+=i;
+			}
+
+#ifdef NO_SHUTDOWN
+		SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+#else
+		SSL_shutdown(scon);
+#endif
+		SHUTDOWN2(SSL_get_fd(scon));
+	
+		nConn += 1;
+		if (SSL_session_reused(scon))
+			ver='r';
+		else
+			{
+			ver=SSL_version(scon);
+			if (ver == TLS1_VERSION)
+				ver='t';
+			else if (ver == SSL3_VERSION)
+				ver='3';
+			else if (ver == SSL2_VERSION)
+				ver='2';
+			else
+				ver='*';
+			}
+		fputc(ver,stdout);
+		fflush(stdout);
+		}
+	totalTime += tm_Time_F(STOP); /* Add the time for this iteration*/
+
+
+	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+
+	ret=0;
+end:
+	if (scon != NULL) SSL_free(scon);
+
+	if (tm_ctx != NULL)
+		{
+		SSL_CTX_free(tm_ctx);
+		tm_ctx=NULL;
+		}
+	EXIT(ret);
+	}
+
+/***********************************************************************
+ * doConnection - make a connection
+ * Args:
+ *		scon	= earlier ssl connection for session id, or NULL
+ * Returns:
+ *		SSL *	= the connection pointer.
+ */
+static SSL *doConnection(SSL *scon)
+	{
+	BIO *conn;
+	SSL *serverCon;
+	int width, i;
+	fd_set readfds;
+
+	if ((conn=BIO_new(BIO_s_connect())) == NULL)
+		return(NULL);
+
+/*	BIO_set_conn_port(conn,port);*/
+	BIO_set_conn_hostname(conn,host);
+
+	if (scon == NULL)
+		serverCon=SSL_new(tm_ctx);
+	else
+		{
+		serverCon=scon;
+		SSL_set_connect_state(serverCon);
+		}
+
+	SSL_set_bio(serverCon,conn,conn);
+
+#if 0
+	if( scon != NULL )
+		SSL_set_session(serverCon,SSL_get_session(scon));
+#endif
+
+	/* ok, lets connect */
+	for(;;) {
+		i=SSL_connect(serverCon);
+		if (BIO_sock_should_retry(i))
+			{
+			BIO_printf(bio_err,"DELAY\n");
+
+			i=SSL_get_fd(serverCon);
+			width=i+1;
+			FD_ZERO(&readfds);
+			FD_SET(i,&readfds);
+			/* Note: under VMS with SOCKETSHR the 2nd parameter
+			 * is currently of type (int *) whereas under other
+			 * systems it is (void *) if you don't have a cast it
+			 * will choke the compiler: if you do have a cast then
+			 * you can either go for (int *) or (void *).
+			 */
+			select(width,(void *)&readfds,NULL,NULL,NULL);
+			continue;
+			}
+		break;
+		}
+	if(i <= 0)
+		{
+		BIO_printf(bio_err,"ERROR\n");
+		if (verify_error != X509_V_OK)
+			BIO_printf(bio_err,"verify error:%s\n",
+				X509_verify_cert_error_string(verify_error));
+		else
+			ERR_print_errors(bio_err);
+		if (scon == NULL)
+			SSL_free(serverCon);
+		return NULL;
+		}
+
+	return serverCon;
+	}
+
+
diff --git a/crypto/openssl/apps/server.pem b/crypto/openssl/apps/server.pem
new file mode 100644
index 0000000..c57b325
--- /dev/null
+++ b/crypto/openssl/apps/server.pem
@@ -0,0 +1,369 @@
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4
+MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
+cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
+Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9
+JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO
+IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ
+FUGcPZf9ND22Etc+AQ==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
+TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
+OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
+gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
+rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
+PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
+vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+-----END RSA PRIVATE KEY-----
+subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
+issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
+notBefore=950413210656Z
+notAfter =970412210656Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
+BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
+ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
+BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
+VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
+MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
+3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
+YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
+hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
+dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
+zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
+-----END X509 CERTIFICATE-----
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
+OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
+IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
+DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
+1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
+mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
+hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
+YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
+q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
+-----BEGIN X509 CERTIFICATE-----
+MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
+LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
+MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
+b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
+EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
+bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
+ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
+hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
+ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
+bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
+fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
+R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
+Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
+-----END X509 CERTIFICATE-----
+-----BEGIN X509 CERTIFICATE-----
+
+MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
+Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
+GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
+bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
+BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
+BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
+ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
+ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
+H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
+WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
+MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
+LC7obsrHD8XAHG+ZRG==
+-----END X509 CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
+MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
+DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
+CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
+amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
+iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
+U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
+zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
+BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
+/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
+lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
+S7ELuYGtmYgYm9NZOIr7yU0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
+A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
+aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
+LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
+gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
+ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
+dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
+SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
+bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
+OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
+GJNMJ4L0AJ/ac+SmHZc=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
+BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
+HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
+IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
+MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
+aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
+GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
+ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
+zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
+YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
+hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
+cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
+YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
+-----END CERTIFICATE-----
+
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
+OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
+NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
+40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
+22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
+BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
+Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
+xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
+cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
+subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+notBefore=941104185834Z
+notAfter =991103185834Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
+Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
+OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
+ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
+IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
+975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
+touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
+7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
+9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
+0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
+MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
+-----END X509 CERTIFICATE-----
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=941109235417Z
+notAfter =991231235417Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
+IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
+Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
+YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
+roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
+aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
+HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
+iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
+suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
+cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
+-----END X509 CERTIFICATE-----
+subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
+	/OU=Certification Services Division/CN=Thawte Server CA
+	/Email=server-certs@thawte.com
+issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
+	/OU=Certification Services Division/CN=Thawte Server CA
+	/Email=server-certs@thawte.com
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
+VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
+VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
+dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
+hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
+N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
+ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
+bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
+aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
+F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
+Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
+KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
+SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
+7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
+qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
+VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
+VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
+dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
+QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
+NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
+A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
+FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
+cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
+Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
+G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
+c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
+jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
+w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
+GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
+3VZdLbCVIhNoEsysrxCpxcI=
+-----END CERTIFICATE-----
+Tims test GCI CA
+
+-----BEGIN CERTIFICATE-----
+MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
+cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
+gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
+cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
+dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
+AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
+OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
+AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
+TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
+IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
+VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
+NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
+I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
+RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
+KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
+Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
+9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
+WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
+MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
+c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
+Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
+ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
+ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
+FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
+W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
+QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
+9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
+TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
+8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
+-----END CERTIFICATE-----
+
+ subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
+ issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
+
+-----BEGIN CERTIFICATE-----
+MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
+YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
+MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
+YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
+SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
+U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
+RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
+3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
+z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
+hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
+YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
+LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
+KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
+Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
+ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
+dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
+IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
+ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
+TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
+LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
+BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
+53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
+2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
+p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
+-----END CERTIFICATE-----
+
+ subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+ issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
+Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
+biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
+nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
+AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
+IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
+AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
+Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
+NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
+-----END CERTIFICATE-----
+ subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
+ issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
+Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
+biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
+9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
+IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
+O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
+AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
+g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
+yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/server.srl b/crypto/openssl/apps/server.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/crypto/openssl/apps/server.srl
@@ -0,0 +1 @@
+01
diff --git a/crypto/openssl/apps/server2.pem b/crypto/openssl/apps/server2.pem
new file mode 100644
index 0000000..8bb6641
--- /dev/null
+++ b/crypto/openssl/apps/server2.pem
@@ -0,0 +1,376 @@
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU0WhcNOTgwNjA5
+MTM1NzU0WjBkMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxJDAiBgNVBAMTG1NlcnZlciB0ZXN0IGNl
+cnQgKDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsxH1PBPm
+RkxrR11eV4bzNi4N9n11CI8nV29+ARlT1+qDe/mjVUvXlmsr1v/vf71G9GgqopSa
+6RXrICLVdk/FYYYzhPvl1M+OrjaXDFO8BzBAF1Lnz6c7aRZvGRJNrRSr2nZEkqDf
+JW9dY7r2VZEpD5QeuaRYUnuECkqeieB65GMCAwEAATANBgkqhkiG9w0BAQQFAAOB
+gQCWsOta6C0wiVzXz8wPmJKyTrurMlgUss2iSuW9366iwofZddsNg7FXniMzkIf6
+dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh
+8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV
+S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP
+pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB
+AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0
+dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY
+bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E
+Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq
+zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM
+6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf
+QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD
+dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M
+0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv
+nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA==
+-----END RSA PRIVATE KEY-----
+subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
+issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
+notBefore=950413210656Z
+notAfter =970412210656Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
+BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
+ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
+BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
+VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
+MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
+3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
+YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
+hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
+dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
+zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
+-----END X509 CERTIFICATE-----
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
+OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
+IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
+DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
+1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
+mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
+hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
+YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
+q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
+-----BEGIN X509 CERTIFICATE-----
+MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
+LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
+MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
+b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
+EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
+bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
+ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
+hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
+ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
+bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
+fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
+R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
+Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
+-----END X509 CERTIFICATE-----
+-----BEGIN X509 CERTIFICATE-----
+
+MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
+Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
+GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
+bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
+BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
+BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
+ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
+ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
+H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
+WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
+MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
+LC7obsrHD8XAHG+ZRG==
+-----END X509 CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
+MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
+DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
+CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
+amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
+iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
+U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
+zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
+BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
+/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
+lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
+S7ELuYGtmYgYm9NZOIr7yU0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
+A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
+aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
+LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
+gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
+ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
+dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
+SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
+bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
+OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
+GJNMJ4L0AJ/ac+SmHZc=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
+BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
+HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
+IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
+MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
+aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
+GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
+ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
+zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
+YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
+hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
+cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
+YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
+-----END CERTIFICATE-----
+
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
+OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
+NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
+40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
+22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
+BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
+Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
+xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
+cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
+subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+notBefore=941104185834Z
+notAfter =991103185834Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
+Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
+OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
+ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
+IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
+975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
+touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
+7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
+9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
+0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
+MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
+-----END X509 CERTIFICATE-----
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=941109235417Z
+notAfter =991231235417Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
+IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
+Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
+YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
+roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
+aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
+HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
+iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
+suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
+cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
+-----END X509 CERTIFICATE-----
+subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
+	/OU=Certification Services Division/CN=Thawte Server CA
+	/Email=server-certs@thawte.com
+issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
+	/OU=Certification Services Division/CN=Thawte Server CA
+	/Email=server-certs@thawte.com
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
+VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
+VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
+dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
+hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
+N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
+ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
+bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
+aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
+F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
+Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
+KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
+SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
+7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
+qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
+VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
+VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
+dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
+QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
+NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
+A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
+FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
+cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
+Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
+G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
+c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
+jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
+w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
+GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
+3VZdLbCVIhNoEsysrxCpxcI=
+-----END CERTIFICATE-----
+Tims test GCI CA
+
+-----BEGIN CERTIFICATE-----
+MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
+cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
+gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
+cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
+dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
+AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
+OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
+AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
+TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
+IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
+VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
+NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
+I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
+RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
+KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
+Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
+9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
+WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
+MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
+c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
+Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
+ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
+ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
+FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
+W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
+QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
+9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
+TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
+8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
+-----END CERTIFICATE-----
+
+ subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
+ issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
+
+-----BEGIN CERTIFICATE-----
+MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
+YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
+MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
+YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
+SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
+U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
+RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
+3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
+z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
+hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
+YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
+LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
+KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
+Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
+ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
+dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
+IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
+ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
+TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
+LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
+BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
+53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
+2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
+p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
+-----END CERTIFICATE-----
+
+ subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+ issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
+Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
+biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
+nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
+AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
+IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
+AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
+Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
+NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
+-----END CERTIFICATE-----
+ subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
+ issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
+Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
+biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
+9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
+IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
+O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
+AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
+g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
+yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/sess_id.c b/crypto/openssl/apps/sess_id.c
new file mode 100644
index 0000000..71d5aa0
--- /dev/null
+++ b/crypto/openssl/apps/sess_id.c
@@ -0,0 +1,311 @@
+/* apps/sess_id.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG	sess_id_main
+
+static char *sess_id_usage[]={
+"usage: sess_id args\n",
+"\n",
+" -inform arg     - input format - default PEM (DER or PEM)\n",
+" -outform arg    - output format - default PEM\n",
+" -in arg         - input file - default stdin\n",
+" -out arg        - output file - default stdout\n",
+" -text           - print ssl session id details\n",
+" -cert           - output certificate \n",
+" -noout          - no CRL output\n",
+" -context arg    - set the session ID context\n",
+NULL
+};
+
+static SSL_SESSION *load_sess_id(char *file, int format);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	SSL_SESSION *x=NULL;
+	int ret=1,i,num,badops=0;
+	BIO *out=NULL;
+	int informat,outformat;
+	char *infile=NULL,*outfile=NULL,*context=NULL;
+	int cert=0,noout=0,text=0;
+	char **pp;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	argc--;
+	argv++;
+	num=0;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-text") == 0)
+			text= ++num;
+		else if (strcmp(*argv,"-cert") == 0)
+			cert= ++num;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout= ++num;
+		else if (strcmp(*argv,"-context") == 0)
+		    {
+		    if(--argc < 1) goto bad;
+		    context=*++argv;
+		    }
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		for (pp=sess_id_usage; (*pp != NULL); pp++)
+			BIO_printf(bio_err,*pp);
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+	x=load_sess_id(infile,informat);
+	if (x == NULL) { goto end; }
+
+	if(context)
+	    {
+	    x->sid_ctx_length=strlen(context);
+	    if(x->sid_ctx_length > SSL_MAX_SID_CTX_LENGTH)
+		{
+		BIO_printf(bio_err,"Context too long\n");
+		goto end;
+		}
+	    memcpy(x->sid_ctx,context,x->sid_ctx_length);
+	    }
+
+#ifdef undef
+	/* just testing for memory leaks :-) */
+	{
+	SSL_SESSION *s;
+	char buf[1024*10],*p;
+	int i;
+
+	s=SSL_SESSION_new();
+
+	p= &buf;
+	i=i2d_SSL_SESSION(x,&p);
+	p= &buf;
+	d2i_SSL_SESSION(&s,&p,(long)i);
+	p= &buf;
+	d2i_SSL_SESSION(&s,&p,(long)i);
+	p= &buf;
+	d2i_SSL_SESSION(&s,&p,(long)i);
+	SSL_SESSION_free(s);
+	}
+#endif
+
+	if (!noout || text)
+		{
+		out=BIO_new(BIO_s_file());
+		if (out == NULL)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		if (outfile == NULL)
+			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+		else
+			{
+			if (BIO_write_filename(out,outfile) <= 0)
+				{
+				perror(outfile);
+				goto end;
+				}
+			}
+		}
+
+	if (text)
+		{
+		SSL_SESSION_print(out,x);
+
+		if (cert)
+			{
+			if (x->peer == NULL)
+				BIO_puts(out,"No certificate present\n");
+			else
+				X509_print(out,x->peer);
+			}
+		}
+
+	if (!noout && !cert)
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=(int)i2d_SSL_SESSION_bio(out,x);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_SSL_SESSION(out,x);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i) {
+			BIO_printf(bio_err,"unable to write SSL_SESSION\n");
+			goto end;
+			}
+		}
+	else if (!noout && (x->peer != NULL)) /* just print the certificate */
+		{
+		if 	(outformat == FORMAT_ASN1)
+			i=(int)i2d_X509_bio(out,x->peer);
+		else if (outformat == FORMAT_PEM)
+			i=PEM_write_bio_X509(out,x->peer);
+		else	{
+			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			goto end;
+			}
+		if (!i) {
+			BIO_printf(bio_err,"unable to write X509\n");
+			goto end;
+			}
+		}
+	ret=0;
+end:
+	if (out != NULL) BIO_free(out);
+	if (x != NULL) SSL_SESSION_free(x);
+	EXIT(ret);
+	}
+
+static SSL_SESSION *load_sess_id(char *infile, int format)
+	{
+	SSL_SESSION *x=NULL;
+	BIO *in=NULL;
+
+	in=BIO_new(BIO_s_file());
+	if (in == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+	if 	(format == FORMAT_ASN1)
+		x=d2i_SSL_SESSION_bio(in,NULL);
+	else if (format == FORMAT_PEM)
+		x=PEM_read_bio_SSL_SESSION(in,NULL,NULL,NULL);
+	else	{
+		BIO_printf(bio_err,"bad input format specified for input crl\n");
+		goto end;
+		}
+	if (x == NULL)
+		{
+		BIO_printf(bio_err,"unable to load SSL_SESSION\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	
+end:
+	if (in != NULL) BIO_free(in);
+	return(x);
+	}
+
diff --git a/crypto/openssl/apps/set/set-g-ca.pem b/crypto/openssl/apps/set/set-g-ca.pem
new file mode 100644
index 0000000..78499f0
--- /dev/null
+++ b/crypto/openssl/apps/set/set-g-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgYCYUeg8NJ9kO1q3z6vGCkAmPRfu5+Nur0FyGF79MADMw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtQ
+Q0ExMDIxMTgyODEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJyi5V7l1HohY6hN/2N9x6mvWeMy8rD1
+6lfXjgmiuGmhpaszWYaalesMcS2OGuG8Lq3PkaSzpVzqASKfIOjxLMsdpYyYJRub
+vRPDWi3xd8wlp9xUwWHKqn+ki8mPo0yN4eONwZZ4rcZr6K+tWd+5EJZSjuENJoQ/
+SRRmGRzdcS7XAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMjIwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwICBDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBn19R2
+AgGvpJDmfXrHTDdCoYyMkaP2MPzw0hFRwh+wqnw0/pqUXa7MrLXMqtD3rUyOWaNR
+9fYpJZd0Bh/1OeIc2+U+VNfUovLLuZ8nNemdxyq2KMYnHtnh7UdO7atZ+PFLVu8x
+a+J2Mtj8MGy12CJNTJcjLSrJ/1f3AuVrwELjlQ==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/set/set-m-ca.pem b/crypto/openssl/apps/set/set-m-ca.pem
new file mode 100644
index 0000000..0e74caf
--- /dev/null
+++ b/crypto/openssl/apps/set/set-m-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgEGvcf5aUnufALdVMa/dmPdflq1CoORGeK5DUwbqhVYcw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtN
+Q0ExMDIxMTgyNzEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALuWwr63YrT1GIZpYKfIeiVFHESG/FZO
+7RAJKml/p12ZyZ7D5YPP4BBXVsa1H8e8arR1LKC4rdCArrtKKlBeBiMo9+NB+u35
+FnLnTmfzM4iZ2Syw35DXY8+Xn/LM7RJ1RG+vMNcTqpoUg7QPye7flq2Pt7vVROPn
+SZxPyVxmILe3AgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMjEwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIDCDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQApaj0W
+GgyR47URZEZ7z83yivvnVErqtodub/nR1fMgJ4bDC0ofjA0SzXBP1/3eDq9VkPuS
+EKUw9BpM2XrSUKhJ6F1CbBjWpM0M7GC1nTSxMxmV+XL+Ab/Gn2SwozUApWtht29/
+x9VLB8qsi6wN2aOsVdQMl5iVCjGQYfEkyuoIgA==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/set/set_b_ca.pem b/crypto/openssl/apps/set/set_b_ca.pem
new file mode 100644
index 0000000..eba7d5c
--- /dev/null
+++ b/crypto/openssl/apps/set/set_b_ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgIgYClSzXgB3u31VMarY+lXwPKU9DtoBMzaaivuVzV9a9kw
+DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx
+ODI5MB4XDTk2MTAxNzAwMDAwMFoXDTk2MTExNjIzNTk1OVowRTELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC0JDQTEwMTcxMTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlBy
+b2R1Y3QgVHlwZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApPewvR0BwV02
+9E12ic48pMY/aMB6SkMEWPDx2hURr0DKYGJ6qMvzZn2pSfaVH1BqDtK6oK4Ye5Mj
+ItywwQIdXXO9Ut8+TLnvtzq9ByCJ0YThjZJBc7ZcpJxSV7QAoBON/lzxZuAVq3+L
+3uc39MgRwmBpRllZEpWrkojxs6166X0CAwEAAaOCAVcwggFTMFQGA1UdIwRNMEuh
+J6QlMCMxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtSQ0ExMDExMTgyOYIgVqenwCYv
+mmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud
+EAEB/wQkMCKADzE5OTYxMDE3MTc1NzAwWoEPMTk5NjExMTYyMzU5NTlaMBsGA1Ud
+IAEB/wQRMA8wDQYLYIZIAYb4RQEHAQEwEgYDVR0TAQH/BAgwBgEB/wIBATAPBgSG
+jW8DAQH/BAQDAgABMHkGBIaNbwcBAf8EbjBsMCQCAQAwCQYFKw4DAhoFAAQUMmY3
+NGIxYWY0ZmNjMDYwZjc2NzYTD3RlcnNlIHN0YXRlbWVudIAXaHR0cDovL3d3dy52
+ZXJpc2lnbi5jb22BGmdldHNldC1jZW50ZXJAdmVyaXNpZ24uY29tMA0GCSqGSIb3
+DQEBBQUAA4IBAQAWoMS8Aj2sO0LDxRoMcnWTKY8nd8Jw2vl2Mgsm+0qCvcndICM5
+43N0y9uHlP8WeCZULbFz95gTL8mfP/QTu4EctMUkQgRHJnx80f0XSF3HE/X6zBbI
+9rit/bF6yP1mhkdss/vGanReDpki7q8pLx+VIIcxWst/366HP3dW1Fb7ECW/WmVV
+VMN93f/xqk9I4sXchVZcVKQT3W4tzv+qQvugrEi1dSEkbAy1CITEAEGiaFhGUyCe
+WPox3guRXaEHoINNeajGrISe6d//alsz5EEroBoLnM2ryqWfLAtRsf4rjNzTgklw
+lbiz0fw7bNkXKp5ZVr0wlnOjQnoSM6dTI0AV
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/set/set_c_ca.pem b/crypto/openssl/apps/set/set_c_ca.pem
new file mode 100644
index 0000000..48b2cbd
--- /dev/null
+++ b/crypto/openssl/apps/set/set_c_ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgOnl8J6lAYNDdTWtIojWCGnloNf4ufHjOZ4Fkxwg5xOsw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtD
+Q0ExMDIxMTYxNjEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANA3a9+U8oXU3Dv1wJf8g0A7HjCRZAXc
+Y8E4OLOdye5aUssxifCE05qTPVqHMXo6cnCYcfroMdURhjQlswyTGtjQybgUnXjp
+pchw+V4D1DkN0ThErrMCh9ZFSykC0lUhQTRLESvbIb4Gal/HMAFAF5sj0GoOFi2H
+RRj7gpzBIU3xAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMTAwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIEEDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBteLaZ
+u/TASC64UWPfhxYAUdys9DQ1pG/J1qPWNTkjOmpXFvW+7l/3nkxyRPgUoFNwx1e7
+XVVPr6zhy8LaaXppwfIZvVryzAUdbtijiUf/MO0hvV3w7e9NlCVProdU5H9EvCXr
++IV8rH8fdEkirIVyw0JGHkuWhkmtS1HEwai9vg==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/set/set_d_ct.pem b/crypto/openssl/apps/set/set_d_ct.pem
new file mode 100644
index 0000000..9f8c7d8
--- /dev/null
+++ b/crypto/openssl/apps/set/set_d_ct.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAt+gAwIBAgIgRU5t24v72xVDpZ4iHpyoOAQaQmfio1yhTZAOkBfT2uUw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0NDQTEwMjEx
+NjE2MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjQw
+MDAwMDBaFw05NjExMjMyMzU5NTlaMG4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdC
+cmFuZElEMSYwJAYDVQQLEx1Jc3N1aW5nIEZpbmFuY2lhbCBJbnN0aXR1dGlvbjEl
+MCMGA1UEAxMcR2lYb0t0VjViN1V0MHZKa2hkSG5RYmNzc2JrPTBcMA0GCSqGSIb3
+DQEBAQUAA0sAMEgCQQDIUxgpNB1aoSW585WErtN8WInCRWCqDj3RGT2mJye0F4SM
+/iT5ywdWMasmw18vpEpDlMypfZnRkUAdfyHcRABVAgMBAAGjggFwMIIBbDB2BgNV
+HSMEbzBtoUmkRzBFMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQkNBMTAxNzExMDQx
+IDAeBgNVBAMTF0JyYW5kIE5hbWU6UHJvZHVjdCBUeXBlgiA6eXwnqUBg0N1Na0ii
+NYIaeWg1/i58eM5ngWTHCDnE6zAOBgNVHQ8BAf8EBAMCB4AwLgYDVR0QAQH/BCQw
+IoAPMTk5NjEwMjQwMTA0MDBagQ8xOTk2MTEyMzIzNTk1OVowGAYDVR0gBBEwDzAN
+BgtghkgBhvhFAQcBATAMBgNVHRMBAf8EAjAAMA8GBIaNbwMBAf8EBAMCB4AweQYE
+ho1vBwEB/wRuMGwwJAIBADAJBgUrDgMCGgUABBQzOTgyMzk4NzIzNzg5MTM0OTc4
+MhMPdGVyc2Ugc3RhdGVtZW50gBdodHRwOi8vd3d3LnZlcmlzaWduLmNvbYEaZ2V0
+c2V0LWNlbnRlckB2ZXJpc2lnbi5jb20wDQYJKoZIhvcNAQEFBQADgYEAVHCjhxeD
+mIFSkm3DpQAq7pGfcAFPWvSM9I9bK8qeFT1M5YQ+5fbPqaWlNcQlGKIe3cHd4+0P
+ndL5lb6UBhhA0kTzEYA38+HtBxPe/lokCv0bYfyWY9asUmvfbUrTYta0yjN7ixnV
+UqvxxHQHOAwhf6bcc7xNHapOxloWzGUU0RQ=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/set/set_root.pem b/crypto/openssl/apps/set/set_root.pem
new file mode 100644
index 0000000..8dd104f
--- /dev/null
+++ b/crypto/openssl/apps/set/set_root.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIgVqenwCYvmmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYw
+DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx
+ODI5MB4XDTk2MTAxMjAwMDAwMFoXDTk2MTExMTIzNTk1OVowIzELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC1JDQTEwMTExODI5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAukca0PVUGFIYX7EyrShi+dVi9GTNzG0V2Wtdw6DqFzKfedba/KpE
+zqnRDV/wRZlBn3oXPS6kNCFiBPRV9mEFXI7y2W+q8/vPurjRDIXMsqQ+dAhKwf4q
+rofJBTiET4NUN0YTtpx6aYuoVubjiOgKdbqnUArxAWWP2Dkco17ipEYyUtd4sTAe
+/xKR02AHpbYGYPSHjMDS/nzUJ7uX4d51phs0rt7If48ExJSnDV/KoHMfm42mdmH2
+g23005qdHKY3UXeh10tZmb3QtGTSvF6OqpRZ+e9/ALklu7ZcIjqbb944ci4QWemb
+ZNWiDFrWWUoO1k942BI/iZ8Fh8pETYSDBQIDAQABo4GGMIGDMA4GA1UdDwEB/wQE
+AwIBBjAuBgNVHRABAf8EJDAigA8xOTk2MTAxMjAxMzQwMFqBDzE5OTYxMTExMjM1
+OTU5WjAbBgNVHSABAf8EETAPMA0GC2CGSAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYB
+Af8CAQIwEAYEho1vAwEB/wQFAwMHAIAwDQYJKoZIhvcNAQEFBQADggEBAK4tntea
+y+ws7PdULwfqAS5osaoNvw73uBn5lROTpx91uhQbJyf0oZ3XG9GUuHZBpqG9qmr9
+vIL40RsvRpNMYgaNHKTxF716yx6rZmruAYZsrE3SpV63tQJCckKLPSge2E5uDhSQ
+O8UjusG+IRT9fKMXUHLv4OmZPOQVOSl1qTCN2XoJFqEPtC3Y9P4YR4xHL0P2jb1l
+DLdIbruuh+6omH+0XUZd5fKnQZTTi6gjl0iunj3wGnkcqGZtwr3j87ONiB/8tDwY
+vz8ceII4YYdX12PrNzn+fu3R5rChvPW4/ah/SaYQ2VQ0AupaIF4xrNJ/gLYYw0YO
+bxCrVJLd8tu9WgA=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
new file mode 100644
index 0000000..7dc66d6
--- /dev/null
+++ b/crypto/openssl/apps/smime.c
@@ -0,0 +1,535 @@
+/* smime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* S/MIME utility function */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+#undef PROG
+#define PROG smime_main
+static X509 *load_cert(char *file);
+static EVP_PKEY *load_key(char *file, char *pass);
+static STACK_OF(X509) *load_certs(char *file);
+static X509_STORE *setup_verify(char *CAfile, char *CApath);
+static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+
+#define SMIME_OP	0x10
+#define SMIME_ENCRYPT	(1 | SMIME_OP)
+#define SMIME_DECRYPT	2
+#define SMIME_SIGN	(3 | SMIME_OP)
+#define SMIME_VERIFY	4
+#define SMIME_PK7OUT	5
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+	int operation = 0;
+	int ret = 0;
+	char **args;
+	char *inmode = "r", *outmode = "w";
+	char *infile = NULL, *outfile = NULL;
+	char *signerfile = NULL, *recipfile = NULL;
+	char *certfile = NULL, *keyfile = NULL;
+	EVP_CIPHER *cipher = NULL;
+	PKCS7 *p7 = NULL;
+	X509_STORE *store = NULL;
+	X509 *cert = NULL, *recip = NULL, *signer = NULL;
+	EVP_PKEY *key = NULL;
+	STACK_OF(X509) *encerts = NULL, *other = NULL;
+	BIO *in = NULL, *out = NULL, *indata = NULL;
+	int badarg = 0;
+	int flags = PKCS7_DETACHED;
+	char *to = NULL, *from = NULL, *subject = NULL;
+	char *CAfile = NULL, *CApath = NULL;
+	char *passargin = NULL, *passin = NULL;
+	char *inrand = NULL;
+	int need_rand = 0;
+	args = argv + 1;
+
+	ret = 1;
+
+	while (!badarg && *args && *args[0] == '-') {
+		if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
+		else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
+		else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN;
+		else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY;
+		else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT;
+#ifndef NO_DES
+		else if (!strcmp (*args, "-des3")) 
+				cipher = EVP_des_ede3_cbc();
+		else if (!strcmp (*args, "-des")) 
+				cipher = EVP_des_cbc();
+#endif
+#ifndef NO_RC2
+		else if (!strcmp (*args, "-rc2-40")) 
+				cipher = EVP_rc2_40_cbc();
+		else if (!strcmp (*args, "-rc2-128")) 
+				cipher = EVP_rc2_cbc();
+		else if (!strcmp (*args, "-rc2-64")) 
+				cipher = EVP_rc2_64_cbc();
+#endif
+		else if (!strcmp (*args, "-text")) 
+				flags |= PKCS7_TEXT;
+		else if (!strcmp (*args, "-nointern")) 
+				flags |= PKCS7_NOINTERN;
+		else if (!strcmp (*args, "-noverify")) 
+				flags |= PKCS7_NOVERIFY;
+		else if (!strcmp (*args, "-nochain")) 
+				flags |= PKCS7_NOCHAIN;
+		else if (!strcmp (*args, "-nocerts")) 
+				flags |= PKCS7_NOCERTS;
+		else if (!strcmp (*args, "-noattr")) 
+				flags |= PKCS7_NOATTR;
+		else if (!strcmp (*args, "-nodetach")) 
+				flags &= ~PKCS7_DETACHED;
+		else if (!strcmp (*args, "-binary"))
+				flags |= PKCS7_BINARY;
+		else if (!strcmp (*args, "-nosigs"))
+				flags |= PKCS7_NOSIGS;
+		else if (!strcmp(*args,"-rand")) {
+			if (args[1]) {
+				args++;
+				inrand = *args;
+			} else badarg = 1;
+			need_rand = 1;
+		} else if (!strcmp(*args,"-passin")) {
+			if (args[1]) {
+				args++;
+				passargin = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-to")) {
+			if (args[1]) {
+				args++;
+				to = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-from")) {
+			if (args[1]) {
+				args++;
+				from = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-subject")) {
+			if (args[1]) {
+				args++;
+				subject = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-signer")) {
+			if (args[1]) {
+				args++;
+				signerfile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-recip")) {
+			if (args[1]) {
+				args++;
+				recipfile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-inkey")) {
+			if (args[1]) {
+				args++;
+				keyfile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-certfile")) {
+			if (args[1]) {
+				args++;
+				certfile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-CAfile")) {
+			if (args[1]) {
+				args++;
+				CAfile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-CApath")) {
+			if (args[1]) {
+				args++;
+				CApath = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-in")) {
+			if (args[1]) {
+				args++;
+				infile = *args;
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-out")) {
+			if (args[1]) {
+				args++;
+				outfile = *args;
+			} else badarg = 1;
+		} else badarg = 1;
+		args++;
+	}
+
+	if(operation == SMIME_SIGN) {
+		if(!signerfile) {
+			BIO_printf(bio_err, "No signer certificate specified\n");
+			badarg = 1;
+		}
+		need_rand = 1;
+	} else if(operation == SMIME_DECRYPT) {
+		if(!recipfile) {
+			BIO_printf(bio_err, "No recipient certificate and key specified\n");
+			badarg = 1;
+		}
+	} else if(operation == SMIME_ENCRYPT) {
+		if(!*args) {
+			BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+			badarg = 1;
+		}
+		need_rand = 1;
+	} else if(!operation) badarg = 1;
+
+	if (badarg) {
+		BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
+		BIO_printf (bio_err, "where options are\n");
+		BIO_printf (bio_err, "-encrypt       encrypt message\n");
+		BIO_printf (bio_err, "-decrypt       decrypt encrypted message\n");
+		BIO_printf (bio_err, "-sign          sign message\n");
+		BIO_printf (bio_err, "-verify        verify signed message\n");
+		BIO_printf (bio_err, "-pk7out        output PKCS#7 structure\n");
+#ifndef NO_DES
+		BIO_printf (bio_err, "-des3          encrypt with triple DES\n");
+		BIO_printf (bio_err, "-des           encrypt with DES\n");
+#endif
+#ifndef NO_RC2
+		BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
+		BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
+		BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
+#endif
+		BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
+		BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
+		BIO_printf (bio_err, "-noverify      don't verify signers certificate\n");
+		BIO_printf (bio_err, "-nocerts       don't include signers certificate when signing\n");
+		BIO_printf (bio_err, "-nodetach      use opaque signing\n");
+		BIO_printf (bio_err, "-noattr        don't include any signed attributes\n");
+		BIO_printf (bio_err, "-binary        don't translate message to text\n");
+		BIO_printf (bio_err, "-certfile file other certificates file\n");
+		BIO_printf (bio_err, "-signer file   signer certificate file\n");
+		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
+		BIO_printf (bio_err, "-in file       input file\n");
+		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
+		BIO_printf (bio_err, "-out file      output file\n");
+		BIO_printf (bio_err, "-to addr       to address\n");
+		BIO_printf (bio_err, "-from ad       from address\n");
+		BIO_printf (bio_err, "-subject s     subject\n");
+		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
+		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
+		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,  "               the random number generator\n");
+		BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
+		goto end;
+	}
+
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+	}
+
+	if (need_rand) {
+		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+		if (inrand != NULL)
+			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+				app_RAND_load_files(inrand));
+	}
+
+	ret = 2;
+
+	if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
+
+	if(flags & PKCS7_BINARY) {
+		if(operation & SMIME_OP) inmode = "rb";
+		else outmode = "rb";
+	}
+
+	if(operation == SMIME_ENCRYPT) {
+		if (!cipher) {
+#ifndef NO_RC2			
+			cipher = EVP_rc2_40_cbc();
+#else
+			BIO_printf(bio_err, "No cipher selected\n");
+			goto end;
+#endif
+		}
+		encerts = sk_X509_new_null();
+		while (*args) {
+			if(!(cert = load_cert(*args))) {
+				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
+				goto end;
+			}
+			sk_X509_push(encerts, cert);
+			cert = NULL;
+			args++;
+		}
+	}
+
+	if(signerfile && (operation == SMIME_SIGN)) {
+		if(!(signer = load_cert(signerfile))) {
+			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
+			goto end;
+		}
+	}
+
+	if(certfile) {
+		if(!(other = load_certs(certfile))) {
+			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if(recipfile && (operation == SMIME_DECRYPT)) {
+		if(!(recip = load_cert(recipfile))) {
+			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if(operation == SMIME_DECRYPT) {
+		if(!keyfile) keyfile = recipfile;
+	} else if(operation == SMIME_SIGN) {
+		if(!keyfile) keyfile = signerfile;
+	} else keyfile = NULL;
+
+	if(keyfile) {
+		if(!(key = load_key(keyfile, passin))) {
+			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if (infile) {
+		if (!(in = BIO_new_file(infile, inmode))) {
+			BIO_printf (bio_err,
+				 "Can't open input file %s\n", infile);
+			goto end;
+		}
+	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+	if (outfile) {
+		if (!(out = BIO_new_file(outfile, outmode))) {
+			BIO_printf (bio_err,
+				 "Can't open output file %s\n", outfile);
+			goto end;
+		}
+	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+	if(operation == SMIME_VERIFY) {
+		if(!(store = setup_verify(CAfile, CApath))) goto end;
+	}
+
+	ret = 3;
+
+	if(operation == SMIME_ENCRYPT) {
+		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
+	} else if(operation == SMIME_SIGN) {
+		p7 = PKCS7_sign(signer, key, other, in, flags);
+		BIO_reset(in);
+	} else {
+		if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
+			BIO_printf(bio_err, "Error reading S/MIME message\n");
+			goto end;
+		}
+	}
+
+	if(!p7) {
+		BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
+		goto end;
+	}
+
+	ret = 4;
+	if(operation == SMIME_DECRYPT) {
+		if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
+			BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
+			goto end;
+		}
+	} else if(operation == SMIME_VERIFY) {
+		STACK_OF(X509) *signers;
+		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
+			BIO_printf(bio_err, "Verification Successful\n");
+		} else {
+			BIO_printf(bio_err, "Verification Failure\n");
+			goto end;
+		}
+		signers = PKCS7_get0_signers(p7, other, flags);
+		if(!save_certs(signerfile, signers)) {
+			BIO_printf(bio_err, "Error writing signers to %s\n",
+								signerfile);
+			ret = 5;
+			goto end;
+		}
+		sk_X509_free(signers);
+	} else if(operation == SMIME_PK7OUT) {
+		PEM_write_bio_PKCS7(out, p7);
+	} else {
+		if(to) BIO_printf(out, "To: %s\n", to);
+		if(from) BIO_printf(out, "From: %s\n", from);
+		if(subject) BIO_printf(out, "Subject: %s\n", subject);
+		SMIME_write_PKCS7(out, p7, in, flags);
+	}
+	ret = 0;
+end:
+	if (need_rand)
+		app_RAND_write_file(NULL, bio_err);
+	if(ret) ERR_print_errors(bio_err);
+	sk_X509_pop_free(encerts, X509_free);
+	sk_X509_pop_free(other, X509_free);
+	X509_STORE_free(store);
+	X509_free(cert);
+	X509_free(recip);
+	X509_free(signer);
+	EVP_PKEY_free(key);
+	PKCS7_free(p7);
+	BIO_free(in);
+	BIO_free(indata);
+	BIO_free(out);
+	if(passin) Free(passin);
+	return (ret);
+}
+
+static X509 *load_cert(char *file)
+{
+	BIO *in;
+	X509 *cert;
+	if(!(in = BIO_new_file(file, "r"))) return NULL;
+	cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
+	BIO_free(in);
+	return cert;
+}
+
+static EVP_PKEY *load_key(char *file, char *pass)
+{
+	BIO *in;
+	EVP_PKEY *key;
+	if(!(in = BIO_new_file(file, "r"))) return NULL;
+	key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
+	BIO_free(in);
+	return key;
+}
+
+static STACK_OF(X509) *load_certs(char *file)
+{
+	BIO *in;
+	int i;
+	STACK_OF(X509) *othercerts;
+	STACK_OF(X509_INFO) *allcerts;
+	X509_INFO *xi;
+	if(!(in = BIO_new_file(file, "r"))) return NULL;
+	othercerts = sk_X509_new(NULL);
+	if(!othercerts) return NULL;
+	allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+	for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
+		xi = sk_X509_INFO_value (allcerts, i);
+		if (xi->x509) {
+			sk_X509_push(othercerts, xi->x509);
+			xi->x509 = NULL;
+		}
+	}
+	sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
+	BIO_free(in);
+	return othercerts;
+}
+
+static X509_STORE *setup_verify(char *CAfile, char *CApath)
+{
+	X509_STORE *store;
+	X509_LOOKUP *lookup;
+	if(!(store = X509_STORE_new())) goto end;
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+	if (lookup == NULL) goto end;
+	if (CAfile) {
+		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+			goto end;
+		}
+	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+		
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+	if (lookup == NULL) goto end;
+	if (CApath) {
+		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+			goto end;
+		}
+	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+	ERR_clear_error();
+	return store;
+	end:
+	X509_STORE_free(store);
+	return NULL;
+}
+
+static int save_certs(char *signerfile, STACK_OF(X509) *signers)
+{
+	int i;
+	BIO *tmp;
+	if(!signerfile) return 1;
+	tmp = BIO_new_file(signerfile, "w");
+	if(!tmp) return 0;
+	for(i = 0; i < sk_X509_num(signers); i++)
+		PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+	BIO_free(tmp);
+	return 1;
+}
+	
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
new file mode 100644
index 0000000..094326c
--- /dev/null
+++ b/crypto/openssl/apps/speed.c
@@ -0,0 +1,1215 @@
+/* apps/speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+/* most of this code has been pilfered from my libdes speed.c program */
+
+#undef SECONDS
+#define SECONDS		3	
+#define RSA_SECONDS	10
+#define DSA_SECONDS	10
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#undef PROG
+#define PROG speed_main
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <math.h>
+#include "apps.h"
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#ifndef NO_DES
+#include <openssl/des.h>
+#endif
+#ifndef NO_MD2
+#include <openssl/md2.h>
+#endif
+#ifndef NO_MDC2
+#include <openssl/mdc2.h>
+#endif
+#ifndef NO_MD5
+#include <openssl/md5.h>
+#endif
+#ifndef NO_HMAC
+#include <openssl/hmac.h>
+#endif
+#include <openssl/evp.h>
+#ifndef NO_SHA
+#include <openssl/sha.h>
+#endif
+#ifndef NO_RIPEMD
+#include <openssl/ripemd.h>
+#endif
+#ifndef NO_RC4
+#include <openssl/rc4.h>
+#endif
+#ifndef NO_RC5
+#include <openssl/rc5.h>
+#endif
+#ifndef NO_RC2
+#include <openssl/rc2.h>
+#endif
+#ifndef NO_IDEA
+#include <openssl/idea.h>
+#endif
+#ifndef NO_BF
+#include <openssl/blowfish.h>
+#endif
+#ifndef NO_CAST
+#include <openssl/cast.h>
+#endif
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#include "./testrsa.h"
+#endif
+#include <openssl/x509.h>
+#ifndef NO_DSA
+#include "./testdsa.h"
+#endif
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#undef BUFSIZE
+#define BUFSIZE	((long)1024*8+1)
+int run=0;
+
+static double Time_F(int s);
+static void print_message(char *s,long num,int length);
+static void pkey_print_message(char *str,char *str2,long num,int bits,int sec);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif 
+
+static SIGRETTYPE sig_done(int sig);
+static SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+static double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret < 1e-3)?1e-3:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret < 0.001)?0.001:ret);
+		}
+#endif
+	}
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	unsigned char *buf=NULL,*buf2=NULL;
+	int mret=1;
+#define ALGOR_NUM	14
+#define SIZE_NUM	5
+#define RSA_NUM		4
+#define DSA_NUM		3
+	long count,rsa_count;
+	int i,j,k;
+	unsigned rsa_num,rsa_num2;
+#ifndef NO_MD2
+	unsigned char md2[MD2_DIGEST_LENGTH];
+#endif
+#ifndef NO_MDC2
+	unsigned char mdc2[MDC2_DIGEST_LENGTH];
+#endif
+#ifndef NO_MD5
+	unsigned char md5[MD5_DIGEST_LENGTH];
+	unsigned char hmac[MD5_DIGEST_LENGTH];
+#endif
+#ifndef NO_SHA
+	unsigned char sha[SHA_DIGEST_LENGTH];
+#endif
+#ifndef NO_RIPEMD
+	unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
+#endif
+#ifndef NO_RC4
+	RC4_KEY rc4_ks;
+#endif
+#ifndef NO_RC5
+	RC5_32_KEY rc5_ks;
+#endif
+#ifndef NO_RC2
+	RC2_KEY rc2_ks;
+#endif
+#ifndef NO_IDEA
+	IDEA_KEY_SCHEDULE idea_ks;
+#endif
+#ifndef NO_BF
+	BF_KEY bf_ks;
+#endif
+#ifndef NO_CAST
+	CAST_KEY cast_ks;
+#endif
+	static unsigned char key16[16]=
+		{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	unsigned char iv[8];
+#ifndef NO_DES
+	des_cblock *buf_as_des_cblock = NULL;
+	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	des_key_schedule sch,sch2,sch3;
+#endif
+#define	D_MD2		0
+#define	D_MDC2		1
+#define	D_MD5		2
+#define	D_HMAC		3
+#define	D_SHA1		4
+#define D_RMD160	5
+#define	D_RC4		6
+#define	D_CBC_DES	7
+#define	D_EDE3_DES	8
+#define	D_CBC_IDEA	9
+#define	D_CBC_RC2	10
+#define	D_CBC_RC5	11
+#define	D_CBC_BF	12
+#define	D_CBC_CAST	13
+	double d,results[ALGOR_NUM][SIZE_NUM];
+	static int lengths[SIZE_NUM]={8,64,256,1024,8*1024};
+	long c[ALGOR_NUM][SIZE_NUM];
+	static char *names[ALGOR_NUM]={
+		"md2","mdc2","md5","hmac(md5)","sha1","rmd160","rc4",
+		"des cbc","des ede3","idea cbc",
+		"rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc"};
+#define	R_DSA_512	0
+#define	R_DSA_1024	1
+#define	R_DSA_2048	2
+#define	R_RSA_512	0
+#define	R_RSA_1024	1
+#define	R_RSA_2048	2
+#define	R_RSA_4096	3
+#ifndef NO_RSA
+	RSA *rsa_key[RSA_NUM];
+	long rsa_c[RSA_NUM][2];
+	double rsa_results[RSA_NUM][2];
+	static unsigned int rsa_bits[RSA_NUM]={512,1024,2048,4096};
+	static unsigned char *rsa_data[RSA_NUM]=
+		{test512,test1024,test2048,test4096};
+	static int rsa_data_length[RSA_NUM]={
+		sizeof(test512),sizeof(test1024),
+		sizeof(test2048),sizeof(test4096)};
+#endif
+#ifndef NO_DSA
+	DSA *dsa_key[DSA_NUM];
+	long dsa_c[DSA_NUM][2];
+	double dsa_results[DSA_NUM][2];
+	static unsigned int dsa_bits[DSA_NUM]={512,1024,2048};
+#endif
+	int rsa_doit[RSA_NUM];
+	int dsa_doit[DSA_NUM];
+	int doit[ALGOR_NUM];
+	int pr_header=0;
+
+	apps_startup();
+	memset(results, 0, sizeof(results));
+#ifndef NO_DSA
+	memset(dsa_key,0,sizeof(dsa_key));
+#endif
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+#ifndef NO_RSA
+	memset(rsa_key,0,sizeof(rsa_key));
+	for (i=0; i<RSA_NUM; i++)
+		rsa_key[i]=NULL;
+#endif
+
+	if ((buf=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		goto end;
+		}
+#ifndef NO_DES
+	buf_as_des_cblock = (des_cblock *)buf;
+#endif
+	if ((buf2=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+		{
+		BIO_printf(bio_err,"out of memory\n");
+		goto end;
+		}
+
+	memset(c,0,sizeof(c));
+	memset(iv,0,sizeof(iv));
+
+	for (i=0; i<ALGOR_NUM; i++)
+		doit[i]=0;
+	for (i=0; i<RSA_NUM; i++)
+		rsa_doit[i]=0;
+	for (i=0; i<DSA_NUM; i++)
+		dsa_doit[i]=0;
+	
+	j=0;
+	argc--;
+	argv++;
+	while (argc)
+		{
+#ifndef NO_MD2
+		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
+		else
+#endif
+#ifndef NO_MDC2
+			if (strcmp(*argv,"mdc2") == 0) doit[D_MDC2]=1;
+		else
+#endif
+#ifndef NO_MD5
+			if (strcmp(*argv,"md5") == 0) doit[D_MD5]=1;
+		else
+#endif
+#ifndef NO_MD5
+			if (strcmp(*argv,"hmac") == 0) doit[D_HMAC]=1;
+		else
+#endif
+#ifndef NO_SHA
+			if (strcmp(*argv,"sha1") == 0) doit[D_SHA1]=1;
+		else
+			if (strcmp(*argv,"sha") == 0) doit[D_SHA1]=1;
+		else
+#endif
+#ifndef NO_RIPEMD
+			if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1;
+		else
+			if (strcmp(*argv,"rmd160") == 0) doit[D_RMD160]=1;
+		else
+			if (strcmp(*argv,"ripemd160") == 0) doit[D_RMD160]=1;
+		else
+#endif
+#ifndef NO_RC4
+			if (strcmp(*argv,"rc4") == 0) doit[D_RC4]=1;
+		else 
+#endif
+#ifndef NO_DES
+			if (strcmp(*argv,"des-cbc") == 0) doit[D_CBC_DES]=1;
+		else	if (strcmp(*argv,"des-ede3") == 0) doit[D_EDE3_DES]=1;
+		else
+#endif
+#ifndef NO_RSA
+#ifndef RSA_NULL
+			if (strcmp(*argv,"openssl") == 0) 
+			{
+			RSA_set_default_method(RSA_PKCS1());
+			j--;
+			}
+		else
+#endif
+#endif /* !NO_RSA */
+		     if (strcmp(*argv,"dsa512") == 0) dsa_doit[R_DSA_512]=2;
+		else if (strcmp(*argv,"dsa1024") == 0) dsa_doit[R_DSA_1024]=2;
+		else if (strcmp(*argv,"dsa2048") == 0) dsa_doit[R_DSA_2048]=2;
+		else if (strcmp(*argv,"rsa512") == 0) rsa_doit[R_RSA_512]=2;
+		else if (strcmp(*argv,"rsa1024") == 0) rsa_doit[R_RSA_1024]=2;
+		else if (strcmp(*argv,"rsa2048") == 0) rsa_doit[R_RSA_2048]=2;
+		else if (strcmp(*argv,"rsa4096") == 0) rsa_doit[R_RSA_4096]=2;
+		else
+#ifndef NO_RC2
+		     if (strcmp(*argv,"rc2-cbc") == 0) doit[D_CBC_RC2]=1;
+		else if (strcmp(*argv,"rc2") == 0) doit[D_CBC_RC2]=1;
+		else
+#endif
+#ifndef NO_RC5
+		     if (strcmp(*argv,"rc5-cbc") == 0) doit[D_CBC_RC5]=1;
+		else if (strcmp(*argv,"rc5") == 0) doit[D_CBC_RC5]=1;
+		else
+#endif
+#ifndef NO_IDEA
+		     if (strcmp(*argv,"idea-cbc") == 0) doit[D_CBC_IDEA]=1;
+		else if (strcmp(*argv,"idea") == 0) doit[D_CBC_IDEA]=1;
+		else
+#endif
+#ifndef NO_BF
+		     if (strcmp(*argv,"bf-cbc") == 0) doit[D_CBC_BF]=1;
+		else if (strcmp(*argv,"blowfish") == 0) doit[D_CBC_BF]=1;
+		else if (strcmp(*argv,"bf") == 0) doit[D_CBC_BF]=1;
+		else
+#endif
+#ifndef NO_CAST
+		     if (strcmp(*argv,"cast-cbc") == 0) doit[D_CBC_CAST]=1;
+		else if (strcmp(*argv,"cast") == 0) doit[D_CBC_CAST]=1;
+		else if (strcmp(*argv,"cast5") == 0) doit[D_CBC_CAST]=1;
+		else
+#endif
+#ifndef NO_DES
+			if (strcmp(*argv,"des") == 0)
+			{
+			doit[D_CBC_DES]=1;
+			doit[D_EDE3_DES]=1;
+			}
+		else
+#endif
+#ifndef NO_RSA
+			if (strcmp(*argv,"rsa") == 0)
+			{
+			rsa_doit[R_RSA_512]=1;
+			rsa_doit[R_RSA_1024]=1;
+			rsa_doit[R_RSA_2048]=1;
+			rsa_doit[R_RSA_4096]=1;
+			}
+		else
+#endif
+#ifndef NO_DSA
+			if (strcmp(*argv,"dsa") == 0)
+			{
+			dsa_doit[R_DSA_512]=1;
+			dsa_doit[R_DSA_1024]=1;
+			}
+		else
+#endif
+			{
+			BIO_printf(bio_err,"bad value, pick one of\n");
+			BIO_printf(bio_err,"md2      mdc2	md5      hmac      sha1    rmd160\n");
+#ifndef NO_IDEA
+			BIO_printf(bio_err,"idea-cbc ");
+#endif
+#ifndef NO_RC2
+			BIO_printf(bio_err,"rc2-cbc  ");
+#endif
+#ifndef NO_RC5
+			BIO_printf(bio_err,"rc5-cbc  ");
+#endif
+#ifndef NO_BF
+			BIO_printf(bio_err,"bf-cbc");
+#endif
+#if !defined(NO_IDEA) && !defined(NO_RC2) && !defined(NO_BF) && !defined(NO_RC5)
+			BIO_printf(bio_err,"\n");
+#endif
+			BIO_printf(bio_err,"des-cbc  des-ede3 ");
+#ifndef NO_RC4
+			BIO_printf(bio_err,"rc4");
+#endif
+#ifndef NO_RSA
+			BIO_printf(bio_err,"\nrsa512   rsa1024  rsa2048  rsa4096\n");
+#endif
+#ifndef NO_DSA
+			BIO_printf(bio_err,"\ndsa512   dsa1024  dsa2048\n");
+#endif
+			BIO_printf(bio_err,"idea     rc2      des      rsa    blowfish\n");
+			goto end;
+			}
+		argc--;
+		argv++;
+		j++;
+		}
+
+	if (j == 0)
+		{
+		for (i=0; i<ALGOR_NUM; i++)
+			doit[i]=1;
+		for (i=0; i<RSA_NUM; i++)
+			rsa_doit[i]=1;
+		for (i=0; i<DSA_NUM; i++)
+			dsa_doit[i]=1;
+		}
+	for (i=0; i<ALGOR_NUM; i++)
+		if (doit[i]) pr_header++;
+
+#ifndef TIMES
+	BIO_printf(bio_err,"To get the most accurate results, try to run this\n");
+	BIO_printf(bio_err,"program when this computer is idle.\n");
+#endif
+
+#ifndef NO_RSA
+	for (i=0; i<RSA_NUM; i++)
+		{
+		unsigned char *p;
+
+		p=rsa_data[i];
+		rsa_key[i]=d2i_RSAPrivateKey(NULL,&p,rsa_data_length[i]);
+		if (rsa_key[i] == NULL)
+			{
+			BIO_printf(bio_err,"internal error loading RSA key number %d\n",i);
+			goto end;
+			}
+#if 0
+		else
+			{
+			BIO_printf(bio_err,"Loaded RSA key, %d bit modulus and e= 0x",BN_num_bits(rsa_key[i]->n));
+			BN_print(bio_err,rsa_key[i]->e);
+			BIO_printf(bio_err,"\n");
+			}
+#endif
+		}
+#endif
+
+#ifndef NO_DSA
+	dsa_key[0]=get_dsa512();
+	dsa_key[1]=get_dsa1024();
+	dsa_key[2]=get_dsa2048();
+#endif
+
+#ifndef NO_DES
+	des_set_key_unchecked(&key,sch);
+	des_set_key_unchecked(&key2,sch2);
+	des_set_key_unchecked(&key3,sch3);
+#endif
+#ifndef NO_IDEA
+	idea_set_encrypt_key(key16,&idea_ks);
+#endif
+#ifndef NO_RC4
+	RC4_set_key(&rc4_ks,16,key16);
+#endif
+#ifndef NO_RC2
+	RC2_set_key(&rc2_ks,16,key16,128);
+#endif
+#ifndef NO_RC5
+	RC5_32_set_key(&rc5_ks,16,key16,12);
+#endif
+#ifndef NO_BF
+	BF_set_key(&bf_ks,16,key16);
+#endif
+#ifndef NO_CAST
+	CAST_set_key(&cast_ks,16,key16);
+#endif
+#ifndef NO_RSA
+	memset(rsa_c,0,sizeof(rsa_c));
+#endif
+#ifndef SIGALRM
+#ifndef NO_DES
+	BIO_printf(bio_err,"First we calculate the approximate speed ...\n");
+	count=10;
+	do	{
+		long i;
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			des_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock,
+				&(sch[0]),DES_ENCRYPT);
+		d=Time_F(STOP);
+		} while (d <3);
+	c[D_MD2][0]=count/10;
+	c[D_MDC2][0]=count/10;
+	c[D_MD5][0]=count;
+	c[D_HMAC][0]=count;
+	c[D_SHA1][0]=count;
+	c[D_RMD160][0]=count;
+	c[D_RC4][0]=count*5;
+	c[D_CBC_DES][0]=count;
+	c[D_EDE3_DES][0]=count/3;
+	c[D_CBC_IDEA][0]=count;
+	c[D_CBC_RC2][0]=count;
+	c[D_CBC_RC5][0]=count;
+	c[D_CBC_BF][0]=count;
+	c[D_CBC_CAST][0]=count;
+
+	for (i=1; i<SIZE_NUM; i++)
+		{
+		c[D_MD2][i]=c[D_MD2][0]*4*lengths[0]/lengths[i];
+		c[D_MDC2][i]=c[D_MDC2][0]*4*lengths[0]/lengths[i];
+		c[D_MD5][i]=c[D_MD5][0]*4*lengths[0]/lengths[i];
+		c[D_HMAC][i]=c[D_HMAC][0]*4*lengths[0]/lengths[i];
+		c[D_SHA1][i]=c[D_SHA1][0]*4*lengths[0]/lengths[i];
+		c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i];
+		}
+	for (i=1; i<SIZE_NUM; i++)
+		{
+		long l0,l1;
+
+		l0=(long)lengths[i-1];
+		l1=(long)lengths[i];
+		c[D_RC4][i]=c[D_RC4][i-1]*l0/l1;
+		c[D_CBC_DES][i]=c[D_CBC_DES][i-1]*l0/l1;
+		c[D_EDE3_DES][i]=c[D_EDE3_DES][i-1]*l0/l1;
+		c[D_CBC_IDEA][i]=c[D_CBC_IDEA][i-1]*l0/l1;
+		c[D_CBC_RC2][i]=c[D_CBC_RC2][i-1]*l0/l1;
+		c[D_CBC_RC5][i]=c[D_CBC_RC5][i-1]*l0/l1;
+		c[D_CBC_BF][i]=c[D_CBC_BF][i-1]*l0/l1;
+		c[D_CBC_CAST][i]=c[D_CBC_CAST][i-1]*l0/l1;
+		}
+#ifndef NO_RSA
+	rsa_c[R_RSA_512][0]=count/2000;
+	rsa_c[R_RSA_512][1]=count/400;
+	for (i=1; i<RSA_NUM; i++)
+		{
+		rsa_c[i][0]=rsa_c[i-1][0]/8;
+		rsa_c[i][1]=rsa_c[i-1][1]/4;
+		if ((rsa_doit[i] <= 1) && (rsa_c[i][0] == 0))
+			rsa_doit[i]=0;
+		else
+			{
+			if (rsa_c[i][0] == 0)
+				{
+				rsa_c[i][0]=1;
+				rsa_c[i][1]=20;
+				}
+			}				
+		}
+#endif
+
+	dsa_c[R_DSA_512][0]=count/1000;
+	dsa_c[R_DSA_512][1]=count/1000/2;
+	for (i=1; i<DSA_NUM; i++)
+		{
+		dsa_c[i][0]=dsa_c[i-1][0]/4;
+		dsa_c[i][1]=dsa_c[i-1][1]/4;
+		if ((dsa_doit[i] <= 1) && (dsa_c[i][0] == 0))
+			dsa_doit[i]=0;
+		else
+			{
+			if (dsa_c[i] == 0)
+				{
+				dsa_c[i][0]=1;
+				dsa_c[i][1]=1;
+				}
+			}				
+		}
+
+#define COND(d)	(count < (d))
+#define COUNT(d) (d)
+#else
+/* not worth fixing */
+# error "You cannot disable DES on systems without SIGALRM."
+#endif /* NO_DES */
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+#endif /* SIGALRM */
+
+#ifndef NO_MD2
+	if (doit[D_MD2])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_MD2],c[D_MD2][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_MD2][j]); count++)
+				MD2(buf,(unsigned long)lengths[j],&(md2[0]));
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_MD2],d);
+			results[D_MD2][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_MDC2
+	if (doit[D_MDC2])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_MDC2],c[D_MDC2][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_MDC2][j]); count++)
+				MDC2(buf,(unsigned long)lengths[j],&(mdc2[0]));
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_MDC2],d);
+			results[D_MDC2][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+
+#ifndef NO_MD5
+	if (doit[D_MD5])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_MD5],c[D_MD5][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_MD5][j]); count++)
+				MD5(&(buf[0]),(unsigned long)lengths[j],&(md5[0]));
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_MD5],d);
+			results[D_MD5][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+
+#if !defined(NO_MD5) && !defined(NO_HMAC)
+	if (doit[D_HMAC])
+		{
+		HMAC_CTX hctx;
+		HMAC_Init(&hctx,(unsigned char *)"This is a key...",
+			16,EVP_md5());
+
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_HMAC],c[D_HMAC][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_HMAC][j]); count++)
+				{
+				HMAC_Init(&hctx,NULL,0,NULL);
+                                HMAC_Update(&hctx,buf,lengths[j]);
+                                HMAC_Final(&hctx,&(hmac[0]),NULL);
+				}
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_HMAC],d);
+			results[D_HMAC][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_SHA
+	if (doit[D_SHA1])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_SHA1],c[D_SHA1][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_SHA1][j]); count++)
+				SHA1(buf,(unsigned long)lengths[j],&(sha[0]));
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_SHA1],d);
+			results[D_SHA1][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_RIPEMD
+	if (doit[D_RMD160])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_RMD160],c[D_RMD160][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_RMD160][j]); count++)
+				RIPEMD160(buf,(unsigned long)lengths[j],&(rmd160[0]));
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_RMD160],d);
+			results[D_RMD160][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_RC4
+	if (doit[D_RC4])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_RC4],c[D_RC4][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_RC4][j]); count++)
+				RC4(&rc4_ks,(unsigned int)lengths[j],
+					buf,buf);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_RC4],d);
+			results[D_RC4][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_DES
+	if (doit[D_CBC_DES])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_DES],c[D_CBC_DES][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_DES][j]); count++)
+				des_ncbc_encrypt(buf,buf,lengths[j],sch,
+						 &iv,DES_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_DES],d);
+			results[D_CBC_DES][j]=((double)count)/d*lengths[j];
+			}
+		}
+
+	if (doit[D_EDE3_DES])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_EDE3_DES],c[D_EDE3_DES][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_EDE3_DES][j]); count++)
+				des_ede3_cbc_encrypt(buf,buf,lengths[j],
+						     sch,sch2,sch3,
+						     &iv,DES_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_EDE3_DES],d);
+			results[D_EDE3_DES][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_IDEA
+	if (doit[D_CBC_IDEA])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_IDEA],c[D_CBC_IDEA][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_IDEA][j]); count++)
+				idea_cbc_encrypt(buf,buf,
+					(unsigned long)lengths[j],&idea_ks,
+					iv,IDEA_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_IDEA],d);
+			results[D_CBC_IDEA][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_RC2
+	if (doit[D_CBC_RC2])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_RC2],c[D_CBC_RC2][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_RC2][j]); count++)
+				RC2_cbc_encrypt(buf,buf,
+					(unsigned long)lengths[j],&rc2_ks,
+					iv,RC2_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_RC2],d);
+			results[D_CBC_RC2][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_RC5
+	if (doit[D_CBC_RC5])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_RC5],c[D_CBC_RC5][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_RC5][j]); count++)
+				RC5_32_cbc_encrypt(buf,buf,
+					(unsigned long)lengths[j],&rc5_ks,
+					iv,RC5_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_RC5],d);
+			results[D_CBC_RC5][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_BF
+	if (doit[D_CBC_BF])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_BF],c[D_CBC_BF][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_BF][j]); count++)
+				BF_cbc_encrypt(buf,buf,
+					(unsigned long)lengths[j],&bf_ks,
+					iv,BF_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_BF],d);
+			results[D_CBC_BF][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+#ifndef NO_CAST
+	if (doit[D_CBC_CAST])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_CBC_CAST],c[D_CBC_CAST][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_CBC_CAST][j]); count++)
+				CAST_cbc_encrypt(buf,buf,
+					(unsigned long)lengths[j],&cast_ks,
+					iv,CAST_ENCRYPT);
+			d=Time_F(STOP);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_CBC_CAST],d);
+			results[D_CBC_CAST][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+
+	RAND_pseudo_bytes(buf,36);
+#ifndef NO_RSA
+	for (j=0; j<RSA_NUM; j++)
+		{
+		int ret;
+		if (!rsa_doit[j]) continue;
+		ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num, rsa_key[j]);
+		pkey_print_message("private","rsa",rsa_c[j][0],rsa_bits[j],
+			RSA_SECONDS);
+/*		RSA_blinding_on(rsa_key[j],NULL); */
+		Time_F(START);
+		for (count=0,run=1; COND(rsa_c[j][0]); count++)
+			{
+			ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num,
+								 rsa_key[j]);
+			if (ret <= 0)
+				{
+				BIO_printf(bio_err,"RSA private encrypt failure\n");
+				ERR_print_errors(bio_err);
+				count=1;
+				break;
+				}
+			}
+		d=Time_F(STOP);
+		BIO_printf(bio_err,"%ld %d bit private RSA's in %.2fs\n",
+			count,rsa_bits[j],d);
+		rsa_results[j][0]=d/(double)count;
+		rsa_count=count;
+
+#if 1
+		ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]);
+		pkey_print_message("public","rsa",rsa_c[j][1],rsa_bits[j],
+			RSA_SECONDS);
+		Time_F(START);
+		for (count=0,run=1; COND(rsa_c[j][1]); count++)
+			{
+			ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num,
+								rsa_key[j]);
+			if (ret <= 0)
+				{
+				BIO_printf(bio_err,"RSA verify failure\n");
+				ERR_print_errors(bio_err);
+				count=1;
+				break;
+				}
+			}
+		d=Time_F(STOP);
+		BIO_printf(bio_err,"%ld %d bit public RSA's in %.2fs\n",
+			count,rsa_bits[j],d);
+		rsa_results[j][1]=d/(double)count;
+#endif
+
+		if (rsa_count <= 1)
+			{
+			/* if longer than 10s, don't do any more */
+			for (j++; j<RSA_NUM; j++)
+				rsa_doit[j]=0;
+			}
+		}
+#endif
+
+	RAND_pseudo_bytes(buf,20);
+#ifndef NO_DSA
+	if (RAND_status() != 1)
+		{
+		RAND_seed(rnd_seed, sizeof rnd_seed);
+		rnd_fake = 1;
+		}
+	for (j=0; j<DSA_NUM; j++)
+		{
+		unsigned int kk;
+
+		if (!dsa_doit[j]) continue;
+		DSA_generate_key(dsa_key[j]);
+/*		DSA_sign_setup(dsa_key[j],NULL); */
+		rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+			&kk,dsa_key[j]);
+		pkey_print_message("sign","dsa",dsa_c[j][0],dsa_bits[j],
+			DSA_SECONDS);
+		Time_F(START);
+		for (count=0,run=1; COND(dsa_c[j][0]); count++)
+			{
+			rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+				&kk,dsa_key[j]);
+			if (rsa_num == 0)
+				{
+				BIO_printf(bio_err,"DSA sign failure\n");
+				ERR_print_errors(bio_err);
+				count=1;
+				break;
+				}
+			}
+		d=Time_F(STOP);
+		BIO_printf(bio_err,"%ld %d bit DSA signs in %.2fs\n",
+			count,dsa_bits[j],d);
+		dsa_results[j][0]=d/(double)count;
+		rsa_count=count;
+
+		rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+			kk,dsa_key[j]);
+		pkey_print_message("verify","dsa",dsa_c[j][1],dsa_bits[j],
+			DSA_SECONDS);
+		Time_F(START);
+		for (count=0,run=1; COND(dsa_c[j][1]); count++)
+			{
+			rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+				kk,dsa_key[j]);
+			if (rsa_num2 == 0)
+				{
+				BIO_printf(bio_err,"DSA verify failure\n");
+				ERR_print_errors(bio_err);
+				count=1;
+				break;
+				}
+			}
+		d=Time_F(STOP);
+		BIO_printf(bio_err,"%ld %d bit DSA verify in %.2fs\n",
+			count,dsa_bits[j],d);
+		dsa_results[j][1]=d/(double)count;
+
+		if (rsa_count <= 1)
+			{
+			/* if longer than 10s, don't do any more */
+			for (j++; j<DSA_NUM; j++)
+				dsa_doit[j]=0;
+			}
+		}
+	if (rnd_fake) RAND_cleanup();
+#endif
+
+	fprintf(stdout,"%s\n",SSLeay_version(SSLEAY_VERSION));
+        fprintf(stdout,"%s\n",SSLeay_version(SSLEAY_BUILT_ON));
+	printf("options:");
+	printf("%s ",BN_options());
+#ifndef NO_MD2
+	printf("%s ",MD2_options());
+#endif
+#ifndef NO_RC4
+	printf("%s ",RC4_options());
+#endif
+#ifndef NO_DES
+	printf("%s ",des_options());
+#endif
+#ifndef NO_IDEA
+	printf("%s ",idea_options());
+#endif
+#ifndef NO_BF
+	printf("%s ",BF_options());
+#endif
+	fprintf(stdout,"\n%s\n",SSLeay_version(SSLEAY_CFLAGS));
+
+	if (pr_header)
+		{
+		fprintf(stdout,"The 'numbers' are in 1000s of bytes per second processed.\n"); 
+		fprintf(stdout,"type        ");
+		for (j=0;  j<SIZE_NUM; j++)
+			fprintf(stdout,"%7d bytes",lengths[j]);
+		fprintf(stdout,"\n");
+		}
+
+	for (k=0; k<ALGOR_NUM; k++)
+		{
+		if (!doit[k]) continue;
+		fprintf(stdout,"%-13s",names[k]);
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			if (results[k][j] > 10000)
+				fprintf(stdout," %11.2fk",results[k][j]/1e3);
+			else
+				fprintf(stdout," %11.2f ",results[k][j]);
+			}
+		fprintf(stdout,"\n");
+		}
+#ifndef NO_RSA
+	j=1;
+	for (k=0; k<RSA_NUM; k++)
+		{
+		if (!rsa_doit[k]) continue;
+		if (j)
+			{
+			printf("%18ssign    verify    sign/s verify/s\n"," ");
+			j=0;
+			}
+		fprintf(stdout,"rsa %4u bits %8.4fs %8.4fs %8.1f %8.1f",
+			rsa_bits[k],rsa_results[k][0],rsa_results[k][1],
+			1.0/rsa_results[k][0],1.0/rsa_results[k][1]);
+		fprintf(stdout,"\n");
+		}
+#endif
+#ifndef NO_DSA
+	j=1;
+	for (k=0; k<DSA_NUM; k++)
+		{
+		if (!dsa_doit[k]) continue;
+		if (j)	{
+			printf("%18ssign    verify    sign/s verify/s\n"," ");
+			j=0;
+			}
+		fprintf(stdout,"dsa %4u bits %8.4fs %8.4fs %8.1f %8.1f",
+			dsa_bits[k],dsa_results[k][0],dsa_results[k][1],
+			1.0/dsa_results[k][0],1.0/dsa_results[k][1]);
+		fprintf(stdout,"\n");
+		}
+#endif
+	mret=0;
+end:
+	if (buf != NULL) Free(buf);
+	if (buf2 != NULL) Free(buf2);
+#ifndef NO_RSA
+	for (i=0; i<RSA_NUM; i++)
+		if (rsa_key[i] != NULL)
+			RSA_free(rsa_key[i]);
+#endif
+#ifndef NO_DSA
+	for (i=0; i<DSA_NUM; i++)
+		if (dsa_key[i] != NULL)
+			DSA_free(dsa_key[i]);
+#endif
+	EXIT(mret);
+	}
+
+static void print_message(char *s, long num, int length)
+	{
+#ifdef SIGALRM
+	BIO_printf(bio_err,"Doing %s for %ds on %d size blocks: ",s,SECONDS,length);
+	(void)BIO_flush(bio_err);
+	alarm(SECONDS);
+#else
+	BIO_printf(bio_err,"Doing %s %ld times on %d size blocks: ",s,num,length);
+	(void)BIO_flush(bio_err);
+#endif
+#ifdef LINT
+	num=num;
+#endif
+	}
+
+static void pkey_print_message(char *str, char *str2, long num, int bits,
+	     int tm)
+	{
+#ifdef SIGALRM
+	BIO_printf(bio_err,"Doing %d bit %s %s's for %ds: ",bits,str,str2,tm);
+	(void)BIO_flush(bio_err);
+	alarm(RSA_SECONDS);
+#else
+	BIO_printf(bio_err,"Doing %ld %d bit %s %s's: ",num,bits,str,str2);
+	(void)BIO_flush(bio_err);
+#endif
+#ifdef LINT
+	num=num;
+#endif
+	}
+
diff --git a/crypto/openssl/apps/spkac.c b/crypto/openssl/apps/spkac.c
new file mode 100644
index 0000000..f3ee7e3
--- /dev/null
+++ b/crypto/openssl/apps/spkac.c
@@ -0,0 +1,276 @@
+/* apps/spkac.c */
+
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999. Based on an original idea by Massimiliano Pala
+ * (madwolf@openca.org).
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/lhash.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	spkac_main
+
+/* -in arg	- input file - default stdin
+ * -out arg	- output file - default stdout
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,badops=0, ret = 1;
+	BIO *in = NULL,*out = NULL, *key = NULL;
+	int verify=0,noout=0,pubkey=0;
+	char *infile = NULL,*outfile = NULL,*prog;
+	char *passargin = NULL, *passin = NULL;
+	char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
+	char *challenge = NULL, *keyfile = NULL;
+	LHASH *conf = NULL;
+	NETSCAPE_SPKI *spki = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	apps_startup();
+
+	if (!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-challenge") == 0)
+			{
+			if (--argc < 1) goto bad;
+			challenge= *(++argv);
+			}
+		else if (strcmp(*argv,"-spkac") == 0)
+			{
+			if (--argc < 1) goto bad;
+			spkac= *(++argv);
+			}
+		else if (strcmp(*argv,"-spksect") == 0)
+			{
+			if (--argc < 1) goto bad;
+			spksect= *(++argv);
+			}
+		else if (strcmp(*argv,"-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-pubkey") == 0)
+			pubkey=1;
+		else if (strcmp(*argv,"-verify") == 0)
+			verify=1;
+		else badops = 1;
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err,"%s [options]\n",prog);
+		BIO_printf(bio_err,"where options are\n");
+		BIO_printf(bio_err," -in arg        input file\n");
+		BIO_printf(bio_err," -out arg       output file\n");
+		BIO_printf(bio_err," -key arg       create SPKAC using private key\n");
+		BIO_printf(bio_err," -passin arg    input file pass phrase source\n");
+		BIO_printf(bio_err," -challenge arg challenge string\n");
+		BIO_printf(bio_err," -spkac arg     alternative SPKAC name\n");
+		BIO_printf(bio_err," -noout         don't print SPKAC\n");
+		BIO_printf(bio_err," -pubkey        output public key\n");
+		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+	}
+
+	if(keyfile) {
+		if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
+		else key = BIO_new_fp(stdin, BIO_NOCLOSE);
+		if(!key) {
+			BIO_printf(bio_err, "Error opening key file\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, passin);
+		if(!pkey) {
+			BIO_printf(bio_err, "Error reading private key\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		spki = NETSCAPE_SPKI_new();
+		if(challenge) ASN1_STRING_set(spki->spkac->challenge,
+						 challenge, strlen(challenge));
+		NETSCAPE_SPKI_set_pubkey(spki, pkey);
+		NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
+		spkstr = NETSCAPE_SPKI_b64_encode(spki);
+
+		if (outfile) out = BIO_new_file(outfile, "w");
+		else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+		if(!out) {
+			BIO_printf(bio_err, "Error opening output file\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		BIO_printf(out, "SPKAC=%s\n", spkstr);
+		Free(spkstr);
+		ret = 0;
+		goto end;
+	}
+
+	
+
+	if (infile) in = BIO_new_file(infile, "r");
+	else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+	if(!in) {
+		BIO_printf(bio_err, "Error opening input file\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	conf = CONF_load_bio(NULL, in, NULL);
+
+	if(!conf) {
+		BIO_printf(bio_err, "Error parsing config file\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	spkstr = CONF_get_string(conf, spksect, spkac);
+		
+	if(!spkstr) {
+		BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
+	
+	if(!spki) {
+		BIO_printf(bio_err, "Error loading SPKAC\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	if (outfile) out = BIO_new_file(outfile, "w");
+	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+	if(!out) {
+		BIO_printf(bio_err, "Error opening output file\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	if(!noout) NETSCAPE_SPKI_print(out, spki);
+	pkey = NETSCAPE_SPKI_get_pubkey(spki);
+	if(verify) {
+		i = NETSCAPE_SPKI_verify(spki, pkey);
+		if(i) BIO_printf(bio_err, "Signature OK\n");
+		else {
+			BIO_printf(bio_err, "Signature Failure\n");
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+	if(pubkey) PEM_write_bio_PUBKEY(out, pkey);
+
+	ret = 0;
+
+end:
+	CONF_free(conf);
+	NETSCAPE_SPKI_free(spki);
+	BIO_free(in);
+	BIO_free(out);
+	BIO_free(key);
+	EVP_PKEY_free(pkey);
+	if(passin) Free(passin);
+	EXIT(ret);
+	}
diff --git a/crypto/openssl/apps/testCA.pem b/crypto/openssl/apps/testCA.pem
new file mode 100644
index 0000000..dcb710a
--- /dev/null
+++ b/crypto/openssl/apps/testCA.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBBzCBsgIBADBNMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEX
+MBUGA1UEChMOTWluY29tIFB0eSBMdGQxEDAOBgNVBAMTB1RFU1QgQ0EwXDANBgkq
+hkiG9w0BAQEFAANLADBIAkEAzW9brgA8efT2ODB+NrsflJZj3KKqKsm4OrXTRqfL
+VETj1ws/zCXl42XJAxdWQMCP0liKfc9Ut4xi1qCVI7N07wIDAQABoAAwDQYJKoZI
+hvcNAQEEBQADQQBjZZ42Det9Uw0AFwJy4ufUEy5Cv74pxBp5SZnljgHY+Az0Hs2S
+uNkIegr2ITX5azKi9nOkg9ZmsmGG13FIjiC/
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/apps/testdsa.h b/crypto/openssl/apps/testdsa.h
new file mode 100644
index 0000000..f0bfbb1
--- /dev/null
+++ b/crypto/openssl/apps/testdsa.h
@@ -0,0 +1,151 @@
+/* NOCW */
+/* used by apps/speed.c */
+DSA *get_dsa512(void );
+DSA *get_dsa1024(void );
+DSA *get_dsa2048(void );
+static unsigned char dsa512_p[]={
+	0x9D,0x1B,0x69,0x8E,0x26,0xDB,0xF2,0x2B,0x11,0x70,0x19,0x86,
+	0xF6,0x19,0xC8,0xF8,0x19,0xF2,0x18,0x53,0x94,0x46,0x06,0xD0,
+	0x62,0x50,0x33,0x4B,0x02,0x3C,0x52,0x30,0x03,0x8B,0x3B,0xF9,
+	0x5F,0xD1,0x24,0x06,0x4F,0x7B,0x4C,0xBA,0xAA,0x40,0x9B,0xFD,
+	0x96,0xE4,0x37,0x33,0xBB,0x2D,0x5A,0xD7,0x5A,0x11,0x40,0x66,
+	0xA2,0x76,0x7D,0x31,
+	};
+static unsigned char dsa512_q[]={
+	0xFB,0x53,0xEF,0x50,0xB4,0x40,0x92,0x31,0x56,0x86,0x53,0x7A,
+	0xE8,0x8B,0x22,0x9A,0x49,0xFB,0x71,0x8F,
+	};
+static unsigned char dsa512_g[]={
+	0x83,0x3E,0x88,0xE5,0xC5,0x89,0x73,0xCE,0x3B,0x6C,0x01,0x49,
+	0xBF,0xB3,0xC7,0x9F,0x0A,0xEA,0x44,0x91,0xE5,0x30,0xAA,0xD9,
+	0xBE,0x5B,0x5F,0xB7,0x10,0xD7,0x89,0xB7,0x8E,0x74,0xFB,0xCF,
+	0x29,0x1E,0xEB,0xA8,0x2C,0x54,0x51,0xB8,0x10,0xDE,0xA0,0xCE,
+	0x2F,0xCC,0x24,0x6B,0x90,0x77,0xDE,0xA2,0x68,0xA6,0x52,0x12,
+	0xA2,0x03,0x9D,0x20,
+	};
+
+DSA *get_dsa512()
+	{
+	DSA *dsa;
+
+	if ((dsa=DSA_new()) == NULL) return(NULL);
+	dsa->p=BN_bin2bn(dsa512_p,sizeof(dsa512_p),NULL);
+	dsa->q=BN_bin2bn(dsa512_q,sizeof(dsa512_q),NULL);
+	dsa->g=BN_bin2bn(dsa512_g,sizeof(dsa512_g),NULL);
+	if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
+		return(NULL);
+	return(dsa);
+	}
+
+static unsigned char dsa1024_p[]={
+	0xA7,0x3F,0x6E,0x85,0xBF,0x41,0x6A,0x29,0x7D,0xF0,0x9F,0x47,
+	0x19,0x30,0x90,0x9A,0x09,0x1D,0xDA,0x6A,0x33,0x1E,0xC5,0x3D,
+	0x86,0x96,0xB3,0x15,0xE0,0x53,0x2E,0x8F,0xE0,0x59,0x82,0x73,
+	0x90,0x3E,0x75,0x31,0x99,0x47,0x7A,0x52,0xFB,0x85,0xE4,0xD9,
+	0xA6,0x7B,0x38,0x9B,0x68,0x8A,0x84,0x9B,0x87,0xC6,0x1E,0xB5,
+	0x7E,0x86,0x4B,0x53,0x5B,0x59,0xCF,0x71,0x65,0x19,0x88,0x6E,
+	0xCE,0x66,0xAE,0x6B,0x88,0x36,0xFB,0xEC,0x28,0xDC,0xC2,0xD7,
+	0xA5,0xBB,0xE5,0x2C,0x39,0x26,0x4B,0xDA,0x9A,0x70,0x18,0x95,
+	0x37,0x95,0x10,0x56,0x23,0xF6,0x15,0xED,0xBA,0x04,0x5E,0xDE,
+	0x39,0x4F,0xFD,0xB7,0x43,0x1F,0xB5,0xA4,0x65,0x6F,0xCD,0x80,
+	0x11,0xE4,0x70,0x95,0x5B,0x50,0xCD,0x49,
+	};
+static unsigned char dsa1024_q[]={
+	0xF7,0x07,0x31,0xED,0xFA,0x6C,0x06,0x03,0xD5,0x85,0x8A,0x1C,
+	0xAC,0x9C,0x65,0xE7,0x50,0x66,0x65,0x6F,
+	};
+static unsigned char dsa1024_g[]={
+	0x4D,0xDF,0x4C,0x03,0xA6,0x91,0x8A,0xF5,0x19,0x6F,0x50,0x46,
+	0x25,0x99,0xE5,0x68,0x6F,0x30,0xE3,0x69,0xE1,0xE5,0xB3,0x5D,
+	0x98,0xBB,0x28,0x86,0x48,0xFC,0xDE,0x99,0x04,0x3F,0x5F,0x88,
+	0x0C,0x9C,0x73,0x24,0x0D,0x20,0x5D,0xB9,0x2A,0x9A,0x3F,0x18,
+	0x96,0x27,0xE4,0x62,0x87,0xC1,0x7B,0x74,0x62,0x53,0xFC,0x61,
+	0x27,0xA8,0x7A,0x91,0x09,0x9D,0xB6,0xF1,0x4D,0x9C,0x54,0x0F,
+	0x58,0x06,0xEE,0x49,0x74,0x07,0xCE,0x55,0x7E,0x23,0xCE,0x16,
+	0xF6,0xCA,0xDC,0x5A,0x61,0x01,0x7E,0xC9,0x71,0xB5,0x4D,0xF6,
+	0xDC,0x34,0x29,0x87,0x68,0xF6,0x5E,0x20,0x93,0xB3,0xDB,0xF5,
+	0xE4,0x09,0x6C,0x41,0x17,0x95,0x92,0xEB,0x01,0xB5,0x73,0xA5,
+	0x6A,0x7E,0xD8,0x32,0xED,0x0E,0x02,0xB8,
+	};
+
+DSA *get_dsa1024()
+	{
+	DSA *dsa;
+
+	if ((dsa=DSA_new()) == NULL) return(NULL);
+	dsa->p=BN_bin2bn(dsa1024_p,sizeof(dsa1024_p),NULL);
+	dsa->q=BN_bin2bn(dsa1024_q,sizeof(dsa1024_q),NULL);
+	dsa->g=BN_bin2bn(dsa1024_g,sizeof(dsa1024_g),NULL);
+	if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
+		return(NULL);
+	return(dsa);
+	}
+
+static unsigned char dsa2048_p[]={
+	0xA0,0x25,0xFA,0xAD,0xF4,0x8E,0xB9,0xE5,0x99,0xF3,0x5D,0x6F,
+	0x4F,0x83,0x34,0xE2,0x7E,0xCF,0x6F,0xBF,0x30,0xAF,0x6F,0x81,
+	0xEB,0xF8,0xC4,0x13,0xD9,0xA0,0x5D,0x8B,0x5C,0x8E,0xDC,0xC2,
+	0x1D,0x0B,0x41,0x32,0xB0,0x1F,0xFE,0xEF,0x0C,0xC2,0xA2,0x7E,
+	0x68,0x5C,0x28,0x21,0xE9,0xF5,0xB1,0x58,0x12,0x63,0x4C,0x19,
+	0x4E,0xFF,0x02,0x4B,0x92,0xED,0xD2,0x07,0x11,0x4D,0x8C,0x58,
+	0x16,0x5C,0x55,0x8E,0xAD,0xA3,0x67,0x7D,0xB9,0x86,0x6E,0x0B,
+	0xE6,0x54,0x6F,0x40,0xAE,0x0E,0x67,0x4C,0xF9,0x12,0x5B,0x3C,
+	0x08,0x7A,0xF7,0xFC,0x67,0x86,0x69,0xE7,0x0A,0x94,0x40,0xBF,
+	0x8B,0x76,0xFE,0x26,0xD1,0xF2,0xA1,0x1A,0x84,0xA1,0x43,0x56,
+	0x28,0xBC,0x9A,0x5F,0xD7,0x3B,0x69,0x89,0x8A,0x36,0x2C,0x51,
+	0xDF,0x12,0x77,0x2F,0x57,0x7B,0xA0,0xAA,0xDD,0x7F,0xA1,0x62,
+	0x3B,0x40,0x7B,0x68,0x1A,0x8F,0x0D,0x38,0xBB,0x21,0x5D,0x18,
+	0xFC,0x0F,0x46,0xF7,0xA3,0xB0,0x1D,0x23,0xC3,0xD2,0xC7,0x72,
+	0x51,0x18,0xDF,0x46,0x95,0x79,0xD9,0xBD,0xB5,0x19,0x02,0x2C,
+	0x87,0xDC,0xE7,0x57,0x82,0x7E,0xF1,0x8B,0x06,0x3D,0x00,0xA5,
+	0x7B,0x6B,0x26,0x27,0x91,0x0F,0x6A,0x77,0xE4,0xD5,0x04,0xE4,
+	0x12,0x2C,0x42,0xFF,0xD2,0x88,0xBB,0xD3,0x92,0xA0,0xF9,0xC8,
+	0x51,0x64,0x14,0x5C,0xD8,0xF9,0x6C,0x47,0x82,0xB4,0x1C,0x7F,
+	0x09,0xB8,0xF0,0x25,0x83,0x1D,0x3F,0x3F,0x05,0xB3,0x21,0x0A,
+	0x5D,0xA7,0xD8,0x54,0xC3,0x65,0x7D,0xC3,0xB0,0x1D,0xBF,0xAE,
+	0xF8,0x68,0xCF,0x9B,
+	};
+static unsigned char dsa2048_q[]={
+	0x97,0xE7,0x33,0x4D,0xD3,0x94,0x3E,0x0B,0xDB,0x62,0x74,0xC6,
+	0xA1,0x08,0xDD,0x19,0xA3,0x75,0x17,0x1B,
+	};
+static unsigned char dsa2048_g[]={
+	0x2C,0x78,0x16,0x59,0x34,0x63,0xF4,0xF3,0x92,0xFC,0xB5,0xA5,
+	0x4F,0x13,0xDE,0x2F,0x1C,0xA4,0x3C,0xAE,0xAD,0x38,0x3F,0x7E,
+	0x90,0xBF,0x96,0xA6,0xAE,0x25,0x90,0x72,0xF5,0x8E,0x80,0x0C,
+	0x39,0x1C,0xD9,0xEC,0xBA,0x90,0x5B,0x3A,0xE8,0x58,0x6C,0x9E,
+	0x30,0x42,0x37,0x02,0x31,0x82,0xBC,0x6A,0xDF,0x6A,0x09,0x29,
+	0xE3,0xC0,0x46,0xD1,0xCB,0x85,0xEC,0x0C,0x30,0x5E,0xEA,0xC8,
+	0x39,0x8E,0x22,0x9F,0x22,0x10,0xD2,0x34,0x61,0x68,0x37,0x3D,
+	0x2E,0x4A,0x5B,0x9A,0xF5,0xC1,0x48,0xC6,0xF6,0xDC,0x63,0x1A,
+	0xD3,0x96,0x64,0xBA,0x34,0xC9,0xD1,0xA0,0xD1,0xAE,0x6C,0x2F,
+	0x48,0x17,0x93,0x14,0x43,0xED,0xF0,0x21,0x30,0x19,0xC3,0x1B,
+	0x5F,0xDE,0xA3,0xF0,0x70,0x78,0x18,0xE1,0xA8,0xE4,0xEE,0x2E,
+	0x00,0xA5,0xE4,0xB3,0x17,0xC8,0x0C,0x7D,0x6E,0x42,0xDC,0xB7,
+	0x46,0x00,0x36,0x4D,0xD4,0x46,0xAA,0x3D,0x3C,0x46,0x89,0x40,
+	0xBF,0x1D,0x84,0x77,0x0A,0x75,0xF3,0x87,0x1D,0x08,0x4C,0xA6,
+	0xD1,0xA9,0x1C,0x1E,0x12,0x1E,0xE1,0xC7,0x30,0x28,0x76,0xA5,
+	0x7F,0x6C,0x85,0x96,0x2B,0x6F,0xDB,0x80,0x66,0x26,0xAE,0xF5,
+	0x93,0xC7,0x8E,0xAE,0x9A,0xED,0xE4,0xCA,0x04,0xEA,0x3B,0x72,
+	0xEF,0xDC,0x87,0xED,0x0D,0xA5,0x4C,0x4A,0xDD,0x71,0x22,0x64,
+	0x59,0x69,0x4E,0x8E,0xBF,0x43,0xDC,0xAB,0x8E,0x66,0xBB,0x01,
+	0xB6,0xF4,0xE7,0xFD,0xD2,0xAD,0x9F,0x36,0xC1,0xA0,0x29,0x99,
+	0xD1,0x96,0x70,0x59,0x06,0x78,0x35,0xBD,0x65,0x55,0x52,0x9E,
+	0xF8,0xB2,0xE5,0x38,
+	};
+ 
+DSA *get_dsa2048()
+	{
+	DSA *dsa;
+ 
+	if ((dsa=DSA_new()) == NULL) return(NULL);
+	dsa->p=BN_bin2bn(dsa2048_p,sizeof(dsa2048_p),NULL);
+	dsa->q=BN_bin2bn(dsa2048_q,sizeof(dsa2048_q),NULL);
+	dsa->g=BN_bin2bn(dsa2048_g,sizeof(dsa2048_g),NULL);
+	if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
+		return(NULL);
+	return(dsa);
+	}
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+static int rnd_fake = 0;
diff --git a/crypto/openssl/apps/testrsa.h b/crypto/openssl/apps/testrsa.h
new file mode 100644
index 0000000..3007d79
--- /dev/null
+++ b/crypto/openssl/apps/testrsa.h
@@ -0,0 +1,518 @@
+/* apps/testrsa.h */
+/* used by apps/speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static unsigned char test512[]={
+	0x30,0x82,0x01,0x3a,0x02,0x01,0x00,0x02,0x41,0x00,
+	0xd6,0x33,0xb9,0xc8,0xfb,0x4f,0x3c,0x7d,0xc0,0x01,
+	0x86,0xd0,0xe7,0xa0,0x55,0xf2,0x95,0x93,0xcc,0x4f,
+	0xb7,0x5b,0x67,0x5b,0x94,0x68,0xc9,0x34,0x15,0xde,
+	0xa5,0x2e,0x1c,0x33,0xc2,0x6e,0xfc,0x34,0x5e,0x71,
+	0x13,0xb7,0xd6,0xee,0xd8,0xa5,0x65,0x05,0x72,0x87,
+	0xa8,0xb0,0x77,0xfe,0x57,0xf5,0xfc,0x5f,0x55,0x83,
+	0x87,0xdd,0x57,0x49,0x02,0x03,0x01,0x00,0x01,0x02,
+	0x41,0x00,0xa7,0xf7,0x91,0xc5,0x0f,0x84,0x57,0xdc,
+	0x07,0xf7,0x6a,0x7f,0x60,0x52,0xb3,0x72,0xf1,0x66,
+	0x1f,0x7d,0x97,0x3b,0x9e,0xb6,0x0a,0x8f,0x8c,0xcf,
+	0x42,0x23,0x00,0x04,0xd4,0x28,0x0e,0x1c,0x90,0xc4,
+	0x11,0x25,0x25,0xa5,0x93,0xa5,0x2f,0x70,0x02,0xdf,
+	0x81,0x9c,0x49,0x03,0xa0,0xf8,0x6d,0x54,0x2e,0x26,
+	0xde,0xaa,0x85,0x59,0xa8,0x31,0x02,0x21,0x00,0xeb,
+	0x47,0xd7,0x3b,0xf6,0xc3,0xdd,0x5a,0x46,0xc5,0xb9,
+	0x2b,0x9a,0xa0,0x09,0x8f,0xa6,0xfb,0xf3,0x78,0x7a,
+	0x33,0x70,0x9d,0x0f,0x42,0x6b,0x13,0x68,0x24,0xd3,
+	0x15,0x02,0x21,0x00,0xe9,0x10,0xb0,0xb3,0x0d,0xe2,
+	0x82,0x68,0x77,0x8a,0x6e,0x7c,0xda,0xbc,0x3e,0x53,
+	0x83,0xfb,0xd6,0x22,0xe7,0xb5,0xae,0x6e,0x80,0xda,
+	0x00,0x55,0x97,0xc1,0xd0,0x65,0x02,0x20,0x4c,0xf8,
+	0x73,0xb1,0x6a,0x49,0x29,0x61,0x1f,0x46,0x10,0x0d,
+	0xf3,0xc7,0xe7,0x58,0xd7,0x88,0x15,0x5e,0x94,0x9b,
+	0xbf,0x7b,0xa2,0x42,0x58,0x45,0x41,0x0c,0xcb,0x01,
+	0x02,0x20,0x12,0x11,0xba,0x31,0x57,0x9d,0x3d,0x11,
+	0x0e,0x5b,0x8c,0x2f,0x5f,0xe2,0x02,0x4f,0x05,0x47,
+	0x8c,0x15,0x8e,0xb3,0x56,0x3f,0xb8,0xfb,0xad,0xd4,
+	0xf4,0xfc,0x10,0xc5,0x02,0x20,0x18,0xa1,0x29,0x99,
+	0x5b,0xd9,0xc8,0xd4,0xfc,0x49,0x7a,0x2a,0x21,0x2c,
+	0x49,0xe4,0x4f,0xeb,0xef,0x51,0xf1,0xab,0x6d,0xfb,
+	0x4b,0x14,0xe9,0x4b,0x52,0xb5,0x82,0x2c,
+	};
+
+static unsigned char test1024[]={
+	0x30,0x82,0x02,0x5c,0x02,0x01,0x00,0x02,0x81,0x81,
+	0x00,0xdc,0x98,0x43,0xe8,0x3d,0x43,0x5b,0xe4,0x05,
+	0xcd,0xd0,0xa9,0x3e,0xcb,0x83,0x75,0xf6,0xb5,0xa5,
+	0x9f,0x6b,0xe9,0x34,0x41,0x29,0x18,0xfa,0x6a,0x55,
+	0x4d,0x70,0xfc,0xec,0xae,0x87,0x38,0x0a,0x20,0xa9,
+	0xc0,0x45,0x77,0x6e,0x57,0x60,0x57,0xf4,0xed,0x96,
+	0x22,0xcb,0x8f,0xe1,0x33,0x3a,0x17,0x1f,0xed,0x37,
+	0xa5,0x6f,0xeb,0xa6,0xbc,0x12,0x80,0x1d,0x53,0xbd,
+	0x70,0xeb,0x21,0x76,0x3e,0xc9,0x2f,0x1a,0x45,0x24,
+	0x82,0xff,0xcd,0x59,0x32,0x06,0x2e,0x12,0x3b,0x23,
+	0x78,0xed,0x12,0x3d,0xe0,0x8d,0xf9,0x67,0x4f,0x37,
+	0x4e,0x47,0x02,0x4c,0x2d,0xc0,0x4f,0x1f,0xb3,0x94,
+	0xe1,0x41,0x2e,0x2d,0x90,0x10,0xfc,0x82,0x91,0x8b,
+	0x0f,0x22,0xd4,0xf2,0xfc,0x2c,0xab,0x53,0x55,0x02,
+	0x03,0x01,0x00,0x01,0x02,0x81,0x80,0x2b,0xcc,0x3f,
+	0x8f,0x58,0xba,0x8b,0x00,0x16,0xf6,0xea,0x3a,0xf0,
+	0x30,0xd0,0x05,0x17,0xda,0xb0,0xeb,0x9a,0x2d,0x4f,
+	0x26,0xb0,0xd6,0x38,0xc1,0xeb,0xf5,0xd8,0x3d,0x1f,
+	0x70,0xf7,0x7f,0xf4,0xe2,0xcf,0x51,0x51,0x79,0x88,
+	0xfa,0xe8,0x32,0x0e,0x7b,0x2d,0x97,0xf2,0xfa,0xba,
+	0x27,0xc5,0x9c,0xd9,0xc5,0xeb,0x8a,0x79,0x52,0x3c,
+	0x64,0x34,0x7d,0xc2,0xcf,0x28,0xc7,0x4e,0xd5,0x43,
+	0x0b,0xd1,0xa6,0xca,0x6d,0x03,0x2d,0x72,0x23,0xbc,
+	0x6d,0x05,0xfa,0x16,0x09,0x2f,0x2e,0x5c,0xb6,0xee,
+	0x74,0xdd,0xd2,0x48,0x8e,0x36,0x0c,0x06,0x3d,0x4d,
+	0xe5,0x10,0x82,0xeb,0x6a,0xf3,0x4b,0x9f,0xd6,0xed,
+	0x11,0xb1,0x6e,0xec,0xf4,0xfe,0x8e,0x75,0x94,0x20,
+	0x2f,0xcb,0xac,0x46,0xf1,0x02,0x41,0x00,0xf9,0x8c,
+	0xa3,0x85,0xb1,0xdd,0x29,0xaf,0x65,0xc1,0x33,0xf3,
+	0x95,0xc5,0x52,0x68,0x0b,0xd4,0xf1,0xe5,0x0e,0x02,
+	0x9f,0x4f,0xfa,0x77,0xdc,0x46,0x9e,0xc7,0xa6,0xe4,
+	0x16,0x29,0xda,0xb0,0x07,0xcf,0x5b,0xa9,0x12,0x8a,
+	0xdd,0x63,0x0a,0xde,0x2e,0x8c,0x66,0x8b,0x8c,0xdc,
+	0x19,0xa3,0x7e,0xf4,0x3b,0xd0,0x1a,0x8c,0xa4,0xc2,
+	0xe1,0xd3,0x02,0x41,0x00,0xe2,0x4c,0x05,0xf2,0x04,
+	0x86,0x4e,0x61,0x43,0xdb,0xb0,0xb9,0x96,0x86,0x52,
+	0x2c,0xca,0x8d,0x7b,0xab,0x0b,0x13,0x0d,0x7e,0x38,
+	0x5b,0xe2,0x2e,0x7b,0x0e,0xe7,0x19,0x99,0x38,0xe7,
+	0xf2,0x21,0xbd,0x85,0x85,0xe3,0xfd,0x28,0x77,0x20,
+	0x31,0x71,0x2c,0xd0,0xff,0xfb,0x2e,0xaf,0x85,0xb4,
+	0x86,0xca,0xf3,0xbb,0xca,0xaa,0x0f,0x95,0x37,0x02,
+	0x40,0x0e,0x41,0x9a,0x95,0xe8,0xb3,0x59,0xce,0x4b,
+	0x61,0xde,0x35,0xec,0x38,0x79,0x9c,0xb8,0x10,0x52,
+	0x41,0x63,0xab,0x82,0xae,0x6f,0x00,0xa9,0xf4,0xde,
+	0xdd,0x49,0x0b,0x7e,0xb8,0xa5,0x65,0xa9,0x0c,0x8f,
+	0x8f,0xf9,0x1f,0x35,0xc6,0x92,0xb8,0x5e,0xb0,0x66,
+	0xab,0x52,0x40,0xc0,0xb6,0x36,0x6a,0x7d,0x80,0x46,
+	0x04,0x02,0xe5,0x9f,0x41,0x02,0x41,0x00,0xc0,0xad,
+	0xcc,0x4e,0x21,0xee,0x1d,0x24,0x91,0xfb,0xa7,0x80,
+	0x8d,0x9a,0xb6,0xb3,0x2e,0x8f,0xc2,0xe1,0x82,0xdf,
+	0x69,0x18,0xb4,0x71,0xff,0xa6,0x65,0xde,0xed,0x84,
+	0x8d,0x42,0xb7,0xb3,0x21,0x69,0x56,0x1c,0x07,0x60,
+	0x51,0x29,0x04,0xff,0x34,0x06,0xdd,0xb9,0x67,0x2c,
+	0x7c,0x04,0x93,0x0e,0x46,0x15,0xbb,0x2a,0xb7,0x1b,
+	0xe7,0x87,0x02,0x40,0x78,0xda,0x5d,0x07,0x51,0x0c,
+	0x16,0x7a,0x9f,0x29,0x20,0x84,0x0d,0x42,0xfa,0xd7,
+	0x00,0xd8,0x77,0x7e,0xb0,0xb0,0x6b,0xd6,0x5b,0x53,
+	0xb8,0x9b,0x7a,0xcd,0xc7,0x2b,0xb8,0x6a,0x63,0xa9,
+	0xfb,0x6f,0xa4,0x72,0xbf,0x4c,0x5d,0x00,0x14,0xba,
+	0xfa,0x59,0x88,0xed,0xe4,0xe0,0x8c,0xa2,0xec,0x14,
+	0x7e,0x2d,0xe2,0xf0,0x46,0x49,0x95,0x45,
+	};
+
+static unsigned char test2048[]={
+	0x30,0x82,0x04,0xa3,0x02,0x01,0x00,0x02,0x82,0x01,
+	0x01,0x00,0xc0,0xc0,0xce,0x3e,0x3c,0x53,0x67,0x3f,
+	0x4f,0xc5,0x2f,0xa4,0xc2,0x5a,0x2f,0x58,0xfd,0x27,
+	0x52,0x6a,0xe8,0xcf,0x4a,0x73,0x47,0x8d,0x25,0x0f,
+	0x5f,0x03,0x26,0x78,0xef,0xf0,0x22,0x12,0xd3,0xde,
+	0x47,0xb2,0x1c,0x0b,0x38,0x63,0x1a,0x6c,0x85,0x7a,
+	0x80,0xc6,0x8f,0xa0,0x41,0xaf,0x62,0xc4,0x67,0x32,
+	0x88,0xf8,0xa6,0x9c,0xf5,0x23,0x1d,0xe4,0xac,0x3f,
+	0x29,0xf9,0xec,0xe1,0x8b,0x26,0x03,0x2c,0xb2,0xab,
+	0xf3,0x7d,0xb5,0xca,0x49,0xc0,0x8f,0x1c,0xdf,0x33,
+	0x3a,0x60,0xda,0x3c,0xb0,0x16,0xf8,0xa9,0x12,0x8f,
+	0x64,0xac,0x23,0x0c,0x69,0x64,0x97,0x5d,0x99,0xd4,
+	0x09,0x83,0x9b,0x61,0xd3,0xac,0xf0,0xde,0xdd,0x5e,
+	0x9f,0x44,0x94,0xdb,0x3a,0x4d,0x97,0xe8,0x52,0x29,
+	0xf7,0xdb,0x94,0x07,0x45,0x90,0x78,0x1e,0x31,0x0b,
+	0x80,0xf7,0x57,0xad,0x1c,0x79,0xc5,0xcb,0x32,0xb0,
+	0xce,0xcd,0x74,0xb3,0xe2,0x94,0xc5,0x78,0x2f,0x34,
+	0x1a,0x45,0xf7,0x8c,0x52,0xa5,0xbc,0x8d,0xec,0xd1,
+	0x2f,0x31,0x3b,0xf0,0x49,0x59,0x5e,0x88,0x9d,0x15,
+	0x92,0x35,0x32,0xc1,0xe7,0x61,0xec,0x50,0x48,0x7c,
+	0xba,0x05,0xf9,0xf8,0xf8,0xa7,0x8c,0x83,0xe8,0x66,
+	0x5b,0xeb,0xfe,0xd8,0x4f,0xdd,0x6d,0x36,0xc0,0xb2,
+	0x90,0x0f,0xb8,0x52,0xf9,0x04,0x9b,0x40,0x2c,0x27,
+	0xd6,0x36,0x8e,0xc2,0x1b,0x44,0xf3,0x92,0xd5,0x15,
+	0x9e,0x9a,0xbc,0xf3,0x7d,0x03,0xd7,0x02,0x14,0x20,
+	0xe9,0x10,0x92,0xfd,0xf9,0xfc,0x8f,0xe5,0x18,0xe1,
+	0x95,0xcc,0x9e,0x60,0xa6,0xfa,0x38,0x4d,0x02,0x03,
+	0x01,0x00,0x01,0x02,0x82,0x01,0x00,0x00,0xc3,0xc3,
+	0x0d,0xb4,0x27,0x90,0x8d,0x4b,0xbf,0xb8,0x84,0xaa,
+	0xd0,0xb8,0xc7,0x5d,0x99,0xbe,0x55,0xf6,0x3e,0x7c,
+	0x49,0x20,0xcb,0x8a,0x8e,0x19,0x0e,0x66,0x24,0xac,
+	0xaf,0x03,0x33,0x97,0xeb,0x95,0xd5,0x3b,0x0f,0x40,
+	0x56,0x04,0x50,0xd1,0xe6,0xbe,0x84,0x0b,0x25,0xd3,
+	0x9c,0xe2,0x83,0x6c,0xf5,0x62,0x5d,0xba,0x2b,0x7d,
+	0x3d,0x7a,0x6c,0xe1,0xd2,0x0e,0x54,0x93,0x80,0x01,
+	0x91,0x51,0x09,0xe8,0x5b,0x8e,0x47,0xbd,0x64,0xe4,
+	0x0e,0x03,0x83,0x55,0xcf,0x5a,0x37,0xf0,0x25,0xb5,
+	0x7d,0x21,0xd7,0x69,0xdf,0x6f,0xc2,0xcf,0x10,0xc9,
+	0x8a,0x40,0x9f,0x7a,0x70,0xc0,0xe8,0xe8,0xc0,0xe6,
+	0x9a,0x15,0x0a,0x8d,0x4e,0x46,0xcb,0x7a,0xdb,0xb3,
+	0xcb,0x83,0x02,0xc4,0xf0,0xab,0xeb,0x02,0x01,0x0e,
+	0x23,0xfc,0x1d,0xc4,0xbd,0xd4,0xaa,0x5d,0x31,0x46,
+	0x99,0xce,0x9e,0xf8,0x04,0x75,0x10,0x67,0xc4,0x53,
+	0x47,0x44,0xfa,0xc2,0x25,0x73,0x7e,0xd0,0x8e,0x59,
+	0xd1,0xb2,0x5a,0xf4,0xc7,0x18,0x92,0x2f,0x39,0xab,
+	0xcd,0xa3,0xb5,0xc2,0xb9,0xc7,0xb9,0x1b,0x9f,0x48,
+	0xfa,0x13,0xc6,0x98,0x4d,0xca,0x84,0x9c,0x06,0xca,
+	0xe7,0x89,0x01,0x04,0xc4,0x6c,0xfd,0x29,0x59,0x35,
+	0xe7,0xf3,0xdd,0xce,0x64,0x59,0xbf,0x21,0x13,0xa9,
+	0x9f,0x0e,0xc5,0xff,0xbd,0x33,0x00,0xec,0xac,0x6b,
+	0x11,0xef,0x51,0x5e,0xad,0x07,0x15,0xde,0xb8,0x5f,
+	0xc6,0xb9,0xa3,0x22,0x65,0x46,0x83,0x14,0xdf,0xd0,
+	0xf1,0x44,0x8a,0xe1,0x9c,0x23,0x33,0xb4,0x97,0x33,
+	0xe6,0x6b,0x81,0x02,0x81,0x81,0x00,0xec,0x12,0xa7,
+	0x59,0x74,0x6a,0xde,0x3e,0xad,0xd8,0x36,0x80,0x50,
+	0xa2,0xd5,0x21,0x81,0x07,0xf1,0xd0,0x91,0xf2,0x6c,
+	0x12,0x2f,0x9d,0x1a,0x26,0xf8,0x30,0x65,0xdf,0xe8,
+	0xc0,0x9b,0x6a,0x30,0x98,0x82,0x87,0xec,0xa2,0x56,
+	0x87,0x62,0x6f,0xe7,0x9f,0xf6,0x56,0xe6,0x71,0x8f,
+	0x49,0x86,0x93,0x5a,0x4d,0x34,0x58,0xfe,0xd9,0x04,
+	0x13,0xaf,0x79,0xb7,0xad,0x11,0xd1,0x30,0x9a,0x14,
+	0x06,0xa0,0xfa,0xb7,0x55,0xdc,0x6c,0x5a,0x4c,0x2c,
+	0x59,0x56,0xf6,0xe8,0x9d,0xaf,0x0a,0x78,0x99,0x06,
+	0x06,0x9e,0xe7,0x9c,0x51,0x55,0x43,0xfc,0x3b,0x6c,
+	0x0b,0xbf,0x2d,0x41,0xa7,0xaf,0xb7,0xe0,0xe8,0x28,
+	0x18,0xb4,0x13,0xd1,0xe6,0x97,0xd0,0x9f,0x6a,0x80,
+	0xca,0xdd,0x1a,0x7e,0x15,0x02,0x81,0x81,0x00,0xd1,
+	0x06,0x0c,0x1f,0xe3,0xd0,0xab,0xd6,0xca,0x7c,0xbc,
+	0x7d,0x13,0x35,0xce,0x27,0xcd,0xd8,0x49,0x51,0x63,
+	0x64,0x0f,0xca,0x06,0x12,0xfc,0x07,0x3e,0xaf,0x61,
+	0x6d,0xe2,0x53,0x39,0x27,0xae,0xc3,0x11,0x9e,0x94,
+	0x01,0x4f,0xe3,0xf3,0x67,0xf9,0x77,0xf9,0xe7,0x95,
+	0x3a,0x6f,0xe2,0x20,0x73,0x3e,0xa4,0x7a,0x28,0xd4,
+	0x61,0x97,0xf6,0x17,0xa0,0x23,0x10,0x2b,0xce,0x84,
+	0x57,0x7e,0x25,0x1f,0xf4,0xa8,0x54,0xd2,0x65,0x94,
+	0xcc,0x95,0x0a,0xab,0x30,0xc1,0x59,0x1f,0x61,0x8e,
+	0xb9,0x6b,0xd7,0x4e,0xb9,0x83,0x43,0x79,0x85,0x11,
+	0xbc,0x0f,0xae,0x25,0x20,0x05,0xbc,0xd2,0x48,0xa1,
+	0x68,0x09,0x84,0xf6,0x12,0x9a,0x66,0xb9,0x2b,0xbb,
+	0x76,0x03,0x17,0x46,0x4e,0x97,0x59,0x02,0x81,0x80,
+	0x09,0x4c,0xfa,0xd6,0xe5,0x65,0x48,0x78,0x43,0xb5,
+	0x1f,0x00,0x93,0x2c,0xb7,0x24,0xe8,0xc6,0x7d,0x5a,
+	0x70,0x45,0x92,0xc8,0x6c,0xa3,0xcd,0xe1,0xf7,0x29,
+	0x40,0xfa,0x3f,0x5b,0x47,0x44,0x39,0xc1,0xe8,0x72,
+	0x9e,0x7a,0x0e,0xda,0xaa,0xa0,0x2a,0x09,0xfd,0x54,
+	0x93,0x23,0xaa,0x37,0x85,0x5b,0xcc,0xd4,0xf9,0xd8,
+	0xff,0xc1,0x61,0x0d,0xbd,0x7e,0x18,0x24,0x73,0x6d,
+	0x40,0x72,0xf1,0x93,0x09,0x48,0x97,0x6c,0x84,0x90,
+	0xa8,0x46,0x14,0x01,0x39,0x11,0xe5,0x3c,0x41,0x27,
+	0x32,0x75,0x24,0xed,0xa1,0xd9,0x12,0x29,0x8a,0x28,
+	0x71,0x89,0x8d,0xca,0x30,0xb0,0x01,0xc4,0x2f,0x82,
+	0x19,0x14,0x4c,0x70,0x1c,0xb8,0x23,0x2e,0xe8,0x90,
+	0x49,0x97,0x92,0x97,0x6b,0x7a,0x9d,0xb9,0x02,0x81,
+	0x80,0x0f,0x0e,0xa1,0x76,0xf6,0xa1,0x44,0x8f,0xaf,
+	0x7c,0x76,0xd3,0x87,0xbb,0xbb,0x83,0x10,0x88,0x01,
+	0x18,0x14,0xd1,0xd3,0x75,0x59,0x24,0xaa,0xf5,0x16,
+	0xa5,0xe9,0x9d,0xd1,0xcc,0xee,0xf4,0x15,0xd9,0xc5,
+	0x7e,0x27,0xe9,0x44,0x49,0x06,0x72,0xb9,0xfc,0xd3,
+	0x8a,0xc4,0x2c,0x36,0x7d,0x12,0x9b,0x5a,0xaa,0xdc,
+	0x85,0xee,0x6e,0xad,0x54,0xb3,0xf4,0xfc,0x31,0xa1,
+	0x06,0x3a,0x70,0x57,0x0c,0xf3,0x95,0x5b,0x3e,0xe8,
+	0xfd,0x1a,0x4f,0xf6,0x78,0x93,0x46,0x6a,0xd7,0x31,
+	0xb4,0x84,0x64,0x85,0x09,0x38,0x89,0x92,0x94,0x1c,
+	0xbf,0xe2,0x3c,0x2a,0xe0,0xff,0x99,0xa3,0xf0,0x2b,
+	0x31,0xc2,0x36,0xcd,0x60,0xbf,0x9d,0x2d,0x74,0x32,
+	0xe8,0x9c,0x93,0x6e,0xbb,0x91,0x7b,0xfd,0xd9,0x02,
+	0x81,0x81,0x00,0xa2,0x71,0x25,0x38,0xeb,0x2a,0xe9,
+	0x37,0xcd,0xfe,0x44,0xce,0x90,0x3f,0x52,0x87,0x84,
+	0x52,0x1b,0xae,0x8d,0x22,0x94,0xce,0x38,0xe6,0x04,
+	0x88,0x76,0x85,0x9a,0xd3,0x14,0x09,0xe5,0x69,0x9a,
+	0xff,0x58,0x92,0x02,0x6a,0x7d,0x7c,0x1e,0x2c,0xfd,
+	0xa8,0xca,0x32,0x14,0x4f,0x0d,0x84,0x0d,0x37,0x43,
+	0xbf,0xe4,0x5d,0x12,0xc8,0x24,0x91,0x27,0x8d,0x46,
+	0xd9,0x54,0x53,0xe7,0x62,0x71,0xa8,0x2b,0x71,0x41,
+	0x8d,0x75,0xf8,0x3a,0xa0,0x61,0x29,0x46,0xa6,0xe5,
+	0x82,0xfa,0x3a,0xd9,0x08,0xfa,0xfc,0x63,0xfd,0x6b,
+	0x30,0xbc,0xf4,0x4e,0x9e,0x8c,0x25,0x0c,0xb6,0x55,
+	0xe7,0x3c,0xd4,0x4e,0x0b,0xfd,0x8b,0xc3,0x0e,0x1d,
+	0x9c,0x44,0x57,0x8f,0x1f,0x86,0xf7,0xd5,0x1b,0xe4,
+	0x95,
+	};
+
+static unsigned char test4096[]={
+	0x30,0x82,0x09,0x29,0x02,0x01,0x00,0x02,0x82,0x02,
+	0x01,0x00,0xc0,0x71,0xac,0x1a,0x13,0x88,0x82,0x43,
+	0x3b,0x51,0x57,0x71,0x8d,0xb6,0x2b,0x82,0x65,0x21,
+	0x53,0x5f,0x28,0x29,0x4f,0x8d,0x7c,0x8a,0xb9,0x44,
+	0xb3,0x28,0x41,0x4f,0xd3,0xfa,0x6a,0xf8,0xb9,0x28,
+	0x50,0x39,0x67,0x53,0x2c,0x3c,0xd7,0xcb,0x96,0x41,
+	0x40,0x32,0xbb,0xeb,0x70,0xae,0x1f,0xb0,0x65,0xf7,
+	0x3a,0xd9,0x22,0xfd,0x10,0xae,0xbd,0x02,0xe2,0xdd,
+	0xf3,0xc2,0x79,0x3c,0xc6,0xfc,0x75,0xbb,0xaf,0x4e,
+	0x3a,0x36,0xc2,0x4f,0xea,0x25,0xdf,0x13,0x16,0x4b,
+	0x20,0xfe,0x4b,0x69,0x16,0xc4,0x7f,0x1a,0x43,0xa6,
+	0x17,0x1b,0xb9,0x0a,0xf3,0x09,0x86,0x28,0x89,0xcf,
+	0x2c,0xd0,0xd4,0x81,0xaf,0xc6,0x6d,0xe6,0x21,0x8d,
+	0xee,0xef,0xea,0xdc,0xb7,0xc6,0x3b,0x63,0x9f,0x0e,
+	0xad,0x89,0x78,0x23,0x18,0xbf,0x70,0x7e,0x84,0xe0,
+	0x37,0xec,0xdb,0x8e,0x9c,0x3e,0x6a,0x19,0xcc,0x99,
+	0x72,0xe6,0xb5,0x7d,0x6d,0xfa,0xe5,0xd3,0xe4,0x90,
+	0xb5,0xb2,0xb2,0x12,0x70,0x4e,0xca,0xf8,0x10,0xf8,
+	0xa3,0x14,0xc2,0x48,0x19,0xeb,0x60,0x99,0xbb,0x2a,
+	0x1f,0xb1,0x7a,0xb1,0x3d,0x24,0xfb,0xa0,0x29,0xda,
+	0xbd,0x1b,0xd7,0xa4,0xbf,0xef,0x60,0x2d,0x22,0xca,
+	0x65,0x98,0xf1,0xc4,0xe1,0xc9,0x02,0x6b,0x16,0x28,
+	0x2f,0xa1,0xaa,0x79,0x00,0xda,0xdc,0x7c,0x43,0xf7,
+	0x42,0x3c,0xa0,0xef,0x68,0xf7,0xdf,0xb9,0x69,0xfb,
+	0x8e,0x01,0xed,0x01,0x42,0xb5,0x4e,0x57,0xa6,0x26,
+	0xb8,0xd0,0x7b,0x56,0x6d,0x03,0xc6,0x40,0x8c,0x8c,
+	0x2a,0x55,0xd7,0x9c,0x35,0x00,0x94,0x93,0xec,0x03,
+	0xeb,0x22,0xef,0x77,0xbb,0x79,0x13,0x3f,0x15,0xa1,
+	0x8f,0xca,0xdf,0xfd,0xd3,0xb8,0xe1,0xd4,0xcc,0x09,
+	0x3f,0x3c,0x2c,0xdb,0xd1,0x49,0x7f,0x38,0x07,0x83,
+	0x6d,0xeb,0x08,0x66,0xe9,0x06,0x44,0x12,0xac,0x95,
+	0x22,0x90,0x23,0x67,0xd4,0x08,0xcc,0xf4,0xb7,0xdc,
+	0xcc,0x87,0xd4,0xac,0x69,0x35,0x4c,0xb5,0x39,0x36,
+	0xcd,0xa4,0xd2,0x95,0xca,0x0d,0xc5,0xda,0xc2,0xc5,
+	0x22,0x32,0x28,0x08,0xe3,0xd2,0x8b,0x38,0x30,0xdc,
+	0x8c,0x75,0x4f,0x6a,0xec,0x7a,0xac,0x16,0x3e,0xa8,
+	0xd4,0x6a,0x45,0xe1,0xa8,0x4f,0x2e,0x80,0x34,0xaa,
+	0x54,0x1b,0x02,0x95,0x7d,0x8a,0x6d,0xcc,0x79,0xca,
+	0xf2,0xa4,0x2e,0x8d,0xfb,0xfe,0x15,0x51,0x10,0x0e,
+	0x4d,0x88,0xb1,0xc7,0xf4,0x79,0xdb,0xf0,0xb4,0x56,
+	0x44,0x37,0xca,0x5a,0xc1,0x8c,0x48,0xac,0xae,0x48,
+	0x80,0x83,0x01,0x3f,0xde,0xd9,0xd3,0x2c,0x51,0x46,
+	0xb1,0x41,0xb6,0xc6,0x91,0x72,0xf9,0x83,0x55,0x1b,
+	0x8c,0xba,0xf3,0x73,0xe5,0x2c,0x74,0x50,0x3a,0xbe,
+	0xc5,0x2f,0xa7,0xb2,0x6d,0x8c,0x9e,0x13,0x77,0xa3,
+	0x13,0xcd,0x6d,0x8c,0x45,0xe1,0xfc,0x0b,0xb7,0x69,
+	0xe9,0x27,0xbc,0x65,0xc3,0xfa,0x9b,0xd0,0xef,0xfe,
+	0xe8,0x1f,0xb3,0x5e,0x34,0xf4,0x8c,0xea,0xfc,0xd3,
+	0x81,0xbf,0x3d,0x30,0xb2,0xb4,0x01,0xe8,0x43,0x0f,
+	0xba,0x02,0x23,0x42,0x76,0x82,0x31,0x73,0x91,0xed,
+	0x07,0x46,0x61,0x0d,0x39,0x83,0x40,0xce,0x7a,0xd4,
+	0xdb,0x80,0x2c,0x1f,0x0d,0xd1,0x34,0xd4,0x92,0xe3,
+	0xd4,0xf1,0xc2,0x01,0x02,0x03,0x01,0x00,0x01,0x02,
+	0x82,0x02,0x01,0x00,0x97,0x6c,0xda,0x6e,0xea,0x4f,
+	0xcf,0xaf,0xf7,0x4c,0xd9,0xf1,0x90,0x00,0x77,0xdb,
+	0xf2,0x97,0x76,0x72,0xb9,0xb7,0x47,0xd1,0x9c,0xdd,
+	0xcb,0x4a,0x33,0x6e,0xc9,0x75,0x76,0xe6,0xe4,0xa5,
+	0x31,0x8c,0x77,0x13,0xb4,0x29,0xcd,0xf5,0x52,0x17,
+	0xef,0xf3,0x08,0x00,0xe3,0xbd,0x2e,0xbc,0xd4,0x52,
+	0x88,0xe9,0x30,0x75,0x0b,0x02,0xf5,0xcd,0x89,0x0c,
+	0x6c,0x57,0x19,0x27,0x3d,0x1e,0x85,0xb4,0xc1,0x2f,
+	0x1d,0x92,0x00,0x5c,0x76,0x29,0x4b,0xa4,0xe1,0x12,
+	0xb3,0xc8,0x09,0xfe,0x0e,0x78,0x72,0x61,0xcb,0x61,
+	0x6f,0x39,0x91,0x95,0x4e,0xd5,0x3e,0xc7,0x8f,0xb8,
+	0xf6,0x36,0xfe,0x9c,0x93,0x9a,0x38,0x25,0x7a,0xf4,
+	0x4a,0x12,0xd4,0xa0,0x13,0xbd,0xf9,0x1d,0x12,0x3e,
+	0x21,0x39,0xfb,0x72,0xe0,0x05,0x3d,0xc3,0xe5,0x50,
+	0xa8,0x5d,0x85,0xa3,0xea,0x5f,0x1c,0xb2,0x3f,0xea,
+	0x6d,0x03,0x91,0x55,0xd8,0x19,0x0a,0x21,0x12,0x16,
+	0xd9,0x12,0xc4,0xe6,0x07,0x18,0x5b,0x26,0xa4,0xae,
+	0xed,0x2b,0xb7,0xa6,0xed,0xf8,0xad,0xec,0x77,0xe6,
+	0x7f,0x4f,0x76,0x00,0xc0,0xfa,0x15,0x92,0xb4,0x2c,
+	0x22,0xc2,0xeb,0x6a,0xad,0x14,0x05,0xb2,0xe5,0x8a,
+	0x9e,0x85,0x83,0xcc,0x04,0xf1,0x56,0x78,0x44,0x5e,
+	0xde,0xe0,0x60,0x1a,0x65,0x79,0x31,0x23,0x05,0xbb,
+	0x01,0xff,0xdd,0x2e,0xb7,0xb3,0xaa,0x74,0xe0,0xa5,
+	0x94,0xaf,0x4b,0xde,0x58,0x0f,0x55,0xde,0x33,0xf6,
+	0xe3,0xd6,0x34,0x36,0x57,0xd6,0x79,0x91,0x2e,0xbe,
+	0x3b,0xd9,0x4e,0xb6,0x9d,0x21,0x5c,0xd3,0x48,0x14,
+	0x7f,0x4a,0xc4,0x60,0xa9,0x29,0xf8,0x53,0x7f,0x88,
+	0x11,0x2d,0xb5,0xc5,0x2d,0x6f,0xee,0x85,0x0b,0xf7,
+	0x8d,0x9a,0xbe,0xb0,0x42,0xf2,0x2e,0x71,0xaf,0x19,
+	0x31,0x6d,0xec,0xcd,0x6f,0x2b,0x23,0xdf,0xb4,0x40,
+	0xaf,0x2c,0x0a,0xc3,0x1b,0x7d,0x7d,0x03,0x1d,0x4b,
+	0xf3,0xb5,0xe0,0x85,0xd8,0xdf,0x91,0x6b,0x0a,0x69,
+	0xf7,0xf2,0x69,0x66,0x5b,0xf1,0xcf,0x46,0x7d,0xe9,
+	0x70,0xfa,0x6d,0x7e,0x75,0x4e,0xa9,0x77,0xe6,0x8c,
+	0x02,0xf7,0x14,0x4d,0xa5,0x41,0x8f,0x3f,0xc1,0x62,
+	0x1e,0x71,0x5e,0x38,0xb4,0xd6,0xe6,0xe1,0x4b,0xc2,
+	0x2c,0x30,0x83,0x81,0x6f,0x49,0x2e,0x96,0xe6,0xc9,
+	0x9a,0xf7,0x5d,0x09,0xa0,0x55,0x02,0xa5,0x3a,0x25,
+	0x23,0xd0,0x92,0xc3,0xa3,0xe3,0x0e,0x12,0x2f,0x4d,
+	0xef,0xf3,0x55,0x5a,0xbe,0xe6,0x19,0x86,0x31,0xab,
+	0x75,0x9a,0xd3,0xf0,0x2c,0xc5,0x41,0x92,0xd9,0x1f,
+	0x5f,0x11,0x8c,0x75,0x1c,0x63,0xd0,0x02,0x80,0x2c,
+	0x68,0xcb,0x93,0xfb,0x51,0x73,0x49,0xb4,0x60,0xda,
+	0xe2,0x26,0xaf,0xa9,0x46,0x12,0xb8,0xec,0x50,0xdd,
+	0x12,0x06,0x5f,0xce,0x59,0xe6,0xf6,0x1c,0xe0,0x54,
+	0x10,0xad,0xf6,0xcd,0x98,0xcc,0x0f,0xfb,0xcb,0x41,
+	0x14,0x9d,0xed,0xe4,0xb4,0x74,0x5f,0x09,0x60,0xc7,
+	0x12,0xf6,0x7b,0x3c,0x8f,0xa7,0x20,0xbc,0xe4,0xb1,
+	0xef,0xeb,0xa4,0x93,0xc5,0x06,0xca,0x9a,0x27,0x9d,
+	0x87,0xf3,0xde,0xca,0xe5,0xe7,0xf6,0x1c,0x01,0x65,
+	0x5b,0xfb,0x19,0x79,0x6e,0x08,0x26,0xc5,0xc8,0x28,
+	0x0e,0xb6,0x3b,0x07,0x08,0xc1,0x02,0x82,0x01,0x01,
+	0x00,0xe8,0x1c,0x73,0xa6,0xb8,0xe0,0x0e,0x6d,0x8d,
+	0x1b,0xb9,0x53,0xed,0x58,0x94,0xe6,0x1d,0x60,0x14,
+	0x5c,0x76,0x43,0xc4,0x58,0x19,0xc4,0x24,0xe8,0xbc,
+	0x1b,0x3b,0x0b,0x13,0x24,0x45,0x54,0x0e,0xcc,0x37,
+	0xf0,0xe0,0x63,0x7d,0xc3,0xf7,0xfb,0x81,0x74,0x81,
+	0xc4,0x0f,0x1a,0x21,0x48,0xaf,0xce,0xc1,0xc4,0x94,
+	0x18,0x06,0x44,0x8d,0xd3,0xd2,0x22,0x2d,0x2d,0x3e,
+	0x5a,0x31,0xdc,0x95,0x8e,0xf4,0x41,0xfc,0x58,0xc9,
+	0x40,0x92,0x17,0x5f,0xe3,0xda,0xac,0x9e,0x3f,0x1c,
+	0x2a,0x6b,0x58,0x5f,0x48,0x78,0x20,0xb1,0xaf,0x24,
+	0x9b,0x3c,0x20,0x8b,0x93,0x25,0x9e,0xe6,0x6b,0xbc,
+	0x13,0x42,0x14,0x6c,0x36,0x31,0xff,0x7a,0xd1,0xc1,
+	0x1a,0x26,0x14,0x7f,0xa9,0x76,0xa7,0x0c,0xf8,0xcc,
+	0xed,0x07,0x6a,0xd2,0xdf,0x62,0xee,0x0a,0x7c,0x84,
+	0xcb,0x49,0x90,0xb2,0x03,0x0d,0xa2,0x82,0x06,0x77,
+	0xf1,0xcd,0x67,0xf2,0x47,0x21,0x02,0x3f,0x43,0x21,
+	0xf0,0x46,0x30,0x62,0x51,0x72,0xb1,0xe7,0x48,0xc6,
+	0x67,0x12,0xcd,0x9e,0xd6,0x15,0xe5,0x21,0xed,0xfa,
+	0x8f,0x30,0xa6,0x41,0xfe,0xb6,0xfa,0x8f,0x34,0x14,
+	0x19,0xe8,0x11,0xf7,0xa5,0x77,0x3e,0xb7,0xf9,0x39,
+	0x07,0x8c,0x67,0x2a,0xab,0x7b,0x08,0xf8,0xb0,0x06,
+	0xa8,0xea,0x2f,0x8f,0xfa,0xcc,0xcc,0x40,0xce,0xf3,
+	0x70,0x4f,0x3f,0x7f,0xe2,0x0c,0xea,0x76,0x4a,0x35,
+	0x4e,0x47,0xad,0x2b,0xa7,0x97,0x5d,0x74,0x43,0x97,
+	0x90,0xd2,0xfb,0xd9,0xf9,0x96,0x01,0x33,0x05,0xed,
+	0x7b,0x03,0x05,0xad,0xf8,0x49,0x03,0x02,0x82,0x01,
+	0x01,0x00,0xd4,0x40,0x17,0x66,0x10,0x92,0x95,0xc8,
+	0xec,0x62,0xa9,0x7a,0xcb,0x93,0x8e,0xe6,0x53,0xd4,
+	0x80,0x48,0x27,0x4b,0x41,0xce,0x61,0xdf,0xbf,0x94,
+	0xa4,0x3d,0x71,0x03,0x0b,0xed,0x25,0x71,0x98,0xa4,
+	0xd6,0xd5,0x4a,0x57,0xf5,0x6c,0x1b,0xda,0x21,0x7d,
+	0x35,0x45,0xb3,0xf3,0x6a,0xd9,0xd3,0x43,0xe8,0x5c,
+	0x54,0x1c,0x83,0x1b,0xb4,0x5f,0xf2,0x97,0x24,0x2e,
+	0xdc,0x40,0xde,0x92,0x23,0x59,0x8e,0xbc,0xd2,0xa1,
+	0xf2,0xe0,0x4c,0xdd,0x0b,0xd1,0xe7,0xae,0x65,0xbc,
+	0xb5,0xf5,0x5b,0x98,0xe9,0xd7,0xc2,0xb7,0x0e,0x55,
+	0x71,0x0e,0x3c,0x0a,0x24,0x6b,0xa6,0xe6,0x14,0x61,
+	0x11,0xfd,0x33,0x42,0x99,0x2b,0x84,0x77,0x74,0x92,
+	0x91,0xf5,0x79,0x79,0xcf,0xad,0x8e,0x04,0xef,0x80,
+	0x1e,0x57,0xf4,0x14,0xf5,0x35,0x09,0x74,0xb2,0x13,
+	0x71,0x58,0x6b,0xea,0x32,0x5d,0xf3,0xd3,0x76,0x48,
+	0x39,0x10,0x23,0x84,0x9d,0xbe,0x92,0x77,0x4a,0xed,
+	0x70,0x3e,0x1a,0xa2,0x6c,0xb3,0x81,0x00,0xc3,0xc9,
+	0xe4,0x52,0xc8,0x24,0x88,0x0c,0x41,0xad,0x87,0x5a,
+	0xea,0xa3,0x7a,0x85,0x1c,0x5e,0x31,0x7f,0xc3,0x35,
+	0xc6,0xfa,0x10,0xc8,0x75,0x10,0xc4,0x96,0x99,0xe7,
+	0xfe,0x01,0xb4,0x74,0xdb,0xb4,0x11,0xc3,0xc8,0x8c,
+	0xf6,0xf7,0x3b,0x66,0x50,0xfc,0xdb,0xeb,0xca,0x47,
+	0x85,0x89,0xe1,0x65,0xd9,0x62,0x34,0x3c,0x70,0xd8,
+	0x2e,0xb4,0x2f,0x65,0x3c,0x4a,0xa6,0x2a,0xe7,0xc7,
+	0xd8,0x41,0x8f,0x8a,0x43,0xbf,0x42,0xf2,0x4d,0xbc,
+	0xfc,0x9e,0x27,0x95,0xfb,0x75,0xff,0xab,0x02,0x82,
+	0x01,0x00,0x41,0x2f,0x44,0x57,0x6d,0x12,0x17,0x5b,
+	0x32,0xc6,0xb7,0x6c,0x57,0x7a,0x8a,0x0e,0x79,0xef,
+	0x72,0xa8,0x68,0xda,0x2d,0x38,0xe4,0xbb,0x8d,0xf6,
+	0x02,0x65,0xcf,0x56,0x13,0xe1,0x1a,0xcb,0x39,0x80,
+	0xa6,0xb1,0x32,0x03,0x1e,0xdd,0xbb,0x35,0xd9,0xac,
+	0x43,0x89,0x31,0x08,0x90,0x92,0x5e,0x35,0x3d,0x7b,
+	0x9c,0x6f,0x86,0xcb,0x17,0xdd,0x85,0xe4,0xed,0x35,
+	0x08,0x8e,0xc1,0xf4,0x05,0xd8,0x68,0xc6,0x63,0x3c,
+	0xf7,0xff,0xf7,0x47,0x33,0x39,0xc5,0x3e,0xb7,0x0e,
+	0x58,0x35,0x9d,0x81,0xea,0xf8,0x6a,0x2c,0x1c,0x5a,
+	0x68,0x78,0x64,0x11,0x6b,0xc1,0x3e,0x4e,0x7a,0xbd,
+	0x84,0xcb,0x0f,0xc2,0xb6,0x85,0x1d,0xd3,0x76,0xc5,
+	0x93,0x6a,0x69,0x89,0x56,0x34,0xdc,0x4a,0x9b,0xbc,
+	0xff,0xa8,0x0d,0x6e,0x35,0x9c,0x60,0xa7,0x23,0x30,
+	0xc7,0x06,0x64,0x39,0x8b,0x94,0x89,0xee,0xba,0x7f,
+	0x60,0x8d,0xfa,0xb6,0x97,0x76,0xdc,0x51,0x4a,0x3c,
+	0xeb,0x3a,0x14,0x2c,0x20,0x60,0x69,0x4a,0x86,0xfe,
+	0x8c,0x21,0x84,0x49,0x54,0xb3,0x20,0xe1,0x01,0x7f,
+	0x58,0xdf,0x7f,0xb5,0x21,0x51,0x8c,0x47,0x9f,0x91,
+	0xeb,0x97,0x3e,0xf2,0x54,0xcf,0x16,0x46,0xf9,0xd9,
+	0xb6,0xe7,0x64,0xc9,0xd0,0x54,0xea,0x2f,0xa1,0xcf,
+	0xa5,0x7f,0x28,0x8d,0x84,0xec,0xd5,0x39,0x03,0x76,
+	0x5b,0x2d,0x8e,0x43,0xf2,0x01,0x24,0xc9,0x6f,0xc0,
+	0xf5,0x69,0x6f,0x7d,0xb5,0x85,0xd2,0x5f,0x7f,0x78,
+	0x40,0x07,0x7f,0x09,0x15,0xb5,0x1f,0x28,0x65,0x10,
+	0xe4,0x19,0xa8,0xc6,0x9e,0x8d,0xdc,0xcb,0x02,0x82,
+	0x01,0x00,0x13,0x01,0xee,0x56,0x80,0x93,0x70,0x00,
+	0x7f,0x52,0xd2,0x94,0xa1,0x98,0x84,0x4a,0x92,0x25,
+	0x4c,0x9b,0xa9,0x91,0x2e,0xc2,0x79,0xb7,0x5c,0xe3,
+	0xc5,0xd5,0x8e,0xc2,0x54,0x16,0x17,0xad,0x55,0x9b,
+	0x25,0x76,0x12,0x63,0x50,0x22,0x2f,0x58,0x58,0x79,
+	0x6b,0x04,0xe3,0xf9,0x9f,0x8f,0x04,0x41,0x67,0x94,
+	0xa5,0x1f,0xac,0x8a,0x15,0x9c,0x26,0x10,0x6c,0xf8,
+	0x19,0x57,0x61,0xd7,0x3a,0x7d,0x31,0xb0,0x2d,0x38,
+	0xbd,0x94,0x62,0xad,0xc4,0xfa,0x36,0x42,0x42,0xf0,
+	0x24,0x67,0x65,0x9d,0x8b,0x0b,0x7c,0x6f,0x82,0x44,
+	0x1a,0x8c,0xc8,0xc9,0xab,0xbb,0x4c,0x45,0xfc,0x7b,
+	0x38,0xee,0x30,0xe1,0xfc,0xef,0x8d,0xbc,0x58,0xdf,
+	0x2b,0x5d,0x0d,0x54,0xe0,0x49,0x4d,0x97,0x99,0x8f,
+	0x22,0xa8,0x83,0xbe,0x40,0xbb,0x50,0x2e,0x78,0x28,
+	0x0f,0x95,0x78,0x8c,0x8f,0x98,0x24,0x56,0xc2,0x97,
+	0xf3,0x2c,0x43,0xd2,0x03,0x82,0x66,0x81,0x72,0x5f,
+	0x53,0x16,0xec,0xb1,0xb1,0x04,0x5e,0x40,0x20,0x48,
+	0x7b,0x3f,0x02,0x97,0x6a,0xeb,0x96,0x12,0x21,0x35,
+	0xfe,0x1f,0x47,0xc0,0x95,0xea,0xc5,0x8a,0x08,0x84,
+	0x4f,0x5e,0x63,0x94,0x60,0x0f,0x71,0x5b,0x7f,0x4a,
+	0xec,0x4f,0x60,0xc6,0xba,0x4a,0x24,0xf1,0x20,0x8b,
+	0xa7,0x2e,0x3a,0xce,0x8d,0xe0,0x27,0x1d,0xb5,0x8e,
+	0xb4,0x21,0xc5,0xe2,0xa6,0x16,0x0a,0x51,0x83,0x55,
+	0x88,0xd1,0x30,0x11,0x63,0xd5,0xd7,0x8d,0xae,0x16,
+	0x12,0x82,0xc4,0x85,0x00,0x4e,0x27,0x83,0xa5,0x7c,
+	0x90,0x2e,0xe5,0xa2,0xa3,0xd3,0x4c,0x63,0x02,0x82,
+	0x01,0x01,0x00,0x86,0x08,0x98,0x98,0xa5,0x00,0x05,
+	0x39,0x77,0xd9,0x66,0xb3,0xcf,0xca,0xa0,0x71,0xb3,
+	0x50,0xce,0x3d,0xb1,0x93,0x95,0x35,0xc4,0xd4,0x2e,
+	0x90,0xdf,0x0f,0xfc,0x60,0xc1,0x94,0x68,0x61,0x43,
+	0xca,0x9a,0x23,0x4a,0x1e,0x45,0x72,0x99,0xb5,0x1e,
+	0x61,0x8d,0x77,0x0f,0xa0,0xbb,0xd7,0x77,0xb4,0x2a,
+	0x15,0x11,0x88,0x2d,0xb3,0x56,0x61,0x5e,0x6a,0xed,
+	0xa4,0x46,0x4a,0x3f,0x50,0x11,0xd6,0xba,0xb6,0xd7,
+	0x95,0x65,0x53,0xc3,0xa1,0x8f,0xe0,0xa3,0xf5,0x1c,
+	0xfd,0xaf,0x6e,0x43,0xd7,0x17,0xa7,0xd3,0x81,0x1b,
+	0xa4,0xdf,0xe0,0x97,0x8a,0x46,0x03,0xd3,0x46,0x0e,
+	0x83,0x48,0x4e,0xd2,0x02,0xcb,0xc0,0xad,0x79,0x95,
+	0x8c,0x96,0xba,0x40,0x34,0x11,0x71,0x5e,0xe9,0x11,
+	0xf9,0xc5,0x4a,0x5e,0x91,0x9d,0xf5,0x92,0x4f,0xeb,
+	0xc6,0x70,0x02,0x2d,0x3d,0x04,0xaa,0xe9,0x3a,0x8e,
+	0xd5,0xa8,0xad,0xf7,0xce,0x0d,0x16,0xb2,0xec,0x0a,
+	0x9c,0xf5,0x94,0x39,0xb9,0x8a,0xfc,0x1e,0xf9,0xcc,
+	0xf2,0x5f,0x21,0x31,0x74,0x72,0x6b,0x64,0xae,0x35,
+	0x61,0x8d,0x0d,0xcb,0xe7,0xda,0x39,0xca,0xf3,0x21,
+	0x66,0x0b,0x95,0xd7,0x0a,0x7c,0xca,0xa1,0xa9,0x5a,
+	0xe8,0xac,0xe0,0x71,0x54,0xaf,0x28,0xcf,0xd5,0x70,
+	0x89,0xe0,0xf3,0x9e,0x43,0x6c,0x8d,0x7b,0x99,0x01,
+	0x68,0x4d,0xa1,0x45,0x46,0x0c,0x43,0xbc,0xcc,0x2c,
+	0xdd,0xc5,0x46,0xc8,0x4e,0x0e,0xbe,0xed,0xb9,0x26,
+	0xab,0x2e,0xdb,0xeb,0x8f,0xff,0xdb,0xb0,0xc6,0x55,
+	0xaf,0xf8,0x2a,0x91,0x9d,0x50,0x44,0x21,0x17,
+	};
diff --git a/crypto/openssl/apps/tkca b/crypto/openssl/apps/tkca
new file mode 100644
index 0000000..bdaf216
--- /dev/null
+++ b/crypto/openssl/apps/tkca
@@ -0,0 +1,66 @@
+#!/usr/local/bin/perl5
+#
+# This is only something I'm playing with, it does not work :-)
+#
+
+use Tk;
+
+my $main=MainWindow->new();
+my $f=$main->Frame(-relief => "ridge", -borderwidth => 2);
+$f->pack(-fill => 'x');
+
+my $ff=$f->Frame;
+$ff->pack(-fill => 'x');
+my $l=$ff->Label(-text => "TkCA - SSLeay",
+	-relief => "ridge", -borderwidth => 2);
+$l->pack(-fill => 'x', -ipady => 5);
+
+my $l=$ff->Button(-text => "Certify");
+$l->pack(-fill => 'x', -ipady => 5);
+
+my $l=$ff->Button(-text => "Review");
+$l->pack(-fill => 'x', -ipady => 5);
+
+my $l=$ff->Button(-text => "Revoke");
+$l->pack(-fill => 'x', -ipady => 5);
+
+my $l=$ff->Button(-text => "Generate CRL");
+$l->pack(-fill => 'x', -ipady => 5);
+
+my($db)=&load_db("demoCA/index.txt");
+
+MainLoop;
+
+sub load_db
+	{
+	my(%ret);
+	my($file)=@_;
+	my(*IN);
+	my(%db_serial,%db_name,@f,@db_s);
+
+	$ret{'serial'}=\%db_serial;
+	$ret{'name'}=\%db_name;
+
+	open(IN,"<$file") || die "unable to open $file:$!\n";
+	while (<IN>)
+		{
+		chop;
+		s/([^\\])\t/\1\t\t/g;
+		my(@f)=split(/\t\t/);
+		die "wrong number of fields in $file, line $.\n"
+			if ($#f != 5);
+
+		my(%f);
+		$f{'type'}=$f[0];
+		$f{'exp'}=$f[1];
+		$f{'rev'}=$f[2];
+		$f{'serial'}=$f[3];
+		$f{'file'}=$f[4];
+		$f{'name'}=$f[5];
+		die "serial number $f{'serial'} appears twice (line $.)\n"
+			if (defined($db{$f{'serial'}}))
+		$db_serial{$f{'serial'}}=\%f;
+		$db_name{$f{'name'}}.=$f{'serial'}." ";
+		}
+	return \%ret;
+	}
diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c
new file mode 100644
index 0000000..267ee4e
--- /dev/null
+++ b/crypto/openssl/apps/verify.c
@@ -0,0 +1,338 @@
+/* apps/verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	verify_main
+
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
+static int check(X509_STORE *ctx,char *file, STACK_OF(X509)*other, int purpose);
+static STACK_OF(X509) *load_untrusted(char *file);
+static int v_verbose=0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,ret=1;
+	int purpose = -1;
+	char *CApath=NULL,*CAfile=NULL;
+	char *untfile = NULL;
+	STACK_OF(X509) *untrusted = NULL;
+	X509_STORE *cert_ctx=NULL;
+	X509_LOOKUP *lookup=NULL;
+
+	cert_ctx=X509_STORE_new();
+	if (cert_ctx == NULL) goto end;
+	X509_STORE_set_verify_cb_func(cert_ctx,cb);
+
+	ERR_load_crypto_strings();
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	argc--;
+	argv++;
+	for (;;)
+		{
+		if (argc >= 1)
+			{
+			if (strcmp(*argv,"-CApath") == 0)
+				{
+				if (argc-- < 1) goto end;
+				CApath= *(++argv);
+				}
+			else if (strcmp(*argv,"-CAfile") == 0)
+				{
+				if (argc-- < 1) goto end;
+				CAfile= *(++argv);
+				}
+			else if (strcmp(*argv,"-purpose") == 0)
+				{
+				X509_PURPOSE *xptmp;
+				if (argc-- < 1) goto end;
+				i = X509_PURPOSE_get_by_sname(*(++argv));
+				if(i < 0)
+					{
+					BIO_printf(bio_err, "unrecognized purpose\n");
+					goto end;
+					}
+				xptmp = X509_PURPOSE_get0(i);
+				purpose = X509_PURPOSE_get_id(xptmp);
+				}
+			else if (strcmp(*argv,"-untrusted") == 0)
+				{
+				if (argc-- < 1) goto end;
+				untfile= *(++argv);
+				}
+			else if (strcmp(*argv,"-help") == 0)
+				goto end;
+			else if (strcmp(*argv,"-verbose") == 0)
+				v_verbose=1;
+			else if (argv[0][0] == '-')
+				goto end;
+			else
+				break;
+			argc--;
+			argv++;
+			}
+		else
+			break;
+		}
+
+	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
+	if (lookup == NULL) abort();
+	if (CAfile) {
+		i=X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM);
+		if(!i) {
+			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+		
+	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir());
+	if (lookup == NULL) abort();
+	if (CApath) {
+		i=X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM);
+		if(!i) {
+			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+	ERR_clear_error();
+
+	if(untfile) {
+		if(!(untrusted = load_untrusted(untfile))) {
+			BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if (argc < 1) check(cert_ctx, NULL, untrusted, purpose);
+	else
+		for (i=0; i<argc; i++)
+			check(cert_ctx,argv[i], untrusted, purpose);
+	ret=0;
+end:
+	if (ret == 1) {
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"recognized usages:\n");
+		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+			X509_PURPOSE *ptmp;
+			ptmp = X509_PURPOSE_get0(i);
+			BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
+								X509_PURPOSE_get0_name(ptmp));
+		}
+	}
+	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
+	sk_X509_pop_free(untrusted, X509_free);
+	EXIT(ret);
+	}
+
+static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpose)
+	{
+	X509 *x=NULL;
+	BIO *in=NULL;
+	int i=0,ret=0;
+	X509_STORE_CTX *csc;
+
+	in=BIO_new(BIO_s_file());
+	if (in == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+
+	x=PEM_read_bio_X509(in,NULL,NULL,NULL);
+	if (x == NULL)
+		{
+		fprintf(stdout,"%s: unable to load certificate file\n",
+			(file == NULL)?"stdin":file);
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	fprintf(stdout,"%s: ",(file == NULL)?"stdin":file);
+
+	csc = X509_STORE_CTX_new();
+	if (csc == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	X509_STORE_CTX_init(csc,ctx,x,uchain);
+	if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
+	i=X509_verify_cert(csc);
+	X509_STORE_CTX_free(csc);
+
+	ret=0;
+end:
+	if (i)
+		{
+		fprintf(stdout,"OK\n");
+		ret=1;
+		}
+	else
+		ERR_print_errors(bio_err);
+	if (x != NULL) X509_free(x);
+	if (in != NULL) BIO_free(in);
+
+	return(ret);
+	}
+
+static STACK_OF(X509) *load_untrusted(char *certfile)
+{
+	STACK_OF(X509_INFO) *sk=NULL;
+	STACK_OF(X509) *stack=NULL, *ret=NULL;
+	BIO *in=NULL;
+	X509_INFO *xi;
+
+	if(!(stack = sk_X509_new_null())) {
+		BIO_printf(bio_err,"memory allocation failure\n");
+		goto end;
+	}
+
+	if(!(in=BIO_new_file(certfile, "r"))) {
+		BIO_printf(bio_err,"error opening the file, %s\n",certfile);
+		goto end;
+	}
+
+	/* This loads from a file, a stack of x509/crl/pkey sets */
+	if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) {
+		BIO_printf(bio_err,"error reading the file, %s\n",certfile);
+		goto end;
+	}
+
+	/* scan over it and pull out the certs */
+	while (sk_X509_INFO_num(sk))
+		{
+		xi=sk_X509_INFO_shift(sk);
+		if (xi->x509 != NULL)
+			{
+			sk_X509_push(stack,xi->x509);
+			xi->x509=NULL;
+			}
+		X509_INFO_free(xi);
+		}
+	if(!sk_X509_num(stack)) {
+		BIO_printf(bio_err,"no certificates in file, %s\n",certfile);
+		sk_X509_free(stack);
+		goto end;
+	}
+	ret=stack;
+end:
+	BIO_free(in);
+	sk_X509_INFO_free(sk);
+	return(ret);
+	}
+
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
+	{
+	char buf[256];
+
+	if (!ok)
+		{
+		X509_NAME_oneline(
+				X509_get_subject_name(ctx->current_cert),buf,256);
+		printf("%s\n",buf);
+		printf("error %d at %d depth lookup:%s\n",ctx->error,
+			ctx->error_depth,
+			X509_verify_cert_error_string(ctx->error));
+		if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;
+		/* since we are just checking the certificates, it is
+		 * ok if they are self signed. But we should still warn
+		 * the user.
+ 		 */
+		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
+		/* Continue after extension errors too */
+		if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
+		if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
+		if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
+		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
+		}
+	if (!v_verbose)
+		ERR_clear_error();
+	return(ok);
+	}
+
diff --git a/crypto/openssl/apps/version.c b/crypto/openssl/apps/version.c
new file mode 100644
index 0000000..f5c9adc
--- /dev/null
+++ b/crypto/openssl/apps/version.c
@@ -0,0 +1,132 @@
+/* apps/version.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/evp.h>
+#include <openssl/crypto.h>
+
+#undef PROG
+#define PROG	version_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int i,ret=0;
+	int cflags=0,version=0,date=0,options=0,platform=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (argc == 1) version=1;
+	for (i=1; i<argc; i++)
+		{
+		if (strcmp(argv[i],"-v") == 0)
+			version=1;	
+		else if (strcmp(argv[i],"-b") == 0)
+			date=1;
+		else if (strcmp(argv[i],"-f") == 0)
+			cflags=1;
+		else if (strcmp(argv[i],"-o") == 0)
+			options=1;
+		else if (strcmp(argv[i],"-p") == 0)
+			platform=1;
+		else if (strcmp(argv[i],"-a") == 0)
+			date=version=cflags=options=platform=1;
+		else
+			{
+			BIO_printf(bio_err,"usage:version -[avbofp]\n");
+			ret=1;
+			goto end;
+			}
+		}
+
+	if (version) printf("%s\n",SSLeay_version(SSLEAY_VERSION));
+	if (date)    printf("%s\n",SSLeay_version(SSLEAY_BUILT_ON));
+	if (platform) printf("%s\n",SSLeay_version(SSLEAY_PLATFORM));
+	if (options) 
+		{
+		printf("options:  ");
+		printf("%s ",BN_options());
+#ifndef NO_MD2
+		printf("%s ",MD2_options());
+#endif
+#ifndef NO_RC4
+		printf("%s ",RC4_options());
+#endif
+#ifndef NO_DES
+		printf("%s ",des_options());
+#endif
+#ifndef NO_IDEA
+		printf("%s ",idea_options());
+#endif
+#ifndef NO_BF
+		printf("%s ",BF_options());
+#endif
+		printf("\n");
+		}
+	if (cflags)  printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
+end:
+	EXIT(ret);
+	}
diff --git a/crypto/openssl/apps/winrand.c b/crypto/openssl/apps/winrand.c
new file mode 100644
index 0000000..d042258
--- /dev/null
+++ b/crypto/openssl/apps/winrand.c
@@ -0,0 +1,149 @@
+/* apps/winrand.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Usage: winrand [filename]
+ *
+ * Collects entropy from mouse movements and other events and writes
+ * random data to filename or .rnd
+ */
+
+#include <windows.h>
+#include <openssl/opensslv.h>
+#include <openssl/rand.h>
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+const char *filename;
+
+int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
+        PSTR cmdline, int iCmdShow)
+	{
+	static char appname[] = "OpenSSL";
+	HWND hwnd;
+	MSG msg;
+	WNDCLASSEX wndclass;
+        char buffer[200];
+
+        if (cmdline[0] == '\0')
+                filename = RAND_file_name(buffer, sizeof buffer);
+        else
+                filename = cmdline;
+
+        RAND_load_file(filename, -1);
+
+	wndclass.cbSize = sizeof(wndclass);
+	wndclass.style = CS_HREDRAW | CS_VREDRAW;
+	wndclass.lpfnWndProc = WndProc;
+	wndclass.cbClsExtra = 0;
+	wndclass.cbWndExtra = 0;
+	wndclass.hInstance = hInstance;
+	wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
+	wndclass.hCursor = LoadCursor(NULL, IDC_ARROW);
+	wndclass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH);
+	wndclass.lpszMenuName = NULL;
+        wndclass.lpszClassName = appname;
+	wndclass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
+	RegisterClassEx(&wndclass);
+
+        hwnd = CreateWindow(appname, OPENSSL_VERSION_TEXT,
+		WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,
+		CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInstance, NULL);
+
+	ShowWindow(hwnd, iCmdShow);
+	UpdateWindow(hwnd);
+
+
+	while (GetMessage(&msg, NULL, 0, 0))
+		{
+		TranslateMessage(&msg);
+		DispatchMessage(&msg);
+		}
+
+	return msg.wParam;
+	}
+
+LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
+	{
+        HDC hdc;
+	PAINTSTRUCT ps;
+        RECT rect;
+        char buffer[200];
+        static int seeded = 0;
+
+	switch (iMsg)
+		{
+	case WM_PAINT:
+		hdc = BeginPaint(hwnd, &ps);
+		GetClientRect(hwnd, &rect);
+                DrawText(hdc, "Seeding the PRNG. Please move the mouse!", -1,
+			&rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
+		EndPaint(hwnd, &ps);
+		return 0;
+		
+        case WM_DESTROY:
+                PostQuitMessage(0);
+                return 0;
+                }
+
+        if (RAND_event(iMsg, wParam, lParam) == 1 && seeded == 0)
+                {
+                seeded = 1;
+                if (RAND_write_file(filename) <= 0)
+                        MessageBox(hwnd, "Couldn't write random file!",
+				"OpenSSL", MB_OK | MB_ICONERROR);
+                PostQuitMessage(0);
+                }
+
+	return DefWindowProc(hwnd, iMsg, wParam, lParam);
+	}
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
new file mode 100644
index 0000000..2d63841
--- /dev/null
+++ b/crypto/openssl/apps/x509.c
@@ -0,0 +1,1257 @@
+/* apps/x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef NO_STDIO
+#define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG x509_main
+
+#undef POSTFIX
+#define	POSTFIX	".srl"
+#define DEF_DAYS	30
+
+#define CERT_HDR	"certificate"
+
+static char *x509_usage[]={
+"usage: x509 args\n",
+" -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
+" -outform arg    - output format - default PEM (one of DER, NET or PEM)\n",
+" -keyform arg    - private key format - default PEM\n",
+" -CAform arg     - CA format - default PEM\n",
+" -CAkeyform arg  - CA key format - default PEM\n",
+" -in arg         - input file - default stdin\n",
+" -out arg        - output file - default stdout\n",
+" -passin arg     - private key password source\n",
+" -serial         - print serial number value\n",
+" -hash           - print hash value\n",
+" -subject        - print subject DN\n",
+" -issuer         - print issuer DN\n",
+" -startdate      - notBefore field\n",
+" -enddate        - notAfter field\n",
+" -purpose        - print out certificate purposes\n",
+" -dates          - both Before and After dates\n",
+" -modulus        - print the RSA key modulus\n",
+" -pubkey         - output the public key\n",
+" -fingerprint    - print the certificate fingerprint\n",
+" -alias          - output certificate alias\n",
+" -noout          - no certificate output\n",
+" -trustout       - output a \"trusted\" certificate\n",
+" -clrtrust       - clear all trusted purposes\n",
+" -clrreject      - clear all rejected purposes\n",
+" -addtrust arg   - trust certificate for a given purpose\n",
+" -addreject arg  - reject certificate for a given purpose\n",
+" -setalias arg   - set certificate alias\n",
+" -days arg       - How long till expiry of a signed certificate - def 30 days\n",
+" -signkey arg    - self sign cert with arg\n",
+" -x509toreq      - output a certification request object\n",
+" -req            - input is a certificate request, sign and output.\n",
+" -CA arg         - set the CA certificate, must be PEM format.\n",
+" -CAkey arg      - set the CA key, must be PEM format\n",
+"                   missing, it is assumed to be in the CA file.\n",
+" -CAcreateserial - create serial number file if it does not exist\n",
+" -CAserial       - serial file\n",
+" -text           - print the certificate in text form\n",
+" -C              - print out C code forms\n",
+" -md2/-md5/-sha1/-mdc2 - digest to use\n",
+" -extfile        - configuration file with X509V3 extensions to add\n",
+" -extensions     - section from config file with X509V3 extensions to add\n",
+" -clrext         - delete extensions before signing and input certificate\n",
+NULL
+};
+
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
+static EVP_PKEY *load_key(char *file, int format, char *passin);
+static X509 *load_cert(char *file, int format);
+static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
+						LHASH *conf, char *section);
+static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
+			 X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
+			 int create,int days, int clrext, LHASH *conf, char *section);
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
+static int reqfile=0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	int ret=1;
+	X509_REQ *req=NULL;
+	X509 *x=NULL,*xca=NULL;
+	ASN1_OBJECT *objtmp;
+	EVP_PKEY *Upkey=NULL,*CApkey=NULL;
+	int i,num,badops=0;
+	BIO *out=NULL;
+	BIO *STDout=NULL;
+	STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
+	int informat,outformat,keyformat,CAformat,CAkeyformat;
+	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
+	char *CAkeyfile=NULL,*CAserial=NULL;
+	char *alias=NULL;
+	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
+	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
+	int C=0;
+	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+	int pprint = 0;
+	char **pp;
+	X509_STORE *ctx=NULL;
+	X509_REQ *rq=NULL;
+	int fingerprint=0;
+	char buf[256];
+	const EVP_MD *md_alg,*digest=EVP_md5();
+	LHASH *extconf = NULL;
+	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
+	int need_rand = 0;
+
+	reqfile=0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
+
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+	keyformat=FORMAT_PEM;
+	CAformat=FORMAT_PEM;
+	CAkeyformat=FORMAT_PEM;
+
+	ctx=X509_STORE_new();
+	if (ctx == NULL) goto end;
+	X509_STORE_set_verify_cb_func(ctx,callb);
+
+	argc--;
+	argv++;
+	num=0;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-keyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-req") == 0)
+			{
+			reqfile=1;
+			need_rand = 1;
+			}
+		else if (strcmp(*argv,"-CAform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-CAkeyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-days") == 0)
+			{
+			if (--argc < 1) goto bad;
+			days=atoi(*(++argv));
+			if (days == 0)
+				{
+				BIO_printf(STDout,"bad number of days\n");
+				goto bad;
+				}
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-extfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			extfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-extensions") == 0)
+			{
+			if (--argc < 1) goto bad;
+			extsect= *(++argv);
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-signkey") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keyfile= *(++argv);
+			sign_flag= ++num;
+			need_rand = 1;
+			}
+		else if (strcmp(*argv,"-CA") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			CA_flag= ++num;
+			need_rand = 1;
+			}
+		else if (strcmp(*argv,"-CAkey") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAkeyfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-CAserial") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAserial= *(++argv);
+			}
+		else if (strcmp(*argv,"-addtrust") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+				BIO_printf(bio_err,
+					"Invalid trust object value %s\n", *argv);
+				goto bad;
+			}
+			if(!trust) trust = sk_ASN1_OBJECT_new_null();
+			sk_ASN1_OBJECT_push(trust, objtmp);
+			trustout = 1;
+			}
+		else if (strcmp(*argv,"-addreject") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+				BIO_printf(bio_err,
+					"Invalid reject object value %s\n", *argv);
+				goto bad;
+			}
+			if(!reject) reject = sk_ASN1_OBJECT_new_null();
+			sk_ASN1_OBJECT_push(reject, objtmp);
+			trustout = 1;
+			}
+		else if (strcmp(*argv,"-setalias") == 0)
+			{
+			if (--argc < 1) goto bad;
+			alias= *(++argv);
+			trustout = 1;
+			}
+		else if (strcmp(*argv,"-setalias") == 0)
+			{
+			if (--argc < 1) goto bad;
+			alias= *(++argv);
+			trustout = 1;
+			}
+		else if (strcmp(*argv,"-C") == 0)
+			C= ++num;
+		else if (strcmp(*argv,"-serial") == 0)
+			serial= ++num;
+		else if (strcmp(*argv,"-modulus") == 0)
+			modulus= ++num;
+		else if (strcmp(*argv,"-pubkey") == 0)
+			pubkey= ++num;
+		else if (strcmp(*argv,"-x509toreq") == 0)
+			x509req= ++num;
+		else if (strcmp(*argv,"-text") == 0)
+			text= ++num;
+		else if (strcmp(*argv,"-hash") == 0)
+			hash= ++num;
+		else if (strcmp(*argv,"-subject") == 0)
+			subject= ++num;
+		else if (strcmp(*argv,"-issuer") == 0)
+			issuer= ++num;
+		else if (strcmp(*argv,"-fingerprint") == 0)
+			fingerprint= ++num;
+		else if (strcmp(*argv,"-dates") == 0)
+			{
+			startdate= ++num;
+			enddate= ++num;
+			}
+		else if (strcmp(*argv,"-purpose") == 0)
+			pprint= ++num;
+		else if (strcmp(*argv,"-startdate") == 0)
+			startdate= ++num;
+		else if (strcmp(*argv,"-enddate") == 0)
+			enddate= ++num;
+		else if (strcmp(*argv,"-noout") == 0)
+			noout= ++num;
+		else if (strcmp(*argv,"-trustout") == 0)
+			trustout= 1;
+		else if (strcmp(*argv,"-clrtrust") == 0)
+			clrtrust= ++num;
+		else if (strcmp(*argv,"-clrreject") == 0)
+			clrreject= ++num;
+		else if (strcmp(*argv,"-alias") == 0)
+			aliasout= ++num;
+		else if (strcmp(*argv,"-CAcreateserial") == 0)
+			CA_createserial= ++num;
+		else if (strcmp(*argv,"-clrext") == 0)
+			clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
+		else if (strcmp(*argv,"-crlext") == 0)
+			{
+			BIO_printf(bio_err,"use -clrext instead of -crlext\n");
+			clrext = 1;
+			}
+#endif
+		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
+			{
+			/* ok */
+			digest=md_alg;
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		for (pp=x509_usage; (*pp != NULL); pp++)
+			BIO_printf(bio_err,*pp);
+		goto end;
+		}
+
+	if (need_rand)
+		app_RAND_load_file(NULL, bio_err, 0);
+
+	ERR_load_crypto_strings();
+
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+	}
+
+	if (!X509_STORE_set_default_paths(ctx))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
+		{ CAkeyfile=CAfile; }
+	else if ((CA_flag) && (CAkeyfile == NULL))
+		{
+		BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
+		goto end;
+		}
+
+	if (extfile) {
+		long errorline;
+		X509V3_CTX ctx2;
+		if (!(extconf=CONF_load(NULL,extfile,&errorline))) {
+			if (errorline <= 0)
+				BIO_printf(bio_err,
+					"error loading the config file '%s'\n",
+								extfile);
+                	else
+                        	BIO_printf(bio_err,
+				       "error on line %ld of config file '%s'\n"
+							,errorline,extfile);
+			goto end;
+		}
+		if(!extsect && !(extsect = CONF_get_string(extconf, "default",
+					 "extensions"))) extsect = "default";
+		X509V3_set_ctx_test(&ctx2);
+		X509V3_set_conf_lhash(&ctx2, extconf);
+		if(!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL)) {
+			BIO_printf(bio_err,
+				"Error Loading extension section %s\n",
+								 extsect);
+			ERR_print_errors(bio_err);
+			goto end;
+                }
+	} 
+
+
+	if (reqfile)
+		{
+		EVP_PKEY *pkey;
+		X509_CINF *ci;
+		BIO *in;
+
+		if (!sign_flag && !CA_flag)
+			{
+			BIO_printf(bio_err,"We need a private key to sign with\n");
+			goto end;
+			}
+		in=BIO_new(BIO_s_file());
+		if (in == NULL)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		if (infile == NULL)
+			BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
+		else
+			{
+			if (BIO_read_filename(in,infile) <= 0)
+				{
+				perror(infile);
+				goto end;
+				}
+			}
+		req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
+		BIO_free(in);
+
+		if (req == NULL) { perror(infile); goto end; }
+
+		if (	(req->req_info == NULL) ||
+			(req->req_info->pubkey == NULL) ||
+			(req->req_info->pubkey->public_key == NULL) ||
+			(req->req_info->pubkey->public_key->data == NULL))
+			{
+			BIO_printf(bio_err,"The certificate request appears to corrupted\n");
+			BIO_printf(bio_err,"It does not contain a public key\n");
+			goto end;
+			}
+		if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
+	                {
+	                BIO_printf(bio_err,"error unpacking public key\n");
+	                goto end;
+	                }
+		i=X509_REQ_verify(req,pkey);
+		EVP_PKEY_free(pkey);
+		if (i < 0)
+			{
+			BIO_printf(bio_err,"Signature verification error\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+	        if (i == 0)
+			{
+			BIO_printf(bio_err,"Signature did not match the certificate request\n");
+			goto end;
+			}
+		else
+			BIO_printf(bio_err,"Signature ok\n");
+		
+		X509_NAME_oneline(req->req_info->subject,buf,256);
+		BIO_printf(bio_err,"subject=%s\n",buf);
+
+		if ((x=X509_new()) == NULL) goto end;
+		ci=x->cert_info;
+
+		if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
+		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
+		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
+
+		X509_gmtime_adj(X509_get_notBefore(x),0);
+	        X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
+
+		pkey = X509_REQ_get_pubkey(req);
+		X509_set_pubkey(x,pkey);
+		EVP_PKEY_free(pkey);
+		}
+	else
+		x=load_cert(infile,informat);
+
+	if (x == NULL) goto end;
+	if (CA_flag)
+		{
+		xca=load_cert(CAfile,CAformat);
+		if (xca == NULL) goto end;
+		}
+
+	if (!noout || text)
+		{
+		OBJ_create("2.99999.3",
+			"SET.ex3","SET x509v3 extension 3");
+
+		out=BIO_new(BIO_s_file());
+		if (out == NULL)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (outfile == NULL)
+			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+		else
+			{
+			if (BIO_write_filename(out,outfile) <= 0)
+				{
+				perror(outfile);
+				goto end;
+				}
+			}
+		}
+
+	if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
+
+	if(clrtrust) X509_trust_clear(x);
+	if(clrreject) X509_reject_clear(x);
+
+	if(trust) {
+		for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+			objtmp = sk_ASN1_OBJECT_value(trust, i);
+			X509_add1_trust_object(x, objtmp);
+		}
+	}
+
+	if(reject) {
+		for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+			objtmp = sk_ASN1_OBJECT_value(reject, i);
+			X509_add1_reject_object(x, objtmp);
+		}
+	}
+
+	if (num)
+		{
+		for (i=1; i<=num; i++)
+			{
+			if (issuer == i)
+				{
+				X509_NAME_oneline(X509_get_issuer_name(x),
+					buf,256);
+				BIO_printf(STDout,"issuer= %s\n",buf);
+				}
+			else if (subject == i) 
+				{
+				X509_NAME_oneline(X509_get_subject_name(x),
+					buf,256);
+				BIO_printf(STDout,"subject=%s\n",buf);
+				}
+			else if (serial == i)
+				{
+				BIO_printf(STDout,"serial=");
+				i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
+				BIO_printf(STDout,"\n");
+				}
+			else if (aliasout == i)
+				{
+				unsigned char *alstr;
+				alstr = X509_alias_get0(x, NULL);
+				if(alstr) BIO_printf(STDout,"%s\n", alstr);
+				else BIO_puts(STDout,"<No Alias>\n");
+				}
+			else if (hash == i)
+				{
+				BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
+				}
+			else if (pprint == i)
+				{
+				X509_PURPOSE *ptmp;
+				int j;
+				BIO_printf(STDout, "Certificate purposes:\n");
+				for(j = 0; j < X509_PURPOSE_get_count(); j++)
+					{
+					ptmp = X509_PURPOSE_get0(j);
+					purpose_print(STDout, x, ptmp);
+					}
+				}
+			else
+				if (modulus == i)
+				{
+				EVP_PKEY *pkey;
+
+				pkey=X509_get_pubkey(x);
+				if (pkey == NULL)
+					{
+					BIO_printf(bio_err,"Modulus=unavailable\n");
+					ERR_print_errors(bio_err);
+					goto end;
+					}
+				BIO_printf(STDout,"Modulus=");
+#ifndef NO_RSA
+				if (pkey->type == EVP_PKEY_RSA)
+					BN_print(STDout,pkey->pkey.rsa->n);
+				else
+#endif
+#ifndef NO_DSA
+				if (pkey->type == EVP_PKEY_DSA)
+					BN_print(STDout,pkey->pkey.dsa->pub_key);
+				else
+#endif
+					BIO_printf(STDout,"Wrong Algorithm type");
+				BIO_printf(STDout,"\n");
+				EVP_PKEY_free(pkey);
+				}
+			else
+				if (pubkey == i)
+				{
+				EVP_PKEY *pkey;
+
+				pkey=X509_get_pubkey(x);
+				if (pkey == NULL)
+					{
+					BIO_printf(bio_err,"Error getting public key\n");
+					ERR_print_errors(bio_err);
+					goto end;
+					}
+				PEM_write_bio_PUBKEY(STDout, pkey);
+				EVP_PKEY_free(pkey);
+				}
+			else
+				if (C == i)
+				{
+				unsigned char *d;
+				char *m;
+				int y,z;
+
+				X509_NAME_oneline(X509_get_subject_name(x),
+					buf,256);
+				BIO_printf(STDout,"/* subject:%s */\n",buf);
+				m=X509_NAME_oneline(
+					X509_get_issuer_name(x),buf,256);
+				BIO_printf(STDout,"/* issuer :%s */\n",buf);
+
+				z=i2d_X509(x,NULL);
+				m=Malloc(z);
+
+				d=(unsigned char *)m;
+				z=i2d_X509_NAME(X509_get_subject_name(x),&d);
+				BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
+				d=(unsigned char *)m;
+				for (y=0; y<z; y++)
+					{
+					BIO_printf(STDout,"0x%02X,",d[y]);
+					if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
+					}
+				if (y%16 != 0) BIO_printf(STDout,"\n");
+				BIO_printf(STDout,"};\n");
+
+				z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
+				BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
+				d=(unsigned char *)m;
+				for (y=0; y<z; y++)
+					{
+					BIO_printf(STDout,"0x%02X,",d[y]);
+					if ((y & 0x0f) == 0x0f)
+						BIO_printf(STDout,"\n");
+					}
+				if (y%16 != 0) BIO_printf(STDout,"\n");
+				BIO_printf(STDout,"};\n");
+
+				z=i2d_X509(x,&d);
+				BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
+				d=(unsigned char *)m;
+				for (y=0; y<z; y++)
+					{
+					BIO_printf(STDout,"0x%02X,",d[y]);
+					if ((y & 0x0f) == 0x0f)
+						BIO_printf(STDout,"\n");
+					}
+				if (y%16 != 0) BIO_printf(STDout,"\n");
+				BIO_printf(STDout,"};\n");
+
+				Free(m);
+				}
+			else if (text == i)
+				{
+				X509_print(out,x);
+				}
+			else if (startdate == i)
+				{
+				BIO_puts(STDout,"notBefore=");
+				ASN1_TIME_print(STDout,X509_get_notBefore(x));
+				BIO_puts(STDout,"\n");
+				}
+			else if (enddate == i)
+				{
+				BIO_puts(STDout,"notAfter=");
+				ASN1_TIME_print(STDout,X509_get_notAfter(x));
+				BIO_puts(STDout,"\n");
+				}
+			else if (fingerprint == i)
+				{
+				int j;
+				unsigned int n;
+				unsigned char md[EVP_MAX_MD_SIZE];
+
+				if (!X509_digest(x,digest,md,&n))
+					{
+					BIO_printf(bio_err,"out of memory\n");
+					goto end;
+					}
+				BIO_printf(STDout,"%s Fingerprint=",
+						OBJ_nid2sn(EVP_MD_type(digest)));
+				for (j=0; j<(int)n; j++)
+					{
+					BIO_printf(STDout,"%02X%c",md[j],
+						(j+1 == (int)n)
+						?'\n':':');
+					}
+				}
+
+			/* should be in the library */
+			else if ((sign_flag == i) && (x509req == 0))
+				{
+				BIO_printf(bio_err,"Getting Private key\n");
+				if (Upkey == NULL)
+					{
+					Upkey=load_key(keyfile,keyformat, passin);
+					if (Upkey == NULL) goto end;
+					}
+#ifndef NO_DSA
+		                if (Upkey->type == EVP_PKEY_DSA)
+		                        digest=EVP_dss1();
+#endif
+
+				assert(need_rand);
+				if (!sign(x,Upkey,days,clrext,digest,
+						 extconf, extsect)) goto end;
+				}
+			else if (CA_flag == i)
+				{
+				BIO_printf(bio_err,"Getting CA Private Key\n");
+				if (CAkeyfile != NULL)
+					{
+					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
+					if (CApkey == NULL) goto end;
+					}
+#ifndef NO_DSA
+		                if (CApkey->type == EVP_PKEY_DSA)
+		                        digest=EVP_dss1();
+#endif
+				
+				assert(need_rand);
+				if (!x509_certify(ctx,CAfile,digest,x,xca,
+					CApkey, CAserial,CA_createserial,days, clrext,
+					extconf, extsect))
+					goto end;
+				}
+			else if (x509req == i)
+				{
+				EVP_PKEY *pk;
+
+				BIO_printf(bio_err,"Getting request Private Key\n");
+				if (keyfile == NULL)
+					{
+					BIO_printf(bio_err,"no request key file specified\n");
+					goto end;
+					}
+				else
+					{
+					pk=load_key(keyfile,FORMAT_PEM, passin);
+					if (pk == NULL) goto end;
+					}
+
+				BIO_printf(bio_err,"Generating certificate request\n");
+
+		                if (pk->type == EVP_PKEY_DSA)
+		                        digest=EVP_dss1();
+
+				rq=X509_to_X509_REQ(x,pk,digest);
+				EVP_PKEY_free(pk);
+				if (rq == NULL)
+					{
+					ERR_print_errors(bio_err);
+					goto end;
+					}
+				if (!noout)
+					{
+					X509_REQ_print(out,rq);
+					PEM_write_bio_X509_REQ(out,rq);
+					}
+				noout=1;
+				}
+			}
+		}
+
+	if (noout)
+		{
+		ret=0;
+		goto end;
+		}
+
+	if 	(outformat == FORMAT_ASN1)
+		i=i2d_X509_bio(out,x);
+	else if (outformat == FORMAT_PEM) {
+		if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+		else i=PEM_write_bio_X509(out,x);
+	} else if (outformat == FORMAT_NETSCAPE)
+		{
+		ASN1_HEADER ah;
+		ASN1_OCTET_STRING os;
+
+		os.data=(unsigned char *)CERT_HDR;
+		os.length=strlen(CERT_HDR);
+		ah.header= &os;
+		ah.data=(char *)x;
+		ah.meth=X509_asn1_meth();
+
+		/* no macro for this one yet */
+		i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah);
+		}
+	else	{
+		BIO_printf(bio_err,"bad output format specified for outfile\n");
+		goto end;
+		}
+	if (!i) {
+		BIO_printf(bio_err,"unable to write certificate\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	ret=0;
+end:
+	if (need_rand)
+		app_RAND_write_file(NULL, bio_err);
+	OBJ_cleanup();
+	CONF_free(extconf);
+	BIO_free(out);
+	BIO_free(STDout);
+	X509_STORE_free(ctx);
+	X509_REQ_free(req);
+	X509_free(x);
+	X509_free(xca);
+	EVP_PKEY_free(Upkey);
+	EVP_PKEY_free(CApkey);
+	X509_REQ_free(rq);
+	sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
+	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+	if(passin) Free(passin);
+	EXIT(ret);
+	}
+
+static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
+	     X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
+	     int days, int clrext, LHASH *conf, char *section)
+	{
+	int ret=0;
+	BIO *io=NULL;
+	MS_STATIC char buf2[1024];
+	char *buf=NULL,*p;
+	BIGNUM *serial=NULL;
+	ASN1_INTEGER *bs=NULL,bs2;
+	X509_STORE_CTX xsc;
+	EVP_PKEY *upkey;
+
+	upkey = X509_get_pubkey(xca);
+	EVP_PKEY_copy_parameters(upkey,pkey);
+	EVP_PKEY_free(upkey);
+
+	X509_STORE_CTX_init(&xsc,ctx,x,NULL);
+	buf=Malloc(EVP_PKEY_size(pkey)*2+
+		((serialfile == NULL)
+			?(strlen(CAfile)+strlen(POSTFIX)+1)
+			:(strlen(serialfile)))+1);
+	if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
+	if (serialfile == NULL)
+		{
+		strcpy(buf,CAfile);
+		for (p=buf; *p; p++)
+			if (*p == '.')
+				{
+				*p='\0';
+				break;
+				}
+		strcat(buf,POSTFIX);
+		}
+	else
+		strcpy(buf,serialfile);
+	serial=BN_new();
+	bs=ASN1_INTEGER_new();
+	if ((serial == NULL) || (bs == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	io=BIO_new(BIO_s_file());
+	if (io == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	
+	if (BIO_read_filename(io,buf) <= 0)
+		{
+		if (!create)
+			{
+			perror(buf);
+			goto end;
+			}
+		else
+			{
+			ASN1_INTEGER_set(bs,1);
+			BN_one(serial);
+			}
+		}
+	else 
+		{
+		if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
+			{
+			BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		else
+			{
+			serial=BN_bin2bn(bs->data,bs->length,serial);
+			if (serial == NULL)
+				{
+				BIO_printf(bio_err,"error converting bin 2 bn");
+				goto end;
+				}
+			}
+		}
+
+	if (!BN_add_word(serial,1))
+		{ BIO_printf(bio_err,"add_word failure\n"); goto end; }
+	bs2.data=(unsigned char *)buf2;
+	bs2.length=BN_bn2bin(serial,bs2.data);
+
+	if (BIO_write_filename(io,buf) <= 0)
+		{
+		BIO_printf(bio_err,"error attempting to write serial number file\n");
+		perror(buf);
+		goto end;
+		}
+	i2a_ASN1_INTEGER(io,&bs2);
+	BIO_puts(io,"\n");
+	BIO_free(io);
+	io=NULL;
+	
+	if (!X509_STORE_add_cert(ctx,x)) goto end;
+
+	/* NOTE: this certificate can/should be self signed, unless it was
+	 * a certificate request in which case it is not. */
+	X509_STORE_CTX_set_cert(&xsc,x);
+	if (!reqfile && !X509_verify_cert(&xsc))
+		goto end;
+
+	if (!X509_check_private_key(xca,pkey))
+		{
+		BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
+		goto end;
+		}
+
+	if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
+	if (!X509_set_serialNumber(x,bs)) goto end;
+
+	if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
+		goto end;
+
+	/* hardwired expired */
+	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+		goto end;
+
+	if(clrext) {
+		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+	}
+
+	if(conf) {
+		X509V3_CTX ctx2;
+		X509_set_version(x,2); /* version 3 certificate */
+                X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
+                X509V3_set_conf_lhash(&ctx2, conf);
+                if(!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
+	}
+
+	if (!X509_sign(x,pkey,digest)) goto end;
+	ret=1;
+end:
+	X509_STORE_CTX_cleanup(&xsc);
+	if (!ret)
+		ERR_print_errors(bio_err);
+	if (buf != NULL) Free(buf);
+	if (bs != NULL) ASN1_INTEGER_free(bs);
+	if (io != NULL)	BIO_free(io);
+	if (serial != NULL) BN_free(serial);
+	return(ret);
+	}
+
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
+	{
+	char buf[256];
+	int err;
+	X509 *err_cert;
+
+	/* it is ok to use a self signed certificate
+	 * This case will catch both the initial ok == 0 and the
+	 * final ok == 1 calls to this function */
+	err=X509_STORE_CTX_get_error(ctx);
+	if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+		return(1);
+
+	/* BAD we should have gotten an error.  Normally if everything
+	 * worked X509_STORE_CTX_get_error(ctx) will still be set to
+	 * DEPTH_ZERO_SELF_.... */
+	if (ok)
+		{
+		BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
+		return(0);
+		}
+	else
+		{
+		err_cert=X509_STORE_CTX_get_current_cert(ctx);
+		X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+		BIO_printf(bio_err,"%s\n",buf);
+		BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
+			err,X509_STORE_CTX_get_error_depth(ctx),
+			X509_verify_cert_error_string(err));
+		return(1);
+		}
+	}
+
+static EVP_PKEY *load_key(char *file, int format, char *passin)
+	{
+	BIO *key=NULL;
+	EVP_PKEY *pkey=NULL;
+
+	if (file == NULL)
+		{
+		BIO_printf(bio_err,"no keyfile specified\n");
+		goto end;
+		}
+	key=BIO_new(BIO_s_file());
+	if (key == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	if (BIO_read_filename(key,file) <= 0)
+		{
+		perror(file);
+		goto end;
+		}
+	if (format == FORMAT_ASN1)
+		{
+		pkey=d2i_PrivateKey_bio(key, NULL);
+		}
+	else if (format == FORMAT_PEM)
+		{
+		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
+		}
+	else
+		{
+		BIO_printf(bio_err,"bad input format specified for key\n");
+		goto end;
+		}
+end:
+	if (key != NULL) BIO_free(key);
+	if (pkey == NULL)
+		BIO_printf(bio_err,"unable to load Private Key\n");
+	return(pkey);
+	}
+
+static X509 *load_cert(char *file, int format)
+	{
+	ASN1_HEADER *ah=NULL;
+	BUF_MEM *buf=NULL;
+	X509 *x=NULL;
+	BIO *cert;
+
+	if ((cert=BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(cert,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+	if 	(format == FORMAT_ASN1)
+		x=d2i_X509_bio(cert,NULL);
+	else if (format == FORMAT_NETSCAPE)
+		{
+		unsigned char *p,*op;
+		int size=0,i;
+
+		/* We sort of have to do it this way because it is sort of nice
+		 * to read the header first and check it, then
+		 * try to read the certificate */
+		buf=BUF_MEM_new();
+		for (;;)
+			{
+			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
+				goto end;
+			i=BIO_read(cert,&(buf->data[size]),1024*10);
+			size+=i;
+			if (i == 0) break;
+			if (i < 0)
+				{
+				perror("reading certificate");
+				goto end;
+				}
+			}
+		p=(unsigned char *)buf->data;
+		op=p;
+
+		/* First load the header */
+		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
+			goto end;
+		if ((ah->header == NULL) || (ah->header->data == NULL) ||
+			(strncmp(CERT_HDR,(char *)ah->header->data,
+			ah->header->length) != 0))
+			{
+			BIO_printf(bio_err,"Error reading header on certificate\n");
+			goto end;
+			}
+		/* header is ok, so now read the object */
+		p=op;
+		ah->meth=X509_asn1_meth();
+		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
+			goto end;
+		x=(X509 *)ah->data;
+		ah->data=NULL;
+		}
+	else if (format == FORMAT_PEM)
+		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
+	else	{
+		BIO_printf(bio_err,"bad input format specified for input cert\n");
+		goto end;
+		}
+end:
+	if (x == NULL)
+		{
+		BIO_printf(bio_err,"unable to load certificate\n");
+		ERR_print_errors(bio_err);
+		}
+	if (ah != NULL) ASN1_HEADER_free(ah);
+	if (cert != NULL) BIO_free(cert);
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(x);
+	}
+
+/* self sign */
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 
+						LHASH *conf, char *section)
+	{
+
+	EVP_PKEY *pktmp;
+
+	pktmp = X509_get_pubkey(x);
+	EVP_PKEY_copy_parameters(pktmp,pkey);
+	EVP_PKEY_save_parameters(pktmp,1);
+	EVP_PKEY_free(pktmp);
+
+	if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
+	if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
+
+	/* Lets just make it 12:00am GMT, Jan 1 1970 */
+	/* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
+	/* 28 days to be certified */
+
+	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+		goto err;
+
+	if (!X509_set_pubkey(x,pkey)) goto err;
+	if(clrext) {
+		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+	}
+	if(conf) {
+		X509V3_CTX ctx;
+		X509_set_version(x,2); /* version 3 certificate */
+                X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
+                X509V3_set_conf_lhash(&ctx, conf);
+                if(!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
+	}
+	if (!X509_sign(x,pkey,digest)) goto err;
+	return(1);
+err:
+	ERR_print_errors(bio_err);
+	return(0);
+	}
+
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
+{
+	int id, i, idret;
+	char *pname;
+	id = X509_PURPOSE_get_id(pt);
+	pname = X509_PURPOSE_get0_name(pt);
+	for(i = 0; i < 2; i++) {
+		idret = X509_check_purpose(cert, id, i);
+		BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 
+		if(idret == 1) BIO_printf(bio, "Yes\n");
+		else if (idret == 0) BIO_printf(bio, "No\n");
+		else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
+	}
+	return 1;
+}
+
+
+
diff --git a/crypto/openssl/bugs/MS b/crypto/openssl/bugs/MS
new file mode 100644
index 0000000..a1dcfb9
--- /dev/null
+++ b/crypto/openssl/bugs/MS
@@ -0,0 +1,7 @@
+If you use the function that does an fopen inside the DLL, it's malloc
+will be used and when the function is then written inside, more
+hassles
+....
+
+
+think about it.
diff --git a/crypto/openssl/bugs/SSLv3 b/crypto/openssl/bugs/SSLv3
new file mode 100644
index 0000000..db53e13
--- /dev/null
+++ b/crypto/openssl/bugs/SSLv3
@@ -0,0 +1,49 @@
+So far...
+
+ssl3.netscape.com:443 does not support client side dynamic
+session-renegotiation.
+
+ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN
+in an invalid format (the outer sequence is removed).
+
+Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+challenge but then appears to only use 16 bytes when generating the
+encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
+According to the SSLv3 spec, one should use 32 bytes for the challenge
+when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
+this breaks this server so 16 bytes is the way to go.
+
+www.microsoft.com - when talking SSLv2, if session-id reuse is
+performed, the session-id passed back in the server-finished message
+is different from the one decided upon.
+
+ssl3.netscape.com:443, first a connection is established with RC4-MD5.
+If it is then resumed, we end up using DES-CBC3-SHA.  It should be
+RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
+Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
+It only really shows up when connecting via SSLv2/v3 then reconnecting
+via SSLv3. The cipher list changes....
+NEW INFORMATION.  Try connecting with a cipher list of just
+DES-CBC-SHA:RC4-MD5.  For some weird reason, each new connection uses
+RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
+doing a re-connect, always takes the first cipher in the cipher list.
+
+If we accept a netscape connection, demand a client cert, have a
+non-self-sighed CA which does not have it's CA in netscape, and the
+browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
+
+Netscape browsers do not really notice the server sending a
+close notify message.  I was sending one, and then some invalid data.
+netscape complained of an invalid mac. (a fork()ed child doing a
+SSL_shutdown() and still sharing the socket with its parent).
+
+Netscape, when using export ciphers, will accept a 1024 bit temporary
+RSA key.  It is supposed to only accept 512.
+
+If Netscape connects to a server which requests a client certificate
+it will frequently hang after the user has selected one and never
+complete the connection. Hitting "Stop" and reload fixes this and
+all subsequent connections work fine. This appears to be because 
+Netscape wont read any new records in when it is awaiting a server
+done message at this point. The fix is to send the certificate request
+and server done messages in one record.
diff --git a/crypto/openssl/bugs/VC16.bug b/crypto/openssl/bugs/VC16.bug
new file mode 100644
index 0000000..7815bb5
--- /dev/null
+++ b/crypto/openssl/bugs/VC16.bug
@@ -0,0 +1,18 @@
+Microsoft (R) C/C++ Optimizing Compiler Version 8.00c
+
+Compile with /O2 chokes the compiler on these files
+
+crypto\md\md5_dgst.c		warning '@(#)reg86.c:1.26', line 1110
+crypto\des\ofb64ede.c		warning '@(#)grammar.c:1.147', line 168
+crypto\des\ofb64enc.c		warning '@(#)grammar.c:1.147', line 168
+crypto\des\qud_cksm.c		warning '@(#)grammar.c:1.147', line 168
+crypto\rc2\rc2ofb64.c		warning '@(#)grammar.c:1.147', line 168
+crypto\objects\obj_dat.c	warning	'@(#)grammar.c:1.147', line 168
+				fatal	'@(#)grammar.c:1.147', line 168
+crypto\objects\obj_lib.c	warning	'@(#)grammar.c:1.147', line 168
+				fatal	'@(#)grammar.c:1.147', line 168
+ssl\ssl_auth.c			warning	'@(#)grammar.c:1.147', line 168
+				fatal	'@(#)grammar.c:1.147', line 168
+
+Turning on /G3 with build flags that worked fine for /G2 came up with
+divide by zero errors in 'normal' code in speed.c :-(
diff --git a/crypto/openssl/bugs/alpha.c b/crypto/openssl/bugs/alpha.c
new file mode 100644
index 0000000..701d6a7
--- /dev/null
+++ b/crypto/openssl/bugs/alpha.c
@@ -0,0 +1,91 @@
+/* bugs/alpha.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* while not exactly a bug (ASN1 C leaves this undefined) it is
+ * something to watch out for.  This was fine on linux/NT/Solaris but not
+ * Alpha */
+
+/* it is basically an example of
+ * func(*(a++),*(a++))
+ * which parameter is evaluated first?  It is not defined in ASN1 C.
+ */
+
+#include <stdio.h>
+
+#define TYPE    unsigned int
+
+void func(a,b)
+TYPE *a;
+TYPE b;
+        {
+        printf("%ld -1 == %ld\n",a[0],b);
+        }
+
+main()
+        {
+        TYPE data[5]={1L,2L,3L,4L,5L};
+        TYPE *p;
+        int i;
+
+        p=data;
+
+        for (i=0; i<4; i++)
+                {
+                func(p,*(p++));
+                }
+        }
diff --git a/crypto/openssl/bugs/dggccbug.c b/crypto/openssl/bugs/dggccbug.c
new file mode 100644
index 0000000..30e07a6
--- /dev/null
+++ b/crypto/openssl/bugs/dggccbug.c
@@ -0,0 +1,45 @@
+/* NOCW */
+/* dggccbug.c */
+/* bug found by Eric Young (eay@cryptsoft.com) - May 1995 */
+
+#include <stdio.h>
+
+/* There is a bug in
+ * gcc version 2.5.8 (88open OCS/BCS, DG-2.5.8.3, Oct 14 1994)
+ * as shipped with DGUX 5.4R3.10 that can be bypassed by defining
+ * DG_GCC_BUG in my code.
+ * The bug manifests itself by the vaule of a pointer that is
+ * used only by reference, not having it's value change when it is used
+ * to check for exiting the loop.  Probably caused by there being 2
+ * copies of the valiable, one in a register and one being an address
+ * that is passed. */
+
+/* compare the out put from
+ * gcc dggccbug.c; ./a.out
+ * and
+ * gcc -O dggccbug.c; ./a.out
+ * compile with -DFIXBUG to remove the bug when optimising.
+ */
+
+void inc(a)
+int *a;
+	{
+	(*a)++;
+	}
+
+main()
+	{
+	int p=0;
+#ifdef FIXBUG
+	int dummy;
+#endif
+
+	while (p<3)
+		{
+		fprintf(stderr,"%08X\n",p);
+		inc(&p);
+#ifdef FIXBUG
+		dummy+=p;
+#endif
+		}
+	}
diff --git a/crypto/openssl/bugs/sgiccbug.c b/crypto/openssl/bugs/sgiccbug.c
new file mode 100644
index 0000000..178239d
--- /dev/null
+++ b/crypto/openssl/bugs/sgiccbug.c
@@ -0,0 +1,57 @@
+/* NOCW */
+/* sgibug.c */
+/* bug found by Eric Young (eay@mincom.oz.au) May 95 */
+
+#include <stdio.h>
+
+/* This compiler bug it present on IRIX 5.3, 5.1 and 4.0.5 (these are
+ * the only versions of IRIX I have access to.
+ * defining FIXBUG removes the bug.
+ * (bug is still present in IRIX 6.3 according to
+ * Gage <agage@forgetmenot.Mines.EDU>
+ */
+ 
+/* Compare the output from
+ * cc sgiccbug.c; ./a.out
+ * and
+ * cc -O sgiccbug.c; ./a.out
+ */
+
+static unsigned long a[4]={0x01234567,0x89ABCDEF,0xFEDCBA98,0x76543210};
+static unsigned long b[4]={0x89ABCDEF,0xFEDCBA98,0x76543210,0x01234567};
+static unsigned long c[4]={0x77777778,0x8ACF1357,0x88888888,0x7530ECA9};
+
+main()
+	{
+	unsigned long r[4];
+	sub(r,a,b);
+	fprintf(stderr,"input a= %08X %08X %08X %08X\n",a[3],a[2],a[1],a[0]);
+	fprintf(stderr,"input b= %08X %08X %08X %08X\n",b[3],b[2],b[1],b[0]);
+	fprintf(stderr,"output = %08X %08X %08X %08X\n",r[3],r[2],r[1],r[0]);
+	fprintf(stderr,"correct= %08X %08X %08X %08X\n",c[3],c[2],c[1],c[0]);
+	}
+
+int sub(r,a,b)
+unsigned long *r,*a,*b;
+	{
+	register unsigned long t1,t2,*ap,*bp,*rp;
+	int i,carry;
+#ifdef FIXBUG
+	unsigned long dummy;
+#endif
+
+	ap=a;
+	bp=b;
+	rp=r;
+	carry=0;
+	for (i=0; i<4; i++)
+		{
+		t1= *(ap++);
+		t2= *(bp++);
+		t1=(t1-t2);
+#ifdef FIXBUG
+		dummy=t1;
+#endif
+		*(rp++)=t1&0xffffffff;
+		}
+	}
diff --git a/crypto/openssl/bugs/sslref.dif b/crypto/openssl/bugs/sslref.dif
new file mode 100644
index 0000000..0aa92bf
--- /dev/null
+++ b/crypto/openssl/bugs/sslref.dif
@@ -0,0 +1,26 @@
+The February 9th, 1995 version of the SSL document differs from
+https://www.netscape.com in the following ways.
+=====
+The key material for generating a SSL_CK_DES_64_CBC_WITH_MD5 key is
+KEY-MATERIAL-0 = MD5[MASTER-KEY,"0",CHALLENGE,CONNECTION-ID]
+not
+KEY-MATERIAL-0 = MD5[MASTER-KEY,CHALLENGE,CONNECTION-ID]
+as specified in the documentation.
+=====
+From the section 2.6 Server Only Protocol Messages
+
+If the SESSION-ID-HIT flag is non-zero then the CERTIFICATE-TYPE,
+CERTIFICATE-LENGTH and CIPHER-SPECS-LENGTH fields will be zero. 
+
+This is not true for https://www.netscape.com.  The CERTIFICATE-TYPE
+is returned as 1.
+=====
+I have not tested the following but it is reported by holtzman@mit.edu.
+
+SSLref clients wait to recieve a server-verify before they send a
+client-finished.  Besides this not being evident from the examples in
+2.2.1, it makes more sense to always send all packets you can before
+reading.  SSLeay was waiting in the server to recieve a client-finish
+before sending the server-verify :-).  I have changed SSLeay to send a
+server-verify before trying to read the client-finished.
+
diff --git a/crypto/openssl/bugs/stream.c b/crypto/openssl/bugs/stream.c
new file mode 100644
index 0000000..d2967c8
--- /dev/null
+++ b/crypto/openssl/bugs/stream.c
@@ -0,0 +1,131 @@
+/* bugs/stream.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/rc4.h>
+#ifdef NO_DES
+#include <des.h>
+#else
+#include <openssl/des.h>
+#endif
+
+/* show how stream ciphers are not very good.  The mac has no affect
+ * on RC4 while it does for cfb DES
+ */
+
+main()
+	{
+	fprintf(stderr,"rc4\n");
+	rc4();
+	fprintf(stderr,"cfb des\n");
+	des();
+	}
+
+int des()
+	{
+	des_key_schedule ks;
+	des_cblock iv,key;
+	int num;
+	static char *keystr="01234567";
+	static char *in1="0123456789ABCEDFdata 12345";
+	static char *in2="9876543210abcdefdata 12345";
+	unsigned char out[100];
+	int i;
+
+	des_set_key((des_cblock *)keystr,ks);
+
+	num=0;
+	memset(iv,0,8);
+	des_cfb64_encrypt(in1,out,26,ks,(des_cblock *)iv,&num,1);
+	for (i=0; i<26; i++)
+		fprintf(stderr,"%02X ",out[i]);
+	fprintf(stderr,"\n");
+
+	num=0;
+	memset(iv,0,8);
+	des_cfb64_encrypt(in2,out,26,ks,(des_cblock *)iv,&num,1);
+	for (i=0; i<26; i++)
+		fprintf(stderr,"%02X ",out[i]);
+	fprintf(stderr,"\n");
+	}
+
+int rc4()
+	{
+	static char *keystr="0123456789abcdef";
+	RC4_KEY key;
+	unsigned char in[100],out[100];
+	int i;
+
+	RC4_set_key(&key,16,keystr);
+	in[0]='\0';
+	strcpy(in,"0123456789ABCEDFdata 12345");
+	RC4(key,26,in,out);
+
+	for (i=0; i<26; i++)
+		fprintf(stderr,"%02X ",out[i]);
+	fprintf(stderr,"\n");
+
+	RC4_set_key(&key,16,keystr);
+	in[0]='\0';
+	strcpy(in,"9876543210abcdefdata 12345");
+	RC4(key,26,in,out);
+
+	for (i=0; i<26; i++)
+		fprintf(stderr,"%02X ",out[i]);
+	fprintf(stderr,"\n");
+	}
diff --git a/crypto/openssl/bugs/ultrixcc.c b/crypto/openssl/bugs/ultrixcc.c
new file mode 100644
index 0000000..7ba75b1
--- /dev/null
+++ b/crypto/openssl/bugs/ultrixcc.c
@@ -0,0 +1,45 @@
+#include <stdio.h>
+
+/* This is a cc optimiser bug for ultrix 4.3, mips CPU.
+ * What happens is that the compiler, due to the (a)&7,
+ * does
+ * i=a&7;
+ * i--;
+ * i*=4;
+ * Then uses i as the offset into a jump table.
+ * The problem is that a value of 0 generates an offset of
+ * 0xfffffffc.
+ */
+
+main()
+	{
+	f(5);
+	f(0);
+	}
+
+int f(a)
+int a;
+	{
+	switch(a&7)
+		{
+	case 7:
+		printf("7\n");
+	case 6:
+		printf("6\n");
+	case 5:
+		printf("5\n");
+	case 4:
+		printf("4\n");
+	case 3:
+		printf("3\n");
+	case 2:
+		printf("2\n");
+	case 1:
+		printf("1\n");
+#ifdef FIX_BUG
+	case 0:
+		;
+#endif
+		}
+	}	
+
diff --git a/crypto/openssl/certs/ICE-CA.pem b/crypto/openssl/certs/ICE-CA.pem
new file mode 100644
index 0000000..7565236
--- /dev/null
+++ b/crypto/openssl/certs/ICE-CA.pem
@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:35:53 1997 GMT
+            Not After : Apr  2 17:35:53 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:82:75:ba:f6:d1:60:b5:f9:15:b3:6a:dd:29:8f:
+                    8b:a4:6f:1a:88:e0:50:43:40:0b:79:41:d5:d3:16:
+                    44:7d:74:65:17:42:06:52:0b:e9:50:c8:10:cd:24:
+                    e2:ae:8d:22:30:73:e6:b4:b7:93:1f:e5:6e:a2:ae:
+                    49:11:a5:c9:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0.........z.."p......e..
+            X509v3 Subject Key Identifier: 
+                ..~r..:..B.44fu......3
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...
+            X509v3 Subject Alternative Name: 
+                0!..secude-support@darmstadt.gmd.de
+            X509v3 Issuer Alternative Name: 
+                0I..ice-tel-ca@darmstadt.gmd.de.*http://www.darmstadt.gmd.de/ice-tel/euroca
+            X509v3 Basic Constraints: critical
+                0....
+            X509v3 CRL Distribution Points: 
+                0200...,.*http://www.darmstadt.gmd.de/ice-tel/euroca
+    Signature Algorithm: md5WithRSAEncryption
+        17:a2:88:b7:99:5a:05:41:e4:13:34:67:e6:1f:3e:26:ec:4b:
+        69:f9:3e:28:22:be:9d:1c:ab:41:6f:0c:00:85:fe:45:74:f6:
+        98:f0:ce:9b:65:53:4a:50:42:c7:d4:92:bd:d7:a2:a8:3d:98:
+        88:73:cd:60:28:79:a3:fc:48:7a
+-----BEGIN CERTIFICATE-----
+MIICzDCCAnagAwIBAgIBATANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzU1M1oXDTk4MDQwMjE3MzU1M1owXDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTESMBAGA1UEBxMJRGFybXN0YWR0MFkwCgYEVQgB
+AQICAgADSwAwSAJBAIJ1uvbRYLX5FbNq3SmPi6RvGojgUENAC3lB1dMWRH10ZRdC
+BlIL6VDIEM0k4q6NIjBz5rS3kx/lbqKuSRGlyUUCAwEAAaOCATgwggE0MB8GA1Ud
+IwQYMBaAFIr3yNUOx3ro1yJw4AuJ1bbsZbzPMB0GA1UdDgQWBBR+cvL4OoacQog0
+NGZ1w9T80aIRMzAOBgNVHQ8BAf8EBAMCAfYwFAYDVR0gAQH/BAowCDAGBgQqAwQF
+MCoGA1UdEQQjMCGBH3NlY3VkZS1zdXBwb3J0QGRhcm1zdGFkdC5nbWQuZGUwUgYD
+VR0SBEswSYEbaWNlLXRlbC1jYUBkYXJtc3RhZHQuZ21kLmRlhipodHRwOi8vd3d3
+LmRhcm1zdGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2EwDwYDVR0TAQH/BAUwAwEB
+/zA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmRhcm1zdGFkdC5nbWQuZGUv
+aWNlLXRlbC9ldXJvY2EwDQYJKoZIhvcNAQEEBQADQQAXooi3mVoFQeQTNGfmHz4m
+7Etp+T4oIr6dHKtBbwwAhf5FdPaY8M6bZVNKUELH1JK916KoPZiIc81gKHmj/Eh6
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/ICE-root.pem b/crypto/openssl/certs/ICE-root.pem
new file mode 100644
index 0000000..fa99159
--- /dev/null
+++ b/crypto/openssl/certs/ICE-root.pem
@@ -0,0 +1,48 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:33:36 1997 GMT
+            Not After : Apr  2 17:33:36 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:80:3e:eb:ae:47:a9:fe:10:54:0b:81:8b:9c:2b:
+                    82:ab:3a:61:36:65:8b:f3:73:9f:ac:ac:7a:15:a7:
+                    13:8f:b4:c4:ba:a3:0f:bc:a5:58:8d:cc:b1:93:31:
+                    9e:81:9e:8c:19:61:86:fa:52:73:54:d1:97:76:22:
+                    e7:c7:9f:41:cd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                ........z.."p......e..
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Alternative Name: 
+                0I.*http://www.darmstadt.gmd.de/ice-tel/euroca..ice-tel-ca@darmstadt.gmd.de
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        76:69:61:db:b7:cf:8b:06:9e:d8:8c:96:53:d2:4d:a8:23:a6:
+        03:44:e8:8f:24:a5:c0:84:a8:4b:77:d4:2d:2b:7d:37:91:67:
+        f2:2c:ce:02:31:4c:6b:cc:ce:f2:68:a6:11:11:ab:7d:88:b8:
+        7e:22:9f:25:06:60:bd:79:30:3d
+-----BEGIN CERTIFICATE-----
+MIICFjCCAcCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzMzNloXDTk4MDQwMjE3MzMzNlowSDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTBZMAoGBFUIAQECAgIAA0sAMEgCQQCAPuuuR6n+
+EFQLgYucK4KrOmE2ZYvzc5+srHoVpxOPtMS6ow+8pViNzLGTMZ6BnowZYYb6UnNU
+0Zd2IufHn0HNAgMBAAGjgZcwgZQwHQYDVR0OBBYEFIr3yNUOx3ro1yJw4AuJ1bbs
+ZbzPMA4GA1UdDwEB/wQEAwIB9jBSBgNVHREESzBJhipodHRwOi8vd3d3LmRhcm1z
+dGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2GBG2ljZS10ZWwtY2FAZGFybXN0YWR0
+LmdtZC5kZTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAdmlh27fP
+iwae2IyWU9JNqCOmA0TojySlwISoS3fULSt9N5Fn8izOAjFMa8zO8mimERGrfYi4
+fiKfJQZgvXkwPQ==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/ICE-user.pem b/crypto/openssl/certs/ICE-user.pem
new file mode 100644
index 0000000..28065fd
--- /dev/null
+++ b/crypto/openssl/certs/ICE-user.pem
@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Validity
+            Not Before: Apr  2 17:35:59 1997 GMT
+            Not After : Apr  2 17:35:59 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt, CN=USER
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:a8:a8:53:63:49:1b:93:c3:c3:0b:6c:88:11:55:
+                    de:7e:6a:e2:f9:52:a0:dc:69:25:c4:c8:bf:55:e1:
+                    31:a8:ce:e4:a9:29:85:99:8a:15:9a:de:f6:2f:e1:
+                    b4:50:5f:5e:04:75:a6:f4:76:dc:3c:0e:39:dc:3a:
+                    be:3e:a4:61:8b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0...~r..:..B.44fu......3
+            X509v3 Subject Key Identifier: 
+                ...... .*...1.*.......
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...0.......
+            X509v3 Subject Alternative Name: 
+                0:..user@darmstadt.gmd.de.!http://www.darmstadt.gmd.de/~user
+            X509v3 Issuer Alternative Name: 
+                0....gmdca@gmd.de..http://www.gmd.de..saturn.darmstadt.gmd.de.\1!0...U.
+..European ICE-TEL project1#0!..U....V3-Certification Authority1.0...U....Darmstadt..141.12.62.26
+            X509v3 Basic Constraints: critical
+                0.
+            X509v3 CRL Distribution Points: 
+                0.0.......gmdca@gmd.de
+    Signature Algorithm: md5WithRSAEncryption
+        69:0c:e1:b7:a7:f2:d8:fb:e8:69:c0:13:cd:37:ad:21:06:22:
+        4d:e8:c6:db:f1:04:0b:b7:e0:b3:d6:0c:81:03:ce:c3:6a:3e:
+        c7:e7:24:24:a4:92:64:c2:83:83:06:42:53:0e:6f:09:1e:84:
+        9a:f7:6f:63:9b:94:99:83:d6:a4
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHQwHhcNOTcwNDAyMTczNTU5WhcN
+OTgwNDAyMTczNTU5WjBrMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2pl
+Y3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQH
+EwlEYXJtc3RhZHQxDTALBgNVBAMTBFVTRVIwWTAKBgRVCAEBAgICAANLADBIAkEA
+qKhTY0kbk8PDC2yIEVXefmri+VKg3GklxMi/VeExqM7kqSmFmYoVmt72L+G0UF9e
+BHWm9HbcPA453Dq+PqRhiwIDAQABo4IBmDCCAZQwHwYDVR0jBBgwFoAUfnLy+DqG
+nEKINDRmdcPU/NGiETMwHQYDVR0OBBYEFJfc4B8gjSoRmLUx4Sq/ucIYiMrPMA4G
+A1UdDwEB/wQEAwIB8DAcBgNVHSABAf8EEjAQMAYGBCoDBAUwBgYECQgHBjBDBgNV
+HREEPDA6gRV1c2VyQGRhcm1zdGFkdC5nbWQuZGWGIWh0dHA6Ly93d3cuZGFybXN0
+YWR0LmdtZC5kZS9+dXNlcjCBsQYDVR0SBIGpMIGmgQxnbWRjYUBnbWQuZGWGEWh0
+dHA6Ly93d3cuZ21kLmRlghdzYXR1cm4uZGFybXN0YWR0LmdtZC5kZaRcMSEwHwYD
+VQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHSHDDE0MS4xMi42
+Mi4yNjAMBgNVHRMBAf8EAjAAMB0GA1UdHwQWMBQwEqAQoA6BDGdtZGNhQGdtZC5k
+ZTANBgkqhkiG9w0BAQQFAANBAGkM4ben8tj76GnAE803rSEGIk3oxtvxBAu34LPW
+DIEDzsNqPsfnJCSkkmTCg4MGQlMObwkehJr3b2OblJmD1qQ=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/ICE.crl b/crypto/openssl/certs/ICE.crl
new file mode 100644
index 0000000..21939e8
--- /dev/null
+++ b/crypto/openssl/certs/ICE.crl
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBNDCBnjANBgkqhkiG9w0BAQIFADBFMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0Ut
+VEVMIFByb2plY3QxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05
+NzA2MDkxNDQyNDNaFw05NzA3MDkxNDQyNDNaMCgwEgIBChcNOTcwMzAzMTQ0MjU0
+WjASAgEJFw05NjEwMDIxMjI5MjdaMA0GCSqGSIb3DQEBAgUAA4GBAH4vgWo2Tej/
+i7kbiw4Imd30If91iosjClNpBFwvwUDBclPEeMuYimHbLOk4H8Nofc0fw11+U/IO
+KSNouUDcqG7B64oY7c4SXKn+i1MWOb5OJiWeodX3TehHjBlyWzoNMWCnYA8XqFP1
+mOKp8Jla1BibEZf14+/HqCi2hnZUiEXh
+-----END X509 CRL-----
diff --git a/crypto/openssl/certs/ca-cert.pem b/crypto/openssl/certs/ca-cert.pem
new file mode 100644
index 0000000..bcba68a
--- /dev/null
+++ b/crypto/openssl/certs/ca-cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
+HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzODUxWhcN
+MDUwNzEwMjEzODUxWjBbMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
+ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxGzAZBgNVBAMTElRlc3QgQ0Eg
+KDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo7ujy3XXpU/p
+yDJtOxkMJmGv3mdiVm7JrdoKLUgqjO2rBaeNuYMUiuI6oYU+tlD6agwRML0Pn2JF
+b90VdK/UXrmRr9djaEuH17EIKjte5RwOzndCndsjcCYyoeODMTyg7dqPIkDMmRNM
+5R5xBTabD+Aji0wzQupYxBLuW5PLj7ECAwEAAaOBtzCBtDAdBgNVHQ4EFgQU1WWA
+U42mkhi3ecgey1dsJjU61+UwgYQGA1UdIwR9MHuAFE0RaEcrj18q1dw+G6nJbsTW
+R213oWCkXjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0
+IGJpdCmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBb39BRphHL
+6aRAQyymsvBvPSCiG9+kR0R1L23aTpNbhXp2BebyFjbEQYZc2kWGiKKcHkNECA35
+3d4LoqUlVey8DFyafOIJd9hxdZfg+rxlHMxnL7uCJRmx9+xB411Jtsol9/wg1uCK
+sleGpgB4j8cG2SVCz7V2MNZNK+d5QCnR7A==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/certs/dsa-ca.pem b/crypto/openssl/certs/dsa-ca.pem
new file mode 100644
index 0000000..9eb08f3
--- /dev/null
+++ b/crypto/openssl/certs/dsa-ca.pem
@@ -0,0 +1,43 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,C5B6C7CC9E1FE2C0
+
+svCXBcBRhMuU22UXOfiKZA+thmz6KYXpt1Yg5Rd+TYQcQ1MdvNy0B0tkP1SxzDq0
+Xh1eMeTML9/9/0rKakgNXXXbpi5RB8t6BmwRSyej89F7nn1mtR3qzoyPRpp15SDl
+Tn67C+2v+HDF3MFk88hiNCYkNbcmi7TWvChsl8N1r7wdZwtIox56yXdgxw6ZIpa/
+par0oUCzN7fiavPgCWz1kfPNSaBQSdxwH7TZi5tMHAr0J3C7a7QRnZfE09R59Uqr
+zslrq+ndIw1BZAxoY0SlBu+iFOVaBVlwToC4AsHkv7j7l8ITtr7f42YbBa44D9TO
+uOhONmkk/v3Fso4RaOEzdKZC+hnmmzvHs6TiTWm6yzJgSFwyOUK0eGmKEeVxpcH5
+rUOlHOwzen+FFtocZDZAfdFnb7QY7L/boQvyA5A+ZbRG4DUpmBQeQsSaICHM5Rxx
+1QaLF413VNPXTLPbW0ilSc2H8x2iZTIVKfd33oSO6NhXPtSYQgfecEF4BvNHY5c4
+HovjT4mckbK95bcBzoCHu43vuSQkmZzdYo/ydSZt6zoPavbBLueTpgSbdXiDi827
+MVqOsYxGCb+kez0FoDSTgw==
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
+C1Q=
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/dsa-pca.pem b/crypto/openssl/certs/dsa-pca.pem
new file mode 100644
index 0000000..e3641ad
--- /dev/null
+++ b/crypto/openssl/certs/dsa-pca.pem
@@ -0,0 +1,49 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,F80EEEBEEA7386C4
+
+GZ9zgFcHOlnhPoiSbVi/yXc9mGoj44A6IveD4UlpSEUt6Xbse3Fr0KHIUyQ3oGnS
+mClKoAp/eOTb5Frhto85SzdsxYtac+X1v5XwdzAMy2KowHVk1N8A5jmE2OlkNPNt
+of132MNlo2cyIRYaa35PPYBGNCmUm7YcYS8O90YtkrQZZTf4+2C4kllhMcdkQwkr
+FWSWC8YOQ7w0LHb4cX1FejHHom9Nd/0PN3vn3UyySvfOqoR7nbXkrpHXmPIr0hxX
+RcF0aXcV/CzZ1/nfXWQf4o3+oD0T22SDoVcZY60IzI0oIc3pNCbDV3uKNmgekrFd
+qOUJ+QW8oWp7oefRx62iBfIeC8DZunohMXaWAQCU0sLQOR4yEdeUCnzCSywe0bG1
+diD0KYaEe+Yub1BQH4aLsBgDjardgpJRTQLq0DUvw0/QGO1irKTJzegEDNVBKrVn
+V4AHOKT1CUKqvGNRP1UnccUDTF6miOAtaj/qpzra7sSk7dkGBvIEeFoAg84kfh9h
+hVvF1YyzC9bwZepruoqoUwke/WdNIR5ymOVZ/4Liw0JdIOcq+atbdRX08niqIRkf
+dsZrUj4leo3zdefYUQ7w4N2Ns37yDFq7
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
+5rKUjNBhSg==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/expired/ICE-CA.pem b/crypto/openssl/certs/expired/ICE-CA.pem
new file mode 100644
index 0000000..7565236
--- /dev/null
+++ b/crypto/openssl/certs/expired/ICE-CA.pem
@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:35:53 1997 GMT
+            Not After : Apr  2 17:35:53 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:82:75:ba:f6:d1:60:b5:f9:15:b3:6a:dd:29:8f:
+                    8b:a4:6f:1a:88:e0:50:43:40:0b:79:41:d5:d3:16:
+                    44:7d:74:65:17:42:06:52:0b:e9:50:c8:10:cd:24:
+                    e2:ae:8d:22:30:73:e6:b4:b7:93:1f:e5:6e:a2:ae:
+                    49:11:a5:c9:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0.........z.."p......e..
+            X509v3 Subject Key Identifier: 
+                ..~r..:..B.44fu......3
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...
+            X509v3 Subject Alternative Name: 
+                0!..secude-support@darmstadt.gmd.de
+            X509v3 Issuer Alternative Name: 
+                0I..ice-tel-ca@darmstadt.gmd.de.*http://www.darmstadt.gmd.de/ice-tel/euroca
+            X509v3 Basic Constraints: critical
+                0....
+            X509v3 CRL Distribution Points: 
+                0200...,.*http://www.darmstadt.gmd.de/ice-tel/euroca
+    Signature Algorithm: md5WithRSAEncryption
+        17:a2:88:b7:99:5a:05:41:e4:13:34:67:e6:1f:3e:26:ec:4b:
+        69:f9:3e:28:22:be:9d:1c:ab:41:6f:0c:00:85:fe:45:74:f6:
+        98:f0:ce:9b:65:53:4a:50:42:c7:d4:92:bd:d7:a2:a8:3d:98:
+        88:73:cd:60:28:79:a3:fc:48:7a
+-----BEGIN CERTIFICATE-----
+MIICzDCCAnagAwIBAgIBATANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzU1M1oXDTk4MDQwMjE3MzU1M1owXDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTESMBAGA1UEBxMJRGFybXN0YWR0MFkwCgYEVQgB
+AQICAgADSwAwSAJBAIJ1uvbRYLX5FbNq3SmPi6RvGojgUENAC3lB1dMWRH10ZRdC
+BlIL6VDIEM0k4q6NIjBz5rS3kx/lbqKuSRGlyUUCAwEAAaOCATgwggE0MB8GA1Ud
+IwQYMBaAFIr3yNUOx3ro1yJw4AuJ1bbsZbzPMB0GA1UdDgQWBBR+cvL4OoacQog0
+NGZ1w9T80aIRMzAOBgNVHQ8BAf8EBAMCAfYwFAYDVR0gAQH/BAowCDAGBgQqAwQF
+MCoGA1UdEQQjMCGBH3NlY3VkZS1zdXBwb3J0QGRhcm1zdGFkdC5nbWQuZGUwUgYD
+VR0SBEswSYEbaWNlLXRlbC1jYUBkYXJtc3RhZHQuZ21kLmRlhipodHRwOi8vd3d3
+LmRhcm1zdGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2EwDwYDVR0TAQH/BAUwAwEB
+/zA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmRhcm1zdGFkdC5nbWQuZGUv
+aWNlLXRlbC9ldXJvY2EwDQYJKoZIhvcNAQEEBQADQQAXooi3mVoFQeQTNGfmHz4m
+7Etp+T4oIr6dHKtBbwwAhf5FdPaY8M6bZVNKUELH1JK916KoPZiIc81gKHmj/Eh6
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/ICE-root.pem b/crypto/openssl/certs/expired/ICE-root.pem
new file mode 100644
index 0000000..fa99159
--- /dev/null
+++ b/crypto/openssl/certs/expired/ICE-root.pem
@@ -0,0 +1,48 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:33:36 1997 GMT
+            Not After : Apr  2 17:33:36 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:80:3e:eb:ae:47:a9:fe:10:54:0b:81:8b:9c:2b:
+                    82:ab:3a:61:36:65:8b:f3:73:9f:ac:ac:7a:15:a7:
+                    13:8f:b4:c4:ba:a3:0f:bc:a5:58:8d:cc:b1:93:31:
+                    9e:81:9e:8c:19:61:86:fa:52:73:54:d1:97:76:22:
+                    e7:c7:9f:41:cd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                ........z.."p......e..
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Alternative Name: 
+                0I.*http://www.darmstadt.gmd.de/ice-tel/euroca..ice-tel-ca@darmstadt.gmd.de
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        76:69:61:db:b7:cf:8b:06:9e:d8:8c:96:53:d2:4d:a8:23:a6:
+        03:44:e8:8f:24:a5:c0:84:a8:4b:77:d4:2d:2b:7d:37:91:67:
+        f2:2c:ce:02:31:4c:6b:cc:ce:f2:68:a6:11:11:ab:7d:88:b8:
+        7e:22:9f:25:06:60:bd:79:30:3d
+-----BEGIN CERTIFICATE-----
+MIICFjCCAcCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzMzNloXDTk4MDQwMjE3MzMzNlowSDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTBZMAoGBFUIAQECAgIAA0sAMEgCQQCAPuuuR6n+
+EFQLgYucK4KrOmE2ZYvzc5+srHoVpxOPtMS6ow+8pViNzLGTMZ6BnowZYYb6UnNU
+0Zd2IufHn0HNAgMBAAGjgZcwgZQwHQYDVR0OBBYEFIr3yNUOx3ro1yJw4AuJ1bbs
+ZbzPMA4GA1UdDwEB/wQEAwIB9jBSBgNVHREESzBJhipodHRwOi8vd3d3LmRhcm1z
+dGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2GBG2ljZS10ZWwtY2FAZGFybXN0YWR0
+LmdtZC5kZTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAdmlh27fP
+iwae2IyWU9JNqCOmA0TojySlwISoS3fULSt9N5Fn8izOAjFMa8zO8mimERGrfYi4
+fiKfJQZgvXkwPQ==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/ICE-user.pem b/crypto/openssl/certs/expired/ICE-user.pem
new file mode 100644
index 0000000..28065fd
--- /dev/null
+++ b/crypto/openssl/certs/expired/ICE-user.pem
@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Validity
+            Not Before: Apr  2 17:35:59 1997 GMT
+            Not After : Apr  2 17:35:59 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt, CN=USER
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:a8:a8:53:63:49:1b:93:c3:c3:0b:6c:88:11:55:
+                    de:7e:6a:e2:f9:52:a0:dc:69:25:c4:c8:bf:55:e1:
+                    31:a8:ce:e4:a9:29:85:99:8a:15:9a:de:f6:2f:e1:
+                    b4:50:5f:5e:04:75:a6:f4:76:dc:3c:0e:39:dc:3a:
+                    be:3e:a4:61:8b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0...~r..:..B.44fu......3
+            X509v3 Subject Key Identifier: 
+                ...... .*...1.*.......
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...0.......
+            X509v3 Subject Alternative Name: 
+                0:..user@darmstadt.gmd.de.!http://www.darmstadt.gmd.de/~user
+            X509v3 Issuer Alternative Name: 
+                0....gmdca@gmd.de..http://www.gmd.de..saturn.darmstadt.gmd.de.\1!0...U.
+..European ICE-TEL project1#0!..U....V3-Certification Authority1.0...U....Darmstadt..141.12.62.26
+            X509v3 Basic Constraints: critical
+                0.
+            X509v3 CRL Distribution Points: 
+                0.0.......gmdca@gmd.de
+    Signature Algorithm: md5WithRSAEncryption
+        69:0c:e1:b7:a7:f2:d8:fb:e8:69:c0:13:cd:37:ad:21:06:22:
+        4d:e8:c6:db:f1:04:0b:b7:e0:b3:d6:0c:81:03:ce:c3:6a:3e:
+        c7:e7:24:24:a4:92:64:c2:83:83:06:42:53:0e:6f:09:1e:84:
+        9a:f7:6f:63:9b:94:99:83:d6:a4
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHQwHhcNOTcwNDAyMTczNTU5WhcN
+OTgwNDAyMTczNTU5WjBrMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2pl
+Y3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQH
+EwlEYXJtc3RhZHQxDTALBgNVBAMTBFVTRVIwWTAKBgRVCAEBAgICAANLADBIAkEA
+qKhTY0kbk8PDC2yIEVXefmri+VKg3GklxMi/VeExqM7kqSmFmYoVmt72L+G0UF9e
+BHWm9HbcPA453Dq+PqRhiwIDAQABo4IBmDCCAZQwHwYDVR0jBBgwFoAUfnLy+DqG
+nEKINDRmdcPU/NGiETMwHQYDVR0OBBYEFJfc4B8gjSoRmLUx4Sq/ucIYiMrPMA4G
+A1UdDwEB/wQEAwIB8DAcBgNVHSABAf8EEjAQMAYGBCoDBAUwBgYECQgHBjBDBgNV
+HREEPDA6gRV1c2VyQGRhcm1zdGFkdC5nbWQuZGWGIWh0dHA6Ly93d3cuZGFybXN0
+YWR0LmdtZC5kZS9+dXNlcjCBsQYDVR0SBIGpMIGmgQxnbWRjYUBnbWQuZGWGEWh0
+dHA6Ly93d3cuZ21kLmRlghdzYXR1cm4uZGFybXN0YWR0LmdtZC5kZaRcMSEwHwYD
+VQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHSHDDE0MS4xMi42
+Mi4yNjAMBgNVHRMBAf8EAjAAMB0GA1UdHwQWMBQwEqAQoA6BDGdtZGNhQGdtZC5k
+ZTANBgkqhkiG9w0BAQQFAANBAGkM4ben8tj76GnAE803rSEGIk3oxtvxBAu34LPW
+DIEDzsNqPsfnJCSkkmTCg4MGQlMObwkehJr3b2OblJmD1qQ=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/ICE.crl b/crypto/openssl/certs/expired/ICE.crl
new file mode 100644
index 0000000..21939e8
--- /dev/null
+++ b/crypto/openssl/certs/expired/ICE.crl
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBNDCBnjANBgkqhkiG9w0BAQIFADBFMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0Ut
+VEVMIFByb2plY3QxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05
+NzA2MDkxNDQyNDNaFw05NzA3MDkxNDQyNDNaMCgwEgIBChcNOTcwMzAzMTQ0MjU0
+WjASAgEJFw05NjEwMDIxMjI5MjdaMA0GCSqGSIb3DQEBAgUAA4GBAH4vgWo2Tej/
+i7kbiw4Imd30If91iosjClNpBFwvwUDBclPEeMuYimHbLOk4H8Nofc0fw11+U/IO
+KSNouUDcqG7B64oY7c4SXKn+i1MWOb5OJiWeodX3TehHjBlyWzoNMWCnYA8XqFP1
+mOKp8Jla1BibEZf14+/HqCi2hnZUiEXh
+-----END X509 CRL-----
diff --git a/crypto/openssl/certs/factory.pem b/crypto/openssl/certs/factory.pem
new file mode 100644
index 0000000..8e28b39
--- /dev/null
+++ b/crypto/openssl/certs/factory.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
+MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
+DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
+CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
+amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
+iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
+U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
+zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
+BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
+/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
+lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
+S7ELuYGtmYgYm9NZOIr7yU0=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/nortelCA.pem b/crypto/openssl/certs/nortelCA.pem
new file mode 100644
index 0000000..207f34a
--- /dev/null
+++ b/crypto/openssl/certs/nortelCA.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
+BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
+HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
+IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
+MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
+aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
+GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
+ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
+zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
+YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
+hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
+cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
+YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/pca-cert.pem b/crypto/openssl/certs/pca-cert.pem
new file mode 100644
index 0000000..9d754d4
--- /dev/null
+++ b/crypto/openssl/certs/pca-cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
+HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzNTQ4WhcN
+MDUwNzExMjEzNTQ4WjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
+ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENB
+ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2haT/f5Zwy
+V+MiuSDjSR62adBoSiBB7Usty44lXqsp9RICw+DCCxpsn/CfxPEDXLLd4olsWXc6
+JRcxGynbYmnzk+Z6aIPPJQhK3CTvaqGnWKZsA1m+WaUIUqJCuNTK4N+7hMAGaf6S
+S3e9HVgEQ4a34gXJ7VQFVIBNV1EnZRWHAgMBAAGjgbcwgbQwHQYDVR0OBBYEFE0R
+aEcrj18q1dw+G6nJbsTWR213MIGEBgNVHSMEfTB7gBRNEWhHK49fKtXcPhupyW7E
+1kdtd6FgpF4wXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
+NCBiaXQpggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAUa8B3pho
++Mvxeq9HsEzJxHIFQla05S5J/e/V+DQTYoKiRFchKPrDAdrzYSEvP3h4QJEtsNqQ
+JfOxg5M42uLFq7aPGWkF6ZZqZsYS+zA9IVT14g7gNA6Ne+5QtJqQtH9HA24st0T0
+Tga/lZ9M2ovImovaxSL/kRHbpCWcqWVxpOw=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/certs/rsa-cca.pem b/crypto/openssl/certs/rsa-cca.pem
new file mode 100644
index 0000000..69f5c1c
--- /dev/null
+++ b/crypto/openssl/certs/rsa-cca.pem
@@ -0,0 +1,19 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+notBefore=941104185834Z
+notAfter =991103185834Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
+Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
+OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
+ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
+IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
+975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
+touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
+7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
+9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
+0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
+MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
+-----END X509 CERTIFICATE-----
diff --git a/crypto/openssl/certs/rsa-ssca.pem b/crypto/openssl/certs/rsa-ssca.pem
new file mode 100644
index 0000000..c940321
--- /dev/null
+++ b/crypto/openssl/certs/rsa-ssca.pem
@@ -0,0 +1,19 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=941109235417Z
+notAfter =991231235417Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
+IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
+Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
+YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
+roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
+aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
+HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
+iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
+suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
+cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
+-----END X509 CERTIFICATE-----
diff --git a/crypto/openssl/certs/thawteCb.pem b/crypto/openssl/certs/thawteCb.pem
new file mode 100644
index 0000000..27df192
--- /dev/null
+++ b/crypto/openssl/certs/thawteCb.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
+FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
+VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
+biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
+MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx
+MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
+DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3
+dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
+cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3
+DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91
+yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX
+L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj
+EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG
+7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e
+QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ
+qdq5snUb9kLy78fyGPmJvKP/iiMucEc=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/thawteCp.pem b/crypto/openssl/certs/thawteCp.pem
new file mode 100644
index 0000000..51285e3
--- /dev/null
+++ b/crypto/openssl/certs/thawteCp.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
+FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
+VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
+biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
+dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
+MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
+MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
+A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
+b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
+cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
+VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
+ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
+uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
+hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
+pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/timCA.pem b/crypto/openssl/certs/timCA.pem
new file mode 100644
index 0000000..9c8d5bf
--- /dev/null
+++ b/crypto/openssl/certs/timCA.pem
@@ -0,0 +1,16 @@
+Tims test GCI CA
+
+-----BEGIN CERTIFICATE-----
+MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
+cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
+gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
+cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
+dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
+AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
+OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
+AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
+TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/tjhCA.pem b/crypto/openssl/certs/tjhCA.pem
new file mode 100644
index 0000000..67bee1b
--- /dev/null
+++ b/crypto/openssl/certs/tjhCA.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
+IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
+VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
+NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
+I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
+RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
+KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
+Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
+9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
+WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/vsign1.pem b/crypto/openssl/certs/vsign1.pem
new file mode 100644
index 0000000..277894d
--- /dev/null
+++ b/crypto/openssl/certs/vsign1.pem
@@ -0,0 +1,17 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2020 GMT
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEDJQM89Q0VbzXIGtZVxPyCUwDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTIwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f
+zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi
+TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBAEtEZmBoZOSYG/OwcuaViXzde7OVwB0u2NgZ0C00PcZQ
+mhCGjKo/O6gE/DdSlcPZydvN8oYGxLEb8IKIMEKOF1AcZHq4PplJdJf8rAJD+5YM
+VgQlDHx8h50kp9jwMim1pN9dokzFFjKoQvZFprY2ueC/ZTaTwtLXa9zeWdaiNfhF
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/vsign2.pem b/crypto/openssl/certs/vsign2.pem
new file mode 100644
index 0000000..d8bdd8c
--- /dev/null
+++ b/crypto/openssl/certs/vsign2.pem
@@ -0,0 +1,18 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2004 GMT
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaYCEQC6WslMBTuS1qe2307QU5INMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMiBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAtlqLow1qI4OAa885h/QhEzMGTCWi7VUSl8WngLn6g8EgoPovFQ18
+oWBrfnks+gYPOq72G2+x0v8vKFJfg31LxHq3+GYfgFT8t8KOWUoUV0bRmpO+QZED
+uxWAk1zr58wIbD8+s0r8/0tsI9VQgiZEGY4jw3HqGSRHBJ51v8imAB8CAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQC2AB+TV6QHp0DOZUA/VV7t7/pUSaUw1iF8YYfug5ML
+v7Qz8pisnwa/TqjOFIFMywROWMPPX+5815pvy0GKt3+BuP+EYcYnQ2UdDOyxAArd
+G6S7x3ggKLKi3TaVLuFUT79guXdoEZkj6OpS6KoATmdOu5C1RZtG644W78QzWzM9
+1Q==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/vsign3.pem b/crypto/openssl/certs/vsign3.pem
new file mode 100644
index 0000000..aa5bb4c
--- /dev/null
+++ b/crypto/openssl/certs/vsign3.pem
@@ -0,0 +1,18 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2004 GMT
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
+RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
+rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
+STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
+ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
+pA==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/vsignss.pem b/crypto/openssl/certs/vsignss.pem
new file mode 100644
index 0000000..5de48bf
--- /dev/null
+++ b/crypto/openssl/certs/vsignss.pem
@@ -0,0 +1,17 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=Nov  9 00:00:00 1994 GMT
+notAfter=Jan  7 23:59:59 2010 GMT
+-----BEGIN CERTIFICATE-----
+MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
+MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
+BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
+dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
+ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
+0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
+uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
+hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
+YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
+1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/vsigntca.pem b/crypto/openssl/certs/vsigntca.pem
new file mode 100644
index 0000000..05acf76
--- /dev/null
+++ b/crypto/openssl/certs/vsigntca.pem
@@ -0,0 +1,18 @@
+subject=/O=VeriSign, Inc/OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD./OU=For VeriSign authorized testing only. No assurances (C)VS1997
+notBefore=Mar  4 00:00:00 1997 GMT
+notAfter=Mar  4 23:59:59 2025 GMT
+-----BEGIN CERTIFICATE-----
+MIICTTCCAfcCEEdoCqpuXxnoK27q7d58Qc4wDQYJKoZIhvcNAQEEBQAwgakxFjAU
+BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
+cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
+RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
+IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk3MDMwNDAwMDAwMFoXDTI1MDMwNDIz
+NTk1OVowgakxFjAUBgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52
+ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBM
+aWFiLiBMVEQuMUYwRAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0
+aW5nIG9ubHkuIE5vIGFzc3VyYW5jZXMgKEMpVlMxOTk3MFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAMak6xImJx44jMKcbkACy5/CyMA2fqXK4PlzTtCxRq5tFkDzne7s
+cI8oFK/J+gFZNE3bjidDxf07O3JOYG9RGx8CAwEAATANBgkqhkiG9w0BAQQFAANB
+ADT523tENOKrEheZFpsJx1UUjPrG7TwYc/C4NBHrZI4gZJcKVFIfNulftVS6UMYW
+ToLEMaUojc3DuNXHG21PDG8=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/config b/crypto/openssl/config
new file mode 100755
index 0000000..5337348
--- /dev/null
+++ b/crypto/openssl/config
@@ -0,0 +1,582 @@
+#!/bin/sh
+#
+# OpenSSL config: determine the operating system and run ./Configure
+#
+# "config -h" for usage information.
+#
+#          this is a merge of minarch and GuessOS from the Apache Group.
+#          Originally written by Tim Hudson <tjh@cryptsoft.com>.
+
+# Original Apache Group comments on GuessOS
+
+# Simple OS/Platform guesser. Similar to config.guess but
+# much, much smaller. Since it was developed for use with
+# Apache, it follows under Apache's regular licensing
+# with one specific addition: Any changes or additions
+# to this script should be Emailed to the Apache
+# group (apache@apache.org) in general and to
+# Jim Jagielski (jim@jaguNET.com) in specific.
+#
+# Be as similar to the output of config.guess/config.sub
+# as possible.
+
+# First get uname entries that we use below
+
+MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
+RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
+SYSTEM=`(uname -s) 2>/dev/null`  || SYSTEM="unknown"
+VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
+
+
+# Now test for ISC and SCO, since it is has a braindamaged uname.
+#
+# We need to work around FreeBSD 1.1.5.1 
+(
+XREL=`uname -X 2>/dev/null | grep "^Release" | awk '{print $3}'`
+if [ "x$XREL" != "x" ]; then
+    if [ -f /etc/kconfig ]; then
+	case "$XREL" in
+	    4.0|4.1)
+		    echo "${MACHINE}-whatever-isc4"; exit 0
+		;;
+	esac
+    else
+	case "$XREL" in
+	    3.2v4.2)
+		echo "whatever-whatever-sco3"; exit 0
+		;;
+	    3.2v5.0*)
+		echo "whatever-whatever-sco5"; exit 0
+		;;
+	    4.2MP)
+		if [ "x$VERSION" = "x2.1.1" ]; then
+		    echo "${MACHINE}-whatever-unixware211"; exit 0
+		elif [ "x$VERSION" = "x2.1.2" ]; then
+		    echo "${MACHINE}-whatever-unixware212"; exit 0
+		else
+		    echo "${MACHINE}-whatever-unixware2"; exit 0
+		fi
+		;;
+	    4.2)
+		echo "whatever-whatever-unixware1"; exit 0
+		;;
+	    5)
+		if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
+		    echo "${MACHINE}-sco-unixware7"; exit 0
+		fi
+		;;
+	esac
+    fi
+fi
+# Now we simply scan though... In most cases, the SYSTEM info is enough
+#
+case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
+    A/UX:*)
+	echo "m68k-apple-aux3"; exit 0
+	;;
+
+    AIX:*)
+	echo "${MACHINE}-ibm-aix"; exit 0
+	;;
+
+    dgux:*)
+	echo "${MACHINE}-dg-dgux"; exit 0
+	;;
+
+    HI-UX:*)
+	echo "${MACHINE}-hi-hiux"; exit 0
+	;;
+
+    HP-UX:*)
+	HPUXVER=`echo ${RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "$HPUXVER" in
+	    11.*)
+		echo "${MACHINE}-hp-hpux11"; exit 0
+		;;
+	    10.*)
+		echo "${MACHINE}-hp-hpux10"; exit 0
+		;;
+	    *)
+		echo "${MACHINE}-hp-hpux"; exit 0
+		;;
+	esac
+	;;
+
+    IRIX:5.*)
+	echo "mips2-sgi-irix"; exit 0
+	;;
+
+    IRIX:6.*)
+	echo "mips3-sgi-irix"; exit 0
+	;;
+
+    IRIX64:*)
+	echo "mips4-sgi-irix64"; exit 0
+	;;
+
+    Linux:[2-9].*)
+	echo "${MACHINE}-whatever-linux2"; exit 0
+	;;
+
+    Linux:1.*)
+	echo "${MACHINE}-whatever-linux1"; exit 0
+	;;
+
+    LynxOS:*)
+	echo "${MACHINE}-lynx-lynxos"; exit 0
+	;;
+
+    BSD/OS:4.*)  # BSD/OS always says 386
+	echo "i486-whatever-bsdi4"; exit 0
+	;;
+
+    BSD/386:*:*:*486*|BSD/OS:*:*:*:*486*)
+        case `/sbin/sysctl -n hw.model` in
+	    Pentium*)
+                echo "i586-whatever-bsdi"; exit 0
+                ;;
+            *)
+                echo "i386-whatever-bsdi"; exit 0
+                ;;
+            esac;
+	;;
+
+    BSD/386:*|BSD/OS:*)
+	echo "${MACHINE}-whatever-bsdi"; exit 0
+	;;
+
+    FreeBSD:*)
+        VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'`
+        MACH=`sysctl -n hw.model`
+        ARCH='whatever'
+        case ${MACH} in
+           *386*       ) MACH="i386"     ;;
+           *486*       ) MACH="i486"     ;;
+           Pentium\ II*) MACH="i686"     ;;
+           Pentium*    ) MACH="i586"     ;;
+           Alpha*      ) MACH="alpha"    ;;
+           *           ) MACH="$MACHINE" ;;
+        esac
+        case ${MACH} in
+           i[0-9]86 ) ARCH="pc" ;;
+        esac
+        echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0
+        ;;
+
+    NetBSD:*:*:*386*)
+        echo "`sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whateve\r-netbsd"; exit 0
+	;;
+
+    NetBSD:*)
+	echo "${MACHINE}-whatever-netbsd"; exit 0
+	;;
+
+    OpenBSD:*)
+	echo "${MACHINE}-whatever-openbsd"; exit 0
+	;;
+
+    OSF1:*:*:*alpha*)
+	echo "${MACHINE}-dec-osf"; exit 0
+	;;
+
+    QNX:*)
+	case "$VERSION" in
+	    423)
+		echo "${MACHINE}-qssl-qnx32"
+		;;
+	    *)
+		echo "${MACHINE}-qssl-qnx"
+		;;
+	esac
+	exit 0
+	;;
+
+    Paragon*:*:*:*)
+	echo "i860-intel-osf1"; exit 0
+	;;
+
+    Rhapsody:*)
+	echo "ppc-apple-rhapsody"; exit 0
+	;;
+
+    SunOS:5.*)
+	echo "${MACHINE}-sun-solaris2"; exit 0
+	;;
+
+    SunOS:*)
+	echo "${MACHINE}-sun-sunos4"; exit 0
+	;;
+
+    UNIX_System_V:4.*:*)
+	echo "${MACHINE}-whatever-sysv4"; exit 0
+	;;
+
+    *:4*:R4*:m88k)
+	echo "${MACHINE}-whatever-sysv4"; exit 0
+	;;
+
+    DYNIX/ptx:4*:*)
+	echo "${MACHINE}-whatever-sysv4"; exit 0
+	;;
+
+    *:4.0:3.0:3[34]?? | *:4.0:3.0:3[34]??,*)
+	echo "i486-ncr-sysv4"; exit 0
+	;;
+
+    ULTRIX:*)
+	echo "${MACHINE}-unknown-ultrix"; exit 0
+	;;
+
+    SINIX*|ReliantUNIX*)
+	echo "${MACHINE}-siemens-sysv4"; exit 0
+	;;
+
+    POSIX-BC*)
+	echo "${MACHINE}-siemens-sysv4"; exit 0   # Here, $MACHINE == "BS2000"
+	;;
+
+    machten:*)
+       echo "${MACHINE}-tenon-${SYSTEM}"; exit 0;
+       ;;
+
+    library:*)
+	echo "${MACHINE}-ncr-sysv4"; exit 0
+	;;
+
+    ConvexOS:*:11.0:*)
+	echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
+	;;
+
+esac
+
+#
+# Ugg. These are all we can determine by what we know about
+# the output of uname. Be more creative:
+#
+
+# Do the Apollo stuff first. Here, we just simply assume
+# that the existance of the /usr/apollo directory is proof
+# enough
+if [ -d /usr/apollo ]; then
+    echo "whatever-apollo-whatever"
+    exit 0
+fi
+
+# Now NeXT
+ISNEXT=`hostinfo 2>/dev/null`
+case "$ISNEXT" in
+    *'NeXT Mach 3.3'*)
+	echo "whatever-next-nextstep3.3"; exit 0
+	;;
+    *NeXT*)
+	echo "whatever-next-nextstep"; exit 0
+	;;
+esac
+
+# At this point we gone through all the one's
+# we know of: Punt
+
+echo "${MACHINE}-whatever-${SYSTEM}" 
+exit 0
+) 2>/dev/null | (
+
+# ---------------------------------------------------------------------------
+# this is where the translation occurs into SSLeay terms
+# ---------------------------------------------------------------------------
+
+PREFIX=""
+SUFFIX=""
+TEST="false"
+
+# pick up any command line args to config
+for i
+do
+case "$i" in 
+# shared library support (behnke@trustcenter.de)
+-shared) SHARED=true;;
+-d*) PREFIX="debug-";;
+-t*) TEST="true";;
+-h*) TEST="true"; cat <<EOF
+Usage: config [options]
+ -d	Add a debug- prefix to machine choice.
+ -t	Test mode, do not run the Configure perl script.
+ -h	This help.
+
+Any other text will be passed to the Configure perl script.
+See INSTALL for instructions.
+
+EOF
+;;
+*) options=$options" $i" ;;
+esac
+done
+
+# figure out if gcc is available and if so we use it otherwise
+# we fallback to whatever cc does on the system
+GCCVER=`(gcc --version) 2>/dev/null`
+if [ "$GCCVER" != "" ]; then
+  CC=gcc
+  # then strip off whatever prefix Cygnus prepends the number with...
+  GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'`
+  # peak single digit before and after first dot, e.g. 2.95.1 gives 29
+  GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
+else
+  CC=cc
+fi
+
+if [ "$SYSTEM" = "SunOS" ]; then
+  # check for WorkShop C, expected output is "cc: blah-blah C x.x"
+  CCVER=`(cc -V 2>&1) 2>/dev/null | \
+  	egrep -e '^cc: .* C [0-9]\.[0-9]' | \
+	sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
+  CCVER=${CCVER:-0}
+  if [ $CCVER -gt 40 ]; then
+    CC=cc	# overrides gcc!!!
+    if [ $CCVER -eq 50 ]; then
+      echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
+      echo "         patch #107357-01 or later applied."
+      sleep 5
+    fi
+  elif [ "$CC" = "cc" -a $CCVER -gt 0 ]; then
+    CC=sc3
+  fi
+fi
+
+if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then
+  # check for Compaq C, expected output is "blah-blah C Vx.x"
+  CCCVER=`(ccc -V 2>&1) 2>/dev/null | \
+	egrep -e '.* C V[0-9]\.[0-9]' | \
+	sed 's/.* C V\([0-9]\)\.\([0-9]\).*/\1\2/'`
+  CCCVER=${CCCVER:-0}
+  if [ $CCCVER -gt 60 ]; then
+    CC=ccc	# overrides gcc!!! well, ccc outperforms inoticeably
+		# only on hash routines and des, otherwise gcc (2.95)
+		# keeps along rather tight...
+  fi
+fi
+
+GCCVER=${GCCVER:-0}
+CCVER=${CCVER:-0}
+
+# read the output of the embedded GuessOS 
+read GUESSOS
+
+echo Operating system: $GUESSOS
+
+# now map the output into SSLeay terms ... really should hack into the
+# script above so we end up with values in vars but that would take
+# more time that I want to waste at the moment
+case "$GUESSOS" in
+  mips2-sgi-irix)
+	CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	CPU=${CPU:-0}
+	if [ $CPU -ge 4000 ]; then
+		options="$options -mips2"
+	fi
+	OUT="irix-$CC"
+	;;
+  mips3-sgi-irix)
+	CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	CPU=${CPU:-0}
+	if [ $CPU -ge 5000 ]; then
+		options="$options -mips4"
+	else
+		options="$options -mips3"
+	fi
+	OUT="irix-mips3-$CC"
+	;;
+  mips4-sgi-irix64)
+	echo "WARNING! If you wish to build 64-bit library, then you have to"
+	echo "         invoke './Configre irix64-mips4-$CC' *manually*."
+	echo "         Type Ctrl-C if you don't want to continue."
+	read waste < /dev/tty
+	options="$options -mips4"
+	OUT="irix-mips3-$CC"
+	;;
+  alpha-*-linux2)
+        ISA=`awk '/cpu model/{print$4}' /proc/cpuinfo`
+	case ${ISA:-generic} in
+	*[67])	OUT="linux-alpha+bwx-$CC" ;;
+	*)	OUT="linux-alpha-$CC" ;;
+	esac
+	if [ "$CC" = "gcc" ]; then
+	    case ${ISA:-generic} in
+	    EV5|EV45)		options="$options -mcpu=ev5";;
+	    EV56|PCA56)		options="$options -mcpu=ev56";;
+	    EV6|EV67|PCA57)	options="$options -mcpu=ev6";;
+	    esac
+	fi
+	;;
+  mips-*-linux?) OUT="linux-mips" ;;
+  ppc-*-linux2) OUT="linux-ppc" ;;
+  ia64-*-linux?) OUT="linux-ia64" ;;
+  ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
+  sparc64-*-linux2)
+	#Before we can uncomment following lines we have to wait at least
+	#till 64-bit glibc for SPARC is operational:-(
+	#echo "WARNING! If you wish to build 64-bit library, then you have to"
+	#echo "         invoke './Configure linux64-sparcv9' *manually*."
+	#echo "         Type Ctrl-C if you don't want to continue."
+	#read waste < /dev/tty
+	OUT="linux-sparcv9" ;;
+  sparc-*-linux2)
+	KARCH=`awk '/type/{print$3}' /proc/cpuinfo`
+	case ${KARCH:-sun4} in
+	sun4u*)	OUT="linux-sparcv9" ;;
+	sun4m)	OUT="linux-sparcv8" ;;
+	sun4d)	OUT="linux-sparcv8" ;;
+	*)	OUT="linux-sparcv7" ;;
+	esac ;;
+  *-*-linux2) OUT="linux-elf" ;;
+  *-*-linux1) OUT="linux-aout" ;;
+  sun4u*-sun-solaris2)
+	ISA64=`(isalist) 2>/dev/null | grep sparcv9`
+	if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then
+		echo "WARNING! If you wish to build 64-bit library, then you have to"
+		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
+		echo "         Type Ctrl-C if you don't want to continue."
+		read waste < /dev/tty
+	fi
+	OUT="solaris-sparcv9-$CC" ;;
+  sun4m-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4d-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4*-sun-solaris2)	OUT="solaris-sparcv7-$CC" ;;
+  *86*-sun-solaris2) OUT="solaris-x86-$CC" ;;
+  *-*-sunos4) OUT="sunos-$CC" ;;
+  alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
+  *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
+  *-freebsd[1-2]*) OUT="FreeBSD" ;;
+  *86*-*-netbsd) OUT="NetBSD-x86" ;;
+  sun3*-*-netbsd) OUT="NetBSD-m68" ;;
+  *-*-netbsd) OUT="NetBSD-sparc" ;;
+  *86*-*-openbsd) OUT="OpenBSD-x86" ;;
+  alpha*-*-openbsd) OUT="OpenBSD-alpha" ;;
+  pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
+  *-*-openbsd) OUT="OpenBSD" ;;
+  *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
+  *-*-osf) OUT="alpha-cc" ;;
+  *-*-unixware7) OUT="unixware-7" ;;
+  *-*-UnixWare7) OUT="unixware-7" ;;
+  *-*-Unixware7) OUT="unixware-7" ;;
+  *-*-unixware[1-2]*) OUT="unixware-2.0" ;;
+  *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;;
+  *-*-Unixware[1-2]*) OUT="unixware-2.0" ;;
+  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
+  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
+  *-siemens-sysv4) OUT="SINIX" ;;
+  *-hpux1*)	OUT="hpux-parisc-$CC"
+		options="$options -D_REENTRANT" ;;
+  *-hpux)	OUT="hpux-parisc-$CC" ;;
+  # these are all covered by the catchall below
+  # *-aix) OUT="aix-$CC" ;;
+  # *-dgux) OUT="dgux" ;;
+  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
+esac
+
+# See whether we can compile Atalla support
+if [ -f /usr/include/atasi.h ]
+then
+  options="$options -DATALLA"
+fi
+
+#get some basic shared lib support (behnke@trustcenter.de)
+case "$OUT" in
+   solaris-*-gcc)
+	if  [ "$SHARED" = "true" ] 
+	 then
+	  options="$options -DPIC -fPIC"
+        fi
+     ;;
+esac
+
+# gcc < 2.8 does not support -mcpu=ultrasparc
+if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
+then
+  echo "WARNING! Do consider upgrading to gcc-2.8 or later."
+  sleep 5
+  OUT=solaris-sparcv9-gcc27
+fi
+if [ "$OUT" = "linux-sparcv9" -a $GCCVER -lt 28 ]
+then
+  echo "WARNING! Falling down to 'linux-sparcv8'."
+  echo "         Upgrade to gcc-2.8 or later."
+  sleep 5
+  OUT=linux-sparcv8
+fi
+# To start with $OUT is never i86pc-sun-solaris2. Secondly why
+# ban *all* assembler implementation if it can't stand only one,
+# SHA-0 implementation.
+#if [ "$OUT" = "i86pc-sun-solaris2" ]
+#then
+#  ASM=`as -V /dev/null 2>&1`
+#  case "$ASM" in
+#    GNU*) ;;
+#    *) options="$options no-asm" ; echo "WARNING: You need the GNU assembler to use OpenSSL assembler code." ; echo "Sun as is not supported on Solaris x86." ;;
+#  esac
+#fi
+
+case "$GUESSOS" in
+  i386-*) options="$options 386" ;;
+esac
+
+for i in bf cast des dh dsa hmac md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
+do
+  if [ ! -d crypto/$i ]
+  then
+    options="$options no-$i"
+  fi
+done
+
+if [ -z "$OUT" ]; then
+  OUT="$CC"
+fi
+
+if [ ".$PERL" = . ] ; then
+	for i in . `echo $PATH | sed 's/:/ /g'`; do
+		if [ -f "$i/perl5" ] ; then
+			PERL="$i/perl5"
+			break;
+		fi;
+	done
+fi
+
+if [ ".$PERL" = . ] ; then
+	for i in . `echo $PATH | sed 's/:/ /g'`; do
+		if [ -f "$i/perl" ] ; then
+			if "$i/perl" -e 'exit($]<5.0)'; then
+				PERL="$i/perl"
+				break;
+			fi;
+		fi;
+	done
+fi
+
+if [ ".$PERL" = . ] ; then
+	echo "You need Perl 5."
+	exit 1
+fi
+
+# run Configure to check to see if we need to specify the 
+# compiler for the platform ... in which case we add it on
+# the end ... otherwise we leave it off
+
+$PERL ./Configure LIST | grep "$OUT-$CC" > /dev/null
+if [ $? = "0" ]; then
+  OUT="$OUT-$CC"
+fi
+
+OUT="$PREFIX$OUT"
+
+$PERL ./Configure LIST | grep "$OUT" > /dev/null
+if [ $? = "0" ]; then
+  echo Configuring for $OUT
+
+  if [ "$TEST" = "true" ]; then
+    echo $PERL ./Configure $OUT $options
+  else
+    $PERL ./Configure $OUT $options
+  fi
+else
+  echo "This system ($OUT) is not supported. See file INSTALL for details."
+fi
+)
diff --git a/crypto/openssl/crypto/Makefile.save b/crypto/openssl/crypto/Makefile.save
new file mode 100644
index 0000000..cd41e12
--- /dev/null
+++ b/crypto/openssl/crypto/Makefile.save
@@ -0,0 +1,195 @@
+#
+# SSLeay/crypto/Makefile
+#
+
+DIR=		crypto
+TOP=		..
+CC=		cc
+INCLUDE=	-I. -I../include
+INCLUDES=	-I.. -I../../include
+CFLAG=		-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=	/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+RM=             rm -f
+AR=		ar r
+
+PEX_LIBS=
+EX_LIBS=
+ 
+CFLAGS= $(INCLUDE) $(CFLAG)
+
+
+LIBS=
+
+SDIRS=	md2 md5 sha mdc2 hmac ripemd \
+	des rc2 rc4 rc5 idea bf cast \
+	bn rsa dsa dh \
+	buffer bio stack lhash rand err objects \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+
+GENERAL=Makefile README crypto-lib.com install.com
+
+LIB= $(TOP)/libcrypto.a
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h
+HEADER=	cryptlib.h buildinf.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all: buildinf.h lib subdirs
+
+buildinf.h: ../Makefile.ssl
+	( echo "#ifndef MK1MF_BUILD"; \
+	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
+	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
+	echo "  #define PLATFORM \"$(PLATFORM)\""; \
+	echo "  #define DATE \"`date`\""; \
+	echo "#endif" ) >buildinf.h
+
+testapps:
+	if echo ${SDIRS} | fgrep ' des '; \
+	then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi
+	cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+
+subdirs:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i && echo "making all in crypto/$$i..." && \
+	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done;
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making 'files' in crypto/$$i..."; \
+	$(MAKE) PERL='${PERL}' files ); \
+	done;
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@for i in $(SDIRS); do \
+	(cd $$i; echo "making links in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
+	done;
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+libs:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making libs in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \
+	done;
+
+tests:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making tests in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
+	done;
+
+install:
+	@for i in $(EXHEADER) ;\
+	do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making install in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
+	done;
+
+lint:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making lint in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \
+	done;
+
+depend:
+	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
+	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making depend in crypto/$$i..."; \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	done;
+
+clean:
+	rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making clean in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \
+	done;
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making dclean in crypto/$$i..."; \
+	$(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
+	done;
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+cpt_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
+cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cpt_err.o: ../include/openssl/stack.h
+cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cryptlib.o: cryptlib.h
+cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cversion.o: buildinf.h cryptlib.h
+ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+ex_data.o: ../include/openssl/stack.h cryptlib.h
+mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.h
+mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem_dbg.o: ../include/openssl/stack.h cryptlib.h
+tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl
new file mode 100644
index 0000000..eb022e4
--- /dev/null
+++ b/crypto/openssl/crypto/Makefile.ssl
@@ -0,0 +1,195 @@
+#
+# SSLeay/crypto/Makefile
+#
+
+DIR=		crypto
+TOP=		..
+CC=		cc
+INCLUDE=	-I. -I../include
+INCLUDES=	-I.. -I../../include
+CFLAG=		-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=	/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+RM=             rm -f
+AR=		ar r
+
+PEX_LIBS=
+EX_LIBS=
+ 
+CFLAGS= $(INCLUDE) $(CFLAG)
+
+
+LIBS=
+
+SDIRS=	md2 md5 sha mdc2 hmac ripemd \
+	des rc2 rc4 rc5 idea bf cast \
+	bn rsa dsa dh \
+	buffer bio stack lhash rand err objects \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+
+GENERAL=Makefile README crypto-lib.com install.com
+
+LIB= $(TOP)/libcrypto.a
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h
+HEADER=	cryptlib.h buildinf.h md32_common.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all: buildinf.h lib subdirs
+
+buildinf.h: ../Makefile.ssl
+	( echo "#ifndef MK1MF_BUILD"; \
+	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
+	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
+	echo "  #define PLATFORM \"$(PLATFORM)\""; \
+	echo "  #define DATE \"`date`\""; \
+	echo "#endif" ) >buildinf.h
+
+testapps:
+	if echo ${SDIRS} | fgrep ' des '; \
+	then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi
+	cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+
+subdirs:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i && echo "making all in crypto/$$i..." && \
+	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+	done;
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making 'files' in crypto/$$i..."; \
+	$(MAKE) PERL='${PERL}' files ); \
+	done;
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@for i in $(SDIRS); do \
+	(cd $$i; echo "making links in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
+	done;
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+libs:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making libs in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \
+	done;
+
+tests:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making tests in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
+	done;
+
+install:
+	@for i in $(EXHEADER) ;\
+	do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making install in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
+	done;
+
+lint:
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making lint in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \
+	done;
+
+depend:
+	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
+	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making depend in crypto/$$i..."; \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	done;
+
+clean:
+	rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making clean in crypto/$$i..."; \
+	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \
+	done;
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+	@for i in $(SDIRS) ;\
+	do \
+	(cd $$i; echo "making dclean in crypto/$$i..."; \
+	$(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
+	done;
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+cpt_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
+cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cpt_err.o: ../include/openssl/stack.h
+cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cryptlib.o: cryptlib.h
+cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cversion.o: buildinf.h cryptlib.h
+ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+ex_data.o: ../include/openssl/stack.h cryptlib.h
+mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.h
+mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem_dbg.o: ../include/openssl/stack.h cryptlib.h
+tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
diff --git a/crypto/openssl/crypto/asn1/Makefile.save b/crypto/openssl/crypto/asn1/Makefile.save
new file mode 100644
index 0000000..b119a6a
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/Makefile.save
@@ -0,0 +1,1184 @@
+#
+# SSLeay/crypto/asn1/Makefile
+#
+
+DIR=	asn1
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
+	a_null.c a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
+	a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \
+	x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \
+	x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
+	d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \
+	d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \
+	d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
+	t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
+	p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \
+	p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \
+	f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \
+	f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \
+	asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
+	evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c
+LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
+	a_null.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
+	a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \
+	x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \
+	x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
+	d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \
+	d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \
+	d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
+	t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
+	p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \
+	p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \
+	f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \
+	f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \
+	asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
+	evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  asn1.h asn1_mac.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:	test.c
+	cc -g -I../../include -c test.c
+	cc -g -I../../include -o test test.o -L../.. -lcrypto
+
+pk:	pk.c
+	cc -g -I../../include -c pk.c
+	cc -g -I../../include -o pk pk.o -L../.. -lcrypto
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+a_bitstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bitstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bitstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bitstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bitstr.o: ../../include/openssl/opensslconf.h
+a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_bitstr.o: ../../include/openssl/stack.h ../cryptlib.h
+a_bmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bmp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bmp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bmp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bmp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bmp.o: ../cryptlib.h
+a_bool.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bool.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bool.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bool.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bool.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bool.o: ../cryptlib.h
+a_bytes.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_bytes.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_bytes.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_bytes.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_bytes.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_bytes.o: ../../include/openssl/stack.h ../cryptlib.h
+a_d2i_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_d2i_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_d2i_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_d2i_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_d2i_fp.o: ../../include/openssl/stack.h ../cryptlib.h
+a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_digest.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_digest.o: ../cryptlib.h
+a_dup.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_dup.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_dup.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_dup.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_dup.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_dup.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_dup.o: ../../include/openssl/stack.h ../cryptlib.h
+a_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_enum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_enum.o: ../cryptlib.h
+a_gentm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_gentm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_gentm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_gentm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_gentm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_gentm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_gentm.o: ../cryptlib.h
+a_hdr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_hdr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_hdr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_hdr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_hdr.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_hdr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_hdr.o: ../../include/openssl/stack.h ../cryptlib.h
+a_i2d_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_i2d_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_i2d_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_i2d_fp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_i2d_fp.o: ../../include/openssl/stack.h ../cryptlib.h
+a_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_int.o: ../cryptlib.h
+a_mbstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_mbstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_mbstr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_mbstr.o: ../cryptlib.h
+a_meth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_meth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_meth.o: ../cryptlib.h
+a_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_null.o: ../cryptlib.h
+a_object.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_object.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_object.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_object.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_object.o: ../../include/openssl/stack.h ../cryptlib.h
+a_octet.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_octet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_octet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_octet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_octet.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_octet.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_octet.o: ../cryptlib.h
+a_print.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_print.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_print.o: ../cryptlib.h
+a_set.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_set.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_set.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_set.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_set.o: ../../include/openssl/stack.h ../cryptlib.h
+a_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_sign.o: ../cryptlib.h
+a_strnid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strnid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_strnid.o: ../../include/openssl/stack.h ../cryptlib.h
+a_time.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_time.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_time.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_time.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_time.o: ../cryptlib.h
+a_type.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_type.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_type.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_type.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_type.o: ../../include/openssl/stack.h ../cryptlib.h
+a_utctm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_utctm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_utctm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_utctm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_utctm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utctm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utctm.o: ../cryptlib.h
+a_utf8.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_utf8.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_utf8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utf8.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utf8.o: ../cryptlib.h
+a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_verify.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_verify.o: ../cryptlib.h
+a_vis.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_vis.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_vis.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_vis.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_vis.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_vis.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_vis.o: ../cryptlib.h
+asn1_err.o: ../../include/openssl/asn1.h ../../include/openssl/bn.h
+asn1_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+asn1_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn1_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+asn1_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+asn1_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+asn1_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn1_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+asn1_par.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+asn1_par.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+asn1_par.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn1_par.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn1_par.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn1_par.o: ../../include/openssl/stack.h ../cryptlib.h
+asn_pack.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+asn_pack.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+asn_pack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn_pack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn_pack.o: ../../include/openssl/opensslconf.h
+asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn_pack.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+d2i_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+d2i_dhp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_dhp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_dhp.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_dsap.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_dsap.o: ../../include/openssl/opensslconf.h
+d2i_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+d2i_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+d2i_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pu.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+d2i_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+d2i_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_r_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_r_pr.o: ../../include/openssl/opensslconf.h
+d2i_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+d2i_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+d2i_r_pr.o: ../cryptlib.h
+d2i_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_r_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_r_pu.o: ../../include/openssl/opensslconf.h
+d2i_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+d2i_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+d2i_r_pu.o: ../cryptlib.h
+d2i_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pr.o: ../../include/openssl/opensslconf.h
+d2i_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pu.o: ../../include/openssl/opensslconf.h
+d2i_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+evp_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+evp_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+evp_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
+f_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_enum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_enum.o: ../cryptlib.h
+f_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_int.o: ../cryptlib.h
+f_string.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_string.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_string.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_string.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_string.o: ../../include/openssl/opensslconf.h
+f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+f_string.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+i2d_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+i2d_dhp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i2d_dhp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_dhp.o: ../cryptlib.h
+i2d_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_dsap.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+i2d_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+i2d_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+i2d_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pu.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+i2d_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+i2d_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_r_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_r_pr.o: ../../include/openssl/opensslconf.h
+i2d_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+i2d_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_r_pr.o: ../cryptlib.h
+i2d_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_r_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_r_pu.o: ../../include/openssl/opensslconf.h
+i2d_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+i2d_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_r_pu.o: ../cryptlib.h
+i2d_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pr.o: ../../include/openssl/opensslconf.h
+i2d_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pu.o: ../../include/openssl/opensslconf.h
+i2d_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+n_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+n_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+n_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+n_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+n_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+n_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+n_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+n_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+n_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+n_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+n_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+nsseq.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+nsseq.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+nsseq.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+nsseq.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+nsseq.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+nsseq.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+nsseq.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+nsseq.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+nsseq.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+nsseq.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+nsseq.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+nsseq.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+nsseq.o: ../../include/openssl/x509_vfy.h
+p5_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p5_pbe.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbe.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p5_pbe.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p5_pbe.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p5_pbe.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_pbe.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p5_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_pbe.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p5_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p5_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_pbe.o: ../cryptlib.h
+p5_pbev2.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p5_pbev2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p5_pbev2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p5_pbev2.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_pbev2.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_pbev2.o: ../../include/openssl/opensslconf.h
+p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_pbev2.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p5_pbev2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p5_pbev2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p5_pbev2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p5_pbev2.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p5_pbev2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_dgst.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_dgst.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_dgst.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_dgst.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_dgst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_dgst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_dgst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_dgst.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_dgst.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_dgst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_dgst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_dgst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_dgst.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_dgst.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_enc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_enc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_enc.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_enc.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_enc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_enc_c.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_enc_c.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_enc_c.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_enc_c.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_enc_c.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_enc_c.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_enc_c.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_enc_c.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_enc_c.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_enc_c.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_enc_c.o: ../../include/openssl/opensslconf.h
+p7_enc_c.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_enc_c.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_enc_c.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_enc_c.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_enc_c.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_enc_c.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_enc_c.o: ../cryptlib.h
+p7_evp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_evp.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_evp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_evp.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_evp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_evp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_evp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_evp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_evp.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_evp.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_evp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_evp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_evp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_evp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_evp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_evp.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_evp.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_i_s.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_i_s.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_i_s.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_i_s.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_i_s.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_i_s.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_i_s.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_i_s.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_i_s.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_i_s.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_i_s.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_i_s.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_i_s.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_i_s.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_i_s.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_i_s.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_i_s.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_lib.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_recip.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_recip.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_recip.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_recip.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_recip.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_recip.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_recip.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_recip.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_recip.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_recip.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_recip.o: ../../include/openssl/opensslconf.h
+p7_recip.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_recip.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_recip.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_recip.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_recip.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_recip.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_recip.o: ../cryptlib.h
+p7_s_e.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_s_e.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_s_e.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_s_e.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_s_e.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_s_e.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_s_e.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_s_e.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_s_e.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_s_e.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_s_e.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_s_e.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_s_e.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_s_e.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_s_e.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_s_e.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_s_e.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_signd.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_signd.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_signd.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_signd.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_signd.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_signd.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_signd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_signd.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_signd.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_signd.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_signd.o: ../../include/openssl/opensslconf.h
+p7_signd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_signd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_signd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_signd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_signd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_signd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_signd.o: ../cryptlib.h
+p7_signi.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_signi.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_signi.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_signi.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_signi.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_signi.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_signi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_signi.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_signi.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_signi.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_signi.o: ../../include/openssl/opensslconf.h
+p7_signi.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_signi.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_signi.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_signi.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_signi.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_signi.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_signi.o: ../cryptlib.h
+p8_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p8_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p8_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p8_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p8_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p8_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p8_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_crl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_crl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_crl.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+t_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+t_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+t_pkey.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+t_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+t_pkey.o: ../cryptlib.h
+t_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_req.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_req.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_spki.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_x509.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_algor.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_algor.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_algor.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_algor.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_algor.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_algor.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_algor.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_algor.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_algor.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_algor.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_algor.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_attrib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_attrib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_attrib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_attrib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_attrib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_attrib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_attrib.o: ../../include/openssl/opensslconf.h
+x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_attrib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_attrib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_attrib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_attrib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_attrib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_attrib.o: ../cryptlib.h
+x_cinf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_cinf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_cinf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_cinf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_cinf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_cinf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_cinf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_cinf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_cinf.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_cinf.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_cinf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_cinf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_cinf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_cinf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_cinf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_cinf.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_cinf.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_crl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_crl.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_crl.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_crl.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_crl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_crl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_crl.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_crl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_exten.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_exten.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_exten.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_exten.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_exten.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_exten.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_exten.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_exten.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_exten.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_exten.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_exten.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_exten.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_exten.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_exten.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_info.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_name.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_name.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_name.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_name.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_name.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_name.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_name.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_name.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_name.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_name.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_name.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_name.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_name.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_pubkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_pubkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_pubkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_pubkey.o: ../../include/openssl/opensslconf.h
+x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_pubkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_pubkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_pubkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_pubkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_pubkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_pubkey.o: ../cryptlib.h
+x_req.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_req.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_req.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_req.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_req.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_sig.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_sig.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_sig.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_sig.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_sig.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_sig.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_sig.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_sig.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_sig.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_sig.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_sig.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_sig.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_sig.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_sig.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_sig.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_sig.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_spki.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_val.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_val.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_val.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_val.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_val.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_val.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_val.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_val.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_val.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_val.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_val.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_val.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_val.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_val.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_val.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_val.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl
new file mode 100644
index 0000000..b119a6a
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/Makefile.ssl
@@ -0,0 +1,1184 @@
+#
+# SSLeay/crypto/asn1/Makefile
+#
+
+DIR=	asn1
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
+	a_null.c a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
+	a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \
+	x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \
+	x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
+	d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \
+	d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \
+	d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
+	t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
+	p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \
+	p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \
+	f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \
+	f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \
+	asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
+	evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c
+LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
+	a_null.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
+	a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \
+	x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \
+	x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
+	d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \
+	d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \
+	d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
+	t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
+	p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \
+	p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \
+	f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \
+	f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \
+	asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
+	evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  asn1.h asn1_mac.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:	test.c
+	cc -g -I../../include -c test.c
+	cc -g -I../../include -o test test.o -L../.. -lcrypto
+
+pk:	pk.c
+	cc -g -I../../include -c pk.c
+	cc -g -I../../include -o pk pk.o -L../.. -lcrypto
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+a_bitstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bitstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bitstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bitstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bitstr.o: ../../include/openssl/opensslconf.h
+a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_bitstr.o: ../../include/openssl/stack.h ../cryptlib.h
+a_bmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bmp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bmp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bmp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bmp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bmp.o: ../cryptlib.h
+a_bool.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bool.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bool.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bool.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bool.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bool.o: ../cryptlib.h
+a_bytes.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_bytes.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_bytes.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_bytes.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_bytes.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_bytes.o: ../../include/openssl/stack.h ../cryptlib.h
+a_d2i_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_d2i_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_d2i_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_d2i_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_d2i_fp.o: ../../include/openssl/stack.h ../cryptlib.h
+a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_digest.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_digest.o: ../cryptlib.h
+a_dup.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_dup.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_dup.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_dup.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_dup.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_dup.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_dup.o: ../../include/openssl/stack.h ../cryptlib.h
+a_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_enum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_enum.o: ../cryptlib.h
+a_gentm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_gentm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_gentm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_gentm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_gentm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_gentm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_gentm.o: ../cryptlib.h
+a_hdr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_hdr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_hdr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_hdr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_hdr.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_hdr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_hdr.o: ../../include/openssl/stack.h ../cryptlib.h
+a_i2d_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_i2d_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_i2d_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_i2d_fp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_i2d_fp.o: ../../include/openssl/stack.h ../cryptlib.h
+a_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_int.o: ../cryptlib.h
+a_mbstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_mbstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_mbstr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_mbstr.o: ../cryptlib.h
+a_meth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_meth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_meth.o: ../cryptlib.h
+a_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_null.o: ../cryptlib.h
+a_object.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_object.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_object.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_object.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_object.o: ../../include/openssl/stack.h ../cryptlib.h
+a_octet.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_octet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_octet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_octet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_octet.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_octet.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_octet.o: ../cryptlib.h
+a_print.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_print.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_print.o: ../cryptlib.h
+a_set.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_set.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_set.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_set.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_set.o: ../../include/openssl/stack.h ../cryptlib.h
+a_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_sign.o: ../cryptlib.h
+a_strnid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strnid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_strnid.o: ../../include/openssl/stack.h ../cryptlib.h
+a_time.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_time.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_time.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_time.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_time.o: ../cryptlib.h
+a_type.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_type.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_type.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+a_type.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_type.o: ../../include/openssl/stack.h ../cryptlib.h
+a_utctm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_utctm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_utctm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_utctm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_utctm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utctm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utctm.o: ../cryptlib.h
+a_utf8.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_utf8.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_utf8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utf8.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utf8.o: ../cryptlib.h
+a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+a_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+a_verify.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_verify.o: ../cryptlib.h
+a_vis.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_vis.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_vis.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_vis.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_vis.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_vis.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_vis.o: ../cryptlib.h
+asn1_err.o: ../../include/openssl/asn1.h ../../include/openssl/bn.h
+asn1_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+asn1_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn1_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+asn1_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+asn1_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+asn1_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn1_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+asn1_par.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+asn1_par.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+asn1_par.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn1_par.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn1_par.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn1_par.o: ../../include/openssl/stack.h ../cryptlib.h
+asn_pack.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+asn_pack.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+asn_pack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn_pack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn_pack.o: ../../include/openssl/opensslconf.h
+asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+asn_pack.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+d2i_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+d2i_dhp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_dhp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_dhp.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_dsap.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_dsap.o: ../../include/openssl/opensslconf.h
+d2i_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+d2i_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+d2i_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+d2i_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pu.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+d2i_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+d2i_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+d2i_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+d2i_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+d2i_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_r_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_r_pr.o: ../../include/openssl/opensslconf.h
+d2i_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+d2i_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+d2i_r_pr.o: ../cryptlib.h
+d2i_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_r_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_r_pu.o: ../../include/openssl/opensslconf.h
+d2i_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+d2i_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+d2i_r_pu.o: ../cryptlib.h
+d2i_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pr.o: ../../include/openssl/opensslconf.h
+d2i_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+d2i_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+d2i_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+d2i_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+d2i_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+d2i_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+d2i_s_pu.o: ../../include/openssl/opensslconf.h
+d2i_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+d2i_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+evp_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+evp_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+evp_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
+f_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_enum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_enum.o: ../cryptlib.h
+f_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_int.o: ../cryptlib.h
+f_string.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_string.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+f_string.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_string.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_string.o: ../../include/openssl/opensslconf.h
+f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+f_string.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+i2d_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+i2d_dhp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i2d_dhp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_dhp.o: ../cryptlib.h
+i2d_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_dsap.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+i2d_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_dsap.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+i2d_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+i2d_pr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+i2d_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pu.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+i2d_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+i2d_pu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+i2d_pu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+i2d_pu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+i2d_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_r_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_r_pr.o: ../../include/openssl/opensslconf.h
+i2d_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+i2d_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_r_pr.o: ../cryptlib.h
+i2d_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_r_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_r_pu.o: ../../include/openssl/opensslconf.h
+i2d_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+i2d_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i2d_r_pu.o: ../cryptlib.h
+i2d_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_s_pr.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pr.o: ../../include/openssl/opensslconf.h
+i2d_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_s_pr.o: ../../include/openssl/stack.h ../cryptlib.h
+i2d_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+i2d_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+i2d_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+i2d_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+i2d_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_s_pu.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+i2d_s_pu.o: ../../include/openssl/opensslconf.h
+i2d_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+i2d_s_pu.o: ../../include/openssl/stack.h ../cryptlib.h
+n_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+n_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+n_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+n_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+n_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+n_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+n_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+n_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+n_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+n_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+n_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+nsseq.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+nsseq.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+nsseq.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+nsseq.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+nsseq.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+nsseq.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+nsseq.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+nsseq.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+nsseq.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+nsseq.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+nsseq.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+nsseq.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+nsseq.o: ../../include/openssl/x509_vfy.h
+p5_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p5_pbe.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbe.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p5_pbe.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p5_pbe.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p5_pbe.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_pbe.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p5_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_pbe.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p5_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p5_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_pbe.o: ../cryptlib.h
+p5_pbev2.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p5_pbev2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p5_pbev2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p5_pbev2.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_pbev2.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_pbev2.o: ../../include/openssl/opensslconf.h
+p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_pbev2.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p5_pbev2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p5_pbev2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p5_pbev2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p5_pbev2.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p5_pbev2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_dgst.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_dgst.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_dgst.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_dgst.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_dgst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_dgst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_dgst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_dgst.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_dgst.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_dgst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_dgst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_dgst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_dgst.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_dgst.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_enc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_enc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_enc.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_enc.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_enc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_enc_c.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_enc_c.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_enc_c.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_enc_c.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_enc_c.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_enc_c.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_enc_c.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_enc_c.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_enc_c.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_enc_c.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_enc_c.o: ../../include/openssl/opensslconf.h
+p7_enc_c.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_enc_c.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_enc_c.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_enc_c.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_enc_c.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_enc_c.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_enc_c.o: ../cryptlib.h
+p7_evp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_evp.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_evp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_evp.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_evp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_evp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_evp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_evp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_evp.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_evp.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_evp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_evp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_evp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_evp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_evp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_evp.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_evp.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_i_s.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_i_s.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_i_s.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_i_s.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_i_s.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_i_s.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_i_s.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_i_s.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_i_s.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_i_s.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_i_s.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_i_s.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_i_s.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_i_s.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_i_s.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_i_s.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_i_s.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_lib.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_recip.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_recip.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_recip.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_recip.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_recip.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_recip.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_recip.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_recip.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_recip.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_recip.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_recip.o: ../../include/openssl/opensslconf.h
+p7_recip.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_recip.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_recip.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_recip.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_recip.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_recip.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_recip.o: ../cryptlib.h
+p7_s_e.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_s_e.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_s_e.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_s_e.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_s_e.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_s_e.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_s_e.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_s_e.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_s_e.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_s_e.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_s_e.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p7_s_e.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p7_s_e.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p7_s_e.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p7_s_e.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p7_s_e.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p7_s_e.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p7_signd.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_signd.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_signd.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_signd.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_signd.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_signd.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_signd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_signd.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_signd.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_signd.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_signd.o: ../../include/openssl/opensslconf.h
+p7_signd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_signd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_signd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_signd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_signd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_signd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_signd.o: ../cryptlib.h
+p7_signi.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p7_signi.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p7_signi.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p7_signi.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p7_signi.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p7_signi.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p7_signi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p7_signi.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p7_signi.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p7_signi.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p7_signi.o: ../../include/openssl/opensslconf.h
+p7_signi.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p7_signi.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p7_signi.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p7_signi.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p7_signi.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p7_signi.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p7_signi.o: ../cryptlib.h
+p8_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p8_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p8_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p8_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p8_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p8_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p8_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_crl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_crl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_crl.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+t_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+t_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+t_pkey.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+t_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+t_pkey.o: ../cryptlib.h
+t_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_req.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_req.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_spki.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_x509.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_algor.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_algor.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_algor.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_algor.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_algor.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_algor.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_algor.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_algor.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_algor.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_algor.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_algor.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_attrib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_attrib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_attrib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_attrib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_attrib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_attrib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_attrib.o: ../../include/openssl/opensslconf.h
+x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_attrib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_attrib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_attrib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_attrib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_attrib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_attrib.o: ../cryptlib.h
+x_cinf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_cinf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_cinf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_cinf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_cinf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_cinf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_cinf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_cinf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_cinf.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_cinf.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_cinf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_cinf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_cinf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_cinf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_cinf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_cinf.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_cinf.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_crl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_crl.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_crl.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_crl.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_crl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_crl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_crl.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_crl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_exten.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_exten.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_exten.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_exten.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_exten.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_exten.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_exten.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_exten.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_exten.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_exten.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_exten.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_exten.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_exten.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_exten.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_info.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_name.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_name.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_name.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_name.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_name.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_name.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_name.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_name.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_name.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_name.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_name.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_name.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_name.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_pubkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_pubkey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_pubkey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_pubkey.o: ../../include/openssl/opensslconf.h
+x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_pubkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_pubkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_pubkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_pubkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_pubkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_pubkey.o: ../cryptlib.h
+x_req.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_req.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_req.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_req.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_req.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_sig.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_sig.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_sig.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_sig.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_sig.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_sig.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_sig.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_sig.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_sig.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_sig.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_sig.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_sig.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_sig.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_sig.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_sig.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_sig.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_spki.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_val.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_val.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_val.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_val.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_val.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_val.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_val.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_val.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_val.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_val.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_val.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_val.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_val.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_val.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_val.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_val.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/asn1/a_bitstr.c b/crypto/openssl/crypto/asn1/a_bitstr.c
new file mode 100644
index 0000000..c77456b
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_bitstr.c
@@ -0,0 +1,231 @@
+/* crypto/asn1/a_bitstr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_BIT_STRING *ASN1_BIT_STRING_new(void)
+{ return M_ASN1_BIT_STRING_new(); }
+
+void ASN1_BIT_STRING_free(ASN1_BIT_STRING *x)
+{ M_ASN1_BIT_STRING_free(x); }
+
+int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
+{ return M_ASN1_BIT_STRING_set(x, d, len); }
+
+int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
+	{
+	int ret,j,r,bits,len;
+	unsigned char *p,*d;
+
+	if (a == NULL) return(0);
+
+	len=a->length;
+
+	if (len > 0)
+		{
+		if (a->flags & ASN1_STRING_FLAG_BITS_LEFT)
+			{
+			bits=(int)a->flags&0x07;
+			}
+		else
+			{
+			for ( ; len > 0; len--)
+				{
+				if (a->data[len-1]) break;
+				}
+			j=a->data[len-1];
+			if      (j & 0x01) bits=0;
+			else if (j & 0x02) bits=1;
+			else if (j & 0x04) bits=2;
+			else if (j & 0x08) bits=3;
+			else if (j & 0x10) bits=4;
+			else if (j & 0x20) bits=5;
+			else if (j & 0x40) bits=6;
+			else if (j & 0x80) bits=7;
+			else bits=0; /* should not happen */
+			}
+		}
+	else
+		bits=0;
+	ret=1+len;
+	r=ASN1_object_size(0,ret,V_ASN1_BIT_STRING);
+	if (pp == NULL) return(r);
+	p= *pp;
+
+	ASN1_put_object(&p,0,ret,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
+	*(p++)=(unsigned char)bits;
+	d=a->data;
+	memcpy(p,d,len);
+	p+=len;
+	if (len > 0) p[-1]&=(0xff<<bits);
+	*pp=p;
+	return(r);
+	}
+
+ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_BIT_STRING *ret=NULL;
+	unsigned char *p,*s;
+	long len;
+	int inf,tag,xclass;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_BIT_STRING)
+		{
+		i=ASN1_R_EXPECTING_A_BIT_STRING;
+		goto err;
+		}
+	if (len < 1) { i=ASN1_R_STRING_TOO_SHORT; goto err; }
+
+	i= *(p++);
+	/* We do this to preserve the settings.  If we modify
+	 * the settings, via the _set_bit function, we will recalculate
+	 * on output */
+	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+
+	if (len-- > 1) /* using one because of the bits left byte */
+		{
+		s=(unsigned char *)Malloc((int)len);
+		if (s == NULL)
+			{
+			i=ERR_R_MALLOC_FAILURE;
+			goto err;
+			}
+		memcpy(s,p,(int)len);
+		s[len-1]&=(0xff<<i);
+		p+=len;
+		}
+	else
+		s=NULL;
+
+	ret->length=(int)len;
+	if (ret->data != NULL) Free(ret->data);
+	ret->data=s;
+	ret->type=V_ASN1_BIT_STRING;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_BIT_STRING_free(ret);
+	return(NULL);
+	}
+
+/* These next 2 functions from Goetz Babin-Ebell <babinebell@trustcenter.de>
+ */
+int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
+	{
+	int w,v,iv;
+	unsigned char *c;
+
+	w=n/8;
+	v=1<<(7-(n&0x07));
+	iv= ~v;
+
+	a->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear, set on write */
+
+	if (a == NULL) return(0);
+	if ((a->length < (w+1)) || (a->data == NULL))
+		{
+		if (!value) return(1); /* Don't need to set */
+		if (a->data == NULL)
+			c=(unsigned char *)Malloc(w+1);
+		else
+			c=(unsigned char *)Realloc(a->data,w+1);
+		if (c == NULL) return(0);
+		a->data=c;
+		a->length=w+1;
+		c[w]=0;
+		}
+	a->data[w]=((a->data[w])&iv)|v;
+	while ((a->length > 0) && (a->data[a->length-1] == 0))
+		a->length--;
+	return(1);
+	}
+
+int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
+	{
+	int w,v;
+
+	w=n/8;
+	v=1<<(7-(n&0x07));
+	if ((a == NULL) || (a->length < (w+1)) || (a->data == NULL))
+		return(0);
+	return((a->data[w]&v) != 0);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_bmp.c b/crypto/openssl/crypto/asn1/a_bmp.c
new file mode 100644
index 0000000..d9ac5a0
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_bmp.c
@@ -0,0 +1,89 @@
+/* crypto/asn1/a_bmp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_BMPSTRING *ASN1_BMPSTRING_new(void)
+{ return M_ASN1_BMPSTRING_new(); }
+
+void ASN1_BMPSTRING_free(ASN1_BMPSTRING *x)
+{ M_ASN1_BMPSTRING_free(x); }
+
+int i2d_ASN1_BMPSTRING(ASN1_BMPSTRING *a, unsigned char **pp)
+	{
+	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+		V_ASN1_BMPSTRING,V_ASN1_UNIVERSAL));
+	}
+
+ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_BMPSTRING *ret=NULL;
+
+	ret=(ASN1_BMPSTRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+		pp,length,V_ASN1_BMPSTRING,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_BMPSTRING,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_bool.c b/crypto/openssl/crypto/asn1/a_bool.c
new file mode 100644
index 0000000..18fa618
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_bool.c
@@ -0,0 +1,112 @@
+/* crypto/asn1/a_bool.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
+	{
+	int r;
+	unsigned char *p;
+
+	r=ASN1_object_size(0,1,V_ASN1_BOOLEAN);
+	if (pp == NULL) return(r);
+	p= *pp;
+
+	ASN1_put_object(&p,0,1,V_ASN1_BOOLEAN,V_ASN1_UNIVERSAL);
+	*(p++)= (unsigned char)a;
+	*pp=p;
+	return(r);
+	}
+
+int d2i_ASN1_BOOLEAN(int *a, unsigned char **pp, long length)
+	{
+	int ret= -1;
+	unsigned char *p;
+	long len;
+	int inf,tag,xclass;
+	int i=0;
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_BOOLEAN)
+		{
+		i=ASN1_R_EXPECTING_A_BOOLEAN;
+		goto err;
+		}
+
+	if (len != 1)
+		{
+		i=ASN1_R_BOOLEAN_IS_WRONG_LENGTH;
+		goto err;
+		}
+	ret= (int)*(p++);
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_BOOLEAN,i);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_bytes.c b/crypto/openssl/crypto/asn1/a_bytes.c
new file mode 100644
index 0000000..8cde695
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_bytes.c
@@ -0,0 +1,323 @@
+/* crypto/asn1/a_bytes.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+
+static unsigned long tag2bit[32]={
+0,	0,	0,	B_ASN1_BIT_STRING,	/* tags  0 -  3 */
+B_ASN1_OCTET_STRING,	0,	0,		B_ASN1_UNKNOWN,/* tags  4- 7 */
+B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,/* tags  8-11 */
+B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
+0,	0,	B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,
+B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,0,
+0,B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,
+B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN,
+	};
+
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c);
+/* type is a 'bitmap' of acceptable string types.
+ */
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
+	     long length, int type)
+	{
+	ASN1_STRING *ret=NULL;
+	unsigned char *p,*s;
+	long len;
+	int inf,tag,xclass;
+	int i=0;
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80) goto err;
+
+	if (tag >= 32)
+		{
+		i=ASN1_R_TAG_VALUE_TOO_HIGH;;
+		goto err;
+		}
+	if (!(tag2bit[tag] & type))
+		{
+		i=ASN1_R_WRONG_TYPE;
+		goto err;
+		}
+
+	/* If a bit-string, exit early */
+	if (tag == V_ASN1_BIT_STRING)
+		return(d2i_ASN1_BIT_STRING(a,pp,length));
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=ASN1_STRING_new()) == NULL) return(NULL);
+		}
+	else
+		ret=(*a);
+
+	if (len != 0)
+		{
+		s=(unsigned char *)Malloc((int)len+1);
+		if (s == NULL)
+			{
+			i=ERR_R_MALLOC_FAILURE;
+			goto err;
+			}
+		memcpy(s,p,(int)len);
+		s[len]='\0';
+		p+=len;
+		}
+	else
+		s=NULL;
+
+	if (ret->data != NULL) Free(ret->data);
+	ret->length=(int)len;
+	ret->data=s;
+	ret->type=tag;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_TYPE_BYTES,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		ASN1_STRING_free(ret);
+	return(NULL);
+	}
+
+int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass)
+	{
+	int ret,r,constructed;
+	unsigned char *p;
+
+	if (a == NULL)  return(0);
+
+	if (tag == V_ASN1_BIT_STRING)
+		return(i2d_ASN1_BIT_STRING(a,pp));
+		
+	ret=a->length;
+	r=ASN1_object_size(0,ret,tag);
+	if (pp == NULL) return(r);
+	p= *pp;
+
+	if ((tag == V_ASN1_SEQUENCE) || (tag == V_ASN1_SET))
+		constructed=1;
+	else
+		constructed=0;
+	ASN1_put_object(&p,constructed,ret,tag,xclass);
+	memcpy(p,a->data,a->length);
+	p+=a->length;
+	*pp= p;
+	return(r);
+	}
+
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
+	     int Ptag, int Pclass)
+	{
+	ASN1_STRING *ret=NULL;
+	unsigned char *p,*s;
+	long len;
+	int inf,tag,xclass;
+	int i=0;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=ASN1_STRING_new()) == NULL) return(NULL);
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != Ptag)
+		{
+		i=ASN1_R_WRONG_TAG;
+		goto err;
+		}
+
+	if (inf & V_ASN1_CONSTRUCTED)
+		{
+		ASN1_CTX c;
+
+		c.pp=pp;
+		c.p=p;
+		c.inf=inf;
+		c.slen=len;
+		c.tag=Ptag;
+		c.xclass=Pclass;
+		c.max=(length == 0)?0:(p+length);
+		if (!asn1_collate_primitive(ret,&c)) 
+			goto err; 
+		else
+			{
+			p=c.p;
+			}
+		}
+	else
+		{
+		if (len != 0)
+			{
+			if ((ret->length < len) || (ret->data == NULL))
+				{
+				if (ret->data != NULL) Free(ret->data);
+				s=(unsigned char *)Malloc((int)len + 1);
+				if (s == NULL)
+					{
+					i=ERR_R_MALLOC_FAILURE;
+					goto err;
+					}
+				}
+			else
+				s=ret->data;
+			memcpy(s,p,(int)len);
+			s[len] = '\0';
+			p+=len;
+			}
+		else
+			{
+			s=NULL;
+			if (ret->data != NULL) Free(ret->data);
+			}
+
+		ret->length=(int)len;
+		ret->data=s;
+		ret->type=Ptag;
+		}
+
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		ASN1_STRING_free(ret);
+	ASN1err(ASN1_F_D2I_ASN1_BYTES,i);
+	return(NULL);
+	}
+
+
+/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapse
+ * them into the one structure that is then returned */
+/* There have been a few bug fixes for this function from
+ * Paul Keogh <paul.keogh@sse.ie>, many thanks to him */
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
+	{
+	ASN1_STRING *os=NULL;
+	BUF_MEM b;
+	int num;
+
+	b.length=0;
+	b.max=0;
+	b.data=NULL;
+
+	if (a == NULL)
+		{
+		c->error=ERR_R_PASSED_NULL_PARAMETER;
+		goto err;
+		}
+
+	num=0;
+	for (;;)
+		{
+		if (c->inf & 1)
+			{
+			c->eos=ASN1_check_infinite_end(&c->p,
+				(long)(c->max-c->p));
+			if (c->eos) break;
+			}
+		else
+			{
+			if (c->slen <= 0) break;
+			}
+
+		c->q=c->p;
+		if (d2i_ASN1_bytes(&os,&c->p,c->max-c->p,c->tag,c->xclass)
+			== NULL)
+			{
+			c->error=ERR_R_ASN1_LIB;
+			goto err;
+			}
+
+		if (!BUF_MEM_grow(&b,num+os->length))
+			{
+			c->error=ERR_R_BUF_LIB;
+			goto err;
+			}
+		memcpy(&(b.data[num]),os->data,os->length);
+		if (!(c->inf & 1))
+			c->slen-=(c->p-c->q);
+		num+=os->length;
+		}
+
+	if (!asn1_Finish(c)) goto err;
+
+	a->length=num;
+	if (a->data != NULL) Free(a->data);
+	a->data=(unsigned char *)b.data;
+	if (os != NULL) ASN1_STRING_free(os);
+	return(1);
+err:
+	ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE,c->error);
+	if (os != NULL) ASN1_STRING_free(os);
+	if (b.data != NULL) Free(b.data);
+	return(0);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_d2i_fp.c b/crypto/openssl/crypto/asn1/a_d2i_fp.c
new file mode 100644
index 0000000..a49d1cb
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_d2i_fp.c
@@ -0,0 +1,195 @@
+/* crypto/asn1/a_d2i_fp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1_mac.h>
+
+#define HEADER_SIZE   8
+
+#ifndef NO_FP_API
+char *ASN1_d2i_fp(char *(*xnew)(), char *(*d2i)(), FILE *in,
+	     unsigned char **x)
+        {
+        BIO *b;
+        char *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_D2I_FP,ERR_R_BUF_LIB);
+                return(NULL);
+		}
+        BIO_set_fp(b,in,BIO_NOCLOSE);
+        ret=ASN1_d2i_bio(xnew,d2i,b,x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+char *ASN1_d2i_bio(char *(*xnew)(), char *(*d2i)(), BIO *in,
+	     unsigned char **x)
+	{
+	BUF_MEM *b;
+	unsigned char *p;
+	int i;
+	char *ret=NULL;
+	ASN1_CTX c;
+	int want=HEADER_SIZE;
+	int eos=0;
+	int off=0;
+	int len=0;
+
+	b=BUF_MEM_new();
+	if (b == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	ERR_clear_error();
+	for (;;)
+		{
+		if (want >= (len-off))
+			{
+			want-=(len-off);
+
+			if (!BUF_MEM_grow(b,len+want))
+				{
+				ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			i=BIO_read(in,&(b->data[len]),want);
+			if ((i < 0) && ((len-off) == 0))
+				{
+				ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+				goto err;
+				}
+			if (i > 0)
+				len+=i;
+			}
+		/* else data already loaded */
+
+		p=(unsigned char *)&(b->data[off]);
+		c.p=p;
+		c.inf=ASN1_get_object(&(c.p),&(c.slen),&(c.tag),&(c.xclass),
+			len-off);
+		if (c.inf & 0x80)
+			{
+			unsigned long e;
+
+			e=ERR_GET_REASON(ERR_peek_error());
+			if (e != ASN1_R_TOO_LONG)
+				goto err;
+			else
+				ERR_get_error(); /* clear error */
+			}
+		i=c.p-p;/* header length */
+		off+=i;	/* end of data */
+
+		if (c.inf & 1)
+			{
+			/* no data body so go round again */
+			eos++;
+			want=HEADER_SIZE;
+			}
+		else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC))
+			{
+			/* eos value, so go back and read another header */
+			eos--;
+			if (eos <= 0)
+				break;
+			else
+				want=HEADER_SIZE;
+			}
+		else 
+			{
+			/* suck in c.slen bytes of data */
+			want=(int)c.slen;
+			if (want > (len-off))
+				{
+				want-=(len-off);
+				if (!BUF_MEM_grow(b,len+want))
+					{
+					ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				i=BIO_read(in,&(b->data[len]),want);
+				if (i <= 0)
+					{
+					ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+					goto err;
+					}
+				len+=i;
+				}
+			off+=(int)c.slen;
+			if (eos <= 0)
+				{
+				break;
+				}
+			else
+				want=HEADER_SIZE;
+			}
+		}
+
+	p=(unsigned char *)b->data;
+	ret=d2i(x,&p,off);
+err:
+	if (b != NULL) BUF_MEM_free(b);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_digest.c b/crypto/openssl/crypto/asn1/a_digest.c
new file mode 100644
index 0000000..3370aae
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_digest.c
@@ -0,0 +1,90 @@
+/* crypto/asn1/a_digest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+
+#include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+#include <openssl/x509.h>
+
+int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
+		unsigned char *md, unsigned int *len)
+	{
+	EVP_MD_CTX ctx;
+	int i;
+	unsigned char *str,*p;
+
+	i=i2d(data,NULL);
+	if ((str=(unsigned char *)Malloc(i)) == NULL) return(0);
+	p=str;
+	i2d(data,&p);
+
+	EVP_DigestInit(&ctx,type);
+	EVP_DigestUpdate(&ctx,str,i);
+	EVP_DigestFinal(&ctx,md,len);
+	Free(str);
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_dup.c b/crypto/openssl/crypto/asn1/a_dup.c
new file mode 100644
index 0000000..3202a81
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_dup.c
@@ -0,0 +1,83 @@
+/* crypto/asn1/a_dup.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+
+#define READ_CHUNK   2048
+
+char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
+	{
+	unsigned char *b,*p;
+	long i;
+	char *ret;
+
+	if (x == NULL) return(NULL);
+
+	i=(long)i2d(x,NULL);
+	b=(unsigned char *)Malloc((unsigned int)i+10);
+	if (b == NULL)
+		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
+	p= b;
+	i=i2d(x,&p);
+	p= b;
+	ret=d2i(NULL,&p,i);
+	Free(b);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_enum.c b/crypto/openssl/crypto/asn1/a_enum.c
new file mode 100644
index 0000000..ccf62e5
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_enum.c
@@ -0,0 +1,337 @@
+/* crypto/asn1/a_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* 
+ * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
+ * for comments on encoding see a_int.c
+ */
+
+ASN1_ENUMERATED *ASN1_ENUMERATED_new(void)
+{ return M_ASN1_ENUMERATED_new(); }
+
+void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x)
+{ M_ASN1_ENUMERATED_free(x); }
+
+int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
+	{
+	int pad=0,ret,r,i,t;
+	unsigned char *p,*n,pb=0;
+
+	if ((a == NULL) || (a->data == NULL)) return(0);
+	t=a->type;
+	if (a->length == 0)
+		ret=1;
+	else
+		{
+		ret=a->length;
+		i=a->data[0];
+		if ((t == V_ASN1_ENUMERATED) && (i > 127)) {
+			pad=1;
+			pb=0;
+		} else if(t == V_ASN1_NEG_ENUMERATED) {
+			if(i>128) {
+				pad=1;
+				pb=0xFF;
+			} else if(i == 128) {
+				for(i = 1; i < a->length; i++) if(a->data[i]) {
+						pad=1;
+						pb=0xFF;
+						break;
+				}
+			}
+		}
+		ret+=pad;
+		}
+	r=ASN1_object_size(0,ret,V_ASN1_ENUMERATED);
+	if (pp == NULL) return(r);
+	p= *pp;
+
+	ASN1_put_object(&p,0,ret,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
+	if (pad) *(p++)=pb;
+	if (a->length == 0)
+		*(p++)=0;
+	else if (t == V_ASN1_ENUMERATED)
+		{
+		memcpy(p,a->data,(unsigned int)a->length);
+		p+=a->length;
+		}
+	else {
+		/* Begin at the end of the encoding */
+		n=a->data + a->length - 1;
+		p += a->length - 1;
+		i = a->length;
+		/* Copy zeros to destination as long as source is zero */
+		while(!*n) {
+			*(p--) = 0;
+			n--;
+			i--;
+		}
+		/* Complement and increment next octet */
+		*(p--) = ((*(n--)) ^ 0xff) + 1;
+		i--;
+		/* Complement any octets left */
+		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
+		p += a->length;
+	}
+
+	*pp=p;
+	return(r);
+	}
+
+ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_ENUMERATED *ret=NULL;
+	unsigned char *p,*to,*s;
+	long len;
+	int inf,tag,xclass;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_ENUMERATED_new()) == NULL) return(NULL);
+		ret->type=V_ASN1_ENUMERATED;
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_ENUMERATED)
+		{
+		i=ASN1_R_EXPECTING_AN_ENUMERATED;
+		goto err;
+		}
+
+	/* We must Malloc stuff, even for 0 bytes otherwise it
+	 * signifies a missing NULL parameter. */
+	s=(unsigned char *)Malloc((int)len+1);
+	if (s == NULL)
+		{
+		i=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+	to=s;
+	if(!len) {
+		/* Strictly speaking this is an illegal ENUMERATED but we
+		 * tolerate it.
+		 */
+		ret->type=V_ASN1_ENUMERATED;
+	} else if (*p & 0x80) /* a negative number */
+		{
+		ret->type=V_ASN1_NEG_ENUMERATED;
+		if ((*p == 0xff) && (len != 1)) {
+			p++;
+			len--;
+		}
+		i = len;
+		p += i - 1;
+		to += i - 1;
+		while((!*p) && i) {
+			*(to--) = 0;
+			i--;
+			p--;
+		}
+		if(!i) {
+			*s = 1;
+			s[len] = 0;
+			p += len;
+			len++;
+		} else {
+			*(to--) = (*(p--) ^ 0xff) + 1;
+			i--;
+			for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
+			p += len;
+		}
+	} else {
+		ret->type=V_ASN1_ENUMERATED;
+		if ((*p == 0) && (len != 1))
+			{
+			p++;
+			len--;
+			}
+		memcpy(s,p,(int)len);
+		p+=len;
+	}
+
+	if (ret->data != NULL) Free(ret->data);
+	ret->data=s;
+	ret->length=(int)len;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_ENUMERATED_free(ret);
+	return(NULL);
+	}
+
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
+	{
+	int i,j,k;
+	unsigned char buf[sizeof(long)+1];
+	long d;
+
+	a->type=V_ASN1_ENUMERATED;
+	if (a->length < (sizeof(long)+1))
+		{
+		if (a->data != NULL)
+			Free(a->data);
+		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+			memset((char *)a->data,0,sizeof(long)+1);
+		}
+	if (a->data == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_ENUMERATED_SET,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	d=v;
+	if (d < 0)
+		{
+		d= -d;
+		a->type=V_ASN1_NEG_ENUMERATED;
+		}
+
+	for (i=0; i<sizeof(long); i++)
+		{
+		if (d == 0) break;
+		buf[i]=(int)d&0xff;
+		d>>=8;
+		}
+	j=0;
+	for (k=i-1; k >=0; k--)
+		a->data[j++]=buf[k];
+	a->length=j;
+	return(1);
+	}
+
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+	{
+	int neg=0,i;
+	long r=0;
+
+	if (a == NULL) return(0L);
+	i=a->type;
+	if (i == V_ASN1_NEG_ENUMERATED)
+		neg=1;
+	else if (i != V_ASN1_ENUMERATED)
+		return(0);
+	
+	if (a->length > sizeof(long))
+		{
+		/* hmm... a bit ugly */
+		return(0xffffffffL);
+		}
+	if (a->data == NULL)
+		return(0);
+
+	for (i=0; i<a->length; i++)
+		{
+		r<<=8;
+		r|=(unsigned char)a->data[i];
+		}
+	if (neg) r= -r;
+	return(r);
+	}
+
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+	{
+	ASN1_ENUMERATED *ret;
+	int len,j;
+
+	if (ai == NULL)
+		ret=M_ASN1_ENUMERATED_new();
+	else
+		ret=ai;
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_NESTED_ASN1_ERROR);
+		goto err;
+		}
+	if(bn->neg) ret->type = V_ASN1_NEG_ENUMERATED;
+	else ret->type=V_ASN1_ENUMERATED;
+	j=BN_num_bits(bn);
+	len=((j == 0)?0:((j/8)+1));
+	ret->data=(unsigned char *)Malloc(len+4);
+	ret->length=BN_bn2bin(bn,ret->data);
+	return(ret);
+err:
+	if (ret != ai) M_ASN1_ENUMERATED_free(ret);
+	return(NULL);
+	}
+
+BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+	{
+	BIGNUM *ret;
+
+	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
+		ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
+	if(ai->type == V_ASN1_NEG_ENUMERATED) bn->neg = 1;
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_gentm.c b/crypto/openssl/crypto/asn1/a_gentm.c
new file mode 100644
index 0000000..8406217
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_gentm.c
@@ -0,0 +1,230 @@
+/* crypto/asn1/a_gentm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* GENERALIZEDTIME implementation, written by Steve Henson. Based on UTCTIME */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void)
+{ return M_ASN1_GENERALIZEDTIME_new(); }
+
+void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *x)
+{ M_ASN1_GENERALIZEDTIME_free(x); }
+
+int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp)
+	{
+#ifdef CHARSET_EBCDIC
+	/* KLUDGE! We convert to ascii before writing DER */
+	int len;
+	char tmp[24];
+	ASN1_STRING tmpstr = *(ASN1_STRING *)a;
+
+	len = tmpstr.length;
+	ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+	tmpstr.data = tmp;
+
+	a = (ASN1_GENERALIZEDTIME *) &tmpstr;
+#endif
+	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+		V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL));
+	}
+
+
+ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,
+	     unsigned char **pp, long length)
+	{
+	ASN1_GENERALIZEDTIME *ret=NULL;
+
+	ret=(ASN1_GENERALIZEDTIME *)d2i_ASN1_bytes((ASN1_STRING **)a,pp,length,
+		V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+#ifdef CHARSET_EBCDIC
+	ascii2ebcdic(ret->data, ret->data, ret->length);
+#endif
+	if (!ASN1_GENERALIZEDTIME_check(ret))
+		{
+		ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ASN1_R_INVALID_TIME_FORMAT);
+		goto err;
+		}
+
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_GENERALIZEDTIME_free(ret);
+	return(NULL);
+	}
+
+int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
+	{
+	static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
+	static int max[9]={99, 99,12,31,23,59,59,12,59};
+	char *a;
+	int n,i,l,o;
+
+	if (d->type != V_ASN1_GENERALIZEDTIME) return(0);
+	l=d->length;
+	a=(char *)d->data;
+	o=0;
+	/* GENERALIZEDTIME is similar to UTCTIME except the year is
+         * represented as YYYY. This stuff treats everything as a two digit
+         * field so make first two fields 00 to 99
+         */
+	if (l < 13) goto err;
+	for (i=0; i<7; i++)
+		{
+		if ((i == 6) && ((a[o] == 'Z') ||
+			(a[o] == '+') || (a[o] == '-')))
+			{ i++; break; }
+		if ((a[o] < '0') || (a[o] > '9')) goto err;
+		n= a[o]-'0';
+		if (++o > l) goto err;
+
+		if ((a[o] < '0') || (a[o] > '9')) goto err;
+		n=(n*10)+ a[o]-'0';
+		if (++o > l) goto err;
+
+		if ((n < min[i]) || (n > max[i])) goto err;
+		}
+	if (a[o] == 'Z')
+		o++;
+	else if ((a[o] == '+') || (a[o] == '-'))
+		{
+		o++;
+		if (o+4 > l) goto err;
+		for (i=7; i<9; i++)
+			{
+			if ((a[o] < '0') || (a[o] > '9')) goto err;
+			n= a[o]-'0';
+			o++;
+			if ((a[o] < '0') || (a[o] > '9')) goto err;
+			n=(n*10)+ a[o]-'0';
+			if ((n < min[i]) || (n > max[i])) goto err;
+			o++;
+			}
+		}
+	return(o == l);
+err:
+	return(0);
+	}
+
+int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
+	{
+	ASN1_GENERALIZEDTIME t;
+
+	t.type=V_ASN1_GENERALIZEDTIME;
+	t.length=strlen(str);
+	t.data=(unsigned char *)str;
+	if (ASN1_GENERALIZEDTIME_check(&t))
+		{
+		if (s != NULL)
+			{
+			ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length);
+			}
+		return(1);
+		}
+	else
+		return(0);
+	}
+
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
+	     time_t t)
+	{
+	char *p;
+	struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+	struct tm data;
+#endif
+
+	if (s == NULL)
+		s=M_ASN1_GENERALIZEDTIME_new();
+	if (s == NULL)
+		return(NULL);
+
+#if defined(THREADS) && !defined(WIN32)
+	gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+	ts=&data;
+#else
+	ts=gmtime(&t);
+#endif
+	p=(char *)s->data;
+	if ((p == NULL) || (s->length < 16))
+		{
+		p=Malloc(20);
+		if (p == NULL) return(NULL);
+		if (s->data != NULL)
+			Free(s->data);
+		s->data=(unsigned char *)p;
+		}
+
+	sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
+		ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+	s->length=strlen(p);
+	s->type=V_ASN1_GENERALIZEDTIME;
+#ifdef CHARSET_EBCDIC_not
+	ebcdic2ascii(s->data, s->data, s->length);
+#endif
+	return(s);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_hdr.c b/crypto/openssl/crypto/asn1/a_hdr.c
new file mode 100644
index 0000000..434610e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_hdr.c
@@ -0,0 +1,119 @@
+/* crypto/asn1/a_hdr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
+
+int i2d_ASN1_HEADER(ASN1_HEADER *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->header,	i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len(a->data,		a->meth->i2d);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->header,	i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put(a->data,		a->meth->i2d);
+
+	M_ASN1_I2D_finish();
+	}
+
+ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,ASN1_HEADER *,ASN1_HEADER_new);
+
+	M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->header,d2i_ASN1_OCTET_STRING);
+	if (ret->meth != NULL)
+		{
+		M_ASN1_D2I_get(ret->data,ret->meth->d2i);
+		}
+	else
+		{
+		if (a != NULL) (*a)=ret;
+		return(ret);
+		}
+        M_ASN1_D2I_Finish(a,ASN1_HEADER_free,ASN1_F_D2I_ASN1_HEADER);
+	}
+
+ASN1_HEADER *ASN1_HEADER_new(void)
+	{
+	ASN1_HEADER *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,ASN1_HEADER);
+	M_ASN1_New(ret->header,M_ASN1_OCTET_STRING_new);
+	ret->meth=NULL;
+	ret->data=NULL;
+	return(ret);
+        M_ASN1_New_Error(ASN1_F_ASN1_HEADER_NEW);
+	}
+
+void ASN1_HEADER_free(ASN1_HEADER *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_OCTET_STRING_free(a->header);
+	if (a->meth != NULL)
+		a->meth->destroy(a->data);
+	Free(a);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_i2d_fp.c b/crypto/openssl/crypto/asn1/a_i2d_fp.c
new file mode 100644
index 0000000..d9b8035
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_i2d_fp.c
@@ -0,0 +1,113 @@
+/* crypto/asn1/a_i2d_fp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1_mac.h>
+
+#ifndef NO_FP_API
+int ASN1_i2d_fp(int (*i2d)(), FILE *out, unsigned char *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_I2D_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,out,BIO_NOCLOSE);
+        ret=ASN1_i2d_bio(i2d,b,x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
+	{
+	char *b;
+	unsigned char *p;
+	int i,j=0,n,ret=1;
+
+	n=i2d(x,NULL);
+	b=(char *)Malloc(n);
+	if (b == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+
+	p=(unsigned char *)b;
+	i2d(x,&p);
+	
+	for (;;)
+		{
+		i=BIO_write(out,&(b[j]),n);
+		if (i == n) break;
+		if (i <= 0)
+			{
+			ret=0;
+			break;
+			}
+		j+=i;
+		n-=i;
+		}
+	Free(b);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_int.c b/crypto/openssl/crypto/asn1/a_int.c
new file mode 100644
index 0000000..8b6794e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_int.c
@@ -0,0 +1,435 @@
+/* crypto/asn1/a_int.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_INTEGER *ASN1_INTEGER_new(void)
+{ return M_ASN1_INTEGER_new();}
+
+void ASN1_INTEGER_free(ASN1_INTEGER *x)
+{ M_ASN1_INTEGER_free(x);}
+
+ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
+{ return M_ASN1_INTEGER_dup(x);}
+
+int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
+{ return M_ASN1_INTEGER_cmp(x,y);}
+
+/* 
+ * This converts an ASN1 INTEGER into its DER encoding.
+ * The internal representation is an ASN1_STRING whose data is a big endian
+ * representation of the value, ignoring the sign. The sign is determined by
+ * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. 
+ *
+ * Positive integers are no problem: they are almost the same as the DER
+ * encoding, except if the first byte is >= 0x80 we need to add a zero pad.
+ *
+ * Negative integers are a bit trickier...
+ * The DER representation of negative integers is in 2s complement form.
+ * The internal form is converted by complementing each octet and finally 
+ * adding one to the result. This can be done less messily with a little trick.
+ * If the internal form has trailing zeroes then they will become FF by the
+ * complement and 0 by the add one (due to carry) so just copy as many trailing 
+ * zeros to the destination as there are in the source. The carry will add one
+ * to the last none zero octet: so complement this octet and add one and finally
+ * complement any left over until you get to the start of the string.
+ *
+ * Padding is a little trickier too. If the first bytes is > 0x80 then we pad
+ * with 0xff. However if the first byte is 0x80 and one of the following bytes
+ * is non-zero we pad with 0xff. The reason for this distinction is that 0x80
+ * followed by optional zeros isn't padded.
+ */
+
+int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+	{
+	int pad=0,ret,r,i,t;
+	unsigned char *p,*n,pb=0;
+
+	if ((a == NULL) || (a->data == NULL)) return(0);
+	t=a->type;
+	if (a->length == 0)
+		ret=1;
+	else
+		{
+		ret=a->length;
+		i=a->data[0];
+		if ((t == V_ASN1_INTEGER) && (i > 127)) {
+			pad=1;
+			pb=0;
+		} else if(t == V_ASN1_NEG_INTEGER) {
+			if(i>128) {
+				pad=1;
+				pb=0xFF;
+			} else if(i == 128) {
+			/*
+			 * Special case: if any other bytes non zero we pad:
+			 * otherwise we don't.
+			 */
+				for(i = 1; i < a->length; i++) if(a->data[i]) {
+						pad=1;
+						pb=0xFF;
+						break;
+				}
+			}
+		}
+		ret+=pad;
+		}
+	r=ASN1_object_size(0,ret,V_ASN1_INTEGER);
+	if (pp == NULL) return(r);
+	p= *pp;
+
+	ASN1_put_object(&p,0,ret,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
+	if (pad) *(p++)=pb;
+	if (a->length == 0) *(p++)=0;
+	else if (t == V_ASN1_INTEGER) memcpy(p,a->data,(unsigned int)a->length);
+	else {
+		/* Begin at the end of the encoding */
+		n=a->data + a->length - 1;
+		p += a->length - 1;
+		i = a->length;
+		/* Copy zeros to destination as long as source is zero */
+		while(!*n) {
+			*(p--) = 0;
+			n--;
+			i--;
+		}
+		/* Complement and increment next octet */
+		*(p--) = ((*(n--)) ^ 0xff) + 1;
+		i--;
+		/* Complement any octets left */
+		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
+	}
+
+	*pp+=r;
+	return(r);
+	}
+
+ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_INTEGER *ret=NULL;
+	unsigned char *p,*to,*s, *pend;
+	long len;
+	int inf,tag,xclass;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
+		ret->type=V_ASN1_INTEGER;
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	pend = p + len;
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_INTEGER)
+		{
+		i=ASN1_R_EXPECTING_AN_INTEGER;
+		goto err;
+		}
+
+	/* We must Malloc stuff, even for 0 bytes otherwise it
+	 * signifies a missing NULL parameter. */
+	s=(unsigned char *)Malloc((int)len+1);
+	if (s == NULL)
+		{
+		i=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+	to=s;
+	if(!len) {
+		/* Strictly speaking this is an illegal INTEGER but we
+		 * tolerate it.
+		 */
+		ret->type=V_ASN1_INTEGER;
+	} else if (*p & 0x80) /* a negative number */
+		{
+		ret->type=V_ASN1_NEG_INTEGER;
+		if ((*p == 0xff) && (len != 1)) {
+			p++;
+			len--;
+		}
+		i = len;
+		p += i - 1;
+		to += i - 1;
+		while((!*p) && i) {
+			*(to--) = 0;
+			i--;
+			p--;
+		}
+		/* Special case: if all zeros then the number will be of
+		 * the form FF followed by n zero bytes: this corresponds to
+		 * 1 followed by n zero bytes. We've already written n zeros
+		 * so we just append an extra one and set the first byte to
+		 * a 1. This is treated separately because it is the only case
+		 * where the number of bytes is larger than len.
+		 */
+		if(!i) {
+			*s = 1;
+			s[len] = 0;
+			len++;
+		} else {
+			*(to--) = (*(p--) ^ 0xff) + 1;
+			i--;
+			for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
+		}
+	} else {
+		ret->type=V_ASN1_INTEGER;
+		if ((*p == 0) && (len != 1))
+			{
+			p++;
+			len--;
+			}
+		memcpy(s,p,(int)len);
+	}
+
+	if (ret->data != NULL) Free(ret->data);
+	ret->data=s;
+	ret->length=(int)len;
+	if (a != NULL) (*a)=ret;
+	*pp=pend;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_INTEGER_free(ret);
+	return(NULL);
+	}
+
+/* This is a version of d2i_ASN1_INTEGER that ignores the sign bit of
+ * ASN1 integers: some broken software can encode a positive INTEGER
+ * with its MSB set as negative (it doesn't add a padding zero).
+ */
+
+ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_INTEGER *ret=NULL;
+	unsigned char *p,*to,*s;
+	long len;
+	int inf,tag,xclass;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
+		ret->type=V_ASN1_INTEGER;
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_INTEGER)
+		{
+		i=ASN1_R_EXPECTING_AN_INTEGER;
+		goto err;
+		}
+
+	/* We must Malloc stuff, even for 0 bytes otherwise it
+	 * signifies a missing NULL parameter. */
+	s=(unsigned char *)Malloc((int)len+1);
+	if (s == NULL)
+		{
+		i=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+	to=s;
+	ret->type=V_ASN1_INTEGER;
+	if(len) {
+		if ((*p == 0) && (len != 1))
+			{
+			p++;
+			len--;
+			}
+		memcpy(s,p,(int)len);
+		p+=len;
+	}
+
+	if (ret->data != NULL) Free(ret->data);
+	ret->data=s;
+	ret->length=(int)len;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_UINTEGER,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_INTEGER_free(ret);
+	return(NULL);
+	}
+
+int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
+	{
+	int i,j,k;
+	unsigned char buf[sizeof(long)+1];
+	long d;
+
+	a->type=V_ASN1_INTEGER;
+	if (a->length < (sizeof(long)+1))
+		{
+		if (a->data != NULL)
+			Free(a->data);
+		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+			memset((char *)a->data,0,sizeof(long)+1);
+		}
+	if (a->data == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_INTEGER_SET,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	d=v;
+	if (d < 0)
+		{
+		d= -d;
+		a->type=V_ASN1_NEG_INTEGER;
+		}
+
+	for (i=0; i<sizeof(long); i++)
+		{
+		if (d == 0) break;
+		buf[i]=(int)d&0xff;
+		d>>=8;
+		}
+	j=0;
+	for (k=i-1; k >=0; k--)
+		a->data[j++]=buf[k];
+	a->length=j;
+	return(1);
+	}
+
+long ASN1_INTEGER_get(ASN1_INTEGER *a)
+	{
+	int neg=0,i;
+	long r=0;
+
+	if (a == NULL) return(0L);
+	i=a->type;
+	if (i == V_ASN1_NEG_INTEGER)
+		neg=1;
+	else if (i != V_ASN1_INTEGER)
+		return(0);
+	
+	if (a->length > sizeof(long))
+		{
+		/* hmm... a bit ugly */
+		return(0xffffffffL);
+		}
+	if (a->data == NULL)
+		return(0);
+
+	for (i=0; i<a->length; i++)
+		{
+		r<<=8;
+		r|=(unsigned char)a->data[i];
+		}
+	if (neg) r= -r;
+	return(r);
+	}
+
+ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
+	{
+	ASN1_INTEGER *ret;
+	int len,j;
+
+	if (ai == NULL)
+		ret=M_ASN1_INTEGER_new();
+	else
+		ret=ai;
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
+		goto err;
+		}
+	if(bn->neg) ret->type = V_ASN1_NEG_INTEGER;
+	else ret->type=V_ASN1_INTEGER;
+	j=BN_num_bits(bn);
+	len=((j == 0)?0:((j/8)+1));
+	ret->data=(unsigned char *)Malloc(len+4);
+	ret->length=BN_bn2bin(bn,ret->data);
+	return(ret);
+err:
+	if (ret != ai) M_ASN1_INTEGER_free(ret);
+	return(NULL);
+	}
+
+BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai, BIGNUM *bn)
+	{
+	BIGNUM *ret;
+
+	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
+		ASN1err(ASN1_F_ASN1_INTEGER_TO_BN,ASN1_R_BN_LIB);
+	if(ai->type == V_ASN1_NEG_INTEGER) bn->neg = 1;
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c
new file mode 100644
index 0000000..7a710d5
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_mbstr.c
@@ -0,0 +1,390 @@
+/* a_mbstr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+		 int (*rfunc)(unsigned long value, void *in), void *arg);
+static int in_utf8(unsigned long value, void *arg);
+static int out_utf8(unsigned long value, void *arg);
+static int type_str(unsigned long value, void *arg);
+static int cpy_asc(unsigned long value, void *arg);
+static int cpy_bmp(unsigned long value, void *arg);
+static int cpy_univ(unsigned long value, void *arg);
+static int cpy_utf8(unsigned long value, void *arg);
+static int is_printable(unsigned long value);
+
+/* These functions take a string in UTF8, ASCII or multibyte form and
+ * a mask of permissible ASN1 string types. It then works out the minimal
+ * type (using the order Printable < IA5 < T61 < BMP < Universal < UTF8)
+ * and creates a string of the correct type with the supplied data.
+ * Yes this is horrible: it has to be :-(
+ * The 'ncopy' form checks minimum and maximum size limits too.
+ */
+
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask)
+{
+	return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
+}
+
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask, 
+					long minsize, long maxsize)
+{
+	int str_type;
+	int ret;
+	int outform, outlen;
+	ASN1_STRING *dest;
+	unsigned char *p;
+	int nchar;
+	char strbuf[32];
+	int (*cpyfunc)(unsigned long,void *) = NULL;
+	if(len == -1) len = strlen((const char *)in);
+	if(!mask) mask = DIRSTRING_TYPE;
+
+	/* First do a string check and work out the number of characters */
+	switch(inform) {
+
+		case MBSTRING_BMP:
+		if(len & 1) {
+			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+					 ASN1_R_INVALID_BMPSTRING_LENGTH);
+			return -1;
+		}
+		nchar = len >> 1;
+		break;
+
+		case MBSTRING_UNIV:
+		if(len & 3) {
+			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+					 ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
+			return -1;
+		}
+		nchar = len >> 2;
+		break;
+
+		case MBSTRING_UTF8:
+		nchar = 0;
+		/* This counts the characters and does utf8 syntax checking */
+		ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
+		if(ret < 0) {
+			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+						 ASN1_R_INVALID_UTF8STRING);
+			return -1;
+		}
+		break;
+
+		case MBSTRING_ASC:
+		nchar = len;
+		break;
+
+		default:
+		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT);
+		return -1;
+	}
+
+	if((minsize > 0) && (nchar < minsize)) {
+		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
+		sprintf(strbuf, "%ld", minsize);
+		ERR_add_error_data(2, "minsize=", strbuf);
+		return -1;
+	}
+
+	if((maxsize > 0) && (nchar > maxsize)) {
+		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
+		sprintf(strbuf, "%ld", maxsize);
+		ERR_add_error_data(2, "maxsize=", strbuf);
+		return -1;
+	}
+
+	/* Now work out minimal type (if any) */
+	if(traverse_string(in, len, inform, type_str, &mask) < 0) {
+		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS);
+		return -1;
+	}
+
+
+	/* Now work out output format and string type */
+	outform = MBSTRING_ASC;
+	if(mask & B_ASN1_PRINTABLESTRING) str_type = V_ASN1_PRINTABLESTRING;
+	else if(mask & B_ASN1_IA5STRING) str_type = V_ASN1_IA5STRING;
+	else if(mask & B_ASN1_T61STRING) str_type = V_ASN1_T61STRING;
+	else if(mask & B_ASN1_BMPSTRING) {
+		str_type = V_ASN1_BMPSTRING;
+		outform = MBSTRING_BMP;
+	} else if(mask & B_ASN1_UNIVERSALSTRING) {
+		str_type = V_ASN1_UNIVERSALSTRING;
+		outform = MBSTRING_UNIV;
+	} else {
+		str_type = V_ASN1_UTF8STRING;
+		outform = MBSTRING_UTF8;
+	}
+	if(!out) return str_type;
+	if(*out) {
+		dest = *out;
+		if(dest->data) {
+			dest->length = 0;
+			Free(dest->data);
+			dest->data = NULL;
+		}
+		dest->type = str_type;
+	} else {
+		dest = ASN1_STRING_type_new(str_type);
+		if(!dest) {
+			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+							ERR_R_MALLOC_FAILURE);
+			return -1;
+		}
+		*out = dest;
+	}
+	/* If both the same type just copy across */
+	if(inform == outform) {
+		if(!ASN1_STRING_set(dest, in, len)) {
+			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+			return -1;
+		}
+		return str_type;
+	} 
+
+	/* Work out how much space the destination will need */
+	switch(outform) {
+		case MBSTRING_ASC:
+		outlen = nchar;
+		cpyfunc = cpy_asc;
+		break;
+
+		case MBSTRING_BMP:
+		outlen = nchar << 1;
+		cpyfunc = cpy_bmp;
+		break;
+
+		case MBSTRING_UNIV:
+		outlen = nchar << 2;
+		cpyfunc = cpy_univ;
+		break;
+
+		case MBSTRING_UTF8:
+		outlen = 0;
+		traverse_string(in, len, inform, out_utf8, &outlen);
+		cpyfunc = cpy_utf8;
+		break;
+	}
+	if(!(p = Malloc(outlen + 1))) {
+		ASN1_STRING_free(dest);
+		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+		return -1;
+	}
+	dest->length = outlen;
+	dest->data = p;
+	p[outlen] = 0;
+	traverse_string(in, len, inform, cpyfunc, &p);
+	return str_type;	
+}
+
+/* This function traverses a string and passes the value of each character
+ * to an optional function along with a void * argument.
+ */
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+		 int (*rfunc)(unsigned long value, void *in), void *arg)
+{
+	unsigned long value;
+	int ret;
+	while(len) {
+		if(inform == MBSTRING_ASC) {
+			value = *p++;
+			len--;
+		} else if(inform == MBSTRING_BMP) {
+			value = *p++ << 8;
+			value |= *p++;
+			len -= 2;
+		} else if(inform == MBSTRING_UNIV) {
+			value = *p++ << 24;
+			value |= *p++ << 16;
+			value |= *p++ << 8;
+			value |= *p++;
+			len -= 4;
+		} else {
+			ret = UTF8_getc(p, len, &value);
+			if(ret < 0) return -1;
+			len -= ret;
+			p += ret;
+		}
+		if(rfunc) {
+			ret = rfunc(value, arg);
+			if(ret <= 0) return ret;
+		}
+	}
+	return 1;
+}
+
+/* Various utility functions for traverse_string */
+
+/* Just count number of characters */
+
+static int in_utf8(unsigned long value, void *arg)
+{
+	int *nchar;
+	nchar = arg;
+	(*nchar)++;
+	return 1;
+}
+
+/* Determine size of output as a UTF8 String */
+
+static int out_utf8(unsigned long value, void *arg)
+{
+	long *outlen;
+	outlen = arg;
+	*outlen += UTF8_putc(NULL, -1, value);
+	return 1;
+}
+
+/* Determine the "type" of a string: check each character against a
+ * supplied "mask".
+ */
+
+static int type_str(unsigned long value, void *arg)
+{
+	unsigned long types;
+	types = *((unsigned long *)arg);
+	if((types & B_ASN1_PRINTABLESTRING) && !is_printable(value))
+					types &= ~B_ASN1_PRINTABLESTRING;
+	if((types & B_ASN1_IA5STRING) && (value > 127))
+					types &= ~B_ASN1_IA5STRING;
+	if((types & B_ASN1_T61STRING) && (value > 0xff))
+					types &= ~B_ASN1_T61STRING;
+	if((types & B_ASN1_BMPSTRING) && (value > 0xffff))
+					types &= ~B_ASN1_BMPSTRING;
+	if(!types) return -1;
+	*((unsigned long *)arg) = types;
+	return 1;
+}
+
+/* Copy one byte per character ASCII like strings */
+
+static int cpy_asc(unsigned long value, void *arg)
+{
+	unsigned char **p, *q;
+	p = arg;
+	q = *p;
+	*q = (unsigned char) value;
+	(*p)++;
+	return 1;
+}
+
+/* Copy two byte per character BMPStrings */
+
+static int cpy_bmp(unsigned long value, void *arg)
+{
+	unsigned char **p, *q;
+	p = arg;
+	q = *p;
+	*q++ = (unsigned char) ((value >> 8) & 0xff);
+	*q = (unsigned char) (value & 0xff);
+	*p += 2;
+	return 1;
+}
+
+/* Copy four byte per character UniversalStrings */
+
+static int cpy_univ(unsigned long value, void *arg)
+{
+	unsigned char **p, *q;
+	p = arg;
+	q = *p;
+	*q++ = (unsigned char) ((value >> 24) & 0xff);
+	*q++ = (unsigned char) ((value >> 16) & 0xff);
+	*q++ = (unsigned char) ((value >> 8) & 0xff);
+	*q = (unsigned char) (value & 0xff);
+	*p += 4;
+	return 1;
+}
+
+/* Copy to a UTF8String */
+
+static int cpy_utf8(unsigned long value, void *arg)
+{
+	unsigned char **p;
+	int ret;
+	p = arg;
+	/* We already know there is enough room so pass 0xff as the length */
+	ret = UTF8_putc(*p, 0xff, value);
+	*p += ret;
+	return 1;
+}
+
+/* Return 1 if the character is permitted in a PrintableString */
+static int is_printable(unsigned long value)
+{
+	int ch;
+	if(value > 0x7f) return 0;
+	ch = (int) value;
+	/* Note: we can't use 'isalnum' because certain accented 
+	 * characters may count as alphanumeric in some environments.
+	 */
+	if((ch >= 'a') && (ch <= 'z')) return 1;
+	if((ch >= 'A') && (ch <= 'Z')) return 1;
+	if((ch >= '0') && (ch <= '9')) return 1;
+	if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1;
+	return 0;
+}
diff --git a/crypto/openssl/crypto/asn1/a_meth.c b/crypto/openssl/crypto/asn1/a_meth.c
new file mode 100644
index 0000000..63158e9
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_meth.c
@@ -0,0 +1,84 @@
+/* crypto/asn1/a_meth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+static  ASN1_METHOD ia5string_meth={
+	(int (*)())	i2d_ASN1_IA5STRING,
+	(char *(*)())	d2i_ASN1_IA5STRING,
+	(char *(*)())	ASN1_STRING_new,
+	(void (*)())	ASN1_STRING_free};
+
+static  ASN1_METHOD bit_string_meth={
+	(int (*)())	i2d_ASN1_BIT_STRING,
+	(char *(*)())	d2i_ASN1_BIT_STRING,
+	(char *(*)())	ASN1_STRING_new,
+	(void (*)())	ASN1_STRING_free};
+
+ASN1_METHOD *ASN1_IA5STRING_asn1_meth(void)
+	{
+	return(&ia5string_meth);
+	}
+
+ASN1_METHOD *ASN1_BIT_STRING_asn1_meth(void)
+	{
+	return(&bit_string_meth);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_null.c b/crypto/openssl/crypto/asn1/a_null.c
new file mode 100644
index 0000000..119fd78
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_null.c
@@ -0,0 +1,119 @@
+/* a_null.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* ASN1 functions for NULL type. For compatibility with other ASN1 code
+ * it returns a pointer to an "ASN1_NULL" structure. The new/free functions
+ * don't need to do any allocating because nothing is stored in a NULL.
+ */
+
+int i2d_ASN1_NULL(ASN1_NULL *a, unsigned char **pp)
+	{
+	if(!a) return 0;
+	if (pp) ASN1_put_object(pp,0,0,V_ASN1_NULL,V_ASN1_UNIVERSAL);
+	return 2;
+	}
+
+ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **a, unsigned char **pp, long length)
+	{
+	ASN1_NULL *ret = NULL;
+	unsigned char *p;
+	long len;
+	int inf,tag,xclass;
+	int i=0;
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_NULL)
+		{
+		i=ASN1_R_EXPECTING_A_NULL;
+		goto err;
+		}
+
+	if (len != 0)
+		{
+		i=ASN1_R_NULL_IS_WRONG_LENGTH;
+		goto err;
+		}
+	ret=(ASN1_NULL *)1;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_NULL,i);
+	return(ret);
+	}
+
+ASN1_NULL *ASN1_NULL_new(void)
+{
+	return (ASN1_NULL *)1;
+}
+
+void ASN1_NULL_free(ASN1_NULL *a)
+{
+	return;
+}
diff --git a/crypto/openssl/crypto/asn1/a_object.c b/crypto/openssl/crypto/asn1/a_object.c
new file mode 100644
index 0000000..09d56fb
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_object.c
@@ -0,0 +1,304 @@
+/* crypto/asn1/a_object.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
+	{
+	unsigned char *p;
+
+	if ((a == NULL) || (a->data == NULL)) return(0);
+
+	if (pp == NULL)
+		return(ASN1_object_size(0,a->length,V_ASN1_OBJECT));
+
+	p= *pp;
+	ASN1_put_object(&p,0,a->length,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
+	memcpy(p,a->data,a->length);
+	p+=a->length;
+
+	*pp=p;
+	return(a->length);
+	}
+
+int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
+	{
+	int i,first,len=0,c;
+	char tmp[24];
+	const char *p;
+	unsigned long l;
+
+	if (num == 0)
+		return(0);
+	else if (num == -1)
+		num=strlen(buf);
+
+	p=buf;
+	c= *(p++);
+	num--;
+	if ((c >= '0') && (c <= '2'))
+		{
+		first=(c-'0')*40;
+		}
+	else
+		{
+		ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_FIRST_NUM_TOO_LARGE);
+		goto err;
+		}
+
+	if (num <= 0)
+		{
+		ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_MISSING_SECOND_NUMBER);
+		goto err;
+		}
+	c= *(p++);
+	num--;
+	for (;;)
+		{
+		if (num <= 0) break;
+		if ((c != '.') && (c != ' '))
+			{
+			ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_SEPARATOR);
+			goto err;
+			}
+		l=0;
+		for (;;)
+			{
+			if (num <= 0) break;
+			num--;
+			c= *(p++);
+			if ((c == ' ') || (c == '.'))
+				break;
+			if ((c < '0') || (c > '9'))
+				{
+				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
+				goto err;
+				}
+			l=l*10L+(long)(c-'0');
+			}
+		if (len == 0)
+			{
+			if ((first < 2) && (l >= 40))
+				{
+				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_SECOND_NUMBER_TOO_LARGE);
+				goto err;
+				}
+			l+=(long)first;
+			}
+		i=0;
+		for (;;)
+			{
+			tmp[i++]=(unsigned char)l&0x7f;
+			l>>=7L;
+			if (l == 0L) break;
+			}
+		if (out != NULL)
+			{
+			if (len+i > olen)
+				{
+				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_BUFFER_TOO_SMALL);
+				goto err;
+				}
+			while (--i > 0)
+				out[len++]=tmp[i]|0x80;
+			out[len++]=tmp[0];
+			}
+		else
+			len+=i;
+		}
+	return(len);
+err:
+	return(0);
+	}
+
+int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
+{
+	return OBJ_obj2txt(buf, buf_len, a, 0);
+}
+
+int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
+	{
+	char buf[80];
+	int i;
+
+	if ((a == NULL) || (a->data == NULL))
+		return(BIO_write(bp,"NULL",4));
+	i=i2t_ASN1_OBJECT(buf,80,a);
+	if (i > 80) i=80;
+	BIO_write(bp,buf,i);
+	return(i);
+	}
+
+ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_OBJECT *ret=NULL;
+	unsigned char *p;
+	long len;
+	int tag,xclass;
+	int inf,i;
+
+	/* only the ASN1_OBJECTs from the 'table' will have values
+	 * for ->sn or ->ln */
+	if ((a == NULL) || ((*a) == NULL) ||
+		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
+		{
+		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
+		}
+	else	ret=(*a);
+
+	p= *pp;
+
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_OBJECT)
+		{
+		i=ASN1_R_EXPECTING_AN_OBJECT;
+		goto err;
+		}
+	if ((ret->data == NULL) || (ret->length < len))
+		{
+		if (ret->data != NULL) Free(ret->data);
+		ret->data=(unsigned char *)Malloc(len ? (int)len : 1);
+		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
+		if (ret->data == NULL)
+			{ i=ERR_R_MALLOC_FAILURE; goto err; }
+		}
+	memcpy(ret->data,p,(int)len);
+	ret->length=(int)len;
+	ret->sn=NULL;
+	ret->ln=NULL;
+	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
+	p+=len;
+
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		ASN1_OBJECT_free(ret);
+	return(NULL);
+	}
+
+ASN1_OBJECT *ASN1_OBJECT_new(void)
+	{
+	ASN1_OBJECT *ret;
+
+	ret=(ASN1_OBJECT *)Malloc(sizeof(ASN1_OBJECT));
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_OBJECT_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->length=0;
+	ret->data=NULL;
+	ret->nid=0;
+	ret->sn=NULL;
+	ret->ln=NULL;
+	ret->flags=ASN1_OBJECT_FLAG_DYNAMIC;
+	return(ret);
+	}
+
+void ASN1_OBJECT_free(ASN1_OBJECT *a)
+	{
+	if (a == NULL) return;
+	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS)
+		{
+#ifndef CONST_STRICT /* disable purely for compile-time strict const checking. Doing this on a "real" compile will cause memory leaks */
+		if (a->sn != NULL) Free((void *)a->sn);
+		if (a->ln != NULL) Free((void *)a->ln);
+#endif
+		a->sn=a->ln=NULL;
+		}
+	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA)
+		{
+		if (a->data != NULL) Free(a->data);
+		a->data=NULL;
+		a->length=0;
+		}
+	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC)
+		Free(a);
+	}
+
+ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
+	     char *sn, char *ln)
+	{
+	ASN1_OBJECT o;
+
+	o.sn=sn;
+	o.ln=ln;
+	o.data=data;
+	o.nid=nid;
+	o.length=len;
+	o.flags=ASN1_OBJECT_FLAG_DYNAMIC|ASN1_OBJECT_FLAG_DYNAMIC_STRINGS|
+		ASN1_OBJECT_FLAG_DYNAMIC_DATA;
+	return(OBJ_dup(&o));
+	}
+
+IMPLEMENT_STACK_OF(ASN1_OBJECT)
+IMPLEMENT_ASN1_SET_OF(ASN1_OBJECT)
diff --git a/crypto/openssl/crypto/asn1/a_octet.c b/crypto/openssl/crypto/asn1/a_octet.c
new file mode 100644
index 0000000..2586f43
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_octet.c
@@ -0,0 +1,95 @@
+/* crypto/asn1/a_octet.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void)
+{ return M_ASN1_OCTET_STRING_new(); }
+
+void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *x)
+{ M_ASN1_OCTET_STRING_free(x); }
+
+ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *x)
+{ return M_ASN1_OCTET_STRING_dup(x); }
+
+int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b)
+{ return M_ASN1_OCTET_STRING_cmp(a, b); }
+
+int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, unsigned char *d, int len)
+{ return M_ASN1_OCTET_STRING_set(x, d, len); }
+
+int i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a, unsigned char **pp)
+{ return M_i2d_ASN1_OCTET_STRING(a, pp); }
+
+ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
+	     unsigned char **pp, long length)
+	{
+	ASN1_OCTET_STRING *ret=NULL;
+
+	ret=(ASN1_OCTET_STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+		pp,length,V_ASN1_OCTET_STRING,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_OCTET_STRING,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_print.c b/crypto/openssl/crypto/asn1/a_print.c
new file mode 100644
index 0000000..b7bd2bd
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_print.c
@@ -0,0 +1,197 @@
+/* crypto/asn1/a_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_IA5STRING *ASN1_IA5STRING_new(void)
+{ return M_ASN1_IA5STRING_new();}
+
+void ASN1_IA5STRING_free(ASN1_IA5STRING *x)
+{ M_ASN1_IA5STRING_free(x);}
+
+int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a, unsigned char **pp)
+	{ return(M_i2d_ASN1_IA5STRING(a,pp)); }
+
+ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a, unsigned char **pp,
+	     long l)
+	{ return(M_d2i_ASN1_IA5STRING(a,pp,l)); }
+
+ASN1_T61STRING *ASN1_T61STRING_new(void)
+{ return M_ASN1_T61STRING_new();}
+
+void ASN1_T61STRING_free(ASN1_T61STRING *x)
+{ M_ASN1_T61STRING_free(x);}
+
+ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a, unsigned char **pp,
+	     long l)
+	{ return(M_d2i_ASN1_T61STRING(a,pp,l)); }
+
+ASN1_PRINTABLESTRING *ASN1_PRINTABLESTRING_new(void)
+{ return M_ASN1_PRINTABLESTRING_new();}
+
+void ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *x)
+{ M_ASN1_PRINTABLESTRING_free(x);}
+
+ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
+	     unsigned char **pp, long l)
+	{ return(M_d2i_ASN1_PRINTABLESTRING(a,pp,
+	     l)); }
+
+int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp)
+	{ return(M_i2d_ASN1_PRINTABLESTRING(a,pp)); }
+
+int i2d_ASN1_PRINTABLE(ASN1_STRING *a, unsigned char **pp)
+	{ return(M_i2d_ASN1_PRINTABLE(a,pp)); }
+
+ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **a, unsigned char **pp,
+	     long l)
+	{ return(M_d2i_ASN1_PRINTABLE(a,pp,l)); }
+
+int ASN1_PRINTABLE_type(unsigned char *s, int len)
+	{
+	int c;
+	int ia5=0;
+	int t61=0;
+
+	if (len <= 0) len= -1;
+	if (s == NULL) return(V_ASN1_PRINTABLESTRING);
+
+	while ((*s) && (len-- != 0))
+		{
+		c= *(s++);
+#ifndef CHARSET_EBCDIC
+		if (!(	((c >= 'a') && (c <= 'z')) ||
+			((c >= 'A') && (c <= 'Z')) ||
+			(c == ' ') ||
+			((c >= '0') && (c <= '9')) ||
+			(c == ' ') || (c == '\'') ||
+			(c == '(') || (c == ')') ||
+			(c == '+') || (c == ',') ||
+			(c == '-') || (c == '.') ||
+			(c == '/') || (c == ':') ||
+			(c == '=') || (c == '?')))
+			ia5=1;
+		if (c&0x80)
+			t61=1;
+#else
+		if (!isalnum(c) && (c != ' ') &&
+		    strchr("'()+,-./:=?", c) == NULL)
+			ia5=1;
+		if (os_toascii[c] & 0x80)
+			t61=1;
+#endif
+		}
+	if (t61) return(V_ASN1_T61STRING);
+	if (ia5) return(V_ASN1_IA5STRING);
+	return(V_ASN1_PRINTABLESTRING);
+	}
+
+int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
+	{
+	int i;
+	unsigned char *p;
+
+	if (s->type != V_ASN1_UNIVERSALSTRING) return(0);
+	if ((s->length%4) != 0) return(0);
+	p=s->data;
+	for (i=0; i<s->length; i+=4)
+		{
+		if ((p[0] != '\0') || (p[1] != '\0') || (p[2] != '\0'))
+			break;
+		else
+			p+=4;
+		}
+	if (i < s->length) return(0);
+	p=s->data;
+	for (i=3; i<s->length; i+=4)
+		{
+		*(p++)=s->data[i];
+		}
+	*(p)='\0';
+	s->length/=4;
+	s->type=ASN1_PRINTABLE_type(s->data,s->length);
+	return(1);
+	}
+
+ASN1_STRING *DIRECTORYSTRING_new(void)
+{ return M_DIRECTORYSTRING_new();}
+
+void DIRECTORYSTRING_free(ASN1_STRING *x)
+{ M_DIRECTORYSTRING_free(x);}
+
+int i2d_DIRECTORYSTRING(ASN1_STRING *a, unsigned char **pp)
+	{ return(M_i2d_DIRECTORYSTRING(a,pp)); }
+
+ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
+	     long l)
+	{ return(M_d2i_DIRECTORYSTRING(a,pp,l)); }
+
+ASN1_STRING *DISPLAYTEXT_new(void)
+{ return M_DISPLAYTEXT_new();}
+
+void DISPLAYTEXT_free(ASN1_STRING *x)
+{ M_DISPLAYTEXT_free(x);}
+
+int i2d_DISPLAYTEXT(ASN1_STRING *a, unsigned char **pp)
+	{ return(M_i2d_DISPLAYTEXT(a,pp)); }
+
+ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **a, unsigned char **pp,
+	     long l)
+	{ return(M_d2i_DISPLAYTEXT(a,pp,l)); }
diff --git a/crypto/openssl/crypto/asn1/a_set.c b/crypto/openssl/crypto/asn1/a_set.c
new file mode 100644
index 0000000..c2481e7
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_set.c
@@ -0,0 +1,217 @@
+/* crypto/asn1/a_set.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+
+typedef struct
+    {
+    unsigned char *pbData;
+    int cbData;
+    } MYBLOB;
+
+/* SetBlobCmp
+ * This function compares two elements of SET_OF block
+ */
+static int SetBlobCmp(const void *elem1, const void *elem2 )
+    {
+    const MYBLOB *b1 = (const MYBLOB *)elem1;
+    const MYBLOB *b2 = (const MYBLOB *)elem2;
+    int r;
+
+    r = memcmp(b1->pbData, b2->pbData,
+	       b1->cbData < b2->cbData ? b1->cbData : b2->cbData);
+    if(r != 0)
+	return r;
+    return b1->cbData-b2->cbData;
+    }
+
+/* int is_set:  if TRUE, then sort the contents (i.e. it isn't a SEQUENCE)    */
+int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
+	     int ex_class, int is_set)
+	{
+	int ret=0,r;
+	int i;
+	unsigned char *p;
+        unsigned char *pStart, *pTempMem;
+        MYBLOB *rgSetBlob;
+        int totSize;
+
+	if (a == NULL) return(0);
+	for (i=sk_num(a)-1; i>=0; i--)
+		ret+=func(sk_value(a,i),NULL);
+	r=ASN1_object_size(1,ret,ex_tag);
+	if (pp == NULL) return(r);
+
+	p= *pp;
+	ASN1_put_object(&p,1,ret,ex_tag,ex_class);
+
+/* Modified by gp@nsj.co.jp */
+	/* And then again by Ben */
+	/* And again by Steve */
+
+	if(!is_set || (sk_num(a) < 2))
+		{
+		for (i=0; i<sk_num(a); i++)
+                	func(sk_value(a,i),&p);
+
+		*pp=p;
+		return(r);
+		}
+
+        pStart  = p; /* Catch the beg of Setblobs*/
+        rgSetBlob = (MYBLOB *)Malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+we will store the SET blobs */
+
+        for (i=0; i<sk_num(a); i++)
+	        {
+                rgSetBlob[i].pbData = p;  /* catch each set encode blob */
+                func(sk_value(a,i),&p);
+                rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
+SetBlob
+*/
+		}
+        *pp=p;
+        totSize = p - pStart; /* This is the total size of all set blobs */
+
+ /* Now we have to sort the blobs. I am using a simple algo.
+    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
+        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
+        pTempMem = Malloc(totSize);
+
+/* Copy to temp mem */
+        p = pTempMem;
+        for(i=0; i<sk_num(a); ++i)
+		{
+                memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
+                p += rgSetBlob[i].cbData;
+		}
+
+/* Copy back to user mem*/
+        memcpy(pStart, pTempMem, totSize);
+        Free(pTempMem);
+        Free(rgSetBlob);
+
+        return(r);
+        }
+
+STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
+	     char *(*func)(), void (*free_func)(), int ex_tag, int ex_class)
+	{
+	ASN1_CTX c;
+	STACK *ret=NULL;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{ if ((ret=sk_new(NULL)) == NULL) goto err; }
+	else
+		ret=(*a);
+
+	c.p= *pp;
+	c.max=(length == 0)?0:(c.p+length);
+
+	c.inf=ASN1_get_object(&c.p,&c.slen,&c.tag,&c.xclass,c.max-c.p);
+	if (c.inf & 0x80) goto err;
+	if (ex_class != c.xclass)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_SET,ASN1_R_BAD_CLASS);
+		goto err;
+		}
+	if (ex_tag != c.tag)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_SET,ASN1_R_BAD_TAG);
+		goto err;
+		}
+	if ((c.slen+c.p) > c.max)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_SET,ASN1_R_LENGTH_ERROR);
+		goto err;
+		}
+	/* check for infinite constructed - it can be as long
+	 * as the amount of data passed to us */
+	if (c.inf == (V_ASN1_CONSTRUCTED+1))
+		c.slen=length+ *pp-c.p;
+	c.max=c.p+c.slen;
+
+	while (c.p < c.max)
+		{
+		char *s;
+
+		if (M_ASN1_D2I_end_sequence()) break;
+		if ((s=func(NULL,&c.p,c.slen,c.max-c.p)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_ASN1_SET,ASN1_R_ERROR_PARSING_SET_ELEMENT);
+			asn1_add_error(*pp,(int)(c.q- *pp));
+			goto err;
+			}
+		if (!sk_push(ret,s)) goto err;
+		}
+	if (a != NULL) (*a)=ret;
+	*pp=c.p;
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		{
+		if (free_func != NULL)
+			sk_pop_free(ret,free_func);
+		else
+			sk_free(ret);
+		}
+	return(NULL);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/a_sign.c b/crypto/openssl/crypto/asn1/a_sign.c
new file mode 100644
index 0000000..cfb4bca
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_sign.c
@@ -0,0 +1,148 @@
+/* crypto/asn1/a_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+
+#include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+
+int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
+	     ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
+	     const EVP_MD *type)
+	{
+	EVP_MD_CTX ctx;
+	unsigned char *p,*buf_in=NULL,*buf_out=NULL;
+	int i,inl=0,outl=0,outll=0;
+	X509_ALGOR *a;
+
+	for (i=0; i<2; i++)
+		{
+		if (i == 0)
+			a=algor1;
+		else
+			a=algor2;
+		if (a == NULL) continue;
+		if (	(a->parameter == NULL) || 
+			(a->parameter->type != V_ASN1_NULL))
+			{
+			ASN1_TYPE_free(a->parameter);
+			if ((a->parameter=ASN1_TYPE_new()) == NULL) goto err;
+			a->parameter->type=V_ASN1_NULL;
+			}
+		ASN1_OBJECT_free(a->algorithm);
+		a->algorithm=OBJ_nid2obj(type->pkey_type);
+		if (a->algorithm == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
+			goto err;
+			}
+		if (a->algorithm->length == 0)
+			{
+			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+			goto err;
+			}
+		}
+	inl=i2d(data,NULL);
+	buf_in=(unsigned char *)Malloc((unsigned int)inl);
+	outll=outl=EVP_PKEY_size(pkey);
+	buf_out=(unsigned char *)Malloc((unsigned int)outl);
+	if ((buf_in == NULL) || (buf_out == NULL))
+		{
+		outl=0;
+		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	p=buf_in;
+
+	i2d(data,&p);
+	EVP_SignInit(&ctx,type);
+	EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
+	if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
+			(unsigned int *)&outl,pkey))
+		{
+		outl=0;
+		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
+		goto err;
+		}
+	if (signature->data != NULL) Free(signature->data);
+	signature->data=buf_out;
+	buf_out=NULL;
+	signature->length=outl;
+	/* In the interests of compatibility, I'll make sure that
+	 * the bit string has a 'not-used bits' value of 0
+	 */
+	signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+	signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
+err:
+	memset(&ctx,0,sizeof(ctx));
+	if (buf_in != NULL)
+		{ memset((char *)buf_in,0,(unsigned int)inl); Free(buf_in); }
+	if (buf_out != NULL)
+		{ memset((char *)buf_out,0,outll); Free(buf_out); }
+	return(outl);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c
new file mode 100644
index 0000000..ab8417f
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_strnid.c
@@ -0,0 +1,247 @@
+/* a_strnid.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+
+static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
+static void st_free(ASN1_STRING_TABLE *tbl);
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+
+
+/* This is the global mask for the mbstring functions: this is use to
+ * mask out certain types (such as BMPString and UTF8String) because
+ * certain software (e.g. Netscape) has problems with them.
+ */
+
+static unsigned long global_mask = 0xFFFFFFFFL;
+
+void ASN1_STRING_set_default_mask(unsigned long mask)
+{
+	global_mask = mask;
+}
+
+unsigned long ASN1_STRING_get_default_mask(void)
+{
+	return global_mask;
+}
+
+/* This function sets the default to various "flavours" of configuration.
+ * based on an ASCII string. Currently this is:
+ * MASK:XXXX : a numerical mask value.
+ * nobmp : Don't use BMPStrings (just Printable, T61).
+ * pkix : PKIX recommendation in RFC2459.
+ * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004).
+ * default:   the default value, Printable, T61, BMP.
+ */
+
+int ASN1_STRING_set_default_mask_asc(char *p)
+{
+	unsigned long mask;
+	char *end;
+	if(!strncmp(p, "MASK:", 5)) {
+		if(!p[5]) return 0;
+		mask = strtoul(p + 5, &end, 0);
+		if(*end) return 0;
+	} else if(!strcmp(p, "nombstr"))
+			 mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+	else if(!strcmp(p, "pkix"))
+			mask = ~B_ASN1_T61STRING;
+	else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
+	else if(!strcmp(p, "default"))
+	    mask = 0xFFFFFFFFL;
+	else return 0;
+	ASN1_STRING_set_default_mask(mask);
+	return 1;
+}
+
+/* The following function generates an ASN1_STRING based on limits in a table.
+ * Frequently the types and length of an ASN1_STRING are restricted by a 
+ * corresponding OID. For example certificates and certificate requests.
+ */
+
+ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
+					int inlen, int inform, int nid)
+{
+	ASN1_STRING_TABLE *tbl;
+	ASN1_STRING *str = NULL;
+	unsigned long mask;
+	int ret;
+	if(!out) out = &str;
+	tbl = ASN1_STRING_TABLE_get(nid);
+	if(tbl) {
+		mask = tbl->mask;
+		if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
+		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+					tbl->minsize, tbl->maxsize);
+	} else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
+	if(ret <= 0) return NULL;
+	return *out;
+}
+
+/* Now the tables and helper functions for the string table:
+ */
+
+/* size limits: this stuff is taken straight from RFC2459 */
+
+#define ub_name				32768
+#define ub_common_name			64
+#define ub_locality_name		128
+#define ub_state_name			128
+#define ub_organization_name		64
+#define ub_organization_unit_name	64
+#define ub_title			64
+#define ub_email_address		128
+
+/* This table must be kept in NID order */
+
+static ASN1_STRING_TABLE tbl_standard[] = {
+{NID_commonName,		1, ub_common_name, DIRSTRING_TYPE, 0},
+{NID_countryName,		2, 2, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_localityName,		1, ub_locality_name, DIRSTRING_TYPE, 0},
+{NID_stateOrProvinceName,	1, ub_state_name, DIRSTRING_TYPE, 0},
+{NID_organizationName,		1, ub_organization_name, DIRSTRING_TYPE, 0},
+{NID_organizationalUnitName,	1, ub_organization_unit_name, DIRSTRING_TYPE, 0},
+{NID_pkcs9_emailAddress,	1, ub_email_address, B_ASN1_IA5STRING, STABLE_NO_MASK},
+{NID_pkcs9_unstructuredName,	1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_challengePassword,	1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_unstructuredAddress,	1, -1, DIRSTRING_TYPE, 0},
+{NID_givenName,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_surname,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_initials,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_name,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
+};
+
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+{
+	return (*a)->nid - (*b)->nid;
+}
+
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+{
+	return a->nid - b->nid;
+}
+
+ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
+{
+	int idx;
+	ASN1_STRING_TABLE *ttmp;
+	ASN1_STRING_TABLE fnd;
+	fnd.nid = nid;
+	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
+					(char *)tbl_standard, 
+			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
+			sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+	if(ttmp) return ttmp;
+	if(!stable) return NULL;
+	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
+	if(idx < 0) return NULL;
+	return sk_ASN1_STRING_TABLE_value(stable, idx);
+}
+	
+int ASN1_STRING_TABLE_add(int nid,
+		 long minsize, long maxsize, unsigned long mask,
+				unsigned long flags)
+{
+	ASN1_STRING_TABLE *tmp;
+	char new_nid = 0;
+	flags &= ~STABLE_FLAGS_MALLOC;
+	if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
+	if(!stable) {
+		ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
+		tmp = Malloc(sizeof(ASN1_STRING_TABLE));
+		if(!tmp) {
+			ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD,
+							ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		tmp->flags = flags | STABLE_FLAGS_MALLOC;
+		tmp->nid = nid;
+		new_nid = 1;
+	} else tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
+	if(minsize != -1) tmp->minsize = minsize;
+	if(maxsize != -1) tmp->maxsize = maxsize;
+	tmp->mask = mask;
+	if(new_nid) sk_ASN1_STRING_TABLE_push(stable, tmp);
+	return 1;
+}
+
+void ASN1_STRING_TABLE_cleanup(void)
+{
+	STACK_OF(ASN1_STRING_TABLE) *tmp;
+	tmp = stable;
+	if(!tmp) return;
+	stable = NULL;
+	sk_ASN1_STRING_TABLE_pop_free(tmp, st_free);
+}
+
+static void st_free(ASN1_STRING_TABLE *tbl)
+{
+	if(tbl->flags & STABLE_FLAGS_MALLOC) Free(tbl);
+}
+
+IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
diff --git a/crypto/openssl/crypto/asn1/a_time.c b/crypto/openssl/crypto/asn1/a_time.c
new file mode 100644
index 0000000..b193f1c
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_time.c
@@ -0,0 +1,129 @@
+/* crypto/asn1/a_time.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* This is an implementation of the ASN1 Time structure which is:
+ *    Time ::= CHOICE {
+ *      utcTime        UTCTime,
+ *      generalTime    GeneralizedTime }
+ * written by Steve Henson.
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_TIME *ASN1_TIME_new(void)
+{ return M_ASN1_TIME_new(); }
+
+void ASN1_TIME_free(ASN1_TIME *x)
+{ M_ASN1_TIME_free(x); }
+
+int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
+	{
+#ifdef CHARSET_EBCDIC
+	/* KLUDGE! We convert to ascii before writing DER */
+	char tmp[24];
+	ASN1_STRING tmpstr;
+
+	if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) {
+	    int len;
+
+	    tmpstr = *(ASN1_STRING *)a;
+	    len = tmpstr.length;
+	    ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+	    tmpstr.data = tmp;
+	    a = (ASN1_GENERALIZEDTIME *) &tmpstr;
+	}
+#endif
+	if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME)
+				return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+				     a->type ,V_ASN1_UNIVERSAL));
+	ASN1err(ASN1_F_I2D_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+	return -1;
+	}
+
+
+ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
+	{
+	unsigned char tag;
+	tag = **pp & ~V_ASN1_CONSTRUCTED;
+	if(tag == (V_ASN1_UTCTIME|V_ASN1_UNIVERSAL))
+					 return d2i_ASN1_UTCTIME(a, pp, length);
+	if(tag == (V_ASN1_GENERALIZEDTIME|V_ASN1_UNIVERSAL))
+				return d2i_ASN1_GENERALIZEDTIME(a, pp, length);
+	ASN1err(ASN1_F_D2I_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+	return(NULL);
+	}
+
+
+ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
+	{
+	struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+	struct tm data;
+#endif
+
+#if defined(THREADS) && !defined(WIN32)
+	gmtime_r(&t,&data);
+	ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+#else
+	ts=gmtime(&t);
+#endif
+	if((ts->tm_year >= 50) && (ts->tm_year < 150))
+					return ASN1_UTCTIME_set(s, t);
+	return ASN1_GENERALIZEDTIME_set(s,t);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_type.c b/crypto/openssl/crypto/asn1/a_type.c
new file mode 100644
index 0000000..161ef81
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_type.c
@@ -0,0 +1,348 @@
+/* crypto/asn1/a_type.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+
+static void ASN1_TYPE_component_free(ASN1_TYPE *a);
+int i2d_ASN1_TYPE(ASN1_TYPE *a, unsigned char **pp)
+	{
+	int r=0;
+
+	if (a == NULL) return(0);
+
+	switch (a->type)
+		{
+	case V_ASN1_NULL:
+		if (pp != NULL)
+			ASN1_put_object(pp,0,0,V_ASN1_NULL,V_ASN1_UNIVERSAL);
+		r=2;
+		break;
+	case V_ASN1_INTEGER:
+	case V_ASN1_NEG_INTEGER:
+		r=i2d_ASN1_INTEGER(a->value.integer,pp);
+		break;
+	case V_ASN1_ENUMERATED:
+	case V_ASN1_NEG_ENUMERATED:
+		r=i2d_ASN1_ENUMERATED(a->value.enumerated,pp);
+		break;
+	case V_ASN1_BIT_STRING:
+		r=i2d_ASN1_BIT_STRING(a->value.bit_string,pp);
+		break;
+	case V_ASN1_OCTET_STRING:
+		r=i2d_ASN1_OCTET_STRING(a->value.octet_string,pp);
+		break;
+	case V_ASN1_OBJECT:
+		r=i2d_ASN1_OBJECT(a->value.object,pp);
+		break;
+	case V_ASN1_PRINTABLESTRING:
+		r=M_i2d_ASN1_PRINTABLESTRING(a->value.printablestring,pp);
+		break;
+	case V_ASN1_T61STRING:
+		r=M_i2d_ASN1_T61STRING(a->value.t61string,pp);
+		break;
+	case V_ASN1_IA5STRING:
+		r=M_i2d_ASN1_IA5STRING(a->value.ia5string,pp);
+		break;
+	case V_ASN1_GENERALSTRING:
+		r=M_i2d_ASN1_GENERALSTRING(a->value.generalstring,pp);
+		break;
+	case V_ASN1_UNIVERSALSTRING:
+		r=M_i2d_ASN1_UNIVERSALSTRING(a->value.universalstring,pp);
+		break;
+	case V_ASN1_UTF8STRING:
+		r=M_i2d_ASN1_UTF8STRING(a->value.utf8string,pp);
+		break;
+	case V_ASN1_VISIBLESTRING:
+		r=M_i2d_ASN1_VISIBLESTRING(a->value.visiblestring,pp);
+		break;
+	case V_ASN1_BMPSTRING:
+		r=M_i2d_ASN1_BMPSTRING(a->value.bmpstring,pp);
+		break;
+	case V_ASN1_UTCTIME:
+		r=i2d_ASN1_UTCTIME(a->value.utctime,pp);
+		break;
+	case V_ASN1_GENERALIZEDTIME:
+		r=i2d_ASN1_GENERALIZEDTIME(a->value.generalizedtime,pp);
+		break;
+	case V_ASN1_SET:
+	case V_ASN1_SEQUENCE:
+		if (a->value.set == NULL)
+			r=0;
+		else
+			{
+			r=a->value.set->length;
+			if (pp != NULL)
+				{
+				memcpy(*pp,a->value.set->data,r);
+				*pp+=r;
+				}
+			}
+		break;
+		}
+	return(r);
+	}
+
+ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, unsigned char **pp, long length)
+	{
+	ASN1_TYPE *ret=NULL;
+	unsigned char *q,*p,*max;
+	int inf,tag,xclass;
+	long len;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=ASN1_TYPE_new()) == NULL) goto err;
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	q=p;
+	max=(p+length);
+
+	inf=ASN1_get_object(&q,&len,&tag,&xclass,length);
+	if (inf & 0x80) goto err;
+	
+	ASN1_TYPE_component_free(ret);
+
+	switch (tag)
+		{
+	case V_ASN1_NULL:
+		p=q;
+		ret->value.ptr=NULL;
+		break;
+	case V_ASN1_INTEGER:
+		if ((ret->value.integer=
+			d2i_ASN1_INTEGER(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_ENUMERATED:
+		if ((ret->value.enumerated=
+			d2i_ASN1_ENUMERATED(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_BIT_STRING:
+		if ((ret->value.bit_string=
+			d2i_ASN1_BIT_STRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_OCTET_STRING:
+		if ((ret->value.octet_string=
+			d2i_ASN1_OCTET_STRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_VISIBLESTRING:
+		if ((ret->value.visiblestring=
+			d2i_ASN1_VISIBLESTRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_UTF8STRING:
+		if ((ret->value.utf8string=
+			d2i_ASN1_UTF8STRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_OBJECT:
+		if ((ret->value.object=
+			d2i_ASN1_OBJECT(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_PRINTABLESTRING:
+		if ((ret->value.printablestring=
+			d2i_ASN1_PRINTABLESTRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_T61STRING:
+		if ((ret->value.t61string=
+			M_d2i_ASN1_T61STRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_IA5STRING:
+		if ((ret->value.ia5string=
+			M_d2i_ASN1_IA5STRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_GENERALSTRING:
+		if ((ret->value.generalstring=
+			M_d2i_ASN1_GENERALSTRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_UNIVERSALSTRING:
+		if ((ret->value.universalstring=
+			M_d2i_ASN1_UNIVERSALSTRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_BMPSTRING:
+		if ((ret->value.bmpstring=
+			M_d2i_ASN1_BMPSTRING(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_UTCTIME:
+		if ((ret->value.utctime=
+			d2i_ASN1_UTCTIME(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_GENERALIZEDTIME:
+		if ((ret->value.generalizedtime=
+			d2i_ASN1_GENERALIZEDTIME(NULL,&p,max-p)) == NULL)
+			goto err;
+		break;
+	case V_ASN1_SET:
+	case V_ASN1_SEQUENCE:
+		/* Sets and sequences are left complete */
+		if ((ret->value.set=ASN1_STRING_new()) == NULL) goto err;
+		ret->value.set->type=tag;
+		len+=(q-p);
+		if (!ASN1_STRING_set(ret->value.set,p,(int)len)) goto err;
+		p+=len;
+		break;
+	default:
+		ASN1err(ASN1_F_D2I_ASN1_TYPE,ASN1_R_BAD_TYPE);
+		goto err;
+		}
+
+	ret->type=tag;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) ASN1_TYPE_free(ret);
+	return(NULL);
+	}
+
+ASN1_TYPE *ASN1_TYPE_new(void)
+	{
+	ASN1_TYPE *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,ASN1_TYPE);
+	ret->type= -1;
+	ret->value.ptr=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_ASN1_TYPE_NEW);
+	}
+
+void ASN1_TYPE_free(ASN1_TYPE *a)
+	{
+	if (a == NULL) return;
+	ASN1_TYPE_component_free(a);
+	Free(a);
+	}
+
+int ASN1_TYPE_get(ASN1_TYPE *a)
+	{
+	if (a->value.ptr != NULL)
+		return(a->type);
+	else
+		return(0);
+	}
+
+void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
+	{
+	if (a->value.ptr != NULL)
+		ASN1_TYPE_component_free(a);
+	a->type=type;
+	a->value.ptr=value;
+	}
+
+static void ASN1_TYPE_component_free(ASN1_TYPE *a)
+	{
+	if (a == NULL) return;
+
+	if (a->value.ptr != NULL)
+		{
+		switch (a->type)
+			{
+		case V_ASN1_OBJECT:
+			ASN1_OBJECT_free(a->value.object);
+			break;
+		case V_ASN1_INTEGER:
+		case V_ASN1_NEG_INTEGER:
+		case V_ASN1_ENUMERATED:
+		case V_ASN1_NEG_ENUMERATED:
+		case V_ASN1_BIT_STRING:
+		case V_ASN1_OCTET_STRING:
+		case V_ASN1_SEQUENCE:
+		case V_ASN1_SET:
+		case V_ASN1_NUMERICSTRING:
+		case V_ASN1_PRINTABLESTRING:
+		case V_ASN1_T61STRING:
+		case V_ASN1_VIDEOTEXSTRING:
+		case V_ASN1_IA5STRING:
+		case V_ASN1_UTCTIME:
+		case V_ASN1_GENERALIZEDTIME:
+		case V_ASN1_GRAPHICSTRING:
+		case V_ASN1_VISIBLESTRING:
+		case V_ASN1_GENERALSTRING:
+		case V_ASN1_UNIVERSALSTRING:
+		case V_ASN1_BMPSTRING:
+		case V_ASN1_UTF8STRING:
+			ASN1_STRING_free((ASN1_STRING *)a->value.ptr);
+			break;
+		default:
+			/* MEMORY LEAK */
+			break;
+			}
+		a->type=0;
+		a->value.ptr=NULL;
+		}
+	}
+
+IMPLEMENT_STACK_OF(ASN1_TYPE)
+IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c
new file mode 100644
index 0000000..0756597
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_utctm.c
@@ -0,0 +1,266 @@
+/* crypto/asn1/a_utctm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#ifdef VMS
+#include <descrip.h>
+#include <lnmdef.h>
+#include <starlet.h>
+#endif
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_UTCTIME *ASN1_UTCTIME_new(void)
+{ return M_ASN1_UTCTIME_new(); }
+
+void ASN1_UTCTIME_free(ASN1_UTCTIME *x)
+{ M_ASN1_UTCTIME_free(x); }
+
+int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
+	{
+#ifndef CHARSET_EBCDIC
+	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+		V_ASN1_UTCTIME,V_ASN1_UNIVERSAL));
+#else
+	/* KLUDGE! We convert to ascii before writing DER */
+	int len;
+	char tmp[24];
+	ASN1_STRING x = *(ASN1_STRING *)a;
+
+	len = x.length;
+	ebcdic2ascii(tmp, x.data, (len >= sizeof tmp) ? sizeof tmp : len);
+	x.data = tmp;
+	return i2d_ASN1_bytes(&x, pp, V_ASN1_UTCTIME,V_ASN1_UNIVERSAL);
+#endif
+	}
+
+
+ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_UTCTIME *ret=NULL;
+
+	ret=(ASN1_UTCTIME *)d2i_ASN1_bytes((ASN1_STRING **)a,pp,length,
+		V_ASN1_UTCTIME,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_UTCTIME,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+#ifdef CHARSET_EBCDIC
+	ascii2ebcdic(ret->data, ret->data, ret->length);
+#endif
+	if (!ASN1_UTCTIME_check(ret))
+		{
+		ASN1err(ASN1_F_D2I_ASN1_UTCTIME,ASN1_R_INVALID_TIME_FORMAT);
+		goto err;
+		}
+
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		M_ASN1_UTCTIME_free(ret);
+	return(NULL);
+	}
+
+int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
+	{
+	static int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0};
+	static int max[8]={99,12,31,23,59,59,12,59};
+	char *a;
+	int n,i,l,o;
+
+	if (d->type != V_ASN1_UTCTIME) return(0);
+	l=d->length;
+	a=(char *)d->data;
+	o=0;
+
+	if (l < 11) goto err;
+	for (i=0; i<6; i++)
+		{
+		if ((i == 5) && ((a[o] == 'Z') ||
+			(a[o] == '+') || (a[o] == '-')))
+			{ i++; break; }
+		if ((a[o] < '0') || (a[o] > '9')) goto err;
+		n= a[o]-'0';
+		if (++o > l) goto err;
+
+		if ((a[o] < '0') || (a[o] > '9')) goto err;
+		n=(n*10)+ a[o]-'0';
+		if (++o > l) goto err;
+
+		if ((n < min[i]) || (n > max[i])) goto err;
+		}
+	if (a[o] == 'Z')
+		o++;
+	else if ((a[o] == '+') || (a[o] == '-'))
+		{
+		o++;
+		if (o+4 > l) goto err;
+		for (i=6; i<8; i++)
+			{
+			if ((a[o] < '0') || (a[o] > '9')) goto err;
+			n= a[o]-'0';
+			o++;
+			if ((a[o] < '0') || (a[o] > '9')) goto err;
+			n=(n*10)+ a[o]-'0';
+			if ((n < min[i]) || (n > max[i])) goto err;
+			o++;
+			}
+		}
+	return(o == l);
+err:
+	return(0);
+	}
+
+int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
+	{
+	ASN1_UTCTIME t;
+
+	t.type=V_ASN1_UTCTIME;
+	t.length=strlen(str);
+	t.data=(unsigned char *)str;
+	if (ASN1_UTCTIME_check(&t))
+		{
+		if (s != NULL)
+			{
+			ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length);
+			}
+		return(1);
+		}
+	else
+		return(0);
+	}
+
+ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
+	{
+	char *p;
+	struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+	struct tm data;
+#endif
+
+	if (s == NULL)
+		s=M_ASN1_UTCTIME_new();
+	if (s == NULL)
+		return(NULL);
+
+#if defined(THREADS) && !defined(WIN32)
+	gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+	ts=&data;
+#else
+	ts=gmtime(&t);
+#endif
+#ifdef VMS
+	if (ts == NULL)
+		{
+		static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
+		static $DESCRIPTOR(lognam,"SYS$TIMEZONE_DIFFERENTIAL");
+		char result[256];
+		unsigned int reslen = 0;
+		struct {
+			short buflen;
+			short code;
+			void *bufaddr;
+			unsigned int *reslen;
+		} itemlist[] = {
+			{ 0, LNM$_STRING, 0, 0 },
+			{ 0, 0, 0, 0 },
+		};
+		int status;
+
+		/* Get the value for SYS$TIMEZONE_DIFFERENTIAL */
+		itemlist[0].buflen = sizeof(result);
+		itemlist[0].bufaddr = result;
+		itemlist[0].reslen = &reslen;
+		status = sys$trnlnm(0, &tabnam, &lognam, 0, itemlist);
+		if (!(status & 1))
+			return NULL;
+		result[reslen] = '\0';
+
+		/* Get the numerical value of the equivalence string */
+		status = atoi(result);
+
+		/* and use it to move time to GMT */
+		t -= status;
+
+		/* then convert the result to the time structure */
+		ts=(struct tm *)localtime(&t);
+		}
+#endif
+	p=(char *)s->data;
+	if ((p == NULL) || (s->length < 14))
+		{
+		p=Malloc(20);
+		if (p == NULL) return(NULL);
+		if (s->data != NULL)
+			Free(s->data);
+		s->data=(unsigned char *)p;
+		}
+
+	sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
+		ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+	s->length=strlen(p);
+	s->type=V_ASN1_UTCTIME;
+#ifdef CHARSET_EBCDIC_not
+	ebcdic2ascii(s->data, s->data, s->length);
+#endif
+	return(s);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_utf8.c b/crypto/openssl/crypto/asn1/a_utf8.c
new file mode 100644
index 0000000..b5125af
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_utf8.c
@@ -0,0 +1,238 @@
+/* crypto/asn1/a_utf8.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_UTF8STRING *ASN1_UTF8STRING_new(void)
+{ return M_ASN1_UTF8STRING_new();}
+
+void ASN1_UTF8STRING_free(ASN1_UTF8STRING *x)
+{ M_ASN1_UTF8STRING_free(x);}
+
+int i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a, unsigned char **pp)
+	{
+	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+		V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL));
+	}
+
+ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a, unsigned char **pp,
+	     long length)
+	{
+	ASN1_UTF8STRING *ret=NULL;
+
+	ret=(ASN1_UTF8STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+		pp,length,V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_UTF8STRING,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+	return(ret);
+	}
+
+
+/* UTF8 utilities */
+
+/* This parses a UTF8 string one character at a time. It is passed a pointer
+ * to the string and the length of the string. It sets 'value' to the value of
+ * the current character. It returns the number of characters read or a
+ * negative error code:
+ * -1 = string too short
+ * -2 = illegal character
+ * -3 = subsequent characters not of the form 10xxxxxx
+ * -4 = character encoded incorrectly (not minimal length).
+ */
+
+int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
+{
+	const unsigned char *p;
+	unsigned long value;
+	int ret;
+	if(len <= 0) return 0;
+	p = str;
+
+	/* Check syntax and work out the encoded value (if correct) */
+	if((*p & 0x80) == 0) {
+		value = *p++ & 0x7f;
+		ret = 1;
+	} else if((*p & 0xe0) == 0xc0) {
+		if(len < 2) return -1;
+		if((p[1] & 0xc0) != 0x80) return -3;
+		value = (*p++ & 0x1f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x80) return -4;
+		ret = 2;
+	} else if((*p & 0xf0) == 0xe0) {
+		if(len < 3) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0xf) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x800) return -4;
+		ret = 3;
+	} else if((*p & 0xf8) == 0xf0) {
+		if(len < 4) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x7) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x10000) return -4;
+		ret = 4;
+	} else if((*p & 0xfc) == 0xf8) {
+		if(len < 5) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) 
+		   || ((p[4] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x3) << 24;
+		value |= (*p++ & 0x3f) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x200000) return -4;
+		ret = 5;
+	} else if((*p & 0xfe) == 0xfc) {
+		if(len < 6) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) 
+		   || ((p[4] & 0xc0) != 0x80) 
+		   || ((p[5] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x1) << 30;
+		value |= (*p++ & 0x3f) << 24;
+		value |= (*p++ & 0x3f) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x4000000) return -4;
+		ret = 6;
+	} else return -2;
+	*val = value;
+	return ret;
+}
+
+/* This takes a character 'value' and writes the UTF8 encoded value in
+ * 'str' where 'str' is a buffer containing 'len' characters. Returns
+ * the number of characters written or -1 if 'len' is too small. 'str' can
+ * be set to NULL in which case it just returns the number of characters.
+ * It will need at most 6 characters.
+ */
+
+int UTF8_putc(unsigned char *str, int len, unsigned long value)
+{
+	if(!str) len = 6;	/* Maximum we will need */
+	else if(len <= 0) return -1;
+	if(value < 0x80) {
+		if(str) *str = (unsigned char)value;
+		return 1;
+	}
+	if(value < 0x800) {
+		if(len < 2) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 2;
+	}
+	if(value < 0x10000) {
+		if(len < 3) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 3;
+	}
+	if(value < 0x200000) {
+		if(len < 4) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0);
+			*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 4;
+	}
+	if(value < 0x4000000) {
+		if(len < 5) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
+			*str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 5;
+	}
+	if(len < 6) return -1;
+	if(str) {
+		*str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
+		*str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+		*str = (unsigned char)((value & 0x3f) | 0x80);
+	}
+	return 6;
+}
diff --git a/crypto/openssl/crypto/asn1/a_verify.c b/crypto/openssl/crypto/asn1/a_verify.c
new file mode 100644
index 0000000..d4aede85
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_verify.c
@@ -0,0 +1,119 @@
+/* crypto/asn1/a_verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+
+#include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
+	     char *data, EVP_PKEY *pkey)
+	{
+	EVP_MD_CTX ctx;
+	const EVP_MD *type;
+	unsigned char *p,*buf_in=NULL;
+	int ret= -1,i,inl;
+
+	i=OBJ_obj2nid(a->algorithm);
+	type=EVP_get_digestbyname(OBJ_nid2sn(i));
+	if (type == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		goto err;
+		}
+	
+	inl=i2d(data,NULL);
+	buf_in=Malloc((unsigned int)inl);
+	if (buf_in == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	p=buf_in;
+
+	i2d(data,&p);
+	EVP_VerifyInit(&ctx,type);
+	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+
+	memset(buf_in,0,(unsigned int)inl);
+	Free(buf_in);
+
+	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
+			(unsigned int)signature->length,pkey) <= 0)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		ret=0;
+		goto err;
+		}
+	/* we don't need to zero the 'ctx' because we just checked
+	 * public information */
+	/* memset(&ctx,0,sizeof(ctx)); */
+	ret=1;
+err:
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/asn1/a_vis.c b/crypto/openssl/crypto/asn1/a_vis.c
new file mode 100644
index 0000000..5cfc080
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/a_vis.c
@@ -0,0 +1,89 @@
+/* crypto/asn1/a_vis.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+ASN1_VISIBLESTRING *ASN1_VISIBLESTRING_new(void)
+{ return M_ASN1_VISIBLESTRING_new(); }
+
+void ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *x)
+{ M_ASN1_VISIBLESTRING_free(x); }
+
+int i2d_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING *a, unsigned char **pp)
+	{
+	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+		V_ASN1_VISIBLESTRING,V_ASN1_UNIVERSAL));
+	}
+
+ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING **a,
+	     unsigned char **pp, long length)
+	{
+	ASN1_VISIBLESTRING *ret=NULL;
+
+	ret=(ASN1_VISIBLESTRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+		pp,length,V_ASN1_VISIBLESTRING,V_ASN1_UNIVERSAL);
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_D2I_ASN1_VISIBLESTRING,ERR_R_NESTED_ASN1_ERROR);
+		return(NULL);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h
new file mode 100644
index 0000000..99bd64a
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1.h
@@ -0,0 +1,1067 @@
+/* crypto/asn1/asn1.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_ASN1_H
+#define HEADER_ASN1_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <time.h>
+#include <openssl/bn.h>
+#include <openssl/stack.h>
+#include <openssl/safestack.h>
+
+#ifdef VMS
+#include <openssl/vms_idhacks.h>
+#endif
+
+#define V_ASN1_UNIVERSAL		0x00
+#define	V_ASN1_APPLICATION		0x40
+#define V_ASN1_CONTEXT_SPECIFIC		0x80
+#define V_ASN1_PRIVATE			0xc0
+
+#define V_ASN1_CONSTRUCTED		0x20
+#define V_ASN1_PRIMITIVE_TAG		0x1f
+#define V_ASN1_PRIMATIVE_TAG		0x1f
+
+#define V_ASN1_APP_CHOOSE		-2	/* let the recipient choose */
+
+#define V_ASN1_UNDEF			-1
+#define V_ASN1_EOC			0
+#define V_ASN1_BOOLEAN			1	/**/
+#define V_ASN1_INTEGER			2
+#define V_ASN1_NEG_INTEGER		(2+0x100)
+#define V_ASN1_BIT_STRING		3
+#define V_ASN1_OCTET_STRING		4
+#define V_ASN1_NULL			5
+#define V_ASN1_OBJECT			6
+#define V_ASN1_OBJECT_DESCRIPTOR	7
+#define V_ASN1_EXTERNAL			8
+#define V_ASN1_REAL			9
+#define V_ASN1_ENUMERATED		10
+#define V_ASN1_NEG_ENUMERATED		(10+0x100)
+#define V_ASN1_UTF8STRING		12
+#define V_ASN1_SEQUENCE			16
+#define V_ASN1_SET			17
+#define V_ASN1_NUMERICSTRING		18	/**/
+#define V_ASN1_PRINTABLESTRING		19
+#define V_ASN1_T61STRING		20
+#define V_ASN1_TELETEXSTRING		20	/* alias */
+#define V_ASN1_VIDEOTEXSTRING		21	/**/
+#define V_ASN1_IA5STRING		22
+#define V_ASN1_UTCTIME			23
+#define V_ASN1_GENERALIZEDTIME		24	/**/
+#define V_ASN1_GRAPHICSTRING		25	/**/
+#define V_ASN1_ISO64STRING		26	/**/
+#define V_ASN1_VISIBLESTRING		26	/* alias */
+#define V_ASN1_GENERALSTRING		27	/**/
+#define V_ASN1_UNIVERSALSTRING		28	/**/
+#define V_ASN1_BMPSTRING		30
+
+/* For use with d2i_ASN1_type_bytes() */
+#define B_ASN1_NUMERICSTRING	0x0001
+#define B_ASN1_PRINTABLESTRING	0x0002
+#define B_ASN1_T61STRING	0x0004
+#define B_ASN1_TELETEXSTRING	0x0008
+#define B_ASN1_VIDEOTEXSTRING	0x0008
+#define B_ASN1_IA5STRING	0x0010
+#define B_ASN1_GRAPHICSTRING	0x0020
+#define B_ASN1_ISO64STRING	0x0040
+#define B_ASN1_VISIBLESTRING	0x0040
+#define B_ASN1_GENERALSTRING	0x0080
+#define B_ASN1_UNIVERSALSTRING	0x0100
+#define B_ASN1_OCTET_STRING	0x0200
+#define B_ASN1_BIT_STRING	0x0400
+#define B_ASN1_BMPSTRING	0x0800
+#define B_ASN1_UNKNOWN		0x1000
+#define B_ASN1_UTF8STRING	0x2000
+
+/* For use with ASN1_mbstring_copy() */
+#define MBSTRING_FLAG		0x1000
+#define MBSTRING_ASC		(MBSTRING_FLAG|1)
+#define MBSTRING_BMP		(MBSTRING_FLAG|2)
+#define MBSTRING_UNIV		(MBSTRING_FLAG|3)
+#define MBSTRING_UTF8		(MBSTRING_FLAG|4)
+
+#define DECLARE_ASN1_SET_OF(type) \
+int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
+			   int (*func)(type *,unsigned char **), int ex_tag, \
+			   int ex_class, int is_set); \
+STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
+				       long length, \
+				       type *(*func)(type **, \
+						     unsigned char **,long), \
+				       void (*free_func)(type *), \
+				       int ex_tag,int ex_class);
+
+#define IMPLEMENT_ASN1_SET_OF(type) \
+int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
+			   int (*func)(type *,unsigned char **), int ex_tag, \
+			   int ex_class, int is_set) \
+    { return i2d_ASN1_SET((STACK *)a,pp,func,ex_tag,ex_class,is_set); } \
+STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
+				       long length, \
+				       type *(*func)(type **, \
+						     unsigned char **,long), \
+				       void (*free_func)(type *), \
+				       int ex_tag,int ex_class) \
+    { return (STACK_OF(type) *)d2i_ASN1_SET((STACK **)a,pp,length, \
+					    (char *(*)())func, \
+					    (void (*)())free_func, \
+					    ex_tag,ex_class); }
+
+typedef struct asn1_ctx_st
+	{
+	unsigned char *p;/* work char pointer */
+	int eos;	/* end of sequence read for indefinite encoding */
+	int error;	/* error code to use when returning an error */
+	int inf;	/* constructed if 0x20, indefinite is 0x21 */
+	int tag;	/* tag from last 'get object' */
+	int xclass;	/* class from last 'get object' */
+	long slen;	/* length of last 'get object' */
+	unsigned char *max; /* largest value of p allowed */
+	unsigned char *q;/* temporary variable */
+	unsigned char **pp;/* variable */
+	int line;	/* used in error processing */
+	} ASN1_CTX;
+
+/* These are used internally in the ASN1_OBJECT to keep track of
+ * whether the names and data need to be free()ed */
+#define ASN1_OBJECT_FLAG_DYNAMIC	 0x01	/* internal use */
+#define ASN1_OBJECT_FLAG_CRITICAL	 0x02	/* critical x509v3 object id */
+#define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04	/* internal use */
+#define ASN1_OBJECT_FLAG_DYNAMIC_DATA 	 0x08	/* internal use */
+typedef struct asn1_object_st
+	{
+	const char *sn,*ln;
+	int nid;
+	int length;
+	unsigned char *data;
+	int flags;	/* Should we free this one */
+	} ASN1_OBJECT;
+
+#define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */
+/* This is the base type that holds just about everything :-) */
+typedef struct asn1_string_st
+	{
+	int length;
+	int type;
+	unsigned char *data;
+	/* The value of the following field depends on the type being
+	 * held.  It is mostly being used for BIT_STRING so if the
+	 * input data has a non-zero 'unused bits' value, it will be
+	 * handled correctly */
+	long flags;
+	} ASN1_STRING;
+
+#define STABLE_FLAGS_MALLOC	0x01
+#define STABLE_NO_MASK		0x02
+#define DIRSTRING_TYPE	\
+ (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
+#define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
+
+typedef struct asn1_string_table_st {
+	int nid;
+	long minsize;
+	long maxsize;
+	unsigned long mask;
+	unsigned long flags;
+} ASN1_STRING_TABLE;
+
+DECLARE_STACK_OF(ASN1_STRING_TABLE)
+
+/* size limits: this stuff is taken straight from RFC2459 */
+
+#define ub_name				32768
+#define ub_common_name			64
+#define ub_locality_name		128
+#define ub_state_name			128
+#define ub_organization_name		64
+#define ub_organization_unit_name	64
+#define ub_title			64
+#define ub_email_address		128
+
+#ifdef NO_ASN1_TYPEDEFS
+#define ASN1_INTEGER		ASN1_STRING
+#define ASN1_ENUMERATED		ASN1_STRING
+#define ASN1_BIT_STRING		ASN1_STRING
+#define ASN1_OCTET_STRING	ASN1_STRING
+#define ASN1_PRINTABLESTRING	ASN1_STRING
+#define ASN1_T61STRING		ASN1_STRING
+#define ASN1_IA5STRING		ASN1_STRING
+#define ASN1_UTCTIME		ASN1_STRING
+#define ASN1_GENERALIZEDTIME	ASN1_STRING
+#define ASN1_TIME		ASN1_STRING
+#define ASN1_GENERALSTRING	ASN1_STRING
+#define ASN1_UNIVERSALSTRING	ASN1_STRING
+#define ASN1_BMPSTRING		ASN1_STRING
+#define ASN1_VISIBLESTRING	ASN1_STRING
+#define ASN1_UTF8STRING		ASN1_STRING
+#else
+typedef struct asn1_string_st ASN1_INTEGER;
+typedef struct asn1_string_st ASN1_ENUMERATED;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_OCTET_STRING;
+typedef struct asn1_string_st ASN1_PRINTABLESTRING;
+typedef struct asn1_string_st ASN1_T61STRING;
+typedef struct asn1_string_st ASN1_IA5STRING;
+typedef struct asn1_string_st ASN1_GENERALSTRING;
+typedef struct asn1_string_st ASN1_UNIVERSALSTRING;
+typedef struct asn1_string_st ASN1_BMPSTRING;
+typedef struct asn1_string_st ASN1_UTCTIME;
+typedef struct asn1_string_st ASN1_TIME;
+typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
+typedef struct asn1_string_st ASN1_VISIBLESTRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
+#endif
+
+typedef int ASN1_NULL;
+
+typedef struct asn1_type_st
+	{
+	int type;
+	union	{
+		char *ptr;
+		ASN1_STRING *		asn1_string;
+		ASN1_OBJECT *		object;
+		ASN1_INTEGER *		integer;
+		ASN1_ENUMERATED *	enumerated;
+		ASN1_BIT_STRING *	bit_string;
+		ASN1_OCTET_STRING *	octet_string;
+		ASN1_PRINTABLESTRING *	printablestring;
+		ASN1_T61STRING *	t61string;
+		ASN1_IA5STRING *	ia5string;
+		ASN1_GENERALSTRING *	generalstring;
+		ASN1_BMPSTRING *	bmpstring;
+		ASN1_UNIVERSALSTRING *	universalstring;
+		ASN1_UTCTIME *		utctime;
+		ASN1_GENERALIZEDTIME *	generalizedtime;
+		ASN1_VISIBLESTRING *	visiblestring;
+		ASN1_UTF8STRING *	utf8string;
+		/* set and sequence are left complete and still
+		 * contain the set or sequence bytes */
+		ASN1_STRING *		set;
+		ASN1_STRING *		sequence;
+		} value;
+	} ASN1_TYPE;
+
+DECLARE_STACK_OF(ASN1_TYPE)
+DECLARE_ASN1_SET_OF(ASN1_TYPE)
+
+typedef struct asn1_method_st
+	{
+	int (*i2d)();
+	char *(*d2i)();
+	char *(*create)();
+	void (*destroy)();
+	} ASN1_METHOD;
+
+/* This is used when parsing some Netscape objects */
+typedef struct asn1_header_st
+	{
+	ASN1_OCTET_STRING *header;
+	char *data;
+	ASN1_METHOD *meth;
+	} ASN1_HEADER;
+
+/* This is used to contain a list of bit names */
+typedef struct BIT_STRING_BITNAME_st {
+	int bitnum;
+	const char *lname;
+	const char *sname;
+} BIT_STRING_BITNAME;
+
+
+#define M_ASN1_STRING_length(x)	((x)->length)
+#define M_ASN1_STRING_length_set(x, n)	((x)->length = (n))
+#define M_ASN1_STRING_type(x)	((x)->type)
+#define M_ASN1_STRING_data(x)	((x)->data)
+
+/* Macros for string operations */
+#define M_ASN1_BIT_STRING_new()	(ASN1_BIT_STRING *)\
+		ASN1_STRING_type_new(V_ASN1_BIT_STRING)
+#define M_ASN1_BIT_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_BIT_STRING_dup(a) (ASN1_BIT_STRING *)\
+		ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\
+		(ASN1_STRING *)a,(ASN1_STRING *)b)
+#define M_ASN1_BIT_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c)
+
+#define M_ASN1_INTEGER_new()	(ASN1_INTEGER *)\
+		ASN1_STRING_type_new(V_ASN1_INTEGER)
+#define M_ASN1_INTEGER_free(a)		ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_INTEGER_dup(a) (ASN1_INTEGER *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_INTEGER_cmp(a,b)	ASN1_STRING_cmp(\
+		(ASN1_STRING *)a,(ASN1_STRING *)b)
+
+#define M_ASN1_ENUMERATED_new()	(ASN1_ENUMERATED *)\
+		ASN1_STRING_type_new(V_ASN1_ENUMERATED)
+#define M_ASN1_ENUMERATED_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_ENUMERATED_dup(a) (ASN1_ENUMERATED *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_ENUMERATED_cmp(a,b)	ASN1_STRING_cmp(\
+		(ASN1_STRING *)a,(ASN1_STRING *)b)
+
+#define M_ASN1_OCTET_STRING_new()	(ASN1_OCTET_STRING *)\
+		ASN1_STRING_type_new(V_ASN1_OCTET_STRING)
+#define M_ASN1_OCTET_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_OCTET_STRING_dup(a) (ASN1_OCTET_STRING *)\
+		ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_OCTET_STRING_cmp(a,b) ASN1_STRING_cmp(\
+		(ASN1_STRING *)a,(ASN1_STRING *)b)
+#define M_ASN1_OCTET_STRING_set(a,b,c)	ASN1_STRING_set((ASN1_STRING *)a,b,c)
+#define M_ASN1_OCTET_STRING_print(a,b)	ASN1_STRING_print(a,(ASN1_STRING *)b)
+#define M_i2d_ASN1_OCTET_STRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_OCTET_STRING,\
+		V_ASN1_UNIVERSAL)
+
+#define M_ASN1_PRINTABLE_new()	ASN1_STRING_type_new(V_ASN1_T61STRING)
+#define M_ASN1_PRINTABLE_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
+		pp,a->type,V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_PRINTABLE(a,pp,l) \
+		d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
+			B_ASN1_PRINTABLESTRING| \
+			B_ASN1_T61STRING| \
+			B_ASN1_IA5STRING| \
+			B_ASN1_BIT_STRING| \
+			B_ASN1_UNIVERSALSTRING|\
+			B_ASN1_BMPSTRING|\
+			B_ASN1_UTF8STRING|\
+			B_ASN1_UNKNOWN)
+
+#define M_DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
+#define M_DIRECTORYSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_DIRECTORYSTRING(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
+						pp,a->type,V_ASN1_UNIVERSAL)
+#define M_d2i_DIRECTORYSTRING(a,pp,l) \
+		d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
+			B_ASN1_PRINTABLESTRING| \
+			B_ASN1_TELETEXSTRING|\
+			B_ASN1_BMPSTRING|\
+			B_ASN1_UNIVERSALSTRING|\
+			B_ASN1_UTF8STRING)
+
+#define M_DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
+#define M_DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_DISPLAYTEXT(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
+						pp,a->type,V_ASN1_UNIVERSAL)
+#define M_d2i_DISPLAYTEXT(a,pp,l) \
+		d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
+			B_ASN1_VISIBLESTRING| \
+			B_ASN1_BMPSTRING|\
+			B_ASN1_UTF8STRING)
+
+#define M_ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\
+		ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
+#define M_ASN1_PRINTABLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_PRINTABLESTRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_PRINTABLESTRING,\
+		V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_PRINTABLESTRING(a,pp,l) \
+		(ASN1_PRINTABLESTRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_PRINTABLESTRING)
+
+#define M_ASN1_T61STRING_new()	(ASN1_T61STRING *)\
+		ASN1_STRING_type_new(V_ASN1_T61STRING)
+#define M_ASN1_T61STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_T61STRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_T61STRING,\
+		V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_T61STRING(a,pp,l) \
+		(ASN1_T61STRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_T61STRING)
+
+#define M_ASN1_IA5STRING_new()	(ASN1_IA5STRING *)\
+		ASN1_STRING_type_new(V_ASN1_IA5STRING)
+#define M_ASN1_IA5STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_IA5STRING_dup(a)	\
+			(ASN1_IA5STRING *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_i2d_ASN1_IA5STRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_IA5STRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_IA5STRING(a,pp,l) \
+		(ASN1_IA5STRING *)d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l,\
+			B_ASN1_IA5STRING)
+
+#define M_ASN1_UTCTIME_new()	(ASN1_UTCTIME *)\
+		ASN1_STRING_type_new(V_ASN1_UTCTIME)
+#define M_ASN1_UTCTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_UTCTIME_dup(a) (ASN1_UTCTIME *)ASN1_STRING_dup((ASN1_STRING *)a)
+
+#define M_ASN1_GENERALIZEDTIME_new()	(ASN1_GENERALIZEDTIME *)\
+		ASN1_STRING_type_new(V_ASN1_GENERALIZEDTIME)
+#define M_ASN1_GENERALIZEDTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_GENERALIZEDTIME_dup(a) (ASN1_GENERALIZEDTIME *)ASN1_STRING_dup(\
+	(ASN1_STRING *)a)
+
+#define M_ASN1_TIME_new()	(ASN1_TIME *)\
+		ASN1_STRING_type_new(V_ASN1_UTCTIME)
+#define M_ASN1_TIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_TIME_dup(a) (ASN1_TIME *)ASN1_STRING_dup((ASN1_STRING *)a)
+
+#define M_ASN1_GENERALSTRING_new()	(ASN1_GENERALSTRING *)\
+		ASN1_STRING_type_new(V_ASN1_GENERALSTRING)
+#define M_ASN1_GENERALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_GENERALSTRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_GENERALSTRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_GENERALSTRING(a,pp,l) \
+		(ASN1_GENERALSTRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_GENERALSTRING)
+
+#define M_ASN1_UNIVERSALSTRING_new()	(ASN1_UNIVERSALSTRING *)\
+		ASN1_STRING_type_new(V_ASN1_UNIVERSALSTRING)
+#define M_ASN1_UNIVERSALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_UNIVERSALSTRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UNIVERSALSTRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_UNIVERSALSTRING(a,pp,l) \
+		(ASN1_UNIVERSALSTRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_UNIVERSALSTRING)
+
+#define M_ASN1_BMPSTRING_new()	(ASN1_BMPSTRING *)\
+		ASN1_STRING_type_new(V_ASN1_BMPSTRING)
+#define M_ASN1_BMPSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_BMPSTRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_BMPSTRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_BMPSTRING(a,pp,l) \
+		(ASN1_BMPSTRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_BMPSTRING)
+
+#define M_ASN1_VISIBLESTRING_new()	(ASN1_VISIBLESTRING *)\
+		ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
+#define M_ASN1_VISIBLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_VISIBLESTRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_VISIBLESTRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_VISIBLESTRING(a,pp,l) \
+		(ASN1_VISIBLESTRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_VISIBLESTRING)
+
+#define M_ASN1_UTF8STRING_new()	(ASN1_UTF8STRING *)\
+		ASN1_STRING_type_new(V_ASN1_UTF8STRING)
+#define M_ASN1_UTF8STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_UTF8STRING(a,pp) \
+		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UTF8STRING,\
+			V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_UTF8STRING(a,pp,l) \
+		(ASN1_UTF8STRING *)d2i_ASN1_type_bytes\
+		((ASN1_STRING **)a,pp,l,B_ASN1_UTF8STRING)
+
+  /* for the is_set parameter to i2d_ASN1_SET */
+#define IS_SEQUENCE	0
+#define IS_SET		1
+
+ASN1_TYPE *	ASN1_TYPE_new(void );
+void		ASN1_TYPE_free(ASN1_TYPE *a);
+int		i2d_ASN1_TYPE(ASN1_TYPE *a,unsigned char **pp);
+ASN1_TYPE *	d2i_ASN1_TYPE(ASN1_TYPE **a,unsigned char **pp,long length);
+int ASN1_TYPE_get(ASN1_TYPE *a);
+void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
+
+ASN1_OBJECT *	ASN1_OBJECT_new(void );
+void		ASN1_OBJECT_free(ASN1_OBJECT *a);
+int		i2d_ASN1_OBJECT(ASN1_OBJECT *a,unsigned char **pp);
+ASN1_OBJECT *	d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
+			long length);
+
+DECLARE_STACK_OF(ASN1_OBJECT)
+DECLARE_ASN1_SET_OF(ASN1_OBJECT)
+
+ASN1_STRING *	ASN1_STRING_new(void);
+void		ASN1_STRING_free(ASN1_STRING *a);
+ASN1_STRING *	ASN1_STRING_dup(ASN1_STRING *a);
+ASN1_STRING *	ASN1_STRING_type_new(int type );
+int 		ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b);
+  /* Since this is used to store all sorts of things, via macros, for now, make
+     its data void * */
+int 		ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
+int ASN1_STRING_length(ASN1_STRING *x);
+void ASN1_STRING_length_set(ASN1_STRING *x, int n);
+int ASN1_STRING_type(ASN1_STRING *x);
+unsigned char * ASN1_STRING_data(ASN1_STRING *x);
+
+ASN1_BIT_STRING *	ASN1_BIT_STRING_new(void);
+void		ASN1_BIT_STRING_free(ASN1_BIT_STRING *a);
+int		i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
+ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
+			long length);
+int		ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
+			int length );
+int		ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
+int		ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n);
+
+#ifdef HEADER_BIO_H
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+				BIT_STRING_BITNAME *tbl, int indent);
+#endif
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl);
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+				BIT_STRING_BITNAME *tbl);
+
+int		i2d_ASN1_BOOLEAN(int a,unsigned char **pp);
+int 		d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
+
+ASN1_INTEGER *	ASN1_INTEGER_new(void);
+void		ASN1_INTEGER_free(ASN1_INTEGER *a);
+int		i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
+ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
+			long length);
+ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
+			long length);
+ASN1_INTEGER *	ASN1_INTEGER_dup(ASN1_INTEGER *x);
+int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);
+
+ASN1_ENUMERATED *	ASN1_ENUMERATED_new(void);
+void		ASN1_ENUMERATED_free(ASN1_ENUMERATED *a);
+int		i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a,unsigned char **pp);
+ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a,unsigned char **pp,
+			long length);
+
+int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
+ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
+int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
+
+int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
+int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 
+
+ASN1_OCTET_STRING *	ASN1_OCTET_STRING_new(void);
+void		ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *a);
+int		i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a,unsigned char **pp);
+ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
+			unsigned char **pp,long length);
+ASN1_OCTET_STRING *	ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *a);
+int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
+int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
+
+ASN1_VISIBLESTRING *	ASN1_VISIBLESTRING_new(void);
+void		ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *a);
+int	i2d_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING *a,unsigned char **pp);
+ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING **a,
+			unsigned char **pp,long length);
+
+ASN1_UTF8STRING *	ASN1_UTF8STRING_new(void);
+void		ASN1_UTF8STRING_free(ASN1_UTF8STRING *a);
+int		i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a,unsigned char **pp);
+ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a,
+			unsigned char **pp,long length);
+
+ASN1_NULL *	ASN1_NULL_new(void);
+void		ASN1_NULL_free(ASN1_NULL *a);
+int		i2d_ASN1_NULL(ASN1_NULL *a,unsigned char **pp);
+ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **a, unsigned char **pp,long length);
+
+ASN1_BMPSTRING *	ASN1_BMPSTRING_new(void);
+void		ASN1_BMPSTRING_free(ASN1_BMPSTRING *a);
+int i2d_ASN1_BMPSTRING(ASN1_BMPSTRING *a, unsigned char **pp);
+ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **a, unsigned char **pp,
+	long length);
+
+
+int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
+int UTF8_putc(unsigned char *str, int len, unsigned long value);
+
+int i2d_ASN1_PRINTABLE(ASN1_STRING *a,unsigned char **pp);
+ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **a,
+	unsigned char **pp, long l);
+
+ASN1_PRINTABLESTRING *	ASN1_PRINTABLESTRING_new(void);
+void		ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *a);
+ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
+	unsigned char **pp, long l);
+int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp);
+
+ASN1_STRING *	DIRECTORYSTRING_new(void);
+void		DIRECTORYSTRING_free(ASN1_STRING *a);
+int	i2d_DIRECTORYSTRING(ASN1_STRING *a,unsigned char **pp);
+ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
+								 long length);
+
+ASN1_STRING *	DISPLAYTEXT_new(void);
+void		DISPLAYTEXT_free(ASN1_STRING *a);
+int	i2d_DISPLAYTEXT(ASN1_STRING *a,unsigned char **pp);
+ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **a, unsigned char **pp, long length);
+
+ASN1_T61STRING *	ASN1_T61STRING_new(void);
+void		ASN1_T61STRING_free(ASN1_IA5STRING *a);
+ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a,
+	unsigned char **pp, long l);
+
+ASN1_IA5STRING *	ASN1_IA5STRING_new(void);
+void		ASN1_IA5STRING_free(ASN1_IA5STRING *a);
+int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a,unsigned char **pp);
+ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a,
+	unsigned char **pp, long l);
+
+ASN1_UTCTIME *	ASN1_UTCTIME_new(void);
+void		ASN1_UTCTIME_free(ASN1_UTCTIME *a);
+int		i2d_ASN1_UTCTIME(ASN1_UTCTIME *a,unsigned char **pp);
+ASN1_UTCTIME *	d2i_ASN1_UTCTIME(ASN1_UTCTIME **a,unsigned char **pp,
+			long length);
+
+ASN1_GENERALIZEDTIME *	ASN1_GENERALIZEDTIME_new(void);
+void		ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *a);
+int		i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a,unsigned char **pp);
+ASN1_GENERALIZEDTIME *	d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,unsigned char **pp,
+			long length);
+
+ASN1_TIME *	ASN1_TIME_new(void);
+void		ASN1_TIME_free(ASN1_TIME *a);
+int		i2d_ASN1_TIME(ASN1_TIME *a,unsigned char **pp);
+ASN1_TIME *	d2i_ASN1_TIME(ASN1_TIME **a,unsigned char **pp, long length);
+ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
+
+int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
+			int (*func)(), int ex_tag, int ex_class, int is_set);
+STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
+			char *(*func)(), void (*free_func)(),
+			int ex_tag, int ex_class);
+
+#ifdef HEADER_BIO_H
+int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
+int a2i_ASN1_INTEGER(BIO *bp,ASN1_INTEGER *bs,char *buf,int size);
+int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a);
+int a2i_ASN1_ENUMERATED(BIO *bp,ASN1_ENUMERATED *bs,char *buf,int size);
+int i2a_ASN1_OBJECT(BIO *bp,ASN1_OBJECT *a);
+int a2i_ASN1_STRING(BIO *bp,ASN1_STRING *bs,char *buf,int size);
+int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type);
+#endif
+int i2t_ASN1_OBJECT(char *buf,int buf_len,ASN1_OBJECT *a);
+
+int a2d_ASN1_OBJECT(unsigned char *out,int olen, const char *buf, int num);
+ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data,int len,
+	char *sn, char *ln);
+
+int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
+long ASN1_INTEGER_get(ASN1_INTEGER *a);
+ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai);
+BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai,BIGNUM *bn);
+
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a);
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai);
+BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
+
+/* General */
+/* given a string, return the correct type, max is the maximum length */
+int ASN1_PRINTABLE_type(unsigned char *s, int max);
+
+int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
+	long length, int Ptag, int Pclass);
+/* type is one or more of the B_ASN1_ values. */
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,unsigned char **pp,
+		long length,int type);
+
+/* PARSING */
+int asn1_Finish(ASN1_CTX *c);
+
+/* SPECIALS */
+int ASN1_get_object(unsigned char **pp, long *plength, int *ptag,
+	int *pclass, long omax);
+int ASN1_check_infinite_end(unsigned char **p,long len);
+void ASN1_put_object(unsigned char **pp, int constructed, int length,
+	int tag, int xclass);
+int ASN1_object_size(int constructed, int length, int tag);
+
+/* Used to implement other functions */
+char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
+
+#ifndef NO_FP_API
+char *ASN1_d2i_fp(char *(*xnew)(),char *(*d2i)(),FILE *fp,unsigned char **x);
+int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+#endif
+
+#ifdef HEADER_BIO_H
+char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
+int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
+int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
+int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a);
+int ASN1_TIME_print(BIO *fp,ASN1_TIME *a);
+int ASN1_STRING_print(BIO *bp,ASN1_STRING *v);
+int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent);
+#endif
+const char *ASN1_tag2str(int tag);
+
+/* Used to load and write netscape format cert/key */
+int i2d_ASN1_HEADER(ASN1_HEADER *a,unsigned char **pp);
+ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a,unsigned char **pp, long length);
+ASN1_HEADER *ASN1_HEADER_new(void );
+void ASN1_HEADER_free(ASN1_HEADER *a);
+
+int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s);
+
+void ERR_load_ASN1_strings(void);
+
+/* Not used that much at this point, except for the first two */
+ASN1_METHOD *X509_asn1_meth(void);
+ASN1_METHOD *RSAPrivateKey_asn1_meth(void);
+ASN1_METHOD *ASN1_IA5STRING_asn1_meth(void);
+ASN1_METHOD *ASN1_BIT_STRING_asn1_meth(void);
+
+int ASN1_TYPE_set_octetstring(ASN1_TYPE *a,
+	unsigned char *data, int len);
+int ASN1_TYPE_get_octetstring(ASN1_TYPE *a,
+	unsigned char *data, int max_len);
+int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num,
+	unsigned char *data, int len);
+int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
+	unsigned char *data, int max_len);
+
+STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
+						 void (*free_func)() ); 
+unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
+								 int *len );
+void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());
+ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
+
+void ASN1_STRING_set_default_mask(unsigned long mask);
+int ASN1_STRING_set_default_mask_asc(char *p);
+unsigned long ASN1_STRING_get_default_mask(void);
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask);
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask, 
+					long minsize, long maxsize);
+
+ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, 
+		const unsigned char *in, int inlen, int inform, int nid);
+ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
+int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long);
+void ASN1_STRING_TABLE_cleanup(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the ASN1 functions. */
+
+/* Function codes. */
+#define ASN1_F_A2D_ASN1_OBJECT				 100
+#define ASN1_F_A2I_ASN1_ENUMERATED			 236
+#define ASN1_F_A2I_ASN1_INTEGER				 101
+#define ASN1_F_A2I_ASN1_STRING				 102
+#define ASN1_F_ACCESS_DESCRIPTION_NEW			 291
+#define ASN1_F_ASN1_COLLATE_PRIMITIVE			 103
+#define ASN1_F_ASN1_D2I_BIO				 104
+#define ASN1_F_ASN1_D2I_FP				 105
+#define ASN1_F_ASN1_DUP					 106
+#define ASN1_F_ASN1_ENUMERATED_SET			 232
+#define ASN1_F_ASN1_ENUMERATED_TO_BN			 233
+#define ASN1_F_ASN1_GENERALIZEDTIME_NEW			 222
+#define ASN1_F_ASN1_GET_OBJECT				 107
+#define ASN1_F_ASN1_HEADER_NEW				 108
+#define ASN1_F_ASN1_I2D_BIO				 109
+#define ASN1_F_ASN1_I2D_FP				 110
+#define ASN1_F_ASN1_INTEGER_SET				 111
+#define ASN1_F_ASN1_INTEGER_TO_BN			 112
+#define ASN1_F_ASN1_MBSTRING_COPY			 282
+#define ASN1_F_ASN1_OBJECT_NEW				 113
+#define ASN1_F_ASN1_PACK_STRING				 245
+#define ASN1_F_ASN1_PBE_SET				 253
+#define ASN1_F_ASN1_SEQ_PACK				 246
+#define ASN1_F_ASN1_SEQ_UNPACK				 247
+#define ASN1_F_ASN1_SIGN				 114
+#define ASN1_F_ASN1_STRING_NEW				 115
+#define ASN1_F_ASN1_STRING_TABLE_ADD			 283
+#define ASN1_F_ASN1_STRING_TYPE_NEW			 116
+#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 117
+#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 118
+#define ASN1_F_ASN1_TYPE_NEW				 119
+#define ASN1_F_ASN1_UNPACK_STRING			 248
+#define ASN1_F_ASN1_UTCTIME_NEW				 120
+#define ASN1_F_ASN1_VERIFY				 121
+#define ASN1_F_AUTHORITY_KEYID_NEW			 237
+#define ASN1_F_BASIC_CONSTRAINTS_NEW			 226
+#define ASN1_F_BN_TO_ASN1_ENUMERATED			 234
+#define ASN1_F_BN_TO_ASN1_INTEGER			 122
+#define ASN1_F_D2I_ACCESS_DESCRIPTION			 284
+#define ASN1_F_D2I_ASN1_BIT_STRING			 123
+#define ASN1_F_D2I_ASN1_BMPSTRING			 124
+#define ASN1_F_D2I_ASN1_BOOLEAN				 125
+#define ASN1_F_D2I_ASN1_BYTES				 126
+#define ASN1_F_D2I_ASN1_ENUMERATED			 235
+#define ASN1_F_D2I_ASN1_GENERALIZEDTIME			 223
+#define ASN1_F_D2I_ASN1_HEADER				 127
+#define ASN1_F_D2I_ASN1_INTEGER				 128
+#define ASN1_F_D2I_ASN1_NULL				 292
+#define ASN1_F_D2I_ASN1_OBJECT				 129
+#define ASN1_F_D2I_ASN1_OCTET_STRING			 130
+#define ASN1_F_D2I_ASN1_PRINT_TYPE			 131
+#define ASN1_F_D2I_ASN1_SET				 132
+#define ASN1_F_D2I_ASN1_TIME				 224
+#define ASN1_F_D2I_ASN1_TYPE				 133
+#define ASN1_F_D2I_ASN1_TYPE_BYTES			 134
+#define ASN1_F_D2I_ASN1_UINTEGER			 280
+#define ASN1_F_D2I_ASN1_UTCTIME				 135
+#define ASN1_F_D2I_ASN1_UTF8STRING			 266
+#define ASN1_F_D2I_ASN1_VISIBLESTRING			 267
+#define ASN1_F_D2I_AUTHORITY_KEYID			 238
+#define ASN1_F_D2I_BASIC_CONSTRAINTS			 227
+#define ASN1_F_D2I_DHPARAMS				 136
+#define ASN1_F_D2I_DIST_POINT				 276
+#define ASN1_F_D2I_DIST_POINT_NAME			 277
+#define ASN1_F_D2I_DSAPARAMS				 137
+#define ASN1_F_D2I_DSAPRIVATEKEY			 138
+#define ASN1_F_D2I_DSAPUBLICKEY				 139
+#define ASN1_F_D2I_GENERAL_NAME				 230
+#define ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE		 228
+#define ASN1_F_D2I_NETSCAPE_PKEY			 140
+#define ASN1_F_D2I_NETSCAPE_RSA				 141
+#define ASN1_F_D2I_NETSCAPE_RSA_2			 142
+#define ASN1_F_D2I_NETSCAPE_SPKAC			 143
+#define ASN1_F_D2I_NETSCAPE_SPKI			 144
+#define ASN1_F_D2I_NOTICEREF				 268
+#define ASN1_F_D2I_OTHERNAME				 287
+#define ASN1_F_D2I_PBE2PARAM				 262
+#define ASN1_F_D2I_PBEPARAM				 249
+#define ASN1_F_D2I_PBKDF2PARAM				 263
+#define ASN1_F_D2I_PKCS12				 254
+#define ASN1_F_D2I_PKCS12_BAGS				 255
+#define ASN1_F_D2I_PKCS12_MAC_DATA			 256
+#define ASN1_F_D2I_PKCS12_SAFEBAG			 257
+#define ASN1_F_D2I_PKCS7				 145
+#define ASN1_F_D2I_PKCS7_DIGEST				 146
+#define ASN1_F_D2I_PKCS7_ENCRYPT			 147
+#define ASN1_F_D2I_PKCS7_ENC_CONTENT			 148
+#define ASN1_F_D2I_PKCS7_ENVELOPE			 149
+#define ASN1_F_D2I_PKCS7_ISSUER_AND_SERIAL		 150
+#define ASN1_F_D2I_PKCS7_RECIP_INFO			 151
+#define ASN1_F_D2I_PKCS7_SIGNED				 152
+#define ASN1_F_D2I_PKCS7_SIGNER_INFO			 153
+#define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE			 154
+#define ASN1_F_D2I_PKCS8_PRIV_KEY_INFO			 250
+#define ASN1_F_D2I_PKEY_USAGE_PERIOD			 239
+#define ASN1_F_D2I_POLICYINFO				 269
+#define ASN1_F_D2I_POLICYQUALINFO			 270
+#define ASN1_F_D2I_PRIVATEKEY				 155
+#define ASN1_F_D2I_PUBLICKEY				 156
+#define ASN1_F_D2I_RSAPRIVATEKEY			 157
+#define ASN1_F_D2I_RSAPUBLICKEY				 158
+#define ASN1_F_D2I_SXNET				 241
+#define ASN1_F_D2I_SXNETID				 243
+#define ASN1_F_D2I_USERNOTICE				 271
+#define ASN1_F_D2I_X509					 159
+#define ASN1_F_D2I_X509_ALGOR				 160
+#define ASN1_F_D2I_X509_ATTRIBUTE			 161
+#define ASN1_F_D2I_X509_CERT_AUX			 285
+#define ASN1_F_D2I_X509_CINF				 162
+#define ASN1_F_D2I_X509_CRL				 163
+#define ASN1_F_D2I_X509_CRL_INFO			 164
+#define ASN1_F_D2I_X509_EXTENSION			 165
+#define ASN1_F_D2I_X509_KEY				 166
+#define ASN1_F_D2I_X509_NAME				 167
+#define ASN1_F_D2I_X509_NAME_ENTRY			 168
+#define ASN1_F_D2I_X509_PKEY				 169
+#define ASN1_F_D2I_X509_PUBKEY				 170
+#define ASN1_F_D2I_X509_REQ				 171
+#define ASN1_F_D2I_X509_REQ_INFO			 172
+#define ASN1_F_D2I_X509_REVOKED				 173
+#define ASN1_F_D2I_X509_SIG				 174
+#define ASN1_F_D2I_X509_VAL				 175
+#define ASN1_F_DIST_POINT_NAME_NEW			 278
+#define ASN1_F_DIST_POINT_NEW				 279
+#define ASN1_F_GENERAL_NAME_NEW				 231
+#define ASN1_F_I2D_ASN1_HEADER				 176
+#define ASN1_F_I2D_ASN1_TIME				 225
+#define ASN1_F_I2D_DHPARAMS				 177
+#define ASN1_F_I2D_DSAPARAMS				 178
+#define ASN1_F_I2D_DSAPRIVATEKEY			 179
+#define ASN1_F_I2D_DSAPUBLICKEY				 180
+#define ASN1_F_I2D_DSA_PUBKEY				 290
+#define ASN1_F_I2D_NETSCAPE_RSA				 181
+#define ASN1_F_I2D_PKCS7				 182
+#define ASN1_F_I2D_PRIVATEKEY				 183
+#define ASN1_F_I2D_PUBLICKEY				 184
+#define ASN1_F_I2D_RSAPRIVATEKEY			 185
+#define ASN1_F_I2D_RSAPUBLICKEY				 186
+#define ASN1_F_I2D_RSA_PUBKEY				 289
+#define ASN1_F_I2D_X509_ATTRIBUTE			 187
+#define ASN1_F_I2T_ASN1_OBJECT				 188
+#define ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW		 229
+#define ASN1_F_NETSCAPE_PKEY_NEW			 189
+#define ASN1_F_NETSCAPE_SPKAC_NEW			 190
+#define ASN1_F_NETSCAPE_SPKI_NEW			 191
+#define ASN1_F_NOTICEREF_NEW				 272
+#define ASN1_F_OTHERNAME_NEW				 288
+#define ASN1_F_PBE2PARAM_NEW				 264
+#define ASN1_F_PBEPARAM_NEW				 251
+#define ASN1_F_PBKDF2PARAM_NEW				 265
+#define ASN1_F_PKCS12_BAGS_NEW				 258
+#define ASN1_F_PKCS12_MAC_DATA_NEW			 259
+#define ASN1_F_PKCS12_NEW				 260
+#define ASN1_F_PKCS12_SAFEBAG_NEW			 261
+#define ASN1_F_PKCS5_PBE2_SET				 281
+#define ASN1_F_PKCS7_DIGEST_NEW				 192
+#define ASN1_F_PKCS7_ENCRYPT_NEW			 193
+#define ASN1_F_PKCS7_ENC_CONTENT_NEW			 194
+#define ASN1_F_PKCS7_ENVELOPE_NEW			 195
+#define ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW		 196
+#define ASN1_F_PKCS7_NEW				 197
+#define ASN1_F_PKCS7_RECIP_INFO_NEW			 198
+#define ASN1_F_PKCS7_SIGNED_NEW				 199
+#define ASN1_F_PKCS7_SIGNER_INFO_NEW			 200
+#define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW			 201
+#define ASN1_F_PKCS8_PRIV_KEY_INFO_NEW			 252
+#define ASN1_F_PKEY_USAGE_PERIOD_NEW			 240
+#define ASN1_F_POLICYINFO_NEW				 273
+#define ASN1_F_POLICYQUALINFO_NEW			 274
+#define ASN1_F_SXNETID_NEW				 244
+#define ASN1_F_SXNET_NEW				 242
+#define ASN1_F_USERNOTICE_NEW				 275
+#define ASN1_F_X509_ALGOR_NEW				 202
+#define ASN1_F_X509_ATTRIBUTE_NEW			 203
+#define ASN1_F_X509_CERT_AUX_NEW			 286
+#define ASN1_F_X509_CINF_NEW				 204
+#define ASN1_F_X509_CRL_INFO_NEW			 205
+#define ASN1_F_X509_CRL_NEW				 206
+#define ASN1_F_X509_DHPARAMS_NEW			 207
+#define ASN1_F_X509_EXTENSION_NEW			 208
+#define ASN1_F_X509_INFO_NEW				 209
+#define ASN1_F_X509_KEY_NEW				 210
+#define ASN1_F_X509_NAME_ENTRY_NEW			 211
+#define ASN1_F_X509_NAME_NEW				 212
+#define ASN1_F_X509_NEW					 213
+#define ASN1_F_X509_PKEY_NEW				 214
+#define ASN1_F_X509_PUBKEY_NEW				 215
+#define ASN1_F_X509_REQ_INFO_NEW			 216
+#define ASN1_F_X509_REQ_NEW				 217
+#define ASN1_F_X509_REVOKED_NEW				 218
+#define ASN1_F_X509_SIG_NEW				 219
+#define ASN1_F_X509_VAL_FREE				 220
+#define ASN1_F_X509_VAL_NEW				 221
+
+/* Reason codes. */
+#define ASN1_R_BAD_CLASS				 100
+#define ASN1_R_BAD_OBJECT_HEADER			 101
+#define ASN1_R_BAD_PASSWORD_READ			 102
+#define ASN1_R_BAD_PKCS7_CONTENT			 103
+#define ASN1_R_BAD_PKCS7_TYPE				 104
+#define ASN1_R_BAD_TAG					 105
+#define ASN1_R_BAD_TYPE					 106
+#define ASN1_R_BN_LIB					 107
+#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH			 108
+#define ASN1_R_BUFFER_TOO_SMALL				 109
+#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER		 166
+#define ASN1_R_DATA_IS_WRONG				 110
+#define ASN1_R_DECODE_ERROR				 155
+#define ASN1_R_DECODING_ERROR				 111
+#define ASN1_R_ENCODE_ERROR				 156
+#define ASN1_R_ERROR_PARSING_SET_ELEMENT		 112
+#define ASN1_R_ERROR_SETTING_CIPHER_PARAMS		 157
+#define ASN1_R_EXPECTING_AN_ENUMERATED			 154
+#define ASN1_R_EXPECTING_AN_INTEGER			 113
+#define ASN1_R_EXPECTING_AN_OBJECT			 114
+#define ASN1_R_EXPECTING_AN_OCTET_STRING		 115
+#define ASN1_R_EXPECTING_A_BIT_STRING			 116
+#define ASN1_R_EXPECTING_A_BOOLEAN			 117
+#define ASN1_R_EXPECTING_A_GENERALIZEDTIME		 151
+#define ASN1_R_EXPECTING_A_NULL				 164
+#define ASN1_R_EXPECTING_A_TIME				 152
+#define ASN1_R_EXPECTING_A_UTCTIME			 118
+#define ASN1_R_FIRST_NUM_TOO_LARGE			 119
+#define ASN1_R_GENERALIZEDTIME_TOO_LONG			 153
+#define ASN1_R_HEADER_TOO_LONG				 120
+#define ASN1_R_ILLEGAL_CHARACTERS			 158
+#define ASN1_R_INVALID_BMPSTRING_LENGTH			 159
+#define ASN1_R_INVALID_DIGIT				 121
+#define ASN1_R_INVALID_SEPARATOR			 122
+#define ASN1_R_INVALID_TIME_FORMAT			 123
+#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH		 160
+#define ASN1_R_INVALID_UTF8STRING			 161
+#define ASN1_R_IV_TOO_LARGE				 124
+#define ASN1_R_LENGTH_ERROR				 125
+#define ASN1_R_MISSING_SECOND_NUMBER			 126
+#define ASN1_R_NON_HEX_CHARACTERS			 127
+#define ASN1_R_NOT_ENOUGH_DATA				 128
+#define ASN1_R_NULL_IS_WRONG_LENGTH			 165
+#define ASN1_R_ODD_NUMBER_OF_CHARS			 129
+#define ASN1_R_PARSING					 130
+#define ASN1_R_PRIVATE_KEY_HEADER_MISSING		 131
+#define ASN1_R_SECOND_NUMBER_TOO_LARGE			 132
+#define ASN1_R_SHORT_LINE				 133
+#define ASN1_R_STRING_TOO_LONG				 163
+#define ASN1_R_STRING_TOO_SHORT				 134
+#define ASN1_R_TAG_VALUE_TOO_HIGH			 135
+#define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 136
+#define ASN1_R_TOO_LONG					 137
+#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 138
+#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 139
+#define ASN1_R_UNKNOWN_ATTRIBUTE_TYPE			 140
+#define ASN1_R_UNKNOWN_FORMAT				 162
+#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM		 141
+#define ASN1_R_UNKNOWN_OBJECT_TYPE			 142
+#define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE			 143
+#define ASN1_R_UNSUPPORTED_CIPHER			 144
+#define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM		 145
+#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE		 146
+#define ASN1_R_UTCTIME_TOO_LONG				 147
+#define ASN1_R_WRONG_PRINTABLE_TYPE			 148
+#define ASN1_R_WRONG_TAG				 149
+#define ASN1_R_WRONG_TYPE				 150
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c
new file mode 100644
index 0000000..cecd555
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1_err.c
@@ -0,0 +1,352 @@
+/* crypto/asn1/asn1_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA ASN1_str_functs[]=
+	{
+{ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0),	"a2d_ASN1_OBJECT"},
+{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),	"a2i_ASN1_ENUMERATED"},
+{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0),	"a2i_ASN1_INTEGER"},
+{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),	"a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ACCESS_DESCRIPTION_NEW,0),	"ACCESS_DESCRIPTION_new"},
+{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),	"ASN1_COLLATE_PRIMITIVE"},
+{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),	"ASN1_d2i_bio"},
+{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),	"ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DUP,0),	"ASN1_dup"},
+{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),	"ASN1_ENUMERATED_set"},
+{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),	"ASN1_ENUMERATED_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_NEW,0),	"ASN1_GENERALIZEDTIME_new"},
+{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),	"ASN1_get_object"},
+{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),	"ASN1_HEADER_new"},
+{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),	"ASN1_i2d_bio"},
+{ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),	"ASN1_i2d_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0),	"ASN1_INTEGER_set"},
+{ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),	"ASN1_INTEGER_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),	"ASN1_mbstring_copy"},
+{ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),	"ASN1_OBJECT_new"},
+{ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0),	"ASN1_pack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0),	"ASN1_PBE_SET"},
+{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),	"ASN1_seq_pack"},
+{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),	"ASN1_seq_unpack"},
+{ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_NEW,0),	"ASN1_STRING_new"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_add"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
+{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
+{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
+{ERR_PACK(0,ASN1_F_ASN1_TYPE_NEW,0),	"ASN1_TYPE_new"},
+{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_NEW,0),	"ASN1_UTCTIME_new"},
+{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),	"ASN1_verify"},
+{ERR_PACK(0,ASN1_F_AUTHORITY_KEYID_NEW,0),	"AUTHORITY_KEYID_new"},
+{ERR_PACK(0,ASN1_F_BASIC_CONSTRAINTS_NEW,0),	"BASIC_CONSTRAINTS_new"},
+{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),	"BN_to_ASN1_ENUMERATED"},
+{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),	"BN_to_ASN1_INTEGER"},
+{ERR_PACK(0,ASN1_F_D2I_ACCESS_DESCRIPTION,0),	"d2i_ACCESS_DESCRIPTION"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),	"d2i_ASN1_BIT_STRING"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_BMPSTRING,0),	"d2i_ASN1_BMPSTRING"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0),	"d2i_ASN1_BOOLEAN"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0),	"d2i_ASN1_bytes"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_ENUMERATED,0),	"d2i_ASN1_ENUMERATED"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0),	"d2i_ASN1_GENERALIZEDTIME"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),	"d2i_ASN1_HEADER"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0),	"d2i_ASN1_INTEGER"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_NULL,0),	"d2i_ASN1_NULL"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),	"d2i_ASN1_OBJECT"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_OCTET_STRING,0),	"d2i_ASN1_OCTET_STRING"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_PRINT_TYPE,0),	"D2I_ASN1_PRINT_TYPE"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0),	"d2i_ASN1_SET"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_TIME,0),	"d2i_ASN1_TIME"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE,0),	"d2i_ASN1_TYPE"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0),	"d2i_ASN1_type_bytes"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0),	"d2i_ASN1_UINTEGER"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0),	"d2i_ASN1_UTCTIME"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_UTF8STRING,0),	"d2i_ASN1_UTF8STRING"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_VISIBLESTRING,0),	"d2i_ASN1_VISIBLESTRING"},
+{ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),	"d2i_AUTHORITY_KEYID"},
+{ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),	"d2i_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),	"d2i_DHparams"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0),	"d2i_DIST_POINT"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0),	"d2i_DIST_POINT_NAME"},
+{ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),	"d2i_DSAparams"},
+{ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),	"d2i_DSAPrivateKey"},
+{ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0),	"d2i_DSAPublicKey"},
+{ERR_PACK(0,ASN1_F_D2I_GENERAL_NAME,0),	"d2i_GENERAL_NAME"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE,0),	"d2i_NETSCAPE_CERT_SEQUENCE"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_PKEY,0),	"D2I_NETSCAPE_PKEY"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0),	"d2i_Netscape_RSA"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),	"d2i_Netscape_RSA_2"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKAC,0),	"d2i_NETSCAPE_SPKAC"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKI,0),	"d2i_NETSCAPE_SPKI"},
+{ERR_PACK(0,ASN1_F_D2I_NOTICEREF,0),	"d2i_NOTICEREF"},
+{ERR_PACK(0,ASN1_F_D2I_OTHERNAME,0),	"d2i_OTHERNAME"},
+{ERR_PACK(0,ASN1_F_D2I_PBE2PARAM,0),	"d2i_PBE2PARAM"},
+{ERR_PACK(0,ASN1_F_D2I_PBEPARAM,0),	"d2i_PBEPARAM"},
+{ERR_PACK(0,ASN1_F_D2I_PBKDF2PARAM,0),	"d2i_PBKDF2PARAM"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS12,0),	"d2i_PKCS12"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS12_BAGS,0),	"d2i_PKCS12_BAGS"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS12_MAC_DATA,0),	"d2i_PKCS12_MAC_DATA"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS12_SAFEBAG,0),	"d2i_PKCS12_SAFEBAG"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7,0),	"d2i_PKCS7"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_DIGEST,0),	"d2i_PKCS7_DIGEST"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENCRYPT,0),	"d2i_PKCS7_ENCRYPT"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENC_CONTENT,0),	"d2i_PKCS7_ENC_CONTENT"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENVELOPE,0),	"d2i_PKCS7_ENVELOPE"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_ISSUER_AND_SERIAL,0),	"d2i_PKCS7_ISSUER_AND_SERIAL"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_RECIP_INFO,0),	"d2i_PKCS7_RECIP_INFO"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNED,0),	"d2i_PKCS7_SIGNED"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNER_INFO,0),	"d2i_PKCS7_SIGNER_INFO"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGN_ENVELOPE,0),	"d2i_PKCS7_SIGN_ENVELOPE"},
+{ERR_PACK(0,ASN1_F_D2I_PKCS8_PRIV_KEY_INFO,0),	"d2i_PKCS8_PRIV_KEY_INFO"},
+{ERR_PACK(0,ASN1_F_D2I_PKEY_USAGE_PERIOD,0),	"d2i_PKEY_USAGE_PERIOD"},
+{ERR_PACK(0,ASN1_F_D2I_POLICYINFO,0),	"d2i_POLICYINFO"},
+{ERR_PACK(0,ASN1_F_D2I_POLICYQUALINFO,0),	"d2i_POLICYQUALINFO"},
+{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),	"d2i_PrivateKey"},
+{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),	"d2i_PublicKey"},
+{ERR_PACK(0,ASN1_F_D2I_RSAPRIVATEKEY,0),	"d2i_RSAPrivateKey"},
+{ERR_PACK(0,ASN1_F_D2I_RSAPUBLICKEY,0),	"d2i_RSAPublicKey"},
+{ERR_PACK(0,ASN1_F_D2I_SXNET,0),	"d2i_SXNET"},
+{ERR_PACK(0,ASN1_F_D2I_SXNETID,0),	"d2i_SXNETID"},
+{ERR_PACK(0,ASN1_F_D2I_USERNOTICE,0),	"d2i_USERNOTICE"},
+{ERR_PACK(0,ASN1_F_D2I_X509,0),	"d2i_X509"},
+{ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0),	"d2i_X509_ALGOR"},
+{ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0),	"d2i_X509_ATTRIBUTE"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CERT_AUX,0),	"d2i_X509_CERT_AUX"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),	"d2i_X509_CINF"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CRL,0),	"d2i_X509_CRL"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CRL_INFO,0),	"d2i_X509_CRL_INFO"},
+{ERR_PACK(0,ASN1_F_D2I_X509_EXTENSION,0),	"d2i_X509_EXTENSION"},
+{ERR_PACK(0,ASN1_F_D2I_X509_KEY,0),	"D2I_X509_KEY"},
+{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),	"d2i_X509_NAME"},
+{ERR_PACK(0,ASN1_F_D2I_X509_NAME_ENTRY,0),	"d2i_X509_NAME_ENTRY"},
+{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
+{ERR_PACK(0,ASN1_F_D2I_X509_PUBKEY,0),	"d2i_X509_PUBKEY"},
+{ERR_PACK(0,ASN1_F_D2I_X509_REQ,0),	"d2i_X509_REQ"},
+{ERR_PACK(0,ASN1_F_D2I_X509_REQ_INFO,0),	"d2i_X509_REQ_INFO"},
+{ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0),	"d2i_X509_REVOKED"},
+{ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),	"d2i_X509_SIG"},
+{ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),	"d2i_X509_VAL"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0),	"DIST_POINT_NAME_new"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0),	"DIST_POINT_new"},
+{ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0),	"GENERAL_NAME_new"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0),	"i2d_ASN1_HEADER"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"i2d_ASN1_TIME"},
+{ERR_PACK(0,ASN1_F_I2D_DHPARAMS,0),	"i2d_DHparams"},
+{ERR_PACK(0,ASN1_F_I2D_DSAPARAMS,0),	"i2d_DSAparams"},
+{ERR_PACK(0,ASN1_F_I2D_DSAPRIVATEKEY,0),	"i2d_DSAPrivateKey"},
+{ERR_PACK(0,ASN1_F_I2D_DSAPUBLICKEY,0),	"i2d_DSAPublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
+{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
+{ERR_PACK(0,ASN1_F_I2D_PKCS7,0),	"i2d_PKCS7"},
+{ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
+{ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_RSAPRIVATEKEY,0),	"i2d_RSAPrivateKey"},
+{ERR_PACK(0,ASN1_F_I2D_RSAPUBLICKEY,0),	"i2d_RSAPublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
+{ERR_PACK(0,ASN1_F_I2D_X509_ATTRIBUTE,0),	"i2d_X509_ATTRIBUTE"},
+{ERR_PACK(0,ASN1_F_I2T_ASN1_OBJECT,0),	"i2t_ASN1_OBJECT"},
+{ERR_PACK(0,ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW,0),	"NETSCAPE_CERT_SEQUENCE_new"},
+{ERR_PACK(0,ASN1_F_NETSCAPE_PKEY_NEW,0),	"NETSCAPE_PKEY_NEW"},
+{ERR_PACK(0,ASN1_F_NETSCAPE_SPKAC_NEW,0),	"NETSCAPE_SPKAC_new"},
+{ERR_PACK(0,ASN1_F_NETSCAPE_SPKI_NEW,0),	"NETSCAPE_SPKI_new"},
+{ERR_PACK(0,ASN1_F_NOTICEREF_NEW,0),	"NOTICEREF_new"},
+{ERR_PACK(0,ASN1_F_OTHERNAME_NEW,0),	"OTHERNAME_new"},
+{ERR_PACK(0,ASN1_F_PBE2PARAM_NEW,0),	"PBE2PARAM_new"},
+{ERR_PACK(0,ASN1_F_PBEPARAM_NEW,0),	"PBEPARAM_new"},
+{ERR_PACK(0,ASN1_F_PBKDF2PARAM_NEW,0),	"PBKDF2PARAM_new"},
+{ERR_PACK(0,ASN1_F_PKCS12_BAGS_NEW,0),	"PKCS12_BAGS_new"},
+{ERR_PACK(0,ASN1_F_PKCS12_MAC_DATA_NEW,0),	"PKCS12_MAC_DATA_new"},
+{ERR_PACK(0,ASN1_F_PKCS12_NEW,0),	"PKCS12_new"},
+{ERR_PACK(0,ASN1_F_PKCS12_SAFEBAG_NEW,0),	"PKCS12_SAFEBAG_new"},
+{ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),	"PKCS5_pbe2_set"},
+{ERR_PACK(0,ASN1_F_PKCS7_DIGEST_NEW,0),	"PKCS7_DIGEST_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_ENCRYPT_NEW,0),	"PKCS7_ENCRYPT_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_ENC_CONTENT_NEW,0),	"PKCS7_ENC_CONTENT_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_ENVELOPE_NEW,0),	"PKCS7_ENVELOPE_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW,0),	"PKCS7_ISSUER_AND_SERIAL_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_NEW,0),	"PKCS7_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_RECIP_INFO_NEW,0),	"PKCS7_RECIP_INFO_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_SIGNED_NEW,0),	"PKCS7_SIGNED_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_SIGNER_INFO_NEW,0),	"PKCS7_SIGNER_INFO_new"},
+{ERR_PACK(0,ASN1_F_PKCS7_SIGN_ENVELOPE_NEW,0),	"PKCS7_SIGN_ENVELOPE_new"},
+{ERR_PACK(0,ASN1_F_PKCS8_PRIV_KEY_INFO_NEW,0),	"PKCS8_PRIV_KEY_INFO_new"},
+{ERR_PACK(0,ASN1_F_PKEY_USAGE_PERIOD_NEW,0),	"PKEY_USAGE_PERIOD_new"},
+{ERR_PACK(0,ASN1_F_POLICYINFO_NEW,0),	"POLICYINFO_new"},
+{ERR_PACK(0,ASN1_F_POLICYQUALINFO_NEW,0),	"POLICYQUALINFO_new"},
+{ERR_PACK(0,ASN1_F_SXNETID_NEW,0),	"SXNETID_new"},
+{ERR_PACK(0,ASN1_F_SXNET_NEW,0),	"SXNET_new"},
+{ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0),	"USERNOTICE_new"},
+{ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0),	"X509_ALGOR_new"},
+{ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0),	"X509_ATTRIBUTE_new"},
+{ERR_PACK(0,ASN1_F_X509_CERT_AUX_NEW,0),	"X509_CERT_AUX_new"},
+{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_new"},
+{ERR_PACK(0,ASN1_F_X509_CRL_INFO_NEW,0),	"X509_CRL_INFO_new"},
+{ERR_PACK(0,ASN1_F_X509_CRL_NEW,0),	"X509_CRL_new"},
+{ERR_PACK(0,ASN1_F_X509_DHPARAMS_NEW,0),	"X509_DHPARAMS_NEW"},
+{ERR_PACK(0,ASN1_F_X509_EXTENSION_NEW,0),	"X509_EXTENSION_new"},
+{ERR_PACK(0,ASN1_F_X509_INFO_NEW,0),	"X509_INFO_new"},
+{ERR_PACK(0,ASN1_F_X509_KEY_NEW,0),	"X509_KEY_NEW"},
+{ERR_PACK(0,ASN1_F_X509_NAME_ENTRY_NEW,0),	"X509_NAME_ENTRY_new"},
+{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),	"X509_NAME_new"},
+{ERR_PACK(0,ASN1_F_X509_NEW,0),	"X509_new"},
+{ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0),	"X509_PKEY_new"},
+{ERR_PACK(0,ASN1_F_X509_PUBKEY_NEW,0),	"X509_PUBKEY_new"},
+{ERR_PACK(0,ASN1_F_X509_REQ_INFO_NEW,0),	"X509_REQ_INFO_new"},
+{ERR_PACK(0,ASN1_F_X509_REQ_NEW,0),	"X509_REQ_new"},
+{ERR_PACK(0,ASN1_F_X509_REVOKED_NEW,0),	"X509_REVOKED_new"},
+{ERR_PACK(0,ASN1_F_X509_SIG_NEW,0),	"X509_SIG_new"},
+{ERR_PACK(0,ASN1_F_X509_VAL_FREE,0),	"X509_VAL_free"},
+{ERR_PACK(0,ASN1_F_X509_VAL_NEW,0),	"X509_VAL_new"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ASN1_str_reasons[]=
+	{
+{ASN1_R_BAD_CLASS                        ,"bad class"},
+{ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
+{ASN1_R_BAD_PASSWORD_READ                ,"bad password read"},
+{ASN1_R_BAD_PKCS7_CONTENT                ,"bad pkcs7 content"},
+{ASN1_R_BAD_PKCS7_TYPE                   ,"bad pkcs7 type"},
+{ASN1_R_BAD_TAG                          ,"bad tag"},
+{ASN1_R_BAD_TYPE                         ,"bad type"},
+{ASN1_R_BN_LIB                           ,"bn lib"},
+{ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
+{ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
+{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER  ,"cipher has no object identifier"},
+{ASN1_R_DATA_IS_WRONG                    ,"data is wrong"},
+{ASN1_R_DECODE_ERROR                     ,"decode error"},
+{ASN1_R_DECODING_ERROR                   ,"decoding error"},
+{ASN1_R_ENCODE_ERROR                     ,"encode error"},
+{ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
+{ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
+{ASN1_R_EXPECTING_AN_ENUMERATED          ,"expecting an enumerated"},
+{ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
+{ASN1_R_EXPECTING_AN_OBJECT              ,"expecting an object"},
+{ASN1_R_EXPECTING_AN_OCTET_STRING        ,"expecting an octet string"},
+{ASN1_R_EXPECTING_A_BIT_STRING           ,"expecting a bit string"},
+{ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
+{ASN1_R_EXPECTING_A_GENERALIZEDTIME      ,"expecting a generalizedtime"},
+{ASN1_R_EXPECTING_A_NULL                 ,"expecting a null"},
+{ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
+{ASN1_R_EXPECTING_A_UTCTIME              ,"expecting a utctime"},
+{ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
+{ASN1_R_GENERALIZEDTIME_TOO_LONG         ,"generalizedtime too long"},
+{ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
+{ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
+{ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
+{ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
+{ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
+{ASN1_R_INVALID_TIME_FORMAT              ,"invalid time format"},
+{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH   ,"invalid universalstring length"},
+{ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
+{ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
+{ASN1_R_LENGTH_ERROR                     ,"length error"},
+{ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
+{ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
+{ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
+{ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
+{ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
+{ASN1_R_PARSING                          ,"parsing"},
+{ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
+{ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
+{ASN1_R_SHORT_LINE                       ,"short line"},
+{ASN1_R_STRING_TOO_LONG                  ,"string too long"},
+{ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
+{ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
+{ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
+{ASN1_R_TOO_LONG                         ,"too long"},
+{ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
+{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
+{ASN1_R_UNKNOWN_ATTRIBUTE_TYPE           ,"unknown attribute type"},
+{ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
+{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
+{ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
+{ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
+{ASN1_R_UNSUPPORTED_CIPHER               ,"unsupported cipher"},
+{ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"},
+{ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE      ,"unsupported public key type"},
+{ASN1_R_UTCTIME_TOO_LONG                 ,"utctime too long"},
+{ASN1_R_WRONG_PRINTABLE_TYPE             ,"wrong printable type"},
+{ASN1_R_WRONG_TAG                        ,"wrong tag"},
+{ASN1_R_WRONG_TYPE                       ,"wrong type"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_ASN1_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs);
+		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
new file mode 100644
index 0000000..be8daa8
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -0,0 +1,424 @@
+/* crypto/asn1/asn1_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
+static void asn1_put_length(unsigned char **pp, int length);
+const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT;
+
+int ASN1_check_infinite_end(unsigned char **p, long len)
+	{
+	/* If there is 0 or 1 byte left, the length check should pick
+	 * things up */
+	if (len <= 0)
+		return(1);
+	else if ((len >= 2) && ((*p)[0] == 0) && ((*p)[1] == 0))
+		{
+		(*p)+=2;
+		return(1);
+		}
+	return(0);
+	}
+
+
+int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
+	     long omax)
+	{
+	int i,ret;
+	long l;
+	unsigned char *p= *pp;
+	int tag,xclass,inf;
+	long max=omax;
+
+	if (!max) goto err;
+	ret=(*p&V_ASN1_CONSTRUCTED);
+	xclass=(*p&V_ASN1_PRIVATE);
+	i= *p&V_ASN1_PRIMITIVE_TAG;
+	if (i == V_ASN1_PRIMITIVE_TAG)
+		{		/* high-tag */
+		p++;
+		if (--max == 0) goto err;
+		l=0;
+		while (*p&0x80)
+			{
+			l<<=7L;
+			l|= *(p++)&0x7f;
+			if (--max == 0) goto err;
+			}
+		l<<=7L;
+		l|= *(p++)&0x7f;
+		tag=(int)l;
+		}
+	else
+		{ 
+		tag=i;
+		p++;
+		if (--max == 0) goto err;
+		}
+	*ptag=tag;
+	*pclass=xclass;
+	if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err;
+
+#if 0
+	fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d  (%d > %d)\n", 
+		(int)p,*plength,omax,(int)*pp,(int)(p+ *plength),
+		(int)(omax+ *pp));
+
+#endif
+#if 0
+	if ((p+ *plength) > (omax+ *pp))
+		{
+		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
+		/* Set this so that even if things are not long enough
+		 * the values are set correctly */
+		ret|=0x80;
+		}
+#endif
+	*pp=p;
+	return(ret|inf);
+err:
+	ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_HEADER_TOO_LONG);
+	return(0x80);
+	}
+
+static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
+	{
+	unsigned char *p= *pp;
+	long ret=0;
+	int i;
+
+	if (max-- < 1) return(0);
+	if (*p == 0x80)
+		{
+		*inf=1;
+		ret=0;
+		p++;
+		}
+	else
+		{
+		*inf=0;
+		i= *p&0x7f;
+		if (*(p++) & 0x80)
+			{
+			if (max-- == 0) return(0);
+			while (i-- > 0)
+				{
+				ret<<=8L;
+				ret|= *(p++);
+				if (max-- == 0) return(0);
+				}
+			}
+		else
+			ret=i;
+		}
+	*pp=p;
+	*rl=ret;
+	return(1);
+	}
+
+/* class 0 is constructed
+ * constructed == 2 for indefinite length constructed */
+void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
+	     int xclass)
+	{
+	unsigned char *p= *pp;
+	int i;
+
+	i=(constructed)?V_ASN1_CONSTRUCTED:0;
+	i|=(xclass&V_ASN1_PRIVATE);
+	if (tag < 31)
+		*(p++)=i|(tag&V_ASN1_PRIMITIVE_TAG);
+	else
+		{
+		*(p++)=i|V_ASN1_PRIMITIVE_TAG;
+		while (tag > 0x7f)
+			{
+			*(p++)=(tag&0x7f)|0x80;
+			tag>>=7;
+			}
+		*(p++)=(tag&0x7f);
+		}
+	if ((constructed == 2) && (length == 0))
+		*(p++)=0x80; /* der_put_length would output 0 instead */
+	else
+		asn1_put_length(&p,length);
+	*pp=p;
+	}
+
+static void asn1_put_length(unsigned char **pp, int length)
+	{
+	unsigned char *p= *pp;
+	int i,l;
+	if (length <= 127)
+		*(p++)=(unsigned char)length;
+	else
+		{
+		l=length;
+		for (i=0; l > 0; i++)
+			l>>=8;
+		*(p++)=i|0x80;
+		l=i;
+		while (i-- > 0)
+			{
+			p[i]=length&0xff;
+			length>>=8;
+			}
+		p+=l;
+		}
+	*pp=p;
+	}
+
+int ASN1_object_size(int constructed, int length, int tag)
+	{
+	int ret;
+
+	ret=length;
+	ret++;
+	if (tag >= 31)
+		{
+		while (tag > 0)
+			{
+			tag>>=7;
+			ret++;
+			}
+		}
+	if ((length == 0) && (constructed == 2))
+		ret+=2;
+	ret++;
+	if (length > 127)
+		{
+		while (length > 0)
+			{
+			length>>=8;
+			ret++;
+			}
+		}
+	return(ret);
+	}
+
+int asn1_Finish(ASN1_CTX *c)
+	{
+	if ((c->inf == (1|V_ASN1_CONSTRUCTED)) && (!c->eos))
+		{
+		if (!ASN1_check_infinite_end(&c->p,c->slen))
+			{
+			c->error=ERR_R_MISSING_ASN1_EOS;
+			return(0);
+			}
+		}
+	if (	((c->slen != 0) && !(c->inf & 1)) ||
+		((c->slen < 0) && (c->inf & 1)))
+		{
+		c->error=ERR_R_ASN1_LENGTH_MISMATCH;
+		return(0);
+		}
+	return(1);
+	}
+
+int asn1_GetSequence(ASN1_CTX *c, long *length)
+	{
+	unsigned char *q;
+
+	q=c->p;
+	c->inf=ASN1_get_object(&(c->p),&(c->slen),&(c->tag),&(c->xclass),
+		*length);
+	if (c->inf & 0x80)
+		{
+		c->error=ERR_R_BAD_GET_ASN1_OBJECT_CALL;
+		return(0);
+		}
+	if (c->tag != V_ASN1_SEQUENCE)
+		{
+		c->error=ERR_R_EXPECTING_AN_ASN1_SEQUENCE;
+		return(0);
+		}
+	(*length)-=(c->p-q);
+	if (c->max && (*length < 0))
+		{
+		c->error=ERR_R_ASN1_LENGTH_MISMATCH;
+		return(0);
+		}
+	if (c->inf == (1|V_ASN1_CONSTRUCTED))
+		c->slen= *length+ *(c->pp)-c->p;
+	c->eos=0;
+	return(1);
+	}
+
+ASN1_STRING *ASN1_STRING_dup(ASN1_STRING *str)
+	{
+	ASN1_STRING *ret;
+
+	if (str == NULL) return(NULL);
+	if ((ret=ASN1_STRING_type_new(str->type)) == NULL)
+		return(NULL);
+	if (!ASN1_STRING_set(ret,str->data,str->length))
+		{
+		ASN1_STRING_free(ret);
+		return(NULL);
+		}
+	ret->flags = str->flags;
+	return(ret);
+	}
+
+int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
+	{
+	unsigned char *c;
+	const char *data=_data;
+
+	if (len < 0)
+		{
+		if (data == NULL)
+			return(0);
+		else
+			len=strlen(data);
+		}
+	if ((str->length < len) || (str->data == NULL))
+		{
+		c=str->data;
+		if (c == NULL)
+			str->data=Malloc(len+1);
+		else
+			str->data=Realloc(c,len+1);
+
+		if (str->data == NULL)
+			{
+			str->data=c;
+			return(0);
+			}
+		}
+	str->length=len;
+	if (data != NULL)
+		{
+		memcpy(str->data,data,len);
+		/* an allowance for strings :-) */
+		str->data[len]='\0';
+		}
+	return(1);
+	}
+
+ASN1_STRING *ASN1_STRING_new(void)
+	{
+	return(ASN1_STRING_type_new(V_ASN1_OCTET_STRING));
+	}
+
+
+ASN1_STRING *ASN1_STRING_type_new(int type)
+	{
+	ASN1_STRING *ret;
+
+	ret=(ASN1_STRING *)Malloc(sizeof(ASN1_STRING));
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->length=0;
+	ret->type=type;
+	ret->data=NULL;
+	ret->flags=0;
+	return(ret);
+	}
+
+void ASN1_STRING_free(ASN1_STRING *a)
+	{
+	if (a == NULL) return;
+	if (a->data != NULL) Free(a->data);
+	Free(a);
+	}
+
+int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
+	{
+	int i;
+
+	i=(a->length-b->length);
+	if (i == 0)
+		{
+		i=memcmp(a->data,b->data,a->length);
+		if (i == 0)
+			return(a->type-b->type);
+		else
+			return(i);
+		}
+	else
+		return(i);
+	}
+
+void asn1_add_error(unsigned char *address, int offset)
+	{
+	char buf1[16],buf2[16];
+
+	sprintf(buf1,"%lu",(unsigned long)address);
+	sprintf(buf2,"%d",offset);
+	ERR_add_error_data(4,"address=",buf1," offset=",buf2);
+	}
+
+int ASN1_STRING_length(ASN1_STRING *x)
+{ return M_ASN1_STRING_length(x); }
+
+void ASN1_STRING_length_set(ASN1_STRING *x, int len)
+{ M_ASN1_STRING_length_set(x, len); return; }
+
+int ASN1_STRING_type(ASN1_STRING *x)
+{ return M_ASN1_STRING_type(x); }
+
+unsigned char * ASN1_STRING_data(ASN1_STRING *x)
+{ return M_ASN1_STRING_data(x); }
diff --git a/crypto/openssl/crypto/asn1/asn1_mac.h b/crypto/openssl/crypto/asn1/asn1_mac.h
new file mode 100644
index 0000000..4f2a82d
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1_mac.h
@@ -0,0 +1,560 @@
+/* crypto/asn1/asn1_mac.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_ASN1_MAC_H
+#define HEADER_ASN1_MAC_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/asn1.h>
+
+#ifndef ASN1_MAC_ERR_LIB
+#define ASN1_MAC_ERR_LIB	ERR_LIB_ASN1
+#endif 
+
+#define ASN1_MAC_H_err(f,r,line) \
+	ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),ERR_file_name,(line))
+
+#define M_ASN1_D2I_vars(a,type,func) \
+	ASN1_CTX c; \
+	type ret=NULL; \
+	\
+	c.pp=pp; \
+	c.q= *pp; \
+	c.error=ERR_R_NESTED_ASN1_ERROR; \
+	if ((a == NULL) || ((*a) == NULL)) \
+		{ if ((ret=(type)func()) == NULL) \
+			{ c.line=__LINE__; goto err; } } \
+	else	ret=(*a);
+
+#define M_ASN1_D2I_Init() \
+	c.p= *pp; \
+	c.max=(length == 0)?0:(c.p+length);
+
+#define M_ASN1_D2I_Finish_2(a) \
+	if (!asn1_Finish(&c)) \
+		{ c.line=__LINE__; goto err; } \
+	*pp=c.p; \
+	if (a != NULL) (*a)=ret; \
+	return(ret);
+
+#define M_ASN1_D2I_Finish(a,func,e) \
+	M_ASN1_D2I_Finish_2(a); \
+err:\
+	ASN1_MAC_H_err((e),c.error,c.line); \
+	asn1_add_error(*pp,(int)(c.q- *pp)); \
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
+	return(NULL)
+
+#define M_ASN1_D2I_start_sequence() \
+	if (!asn1_GetSequence(&c,&length)) \
+		{ c.line=__LINE__; goto err; }
+/* Begin reading ASN1 without a surrounding sequence */
+#define M_ASN1_D2I_begin() \
+	c.slen = length;
+
+/* End reading ASN1 with no check on length */
+#define M_ASN1_D2I_Finish_nolen(a, func, e) \
+	*pp=c.p; \
+	if (a != NULL) (*a)=ret; \
+	return(ret); \
+err:\
+	ASN1_MAC_H_err((e),c.error,c.line); \
+	asn1_add_error(*pp,(int)(c.q- *pp)); \
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
+	return(NULL)
+
+#define M_ASN1_D2I_end_sequence() \
+	(((c.inf&1) == 0)?(c.slen <= 0): \
+		(c.eos=ASN1_check_infinite_end(&c.p,c.slen)))
+
+/* Don't use this with d2i_ASN1_BOOLEAN() */
+#define M_ASN1_D2I_get(b,func) \
+	c.q=c.p; \
+	if (func(&(b),&c.p,c.slen) == NULL) \
+		{c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
+/* use this instead () */
+#define M_ASN1_D2I_get_int(b,func) \
+	c.q=c.p; \
+	if (func(&(b),&c.p,c.slen) < 0) \
+		{c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
+#define M_ASN1_D2I_get_opt(b,func,type) \
+	if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \
+		== (V_ASN1_UNIVERSAL|(type)))) \
+		{ \
+		M_ASN1_D2I_get(b,func); \
+		}
+
+#define M_ASN1_D2I_get_imp(b,func, type) \
+	M_ASN1_next=(_tmp& V_ASN1_CONSTRUCTED)|type; \
+	c.q=c.p; \
+	if (func(&(b),&c.p,c.slen) == NULL) \
+		{c.line=__LINE__; M_ASN1_next_prev = _tmp; goto err; } \
+	c.slen-=(c.p-c.q);\
+	M_ASN1_next_prev=_tmp;
+
+#define M_ASN1_D2I_get_IMP_opt(b,func,tag,type) \
+	if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) == \
+		(V_ASN1_CONTEXT_SPECIFIC|(tag)))) \
+		{ \
+		unsigned char _tmp = M_ASN1_next; \
+		M_ASN1_D2I_get_imp(b,func, type);\
+		}
+
+#define M_ASN1_D2I_get_set(r,func,free_func) \
+		M_ASN1_D2I_get_imp_set(r,func,free_func, \
+			V_ASN1_SET,V_ASN1_UNIVERSAL);
+
+#define M_ASN1_D2I_get_set_type(type,r,func,free_func) \
+		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func, \
+			V_ASN1_SET,V_ASN1_UNIVERSAL);
+
+#define M_ASN1_D2I_get_set_opt(r,func,free_func) \
+	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
+		V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
+		{ M_ASN1_D2I_get_set(r,func,free_func); }
+
+#define M_ASN1_D2I_get_set_opt_type(type,r,func,free_func) \
+	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
+		V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
+		{ M_ASN1_D2I_get_set_type(type,r,func,free_func); }
+
+#define M_ASN1_I2D_len_SET_opt(a,f) \
+	if ((a != NULL) && (sk_num(a) != 0)) \
+		M_ASN1_I2D_len_SET(a,f);
+
+#define M_ASN1_I2D_put_SET_opt(a,f) \
+	if ((a != NULL) && (sk_num(a) != 0)) \
+		M_ASN1_I2D_put_SET(a,f);
+
+#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
+	if ((a != NULL) && (sk_num(a) != 0)) \
+		M_ASN1_I2D_put_SEQUENCE(a,f);
+
+#define M_ASN1_I2D_put_SEQUENCE_opt_type(type,a,f) \
+	if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+		M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
+
+#define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
+	if ((c.slen != 0) && \
+		(M_ASN1_next == \
+		(V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
+		{ \
+		M_ASN1_D2I_get_imp_set(b,func,free_func,\
+			tag,V_ASN1_CONTEXT_SPECIFIC); \
+		}
+
+#define M_ASN1_D2I_get_IMP_set_opt_type(type,b,func,free_func,tag) \
+	if ((c.slen != 0) && \
+		(M_ASN1_next == \
+		(V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
+		{ \
+		M_ASN1_D2I_get_imp_set_type(type,b,func,free_func,\
+			tag,V_ASN1_CONTEXT_SPECIFIC); \
+		}
+
+#define M_ASN1_D2I_get_seq(r,func,free_func) \
+		M_ASN1_D2I_get_imp_set(r,func,free_func,\
+			V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+#define M_ASN1_D2I_get_seq_type(type,r,func,free_func) \
+		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
+					    V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
+
+#define M_ASN1_D2I_get_seq_opt(r,func,free_func) \
+	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
+		V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
+		{ M_ASN1_D2I_get_seq(r,func,free_func); }
+
+#define M_ASN1_D2I_get_seq_opt_type(type,r,func,free_func) \
+	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
+		V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
+		{ M_ASN1_D2I_get_seq_type(type,r,func,free_func); }
+
+#define M_ASN1_D2I_get_IMP_set(r,func,free_func,x) \
+		M_ASN1_D2I_get_imp_set(r,func,free_func,\
+			x,V_ASN1_CONTEXT_SPECIFIC);
+
+#define M_ASN1_D2I_get_IMP_set_type(type,r,func,free_func,x) \
+		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
+			x,V_ASN1_CONTEXT_SPECIFIC);
+
+#define M_ASN1_D2I_get_imp_set(r,func,free_func,a,b) \
+	c.q=c.p; \
+	if (d2i_ASN1_SET(&(r),&c.p,c.slen,(char *(*)())func,\
+		(void (*)())free_func,a,b) == NULL) \
+		{ c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
+#define M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,a,b) \
+	c.q=c.p; \
+	if (d2i_ASN1_SET_OF_##type(&(r),&c.p,c.slen,func,\
+				   free_func,a,b) == NULL) \
+		{ c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
+#define M_ASN1_D2I_get_set_strings(r,func,a,b) \
+	c.q=c.p; \
+	if (d2i_ASN1_STRING_SET(&(r),&c.p,c.slen,a,b) == NULL) \
+		{ c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
+#define M_ASN1_D2I_get_EXP_opt(r,func,tag) \
+	if ((c.slen != 0L) && (M_ASN1_next == \
+		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
+		{ \
+		int Tinf,Ttag,Tclass; \
+		long Tlen; \
+		\
+		c.q=c.p; \
+		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
+		if (Tinf & 0x80) \
+			{ c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \
+			c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
+					Tlen = c.slen - (c.p - c.q) - 2; \
+		if (func(&(r),&c.p,Tlen) == NULL) \
+			{ c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
+			Tlen = c.slen - (c.p - c.q); \
+			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
+				{ c.error=ERR_R_MISSING_ASN1_EOS; \
+				c.line=__LINE__; goto err; } \
+		}\
+		c.slen-=(c.p-c.q); \
+		}
+
+#define M_ASN1_D2I_get_EXP_set_opt(r,func,free_func,tag,b) \
+	if ((c.slen != 0) && (M_ASN1_next == \
+		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
+		{ \
+		int Tinf,Ttag,Tclass; \
+		long Tlen; \
+		\
+		c.q=c.p; \
+		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
+		if (Tinf & 0x80) \
+			{ c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \
+			c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
+					Tlen = c.slen - (c.p - c.q) - 2; \
+		if (d2i_ASN1_SET(&(r),&c.p,Tlen,(char *(*)())func, \
+			(void (*)())free_func, \
+			b,V_ASN1_UNIVERSAL) == NULL) \
+			{ c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
+			Tlen = c.slen - (c.p - c.q); \
+			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
+				{ c.error=ERR_R_MISSING_ASN1_EOS; \
+				c.line=__LINE__; goto err; } \
+		}\
+		c.slen-=(c.p-c.q); \
+		}
+
+#define M_ASN1_D2I_get_EXP_set_opt_type(type,r,func,free_func,tag,b) \
+	if ((c.slen != 0) && (M_ASN1_next == \
+		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
+		{ \
+		int Tinf,Ttag,Tclass; \
+		long Tlen; \
+		\
+		c.q=c.p; \
+		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
+		if (Tinf & 0x80) \
+			{ c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \
+			c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
+					Tlen = c.slen - (c.p - c.q) - 2; \
+		if (d2i_ASN1_SET_OF_##type(&(r),&c.p,Tlen,func, \
+			free_func,b,V_ASN1_UNIVERSAL) == NULL) \
+			{ c.line=__LINE__; goto err; } \
+		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
+			Tlen = c.slen - (c.p - c.q); \
+			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
+				{ c.error=ERR_R_MISSING_ASN1_EOS; \
+				c.line=__LINE__; goto err; } \
+		}\
+		c.slen-=(c.p-c.q); \
+		}
+
+/* New macros */
+#define M_ASN1_New_Malloc(ret,type) \
+	if ((ret=(type *)Malloc(sizeof(type))) == NULL) \
+		{ c.line=__LINE__; goto err2; }
+
+#define M_ASN1_New(arg,func) \
+	if (((arg)=func()) == NULL) return(NULL)
+
+#define M_ASN1_New_Error(a) \
+/*	err:	ASN1_MAC_H_err((a),ERR_R_NESTED_ASN1_ERROR,c.line); \
+		return(NULL);*/ \
+	err2:	ASN1_MAC_H_err((a),ERR_R_MALLOC_FAILURE,c.line); \
+		return(NULL)
+
+
+#define M_ASN1_next		(*c.p)
+#define M_ASN1_next_prev	(*c.q)
+
+/*************************************************/
+
+#define M_ASN1_I2D_vars(a)	int r=0,ret=0; \
+				unsigned char *p; \
+				if (a == NULL) return(0)
+
+/* Length Macros */
+#define M_ASN1_I2D_len(a,f)	ret+=f(a,NULL)
+#define M_ASN1_I2D_len_IMP_opt(a,f)	if (a != NULL) M_ASN1_I2D_len(a,f)
+
+#define M_ASN1_I2D_len_SET(a,f) \
+		ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+
+#define M_ASN1_I2D_len_SET_type(type,a,f) \
+		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SET, \
+					    V_ASN1_UNIVERSAL,IS_SET);
+
+#define M_ASN1_I2D_len_SEQUENCE(a,f) \
+		ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
+				  IS_SEQUENCE);
+
+#define M_ASN1_I2D_len_SEQUENCE_type(type,a,f) \
+		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SEQUENCE, \
+					    V_ASN1_UNIVERSAL,IS_SEQUENCE)
+
+#define M_ASN1_I2D_len_SEQUENCE_opt(a,f) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			M_ASN1_I2D_len_SEQUENCE(a,f);
+
+#define M_ASN1_I2D_len_SEQUENCE_opt_type(type,a,f) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
+
+#define M_ASN1_I2D_len_IMP_SET(a,f,x) \
+		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
+
+#define M_ASN1_I2D_len_IMP_SET_type(type,a,f,x) \
+		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
+					    V_ASN1_CONTEXT_SPECIFIC,IS_SET);
+
+#define M_ASN1_I2D_len_IMP_SET_opt(a,f,x) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
+					  IS_SET);
+
+#define M_ASN1_I2D_len_IMP_SET_opt_type(type,a,f,x) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
+					       V_ASN1_CONTEXT_SPECIFIC,IS_SET);
+
+#define M_ASN1_I2D_len_IMP_SEQUENCE(a,f,x) \
+		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
+				  IS_SEQUENCE);
+
+#define M_ASN1_I2D_len_IMP_SEQUENCE_opt(a,f,x) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
+					  IS_SEQUENCE);
+
+#define M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(type,a,f,x) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
+						    V_ASN1_CONTEXT_SPECIFIC, \
+						    IS_SEQUENCE);
+
+#define M_ASN1_I2D_len_EXP_opt(a,f,mtag,v) \
+		if (a != NULL)\
+			{ \
+			v=f(a,NULL); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
+#define M_ASN1_I2D_len_EXP_SET_opt(a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_num(a) != 0))\
+			{ \
+			v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
+#define M_ASN1_I2D_len_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_num(a) != 0))\
+			{ \
+			v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL, \
+				       IS_SEQUENCE); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
+#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0))\
+			{ \
+			v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
+						 V_ASN1_UNIVERSAL, \
+						 IS_SEQUENCE); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
+/* Put Macros */
+#define M_ASN1_I2D_put(a,f)	f(a,&p)
+
+#define M_ASN1_I2D_put_IMP_opt(a,f,t)	\
+		if (a != NULL) \
+			{ \
+			unsigned char *q=p; \
+			f(a,&p); \
+			*q=(V_ASN1_CONTEXT_SPECIFIC|t|(*q&V_ASN1_CONSTRUCTED));\
+			}
+
+#define M_ASN1_I2D_put_SET(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SET,\
+			V_ASN1_UNIVERSAL,IS_SET)
+#define M_ASN1_I2D_put_SET_type(type,a,f) \
+     i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET)
+#define M_ASN1_I2D_put_IMP_SET(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
+			V_ASN1_CONTEXT_SPECIFIC,IS_SET)
+#define M_ASN1_I2D_put_IMP_SET_type(type,a,f,x) \
+     i2d_ASN1_SET_OF_##type(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET)
+#define M_ASN1_I2D_put_IMP_SEQUENCE(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
+			V_ASN1_CONTEXT_SPECIFIC,IS_SEQUENCE)
+
+#define M_ASN1_I2D_put_SEQUENCE(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SEQUENCE,\
+					     V_ASN1_UNIVERSAL,IS_SEQUENCE)
+
+#define M_ASN1_I2D_put_SEQUENCE_type(type,a,f) \
+     i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
+			    IS_SEQUENCE)
+
+#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			M_ASN1_I2D_put_SEQUENCE(a,f);
+
+#define M_ASN1_I2D_put_IMP_SET_opt(a,f,x) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			{ i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
+				       IS_SET); }
+
+#define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			{ i2d_ASN1_SET_OF_##type(a,&p,f,x, \
+						 V_ASN1_CONTEXT_SPECIFIC, \
+						 IS_SET); }
+
+#define M_ASN1_I2D_put_IMP_SEQUENCE_opt(a,f,x) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			{ i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
+				       IS_SEQUENCE); }
+
+#define M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(type,a,f,x) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			{ i2d_ASN1_SET_OF_##type(a,&p,f,x, \
+						 V_ASN1_CONTEXT_SPECIFIC, \
+						 IS_SEQUENCE); }
+
+#define M_ASN1_I2D_put_EXP_opt(a,f,tag,v) \
+		if (a != NULL) \
+			{ \
+			ASN1_put_object(&p,1,v,tag,V_ASN1_CONTEXT_SPECIFIC); \
+			f(a,&p); \
+			}
+
+#define M_ASN1_I2D_put_EXP_SET_opt(a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			{ \
+			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+			i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
+			}
+
+#define M_ASN1_I2D_put_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_num(a) != 0)) \
+			{ \
+			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+			i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SEQUENCE); \
+			}
+
+#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
+		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
+			{ \
+			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+			i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
+					       IS_SEQUENCE); \
+			}
+
+#define M_ASN1_I2D_seq_total() \
+		r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
+		if (pp == NULL) return(r); \
+		p= *pp; \
+		ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
+
+#define M_ASN1_I2D_INF_seq_start(tag,ctx) \
+		*(p++)=(V_ASN1_CONSTRUCTED|(tag)|(ctx)); \
+		*(p++)=0x80
+
+#define M_ASN1_I2D_INF_seq_end() *(p++)=0x00; *(p++)=0x00
+
+#define M_ASN1_I2D_finish()	*pp=p; \
+				return(r);
+
+int asn1_GetSequence(ASN1_CTX *c, long *length);
+void asn1_add_error(unsigned char *address,int offset);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c
new file mode 100644
index 0000000..d1e9816
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1_par.c
@@ -0,0 +1,385 @@
+/* crypto/asn1/asn1_par.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+
+static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed,
+	int indent);
+static int asn1_parse2(BIO *bp, unsigned char **pp, long length,
+	int offset, int depth, int indent);
+static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
+	     int indent)
+	{
+	static const char fmt[]="%-18s";
+	static const char fmt2[]="%2d %-15s";
+	char str[128];
+	const char *p,*p2=NULL;
+
+	if (constructed & V_ASN1_CONSTRUCTED)
+		p="cons: ";
+	else
+		p="prim: ";
+	if (BIO_write(bp,p,6) < 6) goto err;
+	if (indent)
+		{
+		if (indent > 128) indent=128;
+		memset(str,' ',indent);
+		if (BIO_write(bp,str,indent) < indent) goto err;
+		}
+
+	p=str;
+	if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
+		sprintf(str,"priv [ %d ] ",tag);
+	else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
+		sprintf(str,"cont [ %d ]",tag);
+	else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
+		sprintf(str,"appl [ %d ]",tag);
+	else p = ASN1_tag2str(tag);
+
+	if (p2 != NULL)
+		{
+		if (BIO_printf(bp,fmt2,tag,p2) <= 0) goto err;
+		}
+	else
+		{
+		if (BIO_printf(bp,fmt,p) <= 0) goto err;
+		}
+	return(1);
+err:
+	return(0);
+	}
+
+int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent)
+	{
+	return(asn1_parse2(bp,&pp,len,0,0,indent));
+	}
+
+static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
+	     int depth, int indent)
+	{
+	unsigned char *p,*ep,*tot,*op,*opp;
+	long len;
+	int tag,xclass,ret=0;
+	int nl,hl,j,r;
+	ASN1_OBJECT *o=NULL;
+	ASN1_OCTET_STRING *os=NULL;
+	/* ASN1_BMPSTRING *bmp=NULL;*/
+
+	p= *pp;
+	tot=p+length;
+	op=p-1;
+	while ((p < tot) && (op < p))
+		{
+		op=p;
+		j=ASN1_get_object(&p,&len,&tag,&xclass,length);
+#ifdef LINT
+		j=j;
+#endif
+		if (j & 0x80)
+			{
+			if (BIO_write(bp,"Error in encoding\n",18) <= 0)
+				goto end;
+			ret=0;
+			goto end;
+			}
+		hl=(p-op);
+		length-=hl;
+		/* if j == 0x21 it is a constructed indefinite length object */
+		if (BIO_printf(bp,"%5ld:",(long)offset+(long)(op- *pp))
+			<= 0) goto end;
+
+		if (j != (V_ASN1_CONSTRUCTED | 1))
+			{
+			if (BIO_printf(bp,"d=%-2d hl=%ld l=%4ld ",
+				depth,(long)hl,len) <= 0)
+				goto end;
+			}
+		else
+			{
+			if (BIO_printf(bp,"d=%-2d hl=%ld l=inf  ",
+				depth,(long)hl) <= 0)
+				goto end;
+			}
+		if (!asn1_print_info(bp,tag,xclass,j,(indent)?depth:0))
+			goto end;
+		if (j & V_ASN1_CONSTRUCTED)
+			{
+			ep=p+len;
+			if (BIO_write(bp,"\n",1) <= 0) goto end;
+			if (len > length)
+				{
+				BIO_printf(bp,
+					"length is greater than %ld\n",length);
+				ret=0;
+				goto end;
+				}
+			if ((j == 0x21) && (len == 0))
+				{
+				for (;;)
+					{
+					r=asn1_parse2(bp,&p,(long)(tot-p),
+						offset+(p - *pp),depth+1,
+						indent);
+					if (r == 0) { ret=0; goto end; }
+					if ((r == 2) || (p >= tot)) break;
+					}
+				}
+			else
+				while (p < ep)
+					{
+					r=asn1_parse2(bp,&p,(long)len,
+						offset+(p - *pp),depth+1,
+						indent);
+					if (r == 0) { ret=0; goto end; }
+					}
+			}
+		else if (xclass != 0)
+			{
+			p+=len;
+			if (BIO_write(bp,"\n",1) <= 0) goto end;
+			}
+		else
+			{
+			nl=0;
+			if (	(tag == V_ASN1_PRINTABLESTRING) ||
+				(tag == V_ASN1_T61STRING) ||
+				(tag == V_ASN1_IA5STRING) ||
+				(tag == V_ASN1_VISIBLESTRING) ||
+				(tag == V_ASN1_UTCTIME) ||
+				(tag == V_ASN1_GENERALIZEDTIME))
+				{
+				if (BIO_write(bp,":",1) <= 0) goto end;
+				if ((len > 0) &&
+					BIO_write(bp,(char *)p,(int)len)
+					!= (int)len)
+					goto end;
+				}
+			else if (tag == V_ASN1_OBJECT)
+				{
+				opp=op;
+				if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL)
+					{
+					if (BIO_write(bp,":",1) <= 0) goto end;
+					i2a_ASN1_OBJECT(bp,o);
+					}
+				else
+					{
+					if (BIO_write(bp,":BAD OBJECT",11) <= 0)
+						goto end;
+					}
+				}
+			else if (tag == V_ASN1_BOOLEAN)
+				{
+				int ii;
+
+				opp=op;
+				ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
+				if (ii < 0)
+					{
+					if (BIO_write(bp,"Bad boolean\n",12))
+						goto end;
+					}
+				BIO_printf(bp,":%d",ii);
+				}
+			else if (tag == V_ASN1_BMPSTRING)
+				{
+				/* do the BMP thang */
+				}
+			else if (tag == V_ASN1_OCTET_STRING)
+				{
+				int i,printable=1;
+
+				opp=op;
+				os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
+				if (os != NULL)
+					{
+					opp=os->data;
+					for (i=0; i<os->length; i++)
+						{
+						if ((	(opp[i] < ' ') &&
+							(opp[i] != '\n') &&
+							(opp[i] != '\r') &&
+							(opp[i] != '\t')) ||
+							(opp[i] > '~'))
+							{
+							printable=0;
+							break;
+							}
+						}
+					if (printable && (os->length > 0))
+						{
+						if (BIO_write(bp,":",1) <= 0)
+							goto end;
+						if (BIO_write(bp,(char *)opp,
+							os->length) <= 0)
+							goto end;
+						}
+					M_ASN1_OCTET_STRING_free(os);
+					os=NULL;
+					}
+				}
+			else if (tag == V_ASN1_INTEGER)
+				{
+				ASN1_INTEGER *bs;
+				int i;
+
+				opp=op;
+				bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl);
+				if (bs != NULL)
+					{
+					if (BIO_write(bp,":",1) <= 0) goto end;
+					if (bs->type == V_ASN1_NEG_INTEGER)
+						if (BIO_write(bp,"-",1) <= 0)
+							goto end;
+					for (i=0; i<bs->length; i++)
+						{
+						if (BIO_printf(bp,"%02X",
+							bs->data[i]) <= 0)
+							goto end;
+						}
+					if (bs->length == 0)
+						{
+						if (BIO_write(bp,"00",2) <= 0)
+							goto end;
+						}
+					}
+				else
+					{
+					if (BIO_write(bp,"BAD INTEGER",11) <= 0)
+						goto end;
+					}
+				M_ASN1_INTEGER_free(bs);
+				}
+			else if (tag == V_ASN1_ENUMERATED)
+				{
+				ASN1_ENUMERATED *bs;
+				int i;
+
+				opp=op;
+				bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl);
+				if (bs != NULL)
+					{
+					if (BIO_write(bp,":",1) <= 0) goto end;
+					if (bs->type == V_ASN1_NEG_ENUMERATED)
+						if (BIO_write(bp,"-",1) <= 0)
+							goto end;
+					for (i=0; i<bs->length; i++)
+						{
+						if (BIO_printf(bp,"%02X",
+							bs->data[i]) <= 0)
+							goto end;
+						}
+					if (bs->length == 0)
+						{
+						if (BIO_write(bp,"00",2) <= 0)
+							goto end;
+						}
+					}
+				else
+					{
+					if (BIO_write(bp,"BAD ENUMERATED",11) <= 0)
+						goto end;
+					}
+				M_ASN1_ENUMERATED_free(bs);
+				}
+
+			if (!nl) 
+				{
+				if (BIO_write(bp,"\n",1) <= 0) goto end;
+				}
+			p+=len;
+			if ((tag == V_ASN1_EOC) && (xclass == 0))
+				{
+				ret=2; /* End of sequence */
+				goto end;
+				}
+			}
+		length-=len;
+		}
+	ret=1;
+end:
+	if (o != NULL) ASN1_OBJECT_free(o);
+	if (os != NULL) M_ASN1_OCTET_STRING_free(os);
+	*pp=p;
+	return(ret);
+	}
+
+const char *ASN1_tag2str(int tag)
+{
+	const static char *tag2str[] = {
+	 "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", /* 0-4 */
+	 "NULL", "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", /* 5-9 */
+	 "ENUMERATED", "<ASN1 11>", "UTF8STRING", "<ASN1 13>", 	    /* 10-13 */
+	"<ASN1 14>", "<ASN1 15>", "SEQUENCE", "SET", 		    /* 15-17 */
+	"NUMERICSTRING", "PRINTABLESTRING", "T61STRING",	    /* 18-20 */
+	"VIDEOTEXSTRING", "IA5STRING", "UTCTIME","GENERALIZEDTIME", /* 21-24 */
+	"GRAPHICSTRING", "VISIBLESTRING", "GENERALSTRING",	    /* 25-27 */
+	"UNIVERSALSTRING", "<ASN1 29>", "BMPSTRING"		    /* 28-30 */
+	};
+
+	if((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED))
+							tag &= ~0x100;
+
+	if(tag < 0 || tag > 30) return "(unknown)";
+	return tag2str[tag];
+}
+
diff --git a/crypto/openssl/crypto/asn1/asn_pack.c b/crypto/openssl/crypto/asn1/asn_pack.c
new file mode 100644
index 0000000..662a262
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn_pack.c
@@ -0,0 +1,145 @@
+/* asn_pack.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* ASN1 packing and unpacking functions */
+
+/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
+
+STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
+	     void (*free_func)())
+{
+    STACK *sk;
+    unsigned char *pbuf;
+    pbuf =  buf;
+    if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
+					V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL)))
+		 ASN1err(ASN1_F_ASN1_SEQ_UNPACK,ASN1_R_DECODE_ERROR);
+    return sk;
+}
+
+/* Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a
+ * Malloc'ed buffer
+ */
+
+unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
+	     int *len)
+{
+	int safelen;
+	unsigned char *safe, *p;
+	if (!(safelen = i2d_ASN1_SET(safes, NULL, i2d, V_ASN1_SEQUENCE,
+					      V_ASN1_UNIVERSAL, IS_SEQUENCE))) {
+		ASN1err(ASN1_F_ASN1_SEQ_PACK,ASN1_R_ENCODE_ERROR);
+		return NULL;
+	}
+	if (!(safe = Malloc (safelen))) {
+		ASN1err(ASN1_F_ASN1_SEQ_PACK,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	p = safe;
+	i2d_ASN1_SET(safes, &p, i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
+								 IS_SEQUENCE);
+	if (len) *len = safelen;
+	if (buf) *buf = safe;
+	return safe;
+}
+
+/* Extract an ASN1 object from an ASN1_STRING */
+
+void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
+{
+	unsigned char *p;
+	char *ret;
+
+	p = oct->data;
+	if(!(ret = d2i(NULL, &p, oct->length)))
+		ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+	return ret;
+}
+
+/* Pack an ASN1 object into an ASN1_STRING */
+
+ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
+{
+	unsigned char *p;
+	ASN1_STRING *octmp;
+
+	if (!oct || !*oct) {
+		if (!(octmp = ASN1_STRING_new ())) {
+			ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+		if (oct) *oct = octmp;
+	} else octmp = *oct;
+		
+	if (!(octmp->length = i2d(obj, NULL))) {
+		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+		return NULL;
+	}
+	if (!(p = Malloc (octmp->length))) {
+		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	octmp->data = p;
+	i2d (obj, &p);
+	return octmp;
+}
+
diff --git a/crypto/openssl/crypto/asn1/d2i_dhp.c b/crypto/openssl/crypto/asn1/d2i_dhp.c
new file mode 100644
index 0000000..635ae82
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_dhp.c
@@ -0,0 +1,101 @@
+/* crypto/asn1/d2i_dhp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+DH *d2i_DHparams(DH **a, unsigned char **pp, long length)
+	{
+	int i=ERR_R_NESTED_ASN1_ERROR;
+	ASN1_INTEGER *bs=NULL;
+	long v=0;
+	M_ASN1_D2I_vars(a,DH *,DH_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->p=BN_bin2bn(bs->data,bs->length,ret->p)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;
+
+	if (!M_ASN1_D2I_end_sequence())
+		{
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		for (i=0; i<bs->length; i++)
+			v=(v<<8)|(bs->data[i]);
+		ret->length=(int)v;
+		}
+
+	M_ASN1_BIT_STRING_free(bs);
+
+	M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_DHPARAMS,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DH_free(ret);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
+	return(NULL);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/d2i_dsap.c b/crypto/openssl/crypto/asn1/d2i_dsap.c
new file mode 100644
index 0000000..6d1c297
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_dsap.c
@@ -0,0 +1,98 @@
+/* crypto/asn1/d2i_dsap.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+#ifdef NEG_PUBKEY_BUG
+#define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER
+#endif
+
+DSA *d2i_DSAparams(DSA **a, unsigned char **pp, long length)
+	{
+	int i=ERR_R_NESTED_ASN1_ERROR;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,DSA *,DSA_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->p=BN_bin2bn(bs->data,bs->length,ret->p)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->q=BN_bin2bn(bs->data,bs->length,ret->q)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;
+
+	M_ASN1_BIT_STRING_free(bs);
+
+	M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_DSAPARAMS,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
+	return(NULL);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/d2i_pr.c b/crypto/openssl/crypto/asn1/d2i_pr.c
new file mode 100644
index 0000000..c92b832
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_pr.c
@@ -0,0 +1,137 @@
+/* crypto/asn1/d2i_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+
+EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
+	     long length)
+	{
+	EVP_PKEY *ret;
+
+	if ((a == NULL) || (*a == NULL))
+		{
+		if ((ret=EVP_PKEY_new()) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PRIVATEKEY,ERR_R_EVP_LIB);
+			return(NULL);
+			}
+		}
+	else	ret= *a;
+
+	ret->save_type=type;
+	ret->type=EVP_PKEY_type(type);
+	switch (ret->type)
+		{
+#ifndef NO_RSA
+	case EVP_PKEY_RSA:
+		if ((ret->pkey.rsa=d2i_RSAPrivateKey(NULL,pp,length)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PRIVATEKEY,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		break;
+#endif
+#ifndef NO_DSA
+	case EVP_PKEY_DSA:
+		if ((ret->pkey.dsa=d2i_DSAPrivateKey(NULL,pp,length)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PRIVATEKEY,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		break;
+#endif
+	default:
+		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
+		goto err;
+		/* break; */
+		}
+	if (a != NULL) (*a)=ret;
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) EVP_PKEY_free(ret);
+	return(NULL);
+	}
+
+/* This works like d2i_PrivateKey() except it automatically works out the type */
+
+EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+	     long length)
+{
+	STACK_OF(ASN1_TYPE) *inkey;
+	unsigned char *p;
+	int keytype;
+	p = *pp;
+	/* Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE):
+	 * by analyzing it we can determine the passed structure: this
+	 * assumes the input is surrounded by an ASN1 SEQUENCE.
+	 */
+	inkey = d2i_ASN1_SET_OF_ASN1_TYPE(NULL, &p, length, d2i_ASN1_TYPE, 
+			ASN1_TYPE_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+	/* Since we only need to discern "traditional format" RSA and DSA
+	 * keys we can just count the elements.
+         */
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
+	else keytype = EVP_PKEY_RSA;
+	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
+	return d2i_PrivateKey(keytype, a, pp, length);
+}
diff --git a/crypto/openssl/crypto/asn1/d2i_pu.c b/crypto/openssl/crypto/asn1/d2i_pu.c
new file mode 100644
index 0000000..e0d203c
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_pu.c
@@ -0,0 +1,114 @@
+/* crypto/asn1/d2i_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+
+EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
+	     long length)
+	{
+	EVP_PKEY *ret;
+
+	if ((a == NULL) || (*a == NULL))
+		{
+		if ((ret=EVP_PKEY_new()) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
+			return(NULL);
+			}
+		}
+	else	ret= *a;
+
+	ret->save_type=type;
+	ret->type=EVP_PKEY_type(type);
+	switch (ret->type)
+		{
+#ifndef NO_RSA
+	case EVP_PKEY_RSA:
+		if ((ret->pkey.rsa=d2i_RSAPublicKey(NULL,pp,length)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		break;
+#endif
+#ifndef NO_DSA
+	case EVP_PKEY_DSA:
+		if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,pp,length)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		break;
+#endif
+	default:
+		ASN1err(ASN1_F_D2I_PUBLICKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
+		goto err;
+		/* break; */
+		}
+	if (a != NULL) (*a)=ret;
+	return(ret);
+err:
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) EVP_PKEY_free(ret);
+	return(NULL);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/d2i_r_pr.c b/crypto/openssl/crypto/asn1/d2i_r_pr.c
new file mode 100644
index 0000000..6c8a45f
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_r_pr.c
@@ -0,0 +1,128 @@
+/* crypto/asn1/d2i_r_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+static ASN1_METHOD method={
+        (int (*)())  i2d_RSAPrivateKey,
+        (char *(*)())d2i_RSAPrivateKey,
+        (char *(*)())RSA_new,
+        (void (*)()) RSA_free};
+
+ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
+	{
+	return(&method);
+	}
+
+RSA *d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length)
+	{
+	int i=ASN1_R_PARSING;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,RSA *,RSA_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if (bs->length == 0)
+		ret->version=0;
+	else	ret->version=bs->data[0];
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->n=BN_bin2bn(bs->data,bs->length,ret->n)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->e=BN_bin2bn(bs->data,bs->length,ret->e)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->d=BN_bin2bn(bs->data,bs->length,ret->d)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->p=BN_bin2bn(bs->data,bs->length,ret->p)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->q=BN_bin2bn(bs->data,bs->length,ret->q)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->dmp1=BN_bin2bn(bs->data,bs->length,ret->dmp1)) == NULL)
+		goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->dmq1=BN_bin2bn(bs->data,bs->length,ret->dmq1)) == NULL)
+		goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->iqmp=BN_bin2bn(bs->data,bs->length,ret->iqmp)) == NULL)
+		goto err_bn;
+
+	M_ASN1_INTEGER_free(bs);
+
+	M_ASN1_D2I_Finish_2(a);
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_RSAPRIVATEKEY,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) RSA_free(ret);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
+
+	return(NULL);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/d2i_r_pu.c b/crypto/openssl/crypto/asn1/d2i_r_pu.c
new file mode 100644
index 0000000..d1289f1
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_r_pu.c
@@ -0,0 +1,103 @@
+/* crypto/asn1/d2i_r_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+#ifdef NEG_PUBKEY_BUG
+#define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER
+#endif
+
+RSA *d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length)
+	{
+	int i=ASN1_R_PARSING;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,RSA *,RSA_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->n=BN_bin2bn(bs->data,bs->length,ret->n)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->e=BN_bin2bn(bs->data,bs->length,ret->e)) == NULL) goto err_bn;
+
+	M_ASN1_INTEGER_free(bs);
+	bs=NULL;
+
+	M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_RSAPUBLICKEY,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) RSA_free(ret);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
+	return(NULL);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/d2i_s_pr.c b/crypto/openssl/crypto/asn1/d2i_s_pr.c
new file mode 100644
index 0000000..dec2a2e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_s_pr.c
@@ -0,0 +1,105 @@
+/* crypto/asn1/d2i_s_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+DSA *d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length)
+	{
+	int i=ASN1_R_PARSING;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,DSA *,DSA_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if (bs->length == 0)
+		ret->version=0;
+	else	ret->version=bs->data[0];
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->p=BN_bin2bn(bs->data,bs->length,ret->p)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->q=BN_bin2bn(bs->data,bs->length,ret->q)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->pub_key=BN_bin2bn(bs->data,bs->length,ret->pub_key))
+		== NULL) goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->priv_key=BN_bin2bn(bs->data,bs->length,ret->priv_key))
+		== NULL) goto err_bn;
+
+	M_ASN1_INTEGER_free(bs);
+
+	M_ASN1_D2I_Finish_2(a);
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_DSAPRIVATEKEY,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
+	return(NULL);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/d2i_s_pu.c b/crypto/openssl/crypto/asn1/d2i_s_pu.c
new file mode 100644
index 0000000..e0adaa0
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/d2i_s_pu.c
@@ -0,0 +1,121 @@
+/* crypto/asn1/d2i_s_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+#ifdef NEG_PUBKEY_BUG
+#define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER
+#endif
+
+DSA *d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length)
+	{
+	int i=ASN1_R_PARSING;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,DSA *,DSA_new);
+
+	M_ASN1_D2I_Init();
+	if ((length != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED))
+		== (V_ASN1_UNIVERSAL|(V_ASN1_INTEGER))))
+		{
+		c.slen=length;
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		if ((ret->pub_key=BN_bin2bn(bs->data,bs->length,ret->pub_key))
+                        == NULL)
+                        goto err_bn;
+		ret->write_params=0;
+		}
+	else
+		{
+		M_ASN1_D2I_start_sequence();
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		if ((ret->pub_key=BN_bin2bn(bs->data,bs->length,ret->pub_key))
+			== NULL)
+			goto err_bn;
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		if ((ret->p=BN_bin2bn(bs->data,bs->length,ret->p)) == NULL)
+			goto err_bn;
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		if ((ret->q=BN_bin2bn(bs->data,bs->length,ret->q)) == NULL)
+			goto err_bn;
+		M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+		if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL)
+			goto err_bn;
+
+		ret->write_params=1;
+		}
+
+	M_ASN1_INTEGER_free(bs);
+	bs=NULL;
+	M_ASN1_D2I_Finish_2(a);
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	ASN1err(ASN1_F_D2I_DSAPUBLICKEY,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
+	return(NULL);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/evp_asn1.c b/crypto/openssl/crypto/asn1/evp_asn1.c
new file mode 100644
index 0000000..3506005
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/evp_asn1.c
@@ -0,0 +1,185 @@
+/* crypto/asn1/evp_asn1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
+	{
+	ASN1_STRING *os;
+
+	if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0);
+	if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0);
+	ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os);
+	return(1);
+	}
+
+/* int max_len:  for returned value    */
+int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data,
+	     int max_len)
+	{
+	int ret,num;
+	unsigned char *p;
+
+	if ((a->type != V_ASN1_OCTET_STRING) || (a->value.octet_string == NULL))
+		{
+		ASN1err(ASN1_F_ASN1_TYPE_GET_OCTETSTRING,ASN1_R_DATA_IS_WRONG);
+		return(-1);
+		}
+	p=M_ASN1_STRING_data(a->value.octet_string);
+	ret=M_ASN1_STRING_length(a->value.octet_string);
+	if (ret < max_len)
+		num=ret;
+	else
+		num=max_len;
+	memcpy(data,p,num);
+	return(ret);
+	}
+
+int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
+	     int len)
+	{
+	int n,size;
+	ASN1_OCTET_STRING os,*osp;
+	ASN1_INTEGER in;
+	unsigned char *p;
+	unsigned char buf[32]; /* when they have 256bit longs, 
+				* I'll be in trouble */
+	in.data=buf;
+	in.length=32;
+	os.data=data;
+	os.type=V_ASN1_OCTET_STRING;
+	os.length=len;
+	ASN1_INTEGER_set(&in,num);
+	n =  i2d_ASN1_INTEGER(&in,NULL);
+	n+=M_i2d_ASN1_OCTET_STRING(&os,NULL);
+
+	size=ASN1_object_size(1,n,V_ASN1_SEQUENCE);
+
+	if ((osp=ASN1_STRING_new()) == NULL) return(0);
+	/* Grow the 'string' */
+	ASN1_STRING_set(osp,NULL,size);
+
+	M_ASN1_STRING_length_set(osp, size);
+	p=M_ASN1_STRING_data(osp);
+
+	ASN1_put_object(&p,1,n,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	  i2d_ASN1_INTEGER(&in,&p);
+	M_i2d_ASN1_OCTET_STRING(&os,&p);
+
+	ASN1_TYPE_set(a,V_ASN1_SEQUENCE,osp);
+	return(1);
+	}
+
+/* we return the actual length..., num may be missing, in which
+ * case, set it to zero */
+/* int max_len:  for returned value    */
+int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data,
+	     int max_len)
+	{
+	int ret= -1,n;
+	ASN1_INTEGER *ai=NULL;
+	ASN1_OCTET_STRING *os=NULL;
+	unsigned char *p;
+	long length;
+	ASN1_CTX c;
+
+	if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL))
+		{
+		goto err;
+		}
+	p=M_ASN1_STRING_data(a->value.sequence);
+	length=M_ASN1_STRING_length(a->value.sequence);
+
+	c.pp= &p;
+	c.p=p;
+	c.max=p+length;
+	c.error=ASN1_R_DATA_IS_WRONG;
+
+	M_ASN1_D2I_start_sequence();
+	c.q=c.p;
+	if ((ai=d2i_ASN1_INTEGER(NULL,&c.p,c.slen)) == NULL) goto err;
+        c.slen-=(c.p-c.q);
+	c.q=c.p;
+	if ((os=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) goto err;
+        c.slen-=(c.p-c.q);
+	if (!M_ASN1_D2I_end_sequence()) goto err;
+
+	if (num != NULL)
+		*num=ASN1_INTEGER_get(ai);
+
+	ret=M_ASN1_STRING_length(os);
+	if (max_len > ret)
+		n=ret;
+	else
+		n=max_len;
+
+	if (data != NULL)
+		memcpy(data,M_ASN1_STRING_data(os),n);
+	if (0)
+		{
+err:
+		ASN1err(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,ASN1_R_DATA_IS_WRONG);
+		}
+	if (os != NULL) M_ASN1_OCTET_STRING_free(os);
+	if (ai != NULL) M_ASN1_INTEGER_free(ai);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/f.c b/crypto/openssl/crypto/asn1/f.c
new file mode 100644
index 0000000..82bccdf
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/f.c
@@ -0,0 +1,80 @@
+/* crypto/asn1/f.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/err.h>
+
+main()
+	{
+	ASN1_TYPE *at;
+	char buf[512];
+	int n;
+	long l;
+
+	at=ASN1_TYPE_new();
+
+	n=ASN1_TYPE_set_int_octetstring(at,98736,"01234567",8);
+	printf("%d\n",n);
+	n=ASN1_TYPE_get_int_octetstring(at,&l,buf,8);
+	buf[8]='\0';
+	printf("%ld %d %d\n",l,n,buf[8]);
+	buf[8]='\0';
+	printf("%s\n",buf);
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	}
diff --git a/crypto/openssl/crypto/asn1/f_enum.c b/crypto/openssl/crypto/asn1/f_enum.c
new file mode 100644
index 0000000..3d0b1107
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/f_enum.c
@@ -0,0 +1,207 @@
+/* crypto/asn1/f_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+/* Based on a_int.c: equivalent ENUMERATED functions */
+
+int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+	{
+	int i,n=0;
+	static const char *h="0123456789ABCDEF";
+	char buf[2];
+
+	if (a == NULL) return(0);
+
+	if (a->length == 0)
+		{
+		if (BIO_write(bp,"00",2) != 2) goto err;
+		n=2;
+		}
+	else
+		{
+		for (i=0; i<a->length; i++)
+			{
+			if ((i != 0) && (i%35 == 0))
+				{
+				if (BIO_write(bp,"\\\n",2) != 2) goto err;
+				n+=2;
+				}
+			buf[0]=h[((unsigned char)a->data[i]>>4)&0x0f];
+			buf[1]=h[((unsigned char)a->data[i]   )&0x0f];
+			if (BIO_write(bp,buf,2) != 2) goto err;
+			n+=2;
+			}
+		}
+	return(n);
+err:
+	return(-1);
+	}
+
+int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
+	{
+	int ret=0;
+	int i,j,k,m,n,again,bufsize;
+	unsigned char *s=NULL,*sp;
+	unsigned char *bufp;
+	int num=0,slen=0,first=1;
+
+	bs->type=V_ASN1_ENUMERATED;
+
+	bufsize=BIO_gets(bp,buf,size);
+	for (;;)
+		{
+		if (bufsize < 1) goto err_sl;
+		i=bufsize;
+		if (buf[i-1] == '\n') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		if (buf[i-1] == '\r') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		again=(buf[i-1] == '\\');
+
+		for (j=0; j<i; j++)
+			{
+			if (!(	((buf[j] >= '0') && (buf[j] <= '9')) ||
+				((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+				((buf[j] >= 'A') && (buf[j] <= 'F'))))
+				{
+				i=j;
+				break;
+				}
+			}
+		buf[i]='\0';
+		/* We have now cleared all the crap off the end of the
+		 * line */
+		if (i < 2) goto err_sl;
+
+		bufp=(unsigned char *)buf;
+		if (first)
+			{
+			first=0;
+			if ((bufp[0] == '0') && (buf[1] == '0'))
+				{
+				bufp+=2;
+				i-=2;
+				}
+			}
+		k=0;
+		i-=again;
+		if (i%2 != 0)
+			{
+			ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_ODD_NUMBER_OF_CHARS);
+			goto err;
+			}
+		i/=2;
+		if (num+i > slen)
+			{
+			if (s == NULL)
+				sp=(unsigned char *)Malloc(
+					(unsigned int)num+i*2);
+			else
+				sp=(unsigned char *)Realloc(s,
+					(unsigned int)num+i*2);
+			if (sp == NULL)
+				{
+				ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+				if (s != NULL) Free(s);
+				goto err;
+				}
+			s=sp;
+			slen=num+i*2;
+			}
+		for (j=0; j<i; j++,k+=2)
+			{
+			for (n=0; n<2; n++)
+				{
+				m=bufp[k+n];
+				if ((m >= '0') && (m <= '9'))
+					m-='0';
+				else if ((m >= 'a') && (m <= 'f'))
+					m=m-'a'+10;
+				else if ((m >= 'A') && (m <= 'F'))
+					m=m-'A'+10;
+				else
+					{
+					ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_NON_HEX_CHARACTERS);
+					goto err;
+					}
+				s[num+j]<<=4;
+				s[num+j]|=m;
+				}
+			}
+		num+=i;
+		if (again)
+			bufsize=BIO_gets(bp,buf,size);
+		else
+			break;
+		}
+	bs->length=num;
+	bs->data=s;
+	ret=1;
+err:
+	if (0)
+		{
+err_sl:
+		ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_SHORT_LINE);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/f_int.c b/crypto/openssl/crypto/asn1/f_int.c
new file mode 100644
index 0000000..cd57331
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/f_int.c
@@ -0,0 +1,214 @@
+/* crypto/asn1/f_int.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
+	{
+	int i,n=0;
+	static const char *h="0123456789ABCDEF";
+	char buf[2];
+
+	if (a == NULL) return(0);
+
+	if (a->length == 0)
+		{
+		if (BIO_write(bp,"00",2) != 2) goto err;
+		n=2;
+		}
+	else
+		{
+		for (i=0; i<a->length; i++)
+			{
+			if ((i != 0) && (i%35 == 0))
+				{
+				if (BIO_write(bp,"\\\n",2) != 2) goto err;
+				n+=2;
+				}
+			buf[0]=h[((unsigned char)a->data[i]>>4)&0x0f];
+			buf[1]=h[((unsigned char)a->data[i]   )&0x0f];
+			if (BIO_write(bp,buf,2) != 2) goto err;
+			n+=2;
+			}
+		}
+	return(n);
+err:
+	return(-1);
+	}
+
+int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
+	{
+	int ret=0;
+	int i,j,k,m,n,again,bufsize;
+	unsigned char *s=NULL,*sp;
+	unsigned char *bufp;
+	int num=0,slen=0,first=1;
+
+	bs->type=V_ASN1_INTEGER;
+
+	bufsize=BIO_gets(bp,buf,size);
+	for (;;)
+		{
+		if (bufsize < 1) goto err_sl;
+		i=bufsize;
+		if (buf[i-1] == '\n') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		if (buf[i-1] == '\r') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		again=(buf[i-1] == '\\');
+
+		for (j=0; j<i; j++)
+			{
+#ifndef CHARSET_EBCDIC
+			if (!(	((buf[j] >= '0') && (buf[j] <= '9')) ||
+				((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+				((buf[j] >= 'A') && (buf[j] <= 'F'))))
+#else
+			/* This #ifdef is not strictly necessary, since
+			 * the characters A...F a...f 0...9 are contiguous
+			 * (yes, even in EBCDIC - but not the whole alphabet).
+			 * Nevertheless, isxdigit() is faster.
+			 */
+			if (!isxdigit(buf[j]))
+#endif
+				{
+				i=j;
+				break;
+				}
+			}
+		buf[i]='\0';
+		/* We have now cleared all the crap off the end of the
+		 * line */
+		if (i < 2) goto err_sl;
+
+		bufp=(unsigned char *)buf;
+		if (first)
+			{
+			first=0;
+			if ((bufp[0] == '0') && (buf[1] == '0'))
+				{
+				bufp+=2;
+				i-=2;
+				}
+			}
+		k=0;
+		i-=again;
+		if (i%2 != 0)
+			{
+			ASN1err(ASN1_F_A2I_ASN1_INTEGER,ASN1_R_ODD_NUMBER_OF_CHARS);
+			goto err;
+			}
+		i/=2;
+		if (num+i > slen)
+			{
+			if (s == NULL)
+				sp=(unsigned char *)Malloc(
+					(unsigned int)num+i*2);
+			else
+				sp=(unsigned char *)Realloc(s,
+					(unsigned int)num+i*2);
+			if (sp == NULL)
+				{
+				ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+				if (s != NULL) Free(s);
+				goto err;
+				}
+			s=sp;
+			slen=num+i*2;
+			}
+		for (j=0; j<i; j++,k+=2)
+			{
+			for (n=0; n<2; n++)
+				{
+				m=bufp[k+n];
+				if ((m >= '0') && (m <= '9'))
+					m-='0';
+				else if ((m >= 'a') && (m <= 'f'))
+					m=m-'a'+10;
+				else if ((m >= 'A') && (m <= 'F'))
+					m=m-'A'+10;
+				else
+					{
+					ASN1err(ASN1_F_A2I_ASN1_INTEGER,ASN1_R_NON_HEX_CHARACTERS);
+					goto err;
+					}
+				s[num+j]<<=4;
+				s[num+j]|=m;
+				}
+			}
+		num+=i;
+		if (again)
+			bufsize=BIO_gets(bp,buf,size);
+		else
+			break;
+		}
+	bs->length=num;
+	bs->data=s;
+	ret=1;
+err:
+	if (0)
+		{
+err_sl:
+		ASN1err(ASN1_F_A2I_ASN1_INTEGER,ASN1_R_SHORT_LINE);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/f_string.c b/crypto/openssl/crypto/asn1/f_string.c
new file mode 100644
index 0000000..0883136
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/f_string.c
@@ -0,0 +1,212 @@
+/* crypto/asn1/f_string.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
+	{
+	int i,n=0;
+	static const char *h="0123456789ABCDEF";
+	char buf[2];
+
+	if (a == NULL) return(0);
+
+	if (a->length == 0)
+		{
+		if (BIO_write(bp,"0",1) != 1) goto err;
+		n=1;
+		}
+	else
+		{
+		for (i=0; i<a->length; i++)
+			{
+			if ((i != 0) && (i%35 == 0))
+				{
+				if (BIO_write(bp,"\\\n",2) != 2) goto err;
+				n+=2;
+				}
+			buf[0]=h[((unsigned char)a->data[i]>>4)&0x0f];
+			buf[1]=h[((unsigned char)a->data[i]   )&0x0f];
+			if (BIO_write(bp,buf,2) != 2) goto err;
+			n+=2;
+			}
+		}
+	return(n);
+err:
+	return(-1);
+	}
+
+int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
+	{
+	int ret=0;
+	int i,j,k,m,n,again,bufsize;
+	unsigned char *s=NULL,*sp;
+	unsigned char *bufp;
+	int num=0,slen=0,first=1;
+
+	bufsize=BIO_gets(bp,buf,size);
+	for (;;)
+		{
+		if (bufsize < 1)
+			{
+			if (first)
+				break;
+			else
+				goto err_sl;
+			}
+		first=0;
+
+		i=bufsize;
+		if (buf[i-1] == '\n') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		if (buf[i-1] == '\r') buf[--i]='\0';
+		if (i == 0) goto err_sl;
+		again=(buf[i-1] == '\\');
+
+		for (j=i-1; j>0; j--)
+			{
+#ifndef CHARSET_EBCDIC
+			if (!(	((buf[j] >= '0') && (buf[j] <= '9')) ||
+				((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+				((buf[j] >= 'A') && (buf[j] <= 'F'))))
+#else
+			/* This #ifdef is not strictly necessary, since
+			 * the characters A...F a...f 0...9 are contiguous
+			 * (yes, even in EBCDIC - but not the whole alphabet).
+			 * Nevertheless, isxdigit() is faster.
+			 */
+			if (!isxdigit(buf[j]))
+#endif
+				{
+				i=j;
+				break;
+				}
+			}
+		buf[i]='\0';
+		/* We have now cleared all the crap off the end of the
+		 * line */
+		if (i < 2) goto err_sl;
+
+		bufp=(unsigned char *)buf;
+
+		k=0;
+		i-=again;
+		if (i%2 != 0)
+			{
+			ASN1err(ASN1_F_A2I_ASN1_STRING,ASN1_R_ODD_NUMBER_OF_CHARS);
+			goto err;
+			}
+		i/=2;
+		if (num+i > slen)
+			{
+			if (s == NULL)
+				sp=(unsigned char *)Malloc(
+					(unsigned int)num+i*2);
+			else
+				sp=(unsigned char *)Realloc(s,
+					(unsigned int)num+i*2);
+			if (sp == NULL)
+				{
+				ASN1err(ASN1_F_A2I_ASN1_STRING,ERR_R_MALLOC_FAILURE);
+				if (s != NULL) Free(s);
+				goto err;
+				}
+			s=sp;
+			slen=num+i*2;
+			}
+		for (j=0; j<i; j++,k+=2)
+			{
+			for (n=0; n<2; n++)
+				{
+				m=bufp[k+n];
+				if ((m >= '0') && (m <= '9'))
+					m-='0';
+				else if ((m >= 'a') && (m <= 'f'))
+					m=m-'a'+10;
+				else if ((m >= 'A') && (m <= 'F'))
+					m=m-'A'+10;
+				else
+					{
+					ASN1err(ASN1_F_A2I_ASN1_STRING,ASN1_R_NON_HEX_CHARACTERS);
+					goto err;
+					}
+				s[num+j]<<=4;
+				s[num+j]|=m;
+				}
+			}
+		num+=i;
+		if (again)
+			bufsize=BIO_gets(bp,buf,size);
+		else
+			break;
+		}
+	bs->length=num;
+	bs->data=s;
+	ret=1;
+err:
+	if (0)
+		{
+err_sl:
+		ASN1err(ASN1_F_A2I_ASN1_STRING,ASN1_R_SHORT_LINE);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/i2d_dhp.c b/crypto/openssl/crypto/asn1/i2d_dhp.c
new file mode 100644
index 0000000..61eeb64
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_dhp.c
@@ -0,0 +1,128 @@
+/* crypto/asn1/i2d_dhp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/dh.h>
+
+int i2d_DHparams(DH *a, unsigned char **pp)
+	{
+	BIGNUM *num[3];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot=0,len,max=0;
+	int t,ret= -1;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+	num[0]=a->p;
+	num[1]=a->g;
+	if (a->length != 0)
+		{
+		if ((num[2]=BN_new()) == NULL) goto err;
+		if (!BN_set_word(num[2],a->length)) goto err;
+		}
+	else	
+		num[2]=NULL;
+
+	for (i=0; i<3; i++)
+		{
+		if (num[i] == NULL) continue;
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+	if (pp == NULL)
+		{
+		if (num[2] != NULL)
+			BN_free(num[2]);
+		return(t);
+		}
+
+	p= *pp;
+	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	bs.type=V_ASN1_INTEGER;
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_DHPARAMS,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	for (i=0; i<3; i++)
+		{
+		if (num[i] == NULL) continue;
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	ret=t;
+err:
+	if (num[2] != NULL) BN_free(num[2]);
+	*pp=p;
+	return(ret);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/i2d_dsap.c b/crypto/openssl/crypto/asn1/i2d_dsap.c
new file mode 100644
index 0000000..4021123
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_dsap.c
@@ -0,0 +1,117 @@
+/* crypto/asn1/i2d_dsap.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/dsa.h>
+
+int i2d_DSAparams(DSA *a, unsigned char **pp)
+	{
+	BIGNUM *num[3];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot=0,len,max=0;
+	int t,ret= -1;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+	num[0]=a->p;
+	num[1]=a->q;
+	num[2]=a->g;
+
+	for (i=0; i<3; i++)
+		{
+		if (num[i] == NULL) continue;
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+	if (pp == NULL) return(t);
+
+	p= *pp;
+	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	bs.type=V_ASN1_INTEGER;
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_DSAPARAMS,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	for (i=0; i<3; i++)
+		{
+		if (num[i] == NULL) continue;
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	ret=t;
+err:
+	*pp=p;
+	return(ret);
+	}
+#endif
+
diff --git a/crypto/openssl/crypto/asn1/i2d_pr.c b/crypto/openssl/crypto/asn1/i2d_pr.c
new file mode 100644
index 0000000..71d6910
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_pr.c
@@ -0,0 +1,84 @@
+/* crypto/asn1/i2d_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
+	{
+#ifndef NO_RSA
+	if (a->type == EVP_PKEY_RSA)
+		{
+		return(i2d_RSAPrivateKey(a->pkey.rsa,pp));
+		}
+	else
+#endif
+#ifndef NO_DSA
+	if (a->type == EVP_PKEY_DSA)
+		{
+		return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
+		}
+#endif
+
+	ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+	return(-1);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/i2d_pu.c b/crypto/openssl/crypto/asn1/i2d_pu.c
new file mode 100644
index 0000000..8f73d37
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_pu.c
@@ -0,0 +1,82 @@
+/* crypto/asn1/i2d_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
+	{
+	switch (a->type)
+		{
+#ifndef NO_RSA
+	case EVP_PKEY_RSA:
+		return(i2d_RSAPublicKey(a->pkey.rsa,pp));
+#endif
+#ifndef NO_DSA
+	case EVP_PKEY_DSA:
+		return(i2d_DSAPublicKey(a->pkey.dsa,pp));
+#endif
+	default:
+		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+		return(-1);
+		}
+	}
+
diff --git a/crypto/openssl/crypto/asn1/i2d_r_pr.c b/crypto/openssl/crypto/asn1/i2d_r_pr.c
new file mode 100644
index 0000000..1250fa4
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_r_pr.c
@@ -0,0 +1,133 @@
+/* crypto/asn1/i2d_r_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+int i2d_RSAPrivateKey(RSA *a, unsigned char **pp)
+	{
+	BIGNUM *num[9];
+	unsigned char data[1];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot,t,len,max=0;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+
+	num[1]=a->n;
+	num[2]=a->e;
+	num[3]=a->d;
+	num[4]=a->p;
+	num[5]=a->q;
+	num[6]=a->dmp1;
+	num[7]=a->dmq1;
+	num[8]=a->iqmp;
+
+	bs.length=1;
+	bs.data=data;
+	bs.type=V_ASN1_INTEGER;
+	data[0]=a->version&0x7f;
+
+	tot=i2d_ASN1_INTEGER(&(bs),NULL);
+	for (i=1; i<9; i++)
+		{
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+	if (pp == NULL) return(t);
+
+	p= *pp;
+	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	i2d_ASN1_INTEGER(&bs,&p);
+
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(-1);
+		}
+
+	for (i=1; i<9; i++)
+		{
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	*pp=p;
+	return(t);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
+
diff --git a/crypto/openssl/crypto/asn1/i2d_r_pu.c b/crypto/openssl/crypto/asn1/i2d_r_pu.c
new file mode 100644
index 0000000..582b92e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_r_pu.c
@@ -0,0 +1,118 @@
+/* crypto/asn1/i2d_r_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+int i2d_RSAPublicKey(RSA *a, unsigned char **pp)
+	{
+	BIGNUM *num[2];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot=0,len,max=0,t;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+
+	num[0]=a->n;
+	num[1]=a->e;
+
+	for (i=0; i<2; i++)
+		{
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+	if (pp == NULL) return(t);
+
+	p= *pp;
+	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	bs.type=V_ASN1_INTEGER;
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_RSAPUBLICKEY,ERR_R_MALLOC_FAILURE);
+		return(-1);
+		}
+
+	for (i=0; i<2; i++)
+		{
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	*pp=p;
+	return(t);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/i2d_s_pr.c b/crypto/openssl/crypto/asn1/i2d_s_pr.c
new file mode 100644
index 0000000..e399cea
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_s_pr.c
@@ -0,0 +1,123 @@
+/* crypto/asn1/i2d_s_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+int i2d_DSAPrivateKey(DSA *a, unsigned char **pp)
+	{
+	BIGNUM *num[6];
+	unsigned char data[1];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot,t,len,max=0;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+
+	num[1]=a->p;
+	num[2]=a->q;
+	num[3]=a->g;
+	num[4]=a->pub_key;
+	num[5]=a->priv_key;
+
+	bs.length=1;
+	bs.data=data;
+	bs.type=V_ASN1_INTEGER;
+	data[0]=a->version&0x7f;
+
+	tot=i2d_ASN1_INTEGER(&(bs),NULL);
+	for (i=1; i<6; i++)
+		{
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+	if (pp == NULL) return(t);
+
+	p= *pp;
+	ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	i2d_ASN1_INTEGER(&bs,&p);
+
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_DSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(-1);
+		}
+
+	for (i=1; i<6; i++)
+		{
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	*pp=p;
+	return(t);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/i2d_s_pu.c b/crypto/openssl/crypto/asn1/i2d_s_pu.c
new file mode 100644
index 0000000..ca7f251
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/i2d_s_pu.c
@@ -0,0 +1,129 @@
+/* crypto/asn1/i2d_s_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+
+int i2d_DSAPublicKey(DSA *a, unsigned char **pp)
+	{
+	BIGNUM *num[4];
+	ASN1_INTEGER bs;
+	unsigned int j,i,tot=0,len,max=0,t=0,all,n=1;
+	unsigned char *p;
+
+	if (a == NULL) return(0);
+
+	all=a->write_params;
+
+	num[0]=a->pub_key;
+	if (all)
+		{
+		num[1]=a->p;
+		num[2]=a->q;
+		num[3]=a->g;
+		n=4;
+		}
+
+	for (i=0; i<n; i++)
+		{
+		j=BN_num_bits(num[i]);
+		len=((j == 0)?0:((j/8)+1));
+		if (len > max) max=len;
+		len=ASN1_object_size(0,len,
+			(num[i]->neg)?V_ASN1_NEG_INTEGER:V_ASN1_INTEGER);
+		tot+=len;
+		}
+
+	if (all)
+		{
+		t=ASN1_object_size(1,tot,V_ASN1_SEQUENCE);
+		if (pp == NULL) return(t);
+		}
+	else
+		{
+		if (pp == NULL) return(tot);
+		}
+
+	p= *pp;
+	if (all)
+		ASN1_put_object(&p,1,tot,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	bs.type=V_ASN1_INTEGER;
+	bs.data=(unsigned char *)Malloc(max+4);
+	if (bs.data == NULL)
+		{
+		ASN1err(ASN1_F_I2D_DSAPUBLICKEY,ERR_R_MALLOC_FAILURE);
+		return(-1);
+		}
+
+	for (i=0; i<n; i++)
+		{
+		bs.length=BN_bn2bin(num[i],bs.data);
+		i2d_ASN1_INTEGER(&bs,&p);
+		}
+	Free(bs.data);
+	*pp=p;
+	if(all) return(t);
+	else return(tot);
+	}
+#endif
diff --git a/crypto/openssl/crypto/asn1/n_pkey.c b/crypto/openssl/crypto/asn1/n_pkey.c
new file mode 100644
index 0000000..d804986
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/n_pkey.c
@@ -0,0 +1,348 @@
+/* crypto/asn1/n_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+
+#ifndef NO_RC4
+
+typedef struct netscape_pkey_st
+	{
+	ASN1_INTEGER *version;
+	X509_ALGOR *algor;
+	ASN1_OCTET_STRING *private_key;
+	} NETSCAPE_PKEY;
+
+static int i2d_NETSCAPE_PKEY(NETSCAPE_PKEY *a, unsigned char **pp);
+static NETSCAPE_PKEY *d2i_NETSCAPE_PKEY(NETSCAPE_PKEY **a,unsigned char **pp, long length);
+static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void);
+static void NETSCAPE_PKEY_free(NETSCAPE_PKEY *);
+
+int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)())
+	{
+	int i,j,l[6];
+	NETSCAPE_PKEY *pkey;
+	unsigned char buf[256],*zz;
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	EVP_CIPHER_CTX ctx;
+	X509_ALGOR *alg=NULL;
+	ASN1_OCTET_STRING os,os2;
+	M_ASN1_I2D_vars(a);
+
+	if (a == NULL) return(0);
+
+#ifdef WIN32
+	r=r; /* shut the damn compiler up :-) */
+#endif
+
+	os.data=os2.data=NULL;
+	if ((pkey=NETSCAPE_PKEY_new()) == NULL) goto err;
+	if (!ASN1_INTEGER_set(pkey->version,0)) goto err;
+
+	if (pkey->algor->algorithm != NULL)
+		ASN1_OBJECT_free(pkey->algor->algorithm);
+	pkey->algor->algorithm=OBJ_nid2obj(NID_rsaEncryption);
+	if ((pkey->algor->parameter=ASN1_TYPE_new()) == NULL) goto err;
+	pkey->algor->parameter->type=V_ASN1_NULL;
+
+	l[0]=i2d_RSAPrivateKey(a,NULL);
+	pkey->private_key->length=l[0];
+
+	os2.length=i2d_NETSCAPE_PKEY(pkey,NULL);
+	l[1]=i2d_ASN1_OCTET_STRING(&os2,NULL);
+
+	if ((alg=X509_ALGOR_new()) == NULL) goto err;
+	if (alg->algorithm != NULL)
+		ASN1_OBJECT_free(alg->algorithm);
+	alg->algorithm=OBJ_nid2obj(NID_rc4);
+	if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
+	alg->parameter->type=V_ASN1_NULL;
+
+	l[2]=i2d_X509_ALGOR(alg,NULL);
+	l[3]=ASN1_object_size(1,l[2]+l[1],V_ASN1_SEQUENCE);
+
+#ifndef CONST_STRICT
+	os.data=(unsigned char *)"private-key";
+#endif
+	os.length=11;
+	l[4]=i2d_ASN1_OCTET_STRING(&os,NULL);
+
+	l[5]=ASN1_object_size(1,l[4]+l[3],V_ASN1_SEQUENCE);
+
+	if (pp == NULL)
+		{
+		if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
+		if (alg != NULL) X509_ALGOR_free(alg);
+		return(l[5]);
+		}
+
+	if (pkey->private_key->data != NULL)
+		Free(pkey->private_key->data);
+	if ((pkey->private_key->data=(unsigned char *)Malloc(l[0])) == NULL)
+		{
+		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	zz=pkey->private_key->data;
+	i2d_RSAPrivateKey(a,&zz);
+
+	if ((os2.data=(unsigned char *)Malloc(os2.length)) == NULL)
+		{
+		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	zz=os2.data;
+	i2d_NETSCAPE_PKEY(pkey,&zz);
+		
+	if (cb == NULL)
+		cb=EVP_read_pw_string;
+	i=cb(buf,256,"Enter Private Key password:",1);
+	if (i != 0)
+		{
+		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ASN1_R_BAD_PASSWORD_READ);
+		goto err;
+		}
+	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,
+		strlen((char *)buf),1,key,NULL);
+	memset(buf,0,256);
+
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL);
+	EVP_EncryptUpdate(&ctx,os2.data,&i,os2.data,os2.length);
+	EVP_EncryptFinal(&ctx,&(os2.data[i]),&j);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+
+	p= *pp;
+	ASN1_put_object(&p,1,l[4]+l[3],V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	i2d_ASN1_OCTET_STRING(&os,&p);
+	ASN1_put_object(&p,1,l[2]+l[1],V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	i2d_X509_ALGOR(alg,&p);
+	i2d_ASN1_OCTET_STRING(&os2,&p);
+	ret=l[5];
+err:
+	if (os2.data != NULL) Free(os2.data);
+	if (alg != NULL) X509_ALGOR_free(alg);
+	if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
+	r=r;
+	return(ret);
+	}
+
+RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)())
+	{
+	RSA *ret=NULL;
+	ASN1_OCTET_STRING *os=NULL;
+	ASN1_CTX c;
+
+	c.pp=pp;
+	c.error=ASN1_R_DECODING_ERROR;
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(os,d2i_ASN1_OCTET_STRING);
+	if ((os->length != 11) || (strncmp("private-key",
+		(char *)os->data,os->length) != 0))
+		{
+		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
+		M_ASN1_BIT_STRING_free(os);
+		goto err;
+		}
+	M_ASN1_BIT_STRING_free(os);
+	c.q=c.p;
+	if ((ret=d2i_Netscape_RSA_2(a,&c.p,c.slen,cb)) == NULL) goto err;
+	c.slen-=(c.p-c.q);
+
+	M_ASN1_D2I_Finish(a,RSA_free,ASN1_F_D2I_NETSCAPE_RSA);
+	}
+
+RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length,
+	     int (*cb)())
+	{
+	NETSCAPE_PKEY *pkey=NULL;
+	RSA *ret=NULL;
+	int i,j;
+	unsigned char buf[256],*zz;
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	EVP_CIPHER_CTX ctx;
+	X509_ALGOR *alg=NULL;
+	ASN1_OCTET_STRING *os=NULL;
+	ASN1_CTX c;
+
+	c.error=ERR_R_NESTED_ASN1_ERROR;
+	c.pp=pp;
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(alg,d2i_X509_ALGOR);
+	if (OBJ_obj2nid(alg->algorithm) != NID_rc4)
+		{
+		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
+		goto err;
+		}
+	M_ASN1_D2I_get(os,d2i_ASN1_OCTET_STRING);
+	if (cb == NULL)
+		cb=EVP_read_pw_string;
+	i=cb(buf,256,"Enter Private Key password:",0);
+	if (i != 0)
+		{
+		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_BAD_PASSWORD_READ);
+		goto err;
+		}
+
+	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,
+		strlen((char *)buf),1,key,NULL);
+	memset(buf,0,256);
+
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL);
+	EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length);
+	EVP_DecryptFinal(&ctx,&(os->data[i]),&j);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	os->length=i+j;
+
+	zz=os->data;
+
+	if ((pkey=d2i_NETSCAPE_PKEY(NULL,&zz,os->length)) == NULL)
+		{
+		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
+		goto err;
+		}
+		
+	zz=pkey->private_key->data;
+	if ((ret=d2i_RSAPrivateKey(a,&zz,pkey->private_key->length)) == NULL)
+		{
+		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
+		goto err;
+		}
+	if (!asn1_Finish(&c)) goto err;
+	*pp=c.p;
+err:
+	if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
+	if (os != NULL) M_ASN1_BIT_STRING_free(os);
+	if (alg != NULL) X509_ALGOR_free(alg);
+	return(ret);
+	}
+
+static int i2d_NETSCAPE_PKEY(NETSCAPE_PKEY *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+
+	M_ASN1_I2D_len(a->version,	i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->private_key,	i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,	i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->private_key,	i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+static NETSCAPE_PKEY *d2i_NETSCAPE_PKEY(NETSCAPE_PKEY **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,NETSCAPE_PKEY *,NETSCAPE_PKEY_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->private_key,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_Finish(a,NETSCAPE_PKEY_free,ASN1_F_D2I_NETSCAPE_PKEY);
+	}
+
+static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void)
+	{
+	NETSCAPE_PKEY *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,NETSCAPE_PKEY);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->algor,X509_ALGOR_new);
+	M_ASN1_New(ret->private_key,M_ASN1_OCTET_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_NETSCAPE_PKEY_NEW);
+	}
+
+static void NETSCAPE_PKEY_free(NETSCAPE_PKEY *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	X509_ALGOR_free(a->algor);
+	M_ASN1_OCTET_STRING_free(a->private_key);
+	Free(a);
+	}
+
+#endif /* NO_RC4 */
+
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/nsseq.c b/crypto/openssl/crypto/asn1/nsseq.c
new file mode 100644
index 0000000..417d024
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/nsseq.c
@@ -0,0 +1,118 @@
+/* nsseq.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+
+/* Netscape certificate sequence structure */
+
+int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+					     V_ASN1_SEQUENCE,v);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+					     V_ASN1_SEQUENCE,v);
+
+	M_ASN1_I2D_finish();
+}
+
+NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void)
+{
+	NETSCAPE_CERT_SEQUENCE *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, NETSCAPE_CERT_SEQUENCE);
+	/* Note hardcoded object type */
+	ret->type = OBJ_nid2obj(NID_netscape_cert_sequence);
+	ret->certs = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW);
+}
+
+NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a,
+	     unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,NETSCAPE_CERT_SEQUENCE *,
+					NETSCAPE_CERT_SEQUENCE_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get_EXP_set_opt_type(X509,ret->certs,d2i_X509,X509_free,0,
+					V_ASN1_SEQUENCE);
+	M_ASN1_D2I_Finish(a, NETSCAPE_CERT_SEQUENCE_free,
+			  ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE);
+}
+
+void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a)
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->type);
+	if(a->certs)
+	    sk_X509_pop_free(a->certs, X509_free);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/asn1/p5_pbe.c b/crypto/openssl/crypto/asn1/p5_pbe.c
new file mode 100644
index 0000000..a147ac3
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p5_pbe.c
@@ -0,0 +1,157 @@
+/* p5_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 password based encryption structure */
+
+int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len (a->salt, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total ();
+
+	M_ASN1_I2D_put (a->salt, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_finish();
+}
+
+PBEPARAM *PBEPARAM_new(void)
+{
+	PBEPARAM *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PBEPARAM);
+	M_ASN1_New(ret->iter,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->salt,M_ASN1_OCTET_STRING_new);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PBEPARAM_NEW);
+}
+
+PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,PBEPARAM *,PBEPARAM_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->salt, d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a, PBEPARAM_free, ASN1_F_D2I_PBEPARAM);
+}
+
+void PBEPARAM_free (PBEPARAM *a)
+{
+	if(a==NULL) return;
+	M_ASN1_OCTET_STRING_free(a->salt);
+	M_ASN1_INTEGER_free (a->iter);
+	Free (a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 PBE algorithm */
+
+X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
+	     int saltlen)
+{
+	PBEPARAM *pbe;
+	ASN1_OBJECT *al;
+	X509_ALGOR *algor;
+	ASN1_TYPE *astype;
+
+	if (!(pbe = PBEPARAM_new ())) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+	ASN1_INTEGER_set (pbe->iter, iter);
+	if (!saltlen) saltlen = PKCS5_SALT_LEN;
+	if (!(pbe->salt->data = Malloc (saltlen))) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	pbe->salt->length = saltlen;
+	if (salt) memcpy (pbe->salt->data, salt, saltlen);
+	else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
+		return NULL;
+
+	if (!(astype = ASN1_TYPE_new())) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	astype->type = V_ASN1_SEQUENCE;
+	if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	PBEPARAM_free (pbe);
+	
+	al = OBJ_nid2obj(alg); /* never need to free al */
+	if (!(algor = X509_ALGOR_new())) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	ASN1_OBJECT_free(algor->algorithm);
+	algor->algorithm = al;
+	algor->parameter = astype;
+
+	return (algor);
+}
diff --git a/crypto/openssl/crypto/asn1/p5_pbev2.c b/crypto/openssl/crypto/asn1/p5_pbev2.c
new file mode 100644
index 0000000..1bbdb10
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p5_pbev2.c
@@ -0,0 +1,282 @@
+/* p5_pbev2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 v2.0 password based encryption structures */
+
+int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len (a->keyfunc, i2d_X509_ALGOR);
+	M_ASN1_I2D_len (a->encryption, i2d_X509_ALGOR);
+
+	M_ASN1_I2D_seq_total ();
+
+	M_ASN1_I2D_put (a->keyfunc, i2d_X509_ALGOR);
+	M_ASN1_I2D_put (a->encryption, i2d_X509_ALGOR);
+
+	M_ASN1_I2D_finish();
+}
+
+PBE2PARAM *PBE2PARAM_new(void)
+{
+	PBE2PARAM *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PBE2PARAM);
+	M_ASN1_New(ret->keyfunc,X509_ALGOR_new);
+	M_ASN1_New(ret->encryption,X509_ALGOR_new);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PBE2PARAM_NEW);
+}
+
+PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,PBE2PARAM *,PBE2PARAM_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->keyfunc, d2i_X509_ALGOR);
+	M_ASN1_D2I_get (ret->encryption, d2i_X509_ALGOR);
+	M_ASN1_D2I_Finish(a, PBE2PARAM_free, ASN1_F_D2I_PBE2PARAM);
+}
+
+void PBE2PARAM_free (PBE2PARAM *a)
+{
+	if(a==NULL) return;
+	X509_ALGOR_free(a->keyfunc);
+	X509_ALGOR_free(a->encryption);
+	Free (a);
+}
+
+int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len (a->salt, i2d_ASN1_TYPE);
+	M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len (a->keylength, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len (a->prf, i2d_X509_ALGOR);
+
+	M_ASN1_I2D_seq_total ();
+
+	M_ASN1_I2D_put (a->salt, i2d_ASN1_TYPE);
+	M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put (a->keylength, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put (a->prf, i2d_X509_ALGOR);
+
+	M_ASN1_I2D_finish();
+}
+
+PBKDF2PARAM *PBKDF2PARAM_new(void)
+{
+	PBKDF2PARAM *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PBKDF2PARAM);
+	M_ASN1_New(ret->salt, ASN1_TYPE_new);
+	M_ASN1_New(ret->iter, M_ASN1_INTEGER_new);
+	ret->keylength = NULL;
+	ret->prf = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PBKDF2PARAM_NEW);
+}
+
+PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp,
+	     long length)
+{
+	M_ASN1_D2I_vars(a,PBKDF2PARAM *,PBKDF2PARAM_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->salt, d2i_ASN1_TYPE);
+	M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_opt (ret->keylength, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+	M_ASN1_D2I_get_opt (ret->prf, d2i_X509_ALGOR, V_ASN1_SEQUENCE);
+	M_ASN1_D2I_Finish(a, PBKDF2PARAM_free, ASN1_F_D2I_PBKDF2PARAM);
+}
+
+void PBKDF2PARAM_free (PBKDF2PARAM *a)
+{
+	if(a==NULL) return;
+	ASN1_TYPE_free(a->salt);
+	M_ASN1_INTEGER_free(a->iter);
+	M_ASN1_INTEGER_free(a->keylength);
+	X509_ALGOR_free(a->prf);
+	Free (a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
+ * yes I know this is horrible!
+ */
+
+X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
+				 unsigned char *salt, int saltlen)
+{
+	X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
+	int alg_nid;
+	EVP_CIPHER_CTX ctx;
+	unsigned char iv[EVP_MAX_IV_LENGTH];
+	PBKDF2PARAM *kdf = NULL;
+	PBE2PARAM *pbe2 = NULL;
+	ASN1_OCTET_STRING *osalt = NULL;
+	ASN1_OBJECT *obj;
+
+	alg_nid = EVP_CIPHER_type(cipher);
+	if(alg_nid == NID_undef) {
+		ASN1err(ASN1_F_PKCS5_PBE2_SET,
+				ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
+		goto err;
+	}
+	obj = OBJ_nid2obj(alg_nid);
+
+	if(!(pbe2 = PBE2PARAM_new())) goto merr;
+
+	/* Setup the AlgorithmIdentifier for the encryption scheme */
+	scheme = pbe2->encryption;
+
+	scheme->algorithm = obj;
+	if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
+
+	/* Create random IV */
+	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+		goto err;
+
+	/* Dummy cipherinit to just setup the IV */
+	EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
+	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
+		ASN1err(ASN1_F_PKCS5_PBE2_SET,
+					ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+		goto err;
+	}
+	EVP_CIPHER_CTX_cleanup(&ctx);
+
+	if(!(kdf = PBKDF2PARAM_new())) goto merr;
+	if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
+
+	if (!saltlen) saltlen = PKCS5_SALT_LEN;
+	if (!(osalt->data = Malloc (saltlen))) goto merr;
+	osalt->length = saltlen;
+	if (salt) memcpy (osalt->data, salt, saltlen);
+	else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0) goto merr;
+
+	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+	if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
+
+	/* Now include salt in kdf structure */
+	kdf->salt->value.octet_string = osalt;
+	kdf->salt->type = V_ASN1_OCTET_STRING;
+	osalt = NULL;
+
+	/* If its RC2 then we'd better setup the key length */
+
+	if(alg_nid == NID_rc2_cbc) {
+		if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr;
+		if(!ASN1_INTEGER_set (kdf->keylength,
+				 EVP_CIPHER_key_length(cipher))) goto merr;
+	}
+
+	/* prf can stay NULL because we are using hmacWithSHA1 */
+
+	/* Now setup the PBE2PARAM keyfunc structure */
+
+	pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+
+	/* Encode PBKDF2PARAM into parameter of pbe2 */
+
+	if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
+
+	if(!ASN1_pack_string(kdf, i2d_PBKDF2PARAM,
+			 &pbe2->keyfunc->parameter->value.sequence)) goto merr;
+	pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
+
+	PBKDF2PARAM_free(kdf);
+	kdf = NULL;
+
+	/* Now set up top level AlgorithmIdentifier */
+
+	if(!(ret = X509_ALGOR_new())) goto merr;
+	if(!(ret->parameter = ASN1_TYPE_new())) goto merr;
+
+	ret->algorithm = OBJ_nid2obj(NID_pbes2);
+
+	/* Encode PBE2PARAM into parameter */
+
+	if(!ASN1_pack_string(pbe2, i2d_PBE2PARAM,
+				 &ret->parameter->value.sequence)) goto merr;
+	ret->parameter->type = V_ASN1_SEQUENCE;
+
+	PBE2PARAM_free(pbe2);
+	pbe2 = NULL;
+
+	return ret;
+
+	merr:
+	ASN1err(ASN1_F_PKCS5_PBE2_SET,ERR_R_MALLOC_FAILURE);
+
+	err:
+	PBE2PARAM_free(pbe2);
+	/* Note 'scheme' is freed as part of pbe2 */
+	M_ASN1_OCTET_STRING_free(osalt);
+	PBKDF2PARAM_free(kdf);
+	X509_ALGOR_free(kalg);
+	X509_ALGOR_free(ret);
+
+	return NULL;
+
+}
diff --git a/crypto/openssl/crypto/asn1/p7_dgst.c b/crypto/openssl/crypto/asn1/p7_dgst.c
new file mode 100644
index 0000000..cba90e9
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_dgst.c
@@ -0,0 +1,121 @@
+/* crypto/asn1/p7_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_DIGEST(PKCS7_DIGEST *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->md,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->contents,i2d_PKCS7);
+	M_ASN1_I2D_len(a->digest,i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->md,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->contents,i2d_PKCS7);
+	M_ASN1_I2D_put(a->digest,i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_DIGEST *d2i_PKCS7_DIGEST(PKCS7_DIGEST **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_DIGEST *,PKCS7_DIGEST_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->md,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->contents,d2i_PKCS7);
+	M_ASN1_D2I_get(ret->digest,d2i_ASN1_OCTET_STRING);
+
+	M_ASN1_D2I_Finish(a,PKCS7_DIGEST_free,ASN1_F_D2I_PKCS7_DIGEST);
+	}
+
+PKCS7_DIGEST *PKCS7_DIGEST_new(void)
+	{
+	PKCS7_DIGEST *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_DIGEST);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->md,X509_ALGOR_new);
+	M_ASN1_New(ret->contents,PKCS7_new);
+	M_ASN1_New(ret->digest,M_ASN1_OCTET_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_DIGEST_NEW);
+	}
+
+void PKCS7_DIGEST_free(PKCS7_DIGEST *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	X509_ALGOR_free(a->md);
+	PKCS7_free(a->contents);
+	M_ASN1_OCTET_STRING_free(a->digest);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_enc.c b/crypto/openssl/crypto/asn1/p7_enc.c
new file mode 100644
index 0000000..83b0e15
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_enc.c
@@ -0,0 +1,111 @@
+/* crypto/asn1/p7_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_ENCRYPT(PKCS7_ENCRYPT *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_ENCRYPT *d2i_PKCS7_ENCRYPT(PKCS7_ENCRYPT **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_ENCRYPT *,PKCS7_ENCRYPT_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->enc_data,d2i_PKCS7_ENC_CONTENT);
+
+	M_ASN1_D2I_Finish(a,PKCS7_ENCRYPT_free,ASN1_F_D2I_PKCS7_ENCRYPT);
+	}
+
+PKCS7_ENCRYPT *PKCS7_ENCRYPT_new(void)
+	{
+	PKCS7_ENCRYPT *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_ENCRYPT);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_ENCRYPT_NEW);
+	}
+
+void PKCS7_ENCRYPT_free(PKCS7_ENCRYPT *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	PKCS7_ENC_CONTENT_free(a->enc_data);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_enc_c.c b/crypto/openssl/crypto/asn1/p7_enc_c.c
new file mode 100644
index 0000000..582cc78
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_enc_c.c
@@ -0,0 +1,120 @@
+/* crypto/asn1/p7_enc_c.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->content_type,i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len(a->algorithm,i2d_X509_ALGOR);
+	M_ASN1_I2D_len_IMP_opt(a->enc_data,i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->content_type,i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put(a->algorithm,i2d_X509_ALGOR);
+	M_ASN1_I2D_put_IMP_opt(a->enc_data,i2d_ASN1_OCTET_STRING,0);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_ENC_CONTENT *d2i_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT **a,
+	     unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_ENC_CONTENT *,PKCS7_ENC_CONTENT_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->content_type,d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get(ret->algorithm,d2i_X509_ALGOR);
+	M_ASN1_D2I_get_IMP_opt(ret->enc_data,d2i_ASN1_OCTET_STRING,0,
+		V_ASN1_OCTET_STRING);
+
+	M_ASN1_D2I_Finish(a,PKCS7_ENC_CONTENT_free,
+		ASN1_F_D2I_PKCS7_ENC_CONTENT);
+	}
+
+PKCS7_ENC_CONTENT *PKCS7_ENC_CONTENT_new(void)
+	{
+	PKCS7_ENC_CONTENT *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_ENC_CONTENT);
+	/* M_ASN1_New(ret->content_type,ASN1_OBJECT_new); */
+	/* We will almost always want this: so make it the default */
+	ret->content_type=OBJ_nid2obj(NID_pkcs7_data);
+	M_ASN1_New(ret->algorithm,X509_ALGOR_new);
+	ret->enc_data=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_ENC_CONTENT_NEW);
+	}
+
+void PKCS7_ENC_CONTENT_free(PKCS7_ENC_CONTENT *a)
+	{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->content_type);
+	X509_ALGOR_free(a->algorithm);
+	M_ASN1_OCTET_STRING_free(a->enc_data);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_evp.c b/crypto/openssl/crypto/asn1/p7_evp.c
new file mode 100644
index 0000000..4e734fd
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_evp.c
@@ -0,0 +1,119 @@
+/* crypto/asn1/p7_evp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_ENVELOPE(PKCS7_ENVELOPE *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len_SET_type(PKCS7_RECIP_INFO,a->recipientinfo,
+				i2d_PKCS7_RECIP_INFO);
+	M_ASN1_I2D_len(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put_SET_type(PKCS7_RECIP_INFO,a->recipientinfo,
+				i2d_PKCS7_RECIP_INFO);
+	M_ASN1_I2D_put(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_ENVELOPE *d2i_PKCS7_ENVELOPE(PKCS7_ENVELOPE **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_ENVELOPE *,PKCS7_ENVELOPE_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_set_type(PKCS7_RECIP_INFO,ret->recipientinfo,
+				d2i_PKCS7_RECIP_INFO,PKCS7_RECIP_INFO_free);
+	M_ASN1_D2I_get(ret->enc_data,d2i_PKCS7_ENC_CONTENT);
+
+	M_ASN1_D2I_Finish(a,PKCS7_ENVELOPE_free,ASN1_F_D2I_PKCS7_ENVELOPE);
+	}
+
+PKCS7_ENVELOPE *PKCS7_ENVELOPE_new(void)
+	{
+	PKCS7_ENVELOPE *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_ENVELOPE);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->recipientinfo,sk_PKCS7_RECIP_INFO_new_null);
+	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_ENVELOPE_NEW);
+	}
+
+void PKCS7_ENVELOPE_free(PKCS7_ENVELOPE *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	sk_PKCS7_RECIP_INFO_pop_free(a->recipientinfo,PKCS7_RECIP_INFO_free);
+	PKCS7_ENC_CONTENT_free(a->enc_data);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_i_s.c b/crypto/openssl/crypto/asn1/p7_i_s.c
new file mode 100644
index 0000000..d21f7dd
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_i_s.c
@@ -0,0 +1,111 @@
+/* crypto/asn1/p7_i_s.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_ISSUER_AND_SERIAL(PKCS7_ISSUER_AND_SERIAL *a,
+	     unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->issuer,i2d_X509_NAME);
+	M_ASN1_I2D_len(a->serial,i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->issuer,i2d_X509_NAME);
+	M_ASN1_I2D_put(a->serial,i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(PKCS7_ISSUER_AND_SERIAL **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_ISSUER_AND_SERIAL *,PKCS7_ISSUER_AND_SERIAL_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
+	M_ASN1_D2I_get(ret->serial,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a,PKCS7_ISSUER_AND_SERIAL_free,
+		ASN1_F_D2I_PKCS7_ISSUER_AND_SERIAL);
+	}
+
+PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void)
+	{
+	PKCS7_ISSUER_AND_SERIAL *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_New(ret->issuer,X509_NAME_new);
+	M_ASN1_New(ret->serial,M_ASN1_INTEGER_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW);
+	}
+
+void PKCS7_ISSUER_AND_SERIAL_free(PKCS7_ISSUER_AND_SERIAL *a)
+	{
+	if (a == NULL) return;
+	X509_NAME_free(a->issuer);
+	M_ASN1_INTEGER_free(a->serial);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_lib.c b/crypto/openssl/crypto/asn1/p7_lib.c
new file mode 100644
index 0000000..86db82c
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_lib.c
@@ -0,0 +1,295 @@
+/* crypto/asn1/p7_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/pkcs7.h>
+#include <openssl/objects.h>
+
+int i2d_PKCS7(PKCS7 *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	if (a->asn1 != NULL)
+		{
+		if (pp == NULL)
+			return((int)a->length);
+		memcpy(*pp,a->asn1,(int)a->length);
+		*pp+=a->length;
+		return((int)a->length);
+		}
+
+	ret+=4; /* sequence, BER header plus '0 0' end padding */
+	M_ASN1_I2D_len(a->type,i2d_ASN1_OBJECT);
+	if (a->d.ptr != NULL)
+		{
+		ret+=4; /* explicit tag [ 0 ] BER plus '0 0' */
+		switch (OBJ_obj2nid(a->type))
+			{
+		case NID_pkcs7_data:
+			M_ASN1_I2D_len(a->d.data,i2d_ASN1_OCTET_STRING);
+			break;
+		case NID_pkcs7_signed:
+			M_ASN1_I2D_len(a->d.sign,i2d_PKCS7_SIGNED);
+			break;
+		case NID_pkcs7_enveloped:
+			M_ASN1_I2D_len(a->d.enveloped,i2d_PKCS7_ENVELOPE);
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			M_ASN1_I2D_len(a->d.signed_and_enveloped,
+				i2d_PKCS7_SIGN_ENVELOPE);
+			break;
+		case NID_pkcs7_digest:
+			M_ASN1_I2D_len(a->d.digest,i2d_PKCS7_DIGEST);
+			break;
+		case NID_pkcs7_encrypted:
+			M_ASN1_I2D_len(a->d.encrypted,i2d_PKCS7_ENCRYPT);
+			break;
+		default:
+			break;
+			}
+		}
+	r=ret;
+	if (pp == NULL) return(r);
+	p= *pp;
+	M_ASN1_I2D_INF_seq_start(V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	M_ASN1_I2D_put(a->type,i2d_ASN1_OBJECT);
+
+	if (a->d.ptr != NULL)
+		{
+		M_ASN1_I2D_INF_seq_start(0,V_ASN1_CONTEXT_SPECIFIC);
+		switch (OBJ_obj2nid(a->type))
+			{
+		case NID_pkcs7_data:
+			M_ASN1_I2D_put(a->d.data,i2d_ASN1_OCTET_STRING);
+			break;
+		case NID_pkcs7_signed:
+			M_ASN1_I2D_put(a->d.sign,i2d_PKCS7_SIGNED);
+			break;
+		case NID_pkcs7_enveloped:
+			M_ASN1_I2D_put(a->d.enveloped,i2d_PKCS7_ENVELOPE);
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			M_ASN1_I2D_put(a->d.signed_and_enveloped,
+				i2d_PKCS7_SIGN_ENVELOPE);
+			break;
+		case NID_pkcs7_digest:
+			M_ASN1_I2D_put(a->d.digest,i2d_PKCS7_DIGEST);
+			break;
+		case NID_pkcs7_encrypted:
+			M_ASN1_I2D_put(a->d.encrypted,i2d_PKCS7_ENCRYPT);
+			break;
+		default:
+			break;
+			}
+		M_ASN1_I2D_INF_seq_end();
+		}
+	M_ASN1_I2D_INF_seq_end();
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7 *,PKCS7_new);
+
+	if ((a != NULL) && ((*a) != NULL))
+		{
+		if ((*a)->asn1 != NULL)
+			{
+			Free((*a)->asn1);
+			(*a)->asn1=NULL;
+			}
+		(*a)->length=0;
+		}
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->type,d2i_ASN1_OBJECT);
+	if (!M_ASN1_D2I_end_sequence())
+		{
+		int Tinf,Ttag,Tclass;
+		long Tlen;
+
+		if (M_ASN1_next != (V_ASN1_CONSTRUCTED|
+			V_ASN1_CONTEXT_SPECIFIC|0))
+			{
+			c.error=ASN1_R_BAD_PKCS7_CONTENT;
+			c.line=__LINE__;
+			goto err;
+			}
+
+		ret->detached=0;
+
+		c.q=c.p;
+		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,
+			(c.inf & 1)?(length+ *pp-c.q):c.slen);
+		if (Tinf & 0x80) { c.line=__LINE__; goto err; }
+		c.slen-=(c.p-c.q);
+
+		switch (OBJ_obj2nid(ret->type))
+			{
+		case NID_pkcs7_data:
+			M_ASN1_D2I_get(ret->d.data,d2i_ASN1_OCTET_STRING);
+			break;
+		case NID_pkcs7_signed:
+			M_ASN1_D2I_get(ret->d.sign,d2i_PKCS7_SIGNED);
+			if (ret->d.sign->contents->d.ptr == NULL)
+				ret->detached=1;
+			break;
+		case NID_pkcs7_enveloped:
+			M_ASN1_D2I_get(ret->d.enveloped,d2i_PKCS7_ENVELOPE);
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			M_ASN1_D2I_get(ret->d.signed_and_enveloped,
+				d2i_PKCS7_SIGN_ENVELOPE);
+			break;
+		case NID_pkcs7_digest:
+			M_ASN1_D2I_get(ret->d.digest,d2i_PKCS7_DIGEST);
+			break;
+		case NID_pkcs7_encrypted:
+			M_ASN1_D2I_get(ret->d.encrypted,d2i_PKCS7_ENCRYPT);
+			break;
+		default:
+			c.error=ASN1_R_BAD_PKCS7_TYPE;
+			c.line=__LINE__;
+			goto err;
+			/* break; */
+			}
+		if (Tinf == (1|V_ASN1_CONSTRUCTED))
+			{
+			if (!ASN1_check_infinite_end(&c.p,c.slen))
+				{
+				c.error=ERR_R_MISSING_ASN1_EOS;
+				c.line=__LINE__;
+				goto err;
+				}
+			}
+		}
+	else
+		ret->detached=1;
+		
+	M_ASN1_D2I_Finish(a,PKCS7_free,ASN1_F_D2I_PKCS7);
+	}
+
+PKCS7 *PKCS7_new(void)
+	{
+	PKCS7 *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7);
+	ret->type=OBJ_nid2obj(NID_undef);
+	ret->asn1=NULL;
+	ret->length=0;
+	ret->detached=0;
+	ret->d.ptr=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_NEW);
+	}
+
+void PKCS7_free(PKCS7 *a)
+	{
+	if (a == NULL) return;
+
+	PKCS7_content_free(a);
+	if (a->type != NULL)
+		{
+		ASN1_OBJECT_free(a->type);
+		}
+	Free(a);
+	}
+
+void PKCS7_content_free(PKCS7 *a)
+	{
+	if(a == NULL)
+	    return;
+
+	if (a->asn1 != NULL) Free(a->asn1);
+
+	if (a->d.ptr != NULL)
+		{
+		if (a->type == NULL) return;
+
+		switch (OBJ_obj2nid(a->type))
+			{
+		case NID_pkcs7_data:
+			M_ASN1_OCTET_STRING_free(a->d.data);
+			break;
+		case NID_pkcs7_signed:
+			PKCS7_SIGNED_free(a->d.sign);
+			break;
+		case NID_pkcs7_enveloped:
+			PKCS7_ENVELOPE_free(a->d.enveloped);
+			break;
+		case NID_pkcs7_signedAndEnveloped:
+			PKCS7_SIGN_ENVELOPE_free(a->d.signed_and_enveloped);
+			break;
+		case NID_pkcs7_digest:
+			PKCS7_DIGEST_free(a->d.digest);
+			break;
+		case NID_pkcs7_encrypted:
+			PKCS7_ENCRYPT_free(a->d.encrypted);
+			break;
+		default:
+			/* MEMORY LEAK */
+			break;
+			}
+		}
+	a->d.ptr=NULL;
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_recip.c b/crypto/openssl/crypto/asn1/p7_recip.c
new file mode 100644
index 0000000..b1abfa3
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_recip.c
@@ -0,0 +1,125 @@
+/* crypto/asn1/p7_recip.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->issuer_and_serial,i2d_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_I2D_len(a->key_enc_algor,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->enc_key,i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->issuer_and_serial,i2d_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_I2D_put(a->key_enc_algor,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->enc_key,i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_RECIP_INFO *d2i_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO **a,
+	     unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_RECIP_INFO *,PKCS7_RECIP_INFO_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->issuer_and_serial,d2i_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_D2I_get(ret->key_enc_algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->enc_key,d2i_ASN1_OCTET_STRING);
+
+	M_ASN1_D2I_Finish(a,PKCS7_RECIP_INFO_free,ASN1_F_D2I_PKCS7_RECIP_INFO);
+	}
+
+PKCS7_RECIP_INFO *PKCS7_RECIP_INFO_new(void)
+	{
+	PKCS7_RECIP_INFO *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_RECIP_INFO);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->issuer_and_serial,PKCS7_ISSUER_AND_SERIAL_new);
+	M_ASN1_New(ret->key_enc_algor,X509_ALGOR_new);
+	M_ASN1_New(ret->enc_key,M_ASN1_OCTET_STRING_new);
+	ret->cert=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_RECIP_INFO_NEW);
+	}
+
+void PKCS7_RECIP_INFO_free(PKCS7_RECIP_INFO *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	PKCS7_ISSUER_AND_SERIAL_free(a->issuer_and_serial);
+	X509_ALGOR_free(a->key_enc_algor);
+	M_ASN1_OCTET_STRING_free(a->enc_key);
+	if (a->cert != NULL) X509_free(a->cert);
+	Free(a);
+	}
+
+IMPLEMENT_STACK_OF(PKCS7_RECIP_INFO)
+IMPLEMENT_ASN1_SET_OF(PKCS7_RECIP_INFO)
diff --git a/crypto/openssl/crypto/asn1/p7_s_e.c b/crypto/openssl/crypto/asn1/p7_s_e.c
new file mode 100644
index 0000000..3d18fed
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_s_e.c
@@ -0,0 +1,145 @@
+/* crypto/asn1/p7_s_e.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len_SET_type(PKCS7_RECIP_INFO,a->recipientinfo,
+				i2d_PKCS7_RECIP_INFO);
+	M_ASN1_I2D_len_SET_type(X509_ALGOR,a->md_algs,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509,a->cert,i2d_X509,0);
+	M_ASN1_I2D_len_IMP_SET_opt_type(X509_CRL,a->crl,i2d_X509_CRL,1);
+	M_ASN1_I2D_len_SET_type(PKCS7_SIGNER_INFO,a->signer_info,
+				i2d_PKCS7_SIGNER_INFO);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put_SET_type(PKCS7_RECIP_INFO,a->recipientinfo,
+				i2d_PKCS7_RECIP_INFO);
+	M_ASN1_I2D_put_SET_type(X509_ALGOR,a->md_algs,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->enc_data,i2d_PKCS7_ENC_CONTENT);
+	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509,a->cert,i2d_X509,0);
+	M_ASN1_I2D_put_IMP_SET_opt_type(X509_CRL,a->crl,i2d_X509_CRL,1);
+	M_ASN1_I2D_put_SET_type(PKCS7_SIGNER_INFO,a->signer_info,
+				i2d_PKCS7_SIGNER_INFO);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_SIGN_ENVELOPE *d2i_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE **a,
+	     unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_SIGN_ENVELOPE *,PKCS7_SIGN_ENVELOPE_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_set_type(PKCS7_RECIP_INFO,ret->recipientinfo,
+				d2i_PKCS7_RECIP_INFO,PKCS7_RECIP_INFO_free);
+	M_ASN1_D2I_get_set_type(X509_ALGOR,ret->md_algs,d2i_X509_ALGOR,
+				X509_ALGOR_free);
+	M_ASN1_D2I_get(ret->enc_data,d2i_PKCS7_ENC_CONTENT);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509,ret->cert,d2i_X509,X509_free,0);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_CRL,ret->crl,d2i_X509_CRL,
+					X509_CRL_free,1);
+	M_ASN1_D2I_get_set_type(PKCS7_SIGNER_INFO,ret->signer_info,
+				d2i_PKCS7_SIGNER_INFO,PKCS7_SIGNER_INFO_free);
+
+	M_ASN1_D2I_Finish(a,PKCS7_SIGN_ENVELOPE_free,
+		ASN1_F_D2I_PKCS7_SIGN_ENVELOPE);
+	}
+
+PKCS7_SIGN_ENVELOPE *PKCS7_SIGN_ENVELOPE_new(void)
+	{
+	PKCS7_SIGN_ENVELOPE *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_SIGN_ENVELOPE);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->recipientinfo,sk_PKCS7_RECIP_INFO_new_null);
+	M_ASN1_New(ret->md_algs,sk_X509_ALGOR_new_null);
+	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
+	ret->cert=NULL;
+	ret->crl=NULL;
+	M_ASN1_New(ret->signer_info,sk_PKCS7_SIGNER_INFO_new_null);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_SIGN_ENVELOPE_NEW);
+	}
+
+void PKCS7_SIGN_ENVELOPE_free(PKCS7_SIGN_ENVELOPE *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	sk_PKCS7_RECIP_INFO_pop_free(a->recipientinfo,PKCS7_RECIP_INFO_free);
+	sk_X509_ALGOR_pop_free(a->md_algs,X509_ALGOR_free);
+	PKCS7_ENC_CONTENT_free(a->enc_data);
+	sk_X509_pop_free(a->cert,X509_free);
+	sk_X509_CRL_pop_free(a->crl,X509_CRL_free);
+	sk_PKCS7_SIGNER_INFO_pop_free(a->signer_info,PKCS7_SIGNER_INFO_free);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p7_signd.c b/crypto/openssl/crypto/asn1/p7_signd.c
new file mode 100644
index 0000000..f6f16a8
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_signd.c
@@ -0,0 +1,135 @@
+/* crypto/asn1/p7_signd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_SIGNED(PKCS7_SIGNED *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len_SET_type(X509_ALGOR,a->md_algs,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->contents,i2d_PKCS7);
+	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509,a->cert,i2d_X509,0);
+	M_ASN1_I2D_len_IMP_SET_opt_type(X509_CRL,a->crl,i2d_X509_CRL,1);
+	M_ASN1_I2D_len_SET_type(PKCS7_SIGNER_INFO,a->signer_info,
+				i2d_PKCS7_SIGNER_INFO);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put_SET_type(X509_ALGOR,a->md_algs,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->contents,i2d_PKCS7);
+	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509,a->cert,i2d_X509,0);
+	M_ASN1_I2D_put_IMP_SET_opt_type(X509_CRL,a->crl,i2d_X509_CRL,1);
+	M_ASN1_I2D_put_SET_type(PKCS7_SIGNER_INFO,a->signer_info,
+				i2d_PKCS7_SIGNER_INFO);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_SIGNED *d2i_PKCS7_SIGNED(PKCS7_SIGNED **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_SIGNED *,PKCS7_SIGNED_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_set_type(X509_ALGOR,ret->md_algs,d2i_X509_ALGOR,
+				X509_ALGOR_free);
+	M_ASN1_D2I_get(ret->contents,d2i_PKCS7);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509,ret->cert,d2i_X509,X509_free,0);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_CRL,ret->crl,d2i_X509_CRL,
+					X509_CRL_free,1);
+	M_ASN1_D2I_get_set_type(PKCS7_SIGNER_INFO,ret->signer_info,
+				d2i_PKCS7_SIGNER_INFO,PKCS7_SIGNER_INFO_free);
+
+	M_ASN1_D2I_Finish(a,PKCS7_SIGNED_free,ASN1_F_D2I_PKCS7_SIGNED);
+	}
+
+PKCS7_SIGNED *PKCS7_SIGNED_new(void)
+	{
+	PKCS7_SIGNED *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_SIGNED);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->md_algs,sk_X509_ALGOR_new_null);
+	M_ASN1_New(ret->contents,PKCS7_new);
+	ret->cert=NULL;
+	ret->crl=NULL;
+	M_ASN1_New(ret->signer_info,sk_PKCS7_SIGNER_INFO_new_null);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_SIGNED_NEW);
+	}
+
+void PKCS7_SIGNED_free(PKCS7_SIGNED *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	sk_X509_ALGOR_pop_free(a->md_algs,X509_ALGOR_free);
+	PKCS7_free(a->contents);
+	sk_X509_pop_free(a->cert,X509_free);
+	sk_X509_CRL_pop_free(a->crl,X509_CRL_free);
+	sk_PKCS7_SIGNER_INFO_pop_free(a->signer_info,PKCS7_SIGNER_INFO_free);
+	Free(a);
+	}
diff --git a/crypto/openssl/crypto/asn1/p7_signi.c b/crypto/openssl/crypto/asn1/p7_signi.c
new file mode 100644
index 0000000..f74658f
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p7_signi.c
@@ -0,0 +1,150 @@
+/* crypto/asn1/p7_signi.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->issuer_and_serial,i2d_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_I2D_len(a->digest_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->auth_attr,
+					i2d_X509_ATTRIBUTE,0);
+	M_ASN1_I2D_len(a->digest_enc_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->enc_digest,i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->unauth_attr,
+					i2d_X509_ATTRIBUTE,1);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->issuer_and_serial,i2d_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_I2D_put(a->digest_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->auth_attr,
+					i2d_X509_ATTRIBUTE,0);
+	M_ASN1_I2D_put(a->digest_enc_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->enc_digest,i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->unauth_attr,
+					i2d_X509_ATTRIBUTE,1);
+
+	M_ASN1_I2D_finish();
+	}
+
+PKCS7_SIGNER_INFO *d2i_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO **a,
+	     unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,PKCS7_SIGNER_INFO *,PKCS7_SIGNER_INFO_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->issuer_and_serial,d2i_PKCS7_ISSUER_AND_SERIAL);
+	M_ASN1_D2I_get(ret->digest_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE,ret->auth_attr,
+					d2i_X509_ATTRIBUTE,X509_ATTRIBUTE_free,
+					0);
+	M_ASN1_D2I_get(ret->digest_enc_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->enc_digest,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE,ret->unauth_attr,
+					d2i_X509_ATTRIBUTE,
+					X509_ATTRIBUTE_free,1);
+
+	M_ASN1_D2I_Finish(a,PKCS7_SIGNER_INFO_free,
+		ASN1_F_D2I_PKCS7_SIGNER_INFO);
+	}
+
+PKCS7_SIGNER_INFO *PKCS7_SIGNER_INFO_new(void)
+	{
+	PKCS7_SIGNER_INFO *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,PKCS7_SIGNER_INFO);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->issuer_and_serial,PKCS7_ISSUER_AND_SERIAL_new);
+	M_ASN1_New(ret->digest_alg,X509_ALGOR_new);
+	ret->auth_attr=NULL;
+	M_ASN1_New(ret->digest_enc_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->enc_digest,M_ASN1_OCTET_STRING_new);
+	ret->unauth_attr=NULL;
+	ret->pkey=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS7_SIGNER_INFO_NEW);
+	}
+
+void PKCS7_SIGNER_INFO_free(PKCS7_SIGNER_INFO *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	PKCS7_ISSUER_AND_SERIAL_free(a->issuer_and_serial);
+	X509_ALGOR_free(a->digest_alg);
+	sk_X509_ATTRIBUTE_pop_free(a->auth_attr,X509_ATTRIBUTE_free);
+	X509_ALGOR_free(a->digest_enc_alg);
+	M_ASN1_OCTET_STRING_free(a->enc_digest);
+	sk_X509_ATTRIBUTE_pop_free(a->unauth_attr,X509_ATTRIBUTE_free);
+	if (a->pkey != NULL)
+		EVP_PKEY_free(a->pkey);
+	Free(a);
+	}
+
+IMPLEMENT_STACK_OF(PKCS7_SIGNER_INFO)
+IMPLEMENT_ASN1_SET_OF(PKCS7_SIGNER_INFO)
diff --git a/crypto/openssl/crypto/asn1/p8_key.c b/crypto/openssl/crypto/asn1/p8_key.c
new file mode 100644
index 0000000..0b24374
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p8_key.c
@@ -0,0 +1,131 @@
+/* crypto/asn1/p8_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/objects.h>
+
+int i2d_X509_KEY(X509 *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_len(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_put(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509 *d2i_X509_KEY(X509 **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509 *,X509_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+	M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
+	}
+
+X509 *X509_KEY_new(void)
+	{
+	X509_KEY *ret=NULL;
+
+	M_ASN1_New_Malloc(ret,X509_KEY);
+	ret->references=1;
+	ret->type=NID
+	M_ASN1_New(ret->cert_info,X509_CINF_new);
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_NEW);
+	}
+
+void X509_KEY_free(X509 *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add_lock(&a->references,-1,CRYPTO_LOCK_X509_KEY);
+#ifdef REF_PRINT
+	REF_PRINT("X509_KEY",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_KEY_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	X509_CINF_free(a->cert_info);
+	X509_ALGOR_free(a->sig_alg);
+	ASN1_BIT_STRING_free(a->signature);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/p8_pkey.c b/crypto/openssl/crypto/asn1/p8_pkey.c
new file mode 100644
index 0000000..59cfbe7
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/p8_pkey.c
@@ -0,0 +1,127 @@
+/* p8_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS8_PRIV_KEY_INFO (PKCS8_PRIV_KEY_INFO *a, unsigned char **pp)
+{
+
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len (a->pkeyalg, i2d_X509_ALGOR);
+	M_ASN1_I2D_len (a->pkey, i2d_ASN1_TYPE);
+	M_ASN1_I2D_len_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+					 i2d_X509_ATTRIBUTE, 0);
+	
+	M_ASN1_I2D_seq_total ();
+
+	M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put (a->pkeyalg, i2d_X509_ALGOR);
+	M_ASN1_I2D_put (a->pkey, i2d_ASN1_TYPE);
+	M_ASN1_I2D_put_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+					 i2d_X509_ATTRIBUTE, 0);
+
+	M_ASN1_I2D_finish();
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void)
+{
+	PKCS8_PRIV_KEY_INFO *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKCS8_PRIV_KEY_INFO);
+	M_ASN1_New (ret->version, M_ASN1_INTEGER_new);
+	M_ASN1_New (ret->pkeyalg, X509_ALGOR_new);
+	M_ASN1_New (ret->pkey, ASN1_TYPE_new);
+	ret->attributes = NULL;
+	ret->broken = PKCS8_OK;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PKCS8_PRIV_KEY_INFO_NEW);
+}
+
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
+	     unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,PKCS8_PRIV_KEY_INFO *,PKCS8_PRIV_KEY_INFO_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get (ret->pkeyalg, d2i_X509_ALGOR);
+	M_ASN1_D2I_get (ret->pkey, d2i_ASN1_TYPE);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE, ret->attributes,
+					d2i_X509_ATTRIBUTE,
+					X509_ATTRIBUTE_free, 0);
+	M_ASN1_D2I_Finish(a, PKCS8_PRIV_KEY_INFO_free, ASN1_F_D2I_PKCS8_PRIV_KEY_INFO);
+}
+
+void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
+{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free (a->version);
+	X509_ALGOR_free(a->pkeyalg);
+	/* Clear sensitive data */
+	if (a->pkey->value.octet_string)
+		memset (a->pkey->value.octet_string->data,
+				 0, a->pkey->value.octet_string->length);
+	ASN1_TYPE_free (a->pkey);
+	sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/asn1/pkcs8.c b/crypto/openssl/crypto/asn1/pkcs8.c
new file mode 100644
index 0000000..29c4ea6
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/pkcs8.c
@@ -0,0 +1,131 @@
+/* crypto/asn1/pkcs8.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/objects.h>
+
+int i2d_X509_KEY(X509 *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_len(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_put(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509 *d2i_X509_KEY(X509 **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509 *,X509_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+	M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
+	}
+
+X509 *X509_KEY_new(void)
+	{
+	X509_KEY *ret=NULL;
+
+	M_ASN1_New_Malloc(ret,X509_KEY);
+	ret->references=1;
+	ret->type=NID
+	M_ASN1_New(ret->cert_info,X509_CINF_new);
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_NEW);
+	}
+
+void X509_KEY_free(X509 *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add_lock(&a->references,-1,CRYPTO_LOCK_X509_KEY);
+#ifdef REF_PRINT
+	REF_PRINT("X509_KEY",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_KEY_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	X509_CINF_free(a->cert_info);
+	X509_ALGOR_free(a->sig_alg);
+	ASN1_BIT_STRING_free(a->signature);
+	Free((char *)a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/t_bitst.c b/crypto/openssl/crypto/asn1/t_bitst.c
new file mode 100644
index 0000000..8ee789f
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_bitst.c
@@ -0,0 +1,99 @@
+/* t_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+				BIT_STRING_BITNAME *tbl, int indent)
+{
+	BIT_STRING_BITNAME *bnam;
+	char first = 1;
+	BIO_printf(out, "%*s", indent, "");
+	for(bnam = tbl; bnam->lname; bnam++) {
+		if(ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
+			if(!first) BIO_puts(out, ", ");
+			BIO_puts(out, bnam->lname);
+			first = 0;
+		}
+	}
+	BIO_puts(out, "\n");
+	return 1;
+}
+
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+				BIT_STRING_BITNAME *tbl)
+{
+	int bitnum;
+	bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
+	if(bitnum < 0) return 0;
+	if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+	return 1;
+}
+
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
+{
+	BIT_STRING_BITNAME *bnam;
+	for(bnam = tbl; bnam->lname; bnam++) {
+		if(!strcmp(bnam->sname, name) ||
+			!strcmp(bnam->lname, name) ) return bnam->bitnum;
+	}
+	return -1;
+}
diff --git a/crypto/openssl/crypto/asn1/t_crl.c b/crypto/openssl/crypto/asn1/t_crl.c
new file mode 100644
index 0000000..d78e4a8
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_crl.c
@@ -0,0 +1,166 @@
+/* t_crl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static void ext_print(BIO *out, X509_EXTENSION *ex);
+#ifndef NO_FP_API
+int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=X509_CRL_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int X509_CRL_print(BIO *out, X509_CRL *x)
+{
+	char buf[256];
+	unsigned char *s;
+	STACK_OF(X509_REVOKED) *rev;
+	X509_REVOKED *r;
+	long l;
+	int i, j, n;
+
+	BIO_printf(out, "Certificate Revocation List (CRL):\n");
+	l = X509_CRL_get_version(x);
+	BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l);
+	i = OBJ_obj2nid(x->sig_alg->algorithm);
+	BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
+				 (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
+	X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
+	BIO_printf(out,"%8sIssuer: %s\n","",buf);
+	BIO_printf(out,"%8sLast Update: ","");
+	ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
+	BIO_printf(out,"\n%8sNext Update: ","");
+	if (X509_CRL_get_nextUpdate(x))
+		 ASN1_TIME_print(out,X509_CRL_get_nextUpdate(x));
+	else BIO_printf(out,"NONE");
+	BIO_printf(out,"\n");
+
+	n=X509_CRL_get_ext_count(x);
+	if (n > 0) {
+		BIO_printf(out,"%8sCRL extensions:\n","");
+		for (i=0; i<n; i++) ext_print(out, X509_CRL_get_ext(x, i));
+	}
+
+
+	rev = X509_CRL_get_REVOKED(x);
+
+	if(sk_X509_REVOKED_num(rev))
+	    BIO_printf(out, "Revoked Certificates:\n");
+	else BIO_printf(out, "No Revoked Certificates.\n");
+
+	for(i = 0; i < sk_X509_REVOKED_num(rev); i++) {
+		r = sk_X509_REVOKED_value(rev, i);
+		BIO_printf(out,"    Serial Number: ");
+		i2a_ASN1_INTEGER(out,r->serialNumber);
+		BIO_printf(out,"\n        Revocation Date: ","");
+		ASN1_TIME_print(out,r->revocationDate);
+		BIO_printf(out,"\n");
+		for(j = 0; j < X509_REVOKED_get_ext_count(r); j++)
+				ext_print(out, X509_REVOKED_get_ext(r, j));
+	}
+
+	i=OBJ_obj2nid(x->sig_alg->algorithm);
+	BIO_printf(out,"    Signature Algorithm: %s",
+				(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+	s = x->signature->data;
+	n = x->signature->length;
+	for (i=0; i<n; i++, s++)
+	{
+		if ((i%18) == 0) BIO_write(out,"\n        ",9);
+		BIO_printf(out,"%02x%s",*s, ((i+1) == n)?"":":");
+	}
+	BIO_write(out,"\n",1);
+
+	return 1;
+
+}
+
+static void ext_print(BIO *out, X509_EXTENSION *ex)
+{
+	ASN1_OBJECT *obj;
+	int j;
+	BIO_printf(out,"%12s","");
+	obj=X509_EXTENSION_get_object(ex);
+	i2a_ASN1_OBJECT(out,obj);
+	j=X509_EXTENSION_get_critical(ex);
+	BIO_printf(out, ": %s\n", j ? "critical":"","");
+	if(!X509V3_EXT_print(out, ex, 0, 16)) {
+		BIO_printf(out, "%16s", "");
+		M_ASN1_OCTET_STRING_print(out,ex->value);
+	}
+	BIO_write(out,"\n",1);
+}
diff --git a/crypto/openssl/crypto/asn1/t_pkey.c b/crypto/openssl/crypto/asn1/t_pkey.c
new file mode 100644
index 0000000..e570ed1
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_pkey.c
@@ -0,0 +1,361 @@
+/* crypto/asn1/t_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef NO_DH
+#include <openssl/dh.h>
+#endif
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+
+static int print(BIO *fp,const char *str,BIGNUM *num,
+		unsigned char *buf,int off);
+#ifndef NO_RSA
+#ifndef NO_FP_API
+int RSA_print_fp(FILE *fp, RSA *x, int off)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=RSA_print(b,x,off);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int RSA_print(BIO *bp, RSA *x, int off)
+	{
+	char str[128];
+	const char *s;
+	unsigned char *m=NULL;
+	int i,ret=0;
+
+	i=RSA_size(x);
+	m=(unsigned char *)Malloc((unsigned int)i+10);
+	if (m == NULL)
+		{
+		RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (off)
+		{
+		if (off > 128) off=128;
+		memset(str,' ',off);
+		}
+	if (x->d != NULL)
+		{
+		if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+		if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
+			<= 0) goto err;
+		}
+
+	if (x->d == NULL)
+		sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+	else
+		strcpy(str,"modulus:");
+	if (!print(bp,str,x->n,m,off)) goto err;
+	s=(x->d == NULL)?"Exponent:":"publicExponent:";
+	if (!print(bp,s,x->e,m,off)) goto err;
+	if (!print(bp,"privateExponent:",x->d,m,off)) goto err;
+	if (!print(bp,"prime1:",x->p,m,off)) goto err;
+	if (!print(bp,"prime2:",x->q,m,off)) goto err;
+	if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err;
+	if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err;
+	if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
+	ret=1;
+err:
+	if (m != NULL) Free(m);
+	return(ret);
+	}
+#endif /* NO_RSA */
+
+#ifndef NO_DSA
+#ifndef NO_FP_API
+int DSA_print_fp(FILE *fp, DSA *x, int off)
+	{
+	BIO *b;
+	int ret;
+
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		DSAerr(DSA_F_DSA_PRINT_FP,ERR_R_BUF_LIB);
+		return(0);
+		}
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=DSA_print(b,x,off);
+	BIO_free(b);
+	return(ret);
+	}
+#endif
+
+int DSA_print(BIO *bp, DSA *x, int off)
+	{
+	char str[128];
+	unsigned char *m=NULL;
+	int i,ret=0;
+	BIGNUM *bn=NULL;
+
+	if (x->p != NULL)
+		bn=x->p;
+	else if (x->priv_key != NULL)
+		bn=x->priv_key;
+	else if (x->pub_key != NULL)
+		bn=x->pub_key;
+		
+	/* larger than needed but what the hell :-) */
+	if (bn != NULL)
+		i=BN_num_bytes(bn)*2;
+	else
+		i=256;
+	m=(unsigned char *)Malloc((unsigned int)i+10);
+	if (m == NULL)
+		{
+		DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (off)
+		{
+		if (off > 128) off=128;
+		memset(str,' ',off);
+		}
+	if (x->priv_key != NULL)
+		{
+		if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+		if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p))
+			<= 0) goto err;
+		}
+
+	if ((x->priv_key != NULL) && !print(bp,"priv:",x->priv_key,m,off))
+		goto err;
+	if ((x->pub_key  != NULL) && !print(bp,"pub: ",x->pub_key,m,off))
+		goto err;
+	if ((x->p != NULL) && !print(bp,"P:   ",x->p,m,off)) goto err;
+	if ((x->q != NULL) && !print(bp,"Q:   ",x->q,m,off)) goto err;
+	if ((x->g != NULL) && !print(bp,"G:   ",x->g,m,off)) goto err;
+	ret=1;
+err:
+	if (m != NULL) Free(m);
+	return(ret);
+	}
+#endif /* !NO_DSA */
+
+static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
+	     int off)
+	{
+	int n,i;
+	char str[128];
+	const char *neg;
+
+	if (num == NULL) return(1);
+	neg=(num->neg)?"-":"";
+	if (off)
+		{
+		if (off > 128) off=128;
+		memset(str,' ',off);
+		if (BIO_write(bp,str,off) <= 0) return(0);
+		}
+
+	if (BN_num_bytes(num) <= BN_BYTES)
+		{
+		if (BIO_printf(bp,"%s %s%lu (%s0x%lx)\n",number,neg,
+			(unsigned long)num->d[0],neg,(unsigned long)num->d[0])
+			<= 0) return(0);
+		}
+	else
+		{
+		buf[0]=0;
+		if (BIO_printf(bp,"%s%s",number,
+			(neg[0] == '-')?" (Negative)":"") <= 0)
+			return(0);
+		n=BN_bn2bin(num,&buf[1]);
+	
+		if (buf[1] & 0x80)
+			n++;
+		else	buf++;
+
+		for (i=0; i<n; i++)
+			{
+			if ((i%15) == 0)
+				{
+				str[0]='\n';
+				memset(&(str[1]),' ',off+4);
+				if (BIO_write(bp,str,off+1+4) <= 0) return(0);
+				}
+			if (BIO_printf(bp,"%02x%s",buf[i],((i+1) == n)?"":":")
+				<= 0) return(0);
+			}
+		if (BIO_write(bp,"\n",1) <= 0) return(0);
+		}
+	return(1);
+	}
+
+#ifndef NO_DH
+#ifndef NO_FP_API
+int DHparams_print_fp(FILE *fp, DH *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		DHerr(DH_F_DHPARAMS_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=DHparams_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int DHparams_print(BIO *bp, DH *x)
+	{
+	unsigned char *m=NULL;
+	int reason=ERR_R_BUF_LIB,i,ret=0;
+
+	i=BN_num_bytes(x->p);
+	m=(unsigned char *)Malloc((unsigned int)i+10);
+	if (m == NULL)
+		{
+		reason=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+
+	if (BIO_printf(bp,"Diffie-Hellman-Parameters: (%d bit)\n",
+		BN_num_bits(x->p)) <= 0)
+		goto err;
+	if (!print(bp,"prime:",x->p,m,4)) goto err;
+	if (!print(bp,"generator:",x->g,m,4)) goto err;
+	if (x->length != 0)
+		{
+		if (BIO_printf(bp,"    recommended-private-length: %d bits\n",
+			(int)x->length) <= 0) goto err;
+		}
+	ret=1;
+	if (0)
+		{
+err:
+		DHerr(DH_F_DHPARAMS_PRINT,reason);
+		}
+	if (m != NULL) Free(m);
+	return(ret);
+	}
+#endif
+
+#ifndef NO_DSA
+#ifndef NO_FP_API
+int DSAparams_print_fp(FILE *fp, DSA *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		DSAerr(DSA_F_DSAPARAMS_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=DSAparams_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int DSAparams_print(BIO *bp, DSA *x)
+	{
+	unsigned char *m=NULL;
+	int reason=ERR_R_BUF_LIB,i,ret=0;
+
+	i=BN_num_bytes(x->p);
+	m=(unsigned char *)Malloc((unsigned int)i+10);
+	if (m == NULL)
+		{
+		reason=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+
+	if (BIO_printf(bp,"DSA-Parameters: (%d bit)\n",
+		BN_num_bits(x->p)) <= 0)
+		goto err;
+	if (!print(bp,"p:",x->p,m,4)) goto err;
+	if (!print(bp,"q:",x->q,m,4)) goto err;
+	if (!print(bp,"g:",x->g,m,4)) goto err;
+	ret=1;
+err:
+	if (m != NULL) Free(m);
+	DSAerr(DSA_F_DSAPARAMS_PRINT,reason);
+	return(ret);
+	}
+
+#endif /* !NO_DSA */
+
diff --git a/crypto/openssl/crypto/asn1/t_req.c b/crypto/openssl/crypto/asn1/t_req.c
new file mode 100644
index 0000000..ea1af09
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_req.c
@@ -0,0 +1,254 @@
+/* crypto/asn1/t_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#ifndef NO_FP_API
+int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		X509err(X509_F_X509_REQ_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=X509_REQ_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int X509_REQ_print(BIO *bp, X509_REQ *x)
+	{
+	unsigned long l;
+	int i,n;
+	char *s;
+	const char *neg;
+	X509_REQ_INFO *ri;
+	EVP_PKEY *pkey;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	STACK_OF(X509_EXTENSION) *exts;
+	char str[128];
+
+	ri=x->req_info;
+	sprintf(str,"Certificate Request:\n");
+	if (BIO_puts(bp,str) <= 0) goto err;
+	sprintf(str,"%4sData:\n","");
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
+	l=0;
+	for (i=0; i<ri->version->length; i++)
+		{ l<<=8; l+=ri->version->data[i]; }
+	sprintf(str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,l);
+	if (BIO_puts(bp,str) <= 0) goto err;
+	sprintf(str,"%8sSubject: ","");
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	X509_NAME_print(bp,ri->subject,16);
+	sprintf(str,"\n%8sSubject Public Key Info:\n","");
+	if (BIO_puts(bp,str) <= 0) goto err;
+	i=OBJ_obj2nid(ri->pubkey->algor->algorithm);
+	sprintf(str,"%12sPublic Key Algorithm: %s\n","",
+		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	pkey=X509_REQ_get_pubkey(x);
+#ifndef NO_RSA
+	if (pkey != NULL && pkey->type == EVP_PKEY_RSA)
+		{
+		BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
+			BN_num_bits(pkey->pkey.rsa->n));
+		RSA_print(bp,pkey->pkey.rsa,16);
+		}
+	else 
+#endif
+#ifndef NO_DSA
+		if (pkey != NULL && pkey->type == EVP_PKEY_DSA)
+		{
+		BIO_printf(bp,"%12sDSA Public Key:\n","");
+		DSA_print(bp,pkey->pkey.dsa,16);
+		}
+	else
+#endif
+		BIO_printf(bp,"%12sUnknown Public Key:\n","");
+
+	if (pkey != NULL)
+	    EVP_PKEY_free(pkey);
+
+	/* may not be */
+	sprintf(str,"%8sAttributes:\n","");
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	sk=x->req_info->attributes;
+	if ((sk == NULL) || (sk_X509_ATTRIBUTE_num(sk) == 0))
+		{
+		if (!x->req_info->req_kludge)
+			{
+			sprintf(str,"%12sa0:00\n","");
+			if (BIO_puts(bp,str) <= 0) goto err;
+			}
+		}
+	else
+		{
+		for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+			{
+			ASN1_TYPE *at;
+			X509_ATTRIBUTE *a;
+			ASN1_BIT_STRING *bs=NULL;
+			ASN1_TYPE *t;
+			int j,type=0,count=1,ii=0;
+
+			a=sk_X509_ATTRIBUTE_value(sk,i);
+			if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+								continue;
+			sprintf(str,"%12s","");
+			if (BIO_puts(bp,str) <= 0) goto err;
+			if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
+			{
+			if (a->set)
+				{
+				ii=0;
+				count=sk_ASN1_TYPE_num(a->value.set);
+get_next:
+				at=sk_ASN1_TYPE_value(a->value.set,ii);
+				type=at->type;
+				bs=at->value.asn1_string;
+				}
+			else
+				{
+				t=a->value.single;
+				type=t->type;
+				bs=t->value.bit_string;
+				}
+			}
+			for (j=25-j; j>0; j--)
+				if (BIO_write(bp," ",1) != 1) goto err;
+			if (BIO_puts(bp,":") <= 0) goto err;
+			if (	(type == V_ASN1_PRINTABLESTRING) ||
+				(type == V_ASN1_T61STRING) ||
+				(type == V_ASN1_IA5STRING))
+				{
+				if (BIO_write(bp,(char *)bs->data,bs->length)
+					!= bs->length)
+					goto err;
+				BIO_puts(bp,"\n");
+				}
+			else
+				{
+				BIO_puts(bp,"unable to print attribute\n");
+				}
+			if (++ii < count) goto get_next;
+			}
+		}
+
+	exts = X509_REQ_get_extensions(x);
+	if(exts) {
+		BIO_printf(bp,"%8sRequested Extensions:\n","");
+		for (i=0; i<sk_X509_EXTENSION_num(exts); i++) {
+			ASN1_OBJECT *obj;
+			X509_EXTENSION *ex;
+			int j;
+			ex=sk_X509_EXTENSION_value(exts, i);
+			if (BIO_printf(bp,"%12s","") <= 0) goto err;
+			obj=X509_EXTENSION_get_object(ex);
+			i2a_ASN1_OBJECT(bp,obj);
+			j=X509_EXTENSION_get_critical(ex);
+			if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+				goto err;
+			if(!X509V3_EXT_print(bp, ex, 0, 16)) {
+				BIO_printf(bp, "%16s", "");
+				M_ASN1_OCTET_STRING_print(bp,ex->value);
+			}
+			if (BIO_write(bp,"\n",1) <= 0) goto err;
+		}
+		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+	}
+
+	i=OBJ_obj2nid(x->sig_alg->algorithm);
+	sprintf(str,"%4sSignature Algorithm: %s","",
+		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	n=x->signature->length;
+	s=(char *)x->signature->data;
+	for (i=0; i<n; i++)
+		{
+		if ((i%18) == 0)
+			{
+			sprintf(str,"\n%8s","");
+			if (BIO_puts(bp,str) <= 0) goto err;
+			}
+		sprintf(str,"%02x%s",(unsigned char)s[i],((i+1) == n)?"":":");
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n") <= 0) goto err;
+	return(1);
+err:
+	X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
+	return(0);
+	}
diff --git a/crypto/openssl/crypto/asn1/t_spki.c b/crypto/openssl/crypto/asn1/t_spki.c
new file mode 100644
index 0000000..d708434
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_spki.c
@@ -0,0 +1,116 @@
+/* t_spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+/* Print out an SPKI */
+
+int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
+{
+	EVP_PKEY *pkey;
+	ASN1_IA5STRING *chal;
+	int i, n;
+	char *s;
+	BIO_printf(out, "Netscape SPKI:\n");
+	i=OBJ_obj2nid(spki->spkac->pubkey->algor->algorithm);
+	BIO_printf(out,"  Public Key Algorithm: %s\n",
+				(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+	pkey = X509_PUBKEY_get(spki->spkac->pubkey);
+	if(!pkey) BIO_printf(out, "  Unable to load public key\n");
+	else {
+#ifndef NO_RSA
+		if (pkey->type == EVP_PKEY_RSA)
+			{
+			BIO_printf(out,"  RSA Public Key: (%d bit)\n",
+				BN_num_bits(pkey->pkey.rsa->n));
+			RSA_print(out,pkey->pkey.rsa,2);
+			}
+		else 
+#endif
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+		{
+		BIO_printf(out,"  DSA Public Key:\n");
+		DSA_print(out,pkey->pkey.dsa,2);
+		}
+		else
+#endif
+			BIO_printf(out,"  Unknown Public Key:\n");
+		EVP_PKEY_free(pkey);
+	}
+	chal = spki->spkac->challenge;
+	if(chal->length)
+		BIO_printf(out, "  Challenge String: %s\n", chal->data);
+	i=OBJ_obj2nid(spki->sig_algor->algorithm);
+	BIO_printf(out,"  Signature Algorithm: %s",
+				(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+	n=spki->signature->length;
+	s=(char *)spki->signature->data;
+	for (i=0; i<n; i++)
+		{
+		if ((i%18) == 0) BIO_write(out,"\n      ",7);
+		BIO_printf(out,"%02x%s",(unsigned char)s[i],
+						((i+1) == n)?"":":");
+		}
+	BIO_write(out,"\n",1);
+	return 1;
+}
diff --git a/crypto/openssl/crypto/asn1/t_x509.c b/crypto/openssl/crypto/asn1/t_x509.c
new file mode 100644
index 0000000..6ee1065
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_x509.c
@@ -0,0 +1,409 @@
+/* crypto/asn1/t_x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#ifndef NO_FP_API
+int X509_print_fp(FILE *fp, X509 *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=X509_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int X509_print(BIO *bp, X509 *x)
+	{
+	long l;
+	int ret=0,i,j,n;
+	char *m=NULL,*s;
+	X509_CINF *ci;
+	ASN1_INTEGER *bs;
+	EVP_PKEY *pkey=NULL;
+	const char *neg;
+	X509_EXTENSION *ex;
+	ASN1_STRING *str=NULL;
+
+	ci=x->cert_info;
+	if (BIO_write(bp,"Certificate:\n",13) <= 0) goto err;
+	if (BIO_write(bp,"    Data:\n",10) <= 0) goto err;
+	l=X509_get_version(x);
+	if (BIO_printf(bp,"%8sVersion: %lu (0x%lx)\n","",l+1,l) <= 0) goto err;
+	if (BIO_write(bp,"        Serial Number:",22) <= 0) goto err;
+
+	bs=X509_get_serialNumber(x);
+	if (bs->length <= 4)
+		{
+		l=ASN1_INTEGER_get(bs);
+		if (l < 0)
+			{
+			l= -l;
+			neg="-";
+			}
+		else
+			neg="";
+		if (BIO_printf(bp," %s%lu (%s0x%lx)\n",neg,l,neg,l) <= 0)
+			goto err;
+		}
+	else
+		{
+		neg=(bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":"";
+		if (BIO_printf(bp,"\n%12s%s","",neg) <= 0) goto err;
+
+		for (i=0; i<bs->length; i++)
+			{
+			if (BIO_printf(bp,"%02x%c",bs->data[i],
+				((i+1 == bs->length)?'\n':':')) <= 0)
+				goto err;
+			}
+		}
+
+	i=OBJ_obj2nid(ci->signature->algorithm);
+	if (BIO_printf(bp,"%8sSignature Algorithm: %s\n","",
+		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0)
+		goto err;
+
+	if (BIO_write(bp,"        Issuer: ",16) <= 0) goto err;
+	if (!X509_NAME_print(bp,X509_get_issuer_name(x),16)) goto err;
+	if (BIO_write(bp,"\n        Validity\n",18) <= 0) goto err;
+	if (BIO_write(bp,"            Not Before: ",24) <= 0) goto err;
+	if (!ASN1_TIME_print(bp,X509_get_notBefore(x))) goto err;
+	if (BIO_write(bp,"\n            Not After : ",25) <= 0) goto err;
+	if (!ASN1_TIME_print(bp,X509_get_notAfter(x))) goto err;
+	if (BIO_write(bp,"\n        Subject: ",18) <= 0) goto err;
+	if (!X509_NAME_print(bp,X509_get_subject_name(x),16)) goto err;
+	if (BIO_write(bp,"\n        Subject Public Key Info:\n",34) <= 0)
+		goto err;
+	i=OBJ_obj2nid(ci->key->algor->algorithm);
+	if (BIO_printf(bp,"%12sPublic Key Algorithm: %s\n","",
+		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0) goto err;
+
+	pkey=X509_get_pubkey(x);
+	if (pkey == NULL)
+		{
+		BIO_printf(bp,"%12sUnable to load Public Key\n","");
+		ERR_print_errors(bp);
+		}
+	else
+#ifndef NO_RSA
+	if (pkey->type == EVP_PKEY_RSA)
+		{
+		BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
+		BN_num_bits(pkey->pkey.rsa->n));
+		RSA_print(bp,pkey->pkey.rsa,16);
+		}
+	else
+#endif
+#ifndef NO_DSA
+	if (pkey->type == EVP_PKEY_DSA)
+		{
+		BIO_printf(bp,"%12sDSA Public Key:\n","");
+		DSA_print(bp,pkey->pkey.dsa,16);
+		}
+	else
+#endif
+		BIO_printf(bp,"%12sUnknown Public Key:\n","");
+
+	EVP_PKEY_free(pkey);
+
+	n=X509_get_ext_count(x);
+	if (n > 0)
+		{
+		BIO_printf(bp,"%8sX509v3 extensions:\n","");
+		for (i=0; i<n; i++)
+			{
+			ASN1_OBJECT *obj;
+			ex=X509_get_ext(x,i);
+			if (BIO_printf(bp,"%12s","") <= 0) goto err;
+			obj=X509_EXTENSION_get_object(ex);
+			i2a_ASN1_OBJECT(bp,obj);
+			j=X509_EXTENSION_get_critical(ex);
+			if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+				goto err;
+			if(!X509V3_EXT_print(bp, ex, 0, 16))
+				{
+				BIO_printf(bp, "%16s", "");
+				M_ASN1_OCTET_STRING_print(bp,ex->value);
+				}
+			if (BIO_write(bp,"\n",1) <= 0) goto err;
+			}
+		}
+
+	i=OBJ_obj2nid(x->sig_alg->algorithm);
+	if (BIO_printf(bp,"%4sSignature Algorithm: %s","",
+		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0) goto err;
+
+	n=x->signature->length;
+	s=(char *)x->signature->data;
+	for (i=0; i<n; i++)
+		{
+		if ((i%18) == 0)
+			if (BIO_write(bp,"\n        ",9) <= 0) goto err;
+		if (BIO_printf(bp,"%02x%s",(unsigned char)s[i],
+			((i+1) == n)?"":":") <= 0) goto err;
+		}
+	if (BIO_write(bp,"\n",1) != 1) goto err;
+	if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;
+	ret=1;
+err:
+	if (str != NULL) ASN1_STRING_free(str);
+	if (m != NULL) Free(m);
+	return(ret);
+	}
+
+int ASN1_STRING_print(BIO *bp, ASN1_STRING *v)
+	{
+	int i,n;
+	char buf[80],*p;;
+
+	if (v == NULL) return(0);
+	n=0;
+	p=(char *)v->data;
+	for (i=0; i<v->length; i++)
+		{
+		if ((p[i] > '~') || ((p[i] < ' ') &&
+			(p[i] != '\n') && (p[i] != '\r')))
+			buf[n]='.';
+		else
+			buf[n]=p[i];
+		n++;
+		if (n >= 80)
+			{
+			if (BIO_write(bp,buf,n) <= 0)
+				return(0);
+			n=0;
+			}
+		}
+	if (n > 0)
+		if (BIO_write(bp,buf,n) <= 0)
+			return(0);
+	return(1);
+	}
+
+int ASN1_TIME_print(BIO *bp, ASN1_TIME *tm)
+{
+	if(tm->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_print(bp, tm);
+	if(tm->type == V_ASN1_GENERALIZEDTIME)
+				return ASN1_GENERALIZEDTIME_print(bp, tm);
+	BIO_write(bp,"Bad time value",14);
+	return(0);
+}
+
+static const char *mon[12]=
+    {
+    "Jan","Feb","Mar","Apr","May","Jun",
+    "Jul","Aug","Sep","Oct","Nov","Dec"
+    };
+
+int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
+	{
+	char *v;
+	int gmt=0;
+	int i;
+	int y=0,M=0,d=0,h=0,m=0,s=0;
+
+	i=tm->length;
+	v=(char *)tm->data;
+
+	if (i < 12) goto err;
+	if (v[i-1] == 'Z') gmt=1;
+	for (i=0; i<12; i++)
+		if ((v[i] > '9') || (v[i] < '0')) goto err;
+	y= (v[0]-'0')*1000+(v[1]-'0')*100 + (v[2]-'0')*10+(v[3]-'0');
+	M= (v[4]-'0')*10+(v[5]-'0');
+	if ((M > 12) || (M < 1)) goto err;
+	d= (v[6]-'0')*10+(v[7]-'0');
+	h= (v[8]-'0')*10+(v[9]-'0');
+	m=  (v[10]-'0')*10+(v[11]-'0');
+	if (	(v[12] >= '0') && (v[12] <= '9') &&
+		(v[13] >= '0') && (v[13] <= '9'))
+		s=  (v[12]-'0')*10+(v[13]-'0');
+
+	if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
+		mon[M-1],d,h,m,s,y,(gmt)?" GMT":"") <= 0)
+		return(0);
+	else
+		return(1);
+err:
+	BIO_write(bp,"Bad time value",14);
+	return(0);
+	}
+
+int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
+	{
+	char *v;
+	int gmt=0;
+	int i;
+	int y=0,M=0,d=0,h=0,m=0,s=0;
+
+	i=tm->length;
+	v=(char *)tm->data;
+
+	if (i < 10) goto err;
+	if (v[i-1] == 'Z') gmt=1;
+	for (i=0; i<10; i++)
+		if ((v[i] > '9') || (v[i] < '0')) goto err;
+	y= (v[0]-'0')*10+(v[1]-'0');
+	if (y < 50) y+=100;
+	M= (v[2]-'0')*10+(v[3]-'0');
+	if ((M > 12) || (M < 1)) goto err;
+	d= (v[4]-'0')*10+(v[5]-'0');
+	h= (v[6]-'0')*10+(v[7]-'0');
+	m=  (v[8]-'0')*10+(v[9]-'0');
+	if (	(v[10] >= '0') && (v[10] <= '9') &&
+		(v[11] >= '0') && (v[11] <= '9'))
+		s=  (v[10]-'0')*10+(v[11]-'0');
+
+	if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
+		mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":"") <= 0)
+		return(0);
+	else
+		return(1);
+err:
+	BIO_write(bp,"Bad time value",14);
+	return(0);
+	}
+
+int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
+	{
+	char *s,*c;
+	int ret=0,l,ll,i,first=1;
+	char buf[256];
+
+	ll=80-2-obase;
+
+	s=X509_NAME_oneline(name,buf,256);
+	s++; /* skip the first slash */
+
+	l=ll;
+	c=s;
+	for (;;)
+		{
+#ifndef CHARSET_EBCDIC
+		if (	((*s == '/') &&
+				((s[1] >= 'A') && (s[1] <= 'Z') && (
+					(s[2] == '=') ||
+					((s[2] >= 'A') && (s[2] <= 'Z') &&
+					(s[3] == '='))
+				 ))) ||
+			(*s == '\0'))
+#else
+		if (	((*s == '/') &&
+				(isupper(s[1]) && (
+					(s[2] == '=') ||
+					(isupper(s[2]) &&
+					(s[3] == '='))
+				 ))) ||
+			(*s == '\0'))
+#endif
+			{
+			if ((l <= 0) && !first)
+				{
+				first=0;
+				if (BIO_write(bp,"\n",1) != 1) goto err;
+				for (i=0; i<obase; i++)
+					{
+					if (BIO_write(bp," ",1) != 1) goto err;
+					}
+				l=ll;
+				}
+			i=s-c;
+			if (BIO_write(bp,c,i) != i) goto err;
+			c+=i;
+			c++;
+			if (*s != '\0')
+				{
+				if (BIO_write(bp,", ",2) != 2) goto err;
+				}
+			l--;
+			}
+		if (*s == '\0') break;
+		s++;
+		l--;
+		}
+	
+	ret=1;
+	if (0)
+		{
+err:
+		X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/t_x509a.c b/crypto/openssl/crypto/asn1/t_x509a.c
new file mode 100644
index 0000000..a18ebb5
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/t_x509a.c
@@ -0,0 +1,102 @@
+/* t_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX and string set routines
+ */
+
+int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+{
+	char oidstr[80], first;
+	int i;
+	if(!aux) return 1;
+	if(aux->trust) {
+		first = 1;
+		BIO_printf(out, "%*sTrusted Uses:\n%*s",
+						indent, "", indent + 2, "");
+		for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
+			if(!first) BIO_puts(out, ", ");
+			else first = 0;
+			OBJ_obj2txt(oidstr, 80,
+				sk_ASN1_OBJECT_value(aux->trust, i), 0);
+			BIO_puts(out, oidstr);
+		}
+		BIO_puts(out, "\n");
+	} else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
+	if(aux->reject) {
+		first = 1;
+		BIO_printf(out, "%*sRejected Uses:\n%*s",
+						indent, "", indent + 2, "");
+		for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
+			if(!first) BIO_puts(out, ", ");
+			else first = 0;
+			OBJ_obj2txt(oidstr, 80,
+				sk_ASN1_OBJECT_value(aux->reject, i), 0);
+			BIO_puts(out, oidstr);
+		}
+		BIO_puts(out, "\n");
+	} else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+	if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "",
+							aux->alias->data);
+	return 1;
+}
diff --git a/crypto/openssl/crypto/asn1/x_algor.c b/crypto/openssl/crypto/asn1/x_algor.c
new file mode 100644
index 0000000..fe02384
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_algor.c
@@ -0,0 +1,118 @@
+/* crypto/asn1/x_algor.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->algorithm,i2d_ASN1_OBJECT);
+	if (a->parameter != NULL)
+		{ M_ASN1_I2D_len(a->parameter,i2d_ASN1_TYPE); }
+
+	M_ASN1_I2D_seq_total();
+	M_ASN1_I2D_put(a->algorithm,i2d_ASN1_OBJECT);
+	if (a->parameter != NULL)
+		{ M_ASN1_I2D_put(a->parameter,i2d_ASN1_TYPE); }
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509_ALGOR *,X509_ALGOR_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->algorithm,d2i_ASN1_OBJECT);
+	if (!M_ASN1_D2I_end_sequence())
+		{ M_ASN1_D2I_get(ret->parameter,d2i_ASN1_TYPE); }
+	else
+		{
+		ASN1_TYPE_free(ret->parameter);
+		ret->parameter=NULL;
+		}
+	M_ASN1_D2I_Finish(a,X509_ALGOR_free,ASN1_F_D2I_X509_ALGOR);
+	}
+
+X509_ALGOR *X509_ALGOR_new(void)
+	{
+	X509_ALGOR *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_ALGOR);
+	ret->algorithm=OBJ_nid2obj(NID_undef);
+	ret->parameter=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_ALGOR_NEW);
+	}
+
+void X509_ALGOR_free(X509_ALGOR *a)
+	{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->algorithm);
+	ASN1_TYPE_free(a->parameter);
+	Free(a);
+	}
+
+IMPLEMENT_STACK_OF(X509_ALGOR)
+IMPLEMENT_ASN1_SET_OF(X509_ALGOR)
diff --git a/crypto/openssl/crypto/asn1/x_attrib.c b/crypto/openssl/crypto/asn1/x_attrib.c
new file mode 100644
index 0000000..a874df7
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_attrib.c
@@ -0,0 +1,165 @@
+/* crypto/asn1/x_attrib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* sequence */
+int i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a, unsigned char **pp)
+	{
+	int k=0;
+	int r=0,ret=0;
+	unsigned char **p=NULL;
+
+	if (a == NULL) return(0);
+
+	p=NULL;
+	for (;;)
+		{
+		if (k)
+			{
+			r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
+			if (pp == NULL) return(r);
+			p=pp;
+			ASN1_put_object(p,1,ret,V_ASN1_SEQUENCE,
+				V_ASN1_UNIVERSAL);
+			}
+
+		ret+=i2d_ASN1_OBJECT(a->object,p);
+		if (a->set)
+			ret+=i2d_ASN1_SET_OF_ASN1_TYPE(a->value.set,p,i2d_ASN1_TYPE,
+				V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+		else
+			ret+=i2d_ASN1_TYPE(a->value.single,p);
+		if (k++) return(r);
+		}
+	}
+
+X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,X509_ATTRIBUTE *,X509_ATTRIBUTE_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
+
+	if ((c.slen != 0) &&
+		(M_ASN1_next == (V_ASN1_CONSTRUCTED|V_ASN1_UNIVERSAL|V_ASN1_SET)))
+		{
+		ret->set=1;
+		M_ASN1_D2I_get_set_type(ASN1_TYPE,ret->value.set,d2i_ASN1_TYPE,
+					ASN1_TYPE_free);
+		}
+	else
+		{
+		ret->set=0;
+		M_ASN1_D2I_get(ret->value.single,d2i_ASN1_TYPE);
+		}
+
+	M_ASN1_D2I_Finish(a,X509_ATTRIBUTE_free,ASN1_F_D2I_X509_ATTRIBUTE);
+	}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
+	{
+	X509_ATTRIBUTE *ret=NULL;
+	ASN1_TYPE *val=NULL;
+
+	if ((ret=X509_ATTRIBUTE_new()) == NULL)
+		return(NULL);
+	ret->object=OBJ_nid2obj(nid);
+	ret->set=1;
+	if ((ret->value.set=sk_ASN1_TYPE_new_null()) == NULL) goto err;
+	if ((val=ASN1_TYPE_new()) == NULL) goto err;
+	if (!sk_ASN1_TYPE_push(ret->value.set,val)) goto err;
+
+	ASN1_TYPE_set(val,atrtype,value);
+	return(ret);
+err:
+	if (ret != NULL) X509_ATTRIBUTE_free(ret);
+	if (val != NULL) ASN1_TYPE_free(val);
+	return(NULL);
+	}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_new(void)
+	{
+	X509_ATTRIBUTE *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_ATTRIBUTE);
+	ret->object=OBJ_nid2obj(NID_undef);
+	ret->set=0;
+	ret->value.ptr=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_ATTRIBUTE_NEW);
+	}
+	
+void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a)
+	{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->object);
+	if (a->set)
+		sk_ASN1_TYPE_pop_free(a->value.set,ASN1_TYPE_free);
+	else
+		ASN1_TYPE_free(a->value.single);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/x_cinf.c b/crypto/openssl/crypto/asn1/x_cinf.c
new file mode 100644
index 0000000..b87c8ff
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_cinf.c
@@ -0,0 +1,201 @@
+/* crypto/asn1/x_cinf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_CINF(X509_CINF *a, unsigned char **pp)
+	{
+	int v1=0,v2=0;
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1);
+	M_ASN1_I2D_len(a->serialNumber,		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->signature,		i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->issuer,		i2d_X509_NAME);
+	M_ASN1_I2D_len(a->validity,		i2d_X509_VAL);
+	M_ASN1_I2D_len(a->subject,		i2d_X509_NAME);
+	M_ASN1_I2D_len(a->key,			i2d_X509_PUBKEY);
+	M_ASN1_I2D_len_IMP_opt(a->issuerUID,	i2d_ASN1_BIT_STRING);
+	M_ASN1_I2D_len_IMP_opt(a->subjectUID,	i2d_ASN1_BIT_STRING);
+	M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					     i2d_X509_EXTENSION,3,
+					     V_ASN1_SEQUENCE,v2);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1);
+	M_ASN1_I2D_put(a->serialNumber,		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->signature,		i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->issuer,		i2d_X509_NAME);
+	M_ASN1_I2D_put(a->validity,		i2d_X509_VAL);
+	M_ASN1_I2D_put(a->subject,		i2d_X509_NAME);
+	M_ASN1_I2D_put(a->key,			i2d_X509_PUBKEY);
+	M_ASN1_I2D_put_IMP_opt(a->issuerUID,	i2d_ASN1_BIT_STRING,1);
+	M_ASN1_I2D_put_IMP_opt(a->subjectUID,	i2d_ASN1_BIT_STRING,2);
+	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					     i2d_X509_EXTENSION,3,
+					     V_ASN1_SEQUENCE,v2);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_CINF *d2i_X509_CINF(X509_CINF **a, unsigned char **pp, long length)
+	{
+	int ver=0;
+	M_ASN1_D2I_vars(a,X509_CINF *,X509_CINF_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	/* we have the optional version field */
+	if (M_ASN1_next == (V_ASN1_CONTEXT_SPECIFIC | V_ASN1_CONSTRUCTED | 0))
+		{
+		M_ASN1_D2I_get_EXP_opt(ret->version,d2i_ASN1_INTEGER,0);
+		if (ret->version->data != NULL)
+			ver=ret->version->data[0];
+		}
+	else
+		{
+		if (ret->version != NULL)
+			{
+			M_ASN1_INTEGER_free(ret->version);
+			ret->version=NULL;
+			}
+		}
+	M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->signature,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
+	M_ASN1_D2I_get(ret->validity,d2i_X509_VAL);
+	M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
+	M_ASN1_D2I_get(ret->key,d2i_X509_PUBKEY);
+	if (ver >= 1) /* version 2 extensions */
+		{
+		if (ret->issuerUID != NULL)
+			{
+			M_ASN1_BIT_STRING_free(ret->issuerUID);
+			ret->issuerUID=NULL;
+			}
+		if (ret->subjectUID != NULL)
+			{
+			M_ASN1_BIT_STRING_free(ret->subjectUID);
+			ret->subjectUID=NULL;
+			}
+		M_ASN1_D2I_get_IMP_opt(ret->issuerUID,d2i_ASN1_BIT_STRING,  1,
+			V_ASN1_BIT_STRING);
+		M_ASN1_D2I_get_IMP_opt(ret->subjectUID,d2i_ASN1_BIT_STRING, 2,
+			V_ASN1_BIT_STRING);
+		}
+/* Note: some broken certificates include extensions but don't set
+ * the version number properly. By bypassing this check they can
+ * be parsed.
+ */
+
+#ifdef VERSION_EXT_CHECK
+	if (ver >= 2) /* version 3 extensions */
+#endif
+		{
+		if (ret->extensions != NULL)
+			while (sk_X509_EXTENSION_num(ret->extensions))
+				X509_EXTENSION_free(
+				      sk_X509_EXTENSION_pop(ret->extensions));
+		M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
+						d2i_X509_EXTENSION,
+						X509_EXTENSION_free,3,
+						V_ASN1_SEQUENCE);
+		}
+	M_ASN1_D2I_Finish(a,X509_CINF_free,ASN1_F_D2I_X509_CINF);
+	}
+
+X509_CINF *X509_CINF_new(void)
+	{
+	X509_CINF *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_CINF);
+	ret->version=NULL;
+	M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->signature,X509_ALGOR_new);
+	M_ASN1_New(ret->issuer,X509_NAME_new);
+	M_ASN1_New(ret->validity,X509_VAL_new);
+	M_ASN1_New(ret->subject,X509_NAME_new);
+	M_ASN1_New(ret->key,X509_PUBKEY_new);
+	ret->issuerUID=NULL;
+	ret->subjectUID=NULL;
+	ret->extensions=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_CINF_NEW);
+	}
+
+void X509_CINF_free(X509_CINF *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->serialNumber);
+	X509_ALGOR_free(a->signature);
+	X509_NAME_free(a->issuer);
+	X509_VAL_free(a->validity);
+	X509_NAME_free(a->subject);
+	X509_PUBKEY_free(a->key);
+	M_ASN1_BIT_STRING_free(a->issuerUID);
+	M_ASN1_BIT_STRING_free(a->subjectUID);
+	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c
new file mode 100644
index 0000000..12a42d0
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_crl.c
@@ -0,0 +1,343 @@
+/* crypto/asn1/x_crl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+static int X509_REVOKED_cmp(X509_REVOKED **a,X509_REVOKED **b);
+static int X509_REVOKED_seq_cmp(X509_REVOKED **a,X509_REVOKED **b);
+int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME);
+	M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					 i2d_X509_EXTENSION);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME);
+	M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					 i2d_X509_EXTENSION);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,X509_REVOKED *,X509_REVOKED_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_TIME);
+	M_ASN1_D2I_get_seq_opt_type(X509_EXTENSION,ret->extensions,
+				    d2i_X509_EXTENSION,X509_EXTENSION_free);
+	M_ASN1_D2I_Finish(a,X509_REVOKED_free,ASN1_F_D2I_X509_REVOKED);
+	}
+
+int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
+	{
+	int v1=0;
+	long l=0;
+	int (*old_cmp)(X509_REVOKED **,X509_REVOKED **);
+	M_ASN1_I2D_vars(a);
+	
+	old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
+	sk_X509_REVOKED_sort(a->revoked);
+	sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
+
+	if ((a->version != NULL) && ((l=ASN1_INTEGER_get(a->version)) != 0))
+		{
+		M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
+		}
+	M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->issuer,i2d_X509_NAME);
+	M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_TIME);
+	if (a->nextUpdate != NULL)
+		{ M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); }
+	M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
+					 i2d_X509_REVOKED);
+	M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					     i2d_X509_EXTENSION,0,
+					     V_ASN1_SEQUENCE,v1);
+
+	M_ASN1_I2D_seq_total();
+
+	if ((a->version != NULL) && (l != 0))
+		{
+		M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
+		}
+	M_ASN1_I2D_put(a->sig_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->issuer,i2d_X509_NAME);
+	M_ASN1_I2D_put(a->lastUpdate,i2d_ASN1_TIME);
+	if (a->nextUpdate != NULL)
+		{ M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); }
+	M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
+					 i2d_X509_REVOKED);
+	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+					     i2d_X509_EXTENSION,0,
+					     V_ASN1_SEQUENCE,v1);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, unsigned char **pp,
+	     long length)
+	{
+	int i,ver=0;
+	M_ASN1_D2I_vars(a,X509_CRL_INFO *,X509_CRL_INFO_new);
+
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_opt(ret->version,d2i_ASN1_INTEGER,V_ASN1_INTEGER);
+	if (ret->version != NULL)
+		ver=ret->version->data[0];
+	
+	if ((ver == 0) && (ret->version != NULL))
+		{
+		M_ASN1_INTEGER_free(ret->version);
+		ret->version=NULL;
+		}
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
+	M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_TIME);
+	/* Manually handle the OPTIONAL ASN1_TIME stuff */
+	/* First try UTCTime */
+	M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_UTCTIME, V_ASN1_UTCTIME);
+	/* If that doesn't work try GeneralizedTime */
+	if(!ret->nextUpdate) 
+		M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME,
+							V_ASN1_GENERALIZEDTIME);
+	if (ret->revoked != NULL)
+		{
+		while (sk_X509_REVOKED_num(ret->revoked))
+			X509_REVOKED_free(sk_X509_REVOKED_pop(ret->revoked));
+		}
+	M_ASN1_D2I_get_seq_opt_type(X509_REVOKED,ret->revoked,d2i_X509_REVOKED,
+				    X509_REVOKED_free);
+
+	if (ret->revoked != NULL)
+		{
+		for (i=0; i<sk_X509_REVOKED_num(ret->revoked); i++)
+			{
+			sk_X509_REVOKED_value(ret->revoked,i)->sequence=i;
+			}
+		}
+
+	if (ret->extensions != NULL)
+		{
+		while (sk_X509_EXTENSION_num(ret->extensions))
+			X509_EXTENSION_free(
+			sk_X509_EXTENSION_pop(ret->extensions));
+		}
+		
+	M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
+					d2i_X509_EXTENSION,
+					X509_EXTENSION_free,0,
+					V_ASN1_SEQUENCE);
+
+	M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO);
+	}
+
+int i2d_X509_CRL(X509_CRL *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->crl,i2d_X509_CRL_INFO);
+	M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->crl,i2d_X509_CRL_INFO);
+	M_ASN1_I2D_put(a->sig_alg,i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_CRL *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509_CRL *,X509_CRL_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->crl,d2i_X509_CRL_INFO);
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+
+	M_ASN1_D2I_Finish(a,X509_CRL_free,ASN1_F_D2I_X509_CRL);
+	}
+
+
+X509_REVOKED *X509_REVOKED_new(void)
+	{
+	X509_REVOKED *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_REVOKED);
+	M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->revocationDate,M_ASN1_UTCTIME_new);
+	ret->extensions=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_REVOKED_NEW);
+	}
+
+X509_CRL_INFO *X509_CRL_INFO_new(void)
+	{
+	X509_CRL_INFO *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_CRL_INFO);
+	ret->version=NULL;
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->issuer,X509_NAME_new);
+	M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new);
+	ret->nextUpdate=NULL;
+	M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null);
+	M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null);
+	sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW);
+	}
+
+X509_CRL *X509_CRL_new(void)
+	{
+	X509_CRL *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_CRL);
+	ret->references=1;
+	M_ASN1_New(ret->crl,X509_CRL_INFO_new);
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_CRL_NEW);
+	}
+
+void X509_REVOKED_free(X509_REVOKED *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->serialNumber);
+	M_ASN1_UTCTIME_free(a->revocationDate);
+	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
+	Free(a);
+	}
+
+void X509_CRL_INFO_free(X509_CRL_INFO *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	X509_ALGOR_free(a->sig_alg);
+	X509_NAME_free(a->issuer);
+	M_ASN1_UTCTIME_free(a->lastUpdate);
+	if (a->nextUpdate)
+		M_ASN1_UTCTIME_free(a->nextUpdate);
+	sk_X509_REVOKED_pop_free(a->revoked,X509_REVOKED_free);
+	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
+	Free(a);
+	}
+
+void X509_CRL_free(X509_CRL *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_CRL);
+#ifdef REF_PRINT
+	REF_PRINT("X509_CRL",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_CRL_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	X509_CRL_INFO_free(a->crl);
+	X509_ALGOR_free(a->sig_alg);
+	M_ASN1_BIT_STRING_free(a->signature);
+	Free(a);
+	}
+
+static int X509_REVOKED_cmp(X509_REVOKED **a, X509_REVOKED **b)
+	{
+	return(ASN1_STRING_cmp(
+		(ASN1_STRING *)(*a)->serialNumber,
+		(ASN1_STRING *)(*b)->serialNumber));
+	}
+
+static int X509_REVOKED_seq_cmp(X509_REVOKED **a, X509_REVOKED **b)
+	{
+	return((*a)->sequence-(*b)->sequence);
+	}
+
+IMPLEMENT_STACK_OF(X509_REVOKED)
+IMPLEMENT_ASN1_SET_OF(X509_REVOKED)
+IMPLEMENT_STACK_OF(X509_CRL)
+IMPLEMENT_ASN1_SET_OF(X509_CRL)
diff --git a/crypto/openssl/crypto/asn1/x_exten.c b/crypto/openssl/crypto/asn1/x_exten.c
new file mode 100644
index 0000000..185cbd7
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_exten.c
@@ -0,0 +1,139 @@
+/* crypto/asn1/x_exten.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_EXTENSION(X509_EXTENSION *a, unsigned char **pp)
+	{
+	int k=0;
+	int r=0,ret=0;
+	unsigned char **p=NULL;
+
+	if (a == NULL) return(0);
+
+	p=NULL;
+	for (;;)
+		{
+		if (k)
+			{
+			r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
+			if (pp == NULL) return(r);
+			p=pp;
+			ASN1_put_object(p,1,ret,V_ASN1_SEQUENCE,
+				V_ASN1_UNIVERSAL);
+			}
+
+		ret+=i2d_ASN1_OBJECT(a->object,p);
+		if ((a->critical) || a->netscape_hack)
+			ret+=i2d_ASN1_BOOLEAN(a->critical,p);
+		ret+=i2d_ASN1_OCTET_STRING(a->value,p);
+		if (k++) return(r);
+		}
+	}
+
+X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a, unsigned char **pp,
+	     long length)
+	{
+	int i;
+	M_ASN1_D2I_vars(a,X509_EXTENSION *,X509_EXTENSION_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
+
+	ret->netscape_hack=0;
+	if ((c.slen != 0) &&
+		(M_ASN1_next == (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN)))
+		{
+		c.q=c.p;
+		if (d2i_ASN1_BOOLEAN(&i,&c.p,c.slen) < 0) goto err;
+		ret->critical=i;
+		c.slen-=(c.p-c.q);
+		if (ret->critical == 0) ret->netscape_hack=1;
+		}
+	M_ASN1_D2I_get(ret->value,d2i_ASN1_OCTET_STRING);
+
+	M_ASN1_D2I_Finish(a,X509_EXTENSION_free,ASN1_F_D2I_X509_EXTENSION);
+	}
+
+X509_EXTENSION *X509_EXTENSION_new(void)
+	{
+	X509_EXTENSION *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_EXTENSION);
+	ret->object=OBJ_nid2obj(NID_undef);
+	M_ASN1_New(ret->value,M_ASN1_OCTET_STRING_new);
+	ret->critical=0;
+	ret->netscape_hack=0;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_EXTENSION_NEW);
+	}
+	
+void X509_EXTENSION_free(X509_EXTENSION *a)
+	{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->object);
+	M_ASN1_OCTET_STRING_free(a->value);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/x_info.c b/crypto/openssl/crypto/asn1/x_info.c
new file mode 100644
index 0000000..7fdc6f9
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_info.c
@@ -0,0 +1,114 @@
+/* crypto/asn1/x_info.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+X509_INFO *X509_INFO_new(void)
+	{
+	X509_INFO *ret=NULL;
+
+	ret=(X509_INFO *)Malloc(sizeof(X509_INFO));
+	if (ret == NULL)
+		{
+		ASN1err(ASN1_F_X509_INFO_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+ 
+        ret->enc_cipher.cipher=NULL;
+        ret->enc_len=0;
+        ret->enc_data=NULL;
+ 
+	ret->references=1;
+	ret->x509=NULL;
+	ret->crl=NULL;
+	ret->x_pkey=NULL;
+	return(ret);
+	}
+
+void X509_INFO_free(X509_INFO *x)
+	{
+	int i;
+
+	if (x == NULL) return;
+
+	i=CRYPTO_add(&x->references,-1,CRYPTO_LOCK_X509_INFO);
+#ifdef REF_PRINT
+	REF_PRINT("X509_INFO",x);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_INFO_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	if (x->x509 != NULL) X509_free(x->x509);
+	if (x->crl != NULL) X509_CRL_free(x->crl);
+	if (x->x_pkey != NULL) X509_PKEY_free(x->x_pkey);
+	if (x->enc_data != NULL) Free(x->enc_data);
+	Free(x);
+	}
+
+IMPLEMENT_STACK_OF(X509_INFO)
+
diff --git a/crypto/openssl/crypto/asn1/x_name.c b/crypto/openssl/crypto/asn1/x_name.c
new file mode 100644
index 0000000..64baf57
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_name.c
@@ -0,0 +1,279 @@
+/* crypto/asn1/x_name.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+static int i2d_X509_NAME_entries(X509_NAME *a);
+int i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->object,i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len(a->value,i2d_ASN1_PRINTABLE);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->object,i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put(a->value,i2d_ASN1_PRINTABLE);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,X509_NAME_ENTRY *,X509_NAME_ENTRY_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get(ret->value,d2i_ASN1_PRINTABLE);
+	ret->set=0;
+	M_ASN1_D2I_Finish(a,X509_NAME_ENTRY_free,ASN1_F_D2I_X509_NAME_ENTRY);
+	}
+
+int i2d_X509_NAME(X509_NAME *a, unsigned char **pp)
+	{
+	int ret;
+
+	if (a == NULL) return(0);
+	if (a->modified)
+		{
+		ret=i2d_X509_NAME_entries(a);
+		if (ret < 0) return(ret);
+		}
+
+	ret=a->bytes->length;
+	if (pp != NULL)
+		{
+		memcpy(*pp,a->bytes->data,ret);
+		*pp+=ret;
+		}
+	return(ret);
+	}
+
+static int i2d_X509_NAME_entries(X509_NAME *a)
+	{
+	X509_NAME_ENTRY *ne,*fe=NULL;
+	STACK_OF(X509_NAME_ENTRY) *sk;
+	BUF_MEM *buf=NULL;
+	int set=0,r,ret=0;
+	int i;
+	unsigned char *p;
+	int size=0;
+
+	sk=a->entries;
+	for (i=0; i<sk_X509_NAME_ENTRY_num(sk); i++)
+		{
+		ne=sk_X509_NAME_ENTRY_value(sk,i);
+		if (fe == NULL)
+			{
+			fe=ne;
+			size=0;
+			}
+
+		if (ne->set != set)
+			{
+			ret+=ASN1_object_size(1,size,V_ASN1_SET);
+			fe->size=size;
+			fe=ne;
+			size=0;
+			set=ne->set;
+			}
+		size+=i2d_X509_NAME_ENTRY(ne,NULL);
+		}
+
+	ret+=ASN1_object_size(1,size,V_ASN1_SET);
+	if (fe != NULL)
+		fe->size=size;
+
+	r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
+
+	buf=a->bytes;
+	if (!BUF_MEM_grow(buf,r)) goto err;
+	p=(unsigned char *)buf->data;
+
+	ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+
+	set= -1;
+	for (i=0; i<sk_X509_NAME_ENTRY_num(sk); i++)
+		{
+		ne=sk_X509_NAME_ENTRY_value(sk,i);
+		if (set != ne->set)
+			{
+			set=ne->set;
+			ASN1_put_object(&p,1,ne->size,
+				V_ASN1_SET,V_ASN1_UNIVERSAL);
+			}
+		i2d_X509_NAME_ENTRY(ne,&p);
+		}
+	a->modified=0;
+	return(r);
+err:
+	return(-1);
+	}
+
+X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length)
+	{
+	int set=0,i;
+	int idx=0;
+	unsigned char *orig;
+	M_ASN1_D2I_vars(a,X509_NAME *,X509_NAME_new);
+
+	orig= *pp;
+	if (sk_X509_NAME_ENTRY_num(ret->entries) > 0)
+		{
+		while (sk_X509_NAME_ENTRY_num(ret->entries) > 0)
+			X509_NAME_ENTRY_free(
+				       sk_X509_NAME_ENTRY_pop(ret->entries));
+		}
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	for (;;)
+		{
+		if (M_ASN1_D2I_end_sequence()) break;
+		M_ASN1_D2I_get_set_type(X509_NAME_ENTRY,ret->entries,
+					d2i_X509_NAME_ENTRY,
+					X509_NAME_ENTRY_free);
+		for (; idx < sk_X509_NAME_ENTRY_num(ret->entries); idx++)
+			{
+			sk_X509_NAME_ENTRY_value(ret->entries,idx)->set=set;
+			}
+		set++;
+		}
+
+	i=(int)(c.p-orig);
+	if (!BUF_MEM_grow(ret->bytes,i)) goto err;
+	memcpy(ret->bytes->data,orig,i);
+	ret->bytes->length=i;
+	ret->modified=0;
+
+	M_ASN1_D2I_Finish(a,X509_NAME_free,ASN1_F_D2I_X509_NAME);
+	}
+
+X509_NAME *X509_NAME_new(void)
+	{
+	X509_NAME *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_NAME);
+	if ((ret->entries=sk_X509_NAME_ENTRY_new(NULL)) == NULL)
+		{ c.line=__LINE__; goto err2; }
+	M_ASN1_New(ret->bytes,BUF_MEM_new);
+	ret->modified=1;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_NAME_NEW);
+	}
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_new(void)
+	{
+	X509_NAME_ENTRY *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_NAME_ENTRY);
+/*	M_ASN1_New(ret->object,ASN1_OBJECT_new);*/
+	ret->object=NULL;
+	ret->set=0;
+	M_ASN1_New(ret->value,ASN1_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_NAME_ENTRY_NEW);
+	}
+
+void X509_NAME_free(X509_NAME *a)
+	{
+	if(a == NULL)
+	    return;
+
+	BUF_MEM_free(a->bytes);
+	sk_X509_NAME_ENTRY_pop_free(a->entries,X509_NAME_ENTRY_free);
+	Free(a);
+	}
+
+void X509_NAME_ENTRY_free(X509_NAME_ENTRY *a)
+	{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->object);
+	M_ASN1_BIT_STRING_free(a->value);
+	Free(a);
+	}
+
+int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
+	{
+	X509_NAME *in;
+
+	if (*xn == NULL) return(0);
+
+	if (*xn != name)
+		{
+		in=X509_NAME_dup(name);
+		if (in != NULL)
+			{
+			X509_NAME_free(*xn);
+			*xn=in;
+			}
+		}
+	return(*xn != NULL);
+	}
+	
+IMPLEMENT_STACK_OF(X509_NAME_ENTRY)
+IMPLEMENT_ASN1_SET_OF(X509_NAME_ENTRY)
diff --git a/crypto/openssl/crypto/asn1/x_pkey.c b/crypto/openssl/crypto/asn1/x_pkey.c
new file mode 100644
index 0000000..fe58919
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_pkey.c
@@ -0,0 +1,151 @@
+/* crypto/asn1/x_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* need to implement */
+int i2d_X509_PKEY(X509_PKEY *a, unsigned char **pp)
+	{
+	return(0);
+	}
+
+X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, unsigned char **pp, long length)
+	{
+	int i;
+	M_ASN1_D2I_vars(a,X509_PKEY *,X509_PKEY_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->enc_algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->enc_pkey,d2i_ASN1_OCTET_STRING);
+
+	ret->cipher.cipher=EVP_get_cipherbyname(
+		OBJ_nid2ln(OBJ_obj2nid(ret->enc_algor->algorithm)));
+	if (ret->cipher.cipher == NULL)
+		{
+		c.error=ASN1_R_UNSUPPORTED_CIPHER;
+		c.line=__LINE__;
+		goto err;
+		}
+	if (ret->enc_algor->parameter->type == V_ASN1_OCTET_STRING) 
+		{
+		i=ret->enc_algor->parameter->value.octet_string->length;
+		if (i > EVP_MAX_IV_LENGTH)
+			{
+			c.error=ASN1_R_IV_TOO_LARGE;
+			c.line=__LINE__;
+			goto err;
+			}
+		memcpy(ret->cipher.iv,
+			ret->enc_algor->parameter->value.octet_string->data,i);
+		}
+	else
+		memset(ret->cipher.iv,0,EVP_MAX_IV_LENGTH);
+	M_ASN1_D2I_Finish(a,X509_PKEY_free,ASN1_F_D2I_X509_PKEY);
+	}
+
+X509_PKEY *X509_PKEY_new(void)
+	{
+	X509_PKEY *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_PKEY);
+	ret->version=0;
+	M_ASN1_New(ret->enc_algor,X509_ALGOR_new);
+	M_ASN1_New(ret->enc_pkey,M_ASN1_OCTET_STRING_new);
+	ret->dec_pkey=NULL;
+	ret->key_length=0;
+	ret->key_data=NULL;
+	ret->key_free=0;
+	ret->cipher.cipher=NULL;
+	memset(ret->cipher.iv,0,EVP_MAX_IV_LENGTH);
+	ret->references=1;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_PKEY_NEW);
+	}
+
+void X509_PKEY_free(X509_PKEY *x)
+	{
+	int i;
+
+	if (x == NULL) return;
+
+	i=CRYPTO_add(&x->references,-1,CRYPTO_LOCK_X509_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("X509_PKEY",x);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_PKEY_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	if (x->enc_algor != NULL) X509_ALGOR_free(x->enc_algor);
+	if (x->enc_pkey != NULL) M_ASN1_OCTET_STRING_free(x->enc_pkey);
+	if (x->dec_pkey != NULL)EVP_PKEY_free(x->dec_pkey);
+	if ((x->key_data != NULL) && (x->key_free)) Free(x->key_data);
+	Free(x);
+	}
diff --git a/crypto/openssl/crypto/asn1/x_pubkey.c b/crypto/openssl/crypto/asn1/x_pubkey.c
new file mode 100644
index 0000000..7a05d57
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_pubkey.c
@@ -0,0 +1,366 @@
+/* crypto/asn1/x_pubkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_PUBKEY(X509_PUBKEY *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->public_key,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->public_key,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,X509_PUBKEY *,X509_PUBKEY_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->public_key,d2i_ASN1_BIT_STRING);
+	if (ret->pkey != NULL)
+		{
+		EVP_PKEY_free(ret->pkey);
+		ret->pkey=NULL;
+		}
+	M_ASN1_D2I_Finish(a,X509_PUBKEY_free,ASN1_F_D2I_X509_PUBKEY);
+	}
+
+X509_PUBKEY *X509_PUBKEY_new(void)
+	{
+	X509_PUBKEY *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_PUBKEY);
+	M_ASN1_New(ret->algor,X509_ALGOR_new);
+	M_ASN1_New(ret->public_key,M_ASN1_BIT_STRING_new);
+	ret->pkey=NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_PUBKEY_NEW);
+	}
+
+void X509_PUBKEY_free(X509_PUBKEY *a)
+	{
+	if (a == NULL) return;
+	X509_ALGOR_free(a->algor);
+	M_ASN1_BIT_STRING_free(a->public_key);
+	if (a->pkey != NULL) EVP_PKEY_free(a->pkey);
+	Free(a);
+	}
+
+int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
+	{
+	int ok=0;
+	X509_PUBKEY *pk;
+	X509_ALGOR *a;
+	ASN1_OBJECT *o;
+	unsigned char *s,*p;
+	int i;
+
+	if (x == NULL) return(0);
+
+	if ((pk=X509_PUBKEY_new()) == NULL) goto err;
+	a=pk->algor;
+
+	/* set the algorithm id */
+	if ((o=OBJ_nid2obj(pkey->type)) == NULL) goto err;
+	ASN1_OBJECT_free(a->algorithm);
+	a->algorithm=o;
+
+	/* Set the parameter list */
+	if (!pkey->save_parameters || (pkey->type == EVP_PKEY_RSA))
+		{
+		if ((a->parameter == NULL) ||
+			(a->parameter->type != V_ASN1_NULL))
+			{
+			ASN1_TYPE_free(a->parameter);
+			a->parameter=ASN1_TYPE_new();
+			a->parameter->type=V_ASN1_NULL;
+			}
+		}
+	else
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+		{
+		unsigned char *pp;
+		DSA *dsa;
+
+		dsa=pkey->pkey.dsa;
+		dsa->write_params=0;
+		ASN1_TYPE_free(a->parameter);
+		i=i2d_DSAparams(dsa,NULL);
+		p=(unsigned char *)Malloc(i);
+		pp=p;
+		i2d_DSAparams(dsa,&pp);
+		a->parameter=ASN1_TYPE_new();
+		a->parameter->type=V_ASN1_SEQUENCE;
+		a->parameter->value.sequence=ASN1_STRING_new();
+		ASN1_STRING_set(a->parameter->value.sequence,p,i);
+		Free(p);
+		}
+	else
+#endif
+		{
+		X509err(X509_F_X509_PUBKEY_SET,X509_R_UNSUPPORTED_ALGORITHM);
+		goto err;
+		}
+
+	if ((i=i2d_PublicKey(pkey,NULL)) <= 0) goto err;
+	if ((s=(unsigned char *)Malloc(i+1)) == NULL) goto err;
+	p=s;
+	i2d_PublicKey(pkey,&p);
+	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+	/* Set number of unused bits to zero */
+	pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+	pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
+
+	Free(s);
+
+#if 0
+	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
+	pk->pkey=pkey;
+#endif
+
+	if (*x != NULL)
+		X509_PUBKEY_free(*x);
+
+	*x=pk;
+	pk=NULL;
+
+	ok=1;
+err:
+	if (pk != NULL) X509_PUBKEY_free(pk);
+	return(ok);
+	}
+
+EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+	{
+	EVP_PKEY *ret=NULL;
+	long j;
+	int type;
+	unsigned char *p;
+#ifndef NO_DSA
+	X509_ALGOR *a;
+#endif
+
+	if (key == NULL) goto err;
+
+	if (key->pkey != NULL)
+	    {
+	    CRYPTO_add(&key->pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
+	    return(key->pkey);
+	    }
+
+	if (key->public_key == NULL) goto err;
+
+	type=OBJ_obj2nid(key->algor->algorithm);
+	p=key->public_key->data;
+        j=key->public_key->length;
+        if ((ret=d2i_PublicKey(type,NULL,&p,(long)j)) == NULL)
+		{
+		X509err(X509_F_X509_PUBKEY_GET,X509_R_ERR_ASN1_LIB);
+		goto err;
+		}
+	ret->save_parameters=0;
+
+#ifndef NO_DSA
+	a=key->algor;
+	if (ret->type == EVP_PKEY_DSA)
+		{
+		if (a->parameter->type == V_ASN1_SEQUENCE)
+			{
+			ret->pkey.dsa->write_params=0;
+			p=a->parameter->value.sequence->data;
+			j=a->parameter->value.sequence->length;
+			if (!d2i_DSAparams(&ret->pkey.dsa,&p,(long)j))
+				goto err;
+			}
+		ret->save_parameters=1;
+		}
+#endif
+	key->pkey=ret;
+	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_EVP_PKEY);
+	return(ret);
+err:
+	if (ret != NULL)
+		EVP_PKEY_free(ret);
+	return(NULL);
+	}
+
+/* Now two pseudo ASN1 routines that take an EVP_PKEY structure
+ * and encode or decode as X509_PUBKEY
+ */
+
+EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
+	     long length)
+{
+	X509_PUBKEY *xpk;
+	EVP_PKEY *pktmp;
+	xpk = d2i_X509_PUBKEY(NULL, pp, length);
+	if(!xpk) return NULL;
+	pktmp = X509_PUBKEY_get(xpk);
+	X509_PUBKEY_free(xpk);
+	if(!pktmp) return NULL;
+	if(a) {
+		EVP_PKEY_free(*a);
+		*a = pktmp;
+	}
+	return pktmp;
+}
+
+int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
+{
+	X509_PUBKEY *xpk=NULL;
+	int ret;
+	if(!a) return 0;
+	if(!X509_PUBKEY_set(&xpk, a)) return 0;
+	ret = i2d_X509_PUBKEY(xpk, pp);
+	X509_PUBKEY_free(xpk);
+	return ret;
+}
+
+/* The following are equivalents but which return RSA and DSA
+ * keys
+ */
+#ifndef NO_RSA
+RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
+	     long length)
+{
+	EVP_PKEY *pkey;
+	RSA *key;
+	unsigned char *q;
+	q = *pp;
+	pkey = d2i_PUBKEY(NULL, &q, length);
+	if(!pkey) return NULL;
+	key = EVP_PKEY_get1_RSA(pkey);
+	EVP_PKEY_free(pkey);
+	if(!key) return NULL;
+	*pp = q;
+	if(a) {
+		RSA_free(*a);
+		*a = key;
+	}
+	return key;
+}
+
+int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
+{
+	EVP_PKEY *pktmp;
+	int ret;
+	if(!a) return 0;
+	pktmp = EVP_PKEY_new();
+	if(!pktmp) {
+		ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	EVP_PKEY_set1_RSA(pktmp, a);
+	ret = i2d_PUBKEY(pktmp, pp);
+	EVP_PKEY_free(pktmp);
+	return ret;
+}
+#endif
+
+#ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
+	     long length)
+{
+	EVP_PKEY *pkey;
+	DSA *key;
+	unsigned char *q;
+	q = *pp;
+	pkey = d2i_PUBKEY(NULL, &q, length);
+	if(!pkey) return NULL;
+	key = EVP_PKEY_get1_DSA(pkey);
+	EVP_PKEY_free(pkey);
+	if(!key) return NULL;
+	*pp = q;
+	if(a) {
+		DSA_free(*a);
+		*a = key;
+	}
+	return key;
+}
+
+int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
+{
+	EVP_PKEY *pktmp;
+	int ret;
+	if(!a) return 0;
+	pktmp = EVP_PKEY_new();
+	if(!pktmp) {
+		ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	EVP_PKEY_set1_DSA(pktmp, a);
+	ret = i2d_PUBKEY(pktmp, pp);
+	EVP_PKEY_free(pktmp);
+	return ret;
+}
+#endif
diff --git a/crypto/openssl/crypto/asn1/x_req.c b/crypto/openssl/crypto/asn1/x_req.c
new file mode 100644
index 0000000..0cd572e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_req.c
@@ -0,0 +1,236 @@
+/* crypto/asn1/x_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->version,		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(a->subject,		i2d_X509_NAME);
+	M_ASN1_I2D_len(a->pubkey,		i2d_X509_PUBKEY);
+
+	/* this is a *nasty* hack reported to be required to
+	 * allow some CA Software to accept the cert request.
+	 * It is not following the PKCS standards ...
+	 * PKCS#10 pg 5
+	 * attributes [0] IMPLICIT Attributes
+	 * NOTE: no OPTIONAL ... so it *must* be there
+	 */
+	if (a->req_kludge) 
+	        {
+	        M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,i2d_X509_ATTRIBUTE,0);
+		}
+	else
+	        {
+	        M_ASN1_I2D_len_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
+					    i2d_X509_ATTRIBUTE,0);
+		}
+	
+	M_ASN1_I2D_seq_total();
+	M_ASN1_I2D_put(a->version,		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(a->subject,		i2d_X509_NAME);
+	M_ASN1_I2D_put(a->pubkey,		i2d_X509_PUBKEY);
+
+	/* this is a *nasty* hack reported to be required by some CA's.
+	 * It is not following the PKCS standards ...
+	 * PKCS#10 pg 5
+	 * attributes [0] IMPLICIT Attributes
+	 * NOTE: no OPTIONAL ... so it *must* be there
+	 */
+	if (a->req_kludge)
+		{
+	        M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,
+						i2d_X509_ATTRIBUTE,0);
+		}
+	else
+		{
+	        M_ASN1_I2D_put_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
+					    i2d_X509_ATTRIBUTE,0);
+		}
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
+	M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
+
+	/* this is a *nasty* hack to allow for some CA's that
+	 * have been reported as requiring it.
+	 * It is not following the PKCS standards ...
+	 * PKCS#10 pg 5
+	 * attributes [0] IMPLICIT Attributes
+	 * NOTE: no OPTIONAL ... so it *must* be there
+	 */
+	if (asn1_Finish(&c))
+		ret->req_kludge=1;
+	else
+		{
+		M_ASN1_D2I_get_IMP_set_type(X509_ATTRIBUTE,ret->attributes,
+					    d2i_X509_ATTRIBUTE,
+					    X509_ATTRIBUTE_free,0);
+		}
+
+	M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
+	}
+
+X509_REQ_INFO *X509_REQ_INFO_new(void)
+	{
+	X509_REQ_INFO *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_REQ_INFO);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->subject,X509_NAME_new);
+	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
+	M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
+	ret->req_kludge=0;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
+	}
+	
+void X509_REQ_INFO_free(X509_REQ_INFO *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	X509_NAME_free(a->subject);
+	X509_PUBKEY_free(a->pubkey);
+	sk_X509_ATTRIBUTE_pop_free(a->attributes,X509_ATTRIBUTE_free);
+	Free(a);
+	}
+
+int i2d_X509_REQ(X509_REQ *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len(a->req_info,	i2d_X509_REQ_INFO);
+	M_ASN1_I2D_len(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->req_info,	i2d_X509_REQ_INFO);
+	M_ASN1_I2D_put(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+	M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
+	}
+
+X509_REQ *X509_REQ_new(void)
+	{
+	X509_REQ *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_REQ);
+	ret->references=1;
+	M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
+	}
+
+void X509_REQ_free(X509_REQ *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
+#ifdef REF_PRINT
+	REF_PRINT("X509_REQ",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_REQ_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	X509_REQ_INFO_free(a->req_info);
+	X509_ALGOR_free(a->sig_alg);
+	M_ASN1_BIT_STRING_free(a->signature);
+	Free(a);
+	}
+
+
diff --git a/crypto/openssl/crypto/asn1/x_sig.c b/crypto/openssl/crypto/asn1/x_sig.c
new file mode 100644
index 0000000..3559bd5
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_sig.c
@@ -0,0 +1,110 @@
+/* crypto/asn1/x_sig.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_SIG(X509_SIG *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->digest,	i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->digest,	i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509_SIG *,X509_SIG_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->digest,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_Finish(a,X509_SIG_free,ASN1_F_D2I_X509_SIG);
+	}
+
+X509_SIG *X509_SIG_new(void)
+	{
+	X509_SIG *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_SIG);
+	M_ASN1_New(ret->algor,X509_ALGOR_new);
+	M_ASN1_New(ret->digest,M_ASN1_OCTET_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_SIG_NEW);
+	}
+
+void X509_SIG_free(X509_SIG *a)
+	{
+	if (a == NULL) return;
+	X509_ALGOR_free(a->algor);
+	M_ASN1_OCTET_STRING_free(a->digest);
+	Free(a);
+	}
+
+
diff --git a/crypto/openssl/crypto/asn1/x_spki.c b/crypto/openssl/crypto/asn1/x_spki.c
new file mode 100644
index 0000000..8f5e7e6
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_spki.c
@@ -0,0 +1,166 @@
+/* crypto/asn1/x_spki.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+ /* This module was send to me my Pat Richards <patr@x509.com> who
+  * wrote it.  It is under my Copyright with his permission
+  */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+int i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->pubkey,	i2d_X509_PUBKEY);
+	M_ASN1_I2D_len(a->challenge,	i2d_ASN1_IA5STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->pubkey,	i2d_X509_PUBKEY);
+	M_ASN1_I2D_put(a->challenge,	i2d_ASN1_IA5STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,NETSCAPE_SPKAC *,NETSCAPE_SPKAC_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
+	M_ASN1_D2I_get(ret->challenge,d2i_ASN1_IA5STRING);
+	M_ASN1_D2I_Finish(a,NETSCAPE_SPKAC_free,ASN1_F_D2I_NETSCAPE_SPKAC);
+	}
+
+NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void)
+	{
+	NETSCAPE_SPKAC *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,NETSCAPE_SPKAC);
+	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
+	M_ASN1_New(ret->challenge,M_ASN1_IA5STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKAC_NEW);
+	}
+
+void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a)
+	{
+	if (a == NULL) return;
+	X509_PUBKEY_free(a->pubkey);
+	M_ASN1_IA5STRING_free(a->challenge);
+	Free(a);
+	}
+
+int i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->spkac,	i2d_NETSCAPE_SPKAC);
+	M_ASN1_I2D_len(a->sig_algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->spkac,	i2d_NETSCAPE_SPKAC);
+	M_ASN1_I2D_put(a->sig_algor,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, unsigned char **pp,
+	     long length)
+	{
+	M_ASN1_D2I_vars(a,NETSCAPE_SPKI *,NETSCAPE_SPKI_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->spkac,d2i_NETSCAPE_SPKAC);
+	M_ASN1_D2I_get(ret->sig_algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+	M_ASN1_D2I_Finish(a,NETSCAPE_SPKI_free,ASN1_F_D2I_NETSCAPE_SPKI);
+	}
+
+NETSCAPE_SPKI *NETSCAPE_SPKI_new(void)
+	{
+	NETSCAPE_SPKI *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,NETSCAPE_SPKI);
+	M_ASN1_New(ret->spkac,NETSCAPE_SPKAC_new);
+	M_ASN1_New(ret->sig_algor,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKI_NEW);
+	}
+
+void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a)
+	{
+	if (a == NULL) return;
+	NETSCAPE_SPKAC_free(a->spkac);
+	X509_ALGOR_free(a->sig_algor);
+	M_ASN1_BIT_STRING_free(a->signature);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/x_val.c b/crypto/openssl/crypto/asn1/x_val.c
new file mode 100644
index 0000000..1a2f49f
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_val.c
@@ -0,0 +1,109 @@
+/* crypto/asn1/x_val.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_X509_VAL(X509_VAL *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->notBefore,i2d_ASN1_TIME);
+	M_ASN1_I2D_len(a->notAfter,i2d_ASN1_TIME);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->notBefore,i2d_ASN1_TIME);
+	M_ASN1_I2D_put(a->notAfter,i2d_ASN1_TIME);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509_VAL *d2i_X509_VAL(X509_VAL **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509_VAL *,X509_VAL_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_TIME);
+	M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_TIME);
+	M_ASN1_D2I_Finish(a,X509_VAL_free,ASN1_F_D2I_X509_VAL);
+	}
+
+X509_VAL *X509_VAL_new(void)
+	{
+	X509_VAL *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509_VAL);
+	M_ASN1_New(ret->notBefore,M_ASN1_TIME_new);
+	M_ASN1_New(ret->notAfter,M_ASN1_TIME_new);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_VAL_NEW);
+	}
+
+void X509_VAL_free(X509_VAL *a)
+	{
+	if (a == NULL) return;
+	M_ASN1_TIME_free(a->notBefore);
+	M_ASN1_TIME_free(a->notAfter);
+	Free(a);
+	}
+
diff --git a/crypto/openssl/crypto/asn1/x_x509.c b/crypto/openssl/crypto/asn1/x_x509.c
new file mode 100644
index 0000000..11e564e
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_x509.c
@@ -0,0 +1,210 @@
+/* crypto/asn1/x_x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+static int x509_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
+
+static ASN1_METHOD meth={
+	(int (*)())  i2d_X509,
+	(char *(*)())d2i_X509,
+	(char *(*)())X509_new,
+	(void (*)()) X509_free};
+
+ASN1_METHOD *X509_asn1_meth(void)
+	{
+	return(&meth);
+	}
+
+int i2d_X509(X509 *a, unsigned char **pp)
+	{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_len(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->cert_info,	i2d_X509_CINF);
+	M_ASN1_I2D_put(a->sig_alg,	i2d_X509_ALGOR);
+	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
+
+	M_ASN1_I2D_finish();
+	}
+
+X509 *d2i_X509(X509 **a, unsigned char **pp, long length)
+	{
+	M_ASN1_D2I_vars(a,X509 *,X509_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
+	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+	if (ret->name != NULL) Free(ret->name);
+	ret->name=X509_NAME_oneline(ret->cert_info->subject,NULL,0);
+
+	M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
+	}
+
+X509 *X509_new(void)
+	{
+	X509 *ret=NULL;
+	ASN1_CTX c;
+
+	M_ASN1_New_Malloc(ret,X509);
+	ret->references=1;
+	ret->valid=0;
+	ret->ex_flags = 0;
+	ret->name=NULL;
+	ret->aux=NULL;
+	M_ASN1_New(ret->cert_info,X509_CINF_new);
+	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
+	CRYPTO_new_ex_data(x509_meth, ret, &ret->ex_data);
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_NEW);
+	}
+
+void X509_free(X509 *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509);
+#ifdef REF_PRINT
+	REF_PRINT("X509",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"X509_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	CRYPTO_free_ex_data(x509_meth,a,&a->ex_data);
+	X509_CINF_free(a->cert_info);
+	X509_ALGOR_free(a->sig_alg);
+	M_ASN1_BIT_STRING_free(a->signature);
+	X509_CERT_AUX_free(a->aux);
+
+	if (a->name != NULL) Free(a->name);
+	Free(a);
+	}
+
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	x509_meth_num++;
+	return(CRYPTO_get_ex_new_index(x509_meth_num-1,
+		&x509_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int X509_set_ex_data(X509 *r, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+	}
+
+void *X509_get_ex_data(X509 *r, int idx)
+	{
+	return(CRYPTO_get_ex_data(&r->ex_data,idx));
+	}
+
+/* X509_AUX ASN1 routines. X509_AUX is the name given to
+ * a certificate with extra info tagged on the end. Since these
+ * functions set how a certificate is trusted they should only
+ * be used when the certificate comes from a reliable source
+ * such as local storage.
+ *
+ */
+
+X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length)
+{
+	unsigned char *q;
+	X509 *ret;
+	/* Save start position */
+	q = *pp;
+	ret = d2i_X509(a, pp, length);
+	/* If certificate unreadable then forget it */
+	if(!ret) return NULL;
+	/* update length */
+	length -= *pp - q;
+	if(!length) return ret;
+	if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
+	return ret;
+	err:
+	X509_free(ret);
+	return NULL;
+}
+
+int i2d_X509_AUX(X509 *a, unsigned char **pp)
+{
+	int length;
+	length = i2d_X509(a, pp);
+	if(a) length += i2d_X509_CERT_AUX(a->aux, pp);
+	return length;
+}
diff --git a/crypto/openssl/crypto/asn1/x_x509a.c b/crypto/openssl/crypto/asn1/x_x509a.c
new file mode 100644
index 0000000..b9987ea
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/x_x509a.c
@@ -0,0 +1,200 @@
+/* a_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX routines. These are used to encode additional
+ * user modifiable data about a certificate. This data is
+ * appended to the X509 encoding when the *_X509_AUX routines
+ * are used. This means that the "traditional" X509 routines
+ * will simply ignore the extra data. 
+ */
+
+static X509_CERT_AUX *aux_get(X509 *x);
+
+X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a, X509_CERT_AUX *, X509_CERT_AUX_new);
+	
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+
+	M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->trust,
+					d2i_ASN1_OBJECT, ASN1_OBJECT_free);
+	M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->reject,
+					d2i_ASN1_OBJECT, ASN1_OBJECT_free, 0);
+	M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
+	M_ASN1_D2I_get_opt(ret->keyid, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_IMP_set_opt_type(X509_ALGOR, ret->other,
+					d2i_X509_ALGOR, X509_ALGOR_free, 1);
+
+	M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX);
+}
+
+X509_CERT_AUX *X509_CERT_AUX_new()
+{
+	X509_CERT_AUX *ret = NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, X509_CERT_AUX);
+	ret->trust = NULL;
+	ret->reject = NULL;
+	ret->alias = NULL;
+	ret->keyid = NULL;
+	ret->other = NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW);
+}
+
+void X509_CERT_AUX_free(X509_CERT_AUX *a)
+{
+	if(a == NULL) return;
+	sk_ASN1_OBJECT_pop_free(a->trust, ASN1_OBJECT_free);
+	sk_ASN1_OBJECT_pop_free(a->reject, ASN1_OBJECT_free);
+	ASN1_UTF8STRING_free(a->alias);
+	ASN1_OCTET_STRING_free(a->keyid);
+	sk_X509_ALGOR_pop_free(a->other, X509_ALGOR_free);
+	Free(a);
+}
+
+int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+	M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
+	M_ASN1_I2D_len(a->keyid, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+	M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
+	M_ASN1_I2D_put(a->keyid, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+	M_ASN1_I2D_finish();
+}
+
+static X509_CERT_AUX *aux_get(X509 *x)
+{
+	if(!x) return NULL;
+	if(!x->aux && !(x->aux = X509_CERT_AUX_new())) return NULL;
+	return x->aux;
+}
+
+int X509_alias_set1(X509 *x, unsigned char *name, int len)
+{
+	X509_CERT_AUX *aux;
+	if(!(aux = aux_get(x))) return 0;
+	if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
+	return ASN1_STRING_set(aux->alias, name, len);
+}
+
+unsigned char *X509_alias_get0(X509 *x, int *len)
+{
+	if(!x->aux || !x->aux->alias) return NULL;
+	if(len) *len = x->aux->alias->length;
+	return x->aux->alias->data;
+}
+
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
+{
+	X509_CERT_AUX *aux;
+	ASN1_OBJECT *objtmp;
+	if(!(objtmp = OBJ_dup(obj))) return 0;
+	if(!(aux = aux_get(x))) return 0;
+	if(!aux->trust
+		&& !(aux->trust = sk_ASN1_OBJECT_new_null())) return 0;
+	return sk_ASN1_OBJECT_push(aux->trust, objtmp);
+}
+
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
+{
+	X509_CERT_AUX *aux;
+	ASN1_OBJECT *objtmp;
+	if(!(objtmp = OBJ_dup(obj))) return 0;
+	if(!(aux = aux_get(x))) return 0;
+	if(!aux->reject
+		&& !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0;
+	return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+}
+
+void X509_trust_clear(X509 *x)
+{
+	if(x->aux && x->aux->trust) {
+		sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);
+		x->aux->trust = NULL;
+	}
+}
+
+void X509_reject_clear(X509 *x)
+{
+	if(x->aux && x->aux->reject) {
+		sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);
+		x->aux->reject = NULL;
+	}
+}
+
diff --git a/crypto/openssl/crypto/bf/COPYRIGHT b/crypto/openssl/crypto/bf/COPYRIGHT
new file mode 100644
index 0000000..6857223
--- /dev/null
+++ b/crypto/openssl/crypto/bf/COPYRIGHT
@@ -0,0 +1,46 @@
+Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+All rights reserved.
+
+This package is an Blowfish implementation written
+by Eric Young (eay@cryptsoft.com).
+
+This library is free for commercial and non-commercial use as long as
+the following conditions are aheared to.  The following conditions
+apply to all code found in this distribution.
+
+Copyright remains Eric Young's, and as such any Copyright notices in
+the code are not to be removed.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@cryptsoft.com)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+The license and distribution terms for any publically available version or
+derivative of this code cannot be changed.  i.e. this code cannot simply be
+copied and put under another distrubution license
+[including the GNU Public License.]
+
+The reason behind this being stated in this direct manner is past
+experience in code simply being copied and the attribution removed
+from it and then being distributed as part of other packages. This
+implementation was a non-trivial and unpaid effort.
diff --git a/crypto/openssl/crypto/bf/INSTALL b/crypto/openssl/crypto/bf/INSTALL
new file mode 100644
index 0000000..3b25923
--- /dev/null
+++ b/crypto/openssl/crypto/bf/INSTALL
@@ -0,0 +1,14 @@
+This Eric Young's blowfish implementation, taken from his SSLeay library
+and made available as a separate library.
+ 
+The version number (0.7.2m) is the SSLeay version that this library was
+taken from.
+ 
+To build, just unpack and type make.
+If you are not using gcc, edit the Makefile.
+If you are compiling for an x86 box, try the assembler (it needs improving).
+There are also some compile time options that can improve performance,
+these are documented in the Makefile.
+ 
+eric 15-Apr-1997
+ 
diff --git a/crypto/openssl/crypto/bf/Makefile.save b/crypto/openssl/crypto/bf/Makefile.save
new file mode 100644
index 0000000..1bb5688
--- /dev/null
+++ b/crypto/openssl/crypto/bf/Makefile.save
@@ -0,0 +1,116 @@
+#
+# SSLeay/crypto/blowfish/Makefile
+#
+
+DIR=	bf
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+BF_ENC=		bf_enc.o
+# or use
+#DES_ENC=	bx86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=bftest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c 
+LIBOBJ=bf_skey.o bf_ecb.o $(BF_ENC) bf_cfb64.o bf_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= blowfish.h
+HEADER=	bf_pi.h bf_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/bx86-elf.o: asm/bx86unix.cpp
+	$(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
+
+# solaris
+asm/bx86-sol.o: asm/bx86unix.cpp
+	$(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
+	as -o asm/bx86-sol.o asm/bx86-sol.s
+	rm -f asm/bx86-sol.s
+
+# a.out
+asm/bx86-out.o: asm/bx86unix.cpp
+	$(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o
+
+# bsdi
+asm/bx86bsdi.o: asm/bx86unix.cpp
+	$(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o
+
+asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/bx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bf_cfb64.o: ../../include/openssl/blowfish.h
+bf_cfb64.o: ../../include/openssl/opensslconf.h bf_locl.h
+bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_ecb.o: ../../include/openssl/opensslv.h bf_locl.h
+bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_enc.o: bf_locl.h
+bf_ofb64.o: ../../include/openssl/blowfish.h
+bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h
+bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_skey.o: bf_locl.h bf_pi.h
diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl
new file mode 100644
index 0000000..1bb5688
--- /dev/null
+++ b/crypto/openssl/crypto/bf/Makefile.ssl
@@ -0,0 +1,116 @@
+#
+# SSLeay/crypto/blowfish/Makefile
+#
+
+DIR=	bf
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+BF_ENC=		bf_enc.o
+# or use
+#DES_ENC=	bx86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=bftest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c 
+LIBOBJ=bf_skey.o bf_ecb.o $(BF_ENC) bf_cfb64.o bf_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= blowfish.h
+HEADER=	bf_pi.h bf_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/bx86-elf.o: asm/bx86unix.cpp
+	$(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
+
+# solaris
+asm/bx86-sol.o: asm/bx86unix.cpp
+	$(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
+	as -o asm/bx86-sol.o asm/bx86-sol.s
+	rm -f asm/bx86-sol.s
+
+# a.out
+asm/bx86-out.o: asm/bx86unix.cpp
+	$(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o
+
+# bsdi
+asm/bx86bsdi.o: asm/bx86unix.cpp
+	$(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o
+
+asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/bx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bf_cfb64.o: ../../include/openssl/blowfish.h
+bf_cfb64.o: ../../include/openssl/opensslconf.h bf_locl.h
+bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_ecb.o: ../../include/openssl/opensslv.h bf_locl.h
+bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_enc.o: bf_locl.h
+bf_ofb64.o: ../../include/openssl/blowfish.h
+bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h
+bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
+bf_skey.o: bf_locl.h bf_pi.h
diff --git a/crypto/openssl/crypto/bf/Makefile.uni b/crypto/openssl/crypto/bf/Makefile.uni
new file mode 100644
index 0000000..f67e5ca
--- /dev/null
+++ b/crypto/openssl/crypto/bf/Makefile.uni
@@ -0,0 +1,157 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+DIR=	bf
+TOP=	.
+# use BF_PTR2 for intel boxes,
+# BF_PTR for sparc and MIPS/SGI
+# use nothing for Alpha and HP.
+
+# There are 3 possible performance options, experiment :-)
+#OPTS= -DBF_PTR  # usr for sparc and MIPS/SGI
+#OPTS= -DBF_PTR2 # use for pentium
+OPTS=		 # use for pentium pro, Alpha and HP
+
+MAKE=make -f Makefile
+#CC=cc
+#CFLAG= -O
+
+CC=gcc
+#CFLAG= -O4 -funroll-loops -fomit-frame-pointer
+CFLAG= -O3 -fomit-frame-pointer
+
+CFLAGS=$(OPTS) $(CFLAG)
+CPP=$(CC) -E
+AS=as
+RANLIB=ranlib
+
+# Assember version of bf_encrypt().
+BF_ENC=bf_enc.o		# normal C version
+#BF_ENC=asm/bx86-elf.o	# elf format x86
+#BF_ENC=asm/bx86-out.o	# a.out format x86
+#BF_ENC=asm/bx86-sol.o	# solaris format x86 
+#BF_ENC=asm/bx86bsdi.o	# bsdi format x86 
+
+LIBDIR=/usr/local/lib
+BINDIR=/usr/local/bin
+INCDIR=/usr/local/include
+MANDIR=/usr/local/man
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+LIBOBJ=bf_skey.o bf_ecb.o $(BF_ENC) bf_cfb64.o bf_ofb64.o
+LIBSRC=bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c
+
+GENERAL=Makefile Makefile.ssl Makefile.uni asm bf_locl.org README \
+	COPYRIGHT blowfish.doc INSTALL
+
+TESTING=    bftest bfspeed bf_opts
+TESTING_SRC=bftest.c bfspeed.c bf_opts.c
+HEADERS=bf_locl.h blowfish.h bf_pi.h
+
+ALL=	$(GENERAL) $(TESTING_SRC) $(LIBSRC) $(HEADERS)
+
+BLIB=	libblowfish.a
+
+all: $(BLIB) $(TESTING)
+
+cc:
+	$(MAKE) CC=cc CFLAGS="-O $(OPTS) $(CFLAG)" all
+
+gcc:
+	$(MAKE) CC=gcc CFLAGS="-O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
+
+x86-elf:
+	$(MAKE) BF_ENC='asm/bx86-elf.o' CC=$(CC) CFLAGS="-DELF $(OPTS) $(CFLAG)" all
+
+x86-out:
+	$(MAKE) BF_ENC='asm/bx86-out.o' CC=$(CC) CFLAGS="-DOUT $(OPTS) $(CFLAG)" all
+
+x86-solaris:
+	$(MAKE) BF_ENC='asm/bx86-sol.o' CC=$(CC) CFLAGS="-DSOL $(OPTS) $(CFLAG)" all
+
+x86-bsdi:
+	$(MAKE) BF_ENC='asm/bx86bsdi.o' CC=$(CC) CFLAGS="-DBSDI $(OPTS) $(CFLAG)" all
+
+# elf
+asm/bx86-elf.o: asm/bx86unix.cpp
+	$(CPP) -DELF asm/bx86unix.cpp | $(AS) -o asm/bx86-elf.o
+
+# solaris
+asm/bx86-sol.o: asm/bx86unix.cpp
+	$(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
+	as -o asm/bx86-sol.o asm/bx86-sol.s
+	rm -f asm/bx86-sol.s
+
+# a.out
+asm/bx86-out.o: asm/bx86unix.cpp
+	$(CPP) -DOUT asm/bx86unix.cpp | $(AS) -o asm/bx86-out.o
+
+# bsdi
+asm/bx86bsdi.o: asm/bx86unix.cpp
+	$(CPP) -DBSDI asm/bx86unix.cpp | $(AS) -o asm/bx86bsdi.o
+
+asm/bx86unix.cpp:
+	(cd asm; perl bf-586.pl cpp >bx86unix.cpp)
+	
+test:	all
+	./bftest
+
+$(BLIB): $(LIBOBJ)
+	/bin/rm -f $(BLIB)
+	ar cr $(BLIB) $(LIBOBJ)
+	$(RANLIB) $(BLIB)
+
+bftest: bftest.o $(BLIB)
+	$(CC) $(CFLAGS) -o bftest bftest.o $(BLIB)
+
+bfspeed: bfspeed.o $(BLIB)
+	$(CC) $(CFLAGS) -o bfspeed bfspeed.o $(BLIB)
+
+bf_opts: bf_opts.o $(BLIB)
+	$(CC) $(CFLAGS) -o bf_opts bf_opts.o $(BLIB)
+
+tags:
+	ctags $(TESTING_SRC) $(LIBBF)
+
+tar:
+	tar chf libbf.tar $(ALL)
+
+shar:
+	shar $(ALL) >libbf.shar
+
+depend:
+	makedepend $(LIBBF) $(TESTING_SRC)
+
+clean:
+	/bin/rm -f *.o tags core $(TESTING) $(BLIB) .nfs* *.old *.bak asm/*.o 
+
+dclean:
+	sed -e '/^# DO NOT DELETE THIS LINE/ q' Makefile >Makefile.new
+	mv -f Makefile.new Makefile
+
+# Eric is probably going to choke when he next looks at this --tjh
+install: $(BLIB)
+	if test $(INSTALLTOP); then \
+	    echo SSL style install; \
+	    cp $(BLIB) $(INSTALLTOP)/lib; \
+		$(RANLIB) $(BLIB); \
+	    chmod 644 $(INSTALLTOP)/lib/$(BLIB); \
+	    cp blowfish.h $(INSTALLTOP)/include; \
+	    chmod 644 $(INSTALLTOP)/include/blowfish.h; \
+	else \
+	    echo Standalone install; \
+	    cp $(BLIB) $(LIBDIR)/$(BLIB); \
+		$(RANLIB) $(BLIB); \
+	    chmod 644 $(LIBDIR)/$(BLIB); \
+	    cp blowfish.h $(INCDIR)/blowfish.h; \
+	    chmod 644 $(INCDIR)/blowfish.h; \
+	fi
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/bf/README b/crypto/openssl/crypto/bf/README
new file mode 100644
index 0000000..f2712fd
--- /dev/null
+++ b/crypto/openssl/crypto/bf/README
@@ -0,0 +1,8 @@
+This is a quick packaging up of my blowfish code into a library.
+It has been lifted from SSLeay.
+The copyright notices seem a little harsh because I have not spent the
+time to rewrite the conditions from the normal SSLeay ones.
+
+Basically if you just want to play with the library, not a problem.
+
+eric 15-Apr-1997
diff --git a/crypto/openssl/crypto/bf/VERSION b/crypto/openssl/crypto/bf/VERSION
new file mode 100644
index 0000000..be99585
--- /dev/null
+++ b/crypto/openssl/crypto/bf/VERSION
@@ -0,0 +1,6 @@
+The version numbers will follow my SSL implementation
+
+0.7.2r - Some reasonable default compiler options from 
+	Peter Gutman <pgut001@cs.auckland.ac.nz>
+
+0.7.2m - the first release
diff --git a/crypto/openssl/crypto/bf/asm/bf-586.pl b/crypto/openssl/crypto/bf/asm/bf-586.pl
new file mode 100644
index 0000000..b556642
--- /dev/null
+++ b/crypto/openssl/crypto/bf/asm/bf-586.pl
@@ -0,0 +1,136 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+
+&asm_init($ARGV[0],"bf-586.pl",$ARGV[$#ARGV] eq "386");
+
+$BF_ROUNDS=16;
+$BF_OFF=($BF_ROUNDS+2)*4;
+$L="edi";
+$R="esi";
+$P="ebp";
+$tmp1="eax";
+$tmp2="ebx";
+$tmp3="ecx";
+$tmp4="edx";
+
+&BF_encrypt("BF_encrypt",1);
+&BF_encrypt("BF_decrypt",0);
+&cbc("BF_cbc_encrypt","BF_encrypt","BF_decrypt",1,4,5,3,-1,-1);
+&asm_finish();
+
+sub BF_encrypt
+	{
+	local($name,$enc)=@_;
+
+	&function_begin_B($name,"");
+
+	&comment("");
+
+	&push("ebp");
+	&push("ebx");
+	&mov($tmp2,&wparam(0));
+	&mov($P,&wparam(1));
+	&push("esi");
+	&push("edi");
+
+	&comment("Load the 2 words");
+	&mov($L,&DWP(0,$tmp2,"",0));
+	&mov($R,&DWP(4,$tmp2,"",0));
+
+	&xor(	$tmp1,	$tmp1);
+
+	# encrypting part
+
+	if ($enc)
+		{
+		 &mov($tmp2,&DWP(0,$P,"",0));
+		&xor(	$tmp3,	$tmp3);
+
+		&xor($L,$tmp2);
+		for ($i=0; $i<$BF_ROUNDS; $i+=2)
+			{
+			&comment("");
+			&comment("Round $i");
+			&BF_ENCRYPT($i+1,$R,$L,$P,$tmp1,$tmp2,$tmp3,$tmp4,1);
+
+			&comment("");
+			&comment("Round ".sprintf("%d",$i+1));
+			&BF_ENCRYPT($i+2,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,1);
+			}
+		# &mov($tmp1,&wparam(0)); In last loop
+		&mov($tmp4,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
+		}
+	else
+		{
+		 &mov($tmp2,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
+		&xor(	$tmp3,	$tmp3);
+
+		&xor($L,$tmp2);
+		for ($i=$BF_ROUNDS; $i>0; $i-=2)
+			{
+			&comment("");
+			&comment("Round $i");
+			&BF_ENCRYPT($i,$R,$L,$P,$tmp1,$tmp2,$tmp3,$tmp4,0);
+			&comment("");
+			&comment("Round ".sprintf("%d",$i-1));
+			&BF_ENCRYPT($i-1,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,0);
+			}
+		# &mov($tmp1,&wparam(0)); In last loop
+		&mov($tmp4,&DWP(0,$P,"",0));
+		}
+
+	&xor($R,$tmp4);
+	&mov(&DWP(4,$tmp1,"",0),$L);
+
+	&mov(&DWP(0,$tmp1,"",0),$R);
+	&function_end($name);
+	}
+
+sub BF_ENCRYPT
+	{
+	local($i,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,$enc)=@_;
+
+	&mov(	$tmp4,		&DWP(&n2a($i*4),$P,"",0)); # for next round
+
+	&mov(	$tmp2,		$R);
+	&xor(	$L,		$tmp4);
+
+	&shr(	$tmp2,		16);
+	&mov(	$tmp4,		$R);
+
+	&movb(	&LB($tmp1),	&HB($tmp2));	# A
+	&and(	$tmp2,		0xff);		# B
+
+	&movb(	&LB($tmp3),	&HB($tmp4));	# C
+	&and(	$tmp4,		0xff);		# D
+
+	&mov(	$tmp1,		&DWP(&n2a($BF_OFF+0x0000),$P,$tmp1,4));
+	&mov(	$tmp2,		&DWP(&n2a($BF_OFF+0x0400),$P,$tmp2,4));
+
+	&add(	$tmp2,		$tmp1);
+	&mov(	$tmp1,		&DWP(&n2a($BF_OFF+0x0800),$P,$tmp3,4));
+
+	&xor(	$tmp2,		$tmp1);
+	&mov(	$tmp4,		&DWP(&n2a($BF_OFF+0x0C00),$P,$tmp4,4));
+
+	&add(	$tmp2,		$tmp4);
+	if (($enc && ($i != 16)) || ((!$enc) && ($i != 1)))
+		{ &xor(	$tmp1,		$tmp1); }
+	else
+		{
+		&comment("Load parameter 0 ($i) enc=$enc");
+		&mov($tmp1,&wparam(0));
+		} # In last loop
+
+	&xor(	$L,		$tmp2);
+	# delay
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
+
diff --git a/crypto/openssl/crypto/bf/asm/bf-686.pl b/crypto/openssl/crypto/bf/asm/bf-686.pl
new file mode 100644
index 0000000..8e4c25f
--- /dev/null
+++ b/crypto/openssl/crypto/bf/asm/bf-686.pl
@@ -0,0 +1,127 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+
+&asm_init($ARGV[0],"bf-686.pl");
+
+$BF_ROUNDS=16;
+$BF_OFF=($BF_ROUNDS+2)*4;
+$L="ecx";
+$R="edx";
+$P="edi";
+$tot="esi";
+$tmp1="eax";
+$tmp2="ebx";
+$tmp3="ebp";
+
+&des_encrypt("BF_encrypt",1);
+&des_encrypt("BF_decrypt",0);
+&cbc("BF_cbc_encrypt","BF_encrypt","BF_decrypt",1,4,5,3,-1,-1);
+
+&asm_finish();
+
+&file_end();
+
+sub des_encrypt
+	{
+	local($name,$enc)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	&comment("Load the 2 words");
+	&mov("eax",&wparam(0));
+	&mov($L,&DWP(0,"eax","",0));
+	&mov($R,&DWP(4,"eax","",0));
+
+	&comment("");
+	&comment("P pointer, s and enc flag");
+	&mov($P,&wparam(1));
+
+	&xor(	$tmp1,	$tmp1);
+	&xor(	$tmp2,	$tmp2);
+
+	# encrypting part
+
+	if ($enc)
+		{
+		&xor($L,&DWP(0,$P,"",0));
+		for ($i=0; $i<$BF_ROUNDS; $i+=2)
+			{
+			&comment("");
+			&comment("Round $i");
+			&BF_ENCRYPT($i+1,$R,$L,$P,$tot,$tmp1,$tmp2,$tmp3);
+
+			&comment("");
+			&comment("Round ".sprintf("%d",$i+1));
+			&BF_ENCRYPT($i+2,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3);
+			}
+		&xor($R,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
+
+		&mov("eax",&wparam(0));
+		&mov(&DWP(0,"eax","",0),$R);
+		&mov(&DWP(4,"eax","",0),$L);
+		&function_end_A($name);
+		}
+	else
+		{
+		&xor($L,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
+		for ($i=$BF_ROUNDS; $i>0; $i-=2)
+			{
+			&comment("");
+			&comment("Round $i");
+			&BF_ENCRYPT($i,$R,$L,$P,$tot,$tmp1,$tmp2,$tmp3);
+			&comment("");
+			&comment("Round ".sprintf("%d",$i-1));
+			&BF_ENCRYPT($i-1,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3);
+			}
+		&xor($R,&DWP(0,$P,"",0));
+
+		&mov("eax",&wparam(0));
+		&mov(&DWP(0,"eax","",0),$R);
+		&mov(&DWP(4,"eax","",0),$L);
+		&function_end_A($name);
+		}
+
+	&function_end_B($name);
+	}
+
+sub BF_ENCRYPT
+	{
+	local($i,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3)=@_;
+
+	&rotr(	$R,		16);
+	&mov(	$tot,		&DWP(&n2a($i*4),$P,"",0));
+
+	&movb(	&LB($tmp1),	&HB($R));
+	&movb(	&LB($tmp2),	&LB($R));
+
+	&rotr(	$R,		16);
+	&xor(	$L,		$tot);
+
+	&mov(	$tot,		&DWP(&n2a($BF_OFF+0x0000),$P,$tmp1,4));
+	&mov(	$tmp3,		&DWP(&n2a($BF_OFF+0x0400),$P,$tmp2,4));
+
+	&movb(	&LB($tmp1),	&HB($R));
+	&movb(	&LB($tmp2),	&LB($R));
+
+	&add(	$tot,		$tmp3);
+	&mov(	$tmp1,		&DWP(&n2a($BF_OFF+0x0800),$P,$tmp1,4)); # delay
+
+	&xor(	$tot,		$tmp1);
+	&mov(	$tmp3,		&DWP(&n2a($BF_OFF+0x0C00),$P,$tmp2,4));
+
+	&add(	$tot,		$tmp3);
+	&xor(	$tmp1,		$tmp1);
+
+	&xor(	$L,		$tot);					
+	# delay
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
+
diff --git a/crypto/openssl/crypto/bf/asm/readme b/crypto/openssl/crypto/bf/asm/readme
new file mode 100644
index 0000000..2385fa3
--- /dev/null
+++ b/crypto/openssl/crypto/bf/asm/readme
@@ -0,0 +1,10 @@
+There are blowfish assembler generation scripts.
+bf-586.pl version is for the pentium and
+bf-686.pl is my original version, which is faster on the pentium pro.
+
+When using a bf-586.pl, the pentium pro/II is %8 slower than using
+bf-686.pl.  When using a bf-686.pl, the pentium is %16 slower
+than bf-586.pl
+
+So the default is bf-586.pl
+
diff --git a/crypto/openssl/crypto/bf/bf_cbc.c b/crypto/openssl/crypto/bf/bf_cbc.c
new file mode 100644
index 0000000..f949629
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_cbc.c
@@ -0,0 +1,143 @@
+/* crypto/bf/bf_cbc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int encrypt)
+	{
+	register BF_LONG tin0,tin1;
+	register BF_LONG tout0,tout1,xor0,xor1;
+	register long l=length;
+	BF_LONG tin[2];
+
+	if (encrypt)
+		{
+		n2l(ivec,tout0);
+		n2l(ivec,tout1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		if (l != -8)
+			{
+			n2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		l2n(tout0,ivec);
+		l2n(tout1,ivec);
+		}
+	else
+		{
+		n2l(ivec,xor0);
+		n2l(ivec,xor1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2n(tout0,out);
+			l2n(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2nn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2n(xor0,ivec);
+		l2n(xor1,ivec);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/bf/bf_cfb64.c b/crypto/openssl/crypto/bf/bf_cfb64.c
new file mode 100644
index 0000000..6451c8d
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_cfb64.c
@@ -0,0 +1,121 @@
+/* crypto/bf/bf_cfb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt)
+	{
+	register BF_LONG v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	BF_LONG ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=(unsigned char *)ivec;
+	if (encrypt)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				BF_encrypt((BF_LONG *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				BF_encrypt((BF_LONG *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=t=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/bf/bf_ecb.c b/crypto/openssl/crypto/bf/bf_ecb.c
new file mode 100644
index 0000000..3419916
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_ecb.c
@@ -0,0 +1,96 @@
+/* crypto/bf/bf_ecb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+#include <openssl/opensslv.h>
+
+/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
+ */
+
+const char *BF_version="Blowfish" OPENSSL_VERSION_PTEXT;
+
+const char *BF_options(void)
+	{
+#ifdef BF_PTR
+	return("blowfish(ptr)");
+#elif defined(BF_PTR2)
+	return("blowfish(ptr2)");
+#else
+	return("blowfish(idx)");
+#endif
+	}
+
+void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+	     const BF_KEY *key, int encrypt)
+	{
+	BF_LONG l,d[2];
+
+	n2l(in,l); d[0]=l;
+	n2l(in,l); d[1]=l;
+	if (encrypt)
+		BF_encrypt(d,key);
+	else
+		BF_decrypt(d,key);
+	l=d[0]; l2n(l,out);
+	l=d[1]; l2n(l,out);
+	l=d[0]=d[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/bf/bf_enc.c b/crypto/openssl/crypto/bf/bf_enc.c
new file mode 100644
index 0000000..b380acf
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_enc.c
@@ -0,0 +1,306 @@
+/* crypto/bf/bf_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+
+/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
+ */
+
+#if (BF_ROUNDS != 16) && (BF_ROUNDS != 20)
+#error If you set BF_ROUNDS to some value other than 16 or 20, you will have \
+to modify the code.
+#endif
+
+void BF_encrypt(BF_LONG *data, const BF_KEY *key)
+	{
+#ifndef BF_PTR2
+	register BF_LONG l,r;
+    const register BF_LONG *p,*s;
+
+	p=key->P;
+	s= &(key->S[0]);
+	l=data[0];
+	r=data[1];
+
+	l^=p[0];
+	BF_ENC(r,l,s,p[ 1]);
+	BF_ENC(l,r,s,p[ 2]);
+	BF_ENC(r,l,s,p[ 3]);
+	BF_ENC(l,r,s,p[ 4]);
+	BF_ENC(r,l,s,p[ 5]);
+	BF_ENC(l,r,s,p[ 6]);
+	BF_ENC(r,l,s,p[ 7]);
+	BF_ENC(l,r,s,p[ 8]);
+	BF_ENC(r,l,s,p[ 9]);
+	BF_ENC(l,r,s,p[10]);
+	BF_ENC(r,l,s,p[11]);
+	BF_ENC(l,r,s,p[12]);
+	BF_ENC(r,l,s,p[13]);
+	BF_ENC(l,r,s,p[14]);
+	BF_ENC(r,l,s,p[15]);
+	BF_ENC(l,r,s,p[16]);
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,s,p[17]);
+	BF_ENC(l,r,s,p[18]);
+	BF_ENC(r,l,s,p[19]);
+	BF_ENC(l,r,s,p[20]);
+#endif
+	r^=p[BF_ROUNDS+1];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#else
+	register BF_LONG l,r,t,*k;
+
+	l=data[0];
+	r=data[1];
+	k=(BF_LONG*)key;
+
+	l^=k[0];
+	BF_ENC(r,l,k, 1);
+	BF_ENC(l,r,k, 2);
+	BF_ENC(r,l,k, 3);
+	BF_ENC(l,r,k, 4);
+	BF_ENC(r,l,k, 5);
+	BF_ENC(l,r,k, 6);
+	BF_ENC(r,l,k, 7);
+	BF_ENC(l,r,k, 8);
+	BF_ENC(r,l,k, 9);
+	BF_ENC(l,r,k,10);
+	BF_ENC(r,l,k,11);
+	BF_ENC(l,r,k,12);
+	BF_ENC(r,l,k,13);
+	BF_ENC(l,r,k,14);
+	BF_ENC(r,l,k,15);
+	BF_ENC(l,r,k,16);
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,k,17);
+	BF_ENC(l,r,k,18);
+	BF_ENC(r,l,k,19);
+	BF_ENC(l,r,k,20);
+#endif
+	r^=k[BF_ROUNDS+1];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#endif
+	}
+
+#ifndef BF_DEFAULT_OPTIONS
+
+void BF_decrypt(BF_LONG *data, const BF_KEY *key)
+	{
+#ifndef BF_PTR2
+	register BF_LONG l,r;
+    const register BF_LONG *p,*s;
+
+	p=key->P;
+	s= &(key->S[0]);
+	l=data[0];
+	r=data[1];
+
+	l^=p[BF_ROUNDS+1];
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,s,p[20]);
+	BF_ENC(l,r,s,p[19]);
+	BF_ENC(r,l,s,p[18]);
+	BF_ENC(l,r,s,p[17]);
+#endif
+	BF_ENC(r,l,s,p[16]);
+	BF_ENC(l,r,s,p[15]);
+	BF_ENC(r,l,s,p[14]);
+	BF_ENC(l,r,s,p[13]);
+	BF_ENC(r,l,s,p[12]);
+	BF_ENC(l,r,s,p[11]);
+	BF_ENC(r,l,s,p[10]);
+	BF_ENC(l,r,s,p[ 9]);
+	BF_ENC(r,l,s,p[ 8]);
+	BF_ENC(l,r,s,p[ 7]);
+	BF_ENC(r,l,s,p[ 6]);
+	BF_ENC(l,r,s,p[ 5]);
+	BF_ENC(r,l,s,p[ 4]);
+	BF_ENC(l,r,s,p[ 3]);
+	BF_ENC(r,l,s,p[ 2]);
+	BF_ENC(l,r,s,p[ 1]);
+	r^=p[0];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#else
+	register BF_LONG l,r,t,*k;
+
+	l=data[0];
+	r=data[1];
+	k=(BF_LONG *)key;
+
+	l^=k[BF_ROUNDS+1];
+#if BF_ROUNDS == 20
+	BF_ENC(r,l,k,20);
+	BF_ENC(l,r,k,19);
+	BF_ENC(r,l,k,18);
+	BF_ENC(l,r,k,17);
+#endif
+	BF_ENC(r,l,k,16);
+	BF_ENC(l,r,k,15);
+	BF_ENC(r,l,k,14);
+	BF_ENC(l,r,k,13);
+	BF_ENC(r,l,k,12);
+	BF_ENC(l,r,k,11);
+	BF_ENC(r,l,k,10);
+	BF_ENC(l,r,k, 9);
+	BF_ENC(r,l,k, 8);
+	BF_ENC(l,r,k, 7);
+	BF_ENC(r,l,k, 6);
+	BF_ENC(l,r,k, 5);
+	BF_ENC(r,l,k, 4);
+	BF_ENC(l,r,k, 3);
+	BF_ENC(r,l,k, 2);
+	BF_ENC(l,r,k, 1);
+	r^=k[0];
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+#endif
+	}
+
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int encrypt)
+	{
+	register BF_LONG tin0,tin1;
+	register BF_LONG tout0,tout1,xor0,xor1;
+	register long l=length;
+	BF_LONG tin[2];
+
+	if (encrypt)
+		{
+		n2l(ivec,tout0);
+		n2l(ivec,tout1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		if (l != -8)
+			{
+			n2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_encrypt(tin,schedule);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		l2n(tout0,ivec);
+		l2n(tout1,ivec);
+		}
+	else
+		{
+		n2l(ivec,xor0);
+		n2l(ivec,xor1);
+		ivec-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2n(tout0,out);
+			l2n(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			BF_decrypt(tin,schedule);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2nn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2n(xor0,ivec);
+		l2n(xor1,ivec);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/bf/bf_locl.h b/crypto/openssl/crypto/bf/bf_locl.h
new file mode 100644
index 0000000..cc7c3ec
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_locl.h
@@ -0,0 +1,219 @@
+/* crypto/bf/bf_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BF_LOCL_H
+#define HEADER_BF_LOCL_H
+#include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* This is actually a big endian algorithm, the most significant byte
+ * is used to lookup array 0 */
+
+#if defined(BF_PTR2)
+
+/*
+ * This is basically a special Intel version. Point is that Intel
+ * doesn't have many registers, but offers a reach choice of addressing
+ * modes. So we spare some registers by directly traversing BF_KEY
+ * structure and hiring the most decorated addressing mode. The code
+ * generated by EGCS is *perfectly* competitive with assembler
+ * implementation!
+ */
+#define BF_ENC(LL,R,KEY,Pi) (\
+	LL^=KEY[Pi], \
+	t=  KEY[BF_ROUNDS+2 +   0 + ((R>>24)&0xFF)], \
+	t+= KEY[BF_ROUNDS+2 + 256 + ((R>>16)&0xFF)], \
+	t^= KEY[BF_ROUNDS+2 + 512 + ((R>>8 )&0xFF)], \
+	t+= KEY[BF_ROUNDS+2 + 768 + ((R    )&0xFF)], \
+	LL^=t \
+	)
+
+#elif defined(BF_PTR)
+
+#ifndef BF_LONG_LOG2
+#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
+#endif
+#define BF_M  (0xFF<<BF_LONG_LOG2)
+#define BF_0  (24-BF_LONG_LOG2)
+#define BF_1  (16-BF_LONG_LOG2)
+#define BF_2  ( 8-BF_LONG_LOG2)
+#define BF_3  BF_LONG_LOG2 /* left shift */
+
+/*
+ * This is normally very good on RISC platforms where normally you
+ * have to explicitly "multiply" array index by sizeof(BF_LONG)
+ * in order to calculate the effective address. This implementation
+ * excuses CPU from this extra work. Power[PC] uses should have most
+ * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
+ * rlwinm. So let'em double-check if their compiler does it.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+	LL^=P, \
+	LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
+		*(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
+		*(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
+		*(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
+	)
+#else
+
+/*
+ * This is a *generic* version. Seem to perform best on platforms that
+ * offer explicit support for extraction of 8-bit nibbles preferably
+ * complemented with "multiplying" of array index by sizeof(BF_LONG).
+ * For the moment of this writing the list comprises Alpha CPU featuring
+ * extbl and s[48]addq instructions.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+	LL^=P, \
+	LL^=(((	S[       ((int)(R>>24)&0xff)] + \
+		S[0x0100+((int)(R>>16)&0xff)])^ \
+		S[0x0200+((int)(R>> 8)&0xff)])+ \
+		S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
+	)
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/bf/bf_ofb64.c b/crypto/openssl/crypto/bf/bf_ofb64.c
new file mode 100644
index 0000000..f2a9ff6
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_ofb64.c
@@ -0,0 +1,110 @@
+/* crypto/bf/bf_ofb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int *num)
+	{
+	register BF_LONG v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned char d[8];
+	register char *dp;
+	BF_LONG ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv=(unsigned char *)ivec;
+	n2l(iv,v0);
+	n2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2n(v0,dp);
+	l2n(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			BF_encrypt((BF_LONG *)ti,schedule);
+			dp=(char *)d;
+			t=ti[0]; l2n(t,dp);
+			t=ti[1]; l2n(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv=(unsigned char *)ivec;
+		l2n(v0,iv);
+		l2n(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/bf/bf_opts.c b/crypto/openssl/crypto/bf/bf_opts.c
new file mode 100644
index 0000000..bbe32b2
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_opts.c
@@ -0,0 +1,328 @@
+/* crypto/bf/bf_opts.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
+ * This is for machines with 64k code segment size restrictions. */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/blowfish.h>
+
+#define BF_DEFAULT_OPTIONS
+
+#undef BF_ENC
+#define BF_encrypt  BF_encrypt_normal
+#undef HEADER_BF_LOCL_H
+#include "bf_enc.c"
+
+#define BF_PTR
+#undef BF_PTR2
+#undef BF_ENC
+#undef BF_encrypt
+#define BF_encrypt  BF_encrypt_ptr
+#undef HEADER_BF_LOCL_H
+#include "bf_enc.c"
+
+#undef BF_PTR
+#define BF_PTR2
+#undef BF_ENC
+#undef BF_encrypt
+#define BF_encrypt  BF_encrypt_ptr2
+#undef HEADER_BF_LOCL_H
+#include "bf_enc.c"
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+#ifdef SIGALRM
+#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10);
+#else
+#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb);
+#endif
+	
+#define time_it(func,name,index) \
+	print_name(name); \
+	Time_F(START); \
+	for (count=0,run=1; COND(cb); count+=4) \
+		{ \
+		unsigned long d[2]; \
+		func(d,&sch); \
+		func(d,&sch); \
+		func(d,&sch); \
+		func(d,&sch); \
+		} \
+	tm[index]=Time_F(STOP); \
+	fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
+	tm[index]=((double)COUNT(cb))/tm[index];
+
+#define print_it(name,index) \
+	fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \
+		tm[index]*8,1.0e6/tm[index]);
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static char key[16]={	0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+				0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	BF_KEY sch;
+	double d,tm[16],max=0;
+	int rank[16];
+	char *str[16];
+	int max_idx=0,i,num=0,j;
+#ifndef SIGALARM
+	long ca,cb,cc,cd,ce;
+#endif
+
+	for (i=0; i<12; i++)
+		{
+		tm[i]=0.0;
+		rank[i]=0;
+		}
+
+#ifndef TIMES
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
+	fprintf(stderr,"program when this computer is idle.\n");
+#endif
+
+	BF_set_key(&sch,16,key);
+
+#ifndef SIGALRM
+	fprintf(stderr,"First we calculate the approximate speed ...\n");
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			BF_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count;
+	cb=count*3;
+	cc=count*3*8/BUFSIZE+1;
+	cd=count*8/BUFSIZE+1;
+
+	ce=count/20+1;
+#define COND(d) (count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c) (run)
+#define COUNT(d) (count)
+        signal(SIGALRM,sig_done);
+        alarm(10);
+#endif
+
+	time_it(BF_encrypt_normal,	"BF_encrypt_normal ", 0);
+	time_it(BF_encrypt_ptr,		"BF_encrypt_ptr    ", 1);
+	time_it(BF_encrypt_ptr2,	"BF_encrypt_ptr2   ", 2);
+	num+=3;
+
+	str[0]="<nothing>";
+	print_it("BF_encrypt_normal ",0);
+	max=tm[0];
+	max_idx=0;
+	str[1]="ptr      ";
+	print_it("BF_encrypt_ptr ",1);
+	if (max < tm[1]) { max=tm[1]; max_idx=1; }
+	str[2]="ptr2     ";
+	print_it("BF_encrypt_ptr2 ",2);
+	if (max < tm[2]) { max=tm[2]; max_idx=2; }
+
+	printf("options    BF ecb/s\n");
+	printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]);
+	d=tm[max_idx];
+	tm[max_idx]= -2.0;
+	max= -1.0;
+	for (;;)
+		{
+		for (i=0; i<3; i++)
+			{
+			if (max < tm[i]) { max=tm[i]; j=i; }
+			}
+		if (max < 0.0) break;
+		printf("%s %12.2f  %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0);
+		tm[j]= -2.0;
+		max= -1.0;
+		}
+
+	switch (max_idx)
+		{
+	case 0:
+		printf("-DBF_DEFAULT_OPTIONS\n");
+		break;
+	case 1:
+		printf("-DBF_PTR\n");
+		break;
+	case 2:
+		printf("-DBF_PTR2\n");
+		break;
+		}
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/bf/bf_pi.h b/crypto/openssl/crypto/bf/bf_pi.h
new file mode 100644
index 0000000..9949513
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_pi.h
@@ -0,0 +1,325 @@
+/* crypto/bf/bf_pi.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const BF_KEY bf_init= {
+	{
+	0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L,
+	0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L,
+	0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL,
+	0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
+	0x9216d5d9L, 0x8979fb1b
+	},{
+	0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 
+	0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 
+	0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, 
+	0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, 
+	0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, 
+	0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 
+	0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, 
+	0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, 
+	0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, 
+	0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, 
+	0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 
+	0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 
+	0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, 
+	0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, 
+	0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, 
+	0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 
+	0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 
+	0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, 
+	0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, 
+	0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, 
+	0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 
+	0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 
+	0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, 
+	0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, 
+	0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, 
+	0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 
+	0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 
+	0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, 
+	0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, 
+	0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, 
+	0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 
+	0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 
+	0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, 
+	0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, 
+	0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, 
+	0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 
+	0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 
+	0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, 
+	0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, 
+	0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, 
+	0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 
+	0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 
+	0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, 
+	0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, 
+	0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, 
+	0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 
+	0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 
+	0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, 
+	0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, 
+	0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, 
+	0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 
+	0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 
+	0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, 
+	0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, 
+	0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, 
+	0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 
+	0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 
+	0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, 
+	0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, 
+	0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, 
+	0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 
+	0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 
+	0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, 
+	0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, 
+	0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, 
+	0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 
+	0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 
+	0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, 
+	0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, 
+	0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, 
+	0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 
+	0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 
+	0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, 
+	0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, 
+	0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, 
+	0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 
+	0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 
+	0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, 
+	0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, 
+	0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, 
+	0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 
+	0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 
+	0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, 
+	0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, 
+	0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, 
+	0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 
+	0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 
+	0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, 
+	0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, 
+	0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, 
+	0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 
+	0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 
+	0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, 
+	0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, 
+	0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, 
+	0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 
+	0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 
+	0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, 
+	0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, 
+	0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, 
+	0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 
+	0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 
+	0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, 
+	0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, 
+	0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, 
+	0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 
+	0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 
+	0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, 
+	0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, 
+	0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, 
+	0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 
+	0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 
+	0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, 
+	0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, 
+	0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, 
+	0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 
+	0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 
+	0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, 
+	0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, 
+	0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, 
+	0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 
+	0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 
+	0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, 
+	0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, 
+	0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, 
+	0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 
+	0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 
+	0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, 
+	0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, 
+	0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, 
+	0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 
+	0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, 
+	0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, 
+	0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, 
+	0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, 
+	0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 
+	0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 
+	0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, 
+	0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, 
+	0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, 
+	0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 
+	0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 
+	0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, 
+	0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, 
+	0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, 
+	0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
+	0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 
+	0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, 
+	0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, 
+	0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, 
+	0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 
+	0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 
+	0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, 
+	0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, 
+	0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, 
+	0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 
+	0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 
+	0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, 
+	0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, 
+	0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, 
+	0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 
+	0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 
+	0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, 
+	0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, 
+	0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, 
+	0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 
+	0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 
+	0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, 
+	0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, 
+	0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, 
+	0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 
+	0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 
+	0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, 
+	0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, 
+	0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, 
+	0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 
+	0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 
+	0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, 
+	0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, 
+	0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, 
+	0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 
+	0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 
+	0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, 
+	0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, 
+	0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, 
+	0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 
+	0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 
+	0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, 
+	0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, 
+	0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, 
+	0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 
+	0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, 
+	0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, 
+	0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, 
+	0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, 
+	0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 
+	0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 
+	0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, 
+	0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, 
+	0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, 
+	0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 
+	0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 
+	0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, 
+	0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, 
+	0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, 
+	0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 
+	0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 
+	0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, 
+	0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, 
+	0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, 
+	0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 
+	0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 
+	0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, 
+	0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, 
+	0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, 
+	0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 
+	0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 
+	0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, 
+	0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, 
+	0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, 
+	0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 
+	0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 
+	0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, 
+	0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, 
+	0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, 
+	0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 
+	0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 
+	0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, 
+	0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, 
+	0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, 
+	0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 
+	0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 
+	0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, 
+	0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, 
+	0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, 
+	0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 
+	0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 
+	0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, 
+	0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, 
+	0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, 
+	0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 
+	0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 
+	0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, 
+	0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, 
+	0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, 
+	0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 
+	0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 
+	0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, 
+	0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, 
+	0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, 
+	0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 
+	0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 
+	0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, 
+	0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, 
+	0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, 
+	0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, 
+	}
+	};
+
diff --git a/crypto/openssl/crypto/bf/bf_skey.c b/crypto/openssl/crypto/bf/bf_skey.c
new file mode 100644
index 0000000..4d6a232
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bf_skey.c
@@ -0,0 +1,116 @@
+/* crypto/bf/bf_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/blowfish.h>
+#include "bf_locl.h"
+#include "bf_pi.h"
+
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+	{
+	int i;
+	BF_LONG *p,ri,in[2];
+	const unsigned char *d,*end;
+
+
+	memcpy((char *)key,(char *)&bf_init,sizeof(BF_KEY));
+	p=key->P;
+
+	if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4;
+
+	d=data;
+	end= &(data[len]);
+	for (i=0; i<(BF_ROUNDS+2); i++)
+		{
+		ri= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		ri<<=8;
+		ri|= *(d++);
+		if (d >= end) d=data;
+
+		p[i]^=ri;
+		}
+
+	in[0]=0L;
+	in[1]=0L;
+	for (i=0; i<(BF_ROUNDS+2); i+=2)
+		{
+		BF_encrypt(in,key);
+		p[i  ]=in[0];
+		p[i+1]=in[1];
+		}
+
+	p=key->S;
+	for (i=0; i<4*256; i+=2)
+		{
+		BF_encrypt(in,key);
+		p[i  ]=in[0];
+		p[i+1]=in[1];
+		}
+	}
+
diff --git a/crypto/openssl/crypto/bf/bfs.cpp b/crypto/openssl/crypto/bf/bfs.cpp
new file mode 100644
index 0000000..d74c457
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bfs.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/blowfish.h>
+
+void main(int argc,char *argv[])
+	{
+	BF_KEY key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			BF_encrypt(&data[0],&key);
+			GetTSC(s1);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			GetTSC(e1);
+			GetTSC(s2);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			GetTSC(e2);
+			BF_encrypt(&data[0],&key);
+			}
+
+		printf("blowfish %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/bf/bfspeed.c b/crypto/openssl/crypto/bf/bfspeed.c
new file mode 100644
index 0000000..ecc9dff
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bfspeed.c
@@ -0,0 +1,274 @@
+/* crypto/bf/bfspeed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/blowfish.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	BF_KEY sch;
+	double a,b,c,d;
+#ifndef SIGALRM
+	long ca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	BF_set_key(&sch,16,key);
+	count=10;
+	do	{
+		long i;
+		BF_LONG data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			BF_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/512;
+	cb=count;
+	cc=count*8/BUFSIZE+1;
+	printf("Doing BF_set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing BF_set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		BF_set_key(&sch,16,key);
+		BF_set_key(&sch,16,key);
+		BF_set_key(&sch,16,key);
+		BF_set_key(&sch,16,key);
+		}
+	d=Time_F(STOP);
+	printf("%ld BF_set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing BF_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing BF_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count+=4)
+		{
+		BF_LONG data[2];
+
+		BF_encrypt(data,&sch);
+		BF_encrypt(data,&sch);
+		BF_encrypt(data,&sch);
+		BF_encrypt(data,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld BF_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing BF_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing BF_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		BF_cbc_encrypt(buf,buf,BUFSIZE,&sch,
+			&(key[0]),BF_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld BF_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("Blowfish set_key       per sec = %12.3f (%9.3fuS)\n",a,1.0e6/a);
+	printf("Blowfish raw ecb bytes per sec = %12.3f (%9.3fuS)\n",b,8.0e6/b);
+	printf("Blowfish cbc     bytes per sec = %12.3f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/bf/bftest.c b/crypto/openssl/crypto/bf/bftest.c
new file mode 100644
index 0000000..5695250
--- /dev/null
+++ b/crypto/openssl/crypto/bf/bftest.c
@@ -0,0 +1,533 @@
+/* crypto/bf/bftest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* This has been a quickly hacked 'ideatest.c'.  When I add tests for other
+ * RC2 modes, more of the code will be uncommented. */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_BF
+int main(int argc, char *argv[])
+{
+    printf("No BF support\n");
+    return(0);
+}
+#else
+#include <openssl/blowfish.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static char *bf_key[2]={
+	"abcdefghijklmnopqrstuvwxyz",
+	"Who is John Galt?"
+	};
+
+/* big endian */
+static BF_LONG bf_plain[2][2]={
+	{0x424c4f57L,0x46495348L},
+	{0xfedcba98L,0x76543210L}
+	};
+
+static BF_LONG bf_cipher[2][2]={
+	{0x324ed0feL,0xf413a203L},
+	{0xcc91732bL,0x8022f684L}
+	};
+/************/
+
+/* Lets use the DES test vectors :-) */
+#define NUM_TESTS 34
+static unsigned char ecb_data[NUM_TESTS][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10},
+	{0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57},
+	{0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E},
+	{0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86},
+	{0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E},
+	{0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6},
+	{0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE},
+	{0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6},
+	{0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE},
+	{0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16},
+	{0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F},
+	{0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46},
+	{0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E},
+	{0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76},
+	{0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07},
+	{0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F},
+	{0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7},
+	{0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF},
+	{0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6},
+	{0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF},
+	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+	{0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
+	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}};
+
+static unsigned char plain_data[NUM_TESTS][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42},
+	{0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA},
+	{0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72},
+	{0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A},
+	{0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2},
+	{0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A},
+	{0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2},
+	{0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A},
+	{0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02},
+	{0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A},
+	{0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32},
+	{0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA},
+	{0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62},
+	{0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2},
+	{0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA},
+	{0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92},
+	{0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A},
+	{0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2},
+	{0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}};
+
+static unsigned char cipher_data[NUM_TESTS][8]={
+	{0x4E,0xF9,0x97,0x45,0x61,0x98,0xDD,0x78},
+	{0x51,0x86,0x6F,0xD5,0xB8,0x5E,0xCB,0x8A},
+	{0x7D,0x85,0x6F,0x9A,0x61,0x30,0x63,0xF2},
+	{0x24,0x66,0xDD,0x87,0x8B,0x96,0x3C,0x9D},
+	{0x61,0xF9,0xC3,0x80,0x22,0x81,0xB0,0x96},
+	{0x7D,0x0C,0xC6,0x30,0xAF,0xDA,0x1E,0xC7},
+	{0x4E,0xF9,0x97,0x45,0x61,0x98,0xDD,0x78},
+	{0x0A,0xCE,0xAB,0x0F,0xC6,0xA0,0xA2,0x8D},
+	{0x59,0xC6,0x82,0x45,0xEB,0x05,0x28,0x2B},
+	{0xB1,0xB8,0xCC,0x0B,0x25,0x0F,0x09,0xA0},
+	{0x17,0x30,0xE5,0x77,0x8B,0xEA,0x1D,0xA4},
+	{0xA2,0x5E,0x78,0x56,0xCF,0x26,0x51,0xEB},
+	{0x35,0x38,0x82,0xB1,0x09,0xCE,0x8F,0x1A},
+	{0x48,0xF4,0xD0,0x88,0x4C,0x37,0x99,0x18},
+	{0x43,0x21,0x93,0xB7,0x89,0x51,0xFC,0x98},
+	{0x13,0xF0,0x41,0x54,0xD6,0x9D,0x1A,0xE5},
+	{0x2E,0xED,0xDA,0x93,0xFF,0xD3,0x9C,0x79},
+	{0xD8,0x87,0xE0,0x39,0x3C,0x2D,0xA6,0xE3},
+	{0x5F,0x99,0xD0,0x4F,0x5B,0x16,0x39,0x69},
+	{0x4A,0x05,0x7A,0x3B,0x24,0xD3,0x97,0x7B},
+	{0x45,0x20,0x31,0xC1,0xE4,0xFA,0xDA,0x8E},
+	{0x75,0x55,0xAE,0x39,0xF5,0x9B,0x87,0xBD},
+	{0x53,0xC5,0x5F,0x9C,0xB4,0x9F,0xC0,0x19},
+	{0x7A,0x8E,0x7B,0xFA,0x93,0x7E,0x89,0xA3},
+	{0xCF,0x9C,0x5D,0x7A,0x49,0x86,0xAD,0xB5},
+	{0xD1,0xAB,0xB2,0x90,0x65,0x8B,0xC7,0x78},
+	{0x55,0xCB,0x37,0x74,0xD1,0x3E,0xF2,0x01},
+	{0xFA,0x34,0xEC,0x48,0x47,0xB2,0x68,0xB2},
+	{0xA7,0x90,0x79,0x51,0x08,0xEA,0x3C,0xAE},
+	{0xC3,0x9E,0x07,0x2D,0x9F,0xAC,0x63,0x1D},
+	{0x01,0x49,0x33,0xE0,0xCD,0xAF,0xF6,0xE4},
+	{0xF2,0x1E,0x9A,0x77,0xB7,0x1C,0x49,0xBC},
+	{0x24,0x59,0x46,0x88,0x57,0x54,0x36,0x9A},
+	{0x6B,0x5C,0x5A,0x9C,0x5D,0x9E,0x0A,0x5A},
+	};
+
+static unsigned char cbc_key [16]={
+	0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
+	0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
+static unsigned char cbc_iv [8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
+static char cbc_data[40]="7654321 Now is the time for ";
+static unsigned char cbc_ok[32]={
+	0x6B,0x77,0xB4,0xD6,0x30,0x06,0xDE,0xE6,
+	0x05,0xB1,0x56,0xE2,0x74,0x03,0x97,0x93,
+	0x58,0xDE,0xB9,0xE7,0x15,0x46,0x16,0xD9,
+	0x59,0xF1,0x65,0x2B,0xD5,0xFF,0x92,0xCC};
+
+static unsigned char cfb64_ok[]={
+	0xE7,0x32,0x14,0xA2,0x82,0x21,0x39,0xCA,
+	0xF2,0x6E,0xCF,0x6D,0x2E,0xB9,0xE7,0x6E,
+	0x3D,0xA3,0xDE,0x04,0xD1,0x51,0x72,0x00,
+	0x51,0x9D,0x57,0xA6,0xC3};
+
+static unsigned char ofb64_ok[]={
+	0xE7,0x32,0x14,0xA2,0x82,0x21,0x39,0xCA,
+	0x62,0xB3,0x43,0xCC,0x5B,0x65,0x58,0x73,
+	0x10,0xDD,0x90,0x8D,0x0C,0x24,0x1B,0x22,
+	0x63,0xC2,0xCF,0x80,0xDA};
+
+#define KEY_TEST_NUM	25
+static unsigned char key_test[KEY_TEST_NUM]={
+	0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87,
+	0x78,0x69,0x5a,0x4b,0x3c,0x2d,0x1e,0x0f,
+	0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
+	0x88};
+
+static unsigned char key_data[8]=
+	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10};
+
+static unsigned char key_out[KEY_TEST_NUM][8]={
+	{0xF9,0xAD,0x59,0x7C,0x49,0xDB,0x00,0x5E},
+	{0xE9,0x1D,0x21,0xC1,0xD9,0x61,0xA6,0xD6},
+	{0xE9,0xC2,0xB7,0x0A,0x1B,0xC6,0x5C,0xF3},
+	{0xBE,0x1E,0x63,0x94,0x08,0x64,0x0F,0x05},
+	{0xB3,0x9E,0x44,0x48,0x1B,0xDB,0x1E,0x6E},
+	{0x94,0x57,0xAA,0x83,0xB1,0x92,0x8C,0x0D},
+	{0x8B,0xB7,0x70,0x32,0xF9,0x60,0x62,0x9D},
+	{0xE8,0x7A,0x24,0x4E,0x2C,0xC8,0x5E,0x82},
+	{0x15,0x75,0x0E,0x7A,0x4F,0x4E,0xC5,0x77},
+	{0x12,0x2B,0xA7,0x0B,0x3A,0xB6,0x4A,0xE0},
+	{0x3A,0x83,0x3C,0x9A,0xFF,0xC5,0x37,0xF6},
+	{0x94,0x09,0xDA,0x87,0xA9,0x0F,0x6B,0xF2},
+	{0x88,0x4F,0x80,0x62,0x50,0x60,0xB8,0xB4},
+	{0x1F,0x85,0x03,0x1C,0x19,0xE1,0x19,0x68},
+	{0x79,0xD9,0x37,0x3A,0x71,0x4C,0xA3,0x4F},
+	{0x93,0x14,0x28,0x87,0xEE,0x3B,0xE1,0x5C},
+	{0x03,0x42,0x9E,0x83,0x8C,0xE2,0xD1,0x4B},
+	{0xA4,0x29,0x9E,0x27,0x46,0x9F,0xF6,0x7B},
+	{0xAF,0xD5,0xAE,0xD1,0xC1,0xBC,0x96,0xA8},
+	{0x10,0x85,0x1C,0x0E,0x38,0x58,0xDA,0x9F},
+	{0xE6,0xF5,0x1E,0xD7,0x9B,0x9D,0xB2,0x1F},
+	{0x64,0xA6,0xE1,0x4A,0xFD,0x36,0xB4,0x6F},
+	{0x80,0xC7,0xD7,0xD4,0x5A,0x54,0x79,0xAD},
+	{0x05,0x04,0x4B,0x62,0xFA,0x52,0xD0,0x80},
+	};
+
+static int test(void );
+static int print_test_data(void );
+int main(int argc, char *argv[])
+	{
+	int ret;
+
+	if (argc > 1)
+		ret=print_test_data();
+	else
+		ret=test();
+
+	exit(ret);
+	return(0);
+	}
+
+static int print_test_data(void)
+	{
+	unsigned int i,j;
+
+	printf("ecb test data\n");
+	printf("key bytes\t\tclear bytes\t\tcipher bytes\n");
+	for (i=0; i<NUM_TESTS; i++)
+		{
+		for (j=0; j<8; j++)
+			printf("%02X",ecb_data[i][j]);
+		printf("\t");
+		for (j=0; j<8; j++)
+			printf("%02X",plain_data[i][j]);
+		printf("\t");
+		for (j=0; j<8; j++)
+			printf("%02X",cipher_data[i][j]);
+		printf("\n");
+		}
+
+	printf("set_key test data\n");
+	printf("data[8]= ");
+	for (j=0; j<8; j++)
+		printf("%02X",key_data[j]);
+	printf("\n");
+	for (i=0; i<KEY_TEST_NUM-1; i++)
+		{
+		printf("c=");
+		for (j=0; j<8; j++)
+			printf("%02X",key_out[i][j]);
+		printf(" k[%2u]=",i+1);
+		for (j=0; j<i+1; j++)
+			printf("%02X",key_test[j]);
+		printf("\n");
+		}
+
+	printf("\nchaining mode test data\n");
+	printf("key[16]   = ");
+	for (j=0; j<16; j++)
+		printf("%02X",cbc_key[j]);
+	printf("\niv[8]     = ");
+	for (j=0; j<8; j++)
+		printf("%02X",cbc_iv[j]);
+	printf("\ndata[%d]  = '%s'",(int)strlen(cbc_data)+1,cbc_data);
+	printf("\ndata[%d]  = ",(int)strlen(cbc_data)+1);
+	for (j=0; j<strlen(cbc_data)+1; j++)
+		printf("%02X",cbc_data[j]);
+	printf("\n");
+	printf("cbc cipher text\n");
+	printf("cipher[%d]= ",32);
+	for (j=0; j<32; j++)
+		printf("%02X",cbc_ok[j]);
+	printf("\n");
+
+	printf("cfb64 cipher text\n");
+	printf("cipher[%d]= ",(int)strlen(cbc_data)+1);
+	for (j=0; j<strlen(cbc_data)+1; j++)
+		printf("%02X",cfb64_ok[j]);
+	printf("\n");
+
+	printf("ofb64 cipher text\n");
+	printf("cipher[%d]= ",(int)strlen(cbc_data)+1);
+	for (j=0; j<strlen(cbc_data)+1; j++)
+		printf("%02X",ofb64_ok[j]);
+	printf("\n");
+	return(0);
+	}
+
+static int test(void)
+	{
+	unsigned char cbc_in[40],cbc_out[40],iv[8];
+	int i,n,err=0;
+	BF_KEY key;
+	BF_LONG data[2]; 
+	unsigned char out[8]; 
+	BF_LONG len;
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(cbc_data, cbc_data, strlen(cbc_data));
+#endif
+
+	printf("testing blowfish in raw ecb mode\n");
+	for (n=0; n<2; n++)
+		{
+#ifdef CHARSET_EBCDIC
+		ebcdic2ascii(bf_key[n], bf_key[n], strlen(bf_key[n]));
+#endif
+		BF_set_key(&key,strlen(bf_key[n]),(unsigned char *)bf_key[n]);
+
+		data[0]=bf_plain[n][0];
+		data[1]=bf_plain[n][1];
+		BF_encrypt(data,&key);
+		if (memcmp(&(bf_cipher[n][0]),&(data[0]),8) != 0)
+			{
+			printf("BF_encrypt error encrypting\n");
+			printf("got     :");
+			for (i=0; i<2; i++)
+				printf("%08lX ",(unsigned long)data[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<2; i++)
+				printf("%08lX ",(unsigned long)bf_cipher[n][i]);
+			err=1;
+			printf("\n");
+			}
+
+		BF_decrypt(&(data[0]),&key);
+		if (memcmp(&(bf_plain[n][0]),&(data[0]),8) != 0)
+			{
+			printf("BF_encrypt error decrypting\n");
+			printf("got     :");
+			for (i=0; i<2; i++)
+				printf("%08lX ",(unsigned long)data[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<2; i++)
+				printf("%08lX ",(unsigned long)bf_plain[n][i]);
+			printf("\n");
+			err=1;
+			}
+		}
+
+	printf("testing blowfish in ecb mode\n");
+
+	for (n=0; n<NUM_TESTS; n++)
+		{
+		BF_set_key(&key,8,ecb_data[n]);
+
+		BF_ecb_encrypt(&(plain_data[n][0]),out,&key,BF_ENCRYPT);
+		if (memcmp(&(cipher_data[n][0]),out,8) != 0)
+			{
+			printf("BF_ecb_encrypt blowfish error encrypting\n");
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",out[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",cipher_data[n][i]);
+			err=1;
+			printf("\n");
+			}
+
+		BF_ecb_encrypt(out,out,&key,BF_DECRYPT);
+		if (memcmp(&(plain_data[n][0]),out,8) != 0)
+			{
+			printf("BF_ecb_encrypt error decrypting\n");
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",out[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",plain_data[n][i]);
+			printf("\n");
+			err=1;
+			}
+		}
+
+	printf("testing blowfish set_key\n");
+	for (n=1; n<KEY_TEST_NUM; n++)
+		{
+		BF_set_key(&key,n,key_test);
+		BF_ecb_encrypt(key_data,out,&key,BF_ENCRYPT);
+		if (memcmp(out,&(key_out[n-1][0]),8) != 0)
+			{
+			printf("blowfish setkey error\n");
+			err=1;
+			}
+		}
+
+	printf("testing blowfish in cbc mode\n");
+	len=strlen(cbc_data)+1;
+
+	BF_set_key(&key,16,cbc_key);
+	memset(cbc_in,0,40);
+	memset(cbc_out,0,40);
+	memcpy(iv,cbc_iv,8);
+	BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len,
+		&key,iv,BF_ENCRYPT);
+	if (memcmp(cbc_out,cbc_ok,32) != 0)
+		{
+		err=1;
+		printf("BF_cbc_encrypt encrypt error\n");
+		for (i=0; i<32; i++) printf("0x%02X,",cbc_out[i]);
+		}
+	memcpy(iv,cbc_iv,8);
+	BF_cbc_encrypt(cbc_out,cbc_in,len,
+		&key,iv,BF_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen(cbc_data)+1) != 0)
+		{
+		printf("BF_cbc_encrypt decrypt error\n");
+		err=1;
+		}
+
+	printf("testing blowfish in cfb64 mode\n");
+
+	BF_set_key(&key,16,cbc_key);
+	memset(cbc_in,0,40);
+	memset(cbc_out,0,40);
+	memcpy(iv,cbc_iv,8);
+	n=0;
+	BF_cfb64_encrypt((unsigned char *)cbc_data,cbc_out,(long)13,
+		&key,iv,&n,BF_ENCRYPT);
+	BF_cfb64_encrypt((unsigned char *)&(cbc_data[13]),&(cbc_out[13]),len-13,
+		&key,iv,&n,BF_ENCRYPT);
+	if (memcmp(cbc_out,cfb64_ok,(int)len) != 0)
+		{
+		err=1;
+		printf("BF_cfb64_encrypt encrypt error\n");
+		for (i=0; i<(int)len; i++) printf("0x%02X,",cbc_out[i]);
+		}
+	n=0;
+	memcpy(iv,cbc_iv,8);
+	BF_cfb64_encrypt(cbc_out,cbc_in,17,
+		&key,iv,&n,BF_DECRYPT);
+	BF_cfb64_encrypt(&(cbc_out[17]),&(cbc_in[17]),len-17,
+		&key,iv,&n,BF_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,(int)len) != 0)
+		{
+		printf("BF_cfb64_encrypt decrypt error\n");
+		err=1;
+		}
+
+	printf("testing blowfish in ofb64\n");
+
+	BF_set_key(&key,16,cbc_key);
+	memset(cbc_in,0,40);
+	memset(cbc_out,0,40);
+	memcpy(iv,cbc_iv,8);
+	n=0;
+	BF_ofb64_encrypt((unsigned char *)cbc_data,cbc_out,(long)13,&key,iv,&n);
+	BF_ofb64_encrypt((unsigned char *)&(cbc_data[13]),
+		&(cbc_out[13]),len-13,&key,iv,&n);
+	if (memcmp(cbc_out,ofb64_ok,(int)len) != 0)
+		{
+		err=1;
+		printf("BF_ofb64_encrypt encrypt error\n");
+		for (i=0; i<(int)len; i++) printf("0x%02X,",cbc_out[i]);
+		}
+	n=0;
+	memcpy(iv,cbc_iv,8);
+	BF_ofb64_encrypt(cbc_out,cbc_in,17,&key,iv,&n);
+	BF_ofb64_encrypt(&(cbc_out[17]),&(cbc_in[17]),len-17,&key,iv,&n);
+	if (memcmp(cbc_in,cbc_data,(int)len) != 0)
+		{
+		printf("BF_ofb64_encrypt decrypt error\n");
+		err=1;
+		}
+
+	return(err);
+	}
+#endif
diff --git a/crypto/openssl/crypto/bf/blowfish.h b/crypto/openssl/crypto/bf/blowfish.h
new file mode 100644
index 0000000..78acfd6
--- /dev/null
+++ b/crypto/openssl/crypto/bf/blowfish.h
@@ -0,0 +1,125 @@
+/* crypto/bf/blowfish.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BLOWFISH_H
+#define HEADER_BLOWFISH_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_BF
+#error BF is disabled.
+#endif
+
+#define BF_ENCRYPT	1
+#define BF_DECRYPT	0
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! BF_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! BF_LONG_LOG2 has to be defined along.                        !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define BF_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define BF_LONG unsigned long
+#define BF_LONG_LOG2 3
+/*
+ * _CRAY note. I could declare short, but I have no idea what impact
+ * does it have on performance on none-T3E machines. I could declare
+ * int, but at least on C90 sizeof(int) can be chosen at compile time.
+ * So I've chosen long...
+ *					<appro@fy.chalmers.se>
+ */
+#else
+#define BF_LONG unsigned int
+#endif
+
+#define BF_ROUNDS	16
+#define BF_BLOCK	8
+
+typedef struct bf_key_st
+	{
+	BF_LONG P[BF_ROUNDS+2];
+	BF_LONG S[4*256];
+	} BF_KEY;
+
+ 
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+void BF_decrypt(BF_LONG *data,const BF_KEY *key);
+
+void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+	const BF_KEY *key, int enc);
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int enc);
+void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num);
+const char *BF_options(void);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/bio/Makefile.save b/crypto/openssl/crypto/bio/Makefile.save
new file mode 100644
index 0000000..0ce9391
--- /dev/null
+++ b/crypto/openssl/crypto/bio/Makefile.save
@@ -0,0 +1,220 @@
+#
+# SSLeay/crypto/bio/Makefile
+#
+
+DIR=	bio
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= bio_lib.c bio_cb.c bio_err.c \
+	bss_mem.c bss_null.c bss_fd.c \
+	bss_file.c bss_sock.c bss_conn.c \
+	bf_null.c bf_buff.c b_print.c b_dump.c \
+	b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c
+LIBOBJ= bio_lib.o bio_cb.o bio_err.o \
+	bss_mem.o bss_null.o bss_fd.o \
+	bss_file.o bss_sock.o bss_conn.o \
+	bf_null.o bf_buff.o b_print.o b_dump.o \
+	b_sock.o bss_acpt.o bf_nbio.o bss_log.o bss_bio.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= bio.h
+HEADER=	bss_file.c $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER); \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+b_dump.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_dump.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_dump.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_dump.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_dump.o: ../cryptlib.h
+b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_print.o: ../cryptlib.h
+b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_sock.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_sock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_sock.o: ../cryptlib.h
+bf_buff.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_buff.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_buff.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_buff.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_buff.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_buff.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_buff.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_buff.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_buff.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bf_buff.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bf_buff.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bf_buff.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bf_buff.o: ../../include/openssl/stack.h ../cryptlib.h
+bf_nbio.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_nbio.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_nbio.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_nbio.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_nbio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_nbio.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_nbio.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_nbio.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_nbio.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_nbio.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bf_nbio.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+bf_nbio.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+bf_nbio.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+bf_nbio.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+bf_nbio.o: ../cryptlib.h
+bf_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bf_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bf_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bf_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bf_null.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_cb.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_cb.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_cb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_cb.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_cb.o: ../cryptlib.h
+bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+bio_err.o: ../../include/openssl/err.h ../../include/openssl/opensslv.h
+bio_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../cryptlib.h
+bss_acpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_acpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_acpt.o: ../../include/openssl/opensslconf.h
+bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_acpt.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_bio.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+bss_bio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bss_bio.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bss_bio.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_bio.o: ../../include/openssl/stack.h
+bss_conn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_conn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_conn.o: ../../include/openssl/opensslconf.h
+bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_conn.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_fd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_fd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_fd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_fd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_fd.o: ../cryptlib.h bss_sock.c
+bss_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_file.o: ../../include/openssl/opensslconf.h
+bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_file.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_log.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_log.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_log.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_log.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_log.o: ../cryptlib.h
+bss_mem.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_mem.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_mem.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_mem.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_mem.o: ../cryptlib.h
+bss_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_null.o: ../../include/openssl/opensslconf.h
+bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_null.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_sock.o: ../../include/openssl/opensslconf.h
+bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_sock.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl
new file mode 100644
index 0000000..0ce9391
--- /dev/null
+++ b/crypto/openssl/crypto/bio/Makefile.ssl
@@ -0,0 +1,220 @@
+#
+# SSLeay/crypto/bio/Makefile
+#
+
+DIR=	bio
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= bio_lib.c bio_cb.c bio_err.c \
+	bss_mem.c bss_null.c bss_fd.c \
+	bss_file.c bss_sock.c bss_conn.c \
+	bf_null.c bf_buff.c b_print.c b_dump.c \
+	b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c
+LIBOBJ= bio_lib.o bio_cb.o bio_err.o \
+	bss_mem.o bss_null.o bss_fd.o \
+	bss_file.o bss_sock.o bss_conn.o \
+	bf_null.o bf_buff.o b_print.o b_dump.o \
+	b_sock.o bss_acpt.o bf_nbio.o bss_log.o bss_bio.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= bio.h
+HEADER=	bss_file.c $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER); \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+b_dump.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_dump.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_dump.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_dump.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_dump.o: ../cryptlib.h
+b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_print.o: ../cryptlib.h
+b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_sock.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_sock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_sock.o: ../cryptlib.h
+bf_buff.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_buff.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_buff.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_buff.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_buff.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_buff.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_buff.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_buff.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_buff.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bf_buff.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bf_buff.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bf_buff.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bf_buff.o: ../../include/openssl/stack.h ../cryptlib.h
+bf_nbio.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_nbio.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_nbio.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_nbio.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_nbio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_nbio.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_nbio.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_nbio.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_nbio.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_nbio.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bf_nbio.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+bf_nbio.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+bf_nbio.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+bf_nbio.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+bf_nbio.o: ../cryptlib.h
+bf_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bf_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bf_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bf_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bf_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bf_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bf_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bf_null.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_cb.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_cb.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_cb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_cb.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_cb.o: ../cryptlib.h
+bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+bio_err.o: ../../include/openssl/err.h ../../include/openssl/opensslv.h
+bio_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../cryptlib.h
+bss_acpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_acpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_acpt.o: ../../include/openssl/opensslconf.h
+bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_acpt.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_bio.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+bss_bio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bss_bio.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bss_bio.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_bio.o: ../../include/openssl/stack.h
+bss_conn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_conn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_conn.o: ../../include/openssl/opensslconf.h
+bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_conn.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_fd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_fd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_fd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_fd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_fd.o: ../cryptlib.h bss_sock.c
+bss_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_file.o: ../../include/openssl/opensslconf.h
+bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_file.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_log.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_log.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_log.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_log.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_log.o: ../cryptlib.h
+bss_mem.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_mem.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_mem.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bss_mem.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_mem.o: ../cryptlib.h
+bss_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_null.o: ../../include/openssl/opensslconf.h
+bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_null.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_sock.o: ../../include/openssl/opensslconf.h
+bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_sock.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/bio/b_dump.c b/crypto/openssl/crypto/bio/b_dump.c
new file mode 100644
index 0000000..f5aeb23
--- /dev/null
+++ b/crypto/openssl/crypto/bio/b_dump.c
@@ -0,0 +1,128 @@
+/* crypto/bio/b_dump.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 
+ * Stolen from tjh's ssl/ssl_trc.c stuff.
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#define TRUNCATE
+#define DUMP_WIDTH	16
+
+int BIO_dump(BIO *bio, const char *s, int len)
+{
+  int ret=0;
+  char buf[160+1],tmp[20];
+  int i,j,rows,trunc;
+  unsigned char ch;
+
+  trunc=0;
+
+#ifdef TRUNCATE
+  for(; (len > 0) && ((s[len-1] == ' ') || (s[len-1] == '\0')); len--) 
+    trunc++;
+#endif
+
+  rows=(len/DUMP_WIDTH);
+  if ((rows*DUMP_WIDTH)<len)
+    rows++;
+  for(i=0;i<rows;i++) {
+    buf[0]='\0';	/* start with empty string */
+    sprintf(tmp,"%04x - ",i*DUMP_WIDTH);
+    strcpy(buf,tmp);
+    for(j=0;j<DUMP_WIDTH;j++) {
+      if (((i*DUMP_WIDTH)+j)>=len) {
+	strcat(buf,"   ");
+      } else {
+        ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff;
+	sprintf(tmp,"%02x%c",ch,j==7?'-':' ');
+        strcat(buf,tmp);
+      }
+    }
+    strcat(buf,"  ");
+    for(j=0;j<DUMP_WIDTH;j++) {
+      if (((i*DUMP_WIDTH)+j)>=len)
+	break;
+      ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff;
+#ifndef CHARSET_EBCDIC
+      sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.');
+#else
+      sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
+	      ? os_toebcdic[ch]
+	      : '.');
+#endif
+      strcat(buf,tmp);
+    }
+    strcat(buf,"\n");
+    /* if this is the last call then update the ddt_dump thing so that
+     * we will move the selection point in the debug window 
+     */
+    ret+=BIO_write(bio,(char *)buf,strlen(buf));
+  }
+#ifdef TRUNCATE
+  if (trunc > 0) {
+    sprintf(buf,"%04x - <SPACES/NULS>\n",len+trunc);
+    ret+=BIO_write(bio,(char *)buf,strlen(buf));
+  }
+#endif
+  return(ret);
+}
+
diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c
new file mode 100644
index 0000000..b11b501
--- /dev/null
+++ b/crypto/openssl/crypto/bio/b_print.c
@@ -0,0 +1,844 @@
+/* crypto/bio/b_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 
+ * Stolen from tjh's ssl/ssl_trc.c stuff.
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include <limits.h>
+#include "cryptlib.h"
+#ifndef NO_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <openssl/bio.h>
+
+#ifdef BN_LLONG
+# ifndef HAVE_LONG_LONG
+#  define HAVE_LONG_LONG 1
+# endif
+#endif
+
+static void dopr (char *buffer, size_t maxlen, size_t *retlen,
+	const char *format, va_list args);
+#ifdef USE_ALLOCATING_PRINT
+static void doapr (char **buffer, size_t *retlen,
+	const char *format, va_list args);
+#endif
+
+int BIO_printf (BIO *bio, ...)
+	{
+	va_list args;
+	char *format;
+	int ret;
+	size_t retlen;
+#ifdef USE_ALLOCATING_PRINT
+	char *hugebuf;
+#else
+	MS_STATIC char hugebuf[1024*2]; /* 10k in one chunk is the limit */
+#endif
+
+	va_start(args, bio);
+	format=va_arg(args, char *);
+
+#ifndef USE_ALLOCATING_PRINT
+	hugebuf[0]='\0';
+	dopr(hugebuf, sizeof(hugebuf), &retlen, format, args);
+#else
+	hugebuf = NULL;
+	CRYPTO_push_info("doapr()");
+	doapr(&hugebuf, &retlen, format, args);
+	if (hugebuf)
+		{
+#endif
+		ret=BIO_write(bio, hugebuf, (int)retlen);
+
+#ifdef USE_ALLOCATING_PRINT
+		Free(hugebuf);
+		}
+	CRYPTO_pop_info();
+#endif
+	va_end(args);
+	return(ret);
+	}
+
+/*
+ * Copyright Patrick Powell 1995
+ * This code is based on code written by Patrick Powell <papowell@astart.com>
+ * It may be used for any purpose as long as this notice remains intact
+ * on all source code distributions.
+ */
+
+/*
+ * This code contains numerious changes and enhancements which were
+ * made by lots of contributors over the last years to Patrick Powell's
+ * original code:
+ *
+ * o Patrick Powell <papowell@astart.com>      (1995)
+ * o Brandon Long <blong@fiction.net>          (1996, for Mutt)
+ * o Thomas Roessler <roessler@guug.de>        (1998, for Mutt)
+ * o Michael Elkins <me@cs.hmc.edu>            (1998, for Mutt)
+ * o Andrew Tridgell <tridge@samba.org>        (1998, for Samba)
+ * o Luke Mewburn <lukem@netbsd.org>           (1999, for LukemFTP)
+ * o Ralf S. Engelschall <rse@engelschall.com> (1999, for Pth)
+ */
+
+#if HAVE_LONG_DOUBLE
+#define LDOUBLE long double
+#else
+#define LDOUBLE double
+#endif
+
+#if HAVE_LONG_LONG
+#define LLONG long long
+#else
+#define LLONG long
+#endif
+
+static void fmtstr     (void (*)(char **, size_t *, size_t *, int),
+			char **, size_t *, size_t *, const char *, int, int,
+			int);
+static void fmtint     (void (*)(char **, size_t *, size_t *, int),
+			char **, size_t *, size_t *, LLONG, int, int, int, int);
+static void fmtfp      (void (*)(char **, size_t *, size_t *, int),
+			char **, size_t *, size_t *, LDOUBLE, int, int, int);
+#ifndef USE_ALLOCATING_PRINT
+static int dopr_isbig (size_t, size_t);
+static int dopr_copy (size_t);
+static void dopr_outch (char **, size_t *, size_t *, int);
+#else
+static int doapr_isbig (size_t, size_t);
+static int doapr_copy (size_t);
+static void doapr_outch (char **, size_t *, size_t *, int);
+#endif
+static void _dopr(void (*)(char **, size_t *, size_t *, int),
+		  int (*)(size_t, size_t), int (*)(size_t),
+		  char **buffer, size_t *maxlen, size_t *retlen,
+		  const char *format, va_list args);
+
+/* format read states */
+#define DP_S_DEFAULT    0
+#define DP_S_FLAGS      1
+#define DP_S_MIN        2
+#define DP_S_DOT        3
+#define DP_S_MAX        4
+#define DP_S_MOD        5
+#define DP_S_CONV       6
+#define DP_S_DONE       7
+
+/* format flags - Bits */
+#define DP_F_MINUS      (1 << 0)
+#define DP_F_PLUS       (1 << 1)
+#define DP_F_SPACE      (1 << 2)
+#define DP_F_NUM        (1 << 3)
+#define DP_F_ZERO       (1 << 4)
+#define DP_F_UP         (1 << 5)
+#define DP_F_UNSIGNED   (1 << 6)
+
+/* conversion flags */
+#define DP_C_SHORT      1
+#define DP_C_LONG       2
+#define DP_C_LDOUBLE    3
+#define DP_C_LLONG      4
+
+/* some handy macros */
+#define char_to_int(p) (p - '0')
+#define MAX(p,q) ((p >= q) ? p : q)
+
+#ifndef USE_ALLOCATING_PRINT
+static void
+dopr(
+    char *buffer,
+    size_t maxlen,
+    size_t *retlen,
+    const char *format,
+    va_list args)
+{
+    _dopr(dopr_outch, dopr_isbig, dopr_copy,
+	  &buffer, &maxlen, retlen, format, args);
+}
+
+#else
+static void
+doapr(
+    char **buffer,
+    size_t *retlen,
+    const char *format,
+    va_list args)
+{
+    size_t dummy_maxlen = 0;
+    _dopr(doapr_outch, doapr_isbig, doapr_copy,
+	  buffer, &dummy_maxlen, retlen, format, args);
+}
+#endif
+
+static void
+_dopr(
+    void (*outch_fn)(char **, size_t *, size_t *, int),
+    int (*isbig_fn)(size_t, size_t),
+    int (*copy_fn)(size_t),
+    char **buffer,
+    size_t *maxlen,
+    size_t *retlen,
+    const char *format,
+    va_list args)
+{
+    char ch;
+    LLONG value;
+    LDOUBLE fvalue;
+    char *strvalue;
+    int min;
+    int max;
+    int state;
+    int flags;
+    int cflags;
+    size_t currlen;
+
+    state = DP_S_DEFAULT;
+    flags = currlen = cflags = min = 0;
+    max = -1;
+    ch = *format++;
+
+    while (state != DP_S_DONE) {
+        if ((ch == '\0') || (*isbig_fn)(currlen, *maxlen))
+            state = DP_S_DONE;
+
+        switch (state) {
+        case DP_S_DEFAULT:
+            if (ch == '%')
+                state = DP_S_FLAGS;
+            else
+                (*outch_fn)(buffer, &currlen, maxlen, ch);
+            ch = *format++;
+            break;
+        case DP_S_FLAGS:
+            switch (ch) {
+            case '-':
+                flags |= DP_F_MINUS;
+                ch = *format++;
+                break;
+            case '+':
+                flags |= DP_F_PLUS;
+                ch = *format++;
+                break;
+            case ' ':
+                flags |= DP_F_SPACE;
+                ch = *format++;
+                break;
+            case '#':
+                flags |= DP_F_NUM;
+                ch = *format++;
+                break;
+            case '0':
+                flags |= DP_F_ZERO;
+                ch = *format++;
+                break;
+            default:
+                state = DP_S_MIN;
+                break;
+            }
+            break;
+        case DP_S_MIN:
+            if (isdigit((unsigned char)ch)) {
+                min = 10 * min + char_to_int(ch);
+                ch = *format++;
+            } else if (ch == '*') {
+                min = va_arg(args, int);
+                ch = *format++;
+                state = DP_S_DOT;
+            } else
+                state = DP_S_DOT;
+            break;
+        case DP_S_DOT:
+            if (ch == '.') {
+                state = DP_S_MAX;
+                ch = *format++;
+            } else
+                state = DP_S_MOD;
+            break;
+        case DP_S_MAX:
+            if (isdigit((unsigned char)ch)) {
+                if (max < 0)
+                    max = 0;
+                max = 10 * max + char_to_int(ch);
+                ch = *format++;
+            } else if (ch == '*') {
+                max = va_arg(args, int);
+                ch = *format++;
+                state = DP_S_MOD;
+            } else
+                state = DP_S_MOD;
+            break;
+        case DP_S_MOD:
+            switch (ch) {
+            case 'h':
+                cflags = DP_C_SHORT;
+                ch = *format++;
+                break;
+            case 'l':
+                if (*format == 'l') {
+                    cflags = DP_C_LLONG;
+                    format++;
+                } else
+                    cflags = DP_C_LONG;
+                ch = *format++;
+                break;
+            case 'q':
+                cflags = DP_C_LLONG;
+                ch = *format++;
+                break;
+            case 'L':
+                cflags = DP_C_LDOUBLE;
+                ch = *format++;
+                break;
+            default:
+                break;
+            }
+            state = DP_S_CONV;
+            break;
+        case DP_S_CONV:
+            switch (ch) {
+            case 'd':
+            case 'i':
+                switch (cflags) {
+                case DP_C_SHORT:
+                    value = (short int)va_arg(args, int);
+                    break;
+                case DP_C_LONG:
+                    value = va_arg(args, long int);
+                    break;
+                case DP_C_LLONG:
+                    value = va_arg(args, LLONG);
+                    break;
+                default:
+                    value = va_arg(args, int);
+                    break;
+                }
+                fmtint(outch_fn, buffer, &currlen, maxlen,
+		       value, 10, min, max, flags);
+                break;
+            case 'X':
+                flags |= DP_F_UP;
+                /* FALLTHROUGH */
+            case 'x':
+            case 'o':
+            case 'u':
+                flags |= DP_F_UNSIGNED;
+                switch (cflags) {
+                case DP_C_SHORT:
+                    value = (unsigned short int)va_arg(args, unsigned int);
+                    break;
+                case DP_C_LONG:
+                    value = (LLONG) va_arg(args,
+                        unsigned long int);
+                    break;
+                case DP_C_LLONG:
+                    value = va_arg(args, unsigned LLONG);
+                    break;
+                default:
+                    value = (LLONG) va_arg(args,
+                        unsigned int);
+                    break;
+                }
+                fmtint(outch_fn, buffer, &currlen, maxlen, value,
+                       ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+                       min, max, flags);
+                break;
+            case 'f':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                fmtfp(outch_fn, buffer, &currlen, maxlen,
+		      fvalue, min, max, flags);
+                break;
+            case 'E':
+                flags |= DP_F_UP;
+            case 'e':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                break;
+            case 'G':
+                flags |= DP_F_UP;
+            case 'g':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                break;
+            case 'c':
+                (*outch_fn)(buffer, &currlen, maxlen,
+                    va_arg(args, int));
+                break;
+            case 's':
+                strvalue = va_arg(args, char *);
+                if (max < 0)
+                    max = (*copy_fn)(*maxlen);
+                fmtstr(outch_fn, buffer, &currlen, maxlen, strvalue,
+		       flags, min, max);
+                break;
+            case 'p':
+                value = (long)va_arg(args, void *);
+                fmtint(outch_fn, buffer, &currlen, maxlen,
+                    value, 16, min, max, flags);
+                break;
+            case 'n': /* XXX */
+                if (cflags == DP_C_SHORT) {
+                    short int *num;
+                    num = va_arg(args, short int *);
+                    *num = currlen;
+                } else if (cflags == DP_C_LONG) { /* XXX */
+                    long int *num;
+                    num = va_arg(args, long int *);
+                    *num = (long int) currlen;
+                } else if (cflags == DP_C_LLONG) { /* XXX */
+                    LLONG *num;
+                    num = va_arg(args, LLONG *);
+                    *num = (LLONG) currlen;
+                } else {
+                    int    *num;
+                    num = va_arg(args, int *);
+                    *num = currlen;
+                }
+                break;
+            case '%':
+                (*outch_fn)(buffer, &currlen, maxlen, ch);
+                break;
+            case 'w':
+                /* not supported yet, treat as next char */
+                ch = *format++;
+                break;
+            default:
+                /* unknown, skip */
+                break;
+            }
+            ch = *format++;
+            state = DP_S_DEFAULT;
+            flags = cflags = min = 0;
+            max = -1;
+            break;
+        case DP_S_DONE:
+            break;
+        default:
+            break;
+        }
+    }
+    if (currlen >= *maxlen - 1)
+        currlen = *maxlen - 1;
+    (*buffer)[currlen] = '\0';
+    *retlen = currlen;
+    return;
+}
+
+static void
+fmtstr(
+    void (*outch_fn)(char **, size_t *, size_t *, int),
+    char **buffer,
+    size_t *currlen,
+    size_t *maxlen,
+    const char *value,
+    int flags,
+    int min,
+    int max)
+{
+    int padlen, strln;
+    int cnt = 0;
+
+    if (value == 0)
+        value = "<NULL>";
+    for (strln = 0; value[strln]; ++strln)
+        ;
+    padlen = min - strln;
+    if (padlen < 0)
+        padlen = 0;
+    if (flags & DP_F_MINUS)
+        padlen = -padlen;
+
+    while ((padlen > 0) && (cnt < max)) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        --padlen;
+        ++cnt;
+    }
+    while (*value && (cnt < max)) {
+        (*outch_fn)(buffer, currlen, maxlen, *value++);
+        ++cnt;
+    }
+    while ((padlen < 0) && (cnt < max)) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        ++padlen;
+        ++cnt;
+    }
+}
+
+static void
+fmtint(
+    void (*outch_fn)(char **, size_t *, size_t *, int),
+    char **buffer,
+    size_t *currlen,
+    size_t *maxlen,
+    LLONG value,
+    int base,
+    int min,
+    int max,
+    int flags)
+{
+    int signvalue = 0;
+    unsigned LLONG uvalue;
+    char convert[20];
+    int place = 0;
+    int spadlen = 0;
+    int zpadlen = 0;
+    int caps = 0;
+
+    if (max < 0)
+        max = 0;
+    uvalue = value;
+    if (!(flags & DP_F_UNSIGNED)) {
+        if (value < 0) {
+            signvalue = '-';
+            uvalue = -value;
+        } else if (flags & DP_F_PLUS)
+            signvalue = '+';
+        else if (flags & DP_F_SPACE)
+            signvalue = ' ';
+    }
+    if (flags & DP_F_UP)
+        caps = 1;
+    do {
+        convert[place++] =
+            (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+            [uvalue % (unsigned) base];
+        uvalue = (uvalue / (unsigned) base);
+    } while (uvalue && (place < 20));
+    if (place == 20)
+        place--;
+    convert[place] = 0;
+
+    zpadlen = max - place;
+    spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
+    if (zpadlen < 0)
+        zpadlen = 0;
+    if (spadlen < 0)
+        spadlen = 0;
+    if (flags & DP_F_ZERO) {
+        zpadlen = MAX(zpadlen, spadlen);
+        spadlen = 0;
+    }
+    if (flags & DP_F_MINUS)
+        spadlen = -spadlen;
+
+    /* spaces */
+    while (spadlen > 0) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        --spadlen;
+    }
+
+    /* sign */
+    if (signvalue)
+        (*outch_fn)(buffer, currlen, maxlen, signvalue);
+
+    /* zeros */
+    if (zpadlen > 0) {
+        while (zpadlen > 0) {
+            (*outch_fn)(buffer, currlen, maxlen, '0');
+            --zpadlen;
+        }
+    }
+    /* digits */
+    while (place > 0)
+        (*outch_fn)(buffer, currlen, maxlen, convert[--place]);
+
+    /* left justified spaces */
+    while (spadlen < 0) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        ++spadlen;
+    }
+    return;
+}
+
+static LDOUBLE
+abs_val(LDOUBLE value)
+{
+    LDOUBLE result = value;
+    if (value < 0)
+        result = -value;
+    return result;
+}
+
+static LDOUBLE
+pow10(int exp)
+{
+    LDOUBLE result = 1;
+    while (exp) {
+        result *= 10;
+        exp--;
+    }
+    return result;
+}
+
+static long
+round(LDOUBLE value)
+{
+    long intpart;
+    intpart = (long) value;
+    value = value - intpart;
+    if (value >= 0.5)
+        intpart++;
+    return intpart;
+}
+
+static void
+fmtfp(
+    void (*outch_fn)(char **, size_t *, size_t *, int),
+    char **buffer,
+    size_t *currlen,
+    size_t *maxlen,
+    LDOUBLE fvalue,
+    int min,
+    int max,
+    int flags)
+{
+    int signvalue = 0;
+    LDOUBLE ufvalue;
+    char iconvert[20];
+    char fconvert[20];
+    int iplace = 0;
+    int fplace = 0;
+    int padlen = 0;
+    int zpadlen = 0;
+    int caps = 0;
+    long intpart;
+    long fracpart;
+
+    if (max < 0)
+        max = 6;
+    ufvalue = abs_val(fvalue);
+    if (fvalue < 0)
+        signvalue = '-';
+    else if (flags & DP_F_PLUS)
+        signvalue = '+';
+    else if (flags & DP_F_SPACE)
+        signvalue = ' ';
+
+    intpart = (long)ufvalue;
+
+    /* sorry, we only support 9 digits past the decimal because of our
+       conversion method */
+    if (max > 9)
+        max = 9;
+
+    /* we "cheat" by converting the fractional part to integer by
+       multiplying by a factor of 10 */
+    fracpart = round((pow10(max)) * (ufvalue - intpart));
+
+    if (fracpart >= pow10(max)) {
+        intpart++;
+        fracpart -= (long)pow10(max);
+    }
+
+    /* convert integer part */
+    do {
+        iconvert[iplace++] =
+            (caps ? "0123456789ABCDEF"
+              : "0123456789abcdef")[intpart % 10];
+        intpart = (intpart / 10);
+    } while (intpart && (iplace < 20));
+    if (iplace == 20)
+        iplace--;
+    iconvert[iplace] = 0;
+
+    /* convert fractional part */
+    do {
+        fconvert[fplace++] =
+            (caps ? "0123456789ABCDEF"
+              : "0123456789abcdef")[fracpart % 10];
+        fracpart = (fracpart / 10);
+    } while (fracpart && (fplace < 20));
+    if (fplace == 20)
+        fplace--;
+    fconvert[fplace] = 0;
+
+    /* -1 for decimal point, another -1 if we are printing a sign */
+    padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
+    zpadlen = max - fplace;
+    if (zpadlen < 0)
+        zpadlen = 0;
+    if (padlen < 0)
+        padlen = 0;
+    if (flags & DP_F_MINUS)
+        padlen = -padlen;
+
+    if ((flags & DP_F_ZERO) && (padlen > 0)) {
+        if (signvalue) {
+            (*outch_fn)(buffer, currlen, maxlen, signvalue);
+            --padlen;
+            signvalue = 0;
+        }
+        while (padlen > 0) {
+            (*outch_fn)(buffer, currlen, maxlen, '0');
+            --padlen;
+        }
+    }
+    while (padlen > 0) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        --padlen;
+    }
+    if (signvalue)
+        (*outch_fn)(buffer, currlen, maxlen, signvalue);
+
+    while (iplace > 0)
+        (*outch_fn)(buffer, currlen, maxlen, iconvert[--iplace]);
+
+    /*
+     * Decimal point. This should probably use locale to find the correct
+     * char to print out.
+     */
+    if (max > 0) {
+        (*outch_fn)(buffer, currlen, maxlen, '.');
+
+        while (fplace > 0)
+            (*outch_fn)(buffer, currlen, maxlen, fconvert[--fplace]);
+    }
+    while (zpadlen > 0) {
+        (*outch_fn)(buffer, currlen, maxlen, '0');
+        --zpadlen;
+    }
+
+    while (padlen < 0) {
+        (*outch_fn)(buffer, currlen, maxlen, ' ');
+        ++padlen;
+    }
+}
+
+static int
+dopr_copy(
+    size_t len)
+{
+    return len;
+}
+
+#ifdef USE_ALLOCATING_PRINT
+static int
+doapr_copy(
+    size_t len)
+{
+    /* Return as high an integer as possible */
+    return INT_MAX;
+}
+#endif
+
+static int
+dopr_isbig(
+    size_t currlen,
+    size_t maxlen)
+{
+    return currlen > maxlen;
+}
+
+#ifdef USE_ALLOCATING_PRINT
+static int
+doapr_isbig(
+    size_t currlen,
+    size_t maxlen)
+{
+    return 0;
+}
+#endif
+
+static void
+dopr_outch(
+    char **buffer,
+    size_t *currlen,
+    size_t *maxlen,
+    int c)
+{
+    if (*currlen < *maxlen)
+        (*buffer)[(*currlen)++] = (char)c;
+    return;
+}
+
+#ifdef USE_ALLOCATING_PRINT
+static void
+doapr_outch(
+    char **buffer,
+    size_t *currlen,
+    size_t *maxlen,
+    int c)
+{
+    if (*buffer == NULL) {
+	if (*maxlen == 0)
+	    *maxlen = 1024;
+	*buffer = Malloc(*maxlen);
+    }
+    while (*currlen >= *maxlen) {
+	*maxlen += 1024;
+	*buffer = Realloc(*buffer, *maxlen);
+    }
+    /* What to do if *buffer is NULL? */
+    assert(*buffer != NULL);
+
+    (*buffer)[(*currlen)++] = (char)c;
+    return;
+}
+#endif
diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c
new file mode 100644
index 0000000..6409f98
--- /dev/null
+++ b/crypto/openssl/crypto/bio/b_sock.c
@@ -0,0 +1,717 @@
+/* crypto/bio/b_sock.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SOCK
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#ifdef WIN16
+#define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
+#else
+#define SOCKET_PROTOCOL IPPROTO_TCP
+#endif
+
+#ifdef SO_MAXCONN
+#define MAX_LISTEN  SOMAXCONN
+#elif defined(SO_MAXCONN)
+#define MAX_LISTEN  SO_MAXCONN
+#else
+#define MAX_LISTEN  32
+#endif
+
+#ifdef WINDOWS
+static int wsa_init_done=0;
+#endif
+
+static unsigned long BIO_ghbn_hits=0L;
+static unsigned long BIO_ghbn_miss=0L;
+
+#define GHBN_NUM	4
+static struct ghbn_cache_st
+	{
+	char name[129];
+	struct hostent *ent;
+	unsigned long order;
+	} ghbn_cache[GHBN_NUM];
+
+static int get_ip(const char *str,unsigned char *ip);
+static void ghbn_free(struct hostent *a);
+static struct hostent *ghbn_dup(struct hostent *a);
+int BIO_get_host_ip(const char *str, unsigned char *ip)
+	{
+	int i;
+	int err = 1;
+	int locked = 0;
+	struct hostent *he;
+
+	i=get_ip(str,ip);
+	if (i > 0) return(1);
+	if (i < 0)
+		{
+		BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_INVALID_IP_ADDRESS);
+		goto err;
+		}
+
+	/* do a gethostbyname */
+	if (!BIO_sock_init())
+		return(0); /* don't generate another error code here */
+
+	CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
+	locked = 1;
+	he=BIO_gethostbyname(str);
+	if (he == NULL)
+		{
+		BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_BAD_HOSTNAME_LOOKUP);
+		goto err;
+		}
+
+	/* cast to short because of win16 winsock definition */
+	if ((short)he->h_addrtype != AF_INET)
+		{
+		BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET);
+		goto err;
+		}
+	for (i=0; i<4; i++)
+		ip[i]=he->h_addr_list[0][i];
+	err = 0;
+
+ err:
+	if (locked)
+		CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
+	if (err)
+		{
+		ERR_add_error_data(2,"host=",str);
+		return 0;
+		}
+	else
+		return 1;
+	}
+
+int BIO_get_port(const char *str, unsigned short *port_ptr)
+	{
+	int i;
+	struct servent *s;
+
+	if (str == NULL)
+		{
+		BIOerr(BIO_F_BIO_GET_PORT,BIO_R_NO_PORT_DEFINED);
+		return(0);
+		}
+	i=atoi(str);
+	if (i != 0)
+		*port_ptr=(unsigned short)i;
+	else
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_GETSERVBYNAME);
+		/* Note: under VMS with SOCKETSHR, it seems like the first
+		 * parameter is 'char *', instead of 'const char *'
+		 */
+ 		s=getservbyname(
+#ifndef CONST_STRICT
+		    (char *)
+#endif
+		    str,"tcp");
+		if(s != NULL)
+			*port_ptr=ntohs((unsigned short)s->s_port);
+		CRYPTO_w_unlock(CRYPTO_LOCK_GETSERVBYNAME);
+		if(s == NULL)
+			{
+			if (strcmp(str,"http") == 0)
+				*port_ptr=80;
+			else if (strcmp(str,"telnet") == 0)
+				*port_ptr=23;
+			else if (strcmp(str,"socks") == 0)
+				*port_ptr=1080;
+			else if (strcmp(str,"https") == 0)
+				*port_ptr=443;
+			else if (strcmp(str,"ssl") == 0)
+				*port_ptr=443;
+			else if (strcmp(str,"ftp") == 0)
+				*port_ptr=21;
+			else if (strcmp(str,"gopher") == 0)
+				*port_ptr=70;
+#if 0
+			else if (strcmp(str,"wais") == 0)
+				*port_ptr=21;
+#endif
+			else
+				{
+				SYSerr(SYS_F_GETSERVBYNAME,get_last_socket_error());
+				ERR_add_error_data(3,"service='",str,"'");
+				return(0);
+				}
+			}
+		}
+	return(1);
+	}
+
+int BIO_sock_error(int sock)
+	{
+	int j,i;
+	int size;
+		 
+	size=sizeof(int);
+	/* Note: under Windows the third parameter is of type (char *)
+	 * whereas under other systems it is (void *) if you don't have
+	 * a cast it will choke the compiler: if you do have a cast then
+	 * you can either go for (char *) or (void *).
+	 */
+	i=getsockopt(sock,SOL_SOCKET,SO_ERROR,(void *)&j,(void *)&size);
+	if (i < 0)
+		return(1);
+	else
+		return(j);
+	}
+
+long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
+	{
+	int i;
+	char **p;
+
+	switch (cmd)
+		{
+	case BIO_GHBN_CTRL_HITS:
+		return(BIO_ghbn_hits);
+		/* break; */
+	case BIO_GHBN_CTRL_MISSES:
+		return(BIO_ghbn_miss);
+		/* break; */
+	case BIO_GHBN_CTRL_CACHE_SIZE:
+		return(GHBN_NUM);
+		/* break; */
+	case BIO_GHBN_CTRL_GET_ENTRY:
+		if ((iarg >= 0) && (iarg <GHBN_NUM) &&
+			(ghbn_cache[iarg].order > 0))
+			{
+			p=(char **)parg;
+			if (p == NULL) return(0);
+			*p=ghbn_cache[iarg].name;
+			ghbn_cache[iarg].name[128]='\0';
+			return(1);
+			}
+		return(0);
+		/* break; */
+	case BIO_GHBN_CTRL_FLUSH:
+		for (i=0; i<GHBN_NUM; i++)
+			ghbn_cache[i].order=0;
+		break;
+	default:
+		return(0);
+		}
+	return(1);
+	}
+
+static struct hostent *ghbn_dup(struct hostent *a)
+	{
+	struct hostent *ret;
+	int i,j;
+
+	MemCheck_off();
+	ret=(struct hostent *)Malloc(sizeof(struct hostent));
+	if (ret == NULL) return(NULL);
+	memset(ret,0,sizeof(struct hostent));
+
+	for (i=0; a->h_aliases[i] != NULL; i++)
+		;
+	i++;
+	ret->h_aliases = (char **)Malloc(i*sizeof(char *));
+	if (ret->h_aliases == NULL)
+		goto err;
+	memset(ret->h_aliases, 0, i*sizeof(char *));
+
+	for (i=0; a->h_addr_list[i] != NULL; i++)
+		;
+	i++;
+	ret->h_addr_list=(char **)Malloc(i*sizeof(char *));
+	if (ret->h_addr_list == NULL)
+		goto err;
+	memset(ret->h_addr_list, 0, i*sizeof(char *));
+
+	j=strlen(a->h_name)+1;
+	if ((ret->h_name=Malloc(j)) == NULL) goto err;
+	memcpy((char *)ret->h_name,a->h_name,j);
+	for (i=0; a->h_aliases[i] != NULL; i++)
+		{
+		j=strlen(a->h_aliases[i])+1;
+		if ((ret->h_aliases[i]=Malloc(j)) == NULL) goto err;
+		memcpy(ret->h_aliases[i],a->h_aliases[i],j);
+		}
+	ret->h_length=a->h_length;
+	ret->h_addrtype=a->h_addrtype;
+	for (i=0; a->h_addr_list[i] != NULL; i++)
+		{
+		if ((ret->h_addr_list[i]=Malloc(a->h_length)) == NULL)
+			goto err;
+		memcpy(ret->h_addr_list[i],a->h_addr_list[i],a->h_length);
+		}
+	if (0)
+		{
+err:	
+		if (ret != NULL)
+			ghbn_free(ret);
+		ret=NULL;
+		}
+	MemCheck_on();
+	return(ret);
+	}
+
+static void ghbn_free(struct hostent *a)
+	{
+	int i;
+
+	if(a == NULL)
+	    return;
+
+	if (a->h_aliases != NULL)
+		{
+		for (i=0; a->h_aliases[i] != NULL; i++)
+			Free(a->h_aliases[i]);
+		Free(a->h_aliases);
+		}
+	if (a->h_addr_list != NULL)
+		{
+		for (i=0; a->h_addr_list[i] != NULL; i++)
+			Free(a->h_addr_list[i]);
+		Free(a->h_addr_list);
+		}
+	if (a->h_name != NULL) Free(a->h_name);
+	Free(a);
+	}
+
+struct hostent *BIO_gethostbyname(const char *name)
+	{
+	struct hostent *ret;
+	int i,lowi=0,j;
+	unsigned long low= (unsigned long)-1;
+
+/*	return(gethostbyname(name)); */
+
+#if 0 /* It doesn't make sense to use locking here: The function interface
+	   * is not thread-safe, because threads can never be sure when
+	   * some other thread destroys the data they were given a pointer to.
+	   */
+	CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
+#endif
+	j=strlen(name);
+	if (j < 128)
+		{
+		for (i=0; i<GHBN_NUM; i++)
+			{
+			if (low > ghbn_cache[i].order)
+				{
+				low=ghbn_cache[i].order;
+				lowi=i;
+				}
+			if (ghbn_cache[i].order > 0)
+				{
+				if (strncmp(name,ghbn_cache[i].name,128) == 0)
+					break;
+				}
+			}
+		}
+	else
+		i=GHBN_NUM;
+
+	if (i == GHBN_NUM) /* no hit*/
+		{
+		BIO_ghbn_miss++;
+		/* Note: under VMS with SOCKETSHR, it seems like the first
+		 * parameter is 'char *', instead of 'const char *'
+		 */
+		ret=gethostbyname(
+#ifndef CONST_STRICT
+		    (char *)
+#endif
+		    name);
+
+		if (ret == NULL)
+			goto end;
+		if (j > 128) /* too big to cache */
+			{
+#if 0 /* If we were trying to make this function thread-safe (which
+	   * is bound to fail), we'd have to give up in this case
+	   * (or allocate more memory). */
+			ret = NULL;
+#endif
+			goto end;
+			}
+
+		/* else add to cache */
+		if (ghbn_cache[lowi].ent != NULL)
+			ghbn_free(ghbn_cache[lowi].ent); /* XXX not thread-safe */
+		ghbn_cache[lowi].name[0] = '\0';
+
+		if((ret=ghbn_cache[lowi].ent=ghbn_dup(ret)) == NULL)
+			{
+			BIOerr(BIO_F_BIO_GETHOSTBYNAME,ERR_R_MALLOC_FAILURE);
+			goto end;
+			}
+		strncpy(ghbn_cache[lowi].name,name,128);
+		ghbn_cache[lowi].order=BIO_ghbn_miss+BIO_ghbn_hits;
+		}
+	else
+		{
+		BIO_ghbn_hits++;
+		ret= ghbn_cache[i].ent;
+		ghbn_cache[i].order=BIO_ghbn_miss+BIO_ghbn_hits;
+		}
+end:
+#if 0
+	CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
+#endif
+	return(ret);
+	}
+
+int BIO_sock_init(void)
+	{
+#ifdef WINDOWS
+	static struct WSAData wsa_state;
+
+	if (!wsa_init_done)
+		{
+		int err;
+	  
+#ifdef SIGINT
+		signal(SIGINT,(void (*)(int))BIO_sock_cleanup);
+#endif
+		wsa_init_done=1;
+		memset(&wsa_state,0,sizeof(wsa_state));
+		if (WSAStartup(0x0101,&wsa_state)!=0)
+			{
+			err=WSAGetLastError();
+			SYSerr(SYS_F_WSASTARTUP,err);
+			BIOerr(BIO_F_BIO_SOCK_INIT,BIO_R_WSASTARTUP);
+			return(-1);
+			}
+		}
+#endif /* WINDOWS */
+	return(1);
+	}
+
+void BIO_sock_cleanup(void)
+	{
+#ifdef WINDOWS
+	if (wsa_init_done)
+		{
+		wsa_init_done=0;
+		WSACancelBlockingCall();
+		WSACleanup();
+		}
+#endif
+	}
+
+#if !defined(VMS) || __VMS_VER >= 70000000
+
+int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
+	{
+	int i;
+
+	i=ioctlsocket(fd,type,arg);
+	if (i < 0)
+		SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
+	return(i);
+	}
+#endif /* __VMS_VER */
+
+/* The reason I have implemented this instead of using sscanf is because
+ * Visual C 1.52c gives an unresolved external when linking a DLL :-( */
+static int get_ip(const char *str, unsigned char ip[4])
+	{
+	unsigned int tmp[4];
+	int num=0,c,ok=0;
+
+	tmp[0]=tmp[1]=tmp[2]=tmp[3]=0;
+
+	for (;;)
+		{
+		c= *(str++);
+		if ((c >= '0') && (c <= '9'))
+			{
+			ok=1;
+			tmp[num]=tmp[num]*10+c-'0';
+			if (tmp[num] > 255) return(-1);
+			}
+		else if (c == '.')
+			{
+			if (!ok) return(-1);
+			if (num == 3) break;
+			num++;
+			ok=0;
+			}
+		else if ((num == 3) && ok)
+			break;
+		else
+			return(0);
+		}
+	ip[0]=tmp[0];
+	ip[1]=tmp[1];
+	ip[2]=tmp[2];
+	ip[3]=tmp[3];
+	return(1);
+	}
+
+int BIO_get_accept_socket(char *host, int bind_mode)
+	{
+	int ret=0;
+	struct sockaddr_in server,client;
+	int s= -1,cs;
+	unsigned char ip[4];
+	unsigned short port;
+	char *str,*e;
+	const char *h,*p;
+	unsigned long l;
+	int err_num;
+
+	if (!BIO_sock_init()) return(INVALID_SOCKET);
+
+	if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET);
+
+	h=p=NULL;
+	h=str;
+	for (e=str; *e; e++)
+		{
+		if (*e == ':')
+			{
+			p= &(e[1]);
+			*e='\0';
+			}
+		else if (*e == '/')
+			{
+			*e='\0';
+			break;
+			}
+		}
+
+	if (p == NULL)
+		{
+		p=h;
+		h="*";
+		}
+
+	if (!BIO_get_port(p,&port)) return(INVALID_SOCKET);
+
+	memset((char *)&server,0,sizeof(server));
+	server.sin_family=AF_INET;
+	server.sin_port=htons(port);
+
+	if (strcmp(h,"*") == 0)
+		server.sin_addr.s_addr=INADDR_ANY;
+	else
+		{
+		if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET);
+		l=(unsigned long)
+			((unsigned long)ip[0]<<24L)|
+			((unsigned long)ip[1]<<16L)|
+			((unsigned long)ip[2]<< 8L)|
+			((unsigned long)ip[3]);
+		server.sin_addr.s_addr=htonl(l);
+		}
+
+again:
+	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+	if (s == INVALID_SOCKET)
+		{
+		SYSerr(SYS_F_SOCKET,get_last_socket_error());
+		ERR_add_error_data(3,"port='",host,"'");
+		BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_CREATE_SOCKET);
+		goto err;
+		}
+
+#ifdef SO_REUSEADDR
+	if (bind_mode == BIO_BIND_REUSEADDR)
+		{
+		int i=1;
+
+		ret=setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char *)&i,sizeof(i));
+		bind_mode=BIO_BIND_NORMAL;
+		}
+#endif
+	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
+		{
+#ifdef SO_REUSEADDR
+		err_num=get_last_socket_error();
+		if ((bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED) &&
+			(err_num == EADDRINUSE))
+			{
+			memcpy((char *)&client,(char *)&server,sizeof(server));
+			if (strcmp(h,"*") == 0)
+				client.sin_addr.s_addr=htonl(0x7F000001);
+			cs=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+			if (cs != INVALID_SOCKET)
+				{
+				int ii;
+				ii=connect(cs,(struct sockaddr *)&client,
+					sizeof(client));
+				closesocket(cs);
+				if (ii == INVALID_SOCKET)
+					{
+					bind_mode=BIO_BIND_REUSEADDR;
+					closesocket(s);
+					goto again;
+					}
+				/* else error */
+				}
+			/* else error */
+			}
+#endif
+		SYSerr(SYS_F_BIND,err_num);
+		ERR_add_error_data(3,"port='",host,"'");
+		BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_BIND_SOCKET);
+		goto err;
+		}
+	if (listen(s,MAX_LISTEN) == -1)
+		{
+		SYSerr(SYS_F_BIND,get_last_socket_error());
+		ERR_add_error_data(3,"port='",host,"'");
+		BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_LISTEN_SOCKET);
+		goto err;
+		}
+	ret=1;
+err:
+	if (str != NULL) Free(str);
+	if ((ret == 0) && (s != INVALID_SOCKET))
+		{
+		closesocket(s);
+		s= INVALID_SOCKET;
+		}
+	return(s);
+	}
+
+int BIO_accept(int sock, char **addr)
+	{
+	int ret=INVALID_SOCKET;
+	static struct sockaddr_in from;
+	unsigned long l;
+	unsigned short port;
+	int len;
+	char *p;
+
+	memset((char *)&from,0,sizeof(from));
+	len=sizeof(from);
+	/* Note: under VMS with SOCKETSHR the fourth parameter is currently
+	 * of type (int *) whereas under other systems it is (void *) if
+	 * you don't have a cast it will choke the compiler: if you do
+	 * have a cast then you can either go for (int *) or (void *).
+	 */
+	ret=accept(sock,(struct sockaddr *)&from,(void *)&len);
+	if (ret == INVALID_SOCKET)
+		{
+		SYSerr(SYS_F_ACCEPT,get_last_socket_error());
+		BIOerr(BIO_F_BIO_ACCEPT,BIO_R_ACCEPT_ERROR);
+		goto end;
+		}
+
+	if (addr == NULL) goto end;
+
+	l=ntohl(from.sin_addr.s_addr);
+	port=ntohs(from.sin_port);
+	if (*addr == NULL)
+		{
+		if ((p=Malloc(24)) == NULL)
+			{
+			BIOerr(BIO_F_BIO_ACCEPT,ERR_R_MALLOC_FAILURE);
+			goto end;
+			}
+		*addr=p;
+		}
+	sprintf(*addr,"%d.%d.%d.%d:%d",
+		(unsigned char)(l>>24L)&0xff,
+		(unsigned char)(l>>16L)&0xff,
+		(unsigned char)(l>> 8L)&0xff,
+		(unsigned char)(l     )&0xff,
+		port);
+end:
+	return(ret);
+	}
+
+int BIO_set_tcp_ndelay(int s, int on)
+	{
+	int ret=0;
+#if defined(TCP_NODELAY) && (defined(IPPROTO_TCP) || defined(SOL_TCP))
+	int opt;
+
+#ifdef SOL_TCP
+	opt=SOL_TCP;
+#else
+#ifdef IPPROTO_TCP
+	opt=IPPROTO_TCP;
+#endif
+#endif
+	
+	ret=setsockopt(s,opt,TCP_NODELAY,(char *)&on,sizeof(on));
+#endif
+	return(ret == 0);
+	}
+#endif
+
+int BIO_socket_nbio(int s, int mode)
+	{
+	int ret= -1;
+	unsigned long l;
+
+	l=mode;
+#ifdef FIONBIO
+	ret=BIO_socket_ioctl(s,FIONBIO,&l);
+#endif
+	return(ret == 0);
+	}
diff --git a/crypto/openssl/crypto/bio/bf_buff.c b/crypto/openssl/crypto/bio/bf_buff.c
new file mode 100644
index 0000000..ff0c907
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bf_buff.c
@@ -0,0 +1,511 @@
+/* crypto/bio/bf_buff.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+static int buffer_write(BIO *h,char *buf,int num);
+static int buffer_read(BIO *h,char *buf,int size);
+static int buffer_puts(BIO *h,char *str);
+static int buffer_gets(BIO *h,char *str,int size);
+static long buffer_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int buffer_new(BIO *h);
+static int buffer_free(BIO *data);
+static long buffer_callback_ctrl(BIO *h,int cmd, void (*fp)());
+#define DEFAULT_BUFFER_SIZE	1024
+
+static BIO_METHOD methods_buffer=
+	{
+	BIO_TYPE_BUFFER,
+	"buffer",
+	buffer_write,
+	buffer_read,
+	buffer_puts,
+	buffer_gets,
+	buffer_ctrl,
+	buffer_new,
+	buffer_free,
+	buffer_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_buffer(void)
+	{
+	return(&methods_buffer);
+	}
+
+static int buffer_new(BIO *bi)
+	{
+	BIO_F_BUFFER_CTX *ctx;
+
+	ctx=(BIO_F_BUFFER_CTX *)Malloc(sizeof(BIO_F_BUFFER_CTX));
+	if (ctx == NULL) return(0);
+	ctx->ibuf=(char *)Malloc(DEFAULT_BUFFER_SIZE);
+	if (ctx->ibuf == NULL) { Free(ctx); return(0); }
+	ctx->obuf=(char *)Malloc(DEFAULT_BUFFER_SIZE);
+	if (ctx->obuf == NULL) { Free(ctx->ibuf); Free(ctx); return(0); }
+	ctx->ibuf_size=DEFAULT_BUFFER_SIZE;
+	ctx->obuf_size=DEFAULT_BUFFER_SIZE;
+	ctx->ibuf_len=0;
+	ctx->ibuf_off=0;
+	ctx->obuf_len=0;
+	ctx->obuf_off=0;
+
+	bi->init=1;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int buffer_free(BIO *a)
+	{
+	BIO_F_BUFFER_CTX *b;
+
+	if (a == NULL) return(0);
+	b=(BIO_F_BUFFER_CTX *)a->ptr;
+	if (b->ibuf != NULL) Free(b->ibuf);
+	if (b->obuf != NULL) Free(b->obuf);
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int buffer_read(BIO *b, char *out, int outl)
+	{
+	int i,num=0;
+	BIO_F_BUFFER_CTX *ctx;
+
+	if (out == NULL) return(0);
+	ctx=(BIO_F_BUFFER_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+	num=0;
+	BIO_clear_retry_flags(b);
+
+start:
+	i=ctx->ibuf_len;
+	/* If there is stuff left over, grab it */
+	if (i != 0)
+		{
+		if (i > outl) i=outl;
+		memcpy(out,&(ctx->ibuf[ctx->ibuf_off]),i);
+		ctx->ibuf_off+=i;
+		ctx->ibuf_len-=i;
+		num+=i;
+		if (outl == i)  return(num);
+		outl-=i;
+		out+=i;
+		}
+
+	/* We may have done a partial read. try to do more.
+	 * We have nothing in the buffer.
+	 * If we get an error and have read some data, just return it
+	 * and let them retry to get the error again.
+	 * copy direct to parent address space */
+	if (outl > ctx->ibuf_size)
+		{
+		for (;;)
+			{
+			i=BIO_read(b->next_bio,out,outl);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				if (i < 0) return((num > 0)?num:i);
+				if (i == 0) return(num);
+				}
+			num+=i;
+			if (outl == i) return(num);
+			out+=i;
+			outl-=i;
+			}
+		}
+	/* else */
+
+	/* we are going to be doing some buffering */
+	i=BIO_read(b->next_bio,ctx->ibuf,ctx->ibuf_size);
+	if (i <= 0)
+		{
+		BIO_copy_next_retry(b);
+		if (i < 0) return((num > 0)?num:i);
+		if (i == 0) return(num);
+		}
+	ctx->ibuf_off=0;
+	ctx->ibuf_len=i;
+
+	/* Lets re-read using ourselves :-) */
+	goto start;
+	}
+
+static int buffer_write(BIO *b, char *in, int inl)
+	{
+	int i,num=0;
+	BIO_F_BUFFER_CTX *ctx;
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+	ctx=(BIO_F_BUFFER_CTX *)b->ptr;
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+	BIO_clear_retry_flags(b);
+start:
+	i=ctx->obuf_size-(ctx->obuf_len+ctx->obuf_off);
+	/* add to buffer and return */
+	if (i >= inl)
+		{
+		memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl);
+		ctx->obuf_len+=inl;
+		return(num+inl);
+		}
+	/* else */
+	/* stuff already in buffer, so add to it first, then flush */
+	if (ctx->obuf_len != 0)
+		{
+		if (i > 0) /* lets fill it up if we can */
+			{
+			memcpy(&(ctx->obuf[ctx->obuf_len]),in,i);
+			in+=i;
+			inl-=i;
+			num+=i;
+			ctx->obuf_len+=i;
+			}
+		/* we now have a full buffer needing flushing */
+		for (;;)
+			{
+			i=BIO_write(b->next_bio,&(ctx->obuf[ctx->obuf_off]),
+				ctx->obuf_len);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+
+				if (i < 0) return((num > 0)?num:i);
+				if (i == 0) return(num);
+				}
+			ctx->obuf_off+=i;
+			ctx->obuf_len-=i;
+			if (ctx->obuf_len == 0) break;
+			}
+		}
+	/* we only get here if the buffer has been flushed and we
+	 * still have stuff to write */
+	ctx->obuf_off=0;
+
+	/* we now have inl bytes to write */
+	while (inl >= ctx->obuf_size)
+		{
+		i=BIO_write(b->next_bio,in,inl);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			if (i < 0) return((num > 0)?num:i);
+			if (i == 0) return(num);
+			}
+		num+=i;
+		in+=i;
+		inl-=i;
+		if (inl == 0) return(num);
+		}
+
+	/* copy the rest into the buffer since we have only a small 
+	 * amount left */
+	goto start;
+	}
+
+static long buffer_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO *dbio;
+	BIO_F_BUFFER_CTX *ctx;
+	long ret=1;
+	char *p1,*p2;
+	int r,i,*ip;
+	int ibs,obs;
+
+	ctx=(BIO_F_BUFFER_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ctx->ibuf_off=0;
+		ctx->ibuf_len=0;
+		ctx->obuf_off=0;
+		ctx->obuf_len=0;
+		if (b->next_bio == NULL) return(0);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_INFO:
+		ret=(long)ctx->obuf_len;
+		break;
+	case BIO_C_GET_BUFF_NUM_LINES:
+		ret=0;
+		p1=ctx->ibuf;
+		for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++)
+			{
+			if (p1[i] == '\n') ret++;
+			}
+		break;
+	case BIO_CTRL_WPENDING:
+		ret=(long)ctx->obuf_len;
+		if (ret == 0)
+			{
+			if (b->next_bio == NULL) return(0);
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+			}
+		break;
+	case BIO_CTRL_PENDING:
+		ret=(long)ctx->ibuf_len;
+		if (ret == 0)
+			{
+			if (b->next_bio == NULL) return(0);
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+			}
+		break;
+	case BIO_C_SET_BUFF_READ_DATA:
+		if (num > ctx->ibuf_size)
+			{
+			p1=Malloc((int)num);
+			if (p1 == NULL) goto malloc_error;
+			if (ctx->ibuf != NULL) Free(ctx->ibuf);
+			ctx->ibuf=p1;
+			}
+		ctx->ibuf_off=0;
+		ctx->ibuf_len=(int)num;
+		memcpy(ctx->ibuf,ptr,(int)num);
+		ret=1;
+		break;
+	case BIO_C_SET_BUFF_SIZE:
+		if (ptr != NULL)
+			{
+			ip=(int *)ptr;
+			if (*ip == 0)
+				{
+				ibs=(int)num;
+				obs=ctx->obuf_size;
+				}
+			else /* if (*ip == 1) */
+				{
+				ibs=ctx->ibuf_size;
+				obs=(int)num;
+				}
+			}
+		else
+			{
+			ibs=(int)num;
+			obs=(int)num;
+			}
+		p1=ctx->ibuf;
+		p2=ctx->obuf;
+		if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size))
+			{
+			p1=(char *)Malloc((int)num);
+			if (p1 == NULL) goto malloc_error;
+			}
+		if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size))
+			{
+			p2=(char *)Malloc((int)num);
+			if (p2 == NULL)
+				{
+				if (p1 != ctx->ibuf) Free(p1);
+				goto malloc_error;
+				}
+			}
+		if (ctx->ibuf != p1)
+			{
+			Free(ctx->ibuf);
+			ctx->ibuf=p1;
+			ctx->ibuf_off=0;
+			ctx->ibuf_len=0;
+			ctx->ibuf_size=ibs;
+			}
+		if (ctx->obuf != p2)
+			{
+			Free(ctx->obuf);
+			ctx->obuf=p2;
+			ctx->obuf_off=0;
+			ctx->obuf_len=0;
+			ctx->obuf_size=obs;
+			}
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		if (b->next_bio == NULL) return(0);
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+
+	case BIO_CTRL_FLUSH:
+		if (b->next_bio == NULL) return(0);
+		if (ctx->obuf_len <= 0)
+			{
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+			break;
+			}
+
+		for (;;)
+			{
+			BIO_clear_retry_flags(b);
+			if (ctx->obuf_len > ctx->obuf_off)
+				{
+				r=BIO_write(b->next_bio,
+					&(ctx->obuf[ctx->obuf_off]),
+					ctx->obuf_len-ctx->obuf_off);
+#if 0
+fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r);
+#endif
+				BIO_copy_next_retry(b);
+				if (r <= 0) return((long)r);
+				ctx->obuf_off+=r;
+				}
+			else
+				{
+				ctx->obuf_len=0;
+				ctx->obuf_off=0;
+				ret=1;
+				break;
+				}
+			}
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+		if (	!BIO_set_read_buffer_size(dbio,ctx->ibuf_size) ||
+			!BIO_set_write_buffer_size(dbio,ctx->obuf_size))
+			ret=0;
+		break;
+	default:
+		if (b->next_bio == NULL) return(0);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+malloc_error:
+	BIOerr(BIO_F_BUFFER_CTRL,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
+
+static long buffer_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static int buffer_gets(BIO *b, char *buf, int size)
+	{
+	BIO_F_BUFFER_CTX *ctx;
+	int num=0,i,flag;
+	char *p;
+
+	ctx=(BIO_F_BUFFER_CTX *)b->ptr;
+	size--; /* reserve space for a '\0' */
+	BIO_clear_retry_flags(b);
+
+	for (;;)
+		{
+		if (ctx->ibuf_len > 0)
+			{
+			p= &(ctx->ibuf[ctx->ibuf_off]);
+			flag=0;
+			for (i=0; (i<ctx->ibuf_len) && (i<size); i++)
+				{
+				*(buf++)=p[i];
+				if (p[i] == '\n')
+					{
+					flag=1;
+					i++;
+					break;
+					}
+				}
+			num+=i;
+			size-=i;
+			ctx->ibuf_len-=i;
+			ctx->ibuf_off+=i;
+			if ((flag) || (i == size))
+				{
+				*buf='\0';
+				return(num);
+				}
+			}
+		else	/* read another chunk */
+			{
+			i=BIO_read(b->next_bio,ctx->ibuf,ctx->ibuf_size);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				if (i < 0) return((num > 0)?num:i);
+				if (i == 0) return(num);
+				}
+			ctx->ibuf_len=i;
+			ctx->ibuf_off=0;
+			}
+		}
+	}
+
+static int buffer_puts(BIO *b, char *str)
+	{
+	return(BIO_write(b,str,strlen(str)));
+	}
+
diff --git a/crypto/openssl/crypto/bio/bf_nbio.c b/crypto/openssl/crypto/bio/bf_nbio.c
new file mode 100644
index 0000000..5e574b7
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bf_nbio.c
@@ -0,0 +1,256 @@
+/* crypto/bio/bf_nbio.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+/* BIO_put and BIO_get both add to the digest,
+ * BIO_gets returns the digest */
+
+static int nbiof_write(BIO *h,char *buf,int num);
+static int nbiof_read(BIO *h,char *buf,int size);
+static int nbiof_puts(BIO *h,char *str);
+static int nbiof_gets(BIO *h,char *str,int size);
+static long nbiof_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int nbiof_new(BIO *h);
+static int nbiof_free(BIO *data);
+static long nbiof_callback_ctrl(BIO *h,int cmd,void (*fp)());
+typedef struct nbio_test_st
+	{
+	/* only set if we sent a 'should retry' error */
+	int lrn;
+	int lwn;
+	} NBIO_TEST;
+
+static BIO_METHOD methods_nbiof=
+	{
+	BIO_TYPE_NBIO_TEST,
+	"non-blocking IO test filter",
+	nbiof_write,
+	nbiof_read,
+	nbiof_puts,
+	nbiof_gets,
+	nbiof_ctrl,
+	nbiof_new,
+	nbiof_free,
+	nbiof_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_nbio_test(void)
+	{
+	return(&methods_nbiof);
+	}
+
+static int nbiof_new(BIO *bi)
+	{
+	NBIO_TEST *nt;
+
+	nt=(NBIO_TEST *)Malloc(sizeof(NBIO_TEST));
+	nt->lrn= -1;
+	nt->lwn= -1;
+	bi->ptr=(char *)nt;
+	bi->init=1;
+	bi->flags=0;
+	return(1);
+	}
+
+static int nbiof_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	if (a->ptr != NULL)
+		Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int nbiof_read(BIO *b, char *out, int outl)
+	{
+	NBIO_TEST *nt;
+	int ret=0;
+#if 0
+	int num;
+	unsigned char n;
+#endif
+
+	if (out == NULL) return(0);
+	if (b->next_bio == NULL) return(0);
+	nt=(NBIO_TEST *)b->ptr;
+
+	BIO_clear_retry_flags(b);
+#if 0
+	RAND_pseudo_bytes(&n,1);
+	num=(n&0x07);
+
+	if (outl > num) outl=num;
+
+	if (num == 0)
+		{
+		ret= -1;
+		BIO_set_retry_read(b);
+		}
+	else
+#endif
+		{
+		ret=BIO_read(b->next_bio,out,outl);
+		if (ret < 0)
+			BIO_copy_next_retry(b);
+		}
+	return(ret);
+	}
+
+static int nbiof_write(BIO *b, char *in, int inl)
+	{
+	NBIO_TEST *nt;
+	int ret=0;
+	int num;
+	unsigned char n;
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+	if (b->next_bio == NULL) return(0);
+	nt=(NBIO_TEST *)b->ptr;
+
+	BIO_clear_retry_flags(b);
+
+#if 1
+	if (nt->lwn > 0)
+		{
+		num=nt->lwn;
+		nt->lwn=0;
+		}
+	else
+		{
+		RAND_pseudo_bytes(&n,1);
+		num=(n&7);
+		}
+
+	if (inl > num) inl=num;
+
+	if (num == 0)
+		{
+		ret= -1;
+		BIO_set_retry_write(b);
+		}
+	else
+#endif
+		{
+		ret=BIO_write(b->next_bio,in,inl);
+		if (ret < 0)
+			{
+			BIO_copy_next_retry(b);
+			nt->lwn=inl;
+			}
+		}
+	return(ret);
+	}
+
+static long nbiof_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+        case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+	case BIO_CTRL_DUP:
+		ret=0L;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long nbiof_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static int nbiof_gets(BIO *bp, char *buf, int size)
+	{
+	if (bp->next_bio == NULL) return(0);
+	return(BIO_gets(bp->next_bio,buf,size));
+	}
+
+
+static int nbiof_puts(BIO *bp, char *str)
+	{
+	if (bp->next_bio == NULL) return(0);
+	return(BIO_puts(bp->next_bio,str));
+	}
+
+
diff --git a/crypto/openssl/crypto/bio/bf_null.c b/crypto/openssl/crypto/bio/bf_null.c
new file mode 100644
index 0000000..0d183a6
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bf_null.c
@@ -0,0 +1,184 @@
+/* crypto/bio/bf_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+/* BIO_put and BIO_get both add to the digest,
+ * BIO_gets returns the digest */
+
+static int nullf_write(BIO *h,char *buf,int num);
+static int nullf_read(BIO *h,char *buf,int size);
+static int nullf_puts(BIO *h,char *str);
+static int nullf_gets(BIO *h,char *str,int size);
+static long nullf_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int nullf_new(BIO *h);
+static int nullf_free(BIO *data);
+static long nullf_callback_ctrl(BIO *h,int cmd,void (*fp)());
+static BIO_METHOD methods_nullf=
+	{
+	BIO_TYPE_NULL_FILTER,
+	"NULL filter",
+	nullf_write,
+	nullf_read,
+	nullf_puts,
+	nullf_gets,
+	nullf_ctrl,
+	nullf_new,
+	nullf_free,
+	nullf_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_null(void)
+	{
+	return(&methods_nullf);
+	}
+
+static int nullf_new(BIO *bi)
+	{
+	bi->init=1;
+	bi->ptr=NULL;
+	bi->flags=0;
+	return(1);
+	}
+
+static int nullf_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+/*	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;*/
+	return(1);
+	}
+	
+static int nullf_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+ 
+	if (out == NULL) return(0);
+	if (b->next_bio == NULL) return(0);
+	ret=BIO_read(b->next_bio,out,outl);
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static int nullf_write(BIO *b, char *in, int inl)
+	{
+	int ret=0;
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+	if (b->next_bio == NULL) return(0);
+	ret=BIO_write(b->next_bio,in,inl);
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long nullf_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret;
+
+	if (b->next_bio == NULL) return(0);
+	switch(cmd)
+		{
+        case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+	case BIO_CTRL_DUP:
+		ret=0L;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		}
+	return(ret);
+	}
+
+static long nullf_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static int nullf_gets(BIO *bp, char *buf, int size)
+	{
+	if (bp->next_bio == NULL) return(0);
+	return(BIO_gets(bp->next_bio,buf,size));
+	}
+
+
+static int nullf_puts(BIO *bp, char *str)
+	{
+	if (bp->next_bio == NULL) return(0);
+	return(BIO_puts(bp->next_bio,str));
+	}
+
+
diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h
new file mode 100644
index 0000000..ebdb181
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bio.h
@@ -0,0 +1,667 @@
+/* crypto/bio/bio.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BIO_H
+#define HEADER_BIO_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/crypto.h>
+
+/* These are the 'types' of BIOs */
+#define BIO_TYPE_NONE		0
+#define BIO_TYPE_MEM		(1|0x0400)
+#define BIO_TYPE_FILE		(2|0x0400)
+
+#define BIO_TYPE_FD		(4|0x0400|0x0100)
+#define BIO_TYPE_SOCKET		(5|0x0400|0x0100)
+#define BIO_TYPE_NULL		(6|0x0400)
+#define BIO_TYPE_SSL		(7|0x0200)
+#define BIO_TYPE_MD		(8|0x0200)		/* passive filter */
+#define BIO_TYPE_BUFFER		(9|0x0200)		/* filter */
+#define BIO_TYPE_CIPHER		(10|0x0200)		/* filter */
+#define BIO_TYPE_BASE64		(11|0x0200)		/* filter */
+#define BIO_TYPE_CONNECT	(12|0x0400|0x0100)	/* socket - connect */
+#define BIO_TYPE_ACCEPT		(13|0x0400|0x0100)	/* socket for accept */
+#define BIO_TYPE_PROXY_CLIENT	(14|0x0200)		/* client proxy BIO */
+#define BIO_TYPE_PROXY_SERVER	(15|0x0200)		/* server proxy BIO */
+#define BIO_TYPE_NBIO_TEST	(16|0x0200)		/* server proxy BIO */
+#define BIO_TYPE_NULL_FILTER	(17|0x0200)
+#define BIO_TYPE_BER		(18|0x0200)		/* BER -> bin filter */
+#define BIO_TYPE_BIO		(19|0x0400)		/* (half a) BIO pair */
+
+#define BIO_TYPE_DESCRIPTOR	0x0100	/* socket, fd, connect or accept */
+#define BIO_TYPE_FILTER		0x0200
+#define BIO_TYPE_SOURCE_SINK	0x0400
+
+/* BIO_FILENAME_READ|BIO_CLOSE to open or close on free.
+ * BIO_set_fp(in,stdin,BIO_NOCLOSE); */
+#define BIO_NOCLOSE		0x00
+#define BIO_CLOSE		0x01
+
+/* These are used in the following macros and are passed to
+ * BIO_ctrl() */
+#define BIO_CTRL_RESET		1  /* opt - rewind/zero etc */
+#define BIO_CTRL_EOF		2  /* opt - are we at the eof */
+#define BIO_CTRL_INFO		3  /* opt - extra tit-bits */
+#define BIO_CTRL_SET		4  /* man - set the 'IO' type */
+#define BIO_CTRL_GET		5  /* man - get the 'IO' type */
+#define BIO_CTRL_PUSH		6  /* opt - internal, used to signify change */
+#define BIO_CTRL_POP		7  /* opt - internal, used to signify change */
+#define BIO_CTRL_GET_CLOSE	8  /* man - set the 'close' on free */
+#define BIO_CTRL_SET_CLOSE	9  /* man - set the 'close' on free */
+#define BIO_CTRL_PENDING	10  /* opt - is their more data buffered */
+#define BIO_CTRL_FLUSH		11  /* opt - 'flush' buffered output */
+#define BIO_CTRL_DUP		12  /* man - extra stuff for 'duped' BIO */
+#define BIO_CTRL_WPENDING	13  /* opt - number of bytes still to write */
+/* callback is int cb(BIO *bio,state,ret); */
+#define BIO_CTRL_SET_CALLBACK	14  /* opt - set callback function */
+#define BIO_CTRL_GET_CALLBACK	15  /* opt - set callback function */
+
+#define BIO_CTRL_SET_FILENAME	30	/* BIO_s_file special */
+
+/* modifiers */
+#define BIO_FP_READ		0x02
+#define BIO_FP_WRITE		0x04
+#define BIO_FP_APPEND		0x08
+#define BIO_FP_TEXT		0x10
+
+#define BIO_FLAGS_READ		0x01
+#define BIO_FLAGS_WRITE		0x02
+#define BIO_FLAGS_IO_SPECIAL	0x04
+#define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
+#define BIO_FLAGS_SHOULD_RETRY	0x08
+
+/* Used in BIO_gethostbyname() */
+#define BIO_GHBN_CTRL_HITS		1
+#define BIO_GHBN_CTRL_MISSES		2
+#define BIO_GHBN_CTRL_CACHE_SIZE	3
+#define BIO_GHBN_CTRL_GET_ENTRY		4
+#define BIO_GHBN_CTRL_FLUSH		5
+
+/* Mostly used in the SSL BIO */
+/* Not used anymore
+ * #define BIO_FLAGS_PROTOCOL_DELAYED_READ 0x10
+ * #define BIO_FLAGS_PROTOCOL_DELAYED_WRITE 0x20
+ * #define BIO_FLAGS_PROTOCOL_STARTUP	0x40
+ */
+
+#define BIO_FLAGS_BASE64_NO_NL	0x100
+
+/* This is used with memory BIOs: it means we shouldn't free up or change the
+ * data in any way.
+ */
+#define BIO_FLAGS_MEM_RDONLY	0x200
+
+#define BIO_set_flags(b,f) ((b)->flags|=(f))
+#define BIO_get_flags(b) ((b)->flags)
+#define BIO_set_retry_special(b) \
+		((b)->flags|=(BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY))
+#define BIO_set_retry_read(b) \
+		((b)->flags|=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY))
+#define BIO_set_retry_write(b) \
+		((b)->flags|=(BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY))
+
+/* These are normally used internally in BIOs */
+#define BIO_clear_flags(b,f) ((b)->flags&= ~(f))
+#define BIO_clear_retry_flags(b) \
+		((b)->flags&= ~(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY))
+#define BIO_get_retry_flags(b) \
+		((b)->flags&(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY))
+
+/* These should be used by the application to tell why we should retry */
+#define BIO_should_read(a)		((a)->flags & BIO_FLAGS_READ)
+#define BIO_should_write(a)		((a)->flags & BIO_FLAGS_WRITE)
+#define BIO_should_io_special(a)	((a)->flags & BIO_FLAGS_IO_SPECIAL)
+#define BIO_retry_type(a)		((a)->flags & BIO_FLAGS_RWS)
+#define BIO_should_retry(a)		((a)->flags & BIO_FLAGS_SHOULD_RETRY)
+
+/* The next two are used in conjunction with the
+ * BIO_should_io_special() condition.  After this returns true,
+ * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO 
+ * stack and return the 'reason' for the special and the offending BIO.
+ * Given a BIO, BIO_get_retry_reason(bio) will return the code. */
+/* Returned from the SSL bio when the certificate retrieval code had an error */
+#define BIO_RR_SSL_X509_LOOKUP		0x01
+/* Returned from the connect BIO when a connect would have blocked */
+#define BIO_RR_CONNECT			0x02
+
+/* These are passed by the BIO callback */
+#define BIO_CB_FREE	0x01
+#define BIO_CB_READ	0x02
+#define BIO_CB_WRITE	0x03
+#define BIO_CB_PUTS	0x04
+#define BIO_CB_GETS	0x05
+#define BIO_CB_CTRL	0x06
+
+/* The callback is called before and after the underling operation,
+ * The BIO_CB_RETURN flag indicates if it is after the call */
+#define BIO_CB_RETURN	0x80
+#define BIO_CB_return(a) ((a)|BIO_CB_RETURN))
+#define BIO_cb_pre(a)	(!((a)&BIO_CB_RETURN))
+#define BIO_cb_post(a)	((a)&BIO_CB_RETURN)
+
+#define BIO_set_callback(b,cb)		((b)->callback=(cb))
+#define BIO_set_callback_arg(b,arg)	((b)->cb_arg=(char *)(arg))
+#define BIO_get_callback_arg(b)		((b)->cb_arg)
+#define BIO_get_callback(b)		((b)->callback)
+#define BIO_method_name(b)		((b)->method->name)
+#define BIO_method_type(b)		((b)->method->type)
+
+#ifndef WIN16
+typedef struct bio_method_st
+	{
+	int type;
+	const char *name;
+	int (*bwrite)();
+	int (*bread)();
+	int (*bputs)();
+	int (*bgets)();
+	long (*ctrl)();
+	int (*create)();
+	int (*destroy)();
+	long (*callback_ctrl)();
+	} BIO_METHOD;
+#else
+typedef struct bio_method_st
+	{
+	int type;
+	const char *name;
+	int (_far *bwrite)();
+	int (_far *bread)();
+	int (_far *bputs)();
+	int (_far *bgets)();
+	long (_far *ctrl)();
+	int (_far *create)();
+	int (_far *destroy)();
+	long (_fat *callback_ctrl)();
+	} BIO_METHOD;
+#endif
+
+typedef struct bio_st
+	{
+	BIO_METHOD *method;
+	/* bio, mode, argp, argi, argl, ret */
+	long (*callback)(struct bio_st *,int,const char *,int, long,long);
+	char *cb_arg; /* first argument for the callback */
+
+	int init;
+	int shutdown;
+	int flags;	/* extra storage */
+	int retry_reason;
+	int num;
+	void *ptr;
+	struct bio_st *next_bio;	/* used by filter BIOs */
+	struct bio_st *prev_bio;	/* used by filter BIOs */
+	int references;
+	unsigned long num_read;
+	unsigned long num_write;
+
+	CRYPTO_EX_DATA ex_data;
+	} BIO;
+
+typedef struct bio_f_buffer_ctx_struct
+	{
+	/* BIO *bio; */ /* this is now in the BIO struct */
+	int ibuf_size;	/* how big is the input buffer */
+	int obuf_size;	/* how big is the output buffer */
+
+	char *ibuf;		/* the char array */
+	int ibuf_len;		/* how many bytes are in it */
+	int ibuf_off;		/* write/read offset */
+
+	char *obuf;		/* the char array */
+	int obuf_len;		/* how many bytes are in it */
+	int obuf_off;		/* write/read offset */
+	} BIO_F_BUFFER_CTX;
+
+/* connect BIO stuff */
+#define BIO_CONN_S_BEFORE		1
+#define BIO_CONN_S_GET_IP		2
+#define BIO_CONN_S_GET_PORT		3
+#define BIO_CONN_S_CREATE_SOCKET	4
+#define BIO_CONN_S_CONNECT		5
+#define BIO_CONN_S_OK			6
+#define BIO_CONN_S_BLOCKED_CONNECT	7
+#define BIO_CONN_S_NBIO			8
+/*#define BIO_CONN_get_param_hostname	BIO_ctrl */
+
+#define BIO_C_SET_CONNECT			100
+#define BIO_C_DO_STATE_MACHINE			101
+#define BIO_C_SET_NBIO				102
+#define BIO_C_SET_PROXY_PARAM			103
+#define BIO_C_SET_FD				104
+#define BIO_C_GET_FD				105
+#define BIO_C_SET_FILE_PTR			106
+#define BIO_C_GET_FILE_PTR			107
+#define BIO_C_SET_FILENAME			108
+#define BIO_C_SET_SSL				109
+#define BIO_C_GET_SSL				110
+#define BIO_C_SET_MD				111
+#define BIO_C_GET_MD				112
+#define BIO_C_GET_CIPHER_STATUS			113
+#define BIO_C_SET_BUF_MEM			114
+#define BIO_C_GET_BUF_MEM_PTR			115
+#define BIO_C_GET_BUFF_NUM_LINES		116
+#define BIO_C_SET_BUFF_SIZE			117
+#define BIO_C_SET_ACCEPT			118
+#define BIO_C_SSL_MODE				119
+#define BIO_C_GET_MD_CTX			120
+#define BIO_C_GET_PROXY_PARAM			121
+#define BIO_C_SET_BUFF_READ_DATA		122 /* data to read first */
+#define BIO_C_GET_CONNECT			123
+#define BIO_C_GET_ACCEPT			124
+#define BIO_C_SET_SSL_RENEGOTIATE_BYTES		125
+#define BIO_C_GET_SSL_NUM_RENEGOTIATES		126
+#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT	127
+#define BIO_C_FILE_SEEK				128
+#define BIO_C_GET_CIPHER_CTX			129
+#define BIO_C_SET_BUF_MEM_EOF_RETURN		130/*return end of input value*/
+#define BIO_C_SET_BIND_MODE			131
+#define BIO_C_GET_BIND_MODE			132
+#define BIO_C_FILE_TELL				133
+#define BIO_C_GET_SOCKS				134
+#define BIO_C_SET_SOCKS				135
+
+#define BIO_C_SET_WRITE_BUF_SIZE		136/* for BIO_s_bio */
+#define BIO_C_GET_WRITE_BUF_SIZE		137
+#define BIO_C_MAKE_BIO_PAIR			138
+#define BIO_C_DESTROY_BIO_PAIR			139
+#define BIO_C_GET_WRITE_GUARANTEE		140
+#define BIO_C_GET_READ_REQUEST			141
+#define BIO_C_SHUTDOWN_WR			142
+#define BIO_C_NREAD0				143
+#define BIO_C_NREAD				144
+#define BIO_C_NWRITE0				145
+#define BIO_C_NWRITE				146
+#define BIO_C_RESET_READ_REQUEST		147
+
+
+#define BIO_set_app_data(s,arg)		BIO_set_ex_data(s,0,arg)
+#define BIO_get_app_data(s)		BIO_get_ex_data(s,0)
+
+/* BIO_s_connect() and BIO_s_socks4a_connect() */
+#define BIO_set_conn_hostname(b,name) BIO_ctrl(b,BIO_C_SET_CONNECT,0,(char *)name)
+#define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1,(char *)port)
+#define BIO_set_conn_ip(b,ip)	  BIO_ctrl(b,BIO_C_SET_CONNECT,2,(char *)ip)
+#define BIO_set_conn_int_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,3,(char *)port)
+#define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
+#define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
+#define BIO_get_conn_ip(b,ip) BIO_ptr_ctrl(b,BIO_C_SET_CONNECT,2)
+#define BIO_get_conn_int_port(b,port) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,port)
+
+
+#define BIO_set_nbio(b,n)	BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
+
+/* BIO_s_accept_socket() */
+#define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
+#define BIO_get_accept_port(b)	BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
+/* #define BIO_set_nbio(b,n)	BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
+#define BIO_set_nbio_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,1,(n)?"a":NULL)
+#define BIO_set_accept_bios(b,bio) BIO_ctrl(b,BIO_C_SET_ACCEPT,2,(char *)bio)
+
+#define BIO_BIND_NORMAL			0
+#define BIO_BIND_REUSEADDR_IF_UNUSED	1
+#define BIO_BIND_REUSEADDR		2
+#define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
+#define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
+
+#define BIO_do_connect(b)	BIO_do_handshake(b)
+#define BIO_do_accept(b)	BIO_do_handshake(b)
+#define BIO_do_handshake(b)	BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
+
+/* BIO_s_proxy_client() */
+#define BIO_set_url(b,url)	BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,0,(char *)(url))
+#define BIO_set_proxies(b,p)	BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,1,(char *)(p))
+/* BIO_set_nbio(b,n) */
+#define BIO_set_filter_bio(b,s) BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,2,(char *)(s))
+/* BIO *BIO_get_filter_bio(BIO *bio); */
+#define BIO_set_proxy_cb(b,cb) BIO_callback_ctrl(b,BIO_C_SET_PROXY_PARAM,3,(void *(*cb)()))
+#define BIO_set_proxy_header(b,sk) BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,4,(char *)sk)
+#define BIO_set_no_connect_return(b,bool) BIO_int_ctrl(b,BIO_C_SET_PROXY_PARAM,5,bool)
+
+#define BIO_get_proxy_header(b,skp) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,0,(char *)skp)
+#define BIO_get_proxies(b,pxy_p) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,1,(char *)(pxy_p))
+#define BIO_get_url(b,url)	BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url))
+#define BIO_get_no_connect_return(b)	BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)
+
+#define BIO_set_fd(b,fd,c)	BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
+#define BIO_get_fd(b,c)		BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
+
+#define BIO_set_fp(b,fp,c)	BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
+#define BIO_get_fp(b,fpp)	BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)
+
+#define BIO_seek(b,ofs)	(int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
+#define BIO_tell(b)	(int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
+
+/* name is cast to lose const, but might be better to route through a function
+   so we can do it safely */
+#ifdef CONST_STRICT
+/* If you are wondering why this isn't defined, its because CONST_STRICT is
+ * purely a compile-time kludge to allow const to be checked.
+ */
+int BIO_read_filename(BIO *b,const char *name);
+#else
+#define BIO_read_filename(b,name) BIO_ctrl(b,BIO_C_SET_FILENAME, \
+		BIO_CLOSE|BIO_FP_READ,(char *)name)
+#endif
+#define BIO_write_filename(b,name) BIO_ctrl(b,BIO_C_SET_FILENAME, \
+		BIO_CLOSE|BIO_FP_WRITE,name)
+#define BIO_append_filename(b,name) BIO_ctrl(b,BIO_C_SET_FILENAME, \
+		BIO_CLOSE|BIO_FP_APPEND,name)
+#define BIO_rw_filename(b,name) BIO_ctrl(b,BIO_C_SET_FILENAME, \
+		BIO_CLOSE|BIO_FP_READ|BIO_FP_WRITE,name)
+
+/* WARNING WARNING, this ups the reference count on the read bio of the
+ * SSL structure.  This is because the ssl read BIO is now pointed to by
+ * the next_bio field in the bio.  So when you free the BIO, make sure
+ * you are doing a BIO_free_all() to catch the underlying BIO. */
+#define BIO_set_ssl(b,ssl,c)	BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl)
+#define BIO_get_ssl(b,sslp)	BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
+#define BIO_set_ssl_mode(b,client)	BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
+#define BIO_set_ssl_renegotiate_bytes(b,num) \
+	BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
+#define BIO_get_num_renegotiates(b) \
+	BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
+#define BIO_set_ssl_renegotiate_timeout(b,seconds) \
+	BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
+
+/* defined in evp.h */
+/* #define BIO_set_md(b,md)	BIO_ctrl(b,BIO_C_SET_MD,1,(char *)md) */
+
+#define BIO_get_mem_data(b,pp)	BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp)
+#define BIO_set_mem_buf(b,bm,c)	BIO_ctrl(b,BIO_C_SET_BUF_MEM,c,(char *)bm)
+#define BIO_get_mem_ptr(b,pp)	BIO_ctrl(b,BIO_C_GET_BUF_MEM_PTR,0,(char *)pp)
+#define BIO_set_mem_eof_return(b,v) \
+				BIO_ctrl(b,BIO_C_SET_BUF_MEM_EOF_RETURN,v,NULL)
+
+/* For the BIO_f_buffer() type */
+#define BIO_get_buffer_num_lines(b)	BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL)
+#define BIO_set_buffer_size(b,size)	BIO_ctrl(b,BIO_C_SET_BUFF_SIZE,size,NULL)
+#define BIO_set_read_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,0)
+#define BIO_set_write_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,1)
+#define BIO_set_buffer_read_data(b,buf,num) BIO_ctrl(b,BIO_C_SET_BUFF_READ_DATA,num,buf)
+
+/* Don't use the next one unless you know what you are doing :-) */
+#define BIO_dup_state(b,ret)	BIO_ctrl(b,BIO_CTRL_DUP,0,(char *)(ret))
+
+#define BIO_reset(b)		(int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL)
+#define BIO_eof(b)		(int)BIO_ctrl(b,BIO_CTRL_EOF,0,NULL)
+#define BIO_set_close(b,c)	(int)BIO_ctrl(b,BIO_CTRL_SET_CLOSE,(c),NULL)
+#define BIO_get_close(b)	(int)BIO_ctrl(b,BIO_CTRL_GET_CLOSE,0,NULL)
+#define BIO_pending(b)		(int)BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL)
+#define BIO_wpending(b)		(int)BIO_ctrl(b,BIO_CTRL_WPENDING,0,NULL)
+/* ...pending macros have inappropriate return type */
+size_t BIO_ctrl_pending(BIO *b);
+size_t BIO_ctrl_wpending(BIO *b);
+#define BIO_flush(b)		(int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)
+#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(void (**)())(cbp))
+#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,(void (*)())(cb))
+
+/* For the BIO_f_buffer() type */
+#define BIO_buffer_get_num_lines(b) BIO_ctrl(b,BIO_CTRL_GET,0,NULL)
+
+/* For BIO_s_bio() */
+#define BIO_set_write_buf_size(b,size) (int)BIO_ctrl(b,BIO_C_SET_WRITE_BUF_SIZE,size,NULL)
+#define BIO_get_write_buf_size(b,size) (size_t)BIO_ctrl(b,BIO_C_GET_WRITE_BUF_SIZE,size,NULL)
+#define BIO_make_bio_pair(b1,b2)   (int)BIO_ctrl(b1,BIO_C_MAKE_BIO_PAIR,0,b2)
+#define BIO_destroy_bio_pair(b)    (int)BIO_ctrl(b,BIO_C_DESTROY_BIO_PAIR,0,NULL)
+/* macros with inappropriate type -- but ...pending macros use int too: */
+#define BIO_get_write_guarantee(b) (int)BIO_ctrl(b,BIO_C_GET_WRITE_GUARANTEE,0,NULL)
+#define BIO_get_read_request(b)    (int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL)
+size_t BIO_ctrl_get_write_guarantee(BIO *b);
+size_t BIO_ctrl_get_read_request(BIO *b);
+int BIO_ctrl_reset_read_request(BIO *b);
+
+#ifdef NO_STDIO
+#define NO_FP_API
+#endif
+
+
+/* These two aren't currently implemented */
+/* int BIO_get_ex_num(BIO *bio); */
+/* void BIO_set_ex_free_func(BIO *bio,int idx,void (*cb)()); */
+int BIO_set_ex_data(BIO *bio,int idx,void *data);
+void *BIO_get_ex_data(BIO *bio,int idx);
+int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+unsigned long BIO_number_read(BIO *bio);
+unsigned long BIO_number_written(BIO *bio);
+
+#  if defined(WIN16) && defined(_WINDLL)
+BIO_METHOD *BIO_s_file_internal(void);
+BIO *BIO_new_file_internal(char *filename, char *mode);
+BIO *BIO_new_fp_internal(FILE *stream, int close_flag);
+#    define BIO_s_file	BIO_s_file_internal
+#    define BIO_new_file	BIO_new_file_internal
+#    define BIO_new_fp	BIO_new_fp_internal
+#  else /* FP_API */
+BIO_METHOD *BIO_s_file(void );
+BIO *BIO_new_file(const char *filename, const char *mode);
+BIO *BIO_new_fp(FILE *stream, int close_flag);
+#    define BIO_s_file_internal		BIO_s_file
+#    define BIO_new_file_internal	BIO_new_file
+#    define BIO_new_fp_internal		BIO_s_file
+#  endif /* FP_API */
+BIO *	BIO_new(BIO_METHOD *type);
+int	BIO_set(BIO *a,BIO_METHOD *type);
+int	BIO_free(BIO *a);
+int	BIO_read(BIO *b, void *data, int len);
+int	BIO_gets(BIO *bp,char *buf, int size);
+int	BIO_write(BIO *b, const void *data, int len);
+int	BIO_puts(BIO *bp,const char *buf);
+long	BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
+long	BIO_callback_ctrl(BIO *bp,int cmd,void (*fp)());
+char *	BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
+long	BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg);
+BIO *	BIO_push(BIO *b,BIO *append);
+BIO *	BIO_pop(BIO *b);
+void	BIO_free_all(BIO *a);
+BIO *	BIO_find_type(BIO *b,int bio_type);
+BIO *	BIO_get_retry_BIO(BIO *bio, int *reason);
+int	BIO_get_retry_reason(BIO *bio);
+BIO *	BIO_dup_chain(BIO *in);
+
+int BIO_nread0(BIO *bio, char **buf);
+int BIO_nread(BIO *bio, char **buf, int num);
+int BIO_nwrite0(BIO *bio, char **buf);
+int BIO_nwrite(BIO *bio, char **buf, int num);
+
+#ifndef WIN16
+long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
+	long argl,long ret);
+#else
+long _far _loadds BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
+	long argl,long ret);
+#endif
+
+BIO_METHOD *BIO_s_mem(void);
+BIO *BIO_new_mem_buf(void *buf, int len);
+BIO_METHOD *BIO_s_socket(void);
+BIO_METHOD *BIO_s_connect(void);
+BIO_METHOD *BIO_s_accept(void);
+BIO_METHOD *BIO_s_fd(void);
+BIO_METHOD *BIO_s_log(void);
+BIO_METHOD *BIO_s_bio(void);
+BIO_METHOD *BIO_s_null(void);
+BIO_METHOD *BIO_f_null(void);
+BIO_METHOD *BIO_f_buffer(void);
+BIO_METHOD *BIO_f_nbio_test(void);
+/* BIO_METHOD *BIO_f_ber(void); */
+
+int BIO_sock_should_retry(int i);
+int BIO_sock_non_fatal_error(int error);
+int BIO_fd_should_retry(int i);
+int BIO_fd_non_fatal_error(int error);
+int BIO_dump(BIO *b,const char *bytes,int len);
+
+struct hostent *BIO_gethostbyname(const char *name);
+/* We might want a thread-safe interface too:
+ * struct hostent *BIO_gethostbyname_r(const char *name,
+ *     struct hostent *result, void *buffer, size_t buflen);
+ * or something similar (caller allocates a struct hostent,
+ * pointed to by "result", and additional buffer space for the various
+ * substructures; if the buffer does not suffice, NULL is returned
+ * and an appropriate error code is set).
+ */
+int BIO_sock_error(int sock);
+int BIO_socket_ioctl(int fd, long type, unsigned long *arg);
+int BIO_socket_nbio(int fd,int mode);
+int BIO_get_port(const char *str, unsigned short *port_ptr);
+int BIO_get_host_ip(const char *str, unsigned char *ip);
+int BIO_get_accept_socket(char *host_port,int mode);
+int BIO_accept(int sock,char **ip_port);
+int BIO_sock_init(void );
+void BIO_sock_cleanup(void);
+int BIO_set_tcp_ndelay(int sock,int turn_on);
+
+void ERR_load_BIO_strings(void );
+
+BIO *BIO_new_socket(int sock, int close_flag);
+BIO *BIO_new_fd(int fd, int close_flag);
+BIO *BIO_new_connect(char *host_port);
+BIO *BIO_new_accept(char *host_port);
+
+int BIO_new_bio_pair(BIO **bio1, size_t writebuf1,
+	BIO **bio2, size_t writebuf2);
+/* If successful, returns 1 and in *bio1, *bio2 two BIO pair endpoints.
+ * Otherwise returns 0 and sets *bio1 and *bio2 to NULL.
+ * Size 0 uses default value.
+ */
+
+void BIO_copy_next_retry(BIO *b);
+
+long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);
+
+int BIO_printf(BIO *bio, ...);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the BIO functions. */
+
+/* Function codes. */
+#define BIO_F_ACPT_STATE				 100
+#define BIO_F_BIO_ACCEPT				 101
+#define BIO_F_BIO_BER_GET_HEADER			 102
+#define BIO_F_BIO_CTRL					 103
+#define BIO_F_BIO_GETHOSTBYNAME				 120
+#define BIO_F_BIO_GETS					 104
+#define BIO_F_BIO_GET_ACCEPT_SOCKET			 105
+#define BIO_F_BIO_GET_HOST_IP				 106
+#define BIO_F_BIO_GET_PORT				 107
+#define BIO_F_BIO_MAKE_PAIR				 121
+#define BIO_F_BIO_NEW					 108
+#define BIO_F_BIO_NEW_FILE				 109
+#define BIO_F_BIO_NEW_MEM_BUF				 126
+#define BIO_F_BIO_NREAD					 123
+#define BIO_F_BIO_NREAD0				 124
+#define BIO_F_BIO_NWRITE				 125
+#define BIO_F_BIO_NWRITE0				 122
+#define BIO_F_BIO_PUTS					 110
+#define BIO_F_BIO_READ					 111
+#define BIO_F_BIO_SOCK_INIT				 112
+#define BIO_F_BIO_WRITE					 113
+#define BIO_F_BUFFER_CTRL				 114
+#define BIO_F_CONN_CTRL					 127
+#define BIO_F_CONN_STATE				 115
+#define BIO_F_FILE_CTRL					 116
+#define BIO_F_MEM_WRITE					 117
+#define BIO_F_SSL_NEW					 118
+#define BIO_F_WSASTARTUP				 119
+
+/* Reason codes. */
+#define BIO_R_ACCEPT_ERROR				 100
+#define BIO_R_BAD_FOPEN_MODE				 101
+#define BIO_R_BAD_HOSTNAME_LOOKUP			 102
+#define BIO_R_BROKEN_PIPE				 124
+#define BIO_R_CONNECT_ERROR				 103
+#define BIO_R_ERROR_SETTING_NBIO			 104
+#define BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET	 105
+#define BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET	 106
+#define BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET		 107
+#define BIO_R_INVALID_ARGUMENT				 125
+#define BIO_R_INVALID_IP_ADDRESS			 108
+#define BIO_R_IN_USE					 123
+#define BIO_R_KEEPALIVE					 109
+#define BIO_R_NBIO_CONNECT_ERROR			 110
+#define BIO_R_NO_ACCEPT_PORT_SPECIFIED			 111
+#define BIO_R_NO_HOSTNAME_SPECIFIED			 112
+#define BIO_R_NO_PORT_DEFINED				 113
+#define BIO_R_NO_PORT_SPECIFIED				 114
+#define BIO_R_NULL_PARAMETER				 115
+#define BIO_R_TAG_MISMATCH				 116
+#define BIO_R_UNABLE_TO_BIND_SOCKET			 117
+#define BIO_R_UNABLE_TO_CREATE_SOCKET			 118
+#define BIO_R_UNABLE_TO_LISTEN_SOCKET			 119
+#define BIO_R_UNINITIALIZED				 120
+#define BIO_R_UNSUPPORTED_METHOD			 121
+#define BIO_R_WRITE_TO_READ_ONLY_BIO			 126
+#define BIO_R_WSASTARTUP				 122
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/bio/bio_cb.c b/crypto/openssl/crypto/bio/bio_cb.c
new file mode 100644
index 0000000..37c7c22
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bio_cb.c
@@ -0,0 +1,133 @@
+/* crypto/bio/bio_cb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
+	     int argi, long argl, long ret)
+	{
+	BIO *b;
+	MS_STATIC char buf[256];
+	char *p;
+	long r=1;
+
+	if (BIO_CB_RETURN & cmd)
+		r=ret;
+
+	sprintf(buf,"BIO[%08lX]:",(unsigned long)bio);
+	p= &(buf[14]);
+	switch (cmd)
+		{
+	case BIO_CB_FREE:
+		sprintf(p,"Free - %s\n",bio->method->name);
+		break;
+	case BIO_CB_READ:
+		if (bio->method->type & BIO_TYPE_DESCRIPTOR)
+			sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+		else
+			sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+		break;
+	case BIO_CB_WRITE:
+		if (bio->method->type & BIO_TYPE_DESCRIPTOR)
+			sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+		else
+			sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+		break;
+	case BIO_CB_PUTS:
+		sprintf(p,"puts() - %s\n",bio->method->name);
+		break;
+	case BIO_CB_GETS:
+		sprintf(p,"gets(%d) - %s\n",argi,bio->method->name);
+		break;
+	case BIO_CB_CTRL:
+		sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name);
+		break;
+	case BIO_CB_RETURN|BIO_CB_READ:
+		sprintf(p,"read return %ld\n",ret);
+		break;
+	case BIO_CB_RETURN|BIO_CB_WRITE:
+		sprintf(p,"write return %ld\n",ret);
+		break;
+	case BIO_CB_RETURN|BIO_CB_GETS:
+		sprintf(p,"gets return %ld\n",ret);
+		break;
+	case BIO_CB_RETURN|BIO_CB_PUTS:
+		sprintf(p,"puts return %ld\n",ret);
+		break;
+	case BIO_CB_RETURN|BIO_CB_CTRL:
+		sprintf(p,"ctrl return %ld\n",ret);
+		break;
+	default:
+		sprintf(p,"bio callback - unknown type (%d)\n",cmd);
+		break;
+		}
+
+	b=(BIO *)bio->cb_arg;
+	if (b != NULL)
+		BIO_write(b,buf,strlen(buf));
+#if !defined(NO_STDIO) && !defined(WIN16)
+	else
+		fputs(buf,stderr);
+#endif
+	return(r);
+	}
diff --git a/crypto/openssl/crypto/bio/bio_err.c b/crypto/openssl/crypto/bio/bio_err.c
new file mode 100644
index 0000000..f38e7b9
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bio_err.c
@@ -0,0 +1,147 @@
+/* crypto/bio/bio_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA BIO_str_functs[]=
+	{
+{ERR_PACK(0,BIO_F_ACPT_STATE,0),	"ACPT_STATE"},
+{ERR_PACK(0,BIO_F_BIO_ACCEPT,0),	"BIO_accept"},
+{ERR_PACK(0,BIO_F_BIO_BER_GET_HEADER,0),	"BIO_BER_GET_HEADER"},
+{ERR_PACK(0,BIO_F_BIO_CTRL,0),	"BIO_ctrl"},
+{ERR_PACK(0,BIO_F_BIO_GETHOSTBYNAME,0),	"BIO_gethostbyname"},
+{ERR_PACK(0,BIO_F_BIO_GETS,0),	"BIO_gets"},
+{ERR_PACK(0,BIO_F_BIO_GET_ACCEPT_SOCKET,0),	"BIO_get_accept_socket"},
+{ERR_PACK(0,BIO_F_BIO_GET_HOST_IP,0),	"BIO_get_host_ip"},
+{ERR_PACK(0,BIO_F_BIO_GET_PORT,0),	"BIO_get_port"},
+{ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0),	"BIO_MAKE_PAIR"},
+{ERR_PACK(0,BIO_F_BIO_NEW,0),	"BIO_new"},
+{ERR_PACK(0,BIO_F_BIO_NEW_FILE,0),	"BIO_new_file"},
+{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0),	"BIO_new_mem_buf"},
+{ERR_PACK(0,BIO_F_BIO_NREAD,0),	"BIO_nread"},
+{ERR_PACK(0,BIO_F_BIO_NREAD0,0),	"BIO_nread0"},
+{ERR_PACK(0,BIO_F_BIO_NWRITE,0),	"BIO_nwrite"},
+{ERR_PACK(0,BIO_F_BIO_NWRITE0,0),	"BIO_nwrite0"},
+{ERR_PACK(0,BIO_F_BIO_PUTS,0),	"BIO_puts"},
+{ERR_PACK(0,BIO_F_BIO_READ,0),	"BIO_read"},
+{ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0),	"BIO_sock_init"},
+{ERR_PACK(0,BIO_F_BIO_WRITE,0),	"BIO_write"},
+{ERR_PACK(0,BIO_F_BUFFER_CTRL,0),	"BUFFER_CTRL"},
+{ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
+{ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
+{ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
+{ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
+{ERR_PACK(0,BIO_F_SSL_NEW,0),	"SSL_new"},
+{ERR_PACK(0,BIO_F_WSASTARTUP,0),	"WSASTARTUP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA BIO_str_reasons[]=
+	{
+{BIO_R_ACCEPT_ERROR                      ,"accept error"},
+{BIO_R_BAD_FOPEN_MODE                    ,"bad fopen mode"},
+{BIO_R_BAD_HOSTNAME_LOOKUP               ,"bad hostname lookup"},
+{BIO_R_BROKEN_PIPE                       ,"broken pipe"},
+{BIO_R_CONNECT_ERROR                     ,"connect error"},
+{BIO_R_ERROR_SETTING_NBIO                ,"error setting nbio"},
+{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET,"error setting nbio on accepted socket"},
+{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET,"error setting nbio on accept socket"},
+{BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET ,"gethostbyname addr is not af inet"},
+{BIO_R_INVALID_ARGUMENT                  ,"invalid argument"},
+{BIO_R_INVALID_IP_ADDRESS                ,"invalid ip address"},
+{BIO_R_IN_USE                            ,"in use"},
+{BIO_R_KEEPALIVE                         ,"keepalive"},
+{BIO_R_NBIO_CONNECT_ERROR                ,"nbio connect error"},
+{BIO_R_NO_ACCEPT_PORT_SPECIFIED          ,"no accept port specified"},
+{BIO_R_NO_HOSTNAME_SPECIFIED             ,"no hostname specified"},
+{BIO_R_NO_PORT_DEFINED                   ,"no port defined"},
+{BIO_R_NO_PORT_SPECIFIED                 ,"no port specified"},
+{BIO_R_NULL_PARAMETER                    ,"null parameter"},
+{BIO_R_TAG_MISMATCH                      ,"tag mismatch"},
+{BIO_R_UNABLE_TO_BIND_SOCKET             ,"unable to bind socket"},
+{BIO_R_UNABLE_TO_CREATE_SOCKET           ,"unable to create socket"},
+{BIO_R_UNABLE_TO_LISTEN_SOCKET           ,"unable to listen socket"},
+{BIO_R_UNINITIALIZED                     ,"uninitialized"},
+{BIO_R_UNSUPPORTED_METHOD                ,"unsupported method"},
+{BIO_R_WRITE_TO_READ_ONLY_BIO            ,"write to read only bio"},
+{BIO_R_WSASTARTUP                        ,"wsastartup"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_BIO_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_BIO,BIO_str_functs);
+		ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c
new file mode 100644
index 0000000..e88dcc8
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bio_lib.c
@@ -0,0 +1,534 @@
+/* crypto/bio/bio_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/stack.h>
+
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
+static int bio_meth_num=0;
+
+BIO *BIO_new(BIO_METHOD *method)
+	{
+	BIO *ret=NULL;
+
+	ret=(BIO *)Malloc(sizeof(BIO));
+	if (ret == NULL)
+		{
+		BIOerr(BIO_F_BIO_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	if (!BIO_set(ret,method))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	return(ret);
+	}
+
+int BIO_set(BIO *bio, BIO_METHOD *method)
+	{
+	bio->method=method;
+	bio->callback=NULL;
+	bio->cb_arg=NULL;
+	bio->init=0;
+	bio->shutdown=1;
+	bio->flags=0;
+	bio->retry_reason=0;
+	bio->num=0;
+	bio->ptr=NULL;
+	bio->prev_bio=NULL;
+	bio->next_bio=NULL;
+	bio->references=1;
+	bio->num_read=0L;
+	bio->num_write=0L;
+	CRYPTO_new_ex_data(bio_meth,bio,&bio->ex_data);
+	if (method->create != NULL)
+		if (!method->create(bio))
+			return(0);
+	return(1);
+	}
+
+int BIO_free(BIO *a)
+	{
+	int ret=0,i;
+
+	if (a == NULL) return(0);
+
+	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_BIO);
+#ifdef REF_PRINT
+	REF_PRINT("BIO",a);
+#endif
+	if (i > 0) return(1);
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"BIO_free, bad reference count\n");
+		abort();
+		}
+#endif
+	if ((a->callback != NULL) &&
+		((i=(int)a->callback(a,BIO_CB_FREE,NULL,0,0L,1L)) <= 0))
+			return(i);
+
+	CRYPTO_free_ex_data(bio_meth,a,&a->ex_data);
+
+	if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
+	ret=a->method->destroy(a);
+	Free(a);
+	return(1);
+	}
+
+int BIO_read(BIO *b, void *out, int outl)
+	{
+	int i;
+	long (*cb)();
+
+	if ((b == NULL) || (b->method == NULL) || (b->method->bread == NULL))
+		{
+		BIOerr(BIO_F_BIO_READ,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+	if ((cb != NULL) &&
+		((i=(int)cb(b,BIO_CB_READ,out,outl,0L,1L)) <= 0))
+			return(i);
+
+	if (!b->init)
+		{
+		BIOerr(BIO_F_BIO_READ,BIO_R_UNINITIALIZED);
+		return(-2);
+		}
+
+	i=b->method->bread(b,out,outl);
+
+	if (i > 0) b->num_read+=(unsigned long)i;
+
+	if (cb != NULL)
+		i=(int)cb(b,BIO_CB_READ|BIO_CB_RETURN,out,outl,
+			0L,(long)i);
+	return(i);
+	}
+
+int BIO_write(BIO *b, const void *in, int inl)
+	{
+	int i;
+	long (*cb)();
+
+	if (b == NULL)
+		return(0);
+
+	cb=b->callback;
+	if ((b->method == NULL) || (b->method->bwrite == NULL))
+		{
+		BIOerr(BIO_F_BIO_WRITE,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	if ((cb != NULL) &&
+		((i=(int)cb(b,BIO_CB_WRITE,in,inl,0L,1L)) <= 0))
+			return(i);
+
+	if (!b->init)
+		{
+		BIOerr(BIO_F_BIO_WRITE,BIO_R_UNINITIALIZED);
+		return(-2);
+		}
+
+	i=b->method->bwrite(b,in,inl);
+
+	if (i > 0) b->num_write+=(unsigned long)i;
+
+	/* This is evil and not thread safe.  If the BIO has been freed,
+	 * we must not call the callback.  The only way to be able to
+	 * determine this is the reference count which is now invalid since
+	 * the memory has been free()ed.
+	 */
+	if (b->references <= 0) abort();
+	if (cb != NULL) /* && (b->references >= 1)) */
+		i=(int)cb(b,BIO_CB_WRITE|BIO_CB_RETURN,in,inl,
+			0L,(long)i);
+	return(i);
+	}
+
+int BIO_puts(BIO *b, const char *in)
+	{
+	int i;
+	long (*cb)();
+
+	if ((b == NULL) || (b->method == NULL) || (b->method->bputs == NULL))
+		{
+		BIOerr(BIO_F_BIO_PUTS,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+
+	if ((cb != NULL) &&
+		((i=(int)cb(b,BIO_CB_PUTS,in,0,0L,1L)) <= 0))
+			return(i);
+
+	if (!b->init)
+		{
+		BIOerr(BIO_F_BIO_PUTS,BIO_R_UNINITIALIZED);
+		return(-2);
+		}
+
+	i=b->method->bputs(b,in);
+
+	if (cb != NULL)
+		i=(int)cb(b,BIO_CB_PUTS|BIO_CB_RETURN,in,0,
+			0L,(long)i);
+	return(i);
+	}
+
+int BIO_gets(BIO *b, char *in, int inl)
+	{
+	int i;
+	long (*cb)();
+
+	if ((b == NULL) || (b->method == NULL) || (b->method->bgets == NULL))
+		{
+		BIOerr(BIO_F_BIO_GETS,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+
+	if ((cb != NULL) &&
+		((i=(int)cb(b,BIO_CB_GETS,in,inl,0L,1L)) <= 0))
+			return(i);
+
+	if (!b->init)
+		{
+		BIOerr(BIO_F_BIO_GETS,BIO_R_UNINITIALIZED);
+		return(-2);
+		}
+
+	i=b->method->bgets(b,in,inl);
+
+	if (cb != NULL)
+		i=(int)cb(b,BIO_CB_GETS|BIO_CB_RETURN,in,inl,
+			0L,(long)i);
+	return(i);
+	}
+
+long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg)
+	{
+	int i;
+
+	i=iarg;
+	return(BIO_ctrl(b,cmd,larg,(char *)&i));
+	}
+
+char *BIO_ptr_ctrl(BIO *b, int cmd, long larg)
+	{
+	char *p=NULL;
+
+	if (BIO_ctrl(b,cmd,larg,(char *)&p) <= 0)
+		return(NULL);
+	else
+		return(p);
+	}
+
+long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)
+	{
+	long ret;
+	long (*cb)();
+
+	if (b == NULL) return(0);
+
+	if ((b->method == NULL) || (b->method->ctrl == NULL))
+		{
+		BIOerr(BIO_F_BIO_CTRL,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+
+	if ((cb != NULL) &&
+		((ret=cb(b,BIO_CB_CTRL,parg,cmd,larg,1L)) <= 0))
+		return(ret);
+
+	ret=b->method->ctrl(b,cmd,larg,parg);
+
+	if (cb != NULL)
+		ret=cb(b,BIO_CB_CTRL|BIO_CB_RETURN,parg,cmd,
+			larg,ret);
+	return(ret);
+	}
+
+long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret;
+	long (*cb)();
+
+	if (b == NULL) return(0);
+
+	if ((b->method == NULL) || (b->method->callback_ctrl == NULL))
+		{
+		BIOerr(BIO_F_BIO_CTRL,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+
+	if ((cb != NULL) &&
+		((ret=cb(b,BIO_CB_CTRL,(void *)&fp,cmd,0,1L)) <= 0))
+		return(ret);
+
+	ret=b->method->callback_ctrl(b,cmd,fp);
+
+	if (cb != NULL)
+		ret=cb(b,BIO_CB_CTRL|BIO_CB_RETURN,(void *)&fp,cmd,
+			0,ret);
+	return(ret);
+	}
+
+/* It is unfortunate to duplicate in functions what the BIO_(w)pending macros
+ * do; but those macros have inappropriate return type, and for interfacing
+ * from other programming languages, C macros aren't much of a help anyway. */
+size_t BIO_ctrl_pending(BIO *bio)
+	{
+	return BIO_ctrl(bio, BIO_CTRL_PENDING, 0, NULL);
+	}
+
+size_t BIO_ctrl_wpending(BIO *bio)
+	{
+	return BIO_ctrl(bio, BIO_CTRL_WPENDING, 0, NULL);
+	}
+
+
+/* put the 'bio' on the end of b's list of operators */
+BIO *BIO_push(BIO *b, BIO *bio)
+	{
+	BIO *lb;
+
+	if (b == NULL) return(bio);
+	lb=b;
+	while (lb->next_bio != NULL)
+		lb=lb->next_bio;
+	lb->next_bio=bio;
+	if (bio != NULL)
+		bio->prev_bio=lb;
+	/* called to do internal processing */
+	BIO_ctrl(b,BIO_CTRL_PUSH,0,NULL);
+	return(b);
+	}
+
+/* Remove the first and return the rest */
+BIO *BIO_pop(BIO *b)
+	{
+	BIO *ret;
+
+	if (b == NULL) return(NULL);
+	ret=b->next_bio;
+
+	if (b->prev_bio != NULL)
+		b->prev_bio->next_bio=b->next_bio;
+	if (b->next_bio != NULL)
+		b->next_bio->prev_bio=b->prev_bio;
+
+	b->next_bio=NULL;
+	b->prev_bio=NULL;
+	BIO_ctrl(b,BIO_CTRL_POP,0,NULL);
+	return(ret);
+	}
+
+BIO *BIO_get_retry_BIO(BIO *bio, int *reason)
+	{
+	BIO *b,*last;
+
+	b=last=bio;
+	for (;;)
+		{
+		if (!BIO_should_retry(b)) break;
+		last=b;
+		b=b->next_bio;
+		if (b == NULL) break;
+		}
+	if (reason != NULL) *reason=last->retry_reason;
+	return(last);
+	}
+
+int BIO_get_retry_reason(BIO *bio)
+	{
+	return(bio->retry_reason);
+	}
+
+BIO *BIO_find_type(BIO *bio, int type)
+	{
+	int mt,mask;
+
+	mask=type&0xff;
+	do	{
+		if (bio->method != NULL)
+			{
+			mt=bio->method->type;
+
+			if (!mask)
+				{
+				if (mt & type) return(bio);
+				}
+			else if (mt == type)
+				return(bio);
+			}
+		bio=bio->next_bio;
+		} while (bio != NULL);
+	return(NULL);
+	}
+
+void BIO_free_all(BIO *bio)
+	{
+	BIO *b;
+	int ref;
+
+	while (bio != NULL)
+		{
+		b=bio;
+		ref=b->references;
+		bio=bio->next_bio;
+		BIO_free(b);
+		/* Since ref count > 1, don't free anyone else. */
+		if (ref > 1) break;
+		}
+	}
+
+BIO *BIO_dup_chain(BIO *in)
+	{
+	BIO *ret=NULL,*eoc=NULL,*bio,*new;
+
+	for (bio=in; bio != NULL; bio=bio->next_bio)
+		{
+		if ((new=BIO_new(bio->method)) == NULL) goto err;
+		new->callback=bio->callback;
+		new->cb_arg=bio->cb_arg;
+		new->init=bio->init;
+		new->shutdown=bio->shutdown;
+		new->flags=bio->flags;
+
+		/* This will let SSL_s_sock() work with stdin/stdout */
+		new->num=bio->num;
+
+		if (!BIO_dup_state(bio,(char *)new))
+			{
+			BIO_free(new);
+			goto err;
+			}
+
+		/* copy app data */
+		if (!CRYPTO_dup_ex_data(bio_meth,&new->ex_data,&bio->ex_data))
+			goto err;
+
+		if (ret == NULL)
+			{
+			eoc=new;
+			ret=eoc;
+			}
+		else
+			{
+			BIO_push(eoc,new);
+			eoc=new;
+			}
+		}
+	return(ret);
+err:
+	if (ret != NULL)
+		BIO_free(ret);
+	return(NULL);	
+	}
+
+void BIO_copy_next_retry(BIO *b)
+	{
+	BIO_set_flags(b,BIO_get_retry_flags(b->next_bio));
+	b->retry_reason=b->next_bio->retry_reason;
+	}
+
+int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+	{
+	bio_meth_num++;
+	return(CRYPTO_get_ex_new_index(bio_meth_num-1,&bio_meth,
+		argl,argp,new_func,dup_func,free_func));
+	}
+
+int BIO_set_ex_data(BIO *bio, int idx, void *data)
+	{
+	return(CRYPTO_set_ex_data(&(bio->ex_data),idx,data));
+	}
+
+void *BIO_get_ex_data(BIO *bio, int idx)
+	{
+	return(CRYPTO_get_ex_data(&(bio->ex_data),idx));
+	}
+
+unsigned long BIO_number_read(BIO *bio)
+{
+	if(bio) return bio->num_read;
+	return 0;
+}
+
+unsigned long BIO_number_written(BIO *bio)
+{
+	if(bio) return bio->num_write;
+	return 0;
+}
diff --git a/crypto/openssl/crypto/bio/bss_acpt.c b/crypto/openssl/crypto/bio/bss_acpt.c
new file mode 100644
index 0000000..9afa636
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_acpt.c
@@ -0,0 +1,467 @@
+/* crypto/bio/bss_acpt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SOCK
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#ifdef WIN16
+#define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
+#else
+#define SOCKET_PROTOCOL IPPROTO_TCP
+#endif
+
+#if (defined(VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#undef FIONBIO
+#endif
+
+typedef struct bio_accept_st
+	{
+	int state;
+	char *param_addr;
+
+	int accept_sock;
+	int accept_nbio;
+
+	char *addr;
+	int nbio;
+	/* If 0, it means normal, if 1, do a connect on bind failure,
+	 * and if there is no-one listening, bind with SO_REUSEADDR.
+	 * If 2, always use SO_REUSEADDR. */
+	int bind_mode;
+	BIO *bio_chain;
+	} BIO_ACCEPT;
+
+static int acpt_write(BIO *h,char *buf,int num);
+static int acpt_read(BIO *h,char *buf,int size);
+static int acpt_puts(BIO *h,char *str);
+static long acpt_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int acpt_new(BIO *h);
+static int acpt_free(BIO *data);
+static int acpt_state(BIO *b, BIO_ACCEPT *c);
+static void acpt_close_socket(BIO *data);
+BIO_ACCEPT *BIO_ACCEPT_new(void );
+void BIO_ACCEPT_free(BIO_ACCEPT *a);
+
+#define ACPT_S_BEFORE			1
+#define ACPT_S_GET_ACCEPT_SOCKET	2
+#define ACPT_S_OK			3
+
+static BIO_METHOD methods_acceptp=
+	{
+	BIO_TYPE_ACCEPT,
+	"socket accept",
+	acpt_write,
+	acpt_read,
+	acpt_puts,
+	NULL, /* connect_gets, */
+	acpt_ctrl,
+	acpt_new,
+	acpt_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_accept(void)
+	{
+	return(&methods_acceptp);
+	}
+
+static int acpt_new(BIO *bi)
+	{
+	BIO_ACCEPT *ba;
+
+	bi->init=0;
+	bi->num=INVALID_SOCKET;
+	bi->flags=0;
+	if ((ba=BIO_ACCEPT_new()) == NULL)
+		return(0);
+	bi->ptr=(char *)ba;
+	ba->state=ACPT_S_BEFORE;
+	bi->shutdown=1;
+	return(1);
+	}
+
+BIO_ACCEPT *BIO_ACCEPT_new(void)
+	{
+	BIO_ACCEPT *ret;
+
+	if ((ret=(BIO_ACCEPT *)Malloc(sizeof(BIO_ACCEPT))) == NULL)
+		return(NULL);
+
+	memset(ret,0,sizeof(BIO_ACCEPT));
+	ret->accept_sock=INVALID_SOCKET;
+	ret->bind_mode=BIO_BIND_NORMAL;
+	return(ret);
+	}
+
+void BIO_ACCEPT_free(BIO_ACCEPT *a)
+	{
+	if(a == NULL)
+	    return;
+
+	if (a->param_addr != NULL) Free(a->param_addr);
+	if (a->addr != NULL) Free(a->addr);
+	if (a->bio_chain != NULL) BIO_free(a->bio_chain);
+	Free(a);
+	}
+
+static void acpt_close_socket(BIO *bio)
+	{
+	BIO_ACCEPT *c;
+
+	c=(BIO_ACCEPT *)bio->ptr;
+	if (c->accept_sock != INVALID_SOCKET)
+		{
+		shutdown(c->accept_sock,2);
+		closesocket(c->accept_sock);
+		c->accept_sock=INVALID_SOCKET;
+		bio->num=INVALID_SOCKET;
+		}
+	}
+
+static int acpt_free(BIO *a)
+	{
+	BIO_ACCEPT *data;
+
+	if (a == NULL) return(0);
+	data=(BIO_ACCEPT *)a->ptr;
+	 
+	if (a->shutdown)
+		{
+		acpt_close_socket(a);
+		BIO_ACCEPT_free(data);
+		a->ptr=NULL;
+		a->flags=0;
+		a->init=0;
+		}
+	return(1);
+	}
+	
+static int acpt_state(BIO *b, BIO_ACCEPT *c)
+	{
+	BIO *bio=NULL,*dbio;
+	int s= -1;
+	int i;
+
+again:
+	switch (c->state)
+		{
+	case ACPT_S_BEFORE:
+		if (c->param_addr == NULL)
+			{
+			BIOerr(BIO_F_ACPT_STATE,BIO_R_NO_ACCEPT_PORT_SPECIFIED);
+			return(-1);
+			}
+		s=BIO_get_accept_socket(c->param_addr,c->bind_mode);
+		if (s == INVALID_SOCKET)
+			return(-1);
+
+		if (c->accept_nbio)
+			{
+			if (!BIO_socket_nbio(s,1))
+				{
+				closesocket(s);
+				BIOerr(BIO_F_ACPT_STATE,BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET);
+				return(-1);
+				}
+			}
+		c->accept_sock=s;
+		b->num=s;
+		c->state=ACPT_S_GET_ACCEPT_SOCKET;
+		return(1);
+		/* break; */
+	case ACPT_S_GET_ACCEPT_SOCKET:
+		if (b->next_bio != NULL)
+			{
+			c->state=ACPT_S_OK;
+			goto again;
+			}
+		i=BIO_accept(c->accept_sock,&(c->addr));
+		if (i < 0) return(i);
+		bio=BIO_new_socket(i,BIO_CLOSE);
+		if (bio == NULL) goto err;
+
+		BIO_set_callback(bio,BIO_get_callback(b));
+		BIO_set_callback_arg(bio,BIO_get_callback_arg(b));
+
+		if (c->nbio)
+			{
+			if (!BIO_socket_nbio(i,1))
+				{
+				BIOerr(BIO_F_ACPT_STATE,BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET);
+				goto err;
+				}
+			}
+
+		/* If the accept BIO has an bio_chain, we dup it and
+		 * put the new socket at the end. */
+		if (c->bio_chain != NULL)
+			{
+			if ((dbio=BIO_dup_chain(c->bio_chain)) == NULL)
+				goto err;
+			if (!BIO_push(dbio,bio)) goto err;
+			bio=dbio;
+			}
+		if (BIO_push(b,bio) == NULL) goto err;
+
+		c->state=ACPT_S_OK;
+		return(1);
+err:
+		if (bio != NULL)
+			BIO_free(bio);
+		else if (s >= 0)
+			closesocket(s);
+		return(0);
+		/* break; */
+	case ACPT_S_OK:
+		if (b->next_bio == NULL)
+			{
+			c->state=ACPT_S_GET_ACCEPT_SOCKET;
+			goto again;
+			}
+		return(1);
+		/* break; */
+	default:	
+		return(0);
+		/* break; */
+		}
+
+	}
+
+static int acpt_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+	BIO_ACCEPT *data;
+
+	BIO_clear_retry_flags(b);
+	data=(BIO_ACCEPT *)b->ptr;
+
+	while (b->next_bio == NULL)
+		{
+		ret=acpt_state(b,data);
+		if (ret <= 0) return(ret);
+		}
+
+	ret=BIO_read(b->next_bio,out,outl);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static int acpt_write(BIO *b, char *in, int inl)
+	{
+	int ret;
+	BIO_ACCEPT *data;
+
+	BIO_clear_retry_flags(b);
+	data=(BIO_ACCEPT *)b->ptr;
+
+	while (b->next_bio == NULL)
+		{
+		ret=acpt_state(b,data);
+		if (ret <= 0) return(ret);
+		}
+
+	ret=BIO_write(b->next_bio,in,inl);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long acpt_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO *dbio;
+	int *ip;
+	long ret=1;
+	BIO_ACCEPT *data;
+	char **pp;
+
+	data=(BIO_ACCEPT *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ret=0;
+		data->state=ACPT_S_BEFORE;
+		acpt_close_socket(b);
+		b->flags=0;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		/* use this one to start the connection */
+		ret=(long)acpt_state(b,data);
+		break;
+	case BIO_C_SET_ACCEPT:
+		if (ptr != NULL)
+			{
+			if (num == 0)
+				{
+				b->init=1;
+				if (data->param_addr != NULL)
+					Free(data->param_addr);
+				data->param_addr=BUF_strdup(ptr);
+				}
+			else if (num == 1)
+				{
+				data->accept_nbio=(ptr != NULL);
+				}
+			else if (num == 2)
+				{
+				if (data->bio_chain != NULL)
+					BIO_free(data->bio_chain);
+				data->bio_chain=(BIO *)ptr;
+				}
+			}
+		break;
+	case BIO_C_SET_NBIO:
+		data->nbio=(int)num;
+		break;
+	case BIO_C_SET_FD:
+		b->init=1;
+		b->num= *((int *)ptr);
+		data->accept_sock=b->num;
+		data->state=ACPT_S_GET_ACCEPT_SOCKET;
+		b->shutdown=(int)num;
+		b->init=1;
+		break;
+	case BIO_C_GET_FD:
+		if (b->init)
+			{
+			ip=(int *)ptr;
+			if (ip != NULL)
+				*ip=data->accept_sock;
+			ret=data->accept_sock;
+			}
+		else
+			ret= -1;
+		break;
+	case BIO_C_GET_ACCEPT:
+		if (b->init)
+			{
+			if (ptr != NULL)
+				{
+				pp=(char **)ptr;
+				*pp=data->param_addr;
+				}
+			else
+				ret= -1;
+			}
+		else
+			ret= -1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+		ret=0;
+		break;
+	case BIO_CTRL_FLUSH:
+		break;
+	case BIO_C_SET_BIND_MODE:
+		data->bind_mode=(int)num;
+		break;
+	case BIO_C_GET_BIND_MODE:
+		ret=(long)data->bind_mode;
+		break;
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+/*		if (data->param_port) EAY EAY
+			BIO_set_port(dbio,data->param_port);
+		if (data->param_hostname)
+			BIO_set_hostname(dbio,data->param_hostname);
+		BIO_set_nbio(dbio,data->nbio); */
+		break;
+
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int acpt_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=acpt_write(bp,str,n);
+	return(ret);
+	}
+
+BIO *BIO_new_accept(char *str)
+	{
+	BIO *ret;
+
+	ret=BIO_new(BIO_s_accept());
+	if (ret == NULL) return(NULL);
+	if (BIO_set_accept_port(ret,str))
+		return(ret);
+	else
+		{
+		BIO_free(ret);
+		return(NULL);
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/bio/bss_bio.c b/crypto/openssl/crypto/bio/bss_bio.c
new file mode 100644
index 0000000..1e2d749
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_bio.c
@@ -0,0 +1,857 @@
+/* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+
+/* Special method for a BIO where the other endpoint is also a BIO
+ * of this kind, handled by the same thread (i.e. the "peer" is actually
+ * ourselves, wearing a different hat).
+ * Such "BIO pairs" are mainly for using the SSL library with I/O interfaces
+ * for which no specific BIO method is available.
+ * See ssl/ssltest.c for some hints on how this can be used. */
+
+#ifndef BIO_PAIR_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+#include "openssl/e_os.h"
+#ifndef SSIZE_MAX
+# define SSIZE_MAX INT_MAX
+#endif
+
+static int bio_new(BIO *bio);
+static int bio_free(BIO *bio);
+static int bio_read(BIO *bio, char *buf, int size);
+static int bio_write(BIO *bio, char *buf, int num);
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr);
+static int bio_puts(BIO *bio, char *str);
+
+static int bio_make_pair(BIO *bio1, BIO *bio2);
+static void bio_destroy_pair(BIO *bio);
+
+static BIO_METHOD methods_biop =
+{
+	BIO_TYPE_BIO,
+	"BIO pair",
+	bio_write,
+	bio_read,
+	bio_puts,
+	NULL /* no bio_gets */,
+	bio_ctrl,
+	bio_new,
+	bio_free,
+	NULL /* no bio_callback_ctrl */
+};
+
+BIO_METHOD *BIO_s_bio(void)
+	{
+	return &methods_biop;
+	}
+
+struct bio_bio_st
+{
+	BIO *peer;     /* NULL if buf == NULL.
+	                * If peer != NULL, then peer->ptr is also a bio_bio_st,
+	                * and its "peer" member points back to us.
+	                * peer != NULL iff init != 0 in the BIO. */
+	
+	/* This is for what we write (i.e. reading uses peer's struct): */
+	int closed;     /* valid iff peer != NULL */
+	size_t len;     /* valid iff buf != NULL; 0 if peer == NULL */
+	size_t offset;  /* valid iff buf != NULL; 0 if len == 0 */
+	size_t size;
+	char *buf;      /* "size" elements (if != NULL) */
+
+	size_t request; /* valid iff peer != NULL; 0 if len != 0,
+	                 * otherwise set by peer to number of bytes
+	                 * it (unsuccessfully) tried to read,
+	                 * never more than buffer space (size-len) warrants. */
+};
+
+static int bio_new(BIO *bio)
+	{
+	struct bio_bio_st *b;
+	
+	b = Malloc(sizeof *b);
+	if (b == NULL)
+		return 0;
+
+	b->peer = NULL;
+	b->size = 17*1024; /* enough for one TLS record (just a default) */
+	b->buf = NULL;
+
+	bio->ptr = b;
+	return 1;
+	}
+
+
+static int bio_free(BIO *bio)
+	{
+	struct bio_bio_st *b;
+
+	if (bio == NULL)
+		return 0;
+	b = bio->ptr;
+
+	assert(b != NULL);
+
+	if (b->peer)
+		bio_destroy_pair(bio);
+	
+	if (b->buf != NULL)
+		{
+		Free(b->buf);
+		}
+
+	Free(b);
+
+	return 1;
+	}
+
+
+
+static int bio_read(BIO *bio, char *buf, int size_)
+	{
+	size_t size = size_;
+	size_t rest;
+	struct bio_bio_st *b, *peer_b;
+
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init)
+		return 0;
+
+	b = bio->ptr;
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	peer_b = b->peer->ptr;
+	assert(peer_b != NULL);
+	assert(peer_b->buf != NULL);
+
+	peer_b->request = 0; /* will be set in "retry_read" situation */
+
+	if (buf == NULL || size == 0)
+		return 0;
+
+	if (peer_b->len == 0)
+		{
+		if (peer_b->closed)
+			return 0; /* writer has closed, and no data is left */
+		else
+			{
+			BIO_set_retry_read(bio); /* buffer is empty */
+			if (size <= peer_b->size)
+				peer_b->request = size;
+			else
+				/* don't ask for more than the peer can
+				 * deliver in one write */
+				peer_b->request = peer_b->size;
+			return -1;
+			}
+		}
+
+	/* we can read */
+	if (peer_b->len < size)
+		size = peer_b->len;
+
+	/* now read "size" bytes */
+	
+	rest = size;
+	
+	assert(rest > 0);
+	do /* one or two iterations */
+		{
+		size_t chunk;
+		
+		assert(rest <= peer_b->len);
+		if (peer_b->offset + rest <= peer_b->size)
+			chunk = rest;
+		else
+			/* wrap around ring buffer */
+			chunk = peer_b->size - peer_b->offset;
+		assert(peer_b->offset + chunk <= peer_b->size);
+		
+		memcpy(buf, peer_b->buf + peer_b->offset, chunk);
+		
+		peer_b->len -= chunk;
+		if (peer_b->len)
+			{
+			peer_b->offset += chunk;
+			assert(peer_b->offset <= peer_b->size);
+			if (peer_b->offset == peer_b->size)
+				peer_b->offset = 0;
+			buf += chunk;
+			}
+		else
+			{
+			/* buffer now empty, no need to advance "buf" */
+			assert(chunk == rest);
+			peer_b->offset = 0;
+			}
+		rest -= chunk;
+		}
+	while (rest);
+	
+	return size;
+	}
+
+/* non-copying interface: provide pointer to available data in buffer
+ *    bio_nread0:  return number of available bytes
+ *    bio_nread:   also advance index
+ * (example usage:  bio_nread0(), read from buffer, bio_nread()
+ *  or just         bio_nread(), read from buffer)
+ */
+/* WARNING: The non-copying interface is largely untested as of yet
+ * and may contain bugs. */
+static ssize_t bio_nread0(BIO *bio, char **buf)
+	{
+	struct bio_bio_st *b, *peer_b;
+	ssize_t num;
+	
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init)
+		return 0;
+	
+	b = bio->ptr;
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	peer_b = b->peer->ptr;
+	assert(peer_b != NULL);
+	assert(peer_b->buf != NULL);
+	
+	peer_b->request = 0;
+	
+	if (peer_b->len == 0)
+		{
+		char dummy;
+		
+		/* avoid code duplication -- nothing available for reading */
+		return bio_read(bio, &dummy, 1); /* returns 0 or -1 */
+		}
+
+	num = peer_b->len;
+	if (peer_b->size < peer_b->offset + num)
+		/* no ring buffer wrap-around for non-copying interface */
+		num = peer_b->size - peer_b->offset;
+	assert(num > 0);
+
+	if (buf != NULL)
+		*buf = peer_b->buf + peer_b->offset;
+	return num;
+	}
+
+static ssize_t bio_nread(BIO *bio, char **buf, size_t num_)
+	{
+	struct bio_bio_st *b, *peer_b;
+	ssize_t num, available;
+
+	if (num_ > SSIZE_MAX)
+		num = SSIZE_MAX;
+	else
+		num = (ssize_t)num_;
+
+	available = bio_nread0(bio, buf);
+	if (num > available)
+		num = available;
+	if (num <= 0)
+		return num;
+
+	b = bio->ptr;
+	peer_b = b->peer->ptr;
+
+	peer_b->len -= num;
+	if (peer_b->len) 
+		{
+		peer_b->offset += num;
+		assert(peer_b->offset <= peer_b->size);
+		if (peer_b->offset == peer_b->size)
+			peer_b->offset = 0;
+		}
+	else
+		peer_b->offset = 0;
+
+	return num;
+	}
+
+
+static int bio_write(BIO *bio, char *buf, int num_)
+	{
+	size_t num = num_;
+	size_t rest;
+	struct bio_bio_st *b;
+
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init || buf == NULL || num == 0)
+		return 0;
+
+	b = bio->ptr;		
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	assert(b->buf != NULL);
+
+	b->request = 0;
+	if (b->closed)
+		{
+		/* we already closed */
+		BIOerr(BIO_F_BIO_WRITE, BIO_R_BROKEN_PIPE);
+		return -1;
+		}
+
+	assert(b->len <= b->size);
+
+	if (b->len == b->size)
+		{
+		BIO_set_retry_write(bio); /* buffer is full */
+		return -1;
+		}
+
+	/* we can write */
+	if (num > b->size - b->len)
+		num = b->size - b->len;
+	
+	/* now write "num" bytes */
+
+	rest = num;
+	
+	assert(rest > 0);
+	do /* one or two iterations */
+		{
+		size_t write_offset;
+		size_t chunk;
+
+		assert(b->len + rest <= b->size);
+
+		write_offset = b->offset + b->len;
+		if (write_offset >= b->size)
+			write_offset -= b->size;
+		/* b->buf[write_offset] is the first byte we can write to. */
+
+		if (write_offset + rest <= b->size)
+			chunk = rest;
+		else
+			/* wrap around ring buffer */
+			chunk = b->size - write_offset;
+		
+		memcpy(b->buf + write_offset, buf, chunk);
+		
+		b->len += chunk;
+
+		assert(b->len <= b->size);
+		
+		rest -= chunk;
+		buf += chunk;
+		}
+	while (rest);
+
+	return num;
+	}
+
+/* non-copying interface: provide pointer to region to write to
+ *   bio_nwrite0:  check how much space is available
+ *   bio_nwrite:   also increase length
+ * (example usage:  bio_nwrite0(), write to buffer, bio_nwrite()
+ *  or just         bio_nwrite(), write to buffer)
+ */
+static ssize_t bio_nwrite0(BIO *bio, char **buf)
+	{
+	struct bio_bio_st *b;
+	size_t num;
+	size_t write_offset;
+
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init)
+		return 0;
+
+	b = bio->ptr;		
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	assert(b->buf != NULL);
+
+	b->request = 0;
+	if (b->closed)
+		{
+		BIOerr(BIO_F_BIO_NWRITE0, BIO_R_BROKEN_PIPE);
+		return -1;
+		}
+
+	assert(b->len <= b->size);
+
+	if (b->len == b->size)
+		{
+		BIO_set_retry_write(bio);
+		return -1;
+		}
+
+	num = b->size - b->len;
+	write_offset = b->offset + b->len;
+	if (write_offset >= b->size)
+		write_offset -= b->size;
+	if (write_offset + num > b->size)
+		/* no ring buffer wrap-around for non-copying interface
+		 * (to fulfil the promise by BIO_ctrl_get_write_guarantee,
+		 * BIO_nwrite may have to be called twice) */
+		num = b->size - write_offset;
+
+	if (buf != NULL)
+		*buf = b->buf + write_offset;
+	assert(write_offset + num <= b->size);
+
+	return num;
+	}
+
+static ssize_t bio_nwrite(BIO *bio, char **buf, size_t num_)
+	{
+	struct bio_bio_st *b;
+	ssize_t num, space;
+
+	if (num_ > SSIZE_MAX)
+		num = SSIZE_MAX;
+	else
+		num = (ssize_t)num_;
+
+	space = bio_nwrite0(bio, buf);
+	if (num > space)
+		num = space;
+	if (num <= 0)
+		return num;
+	b = bio->ptr;
+	assert(b != NULL);
+	b->len += num;
+	assert(b->len <= b->size);
+
+	return num;
+	}
+
+
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
+	{
+	long ret;
+	struct bio_bio_st *b = bio->ptr;
+	
+	assert(b != NULL);
+
+	switch (cmd)
+		{
+	/* specific CTRL codes */
+
+	case BIO_C_SET_WRITE_BUF_SIZE:
+		if (b->peer)
+			{
+			BIOerr(BIO_F_BIO_CTRL, BIO_R_IN_USE);
+			ret = 0;
+			}
+		else if (num == 0)
+			{
+			BIOerr(BIO_F_BIO_CTRL, BIO_R_INVALID_ARGUMENT);
+			ret = 0;
+			}
+		else
+			{
+			size_t new_size = num;
+
+			if (b->size != new_size)
+				{
+				if (b->buf) 
+					{
+					Free(b->buf);
+					b->buf = NULL;
+					}
+				b->size = new_size;
+				}
+			ret = 1;
+			}
+		break;
+
+	case BIO_C_GET_WRITE_BUF_SIZE:
+		num = (long) b->size;
+
+	case BIO_C_MAKE_BIO_PAIR:
+		{
+		BIO *other_bio = ptr;
+		
+		if (bio_make_pair(bio, other_bio))
+			ret = 1;
+		else
+			ret = 0;
+		}
+		break;
+		
+	case BIO_C_DESTROY_BIO_PAIR:
+		/* Effects both BIOs in the pair -- call just once!
+		 * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
+		bio_destroy_pair(bio);
+		ret = 1;
+		break;
+
+	case BIO_C_GET_WRITE_GUARANTEE:
+		/* How many bytes can the caller feed to the next write
+		 * without having to keep any? */
+		if (b->peer == NULL || b->closed)
+			ret = 0;
+		else
+			ret = (long) b->size - b->len;
+		break;
+
+	case BIO_C_GET_READ_REQUEST:
+		/* If the peer unsuccessfully tried to read, how many bytes
+		 * were requested?  (As with BIO_CTRL_PENDING, that number
+		 * can usually be treated as boolean.) */
+		ret = (long) b->request;
+		break;
+
+	case BIO_C_RESET_READ_REQUEST:
+		/* Reset request.  (Can be useful after read attempts
+		 * at the other side that are meant to be non-blocking,
+		 * e.g. when probing SSL_read to see if any data is
+		 * available.) */
+		b->request = 0;
+		ret = 1;
+		break;
+
+	case BIO_C_SHUTDOWN_WR:
+		/* similar to shutdown(..., SHUT_WR) */
+		b->closed = 1;
+		ret = 1;
+		break;
+
+	case BIO_C_NREAD0:
+		/* prepare for non-copying read */
+		ret = (long) bio_nread0(bio, ptr);
+		break;
+		
+	case BIO_C_NREAD:
+		/* non-copying read */
+		ret = (long) bio_nread(bio, ptr, (size_t) num);
+		break;
+		
+	case BIO_C_NWRITE0:
+		/* prepare for non-copying write */
+		ret = (long) bio_nwrite0(bio, ptr);
+		break;
+
+	case BIO_C_NWRITE:
+		/* non-copying write */
+		ret = (long) bio_nwrite(bio, ptr, (size_t) num);
+		break;
+		
+
+	/* standard CTRL codes follow */
+
+	case BIO_CTRL_RESET:
+		if (b->buf != NULL)
+			{
+			b->len = 0;
+			b->offset = 0;
+			}
+		ret = 0;
+		break;		
+
+	case BIO_CTRL_GET_CLOSE:
+		ret = bio->shutdown;
+		break;
+
+	case BIO_CTRL_SET_CLOSE:
+		bio->shutdown = (int) num;
+		ret = 1;
+		break;
+
+	case BIO_CTRL_PENDING:
+		if (b->peer != NULL)
+			{
+			struct bio_bio_st *peer_b = b->peer->ptr;
+			
+			ret = (long) peer_b->len;
+			}
+		else
+			ret = 0;
+		break;
+
+	case BIO_CTRL_WPENDING:
+		if (b->buf != NULL)
+			ret = (long) b->len;
+		else
+			ret = 0;
+		break;
+
+	case BIO_CTRL_DUP:
+		/* See BIO_dup_chain for circumstances we have to expect. */
+		{
+		BIO *other_bio = ptr;
+		struct bio_bio_st *other_b;
+		
+		assert(other_bio != NULL);
+		other_b = other_bio->ptr;
+		assert(other_b != NULL);
+		
+		assert(other_b->buf == NULL); /* other_bio is always fresh */
+
+		other_b->size = b->size;
+		}
+
+		ret = 1;
+		break;
+
+	case BIO_CTRL_FLUSH:
+		ret = 1;
+		break;
+
+	case BIO_CTRL_EOF:
+		{
+		BIO *other_bio = ptr;
+		
+		if (other_bio)
+			{
+			struct bio_bio_st *other_b = other_bio->ptr;
+			
+			assert(other_b != NULL);
+			ret = other_b->len == 0 && other_b->closed;
+			}
+		else
+			ret = 1;
+		}
+		break;
+
+	default:
+		ret = 0;
+		}
+	return ret;
+	}
+
+static int bio_puts(BIO *bio, char *str)
+	{
+	return bio_write(bio, str, strlen(str));
+	}
+
+
+static int bio_make_pair(BIO *bio1, BIO *bio2)
+	{
+	struct bio_bio_st *b1, *b2;
+
+	assert(bio1 != NULL);
+	assert(bio2 != NULL);
+
+	b1 = bio1->ptr;
+	b2 = bio2->ptr;
+	
+	if (b1->peer != NULL || b2->peer != NULL)
+		{
+		BIOerr(BIO_F_BIO_MAKE_PAIR, BIO_R_IN_USE);
+		return 0;
+		}
+	
+	if (b1->buf == NULL)
+		{
+		b1->buf = Malloc(b1->size);
+		if (b1->buf == NULL)
+			{
+			BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		b1->len = 0;
+		b1->offset = 0;
+		}
+	
+	if (b2->buf == NULL)
+		{
+		b2->buf = Malloc(b2->size);
+		if (b2->buf == NULL)
+			{
+			BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		b2->len = 0;
+		b2->offset = 0;
+		}
+	
+	b1->peer = bio2;
+	b1->closed = 0;
+	b1->request = 0;
+	b2->peer = bio1;
+	b2->closed = 0;
+	b2->request = 0;
+
+	bio1->init = 1;
+	bio2->init = 1;
+
+	return 1;
+	}
+
+static void bio_destroy_pair(BIO *bio)
+	{
+	struct bio_bio_st *b = bio->ptr;
+
+	if (b != NULL)
+		{
+		BIO *peer_bio = b->peer;
+
+		if (peer_bio != NULL)
+			{
+			struct bio_bio_st *peer_b = peer_bio->ptr;
+
+			assert(peer_b != NULL);
+			assert(peer_b->peer == bio);
+
+			peer_b->peer = NULL;
+			peer_bio->init = 0;
+			assert(peer_b->buf != NULL);
+			peer_b->len = 0;
+			peer_b->offset = 0;
+			
+			b->peer = NULL;
+			bio->init = 0;
+			assert(b->buf != NULL);
+			b->len = 0;
+			b->offset = 0;
+			}
+		}
+	}
+ 
+
+/* Exported convenience functions */
+int BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1,
+	BIO **bio2_p, size_t writebuf2)
+	 {
+	 BIO *bio1 = NULL, *bio2 = NULL;
+	 long r;
+	 int ret = 0;
+
+	 bio1 = BIO_new(BIO_s_bio());
+	 if (bio1 == NULL)
+		 goto err;
+	 bio2 = BIO_new(BIO_s_bio());
+	 if (bio2 == NULL)
+		 goto err;
+
+	 if (writebuf1)
+		 {
+		 r = BIO_set_write_buf_size(bio1, writebuf1);
+		 if (!r)
+			 goto err;
+		 }
+	 if (writebuf2)
+		 {
+		 r = BIO_set_write_buf_size(bio2, writebuf2);
+		 if (!r)
+			 goto err;
+		 }
+
+	 r = BIO_make_bio_pair(bio1, bio2);
+	 if (!r)
+		 goto err;
+	 ret = 1;
+
+ err:
+	 if (ret == 0)
+		 {
+		 if (bio1)
+			 {
+			 BIO_free(bio1);
+			 bio1 = NULL;
+			 }
+		 if (bio2)
+			 {
+			 BIO_free(bio2);
+			 bio2 = NULL;
+			 }
+		 }
+
+	 *bio1_p = bio1;
+	 *bio2_p = bio2;
+	 return ret;
+	 }
+
+size_t BIO_ctrl_get_write_guarantee(BIO *bio)
+	{
+	return BIO_ctrl(bio, BIO_C_GET_WRITE_GUARANTEE, 0, NULL);
+	}
+
+size_t BIO_ctrl_get_read_request(BIO *bio)
+	{
+	return BIO_ctrl(bio, BIO_C_GET_READ_REQUEST, 0, NULL);
+	}
+
+int BIO_ctrl_reset_read_request(BIO *bio)
+	{
+	return (BIO_ctrl(bio, BIO_C_RESET_READ_REQUEST, 0, NULL) != 0);
+	}
+
+
+/* BIO_nread0/nread/nwrite0/nwrite are available only for BIO pairs for now
+ * (conceivably some other BIOs could allow non-copying reads and writes too.)
+ */
+int BIO_nread0(BIO *bio, char **buf)
+	{
+	long ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NREAD0, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NREAD0, 0, buf);
+	if (ret > INT_MAX)
+		return INT_MAX;
+	else
+		return (int) ret;
+	}
+
+int BIO_nread(BIO *bio, char **buf, int num)
+	{
+	int ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NREAD, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = (int) BIO_ctrl(bio, BIO_C_NREAD, num, buf);
+	if (ret > 0)
+		bio->num_read += ret;
+	return ret;
+	}
+
+int BIO_nwrite0(BIO *bio, char **buf)
+	{
+	long ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NWRITE0, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NWRITE0, 0, buf);
+	if (ret > INT_MAX)
+		return INT_MAX;
+	else
+		return (int) ret;
+	}
+
+int BIO_nwrite(BIO *bio, char **buf, int num)
+	{
+	int ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NWRITE, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NWRITE, num, buf);
+	if (ret > 0)
+		bio->num_read += ret;
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/bio/bss_conn.c b/crypto/openssl/crypto/bio/bss_conn.c
new file mode 100644
index 0000000..22d00b3
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_conn.c
@@ -0,0 +1,650 @@
+/* crypto/bio/bss_conn.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SOCK
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#ifdef WIN16
+#define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
+#else
+#define SOCKET_PROTOCOL IPPROTO_TCP
+#endif
+
+#if (defined(VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#undef FIONBIO
+#endif
+
+
+typedef struct bio_connect_st
+	{
+	int state;
+
+	char *param_hostname;
+	char *param_port;
+	int nbio;
+
+	unsigned char ip[4];
+	unsigned short port;
+
+	struct sockaddr_in them;
+
+	/* int socket; this will be kept in bio->num so that it is
+	 * compatible with the bss_sock bio */ 
+
+	/* called when the connection is initially made
+	 *  callback(BIO,state,ret);  The callback should return
+	 * 'ret'.  state is for compatibility with the ssl info_callback */
+	int (*info_callback)();
+	} BIO_CONNECT;
+
+static int conn_write(BIO *h,char *buf,int num);
+static int conn_read(BIO *h,char *buf,int size);
+static int conn_puts(BIO *h,char *str);
+static long conn_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int conn_new(BIO *h);
+static int conn_free(BIO *data);
+static long conn_callback_ctrl(BIO *h,int cmd,void *(*fp)());
+
+static int conn_state(BIO *b, BIO_CONNECT *c);
+static void conn_close_socket(BIO *data);
+BIO_CONNECT *BIO_CONNECT_new(void );
+void BIO_CONNECT_free(BIO_CONNECT *a);
+
+static BIO_METHOD methods_connectp=
+	{
+	BIO_TYPE_CONNECT,
+	"socket connect",
+	conn_write,
+	conn_read,
+	conn_puts,
+	NULL, /* connect_gets, */
+	conn_ctrl,
+	conn_new,
+	conn_free,
+	conn_callback_ctrl,
+	};
+
+static int conn_state(BIO *b, BIO_CONNECT *c)
+	{
+	int ret= -1,i;
+	unsigned long l;
+	char *p,*q;
+	int (*cb)()=NULL;
+
+	if (c->info_callback != NULL)
+		cb=c->info_callback;
+
+	for (;;)
+		{
+		switch (c->state)
+			{
+		case BIO_CONN_S_BEFORE:
+			p=c->param_hostname;
+			if (p == NULL)
+				{
+				BIOerr(BIO_F_CONN_STATE,BIO_R_NO_HOSTNAME_SPECIFIED);
+				goto exit_loop;
+				}
+			for ( ; *p != '\0'; p++)
+				{
+				if ((*p == ':') || (*p == '/')) break;
+				}
+
+			i= *p;
+			if ((i == ':') || (i == '/'))
+				{
+
+				*(p++)='\0';
+				if (i == ':')
+					{
+					for (q=p; *q; q++)
+						if (*q == '/')
+							{
+							*q='\0';
+							break;
+							}
+					if (c->param_port != NULL)
+						Free(c->param_port);
+					c->param_port=BUF_strdup(p);
+					}
+				}
+
+			if (c->param_port == NULL)
+				{
+				BIOerr(BIO_F_CONN_STATE,BIO_R_NO_PORT_SPECIFIED);
+				ERR_add_error_data(2,"host=",c->param_hostname);
+				goto exit_loop;
+				}
+			c->state=BIO_CONN_S_GET_IP;
+			break;
+
+		case BIO_CONN_S_GET_IP:
+			if (BIO_get_host_ip(c->param_hostname,&(c->ip[0])) <= 0)
+				goto exit_loop;
+			c->state=BIO_CONN_S_GET_PORT;
+			break;
+
+		case BIO_CONN_S_GET_PORT:
+			if (c->param_port == NULL)
+				{
+				abort();
+				goto exit_loop;
+				}
+			else if (BIO_get_port(c->param_port,&c->port) <= 0)
+				goto exit_loop;
+			c->state=BIO_CONN_S_CREATE_SOCKET;
+			break;
+
+		case BIO_CONN_S_CREATE_SOCKET:
+			/* now setup address */
+			memset((char *)&c->them,0,sizeof(c->them));
+			c->them.sin_family=AF_INET;
+			c->them.sin_port=htons((unsigned short)c->port);
+			l=(unsigned long)
+				((unsigned long)c->ip[0]<<24L)|
+				((unsigned long)c->ip[1]<<16L)|
+				((unsigned long)c->ip[2]<< 8L)|
+				((unsigned long)c->ip[3]);
+			c->them.sin_addr.s_addr=htonl(l);
+			c->state=BIO_CONN_S_CREATE_SOCKET;
+
+			ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+			if (ret == INVALID_SOCKET)
+				{
+				SYSerr(SYS_F_SOCKET,get_last_socket_error());
+				ERR_add_error_data(4,"host=",c->param_hostname,
+					":",c->param_port);
+				BIOerr(BIO_F_CONN_STATE,BIO_R_UNABLE_TO_CREATE_SOCKET);
+				goto exit_loop;
+				}
+			b->num=ret;
+			c->state=BIO_CONN_S_NBIO;
+			break;
+
+		case BIO_CONN_S_NBIO:
+			if (c->nbio)
+				{
+				if (!BIO_socket_nbio(b->num,1))
+					{
+					BIOerr(BIO_F_CONN_STATE,BIO_R_ERROR_SETTING_NBIO);
+					ERR_add_error_data(4,"host=",
+						c->param_hostname,
+						":",c->param_port);
+					goto exit_loop;
+					}
+				}
+			c->state=BIO_CONN_S_CONNECT;
+
+#ifdef SO_KEEPALIVE
+			i=1;
+			i=setsockopt(b->num,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+			if (i < 0)
+				{
+				SYSerr(SYS_F_SOCKET,get_last_socket_error());
+				ERR_add_error_data(4,"host=",c->param_hostname,
+					":",c->param_port);
+				BIOerr(BIO_F_CONN_STATE,BIO_R_KEEPALIVE);
+				goto exit_loop;
+				}
+#endif
+			break;
+
+		case BIO_CONN_S_CONNECT:
+			BIO_clear_retry_flags(b);
+			ret=connect(b->num,
+				(struct sockaddr *)&c->them,
+				sizeof(c->them));
+			b->retry_reason=0;
+			if (ret < 0)
+				{
+				if (BIO_sock_should_retry(ret))
+					{
+					BIO_set_retry_special(b);
+					c->state=BIO_CONN_S_BLOCKED_CONNECT;
+					b->retry_reason=BIO_RR_CONNECT;
+					}
+				else
+					{
+					SYSerr(SYS_F_CONNECT,get_last_socket_error());
+					ERR_add_error_data(4,"host=",
+						c->param_hostname,
+						":",c->param_port);
+					BIOerr(BIO_F_CONN_STATE,BIO_R_CONNECT_ERROR);
+					}
+				goto exit_loop;
+				}
+			else
+				c->state=BIO_CONN_S_OK;
+			break;
+
+		case BIO_CONN_S_BLOCKED_CONNECT:
+			i=BIO_sock_error(b->num);
+			if (i)
+				{
+				BIO_clear_retry_flags(b);
+				SYSerr(SYS_F_CONNECT,i);
+				ERR_add_error_data(4,"host=",
+					c->param_hostname,
+					":",c->param_port);
+				BIOerr(BIO_F_CONN_STATE,BIO_R_NBIO_CONNECT_ERROR);
+				ret=0;
+				goto exit_loop;
+				}
+			else
+				c->state=BIO_CONN_S_OK;
+			break;
+
+		case BIO_CONN_S_OK:
+			ret=1;
+			goto exit_loop;
+		default:
+			abort();
+			goto exit_loop;
+			}
+
+		if (cb != NULL)
+			{
+			if (!(ret=cb((BIO *)b,c->state,ret)))
+				goto end;
+			}
+		}
+
+	/* Loop does not exit */
+exit_loop:
+	if (cb != NULL)
+		ret=cb((BIO *)b,c->state,ret);
+end:
+	return(ret);
+	}
+
+BIO_CONNECT *BIO_CONNECT_new(void)
+	{
+	BIO_CONNECT *ret;
+
+	if ((ret=(BIO_CONNECT *)Malloc(sizeof(BIO_CONNECT))) == NULL)
+		return(NULL);
+	ret->state=BIO_CONN_S_BEFORE;
+	ret->param_hostname=NULL;
+	ret->param_port=NULL;
+	ret->info_callback=NULL;
+	ret->nbio=0;
+	ret->ip[0]=0;
+	ret->ip[1]=0;
+	ret->ip[2]=0;
+	ret->ip[3]=0;
+	ret->port=0;
+	memset((char *)&ret->them,0,sizeof(ret->them));
+	return(ret);
+	}
+
+void BIO_CONNECT_free(BIO_CONNECT *a)
+	{
+	if(a == NULL)
+	    return;
+
+	if (a->param_hostname != NULL)
+		Free(a->param_hostname);
+	if (a->param_port != NULL)
+		Free(a->param_port);
+	Free(a);
+	}
+
+BIO_METHOD *BIO_s_connect(void)
+	{
+	return(&methods_connectp);
+	}
+
+static int conn_new(BIO *bi)
+	{
+	bi->init=0;
+	bi->num=INVALID_SOCKET;
+	bi->flags=0;
+	if ((bi->ptr=(char *)BIO_CONNECT_new()) == NULL)
+		return(0);
+	else
+		return(1);
+	}
+
+static void conn_close_socket(BIO *bio)
+	{
+	BIO_CONNECT *c;
+
+	c=(BIO_CONNECT *)bio->ptr;
+	if (bio->num != INVALID_SOCKET)
+		{
+		/* Only do a shutdown if things were established */
+		if (c->state == BIO_CONN_S_OK)
+			shutdown(bio->num,2);
+		closesocket(bio->num);
+		bio->num=INVALID_SOCKET;
+		}
+	}
+
+static int conn_free(BIO *a)
+	{
+	BIO_CONNECT *data;
+
+	if (a == NULL) return(0);
+	data=(BIO_CONNECT *)a->ptr;
+	 
+	if (a->shutdown)
+		{
+		conn_close_socket(a);
+		BIO_CONNECT_free(data);
+		a->ptr=NULL;
+		a->flags=0;
+		a->init=0;
+		}
+	return(1);
+	}
+	
+static int conn_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+	BIO_CONNECT *data;
+
+	data=(BIO_CONNECT *)b->ptr;
+	if (data->state != BIO_CONN_S_OK)
+		{
+		ret=conn_state(b,data);
+		if (ret <= 0)
+				return(ret);
+		}
+
+	if (out != NULL)
+		{
+		clear_socket_error();
+		ret=readsocket(b->num,out,outl);
+		BIO_clear_retry_flags(b);
+		if (ret <= 0)
+			{
+			if (BIO_sock_should_retry(ret))
+				BIO_set_retry_read(b);
+			}
+		}
+	return(ret);
+	}
+
+static int conn_write(BIO *b, char *in, int inl)
+	{
+	int ret;
+	BIO_CONNECT *data;
+
+	data=(BIO_CONNECT *)b->ptr;
+	if (data->state != BIO_CONN_S_OK)
+		{
+		ret=conn_state(b,data);
+		if (ret <= 0) return(ret);
+		}
+
+	clear_socket_error();
+	ret=writesocket(b->num,in,inl);
+	BIO_clear_retry_flags(b);
+	if (ret <= 0)
+		{
+		if (BIO_sock_should_retry(ret))
+			BIO_set_retry_write(b);
+		}
+	return(ret);
+	}
+
+static long conn_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO *dbio;
+	int *ip;
+	const char **pptr;
+	long ret=1;
+	BIO_CONNECT *data;
+
+	data=(BIO_CONNECT *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ret=0;
+		data->state=BIO_CONN_S_BEFORE;
+		conn_close_socket(b);
+		b->flags=0;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		/* use this one to start the connection */
+		if (!data->state != BIO_CONN_S_OK)
+			ret=(long)conn_state(b,data);
+		else
+			ret=1;
+		break;
+	case BIO_C_GET_CONNECT:
+		if (ptr != NULL)
+			{
+			pptr=(const char **)ptr;
+			if (num == 0)
+				{
+				*pptr=data->param_hostname;
+
+				}
+			else if (num == 1)
+				{
+				*pptr=data->param_port;
+				}
+			else if (num == 2)
+				{
+				*pptr= (char *)&(data->ip[0]);
+				}
+			else if (num == 3)
+				{
+				*((int *)ptr)=data->port;
+				}
+			if ((!b->init) || (ptr == NULL))
+				*pptr="not initialized";
+			ret=1;
+			}
+		break;
+	case BIO_C_SET_CONNECT:
+		if (ptr != NULL)
+			{
+			b->init=1;
+			if (num == 0)
+				{
+				if (data->param_hostname != NULL)
+					Free(data->param_hostname);
+				data->param_hostname=BUF_strdup(ptr);
+				}
+			else if (num == 1)
+				{
+				if (data->param_port != NULL)
+					Free(data->param_port);
+				data->param_port=BUF_strdup(ptr);
+				}
+			else if (num == 2)
+				{
+				char buf[16];
+
+				sprintf(buf,"%d.%d.%d.%d",
+					ptr[0],ptr[1],ptr[2],ptr[3]);
+				if (data->param_hostname != NULL)
+					Free(data->param_hostname);
+				data->param_hostname=BUF_strdup(buf);
+				memcpy(&(data->ip[0]),ptr,4);
+				}
+			else if (num == 3)
+				{
+				char buf[16];
+
+				sprintf(buf,"%d",*(int *)ptr);
+				if (data->param_port != NULL)
+					Free(data->param_port);
+				data->param_port=BUF_strdup(buf);
+				data->port= *(int *)ptr;
+				}
+			}
+		break;
+	case BIO_C_SET_NBIO:
+		data->nbio=(int)num;
+		break;
+	case BIO_C_GET_FD:
+		if (b->init)
+			{
+			ip=(int *)ptr;
+			if (ip != NULL)
+				*ip=b->num;
+			ret=b->num;
+			}
+		else
+			ret= -1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+		ret=0;
+		break;
+	case BIO_CTRL_FLUSH:
+		break;
+	case BIO_CTRL_DUP:
+		{
+		dbio=(BIO *)ptr;
+		if (data->param_port)
+			BIO_set_conn_port(dbio,data->param_port);
+		if (data->param_hostname)
+			BIO_set_conn_hostname(dbio,data->param_hostname);
+		BIO_set_nbio(dbio,data->nbio);
+		(void)BIO_set_info_callback(dbio,(void *(*)())(data->info_callback));
+		}
+		break;
+	case BIO_CTRL_SET_CALLBACK:
+		{
+#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
+		BIOerr(BIO_F_CONN_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ret = -1;
+#else
+		ret=0;
+#endif
+		}
+		break;
+	case BIO_CTRL_GET_CALLBACK:
+		{
+		int (**fptr)();
+
+		fptr=(int (**)())ptr;
+		*fptr=data->info_callback;
+		}
+		break;
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static long conn_callback_ctrl(BIO *b, int cmd, void *(*fp)())
+	{
+	long ret=1;
+	BIO_CONNECT *data;
+
+	data=(BIO_CONNECT *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_SET_CALLBACK:
+		{
+		data->info_callback=(int (*)())fp;
+		}
+		break;
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int conn_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=conn_write(bp,str,n);
+	return(ret);
+	}
+
+BIO *BIO_new_connect(char *str)
+	{
+	BIO *ret;
+
+	ret=BIO_new(BIO_s_connect());
+	if (ret == NULL) return(NULL);
+	if (BIO_set_conn_hostname(ret,str))
+		return(ret);
+	else
+		{
+		BIO_free(ret);
+		return(NULL);
+		}
+	}
+
+#endif
+
diff --git a/crypto/openssl/crypto/bio/bss_fd.c b/crypto/openssl/crypto/bio/bss_fd.c
new file mode 100644
index 0000000..686c4909
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_fd.c
@@ -0,0 +1,62 @@
+/* crypto/bio/bss_fd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define BIO_FD
+#include "bss_sock.c"
+#undef BIO_FD
+
diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c
new file mode 100644
index 0000000..0d44dc3
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_file.c
@@ -0,0 +1,310 @@
+/* crypto/bio/bss_file.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * 03-Dec-1997	rdenny@dc3.com  Fix bug preventing use of stdin/stdout
+ *		with binary data (e.g. asn1parse -inform DER < xxx) under
+ *		Windows
+ */
+
+#ifndef HEADER_BSS_FILE_C
+#define HEADER_BSS_FILE_C
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#if !defined(NO_STDIO)
+
+static int MS_CALLBACK file_write(BIO *h,char *buf,int num);
+static int MS_CALLBACK file_read(BIO *h,char *buf,int size);
+static int MS_CALLBACK file_puts(BIO *h,char *str);
+static int MS_CALLBACK file_gets(BIO *h,char *str,int size);
+static long MS_CALLBACK file_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int MS_CALLBACK file_new(BIO *h);
+static int MS_CALLBACK file_free(BIO *data);
+static BIO_METHOD methods_filep=
+	{
+	BIO_TYPE_FILE,
+	"FILE pointer",
+	file_write,
+	file_read,
+	file_puts,
+	file_gets,
+	file_ctrl,
+	file_new,
+	file_free,
+	NULL,
+	};
+
+BIO *BIO_new_file(const char *filename, const char *mode)
+	{
+	BIO *ret;
+	FILE *file;
+
+	if ((file=fopen(filename,mode)) == NULL)
+		{
+		SYSerr(SYS_F_FOPEN,get_last_sys_error());
+		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
+		BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
+		return(NULL);
+		}
+	if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
+		return(NULL);
+
+	BIO_set_fp(ret,file,BIO_CLOSE);
+	return(ret);
+	}
+
+BIO *BIO_new_fp(FILE *stream, int close_flag)
+	{
+	BIO *ret;
+
+	if ((ret=BIO_new(BIO_s_file())) == NULL)
+		return(NULL);
+
+	BIO_set_fp(ret,stream,close_flag);
+	return(ret);
+	}
+
+BIO_METHOD *BIO_s_file(void)
+	{
+	return(&methods_filep);
+	}
+
+static int MS_CALLBACK file_new(BIO *bi)
+	{
+	bi->init=0;
+	bi->num=0;
+	bi->ptr=NULL;
+	return(1);
+	}
+
+static int MS_CALLBACK file_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	if (a->shutdown)
+		{
+		if ((a->init) && (a->ptr != NULL))
+			{
+			fclose((FILE *)a->ptr);
+			a->ptr=NULL;
+			}
+		a->init=0;
+		}
+	return(1);
+	}
+	
+static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+
+	if (b->init && (out != NULL))
+		{
+		ret=fread(out,1,(int)outl,(FILE *)b->ptr);
+		}
+	return(ret);
+	}
+
+static int MS_CALLBACK file_write(BIO *b, char *in, int inl)
+	{
+	int ret=0;
+
+	if (b->init && (in != NULL))
+		{
+		if (fwrite(in,(int)inl,1,(FILE *)b->ptr))
+			ret=inl;
+		/* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */
+		/* according to Tim Hudson <tjh@cryptsoft.com>, the commented
+		 * out version above can cause 'inl' write calls under
+		 * some stupid stdio implementations (VMS) */
+		}
+	return(ret);
+	}
+
+static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret=1;
+	FILE *fp=(FILE *)b->ptr;
+	FILE **fpp;
+	char p[4];
+
+	switch (cmd)
+		{
+	case BIO_C_FILE_SEEK:
+	case BIO_CTRL_RESET:
+		ret=(long)fseek(fp,num,0);
+		break;
+	case BIO_CTRL_EOF:
+		ret=(long)feof(fp);
+		break;
+	case BIO_C_FILE_TELL:
+	case BIO_CTRL_INFO:
+		ret=ftell(fp);
+		break;
+	case BIO_C_SET_FILE_PTR:
+		file_free(b);
+		b->shutdown=(int)num&BIO_CLOSE;
+		b->ptr=(char *)ptr;
+		b->init=1;
+#if defined(MSDOS) || defined(WINDOWS)
+		/* Set correct text/binary mode */
+		if (num & BIO_FP_TEXT)
+			_setmode(fileno((FILE *)ptr),_O_TEXT);
+		else
+			_setmode(fileno((FILE *)ptr),_O_BINARY);
+#endif
+		break;
+	case BIO_C_SET_FILENAME:
+		file_free(b);
+		b->shutdown=(int)num&BIO_CLOSE;
+		if (num & BIO_FP_APPEND)
+			{
+			if (num & BIO_FP_READ)
+				strcpy(p,"a+");
+			else	strcpy(p,"a");
+			}
+		else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
+			strcpy(p,"r+");
+		else if (num & BIO_FP_WRITE)
+			strcpy(p,"w");
+		else if (num & BIO_FP_READ)
+			strcpy(p,"r");
+		else
+			{
+			BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE);
+			ret=0;
+			break;
+			}
+#if defined(MSDOS) || defined(WINDOWS)
+		if (!(num & BIO_FP_TEXT))
+			strcat(p,"b");
+		else
+			strcat(p,"t");
+#endif
+		fp=fopen(ptr,p);
+		if (fp == NULL)
+			{
+			SYSerr(SYS_F_FOPEN,get_last_sys_error());
+			ERR_add_error_data(5,"fopen('",ptr,"','",p,"')");
+			BIOerr(BIO_F_FILE_CTRL,ERR_R_SYS_LIB);
+			ret=0;
+			break;
+			}
+		b->ptr=(char *)fp;
+		b->init=1;
+		break;
+	case BIO_C_GET_FILE_PTR:
+		/* the ptr parameter is actually a FILE ** in this case. */
+		if (ptr != NULL)
+			{
+			fpp=(FILE **)ptr;
+			*fpp=(FILE *)b->ptr;
+			}
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=(long)b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_FLUSH:
+		fflush((FILE *)b->ptr);
+		break;
+	case BIO_CTRL_DUP:
+		ret=1;
+		break;
+
+	case BIO_CTRL_WPENDING:
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_PUSH:
+	case BIO_CTRL_POP:
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
+	{
+	int ret=0;
+
+	buf[0]='\0';
+	fgets(buf,size,(FILE *)bp->ptr);
+	if (buf[0] != '\0')
+		ret=strlen(buf);
+	return(ret);
+	}
+
+static int MS_CALLBACK file_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=file_write(bp,str,n);
+	return(ret);
+	}
+
+#endif /* NO_STDIO */
+
+#endif /* HEADER_BSS_FILE_C */
+
+
diff --git a/crypto/openssl/crypto/bio/bss_log.c b/crypto/openssl/crypto/bio/bss_log.c
new file mode 100644
index 0000000..497eb1a
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_log.c
@@ -0,0 +1,336 @@
+/* crypto/bio/bss_log.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+	Why BIO_s_log?
+
+	BIO_s_log is useful for system daemons (or services under NT).
+	It is one-way BIO, it sends all stuff to syslogd (on system that
+	commonly use that), or event log (on NT), or OPCOM (on OpenVMS).
+
+*/
+
+
+#include <stdio.h>
+#include <errno.h>
+
+#if defined(WIN32)
+#  include <process.h>
+#elif defined(VMS) || defined(__VMS)
+#  include <opcdef.h>
+#  include <descrip.h>
+#  include <lib$routines.h>
+#  include <starlet.h>
+#elif defined(__ultrix)
+#  include <sys/syslog.h>
+#elif !defined(MSDOS) /* Unix */
+#  include <syslog.h>
+#endif
+
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+#ifndef NO_SYSLOG
+
+#if defined(WIN32)
+#define LOG_EMERG	0
+#define LOG_ALERT	1
+#define LOG_CRIT	2
+#define LOG_ERR		3
+#define LOG_WARNING	4
+#define LOG_NOTICE	5
+#define LOG_INFO	6
+#define LOG_DEBUG	7
+
+#define LOG_DAEMON	(3<<3)
+#elif defined(VMS)
+/* On VMS, we don't really care about these, but we need them to compile */
+#define LOG_EMERG	0
+#define LOG_ALERT	1
+#define LOG_CRIT	2
+#define LOG_ERR		3
+#define LOG_WARNING	4
+#define LOG_NOTICE	5
+#define LOG_INFO	6
+#define LOG_DEBUG	7
+
+#define LOG_DAEMON	OPC$M_NM_NTWORK
+#endif
+
+static int MS_CALLBACK slg_write(BIO *h,char *buf,int num);
+static int MS_CALLBACK slg_puts(BIO *h,char *str);
+static long MS_CALLBACK slg_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int MS_CALLBACK slg_new(BIO *h);
+static int MS_CALLBACK slg_free(BIO *data);
+static void xopenlog(BIO* bp, const char* name, int level);
+static void xsyslog(BIO* bp, int priority, const char* string);
+static void xcloselog(BIO* bp);
+
+static BIO_METHOD methods_slg=
+	{
+	BIO_TYPE_MEM,"syslog",
+	slg_write,
+	NULL,
+	slg_puts,
+	NULL,
+	slg_ctrl,
+	slg_new,
+	slg_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_log(void)
+	{
+	return(&methods_slg);
+	}
+
+static int MS_CALLBACK slg_new(BIO *bi)
+	{
+	bi->init=1;
+	bi->num=0;
+	bi->ptr=NULL;
+	xopenlog(bi, "application", LOG_DAEMON);
+	return(1);
+	}
+
+static int MS_CALLBACK slg_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	xcloselog(a);
+	return(1);
+	}
+	
+static int MS_CALLBACK slg_write(BIO *b, char *in, int inl)
+	{
+	int ret= inl;
+	char* buf= in;
+	char* pp;
+	int priority;
+
+	if((buf= (char *)Malloc(inl+ 1)) == NULL){
+		return(0);
+	}
+	strncpy(buf, in, inl);
+	buf[inl]= '\0';
+
+	if(strncmp(buf, "ERR ", 4) == 0){
+		priority= LOG_ERR;
+		pp= buf+ 4;
+	}else if(strncmp(buf, "WAR ", 4) == 0){
+		priority= LOG_WARNING;
+		pp= buf+ 4;
+	}else if(strncmp(buf, "INF ", 4) == 0){
+		priority= LOG_INFO;
+		pp= buf+ 4;
+	}else{
+		priority= LOG_ERR;
+		pp= buf;
+	}
+
+	xsyslog(b, priority, pp);
+
+	Free(buf);
+	return(ret);
+	}
+
+static long MS_CALLBACK slg_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	switch (cmd)
+		{
+	case BIO_CTRL_SET:
+		xcloselog(b);
+		xopenlog(b, ptr, num);
+		break;
+	default:
+		break;
+		}
+	return(0);
+	}
+
+static int MS_CALLBACK slg_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=slg_write(bp,str,n);
+	return(ret);
+	}
+
+#if defined(WIN32)
+
+static void xopenlog(BIO* bp, const char* name, int level)
+{
+	bp->ptr= (char *)RegisterEventSource(NULL, name);
+}
+
+static void xsyslog(BIO *bp, int priority, const char *string)
+{
+	LPCSTR lpszStrings[2];
+	WORD evtype= EVENTLOG_ERROR_TYPE;
+	int pid = _getpid();
+	char pidbuf[20];
+
+	switch (priority)
+		{
+	case LOG_ERR:
+		evtype = EVENTLOG_ERROR_TYPE;
+		break;
+	case LOG_WARNING:
+		evtype = EVENTLOG_WARNING_TYPE;
+		break;
+	case LOG_INFO:
+		evtype = EVENTLOG_INFORMATION_TYPE;
+		break;
+	default:
+		evtype = EVENTLOG_ERROR_TYPE;
+		break;
+		}
+
+	sprintf(pidbuf, "[%d] ", pid);
+	lpszStrings[0] = pidbuf;
+	lpszStrings[1] = string;
+
+	if(bp->ptr)
+		ReportEvent(bp->ptr, evtype, 0, 1024, NULL, 2, 0,
+				lpszStrings, NULL);
+}
+	
+static void xcloselog(BIO* bp)
+{
+	if(bp->ptr)
+		DeregisterEventSource((HANDLE)(bp->ptr));
+	bp->ptr= NULL;
+}
+
+#elif defined(VMS)
+
+static int VMS_OPC_target = LOG_DAEMON;
+
+static void xopenlog(BIO* bp, const char* name, int level)
+{
+	VMS_OPC_target = level; 
+}
+
+static void xsyslog(BIO *bp, int priority, const char *string)
+{
+	struct dsc$descriptor_s opc_dsc;
+	struct opcdef *opcdef_p;
+	char buf[10240];
+	unsigned int len;
+        struct dsc$descriptor_s buf_dsc;
+	$DESCRIPTOR(fao_cmd, "!AZ: !AZ");
+	char *priority_tag;
+
+	switch (priority)
+	  {
+	  case LOG_EMERG: priority_tag = "Emergency"; break;
+	  case LOG_ALERT: priority_tag = "Alert"; break;
+	  case LOG_CRIT: priority_tag = "Critical"; break;
+	  case LOG_ERR: priority_tag = "Error"; break;
+	  case LOG_WARNING: priority_tag = "Warning"; break;
+	  case LOG_NOTICE: priority_tag = "Notice"; break;
+	  case LOG_INFO: priority_tag = "Info"; break;
+	  case LOG_DEBUG: priority_tag = "DEBUG"; break;
+	  }
+
+	buf_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+	buf_dsc.dsc$b_class = DSC$K_CLASS_S;
+	buf_dsc.dsc$a_pointer = buf;
+	buf_dsc.dsc$w_length = sizeof(buf) - 1;
+
+	lib$sys_fao(&fao_cmd, &len, &buf_dsc, priority_tag, string);
+
+	/* we know there's an 8 byte header.  That's documented */
+	opcdef_p = (struct opcdef *) Malloc(8 + len);
+	opcdef_p->opc$b_ms_type = OPC$_RQ_RQST;
+	memcpy(opcdef_p->opc$z_ms_target_classes, &VMS_OPC_target, 3);
+	opcdef_p->opc$l_ms_rqstid = 0;
+	memcpy(&opcdef_p->opc$l_ms_text, buf, len);
+
+	opc_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+	opc_dsc.dsc$b_class = DSC$K_CLASS_S;
+	opc_dsc.dsc$a_pointer = (char *)opcdef_p;
+	opc_dsc.dsc$w_length = len + 8;
+
+	sys$sndopr(opc_dsc, 0);
+
+	Free(opcdef_p);
+}
+
+static void xcloselog(BIO* bp)
+{
+}
+
+#else /* Unix */
+
+static void xopenlog(BIO* bp, const char* name, int level)
+{
+	openlog(name, LOG_PID|LOG_CONS, level);
+}
+
+static void xsyslog(BIO *bp, int priority, const char *string)
+{
+	syslog(priority, "%s", string);
+}
+
+static void xcloselog(BIO* bp)
+{
+	closelog();
+}
+
+#endif /* Unix */
+
+#endif /* NO_SYSLOG */
diff --git a/crypto/openssl/crypto/bio/bss_mem.c b/crypto/openssl/crypto/bio/bss_mem.c
new file mode 100644
index 0000000..41eab92
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_mem.c
@@ -0,0 +1,312 @@
+/* crypto/bio/bss_mem.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+static int mem_write(BIO *h,char *buf,int num);
+static int mem_read(BIO *h,char *buf,int size);
+static int mem_puts(BIO *h,char *str);
+static int mem_gets(BIO *h,char *str,int size);
+static long mem_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int mem_new(BIO *h);
+static int mem_free(BIO *data);
+static BIO_METHOD mem_method=
+	{
+	BIO_TYPE_MEM,
+	"memory buffer",
+	mem_write,
+	mem_read,
+	mem_puts,
+	mem_gets,
+	mem_ctrl,
+	mem_new,
+	mem_free,
+	NULL,
+	};
+
+/* bio->num is used to hold the value to return on 'empty', if it is
+ * 0, should_retry is not set */
+
+BIO_METHOD *BIO_s_mem(void)
+	{
+	return(&mem_method);
+	}
+
+BIO *BIO_new_mem_buf(void *buf, int len)
+{
+	BIO *ret;
+	BUF_MEM *b;
+	if (!buf) {
+		BIOerr(BIO_F_BIO_NEW_MEM_BUF,BIO_R_NULL_PARAMETER);
+		return NULL;
+	}
+	if(len == -1) len = strlen(buf);
+	if(!(ret = BIO_new(BIO_s_mem())) ) return NULL;
+	b = (BUF_MEM *)ret->ptr;
+	b->data = buf;
+	b->length = len;
+	b->max = len;
+	ret->flags |= BIO_FLAGS_MEM_RDONLY;
+	/* Since this is static data retrying wont help */
+	ret->num = 0;
+	return ret;
+}
+
+static int mem_new(BIO *bi)
+	{
+	BUF_MEM *b;
+
+	if ((b=BUF_MEM_new()) == NULL)
+		return(0);
+	bi->shutdown=1;
+	bi->init=1;
+	bi->num= -1;
+	bi->ptr=(char *)b;
+	return(1);
+	}
+
+static int mem_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	if (a->shutdown)
+		{
+		if ((a->init) && (a->ptr != NULL))
+			{
+			BUF_MEM *b;
+			b = (BUF_MEM *)a->ptr;
+			if(a->flags & BIO_FLAGS_MEM_RDONLY) b->data = NULL;
+			BUF_MEM_free(b);
+			a->ptr=NULL;
+			}
+		}
+	return(1);
+	}
+	
+static int mem_read(BIO *b, char *out, int outl)
+	{
+	int ret= -1;
+	BUF_MEM *bm;
+	int i;
+	char *from,*to;
+
+	bm=(BUF_MEM *)b->ptr;
+	BIO_clear_retry_flags(b);
+	ret=(outl > bm->length)?bm->length:outl;
+	if ((out != NULL) && (ret > 0)) {
+		memcpy(out,bm->data,ret);
+		bm->length-=ret;
+		/* memmove(&(bm->data[0]),&(bm->data[ret]), bm->length); */
+		if(b->flags & BIO_FLAGS_MEM_RDONLY) bm->data += ret;
+		else {
+			from=(char *)&(bm->data[ret]);
+			to=(char *)&(bm->data[0]);
+			for (i=0; i<bm->length; i++)
+				to[i]=from[i];
+		}
+	} else if (bm->length == 0)
+		{
+		if (b->num != 0)
+			BIO_set_retry_read(b);
+		ret= b->num;
+		}
+	return(ret);
+	}
+
+static int mem_write(BIO *b, char *in, int inl)
+	{
+	int ret= -1;
+	int blen;
+	BUF_MEM *bm;
+
+	bm=(BUF_MEM *)b->ptr;
+	if (in == NULL)
+		{
+		BIOerr(BIO_F_MEM_WRITE,BIO_R_NULL_PARAMETER);
+		goto end;
+		}
+
+	if(b->flags & BIO_FLAGS_MEM_RDONLY) {
+		BIOerr(BIO_F_MEM_WRITE,BIO_R_WRITE_TO_READ_ONLY_BIO);
+		goto end;
+	}
+
+	BIO_clear_retry_flags(b);
+	blen=bm->length;
+	if (BUF_MEM_grow(bm,blen+inl) != (blen+inl))
+		goto end;
+	memcpy(&(bm->data[blen]),in,inl);
+	ret=inl;
+end:
+	return(ret);
+	}
+
+static long mem_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret=1;
+	char **pptr;
+
+	BUF_MEM *bm=(BUF_MEM *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		if (bm->data != NULL) {
+			/* For read only case reset to the start again */
+			if(b->flags & BIO_FLAGS_MEM_RDONLY) 
+					bm->data -= bm->max - bm->length;
+			else {
+				memset(bm->data,0,bm->max);
+				bm->length=0;
+			}
+		}
+		break;
+	case BIO_CTRL_EOF:
+		ret=(long)(bm->length == 0);
+		break;
+	case BIO_C_SET_BUF_MEM_EOF_RETURN:
+		b->num=(int)num;
+		break;
+	case BIO_CTRL_INFO:
+		ret=(long)bm->length;
+		if (ptr != NULL)
+			{
+			pptr=(char **)ptr;
+			*pptr=(char *)&(bm->data[0]);
+			}
+		break;
+	case BIO_C_SET_BUF_MEM:
+		mem_free(b);
+		b->shutdown=(int)num;
+		b->ptr=ptr;
+		break;
+	case BIO_C_GET_BUF_MEM_PTR:
+		if (ptr != NULL)
+			{
+			pptr=(char **)ptr;
+			*pptr=(char *)bm;
+			}
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=(long)b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+
+	case BIO_CTRL_WPENDING:
+		ret=0L;
+		break;
+	case BIO_CTRL_PENDING:
+		ret=(long)bm->length;
+		break;
+	case BIO_CTRL_DUP:
+	case BIO_CTRL_FLUSH:
+		ret=1;
+		break;
+	case BIO_CTRL_PUSH:
+	case BIO_CTRL_POP:
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int mem_gets(BIO *bp, char *buf, int size)
+	{
+	int i,j;
+	int ret= -1;
+	char *p;
+	BUF_MEM *bm=(BUF_MEM *)bp->ptr;
+
+	BIO_clear_retry_flags(bp);
+	j=bm->length;
+	if (j <= 0) return(0);
+	p=bm->data;
+	for (i=0; i<j; i++)
+		{
+		if (p[i] == '\n') break;
+		}
+	if (i == j)
+		{
+		BIO_set_retry_read(bp);
+		/* return(-1);  change the semantics 0.6.6a */ 
+		}
+	else
+		i++;
+	/* i is the max to copy */
+	if ((size-1) < i) i=size-1;
+	i=mem_read(bp,buf,i);
+	if (i > 0) buf[i]='\0';
+	ret=i;
+	return(ret);
+	}
+
+static int mem_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=mem_write(bp,str,n);
+	/* memory semantics is that it will always work */
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/bio/bss_null.c b/crypto/openssl/crypto/bio/bss_null.c
new file mode 100644
index 0000000..aee18e3
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_null.c
@@ -0,0 +1,150 @@
+/* crypto/bio/bss_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+static int null_write(BIO *h,char *buf,int num);
+static int null_read(BIO *h,char *buf,int size);
+static int null_puts(BIO *h,char *str);
+static int null_gets(BIO *h,char *str,int size);
+static long null_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int null_new(BIO *h);
+static int null_free(BIO *data);
+static BIO_METHOD null_method=
+	{
+	BIO_TYPE_NULL,
+	"NULL",
+	null_write,
+	null_read,
+	null_puts,
+	null_gets,
+	null_ctrl,
+	null_new,
+	null_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_null(void)
+	{
+	return(&null_method);
+	}
+
+static int null_new(BIO *bi)
+	{
+	bi->init=1;
+	bi->num=0;
+	bi->ptr=(NULL);
+	return(1);
+	}
+
+static int null_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	return(1);
+	}
+	
+static int null_read(BIO *b, char *out, int outl)
+	{
+	return(0);
+	}
+
+static int null_write(BIO *b, char *in, int inl)
+	{
+	return(inl);
+	}
+
+static long null_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret=1;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+	case BIO_CTRL_EOF:
+	case BIO_CTRL_SET:
+	case BIO_CTRL_SET_CLOSE:
+	case BIO_CTRL_FLUSH:
+	case BIO_CTRL_DUP:
+		ret=1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+	case BIO_CTRL_INFO:
+	case BIO_CTRL_GET:
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int null_gets(BIO *bp, char *buf, int size)
+	{
+	return(0);
+	}
+
+static int null_puts(BIO *bp, char *str)
+	{
+	if (str == NULL) return(0);
+	return(strlen(str));
+	}
+
diff --git a/crypto/openssl/crypto/bio/bss_rtcp.c b/crypto/openssl/crypto/bio/bss_rtcp.c
new file mode 100644
index 0000000..4ad0739
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_rtcp.c
@@ -0,0 +1,294 @@
+/* crypto/bio/bss_rtcp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Written by David L. Jones <jonesd@kcgl1.eng.ohio-state.edu>
+ * Date:   22-JUL-1996
+ * Revised: 25-SEP-1997		Update for 0.8.1, BIO_CTRL_SET -> BIO_C_SET_FD
+ */
+/* VMS */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#include <iodef.h>		/* VMS IO$_ definitions */
+#include <starlet.h>
+
+typedef unsigned short io_channel;
+/*************************************************************************/
+struct io_status { short status, count; long flags; };
+
+struct rpc_msg {		/* Should have member alignment inhibited */
+   char channel;		/* 'A'-app data. 'R'-remote client 'G'-global */
+   char function;		/* 'G'-get, 'P'-put, 'C'-confirm, 'X'-close */
+   unsigned short int length;	/* Amount of data returned or max to return */
+   char data[4092];		/* variable data */
+};
+#define RPC_HDR_SIZE (sizeof(struct rpc_msg) - 4092)
+
+struct rpc_ctx {
+    int filled, pos;
+    struct rpc_msg msg;
+};
+
+static int rtcp_write(BIO *h,char *buf,int num);
+static int rtcp_read(BIO *h,char *buf,int size);
+static int rtcp_puts(BIO *h,char *str);
+static int rtcp_gets(BIO *h,char *str,int size);
+static long rtcp_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int rtcp_new(BIO *h);
+static int rtcp_free(BIO *data);
+
+static BIO_METHOD rtcp_method=
+	{
+	BIO_TYPE_FD,
+	"RTCP",
+	rtcp_write,
+	rtcp_read,
+	rtcp_puts,
+	rtcp_gets,
+	rtcp_ctrl,
+	rtcp_new,
+	rtcp_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_rtcp(void)
+	{
+	return(&rtcp_method);
+	}
+/*****************************************************************************/
+/* Decnet I/O routines.
+ */
+
+#ifdef __DECC
+#pragma message save
+#pragma message disable DOLLARID
+#endif
+
+static int get ( io_channel chan, char *buffer, int maxlen, int *length )
+{
+    int status;
+    struct io_status iosb;
+    status = sys$qiow ( 0, chan, IO$_READVBLK, &iosb, 0, 0,
+	buffer, maxlen, 0, 0, 0, 0 );
+    if ( (status&1) == 1 ) status = iosb.status;
+    if ( (status&1) == 1 ) *length = iosb.count;
+    return status;
+}
+
+static int put ( io_channel chan, char *buffer, int length )
+{
+    int status;
+    struct io_status iosb;
+    status = sys$qiow ( 0, chan, IO$_WRITEVBLK, &iosb, 0, 0,
+	buffer, length, 0, 0, 0, 0 );
+    if ( (status&1) == 1 ) status = iosb.status;
+    return status;
+}
+
+#ifdef __DECC
+#pragma message restore
+#endif
+
+/***************************************************************************/
+
+static int rtcp_new(BIO *bi)
+{
+    struct rpc_ctx *ctx;
+	bi->init=1;
+	bi->num=0;
+	bi->flags = 0;
+	bi->ptr=Malloc(sizeof(struct rpc_ctx));
+	ctx = (struct rpc_ctx *) bi->ptr;
+	ctx->filled = 0;
+	ctx->pos = 0;
+	return(1);
+}
+
+static int rtcp_free(BIO *a)
+{
+	if (a == NULL) return(0);
+	if ( a->ptr ) Free ( a->ptr );
+	a->ptr = NULL;
+	return(1);
+}
+	
+static int rtcp_read(BIO *b, char *out, int outl)
+{
+    int status, length;
+    struct rpc_ctx *ctx;
+    /*
+     * read data, return existing.
+     */
+    ctx = (struct rpc_ctx *) b->ptr;
+    if ( ctx->pos < ctx->filled ) {
+	length = ctx->filled - ctx->pos;
+	if ( length > outl ) length = outl;
+	memmove ( out, &ctx->msg.data[ctx->pos], length );
+	ctx->pos += length;
+	return length;
+    }
+    /*
+     * Requst more data from R channel.
+     */
+    ctx->msg.channel = 'R';
+    ctx->msg.function = 'G';
+    ctx->msg.length = sizeof(ctx->msg.data);
+    status = put ( b->num, (char *) &ctx->msg, RPC_HDR_SIZE );
+    if ( (status&1) == 0 ) {
+	return -1;
+    }
+    /*
+     * Read.
+     */
+    ctx->pos = ctx->filled = 0;
+    status = get ( b->num, (char *) &ctx->msg, sizeof(ctx->msg), &length );
+    if ( (status&1) == 0 ) length = -1;
+    if ( ctx->msg.channel != 'R' || ctx->msg.function != 'C' ) {
+	length = -1;
+    }
+    ctx->filled = length - RPC_HDR_SIZE;
+    
+    if ( ctx->pos < ctx->filled ) {
+	length = ctx->filled - ctx->pos;
+	if ( length > outl ) length = outl;
+	memmove ( out, ctx->msg.data, length );
+	ctx->pos += length;
+	return length;
+    }
+
+    return length;
+}
+
+static int rtcp_write(BIO *b, char *in, int inl)
+{
+    int status, i, segment, length;
+    struct rpc_ctx *ctx;
+    /*
+     * Output data, send in chunks no larger that sizeof(ctx->msg.data).
+     */
+    ctx = (struct rpc_ctx *) b->ptr;
+    for ( i = 0; i < inl; i += segment ) {
+	segment = inl - i;
+	if ( segment > sizeof(ctx->msg.data) ) segment = sizeof(ctx->msg.data);
+	ctx->msg.channel = 'R';
+	ctx->msg.function = 'P';
+	ctx->msg.length = segment;
+	memmove ( ctx->msg.data, &in[i], segment );
+	status = put ( b->num, (char *) &ctx->msg, segment + RPC_HDR_SIZE );
+	if ((status&1) == 0 ) { i = -1; break; }
+
+	status = get ( b->num, (char *) &ctx->msg, sizeof(ctx->msg), &length );
+	if ( ((status&1) == 0) || (length < RPC_HDR_SIZE) ) { i = -1; break; }
+	if ( (ctx->msg.channel != 'R') || (ctx->msg.function != 'C') ) {
+	   printf("unexpected response when confirming put %c %c\n",
+		ctx->msg.channel, ctx->msg.function );
+
+	}
+    }
+    return(i);
+}
+
+static long rtcp_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	long ret=1;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+	case BIO_CTRL_EOF:
+		ret = 1;
+		break;
+	case BIO_C_SET_FD:
+		b->num = num;
+		ret = 1;
+	 	break;
+	case BIO_CTRL_SET_CLOSE:
+	case BIO_CTRL_FLUSH:
+	case BIO_CTRL_DUP:
+		ret=1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+	case BIO_CTRL_INFO:
+	case BIO_CTRL_GET:
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int rtcp_gets(BIO *bp, char *buf, int size)
+	{
+	return(0);
+	}
+
+static int rtcp_puts(BIO *bp, char *str)
+{
+    int length;
+    if (str == NULL) return(0);
+    length = strlen ( str );
+    if ( length == 0 ) return (0);
+    return rtcp_write ( bp,str, length );
+}
+
diff --git a/crypto/openssl/crypto/bio/bss_sock.c b/crypto/openssl/crypto/bio/bss_sock.c
new file mode 100644
index 0000000..8ce80ef
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_sock.c
@@ -0,0 +1,424 @@
+/* crypto/bio/bss_sock.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#if !defined(NO_SOCK) || defined(BIO_FD)
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+
+#ifndef BIO_FD
+static int sock_write(BIO *h,char *buf,int num);
+static int sock_read(BIO *h,char *buf,int size);
+static int sock_puts(BIO *h,char *str);
+static long sock_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int sock_new(BIO *h);
+static int sock_free(BIO *data);
+int BIO_sock_should_retry(int s);
+#else
+
+static int fd_write(BIO *h,char *buf,int num);
+static int fd_read(BIO *h,char *buf,int size);
+static int fd_puts(BIO *h,char *str);
+static long fd_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int fd_new(BIO *h);
+static int fd_free(BIO *data);
+int BIO_fd_should_retry(int s);
+#endif
+
+#ifndef BIO_FD
+static BIO_METHOD methods_sockp=
+	{
+	BIO_TYPE_SOCKET,
+	"socket",
+	sock_write,
+	sock_read,
+	sock_puts,
+	NULL, /* sock_gets, */
+	sock_ctrl,
+	sock_new,
+	sock_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_socket(void)
+	{
+	return(&methods_sockp);
+	}
+#else
+static BIO_METHOD methods_fdp=
+	{
+	BIO_TYPE_FD,"file descriptor",
+	fd_write,
+	fd_read,
+	fd_puts,
+	NULL, /* fd_gets, */
+	fd_ctrl,
+	fd_new,
+	fd_free,
+	NULL,
+	};
+
+BIO_METHOD *BIO_s_fd(void)
+	{
+	return(&methods_fdp);
+	}
+#endif
+
+#ifndef BIO_FD
+BIO *BIO_new_socket(int fd, int close_flag)
+#else
+BIO *BIO_new_fd(int fd,int close_flag)
+#endif
+	{
+	BIO *ret;
+
+#ifndef BIO_FD
+	ret=BIO_new(BIO_s_socket());
+#else
+	ret=BIO_new(BIO_s_fd());
+#endif
+	if (ret == NULL) return(NULL);
+	BIO_set_fd(ret,fd,close_flag);
+	return(ret);
+	}
+
+#ifndef BIO_FD
+static int sock_new(BIO *bi)
+#else
+static int fd_new(BIO *bi)
+#endif
+	{
+	bi->init=0;
+	bi->num=0;
+	bi->ptr=NULL;
+	bi->flags=0;
+	return(1);
+	}
+
+#ifndef BIO_FD
+static int sock_free(BIO *a)
+#else
+static int fd_free(BIO *a)
+#endif
+	{
+	if (a == NULL) return(0);
+	if (a->shutdown)
+		{
+		if (a->init)
+			{
+#ifndef BIO_FD
+			SHUTDOWN2(a->num);
+#else			/* BIO_FD */
+			close(a->num);
+#endif
+
+			}
+		a->init=0;
+		a->flags=0;
+		}
+	return(1);
+	}
+	
+#ifndef BIO_FD
+static int sock_read(BIO *b, char *out, int outl)
+#else
+static int fd_read(BIO *b, char *out,int outl)
+#endif
+	{
+	int ret=0;
+
+	if (out != NULL)
+		{
+#ifndef BIO_FD
+		clear_socket_error();
+		ret=readsocket(b->num,out,outl);
+#else
+		clear_sys_error();
+		ret=read(b->num,out,outl);
+#endif
+		BIO_clear_retry_flags(b);
+		if (ret <= 0)
+			{
+#ifndef BIO_FD
+			if (BIO_sock_should_retry(ret))
+#else
+			if (BIO_fd_should_retry(ret))
+#endif
+				BIO_set_retry_read(b);
+			}
+		}
+	return(ret);
+	}
+
+#ifndef BIO_FD
+static int sock_write(BIO *b, char *in, int inl)
+#else
+static int fd_write(BIO *b, char *in, int inl)
+#endif
+	{
+	int ret;
+	
+#ifndef BIO_FD
+	clear_socket_error();
+	ret=writesocket(b->num,in,inl);
+#else
+	clear_sys_error();
+	ret=write(b->num,in,inl);
+#endif
+	BIO_clear_retry_flags(b);
+	if (ret <= 0)
+		{
+#ifndef BIO_FD
+		if (BIO_sock_should_retry(ret))
+#else
+		if (BIO_fd_should_retry(ret))
+#endif
+			BIO_set_retry_write(b);
+		}
+	return(ret);
+	}
+
+#ifndef BIO_FD
+static long sock_ctrl(BIO *b, int cmd, long num, char *ptr)
+#else
+static long fd_ctrl(BIO *b, int cmd, long num, char *ptr)
+#endif
+	{
+	long ret=1;
+	int *ip;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		num=0;
+	case BIO_C_FILE_SEEK:
+#ifdef BIO_FD
+		ret=(long)lseek(b->num,num,0);
+#else
+		ret=0;
+#endif
+		break;
+	case BIO_C_FILE_TELL:
+	case BIO_CTRL_INFO:
+#ifdef BIO_FD
+		ret=(long)lseek(b->num,0,1);
+#else
+		ret=0;
+#endif
+		break;
+	case BIO_C_SET_FD:
+#ifndef BIO_FD
+		sock_free(b);
+#else
+		fd_free(b);
+#endif
+		b->num= *((int *)ptr);
+		b->shutdown=(int)num;
+		b->init=1;
+		break;
+	case BIO_C_GET_FD:
+		if (b->init)
+			{
+			ip=(int *)ptr;
+			if (ip != NULL) *ip=b->num;
+			ret=b->num;
+			}
+		else
+			ret= -1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+		ret=0;
+		break;
+	case BIO_CTRL_DUP:
+	case BIO_CTRL_FLUSH:
+		ret=1;
+		break;
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+#ifdef undef
+static int sock_gets(BIO *bp, char *buf,int size)
+	{
+	return(-1);
+	}
+#endif
+
+#ifndef BIO_FD
+static int sock_puts(BIO *bp, char *str)
+#else
+static int fd_puts(BIO *bp, char *str)
+#endif
+	{
+	int n,ret;
+
+	n=strlen(str);
+#ifndef BIO_FD
+	ret=sock_write(bp,str,n);
+#else
+	ret=fd_write(bp,str,n);
+#endif
+	return(ret);
+	}
+
+#ifndef BIO_FD
+int BIO_sock_should_retry(int i)
+#else
+int BIO_fd_should_retry(int i)
+#endif
+	{
+	int err;
+
+	if ((i == 0) || (i == -1))
+		{
+#ifndef BIO_FD
+		err=get_last_socket_error();
+#else
+		err=get_last_sys_error();
+#endif
+
+#if defined(WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
+		if ((i == -1) && (err == 0))
+			return(1);
+#endif
+
+#ifndef BIO_FD
+		return(BIO_sock_non_fatal_error(err));
+#else
+		return(BIO_fd_non_fatal_error(err));
+#endif
+		}
+	return(0);
+	}
+
+#ifndef BIO_FD
+int BIO_sock_non_fatal_error(int err)
+#else
+int BIO_fd_non_fatal_error(int err)
+#endif
+	{
+	switch (err)
+		{
+#if !defined(BIO_FD) && defined(WINDOWS)
+# if defined(WSAEWOULDBLOCK)
+	case WSAEWOULDBLOCK:
+# endif
+
+# if 0 /* This appears to always be an error */
+#  if defined(WSAENOTCONN)
+	case WSAENOTCONN:
+#  endif
+# endif
+#endif
+
+#ifdef EWOULDBLOCK
+# ifdef WSAEWOULDBLOCK
+#  if WSAEWOULDBLOCK != EWOULDBLOCK
+	case EWOULDBLOCK:
+#  endif
+# else
+	case EWOULDBLOCK:
+# endif
+#endif
+
+#if defined(ENOTCONN)
+	case ENOTCONN:
+#endif
+
+#ifdef EINTR
+	case EINTR:
+#endif
+
+#ifdef EAGAIN
+#if EWOULDBLOCK != EAGAIN
+	case EAGAIN:
+# endif
+#endif
+
+#ifdef EPROTO
+	case EPROTO:
+#endif
+
+#ifdef EINPROGRESS
+	case EINPROGRESS:
+#endif
+
+#ifdef EALREADY
+	case EALREADY:
+#endif
+		return(1);
+		/* break; */
+	default:
+		break;
+		}
+	return(0);
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/Makefile.save b/crypto/openssl/crypto/bn/Makefile.save
new file mode 100644
index 0000000..29ca88c
--- /dev/null
+++ b/crypto/openssl/crypto/bn/Makefile.save
@@ -0,0 +1,286 @@
+#
+# SSLeay/crypto/bn/Makefile
+#
+
+DIR=	bn
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+BN_ASM=		bn_asm.o
+# or use
+#BN_ASM=	bn86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAGS=$(CFLAGS)
+
+GENERAL=Makefile
+TEST=bntest.c exptest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
+	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
+	bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c bn_recp.c bn_mont.c \
+	bn_mpi.c bn_exp2.c
+
+LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o \
+	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
+	bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) bn_recp.o bn_mont.o \
+	bn_mpi.o bn_exp2.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= bn.h
+HEADER=	bn_lcl.h bn_prime.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+bn_prime.h: bn_prime.pl
+	$(PERL) bn_prime.pl >bn_prime.h
+
+divtest: divtest.c ../../libcrypto.a
+	cc -I../../include divtest.c -o divtest ../../libcrypto.a
+
+bnbug: bnbug.c ../../libcrypto.a top
+	cc -g -I../../include bnbug.c -o bnbug ../../libcrypto.a
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/bn86-elf.o: asm/bn86unix.cpp
+	$(CPP) -DELF -x c asm/bn86unix.cpp | as -o asm/bn86-elf.o
+
+asm/co86-elf.o: asm/co86unix.cpp
+	$(CPP) -DELF -x c asm/co86unix.cpp | as -o asm/co86-elf.o
+
+# solaris
+asm/bn86-sol.o: asm/bn86unix.cpp
+	$(CC) -E -DSOL asm/bn86unix.cpp | sed 's/^#.*//' > asm/bn86-sol.s
+	as -o asm/bn86-sol.o asm/bn86-sol.s
+	rm -f asm/bn86-sol.s
+
+asm/co86-sol.o: asm/co86unix.cpp
+	$(CC) -E -DSOL asm/co86unix.cpp | sed 's/^#.*//' > asm/co86-sol.s
+	as -o asm/co86-sol.o asm/co86-sol.s
+	rm -f asm/co86-sol.s
+
+# a.out
+asm/bn86-out.o: asm/bn86unix.cpp
+	$(CPP) -DOUT asm/bn86unix.cpp | as -o asm/bn86-out.o
+
+asm/co86-out.o: asm/co86unix.cpp
+	$(CPP) -DOUT asm/co86unix.cpp | as -o asm/co86-out.o
+
+# bsdi
+asm/bn86bsdi.o: asm/bn86unix.cpp
+	$(CPP) -DBSDI asm/bn86unix.cpp | sed 's/ :/:/' | as -o asm/bn86bsdi.o
+
+asm/co86bsdi.o: asm/co86unix.cpp
+	$(CPP) -DBSDI asm/co86unix.cpp | sed 's/ :/:/' | as -o asm/co86bsdi.o
+
+asm/bn86unix.cpp: asm/bn-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) bn-586.pl cpp >bn86unix.cpp )
+
+asm/co86unix.cpp: asm/co-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) co-586.pl cpp >co86unix.cpp )
+
+asm/sparcv8.o: asm/sparcv8.S
+
+asm/sparcv8plus.o: asm/sparcv8plus.S
+
+# Old GNU assembler doesn't understand V9 instructions, so we
+# hire /usr/ccs/bin/as to do the job. Note that option is called
+# *-gcc27, but even gcc 2>=8 users may experience similar problem
+# if they didn't bother to upgrade GNU assembler. Such users should
+# not choose this option, but be adviced to *remove* GNU assembler
+# or upgrade it.
+asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
+	$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
+		/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+exptest:
+	rm -f exptest
+	gcc -I../../include -g2 -ggdb -o exptest exptest.c ../../libcrypto.a
+
+div:
+	rm -f a.out
+	gcc -I.. -g div.c ../../libcrypto.a
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/co86unix.cpp asm/bn86unix.cpp *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bn_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_add.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_add.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_asm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_asm.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_asm.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_asm.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_blind.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_blind.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_blind.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_blind.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_ctx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_ctx.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_ctx.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_ctx.o: ../../include/openssl/stack.h ../cryptlib.h
+bn_div.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_div.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_div.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_div.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_err.o: ../../include/openssl/bn.h ../../include/openssl/err.h
+bn_err.o: ../../include/openssl/opensslconf.h
+bn_exp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_exp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_exp2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_exp2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp2.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp2.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_gcd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_gcd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_gcd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_gcd.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_lib.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mont.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mont.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mont.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mpi.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mpi.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mpi.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mpi.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mul.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mul.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mul.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_prime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_prime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_prime.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bn_prime.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.h
+bn_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_print.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_print.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_rand.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bn_rand.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_rand.o: ../cryptlib.h bn_lcl.h
+bn_recp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_recp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_recp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_recp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_shift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_shift.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_shift.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_shift.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_sqr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_sqr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_sqr.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_sqr.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_word.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_word.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_word.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_word.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl
new file mode 100644
index 0000000..3902c41
--- /dev/null
+++ b/crypto/openssl/crypto/bn/Makefile.ssl
@@ -0,0 +1,287 @@
+#
+# SSLeay/crypto/bn/Makefile
+#
+
+DIR=	bn
+TOP=	../..
+CC=	cc
+CPP=    $(CC) -E
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+BN_ASM=		bn_asm.o
+# or use
+#BN_ASM=	bn86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAGS=$(CFLAGS)
+
+GENERAL=Makefile
+TEST=bntest.c exptest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
+	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
+	bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c bn_recp.c bn_mont.c \
+	bn_mpi.c bn_exp2.c
+
+LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o \
+	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
+	bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) bn_recp.o bn_mont.o \
+	bn_mpi.o bn_exp2.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= bn.h
+HEADER=	bn_lcl.h bn_prime.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+bn_prime.h: bn_prime.pl
+	$(PERL) bn_prime.pl >bn_prime.h
+
+divtest: divtest.c ../../libcrypto.a
+	cc -I../../include divtest.c -o divtest ../../libcrypto.a
+
+bnbug: bnbug.c ../../libcrypto.a top
+	cc -g -I../../include bnbug.c -o bnbug ../../libcrypto.a
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/bn86-elf.o: asm/bn86unix.cpp
+	$(CPP) -DELF -x c asm/bn86unix.cpp | as -o asm/bn86-elf.o
+
+asm/co86-elf.o: asm/co86unix.cpp
+	$(CPP) -DELF -x c asm/co86unix.cpp | as -o asm/co86-elf.o
+
+# solaris
+asm/bn86-sol.o: asm/bn86unix.cpp
+	$(CC) -E -DSOL asm/bn86unix.cpp | sed 's/^#.*//' > asm/bn86-sol.s
+	as -o asm/bn86-sol.o asm/bn86-sol.s
+	rm -f asm/bn86-sol.s
+
+asm/co86-sol.o: asm/co86unix.cpp
+	$(CC) -E -DSOL asm/co86unix.cpp | sed 's/^#.*//' > asm/co86-sol.s
+	as -o asm/co86-sol.o asm/co86-sol.s
+	rm -f asm/co86-sol.s
+
+# a.out
+asm/bn86-out.o: asm/bn86unix.cpp
+	$(CPP) -DOUT asm/bn86unix.cpp | as -o asm/bn86-out.o
+
+asm/co86-out.o: asm/co86unix.cpp
+	$(CPP) -DOUT asm/co86unix.cpp | as -o asm/co86-out.o
+
+# bsdi
+asm/bn86bsdi.o: asm/bn86unix.cpp
+	$(CPP) -DBSDI asm/bn86unix.cpp | sed 's/ :/:/' | as -o asm/bn86bsdi.o
+
+asm/co86bsdi.o: asm/co86unix.cpp
+	$(CPP) -DBSDI asm/co86unix.cpp | sed 's/ :/:/' | as -o asm/co86bsdi.o
+
+asm/bn86unix.cpp: asm/bn-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) bn-586.pl cpp >bn86unix.cpp )
+
+asm/co86unix.cpp: asm/co-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) co-586.pl cpp >co86unix.cpp )
+
+asm/sparcv8.o: asm/sparcv8.S
+
+asm/sparcv8plus.o: asm/sparcv8plus.S
+
+# Old GNU assembler doesn't understand V9 instructions, so we
+# hire /usr/ccs/bin/as to do the job. Note that option is called
+# *-gcc27, but even gcc 2>=8 users may experience similar problem
+# if they didn't bother to upgrade GNU assembler. Such users should
+# not choose this option, but be adviced to *remove* GNU assembler
+# or upgrade it.
+asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
+	$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
+		/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+exptest:
+	rm -f exptest
+	gcc -I../../include -g2 -ggdb -o exptest exptest.c ../../libcrypto.a
+
+div:
+	rm -f a.out
+	gcc -I.. -g div.c ../../libcrypto.a
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/co86unix.cpp asm/bn86unix.cpp *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bn_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_add.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_add.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_asm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_asm.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_asm.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_asm.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_blind.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_blind.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_blind.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_blind.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_ctx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_ctx.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_ctx.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_ctx.o: ../../include/openssl/stack.h ../cryptlib.h
+bn_div.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_div.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_div.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_div.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_err.o: ../../include/openssl/bn.h ../../include/openssl/err.h
+bn_err.o: ../../include/openssl/opensslconf.h
+bn_exp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_exp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_exp2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_exp2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp2.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp2.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_gcd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_gcd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_gcd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_gcd.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_lib.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mont.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mont.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mont.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mpi.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mpi.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mpi.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mpi.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mul.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mul.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mul.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_prime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_prime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_prime.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bn_prime.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.h
+bn_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_print.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_print.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_rand.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bn_rand.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_rand.o: ../cryptlib.h bn_lcl.h
+bn_recp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_recp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_recp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_recp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_shift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_shift.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_shift.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_shift.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_sqr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_sqr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_sqr.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_sqr.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_word.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_word.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_word.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_word.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
diff --git a/crypto/openssl/crypto/bn/asm/README b/crypto/openssl/crypto/bn/asm/README
new file mode 100644
index 0000000..86bf64c
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/README
@@ -0,0 +1,23 @@
+All assember in this directory are just version of the file
+crypto/bn/bn_asm.c.
+
+Quite a few of these files are just the assember output from gcc since on 
+quite a few machines they are 2 times faster than the system compiler.
+
+For the x86, I have hand written assember because of the bad job all
+compilers seem to do on it.  This normally gives a 2 time speed up in the RSA
+routines.
+
+For the DEC alpha, I also hand wrote the assember (except the division which
+is just the output from the C compiler pasted on the end of the file).
+On the 2 alpha C compilers I had access to, it was not possible to do
+64b x 64b -> 128b calculations (both long and the long long data types
+were 64 bits).  So the hand assember gives access to the 128 bit result and
+a 2 times speedup :-).
+
+There are 2 versions of assember for the HP PA-RISC.
+pa-risc.s is the origional one which works fine.
+pa-risc2.s is a new version that often generates warnings but if the
+tests pass, it gives performance that is over 2 times faster than
+pa-risc.s.
+Both were generated using gcc :-)
diff --git a/crypto/openssl/crypto/bn/asm/alpha.s b/crypto/openssl/crypto/bn/asm/alpha.s
new file mode 100644
index 0000000..555ff0b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.s
@@ -0,0 +1,3199 @@
+ # DEC Alpha assember
+ # The bn_div_words is actually gcc output but the other parts are hand done.
+ # Thanks to tzeruch@ceddec.com for sending me the gcc output for
+ # bn_div_words.
+ # I've gone back and re-done most of routines.
+ # The key thing to remeber for the 164 CPU is that while a
+ # multiply operation takes 8 cycles, another one can only be issued
+ # after 4 cycles have elapsed.  I've done modification to help
+ # improve this.  Also, normally, a ld instruction will not be available
+ # for about 3 cycles.
+	.file	1 "bn_asm.c"
+	.set noat
+gcc2_compiled.:
+__gnu_compiled_c:
+	.text
+	.align 3
+	.globl bn_mul_add_words
+	.ent bn_mul_add_words
+bn_mul_add_words:
+bn_mul_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$0
+	blt	$18,$43		# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	ldq	$1,0($16)	# 1 1
+	.align 3
+$42:
+	mulq	$20,$19,$5	# 1 2 1	######
+	ldq	$21,8($17)	# 2 1
+	ldq	$2,8($16)	# 2 1
+	umulh	$20,$19,$20	# 1 2	######
+	ldq	$27,16($17)	# 3 1
+	ldq	$3,16($16)	# 3 1
+	mulq	$21,$19,$6	# 2 2 1	######
+	 ldq	$28,24($17)	# 4 1
+	addq	$1,$5,$1	# 1 2 2
+	 ldq	$4,24($16)	# 4 1
+	umulh	$21,$19,$21	# 2 2	######
+	 cmpult	$1,$5,$22	# 1 2 3 1
+	addq	$20,$22,$20	# 1 3 1
+	 addq	$1,$0,$1	# 1 2 3 1
+	mulq	$27,$19,$7	# 3 2 1	######
+	 cmpult	$1,$0,$0	# 1 2 3 2
+	addq	$2,$6,$2	# 2 2 2
+	 addq	$20,$0,$0	# 1 3 2 
+	cmpult	$2,$6,$23	# 2 2 3 1
+	 addq	$21,$23,$21	# 2 3 1
+	umulh	$27,$19,$27	# 3 2	######
+	 addq	$2,$0,$2	# 2 2 3 1
+	cmpult	$2,$0,$0	# 2 2 3 2
+	 subq	$18,4,$18
+	mulq	$28,$19,$8	# 4 2 1	######
+	 addq	$21,$0,$0	# 2 3 2 
+	addq	$3,$7,$3	# 3 2 2
+	 addq	$16,32,$16
+	cmpult	$3,$7,$24	# 3 2 3 1
+	 stq	$1,-32($16)	# 1 2 4
+	umulh	$28,$19,$28	# 4 2	######
+	 addq	$27,$24,$27	# 3 3 1
+	addq	$3,$0,$3	# 3 2 3 1
+	 stq	$2,-24($16)	# 2 2 4
+	cmpult	$3,$0,$0	# 3 2 3 2
+	 stq	$3,-16($16)	# 3 2 4
+	addq	$4,$8,$4	# 4 2 2
+	 addq	$27,$0,$0	# 3 3 2 
+	cmpult	$4,$8,$25	# 4 2 3 1
+	 addq	$17,32,$17
+	addq	$28,$25,$28	# 4 3 1
+	 addq	$4,$0,$4	# 4 2 3 1
+	cmpult	$4,$0,$0	# 4 2 3 2
+	 stq	$4,-8($16)	# 4 2 4
+	addq	$28,$0,$0	# 4 3 2 
+	 blt	$18,$43
+
+	ldq	$20,0($17)	# 1 1
+	ldq	$1,0($16)	# 1 1
+
+	br	$42
+
+	.align 4
+$45:
+	ldq	$20,0($17)	# 4 1
+	ldq	$1,0($16)	# 4 1
+	mulq	$20,$19,$5	# 4 2 1
+	subq	$18,1,$18
+	addq	$16,8,$16
+	addq	$17,8,$17
+	umulh	$20,$19,$20	# 4 2
+	addq	$1,$5,$1	# 4 2 2
+	cmpult	$1,$5,$22	# 4 2 3 1
+	addq	$20,$22,$20	# 4 3 1
+	addq	$1,$0,$1	# 4 2 3 1
+	cmpult	$1,$0,$0	# 4 2 3 2
+	addq	$20,$0,$0	# 4 3 2 
+	stq	$1,-8($16)	# 4 2 4
+	bgt	$18,$45
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$43:
+	addq	$18,4,$18
+	bgt	$18,$45		# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_add_words
+	.align 3
+	.globl bn_mul_words
+	.ent bn_mul_words
+bn_mul_words:
+bn_mul_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$0
+	blt	$18,$143	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	.align 3
+$142:
+
+	mulq	$20,$19,$5	# 1 2 1	#####
+	 ldq	$21,8($17)	# 2 1
+	 ldq	$27,16($17)	# 3 1
+	umulh	$20,$19,$20	# 1 2	#####
+	 ldq	$28,24($17)	# 4 1
+	mulq	$21,$19,$6	# 2 2 1	#####
+	 addq	$5,$0,$5	# 1 2 3 1
+	subq	$18,4,$18
+	 cmpult	$5,$0,$0	# 1 2 3 2
+	umulh	$21,$19,$21	# 2 2	#####
+	 addq	$20,$0,$0	# 1 3 2 
+	addq	$17,32,$17
+	 addq	$6,$0,$6	# 2 2 3 1
+	mulq	$27,$19,$7	# 3 2 1	#####
+	 cmpult	$6,$0,$0	# 2 2 3 2
+	addq	$21,$0,$0	# 2 3 2 
+	 addq	$16,32,$16
+	umulh	$27,$19,$27	# 3 2	#####
+	 stq	$5,-32($16)	# 1 2 4
+	mulq	$28,$19,$8	# 4 2 1	#####
+	 addq	$7,$0,$7	# 3 2 3 1
+	stq	$6,-24($16)	# 2 2 4
+	 cmpult	$7,$0,$0	# 3 2 3 2
+	umulh	$28,$19,$28	# 4 2	#####
+	 addq	$27,$0,$0	# 3 3 2 
+	stq	$7,-16($16)	# 3 2 4
+	 addq	$8,$0,$8	# 4 2 3 1
+	cmpult	$8,$0,$0	# 4 2 3 2
+
+	addq	$28,$0,$0	# 4 3 2 
+
+	stq	$8,-8($16)	# 4 2 4
+
+	blt	$18,$143
+
+	ldq	$20,0($17)	# 1 1
+
+	br	$142
+
+	.align 4
+$145:
+	ldq	$20,0($17)	# 4 1
+	mulq	$20,$19,$5	# 4 2 1
+	subq	$18,1,$18
+	umulh	$20,$19,$20	# 4 2
+	addq	$5,$0,$5	# 4 2 3 1
+	 addq	$16,8,$16
+	cmpult	$5,$0,$0	# 4 2 3 2
+	 addq	$17,8,$17
+	addq	$20,$0,$0	# 4 3 2 
+	stq	$5,-8($16)	# 4 2 4
+
+	bgt	$18,$145
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$143:
+	addq	$18,4,$18
+	bgt	$18,$145	# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_words
+	.align 3
+	.globl bn_sqr_words
+	.ent bn_sqr_words
+bn_sqr_words:
+bn_sqr_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$18,4,$18
+	blt	$18,$543	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	.align 3
+$542:
+	mulq	$20,$20,$5		######
+	 ldq	$21,8($17)	# 1 1
+	subq	$18,4
+ 	umulh	$20,$20,$1		######
+	ldq	$27,16($17)	# 1 1
+	mulq	$21,$21,$6		######
+	ldq	$28,24($17)	# 1 1
+	stq	$5,0($16)	# r[0]
+ 	umulh	$21,$21,$2		######
+	stq	$1,8($16)	# r[1]
+	mulq	$27,$27,$7		######
+	stq	$6,16($16)	# r[0]
+ 	umulh	$27,$27,$3		######
+	stq	$2,24($16)	# r[1]
+	mulq	$28,$28,$8		######
+	stq	$7,32($16)	# r[0]
+ 	umulh	$28,$28,$4		######
+	stq	$3,40($16)	# r[1]
+
+ 	addq	$16,64,$16
+ 	addq	$17,32,$17
+	stq	$8,-16($16)	# r[0]
+	stq	$4,-8($16)	# r[1]
+
+	blt	$18,$543
+	ldq	$20,0($17)	# 1 1
+ 	br 	$542
+
+$442:
+	ldq	$20,0($17)   # a[0]
+	mulq	$20,$20,$5  # a[0]*w low part       r2
+	addq	$16,16,$16
+	addq	$17,8,$17
+	subq	$18,1,$18
+        umulh	$20,$20,$1  # a[0]*w high part       r3
+	stq	$5,-16($16)   # r[0]
+        stq	$1,-8($16)   # r[1]
+
+	bgt	$18,$442
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$543:
+	addq	$18,4,$18
+	bgt	$18,$442	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_sqr_words
+
+	.align 3
+	.globl bn_add_words
+	.ent bn_add_words
+bn_add_words:
+bn_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,4,$19
+	bis	$31,$31,$0	# carry = 0
+	blt	$19,$900
+	ldq	$5,0($17)	# a[0]
+	ldq	$1,0($18)	# b[1]
+	.align 3
+$901:
+	addq	$1,$5,$1	# r=a+b;
+	 ldq	$6,8($17)	# a[1]
+	cmpult	$1,$5,$22	# did we overflow?
+	 ldq	$2,8($18)	# b[1]
+	addq	$1,$0,$1	# c+= overflow
+	 ldq	$7,16($17)	# a[2]
+	cmpult	$1,$0,$0	# overflow?
+	 ldq	$3,16($18)	# b[2]
+	addq	$0,$22,$0
+	 ldq	$8,24($17)	# a[3]
+	addq	$2,$6,$2	# r=a+b;
+	 ldq	$4,24($18)	# b[3]
+	cmpult	$2,$6,$23	# did we overflow?
+	 addq	$3,$7,$3	# r=a+b;
+	addq	$2,$0,$2	# c+= overflow
+	 cmpult	$3,$7,$24	# did we overflow?
+	cmpult	$2,$0,$0	# overflow?
+	 addq	$4,$8,$4	# r=a+b;
+	addq	$0,$23,$0
+	 cmpult	$4,$8,$25	# did we overflow?
+	addq	$3,$0,$3	# c+= overflow
+	 stq	$1,0($16)	# r[0]=c
+	cmpult	$3,$0,$0	# overflow?
+	 stq	$2,8($16)	# r[1]=c
+	addq	$0,$24,$0
+	 stq	$3,16($16)	# r[2]=c
+	addq	$4,$0,$4	# c+= overflow
+	 subq	$19,4,$19	# loop--
+	cmpult	$4,$0,$0	# overflow?
+	 addq	$17,32,$17	# a++
+	addq	$0,$25,$0
+	 stq	$4,24($16)	# r[3]=c
+	addq	$18,32,$18	# b++
+	 addq	$16,32,$16	# r++
+
+	blt	$19,$900
+	 ldq	$5,0($17)	# a[0]
+	ldq	$1,0($18)	# b[1]
+	 br	$901
+	.align 4
+$945:
+	ldq	$5,0($17)	# a[0]
+	 ldq	$1,0($18)	# b[1]
+	addq	$1,$5,$1	# r=a+b;
+	 subq	$19,1,$19	# loop--
+	addq	$1,$0,$1	# c+= overflow
+	 addq	$17,8,$17	# a++
+	cmpult	$1,$5,$22	# did we overflow?
+	 cmpult	$1,$0,$0	# overflow?
+	addq	$18,8,$18	# b++
+	 stq	$1,0($16)	# r[0]=c
+	addq	$0,$22,$0
+	 addq	$16,8,$16	# r++
+
+	bgt	$19,$945
+	ret	$31,($26),1	# else exit
+
+$900:
+	addq	$19,4,$19
+	bgt	$19,$945	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_add_words
+
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+	.align 3
+	.globl bn_div_words
+	.ent bn_div_words
+bn_div_words:
+	ldgp $29,0($27)
+bn_div_words..ng:
+	lda $30,-48($30)
+	.frame $30,48,$26,0
+	stq $26,0($30)
+	stq $9,8($30)
+	stq $10,16($30)
+	stq $11,24($30)
+	stq $12,32($30)
+	stq $13,40($30)
+	.mask 0x4003e00,-48
+	.prologue 1
+	bis $16,$16,$9
+	bis $17,$17,$10
+	bis $18,$18,$11
+	bis $31,$31,$13
+	bis $31,2,$12
+	bne $11,$119
+	lda $0,-1
+	br $31,$136
+	.align 4
+$119:
+	bis $11,$11,$16
+	jsr $26,BN_num_bits_word
+	ldgp $29,0($26)
+	subq $0,64,$1
+	beq $1,$120
+	bis $31,1,$1
+	sll $1,$0,$1
+	cmpule $9,$1,$1
+	bne $1,$120
+ #	lda $16,_IO_stderr_
+ #	lda $17,$C32
+ #	bis $0,$0,$18
+ #	jsr $26,fprintf
+ #	ldgp $29,0($26)
+	jsr $26,abort
+	ldgp $29,0($26)
+	.align 4
+$120:
+	bis $31,64,$3
+	cmpult $9,$11,$2
+	subq $3,$0,$1
+	addl $1,$31,$0
+	subq $9,$11,$1
+	cmoveq $2,$1,$9
+	beq $0,$122
+	zapnot $0,15,$2
+	subq $3,$0,$1
+	sll $11,$2,$11
+	sll $9,$2,$3
+	srl $10,$1,$1
+	sll $10,$2,$10
+	bis $3,$1,$9
+$122:
+	srl $11,32,$5
+	zapnot $11,15,$6
+	lda $7,-1
+	.align 5
+$123:
+	srl $9,32,$1
+	subq $1,$5,$1
+	bne $1,$126
+	zapnot $7,15,$27
+	br $31,$127
+	.align 4
+$126:
+	bis $9,$9,$24
+	bis $5,$5,$25
+	divqu $24,$25,$27
+$127:
+	srl $10,32,$4
+	.align 5
+$128:
+	mulq $27,$5,$1
+	subq $9,$1,$3
+	zapnot $3,240,$1
+	bne $1,$129
+	mulq $6,$27,$2
+	sll $3,32,$1
+	addq $1,$4,$1
+	cmpule $2,$1,$2
+	bne $2,$129
+	subq $27,1,$27
+	br $31,$128
+	.align 4
+$129:
+	mulq $27,$6,$1
+	mulq $27,$5,$4
+	srl $1,32,$3
+	sll $1,32,$1
+	addq $4,$3,$4
+	cmpult $10,$1,$2
+	subq $10,$1,$10
+	addq $2,$4,$2
+	cmpult $9,$2,$1
+	bis $2,$2,$4
+	beq $1,$134
+	addq $9,$11,$9
+	subq $27,1,$27
+$134:
+	subl $12,1,$12
+	subq $9,$4,$9
+	beq $12,$124
+	sll $27,32,$13
+	sll $9,32,$2
+	srl $10,32,$1
+	sll $10,32,$10
+	bis $2,$1,$9
+	br $31,$123
+	.align 4
+$124:
+	bis $13,$27,$0
+$136:
+	ldq $26,0($30)
+	ldq $9,8($30)
+	ldq $10,16($30)
+	ldq $11,24($30)
+	ldq $12,32($30)
+	ldq $13,40($30)
+	addq $30,48,$30
+	ret $31,($26),1
+	.end bn_div_words
+
+	.set noat
+	.text
+	.align 3
+	.globl bn_sub_words
+	.ent bn_sub_words
+bn_sub_words:
+bn_sub_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,	4,	$19
+	bis	$31,	$31,	$0
+	blt	$19,	$100
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+$101:
+	ldq	$3,	8($17)
+	cmpult	$1,	$2,	$4
+	ldq	$5,	8($18)
+	subq	$1,	$2,	$1
+	ldq	$6,	16($17)
+	cmpult	$1,	$0,	$2
+	ldq	$7,	16($18)
+	subq	$1,	$0,	$23
+	ldq	$8,	24($17)
+	addq	$2,	$4,	$0
+	cmpult	$3,	$5,	$24
+	subq	$3,	$5,	$3
+	ldq	$22,	24($18)
+	cmpult	$3,	$0,	$5
+	subq	$3,	$0,	$25
+	addq	$5,	$24,	$0
+	cmpult	$6,	$7,	$27
+	subq	$6,	$7,	$6
+	stq	$23,	0($16)
+	cmpult	$6,	$0,	$7
+	subq	$6,	$0,	$28
+	addq	$7,	$27,	$0
+	cmpult	$8,	$22,	$21
+	subq	$8,	$22,	$8
+	stq	$25,	8($16)
+	cmpult	$8,	$0,	$22
+	subq	$8,	$0,	$20
+	addq	$22,	$21,	$0
+	stq	$28,	16($16)
+	subq	$19,	4,	$19
+	stq	$20,	24($16)
+	addq	$17,	32,	$17
+	addq	$18,	32,	$18
+	addq	$16,	32,	$16
+	blt	$19,	$100
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	br	$101
+$102:
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	cmpult	$1,	$2,	$27
+	subq	$1,	$2,	$1
+	cmpult	$1,	$0,	$2
+	subq	$1,	$0,	$1
+	stq	$1,	0($16)
+	addq	$2,	$27,	$0
+	addq	$17,	8,	$17
+	addq	$18,	8,	$18
+	addq	$16,	8,	$16
+	subq	$19,	1,	$19
+	bgt	$19,	$102
+	ret	$31,($26),1
+$100:
+	addq	$19,	4,	$19
+	bgt	$19,	$102
+$103:
+	ret	$31,($26),1
+	.end bn_sub_words
+	.text
+	.align 3
+	.globl bn_mul_comba4
+	.ent bn_mul_comba4
+bn_mul_comba4:
+bn_mul_comba4..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	ldq	$0,	0($17)
+	ldq	$1,	0($18)
+	ldq	$2,	8($17)
+	ldq	$3,	8($18)
+	ldq	$4,	16($17)
+	ldq	$5,	16($18)
+	ldq	$6,	24($17)
+	ldq	$7,	24($18)
+	bis	$31,	$31,	$23
+	mulq	$0,	$1,	$8
+	umulh	$0,	$1,	$22
+	stq	$8,	0($16)
+	bis	$31,	$31,	$8
+	mulq	$0,	$3,	$24
+	umulh	$0,	$3,	$25
+	addq	$22,	$24,	$22
+	cmpult	$22,	$24,	$27
+	addq	$27,	$25,	$25
+	addq	$23,	$25,	$23
+	cmpult	$23,	$25,	$28
+	addq	$8,	$28,	$8
+	mulq	$2,	$1,	$21
+	umulh	$2,	$1,	$20
+	addq	$22,	$21,	$22
+	cmpult	$22,	$21,	$19
+	addq	$19,	$20,	$20
+	addq	$23,	$20,	$23
+	cmpult	$23,	$20,	$17
+	addq	$8,	$17,	$8
+	stq	$22,	8($16)
+	bis	$31,	$31,	$22
+	mulq	$2,	$3,	$18
+	umulh	$2,	$3,	$24
+	addq	$23,	$18,	$23
+	cmpult	$23,	$18,	$27
+	addq	$27,	$24,	$24
+	addq	$8,	$24,	$8
+	cmpult	$8,	$24,	$25
+	addq	$22,	$25,	$22
+	mulq	$0,	$5,	$28
+	umulh	$0,	$5,	$21
+	addq	$23,	$28,	$23
+	cmpult	$23,	$28,	$19
+	addq	$19,	$21,	$21
+	addq	$8,	$21,	$8
+	cmpult	$8,	$21,	$20
+	addq	$22,	$20,	$22
+	mulq	$4,	$1,	$17
+	umulh	$4,	$1,	$18
+	addq	$23,	$17,	$23
+	cmpult	$23,	$17,	$27
+	addq	$27,	$18,	$18
+	addq	$8,	$18,	$8
+	cmpult	$8,	$18,	$24
+	addq	$22,	$24,	$22
+	stq	$23,	16($16)
+	bis	$31,	$31,	$23
+	mulq	$0,	$7,	$25
+	umulh	$0,	$7,	$28
+	addq	$8,	$25,	$8
+	cmpult	$8,	$25,	$19
+	addq	$19,	$28,	$28
+	addq	$22,	$28,	$22
+	cmpult	$22,	$28,	$21
+	addq	$23,	$21,	$23
+	mulq	$2,	$5,	$20
+	umulh	$2,	$5,	$17
+	addq	$8,	$20,	$8
+	cmpult	$8,	$20,	$27
+	addq	$27,	$17,	$17
+	addq	$22,	$17,	$22
+	cmpult	$22,	$17,	$18
+	addq	$23,	$18,	$23
+	mulq	$4,	$3,	$24
+	umulh	$4,	$3,	$25
+	addq	$8,	$24,	$8
+	cmpult	$8,	$24,	$19
+	addq	$19,	$25,	$25
+	addq	$22,	$25,	$22
+	cmpult	$22,	$25,	$28
+	addq	$23,	$28,	$23
+	mulq	$6,	$1,	$21
+	umulh	$6,	$1,	$0
+	addq	$8,	$21,	$8
+	cmpult	$8,	$21,	$20
+	addq	$20,	$0,	$0
+	addq	$22,	$0,	$22
+	cmpult	$22,	$0,	$27
+	addq	$23,	$27,	$23
+	stq	$8,	24($16)
+	bis	$31,	$31,	$8
+	mulq	$2,	$7,	$17
+	umulh	$2,	$7,	$18
+	addq	$22,	$17,	$22
+	cmpult	$22,	$17,	$24
+	addq	$24,	$18,	$18
+	addq	$23,	$18,	$23
+	cmpult	$23,	$18,	$19
+	addq	$8,	$19,	$8
+	mulq	$4,	$5,	$25
+	umulh	$4,	$5,	$28
+	addq	$22,	$25,	$22
+	cmpult	$22,	$25,	$21
+	addq	$21,	$28,	$28
+	addq	$23,	$28,	$23
+	cmpult	$23,	$28,	$20
+	addq	$8,	$20,	$8
+	mulq	$6,	$3,	$0
+	umulh	$6,	$3,	$27
+	addq	$22,	$0,	$22
+	cmpult	$22,	$0,	$1
+	addq	$1,	$27,	$27
+	addq	$23,	$27,	$23
+	cmpult	$23,	$27,	$17
+	addq	$8,	$17,	$8
+	stq	$22,	32($16)
+	bis	$31,	$31,	$22
+	mulq	$4,	$7,	$24
+	umulh	$4,	$7,	$18
+	addq	$23,	$24,	$23
+	cmpult	$23,	$24,	$19
+	addq	$19,	$18,	$18
+	addq	$8,	$18,	$8
+	cmpult	$8,	$18,	$2
+	addq	$22,	$2,	$22
+	mulq	$6,	$5,	$25
+	umulh	$6,	$5,	$21
+	addq	$23,	$25,	$23
+	cmpult	$23,	$25,	$28
+	addq	$28,	$21,	$21
+	addq	$8,	$21,	$8
+	cmpult	$8,	$21,	$20
+	addq	$22,	$20,	$22
+	stq	$23,	40($16)
+	bis	$31,	$31,	$23
+	mulq	$6,	$7,	$0
+	umulh	$6,	$7,	$1
+	addq	$8,	$0,	$8
+	cmpult	$8,	$0,	$27
+	addq	$27,	$1,	$1
+	addq	$22,	$1,	$22
+	cmpult	$22,	$1,	$17
+	addq	$23,	$17,	$23
+	stq	$8,	48($16)
+	stq	$22,	56($16)
+	ret	$31,($26),1
+	.end bn_mul_comba4
+	.text
+	.align 3
+	.globl bn_mul_comba8
+	.ent bn_mul_comba8
+bn_mul_comba8:
+bn_mul_comba8..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	zapnot	$1,	15,	$7
+	srl	$2,	32,	$8
+	mulq	$8,	$7,	$22
+	srl	$1,	32,	$6
+	zapnot	$2,	15,	$5
+	mulq	$5,	$6,	$4
+	mulq	$7,	$5,	$24
+	addq	$22,	$4,	$22
+	cmpult	$22,	$4,	$1
+	mulq	$6,	$8,	$3
+	beq	$1,	$173
+	bis	$31,	1,	$1
+	sll	$1,	32,	$1
+	addq	$3,	$1,	$3
+$173:
+	sll	$22,	32,	$4
+	addq	$24,	$4,	$24
+	stq	$24,	0($16)
+	ldq	$2,	0($17)
+	ldq	$1,	8($18)
+	zapnot	$2,	15,	$7
+	srl	$1,	32,	$8
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$2,	32,	$6
+	mulq	$5,	$6,	$23
+	mulq	$6,	$8,	$6
+	srl	$22,	32,	$1
+	cmpult	$24,	$4,	$2
+	addq	$3,	$1,	$3
+	addq	$2,	$3,	$22
+	addq	$25,	$23,	$25
+	cmpult	$25,	$23,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$177
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$177:
+	sll	$25,	32,	$23
+	ldq	$1,	0($18)
+	addq	$0,	$23,	$0
+	bis	$0,	$0,	$7
+	ldq	$3,	8($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$4
+	zapnot	$3,	15,	$7
+	mulq	$8,	$7,	$28
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$25,	32,	$1
+	cmpult	$0,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$4,	$6,	$24
+	srl	$3,	32,	$6
+	mulq	$5,	$6,	$2
+	mulq	$6,	$8,	$6
+	addq	$28,	$2,	$28
+	cmpult	$28,	$2,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$181
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$181:
+	sll	$28,	32,	$2
+	addq	$21,	$2,	$21
+	bis	$21,	$21,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	8($16)
+	ldq	$3,	16($17)
+	ldq	$1,	0($18)
+	cmpult	$22,	$7,	$4
+	zapnot	$3,	15,	$7
+	srl	$1,	32,	$8
+	mulq	$8,	$7,	$22
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$20
+	srl	$28,	32,	$1
+	cmpult	$21,	$2,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$4,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$3,	32,	$6
+	mulq	$5,	$6,	$2
+	mulq	$6,	$8,	$6
+	addq	$22,	$2,	$22
+	cmpult	$22,	$2,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$185
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$185:
+	sll	$22,	32,	$2
+	ldq	$1,	8($18)
+	addq	$20,	$2,	$20
+	bis	$20,	$20,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$22,	32,	$1
+	cmpult	$20,	$2,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$189
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$189:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	0($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$193
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$193:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	16($16)
+	ldq	$4,	0($17)
+	ldq	$5,	24($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$197
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$197:
+	sll	$0,	32,	$24
+	ldq	$1,	16($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$201
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$201:
+	sll	$25,	32,	$5
+	ldq	$2,	8($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$205
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$205:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$209
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$209:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	24($16)
+	ldq	$4,	32($17)
+	ldq	$5,	0($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$213
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$213:
+	sll	$28,	32,	$23
+	ldq	$1,	8($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$217
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$217:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	16($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$221
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$221:
+	sll	$28,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$225
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$225:
+	sll	$0,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	0($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$229
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$229:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	32($16)
+	ldq	$4,	0($17)
+	ldq	$5,	40($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$22,	$0
+	cmpult	$0,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$233
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$233:
+	sll	$0,	32,	$22
+	ldq	$1,	32($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$237
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$237:
+	sll	$25,	32,	$5
+	ldq	$2,	24($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$241
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$241:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$245
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$245:
+	sll	$0,	32,	$25
+	ldq	$2,	8($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$249
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$249:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$253
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$253:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	40($16)
+	ldq	$4,	48($17)
+	ldq	$5,	0($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$24,	$28
+	cmpult	$28,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$257
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$257:
+	sll	$28,	32,	$24
+	ldq	$1,	8($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$261
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$261:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	32($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$265
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$265:
+	sll	$28,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$269
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$269:
+	sll	$0,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	16($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$273
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$273:
+	sll	$28,	32,	$25
+	ldq	$2,	40($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$277
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$277:
+	sll	$0,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	0($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$281
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$281:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	48($16)
+	ldq	$4,	0($17)
+	ldq	$5,	56($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$23,	$0
+	cmpult	$0,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$285
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$285:
+	sll	$0,	32,	$23
+	ldq	$1,	48($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$289
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$289:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$293
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$293:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$297
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$297:
+	sll	$0,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$301
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$301:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$305
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$305:
+	sll	$0,	32,	$25
+	ldq	$2,	8($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$309
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$309:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$313
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$313:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	56($16)
+	ldq	$4,	56($17)
+	ldq	$5,	8($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$22,	$28
+	cmpult	$28,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$317
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$317:
+	sll	$28,	32,	$22
+	ldq	$1,	16($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	48($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$321
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$321:
+	sll	$25,	32,	$5
+	ldq	$2,	24($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$325
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$325:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$329
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$329:
+	sll	$0,	32,	$25
+	ldq	$2,	40($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$333
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$333:
+	sll	$28,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	16($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$337
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$337:
+	sll	$0,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$341
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$341:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	64($16)
+	ldq	$4,	16($17)
+	ldq	$5,	56($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$345
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$345:
+	sll	$0,	32,	$24
+	ldq	$1,	48($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$349
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$349:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	32($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$353
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$353:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$357
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$357:
+	sll	$0,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$361
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$361:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$365
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$365:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	72($16)
+	ldq	$4,	56($17)
+	ldq	$5,	24($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$369
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$369:
+	sll	$28,	32,	$23
+	ldq	$1,	32($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	48($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$373
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$373:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	40($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$377
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$377:
+	sll	$28,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$381
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$381:
+	sll	$0,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$385
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$385:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	80($16)
+	ldq	$4,	32($17)
+	ldq	$5,	56($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$22,	$0
+	cmpult	$0,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$389
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$389:
+	sll	$0,	32,	$22
+	ldq	$1,	48($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$393
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$393:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	48($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$397
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$397:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$21
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$21,	$25,	$21
+	cmpult	$21,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$401
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$401:
+	sll	$21,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	88($16)
+	ldq	$4,	56($17)
+	ldq	$5,	40($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$21,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$405
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$405:
+	sll	$0,	32,	$24
+	ldq	$2,	48($18)
+	addq	$5,	$24,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$24,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$409
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$409:
+	sll	$28,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$413
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$413:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	96($16)
+	ldq	$4,	48($17)
+	ldq	$5,	56($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$417
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$417:
+	sll	$28,	32,	$23
+	ldq	$2,	48($18)
+	addq	$5,	$23,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$23,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$421
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$421:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	104($16)
+	ldq	$4,	56($17)
+	ldq	$5,	56($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$22,	$28
+	cmpult	$28,	$22,	$1
+	mulq	$6,	$8,	$3
+	beq	$1,	$425
+	sll	$20,	32,	$1
+	addq	$3,	$1,	$3
+$425:
+	sll	$28,	32,	$22
+	srl	$28,	32,	$1
+	addq	$2,	$22,	$2
+	addq	$3,	$1,	$3
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	cmpult	$7,	$22,	$1
+	cmpult	$24,	$7,	$2
+	addq	$1,	$3,	$6
+	addq	$2,	$6,	$6
+	stq	$24,	112($16)
+	addq	$23,	$6,	$23
+	stq	$23,	120($16)
+	ret	$31,	($26),	1
+	.end bn_mul_comba8
+	.text
+	.align 3
+	.globl bn_sqr_comba4
+	.ent bn_sqr_comba4
+bn_sqr_comba4:
+bn_sqr_comba4..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	ldq	$0,	0($17)
+	ldq	$1,	8($17)
+	ldq	$2,	16($17)
+	ldq	$3,	24($17)
+	bis	$31,	$31,	$6
+	mulq	$0,	$0,	$4
+	umulh	$0,	$0,	$5
+	stq	$4,	0($16)
+	bis	$31,	$31,	$4
+	mulq	$0,	$1,	$7
+	umulh	$0,	$1,	$8
+	cmplt	$7,	$31,	$22
+	cmplt	$8,	$31,	$23
+	addq	$7,	$7,	$7
+	addq	$8,	$8,	$8
+	addq	$8,	$22,	$8
+	addq	$4,	$23,	$4
+	addq	$5,	$7,	$5
+	addq	$6,	$8,	$6
+	cmpult	$5,	$7,	$24
+	cmpult	$6,	$8,	$25
+	addq	$6,	$24,	$6
+	addq	$4,	$25,	$4
+	stq	$5,	8($16)
+	bis	$31,	$31,	$5
+	mulq	$1,	$1,	$27
+	umulh	$1,	$1,	$28
+	addq	$6,	$27,	$6
+	addq	$4,	$28,	$4
+	cmpult	$6,	$27,	$21
+	cmpult	$4,	$28,	$20
+	addq	$4,	$21,	$4
+	addq	$5,	$20,	$5
+	mulq	$2,	$0,	$19
+	umulh	$2,	$0,	$18
+	cmplt	$19,	$31,	$17
+	cmplt	$18,	$31,	$22
+	addq	$19,	$19,	$19
+	addq	$18,	$18,	$18
+	addq	$18,	$17,	$18
+	addq	$5,	$22,	$5
+	addq	$6,	$19,	$6
+	addq	$4,	$18,	$4
+	cmpult	$6,	$19,	$23
+	cmpult	$4,	$18,	$7
+	addq	$4,	$23,	$4
+	addq	$5,	$7,	$5
+	stq	$6,	16($16)
+	bis	$31,	$31,	$6
+	mulq	$3,	$0,	$8
+	umulh	$3,	$0,	$24
+	cmplt	$8,	$31,	$25
+	cmplt	$24,	$31,	$27
+	addq	$8,	$8,	$8
+	addq	$24,	$24,	$24
+	addq	$24,	$25,	$24
+	addq	$6,	$27,	$6
+	addq	$4,	$8,	$4
+	addq	$5,	$24,	$5
+	cmpult	$4,	$8,	$28
+	cmpult	$5,	$24,	$21
+	addq	$5,	$28,	$5
+	addq	$6,	$21,	$6
+	mulq	$2,	$1,	$20
+	umulh	$2,	$1,	$17
+	cmplt	$20,	$31,	$22
+	cmplt	$17,	$31,	$19
+	addq	$20,	$20,	$20
+	addq	$17,	$17,	$17
+	addq	$17,	$22,	$17
+	addq	$6,	$19,	$6
+	addq	$4,	$20,	$4
+	addq	$5,	$17,	$5
+	cmpult	$4,	$20,	$18
+	cmpult	$5,	$17,	$23
+	addq	$5,	$18,	$5
+	addq	$6,	$23,	$6
+	stq	$4,	24($16)
+	bis	$31,	$31,	$4
+	mulq	$2,	$2,	$7
+	umulh	$2,	$2,	$25
+	addq	$5,	$7,	$5
+	addq	$6,	$25,	$6
+	cmpult	$5,	$7,	$27
+	cmpult	$6,	$25,	$8
+	addq	$6,	$27,	$6
+	addq	$4,	$8,	$4
+	mulq	$3,	$1,	$24
+	umulh	$3,	$1,	$28
+	cmplt	$24,	$31,	$21
+	cmplt	$28,	$31,	$22
+	addq	$24,	$24,	$24
+	addq	$28,	$28,	$28
+	addq	$28,	$21,	$28
+	addq	$4,	$22,	$4
+	addq	$5,	$24,	$5
+	addq	$6,	$28,	$6
+	cmpult	$5,	$24,	$19
+	cmpult	$6,	$28,	$20
+	addq	$6,	$19,	$6
+	addq	$4,	$20,	$4
+	stq	$5,	32($16)
+	bis	$31,	$31,	$5
+	mulq	$3,	$2,	$17
+	umulh	$3,	$2,	$18
+	cmplt	$17,	$31,	$23
+	cmplt	$18,	$31,	$7
+	addq	$17,	$17,	$17
+	addq	$18,	$18,	$18
+	addq	$18,	$23,	$18
+	addq	$5,	$7,	$5
+	addq	$6,	$17,	$6
+	addq	$4,	$18,	$4
+	cmpult	$6,	$17,	$25
+	cmpult	$4,	$18,	$27
+	addq	$4,	$25,	$4
+	addq	$5,	$27,	$5
+	stq	$6,	40($16)
+	bis	$31,	$31,	$6
+	mulq	$3,	$3,	$8
+	umulh	$3,	$3,	$21
+	addq	$4,	$8,	$4
+	addq	$5,	$21,	$5
+	cmpult	$4,	$8,	$22
+	cmpult	$5,	$21,	$24
+	addq	$5,	$22,	$5
+	addq	$6,	$24,	$6
+	stq	$4,	48($16)
+	stq	$5,	56($16)
+	ret	$31,($26),1
+	.end bn_sqr_comba4
+	.text
+	.align 3
+	.globl bn_sqr_comba8
+	.ent bn_sqr_comba8
+bn_sqr_comba8:
+bn_sqr_comba8..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	ldq	$0,	0($17)
+	ldq	$1,	8($17)
+	ldq	$2,	16($17)
+	ldq	$3,	24($17)
+	ldq	$4,	32($17)
+	ldq	$5,	40($17)
+	ldq	$6,	48($17)
+	ldq	$7,	56($17)
+	bis	$31,	$31,	$23
+	mulq	$0,	$0,	$8
+	umulh	$0,	$0,	$22
+	stq	$8,	0($16)
+	bis	$31,	$31,	$8
+	mulq	$1,	$0,	$24
+	umulh	$1,	$0,	$25
+	cmplt	$24,	$31,	$27
+	cmplt	$25,	$31,	$28
+	addq	$24,	$24,	$24
+	addq	$25,	$25,	$25
+	addq	$25,	$27,	$25
+	addq	$8,	$28,	$8
+	addq	$22,	$24,	$22
+	addq	$23,	$25,	$23
+	cmpult	$22,	$24,	$21
+	cmpult	$23,	$25,	$20
+	addq	$23,	$21,	$23
+	addq	$8,	$20,	$8
+	stq	$22,	8($16)
+	bis	$31,	$31,	$22
+	mulq	$1,	$1,	$19
+	umulh	$1,	$1,	$18
+	addq	$23,	$19,	$23
+	addq	$8,	$18,	$8
+	cmpult	$23,	$19,	$17
+	cmpult	$8,	$18,	$27
+	addq	$8,	$17,	$8
+	addq	$22,	$27,	$22
+	mulq	$2,	$0,	$28
+	umulh	$2,	$0,	$24
+	cmplt	$28,	$31,	$25
+	cmplt	$24,	$31,	$21
+	addq	$28,	$28,	$28
+	addq	$24,	$24,	$24
+	addq	$24,	$25,	$24
+	addq	$22,	$21,	$22
+	addq	$23,	$28,	$23
+	addq	$8,	$24,	$8
+	cmpult	$23,	$28,	$20
+	cmpult	$8,	$24,	$19
+	addq	$8,	$20,	$8
+	addq	$22,	$19,	$22
+	stq	$23,	16($16)
+	bis	$31,	$31,	$23
+	mulq	$2,	$1,	$18
+	umulh	$2,	$1,	$17
+	cmplt	$18,	$31,	$27
+	cmplt	$17,	$31,	$25
+	addq	$18,	$18,	$18
+	addq	$17,	$17,	$17
+	addq	$17,	$27,	$17
+	addq	$23,	$25,	$23
+	addq	$8,	$18,	$8
+	addq	$22,	$17,	$22
+	cmpult	$8,	$18,	$21
+	cmpult	$22,	$17,	$28
+	addq	$22,	$21,	$22
+	addq	$23,	$28,	$23
+	mulq	$3,	$0,	$24
+	umulh	$3,	$0,	$20
+	cmplt	$24,	$31,	$19
+	cmplt	$20,	$31,	$27
+	addq	$24,	$24,	$24
+	addq	$20,	$20,	$20
+	addq	$20,	$19,	$20
+	addq	$23,	$27,	$23
+	addq	$8,	$24,	$8
+	addq	$22,	$20,	$22
+	cmpult	$8,	$24,	$25
+	cmpult	$22,	$20,	$18
+	addq	$22,	$25,	$22
+	addq	$23,	$18,	$23
+	stq	$8,	24($16)
+	bis	$31,	$31,	$8
+	mulq	$2,	$2,	$17
+	umulh	$2,	$2,	$21
+	addq	$22,	$17,	$22
+	addq	$23,	$21,	$23
+	cmpult	$22,	$17,	$28
+	cmpult	$23,	$21,	$19
+	addq	$23,	$28,	$23
+	addq	$8,	$19,	$8
+	mulq	$3,	$1,	$27
+	umulh	$3,	$1,	$24
+	cmplt	$27,	$31,	$20
+	cmplt	$24,	$31,	$25
+	addq	$27,	$27,	$27
+	addq	$24,	$24,	$24
+	addq	$24,	$20,	$24
+	addq	$8,	$25,	$8
+	addq	$22,	$27,	$22
+	addq	$23,	$24,	$23
+	cmpult	$22,	$27,	$18
+	cmpult	$23,	$24,	$17
+	addq	$23,	$18,	$23
+	addq	$8,	$17,	$8
+	mulq	$4,	$0,	$21
+	umulh	$4,	$0,	$28
+	cmplt	$21,	$31,	$19
+	cmplt	$28,	$31,	$20
+	addq	$21,	$21,	$21
+	addq	$28,	$28,	$28
+	addq	$28,	$19,	$28
+	addq	$8,	$20,	$8
+	addq	$22,	$21,	$22
+	addq	$23,	$28,	$23
+	cmpult	$22,	$21,	$25
+	cmpult	$23,	$28,	$27
+	addq	$23,	$25,	$23
+	addq	$8,	$27,	$8
+	stq	$22,	32($16)
+	bis	$31,	$31,	$22
+	mulq	$3,	$2,	$24
+	umulh	$3,	$2,	$18
+	cmplt	$24,	$31,	$17
+	cmplt	$18,	$31,	$19
+	addq	$24,	$24,	$24
+	addq	$18,	$18,	$18
+	addq	$18,	$17,	$18
+	addq	$22,	$19,	$22
+	addq	$23,	$24,	$23
+	addq	$8,	$18,	$8
+	cmpult	$23,	$24,	$20
+	cmpult	$8,	$18,	$21
+	addq	$8,	$20,	$8
+	addq	$22,	$21,	$22
+	mulq	$4,	$1,	$28
+	umulh	$4,	$1,	$25
+	cmplt	$28,	$31,	$27
+	cmplt	$25,	$31,	$17
+	addq	$28,	$28,	$28
+	addq	$25,	$25,	$25
+	addq	$25,	$27,	$25
+	addq	$22,	$17,	$22
+	addq	$23,	$28,	$23
+	addq	$8,	$25,	$8
+	cmpult	$23,	$28,	$19
+	cmpult	$8,	$25,	$24
+	addq	$8,	$19,	$8
+	addq	$22,	$24,	$22
+	mulq	$5,	$0,	$18
+	umulh	$5,	$0,	$20
+	cmplt	$18,	$31,	$21
+	cmplt	$20,	$31,	$27
+	addq	$18,	$18,	$18
+	addq	$20,	$20,	$20
+	addq	$20,	$21,	$20
+	addq	$22,	$27,	$22
+	addq	$23,	$18,	$23
+	addq	$8,	$20,	$8
+	cmpult	$23,	$18,	$17
+	cmpult	$8,	$20,	$28
+	addq	$8,	$17,	$8
+	addq	$22,	$28,	$22
+	stq	$23,	40($16)
+	bis	$31,	$31,	$23
+	mulq	$3,	$3,	$25
+	umulh	$3,	$3,	$19
+	addq	$8,	$25,	$8
+	addq	$22,	$19,	$22
+	cmpult	$8,	$25,	$24
+	cmpult	$22,	$19,	$21
+	addq	$22,	$24,	$22
+	addq	$23,	$21,	$23
+	mulq	$4,	$2,	$27
+	umulh	$4,	$2,	$18
+	cmplt	$27,	$31,	$20
+	cmplt	$18,	$31,	$17
+	addq	$27,	$27,	$27
+	addq	$18,	$18,	$18
+	addq	$18,	$20,	$18
+	addq	$23,	$17,	$23
+	addq	$8,	$27,	$8
+	addq	$22,	$18,	$22
+	cmpult	$8,	$27,	$28
+	cmpult	$22,	$18,	$25
+	addq	$22,	$28,	$22
+	addq	$23,	$25,	$23
+	mulq	$5,	$1,	$19
+	umulh	$5,	$1,	$24
+	cmplt	$19,	$31,	$21
+	cmplt	$24,	$31,	$20
+	addq	$19,	$19,	$19
+	addq	$24,	$24,	$24
+	addq	$24,	$21,	$24
+	addq	$23,	$20,	$23
+	addq	$8,	$19,	$8
+	addq	$22,	$24,	$22
+	cmpult	$8,	$19,	$17
+	cmpult	$22,	$24,	$27
+	addq	$22,	$17,	$22
+	addq	$23,	$27,	$23
+	mulq	$6,	$0,	$18
+	umulh	$6,	$0,	$28
+	cmplt	$18,	$31,	$25
+	cmplt	$28,	$31,	$21
+	addq	$18,	$18,	$18
+	addq	$28,	$28,	$28
+	addq	$28,	$25,	$28
+	addq	$23,	$21,	$23
+	addq	$8,	$18,	$8
+	addq	$22,	$28,	$22
+	cmpult	$8,	$18,	$20
+	cmpult	$22,	$28,	$19
+	addq	$22,	$20,	$22
+	addq	$23,	$19,	$23
+	stq	$8,	48($16)
+	bis	$31,	$31,	$8
+	mulq	$4,	$3,	$24
+	umulh	$4,	$3,	$17
+	cmplt	$24,	$31,	$27
+	cmplt	$17,	$31,	$25
+	addq	$24,	$24,	$24
+	addq	$17,	$17,	$17
+	addq	$17,	$27,	$17
+	addq	$8,	$25,	$8
+	addq	$22,	$24,	$22
+	addq	$23,	$17,	$23
+	cmpult	$22,	$24,	$21
+	cmpult	$23,	$17,	$18
+	addq	$23,	$21,	$23
+	addq	$8,	$18,	$8
+	mulq	$5,	$2,	$28
+	umulh	$5,	$2,	$20
+	cmplt	$28,	$31,	$19
+	cmplt	$20,	$31,	$27
+	addq	$28,	$28,	$28
+	addq	$20,	$20,	$20
+	addq	$20,	$19,	$20
+	addq	$8,	$27,	$8
+	addq	$22,	$28,	$22
+	addq	$23,	$20,	$23
+	cmpult	$22,	$28,	$25
+	cmpult	$23,	$20,	$24
+	addq	$23,	$25,	$23
+	addq	$8,	$24,	$8
+	mulq	$6,	$1,	$17
+	umulh	$6,	$1,	$21
+	cmplt	$17,	$31,	$18
+	cmplt	$21,	$31,	$19
+	addq	$17,	$17,	$17
+	addq	$21,	$21,	$21
+	addq	$21,	$18,	$21
+	addq	$8,	$19,	$8
+	addq	$22,	$17,	$22
+	addq	$23,	$21,	$23
+	cmpult	$22,	$17,	$27
+	cmpult	$23,	$21,	$28
+	addq	$23,	$27,	$23
+	addq	$8,	$28,	$8
+	mulq	$7,	$0,	$20
+	umulh	$7,	$0,	$25
+	cmplt	$20,	$31,	$24
+	cmplt	$25,	$31,	$18
+	addq	$20,	$20,	$20
+	addq	$25,	$25,	$25
+	addq	$25,	$24,	$25
+	addq	$8,	$18,	$8
+	addq	$22,	$20,	$22
+	addq	$23,	$25,	$23
+	cmpult	$22,	$20,	$19
+	cmpult	$23,	$25,	$17
+	addq	$23,	$19,	$23
+	addq	$8,	$17,	$8
+	stq	$22,	56($16)
+	bis	$31,	$31,	$22
+	mulq	$4,	$4,	$21
+	umulh	$4,	$4,	$27
+	addq	$23,	$21,	$23
+	addq	$8,	$27,	$8
+	cmpult	$23,	$21,	$28
+	cmpult	$8,	$27,	$24
+	addq	$8,	$28,	$8
+	addq	$22,	$24,	$22
+	mulq	$5,	$3,	$18
+	umulh	$5,	$3,	$20
+	cmplt	$18,	$31,	$25
+	cmplt	$20,	$31,	$19
+	addq	$18,	$18,	$18
+	addq	$20,	$20,	$20
+	addq	$20,	$25,	$20
+	addq	$22,	$19,	$22
+	addq	$23,	$18,	$23
+	addq	$8,	$20,	$8
+	cmpult	$23,	$18,	$17
+	cmpult	$8,	$20,	$21
+	addq	$8,	$17,	$8
+	addq	$22,	$21,	$22
+	mulq	$6,	$2,	$27
+	umulh	$6,	$2,	$28
+	cmplt	$27,	$31,	$24
+	cmplt	$28,	$31,	$25
+	addq	$27,	$27,	$27
+	addq	$28,	$28,	$28
+	addq	$28,	$24,	$28
+	addq	$22,	$25,	$22
+	addq	$23,	$27,	$23
+	addq	$8,	$28,	$8
+	cmpult	$23,	$27,	$19
+	cmpult	$8,	$28,	$18
+	addq	$8,	$19,	$8
+	addq	$22,	$18,	$22
+	mulq	$7,	$1,	$20
+	umulh	$7,	$1,	$17
+	cmplt	$20,	$31,	$21
+	cmplt	$17,	$31,	$24
+	addq	$20,	$20,	$20
+	addq	$17,	$17,	$17
+	addq	$17,	$21,	$17
+	addq	$22,	$24,	$22
+	addq	$23,	$20,	$23
+	addq	$8,	$17,	$8
+	cmpult	$23,	$20,	$25
+	cmpult	$8,	$17,	$27
+	addq	$8,	$25,	$8
+	addq	$22,	$27,	$22
+	stq	$23,	64($16)
+	bis	$31,	$31,	$23
+	mulq	$5,	$4,	$28
+	umulh	$5,	$4,	$19
+	cmplt	$28,	$31,	$18
+	cmplt	$19,	$31,	$21
+	addq	$28,	$28,	$28
+	addq	$19,	$19,	$19
+	addq	$19,	$18,	$19
+	addq	$23,	$21,	$23
+	addq	$8,	$28,	$8
+	addq	$22,	$19,	$22
+	cmpult	$8,	$28,	$24
+	cmpult	$22,	$19,	$20
+	addq	$22,	$24,	$22
+	addq	$23,	$20,	$23
+	mulq	$6,	$3,	$17
+	umulh	$6,	$3,	$25
+	cmplt	$17,	$31,	$27
+	cmplt	$25,	$31,	$18
+	addq	$17,	$17,	$17
+	addq	$25,	$25,	$25
+	addq	$25,	$27,	$25
+	addq	$23,	$18,	$23
+	addq	$8,	$17,	$8
+	addq	$22,	$25,	$22
+	cmpult	$8,	$17,	$21
+	cmpult	$22,	$25,	$28
+	addq	$22,	$21,	$22
+	addq	$23,	$28,	$23
+	mulq	$7,	$2,	$19
+	umulh	$7,	$2,	$24
+	cmplt	$19,	$31,	$20
+	cmplt	$24,	$31,	$27
+	addq	$19,	$19,	$19
+	addq	$24,	$24,	$24
+	addq	$24,	$20,	$24
+	addq	$23,	$27,	$23
+	addq	$8,	$19,	$8
+	addq	$22,	$24,	$22
+	cmpult	$8,	$19,	$18
+	cmpult	$22,	$24,	$17
+	addq	$22,	$18,	$22
+	addq	$23,	$17,	$23
+	stq	$8,	72($16)
+	bis	$31,	$31,	$8
+	mulq	$5,	$5,	$25
+	umulh	$5,	$5,	$21
+	addq	$22,	$25,	$22
+	addq	$23,	$21,	$23
+	cmpult	$22,	$25,	$28
+	cmpult	$23,	$21,	$20
+	addq	$23,	$28,	$23
+	addq	$8,	$20,	$8
+	mulq	$6,	$4,	$27
+	umulh	$6,	$4,	$19
+	cmplt	$27,	$31,	$24
+	cmplt	$19,	$31,	$18
+	addq	$27,	$27,	$27
+	addq	$19,	$19,	$19
+	addq	$19,	$24,	$19
+	addq	$8,	$18,	$8
+	addq	$22,	$27,	$22
+	addq	$23,	$19,	$23
+	cmpult	$22,	$27,	$17
+	cmpult	$23,	$19,	$25
+	addq	$23,	$17,	$23
+	addq	$8,	$25,	$8
+	mulq	$7,	$3,	$21
+	umulh	$7,	$3,	$28
+	cmplt	$21,	$31,	$20
+	cmplt	$28,	$31,	$24
+	addq	$21,	$21,	$21
+	addq	$28,	$28,	$28
+	addq	$28,	$20,	$28
+	addq	$8,	$24,	$8
+	addq	$22,	$21,	$22
+	addq	$23,	$28,	$23
+	cmpult	$22,	$21,	$18
+	cmpult	$23,	$28,	$27
+	addq	$23,	$18,	$23
+	addq	$8,	$27,	$8
+	stq	$22,	80($16)
+	bis	$31,	$31,	$22
+	mulq	$6,	$5,	$19
+	umulh	$6,	$5,	$17
+	cmplt	$19,	$31,	$25
+	cmplt	$17,	$31,	$20
+	addq	$19,	$19,	$19
+	addq	$17,	$17,	$17
+	addq	$17,	$25,	$17
+	addq	$22,	$20,	$22
+	addq	$23,	$19,	$23
+	addq	$8,	$17,	$8
+	cmpult	$23,	$19,	$24
+	cmpult	$8,	$17,	$21
+	addq	$8,	$24,	$8
+	addq	$22,	$21,	$22
+	mulq	$7,	$4,	$28
+	umulh	$7,	$4,	$18
+	cmplt	$28,	$31,	$27
+	cmplt	$18,	$31,	$25
+	addq	$28,	$28,	$28
+	addq	$18,	$18,	$18
+	addq	$18,	$27,	$18
+	addq	$22,	$25,	$22
+	addq	$23,	$28,	$23
+	addq	$8,	$18,	$8
+	cmpult	$23,	$28,	$20
+	cmpult	$8,	$18,	$19
+	addq	$8,	$20,	$8
+	addq	$22,	$19,	$22
+	stq	$23,	88($16)
+	bis	$31,	$31,	$23
+	mulq	$6,	$6,	$17
+	umulh	$6,	$6,	$24
+	addq	$8,	$17,	$8
+	addq	$22,	$24,	$22
+	cmpult	$8,	$17,	$21
+	cmpult	$22,	$24,	$27
+	addq	$22,	$21,	$22
+	addq	$23,	$27,	$23
+	mulq	$7,	$5,	$25
+	umulh	$7,	$5,	$28
+	cmplt	$25,	$31,	$18
+	cmplt	$28,	$31,	$20
+	addq	$25,	$25,	$25
+	addq	$28,	$28,	$28
+	addq	$28,	$18,	$28
+	addq	$23,	$20,	$23
+	addq	$8,	$25,	$8
+	addq	$22,	$28,	$22
+	cmpult	$8,	$25,	$19
+	cmpult	$22,	$28,	$17
+	addq	$22,	$19,	$22
+	addq	$23,	$17,	$23
+	stq	$8,	96($16)
+	bis	$31,	$31,	$8
+	mulq	$7,	$6,	$24
+	umulh	$7,	$6,	$21
+	cmplt	$24,	$31,	$27
+	cmplt	$21,	$31,	$18
+	addq	$24,	$24,	$24
+	addq	$21,	$21,	$21
+	addq	$21,	$27,	$21
+	addq	$8,	$18,	$8
+	addq	$22,	$24,	$22
+	addq	$23,	$21,	$23
+	cmpult	$22,	$24,	$20
+	cmpult	$23,	$21,	$25
+	addq	$23,	$20,	$23
+	addq	$8,	$25,	$8
+	stq	$22,	104($16)
+	bis	$31,	$31,	$22
+	mulq	$7,	$7,	$28
+	umulh	$7,	$7,	$19
+	addq	$23,	$28,	$23
+	addq	$8,	$19,	$8
+	cmpult	$23,	$28,	$17
+	cmpult	$8,	$19,	$27
+	addq	$8,	$17,	$8
+	addq	$22,	$27,	$22
+	stq	$23,	112($16)
+	stq	$8,	120($16)
+	ret	$31,($26),1
+	.end bn_sqr_comba8
diff --git a/crypto/openssl/crypto/bn/asm/alpha.s.works b/crypto/openssl/crypto/bn/asm/alpha.s.works
new file mode 100644
index 0000000..ee6c587
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.s.works
@@ -0,0 +1,533 @@
+
+ # DEC Alpha assember
+ # The bn_div64 is actually gcc output but the other parts are hand done.
+ # Thanks to tzeruch@ceddec.com for sending me the gcc output for
+ # bn_div64.
+ # I've gone back and re-done most of routines.
+ # The key thing to remeber for the 164 CPU is that while a
+ # multiply operation takes 8 cycles, another one can only be issued
+ # after 4 cycles have elapsed.  I've done modification to help
+ # improve this.  Also, normally, a ld instruction will not be available
+ # for about 3 cycles.
+	.file	1 "bn_asm.c"
+	.set noat
+gcc2_compiled.:
+__gnu_compiled_c:
+	.text
+	.align 3
+	.globl bn_mul_add_words
+	.ent bn_mul_add_words
+bn_mul_add_words:
+bn_mul_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$0
+	blt	$18,$43		# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	ldq	$1,0($16)	# 1 1
+	.align 3
+$42:
+	mulq	$20,$19,$5	# 1 2 1	######
+	ldq	$21,8($17)	# 2 1
+	ldq	$2,8($16)	# 2 1
+	umulh	$20,$19,$20	# 1 2	######
+	ldq	$27,16($17)	# 3 1
+	ldq	$3,16($16)	# 3 1
+	mulq	$21,$19,$6	# 2 2 1	######
+	 ldq	$28,24($17)	# 4 1
+	addq	$1,$5,$1	# 1 2 2
+	 ldq	$4,24($16)	# 4 1
+	umulh	$21,$19,$21	# 2 2	######
+	 cmpult	$1,$5,$22	# 1 2 3 1
+	addq	$20,$22,$20	# 1 3 1
+	 addq	$1,$0,$1	# 1 2 3 1
+	mulq	$27,$19,$7	# 3 2 1	######
+	 cmpult	$1,$0,$0	# 1 2 3 2
+	addq	$2,$6,$2	# 2 2 2
+	 addq	$20,$0,$0	# 1 3 2 
+	cmpult	$2,$6,$23	# 2 2 3 1
+	 addq	$21,$23,$21	# 2 3 1
+	umulh	$27,$19,$27	# 3 2	######
+	 addq	$2,$0,$2	# 2 2 3 1
+	cmpult	$2,$0,$0	# 2 2 3 2
+	 subq	$18,4,$18
+	mulq	$28,$19,$8	# 4 2 1	######
+	 addq	$21,$0,$0	# 2 3 2 
+	addq	$3,$7,$3	# 3 2 2
+	 addq	$16,32,$16
+	cmpult	$3,$7,$24	# 3 2 3 1
+	 stq	$1,-32($16)	# 1 2 4
+	umulh	$28,$19,$28	# 4 2	######
+	 addq	$27,$24,$27	# 3 3 1
+	addq	$3,$0,$3	# 3 2 3 1
+	 stq	$2,-24($16)	# 2 2 4
+	cmpult	$3,$0,$0	# 3 2 3 2
+	 stq	$3,-16($16)	# 3 2 4
+	addq	$4,$8,$4	# 4 2 2
+	 addq	$27,$0,$0	# 3 3 2 
+	cmpult	$4,$8,$25	# 4 2 3 1
+	 addq	$17,32,$17
+	addq	$28,$25,$28	# 4 3 1
+	 addq	$4,$0,$4	# 4 2 3 1
+	cmpult	$4,$0,$0	# 4 2 3 2
+	 stq	$4,-8($16)	# 4 2 4
+	addq	$28,$0,$0	# 4 3 2 
+	 blt	$18,$43
+
+	ldq	$20,0($17)	# 1 1
+	ldq	$1,0($16)	# 1 1
+
+	br	$42
+
+	.align 4
+$45:
+	ldq	$20,0($17)	# 4 1
+	ldq	$1,0($16)	# 4 1
+	mulq	$20,$19,$5	# 4 2 1
+	subq	$18,1,$18
+	addq	$16,8,$16
+	addq	$17,8,$17
+	umulh	$20,$19,$20	# 4 2
+	addq	$1,$5,$1	# 4 2 2
+	cmpult	$1,$5,$22	# 4 2 3 1
+	addq	$20,$22,$20	# 4 3 1
+	addq	$1,$0,$1	# 4 2 3 1
+	cmpult	$1,$0,$0	# 4 2 3 2
+	addq	$20,$0,$0	# 4 3 2 
+	stq	$1,-8($16)	# 4 2 4
+	bgt	$18,$45
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$43:
+	addq	$18,4,$18
+	bgt	$18,$45		# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_add_words
+	.align 3
+	.globl bn_mul_words
+	.ent bn_mul_words
+bn_mul_words:
+bn_mul_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$0
+	blt	$18,$143	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	.align 3
+$142:
+
+	mulq	$20,$19,$5	# 1 2 1	#####
+	 ldq	$21,8($17)	# 2 1
+	 ldq	$27,16($17)	# 3 1
+	umulh	$20,$19,$20	# 1 2	#####
+	 ldq	$28,24($17)	# 4 1
+	mulq	$21,$19,$6	# 2 2 1	#####
+	 addq	$5,$0,$5	# 1 2 3 1
+	subq	$18,4,$18
+	 cmpult	$5,$0,$0	# 1 2 3 2
+	umulh	$21,$19,$21	# 2 2	#####
+	 addq	$20,$0,$0	# 1 3 2 
+	addq	$17,32,$17
+	 addq	$6,$0,$6	# 2 2 3 1
+	mulq	$27,$19,$7	# 3 2 1	#####
+	 cmpult	$6,$0,$0	# 2 2 3 2
+	addq	$21,$0,$0	# 2 3 2 
+	 addq	$16,32,$16
+	umulh	$27,$19,$27	# 3 2	#####
+	 stq	$5,-32($16)	# 1 2 4
+	mulq	$28,$19,$8	# 4 2 1	#####
+	 addq	$7,$0,$7	# 3 2 3 1
+	stq	$6,-24($16)	# 2 2 4
+	 cmpult	$7,$0,$0	# 3 2 3 2
+	umulh	$28,$19,$28	# 4 2	#####
+	 addq	$27,$0,$0	# 3 3 2 
+	stq	$7,-16($16)	# 3 2 4
+	 addq	$8,$0,$8	# 4 2 3 1
+	cmpult	$8,$0,$0	# 4 2 3 2
+
+	addq	$28,$0,$0	# 4 3 2 
+
+	stq	$8,-8($16)	# 4 2 4
+
+	blt	$18,$143
+
+	ldq	$20,0($17)	# 1 1
+
+	br	$142
+
+	.align 4
+$145:
+	ldq	$20,0($17)	# 4 1
+	mulq	$20,$19,$5	# 4 2 1
+	subq	$18,1,$18
+	umulh	$20,$19,$20	# 4 2
+	addq	$5,$0,$5	# 4 2 3 1
+	 addq	$16,8,$16
+	cmpult	$5,$0,$0	# 4 2 3 2
+	 addq	$17,8,$17
+	addq	$20,$0,$0	# 4 3 2 
+	stq	$5,-8($16)	# 4 2 4
+
+	bgt	$18,$145
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$143:
+	addq	$18,4,$18
+	bgt	$18,$145	# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_words
+	.align 3
+	.globl bn_sqr_words
+	.ent bn_sqr_words
+bn_sqr_words:
+bn_sqr_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$18,4,$18
+	blt	$18,$543	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$20,0($17)	# 1 1
+	.align 3
+$542:
+	mulq	$20,$20,$5		######
+	 ldq	$21,8($17)	# 1 1
+	subq	$18,4
+ 	umulh	$20,$20,$1		######
+	ldq	$27,16($17)	# 1 1
+	mulq	$21,$21,$6		######
+	ldq	$28,24($17)	# 1 1
+	stq	$5,0($16)	# r[0]
+ 	umulh	$21,$21,$2		######
+	stq	$1,8($16)	# r[1]
+	mulq	$27,$27,$7		######
+	stq	$6,16($16)	# r[0]
+ 	umulh	$27,$27,$3		######
+	stq	$2,24($16)	# r[1]
+	mulq	$28,$28,$8		######
+	stq	$7,32($16)	# r[0]
+ 	umulh	$28,$28,$4		######
+	stq	$3,40($16)	# r[1]
+
+ 	addq	$16,64,$16
+ 	addq	$17,32,$17
+	stq	$8,-16($16)	# r[0]
+	stq	$4,-8($16)	# r[1]
+
+	blt	$18,$543
+	ldq	$20,0($17)	# 1 1
+ 	br 	$542
+
+$442:
+	ldq	$20,0($17)   # a[0]
+	mulq	$20,$20,$5  # a[0]*w low part       r2
+	addq	$16,16,$16
+	addq	$17,8,$17
+	subq	$18,1,$18
+        umulh	$20,$20,$1  # a[0]*w high part       r3
+	stq	$5,-16($16)   # r[0]
+        stq	$1,-8($16)   # r[1]
+
+	bgt	$18,$442
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$543:
+	addq	$18,4,$18
+	bgt	$18,$442	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_sqr_words
+
+	.align 3
+	.globl bn_add_words
+	.ent bn_add_words
+bn_add_words:
+bn_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,4,$19
+	bis	$31,$31,$0	# carry = 0
+	blt	$19,$900
+	ldq	$5,0($17)	# a[0]
+	ldq	$1,0($18)	# b[1]
+	.align 3
+$901:
+	addq	$1,$5,$1	# r=a+b;
+	 ldq	$6,8($17)	# a[1]
+	cmpult	$1,$5,$22	# did we overflow?
+	 ldq	$2,8($18)	# b[1]
+	addq	$1,$0,$1	# c+= overflow
+	 ldq	$7,16($17)	# a[2]
+	cmpult	$1,$0,$0	# overflow?
+	 ldq	$3,16($18)	# b[2]
+	addq	$0,$22,$0
+	 ldq	$8,24($17)	# a[3]
+	addq	$2,$6,$2	# r=a+b;
+	 ldq	$4,24($18)	# b[3]
+	cmpult	$2,$6,$23	# did we overflow?
+	 addq	$3,$7,$3	# r=a+b;
+	addq	$2,$0,$2	# c+= overflow
+	 cmpult	$3,$7,$24	# did we overflow?
+	cmpult	$2,$0,$0	# overflow?
+	 addq	$4,$8,$4	# r=a+b;
+	addq	$0,$23,$0
+	 cmpult	$4,$8,$25	# did we overflow?
+	addq	$3,$0,$3	# c+= overflow
+	 stq	$1,0($16)	# r[0]=c
+	cmpult	$3,$0,$0	# overflow?
+	 stq	$2,8($16)	# r[1]=c
+	addq	$0,$24,$0
+	 stq	$3,16($16)	# r[2]=c
+	addq	$4,$0,$4	# c+= overflow
+	 subq	$19,4,$19	# loop--
+	cmpult	$4,$0,$0	# overflow?
+	 addq	$17,32,$17	# a++
+	addq	$0,$25,$0
+	 stq	$4,24($16)	# r[3]=c
+	addq	$18,32,$18	# b++
+	 addq	$16,32,$16	# r++
+
+	blt	$19,$900
+	 ldq	$5,0($17)	# a[0]
+	ldq	$1,0($18)	# b[1]
+	 br	$901
+	.align 4
+$945:
+	ldq	$5,0($17)	# a[0]
+	 ldq	$1,0($18)	# b[1]
+	addq	$1,$5,$1	# r=a+b;
+	 subq	$19,1,$19	# loop--
+	addq	$1,$0,$1	# c+= overflow
+	 addq	$17,8,$17	# a++
+	cmpult	$1,$5,$22	# did we overflow?
+	 cmpult	$1,$0,$0	# overflow?
+	addq	$18,8,$18	# b++
+	 stq	$1,0($16)	# r[0]=c
+	addq	$0,$22,$0
+	 addq	$16,8,$16	# r++
+
+	bgt	$19,$945
+	ret	$31,($26),1	# else exit
+
+$900:
+	addq	$19,4,$19
+	bgt	$19,$945	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_add_words
+
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+	.align 3
+	.globl bn_div64
+	.ent bn_div64
+bn_div64:
+	ldgp $29,0($27)
+bn_div64..ng:
+	lda $30,-48($30)
+	.frame $30,48,$26,0
+	stq $26,0($30)
+	stq $9,8($30)
+	stq $10,16($30)
+	stq $11,24($30)
+	stq $12,32($30)
+	stq $13,40($30)
+	.mask 0x4003e00,-48
+	.prologue 1
+	bis $16,$16,$9
+	bis $17,$17,$10
+	bis $18,$18,$11
+	bis $31,$31,$13
+	bis $31,2,$12
+	bne $11,$119
+	lda $0,-1
+	br $31,$136
+	.align 4
+$119:
+	bis $11,$11,$16
+	jsr $26,BN_num_bits_word
+	ldgp $29,0($26)
+	subq $0,64,$1
+	beq $1,$120
+	bis $31,1,$1
+	sll $1,$0,$1
+	cmpule $9,$1,$1
+	bne $1,$120
+ #	lda $16,_IO_stderr_
+ #	lda $17,$C32
+ #	bis $0,$0,$18
+ #	jsr $26,fprintf
+ #	ldgp $29,0($26)
+	jsr $26,abort
+	ldgp $29,0($26)
+	.align 4
+$120:
+	bis $31,64,$3
+	cmpult $9,$11,$2
+	subq $3,$0,$1
+	addl $1,$31,$0
+	subq $9,$11,$1
+	cmoveq $2,$1,$9
+	beq $0,$122
+	zapnot $0,15,$2
+	subq $3,$0,$1
+	sll $11,$2,$11
+	sll $9,$2,$3
+	srl $10,$1,$1
+	sll $10,$2,$10
+	bis $3,$1,$9
+$122:
+	srl $11,32,$5
+	zapnot $11,15,$6
+	lda $7,-1
+	.align 5
+$123:
+	srl $9,32,$1
+	subq $1,$5,$1
+	bne $1,$126
+	zapnot $7,15,$27
+	br $31,$127
+	.align 4
+$126:
+	bis $9,$9,$24
+	bis $5,$5,$25
+	divqu $24,$25,$27
+$127:
+	srl $10,32,$4
+	.align 5
+$128:
+	mulq $27,$5,$1
+	subq $9,$1,$3
+	zapnot $3,240,$1
+	bne $1,$129
+	mulq $6,$27,$2
+	sll $3,32,$1
+	addq $1,$4,$1
+	cmpule $2,$1,$2
+	bne $2,$129
+	subq $27,1,$27
+	br $31,$128
+	.align 4
+$129:
+	mulq $27,$6,$1
+	mulq $27,$5,$4
+	srl $1,32,$3
+	sll $1,32,$1
+	addq $4,$3,$4
+	cmpult $10,$1,$2
+	subq $10,$1,$10
+	addq $2,$4,$2
+	cmpult $9,$2,$1
+	bis $2,$2,$4
+	beq $1,$134
+	addq $9,$11,$9
+	subq $27,1,$27
+$134:
+	subl $12,1,$12
+	subq $9,$4,$9
+	beq $12,$124
+	sll $27,32,$13
+	sll $9,32,$2
+	srl $10,32,$1
+	sll $10,32,$10
+	bis $2,$1,$9
+	br $31,$123
+	.align 4
+$124:
+	bis $13,$27,$0
+$136:
+	ldq $26,0($30)
+	ldq $9,8($30)
+	ldq $10,16($30)
+	ldq $11,24($30)
+	ldq $12,32($30)
+	ldq $13,40($30)
+	addq $30,48,$30
+	ret $31,($26),1
+	.end bn_div64
+
+	.set noat
+	.text
+	.align 3
+	.globl bn_sub_words
+	.ent bn_sub_words
+bn_sub_words:
+bn_sub_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,	4,	$19
+	bis	$31,	$31,	$0
+	blt	$19,	$100
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+$101:
+	ldq	$3,	8($17)
+	cmpult	$1,	$2,	$4
+	ldq	$5,	8($18)
+	subq	$1,	$2,	$1
+	ldq	$6,	16($17)
+	cmpult	$1,	$0,	$2
+	ldq	$7,	16($18)
+	subq	$1,	$0,	$23
+	ldq	$8,	24($17)
+	addq	$2,	$4,	$0
+	cmpult	$3,	$5,	$24
+	subq	$3,	$5,	$3
+	ldq	$22,	24($18)
+	cmpult	$3,	$0,	$5
+	subq	$3,	$0,	$25
+	addq	$5,	$24,	$0
+	cmpult	$6,	$7,	$27
+	subq	$6,	$7,	$6
+	stq	$23,	0($16)
+	cmpult	$6,	$0,	$7
+	subq	$6,	$0,	$28
+	addq	$7,	$27,	$0
+	cmpult	$8,	$22,	$21
+	subq	$8,	$22,	$8
+	stq	$25,	8($16)
+	cmpult	$8,	$0,	$22
+	subq	$8,	$0,	$20
+	addq	$22,	$21,	$0
+	stq	$28,	16($16)
+	subq	$19,	4,	$19
+	stq	$20,	24($16)
+	addq	$17,	32,	$17
+	addq	$18,	32,	$18
+	addq	$16,	32,	$16
+	blt	$19,	$100
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	br	$101
+$102:
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	cmpult	$1,	$2,	$27
+	subq	$1,	$2,	$1
+	cmpult	$1,	$0,	$2
+	subq	$1,	$0,	$1
+	stq	$1,	0($16)
+	addq	$2,	$27,	$0
+	addq	$17,	8,	$17
+	addq	$18,	8,	$18
+	addq	$16,	8,	$16
+	subq	$19,	1,	$19
+	bgt	$19,	$102
+	ret	$31,($26),1
+$100:
+	addq	$19,	4,	$19
+	bgt	$19,	$102
+$103:
+	ret	$31,($26),1
+	.end bn_sub_words
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/add.pl b/crypto/openssl/crypto/bn/asm/alpha.works/add.pl
new file mode 100644
index 0000000..4dc76e6
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/add.pl
@@ -0,0 +1,119 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_add_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+	$count=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&br(&label("finish"));
+	&blt($count,&label("finish"));
+
+	($a0,$b0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($b0,&QWPw(0,$bp));
+
+##########################################################
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+	($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+	($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+	($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);
+	&add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	&add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	&add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	&add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	&add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	&add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	&add($o3,$cc,$o3);
+	&cmpult($o3,$cc,$cc);
+	&add($cc,$t3,$cc);	&FR($t3);
+
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+
+	&sub($count,4,$count);	# count-=4
+	&add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	&add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+##################################################
+	# Do the last 0..3 words
+
+	($t0,$o0)=&NR(2);
+	&set_label("last_loop");
+
+	&ld($a0,&QWPw(0,$ap));	# get a
+	&ld($b0,&QWPw(0,$bp));	# get b
+
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);	# will we borrow?
+	&add($o0,$cc,$o0);	# will we borrow?
+	&cmpult($o0,$cc,$cc);	# will we borrow?
+	&add($cc,$t0,$cc);	# add the borrows
+	&st($o0,&QWPw(0,$rp));	# save
+
+	&add($ap,$QWS,$ap);
+	&add($bp,$QWS,$bp);
+	&add($rp,$QWS,$rp);
+	&sub($count,1,$count);
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&FR($o0,$t0,$a0,$b0);
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/div.pl b/crypto/openssl/crypto/bn/asm/alpha.works/div.pl
new file mode 100644
index 0000000..7ec1443
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/div.pl
@@ -0,0 +1,144 @@
+#!/usr/local/bin/perl
+
+sub bn_div64
+	{
+	local($data)=<<'EOF';
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .set noreorder
+	.set volatile
+	.align 3
+	.globl bn_div64
+	.ent bn_div64
+bn_div64:
+	ldgp $29,0($27)
+bn_div64..ng:
+	lda $30,-48($30)
+	.frame $30,48,$26,0
+	stq $26,0($30)
+	stq $9,8($30)
+	stq $10,16($30)
+	stq $11,24($30)
+	stq $12,32($30)
+	stq $13,40($30)
+	.mask 0x4003e00,-48
+	.prologue 1
+	bis $16,$16,$9
+	bis $17,$17,$10
+	bis $18,$18,$11
+	bis $31,$31,$13
+	bis $31,2,$12
+	bne $11,$9119
+	lda $0,-1
+	br $31,$9136
+	.align 4
+$9119:
+	bis $11,$11,$16
+	jsr $26,BN_num_bits_word
+	ldgp $29,0($26)
+	subq $0,64,$1
+	beq $1,$9120
+	bis $31,1,$1
+	sll $1,$0,$1
+	cmpule $9,$1,$1
+	bne $1,$9120
+ #	lda $16,_IO_stderr_
+ #	lda $17,$C32
+ #	bis $0,$0,$18
+ #	jsr $26,fprintf
+ #	ldgp $29,0($26)
+	jsr $26,abort
+	ldgp $29,0($26)
+	.align 4
+$9120:
+	bis $31,64,$3
+	cmpult $9,$11,$2
+	subq $3,$0,$1
+	addl $1,$31,$0
+	subq $9,$11,$1
+	cmoveq $2,$1,$9
+	beq $0,$9122
+	zapnot $0,15,$2
+	subq $3,$0,$1
+	sll $11,$2,$11
+	sll $9,$2,$3
+	srl $10,$1,$1
+	sll $10,$2,$10
+	bis $3,$1,$9
+$9122:
+	srl $11,32,$5
+	zapnot $11,15,$6
+	lda $7,-1
+	.align 5
+$9123:
+	srl $9,32,$1
+	subq $1,$5,$1
+	bne $1,$9126
+	zapnot $7,15,$27
+	br $31,$9127
+	.align 4
+$9126:
+	bis $9,$9,$24
+	bis $5,$5,$25
+	divqu $24,$25,$27
+$9127:
+	srl $10,32,$4
+	.align 5
+$9128:
+	mulq $27,$5,$1
+	subq $9,$1,$3
+	zapnot $3,240,$1
+	bne $1,$9129
+	mulq $6,$27,$2
+	sll $3,32,$1
+	addq $1,$4,$1
+	cmpule $2,$1,$2
+	bne $2,$9129
+	subq $27,1,$27
+	br $31,$9128
+	.align 4
+$9129:
+	mulq $27,$6,$1
+	mulq $27,$5,$4
+	srl $1,32,$3
+	sll $1,32,$1
+	addq $4,$3,$4
+	cmpult $10,$1,$2
+	subq $10,$1,$10
+	addq $2,$4,$2
+	cmpult $9,$2,$1
+	bis $2,$2,$4
+	beq $1,$9134
+	addq $9,$11,$9
+	subq $27,1,$27
+$9134:
+	subl $12,1,$12
+	subq $9,$4,$9
+	beq $12,$9124
+	sll $27,32,$13
+	sll $9,32,$2
+	srl $10,32,$1
+	sll $10,32,$10
+	bis $2,$1,$9
+	br $31,$9123
+	.align 4
+$9124:
+	bis $13,$27,$0
+$9136:
+	ldq $26,0($30)
+	ldq $9,8($30)
+	ldq $10,16($30)
+	ldq $11,24($30)
+	ldq $12,32($30)
+	ldq $13,40($30)
+	addq $30,48,$30
+	ret $31,($26),1
+	.end bn_div64
+EOF
+	&asm_add($data);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/mul.pl b/crypto/openssl/crypto/bn/asm/alpha.works/mul.pl
new file mode 100644
index 0000000..b182bae
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/mul.pl
@@ -0,0 +1,116 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+	$word=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&br(&label("finish"));
+	&blt($count,&label("finish"));
+
+	($a0,$r0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+	($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+	($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+	($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);
+	&add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	&add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	&add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	&add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	&add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	&add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	&add($o3,$cc,$o3);
+	&cmpult($o3,$cc,$cc);
+	&add($cc,$t3,$cc);	&FR($t3);
+
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+
+	&sub($count,4,$count);	# count-=4
+	&add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	&add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+EOF
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	&mul($a0,$word,($l0)=&NR(1));
+	 &add($ap,$QWS,$ap);
+	&muh($a0,$word,($h0)=&NR(1));	&FR($a0);
+	&add($l0,$cc,$l0);
+	 &add($rp,$QWS,$rp);
+	 &sub($count,1,$count);
+	&cmpult($l0,$cc,$cc);
+	&st($l0,&QWPw(-1,$rp));		&FR($l0);
+	&add($h0,$cc,$cc);		&FR($h0);
+
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/mul_add.pl b/crypto/openssl/crypto/bn/asm/alpha.works/mul_add.pl
new file mode 100644
index 0000000..e37f631
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/mul_add.pl
@@ -0,0 +1,120 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_add_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+	$word=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&br(&label("finish"));
+	&blt($count,&label("finish"));
+
+	($a0,$r0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+	($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+	($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+	($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);
+	&add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	&add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	&add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	&add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	&add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	&add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	&add($o3,$cc,$o3);
+	&cmpult($o3,$cc,$cc);
+	&add($cc,$t3,$cc);	&FR($t3);
+
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+
+	&sub($count,4,$count);	# count-=4
+	&add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	&add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+EOF
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	&ld(($r0)=&NR(1),&QWPw(0,$rp));	# get b
+	&mul($a0,$word,($l0)=&NR(1));
+	 &sub($count,1,$count);
+	 &add($ap,$QWS,$ap);
+	&muh($a0,$word,($h0)=&NR(1));	&FR($a0);
+	&add($r0,$l0,$r0);
+	 &add($rp,$QWS,$rp);
+	&cmpult($r0,$l0,($t0)=&NR(1));	&FR($l0);
+	 &add($r0,$cc,$r0);
+	&add($h0,$t0,$h0);		&FR($t0);
+	 &cmpult($r0,$cc,$cc);
+	&st($r0,&QWPw(-1,$rp));		&FR($r0);
+	 &add($h0,$cc,$cc);		&FR($h0);
+
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.pl b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.pl
new file mode 100644
index 0000000..5efd201
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.pl
@@ -0,0 +1,213 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&add($t1,$h1,$h1);		&FR($t1);
+	&add($c1,$h1,$c1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub bn_mul_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&mul($a[0],$b[0],($r00)=&NR(1));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&muh($a[0],$b[0],($r01)=&NR(1));
+	&FR($ap); &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&FR($bp); &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+	&mul($a[0],$b[1],($r02)=&NR(1));
+
+	($R,$H1,$H2)=&NR(3);
+
+	&st($r00,&QWPw(0,$rp));	&FR($r00);
+
+	&mov("zero",$R);
+	&mul($a[1],$b[0],($r03)=&NR(1));
+
+	&mov("zero",$H1);
+	&mov("zero",$H0);
+	 &add($R,$r01,$R);
+	&muh($a[0],$b[1],($r04)=&NR(1));
+	 &cmpult($R,$r01,($t01)=&NR(1));	&FR($r01);
+	 &add($R,$r02,$R);
+	 &add($H1,$t01,$H1)			&FR($t01);
+	&muh($a[1],$b[0],($r05)=&NR(1));
+	 &cmpult($R,$r02,($t02)=&NR(1));	&FR($r02);
+	 &add($R,$r03,$R);
+	 &add($H2,$t02,$H2)			&FR($t02);
+	&mul($a[0],$b[2],($r06)=&NR(1));
+	 &cmpult($R,$r03,($t03)=&NR(1));	&FR($r03);
+	 &add($H1,$t03,$H1)			&FR($t03);
+	&st($R,&QWPw(1,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r04,$R);
+	&mov("zero",$H2);
+	&mul($a[1],$b[1],($r07)=&NR(1));
+	 &cmpult($R,$r04,($t04)=&NR(1));	&FR($r04);
+	 &add($R,$r05,$R);
+	 &add($H1,$t04,$H1)			&FR($t04);
+	&mul($a[2],$b[0],($r08)=&NR(1));
+	 &cmpult($R,$r05,($t05)=&NR(1));	&FR($r05);
+	 &add($R,$r01,$R);
+	 &add($H2,$t05,$H2)			&FR($t05);
+	&muh($a[0],$b[2],($r09)=&NR(1));
+	 &cmpult($R,$r06,($t06)=&NR(1));	&FR($r06);
+	 &add($R,$r07,$R);
+	 &add($H1,$t06,$H1)			&FR($t06);
+	&muh($a[1],$b[1],($r10)=&NR(1));
+	 &cmpult($R,$r07,($t07)=&NR(1));	&FR($r07);
+	 &add($R,$r08,$R);
+	 &add($H2,$t07,$H2)			&FR($t07);
+	&muh($a[2],$b[0],($r11)=&NR(1));
+	 &cmpult($R,$r08,($t08)=&NR(1));	&FR($r08);
+	 &add($H1,$t08,$H1)			&FR($t08);
+	&st($R,&QWPw(2,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r09,$R);
+	&mov("zero",$H2);
+	&mul($a[0],$b[3],($r12)=&NR(1));
+	 &cmpult($R,$r09,($t09)=&NR(1));	&FR($r09);
+	 &add($R,$r10,$R);
+	 &add($H1,$t09,$H1)			&FR($t09);
+	&mul($a[1],$b[2],($r13)=&NR(1));
+	 &cmpult($R,$r10,($t10)=&NR(1));	&FR($r10);
+	 &add($R,$r11,$R);
+	 &add($H1,$t10,$H1)			&FR($t10);
+	&mul($a[2],$b[1],($r14)=&NR(1));
+	 &cmpult($R,$r11,($t11)=&NR(1));	&FR($r11);
+	 &add($R,$r12,$R);
+	 &add($H1,$t11,$H1)			&FR($t11);
+	&mul($a[3],$b[0],($r15)=&NR(1));
+	 &cmpult($R,$r12,($t12)=&NR(1));	&FR($r12);
+	 &add($R,$r13,$R);
+	 &add($H1,$t12,$H1)			&FR($t12);
+	&muh($a[0],$b[3],($r16)=&NR(1));
+	 &cmpult($R,$r13,($t13)=&NR(1));	&FR($r13);
+	 &add($R,$r14,$R);
+	 &add($H1,$t13,$H1)			&FR($t13);
+	&muh($a[1],$b[2],($r17)=&NR(1));
+	 &cmpult($R,$r14,($t14)=&NR(1));	&FR($r14);
+	 &add($R,$r15,$R);
+	 &add($H1,$t14,$H1)			&FR($t14);
+	&muh($a[2],$b[1],($r18)=&NR(1));
+	 &cmpult($R,$r15,($t15)=&NR(1));	&FR($r15);
+	 &add($H1,$t15,$H1)			&FR($t15);
+	&st($R,&QWPw(3,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r16,$R);
+	&mov("zero",$H2);
+	&muh($a[3],$b[0],($r19)=&NR(1));
+	 &cmpult($R,$r16,($t16)=&NR(1));	&FR($r16);
+	 &add($R,$r17,$R);
+	 &add($H1,$t16,$H1)			&FR($t16);
+	&mul($a[1],$b[3],($r20)=&NR(1));
+	 &cmpult($R,$r17,($t17)=&NR(1));	&FR($r17);
+	 &add($R,$r18,$R);
+	 &add($H1,$t17,$H1)			&FR($t17);
+	&mul($a[2],$b[2],($r21)=&NR(1));
+	 &cmpult($R,$r18,($t18)=&NR(1));	&FR($r18);
+	 &add($R,$r19,$R);
+	 &add($H1,$t18,$H1)			&FR($t18);
+	&mul($a[3],$b[1],($r22)=&NR(1));
+	 &cmpult($R,$r19,($t19)=&NR(1));	&FR($r19);
+	 &add($R,$r20,$R);
+	 &add($H1,$t19,$H1)			&FR($t19);
+	&muh($a[1],$b[3],($r23)=&NR(1));
+	 &cmpult($R,$r20,($t20)=&NR(1));	&FR($r20);
+	 &add($R,$r21,$R);
+	 &add($H1,$t20,$H1)			&FR($t20);
+	&muh($a[2],$b[2],($r24)=&NR(1));
+	 &cmpult($R,$r21,($t21)=&NR(1));	&FR($r21);
+	 &add($R,$r22,$R);
+	 &add($H1,$t21,$H1)			&FR($t21);
+	&muh($a[3],$b[1],($r25)=&NR(1));
+	 &cmpult($R,$r22,($t22)=&NR(1));	&FR($r22);
+	 &add($H1,$t22,$H1)			&FR($t22);
+	&st($R,&QWPw(4,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r23,$R);
+	&mov("zero",$H2);
+	&mul($a[2],$b[3],($r26)=&NR(1));
+	 &cmpult($R,$r23,($t23)=&NR(1));	&FR($r23);
+	 &add($R,$r24,$R);
+	 &add($H1,$t23,$H1)			&FR($t23);
+	&mul($a[3],$b[2],($r27)=&NR(1));
+	 &cmpult($R,$r24,($t24)=&NR(1));	&FR($r24);
+	 &add($R,$r25,$R);
+	 &add($H1,$t24,$H1)			&FR($t24);
+	&muh($a[2],$b[3],($r28)=&NR(1));
+	 &cmpult($R,$r25,($t25)=&NR(1));	&FR($r25);
+	 &add($R,$r26,$R);
+	 &add($H1,$t25,$H1)			&FR($t25);
+	&muh($a[3],$b[2],($r29)=&NR(1));
+	 &cmpult($R,$r26,($t26)=&NR(1));	&FR($r26);
+	 &add($R,$r27,$R);
+	 &add($H1,$t26,$H1)			&FR($t26);
+	&mul($a[3],$b[3],($r30)=&NR(1));
+	 &cmpult($R,$r27,($t27)=&NR(1));	&FR($r27);
+	 &add($H1,$t27,$H1)			&FR($t27);
+	&st($R,&QWPw(5,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r28,$R);
+	&mov("zero",$H2);
+	&muh($a[3],$b[3],($r31)=&NR(1));
+	 &cmpult($R,$r28,($t28)=&NR(1));	&FR($r28);
+	 &add($R,$r29,$R);
+	 &add($H1,$t28,$H1)			&FR($t28);
+	############
+	 &cmpult($R,$r29,($t29)=&NR(1));	&FR($r29);
+	 &add($R,$r30,$R);
+	 &add($H1,$t29,$H1)			&FR($t29);
+        ############
+	 &cmpult($R,$r30,($t30)=&NR(1));	&FR($r30);
+	 &add($H1,$t30,$H1)			&FR($t30);
+	&st($R,&QWPw(6,$rp));
+	&add($H1,$H2,$R);
+
+	 &add($R,$r31,$R);			&FR($r31);
+	&st($R,&QWPw(7,$rp));
+
+	&FR($R,$H1,$H2);
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.works.pl b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.works.pl
new file mode 100644
index 0000000..79d86dd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c4.works.pl
@@ -0,0 +1,98 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+print STDERR "count=$cnt\n"; $cnt++;
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&add($t1,$h1,$h1);		&FR($t1);
+	&add($c1,$h1,$c1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub bn_mul_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));	&FR($ap);
+	&ld(($b[3])=&NR(1),&QWPw(3,$bp));	&FR($bp);
+
+	($c0,$c1,$c2)=&NR(3);
+	&mov("zero",$c2);
+	&mul($a[0],$b[0],$c0);
+	&muh($a[0],$b[0],$c1);
+	&st($c0,&QWPw(0,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[3],$c0,$c1,$c2);	&FR($a[0]);
+	&mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[0],$c0,$c1,$c2);	&FR($b[0]);
+	&st($c0,&QWPw(3,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[3],$c0,$c1,$c2);	&FR($a[1]);
+	&mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[1],$c0,$c1,$c2);	&FR($b[1]);
+	&st($c0,&QWPw(4,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[2],$b[3],$c0,$c1,$c2);	&FR($a[2]);
+	&mul_add_c($a[3],$b[2],$c0,$c1,$c2);	&FR($b[2]);
+	&st($c0,&QWPw(5,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[3],$b[3],$c0,$c1,$c2);	&FR($a[3],$b[3]);
+	&st($c0,&QWPw(6,$rp));
+	&st($c1,&QWPw(7,$rp));
+
+	&FR($c0,$c1,$c2);
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/mul_c8.pl b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c8.pl
new file mode 100644
index 0000000..525ca74
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/mul_c8.pl
@@ -0,0 +1,177 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_comba8
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&stack_push(2);
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&st($reg_s0,&swtmp(0)); &FR($reg_s0);
+	&st($reg_s1,&swtmp(1)); &FR($reg_s1);
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&ld(($b[3])=&NR(1),&QWPw(3,$bp));
+	&ld(($a[4])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[4])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[5])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[5])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[6])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[6])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[7])=&NR(1),&QWPw(1,$ap));	&FR($ap);
+	&ld(($b[7])=&NR(1),&QWPw(1,$bp));	&FR($bp);
+
+	($c0,$c1,$c2)=&NR(3);
+	&mov("zero",$c2);
+	&mul($a[0],$b[0],$c0);
+	&muh($a[0],$b[0],$c1);
+	&st($c0,&QWPw(0,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[7],$c0,$c1,$c2);	&FR($a[0]);
+	&mul_add_c($a[1],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[0],$c0,$c1,$c2);	&FR($b[0]);
+	&st($c0,&QWPw(7,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[7],$c0,$c1,$c2);	&FR($a[1]);
+	&mul_add_c($a[2],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[1],$c0,$c1,$c2);	&FR($b[1]);
+	&st($c0,&QWPw(8,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[2],$b[7],$c0,$c1,$c2);	&FR($a[2]);
+	&mul_add_c($a[3],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[2],$c0,$c1,$c2);	&FR($b[2]);
+	&st($c0,&QWPw(9,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[3],$b[7],$c0,$c1,$c2);	&FR($a[3]);
+	&mul_add_c($a[4],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[3],$c0,$c1,$c2);	&FR($b[3]);
+	&st($c0,&QWPw(10,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[4],$b[7],$c0,$c1,$c2);	&FR($a[4]);
+	&mul_add_c($a[5],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[4],$c0,$c1,$c2);	&FR($b[4]);
+	&st($c0,&QWPw(11,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[5],$b[7],$c0,$c1,$c2);	&FR($a[5]);
+	&mul_add_c($a[6],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[5],$c0,$c1,$c2);	&FR($b[5]);
+	&st($c0,&QWPw(12,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[6],$b[7],$c0,$c1,$c2);	&FR($a[6]);
+	&mul_add_c($a[7],$b[6],$c0,$c1,$c2);	&FR($b[6]);
+	&st($c0,&QWPw(13,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[7],$b[7],$c0,$c1,$c2);	&FR($a[7],$b[7]);
+	&st($c0,&QWPw(14,$rp));
+	&st($c1,&QWPw(15,$rp));
+
+	&FR($c0,$c1,$c2);
+
+	&ld($reg_s0,&swtmp(0));
+	&ld($reg_s1,&swtmp(1));
+	&stack_pop(2);
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/sqr.pl b/crypto/openssl/crypto/bn/asm/alpha.works/sqr.pl
new file mode 100644
index 0000000..a55b696
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/sqr.pl
@@ -0,0 +1,113 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(3);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&br(&label("finish"));
+	&blt($count,&label("finish"));
+
+	($a0,$r0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+	($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+	($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+	($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);
+	&add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	&add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	&add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	&add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	&add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	&add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	&add($o3,$cc,$o3);
+	&cmpult($o3,$cc,$cc);
+	&add($cc,$t3,$cc);	&FR($t3);
+
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+
+	&sub($count,4,$count);	# count-=4
+	&add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	&add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+EOF
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	&mul($a0,$a0,($l0)=&NR(1));
+	 &add($ap,$QWS,$ap);
+	 &add($rp,2*$QWS,$rp);
+	 &sub($count,1,$count);
+	&muh($a0,$a0,($h0)=&NR(1));	&FR($a0);
+	&st($l0,&QWPw(-2,$rp));		&FR($l0);
+	&st($h0,&QWPw(-1,$rp));		&FR($h0);
+
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c4.pl b/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c4.pl
new file mode 100644
index 0000000..bf33f5b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c4.pl
@@ -0,0 +1,109 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub sqr_add_c
+	{
+	local($a,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$a,($l1)=&NR(1));
+	&muh($a,$a,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&add($c1,$h1,$c1);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c1,$t1,$c1);		&FR($t1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub sqr_add_c2
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&cmplt($l1,"zero",($lc1)=&NR(1));
+	&cmplt($h1,"zero",($hc1)=&NR(1));
+	&add($l1,$l1,$l1);
+	&add($h1,$h1,$h1);
+	&add($h1,$lc1,$h1);		&FR($lc1);
+	&add($c2,$hc1,$c2);		&FR($hc1);
+
+	&add($c0,$l1,$c0);
+	&add($c1,$h1,$c1);
+	&cmpult($c0,$l1,($lc1)=&NR(1));	&FR($l1);
+	&cmpult($c1,$h1,($hc1)=&NR(1));	&FR($h1);
+
+	&add($c1,$lc1,$c1);		&FR($lc1);
+	&add($c2,$hc1,$c2);		&FR($hc1);
+	}
+
+
+sub bn_sqr_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(2);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap)); &FR($ap);
+
+	($c0,$c1,$c2)=&NR(3);
+
+	&mov("zero",$c2);
+	&mul($a[0],$a[0],$c0);
+	&muh($a[0],$a[0],$c1);
+	&st($c0,&QWPw(0,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[0],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[3],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));
+	&st($c1,&QWPw(7,$rp));
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c8.pl b/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c8.pl
new file mode 100644
index 0000000..b4afe08
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/sqr_c8.pl
@@ -0,0 +1,132 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_comba8
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(2);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&ld(($a[4])=&NR(1),&QWPw(4,$ap));
+	&ld(($a[5])=&NR(1),&QWPw(5,$ap));
+	&ld(($a[6])=&NR(1),&QWPw(6,$ap));
+        &ld(($a[7])=&NR(1),&QWPw(7,$ap)); &FR($ap);
+
+	($c0,$c1,$c2)=&NR(3);
+
+	&mov("zero",$c2);
+	&mul($a[0],$a[0],$c0);
+	&muh($a[0],$a[0],$c1);
+	&st($c0,&QWPw(0,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[1],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[4],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(7,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(8,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[5],$a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[2],$c0,$c1,$c2);
+	&st($c0,&QWPw(9,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[5],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[3],$c0,$c1,$c2);
+	&st($c0,&QWPw(10,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[6],$a[5],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[4],$c0,$c1,$c2);
+	&st($c0,&QWPw(11,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[6],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[5],$c0,$c1,$c2);
+	&st($c0,&QWPw(12,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[7],$a[6],$c0,$c1,$c2);
+	&st($c0,&QWPw(13,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[7],$c0,$c1,$c2);
+	&st($c0,&QWPw(14,$rp));
+	&st($c1,&QWPw(15,$rp));
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha.works/sub.pl b/crypto/openssl/crypto/bn/asm/alpha.works/sub.pl
new file mode 100644
index 0000000..d998da5
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha.works/sub.pl
@@ -0,0 +1,108 @@
+#!/usr/local/bin/perl
+# alpha assember
+
+sub bn_sub_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+	$count=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&blt($count,&label("finish"));
+
+	($a0,$b0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($b0,&QWPw(0,$bp));
+
+##########################################################
+	&set_label("loop");
+
+	($a1,$tmp,$b1,$a2,$b2,$a3,$b3,$o0)=&NR(8);
+	&ld($a1,&QWPw(1,$ap));
+	 &cmpult($a0,$b0,$tmp);	# will we borrow?
+	&ld($b1,&QWPw(1,$bp));
+	 &sub($a0,$b0,$a0);		# do the subtract
+	&ld($a2,&QWPw(2,$ap));
+	 &cmpult($a0,$cc,$b0);	# will we borrow?
+	&ld($b2,&QWPw(2,$bp));
+	 &sub($a0,$cc,$o0);	# will we borrow?
+	&ld($a3,&QWPw(3,$ap));
+	 &add($b0,$tmp,$cc); ($t1,$o1)=&NR(2); &FR($tmp);
+
+	&cmpult($a1,$b1,$t1);	# will we borrow?
+	 &sub($a1,$b1,$a1);	# do the subtract
+	&ld($b3,&QWPw(3,$bp));
+	 &cmpult($a1,$cc,$b1);	# will we borrow?
+	&sub($a1,$cc,$o1);	# will we borrow?
+	 &add($b1,$t1,$cc); ($tmp,$o2)=&NR(2); &FR($t1,$a1,$b1);
+	
+	&cmpult($a2,$b2,$tmp);	# will we borrow?
+	 &sub($a2,$b2,$a2);		# do the subtract
+	&st($o0,&QWPw(0,$rp));	&FR($o0); # save
+	 &cmpult($a2,$cc,$b2);	# will we borrow?
+	&sub($a2,$cc,$o2);	# will we borrow?
+	 &add($b2,$tmp,$cc); ($t3,$o3)=&NR(2); &FR($tmp,$a2,$b2);
+
+	&cmpult($a3,$b3,$t3);	# will we borrow?
+	 &sub($a3,$b3,$a3);	# do the subtract
+	&st($o1,&QWPw(1,$rp)); &FR($o1);
+	 &cmpult($a3,$cc,$b3);	# will we borrow?
+	&sub($a3,$cc,$o3);	# will we borrow?
+	 &add($b3,$t3,$cc); &FR($t3,$a3,$b3);
+
+	&st($o2,&QWPw(2,$rp));	&FR($o2);
+	 &sub($count,4,$count);	# count-=4
+	&st($o3,&QWPw(3,$rp));	&FR($o3);
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	 &add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld($a0,&QWPw(0,$ap));	# get a
+	 &ld($b0,&QWPw(0,$bp));	# get b
+	&cmpult($a0,$b0,$tmp);	# will we borrow?
+	&sub($a0,$b0,$a0);	# do the subtract
+	&cmpult($a0,$cc,$b0);	# will we borrow?
+	&sub($a0,$cc,$a0);	# will we borrow?
+	&st($a0,&QWPw(0,$rp));	# save
+	&add($b0,$tmp,$cc);	# add the borrows
+
+	&add($ap,$QWS,$ap);
+	&add($bp,$QWS,$bp);
+	&add($rp,$QWS,$rp);
+	&sub($count,1,$count);
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&FR($a0,$b0);
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/add.pl b/crypto/openssl/crypto/bn/asm/alpha/add.pl
new file mode 100644
index 0000000..13bf516
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/add.pl
@@ -0,0 +1,118 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_add_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+	$count=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	 &mov("zero",$cc);
+	&blt($count,&label("finish"));
+
+	($a0,$b0)=&NR(2);
+
+##########################################################
+	&set_label("loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));
+	 &ld(($b0)=&NR(1),&QWPw(0,$bp));
+	&ld(($a1)=&NR(1),&QWPw(1,$ap));
+	 &ld(($b1)=&NR(1),&QWPw(1,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	 &ld(($a2)=&NR(1),&QWPw(2,$ap));
+	&cmpult($o0,$b0,$t0);
+	 &add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	 &ld(($b2)=&NR(1),&QWPw(2,$bp));
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	 &add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	 &add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	 &ld(($a3)=&NR(1),&QWPw(3,$ap));
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	 &add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	 &add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	 &ld(($b3)=&NR(1),&QWPw(3,$bp));
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	 &add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	 &add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	 &add($o3,$cc,$o3);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	 &cmpult($o3,$cc,$cc);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+	 &add($cc,$t3,$cc);	&FR($t3);
+
+
+	&sub($count,4,$count);	# count-=4
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	 &add($rp,4*$QWS,$rp);	# count+=4
+
+	###
+	 &bge($count,&label("loop"));
+	###
+	&br(&label("finish"));
+##################################################
+	# Do the last 0..3 words
+
+	($t0,$o0)=&NR(2);
+	&set_label("last_loop");
+
+	&ld($a0,&QWPw(0,$ap));	# get a
+	 &ld($b0,&QWPw(0,$bp));	# get b
+	&add($ap,$QWS,$ap);
+	 &add($bp,$QWS,$bp);
+	&add($a0,$b0,$o0); 
+	 &sub($count,1,$count);
+	&cmpult($o0,$b0,$t0);	# will we borrow?
+	 &add($o0,$cc,$o0);	# will we borrow?
+	&cmpult($o0,$cc,$cc);	# will we borrow?
+	 &add($rp,$QWS,$rp);
+	&st($o0,&QWPw(-1,$rp));	# save
+	 &add($cc,$t0,$cc);	# add the borrows
+
+	###
+	 &bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	 &bgt($count,&label("last_loop"));
+
+	&FR($o0,$t0,$a0,$b0);
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/div.pl b/crypto/openssl/crypto/bn/asm/alpha/div.pl
new file mode 100644
index 0000000..e9e6808
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/div.pl
@@ -0,0 +1,144 @@
+#!/usr/local/bin/perl
+
+sub bn_div_words
+	{
+	local($data)=<<'EOF';
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .set noreorder
+	.set volatile
+	.align 3
+	.globl bn_div_words
+	.ent bn_div_words
+bn_div_words
+	ldgp $29,0($27)
+bn_div_words.ng:
+	lda $30,-48($30)
+	.frame $30,48,$26,0
+	stq $26,0($30)
+	stq $9,8($30)
+	stq $10,16($30)
+	stq $11,24($30)
+	stq $12,32($30)
+	stq $13,40($30)
+	.mask 0x4003e00,-48
+	.prologue 1
+	bis $16,$16,$9
+	bis $17,$17,$10
+	bis $18,$18,$11
+	bis $31,$31,$13
+	bis $31,2,$12
+	bne $11,$9119
+	lda $0,-1
+	br $31,$9136
+	.align 4
+$9119:
+	bis $11,$11,$16
+	jsr $26,BN_num_bits_word
+	ldgp $29,0($26)
+	subq $0,64,$1
+	beq $1,$9120
+	bis $31,1,$1
+	sll $1,$0,$1
+	cmpule $9,$1,$1
+	bne $1,$9120
+ #	lda $16,_IO_stderr_
+ #	lda $17,$C32
+ #	bis $0,$0,$18
+ #	jsr $26,fprintf
+ #	ldgp $29,0($26)
+	jsr $26,abort
+	ldgp $29,0($26)
+	.align 4
+$9120:
+	bis $31,64,$3
+	cmpult $9,$11,$2
+	subq $3,$0,$1
+	addl $1,$31,$0
+	subq $9,$11,$1
+	cmoveq $2,$1,$9
+	beq $0,$9122
+	zapnot $0,15,$2
+	subq $3,$0,$1
+	sll $11,$2,$11
+	sll $9,$2,$3
+	srl $10,$1,$1
+	sll $10,$2,$10
+	bis $3,$1,$9
+$9122:
+	srl $11,32,$5
+	zapnot $11,15,$6
+	lda $7,-1
+	.align 5
+$9123:
+	srl $9,32,$1
+	subq $1,$5,$1
+	bne $1,$9126
+	zapnot $7,15,$27
+	br $31,$9127
+	.align 4
+$9126:
+	bis $9,$9,$24
+	bis $5,$5,$25
+	divqu $24,$25,$27
+$9127:
+	srl $10,32,$4
+	.align 5
+$9128:
+	mulq $27,$5,$1
+	subq $9,$1,$3
+	zapnot $3,240,$1
+	bne $1,$9129
+	mulq $6,$27,$2
+	sll $3,32,$1
+	addq $1,$4,$1
+	cmpule $2,$1,$2
+	bne $2,$9129
+	subq $27,1,$27
+	br $31,$9128
+	.align 4
+$9129:
+	mulq $27,$6,$1
+	mulq $27,$5,$4
+	srl $1,32,$3
+	sll $1,32,$1
+	addq $4,$3,$4
+	cmpult $10,$1,$2
+	subq $10,$1,$10
+	addq $2,$4,$2
+	cmpult $9,$2,$1
+	bis $2,$2,$4
+	beq $1,$9134
+	addq $9,$11,$9
+	subq $27,1,$27
+$9134:
+	subl $12,1,$12
+	subq $9,$4,$9
+	beq $12,$9124
+	sll $27,32,$13
+	sll $9,32,$2
+	srl $10,32,$1
+	sll $10,32,$10
+	bis $2,$1,$9
+	br $31,$9123
+	.align 4
+$9124:
+	bis $13,$27,$0
+$9136:
+	ldq $26,0($30)
+	ldq $9,8($30)
+	ldq $10,16($30)
+	ldq $11,24($30)
+	ldq $12,32($30)
+	ldq $13,40($30)
+	addq $30,48,$30
+	ret $31,($26),1
+	.end bn_div_words
+EOF
+	&asm_add($data);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/mul.pl b/crypto/openssl/crypto/bn/asm/alpha/mul.pl
new file mode 100644
index 0000000..76c9265
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/mul.pl
@@ -0,0 +1,104 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+	$word=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	 &mov("zero",$cc);
+	###
+	 &blt($count,&label("finish"));
+
+	($a0)=&NR(1); &ld($a0,&QWPw(0,$ap));
+
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	 ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+
+	&muh($a0,$word,($h0)=&NR(1));	&FR($a0);
+	 ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	 						### wait 8
+	&mul($a0,$word,($l0)=&NR(1));	&FR($a0);
+	 						### wait 8
+	&muh($a1,$word,($h1)=&NR(1));	&FR($a1);
+	 &add($l0,$cc,$l0);				### wait 8
+	&mul($a1,$word,($l1)=&NR(1));	&FR($a1);
+	 &cmpult($l0,$cc,$cc);				### wait 8
+	&muh($a2,$word,($h2)=&NR(1));	&FR($a2);
+	 &add($h0,$cc,$cc);	&FR($h0); 		### wait 8
+	&mul($a2,$word,($l2)=&NR(1));	&FR($a2);
+	 &add($l1,$cc,$l1);				### wait 8
+	&st($l0,&QWPw(0,$rp));		&FR($l0);
+	 &cmpult($l1,$cc,$cc);				### wait 8
+	&muh($a3,$word,($h3)=&NR(1));	&FR($a3);
+	 &add($h1,$cc,$cc);		&FR($h1);
+	&mul($a3,$word,($l3)=&NR(1));	&FR($a3);
+	 &add($l2,$cc,$l2);
+	&st($l1,&QWPw(1,$rp));		&FR($l1);
+	 &cmpult($l2,$cc,$cc);
+	&add($h2,$cc,$cc);		&FR($h2);
+	 &sub($count,4,$count);	# count-=4
+	&st($l2,&QWPw(2,$rp));		&FR($l2);
+	 &add($l3,$cc,$l3);
+	&cmpult($l3,$cc,$cc);
+	 &add($bp,4*$QWS,$bp);	# count+=4
+	&add($h3,$cc,$cc);		&FR($h3);
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&st($l3,&QWPw(3,$rp));		&FR($l3);
+	 &add($rp,4*$QWS,$rp);	# count+=4
+	###
+	 &blt($count,&label("finish"));
+	 ($a0)=&NR(1); &ld($a0,&QWPw(0,$ap));
+	&br(&label("finish"));
+##################################################
+
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	 ###
+	###
+	 ###
+	&muh($a0,$word,($h0)=&NR(1));
+	 ### Wait 8 for next mul issue
+	&mul($a0,$word,($l0)=&NR(1)); &FR($a0)
+	 &add($ap,$QWS,$ap);
+	### Loose 12 until result is available
+	&add($rp,$QWS,$rp);
+	 &sub($count,1,$count);
+	&add($l0,$cc,$l0);
+	 ###
+	&st($l0,&QWPw(-1,$rp));		&FR($l0);
+	 &cmpult($l0,$cc,$cc);
+	&add($h0,$cc,$cc);		&FR($h0);
+	 &bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/mul_add.pl b/crypto/openssl/crypto/bn/asm/alpha/mul_add.pl
new file mode 100644
index 0000000..0d6df69
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/mul_add.pl
@@ -0,0 +1,123 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_add_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+	$word=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	 &mov("zero",$cc);
+	###
+	 &blt($count,&label("finish"));
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));
+
+$a=<<'EOF';
+##########################################################
+	&set_label("loop");
+
+	&ld(($r0)=&NR(1),&QWPw(0,$rp));
+	 &ld(($a1)=&NR(1),&QWPw(1,$ap));
+	&muh($a0,$word,($h0)=&NR(1));
+	 &ld(($r1)=&NR(1),&QWPw(1,$rp));
+	&ld(($a2)=&NR(1),&QWPw(2,$ap));
+	 ###
+	&mul($a0,$word,($l0)=&NR(1));	&FR($a0);
+	 &ld(($r2)=&NR(1),&QWPw(2,$rp));
+	&muh($a1,$word,($h1)=&NR(1));
+	 &ld(($a3)=&NR(1),&QWPw(3,$ap));
+	&mul($a1,$word,($l1)=&NR(1));	&FR($a1);
+	 &ld(($r3)=&NR(1),&QWPw(3,$rp));
+	&add($r0,$l0,$r0);
+	 &add($r1,$l1,$r1);
+	&cmpult($r0,$l0,($t0)=&NR(1));	&FR($l0);
+	 &cmpult($r1,$l1,($t1)=&NR(1));	&FR($l1);
+	&muh($a2,$word,($h2)=&NR(1));
+	 &add($r0,$cc,$r0);
+	&add($h0,$t0,$h0);		&FR($t0);
+	 &cmpult($r0,$cc,$cc);
+	&add($h1,$t1,$h1);		&FR($t1);
+	 &add($h0,$cc,$cc);		&FR($h0);
+	&mul($a2,$word,($l2)=&NR(1));	&FR($a2);
+	 &add($r1,$cc,$r1);
+	&cmpult($r1,$cc,$cc);
+	 &add($r2,$l2,$r2);
+	&add($h1,$cc,$cc);		&FR($h1);
+	 &cmpult($r2,$l2,($t2)=&NR(1));	&FR($l2);
+	&muh($a3,$word,($h3)=&NR(1));
+	 &add($r2,$cc,$r2);
+	&st($r0,&QWPw(0,$rp)); &FR($r0);
+	 &add($h2,$t2,$h2);		&FR($t2);
+	&st($r1,&QWPw(1,$rp)); &FR($r1);
+	 &cmpult($r2,$cc,$cc);
+	&mul($a3,$word,($l3)=&NR(1));	&FR($a3);
+	 &add($h2,$cc,$cc);		&FR($h2);
+	&st($r2,&QWPw(2,$rp)); &FR($r2);
+	 &sub($count,4,$count);	# count-=4
+	 &add($rp,4*$QWS,$rp);	# count+=4
+	&add($r3,$l3,$r3);
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&cmpult($r3,$l3,($t3)=&NR(1));	&FR($l3);
+	 &add($r3,$cc,$r3);
+	&add($h3,$t3,$h3);		&FR($t3);
+	 &cmpult($r3,$cc,$cc);
+	&st($r3,&QWPw(-1,$rp)); &FR($r3);
+	 &add($h3,$cc,$cc);		&FR($h3);
+
+	###
+	 &blt($count,&label("finish"));
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));
+	 &br(&label("loop"));
+EOF
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	 &ld(($r0)=&NR(1),&QWPw(0,$rp));	# get b
+	###
+	 ###
+	&muh($a0,$word,($h0)=&NR(1));	&FR($a0);
+	 ### wait 8
+	&mul($a0,$word,($l0)=&NR(1));	&FR($a0);
+	 &add($rp,$QWS,$rp);
+	&add($ap,$QWS,$ap);
+	 &sub($count,1,$count);
+	### wait 3 until l0 is available
+	&add($r0,$l0,$r0);
+	 ###
+	&cmpult($r0,$l0,($t0)=&NR(1));	&FR($l0);
+	 &add($r0,$cc,$r0);
+	&add($h0,$t0,$h0);		&FR($t0);
+	 &cmpult($r0,$cc,$cc);
+	&add($h0,$cc,$cc);		&FR($h0);
+
+	&st($r0,&QWPw(-1,$rp));		&FR($r0);
+	 &bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	 &bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/mul_c4.pl b/crypto/openssl/crypto/bn/asm/alpha/mul_c4.pl
new file mode 100644
index 0000000..9cc876d
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/mul_c4.pl
@@ -0,0 +1,215 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+# upto
+
+sub mul_add_c
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&add($t1,$h1,$h1);		&FR($t1);
+	&add($c1,$h1,$c1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub bn_mul_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&mul($a[0],$b[0],($r00)=&NR(1));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&muh($a[0],$b[0],($r01)=&NR(1));
+	&FR($ap); &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&FR($bp); &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+	&mul($a[0],$b[1],($r02)=&NR(1));
+
+	($R,$H1,$H2)=&NR(3);
+
+	&st($r00,&QWPw(0,$rp));	&FR($r00);
+
+	&mov("zero",$R);
+	&mul($a[1],$b[0],($r03)=&NR(1));
+
+	&mov("zero",$H1);
+	&mov("zero",$H0);
+	 &add($R,$r01,$R);
+	&muh($a[0],$b[1],($r04)=&NR(1));
+	 &cmpult($R,$r01,($t01)=&NR(1));	&FR($r01);
+	 &add($R,$r02,$R);
+	 &add($H1,$t01,$H1)			&FR($t01);
+	&muh($a[1],$b[0],($r05)=&NR(1));
+	 &cmpult($R,$r02,($t02)=&NR(1));	&FR($r02);
+	 &add($R,$r03,$R);
+	 &add($H2,$t02,$H2)			&FR($t02);
+	&mul($a[0],$b[2],($r06)=&NR(1));
+	 &cmpult($R,$r03,($t03)=&NR(1));	&FR($r03);
+	 &add($H1,$t03,$H1)			&FR($t03);
+	&st($R,&QWPw(1,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r04,$R);
+	&mov("zero",$H2);
+	&mul($a[1],$b[1],($r07)=&NR(1));
+	 &cmpult($R,$r04,($t04)=&NR(1));	&FR($r04);
+	 &add($R,$r05,$R);
+	 &add($H1,$t04,$H1)			&FR($t04);
+	&mul($a[2],$b[0],($r08)=&NR(1));
+	 &cmpult($R,$r05,($t05)=&NR(1));	&FR($r05);
+	 &add($R,$r01,$R);
+	 &add($H2,$t05,$H2)			&FR($t05);
+	&muh($a[0],$b[2],($r09)=&NR(1));
+	 &cmpult($R,$r06,($t06)=&NR(1));	&FR($r06);
+	 &add($R,$r07,$R);
+	 &add($H1,$t06,$H1)			&FR($t06);
+	&muh($a[1],$b[1],($r10)=&NR(1));
+	 &cmpult($R,$r07,($t07)=&NR(1));	&FR($r07);
+	 &add($R,$r08,$R);
+	 &add($H2,$t07,$H2)			&FR($t07);
+	&muh($a[2],$b[0],($r11)=&NR(1));
+	 &cmpult($R,$r08,($t08)=&NR(1));	&FR($r08);
+	 &add($H1,$t08,$H1)			&FR($t08);
+	&st($R,&QWPw(2,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r09,$R);
+	&mov("zero",$H2);
+	&mul($a[0],$b[3],($r12)=&NR(1));
+	 &cmpult($R,$r09,($t09)=&NR(1));	&FR($r09);
+	 &add($R,$r10,$R);
+	 &add($H1,$t09,$H1)			&FR($t09);
+	&mul($a[1],$b[2],($r13)=&NR(1));
+	 &cmpult($R,$r10,($t10)=&NR(1));	&FR($r10);
+	 &add($R,$r11,$R);
+	 &add($H1,$t10,$H1)			&FR($t10);
+	&mul($a[2],$b[1],($r14)=&NR(1));
+	 &cmpult($R,$r11,($t11)=&NR(1));	&FR($r11);
+	 &add($R,$r12,$R);
+	 &add($H1,$t11,$H1)			&FR($t11);
+	&mul($a[3],$b[0],($r15)=&NR(1));
+	 &cmpult($R,$r12,($t12)=&NR(1));	&FR($r12);
+	 &add($R,$r13,$R);
+	 &add($H1,$t12,$H1)			&FR($t12);
+	&muh($a[0],$b[3],($r16)=&NR(1));
+	 &cmpult($R,$r13,($t13)=&NR(1));	&FR($r13);
+	 &add($R,$r14,$R);
+	 &add($H1,$t13,$H1)			&FR($t13);
+	&muh($a[1],$b[2],($r17)=&NR(1));
+	 &cmpult($R,$r14,($t14)=&NR(1));	&FR($r14);
+	 &add($R,$r15,$R);
+	 &add($H1,$t14,$H1)			&FR($t14);
+	&muh($a[2],$b[1],($r18)=&NR(1));
+	 &cmpult($R,$r15,($t15)=&NR(1));	&FR($r15);
+	 &add($H1,$t15,$H1)			&FR($t15);
+	&st($R,&QWPw(3,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r16,$R);
+	&mov("zero",$H2);
+	&muh($a[3],$b[0],($r19)=&NR(1));
+	 &cmpult($R,$r16,($t16)=&NR(1));	&FR($r16);
+	 &add($R,$r17,$R);
+	 &add($H1,$t16,$H1)			&FR($t16);
+	&mul($a[1],$b[3],($r20)=&NR(1));
+	 &cmpult($R,$r17,($t17)=&NR(1));	&FR($r17);
+	 &add($R,$r18,$R);
+	 &add($H1,$t17,$H1)			&FR($t17);
+	&mul($a[2],$b[2],($r21)=&NR(1));
+	 &cmpult($R,$r18,($t18)=&NR(1));	&FR($r18);
+	 &add($R,$r19,$R);
+	 &add($H1,$t18,$H1)			&FR($t18);
+	&mul($a[3],$b[1],($r22)=&NR(1));
+	 &cmpult($R,$r19,($t19)=&NR(1));	&FR($r19);
+	 &add($R,$r20,$R);
+	 &add($H1,$t19,$H1)			&FR($t19);
+	&muh($a[1],$b[3],($r23)=&NR(1));
+	 &cmpult($R,$r20,($t20)=&NR(1));	&FR($r20);
+	 &add($R,$r21,$R);
+	 &add($H1,$t20,$H1)			&FR($t20);
+	&muh($a[2],$b[2],($r24)=&NR(1));
+	 &cmpult($R,$r21,($t21)=&NR(1));	&FR($r21);
+	 &add($R,$r22,$R);
+	 &add($H1,$t21,$H1)			&FR($t21);
+	&muh($a[3],$b[1],($r25)=&NR(1));
+	 &cmpult($R,$r22,($t22)=&NR(1));	&FR($r22);
+	 &add($H1,$t22,$H1)			&FR($t22);
+	&st($R,&QWPw(4,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r23,$R);
+	&mov("zero",$H2);
+	&mul($a[2],$b[3],($r26)=&NR(1));
+	 &cmpult($R,$r23,($t23)=&NR(1));	&FR($r23);
+	 &add($R,$r24,$R);
+	 &add($H1,$t23,$H1)			&FR($t23);
+	&mul($a[3],$b[2],($r27)=&NR(1));
+	 &cmpult($R,$r24,($t24)=&NR(1));	&FR($r24);
+	 &add($R,$r25,$R);
+	 &add($H1,$t24,$H1)			&FR($t24);
+	&muh($a[2],$b[3],($r28)=&NR(1));
+	 &cmpult($R,$r25,($t25)=&NR(1));	&FR($r25);
+	 &add($R,$r26,$R);
+	 &add($H1,$t25,$H1)			&FR($t25);
+	&muh($a[3],$b[2],($r29)=&NR(1));
+	 &cmpult($R,$r26,($t26)=&NR(1));	&FR($r26);
+	 &add($R,$r27,$R);
+	 &add($H1,$t26,$H1)			&FR($t26);
+	&mul($a[3],$b[3],($r30)=&NR(1));
+	 &cmpult($R,$r27,($t27)=&NR(1));	&FR($r27);
+	 &add($H1,$t27,$H1)			&FR($t27);
+	&st($R,&QWPw(5,$rp));
+	&add($H1,$H2,$R);
+
+	&mov("zero",$H1);
+	 &add($R,$r28,$R);
+	&mov("zero",$H2);
+	&muh($a[3],$b[3],($r31)=&NR(1));
+	 &cmpult($R,$r28,($t28)=&NR(1));	&FR($r28);
+	 &add($R,$r29,$R);
+	 &add($H1,$t28,$H1)			&FR($t28);
+	############
+	 &cmpult($R,$r29,($t29)=&NR(1));	&FR($r29);
+	 &add($R,$r30,$R);
+	 &add($H1,$t29,$H1)			&FR($t29);
+        ############
+	 &cmpult($R,$r30,($t30)=&NR(1));	&FR($r30);
+	 &add($H1,$t30,$H1)			&FR($t30);
+	&st($R,&QWPw(6,$rp));
+	&add($H1,$H2,$R);
+
+	 &add($R,$r31,$R);			&FR($r31);
+	&st($R,&QWPw(7,$rp));
+
+	&FR($R,$H1,$H2);
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/mul_c4.works.pl b/crypto/openssl/crypto/bn/asm/alpha/mul_c4.works.pl
new file mode 100644
index 0000000..79d86dd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/mul_c4.works.pl
@@ -0,0 +1,98 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+print STDERR "count=$cnt\n"; $cnt++;
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&add($t1,$h1,$h1);		&FR($t1);
+	&add($c1,$h1,$c1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub bn_mul_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));	&FR($ap);
+	&ld(($b[3])=&NR(1),&QWPw(3,$bp));	&FR($bp);
+
+	($c0,$c1,$c2)=&NR(3);
+	&mov("zero",$c2);
+	&mul($a[0],$b[0],$c0);
+	&muh($a[0],$b[0],$c1);
+	&st($c0,&QWPw(0,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[3],$c0,$c1,$c2);	&FR($a[0]);
+	&mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[0],$c0,$c1,$c2);	&FR($b[0]);
+	&st($c0,&QWPw(3,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[3],$c0,$c1,$c2);	&FR($a[1]);
+	&mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[1],$c0,$c1,$c2);	&FR($b[1]);
+	&st($c0,&QWPw(4,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[2],$b[3],$c0,$c1,$c2);	&FR($a[2]);
+	&mul_add_c($a[3],$b[2],$c0,$c1,$c2);	&FR($b[2]);
+	&st($c0,&QWPw(5,$rp));			&FR($c0); ($c0)=&NR($c0);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[3],$b[3],$c0,$c1,$c2);	&FR($a[3],$b[3]);
+	&st($c0,&QWPw(6,$rp));
+	&st($c1,&QWPw(7,$rp));
+
+	&FR($c0,$c1,$c2);
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/mul_c8.pl b/crypto/openssl/crypto/bn/asm/alpha/mul_c8.pl
new file mode 100644
index 0000000..525ca74
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/mul_c8.pl
@@ -0,0 +1,177 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_comba8
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(3);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&stack_push(2);
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($b[0])=&NR(1),&QWPw(0,$bp));
+	&st($reg_s0,&swtmp(0)); &FR($reg_s0);
+	&st($reg_s1,&swtmp(1)); &FR($reg_s1);
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[1])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($b[2])=&NR(1),&QWPw(2,$bp));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&ld(($b[3])=&NR(1),&QWPw(3,$bp));
+	&ld(($a[4])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[4])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[5])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[5])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[6])=&NR(1),&QWPw(1,$ap));
+	&ld(($b[6])=&NR(1),&QWPw(1,$bp));
+	&ld(($a[7])=&NR(1),&QWPw(1,$ap));	&FR($ap);
+	&ld(($b[7])=&NR(1),&QWPw(1,$bp));	&FR($bp);
+
+	($c0,$c1,$c2)=&NR(3);
+	&mov("zero",$c2);
+	&mul($a[0],$b[0],$c0);
+	&muh($a[0],$b[0],$c1);
+	&st($c0,&QWPw(0,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[1],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[0],$b[7],$c0,$c1,$c2);	&FR($a[0]);
+	&mul_add_c($a[1],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[2],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[1],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[0],$c0,$c1,$c2);	&FR($b[0]);
+	&st($c0,&QWPw(7,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[1],$b[7],$c0,$c1,$c2);	&FR($a[1]);
+	&mul_add_c($a[2],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[3],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[2],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[1],$c0,$c1,$c2);	&FR($b[1]);
+	&st($c0,&QWPw(8,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[2],$b[7],$c0,$c1,$c2);	&FR($a[2]);
+	&mul_add_c($a[3],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[4],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[3],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[2],$c0,$c1,$c2);	&FR($b[2]);
+	&st($c0,&QWPw(9,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[3],$b[7],$c0,$c1,$c2);	&FR($a[3]);
+	&mul_add_c($a[4],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[5],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[4],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[3],$c0,$c1,$c2);	&FR($b[3]);
+	&st($c0,&QWPw(10,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[4],$b[7],$c0,$c1,$c2);	&FR($a[4]);
+	&mul_add_c($a[5],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[6],$b[5],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[4],$c0,$c1,$c2);	&FR($b[4]);
+	&st($c0,&QWPw(11,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[5],$b[7],$c0,$c1,$c2);	&FR($a[5]);
+	&mul_add_c($a[6],$b[6],$c0,$c1,$c2);
+	&mul_add_c($a[7],$b[5],$c0,$c1,$c2);	&FR($b[5]);
+	&st($c0,&QWPw(12,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[6],$b[7],$c0,$c1,$c2);	&FR($a[6]);
+	&mul_add_c($a[7],$b[6],$c0,$c1,$c2);	&FR($b[6]);
+	&st($c0,&QWPw(13,$rp));			&FR($c0); ($c0)=&NR(1);
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&mul_add_c($a[7],$b[7],$c0,$c1,$c2);	&FR($a[7],$b[7]);
+	&st($c0,&QWPw(14,$rp));
+	&st($c1,&QWPw(15,$rp));
+
+	&FR($c0,$c1,$c2);
+
+	&ld($reg_s0,&swtmp(0));
+	&ld($reg_s1,&swtmp(1));
+	&stack_pop(2);
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/sqr.pl b/crypto/openssl/crypto/bn/asm/alpha/sqr.pl
new file mode 100644
index 0000000..a55b696
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/sqr.pl
@@ -0,0 +1,113 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r,$couny);
+
+	&init_pool(3);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$count=&wparam(2);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&br(&label("finish"));
+	&blt($count,&label("finish"));
+
+	($a0,$r0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+	&set_label("loop");
+
+	($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+	($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+	($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+	($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+	($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+	($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+	($o0,$t0)=&NR(2);
+	&add($a0,$b0,$o0); 
+	&cmpult($o0,$b0,$t0);
+	&add($o0,$cc,$o0);
+	&cmpult($o0,$cc,$cc);
+	&add($cc,$t0,$cc);	&FR($t0);
+
+	($t1,$o1)=&NR(2);
+
+	&add($a1,$b1,$o1);	&FR($a1);
+	&cmpult($o1,$b1,$t1);	&FR($b1);
+	&add($o1,$cc,$o1);
+	&cmpult($o1,$cc,$cc);
+	&add($cc,$t1,$cc);	&FR($t1);
+
+	($t2,$o2)=&NR(2);
+
+	&add($a2,$b2,$o2);	&FR($a2);
+	&cmpult($o2,$b2,$t2);	&FR($b2);
+	&add($o2,$cc,$o2);
+	&cmpult($o2,$cc,$cc);
+	&add($cc,$t2,$cc);	&FR($t2);
+
+	($t3,$o3)=&NR(2);
+
+	&add($a3,$b3,$o3);	&FR($a3);
+	&cmpult($o3,$b3,$t3);	&FR($b3);
+	&add($o3,$cc,$o3);
+	&cmpult($o3,$cc,$cc);
+	&add($cc,$t3,$cc);	&FR($t3);
+
+	&st($o0,&QWPw(0,$rp)); &FR($o0);
+	&st($o1,&QWPw(0,$rp)); &FR($o1);
+	&st($o2,&QWPw(0,$rp)); &FR($o2);
+	&st($o3,&QWPw(0,$rp)); &FR($o3);
+
+	&sub($count,4,$count);	# count-=4
+	&add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	&add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+EOF
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld(($a0)=&NR(1),&QWPw(0,$ap));	# get a
+	&mul($a0,$a0,($l0)=&NR(1));
+	 &add($ap,$QWS,$ap);
+	 &add($rp,2*$QWS,$rp);
+	 &sub($count,1,$count);
+	&muh($a0,$a0,($h0)=&NR(1));	&FR($a0);
+	&st($l0,&QWPw(-2,$rp));		&FR($l0);
+	&st($h0,&QWPw(-1,$rp));		&FR($h0);
+
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/sqr_c4.pl b/crypto/openssl/crypto/bn/asm/alpha/sqr_c4.pl
new file mode 100644
index 0000000..bf33f5b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/sqr_c4.pl
@@ -0,0 +1,109 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub sqr_add_c
+	{
+	local($a,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$a,($l1)=&NR(1));
+	&muh($a,$a,($h1)=&NR(1));
+	&add($c0,$l1,$c0);
+	&add($c1,$h1,$c1);
+	&cmpult($c0,$l1,($t1)=&NR(1));	&FR($l1);
+	&cmpult($c1,$h1,($t2)=&NR(1));	&FR($h1);
+	&add($c1,$t1,$c1);		&FR($t1);
+	&add($c2,$t2,$c2);		&FR($t2);
+	}
+
+sub sqr_add_c2
+	{
+	local($a,$b,$c0,$c1,$c2)=@_;
+	local($l1,$h1,$t1,$t2);
+
+	&mul($a,$b,($l1)=&NR(1));
+	&muh($a,$b,($h1)=&NR(1));
+	&cmplt($l1,"zero",($lc1)=&NR(1));
+	&cmplt($h1,"zero",($hc1)=&NR(1));
+	&add($l1,$l1,$l1);
+	&add($h1,$h1,$h1);
+	&add($h1,$lc1,$h1);		&FR($lc1);
+	&add($c2,$hc1,$c2);		&FR($hc1);
+
+	&add($c0,$l1,$c0);
+	&add($c1,$h1,$c1);
+	&cmpult($c0,$l1,($lc1)=&NR(1));	&FR($l1);
+	&cmpult($c1,$h1,($hc1)=&NR(1));	&FR($h1);
+
+	&add($c1,$lc1,$c1);		&FR($lc1);
+	&add($c2,$hc1,$c2);		&FR($hc1);
+	}
+
+
+sub bn_sqr_comba4
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(2);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap)); &FR($ap);
+
+	($c0,$c1,$c2)=&NR(3);
+
+	&mov("zero",$c2);
+	&mul($a[0],$a[0],$c0);
+	&muh($a[0],$a[0],$c1);
+	&st($c0,&QWPw(0,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[0],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[3],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));
+	&st($c1,&QWPw(7,$rp));
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/sqr_c8.pl b/crypto/openssl/crypto/bn/asm/alpha/sqr_c8.pl
new file mode 100644
index 0000000..b4afe08
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/sqr_c8.pl
@@ -0,0 +1,132 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_comba8
+	{
+	local($name)=@_;
+	local(@a,@b,$r,$c0,$c1,$c2);
+
+	$cnt=1;
+	&init_pool(2);
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+
+	&function_begin($name,"");
+
+	&comment("");
+
+	&ld(($a[0])=&NR(1),&QWPw(0,$ap));
+	&ld(($a[1])=&NR(1),&QWPw(1,$ap));
+	&ld(($a[2])=&NR(1),&QWPw(2,$ap));
+	&ld(($a[3])=&NR(1),&QWPw(3,$ap));
+	&ld(($a[4])=&NR(1),&QWPw(4,$ap));
+	&ld(($a[5])=&NR(1),&QWPw(5,$ap));
+	&ld(($a[6])=&NR(1),&QWPw(6,$ap));
+        &ld(($a[7])=&NR(1),&QWPw(7,$ap)); &FR($ap);
+
+	($c0,$c1,$c2)=&NR(3);
+
+	&mov("zero",$c2);
+	&mul($a[0],$a[0],$c0);
+	&muh($a[0],$a[0],$c1);
+	&st($c0,&QWPw(0,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[1],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(1,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(2,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(3,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(4,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(5,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[4],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(6,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[4],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[1],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[0],$c0,$c1,$c2);
+	&st($c0,&QWPw(7,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[5],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[2],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[1],$c0,$c1,$c2);
+	&st($c0,&QWPw(8,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[5],$a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[3],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[2],$c0,$c1,$c2);
+	&st($c0,&QWPw(9,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[5],$c0,$c1,$c2);
+	&sqr_add_c2($a[6],$a[4],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[3],$c0,$c1,$c2);
+	&st($c0,&QWPw(10,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[6],$a[5],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[4],$c0,$c1,$c2);
+	&st($c0,&QWPw(11,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[6],$c0,$c1,$c2);
+	&sqr_add_c2($a[7],$a[5],$c0,$c1,$c2);
+	&st($c0,&QWPw(12,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c2($a[7],$a[6],$c0,$c1,$c2);
+	&st($c0,&QWPw(13,$rp));
+	($c0,$c1,$c2)=($c1,$c2,$c0);
+	&mov("zero",$c2);
+
+	&sqr_add_c($a[7],$c0,$c1,$c2);
+	&st($c0,&QWPw(14,$rp));
+	&st($c1,&QWPw(15,$rp));
+
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/alpha/sub.pl b/crypto/openssl/crypto/bn/asm/alpha/sub.pl
new file mode 100644
index 0000000..d998da5
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/alpha/sub.pl
@@ -0,0 +1,108 @@
+#!/usr/local/bin/perl
+# alpha assember
+
+sub bn_sub_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r);
+
+	&init_pool(4);
+	($cc)=GR("r0");
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+	$count=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&blt($count,&label("finish"));
+
+	($a0,$b0)=&NR(2);
+	&ld($a0,&QWPw(0,$ap));
+	&ld($b0,&QWPw(0,$bp));
+
+##########################################################
+	&set_label("loop");
+
+	($a1,$tmp,$b1,$a2,$b2,$a3,$b3,$o0)=&NR(8);
+	&ld($a1,&QWPw(1,$ap));
+	 &cmpult($a0,$b0,$tmp);	# will we borrow?
+	&ld($b1,&QWPw(1,$bp));
+	 &sub($a0,$b0,$a0);		# do the subtract
+	&ld($a2,&QWPw(2,$ap));
+	 &cmpult($a0,$cc,$b0);	# will we borrow?
+	&ld($b2,&QWPw(2,$bp));
+	 &sub($a0,$cc,$o0);	# will we borrow?
+	&ld($a3,&QWPw(3,$ap));
+	 &add($b0,$tmp,$cc); ($t1,$o1)=&NR(2); &FR($tmp);
+
+	&cmpult($a1,$b1,$t1);	# will we borrow?
+	 &sub($a1,$b1,$a1);	# do the subtract
+	&ld($b3,&QWPw(3,$bp));
+	 &cmpult($a1,$cc,$b1);	# will we borrow?
+	&sub($a1,$cc,$o1);	# will we borrow?
+	 &add($b1,$t1,$cc); ($tmp,$o2)=&NR(2); &FR($t1,$a1,$b1);
+	
+	&cmpult($a2,$b2,$tmp);	# will we borrow?
+	 &sub($a2,$b2,$a2);		# do the subtract
+	&st($o0,&QWPw(0,$rp));	&FR($o0); # save
+	 &cmpult($a2,$cc,$b2);	# will we borrow?
+	&sub($a2,$cc,$o2);	# will we borrow?
+	 &add($b2,$tmp,$cc); ($t3,$o3)=&NR(2); &FR($tmp,$a2,$b2);
+
+	&cmpult($a3,$b3,$t3);	# will we borrow?
+	 &sub($a3,$b3,$a3);	# do the subtract
+	&st($o1,&QWPw(1,$rp)); &FR($o1);
+	 &cmpult($a3,$cc,$b3);	# will we borrow?
+	&sub($a3,$cc,$o3);	# will we borrow?
+	 &add($b3,$t3,$cc); &FR($t3,$a3,$b3);
+
+	&st($o2,&QWPw(2,$rp));	&FR($o2);
+	 &sub($count,4,$count);	# count-=4
+	&st($o3,&QWPw(3,$rp));	&FR($o3);
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	 &add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld($a0,&QWPw(0,$ap));	# get a
+	 &ld($b0,&QWPw(0,$bp));	# get b
+	&cmpult($a0,$b0,$tmp);	# will we borrow?
+	&sub($a0,$b0,$a0);	# do the subtract
+	&cmpult($a0,$cc,$b0);	# will we borrow?
+	&sub($a0,$cc,$a0);	# will we borrow?
+	&st($a0,&QWPw(0,$rp));	# save
+	&add($b0,$tmp,$cc);	# add the borrows
+
+	&add($ap,$QWS,$ap);
+	&add($bp,$QWS,$bp);
+	&add($rp,$QWS,$rp);
+	&sub($count,1,$count);
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&FR($a0,$b0);
+	&set_label("end");
+	&function_end($name);
+
+	&fin_pool;
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/bn-586.pl b/crypto/openssl/crypto/bn/asm/bn-586.pl
new file mode 100644
index 0000000..5191bed
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/bn-586.pl
@@ -0,0 +1,384 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_add_words("bn_mul_add_words");
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_div_words("bn_div_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+
+&asm_finish();
+
+sub bn_mul_add_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$Low="eax";
+	$High="edx";
+	$a="ebx";
+	$w="ebp";
+	$r="edi";
+	$c="esi";
+
+	&xor($c,$c);		# clear carry
+	&mov($r,&wparam(0));	#
+
+	&mov("ecx",&wparam(2));	#
+	&mov($a,&wparam(1));	#
+
+	&and("ecx",0xfffffff8);	# num / 8
+	&mov($w,&wparam(3));	#
+
+	&push("ecx");		# Up the stack for a tmp variable
+
+	&jz(&label("maw_finish"));
+
+	&set_label("maw_loop",0);
+
+	&mov(&swtmp(0),"ecx");	#
+
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+
+		 &mov("eax",&DWP($i,$a,"",0)); 	# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);		# L(t)+= *r
+		 &mov($c,&DWP($i,$r,"",0));	# L(t)+= *r
+		&adc("edx",0);			# H(t)+=carry
+		 &add("eax",$c);		# L(t)+=c
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i,$r,"",0),"eax");	# *r= L(t);
+		&mov($c,"edx");			# c=  H(t);
+		}
+
+	&comment("");
+	&mov("ecx",&swtmp(0));	#
+	&add($a,32);
+	&add($r,32);
+	&sub("ecx",8);
+	&jnz(&label("maw_loop"));
+
+	&set_label("maw_finish",0);
+	&mov("ecx",&wparam(2));	# get num
+	&and("ecx",7);
+	&jnz(&label("maw_finish2"));	# helps branch prediction
+	&jmp(&label("maw_end"));
+
+	&set_label("maw_finish2",1);
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		 &mov("eax",&DWP($i*4,$a,"",0));# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 &mov($c,&DWP($i*4,$r,"",0));	# L(t)+= *r
+		&adc("edx",0);			# H(t)+=carry
+		 &add("eax",$c);
+		&adc("edx",0);			# H(t)+=carry
+		 &dec("ecx") if ($i != 7-1);
+		&mov(&DWP($i*4,$r,"",0),"eax");	# *r= L(t);
+		 &mov($c,"edx");			# c=  H(t);
+		&jz(&label("maw_end")) if ($i != 7-1);
+		}
+	&set_label("maw_end",0);
+	&mov("eax",$c);
+
+	&pop("ecx");	# clear variable from
+
+	&function_end($name);
+	}
+
+sub bn_mul_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$Low="eax";
+	$High="edx";
+	$a="ebx";
+	$w="ecx";
+	$r="edi";
+	$c="esi";
+	$num="ebp";
+
+	&xor($c,$c);		# clear carry
+	&mov($r,&wparam(0));	#
+	&mov($a,&wparam(1));	#
+	&mov($num,&wparam(2));	#
+	&mov($w,&wparam(3));	#
+
+	&and($num,0xfffffff8);	# num / 8
+	&jz(&label("mw_finish"));
+
+	&set_label("mw_loop",0);
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+
+		 &mov("eax",&DWP($i,$a,"",0)); 	# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 # XXX
+
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i,$r,"",0),"eax");	# *r= L(t);
+
+		&mov($c,"edx");			# c=  H(t);
+		}
+
+	&comment("");
+	&add($a,32);
+	&add($r,32);
+	&sub($num,8);
+	&jz(&label("mw_finish"));
+	&jmp(&label("mw_loop"));
+
+	&set_label("mw_finish",0);
+	&mov($num,&wparam(2));	# get num
+	&and($num,7);
+	&jnz(&label("mw_finish2"));
+	&jmp(&label("mw_end"));
+
+	&set_label("mw_finish2",1);
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		 &mov("eax",&DWP($i*4,$a,"",0));# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 # XXX
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t);
+		&mov($c,"edx");			# c=  H(t);
+		 &dec($num) if ($i != 7-1);
+		&jz(&label("mw_end")) if ($i != 7-1);
+		}
+	&set_label("mw_end",0);
+	&mov("eax",$c);
+
+	&function_end($name);
+	}
+
+sub bn_sqr_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$r="esi";
+	$a="edi";
+	$num="ebx";
+
+	&mov($r,&wparam(0));	#
+	&mov($a,&wparam(1));	#
+	&mov($num,&wparam(2));	#
+
+	&and($num,0xfffffff8);	# num / 8
+	&jz(&label("sw_finish"));
+
+	&set_label("sw_loop",0);
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+		&mov("eax",&DWP($i,$a,"",0)); 	# *a
+		 # XXX
+		&mul("eax");			# *a * *a
+		&mov(&DWP($i*2,$r,"",0),"eax");	#
+		 &mov(&DWP($i*2+4,$r,"",0),"edx");#
+		}
+
+	&comment("");
+	&add($a,32);
+	&add($r,64);
+	&sub($num,8);
+	&jnz(&label("sw_loop"));
+
+	&set_label("sw_finish",0);
+	&mov($num,&wparam(2));	# get num
+	&and($num,7);
+	&jz(&label("sw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov("eax",&DWP($i*4,$a,"",0));	# *a
+		 # XXX
+		&mul("eax");			# *a * *a
+		&mov(&DWP($i*8,$r,"",0),"eax");	#
+		 &dec($num) if ($i != 7-1);
+		&mov(&DWP($i*8+4,$r,"",0),"edx");
+		 &jz(&label("sw_end")) if ($i != 7-1);
+		}
+	&set_label("sw_end",0);
+
+	&function_end($name);
+	}
+
+sub bn_div_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+	&mov("edx",&wparam(0));	#
+	&mov("eax",&wparam(1));	#
+	&mov("ebx",&wparam(2));	#
+	&div("ebx");
+	&function_end($name);
+	}
+
+sub bn_add_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$a="esi";
+	$b="edi";
+	$c="eax";
+	$r="ebx";
+	$tmp1="ecx";
+	$tmp2="edx";
+	$num="ebp";
+
+	&mov($r,&wparam(0));	# get r
+	 &mov($a,&wparam(1));	# get a
+	&mov($b,&wparam(2));	# get b
+	 &mov($num,&wparam(3));	# get num
+	&xor($c,$c);		# clear carry
+	 &and($num,0xfffffff8);	# num / 8
+
+	&jz(&label("aw_finish"));
+
+	&set_label("aw_loop",0);
+	for ($i=0; $i<8; $i++)
+		{
+		&comment("Round $i");
+
+		&mov($tmp1,&DWP($i*4,$a,"",0)); 	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0)); 	# *b
+		&add($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &add($tmp1,$tmp2);
+		&adc($c,0);
+		 &mov(&DWP($i*4,$r,"",0),$tmp1); 	# *r
+		}
+
+	&comment("");
+	&add($a,32);
+	 &add($b,32);
+	&add($r,32);
+	 &sub($num,8);
+	&jnz(&label("aw_loop"));
+
+	&set_label("aw_finish",0);
+	&mov($num,&wparam(3));	# get num
+	&and($num,7);
+	 &jz(&label("aw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov($tmp1,&DWP($i*4,$a,"",0));	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+		&add($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &add($tmp1,$tmp2);
+		&adc($c,0);
+		 &dec($num) if ($i != 6);
+		&mov(&DWP($i*4,$r,"",0),$tmp1);	# *a
+		 &jz(&label("aw_end")) if ($i != 6);
+		}
+	&set_label("aw_end",0);
+
+#	&mov("eax",$c);		# $c is "eax"
+
+	&function_end($name);
+	}
+
+sub bn_sub_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$a="esi";
+	$b="edi";
+	$c="eax";
+	$r="ebx";
+	$tmp1="ecx";
+	$tmp2="edx";
+	$num="ebp";
+
+	&mov($r,&wparam(0));	# get r
+	 &mov($a,&wparam(1));	# get a
+	&mov($b,&wparam(2));	# get b
+	 &mov($num,&wparam(3));	# get num
+	&xor($c,$c);		# clear carry
+	 &and($num,0xfffffff8);	# num / 8
+
+	&jz(&label("aw_finish"));
+
+	&set_label("aw_loop",0);
+	for ($i=0; $i<8; $i++)
+		{
+		&comment("Round $i");
+
+		&mov($tmp1,&DWP($i*4,$a,"",0)); 	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0)); 	# *b
+		&sub($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &sub($tmp1,$tmp2);
+		&adc($c,0);
+		 &mov(&DWP($i*4,$r,"",0),$tmp1); 	# *r
+		}
+
+	&comment("");
+	&add($a,32);
+	 &add($b,32);
+	&add($r,32);
+	 &sub($num,8);
+	&jnz(&label("aw_loop"));
+
+	&set_label("aw_finish",0);
+	&mov($num,&wparam(3));	# get num
+	&and($num,7);
+	 &jz(&label("aw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov($tmp1,&DWP($i*4,$a,"",0));	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+		&sub($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &sub($tmp1,$tmp2);
+		&adc($c,0);
+		 &dec($num) if ($i != 6);
+		&mov(&DWP($i*4,$r,"",0),$tmp1);	# *a
+		 &jz(&label("aw_end")) if ($i != 6);
+		}
+	&set_label("aw_end",0);
+
+#	&mov("eax",$c);		# $c is "eax"
+
+	&function_end($name);
+	}
+
diff --git a/crypto/openssl/crypto/bn/asm/bn-alpha.pl b/crypto/openssl/crypto/bn/asm/bn-alpha.pl
new file mode 100644
index 0000000..302edf2
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/bn-alpha.pl
@@ -0,0 +1,571 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+$d=&data();
+$d =~ s/CC/0/g;
+$d =~ s/R1/1/g;
+$d =~ s/R2/2/g;
+$d =~ s/R3/3/g;
+$d =~ s/R4/4/g;
+$d =~ s/L1/5/g;
+$d =~ s/L2/6/g;
+$d =~ s/L3/7/g;
+$d =~ s/L4/8/g;
+$d =~ s/O1/22/g;
+$d =~ s/O2/23/g;
+$d =~ s/O3/24/g;
+$d =~ s/O4/25/g;
+$d =~ s/A1/20/g;
+$d =~ s/A2/21/g;
+$d =~ s/A3/27/g;
+$d =~ s/A4/28/g;
+if (0){
+}
+
+print $d;
+
+sub data
+	{
+	local($data)=<<'EOF';
+
+ # DEC Alpha assember
+ # The bn_div_words is actually gcc output but the other parts are hand done.
+ # Thanks to tzeruch@ceddec.com for sending me the gcc output for
+ # bn_div_words.
+ # I've gone back and re-done most of routines.
+ # The key thing to remeber for the 164 CPU is that while a
+ # multiply operation takes 8 cycles, another one can only be issued
+ # after 4 cycles have elapsed.  I've done modification to help
+ # improve this.  Also, normally, a ld instruction will not be available
+ # for about 3 cycles.
+	.file	1 "bn_asm.c"
+	.set noat
+gcc2_compiled.:
+__gnu_compiled_c:
+	.text
+	.align 3
+	.globl bn_mul_add_words
+	.ent bn_mul_add_words
+bn_mul_add_words:
+bn_mul_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$CC
+	blt	$18,$43		# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$A1,0($17)	# 1 1
+	ldq	$R1,0($16)	# 1 1
+	.align 3
+$42:
+	mulq	$A1,$19,$L1	# 1 2 1	######
+	ldq	$A2,8($17)	# 2 1
+	ldq	$R2,8($16)	# 2 1
+	umulh	$A1,$19,$A1	# 1 2	######
+	ldq	$A3,16($17)	# 3 1
+	ldq	$R3,16($16)	# 3 1
+	mulq	$A2,$19,$L2	# 2 2 1	######
+	 ldq	$A4,24($17)	# 4 1
+	addq	$R1,$L1,$R1	# 1 2 2
+	 ldq	$R4,24($16)	# 4 1
+	umulh	$A2,$19,$A2	# 2 2	######
+	 cmpult	$R1,$L1,$O1	# 1 2 3 1
+	addq	$A1,$O1,$A1	# 1 3 1
+	 addq	$R1,$CC,$R1	# 1 2 3 1
+	mulq	$A3,$19,$L3	# 3 2 1	######
+	 cmpult	$R1,$CC,$CC	# 1 2 3 2
+	addq	$R2,$L2,$R2	# 2 2 2
+	 addq	$A1,$CC,$CC	# 1 3 2 
+	cmpult	$R2,$L2,$O2	# 2 2 3 1
+	 addq	$A2,$O2,$A2	# 2 3 1
+	umulh	$A3,$19,$A3	# 3 2	######
+	 addq	$R2,$CC,$R2	# 2 2 3 1
+	cmpult	$R2,$CC,$CC	# 2 2 3 2
+	 subq	$18,4,$18
+	mulq	$A4,$19,$L4	# 4 2 1	######
+	 addq	$A2,$CC,$CC	# 2 3 2 
+	addq	$R3,$L3,$R3	# 3 2 2
+	 addq	$16,32,$16
+	cmpult	$R3,$L3,$O3	# 3 2 3 1
+	 stq	$R1,-32($16)	# 1 2 4
+	umulh	$A4,$19,$A4	# 4 2	######
+	 addq	$A3,$O3,$A3	# 3 3 1
+	addq	$R3,$CC,$R3	# 3 2 3 1
+	 stq	$R2,-24($16)	# 2 2 4
+	cmpult	$R3,$CC,$CC	# 3 2 3 2
+	 stq	$R3,-16($16)	# 3 2 4
+	addq	$R4,$L4,$R4	# 4 2 2
+	 addq	$A3,$CC,$CC	# 3 3 2 
+	cmpult	$R4,$L4,$O4	# 4 2 3 1
+	 addq	$17,32,$17
+	addq	$A4,$O4,$A4	# 4 3 1
+	 addq	$R4,$CC,$R4	# 4 2 3 1
+	cmpult	$R4,$CC,$CC	# 4 2 3 2
+	 stq	$R4,-8($16)	# 4 2 4
+	addq	$A4,$CC,$CC	# 4 3 2 
+	 blt	$18,$43
+
+	ldq	$A1,0($17)	# 1 1
+	ldq	$R1,0($16)	# 1 1
+
+	br	$42
+
+	.align 4
+$45:
+	ldq	$A1,0($17)	# 4 1
+	ldq	$R1,0($16)	# 4 1
+	mulq	$A1,$19,$L1	# 4 2 1
+	subq	$18,1,$18
+	addq	$16,8,$16
+	addq	$17,8,$17
+	umulh	$A1,$19,$A1	# 4 2
+	addq	$R1,$L1,$R1	# 4 2 2
+	cmpult	$R1,$L1,$O1	# 4 2 3 1
+	addq	$A1,$O1,$A1	# 4 3 1
+	addq	$R1,$CC,$R1	# 4 2 3 1
+	cmpult	$R1,$CC,$CC	# 4 2 3 2
+	addq	$A1,$CC,$CC	# 4 3 2 
+	stq	$R1,-8($16)	# 4 2 4
+	bgt	$18,$45
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$43:
+	addq	$18,4,$18
+	bgt	$18,$45		# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_add_words
+	.align 3
+	.globl bn_mul_words
+	.ent bn_mul_words
+bn_mul_words:
+bn_mul_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+	.align 5
+	subq	$18,4,$18
+	bis	$31,$31,$CC
+	blt	$18,$143	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$A1,0($17)	# 1 1
+	.align 3
+$142:
+
+	mulq	$A1,$19,$L1	# 1 2 1	#####
+	 ldq	$A2,8($17)	# 2 1
+	 ldq	$A3,16($17)	# 3 1
+	umulh	$A1,$19,$A1	# 1 2	#####
+	 ldq	$A4,24($17)	# 4 1
+	mulq	$A2,$19,$L2	# 2 2 1	#####
+	 addq	$L1,$CC,$L1	# 1 2 3 1
+	subq	$18,4,$18
+	 cmpult	$L1,$CC,$CC	# 1 2 3 2
+	umulh	$A2,$19,$A2	# 2 2	#####
+	 addq	$A1,$CC,$CC	# 1 3 2 
+	addq	$17,32,$17
+	 addq	$L2,$CC,$L2	# 2 2 3 1
+	mulq	$A3,$19,$L3	# 3 2 1	#####
+	 cmpult	$L2,$CC,$CC	# 2 2 3 2
+	addq	$A2,$CC,$CC	# 2 3 2 
+	 addq	$16,32,$16
+	umulh	$A3,$19,$A3	# 3 2	#####
+	 stq	$L1,-32($16)	# 1 2 4
+	mulq	$A4,$19,$L4	# 4 2 1	#####
+	 addq	$L3,$CC,$L3	# 3 2 3 1
+	stq	$L2,-24($16)	# 2 2 4
+	 cmpult	$L3,$CC,$CC	# 3 2 3 2
+	umulh	$A4,$19,$A4	# 4 2	#####
+	 addq	$A3,$CC,$CC	# 3 3 2 
+	stq	$L3,-16($16)	# 3 2 4
+	 addq	$L4,$CC,$L4	# 4 2 3 1
+	cmpult	$L4,$CC,$CC	# 4 2 3 2
+
+	addq	$A4,$CC,$CC	# 4 3 2 
+
+	stq	$L4,-8($16)	# 4 2 4
+
+	blt	$18,$143
+
+	ldq	$A1,0($17)	# 1 1
+
+	br	$142
+
+	.align 4
+$145:
+	ldq	$A1,0($17)	# 4 1
+	mulq	$A1,$19,$L1	# 4 2 1
+	subq	$18,1,$18
+	umulh	$A1,$19,$A1	# 4 2
+	addq	$L1,$CC,$L1	# 4 2 3 1
+	 addq	$16,8,$16
+	cmpult	$L1,$CC,$CC	# 4 2 3 2
+	 addq	$17,8,$17
+	addq	$A1,$CC,$CC	# 4 3 2 
+	stq	$L1,-8($16)	# 4 2 4
+
+	bgt	$18,$145
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$143:
+	addq	$18,4,$18
+	bgt	$18,$145	# goto tail code
+	ret	$31,($26),1	# else exit
+
+	.end bn_mul_words
+	.align 3
+	.globl bn_sqr_words
+	.ent bn_sqr_words
+bn_sqr_words:
+bn_sqr_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$18,4,$18
+	blt	$18,$543	# if we are -1, -2, -3 or -4 goto tail code
+	ldq	$A1,0($17)	# 1 1
+	.align 3
+$542:
+	mulq	$A1,$A1,$L1		######
+	 ldq	$A2,8($17)	# 1 1
+	subq	$18,4
+ 	umulh	$A1,$A1,$R1		######
+	ldq	$A3,16($17)	# 1 1
+	mulq	$A2,$A2,$L2		######
+	ldq	$A4,24($17)	# 1 1
+	stq	$L1,0($16)	# r[0]
+ 	umulh	$A2,$A2,$R2		######
+	stq	$R1,8($16)	# r[1]
+	mulq	$A3,$A3,$L3		######
+	stq	$L2,16($16)	# r[0]
+ 	umulh	$A3,$A3,$R3		######
+	stq	$R2,24($16)	# r[1]
+	mulq	$A4,$A4,$L4		######
+	stq	$L3,32($16)	# r[0]
+ 	umulh	$A4,$A4,$R4		######
+	stq	$R3,40($16)	# r[1]
+
+ 	addq	$16,64,$16
+ 	addq	$17,32,$17
+	stq	$L4,-16($16)	# r[0]
+	stq	$R4,-8($16)	# r[1]
+
+	blt	$18,$543
+	ldq	$A1,0($17)	# 1 1
+ 	br 	$542
+
+$442:
+	ldq	$A1,0($17)   # a[0]
+	mulq	$A1,$A1,$L1  # a[0]*w low part       r2
+	addq	$16,16,$16
+	addq	$17,8,$17
+	subq	$18,1,$18
+        umulh	$A1,$A1,$R1  # a[0]*w high part       r3
+	stq	$L1,-16($16)   # r[0]
+        stq	$R1,-8($16)   # r[1]
+
+	bgt	$18,$442
+	ret	$31,($26),1	# else exit
+
+	.align 4
+$543:
+	addq	$18,4,$18
+	bgt	$18,$442	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_sqr_words
+
+	.align 3
+	.globl bn_add_words
+	.ent bn_add_words
+bn_add_words:
+bn_add_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,4,$19
+	bis	$31,$31,$CC	# carry = 0
+	blt	$19,$900
+	ldq	$L1,0($17)	# a[0]
+	ldq	$R1,0($18)	# b[1]
+	.align 3
+$901:
+	addq	$R1,$L1,$R1	# r=a+b;
+	 ldq	$L2,8($17)	# a[1]
+	cmpult	$R1,$L1,$O1	# did we overflow?
+	 ldq	$R2,8($18)	# b[1]
+	addq	$R1,$CC,$R1	# c+= overflow
+	 ldq	$L3,16($17)	# a[2]
+	cmpult	$R1,$CC,$CC	# overflow?
+	 ldq	$R3,16($18)	# b[2]
+	addq	$CC,$O1,$CC
+	 ldq	$L4,24($17)	# a[3]
+	addq	$R2,$L2,$R2	# r=a+b;
+	 ldq	$R4,24($18)	# b[3]
+	cmpult	$R2,$L2,$O2	# did we overflow?
+	 addq	$R3,$L3,$R3	# r=a+b;
+	addq	$R2,$CC,$R2	# c+= overflow
+	 cmpult	$R3,$L3,$O3	# did we overflow?
+	cmpult	$R2,$CC,$CC	# overflow?
+	 addq	$R4,$L4,$R4	# r=a+b;
+	addq	$CC,$O2,$CC
+	 cmpult	$R4,$L4,$O4	# did we overflow?
+	addq	$R3,$CC,$R3	# c+= overflow
+	 stq	$R1,0($16)	# r[0]=c
+	cmpult	$R3,$CC,$CC	# overflow?
+	 stq	$R2,8($16)	# r[1]=c
+	addq	$CC,$O3,$CC
+	 stq	$R3,16($16)	# r[2]=c
+	addq	$R4,$CC,$R4	# c+= overflow
+	 subq	$19,4,$19	# loop--
+	cmpult	$R4,$CC,$CC	# overflow?
+	 addq	$17,32,$17	# a++
+	addq	$CC,$O4,$CC
+	 stq	$R4,24($16)	# r[3]=c
+	addq	$18,32,$18	# b++
+	 addq	$16,32,$16	# r++
+
+	blt	$19,$900
+	 ldq	$L1,0($17)	# a[0]
+	ldq	$R1,0($18)	# b[1]
+	 br	$901
+	.align 4
+$945:
+	ldq	$L1,0($17)	# a[0]
+	 ldq	$R1,0($18)	# b[1]
+	addq	$R1,$L1,$R1	# r=a+b;
+	 subq	$19,1,$19	# loop--
+	addq	$R1,$CC,$R1	# c+= overflow
+	 addq	$17,8,$17	# a++
+	cmpult	$R1,$L1,$O1	# did we overflow?
+	 cmpult	$R1,$CC,$CC	# overflow?
+	addq	$18,8,$18	# b++
+	 stq	$R1,0($16)	# r[0]=c
+	addq	$CC,$O1,$CC
+	 addq	$16,8,$16	# r++
+
+	bgt	$19,$945
+	ret	$31,($26),1	# else exit
+
+$900:
+	addq	$19,4,$19
+	bgt	$19,$945	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_add_words
+
+	.align 3
+	.globl bn_sub_words
+	.ent bn_sub_words
+bn_sub_words:
+bn_sub_words..ng:
+	.frame $30,0,$26,0
+	.prologue 0
+
+	subq	$19,4,$19
+	bis	$31,$31,$CC	# carry = 0
+ br	$800
+	blt	$19,$800
+	ldq	$L1,0($17)	# a[0]
+	ldq	$R1,0($18)	# b[1]
+	.align 3
+$801:
+	addq	$R1,$L1,$R1	# r=a+b;
+	 ldq	$L2,8($17)	# a[1]
+	cmpult	$R1,$L1,$O1	# did we overflow?
+	 ldq	$R2,8($18)	# b[1]
+	addq	$R1,$CC,$R1	# c+= overflow
+	 ldq	$L3,16($17)	# a[2]
+	cmpult	$R1,$CC,$CC	# overflow?
+	 ldq	$R3,16($18)	# b[2]
+	addq	$CC,$O1,$CC
+	 ldq	$L4,24($17)	# a[3]
+	addq	$R2,$L2,$R2	# r=a+b;
+	 ldq	$R4,24($18)	# b[3]
+	cmpult	$R2,$L2,$O2	# did we overflow?
+	 addq	$R3,$L3,$R3	# r=a+b;
+	addq	$R2,$CC,$R2	# c+= overflow
+	 cmpult	$R3,$L3,$O3	# did we overflow?
+	cmpult	$R2,$CC,$CC	# overflow?
+	 addq	$R4,$L4,$R4	# r=a+b;
+	addq	$CC,$O2,$CC
+	 cmpult	$R4,$L4,$O4	# did we overflow?
+	addq	$R3,$CC,$R3	# c+= overflow
+	 stq	$R1,0($16)	# r[0]=c
+	cmpult	$R3,$CC,$CC	# overflow?
+	 stq	$R2,8($16)	# r[1]=c
+	addq	$CC,$O3,$CC
+	 stq	$R3,16($16)	# r[2]=c
+	addq	$R4,$CC,$R4	# c+= overflow
+	 subq	$19,4,$19	# loop--
+	cmpult	$R4,$CC,$CC	# overflow?
+	 addq	$17,32,$17	# a++
+	addq	$CC,$O4,$CC
+	 stq	$R4,24($16)	# r[3]=c
+	addq	$18,32,$18	# b++
+	 addq	$16,32,$16	# r++
+
+	blt	$19,$800
+	 ldq	$L1,0($17)	# a[0]
+	ldq	$R1,0($18)	# b[1]
+	 br	$801
+	.align 4
+$845:
+	ldq	$L1,0($17)	# a[0]
+	 ldq	$R1,0($18)	# b[1]
+	cmpult	$L1,$R1,$O1	# will we borrow?
+	 subq	$L1,$R1,$R1	# r=a-b;
+	subq	$19,1,$19	# loop--
+	 cmpult  $R1,$CC,$O2	# will we borrow?
+	subq	$R1,$CC,$R1	# c+= overflow
+	 addq	$17,8,$17	# a++
+	addq	$18,8,$18	# b++
+	 stq	$R1,0($16)	# r[0]=c
+	addq	$O2,$O1,$CC
+	 addq	$16,8,$16	# r++
+
+	bgt	$19,$845
+	ret	$31,($26),1	# else exit
+
+$800:
+	addq	$19,4,$19
+	bgt	$19,$845	# goto tail code
+	ret	$31,($26),1	# else exit
+	.end bn_sub_words
+
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+	.align 3
+	.globl bn_div_words
+	.ent bn_div_words
+bn_div_words:
+	ldgp $29,0($27)
+bn_div_words..ng:
+	lda $30,-48($30)
+	.frame $30,48,$26,0
+	stq $26,0($30)
+	stq $9,8($30)
+	stq $10,16($30)
+	stq $11,24($30)
+	stq $12,32($30)
+	stq $13,40($30)
+	.mask 0x4003e00,-48
+	.prologue 1
+	bis $16,$16,$9
+	bis $17,$17,$10
+	bis $18,$18,$11
+	bis $31,$31,$13
+	bis $31,2,$12
+	bne $11,$119
+	lda $0,-1
+	br $31,$136
+	.align 4
+$119:
+	bis $11,$11,$16
+	jsr $26,BN_num_bits_word
+	ldgp $29,0($26)
+	subq $0,64,$1
+	beq $1,$120
+	bis $31,1,$1
+	sll $1,$0,$1
+	cmpule $9,$1,$1
+	bne $1,$120
+ #	lda $16,_IO_stderr_
+ #	lda $17,$C32
+ #	bis $0,$0,$18
+ #	jsr $26,fprintf
+ #	ldgp $29,0($26)
+	jsr $26,abort
+	ldgp $29,0($26)
+	.align 4
+$120:
+	bis $31,64,$3
+	cmpult $9,$11,$2
+	subq $3,$0,$1
+	addl $1,$31,$0
+	subq $9,$11,$1
+	cmoveq $2,$1,$9
+	beq $0,$122
+	zapnot $0,15,$2
+	subq $3,$0,$1
+	sll $11,$2,$11
+	sll $9,$2,$3
+	srl $10,$1,$1
+	sll $10,$2,$10
+	bis $3,$1,$9
+$122:
+	srl $11,32,$5
+	zapnot $11,15,$6
+	lda $7,-1
+	.align 5
+$123:
+	srl $9,32,$1
+	subq $1,$5,$1
+	bne $1,$126
+	zapnot $7,15,$27
+	br $31,$127
+	.align 4
+$126:
+	bis $9,$9,$24
+	bis $5,$5,$25
+	divqu $24,$25,$27
+$127:
+	srl $10,32,$4
+	.align 5
+$128:
+	mulq $27,$5,$1
+	subq $9,$1,$3
+	zapnot $3,240,$1
+	bne $1,$129
+	mulq $6,$27,$2
+	sll $3,32,$1
+	addq $1,$4,$1
+	cmpule $2,$1,$2
+	bne $2,$129
+	subq $27,1,$27
+	br $31,$128
+	.align 4
+$129:
+	mulq $27,$6,$1
+	mulq $27,$5,$4
+	srl $1,32,$3
+	sll $1,32,$1
+	addq $4,$3,$4
+	cmpult $10,$1,$2
+	subq $10,$1,$10
+	addq $2,$4,$2
+	cmpult $9,$2,$1
+	bis $2,$2,$4
+	beq $1,$134
+	addq $9,$11,$9
+	subq $27,1,$27
+$134:
+	subl $12,1,$12
+	subq $9,$4,$9
+	beq $12,$124
+	sll $27,32,$13
+	sll $9,32,$2
+	srl $10,32,$1
+	sll $10,32,$10
+	bis $2,$1,$9
+	br $31,$123
+	.align 4
+$124:
+	bis $13,$27,$0
+$136:
+	ldq $26,0($30)
+	ldq $9,8($30)
+	ldq $10,16($30)
+	ldq $11,24($30)
+	ldq $12,32($30)
+	ldq $13,40($30)
+	addq $30,48,$30
+	ret $31,($26),1
+	.end bn_div_words
+EOF
+	return($data);
+	}
+
diff --git a/crypto/openssl/crypto/bn/asm/ca.pl b/crypto/openssl/crypto/bn/asm/ca.pl
new file mode 100644
index 0000000..c1ce67a
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/ca.pl
@@ -0,0 +1,33 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "alpha.pl";
+require "alpha/mul_add.pl";
+require "alpha/mul.pl";
+require "alpha/sqr.pl";
+require "alpha/add.pl";
+require "alpha/sub.pl";
+require "alpha/mul_c8.pl";
+require "alpha/mul_c4.pl";
+require "alpha/sqr_c4.pl";
+require "alpha/sqr_c8.pl";
+require "alpha/div.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_mul_add_words("bn_mul_add_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+&bn_div_words("bn_div_words");
+&bn_mul_comba8("bn_mul_comba8");
+&bn_mul_comba4("bn_mul_comba4");
+&bn_sqr_comba4("bn_sqr_comba4");
+&bn_sqr_comba8("bn_sqr_comba8");
+
+&asm_finish();
+
diff --git a/crypto/openssl/crypto/bn/asm/co-586.pl b/crypto/openssl/crypto/bn/asm/co-586.pl
new file mode 100644
index 0000000..5d962cb
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/co-586.pl
@@ -0,0 +1,286 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
+sub mul_add_c
+	{
+	local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("mul a[$ai]*b[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$b,"",0));
+
+	&mul("edx");
+	&add($c0,"eax");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# laod next a
+	 &mov("eax",&wparam(0)) if $pos > 0;			# load r[]
+	 ###
+	&adc($c1,"edx");
+	 &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;	# laod next b
+	 &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;	# laod next b
+	 ###
+	&adc($c2,0);
+	 # is pos > 1, it means it is the last loop 
+	 &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;		# save r[];
+	&mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;		# laod next a
+	}
+
+sub sqr_add_c
+	{
+	local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("sqr a[$ai]*a[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$b,"",0));
+
+	if ($ai == $bi)
+		{ &mul("eax");}
+	else
+		{ &mul("edx");}
+	&add($c0,"eax");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# load next a
+	 ###
+	&adc($c1,"edx");
+	 &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+	 ###
+	&adc($c2,0);
+	 # is pos > 1, it means it is the last loop 
+	 &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;		# save r[];
+	&mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;		# load next b
+	}
+
+sub sqr_add_c2
+	{
+	local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("sqr a[$ai]*a[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$a,"",0));
+
+	if ($ai == $bi)
+		{ &mul("eax");}
+	else
+		{ &mul("edx");}
+	&add("eax","eax");
+	 ###
+	&adc("edx","edx");
+	 ###
+	&adc($c2,0);
+	 &add($c0,"eax");
+	&adc($c1,"edx");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# load next a
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;	# load next b
+	&adc($c2,0);
+	&mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;		# save r[];
+	 &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+	 ###
+	}
+
+sub bn_mul_comba
+	{
+	local($name,$num)=@_;
+	local($a,$b,$c0,$c1,$c2);
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($tot,$end);
+
+	&function_begin_B($name,"");
+
+	$c0="ebx";
+	$c1="ecx";
+	$c2="ebp";
+	$a="esi";
+	$b="edi";
+	
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+
+	&push("esi");
+	 &mov($a,&wparam(1));
+	&push("edi");
+	 &mov($b,&wparam(2));
+	&push("ebp");
+	 &push("ebx");
+
+	&xor($c0,$c0);
+	 &mov("eax",&DWP(0,$a,"",0));	# load the first word 
+	&xor($c1,$c1);
+	 &mov("edx",&DWP(0,$b,"",0));	# load the first second 
+
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+
+		&comment("################## Calculate word $i"); 
+
+		for ($j=$bs; $j<$end; $j++)
+			{
+			&xor($c2,$c2) if ($j == $bs);
+			if (($j+1) == $end)
+				{
+				$v=1;
+				$v=2 if (($i+1) == $tot);
+				}
+			else
+				{ $v=0; }
+			if (($j+1) != $end)
+				{
+				$na=($ai-1);
+				$nb=($bi+1);
+				}
+			else
+				{
+				$na=$as+($i < ($num-1));
+				$nb=$bs+($i >= ($num-1));
+				}
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+			&mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+			if ($v)
+				{
+				&comment("saved r[$i]");
+				# &mov("eax",&wparam(0));
+				# &mov(&DWP($i*4,"eax","",0),$c0);
+				($c0,$c1,$c2)=($c1,$c2,$c0);
+				}
+			$ai--;
+			$bi++;
+			}
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&comment("save r[$i]");
+	# &mov("eax",&wparam(0));
+	&mov(&DWP($i*4,"eax","",0),$c0);
+
+	&pop("ebx");
+	&pop("ebp");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+	&function_end_B($name);
+	}
+
+sub bn_sqr_comba
+	{
+	local($name,$num)=@_;
+	local($r,$a,$c0,$c1,$c2)=@_;
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($b,$tot,$end,$half);
+
+	&function_begin_B($name,"");
+
+	$c0="ebx";
+	$c1="ecx";
+	$c2="ebp";
+	$a="esi";
+	$r="edi";
+
+	&push("esi");
+	 &push("edi");
+	&push("ebp");
+	 &push("ebx");
+	&mov($r,&wparam(0));
+	 &mov($a,&wparam(1));
+	&xor($c0,$c0);
+	 &xor($c1,$c1);
+	&mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+
+		&comment("############### Calculate word $i");
+		for ($j=$bs; $j<$end; $j++)
+			{
+			&xor($c2,$c2) if ($j == $bs);
+			if (($ai-1) < ($bi+1))
+				{
+				$v=1;
+				$v=2 if ($i+1) == $tot;
+				}
+			else
+				{ $v=0; }
+			if (!$v)
+				{
+				$na=$ai-1;
+				$nb=$bi+1;
+				}
+			else
+				{
+				$na=$as+($i < ($num-1));
+				$nb=$bs+($i >= ($num-1));
+				}
+			if ($ai == $bi)
+				{
+				&sqr_add_c($r,$a,$ai,$bi,
+					$c0,$c1,$c2,$v,$i,$na,$nb);
+				}
+			else
+				{
+				&sqr_add_c2($r,$a,$ai,$bi,
+					$c0,$c1,$c2,$v,$i,$na,$nb);
+				}
+			if ($v)
+				{
+				&comment("saved r[$i]");
+				#&mov(&DWP($i*4,$r,"",0),$c0);
+				($c0,$c1,$c2)=($c1,$c2,$c0);
+				last;
+				}
+			$ai--;
+			$bi++;
+			}
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&mov(&DWP($i*4,$r,"",0),$c0);
+	&pop("ebx");
+	&pop("ebp");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+	&function_end_B($name);
+	}
diff --git a/crypto/openssl/crypto/bn/asm/co-alpha.pl b/crypto/openssl/crypto/bn/asm/co-alpha.pl
new file mode 100644
index 0000000..67dad3e
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/co-alpha.pl
@@ -0,0 +1,116 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "alpha.pl";
+
+&asm_init($ARGV[0],$0);
+
+print &bn_sub_words("bn_sub_words");
+
+&asm_finish();
+
+sub bn_sub_words
+	{
+	local($name)=@_;
+	local($cc,$a,$b,$r);
+
+	$cc="r0";
+	$a0="r1"; $b0="r5"; $r0="r9";  $tmp="r13";
+	$a1="r2"; $b1="r6"; $r1="r10"; $t1="r14";
+	$a2="r3"; $b2="r7"; $r2="r11";
+	$a3="r4"; $b3="r8"; $r3="r12"; $t3="r15";
+
+	$rp=&wparam(0);
+	$ap=&wparam(1);
+	$bp=&wparam(2);
+	$count=&wparam(3);
+
+	&function_begin($name,"");
+
+	&comment("");
+	&sub($count,4,$count);
+	&mov("zero",$cc);
+	&blt($count,&label("finish"));
+
+	&ld($a0,&QWPw(0,$ap));
+	&ld($b0,&QWPw(0,$bp));
+
+##########################################################
+	&set_label("loop");
+
+	&ld($a1,&QWPw(1,$ap));
+	 &cmpult($a0,$b0,$tmp);	# will we borrow?
+	&ld($b1,&QWPw(1,$bp));
+	 &sub($a0,$b0,$a0);		# do the subtract
+	&ld($a2,&QWPw(2,$ap));
+	 &cmpult($a0,$cc,$b0);	# will we borrow?
+	&ld($b2,&QWPw(2,$bp));
+	 &sub($a0,$cc,$a0);	# will we borrow?
+	&ld($a3,&QWPw(3,$ap));
+	 &add($b0,$tmp,$cc);	# add the borrows
+
+	&cmpult($a1,$b1,$t1);	# will we borrow?
+	 &sub($a1,$b1,$a1);	# do the subtract
+	&ld($b3,&QWPw(3,$bp));
+	 &cmpult($a1,$cc,$b1);	# will we borrow?
+	&sub($a1,$cc,$a1);	# will we borrow?
+	 &add($b1,$t1,$cc);	# add the borrows
+
+	&cmpult($a2,$b2,$tmp);	# will we borrow?
+	 &sub($a2,$b2,$a2);		# do the subtract
+	&st($a0,&QWPw(0,$rp));	# save
+	 &cmpult($a2,$cc,$b2);	# will we borrow?
+	&sub($a2,$cc,$a2);	# will we borrow?
+	 &add($b2,$tmp,$cc);	# add the borrows
+
+	&cmpult($a3,$b3,$t3);	# will we borrow?
+	 &sub($a3,$b3,$a3);		# do the subtract
+	&st($a1,&QWPw(1,$rp));	# save
+	 &cmpult($a3,$cc,$b3);	# will we borrow?
+	&sub($a3,$cc,$a3);	# will we borrow?
+	 &add($b3,$t3,$cc);	# add the borrows
+
+	&st($a2,&QWPw(2,$rp));	# save
+	 &sub($count,4,$count);	# count-=4
+	&st($a3,&QWPw(3,$rp));	# save
+	 &add($ap,4*$QWS,$ap);	# count+=4
+	&add($bp,4*$QWS,$bp);	# count+=4
+	 &add($rp,4*$QWS,$rp);	# count+=4
+
+	&blt($count,&label("finish"));
+	&ld($a0,&QWPw(0,$ap));
+	 &ld($b0,&QWPw(0,$bp));
+	&br(&label("loop"));
+##################################################
+	# Do the last 0..3 words
+
+	&set_label("last_loop");
+
+	&ld($a0,&QWPw(0,$ap));	# get a
+	 &ld($b0,&QWPw(0,$bp));	# get b
+	&cmpult($a0,$b0,$tmp);	# will we borrow?
+	&sub($a0,$b0,$a0);	# do the subtract
+	&cmpult($a0,$cc,$b0);	# will we borrow?
+	&sub($a0,$cc,$a0);	# will we borrow?
+	&st($a0,&QWPw(0,$rp));	# save
+	&add($b0,$tmp,$cc);	# add the borrows
+
+	&add($ap,$QWS,$ap);
+	&add($bp,$QWS,$bp);
+	&add($rp,$QWS,$rp);
+	&sub($count,1,$count);
+	&bgt($count,&label("last_loop"));
+	&function_end_A($name);
+
+######################################################
+	&set_label("finish");
+	&add($count,4,$count);
+	&bgt($count,&label("last_loop"));
+
+	&set_label("end");
+	&function_end($name);
+	}
+
diff --git a/crypto/openssl/crypto/bn/asm/mips1.s b/crypto/openssl/crypto/bn/asm/mips1.s
new file mode 100644
index 0000000..44fa125
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/mips1.s
@@ -0,0 +1,539 @@
+/* This assember is for R2000/R3000 machines, or higher ones that do
+ * no want to do any 64 bit arithmatic.
+ * Make sure that the SSLeay bignum library is compiled with 
+ * THIRTY_TWO_BIT set.
+ * This must either be compiled with the system CC, or, if you use GNU gas,
+ * cc -E mips1.s|gas -o mips1.o
+ */
+	.set	reorder
+	.set	noat
+
+#define R1	$1
+#define CC	$2
+#define	R2	$3
+#define R3	$8
+#define R4	$9
+#define L1	$10
+#define L2 	$11
+#define L3	$12
+#define L4 	$13
+#define H1 	$14
+#define H2	$15
+#define H3	$24
+#define H4	$25
+
+#define P1	$4
+#define P2	$5
+#define P3	$6
+#define P4	$7
+
+	.align	2
+	.ent	bn_mul_add_words
+	.globl	bn_mul_add_words
+.text
+bn_mul_add_words:
+	.frame	$sp,0,$31
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+
+	#blt	P3,4,$lab34
+	
+	subu	R1,P3,4
+	move	CC,$0
+	bltz	R1,$lab34
+$lab2:	
+	lw	R1,0(P1)
+	 lw	L1,0(P2)
+	lw	R2,4(P1)
+	 lw	L2,4(P2)
+	lw	R3,8(P1)
+	 lw	L3,8(P2)
+	lw	R4,12(P1)
+	 lw	L4,12(P2)
+	multu	L1,P4
+	 addu	R1,R1,CC
+	mflo	L1
+	 sltu	CC,R1,CC
+	addu	R1,R1,L1
+	 mfhi	H1
+	sltu	L1,R1,L1
+	 sw	R1,0(P1)
+	addu	CC,CC,L1
+	 multu	L2,P4
+	addu	CC,H1,CC
+	mflo	L2
+	 addu	R2,R2,CC
+	sltu	CC,R2,CC
+	 mfhi	H2
+	addu	R2,R2,L2
+	 addu	P2,P2,16
+	sltu	L2,R2,L2
+	 sw	R2,4(P1)
+	addu	CC,CC,L2
+	 multu	L3,P4
+	addu	CC,H2,CC
+	mflo	L3
+	 addu	R3,R3,CC
+	sltu	CC,R3,CC
+	 mfhi	H3
+	addu	R3,R3,L3
+	 addu	P1,P1,16
+	sltu	L3,R3,L3
+	 sw	R3,-8(P1)
+	addu	CC,CC,L3
+	 multu	L4,P4
+	addu	CC,H3,CC
+	mflo	L4
+	 addu	R4,R4,CC
+	sltu	CC,R4,CC
+	 mfhi	H4
+	addu	R4,R4,L4
+	 subu	P3,P3,4
+	sltu	L4,R4,L4
+	addu	CC,CC,L4
+	addu	CC,H4,CC
+
+	subu	R1,P3,4
+	sw	R4,-4(P1)	# delay slot
+	bgez	R1,$lab2
+
+	bleu	P3,0,$lab3
+	.align	2
+$lab33: 
+	lw	L1,0(P2)
+	 lw	R1,0(P1)
+	multu	L1,P4
+	 addu	R1,R1,CC
+	sltu	CC,R1,CC
+	 addu	P1,P1,4
+	mflo	L1
+	 mfhi	H1
+	addu	R1,R1,L1
+	 addu	P2,P2,4
+	sltu	L1,R1,L1
+	 subu	P3,P3,1
+	addu	CC,CC,L1
+	 sw	R1,-4(P1)
+	addu	CC,H1,CC
+	 bgtz	P3,$lab33
+	j	$31
+	.align	2
+$lab3:
+	j	$31
+	.align	2
+$lab34:
+	bgt	P3,0,$lab33
+	j	$31
+	.end	bn_mul_add_words
+
+	.align	2
+	# Program Unit: bn_mul_words
+	.ent	bn_mul_words
+	.globl	bn_mul_words
+.text
+bn_mul_words:
+	.frame	$sp,0,$31
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	
+	subu	P3,P3,4
+	move	CC,$0
+	bltz	P3,$lab45
+$lab44:	
+	lw	L1,0(P2)
+	 lw	L2,4(P2)
+	lw	L3,8(P2)
+	 lw	L4,12(P2)
+	multu	L1,P4
+	 subu	P3,P3,4
+	mflo	L1
+	 mfhi	H1
+	addu	L1,L1,CC
+	 multu	L2,P4
+	sltu	CC,L1,CC
+	 sw	L1,0(P1)
+	addu	CC,H1,CC
+	 mflo	L2
+	mfhi	H2
+	 addu	L2,L2,CC
+	multu	L3,P4
+	 sltu	CC,L2,CC
+	sw	L2,4(P1)
+	 addu	CC,H2,CC
+	mflo	L3
+	 mfhi	H3
+	addu	L3,L3,CC
+	 multu	L4,P4
+	sltu	CC,L3,CC
+	 sw	L3,8(P1)
+	addu	CC,H3,CC
+	 mflo	L4
+	mfhi	H4
+	 addu	L4,L4,CC
+	addu	P1,P1,16
+	 sltu	CC,L4,CC
+	addu	P2,P2,16
+	 addu	CC,H4,CC
+	sw	L4,-4(P1)
+
+	bgez	P3,$lab44
+	b	$lab45
+$lab46:
+	lw	L1,0(P2)
+	 addu	P1,P1,4
+	multu	L1,P4
+	 addu	P2,P2,4
+	mflo	L1
+	 mfhi	H1
+	addu	L1,L1,CC
+	 subu	P3,P3,1
+	sltu	CC,L1,CC
+	 sw	L1,-4(P1)
+	addu	CC,H1,CC
+	 bgtz	P3,$lab46
+	j	$31
+$lab45:
+	addu	P3,P3,4
+	bgtz	P3,$lab46
+	j	$31
+	.align	2
+	.end	bn_mul_words
+
+	# Program Unit: bn_sqr_words
+	.ent	bn_sqr_words
+	.globl	bn_sqr_words
+.text
+bn_sqr_words:
+	.frame	$sp,0,$31
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	
+	subu	P3,P3,4
+	bltz	P3,$lab55
+$lab54:
+	lw	L1,0(P2)
+	 lw	L2,4(P2)
+	lw	L3,8(P2)
+	 lw	L4,12(P2)
+
+	multu	L1,L1
+	 subu	P3,P3,4
+	mflo	L1
+	 mfhi	H1
+	sw	L1,0(P1)
+	 sw	H1,4(P1)
+
+	multu	L2,L2
+	 addu	P1,P1,32
+	mflo	L2
+	 mfhi	H2
+	sw	L2,-24(P1)
+	 sw	H2,-20(P1)
+
+	multu	L3,L3
+	 addu	P2,P2,16
+	mflo	L3
+	 mfhi	H3
+	sw	L3,-16(P1)
+	 sw	H3,-12(P1)
+
+	multu	L4,L4
+
+	mflo	L4
+	 mfhi	H4
+	sw	L4,-8(P1)
+	 sw	H4,-4(P1)
+
+	bgtz	P3,$lab54
+	b	$lab55
+$lab56:	
+	lw	L1,0(P2)
+	addu	P1,P1,8
+	multu	L1,L1
+	addu	P2,P2,4
+	subu	P3,P3,1
+	mflo	L1
+	mfhi	H1
+	sw	L1,-8(P1)
+	sw	H1,-4(P1)
+
+	bgtz	P3,$lab56
+	j	$31
+$lab55:
+	addu	P3,P3,4
+	bgtz	P3,$lab56
+	j	$31
+	.align	2
+	.end	bn_sqr_words
+
+	# Program Unit: bn_add_words
+	.ent	bn_add_words
+	.globl	bn_add_words
+.text
+bn_add_words: 	 # 0x590
+	.frame	$sp,0,$31
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	
+	subu	P4,P4,4
+	move	CC,$0
+	bltz	P4,$lab65
+$lab64:	
+	lw	L1,0(P2)
+	lw	R1,0(P3)
+	lw	L2,4(P2)
+	lw	R2,4(P3)
+
+	addu	L1,L1,CC
+	 lw	L3,8(P2)
+	sltu	CC,L1,CC
+	 addu	L1,L1,R1
+	sltu	R1,L1,R1
+	 lw	R3,8(P3)
+	addu	CC,CC,R1
+	 lw	L4,12(P2)
+
+	addu	L2,L2,CC
+	 lw	R4,12(P3)
+	sltu	CC,L2,CC
+	 addu	L2,L2,R2
+	sltu	R2,L2,R2
+	 sw	L1,0(P1)
+	addu	CC,CC,R2
+	 addu	P1,P1,16
+	addu	L3,L3,CC
+	 sw	L2,-12(P1)
+ 
+	sltu	CC,L3,CC
+	 addu	L3,L3,R3
+	sltu	R3,L3,R3
+	 addu	P2,P2,16
+	addu	CC,CC,R3
+
+	addu	L4,L4,CC
+	 addu	P3,P3,16
+	sltu	CC,L4,CC
+	 addu	L4,L4,R4
+	subu	P4,P4,4
+	 sltu	R4,L4,R4
+	sw	L3,-8(P1)
+	 addu	CC,CC,R4
+	sw	L4,-4(P1)
+
+	bgtz	P4,$lab64
+	b	$lab65
+$lab66:
+	lw	L1,0(P2)
+	 lw	R1,0(P3)
+	addu	L1,L1,CC
+	 addu	P1,P1,4
+	sltu	CC,L1,CC
+	 addu	P2,P2,4
+	addu	P3,P3,4
+	 addu	L1,L1,R1
+	subu	P4,P4,1
+	 sltu	R1,L1,R1
+	sw	L1,-4(P1)
+	 addu	CC,CC,R1
+
+	bgtz	P4,$lab66
+	j	$31
+$lab65:
+	addu	P4,P4,4
+	bgtz	P4,$lab66
+	j	$31
+	.end	bn_add_words
+
+	# Program Unit: bn_div64
+	.set	at
+	.set	reorder
+	.text	
+	.align	2
+	.globl	bn_div64
+ # 321		{
+	.ent	bn_div64 2
+bn_div64:
+	subu	$sp, 64
+	sw	$31, 56($sp)
+	sw	$16, 48($sp)
+	.mask	0x80010000, -56
+	.frame	$sp, 64, $31
+	move	$9, $4
+	move	$12, $5
+	move	$16, $6
+ # 322		BN_ULONG dh,dl,q,ret=0,th,tl,t;
+	move	$31, $0
+ # 323		int i,count=2;
+	li	$13, 2
+ # 324	
+ # 325		if (d == 0) return(BN_MASK2);
+	bne	$16, 0, $80
+	li	$2, -1
+	b	$93
+$80:
+ # 326	
+ # 327		i=BN_num_bits_word(d);
+	move	$4, $16
+	sw	$31, 16($sp)
+	sw	$9, 24($sp)
+	sw	$12, 32($sp)
+	sw	$13, 40($sp)
+	.livereg	0x800ff0e,0xfff
+	jal	BN_num_bits_word
+	li	$4, 32
+	lw	$31, 16($sp)
+	lw	$9, 24($sp)
+	lw	$12, 32($sp)
+	lw	$13, 40($sp)
+	move	$3, $2
+ # 328		if ((i != BN_BITS2) && (h > (BN_ULONG)1<<i))
+	beq	$2, $4, $81
+	li	$14, 1
+	sll	$15, $14, $2
+	bleu	$9, $15, $81
+ # 329			{
+ # 330	#if !defined(NO_STDIO) && !defined(WIN16)
+ # 331			fprintf(stderr,"Division would overflow (%d)\n",i);
+ # 332	#endif
+ # 333			abort();
+	sw	$3, 8($sp)
+	sw	$9, 24($sp)
+	sw	$12, 32($sp)
+	sw	$13, 40($sp)
+	sw	$31, 26($sp)
+	.livereg	0xff0e,0xfff
+	jal	abort
+	lw	$3, 8($sp)
+	li	$4, 32
+	lw	$9, 24($sp)
+	lw	$12, 32($sp)
+	lw	$13, 40($sp)
+	lw	$31, 26($sp)
+ # 334			}
+$81:
+ # 335		i=BN_BITS2-i;
+	subu	$3, $4, $3
+ # 336		if (h >= d) h-=d;
+	bltu	$9, $16, $82
+	subu	$9, $9, $16
+$82:
+ # 337	
+ # 338		if (i)
+	beq	$3, 0, $83
+ # 339			{
+ # 340			d<<=i;
+	sll	$16, $16, $3
+ # 341			h=(h<<i)|(l>>(BN_BITS2-i));
+	sll	$24, $9, $3
+	subu	$25, $4, $3
+	srl	$14, $12, $25
+	or	$9, $24, $14
+ # 342			l<<=i;
+	sll	$12, $12, $3
+ # 343			}
+$83:
+ # 344		dh=(d&BN_MASK2h)>>BN_BITS4;
+ # 345		dl=(d&BN_MASK2l);
+	and	$8, $16, -65536
+	srl	$8, $8, 16
+	and	$10, $16, 65535
+	li	$6, -65536
+$84:
+ # 346		for (;;)
+ # 347			{
+ # 348			if ((h>>BN_BITS4) == dh)
+	srl	$15, $9, 16
+	bne	$8, $15, $85
+ # 349				q=BN_MASK2l;
+	li	$5, 65535
+	b	$86
+$85:
+ # 350			else
+ # 351				q=h/dh;
+	divu	$5, $9, $8
+$86:
+ # 352	
+ # 353			for (;;)
+ # 354				{
+ # 355				t=(h-q*dh);
+	mul	$4, $5, $8
+	subu	$2, $9, $4
+	move	$3, $2
+ # 356				if ((t&BN_MASK2h) ||
+ # 357					((dl*q) <= (
+ # 358						(t<<BN_BITS4)+
+ # 359						((l&BN_MASK2h)>>BN_BITS4))))
+	and	$25, $2, $6
+	bne	$25, $0, $87
+	mul	$24, $10, $5
+	sll	$14, $3, 16
+	and	$15, $12, $6
+	srl	$25, $15, 16
+	addu	$15, $14, $25
+	bgtu	$24, $15, $88
+$87:
+ # 360					break;
+	mul	$3, $10, $5
+	b	$89
+$88:
+ # 361				q--;
+	addu	$5, $5, -1
+ # 362				}
+	b	$86
+$89:
+ # 363			th=q*dh;
+ # 364			tl=q*dl;
+ # 365			t=(tl>>BN_BITS4);
+ # 366			tl=(tl<<BN_BITS4)&BN_MASK2h;
+	sll	$14, $3, 16
+	and	$2, $14, $6
+	move	$11, $2
+ # 367			th+=t;
+	srl	$25, $3, 16
+	addu	$7, $4, $25
+ # 368	
+ # 369			if (l < tl) th++;
+	bgeu	$12, $2, $90
+	addu	$7, $7, 1
+$90:
+ # 370			l-=tl;
+	subu	$12, $12, $11
+ # 371			if (h < th)
+	bgeu	$9, $7, $91
+ # 372				{
+ # 373				h+=d;
+	addu	$9, $9, $16
+ # 374				q--;
+	addu	$5, $5, -1
+ # 375				}
+$91:
+ # 376			h-=th;
+	subu	$9, $9, $7
+ # 377	
+ # 378			if (--count == 0) break;
+	addu	$13, $13, -1
+	beq	$13, 0, $92
+ # 379	
+ # 380			ret=q<<BN_BITS4;
+	sll	$31, $5, 16
+ # 381			h=((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2;
+	sll	$24, $9, 16
+	srl	$15, $12, 16
+	or	$9, $24, $15
+ # 382			l=(l&BN_MASK2l)<<BN_BITS4;
+	and	$12, $12, 65535
+	sll	$12, $12, 16
+ # 383			}
+	b	$84
+$92:
+ # 384		ret|=q;
+	or	$31, $31, $5
+ # 385		return(ret);
+	move	$2, $31
+$93:
+	lw	$16, 48($sp)
+	lw	$31, 56($sp)
+	addu	$sp, 64
+	j	$31
+	.end	bn_div64
+
diff --git a/crypto/openssl/crypto/bn/asm/mips3.s b/crypto/openssl/crypto/bn/asm/mips3.s
new file mode 100644
index 0000000..2df4dcd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/mips3.s
@@ -0,0 +1,2141 @@
+.rdata
+.asciiz "mips3.s, Version 1.0"
+.asciiz	"MIPS III/IV ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to the OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * The module is designed to work with either of the "new" MIPS ABI(5),
+ * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under
+ * IRIX 5.x not only because it doesn't support new ABIs but also
+ * because 5.x kernels put R4x00 CPU into 32-bit mode and all those
+ * 64-bit instructions (daddu, dmultu, etc.) found below gonna only
+ * cause illegal instruction exception:-(
+ *
+ * In addition the code depends on preprocessor flags set up by MIPSpro
+ * compiler driver (either as or cc) and therefore (probably?) can't be
+ * compiled by the GNU assembler. GNU C driver manages fine though...
+ * I mean as long as -mmips-as is specified or is the default option,
+ * because then it simply invokes /usr/bin/as which in turn takes
+ * perfect care of the preprocessor definitions. Another neat feature
+ * offered by the MIPSpro assembler is an optimization pass. This gave
+ * me the opportunity to have the code looking more regular as all those
+ * architecture dependent instruction rescheduling details were left to
+ * the assembler. Cool, huh?
+ *
+ * Performance improvement is astonishing! 'apps/openssl speed rsa dsa'
+ * goes way over 3 times faster!
+ *
+ *					<appro@fy.chalmers.se>
+ */
+#include <asm.h>
+#include <regdef.h>
+
+#if _MIPS_ISA>=4
+#define	MOVNZ(cond,dst,src)	\
+	movn	dst,src,cond
+#else
+#define	MOVNZ(cond,dst,src)	\
+	.set	noreorder;	\
+	bnezl	cond,.+8;	\
+	move	dst,src;	\
+	.set	reorder
+#endif
+
+.text
+
+.set	noat
+.set	reorder
+
+#define	MINUS4	v1
+
+.align	5
+LEAF(bn_mul_add_words)
+	.set	noreorder
+	bgtzl	a2,.L_bn_mul_add_words_proceed
+	ld	t0,0(a1)
+	jr	ra
+	move	v0,zero
+	.set	reorder
+
+.L_bn_mul_add_words_proceed:
+	li	MINUS4,-4
+	and	ta0,a2,MINUS4
+	move	v0,zero
+	beqz	ta0,.L_bn_mul_add_words_tail
+
+.L_bn_mul_add_words_loop:
+	dmultu	t0,a3
+	ld	t1,0(a0)
+	ld	t2,8(a1)
+	ld	t3,8(a0)
+	ld	ta0,16(a1)
+	ld	ta1,16(a0)
+	daddu	t1,v0
+	sltu	v0,t1,v0	/* All manuals say it "compares 32-bit
+				 * values", but it seems to work fine
+				 * even on 64-bit registers. */
+	mflo	AT
+	mfhi	t0
+	daddu	t1,AT
+	daddu	v0,t0
+	sltu	AT,t1,AT
+	sd	t1,0(a0)
+	daddu	v0,AT
+
+	dmultu	t2,a3
+	ld	ta2,24(a1)
+	ld	ta3,24(a0)
+	daddu	t3,v0
+	sltu	v0,t3,v0
+	mflo	AT
+	mfhi	t2
+	daddu	t3,AT
+	daddu	v0,t2
+	sltu	AT,t3,AT
+	sd	t3,8(a0)
+	daddu	v0,AT
+
+	dmultu	ta0,a3
+	subu	a2,4
+	PTR_ADD	a0,32
+	PTR_ADD	a1,32
+	daddu	ta1,v0
+	sltu	v0,ta1,v0
+	mflo	AT
+	mfhi	ta0
+	daddu	ta1,AT
+	daddu	v0,ta0
+	sltu	AT,ta1,AT
+	sd	ta1,-16(a0)
+	daddu	v0,AT
+
+
+	dmultu	ta2,a3
+	and	ta0,a2,MINUS4
+	daddu	ta3,v0
+	sltu	v0,ta3,v0
+	mflo	AT
+	mfhi	ta2
+	daddu	ta3,AT
+	daddu	v0,ta2
+	sltu	AT,ta3,AT
+	sd	ta3,-8(a0)
+	daddu	v0,AT
+	.set	noreorder
+	bgtzl	ta0,.L_bn_mul_add_words_loop
+	ld	t0,0(a1)
+
+	bnezl	a2,.L_bn_mul_add_words_tail
+	ld	t0,0(a1)
+	.set	reorder
+
+.L_bn_mul_add_words_return:
+	jr	ra
+
+.L_bn_mul_add_words_tail:
+	dmultu	t0,a3
+	ld	t1,0(a0)
+	subu	a2,1
+	daddu	t1,v0
+	sltu	v0,t1,v0
+	mflo	AT
+	mfhi	t0
+	daddu	t1,AT
+	daddu	v0,t0
+	sltu	AT,t1,AT
+	sd	t1,0(a0)
+	daddu	v0,AT
+	beqz	a2,.L_bn_mul_add_words_return
+
+	ld	t0,8(a1)
+	dmultu	t0,a3
+	ld	t1,8(a0)
+	subu	a2,1
+	daddu	t1,v0
+	sltu	v0,t1,v0
+	mflo	AT
+	mfhi	t0
+	daddu	t1,AT
+	daddu	v0,t0
+	sltu	AT,t1,AT
+	sd	t1,8(a0)
+	daddu	v0,AT
+	beqz	a2,.L_bn_mul_add_words_return
+
+	ld	t0,16(a1)
+	dmultu	t0,a3
+	ld	t1,16(a0)
+	daddu	t1,v0
+	sltu	v0,t1,v0
+	mflo	AT
+	mfhi	t0
+	daddu	t1,AT
+	daddu	v0,t0
+	sltu	AT,t1,AT
+	sd	t1,16(a0)
+	daddu	v0,AT
+	jr	ra
+END(bn_mul_add_words)
+
+.align	5
+LEAF(bn_mul_words)
+	.set	noreorder
+	bgtzl	a2,.L_bn_mul_words_proceed
+	ld	t0,0(a1)
+	jr	ra
+	move	v0,zero
+	.set	reorder
+
+.L_bn_mul_words_proceed:
+	li	MINUS4,-4
+	and	ta0,a2,MINUS4
+	move	v0,zero
+	beqz	ta0,.L_bn_mul_words_tail
+
+.L_bn_mul_words_loop:
+	dmultu	t0,a3
+	ld	t2,8(a1)
+	ld	ta0,16(a1)
+	ld	ta2,24(a1)
+	mflo	AT
+	mfhi	t0
+	daddu	v0,AT
+	sltu	t1,v0,AT
+	sd	v0,0(a0)
+	daddu	v0,t1,t0
+
+	dmultu	t2,a3
+	subu	a2,4
+	PTR_ADD	a0,32
+	PTR_ADD	a1,32
+	mflo	AT
+	mfhi	t2
+	daddu	v0,AT
+	sltu	t3,v0,AT
+	sd	v0,-24(a0)
+	daddu	v0,t3,t2
+
+	dmultu	ta0,a3
+	mflo	AT
+	mfhi	ta0
+	daddu	v0,AT
+	sltu	ta1,v0,AT
+	sd	v0,-16(a0)
+	daddu	v0,ta1,ta0
+
+
+	dmultu	ta2,a3
+	and	ta0,a2,MINUS4
+	mflo	AT
+	mfhi	ta2
+	daddu	v0,AT
+	sltu	ta3,v0,AT
+	sd	v0,-8(a0)
+	daddu	v0,ta3,ta2
+	.set	noreorder
+	bgtzl	ta0,.L_bn_mul_words_loop
+	ld	t0,0(a1)
+
+	bnezl	a2,.L_bn_mul_words_tail
+	ld	t0,0(a1)
+	.set	reorder
+
+.L_bn_mul_words_return:
+	jr	ra
+
+.L_bn_mul_words_tail:
+	dmultu	t0,a3
+	subu	a2,1
+	mflo	AT
+	mfhi	t0
+	daddu	v0,AT
+	sltu	t1,v0,AT
+	sd	v0,0(a0)
+	daddu	v0,t1,t0
+	beqz	a2,.L_bn_mul_words_return
+
+	ld	t0,8(a1)
+	dmultu	t0,a3
+	subu	a2,1
+	mflo	AT
+	mfhi	t0
+	daddu	v0,AT
+	sltu	t1,v0,AT
+	sd	v0,8(a0)
+	daddu	v0,t1,t0
+	beqz	a2,.L_bn_mul_words_return
+
+	ld	t0,16(a1)
+	dmultu	t0,a3
+	mflo	AT
+	mfhi	t0
+	daddu	v0,AT
+	sltu	t1,v0,AT
+	sd	v0,16(a0)
+	daddu	v0,t1,t0
+	jr	ra
+END(bn_mul_words)
+
+.align	5
+LEAF(bn_sqr_words)
+	.set	noreorder
+	bgtzl	a2,.L_bn_sqr_words_proceed
+	ld	t0,0(a1)
+	jr	ra
+	move	v0,zero
+	.set	reorder
+
+.L_bn_sqr_words_proceed:
+	li	MINUS4,-4
+	and	ta0,a2,MINUS4
+	move	v0,zero
+	beqz	ta0,.L_bn_sqr_words_tail
+
+.L_bn_sqr_words_loop:
+	dmultu	t0,t0
+	ld	t2,8(a1)
+	ld	ta0,16(a1)
+	ld	ta2,24(a1)
+	mflo	t1
+	mfhi	t0
+	sd	t1,0(a0)
+	sd	t0,8(a0)
+
+	dmultu	t2,t2
+	subu	a2,4
+	PTR_ADD	a0,64
+	PTR_ADD	a1,32
+	mflo	t3
+	mfhi	t2
+	sd	t3,-48(a0)
+	sd	t2,-40(a0)
+
+	dmultu	ta0,ta0
+	mflo	ta1
+	mfhi	ta0
+	sd	ta1,-32(a0)
+	sd	ta0,-24(a0)
+
+
+	dmultu	ta2,ta2
+	and	ta0,a2,MINUS4
+	mflo	ta3
+	mfhi	ta2
+	sd	ta3,-16(a0)
+	sd	ta2,-8(a0)
+
+	.set	noreorder
+	bgtzl	ta0,.L_bn_sqr_words_loop
+	ld	t0,0(a1)
+
+	bnezl	a2,.L_bn_sqr_words_tail
+	ld	t0,0(a1)
+	.set	reorder
+
+.L_bn_sqr_words_return:
+	move	v0,zero
+	jr	ra
+
+.L_bn_sqr_words_tail:
+	dmultu	t0,t0
+	subu	a2,1
+	mflo	t1
+	mfhi	t0
+	sd	t1,0(a0)
+	sd	t0,8(a0)
+	beqz	a2,.L_bn_sqr_words_return
+
+	ld	t0,8(a1)
+	dmultu	t0,t0
+	subu	a2,1
+	mflo	t1
+	mfhi	t0
+	sd	t1,16(a0)
+	sd	t0,24(a0)
+	beqz	a2,.L_bn_sqr_words_return
+
+	ld	t0,16(a1)
+	dmultu	t0,t0
+	mflo	t1
+	mfhi	t0
+	sd	t1,32(a0)
+	sd	t0,40(a0)
+	jr	ra
+END(bn_sqr_words)
+
+.align	5
+LEAF(bn_add_words)
+	.set	noreorder
+	bgtzl	a3,.L_bn_add_words_proceed
+	ld	t0,0(a1)
+	jr	ra
+	move	v0,zero
+	.set	reorder
+
+.L_bn_add_words_proceed:
+	li	MINUS4,-4
+	and	AT,a3,MINUS4
+	move	v0,zero
+	beqz	AT,.L_bn_add_words_tail
+
+.L_bn_add_words_loop:
+	ld	ta0,0(a2)
+	subu	a3,4
+	ld	t1,8(a1)
+	and	AT,a3,MINUS4
+	ld	t2,16(a1)
+	PTR_ADD	a2,32
+	ld	t3,24(a1)
+	PTR_ADD	a0,32
+	ld	ta1,-24(a2)
+	PTR_ADD	a1,32
+	ld	ta2,-16(a2)
+	ld	ta3,-8(a2)
+	daddu	ta0,t0
+	sltu	t8,ta0,t0
+	daddu	t0,ta0,v0
+	sltu	v0,t0,ta0
+	sd	t0,-32(a0)
+	daddu	v0,t8
+
+	daddu	ta1,t1
+	sltu	t9,ta1,t1
+	daddu	t1,ta1,v0
+	sltu	v0,t1,ta1
+	sd	t1,-24(a0)
+	daddu	v0,t9
+
+	daddu	ta2,t2
+	sltu	t8,ta2,t2
+	daddu	t2,ta2,v0
+	sltu	v0,t2,ta2
+	sd	t2,-16(a0)
+	daddu	v0,t8
+	
+	daddu	ta3,t3
+	sltu	t9,ta3,t3
+	daddu	t3,ta3,v0
+	sltu	v0,t3,ta3
+	sd	t3,-8(a0)
+	daddu	v0,t9
+	
+	.set	noreorder
+	bgtzl	AT,.L_bn_add_words_loop
+	ld	t0,0(a1)
+
+	bnezl	a3,.L_bn_add_words_tail
+	ld	t0,0(a1)
+	.set	reorder
+
+.L_bn_add_words_return:
+	jr	ra
+
+.L_bn_add_words_tail:
+	ld	ta0,0(a2)
+	daddu	ta0,t0
+	subu	a3,1
+	sltu	t8,ta0,t0
+	daddu	t0,ta0,v0
+	sltu	v0,t0,ta0
+	sd	t0,0(a0)
+	daddu	v0,t8
+	beqz	a3,.L_bn_add_words_return
+
+	ld	t1,8(a1)
+	ld	ta1,8(a2)
+	daddu	ta1,t1
+	subu	a3,1
+	sltu	t9,ta1,t1
+	daddu	t1,ta1,v0
+	sltu	v0,t1,ta1
+	sd	t1,8(a0)
+	daddu	v0,t9
+	beqz	a3,.L_bn_add_words_return
+
+	ld	t2,16(a1)
+	ld	ta2,16(a2)
+	daddu	ta2,t2
+	sltu	t8,ta2,t2
+	daddu	t2,ta2,v0
+	sltu	v0,t2,ta2
+	sd	t2,16(a0)
+	daddu	v0,t8
+	jr	ra
+END(bn_add_words)
+
+.align	5
+LEAF(bn_sub_words)
+	.set	noreorder
+	bgtzl	a3,.L_bn_sub_words_proceed
+	ld	t0,0(a1)
+	jr	ra
+	move	v0,zero
+	.set	reorder
+
+.L_bn_sub_words_proceed:
+	li	MINUS4,-4
+	and	AT,a3,MINUS4
+	move	v0,zero
+	beqz	AT,.L_bn_sub_words_tail
+
+.L_bn_sub_words_loop:
+	ld	ta0,0(a2)
+	subu	a3,4
+	ld	t1,8(a1)
+	and	AT,a3,MINUS4
+	ld	t2,16(a1)
+	PTR_ADD	a2,32
+	ld	t3,24(a1)
+	PTR_ADD	a0,32
+	ld	ta1,-24(a2)
+	PTR_ADD	a1,32
+	ld	ta2,-16(a2)
+	ld	ta3,-8(a2)
+	sltu	t8,t0,ta0
+	dsubu	t0,ta0
+	dsubu	ta0,t0,v0
+	sd	ta0,-32(a0)
+	MOVNZ	(t0,v0,t8)
+
+	sltu	t9,t1,ta1
+	dsubu	t1,ta1
+	dsubu	ta1,t1,v0
+	sd	ta1,-24(a0)
+	MOVNZ	(t1,v0,t9)
+
+
+	sltu	t8,t2,ta2
+	dsubu	t2,ta2
+	dsubu	ta2,t2,v0
+	sd	ta2,-16(a0)
+	MOVNZ	(t2,v0,t8)
+
+	sltu	t9,t3,ta3
+	dsubu	t3,ta3
+	dsubu	ta3,t3,v0
+	sd	ta3,-8(a0)
+	MOVNZ	(t3,v0,t9)
+
+	.set	noreorder
+	bgtzl	AT,.L_bn_sub_words_loop
+	ld	t0,0(a1)
+
+	bnezl	a3,.L_bn_sub_words_tail
+	ld	t0,0(a1)
+	.set	reorder
+
+.L_bn_sub_words_return:
+	jr	ra
+
+.L_bn_sub_words_tail:
+	ld	ta0,0(a2)
+	subu	a3,1
+	sltu	t8,t0,ta0
+	dsubu	t0,ta0
+	dsubu	ta0,t0,v0
+	MOVNZ	(t0,v0,t8)
+	sd	ta0,0(a0)
+	beqz	a3,.L_bn_sub_words_return
+
+	ld	t1,8(a1)
+	subu	a3,1
+	ld	ta1,8(a2)
+	sltu	t9,t1,ta1
+	dsubu	t1,ta1
+	dsubu	ta1,t1,v0
+	MOVNZ	(t1,v0,t9)
+	sd	ta1,8(a0)
+	beqz	a3,.L_bn_sub_words_return
+
+	ld	t2,16(a1)
+	ld	ta2,16(a2)
+	sltu	t8,t2,ta2
+	dsubu	t2,ta2
+	dsubu	ta2,t2,v0
+	MOVNZ	(t2,v0,t8)
+	sd	ta2,16(a0)
+	jr	ra
+END(bn_sub_words)
+
+#undef	MINUS4
+
+.align 5
+LEAF(bn_div_3_words)
+	.set	reorder
+	move	a3,a0		/* we know that bn_div_words doesn't
+				 * touch a3, ta2, ta3 and preserves a2
+				 * so that we can save two arguments
+				 * and return address in registers
+				 * instead of stack:-)
+				 */
+	ld	a0,(a3)
+	move	ta2,a1
+	ld	a1,-8(a3)
+	move	ta3,ra
+	move	v1,zero
+	li	v0,-1
+	beq	a0,a2,.L_bn_div_3_words_skip_div
+	bal	bn_div_words
+	move	ra,ta3
+.L_bn_div_3_words_skip_div:
+	dmultu	ta2,v0
+	ld	t2,-16(a3)
+	move	ta0,zero
+	mfhi	t1
+	mflo	t0
+	sltu	t8,t1,v1
+.L_bn_div_3_words_inner_loop:
+	bnez	t8,.L_bn_div_3_words_inner_loop_done
+	sgeu	AT,t2,t0
+	seq	t9,t1,v1
+	and	AT,t9
+	sltu	t3,t0,ta2
+	daddu	v1,a2
+	dsubu	t1,t3
+	dsubu	t0,ta2
+	sltu	t8,t1,v1
+	sltu	ta0,v1,a2
+	or	t8,ta0
+	.set	noreorder
+	beqzl	AT,.L_bn_div_3_words_inner_loop
+	dsubu	v0,1
+	.set	reorder
+.L_bn_div_3_words_inner_loop_done:
+	jr	ra
+END(bn_div_3_words)
+
+.align	5
+LEAF(bn_div_words)
+	.set	noreorder
+	bnezl	a2,.L_bn_div_words_proceed
+	move	v1,zero
+	jr	ra
+	li	v0,-1		/* I'd rather signal div-by-zero
+				 * which can be done with 'break 7' */
+
+.L_bn_div_words_proceed:
+	bltz	a2,.L_bn_div_words_body
+	move	t9,v1
+	dsll	a2,1
+	bgtz	a2,.-4
+	addu	t9,1
+
+	.set	reorder
+	negu	t1,t9
+	li	t2,-1
+	dsll	t2,t1
+	and	t2,a0
+	dsrl	AT,a1,t1
+	.set	noreorder
+	bnezl	t2,.+8
+	break	6		/* signal overflow */
+	.set	reorder
+	dsll	a0,t9
+	dsll	a1,t9
+	or	a0,AT
+
+#define	QT	ta0
+#define	HH	ta1
+#define	DH	v1
+.L_bn_div_words_body:
+	dsrl	DH,a2,32
+	sgeu	AT,a0,a2
+	.set	noreorder
+	bnezl	AT,.+8
+	dsubu	a0,a2
+	.set	reorder
+
+	li	QT,-1
+	dsrl	HH,a0,32
+	dsrl	QT,32	/* q=0xffffffff */
+	beq	DH,HH,.L_bn_div_words_skip_div1
+	ddivu	zero,a0,DH
+	mflo	QT
+.L_bn_div_words_skip_div1:
+	dmultu	a2,QT
+	dsll	t3,a0,32
+	dsrl	AT,a1,32
+	or	t3,AT
+	mflo	t0
+	mfhi	t1
+.L_bn_div_words_inner_loop1:
+	sltu	t2,t3,t0
+	seq	t8,HH,t1
+	sltu	AT,HH,t1
+	and	t2,t8
+	sltu	v0,t0,a2
+	or	AT,t2
+	.set	noreorder
+	beqz	AT,.L_bn_div_words_inner_loop1_done
+	dsubu	t1,v0
+	dsubu	t0,a2
+	b	.L_bn_div_words_inner_loop1
+	dsubu	QT,1
+	.set	reorder
+.L_bn_div_words_inner_loop1_done:
+
+	dsll	a1,32
+	dsubu	a0,t3,t0
+	dsll	v0,QT,32
+
+	li	QT,-1
+	dsrl	HH,a0,32
+	dsrl	QT,32	/* q=0xffffffff */
+	beq	DH,HH,.L_bn_div_words_skip_div2
+	ddivu	zero,a0,DH
+	mflo	QT
+.L_bn_div_words_skip_div2:
+#undef	DH
+	dmultu	a2,QT
+	dsll	t3,a0,32
+	dsrl	AT,a1,32
+	or	t3,AT
+	mflo	t0
+	mfhi	t1
+.L_bn_div_words_inner_loop2:
+	sltu	t2,t3,t0
+	seq	t8,HH,t1
+	sltu	AT,HH,t1
+	and	t2,t8
+	sltu	v1,t0,a2
+	or	AT,t2
+	.set	noreorder
+	beqz	AT,.L_bn_div_words_inner_loop2_done
+	dsubu	t1,v1
+	dsubu	t0,a2
+	b	.L_bn_div_words_inner_loop2
+	dsubu	QT,1
+	.set	reorder
+.L_bn_div_words_inner_loop2_done:	
+#undef	HH
+
+	dsubu	a0,t3,t0
+	or	v0,QT
+	dsrl	v1,a0,t9	/* v1 contains remainder if anybody wants it */
+	dsrl	a2,t9		/* restore a2 */
+	jr	ra
+#undef	QT
+END(bn_div_words)
+
+#define	a_0	t0
+#define	a_1	t1
+#define	a_2	t2
+#define	a_3	t3
+#define	b_0	ta0
+#define	b_1	ta1
+#define	b_2	ta2
+#define	b_3	ta3
+
+#define	a_4	s0
+#define	a_5	s2
+#define	a_6	s4
+#define	a_7	a1	/* once we load a[7] we don't need a anymore */
+#define	b_4	s1
+#define	b_5	s3
+#define	b_6	s5
+#define	b_7	a2	/* once we load b[7] we don't need b anymore */
+
+#define	t_1	t8
+#define	t_2	t9
+
+#define	c_1	v0
+#define	c_2	v1
+#define	c_3	a3
+
+#define	FRAME_SIZE	48
+
+.align	5
+LEAF(bn_mul_comba8)
+	.set	noreorder
+	PTR_SUB	sp,FRAME_SIZE
+	.frame	sp,64,ra
+	.set	reorder
+	ld	a_0,0(a1)	/* If compiled with -mips3 option on
+				 * R5000 box assembler barks on this
+				 * line with "shouldn't have mult/div
+				 * as last instruction in bb (R10K
+				 * bug)" warning. If anybody out there
+				 * has a clue about how to circumvent
+				 * this do send me a note.
+				 *		<appro@fy.chalmers.se>
+				 */
+	ld	b_0,0(a2)
+	ld	a_1,8(a1)
+	ld	a_2,16(a1)
+	ld	a_3,24(a1)
+	ld	b_1,8(a2)
+	ld	b_2,16(a2)
+	ld	b_3,24(a2)
+	dmultu	a_0,b_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+	sd	s0,0(sp)
+	sd	s1,8(sp)
+	sd	s2,16(sp)
+	sd	s3,24(sp)
+	sd	s4,32(sp)
+	sd	s5,40(sp)
+	mflo	c_1
+	mfhi	c_2
+
+	dmultu	a_0,b_1		/* mul_add_c(a[0],b[1],c2,c3,c1); */
+	ld	a_4,32(a1)
+	ld	a_5,40(a1)
+	ld	a_6,48(a1)
+	ld	a_7,56(a1)
+	ld	b_4,32(a2)
+	ld	b_5,40(a2)
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	c_3,t_2,AT
+	dmultu	a_1,b_0		/* mul_add_c(a[1],b[0],c2,c3,c1); */
+	ld	b_6,48(a2)
+	ld	b_7,56(a2)
+	sd	c_1,0(a0)	/* r[0]=c1; */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,8(a0)	/* r[1]=c2; */
+
+	dmultu	a_2,b_0		/* mul_add_c(a[2],b[0],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_1,b_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_0,b_2		/* mul_add_c(a[0],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,16(a0)	/* r[2]=c3; */
+
+	dmultu	a_0,b_3		/* mul_add_c(a[0],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	dmultu	a_1,b_2		/* mul_add_c(a[1],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_2,b_1		/* mul_add_c(a[2],b[1],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_3,b_0		/* mul_add_c(a[3],b[0],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,24(a0)	/* r[3]=c1; */
+
+	dmultu	a_4,b_0		/* mul_add_c(a[4],b[0],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	dmultu	a_3,b_1		/* mul_add_c(a[3],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_2,b_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_1,b_3		/* mul_add_c(a[1],b[3],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_0,b_4		/* mul_add_c(a[0],b[4],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,32(a0)	/* r[4]=c2; */
+
+	dmultu	a_0,b_5		/* mul_add_c(a[0],b[5],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_1,b_4		/* mul_add_c(a[1],b[4],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_2,b_3		/* mul_add_c(a[2],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_3,b_2		/* mul_add_c(a[3],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_4,b_1		/* mul_add_c(a[4],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_5,b_0		/* mul_add_c(a[5],b[0],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,40(a0)	/* r[5]=c3; */
+
+	dmultu	a_6,b_0		/* mul_add_c(a[6],b[0],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	dmultu	a_5,b_1		/* mul_add_c(a[5],b[1],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_4,b_2		/* mul_add_c(a[4],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_3,b_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_2,b_4		/* mul_add_c(a[2],b[4],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_1,b_5		/* mul_add_c(a[1],b[5],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_0,b_6		/* mul_add_c(a[0],b[6],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,48(a0)	/* r[6]=c1; */
+
+	dmultu	a_0,b_7		/* mul_add_c(a[0],b[7],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	dmultu	a_1,b_6		/* mul_add_c(a[1],b[6],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_2,b_5		/* mul_add_c(a[2],b[5],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_3,b_4		/* mul_add_c(a[3],b[4],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_4,b_3		/* mul_add_c(a[4],b[3],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_5,b_2		/* mul_add_c(a[5],b[2],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_6,b_1		/* mul_add_c(a[6],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_7,b_0		/* mul_add_c(a[7],b[0],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,56(a0)	/* r[7]=c2; */
+
+	dmultu	a_7,b_1		/* mul_add_c(a[7],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_6,b_2		/* mul_add_c(a[6],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_5,b_3		/* mul_add_c(a[5],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_4,b_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_3,b_5		/* mul_add_c(a[3],b[5],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_2,b_6		/* mul_add_c(a[2],b[6],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_1,b_7		/* mul_add_c(a[1],b[7],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,64(a0)	/* r[8]=c3; */
+
+	dmultu	a_2,b_7		/* mul_add_c(a[2],b[7],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	dmultu	a_3,b_6		/* mul_add_c(a[3],b[6],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_4,b_5		/* mul_add_c(a[4],b[5],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_5,b_4		/* mul_add_c(a[5],b[4],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_6,b_3		/* mul_add_c(a[6],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_7,b_2		/* mul_add_c(a[7],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,72(a0)	/* r[9]=c1; */
+
+	dmultu	a_7,b_3		/* mul_add_c(a[7],b[3],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	dmultu	a_6,b_4		/* mul_add_c(a[6],b[4],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_5,b_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_4,b_6		/* mul_add_c(a[4],b[6],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_3,b_7		/* mul_add_c(a[3],b[7],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,80(a0)	/* r[10]=c2; */
+
+	dmultu	a_4,b_7		/* mul_add_c(a[4],b[7],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_5,b_6		/* mul_add_c(a[5],b[6],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_6,b_5		/* mul_add_c(a[6],b[5],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_7,b_4		/* mul_add_c(a[7],b[4],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,88(a0)	/* r[11]=c3; */
+
+	dmultu	a_7,b_5		/* mul_add_c(a[7],b[5],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	dmultu	a_6,b_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_5,b_7		/* mul_add_c(a[5],b[7],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,96(a0)	/* r[12]=c1; */
+
+	dmultu	a_6,b_7		/* mul_add_c(a[6],b[7],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	dmultu	a_7,b_6		/* mul_add_c(a[7],b[6],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,104(a0)	/* r[13]=c2; */
+
+	dmultu	a_7,b_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
+	ld	s0,0(sp)
+	ld	s1,8(sp)
+	ld	s2,16(sp)
+	ld	s3,24(sp)
+	ld	s4,32(sp)
+	ld	s5,40(sp)
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sd	c_3,112(a0)	/* r[14]=c3; */
+	sd	c_1,120(a0)	/* r[15]=c1; */
+
+	PTR_ADD	sp,FRAME_SIZE
+
+	jr	ra
+END(bn_mul_comba8)
+
+.align	5
+LEAF(bn_mul_comba4)
+	.set	reorder
+	ld	a_0,0(a1)
+	ld	b_0,0(a2)
+	ld	a_1,8(a1)
+	ld	a_2,16(a1)
+	dmultu	a_0,b_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+	ld	a_3,24(a1)
+	ld	b_1,8(a2)
+	ld	b_2,16(a2)
+	ld	b_3,24(a2)
+	mflo	c_1
+	mfhi	c_2
+	sd	c_1,0(a0)
+
+	dmultu	a_0,b_1		/* mul_add_c(a[0],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	c_3,t_2,AT
+	dmultu	a_1,b_0		/* mul_add_c(a[1],b[0],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,8(a0)
+
+	dmultu	a_2,b_0		/* mul_add_c(a[2],b[0],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_1,b_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_0,b_2		/* mul_add_c(a[0],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,16(a0)
+
+	dmultu	a_0,b_3		/* mul_add_c(a[0],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	dmultu	a_1,b_2		/* mul_add_c(a[1],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_2,b_1		/* mul_add_c(a[2],b[1],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_3,b_0		/* mul_add_c(a[3],b[0],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,24(a0)
+
+	dmultu	a_3,b_1		/* mul_add_c(a[3],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	dmultu	a_2,b_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_1,b_3		/* mul_add_c(a[1],b[3],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,32(a0)
+
+	dmultu	a_2,b_3		/* mul_add_c(a[2],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	dmultu	a_3,b_2		/* mul_add_c(a[3],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	sd	c_3,40(a0)
+
+	dmultu	a_3,b_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sd	c_1,48(a0)
+	sd	c_2,56(a0)
+
+	jr	ra
+END(bn_mul_comba4)
+
+#undef	a_4
+#undef	a_5
+#undef	a_6
+#undef	a_7
+#define	a_4	b_0
+#define	a_5	b_1
+#define	a_6	b_2
+#define	a_7	b_3
+
+.align	5
+LEAF(bn_sqr_comba8)
+	.set	reorder
+	ld	a_0,0(a1)
+	ld	a_1,8(a1)
+	ld	a_2,16(a1)
+	ld	a_3,24(a1)
+
+	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+	ld	a_4,32(a1)
+	ld	a_5,40(a1)
+	ld	a_6,48(a1)
+	ld	a_7,56(a1)
+	mflo	c_1
+	mfhi	c_2
+	sd	c_1,0(a0)
+
+	dmultu	a_0,a_1		/* mul_add_c2(a[0],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	c_3,t_2,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,8(a0)
+
+	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,16(a0)
+
+	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_1,a_2		/* mul_add_c2(a[1],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,24(a0)
+
+	dmultu	a_4,a_0		/* mul_add_c2(a[4],b[0],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	sltu	AT,c_3,a2
+	daddu	c_1,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,32(a0)
+
+	dmultu	a_0,a_5		/* mul_add_c2(a[0],b[5],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_1,a_4		/* mul_add_c2(a[1],b[4],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	sltu	AT,c_1,a2
+	daddu	c_2,AT
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	sltu	AT,c_1,a2
+	daddu	c_2,AT
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,40(a0)
+
+	dmultu	a_6,a_0		/* mul_add_c2(a[6],b[0],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_5,a_1		/* mul_add_c2(a[5],b[1],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_4,a_2		/* mul_add_c2(a[4],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,48(a0)
+
+	dmultu	a_0,a_7		/* mul_add_c2(a[0],b[7],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_1,a_6		/* mul_add_c2(a[1],b[6],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	sltu	AT,c_3,a2
+	daddu	c_1,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_2,a_5		/* mul_add_c2(a[2],b[5],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	sltu	AT,c_3,a2
+	daddu	c_1,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_3,a_4		/* mul_add_c2(a[3],b[4],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	sltu	AT,c_3,a2
+	daddu	c_1,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,56(a0)
+
+	dmultu	a_7,a_1		/* mul_add_c2(a[7],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_6,a_2		/* mul_add_c2(a[6],b[2],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	sltu	AT,c_1,a2
+	daddu	c_2,AT
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_5,a_3		/* mul_add_c2(a[5],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	sltu	AT,c_1,a2
+	daddu	c_2,AT
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	dmultu	a_4,a_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,64(a0)
+
+	dmultu	a_2,a_7		/* mul_add_c2(a[2],b[7],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_3,a_6		/* mul_add_c2(a[3],b[6],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	dmultu	a_4,a_5		/* mul_add_c2(a[4],b[5],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,72(a0)
+
+	dmultu	a_7,a_3		/* mul_add_c2(a[7],b[3],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_6,a_4		/* mul_add_c2(a[6],b[4],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	sltu	AT,c_3,a2
+	daddu	c_1,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	dmultu	a_5,a_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,80(a0)
+
+	dmultu	a_4,a_7		/* mul_add_c2(a[4],b[7],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_5,a_6		/* mul_add_c2(a[5],b[6],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	sltu	AT,c_1,a2
+	daddu	c_2,AT
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,88(a0)
+
+	dmultu	a_7,a_5		/* mul_add_c2(a[7],b[5],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_6,a_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,96(a0)
+
+	dmultu	a_6,a_7		/* mul_add_c2(a[6],b[7],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,104(a0)
+
+	dmultu	a_7,a_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sd	c_3,112(a0)
+	sd	c_1,120(a0)
+
+	jr	ra
+END(bn_sqr_comba8)
+
+.align	5
+LEAF(bn_sqr_comba4)
+	.set	reorder
+	ld	a_0,0(a1)
+	ld	a_1,8(a1)
+	ld	a_2,16(a1)
+	ld	a_3,24(a1)
+	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+	mflo	c_1
+	mfhi	c_2
+	sd	c_1,0(a0)
+
+	dmultu	a_0,a_1		/* mul_add_c2(a[0],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	c_3,t_2,AT
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	sd	c_2,8(a0)
+
+	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	AT,c_1,t_2
+	daddu	c_2,AT
+	sd	c_3,16(a0)
+
+	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	c_3,c_2,t_2
+	dmultu	a_1,a_2		/* mul_add_c(a2[1],b[2],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	a2,t_2,AT
+	daddu	c_2,a2
+	sltu	AT,c_2,a2
+	daddu	c_3,AT
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sltu	AT,c_2,t_2
+	daddu	c_3,AT
+	sd	c_1,24(a0)
+
+	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	a2,t_2,AT
+	daddu	c_3,a2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	c_1,c_3,t_2
+	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_2,t_1
+	sltu	AT,c_2,t_1
+	daddu	t_2,AT
+	daddu	c_3,t_2
+	sltu	AT,c_3,t_2
+	daddu	c_1,AT
+	sd	c_2,32(a0)
+
+	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	a2,t_2,AT
+	daddu	c_1,a2
+	daddu	c_3,t_1
+	sltu	AT,c_3,t_1
+	daddu	t_2,AT
+	daddu	c_1,t_2
+	sltu	c_2,c_1,t_2
+	sd	c_3,40(a0)
+
+	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+	mflo	t_1
+	mfhi	t_2
+	daddu	c_1,t_1
+	sltu	AT,c_1,t_1
+	daddu	t_2,AT
+	daddu	c_2,t_2
+	sd	c_1,48(a0)
+	sd	c_2,56(a0)
+
+	jr	ra
+END(bn_sqr_comba4)
diff --git a/crypto/openssl/crypto/bn/asm/pa-risc.s b/crypto/openssl/crypto/bn/asm/pa-risc.s
new file mode 100644
index 0000000..775130a
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/pa-risc.s
@@ -0,0 +1,710 @@
+	.SPACE $PRIVATE$
+	.SUBSPA $DATA$,QUAD=1,ALIGN=8,ACCESS=31
+	.SUBSPA $BSS$,QUAD=1,ALIGN=8,ACCESS=31,ZERO,SORT=82
+	.SPACE $TEXT$
+	.SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=44
+	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44,CODE_ONLY
+	.IMPORT $global$,DATA
+	.IMPORT $$dyncall,MILLICODE
+; gcc_compiled.:
+	.SPACE $TEXT$
+	.SUBSPA $CODE$
+
+	.align 4
+	.EXPORT bn_mul_add_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR
+bn_mul_add_words
+	.PROC
+	.CALLINFO FRAME=0,CALLS,SAVE_RP
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	ldi 0,%r28
+	extru %r23,31,16,%r2
+	stw %r2,-16(0,%r30)
+	extru %r23,15,16,%r23
+	ldil L'65536,%r31
+	fldws -16(0,%r30),%fr11R
+	stw %r23,-16(0,%r30)
+	ldo 12(%r25),%r29
+	ldo 12(%r26),%r23
+	fldws -16(0,%r30),%fr11L
+L$0002
+	ldw 0(0,%r25),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0005
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi 1,%r19,%r19
+	ldw 0(0,%r26),%r28
+	addl %r20,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0003
+	stw %r20,0(0,%r26)
+	ldw -8(0,%r29),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0010
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi 1,%r19,%r19
+	ldw -8(0,%r23),%r28
+	addl %r20,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0003
+	stw %r20,-8(0,%r23)
+	ldw -4(0,%r29),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0015
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi 1,%r19,%r19
+	ldw -4(0,%r23),%r28
+	addl %r20,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0003
+	stw %r20,-4(0,%r23)
+	ldw 0(0,%r29),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0020
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi 1,%r19,%r19
+	ldw 0(0,%r23),%r28
+	addl %r20,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0003
+	stw %r20,0(0,%r23)
+	ldo 16(%r29),%r29
+	ldo 16(%r25),%r25
+	ldo 16(%r23),%r23
+	bl L$0002,0
+	ldo 16(%r26),%r26
+L$0003
+	ldw -20(0,%r30),%r2
+	bv,n 0(%r2)
+	.EXIT
+	.PROCEND
+	.align 4
+	.EXPORT bn_mul_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR
+bn_mul_words
+	.PROC
+	.CALLINFO FRAME=0,CALLS,SAVE_RP
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	ldi 0,%r28
+	extru %r23,31,16,%r2
+	stw %r2,-16(0,%r30)
+	extru %r23,15,16,%r23
+	ldil L'65536,%r31
+	fldws -16(0,%r30),%fr11R
+	stw %r23,-16(0,%r30)
+	ldo 12(%r26),%r29
+	ldo 12(%r25),%r23
+	fldws -16(0,%r30),%fr11L
+L$0026
+	ldw 0(0,%r25),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0029
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0027
+	stw %r20,0(0,%r26)
+	ldw -8(0,%r23),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0033
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0027
+	stw %r20,-8(0,%r29)
+	ldw -4(0,%r23),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0037
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0027
+	stw %r20,-4(0,%r29)
+	ldw 0(0,%r23),%r19
+	extru %r19,31,16,%r20
+	stw %r20,-16(0,%r30)
+	extru %r19,15,16,%r19
+	fldws -16(0,%r30),%fr22L
+	stw %r19,-16(0,%r30)
+	xmpyu %fr22L,%fr11R,%fr8
+	fldws -16(0,%r30),%fr22L
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr11R,%fr22L,%fr10
+	ldw -16(0,%r30),%r2
+	stw %r20,-16(0,%r30)
+	xmpyu %fr22L,%fr11L,%fr9
+	fldws -16(0,%r30),%fr22L
+	fstws %fr10R,-16(0,%r30)
+	copy %r2,%r22
+	ldw -16(0,%r30),%r2
+	fstws %fr9R,-16(0,%r30)
+	xmpyu %fr11L,%fr22L,%fr8
+	copy %r2,%r19
+	ldw -16(0,%r30),%r2
+	fstws %fr8R,-16(0,%r30)
+	copy %r2,%r20
+	ldw -16(0,%r30),%r2
+	addl %r2,%r19,%r21
+	comclr,<<= %r19,%r21,0
+	addl %r20,%r31,%r20
+L$0041
+	extru %r21,15,16,%r19
+	addl %r20,%r19,%r20
+	zdep %r21,15,16,%r19
+	addl %r22,%r19,%r22
+	comclr,<<= %r19,%r22,0
+	addi,tr 1,%r20,%r19
+	copy %r20,%r19
+	addl %r22,%r28,%r20
+	comclr,<<= %r28,%r20,0
+	addi,tr 1,%r19,%r28
+	copy %r19,%r28
+	addib,= -1,%r24,L$0027
+	stw %r20,0(0,%r29)
+	ldo 16(%r23),%r23
+	ldo 16(%r25),%r25
+	ldo 16(%r29),%r29
+	bl L$0026,0
+	ldo 16(%r26),%r26
+L$0027
+	ldw -20(0,%r30),%r2
+	bv,n 0(%r2)
+	.EXIT
+	.PROCEND
+	.align 4
+	.EXPORT bn_sqr_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR
+bn_sqr_words
+	.PROC
+	.CALLINFO FRAME=0,NO_CALLS
+	.ENTRY
+	ldo 28(%r26),%r23
+	ldo 12(%r25),%r28
+L$0046
+	ldw 0(0,%r25),%r21
+	extru %r21,31,16,%r22
+	stw %r22,-16(0,%r30)
+	extru %r21,15,16,%r21
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	stw %r22,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r21,-16(0,%r30)
+	copy %r29,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,16,17,%r20
+	zdep %r19,14,15,%r19
+	ldw -16(0,%r30),%r29
+	xmpyu %fr10L,%fr10R,%fr9
+	addl %r29,%r19,%r22
+	stw %r22,0(0,%r26)
+	fstws %fr9R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	addl %r29,%r20,%r21
+	comclr,<<= %r19,%r22,0
+	addi 1,%r21,%r21
+	addib,= -1,%r24,L$0057
+	stw %r21,-24(0,%r23)
+	ldw -8(0,%r28),%r21
+	extru %r21,31,16,%r22
+	stw %r22,-16(0,%r30)
+	extru %r21,15,16,%r21
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	stw %r22,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r21,-16(0,%r30)
+	copy %r29,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,16,17,%r20
+	zdep %r19,14,15,%r19
+	ldw -16(0,%r30),%r29
+	xmpyu %fr10L,%fr10R,%fr9
+	addl %r29,%r19,%r22
+	stw %r22,-20(0,%r23)
+	fstws %fr9R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	addl %r29,%r20,%r21
+	comclr,<<= %r19,%r22,0
+	addi 1,%r21,%r21
+	addib,= -1,%r24,L$0057
+	stw %r21,-16(0,%r23)
+	ldw -4(0,%r28),%r21
+	extru %r21,31,16,%r22
+	stw %r22,-16(0,%r30)
+	extru %r21,15,16,%r21
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	stw %r22,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r21,-16(0,%r30)
+	copy %r29,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,16,17,%r20
+	zdep %r19,14,15,%r19
+	ldw -16(0,%r30),%r29
+	xmpyu %fr10L,%fr10R,%fr9
+	addl %r29,%r19,%r22
+	stw %r22,-12(0,%r23)
+	fstws %fr9R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	addl %r29,%r20,%r21
+	comclr,<<= %r19,%r22,0
+	addi 1,%r21,%r21
+	addib,= -1,%r24,L$0057
+	stw %r21,-8(0,%r23)
+	ldw 0(0,%r28),%r21
+	extru %r21,31,16,%r22
+	stw %r22,-16(0,%r30)
+	extru %r21,15,16,%r21
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	stw %r22,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r21,-16(0,%r30)
+	copy %r29,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10L
+	stw %r21,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,16,17,%r20
+	zdep %r19,14,15,%r19
+	ldw -16(0,%r30),%r29
+	xmpyu %fr10L,%fr10R,%fr9
+	addl %r29,%r19,%r22
+	stw %r22,-4(0,%r23)
+	fstws %fr9R,-16(0,%r30)
+	ldw -16(0,%r30),%r29
+	addl %r29,%r20,%r21
+	comclr,<<= %r19,%r22,0
+	addi 1,%r21,%r21
+	addib,= -1,%r24,L$0057
+	stw %r21,0(0,%r23)
+	ldo 16(%r28),%r28
+	ldo 16(%r25),%r25
+	ldo 32(%r23),%r23
+	bl L$0046,0
+	ldo 32(%r26),%r26
+L$0057
+	bv,n 0(%r2)
+	.EXIT
+	.PROCEND
+	.IMPORT BN_num_bits_word,CODE
+	.IMPORT fprintf,CODE
+	.IMPORT __iob,DATA
+	.SPACE $TEXT$
+	.SUBSPA $LIT$
+
+	.align 4
+L$C0000
+	.STRING "Division would overflow\x0a\x00"
+	.IMPORT abort,CODE
+	.SPACE $TEXT$
+	.SUBSPA $CODE$
+
+	.align 4
+	.EXPORT bn_div64,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR
+bn_div64
+	.PROC
+	.CALLINFO FRAME=128,CALLS,SAVE_RP,ENTRY_GR=8
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	stwm %r8,128(0,%r30)
+	stw %r7,-124(0,%r30)
+	stw %r4,-112(0,%r30)
+	stw %r3,-108(0,%r30)
+	copy %r26,%r3
+	copy %r25,%r4
+	stw %r6,-120(0,%r30)
+	ldi 0,%r7
+	stw %r5,-116(0,%r30)
+	movb,<> %r24,%r5,L$0059
+	ldi 2,%r6
+	bl L$0076,0
+	ldi -1,%r28
+L$0059
+	.CALL ARGW0=GR
+	bl BN_num_bits_word,%r2
+	copy %r5,%r26
+	ldi 32,%r19
+	comb,= %r19,%r28,L$0060
+	subi 31,%r28,%r19
+	mtsar %r19
+	zvdepi 1,32,%r19
+	comb,>>= %r19,%r3,L$0060
+	addil LR'__iob-$global$+32,%r27
+	ldo RR'__iob-$global$+32(%r1),%r26
+	ldil LR'L$C0000,%r25
+	.CALL ARGW0=GR,ARGW1=GR
+	bl fprintf,%r2
+	ldo RR'L$C0000(%r25),%r25
+	.CALL 
+	bl abort,%r2
+	nop
+L$0060
+	comb,>> %r5,%r3,L$0061
+	subi 32,%r28,%r28
+	sub %r3,%r5,%r3
+L$0061
+	comib,= 0,%r28,L$0062
+	subi 31,%r28,%r19
+	mtsar %r19
+	zvdep %r5,32,%r5
+	zvdep %r3,32,%r21
+	subi 32,%r28,%r20
+	mtsar %r20
+	vshd 0,%r4,%r20
+	or %r21,%r20,%r3
+	mtsar %r19
+	zvdep %r4,32,%r4
+L$0062
+	extru %r5,15,16,%r23
+	extru %r5,31,16,%r28
+L$0063
+	extru %r3,15,16,%r19
+	comb,<> %r23,%r19,L$0066
+	copy %r3,%r26
+	bl L$0067,0
+	zdepi -1,31,16,%r29
+L$0066
+	.IMPORT $$divU,MILLICODE
+	bl $$divU,%r31
+	copy %r23,%r25
+L$0067
+	stw %r29,-16(0,%r30)
+	fldws -16(0,%r30),%fr10L
+	stw %r28,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r23,-16(0,%r30)
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr10L,%fr10R,%fr9
+	ldw -16(0,%r30),%r8
+	fstws %fr9R,-16(0,%r30)
+	copy %r8,%r22
+	ldw -16(0,%r30),%r8
+	extru %r4,15,16,%r24
+	copy %r8,%r21
+L$0068
+	sub %r3,%r21,%r20
+	copy %r20,%r19
+	depi 0,31,16,%r19
+	comib,<> 0,%r19,L$0069
+	zdep %r20,15,16,%r19
+	addl %r19,%r24,%r19
+	comb,>>= %r19,%r22,L$0069
+	sub %r22,%r28,%r22
+	sub %r21,%r23,%r21
+	bl L$0068,0
+	ldo -1(%r29),%r29
+L$0069
+	stw %r29,-16(0,%r30)
+	fldws -16(0,%r30),%fr10L
+	stw %r28,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r8
+	stw %r23,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	copy %r8,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,15,16,%r20
+	ldw -16(0,%r30),%r8
+	zdep %r19,15,16,%r19
+	addl %r8,%r20,%r20
+	comclr,<<= %r19,%r4,0
+	addi 1,%r20,%r20
+	comb,<<= %r20,%r3,L$0074
+	sub %r4,%r19,%r4
+	addl %r3,%r5,%r3
+	ldo -1(%r29),%r29
+L$0074
+	addib,= -1,%r6,L$0064
+	sub %r3,%r20,%r3
+	zdep %r29,15,16,%r7
+	shd %r3,%r4,16,%r3
+	bl L$0063,0
+	zdep %r4,15,16,%r4
+L$0064
+	or %r7,%r29,%r28
+L$0076
+	ldw -148(0,%r30),%r2
+	ldw -124(0,%r30),%r7
+	ldw -120(0,%r30),%r6
+	ldw -116(0,%r30),%r5
+	ldw -112(0,%r30),%r4
+	ldw -108(0,%r30),%r3
+	bv 0(%r2)
+	ldwm -128(0,%r30),%r8
+	.EXIT
+	.PROCEND
diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2.s b/crypto/openssl/crypto/bn/asm/pa-risc2.s
new file mode 100644
index 0000000..c272599
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/pa-risc2.s
@@ -0,0 +1,416 @@
+	.SPACE $PRIVATE$
+	.SUBSPA $DATA$,QUAD=1,ALIGN=8,ACCESS=31
+	.SUBSPA $BSS$,QUAD=1,ALIGN=8,ACCESS=31,ZERO,SORT=82
+	.SPACE $TEXT$
+	.SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=44
+	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44,CODE_ONLY
+	.IMPORT $global$,DATA
+	.IMPORT $$dyncall,MILLICODE
+; gcc_compiled.:
+	.SPACE $TEXT$
+	.SUBSPA $CODE$
+
+	.align 4
+	.EXPORT bn_mul_add_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR
+bn_mul_add_words
+	.PROC
+	.CALLINFO FRAME=64,CALLS,SAVE_RP,ENTRY_GR=4
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	stwm %r4,64(0,%r30)
+	copy %r24,%r31
+	stw %r3,-60(0,%r30)
+	ldi 0,%r20
+	ldo 12(%r26),%r2
+	stw %r23,-16(0,%r30)
+	copy %r25,%r3
+	ldo 12(%r3),%r1
+	fldws -16(0,%r30),%fr8L
+L$0010
+	copy %r20,%r25
+	ldi 0,%r24
+	fldws 0(0,%r3),%fr9L
+	ldw 0(0,%r26),%r19
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r19,%r23
+	ldw -16(0,%r30),%r28
+	ldw -12(0,%r30),%r29
+	ldi 0,%r22
+	add %r23,%r29,%r29
+	addc %r22,%r28,%r28
+	add %r25,%r29,%r29
+	addc %r24,%r28,%r28
+	copy %r28,%r21
+	ldi 0,%r20
+	copy %r21,%r20
+	addib,= -1,%r31,L$0011
+	stw %r29,0(0,%r26)
+	copy %r20,%r25
+	ldi 0,%r24
+	fldws -8(0,%r1),%fr9L
+	ldw -8(0,%r2),%r19
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r19,%r23
+	ldw -16(0,%r30),%r28
+	ldw -12(0,%r30),%r29
+	ldi 0,%r22
+	add %r23,%r29,%r29
+	addc %r22,%r28,%r28
+	add %r25,%r29,%r29
+	addc %r24,%r28,%r28
+	copy %r28,%r21
+	ldi 0,%r20
+	copy %r21,%r20
+	addib,= -1,%r31,L$0011
+	stw %r29,-8(0,%r2)
+	copy %r20,%r25
+	ldi 0,%r24
+	fldws -4(0,%r1),%fr9L
+	ldw -4(0,%r2),%r19
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r19,%r23
+	ldw -16(0,%r30),%r28
+	ldw -12(0,%r30),%r29
+	ldi 0,%r22
+	add %r23,%r29,%r29
+	addc %r22,%r28,%r28
+	add %r25,%r29,%r29
+	addc %r24,%r28,%r28
+	copy %r28,%r21
+	ldi 0,%r20
+	copy %r21,%r20
+	addib,= -1,%r31,L$0011
+	stw %r29,-4(0,%r2)
+	copy %r20,%r25
+	ldi 0,%r24
+	fldws 0(0,%r1),%fr9L
+	ldw 0(0,%r2),%r19
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r19,%r23
+	ldw -16(0,%r30),%r28
+	ldw -12(0,%r30),%r29
+	ldi 0,%r22
+	add %r23,%r29,%r29
+	addc %r22,%r28,%r28
+	add %r25,%r29,%r29
+	addc %r24,%r28,%r28
+	copy %r28,%r21
+	ldi 0,%r20
+	copy %r21,%r20
+	addib,= -1,%r31,L$0011
+	stw %r29,0(0,%r2)
+	ldo 16(%r1),%r1
+	ldo 16(%r3),%r3
+	ldo 16(%r2),%r2
+	bl L$0010,0
+	ldo 16(%r26),%r26
+L$0011
+	copy %r20,%r28
+	ldw -84(0,%r30),%r2
+	ldw -60(0,%r30),%r3
+	bv 0(%r2)
+	ldwm -64(0,%r30),%r4
+	.EXIT
+	.PROCEND
+	.align 4
+	.EXPORT bn_mul_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR
+bn_mul_words
+	.PROC
+	.CALLINFO FRAME=64,CALLS,SAVE_RP,ENTRY_GR=3
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	copy %r25,%r2
+	stwm %r4,64(0,%r30)
+	copy %r24,%r19
+	ldi 0,%r28
+	stw %r23,-16(0,%r30)
+	ldo 12(%r26),%r31
+	ldo 12(%r2),%r29
+	fldws -16(0,%r30),%fr8L
+L$0026
+	fldws 0(0,%r2),%fr9L
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r28,%r21
+	ldi 0,%r20
+	ldw -16(0,%r30),%r24
+	ldw -12(0,%r30),%r25
+	add %r21,%r25,%r25
+	addc %r20,%r24,%r24
+	copy %r24,%r23
+	ldi 0,%r22
+	copy %r23,%r28
+	addib,= -1,%r19,L$0027
+	stw %r25,0(0,%r26)
+	fldws -8(0,%r29),%fr9L
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r28,%r21
+	ldi 0,%r20
+	ldw -16(0,%r30),%r24
+	ldw -12(0,%r30),%r25
+	add %r21,%r25,%r25
+	addc %r20,%r24,%r24
+	copy %r24,%r23
+	ldi 0,%r22
+	copy %r23,%r28
+	addib,= -1,%r19,L$0027
+	stw %r25,-8(0,%r31)
+	fldws -4(0,%r29),%fr9L
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r28,%r21
+	ldi 0,%r20
+	ldw -16(0,%r30),%r24
+	ldw -12(0,%r30),%r25
+	add %r21,%r25,%r25
+	addc %r20,%r24,%r24
+	copy %r24,%r23
+	ldi 0,%r22
+	copy %r23,%r28
+	addib,= -1,%r19,L$0027
+	stw %r25,-4(0,%r31)
+	fldws 0(0,%r29),%fr9L
+	xmpyu %fr8L,%fr9L,%fr9
+	fstds %fr9,-16(0,%r30)
+	copy %r28,%r21
+	ldi 0,%r20
+	ldw -16(0,%r30),%r24
+	ldw -12(0,%r30),%r25
+	add %r21,%r25,%r25
+	addc %r20,%r24,%r24
+	copy %r24,%r23
+	ldi 0,%r22
+	copy %r23,%r28
+	addib,= -1,%r19,L$0027
+	stw %r25,0(0,%r31)
+	ldo 16(%r29),%r29
+	ldo 16(%r2),%r2
+	ldo 16(%r31),%r31
+	bl L$0026,0
+	ldo 16(%r26),%r26
+L$0027
+	ldw -84(0,%r30),%r2
+	bv 0(%r2)
+	ldwm -64(0,%r30),%r4
+	.EXIT
+	.PROCEND
+	.align 4
+	.EXPORT bn_sqr_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR
+bn_sqr_words
+	.PROC
+	.CALLINFO FRAME=0,NO_CALLS
+	.ENTRY
+	ldo 28(%r26),%r19
+	ldo 12(%r25),%r28
+L$0042
+	fldws 0(0,%r25),%fr8L
+	fldws 0(0,%r25),%fr8R
+	xmpyu %fr8L,%fr8R,%fr8
+	fstds %fr8,-16(0,%r30)
+	ldw -16(0,%r30),%r22
+	ldw -12(0,%r30),%r23
+	stw %r23,0(0,%r26)
+	copy %r22,%r21
+	ldi 0,%r20
+	addib,= -1,%r24,L$0049
+	stw %r21,-24(0,%r19)
+	fldws -8(0,%r28),%fr8L
+	fldws -8(0,%r28),%fr8R
+	xmpyu %fr8L,%fr8R,%fr8
+	fstds %fr8,-16(0,%r30)
+	ldw -16(0,%r30),%r22
+	ldw -12(0,%r30),%r23
+	stw %r23,-20(0,%r19)
+	copy %r22,%r21
+	ldi 0,%r20
+	addib,= -1,%r24,L$0049
+	stw %r21,-16(0,%r19)
+	fldws -4(0,%r28),%fr8L
+	fldws -4(0,%r28),%fr8R
+	xmpyu %fr8L,%fr8R,%fr8
+	fstds %fr8,-16(0,%r30)
+	ldw -16(0,%r30),%r22
+	ldw -12(0,%r30),%r23
+	stw %r23,-12(0,%r19)
+	copy %r22,%r21
+	ldi 0,%r20
+	addib,= -1,%r24,L$0049
+	stw %r21,-8(0,%r19)
+	fldws 0(0,%r28),%fr8L
+	fldws 0(0,%r28),%fr8R
+	xmpyu %fr8L,%fr8R,%fr8
+	fstds %fr8,-16(0,%r30)
+	ldw -16(0,%r30),%r22
+	ldw -12(0,%r30),%r23
+	stw %r23,-4(0,%r19)
+	copy %r22,%r21
+	ldi 0,%r20
+	addib,= -1,%r24,L$0049
+	stw %r21,0(0,%r19)
+	ldo 16(%r28),%r28
+	ldo 16(%r25),%r25
+	ldo 32(%r19),%r19
+	bl L$0042,0
+	ldo 32(%r26),%r26
+L$0049
+	bv,n 0(%r2)
+	.EXIT
+	.PROCEND
+	.IMPORT BN_num_bits_word,CODE
+	.IMPORT fprintf,CODE
+	.IMPORT __iob,DATA
+	.SPACE $TEXT$
+	.SUBSPA $LIT$
+
+	.align 4
+L$C0000
+	.STRING "Division would overflow (%d)\x0a\x00"
+	.IMPORT abort,CODE
+	.SPACE $TEXT$
+	.SUBSPA $CODE$
+
+	.align 4
+	.EXPORT bn_div64,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR
+bn_div64
+	.PROC
+	.CALLINFO FRAME=128,CALLS,SAVE_RP,ENTRY_GR=8
+	.ENTRY
+	stw %r2,-20(0,%r30)
+	stwm %r8,128(0,%r30)
+	stw %r7,-124(0,%r30)
+	stw %r4,-112(0,%r30)
+	stw %r3,-108(0,%r30)
+	copy %r26,%r3
+	copy %r25,%r4
+	stw %r6,-120(0,%r30)
+	ldi 0,%r7
+	stw %r5,-116(0,%r30)
+	movb,<> %r24,%r5,L$0051
+	ldi 2,%r6
+	bl L$0068,0
+	ldi -1,%r28
+L$0051
+	.CALL ARGW0=GR
+	bl BN_num_bits_word,%r2
+	copy %r5,%r26
+	copy %r28,%r24
+	ldi 32,%r19
+	comb,= %r19,%r24,L$0052
+	subi 31,%r24,%r19
+	mtsar %r19
+	zvdepi 1,32,%r19
+	comb,>>= %r19,%r3,L$0052
+	addil LR'__iob-$global$+32,%r27
+	ldo RR'__iob-$global$+32(%r1),%r26
+	ldil LR'L$C0000,%r25
+	.CALL ARGW0=GR,ARGW1=GR,ARGW2=GR
+	bl fprintf,%r2
+	ldo RR'L$C0000(%r25),%r25
+	.CALL 
+	bl abort,%r2
+	nop
+L$0052
+	comb,>> %r5,%r3,L$0053
+	subi 32,%r24,%r24
+	sub %r3,%r5,%r3
+L$0053
+	comib,= 0,%r24,L$0054
+	subi 31,%r24,%r19
+	mtsar %r19
+	zvdep %r5,32,%r5
+	zvdep %r3,32,%r21
+	subi 32,%r24,%r20
+	mtsar %r20
+	vshd 0,%r4,%r20
+	or %r21,%r20,%r3
+	mtsar %r19
+	zvdep %r4,32,%r4
+L$0054
+	extru %r5,15,16,%r23
+	extru %r5,31,16,%r28
+L$0055
+	extru %r3,15,16,%r19
+	comb,<> %r23,%r19,L$0058
+	copy %r3,%r26
+	bl L$0059,0
+	zdepi -1,31,16,%r29
+L$0058
+	.IMPORT $$divU,MILLICODE
+	bl $$divU,%r31
+	copy %r23,%r25
+L$0059
+	stw %r29,-16(0,%r30)
+	fldws -16(0,%r30),%fr10L
+	stw %r28,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	stw %r23,-16(0,%r30)
+	xmpyu %fr10L,%fr10R,%fr8
+	fldws -16(0,%r30),%fr10R
+	fstws %fr8R,-16(0,%r30)
+	xmpyu %fr10L,%fr10R,%fr9
+	ldw -16(0,%r30),%r8
+	fstws %fr9R,-16(0,%r30)
+	copy %r8,%r22
+	ldw -16(0,%r30),%r8
+	extru %r4,15,16,%r24
+	copy %r8,%r21
+L$0060
+	sub %r3,%r21,%r20
+	copy %r20,%r19
+	depi 0,31,16,%r19
+	comib,<> 0,%r19,L$0061
+	zdep %r20,15,16,%r19
+	addl %r19,%r24,%r19
+	comb,>>= %r19,%r22,L$0061
+	sub %r22,%r28,%r22
+	sub %r21,%r23,%r21
+	bl L$0060,0
+	ldo -1(%r29),%r29
+L$0061
+	stw %r29,-16(0,%r30)
+	fldws -16(0,%r30),%fr10L
+	stw %r28,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	ldw -16(0,%r30),%r8
+	stw %r23,-16(0,%r30)
+	fldws -16(0,%r30),%fr10R
+	copy %r8,%r19
+	xmpyu %fr10L,%fr10R,%fr8
+	fstws %fr8R,-16(0,%r30)
+	extru %r19,15,16,%r20
+	ldw -16(0,%r30),%r8
+	zdep %r19,15,16,%r19
+	addl %r8,%r20,%r20
+	comclr,<<= %r19,%r4,0
+	addi 1,%r20,%r20
+	comb,<<= %r20,%r3,L$0066
+	sub %r4,%r19,%r4
+	addl %r3,%r5,%r3
+	ldo -1(%r29),%r29
+L$0066
+	addib,= -1,%r6,L$0056
+	sub %r3,%r20,%r3
+	zdep %r29,15,16,%r7
+	shd %r3,%r4,16,%r3
+	bl L$0055,0
+	zdep %r4,15,16,%r4
+L$0056
+	or %r7,%r29,%r28
+L$0068
+	ldw -148(0,%r30),%r2
+	ldw -124(0,%r30),%r7
+	ldw -120(0,%r30),%r6
+	ldw -116(0,%r30),%r5
+	ldw -112(0,%r30),%r4
+	ldw -108(0,%r30),%r3
+	bv 0(%r2)
+	ldwm -128(0,%r30),%r8
+	.EXIT
+	.PROCEND
diff --git a/crypto/openssl/crypto/bn/asm/r3000.s b/crypto/openssl/crypto/bn/asm/r3000.s
new file mode 100644
index 0000000..e95269a
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/r3000.s
@@ -0,0 +1,646 @@
+	.file	1 "../bn_mulw.c"
+	.set	nobopt
+	.option pic2
+
+ # GNU C 2.6.3 [AL 1.1, MM 40] SGI running IRIX 5.0 compiled by GNU C
+
+ # Cc1 defaults:
+ # -mabicalls
+
+ # Cc1 arguments (-G value = 0, Cpu = 3000, ISA = 1):
+ # -quiet -dumpbase -O2 -o
+
+gcc2_compiled.:
+__gnu_compiled_c:
+	.rdata
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x34,0x39,0x20
+	.byte	0x24,0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x33,0x34,0x20
+	.byte	0x24,0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x35,0x20,0x24
+	.byte	0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x38,0x20,0x24
+	.byte	0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x32,0x33,0x20
+	.byte	0x24,0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x37,0x38,0x20
+	.byte	0x24,0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x33,0x2e,0x37,0x30,0x20
+	.byte	0x24,0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x32,0x20,0x24
+	.byte	0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x34,0x20,0x24
+	.byte	0x0
+
+	.byte	0x24,0x52,0x65,0x76,0x69,0x73,0x69,0x6f
+	.byte	0x6e,0x3a,0x20,0x31,0x2e,0x38,0x20,0x24
+	.byte	0x0
+	.text
+	.align	2
+	.globl	bn_mul_add_words
+	.ent	bn_mul_add_words
+bn_mul_add_words:
+	.frame	$sp,0,$31		# vars= 0, regs= 0/0, args= 0, extra= 0
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	.set	noreorder
+	.cpload	$25
+	.set	reorder
+	move	$12,$4
+	move	$14,$5
+	move	$9,$6
+	move	$13,$7
+	move	$8,$0
+	addu	$10,$12,12
+	addu	$11,$14,12
+$L2:
+	lw	$6,0($14)
+	#nop
+	multu	$13,$6
+	mfhi	$6
+	mflo	$7
+	#nop
+	move	$5,$8
+	move	$4,$0
+	lw	$3,0($12)
+	addu	$9,$9,-1
+	move	$2,$0
+	addu	$7,$7,$3
+	sltu	$8,$7,$3
+	addu	$6,$6,$2
+	addu	$6,$6,$8
+	addu	$7,$7,$5
+	sltu	$2,$7,$5
+	addu	$6,$6,$4
+	addu	$6,$6,$2
+	srl	$3,$6,0
+	move	$2,$0
+	move	$8,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$9,$0,$L3
+	sw	$7,0($12)
+	.set	macro
+	.set	reorder
+
+	lw	$6,-8($11)
+	#nop
+	multu	$13,$6
+	mfhi	$6
+	mflo	$7
+	#nop
+	move	$5,$8
+	move	$4,$0
+	lw	$3,-8($10)
+	addu	$9,$9,-1
+	move	$2,$0
+	addu	$7,$7,$3
+	sltu	$8,$7,$3
+	addu	$6,$6,$2
+	addu	$6,$6,$8
+	addu	$7,$7,$5
+	sltu	$2,$7,$5
+	addu	$6,$6,$4
+	addu	$6,$6,$2
+	srl	$3,$6,0
+	move	$2,$0
+	move	$8,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$9,$0,$L3
+	sw	$7,-8($10)
+	.set	macro
+	.set	reorder
+
+	lw	$6,-4($11)
+	#nop
+	multu	$13,$6
+	mfhi	$6
+	mflo	$7
+	#nop
+	move	$5,$8
+	move	$4,$0
+	lw	$3,-4($10)
+	addu	$9,$9,-1
+	move	$2,$0
+	addu	$7,$7,$3
+	sltu	$8,$7,$3
+	addu	$6,$6,$2
+	addu	$6,$6,$8
+	addu	$7,$7,$5
+	sltu	$2,$7,$5
+	addu	$6,$6,$4
+	addu	$6,$6,$2
+	srl	$3,$6,0
+	move	$2,$0
+	move	$8,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$9,$0,$L3
+	sw	$7,-4($10)
+	.set	macro
+	.set	reorder
+
+	lw	$6,0($11)
+	#nop
+	multu	$13,$6
+	mfhi	$6
+	mflo	$7
+	#nop
+	move	$5,$8
+	move	$4,$0
+	lw	$3,0($10)
+	addu	$9,$9,-1
+	move	$2,$0
+	addu	$7,$7,$3
+	sltu	$8,$7,$3
+	addu	$6,$6,$2
+	addu	$6,$6,$8
+	addu	$7,$7,$5
+	sltu	$2,$7,$5
+	addu	$6,$6,$4
+	addu	$6,$6,$2
+	srl	$3,$6,0
+	move	$2,$0
+	move	$8,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$9,$0,$L3
+	sw	$7,0($10)
+	.set	macro
+	.set	reorder
+
+	addu	$11,$11,16
+	addu	$14,$14,16
+	addu	$10,$10,16
+	.set	noreorder
+	.set	nomacro
+	j	$L2
+	addu	$12,$12,16
+	.set	macro
+	.set	reorder
+
+$L3:
+	.set	noreorder
+	.set	nomacro
+	j	$31
+	move	$2,$8
+	.set	macro
+	.set	reorder
+
+	.end	bn_mul_add_words
+	.align	2
+	.globl	bn_mul_words
+	.ent	bn_mul_words
+bn_mul_words:
+	.frame	$sp,0,$31		# vars= 0, regs= 0/0, args= 0, extra= 0
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	.set	noreorder
+	.cpload	$25
+	.set	reorder
+	move	$11,$4
+	move	$12,$5
+	move	$8,$6
+	move	$6,$0
+	addu	$10,$11,12
+	addu	$9,$12,12
+$L10:
+	lw	$4,0($12)
+	#nop
+	multu	$7,$4
+	mfhi	$4
+	mflo	$5
+	#nop
+	move	$3,$6
+	move	$2,$0
+	addu	$8,$8,-1
+	addu	$5,$5,$3
+	sltu	$6,$5,$3
+	addu	$4,$4,$2
+	addu	$4,$4,$6
+	srl	$3,$4,0
+	move	$2,$0
+	move	$6,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$8,$0,$L11
+	sw	$5,0($11)
+	.set	macro
+	.set	reorder
+
+	lw	$4,-8($9)
+	#nop
+	multu	$7,$4
+	mfhi	$4
+	mflo	$5
+	#nop
+	move	$3,$6
+	move	$2,$0
+	addu	$8,$8,-1
+	addu	$5,$5,$3
+	sltu	$6,$5,$3
+	addu	$4,$4,$2
+	addu	$4,$4,$6
+	srl	$3,$4,0
+	move	$2,$0
+	move	$6,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$8,$0,$L11
+	sw	$5,-8($10)
+	.set	macro
+	.set	reorder
+
+	lw	$4,-4($9)
+	#nop
+	multu	$7,$4
+	mfhi	$4
+	mflo	$5
+	#nop
+	move	$3,$6
+	move	$2,$0
+	addu	$8,$8,-1
+	addu	$5,$5,$3
+	sltu	$6,$5,$3
+	addu	$4,$4,$2
+	addu	$4,$4,$6
+	srl	$3,$4,0
+	move	$2,$0
+	move	$6,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$8,$0,$L11
+	sw	$5,-4($10)
+	.set	macro
+	.set	reorder
+
+	lw	$4,0($9)
+	#nop
+	multu	$7,$4
+	mfhi	$4
+	mflo	$5
+	#nop
+	move	$3,$6
+	move	$2,$0
+	addu	$8,$8,-1
+	addu	$5,$5,$3
+	sltu	$6,$5,$3
+	addu	$4,$4,$2
+	addu	$4,$4,$6
+	srl	$3,$4,0
+	move	$2,$0
+	move	$6,$3
+	.set	noreorder
+	.set	nomacro
+	beq	$8,$0,$L11
+	sw	$5,0($10)
+	.set	macro
+	.set	reorder
+
+	addu	$9,$9,16
+	addu	$12,$12,16
+	addu	$10,$10,16
+	.set	noreorder
+	.set	nomacro
+	j	$L10
+	addu	$11,$11,16
+	.set	macro
+	.set	reorder
+
+$L11:
+	.set	noreorder
+	.set	nomacro
+	j	$31
+	move	$2,$6
+	.set	macro
+	.set	reorder
+
+	.end	bn_mul_words
+	.align	2
+	.globl	bn_sqr_words
+	.ent	bn_sqr_words
+bn_sqr_words:
+	.frame	$sp,0,$31		# vars= 0, regs= 0/0, args= 0, extra= 0
+	.mask	0x00000000,0
+	.fmask	0x00000000,0
+	.set	noreorder
+	.cpload	$25
+	.set	reorder
+	move	$9,$4
+	addu	$7,$9,28
+	addu	$8,$5,12
+$L18:
+	lw	$2,0($5)
+	#nop
+	multu	$2,$2
+	mfhi	$2
+	mflo	$3
+	#nop
+	addu	$6,$6,-1
+	sw	$3,0($9)
+	srl	$3,$2,0
+	move	$2,$0
+	.set	noreorder
+	.set	nomacro
+	beq	$6,$0,$L19
+	sw	$3,-24($7)
+	.set	macro
+	.set	reorder
+
+	lw	$2,-8($8)
+	#nop
+	multu	$2,$2
+	mfhi	$2
+	mflo	$3
+	#nop
+	addu	$6,$6,-1
+	sw	$3,-20($7)
+	srl	$3,$2,0
+	move	$2,$0
+	.set	noreorder
+	.set	nomacro
+	beq	$6,$0,$L19
+	sw	$3,-16($7)
+	.set	macro
+	.set	reorder
+
+	lw	$2,-4($8)
+	#nop
+	multu	$2,$2
+	mfhi	$2
+	mflo	$3
+	#nop
+	addu	$6,$6,-1
+	sw	$3,-12($7)
+	srl	$3,$2,0
+	move	$2,$0
+	.set	noreorder
+	.set	nomacro
+	beq	$6,$0,$L19
+	sw	$3,-8($7)
+	.set	macro
+	.set	reorder
+
+	lw	$2,0($8)
+	#nop
+	multu	$2,$2
+	mfhi	$2
+	mflo	$3
+	#nop
+	addu	$6,$6,-1
+	sw	$3,-4($7)
+	srl	$3,$2,0
+	move	$2,$0
+	.set	noreorder
+	.set	nomacro
+	beq	$6,$0,$L19
+	sw	$3,0($7)
+	.set	macro
+	.set	reorder
+
+	addu	$8,$8,16
+	addu	$5,$5,16
+	addu	$7,$7,32
+	.set	noreorder
+	.set	nomacro
+	j	$L18
+	addu	$9,$9,32
+	.set	macro
+	.set	reorder
+
+$L19:
+	j	$31
+	.end	bn_sqr_words
+	.rdata
+	.align	2
+$LC0:
+
+	.byte	0x44,0x69,0x76,0x69,0x73,0x69,0x6f,0x6e
+	.byte	0x20,0x77,0x6f,0x75,0x6c,0x64,0x20,0x6f
+	.byte	0x76,0x65,0x72,0x66,0x6c,0x6f,0x77,0xa
+	.byte	0x0
+	.text
+	.align	2
+	.globl	bn_div64
+	.ent	bn_div64
+bn_div64:
+	.frame	$sp,56,$31		# vars= 0, regs= 7/0, args= 16, extra= 8
+	.mask	0x901f0000,-8
+	.fmask	0x00000000,0
+	.set	noreorder
+	.cpload	$25
+	.set	reorder
+	subu	$sp,$sp,56
+	.cprestore 16
+	sw	$16,24($sp)
+	move	$16,$4
+	sw	$17,28($sp)
+	move	$17,$5
+	sw	$18,32($sp)
+	move	$18,$6
+	sw	$20,40($sp)
+	move	$20,$0
+	sw	$19,36($sp)
+	li	$19,0x00000002		# 2
+	sw	$31,48($sp)
+	.set	noreorder
+	.set	nomacro
+	bne	$18,$0,$L26
+	sw	$28,44($sp)
+	.set	macro
+	.set	reorder
+
+	.set	noreorder
+	.set	nomacro
+	j	$L43
+	li	$2,-1			# 0xffffffff
+	.set	macro
+	.set	reorder
+
+$L26:
+	move	$4,$18
+	jal	BN_num_bits_word
+	move	$4,$2
+	li	$2,0x00000020		# 32
+	.set	noreorder
+	.set	nomacro
+	beq	$4,$2,$L27
+	li	$2,0x00000001		# 1
+	.set	macro
+	.set	reorder
+
+	sll	$2,$2,$4
+	sltu	$2,$2,$16
+	.set	noreorder
+	.set	nomacro
+	beq	$2,$0,$L44
+	li	$5,0x00000020		# 32
+	.set	macro
+	.set	reorder
+
+	la	$4,__iob+32
+	la	$5,$LC0
+	jal	fprintf
+	jal	abort
+$L27:
+	li	$5,0x00000020		# 32
+$L44:
+	sltu	$2,$16,$18
+	.set	noreorder
+	.set	nomacro
+	bne	$2,$0,$L28
+	subu	$4,$5,$4
+	.set	macro
+	.set	reorder
+
+	subu	$16,$16,$18
+$L28:
+	.set	noreorder
+	.set	nomacro
+	beq	$4,$0,$L29
+	li	$10,-65536			# 0xffff0000
+	.set	macro
+	.set	reorder
+
+	sll	$18,$18,$4
+	sll	$3,$16,$4
+	subu	$2,$5,$4
+	srl	$2,$17,$2
+	or	$16,$3,$2
+	sll	$17,$17,$4
+$L29:
+	srl	$7,$18,16
+	andi	$9,$18,0xffff
+$L30:
+	srl	$2,$16,16
+	.set	noreorder
+	.set	nomacro
+	beq	$2,$7,$L34
+	li	$6,0x0000ffff		# 65535
+	.set	macro
+	.set	reorder
+
+	divu	$6,$16,$7
+$L34:
+	mult	$6,$9
+	mflo	$5
+	#nop
+	#nop
+	mult	$6,$7
+	and	$2,$17,$10
+	srl	$8,$2,16
+	mflo	$4
+$L35:
+	subu	$3,$16,$4
+	and	$2,$3,$10
+	.set	noreorder
+	.set	nomacro
+	bne	$2,$0,$L36
+	sll	$2,$3,16
+	.set	macro
+	.set	reorder
+
+	addu	$2,$2,$8
+	sltu	$2,$2,$5
+	.set	noreorder
+	.set	nomacro
+	beq	$2,$0,$L36
+	subu	$5,$5,$9
+	.set	macro
+	.set	reorder
+
+	subu	$4,$4,$7
+	.set	noreorder
+	.set	nomacro
+	j	$L35
+	addu	$6,$6,-1
+	.set	macro
+	.set	reorder
+
+$L36:
+	mult	$6,$7
+	mflo	$5
+	#nop
+	#nop
+	mult	$6,$9
+	mflo	$4
+	#nop
+	#nop
+	srl	$3,$4,16
+	sll	$2,$4,16
+	and	$4,$2,$10
+	sltu	$2,$17,$4
+	.set	noreorder
+	.set	nomacro
+	beq	$2,$0,$L40
+	addu	$5,$5,$3
+	.set	macro
+	.set	reorder
+
+	addu	$5,$5,1
+$L40:
+	sltu	$2,$16,$5
+	.set	noreorder
+	.set	nomacro
+	beq	$2,$0,$L41
+	subu	$17,$17,$4
+	.set	macro
+	.set	reorder
+
+	addu	$16,$16,$18
+	addu	$6,$6,-1
+$L41:
+	addu	$19,$19,-1
+	.set	noreorder
+	.set	nomacro
+	beq	$19,$0,$L31
+	subu	$16,$16,$5
+	.set	macro
+	.set	reorder
+
+	sll	$20,$6,16
+	sll	$3,$16,16
+	srl	$2,$17,16
+	or	$16,$3,$2
+	.set	noreorder
+	.set	nomacro
+	j	$L30
+	sll	$17,$17,16
+	.set	macro
+	.set	reorder
+
+$L31:
+	or	$2,$20,$6
+$L43:
+	lw	$31,48($sp)
+	lw	$20,40($sp)
+	lw	$19,36($sp)
+	lw	$18,32($sp)
+	lw	$17,28($sp)
+	lw	$16,24($sp)
+	addu	$sp,$sp,56
+	j	$31
+	.end	bn_div64
+
+	.globl abort .text
+	.globl fprintf .text
+	.globl BN_num_bits_word .text
diff --git a/crypto/openssl/crypto/bn/asm/sparcv8.S b/crypto/openssl/crypto/bn/asm/sparcv8.S
new file mode 100644
index 0000000..88c5dc4
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/sparcv8.S
@@ -0,0 +1,1458 @@
+.ident	"sparcv8.s, Version 1.4"
+.ident	"SPARC v8 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in SuperSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * See bn_asm.sparc.v8plus.S for more details.
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.1	- new loop unrolling model(*);
+ * 1.2	- made gas friendly;
+ * 1.3	- fixed problem with /usr/ccs/lib/cpp;
+ * 1.4	- some retunes;
+ *
+ * (*)	see bn_asm.sparc.v8plus.S for details
+ */
+
+.section	".text",#alloc,#execinstr
+.file		"bn_asm.sparc.v8.S"
+
+.align	32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+	cmp	%o2,0
+	bg,a	.L_bn_mul_add_words_proceed
+	ld	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_mul_add_words_proceed:
+	andcc	%o2,-4,%g0
+	bz	.L_bn_mul_add_words_tail
+	clr	%o5
+
+.L_bn_mul_add_words_loop:
+	ld	[%o0],%o4
+	ld	[%o1+4],%g3
+	umul	%o3,%g2,%g2
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g2,%o4
+	st	%o4,[%o0]
+	addx	%g1,0,%o5
+
+	ld	[%o0+4],%o4
+	ld	[%o1+8],%g2
+	umul	%o3,%g3,%g3
+	dec	4,%o2
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g3,%o4
+	st	%o4,[%o0+4]
+	addx	%g1,0,%o5
+
+	ld	[%o0+8],%o4
+	ld	[%o1+12],%g3
+	umul	%o3,%g2,%g2
+	inc	16,%o1
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g2,%o4
+	st	%o4,[%o0+8]
+	addx	%g1,0,%o5
+
+	ld	[%o0+12],%o4
+	umul	%o3,%g3,%g3
+	inc	16,%o0
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g3,%o4
+	st	%o4,[%o0-4]
+	addx	%g1,0,%o5
+	andcc	%o2,-4,%g0
+	bnz,a	.L_bn_mul_add_words_loop
+	ld	[%o1],%g2
+
+	tst	%o2
+	bnz,a	.L_bn_mul_add_words_tail
+	ld	[%o1],%g2
+.L_bn_mul_add_words_return:
+	retl
+	mov	%o5,%o0
+	nop
+
+.L_bn_mul_add_words_tail:
+	ld	[%o0],%o4
+	umul	%o3,%g2,%g2
+	addcc	%o4,%o5,%o4
+	rd	%y,%g1
+	addx	%g1,0,%g1
+	addcc	%o4,%g2,%o4
+	addx	%g1,0,%o5
+	deccc	%o2
+	bz	.L_bn_mul_add_words_return
+	st	%o4,[%o0]
+
+	ld	[%o1+4],%g2
+	ld	[%o0+4],%o4
+	umul	%o3,%g2,%g2
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g2,%o4
+	addx	%g1,0,%o5
+	deccc	%o2
+	bz	.L_bn_mul_add_words_return
+	st	%o4,[%o0+4]
+
+	ld	[%o1+8],%g2
+	ld	[%o0+8],%o4
+	umul	%o3,%g2,%g2
+	rd	%y,%g1
+	addcc	%o4,%o5,%o4
+	addx	%g1,0,%g1
+	addcc	%o4,%g2,%o4
+	st	%o4,[%o0+8]
+	retl
+	addx	%g1,0,%o0
+
+.type	bn_mul_add_words,#function
+.size	bn_mul_add_words,(.-bn_mul_add_words)
+
+.align	32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+	cmp	%o2,0
+	bg,a	.L_bn_mul_words_proceeed
+	ld	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_mul_words_proceeed:
+	andcc	%o2,-4,%g0
+	bz	.L_bn_mul_words_tail
+	clr	%o5
+
+.L_bn_mul_words_loop:
+	ld	[%o1+4],%g3
+	umul	%o3,%g2,%g2
+	addcc	%g2,%o5,%g2
+	rd	%y,%g1
+	addx	%g1,0,%o5
+	st	%g2,[%o0]
+
+	ld	[%o1+8],%g2
+	umul	%o3,%g3,%g3
+	addcc	%g3,%o5,%g3
+	rd	%y,%g1
+	dec	4,%o2
+	addx	%g1,0,%o5
+	st	%g3,[%o0+4]
+
+	ld	[%o1+12],%g3
+	umul	%o3,%g2,%g2
+	addcc	%g2,%o5,%g2
+	rd	%y,%g1
+	inc	16,%o1
+	st	%g2,[%o0+8]
+	addx	%g1,0,%o5
+
+	umul	%o3,%g3,%g3
+	addcc	%g3,%o5,%g3
+	rd	%y,%g1
+	inc	16,%o0
+	addx	%g1,0,%o5
+	st	%g3,[%o0-4]
+	andcc	%o2,-4,%g0
+	nop
+	bnz,a	.L_bn_mul_words_loop
+	ld	[%o1],%g2
+
+	tst	%o2
+	bnz,a	.L_bn_mul_words_tail
+	ld	[%o1],%g2
+.L_bn_mul_words_return:
+	retl
+	mov	%o5,%o0
+	nop
+
+.L_bn_mul_words_tail:
+	umul	%o3,%g2,%g2
+	addcc	%g2,%o5,%g2
+	rd	%y,%g1
+	addx	%g1,0,%o5
+	deccc	%o2
+	bz	.L_bn_mul_words_return
+	st	%g2,[%o0]
+	nop
+
+	ld	[%o1+4],%g2
+	umul	%o3,%g2,%g2
+	addcc	%g2,%o5,%g2
+	rd	%y,%g1
+	addx	%g1,0,%o5
+	deccc	%o2
+	bz	.L_bn_mul_words_return
+	st	%g2,[%o0+4]
+
+	ld	[%o1+8],%g2
+	umul	%o3,%g2,%g2
+	addcc	%g2,%o5,%g2
+	rd	%y,%g1
+	st	%g2,[%o0+8]
+	retl
+	addx	%g1,0,%o0
+
+.type	bn_mul_words,#function
+.size	bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global	bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+	cmp	%o2,0
+	bg,a	.L_bn_sqr_words_proceeed
+	ld	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_sqr_words_proceeed:
+	andcc	%o2,-4,%g0
+	bz	.L_bn_sqr_words_tail
+	clr	%o5
+
+.L_bn_sqr_words_loop:
+	ld	[%o1+4],%g3
+	umul	%g2,%g2,%o4
+	st	%o4,[%o0]
+	rd	%y,%o5
+	st	%o5,[%o0+4]
+
+	ld	[%o1+8],%g2
+	umul	%g3,%g3,%o4
+	dec	4,%o2
+	st	%o4,[%o0+8]
+	rd	%y,%o5
+	st	%o5,[%o0+12]
+	nop
+
+	ld	[%o1+12],%g3
+	umul	%g2,%g2,%o4
+	st	%o4,[%o0+16]
+	rd	%y,%o5
+	inc	16,%o1
+	st	%o5,[%o0+20]
+
+	umul	%g3,%g3,%o4
+	inc	32,%o0
+	st	%o4,[%o0-8]
+	rd	%y,%o5
+	st	%o5,[%o0-4]
+	andcc	%o2,-4,%g2
+	bnz,a	.L_bn_sqr_words_loop
+	ld	[%o1],%g2
+
+	tst	%o2
+	nop
+	bnz,a	.L_bn_sqr_words_tail
+	ld	[%o1],%g2
+.L_bn_sqr_words_return:
+	retl
+	clr	%o0
+
+.L_bn_sqr_words_tail:
+	umul	%g2,%g2,%o4
+	st	%o4,[%o0]
+	deccc	%o2
+	rd	%y,%o5
+	bz	.L_bn_sqr_words_return
+	st	%o5,[%o0+4]
+
+	ld	[%o1+4],%g2
+	umul	%g2,%g2,%o4
+	st	%o4,[%o0+8]
+	deccc	%o2
+	rd	%y,%o5
+	nop
+	bz	.L_bn_sqr_words_return
+	st	%o5,[%o0+12]
+
+	ld	[%o1+8],%g2
+	umul	%g2,%g2,%o4
+	st	%o4,[%o0+16]
+	rd	%y,%o5
+	st	%o5,[%o0+20]
+	retl
+	clr	%o0
+
+.type	bn_sqr_words,#function
+.size	bn_sqr_words,(.-bn_sqr_words)
+
+.align	32
+
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+	wr	%o0,%y
+	udiv	%o1,%o2,%o0
+	retl
+	nop
+
+.type	bn_div_words,#function
+.size	bn_div_words,(.-bn_div_words)
+
+.align	32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+	cmp	%o3,0
+	bg,a	.L_bn_add_words_proceed
+	ld	[%o1],%o4
+	retl
+	clr	%o0
+
+.L_bn_add_words_proceed:
+	andcc	%o3,-4,%g0
+	bz	.L_bn_add_words_tail
+	clr	%g1
+	ba	.L_bn_add_words_warn_loop
+	addcc	%g0,0,%g0	! clear carry flag
+
+.L_bn_add_words_loop:
+	ld	[%o1],%o4
+.L_bn_add_words_warn_loop:
+	ld	[%o2],%o5
+	ld	[%o1+4],%g3
+	ld	[%o2+4],%g4
+	dec	4,%o3
+	addxcc	%o5,%o4,%o5
+	st	%o5,[%o0]
+
+	ld	[%o1+8],%o4
+	ld	[%o2+8],%o5
+	inc	16,%o1
+	addxcc	%g3,%g4,%g3
+	st	%g3,[%o0+4]
+	
+	ld	[%o1-4],%g3
+	ld	[%o2+12],%g4
+	inc	16,%o2
+	addxcc	%o5,%o4,%o5
+	st	%o5,[%o0+8]
+
+	inc	16,%o0
+	addxcc	%g3,%g4,%g3
+	st	%g3,[%o0-4]
+	addx	%g0,0,%g1
+	andcc	%o3,-4,%g0
+	bnz,a	.L_bn_add_words_loop
+	addcc	%g1,-1,%g0
+
+	tst	%o3
+	bnz,a	.L_bn_add_words_tail
+	ld	[%o1],%o4
+.L_bn_add_words_return:
+	retl
+	mov	%g1,%o0
+
+.L_bn_add_words_tail:
+	addcc	%g1,-1,%g0
+	ld	[%o2],%o5
+	addxcc	%o5,%o4,%o5
+	addx	%g0,0,%g1
+	deccc	%o3
+	bz	.L_bn_add_words_return
+	st	%o5,[%o0]
+
+	ld	[%o1+4],%o4
+	addcc	%g1,-1,%g0
+	ld	[%o2+4],%o5
+	addxcc	%o5,%o4,%o5
+	addx	%g0,0,%g1
+	deccc	%o3
+	bz	.L_bn_add_words_return
+	st	%o5,[%o0+4]
+
+	ld	[%o1+8],%o4
+	addcc	%g1,-1,%g0
+	ld	[%o2+8],%o5
+	addxcc	%o5,%o4,%o5
+	st	%o5,[%o0+8]
+	retl
+	addx	%g0,0,%o0
+
+.type	bn_add_words,#function
+.size	bn_add_words,(.-bn_add_words)
+
+.align	32
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+	cmp	%o3,0
+	bg,a	.L_bn_sub_words_proceed
+	ld	[%o1],%o4
+	retl
+	clr	%o0
+
+.L_bn_sub_words_proceed:
+	andcc	%o3,-4,%g0
+	bz	.L_bn_sub_words_tail
+	clr	%g1
+	ba	.L_bn_sub_words_warm_loop
+	addcc	%g0,0,%g0	! clear carry flag
+
+.L_bn_sub_words_loop:
+	ld	[%o1],%o4
+.L_bn_sub_words_warm_loop:
+	ld	[%o2],%o5
+	ld	[%o1+4],%g3
+	ld	[%o2+4],%g4
+	dec	4,%o3
+	subxcc	%o4,%o5,%o5
+	st	%o5,[%o0]
+
+	ld	[%o1+8],%o4
+	ld	[%o2+8],%o5
+	inc	16,%o1
+	subxcc	%g3,%g4,%g4
+	st	%g4,[%o0+4]
+	
+	ld	[%o1-4],%g3
+	ld	[%o2+12],%g4
+	inc	16,%o2
+	subxcc	%o4,%o5,%o5
+	st	%o5,[%o0+8]
+
+	inc	16,%o0
+	subxcc	%g3,%g4,%g4
+	st	%g4,[%o0-4]
+	addx	%g0,0,%g1
+	andcc	%o3,-4,%g0
+	bnz,a	.L_bn_sub_words_loop
+	addcc	%g1,-1,%g0
+
+	tst	%o3
+	nop
+	bnz,a	.L_bn_sub_words_tail
+	ld	[%o1],%o4
+.L_bn_sub_words_return:
+	retl
+	mov	%g1,%o0
+
+.L_bn_sub_words_tail:
+	addcc	%g1,-1,%g0
+	ld	[%o2],%o5
+	subxcc	%o4,%o5,%o5
+	addx	%g0,0,%g1
+	deccc	%o3
+	bz	.L_bn_sub_words_return
+	st	%o5,[%o0]
+	nop
+
+	ld	[%o1+4],%o4
+	addcc	%g1,-1,%g0
+	ld	[%o2+4],%o5
+	subxcc	%o4,%o5,%o5
+	addx	%g0,0,%g1
+	deccc	%o3
+	bz	.L_bn_sub_words_return
+	st	%o5,[%o0+4]
+
+	ld	[%o1+8],%o4
+	addcc	%g1,-1,%g0
+	ld	[%o2+8],%o5
+	subxcc	%o4,%o5,%o5
+	st	%o5,[%o0+8]
+	retl
+	addx	%g0,0,%o0
+
+.type	bn_sub_words,#function
+.size	bn_sub_words,(.-bn_sub_words)
+
+#define FRAME_SIZE	-96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1	%o0
+#define	t_2	%o1
+#define c_1	%o2
+#define c_2	%o3
+#define c_3	%o4
+
+#define ap(I)	[%i1+4*I]
+#define bp(I)	[%i2+4*I]
+#define rp(I)	[%i0+4*I]
+
+#define	a_0	%l0
+#define	a_1	%l1
+#define	a_2	%l2
+#define	a_3	%l3
+#define	a_4	%l4
+#define	a_5	%l5
+#define	a_6	%l6
+#define	a_7	%l7
+
+#define	b_0	%i3
+#define	b_1	%i4
+#define	b_2	%i5
+#define	b_3	%o5
+#define	b_4	%g1
+#define	b_5	%g2
+#define	b_6	%g3
+#define	b_7	%g4
+
+.align	32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+	save	%sp,FRAME_SIZE,%sp
+	ld	ap(0),a_0
+	ld	bp(0),b_0
+	umul	a_0,b_0,c_1	!=!mul_add_c(a[0],b[0],c1,c2,c3);
+	ld	bp(1),b_1
+	rd	%y,c_2
+	st	c_1,rp(0)	!r[0]=c1;
+
+	umul	a_0,b_1,t_1	!=!mul_add_c(a[0],b[1],c2,c3,c1);
+	ld	ap(1),a_1
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	%g0,t_2,c_3	!=
+	addx	%g0,%g0,c_1
+	ld	ap(2),a_2
+	umul	a_1,b_0,t_1	!mul_add_c(a[1],b[0],c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	st	c_2,rp(1)	!r[1]=c2;
+	addx	c_1,%g0,c_1	!=
+
+	umul	a_2,b_0,t_1	!mul_add_c(a[2],b[0],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	%g0,%g0,c_2
+	ld	bp(2),b_2
+	umul	a_1,b_1,t_1	!mul_add_c(a[1],b[1],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	ld	bp(3),b_3
+	addx	c_2,%g0,c_2	!=
+	umul	a_0,b_2,t_1	!mul_add_c(a[0],b[2],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	st	c_3,rp(2)	!r[2]=c3;
+
+	umul	a_0,b_3,t_1	!mul_add_c(a[0],b[3],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3
+	umul	a_1,b_2,t_1	!=!mul_add_c(a[1],b[2],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	ld	ap(3),a_3
+	umul	a_2,b_1,t_1	!mul_add_c(a[2],b[1],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2		!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	ld	ap(4),a_4
+	umul	a_3,b_0,t_1	!mul_add_c(a[3],b[0],c1,c2,c3);!=
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(3)	!r[3]=c1;
+
+	umul	a_4,b_0,t_1	!mul_add_c(a[4],b[0],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	umul	a_3,b_1,t_1	!mul_add_c(a[3],b[1],c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	umul	a_2,b_2,t_1	!=!mul_add_c(a[2],b[2],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	ld	bp(4),b_4
+	umul	a_1,b_3,t_1	!mul_add_c(a[1],b[3],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	ld	bp(5),b_5
+	umul	a_0,b_4,t_1	!=!mul_add_c(a[0],b[4],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	st	c_2,rp(4)	!r[4]=c2;
+
+	umul	a_0,b_5,t_1	!mul_add_c(a[0],b[5],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	umul	a_1,b_4,t_1	!mul_add_c(a[1],b[4],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_2,b_3,t_1	!=!mul_add_c(a[2],b[3],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	umul	a_3,b_2,t_1	!mul_add_c(a[3],b[2],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	ld	ap(5),a_5
+	umul	a_4,b_1,t_1	!mul_add_c(a[4],b[1],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	ld	ap(6),a_6
+	addx	c_2,%g0,c_2	!=
+	umul	a_5,b_0,t_1	!mul_add_c(a[5],b[0],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	st	c_3,rp(5)	!r[5]=c3;
+
+	umul	a_6,b_0,t_1	!mul_add_c(a[6],b[0],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3
+	umul	a_5,b_1,t_1	!=!mul_add_c(a[5],b[1],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_4,b_2,t_1	!mul_add_c(a[4],b[2],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	umul	a_3,b_3,t_1	!mul_add_c(a[3],b[3],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2		!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_2,b_4,t_1	!mul_add_c(a[2],b[4],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	ld	bp(6),b_6
+	addx	c_3,%g0,c_3	!=
+	umul	a_1,b_5,t_1	!mul_add_c(a[1],b[5],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	ld	bp(7),b_7
+	umul	a_0,b_6,t_1	!mul_add_c(a[0],b[6],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	st	c_1,rp(6)	!r[6]=c1;
+	addx	c_3,%g0,c_3	!=
+
+	umul	a_0,b_7,t_1	!mul_add_c(a[0],b[7],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	%g0,%g0,c_1
+	umul	a_1,b_6,t_1	!mul_add_c(a[1],b[6],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	umul	a_2,b_5,t_1	!mul_add_c(a[2],b[5],c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	umul	a_3,b_4,t_1	!=!mul_add_c(a[3],b[4],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	umul	a_4,b_3,t_1	!mul_add_c(a[4],b[3],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_5,b_2,t_1	!mul_add_c(a[5],b[2],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	ld	ap(7),a_7
+	umul	a_6,b_1,t_1	!=!mul_add_c(a[6],b[1],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	umul	a_7,b_0,t_1	!mul_add_c(a[7],b[0],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	st	c_2,rp(7)	!r[7]=c2;
+
+	umul	a_7,b_1,t_1	!mul_add_c(a[7],b[1],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	umul	a_6,b_2,t_1	!=!mul_add_c(a[6],b[2],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	umul	a_5,b_3,t_1	!mul_add_c(a[5],b[3],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	umul	a_4,b_4,t_1	!mul_add_c(a[4],b[4],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_3,b_5,t_1	!mul_add_c(a[3],b[5],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_2,b_6,t_1	!=!mul_add_c(a[2],b[6],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	umul	a_1,b_7,t_1	!mul_add_c(a[1],b[7],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!
+	addx	c_2,%g0,c_2
+	st	c_3,rp(8)	!r[8]=c3;
+
+	umul	a_2,b_7,t_1	!mul_add_c(a[2],b[7],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3
+	umul	a_3,b_6,t_1	!=!mul_add_c(a[3],b[6],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_4,b_5,t_1	!mul_add_c(a[4],b[5],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	umul	a_5,b_4,t_1	!mul_add_c(a[5],b[4],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2		!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_6,b_3,t_1	!mul_add_c(a[6],b[3],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_7,b_2,t_1	!=!mul_add_c(a[7],b[2],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(9)	!r[9]=c1;
+
+	umul	a_7,b_3,t_1	!mul_add_c(a[7],b[3],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	umul	a_6,b_4,t_1	!mul_add_c(a[6],b[4],c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	umul	a_5,b_5,t_1	!=!mul_add_c(a[5],b[5],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	umul	a_4,b_6,t_1	!mul_add_c(a[4],b[6],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_3,b_7,t_1	!mul_add_c(a[3],b[7],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	st	c_2,rp(10)	!r[10]=c2;
+
+	umul	a_4,b_7,t_1	!=!mul_add_c(a[4],b[7],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2	!=
+	umul	a_5,b_6,t_1	!mul_add_c(a[5],b[6],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	umul	a_6,b_5,t_1	!mul_add_c(a[6],b[5],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_7,b_4,t_1	!mul_add_c(a[7],b[4],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(11)	!r[11]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_7,b_5,t_1	!mul_add_c(a[7],b[5],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	%g0,%g0,c_3
+	umul	a_6,b_6,t_1	!mul_add_c(a[6],b[6],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2		!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_5,b_7,t_1	!mul_add_c(a[5],b[7],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	st	c_1,rp(12)	!r[12]=c1;
+	addx	c_3,%g0,c_3	!=
+
+	umul	a_6,b_7,t_1	!mul_add_c(a[6],b[7],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	%g0,%g0,c_1
+	umul	a_7,b_6,t_1	!mul_add_c(a[7],b[6],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	st	c_2,rp(13)	!r[13]=c2;
+
+	umul	a_7,b_7,t_1	!=!mul_add_c(a[7],b[7],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	nop			!=
+	st	c_3,rp(14)	!r[14]=c3;
+	st	c_1,rp(15)	!r[15]=c1;
+
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_mul_comba8,#function
+.size	bn_mul_comba8,(.-bn_mul_comba8)
+
+.align	32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+	save	%sp,FRAME_SIZE,%sp
+	ld	ap(0),a_0
+	ld	bp(0),b_0
+	umul	a_0,b_0,c_1	!=!mul_add_c(a[0],b[0],c1,c2,c3);
+	ld	bp(1),b_1
+	rd	%y,c_2
+	st	c_1,rp(0)	!r[0]=c1;
+
+	umul	a_0,b_1,t_1	!=!mul_add_c(a[0],b[1],c2,c3,c1);
+	ld	ap(1),a_1
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	%g0,t_2,c_3
+	addx	%g0,%g0,c_1
+	ld	ap(2),a_2
+	umul	a_1,b_0,t_1	!=!mul_add_c(a[1],b[0],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	st	c_2,rp(1)	!r[1]=c2;
+
+	umul	a_2,b_0,t_1	!mul_add_c(a[2],b[0],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	ld	bp(2),b_2
+	umul	a_1,b_1,t_1	!=!mul_add_c(a[1],b[1],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	ld	bp(3),b_3
+	umul	a_0,b_2,t_1	!mul_add_c(a[0],b[2],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	st	c_3,rp(2)	!r[2]=c3;
+
+	umul	a_0,b_3,t_1	!=!mul_add_c(a[0],b[3],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3	!=
+	umul	a_1,b_2,t_1	!mul_add_c(a[1],b[2],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	ld	ap(3),a_3
+	umul	a_2,b_1,t_1	!mul_add_c(a[2],b[1],c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_3,b_0,t_1	!=!mul_add_c(a[3],b[0],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(3)	!r[3]=c1;
+
+	umul	a_3,b_1,t_1	!mul_add_c(a[3],b[1],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	umul	a_2,b_2,t_1	!mul_add_c(a[2],b[2],c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	umul	a_1,b_3,t_1	!=!mul_add_c(a[1],b[3],c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	st	c_2,rp(4)	!r[4]=c2;
+
+	umul	a_2,b_3,t_1	!mul_add_c(a[2],b[3],c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	umul	a_3,b_2,t_1	!mul_add_c(a[3],b[2],c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(5)	!r[5]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_3,b_3,t_1	!mul_add_c(a[3],b[3],c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	st	c_1,rp(6)	!r[6]=c1;
+	st	c_2,rp(7)	!r[7]=c2;
+	
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_mul_comba4,#function
+.size	bn_mul_comba4,(.-bn_mul_comba4)
+
+.align	32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+	save	%sp,FRAME_SIZE,%sp
+	ld	ap(0),a_0
+	ld	ap(1),a_1
+	umul	a_0,a_0,c_1	!=!sqr_add_c(a,0,c1,c2,c3);
+	rd	%y,c_2
+	st	c_1,rp(0)	!r[0]=c1;
+
+	ld	ap(2),a_2
+	umul	a_0,a_1,t_1	!=!sqr_add_c2(a,1,0,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	%g0,t_2,c_3
+	addx	%g0,%g0,c_1	!=
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3
+	st	c_2,rp(1)	!r[1]=c2;
+	addx	c_1,%g0,c_1	!=
+
+	umul	a_2,a_0,t_1	!sqr_add_c2(a,2,0,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	%g0,%g0,c_2
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	ld	ap(3),a_3
+	umul	a_1,a_1,t_1	!sqr_add_c(a,1,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	st	c_3,rp(2)	!r[2]=c3;
+
+	umul	a_0,a_3,t_1	!=!sqr_add_c2(a,3,0,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3	!=
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	ld	ap(4),a_4
+	addx	c_3,%g0,c_3	!=
+	umul	a_1,a_2,t_1	!sqr_add_c2(a,2,1,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(3)	!r[3]=c1;
+
+	umul	a_4,a_0,t_1	!sqr_add_c2(a,4,0,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_3,a_1,t_1	!sqr_add_c2(a,3,1,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	ld	ap(5),a_5
+	umul	a_2,a_2,t_1	!sqr_add_c(a,2,c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	st	c_2,rp(4)	!r[4]=c2;
+	addx	c_1,%g0,c_1	!=
+
+	umul	a_0,a_5,t_1	!sqr_add_c2(a,5,0,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	%g0,%g0,c_2
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	umul	a_1,a_4,t_1	!sqr_add_c2(a,4,1,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	ld	ap(6),a_6
+	umul	a_2,a_3,t_1	!sqr_add_c2(a,3,2,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	st	c_3,rp(5)	!r[5]=c3;
+
+	umul	a_6,a_0,t_1	!sqr_add_c2(a,6,0,c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	%g0,%g0,c_3
+	addcc	c_1,t_1,c_1	!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_5,a_1,t_1	!sqr_add_c2(a,5,1,c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1	!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	umul	a_4,a_2,t_1	!sqr_add_c2(a,4,2,c1,c2,c3);
+	addcc	c_1,t_1,c_1	!=
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1	!=
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3
+	ld	ap(7),a_7
+	umul	a_3,a_3,t_1	!=!sqr_add_c(a,3,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(6)	!r[6]=c1;
+
+	umul	a_0,a_7,t_1	!sqr_add_c2(a,7,0,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_1,a_6,t_1	!sqr_add_c2(a,6,1,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_2,a_5,t_1	!sqr_add_c2(a,5,2,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_3,a_4,t_1	!sqr_add_c2(a,4,3,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	st	c_2,rp(7)	!r[7]=c2;
+
+	umul	a_7,a_1,t_1	!sqr_add_c2(a,7,1,c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	addcc	c_3,t_1,c_3	!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_6,a_2,t_1	!sqr_add_c2(a,6,2,c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	addcc	c_3,t_1,c_3	!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_5,a_3,t_1	!sqr_add_c2(a,5,3,c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	addcc	c_3,t_1,c_3	!=
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_4,a_4,t_1	!sqr_add_c(a,4,c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(8)	!r[8]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_2,a_7,t_1	!sqr_add_c2(a,7,2,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	%g0,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_3,a_6,t_1	!sqr_add_c2(a,6,3,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_4,a_5,t_1	!sqr_add_c2(a,5,4,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(9)	!r[9]=c1;
+
+	umul	a_7,a_3,t_1	!sqr_add_c2(a,7,3,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_6,a_4,t_1	!sqr_add_c2(a,6,4,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_5,a_5,t_1	!sqr_add_c(a,5,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	st	c_2,rp(10)	!r[10]=c2;
+
+	umul	a_4,a_7,t_1	!=!sqr_add_c2(a,7,4,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2	!=
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2
+	umul	a_5,a_6,t_1	!=!sqr_add_c2(a,6,5,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	c_2,%g0,c_2	!=
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(11)	!r[11]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_7,a_5,t_1	!sqr_add_c2(a,7,5,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	%g0,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_6,a_6,t_1	!sqr_add_c(a,6,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	st	c_1,rp(12)	!r[12]=c1;
+
+	umul	a_6,a_7,t_1	!sqr_add_c2(a,7,6,c2,c3,c1);
+	addcc	c_2,t_1,c_2	!=
+	rd	%y,t_2
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	addcc	c_2,t_1,c_2	!=
+	addxcc	c_3,t_2,c_3
+	st	c_2,rp(13)	!r[13]=c2;
+	addx	c_1,%g0,c_1	!=
+
+	umul	a_7,a_7,t_1	!sqr_add_c(a,7,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1	!=
+	st	c_3,rp(14)	!r[14]=c3;
+	st	c_1,rp(15)	!r[15]=c1;
+
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_sqr_comba8,#function
+.size	bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align	32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+	save	%sp,FRAME_SIZE,%sp
+	ld	ap(0),a_0
+	umul	a_0,a_0,c_1	!sqr_add_c(a,0,c1,c2,c3);
+	ld	ap(1),a_1	!=
+	rd	%y,c_2
+	st	c_1,rp(0)	!r[0]=c1;
+
+	ld	ap(2),a_2
+	umul	a_0,a_1,t_1	!=!sqr_add_c2(a,1,0,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2
+	addxcc	%g0,t_2,c_3
+	addx	%g0,%g0,c_1	!=
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1	!=
+	st	c_2,rp(1)	!r[1]=c2;
+
+	umul	a_2,a_0,t_1	!sqr_add_c2(a,2,0,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2		!=
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1	!=
+	addx	c_2,%g0,c_2
+	ld	ap(3),a_3
+	umul	a_1,a_1,t_1	!sqr_add_c(a,1,c3,c1,c2);
+	addcc	c_3,t_1,c_3	!=
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(2)	!r[2]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_0,a_3,t_1	!sqr_add_c2(a,3,0,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	%g0,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	umul	a_1,a_2,t_1	!sqr_add_c2(a,2,1,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	addx	c_3,%g0,c_3
+	addcc	c_1,t_1,c_1
+	addxcc	c_2,t_2,c_2
+	addx	c_3,%g0,c_3	!=
+	st	c_1,rp(3)	!r[3]=c1;
+
+	umul	a_3,a_1,t_1	!sqr_add_c2(a,3,1,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	%g0,%g0,c_1
+	addcc	c_2,t_1,c_2
+	addxcc	c_3,t_2,c_3	!=
+	addx	c_1,%g0,c_1
+	umul	a_2,a_2,t_1	!sqr_add_c(a,2,c2,c3,c1);
+	addcc	c_2,t_1,c_2
+	rd	%y,t_2		!=
+	addxcc	c_3,t_2,c_3
+	addx	c_1,%g0,c_1
+	st	c_2,rp(4)	!r[4]=c2;
+
+	umul	a_2,a_3,t_1	!=!sqr_add_c2(a,3,2,c3,c1,c2);
+	addcc	c_3,t_1,c_3
+	rd	%y,t_2
+	addxcc	c_1,t_2,c_1
+	addx	%g0,%g0,c_2	!=
+	addcc	c_3,t_1,c_3
+	addxcc	c_1,t_2,c_1
+	st	c_3,rp(5)	!r[5]=c3;
+	addx	c_2,%g0,c_2	!=
+
+	umul	a_3,a_3,t_1	!sqr_add_c(a,3,c1,c2,c3);
+	addcc	c_1,t_1,c_1
+	rd	%y,t_2
+	addxcc	c_2,t_2,c_2	!=
+	st	c_1,rp(6)	!r[6]=c1;
+	st	c_2,rp(7)	!r[7]=c2;
+	
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_sqr_comba4,#function
+.size	bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align	32
diff --git a/crypto/openssl/crypto/bn/asm/sparcv8plus.S b/crypto/openssl/crypto/bn/asm/sparcv8plus.S
new file mode 100644
index 0000000..0074dfd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/sparcv8plus.S
@@ -0,0 +1,1535 @@
+.ident	"sparcv8plus.s, Version 1.4"
+.ident	"SPARC v9 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in UltraSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * Questions-n-answers.
+ *
+ * Q. How to compile?
+ * A. With SC4.x/SC5.x:
+ *
+ *	cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    and with gcc:
+ *
+ *	gcc -mcpu=ultrasparc -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    or if above fails (it does if you have gas installed):
+ *
+ *	gcc -E bn_asm.sparc.v8plus.S | as -xarch=v8plus /dev/fd/0 -o bn_asm.o
+ *
+ *    Quick-n-dirty way to fuse the module into the library.
+ *    Provided that the library is already configured and built
+ *    (in 0.9.2 case with no-asm option):
+ *
+ *	# cd crypto/bn
+ *	# cp /some/place/bn_asm.sparc.v8plus.S .
+ *	# cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *	# make
+ *	# cd ../..
+ *	# make; make test
+ *
+ *    Quick-n-dirty way to get rid of it:
+ *
+ *	# cd crypto/bn
+ *	# touch bn_asm.c
+ *	# make
+ *	# cd ../..
+ *	# make; make test
+ *
+ * Q. V8plus achitecture? What kind of beast is that?
+ * A. Well, it's rather a programming model than an architecture...
+ *    It's actually v9-compliant, i.e. *any* UltraSPARC, CPU under
+ *    special conditions, namely when kernel doesn't preserve upper
+ *    32 bits of otherwise 64-bit registers during a context switch.
+ *
+ * Q. Why just UltraSPARC? What about SuperSPARC?
+ * A. Original release did target UltraSPARC only. Now SuperSPARC
+ *    version is provided along. Both version share bn_*comba[48]
+ *    implementations (see comment later in code for explanation).
+ *    But what's so special about this UltraSPARC implementation?
+ *    Why didn't I let compiler do the job? Trouble is that most of
+ *    available compilers (well, SC5.0 is the only exception) don't
+ *    attempt to take advantage of UltraSPARC's 64-bitness under
+ *    32-bit kernels even though it's perfectly possible (see next
+ *    question).
+ *
+ * Q. 64-bit registers under 32-bit kernels? Didn't you just say it
+ *    doesn't work?
+ * A. You can't adress *all* registers as 64-bit wide:-( The catch is
+ *    that you actually may rely upon %o0-%o5 and %g1-%g4 being fully
+ *    preserved if you're in a leaf function, i.e. such never calling
+ *    any other functions. All functions in this module are leaf and
+ *    10 registers is a handful. And as a matter of fact none-"comba"
+ *    routines don't require even that much and I could even afford to
+ *    not allocate own stack frame for 'em:-)
+ *
+ * Q. What about 64-bit kernels?
+ * A. What about 'em? Just kidding:-) Pure 64-bit version is currently
+ *    under evaluation and development...
+ *
+ * Q. What about shared libraries?
+ * A. What about 'em? Kidding again:-) Code does *not* contain any
+ *    code position dependencies and it's safe to include it into
+ *    shared library as is.
+ *
+ * Q. How much faster does it go?
+ * A. Do you have a good benchmark? In either case below is what I
+ *    experience with crypto/bn/expspeed.c test program:
+ *
+ *	v8plus module on U10/300MHz against bn_asm.c compiled with:
+ *
+ *	cc-5.0 -xarch=v8plus -xO5 -xdepend	+7-12%
+ *	cc-4.2 -xarch=v8plus -xO5 -xdepend	+25-35%
+ *	egcs-1.1.2 -mcpu=ultrasparc -O3		+35-45%
+ *
+ *	v8 module on SS10/60MHz against bn_asm.c compiled with:
+ *
+ *	cc-5.0 -xarch=v8 -xO5 -xdepend		+7-10%
+ *	cc-4.2 -xarch=v8 -xO5 -xdepend		+10%
+ *	egcs-1.1.2 -mv8 -O3			+35-45%
+ *
+ *    As you can see it's damn hard to beat the new Sun C compiler
+ *    and it's in first place GNU C users who will appreciate this
+ *    assembler implementation:-)	
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.0	- initial release;
+ * 1.1	- new loop unrolling model(*);
+ *	- some more fine tuning;
+ * 1.2	- made gas friendly;
+ *	- updates to documentation concerning v9;
+ *	- new performance comparison matrix;
+ * 1.3	- fixed problem with /usr/ccs/lib/cpp;
+ * 1.4	- native V9 bn_*_comba[48] implementation (15% more efficient)
+ *	  resulting in slight overall performance kick;
+ *	- some retunes;
+ *	- support for GNU as added;
+ *
+ * (*)	Originally unrolled loop looked like this:
+ *	    for (;;) {
+ *		op(p+0); if (--n==0) break;
+ *		op(p+1); if (--n==0) break;
+ *		op(p+2); if (--n==0) break;
+ *		op(p+3); if (--n==0) break;
+ *		p+=4;
+ *	    }
+ *	I unroll according to following:
+ *	    while (n&~3) {
+ *		op(p+0); op(p+1); op(p+2); op(p+3);
+ *		p+=4; n=-4;
+ *	    }
+ *	    if (n) {
+ *		op(p+0); if (--n==0) return;
+ *		op(p+2); if (--n==0) return;
+ *		op(p+3); return;
+ *	    }
+ */
+
+/*
+ * GNU assembler can't stand stuw:-(
+ */
+#define stuw st
+
+.section	".text",#alloc,#execinstr
+.file		"bn_asm.sparc.v8plus.S"
+
+.align	32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+	brgz,a	%o2,.L_bn_mul_add_words_proceed
+	lduw	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_mul_add_words_proceed:
+	srl	%o3,%g0,%o3	! clruw	%o3
+	andcc	%o2,-4,%g0
+	bz,pn	%icc,.L_bn_mul_add_words_tail
+	clr	%o5
+
+.L_bn_mul_add_words_loop:	! wow! 32 aligned!
+	lduw	[%o0],%g1
+	lduw	[%o1+4],%g3
+	mulx	%o3,%g2,%g2
+	add	%g1,%o5,%o4
+	nop
+	add	%o4,%g2,%o4
+	stuw	%o4,[%o0]
+	srlx	%o4,32,%o5
+
+	lduw	[%o0+4],%g1
+	lduw	[%o1+8],%g2
+	mulx	%o3,%g3,%g3
+	add	%g1,%o5,%o4
+	dec	4,%o2
+	add	%o4,%g3,%o4
+	stuw	%o4,[%o0+4]
+	srlx	%o4,32,%o5
+
+	lduw	[%o0+8],%g1
+	lduw	[%o1+12],%g3
+	mulx	%o3,%g2,%g2
+	add	%g1,%o5,%o4
+	inc	16,%o1
+	add	%o4,%g2,%o4
+	stuw	%o4,[%o0+8]
+	srlx	%o4,32,%o5
+
+	lduw	[%o0+12],%g1
+	mulx	%o3,%g3,%g3
+	add	%g1,%o5,%o4
+	inc	16,%o0
+	add	%o4,%g3,%o4
+	andcc	%o2,-4,%g0
+	stuw	%o4,[%o0-4]
+	srlx	%o4,32,%o5
+	bnz,a,pt	%icc,.L_bn_mul_add_words_loop
+	lduw	[%o1],%g2
+
+	brnz,a,pn	%o2,.L_bn_mul_add_words_tail
+	lduw	[%o1],%g2
+.L_bn_mul_add_words_return:
+	retl
+	mov	%o5,%o0
+
+.L_bn_mul_add_words_tail:
+	lduw	[%o0],%g1
+	mulx	%o3,%g2,%g2
+	add	%g1,%o5,%o4
+	dec	%o2
+	add	%o4,%g2,%o4
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_mul_add_words_return
+	stuw	%o4,[%o0]
+
+	lduw	[%o1+4],%g2
+	lduw	[%o0+4],%g1
+	mulx	%o3,%g2,%g2
+	add	%g1,%o5,%o4
+	dec	%o2
+	add	%o4,%g2,%o4
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_mul_add_words_return
+	stuw	%o4,[%o0+4]
+
+	lduw	[%o1+8],%g2
+	lduw	[%o0+8],%g1
+	mulx	%o3,%g2,%g2
+	add	%g1,%o5,%o4
+	add	%o4,%g2,%o4
+	stuw	%o4,[%o0+8]
+	retl
+	srlx	%o4,32,%o0
+
+.type	bn_mul_add_words,#function
+.size	bn_mul_add_words,(.-bn_mul_add_words)
+
+.align	32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+	brgz,a	%o2,.L_bn_mul_words_proceeed
+	lduw	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_mul_words_proceeed:
+	srl	%o3,%g0,%o3	! clruw	%o3
+	andcc	%o2,-4,%g0
+	bz,pn	%icc,.L_bn_mul_words_tail
+	clr	%o5
+
+.L_bn_mul_words_loop:		! wow! 32 aligned!
+	lduw	[%o1+4],%g3
+	mulx	%o3,%g2,%g2
+	add	%g2,%o5,%o4
+	nop
+	stuw	%o4,[%o0]
+	srlx	%o4,32,%o5
+
+	lduw	[%o1+8],%g2
+	mulx	%o3,%g3,%g3
+	add	%g3,%o5,%o4
+	dec	4,%o2
+	stuw	%o4,[%o0+4]
+	srlx	%o4,32,%o5
+
+	lduw	[%o1+12],%g3
+	mulx	%o3,%g2,%g2
+	add	%g2,%o5,%o4
+	inc	16,%o1
+	stuw	%o4,[%o0+8]
+	srlx	%o4,32,%o5
+
+	mulx	%o3,%g3,%g3
+	add	%g3,%o5,%o4
+	inc	16,%o0
+	stuw	%o4,[%o0-4]
+	srlx	%o4,32,%o5
+	andcc	%o2,-4,%g0
+	bnz,a,pt	%icc,.L_bn_mul_words_loop
+	lduw	[%o1],%g2
+	nop
+	nop
+
+	brnz,a,pn	%o2,.L_bn_mul_words_tail
+	lduw	[%o1],%g2
+.L_bn_mul_words_return:
+	retl
+	mov	%o5,%o0
+
+.L_bn_mul_words_tail:
+	mulx	%o3,%g2,%g2
+	add	%g2,%o5,%o4
+	dec	%o2
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_mul_words_return
+	stuw	%o4,[%o0]
+
+	lduw	[%o1+4],%g2
+	mulx	%o3,%g2,%g2
+	add	%g2,%o5,%o4
+	dec	%o2
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_mul_words_return
+	stuw	%o4,[%o0+4]
+
+	lduw	[%o1+8],%g2
+	mulx	%o3,%g2,%g2
+	add	%g2,%o5,%o4
+	stuw	%o4,[%o0+8]
+	retl
+	srlx	%o4,32,%o0
+
+.type	bn_mul_words,#function
+.size	bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global	bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+	brgz,a	%o2,.L_bn_sqr_words_proceeed
+	lduw	[%o1],%g2
+	retl
+	clr	%o0
+
+.L_bn_sqr_words_proceeed:
+	andcc	%o2,-4,%g0
+	nop
+	bz,pn	%icc,.L_bn_sqr_words_tail
+	nop
+
+.L_bn_sqr_words_loop:		! wow! 32 aligned!
+	lduw	[%o1+4],%g3
+	mulx	%g2,%g2,%o4
+	stuw	%o4,[%o0]
+	srlx	%o4,32,%o5
+	stuw	%o5,[%o0+4]
+	nop
+
+	lduw	[%o1+8],%g2
+	mulx	%g3,%g3,%o4
+	dec	4,%o2
+	stuw	%o4,[%o0+8]
+	srlx	%o4,32,%o5
+	stuw	%o5,[%o0+12]
+
+	lduw	[%o1+12],%g3
+	mulx	%g2,%g2,%o4
+	srlx	%o4,32,%o5
+	stuw	%o4,[%o0+16]
+	inc	16,%o1
+	stuw	%o5,[%o0+20]
+
+	mulx	%g3,%g3,%o4
+	inc	32,%o0
+	stuw	%o4,[%o0-8]
+	srlx	%o4,32,%o5
+	andcc	%o2,-4,%g2
+	stuw	%o5,[%o0-4]
+	bnz,a,pt	%icc,.L_bn_sqr_words_loop
+	lduw	[%o1],%g2
+	nop
+
+	brnz,a,pn	%o2,.L_bn_sqr_words_tail
+	lduw	[%o1],%g2
+.L_bn_sqr_words_return:
+	retl
+	clr	%o0
+
+.L_bn_sqr_words_tail:
+	mulx	%g2,%g2,%o4
+	dec	%o2
+	stuw	%o4,[%o0]
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_sqr_words_return
+	stuw	%o5,[%o0+4]
+
+	lduw	[%o1+4],%g2
+	mulx	%g2,%g2,%o4
+	dec	%o2
+	stuw	%o4,[%o0+8]
+	srlx	%o4,32,%o5
+	brz,pt	%o2,.L_bn_sqr_words_return
+	stuw	%o5,[%o0+12]
+
+	lduw	[%o1+8],%g2
+	mulx	%g2,%g2,%o4
+	srlx	%o4,32,%o5
+	stuw	%o4,[%o0+16]
+	stuw	%o5,[%o0+20]
+	retl
+	clr	%o0
+
+.type	bn_sqr_words,#function
+.size	bn_sqr_words,(.-bn_sqr_words)
+
+.align	32
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+	sllx	%o0,32,%o0
+	or	%o0,%o1,%o0
+	udivx	%o0,%o2,%o0
+	retl
+	srl	%o0,%g0,%o0	! clruw	%o0
+
+.type	bn_div_words,#function
+.size	bn_div_words,(.-bn_div_words)
+
+.align	32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+	brgz,a	%o3,.L_bn_add_words_proceed
+	lduw	[%o1],%o4
+	retl
+	clr	%o0
+
+.L_bn_add_words_proceed:
+	andcc	%o3,-4,%g0
+	bz,pn	%icc,.L_bn_add_words_tail
+	addcc	%g0,0,%g0	! clear carry flag
+	nop
+
+.L_bn_add_words_loop:		! wow! 32 aligned!
+	dec	4,%o3
+	lduw	[%o2],%o5
+	lduw	[%o1+4],%g1
+	lduw	[%o2+4],%g2
+	lduw	[%o1+8],%g3
+	lduw	[%o2+8],%g4
+	addccc	%o5,%o4,%o5
+	stuw	%o5,[%o0]
+
+	lduw	[%o1+12],%o4
+	lduw	[%o2+12],%o5
+	inc	16,%o1
+	addccc	%g1,%g2,%g1
+	stuw	%g1,[%o0+4]
+	
+	inc	16,%o2
+	addccc	%g3,%g4,%g3
+	stuw	%g3,[%o0+8]
+
+	inc	16,%o0
+	addccc	%o5,%o4,%o5
+	stuw	%o5,[%o0-4]
+	and	%o3,-4,%g1
+	brnz,a,pt	%g1,.L_bn_add_words_loop
+	lduw	[%o1],%o4
+
+	brnz,a,pn	%o3,.L_bn_add_words_tail
+	lduw	[%o1],%o4
+.L_bn_add_words_return:
+	clr	%o0
+	retl
+	movcs	%icc,1,%o0
+	nop
+
+.L_bn_add_words_tail:
+	lduw	[%o2],%o5
+	dec	%o3
+	addccc	%o5,%o4,%o5
+	brz,pt	%o3,.L_bn_add_words_return
+	stuw	%o5,[%o0]
+
+	lduw	[%o1+4],%o4
+	lduw	[%o2+4],%o5
+	dec	%o3
+	addccc	%o5,%o4,%o5
+	brz,pt	%o3,.L_bn_add_words_return
+	stuw	%o5,[%o0+4]
+
+	lduw	[%o1+8],%o4
+	lduw	[%o2+8],%o5
+	addccc	%o5,%o4,%o5
+	stuw	%o5,[%o0+8]
+	clr	%o0
+	retl
+	movcs	%icc,1,%o0
+
+.type	bn_add_words,#function
+.size	bn_add_words,(.-bn_add_words)
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+	brgz,a	%o3,.L_bn_sub_words_proceed
+	lduw	[%o1],%o4
+	retl
+	clr	%o0
+
+.L_bn_sub_words_proceed:
+	andcc	%o3,-4,%g0
+	bz,pn	%icc,.L_bn_sub_words_tail
+	addcc	%g0,0,%g0	! clear carry flag
+	nop
+
+.L_bn_sub_words_loop:		! wow! 32 aligned!
+	dec	4,%o3
+	lduw	[%o2],%o5
+	lduw	[%o1+4],%g1
+	lduw	[%o2+4],%g2
+	lduw	[%o1+8],%g3
+	lduw	[%o2+8],%g4
+	subccc	%o4,%o5,%o5
+	stuw	%o5,[%o0]
+
+	lduw	[%o1+12],%o4
+	lduw	[%o2+12],%o5
+	inc	16,%o1
+	subccc	%g1,%g2,%g2
+	stuw	%g2,[%o0+4]
+
+	inc	16,%o2
+	subccc	%g3,%g4,%g4
+	stuw	%g4,[%o0+8]
+
+	inc	16,%o0
+	subccc	%o4,%o5,%o5
+	stuw	%o5,[%o0-4]
+	and	%o3,-4,%g1
+	brnz,a,pt	%g1,.L_bn_sub_words_loop
+	lduw	[%o1],%o4
+
+	brnz,a,pn	%o3,.L_bn_sub_words_tail
+	lduw	[%o1],%o4
+.L_bn_sub_words_return:
+	clr	%o0
+	retl
+	movcs	%icc,1,%o0
+	nop
+
+.L_bn_sub_words_tail:		! wow! 32 aligned!
+	lduw	[%o2],%o5
+	dec	%o3
+	subccc	%o4,%o5,%o5
+	brz,pt	%o3,.L_bn_sub_words_return
+	stuw	%o5,[%o0]
+
+	lduw	[%o1+4],%o4
+	lduw	[%o2+4],%o5
+	dec	%o3
+	subccc	%o4,%o5,%o5
+	brz,pt	%o3,.L_bn_sub_words_return
+	stuw	%o5,[%o0+4]
+
+	lduw	[%o1+8],%o4
+	lduw	[%o2+8],%o5
+	subccc	%o4,%o5,%o5
+	stuw	%o5,[%o0+8]
+	clr	%o0
+	retl
+	movcs	%icc,1,%o0
+
+.type	bn_sub_words,#function
+.size	bn_sub_words,(.-bn_sub_words)
+
+/*
+ * Code below depends on the fact that upper parts of the %l0-%l7
+ * and %i0-%i7 are zeroed by kernel after context switch. In
+ * previous versions this comment stated that "the trouble is that
+ * it's not feasible to implement the mumbo-jumbo in less V9
+ * instructions:-(" which apparently isn't true thanks to
+ * 'bcs,a %xcc,.+8; inc %rd' pair. But the performance improvement
+ * results not from the shorter code, but from elimination of
+ * multicycle none-pairable 'rd %y,%rd' instructions.
+ *
+ *							Andy.
+ */
+
+#define FRAME_SIZE	-96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1	%o0
+#define	t_2	%o1
+#define c_12	%o2
+#define c_3	%o3
+
+#define ap(I)	[%i1+4*I]
+#define bp(I)	[%i2+4*I]
+#define rp(I)	[%i0+4*I]
+
+#define	a_0	%l0
+#define	a_1	%l1
+#define	a_2	%l2
+#define	a_3	%l3
+#define	a_4	%l4
+#define	a_5	%l5
+#define	a_6	%l6
+#define	a_7	%l7
+
+#define	b_0	%i3
+#define	b_1	%i4
+#define	b_2	%i5
+#define	b_3	%o4
+#define	b_4	%o5
+#define	b_5	%o7
+#define	b_6	%g1
+#define	b_7	%g4
+
+.align	32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+	save	%sp,FRAME_SIZE,%sp
+	mov	1,t_2
+	lduw	ap(0),a_0
+	sllx	t_2,32,t_2
+	lduw	bp(0),b_0	!=
+	lduw	bp(1),b_1
+	mulx	a_0,b_0,t_1	!mul_add_c(a[0],b[0],c1,c2,c3);
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(0)	!=!r[0]=c1;
+
+	lduw	ap(1),a_1
+	mulx	a_0,b_1,t_1	!mul_add_c(a[0],b[1],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3		!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(2),a_2
+	mulx	a_1,b_0,t_1	!=!mul_add_c(a[1],b[0],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(1)	!r[1]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,b_0,t_1	!mul_add_c(a[2],b[0],c3,c1,c2);
+	addcc	c_12,t_1,c_12	!=
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	bp(2),b_2	!=
+	mulx	a_1,b_1,t_1	!mul_add_c(a[1],b[1],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	lduw	bp(3),b_3
+	mulx	a_0,b_2,t_1	!mul_add_c(a[0],b[2],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(2)	!r[2]=c3;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_0,b_3,t_1	!mul_add_c(a[0],b[3],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_1,b_2,t_1	!=!mul_add_c(a[1],b[2],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	lduw	ap(3),a_3
+	mulx	a_2,b_1,t_1	!mul_add_c(a[2],b[1],c1,c2,c3);
+	addcc	c_12,t_1,c_12	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(4),a_4
+	mulx	a_3,b_0,t_1	!=!mul_add_c(a[3],b[0],c1,c2,c3);!=
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(3)	!r[3]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_4,b_0,t_1	!mul_add_c(a[4],b[0],c2,c3,c1);
+	addcc	c_12,t_1,c_12	!=
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,b_1,t_1	!=!mul_add_c(a[3],b[1],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_2,b_2,t_1	!=!mul_add_c(a[2],b[2],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	bp(4),b_4	!=
+	mulx	a_1,b_3,t_1	!mul_add_c(a[1],b[3],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	lduw	bp(5),b_5
+	mulx	a_0,b_4,t_1	!mul_add_c(a[0],b[4],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(4)	!r[4]=c2;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_0,b_5,t_1	!mul_add_c(a[0],b[5],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_1,b_4,t_1	!mul_add_c(a[1],b[4],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_2,b_3,t_1	!mul_add_c(a[2],b[3],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_3,b_2,t_1	!mul_add_c(a[3],b[2],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	lduw	ap(5),a_5
+	mulx	a_4,b_1,t_1	!mul_add_c(a[4],b[1],c3,c1,c2);
+	addcc	c_12,t_1,c_12	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(6),a_6
+	mulx	a_5,b_0,t_1	!=!mul_add_c(a[5],b[0],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(5)	!r[5]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_6,b_0,t_1	!mul_add_c(a[6],b[0],c1,c2,c3);
+	addcc	c_12,t_1,c_12	!=
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_5,b_1,t_1	!=!mul_add_c(a[5],b[1],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_4,b_2,t_1	!=!mul_add_c(a[4],b[2],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,b_3,t_1	!=!mul_add_c(a[3],b[3],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_2,b_4,t_1	!=!mul_add_c(a[2],b[4],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	bp(6),b_6	!=
+	mulx	a_1,b_5,t_1	!mul_add_c(a[1],b[5],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	lduw	bp(7),b_7
+	mulx	a_0,b_6,t_1	!mul_add_c(a[0],b[6],c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(6)	!r[6]=c1;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_0,b_7,t_1	!mul_add_c(a[0],b[7],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_1,b_6,t_1	!mul_add_c(a[1],b[6],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_2,b_5,t_1	!mul_add_c(a[2],b[5],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_3,b_4,t_1	!mul_add_c(a[3],b[4],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_4,b_3,t_1	!mul_add_c(a[4],b[3],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_5,b_2,t_1	!mul_add_c(a[5],b[2],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	lduw	ap(7),a_7
+	mulx	a_6,b_1,t_1	!=!mul_add_c(a[6],b[1],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_7,b_0,t_1	!=!mul_add_c(a[7],b[0],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(7)	!r[7]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_7,b_1,t_1	!=!mul_add_c(a[7],b[1],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_6,b_2,t_1	!mul_add_c(a[6],b[2],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_5,b_3,t_1	!mul_add_c(a[5],b[3],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_4,b_4,t_1	!mul_add_c(a[4],b[4],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_3,b_5,t_1	!mul_add_c(a[3],b[5],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_2,b_6,t_1	!mul_add_c(a[2],b[6],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_1,b_7,t_1	!mul_add_c(a[1],b[7],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(8)	!r[8]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,b_7,t_1	!=!mul_add_c(a[2],b[7],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	mulx	a_3,b_6,t_1	!mul_add_c(a[3],b[6],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_4,b_5,t_1	!mul_add_c(a[4],b[5],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_5,b_4,t_1	!mul_add_c(a[5],b[4],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_6,b_3,t_1	!mul_add_c(a[6],b[3],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_7,b_2,t_1	!mul_add_c(a[7],b[2],c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(9)	!r[9]=c1;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_7,b_3,t_1	!mul_add_c(a[7],b[3],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_6,b_4,t_1	!mul_add_c(a[6],b[4],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_5,b_5,t_1	!mul_add_c(a[5],b[5],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_4,b_6,t_1	!mul_add_c(a[4],b[6],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_3,b_7,t_1	!mul_add_c(a[3],b[7],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(10)	!r[10]=c2;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_4,b_7,t_1	!mul_add_c(a[4],b[7],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_5,b_6,t_1	!mul_add_c(a[5],b[6],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_6,b_5,t_1	!mul_add_c(a[6],b[5],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_7,b_4,t_1	!mul_add_c(a[7],b[4],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(11)	!r[11]=c3;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_7,b_5,t_1	!mul_add_c(a[7],b[5],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_6,b_6,t_1	!mul_add_c(a[6],b[6],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_5,b_7,t_1	!mul_add_c(a[5],b[7],c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(12)	!r[12]=c1;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_6,b_7,t_1	!mul_add_c(a[6],b[7],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_7,b_6,t_1	!mul_add_c(a[7],b[6],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	st	t_1,rp(13)	!r[13]=c2;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_7,b_7,t_1	!mul_add_c(a[7],b[7],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(14)	!r[14]=c3;
+	stuw	c_12,rp(15)	!r[15]=c1;
+
+	ret
+	restore	%g0,%g0,%o0	!=
+
+.type	bn_mul_comba8,#function
+.size	bn_mul_comba8,(.-bn_mul_comba8)
+
+.align	32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+	save	%sp,FRAME_SIZE,%sp
+	lduw	ap(0),a_0
+	mov	1,t_2
+	lduw	bp(0),b_0
+	sllx	t_2,32,t_2	!=
+	lduw	bp(1),b_1
+	mulx	a_0,b_0,t_1	!mul_add_c(a[0],b[0],c1,c2,c3);
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(0)	!=!r[0]=c1;
+
+	lduw	ap(1),a_1
+	mulx	a_0,b_1,t_1	!mul_add_c(a[0],b[1],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3		!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(2),a_2
+	mulx	a_1,b_0,t_1	!=!mul_add_c(a[1],b[0],c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(1)	!r[1]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,b_0,t_1	!mul_add_c(a[2],b[0],c3,c1,c2);
+	addcc	c_12,t_1,c_12	!=
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	bp(2),b_2	!=
+	mulx	a_1,b_1,t_1	!mul_add_c(a[1],b[1],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3	!=
+	lduw	bp(3),b_3
+	mulx	a_0,b_2,t_1	!mul_add_c(a[0],b[2],c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(2)	!r[2]=c3;
+	or	c_12,c_3,c_12	!=
+
+	mulx	a_0,b_3,t_1	!mul_add_c(a[0],b[3],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	mulx	a_1,b_2,t_1	!mul_add_c(a[1],b[2],c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8	!=
+	add	c_3,t_2,c_3
+	lduw	ap(3),a_3
+	mulx	a_2,b_1,t_1	!mul_add_c(a[2],b[1],c1,c2,c3);
+	addcc	c_12,t_1,c_12	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,b_0,t_1	!mul_add_c(a[3],b[0],c1,c2,c3);!=
+	addcc	c_12,t_1,t_1	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(3)	!=!r[3]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_3,b_1,t_1	!mul_add_c(a[3],b[1],c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3		!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_2,b_2,t_1	!mul_add_c(a[2],b[2],c2,c3,c1);
+	addcc	c_12,t_1,c_12	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_1,b_3,t_1	!mul_add_c(a[1],b[3],c2,c3,c1);
+	addcc	c_12,t_1,t_1	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(4)	!=!r[4]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,b_3,t_1	!mul_add_c(a[2],b[3],c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3		!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,b_2,t_1	!mul_add_c(a[3],b[2],c3,c1,c2);
+	addcc	c_12,t_1,t_1	!=
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(5)	!=!r[5]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_3,b_3,t_1	!mul_add_c(a[3],b[3],c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	srlx	t_1,32,c_12	!=
+	stuw	t_1,rp(6)	!r[6]=c1;
+	stuw	c_12,rp(7)	!r[7]=c2;
+	
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_mul_comba4,#function
+.size	bn_mul_comba4,(.-bn_mul_comba4)
+
+.align	32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+	save	%sp,FRAME_SIZE,%sp
+	mov	1,t_2
+	lduw	ap(0),a_0
+	sllx	t_2,32,t_2
+	lduw	ap(1),a_1
+	mulx	a_0,a_0,t_1	!sqr_add_c(a,0,c1,c2,c3);
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(0)	!r[0]=c1;
+
+	lduw	ap(2),a_2
+	mulx	a_0,a_1,t_1	!=!sqr_add_c2(a,1,0,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(1)	!r[1]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,a_0,t_1	!sqr_add_c2(a,2,0,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(3),a_3
+	mulx	a_1,a_1,t_1	!sqr_add_c(a,1,c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(2)	!r[2]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_0,a_3,t_1	!sqr_add_c2(a,3,0,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(4),a_4
+	mulx	a_1,a_2,t_1	!sqr_add_c2(a,2,1,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	st	t_1,rp(3)	!r[3]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_4,a_0,t_1	!sqr_add_c2(a,4,0,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,a_1,t_1	!sqr_add_c2(a,3,1,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(5),a_5
+	mulx	a_2,a_2,t_1	!sqr_add_c(a,2,c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(4)	!r[4]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_0,a_5,t_1	!sqr_add_c2(a,5,0,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_1,a_4,t_1	!sqr_add_c2(a,4,1,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(6),a_6
+	mulx	a_2,a_3,t_1	!sqr_add_c2(a,3,2,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(5)	!r[5]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_6,a_0,t_1	!sqr_add_c2(a,6,0,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_5,a_1,t_1	!sqr_add_c2(a,5,1,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_4,a_2,t_1	!sqr_add_c2(a,4,2,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(7),a_7
+	mulx	a_3,a_3,t_1	!=!sqr_add_c(a,3,c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(6)	!r[6]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_0,a_7,t_1	!sqr_add_c2(a,7,0,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_1,a_6,t_1	!sqr_add_c2(a,6,1,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_2,a_5,t_1	!sqr_add_c2(a,5,2,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,a_4,t_1	!sqr_add_c2(a,4,3,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(7)	!r[7]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_7,a_1,t_1	!sqr_add_c2(a,7,1,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_6,a_2,t_1	!sqr_add_c2(a,6,2,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_5,a_3,t_1	!sqr_add_c2(a,5,3,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_4,a_4,t_1	!sqr_add_c(a,4,c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(8)	!r[8]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,a_7,t_1	!sqr_add_c2(a,7,2,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_3,a_6,t_1	!sqr_add_c2(a,6,3,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_4,a_5,t_1	!sqr_add_c2(a,5,4,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(9)	!r[9]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_7,a_3,t_1	!sqr_add_c2(a,7,3,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_6,a_4,t_1	!sqr_add_c2(a,6,4,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_5,a_5,t_1	!sqr_add_c(a,5,c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(10)	!r[10]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_4,a_7,t_1	!sqr_add_c2(a,7,4,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_5,a_6,t_1	!sqr_add_c2(a,6,5,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(11)	!r[11]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_7,a_5,t_1	!sqr_add_c2(a,7,5,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_6,a_6,t_1	!sqr_add_c(a,6,c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(12)	!r[12]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_6,a_7,t_1	!sqr_add_c2(a,7,6,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(13)	!r[13]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_7,a_7,t_1	!sqr_add_c(a,7,c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(14)	!r[14]=c3;
+	stuw	c_12,rp(15)	!r[15]=c1;
+
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_sqr_comba8,#function
+.size	bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align	32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+	save	%sp,FRAME_SIZE,%sp
+	mov	1,t_2
+	lduw	ap(0),a_0
+	sllx	t_2,32,t_2
+	lduw	ap(1),a_1
+	mulx	a_0,a_0,t_1	!sqr_add_c(a,0,c1,c2,c3);
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(0)	!r[0]=c1;
+
+	lduw	ap(2),a_2
+	mulx	a_0,a_1,t_1	!sqr_add_c2(a,1,0,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(1)	!r[1]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,a_0,t_1	!sqr_add_c2(a,2,0,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	lduw	ap(3),a_3
+	mulx	a_1,a_1,t_1	!sqr_add_c(a,1,c3,c1,c2);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(2)	!r[2]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_0,a_3,t_1	!sqr_add_c2(a,3,0,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_1,a_2,t_1	!sqr_add_c2(a,2,1,c1,c2,c3);
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(3)	!r[3]=c1;
+	or	c_12,c_3,c_12
+
+	mulx	a_3,a_1,t_1	!sqr_add_c2(a,3,1,c2,c3,c1);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,c_12
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	mulx	a_2,a_2,t_1	!sqr_add_c(a,2,c2,c3,c1);
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(4)	!r[4]=c2;
+	or	c_12,c_3,c_12
+
+	mulx	a_2,a_3,t_1	!sqr_add_c2(a,3,2,c3,c1,c2);
+	addcc	c_12,t_1,c_12
+	clr	c_3
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	addcc	c_12,t_1,t_1
+	bcs,a	%xcc,.+8
+	add	c_3,t_2,c_3
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(5)	!r[5]=c3;
+	or	c_12,c_3,c_12
+
+	mulx	a_3,a_3,t_1	!sqr_add_c(a,3,c1,c2,c3);
+	addcc	c_12,t_1,t_1
+	srlx	t_1,32,c_12
+	stuw	t_1,rp(6)	!r[6]=c1;
+	stuw	c_12,rp(7)	!r[7]=c2;
+	
+	ret
+	restore	%g0,%g0,%o0
+
+.type	bn_sqr_comba4,#function
+.size	bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align	32
diff --git a/crypto/openssl/crypto/bn/asm/x86.pl b/crypto/openssl/crypto/bn/asm/x86.pl
new file mode 100644
index 0000000..1bc4f1b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86.pl
@@ -0,0 +1,28 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+require("x86/mul_add.pl");
+require("x86/mul.pl");
+require("x86/sqr.pl");
+require("x86/div.pl");
+require("x86/add.pl");
+require("x86/sub.pl");
+require("x86/comba.pl");
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_add_words("bn_mul_add_words");
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_div_words("bn_div_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
diff --git a/crypto/openssl/crypto/bn/asm/x86/add.pl b/crypto/openssl/crypto/bn/asm/x86/add.pl
new file mode 100644
index 0000000..0b5cf58
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/add.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_add_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$a="esi";
+	$b="edi";
+	$c="eax";
+	$r="ebx";
+	$tmp1="ecx";
+	$tmp2="edx";
+	$num="ebp";
+
+	&mov($r,&wparam(0));	# get r
+	 &mov($a,&wparam(1));	# get a
+	&mov($b,&wparam(2));	# get b
+	 &mov($num,&wparam(3));	# get num
+	&xor($c,$c);		# clear carry
+	 &and($num,0xfffffff8);	# num / 8
+
+	&jz(&label("aw_finish"));
+
+	&set_label("aw_loop",0);
+	for ($i=0; $i<8; $i++)
+		{
+		&comment("Round $i");
+
+		&mov($tmp1,&DWP($i*4,$a,"",0)); 	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0)); 	# *b
+		&add($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &add($tmp1,$tmp2);
+		&adc($c,0);
+		 &mov(&DWP($i*4,$r,"",0),$tmp1); 	# *r
+		}
+
+	&comment("");
+	&add($a,32);
+	 &add($b,32);
+	&add($r,32);
+	 &sub($num,8);
+	&jnz(&label("aw_loop"));
+
+	&set_label("aw_finish",0);
+	&mov($num,&wparam(3));	# get num
+	&and($num,7);
+	 &jz(&label("aw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov($tmp1,&DWP($i*4,$a,"",0));	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+		&add($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &add($tmp1,$tmp2);
+		&adc($c,0);
+		 &dec($num) if ($i != 6);
+		&mov(&DWP($i*4,$r,"",0),$tmp1);	# *a
+		 &jz(&label("aw_end")) if ($i != 6);
+		}
+	&set_label("aw_end",0);
+
+#	&mov("eax",$c);		# $c is "eax"
+
+	&function_end($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/comba.pl b/crypto/openssl/crypto/bn/asm/x86/comba.pl
new file mode 100644
index 0000000..2291253
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/comba.pl
@@ -0,0 +1,277 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub mul_add_c
+	{
+	local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("mul a[$ai]*b[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$b,"",0));
+
+	&mul("edx");
+	&add($c0,"eax");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# laod next a
+	 &mov("eax",&wparam(0)) if $pos > 0;			# load r[]
+	 ###
+	&adc($c1,"edx");
+	 &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;	# laod next b
+	 &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;	# laod next b
+	 ###
+	&adc($c2,0);
+	 # is pos > 1, it means it is the last loop 
+	 &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;		# save r[];
+	&mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;		# laod next a
+	}
+
+sub sqr_add_c
+	{
+	local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("sqr a[$ai]*a[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$b,"",0));
+
+	if ($ai == $bi)
+		{ &mul("eax");}
+	else
+		{ &mul("edx");}
+	&add($c0,"eax");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# load next a
+	 ###
+	&adc($c1,"edx");
+	 &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+	 ###
+	&adc($c2,0);
+	 # is pos > 1, it means it is the last loop 
+	 &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;		# save r[];
+	&mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;		# load next b
+	}
+
+sub sqr_add_c2
+	{
+	local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+	# pos == -1 if eax and edx are pre-loaded, 0 to load from next
+	# words, and 1 if load return value
+
+	&comment("sqr a[$ai]*a[$bi]");
+
+	# "eax" and "edx" will always be pre-loaded.
+	# &mov("eax",&DWP($ai*4,$a,"",0)) ;
+	# &mov("edx",&DWP($bi*4,$a,"",0));
+
+	if ($ai == $bi)
+		{ &mul("eax");}
+	else
+		{ &mul("edx");}
+	&add("eax","eax");
+	 ###
+	&adc("edx","edx");
+	 ###
+	&adc($c2,0);
+	 &add($c0,"eax");
+	&adc($c1,"edx");
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;	# load next a
+	 &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;	# load next b
+	&adc($c2,0);
+	&mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;		# save r[];
+	 &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+	 ###
+	}
+
+sub bn_mul_comba
+	{
+	local($name,$num)=@_;
+	local($a,$b,$c0,$c1,$c2);
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($tot,$end);
+
+	&function_begin_B($name,"");
+
+	$c0="ebx";
+	$c1="ecx";
+	$c2="ebp";
+	$a="esi";
+	$b="edi";
+	
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+
+	&push("esi");
+	 &mov($a,&wparam(1));
+	&push("edi");
+	 &mov($b,&wparam(2));
+	&push("ebp");
+	 &push("ebx");
+
+	&xor($c0,$c0);
+	 &mov("eax",&DWP(0,$a,"",0));	# load the first word 
+	&xor($c1,$c1);
+	 &mov("edx",&DWP(0,$b,"",0));	# load the first second 
+
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+
+		&comment("################## Calculate word $i"); 
+
+		for ($j=$bs; $j<$end; $j++)
+			{
+			&xor($c2,$c2) if ($j == $bs);
+			if (($j+1) == $end)
+				{
+				$v=1;
+				$v=2 if (($i+1) == $tot);
+				}
+			else
+				{ $v=0; }
+			if (($j+1) != $end)
+				{
+				$na=($ai-1);
+				$nb=($bi+1);
+				}
+			else
+				{
+				$na=$as+($i < ($num-1));
+				$nb=$bs+($i >= ($num-1));
+				}
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+			&mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+			if ($v)
+				{
+				&comment("saved r[$i]");
+				# &mov("eax",&wparam(0));
+				# &mov(&DWP($i*4,"eax","",0),$c0);
+				($c0,$c1,$c2)=($c1,$c2,$c0);
+				}
+			$ai--;
+			$bi++;
+			}
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&comment("save r[$i]");
+	# &mov("eax",&wparam(0));
+	&mov(&DWP($i*4,"eax","",0),$c0);
+
+	&pop("ebx");
+	&pop("ebp");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+	&function_end_B($name);
+	}
+
+sub bn_sqr_comba
+	{
+	local($name,$num)=@_;
+	local($r,$a,$c0,$c1,$c2)=@_;
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($b,$tot,$end,$half);
+
+	&function_begin_B($name,"");
+
+	$c0="ebx";
+	$c1="ecx";
+	$c2="ebp";
+	$a="esi";
+	$r="edi";
+
+	&push("esi");
+	 &push("edi");
+	&push("ebp");
+	 &push("ebx");
+	&mov($r,&wparam(0));
+	 &mov($a,&wparam(1));
+	&xor($c0,$c0);
+	 &xor($c1,$c1);
+	&mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+
+		&comment("############### Calculate word $i");
+		for ($j=$bs; $j<$end; $j++)
+			{
+			&xor($c2,$c2) if ($j == $bs);
+			if (($ai-1) < ($bi+1))
+				{
+				$v=1;
+				$v=2 if ($i+1) == $tot;
+				}
+			else
+				{ $v=0; }
+			if (!$v)
+				{
+				$na=$ai-1;
+				$nb=$bi+1;
+				}
+			else
+				{
+				$na=$as+($i < ($num-1));
+				$nb=$bs+($i >= ($num-1));
+				}
+			if ($ai == $bi)
+				{
+				&sqr_add_c($r,$a,$ai,$bi,
+					$c0,$c1,$c2,$v,$i,$na,$nb);
+				}
+			else
+				{
+				&sqr_add_c2($r,$a,$ai,$bi,
+					$c0,$c1,$c2,$v,$i,$na,$nb);
+				}
+			if ($v)
+				{
+				&comment("saved r[$i]");
+				#&mov(&DWP($i*4,$r,"",0),$c0);
+				($c0,$c1,$c2)=($c1,$c2,$c0);
+				last;
+				}
+			$ai--;
+			$bi++;
+			}
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&mov(&DWP($i*4,$r,"",0),$c0);
+	&pop("ebx");
+	&pop("ebp");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+	&function_end_B($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/div.pl b/crypto/openssl/crypto/bn/asm/x86/div.pl
new file mode 100644
index 0000000..0e90152
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/div.pl
@@ -0,0 +1,15 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_div_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+	&mov("edx",&wparam(0));	#
+	&mov("eax",&wparam(1));	#
+	&mov("ebx",&wparam(2));	#
+	&div("ebx");
+	&function_end($name);
+	}
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/f b/crypto/openssl/crypto/bn/asm/x86/f
new file mode 100644
index 0000000..22e4112
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/f
@@ -0,0 +1,3 @@
+#!/usr/local/bin/perl
+# x86 assember
+
diff --git a/crypto/openssl/crypto/bn/asm/x86/mul.pl b/crypto/openssl/crypto/bn/asm/x86/mul.pl
new file mode 100644
index 0000000..674cb9b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/mul.pl
@@ -0,0 +1,77 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$Low="eax";
+	$High="edx";
+	$a="ebx";
+	$w="ecx";
+	$r="edi";
+	$c="esi";
+	$num="ebp";
+
+	&xor($c,$c);		# clear carry
+	&mov($r,&wparam(0));	#
+	&mov($a,&wparam(1));	#
+	&mov($num,&wparam(2));	#
+	&mov($w,&wparam(3));	#
+
+	&and($num,0xfffffff8);	# num / 8
+	&jz(&label("mw_finish"));
+
+	&set_label("mw_loop",0);
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+
+		 &mov("eax",&DWP($i,$a,"",0)); 	# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 # XXX
+
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i,$r,"",0),"eax");	# *r= L(t);
+
+		&mov($c,"edx");			# c=  H(t);
+		}
+
+	&comment("");
+	&add($a,32);
+	&add($r,32);
+	&sub($num,8);
+	&jz(&label("mw_finish"));
+	&jmp(&label("mw_loop"));
+
+	&set_label("mw_finish",0);
+	&mov($num,&wparam(2));	# get num
+	&and($num,7);
+	&jnz(&label("mw_finish2"));
+	&jmp(&label("mw_end"));
+
+	&set_label("mw_finish2",1);
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		 &mov("eax",&DWP($i*4,$a,"",0));# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 # XXX
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t);
+		&mov($c,"edx");			# c=  H(t);
+		 &dec($num) if ($i != 7-1);
+		&jz(&label("mw_end")) if ($i != 7-1);
+		}
+	&set_label("mw_end",0);
+	&mov("eax",$c);
+
+	&function_end($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/mul_add.pl b/crypto/openssl/crypto/bn/asm/x86/mul_add.pl
new file mode 100644
index 0000000..61830d3
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/mul_add.pl
@@ -0,0 +1,87 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_add_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$Low="eax";
+	$High="edx";
+	$a="ebx";
+	$w="ebp";
+	$r="edi";
+	$c="esi";
+
+	&xor($c,$c);		# clear carry
+	&mov($r,&wparam(0));	#
+
+	&mov("ecx",&wparam(2));	#
+	&mov($a,&wparam(1));	#
+
+	&and("ecx",0xfffffff8);	# num / 8
+	&mov($w,&wparam(3));	#
+
+	&push("ecx");		# Up the stack for a tmp variable
+
+	&jz(&label("maw_finish"));
+
+	&set_label("maw_loop",0);
+
+	&mov(&swtmp(0),"ecx");	#
+
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+
+		 &mov("eax",&DWP($i,$a,"",0)); 	# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);		# L(t)+= *r
+		 &mov($c,&DWP($i,$r,"",0));	# L(t)+= *r
+		&adc("edx",0);			# H(t)+=carry
+		 &add("eax",$c);		# L(t)+=c
+		&adc("edx",0);			# H(t)+=carry
+		 &mov(&DWP($i,$r,"",0),"eax");	# *r= L(t);
+		&mov($c,"edx");			# c=  H(t);
+		}
+
+	&comment("");
+	&mov("ecx",&swtmp(0));	#
+	&add($a,32);
+	&add($r,32);
+	&sub("ecx",8);
+	&jnz(&label("maw_loop"));
+
+	&set_label("maw_finish",0);
+	&mov("ecx",&wparam(2));	# get num
+	&and("ecx",7);
+	&jnz(&label("maw_finish2"));	# helps branch prediction
+	&jmp(&label("maw_end"));
+
+	&set_label("maw_finish2",1);
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		 &mov("eax",&DWP($i*4,$a,"",0));# *a
+		&mul($w);			# *a * w
+		&add("eax",$c);			# L(t)+=c
+		 &mov($c,&DWP($i*4,$r,"",0));	# L(t)+= *r
+		&adc("edx",0);			# H(t)+=carry
+		 &add("eax",$c);
+		&adc("edx",0);			# H(t)+=carry
+		 &dec("ecx") if ($i != 7-1);
+		&mov(&DWP($i*4,$r,"",0),"eax");	# *r= L(t);
+		 &mov($c,"edx");			# c=  H(t);
+		&jz(&label("maw_end")) if ($i != 7-1);
+		}
+	&set_label("maw_end",0);
+	&mov("eax",$c);
+
+	&pop("ecx");	# clear variable from
+
+	&function_end($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/sqr.pl b/crypto/openssl/crypto/bn/asm/x86/sqr.pl
new file mode 100644
index 0000000..1f90993
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/sqr.pl
@@ -0,0 +1,60 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sqr_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$r="esi";
+	$a="edi";
+	$num="ebx";
+
+	&mov($r,&wparam(0));	#
+	&mov($a,&wparam(1));	#
+	&mov($num,&wparam(2));	#
+
+	&and($num,0xfffffff8);	# num / 8
+	&jz(&label("sw_finish"));
+
+	&set_label("sw_loop",0);
+	for ($i=0; $i<32; $i+=4)
+		{
+		&comment("Round $i");
+		&mov("eax",&DWP($i,$a,"",0)); 	# *a
+		 # XXX
+		&mul("eax");			# *a * *a
+		&mov(&DWP($i*2,$r,"",0),"eax");	#
+		 &mov(&DWP($i*2+4,$r,"",0),"edx");#
+		}
+
+	&comment("");
+	&add($a,32);
+	&add($r,64);
+	&sub($num,8);
+	&jnz(&label("sw_loop"));
+
+	&set_label("sw_finish",0);
+	&mov($num,&wparam(2));	# get num
+	&and($num,7);
+	&jz(&label("sw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov("eax",&DWP($i*4,$a,"",0));	# *a
+		 # XXX
+		&mul("eax");			# *a * *a
+		&mov(&DWP($i*8,$r,"",0),"eax");	#
+		 &dec($num) if ($i != 7-1);
+		&mov(&DWP($i*8+4,$r,"",0),"edx");
+		 &jz(&label("sw_end")) if ($i != 7-1);
+		}
+	&set_label("sw_end",0);
+
+	&function_end($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/asm/x86/sub.pl b/crypto/openssl/crypto/bn/asm/x86/sub.pl
new file mode 100644
index 0000000..837b0e1
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/x86/sub.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sub_words
+	{
+	local($name)=@_;
+
+	&function_begin($name,"");
+
+	&comment("");
+	$a="esi";
+	$b="edi";
+	$c="eax";
+	$r="ebx";
+	$tmp1="ecx";
+	$tmp2="edx";
+	$num="ebp";
+
+	&mov($r,&wparam(0));	# get r
+	 &mov($a,&wparam(1));	# get a
+	&mov($b,&wparam(2));	# get b
+	 &mov($num,&wparam(3));	# get num
+	&xor($c,$c);		# clear carry
+	 &and($num,0xfffffff8);	# num / 8
+
+	&jz(&label("aw_finish"));
+
+	&set_label("aw_loop",0);
+	for ($i=0; $i<8; $i++)
+		{
+		&comment("Round $i");
+
+		&mov($tmp1,&DWP($i*4,$a,"",0)); 	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0)); 	# *b
+		&sub($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &sub($tmp1,$tmp2);
+		&adc($c,0);
+		 &mov(&DWP($i*4,$r,"",0),$tmp1); 	# *r
+		}
+
+	&comment("");
+	&add($a,32);
+	 &add($b,32);
+	&add($r,32);
+	 &sub($num,8);
+	&jnz(&label("aw_loop"));
+
+	&set_label("aw_finish",0);
+	&mov($num,&wparam(3));	# get num
+	&and($num,7);
+	 &jz(&label("aw_end"));
+
+	for ($i=0; $i<7; $i++)
+		{
+		&comment("Tail Round $i");
+		&mov($tmp1,&DWP($i*4,$a,"",0));	# *a
+		 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+		&sub($tmp1,$c);
+		 &mov($c,0);
+		&adc($c,$c);
+		 &sub($tmp1,$tmp2);
+		&adc($c,0);
+		 &dec($num) if ($i != 6);
+		&mov(&DWP($i*4,$r,"",0),$tmp1);	# *a
+		 &jz(&label("aw_end")) if ($i != 6);
+		}
+	&set_label("aw_end",0);
+
+#	&mov("eax",$c);		# $c is "eax"
+
+	&function_end($name);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
new file mode 100644
index 0000000..009b0eb
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -0,0 +1,510 @@
+/* crypto/bn/bn.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BN_H
+#define HEADER_BN_H
+
+#ifndef WIN16
+#include <stdio.h> /* FILE */
+#endif
+#include <openssl/opensslconf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef VMS
+#undef BN_LLONG /* experimental, so far... */
+#endif
+
+#define BN_MUL_COMBA
+#define BN_SQR_COMBA
+#define BN_RECURSION
+#define RECP_MUL_MOD
+#define MONT_MUL_MOD
+
+/* This next option uses the C libraries (2 word)/(1 word) function.
+ * If it is not defined, I use my C version (which is slower).
+ * The reason for this flag is that when the particular C compiler
+ * library routine is used, and the library is linked with a different
+ * compiler, the library is missing.  This mostly happens when the
+ * library is built with gcc and then linked using normal cc.  This would
+ * be a common occurrence because gcc normally produces code that is
+ * 2 times faster than system compilers for the big number stuff.
+ * For machines with only one compiler (or shared libraries), this should
+ * be on.  Again this in only really a problem on machines
+ * using "long long's", are 32bit, and are not using my assembler code. */
+#if defined(MSDOS) || defined(WINDOWS) || defined(WIN32) || defined(linux)
+#define BN_DIV2W
+#endif
+
+/* assuming long is 64bit - this is the DEC Alpha
+ * unsigned long long is only 64 bits :-(, don't define
+ * BN_LLONG for the DEC Alpha */
+#ifdef SIXTY_FOUR_BIT_LONG
+#define BN_ULLONG	unsigned long long
+#define BN_ULONG	unsigned long
+#define BN_LONG		long
+#define BN_BITS		128
+#define BN_BYTES	8
+#define BN_BITS2	64
+#define BN_BITS4	32
+#define BN_MASK		(0xffffffffffffffffffffffffffffffffLL)
+#define BN_MASK2	(0xffffffffffffffffL)
+#define BN_MASK2l	(0xffffffffL)
+#define BN_MASK2h	(0xffffffff00000000L)
+#define BN_MASK2h1	(0xffffffff80000000L)
+#define BN_TBIT		(0x8000000000000000L)
+#define BN_DEC_CONV	(10000000000000000000UL)
+#define BN_DEC_FMT1	"%lu"
+#define BN_DEC_FMT2	"%019lu"
+#define BN_DEC_NUM	19
+#endif
+
+/* This is where the long long data type is 64 bits, but long is 32.
+ * For machines where there are 64bit registers, this is the mode to use.
+ * IRIX, on R4000 and above should use this mode, along with the relevant
+ * assembler code :-).  Do NOT define BN_LLONG.
+ */
+#ifdef SIXTY_FOUR_BIT
+#undef BN_LLONG
+#undef BN_ULLONG
+#define BN_ULONG	unsigned long long
+#define BN_LONG		long long
+#define BN_BITS		128
+#define BN_BYTES	8
+#define BN_BITS2	64
+#define BN_BITS4	32
+#define BN_MASK2	(0xffffffffffffffffLL)
+#define BN_MASK2l	(0xffffffffL)
+#define BN_MASK2h	(0xffffffff00000000LL)
+#define BN_MASK2h1	(0xffffffff80000000LL)
+#define BN_TBIT		(0x8000000000000000LL)
+#define BN_DEC_CONV	(10000000000000000000LL)
+#define BN_DEC_FMT1	"%llu"
+#define BN_DEC_FMT2	"%019llu"
+#define BN_DEC_NUM	19
+#endif
+
+#ifdef THIRTY_TWO_BIT
+#if defined(WIN32) && !defined(__GNUC__)
+#define BN_ULLONG	unsigned _int64
+#else
+#define BN_ULLONG	unsigned long long
+#endif
+#define BN_ULONG	unsigned long
+#define BN_LONG		long
+#define BN_BITS		64
+#define BN_BYTES	4
+#define BN_BITS2	32
+#define BN_BITS4	16
+#ifdef WIN32
+/* VC++ doesn't like the LL suffix */
+#define BN_MASK		(0xffffffffffffffffL)
+#else
+#define BN_MASK		(0xffffffffffffffffLL)
+#endif
+#define BN_MASK2	(0xffffffffL)
+#define BN_MASK2l	(0xffff)
+#define BN_MASK2h1	(0xffff8000L)
+#define BN_MASK2h	(0xffff0000L)
+#define BN_TBIT		(0x80000000L)
+#define BN_DEC_CONV	(1000000000L)
+#define BN_DEC_FMT1	"%lu"
+#define BN_DEC_FMT2	"%09lu"
+#define BN_DEC_NUM	9
+#endif
+
+#ifdef SIXTEEN_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG	unsigned long
+#define BN_ULONG	unsigned short
+#define BN_LONG		short
+#define BN_BITS		32
+#define BN_BYTES	2
+#define BN_BITS2	16
+#define BN_BITS4	8
+#define BN_MASK		(0xffffffff)
+#define BN_MASK2	(0xffff)
+#define BN_MASK2l	(0xff)
+#define BN_MASK2h1	(0xff80)
+#define BN_MASK2h	(0xff00)
+#define BN_TBIT		(0x8000)
+#define BN_DEC_CONV	(100000)
+#define BN_DEC_FMT1	"%u"
+#define BN_DEC_FMT2	"%05u"
+#define BN_DEC_NUM	5
+#endif
+
+#ifdef EIGHT_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG	unsigned short
+#define BN_ULONG	unsigned char
+#define BN_LONG		char
+#define BN_BITS		16
+#define BN_BYTES	1
+#define BN_BITS2	8
+#define BN_BITS4	4
+#define BN_MASK		(0xffff)
+#define BN_MASK2	(0xff)
+#define BN_MASK2l	(0xf)
+#define BN_MASK2h1	(0xf8)
+#define BN_MASK2h	(0xf0)
+#define BN_TBIT		(0x80)
+#define BN_DEC_CONV	(100)
+#define BN_DEC_FMT1	"%u"
+#define BN_DEC_FMT2	"%02u"
+#define BN_DEC_NUM	2
+#endif
+
+#define BN_DEFAULT_BITS	1280
+
+#ifdef BIGNUM
+#undef BIGNUM
+#endif
+
+#define BN_FLG_MALLOCED		0x01
+#define BN_FLG_STATIC_DATA	0x02
+#define BN_FLG_FREE		0x8000	/* used for debuging */
+#define BN_set_flags(b,n)	((b)->flags|=(n))
+#define BN_get_flags(b,n)	((b)->flags&(n))
+
+typedef struct bignum_st
+	{
+	BN_ULONG *d;	/* Pointer to an array of 'BN_BITS2' bit chunks. */
+	int top;	/* Index of last used d +1. */
+	/* The next are internal book keeping for bn_expand. */
+	int max;	/* Size of the d array. */
+	int neg;	/* one if the number is negative */
+	int flags;
+	} BIGNUM;
+
+/* Used for temp variables */
+#define BN_CTX_NUM	12
+#define BN_CTX_NUM_POS	12
+typedef struct bignum_ctx
+	{
+	int tos;
+	BIGNUM bn[BN_CTX_NUM];
+	int flags;
+	int depth;
+	int pos[BN_CTX_NUM_POS];
+	int too_many;
+	} BN_CTX;
+
+typedef struct bn_blinding_st
+	{
+	int init;
+	BIGNUM *A;
+	BIGNUM *Ai;
+	BIGNUM *mod; /* just a reference */
+	} BN_BLINDING;
+
+/* Used for montgomery multiplication */
+typedef struct bn_mont_ctx_st
+	{
+	int ri;        /* number of bits in R */
+	BIGNUM RR;     /* used to convert to montgomery form */
+	BIGNUM N;      /* The modulus */
+	BIGNUM Ni;     /* R*(1/R mod N) - N*Ni = 1
+	                * (Ni is only stored for bignum algorithm) */
+	BN_ULONG n0;   /* least significant word of Ni */
+	int flags;
+	} BN_MONT_CTX;
+
+/* Used for reciprocal division/mod functions
+ * It cannot be shared between threads
+ */
+typedef struct bn_recp_ctx_st
+	{
+	BIGNUM N;	/* the divisor */
+	BIGNUM Nr;	/* the reciprocal */
+	int num_bits;
+	int shift;
+	int flags;
+	} BN_RECP_CTX;
+
+#define BN_to_montgomery(r,a,mont,ctx)	BN_mod_mul_montgomery(\
+	r,a,&((mont)->RR),(mont),ctx)
+
+#define BN_prime_checks 0 /* default: select number of iterations
+			     based on the size of the number */
+
+/* number of Miller-Rabin iterations for an error rate  of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks_for_size(b) ((b) >= 1300 ?  2 : \
+                                (b) >=  850 ?  3 : \
+                                (b) >=  650 ?  4 : \
+                                (b) >=  550 ?  5 : \
+                                (b) >=  450 ?  6 : \
+                                (b) >=  400 ?  7 : \
+                                (b) >=  350 ?  8 : \
+                                (b) >=  300 ?  9 : \
+                                (b) >=  250 ? 12 : \
+                                (b) >=  200 ? 15 : \
+                                (b) >=  150 ? 18 : \
+                                /* b >= 100 */ 27)
+
+#define BN_num_bytes(a)	((BN_num_bits(a)+7)/8)
+#define BN_is_word(a,w)	(((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
+#define BN_is_zero(a)	(((a)->top == 0) || BN_is_word(a,0))
+#define BN_is_one(a)	(BN_is_word((a),1))
+#define BN_is_odd(a)	(((a)->top > 0) && ((a)->d[0] & 1))
+#define BN_one(a)	(BN_set_word((a),1))
+#define BN_zero(a)	(BN_set_word((a),0))
+
+/*#define BN_ascii2bn(a)	BN_hex2bn(a) */
+/*#define BN_bn2ascii(a)	BN_bn2hex(a) */
+
+BIGNUM *BN_value_one(void);
+char *	BN_options(void);
+BN_CTX *BN_CTX_new(void);
+void	BN_CTX_init(BN_CTX *c);
+void	BN_CTX_free(BN_CTX *c);
+void	BN_CTX_start(BN_CTX *ctx);
+BIGNUM *BN_CTX_get(BN_CTX *ctx);
+void	BN_CTX_end(BN_CTX *ctx);
+int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int	BN_num_bits(const BIGNUM *a);
+int	BN_num_bits_word(BN_ULONG);
+BIGNUM *BN_new(void);
+void	BN_init(BIGNUM *);
+void	BN_clear_free(BIGNUM *a);
+BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
+int	BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_mpi2bn(unsigned char *s,int len,BIGNUM *ret);
+int	BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+int	BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int	BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int	BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int	BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int	BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int	BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+	       BN_CTX *ctx);
+int	BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+int	BN_sqr(BIGNUM *r, BIGNUM *a,BN_CTX *ctx);
+BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+int	BN_mul_word(BIGNUM *a, BN_ULONG w);
+int	BN_add_word(BIGNUM *a, BN_ULONG w);
+int	BN_sub_word(BIGNUM *a, BN_ULONG w);
+int	BN_set_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_get_word(BIGNUM *a);
+int	BN_cmp(const BIGNUM *a, const BIGNUM *b);
+void	BN_free(BIGNUM *a);
+int	BN_is_bit_set(const BIGNUM *a, int n);
+int	BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+int	BN_lshift1(BIGNUM *r, BIGNUM *a);
+int	BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p,BN_CTX *ctx);
+int	BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		   const BIGNUM *m,BN_CTX *ctx);
+int	BN_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int	BN_mod_exp2_mont(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
+		BIGNUM *p2,BIGNUM *m,BN_CTX *ctx,BN_MONT_CTX *m_ctx);
+int	BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p,
+	BIGNUM *m,BN_CTX *ctx);
+int	BN_mask_bits(BIGNUM *a,int n);
+int	BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+#ifndef NO_FP_API
+int	BN_print_fp(FILE *fp, const BIGNUM *a);
+#endif
+#ifdef HEADER_BIO_H
+int	BN_print(BIO *fp, const BIGNUM *a);
+#else
+int	BN_print(void *fp, const BIGNUM *a);
+#endif
+int	BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx);
+int	BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+int	BN_rshift1(BIGNUM *r, BIGNUM *a);
+void	BN_clear(BIGNUM *a);
+BIGNUM *BN_dup(const BIGNUM *a);
+int	BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+int	BN_set_bit(BIGNUM *a, int n);
+int	BN_clear_bit(BIGNUM *a, int n);
+char *	BN_bn2hex(const BIGNUM *a);
+char *	BN_bn2dec(const BIGNUM *a);
+int 	BN_hex2bn(BIGNUM **a, const char *str);
+int 	BN_dec2bn(BIGNUM **a, const char *str);
+int	BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
+BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add,
+		BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
+int	BN_is_prime(const BIGNUM *p,int nchecks,
+		void (*callback)(int,int,void *),
+		BN_CTX *ctx,void *cb_arg);
+int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
+		void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
+		int do_trial_division);
+void	ERR_load_BN_strings(void );
+
+BN_MONT_CTX *BN_MONT_CTX_new(void );
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
+			  BN_CTX *ctx);
+int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
+void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+
+BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *r, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+
+void BN_set_params(int mul,int high,int low,int mont);
+int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+
+void	BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new(void);
+void	BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int	BN_RECP_CTX_set(BN_RECP_CTX *recp,const BIGNUM *rdiv,BN_CTX *ctx);
+int	BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y,
+		BN_RECP_CTX *recp,BN_CTX *ctx);
+int	BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx);
+int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
+		BN_RECP_CTX *recp, BN_CTX *ctx);
+
+/* library internal functions */
+
+#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->max)?\
+	(a):bn_expand2((a),(bits)/BN_BITS2+1))
+#define bn_wexpand(a,words) (((words) <= (a)->max)?(a):bn_expand2((a),(words)))
+BIGNUM *bn_expand2(BIGNUM *a, int words);
+
+#define bn_fix_top(a) \
+        { \
+        BN_ULONG *ftl; \
+	if ((a)->top > 0) \
+		{ \
+		for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
+		if (*(ftl--)) break; \
+		} \
+	}
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+
+#ifdef BN_DEBUG
+  void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n);
+# define bn_print(a) {fprintf(stderr, #a "="); BN_print_fp(stderr,a); \
+   fprintf(stderr,"\n");}
+# define bn_dump(a,n) bn_dump1(stderr,#a,a,n);
+#else
+# define bn_print(a)
+# define bn_dump(a,b)
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the BN functions. */
+
+/* Function codes. */
+#define BN_F_BN_BLINDING_CONVERT			 100
+#define BN_F_BN_BLINDING_INVERT				 101
+#define BN_F_BN_BLINDING_NEW				 102
+#define BN_F_BN_BLINDING_UPDATE				 103
+#define BN_F_BN_BN2DEC					 104
+#define BN_F_BN_BN2HEX					 105
+#define BN_F_BN_CTX_GET					 116
+#define BN_F_BN_CTX_NEW					 106
+#define BN_F_BN_DIV					 107
+#define BN_F_BN_EXPAND2					 108
+#define BN_F_BN_MOD_EXP_MONT				 109
+#define BN_F_BN_MOD_INVERSE				 110
+#define BN_F_BN_MOD_MUL_RECIPROCAL			 111
+#define BN_F_BN_MPI2BN					 112
+#define BN_F_BN_NEW					 113
+#define BN_F_BN_RAND					 114
+#define BN_F_BN_USUB					 115
+
+/* Reason codes. */
+#define BN_R_ARG2_LT_ARG3				 100
+#define BN_R_BAD_RECIPROCAL				 101
+#define BN_R_CALLED_WITH_EVEN_MODULUS			 102
+#define BN_R_DIV_BY_ZERO				 103
+#define BN_R_ENCODING_ERROR				 104
+#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA		 105
+#define BN_R_INVALID_LENGTH				 106
+#define BN_R_NOT_INITIALIZED				 107
+#define BN_R_NO_INVERSE					 108
+#define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/bn/bn.mul b/crypto/openssl/crypto/bn/bn.mul
new file mode 100644
index 0000000..9728870
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn.mul
@@ -0,0 +1,19 @@
+We need
+
+* bn_mul_comba8
+* bn_mul_comba4
+* bn_mul_normal
+* bn_mul_recursive
+
+* bn_sqr_comba8
+* bn_sqr_comba4
+bn_sqr_normal -> BN_sqr
+* bn_sqr_recursive
+
+* bn_mul_low_recursive
+* bn_mul_low_normal
+* bn_mul_high
+
+* bn_mul_part_recursive	# symetric but not power of 2
+
+bn_mul_asymetric_recursive # uneven, but do the chop up.
diff --git a/crypto/openssl/crypto/bn/bn_add.c b/crypto/openssl/crypto/bn/bn_add.c
new file mode 100644
index 0000000..5d24691
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_add.c
@@ -0,0 +1,307 @@
+/* crypto/bn/bn_add.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* r can == a or b */
+int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
+	{
+	const BIGNUM *tmp;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	/*  a +  b	a+b
+	 *  a + -b	a-b
+	 * -a +  b	b-a
+	 * -a + -b	-(a+b)
+	 */
+	if (a->neg ^ b->neg)
+		{
+		/* only one is negative */
+		if (a->neg)
+			{ tmp=a; a=b; b=tmp; }
+
+		/* we are now a - b */
+
+		if (BN_ucmp(a,b) < 0)
+			{
+			if (!BN_usub(r,b,a)) return(0);
+			r->neg=1;
+			}
+		else
+			{
+			if (!BN_usub(r,a,b)) return(0);
+			r->neg=0;
+			}
+		return(1);
+		}
+
+	if (a->neg) /* both are neg */
+		r->neg=1;
+	else
+		r->neg=0;
+
+	if (!BN_uadd(r,a,b)) return(0);
+	return(1);
+	}
+
+/* unsigned add of b to a, r must be large enough */
+int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
+	{
+	register int i;
+	int max,min;
+	BN_ULONG *ap,*bp,*rp,carry,t1;
+	const BIGNUM *tmp;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (a->top < b->top)
+		{ tmp=a; a=b; b=tmp; }
+	max=a->top;
+	min=b->top;
+
+	if (bn_wexpand(r,max+1) == NULL)
+		return(0);
+
+	r->top=max;
+
+
+	ap=a->d;
+	bp=b->d;
+	rp=r->d;
+	carry=0;
+
+	carry=bn_add_words(rp,ap,bp,min);
+	rp+=min;
+	ap+=min;
+	bp+=min;
+	i=min;
+
+	if (carry)
+		{
+		while (i < max)
+			{
+			i++;
+			t1= *(ap++);
+			if ((*(rp++)=(t1+1)&BN_MASK2) >= t1)
+				{
+				carry=0;
+				break;
+				}
+			}
+		if ((i >= max) && carry)
+			{
+			*(rp++)=1;
+			r->top++;
+			}
+		}
+	if (rp != ap)
+		{
+		for (; i<max; i++)
+			*(rp++)= *(ap++);
+		}
+	/* memcpy(rp,ap,sizeof(*ap)*(max-i));*/
+	return(1);
+	}
+
+/* unsigned subtraction of b from a, a must be larger than b. */
+int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
+	{
+	int max,min;
+	register BN_ULONG t1,t2,*ap,*bp,*rp;
+	int i,carry;
+#if defined(IRIX_CC_BUG) && !defined(LINT)
+	int dummy;
+#endif
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (a->top < b->top) /* hmm... should not be happening */
+		{
+		BNerr(BN_F_BN_USUB,BN_R_ARG2_LT_ARG3);
+		return(0);
+		}
+
+	max=a->top;
+	min=b->top;
+	if (bn_wexpand(r,max) == NULL) return(0);
+
+	ap=a->d;
+	bp=b->d;
+	rp=r->d;
+
+#if 1
+	carry=0;
+	for (i=0; i<min; i++)
+		{
+		t1= *(ap++);
+		t2= *(bp++);
+		if (carry)
+			{
+			carry=(t1 <= t2);
+			t1=(t1-t2-1)&BN_MASK2;
+			}
+		else
+			{
+			carry=(t1 < t2);
+			t1=(t1-t2)&BN_MASK2;
+			}
+#if defined(IRIX_CC_BUG) && !defined(LINT)
+		dummy=t1;
+#endif
+		*(rp++)=t1&BN_MASK2;
+		}
+#else
+	carry=bn_sub_words(rp,ap,bp,min);
+	ap+=min;
+	bp+=min;
+	rp+=min;
+	i=min;
+#endif
+	if (carry) /* subtracted */
+		{
+		while (i < max)
+			{
+			i++;
+			t1= *(ap++);
+			t2=(t1-1)&BN_MASK2;
+			*(rp++)=t2;
+			if (t1 > t2) break;
+			}
+		}
+#if 0
+	memcpy(rp,ap,sizeof(*rp)*(max-i));
+#else
+	if (rp != ap)
+		{
+		for (;;)
+			{
+			if (i++ >= max) break;
+			rp[0]=ap[0];
+			if (i++ >= max) break;
+			rp[1]=ap[1];
+			if (i++ >= max) break;
+			rp[2]=ap[2];
+			if (i++ >= max) break;
+			rp[3]=ap[3];
+			rp+=4;
+			ap+=4;
+			}
+		}
+#endif
+
+	r->top=max;
+	bn_fix_top(r);
+	return(1);
+	}
+
+int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
+	{
+	int max;
+	int add=0,neg=0;
+	const BIGNUM *tmp;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	/*  a -  b	a-b
+	 *  a - -b	a+b
+	 * -a -  b	-(a+b)
+	 * -a - -b	b-a
+	 */
+	if (a->neg)
+		{
+		if (b->neg)
+			{ tmp=a; a=b; b=tmp; }
+		else
+			{ add=1; neg=1; }
+		}
+	else
+		{
+		if (b->neg) { add=1; neg=0; }
+		}
+
+	if (add)
+		{
+		if (!BN_uadd(r,a,b)) return(0);
+		r->neg=neg;
+		return(1);
+		}
+
+	/* We are actually doing a - b :-) */
+
+	max=(a->top > b->top)?a->top:b->top;
+	if (bn_wexpand(r,max) == NULL) return(0);
+	if (BN_ucmp(a,b) < 0)
+		{
+		if (!BN_usub(r,b,a)) return(0);
+		r->neg=1;
+		}
+	else
+		{
+		if (!BN_usub(r,a,b)) return(0);
+		r->neg=0;
+		}
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_asm.c b/crypto/openssl/crypto/bn/bn_asm.c
new file mode 100644
index 0000000..3329cc1
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_asm.c
@@ -0,0 +1,837 @@
+/* crypto/bn/bn_asm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef BN_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+	{
+	BN_ULONG c1=0;
+
+	assert(num >= 0);
+	if (num <= 0) return(c1);
+
+	while (num&~3)
+		{
+		mul_add(rp[0],ap[0],w,c1);
+		mul_add(rp[1],ap[1],w,c1);
+		mul_add(rp[2],ap[2],w,c1);
+		mul_add(rp[3],ap[3],w,c1);
+		ap+=4; rp+=4; num-=4;
+		}
+	if (num)
+		{
+		mul_add(rp[0],ap[0],w,c1); if (--num==0) return c1;
+		mul_add(rp[1],ap[1],w,c1); if (--num==0) return c1;
+		mul_add(rp[2],ap[2],w,c1); return c1;
+		}
+	
+	return(c1);
+	} 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+	{
+	BN_ULONG c1=0;
+
+	assert(num >= 0);
+	if (num <= 0) return(c1);
+
+	while (num&~3)
+		{
+		mul(rp[0],ap[0],w,c1);
+		mul(rp[1],ap[1],w,c1);
+		mul(rp[2],ap[2],w,c1);
+		mul(rp[3],ap[3],w,c1);
+		ap+=4; rp+=4; num-=4;
+		}
+	if (num)
+		{
+		mul(rp[0],ap[0],w,c1); if (--num == 0) return c1;
+		mul(rp[1],ap[1],w,c1); if (--num == 0) return c1;
+		mul(rp[2],ap[2],w,c1);
+		}
+	return(c1);
+	} 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+	assert(n >= 0);
+	if (n <= 0) return;
+	while (n&~3)
+		{
+		sqr(r[0],r[1],a[0]);
+		sqr(r[2],r[3],a[1]);
+		sqr(r[4],r[5],a[2]);
+		sqr(r[6],r[7],a[3]);
+		a+=4; r+=8; n-=4;
+		}
+	if (n)
+		{
+		sqr(r[0],r[1],a[0]); if (--n == 0) return;
+		sqr(r[2],r[3],a[1]); if (--n == 0) return;
+		sqr(r[4],r[5],a[2]);
+		}
+	}
+
+#else /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+	{
+	BN_ULONG c=0;
+	BN_ULONG bl,bh;
+
+	assert(num >= 0);
+	if (num <= 0) return((BN_ULONG)0);
+
+	bl=LBITS(w);
+	bh=HBITS(w);
+
+	for (;;)
+		{
+		mul_add(rp[0],ap[0],bl,bh,c);
+		if (--num == 0) break;
+		mul_add(rp[1],ap[1],bl,bh,c);
+		if (--num == 0) break;
+		mul_add(rp[2],ap[2],bl,bh,c);
+		if (--num == 0) break;
+		mul_add(rp[3],ap[3],bl,bh,c);
+		if (--num == 0) break;
+		ap+=4;
+		rp+=4;
+		}
+	return(c);
+	} 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+	{
+	BN_ULONG carry=0;
+	BN_ULONG bl,bh;
+
+	assert(num >= 0);
+	if (num <= 0) return((BN_ULONG)0);
+
+	bl=LBITS(w);
+	bh=HBITS(w);
+
+	for (;;)
+		{
+		mul(rp[0],ap[0],bl,bh,carry);
+		if (--num == 0) break;
+		mul(rp[1],ap[1],bl,bh,carry);
+		if (--num == 0) break;
+		mul(rp[2],ap[2],bl,bh,carry);
+		if (--num == 0) break;
+		mul(rp[3],ap[3],bl,bh,carry);
+		if (--num == 0) break;
+		ap+=4;
+		rp+=4;
+		}
+	return(carry);
+	} 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+	assert(n >= 0);
+	if (n <= 0) return;
+	for (;;)
+		{
+		sqr64(r[0],r[1],a[0]);
+		if (--n == 0) break;
+
+		sqr64(r[2],r[3],a[1]);
+		if (--n == 0) break;
+
+		sqr64(r[4],r[5],a[2]);
+		if (--n == 0) break;
+
+		sqr64(r[6],r[7],a[3]);
+		if (--n == 0) break;
+
+		a+=4;
+		r+=8;
+		}
+	}
+
+#endif /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */
+
+#if defined(BN_LLONG) && defined(BN_DIV2W)
+
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+	{
+	return((BN_ULONG)(((((BN_ULLONG)h)<<BN_BITS2)|l)/(BN_ULLONG)d));
+	}
+
+#else
+
+/* Divide h-l by d and return the result. */
+/* I need to test this some more :-( */
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+	{
+	BN_ULONG dh,dl,q,ret=0,th,tl,t;
+	int i,count=2;
+
+	if (d == 0) return(BN_MASK2);
+
+	i=BN_num_bits_word(d);
+	if ((i != BN_BITS2) && (h > (BN_ULONG)1<<i))
+		{
+#if !defined(NO_STDIO) && !defined(WIN16)
+		fprintf(stderr,"Division would overflow (%d)\n",i);
+#endif
+		abort();
+		}
+	i=BN_BITS2-i;
+	if (h >= d) h-=d;
+
+	if (i)
+		{
+		d<<=i;
+		h=(h<<i)|(l>>(BN_BITS2-i));
+		l<<=i;
+		}
+	dh=(d&BN_MASK2h)>>BN_BITS4;
+	dl=(d&BN_MASK2l);
+	for (;;)
+		{
+		if ((h>>BN_BITS4) == dh)
+			q=BN_MASK2l;
+		else
+			q=h/dh;
+
+		th=q*dh;
+		tl=dl*q;
+		for (;;)
+			{
+			t=h-th;
+			if ((t&BN_MASK2h) ||
+				((tl) <= (
+					(t<<BN_BITS4)|
+					((l&BN_MASK2h)>>BN_BITS4))))
+				break;
+			q--;
+			th-=dh;
+			tl-=dl;
+			}
+		t=(tl>>BN_BITS4);
+		tl=(tl<<BN_BITS4)&BN_MASK2h;
+		th+=t;
+
+		if (l < tl) th++;
+		l-=tl;
+		if (h < th)
+			{
+			h+=d;
+			q--;
+			}
+		h-=th;
+
+		if (--count == 0) break;
+
+		ret=q<<BN_BITS4;
+		h=((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2;
+		l=(l&BN_MASK2l)<<BN_BITS4;
+		}
+	ret|=q;
+	return(ret);
+	}
+#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */
+
+#ifdef BN_LLONG
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+	BN_ULLONG ll=0;
+
+	assert(n >= 0);
+	if (n <= 0) return((BN_ULONG)0);
+
+	for (;;)
+		{
+		ll+=(BN_ULLONG)a[0]+b[0];
+		r[0]=(BN_ULONG)ll&BN_MASK2;
+		ll>>=BN_BITS2;
+		if (--n <= 0) break;
+
+		ll+=(BN_ULLONG)a[1]+b[1];
+		r[1]=(BN_ULONG)ll&BN_MASK2;
+		ll>>=BN_BITS2;
+		if (--n <= 0) break;
+
+		ll+=(BN_ULLONG)a[2]+b[2];
+		r[2]=(BN_ULONG)ll&BN_MASK2;
+		ll>>=BN_BITS2;
+		if (--n <= 0) break;
+
+		ll+=(BN_ULLONG)a[3]+b[3];
+		r[3]=(BN_ULONG)ll&BN_MASK2;
+		ll>>=BN_BITS2;
+		if (--n <= 0) break;
+
+		a+=4;
+		b+=4;
+		r+=4;
+		}
+	return((BN_ULONG)ll);
+	}
+#else /* !BN_LLONG */
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+	BN_ULONG c,l,t;
+
+	assert(n >= 0);
+	if (n <= 0) return((BN_ULONG)0);
+
+	c=0;
+	for (;;)
+		{
+		t=a[0];
+		t=(t+c)&BN_MASK2;
+		c=(t < c);
+		l=(t+b[0])&BN_MASK2;
+		c+=(l < t);
+		r[0]=l;
+		if (--n <= 0) break;
+
+		t=a[1];
+		t=(t+c)&BN_MASK2;
+		c=(t < c);
+		l=(t+b[1])&BN_MASK2;
+		c+=(l < t);
+		r[1]=l;
+		if (--n <= 0) break;
+
+		t=a[2];
+		t=(t+c)&BN_MASK2;
+		c=(t < c);
+		l=(t+b[2])&BN_MASK2;
+		c+=(l < t);
+		r[2]=l;
+		if (--n <= 0) break;
+
+		t=a[3];
+		t=(t+c)&BN_MASK2;
+		c=(t < c);
+		l=(t+b[3])&BN_MASK2;
+		c+=(l < t);
+		r[3]=l;
+		if (--n <= 0) break;
+
+		a+=4;
+		b+=4;
+		r+=4;
+		}
+	return((BN_ULONG)c);
+	}
+#endif /* !BN_LLONG */
+
+BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+	BN_ULONG t1,t2;
+	int c=0;
+
+	assert(n >= 0);
+	if (n <= 0) return((BN_ULONG)0);
+
+	for (;;)
+		{
+		t1=a[0]; t2=b[0];
+		r[0]=(t1-t2-c)&BN_MASK2;
+		if (t1 != t2) c=(t1 < t2);
+		if (--n <= 0) break;
+
+		t1=a[1]; t2=b[1];
+		r[1]=(t1-t2-c)&BN_MASK2;
+		if (t1 != t2) c=(t1 < t2);
+		if (--n <= 0) break;
+
+		t1=a[2]; t2=b[2];
+		r[2]=(t1-t2-c)&BN_MASK2;
+		if (t1 != t2) c=(t1 < t2);
+		if (--n <= 0) break;
+
+		t1=a[3]; t2=b[3];
+		r[3]=(t1-t2-c)&BN_MASK2;
+		if (t1 != t2) c=(t1 < t2);
+		if (--n <= 0) break;
+
+		a+=4;
+		b+=4;
+		r+=4;
+		}
+	return(c);
+	}
+
+#ifdef BN_MUL_COMBA
+
+#undef bn_mul_comba8
+#undef bn_mul_comba4
+#undef bn_sqr_comba8
+#undef bn_sqr_comba4
+
+/* mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0) */
+/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
+/* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
+/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+
+#ifdef BN_LLONG
+#define mul_add_c(a,b,c0,c1,c2) \
+	t=(BN_ULLONG)a*b; \
+	t1=(BN_ULONG)Lw(t); \
+	t2=(BN_ULONG)Hw(t); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+	t=(BN_ULLONG)a*b; \
+	tt=(t+t)&BN_MASK; \
+	if (tt < t) c2++; \
+	t1=(BN_ULONG)Lw(tt); \
+	t2=(BN_ULONG)Hw(tt); \
+	c0=(c0+t1)&BN_MASK2;  \
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+	t=(BN_ULLONG)a[i]*a[i]; \
+	t1=(BN_ULONG)Lw(t); \
+	t2=(BN_ULONG)Hw(t); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+
+#elif defined(BN_UMULT_HIGH)
+
+#define mul_add_c(a,b,c0,c1,c2)	{	\
+	BN_ULONG ta=(a),tb=(b);		\
+	t1 = ta * tb;			\
+	t2 = BN_UMULT_HIGH(ta,tb);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define mul_add_c2(a,b,c0,c1,c2) {	\
+	BN_ULONG ta=(a),tb=(b),t0;	\
+	t1 = BN_UMULT_HIGH(ta,tb);	\
+	t0 = ta * tb;			\
+	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c(a,i,c0,c1,c2)	{	\
+	BN_ULONG ta=(a)[i];		\
+	t1 = ta * ta;			\
+	t2 = BN_UMULT_HIGH(ta,ta);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c2(a,i,j,c0,c1,c2)	\
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+
+#else /* !BN_LLONG */
+#define mul_add_c(a,b,c0,c1,c2) \
+	t1=LBITS(a); t2=HBITS(a); \
+	bl=LBITS(b); bh=HBITS(b); \
+	mul64(t1,t2,bl,bh); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+	t1=LBITS(a); t2=HBITS(a); \
+	bl=LBITS(b); bh=HBITS(b); \
+	mul64(t1,t2,bl,bh); \
+	if (t2 & BN_TBIT) c2++; \
+	t2=(t2+t2)&BN_MASK2; \
+	if (t1 & BN_TBIT) t2++; \
+	t1=(t1+t1)&BN_MASK2; \
+	c0=(c0+t1)&BN_MASK2;  \
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+	sqr64(t1,t2,(a)[i]); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#endif /* !BN_LLONG */
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	mul_add_c(a[0],b[0],c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	mul_add_c(a[0],b[1],c2,c3,c1);
+	mul_add_c(a[1],b[0],c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	mul_add_c(a[2],b[0],c3,c1,c2);
+	mul_add_c(a[1],b[1],c3,c1,c2);
+	mul_add_c(a[0],b[2],c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	mul_add_c(a[0],b[3],c1,c2,c3);
+	mul_add_c(a[1],b[2],c1,c2,c3);
+	mul_add_c(a[2],b[1],c1,c2,c3);
+	mul_add_c(a[3],b[0],c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	mul_add_c(a[4],b[0],c2,c3,c1);
+	mul_add_c(a[3],b[1],c2,c3,c1);
+	mul_add_c(a[2],b[2],c2,c3,c1);
+	mul_add_c(a[1],b[3],c2,c3,c1);
+	mul_add_c(a[0],b[4],c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	mul_add_c(a[0],b[5],c3,c1,c2);
+	mul_add_c(a[1],b[4],c3,c1,c2);
+	mul_add_c(a[2],b[3],c3,c1,c2);
+	mul_add_c(a[3],b[2],c3,c1,c2);
+	mul_add_c(a[4],b[1],c3,c1,c2);
+	mul_add_c(a[5],b[0],c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	mul_add_c(a[6],b[0],c1,c2,c3);
+	mul_add_c(a[5],b[1],c1,c2,c3);
+	mul_add_c(a[4],b[2],c1,c2,c3);
+	mul_add_c(a[3],b[3],c1,c2,c3);
+	mul_add_c(a[2],b[4],c1,c2,c3);
+	mul_add_c(a[1],b[5],c1,c2,c3);
+	mul_add_c(a[0],b[6],c1,c2,c3);
+	r[6]=c1;
+	c1=0;
+	mul_add_c(a[0],b[7],c2,c3,c1);
+	mul_add_c(a[1],b[6],c2,c3,c1);
+	mul_add_c(a[2],b[5],c2,c3,c1);
+	mul_add_c(a[3],b[4],c2,c3,c1);
+	mul_add_c(a[4],b[3],c2,c3,c1);
+	mul_add_c(a[5],b[2],c2,c3,c1);
+	mul_add_c(a[6],b[1],c2,c3,c1);
+	mul_add_c(a[7],b[0],c2,c3,c1);
+	r[7]=c2;
+	c2=0;
+	mul_add_c(a[7],b[1],c3,c1,c2);
+	mul_add_c(a[6],b[2],c3,c1,c2);
+	mul_add_c(a[5],b[3],c3,c1,c2);
+	mul_add_c(a[4],b[4],c3,c1,c2);
+	mul_add_c(a[3],b[5],c3,c1,c2);
+	mul_add_c(a[2],b[6],c3,c1,c2);
+	mul_add_c(a[1],b[7],c3,c1,c2);
+	r[8]=c3;
+	c3=0;
+	mul_add_c(a[2],b[7],c1,c2,c3);
+	mul_add_c(a[3],b[6],c1,c2,c3);
+	mul_add_c(a[4],b[5],c1,c2,c3);
+	mul_add_c(a[5],b[4],c1,c2,c3);
+	mul_add_c(a[6],b[3],c1,c2,c3);
+	mul_add_c(a[7],b[2],c1,c2,c3);
+	r[9]=c1;
+	c1=0;
+	mul_add_c(a[7],b[3],c2,c3,c1);
+	mul_add_c(a[6],b[4],c2,c3,c1);
+	mul_add_c(a[5],b[5],c2,c3,c1);
+	mul_add_c(a[4],b[6],c2,c3,c1);
+	mul_add_c(a[3],b[7],c2,c3,c1);
+	r[10]=c2;
+	c2=0;
+	mul_add_c(a[4],b[7],c3,c1,c2);
+	mul_add_c(a[5],b[6],c3,c1,c2);
+	mul_add_c(a[6],b[5],c3,c1,c2);
+	mul_add_c(a[7],b[4],c3,c1,c2);
+	r[11]=c3;
+	c3=0;
+	mul_add_c(a[7],b[5],c1,c2,c3);
+	mul_add_c(a[6],b[6],c1,c2,c3);
+	mul_add_c(a[5],b[7],c1,c2,c3);
+	r[12]=c1;
+	c1=0;
+	mul_add_c(a[6],b[7],c2,c3,c1);
+	mul_add_c(a[7],b[6],c2,c3,c1);
+	r[13]=c2;
+	c2=0;
+	mul_add_c(a[7],b[7],c3,c1,c2);
+	r[14]=c3;
+	r[15]=c1;
+	}
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	mul_add_c(a[0],b[0],c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	mul_add_c(a[0],b[1],c2,c3,c1);
+	mul_add_c(a[1],b[0],c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	mul_add_c(a[2],b[0],c3,c1,c2);
+	mul_add_c(a[1],b[1],c3,c1,c2);
+	mul_add_c(a[0],b[2],c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	mul_add_c(a[0],b[3],c1,c2,c3);
+	mul_add_c(a[1],b[2],c1,c2,c3);
+	mul_add_c(a[2],b[1],c1,c2,c3);
+	mul_add_c(a[3],b[0],c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	mul_add_c(a[3],b[1],c2,c3,c1);
+	mul_add_c(a[2],b[2],c2,c3,c1);
+	mul_add_c(a[1],b[3],c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	mul_add_c(a[2],b[3],c3,c1,c2);
+	mul_add_c(a[3],b[2],c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	mul_add_c(a[3],b[3],c1,c2,c3);
+	r[6]=c1;
+	r[7]=c2;
+	}
+
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	sqr_add_c(a,0,c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	sqr_add_c2(a,1,0,c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	sqr_add_c(a,1,c3,c1,c2);
+	sqr_add_c2(a,2,0,c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	sqr_add_c2(a,3,0,c1,c2,c3);
+	sqr_add_c2(a,2,1,c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	sqr_add_c(a,2,c2,c3,c1);
+	sqr_add_c2(a,3,1,c2,c3,c1);
+	sqr_add_c2(a,4,0,c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	sqr_add_c2(a,5,0,c3,c1,c2);
+	sqr_add_c2(a,4,1,c3,c1,c2);
+	sqr_add_c2(a,3,2,c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	sqr_add_c(a,3,c1,c2,c3);
+	sqr_add_c2(a,4,2,c1,c2,c3);
+	sqr_add_c2(a,5,1,c1,c2,c3);
+	sqr_add_c2(a,6,0,c1,c2,c3);
+	r[6]=c1;
+	c1=0;
+	sqr_add_c2(a,7,0,c2,c3,c1);
+	sqr_add_c2(a,6,1,c2,c3,c1);
+	sqr_add_c2(a,5,2,c2,c3,c1);
+	sqr_add_c2(a,4,3,c2,c3,c1);
+	r[7]=c2;
+	c2=0;
+	sqr_add_c(a,4,c3,c1,c2);
+	sqr_add_c2(a,5,3,c3,c1,c2);
+	sqr_add_c2(a,6,2,c3,c1,c2);
+	sqr_add_c2(a,7,1,c3,c1,c2);
+	r[8]=c3;
+	c3=0;
+	sqr_add_c2(a,7,2,c1,c2,c3);
+	sqr_add_c2(a,6,3,c1,c2,c3);
+	sqr_add_c2(a,5,4,c1,c2,c3);
+	r[9]=c1;
+	c1=0;
+	sqr_add_c(a,5,c2,c3,c1);
+	sqr_add_c2(a,6,4,c2,c3,c1);
+	sqr_add_c2(a,7,3,c2,c3,c1);
+	r[10]=c2;
+	c2=0;
+	sqr_add_c2(a,7,4,c3,c1,c2);
+	sqr_add_c2(a,6,5,c3,c1,c2);
+	r[11]=c3;
+	c3=0;
+	sqr_add_c(a,6,c1,c2,c3);
+	sqr_add_c2(a,7,5,c1,c2,c3);
+	r[12]=c1;
+	c1=0;
+	sqr_add_c2(a,7,6,c2,c3,c1);
+	r[13]=c2;
+	c2=0;
+	sqr_add_c(a,7,c3,c1,c2);
+	r[14]=c3;
+	r[15]=c1;
+	}
+
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	sqr_add_c(a,0,c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	sqr_add_c2(a,1,0,c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	sqr_add_c(a,1,c3,c1,c2);
+	sqr_add_c2(a,2,0,c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	sqr_add_c2(a,3,0,c1,c2,c3);
+	sqr_add_c2(a,2,1,c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	sqr_add_c(a,2,c2,c3,c1);
+	sqr_add_c2(a,3,1,c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	sqr_add_c2(a,3,2,c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	sqr_add_c(a,3,c1,c2,c3);
+	r[6]=c1;
+	r[7]=c2;
+	}
+#else /* !BN_MUL_COMBA */
+
+/* hmm... is it faster just to do a multiply? */
+#undef bn_sqr_comba4
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+	{
+	BN_ULONG t[8];
+	bn_sqr_normal(r,a,4,t);
+	}
+
+#undef bn_sqr_comba8
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+	{
+	BN_ULONG t[16];
+	bn_sqr_normal(r,a,8,t);
+	}
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+	r[4]=bn_mul_words(    &(r[0]),a,4,b[0]);
+	r[5]=bn_mul_add_words(&(r[1]),a,4,b[1]);
+	r[6]=bn_mul_add_words(&(r[2]),a,4,b[2]);
+	r[7]=bn_mul_add_words(&(r[3]),a,4,b[3]);
+	}
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+	r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+	r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+	r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+	r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+	r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+	r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+	r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+	r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+	}
+
+#endif /* !BN_MUL_COMBA */
diff --git a/crypto/openssl/crypto/bn/bn_blind.c b/crypto/openssl/crypto/bn/bn_blind.c
new file mode 100644
index 0000000..1b1bb06
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_blind.c
@@ -0,0 +1,144 @@
+/* crypto/bn/bn_blind.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+BN_BLINDING *BN_BLINDING_new(BIGNUM *A, BIGNUM *Ai, BIGNUM *mod)
+	{
+	BN_BLINDING *ret=NULL;
+
+	bn_check_top(Ai);
+	bn_check_top(mod);
+
+	if ((ret=(BN_BLINDING *)Malloc(sizeof(BN_BLINDING))) == NULL)
+		{
+		BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	memset(ret,0,sizeof(BN_BLINDING));
+	if ((ret->A=BN_new()) == NULL) goto err;
+	if ((ret->Ai=BN_new()) == NULL) goto err;
+	if (!BN_copy(ret->A,A)) goto err;
+	if (!BN_copy(ret->Ai,Ai)) goto err;
+	ret->mod=mod;
+	return(ret);
+err:
+	if (ret != NULL) BN_BLINDING_free(ret);
+	return(NULL);
+	}
+
+void BN_BLINDING_free(BN_BLINDING *r)
+	{
+	if(r == NULL)
+	    return;
+
+	if (r->A  != NULL) BN_free(r->A );
+	if (r->Ai != NULL) BN_free(r->Ai);
+	Free(r);
+	}
+
+int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
+	{
+	int ret=0;
+
+	if ((b->A == NULL) || (b->Ai == NULL))
+		{
+		BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
+		goto err;
+		}
+		
+	if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
+	if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
+
+	ret=1;
+err:
+	return(ret);
+	}
+
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
+	{
+	bn_check_top(n);
+
+	if ((b->A == NULL) || (b->Ai == NULL))
+		{
+		BNerr(BN_F_BN_BLINDING_CONVERT,BN_R_NOT_INITIALIZED);
+		return(0);
+		}
+	return(BN_mod_mul(n,n,b->A,b->mod,ctx));
+	}
+
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
+	{
+	int ret;
+
+	bn_check_top(n);
+	if ((b->A == NULL) || (b->Ai == NULL))
+		{
+		BNerr(BN_F_BN_BLINDING_INVERT,BN_R_NOT_INITIALIZED);
+		return(0);
+		}
+	if ((ret=BN_mod_mul(n,n,b->Ai,b->mod,ctx)) >= 0)
+		{
+		if (!BN_BLINDING_update(b,ctx))
+			return(0);
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_comba.c b/crypto/openssl/crypto/bn/bn_comba.c
new file mode 100644
index 0000000..7ad09b4
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_comba.c
@@ -0,0 +1,345 @@
+/* crypto/bn/bn_comba.c */
+#include <stdio.h>
+#include "bn_lcl.h"
+/* Auto generated from crypto/bn/comba.pl
+ */
+
+#undef bn_mul_comba8
+#undef bn_mul_comba4
+#undef bn_sqr_comba8
+#undef bn_sqr_comba4
+
+#ifdef BN_LLONG
+#define mul_add_c(a,b,c0,c1,c2) \
+	t=(BN_ULLONG)a*b; \
+	t1=(BN_ULONG)Lw(t); \
+	t2=(BN_ULONG)Hw(t); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+	t=(BN_ULLONG)a*b; \
+	tt=(t+t)&BN_MASK; \
+	if (tt < t) c2++; \
+	t1=(BN_ULONG)Lw(tt); \
+	t2=(BN_ULONG)Hw(tt); \
+	c0=(c0+t1)&BN_MASK2;  \
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+	t=(BN_ULLONG)a[i]*a[i]; \
+	t1=(BN_ULONG)Lw(t); \
+	t2=(BN_ULONG)Hw(t); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#else
+#define mul_add_c(a,b,c0,c1,c2) \
+	t1=LBITS(a); t2=HBITS(a); \
+	bl=LBITS(b); bh=HBITS(b); \
+	mul64(t1,t2,bl,bh); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+	t1=LBITS(a); t2=HBITS(a); \
+	bl=LBITS(b); bh=HBITS(b); \
+	mul64(t1,t2,bl,bh); \
+	if (t2 & BN_TBIT) c2++; \
+	t2=(t2+t2)&BN_MASK2; \
+	if (t1 & BN_TBIT) t2++; \
+	t1=(t1+t1)&BN_MASK2; \
+	c0=(c0+t1)&BN_MASK2;  \
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+	sqr64(t1,t2,(a)[i]); \
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#endif
+
+void bn_mul_comba88(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
+void bn_mul_comba44(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
+void bn_sqr_comba88(BN_ULONG *r,BN_ULONG *a);
+void bn_sqr_comba44(BN_ULONG *r,BN_ULONG *a);
+
+void bn_mul_comba88(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	mul_add_c(a[0],b[0],c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	mul_add_c(a[0],b[1],c2,c3,c1);
+	mul_add_c(a[1],b[0],c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	mul_add_c(a[2],b[0],c3,c1,c2);
+	mul_add_c(a[1],b[1],c3,c1,c2);
+	mul_add_c(a[0],b[2],c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	mul_add_c(a[0],b[3],c1,c2,c3);
+	mul_add_c(a[1],b[2],c1,c2,c3);
+	mul_add_c(a[2],b[1],c1,c2,c3);
+	mul_add_c(a[3],b[0],c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	mul_add_c(a[4],b[0],c2,c3,c1);
+	mul_add_c(a[3],b[1],c2,c3,c1);
+	mul_add_c(a[2],b[2],c2,c3,c1);
+	mul_add_c(a[1],b[3],c2,c3,c1);
+	mul_add_c(a[0],b[4],c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	mul_add_c(a[0],b[5],c3,c1,c2);
+	mul_add_c(a[1],b[4],c3,c1,c2);
+	mul_add_c(a[2],b[3],c3,c1,c2);
+	mul_add_c(a[3],b[2],c3,c1,c2);
+	mul_add_c(a[4],b[1],c3,c1,c2);
+	mul_add_c(a[5],b[0],c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	mul_add_c(a[6],b[0],c1,c2,c3);
+	mul_add_c(a[5],b[1],c1,c2,c3);
+	mul_add_c(a[4],b[2],c1,c2,c3);
+	mul_add_c(a[3],b[3],c1,c2,c3);
+	mul_add_c(a[2],b[4],c1,c2,c3);
+	mul_add_c(a[1],b[5],c1,c2,c3);
+	mul_add_c(a[0],b[6],c1,c2,c3);
+	r[6]=c1;
+	c1=0;
+	mul_add_c(a[0],b[7],c2,c3,c1);
+	mul_add_c(a[1],b[6],c2,c3,c1);
+	mul_add_c(a[2],b[5],c2,c3,c1);
+	mul_add_c(a[3],b[4],c2,c3,c1);
+	mul_add_c(a[4],b[3],c2,c3,c1);
+	mul_add_c(a[5],b[2],c2,c3,c1);
+	mul_add_c(a[6],b[1],c2,c3,c1);
+	mul_add_c(a[7],b[0],c2,c3,c1);
+	r[7]=c2;
+	c2=0;
+	mul_add_c(a[7],b[1],c3,c1,c2);
+	mul_add_c(a[6],b[2],c3,c1,c2);
+	mul_add_c(a[5],b[3],c3,c1,c2);
+	mul_add_c(a[4],b[4],c3,c1,c2);
+	mul_add_c(a[3],b[5],c3,c1,c2);
+	mul_add_c(a[2],b[6],c3,c1,c2);
+	mul_add_c(a[1],b[7],c3,c1,c2);
+	r[8]=c3;
+	c3=0;
+	mul_add_c(a[2],b[7],c1,c2,c3);
+	mul_add_c(a[3],b[6],c1,c2,c3);
+	mul_add_c(a[4],b[5],c1,c2,c3);
+	mul_add_c(a[5],b[4],c1,c2,c3);
+	mul_add_c(a[6],b[3],c1,c2,c3);
+	mul_add_c(a[7],b[2],c1,c2,c3);
+	r[9]=c1;
+	c1=0;
+	mul_add_c(a[7],b[3],c2,c3,c1);
+	mul_add_c(a[6],b[4],c2,c3,c1);
+	mul_add_c(a[5],b[5],c2,c3,c1);
+	mul_add_c(a[4],b[6],c2,c3,c1);
+	mul_add_c(a[3],b[7],c2,c3,c1);
+	r[10]=c2;
+	c2=0;
+	mul_add_c(a[4],b[7],c3,c1,c2);
+	mul_add_c(a[5],b[6],c3,c1,c2);
+	mul_add_c(a[6],b[5],c3,c1,c2);
+	mul_add_c(a[7],b[4],c3,c1,c2);
+	r[11]=c3;
+	c3=0;
+	mul_add_c(a[7],b[5],c1,c2,c3);
+	mul_add_c(a[6],b[6],c1,c2,c3);
+	mul_add_c(a[5],b[7],c1,c2,c3);
+	r[12]=c1;
+	c1=0;
+	mul_add_c(a[6],b[7],c2,c3,c1);
+	mul_add_c(a[7],b[6],c2,c3,c1);
+	r[13]=c2;
+	c2=0;
+	mul_add_c(a[7],b[7],c3,c1,c2);
+	r[14]=c3;
+	r[15]=c1;
+	}
+
+void bn_mul_comba44(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	mul_add_c(a[0],b[0],c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	mul_add_c(a[0],b[1],c2,c3,c1);
+	mul_add_c(a[1],b[0],c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	mul_add_c(a[2],b[0],c3,c1,c2);
+	mul_add_c(a[1],b[1],c3,c1,c2);
+	mul_add_c(a[0],b[2],c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	mul_add_c(a[0],b[3],c1,c2,c3);
+	mul_add_c(a[1],b[2],c1,c2,c3);
+	mul_add_c(a[2],b[1],c1,c2,c3);
+	mul_add_c(a[3],b[0],c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	mul_add_c(a[3],b[1],c2,c3,c1);
+	mul_add_c(a[2],b[2],c2,c3,c1);
+	mul_add_c(a[1],b[3],c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	mul_add_c(a[2],b[3],c3,c1,c2);
+	mul_add_c(a[3],b[2],c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	mul_add_c(a[3],b[3],c1,c2,c3);
+	r[6]=c1;
+	r[7]=c2;
+	}
+
+void bn_sqr_comba88(BN_ULONG *r, BN_ULONG *a)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	sqr_add_c(a,0,c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	sqr_add_c2(a,1,0,c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	sqr_add_c(a,1,c3,c1,c2);
+	sqr_add_c2(a,2,0,c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	sqr_add_c2(a,3,0,c1,c2,c3);
+	sqr_add_c2(a,2,1,c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	sqr_add_c(a,2,c2,c3,c1);
+	sqr_add_c2(a,3,1,c2,c3,c1);
+	sqr_add_c2(a,4,0,c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	sqr_add_c2(a,5,0,c3,c1,c2);
+	sqr_add_c2(a,4,1,c3,c1,c2);
+	sqr_add_c2(a,3,2,c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	sqr_add_c(a,3,c1,c2,c3);
+	sqr_add_c2(a,4,2,c1,c2,c3);
+	sqr_add_c2(a,5,1,c1,c2,c3);
+	sqr_add_c2(a,6,0,c1,c2,c3);
+	r[6]=c1;
+	c1=0;
+	sqr_add_c2(a,7,0,c2,c3,c1);
+	sqr_add_c2(a,6,1,c2,c3,c1);
+	sqr_add_c2(a,5,2,c2,c3,c1);
+	sqr_add_c2(a,4,3,c2,c3,c1);
+	r[7]=c2;
+	c2=0;
+	sqr_add_c(a,4,c3,c1,c2);
+	sqr_add_c2(a,5,3,c3,c1,c2);
+	sqr_add_c2(a,6,2,c3,c1,c2);
+	sqr_add_c2(a,7,1,c3,c1,c2);
+	r[8]=c3;
+	c3=0;
+	sqr_add_c2(a,7,2,c1,c2,c3);
+	sqr_add_c2(a,6,3,c1,c2,c3);
+	sqr_add_c2(a,5,4,c1,c2,c3);
+	r[9]=c1;
+	c1=0;
+	sqr_add_c(a,5,c2,c3,c1);
+	sqr_add_c2(a,6,4,c2,c3,c1);
+	sqr_add_c2(a,7,3,c2,c3,c1);
+	r[10]=c2;
+	c2=0;
+	sqr_add_c2(a,7,4,c3,c1,c2);
+	sqr_add_c2(a,6,5,c3,c1,c2);
+	r[11]=c3;
+	c3=0;
+	sqr_add_c(a,6,c1,c2,c3);
+	sqr_add_c2(a,7,5,c1,c2,c3);
+	r[12]=c1;
+	c1=0;
+	sqr_add_c2(a,7,6,c2,c3,c1);
+	r[13]=c2;
+	c2=0;
+	sqr_add_c(a,7,c3,c1,c2);
+	r[14]=c3;
+	r[15]=c1;
+	}
+
+void bn_sqr_comba44(BN_ULONG *r, BN_ULONG *a)
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+	c1=0;
+	c2=0;
+	c3=0;
+	sqr_add_c(a,0,c1,c2,c3);
+	r[0]=c1;
+	c1=0;
+	sqr_add_c2(a,1,0,c2,c3,c1);
+	r[1]=c2;
+	c2=0;
+	sqr_add_c(a,1,c3,c1,c2);
+	sqr_add_c2(a,2,0,c3,c1,c2);
+	r[2]=c3;
+	c3=0;
+	sqr_add_c2(a,3,0,c1,c2,c3);
+	sqr_add_c2(a,2,1,c1,c2,c3);
+	r[3]=c1;
+	c1=0;
+	sqr_add_c(a,2,c2,c3,c1);
+	sqr_add_c2(a,3,1,c2,c3,c1);
+	r[4]=c2;
+	c2=0;
+	sqr_add_c2(a,3,2,c3,c1,c2);
+	r[5]=c3;
+	c3=0;
+	sqr_add_c(a,3,c1,c2,c3);
+	r[6]=c1;
+	r[7]=c2;
+	}
diff --git a/crypto/openssl/crypto/bn/bn_ctx.c b/crypto/openssl/crypto/bn/bn_ctx.c
new file mode 100644
index 0000000..46132fd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_ctx.c
@@ -0,0 +1,144 @@
+/* crypto/bn/bn_ctx.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef BN_CTX_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+
+
+BN_CTX *BN_CTX_new(void)
+	{
+	BN_CTX *ret;
+
+	ret=(BN_CTX *)Malloc(sizeof(BN_CTX));
+	if (ret == NULL)
+		{
+		BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	BN_CTX_init(ret);
+	ret->flags=BN_FLG_MALLOCED;
+	return(ret);
+	}
+
+void BN_CTX_init(BN_CTX *ctx)
+	{
+	int i;
+	ctx->tos = 0;
+	ctx->flags = 0;
+	ctx->depth = 0;
+	ctx->too_many = 0;
+	for (i = 0; i < BN_CTX_NUM; i++)
+		BN_init(&(ctx->bn[i]));
+	}
+
+void BN_CTX_free(BN_CTX *ctx)
+	{
+	int i;
+
+	if (ctx == NULL) return;
+	assert(ctx->depth == 0);
+
+	for (i=0; i < BN_CTX_NUM; i++)
+		BN_clear_free(&(ctx->bn[i]));
+	if (ctx->flags & BN_FLG_MALLOCED)
+		Free(ctx);
+	}
+
+void BN_CTX_start(BN_CTX *ctx)
+	{
+	if (ctx->depth < BN_CTX_NUM_POS)
+		ctx->pos[ctx->depth] = ctx->tos;
+	ctx->depth++;
+	}
+
+BIGNUM *BN_CTX_get(BN_CTX *ctx)
+	{
+	if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM)
+		{
+		if (!ctx->too_many)
+			{
+			BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+			/* disable error code until BN_CTX_end is called: */
+			ctx->too_many = 1;
+			}
+		return NULL;
+		}
+	return (&(ctx->bn[ctx->tos++]));
+	}
+
+void BN_CTX_end(BN_CTX *ctx)
+	{
+	if (ctx == NULL) return;
+	assert(ctx->depth > 0);
+	if (ctx->depth == 0)
+		/* should never happen, but we can tolerate it if not in
+		 * debug mode (could be a 'goto err' in the calling function
+		 * before BN_CTX_start was reached) */
+		BN_CTX_start(ctx);
+
+	ctx->too_many = 0;
+	ctx->depth--;
+	if (ctx->depth < BN_CTX_NUM_POS)
+		ctx->tos = ctx->pos[ctx->depth];
+	}
diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
new file mode 100644
index 0000000..07af1d3
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_div.c
@@ -0,0 +1,380 @@
+/* crypto/bn/bn_div.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* The old slow way */
+#if 0
+int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+	   BN_CTX *ctx)
+	{
+	int i,nm,nd;
+	int ret = 0;
+	BIGNUM *D;
+
+	bn_check_top(m);
+	bn_check_top(d);
+	if (BN_is_zero(d))
+		{
+		BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
+		return(0);
+		}
+
+	if (BN_ucmp(m,d) < 0)
+		{
+		if (rem != NULL)
+			{ if (BN_copy(rem,m) == NULL) return(0); }
+		if (dv != NULL) BN_zero(dv);
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	D = BN_CTX_get(ctx);
+	if (dv == NULL) dv = BN_CTX_get(ctx);
+	if (rem == NULL) rem = BN_CTX_get(ctx);
+	if (D == NULL || dv == NULL || rem == NULL)
+		goto end;
+
+	nd=BN_num_bits(d);
+	nm=BN_num_bits(m);
+	if (BN_copy(D,d) == NULL) goto end;
+	if (BN_copy(rem,m) == NULL) goto end;
+
+	/* The next 2 are needed so we can do a dv->d[0]|=1 later
+	 * since BN_lshift1 will only work once there is a value :-) */
+	BN_zero(dv);
+	bn_wexpand(dv,1);
+	dv->top=1;
+
+	if (!BN_lshift(D,D,nm-nd)) goto end;
+	for (i=nm-nd; i>=0; i--)
+		{
+		if (!BN_lshift1(dv,dv)) goto end;
+		if (BN_ucmp(rem,D) >= 0)
+			{
+			dv->d[0]|=1;
+			if (!BN_usub(rem,rem,D)) goto end;
+			}
+/* CAN IMPROVE (and have now :=) */
+		if (!BN_rshift1(D,D)) goto end;
+		}
+	rem->neg=BN_is_zero(rem)?0:m->neg;
+	dv->neg=m->neg^d->neg;
+	ret = 1;
+ end:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+#else
+
+#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
+# if defined(__GNUC__) && __GNUC__>=2
+#  if defined(__i386)
+   /*
+    * There were two reasons for implementing this template:
+    * - GNU C generates a call to a function (__udivdi3 to be exact)
+    *   in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
+    *   understand why...);
+    * - divl doesn't only calculate quotient, but also leaves
+    *   remainder in %edx which we can definitely use here:-)
+    *
+    *					<appro@fy.chalmers.se>
+    */
+#  define bn_div_words(n0,n1,d0)		\
+	({  asm volatile (			\
+		"divl	%4"			\
+		: "=a"(q), "=d"(rem)		\
+		: "a"(n1), "d"(n0), "g"(d0)	\
+		: "cc");			\
+	    q;					\
+	})
+#  define REMAINDER_IS_ALREADY_CALCULATED
+#  endif /* __<cpu> */
+# endif /* __GNUC__ */
+#endif /* NO_ASM */
+
+int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+	   BN_CTX *ctx)
+	{
+	int norm_shift,i,j,loop;
+	BIGNUM *tmp,wnum,*snum,*sdiv,*res;
+	BN_ULONG *resp,*wnump;
+	BN_ULONG d0,d1;
+	int num_n,div_n;
+
+	bn_check_top(num);
+	bn_check_top(divisor);
+
+	if (BN_is_zero(divisor))
+		{
+		BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
+		return(0);
+		}
+
+	if (BN_ucmp(num,divisor) < 0)
+		{
+		if (rm != NULL)
+			{ if (BN_copy(rm,num) == NULL) return(0); }
+		if (dv != NULL) BN_zero(dv);
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	tmp=BN_CTX_get(ctx);
+	tmp->neg=0;
+	snum=BN_CTX_get(ctx);
+	sdiv=BN_CTX_get(ctx);
+	if (dv == NULL)
+		res=BN_CTX_get(ctx);
+	else	res=dv;
+	if (res == NULL) goto err;
+
+	/* First we normalise the numbers */
+	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
+	BN_lshift(sdiv,divisor,norm_shift);
+	sdiv->neg=0;
+	norm_shift+=BN_BITS2;
+	BN_lshift(snum,num,norm_shift);
+	snum->neg=0;
+	div_n=sdiv->top;
+	num_n=snum->top;
+	loop=num_n-div_n;
+
+	/* Lets setup a 'window' into snum
+	 * This is the part that corresponds to the current
+	 * 'area' being divided */
+	BN_init(&wnum);
+	wnum.d=	 &(snum->d[loop]);
+	wnum.top= div_n;
+	wnum.max= snum->max+1; /* a bit of a lie */
+
+	/* Get the top 2 words of sdiv */
+	/* i=sdiv->top; */
+	d0=sdiv->d[div_n-1];
+	d1=(div_n == 1)?0:sdiv->d[div_n-2];
+
+	/* pointer to the 'top' of snum */
+	wnump= &(snum->d[num_n-1]);
+
+	/* Setup to 'res' */
+	res->neg= (num->neg^divisor->neg);
+	if (!bn_wexpand(res,(loop+1))) goto err;
+	res->top=loop;
+	resp= &(res->d[loop-1]);
+
+	/* space for temp */
+	if (!bn_wexpand(tmp,(div_n+1))) goto err;
+
+	if (BN_ucmp(&wnum,sdiv) >= 0)
+		{
+		if (!BN_usub(&wnum,&wnum,sdiv)) goto err;
+		*resp=1;
+		res->d[res->top-1]=1;
+		}
+	else
+		res->top--;
+	resp--;
+
+	for (i=0; i<loop-1; i++)
+		{
+		BN_ULONG q,l0;
+#ifdef BN_DIV3W
+		q=bn_div_3_words(wnump,d1,d0);
+#else
+		BN_ULONG n0,n1,rem=0;
+
+		n0=wnump[0];
+		n1=wnump[-1];
+		if (n0 == d0)
+			q=BN_MASK2;
+		else 			/* n0 < d0 */
+			{
+#ifdef BN_LLONG
+			BN_ULLONG t2;
+
+#if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
+			q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
+#else
+			q=bn_div_words(n0,n1,d0);
+#endif
+
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+			/*
+			 * rem doesn't have to be BN_ULLONG. The least we
+			 * know it's less that d0, isn't it?
+			 */
+			rem=(n1-q*d0)&BN_MASK2;
+#endif
+			t2=(BN_ULLONG)d1*q;
+
+			for (;;)
+				{
+				if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
+					break;
+				q--;
+				rem += d0;
+				if (rem < d0) break; /* don't let rem overflow */
+				t2 -= d1;
+				}
+#else /* !BN_LLONG */
+			BN_ULONG t2l,t2h,ql,qh;
+
+			q=bn_div_words(n0,n1,d0);
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+			rem=(n1-q*d0)&BN_MASK2;
+#endif
+
+#ifdef BN_UMULT_HIGH
+			t2l = d1 * q;
+			t2h = BN_UMULT_HIGH(d1,q);
+#else
+			t2l=LBITS(d1); t2h=HBITS(d1);
+			ql =LBITS(q);  qh =HBITS(q);
+			mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
+#endif
+
+			for (;;)
+				{
+				if ((t2h < rem) ||
+					((t2h == rem) && (t2l <= wnump[-2])))
+					break;
+				q--;
+				rem += d0;
+				if (rem < d0) break; /* don't let rem overflow */
+				if (t2l < d1) t2h--; t2l -= d1;
+				}
+#endif /* !BN_LLONG */
+			}
+#endif /* !BN_DIV3W */
+
+		l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
+		wnum.d--; wnum.top++;
+		tmp->d[div_n]=l0;
+		for (j=div_n+1; j>0; j--)
+			if (tmp->d[j-1]) break;
+		tmp->top=j;
+
+		j=wnum.top;
+		BN_sub(&wnum,&wnum,tmp);
+
+		snum->top=snum->top+wnum.top-j;
+
+		if (wnum.neg)
+			{
+			q--;
+			j=wnum.top;
+			BN_add(&wnum,&wnum,sdiv);
+			snum->top+=wnum.top-j;
+			}
+		*(resp--)=q;
+		wnump--;
+		}
+	if (rm != NULL)
+		{
+		BN_rshift(rm,snum,norm_shift);
+		rm->neg=num->neg;
+		}
+	BN_CTX_end(ctx);
+	return(1);
+err:
+	BN_CTX_end(ctx);
+	return(0);
+	}
+
+#endif
+
+/* rem != m */
+int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
+	{
+#if 0 /* The old slow way */
+	int i,nm,nd;
+	BIGNUM *dv;
+
+	if (BN_ucmp(m,d) < 0)
+		return((BN_copy(rem,m) == NULL)?0:1);
+
+	BN_CTX_start(ctx);
+	dv=BN_CTX_get(ctx);
+
+	if (!BN_copy(rem,m)) goto err;
+
+	nm=BN_num_bits(rem);
+	nd=BN_num_bits(d);
+	if (!BN_lshift(dv,d,nm-nd)) goto err;
+	for (i=nm-nd; i>=0; i--)
+		{
+		if (BN_cmp(rem,dv) >= 0)
+			{
+			if (!BN_sub(rem,rem,dv)) goto err;
+			}
+		if (!BN_rshift1(dv,dv)) goto err;
+		}
+	BN_CTX_end(ctx);
+	return(1);
+ err:
+	BN_CTX_end(ctx);
+	return(0);
+#else
+	return(BN_div(NULL,rem,m,d,ctx));
+#endif
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c
new file mode 100644
index 0000000..988270b
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_err.c
@@ -0,0 +1,119 @@
+/* crypto/bn/bn_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA BN_str_functs[]=
+	{
+{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),	"BN_BLINDING_convert"},
+{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0),	"BN_BLINDING_invert"},
+{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0),	"BN_BLINDING_new"},
+{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0),	"BN_BLINDING_update"},
+{ERR_PACK(0,BN_F_BN_BN2DEC,0),	"BN_bn2dec"},
+{ERR_PACK(0,BN_F_BN_BN2HEX,0),	"BN_bn2hex"},
+{ERR_PACK(0,BN_F_BN_CTX_GET,0),	"BN_CTX_get"},
+{ERR_PACK(0,BN_F_BN_CTX_NEW,0),	"BN_CTX_new"},
+{ERR_PACK(0,BN_F_BN_DIV,0),	"BN_div"},
+{ERR_PACK(0,BN_F_BN_EXPAND2,0),	"bn_expand2"},
+{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),	"BN_mod_exp_mont"},
+{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),	"BN_mod_inverse"},
+{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),	"BN_mod_mul_reciprocal"},
+{ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
+{ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
+{ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
+{ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA BN_str_reasons[]=
+	{
+{BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
+{BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
+{BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
+{BN_R_DIV_BY_ZERO                        ,"div by zero"},
+{BN_R_ENCODING_ERROR                     ,"encoding error"},
+{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
+{BN_R_INVALID_LENGTH                     ,"invalid length"},
+{BN_R_NOT_INITIALIZED                    ,"not initialized"},
+{BN_R_NO_INVERSE                         ,"no inverse"},
+{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_BN_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_BN,BN_str_functs);
+		ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c
new file mode 100644
index 0000000..0c11601
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_exp.c
@@ -0,0 +1,749 @@
+/* crypto/bn/bn_exp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+#ifdef ATALLA
+# include <alloca.h>
+# include <atasi.h>
+# include <assert.h>
+# include <dlfcn.h>
+#endif
+
+#define TABLE_SIZE	16
+
+/* slow but works */
+int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
+	{
+	BIGNUM *t;
+	int r=0;
+
+	bn_check_top(a);
+	bn_check_top(b);
+	bn_check_top(m);
+
+	BN_CTX_start(ctx);
+	if ((t = BN_CTX_get(ctx)) == NULL) goto err;
+	if (a == b)
+		{ if (!BN_sqr(t,a,ctx)) goto err; }
+	else
+		{ if (!BN_mul(t,a,b,ctx)) goto err; }
+	if (!BN_mod(ret,t,m,ctx)) goto err;
+	r=1;
+err:
+	BN_CTX_end(ctx);
+	return(r);
+	}
+
+#if 0
+/* this one works - simple but works */
+int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, BN_CTX *ctx)
+	{
+	int i,bits,ret=0;
+	BIGNUM *v,*tmp;
+
+	BN_CTX_start(ctx);
+	v = BN_CTX_get(ctx);
+	tmp = BN_CTX_get(ctx);
+	if (v == NULL || tmp == NULL) goto err;
+
+	if (BN_copy(v,a) == NULL) goto err;
+	bits=BN_num_bits(p);
+
+	if (BN_is_odd(p))
+		{ if (BN_copy(r,a) == NULL) goto err; }
+	else	{ if (!BN_one(r)) goto err; }
+
+	for (i=1; i<bits; i++)
+		{
+		if (!BN_sqr(tmp,v,ctx)) goto err;
+		if (!BN_mod(v,tmp,m,ctx)) goto err;
+		if (BN_is_bit_set(p,i))
+			{
+			if (!BN_mul(tmp,r,v,ctx)) goto err;
+			if (!BN_mod(r,tmp,m,ctx)) goto err;
+			}
+		}
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+#endif
+
+/* this one works - simple but works */
+int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
+	{
+	int i,bits,ret=0;
+	BIGNUM *v,*rr;
+
+	BN_CTX_start(ctx);
+	if ((r == a) || (r == p))
+		rr = BN_CTX_get(ctx);
+	else
+		rr = r;
+	if ((v = BN_CTX_get(ctx)) == NULL) goto err;
+
+	if (BN_copy(v,a) == NULL) goto err;
+	bits=BN_num_bits(p);
+
+	if (BN_is_odd(p))
+		{ if (BN_copy(rr,a) == NULL) goto err; }
+	else	{ if (!BN_one(rr)) goto err; }
+
+	for (i=1; i<bits; i++)
+		{
+		if (!BN_sqr(v,v,ctx)) goto err;
+		if (BN_is_bit_set(p,i))
+			{
+			if (!BN_mul(rr,rr,v,ctx)) goto err;
+			}
+		}
+	ret=1;
+err:
+	if (r != rr) BN_copy(r,rr);
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+#ifdef ATALLA
+
+/*
+ * This routine will dynamically check for the existance of an Atalla AXL-200
+ * SSL accelerator module.  If one is found, the variable
+ * asi_accelerator_present is set to 1 and the function pointers
+ * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
+ */
+typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
+					    unsigned int *ret_buf);
+typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
+typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
+				     unsigned char *output,
+				     unsigned char *input,
+				     unsigned int modulus_len);
+
+static tfnASI_GetHardwareConfig *ptr_ASI_GetHardwareConfig;
+static tfnASI_RSAPrivateKeyOpFn *ptr_ASI_RSAPrivateKeyOpFn;
+static tfnASI_GetPerformanceStatistics *ptr_ASI_GetPerformanceStatistics;
+static int asi_accelerator_present;
+static int tried_atalla;
+
+void atalla_initialize_accelerator_handle(void)
+	{
+	void *dl_handle;
+	int status;
+	unsigned int config_buf[1024]; 
+	static int tested;
+
+	if(tested)
+		return;
+
+	tested=1;
+
+	bzero((void *)config_buf, 1024);
+
+	/*
+	 * Check to see if the library is present on the system
+	 */
+	dl_handle = dlopen("atasi.so", RTLD_NOW);
+	if (dl_handle == (void *) NULL)
+		{
+/*		printf("atasi.so library is not present on the system\n");
+		printf("No HW acceleration available\n");*/
+		return;
+	        }
+
+	/*
+	 * The library is present.  Now we'll check to insure that the
+	 * LDM is up and running. First we'll get the address of the
+	 * function in the atasi library that we need to see if the
+	 * LDM is operating.
+	 */
+
+	ptr_ASI_GetHardwareConfig =
+	  (tfnASI_GetHardwareConfig *)dlsym(dl_handle,"ASI_GetHardwareConfig");
+
+	if (ptr_ASI_GetHardwareConfig)
+		{
+		/*
+		 * We found the call, now we'll get our config
+		 * status.  If we get a non 0 result, the LDM is not
+		 * running and we cannot use the Atalla ASI *
+		 * library.
+		 */
+		status = (*ptr_ASI_GetHardwareConfig)(0L, config_buf);
+		if (status != 0)
+			{
+			printf("atasi.so library is present but not initialized\n");
+			printf("No HW acceleration available\n");
+			return;
+			}    
+	        }
+	else
+		{
+/*		printf("We found the library, but not the function. Very Strange!\n");*/
+		return ;
+	      	}
+
+	/* 
+	 * It looks like we have acceleration capabilities.  Load up the
+	 * pointers to our ASI API calls.
+	 */
+	ptr_ASI_RSAPrivateKeyOpFn=
+	  (tfnASI_RSAPrivateKeyOpFn *)dlsym(dl_handle, "ASI_RSAPrivateKeyOpFn");
+	if (ptr_ASI_RSAPrivateKeyOpFn == NULL)
+		{
+/*		printf("We found the library, but no RSA function. Very Strange!\n");*/
+		return;
+	        }
+
+	ptr_ASI_GetPerformanceStatistics =
+	  (tfnASI_GetPerformanceStatistics *)dlsym(dl_handle, "ASI_GetPerformanceStatistics");
+	if (ptr_ASI_GetPerformanceStatistics == NULL)
+		{
+/*		printf("We found the library, but no stat function. Very Strange!\n");*/
+		return;
+	      }
+
+	/*
+	 * Indicate that acceleration is available
+	 */
+	asi_accelerator_present = 1;
+
+/*	printf("This system has acceleration!\n");*/
+
+	return;
+	}
+
+/* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
+int BN_mod_exp_atalla(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m)
+	{
+	unsigned char *abin;
+	unsigned char *pbin;
+	unsigned char *mbin;
+	unsigned char *rbin;
+	int an,pn,mn,ret;
+	RSAPrivateKey keydata;
+
+	atalla_initialize_accelerator_handle();
+	if(!asi_accelerator_present)
+		return 0;
+
+
+/* We should be able to run without size testing */
+# define ASIZE	128
+	an=BN_num_bytes(a);
+	pn=BN_num_bytes(p);
+	mn=BN_num_bytes(m);
+
+	if(an <= ASIZE && pn <= ASIZE && mn <= ASIZE)
+	    {
+	    int size=mn;
+
+	    assert(an <= mn);
+	    abin=alloca(size);
+	    memset(abin,'\0',mn);
+	    BN_bn2bin(a,abin+size-an);
+
+	    pbin=alloca(pn);
+	    BN_bn2bin(p,pbin);
+
+	    mbin=alloca(size);
+	    memset(mbin,'\0',mn);
+	    BN_bn2bin(m,mbin+size-mn);
+
+	    rbin=alloca(size);
+
+	    memset(&keydata,'\0',sizeof keydata);
+	    keydata.privateExponent.data=pbin;
+	    keydata.privateExponent.len=pn;
+	    keydata.modulus.data=mbin;
+	    keydata.modulus.len=size;
+
+	    ret=(*ptr_ASI_RSAPrivateKeyOpFn)(&keydata,rbin,abin,keydata.modulus.len);
+/*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
+	    if(!ret)
+	        {
+		BN_bin2bn(rbin,keydata.modulus.len,r);
+/*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
+		return 1;
+	        }
+	    }
+	return 0;
+        }
+#endif /* def ATALLA */
+
+int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+	       BN_CTX *ctx)
+	{
+	int ret;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	bn_check_top(m);
+
+#ifdef ATALLA
+	if(BN_mod_exp_atalla(r,a,p,m))
+	    return 1;
+/* If it fails, try the other methods (but don't try atalla again) */
+	tried_atalla=1;
+#endif
+
+#ifdef MONT_MUL_MOD
+	/* I have finally been able to take out this pre-condition of
+	 * the top bit being set.  It was caused by an error in BN_div
+	 * with negatives.  There was also another problem when for a^b%m
+	 * a >= m.  eay 07-May-97 */
+/*	if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */
+
+	if (BN_is_odd(m))
+		{ ret=BN_mod_exp_mont(r,a,p,m,ctx,NULL); }
+	else
+#endif
+#ifdef RECP_MUL_MOD
+		{ ret=BN_mod_exp_recp(r,a,p,m,ctx); }
+#else
+		{ ret=BN_mod_exp_simple(r,a,p,m,ctx); }
+#endif
+
+#ifdef ATALLA
+	tried_atalla=0;
+#endif
+
+	return(ret);
+	}
+
+/* #ifdef RECP_MUL_MOD */
+int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		    const BIGNUM *m, BN_CTX *ctx)
+	{
+	int i,j,bits,ret=0,wstart,wend,window,wvalue;
+	int start=1,ts=0;
+	BIGNUM *aa;
+	BIGNUM val[TABLE_SIZE];
+	BN_RECP_CTX recp;
+
+	bits=BN_num_bits(p);
+
+	if (bits == 0)
+		{
+		BN_one(r);
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	if ((aa = BN_CTX_get(ctx)) == NULL) goto err;
+
+	BN_RECP_CTX_init(&recp);
+	if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
+
+	BN_init(&(val[0]));
+	ts=1;
+
+	if (!BN_mod(&(val[0]),a,m,ctx)) goto err;		/* 1 */
+	if (!BN_mod_mul_reciprocal(aa,&(val[0]),&(val[0]),&recp,ctx))
+		goto err;				/* 2 */
+
+	if (bits <= 17) /* This is probably 3 or 0x10001, so just do singles */
+		window=1;
+	else if (bits >= 256)
+		window=5;	/* max size of window */
+	else if (bits >= 128)
+		window=4;
+	else
+		window=3;
+
+	j=1<<(window-1);
+	for (i=1; i<j; i++)
+		{
+		BN_init(&val[i]);
+		if (!BN_mod_mul_reciprocal(&(val[i]),&(val[i-1]),aa,&recp,ctx))
+			goto err;
+		}
+	ts=i;
+
+	start=1;	/* This is used to avoid multiplication etc
+			 * when there is only the value '1' in the
+			 * buffer. */
+	wvalue=0;	/* The 'value' of the window */
+	wstart=bits-1;	/* The top bit of the window */
+	wend=0;		/* The bottom bit of the window */
+
+	if (!BN_one(r)) goto err;
+
+	for (;;)
+		{
+		if (BN_is_bit_set(p,wstart) == 0)
+			{
+			if (!start)
+				if (!BN_mod_mul_reciprocal(r,r,r,&recp,ctx))
+				goto err;
+			if (wstart == 0) break;
+			wstart--;
+			continue;
+			}
+		/* We now have wstart on a 'set' bit, we now need to work out
+		 * how bit a window to do.  To do this we need to scan
+		 * forward until the last set bit before the end of the
+		 * window */
+		j=wstart;
+		wvalue=1;
+		wend=0;
+		for (i=1; i<window; i++)
+			{
+			if (wstart-i < 0) break;
+			if (BN_is_bit_set(p,wstart-i))
+				{
+				wvalue<<=(i-wend);
+				wvalue|=1;
+				wend=i;
+				}
+			}
+
+		/* wend is the size of the current window */
+		j=wend+1;
+		/* add the 'bytes above' */
+		if (!start)
+			for (i=0; i<j; i++)
+				{
+				if (!BN_mod_mul_reciprocal(r,r,r,&recp,ctx))
+					goto err;
+				}
+		
+		/* wvalue will be an odd number < 2^window */
+		if (!BN_mod_mul_reciprocal(r,r,&(val[wvalue>>1]),&recp,ctx))
+			goto err;
+
+		/* move the 'window' down further */
+		wstart-=wend+1;
+		wvalue=0;
+		start=0;
+		if (wstart < 0) break;
+		}
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	for (i=0; i<ts; i++)
+		BN_clear_free(&(val[i]));
+	BN_RECP_CTX_free(&recp);
+	return(ret);
+	}
+/* #endif */
+
+/* #ifdef MONT_MUL_MOD */
+int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
+		    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	int i,j,bits,ret=0,wstart,wend,window,wvalue;
+	int start=1,ts=0;
+	BIGNUM *d,*r;
+	BIGNUM *aa;
+	BIGNUM val[TABLE_SIZE];
+	BN_MONT_CTX *mont=NULL;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	bn_check_top(m);
+
+#ifdef ATALLA
+	if(!tried_atalla && BN_mod_exp_atalla(rr,a,p,m))
+	    return 1;
+/* If it fails, try the other methods */
+#endif
+
+	if (!(m->d[0] & 1))
+		{
+		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
+		return(0);
+		}
+	bits=BN_num_bits(p);
+	if (bits == 0)
+		{
+		BN_one(rr);
+		return(1);
+		}
+	BN_CTX_start(ctx);
+	d = BN_CTX_get(ctx);
+	r = BN_CTX_get(ctx);
+	if (d == NULL || r == NULL) goto err;
+
+	/* If this is not done, things will break in the montgomery
+	 * part */
+
+#if 1
+	if (in_mont != NULL)
+		mont=in_mont;
+	else
+#endif
+		{
+		if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+		}
+
+	BN_init(&val[0]);
+	ts=1;
+	if (BN_ucmp(a,m) >= 0)
+		{
+		BN_mod(&(val[0]),a,m,ctx);
+		aa= &(val[0]);
+		}
+	else
+		aa=a;
+	if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */
+	if (!BN_mod_mul_montgomery(d,&(val[0]),&(val[0]),mont,ctx)) goto err; /* 2 */
+
+	if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
+		window=1;
+	else if (bits >= 256)
+		window=5;	/* max size of window */
+	else if (bits >= 128)
+		window=4;
+	else
+		window=3;
+
+	j=1<<(window-1);
+	for (i=1; i<j; i++)
+		{
+		BN_init(&(val[i]));
+		if (!BN_mod_mul_montgomery(&(val[i]),&(val[i-1]),d,mont,ctx))
+			goto err;
+		}
+	ts=i;
+
+	start=1;	/* This is used to avoid multiplication etc
+			 * when there is only the value '1' in the
+			 * buffer. */
+	wvalue=0;	/* The 'value' of the window */
+	wstart=bits-1;	/* The top bit of the window */
+	wend=0;		/* The bottom bit of the window */
+
+        if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+	for (;;)
+		{
+		if (BN_is_bit_set(p,wstart) == 0)
+			{
+			if (!start)
+				{
+				if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+				goto err;
+				}
+			if (wstart == 0) break;
+			wstart--;
+			continue;
+			}
+		/* We now have wstart on a 'set' bit, we now need to work out
+		 * how bit a window to do.  To do this we need to scan
+		 * forward until the last set bit before the end of the
+		 * window */
+		j=wstart;
+		wvalue=1;
+		wend=0;
+		for (i=1; i<window; i++)
+			{
+			if (wstart-i < 0) break;
+			if (BN_is_bit_set(p,wstart-i))
+				{
+				wvalue<<=(i-wend);
+				wvalue|=1;
+				wend=i;
+				}
+			}
+
+		/* wend is the size of the current window */
+		j=wend+1;
+		/* add the 'bytes above' */
+		if (!start)
+			for (i=0; i<j; i++)
+				{
+				if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+					goto err;
+				}
+		
+		/* wvalue will be an odd number < 2^window */
+		if (!BN_mod_mul_montgomery(r,r,&(val[wvalue>>1]),mont,ctx))
+			goto err;
+
+		/* move the 'window' down further */
+		wstart-=wend+1;
+		wvalue=0;
+		start=0;
+		if (wstart < 0) break;
+		}
+	BN_from_montgomery(rr,r,mont,ctx);
+	ret=1;
+err:
+	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+	BN_CTX_end(ctx);
+	for (i=0; i<ts; i++)
+		BN_clear_free(&(val[i]));
+	return(ret);
+	}
+/* #endif */
+
+/* The old fallback, simple version :-) */
+int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
+	     BN_CTX *ctx)
+	{
+	int i,j,bits,ret=0,wstart,wend,window,wvalue,ts=0;
+	int start=1;
+	BIGNUM *d;
+	BIGNUM val[TABLE_SIZE];
+
+	bits=BN_num_bits(p);
+
+	if (bits == 0)
+		{
+		BN_one(r);
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	if ((d = BN_CTX_get(ctx)) == NULL) goto err;
+
+	BN_init(&(val[0]));
+	ts=1;
+	if (!BN_mod(&(val[0]),a,m,ctx)) goto err;		/* 1 */
+	if (!BN_mod_mul(d,&(val[0]),&(val[0]),m,ctx))
+		goto err;				/* 2 */
+
+	if (bits <= 17) /* This is probably 3 or 0x10001, so just do singles */
+		window=1;
+	else if (bits >= 256)
+		window=5;	/* max size of window */
+	else if (bits >= 128)
+		window=4;
+	else
+		window=3;
+
+	j=1<<(window-1);
+	for (i=1; i<j; i++)
+		{
+		BN_init(&(val[i]));
+		if (!BN_mod_mul(&(val[i]),&(val[i-1]),d,m,ctx))
+			goto err;
+		}
+	ts=i;
+
+	start=1;	/* This is used to avoid multiplication etc
+			 * when there is only the value '1' in the
+			 * buffer. */
+	wvalue=0;	/* The 'value' of the window */
+	wstart=bits-1;	/* The top bit of the window */
+	wend=0;		/* The bottom bit of the window */
+
+	if (!BN_one(r)) goto err;
+
+	for (;;)
+		{
+		if (BN_is_bit_set(p,wstart) == 0)
+			{
+			if (!start)
+				if (!BN_mod_mul(r,r,r,m,ctx))
+				goto err;
+			if (wstart == 0) break;
+			wstart--;
+			continue;
+			}
+		/* We now have wstart on a 'set' bit, we now need to work out
+		 * how bit a window to do.  To do this we need to scan
+		 * forward until the last set bit before the end of the
+		 * window */
+		j=wstart;
+		wvalue=1;
+		wend=0;
+		for (i=1; i<window; i++)
+			{
+			if (wstart-i < 0) break;
+			if (BN_is_bit_set(p,wstart-i))
+				{
+				wvalue<<=(i-wend);
+				wvalue|=1;
+				wend=i;
+				}
+			}
+
+		/* wend is the size of the current window */
+		j=wend+1;
+		/* add the 'bytes above' */
+		if (!start)
+			for (i=0; i<j; i++)
+				{
+				if (!BN_mod_mul(r,r,r,m,ctx))
+					goto err;
+				}
+		
+		/* wvalue will be an odd number < 2^window */
+		if (!BN_mod_mul(r,r,&(val[wvalue>>1]),m,ctx))
+			goto err;
+
+		/* move the 'window' down further */
+		wstart-=wend+1;
+		wvalue=0;
+		start=0;
+		if (wstart < 0) break;
+		}
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	for (i=0; i<ts; i++)
+		BN_clear_free(&(val[i]));
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_exp2.c b/crypto/openssl/crypto/bn/bn_exp2.c
new file mode 100644
index 0000000..4f4e9e3
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_exp2.c
@@ -0,0 +1,199 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* I've done some timing with different table sizes.
+ * The main hassle is that even with bits set at 3, this requires
+ * 63 BIGNUMs to store the pre-calculated values.
+ *          512   1024 
+ * bits=1  75.4%  79.4%
+ * bits=2  61.2%  62.4%
+ * bits=3  61.3%  59.3%
+ * The lack of speed improvement is also a function of the pre-calculation
+ * which could be removed.
+ */
+#define EXP2_TABLE_BITS	2 /* 1  2  3  4  5  */
+#define EXP2_TABLE_SIZE	4 /* 2  4  8 16 32  */
+
+int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
+	     BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	int i,j,k,bits,bits1,bits2,ret=0,wstart,wend,window,xvalue,yvalue;
+	int start=1,ts=0,x,y;
+	BIGNUM *d,*aa1,*aa2,*r;
+	BIGNUM val[EXP2_TABLE_SIZE][EXP2_TABLE_SIZE];
+	BN_MONT_CTX *mont=NULL;
+
+	bn_check_top(a1);
+	bn_check_top(p1);
+	bn_check_top(a2);
+	bn_check_top(p2);
+	bn_check_top(m);
+
+	if (!(m->d[0] & 1))
+		{
+		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
+		return(0);
+		}
+	bits1=BN_num_bits(p1);
+	bits2=BN_num_bits(p2);
+	if ((bits1 == 0) && (bits2 == 0))
+		{
+		BN_one(rr);
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	d = BN_CTX_get(ctx);
+	r = BN_CTX_get(ctx);
+	if (d == NULL || r == NULL) goto err;
+
+	bits=(bits1 > bits2)?bits1:bits2;
+
+	/* If this is not done, things will break in the montgomery
+	 * part */
+
+	if (in_mont != NULL)
+		mont=in_mont;
+	else
+		{
+		if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+		}
+
+	BN_init(&(val[0][0]));
+	BN_init(&(val[1][1]));
+	BN_init(&(val[0][1]));
+	BN_init(&(val[1][0]));
+	ts=1;
+	if (BN_ucmp(a1,m) >= 0)
+		{
+		BN_mod(&(val[1][0]),a1,m,ctx);
+		aa1= &(val[1][0]);
+		}
+	else
+		aa1=a1;
+	if (BN_ucmp(a2,m) >= 0)
+		{
+		BN_mod(&(val[0][1]),a2,m,ctx);
+		aa2= &(val[0][1]);
+		}
+	else
+		aa2=a2;
+	if (!BN_to_montgomery(&(val[1][0]),aa1,mont,ctx)) goto err;
+	if (!BN_to_montgomery(&(val[0][1]),aa2,mont,ctx)) goto err;
+	if (!BN_mod_mul_montgomery(&(val[1][1]),
+		&(val[1][0]),&(val[0][1]),mont,ctx))
+		goto err;
+
+#if 0
+	if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
+		window=1;
+	else if (bits > 250)
+		window=5;	/* max size of window */
+	else if (bits >= 120)
+		window=4;
+	else
+		window=3;
+#else
+	window=EXP2_TABLE_BITS;
+#endif
+
+	k=1<<window;
+	for (x=0; x<k; x++)
+		{
+		if (x >= 2)
+			{
+			BN_init(&(val[x][0]));
+			BN_init(&(val[x][1]));
+			if (!BN_mod_mul_montgomery(&(val[x][0]),
+				&(val[1][0]),&(val[x-1][0]),mont,ctx)) goto err;
+			if (!BN_mod_mul_montgomery(&(val[x][1]),
+				&(val[1][0]),&(val[x-1][1]),mont,ctx)) goto err;
+			}
+		for (y=2; y<k; y++)
+			{
+			BN_init(&(val[x][y]));
+			if (!BN_mod_mul_montgomery(&(val[x][y]),
+				&(val[x][y-1]),&(val[0][1]),mont,ctx))
+				goto err;
+			}
+		}
+	ts=k;
+
+	start=1;	/* This is used to avoid multiplication etc
+			 * when there is only the value '1' in the
+			 * buffer. */
+	xvalue=0;	/* The 'x value' of the window */
+	yvalue=0;	/* The 'y value' of the window */
+	wstart=bits-1;	/* The top bit of the window */
+	wend=0;		/* The bottom bit of the window */
+
+        if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+	for (;;)
+		{
+		xvalue=BN_is_bit_set(p1,wstart);
+		yvalue=BN_is_bit_set(p2,wstart);
+		if (!(xvalue || yvalue))
+			{
+			if (!start)
+				{
+				if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+					goto err;
+				}
+			wstart--;
+			if (wstart < 0) break;
+			continue;
+			}
+		/* We now have wstart on a 'set' bit, we now need to work out
+		 * how bit a window to do.  To do this we need to scan
+		 * forward until the last set bit before the end of the
+		 * window */
+		j=wstart;
+		/* xvalue=BN_is_bit_set(p1,wstart); already set */
+		/* yvalue=BN_is_bit_set(p1,wstart); already set */
+		wend=0;
+		for (i=1; i<window; i++)
+			{
+			if (wstart-i < 0) break;
+			xvalue+=xvalue;
+			xvalue|=BN_is_bit_set(p1,wstart-i);
+			yvalue+=yvalue;
+			yvalue|=BN_is_bit_set(p2,wstart-i);
+			}
+
+		/* i is the size of the current window */
+		/* add the 'bytes above' */
+		if (!start)
+			for (j=0; j<i; j++)
+				{
+				if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+					goto err;
+				}
+		
+		/* wvalue will be an odd number < 2^window */
+		if (xvalue || yvalue)
+			{
+			if (!BN_mod_mul_montgomery(r,r,&(val[xvalue][yvalue]),
+				mont,ctx)) goto err;
+			}
+
+		/* move the 'window' down further */
+		wstart-=i;
+		start=0;
+		if (wstart < 0) break;
+		}
+	BN_from_montgomery(rr,r,mont,ctx);
+	ret=1;
+err:
+	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+	BN_CTX_end(ctx);
+	for (i=0; i<ts; i++)
+		{
+		for (j=0; j<ts; j++)
+			{
+			BN_clear_free(&(val[i][j]));
+			}
+		}
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/bn/bn_gcd.c b/crypto/openssl/crypto/bn/bn_gcd.c
new file mode 100644
index 0000000..3982071
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_gcd.c
@@ -0,0 +1,210 @@
+/* crypto/bn/bn_gcd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
+
+int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*t;
+	int ret=0;
+
+	bn_check_top(in_a);
+	bn_check_top(in_b);
+
+	BN_CTX_start(ctx);
+	a = BN_CTX_get(ctx);
+	b = BN_CTX_get(ctx);
+	if (a == NULL || b == NULL) goto err;
+
+	if (BN_copy(a,in_a) == NULL) goto err;
+	if (BN_copy(b,in_b) == NULL) goto err;
+
+	if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; }
+	t=euclid(a,b);
+	if (t == NULL) goto err;
+
+	if (BN_copy(r,t) == NULL) goto err;
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
+	{
+	BIGNUM *t;
+	int shifts=0;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	for (;;)
+		{
+		if (BN_is_zero(b))
+			break;
+
+		if (BN_is_odd(a))
+			{
+			if (BN_is_odd(b))
+				{
+				if (!BN_sub(a,a,b)) goto err;
+				if (!BN_rshift1(a,a)) goto err;
+				if (BN_cmp(a,b) < 0)
+					{ t=a; a=b; b=t; }
+				}
+			else		/* a odd - b even */
+				{
+				if (!BN_rshift1(b,b)) goto err;
+				if (BN_cmp(a,b) < 0)
+					{ t=a; a=b; b=t; }
+				}
+			}
+		else			/* a is even */
+			{
+			if (BN_is_odd(b))
+				{
+				if (!BN_rshift1(a,a)) goto err;
+				if (BN_cmp(a,b) < 0)
+					{ t=a; a=b; b=t; }
+				}
+			else		/* a even - b even */
+				{
+				if (!BN_rshift1(a,a)) goto err;
+				if (!BN_rshift1(b,b)) goto err;
+				shifts++;
+				}
+			}
+		}
+	if (shifts)
+		{
+		if (!BN_lshift(a,a,shifts)) goto err;
+		}
+	return(a);
+err:
+	return(NULL);
+	}
+
+/* solves ax == 1 (mod n) */
+BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+	{
+	BIGNUM *A,*B,*X,*Y,*M,*D,*R=NULL;
+	BIGNUM *T,*ret=NULL;
+	int sign;
+
+	bn_check_top(a);
+	bn_check_top(n);
+
+	BN_CTX_start(ctx);
+	A = BN_CTX_get(ctx);
+	B = BN_CTX_get(ctx);
+	X = BN_CTX_get(ctx);
+	D = BN_CTX_get(ctx);
+	M = BN_CTX_get(ctx);
+	Y = BN_CTX_get(ctx);
+	if (Y == NULL) goto err;
+
+	if (in == NULL)
+		R=BN_new();
+	else
+		R=in;
+	if (R == NULL) goto err;
+
+	BN_zero(X);
+	BN_one(Y);
+	if (BN_copy(A,a) == NULL) goto err;
+	if (BN_copy(B,n) == NULL) goto err;
+	sign=1;
+
+	while (!BN_is_zero(B))
+		{
+		if (!BN_div(D,M,A,B,ctx)) goto err;
+		T=A;
+		A=B;
+		B=M;
+		/* T has a struct, M does not */
+
+		if (!BN_mul(T,D,X,ctx)) goto err;
+		if (!BN_add(T,T,Y)) goto err;
+		M=Y;
+		Y=X;
+		X=T;
+		sign= -sign;
+		}
+	if (sign < 0)
+		{
+		if (!BN_sub(Y,n,Y)) goto err;
+		}
+
+	if (BN_is_one(A))
+		{ if (!BN_mod(R,Y,n,ctx)) goto err; }
+	else
+		{
+		BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
+		goto err;
+		}
+	ret=R;
+err:
+	if ((ret == NULL) && (in == NULL)) BN_free(R);
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_lcl.h b/crypto/openssl/crypto/bn/bn_lcl.h
new file mode 100644
index 0000000..e36ccbc
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_lcl.h
@@ -0,0 +1,321 @@
+/* crypto/bn/bn_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BN_LCL_H
+#define HEADER_BN_LCL_H
+
+#include <openssl/bn.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Pentium pro 16,16,16,32,64 */
+/* Alpha       16,16,16,16.64 */
+#define BN_MULL_SIZE_NORMAL			(16) /* 32 */
+#define BN_MUL_RECURSIVE_SIZE_NORMAL		(16) /* 32 less than */
+#define BN_SQR_RECURSIVE_SIZE_NORMAL		(16) /* 32 */
+#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL	(32) /* 32 */
+#define BN_MONT_CTX_SET_SIZE_WORD		(64) /* 32 */
+
+#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC)
+/*
+ * BN_UMULT_HIGH section.
+ *
+ * No, I'm not trying to overwhelm you when stating that the
+ * product of N-bit numbers is 2*N bits wide:-) No, I don't expect
+ * you to be impressed when I say that if the compiler doesn't
+ * support 2*N integer type, then you have to replace every N*N
+ * multiplication with 4 (N/2)*(N/2) accompanied by some shifts
+ * and additions which unavoidably results in severe performance
+ * penalties. Of course provided that the hardware is capable of
+ * producing 2*N result... That's when you normally start
+ * considering assembler implementation. However! It should be
+ * pointed out that some CPUs (most notably Alpha, PowerPC and
+ * upcoming IA-64 family:-) provide *separate* instruction
+ * calculating the upper half of the product placing the result
+ * into a general purpose register. Now *if* the compiler supports
+ * inline assembler, then it's not impossible to implement the
+ * "bignum" routines (and have the compiler optimize 'em)
+ * exhibiting "native" performance in C. That's what BN_UMULT_HIGH
+ * macro is about:-)
+ *
+ *					<appro@fy.chalmers.se>
+ */
+# if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+#  if defined(__DECC)
+#   include <c_asm.h>
+#   define BN_UMULT_HIGH(a,b)	(BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
+#  elif defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)	({	\
+	register BN_ULONG ret;		\
+	asm ("umulh	%1,%2,%0"	\
+	     : "=r"(ret)		\
+	     : "r"(a), "r"(b));		\
+	ret;			})
+#  endif	/* compiler */
+# elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
+#  if defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)	({	\
+	register BN_ULONG ret;		\
+	asm ("mulhdu	%0,%1,%2"	\
+	     : "=r"(ret)		\
+	     : "r"(a), "r"(b));		\
+	ret;			})
+#  endif	/* compiler */
+# endif		/* cpu */
+#endif		/* NO_ASM */
+
+/*************************************************************
+ * Using the long long type
+ */
+#define Lw(t)    (((BN_ULONG)(t))&BN_MASK2)
+#define Hw(t)    (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
+
+/* This is used for internal error checking and is not normally used */
+#ifdef BN_DEBUG
+# include <assert.h>
+# define bn_check_top(a) assert ((a)->top >= 0 && (a)->top <= (a)->max);
+#else
+# define bn_check_top(a)
+#endif
+
+/* This macro is to add extra stuff for development checking */
+#ifdef BN_DEBUG
+#define	bn_set_max(r) ((r)->max=(r)->top,BN_set_flags((r),BN_FLG_STATIC_DATA))
+#else
+#define	bn_set_max(r)
+#endif
+
+/* These macros are used to 'take' a section of a bignum for read only use */
+#define bn_set_low(r,a,n) \
+	{ \
+	(r)->top=((a)->top > (n))?(n):(a)->top; \
+	(r)->d=(a)->d; \
+	(r)->neg=(a)->neg; \
+	(r)->flags|=BN_FLG_STATIC_DATA; \
+	bn_set_max(r); \
+	}
+
+#define bn_set_high(r,a,n) \
+	{ \
+	if ((a)->top > (n)) \
+		{ \
+		(r)->top=(a)->top-n; \
+		(r)->d= &((a)->d[n]); \
+		} \
+	else \
+		(r)->top=0; \
+	(r)->neg=(a)->neg; \
+	(r)->flags|=BN_FLG_STATIC_DATA; \
+	bn_set_max(r); \
+	}
+
+#ifdef BN_LLONG
+#define mul_add(r,a,w,c) { \
+	BN_ULLONG t; \
+	t=(BN_ULLONG)w * (a) + (r) + (c); \
+	(r)= Lw(t); \
+	(c)= Hw(t); \
+	}
+
+#define mul(r,a,w,c) { \
+	BN_ULLONG t; \
+	t=(BN_ULLONG)w * (a) + (c); \
+	(r)= Lw(t); \
+	(c)= Hw(t); \
+	}
+
+#define sqr(r0,r1,a) { \
+	BN_ULLONG t; \
+	t=(BN_ULLONG)(a)*(a); \
+	(r0)=Lw(t); \
+	(r1)=Hw(t); \
+	}
+
+#elif defined(BN_UMULT_HIGH)
+#define mul_add(r,a,w,c) {		\
+	BN_ULONG high,low,ret,tmp=(a);	\
+	ret =  (r);			\
+	high=  BN_UMULT_HIGH(w,tmp);	\
+	ret += (c);			\
+	low =  (w) * tmp;		\
+	(c) =  (ret<(c))?1:0;		\
+	(c) += high;			\
+	ret += low;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define mul(r,a,w,c)	{		\
+	BN_ULONG high,low,ret,ta=(a);	\
+	low =  (w) * ta;		\
+	high=  BN_UMULT_HIGH(w,ta);	\
+	ret =  low + (c);		\
+	(c) =  high;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define sqr(r0,r1,a)	{		\
+	BN_ULONG tmp=(a);		\
+	(r0) = tmp * tmp;		\
+	(r1) = BN_UMULT_HIGH(tmp,tmp);	\
+	}
+
+#else
+/*************************************************************
+ * No long long type
+ */
+
+#define LBITS(a)	((a)&BN_MASK2l)
+#define HBITS(a)	(((a)>>BN_BITS4)&BN_MASK2l)
+#define	L2HBITS(a)	((BN_ULONG)((a)&BN_MASK2l)<<BN_BITS4)
+
+#define LLBITS(a)	((a)&BN_MASKl)
+#define LHBITS(a)	(((a)>>BN_BITS2)&BN_MASKl)
+#define	LL2HBITS(a)	((BN_ULLONG)((a)&BN_MASKl)<<BN_BITS2)
+
+#define mul64(l,h,bl,bh) \
+	{ \
+	BN_ULONG m,m1,lt,ht; \
+ \
+	lt=l; \
+	ht=h; \
+	m =(bh)*(lt); \
+	lt=(bl)*(lt); \
+	m1=(bl)*(ht); \
+	ht =(bh)*(ht); \
+	m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS(1L); \
+	ht+=HBITS(m); \
+	m1=L2HBITS(m); \
+	lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
+	(l)=lt; \
+	(h)=ht; \
+	}
+
+#define sqr64(lo,ho,in) \
+	{ \
+	BN_ULONG l,h,m; \
+ \
+	h=(in); \
+	l=LBITS(h); \
+	h=HBITS(h); \
+	m =(l)*(h); \
+	l*=l; \
+	h*=h; \
+	h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
+	m =(m&BN_MASK2l)<<(BN_BITS4+1); \
+	l=(l+m)&BN_MASK2; if (l < m) h++; \
+	(lo)=l; \
+	(ho)=h; \
+	}
+
+#define mul_add(r,a,bl,bh,c) { \
+	BN_ULONG l,h; \
+ \
+	h= (a); \
+	l=LBITS(h); \
+	h=HBITS(h); \
+	mul64(l,h,(bl),(bh)); \
+ \
+	/* non-multiply part */ \
+	l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+	(c)=(r); \
+	l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
+	(c)=h&BN_MASK2; \
+	(r)=l; \
+	}
+
+#define mul(r,a,bl,bh,c) { \
+	BN_ULONG l,h; \
+ \
+	h= (a); \
+	l=LBITS(h); \
+	h=HBITS(h); \
+	mul64(l,h,(bl),(bh)); \
+ \
+	/* non-multiply part */ \
+	l+=(c); if ((l&BN_MASK2) < (c)) h++; \
+	(c)=h&BN_MASK2; \
+	(r)=l&BN_MASK2; \
+	}
+#endif /* !BN_LLONG */
+
+void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
+void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
+void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
+void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp);
+void bn_sqr_comba8(BN_ULONG *r,BN_ULONG *a);
+void bn_sqr_comba4(BN_ULONG *r,BN_ULONG *a);
+int bn_cmp_words(BN_ULONG *a,BN_ULONG *b,int n);
+void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
+	int tn, int n,BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r,BN_ULONG *a, int n2, BN_ULONG *t);
+void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
+void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
+	BN_ULONG *t);
+void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
+	BN_ULONG *t);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
new file mode 100644
index 0000000..0e6b12d9
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -0,0 +1,755 @@
+/* crypto/bn/bn_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT;
+
+/* For a 32 bit machine
+ * 2 -   4 ==  128
+ * 3 -   8 ==  256
+ * 4 -  16 ==  512
+ * 5 -  32 == 1024
+ * 6 -  64 == 2048
+ * 7 - 128 == 4096
+ * 8 - 256 == 8192
+ */
+static int bn_limit_bits=0;
+static int bn_limit_num=8;        /* (1<<bn_limit_bits) */
+static int bn_limit_bits_low=0;
+static int bn_limit_num_low=8;    /* (1<<bn_limit_bits_low) */
+static int bn_limit_bits_high=0;
+static int bn_limit_num_high=8;   /* (1<<bn_limit_bits_high) */
+static int bn_limit_bits_mont=0;
+static int bn_limit_num_mont=8;   /* (1<<bn_limit_bits_mont) */
+
+void BN_set_params(int mult, int high, int low, int mont)
+	{
+	if (mult >= 0)
+		{
+		if (mult > (sizeof(int)*8)-1)
+			mult=sizeof(int)*8-1;
+		bn_limit_bits=mult;
+		bn_limit_num=1<<mult;
+		}
+	if (high >= 0)
+		{
+		if (high > (sizeof(int)*8)-1)
+			high=sizeof(int)*8-1;
+		bn_limit_bits_high=high;
+		bn_limit_num_high=1<<high;
+		}
+	if (low >= 0)
+		{
+		if (low > (sizeof(int)*8)-1)
+			low=sizeof(int)*8-1;
+		bn_limit_bits_low=low;
+		bn_limit_num_low=1<<low;
+		}
+	if (mont >= 0)
+		{
+		if (mont > (sizeof(int)*8)-1)
+			mont=sizeof(int)*8-1;
+		bn_limit_bits_mont=mont;
+		bn_limit_num_mont=1<<mont;
+		}
+	}
+
+int BN_get_params(int which)
+	{
+	if      (which == 0) return(bn_limit_bits);
+	else if (which == 1) return(bn_limit_bits_high);
+	else if (which == 2) return(bn_limit_bits_low);
+	else if (which == 3) return(bn_limit_bits_mont);
+	else return(0);
+	}
+
+BIGNUM *BN_value_one(void)
+	{
+	static BN_ULONG data_one=1L;
+	static BIGNUM const_one={&data_one,1,1,0};
+
+	return(&const_one);
+	}
+
+char *BN_options(void)
+	{
+	static int init=0;
+	static char data[16];
+
+	if (!init)
+		{
+		init++;
+#ifdef BN_LLONG
+		sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULLONG)*8,
+			(int)sizeof(BN_ULONG)*8);
+#else
+		sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULONG)*8,
+			(int)sizeof(BN_ULONG)*8);
+#endif
+		}
+	return(data);
+	}
+
+int BN_num_bits_word(BN_ULONG l)
+	{
+	static const char bits[256]={
+		0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
+		5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,
+		6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
+		6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,
+		7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+		7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+		7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+		7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
+		};
+
+#if defined(SIXTY_FOUR_BIT_LONG)
+	if (l & 0xffffffff00000000L)
+		{
+		if (l & 0xffff000000000000L)
+			{
+			if (l & 0xff00000000000000L)
+				{
+				return(bits[(int)(l>>56)]+56);
+				}
+			else	return(bits[(int)(l>>48)]+48);
+			}
+		else
+			{
+			if (l & 0x0000ff0000000000L)
+				{
+				return(bits[(int)(l>>40)]+40);
+				}
+			else	return(bits[(int)(l>>32)]+32);
+			}
+		}
+	else
+#else
+#ifdef SIXTY_FOUR_BIT
+	if (l & 0xffffffff00000000LL)
+		{
+		if (l & 0xffff000000000000LL)
+			{
+			if (l & 0xff00000000000000LL)
+				{
+				return(bits[(int)(l>>56)]+56);
+				}
+			else	return(bits[(int)(l>>48)]+48);
+			}
+		else
+			{
+			if (l & 0x0000ff0000000000LL)
+				{
+				return(bits[(int)(l>>40)]+40);
+				}
+			else	return(bits[(int)(l>>32)]+32);
+			}
+		}
+	else
+#endif
+#endif
+		{
+#if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+		if (l & 0xffff0000L)
+			{
+			if (l & 0xff000000L)
+				return(bits[(int)(l>>24L)]+24);
+			else	return(bits[(int)(l>>16L)]+16);
+			}
+		else
+#endif
+			{
+#if defined(SIXTEEN_BIT) || defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+			if (l & 0xff00L)
+				return(bits[(int)(l>>8)]+8);
+			else	
+#endif
+				return(bits[(int)(l   )]  );
+			}
+		}
+	}
+
+int BN_num_bits(const BIGNUM *a)
+	{
+	BN_ULONG l;
+	int i;
+
+	bn_check_top(a);
+
+	if (a->top == 0) return(0);
+	l=a->d[a->top-1];
+	i=(a->top-1)*BN_BITS2;
+	if (l == 0)
+		{
+#if !defined(NO_STDIO) && !defined(WIN16)
+		fprintf(stderr,"BAD TOP VALUE\n");
+#endif
+		abort();
+		}
+	return(i+BN_num_bits_word(l));
+	}
+
+void BN_clear_free(BIGNUM *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+	if (a->d != NULL)
+		{
+		memset(a->d,0,a->max*sizeof(a->d[0]));
+		if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
+			Free(a->d);
+		}
+	i=BN_get_flags(a,BN_FLG_MALLOCED);
+	memset(a,0,sizeof(BIGNUM));
+	if (i)
+		Free(a);
+	}
+
+void BN_free(BIGNUM *a)
+	{
+	if (a == NULL) return;
+	if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
+		Free(a->d);
+	a->flags|=BN_FLG_FREE; /* REMOVE? */
+	if (a->flags & BN_FLG_MALLOCED)
+		Free(a);
+	}
+
+void BN_init(BIGNUM *a)
+	{
+	memset(a,0,sizeof(BIGNUM));
+	}
+
+BIGNUM *BN_new(void)
+	{
+	BIGNUM *ret;
+
+	if ((ret=(BIGNUM *)Malloc(sizeof(BIGNUM))) == NULL)
+		{
+		BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->flags=BN_FLG_MALLOCED;
+	ret->top=0;
+	ret->neg=0;
+	ret->max=0;
+	ret->d=NULL;
+	return(ret);
+	}
+
+/* This is an internal function that should not be used in applications.
+ * It ensures that 'b' has enough room for a 'words' word number number.
+ * It is mostly used by the various BIGNUM routines. If there is an error,
+ * NULL is returned. If not, 'b' is returned. */
+
+BIGNUM *bn_expand2(BIGNUM *b, int words)
+	{
+	BN_ULONG *A,*a;
+	const BN_ULONG *B;
+	int i;
+
+	bn_check_top(b);
+
+	if (words > b->max)
+		{
+		bn_check_top(b);	
+		if (BN_get_flags(b,BN_FLG_STATIC_DATA))
+			{
+			BNerr(BN_F_BN_EXPAND2,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
+			return(NULL);
+			}
+		a=A=(BN_ULONG *)Malloc(sizeof(BN_ULONG)*(words+1));
+		if (A == NULL)
+			{
+			BNerr(BN_F_BN_EXPAND2,ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+#if 1
+		B=b->d;
+		/* Check if the previous number needs to be copied */
+		if (B != NULL)
+			{
+#if 0
+			/* This lot is an unrolled loop to copy b->top 
+			 * BN_ULONGs from B to A
+			 */
+/*
+ * I have nothing against unrolling but it's usually done for
+ * several reasons, namely:
+ * - minimize percentage of decision making code, i.e. branches;
+ * - avoid cache trashing;
+ * - make it possible to schedule loads earlier;
+ * Now let's examine the code below. The cornerstone of C is
+ * "programmer is always right" and that's what we love it for:-)
+ * For this very reason C compilers have to be paranoid when it
+ * comes to data aliasing and assume the worst. Yeah, but what
+ * does it mean in real life? This means that loop body below will
+ * be compiled to sequence of loads immediately followed by stores
+ * as compiler assumes the worst, something in A==B+1 style. As a
+ * result CPU pipeline is going to starve for incoming data. Secondly
+ * if A and B happen to share same cache line such code is going to
+ * cause severe cache trashing. Both factors have severe impact on
+ * performance of modern CPUs and this is the reason why this
+ * particular piece of code is #ifdefed away and replaced by more
+ * "friendly" version found in #else section below. This comment
+ * also applies to BN_copy function.
+ *
+ *					<appro@fy.chalmers.se>
+ */
+			for (i=b->top&(~7); i>0; i-=8)
+				{
+				A[0]=B[0]; A[1]=B[1]; A[2]=B[2]; A[3]=B[3];
+				A[4]=B[4]; A[5]=B[5]; A[6]=B[6]; A[7]=B[7];
+				A+=8;
+				B+=8;
+				}
+			switch (b->top&7)
+				{
+			case 7:
+				A[6]=B[6];
+			case 6:
+				A[5]=B[5];
+			case 5:
+				A[4]=B[4];
+			case 4:
+				A[3]=B[3];
+			case 3:
+				A[2]=B[2];
+			case 2:
+				A[1]=B[1];
+			case 1:
+				A[0]=B[0];
+			case 0:
+				/* I need the 'case 0' entry for utrix cc.
+				 * If the optimizer is turned on, it does the
+				 * switch table by doing
+				 * a=top&7
+				 * a--;
+				 * goto jump_table[a];
+				 * If top is 0, this makes us jump to 0xffffffc 
+				 * which is rather bad :-(.
+				 * eric 23-Apr-1998
+				 */
+				;
+				}
+#else
+			for (i=b->top>>2; i>0; i--,A+=4,B+=4)
+				{
+				/*
+				 * The fact that the loop is unrolled
+				 * 4-wise is a tribute to Intel. It's
+				 * the one that doesn't have enough
+				 * registers to accomodate more data.
+				 * I'd unroll it 8-wise otherwise:-)
+				 *
+				 *		<appro@fy.chalmers.se>
+				 */
+				BN_ULONG a0,a1,a2,a3;
+				a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
+				A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
+				}
+			switch (b->top&3)
+				{
+				case 3:	A[2]=B[2];
+				case 2:	A[1]=B[1];
+				case 1:	A[0]=B[0];
+				case 0:	; /* ultrix cc workaround, see above */
+				}
+#endif
+			Free(b->d);
+			}
+
+		b->d=a;
+		b->max=words;
+
+		/* Now need to zero any data between b->top and b->max */
+
+		A= &(b->d[b->top]);
+		for (i=(b->max - b->top)>>3; i>0; i--,A+=8)
+			{
+			A[0]=0; A[1]=0; A[2]=0; A[3]=0;
+			A[4]=0; A[5]=0; A[6]=0; A[7]=0;
+			}
+		for (i=(b->max - b->top)&7; i>0; i--,A++)
+			A[0]=0;
+#else
+			memset(A,0,sizeof(BN_ULONG)*(words+1));
+			memcpy(A,b->d,sizeof(b->d[0])*b->top);
+			b->d=a;
+			b->max=words;
+#endif
+		
+/*		memset(&(p[b->max]),0,((words+1)-b->max)*sizeof(BN_ULONG)); */
+/*	{ int i; for (i=b->max; i<words+1; i++) p[i]=i;} */
+
+		}
+	return(b);
+	}
+
+BIGNUM *BN_dup(const BIGNUM *a)
+	{
+	BIGNUM *r;
+
+	if (a == NULL) return NULL;
+
+	bn_check_top(a);
+
+	r=BN_new();
+	if (r == NULL) return(NULL);
+	return((BIGNUM *)BN_copy(r,a));
+	}
+
+BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
+	{
+	int i;
+	BN_ULONG *A;
+	const BN_ULONG *B;
+
+	bn_check_top(b);
+
+	if (a == b) return(a);
+	if (bn_wexpand(a,b->top) == NULL) return(NULL);
+
+#if 1
+	A=a->d;
+	B=b->d;
+	for (i=b->top>>2; i>0; i--,A+=4,B+=4)
+		{
+		BN_ULONG a0,a1,a2,a3;
+		a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
+		A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
+		}
+	switch (b->top&3)
+		{
+		case 3: A[2]=B[2];
+		case 2: A[1]=B[1];
+		case 1: A[0]=B[0];
+		case 0: ; /* ultrix cc workaround, see comments in bn_expand2 */
+		}
+#else
+	memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
+#endif
+
+/*	memset(&(a->d[b->top]),0,sizeof(a->d[0])*(a->max-b->top));*/
+	a->top=b->top;
+	if ((a->top == 0) && (a->d != NULL))
+		a->d[0]=0;
+	a->neg=b->neg;
+	return(a);
+	}
+
+void BN_clear(BIGNUM *a)
+	{
+	if (a->d != NULL)
+		memset(a->d,0,a->max*sizeof(a->d[0]));
+	a->top=0;
+	a->neg=0;
+	}
+
+BN_ULONG BN_get_word(BIGNUM *a)
+	{
+	int i,n;
+	BN_ULONG ret=0;
+
+	n=BN_num_bytes(a);
+	if (n > sizeof(BN_ULONG))
+		return(BN_MASK2);
+	for (i=a->top-1; i>=0; i--)
+		{
+#ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */
+		ret<<=BN_BITS4; /* stops the compiler complaining */
+		ret<<=BN_BITS4;
+#else
+		ret=0;
+#endif
+		ret|=a->d[i];
+		}
+	return(ret);
+	}
+
+int BN_set_word(BIGNUM *a, BN_ULONG w)
+	{
+	int i,n;
+	if (bn_expand(a,sizeof(BN_ULONG)*8) == NULL) return(0);
+
+	n=sizeof(BN_ULONG)/BN_BYTES;
+	a->neg=0;
+	a->top=0;
+	a->d[0]=(BN_ULONG)w&BN_MASK2;
+	if (a->d[0] != 0) a->top=1;
+	for (i=1; i<n; i++)
+		{
+		/* the following is done instead of
+		 * w>>=BN_BITS2 so compilers don't complain
+		 * on builds where sizeof(long) == BN_TYPES */
+#ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */
+		w>>=BN_BITS4;
+		w>>=BN_BITS4;
+#else
+		w=0;
+#endif
+		a->d[i]=(BN_ULONG)w&BN_MASK2;
+		if (a->d[i] != 0) a->top=i+1;
+		}
+	return(1);
+	}
+
+/* ignore negative */
+BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
+	{
+	unsigned int i,m;
+	unsigned int n;
+	BN_ULONG l;
+
+	if (ret == NULL) ret=BN_new();
+	if (ret == NULL) return(NULL);
+	l=0;
+	n=len;
+	if (n == 0)
+		{
+		ret->top=0;
+		return(ret);
+		}
+	if (bn_expand(ret,(int)(n+2)*8) == NULL)
+		return(NULL);
+	i=((n-1)/BN_BYTES)+1;
+	m=((n-1)%(BN_BYTES));
+	ret->top=i;
+	while (n-- > 0)
+		{
+		l=(l<<8L)| *(s++);
+		if (m-- == 0)
+			{
+			ret->d[--i]=l;
+			l=0;
+			m=BN_BYTES-1;
+			}
+		}
+	/* need to call this due to clear byte at top if avoiding
+	 * having the top bit set (-ve number) */
+	bn_fix_top(ret);
+	return(ret);
+	}
+
+/* ignore negative */
+int BN_bn2bin(const BIGNUM *a, unsigned char *to)
+	{
+	int n,i;
+	BN_ULONG l;
+
+	n=i=BN_num_bytes(a);
+	while (i-- > 0)
+		{
+		l=a->d[i/BN_BYTES];
+		*(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
+		}
+	return(n);
+	}
+
+int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
+	{
+	int i;
+	BN_ULONG t1,t2,*ap,*bp;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	i=a->top-b->top;
+	if (i != 0) return(i);
+	ap=a->d;
+	bp=b->d;
+	for (i=a->top-1; i>=0; i--)
+		{
+		t1= ap[i];
+		t2= bp[i];
+		if (t1 != t2)
+			return(t1 > t2?1:-1);
+		}
+	return(0);
+	}
+
+int BN_cmp(const BIGNUM *a, const BIGNUM *b)
+	{
+	int i;
+	int gt,lt;
+	BN_ULONG t1,t2;
+
+	if ((a == NULL) || (b == NULL))
+		{
+		if (a != NULL)
+			return(-1);
+		else if (b != NULL)
+			return(1);
+		else
+			return(0);
+		}
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (a->neg != b->neg)
+		{
+		if (a->neg)
+			return(-1);
+		else	return(1);
+		}
+	if (a->neg == 0)
+		{ gt=1; lt= -1; }
+	else	{ gt= -1; lt=1; }
+
+	if (a->top > b->top) return(gt);
+	if (a->top < b->top) return(lt);
+	for (i=a->top-1; i>=0; i--)
+		{
+		t1=a->d[i];
+		t2=b->d[i];
+		if (t1 > t2) return(gt);
+		if (t1 < t2) return(lt);
+		}
+	return(0);
+	}
+
+int BN_set_bit(BIGNUM *a, int n)
+	{
+	int i,j,k;
+
+	i=n/BN_BITS2;
+	j=n%BN_BITS2;
+	if (a->top <= i)
+		{
+		if (bn_wexpand(a,i+1) == NULL) return(0);
+		for(k=a->top; k<i+1; k++)
+			a->d[k]=0;
+		a->top=i+1;
+		}
+
+	a->d[i]|=(((BN_ULONG)1)<<j);
+	return(1);
+	}
+
+int BN_clear_bit(BIGNUM *a, int n)
+	{
+	int i,j;
+
+	i=n/BN_BITS2;
+	j=n%BN_BITS2;
+	if (a->top <= i) return(0);
+
+	a->d[i]&=(~(((BN_ULONG)1)<<j));
+	bn_fix_top(a);
+	return(1);
+	}
+
+int BN_is_bit_set(const BIGNUM *a, int n)
+	{
+	int i,j;
+
+	if (n < 0) return(0);
+	i=n/BN_BITS2;
+	j=n%BN_BITS2;
+	if (a->top <= i) return(0);
+	return((a->d[i]&(((BN_ULONG)1)<<j))?1:0);
+	}
+
+int BN_mask_bits(BIGNUM *a, int n)
+	{
+	int b,w;
+
+	w=n/BN_BITS2;
+	b=n%BN_BITS2;
+	if (w >= a->top) return(0);
+	if (b == 0)
+		a->top=w;
+	else
+		{
+		a->top=w+1;
+		a->d[w]&= ~(BN_MASK2<<b);
+		}
+	bn_fix_top(a);
+	return(1);
+	}
+
+int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n)
+	{
+	int i;
+	BN_ULONG aa,bb;
+
+	aa=a[n-1];
+	bb=b[n-1];
+	if (aa != bb) return((aa > bb)?1:-1);
+	for (i=n-2; i>=0; i--)
+		{
+		aa=a[i];
+		bb=b[i];
+		if (aa != bb) return((aa > bb)?1:-1);
+		}
+	return(0);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_mont.c b/crypto/openssl/crypto/bn/bn_mont.c
new file mode 100644
index 0000000..598fecb
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_mont.c
@@ -0,0 +1,339 @@
+/* crypto/bn/bn_mont.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * Details about Montgomery multiplication algorithms can be found at
+ * http://security.ece.orst.edu/publications.html, e.g.
+ * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
+ * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#define MONT_WORD /* use the faster word-based algorithm */
+
+int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+			  BN_MONT_CTX *mont, BN_CTX *ctx)
+	{
+	BIGNUM *tmp,*tmp2;
+	int ret=0;
+
+	BN_CTX_start(ctx);
+	tmp = BN_CTX_get(ctx);
+	tmp2 = BN_CTX_get(ctx);
+	if (tmp == NULL || tmp2 == NULL) goto err;
+
+	bn_check_top(tmp);
+	bn_check_top(tmp2);
+
+	if (a == b)
+		{
+#if 0
+		bn_wexpand(tmp,a->top*2);
+		bn_wexpand(tmp2,a->top*4);
+		bn_sqr_recursive(tmp->d,a->d,a->top,tmp2->d);
+		tmp->top=a->top*2;
+		if (tmp->d[tmp->top-1] == 0)
+			tmp->top--;
+#else
+		if (!BN_sqr(tmp,a,ctx)) goto err;
+#endif
+		}
+	else
+		{
+		if (!BN_mul(tmp,a,b,ctx)) goto err;
+		}
+	/* reduce from aRR to aR */
+	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
+	     BN_CTX *ctx)
+	{
+	int retn=0;
+
+#ifdef MONT_WORD
+	BIGNUM *n,*r;
+	BN_ULONG *ap,*np,*rp,n0,v,*nrp;
+	int al,nl,max,i,x,ri;
+
+	BN_CTX_start(ctx);
+	if ((r = BN_CTX_get(ctx)) == NULL) goto err;
+
+	if (!BN_copy(r,a)) goto err;
+	n= &(mont->N);
+
+	ap=a->d;
+	/* mont->ri is the size of mont->N in bits (rounded up
+	   to the word size) */
+	al=ri=mont->ri/BN_BITS2;
+	
+	nl=n->top;
+	if ((al == 0) || (nl == 0)) { r->top=0; return(1); }
+
+	max=(nl+al+1); /* allow for overflow (no?) XXX */
+	if (bn_wexpand(r,max) == NULL) goto err;
+	if (bn_wexpand(ret,max) == NULL) goto err;
+
+	r->neg=a->neg^n->neg;
+	np=n->d;
+	rp=r->d;
+	nrp= &(r->d[nl]);
+
+	/* clear the top words of T */
+#if 1
+	for (i=r->top; i<max; i++) /* memset? XXX */
+		r->d[i]=0;
+#else
+	memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 
+#endif
+
+	r->top=max;
+	n0=mont->n0;
+
+#ifdef BN_COUNT
+	printf("word BN_from_montgomery %d * %d\n",nl,nl);
+#endif
+	for (i=0; i<nl; i++)
+		{
+		v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
+		nrp++;
+		rp++;
+		if (((nrp[-1]+=v)&BN_MASK2) >= v)
+			continue;
+		else
+			{
+			if (((++nrp[0])&BN_MASK2) != 0) continue;
+			if (((++nrp[1])&BN_MASK2) != 0) continue;
+			for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
+			}
+		}
+	bn_fix_top(r);
+	
+	/* mont->ri will be a multiple of the word size */
+#if 0
+	BN_rshift(ret,r,mont->ri);
+#else
+	x=ri;
+	rp=ret->d;
+	ap= &(r->d[x]);
+	if (r->top < x)
+		al=0;
+	else
+		al=r->top-x;
+	ret->top=al;
+	al-=4;
+	for (i=0; i<al; i+=4)
+		{
+		BN_ULONG t1,t2,t3,t4;
+		
+		t1=ap[i+0];
+		t2=ap[i+1];
+		t3=ap[i+2];
+		t4=ap[i+3];
+		rp[i+0]=t1;
+		rp[i+1]=t2;
+		rp[i+2]=t3;
+		rp[i+3]=t4;
+		}
+	al+=4;
+	for (; i<al; i++)
+		rp[i]=ap[i];
+#endif
+#else /* !MONT_WORD */ 
+	BIGNUM *t1,*t2;
+
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	t2 = BN_CTX_get(ctx);
+	if (t1 == NULL || t2 == NULL) goto err;
+	
+	if (!BN_copy(t1,a)) goto err;
+	BN_mask_bits(t1,mont->ri);
+
+	if (!BN_mul(t2,t1,&mont->Ni,ctx)) goto err;
+	BN_mask_bits(t2,mont->ri);
+
+	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
+	if (!BN_add(t2,a,t1)) goto err;
+	BN_rshift(ret,t2,mont->ri);
+#endif /* MONT_WORD */
+
+	if (BN_ucmp(ret, &(mont->N)) >= 0)
+		{
+		BN_usub(ret,ret,&(mont->N));
+		}
+	retn=1;
+ err:
+	BN_CTX_end(ctx);
+	return(retn);
+	}
+
+BN_MONT_CTX *BN_MONT_CTX_new(void)
+	{
+	BN_MONT_CTX *ret;
+
+	if ((ret=(BN_MONT_CTX *)Malloc(sizeof(BN_MONT_CTX))) == NULL)
+		return(NULL);
+
+	BN_MONT_CTX_init(ret);
+	ret->flags=BN_FLG_MALLOCED;
+	return(ret);
+	}
+
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
+	{
+	ctx->ri=0;
+	BN_init(&(ctx->RR));
+	BN_init(&(ctx->N));
+	BN_init(&(ctx->Ni));
+	ctx->flags=0;
+	}
+
+void BN_MONT_CTX_free(BN_MONT_CTX *mont)
+	{
+	if(mont == NULL)
+	    return;
+
+	BN_free(&(mont->RR));
+	BN_free(&(mont->N));
+	BN_free(&(mont->Ni));
+	if (mont->flags & BN_FLG_MALLOCED)
+		Free(mont);
+	}
+
+int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
+	{
+	BIGNUM Ri,*R;
+
+	BN_init(&Ri);
+	R= &(mont->RR);					/* grab RR as a temp */
+	BN_copy(&(mont->N),mod);			/* Set N */
+
+#ifdef MONT_WORD
+		{
+		BIGNUM tmod;
+		BN_ULONG buf[2];
+
+		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
+		BN_zero(R);
+		BN_set_bit(R,BN_BITS2);			/* R */
+
+		buf[0]=mod->d[0]; /* tmod = N mod word size */
+		buf[1]=0;
+		tmod.d=buf;
+		tmod.top=1;
+		tmod.max=2;
+		tmod.neg=mod->neg;
+							/* Ri = R^-1 mod N*/
+		if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
+			goto err;
+		BN_lshift(&Ri,&Ri,BN_BITS2);		/* R*Ri */
+		if (!BN_is_zero(&Ri))
+			BN_sub_word(&Ri,1);
+		else /* if N mod word size == 1 */
+			BN_set_word(&Ri,BN_MASK2);  /* Ri-- (mod word size) */
+		BN_div(&Ri,NULL,&Ri,&tmod,ctx);	/* Ni = (R*Ri-1)/N,
+		                                 * keep only least significant word: */
+		mont->n0=Ri.d[0];
+		BN_free(&Ri);
+		}
+#else /* !MONT_WORD */
+		{ /* bignum version */
+		mont->ri=BN_num_bits(mod);
+		BN_zero(R);
+		BN_set_bit(R,mont->ri);			/* R = 2^ri */
+							/* Ri = R^-1 mod N*/
+		if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL)
+			goto err;
+		BN_lshift(&Ri,&Ri,mont->ri);		/* R*Ri */
+		BN_sub_word(&Ri,1);
+							/* Ni = (R*Ri-1) / N */
+		BN_div(&(mont->Ni),NULL,&Ri,mod,ctx);
+		BN_free(&Ri);
+		}
+#endif
+
+	/* setup RR for conversions */
+	BN_zero(&(mont->RR));
+	BN_set_bit(&(mont->RR),mont->ri*2);
+	BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx);
+
+	return(1);
+err:
+	return(0);
+	}
+
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
+	{
+	if (to == from) return(to);
+
+	BN_copy(&(to->RR),&(from->RR));
+	BN_copy(&(to->N),&(from->N));
+	BN_copy(&(to->Ni),&(from->Ni));
+	to->ri=from->ri;
+	to->n0=from->n0;
+	return(to);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_mpi.c b/crypto/openssl/crypto/bn/bn_mpi.c
new file mode 100644
index 0000000..80e1dca
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_mpi.c
@@ -0,0 +1,129 @@
+/* crypto/bn/bn_mpi.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
+	{
+	int bits;
+	int num=0;
+	int ext=0;
+	long l;
+
+	bits=BN_num_bits(a);
+	num=(bits+7)/8;
+	if (bits > 0)
+		{
+		ext=((bits & 0x07) == 0);
+		}
+	if (d == NULL)
+		return(num+4+ext);
+
+	l=num+ext;
+	d[0]=(unsigned char)(l>>24)&0xff;
+	d[1]=(unsigned char)(l>>16)&0xff;
+	d[2]=(unsigned char)(l>> 8)&0xff;
+	d[3]=(unsigned char)(l    )&0xff;
+	if (ext) d[4]=0;
+	num=BN_bn2bin(a,&(d[4+ext]));
+	if (a->neg)
+		d[4]|=0x80;
+	return(num+4+ext);
+	}
+
+BIGNUM *BN_mpi2bn(unsigned char *d, int n, BIGNUM *a)
+	{
+	long len;
+	int neg=0;
+
+	if (n < 4)
+		{
+		BNerr(BN_F_BN_MPI2BN,BN_R_INVALID_LENGTH);
+		return(NULL);
+		}
+	len=((long)d[0]<<24)|((long)d[1]<<16)|((int)d[2]<<8)|(int)d[3];
+	if ((len+4) != n)
+		{
+		BNerr(BN_F_BN_MPI2BN,BN_R_ENCODING_ERROR);
+		return(NULL);
+		}
+
+	if (a == NULL) a=BN_new();
+	if (a == NULL) return(NULL);
+
+	if (len == 0)
+		{
+		a->neg=0;
+		a->top=0;
+		return(a);
+		}
+	d+=4;
+	if ((*d) & 0x80)
+		neg=1;
+	if (BN_bin2bn(d,(int)len,a) == NULL)
+		return(NULL);
+	a->neg=neg;
+	if (neg)
+		{
+		BN_clear_bit(a,BN_num_bits(a)-1);
+		}
+	return(a);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c
new file mode 100644
index 0000000..3e8baaa
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_mul.c
@@ -0,0 +1,794 @@
+/* crypto/bn/bn_mul.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#ifdef BN_RECURSION
+/* Karatsuba recursive multiplication algorithm
+ * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
+
+/* r is 2*n2 words in size,
+ * a and b are both n2 words in size.
+ * n2 must be a power of 2.
+ * We multiply and return the result.
+ * t must be 2*n2 words in size
+ * We calculate
+ * a[0]*b[0]
+ * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+ * a[1]*b[1]
+ */
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+	     BN_ULONG *t)
+	{
+	int n=n2/2,c1,c2;
+	unsigned int neg,zero;
+	BN_ULONG ln,lo,*p;
+
+# ifdef BN_COUNT
+	printf(" bn_mul_recursive %d * %d\n",n2,n2);
+# endif
+# ifdef BN_MUL_COMBA
+#  if 0
+	if (n2 == 4)
+		{
+		bn_mul_comba4(r,a,b);
+		return;
+		}
+#  endif
+	if (n2 == 8)
+		{
+		bn_mul_comba8(r,a,b);
+		return; 
+		}
+# endif /* BN_MUL_COMBA */
+	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
+		{
+		/* This should not happen */
+		bn_mul_normal(r,a,n2,b,n2);
+		return;
+		}
+	/* r=(a[0]-a[1])*(b[1]-b[0]) */
+	c1=bn_cmp_words(a,&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),b,n);
+	zero=neg=0;
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		break;
+	case -3:
+		zero=1;
+		break;
+	case -2:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		break;
+	case 2:
+		bn_sub_words(t,      a,      &(a[n]),n); /* + */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		break;
+	case 4:
+		bn_sub_words(t,      a,      &(a[n]),n);
+		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		break;
+		}
+
+# ifdef BN_MUL_COMBA
+	if (n == 4)
+		{
+		if (!zero)
+			bn_mul_comba4(&(t[n2]),t,&(t[n]));
+		else
+			memset(&(t[n2]),0,8*sizeof(BN_ULONG));
+		
+		bn_mul_comba4(r,a,b);
+		bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n]));
+		}
+	else if (n == 8)
+		{
+		if (!zero)
+			bn_mul_comba8(&(t[n2]),t,&(t[n]));
+		else
+			memset(&(t[n2]),0,16*sizeof(BN_ULONG));
+		
+		bn_mul_comba8(r,a,b);
+		bn_mul_comba8(&(r[n2]),&(a[n]),&(b[n]));
+		}
+	else
+# endif /* BN_MUL_COMBA */
+		{
+		p= &(t[n2*2]);
+		if (!zero)
+			bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+		else
+			memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
+		bn_mul_recursive(r,a,b,n,p);
+		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=(int)(bn_add_words(t,r,&(r[n2]),n2));
+
+	if (neg) /* if t[32] is negative */
+		{
+		c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
+		}
+	else
+		{
+		/* Might have a carry */
+		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=(int)(bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2));
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < (BN_ULONG)c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+
+/* n+tn is the word length
+ * t needs to be n*4 is size, as does r */
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+	     int n, BN_ULONG *t)
+	{
+	int i,j,n2=n*2;
+	unsigned int c1,c2,neg,zero;
+	BN_ULONG ln,lo,*p;
+
+# ifdef BN_COUNT
+	printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
+# endif
+	if (n < 8)
+		{
+		i=tn+n;
+		bn_mul_normal(r,a,i,b,i);
+		return;
+		}
+
+	/* r=(a[0]-a[1])*(b[1]-b[0]) */
+	c1=bn_cmp_words(a,&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),b,n);
+	zero=neg=0;
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		break;
+	case -3:
+		zero=1;
+		/* break; */
+	case -2:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		/* break; */
+	case 2:
+		bn_sub_words(t,      a,      &(a[n]),n); /* + */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		/* break; */
+	case 4:
+		bn_sub_words(t,      a,      &(a[n]),n);
+		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		break;
+		}
+		/* The zero case isn't yet implemented here. The speedup
+		   would probably be negligible. */
+# if 0
+	if (n == 4)
+		{
+		bn_mul_comba4(&(t[n2]),t,&(t[n]));
+		bn_mul_comba4(r,a,b);
+		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
+		}
+	else
+# endif
+	if (n == 8)
+		{
+		bn_mul_comba8(&(t[n2]),t,&(t[n]));
+		bn_mul_comba8(r,a,b);
+		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
+		}
+	else
+		{
+		p= &(t[n2*2]);
+		bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+		bn_mul_recursive(r,a,b,n,p);
+		i=n/2;
+		/* If there is only a bottom half to the number,
+		 * just do it */
+		j=tn-i;
+		if (j == 0)
+			{
+			bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
+			memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
+			}
+		else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
+				{
+				bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
+					j,i,p);
+				memset(&(r[n2+tn*2]),0,
+					sizeof(BN_ULONG)*(n2-tn*2));
+				}
+		else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
+			{
+			memset(&(r[n2]),0,sizeof(BN_ULONG)*n2);
+			if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL)
+				{
+				bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+				}
+			else
+				{
+				for (;;)
+					{
+					i/=2;
+					if (i < tn)
+						{
+						bn_mul_part_recursive(&(r[n2]),
+							&(a[n]),&(b[n]),
+							tn-i,i,p);
+						break;
+						}
+					else if (i == tn)
+						{
+						bn_mul_recursive(&(r[n2]),
+							&(a[n]),&(b[n]),
+							i,p);
+						break;
+						}
+					}
+				}
+			}
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=(int)(bn_add_words(t,r,&(r[n2]),n2));
+
+	if (neg) /* if t[32] is negative */
+		{
+		c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
+		}
+	else
+		{
+		/* Might have a carry */
+		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=(int)(bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2));
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+
+/* a and b must be the same size, which is n2.
+ * r needs to be n2 words and t needs to be n2*2
+ */
+void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+	     BN_ULONG *t)
+	{
+	int n=n2/2;
+
+# ifdef BN_COUNT
+	printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
+# endif
+
+	bn_mul_recursive(r,a,b,n,&(t[0]));
+	if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
+		{
+		bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		bn_mul_low_recursive(&(t[0]),&(a[n]),&(b[0]),n,&(t[n2]));
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		}
+	else
+		{
+		bn_mul_low_normal(&(t[0]),&(a[0]),&(b[n]),n);
+		bn_mul_low_normal(&(t[n]),&(a[n]),&(b[0]),n);
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		bn_add_words(&(r[n]),&(r[n]),&(t[n]),n);
+		}
+	}
+
+/* a and b must be the same size, which is n2.
+ * r needs to be n2 words and t needs to be n2*2
+ * l is the low words of the output.
+ * t needs to be n2*3
+ */
+void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
+	     BN_ULONG *t)
+	{
+	int i,n;
+	int c1,c2;
+	int neg,oneg,zero;
+	BN_ULONG ll,lc,*lp,*mp;
+
+# ifdef BN_COUNT
+	printf(" bn_mul_high %d * %d\n",n2,n2);
+# endif
+	n=n2/2;
+
+	/* Calculate (al-ah)*(bh-bl) */
+	neg=zero=0;
+	c1=bn_cmp_words(&(a[0]),&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),&(b[0]),n);
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
+		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
+		break;
+	case -3:
+		zero=1;
+		break;
+	case -2:
+		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
+		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		break;
+	case 2:
+		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
+		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		break;
+	case 4:
+		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
+		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
+		break;
+		}
+		
+	oneg=neg;
+	/* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
+	/* r[10] = (a[1]*b[1]) */
+# ifdef BN_MUL_COMBA
+	if (n == 8)
+		{
+		bn_mul_comba8(&(t[0]),&(r[0]),&(r[n]));
+		bn_mul_comba8(r,&(a[n]),&(b[n]));
+		}
+	else
+# endif
+		{
+		bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
+		bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
+		}
+
+	/* s0 == low(al*bl)
+	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
+	 * We know s0 and s1 so the only unknown is high(al*bl)
+	 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
+	 * high(al*bl) == s1 - (r[0]+l[0]+t[0])
+	 */
+	if (l != NULL)
+		{
+		lp= &(t[n2+n]);
+		c1=(int)(bn_add_words(lp,&(r[0]),&(l[0]),n));
+		}
+	else
+		{
+		c1=0;
+		lp= &(r[0]);
+		}
+
+	if (neg)
+		neg=(int)(bn_sub_words(&(t[n2]),lp,&(t[0]),n));
+	else
+		{
+		bn_add_words(&(t[n2]),lp,&(t[0]),n);
+		neg=0;
+		}
+
+	if (l != NULL)
+		{
+		bn_sub_words(&(t[n2+n]),&(l[n]),&(t[n2]),n);
+		}
+	else
+		{
+		lp= &(t[n2+n]);
+		mp= &(t[n2]);
+		for (i=0; i<n; i++)
+			lp[i]=((~mp[i])+1)&BN_MASK2;
+		}
+
+	/* s[0] = low(al*bl)
+	 * t[3] = high(al*bl)
+	 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
+	 * r[10] = (a[1]*b[1])
+	 */
+	/* R[10] = al*bl
+	 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
+	 * R[32] = ah*bh
+	 */
+	/* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
+	 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
+	 * R[3]=r[1]+(carry/borrow)
+	 */
+	if (l != NULL)
+		{
+		lp= &(t[n2]);
+		c1= (int)(bn_add_words(lp,&(t[n2+n]),&(l[0]),n));
+		}
+	else
+		{
+		lp= &(t[n2+n]);
+		c1=0;
+		}
+	c1+=(int)(bn_add_words(&(t[n2]),lp,  &(r[0]),n));
+	if (oneg)
+		c1-=(int)(bn_sub_words(&(t[n2]),&(t[n2]),&(t[0]),n));
+	else
+		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),&(t[0]),n));
+
+	c2 =(int)(bn_add_words(&(r[0]),&(r[0]),&(t[n2+n]),n));
+	c2+=(int)(bn_add_words(&(r[0]),&(r[0]),&(r[n]),n));
+	if (oneg)
+		c2-=(int)(bn_sub_words(&(r[0]),&(r[0]),&(t[n]),n));
+	else
+		c2+=(int)(bn_add_words(&(r[0]),&(r[0]),&(t[n]),n));
+	
+	if (c1 != 0) /* Add starting at r[0], could be +ve or -ve */
+		{
+		i=0;
+		if (c1 > 0)
+			{
+			lc=c1;
+			do	{
+				ll=(r[i]+lc)&BN_MASK2;
+				r[i++]=ll;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		else
+			{
+			lc= -c1;
+			do	{
+				ll=r[i];
+				r[i++]=(ll-lc)&BN_MASK2;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		}
+	if (c2 != 0) /* Add starting at r[1] */
+		{
+		i=n;
+		if (c2 > 0)
+			{
+			lc=c2;
+			do	{
+				ll=(r[i]+lc)&BN_MASK2;
+				r[i++]=ll;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		else
+			{
+			lc= -c2;
+			do	{
+				ll=r[i];
+				r[i++]=(ll-lc)&BN_MASK2;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		}
+	}
+#endif /* BN_RECURSION */
+
+int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+	{
+	int top,al,bl;
+	BIGNUM *rr;
+	int ret = 0;
+#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
+	int i;
+#endif
+#ifdef BN_RECURSION
+	BIGNUM *t;
+	int j,k;
+#endif
+
+#ifdef BN_COUNT
+	printf("BN_mul %d * %d\n",a->top,b->top);
+#endif
+
+	bn_check_top(a);
+	bn_check_top(b);
+	bn_check_top(r);
+
+	al=a->top;
+	bl=b->top;
+	r->neg=a->neg^b->neg;
+
+	if ((al == 0) || (bl == 0))
+		{
+		BN_zero(r);
+		return(1);
+		}
+	top=al+bl;
+
+	BN_CTX_start(ctx);
+	if ((r == a) || (r == b))
+		{
+		if ((rr = BN_CTX_get(ctx)) == NULL) goto err;
+		}
+	else
+		rr = r;
+
+#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
+	i = al-bl;
+#endif
+#ifdef BN_MUL_COMBA
+	if (i == 0)
+		{
+# if 0
+		if (al == 4)
+			{
+			if (bn_wexpand(rr,8) == NULL) goto err;
+			rr->top=8;
+			bn_mul_comba4(rr->d,a->d,b->d);
+			goto end;
+			}
+# endif
+		if (al == 8)
+			{
+			if (bn_wexpand(rr,16) == NULL) goto err;
+			rr->top=16;
+			bn_mul_comba8(rr->d,a->d,b->d);
+			goto end;
+			}
+		}
+#endif /* BN_MUL_COMBA */
+#ifdef BN_RECURSION
+	if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
+		{
+		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
+			{
+			bn_wexpand(b,al);
+			b->d[bl]=0;
+			bl++;
+			i--;
+			}
+		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
+			{
+			bn_wexpand(a,bl);
+			a->d[al]=0;
+			al++;
+			i++;
+			}
+		if (i == 0)
+			{
+			/* symmetric and > 4 */
+			/* 16 or larger */
+			j=BN_num_bits_word((BN_ULONG)al);
+			j=1<<(j-1);
+			k=j+j;
+			t = BN_CTX_get(ctx);
+			if (al == j) /* exact multiple */
+				{
+				bn_wexpand(t,k*2);
+				bn_wexpand(rr,k*2);
+				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
+				}
+			else
+				{
+				bn_wexpand(a,k);
+				bn_wexpand(b,k);
+				bn_wexpand(t,k*4);
+				bn_wexpand(rr,k*4);
+				for (i=a->top; i<k; i++)
+					a->d[i]=0;
+				for (i=b->top; i<k; i++)
+					b->d[i]=0;
+				bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
+				}
+			rr->top=top;
+			goto end;
+			}
+		}
+#endif /* BN_RECURSION */
+	if (bn_wexpand(rr,top) == NULL) goto err;
+	rr->top=top;
+	bn_mul_normal(rr->d,a->d,al,b->d,bl);
+
+#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
+end:
+#endif
+	bn_fix_top(rr);
+	if (r != rr) BN_copy(r,rr);
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
+	{
+	BN_ULONG *rr;
+
+#ifdef BN_COUNT
+	printf(" bn_mul_normal %d * %d\n",na,nb);
+#endif
+
+	if (na < nb)
+		{
+		int itmp;
+		BN_ULONG *ltmp;
+
+		itmp=na; na=nb; nb=itmp;
+		ltmp=a;   a=b;   b=ltmp;
+
+		}
+	rr= &(r[na]);
+	rr[0]=bn_mul_words(r,a,na,b[0]);
+
+	for (;;)
+		{
+		if (--nb <= 0) return;
+		rr[1]=bn_mul_add_words(&(r[1]),a,na,b[1]);
+		if (--nb <= 0) return;
+		rr[2]=bn_mul_add_words(&(r[2]),a,na,b[2]);
+		if (--nb <= 0) return;
+		rr[3]=bn_mul_add_words(&(r[3]),a,na,b[3]);
+		if (--nb <= 0) return;
+		rr[4]=bn_mul_add_words(&(r[4]),a,na,b[4]);
+		rr+=4;
+		r+=4;
+		b+=4;
+		}
+	}
+
+void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+	{
+#ifdef BN_COUNT
+	printf(" bn_mul_low_normal %d * %d\n",n,n);
+#endif
+	bn_mul_words(r,a,n,b[0]);
+
+	for (;;)
+		{
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[1]),a,n,b[1]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[2]),a,n,b[2]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[3]),a,n,b[3]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[4]),a,n,b[4]);
+		r+=4;
+		b+=4;
+		}
+	}
diff --git a/crypto/openssl/crypto/bn/bn_opts.c b/crypto/openssl/crypto/bn/bn_opts.c
new file mode 100644
index 0000000..381be52
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_opts.c
@@ -0,0 +1,324 @@
+/* crypto/bn/expspeed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* most of this code has been pilfered from my libdes speed.c program */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/tmdiff.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+
+#define DEFAULT_SIZE	512
+#define DEFAULT_TIME	3
+
+int verbose=1;
+
+typedef struct parms_st
+	{
+	char *name;
+	void (*func)();
+	BIGNUM r;
+	BIGNUM a;
+	BIGNUM b;
+	BIGNUM c;
+	BIGNUM low;
+	BN_CTX *ctx;
+	BN_MONT_CTX *mont;
+	int w;
+	} PARMS;
+
+void do_mul_exp(int num,PARMS *p);
+void do_mul(int num,PARMS *p);
+void do_sqr(int num,PARMS *p);
+void do_mul_low(int num,PARMS *p);
+void do_mul_high(int num,PARMS *p);
+void do_from_montgomery(int num,PARMS *p);
+int time_it(int sec, PARMS *p);
+void do_it(int sec, PARMS *p);
+
+#define P_EXP	1
+#define P_MUL	2
+#define P_SQR	3
+#define P_MULL	4
+#define P_MULH	5
+#define P_MRED	6
+
+int main(int argc, char **argv)
+	{
+	PARMS p;
+	BN_MONT_CTX *mont;
+	int size=0,num;
+	char *name;
+	int type=P_EXP;
+
+	mont=BN_MONT_CTX_new();
+	p.mont=NULL;
+	p.ctx=BN_CTX_new();
+	BN_init(&p.r);
+	BN_init(&p.a);
+	BN_init(&p.b);
+	BN_init(&p.c);
+	BN_init(&p.low);
+	p.w=0;
+
+	for (;;)
+		{
+		if (argc > 1)
+			{
+			if (argv[1][0] == '-')
+				{
+				switch(argv[1][1])
+					{
+				case 'e': type=P_EXP; break;
+				case 'm': type=P_MUL; break;
+				case 's': type=P_SQR; break;
+				case 'l': type=P_MULL; break;
+				case 'h': type=P_MULH; break;
+				case 'r': type=P_MRED; break;
+				default:
+					fprintf(stderr,"options: -[emslhr]\n");
+					exit(1);
+					}
+				}
+			else
+				{
+				size=atoi(argv[1]);
+				}
+			argc--;
+			argv++;
+			}
+		else
+			break;
+		}
+	if (size == 0)
+		size=DEFAULT_SIZE;
+
+	printf("bit size:%5d\n",size);
+
+	BN_rand(&p.a,size,1,0);
+	BN_rand(&p.b,size,1,0);
+	BN_rand(&p.c,size,1,1);
+	BN_mod(&p.a,&p.a,&p.c,p.ctx);
+	BN_mod(&p.b,&p.b,&p.c,p.ctx);
+	p.w=(p.a.top+1)/2;
+
+	BN_mul(&p.low,&p.a,&p.b,p.ctx);
+	p.low.top=p.a.top;
+	
+	switch(type)
+		{
+	case P_EXP:
+		p.name="r=a^b%c";
+		p.func=do_mul_exp;
+		p.mont=mont;
+		break;
+	case P_MUL:
+		p.name="r=a*b";
+		p.func=do_mul;
+		break;
+	case P_SQR:
+		p.name="r=a*a";
+		p.func=do_sqr;
+		break;
+	case P_MULL:
+		p.name="r=low(a*b)";
+		p.func=do_mul_low;
+		break;
+	case P_MULH:
+		p.name="r=high(a*b)";
+		p.func=do_mul_high;
+		break;
+	case P_MRED:
+		p.name="r=montgomery_reduction(a)";
+		p.func=do_from_montgomery;
+		p.mont=mont;
+		break;
+	default:
+		fprintf(stderr,"options: -[emslhr]\n");
+		exit(1);
+		}
+
+	num=time_it(DEFAULT_TIME,&p);
+	do_it(num,&p);
+	}
+
+void do_it(int num, PARMS *p)
+	{
+	char *start,*end;
+	int i,j,number;
+	double d;
+
+	start=ms_time_new();
+	end=ms_time_new();
+
+	number=BN_num_bits_word((BN_ULONG)BN_num_bits(&(p->c)))-
+		BN_num_bits_word(BN_BITS2)+2;
+	for (i=number-1; i >=0; i--)
+		{
+		if (i == 1) continue;
+		BN_set_params(i,i,i,1);
+		if (p->mont != NULL)
+			BN_MONT_CTX_set(p->mont,&(p->c),p->ctx);
+
+		printf("Timing %5d (%2d bit) %2d %2d %2d %2d :",
+			(1<<i)*BN_BITS2,i,
+				BN_get_params(0),
+				BN_get_params(1),
+				BN_get_params(2),
+				BN_get_params(3));
+		fflush(stdout);
+
+		ms_time_get(start);
+		p->func(num,p);
+		ms_time_get(end);
+		d=ms_time_diff(start,end);
+		printf("%6.6f sec, or %d in %.4f seconds\n",
+			(double)d/num,num,d);
+		}
+	}
+
+int time_it(int sec, PARMS *p)
+	{
+	char *start,*end;
+	int i,j;
+	double d;
+
+	if (p->mont != NULL)
+		BN_MONT_CTX_set(p->mont,&(p->c),p->ctx);
+
+	start=ms_time_new();
+	end=ms_time_new();
+
+	i=1;
+	for (;;)
+		{
+		if (verbose)
+			printf("timing %s for %d interations\n",p->name,i);
+
+		ms_time_get(start);
+		p->func(i,p);
+		ms_time_get(end);
+		d=ms_time_diff(start,end);
+
+		if 	(d < 0.01) i*=100;
+		else if (d < 0.1 ) i*=10;
+		else if (d > (double)sec) break;
+		else
+			{
+			i=(int)(1.0*i*sec/d);
+			break;
+			}
+		}
+	if (verbose)
+		printf("using %d interations\n",i);
+	return(i);
+	}
+
+void do_mul_exp(int num, PARMS *p)
+	{
+	int i;
+
+	for (i=0; i<num; i++)
+		BN_mod_exp_mont(&(p->r),&(p->a),&(p->b),&(p->c),
+			p->ctx,p->mont);
+	}
+
+void do_mul(int num, PARMS *p)
+	{
+	int i;
+
+	for (i=0; i<num; i++)
+		BN_mul(&(p->r),&(p->a),&(p->b),p->ctx);
+	}
+
+void do_sqr(int num, PARMS *p)
+	{
+	int i;
+
+	for (i=0; i<num; i++)
+			BN_sqr(&(p->r),&(p->a),p->ctx);
+	}
+
+void do_mul_low(int num, PARMS *p)
+	{
+	int i;
+	
+	for (i=0; i<num; i++)
+		BN_mul_low(&(p->r),&(p->a),&(p->b),p->w,p->ctx);
+	}
+
+void do_mul_high(int num, PARMS *p)
+	{
+	int i;
+
+	for (i=0; i<num; i++)
+		BN_mul_low(&(p->r),&(p->a),&(p->b),&(p->low),p->w,p->ctx);
+	}
+
+void do_from_montgomery(int num, PARMS *p)
+	{
+	int i;
+	
+	for (i=0; i<num; i++)
+		BN_from_montgomery(&(p->r),&(p->a),p->mont,p->ctx);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_prime.c b/crypto/openssl/crypto/bn/bn_prime.c
new file mode 100644
index 0000000..a5f01b9
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_prime.c
@@ -0,0 +1,465 @@
+/* crypto/bn/bn_prime.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+#include <openssl/rand.h>
+
+/* The quick sieve algorithm approach to weeding out primes is
+ * Philip Zimmermann's, as implemented in PGP.  I have had a read of
+ * his comments and implemented my own version.
+ */
+#include "bn_prime.h"
+
+static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+	const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
+static int probable_prime(BIGNUM *rnd, int bits);
+static int probable_prime_dh(BIGNUM *rnd, int bits,
+	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
+	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
+	     BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg)
+	{
+	BIGNUM *rnd=NULL;
+	BIGNUM t;
+	int found=0;
+	int i,j,c1=0;
+	BN_CTX *ctx;
+	int checks = BN_prime_checks_for_size(bits);
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+	if (ret == NULL)
+		{
+		if ((rnd=BN_new()) == NULL) goto err;
+		}
+	else
+		rnd=ret;
+	BN_init(&t);
+loop: 
+	/* make a random number and set the top and bottom bits */
+	if (add == NULL)
+		{
+		if (!probable_prime(rnd,bits)) goto err;
+		}
+	else
+		{
+		if (safe)
+			{
+			if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
+				 goto err;
+			}
+		else
+			{
+			if (!probable_prime_dh(rnd,bits,add,rem,ctx))
+				goto err;
+			}
+		}
+	/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
+	if (callback != NULL) callback(0,c1++,cb_arg);
+
+	if (!safe)
+		{
+		i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0);
+		if (i == -1) goto err;
+		if (i == 0) goto loop;
+		}
+	else
+		{
+		/* for "safe prime" generation,
+		 * check that (p-1)/2 is prime.
+		 * Since a prime is odd, We just
+		 * need to divide by 2 */
+		if (!BN_rshift1(&t,rnd)) goto err;
+
+		for (i=0; i<checks; i++)
+			{
+			j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0);
+			if (j == -1) goto err;
+			if (j == 0) goto loop;
+
+			j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0);
+			if (j == -1) goto err;
+			if (j == 0) goto loop;
+
+			if (callback != NULL) callback(2,c1-1,cb_arg);
+			/* We have a safe prime test pass */
+			}
+		}
+	/* we have a prime :-) */
+	found = 1;
+err:
+	if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
+	BN_free(&t);
+	if (ctx != NULL) BN_CTX_free(ctx);
+	return(found ? rnd : NULL);
+	}
+
+int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int,int,void *),
+	BN_CTX *ctx_passed, void *cb_arg)
+	{
+	return BN_is_prime_fasttest(a, checks, callback, ctx_passed, cb_arg, 0);
+	}
+
+int BN_is_prime_fasttest(const BIGNUM *a, int checks,
+		void (*callback)(int,int,void *),
+		BN_CTX *ctx_passed, void *cb_arg,
+		int do_trial_division)
+	{
+	int i, j, ret = -1;
+	int k;
+	BN_CTX *ctx = NULL;
+	BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
+	BN_MONT_CTX *mont = NULL;
+	const BIGNUM *A = NULL;
+
+	if (checks == BN_prime_checks)
+		checks = BN_prime_checks_for_size(BN_num_bits(a));
+
+	/* first look for small factors */
+	if (!BN_is_odd(a))
+		return(0);
+	if (do_trial_division)
+		{
+		for (i = 1; i < NUMPRIMES; i++)
+			if (BN_mod_word(a, primes[i]) == 0) 
+				return 0;
+		if (callback != NULL) callback(1, -1, cb_arg);
+		}
+
+	if (ctx_passed != NULL)
+		ctx = ctx_passed;
+	else
+		if ((ctx=BN_CTX_new()) == NULL)
+			goto err;
+	BN_CTX_start(ctx);
+
+	/* A := abs(a) */
+	if (a->neg)
+		{
+		BIGNUM *t;
+		if ((t = BN_CTX_get(ctx)) == NULL) goto err;
+		BN_copy(t, a);
+		t->neg = 0;
+		A = t;
+		}
+	else
+		A = a;
+	A1 = BN_CTX_get(ctx);
+	A1_odd = BN_CTX_get(ctx);
+	check = BN_CTX_get(ctx);
+	if (check == NULL) goto err;
+
+	/* compute A1 := A - 1 */
+	if (!BN_copy(A1, A))
+		goto err;
+	if (!BN_sub_word(A1, 1))
+		goto err;
+	if (BN_is_zero(A1))
+		{
+		ret = 0;
+		goto err;
+		}
+
+	/* write  A1  as  A1_odd * 2^k */
+	k = 1;
+	while (!BN_is_bit_set(A1, k))
+		k++;
+	if (!BN_rshift(A1_odd, A1, k))
+		goto err;
+
+	/* Montgomery setup for computations mod A */
+	mont = BN_MONT_CTX_new();
+	if (mont == NULL)
+		goto err;
+	if (!BN_MONT_CTX_set(mont, A, ctx))
+		goto err;
+	
+	for (i = 0; i < checks; i++)
+		{
+		if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
+			goto err;
+		if (BN_cmp(check, A1) >= 0)
+			if (!BN_sub(check, check, A1))
+				goto err;
+		if (!BN_add_word(check, 1))
+			goto err;
+		/* now 1 <= check < A */
+
+		j = witness(check, A, A1, A1_odd, k, ctx, mont);
+		if (j == -1) goto err;
+		if (j)
+			{
+			ret=0;
+			goto err;
+			}
+		if (callback != NULL) callback(1,i,cb_arg);
+		}
+	ret=1;
+err:
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		if (ctx_passed == NULL)
+			BN_CTX_free(ctx);
+		}
+	if (mont != NULL)
+		BN_MONT_CTX_free(mont);
+
+	return(ret);
+	}
+
+static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+	const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont)
+	{
+	if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
+		return -1;
+	if (BN_is_one(w))
+		return 0; /* probably prime */
+	if (BN_cmp(w, a1) == 0)
+		return 0; /* w == -1 (mod a),  'a' is probably prime */
+	while (--k)
+		{
+		if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
+			return -1;
+		if (BN_is_one(w))
+			return 1; /* 'a' is composite, otherwise a previous 'w' would
+			           * have been == -1 (mod 'a') */
+		if (BN_cmp(w, a1) == 0)
+			return 0; /* w == -1 (mod a), 'a' is probably prime */
+		}
+	/* If we get here, 'w' is the (a-1)/2-th power of the original 'w',
+	 * and it is neither -1 nor +1 -- so 'a' cannot be prime */
+	return 1;
+	}
+
+static int probable_prime(BIGNUM *rnd, int bits)
+	{
+	int i;
+	BN_ULONG mods[NUMPRIMES];
+	BN_ULONG delta,d;
+
+again:
+	if (!BN_rand(rnd,bits,1,1)) return(0);
+	/* we now have a random number 'rand' to test. */
+	for (i=1; i<NUMPRIMES; i++)
+		mods[i]=BN_mod_word(rnd,(BN_ULONG)primes[i]);
+	delta=0;
+	loop: for (i=1; i<NUMPRIMES; i++)
+		{
+		/* check that rnd is not a prime and also
+		 * that gcd(rnd-1,primes) == 1 (except for 2) */
+		if (((mods[i]+delta)%primes[i]) <= 1)
+			{
+			d=delta;
+			delta+=2;
+			/* perhaps need to check for overflow of
+			 * delta (but delta can be up to 2^32)
+			 * 21-May-98 eay - added overflow check */
+			if (delta < d) goto again;
+			goto loop;
+			}
+		}
+	if (!BN_add_word(rnd,delta)) return(0);
+	return(1);
+	}
+
+static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
+	     BN_CTX *ctx)
+	{
+	int i,ret=0;
+	BIGNUM *t1;
+
+	BN_CTX_start(ctx);
+	if ((t1 = BN_CTX_get(ctx)) == NULL) goto err;
+
+	if (!BN_rand(rnd,bits,0,1)) goto err;
+
+	/* we need ((rnd-rem) % add) == 0 */
+
+	if (!BN_mod(t1,rnd,add,ctx)) goto err;
+	if (!BN_sub(rnd,rnd,t1)) goto err;
+	if (rem == NULL)
+		{ if (!BN_add_word(rnd,1)) goto err; }
+	else
+		{ if (!BN_add(rnd,rnd,rem)) goto err; }
+
+	/* we now have a random number 'rand' to test. */
+
+	loop: for (i=1; i<NUMPRIMES; i++)
+		{
+		/* check that rnd is a prime */
+		if (BN_mod_word(rnd,(BN_ULONG)primes[i]) <= 1)
+			{
+			if (!BN_add(rnd,rnd,add)) goto err;
+			goto loop;
+			}
+		}
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
+	     BIGNUM *rem, BN_CTX *ctx)
+	{
+	int i,ret=0;
+	BIGNUM *t1,*qadd,*q;
+
+	bits--;
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	q = BN_CTX_get(ctx);
+	qadd = BN_CTX_get(ctx);
+	if (qadd == NULL) goto err;
+
+	if (!BN_rshift1(qadd,padd)) goto err;
+		
+	if (!BN_rand(q,bits,0,1)) goto err;
+
+	/* we need ((rnd-rem) % add) == 0 */
+	if (!BN_mod(t1,q,qadd,ctx)) goto err;
+	if (!BN_sub(q,q,t1)) goto err;
+	if (rem == NULL)
+		{ if (!BN_add_word(q,1)) goto err; }
+	else
+		{
+		if (!BN_rshift1(t1,rem)) goto err;
+		if (!BN_add(q,q,t1)) goto err;
+		}
+
+	/* we now have a random number 'rand' to test. */
+	if (!BN_lshift1(p,q)) goto err;
+	if (!BN_add_word(p,1)) goto err;
+
+	loop: for (i=1; i<NUMPRIMES; i++)
+		{
+		/* check that p and q are prime */
+		/* check that for p and q
+		 * gcd(p-1,primes) == 1 (except for 2) */
+		if (	(BN_mod_word(p,(BN_ULONG)primes[i]) == 0) ||
+			(BN_mod_word(q,(BN_ULONG)primes[i]) == 0))
+			{
+			if (!BN_add(p,p,padd)) goto err;
+			if (!BN_add(q,q,qadd)) goto err;
+			goto loop;
+			}
+		}
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/bn/bn_prime.h b/crypto/openssl/crypto/bn/bn_prime.h
new file mode 100644
index 0000000..b7cf9a9
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_prime.h
@@ -0,0 +1,325 @@
+/* Auto generated by bn_prime.pl */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef EIGHT_BIT
+#define NUMPRIMES 2048
+#else
+#define NUMPRIMES 54
+#endif
+static const unsigned int primes[NUMPRIMES]=
+	{
+	   2,   3,   5,   7,  11,  13,  17,  19,
+	  23,  29,  31,  37,  41,  43,  47,  53,
+	  59,  61,  67,  71,  73,  79,  83,  89,
+	  97, 101, 103, 107, 109, 113, 127, 131,
+	 137, 139, 149, 151, 157, 163, 167, 173,
+	 179, 181, 191, 193, 197, 199, 211, 223,
+	 227, 229, 233, 239, 241, 251,
+#ifndef EIGHT_BIT
+	 257, 263,
+	 269, 271, 277, 281, 283, 293, 307, 311,
+	 313, 317, 331, 337, 347, 349, 353, 359,
+	 367, 373, 379, 383, 389, 397, 401, 409,
+	 419, 421, 431, 433, 439, 443, 449, 457,
+	 461, 463, 467, 479, 487, 491, 499, 503,
+	 509, 521, 523, 541, 547, 557, 563, 569,
+	 571, 577, 587, 593, 599, 601, 607, 613,
+	 617, 619, 631, 641, 643, 647, 653, 659,
+	 661, 673, 677, 683, 691, 701, 709, 719,
+	 727, 733, 739, 743, 751, 757, 761, 769,
+	 773, 787, 797, 809, 811, 821, 823, 827,
+	 829, 839, 853, 857, 859, 863, 877, 881,
+	 883, 887, 907, 911, 919, 929, 937, 941,
+	 947, 953, 967, 971, 977, 983, 991, 997,
+	1009,1013,1019,1021,1031,1033,1039,1049,
+	1051,1061,1063,1069,1087,1091,1093,1097,
+	1103,1109,1117,1123,1129,1151,1153,1163,
+	1171,1181,1187,1193,1201,1213,1217,1223,
+	1229,1231,1237,1249,1259,1277,1279,1283,
+	1289,1291,1297,1301,1303,1307,1319,1321,
+	1327,1361,1367,1373,1381,1399,1409,1423,
+	1427,1429,1433,1439,1447,1451,1453,1459,
+	1471,1481,1483,1487,1489,1493,1499,1511,
+	1523,1531,1543,1549,1553,1559,1567,1571,
+	1579,1583,1597,1601,1607,1609,1613,1619,
+	1621,1627,1637,1657,1663,1667,1669,1693,
+	1697,1699,1709,1721,1723,1733,1741,1747,
+	1753,1759,1777,1783,1787,1789,1801,1811,
+	1823,1831,1847,1861,1867,1871,1873,1877,
+	1879,1889,1901,1907,1913,1931,1933,1949,
+	1951,1973,1979,1987,1993,1997,1999,2003,
+	2011,2017,2027,2029,2039,2053,2063,2069,
+	2081,2083,2087,2089,2099,2111,2113,2129,
+	2131,2137,2141,2143,2153,2161,2179,2203,
+	2207,2213,2221,2237,2239,2243,2251,2267,
+	2269,2273,2281,2287,2293,2297,2309,2311,
+	2333,2339,2341,2347,2351,2357,2371,2377,
+	2381,2383,2389,2393,2399,2411,2417,2423,
+	2437,2441,2447,2459,2467,2473,2477,2503,
+	2521,2531,2539,2543,2549,2551,2557,2579,
+	2591,2593,2609,2617,2621,2633,2647,2657,
+	2659,2663,2671,2677,2683,2687,2689,2693,
+	2699,2707,2711,2713,2719,2729,2731,2741,
+	2749,2753,2767,2777,2789,2791,2797,2801,
+	2803,2819,2833,2837,2843,2851,2857,2861,
+	2879,2887,2897,2903,2909,2917,2927,2939,
+	2953,2957,2963,2969,2971,2999,3001,3011,
+	3019,3023,3037,3041,3049,3061,3067,3079,
+	3083,3089,3109,3119,3121,3137,3163,3167,
+	3169,3181,3187,3191,3203,3209,3217,3221,
+	3229,3251,3253,3257,3259,3271,3299,3301,
+	3307,3313,3319,3323,3329,3331,3343,3347,
+	3359,3361,3371,3373,3389,3391,3407,3413,
+	3433,3449,3457,3461,3463,3467,3469,3491,
+	3499,3511,3517,3527,3529,3533,3539,3541,
+	3547,3557,3559,3571,3581,3583,3593,3607,
+	3613,3617,3623,3631,3637,3643,3659,3671,
+	3673,3677,3691,3697,3701,3709,3719,3727,
+	3733,3739,3761,3767,3769,3779,3793,3797,
+	3803,3821,3823,3833,3847,3851,3853,3863,
+	3877,3881,3889,3907,3911,3917,3919,3923,
+	3929,3931,3943,3947,3967,3989,4001,4003,
+	4007,4013,4019,4021,4027,4049,4051,4057,
+	4073,4079,4091,4093,4099,4111,4127,4129,
+	4133,4139,4153,4157,4159,4177,4201,4211,
+	4217,4219,4229,4231,4241,4243,4253,4259,
+	4261,4271,4273,4283,4289,4297,4327,4337,
+	4339,4349,4357,4363,4373,4391,4397,4409,
+	4421,4423,4441,4447,4451,4457,4463,4481,
+	4483,4493,4507,4513,4517,4519,4523,4547,
+	4549,4561,4567,4583,4591,4597,4603,4621,
+	4637,4639,4643,4649,4651,4657,4663,4673,
+	4679,4691,4703,4721,4723,4729,4733,4751,
+	4759,4783,4787,4789,4793,4799,4801,4813,
+	4817,4831,4861,4871,4877,4889,4903,4909,
+	4919,4931,4933,4937,4943,4951,4957,4967,
+	4969,4973,4987,4993,4999,5003,5009,5011,
+	5021,5023,5039,5051,5059,5077,5081,5087,
+	5099,5101,5107,5113,5119,5147,5153,5167,
+	5171,5179,5189,5197,5209,5227,5231,5233,
+	5237,5261,5273,5279,5281,5297,5303,5309,
+	5323,5333,5347,5351,5381,5387,5393,5399,
+	5407,5413,5417,5419,5431,5437,5441,5443,
+	5449,5471,5477,5479,5483,5501,5503,5507,
+	5519,5521,5527,5531,5557,5563,5569,5573,
+	5581,5591,5623,5639,5641,5647,5651,5653,
+	5657,5659,5669,5683,5689,5693,5701,5711,
+	5717,5737,5741,5743,5749,5779,5783,5791,
+	5801,5807,5813,5821,5827,5839,5843,5849,
+	5851,5857,5861,5867,5869,5879,5881,5897,
+	5903,5923,5927,5939,5953,5981,5987,6007,
+	6011,6029,6037,6043,6047,6053,6067,6073,
+	6079,6089,6091,6101,6113,6121,6131,6133,
+	6143,6151,6163,6173,6197,6199,6203,6211,
+	6217,6221,6229,6247,6257,6263,6269,6271,
+	6277,6287,6299,6301,6311,6317,6323,6329,
+	6337,6343,6353,6359,6361,6367,6373,6379,
+	6389,6397,6421,6427,6449,6451,6469,6473,
+	6481,6491,6521,6529,6547,6551,6553,6563,
+	6569,6571,6577,6581,6599,6607,6619,6637,
+	6653,6659,6661,6673,6679,6689,6691,6701,
+	6703,6709,6719,6733,6737,6761,6763,6779,
+	6781,6791,6793,6803,6823,6827,6829,6833,
+	6841,6857,6863,6869,6871,6883,6899,6907,
+	6911,6917,6947,6949,6959,6961,6967,6971,
+	6977,6983,6991,6997,7001,7013,7019,7027,
+	7039,7043,7057,7069,7079,7103,7109,7121,
+	7127,7129,7151,7159,7177,7187,7193,7207,
+	7211,7213,7219,7229,7237,7243,7247,7253,
+	7283,7297,7307,7309,7321,7331,7333,7349,
+	7351,7369,7393,7411,7417,7433,7451,7457,
+	7459,7477,7481,7487,7489,7499,7507,7517,
+	7523,7529,7537,7541,7547,7549,7559,7561,
+	7573,7577,7583,7589,7591,7603,7607,7621,
+	7639,7643,7649,7669,7673,7681,7687,7691,
+	7699,7703,7717,7723,7727,7741,7753,7757,
+	7759,7789,7793,7817,7823,7829,7841,7853,
+	7867,7873,7877,7879,7883,7901,7907,7919,
+	7927,7933,7937,7949,7951,7963,7993,8009,
+	8011,8017,8039,8053,8059,8069,8081,8087,
+	8089,8093,8101,8111,8117,8123,8147,8161,
+	8167,8171,8179,8191,8209,8219,8221,8231,
+	8233,8237,8243,8263,8269,8273,8287,8291,
+	8293,8297,8311,8317,8329,8353,8363,8369,
+	8377,8387,8389,8419,8423,8429,8431,8443,
+	8447,8461,8467,8501,8513,8521,8527,8537,
+	8539,8543,8563,8573,8581,8597,8599,8609,
+	8623,8627,8629,8641,8647,8663,8669,8677,
+	8681,8689,8693,8699,8707,8713,8719,8731,
+	8737,8741,8747,8753,8761,8779,8783,8803,
+	8807,8819,8821,8831,8837,8839,8849,8861,
+	8863,8867,8887,8893,8923,8929,8933,8941,
+	8951,8963,8969,8971,8999,9001,9007,9011,
+	9013,9029,9041,9043,9049,9059,9067,9091,
+	9103,9109,9127,9133,9137,9151,9157,9161,
+	9173,9181,9187,9199,9203,9209,9221,9227,
+	9239,9241,9257,9277,9281,9283,9293,9311,
+	9319,9323,9337,9341,9343,9349,9371,9377,
+	9391,9397,9403,9413,9419,9421,9431,9433,
+	9437,9439,9461,9463,9467,9473,9479,9491,
+	9497,9511,9521,9533,9539,9547,9551,9587,
+	9601,9613,9619,9623,9629,9631,9643,9649,
+	9661,9677,9679,9689,9697,9719,9721,9733,
+	9739,9743,9749,9767,9769,9781,9787,9791,
+	9803,9811,9817,9829,9833,9839,9851,9857,
+	9859,9871,9883,9887,9901,9907,9923,9929,
+	9931,9941,9949,9967,9973,10007,10009,10037,
+	10039,10061,10067,10069,10079,10091,10093,10099,
+	10103,10111,10133,10139,10141,10151,10159,10163,
+	10169,10177,10181,10193,10211,10223,10243,10247,
+	10253,10259,10267,10271,10273,10289,10301,10303,
+	10313,10321,10331,10333,10337,10343,10357,10369,
+	10391,10399,10427,10429,10433,10453,10457,10459,
+	10463,10477,10487,10499,10501,10513,10529,10531,
+	10559,10567,10589,10597,10601,10607,10613,10627,
+	10631,10639,10651,10657,10663,10667,10687,10691,
+	10709,10711,10723,10729,10733,10739,10753,10771,
+	10781,10789,10799,10831,10837,10847,10853,10859,
+	10861,10867,10883,10889,10891,10903,10909,10937,
+	10939,10949,10957,10973,10979,10987,10993,11003,
+	11027,11047,11057,11059,11069,11071,11083,11087,
+	11093,11113,11117,11119,11131,11149,11159,11161,
+	11171,11173,11177,11197,11213,11239,11243,11251,
+	11257,11261,11273,11279,11287,11299,11311,11317,
+	11321,11329,11351,11353,11369,11383,11393,11399,
+	11411,11423,11437,11443,11447,11467,11471,11483,
+	11489,11491,11497,11503,11519,11527,11549,11551,
+	11579,11587,11593,11597,11617,11621,11633,11657,
+	11677,11681,11689,11699,11701,11717,11719,11731,
+	11743,11777,11779,11783,11789,11801,11807,11813,
+	11821,11827,11831,11833,11839,11863,11867,11887,
+	11897,11903,11909,11923,11927,11933,11939,11941,
+	11953,11959,11969,11971,11981,11987,12007,12011,
+	12037,12041,12043,12049,12071,12073,12097,12101,
+	12107,12109,12113,12119,12143,12149,12157,12161,
+	12163,12197,12203,12211,12227,12239,12241,12251,
+	12253,12263,12269,12277,12281,12289,12301,12323,
+	12329,12343,12347,12373,12377,12379,12391,12401,
+	12409,12413,12421,12433,12437,12451,12457,12473,
+	12479,12487,12491,12497,12503,12511,12517,12527,
+	12539,12541,12547,12553,12569,12577,12583,12589,
+	12601,12611,12613,12619,12637,12641,12647,12653,
+	12659,12671,12689,12697,12703,12713,12721,12739,
+	12743,12757,12763,12781,12791,12799,12809,12821,
+	12823,12829,12841,12853,12889,12893,12899,12907,
+	12911,12917,12919,12923,12941,12953,12959,12967,
+	12973,12979,12983,13001,13003,13007,13009,13033,
+	13037,13043,13049,13063,13093,13099,13103,13109,
+	13121,13127,13147,13151,13159,13163,13171,13177,
+	13183,13187,13217,13219,13229,13241,13249,13259,
+	13267,13291,13297,13309,13313,13327,13331,13337,
+	13339,13367,13381,13397,13399,13411,13417,13421,
+	13441,13451,13457,13463,13469,13477,13487,13499,
+	13513,13523,13537,13553,13567,13577,13591,13597,
+	13613,13619,13627,13633,13649,13669,13679,13681,
+	13687,13691,13693,13697,13709,13711,13721,13723,
+	13729,13751,13757,13759,13763,13781,13789,13799,
+	13807,13829,13831,13841,13859,13873,13877,13879,
+	13883,13901,13903,13907,13913,13921,13931,13933,
+	13963,13967,13997,13999,14009,14011,14029,14033,
+	14051,14057,14071,14081,14083,14087,14107,14143,
+	14149,14153,14159,14173,14177,14197,14207,14221,
+	14243,14249,14251,14281,14293,14303,14321,14323,
+	14327,14341,14347,14369,14387,14389,14401,14407,
+	14411,14419,14423,14431,14437,14447,14449,14461,
+	14479,14489,14503,14519,14533,14537,14543,14549,
+	14551,14557,14561,14563,14591,14593,14621,14627,
+	14629,14633,14639,14653,14657,14669,14683,14699,
+	14713,14717,14723,14731,14737,14741,14747,14753,
+	14759,14767,14771,14779,14783,14797,14813,14821,
+	14827,14831,14843,14851,14867,14869,14879,14887,
+	14891,14897,14923,14929,14939,14947,14951,14957,
+	14969,14983,15013,15017,15031,15053,15061,15073,
+	15077,15083,15091,15101,15107,15121,15131,15137,
+	15139,15149,15161,15173,15187,15193,15199,15217,
+	15227,15233,15241,15259,15263,15269,15271,15277,
+	15287,15289,15299,15307,15313,15319,15329,15331,
+	15349,15359,15361,15373,15377,15383,15391,15401,
+	15413,15427,15439,15443,15451,15461,15467,15473,
+	15493,15497,15511,15527,15541,15551,15559,15569,
+	15581,15583,15601,15607,15619,15629,15641,15643,
+	15647,15649,15661,15667,15671,15679,15683,15727,
+	15731,15733,15737,15739,15749,15761,15767,15773,
+	15787,15791,15797,15803,15809,15817,15823,15859,
+	15877,15881,15887,15889,15901,15907,15913,15919,
+	15923,15937,15959,15971,15973,15991,16001,16007,
+	16033,16057,16061,16063,16067,16069,16073,16087,
+	16091,16097,16103,16111,16127,16139,16141,16183,
+	16187,16189,16193,16217,16223,16229,16231,16249,
+	16253,16267,16273,16301,16319,16333,16339,16349,
+	16361,16363,16369,16381,16411,16417,16421,16427,
+	16433,16447,16451,16453,16477,16481,16487,16493,
+	16519,16529,16547,16553,16561,16567,16573,16603,
+	16607,16619,16631,16633,16649,16651,16657,16661,
+	16673,16691,16693,16699,16703,16729,16741,16747,
+	16759,16763,16787,16811,16823,16829,16831,16843,
+	16871,16879,16883,16889,16901,16903,16921,16927,
+	16931,16937,16943,16963,16979,16981,16987,16993,
+	17011,17021,17027,17029,17033,17041,17047,17053,
+	17077,17093,17099,17107,17117,17123,17137,17159,
+	17167,17183,17189,17191,17203,17207,17209,17231,
+	17239,17257,17291,17293,17299,17317,17321,17327,
+	17333,17341,17351,17359,17377,17383,17387,17389,
+	17393,17401,17417,17419,17431,17443,17449,17467,
+	17471,17477,17483,17489,17491,17497,17509,17519,
+	17539,17551,17569,17573,17579,17581,17597,17599,
+	17609,17623,17627,17657,17659,17669,17681,17683,
+	17707,17713,17729,17737,17747,17749,17761,17783,
+	17789,17791,17807,17827,17837,17839,17851,17863,
+#endif
+	};
diff --git a/crypto/openssl/crypto/bn/bn_prime.pl b/crypto/openssl/crypto/bn/bn_prime.pl
new file mode 100644
index 0000000..9fc3765
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_prime.pl
@@ -0,0 +1,117 @@
+#!/usr/local/bin/perl
+# bn_prime.pl
+
+$num=2048;
+$num=$ARGV[0] if ($#ARGV >= 0);
+
+push(@primes,2);
+$p=1;
+loop: while ($#primes < $num-1)
+	{
+	$p+=2;
+	$s=int(sqrt($p));
+
+	for ($i=0; $primes[$i]<=$s; $i++)
+		{
+		next loop if (($p%$primes[$i]) == 0);
+		}
+	push(@primes,$p);
+	}
+
+# print <<"EOF";
+# /* Auto generated by bn_prime.pl */
+# /* Copyright (C) 1995-1997 Eric Young (eay\@mincom.oz.au).
+#  * All rights reserved.
+#  * Copyright remains Eric Young's, and as such any Copyright notices in
+#  * the code are not to be removed.
+#  * See the COPYRIGHT file in the SSLeay distribution for more details.
+#  */
+# 
+# EOF
+
+print <<\EOF;
+/* Auto generated by bn_prime.pl */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+EOF
+
+for ($i=0; $i <= $#primes; $i++)
+	{
+	if ($primes[$i] > 256)
+		{
+		$eight=$i;
+		last;
+		}
+	}
+
+printf "#ifndef EIGHT_BIT\n";
+printf "#define NUMPRIMES %d\n",$num;
+printf "#else\n";
+printf "#define NUMPRIMES %d\n",$eight;
+printf "#endif\n";
+print "static const unsigned int primes[NUMPRIMES]=\n\t{\n\t";
+$init=0;
+for ($i=0; $i <= $#primes; $i++)
+	{
+	printf "\n#ifndef EIGHT_BIT\n\t" if ($primes[$i] > 256) && !($init++);
+	printf("\n\t") if (($i%8) == 0) && ($i != 0);
+	printf("%4d,",$primes[$i]);
+	}
+print "\n#endif\n\t};\n";
+
+
diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c
new file mode 100644
index 0000000..782a96e
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_print.c
@@ -0,0 +1,332 @@
+/* crypto/bn/bn_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include "bn_lcl.h"
+
+static const char *Hex="0123456789ABCDEF";
+
+/* Must 'Free' the returned data */
+char *BN_bn2hex(const BIGNUM *a)
+	{
+	int i,j,v,z=0;
+	char *buf;
+	char *p;
+
+	buf=(char *)Malloc(a->top*BN_BYTES*2+2);
+	if (buf == NULL)
+		{
+		BNerr(BN_F_BN_BN2HEX,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	p=buf;
+	if (a->neg) *(p++)='-';
+	if (a->top == 0) *(p++)='0';
+	for (i=a->top-1; i >=0; i--)
+		{
+		for (j=BN_BITS2-8; j >= 0; j-=8)
+			{
+			/* strip leading zeros */
+			v=((int)(a->d[i]>>(long)j))&0xff;
+			if (z || (v != 0))
+				{
+				*(p++)=Hex[v>>4];
+				*(p++)=Hex[v&0x0f];
+				z=1;
+				}
+			}
+		}
+	*p='\0';
+err:
+	return(buf);
+	}
+
+/* Must 'Free' the returned data */
+char *BN_bn2dec(const BIGNUM *a)
+	{
+	int i=0,num;
+	char *buf=NULL;
+	char *p;
+	BIGNUM *t=NULL;
+	BN_ULONG *bn_data=NULL,*lp;
+
+	i=BN_num_bits(a)*3;
+	num=(i/10+i/1000+3)+1;
+	bn_data=(BN_ULONG *)Malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
+	buf=(char *)Malloc(num+3);
+	if ((buf == NULL) || (bn_data == NULL))
+		{
+		BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if ((t=BN_dup(a)) == NULL) goto err;
+
+	p=buf;
+	lp=bn_data;
+	if (t->neg) *(p++)='-';
+	if (t->top == 0)
+		{
+		*(p++)='0';
+		*(p++)='\0';
+		}
+	else
+		{
+		i=0;
+		while (!BN_is_zero(t))
+			{
+			*lp=BN_div_word(t,BN_DEC_CONV);
+			lp++;
+			}
+		lp--;
+		/* We now have a series of blocks, BN_DEC_NUM chars
+		 * in length, where the last one needs truncation.
+		 * The blocks need to be reversed in order. */
+		sprintf(p,BN_DEC_FMT1,*lp);
+		while (*p) p++;
+		while (lp != bn_data)
+			{
+			lp--;
+			sprintf(p,BN_DEC_FMT2,*lp);
+			while (*p) p++;
+			}
+		}
+err:
+	if (bn_data != NULL) Free(bn_data);
+	if (t != NULL) BN_free(t);
+	return(buf);
+	}
+
+int BN_hex2bn(BIGNUM **bn, const char *a)
+	{
+	BIGNUM *ret=NULL;
+	BN_ULONG l=0;
+	int neg=0,h,m,i,j,k,c;
+	int num;
+
+	if ((a == NULL) || (*a == '\0')) return(0);
+
+	if (*a == '-') { neg=1; a++; }
+
+	for (i=0; isxdigit((unsigned char) a[i]); i++)
+		;
+
+	num=i+neg;
+	if (bn == NULL) return(num);
+
+	/* a is the start of the hex digits, and it is 'i' long */
+	if (*bn == NULL)
+		{
+		if ((ret=BN_new()) == NULL) return(0);
+		}
+	else
+		{
+		ret= *bn;
+		BN_zero(ret);
+		}
+
+	/* i is the number of hex digests; */
+	if (bn_expand(ret,i*4) == NULL) goto err;
+
+	j=i; /* least significant 'hex' */
+	m=0;
+	h=0;
+	while (j > 0)
+		{
+		m=((BN_BYTES*2) <= j)?(BN_BYTES*2):j;
+		l=0;
+		for (;;)
+			{
+			c=a[j-m];
+			if ((c >= '0') && (c <= '9')) k=c-'0';
+			else if ((c >= 'a') && (c <= 'f')) k=c-'a'+10;
+			else if ((c >= 'A') && (c <= 'F')) k=c-'A'+10;
+			else k=0; /* paranoia */
+			l=(l<<4)|k;
+
+			if (--m <= 0)
+				{
+				ret->d[h++]=l;
+				break;
+				}
+			}
+		j-=(BN_BYTES*2);
+		}
+	ret->top=h;
+	bn_fix_top(ret);
+	ret->neg=neg;
+
+	*bn=ret;
+	return(num);
+err:
+	if (*bn == NULL) BN_free(ret);
+	return(0);
+	}
+
+int BN_dec2bn(BIGNUM **bn, const char *a)
+	{
+	BIGNUM *ret=NULL;
+	BN_ULONG l=0;
+	int neg=0,i,j;
+	int num;
+
+	if ((a == NULL) || (*a == '\0')) return(0);
+	if (*a == '-') { neg=1; a++; }
+
+	for (i=0; isdigit((unsigned char) a[i]); i++)
+		;
+
+	num=i+neg;
+	if (bn == NULL) return(num);
+
+	/* a is the start of the digits, and it is 'i' long.
+	 * We chop it into BN_DEC_NUM digits at a time */
+	if (*bn == NULL)
+		{
+		if ((ret=BN_new()) == NULL) return(0);
+		}
+	else
+		{
+		ret= *bn;
+		BN_zero(ret);
+		}
+
+	/* i is the number of digests, a bit of an over expand; */
+	if (bn_expand(ret,i*4) == NULL) goto err;
+
+	j=BN_DEC_NUM-(i%BN_DEC_NUM);
+	if (j == BN_DEC_NUM) j=0;
+	l=0;
+	while (*a)
+		{
+		l*=10;
+		l+= *a-'0';
+		a++;
+		if (++j == BN_DEC_NUM)
+			{
+			BN_mul_word(ret,BN_DEC_CONV);
+			BN_add_word(ret,l);
+			l=0;
+			j=0;
+			}
+		}
+	ret->neg=neg;
+
+	bn_fix_top(ret);
+	*bn=ret;
+	return(num);
+err:
+	if (*bn == NULL) BN_free(ret);
+	return(0);
+	}
+
+#ifndef NO_BIO
+#ifndef NO_FP_API
+int BN_print_fp(FILE *fp, const BIGNUM *a)
+	{
+	BIO *b;
+	int ret;
+
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		return(0);
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=BN_print(b,a);
+	BIO_free(b);
+	return(ret);
+	}
+#endif
+
+int BN_print(BIO *bp, const BIGNUM *a)
+	{
+	int i,j,v,z=0;
+	int ret=0;
+
+	if ((a->neg) && (BIO_write(bp,"-",1) != 1)) goto end;
+	if ((a->top == 0) && (BIO_write(bp,"0",1) != 1)) goto end;
+	for (i=a->top-1; i >=0; i--)
+		{
+		for (j=BN_BITS2-4; j >= 0; j-=4)
+			{
+			/* strip leading zeros */
+			v=((int)(a->d[i]>>(long)j))&0x0f;
+			if (z || (v != 0))
+				{
+				if (BIO_write(bp,&(Hex[v]),1) != 1)
+					goto end;
+				z=1;
+				}
+			}
+		}
+	ret=1;
+end:
+	return(ret);
+	}
+#endif
+
+#ifdef BN_DEBUG
+void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n)
+	{
+	int i;
+	fprintf(o, "%s=", a);
+	for (i=n-1;i>=0;i--)
+		fprintf(o, "%08lX", b[i]); /* assumes 32-bit BN_ULONG */
+	fprintf(o, "\n");
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c
new file mode 100644
index 0000000..943712c
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_rand.c
@@ -0,0 +1,136 @@
+/* crypto/bn/bn_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+#include <openssl/rand.h>
+
+static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	unsigned char *buf=NULL;
+	int ret=0,bit,bytes,mask;
+	time_t tim;
+
+	bytes=(bits+7)/8;
+	bit=(bits-1)%8;
+	mask=0xff<<bit;
+
+	buf=(unsigned char *)Malloc(bytes);
+	if (buf == NULL)
+		{
+		BNerr(BN_F_BN_RAND,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	/* make a random number and set the top and bottom bits */
+	time(&tim);
+	RAND_add(&tim,sizeof(tim),0);
+
+	if (pseudorand)
+		{
+		if (RAND_pseudo_bytes(buf, bytes) == -1)
+			goto err;
+		}
+	else
+		{
+		if (RAND_bytes(buf, bytes) <= 0)
+			goto err;
+		}
+
+	if (top)
+		{
+		if (bit == 0)
+			{
+			buf[0]=1;
+			buf[1]|=0x80;
+			}
+		else
+			{
+			buf[0]|=(3<<(bit-1));
+			buf[0]&= ~(mask<<1);
+			}
+		}
+	else
+		{
+		buf[0]|=(1<<bit);
+		buf[0]&= ~(mask<<1);
+		}
+	if (bottom) /* set bottom bits to whatever odd is */
+		buf[bytes-1]|=1;
+	if (!BN_bin2bn(buf,bytes,rnd)) goto err;
+	ret=1;
+err:
+	if (buf != NULL)
+		{
+		memset(buf,0,bytes);
+		Free(buf);
+		}
+	return(ret);
+	}
+
+int     BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(0, rnd, bits, top, bottom);
+	}
+
+int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(1, rnd, bits, top, bottom);
+	}
diff --git a/crypto/openssl/crypto/bn/bn_recp.c b/crypto/openssl/crypto/bn/bn_recp.c
new file mode 100644
index 0000000..a8796bd
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_recp.c
@@ -0,0 +1,220 @@
+/* crypto/bn/bn_recp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+void BN_RECP_CTX_init(BN_RECP_CTX *recp)
+	{
+	BN_init(&(recp->N));
+	BN_init(&(recp->Nr));
+	recp->num_bits=0;
+	recp->flags=0;
+	}
+
+BN_RECP_CTX *BN_RECP_CTX_new(void)
+	{
+	BN_RECP_CTX *ret;
+
+	if ((ret=(BN_RECP_CTX *)Malloc(sizeof(BN_RECP_CTX))) == NULL)
+		return(NULL);
+
+	BN_RECP_CTX_init(ret);
+	ret->flags=BN_FLG_MALLOCED;
+	return(ret);
+	}
+
+void BN_RECP_CTX_free(BN_RECP_CTX *recp)
+	{
+	if(recp == NULL)
+	    return;
+
+	BN_free(&(recp->N));
+	BN_free(&(recp->Nr));
+	if (recp->flags & BN_FLG_MALLOCED)
+		Free(recp);
+	}
+
+int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
+	{
+	BN_copy(&(recp->N),d);
+	BN_zero(&(recp->Nr));
+	recp->num_bits=BN_num_bits(d);
+	recp->shift=0;
+	return(1);
+	}
+
+int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BN_RECP_CTX *recp,
+	     BN_CTX *ctx)
+	{
+	int ret=0;
+	BIGNUM *a;
+
+	BN_CTX_start(ctx);
+	if ((a = BN_CTX_get(ctx)) == NULL) goto err;
+	if (y != NULL)
+		{
+		if (x == y)
+			{ if (!BN_sqr(a,x,ctx)) goto err; }
+		else
+			{ if (!BN_mul(a,x,y,ctx)) goto err; }
+		}
+	else
+		a=x; /* Just do the mod */
+
+	BN_div_recp(NULL,r,a,recp,ctx);
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
+	     BN_CTX *ctx)
+	{
+	int i,j,ret=0;
+	BIGNUM *a,*b,*d,*r;
+
+	BN_CTX_start(ctx);
+	a=BN_CTX_get(ctx);
+	b=BN_CTX_get(ctx);
+	if (dv != NULL)
+		d=dv;
+	else
+		d=BN_CTX_get(ctx);
+	if (rem != NULL)
+		r=rem;
+	else
+		r=BN_CTX_get(ctx);
+	if (a == NULL || b == NULL || d == NULL || r == NULL) goto err;
+
+	if (BN_ucmp(m,&(recp->N)) < 0)
+		{
+		BN_zero(d);
+		BN_copy(r,m);
+		BN_CTX_end(ctx);
+		return(1);
+		}
+
+	/* We want the remainder
+	 * Given input of ABCDEF / ab
+	 * we need multiply ABCDEF by 3 digests of the reciprocal of ab
+	 *
+	 */
+	i=BN_num_bits(m);
+
+	j=recp->num_bits<<1;
+	if (j>i) i=j;
+	j>>=1;
+
+	if (i != recp->shift)
+		recp->shift=BN_reciprocal(&(recp->Nr),&(recp->N),
+			i,ctx);
+
+	if (!BN_rshift(a,m,j)) goto err;
+	if (!BN_mul(b,a,&(recp->Nr),ctx)) goto err;
+	if (!BN_rshift(d,b,i-j)) goto err;
+	d->neg=0;
+	if (!BN_mul(b,&(recp->N),d,ctx)) goto err;
+	if (!BN_usub(r,m,b)) goto err;
+	r->neg=0;
+
+#if 1
+	j=0;
+	while (BN_ucmp(r,&(recp->N)) >= 0)
+		{
+		if (j++ > 2)
+			{
+			BNerr(BN_F_BN_MOD_MUL_RECIPROCAL,BN_R_BAD_RECIPROCAL);
+			goto err;
+			}
+		if (!BN_usub(r,r,&(recp->N))) goto err;
+		if (!BN_add_word(d,1)) goto err;
+		}
+#endif
+
+	r->neg=BN_is_zero(r)?0:m->neg;
+	d->neg=m->neg^recp->N.neg;
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
+	} 
+
+/* len is the expected size of the result
+ * We actually calculate with an extra word of precision, so
+ * we can do faster division if the remainder is not required.
+ */
+int BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx)
+	{
+	int ret= -1;
+	BIGNUM t;
+
+	BN_init(&t);
+
+	BN_zero(&t);
+	if (!BN_set_bit(&t,len)) goto err;
+
+	if (!BN_div(r,NULL,&t,m,ctx)) goto err;
+	ret=len;
+err:
+	BN_free(&t);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_shift.c b/crypto/openssl/crypto/bn/bn_shift.c
new file mode 100644
index 0000000..61aae65
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_shift.c
@@ -0,0 +1,200 @@
+/* crypto/bn/bn_shift.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+int BN_lshift1(BIGNUM *r, BIGNUM *a)
+	{
+	register BN_ULONG *ap,*rp,t,c;
+	int i;
+
+	if (r != a)
+		{
+		r->neg=a->neg;
+		if (bn_wexpand(r,a->top+1) == NULL) return(0);
+		r->top=a->top;
+		}
+	else
+		{
+		if (bn_wexpand(r,a->top+1) == NULL) return(0);
+		}
+	ap=a->d;
+	rp=r->d;
+	c=0;
+	for (i=0; i<a->top; i++)
+		{
+		t= *(ap++);
+		*(rp++)=((t<<1)|c)&BN_MASK2;
+		c=(t & BN_TBIT)?1:0;
+		}
+	if (c)
+		{
+		*rp=1;
+		r->top++;
+		}
+	return(1);
+	}
+
+int BN_rshift1(BIGNUM *r, BIGNUM *a)
+	{
+	BN_ULONG *ap,*rp,t,c;
+	int i;
+
+	if (BN_is_zero(a))
+		{
+		BN_zero(r);
+		return(1);
+		}
+	if (a != r)
+		{
+		if (bn_wexpand(r,a->top) == NULL) return(0);
+		r->top=a->top;
+		r->neg=a->neg;
+		}
+	ap=a->d;
+	rp=r->d;
+	c=0;
+	for (i=a->top-1; i>=0; i--)
+		{
+		t=ap[i];
+		rp[i]=((t>>1)&BN_MASK2)|c;
+		c=(t&1)?BN_TBIT:0;
+		}
+	bn_fix_top(r);
+	return(1);
+	}
+
+int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
+	{
+	int i,nw,lb,rb;
+	BN_ULONG *t,*f;
+	BN_ULONG l;
+
+	r->neg=a->neg;
+	if (bn_wexpand(r,a->top+(n/BN_BITS2)+1) == NULL) return(0);
+	nw=n/BN_BITS2;
+	lb=n%BN_BITS2;
+	rb=BN_BITS2-lb;
+	f=a->d;
+	t=r->d;
+	t[a->top+nw]=0;
+	if (lb == 0)
+		for (i=a->top-1; i>=0; i--)
+			t[nw+i]=f[i];
+	else
+		for (i=a->top-1; i>=0; i--)
+			{
+			l=f[i];
+			t[nw+i+1]|=(l>>rb)&BN_MASK2;
+			t[nw+i]=(l<<lb)&BN_MASK2;
+			}
+	memset(t,0,nw*sizeof(t[0]));
+/*	for (i=0; i<nw; i++)
+		t[i]=0;*/
+	r->top=a->top+nw+1;
+	bn_fix_top(r);
+	return(1);
+	}
+
+int BN_rshift(BIGNUM *r, BIGNUM *a, int n)
+	{
+	int i,j,nw,lb,rb;
+	BN_ULONG *t,*f;
+	BN_ULONG l,tmp;
+
+	nw=n/BN_BITS2;
+	rb=n%BN_BITS2;
+	lb=BN_BITS2-rb;
+	if (nw > a->top)
+		{
+		BN_zero(r);
+		return(1);
+		}
+	if (r != a)
+		{
+		r->neg=a->neg;
+		if (bn_wexpand(r,a->top-nw+1) == NULL) return(0);
+		}
+
+	f= &(a->d[nw]);
+	t=r->d;
+	j=a->top-nw;
+	r->top=j;
+
+	if (rb == 0)
+		{
+		for (i=j+1; i > 0; i--)
+			*(t++)= *(f++);
+		}
+	else
+		{
+		l= *(f++);
+		for (i=1; i<j; i++)
+			{
+			tmp =(l>>rb)&BN_MASK2;
+			l= *(f++);
+			*(t++) =(tmp|(l<<lb))&BN_MASK2;
+			}
+		*(t++) =(l>>rb)&BN_MASK2;
+		}
+	*t=0;
+	bn_fix_top(r);
+	return(1);
+	}
diff --git a/crypto/openssl/crypto/bn/bn_sqr.c b/crypto/openssl/crypto/bn/bn_sqr.c
new file mode 100644
index 0000000..fe00c5f
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_sqr.c
@@ -0,0 +1,288 @@
+/* crypto/bn/bn_sqr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* r must not be a */
+/* I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96 */
+int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx)
+	{
+	int max,al;
+	int ret = 0;
+	BIGNUM *tmp,*rr;
+
+#ifdef BN_COUNT
+printf("BN_sqr %d * %d\n",a->top,a->top);
+#endif
+	bn_check_top(a);
+
+	al=a->top;
+	if (al <= 0)
+		{
+		r->top=0;
+		return(1);
+		}
+
+	BN_CTX_start(ctx);
+	rr=(a != r) ? r : BN_CTX_get(ctx);
+	tmp=BN_CTX_get(ctx);
+	if (tmp == NULL) goto err;
+
+	max=(al+al);
+	if (bn_wexpand(rr,max+1) == NULL) goto err;
+
+	r->neg=0;
+	if (al == 4)
+		{
+#ifndef BN_SQR_COMBA
+		BN_ULONG t[8];
+		bn_sqr_normal(rr->d,a->d,4,t);
+#else
+		bn_sqr_comba4(rr->d,a->d);
+#endif
+		}
+	else if (al == 8)
+		{
+#ifndef BN_SQR_COMBA
+		BN_ULONG t[16];
+		bn_sqr_normal(rr->d,a->d,8,t);
+#else
+		bn_sqr_comba8(rr->d,a->d);
+#endif
+		}
+	else 
+		{
+#if defined(BN_RECURSION)
+		if (al < BN_SQR_RECURSIVE_SIZE_NORMAL)
+			{
+			BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL*2];
+			bn_sqr_normal(rr->d,a->d,al,t);
+			}
+		else
+			{
+			int j,k;
+
+			j=BN_num_bits_word((BN_ULONG)al);
+			j=1<<(j-1);
+			k=j+j;
+			if (al == j)
+				{
+				if (bn_wexpand(a,k*2) == NULL) goto err;
+				if (bn_wexpand(tmp,k*2) == NULL) goto err;
+				bn_sqr_recursive(rr->d,a->d,al,tmp->d);
+				}
+			else
+				{
+				if (bn_wexpand(tmp,max) == NULL) goto err;
+				bn_sqr_normal(rr->d,a->d,al,tmp->d);
+				}
+			}
+#else
+		if (bn_wexpand(tmp,max) == NULL) goto err;
+		bn_sqr_normal(rr->d,a->d,al,tmp->d);
+#endif
+		}
+
+	rr->top=max;
+	if ((max > 0) && (rr->d[max-1] == 0)) rr->top--;
+	if (rr != r) BN_copy(r,rr);
+	ret = 1;
+ err:
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
+/* tmp must have 2*n words */
+void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp)
+	{
+	int i,j,max;
+	BN_ULONG *ap,*rp;
+
+	max=n*2;
+	ap=a;
+	rp=r;
+	rp[0]=rp[max-1]=0;
+	rp++;
+	j=n;
+
+	if (--j > 0)
+		{
+		ap++;
+		rp[j]=bn_mul_words(rp,ap,j,ap[-1]);
+		rp+=2;
+		}
+
+	for (i=n-2; i>0; i--)
+		{
+		j--;
+		ap++;
+		rp[j]=bn_mul_add_words(rp,ap,j,ap[-1]);
+		rp+=2;
+		}
+
+	bn_add_words(r,r,r,max);
+
+	/* There will not be a carry */
+
+	bn_sqr_words(tmp,a,n);
+
+	bn_add_words(r,r,tmp,max);
+	}
+
+#ifdef BN_RECURSION
+/* r is 2*n words in size,
+ * a and b are both n words in size.
+ * n must be a power of 2.
+ * We multiply and return the result.
+ * t must be 2*n words in size
+ * We calculate
+ * a[0]*b[0]
+ * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+ * a[1]*b[1]
+ */
+void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *t)
+	{
+	int n=n2/2;
+	int zero,c1;
+	BN_ULONG ln,lo,*p;
+
+#ifdef BN_COUNT
+printf(" bn_sqr_recursive %d * %d\n",n2,n2);
+#endif
+	if (n2 == 4)
+		{
+#ifndef BN_SQR_COMBA
+		bn_sqr_normal(r,a,4,t);
+#else
+		bn_sqr_comba4(r,a);
+#endif
+		return;
+		}
+	else if (n2 == 8)
+		{
+#ifndef BN_SQR_COMBA
+		bn_sqr_normal(r,a,8,t);
+#else
+		bn_sqr_comba8(r,a);
+#endif
+		return;
+		}
+	if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL)
+		{
+		bn_sqr_normal(r,a,n2,t);
+		return;
+		}
+	/* r=(a[0]-a[1])*(a[1]-a[0]) */
+	c1=bn_cmp_words(a,&(a[n]),n);
+	zero=0;
+	if (c1 > 0)
+		bn_sub_words(t,a,&(a[n]),n);
+	else if (c1 < 0)
+		bn_sub_words(t,&(a[n]),a,n);
+	else
+		zero=1;
+
+	/* The result will always be negative unless it is zero */
+	p= &(t[n2*2]);
+
+	if (!zero)
+		bn_sqr_recursive(&(t[n2]),t,n,p);
+	else
+		memset(&(t[n2]),0,n*sizeof(BN_ULONG));
+	bn_sqr_recursive(r,a,n,p);
+	bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
+
+	/* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=(int)(bn_add_words(t,r,&(r[n2]),n2));
+
+	/* t[32] is negative */
+	c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
+
+	/* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+	 * r[10] holds (a[0]*a[0])
+	 * r[32] holds (a[1]*a[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=(int)(bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2));
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < (BN_ULONG)c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/bn_word.c b/crypto/openssl/crypto/bn/bn_word.c
new file mode 100644
index 0000000..73157a7
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_word.c
@@ -0,0 +1,194 @@
+/* crypto/bn/bn_word.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
+	{
+#ifndef BN_LLONG
+	BN_ULONG ret=0;
+#else
+	BN_ULLONG ret=0;
+#endif
+	int i;
+
+	w&=BN_MASK2;
+	for (i=a->top-1; i>=0; i--)
+		{
+#ifndef BN_LLONG
+		ret=((ret<<BN_BITS4)|((a->d[i]>>BN_BITS4)&BN_MASK2l))%w;
+		ret=((ret<<BN_BITS4)|(a->d[i]&BN_MASK2l))%w;
+#else
+		ret=(BN_ULLONG)(((ret<<(BN_ULLONG)BN_BITS2)|a->d[i])%
+			(BN_ULLONG)w);
+#endif
+		}
+	return((BN_ULONG)ret);
+	}
+
+BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
+	{
+	BN_ULONG ret;
+	int i;
+
+	if (a->top == 0) return(0);
+	ret=0;
+	w&=BN_MASK2;
+	for (i=a->top-1; i>=0; i--)
+		{
+		BN_ULONG l,d;
+		
+		l=a->d[i];
+		d=bn_div_words(ret,l,w);
+		ret=(l-((d*w)&BN_MASK2))&BN_MASK2;
+		a->d[i]=d;
+		}
+	if ((a->top > 0) && (a->d[a->top-1] == 0))
+		a->top--;
+	return(ret);
+	}
+
+int BN_add_word(BIGNUM *a, BN_ULONG w)
+	{
+	BN_ULONG l;
+	int i;
+
+	if (a->neg)
+		{
+		a->neg=0;
+		i=BN_sub_word(a,w);
+		if (!BN_is_zero(a))
+			a->neg=1;
+		return(i);
+		}
+	w&=BN_MASK2;
+	if (bn_wexpand(a,a->top+1) == NULL) return(0);
+	i=0;
+	for (;;)
+		{
+		l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+		a->d[i]=l;
+		if (w > l)
+			w=1;
+		else
+			break;
+		i++;
+		}
+	if (i >= a->top)
+		a->top++;
+	return(1);
+	}
+
+int BN_sub_word(BIGNUM *a, BN_ULONG w)
+	{
+	int i;
+
+	if (a->neg)
+		{
+		a->neg=0;
+		i=BN_add_word(a,w);
+		a->neg=1;
+		return(i);
+		}
+
+	w&=BN_MASK2;
+	if ((a->top == 1) && (a->d[0] < w))
+		{
+		a->d[0]=w-a->d[0];
+		a->neg=1;
+		return(1);
+		}
+	i=0;
+	for (;;)
+		{
+		if (a->d[i] >= w)
+			{
+			a->d[i]-=w;
+			break;
+			}
+		else
+			{
+			a->d[i]=(a->d[i]-w)&BN_MASK2;
+			i++;
+			w=1;
+			}
+		}
+	if ((a->d[i] == 0) && (i == (a->top-1)))
+		a->top--;
+	return(1);
+	}
+
+int BN_mul_word(BIGNUM *a, BN_ULONG w)
+	{
+	BN_ULONG ll;
+
+	w&=BN_MASK2;
+	if (a->top)
+		{
+		ll=bn_mul_words(a->d,a->d,a->top,w);
+		if (ll)
+			{
+			if (bn_wexpand(a,a->top+1) == NULL) return(0);
+			a->d[a->top++]=ll;
+			}
+		}
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bnspeed.c b/crypto/openssl/crypto/bn/bnspeed.c
new file mode 100644
index 0000000..20fc7e0
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bnspeed.c
@@ -0,0 +1,233 @@
+/* unused */
+
+/* crypto/bn/bnspeed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* most of this code has been pilfered from my libdes speed.c program */
+
+#define BASENUM	1000000
+#undef PROG
+#define PROG bnspeed_main
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/x509.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#undef BUFSIZE
+#define BUFSIZE	((long)1024*8)
+int run=0;
+
+static double Time_F(int s);
+#define START	0
+#define STOP	1
+
+static double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret < 1e-3)?1e-3:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret < 0.001)?0.001:ret);
+		}
+#endif
+	}
+
+#define NUM_SIZES	5
+static int sizes[NUM_SIZES]={128,256,512,1024,2048};
+/*static int sizes[NUM_SIZES]={59,179,299,419,539}; */
+
+void do_mul(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_CTX *ctx); 
+
+int main(int argc, char **argv)
+	{
+	BN_CTX *ctx;
+	BIGNUM a,b,c;
+
+	ctx=BN_CTX_new();
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+
+	do_mul(&a,&b,&c,ctx);
+	}
+
+void do_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+	{
+	int i,j,k;
+	double tm;
+	long num;
+
+	for (i=0; i<NUM_SIZES; i++)
+		{
+		num=BASENUM;
+		if (i) num/=(i*3);
+		BN_rand(a,sizes[i],1,0);
+		for (j=i; j<NUM_SIZES; j++)
+			{
+			BN_rand(b,sizes[j],1,0);
+			Time_F(START);
+			for (k=0; k<num; k++)
+				BN_mul(r,b,a,ctx);
+			tm=Time_F(STOP);
+			printf("mul %4d x %4d -> %8.3fms\n",sizes[i],sizes[j],tm*1000.0/num);
+			}
+		}
+
+	for (i=0; i<NUM_SIZES; i++)
+		{
+		num=BASENUM;
+		if (i) num/=(i*3);
+		BN_rand(a,sizes[i],1,0);
+		Time_F(START);
+		for (k=0; k<num; k++)
+			BN_sqr(r,a,ctx);
+		tm=Time_F(STOP);
+		printf("sqr %4d x %4d -> %8.3fms\n",sizes[i],sizes[i],tm*1000.0/num);
+		}
+
+	for (i=0; i<NUM_SIZES; i++)
+		{
+		num=BASENUM/10;
+		if (i) num/=(i*3);
+		BN_rand(a,sizes[i]-1,1,0);
+		for (j=i; j<NUM_SIZES; j++)
+			{
+			BN_rand(b,sizes[j],1,0);
+			Time_F(START);
+			for (k=0; k<100000; k++)
+				BN_div(r, NULL, b, a,ctx);
+			tm=Time_F(STOP);
+			printf("div %4d / %4d -> %8.3fms\n",sizes[j],sizes[i]-1,tm*1000.0/num);
+			}
+		}
+	}
+
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
new file mode 100644
index 0000000..0a97af6
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -0,0 +1,1078 @@
+/* crypto/bn/bntest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+
+#ifdef WINDOWS
+#include "../bio/bss_file.c"
+#endif
+
+const int num0 = 100; /* number of tests */
+const int num1 = 50;  /* additional tests for some functions */
+const int num2 = 5;   /* number of tests for slow functions */
+
+int test_add(BIO *bp);
+int test_sub(BIO *bp);
+int test_lshift1(BIO *bp);
+int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_);
+int test_rshift1(BIO *bp);
+int test_rshift(BIO *bp,BN_CTX *ctx);
+int test_div(BIO *bp,BN_CTX *ctx);
+int test_div_recp(BIO *bp,BN_CTX *ctx);
+int test_mul(BIO *bp);
+int test_sqr(BIO *bp,BN_CTX *ctx);
+int test_mont(BIO *bp,BN_CTX *ctx);
+int test_mod(BIO *bp,BN_CTX *ctx);
+int test_mod_mul(BIO *bp,BN_CTX *ctx);
+int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_exp(BIO *bp,BN_CTX *ctx);
+int rand_neg(void);
+static int results=0;
+
+#ifdef NO_STDIO
+#define APPS_WIN16
+#include "bss_file.c"
+#endif
+
+static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
+"\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+static void message(BIO *out, char *m)
+	{
+	fprintf(stderr, "test %s\n", m);
+#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */
+	BIO_puts(out, "print \"test ");
+	BIO_puts(out, m);
+	BIO_puts(out, "\\n\"\n");
+#endif
+	}
+
+int main(int argc, char *argv[])
+	{
+	BN_CTX *ctx;
+	BIO *out;
+	char *outfile=NULL;
+
+	results = 0;
+
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
+	                                       * even check its return value
+	                                       * (which we should) */
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if (strcmp(*argv,"-results") == 0)
+			results=1;
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) break;
+			outfile= *(++argv);
+			}
+		argc--;
+		argv++;
+		}
+
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) exit(1);
+
+	out=BIO_new(BIO_s_file());
+	if (out == NULL) exit(1);
+	if (outfile == NULL)
+		{
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+		}
+	else
+		{
+		if (!BIO_write_filename(out,outfile))
+			{
+			perror(outfile);
+			exit(1);
+			}
+		}
+
+	if (!results)
+		BIO_puts(out,"obase=16\nibase=16\n");
+
+	message(out,"BN_add");
+	if (!test_add(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_sub");
+	if (!test_sub(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_lshift1");
+	if (!test_lshift1(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_lshift (fixed)");
+	if (!test_lshift(out,ctx,BN_bin2bn(lst,sizeof(lst)-1,NULL)))
+	    goto err;
+	BIO_flush(out);
+
+	message(out,"BN_lshift");
+	if (!test_lshift(out,ctx,NULL)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_rshift1");
+	if (!test_rshift1(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_rshift");
+	if (!test_rshift(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_sqr");
+	if (!test_sqr(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_mul");
+	if (!test_mul(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_div");
+	if (!test_div(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_div_recp");
+	if (!test_div_recp(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_mod");
+	if (!test_mod(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_mod_mul");
+	if (!test_mod_mul(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_mont");
+	if (!test_mont(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_mod_exp");
+	if (!test_mod_exp(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_exp");
+	if (!test_exp(out,ctx)) goto err;
+	BIO_flush(out);
+
+	BN_CTX_free(ctx);
+	BIO_free(out);
+
+/**/
+	exit(0);
+err:
+	BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
+	                      * the failure, see test_bn in test/Makefile.ssl*/
+	BIO_flush(out);
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	return(1);
+	}
+
+int test_add(BIO *bp)
+	{
+	BIGNUM a,b,c;
+	int i;
+	int j;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+
+	BN_rand(&a,512,0,0);
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(&b,450+i,0,0);
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		if (bp == NULL)
+			for (j=0; j<10000; j++)
+				BN_add(&c,&a,&b);
+		BN_add(&c,&a,&b);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," + ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		a.neg=!a.neg;
+		b.neg=!b.neg;
+		BN_add(&c,&c,&b);
+		BN_add(&c,&c,&a);
+		if(!BN_is_zero(&c))
+		    {
+		    fprintf(stderr,"Add test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	return(1);
+	}
+
+int test_sub(BIO *bp)
+	{
+	BIGNUM a,b,c;
+	int i;
+	int j;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+
+	for (i=0; i<num0+num1; i++)
+		{
+		if (i < num1)
+			{
+			BN_rand(&a,512,0,0);
+			BN_copy(&b,&a);
+			if (BN_set_bit(&a,i)==0) return(0);
+			BN_add_word(&b,i);
+			}
+		else
+			{
+			BN_rand(&b,400+i-num1,0,0);
+			a.neg=rand_neg();
+			b.neg=rand_neg();
+			}
+		if (bp == NULL)
+			for (j=0; j<10000; j++)
+				BN_sub(&c,&a,&b);
+		BN_sub(&c,&a,&b);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," - ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		BN_add(&c,&c,&b);
+		BN_sub(&c,&c,&a);
+		if(!BN_is_zero(&c))
+		    {
+		    fprintf(stderr,"Subtract test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	return(1);
+	}
+
+int test_div(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM a,b,c,d,e;
+	int i;
+	int j;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+	BN_init(&d);
+	BN_init(&e);
+
+	for (i=0; i<num0+num1; i++)
+		{
+		if (i < num1)
+			{
+			BN_rand(&a,400,0,0);
+			BN_copy(&b,&a);
+			BN_lshift(&a,&a,i);
+			BN_add_word(&a,i);
+			}
+		else
+			BN_rand(&b,50+3*(i-num1),0,0);
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_div(&d,&c,&a,&b,ctx);
+		BN_div(&d,&c,&a,&b,ctx);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," / ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&d);
+			BIO_puts(bp,"\n");
+
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," % ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul(&e,&d,&b,ctx);
+		BN_add(&d,&e,&c);
+		BN_sub(&d,&d,&a);
+		if(!BN_is_zero(&d))
+		    {
+		    fprintf(stderr,"Division test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	BN_free(&d);
+	BN_free(&e);
+	return(1);
+	}
+
+int test_div_recp(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM a,b,c,d,e;
+	BN_RECP_CTX recp;
+	int i;
+	int j;
+
+	BN_RECP_CTX_init(&recp);
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+	BN_init(&d);
+	BN_init(&e);
+
+	for (i=0; i<num0+num1; i++)
+		{
+		if (i < num1)
+			{
+			BN_rand(&a,400,0,0);
+			BN_copy(&b,&a);
+			BN_lshift(&a,&a,i);
+			BN_add_word(&a,i);
+			}
+		else
+			BN_rand(&b,50+3*(i-num1),0,0);
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		BN_RECP_CTX_set(&recp,&b,ctx);
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_div_recp(&d,&c,&a,&recp,ctx);
+		BN_div_recp(&d,&c,&a,&recp,ctx);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," / ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&d);
+			BIO_puts(bp,"\n");
+
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," % ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul(&e,&d,&b,ctx);
+		BN_add(&d,&e,&c);
+		BN_sub(&d,&d,&a);
+		if(!BN_is_zero(&d))
+		    {
+		    fprintf(stderr,"Reciprocal division test failed!\n");
+		    fprintf(stderr,"a=");
+		    BN_print_fp(stderr,&a);
+		    fprintf(stderr,"\nb=");
+		    BN_print_fp(stderr,&b);
+		    fprintf(stderr,"\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	BN_free(&d);
+	BN_free(&e);
+	BN_RECP_CTX_free(&recp);
+	return(1);
+	}
+
+int test_mul(BIO *bp)
+	{
+	BIGNUM a,b,c,d,e;
+	int i;
+	int j;
+	BN_CTX ctx;
+
+	BN_CTX_init(&ctx);
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+	BN_init(&d);
+	BN_init(&e);
+
+	for (i=0; i<num0+num1; i++)
+		{
+		if (i <= num1)
+			{
+			BN_rand(&a,100,0,0);
+			BN_rand(&b,100,0,0);
+			}
+		else
+			BN_rand(&b,i-num1,0,0);
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_mul(&c,&a,&b,&ctx);
+		BN_mul(&c,&a,&b,&ctx);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," * ");
+				BN_print(bp,&b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		BN_div(&d,&e,&c,&a,&ctx);
+		BN_sub(&d,&d,&b);
+		if(!BN_is_zero(&d) || !BN_is_zero(&e))
+		    {
+		    fprintf(stderr,"Multiplication test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	BN_free(&d);
+	BN_free(&e);
+	BN_CTX_free(&ctx);
+	return(1);
+	}
+
+int test_sqr(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM a,c,d,e;
+	int i;
+	int j;
+
+	BN_init(&a);
+	BN_init(&c);
+	BN_init(&d);
+	BN_init(&e);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(&a,40+i*10,0,0);
+		a.neg=rand_neg();
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_sqr(&c,&a,ctx);
+		BN_sqr(&c,&a,ctx);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," * ");
+				BN_print(bp,&a);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+		BN_div(&d,&e,&c,&a,ctx);
+		BN_sub(&d,&d,&a);
+		if(!BN_is_zero(&d) || !BN_is_zero(&e))
+		    {
+		    fprintf(stderr,"Square test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&c);
+	BN_free(&d);
+	BN_free(&e);
+	return(1);
+	}
+
+int test_mont(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM a,b,c,d,A,B;
+	BIGNUM n;
+	int i;
+	int j;
+	BN_MONT_CTX *mont;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+	BN_init(&d);
+	BN_init(&A);
+	BN_init(&B);
+	BN_init(&n);
+
+	mont=BN_MONT_CTX_new();
+
+	BN_rand(&a,100,0,0); /**/
+	BN_rand(&b,100,0,0); /**/
+	for (i=0; i<num2; i++)
+		{
+		int bits = (200*(i+1))/num2;
+
+		if (bits == 0)
+			continue;
+		BN_rand(&n,bits,0,1);
+		BN_MONT_CTX_set(mont,&n,ctx);
+
+		BN_to_montgomery(&A,&a,mont,ctx);
+		BN_to_montgomery(&B,&b,mont,ctx);
+
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
+		BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
+		BN_from_montgomery(&A,&c,mont,ctx);/**/
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+#ifdef undef
+fprintf(stderr,"%d * %d %% %d\n",
+BN_num_bits(&a),
+BN_num_bits(&b),
+BN_num_bits(mont->N));
+#endif
+				BN_print(bp,&a);
+				BIO_puts(bp," * ");
+				BN_print(bp,&b);
+				BIO_puts(bp," % ");
+				BN_print(bp,&(mont->N));
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&A);
+			BIO_puts(bp,"\n");
+			}
+		BN_mod_mul(&d,&a,&b,&n,ctx);
+		BN_sub(&d,&d,&A);
+		if(!BN_is_zero(&d))
+		    {
+		    fprintf(stderr,"Montgomery multiplication test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_MONT_CTX_free(mont);
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	BN_free(&d);
+	BN_free(&A);
+	BN_free(&B);
+	BN_free(&n);
+	return(1);
+	}
+
+int test_mod(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+	int j;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_rand(a,1024,0,0); /**/
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(b,450+i*10,0,0); /**/
+		a->neg=rand_neg();
+		b->neg=rand_neg();
+		if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_mod(c,a,b,ctx);/**/
+		BN_mod(c,a,b,ctx);/**/
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," % ");
+				BN_print(bp,b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,c);
+			BIO_puts(bp,"\n");
+			}
+		BN_div(d,e,a,b,ctx);
+		BN_sub(e,e,c);
+		if(!BN_is_zero(e))
+		    {
+		    fprintf(stderr,"Modulo test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
+int test_mod_mul(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_rand(c,1024,0,0); /**/
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(a,475+i*10,0,0); /**/
+		BN_rand(b,425+i*11,0,0); /**/
+		a->neg=rand_neg();
+		b->neg=rand_neg();
+	/*	if (bp == NULL)
+			for (j=0; j<100; j++)
+				BN_mod_mul(d,a,b,c,ctx);*/ /**/
+
+		if (!BN_mod_mul(e,a,b,c,ctx))
+			{
+			unsigned long l;
+
+			while ((l=ERR_get_error()))
+				fprintf(stderr,"ERROR:%s\n",
+					ERR_error_string(l,NULL));
+			exit(1);
+			}
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," * ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,e);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul(d,a,b,ctx);
+		BN_sub(d,d,e);
+		BN_div(a,b,d,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo multiply test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
+int test_mod_exp(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_rand(c,30,0,1); /* must be odd for montgomery */
+	for (i=0; i<num2; i++)
+		{
+		BN_rand(a,20+i*5,0,0); /**/
+		BN_rand(b,2+i,0,0); /**/
+
+		if (!BN_mod_exp(d,a,b,c,ctx))
+			return(00);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_exp(e,a,b,ctx);
+		BN_sub(e,e,d);
+		BN_div(a,b,e,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
+int test_exp(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*d,*e,*one;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	d=BN_new();
+	e=BN_new();
+	one=BN_new();
+	BN_one(one);
+
+	for (i=0; i<num2; i++)
+		{
+		BN_rand(a,20+i*5,0,0); /**/
+		BN_rand(b,2+i,0,0); /**/
+
+		if (!BN_exp(d,a,b,ctx))
+			return(00);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_one(e);
+		for( ; !BN_is_zero(b) ; BN_sub(b,b,one))
+		    BN_mul(e,e,a,ctx);
+		BN_sub(e,e,d);
+		if(!BN_is_zero(e))
+		    {
+		    fprintf(stderr,"Exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(d);
+	BN_free(e);
+	BN_free(one);
+	return(1);
+	}
+
+int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
+	{
+	BIGNUM *a,*b,*c,*d;
+	int i;
+
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	BN_one(c);
+
+	if(a_)
+	    a=a_;
+	else
+	    {
+	    a=BN_new();
+	    BN_rand(a,200,0,0); /**/
+	    a->neg=rand_neg();
+	    }
+	for (i=0; i<num0; i++)
+		{
+		BN_lshift(b,a,i+1);
+		BN_add(c,c,c);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," * ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,b);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul(d,a,c,ctx);
+		BN_sub(d,d,b);
+		if(!BN_is_zero(d))
+		    {
+		    fprintf(stderr,"Left shift test failed!\n");
+		    fprintf(stderr,"a=");
+		    BN_print_fp(stderr,a);
+		    fprintf(stderr,"\nb=");
+		    BN_print_fp(stderr,b);
+		    fprintf(stderr,"\nc=");
+		    BN_print_fp(stderr,c);
+		    fprintf(stderr,"\nd=");
+		    BN_print_fp(stderr,d);
+		    fprintf(stderr,"\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	return(1);
+	}
+
+int test_lshift1(BIO *bp)
+	{
+	BIGNUM *a,*b,*c;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+
+	BN_rand(a,200,0,0); /**/
+	a->neg=rand_neg();
+	for (i=0; i<num0; i++)
+		{
+		BN_lshift1(b,a);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," * 2");
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,b);
+			BIO_puts(bp,"\n");
+			}
+		BN_add(c,a,a);
+		BN_sub(a,b,c);
+		if(!BN_is_zero(a))
+		    {
+		    fprintf(stderr,"Left shift one test failed!\n");
+		    return 0;
+		    }
+		
+		BN_copy(a,b);
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	return(1);
+	}
+
+int test_rshift(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	BN_one(c);
+
+	BN_rand(a,200,0,0); /**/
+	a->neg=rand_neg();
+	for (i=0; i<num0; i++)
+		{
+		BN_rshift(b,a,i+1);
+		BN_add(c,c,c);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," / ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,b);
+			BIO_puts(bp,"\n");
+			}
+		BN_div(d,e,a,c,ctx);
+		BN_sub(d,d,b);
+		if(!BN_is_zero(d))
+		    {
+		    fprintf(stderr,"Right shift test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
+int test_rshift1(BIO *bp)
+	{
+	BIGNUM *a,*b,*c;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+
+	BN_rand(a,200,0,0); /**/
+	a->neg=rand_neg();
+	for (i=0; i<num0; i++)
+		{
+		BN_rshift1(b,a);
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," / 2");
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,b);
+			BIO_puts(bp,"\n");
+			}
+		BN_sub(c,a,b);
+		BN_sub(c,c,b);
+		if(!BN_is_zero(c) && !BN_is_one(c))
+		    {
+		    fprintf(stderr,"Right shift one test failed!\n");
+		    return 0;
+		    }
+		BN_copy(a,b);
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	return(1);
+	}
+
+int rand_neg(void)
+	{
+	static unsigned int neg=0;
+	static int sign[8]={0,0,0,1,1,0,1,1};
+
+	return(sign[(neg++)%8]);
+	}
diff --git a/crypto/openssl/crypto/bn/comba.pl b/crypto/openssl/crypto/bn/comba.pl
new file mode 100644
index 0000000..211a8b4
--- /dev/null
+++ b/crypto/openssl/crypto/bn/comba.pl
@@ -0,0 +1,285 @@
+#!/usr/local/bin/perl
+
+$num=8;
+$num2=8/2;
+
+print <<"EOF";
+/* crypto/bn/bn_comba.c */
+#include <stdio.h>
+#include "bn_lcl.h"
+/* Auto generated from crypto/bn/comba.pl
+ */
+
+#undef bn_mul_comba8
+#undef bn_mul_comba4
+#undef bn_sqr_comba8
+#undef bn_sqr_comba4
+
+#ifdef BN_LLONG
+#define mul_add_c(a,b,c0,c1,c2) \\
+	t=(BN_ULLONG)a*b; \\
+	t1=(BN_ULONG)Lw(t); \\
+	t2=(BN_ULONG)Hw(t); \\
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \\
+	t=(BN_ULLONG)a*b; \\
+	tt=(t+t)&BN_MASK; \\
+	if (tt < t) c2++; \\
+	t1=(BN_ULONG)Lw(tt); \\
+	t2=(BN_ULONG)Hw(tt); \\
+	c0=(c0+t1)&BN_MASK2;  \\
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \\
+	t=(BN_ULLONG)a[i]*a[i]; \\
+	t1=(BN_ULONG)Lw(t); \\
+	t2=(BN_ULONG)Hw(t); \\
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \\
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#else
+#define mul_add_c(a,b,c0,c1,c2) \\
+	t1=LBITS(a); t2=HBITS(a); \\
+	bl=LBITS(b); bh=HBITS(b); \\
+	mul64(t1,t2,bl,bh); \\
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \\
+	t1=LBITS(a); t2=HBITS(a); \\
+	bl=LBITS(b); bh=HBITS(b); \\
+	mul64(t1,t2,bl,bh); \\
+	if (t2 & BN_TBIT) c2++; \\
+	t2=(t2+t2)&BN_MASK2; \\
+	if (t1 & BN_TBIT) t2++; \\
+	t1=(t1+t1)&BN_MASK2; \\
+	c0=(c0+t1)&BN_MASK2;  \\
+	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \\
+	sqr64(t1,t2,(a)[i]); \\
+	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
+	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \\
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#endif
+
+void bn_mul_comba${num}(r,a,b)
+BN_ULONG *r,*a,*b;
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+EOF
+$ret=&combas_mul("r","a","b",$num,"c1","c2","c3");
+printf <<"EOF";
+	}
+
+void bn_mul_comba${num2}(r,a,b)
+BN_ULONG *r,*a,*b;
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+EOF
+$ret=&combas_mul("r","a","b",$num2,"c1","c2","c3");
+printf <<"EOF";
+	}
+
+void bn_sqr_comba${num}(r,a)
+BN_ULONG *r,*a;
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+EOF
+$ret=&combas_sqr("r","a",$num,"c1","c2","c3");
+printf <<"EOF";
+	}
+
+void bn_sqr_comba${num2}(r,a)
+BN_ULONG *r,*a;
+	{
+#ifdef BN_LLONG
+	BN_ULLONG t,tt;
+#else
+	BN_ULONG bl,bh;
+#endif
+	BN_ULONG t1,t2;
+	BN_ULONG c1,c2,c3;
+
+EOF
+$ret=&combas_sqr("r","a",$num2,"c1","c2","c3");
+printf <<"EOF";
+	}
+EOF
+
+sub bn_str
+	{
+	local($var,$val)=@_;
+	print "\t$var=$val;\n";
+	}
+
+sub bn_ary
+	{
+	local($var,$idx)=@_;
+	return("${var}[$idx]");
+	}
+
+sub bn_clr
+	{
+	local($var)=@_;
+
+	print "\t$var=0;\n";
+	}
+
+sub bn_mad
+	{
+	local($a,$b,$c0,$c1,$c2,$num)=@_;
+
+	if ($num == 2)
+		{ printf("\tmul_add_c2($a,$b,$c0,$c1,$c2);\n"); }
+	else
+		{ printf("\tmul_add_c($a,$b,$c0,$c1,$c2);\n"); }
+	}
+
+sub bn_sad
+	{
+	local($a,$i,$j,$c0,$c1,$c2,$num)=@_;
+
+	if ($num == 2)
+		{ printf("\tsqr_add_c2($a,$i,$j,$c0,$c1,$c2);\n"); }
+	else
+		{ printf("\tsqr_add_c($a,$i,$c0,$c1,$c2);\n"); }
+	}
+
+sub combas_mul
+	{
+	local($r,$a,$b,$num,$c0,$c1,$c2)=@_;
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($tot,$end);
+
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+	&bn_clr($c0);
+	&bn_clr($c1);
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+		@numa=@numb=();
+
+#print "($as $ae) ($bs $be) $bs -> $end [$i $num]\n";
+		for ($j=$bs; $j<$end; $j++)
+			{
+			push(@numa,$ai);
+			push(@numb,$bi);
+			$ai--;
+			$bi++;
+			}
+
+		if ($i & 1)
+			{
+			@numa=reverse(@numa);
+			@numb=reverse(@numb);
+			}
+
+		&bn_clr($c2);
+		for ($j=0; $j<=$#numa; $j++)
+			{
+			&bn_mad(&bn_ary($a,$numa[$j]),
+				&bn_ary($b,$numb[$j]),$c0,$c1,$c2,1);
+			}
+		&bn_str(&bn_ary($r,$i),$c0);
+		($c0,$c1,$c2)=($c1,$c2,$c0);
+
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&bn_str(&bn_ary($r,$i),$c0);
+	}
+
+sub combas_sqr
+	{
+	local($r,$a,$num,$c0,$c1,$c2)=@_;
+	local($i,$as,$ae,$bs,$be,$ai,$bi);
+	local($b,$tot,$end,$half);
+
+	$b=$a;
+	$as=0;
+	$ae=0;
+	$bs=0;
+	$be=0;
+	$tot=$num+$num-1;
+	&bn_clr($c0);
+	&bn_clr($c1);
+	for ($i=0; $i<$tot; $i++)
+		{
+		$ai=$as;
+		$bi=$bs;
+		$end=$be+1;
+		@numa=@numb=();
+
+#print "($as $ae) ($bs $be) $bs -> $end [$i $num]\n";
+		for ($j=$bs; $j<$end; $j++)
+			{
+			push(@numa,$ai);
+			push(@numb,$bi);
+			$ai--;
+			$bi++;
+			last if ($ai < $bi);
+			}
+		if (!($i & 1))
+			{
+			@numa=reverse(@numa);
+			@numb=reverse(@numb);
+			}
+
+		&bn_clr($c2);
+		for ($j=0; $j <= $#numa; $j++)
+			{
+			if ($numa[$j] == $numb[$j])
+				{&bn_sad($a,$numa[$j],$numb[$j],$c0,$c1,$c2,1);}
+			else
+				{&bn_sad($a,$numa[$j],$numb[$j],$c0,$c1,$c2,2);}
+			}
+		&bn_str(&bn_ary($r,$i),$c0);
+		($c0,$c1,$c2)=($c1,$c2,$c0);
+
+		$as++ if ($i < ($num-1));
+		$ae++ if ($i >= ($num-1));
+
+		$bs++ if ($i >= ($num-1));
+		$be++ if ($i < ($num-1));
+		}
+	&bn_str(&bn_ary($r,$i),$c0);
+	}
diff --git a/crypto/openssl/crypto/bn/d.c b/crypto/openssl/crypto/bn/d.c
new file mode 100644
index 0000000..ced2291
--- /dev/null
+++ b/crypto/openssl/crypto/bn/d.c
@@ -0,0 +1,72 @@
+#include <stdio.h>
+#include <openssl/bio.h>
+#include "bn_lcl.h"
+
+#define SIZE_A (100*4+4)
+#define SIZE_B (13*4)
+
+main(argc,argv)
+int argc;
+char *argv[];
+	{
+	BN_CTX ctx;
+	BN_RECP_CTX recp;
+	BIGNUM a,b,dd,d,r,rr,t,l;
+	int i;
+
+	MemCheck_start();
+	MemCheck_on();
+	BN_CTX_init(&ctx);
+	BN_RECP_CTX_init(&recp);
+
+	BN_init(&r);
+	BN_init(&rr);
+	BN_init(&d);
+	BN_init(&dd);
+	BN_init(&a);
+	BN_init(&b);
+
+	{
+	BN_rand(&a,SIZE_A,0,0);
+	BN_rand(&b,SIZE_B,0,0);
+
+	a.neg=1;
+	BN_RECP_CTX_set(&recp,&b,&ctx);
+
+	BN_print_fp(stdout,&a); printf(" a\n");
+	BN_print_fp(stdout,&b); printf(" b\n");
+
+	BN_print_fp(stdout,&recp.N); printf(" N\n");
+	BN_print_fp(stdout,&recp.Nr); printf(" Nr num_bits=%d\n",recp.num_bits);
+
+	BN_div_recp(&r,&d,&a,&recp,&ctx);
+
+for (i=0; i<300; i++)
+	BN_div(&rr,&dd,&a,&b,&ctx);
+
+	BN_print_fp(stdout,&r); printf(" div recp\n");
+	BN_print_fp(stdout,&rr); printf(" div\n");
+	BN_print_fp(stdout,&d); printf(" rem recp\n");
+	BN_print_fp(stdout,&dd); printf(" rem\n");
+	}
+	BN_CTX_free(&ctx);
+	BN_RECP_CTX_free(&recp);
+
+	BN_free(&r);
+	BN_free(&rr);
+	BN_free(&d);
+	BN_free(&dd);
+	BN_free(&a);
+	BN_free(&b);
+
+	{
+	BIO *out;
+
+	if ((out=BIO_new(BIO_s_file())) != NULL)
+		BIO_set_fp(out,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+        CRYPTO_mem_leaks(out);
+	BIO_free(out);
+	}
+
+	}
diff --git a/crypto/openssl/crypto/bn/divtest.c b/crypto/openssl/crypto/bn/divtest.c
new file mode 100644
index 0000000..13ba86e
--- /dev/null
+++ b/crypto/openssl/crypto/bn/divtest.c
@@ -0,0 +1,41 @@
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+
+static int rand(n)
+{
+    unsigned char x[2];
+    RAND_pseudo_bytes(x,2);
+    return (x[0] + 2*x[1]);
+}
+
+static void bug(char *m, BIGNUM *a, BIGNUM *b)
+{
+    printf("%s!\na=",m);
+    BN_print_fp(stdout, a);
+    printf("\nb=");
+    BN_print_fp(stdout, b);
+    printf("\n");
+    fflush(stdout);
+}
+
+main()
+{
+    BIGNUM *a=BN_new(), *b=BN_new(), *c=BN_new(), *d=BN_new(),
+	*C=BN_new(), *D=BN_new();
+    BN_RECP_CTX *recp=BN_RECP_CTX_new();
+    BN_CTX *ctx=BN_CTX_new();
+
+    for(;;) {
+	BN_pseudo_rand(a,rand(),0,0);
+	BN_pseudo_rand(b,rand(),0,0);
+	if (BN_is_zero(b)) continue;
+
+	BN_RECP_CTX_set(recp,b,ctx);
+	if (BN_div(C,D,a,b,ctx) != 1)
+	    bug("BN_div failed",a,b);
+	if (BN_div_recp(c,d,a,recp,ctx) != 1)
+	    bug("BN_div_recp failed",a,b);
+	else if (BN_cmp(c,C) != 0 || BN_cmp(c,C) != 0)
+	    bug("mismatch",a,b);
+    }
+}
diff --git a/crypto/openssl/crypto/bn/exp.c b/crypto/openssl/crypto/bn/exp.c
new file mode 100644
index 0000000..4865b0e
--- /dev/null
+++ b/crypto/openssl/crypto/bn/exp.c
@@ -0,0 +1,62 @@
+/* unused */
+
+#include <stdio.h>
+#include <openssl/tmdiff.h>
+#include "bn_lcl.h"
+
+#define SIZE	256
+#define NUM	(8*8*8)
+#define MOD	(8*8*8*8*8)
+
+main(argc,argv)
+int argc;
+char *argv[];
+	{
+	BN_CTX ctx;
+	BIGNUM a,b,c,r,rr,t,l;
+	int j,i,size=SIZE,num=NUM,mod=MOD;
+	char *start,*end;
+	BN_MONT_CTX mont;
+	double d,md;
+
+	BN_MONT_CTX_init(&mont);
+	BN_CTX_init(&ctx);
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+	BN_init(&r);
+
+	start=ms_time_new();
+	end=ms_time_new();
+	while (size <= 1024*8)
+		{
+		BN_rand(&a,size,0,0);
+		BN_rand(&b,size,1,0);
+		BN_rand(&c,size,0,1);
+
+		BN_mod(&a,&a,&c,&ctx);
+
+		ms_time_get(start);
+		for (i=0; i<10; i++)
+			BN_MONT_CTX_set(&mont,&c,&ctx);
+		ms_time_get(end);
+		md=ms_time_diff(start,end);
+
+		ms_time_get(start);
+		for (i=0; i<num; i++)
+			{
+			/* bn_mull(&r,&a,&b,&ctx); */
+			/* BN_sqr(&r,&a,&ctx); */
+			BN_mod_exp_mont(&r,&a,&b,&c,&ctx,&mont);
+			}
+		ms_time_get(end);
+		d=ms_time_diff(start,end)/* *50/33 */;
+		printf("%5d bit:%6.2f %6d %6.4f %4d m_set(%5.4f)\n",size,
+			d,num,d/num,(int)((d/num)*mod),md/10.0);
+		num/=8;
+		mod/=8;
+		if (num <= 0) num=1;
+		size*=2;
+		}
+
+	}
diff --git a/crypto/openssl/crypto/bn/expspeed.c b/crypto/openssl/crypto/bn/expspeed.c
new file mode 100644
index 0000000..2044ab9
--- /dev/null
+++ b/crypto/openssl/crypto/bn/expspeed.c
@@ -0,0 +1,215 @@
+/* unused */
+
+/* crypto/bn/expspeed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* most of this code has been pilfered from my libdes speed.c program */
+
+#define BASENUM	5000
+#undef PROG
+#define PROG bnspeed_main
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/x509.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#undef BUFSIZE
+#define BUFSIZE	((long)1024*8)
+int run=0;
+
+static double Time_F(int s);
+#define START	0
+#define STOP	1
+
+static double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret < 1e-3)?1e-3:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret < 0.001)?0.001:ret);
+		}
+#endif
+	}
+
+#define NUM_SIZES	6
+static int sizes[NUM_SIZES]={256,512,1024,2048,4096,8192};
+static int mul_c[NUM_SIZES]={8*8*8*8*8,8*8*8*8,8*8*8,8*8,8,1};
+/*static int sizes[NUM_SIZES]={59,179,299,419,539}; */
+
+void do_mul_exp(BIGNUM *r,BIGNUM *a,BIGNUM *b,BIGNUM *c,BN_CTX *ctx); 
+
+int main(int argc, char **argv)
+	{
+	BN_CTX *ctx;
+	BIGNUM *a,*b,*c,*r;
+
+	ctx=BN_CTX_new();
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	r=BN_new();
+
+	do_mul_exp(r,a,b,c,ctx);
+	}
+
+void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
+	{
+	int i,k;
+	double tm;
+	long num;
+	BN_MONT_CTX m;
+
+	memset(&m,0,sizeof(m));
+
+	num=BASENUM;
+	for (i=0; i<NUM_SIZES; i++)
+		{
+		BN_rand(a,sizes[i],1,0);
+		BN_rand(b,sizes[i],1,0);
+		BN_rand(c,sizes[i],1,1);
+		BN_mod(a,a,c,ctx);
+		BN_mod(b,b,c,ctx);
+
+		BN_MONT_CTX_set(&m,c,ctx);
+
+		Time_F(START);
+		for (k=0; k<num; k++)
+			BN_mod_exp_mont(r,a,b,c,ctx,&m);
+		tm=Time_F(STOP);
+		printf("mul %4d ^ %4d %% %d -> %8.3fms %5.1f\n",sizes[i],sizes[i],sizes[i],tm*1000.0/num,tm*mul_c[i]/num);
+		num/=7;
+		if (num <= 0) num=1;
+		}
+
+	}
+
diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c
new file mode 100644
index 0000000..3e86f2e
--- /dev/null
+++ b/crypto/openssl/crypto/bn/exptest.c
@@ -0,0 +1,187 @@
+/* crypto/bn/exptest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#ifdef WINDOWS
+#include "../bio/bss_file.c"
+#endif
+
+#define NUM_BITS	(BN_BITS*2)
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+	{
+	BN_CTX *ctx;
+	BIO *out=NULL;
+	int i,ret;
+	unsigned char c;
+	BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
+	                                       * even check its return value
+	                                       * (which we should) */
+
+	ERR_load_BN_strings();
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) exit(1);
+	r_mont=BN_new();
+	r_recp=BN_new();
+	r_simple=BN_new();
+	a=BN_new();
+	b=BN_new();
+	m=BN_new();
+	if (	(r_mont == NULL) || (r_recp == NULL) ||
+		(a == NULL) || (b == NULL))
+		goto err;
+
+	out=BIO_new(BIO_s_file());
+
+	if (out == NULL) exit(1);
+	BIO_set_fp(out,stdout,BIO_NOCLOSE);
+
+	for (i=0; i<200; i++)
+		{
+		RAND_bytes(&c,1);
+		c=(c%BN_BITS)-BN_BITS2;
+		BN_rand(a,NUM_BITS+c,0,0);
+
+		RAND_bytes(&c,1);
+		c=(c%BN_BITS)-BN_BITS2;
+		BN_rand(b,NUM_BITS+c,0,0);
+
+		RAND_bytes(&c,1);
+		c=(c%BN_BITS)-BN_BITS2;
+		BN_rand(m,NUM_BITS+c,0,1);
+
+		BN_mod(a,a,m,ctx);
+		BN_mod(b,b,m,ctx);
+
+		ret=BN_mod_exp_mont(r_mont,a,b,m,ctx,NULL);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_mont() problems\n");
+			ERR_print_errors(out);
+			exit(1);
+			}
+
+		ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_recp() problems\n");
+			ERR_print_errors(out);
+			exit(1);
+			}
+
+		ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_simple() problems\n");
+			ERR_print_errors(out);
+			exit(1);
+			}
+
+		if (BN_cmp(r_simple, r_mont) == 0
+		    && BN_cmp(r_simple,r_recp) == 0)
+			{
+			printf(".");
+			fflush(stdout);
+			}
+		else
+		  	{
+			if (BN_cmp(r_simple,r_mont) != 0)
+				printf("\nsimple and mont results differ\n");
+			if (BN_cmp(r_simple,r_recp) != 0)
+				printf("\nsimple and recp results differ\n");
+
+			printf("a (%3d) = ",BN_num_bits(a));   BN_print(out,a);
+			printf("\nb (%3d) = ",BN_num_bits(b)); BN_print(out,b);
+			printf("\nm (%3d) = ",BN_num_bits(m)); BN_print(out,m);
+			printf("\nsimple   =");	BN_print(out,r_simple);
+			printf("\nrecp     =");	BN_print(out,r_recp);
+			printf("\nmont     ="); BN_print(out,r_mont);
+			printf("\n");
+			exit(1);
+			}
+		}
+	BN_free(r_mont);
+	BN_free(r_recp);
+	BN_free(r_simple);
+	BN_free(a);
+	BN_free(b);
+	BN_free(m);
+	BN_CTX_free(ctx);
+	ERR_remove_state(0);
+	CRYPTO_mem_leaks(out);
+	BIO_free(out);
+	printf(" done\n");
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors(out);
+	exit(1);
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/bn/new b/crypto/openssl/crypto/bn/new
new file mode 100644
index 0000000..285d506
--- /dev/null
+++ b/crypto/openssl/crypto/bn/new
@@ -0,0 +1,23 @@
+void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new();
+void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int BN_RECP_CTX_set(BN_RECP_CTX *recp,BIGNUM *div,BN_CTX *ctx);
+
+int BN_mod_exp_recp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
+	BN_RECP_CTX *recp,BN_CTX *ctx);
+
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d,
+	BN_RECP_CTX *recp, BN_CTX *ctx);
+int BN_mod_recp(BIGNUM *rem, BIGNUM *m, BIGNUM *d,
+	BN_RECP_CTX *recp, BN_CTX *ctx);
+int BN_mod_mul_recp(BIGNUM *ret,BIGNUM *a,BIGNUM *b,BIGNUM *m
+
+int BN_mod_exp_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *p,
+	BN_MONT_CTX *m_ctx,BN_CTX *ctx);
+int BN_mod_exp2_montgomery(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
+                BIGNUM *p2,BN_MONT_CTX *m_ctx,BN_CTX *ctx);
+
+
+bn_div64 -> bn_div_words
+
+
diff --git a/crypto/openssl/crypto/bn/old/b_sqr.c b/crypto/openssl/crypto/bn/old/b_sqr.c
new file mode 100644
index 0000000..715cb1c
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/b_sqr.c
@@ -0,0 +1,199 @@
+/* crypto/bn/bn_mul.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+static int bn_mm(BIGNUM *m,BIGNUM *A,BIGNUM *B, BIGNUM *sk,BN_CTX *ctx);
+
+/* r must be different to a and b */
+/* int BN_mmul(r, a, b) */
+int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b)
+	{
+	BN_ULONG *ap,*bp,*rp;
+	BIGNUM *sk;
+	int i,n,ret;
+	int max,al,bl;
+	BN_CTX ctx;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	al=a->top;
+	bl=b->top;
+	if ((al == 0) || (bl == 0))
+		{
+		r->top=0;
+		return(1);
+		}
+#ifdef BN_MUL_DEBUG
+printf("BN_mul(%d,%d)\n",a->top,b->top);
+#endif
+
+	if (	(bn_limit_bits > 0) &&
+		(bl > bn_limit_num) && (al > bn_limit_num))
+		{
+		n=(BN_num_bits_word(al|bl)-bn_limit_bits);
+		n*=2;
+		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
+		memset(sk,0,sizeof(BIGNUM)*n);
+		memset(&ctx,0,sizeof(ctx));
+
+		ret=bn_mm(r,a,b,&(sk[0]),&ctx);
+		for (i=0; i<n; i+=2)
+			{
+			BN_clear_free(&sk[i]);
+			BN_clear_free(&sk[i+1]);
+			}
+		Free(sk);
+		return(ret);
+		}
+
+	max=(al+bl);
+	if (bn_wexpand(r,max) == NULL) return(0);
+	r->top=max;
+	r->neg=a->neg^b->neg;
+	ap=a->d;
+	bp=b->d;
+	rp=r->d;
+
+	rp[al]=bn_mul_words(rp,ap,al,*(bp++));
+	rp++;
+	for (i=1; i<bl; i++)
+		{
+		rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
+		rp++;
+		}
+	if ((max > 0) && (r->d[max-1] == 0)) r->top--;
+	return(1);
+	}
+
+
+#define ahal	(sk[0])
+#define blbh	(sk[1])
+
+/* r must be different to a and b */
+int bn_mm(BIGNUM *m, BIGNUM *A, BIGNUM *B, BIGNUM *sk, BN_CTX *ctx)
+	{
+	int n,num,sqr=0;
+	int an,bn;
+	BIGNUM ah,al,bh,bl;
+
+	an=A->top;
+	bn=B->top;
+#ifdef BN_MUL_DEBUG
+printf("bn_mm(%d,%d)\n",A->top,B->top);
+#endif
+
+	if (A == B) sqr=1;
+	num=(an>bn)?an:bn;
+	n=(num+1)/2;
+	/* Are going to now chop things into 'num' word chunks. */
+
+	BN_init(&ah);
+	BN_init(&al);
+	BN_init(&bh);
+	BN_init(&bl);
+
+	bn_set_low (&al,A,n);
+	bn_set_high(&ah,A,n);
+	bn_set_low (&bl,B,n);
+	bn_set_high(&bh,B,n);
+
+	BN_sub(&ahal,&ah,&al);
+	BN_sub(&blbh,&bl,&bh);
+
+	if (num <= (bn_limit_num+bn_limit_num))
+		{
+		BN_mul(m,&ahal,&blbh);
+		if (sqr)
+			{
+			BN_sqr(&ahal,&al,ctx);
+			BN_sqr(&blbh,&ah,ctx);
+			}
+		else
+			{
+			BN_mul(&ahal,&al,&bl);
+			BN_mul(&blbh,&ah,&bh);
+			}
+		}
+	else
+		{
+		bn_mm(m,&ahal,&blbh,&(sk[2]),ctx);
+		bn_mm(&ahal,&al,&bl,&(sk[2]),ctx);
+		bn_mm(&blbh,&ah,&bh,&(sk[2]),ctx);
+		}
+
+	BN_add(m,m,&ahal);
+	BN_add(m,m,&blbh);
+
+	BN_lshift(m,m,n*BN_BITS2);
+	BN_lshift(&blbh,&blbh,n*BN_BITS2*2);
+
+	BN_add(m,m,&ahal);
+	BN_add(m,m,&blbh);
+
+	m->neg=A->neg^B->neg;
+	return(1);
+	}
+#undef ahal	(sk[0])
+#undef blbh	(sk[1])
+
+#include "bn_low.c"
+#include "bn_high.c"
diff --git a/crypto/openssl/crypto/bn/old/bn_com.c b/crypto/openssl/crypto/bn/old/bn_com.c
new file mode 100644
index 0000000..7666b23
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_com.c
@@ -0,0 +1,90 @@
+/* crypto/bn/bn_mulw.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#ifdef BN_LLONG 
+
+ab
+12
+   a2 b2
+a1 b1
+
+abc
+123
+      a3 b3 c3
+   a2 b2 c2
+a1 b1 c1
+
+abcd
+1234
+         a4 b4 c4 d4
+      a3 b3 c3 d3
+   a2 b2 c2 d2
+a1 b1 c1 d1
+
+abcde
+01234
+               a5 b5 c5 d5 e5
+            a4 b4 c4 d4 e4
+         a3 b3 c3 d3 e3
+      a2 b2 c2 d2 e2
+   a1 b1 c1 d1 e1
+a0 b0 c0 d0 e0
diff --git a/crypto/openssl/crypto/bn/old/bn_high.c b/crypto/openssl/crypto/bn/old/bn_high.c
new file mode 100644
index 0000000..763bcb6
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_high.c
@@ -0,0 +1,135 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#undef BN_MUL_HIGH_DEBUG
+
+#ifdef BN_MUL_HIGH_DEBUG
+#define debug_BN_print(a,b,c) BN_print_fp(a,b); printf(c);
+#else
+#define debug_BN_print(a,b,c)
+#endif
+
+int BN_mul_high(BIGNUM *r,BIGNUM *a,BIGNUM *b,BIGNUM *low, int words);
+
+#undef t1
+#undef t2
+
+int BN_mul_high(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *low, int words)
+	{
+	int w2,borrow=0,full=0;
+	BIGNUM t1,t2,t3,h,ah,al,bh,bl,m,s0,s1;
+	BN_ULONG ul1,ul2;
+	
+	BN_mul(r,a,b);
+	BN_rshift(r,r,words*BN_BITS2);
+	return(1);
+
+	w2=(words+1)/2;
+
+#ifdef BN_MUL_HIGH_DEBUG
+fprintf(stdout,"words=%d w2=%d\n",words,w2);
+#endif
+debug_BN_print(stdout,a," a\n");
+debug_BN_print(stdout,b," b\n");
+debug_BN_print(stdout,low," low\n");
+	BN_init(&al); BN_init(&ah);
+	BN_init(&bl); BN_init(&bh);
+	BN_init(&t1); BN_init(&t2); BN_init(&t3);
+	BN_init(&s0); BN_init(&s1);
+	BN_init(&h); BN_init(&m);
+
+	bn_set_low (&al,a,w2);
+	bn_set_high(&ah,a,w2);
+	bn_set_low (&bl,b,w2);
+	bn_set_high(&bh,b,w2);
+
+	bn_set_low(&s0,low,w2);
+	bn_set_high(&s1,low,w2);
+
+debug_BN_print(stdout,&al," al\n");
+debug_BN_print(stdout,&ah," ah\n");
+debug_BN_print(stdout,&bl," bl\n");
+debug_BN_print(stdout,&bh," bh\n");
+debug_BN_print(stdout,&s0," s0\n");
+debug_BN_print(stdout,&s1," s1\n");
+
+	/* Calculate (al-ah)*(bh-bl) */
+	BN_sub(&t1,&al,&ah);
+	BN_sub(&t2,&bh,&bl);
+	BN_mul(&m,&t1,&t2);
+
+	/* Calculate ah*bh */
+	BN_mul(&h,&ah,&bh);
+
+	/* s0 == low(al*bl)
+	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
+	 * We know s0 and s1 so the only unknown is high(al*bl)
+	 * high(al*bl) == s1 - low(ah*bh+(al-ah)*(bh-bl)+s0)
+	 */
+	BN_add(&m,&m,&h);
+	BN_add(&t2,&m,&s0);
+
+debug_BN_print(stdout,&t2," middle value\n");
+
+	/* Quick and dirty mask off of high words */
+	if (w2 < t2.top) t2.top=w2;
+#if 0
+	bn_set_low(&t3,&t2,w2);
+#endif
+
+debug_BN_print(stdout,&t2," low middle value\n");
+	BN_sub(&t1,&s1,&t2);
+
+	if (t1.neg)
+		{
+debug_BN_print(stdout,&t1," before\n");
+		BN_zero(&t2);
+		BN_set_bit(&t2,w2*BN_BITS2);
+		BN_add(&t1,&t2,&t1);
+		/* BN_mask_bits(&t1,w2*BN_BITS2); */
+		/* if (words < t1.top) t1.top=words; */
+debug_BN_print(stdout,&t1," after\n");
+		borrow=1;
+		}
+
+/* XXXXX SPEED THIS UP */
+	/* al*bl == high(al*bl)<<words+s0 */
+	BN_lshift(&t1,&t1,w2*BN_BITS2);
+	BN_add(&t1,&t1,&s0);
+	if (w2*2 < t1.top) t1.top=w2*2; /* This should not happen? */
+	
+	/* We now have
+	 * al*bl			- t1
+	 * (al-ah)*(bh-bl)+ah*bh	- m
+	 * ah*bh			- h
+	 */
+#if 0
+	BN_add(&m,&m,&t1);
+debug_BN_print(stdout,&t1," s10\n");
+debug_BN_print(stdout,&m," s21\n");
+debug_BN_print(stdout,&h," s32\n");
+	BN_lshift(&m,&m,w2*BN_BITS2);
+	BN_lshift(&h,&h,w2*2*BN_BITS2);
+	BN_add(r,&m,&t1);
+	BN_add(r,r,&h);
+	BN_rshift(r,r,w2*2*BN_BITS2);
+#else
+	BN_add(&m,&m,&t1); 		/* Do a cmp then +1 if needed? */
+	bn_set_high(&t3,&t1,w2);
+	BN_add(&m,&m,&t3);
+	bn_set_high(&t3,&m,w2);
+	BN_add(r,&h,&t3);
+#endif
+
+#ifdef BN_MUL_HIGH_DEBUG
+printf("carry=%d\n",borrow);
+#endif
+debug_BN_print(stdout,r," ret\n");
+	BN_free(&t1); BN_free(&t2);
+	BN_free(&m); BN_free(&h);
+	return(1);
+	}
+
+
+
diff --git a/crypto/openssl/crypto/bn/old/bn_ka.c b/crypto/openssl/crypto/bn/old/bn_ka.c
new file mode 100644
index 0000000..378c94d
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_ka.c
@@ -0,0 +1,567 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include "bn_lcl.h"
+
+/* r is 2*n2 words in size,
+ * a and b are both n2 words in size.
+ * n2 must be a power of 2.
+ * We multiply and return the result.
+ * t must be 2*n2 words in size
+ * We calulate
+ * a[0]*b[0]
+ * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+ * a[1]*b[1]
+ */
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+	     BN_ULONG *t)
+	{
+	int n=n2/2;
+	int neg,zero,c1,c2;
+	BN_ULONG ln,lo,*p;
+
+#ifdef BN_COUNT
+printf(" bn_mul_recursive %d * %d\n",n2,n2);
+#endif
+	if (n2 <= 8)
+		{
+		if (n2 == 8)
+			bn_mul_comba8(r,a,b);
+		else
+			bn_mul_normal(r,a,n2,b,n2);
+		return;
+		}
+
+	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
+		{
+		/* This should not happen */
+		/*abort(); */
+		bn_mul_normal(r,a,n2,b,n2);
+		return;
+		}
+	/* r=(a[0]-a[1])*(b[1]-b[0]) */
+	c1=bn_cmp_words(a,&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),b,n);
+	zero=neg=0;
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		break;
+	case -3:
+		zero=1;
+		break;
+	case -2:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		break;
+	case 2:
+		bn_sub_words(t,      a,      &(a[n]),n); /* + */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		break;
+	case 4:
+		bn_sub_words(t,      a,      &(a[n]),n);
+		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		break;
+		}
+
+	if (n == 8)
+		{
+		if (!zero)
+			bn_mul_comba8(&(t[n2]),t,&(t[n]));
+		else
+			memset(&(t[n2]),0,8*sizeof(BN_ULONG));
+		
+		bn_mul_comba8(r,a,b);
+		bn_mul_comba8(&(r[n2]),&(a[n]),&(b[n]));
+		}
+	else
+		{
+		p= &(t[n2*2]);
+		if (!zero)
+			bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+		else
+			memset(&(t[n2]),0,n*sizeof(BN_ULONG));
+		bn_mul_recursive(r,a,b,n,p);
+		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=bn_add_words(t,r,&(r[n2]),n2);
+
+	if (neg) /* if t[32] is negative */
+		{
+		c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
+		}
+	else
+		{
+		/* Might have a carry */
+		c1+=bn_add_words(&(t[n2]),&(t[n2]),t,n2);
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+
+/* n+tn is the word length
+ * t needs to be n*4 is size, as does r */
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+	     int n, BN_ULONG *t)
+	{
+	int n2=n*2,i,j;
+	int c1;
+	BN_ULONG ln,lo,*p;
+
+#ifdef BN_COUNT
+printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
+#endif
+	if (n < 8)
+		{
+		i=tn+n;
+		bn_mul_normal(r,a,i,b,i);
+		return;
+		}
+
+	/* r=(a[0]-a[1])*(b[1]-b[0]) */
+	bn_sub_words(t,      a,      &(a[n]),n); /* + */
+	bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+
+	if (n == 8)
+		{
+		bn_mul_comba8(&(t[n2]),t,&(t[n]));
+		bn_mul_comba8(r,a,b);
+		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
+		}
+	else
+		{
+		p= &(t[n2*2]);
+		bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+		bn_mul_recursive(r,a,b,n,p);
+		i=n/2;
+		/* If there is only a bottom half to the number,
+		 * just do it */
+		j=tn-i;
+		if (j == 0)
+			{
+			bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
+			memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
+			}
+		else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
+				{
+				bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
+					j,i,p);
+				memset(&(r[n2+tn*2]),0,
+					sizeof(BN_ULONG)*(n2-tn*2));
+				}
+		else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
+			{
+			memset(&(r[n2]),0,sizeof(BN_ULONG)*(tn*2));
+			for (;;)
+				{
+				i/=2;
+				if (i < tn)
+					{
+					bn_mul_part_recursive(&(r[n2]),
+						&(a[n]),&(b[n]),
+						tn-i,i,p);
+					break;
+					}
+				else if (i == tn)
+					{
+					bn_mul_recursive(&(r[n2]),
+						&(a[n]),&(b[n]),
+						i,p);
+					break;
+					}
+				}
+			}
+		}
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=bn_add_words(t,r,&(r[n2]),n2);
+	c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
+
+	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+
+/* r is 2*n words in size,
+ * a and b are both n words in size.
+ * n must be a power of 2.
+ * We multiply and return the result.
+ * t must be 2*n words in size
+ * We calulate
+ * a[0]*b[0]
+ * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+ * a[1]*b[1]
+ */
+void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *t)
+	{
+	int n=n2/2;
+	int zero,c1;
+	BN_ULONG ln,lo,*p;
+
+#ifdef BN_COUNT
+printf(" bn_sqr_recursive %d * %d\n",n2,n2);
+#endif
+	if (n2 == 4)
+		{
+		bn_sqr_comba4(r,a);
+		return;
+		}
+	else if (n2 == 8)
+		{
+		bn_sqr_comba8(r,a);
+		return;
+		}
+	if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL)
+		{
+		bn_sqr_normal(r,a,n2,t);
+		return;
+		abort();
+		}
+	/* r=(a[0]-a[1])*(a[1]-a[0]) */
+	c1=bn_cmp_words(a,&(a[n]),n);
+	zero=0;
+	if (c1 > 0)
+		bn_sub_words(t,a,&(a[n]),n);
+	else if (c1 < 0)
+		bn_sub_words(t,&(a[n]),a,n);
+	else
+		zero=1;
+
+	/* The result will always be negative unless it is zero */
+
+	if (n == 8)
+		{
+		if (!zero)
+			bn_sqr_comba8(&(t[n2]),t);
+		else
+			memset(&(t[n2]),0,8*sizeof(BN_ULONG));
+		
+		bn_sqr_comba8(r,a);
+		bn_sqr_comba8(&(r[n2]),&(a[n]));
+		}
+	else
+		{
+		p= &(t[n2*2]);
+		if (!zero)
+			bn_sqr_recursive(&(t[n2]),t,n,p);
+		else
+			memset(&(t[n2]),0,n*sizeof(BN_ULONG));
+		bn_sqr_recursive(r,a,n,p);
+		bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
+		}
+
+	/* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+	 * r[10] holds (a[0]*b[0])
+	 * r[32] holds (b[1]*b[1])
+	 */
+
+	c1=bn_add_words(t,r,&(r[n2]),n2);
+
+	/* t[32] is negative */
+	c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
+
+	/* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+	 * r[10] holds (a[0]*a[0])
+	 * r[32] holds (a[1]*a[1])
+	 * c1 holds the carry bits
+	 */
+	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
+	if (c1)
+		{
+		p= &(r[n+n2]);
+		lo= *p;
+		ln=(lo+c1)&BN_MASK2;
+		*p=ln;
+
+		/* The overflow will stop before we over write
+		 * words we should not overwrite */
+		if (ln < c1)
+			{
+			do	{
+				p++;
+				lo= *p;
+				ln=(lo+1)&BN_MASK2;
+				*p=ln;
+				} while (ln == 0);
+			}
+		}
+	}
+
+#if 1
+/* a and b must be the same size, which is n2.
+ * r needs to be n2 words and t needs to be n2*2
+ */
+void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+	     BN_ULONG *t)
+	{
+	int n=n2/2;
+
+#ifdef BN_COUNT
+printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
+#endif
+
+	bn_mul_recursive(r,a,b,n,&(t[0]));
+	if (n > BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
+		{
+		bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		bn_mul_low_recursive(&(t[0]),&(a[n]),&(b[0]),n,&(t[n2]));
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		}
+	else
+		{
+		bn_mul_low_normal(&(t[0]),&(a[0]),&(b[n]),n);
+		bn_mul_low_normal(&(t[n]),&(a[n]),&(b[0]),n);
+		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
+		bn_add_words(&(r[n]),&(r[n]),&(t[n]),n);
+		}
+	}
+
+/* a and b must be the same size, which is n2.
+ * r needs to be n2 words and t needs to be n2*2
+ * l is the low words of the output.
+ * t needs to be n2*3
+ */
+void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
+	     BN_ULONG *t)
+	{
+	int j,i,n,c1,c2;
+	int neg,oneg,zero;
+	BN_ULONG ll,lc,*lp,*mp;
+
+#ifdef BN_COUNT
+printf(" bn_mul_high %d * %d\n",n2,n2);
+#endif
+	n=(n2+1)/2;
+
+	/* Calculate (al-ah)*(bh-bl) */
+	neg=zero=0;
+	c1=bn_cmp_words(&(a[0]),&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),&(b[0]),n);
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
+		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
+		break;
+	case -3:
+		zero=1;
+		break;
+	case -2:
+		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
+		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		break;
+	case 2:
+		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
+		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		break;
+	case 4:
+		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
+		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
+		break;
+		}
+		
+	oneg=neg;
+	/* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
+	bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
+	/* r[10] = (a[1]*b[1]) */
+	bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
+
+	/* s0 == low(al*bl)
+	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
+	 * We know s0 and s1 so the only unknown is high(al*bl)
+	 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
+	 * high(al*bl) == s1 - (r[0]+l[0]+t[0])
+	 */
+	if (l != NULL)
+		{
+		lp= &(t[n2+n]);
+		c1=bn_add_words(lp,&(r[0]),&(l[0]),n);
+		}
+	else
+		{
+		c1=0;
+		lp= &(r[0]);
+		}
+
+	if (neg)
+		neg=bn_sub_words(&(t[n2]),lp,&(t[0]),n);
+	else
+		{
+		bn_add_words(&(t[n2]),lp,&(t[0]),n);
+		neg=0;
+		}
+
+	if (l != NULL)
+		{
+		bn_sub_words(&(t[n2+n]),&(l[n]),&(t[n2]),n);
+		}
+	else
+		{
+		lp= &(t[n2+n]);
+		mp= &(t[n2]);
+		for (i=0; i<n; i++)
+			lp[i]=((~mp[i])+1)&BN_MASK2;
+		}
+
+	/* s[0] = low(al*bl)
+	 * t[3] = high(al*bl)
+	 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
+	 * r[10] = (a[1]*b[1])
+	 */
+	/* R[10] = al*bl
+	 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
+	 * R[32] = ah*bh
+	 */
+	/* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
+	 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
+	 * R[3]=r[1]+(carry/borrow)
+	 */
+	if (l != NULL)
+		{
+		lp= &(t[n2]);
+		c1= bn_add_words(lp,&(t[n2+n]),&(l[0]),n);
+		}
+	else
+		{
+		lp= &(t[n2+n]);
+		c1=0;
+		}
+	c1+=bn_add_words(&(t[n2]),lp,  &(r[0]),n);
+	if (oneg)
+		c1-=bn_sub_words(&(t[n2]),&(t[n2]),&(t[0]),n);
+	else
+		c1+=bn_add_words(&(t[n2]),&(t[n2]),&(t[0]),n);
+
+	c2 =bn_add_words(&(r[0]),&(r[0]),&(t[n2+n]),n);
+	c2+=bn_add_words(&(r[0]),&(r[0]),&(r[n]),n);
+	if (oneg)
+		c2-=bn_sub_words(&(r[0]),&(r[0]),&(t[n]),n);
+	else
+		c2+=bn_add_words(&(r[0]),&(r[0]),&(t[n]),n);
+	
+	if (c1 != 0) /* Add starting at r[0], could be +ve or -ve */
+		{
+		i=0;
+		if (c1 > 0)
+			{
+			lc=c1;
+			do	{
+				ll=(r[i]+lc)&BN_MASK2;
+				r[i++]=ll;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		else
+			{
+			lc= -c1;
+			do	{
+				ll=r[i];
+				r[i++]=(ll-lc)&BN_MASK2;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		}
+	if (c2 != 0) /* Add starting at r[1] */
+		{
+		i=n;
+		if (c2 > 0)
+			{
+			lc=c2;
+			do	{
+				ll=(r[i]+lc)&BN_MASK2;
+				r[i++]=ll;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		else
+			{
+			lc= -c2;
+			do	{
+				ll=r[i];
+				r[i++]=(ll-lc)&BN_MASK2;
+				lc=(lc > ll);
+				} while (lc);
+			}
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/old/bn_low.c b/crypto/openssl/crypto/bn/old/bn_low.c
new file mode 100644
index 0000000..cbc4067
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_low.c
@@ -0,0 +1,194 @@
+/* crypto/bn/bn_mul.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+static int bn_mm_low(BIGNUM *m,BIGNUM *A,BIGNUM *B, int num,
+		BIGNUM *sk,BN_CTX *ctx);
+int BN_mul_low(BIGNUM *r, BIGNUM *a, BIGNUM *b,int words);
+
+/* r must be different to a and b */
+int BN_mul_low(BIGNUM *r, BIGNUM *a, BIGNUM *b, int num)
+	{
+	BN_ULONG *ap,*bp,*rp;
+	BIGNUM *sk;
+	int j,i,n,ret;
+	int max,al,bl;
+	BN_CTX ctx;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+#ifdef BN_MUL_DEBUG
+printf("BN_mul_low(%d,%d,%d)\n",a->top,b->top,num);
+#endif
+
+	al=a->top;
+	bl=b->top;
+	if ((al == 0) || (bl == 0))
+		{
+		r->top=0;
+		return(1);
+		}
+
+	if ((bn_limit_bits_low > 0) && (num > bn_limit_num_low))
+		{
+		n=BN_num_bits_word(num*2)-bn_limit_bits_low;
+		n*=2;
+		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
+		memset(sk,0,sizeof(BIGNUM)*n);
+		memset(&ctx,0,sizeof(ctx));
+
+		ret=bn_mm_low(r,a,b,num,&(sk[0]),&ctx);
+		for (i=0; i<n; i+=2)
+			{
+			BN_clear_free(&sk[i]);
+			BN_clear_free(&sk[i+1]);
+			}
+		Free(sk);
+		return(ret);
+		}
+
+	max=(al+bl);
+	if (bn_wexpand(r,max) == NULL) return(0);
+	r->neg=a->neg^b->neg;
+	ap=a->d;
+	bp=b->d;
+	rp=r->d;
+	r->top=(max > num)?num:max;
+
+	rp[al]=bn_mul_words(rp,ap,al,*(bp++));
+	rp++;
+	j=bl;
+	for (i=1; i<j; i++)
+		{
+		if (al >= num--)
+			{
+			al--;
+			if (al <= 0) break;
+			}
+		rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
+		rp++;
+		}
+	
+	while ((r->top > 0) && (r->d[r->top-1] == 0))
+		r->top--;
+	return(1);
+	}
+
+
+#define t1	(sk[0])
+#define t2	(sk[1])
+
+/* r must be different to a and b */
+int bn_mm_low(BIGNUM *m, BIGNUM *A, BIGNUM *B, int num, BIGNUM *sk,
+	     BN_CTX *ctx)
+	{
+	int n; /* ,sqr=0; */
+	int an,bn;
+	BIGNUM ah,al,bh,bl;
+
+	bn_wexpand(m,num+3);
+	an=A->top;
+	bn=B->top;
+
+#ifdef BN_MUL_DEBUG
+printf("bn_mm_low(%d,%d,%d)\n",A->top,B->top,num);
+#endif
+
+	n=(num+1)/2;
+
+	BN_init(&ah); BN_init(&al); BN_init(&bh); BN_init(&bl);
+
+	bn_set_low( &al,A,n);
+	bn_set_high(&ah,A,n);
+	bn_set_low( &bl,B,n);
+	bn_set_high(&bh,B,n);
+
+	if (num <= (bn_limit_num_low+bn_limit_num_low))
+		{
+		BN_mul(m,&al,&bl);
+		BN_mul_low(&t1,&al,&bh,n);
+		BN_mul_low(&t2,&ah,&bl,n);
+		}
+	else
+		{
+		bn_mm(m  ,&al,&bl,&(sk[2]),ctx);
+		bn_mm_low(&t1,&al,&bh,n,&(sk[2]),ctx);
+		bn_mm_low(&t2,&ah,&bl,n,&(sk[2]),ctx);
+		}
+
+	BN_add(&t1,&t1,&t2);
+
+	/* We will now do an evil hack instead of
+	 * BN_lshift(&t1,&t1,n*BN_BITS2);
+	 * BN_add(m,m,&t1);
+	 * BN_mask_bits(m,num*BN_BITS2);
+	 */
+	bn_set_high(&ah,m,n); ah.max=num+2;
+	BN_add(&ah,&ah,&t1);
+	m->top=num;
+
+	m->neg=A->neg^B->neg;
+	return(1);
+	}
+
+#undef t1	(sk[0])
+#undef t2	(sk[1])
diff --git a/crypto/openssl/crypto/bn/old/bn_m.c b/crypto/openssl/crypto/bn/old/bn_m.c
new file mode 100644
index 0000000..522beb0
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_m.c
@@ -0,0 +1,139 @@
+/* crypto/bn/bn_m.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+/*#include "cryptlib.h"*/
+#include "bn_lcl.h"
+
+#define limit_bits 5			/* 2^5, or 32 words */
+#define limit_num (1<<limit_bits)
+
+int BN_m(BIGNUM *r, BIGNUM *a, BIGNUM *b)
+	{
+	BIGNUM *sk;
+	int i,n;
+
+	n=(BN_num_bits_word(a->top|b->top)-limit_bits);
+	n*=2;
+	sk=(BIGNUM *)malloc(sizeof(BIGNUM)*n);
+	for (i=0; i<n; i++)
+		BN_init(&(sk[i]));
+
+	return(BN_mm(r,a,b,&(sk[0])));
+	}
+
+#define ahal	(sk[0])
+#define blbh	(sk[1])
+
+/* r must be different to a and b */
+int BN_mm(BIGNUM *m, BIGNUM *A, BIGNUM *B, BIGNUM *sk)
+	{
+	int i,num,anum,bnum;
+	int an,bn;
+	BIGNUM ah,al,bh,bl;
+
+	an=A->top;
+	bn=B->top;
+	if ((an <= limit_num) || (bn <= limit_num))
+		{
+		return(BN_mul(m,A,B));
+		}
+
+	anum=(an>bn)?an:bn;
+	num=(anum)/2;
+
+	/* Are going to now chop things into 'num' word chunks. */
+	bnum=num*BN_BITS2;
+
+	BN_init(&ahal);
+	BN_init(&blbh);
+	BN_init(&ah);
+	BN_init(&al);
+	BN_init(&bh);
+	BN_init(&bl);
+
+	al.top=num;
+	al.d=A->d;
+	ah.top=A->top-num;
+	ah.d= &(A->d[num]);
+
+	bl.top=num;
+	bl.d=B->d;
+	bh.top=B->top-num;
+	bh.d= &(B->d[num]);
+
+	BN_sub(&ahal,&ah,&al);
+	BN_sub(&blbh,&bl,&bh);
+
+	BN_mm(m,&ahal,&blbh,&(sk[2]));
+	BN_mm(&ahal,&al,&bl,&(sk[2]));
+	BN_mm(&blbh,&ah,&bh,&(sk[2]));
+
+	BN_add(m,m,&ahal);
+	BN_add(m,m,&blbh);
+
+	BN_lshift(m,m,bnum);
+	BN_add(m,m,&ahal);
+
+	BN_lshift(&blbh,&blbh,bnum*2);
+	BN_add(m,m,&blbh);
+
+	m->neg=A->neg^B->neg;
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/bn/old/bn_mul.c.works b/crypto/openssl/crypto/bn/old/bn_mul.c.works
new file mode 100644
index 0000000..6d565d4
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_mul.c.works
@@ -0,0 +1,219 @@
+/* crypto/bn/bn_mul.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+int bn_mm(BIGNUM *m,BIGNUM *A,BIGNUM *B, BIGNUM *sk,BN_CTX *ctx);
+
+/* r must be different to a and b */
+int BN_mul(r, a, b)
+BIGNUM *r;
+BIGNUM *a;
+BIGNUM *b;
+	{
+	BN_ULONG *ap,*bp,*rp;
+	BIGNUM *sk;
+	int i,n,ret;
+	int max,al,bl;
+	BN_CTX ctx;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	al=a->top;
+	bl=b->top;
+	if ((al == 0) || (bl == 0))
+		{
+		r->top=0;
+		return(1);
+		}
+#ifdef BN_MUL_DEBUG
+printf("BN_mul(%d,%d)\n",a->top,b->top);
+#endif
+
+#ifdef BN_RECURSION
+	if (	(bn_limit_bits > 0) &&
+		(bl > bn_limit_num) && (al > bn_limit_num))
+		{
+		n=(BN_num_bits_word(al|bl)-bn_limit_bits);
+		n*=2;
+		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
+		memset(sk,0,sizeof(BIGNUM)*n);
+		memset(&ctx,0,sizeof(ctx));
+
+		ret=bn_mm(r,a,b,&(sk[0]),&ctx);
+		for (i=0; i<n; i+=2)
+			{
+			BN_clear_free(&sk[i]);
+			BN_clear_free(&sk[i+1]);
+			}
+		Free(sk);
+		return(ret);
+		}
+#endif
+
+	max=(al+bl);
+	if (bn_wexpand(r,max) == NULL) return(0);
+	r->top=max;
+	r->neg=a->neg^b->neg;
+	ap=a->d;
+	bp=b->d;
+	rp=r->d;
+
+#ifdef BN_RECURSION
+	if ((al == bl) && (al == 8))
+		{
+		bn_mul_comba8(rp,ap,bp);
+		}
+	else
+#endif
+		{
+		rp[al]=bn_mul_words(rp,ap,al,*(bp++));
+		rp++;
+		for (i=1; i<bl; i++)
+			{
+			rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
+			rp++;
+			}
+		}
+	if ((max > 0) && (r->d[max-1] == 0)) r->top--;
+	return(1);
+	}
+
+#ifdef BN_RECURSION
+
+#define ahal	(sk[0])
+#define blbh	(sk[1])
+
+/* r must be different to a and b */
+int bn_mm(m, A, B, sk,ctx)
+BIGNUM *m,*A,*B;
+BIGNUM *sk;
+BN_CTX *ctx;
+	{
+	int n,num,sqr=0;
+	int an,bn;
+	BIGNUM ah,al,bh,bl;
+
+	an=A->top;
+	bn=B->top;
+#ifdef BN_MUL_DEBUG
+printf("bn_mm(%d,%d)\n",A->top,B->top);
+#endif
+
+	if (A == B) sqr=1;
+	num=(an>bn)?an:bn;
+	n=(num+1)/2;
+	/* Are going to now chop things into 'num' word chunks. */
+
+	BN_init(&ah);
+	BN_init(&al);
+	BN_init(&bh);
+	BN_init(&bl);
+
+	bn_set_low (&al,A,n);
+	bn_set_high(&ah,A,n);
+	bn_set_low (&bl,B,n);
+	bn_set_high(&bh,B,n);
+
+	BN_sub(&ahal,&ah,&al);
+	BN_sub(&blbh,&bl,&bh);
+
+	if (num <= (bn_limit_num+bn_limit_num))
+		{
+		BN_mul(m,&ahal,&blbh);
+		if (sqr)
+			{
+			BN_sqr(&ahal,&al,ctx);
+			BN_sqr(&blbh,&ah,ctx);
+			}
+		else
+			{
+			BN_mul(&ahal,&al,&bl);
+			BN_mul(&blbh,&ah,&bh);
+			}
+		}
+	else
+		{
+		bn_mm(m,&ahal,&blbh,&(sk[2]),ctx);
+		bn_mm(&ahal,&al,&bl,&(sk[2]),ctx);
+		bn_mm(&blbh,&ah,&bh,&(sk[2]),ctx);
+		}
+
+	BN_add(m,m,&ahal);
+	BN_add(m,m,&blbh);
+
+	BN_lshift(m,m,n*BN_BITS2);
+	BN_lshift(&blbh,&blbh,n*BN_BITS2*2);
+
+	BN_add(m,m,&ahal);
+	BN_add(m,m,&blbh);
+
+	m->neg=A->neg^B->neg;
+	return(1);
+	}
+#undef ahal	(sk[0])
+#undef blbh	(sk[1])
+
+#include "bn_low.c"
+#include "bn_high.c"
+#include "f.c"
+
+#endif
diff --git a/crypto/openssl/crypto/bn/old/bn_wmul.c b/crypto/openssl/crypto/bn/old/bn_wmul.c
new file mode 100644
index 0000000..a467b2f
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/bn_wmul.c
@@ -0,0 +1,173 @@
+#include <stdio.h>
+#include "bn_lcl.h"
+
+#if 1
+
+int bn_mull(BIGNUM *r,BIGNUM *a,BIGNUM *b, BN_CTX *ctx);
+
+int bn_mull(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+	{
+	int top,i,j,k,al,bl;
+	BIGNUM *t;
+
+#ifdef BN_COUNT
+printf("bn_mull %d * %d\n",a->top,b->top);
+#endif
+
+	bn_check_top(a);
+	bn_check_top(b);
+	bn_check_top(r);
+
+	al=a->top;
+	bl=b->top;
+	r->neg=a->neg^b->neg;
+
+	top=al+bl;
+	if ((al < 4) || (bl < 4))
+		{
+		if (bn_wexpand(r,top) == NULL) return(0);
+		r->top=top;
+		bn_mul_normal(r->d,a->d,al,b->d,bl);
+		goto end;
+		}
+	else if (al == bl) /* A good start, they are the same size */
+		goto symetric;
+	else
+		{
+		i=(al-bl);
+		if ((i ==  1) && !BN_get_flags(b,BN_FLG_STATIC_DATA))
+			{
+			bn_wexpand(b,al);
+			b->d[bl]=0;
+			bl++;
+			goto symetric;
+			}
+		else if ((i ==  -1) && !BN_get_flags(a,BN_FLG_STATIC_DATA))
+			{
+			bn_wexpand(a,bl);
+			a->d[al]=0;
+			al++;
+			goto symetric;
+			}
+		}
+
+	/* asymetric and >= 4 */ 
+	if (bn_wexpand(r,top) == NULL) return(0);
+	r->top=top;
+	bn_mul_normal(r->d,a->d,al,b->d,bl);
+
+	if (0)
+		{
+		/* symetric and > 4 */
+symetric:
+		if (al == 4)
+			{
+			if (bn_wexpand(r,al*2) == NULL) return(0);
+			r->top=top;
+			bn_mul_comba4(r->d,a->d,b->d);
+			goto end;
+			}
+		if (al == 8)
+			{
+			if (bn_wexpand(r,al*2) == NULL) return(0);
+			r->top=top;
+			bn_mul_comba8(r->d,a->d,b->d);
+			goto end;
+			}
+		if (al <= BN_MULL_NORMAL_SIZE)
+			{
+			if (bn_wexpand(r,al*2) == NULL) return(0);
+			r->top=top;
+			bn_mul_normal(r->d,a->d,al,b->d,bl);
+			goto end;
+			}
+		/* 16 or larger */
+		j=BN_num_bits_word((BN_ULONG)al);
+		j=1<<(j-1);
+		k=j+j;
+		t= &(ctx->bn[ctx->tos]);
+		if (al == j) /* exact multiple */
+			{
+			bn_wexpand(t,k*2);
+			bn_wexpand(r,k*2);
+			bn_mul_recursive(r->d,a->d,b->d,al,t->d);
+			}
+		else
+			{
+			bn_wexpand(a,k);
+			bn_wexpand(b,k);
+			bn_wexpand(t,k*4);
+			bn_wexpand(r,k*4);
+			for (i=a->top; i<k; i++)
+				a->d[i]=0;
+			for (i=b->top; i<k; i++)
+				b->d[i]=0;
+			bn_mul_part_recursive(r->d,a->d,b->d,al-j,j,t->d);
+			}
+		r->top=top;
+		}
+end:
+	bn_fix_top(r);
+	return(1);
+	}
+#endif
+
+void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
+	{
+	BN_ULONG *rr;
+
+#ifdef BN_COUNT
+printf(" bn_mul_normal %d * %d\n",na,nb);
+#endif
+
+	if (na < nb)
+		{
+		int itmp;
+		BN_ULONG *ltmp;
+
+		itmp=na; na=nb; nb=itmp;
+		ltmp=a;   a=b;   b=ltmp;
+
+		}
+	rr= &(r[na]);
+	rr[0]=bn_mul_words(r,a,na,b[0]);
+
+	for (;;)
+		{
+		if (--nb <= 0) return;
+		rr[1]=bn_mul_add_words(&(r[1]),a,na,b[1]);
+		if (--nb <= 0) return;
+		rr[2]=bn_mul_add_words(&(r[2]),a,na,b[2]);
+		if (--nb <= 0) return;
+		rr[3]=bn_mul_add_words(&(r[3]),a,na,b[3]);
+		if (--nb <= 0) return;
+		rr[4]=bn_mul_add_words(&(r[4]),a,na,b[4]);
+		rr+=4;
+		r+=4;
+		b+=4;
+		}
+	}
+
+#if 1
+void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+	{
+#ifdef BN_COUNT
+printf(" bn_mul_low_normal %d * %d\n",n,n);
+#endif
+	bn_mul_words(r,a,n,b[0]);
+
+	for (;;)
+		{
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[1]),a,n,b[1]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[2]),a,n,b[2]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[3]),a,n,b[3]);
+		if (--n <= 0) return;
+		bn_mul_add_words(&(r[4]),a,n,b[4]);
+		r+=4;
+		b+=4;
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/old/build b/crypto/openssl/crypto/bn/old/build
new file mode 100755
index 0000000..8cd99e5
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/build
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+gcc -g -I../../include test.c -L../.. -lcrypto
diff --git a/crypto/openssl/crypto/bn/old/info b/crypto/openssl/crypto/bn/old/info
new file mode 100644
index 0000000..5ac99c3
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/info
@@ -0,0 +1,22 @@
+Given A1A0 * B1B0 == S3S2S1S0
+
+S0=     low(A0*B0)
+S1=     low( (A1-A0)*(B0-B1)) +low( A1*B1) +high(A0*B0)
+S2=     high((A1-A0)*(B0-B1)) +high(A1*B1) +low( A1*B1)
+S3=     high(A1*B1);
+
+Assume we know S1 and S0, and can calulate A1*B1 and high((A1-A0)*(B0-B1))
+
+k0=	S0 == low(A0*B0)
+k1=	S1
+k2=	low( A1*B1)
+k3=	high(A1*B1)
+k4=	high((A1-A0)*(B0-B1))
+
+k1=	low((A1-A0)*(B0-B1)) +k2 +high(A0*B0)
+S2=	k4 +k3 +k2
+S3=	k3
+
+S1-k2= low((A1-A0)*(B0-B1)) +high(A0*B0)
+
+We potentially have a carry or a borrow from S1
diff --git a/crypto/openssl/crypto/bn/old/test.works b/crypto/openssl/crypto/bn/old/test.works
new file mode 100644
index 0000000..127c7b4
--- /dev/null
+++ b/crypto/openssl/crypto/bn/old/test.works
@@ -0,0 +1,205 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#define SIZE	128
+
+#define BN_MONT_CTX_set		bn_mcs
+#define BN_from_montgomery	bn_fm
+#define BN_mod_mul_montgomery	bn_mmm
+#undef BN_to_montgomery
+#define BN_to_montgomery(r,a,mont,ctx)	bn_mmm(\
+	r,a,(mont)->RR,(mont),ctx)
+
+main()
+	{
+	BIGNUM prime,a,b,r,A,B,R;
+	BN_MONT_CTX *mont;
+	BN_CTX *ctx;
+	int i;
+
+	ctx=BN_CTX_new();
+	BN_init(&prime);
+	BN_init(&a); BN_init(&b); BN_init(&r);
+	BN_init(&A); BN_init(&B); BN_init(&R);
+
+	BN_generate_prime(&prime,SIZE,0,NULL,NULL,NULL,NULL);
+	BN_rand(&A,SIZE,1,0);
+	BN_rand(&B,SIZE,1,0);
+	BN_mod(&A,&A,&prime,ctx);
+	BN_mod(&B,&B,&prime,ctx);
+
+	mont=BN_MONT_CTX_new();
+	BN_MONT_CTX_set(mont,&prime,ctx);
+
+	BN_to_montgomery(&a,&A,mont,ctx);
+	BN_to_montgomery(&b,&B,mont,ctx);
+
+	BN_mul(&r,&a,&b);
+	BN_print_fp(stdout,&r); printf("\n");
+	BN_from_montgomery(&r,&r,mont,ctx);
+	BN_print_fp(stdout,&r); printf("\n");
+	BN_from_montgomery(&r,&r,mont,ctx);
+	BN_print_fp(stdout,&r); printf("\n");
+
+	BN_mod_mul(&R,&A,&B,&prime,ctx);
+
+	BN_print_fp(stdout,&a); printf("\n");
+	BN_print_fp(stdout,&b); printf("\n");
+	BN_print_fp(stdout,&prime); printf("\n");
+	BN_print_fp(stdout,&r); printf("\n\n");
+
+	BN_print_fp(stdout,&A); printf("\n");
+	BN_print_fp(stdout,&B); printf("\n");
+	BN_print_fp(stdout,&prime); printf("\n");
+	BN_print_fp(stdout,&R); printf("\n\n");
+
+	BN_mul(&r,&a,&b);
+	BN_print_fp(stdout,&r); printf(" <- BA*DC\n");
+	BN_copy(&A,&r);
+	i=SIZE/2;
+	BN_mask_bits(&A,i*2);
+//	BN_print_fp(stdout,&A); printf(" <- low(BA*DC)\n");
+	bn_do_lower(&r,&a,&b,&A,i);
+//	BN_print_fp(stdout,&r); printf(" <- low(BA*DC)\n");
+	}
+
+int bn_mul_low(r,a,b,low,i)
+BIGNUM *r,*a,*b,*low;
+int i;
+	{
+	int w;
+	BIGNUM Kh,Km,t1,t2,h,ah,al,bh,bl,l,m,s0,s1;
+
+	BN_init(&Kh); BN_init(&Km); BN_init(&t1); BN_init(&t2); BN_init(&l);
+	BN_init(&ah); BN_init(&al); BN_init(&bh); BN_init(&bl); BN_init(&h);
+	BN_init(&m); BN_init(&s0); BN_init(&s1);
+
+	BN_copy(&al,a); BN_mask_bits(&al,i); BN_rshift(&ah,a,i);
+	BN_copy(&bl,b); BN_mask_bits(&bl,i); BN_rshift(&bh,b,i);
+
+
+	BN_sub(&t1,&al,&ah);
+	BN_sub(&t2,&bh,&bl);
+	BN_mul(&m,&t1,&t2);
+	BN_mul(&h,&ah,&bh);
+
+	BN_copy(&s0,low); BN_mask_bits(&s0,i);
+	BN_rshift(&s1,low,i);
+
+	BN_add(&t1,&h,&m);
+	BN_add(&t1,&t1,&s0);
+
+	BN_copy(&t2,&t1); BN_mask_bits(&t2,i);
+	BN_sub(&t1,&s1,&t2);
+	BN_lshift(&t1,&t1,i);
+	BN_add(&t1,&t1,&s0);
+	if (t1.neg)
+		{
+		BN_lshift(&t2,BN_value_one(),i*2);
+		BN_add(&t1,&t2,&t1);
+		BN_mask_bits(&t1,i*2);
+		}
+	
+	BN_free(&Kh); BN_free(&Km); BN_free(&t1); BN_free(&t2);
+	BN_free(&ah); BN_free(&al); BN_free(&bh); BN_free(&bl);
+	}
+
+int BN_mod_mul_montgomery(r,a,b,mont,ctx)
+BIGNUM *r,*a,*b;
+BN_MONT_CTX *mont;
+BN_CTX *ctx;
+	{
+	BIGNUM *tmp;
+
+        tmp= &(ctx->bn[ctx->tos++]);
+
+	if (a == b)
+		{
+		if (!BN_sqr(tmp,a,ctx)) goto err;
+		}
+	else
+		{
+		if (!BN_mul(tmp,a,b)) goto err;
+		}
+	/* reduce from aRR to aR */
+	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
+	ctx->tos--;
+	return(1);
+err:
+	return(0);
+	}
+
+int BN_from_montgomery(r,a,mont,ctx)
+BIGNUM *r;
+BIGNUM *a;
+BN_MONT_CTX *mont;
+BN_CTX *ctx;
+	{
+	BIGNUM z1;
+	BIGNUM *t1,*t2;
+	BN_ULONG *ap,*bp,*rp;
+	int j,i,bl,al;
+
+	BN_init(&z1);
+	t1= &(ctx->bn[ctx->tos]);
+	t2= &(ctx->bn[ctx->tos+1]);
+
+	if (!BN_copy(t1,a)) goto err;
+	/* can cheat */
+	BN_mask_bits(t1,mont->ri);
+	if (!BN_mul(t2,t1,mont->Ni)) goto err;
+	BN_mask_bits(t2,mont->ri);
+
+	if (!BN_mul(t1,t2,mont->N)) goto err;
+	if (!BN_add(t2,t1,a)) goto err;
+
+	/* At this point, t2 has the bottom ri bits set to zero.
+	 * This means that the bottom ri bits == the 1^ri minus the bottom
+	 * ri bits of a.
+	 * This means that only the bits above 'ri' in a need to be added,
+	 * and XXXXXXXXXXXXXXXXXXXXXXXX
+	 */
+BN_print_fp(stdout,t2); printf("\n");
+	BN_rshift(r,t2,mont->ri);
+
+	if (BN_ucmp(r,mont->N) >= 0)
+		bn_qsub(r,r,mont->N);
+
+	return(1);
+err:
+	return(0);
+	}
+
+int BN_MONT_CTX_set(mont,mod,ctx)
+BN_MONT_CTX *mont;
+BIGNUM *mod;
+BN_CTX *ctx;
+	{
+	BIGNUM *Ri=NULL,*R=NULL;
+
+	if (mont->RR == NULL) mont->RR=BN_new();
+	if (mont->N == NULL)  mont->N=BN_new();
+
+	R=mont->RR;					/* grab RR as a temp */
+	BN_copy(mont->N,mod);				/* Set N */
+
+	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
+	BN_lshift(R,BN_value_one(),mont->ri);			/* R */
+	if ((Ri=BN_mod_inverse(NULL,R,mod,ctx)) == NULL) goto err;/* Ri */
+	BN_lshift(Ri,Ri,mont->ri);				/* R*Ri */
+	bn_qsub(Ri,Ri,BN_value_one());				/* R*Ri - 1 */
+	BN_div(Ri,NULL,Ri,mod,ctx);
+	if (mont->Ni != NULL) BN_free(mont->Ni);
+	mont->Ni=Ri;					/* Ni=(R*Ri-1)/N */
+
+	/* setup RR for conversions */
+	BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
+	BN_mod(mont->RR,mont->RR,mont->N,ctx);
+
+	return(1);
+err:
+	return(0);
+	}
+
+
diff --git a/crypto/openssl/crypto/bn/test.c b/crypto/openssl/crypto/bn/test.c
new file mode 100644
index 0000000..a048b9f
--- /dev/null
+++ b/crypto/openssl/crypto/bn/test.c
@@ -0,0 +1,241 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#define SIZE	32
+
+#define BN_MONT_CTX_set		bn_mcs
+#define BN_from_montgomery	bn_fm
+#define BN_mod_mul_montgomery	bn_mmm
+#undef BN_to_montgomery
+#define BN_to_montgomery(r,a,mont,ctx)	bn_mmm(\
+	r,a,(mont)->RR,(mont),ctx)
+
+main()
+	{
+	BIGNUM prime,a,b,r,A,B,R;
+	BN_MONT_CTX *mont;
+	BN_CTX *ctx;
+	int i;
+
+	ctx=BN_CTX_new();
+	BN_init(&prime);
+	BN_init(&a); BN_init(&b); BN_init(&r);
+	BN_init(&A); BN_init(&B); BN_init(&R);
+
+	BN_generate_prime(&prime,SIZE,0,NULL,NULL,NULL,NULL);
+	BN_rand(&A,SIZE,1,0);
+	BN_rand(&B,SIZE,1,0);
+	BN_mod(&A,&A,&prime,ctx);
+	BN_mod(&B,&B,&prime,ctx);
+
+	i=A.top;
+	BN_mul(&R,&A,&B,ctx);
+	BN_mask_bits(&R,i*BN_BITS2);
+
+
+	BN_print_fp(stdout,&A); printf(" <- a\n");
+	BN_print_fp(stdout,&B); printf(" <- b\n");
+	BN_mul_high(&r,&A,&B,&R,i);
+	BN_print_fp(stdout,&r); printf(" <- high(BA*DC)\n");
+
+	BN_mask_bits(&A,i*32);
+	BN_mask_bits(&B,i*32);
+
+	BN_mul(&R,&A,&B);
+	BN_rshift(&R,&R,i*32);
+	BN_print_fp(stdout,&R); printf(" <- norm BA*DC\n");
+	BN_sub(&R,&R,&r);
+	BN_print_fp(stdout,&R); printf(" <- diff\n");
+	}
+
+#if 0
+int bn_mul_high(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *low, int words)
+	{
+	int i;
+	BIGNUM t1,t2,t3,h,ah,al,bh,bl,m,s0,s1;
+
+	BN_init(&al); BN_init(&ah);
+	BN_init(&bl); BN_init(&bh);
+	BN_init(&t1); BN_init(&t2); BN_init(&t3);
+	BN_init(&s0); BN_init(&s1);
+	BN_init(&h); BN_init(&m);
+
+	i=a->top;
+	if (i >= words)
+		{
+		al.top=words;
+		ah.top=a->top-words;
+		ah.d= &(a->d[ah.top]);
+		}
+	else
+		al.top=i;
+	al.d=a->d;
+
+	i=b->top;
+	if (i >= words)
+		{
+		bl.top=words;
+		bh.top=i-words;
+		bh.d= &(b->d[bh.top]);
+		}
+	else
+		bl.top=i;
+	bl.d=b->d;
+
+	i=low->top;
+	if (i >= words)
+		{
+		s0.top=words;
+		s1.top=i-words;
+		s1.d= &(low->d[s1.top]);
+		}
+	else
+		s0.top=i;
+	s0.d=low->d;
+
+al.max=al.top; ah.max=ah.top;
+bl.max=bl.top; bh.max=bh.top;
+s0.max=bl.top; s1.max=bh.top;
+
+	/* Calculate (al-ah)*(bh-bl) */
+	BN_sub(&t1,&al,&ah);
+	BN_sub(&t2,&bh,&bl);
+	BN_mul(&m,&t1,&t2);
+
+	/* Calculate ah*bh */
+	BN_mul(&h,&ah,&bh);
+
+	/* s0 == low(al*bl)
+	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
+	 * We know s0 and s1 so the only unknown is high(al*bl)
+	 * high(al*bl) == s1 - low(ah*bh+(al-ah)*(bh-bl)+s0)
+	 */
+	BN_add(&m,&m,&h);
+	BN_add(&t2,&m,&s0);
+	/* Quick and dirty mask off of high words */
+	t3.d=t2.d;
+	t3.top=(t2.top > words)?words:t2.top;
+	t3.neg=t2.neg;
+t3.max=t3.top;
+/* BN_print_fp(stdout,&s1); printf(" s1\n"); */
+/* BN_print_fp(stdout,&t2); printf(" middle value\n"); */
+/* BN_print_fp(stdout,&t3); printf(" low middle value\n"); */
+	BN_sub(&t1,&s1,&t3);
+
+	if (t1.neg)
+		{
+/*printf("neg fixup\n"); BN_print_fp(stdout,&t1); printf(" before\n"); */
+		BN_lshift(&t2,BN_value_one(),words*32);
+		BN_add(&t1,&t2,&t1);
+		BN_mask_bits(&t1,words*32);
+/* BN_print_fp(stdout,&t1); printf(" after\n"); */
+		}
+	/* al*bl == high(al*bl)<<words+s0 */
+	BN_lshift(&t1,&t1,words*32);
+	BN_add(&t1,&t1,&s0);
+	
+	/* We now have
+	 * al*bl			- t1
+	 * (al-ah)*(bh-bl)+ah*bh	- m
+	 * ah*bh			- h
+	 */
+	BN_copy(r,&t1);
+	BN_mask_bits(r,words*32*2);
+
+	/*BN_lshift(&m,&m,words*/
+
+	BN_free(&t1); BN_free(&t2);
+	BN_free(&m); BN_free(&h);
+	}
+
+int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_MONT_CTX *mont,
+	     BN_CTX *ctx)
+	{
+	BIGNUM *tmp;
+
+        tmp= &(ctx->bn[ctx->tos++]);
+
+	if (a == b)
+		{
+		if (!BN_sqr(tmp,a,ctx)) goto err;
+		}
+	else
+		{
+		if (!BN_mul(tmp,a,b)) goto err;
+		}
+	/* reduce from aRR to aR */
+	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
+	ctx->tos--;
+	return(1);
+err:
+	return(0);
+	}
+
+int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
+	{
+	BIGNUM z1;
+	BIGNUM *t1,*t2;
+	BN_ULONG *ap,*bp,*rp;
+	int j,i,bl,al;
+
+	BN_init(&z1);
+	t1= &(ctx->bn[ctx->tos]);
+	t2= &(ctx->bn[ctx->tos+1]);
+
+	if (!BN_copy(t1,a)) goto err;
+	/* can cheat */
+	BN_mask_bits(t1,mont->ri);
+	if (!BN_mul(t2,t1,mont->Ni)) goto err;
+	BN_mask_bits(t2,mont->ri);
+
+	if (!BN_mul(t1,t2,mont->N)) goto err;
+	if (!BN_add(t2,t1,a)) goto err;
+
+	/* At this point, t2 has the bottom ri bits set to zero.
+	 * This means that the bottom ri bits == the 1^ri minus the bottom
+	 * ri bits of a.
+	 * This means that only the bits above 'ri' in a need to be added,
+	 * and XXXXXXXXXXXXXXXXXXXXXXXX
+	 */
+BN_print_fp(stdout,t2); printf("\n");
+	BN_rshift(r,t2,mont->ri);
+
+	if (BN_ucmp(r,mont->N) >= 0)
+		BN_usub(r,r,mont->N);
+
+	return(1);
+err:
+	return(0);
+	}
+
+int BN_MONT_CTX_set(BN_MONT_CTX *mont, BIGNUM *mod, BN_CTX *ctx)
+	{
+	BIGNUM *Ri=NULL,*R=NULL;
+
+	if (mont->RR == NULL) mont->RR=BN_new();
+	if (mont->N == NULL)  mont->N=BN_new();
+
+	R=mont->RR;					/* grab RR as a temp */
+	BN_copy(mont->N,mod);				/* Set N */
+
+	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
+	BN_lshift(R,BN_value_one(),mont->ri);			/* R */
+	if ((Ri=BN_mod_inverse(NULL,R,mod,ctx)) == NULL) goto err;/* Ri */
+	BN_lshift(Ri,Ri,mont->ri);				/* R*Ri */
+	BN_usub(Ri,Ri,BN_value_one());				/* R*Ri - 1 */
+	BN_div(Ri,NULL,Ri,mod,ctx);
+	if (mont->Ni != NULL) BN_free(mont->Ni);
+	mont->Ni=Ri;					/* Ni=(R*Ri-1)/N */
+
+	/* setup RR for conversions */
+	BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
+	BN_mod(mont->RR,mont->RR,mont->N,ctx);
+
+	return(1);
+err:
+	return(0);
+	}
+
+
+#endif
diff --git a/crypto/openssl/crypto/bn/todo b/crypto/openssl/crypto/bn/todo
new file mode 100644
index 0000000..e47e381
--- /dev/null
+++ b/crypto/openssl/crypto/bn/todo
@@ -0,0 +1,3 @@
+Cache RECP_CTX values
+make the result argument independant of the inputs.
+split up the _exp_ functions
diff --git a/crypto/openssl/crypto/buffer/Makefile.save b/crypto/openssl/crypto/buffer/Makefile.save
new file mode 100644
index 0000000..bbcba1f
--- /dev/null
+++ b/crypto/openssl/crypto/buffer/Makefile.save
@@ -0,0 +1,87 @@
+#
+# SSLeay/crypto/buffer/Makefile
+#
+
+DIR=	buffer
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= buffer.c buf_err.c
+LIBOBJ= buffer.o buf_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= buffer.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+buf_err.o: ../../include/openssl/buffer.h ../../include/openssl/err.h
+buffer.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+buffer.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+buffer.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+buffer.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+buffer.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl
new file mode 100644
index 0000000..bbcba1f
--- /dev/null
+++ b/crypto/openssl/crypto/buffer/Makefile.ssl
@@ -0,0 +1,87 @@
+#
+# SSLeay/crypto/buffer/Makefile
+#
+
+DIR=	buffer
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= buffer.c buf_err.c
+LIBOBJ= buffer.o buf_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= buffer.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+buf_err.o: ../../include/openssl/buffer.h ../../include/openssl/err.h
+buffer.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+buffer.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+buffer.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+buffer.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+buffer.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/buffer/buf_err.c b/crypto/openssl/crypto/buffer/buf_err.c
new file mode 100644
index 0000000..2f971a5
--- /dev/null
+++ b/crypto/openssl/crypto/buffer/buf_err.c
@@ -0,0 +1,95 @@
+/* crypto/buffer/buf_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/buffer.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA BUF_str_functs[]=
+	{
+{ERR_PACK(0,BUF_F_BUF_MEM_GROW,0),	"BUF_MEM_grow"},
+{ERR_PACK(0,BUF_F_BUF_MEM_NEW,0),	"BUF_MEM_new"},
+{ERR_PACK(0,BUF_F_BUF_STRDUP,0),	"BUF_strdup"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA BUF_str_reasons[]=
+	{
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_BUF_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_BUF,BUF_str_functs);
+		ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c
new file mode 100644
index 0000000..c3a108e
--- /dev/null
+++ b/crypto/openssl/crypto/buffer/buffer.c
@@ -0,0 +1,144 @@
+/* crypto/buffer/buffer.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+
+BUF_MEM *BUF_MEM_new(void)
+	{
+	BUF_MEM *ret;
+
+	ret=Malloc(sizeof(BUF_MEM));
+	if (ret == NULL)
+		{
+		BUFerr(BUF_F_BUF_MEM_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->length=0;
+	ret->max=0;
+	ret->data=NULL;
+	return(ret);
+	}
+
+void BUF_MEM_free(BUF_MEM *a)
+	{
+	if(a == NULL)
+	    return;
+
+	if (a->data != NULL)
+		{
+		memset(a->data,0,(unsigned int)a->max);
+		Free(a->data);
+		}
+	Free(a);
+	}
+
+int BUF_MEM_grow(BUF_MEM *str, int len)
+	{
+	char *ret;
+	unsigned int n;
+
+	if (str->length >= len)
+		{
+		str->length=len;
+		return(len);
+		}
+	if (str->max >= len)
+		{
+		memset(&str->data[str->length],0,len-str->length);
+		str->length=len;
+		return(len);
+		}
+	n=(len+3)/3*4;
+	if (str->data == NULL)
+		ret=Malloc(n);
+	else
+		ret=Realloc(str->data,n);
+	if (ret == NULL)
+		{
+		BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+		len=0;
+		}
+	else
+		{
+		str->data=ret;
+		str->length=len;
+		str->max=n;
+		}
+	return(len);
+	}
+
+char *BUF_strdup(const char *str)
+	{
+	char *ret;
+	int n;
+
+	if (str == NULL) return(NULL);
+
+	n=strlen(str);
+	ret=Malloc(n+1);
+	if (ret == NULL) 
+		{
+		BUFerr(BUF_F_BUF_STRDUP,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	memcpy(ret,str,n+1);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/buffer/buffer.h b/crypto/openssl/crypto/buffer/buffer.h
new file mode 100644
index 0000000..bff26bf
--- /dev/null
+++ b/crypto/openssl/crypto/buffer/buffer.h
@@ -0,0 +1,98 @@
+/* crypto/buffer/buffer.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BUFFER_H
+#define HEADER_BUFFER_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+typedef struct buf_mem_st
+	{
+	int length;	/* current number of bytes */
+	char *data;
+	int max;	/* size of buffer */
+	} BUF_MEM;
+
+BUF_MEM *BUF_MEM_new(void);
+void	BUF_MEM_free(BUF_MEM *a);
+int	BUF_MEM_grow(BUF_MEM *str, int len);
+char *	BUF_strdup(const char *str);
+
+void ERR_load_BUF_strings(void );
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the BUF functions. */
+
+/* Function codes. */
+#define BUF_F_BUF_MEM_GROW				 100
+#define BUF_F_BUF_MEM_NEW				 101
+#define BUF_F_BUF_STRDUP				 102
+
+/* Reason codes. */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/cast/Makefile.save b/crypto/openssl/crypto/cast/Makefile.save
new file mode 100644
index 0000000..afba084
--- /dev/null
+++ b/crypto/openssl/crypto/cast/Makefile.save
@@ -0,0 +1,124 @@
+#
+# SSLeay/crypto/cast/Makefile
+#
+
+DIR=	cast
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CAST_ENC=c_enc.o
+# or use
+#CAST_ENC=asm/cx86-elf.o
+#CAST_ENC=asm/cx86-out.o
+#CAST_ENC=asm/cx86-sol.o
+#CAST_ENC=asm/cx86bdsi.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=casttest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=c_skey.c c_ecb.c c_enc.c c_cfb64.c c_ofb64.c 
+LIBOBJ=c_skey.o c_ecb.o $(CAST_ENC) c_cfb64.o c_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= cast.h
+HEADER=	cast_s.h cast_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/cx86-elf.o: asm/cx86unix.cpp
+	$(CPP) -DELF -x c asm/cx86unix.cpp | as -o asm/cx86-elf.o
+
+# solaris
+asm/cx86-sol.o: asm/cx86unix.cpp
+	$(CC) -E -DSOL asm/cx86unix.cpp | sed 's/^#.*//' > asm/cx86-sol.s
+	as -o asm/cx86-sol.o asm/cx86-sol.s
+	rm -f asm/cx86-sol.s
+
+# a.out
+asm/cx86-out.o: asm/cx86unix.cpp
+	$(CPP) -DOUT asm/cx86unix.cpp | as -o asm/cx86-out.o
+
+# bsdi
+asm/cx86bsdi.o: asm/cx86unix.cpp
+	$(CPP) -DBSDI asm/cx86unix.cpp | sed 's/ :/:/' | as -o asm/cx86bsdi.o
+
+asm/cx86unix.cpp: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) cast-586.pl cpp $(PROCESSOR) >cx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/cx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+c_cfb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_cfb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_cfb64.o: cast_lcl.h
+c_ecb.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ecb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_ecb.o: ../../include/openssl/opensslv.h cast_lcl.h
+c_enc.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_enc.o: cast_lcl.h
+c_ofb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_ofb64.o: cast_lcl.h
+c_skey.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_skey.o: cast_lcl.h cast_s.h
diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl
new file mode 100644
index 0000000..afba084
--- /dev/null
+++ b/crypto/openssl/crypto/cast/Makefile.ssl
@@ -0,0 +1,124 @@
+#
+# SSLeay/crypto/cast/Makefile
+#
+
+DIR=	cast
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CAST_ENC=c_enc.o
+# or use
+#CAST_ENC=asm/cx86-elf.o
+#CAST_ENC=asm/cx86-out.o
+#CAST_ENC=asm/cx86-sol.o
+#CAST_ENC=asm/cx86bdsi.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=casttest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=c_skey.c c_ecb.c c_enc.c c_cfb64.c c_ofb64.c 
+LIBOBJ=c_skey.o c_ecb.o $(CAST_ENC) c_cfb64.o c_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= cast.h
+HEADER=	cast_s.h cast_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/cx86-elf.o: asm/cx86unix.cpp
+	$(CPP) -DELF -x c asm/cx86unix.cpp | as -o asm/cx86-elf.o
+
+# solaris
+asm/cx86-sol.o: asm/cx86unix.cpp
+	$(CC) -E -DSOL asm/cx86unix.cpp | sed 's/^#.*//' > asm/cx86-sol.s
+	as -o asm/cx86-sol.o asm/cx86-sol.s
+	rm -f asm/cx86-sol.s
+
+# a.out
+asm/cx86-out.o: asm/cx86unix.cpp
+	$(CPP) -DOUT asm/cx86unix.cpp | as -o asm/cx86-out.o
+
+# bsdi
+asm/cx86bsdi.o: asm/cx86unix.cpp
+	$(CPP) -DBSDI asm/cx86unix.cpp | sed 's/ :/:/' | as -o asm/cx86bsdi.o
+
+asm/cx86unix.cpp: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) cast-586.pl cpp $(PROCESSOR) >cx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/cx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+c_cfb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_cfb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_cfb64.o: cast_lcl.h
+c_ecb.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ecb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_ecb.o: ../../include/openssl/opensslv.h cast_lcl.h
+c_enc.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_enc.o: cast_lcl.h
+c_ofb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_ofb64.o: cast_lcl.h
+c_skey.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+c_skey.o: cast_lcl.h cast_s.h
diff --git a/crypto/openssl/crypto/cast/Makefile.uni b/crypto/openssl/crypto/cast/Makefile.uni
new file mode 100644
index 0000000..a587089
--- /dev/null
+++ b/crypto/openssl/crypto/cast/Makefile.uni
@@ -0,0 +1,124 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+# There are 3 possible performance options, experiment :-)
+#OPTS= -DBF_PTR
+#OPTS= -DBF_PTR2
+OPTS=
+
+DIR=    cast
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+CAST_ENC=c_enc.o
+# or use
+#CAST_ENC=asm/cx86-elf.o
+#CAST_ENC=asm/cx86-out.o
+#CAST_ENC=asm/cx86-sol.o
+#CAST_ENC=asm/cx86bdsi.o
+
+CFLAGS= $(OPTS) $(INCLUDES) $(CFLAG) -DFULL_TEST
+
+GENERAL=Makefile
+TEST=casttest
+APP1=cast_spd
+APP2=castopts
+APPS=$(APP1) $(APP2)
+
+LIB=libcast.a
+LIBSRC=c_skey.c c_ecb.c c_enc.c c_cfb64.c c_ofb64.c
+LIBOBJ=c_skey.o c_ecb.o $(CAST_ENC) c_cfb64.o c_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= cast.h
+HEADER= cast_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+# elf
+asm/cx86-elf.o: asm/cx86unix.cpp
+	$(CPP) -DELF asm/cx86unix.cpp | as -o asm/cx86-elf.o
+
+# solaris
+asm/cx86-sol.o: asm/cx86unix.cpp
+	$(CC) -E -DSOL asm/cx86unix.cpp | sed 's/^#.*//' > asm/cx86-sol.s
+	as -o asm/cx86-sol.o asm/cx86-sol.s
+	rm -f asm/cx86-sol.s
+
+# a.out
+asm/cx86-out.o: asm/cx86unix.cpp
+	$(CPP) -DOUT asm/cx86unix.cpp | as -o asm/cx86-out.o
+
+# bsdi
+asm/cx86bsdi.o: asm/cx86unix.cpp
+	$(CPP) -DBSDI asm/cx86unix.cpp | as -o asm/cx86bsdi.o
+
+asm/cx86unix.cpp:
+	(cd asm; perl cast-586.pl cpp >cx86unix.cpp)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APP1): $(APP1).c $(LIB)
+	$(CC) -o $(APP1) $(CFLAGS) $(APP1).c $(LIB)
+
+$(APP2): $(APP2).c $(LIB)
+	$(CC) -o $(APP2) $(CFLAGS) $(APP2).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+x86-elf:
+	$(MAKE) CAST_ENC="asm/cx86-elf.o" CFLAG="-DELF $(CFLAGS)" all
+
+x86-out:
+	$(MAKE) CAST_ENC="asm/cx86-out.o" CFLAG="-DOUT $(CFLAGS)" all
+
+x86-solaris:
+	$(MAKE) CAST_ENC="asm/cx86-sol.o" CFLAG="-DSOL $(CFLAGS)" all
+
+x86-bdsi:
+	$(MAKE) CAST_ENC="asm/cx86-bdsi.o" CFLAG="-DBDSI $(CFLAGS)" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/cast/asm/cast-586.pl b/crypto/openssl/crypto/cast/asm/cast-586.pl
new file mode 100644
index 0000000..6be0bfe
--- /dev/null
+++ b/crypto/openssl/crypto/cast/asm/cast-586.pl
@@ -0,0 +1,176 @@
+#!/usr/local/bin/perl
+
+# define for pentium pro friendly version
+$ppro=1;
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+
+&asm_init($ARGV[0],"cast-586.pl",$ARGV[$#ARGV] eq "386");
+
+$CAST_ROUNDS=16;
+$L="edi";
+$R="esi";
+$K="ebp";
+$tmp1="ecx";
+$tmp2="ebx";
+$tmp3="eax";
+$tmp4="edx";
+$S1="CAST_S_table0";
+$S2="CAST_S_table1";
+$S3="CAST_S_table2";
+$S4="CAST_S_table3";
+
+@F1=("add","xor","sub");
+@F2=("xor","sub","add");
+@F3=("sub","add","xor");
+
+&CAST_encrypt("CAST_encrypt",1);
+&CAST_encrypt("CAST_decrypt",0);
+&cbc("CAST_cbc_encrypt","CAST_encrypt","CAST_decrypt",1,4,5,3,-1,-1);
+
+&asm_finish();
+
+sub CAST_encrypt {
+    local($name,$enc)=@_;
+
+    local($win_ex)=<<"EOF";
+EXTERN	_CAST_S_table0:DWORD
+EXTERN	_CAST_S_table1:DWORD
+EXTERN	_CAST_S_table2:DWORD
+EXTERN	_CAST_S_table3:DWORD
+EOF
+    &main::external_label(
+			  "CAST_S_table0",
+			  "CAST_S_table1",
+			  "CAST_S_table2",
+			  "CAST_S_table3",
+			  );
+
+    &function_begin_B($name,$win_ex);
+
+    &comment("");
+
+    &push("ebp");
+    &push("ebx");
+    &mov($tmp2,&wparam(0));
+    &mov($K,&wparam(1));
+    &push("esi");
+    &push("edi");
+
+    &comment("Load the 2 words");
+    &mov($L,&DWP(0,$tmp2,"",0));
+    &mov($R,&DWP(4,$tmp2,"",0));
+
+    &comment('Get short key flag');
+    &mov($tmp3,&DWP(128,$K,"",0));
+    if($enc) {
+	&push($tmp3);
+    } else {
+	&or($tmp3,$tmp3);
+	&jnz(&label('cast_dec_skip'));
+    }
+
+    &xor($tmp3,	$tmp3);
+
+    # encrypting part
+
+    if ($enc) {
+	&E_CAST( 0,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 1,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 2,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 3,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 4,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 5,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 6,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 7,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 8,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 9,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(10,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(11,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&comment('test short key flag');
+	&pop($tmp4);
+	&or($tmp4,$tmp4);
+	&jnz(&label('cast_enc_done'));
+	&E_CAST(12,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(13,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(14,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(15,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+    } else {
+	&E_CAST(15,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(14,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(13,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(12,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&set_label('cast_dec_skip');
+	&E_CAST(11,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST(10,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 9,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 8,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 7,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 6,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 5,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 4,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 3,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 2,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 1,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
+	&E_CAST( 0,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
+    }
+
+    &set_label('cast_enc_done') if $enc;
+# Why the nop? - Ben 17/1/99
+    &nop();
+    &mov($tmp3,&wparam(0));
+    &mov(&DWP(4,$tmp3,"",0),$L);
+    &mov(&DWP(0,$tmp3,"",0),$R);
+    &function_end($name);
+}
+
+sub E_CAST {
+    local($i,$S,$L,$R,$K,$OP1,$OP2,$OP3,$tmp1,$tmp2,$tmp3,$tmp4)=@_;
+    # Ri needs to have 16 pre added.
+
+    &comment("round $i");
+    &mov(	$tmp4,		&DWP($i*8,$K,"",1));
+
+    &mov(	$tmp1,		&DWP($i*8+4,$K,"",1));
+    &$OP1(	$tmp4,		$R);
+
+    &rotl(	$tmp4,		&LB($tmp1));
+
+    if ($ppro) {
+	&mov(	$tmp2,		$tmp4);		# B
+	&xor(	$tmp1,		$tmp1);
+	
+	&movb(	&LB($tmp1),	&HB($tmp4));	# A
+	&and(	$tmp2,		0xff);
+
+	&shr(	$tmp4,		16); 		#
+	&xor(	$tmp3,		$tmp3);
+    } else {
+	&mov(	$tmp2,		$tmp4);		# B
+	&movb(	&LB($tmp1),	&HB($tmp4));	# A	# BAD BAD BAD
+	
+	&shr(	$tmp4,		16); 		#
+	&and(	$tmp2,		0xff);
+    }
+
+    &movb(	&LB($tmp3),	&HB($tmp4));	# C	# BAD BAD BAD
+    &and(	$tmp4,		0xff);		# D
+
+    &mov(	$tmp1,		&DWP($S1,"",$tmp1,4));
+    &mov(	$tmp2,		&DWP($S2,"",$tmp2,4));
+
+    &$OP2(	$tmp1,		$tmp2);
+    &mov(	$tmp2,		&DWP($S3,"",$tmp3,4));
+
+    &$OP3(	$tmp1,		$tmp2);
+    &mov(	$tmp2,		&DWP($S4,"",$tmp4,4));
+
+    &$OP1(	$tmp1,		$tmp2);
+    # XXX
+
+    &xor(	$L,		$tmp1);
+    # XXX
+}
+
diff --git a/crypto/openssl/crypto/cast/asm/readme b/crypto/openssl/crypto/cast/asm/readme
new file mode 100644
index 0000000..fbcd762
--- /dev/null
+++ b/crypto/openssl/crypto/cast/asm/readme
@@ -0,0 +1,7 @@
+There is a ppro flag in cast-586 which turns on/off
+generation of pentium pro/II friendly code
+
+This flag makes the inner loop one cycle longer, but generates 
+code that runs %30 faster on the pentium pro/II, while only %7 slower
+on the pentium.  By default, this flag is on.
+
diff --git a/crypto/openssl/crypto/cast/c_cfb64.c b/crypto/openssl/crypto/cast/c_cfb64.c
new file mode 100644
index 0000000..514c005
--- /dev/null
+++ b/crypto/openssl/crypto/cast/c_cfb64.c
@@ -0,0 +1,122 @@
+/* crypto/cast/c_cfb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/cast.h>
+#include "cast_lcl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+			long length, CAST_KEY *schedule, unsigned char *ivec,
+			int *num, int enc)
+	{
+	register CAST_LONG v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	CAST_LONG ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=ivec;
+	if (enc)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				CAST_encrypt((CAST_LONG *)ti,schedule);
+				iv=ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=ivec;
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				CAST_encrypt((CAST_LONG *)ti,schedule);
+				iv=ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=ivec;
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=t=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/cast/c_ecb.c b/crypto/openssl/crypto/cast/c_ecb.c
new file mode 100644
index 0000000..0b3da9a
--- /dev/null
+++ b/crypto/openssl/crypto/cast/c_ecb.c
@@ -0,0 +1,80 @@
+/* crypto/cast/c_ecb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/cast.h>
+#include "cast_lcl.h"
+#include <openssl/opensslv.h>
+
+const char *CAST_version="CAST" OPENSSL_VERSION_PTEXT;
+
+void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
+		      CAST_KEY *ks, int enc)
+	{
+	CAST_LONG l,d[2];
+
+	n2l(in,l); d[0]=l;
+	n2l(in,l); d[1]=l;
+	if (enc)
+		CAST_encrypt(d,ks);
+	else
+		CAST_decrypt(d,ks);
+	l=d[0]; l2n(l,out);
+	l=d[1]; l2n(l,out);
+	l=d[0]=d[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/cast/c_enc.c b/crypto/openssl/crypto/cast/c_enc.c
new file mode 100644
index 0000000..0fe2cff
--- /dev/null
+++ b/crypto/openssl/crypto/cast/c_enc.c
@@ -0,0 +1,207 @@
+/* crypto/cast/c_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/cast.h>
+#include "cast_lcl.h"
+
+void CAST_encrypt(CAST_LONG *data, CAST_KEY *key)
+	{
+	register CAST_LONG l,r,*k,t;
+
+	k= &(key->data[0]);
+	l=data[0];
+	r=data[1];
+
+	E_CAST( 0,k,l,r,+,^,-);
+	E_CAST( 1,k,r,l,^,-,+);
+	E_CAST( 2,k,l,r,-,+,^);
+	E_CAST( 3,k,r,l,+,^,-);
+	E_CAST( 4,k,l,r,^,-,+);
+	E_CAST( 5,k,r,l,-,+,^);
+	E_CAST( 6,k,l,r,+,^,-);
+	E_CAST( 7,k,r,l,^,-,+);
+	E_CAST( 8,k,l,r,-,+,^);
+	E_CAST( 9,k,r,l,+,^,-);
+	E_CAST(10,k,l,r,^,-,+);
+	E_CAST(11,k,r,l,-,+,^);
+	if(!key->short_key)
+	    {
+	    E_CAST(12,k,l,r,+,^,-);
+	    E_CAST(13,k,r,l,^,-,+);
+	    E_CAST(14,k,l,r,-,+,^);
+	    E_CAST(15,k,r,l,+,^,-);
+	    }
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+	}
+
+void CAST_decrypt(CAST_LONG *data, CAST_KEY *key)
+	{
+	register CAST_LONG l,r,*k,t;
+
+	k= &(key->data[0]);
+	l=data[0];
+	r=data[1];
+
+	if(!key->short_key)
+	    {
+	    E_CAST(15,k,l,r,+,^,-);
+	    E_CAST(14,k,r,l,-,+,^);
+	    E_CAST(13,k,l,r,^,-,+);
+	    E_CAST(12,k,r,l,+,^,-);
+	    }
+	E_CAST(11,k,l,r,-,+,^);
+	E_CAST(10,k,r,l,^,-,+);
+	E_CAST( 9,k,l,r,+,^,-);
+	E_CAST( 8,k,r,l,-,+,^);
+	E_CAST( 7,k,l,r,^,-,+);
+	E_CAST( 6,k,r,l,+,^,-);
+	E_CAST( 5,k,l,r,-,+,^);
+	E_CAST( 4,k,r,l,^,-,+);
+	E_CAST( 3,k,l,r,+,^,-);
+	E_CAST( 2,k,r,l,-,+,^);
+	E_CAST( 1,k,l,r,^,-,+);
+	E_CAST( 0,k,r,l,+,^,-);
+
+	data[1]=l&0xffffffffL;
+	data[0]=r&0xffffffffL;
+	}
+
+void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     CAST_KEY *ks, unsigned char *iv, int enc)
+	{
+	register CAST_LONG tin0,tin1;
+	register CAST_LONG tout0,tout1,xor0,xor1;
+	register long l=length;
+	CAST_LONG tin[2];
+
+	if (enc)
+		{
+		n2l(iv,tout0);
+		n2l(iv,tout1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			CAST_encrypt(tin,ks);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		if (l != -8)
+			{
+			n2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			CAST_encrypt(tin,ks);
+			tout0=tin[0];
+			tout1=tin[1];
+			l2n(tout0,out);
+			l2n(tout1,out);
+			}
+		l2n(tout0,iv);
+		l2n(tout1,iv);
+		}
+	else
+		{
+		n2l(iv,xor0);
+		n2l(iv,xor1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			CAST_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2n(tout0,out);
+			l2n(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin[0]=tin0;
+			tin[1]=tin1;
+			CAST_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2nn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2n(xor0,iv);
+		l2n(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/cast/c_ofb64.c b/crypto/openssl/crypto/cast/c_ofb64.c
new file mode 100644
index 0000000..fd0469a
--- /dev/null
+++ b/crypto/openssl/crypto/cast/c_ofb64.c
@@ -0,0 +1,111 @@
+/* crypto/cast/c_ofb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/cast.h>
+#include "cast_lcl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+			long length, CAST_KEY *schedule, unsigned char *ivec,
+			int *num)
+	{
+	register CAST_LONG v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned char d[8];
+	register char *dp;
+	CAST_LONG ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv=ivec;
+	n2l(iv,v0);
+	n2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2n(v0,dp);
+	l2n(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			CAST_encrypt((CAST_LONG *)ti,schedule);
+			dp=(char *)d;
+			t=ti[0]; l2n(t,dp);
+			t=ti[1]; l2n(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv=ivec;
+		l2n(v0,iv);
+		l2n(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/cast/c_skey.c b/crypto/openssl/crypto/cast/c_skey.c
new file mode 100644
index 0000000..acf2c3e
--- /dev/null
+++ b/crypto/openssl/crypto/cast/c_skey.c
@@ -0,0 +1,166 @@
+/* crypto/cast/c_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/cast.h>
+#include "cast_lcl.h"
+#include "cast_s.h"
+
+#define CAST_exp(l,A,a,n) \
+	A[n/4]=l; \
+	a[n+3]=(l    )&0xff; \
+	a[n+2]=(l>> 8)&0xff; \
+	a[n+1]=(l>>16)&0xff; \
+	a[n+0]=(l>>24)&0xff;
+
+#define S4 CAST_S_table4
+#define S5 CAST_S_table5
+#define S6 CAST_S_table6
+#define S7 CAST_S_table7
+
+void CAST_set_key(CAST_KEY *key, int len, unsigned char *data)
+	{
+	CAST_LONG x[16];
+	CAST_LONG z[16];
+	CAST_LONG k[32];
+	CAST_LONG X[4],Z[4];
+	CAST_LONG l,*K;
+	int i;
+
+	for (i=0; i<16; i++) x[i]=0;
+	if (len > 16) len=16;
+	for (i=0; i<len; i++)
+		x[i]=data[i];
+	if(len <= 10)
+	    key->short_key=1;
+	else
+	    key->short_key=0;
+
+	K= &k[0];
+	X[0]=((x[ 0]<<24)|(x[ 1]<<16)|(x[ 2]<<8)|x[ 3])&0xffffffffL;
+	X[1]=((x[ 4]<<24)|(x[ 5]<<16)|(x[ 6]<<8)|x[ 7])&0xffffffffL;
+	X[2]=((x[ 8]<<24)|(x[ 9]<<16)|(x[10]<<8)|x[11])&0xffffffffL;
+	X[3]=((x[12]<<24)|(x[13]<<16)|(x[14]<<8)|x[15])&0xffffffffL;
+
+	for (;;)
+		{
+	l=X[0]^S4[x[13]]^S5[x[15]]^S6[x[12]]^S7[x[14]]^S6[x[ 8]];
+	CAST_exp(l,Z,z, 0);
+	l=X[2]^S4[z[ 0]]^S5[z[ 2]]^S6[z[ 1]]^S7[z[ 3]]^S7[x[10]];
+	CAST_exp(l,Z,z, 4);
+	l=X[3]^S4[z[ 7]]^S5[z[ 6]]^S6[z[ 5]]^S7[z[ 4]]^S4[x[ 9]];
+	CAST_exp(l,Z,z, 8);
+	l=X[1]^S4[z[10]]^S5[z[ 9]]^S6[z[11]]^S7[z[ 8]]^S5[x[11]];
+	CAST_exp(l,Z,z,12);
+
+	K[ 0]= S4[z[ 8]]^S5[z[ 9]]^S6[z[ 7]]^S7[z[ 6]]^S4[z[ 2]];
+	K[ 1]= S4[z[10]]^S5[z[11]]^S6[z[ 5]]^S7[z[ 4]]^S5[z[ 6]];
+	K[ 2]= S4[z[12]]^S5[z[13]]^S6[z[ 3]]^S7[z[ 2]]^S6[z[ 9]];
+	K[ 3]= S4[z[14]]^S5[z[15]]^S6[z[ 1]]^S7[z[ 0]]^S7[z[12]];
+
+	l=Z[2]^S4[z[ 5]]^S5[z[ 7]]^S6[z[ 4]]^S7[z[ 6]]^S6[z[ 0]];
+	CAST_exp(l,X,x, 0);
+	l=Z[0]^S4[x[ 0]]^S5[x[ 2]]^S6[x[ 1]]^S7[x[ 3]]^S7[z[ 2]];
+	CAST_exp(l,X,x, 4);
+	l=Z[1]^S4[x[ 7]]^S5[x[ 6]]^S6[x[ 5]]^S7[x[ 4]]^S4[z[ 1]];
+	CAST_exp(l,X,x, 8);
+	l=Z[3]^S4[x[10]]^S5[x[ 9]]^S6[x[11]]^S7[x[ 8]]^S5[z[ 3]];
+	CAST_exp(l,X,x,12);
+
+	K[ 4]= S4[x[ 3]]^S5[x[ 2]]^S6[x[12]]^S7[x[13]]^S4[x[ 8]];
+	K[ 5]= S4[x[ 1]]^S5[x[ 0]]^S6[x[14]]^S7[x[15]]^S5[x[13]];
+	K[ 6]= S4[x[ 7]]^S5[x[ 6]]^S6[x[ 8]]^S7[x[ 9]]^S6[x[ 3]];
+	K[ 7]= S4[x[ 5]]^S5[x[ 4]]^S6[x[10]]^S7[x[11]]^S7[x[ 7]];
+
+	l=X[0]^S4[x[13]]^S5[x[15]]^S6[x[12]]^S7[x[14]]^S6[x[ 8]];
+	CAST_exp(l,Z,z, 0);
+	l=X[2]^S4[z[ 0]]^S5[z[ 2]]^S6[z[ 1]]^S7[z[ 3]]^S7[x[10]];
+	CAST_exp(l,Z,z, 4);
+	l=X[3]^S4[z[ 7]]^S5[z[ 6]]^S6[z[ 5]]^S7[z[ 4]]^S4[x[ 9]];
+	CAST_exp(l,Z,z, 8);
+	l=X[1]^S4[z[10]]^S5[z[ 9]]^S6[z[11]]^S7[z[ 8]]^S5[x[11]];
+	CAST_exp(l,Z,z,12);
+
+	K[ 8]= S4[z[ 3]]^S5[z[ 2]]^S6[z[12]]^S7[z[13]]^S4[z[ 9]];
+	K[ 9]= S4[z[ 1]]^S5[z[ 0]]^S6[z[14]]^S7[z[15]]^S5[z[12]];
+	K[10]= S4[z[ 7]]^S5[z[ 6]]^S6[z[ 8]]^S7[z[ 9]]^S6[z[ 2]];
+	K[11]= S4[z[ 5]]^S5[z[ 4]]^S6[z[10]]^S7[z[11]]^S7[z[ 6]];
+
+	l=Z[2]^S4[z[ 5]]^S5[z[ 7]]^S6[z[ 4]]^S7[z[ 6]]^S6[z[ 0]];
+	CAST_exp(l,X,x, 0);
+	l=Z[0]^S4[x[ 0]]^S5[x[ 2]]^S6[x[ 1]]^S7[x[ 3]]^S7[z[ 2]];
+	CAST_exp(l,X,x, 4);
+	l=Z[1]^S4[x[ 7]]^S5[x[ 6]]^S6[x[ 5]]^S7[x[ 4]]^S4[z[ 1]];
+	CAST_exp(l,X,x, 8);
+	l=Z[3]^S4[x[10]]^S5[x[ 9]]^S6[x[11]]^S7[x[ 8]]^S5[z[ 3]];
+	CAST_exp(l,X,x,12);
+
+	K[12]= S4[x[ 8]]^S5[x[ 9]]^S6[x[ 7]]^S7[x[ 6]]^S4[x[ 3]];
+	K[13]= S4[x[10]]^S5[x[11]]^S6[x[ 5]]^S7[x[ 4]]^S5[x[ 7]];
+	K[14]= S4[x[12]]^S5[x[13]]^S6[x[ 3]]^S7[x[ 2]]^S6[x[ 8]];
+	K[15]= S4[x[14]]^S5[x[15]]^S6[x[ 1]]^S7[x[ 0]]^S7[x[13]];
+	if (K != k)  break;
+	K+=16;
+		}
+
+	for (i=0; i<16; i++)
+		{
+		key->data[i*2]=k[i];
+		key->data[i*2+1]=((k[i+16])+16)&0x1f;
+		}
+	}
+
diff --git a/crypto/openssl/crypto/cast/cast.h b/crypto/openssl/crypto/cast/cast.h
new file mode 100644
index 0000000..6cc5e8a
--- /dev/null
+++ b/crypto/openssl/crypto/cast/cast.h
@@ -0,0 +1,103 @@
+/* crypto/cast/cast.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CAST_H
+#define HEADER_CAST_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_CAST
+#error CAST is disabled.
+#endif
+
+#define CAST_ENCRYPT	1
+#define CAST_DECRYPT	0
+
+#define CAST_LONG unsigned long
+
+#define CAST_BLOCK	8
+#define CAST_KEY_LENGTH	16
+
+typedef struct cast_key_st
+	{
+	CAST_LONG data[32];
+	int short_key;	/* Use reduced rounds for short key */
+	} CAST_KEY;
+
+ 
+void CAST_set_key(CAST_KEY *key, int len, unsigned char *data);
+void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
+		      int enc);
+void CAST_encrypt(CAST_LONG *data,CAST_KEY *key);
+void CAST_decrypt(CAST_LONG *data,CAST_KEY *key);
+void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+		      CAST_KEY *ks, unsigned char *iv, int enc);
+void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+			long length, CAST_KEY *schedule, unsigned char *ivec,
+			int *num, int enc);
+void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out, 
+			long length, CAST_KEY *schedule, unsigned char *ivec,
+			int *num);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/cast/cast_lcl.h b/crypto/openssl/crypto/cast/cast_lcl.h
new file mode 100644
index 0000000..5fab8a4
--- /dev/null
+++ b/crypto/openssl/crypto/cast/cast_lcl.h
@@ -0,0 +1,226 @@
+/* crypto/cast/cast_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifdef WIN32
+#include <stdlib.h>
+#endif
+
+
+#include "openssl/e_os.h" /* OPENSSL_EXTERN */
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+#if defined(WIN32) && defined(_MSC_VER)
+#define ROTL(a,n)     (_lrotl(a,n))
+#else
+#define ROTL(a,n)     ((((a)<<(n))&0xffffffffL)|((a)>>(32-(n))))
+#endif
+
+#define C_M    0x3fc
+#define C_0    22L
+#define C_1    14L
+#define C_2     6L
+#define C_3     2L /* left shift */
+
+/* The rotate has an extra 16 added to it to help the x86 asm */
+#if defined(CAST_PTR)
+#define E_CAST(n,key,L,R,OP1,OP2,OP3) \
+	{ \
+	int i; \
+	t=(key[n*2] OP1 R)&0xffffffffL; \
+	i=key[n*2+1]; \
+	t=ROTL(t,i); \
+	L^= (((((*(CAST_LONG *)((unsigned char *) \
+			CAST_S_table0+((t>>C_2)&C_M)) OP2 \
+		*(CAST_LONG *)((unsigned char *) \
+			CAST_S_table1+((t<<C_3)&C_M)))&0xffffffffL) OP3 \
+		*(CAST_LONG *)((unsigned char *) \
+			CAST_S_table2+((t>>C_0)&C_M)))&0xffffffffL) OP1 \
+		*(CAST_LONG *)((unsigned char *) \
+			CAST_S_table3+((t>>C_1)&C_M)))&0xffffffffL; \
+	}
+#elif defined(CAST_PTR2)
+#define E_CAST(n,key,L,R,OP1,OP2,OP3) \
+	{ \
+	int i; \
+	CAST_LONG u,v,w; \
+	w=(key[n*2] OP1 R)&0xffffffffL; \
+	i=key[n*2+1]; \
+	w=ROTL(w,i); \
+	u=w>>C_2; \
+	v=w<<C_3; \
+	u&=C_M; \
+	v&=C_M; \
+	t= *(CAST_LONG *)((unsigned char *)CAST_S_table0+u); \
+	u=w>>C_0; \
+	t=(t OP2 *(CAST_LONG *)((unsigned char *)CAST_S_table1+v))&0xffffffffL;\
+	v=w>>C_1; \
+	u&=C_M; \
+	v&=C_M; \
+	t=(t OP3 *(CAST_LONG *)((unsigned char *)CAST_S_table2+u)&0xffffffffL);\
+	t=(t OP1 *(CAST_LONG *)((unsigned char *)CAST_S_table3+v)&0xffffffffL);\
+	L^=(t&0xffffffff); \
+	}
+#else
+#define E_CAST(n,key,L,R,OP1,OP2,OP3) \
+	{ \
+	CAST_LONG a,b,c,d; \
+	t=(key[n*2] OP1 R)&0xffffffff; \
+	t=ROTL(t,(key[n*2+1])); \
+	a=CAST_S_table0[(t>> 8)&0xff]; \
+	b=CAST_S_table1[(t    )&0xff]; \
+	c=CAST_S_table2[(t>>24)&0xff]; \
+	d=CAST_S_table3[(t>>16)&0xff]; \
+	L^=(((((a OP2 b)&0xffffffffL) OP3 c)&0xffffffffL) OP1 d)&0xffffffffL; \
+	}
+#endif
+
+OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256];
diff --git a/crypto/openssl/crypto/cast/cast_s.h b/crypto/openssl/crypto/cast/cast_s.h
new file mode 100644
index 0000000..c483fd5
--- /dev/null
+++ b/crypto/openssl/crypto/cast/cast_s.h
@@ -0,0 +1,585 @@
+/* crypto/cast/cast_s.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table0[256]={
+	0x30fb40d4,0x9fa0ff0b,0x6beccd2f,0x3f258c7a,
+	0x1e213f2f,0x9c004dd3,0x6003e540,0xcf9fc949,
+	0xbfd4af27,0x88bbbdb5,0xe2034090,0x98d09675,
+	0x6e63a0e0,0x15c361d2,0xc2e7661d,0x22d4ff8e,
+	0x28683b6f,0xc07fd059,0xff2379c8,0x775f50e2,
+	0x43c340d3,0xdf2f8656,0x887ca41a,0xa2d2bd2d,
+	0xa1c9e0d6,0x346c4819,0x61b76d87,0x22540f2f,
+	0x2abe32e1,0xaa54166b,0x22568e3a,0xa2d341d0,
+	0x66db40c8,0xa784392f,0x004dff2f,0x2db9d2de,
+	0x97943fac,0x4a97c1d8,0x527644b7,0xb5f437a7,
+	0xb82cbaef,0xd751d159,0x6ff7f0ed,0x5a097a1f,
+	0x827b68d0,0x90ecf52e,0x22b0c054,0xbc8e5935,
+	0x4b6d2f7f,0x50bb64a2,0xd2664910,0xbee5812d,
+	0xb7332290,0xe93b159f,0xb48ee411,0x4bff345d,
+	0xfd45c240,0xad31973f,0xc4f6d02e,0x55fc8165,
+	0xd5b1caad,0xa1ac2dae,0xa2d4b76d,0xc19b0c50,
+	0x882240f2,0x0c6e4f38,0xa4e4bfd7,0x4f5ba272,
+	0x564c1d2f,0xc59c5319,0xb949e354,0xb04669fe,
+	0xb1b6ab8a,0xc71358dd,0x6385c545,0x110f935d,
+	0x57538ad5,0x6a390493,0xe63d37e0,0x2a54f6b3,
+	0x3a787d5f,0x6276a0b5,0x19a6fcdf,0x7a42206a,
+	0x29f9d4d5,0xf61b1891,0xbb72275e,0xaa508167,
+	0x38901091,0xc6b505eb,0x84c7cb8c,0x2ad75a0f,
+	0x874a1427,0xa2d1936b,0x2ad286af,0xaa56d291,
+	0xd7894360,0x425c750d,0x93b39e26,0x187184c9,
+	0x6c00b32d,0x73e2bb14,0xa0bebc3c,0x54623779,
+	0x64459eab,0x3f328b82,0x7718cf82,0x59a2cea6,
+	0x04ee002e,0x89fe78e6,0x3fab0950,0x325ff6c2,
+	0x81383f05,0x6963c5c8,0x76cb5ad6,0xd49974c9,
+	0xca180dcf,0x380782d5,0xc7fa5cf6,0x8ac31511,
+	0x35e79e13,0x47da91d0,0xf40f9086,0xa7e2419e,
+	0x31366241,0x051ef495,0xaa573b04,0x4a805d8d,
+	0x548300d0,0x00322a3c,0xbf64cddf,0xba57a68e,
+	0x75c6372b,0x50afd341,0xa7c13275,0x915a0bf5,
+	0x6b54bfab,0x2b0b1426,0xab4cc9d7,0x449ccd82,
+	0xf7fbf265,0xab85c5f3,0x1b55db94,0xaad4e324,
+	0xcfa4bd3f,0x2deaa3e2,0x9e204d02,0xc8bd25ac,
+	0xeadf55b3,0xd5bd9e98,0xe31231b2,0x2ad5ad6c,
+	0x954329de,0xadbe4528,0xd8710f69,0xaa51c90f,
+	0xaa786bf6,0x22513f1e,0xaa51a79b,0x2ad344cc,
+	0x7b5a41f0,0xd37cfbad,0x1b069505,0x41ece491,
+	0xb4c332e6,0x032268d4,0xc9600acc,0xce387e6d,
+	0xbf6bb16c,0x6a70fb78,0x0d03d9c9,0xd4df39de,
+	0xe01063da,0x4736f464,0x5ad328d8,0xb347cc96,
+	0x75bb0fc3,0x98511bfb,0x4ffbcc35,0xb58bcf6a,
+	0xe11f0abc,0xbfc5fe4a,0xa70aec10,0xac39570a,
+	0x3f04442f,0x6188b153,0xe0397a2e,0x5727cb79,
+	0x9ceb418f,0x1cacd68d,0x2ad37c96,0x0175cb9d,
+	0xc69dff09,0xc75b65f0,0xd9db40d8,0xec0e7779,
+	0x4744ead4,0xb11c3274,0xdd24cb9e,0x7e1c54bd,
+	0xf01144f9,0xd2240eb1,0x9675b3fd,0xa3ac3755,
+	0xd47c27af,0x51c85f4d,0x56907596,0xa5bb15e6,
+	0x580304f0,0xca042cf1,0x011a37ea,0x8dbfaadb,
+	0x35ba3e4a,0x3526ffa0,0xc37b4d09,0xbc306ed9,
+	0x98a52666,0x5648f725,0xff5e569d,0x0ced63d0,
+	0x7c63b2cf,0x700b45e1,0xd5ea50f1,0x85a92872,
+	0xaf1fbda7,0xd4234870,0xa7870bf3,0x2d3b4d79,
+	0x42e04198,0x0cd0ede7,0x26470db8,0xf881814c,
+	0x474d6ad7,0x7c0c5e5c,0xd1231959,0x381b7298,
+	0xf5d2f4db,0xab838653,0x6e2f1e23,0x83719c9e,
+	0xbd91e046,0x9a56456e,0xdc39200c,0x20c8c571,
+	0x962bda1c,0xe1e696ff,0xb141ab08,0x7cca89b9,
+	0x1a69e783,0x02cc4843,0xa2f7c579,0x429ef47d,
+	0x427b169c,0x5ac9f049,0xdd8f0f00,0x5c8165bf,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table1[256]={
+	0x1f201094,0xef0ba75b,0x69e3cf7e,0x393f4380,
+	0xfe61cf7a,0xeec5207a,0x55889c94,0x72fc0651,
+	0xada7ef79,0x4e1d7235,0xd55a63ce,0xde0436ba,
+	0x99c430ef,0x5f0c0794,0x18dcdb7d,0xa1d6eff3,
+	0xa0b52f7b,0x59e83605,0xee15b094,0xe9ffd909,
+	0xdc440086,0xef944459,0xba83ccb3,0xe0c3cdfb,
+	0xd1da4181,0x3b092ab1,0xf997f1c1,0xa5e6cf7b,
+	0x01420ddb,0xe4e7ef5b,0x25a1ff41,0xe180f806,
+	0x1fc41080,0x179bee7a,0xd37ac6a9,0xfe5830a4,
+	0x98de8b7f,0x77e83f4e,0x79929269,0x24fa9f7b,
+	0xe113c85b,0xacc40083,0xd7503525,0xf7ea615f,
+	0x62143154,0x0d554b63,0x5d681121,0xc866c359,
+	0x3d63cf73,0xcee234c0,0xd4d87e87,0x5c672b21,
+	0x071f6181,0x39f7627f,0x361e3084,0xe4eb573b,
+	0x602f64a4,0xd63acd9c,0x1bbc4635,0x9e81032d,
+	0x2701f50c,0x99847ab4,0xa0e3df79,0xba6cf38c,
+	0x10843094,0x2537a95e,0xf46f6ffe,0xa1ff3b1f,
+	0x208cfb6a,0x8f458c74,0xd9e0a227,0x4ec73a34,
+	0xfc884f69,0x3e4de8df,0xef0e0088,0x3559648d,
+	0x8a45388c,0x1d804366,0x721d9bfd,0xa58684bb,
+	0xe8256333,0x844e8212,0x128d8098,0xfed33fb4,
+	0xce280ae1,0x27e19ba5,0xd5a6c252,0xe49754bd,
+	0xc5d655dd,0xeb667064,0x77840b4d,0xa1b6a801,
+	0x84db26a9,0xe0b56714,0x21f043b7,0xe5d05860,
+	0x54f03084,0x066ff472,0xa31aa153,0xdadc4755,
+	0xb5625dbf,0x68561be6,0x83ca6b94,0x2d6ed23b,
+	0xeccf01db,0xa6d3d0ba,0xb6803d5c,0xaf77a709,
+	0x33b4a34c,0x397bc8d6,0x5ee22b95,0x5f0e5304,
+	0x81ed6f61,0x20e74364,0xb45e1378,0xde18639b,
+	0x881ca122,0xb96726d1,0x8049a7e8,0x22b7da7b,
+	0x5e552d25,0x5272d237,0x79d2951c,0xc60d894c,
+	0x488cb402,0x1ba4fe5b,0xa4b09f6b,0x1ca815cf,
+	0xa20c3005,0x8871df63,0xb9de2fcb,0x0cc6c9e9,
+	0x0beeff53,0xe3214517,0xb4542835,0x9f63293c,
+	0xee41e729,0x6e1d2d7c,0x50045286,0x1e6685f3,
+	0xf33401c6,0x30a22c95,0x31a70850,0x60930f13,
+	0x73f98417,0xa1269859,0xec645c44,0x52c877a9,
+	0xcdff33a6,0xa02b1741,0x7cbad9a2,0x2180036f,
+	0x50d99c08,0xcb3f4861,0xc26bd765,0x64a3f6ab,
+	0x80342676,0x25a75e7b,0xe4e6d1fc,0x20c710e6,
+	0xcdf0b680,0x17844d3b,0x31eef84d,0x7e0824e4,
+	0x2ccb49eb,0x846a3bae,0x8ff77888,0xee5d60f6,
+	0x7af75673,0x2fdd5cdb,0xa11631c1,0x30f66f43,
+	0xb3faec54,0x157fd7fa,0xef8579cc,0xd152de58,
+	0xdb2ffd5e,0x8f32ce19,0x306af97a,0x02f03ef8,
+	0x99319ad5,0xc242fa0f,0xa7e3ebb0,0xc68e4906,
+	0xb8da230c,0x80823028,0xdcdef3c8,0xd35fb171,
+	0x088a1bc8,0xbec0c560,0x61a3c9e8,0xbca8f54d,
+	0xc72feffa,0x22822e99,0x82c570b4,0xd8d94e89,
+	0x8b1c34bc,0x301e16e6,0x273be979,0xb0ffeaa6,
+	0x61d9b8c6,0x00b24869,0xb7ffce3f,0x08dc283b,
+	0x43daf65a,0xf7e19798,0x7619b72f,0x8f1c9ba4,
+	0xdc8637a0,0x16a7d3b1,0x9fc393b7,0xa7136eeb,
+	0xc6bcc63e,0x1a513742,0xef6828bc,0x520365d6,
+	0x2d6a77ab,0x3527ed4b,0x821fd216,0x095c6e2e,
+	0xdb92f2fb,0x5eea29cb,0x145892f5,0x91584f7f,
+	0x5483697b,0x2667a8cc,0x85196048,0x8c4bacea,
+	0x833860d4,0x0d23e0f9,0x6c387e8a,0x0ae6d249,
+	0xb284600c,0xd835731d,0xdcb1c647,0xac4c56ea,
+	0x3ebd81b3,0x230eabb0,0x6438bc87,0xf0b5b1fa,
+	0x8f5ea2b3,0xfc184642,0x0a036b7a,0x4fb089bd,
+	0x649da589,0xa345415e,0x5c038323,0x3e5d3bb9,
+	0x43d79572,0x7e6dd07c,0x06dfdf1e,0x6c6cc4ef,
+	0x7160a539,0x73bfbe70,0x83877605,0x4523ecf1,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table2[256]={
+	0x8defc240,0x25fa5d9f,0xeb903dbf,0xe810c907,
+	0x47607fff,0x369fe44b,0x8c1fc644,0xaececa90,
+	0xbeb1f9bf,0xeefbcaea,0xe8cf1950,0x51df07ae,
+	0x920e8806,0xf0ad0548,0xe13c8d83,0x927010d5,
+	0x11107d9f,0x07647db9,0xb2e3e4d4,0x3d4f285e,
+	0xb9afa820,0xfade82e0,0xa067268b,0x8272792e,
+	0x553fb2c0,0x489ae22b,0xd4ef9794,0x125e3fbc,
+	0x21fffcee,0x825b1bfd,0x9255c5ed,0x1257a240,
+	0x4e1a8302,0xbae07fff,0x528246e7,0x8e57140e,
+	0x3373f7bf,0x8c9f8188,0xa6fc4ee8,0xc982b5a5,
+	0xa8c01db7,0x579fc264,0x67094f31,0xf2bd3f5f,
+	0x40fff7c1,0x1fb78dfc,0x8e6bd2c1,0x437be59b,
+	0x99b03dbf,0xb5dbc64b,0x638dc0e6,0x55819d99,
+	0xa197c81c,0x4a012d6e,0xc5884a28,0xccc36f71,
+	0xb843c213,0x6c0743f1,0x8309893c,0x0feddd5f,
+	0x2f7fe850,0xd7c07f7e,0x02507fbf,0x5afb9a04,
+	0xa747d2d0,0x1651192e,0xaf70bf3e,0x58c31380,
+	0x5f98302e,0x727cc3c4,0x0a0fb402,0x0f7fef82,
+	0x8c96fdad,0x5d2c2aae,0x8ee99a49,0x50da88b8,
+	0x8427f4a0,0x1eac5790,0x796fb449,0x8252dc15,
+	0xefbd7d9b,0xa672597d,0xada840d8,0x45f54504,
+	0xfa5d7403,0xe83ec305,0x4f91751a,0x925669c2,
+	0x23efe941,0xa903f12e,0x60270df2,0x0276e4b6,
+	0x94fd6574,0x927985b2,0x8276dbcb,0x02778176,
+	0xf8af918d,0x4e48f79e,0x8f616ddf,0xe29d840e,
+	0x842f7d83,0x340ce5c8,0x96bbb682,0x93b4b148,
+	0xef303cab,0x984faf28,0x779faf9b,0x92dc560d,
+	0x224d1e20,0x8437aa88,0x7d29dc96,0x2756d3dc,
+	0x8b907cee,0xb51fd240,0xe7c07ce3,0xe566b4a1,
+	0xc3e9615e,0x3cf8209d,0x6094d1e3,0xcd9ca341,
+	0x5c76460e,0x00ea983b,0xd4d67881,0xfd47572c,
+	0xf76cedd9,0xbda8229c,0x127dadaa,0x438a074e,
+	0x1f97c090,0x081bdb8a,0x93a07ebe,0xb938ca15,
+	0x97b03cff,0x3dc2c0f8,0x8d1ab2ec,0x64380e51,
+	0x68cc7bfb,0xd90f2788,0x12490181,0x5de5ffd4,
+	0xdd7ef86a,0x76a2e214,0xb9a40368,0x925d958f,
+	0x4b39fffa,0xba39aee9,0xa4ffd30b,0xfaf7933b,
+	0x6d498623,0x193cbcfa,0x27627545,0x825cf47a,
+	0x61bd8ba0,0xd11e42d1,0xcead04f4,0x127ea392,
+	0x10428db7,0x8272a972,0x9270c4a8,0x127de50b,
+	0x285ba1c8,0x3c62f44f,0x35c0eaa5,0xe805d231,
+	0x428929fb,0xb4fcdf82,0x4fb66a53,0x0e7dc15b,
+	0x1f081fab,0x108618ae,0xfcfd086d,0xf9ff2889,
+	0x694bcc11,0x236a5cae,0x12deca4d,0x2c3f8cc5,
+	0xd2d02dfe,0xf8ef5896,0xe4cf52da,0x95155b67,
+	0x494a488c,0xb9b6a80c,0x5c8f82bc,0x89d36b45,
+	0x3a609437,0xec00c9a9,0x44715253,0x0a874b49,
+	0xd773bc40,0x7c34671c,0x02717ef6,0x4feb5536,
+	0xa2d02fff,0xd2bf60c4,0xd43f03c0,0x50b4ef6d,
+	0x07478cd1,0x006e1888,0xa2e53f55,0xb9e6d4bc,
+	0xa2048016,0x97573833,0xd7207d67,0xde0f8f3d,
+	0x72f87b33,0xabcc4f33,0x7688c55d,0x7b00a6b0,
+	0x947b0001,0x570075d2,0xf9bb88f8,0x8942019e,
+	0x4264a5ff,0x856302e0,0x72dbd92b,0xee971b69,
+	0x6ea22fde,0x5f08ae2b,0xaf7a616d,0xe5c98767,
+	0xcf1febd2,0x61efc8c2,0xf1ac2571,0xcc8239c2,
+	0x67214cb8,0xb1e583d1,0xb7dc3e62,0x7f10bdce,
+	0xf90a5c38,0x0ff0443d,0x606e6dc6,0x60543a49,
+	0x5727c148,0x2be98a1d,0x8ab41738,0x20e1be24,
+	0xaf96da0f,0x68458425,0x99833be5,0x600d457d,
+	0x282f9350,0x8334b362,0xd91d1120,0x2b6d8da0,
+	0x642b1e31,0x9c305a00,0x52bce688,0x1b03588a,
+	0xf7baefd5,0x4142ed9c,0xa4315c11,0x83323ec5,
+	0xdfef4636,0xa133c501,0xe9d3531c,0xee353783,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table3[256]={
+	0x9db30420,0x1fb6e9de,0xa7be7bef,0xd273a298,
+	0x4a4f7bdb,0x64ad8c57,0x85510443,0xfa020ed1,
+	0x7e287aff,0xe60fb663,0x095f35a1,0x79ebf120,
+	0xfd059d43,0x6497b7b1,0xf3641f63,0x241e4adf,
+	0x28147f5f,0x4fa2b8cd,0xc9430040,0x0cc32220,
+	0xfdd30b30,0xc0a5374f,0x1d2d00d9,0x24147b15,
+	0xee4d111a,0x0fca5167,0x71ff904c,0x2d195ffe,
+	0x1a05645f,0x0c13fefe,0x081b08ca,0x05170121,
+	0x80530100,0xe83e5efe,0xac9af4f8,0x7fe72701,
+	0xd2b8ee5f,0x06df4261,0xbb9e9b8a,0x7293ea25,
+	0xce84ffdf,0xf5718801,0x3dd64b04,0xa26f263b,
+	0x7ed48400,0x547eebe6,0x446d4ca0,0x6cf3d6f5,
+	0x2649abdf,0xaea0c7f5,0x36338cc1,0x503f7e93,
+	0xd3772061,0x11b638e1,0x72500e03,0xf80eb2bb,
+	0xabe0502e,0xec8d77de,0x57971e81,0xe14f6746,
+	0xc9335400,0x6920318f,0x081dbb99,0xffc304a5,
+	0x4d351805,0x7f3d5ce3,0xa6c866c6,0x5d5bcca9,
+	0xdaec6fea,0x9f926f91,0x9f46222f,0x3991467d,
+	0xa5bf6d8e,0x1143c44f,0x43958302,0xd0214eeb,
+	0x022083b8,0x3fb6180c,0x18f8931e,0x281658e6,
+	0x26486e3e,0x8bd78a70,0x7477e4c1,0xb506e07c,
+	0xf32d0a25,0x79098b02,0xe4eabb81,0x28123b23,
+	0x69dead38,0x1574ca16,0xdf871b62,0x211c40b7,
+	0xa51a9ef9,0x0014377b,0x041e8ac8,0x09114003,
+	0xbd59e4d2,0xe3d156d5,0x4fe876d5,0x2f91a340,
+	0x557be8de,0x00eae4a7,0x0ce5c2ec,0x4db4bba6,
+	0xe756bdff,0xdd3369ac,0xec17b035,0x06572327,
+	0x99afc8b0,0x56c8c391,0x6b65811c,0x5e146119,
+	0x6e85cb75,0xbe07c002,0xc2325577,0x893ff4ec,
+	0x5bbfc92d,0xd0ec3b25,0xb7801ab7,0x8d6d3b24,
+	0x20c763ef,0xc366a5fc,0x9c382880,0x0ace3205,
+	0xaac9548a,0xeca1d7c7,0x041afa32,0x1d16625a,
+	0x6701902c,0x9b757a54,0x31d477f7,0x9126b031,
+	0x36cc6fdb,0xc70b8b46,0xd9e66a48,0x56e55a79,
+	0x026a4ceb,0x52437eff,0x2f8f76b4,0x0df980a5,
+	0x8674cde3,0xedda04eb,0x17a9be04,0x2c18f4df,
+	0xb7747f9d,0xab2af7b4,0xefc34d20,0x2e096b7c,
+	0x1741a254,0xe5b6a035,0x213d42f6,0x2c1c7c26,
+	0x61c2f50f,0x6552daf9,0xd2c231f8,0x25130f69,
+	0xd8167fa2,0x0418f2c8,0x001a96a6,0x0d1526ab,
+	0x63315c21,0x5e0a72ec,0x49bafefd,0x187908d9,
+	0x8d0dbd86,0x311170a7,0x3e9b640c,0xcc3e10d7,
+	0xd5cad3b6,0x0caec388,0xf73001e1,0x6c728aff,
+	0x71eae2a1,0x1f9af36e,0xcfcbd12f,0xc1de8417,
+	0xac07be6b,0xcb44a1d8,0x8b9b0f56,0x013988c3,
+	0xb1c52fca,0xb4be31cd,0xd8782806,0x12a3a4e2,
+	0x6f7de532,0x58fd7eb6,0xd01ee900,0x24adffc2,
+	0xf4990fc5,0x9711aac5,0x001d7b95,0x82e5e7d2,
+	0x109873f6,0x00613096,0xc32d9521,0xada121ff,
+	0x29908415,0x7fbb977f,0xaf9eb3db,0x29c9ed2a,
+	0x5ce2a465,0xa730f32c,0xd0aa3fe8,0x8a5cc091,
+	0xd49e2ce7,0x0ce454a9,0xd60acd86,0x015f1919,
+	0x77079103,0xdea03af6,0x78a8565e,0xdee356df,
+	0x21f05cbe,0x8b75e387,0xb3c50651,0xb8a5c3ef,
+	0xd8eeb6d2,0xe523be77,0xc2154529,0x2f69efdf,
+	0xafe67afb,0xf470c4b2,0xf3e0eb5b,0xd6cc9876,
+	0x39e4460c,0x1fda8538,0x1987832f,0xca007367,
+	0xa99144f8,0x296b299e,0x492fc295,0x9266beab,
+	0xb5676e69,0x9bd3ddda,0xdf7e052f,0xdb25701c,
+	0x1b5e51ee,0xf65324e6,0x6afce36c,0x0316cc04,
+	0x8644213e,0xb7dc59d0,0x7965291f,0xccd6fd43,
+	0x41823979,0x932bcdf6,0xb657c34d,0x4edfd282,
+	0x7ae5290c,0x3cb9536b,0x851e20fe,0x9833557e,
+	0x13ecf0b0,0xd3ffb372,0x3f85c5c1,0x0aef7ed2,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table4[256]={
+	0x7ec90c04,0x2c6e74b9,0x9b0e66df,0xa6337911,
+	0xb86a7fff,0x1dd358f5,0x44dd9d44,0x1731167f,
+	0x08fbf1fa,0xe7f511cc,0xd2051b00,0x735aba00,
+	0x2ab722d8,0x386381cb,0xacf6243a,0x69befd7a,
+	0xe6a2e77f,0xf0c720cd,0xc4494816,0xccf5c180,
+	0x38851640,0x15b0a848,0xe68b18cb,0x4caadeff,
+	0x5f480a01,0x0412b2aa,0x259814fc,0x41d0efe2,
+	0x4e40b48d,0x248eb6fb,0x8dba1cfe,0x41a99b02,
+	0x1a550a04,0xba8f65cb,0x7251f4e7,0x95a51725,
+	0xc106ecd7,0x97a5980a,0xc539b9aa,0x4d79fe6a,
+	0xf2f3f763,0x68af8040,0xed0c9e56,0x11b4958b,
+	0xe1eb5a88,0x8709e6b0,0xd7e07156,0x4e29fea7,
+	0x6366e52d,0x02d1c000,0xc4ac8e05,0x9377f571,
+	0x0c05372a,0x578535f2,0x2261be02,0xd642a0c9,
+	0xdf13a280,0x74b55bd2,0x682199c0,0xd421e5ec,
+	0x53fb3ce8,0xc8adedb3,0x28a87fc9,0x3d959981,
+	0x5c1ff900,0xfe38d399,0x0c4eff0b,0x062407ea,
+	0xaa2f4fb1,0x4fb96976,0x90c79505,0xb0a8a774,
+	0xef55a1ff,0xe59ca2c2,0xa6b62d27,0xe66a4263,
+	0xdf65001f,0x0ec50966,0xdfdd55bc,0x29de0655,
+	0x911e739a,0x17af8975,0x32c7911c,0x89f89468,
+	0x0d01e980,0x524755f4,0x03b63cc9,0x0cc844b2,
+	0xbcf3f0aa,0x87ac36e9,0xe53a7426,0x01b3d82b,
+	0x1a9e7449,0x64ee2d7e,0xcddbb1da,0x01c94910,
+	0xb868bf80,0x0d26f3fd,0x9342ede7,0x04a5c284,
+	0x636737b6,0x50f5b616,0xf24766e3,0x8eca36c1,
+	0x136e05db,0xfef18391,0xfb887a37,0xd6e7f7d4,
+	0xc7fb7dc9,0x3063fcdf,0xb6f589de,0xec2941da,
+	0x26e46695,0xb7566419,0xf654efc5,0xd08d58b7,
+	0x48925401,0xc1bacb7f,0xe5ff550f,0xb6083049,
+	0x5bb5d0e8,0x87d72e5a,0xab6a6ee1,0x223a66ce,
+	0xc62bf3cd,0x9e0885f9,0x68cb3e47,0x086c010f,
+	0xa21de820,0xd18b69de,0xf3f65777,0xfa02c3f6,
+	0x407edac3,0xcbb3d550,0x1793084d,0xb0d70eba,
+	0x0ab378d5,0xd951fb0c,0xded7da56,0x4124bbe4,
+	0x94ca0b56,0x0f5755d1,0xe0e1e56e,0x6184b5be,
+	0x580a249f,0x94f74bc0,0xe327888e,0x9f7b5561,
+	0xc3dc0280,0x05687715,0x646c6bd7,0x44904db3,
+	0x66b4f0a3,0xc0f1648a,0x697ed5af,0x49e92ff6,
+	0x309e374f,0x2cb6356a,0x85808573,0x4991f840,
+	0x76f0ae02,0x083be84d,0x28421c9a,0x44489406,
+	0x736e4cb8,0xc1092910,0x8bc95fc6,0x7d869cf4,
+	0x134f616f,0x2e77118d,0xb31b2be1,0xaa90b472,
+	0x3ca5d717,0x7d161bba,0x9cad9010,0xaf462ba2,
+	0x9fe459d2,0x45d34559,0xd9f2da13,0xdbc65487,
+	0xf3e4f94e,0x176d486f,0x097c13ea,0x631da5c7,
+	0x445f7382,0x175683f4,0xcdc66a97,0x70be0288,
+	0xb3cdcf72,0x6e5dd2f3,0x20936079,0x459b80a5,
+	0xbe60e2db,0xa9c23101,0xeba5315c,0x224e42f2,
+	0x1c5c1572,0xf6721b2c,0x1ad2fff3,0x8c25404e,
+	0x324ed72f,0x4067b7fd,0x0523138e,0x5ca3bc78,
+	0xdc0fd66e,0x75922283,0x784d6b17,0x58ebb16e,
+	0x44094f85,0x3f481d87,0xfcfeae7b,0x77b5ff76,
+	0x8c2302bf,0xaaf47556,0x5f46b02a,0x2b092801,
+	0x3d38f5f7,0x0ca81f36,0x52af4a8a,0x66d5e7c0,
+	0xdf3b0874,0x95055110,0x1b5ad7a8,0xf61ed5ad,
+	0x6cf6e479,0x20758184,0xd0cefa65,0x88f7be58,
+	0x4a046826,0x0ff6f8f3,0xa09c7f70,0x5346aba0,
+	0x5ce96c28,0xe176eda3,0x6bac307f,0x376829d2,
+	0x85360fa9,0x17e3fe2a,0x24b79767,0xf5a96b20,
+	0xd6cd2595,0x68ff1ebf,0x7555442c,0xf19f06be,
+	0xf9e0659a,0xeeb9491d,0x34010718,0xbb30cab8,
+	0xe822fe15,0x88570983,0x750e6249,0xda627e55,
+	0x5e76ffa8,0xb1534546,0x6d47de08,0xefe9e7d4,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table5[256]={
+	0xf6fa8f9d,0x2cac6ce1,0x4ca34867,0xe2337f7c,
+	0x95db08e7,0x016843b4,0xeced5cbc,0x325553ac,
+	0xbf9f0960,0xdfa1e2ed,0x83f0579d,0x63ed86b9,
+	0x1ab6a6b8,0xde5ebe39,0xf38ff732,0x8989b138,
+	0x33f14961,0xc01937bd,0xf506c6da,0xe4625e7e,
+	0xa308ea99,0x4e23e33c,0x79cbd7cc,0x48a14367,
+	0xa3149619,0xfec94bd5,0xa114174a,0xeaa01866,
+	0xa084db2d,0x09a8486f,0xa888614a,0x2900af98,
+	0x01665991,0xe1992863,0xc8f30c60,0x2e78ef3c,
+	0xd0d51932,0xcf0fec14,0xf7ca07d2,0xd0a82072,
+	0xfd41197e,0x9305a6b0,0xe86be3da,0x74bed3cd,
+	0x372da53c,0x4c7f4448,0xdab5d440,0x6dba0ec3,
+	0x083919a7,0x9fbaeed9,0x49dbcfb0,0x4e670c53,
+	0x5c3d9c01,0x64bdb941,0x2c0e636a,0xba7dd9cd,
+	0xea6f7388,0xe70bc762,0x35f29adb,0x5c4cdd8d,
+	0xf0d48d8c,0xb88153e2,0x08a19866,0x1ae2eac8,
+	0x284caf89,0xaa928223,0x9334be53,0x3b3a21bf,
+	0x16434be3,0x9aea3906,0xefe8c36e,0xf890cdd9,
+	0x80226dae,0xc340a4a3,0xdf7e9c09,0xa694a807,
+	0x5b7c5ecc,0x221db3a6,0x9a69a02f,0x68818a54,
+	0xceb2296f,0x53c0843a,0xfe893655,0x25bfe68a,
+	0xb4628abc,0xcf222ebf,0x25ac6f48,0xa9a99387,
+	0x53bddb65,0xe76ffbe7,0xe967fd78,0x0ba93563,
+	0x8e342bc1,0xe8a11be9,0x4980740d,0xc8087dfc,
+	0x8de4bf99,0xa11101a0,0x7fd37975,0xda5a26c0,
+	0xe81f994f,0x9528cd89,0xfd339fed,0xb87834bf,
+	0x5f04456d,0x22258698,0xc9c4c83b,0x2dc156be,
+	0x4f628daa,0x57f55ec5,0xe2220abe,0xd2916ebf,
+	0x4ec75b95,0x24f2c3c0,0x42d15d99,0xcd0d7fa0,
+	0x7b6e27ff,0xa8dc8af0,0x7345c106,0xf41e232f,
+	0x35162386,0xe6ea8926,0x3333b094,0x157ec6f2,
+	0x372b74af,0x692573e4,0xe9a9d848,0xf3160289,
+	0x3a62ef1d,0xa787e238,0xf3a5f676,0x74364853,
+	0x20951063,0x4576698d,0xb6fad407,0x592af950,
+	0x36f73523,0x4cfb6e87,0x7da4cec0,0x6c152daa,
+	0xcb0396a8,0xc50dfe5d,0xfcd707ab,0x0921c42f,
+	0x89dff0bb,0x5fe2be78,0x448f4f33,0x754613c9,
+	0x2b05d08d,0x48b9d585,0xdc049441,0xc8098f9b,
+	0x7dede786,0xc39a3373,0x42410005,0x6a091751,
+	0x0ef3c8a6,0x890072d6,0x28207682,0xa9a9f7be,
+	0xbf32679d,0xd45b5b75,0xb353fd00,0xcbb0e358,
+	0x830f220a,0x1f8fb214,0xd372cf08,0xcc3c4a13,
+	0x8cf63166,0x061c87be,0x88c98f88,0x6062e397,
+	0x47cf8e7a,0xb6c85283,0x3cc2acfb,0x3fc06976,
+	0x4e8f0252,0x64d8314d,0xda3870e3,0x1e665459,
+	0xc10908f0,0x513021a5,0x6c5b68b7,0x822f8aa0,
+	0x3007cd3e,0x74719eef,0xdc872681,0x073340d4,
+	0x7e432fd9,0x0c5ec241,0x8809286c,0xf592d891,
+	0x08a930f6,0x957ef305,0xb7fbffbd,0xc266e96f,
+	0x6fe4ac98,0xb173ecc0,0xbc60b42a,0x953498da,
+	0xfba1ae12,0x2d4bd736,0x0f25faab,0xa4f3fceb,
+	0xe2969123,0x257f0c3d,0x9348af49,0x361400bc,
+	0xe8816f4a,0x3814f200,0xa3f94043,0x9c7a54c2,
+	0xbc704f57,0xda41e7f9,0xc25ad33a,0x54f4a084,
+	0xb17f5505,0x59357cbe,0xedbd15c8,0x7f97c5ab,
+	0xba5ac7b5,0xb6f6deaf,0x3a479c3a,0x5302da25,
+	0x653d7e6a,0x54268d49,0x51a477ea,0x5017d55b,
+	0xd7d25d88,0x44136c76,0x0404a8c8,0xb8e5a121,
+	0xb81a928a,0x60ed5869,0x97c55b96,0xeaec991b,
+	0x29935913,0x01fdb7f1,0x088e8dfa,0x9ab6f6f5,
+	0x3b4cbf9f,0x4a5de3ab,0xe6051d35,0xa0e1d855,
+	0xd36b4cf1,0xf544edeb,0xb0e93524,0xbebb8fbd,
+	0xa2d762cf,0x49c92f54,0x38b5f331,0x7128a454,
+	0x48392905,0xa65b1db8,0x851c97bd,0xd675cf2f,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table6[256]={
+	0x85e04019,0x332bf567,0x662dbfff,0xcfc65693,
+	0x2a8d7f6f,0xab9bc912,0xde6008a1,0x2028da1f,
+	0x0227bce7,0x4d642916,0x18fac300,0x50f18b82,
+	0x2cb2cb11,0xb232e75c,0x4b3695f2,0xb28707de,
+	0xa05fbcf6,0xcd4181e9,0xe150210c,0xe24ef1bd,
+	0xb168c381,0xfde4e789,0x5c79b0d8,0x1e8bfd43,
+	0x4d495001,0x38be4341,0x913cee1d,0x92a79c3f,
+	0x089766be,0xbaeeadf4,0x1286becf,0xb6eacb19,
+	0x2660c200,0x7565bde4,0x64241f7a,0x8248dca9,
+	0xc3b3ad66,0x28136086,0x0bd8dfa8,0x356d1cf2,
+	0x107789be,0xb3b2e9ce,0x0502aa8f,0x0bc0351e,
+	0x166bf52a,0xeb12ff82,0xe3486911,0xd34d7516,
+	0x4e7b3aff,0x5f43671b,0x9cf6e037,0x4981ac83,
+	0x334266ce,0x8c9341b7,0xd0d854c0,0xcb3a6c88,
+	0x47bc2829,0x4725ba37,0xa66ad22b,0x7ad61f1e,
+	0x0c5cbafa,0x4437f107,0xb6e79962,0x42d2d816,
+	0x0a961288,0xe1a5c06e,0x13749e67,0x72fc081a,
+	0xb1d139f7,0xf9583745,0xcf19df58,0xbec3f756,
+	0xc06eba30,0x07211b24,0x45c28829,0xc95e317f,
+	0xbc8ec511,0x38bc46e9,0xc6e6fa14,0xbae8584a,
+	0xad4ebc46,0x468f508b,0x7829435f,0xf124183b,
+	0x821dba9f,0xaff60ff4,0xea2c4e6d,0x16e39264,
+	0x92544a8b,0x009b4fc3,0xaba68ced,0x9ac96f78,
+	0x06a5b79a,0xb2856e6e,0x1aec3ca9,0xbe838688,
+	0x0e0804e9,0x55f1be56,0xe7e5363b,0xb3a1f25d,
+	0xf7debb85,0x61fe033c,0x16746233,0x3c034c28,
+	0xda6d0c74,0x79aac56c,0x3ce4e1ad,0x51f0c802,
+	0x98f8f35a,0x1626a49f,0xeed82b29,0x1d382fe3,
+	0x0c4fb99a,0xbb325778,0x3ec6d97b,0x6e77a6a9,
+	0xcb658b5c,0xd45230c7,0x2bd1408b,0x60c03eb7,
+	0xb9068d78,0xa33754f4,0xf430c87d,0xc8a71302,
+	0xb96d8c32,0xebd4e7be,0xbe8b9d2d,0x7979fb06,
+	0xe7225308,0x8b75cf77,0x11ef8da4,0xe083c858,
+	0x8d6b786f,0x5a6317a6,0xfa5cf7a0,0x5dda0033,
+	0xf28ebfb0,0xf5b9c310,0xa0eac280,0x08b9767a,
+	0xa3d9d2b0,0x79d34217,0x021a718d,0x9ac6336a,
+	0x2711fd60,0x438050e3,0x069908a8,0x3d7fedc4,
+	0x826d2bef,0x4eeb8476,0x488dcf25,0x36c9d566,
+	0x28e74e41,0xc2610aca,0x3d49a9cf,0xbae3b9df,
+	0xb65f8de6,0x92aeaf64,0x3ac7d5e6,0x9ea80509,
+	0xf22b017d,0xa4173f70,0xdd1e16c3,0x15e0d7f9,
+	0x50b1b887,0x2b9f4fd5,0x625aba82,0x6a017962,
+	0x2ec01b9c,0x15488aa9,0xd716e740,0x40055a2c,
+	0x93d29a22,0xe32dbf9a,0x058745b9,0x3453dc1e,
+	0xd699296e,0x496cff6f,0x1c9f4986,0xdfe2ed07,
+	0xb87242d1,0x19de7eae,0x053e561a,0x15ad6f8c,
+	0x66626c1c,0x7154c24c,0xea082b2a,0x93eb2939,
+	0x17dcb0f0,0x58d4f2ae,0x9ea294fb,0x52cf564c,
+	0x9883fe66,0x2ec40581,0x763953c3,0x01d6692e,
+	0xd3a0c108,0xa1e7160e,0xe4f2dfa6,0x693ed285,
+	0x74904698,0x4c2b0edd,0x4f757656,0x5d393378,
+	0xa132234f,0x3d321c5d,0xc3f5e194,0x4b269301,
+	0xc79f022f,0x3c997e7e,0x5e4f9504,0x3ffafbbd,
+	0x76f7ad0e,0x296693f4,0x3d1fce6f,0xc61e45be,
+	0xd3b5ab34,0xf72bf9b7,0x1b0434c0,0x4e72b567,
+	0x5592a33d,0xb5229301,0xcfd2a87f,0x60aeb767,
+	0x1814386b,0x30bcc33d,0x38a0c07d,0xfd1606f2,
+	0xc363519b,0x589dd390,0x5479f8e6,0x1cb8d647,
+	0x97fd61a9,0xea7759f4,0x2d57539d,0x569a58cf,
+	0xe84e63ad,0x462e1b78,0x6580f87e,0xf3817914,
+	0x91da55f4,0x40a230f3,0xd1988f35,0xb6e318d2,
+	0x3ffa50bc,0x3d40f021,0xc3c0bdae,0x4958c24c,
+	0x518f36b2,0x84b1d370,0x0fedce83,0x878ddada,
+	0xf2a279c7,0x94e01be8,0x90716f4b,0x954b8aa3,
+	};
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table7[256]={
+	0xe216300d,0xbbddfffc,0xa7ebdabd,0x35648095,
+	0x7789f8b7,0xe6c1121b,0x0e241600,0x052ce8b5,
+	0x11a9cfb0,0xe5952f11,0xece7990a,0x9386d174,
+	0x2a42931c,0x76e38111,0xb12def3a,0x37ddddfc,
+	0xde9adeb1,0x0a0cc32c,0xbe197029,0x84a00940,
+	0xbb243a0f,0xb4d137cf,0xb44e79f0,0x049eedfd,
+	0x0b15a15d,0x480d3168,0x8bbbde5a,0x669ded42,
+	0xc7ece831,0x3f8f95e7,0x72df191b,0x7580330d,
+	0x94074251,0x5c7dcdfa,0xabbe6d63,0xaa402164,
+	0xb301d40a,0x02e7d1ca,0x53571dae,0x7a3182a2,
+	0x12a8ddec,0xfdaa335d,0x176f43e8,0x71fb46d4,
+	0x38129022,0xce949ad4,0xb84769ad,0x965bd862,
+	0x82f3d055,0x66fb9767,0x15b80b4e,0x1d5b47a0,
+	0x4cfde06f,0xc28ec4b8,0x57e8726e,0x647a78fc,
+	0x99865d44,0x608bd593,0x6c200e03,0x39dc5ff6,
+	0x5d0b00a3,0xae63aff2,0x7e8bd632,0x70108c0c,
+	0xbbd35049,0x2998df04,0x980cf42a,0x9b6df491,
+	0x9e7edd53,0x06918548,0x58cb7e07,0x3b74ef2e,
+	0x522fffb1,0xd24708cc,0x1c7e27cd,0xa4eb215b,
+	0x3cf1d2e2,0x19b47a38,0x424f7618,0x35856039,
+	0x9d17dee7,0x27eb35e6,0xc9aff67b,0x36baf5b8,
+	0x09c467cd,0xc18910b1,0xe11dbf7b,0x06cd1af8,
+	0x7170c608,0x2d5e3354,0xd4de495a,0x64c6d006,
+	0xbcc0c62c,0x3dd00db3,0x708f8f34,0x77d51b42,
+	0x264f620f,0x24b8d2bf,0x15c1b79e,0x46a52564,
+	0xf8d7e54e,0x3e378160,0x7895cda5,0x859c15a5,
+	0xe6459788,0xc37bc75f,0xdb07ba0c,0x0676a3ab,
+	0x7f229b1e,0x31842e7b,0x24259fd7,0xf8bef472,
+	0x835ffcb8,0x6df4c1f2,0x96f5b195,0xfd0af0fc,
+	0xb0fe134c,0xe2506d3d,0x4f9b12ea,0xf215f225,
+	0xa223736f,0x9fb4c428,0x25d04979,0x34c713f8,
+	0xc4618187,0xea7a6e98,0x7cd16efc,0x1436876c,
+	0xf1544107,0xbedeee14,0x56e9af27,0xa04aa441,
+	0x3cf7c899,0x92ecbae6,0xdd67016d,0x151682eb,
+	0xa842eedf,0xfdba60b4,0xf1907b75,0x20e3030f,
+	0x24d8c29e,0xe139673b,0xefa63fb8,0x71873054,
+	0xb6f2cf3b,0x9f326442,0xcb15a4cc,0xb01a4504,
+	0xf1e47d8d,0x844a1be5,0xbae7dfdc,0x42cbda70,
+	0xcd7dae0a,0x57e85b7a,0xd53f5af6,0x20cf4d8c,
+	0xcea4d428,0x79d130a4,0x3486ebfb,0x33d3cddc,
+	0x77853b53,0x37effcb5,0xc5068778,0xe580b3e6,
+	0x4e68b8f4,0xc5c8b37e,0x0d809ea2,0x398feb7c,
+	0x132a4f94,0x43b7950e,0x2fee7d1c,0x223613bd,
+	0xdd06caa2,0x37df932b,0xc4248289,0xacf3ebc3,
+	0x5715f6b7,0xef3478dd,0xf267616f,0xc148cbe4,
+	0x9052815e,0x5e410fab,0xb48a2465,0x2eda7fa4,
+	0xe87b40e4,0xe98ea084,0x5889e9e1,0xefd390fc,
+	0xdd07d35b,0xdb485694,0x38d7e5b2,0x57720101,
+	0x730edebc,0x5b643113,0x94917e4f,0x503c2fba,
+	0x646f1282,0x7523d24a,0xe0779695,0xf9c17a8f,
+	0x7a5b2121,0xd187b896,0x29263a4d,0xba510cdf,
+	0x81f47c9f,0xad1163ed,0xea7b5965,0x1a00726e,
+	0x11403092,0x00da6d77,0x4a0cdd61,0xad1f4603,
+	0x605bdfb0,0x9eedc364,0x22ebe6a8,0xcee7d28a,
+	0xa0e736a0,0x5564a6b9,0x10853209,0xc7eb8f37,
+	0x2de705ca,0x8951570f,0xdf09822b,0xbd691a6c,
+	0xaa12e4f2,0x87451c0f,0xe0f6a27a,0x3ada4819,
+	0x4cf1764f,0x0d771c2b,0x67cdb156,0x350d8384,
+	0x5938fa0f,0x42399ef3,0x36997b07,0x0e84093d,
+	0x4aa93e61,0x8360d87b,0x1fa98b0c,0x1149382c,
+	0xe97625a5,0x0614d1b7,0x0e25244b,0x0c768347,
+	0x589e8d82,0x0d2059d1,0xa466bb1e,0xf8da0a82,
+	0x04f19130,0xba6e4ec0,0x99265164,0x1ee7230d,
+	0x50b2ad80,0xeaee6801,0x8db2a283,0xea8bf59e,
+	};
diff --git a/crypto/openssl/crypto/cast/cast_spd.c b/crypto/openssl/crypto/cast/cast_spd.c
new file mode 100644
index 0000000..0af915c
--- /dev/null
+++ b/crypto/openssl/crypto/cast/cast_spd.c
@@ -0,0 +1,275 @@
+/* crypto/cast/cast_spd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/cast.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	CAST_KEY sch;
+	double a,b,c,d;
+#ifndef SIGALRM
+	long ca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	CAST_set_key(&sch,16,key);
+	count=10;
+	do	{
+		long i;
+		CAST_LONG data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			CAST_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/512;
+	cb=count;
+	cc=count*8/BUFSIZE+1;
+	printf("Doing CAST_set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing CAST_set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		CAST_set_key(&sch,16,key);
+		CAST_set_key(&sch,16,key);
+		CAST_set_key(&sch,16,key);
+		CAST_set_key(&sch,16,key);
+		}
+	d=Time_F(STOP);
+	printf("%ld cast set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing CAST_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing CAST_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count+=4)
+		{
+		CAST_LONG data[2];
+
+		CAST_encrypt(data,&sch);
+		CAST_encrypt(data,&sch);
+		CAST_encrypt(data,&sch);
+		CAST_encrypt(data,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld CAST_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing CAST_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing CAST_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		CAST_cbc_encrypt(buf,buf,BUFSIZE,&sch,
+			&(key[0]),CAST_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld CAST_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("CAST set_key       per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("CAST raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
+	printf("CAST cbc     bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
+
diff --git a/crypto/openssl/crypto/cast/castopts.c b/crypto/openssl/crypto/cast/castopts.c
new file mode 100644
index 0000000..c783796
--- /dev/null
+++ b/crypto/openssl/crypto/cast/castopts.c
@@ -0,0 +1,339 @@
+/* crypto/cast/castopts.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
+ * This is for machines with 64k code segment size restrictions. */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/cast.h>
+
+#define CAST_DEFAULT_OPTIONS
+
+#undef E_CAST
+#define CAST_encrypt  CAST_encrypt_normal
+#define CAST_decrypt  CAST_decrypt_normal
+#define CAST_cbc_encrypt  CAST_cbc_encrypt_normal
+#undef HEADER_CAST_LOCL_H
+#include "c_enc.c"
+
+#define CAST_PTR
+#undef CAST_PTR2
+#undef E_CAST
+#undef CAST_encrypt
+#undef CAST_decrypt
+#undef CAST_cbc_encrypt
+#define CAST_encrypt  CAST_encrypt_ptr
+#define CAST_decrypt  CAST_decrypt_ptr
+#define CAST_cbc_encrypt  CAST_cbc_encrypt_ptr
+#undef HEADER_CAST_LOCL_H
+#include "c_enc.c"
+
+#undef CAST_PTR
+#define CAST_PTR2
+#undef E_CAST
+#undef CAST_encrypt
+#undef CAST_decrypt
+#undef CAST_cbc_encrypt
+#define CAST_encrypt  CAST_encrypt_ptr2
+#define CAST_decrypt  CAST_decrypt_ptr2
+#define CAST_cbc_encrypt  CAST_cbc_encrypt_ptr2
+#undef HEADER_CAST_LOCL_H
+#include "c_enc.c"
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+#ifdef SIGALRM
+#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10);
+#else
+#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb);
+#endif
+	
+#define time_it(func,name,index) \
+	print_name(name); \
+	Time_F(START); \
+	for (count=0,run=1; COND(cb); count+=4) \
+		{ \
+		unsigned long d[2]; \
+		func(d,&sch); \
+		func(d,&sch); \
+		func(d,&sch); \
+		func(d,&sch); \
+		} \
+	tm[index]=Time_F(STOP); \
+	fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
+	tm[index]=((double)COUNT(cb))/tm[index];
+
+#define print_it(name,index) \
+	fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \
+		tm[index]*8,1.0e6/tm[index]);
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static char key[16]={	0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+				0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	CAST_KEY sch;
+	double d,tm[16],max=0;
+	int rank[16];
+	char *str[16];
+	int max_idx=0,i,num=0,j;
+#ifndef SIGALARM
+	long ca,cb,cc,cd,ce;
+#endif
+
+	for (i=0; i<12; i++)
+		{
+		tm[i]=0.0;
+		rank[i]=0;
+		}
+
+#ifndef TIMES
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
+	fprintf(stderr,"program when this computer is idle.\n");
+#endif
+
+	CAST_set_key(&sch,16,key);
+
+#ifndef SIGALRM
+	fprintf(stderr,"First we calculate the approximate speed ...\n");
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			CAST_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count;
+	cb=count*3;
+	cc=count*3*8/BUFSIZE+1;
+	cd=count*8/BUFSIZE+1;
+
+	ce=count/20+1;
+#define COND(d) (count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c) (run)
+#define COUNT(d) (count)
+        signal(SIGALRM,sig_done);
+        alarm(10);
+#endif
+
+	time_it(CAST_encrypt_normal,	"CAST_encrypt_normal ", 0);
+	time_it(CAST_encrypt_ptr,	"CAST_encrypt_ptr    ", 1);
+	time_it(CAST_encrypt_ptr2,	"CAST_encrypt_ptr2   ", 2);
+	num+=3;
+
+	str[0]="<nothing>";
+	print_it("CAST_encrypt_normal ",0);
+	max=tm[0];
+	max_idx=0;
+	str[1]="ptr      ";
+	print_it("CAST_encrypt_ptr ",1);
+	if (max < tm[1]) { max=tm[1]; max_idx=1; }
+	str[2]="ptr2     ";
+	print_it("CAST_encrypt_ptr2 ",2);
+	if (max < tm[2]) { max=tm[2]; max_idx=2; }
+
+	printf("options    CAST ecb/s\n");
+	printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]);
+	d=tm[max_idx];
+	tm[max_idx]= -2.0;
+	max= -1.0;
+	for (;;)
+		{
+		for (i=0; i<3; i++)
+			{
+			if (max < tm[i]) { max=tm[i]; j=i; }
+			}
+		if (max < 0.0) break;
+		printf("%s %12.2f  %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0);
+		tm[j]= -2.0;
+		max= -1.0;
+		}
+
+	switch (max_idx)
+		{
+	case 0:
+		printf("-DCAST_DEFAULT_OPTIONS\n");
+		break;
+	case 1:
+		printf("-DCAST_PTR\n");
+		break;
+	case 2:
+		printf("-DCAST_PTR2\n");
+		break;
+		}
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
+
diff --git a/crypto/openssl/crypto/cast/casts.cpp b/crypto/openssl/crypto/cast/casts.cpp
new file mode 100644
index 0000000..8d7bd46
--- /dev/null
+++ b/crypto/openssl/crypto/cast/casts.cpp
@@ -0,0 +1,70 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/cast.h>
+
+void main(int argc,char *argv[])
+	{
+	CAST_KEY key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+	static unsigned char d[16]={0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
+
+	CAST_set_key(&key, 16,d);
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			CAST_encrypt(&data[0],&key);
+			GetTSC(s1);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			GetTSC(e1);
+			GetTSC(s2);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			GetTSC(e2);
+			CAST_encrypt(&data[0],&key);
+			}
+
+		printf("cast %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/cast/casttest.c b/crypto/openssl/crypto/cast/casttest.c
new file mode 100644
index 0000000..ab2aeac
--- /dev/null
+++ b/crypto/openssl/crypto/cast/casttest.c
@@ -0,0 +1,230 @@
+/* crypto/cast/casttest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_CAST
+int main(int argc, char *argv[])
+{
+    printf("No CAST support\n");
+    return(0);
+}
+#else
+#include <openssl/cast.h>
+
+#define FULL_TEST
+
+static unsigned char k[16]={
+	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
+	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A
+	};
+
+static unsigned char in[8]={ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
+
+static int k_len[3]={16,10,5};
+static unsigned char c[3][8]={
+	{0x23,0x8B,0x4F,0xE5,0x84,0x7E,0x44,0xB2},
+	{0xEB,0x6A,0x71,0x1A,0x2C,0x02,0x27,0x1B},
+	{0x7A,0xC8,0x16,0xD1,0x6E,0x9B,0x30,0x2E},
+	};
+static unsigned char out[80];
+
+static unsigned char in_a[16]={
+	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
+	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A};
+static unsigned char in_b[16]={
+	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
+	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A};
+
+static unsigned char c_a[16]={
+	0xEE,0xA9,0xD0,0xA2,0x49,0xFD,0x3B,0xA6,
+	0xB3,0x43,0x6F,0xB8,0x9D,0x6D,0xCA,0x92};
+static unsigned char c_b[16]={
+	0xB2,0xC9,0x5E,0xB0,0x0C,0x31,0xAD,0x71,
+	0x80,0xAC,0x05,0xB8,0xE8,0x3D,0x69,0x6E};
+
+#if 0
+char *text="Hello to all people out there";
+
+static unsigned char cfb_key[16]={
+	0xe1,0xf0,0xc3,0xd2,0xa5,0xb4,0x87,0x96,
+	0x69,0x78,0x4b,0x5a,0x2d,0x3c,0x0f,0x1e,
+	};
+static unsigned char cfb_iv[80]={0x34,0x12,0x78,0x56,0xab,0x90,0xef,0xcd};
+static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8];
+#define CFB_TEST_SIZE 24
+static unsigned char plain[CFB_TEST_SIZE]=
+        {
+        0x4e,0x6f,0x77,0x20,0x69,0x73,
+        0x20,0x74,0x68,0x65,0x20,0x74,
+        0x69,0x6d,0x65,0x20,0x66,0x6f,
+        0x72,0x20,0x61,0x6c,0x6c,0x20
+        };
+static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
+	0x59,0xD8,0xE2,0x65,0x00,0x58,0x6C,0x3F,
+	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
+	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
+
+/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
+	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
+	}; 
+#endif
+
+int main(int argc, char *argv[])
+    {
+#ifdef FULL_TEST
+    long l;
+    CAST_KEY key_b;
+#endif
+    int i,z,err=0;
+    CAST_KEY key;
+
+    for (z=0; z<3; z++)
+	{
+	CAST_set_key(&key,k_len[z],k);
+
+	CAST_ecb_encrypt(in,out,&key,CAST_ENCRYPT);
+	if (memcmp(out,&(c[z][0]),8) != 0)
+	    {
+	    printf("ecb cast error encrypting for keysize %d\n",k_len[z]*8);
+	    printf("got     :");
+	    for (i=0; i<8; i++)
+		printf("%02X ",out[i]);
+	    printf("\n");
+	    printf("expected:");
+	    for (i=0; i<8; i++)
+		printf("%02X ",c[z][i]);
+	    err=20;
+	    printf("\n");
+	    }
+
+	CAST_ecb_encrypt(out,out,&key,CAST_DECRYPT);
+	if (memcmp(out,in,8) != 0)
+	    {
+	    printf("ecb cast error decrypting for keysize %d\n",k_len[z]*8);
+	    printf("got     :");
+	    for (i=0; i<8; i++)
+		printf("%02X ",out[i]);
+	    printf("\n");
+	    printf("expected:");
+	    for (i=0; i<8; i++)
+		printf("%02X ",in[i]);
+	    printf("\n");
+	    err=3;
+	    }
+	}
+    if (err == 0)
+	printf("ecb cast5 ok\n");
+
+#ifdef FULL_TEST
+      {
+      unsigned char out_a[16],out_b[16];
+      static char *hex="0123456789ABCDEF";
+      
+      printf("This test will take some time....");
+      fflush(stdout);
+      memcpy(out_a,in_a,sizeof(in_a));
+      memcpy(out_b,in_b,sizeof(in_b));
+      i=1;
+
+      for (l=0; l<1000000L; l++)
+	  {
+	  CAST_set_key(&key_b,16,out_b);
+	  CAST_ecb_encrypt(&(out_a[0]),&(out_a[0]),&key_b,CAST_ENCRYPT);
+	  CAST_ecb_encrypt(&(out_a[8]),&(out_a[8]),&key_b,CAST_ENCRYPT);
+	  CAST_set_key(&key,16,out_a);
+	  CAST_ecb_encrypt(&(out_b[0]),&(out_b[0]),&key,CAST_ENCRYPT);
+	  CAST_ecb_encrypt(&(out_b[8]),&(out_b[8]),&key,CAST_ENCRYPT);
+	  if ((l & 0xffff) == 0xffff)
+	      {
+	      printf("%c",hex[i&0x0f]);
+	      fflush(stdout);
+	      i++;
+	      }
+	  }
+
+      if (	(memcmp(out_a,c_a,sizeof(c_a)) != 0) ||
+		(memcmp(out_b,c_b,sizeof(c_b)) != 0))
+	  {
+	  printf("\n");
+	  printf("Error\n");
+
+	  printf("A out =");
+	  for (i=0; i<16; i++) printf("%02X ",out_a[i]);
+	  printf("\nactual=");
+	  for (i=0; i<16; i++) printf("%02X ",c_a[i]);
+	  printf("\n");
+
+	  printf("B out =");
+	  for (i=0; i<16; i++) printf("%02X ",out_b[i]);
+	  printf("\nactual=");
+	  for (i=0; i<16; i++) printf("%02X ",c_b[i]);
+	  printf("\n");
+	  }
+      else
+	  printf(" ok\n");
+      }
+#endif
+
+    exit(err);
+    return(err);
+    }
+#endif
diff --git a/crypto/openssl/crypto/comp/Makefile.save b/crypto/openssl/crypto/comp/Makefile.save
new file mode 100644
index 0000000..d946bcb
--- /dev/null
+++ b/crypto/openssl/crypto/comp/Makefile.save
@@ -0,0 +1,99 @@
+#
+# SSLeay/crypto/comp/Makefile
+#
+
+DIR=	comp
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= comp_lib.c \
+	c_rle.c c_zlib.c
+
+LIBOBJ=	comp_lib.o \
+	c_rle.o c_zlib.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= comp.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+c_rle.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_rle.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+c_rle.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_rle.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_zlib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+comp_lib.o: ../../include/openssl/opensslconf.h
+comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+comp_lib.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl
new file mode 100644
index 0000000..d946bcb
--- /dev/null
+++ b/crypto/openssl/crypto/comp/Makefile.ssl
@@ -0,0 +1,99 @@
+#
+# SSLeay/crypto/comp/Makefile
+#
+
+DIR=	comp
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= comp_lib.c \
+	c_rle.c c_zlib.c
+
+LIBOBJ=	comp_lib.o \
+	c_rle.o c_zlib.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= comp.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+c_rle.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_rle.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+c_rle.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_rle.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_zlib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
+comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/objects.h
+comp_lib.o: ../../include/openssl/opensslconf.h
+comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+comp_lib.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/comp/c_rle.c b/crypto/openssl/crypto/comp/c_rle.c
new file mode 100644
index 0000000..1a819e3
--- /dev/null
+++ b/crypto/openssl/crypto/comp/c_rle.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static COMP_METHOD rle_method={
+	NID_rle_compression,
+	LN_rle_compression,
+	NULL,
+	NULL,
+	rle_compress_block,
+	rle_expand_block,
+	NULL,
+	};
+
+COMP_METHOD *COMP_rle(void)
+	{
+	return(&rle_method);
+	}
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	/* int i; */
+
+	if (olen < (ilen+1))
+		{
+		/* ZZZZZZZZZZZZZZZZZZZZZZ */
+		return(-1);
+		}
+
+	*(out++)=0;
+	memcpy(out,in,ilen);
+	return(ilen+1);
+	}
+
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int i;
+
+	if (olen < (ilen-1))
+		{
+		/* ZZZZZZZZZZZZZZZZZZZZZZ */
+		return(-1);
+		}
+
+	i= *(in++);
+	if (i == 0)
+		{
+		memcpy(out,in,ilen-1);
+		}
+	return(ilen-1);
+	}
+
diff --git a/crypto/openssl/crypto/comp/c_zlib.c b/crypto/openssl/crypto/comp/c_zlib.c
new file mode 100644
index 0000000..6684ab4
--- /dev/null
+++ b/crypto/openssl/crypto/comp/c_zlib.c
@@ -0,0 +1,133 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_METHOD *COMP_zlib(void );
+
+#ifndef ZLIB
+
+static COMP_METHOD zlib_method={
+	NID_undef,
+	"(null)",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	};
+
+#else
+
+#include <zlib.h>
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static int zz_uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,
+	uLong sourceLen);
+
+static COMP_METHOD zlib_method={
+	NID_zlib_compression,
+	LN_zlib_compression,
+	NULL,
+	NULL,
+	zlib_compress_block,
+	zlib_expand_block,
+	NULL,
+	};
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	unsigned long l;
+	int i;
+	int clear=1;
+
+	if (ilen > 128)
+		{
+		out[0]=1;
+		l=olen-1;
+		i=compress(&(out[1]),&l,in,(unsigned long)ilen);
+		if (i != Z_OK)
+			return(-1);
+		if (ilen > l)
+			{
+			clear=0;
+			l++;
+			}
+		}
+	if (clear)
+		{
+		out[0]=0;
+		memcpy(&(out[1]),in,ilen);
+		l=ilen+1;
+		}
+fprintf(stderr,"compress(%4d)->%4d %s\n",ilen,(int)l,(clear)?"clear":"zlib");
+	return((int)l);
+	}
+
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	unsigned long l;
+	int i;
+
+	if (in[0])
+		{
+		l=olen;
+		i=zz_uncompress(out,&l,&(in[1]),(unsigned long)ilen-1);
+		if (i != Z_OK)
+			return(-1);
+		}
+	else
+		{
+		memcpy(out,&(in[1]),ilen-1);
+		l=ilen-1;
+		}
+        fprintf(stderr,"expand  (%4d)->%4d %s\n",ilen,(int)l,in[0]?"zlib":"clear");
+	return((int)l);
+	}
+
+static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
+	     uLong sourceLen)
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef*)source;
+    stream.avail_in = (uInt)sourceLen;
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
+
+    stream.next_out = dest;
+    stream.avail_out = (uInt)*destLen;
+    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func)0;
+    stream.zfree = (free_func)0;
+
+    err = inflateInit(&stream);
+    if (err != Z_OK) return err;
+
+    err = inflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        inflateEnd(&stream);
+        return err;
+    }
+    *destLen = stream.total_out;
+
+    err = inflateEnd(&stream);
+    return err;
+}
+
+#endif
+
+COMP_METHOD *COMP_zlib(void)
+	{
+	return(&zlib_method);
+	}
+
diff --git a/crypto/openssl/crypto/comp/comp.h b/crypto/openssl/crypto/comp/comp.h
new file mode 100644
index 0000000..811cb58
--- /dev/null
+++ b/crypto/openssl/crypto/comp/comp.h
@@ -0,0 +1,61 @@
+
+#ifndef HEADER_COMP_H
+#define HEADER_COMP_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/crypto.h>
+
+typedef struct comp_method_st
+	{
+	int type;		/* NID for compression library */
+	const char *name;	/* A text string to identify the library */
+	int (*init)();
+	void (*finish)();
+	int (*compress)();
+	int (*expand)();
+	long (*ctrl)();
+	long (*callback_ctrl)();
+	} COMP_METHOD;
+
+typedef struct comp_ctx_st
+	{
+	COMP_METHOD *meth;
+	unsigned long compress_in;
+	unsigned long compress_out;
+	unsigned long expand_in;
+	unsigned long expand_out;
+
+	CRYPTO_EX_DATA	ex_data;
+	} COMP_CTX;
+
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
+void COMP_CTX_free(COMP_CTX *ctx);
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+	unsigned char *in, int ilen);
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+	unsigned char *in, int ilen);
+COMP_METHOD *COMP_rle(void );
+#ifdef ZLIB
+COMP_METHOD *COMP_zlib(void );
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the COMP functions. */
+
+/* Function codes. */
+
+/* Reason codes. */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/comp/comp_err.c b/crypto/openssl/crypto/comp/comp_err.c
new file mode 100644
index 0000000..c10282a
--- /dev/null
+++ b/crypto/openssl/crypto/comp/comp_err.c
@@ -0,0 +1,92 @@
+/* crypto/comp/comp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/comp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA COMP_str_functs[]=
+	{
+{0,NULL}
+	};
+
+static ERR_STRING_DATA COMP_str_reasons[]=
+	{
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_COMP_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_COMP,COMP_str_functs);
+		ERR_load_strings(ERR_LIB_COMP,COMP_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/comp/comp_lib.c b/crypto/openssl/crypto/comp/comp_lib.c
new file mode 100644
index 0000000..a67ef23
--- /dev/null
+++ b/crypto/openssl/crypto/comp/comp_lib.c
@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
+	{
+	COMP_CTX *ret;
+
+	if ((ret=(COMP_CTX *)Malloc(sizeof(COMP_CTX))) == NULL)
+		{
+		/* ZZZZZZZZZZZZZZZZ */
+		return(NULL);
+		}
+	memset(ret,0,sizeof(COMP_CTX));
+	ret->meth=meth;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+#if 0
+	else
+		CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
+#endif
+	return(ret);
+	}
+
+void COMP_CTX_free(COMP_CTX *ctx)
+	{
+	/* CRYPTO_free_ex_data(rsa_meth,(char *)ctx,&ctx->ex_data); */
+
+	if(ctx == NULL)
+	    return;
+
+	if (ctx->meth->finish != NULL)
+		ctx->meth->finish(ctx);
+
+	Free(ctx);
+	}
+
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+	     unsigned char *in, int ilen)
+	{
+	int ret;
+	if (ctx->meth->compress == NULL)
+		{
+		/* ZZZZZZZZZZZZZZZZZ */
+		return(-1);
+		}
+	ret=ctx->meth->compress(ctx,out,olen,in,ilen);
+	if (ret > 0)
+		{
+		ctx->compress_in+=ilen;
+		ctx->compress_out+=ret;
+		}
+	return(ret);
+	}
+
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+	     unsigned char *in, int ilen)
+	{
+	int ret;
+
+	if (ctx->meth->expand == NULL)
+		{
+		/* ZZZZZZZZZZZZZZZZZ */
+		return(-1);
+		}
+	ret=ctx->meth->expand(ctx,out,olen,in,ilen);
+	if (ret > 0)
+		{
+		ctx->expand_in+=ilen;
+		ctx->expand_out+=ret;
+		}
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/conf/Makefile.save b/crypto/openssl/crypto/conf/Makefile.save
new file mode 100644
index 0000000..64b763f
--- /dev/null
+++ b/crypto/openssl/crypto/conf/Makefile.save
@@ -0,0 +1,92 @@
+#
+# SSLeay/crypto/conf/Makefile
+#
+
+DIR=	conf
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= conf.c conf_err.c
+
+LIBOBJ=	conf.o conf_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= conf.h
+HEADER=	conf_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+conf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+conf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+conf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf.o: ../cryptlib.h conf_lcl.h
+conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
+conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
+conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
+conf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl
new file mode 100644
index 0000000..64b763f
--- /dev/null
+++ b/crypto/openssl/crypto/conf/Makefile.ssl
@@ -0,0 +1,92 @@
+#
+# SSLeay/crypto/conf/Makefile
+#
+
+DIR=	conf
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= conf.c conf_err.c
+
+LIBOBJ=	conf.o conf_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= conf.h
+HEADER=	conf_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+conf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+conf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+conf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf.o: ../cryptlib.h conf_lcl.h
+conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
+conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
+conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
+conf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/conf/cnf_save.c b/crypto/openssl/crypto/conf/cnf_save.c
new file mode 100644
index 0000000..e907cc2
--- /dev/null
+++ b/crypto/openssl/crypto/conf/cnf_save.c
@@ -0,0 +1,105 @@
+/* crypto/conf/cnf_save.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/conf.h>
+
+void print_conf(CONF_VALUE *cv);
+
+main()
+	{
+	LHASH *conf;
+	long l;
+
+	conf=CONF_load(NULL,"../../apps/openssl.cnf",&l);
+	if (conf == NULL)
+		{
+		fprintf(stderr,"error loading config, line %ld\n",l);
+		exit(1);
+		}
+
+	lh_doall(conf,print_conf);
+	}
+
+
+void print_conf(CONF_VALUE *cv)
+	{
+	int i;
+	CONF_VALUE *v;
+	char *section;
+	char *name;
+	char *value;
+	STACK *s;
+
+	/* If it is a single entry, return */
+
+	if (cv->name != NULL) return;
+
+	printf("[ %s ]\n",cv->section);
+	s=(STACK *)cv->value;
+
+	for (i=0; i<sk_num(s); i++)
+		{
+		v=(CONF_VALUE *)sk_value(s,i);
+		section=(v->section == NULL)?"None":v->section;
+		name=(v->name == NULL)?"None":v->name;
+		value=(v->value == NULL)?"None":v->value;
+		printf("%s=%s\n",name,value);
+		}
+	printf("\n");
+	}
diff --git a/crypto/openssl/crypto/conf/conf.c b/crypto/openssl/crypto/conf/conf.c
new file mode 100644
index 0000000..3031fa3
--- /dev/null
+++ b/crypto/openssl/crypto/conf/conf.c
@@ -0,0 +1,730 @@
+/* crypto/conf/conf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+#include "conf_lcl.h"
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf);
+static void value_free_stack(CONF_VALUE *a,LHASH *conf);
+static unsigned long hash(CONF_VALUE *v);
+static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b);
+static char *eat_ws(char *p);
+static char *eat_alpha_numeric(char *p);
+static void clear_comments(char *p);
+static int str_copy(LHASH *conf,char *section,char **to, char *from);
+static char *scan_quote(char *p);
+static CONF_VALUE *new_section(LHASH *conf,char *section);
+static CONF_VALUE *get_section(LHASH *conf,char *section);
+#define scan_esc(p)	((((p)[1] == '\0')?(p++):(p+=2)),p)
+
+const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
+
+
+LHASH *CONF_load(LHASH *h, const char *file, long *line)
+	{
+	LHASH *ltmp;
+	BIO *in=NULL;
+
+#ifdef VMS
+	in=BIO_new_file(file, "r");
+#else
+	in=BIO_new_file(file, "rb");
+#endif
+	if (in == NULL)
+		{
+		CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+		return NULL;
+		}
+
+	ltmp = CONF_load_bio(h, in, line);
+	BIO_free(in);
+
+	return ltmp;
+}
+#ifndef NO_FP_API
+LHASH *CONF_load_fp(LHASH *h, FILE *in, long *line)
+{
+	BIO *btmp;
+	LHASH *ltmp;
+	if(!(btmp = BIO_new_fp(in, BIO_NOCLOSE))) {
+		CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+		return NULL;
+	}
+	ltmp = CONF_load_bio(h, btmp, line);
+	BIO_free(btmp);
+	return ltmp;
+}
+#endif
+
+LHASH *CONF_load_bio(LHASH *h, BIO *in, long *line)
+	{
+	LHASH *ret=NULL;
+#define BUFSIZE	512
+	char btmp[16];
+	int bufnum=0,i,ii;
+	BUF_MEM *buff=NULL;
+	char *s,*p,*end;
+	int again,n;
+	long eline=0;
+	CONF_VALUE *v=NULL,*vv,*tv;
+	CONF_VALUE *sv=NULL;
+	char *section=NULL,*buf;
+	STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
+	char *start,*psection,*pname;
+
+	if ((buff=BUF_MEM_new()) == NULL)
+		{
+		CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+		goto err;
+		}
+
+	section=(char *)Malloc(10);
+	if (section == NULL)
+		{
+		CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	strcpy(section,"default");
+
+	if (h == NULL)
+		{
+		if ((ret=lh_new(hash,cmp_conf)) == NULL)
+			{
+			CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	else
+		ret=h;
+
+	sv=new_section(ret,section);
+	if (sv == NULL)
+		{
+		CONFerr(CONF_F_CONF_LOAD_BIO,
+					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+		goto err;
+		}
+	section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+
+	bufnum=0;
+	for (;;)
+		{
+		again=0;
+		if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+			{
+			CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+			goto err;
+			}
+		p= &(buff->data[bufnum]);
+		*p='\0';
+		BIO_gets(in, p, BUFSIZE-1);
+		p[BUFSIZE-1]='\0';
+		ii=i=strlen(p);
+		if (i == 0) break;
+		while (i > 0)
+			{
+			if ((p[i-1] != '\r') && (p[i-1] != '\n'))
+				break;
+			else
+				i--;
+			}
+		/* we removed some trailing stuff so there is a new
+		 * line on the end. */
+		if (i == ii)
+			again=1; /* long line */
+		else
+			{
+			p[i]='\0';
+			eline++; /* another input line */
+			}
+
+		/* we now have a line with trailing \r\n removed */
+
+		/* i is the number of bytes */
+		bufnum+=i;
+
+		v=NULL;
+		/* check for line continuation */
+		if (bufnum >= 1)
+			{
+			/* If we have bytes and the last char '\\' and
+			 * second last char is not '\\' */
+			p= &(buff->data[bufnum-1]);
+			if (	IS_ESC(p[0]) &&
+				((bufnum <= 1) || !IS_ESC(p[-1])))
+				{
+				bufnum--;
+				again=1;
+				}
+			}
+		if (again) continue;
+		bufnum=0;
+		buf=buff->data;
+
+		clear_comments(buf);
+		n=strlen(buf);
+		s=eat_ws(buf);
+		if (IS_EOF(*s)) continue; /* blank line */
+		if (*s == '[')
+			{
+			char *ss;
+
+			s++;
+			start=eat_ws(s);
+			ss=start;
+again:
+			end=eat_alpha_numeric(ss);
+			p=eat_ws(end);
+			if (*p != ']')
+				{
+				if (*p != '\0')
+					{
+					ss=p;
+					goto again;
+					}
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+					CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
+				goto err;
+				}
+			*end='\0';
+			if (!str_copy(ret,NULL,&section,start)) goto err;
+			if ((sv=get_section(ret,section)) == NULL)
+				sv=new_section(ret,section);
+			if (sv == NULL)
+				{
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+				goto err;
+				}
+			section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+			continue;
+			}
+		else
+			{
+			pname=s;
+			psection=NULL;
+			end=eat_alpha_numeric(s);
+			if ((end[0] == ':') && (end[1] == ':'))
+				{
+				*end='\0';
+				end+=2;
+				psection=pname;
+				pname=end;
+				end=eat_alpha_numeric(end);
+				}
+			p=eat_ws(end);
+			if (*p != '=')
+				{
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+						CONF_R_MISSING_EQUAL_SIGN);
+				goto err;
+				}
+			*end='\0';
+			p++;
+			start=eat_ws(p);
+			while (!IS_EOF(*p))
+				p++;
+			p--;
+			while ((p != start) && (IS_WS(*p)))
+				p--;
+			p++;
+			*p='\0';
+
+			if (!(v=(CONF_VALUE *)Malloc(sizeof(CONF_VALUE))))
+				{
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+							ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			if (psection == NULL) psection=section;
+			v->name=(char *)Malloc(strlen(pname)+1);
+			v->value=NULL;
+			if (v->name == NULL)
+				{
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+							ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			strcpy(v->name,pname);
+			if (!str_copy(ret,psection,&(v->value),start)) goto err;
+
+			if (strcmp(psection,section) != 0)
+				{
+				if ((tv=get_section(ret,psection))
+					== NULL)
+					tv=new_section(ret,psection);
+				if (tv == NULL)
+					{
+					CONFerr(CONF_F_CONF_LOAD_BIO,
+					   CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+					goto err;
+					}
+				ts=(STACK_OF(CONF_VALUE) *)tv->value;
+				}
+			else
+				{
+				tv=sv;
+				ts=section_sk;
+				}
+			v->section=tv->section;	
+			if (!sk_CONF_VALUE_push(ts,v))
+				{
+				CONFerr(CONF_F_CONF_LOAD_BIO,
+							ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			vv=(CONF_VALUE *)lh_insert(ret,v);
+			if (vv != NULL)
+				{
+				sk_CONF_VALUE_delete_ptr(ts,vv);
+				Free(vv->name);
+				Free(vv->value);
+				Free(vv);
+				}
+			v=NULL;
+			}
+		}
+	if (buff != NULL) BUF_MEM_free(buff);
+	if (section != NULL) Free(section);
+	return(ret);
+err:
+	if (buff != NULL) BUF_MEM_free(buff);
+	if (section != NULL) Free(section);
+	if (line != NULL) *line=eline;
+	sprintf(btmp,"%ld",eline);
+	ERR_add_error_data(2,"line ",btmp);
+	if ((h != ret) && (ret != NULL)) CONF_free(ret);
+	if (v != NULL)
+		{
+		if (v->name != NULL) Free(v->name);
+		if (v->value != NULL) Free(v->value);
+		if (v != NULL) Free(v);
+		}
+	return(NULL);
+	}
+
+char *CONF_get_string(LHASH *conf, char *section, char *name)
+	{
+	CONF_VALUE *v,vv;
+	char *p;
+
+	if (name == NULL) return(NULL);
+	if (conf != NULL)
+		{
+		if (section != NULL)
+			{
+			vv.name=name;
+			vv.section=section;
+			v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+			if (v != NULL) return(v->value);
+			if (strcmp(section,"ENV") == 0)
+				{
+				p=Getenv(name);
+				if (p != NULL) return(p);
+				}
+			}
+		vv.section="default";
+		vv.name=name;
+		v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+		if (v != NULL)
+			return(v->value);
+		else
+			return(NULL);
+		}
+	else
+		return(Getenv(name));
+	}
+
+static CONF_VALUE *get_section(LHASH *conf, char *section)
+	{
+	CONF_VALUE *v,vv;
+
+	if ((conf == NULL) || (section == NULL)) return(NULL);
+	vv.name=NULL;
+	vv.section=section;
+	v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+	return(v);
+	}
+
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf, char *section)
+	{
+	CONF_VALUE *v;
+
+	v=get_section(conf,section);
+	if (v != NULL)
+		return((STACK_OF(CONF_VALUE) *)v->value);
+	else
+		return(NULL);
+	}
+
+long CONF_get_number(LHASH *conf, char *section, char *name)
+	{
+	char *str;
+	long ret=0;
+
+	str=CONF_get_string(conf,section,name);
+	if (str == NULL) return(0);
+	for (;;)
+		{
+		if (IS_NUMER(*str))
+			ret=ret*10+(*str -'0');
+		else
+			return(ret);
+		str++;
+		}
+	}
+
+void CONF_free(LHASH *conf)
+	{
+	if (conf == NULL) return;
+
+	conf->down_load=0; 	/* evil thing to make sure the 'Free()'
+				 * works as expected */
+	lh_doall_arg(conf,(void (*)())value_free_hash,conf);
+
+	/* We now have only 'section' entries in the hash table.
+	 * Due to problems with */
+
+	lh_doall_arg(conf,(void (*)())value_free_stack,conf);
+	lh_free(conf);
+	}
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf)
+	{
+	if (a->name != NULL)
+		{
+		a=(CONF_VALUE *)lh_delete(conf,a);
+		}
+	}
+
+static void value_free_stack(CONF_VALUE *a, LHASH *conf)
+	{
+	CONF_VALUE *vv;
+	STACK *sk;
+	int i;
+
+	if (a->name != NULL) return;
+
+	sk=(STACK *)a->value;
+	for (i=sk_num(sk)-1; i>=0; i--)
+		{
+		vv=(CONF_VALUE *)sk_value(sk,i);
+		Free(vv->value);
+		Free(vv->name);
+		Free(vv);
+		}
+	if (sk != NULL) sk_free(sk);
+	Free(a->section);
+	Free(a);
+	}
+
+static void clear_comments(char *p)
+	{
+	char *to;
+
+	to=p;
+	for (;;)
+		{
+		if (IS_COMMENT(*p))
+			{
+			*p='\0';
+			return;
+			}
+		if (IS_QUOTE(*p))
+			{
+			p=scan_quote(p);
+			continue;
+			}
+		if (IS_ESC(*p))
+			{
+			p=scan_esc(p);
+			continue;
+			}
+		if (IS_EOF(*p))
+			return;
+		else
+			p++;
+		}
+	}
+
+static int str_copy(LHASH *conf, char *section, char **pto, char *from)
+	{
+	int q,r,rr=0,to=0,len=0;
+	char *s,*e,*rp,*p,*rrp,*np,*cp,v;
+	BUF_MEM *buf;
+
+	if ((buf=BUF_MEM_new()) == NULL) return(0);
+
+	len=strlen(from)+1;
+	if (!BUF_MEM_grow(buf,len)) goto err;
+
+	for (;;)
+		{
+		if (IS_QUOTE(*from))
+			{
+			q= *from;
+			from++;
+			while ((*from != '\0') && (*from != q))
+				{
+				if (*from == '\\')
+					{
+					from++;
+					if (*from == '\0') break;
+					}
+				buf->data[to++]= *(from++);
+				}
+			}
+		else if (*from == '\\')
+			{
+			from++;
+			v= *(from++);
+			if (v == '\0') break;
+			else if (v == 'r') v='\r';
+			else if (v == 'n') v='\n';
+			else if (v == 'b') v='\b';
+			else if (v == 't') v='\t';
+			buf->data[to++]= v;
+			}
+		else if (*from == '\0')
+			break;
+		else if (*from == '$')
+			{
+			/* try to expand it */
+			rrp=NULL;
+			s= &(from[1]);
+			if (*s == '{')
+				q='}';
+			else if (*s == '(')
+				q=')';
+			else q=0;
+
+			if (q) s++;
+			cp=section;
+			e=np=s;
+			while (IS_ALPHA_NUMERIC(*e))
+				e++;
+			if ((e[0] == ':') && (e[1] == ':'))
+				{
+				cp=np;
+				rrp=e;
+				rr= *e;
+				*rrp='\0';
+				e+=2;
+				np=e;
+				while (IS_ALPHA_NUMERIC(*e))
+					e++;
+				}
+			r= *e;
+			*e='\0';
+			rp=e;
+			if (q)
+				{
+				if (r != q)
+					{
+					CONFerr(CONF_F_STR_COPY,CONF_R_NO_CLOSE_BRACE);
+					goto err;
+					}
+				e++;
+				}
+			/* So at this point we have
+			 * ns which is the start of the name string which is
+			 *   '\0' terminated. 
+			 * cs which is the start of the section string which is
+			 *   '\0' terminated.
+			 * e is the 'next point after'.
+			 * r and s are the chars replaced by the '\0'
+			 * rp and sp is where 'r' and 's' came from.
+			 */
+			p=CONF_get_string(conf,cp,np);
+			if (rrp != NULL) *rrp=rr;
+			*rp=r;
+			if (p == NULL)
+				{
+				CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
+				goto err;
+				}
+			BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+			while (*p)
+				buf->data[to++]= *(p++);
+			from=e;
+			}
+		else
+			buf->data[to++]= *(from++);
+		}
+	buf->data[to]='\0';
+	if (*pto != NULL) Free(*pto);
+	*pto=buf->data;
+	Free(buf);
+	return(1);
+err:
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(0);
+	}
+
+static char *eat_ws(char *p)
+	{
+	while (IS_WS(*p) && (!IS_EOF(*p)))
+		p++;
+	return(p);
+	}
+
+static char *eat_alpha_numeric(char *p)
+	{
+	for (;;)
+		{
+		if (IS_ESC(*p))
+			{
+			p=scan_esc(p);
+			continue;
+			}
+		if (!IS_ALPHA_NUMERIC_PUNCT(*p))
+			return(p);
+		p++;
+		}
+	}
+
+static unsigned long hash(CONF_VALUE *v)
+	{
+	return((lh_strhash(v->section)<<2)^lh_strhash(v->name));
+	}
+
+static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
+	{
+	int i;
+
+	if (a->section != b->section)
+		{
+		i=strcmp(a->section,b->section);
+		if (i) return(i);
+		}
+
+	if ((a->name != NULL) && (b->name != NULL))
+		{
+		i=strcmp(a->name,b->name);
+		return(i);
+		}
+	else if (a->name == b->name)
+		return(0);
+	else
+		return((a->name == NULL)?-1:1);
+	}
+
+static char *scan_quote(char *p)
+	{
+	int q= *p;
+
+	p++;
+	while (!(IS_EOF(*p)) && (*p != q))
+		{
+		if (IS_ESC(*p))
+			{
+			p++;
+			if (IS_EOF(*p)) return(p);
+			}
+		p++;
+		}
+	if (*p == q) p++;
+	return(p);
+	}
+
+static CONF_VALUE *new_section(LHASH *conf, char *section)
+	{
+	STACK *sk=NULL;
+	int ok=0,i;
+	CONF_VALUE *v=NULL,*vv;
+
+	if ((sk=sk_new_null()) == NULL)
+		goto err;
+	if ((v=(CONF_VALUE *)Malloc(sizeof(CONF_VALUE))) == NULL)
+		goto err;
+	i=strlen(section)+1;
+	if ((v->section=(char *)Malloc(i)) == NULL)
+		goto err;
+
+	memcpy(v->section,section,i);
+	v->name=NULL;
+	v->value=(char *)sk;
+	
+	vv=(CONF_VALUE *)lh_insert(conf,v);
+	if (vv != NULL)
+		{
+#if !defined(NO_STDIO) && !defined(WIN16)
+		fprintf(stderr,"internal fault\n");
+#endif
+		abort();
+		}
+	ok=1;
+err:
+	if (!ok)
+		{
+		if (sk != NULL) sk_free(sk);
+		if (v != NULL) Free(v);
+		v=NULL;
+		}
+	return(v);
+	}
+
+IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/crypto/openssl/crypto/conf/conf.h b/crypto/openssl/crypto/conf/conf.h
new file mode 100644
index 0000000..21831a9
--- /dev/null
+++ b/crypto/openssl/crypto/conf/conf.h
@@ -0,0 +1,116 @@
+/* crypto/conf/conf.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef  HEADER_CONF_H
+#define HEADER_CONF_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include <openssl/stack.h>
+#include <openssl/safestack.h>
+
+typedef struct
+	{
+	char *section;
+	char *name;
+	char *value;
+	} CONF_VALUE;
+
+DECLARE_STACK_OF(CONF_VALUE)
+
+LHASH *CONF_load(LHASH *conf,const char *file,long *eline);
+#ifndef NO_FP_API
+LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline);
+#endif
+LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline);
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section);
+char *CONF_get_string(LHASH *conf,char *group,char *name);
+long CONF_get_number(LHASH *conf,char *group,char *name);
+void CONF_free(LHASH *conf);
+void ERR_load_CONF_strings(void );
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the CONF functions. */
+
+/* Function codes. */
+#define CONF_F_CONF_LOAD				 100
+#define CONF_F_CONF_LOAD_BIO				 102
+#define CONF_F_CONF_LOAD_FP				 103
+#define CONF_F_STR_COPY					 101
+
+/* Reason codes. */
+#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET		 100
+#define CONF_R_MISSING_EQUAL_SIGN			 101
+#define CONF_R_NO_CLOSE_BRACE				 102
+#define CONF_R_UNABLE_TO_CREATE_NEW_SECTION		 103
+#define CONF_R_VARIABLE_HAS_NO_VALUE			 104
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c
new file mode 100644
index 0000000..5c1ca59
--- /dev/null
+++ b/crypto/openssl/crypto/conf/conf_err.c
@@ -0,0 +1,101 @@
+/* crypto/conf/conf_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/conf.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA CONF_str_functs[]=
+	{
+{ERR_PACK(0,CONF_F_CONF_LOAD,0),	"CONF_load"},
+{ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0),	"CONF_load_bio"},
+{ERR_PACK(0,CONF_F_CONF_LOAD_FP,0),	"CONF_load_fp"},
+{ERR_PACK(0,CONF_F_STR_COPY,0),	"STR_COPY"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA CONF_str_reasons[]=
+	{
+{CONF_R_MISSING_CLOSE_SQUARE_BRACKET     ,"missing close square bracket"},
+{CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
+{CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
+{CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
+{CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_CONF_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_CONF,CONF_str_functs);
+		ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/conf/conf_lcl.h b/crypto/openssl/crypto/conf/conf_lcl.h
new file mode 100644
index 0000000..f9a015d
--- /dev/null
+++ b/crypto/openssl/crypto/conf/conf_lcl.h
@@ -0,0 +1,116 @@
+/* crypto/conf/conf_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define CONF_NUMBER		1
+#define CONF_UPPER		2
+#define CONF_LOWER		4
+#define CONF_UNDER		256
+#define CONF_PUNCTUATION	512
+#define CONF_WS			16
+#define CONF_ESC		32
+#define CONF_QUOTE		64
+#define CONF_COMMENT		128
+#define CONF_EOF		8
+#define CONF_ALPHA		(CONF_UPPER|CONF_LOWER)
+#define CONF_ALPHA_NUMERIC	(CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
+#define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
+					CONF_PUNCTUATION)
+
+#ifndef CHARSET_EBCDIC
+#define IS_COMMENT(a)		(CONF_COMMENT&(CONF_type[(a)&0x7f]))
+#define IS_EOF(a)		((a) == '\0')
+#define IS_ESC(a)		((a) == '\\')
+#define IS_NUMER(a)		(CONF_type[(a)&0x7f]&CONF_NUMBER)
+#define IS_WS(a)		(CONF_type[(a)&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(a)	(CONF_type[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(a) \
+				(CONF_type[(a)&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(a)		(CONF_type[(a)&0x7f]&CONF_QUOTE)
+
+#else /*CHARSET_EBCDIC*/
+
+#define IS_COMMENT(a)		(CONF_COMMENT&(CONF_type[os_toascii[a]&0x7f]))
+#define IS_EOF(a)		(os_toascii[a] == '\0')
+#define IS_ESC(a)		(os_toascii[a] == '\\')
+#define IS_NUMER(a)		(CONF_type[os_toascii[a]&0x7f]&CONF_NUMBER)
+#define IS_WS(a)		(CONF_type[os_toascii[a]&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(a)	(CONF_type[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(a) \
+				(CONF_type[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(a)		(CONF_type[os_toascii[a]&0x7f]&CONF_QUOTE)
+#endif /*CHARSET_EBCDIC*/
+
+static unsigned short CONF_type[128]={
+	0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+	0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
+	0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+	0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+	0x010,0x200,0x040,0x080,0x000,0x200,0x200,0x040,
+	0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
+	0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
+	0x001,0x001,0x000,0x200,0x000,0x000,0x000,0x200,
+	0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+	0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+	0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+	0x002,0x002,0x002,0x000,0x020,0x000,0x200,0x100,
+	0x040,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+	0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+	0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+	0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+	};
+
diff --git a/crypto/openssl/crypto/conf/keysets.pl b/crypto/openssl/crypto/conf/keysets.pl
new file mode 100644
index 0000000..1aed0c8
--- /dev/null
+++ b/crypto/openssl/crypto/conf/keysets.pl
@@ -0,0 +1,61 @@
+#!/usr/local/bin/perl
+
+$NUMBER=0x01;
+$UPPER=0x02;
+$LOWER=0x04;
+$EOF=0x08;
+$WS=0x10;
+$ESC=0x20;
+$QUOTE=0x40;
+$COMMENT=0x80;
+$UNDER=0x100;
+
+foreach (0 .. 127)
+	{
+	$v=0;
+	$c=sprintf("%c",$_);
+	$v|=$NUMBER	if ($c =~ /[0-9]/);
+	$v|=$UPPER	if ($c =~ /[A-Z]/);
+	$v|=$LOWER	if ($c =~ /[a-z]/);
+	$v|=$UNDER	if ($c =~ /_/);
+	$v|=$WS		if ($c =~ / \t\r\n/);
+	$v|=$ESC	if ($c =~ /\\/);
+	$v|=$QUOTE	if ($c =~ /['`"]/);
+	$v|=$COMMENT	if ($c =~ /\#/);
+	$v|=$EOF	if ($c =~ /\0/);
+
+	push(@V,$v);
+	}
+
+print <<"EOF";
+#define CONF_NUMBER		$NUMBER
+#define CONF_UPPER		$UPPER
+#define CONF_LOWER		$LOWER
+#define CONF_EOF		$EOF
+#define CONF_WS			$WS
+#define CONF_ESC		$ESC
+#define CONF_QUOTE		$QUOTE
+#define CONF_COMMENT		$COMMENT
+#define CONF_ALPHA		(CONF_UPPER|CONF_LOWER)
+#define CONF_ALPHA_NUMERIC	(CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
+#define CONF_UNDER		$UNDER
+
+#define IS_COMMENT(a)		(CONF_COMMENT&(CONF_type[(a)&0x7f]))
+#define IS_EOF(a)		((a) == '\\0')
+#define IS_ESC(a)		((a) == '\\\\')
+#define IS_NUMER(a)		(CONF_type[(a)&0x7f]&CONF_NUMBER)
+#define IS_WS(a)		(CONF_type[(a)&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(a)	(CONF_type[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_QUOTE(a)		(CONF_type[(a)&0x7f]&CONF_QUOTE)
+
+EOF
+
+print "static unsigned short CONF_type[128]={";
+
+for ($i=0; $i<128; $i++)
+	{
+	print "\n\t" if ($i % 8) == 0;
+	printf "0x%03X,",$V[$i];
+	}
+
+print "\n\t};\n";
diff --git a/crypto/openssl/crypto/conf/ssleay.cnf b/crypto/openssl/crypto/conf/ssleay.cnf
new file mode 100644
index 0000000..ed33af6
--- /dev/null
+++ b/crypto/openssl/crypto/conf/ssleay.cnf
@@ -0,0 +1,78 @@
+#
+# This is a test configuration file for use in SSLeay etc...
+#
+
+init = 5
+in\#it1 =10
+init2='10'
+init3='10\''
+init4="10'"
+init5='='10\'' again'
+
+SSLeay::version = 0.5.0
+
+[genrsa]
+default_bits	= 512
+SSLEAY::version = 0.5.0
+
+[gendh]
+default_bits	= 512
+def_generator	= 2
+
+[s_client]
+cipher1		= DES_CBC_MD5:DES_CBC_SHA:DES_EDE_SHA:RC4_MD5\
+cipher2		= 'DES_CBC_MD5 DES_CBC_SHA DES_EDE_SHA RC4_MD5'
+cipher3		= "DES_CBC_MD5 DES_CBC_SHA DES_EDE_SHA RC4_MD5"
+cipher4		= DES_CBC_MD5 DES_CBC_SHA DES_EDE_SHA RC4_MD5
+
+[ default ]
+cert_dir	= $ENV::HOME/.ca_certs
+
+HOME		= /tmp/eay
+
+tmp_cert_dir	= $HOME/.ca_certs
+tmp2_cert_dir	= thisis$(HOME)stuff
+
+LOGNAME	= Eric Young (home=$HOME)
+
+[ special ]
+
+H=$HOME
+H=$default::HOME
+H=$ENV::HOME
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= $HOME/.rand
+
+[ req ]
+default_bits		= 512
+default_keyfile 	= privkey.pem
+
+Attribute_type_1	= countryName
+Attribute_text_1	= Country Name (2 letter code)
+Attribute_default_1	= AU
+
+Attribute_type_2	= stateOrProvinceName
+Attribute_text_2	= State or Province Name (full name)
+Attribute_default_2	= Queensland
+
+Attribute_type_3	= localityName
+Attribute_text_3	= Locality Name (eg, city)
+
+Attribute_type_4	= organizationName
+Attribute_text_4	= Organization Name (eg, company)
+Attribute_default_4	= Mincom Pty Ltd
+
+Attribute_type_5	= organizationalUnitName
+Attribute_text_5	= Organizational Unit Name (eg, section)
+Attribute_default_5	= TR
+
+Attribute_type_6	= commonName
+Attribute_text_6	= Common Name (eg, YOUR name)
+
+Attribute_type_7	= emailAddress
+Attribute_text_7	= Email Address
+
diff --git a/crypto/openssl/crypto/conf/test.c b/crypto/openssl/crypto/conf/test.c
new file mode 100644
index 0000000..9390a48
--- /dev/null
+++ b/crypto/openssl/crypto/conf/test.c
@@ -0,0 +1,92 @@
+/* crypto/conf/test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+
+main()
+	{
+	LHASH *conf;
+	long eline;
+	char *s,*s2;
+
+	conf=CONF_load(NULL,"openssl.conf",&eline);
+	if (conf == NULL)
+		{
+		ERR_load_crypto_strings();
+		printf("unable to load configuration, line %ld\n",eline);
+		ERR_print_errors_fp(stderr);
+		exit(1);
+		}
+	lh_stats(conf,stdout);
+	lh_node_stats(conf,stdout);
+	lh_node_usage_stats(conf,stdout);
+
+	s=CONF_get_string(conf,NULL,"init2");
+	printf("init2=%s\n",(s == NULL)?"NULL":s);
+
+	s=CONF_get_string(conf,NULL,"cipher1");
+	printf("cipher1=%s\n",(s == NULL)?"NULL":s);
+
+	s=CONF_get_string(conf,"s_client","cipher1");
+	printf("s_client:cipher1=%s\n",(s == NULL)?"NULL":s);
+
+	exit(0);
+	}
diff --git a/crypto/openssl/crypto/cpt_err.c b/crypto/openssl/crypto/cpt_err.c
new file mode 100644
index 0000000..dadd8d8
--- /dev/null
+++ b/crypto/openssl/crypto/cpt_err.c
@@ -0,0 +1,95 @@
+/* crypto/cpt_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA CRYPTO_str_functs[]=
+	{
+{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0),	"CRYPTO_get_ex_new_index"},
+{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0),	"CRYPTO_get_new_lockid"},
+{ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0),	"CRYPTO_set_ex_data"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA CRYPTO_str_reasons[]=
+	{
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_CRYPTO_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs);
+		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c
new file mode 100644
index 0000000..a8f29f1
--- /dev/null
+++ b/crypto/openssl/crypto/cryptlib.c
@@ -0,0 +1,302 @@
+/* crypto/cryptlib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+
+#if defined(WIN32) || defined(WIN16)
+static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
+#endif
+
+/* real #defines in crypto.h, keep these upto date */
+static const char* lock_names[CRYPTO_NUM_LOCKS] =
+	{
+	"<<ERROR>>",
+	"err",
+	"err_hash",
+	"x509",
+	"x509_info",
+	"x509_pkey",
+	"x509_crl",
+	"x509_req",
+	"dsa",
+	"rsa",
+	"evp_pkey",
+	"x509_store",
+	"ssl_ctx",
+	"ssl_cert",
+	"ssl_session",
+	"ssl_sess_cert",
+	"ssl",
+	"rand",
+	"debug_malloc",
+	"BIO",
+	"gethostbyname",
+	"getservbyname",
+	"readdir",
+	"RSA_blinding",
+	"dh",
+	"debug_malloc2",
+#if CRYPTO_NUM_LOCKS != 26
+# error "Inconsistency between crypto.h and cryptlib.c"
+#endif
+	};
+
+static STACK *app_locks=NULL;
+
+static void (MS_FAR *locking_callback)(int mode,int type,
+	const char *file,int line)=NULL;
+static int (MS_FAR *add_lock_callback)(int *pointer,int amount,
+	int type,const char *file,int line)=NULL;
+static unsigned long (MS_FAR *id_callback)(void)=NULL;
+int CRYPTO_get_new_lockid(char *name)
+	{
+	char *str;
+	int i;
+
+	/* A hack to make Visual C++ 5.0 work correctly when linking as
+	 * a DLL using /MT. Without this, the application cannot use
+	 * and floating point printf's.
+	 * It also seems to be needed for Visual C 1.5 (win16) */
+#if defined(WIN32) || defined(WIN16)
+	SSLeay_MSVC5_hack=(double)name[0]*(double)name[1];
+#endif
+
+	if ((app_locks == NULL) && ((app_locks=sk_new_null()) == NULL))
+		{
+		CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	if ((str=BUF_strdup(name)) == NULL)
+		return(0);
+	i=sk_push(app_locks,str);
+	if (!i)
+		Free(str);
+	else
+		i+=CRYPTO_NUM_LOCKS; /* gap of one :-) */
+	return(i);
+	}
+
+int CRYPTO_num_locks(void)
+	{
+	return CRYPTO_NUM_LOCKS;
+	}
+
+void (*CRYPTO_get_locking_callback(void))(int mode,int type,const char *file,
+		int line)
+	{
+	return(locking_callback);
+	}
+
+int (*CRYPTO_get_add_lock_callback(void))(int *num,int mount,int type,
+					  const char *file,int line)
+	{
+	return(add_lock_callback);
+	}
+
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+					      const char *file,int line))
+	{
+	locking_callback=func;
+	}
+
+void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type,
+					      const char *file,int line))
+	{
+	add_lock_callback=func;
+	}
+
+unsigned long (*CRYPTO_get_id_callback(void))(void)
+	{
+	return(id_callback);
+	}
+
+void CRYPTO_set_id_callback(unsigned long (*func)(void))
+	{
+	id_callback=func;
+	}
+
+unsigned long CRYPTO_thread_id(void)
+	{
+	unsigned long ret=0;
+
+	if (id_callback == NULL)
+		{
+#ifdef WIN16
+		ret=(unsigned long)GetCurrentTask();
+#elif defined(WIN32)
+		ret=(unsigned long)GetCurrentThreadId();
+#elif defined(GETPID_IS_MEANINGLESS)
+		ret=1L;
+#else
+		ret=(unsigned long)getpid();
+#endif
+		}
+	else
+		ret=id_callback();
+	return(ret);
+	}
+
+void CRYPTO_lock(int mode, int type, const char *file, int line)
+	{
+#ifdef LOCK_DEBUG
+		{
+		char *rw_text,*operation_text;
+
+		if (mode & CRYPTO_LOCK)
+			operation_text="lock  ";
+		else if (mode & CRYPTO_UNLOCK)
+			operation_text="unlock";
+		else
+			operation_text="ERROR ";
+
+		if (mode & CRYPTO_READ)
+			rw_text="r";
+		else if (mode & CRYPTO_WRITE)
+			rw_text="w";
+		else
+			rw_text="ERROR";
+
+		fprintf(stderr,"lock:%08lx:(%s)%s %-18s %s:%d\n",
+			CRYPTO_thread_id(), rw_text, operation_text,
+			CRYPTO_get_lock_name(type), file, line);
+		}
+#endif
+	if (locking_callback != NULL)
+		locking_callback(mode,type,file,line);
+	}
+
+int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
+	     int line)
+	{
+	int ret;
+
+	if (add_lock_callback != NULL)
+		{
+#ifdef LOCK_DEBUG
+		int before= *pointer;
+#endif
+
+		ret=add_lock_callback(pointer,amount,type,file,line);
+#ifdef LOCK_DEBUG
+		fprintf(stderr,"ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n",
+			CRYPTO_thread_id(),
+			before,amount,ret,
+			CRYPTO_get_lock_name(type),
+			file,line);
+#endif
+		*pointer=ret;
+		}
+	else
+		{
+		CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,file,line);
+
+		ret= *pointer+amount;
+#ifdef LOCK_DEBUG
+		fprintf(stderr,"ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n",
+			CRYPTO_thread_id(),
+			*pointer,amount,ret,
+			CRYPTO_get_lock_name(type),
+			file,line);
+#endif
+		*pointer=ret;
+		CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,file,line);
+		}
+	return(ret);
+	}
+
+const char *CRYPTO_get_lock_name(int type)
+	{
+	if (type < 0)
+		return("ERROR");
+	else if (type < CRYPTO_NUM_LOCKS)
+		return(lock_names[type]);
+	else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks))
+		return("ERROR");
+	else
+		return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
+	}
+
+#ifdef _DLL
+#ifdef WIN32
+
+/* All we really need to do is remove the 'error' state when a thread
+ * detaches */
+
+BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+	     LPVOID lpvReserved)
+	{
+	switch(fdwReason)
+		{
+	case DLL_PROCESS_ATTACH:
+		break;
+	case DLL_THREAD_ATTACH:
+		break;
+	case DLL_THREAD_DETACH:
+		ERR_remove_state(0);
+		break;
+	case DLL_PROCESS_DETACH:
+		break;
+		}
+	return(TRUE);
+	}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/cryptlib.h b/crypto/openssl/crypto/cryptlib.h
new file mode 100644
index 0000000..e3d3852
--- /dev/null
+++ b/crypto/openssl/crypto/cryptlib.h
@@ -0,0 +1,96 @@
+/* crypto/cryptlib.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CRYPTLIB_H
+#define HEADER_CRYPTLIB_H
+
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/buffer.h> 
+#include <openssl/bio.h> 
+#include <openssl/err.h>
+#include <openssl/opensslconf.h>
+
+#ifndef VMS
+#define X509_CERT_AREA		OPENSSLDIR
+#define X509_CERT_DIR		OPENSSLDIR "/certs"
+#define X509_CERT_FILE		OPENSSLDIR "/cert.pem"
+#define X509_PRIVATE_DIR	OPENSSLDIR "/private"
+#else
+#define X509_CERT_AREA		"SSLROOT:[000000]"
+#define X509_CERT_DIR		"SSLCERTS:"
+#define X509_CERT_FILE		"SSLCERTS:cert.pem"
+#define X509_PRIVATE_DIR        "SSLPRIVATE:"
+#endif
+
+#define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+#define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/crypto.h b/crypto/openssl/crypto/crypto.h
new file mode 100644
index 0000000..41c9379
--- /dev/null
+++ b/crypto/openssl/crypto/crypto.h
@@ -0,0 +1,373 @@
+/* crypto/crypto.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CRYPTO_H
+#define HEADER_CRYPTO_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <stdlib.h>
+
+#ifndef NO_FP_API
+#include <stdio.h>
+#endif
+
+#include <openssl/stack.h>
+#include <openssl/safestack.h>
+#include <openssl/opensslv.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+#if defined(VMS) || defined(__VMS)
+#include "vms_idhacks.h"
+#endif
+
+
+/* Backward compatibility to SSLeay */
+/* This is more to be used to check the correct DLL is being used
+ * in the MS world. */
+#define SSLEAY_VERSION_NUMBER	OPENSSL_VERSION_NUMBER
+#define SSLEAY_VERSION		0
+/* #define SSLEAY_OPTIONS	1 no longer supported */
+#define SSLEAY_CFLAGS		2
+#define SSLEAY_BUILT_ON		3
+#define SSLEAY_PLATFORM		4
+
+/* When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock
+ * names in cryptlib.c
+ */
+
+#define	CRYPTO_LOCK_ERR			1
+#define	CRYPTO_LOCK_ERR_HASH		2
+#define	CRYPTO_LOCK_X509		3
+#define	CRYPTO_LOCK_X509_INFO		4
+#define	CRYPTO_LOCK_X509_PKEY		5
+#define CRYPTO_LOCK_X509_CRL		6
+#define CRYPTO_LOCK_X509_REQ		7
+#define CRYPTO_LOCK_DSA			8
+#define CRYPTO_LOCK_RSA			9
+#define CRYPTO_LOCK_EVP_PKEY		10
+#define	CRYPTO_LOCK_X509_STORE		11
+#define	CRYPTO_LOCK_SSL_CTX		12
+#define	CRYPTO_LOCK_SSL_CERT		13
+#define	CRYPTO_LOCK_SSL_SESSION		14
+#define	CRYPTO_LOCK_SSL_SESS_CERT	15
+#define	CRYPTO_LOCK_SSL			16
+#define	CRYPTO_LOCK_RAND		17
+#define	CRYPTO_LOCK_MALLOC		18
+#define	CRYPTO_LOCK_BIO			19
+#define	CRYPTO_LOCK_GETHOSTBYNAME	20
+#define	CRYPTO_LOCK_GETSERVBYNAME	21
+#define	CRYPTO_LOCK_READDIR		22
+#define	CRYPTO_LOCK_RSA_BLINDING	23
+#define	CRYPTO_LOCK_DH			24
+#define	CRYPTO_LOCK_MALLOC2		25
+#define	CRYPTO_NUM_LOCKS		26
+
+#define CRYPTO_LOCK		1
+#define CRYPTO_UNLOCK		2
+#define CRYPTO_READ		4
+#define CRYPTO_WRITE		8
+
+#ifndef NO_LOCKING
+#ifndef CRYPTO_w_lock
+#define CRYPTO_w_lock(type)	\
+	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
+#define CRYPTO_w_unlock(type)	\
+	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
+#define CRYPTO_r_lock(type)	\
+	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
+#define CRYPTO_r_unlock(type)	\
+	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
+#define CRYPTO_add(addr,amount,type)	\
+	CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
+#endif
+#else
+#define CRYPTO_w_lock(a)
+#define	CRYPTO_w_unlock(a)
+#define CRYPTO_r_lock(a)
+#define CRYPTO_r_unlock(a)
+#define CRYPTO_add(a,b,c)	((*(a))+=(b))
+#endif
+
+/* The following can be used to detect memory leaks in the SSLeay library.
+ * It used, it turns on malloc checking */
+
+#define CRYPTO_MEM_CHECK_OFF	0x0	/* an enume */
+#define CRYPTO_MEM_CHECK_ON	0x1	/* a bit */
+#define CRYPTO_MEM_CHECK_ENABLE	0x2	/* a bit */
+#define CRYPTO_MEM_CHECK_DISABLE 0x3	/* an enume */
+
+/* The following are bit values to turn on or off options connected to the
+ * malloc checking functionality */
+
+/* Adds time to the memory checking information */
+#define V_CRYPTO_MDEBUG_TIME	0x1 /* a bit */
+/* Adds thread number to the memory checking information */
+#define V_CRYPTO_MDEBUG_THREAD	0x2 /* a bit */
+
+#define V_CRYPTO_MDEBUG_ALL (V_CRYPTO_MDEBUG_TIME | V_CRYPTO_MDEBUG_THREAD)
+
+
+/* predec of the BIO type */
+typedef struct bio_st BIO_dummy;
+
+typedef struct crypto_ex_data_st
+	{
+	STACK *sk;
+	int dummy; /* gcc is screwing up this data structure :-( */
+	} CRYPTO_EX_DATA;
+
+/* Called when a new object is created */
+typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when an object is free()ed */
+typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when we need to dup an object */
+typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+					int idx, long argl, void *argp);
+
+/* This stuff is basically class callback functions
+ * The current classes are SSL_CTX, SSL, SSL_SESSION, and a few more */
+
+typedef struct crypto_ex_data_func_st
+	{
+	long argl;	/* Arbitary long */
+	void *argp;	/* Arbitary void * */
+	CRYPTO_EX_new *new_func;
+	CRYPTO_EX_free *free_func;
+	CRYPTO_EX_dup *dup_func;
+	} CRYPTO_EX_DATA_FUNCS;
+
+DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
+
+/* Per class, we have a STACK of CRYPTO_EX_DATA_FUNCS for each CRYPTO_EX_DATA
+ * entry.
+ */
+
+#define CRYPTO_EX_INDEX_BIO		0
+#define CRYPTO_EX_INDEX_SSL		1
+#define CRYPTO_EX_INDEX_SSL_CTX		2
+#define CRYPTO_EX_INDEX_SSL_SESSION	3
+#define CRYPTO_EX_INDEX_X509_STORE	4
+#define CRYPTO_EX_INDEX_X509_STORE_CTX	5
+
+
+/* This is the default callbacks, but we can have others as well:
+ * this is needed in Win32 where the application malloc and the
+ * library malloc may not be the same.
+ */
+#define CRYPTO_malloc_init()	CRYPTO_set_mem_functions(\
+	malloc, realloc, free)
+
+#if defined CRYPTO_MDEBUG_ALL || defined CRYPTO_MDEBUG_TIME || defined CRYPTO_MDEBUG_THREAD
+# ifndef CRYPTO_MDEBUG /* avoid duplicate #define */
+#  define CRYPTO_MDEBUG
+# endif
+#endif
+
+/* Set standard debugging functions (not done by default
+ * unless CRYPTO_MDEBUG is defined) */
+#define CRYPTO_malloc_debug_init()	do {\
+	CRYPTO_set_mem_debug_functions(\
+		(void (*)())CRYPTO_dbg_malloc,\
+		(void (*)())CRYPTO_dbg_realloc,\
+		(void (*)())CRYPTO_dbg_free,\
+		(void (*)())CRYPTO_dbg_set_options,\
+		(long (*)())CRYPTO_dbg_get_options);\
+	} while(0)
+
+int CRYPTO_mem_ctrl(int mode);
+int CRYPTO_is_mem_check_on(void);
+
+/* for applications */
+#define MemCheck_start() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON)
+#define MemCheck_stop()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF)
+
+/* for library-internal use */
+#define MemCheck_on()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE)
+#define MemCheck_off()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
+#define is_MemCheck_on() CRYPTO_is_mem_check_on()
+
+#define Malloc(num)	CRYPTO_malloc((int)num,__FILE__,__LINE__)
+#define Realloc(addr,num) \
+	CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
+#define Remalloc(addr,num) \
+	CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
+#define FreeFunc	CRYPTO_free
+#define Free(addr)	CRYPTO_free(addr)
+
+#define Malloc_locked(num) CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
+#define Free_locked(addr) CRYPTO_free_locked(addr)
+
+
+/* Case insensiteve linking causes problems.... */
+#if defined(WIN16) || defined(VMS)
+#define ERR_load_CRYPTO_strings	ERR_load_CRYPTOlib_strings
+#endif
+
+
+const char *SSLeay_version(int type);
+unsigned long SSLeay(void);
+
+int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
+	     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
+void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad,int idx);
+int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
+	     CRYPTO_EX_DATA *from);
+void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
+void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
+
+int CRYPTO_get_new_lockid(char *name);
+
+int CRYPTO_num_locks(void); /* return CRYPTO_NUM_LOCKS (shared libs!) */
+void CRYPTO_lock(int mode, int type,const char *file,int line);
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+					      const char *file,int line));
+void (*CRYPTO_get_locking_callback(void))(int mode,int type,const char *file,
+		int line);
+void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type,
+					      const char *file, int line));
+int (*CRYPTO_get_add_lock_callback(void))(int *num,int mount,int type,
+					  const char *file,int line);
+void CRYPTO_set_id_callback(unsigned long (*func)(void));
+unsigned long (*CRYPTO_get_id_callback(void))(void);
+unsigned long CRYPTO_thread_id(void);
+const char *CRYPTO_get_lock_name(int type);
+int CRYPTO_add_lock(int *pointer,int amount,int type, const char *file,
+		    int line);
+
+/* CRYPTO_set_mem_functions includes CRYPTO_set_locked_mem_functions --
+ * call the latter last if you need different functions */
+int CRYPTO_set_mem_functions(void *(*m)(size_t),void *(*r)(void *,size_t), void (*f)(void *));
+int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*free_func)(void *));
+int CRYPTO_set_mem_debug_functions(void (*m)(),void (*r)(),void (*f)(),void (*so)(),long (*go)());
+void CRYPTO_get_mem_functions(void *(**m)(size_t),void *(**r)(void *, size_t), void (**f)(void *));
+void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *));
+void CRYPTO_get_mem_debug_functions(void (**m)(),void (**r)(),void (**f)(),void (**so)(),long (**go)());
+
+void *CRYPTO_malloc_locked(int num, const char *file, int line);
+void CRYPTO_free_locked(void *);
+void *CRYPTO_malloc(int num, const char *file, int line);
+void CRYPTO_free(void *);
+void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
+void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
+
+void CRYPTO_set_mem_debug_options(long bits);
+long CRYPTO_get_mem_debug_options(void);
+
+#define CRYPTO_push_info(info) \
+        CRYPTO_push_info_(info, __FILE__, __LINE__);
+int CRYPTO_push_info_(const char *info, const char *file, int line);
+int CRYPTO_pop_info(void);
+int CRYPTO_remove_all_info(void);
+
+/* The last argument has the following significance:
+ *
+ * 0:	called before the actual memory allocation has taken place
+ * 1:	called after the actual memory allocation has taken place
+ */
+void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
+void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
+void CRYPTO_dbg_free(void *addr,int before_p);
+
+/* Tell the debugging code about options.  By default, the following values
+ * apply:
+ *
+ * 0:	Clear all options.
+ * 1:	Set the "Show Time" option.
+ * 2:	Set the "Show Thread Number" option.
+ * 3:	1 + 2
+ */
+void CRYPTO_dbg_set_options(long bits);
+long CRYPTO_dbg_get_options(void);
+
+#ifndef NO_FP_API
+void CRYPTO_mem_leaks_fp(FILE *);
+#endif
+void CRYPTO_mem_leaks(struct bio_st *bio);
+/* unsigned long order, char *file, int line, int num_bytes, char *addr */
+void CRYPTO_mem_leaks_cb(void (*cb)());
+
+void ERR_load_CRYPTO_strings(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the CRYPTO functions. */
+
+/* Function codes. */
+#define CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX		 100
+#define CRYPTO_F_CRYPTO_GET_NEW_LOCKID			 101
+#define CRYPTO_F_CRYPTO_SET_EX_DATA			 102
+
+/* Reason codes. */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/cversion.c b/crypto/openssl/crypto/cversion.c
new file mode 100644
index 0000000..297f884
--- /dev/null
+++ b/crypto/openssl/crypto/cversion.c
@@ -0,0 +1,110 @@
+/* crypto/cversion.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+
+#include "buildinf.h"
+
+const char *SSLeay_version(int t)
+	{
+	if (t == SSLEAY_VERSION)
+		return OPENSSL_VERSION_TEXT;
+	if (t == SSLEAY_BUILT_ON)
+		{
+#ifdef DATE
+		static char buf[sizeof(DATE)+11];
+
+		sprintf(buf,"built on: %s",DATE);
+		return(buf);
+#else
+		return("built on: date not available");
+#endif
+		}
+	if (t == SSLEAY_CFLAGS)
+		{
+#ifdef CFLAGS
+		static char buf[sizeof(CFLAGS)+11];
+
+		sprintf(buf,"compiler: %s",CFLAGS);
+		return(buf);
+#else
+		return("compiler: information not available");
+#endif
+		}
+	if (t == SSLEAY_PLATFORM)
+		{
+#ifdef PLATFORM
+		static char buf[sizeof(PLATFORM)+11];
+
+		sprintf(buf,"platform: %s", PLATFORM);
+		return(buf);
+#else
+		return("platform: information not available");
+#endif
+		}
+	return("not available");
+	}
+
+unsigned long SSLeay(void)
+	{
+	return(SSLEAY_VERSION_NUMBER);
+	}
+
diff --git a/crypto/openssl/crypto/des/COPYRIGHT b/crypto/openssl/crypto/des/COPYRIGHT
new file mode 100644
index 0000000..5469e1e
--- /dev/null
+++ b/crypto/openssl/crypto/des/COPYRIGHT
@@ -0,0 +1,50 @@
+Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+All rights reserved.
+
+This package is an DES implementation written by Eric Young (eay@cryptsoft.com).
+The implementation was written so as to conform with MIT's libdes.
+
+This library is free for commercial and non-commercial use as long as
+the following conditions are aheared to.  The following conditions
+apply to all code found in this distribution.
+
+Copyright remains Eric Young's, and as such any Copyright notices in
+the code are not to be removed.
+If this package is used in a product, Eric Young should be given attribution
+as the author of that the SSL library.  This can be in the form of a textual
+message at program startup or in documentation (online or textual) provided
+with the package.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@cryptsoft.com)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+The license and distribution terms for any publically available version or
+derivative of this code cannot be changed.  i.e. this code cannot simply be
+copied and put under another distrubution license
+[including the GNU Public License.]
+
+The reason behind this being stated in this direct manner is past
+experience in code simply being copied and the attribution removed
+from it and then being distributed as part of other packages. This
+implementation was a non-trivial and unpaid effort.
diff --git a/crypto/openssl/crypto/des/DES.pm b/crypto/openssl/crypto/des/DES.pm
new file mode 100644
index 0000000..6a175b6
--- /dev/null
+++ b/crypto/openssl/crypto/des/DES.pm
@@ -0,0 +1,19 @@
+package DES;
+
+require Exporter;
+require DynaLoader;
+@ISA = qw(Exporter DynaLoader);
+# Items to export into callers namespace by default
+# (move infrequently used names to @EXPORT_OK below)
+@EXPORT = qw(
+);
+# Other items we are prepared to export if requested
+@EXPORT_OK = qw(
+crypt
+);
+
+# Preloaded methods go here.  Autoload methods go after __END__, and are
+# processed by the autosplit program.
+bootstrap DES;
+1;
+__END__
diff --git a/crypto/openssl/crypto/des/DES.pod b/crypto/openssl/crypto/des/DES.pod
new file mode 100644
index 0000000..8a739e7
--- /dev/null
+++ b/crypto/openssl/crypto/des/DES.pod
@@ -0,0 +1,16 @@
+crypt	<= 	crypt(buf,salt)
+key	<=	set_odd_parity(key)
+int	<=	is_weak_key(key)
+keysched<=	set_key(key)
+key	<=	ecb_encrypt(string8,ks,enc)
+key	<=	ecb3_encrypt(input,ks1,ks2,enc)
+string	<=	cbc_encrypt(input,ks,ivec,enc)			=> ivec 
+string	<=	cbc3_encrypt(input,ks1,ks2,ivec1,ivec2,enc)	=> ivec1&ivec2 
+ck1,ck2	<=	cbc_cksum(input,ks,ivec)			=> ivec
+string	<=	pcbc_encrypt(input,ks,ivec,enc)			=> ivec 
+string	<=	ofb_encrypt(input,numbits,ks,ivec)		=> ivec
+string	<=	cfb_encrypt(input,numbits,ks,ivec,enc)		=> ivec
+key	<=	random_key()
+key	<=	string_to_key(string)
+key1,key2<=	string_to_2keys(string)
+
diff --git a/crypto/openssl/crypto/des/DES.xs b/crypto/openssl/crypto/des/DES.xs
new file mode 100644
index 0000000..b8050b9
--- /dev/null
+++ b/crypto/openssl/crypto/des/DES.xs
@@ -0,0 +1,268 @@
+#include "EXTERN.h"
+#include "perl.h"
+#include "XSUB.h"
+#include "des.h"
+
+#define deschar	char
+static STRLEN len;
+
+static int
+not_here(s)
+char *s;
+{
+    croak("%s not implemented on this architecture", s);
+    return -1;
+}
+
+MODULE = DES	PACKAGE = DES	PREFIX = des_
+
+char *
+des_crypt(buf,salt)
+	char *	buf
+	char *	salt
+
+void
+des_set_odd_parity(key)
+	des_cblock *	key
+PPCODE:
+	{
+	SV *s;
+
+	s=sv_newmortal();
+	sv_setpvn(s,(char *)key,8);
+	des_set_odd_parity((des_cblock *)SvPV(s,na));
+	PUSHs(s);
+	}
+
+int
+des_is_weak_key(key)
+	des_cblock *	key
+
+des_key_schedule
+des_set_key(key)
+	des_cblock *	key
+CODE:
+	des_set_key(key,RETVAL);
+OUTPUT:
+RETVAL
+
+des_cblock
+des_ecb_encrypt(input,ks,encrypt)
+	des_cblock *	input
+	des_key_schedule *	ks
+	int	encrypt
+CODE:
+	des_ecb_encrypt(input,&RETVAL,*ks,encrypt);
+OUTPUT:
+RETVAL
+
+void
+des_cbc_encrypt(input,ks,ivec,encrypt)
+	char *	input
+	des_key_schedule *	ks
+	des_cblock *	ivec
+	int	encrypt
+PPCODE:
+	{
+	SV *s;
+	STRLEN len,l;
+	char *c;
+
+	l=SvCUR(ST(0));
+	len=((((unsigned long)l)+7)/8)*8;
+	s=sv_newmortal();
+	sv_setpvn(s,"",0);
+	SvGROW(s,len);
+	SvCUR_set(s,len);
+	c=(char *)SvPV(s,na);
+	des_cbc_encrypt((des_cblock *)input,(des_cblock *)c,
+		l,*ks,ivec,encrypt);
+	sv_setpvn(ST(2),(char *)c[len-8],8);
+	PUSHs(s);
+	}
+
+void
+des_cbc3_encrypt(input,ks1,ks2,ivec1,ivec2,encrypt)
+	char *	input
+	des_key_schedule *	ks1
+	des_key_schedule *	ks2
+	des_cblock *	ivec1
+	des_cblock *	ivec2
+	int	encrypt
+PPCODE:
+	{
+	SV *s;
+	STRLEN len,l;
+
+	l=SvCUR(ST(0));
+	len=((((unsigned long)l)+7)/8)*8;
+	s=sv_newmortal();
+	sv_setpvn(s,"",0);
+	SvGROW(s,len);
+	SvCUR_set(s,len);
+	des_3cbc_encrypt((des_cblock *)input,(des_cblock *)SvPV(s,na),
+		l,*ks1,*ks2,ivec1,ivec2,encrypt);
+	sv_setpvn(ST(3),(char *)ivec1,8);
+	sv_setpvn(ST(4),(char *)ivec2,8);
+	PUSHs(s);
+	}
+
+void
+des_cbc_cksum(input,ks,ivec)
+	char *	input
+	des_key_schedule *	ks
+	des_cblock *	ivec
+PPCODE:
+	{
+	SV *s1,*s2;
+	STRLEN len,l;
+	des_cblock c;
+	unsigned long i1,i2;
+
+	s1=sv_newmortal();
+	s2=sv_newmortal();
+	l=SvCUR(ST(0));
+	des_cbc_cksum((des_cblock *)input,(des_cblock *)c,
+		l,*ks,ivec);
+	i1=c[4]|(c[5]<<8)|(c[6]<<16)|(c[7]<<24);
+	i2=c[0]|(c[1]<<8)|(c[2]<<16)|(c[3]<<24);
+	sv_setiv(s1,i1);
+	sv_setiv(s2,i2);
+	sv_setpvn(ST(2),(char *)c,8);
+	PUSHs(s1);
+	PUSHs(s2);
+	}
+
+void
+des_cfb_encrypt(input,numbits,ks,ivec,encrypt)
+	char *	input
+	int	numbits
+	des_key_schedule *	ks
+	des_cblock *	ivec
+	int	encrypt
+PPCODE:
+	{
+	SV *s;
+	STRLEN len;
+	char *c;
+
+	len=SvCUR(ST(0));
+	s=sv_newmortal();
+	sv_setpvn(s,"",0);
+	SvGROW(s,len);
+	SvCUR_set(s,len);
+	c=(char *)SvPV(s,na);
+	des_cfb_encrypt((unsigned char *)input,(unsigned char *)c,
+		(int)numbits,(long)len,*ks,ivec,encrypt);
+	sv_setpvn(ST(3),(char *)ivec,8);
+	PUSHs(s);
+	}
+
+des_cblock *
+des_ecb3_encrypt(input,ks1,ks2,encrypt)
+	des_cblock *	input
+	des_key_schedule *	ks1
+	des_key_schedule *	ks2
+	int	encrypt
+CODE:
+	{
+	des_cblock c;
+
+	des_ecb3_encrypt((des_cblock *)input,(des_cblock *)&c,
+		*ks1,*ks2,encrypt);
+	RETVAL= &c;
+	}
+OUTPUT:
+RETVAL
+
+void
+des_ofb_encrypt(input,numbits,ks,ivec)
+	unsigned char *	input
+	int	numbits
+	des_key_schedule *	ks
+	des_cblock *	ivec
+PPCODE:
+	{
+	SV *s;
+	STRLEN len,l;
+	unsigned char *c;
+
+	len=SvCUR(ST(0));
+	s=sv_newmortal();
+	sv_setpvn(s,"",0);
+	SvGROW(s,len);
+	SvCUR_set(s,len);
+	c=(unsigned char *)SvPV(s,na);
+	des_ofb_encrypt((unsigned char *)input,(unsigned char *)c,
+		numbits,len,*ks,ivec);
+	sv_setpvn(ST(3),(char *)ivec,8);
+	PUSHs(s);
+	}
+
+void
+des_pcbc_encrypt(input,ks,ivec,encrypt)
+	char *	input
+	des_key_schedule *	ks
+	des_cblock *	ivec
+	int	encrypt
+PPCODE:
+	{
+	SV *s;
+	STRLEN len,l;
+	char *c;
+
+	l=SvCUR(ST(0));
+	len=((((unsigned long)l)+7)/8)*8;
+	s=sv_newmortal();
+	sv_setpvn(s,"",0);
+	SvGROW(s,len);
+	SvCUR_set(s,len);
+	c=(char *)SvPV(s,na);
+	des_pcbc_encrypt((des_cblock *)input,(des_cblock *)c,
+		l,*ks,ivec,encrypt);
+	sv_setpvn(ST(2),(char *)c[len-8],8);
+	PUSHs(s);
+	}
+
+des_cblock *
+des_random_key()
+CODE:
+	{
+	des_cblock c;
+
+	des_random_key(c);
+	RETVAL=&c;
+	}
+OUTPUT:
+RETVAL
+
+des_cblock *
+des_string_to_key(str)
+char *	str
+CODE:
+	{
+	des_cblock c;
+
+	des_string_to_key(str,&c);
+	RETVAL=&c;
+	}
+OUTPUT:
+RETVAL
+
+void
+des_string_to_2keys(str)
+char *	str
+PPCODE:
+	{
+	des_cblock c1,c2;
+	SV *s1,*s2;
+
+	des_string_to_2keys(str,&c1,&c2);
+	EXTEND(sp,2);
+	s1=sv_newmortal();
+	sv_setpvn(s1,(char *)c1,8);
+	s2=sv_newmortal();
+	sv_setpvn(s2,(char *)c2,8);
+	PUSHs(s1);
+	PUSHs(s2);
+	}
diff --git a/crypto/openssl/crypto/des/FILES b/crypto/openssl/crypto/des/FILES
new file mode 100644
index 0000000..4c7ea2d
--- /dev/null
+++ b/crypto/openssl/crypto/des/FILES
@@ -0,0 +1,96 @@
+/* General stuff */
+COPYRIGHT	- Copyright info.
+MODES.DES	- A description of the features of the different modes of DES.
+FILES		- This file.
+INSTALL		- How to make things compile.
+Imakefile	- For use with kerberos.
+README		- What this package is.
+VERSION		- Which version this is and what was changed.
+KERBEROS	- Kerberos version 4 notes.
+Makefile.PL	- An old makefile to build with perl5, not current.
+Makefile.ssl	- The SSLeay makefile
+Makefile.uni	- The normal unix makefile.
+GNUmakefile	- The makefile for use with glibc.
+makefile.bc	- A Borland C makefile
+times		- Some outputs from 'speed' on some machines.
+vms.com		- For use when compiling under VMS
+
+/* My SunOS des(1) replacement */
+des.c		- des(1) source code.
+des.man		- des(1) manual.
+
+/* Testing and timing programs. */
+destest.c	- Source for libdes.a test program.
+speed.c		- Source for libdes.a timing program.
+rpw.c		- Source for libdes.a testing password reading routines.
+
+/* libdes.a source code */
+des_crypt.man	- libdes.a manual page.
+des.h		- Public libdes.a header file.
+ecb_enc.c	- des_ecb_encrypt() source, this contains the basic DES code.
+ecb3_enc.c	- des_ecb3_encrypt() source.
+cbc_ckm.c	- des_cbc_cksum() source.
+cbc_enc.c	- des_cbc_encrypt() source.
+ncbc_enc.c	- des_cbc_encrypt() that is 'normal' in that it copies
+		  the new iv values back in the passed iv vector.
+ede_enc.c	- des_ede3_cbc_encrypt() cbc mode des using triple DES.
+cbc3_enc.c	- des_3cbc_encrypt() source, don't use this function.
+cfb_enc.c	- des_cfb_encrypt() source.
+cfb64enc.c	- des_cfb64_encrypt() cfb in 64 bit mode but setup to be
+		  used as a stream cipher.
+cfb64ede.c	- des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be
+		  used as a stream cipher and using triple DES.
+ofb_enc.c	- des_cfb_encrypt() source.
+ofb64_enc.c	- des_ofb_encrypt() ofb in 64 bit mode but setup to be
+		  used as a stream cipher.
+ofb64ede.c	- des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be
+		  used as a stream cipher and using triple DES.
+enc_read.c	- des_enc_read() source.
+enc_writ.c	- des_enc_write() source.
+pcbc_enc.c	- des_pcbc_encrypt() source.
+qud_cksm.c	- quad_cksum() source.
+rand_key.c	- des_random_key() source.
+read_pwd.c	- Source for des_read_password() plus related functions.
+set_key.c	- Source for des_set_key().
+str2key.c	- Covert a string of any length into a key.
+fcrypt.c	- A small, fast version of crypt(3).
+des_locl.h	- Internal libdes.a header file.
+podd.h		- Odd parity tables - used in des_set_key().
+sk.h		- Lookup tables used in des_set_key().
+spr.h		- What is left of the S tables - used in ecb_encrypt().
+des_ver.h	- header file for the external definition of the
+		  version string.
+des.doc		- SSLeay documentation for the library.
+
+/* The perl scripts - you can ignore these files they are only
+ * included for the curious */
+des.pl		- des in perl anyone? des_set_key and des_ecb_encrypt
+		  both done in a perl library.
+testdes.pl	- Testing program for des.pl
+doIP		- Perl script used to develop IP xor/shift code.
+doPC1		- Perl script used to develop PC1 xor/shift code.
+doPC2		- Generates sk.h.
+PC1		- Output of doPC1 should be the same as output from PC1.
+PC2		- used in development of doPC2.
+shifts.pl	- Perl library used by my perl scripts.
+
+/* I started making a perl5 dynamic library for libdes
+ * but did not fully finish, these files are part of that effort. */
+DES.pm
+DES.pod
+DES.xs
+t
+typemap
+
+/* The following are for use with sun RPC implementaions. */
+rpc_des.h
+rpc_enc.c
+
+/* The following are contibuted by Mark Murray <mark@grondar.za>.  They
+ * are not normally built into libdes due to machine specific routines
+ * contained in them.  They are for use in the most recent incarnation of
+ * export kerberos v 4 (eBones). */
+supp.c
+new_rkey.c
+
+
diff --git a/crypto/openssl/crypto/des/INSTALL b/crypto/openssl/crypto/des/INSTALL
new file mode 100644
index 0000000..32457d7
--- /dev/null
+++ b/crypto/openssl/crypto/des/INSTALL
@@ -0,0 +1,69 @@
+Check the CC and CFLAGS lines in the makefile
+
+If your C library does not support the times(3) function, change the
+#define TIMES to
+#undef TIMES in speed.c
+If it does, check the HZ value for the times(3) function.
+If your system does not define CLK_TCK it will be assumed to
+be 100.0.
+
+If possible use gcc v 2.7.?
+Turn on the maximum optimising (normally '-O3 -fomit-frame-pointer' for gcc)
+In recent times, some system compilers give better performace.
+
+type 'make'
+
+run './destest' to check things are ok.
+run './rpw' to check the tty code for reading passwords works.
+run './speed' to see how fast those optimisations make the library run :-)
+run './des_opts' to determin the best compile time options.
+
+The output from des_opts should be put in the makefile options and des_enc.c
+should be rebuilt.  For 64 bit computers, do not use the DES_PTR option.
+For the DEC Alpha, edit des.h and change DES_LONG to 'unsigned int'
+and then you can use the 'DES_PTR' option.
+
+The file options.txt has the options listed for best speed on quite a
+few systems.  Look and the options (UNROLL, PTR, RISC2 etc) and then
+turn on the relevent option in the Makefile
+
+There are some special Makefile targets that make life easier.
+make cc		- standard cc build
+make gcc	- standard gcc build
+make x86-elf	- x86 assembler (elf), linux-elf.
+make x86-out	- x86 assembler (a.out), FreeBSD
+make x86-solaris- x86 assembler
+make x86-bsdi	- x86 assembler (a.out with primative assembler).
+
+If at all possible use the assembler (for Windows NT/95, use
+asm/win32.obj to link with).  The x86 assembler is very very fast.
+
+A make install will by default install
+libdes.a      in /usr/local/lib/libdes.a
+des           in /usr/local/bin/des
+des_crypt.man in /usr/local/man/man3/des_crypt.3
+des.man       in /usr/local/man/man1/des.1
+des.h         in /usr/include/des.h
+
+des(1) should be compatible with sunOS's but I have been unable to
+test it.
+
+These routines should compile on MSDOS, most 32bit and 64bit version
+of Unix (BSD and SYSV) and VMS, without modification.
+The only problems should be #include files that are in the wrong places.
+
+These routines can be compiled under MSDOS.
+I have successfully encrypted files using des(1) under MSDOS and then
+decrypted the files on a SparcStation.
+I have been able to compile and test the routines with
+Microsoft C v 5.1 and Turbo C v 2.0.
+The code in this library is in no way optimised for the 16bit
+operation of MSDOS.
+
+When building for glibc, ignore all of the above and just unpack into
+glibc-1.??/des and then gmake as per normal.
+
+As a final note on performace.  Certain CPUs like sparcs and Alpha often give
+a %10 speed difference depending on the link order.  It is rather anoying
+when one program reports 'x' DES encrypts a second and another reports
+'x*0.9' the speed.
diff --git a/crypto/openssl/crypto/des/Imakefile b/crypto/openssl/crypto/des/Imakefile
new file mode 100644
index 0000000..1b9b562
--- /dev/null
+++ b/crypto/openssl/crypto/des/Imakefile
@@ -0,0 +1,35 @@
+# This Imakefile has not been tested for a while but it should still
+# work when placed in the correct directory in the kerberos v 4 distribution
+
+SRCS=   cbc_cksm.c cbc_enc.c ecb_enc.c pcbc_enc.c \
+        qud_cksm.c rand_key.c read_pwd.c set_key.c str2key.c \
+        enc_read.c enc_writ.c fcrypt.c cfb_enc.c \
+	ecb3_enc.c ofb_enc.c ofb64enc.c
+
+OBJS=   cbc_cksm.o cbc_enc.o ecb_enc.o pcbc_enc.o \
+	qud_cksm.o rand_key.o read_pwd.o set_key.o str2key.o \
+	enc_read.o enc_writ.o fcrypt.o cfb_enc.o \
+	ecb3_enc.o ofb_enc.o ofb64enc.o
+
+GENERAL=COPYRIGHT FILES INSTALL Imakefile README VERSION makefile times \
+	vms.com KERBEROS
+DES=    des.c des.man
+TESTING=destest.c speed.c rpw.c
+LIBDES= des_crypt.man des.h des_locl.h podd.h sk.h spr.h
+
+PERL=   des.pl testdes.pl doIP doPC1 doPC2 PC1 PC2 shifts.pl
+
+CODE=    $(GENERAL) $(DES) $(TESTING) $(SRCS) $(LIBDES) $(PERL)
+
+SRCDIR=$(SRCTOP)/lib/des
+
+DBG= -O
+INCLUDE= -I$(SRCDIR)
+CC= cc
+
+library_obj_rule()
+
+install_library_target(des,$(OBJS),$(SRCS),)
+
+test(destest,libdes.a,)
+test(rpw,libdes.a,)
diff --git a/crypto/openssl/crypto/des/KERBEROS b/crypto/openssl/crypto/des/KERBEROS
new file mode 100644
index 0000000..f401b10
--- /dev/null
+++ b/crypto/openssl/crypto/des/KERBEROS
@@ -0,0 +1,41 @@
+ [ This is an old file, I don't know if it is true anymore
+   but I will leave the file here - eay 21/11/95 ]
+
+To use this library with Bones (kerberos without DES):
+1) Get my modified Bones - eBones.  It can be found on
+   gondwana.ecr.mu.oz.au (128.250.1.63) /pub/athena/eBones-p9.tar.Z
+   and
+   nic.funet.fi (128.214.6.100) /pub/unix/security/Kerberos/eBones-p9.tar.Z
+
+2) Unpack this library in src/lib/des, makeing sure it is version
+   3.00 or greater (libdes.tar.93-10-07.Z).  This versions differences
+   from the version in comp.sources.misc volume 29 patchlevel2.
+   The primarily difference is that it should compile under kerberos :-).
+   It can be found at.
+   ftp.psy.uq.oz.au (130.102.32.1) /pub/DES/libdes.tar.93-10-07.Z
+
+Now do a normal kerberos build and things should work.
+
+One problem I found when I was build on my local sun.
+---
+For sunOS 4.1.1 apply the following patch to src/util/ss/make_commands.c
+
+*** make_commands.c.orig	Fri Jul  3 04:18:35 1987
+--- make_commands.c	Wed May 20 08:47:42 1992
+***************
+*** 98,104 ****
+       if (!rename(o_file, z_file)) {
+  	  if (!vfork()) {
+  	       chdir("/tmp");
+! 	       execl("/bin/ld", "ld", "-o", o_file+5, "-s", "-r", "-n",
+  		     z_file+5, 0);
+  	       perror("/bin/ld");
+  	       _exit(1);
+--- 98,104 ----
+       if (!rename(o_file, z_file)) {
+  	  if (!vfork()) {
+  	       chdir("/tmp");
+! 	       execl("/bin/ld", "ld", "-o", o_file+5, "-s", "-r",
+  		     z_file+5, 0);
+  	       perror("/bin/ld");
+  	       _exit(1);
diff --git a/crypto/openssl/crypto/des/MODES.DES b/crypto/openssl/crypto/des/MODES.DES
new file mode 100644
index 0000000..0cbc44f
--- /dev/null
+++ b/crypto/openssl/crypto/des/MODES.DES
@@ -0,0 +1,84 @@
+Modes of DES
+Quite a bit of the following information has been taken from
+	AS 2805.5.2
+	Australian Standard
+	Electronic funds transfer - Requirements for interfaces,
+	Part 5.2: Modes of operation for an n-bit block cipher algorithm
+	Appendix A
+
+There are several different modes in which DES can be used, they are
+as follows.
+
+Electronic Codebook Mode (ECB) (des_ecb_encrypt())
+- 64 bits are enciphered at a time.
+- The order of the blocks can be rearranged without detection.
+- The same plaintext block always produces the same ciphertext block
+  (for the same key) making it vulnerable to a 'dictionary attack'.
+- An error will only affect one ciphertext block.
+
+Cipher Block Chaining Mode (CBC) (des_cbc_encrypt())
+- a multiple of 64 bits are enciphered at a time.
+- The CBC mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext blocks dependent on the
+  current and all preceding plaintext blocks and therefore blocks can not
+  be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- An error will affect the current and the following ciphertext blocks.
+
+Cipher Feedback Mode (CFB) (des_cfb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The CFB mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext variables dependent on the
+  current and all preceding variables and therefore j-bit variables are
+  chained together and con not be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- The strength of the CFB mode depends on the size of k (maximal if
+  j == k).  In my implementation this is always the case.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- An error will affect the current and the following ciphertext variables.
+
+Output Feedback Mode (OFB) (des_ofb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The OFB mode produces the same ciphertext whenever the same
+  plaintext enciphered using the same key and starting variable.  More
+  over, in the OFB mode the same key stream is produced when the same
+  key and start variable are used.  Consequently, for security reasons
+  a specific start variable should be used only once for a given key.
+- The absence of chaining makes the OFB more vulnerable to specific attacks.
+- The use of different start variables values prevents the same
+  plaintext enciphering to the same ciphertext, by producing different
+  key streams.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- OFB mode of operation does not extend ciphertext errors in the
+  resultant plaintext output.  Every bit error in the ciphertext causes
+  only one bit to be in error in the deciphered plaintext.
+- OFB mode is not self-synchronising.  If the two operation of
+  encipherment and decipherment get out of synchronism, the system needs
+  to be re-initialised.
+- Each re-initialisation should use a value of the start variable
+different from the start variable values used before with the same
+key.  The reason for this is that an identical bit stream would be
+produced each time from the same parameters.  This would be
+susceptible to a 'known plaintext' attack.
+
+Triple ECB Mode (des_ecb3_encrypt())
+- Encrypt with key1, decrypt with key2 and encrypt with key1 again.
+- As for ECB encryption but increases the effective key length to 112 bits.
+- If both keys are the same it is equivalent to encrypting once with
+  just one key.
+
+Triple CBC Mode (des_3cbc_encrypt())
+- Encrypt with key1, decrypt with key2 and encrypt with key1 again.
+- As for CBC encryption but increases the effective key length to 112 bits.
+- If both keys are the same it is equivalent to encrypting once with
+  just one key.
diff --git a/crypto/openssl/crypto/des/Makefile.PL b/crypto/openssl/crypto/des/Makefile.PL
new file mode 100644
index 0000000..b54a243
--- /dev/null
+++ b/crypto/openssl/crypto/des/Makefile.PL
@@ -0,0 +1,14 @@
+use ExtUtils::MakeMaker;
+# See lib/ExtUtils/MakeMaker.pm for details of how to influence
+# the contents of the Makefile being created.
+&writeMakefile(
+	'potential_libs' => '',   # e.g., '-lm' 
+	'INC' => '',     # e.g., '-I/usr/include/other' 
+	'DISTNAME' => 'DES',
+	'VERSION' => '0.1',
+	'DEFINE' => '-DPERL5',
+	'OBJECT' => 'DES.o cbc_cksm.o cbc_enc.o ecb_enc.o pcbc_enc.o \
+	rand_key.o set_key.o str2key.o \
+	enc_read.o enc_writ.o fcrypt.o cfb_enc.o \
+	ecb3_enc.o ofb_enc.o cbc3_enc.o des_enc.o',
+	);
diff --git a/crypto/openssl/crypto/des/Makefile.lit b/crypto/openssl/crypto/des/Makefile.lit
new file mode 100644
index 0000000..c09f696
--- /dev/null
+++ b/crypto/openssl/crypto/des/Makefile.lit
@@ -0,0 +1,250 @@
+# You must select the correct terminal control system to be used to
+# turn character echo off when reading passwords.  There a 5 systems
+# SGTTY   - the old BSD system
+# TERMIO  - most system V boxes
+# TERMIOS - SGI (ala IRIX).
+# VMS     - the DEC operating system
+# MSDOS   - we all know what it is :-)
+# read_pwd.c makes a reasonable guess at what is correct.
+
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+# If you are on a DEC Alpha, edit des.h and change the DES_LONG
+# define to 'unsigned int'.  I have seen this give a %20 speedup.
+
+OPTS0= -DLIBDES_LIT -DRAND -DTERMIO #-DNOCONST
+
+# Version 1.94 has changed the strings_to_key function so that it is
+# now compatible with MITs when the string is longer than 8 characters.
+# If you wish to keep the old version, uncomment the following line.
+# This will affect the -E/-D options on des(1).
+#OPTS1= -DOLD_STR_TO_KEY
+
+# There are 4 possible performance options
+# -DDES_PTR
+# -DDES_RISC1
+# -DDES_RISC2 (only one of DES_RISC1 and DES_RISC2)
+# -DDES_UNROLL
+# after the initial build, run 'des_opts' to see which options are best
+# for your platform.  There are some listed in options.txt
+#OPTS2= -DDES_PTR 
+#OPTS3= -DDES_RISC1 # or DES_RISC2
+#OPTS4= -DDES_UNROLL
+
+OPTS= $(OPTS0) $(OPTS1) $(OPTS2) $(OPTS3) $(OPTS4)
+
+MAKE=make -f Makefile
+#CC=cc
+#CFLAG= -O
+
+CC=gcc
+#CFLAG= -O4 -funroll-loops -fomit-frame-pointer
+CFLAG= -O3 -fomit-frame-pointer
+
+CFLAGS=$(OPTS) $(CFLAG)
+CPP=$(CC) -E
+AS=as
+
+# Assember version of des_encrypt*().
+DES_ENC=des_enc.o fcrypt_b.o		# normal C version
+#DES_ENC=asm/dx86-elf.o	asm/yx86-elf.o	# elf format x86
+#DES_ENC=asm/dx86-out.o	asm/yx86-out.o	# a.out format x86
+#DES_ENC=asm/dx86-sol.o	asm/yx86-sol.o	# solaris format x86 
+#DES_ENC=asm/dx86bsdi.o	asm/yx86basi.o	# bsdi format x86 
+
+LIBDIR=/usr/local/lib
+BINDIR=/usr/local/bin
+INCDIR=/usr/local/include
+MANDIR=/usr/local/man
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+OBJ_LIT=cbc_enc.o ecb_enc.o $(DES_ENC) fcrypt.o set_key.o
+OBJ_FULL=cbc_cksm.o $(OBJ_LIT) pcbc_enc.o \
+	xcbc_enc.o qud_cksm.o \
+	cfb64ede.o cfb64enc.o cfb_enc.o ecb3_enc.o \
+	enc_read.o enc_writ.o ofb64ede.o ofb64enc.o ofb_enc.o  \
+	rand_key.o read_pwd.o read2pwd.o rpc_enc.o  str2key.o supp.o
+
+GENERAL_LIT=COPYRIGHT INSTALL README VERSION Makefile des_crypt.man \
+	des.doc options.txt asm
+GENERAL_FULL=$(GENERAL_LIT) FILES Imakefile times vms.com KERBEROS MODES.DES \
+	des.man DES.pm DES.pod DES.xs Makefile.PL dess.cpp des3s.cpp \
+	Makefile.uni typemap t Makefile.ssl makefile.bc Makefile.lit \
+	des.org des_locl.org
+TESTING_LIT=	destest speed des_opts
+TESTING_FULL=	rpw $(TESTING_LIT)
+TESTING_SRC_LIT=destest.c speed.c des_opts.c
+TESTING_SRC_FULL=rpw.c $(TESTING_SRC_LIT)
+HEADERS_LIT=des_ver.h des.h des_locl.h podd.h sk.h spr.h
+HEADERS_FULL= $(HEADERS_LIT) rpc_des.h
+LIBDES_LIT=cbc_enc.c ecb_enc.c fcrypt.c set_key.c des_enc.c fcrypt_b.c
+LIBDES_FULL= cbc_cksm.c pcbc_enc.c qud_cksm.c \
+	cfb64ede.c cfb64enc.c cfb_enc.c ecb3_enc.c \
+	enc_read.c enc_writ.c ofb64ede.c ofb64enc.c ofb_enc.c  \
+	rand_key.c rpc_enc.c  str2key.c  supp.c \
+	xcbc_enc.c $(LIBDES_LIT) read_pwd.c read2pwd.c
+
+PERL=	des.pl testdes.pl doIP doPC1 doPC2 PC1 PC2 shifts.pl
+
+OBJ=	$(OBJ_LIT)
+GENERAL=$(GENERAL_LIT)
+TESTING=$(TESTING_LIT)
+TESTING_SRC=$(TESTING_SRC_LIT)
+HEADERS=$(HEADERS_LIT)
+LIBDES=	$(LIBDES_LIT)
+
+ALL=	$(GENERAL) $(TESTING_SRC) $(LIBDES) $(PERL) $(HEADERS)
+
+DLIB=	libdes.a
+
+all: $(DLIB) $(TESTING)
+
+cc:
+	$(MAKE) CC=cc CFLAGS="-O $(OPTS) $(CFLAG)" all
+
+gcc:
+	$(MAKE) CC=gcc CFLAGS="-O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
+
+x86-elf:
+	$(MAKE) DES_ENC='asm/dx86-elf.o asm/yx86-elf.o' CC=$(CC) CFLAGS="-DELF $(OPTS) $(CFLAG)" all
+
+x86-out:
+	$(MAKE) DES_ENC='asm/dx86-out.o asm/yx86-out.o' CC=$(CC) CFLAGS="-DOUT $(OPTS) $(CFLAG)" all
+
+x86-solaris:
+	$(MAKE) DES_ENC='asm/dx86-sol.o asm/yx86-sol.o' CC=$(CC) CFLAGS="-DSOL $(OPTS) $(CFLAG)" all
+
+x86-bsdi:
+	$(MAKE) DES_ENC='asm/dx86bsdi.o asm/yx86bsdi.o' CC=$(CC) CFLAGS="-DBSDI $(OPTS) $(CFLAG)" all
+
+# elf
+asm/dx86-elf.o: asm/dx86unix.cpp
+	$(CPP) -DELF asm/dx86unix.cpp | $(AS) -o asm/dx86-elf.o
+
+asm/yx86-elf.o: asm/yx86unix.cpp
+	$(CPP) -DELF asm/yx86unix.cpp | $(AS) -o asm/yx86-elf.o
+
+# solaris
+asm/dx86-sol.o: asm/dx86unix.cpp
+	$(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
+	as -o asm/dx86-sol.o asm/dx86-sol.s
+	rm -f asm/dx86-sol.s
+
+asm/yx86-sol.o: asm/yx86unix.cpp
+	$(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
+	as -o asm/yx86-sol.o asm/yx86-sol.s
+	rm -f asm/yx86-sol.s
+
+# a.out
+asm/dx86-out.o: asm/dx86unix.cpp
+	$(CPP) -DOUT asm/dx86unix.cpp | $(AS) -o asm/dx86-out.o
+
+asm/yx86-out.o: asm/yx86unix.cpp
+	$(CPP) -DOUT asm/yx86unix.cpp | $(AS) -o asm/yx86-out.o
+
+# bsdi
+asm/dx86bsdi.o: asm/dx86unix.cpp
+	$(CPP) -DBSDI asm/dx86unix.cpp | $(AS) -o asm/dx86bsdi.o
+
+asm/yx86bsdi.o: asm/yx86unix.cpp
+	$(CPP) -DBSDI asm/yx86unix.cpp | $(AS) -o asm/yx86bsdi.o
+
+asm/dx86unix.cpp:
+	(cd asm; perl des-586.pl cpp >dx86unix.cpp)
+
+asm/yx86unix.cpp:
+	(cd asm; perl crypt586.pl cpp >yx86unix.cpp)
+
+test:	all
+	./destest
+
+$(DLIB): $(OBJ)
+	/bin/rm -f $(DLIB)
+	ar cr $(DLIB) $(OBJ)
+	-if test -s /bin/ranlib; then /bin/ranlib $(DLIB); \
+	else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(DLIB); \
+	else exit 0; fi; fi
+
+des_opts: des_opts.o $(DLIB)
+	$(CC) $(CFLAGS) -o des_opts des_opts.o $(DLIB)
+
+destest: destest.o $(DLIB)
+	$(CC) $(CFLAGS) -o destest destest.o $(DLIB)
+
+rpw: rpw.o $(DLIB)
+	$(CC) $(CFLAGS) -o rpw rpw.o $(DLIB)
+
+speed: speed.o $(DLIB)
+	$(CC) $(CFLAGS) -o speed speed.o $(DLIB)
+
+des: des.o $(DLIB)
+	$(CC) $(CFLAGS) -o des des.o $(DLIB)
+
+tags:
+	ctags $(TESTING_SRC) $(LIBDES)
+
+tar_lit:
+	/bin/mv Makefile Makefile.tmp
+	/bin/cp Makefile.lit Makefile
+	tar chf libdes-l.tar $(LIBDES_LIT) $(HEADERS_LIT) \
+		$(GENERAL_LIT) $(TESTING_SRC_LIT)
+	/bin/rm -f Makefile
+	/bin/mv Makefile.tmp Makefile
+
+tar:
+	tar chf libdes.tar $(ALL)
+
+shar:
+	shar $(ALL) >libdes.shar
+
+depend:
+	makedepend $(LIBDES) $(TESTING_SRC)
+
+clean:
+	/bin/rm -f *.o tags core $(TESTING) $(DLIB) .nfs* *.old *.bak asm/*.o 
+
+dclean:
+	sed -e '/^# DO NOT DELETE THIS LINE/ q' Makefile >Makefile.new
+	mv -f Makefile.new Makefile
+
+# Eric is probably going to choke when he next looks at this --tjh
+install:
+	if test $(INSTALLTOP); then \
+	    echo SSL style install; \
+	    cp $(DLIB) $(INSTALLTOP)/lib; \
+	    if test -s /bin/ranlib; then \
+	        /bin/ranlib $(INSTALLTOP)/lib/$(DLIB); \
+	    else \
+		if test -s /usr/bin/ranlib; then \
+		/usr/bin/ranlib $(INSTALLTOP)/lib/$(DLIB); \
+	    fi; fi; \
+	    chmod 644 $(INSTALLTOP)/lib/$(DLIB); \
+	    cp des.h $(INSTALLTOP)/include; \
+	    chmod 644 $(INSTALLTOP)/include/des.h; \
+	else \
+	    echo Standalone install; \
+	    cp $(DLIB) $(LIBDIR)/$(DLIB); \
+	    if test -s /bin/ranlib; then \
+	      /bin/ranlib $(LIBDIR)/$(DLIB); \
+	    else \
+	      if test -s /usr/bin/ranlib; then \
+		/usr/bin/ranlib $(LIBDIR)/$(DLIB); \
+	      fi; \
+	    fi; \
+	    chmod 644 $(LIBDIR)/$(DLIB); \
+	    cp des_crypt.man $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
+	    chmod 644 $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
+	    cp des.man $(MANDIR)/man$(MAN1)/des.$(MAN1); \
+	    chmod 644 $(MANDIR)/man$(MAN1)/des.$(MAN1); \
+	    cp des.h $(INCDIR)/des.h; \
+	    chmod 644 $(INCDIR)/des.h; \
+	fi
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/des/Makefile.save b/crypto/openssl/crypto/des/Makefile.save
new file mode 100644
index 0000000..733b83a
--- /dev/null
+++ b/crypto/openssl/crypto/des/Makefile.save
@@ -0,0 +1,206 @@
+#
+# SSLeay/crypto/des/Makefile
+#
+
+DIR=	des
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=-I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+RANLIB=		ranlib
+DES_ENC=	des_enc.o fcrypt_b.o
+# or use
+#DES_ENC=	dx86-elf.o yx86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=destest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	cbc_cksm.c cbc_enc.c  cfb64enc.c cfb_enc.c  \
+	ecb3_enc.c ecb_enc.c  enc_read.c enc_writ.c \
+	fcrypt.c ofb64enc.c ofb_enc.c  pcbc_enc.c \
+	qud_cksm.c rand_key.c read_pwd.c rpc_enc.c  set_key.c  \
+	des_enc.c fcrypt_b.c read2pwd.c \
+	xcbc_enc.c \
+	str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c
+
+LIBOBJ= set_key.o  ecb_enc.o  cbc_enc.o \
+	ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o  ofb64ede.o \
+	enc_read.o enc_writ.o ofb64enc.o \
+	ofb_enc.o  str2key.o  pcbc_enc.o qud_cksm.o rand_key.o \
+	${DES_ENC} read2pwd.o \
+	fcrypt.o xcbc_enc.o read_pwd.o rpc_enc.o  cbc_cksm.o \
+	ede_cbcm_enc.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= des.h
+HEADER=	des_locl.h rpc_des.h spr.h des_ver.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+des: des.o cbc3_enc.o lib
+	$(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
+
+# elf
+asm/dx86-elf.o: asm/dx86unix.cpp
+	$(CPP) -DELF -x c asm/dx86unix.cpp | as -o asm/dx86-elf.o
+
+asm/yx86-elf.o: asm/yx86unix.cpp
+	$(CPP) -DELF -x c asm/yx86unix.cpp | as -o asm/yx86-elf.o
+
+# solaris
+asm/dx86-sol.o: asm/dx86unix.cpp
+	$(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
+	as -o asm/dx86-sol.o asm/dx86-sol.s
+	rm -f asm/dx86-sol.s
+
+asm/yx86-sol.o: asm/yx86unix.cpp
+	$(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
+	as -o asm/yx86-sol.o asm/yx86-sol.s
+	rm -f asm/yx86-sol.s
+
+# a.out
+asm/dx86-out.o: asm/dx86unix.cpp
+	$(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
+
+asm/yx86-out.o: asm/yx86unix.cpp
+	$(CPP) -DOUT asm/yx86unix.cpp | as -o asm/yx86-out.o
+
+# bsdi
+asm/dx86bsdi.o: asm/dx86unix.cpp
+	$(CPP) -DBSDI asm/dx86unix.cpp | sed 's/ :/:/' | as -o asm/dx86bsdi.o
+
+asm/yx86bsdi.o: asm/yx86unix.cpp
+	$(CPP) -DBSDI asm/yx86unix.cpp | sed 's/ :/:/' | as -o asm/yx86bsdi.o
+
+asm/dx86unix.cpp: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) des-586.pl cpp >dx86unix.cpp)
+
+asm/yx86unix.cpp: asm/crypt586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) crypt586.pl cpp >yx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(TOP)/util/point.sh ../../perlasm asm/perlasm
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install: installs
+
+installs:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/dx86unix.cpp asm/yx86unix.cpp *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+cbc_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cbc_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
+cbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h ncbc_enc.c
+cfb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
+cfb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
+cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+des_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+des_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_locl.h ncbc_enc.c
+ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ecb3_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecb_enc.o: des_locl.h spr.h
+ede_cbcm_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ede_cbcm_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+enc_read.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_read.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_read.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_read.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+enc_read.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
+enc_writ.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_writ.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_writ.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_writ.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+enc_writ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+enc_writ.o: ../cryptlib.h des_locl.h
+fcrypt.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+fcrypt.o: ../../include/openssl/opensslconf.h des_locl.h
+fcrypt_b.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+fcrypt_b.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+pcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+pcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
+rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
+read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+read_pwd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+read_pwd.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
+rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
+set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+set_key.o: ../../include/openssl/opensslconf.h des_locl.h podd.h sk.h
+str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+str2key.o: ../../include/openssl/opensslconf.h des_locl.h
+xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl
new file mode 100644
index 0000000..0c253e1
--- /dev/null
+++ b/crypto/openssl/crypto/des/Makefile.ssl
@@ -0,0 +1,206 @@
+#
+# SSLeay/crypto/des/Makefile
+#
+
+DIR=	des
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=-I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+RANLIB=		ranlib
+DES_ENC=	des_enc.o fcrypt_b.o
+# or use
+#DES_ENC=	dx86-elf.o yx86-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=destest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	cbc_cksm.c cbc_enc.c  cfb64enc.c cfb_enc.c  \
+	ecb3_enc.c ecb_enc.c  enc_read.c enc_writ.c \
+	fcrypt.c ofb64enc.c ofb_enc.c  pcbc_enc.c \
+	qud_cksm.c rand_key.c read_pwd.c rpc_enc.c  set_key.c  \
+	des_enc.c fcrypt_b.c read2pwd.c \
+	xcbc_enc.c \
+	str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c
+
+LIBOBJ= set_key.o  ecb_enc.o  cbc_enc.o \
+	ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o  ofb64ede.o \
+	enc_read.o enc_writ.o ofb64enc.o \
+	ofb_enc.o  str2key.o  pcbc_enc.o qud_cksm.o rand_key.o \
+	${DES_ENC} read2pwd.o \
+	fcrypt.o xcbc_enc.o read_pwd.o rpc_enc.o  cbc_cksm.o \
+	ede_cbcm_enc.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= des.h
+HEADER=	des_locl.h rpc_des.h spr.h des_ver.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+des: des.o cbc3_enc.o lib
+	$(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
+
+# elf
+asm/dx86-elf.o: asm/dx86unix.cpp
+	$(CPP) -DELF -x c asm/dx86unix.cpp | as -o asm/dx86-elf.o
+
+asm/yx86-elf.o: asm/yx86unix.cpp
+	$(CPP) -DELF -x c asm/yx86unix.cpp | as -o asm/yx86-elf.o
+
+# solaris
+asm/dx86-sol.o: asm/dx86unix.cpp
+	$(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
+	as -o asm/dx86-sol.o asm/dx86-sol.s
+	rm -f asm/dx86-sol.s
+
+asm/yx86-sol.o: asm/yx86unix.cpp
+	$(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
+	as -o asm/yx86-sol.o asm/yx86-sol.s
+	rm -f asm/yx86-sol.s
+
+# a.out
+asm/dx86-out.o: asm/dx86unix.cpp
+	$(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
+
+asm/yx86-out.o: asm/yx86unix.cpp
+	$(CPP) -DOUT asm/yx86unix.cpp | as -o asm/yx86-out.o
+
+# bsdi
+asm/dx86bsdi.o: asm/dx86unix.cpp
+	$(CPP) -DBSDI asm/dx86unix.cpp | sed 's/ :/:/' | as -o asm/dx86bsdi.o
+
+asm/yx86bsdi.o: asm/yx86unix.cpp
+	$(CPP) -DBSDI asm/yx86unix.cpp | sed 's/ :/:/' | as -o asm/yx86bsdi.o
+
+asm/dx86unix.cpp: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) des-586.pl cpp >dx86unix.cpp)
+
+asm/yx86unix.cpp: asm/crypt586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) crypt586.pl cpp >yx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(TOP)/util/point.sh ../../perlasm asm/perlasm
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install: installs
+
+installs:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/dx86unix.cpp asm/yx86unix.cpp *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+cbc_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cbc_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
+cbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h ncbc_enc.c
+cfb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
+cfb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
+cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+des_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+des_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_locl.h ncbc_enc.c
+ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ecb3_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecb_enc.o: des_locl.h spr.h
+ede_cbcm_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ede_cbcm_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+enc_read.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_read.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_read.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_read.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+enc_read.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
+enc_writ.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_writ.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_writ.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_writ.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+enc_writ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+enc_writ.o: ../cryptlib.h des_locl.h
+fcrypt.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+fcrypt.o: ../../include/openssl/opensslconf.h des_locl.h
+fcrypt_b.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+fcrypt_b.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
+ofb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+ofb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+pcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+pcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
+rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
+read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+read_pwd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+read_pwd.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
+rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
+set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+set_key.o: ../../include/openssl/opensslconf.h des_locl.h
+str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+str2key.o: ../../include/openssl/opensslconf.h des_locl.h
+xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
diff --git a/crypto/openssl/crypto/des/Makefile.uni b/crypto/openssl/crypto/des/Makefile.uni
new file mode 100644
index 0000000..ec19d75
--- /dev/null
+++ b/crypto/openssl/crypto/des/Makefile.uni
@@ -0,0 +1,251 @@
+# You must select the correct terminal control system to be used to
+# turn character echo off when reading passwords.  There a 5 systems
+# SGTTY   - the old BSD system
+# TERMIO  - most system V boxes
+# TERMIOS - SGI (ala IRIX).
+# VMS     - the DEC operating system
+# MSDOS   - we all know what it is :-)
+# read_pwd.c makes a reasonable guess at what is correct.
+
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+# If you are on a DEC Alpha, edit des.h and change the DES_LONG
+# define to 'unsigned int'.  I have seen this give a %20 speedup.
+
+OPTS0= -DRAND -DTERMIO #-DNOCONST
+
+# Version 1.94 has changed the strings_to_key function so that it is
+# now compatible with MITs when the string is longer than 8 characters.
+# If you wish to keep the old version, uncomment the following line.
+# This will affect the -E/-D options on des(1).
+#OPTS1= -DOLD_STR_TO_KEY
+
+# There are 4 possible performance options
+# -DDES_PTR
+# -DDES_RISC1
+# -DDES_RISC2 (only one of DES_RISC1 and DES_RISC2)
+# -DDES_UNROLL
+# after the initial build, run 'des_opts' to see which options are best
+# for your platform.  There are some listed in options.txt
+#OPTS2= -DDES_PTR 
+#OPTS3= -DDES_RISC1 # or DES_RISC2
+#OPTS4= -DDES_UNROLL
+
+OPTS= $(OPTS0) $(OPTS1) $(OPTS2) $(OPTS3) $(OPTS4)
+
+MAKE=make -f Makefile
+#CC=cc
+#CFLAG= -O
+
+CC=gcc
+#CFLAG= -O4 -funroll-loops -fomit-frame-pointer
+CFLAG= -O3 -fomit-frame-pointer
+
+CFLAGS=$(OPTS) $(CFLAG)
+CPP=$(CC) -E
+AS=as
+RANLIB=ranlib
+
+# Assember version of des_encrypt*().
+DES_ENC=des_enc.o fcrypt_b.o		# normal C version
+#DES_ENC=asm/dx86-elf.o	asm/yx86-elf.o	# elf format x86
+#DES_ENC=asm/dx86-out.o	asm/yx86-out.o	# a.out format x86
+#DES_ENC=asm/dx86-sol.o	asm/yx86-sol.o	# solaris format x86 
+#DES_ENC=asm/dx86bsdi.o	asm/yx86basi.o	# bsdi format x86 
+
+LIBDIR=/usr/local/lib
+BINDIR=/usr/local/bin
+INCDIR=/usr/local/include
+MANDIR=/usr/local/man
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+OBJ_LIT=cbc_enc.o ecb_enc.o $(DES_ENC) fcrypt.o set_key.o
+OBJ_FULL=cbc_cksm.o $(OBJ_LIT) pcbc_enc.o \
+	xcbc_enc.o qud_cksm.o cbc3_enc.o \
+	cfb64ede.o cfb64enc.o cfb_enc.o ecb3_enc.o \
+	enc_read.o enc_writ.o ofb64ede.o ofb64enc.o ofb_enc.o  \
+	rand_key.o read_pwd.o read2pwd.o rpc_enc.o  str2key.o supp.o
+
+GENERAL_LIT=COPYRIGHT INSTALL README VERSION Makefile des_crypt.man \
+	des.doc options.txt asm
+GENERAL_FULL=$(GENERAL_LIT) FILES Imakefile times vms.com KERBEROS MODES.DES \
+	des.man DES.pm DES.pod DES.xs Makefile.PL dess.cpp des3s.cpp \
+	Makefile.uni typemap t Makefile.ssl makefile.bc Makefile.lit \
+	des.org des_locl.org
+TESTING_LIT=	destest speed des_opts
+TESTING_FULL=	rpw des $(TESTING_LIT)
+TESTING_SRC_LIT=destest.c speed.c des_opts.c
+TESTING_SRC_FULL=rpw.c des.c $(TESTING_SRC_LIT)
+HEADERS_LIT=des_ver.h des.h des_locl.h podd.h sk.h spr.h
+HEADERS_FULL= $(HEADERS_LIT) rpc_des.h
+LIBDES_LIT=cbc_enc.c ecb_enc.c fcrypt.c set_key.c des_enc.c fcrypt_b.c
+LIBDES_FULL= cbc_cksm.c pcbc_enc.c qud_cksm.c cbc3_enc.c \
+	cfb64ede.c cfb64enc.c cfb_enc.c ecb3_enc.c \
+	enc_read.c enc_writ.c ofb64ede.c ofb64enc.c ofb_enc.c  \
+	rand_key.c rpc_enc.c  str2key.c  supp.c \
+	xcbc_enc.c $(LIBDES_LIT) read_pwd.c read2pwd.c
+
+PERL=	des.pl testdes.pl doIP doPC1 doPC2 PC1 PC2 shifts.pl
+
+OBJ=	$(OBJ_FULL)
+GENERAL=$(GENERAL_FULL)
+TESTING=$(TESTING_FULL)
+TESTING_SRC=$(TESTING_SRC_FULL)
+HEADERS=$(HEADERS_FULL)
+LIBDES=	$(LIBDES_FULL)
+
+ALL=	$(GENERAL) $(TESTING_SRC) $(LIBDES) $(PERL) $(HEADERS)
+
+DLIB=	libdes.a
+
+all: $(DLIB) $(TESTING)
+
+cc:
+	$(MAKE) CC=cc CFLAGS="-O $(OPTS) $(CFLAG)" all
+
+gcc:
+	$(MAKE) CC=gcc CFLAGS="-O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
+
+x86-elf:
+	$(MAKE) DES_ENC='asm/dx86-elf.o asm/yx86-elf.o' CC=$(CC) CFLAGS="-DELF $(OPTS) $(CFLAG)" all
+
+x86-out:
+	$(MAKE) DES_ENC='asm/dx86-out.o asm/yx86-out.o' CC=$(CC) CFLAGS="-DOUT $(OPTS) $(CFLAG)" all
+
+x86-solaris:
+	$(MAKE) DES_ENC='asm/dx86-sol.o asm/yx86-sol.o' CC=$(CC) CFLAGS="-DSOL $(OPTS) $(CFLAG)" all
+
+x86-bsdi:
+	$(MAKE) DES_ENC='asm/dx86bsdi.o asm/yx86bsdi.o' CC=$(CC) CFLAGS="-DBSDI $(OPTS) $(CFLAG)" all
+
+# elf
+asm/dx86-elf.o: asm/dx86unix.cpp
+	$(CPP) -DELF asm/dx86unix.cpp | $(AS) -o asm/dx86-elf.o
+
+asm/yx86-elf.o: asm/yx86unix.cpp
+	$(CPP) -DELF asm/yx86unix.cpp | $(AS) -o asm/yx86-elf.o
+
+# solaris
+asm/dx86-sol.o: asm/dx86unix.cpp
+	$(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
+	as -o asm/dx86-sol.o asm/dx86-sol.s
+	rm -f asm/dx86-sol.s
+
+asm/yx86-sol.o: asm/yx86unix.cpp
+	$(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
+	as -o asm/yx86-sol.o asm/yx86-sol.s
+	rm -f asm/yx86-sol.s
+
+# a.out
+asm/dx86-out.o: asm/dx86unix.cpp
+	$(CPP) -DOUT asm/dx86unix.cpp | $(AS) -o asm/dx86-out.o
+
+asm/yx86-out.o: asm/yx86unix.cpp
+	$(CPP) -DOUT asm/yx86unix.cpp | $(AS) -o asm/yx86-out.o
+
+# bsdi
+asm/dx86bsdi.o: asm/dx86unix.cpp
+	$(CPP) -DBSDI asm/dx86unix.cpp | $(AS) -o asm/dx86bsdi.o
+
+asm/yx86bsdi.o: asm/yx86unix.cpp
+	$(CPP) -DBSDI asm/yx86unix.cpp | $(AS) -o asm/yx86bsdi.o
+
+asm/dx86unix.cpp:
+	(cd asm; perl des-586.pl cpp >dx86unix.cpp)
+
+asm/yx86unix.cpp:
+	(cd asm; perl crypt586.pl cpp >yx86unix.cpp)
+
+test:	all
+	./destest
+
+$(DLIB): $(OBJ)
+	/bin/rm -f $(DLIB)
+	ar cr $(DLIB) $(OBJ)
+	$(RANLIB) $(DLIB)
+
+des_opts: des_opts.o $(DLIB)
+	$(CC) $(CFLAGS) -o des_opts des_opts.o $(DLIB)
+
+destest: destest.o $(DLIB)
+	$(CC) $(CFLAGS) -o destest destest.o $(DLIB)
+
+rpw: rpw.o $(DLIB)
+	$(CC) $(CFLAGS) -o rpw rpw.o $(DLIB)
+
+speed: speed.o $(DLIB)
+	$(CC) $(CFLAGS) -o speed speed.o $(DLIB)
+
+des: des.o $(DLIB)
+	$(CC) $(CFLAGS) -o des des.o $(DLIB)
+
+tags:
+	ctags $(TESTING_SRC) $(LIBDES)
+
+tar_lit:
+	/bin/mv Makefile Makefile.tmp
+	/bin/cp Makefile.lit Makefile
+	for i in $(HEADERS_LIT) $(LIBDES_LIT) $(GENERAL_LIT) $(TESTING_SRC_LIT) ;\
+	do \
+		n="$$n des/$$i"; \
+	done; \
+	( cd .. ; tar chf - $$n )| gzip > libdes-l.tgz
+	/bin/rm -f Makefile
+	/bin/mv Makefile.tmp Makefile
+
+tar:
+	mv Makefile Makefile.tmp
+	/bin/cp Makefile.uni Makefile
+	for i in $(ALL) ;\
+	do \
+		n="$$n des/$$i"; \
+	done; \
+	( cd .. ; tar chf - $$n )| gzip > libdes.tgz
+	/bin/rm -f Makefile
+	/bin/mv Makefile.tmp Makefile
+
+shar:
+	shar $(ALL) >libdes.shar
+
+depend:
+	makedepend $(LIBDES) $(TESTING_SRC)
+
+clean:
+	/bin/rm -f *.o tags core $(TESTING) $(DLIB) .nfs* *.old *.bak asm/*.o 
+
+dclean:
+	sed -e '/^# DO NOT DELETE THIS LINE/ q' Makefile >Makefile.new
+	mv -f Makefile.new Makefile
+
+# Eric is probably going to choke when he next looks at this --tjh
+install: des
+	if test $(INSTALLTOP); then \
+	    echo SSL style install; \
+	    cp $(DLIB) $(INSTALLTOP)/lib; \
+		$(RANLIB) $(DLIB); \
+	    chmod 644 $(INSTALLTOP)/lib/$(DLIB); \
+	    cp des.h $(INSTALLTOP)/include; \
+	    chmod 644 $(INSTALLTOP)/include/des.h; \
+	else \
+	    echo Standalone install; \
+	    cp $(DLIB) $(LIBDIR)/$(DLIB); \
+		$(RANLIB) $(DLIB); \
+	    chmod 644 $(LIBDIR)/$(DLIB); \
+	    cp des $(BINDIR)/des; \
+	    chmod 711 $(BINDIR)/des; \
+	    cp des_crypt.man $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
+	    chmod 644 $(MANDIR)/man$(MAN3)/des_crypt.$(MAN3); \
+	    cp des.man $(MANDIR)/man$(MAN1)/des.$(MAN1); \
+	    chmod 644 $(MANDIR)/man$(MAN1)/des.$(MAN1); \
+	    cp des.h $(INCDIR)/des.h; \
+	    chmod 644 $(INCDIR)/des.h; \
+	fi
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/des/PC1 b/crypto/openssl/crypto/des/PC1
new file mode 100644
index 0000000..efb8348
--- /dev/null
+++ b/crypto/openssl/crypto/des/PC1
@@ -0,0 +1,28 @@
+#!/usr/local/bin/perl
+
+@PC1=(  57,49,41,33,25,17, 9,
+	 1,58,50,42,34,26,18,
+	10, 2,59,51,43,35,27,
+	19,11, 3,60,52,44,36,
+	"-","-","-","-",
+	63,55,47,39,31,23,15,
+	 7,62,54,46,38,30,22,
+	14, 6,61,53,45,37,29,
+	21,13, 5,28,20,12, 4,
+	"-","-","-","-",
+	);
+
+foreach (@PC1)
+	{
+	if ($_ ne "-")
+		{
+		$_--;
+		$_=int($_/8)*8+7-($_%8);
+		printf "%2d  ",$_;
+		}
+	else
+		{ print "--  "; }
+	print "\n" if (((++$i) % 8) == 0);
+	print "\n" if ((($i) % 32) == 0);
+	}
+
diff --git a/crypto/openssl/crypto/des/PC2 b/crypto/openssl/crypto/des/PC2
new file mode 100644
index 0000000..2d56027
--- /dev/null
+++ b/crypto/openssl/crypto/des/PC2
@@ -0,0 +1,57 @@
+#!/usr/local/bin/perl
+
+@PC2_C=(14,17,11,24, 1, 5,
+	 3,28,15, 6,21,10,
+	23,19,12, 4,26, 8,
+	16, 7,27,20,13, 2,
+	);
+
+@PC2_D=(41,52,31,37,47,55,
+	30,40,51,45,33,48,
+	44,49,39,56,34,53,
+	46,42,50,36,29,32,
+	);
+
+foreach (@PC2_C) {
+	if ($_ ne "-")
+		{
+		$_--;
+		printf "%2d  ",$_; }
+	else { print "--  "; }
+	$C{$_}=1;
+	print "\n" if (((++$i) % 8) == 0);
+	}
+$i=0;
+print "\n";
+foreach (@PC2_D) {
+	if ($_ ne "-")
+		{
+		$_-=29;
+		printf "%2d  ",$_; }
+	else { print "--  "; }
+	$D{$_}=1;
+	print "\n" if (((++$i) % 8) == 0); }
+
+print "\n";
+foreach $i (0 .. 27)
+	{
+	$_=$C{$i};
+	if ($_ ne "-") {printf "%2d ",$_;}
+	else { print "--  "; }
+	print "\n" if (((++$i) % 8) == 0);
+	}
+print "\n";
+
+print "\n";
+foreach $i (0 .. 27)
+	{
+	$_=$D{$i};
+	if ($_ ne "-") {printf "%2d  ",$_;}
+	else { print "--  "; }
+	print "\n" if (((++$i) % 8) == 0);
+	}
+print "\n";
+sub numsort
+	{
+	$a-$b;
+	}
diff --git a/crypto/openssl/crypto/des/README b/crypto/openssl/crypto/des/README
new file mode 100644
index 0000000..621a5ab
--- /dev/null
+++ b/crypto/openssl/crypto/des/README
@@ -0,0 +1,54 @@
+
+		libdes, Version 4.01 10-Jan-97
+
+		Copyright (c) 1997, Eric Young
+			  All rights reserved.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms specified in COPYRIGHT.
+    
+--
+The primary ftp site for this library is
+ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-x.xx.tar.gz
+libdes is now also shipped with SSLeay.  Primary ftp site of
+ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.x.x.tar.gz
+
+The best way to build this library is to build it as part of SSLeay.
+
+This kit builds a DES encryption library and a DES encryption program.
+It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc, triple ofb,
+triple cfb, desx, and MIT's pcbc encryption modes and also has a fast
+implementation of crypt(3).
+It contains support routines to read keys from a terminal,
+generate a random key, generate a key from an arbitrary length string,
+read/write encrypted data from/to a file descriptor.
+
+The implementation was written so as to conform with the manual entry
+for the des_crypt(3) library routines from MIT's project Athena.
+
+destest should be run after compilation to test the des routines.
+rpw should be run after compilation to test the read password routines.
+The des program is a replacement for the sun des command.  I believe it
+conforms to the sun version.
+
+The Imakefile is setup for use in the kerberos distribution.
+
+These routines are best compiled with gcc or any other good
+optimising compiler.
+Just turn you optimiser up to the highest settings and run destest
+after the build to make sure everything works.
+
+I believe these routines are close to the fastest and most portable DES
+routines that use small lookup tables (4.5k) that are publicly available.
+The fcrypt routine is faster than ufc's fcrypt (when compiling with
+gcc2 -O2) on the sparc 2 (1410 vs 1270) but is not so good on other machines
+(on a sun3/260 168 vs 336).  It is a function of CPU on chip cache size.
+[ 10-Jan-97 and a function of an incorrect speed testing program in
+  ufc which gave much better test figures that reality ].
+
+It is worth noting that on sparc and Alpha CPUs, performance of the DES
+library can vary by upto %10 due to the positioning of files after application
+linkage.
+
+Eric Young (eay@cryptsoft.com)
+
diff --git a/crypto/openssl/crypto/des/VERSION b/crypto/openssl/crypto/des/VERSION
new file mode 100644
index 0000000..c7d0154
--- /dev/null
+++ b/crypto/openssl/crypto/des/VERSION
@@ -0,0 +1,412 @@
+	Fixed the weak key values which were wrong :-(
+	Defining SIGACTION causes sigaction() to be used instead of signal().
+	SIGUSR1/SIGUSR2 are no longer mapped in the read tty stuff because it
+	can cause problems.  This should hopefully not affect normal
+	applications.
+
+Version 4.04
+	Fixed a few tests in destest.  Also added x86 assember for
+	des_ncbc_encrypt() which is the standard cbc mode function.
+	This makes a very very large performace difference.
+	Ariel Glenn ariel@columbia.edu reports that the terminal
+	'turn echo off' can return (errno == EINVAL) under solaris
+	when redirection is used.  So I now catch that as well as ENOTTY.
+
+
+Version 4.03
+	Left a static out of enc_write.c, which caused to buffer to be
+	continiously malloc()ed.  Does anyone use these functions?  I keep
+	on feeling like removing them since I only had these in there
+	for a version of kerberised login.  Anyway, this was pointed out
+	by Theo de Raadt <deraadt@cvs.openbsd.org>
+	The 'n' bit ofb code was wrong, it was not shifting the shift
+	register. It worked correctly for n == 64.  Thanks to
+	Gigi Ankeny <Gigi.Ankeny@Eng.Sun.COM> for pointing this one out.
+
+Version 4.02
+	I was doing 'if (memcmp(weak_keys[i],key,sizeof(key)) == 0)'
+	when checking for weak keys which is wrong :-(, pointed out by
+	Markus F.X.J. Oberhumer <markus.oberhumer@jk.uni-linz.ac.at>.
+
+Version 4.01
+	Even faster inner loop in the DES assembler for x86 and a modification
+	for IP/FP which is faster on x86.  Both of these changes are
+	from Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  His
+	changes make the assembler run %40 faster on a pentium.  This is just
+	a case of getting the instruction sequence 'just right'.
+	All credit to 'Svend' :-)
+	Quite a few special x86 'make' targets.
+	A libdes-l (lite) distribution.
+
+Version 4.00
+	After a bit of a pause, I'll up the major version number since this
+	is mostly a performace release.  I've added x86 assembler and
+	added more options for performance.  A %28 speedup for gcc 
+	on a pentium and the assembler is a %50 speedup.
+	MIPS CPU's, sparc and Alpha are the main CPU's with speedups.
+	Run des_opts to work out which options should be used.
+	DES_RISC1/DES_RISC2 use alternative inner loops which use
+	more registers but should give speedups on any CPU that does
+	dual issue (pentium).  DES_UNROLL unrolls the inner loop,
+	which costs in code size.
+
+Version 3.26
+	I've finally removed one of the shifts in D_ENCRYPT.  This
+	meant I've changed the des_SPtrans table (spr.h), the set_key()
+	function and some things in des_enc.c.  This has definitly
+	made things faster :-).  I've known about this one for some
+	time but I've been too lazy to follow it up :-).
+	Noticed that in the D_ENCRYPT() macro, we can just do L^=(..)^(..)^..
+	instead of L^=((..)|(..)|(..)..  This should save a register at
+	least.
+	Assember for x86.  The file to replace is des_enc.c, which is replaced
+	by one of the assembler files found in asm.  Look at des/asm/readme
+	for more info.
+
+	/* Modification to fcrypt so it can be compiled to support
+	HPUX 10.x's long password format, define -DLONGCRYPT to use this.
+	Thanks to Jens Kupferschmidt <bt1cu@hpboot.rz.uni-leipzig.de>. */
+
+	SIGWINCH case put in des_read_passwd() so the function does not
+	'exit' if this function is recieved.
+
+Version 3.25 17/07/96
+	Modified read_pwd.c so that stdin can be read if not a tty.
+	Thanks to Jeff Barber <jeffb@issl.atl.hp.com> for the patches.
+	des_init_random_number_generator() shortened due to VMS linker
+	limits.
+	Added RSA's DESX cbc mode.  It is a form of cbc encryption, with 2
+	8 byte quantites xored before and after encryption.
+	des_xcbc_encryption() - the name is funny to preserve the des_
+	prefix on all functions.
+
+Version 3.24 20/04/96
+	The DES_PTR macro option checked and used by SSLeay configuration
+
+Version 3.23 11/04/96
+	Added DES_LONG.  If defined to 'unsigned int' on the DEC Alpha,
+	it gives a %20 speedup :-)
+	Fixed the problem with des.pl under perl5.  The patches were
+	sent by Ed Kubaitis (ejk@uiuc.edu).
+	if fcrypt.c, changed values to handle illegal salt values the way
+	normal crypt() implementations do.  Some programs apparently use
+	them :-(. The patch was sent by Bjorn Gronvall <bg@sics.se>
+
+Version 3.22 29/11/95
+	Bug in des(1), an error with the uuencoding stuff when the
+	'data' is small, thanks to Geoff Keating <keagchon@mehta.anu.edu.au>
+	for the patch.
+
+Version 3.21 22/11/95
+	After some emailing back and forth with 
+	Colin Plumb <colin@nyx10.cs.du.edu>, I've tweaked a few things
+	and in a future version I will probably put in some of the
+	optimisation he suggested for use with the DES_USE_PTR option.
+	Extra routines from Mark Murray <mark@grondar.za> for use in
+	freeBSD.  They mostly involve random number generation for use
+	with kerberos.  They involve evil machine specific system calls
+	etc so I would normally suggest pushing this stuff into the
+	application and/or using RAND_seed()/RAND_bytes() if you are
+	using this DES library as part of SSLeay.
+	Redone the read_pw() function so that it is cleaner and
+	supports termios, thanks to Sameer Parekh <sameer@c2.org>
+	for the initial patches for this.
+	Renamed 3ecb_encrypt() to ecb3_encrypt().  This has been
+	 done just to make things more consistent.
+	I have also now added triple DES versions of cfb and ofb.
+
+Version 3.20
+	Damn, Damn, Damn, as pointed out by Mike_Spreitzer.PARC@xerox.com,
+	my des_random_seed() function was only copying 4 bytes of the
+	passed seed into the init structure.  It is now fixed to copy 8.
+	My own suggestion is to used something like MD5 :-)
+
+Version 3.19 
+	While looking at my code one day, I though, why do I keep on
+	calling des_encrypt(in,out,ks,enc) when every function that
+	calls it has in and out the same.  So I dropped the 'out'
+	parameter, people should not be using this function.
+
+Version 3.18 30/08/95
+	Fixed a few bit with the distribution and the filenames.
+	3.17 had been munged via a move to DOS and back again.
+	NO CODE CHANGES
+
+Version 3.17 14/07/95
+	Fixed ede3 cbc which I had broken in 3.16.  I have also
+	removed some unneeded variables in 7-8 of the routines.
+
+Version 3.16 26/06/95
+	Added des_encrypt2() which does not use IP/FP, used by triple
+	des routines.  Tweaked things a bit elsewhere. %13 speedup on
+	sparc and %6 on a R4400 for ede3 cbc mode.
+
+Version 3.15 06/06/95
+	Added des_ncbc_encrypt(), it is des_cbc mode except that it is
+	'normal' and copies the new iv value back over the top of the
+	passed parameter.
+	CHANGED des_ede3_cbc_encrypt() so that it too now overwrites
+	the iv.  THIS WILL BREAK EXISTING CODE, but since this function
+	only new, I feel I can change it, not so with des_cbc_encrypt :-(.
+	I need to update the documentation.
+
+Version 3.14 31/05/95
+	New release upon the world, as part of my SSL implementation.
+	New copyright and usage stuff.  Basically free for all to use
+	as long as you say it came from me :-)
+
+Version 3.13 31/05/95
+	A fix in speed.c, if HZ is not defined, I set it to 100.0
+	which is reasonable for most unixes except SunOS 4.x.
+	I now have a #ifdef sun but timing for SunOS 4.x looked very
+	good :-(.  At my last job where I used SunOS 4.x, it was
+	defined to be 60.0 (look at the old INSTALL documentation), at
+	the last release had it changed to 100.0 since I now work with
+	Solaris2 and SVR4 boxes.
+	Thanks to  Rory Chisholm <rchishol@math.ethz.ch> for pointing this
+	one out.
+
+Version 3.12 08/05/95
+	As pointed out by The Crypt Keeper <tck@bend.UCSD.EDU>,
+	my D_ENCRYPT macro in crypt() had an un-necessary variable.
+	It has been removed.
+
+Version 3.11 03/05/95
+	Added des_ede3_cbc_encrypt() which is cbc mode des with 3 keys
+	and one iv.  It is a standard and I needed it for my SSL code.
+	It makes more sense to use this for triple DES than
+	3cbc_encrypt().  I have also added (or should I say tested :-)
+	cfb64_encrypt() which is cfb64 but it will encrypt a partial
+	number of bytes - 3 bytes in 3 bytes out.  Again this is for
+	my SSL library, as a form of encryption to use with SSL
+	telnet.
+
+Version 3.10 22/03/95
+	Fixed a bug in 3cbc_encrypt() :-(.  When making repeated calls
+	to cbc3_encrypt, the 2 iv values that were being returned to
+	be used in the next call were reversed :-(.
+	Many thanks to Bill Wade <wade@Stoner.COM> for pointing out
+	this error.
+
+Version 3.09 01/02/95
+	Fixed des_random_key to far more random, it was rather feeble
+	with regards to picking the initial seed.  The problem was
+	pointed out by Olaf Kirch <okir@monad.swb.de>.
+
+Version 3.08 14/12/94
+	Added Makefile.PL so libdes can be built into perl5.
+	Changed des_locl.h so RAND is always defined.
+
+Version 3.07 05/12/94
+	Added GNUmake and stuff so the library can be build with
+	glibc.
+
+Version 3.06 30/08/94
+	Added rpc_enc.c which contains _des_crypt.  This is for use in
+	secure_rpc v 4.0
+	Finally fixed the cfb_enc problems.
+	Fixed a few parameter parsing bugs in des (-3 and -b), thanks
+	to Rob McMillan <R.McMillan@its.gu.edu.au>
+
+Version 3.05 21/04/94
+	for unsigned long l; gcc does not produce ((l>>34) == 0)
+	This causes bugs in cfb_enc.
+	Thanks to Hadmut Danisch <danisch@ira.uka.de>
+
+Version 3.04 20/04/94
+	Added a version number to des.c and libdes.a
+
+Version 3.03 12/01/94
+	Fixed a bug in non zero iv in 3cbc_enc.
+
+Version 3.02 29/10/93
+	I now work in a place where there are 6+ architectures and 14+
+	OS versions :-).
+	Fixed TERMIO definition so the most sys V boxes will work :-)
+
+Release upon comp.sources.misc
+Version 3.01 08/10/93
+	Added des_3cbc_encrypt()
+
+Version 3.00 07/10/93
+	Fixed up documentation.
+	quad_cksum definitely compatible with MIT's now.
+
+Version 2.30 24/08/93
+	Triple DES now defaults to triple cbc but can do triple ecb
+	 with the -b flag.
+	Fixed some MSDOS uuen/uudecoding problems, thanks to
+	Added prototypes.
+	
+Version 2.22 29/06/93
+	Fixed a bug in des_is_weak_key() which stopped it working :-(
+	thanks to engineering@MorningStar.Com.
+
+Version 2.21 03/06/93
+	des(1) with no arguments gives quite a bit of help.
+	Added -c (generate ckecksum) flag to des(1).
+	Added -3 (triple DES) flag to des(1).
+	Added cfb and ofb routines to the library.
+
+Version 2.20 11/03/93
+	Added -u (uuencode) flag to des(1).
+	I have been playing with byte order in quad_cksum to make it
+	 compatible with MIT's version.  All I can say is avid this
+	 function if possible since MIT's output is endian dependent.
+
+Version 2.12 14/10/92
+	Added MSDOS specific macro in ecb_encrypt which gives a %70
+	 speed up when the code is compiled with turbo C.
+
+Version 2.11 12/10/92
+	Speedup in set_key (recoding of PC-1)
+	 I now do it in 47 simple operations, down from 60.
+	 Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+	 for motivating me to look for a faster system :-)
+	 The speedup is probably less that 1% but it is still 13
+	 instructions less :-).
+
+Version 2.10 06/10/92
+	The code now works on the 64bit ETA10 and CRAY without modifications or
+	 #defines.  I believe the code should work on any machine that
+	 defines long, int or short to be 8 bytes long.
+	Thanks to Shabbir J. Safdar (shabby@mentor.cc.purdue.edu)
+	 for helping me fix the code to run on 64bit machines (he had
+	 access to an ETA10).
+	Thanks also to John Fletcher <john_fletcher@lccmail.ocf.llnl.gov>
+	 for testing the routines on a CRAY.
+	read_password.c has been renamed to read_passwd.c
+	string_to_key.c has been renamed to string2key.c
+
+Version 2.00 14/09/92
+	Made mods so that the library should work on 64bit CPU's.
+	Removed all my uchar and ulong defs.  To many different
+	 versions of unix define them in their header files in too many
+	 different combinations :-)
+	IRIX - Sillicon Graphics mods (mostly in read_password.c).
+	 Thanks to Andrew Daviel (advax@erich.triumf.ca)
+
+Version 1.99 26/08/92
+	Fixed a bug or 2 in enc_read.c
+	Fixed a bug in enc_write.c
+	Fixed a pseudo bug in fcrypt.c (very obscure).
+
+Version 1.98 31/07/92
+	Support for the ETA10.  This is a strange machine that defines
+	longs and ints as 8 bytes and shorts as 4 bytes.
+	Since I do evil things with long * that assume that they are 4
+	bytes.  Look in the Makefile for the option to compile for
+	this machine.  quad_cksum appears to have problems but I
+	will don't have the time to fix it right now, and this is not
+	a function that uses DES and so will not effect the main uses
+	of the library.
+
+Version 1.97 20/05/92 eay
+	Fixed the Imakefile and made some changes to des.h to fix some
+	problems when building this package with Kerberos v 4.
+
+Version 1.96 18/05/92 eay
+	Fixed a small bug in string_to_key() where problems could
+	occur if des_check_key was set to true and the string
+	generated a weak key.
+
+Patch2 posted to comp.sources.misc
+Version 1.95 13/05/92 eay
+	Added an alternative version of the D_ENCRYPT macro in
+	ecb_encrypt and fcrypt.  Depending on the compiler, one version or the
+	other will be faster.  This was inspired by 
+	Dana How <how@isl.stanford.edu>, and her pointers about doing the
+	*(ulong *)((uchar *)ptr+(value&0xfc))
+	vs
+	ptr[value&0x3f]
+	to stop the C compiler doing a <<2 to convert the long array index.
+
+Version 1.94 05/05/92 eay
+	Fixed an incompatibility between my string_to_key and the MIT
+	 version.  When the key is longer than 8 chars, I was wrapping
+	 with a different method.  To use the old version, define
+	 OLD_STR_TO_KEY in the makefile.  Thanks to
+	 viktor@newsu.shearson.com (Viktor Dukhovni).
+
+Version 1.93 28/04/92 eay
+	Fixed the VMS mods so that echo is now turned off in
+	 read_password.  Thanks again to brennan@coco.cchs.su.oz.AU.
+	MSDOS support added.  The routines can be compiled with
+	 Turbo C (v2.0) and MSC (v5.1).  Make sure MSDOS is defined.
+
+Patch1 posted to comp.sources.misc
+Version 1.92 13/04/92 eay
+	Changed D_ENCRYPT so that the rotation of R occurs outside of
+	 the loop.  This required rotating all the longs in sp.h (now
+	 called spr.h). Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	speed.c has been changed so it will work without SIGALRM.  If
+	 times(3) is not present it will try to use ftime() instead.
+
+Version 1.91 08/04/92 eay
+	Added -E/-D options to des(1) so it can use string_to_key.
+	Added SVR4 mods suggested by witr@rwwa.COM
+	Added VMS mods suggested by brennan@coco.cchs.su.oz.AU.  If
+	anyone knows how to turn of tty echo in VMS please tell me or
+	implement it yourself :-).
+	Changed FILE *IN/*OUT to *DES_IN/*DES_OUT since it appears VMS
+	does not like IN/OUT being used.
+
+Libdes posted to comp.sources.misc
+Version 1.9 24/03/92 eay
+	Now contains a fast small crypt replacement.
+	Added des(1) command.
+	Added des_rw_mode so people can use cbc encryption with
+	enc_read and enc_write.
+
+Version 1.8 15/10/91 eay
+	Bug in cbc_cksum.
+	Many thanks to Keith Reynolds (keithr@sco.COM) for pointing this
+	one out.
+
+Version 1.7 24/09/91 eay
+	Fixed set_key :-)
+	set_key is 4 times faster and takes less space.
+	There are a few minor changes that could be made.
+
+Version 1.6 19/09/1991 eay
+	Finally go IP and FP finished.
+	Now I need to fix set_key.
+	This version is quite a bit faster that 1.51
+
+Version 1.52 15/06/1991 eay
+	20% speedup in ecb_encrypt by changing the E bit selection
+	to use 2 32bit words.  This also required modification of the
+	sp table.  There is still a way to speedup the IP and IP-1
+	(hints from outer@sq.com) still working on this one :-(.
+
+Version 1.51 07/06/1991 eay
+	Faster des_encrypt by loop unrolling
+	Fixed bug in quad_cksum.c (thanks to hughes@logos.ucs.indiana.edu)
+
+Version 1.50 28/05/1991 eay
+	Optimised the code a bit more for the sparc.  I have improved the
+	speed of the inner des_encrypt by speeding up the initial and
+	final permutations.
+
+Version 1.40 23/10/1990 eay
+	Fixed des_random_key, it did not produce a random key :-(
+
+Version 1.30  2/10/1990 eay
+	Have made des_quad_cksum the same as MIT's, the full package
+	should be compatible with MIT's
+	Have tested on a DECstation 3100
+	Still need to fix des_set_key (make it faster).
+	Does des_cbc_encrypts at 70.5k/sec on a 3100.
+
+Version 1.20 18/09/1990 eay
+	Fixed byte order dependencies.
+	Fixed (I hope) all the word alignment problems.
+	Speedup in des_ecb_encrypt.
+
+Version 1.10 11/09/1990 eay
+	Added des_enc_read and des_enc_write.
+	Still need to fix des_quad_cksum.
+	Still need to document des_enc_read and des_enc_write.
+
+Version 1.00 27/08/1990 eay
+
diff --git a/crypto/openssl/crypto/des/asm/crypt586.pl b/crypto/openssl/crypto/des/asm/crypt586.pl
new file mode 100644
index 0000000..197c413
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/crypt586.pl
@@ -0,0 +1,204 @@
+#!/usr/local/bin/perl
+#
+# The inner loop instruction sequence and the IP/FP modifications are from
+# Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+# I've added the stuff needed for crypt() but I've not worried about making
+# things perfect.
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"crypt586.pl");
+
+$L="edi";
+$R="esi";
+
+&external_label("des_SPtrans");
+&fcrypt_body("fcrypt_body");
+&asm_finish();
+
+sub fcrypt_body
+	{
+	local($name,$do_ip)=@_;
+
+	&function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+
+	&comment("");
+	&comment("Load the 2 words");
+	$ks="ebp";
+
+	&xor(	$L,	$L);
+	&xor(	$R,	$R);
+	&mov($ks,&wparam(1));
+
+	&push(&DWC(25)); # add a variable
+
+	&set_label("start");
+	for ($i=0; $i<16; $i+=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+
+		&comment("");
+		&comment("Round ".sprintf("%d",$i+1));
+		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		}
+	 &mov("ebx",	&swtmp(0));
+	&mov("eax",	$L);
+	 &dec("ebx");
+	&mov($L,	$R);
+	 &mov($R,	"eax");
+	&mov(&swtmp(0),	"ebx");
+	 &jnz(&label("start"));
+
+	&comment("");
+	&comment("FP");
+	&mov("edx",&wparam(0));
+
+	&FP_new($R,$L,"eax",3);
+	&mov(&DWP(0,"edx","",0),"eax");
+	&mov(&DWP(4,"edx","",0),$L);
+
+	&pop("ecx");	# remove variable
+
+	&function_end($name);
+	}
+
+sub D_ENCRYPT
+	{
+	local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+
+	&mov(	$u,		&wparam(2));			# 2
+	&mov(	$t,		$R);
+	&shr(	$t,		16);				# 1
+	&mov(	$tmp2,		&wparam(3));			# 2
+	&xor(	$t,		$R);				# 1
+
+	&and(	$u,		$t);				# 2
+	&and(	$t,		$tmp2);				# 2
+
+	&mov(	$tmp1,		$u);
+	&shl(	$tmp1,		16); 				# 1
+	&mov(	$tmp2,		$t);
+	&shl(	$tmp2,		16); 				# 1
+	&xor(	$u,		$tmp1);				# 2
+	&xor(	$t,		$tmp2);				# 2
+	&mov(	$tmp1,		&DWP(&n2a($S*4),$ks,"",0));	# 2
+	&xor(	$u,		$tmp1);
+	&mov(	$tmp2,		&DWP(&n2a(($S+1)*4),$ks,"",0));	# 2
+	&xor(	$u,		$R);
+	&xor(	$t,		$R);
+	&xor(	$t,		$tmp2);
+
+	&and(	$u,		"0xfcfcfcfc"	);		# 2
+	&xor(	$tmp1,		$tmp1);				# 1
+	&and(	$t,		"0xcfcfcfcf"	);		# 2
+	&xor(	$tmp2,		$tmp2);	
+	&movb(	&LB($tmp1),	&LB($u)	);
+	&movb(	&LB($tmp2),	&HB($u)	);
+	&rotr(	$t,		4		);
+	&mov(	$ks,		&DWP("      $desSP",$tmp1,"",0));
+	&movb(	&LB($tmp1),	&LB($t)	);
+	&xor(	$L,		$ks);
+	&mov(	$ks,		&DWP("0x200+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks);
+	&movb(	&LB($tmp2),	&HB($t)	);
+	&shr(	$u,		16);
+	&mov(	$ks,		&DWP("0x100+$desSP",$tmp1,"",0));
+	&xor(	$L,		$ks); 
+	&movb(	&LB($tmp1),	&HB($u)	);
+	&shr(	$t,		16);
+	&mov(	$ks,		&DWP("0x300+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks);
+	&mov(	$ks,		&wparam(1));
+	&movb(	&LB($tmp2),	&HB($t)	);
+	&and(	$u,		"0xff"	);
+	&and(	$t,		"0xff"	);
+	&mov(	$tmp1,		&DWP("0x600+$desSP",$tmp1,"",0));
+	&xor(	$L,		$tmp1);
+	&mov(	$tmp1,		&DWP("0x700+$desSP",$tmp2,"",0));
+	&xor(	$L,		$tmp1);
+	&mov(	$tmp1,		&DWP("0x400+$desSP",$u,"",0));
+	&xor(	$L,		$tmp1);
+	&mov(	$tmp1,		&DWP("0x500+$desSP",$t,"",0));
+	&xor(	$L,		$tmp1);
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
+
+# now has a side affect of rotating $a by $shift
+sub R_PERM_OP
+	{
+	local($a,$b,$tt,$shift,$mask,$last)=@_;
+
+	&rotl(	$a,		$shift		) if ($shift != 0);
+	&mov(	$tt,		$a		);
+	&xor(	$a,		$b		);
+	&and(	$a,		$mask		);
+	if ($notlast eq $b)
+		{
+		&xor(	$b,		$a		);
+		&xor(	$tt,		$a		);
+		}
+	else
+		{
+		&xor(	$tt,		$a		);
+		&xor(	$b,		$a		);
+		}
+	&comment("");
+	}
+
+sub IP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	&R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
+	&R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
+	&R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
+	
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotr($tt,	3-$lr); }
+		else	{ &rotl($tt,	$lr-3); }
+		}
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotr($r,	2-$lr); }
+		else	{ &rotl($r,	$lr-2); }
+		}
+	}
+
+sub FP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotl($r,	2-$lr); }
+		else	{ &rotr($r,	$lr-2); }
+		}
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotl($l,	3-$lr); }
+		else	{ &rotr($l,	$lr-3); }
+		}
+
+	&R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
+	&R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
+	&R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
+	&rotr($tt	, 4);
+	}
+
diff --git a/crypto/openssl/crypto/des/asm/des-586.pl b/crypto/openssl/crypto/des/asm/des-586.pl
new file mode 100644
index 0000000..f054071
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/des-586.pl
@@ -0,0 +1,253 @@
+#!/usr/local/bin/perl
+#
+# The inner loop instruction sequence and the IP/FP modifications are from
+# Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+require "desboth.pl";
+
+# base code is in microsft
+# op dest, source
+# format.
+#
+
+&asm_init($ARGV[0],"des-586.pl");
+
+$L="edi";
+$R="esi";
+
+&external_label("des_SPtrans");
+&des_encrypt("des_encrypt",1);
+&des_encrypt("des_encrypt2",0);
+&des_encrypt3("des_encrypt3",1);
+&des_encrypt3("des_decrypt3",0);
+&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
+&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
+
+&asm_finish();
+
+sub des_encrypt
+	{
+	local($name,$do_ip)=@_;
+
+	&function_begin_B($name,"EXTRN   _des_SPtrans:DWORD");
+
+	&push("esi");
+	&push("edi");
+
+	&comment("");
+	&comment("Load the 2 words");
+	$ks="ebp";
+
+	if ($do_ip)
+		{
+		&mov($R,&wparam(0));
+		 &xor(	"ecx",		"ecx"		);
+
+		&push("ebx");
+		&push("ebp");
+
+		&mov("eax",&DWP(0,$R,"",0));
+		 &mov("ebx",&wparam(2));	# get encrypt flag
+		&mov($L,&DWP(4,$R,"",0));
+		&comment("");
+		&comment("IP");
+		&IP_new("eax",$L,$R,3);
+		}
+	else
+		{
+		&mov("eax",&wparam(0));
+		 &xor(	"ecx",		"ecx"		);
+
+		&push("ebx");
+		&push("ebp");
+
+		&mov($R,&DWP(0,"eax","",0));
+		 &mov("ebx",&wparam(2));	# get encrypt flag
+		&rotl($R,3);
+		&mov($L,&DWP(4,"eax","",0));
+		&rotl($L,3);
+		}
+
+	&mov(	$ks,		&wparam(1)	);
+	&cmp("ebx","0");
+	&je(&label("start_decrypt"));
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+
+		&comment("");
+		&comment("Round ".sprintf("%d",$i+1));
+		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		}
+	&jmp(&label("end"));
+
+	&set_label("start_decrypt");
+
+	for ($i=15; $i>0; $i-=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&comment("");
+		&comment("Round ".sprintf("%d",$i-1));
+		&D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		}
+
+	&set_label("end");
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("FP");
+		&mov("edx",&wparam(0));
+		&FP_new($L,$R,"eax",3);
+
+		&mov(&DWP(0,"edx","",0),"eax");
+		&mov(&DWP(4,"edx","",0),$R);
+		}
+	else
+		{
+		&comment("");
+		&comment("Fixup");
+		&rotr($L,3);		# r
+		 &mov("eax",&wparam(0));
+		&rotr($R,3);		# l
+		 &mov(&DWP(0,"eax","",0),$L);
+		 &mov(&DWP(4,"eax","",0),$R);
+		}
+
+	&pop("ebp");
+	&pop("ebx");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+
+	&function_end_B($name);
+	}
+
+sub D_ENCRYPT
+	{
+	local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+
+	 &mov(	$u,		&DWP(&n2a($S*4),$ks,"",0));
+	&xor(	$tmp1,		$tmp1);
+	 &mov(	$t,		&DWP(&n2a(($S+1)*4),$ks,"",0));
+	&xor(	$u,		$R);
+	 &xor(	$t,		$R);
+	&and(	$u,		"0xfcfcfcfc"	);
+	 &and(	$t,		"0xcfcfcfcf"	);
+	&movb(	&LB($tmp1),	&LB($u)	);
+	 &movb(	&LB($tmp2),	&HB($u)	);
+	&rotr(	$t,		4		);
+	&mov(	$ks,		&DWP("      $desSP",$tmp1,"",0));
+	 &movb(	&LB($tmp1),	&LB($t)	);
+	&xor(	$L,		$ks);
+	 &mov(	$ks,		&DWP("0x200+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks); ######
+	 &movb(	&LB($tmp2),	&HB($t)	);
+	&shr(	$u,		16);
+	 &mov(	$ks,		&DWP("0x100+$desSP",$tmp1,"",0));
+	&xor(	$L,		$ks); ######
+	 &movb(	&LB($tmp1),	&HB($u)	);
+	&shr(	$t,		16);
+	 &mov(	$ks,		&DWP("0x300+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks);
+	 &mov(	$ks,		&wparam(1)	);
+	&movb(	&LB($tmp2),	&HB($t)	);
+	 &and(	$u,		"0xff"	);
+	&and(	$t,		"0xff"	);
+	 &mov(	$tmp1,		&DWP("0x600+$desSP",$tmp1,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x700+$desSP",$tmp2,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x400+$desSP",$u,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x500+$desSP",$t,"",0));
+	&xor(	$L,		$tmp1);
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
+
+# now has a side affect of rotating $a by $shift
+sub R_PERM_OP
+	{
+	local($a,$b,$tt,$shift,$mask,$last)=@_;
+
+	&rotl(	$a,		$shift		) if ($shift != 0);
+	&mov(	$tt,		$a		);
+	&xor(	$a,		$b		);
+	&and(	$a,		$mask		);
+	# This can never succeed, and besides it is difficult to see what the
+	# idea was - Ben 13 Feb 99
+	if (!$last eq $b)
+		{
+		&xor(	$b,		$a		);
+		&xor(	$tt,		$a		);
+		}
+	else
+		{
+		&xor(	$tt,		$a		);
+		&xor(	$b,		$a		);
+		}
+	&comment("");
+	}
+
+sub IP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	&R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
+	&R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
+	&R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
+	
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotr($tt,	3-$lr); }
+		else	{ &rotl($tt,	$lr-3); }
+		}
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotr($r,	2-$lr); }
+		else	{ &rotl($r,	$lr-2); }
+		}
+	}
+
+sub FP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotl($r,	2-$lr); }
+		else	{ &rotr($r,	$lr-2); }
+		}
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotl($l,	3-$lr); }
+		else	{ &rotr($l,	$lr-3); }
+		}
+
+	&R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
+	&R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
+	&R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
+	&rotr($tt	, 4);
+	}
+
diff --git a/crypto/openssl/crypto/des/asm/des686.pl b/crypto/openssl/crypto/des/asm/des686.pl
new file mode 100644
index 0000000..77dc5b5
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/des686.pl
@@ -0,0 +1,230 @@
+#!/usr/local/bin/perl
+
+$prog="des686.pl";
+
+# base code is in microsft
+# op dest, source
+# format.
+#
+
+# WILL NOT WORK ANYMORE WITH desboth.pl
+require "desboth.pl";
+
+if (	($ARGV[0] eq "elf"))
+	{ require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "a.out"))
+	{ $aout=1; require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "sol"))
+	{ $sol=1; require "x86unix.pl"; }
+elsif ( ($ARGV[0] eq "cpp"))
+	{ $cpp=1; require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "win32"))
+	{ require "x86ms.pl"; }
+else
+	{
+	print STDERR <<"EOF";
+Pick one target type from
+	elf	- linux, FreeBSD etc
+	a.out	- old linux
+	sol	- x86 solaris
+	cpp	- format so x86unix.cpp can be used
+	win32	- Windows 95/Windows NT
+EOF
+	exit(1);
+	}
+
+&comment("Don't even think of reading this code");
+&comment("It was automatically generated by $prog");
+&comment("Which is a perl program used to generate the x86 assember for");
+&comment("any of elf, a.out, Win32, or Solaris");
+&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+");
+&comment("eric <eay\@cryptsoft.com>");
+&comment("");
+
+&file("dx86xxxx");
+
+$L="edi";
+$R="esi";
+
+&des_encrypt("des_encrypt",1);
+&des_encrypt("des_encrypt2",0);
+
+&des_encrypt3("des_encrypt3",1);
+&des_encrypt3("des_decrypt3",0);
+
+&file_end();
+
+sub des_encrypt
+	{
+	local($name,$do_ip)=@_;
+
+	&function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+
+	&comment("");
+	&comment("Load the 2 words");
+	&mov("eax",&wparam(0));
+	&mov($L,&DWP(0,"eax","",0));
+	&mov($R,&DWP(4,"eax","",0));
+
+	$ksp=&wparam(1);
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("IP");
+		&IP_new($L,$R,"eax");
+		}
+
+	&comment("");
+	&comment("fixup rotate");
+	&rotl($R,3);
+	&rotl($L,3);
+	&exch($L,$R);
+
+	&comment("");
+	&comment("load counter, key_schedule and enc flag");
+	&mov("eax",&wparam(2));	# get encrypt flag
+	&mov("ebp",&wparam(1));	# get ks
+	&cmp("eax","0");
+	&je(&label("start_decrypt"));
+
+	# encrypting part
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+
+		&comment("");
+		&comment("Round ".sprintf("%d",$i+1));
+		&D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		}
+	&jmp(&label("end"));
+
+	&set_label("start_decrypt");
+
+	for ($i=15; $i>0; $i-=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&comment("");
+		&comment("Round ".sprintf("%d",$i-1));
+		&D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		}
+
+	&set_label("end");
+
+	&comment("");
+	&comment("Fixup");
+	&rotr($L,3);		# r
+	&rotr($R,3);		# l
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("FP");
+		&FP_new($R,$L,"eax");
+		}
+
+	&mov("eax",&wparam(0));
+	&mov(&DWP(0,"eax","",0),$L);
+	&mov(&DWP(4,"eax","",0),$R);
+
+	&function_end($name);
+	}
+
+
+# The logic is to load R into 2 registers and operate on both at the same time.
+# We also load the 2 R's into 2 more registers so we can do the 'move word down a byte'
+# while also masking the other copy and doing a lookup.  We then also accumulate the
+# L value in 2 registers then combine them at the end.
+sub D_ENCRYPT
+	{
+	local($L,$R,$S,$ks,$desSP,$u,$t,$tmp1,$tmp2,$tmp3)=@_;
+
+	&mov(	$u,		&DWP(&n2a($S*4),$ks,"",0));
+	&mov(	$t,		&DWP(&n2a(($S+1)*4),$ks,"",0));
+	&xor(	$u,		$R		);
+	&xor(	$t,		$R		);
+	&rotr(	$t,		4		);
+
+	# the numbers at the end of the line are origional instruction order
+	&mov(	$tmp2,		$u		);			# 1 2
+	&mov(	$tmp1,		$t		);			# 1 1
+	&and(	$tmp2,		"0xfc"		);			# 1 4
+	&and(	$tmp1,		"0xfc"		);			# 1 3
+	&shr(	$t,		8		);			# 1 5
+	&xor(	$L,		&DWP("0x100+$desSP",$tmp1,"",0));	# 1 7
+	&shr(	$u,		8		);			# 1 6
+	&mov(	$tmp1,		&DWP("      $desSP",$tmp2,"",0));	# 1 8
+
+	&mov(	$tmp2,		$u		);			# 2 2
+	&xor(	$L,		$tmp1		);			# 1 9
+	&and(	$tmp2,		"0xfc"		);			# 2 4
+	&mov(	$tmp1,		$t		);			# 2 1
+	&and(	$tmp1,		"0xfc"		);			# 2 3
+	&shr(	$t,		8		);			# 2 5
+	&xor(	$L,		&DWP("0x300+$desSP",$tmp1,"",0));	# 2 7
+	&shr(	$u,		8		);			# 2 6
+	&mov(	$tmp1,		&DWP("0x200+$desSP",$tmp2,"",0));	# 2 8
+	&mov(	$tmp2,		$u		);			# 3 2
+
+	&xor(	$L,		$tmp1		);			# 2 9
+	&and(	$tmp2,		"0xfc"		);			# 3 4
+
+	&mov(	$tmp1,		$t		);			# 3 1 
+	&shr(	$u,		8		);			# 3 6
+	&and(	$tmp1,		"0xfc"		);			# 3 3
+	&shr(	$t,		8		);			# 3 5
+	&xor(	$L,		&DWP("0x500+$desSP",$tmp1,"",0));	# 3 7
+	&mov(	$tmp1,		&DWP("0x400+$desSP",$tmp2,"",0));	# 3 8
+
+	&and(	$t,		"0xfc"		);			# 4 1
+	&xor(	$L,		$tmp1		);			# 3 9
+
+	&and(	$u,		"0xfc"		);			# 4 2
+	&xor(	$L,		&DWP("0x700+$desSP",$t,"",0));		# 4 3
+	&xor(	$L,		&DWP("0x600+$desSP",$u,"",0));		# 4 4
+	}
+
+sub PERM_OP
+	{
+	local($a,$b,$tt,$shift,$mask)=@_;
+
+	&mov(	$tt,		$a		);
+	&shr(	$tt,		$shift		);
+	&xor(	$tt,		$b		);
+	&and(	$tt,		$mask		);
+	&xor(	$b,		$tt		);
+	&shl(	$tt,		$shift		);
+	&xor(	$a,		$tt		);
+	}
+
+sub IP_new
+	{
+	local($l,$r,$tt)=@_;
+
+	&PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f");
+	&PERM_OP($l,$r,$tt,16,"0x0000ffff");
+	&PERM_OP($r,$l,$tt, 2,"0x33333333");
+	&PERM_OP($l,$r,$tt, 8,"0x00ff00ff");
+	&PERM_OP($r,$l,$tt, 1,"0x55555555");
+	}
+
+sub FP_new
+	{
+	local($l,$r,$tt)=@_;
+
+	&PERM_OP($l,$r,$tt, 1,"0x55555555");
+        &PERM_OP($r,$l,$tt, 8,"0x00ff00ff");
+        &PERM_OP($l,$r,$tt, 2,"0x33333333");
+        &PERM_OP($r,$l,$tt,16,"0x0000ffff");
+        &PERM_OP($l,$r,$tt, 4,"0x0f0f0f0f");
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
diff --git a/crypto/openssl/crypto/des/asm/desboth.pl b/crypto/openssl/crypto/des/asm/desboth.pl
new file mode 100644
index 0000000..d510641
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/desboth.pl
@@ -0,0 +1,79 @@
+#!/usr/local/bin/perl
+
+$L="edi";
+$R="esi";
+
+sub des_encrypt3
+	{
+	local($name,$enc)=@_;
+
+	&function_begin_B($name,"");
+	&push("ebx");
+	&mov("ebx",&wparam(0));
+
+	&push("ebp");
+	&push("esi");
+
+	&push("edi");
+
+	&comment("");
+	&comment("Load the data words");
+	&mov($L,&DWP(0,"ebx","",0));
+	&mov($R,&DWP(4,"ebx","",0));
+	&stack_push(3);
+
+	&comment("");
+	&comment("IP");
+	&IP_new($L,$R,"edx",0);
+
+	# put them back
+	
+	if ($enc)
+		{
+		&mov(&DWP(4,"ebx","",0),$R);
+		 &mov("eax",&wparam(1));
+		&mov(&DWP(0,"ebx","",0),"edx");
+		 &mov("edi",&wparam(2));
+		 &mov("esi",&wparam(3));
+		}
+	else
+		{
+		&mov(&DWP(4,"ebx","",0),$R);
+		 &mov("esi",&wparam(1));
+		&mov(&DWP(0,"ebx","",0),"edx");
+		 &mov("edi",&wparam(2));
+		 &mov("eax",&wparam(3));
+		}
+	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+	&mov(&swtmp(1),	"eax");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+	&mov(&swtmp(2),	(DWC(($enc)?"0":"1")));
+	&mov(&swtmp(1),	"edi");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+	&mov(&swtmp(2),	(DWC(($enc)?"1":"0")));
+	&mov(&swtmp(1),	"esi");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+
+	&stack_pop(3);
+	&mov($L,&DWP(0,"ebx","",0));
+	&mov($R,&DWP(4,"ebx","",0));
+
+	&comment("");
+	&comment("FP");
+	&FP_new($L,$R,"eax",0);
+
+	&mov(&DWP(0,"ebx","",0),"eax");
+	&mov(&DWP(4,"ebx","",0),$R);
+
+	&pop("edi");
+	&pop("esi");
+	&pop("ebp");
+	&pop("ebx");
+	&ret();
+	&function_end_B($name);
+	}
+
+
diff --git a/crypto/openssl/crypto/des/asm/readme b/crypto/openssl/crypto/des/asm/readme
new file mode 100644
index 0000000..f8529d9
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/readme
@@ -0,0 +1,131 @@
+First up, let me say I don't like writing in assembler.  It is not portable,
+dependant on the particular CPU architecture release and is generally a pig
+to debug and get right.  Having said that, the x86 architecture is probably
+the most important for speed due to number of boxes and since
+it appears to be the worst architecture to to get
+good C compilers for.  So due to this, I have lowered myself to do
+assembler for the inner DES routines in libdes :-).
+
+The file to implement in assembler is des_enc.c.  Replace the following
+4 functions
+des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt);
+des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt);
+des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
+des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
+
+They encrypt/decrypt the 64 bits held in 'data' using
+the 'ks' key schedules.   The only difference between the 4 functions is that
+des_encrypt2() does not perform IP() or FP() on the data (this is an
+optimization for when doing triple DES and des_encrypt3() and des_decrypt3()
+perform triple des.  The triple DES routines are in here because it does
+make a big difference to have them located near the des_encrypt2 function
+at link time..
+
+Now as we all know, there are lots of different operating systems running on
+x86 boxes, and unfortunately they normally try to make sure their assembler
+formating is not the same as the other peoples.
+The 4 main formats I know of are
+Microsoft	Windows 95/Windows NT
+Elf		Includes Linux and FreeBSD(?).
+a.out		The older Linux.
+Solaris		Same as Elf but different comments :-(.
+
+Now I was not overly keen to write 4 different copies of the same code,
+so I wrote a few perl routines to output the correct assembler, given
+a target assembler type.  This code is ugly and is just a hack.
+The libraries are x86unix.pl and x86ms.pl.
+des586.pl, des686.pl and des-som[23].pl are the programs to actually
+generate the assembler.
+
+So to generate elf assembler
+perl des-som3.pl elf >dx86-elf.s
+For Windows 95/NT
+perl des-som2.pl win32 >win32.asm
+
+[ update 4 Jan 1996 ]
+I have added another way to do things.
+perl des-som3.pl cpp >dx86-cpp.s
+generates a file that will be included by dx86unix.cpp when it is compiled.
+To build for elf, a.out, solaris, bsdi etc,
+cc -E -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o
+cc -E -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o
+cc -E -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
+cc -E -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o
+This was done to cut down the number of files in the distribution.
+
+Now the ugly part.  I acquired my copy of Intels
+"Optimization's For Intel's 32-Bit Processors" and found a few interesting
+things.  First, the aim of the exersize is to 'extract' one byte at a time
+from a word and do an array lookup.  This involves getting the byte from
+the 4 locations in the word and moving it to a new word and doing the lookup.
+The most obvious way to do this is
+xor	eax,	eax				# clear word
+movb	al,	cl				# get low byte
+xor	edi	DWORD PTR 0x100+des_SP[eax] 	# xor in word
+movb	al,	ch				# get next byte
+xor	edi	DWORD PTR 0x300+des_SP[eax] 	# xor in word
+shr	ecx	16
+which seems ok.  For the pentium, this system appears to be the best.
+One has to do instruction interleaving to keep both functional units
+operating, but it is basically very efficient.
+
+Now the crunch.  When a full register is used after a partial write, eg.
+mov	al,	cl
+xor	edi,	DWORD PTR 0x100+des_SP[eax]
+386	- 1 cycle stall
+486	- 1 cycle stall
+586	- 0 cycle stall
+686	- at least 7 cycle stall (page 22 of the above mentioned document).
+
+So the technique that produces the best results on a pentium, according to
+the documentation, will produce hideous results on a pentium pro.
+
+To get around this, des686.pl will generate code that is not as fast on
+a pentium, should be very good on a pentium pro.
+mov	eax,	ecx				# copy word 
+shr	ecx,	8				# line up next byte
+and	eax,	0fch				# mask byte
+xor	edi	DWORD PTR 0x100+des_SP[eax] 	# xor in array lookup
+mov	eax,	ecx				# get word
+shr	ecx	8				# line up next byte
+and	eax,	0fch				# mask byte
+xor	edi	DWORD PTR 0x300+des_SP[eax] 	# xor in array lookup
+
+Due to the execution units in the pentium, this actually works quite well.
+For a pentium pro it should be very good.  This is the type of output
+Visual C++ generates.
+
+There is a third option.  instead of using
+mov	al,	ch
+which is bad on the pentium pro, one may be able to use
+movzx	eax,	ch
+which may not incur the partial write penalty.  On the pentium,
+this instruction takes 4 cycles so is not worth using but on the
+pentium pro it appears it may be worth while.  I need access to one to
+experiment :-).
+
+eric (20 Oct 1996)
+
+22 Nov 1996 - I have asked people to run the 2 different version on pentium
+pros and it appears that the intel documentation is wrong.  The
+mov al,bh is still faster on a pentium pro, so just use the des586.pl
+install des686.pl
+
+3 Dec 1996 - I added des_encrypt3/des_decrypt3 because I have moved these
+functions into des_enc.c because it does make a massive performance
+difference on some boxes to have the functions code located close to
+the des_encrypt2() function.
+
+9 Jan 1997 - des-som2.pl is now the correct perl script to use for
+pentiums.  It contains an inner loop from
+Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk> which does raw ecb DES calls at
+273,000 per second.  He had a previous version at 250,000 and the best
+I was able to get was 203,000.  The content has not changed, this is all
+due to instruction sequencing (and actual instructions choice) which is able
+to keep both functional units of the pentium going.
+We may have lost the ugly register usage restrictions when x86 went 32 bit
+but for the pentium it has been replaced by evil instruction ordering tricks.
+
+13 Jan 1997 - des-som3.pl, more optimizations from Svend Olaf.
+raw DES at 281,000 per second on a pentium 100.
+
diff --git a/crypto/openssl/crypto/des/cbc3_enc.c b/crypto/openssl/crypto/des/cbc3_enc.c
new file mode 100644
index 0000000..527e74f
--- /dev/null
+++ b/crypto/openssl/crypto/des/cbc3_enc.c
@@ -0,0 +1,99 @@
+/* crypto/des/cbc3_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* HAS BUGS! DON'T USE - this is only present for use in des.c */
+void des_3cbc_encrypt(des_cblock *input, des_cblock *output, long length,
+	     des_key_schedule ks1, des_key_schedule ks2, des_cblock *iv1,
+	     des_cblock *iv2, int enc)
+	{
+	int off=((int)length-1)/8;
+	long l8=((length+7)/8)*8;
+	des_cblock niv1,niv2;
+
+	if (enc == DES_ENCRYPT)
+		{
+		des_cbc_encrypt((unsigned char*)input,
+				(unsigned char*)output,length,ks1,iv1,enc);
+		if (length >= sizeof(des_cblock))
+			memcpy(niv1,output[off],sizeof(des_cblock));
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks2,iv1,!enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks1,iv2,enc);
+		if (length >= sizeof(des_cblock))
+			memcpy(niv2,output[off],sizeof(des_cblock));
+		}
+	else
+		{
+		if (length >= sizeof(des_cblock))
+			memcpy(niv2,input[off],sizeof(des_cblock));
+		des_cbc_encrypt((unsigned char*)input,
+				(unsigned char*)output,l8,ks1,iv2,enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks2,iv1,!enc);
+		if (length >= sizeof(des_cblock))
+			memcpy(niv1,output[off],sizeof(des_cblock));
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,length,ks1,iv1,enc);
+		}
+	memcpy(*iv1,niv1,sizeof(des_cblock));
+	memcpy(*iv2,niv2,sizeof(des_cblock));
+	}
+
diff --git a/crypto/openssl/crypto/des/cbc_cksm.c b/crypto/openssl/crypto/des/cbc_cksm.c
new file mode 100644
index 0000000..1e543cb
--- /dev/null
+++ b/crypto/openssl/crypto/des/cbc_cksm.c
@@ -0,0 +1,97 @@
+/* crypto/des/cbc_cksm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output,
+		long length,
+		des_key_schedule schedule, const_des_cblock *ivec)
+	{
+	register DES_LONG tout0,tout1,tin0,tin1;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *out = &(*output)[0];
+	const unsigned char *iv = &(*ivec)[0];
+
+	c2l(iv,tout0);
+	c2l(iv,tout1);
+	for (; l>0; l-=8)
+		{
+		if (l >= 8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			}
+		else
+			c2ln(in,tin0,tin1,l);
+			
+		tin0^=tout0; tin[0]=tin0;
+		tin1^=tout1; tin[1]=tin1;
+		des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+		/* fix 15/10/91 eay - thanks to keithr@sco.COM */
+		tout0=tin[0];
+		tout1=tin[1];
+		}
+	if (out != NULL)
+		{
+		l2c(tout0,out);
+		l2c(tout1,out);
+		}
+	tout0=tin0=tin1=tin[0]=tin[1]=0;
+	return(tout1);
+	}
diff --git a/crypto/openssl/crypto/des/cbc_enc.c b/crypto/openssl/crypto/des/cbc_enc.c
new file mode 100644
index 0000000..677903a
--- /dev/null
+++ b/crypto/openssl/crypto/des/cbc_enc.c
@@ -0,0 +1,61 @@
+/* crypto/des/cbc_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define CBC_ENC_C__DONT_UPDATE_IV
+
+#include "ncbc_enc.c" /* des_cbc_encrypt */
diff --git a/crypto/openssl/crypto/des/cfb64ede.c b/crypto/openssl/crypto/des/cfb64ede.c
new file mode 100644
index 0000000..5362a55
--- /dev/null
+++ b/crypto/openssl/crypto/des/cfb64ede.c
@@ -0,0 +1,141 @@
+/* crypto/des/cfb64ede.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+	     long length, des_key_schedule ks1, des_key_schedule ks2,
+	     des_key_schedule ks3, des_cblock *ivec, int *num, int enc)
+	{
+	register DES_LONG v0,v1;
+	register long l=length;
+	register int n= *num;
+	DES_LONG ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=&(*ivec)[0];
+	if (enc)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0);
+				c2l(iv,v1);
+
+				ti[0]=v0;
+				ti[1]=v1;
+				des_encrypt3(ti,ks1,ks2,ks3);
+				v0=ti[0];
+				v1=ti[1];
+
+				iv = &(*ivec)[0];
+				l2c(v0,iv);
+				l2c(v1,iv);
+				iv = &(*ivec)[0];
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0);
+				c2l(iv,v1);
+
+				ti[0]=v0;
+				ti[1]=v1;
+				des_encrypt3(ti,ks1,ks2,ks3);
+				v0=ti[0];
+				v1=ti[1];
+
+				iv = &(*ivec)[0];
+				l2c(v0,iv);
+				l2c(v1,iv);
+				iv = &(*ivec)[0];
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=c=cc=0;
+	*num=n;
+	}
+
+#ifdef undef /* MACRO */
+void des_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     des_key_schedule ks1, des_key_schedule ks2, des_cblock (*ivec),
+	     int *num, int enc)
+	{
+	des_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
+	}
+#endif
diff --git a/crypto/openssl/crypto/des/cfb64enc.c b/crypto/openssl/crypto/des/cfb64enc.c
new file mode 100644
index 0000000..389a232
--- /dev/null
+++ b/crypto/openssl/crypto/des/cfb64enc.c
@@ -0,0 +1,121 @@
+/* crypto/des/cfb64enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+	     long length, des_key_schedule schedule, des_cblock *ivec,
+	     int *num, int enc)
+	{
+	register DES_LONG v0,v1;
+	register long l=length;
+	register int n= *num;
+	DES_LONG ti[2];
+	unsigned char *iv,c,cc;
+
+	iv = &(*ivec)[0];
+	if (enc)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				des_encrypt(ti,schedule,DES_ENCRYPT);
+				iv = &(*ivec)[0];
+				v0=ti[0]; l2c(v0,iv);
+				v0=ti[1]; l2c(v0,iv);
+				iv = &(*ivec)[0];
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				des_encrypt(ti,schedule,DES_ENCRYPT);
+				iv = &(*ivec)[0];
+				v0=ti[0]; l2c(v0,iv);
+				v0=ti[1]; l2c(v0,iv);
+				iv = &(*ivec)[0];
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c
new file mode 100644
index 0000000..cca34dd
--- /dev/null
+++ b/crypto/openssl/crypto/des/cfb_enc.c
@@ -0,0 +1,165 @@
+/* crypto/des/cfb_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output are loaded in multiples of 8 bits.
+ * What this means is that if you hame numbits=12 and length=2
+ * the first 12 bits will be retrieved from the first byte and half
+ * the second.  The second 12 bits will come from the 3rd and half the 4th
+ * byte.
+ */
+void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+	     long length, des_key_schedule schedule, des_cblock *ivec, int enc)
+	{
+	register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
+	register DES_LONG mask0,mask1;
+	register unsigned long l=length;
+	register int num=numbits;
+	DES_LONG ti[2];
+	unsigned char *iv;
+
+	if (num > 64) return;
+	if (num > 32)
+		{
+		mask0=0xffffffffL;
+		if (num == 64)
+			mask1=mask0;
+		else	mask1=(1L<<(num-32))-1;
+		}
+	else
+		{
+		if (num == 32)
+			mask0=0xffffffffL;
+		else	mask0=(1L<<num)-1;
+		mask1=0x00000000L;
+		}
+
+	iv = &(*ivec)[0];
+	c2l(iv,v0);
+	c2l(iv,v1);
+	if (enc)
+		{
+		while (l >= n)
+			{
+			l-=n;
+			ti[0]=v0;
+			ti[1]=v1;
+			des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT);
+			c2ln(in,d0,d1,n);
+			in+=n;
+			d0=(d0^ti[0])&mask0;
+			d1=(d1^ti[1])&mask1;
+			l2cn(d0,d1,out,n);
+			out+=n;
+			/* 30-08-94 - eay - changed because l>>32 and
+			 * l<<32 are bad under gcc :-( */
+			if (num == 32)
+				{ v0=v1; v1=d0; }
+			else if (num == 64)
+				{ v0=d0; v1=d1; }
+			else if (num > 32) /* && num != 64 */
+				{
+				v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
+				v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
+				}
+			else /* num < 32 */
+				{
+				v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
+				v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+				}
+			}
+		}
+	else
+		{
+		while (l >= n)
+			{
+			l-=n;
+			ti[0]=v0;
+			ti[1]=v1;
+			des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT);
+			c2ln(in,d0,d1,n);
+			in+=n;
+			/* 30-08-94 - eay - changed because l>>32 and
+			 * l<<32 are bad under gcc :-( */
+			if (num == 32)
+				{ v0=v1; v1=d0; }
+			else if (num == 64)
+				{ v0=d0; v1=d1; }
+			else if (num > 32) /* && num != 64 */
+				{
+				v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
+				v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
+				}
+			else /* num < 32 */
+				{
+				v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
+				v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+				}
+			d0=(d0^ti[0])&mask0;
+			d1=(d1^ti[1])&mask1;
+			l2cn(d0,d1,out,n);
+			out+=n;
+			}
+		}
+	iv = &(*ivec)[0];
+	l2c(v0,iv);
+	l2c(v1,iv);
+	v0=v1=d0=d1=ti[0]=ti[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/des/des.c b/crypto/openssl/crypto/des/des.c
new file mode 100644
index 0000000..0197489
--- /dev/null
+++ b/crypto/openssl/crypto/des/des.c
@@ -0,0 +1,928 @@
+/* crypto/des/des.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifndef MSDOS
+#ifndef VMS
+#include <openssl/opensslconf.h>
+#include OPENSSL_UNISTD
+#else /* VMS */
+#ifdef __DECC
+#include <unistd.h>
+#else /* not __DECC */
+#include <math.h>
+#endif /* __DECC */
+#endif /* VMS */
+#else /* MSDOS */
+#include <io.h>
+#endif
+
+#include <time.h>
+#include "des_ver.h"
+
+#ifdef VMS
+#include <types.h>
+#include <stat.h>
+#else
+#ifndef _IRIX
+#include <sys/types.h>
+#endif
+#include <sys/stat.h>
+#endif
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+void usage(void);
+void doencryption(void);
+int uufwrite(unsigned char *data, int size, unsigned int num, FILE *fp);
+void uufwriteEnd(FILE *fp);
+int uufread(unsigned char *out,int size,unsigned int num,FILE *fp);
+int uuencode(unsigned char *in,int num,unsigned char *out);
+int uudecode(unsigned char *in,int num,unsigned char *out);
+void des_3cbc_encrypt(des_cblock *input,des_cblock *output,long length,
+	des_key_schedule sk1,des_key_schedule sk2,
+	des_cblock *ivec1,des_cblock *ivec2,int enc);
+#ifdef VMS
+#define EXIT(a) exit(a&0x10000000L)
+#else
+#define EXIT(a) exit(a)
+#endif
+
+#define BUFSIZE (8*1024)
+#define VERIFY  1
+#define KEYSIZ	8
+#define KEYSIZB 1024 /* should hit tty line limit first :-) */
+char key[KEYSIZB+1];
+int do_encrypt,longk=0;
+FILE *DES_IN,*DES_OUT,*CKSUM_OUT;
+char uuname[200];
+unsigned char uubuf[50];
+int uubufnum=0;
+#define INUUBUFN	(45*100)
+#define OUTUUBUF	(65*100)
+unsigned char b[OUTUUBUF];
+unsigned char bb[300];
+des_cblock cksum={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+char cksumname[200]="";
+
+int vflag,cflag,eflag,dflag,kflag,bflag,fflag,sflag,uflag,flag3,hflag,error;
+
+int main(int argc, char **argv)
+	{
+	int i;
+	struct stat ins,outs;
+	char *p;
+	char *in=NULL,*out=NULL;
+
+	vflag=cflag=eflag=dflag=kflag=hflag=bflag=fflag=sflag=uflag=flag3=0;
+	error=0;
+	memset(key,0,sizeof(key));
+
+	for (i=1; i<argc; i++)
+		{
+		p=argv[i];
+		if ((p[0] == '-') && (p[1] != '\0'))
+			{
+			p++;
+			while (*p)
+				{
+				switch (*(p++))
+					{
+				case '3':
+					flag3=1;
+					longk=1;
+					break;
+				case 'c':
+					cflag=1;
+					strncpy(cksumname,p,200);
+					p+=strlen(cksumname);
+					break;
+				case 'C':
+					cflag=1;
+					longk=1;
+					strncpy(cksumname,p,200);
+					p+=strlen(cksumname);
+					break;
+				case 'e':
+					eflag=1;
+					break;
+				case 'v':
+					vflag=1;
+					break;
+				case 'E':
+					eflag=1;
+					longk=1;
+					break;
+				case 'd':
+					dflag=1;
+					break;
+				case 'D':
+					dflag=1;
+					longk=1;
+					break;
+				case 'b':
+					bflag=1;
+					break;
+				case 'f':
+					fflag=1;
+					break;
+				case 's':
+					sflag=1;
+					break;
+				case 'u':
+					uflag=1;
+					strncpy(uuname,p,200);
+					p+=strlen(uuname);
+					break;
+				case 'h':
+					hflag=1;
+					break;
+				case 'k':
+					kflag=1;
+					if ((i+1) == argc)
+						{
+						fputs("must have a key with the -k option\n",stderr);
+						error=1;
+						}
+					else
+						{
+						int j;
+
+						i++;
+						strncpy(key,argv[i],KEYSIZB);
+						for (j=strlen(argv[i])-1; j>=0; j--)
+							argv[i][j]='\0';
+						}
+					break;
+				default:
+					fprintf(stderr,"'%c' unknown flag\n",p[-1]);
+					error=1;
+					break;
+					}
+				}
+			}
+		else
+			{
+			if (in == NULL)
+				in=argv[i];
+			else if (out == NULL)
+				out=argv[i];
+			else
+				error=1;
+			}
+		}
+	if (error) usage();
+	/* We either
+	 * do checksum or
+	 * do encrypt or
+	 * do decrypt or
+	 * do decrypt then ckecksum or
+	 * do checksum then encrypt
+	 */
+	if (((eflag+dflag) == 1) || cflag)
+		{
+		if (eflag) do_encrypt=DES_ENCRYPT;
+		if (dflag) do_encrypt=DES_DECRYPT;
+		}
+	else
+		{
+		if (vflag) 
+			{
+#ifndef _Windows			
+			fprintf(stderr,"des(1) built with %s\n",libdes_version);
+#endif			
+			EXIT(1);
+			}
+		else usage();
+		}
+
+#ifndef _Windows			
+	if (vflag) fprintf(stderr,"des(1) built with %s\n",libdes_version);
+#endif			
+	if (	(in != NULL) &&
+		(out != NULL) &&
+#ifndef MSDOS
+		(stat(in,&ins) != -1) &&
+		(stat(out,&outs) != -1) &&
+		(ins.st_dev == outs.st_dev) &&
+		(ins.st_ino == outs.st_ino))
+#else /* MSDOS */
+		(strcmp(in,out) == 0))
+#endif
+			{
+			fputs("input and output file are the same\n",stderr);
+			EXIT(3);
+			}
+
+	if (!kflag)
+		if (des_read_pw_string(key,KEYSIZB+1,"Enter key:",eflag?VERIFY:0))
+			{
+			fputs("password error\n",stderr);
+			EXIT(2);
+			}
+
+	if (in == NULL)
+		DES_IN=stdin;
+	else if ((DES_IN=fopen(in,"r")) == NULL)
+		{
+		perror("opening input file");
+		EXIT(4);
+		}
+
+	CKSUM_OUT=stdout;
+	if (out == NULL)
+		{
+		DES_OUT=stdout;
+		CKSUM_OUT=stderr;
+		}
+	else if ((DES_OUT=fopen(out,"w")) == NULL)
+		{
+		perror("opening output file");
+		EXIT(5);
+		}
+
+#ifdef MSDOS
+	/* This should set the file to binary mode. */
+	{
+#include <fcntl.h>
+	if (!(uflag && dflag))
+		setmode(fileno(DES_IN),O_BINARY);
+	if (!(uflag && eflag))
+		setmode(fileno(DES_OUT),O_BINARY);
+	}
+#endif
+
+	doencryption();
+	fclose(DES_IN);
+	fclose(DES_OUT);
+	EXIT(0);
+	}
+
+void usage(void)
+	{
+	char **u;
+	static const char *Usage[]={
+"des <options> [input-file [output-file]]",
+"options:",
+"-v         : des(1) version number",
+"-e         : encrypt using SunOS compatible user key to DES key conversion.",
+"-E         : encrypt ",
+"-d         : decrypt using SunOS compatible user key to DES key conversion.",
+"-D         : decrypt ",
+"-c[ckname] : generate a cbc_cksum using SunOS compatible user key to",
+"             DES key conversion and output to ckname (stdout default,",
+"             stderr if data being output on stdout).  The checksum is",
+"             generated before encryption and after decryption if used",
+"             in conjunction with -[eEdD].",
+"-C[ckname] : generate a cbc_cksum as for -c but compatible with -[ED].",
+"-k key     : use key 'key'",
+"-h         : the key that is entered will be a hexadecimal number",
+"             that is used directly as the des key",
+"-u[uuname] : input file is uudecoded if -[dD] or output uuencoded data if -[eE]",
+"             (uuname is the filename to put in the uuencode header).",
+"-b         : encrypt using DES in ecb encryption mode, the default is cbc mode.",
+"-3         : encrypt using triple DES encryption.  This uses 2 keys",
+"             generated from the input key.  If the input key is less",
+"             than 8 characters long, this is equivalent to normal",
+"             encryption.  Default is triple cbc, -b makes it triple ecb.",
+NULL
+};
+	for (u=(char **)Usage; *u; u++)
+		{
+		fputs(*u,stderr);
+		fputc('\n',stderr);
+		}
+
+	EXIT(1);
+	}
+
+void doencryption(void)
+	{
+#ifdef _LIBC
+	extern unsigned long time();
+#endif
+
+	register int i;
+	des_key_schedule ks,ks2;
+	des_cblock iv,iv2;
+	char *p;
+	int num=0,j,k,l,rem,ll,len,last,ex=0;
+	des_cblock kk,k2;
+	FILE *O;
+	int Exit=0;
+#ifndef MSDOS
+	static unsigned char buf[BUFSIZE+8],obuf[BUFSIZE+8];
+#else
+	static unsigned char *buf=NULL,*obuf=NULL;
+
+	if (buf == NULL)
+		{
+		if (    (( buf=Malloc(BUFSIZE+8)) == NULL) ||
+			((obuf=Malloc(BUFSIZE+8)) == NULL))
+			{
+			fputs("Not enough memory\n",stderr);
+			Exit=10;
+			goto problems;
+			}
+		}
+#endif
+
+	if (hflag)
+		{
+		j=(flag3?16:8);
+		p=key;
+		for (i=0; i<j; i++)
+			{
+			k=0;
+			if ((*p <= '9') && (*p >= '0'))
+				k=(*p-'0')<<4;
+			else if ((*p <= 'f') && (*p >= 'a'))
+				k=(*p-'a'+10)<<4;
+			else if ((*p <= 'F') && (*p >= 'A'))
+				k=(*p-'A'+10)<<4;
+			else
+				{
+				fputs("Bad hex key\n",stderr);
+				Exit=9;
+				goto problems;
+				}
+			p++;
+			if ((*p <= '9') && (*p >= '0'))
+				k|=(*p-'0');
+			else if ((*p <= 'f') && (*p >= 'a'))
+				k|=(*p-'a'+10);
+			else if ((*p <= 'F') && (*p >= 'A'))
+				k|=(*p-'A'+10);
+			else
+				{
+				fputs("Bad hex key\n",stderr);
+				Exit=9;
+				goto problems;
+				}
+			p++;
+			if (i < 8)
+				kk[i]=k;
+			else
+				k2[i-8]=k;
+			}
+		des_set_key_unchecked(&k2,ks2);
+		memset(k2,0,sizeof(k2));
+		}
+	else if (longk || flag3)
+		{
+		if (flag3)
+			{
+			des_string_to_2keys(key,&kk,&k2);
+			des_set_key_unchecked(&k2,ks2);
+			memset(k2,0,sizeof(k2));
+			}
+		else
+			des_string_to_key(key,&kk);
+		}
+	else
+		for (i=0; i<KEYSIZ; i++)
+			{
+			l=0;
+			k=key[i];
+			for (j=0; j<8; j++)
+				{
+				if (k&1) l++;
+				k>>=1;
+				}
+			if (l & 1)
+				kk[i]=key[i]&0x7f;
+			else
+				kk[i]=key[i]|0x80;
+			}
+
+	des_set_key_unchecked(&kk,ks);
+	memset(key,0,sizeof(key));
+	memset(kk,0,sizeof(kk));
+	/* woops - A bug that does not showup under unix :-( */
+	memset(iv,0,sizeof(iv));
+	memset(iv2,0,sizeof(iv2));
+
+	l=1;
+	rem=0;
+	/* first read */
+	if (eflag || (!dflag && cflag))
+		{
+		for (;;)
+			{
+			num=l=fread(&(buf[rem]),1,BUFSIZE,DES_IN);
+			l+=rem;
+			num+=rem;
+			if (l < 0)
+				{
+				perror("read error");
+				Exit=6;
+				goto problems;
+				}
+
+			rem=l%8;
+			len=l-rem;
+			if (feof(DES_IN))
+				{
+				for (i=7-rem; i>0; i--)
+					RAND_pseudo_bytes(buf + l++, 1);
+				buf[l++]=rem;
+				ex=1;
+				len+=rem;
+				}
+			else
+				l-=rem;
+
+			if (cflag)
+				{
+				des_cbc_cksum(buf,&cksum,
+					(long)len,ks,&cksum);
+				if (!eflag)
+					{
+					if (feof(DES_IN)) break;
+					else continue;
+					}
+				}
+
+			if (bflag && !flag3)
+				for (i=0; i<l; i+=8)
+					des_ecb_encrypt(
+						(des_cblock *)&(buf[i]),
+						(des_cblock *)&(obuf[i]),
+						ks,do_encrypt);
+			else if (flag3 && bflag)
+				for (i=0; i<l; i+=8)
+					des_ecb2_encrypt(
+						(des_cblock *)&(buf[i]),
+						(des_cblock *)&(obuf[i]),
+						ks,ks2,do_encrypt);
+			else if (flag3 && !bflag)
+				{
+				char tmpbuf[8];
+
+				if (rem) memcpy(tmpbuf,&(buf[l]),
+					(unsigned int)rem);
+				des_3cbc_encrypt(
+					(des_cblock *)buf,(des_cblock *)obuf,
+					(long)l,ks,ks2,&iv,
+					&iv2,do_encrypt);
+				if (rem) memcpy(&(buf[l]),tmpbuf,
+					(unsigned int)rem);
+				}
+			else
+				{
+				des_cbc_encrypt(
+					buf,obuf,
+					(long)l,ks,&iv,do_encrypt);
+				if (l >= 8) memcpy(iv,&(obuf[l-8]),8);
+				}
+			if (rem) memcpy(buf,&(buf[l]),(unsigned int)rem);
+
+			i=0;
+			while (i < l)
+				{
+				if (uflag)
+					j=uufwrite(obuf,1,(unsigned int)l-i,
+						DES_OUT);
+				else
+					j=fwrite(obuf,1,(unsigned int)l-i,
+						DES_OUT);
+				if (j == -1)
+					{
+					perror("Write error");
+					Exit=7;
+					goto problems;
+					}
+				i+=j;
+				}
+			if (feof(DES_IN))
+				{
+				if (uflag) uufwriteEnd(DES_OUT);
+				break;
+				}
+			}
+		}
+	else /* decrypt */
+		{
+		ex=1;
+		for (;;)
+			{
+			if (ex) {
+				if (uflag)
+					l=uufread(buf,1,BUFSIZE,DES_IN);
+				else
+					l=fread(buf,1,BUFSIZE,DES_IN);
+				ex=0;
+				rem=l%8;
+				l-=rem;
+				}
+			if (l < 0)
+				{
+				perror("read error");
+				Exit=6;
+				goto problems;
+				}
+
+			if (bflag && !flag3)
+				for (i=0; i<l; i+=8)
+					des_ecb_encrypt(
+						(des_cblock *)&(buf[i]),
+						(des_cblock *)&(obuf[i]),
+						ks,do_encrypt);
+			else if (flag3 && bflag)
+				for (i=0; i<l; i+=8)
+					des_ecb2_encrypt(
+						(des_cblock *)&(buf[i]),
+						(des_cblock *)&(obuf[i]),
+						ks,ks2,do_encrypt);
+			else if (flag3 && !bflag)
+				{
+				des_3cbc_encrypt(
+					(des_cblock *)buf,(des_cblock *)obuf,
+					(long)l,ks,ks2,&iv,
+					&iv2,do_encrypt);
+				}
+			else
+				{
+				des_cbc_encrypt(
+					buf,obuf,
+				 	(long)l,ks,&iv,do_encrypt);
+				if (l >= 8) memcpy(iv,&(buf[l-8]),8);
+				}
+
+			if (uflag)
+				ll=uufread(&(buf[rem]),1,BUFSIZE,DES_IN);
+			else
+				ll=fread(&(buf[rem]),1,BUFSIZE,DES_IN);
+			ll+=rem;
+			rem=ll%8;
+			ll-=rem;
+			if (feof(DES_IN) && (ll == 0))
+				{
+				last=obuf[l-1];
+
+				if ((last > 7) || (last < 0))
+					{
+					fputs("The file was not decrypted correctly.\n",
+						stderr);
+					Exit=8;
+					last=0;
+					}
+				l=l-8+last;
+				}
+			i=0;
+			if (cflag) des_cbc_cksum(obuf,
+				(des_cblock *)cksum,(long)l/8*8,ks,
+				(des_cblock *)cksum);
+			while (i != l)
+				{
+				j=fwrite(obuf,1,(unsigned int)l-i,DES_OUT);
+				if (j == -1)
+					{
+					perror("Write error");
+					Exit=7;
+					goto problems;
+					}
+				i+=j;
+				}
+			l=ll;
+			if ((l == 0) && feof(DES_IN)) break;
+			}
+		}
+	if (cflag)
+		{
+		l=0;
+		if (cksumname[0] != '\0')
+			{
+			if ((O=fopen(cksumname,"w")) != NULL)
+				{
+				CKSUM_OUT=O;
+				l=1;
+				}
+			}
+		for (i=0; i<8; i++)
+			fprintf(CKSUM_OUT,"%02X",cksum[i]);
+		fprintf(CKSUM_OUT,"\n");
+		if (l) fclose(CKSUM_OUT);
+		}
+problems:
+	memset(buf,0,sizeof(buf));
+	memset(obuf,0,sizeof(obuf));
+	memset(ks,0,sizeof(ks));
+	memset(ks2,0,sizeof(ks2));
+	memset(iv,0,sizeof(iv));
+	memset(iv2,0,sizeof(iv2));
+	memset(kk,0,sizeof(kk));
+	memset(k2,0,sizeof(k2));
+	memset(uubuf,0,sizeof(uubuf));
+	memset(b,0,sizeof(b));
+	memset(bb,0,sizeof(bb));
+	memset(cksum,0,sizeof(cksum));
+	if (Exit) EXIT(Exit);
+	}
+
+/*    We ignore this parameter but it should be > ~50 I believe    */
+int uufwrite(unsigned char *data, int size, unsigned int num, FILE *fp)
+	{
+	int i,j,left,rem,ret=num;
+	static int start=1;
+
+	if (start)
+		{
+		fprintf(fp,"begin 600 %s\n",
+			(uuname[0] == '\0')?"text.d":uuname);
+		start=0;
+		}
+
+	if (uubufnum)
+		{
+		if (uubufnum+num < 45)
+			{
+			memcpy(&(uubuf[uubufnum]),data,(unsigned int)num);
+			uubufnum+=num;
+			return(num);
+			}
+		else
+			{
+			i=45-uubufnum;
+			memcpy(&(uubuf[uubufnum]),data,(unsigned int)i);
+			j=uuencode((unsigned char *)uubuf,45,b);
+			fwrite(b,1,(unsigned int)j,fp);
+			uubufnum=0;
+			data+=i;
+			num-=i;
+			}
+		}
+
+	for (i=0; i<(((int)num)-INUUBUFN); i+=INUUBUFN)
+		{
+		j=uuencode(&(data[i]),INUUBUFN,b);
+		fwrite(b,1,(unsigned int)j,fp);
+		}
+	rem=(num-i)%45;
+	left=(num-i-rem);
+	if (left)
+		{
+		j=uuencode(&(data[i]),left,b);
+		fwrite(b,1,(unsigned int)j,fp);
+		i+=left;
+		}
+	if (i != num)
+		{
+		memcpy(uubuf,&(data[i]),(unsigned int)rem);
+		uubufnum=rem;
+		}
+	return(ret);
+	}
+
+void uufwriteEnd(FILE *fp)
+	{
+	int j;
+	static const char *end=" \nend\n";
+
+	if (uubufnum != 0)
+		{
+		uubuf[uubufnum]='\0';
+		uubuf[uubufnum+1]='\0';
+		uubuf[uubufnum+2]='\0';
+		j=uuencode(uubuf,uubufnum,b);
+		fwrite(b,1,(unsigned int)j,fp);
+		}
+	fwrite(end,1,strlen(end),fp);
+	}
+
+/* int size:  should always be > ~ 60; I actually ignore this parameter :-)    */
+int uufread(unsigned char *out, int size, unsigned int num, FILE *fp)
+	{
+	int i,j,tot;
+	static int done=0;
+	static int valid=0;
+	static int start=1;
+
+	if (start)
+		{
+		for (;;)
+			{
+			b[0]='\0';
+			fgets((char *)b,300,fp);
+			if (b[0] == '\0')
+				{
+				fprintf(stderr,"no 'begin' found in uuencoded input\n");
+				return(-1);
+				}
+			if (strncmp((char *)b,"begin ",6) == 0) break;
+			}
+		start=0;
+		}
+	if (done) return(0);
+	tot=0;
+	if (valid)
+		{
+		memcpy(out,bb,(unsigned int)valid);
+		tot=valid;
+		valid=0;
+		}
+	for (;;)
+		{
+		b[0]='\0';
+		fgets((char *)b,300,fp);
+		if (b[0] == '\0') break;
+		i=strlen((char *)b);
+		if ((b[0] == 'e') && (b[1] == 'n') && (b[2] == 'd'))
+			{
+			done=1;
+			while (!feof(fp))
+				{
+				fgets((char *)b,300,fp);
+				}
+			break;
+			}
+		i=uudecode(b,i,bb);
+		if (i < 0) break;
+		if ((i+tot+8) > num)
+			{
+			/* num to copy to make it a multiple of 8 */
+			j=(num/8*8)-tot-8;
+			memcpy(&(out[tot]),bb,(unsigned int)j);
+			tot+=j;
+			memcpy(bb,&(bb[j]),(unsigned int)i-j);
+			valid=i-j;
+			break;
+			}
+		memcpy(&(out[tot]),bb,(unsigned int)i);
+		tot+=i;
+		}
+	return(tot);
+	}
+
+#define ccc2l(c,l)      (l =((DES_LONG)(*((c)++)))<<16, \
+			 l|=((DES_LONG)(*((c)++)))<< 8, \
+		 	 l|=((DES_LONG)(*((c)++))))
+
+#define l2ccc(l,c)      (*((c)++)=(unsigned char)(((l)>>16)&0xff), \
+                    *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+                    *((c)++)=(unsigned char)(((l)    )&0xff))
+
+
+int uuencode(unsigned char *in, int num, unsigned char *out)
+	{
+	int j,i,n,tot=0;
+	DES_LONG l;
+	register unsigned char *p;
+	p=out;
+
+	for (j=0; j<num; j+=45)
+		{
+		if (j+45 > num)
+			i=(num-j);
+		else	i=45;
+		*(p++)=i+' ';
+		for (n=0; n<i; n+=3)
+			{
+			ccc2l(in,l);
+			*(p++)=((l>>18)&0x3f)+' ';
+			*(p++)=((l>>12)&0x3f)+' ';
+			*(p++)=((l>> 6)&0x3f)+' ';
+			*(p++)=((l    )&0x3f)+' ';
+			tot+=4;
+			}
+		*(p++)='\n';
+		tot+=2;
+		}
+	*p='\0';
+	l=0;
+	return(tot);
+	}
+
+int uudecode(unsigned char *in, int num, unsigned char *out)
+	{
+	int j,i,k;
+	unsigned int n=0,space=0;
+	DES_LONG l;
+	DES_LONG w,x,y,z;
+	unsigned int blank=(unsigned int)'\n'-' ';
+
+	for (j=0; j<num; )
+		{
+		n= *(in++)-' ';
+		if (n == blank)
+			{
+			n=0;
+			in--;
+			}
+		if (n > 60)
+			{
+			fprintf(stderr,"uuencoded line length too long\n");
+			return(-1);
+			}
+		j++;
+
+		for (i=0; i<n; j+=4,i+=3)
+			{
+			/* the following is for cases where spaces are
+			 * removed from lines.
+			 */
+			if (space)
+				{
+				w=x=y=z=0;
+				}
+			else
+				{
+				w= *(in++)-' ';
+				x= *(in++)-' ';
+				y= *(in++)-' ';
+				z= *(in++)-' ';
+				}
+			if ((w > 63) || (x > 63) || (y > 63) || (z > 63))
+				{
+				k=0;
+				if (w == blank) k=1;
+				if (x == blank) k=2;
+				if (y == blank) k=3;
+				if (z == blank) k=4;
+				space=1;
+				switch (k) {
+				case 1:	w=0; in--;
+				case 2: x=0; in--;
+				case 3: y=0; in--;
+				case 4: z=0; in--;
+					break;
+				case 0:
+					space=0;
+					fprintf(stderr,"bad uuencoded data values\n");
+					w=x=y=z=0;
+					return(-1);
+					break;
+					}
+				}
+			l=(w<<18)|(x<<12)|(y<< 6)|(z    );
+			l2ccc(l,out);
+			}
+		if (*(in++) != '\n')
+			{
+			fprintf(stderr,"missing nl in uuencoded line\n");
+			w=x=y=z=0;
+			return(-1);
+			}
+		j++;
+		}
+	*out='\0';
+	w=x=y=z=0;
+	return(n);
+	}
diff --git a/crypto/openssl/crypto/des/des.h b/crypto/openssl/crypto/des/des.h
new file mode 100644
index 0000000..9b93340
--- /dev/null
+++ b/crypto/openssl/crypto/des/des.h
@@ -0,0 +1,271 @@
+/* crypto/des/des.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_DES
+#error DES is disabled.
+#endif
+
+#ifdef _KERBEROS_DES_H
+#error <openssl/des.h> replaces <kerberos/des.h>.
+#endif
+
+#include <stdio.h>
+#include <openssl/opensslconf.h> /* DES_LONG */
+#include <openssl/e_os2.h>	/* OPENSSL_EXTERN */
+
+typedef unsigned char des_cblock[8];
+typedef /* const */ unsigned char const_des_cblock[8];
+/* With "const", gcc 2.8.1 on Solaris thinks that des_cblock *
+ * and const_des_cblock * are incompatible pointer types. */
+
+typedef struct des_ks_struct
+	{
+	union	{
+		des_cblock cblock;
+		/* make sure things are correct size on machines with
+		 * 8 byte longs */
+		DES_LONG deslong[2];
+		} ks;
+	int weak_key;
+	} des_key_schedule[16];
+
+#define DES_KEY_SZ 	(sizeof(des_cblock))
+#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
+
+#define DES_ENCRYPT	1
+#define DES_DECRYPT	0
+
+#define DES_CBC_MODE	0
+#define DES_PCBC_MODE	1
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+	des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+	des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+	des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+	des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+OPENSSL_EXTERN int des_check_key;	/* defaults to false */
+OPENSSL_EXTERN int des_rw_mode;		/* defaults to DES_PCBC_MODE */
+OPENSSL_EXTERN int des_set_weak_key_flag; /* set the weak key flag */
+
+const char *des_options(void);
+void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
+		      des_key_schedule ks1,des_key_schedule ks2,
+		      des_key_schedule ks3, int enc);
+DES_LONG des_cbc_cksum(const unsigned char *input,des_cblock *output,
+		       long length,des_key_schedule schedule,
+		       const_des_cblock *ivec);
+/* des_cbc_encrypt does not update the IV!  Use des_ncbc_encrypt instead. */
+void des_cbc_encrypt(const unsigned char *input,unsigned char *output,
+		     long length,des_key_schedule schedule,des_cblock *ivec,
+		     int enc);
+void des_ncbc_encrypt(const unsigned char *input,unsigned char *output,
+		      long length,des_key_schedule schedule,des_cblock *ivec,
+		      int enc);
+void des_xcbc_encrypt(const unsigned char *input,unsigned char *output,
+		      long length,des_key_schedule schedule,des_cblock *ivec,
+		      const_des_cblock *inw,const_des_cblock *outw,int enc);
+void des_cfb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+		     long length,des_key_schedule schedule,des_cblock *ivec,
+		     int enc);
+void des_ecb_encrypt(const_des_cblock *input,des_cblock *output,
+		     des_key_schedule ks,int enc);
+
+/* 	This is the DES encryption function that gets called by just about
+	every other DES routine in the library.  You should not use this
+	function except to implement 'modes' of DES.  I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.  The characters are loaded 'little endian'.
+	Data is a pointer to 2 unsigned long's and ks is the
+	des_key_schedule to use.  enc, is non zero specifies encryption,
+	zero if decryption. */
+void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
+
+/* 	This functions is the same as des_encrypt() except that the DES
+	initial permutation (IP) and final permutation (FP) have been left
+	out.  As for des_encrypt(), you should not use this function.
+	It is used by the routines in the library that implement triple DES.
+	IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
+	as des_encrypt() des_encrypt() des_encrypt() except faster :-). */
+void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
+
+void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+	des_key_schedule ks2, des_key_schedule ks3);
+void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+	des_key_schedule ks2, des_key_schedule ks3);
+void des_ede3_cbc_encrypt(const unsigned char *input,unsigned char *output, 
+			  long length,
+			  des_key_schedule ks1,des_key_schedule ks2,
+			  des_key_schedule ks3,des_cblock *ivec,int enc);
+void des_ede3_cbcm_encrypt(const unsigned char *in,unsigned char *out,
+			   long length,
+			   des_key_schedule ks1,des_key_schedule ks2,
+			   des_key_schedule ks3,
+			   des_cblock *ivec1,des_cblock *ivec2,
+			   int enc);
+void des_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
+			    long length,des_key_schedule ks1,
+			    des_key_schedule ks2,des_key_schedule ks3,
+			    des_cblock *ivec,int *num,int enc);
+void des_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
+			    long length,des_key_schedule ks1,
+			    des_key_schedule ks2,des_key_schedule ks3,
+			    des_cblock *ivec,int *num);
+
+void des_xwhite_in2out(const_des_cblock *des_key,const_des_cblock *in_white,
+		       des_cblock *out_white);
+
+int des_enc_read(int fd,void *buf,int len,des_key_schedule sched,
+		 des_cblock *iv);
+int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched,
+		  des_cblock *iv);
+char *des_fcrypt(const char *buf,const char *salt, char *ret);
+char *des_crypt(const char *buf,const char *salt);
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *crypt(const char *buf,const char *salt);
+#endif
+void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+		     long length,des_key_schedule schedule,des_cblock *ivec);
+void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
+		      long length,des_key_schedule schedule,des_cblock *ivec,
+		      int enc);
+DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
+			long length,int out_count,des_cblock *seed);
+void des_random_seed(des_cblock *key);
+int des_new_random_key(des_cblock *key);
+void des_init_random_number_generator(des_cblock *seed);
+void des_rand_data(unsigned char *data, int size);
+int des_random_key(des_cblock *ret);
+int des_read_password(des_cblock *key,const char *prompt,int verify);
+int des_read_2passwords(des_cblock *key1,des_cblock *key2,
+			const char *prompt,int verify);
+int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+void des_set_odd_parity(des_cblock *key);
+int des_check_key_parity(const_des_cblock *key);
+int des_is_weak_key(const_des_cblock *key);
+/* des_set_key (= set_key = des_key_sched = key_sched) calls
+ * des_set_key_checked if global variable des_check_key is set,
+ * des_set_key_unchecked otherwise. */
+int des_set_key(const_des_cblock *key,des_key_schedule schedule);
+int des_key_sched(const_des_cblock *key,des_key_schedule schedule);
+int des_set_key_checked(const_des_cblock *key,des_key_schedule schedule);
+void des_set_key_unchecked(const_des_cblock *key,des_key_schedule schedule);
+void des_string_to_key(const char *str,des_cblock *key);
+void des_string_to_2keys(const char *str,des_cblock *key1,des_cblock *key2);
+void des_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+		       des_key_schedule schedule,des_cblock *ivec,int *num,
+		       int enc);
+void des_ofb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+		       des_key_schedule schedule,des_cblock *ivec,int *num);
+int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+/* The following definitions provide compatibility with the MIT Kerberos
+ * library. The des_key_schedule structure is not binary compatible. */
+
+#define _KERBEROS_DES_H
+
+#define KRBDES_ENCRYPT DES_ENCRYPT
+#define KRBDES_DECRYPT DES_DECRYPT
+
+#ifdef KERBEROS
+#  define ENCRYPT DES_ENCRYPT
+#  define DECRYPT DES_DECRYPT
+#endif
+
+#ifndef NCOMPAT
+#  define C_Block des_cblock
+#  define Key_schedule des_key_schedule
+#  define KEY_SZ DES_KEY_SZ
+#  define string_to_key des_string_to_key
+#  define read_pw_string des_read_pw_string
+#  define random_key des_random_key
+#  define pcbc_encrypt des_pcbc_encrypt
+#  define set_key des_set_key
+#  define key_sched des_key_sched
+#  define ecb_encrypt des_ecb_encrypt
+#  define cbc_encrypt des_cbc_encrypt
+#  define ncbc_encrypt des_ncbc_encrypt
+#  define xcbc_encrypt des_xcbc_encrypt
+#  define cbc_cksum des_cbc_cksum
+#  define quad_cksum des_quad_cksum
+#  define check_parity des_check_key_parity
+#endif
+
+typedef des_key_schedule bit_64;
+#define des_fixup_key_parity des_set_odd_parity
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/des/des.man b/crypto/openssl/crypto/des/des.man
new file mode 100644
index 0000000..7e06a18
--- /dev/null
+++ b/crypto/openssl/crypto/des/des.man
@@ -0,0 +1,186 @@
+.TH DES 1 
+.SH NAME
+des - encrypt or decrypt data using Data Encryption Standard
+.SH SYNOPSIS
+.B des
+(
+.B \-e
+|
+.B \-E
+) | (
+.B \-d
+|
+.B \-D
+) | (
+.B \-\fR[\fPcC\fR][\fPckname\fR]\fP
+) |
+[
+.B \-b3hfs
+] [
+.B \-k
+.I key
+]
+] [
+.B \-u\fR[\fIuuname\fR]
+[
+.I input-file
+[
+.I output-file
+] ]
+.SH DESCRIPTION
+.B des
+encrypts and decrypts data using the
+Data Encryption Standard algorithm.
+One of
+.B \-e, \-E
+(for encrypt) or
+.B \-d, \-D
+(for decrypt) must be specified.
+It is also possible to use
+.B \-c
+or
+.B \-C
+in conjunction or instead of the a encrypt/decrypt option to generate
+a 16 character hexadecimal checksum, generated via the
+.I des_cbc_cksum.
+.LP
+Two standard encryption modes are supported by the
+.B des
+program, Cipher Block Chaining (the default) and Electronic Code Book
+(specified with
+.B \-b
+).
+.LP
+The key used for the DES
+algorithm is obtained by prompting the user unless the
+.B `\-k
+.I key'
+option is given.
+If the key is an argument to the
+.B des
+command, it is potentially visible to users executing
+.BR ps (1)
+or a derivative.  To minimise this possibility,
+.B des
+takes care to destroy the key argument immediately upon entry.
+If your shell keeps a history file be careful to make sure it is not
+world readable.
+.LP
+Since this program attempts to maintain compatability with sunOS's
+des(1) command, there are 2 different methods used to convert the user
+supplied key to a des key.
+Whenever and one or more of
+.B \-E, \-D, \-C
+or
+.B \-3
+options are used, the key conversion procedure will not be compatible
+with the sunOS des(1) version but will use all the user supplied
+character to generate the des key.
+.B des
+command reads from standard input unless
+.I input-file
+is specified and writes to standard output unless
+.I output-file
+is given.
+.SH OPTIONS
+.TP
+.B \-b
+Select ECB
+(eight bytes at a time) encryption mode.
+.TP
+.B \-3
+Encrypt using triple encryption.
+By default triple cbc encryption is used but if the
+.B \-b
+option is used then triple ecb encryption is performed.
+If the key is less than 8 characters long, the flag has no effect.
+.TP
+.B \-e
+Encrypt data using an 8 byte key in a manner compatible with sunOS
+des(1).
+.TP
+.B \-E
+Encrypt data using a key of nearly unlimited length (1024 bytes).
+This will product a more secure encryption.
+.TP
+.B \-d
+Decrypt data that was encrypted with the \-e option.
+.TP
+.B \-D
+Decrypt data that was encrypted with the \-E option.
+.TP
+.B \-c
+Generate a 16 character hexadecimal cbc checksum and output this to
+stderr.
+If a filename was specified after the
+.B \-c
+option, the checksum is output to that file.
+The checksum is generated using a key generated in a sunOS compatible
+manner.
+.TP
+.B \-C
+A cbc checksum is generated in the same manner as described for the
+.B \-c
+option but the DES key is generated in the same manner as used for the
+.B \-E
+and
+.B \-D
+options
+.TP
+.B \-f
+Does nothing - allowed for compatibility with sunOS des(1) command.
+.TP
+.B \-s
+Does nothing - allowed for compatibility with sunOS des(1) command.
+.TP
+.B "\-k \fIkey\fP"
+Use the encryption 
+.I key
+specified.
+.TP
+.B "\-h"
+The
+.I key
+is assumed to be a 16 character hexadecimal number.
+If the
+.B "\-3"
+option is used the key is assumed to be a 32 character hexadecimal
+number.
+.TP
+.B \-u
+This flag is used to read and write uuencoded files.  If decrypting,
+the input file is assumed to contain uuencoded, DES encrypted data.
+If encrypting, the characters following the -u are used as the name of
+the uuencoded file to embed in the begin line of the uuencoded
+output.  If there is no name specified after the -u, the name text.des
+will be embedded in the header.
+.SH SEE ALSO
+.B ps (1)
+.B des_crypt(3)
+.SH BUGS
+.LP
+The problem with using the
+.B -e
+option is the short key length.
+It would be better to use a real 56-bit key rather than an
+ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII
+radically reduces the time necessary for a brute-force cryptographic attack.
+My attempt to remove this problem is to add an alternative text-key to
+DES-key function.  This alternative function (accessed via
+.B -E, -D, -S
+and
+.B -3
+)
+uses DES to help generate the key.
+.LP
+Be carefully when using the -u option.  Doing des -ud <filename> will
+not decrypt filename (the -u option will gobble the d option).
+.LP
+The VMS operating system operates in a world where files are always a
+multiple of 512 bytes.  This causes problems when encrypted data is
+send from unix to VMS since a 88 byte file will suddenly be padded
+with 424 null bytes.  To get around this problem, use the -u option
+to uuencode the data before it is send to the VMS system.
+.SH AUTHOR
+.LP
+Eric Young (eay@cryptsoft.com)
diff --git a/crypto/openssl/crypto/des/des.pl b/crypto/openssl/crypto/des/des.pl
new file mode 100644
index 0000000..8a3f7e3
--- /dev/null
+++ b/crypto/openssl/crypto/des/des.pl
@@ -0,0 +1,552 @@
+#!/usr/local/bin/perl
+# des.pl - eric young 22/11/1991 eay@cryptsoft.com
+#
+# Copyright (C) 1993 Eric Young
+#
+# 11 April 1996 - patched to circumvent Perl 5 (through 5.002) problem
+#                 with sign-extension on right shift operations.
+#                 Ed Kubaitis - ejk@uiuc.edu
+#
+# eay - 92/08/31 - I think I have fixed all problems for 64bit
+# versions of perl but I could be wrong since I have not tested it yet :-).
+#
+# This is an implementation of DES in perl.
+# The two routines (des_set_key and des_ecb_encrypt)
+# take 8 byte objects as arguments.
+#
+# des_set_key takes an 8 byte string as a key and returns a key schedule
+# for use in calls to des_ecb_encrypt.
+# des_ecb_encrypt takes three arguments, the first is a key schedule
+# (make sure to pass it by reference with the *), the second is 1
+# to encrypt, 0 to decrypt.  The third argument is an 8 byte object
+# to encrypt.  The function returns an 8 byte object that has been
+# DES encrypted.
+#
+# example:
+# require 'des.pl'
+#
+# $key =pack("C8",0x12,0x23,0x45,0x67,0x89,0xab,0xcd,0xef);
+# @ks=  &des_set_key($key);
+#
+# $outbytes= &des_ecb_encrypt(*ks,1,$data);
+# @enc =unpack("C8",$outbytes);
+#
+                 
+package des;
+
+eval("use integer;") if (int($]) > 4);
+
+# The following 8 arrays are used in des_set_key
+@skb0=(
+# for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 
+0x00000000,0x00000010,0x20000000,0x20000010,
+0x00010000,0x00010010,0x20010000,0x20010010,
+0x00000800,0x00000810,0x20000800,0x20000810,
+0x00010800,0x00010810,0x20010800,0x20010810,
+0x00000020,0x00000030,0x20000020,0x20000030,
+0x00010020,0x00010030,0x20010020,0x20010030,
+0x00000820,0x00000830,0x20000820,0x20000830,
+0x00010820,0x00010830,0x20010820,0x20010830,
+0x00080000,0x00080010,0x20080000,0x20080010,
+0x00090000,0x00090010,0x20090000,0x20090010,
+0x00080800,0x00080810,0x20080800,0x20080810,
+0x00090800,0x00090810,0x20090800,0x20090810,
+0x00080020,0x00080030,0x20080020,0x20080030,
+0x00090020,0x00090030,0x20090020,0x20090030,
+0x00080820,0x00080830,0x20080820,0x20080830,
+0x00090820,0x00090830,0x20090820,0x20090830,
+);
+@skb1=(
+# for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 
+0x00000000,0x02000000,0x00002000,0x02002000,
+0x00200000,0x02200000,0x00202000,0x02202000,
+0x00000004,0x02000004,0x00002004,0x02002004,
+0x00200004,0x02200004,0x00202004,0x02202004,
+0x00000400,0x02000400,0x00002400,0x02002400,
+0x00200400,0x02200400,0x00202400,0x02202400,
+0x00000404,0x02000404,0x00002404,0x02002404,
+0x00200404,0x02200404,0x00202404,0x02202404,
+0x10000000,0x12000000,0x10002000,0x12002000,
+0x10200000,0x12200000,0x10202000,0x12202000,
+0x10000004,0x12000004,0x10002004,0x12002004,
+0x10200004,0x12200004,0x10202004,0x12202004,
+0x10000400,0x12000400,0x10002400,0x12002400,
+0x10200400,0x12200400,0x10202400,0x12202400,
+0x10000404,0x12000404,0x10002404,0x12002404,
+0x10200404,0x12200404,0x10202404,0x12202404,
+);
+@skb2=(
+# for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 
+0x00000000,0x00000001,0x00040000,0x00040001,
+0x01000000,0x01000001,0x01040000,0x01040001,
+0x00000002,0x00000003,0x00040002,0x00040003,
+0x01000002,0x01000003,0x01040002,0x01040003,
+0x00000200,0x00000201,0x00040200,0x00040201,
+0x01000200,0x01000201,0x01040200,0x01040201,
+0x00000202,0x00000203,0x00040202,0x00040203,
+0x01000202,0x01000203,0x01040202,0x01040203,
+0x08000000,0x08000001,0x08040000,0x08040001,
+0x09000000,0x09000001,0x09040000,0x09040001,
+0x08000002,0x08000003,0x08040002,0x08040003,
+0x09000002,0x09000003,0x09040002,0x09040003,
+0x08000200,0x08000201,0x08040200,0x08040201,
+0x09000200,0x09000201,0x09040200,0x09040201,
+0x08000202,0x08000203,0x08040202,0x08040203,
+0x09000202,0x09000203,0x09040202,0x09040203,
+);
+@skb3=(
+# for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 
+0x00000000,0x00100000,0x00000100,0x00100100,
+0x00000008,0x00100008,0x00000108,0x00100108,
+0x00001000,0x00101000,0x00001100,0x00101100,
+0x00001008,0x00101008,0x00001108,0x00101108,
+0x04000000,0x04100000,0x04000100,0x04100100,
+0x04000008,0x04100008,0x04000108,0x04100108,
+0x04001000,0x04101000,0x04001100,0x04101100,
+0x04001008,0x04101008,0x04001108,0x04101108,
+0x00020000,0x00120000,0x00020100,0x00120100,
+0x00020008,0x00120008,0x00020108,0x00120108,
+0x00021000,0x00121000,0x00021100,0x00121100,
+0x00021008,0x00121008,0x00021108,0x00121108,
+0x04020000,0x04120000,0x04020100,0x04120100,
+0x04020008,0x04120008,0x04020108,0x04120108,
+0x04021000,0x04121000,0x04021100,0x04121100,
+0x04021008,0x04121008,0x04021108,0x04121108,
+);
+@skb4=(
+# for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 
+0x00000000,0x10000000,0x00010000,0x10010000,
+0x00000004,0x10000004,0x00010004,0x10010004,
+0x20000000,0x30000000,0x20010000,0x30010000,
+0x20000004,0x30000004,0x20010004,0x30010004,
+0x00100000,0x10100000,0x00110000,0x10110000,
+0x00100004,0x10100004,0x00110004,0x10110004,
+0x20100000,0x30100000,0x20110000,0x30110000,
+0x20100004,0x30100004,0x20110004,0x30110004,
+0x00001000,0x10001000,0x00011000,0x10011000,
+0x00001004,0x10001004,0x00011004,0x10011004,
+0x20001000,0x30001000,0x20011000,0x30011000,
+0x20001004,0x30001004,0x20011004,0x30011004,
+0x00101000,0x10101000,0x00111000,0x10111000,
+0x00101004,0x10101004,0x00111004,0x10111004,
+0x20101000,0x30101000,0x20111000,0x30111000,
+0x20101004,0x30101004,0x20111004,0x30111004,
+);
+@skb5=(
+# for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 
+0x00000000,0x08000000,0x00000008,0x08000008,
+0x00000400,0x08000400,0x00000408,0x08000408,
+0x00020000,0x08020000,0x00020008,0x08020008,
+0x00020400,0x08020400,0x00020408,0x08020408,
+0x00000001,0x08000001,0x00000009,0x08000009,
+0x00000401,0x08000401,0x00000409,0x08000409,
+0x00020001,0x08020001,0x00020009,0x08020009,
+0x00020401,0x08020401,0x00020409,0x08020409,
+0x02000000,0x0A000000,0x02000008,0x0A000008,
+0x02000400,0x0A000400,0x02000408,0x0A000408,
+0x02020000,0x0A020000,0x02020008,0x0A020008,
+0x02020400,0x0A020400,0x02020408,0x0A020408,
+0x02000001,0x0A000001,0x02000009,0x0A000009,
+0x02000401,0x0A000401,0x02000409,0x0A000409,
+0x02020001,0x0A020001,0x02020009,0x0A020009,
+0x02020401,0x0A020401,0x02020409,0x0A020409,
+);
+@skb6=(
+# for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 
+0x00000000,0x00000100,0x00080000,0x00080100,
+0x01000000,0x01000100,0x01080000,0x01080100,
+0x00000010,0x00000110,0x00080010,0x00080110,
+0x01000010,0x01000110,0x01080010,0x01080110,
+0x00200000,0x00200100,0x00280000,0x00280100,
+0x01200000,0x01200100,0x01280000,0x01280100,
+0x00200010,0x00200110,0x00280010,0x00280110,
+0x01200010,0x01200110,0x01280010,0x01280110,
+0x00000200,0x00000300,0x00080200,0x00080300,
+0x01000200,0x01000300,0x01080200,0x01080300,
+0x00000210,0x00000310,0x00080210,0x00080310,
+0x01000210,0x01000310,0x01080210,0x01080310,
+0x00200200,0x00200300,0x00280200,0x00280300,
+0x01200200,0x01200300,0x01280200,0x01280300,
+0x00200210,0x00200310,0x00280210,0x00280310,
+0x01200210,0x01200310,0x01280210,0x01280310,
+);
+@skb7=(
+# for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 
+0x00000000,0x04000000,0x00040000,0x04040000,
+0x00000002,0x04000002,0x00040002,0x04040002,
+0x00002000,0x04002000,0x00042000,0x04042000,
+0x00002002,0x04002002,0x00042002,0x04042002,
+0x00000020,0x04000020,0x00040020,0x04040020,
+0x00000022,0x04000022,0x00040022,0x04040022,
+0x00002020,0x04002020,0x00042020,0x04042020,
+0x00002022,0x04002022,0x00042022,0x04042022,
+0x00000800,0x04000800,0x00040800,0x04040800,
+0x00000802,0x04000802,0x00040802,0x04040802,
+0x00002800,0x04002800,0x00042800,0x04042800,
+0x00002802,0x04002802,0x00042802,0x04042802,
+0x00000820,0x04000820,0x00040820,0x04040820,
+0x00000822,0x04000822,0x00040822,0x04040822,
+0x00002820,0x04002820,0x00042820,0x04042820,
+0x00002822,0x04002822,0x00042822,0x04042822,
+);
+
+@shifts2=(0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0);
+
+# used in ecb_encrypt
+@SP0=(
+0x00410100, 0x00010000, 0x40400000, 0x40410100,
+0x00400000, 0x40010100, 0x40010000, 0x40400000,
+0x40010100, 0x00410100, 0x00410000, 0x40000100,
+0x40400100, 0x00400000, 0x00000000, 0x40010000,
+0x00010000, 0x40000000, 0x00400100, 0x00010100,
+0x40410100, 0x00410000, 0x40000100, 0x00400100,
+0x40000000, 0x00000100, 0x00010100, 0x40410000,
+0x00000100, 0x40400100, 0x40410000, 0x00000000,
+0x00000000, 0x40410100, 0x00400100, 0x40010000,
+0x00410100, 0x00010000, 0x40000100, 0x00400100,
+0x40410000, 0x00000100, 0x00010100, 0x40400000,
+0x40010100, 0x40000000, 0x40400000, 0x00410000,
+0x40410100, 0x00010100, 0x00410000, 0x40400100,
+0x00400000, 0x40000100, 0x40010000, 0x00000000,
+0x00010000, 0x00400000, 0x40400100, 0x00410100,
+0x40000000, 0x40410000, 0x00000100, 0x40010100,
+);
+@SP1=(
+0x08021002, 0x00000000, 0x00021000, 0x08020000,
+0x08000002, 0x00001002, 0x08001000, 0x00021000,
+0x00001000, 0x08020002, 0x00000002, 0x08001000,
+0x00020002, 0x08021000, 0x08020000, 0x00000002,
+0x00020000, 0x08001002, 0x08020002, 0x00001000,
+0x00021002, 0x08000000, 0x00000000, 0x00020002,
+0x08001002, 0x00021002, 0x08021000, 0x08000002,
+0x08000000, 0x00020000, 0x00001002, 0x08021002,
+0x00020002, 0x08021000, 0x08001000, 0x00021002,
+0x08021002, 0x00020002, 0x08000002, 0x00000000,
+0x08000000, 0x00001002, 0x00020000, 0x08020002,
+0x00001000, 0x08000000, 0x00021002, 0x08001002,
+0x08021000, 0x00001000, 0x00000000, 0x08000002,
+0x00000002, 0x08021002, 0x00021000, 0x08020000,
+0x08020002, 0x00020000, 0x00001002, 0x08001000,
+0x08001002, 0x00000002, 0x08020000, 0x00021000,
+);
+@SP2=(
+0x20800000, 0x00808020, 0x00000020, 0x20800020,
+0x20008000, 0x00800000, 0x20800020, 0x00008020,
+0x00800020, 0x00008000, 0x00808000, 0x20000000,
+0x20808020, 0x20000020, 0x20000000, 0x20808000,
+0x00000000, 0x20008000, 0x00808020, 0x00000020,
+0x20000020, 0x20808020, 0x00008000, 0x20800000,
+0x20808000, 0x00800020, 0x20008020, 0x00808000,
+0x00008020, 0x00000000, 0x00800000, 0x20008020,
+0x00808020, 0x00000020, 0x20000000, 0x00008000,
+0x20000020, 0x20008000, 0x00808000, 0x20800020,
+0x00000000, 0x00808020, 0x00008020, 0x20808000,
+0x20008000, 0x00800000, 0x20808020, 0x20000000,
+0x20008020, 0x20800000, 0x00800000, 0x20808020,
+0x00008000, 0x00800020, 0x20800020, 0x00008020,
+0x00800020, 0x00000000, 0x20808000, 0x20000020,
+0x20800000, 0x20008020, 0x00000020, 0x00808000,
+);
+@SP3=(
+0x00080201, 0x02000200, 0x00000001, 0x02080201,
+0x00000000, 0x02080000, 0x02000201, 0x00080001,
+0x02080200, 0x02000001, 0x02000000, 0x00000201,
+0x02000001, 0x00080201, 0x00080000, 0x02000000,
+0x02080001, 0x00080200, 0x00000200, 0x00000001,
+0x00080200, 0x02000201, 0x02080000, 0x00000200,
+0x00000201, 0x00000000, 0x00080001, 0x02080200,
+0x02000200, 0x02080001, 0x02080201, 0x00080000,
+0x02080001, 0x00000201, 0x00080000, 0x02000001,
+0x00080200, 0x02000200, 0x00000001, 0x02080000,
+0x02000201, 0x00000000, 0x00000200, 0x00080001,
+0x00000000, 0x02080001, 0x02080200, 0x00000200,
+0x02000000, 0x02080201, 0x00080201, 0x00080000,
+0x02080201, 0x00000001, 0x02000200, 0x00080201,
+0x00080001, 0x00080200, 0x02080000, 0x02000201,
+0x00000201, 0x02000000, 0x02000001, 0x02080200,
+);
+@SP4=(
+0x01000000, 0x00002000, 0x00000080, 0x01002084,
+0x01002004, 0x01000080, 0x00002084, 0x01002000,
+0x00002000, 0x00000004, 0x01000004, 0x00002080,
+0x01000084, 0x01002004, 0x01002080, 0x00000000,
+0x00002080, 0x01000000, 0x00002004, 0x00000084,
+0x01000080, 0x00002084, 0x00000000, 0x01000004,
+0x00000004, 0x01000084, 0x01002084, 0x00002004,
+0x01002000, 0x00000080, 0x00000084, 0x01002080,
+0x01002080, 0x01000084, 0x00002004, 0x01002000,
+0x00002000, 0x00000004, 0x01000004, 0x01000080,
+0x01000000, 0x00002080, 0x01002084, 0x00000000,
+0x00002084, 0x01000000, 0x00000080, 0x00002004,
+0x01000084, 0x00000080, 0x00000000, 0x01002084,
+0x01002004, 0x01002080, 0x00000084, 0x00002000,
+0x00002080, 0x01002004, 0x01000080, 0x00000084,
+0x00000004, 0x00002084, 0x01002000, 0x01000004,
+);
+@SP5=(
+0x10000008, 0x00040008, 0x00000000, 0x10040400,
+0x00040008, 0x00000400, 0x10000408, 0x00040000,
+0x00000408, 0x10040408, 0x00040400, 0x10000000,
+0x10000400, 0x10000008, 0x10040000, 0x00040408,
+0x00040000, 0x10000408, 0x10040008, 0x00000000,
+0x00000400, 0x00000008, 0x10040400, 0x10040008,
+0x10040408, 0x10040000, 0x10000000, 0x00000408,
+0x00000008, 0x00040400, 0x00040408, 0x10000400,
+0x00000408, 0x10000000, 0x10000400, 0x00040408,
+0x10040400, 0x00040008, 0x00000000, 0x10000400,
+0x10000000, 0x00000400, 0x10040008, 0x00040000,
+0x00040008, 0x10040408, 0x00040400, 0x00000008,
+0x10040408, 0x00040400, 0x00040000, 0x10000408,
+0x10000008, 0x10040000, 0x00040408, 0x00000000,
+0x00000400, 0x10000008, 0x10000408, 0x10040400,
+0x10040000, 0x00000408, 0x00000008, 0x10040008,
+);
+@SP6=(
+0x00000800, 0x00000040, 0x00200040, 0x80200000,
+0x80200840, 0x80000800, 0x00000840, 0x00000000,
+0x00200000, 0x80200040, 0x80000040, 0x00200800,
+0x80000000, 0x00200840, 0x00200800, 0x80000040,
+0x80200040, 0x00000800, 0x80000800, 0x80200840,
+0x00000000, 0x00200040, 0x80200000, 0x00000840,
+0x80200800, 0x80000840, 0x00200840, 0x80000000,
+0x80000840, 0x80200800, 0x00000040, 0x00200000,
+0x80000840, 0x00200800, 0x80200800, 0x80000040,
+0x00000800, 0x00000040, 0x00200000, 0x80200800,
+0x80200040, 0x80000840, 0x00000840, 0x00000000,
+0x00000040, 0x80200000, 0x80000000, 0x00200040,
+0x00000000, 0x80200040, 0x00200040, 0x00000840,
+0x80000040, 0x00000800, 0x80200840, 0x00200000,
+0x00200840, 0x80000000, 0x80000800, 0x80200840,
+0x80200000, 0x00200840, 0x00200800, 0x80000800,
+);
+@SP7=(
+0x04100010, 0x04104000, 0x00004010, 0x00000000,
+0x04004000, 0x00100010, 0x04100000, 0x04104010,
+0x00000010, 0x04000000, 0x00104000, 0x00004010,
+0x00104010, 0x04004010, 0x04000010, 0x04100000,
+0x00004000, 0x00104010, 0x00100010, 0x04004000,
+0x04104010, 0x04000010, 0x00000000, 0x00104000,
+0x04000000, 0x00100000, 0x04004010, 0x04100010,
+0x00100000, 0x00004000, 0x04104000, 0x00000010,
+0x00100000, 0x00004000, 0x04000010, 0x04104010,
+0x00004010, 0x04000000, 0x00000000, 0x00104000,
+0x04100010, 0x04004010, 0x04004000, 0x00100010,
+0x04104000, 0x00000010, 0x00100010, 0x04004000,
+0x04104010, 0x00100000, 0x04100000, 0x04000010,
+0x00104000, 0x00004010, 0x04004010, 0x04100000,
+0x00000010, 0x04104000, 0x00104010, 0x00000000,
+0x04000000, 0x04100010, 0x00004000, 0x00104010,
+);
+
+sub main'des_set_key
+	{
+	local($param)=@_;
+	local(@key);
+	local($c,$d,$i,$s,$t);
+	local(@ks)=();
+
+	# Get the bytes in the order we want.
+	@key=unpack("C8",$param);
+
+	$c=	($key[0]    )|
+		($key[1]<< 8)|
+		($key[2]<<16)|
+		($key[3]<<24);
+	$d=	($key[4]    )|
+		($key[5]<< 8)|
+		($key[6]<<16)|
+		($key[7]<<24);
+
+	&doPC1(*c,*d);
+
+	for $i (@shifts2)
+		{
+		if ($i)
+			{
+			$c=($c>>2)|($c<<26);
+			$d=($d>>2)|($d<<26);
+			}
+		else
+			{
+			$c=($c>>1)|($c<<27);
+			$d=($d>>1)|($d<<27);
+			}
+		$c&=0x0fffffff;
+		$d&=0x0fffffff;
+		$s=	$skb0[ ($c    )&0x3f                 ]|
+			$skb1[(($c>> 6)&0x03)|(($c>> 7)&0x3c)]|
+			$skb2[(($c>>13)&0x0f)|(($c>>14)&0x30)]|
+			$skb3[(($c>>20)&0x01)|(($c>>21)&0x06) |
+					     (($c>>22)&0x38)];
+		$t=     $skb4[ ($d    )&0x3f                ]|
+			$skb5[(($d>> 7)&0x03)|(($d>> 8)&0x3c)]|
+			$skb6[ ($d>>15)&0x3f                 ]|
+			$skb7[(($d>>21)&0x0f)|(($d>>22)&0x30)];
+		push(@ks,(($t<<16)|($s&0x0000ffff))&0xffffffff);
+		$s=      (($s>>16)&0x0000ffff)|($t&0xffff0000) ;
+		push(@ks,(($s<<4)|(($s>>28)&0xf))&0xffffffff);
+		}
+	@ks;
+	}
+
+sub doPC1
+	{
+	local(*a,*b)=@_;
+	local($t);
+
+	$t=(($b>>4)^$a)&0x0f0f0f0f;
+	$b^=($t<<4); $a^=$t;
+	# do $a first 
+	$t=(($a<<18)^$a)&0xcccc0000;
+	$a=$a^$t^(($t>>18)&0x00003fff);
+	$t=(($a<<17)^$a)&0xaaaa0000;
+	$a=$a^$t^(($t>>17)&0x00007fff);
+	$t=(($a<< 8)^$a)&0x00ff0000;
+	$a=$a^$t^(($t>> 8)&0x00ffffff);
+	$t=(($a<<17)^$a)&0xaaaa0000;
+	$a=$a^$t^(($t>>17)&0x00007fff);
+
+	# now do $b
+	$t=(($b<<24)^$b)&0xff000000;
+	$b=$b^$t^(($t>>24)&0x000000ff);
+	$t=(($b<< 8)^$b)&0x00ff0000;
+	$b=$b^$t^(($t>> 8)&0x00ffffff);
+	$t=(($b<<14)^$b)&0x33330000;
+	$b=$b^$t^(($t>>14)&0x0003ffff);
+	$b=(($b&0x00aa00aa)<<7)|(($b&0x55005500)>>7)|($b&0xaa55aa55);
+	$b=(($b>>8)&0x00ffffff)|((($a&0xf0000000)>>4)&0x0fffffff);
+	$a&=0x0fffffff;
+	}
+
+sub doIP
+	{
+	local(*a,*b)=@_;
+	local($t);
+
+	$t=(($b>> 4)^$a)&0x0f0f0f0f;
+	$b^=($t<< 4); $a^=$t;
+	$t=(($a>>16)^$b)&0x0000ffff;
+	$a^=($t<<16); $b^=$t;
+	$t=(($b>> 2)^$a)&0x33333333;
+	$b^=($t<< 2); $a^=$t;
+	$t=(($a>> 8)^$b)&0x00ff00ff;
+	$a^=($t<< 8); $b^=$t;
+	$t=(($b>> 1)^$a)&0x55555555;
+	$b^=($t<< 1); $a^=$t;
+	$t=$a;
+	$a=$b&0xffffffff;
+	$b=$t&0xffffffff;
+	}
+
+sub doFP
+	{
+	local(*a,*b)=@_;
+	local($t);
+
+	$t=(($b>> 1)^$a)&0x55555555;
+	$b^=($t<< 1); $a^=$t;
+	$t=(($a>> 8)^$b)&0x00ff00ff;
+	$a^=($t<< 8); $b^=$t;
+	$t=(($b>> 2)^$a)&0x33333333;
+	$b^=($t<< 2); $a^=$t;
+	$t=(($a>>16)^$b)&0x0000ffff;
+	$a^=($t<<16); $b^=$t;
+	$t=(($b>> 4)^$a)&0x0f0f0f0f;
+	$b^=($t<< 4); $a^=$t;
+	$a&=0xffffffff;
+	$b&=0xffffffff;
+	}
+
+sub main'des_ecb_encrypt
+	{
+	local(*ks,$encrypt,$in)=@_;
+	local($l,$r,$i,$t,$u,@input);
+	
+	@input=unpack("C8",$in);
+	# Get the bytes in the order we want.
+	$l=	($input[0]    )|
+		($input[1]<< 8)|
+		($input[2]<<16)|
+		($input[3]<<24);
+	$r=	($input[4]    )|
+		($input[5]<< 8)|
+		($input[6]<<16)|
+		($input[7]<<24);
+
+	$l&=0xffffffff;
+	$r&=0xffffffff;
+	&doIP(*l,*r);
+	if ($encrypt)
+		{
+		for ($i=0; $i<32; $i+=4)
+			{
+			$t=((($r&0x7fffffff)<<1)|(($r>>31)&0x00000001));
+			$u=$t^$ks[$i  ];
+			$t=$t^$ks[$i+1];
+			$t2=(($t&0x0000000f)<<28);
+
+			$t=((($t>>4)&0x0fffffff)|(($t&0x0000000f)<<28));
+			$l^=	$SP1[ $t     &0x3f]|
+				$SP3[($t>> 8)&0x3f]|
+				$SP5[($t>>16)&0x3f]|
+				$SP7[($t>>24)&0x3f]|
+				$SP0[ $u     &0x3f]|
+				$SP2[($u>> 8)&0x3f]|
+				$SP4[($u>>16)&0x3f]|
+				$SP6[($u>>24)&0x3f];
+
+			$t=(($l<<1)|(($l>>31)&0x1))&0xffffffff;
+			$u=$t^$ks[$i+2];
+			$t=$t^$ks[$i+3];
+			$t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff;
+			$r^=	$SP1[ $t     &0x3f]|
+				$SP3[($t>> 8)&0x3f]|
+				$SP5[($t>>16)&0x3f]|
+				$SP7[($t>>24)&0x3f]|
+				$SP0[ $u     &0x3f]|
+				$SP2[($u>> 8)&0x3f]|
+				$SP4[($u>>16)&0x3f]|
+				$SP6[($u>>24)&0x3f];
+			}
+		}
+	else	
+		{
+		for ($i=30; $i>0; $i-=4)
+			{
+			$t=(($r<<1)|(($r>>31)&0x1))&0xffffffff;
+			$u=$t^$ks[$i  ];
+			$t=$t^$ks[$i+1];
+			$t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff;
+			$l^=	$SP1[ $t     &0x3f]|
+				$SP3[($t>> 8)&0x3f]|
+				$SP5[($t>>16)&0x3f]|
+				$SP7[($t>>24)&0x3f]|
+				$SP0[ $u     &0x3f]|
+				$SP2[($u>> 8)&0x3f]|
+				$SP4[($u>>16)&0x3f]|
+				$SP6[($u>>24)&0x3f];
+
+			$t=(($l<<1)|(($l>>31)&0x1))&0xffffffff;
+			$u=$t^$ks[$i-2];
+			$t=$t^$ks[$i-1];
+			$t=((($t>>4)&0x0fffffff)|($t<<28))&0xffffffff;
+			$r^=	$SP1[ $t     &0x3f]|
+				$SP3[($t>> 8)&0x3f]|
+				$SP5[($t>>16)&0x3f]|
+				$SP7[($t>>24)&0x3f]|
+				$SP0[ $u     &0x3f]|
+				$SP2[($u>> 8)&0x3f]|
+				$SP4[($u>>16)&0x3f]|
+				$SP6[($u>>24)&0x3f];
+			}
+		}
+	&doFP(*l,*r);
+	pack("C8",$l&0xff, 
+	          ($l>> 8)&0x00ffffff,
+	          ($l>>16)&0x0000ffff,
+		  ($l>>24)&0x000000ff,
+		  $r&0xff,
+	          ($r>> 8)&0x00ffffff,
+	          ($r>>16)&0x0000ffff,
+		  ($r>>24)&0x000000ff);
+	}
diff --git a/crypto/openssl/crypto/des/des.pod b/crypto/openssl/crypto/des/des.pod
new file mode 100644
index 0000000..bf479e8
--- /dev/null
+++ b/crypto/openssl/crypto/des/des.pod
@@ -0,0 +1,217 @@
+=pod
+
+=head1 NAME
+
+des - encrypt or decrypt data using Data Encryption Standard
+
+=head1 SYNOPSIS
+
+B<des>
+(
+B<-e>
+|
+B<-E>
+) | (
+B<-d>
+|
+B<-D>
+) | (
+B<->[B<cC>][B<ckname>]
+) |
+[
+B<-b3hfs>
+] [
+B<-k>
+I<key>
+]
+] [
+B<-u>[I<uuname>]
+[
+I<input-file>
+[
+I<output-file>
+] ]
+
+=head1 NOTE
+
+This page describes the B<des> stand-alone program, not the B<openssl des>
+command.
+
+=head1 DESCRIPTION
+
+B<des>
+encrypts and decrypts data using the
+Data Encryption Standard algorithm.
+One of
+B<-e>, B<-E>
+(for encrypt) or
+B<-d>, B<-D>
+(for decrypt) must be specified.
+It is also possible to use
+B<-c>
+or
+B<-C>
+in conjunction or instead of the a encrypt/decrypt option to generate
+a 16 character hexadecimal checksum, generated via the
+I<des_cbc_cksum>.
+
+Two standard encryption modes are supported by the
+B<des>
+program, Cipher Block Chaining (the default) and Electronic Code Book
+(specified with
+B<-b>).
+
+The key used for the DES
+algorithm is obtained by prompting the user unless the
+B<-k>
+I<key>
+option is given.
+If the key is an argument to the
+B<des>
+command, it is potentially visible to users executing
+ps(1)
+or a derivative.  To minimise this possibility,
+B<des>
+takes care to destroy the key argument immediately upon entry.
+If your shell keeps a history file be careful to make sure it is not
+world readable.
+
+Since this program attempts to maintain compatibility with sunOS's
+des(1) command, there are 2 different methods used to convert the user
+supplied key to a des key.
+Whenever and one or more of
+B<-E>, B<-D>, B<-C>
+or
+B<-3>
+options are used, the key conversion procedure will not be compatible
+with the sunOS des(1) version but will use all the user supplied
+character to generate the des key.
+B<des>
+command reads from standard input unless
+I<input-file>
+is specified and writes to standard output unless
+I<output-file>
+is given.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-b>
+
+Select ECB
+(eight bytes at a time) encryption mode.
+
+=item B<-3>
+
+Encrypt using triple encryption.
+By default triple cbc encryption is used but if the
+B<-b>
+option is used then triple ECB encryption is performed.
+If the key is less than 8 characters long, the flag has no effect.
+
+=item B<-e>
+
+Encrypt data using an 8 byte key in a manner compatible with sunOS
+des(1).
+
+=item B<-E>
+
+Encrypt data using a key of nearly unlimited length (1024 bytes).
+This will product a more secure encryption.
+
+=item B<-d>
+
+Decrypt data that was encrypted with the B<-e> option.
+
+=item B<-D>
+
+Decrypt data that was encrypted with the B<-E> option.
+
+=item B<-c>
+
+Generate a 16 character hexadecimal cbc checksum and output this to
+stderr.
+If a filename was specified after the
+B<-c>
+option, the checksum is output to that file.
+The checksum is generated using a key generated in a sunOS compatible
+manner.
+
+=item B<-C>
+
+A cbc checksum is generated in the same manner as described for the
+B<-c>
+option but the DES key is generated in the same manner as used for the
+B<-E>
+and
+B<-D>
+options
+
+=item B<-f>
+
+Does nothing - allowed for compatibility with sunOS des(1) command.
+
+=item B<-s>
+
+Does nothing - allowed for compatibility with sunOS des(1) command.
+
+=item B<-k> I<key>
+
+Use the encryption 
+I<key>
+specified.
+
+=item B<-h>
+
+The
+I<key>
+is assumed to be a 16 character hexadecimal number.
+If the
+B<-3>
+option is used the key is assumed to be a 32 character hexadecimal
+number.
+
+=item B<-u>
+
+This flag is used to read and write uuencoded files.  If decrypting,
+the input file is assumed to contain uuencoded, DES encrypted data.
+If encrypting, the characters following the B<-u> are used as the name of
+the uuencoded file to embed in the begin line of the uuencoded
+output.  If there is no name specified after the B<-u>, the name text.des
+will be embedded in the header.
+
+=head1 SEE ALSO
+
+ps(1),
+L<des_crypt(3)|des_crypt(3)>
+
+=head1 BUGS
+
+The problem with using the
+B<-e>
+option is the short key length.
+It would be better to use a real 56-bit key rather than an
+ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII
+radically reduces the time necessary for a brute-force cryptographic attack.
+My attempt to remove this problem is to add an alternative text-key to
+DES-key function.  This alternative function (accessed via
+B<-E>, B<-D>, B<-S>
+and
+B<-3>)
+uses DES to help generate the key.
+
+Be carefully when using the B<-u> option.  Doing B<des -ud> I<filename> will
+not decrypt filename (the B<-u> option will gobble the B<-d> option).
+
+The VMS operating system operates in a world where files are always a
+multiple of 512 bytes.  This causes problems when encrypted data is
+send from Unix to VMS since a 88 byte file will suddenly be padded
+with 424 null bytes.  To get around this problem, use the B<-u> option
+to uuencode the data before it is send to the VMS system.
+
+=head1 AUTHOR
+
+Eric Young (eay@cryptsoft.com)
+
+=cut
diff --git a/crypto/openssl/crypto/des/des3s.cpp b/crypto/openssl/crypto/des/des3s.cpp
new file mode 100644
index 0000000..02d527c
--- /dev/null
+++ b/crypto/openssl/crypto/des/des3s.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/des.h>
+
+void main(int argc,char *argv[])
+	{
+	des_key_schedule key1,key2,key3;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(s1);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(e1);
+			GetTSC(s2);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(e2);
+			des_encrypt3(&data[0],key1,key2,key3);
+			}
+
+		printf("des %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/des/des_crypt.man b/crypto/openssl/crypto/des/des_crypt.man
new file mode 100644
index 0000000..ed12ff9
--- /dev/null
+++ b/crypto/openssl/crypto/des/des_crypt.man
@@ -0,0 +1,509 @@
+.\" $FreeBSD$
+.TH DES_CRYPT 3 
+.SH NAME
+des_read_password, des_read_2password,
+des_string_to_key, des_string_to_2key, des_read_pw_string,
+des_random_key, des_set_key,
+des_key_sched, des_ecb_encrypt, des_ecb3_encrypt, des_cbc_encrypt,
+des_3cbc_encrypt,
+des_pcbc_encrypt, des_cfb_encrypt, des_ofb_encrypt,
+des_cbc_cksum, des_quad_cksum,
+des_enc_read, des_enc_write, des_set_odd_parity,
+des_is_weak_key, crypt \- (non USA) DES encryption
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <openssl/des.h>
+.PP
+.B int des_read_password(key,prompt,verify)
+des_cblock *key;
+char *prompt;
+int verify;
+.PP
+.B int des_read_2password(key1,key2,prompt,verify)
+des_cblock *key1,*key2;
+char *prompt;
+int verify;
+.PP
+.B int des_string_to_key(str,key)
+char *str;
+des_cblock *key;
+.PP
+.B int des_string_to_2keys(str,key1,key2)
+char *str;
+des_cblock *key1,*key2;
+.PP
+.B int des_read_pw_string(buf,length,prompt,verify)
+char *buf;
+int length;
+char *prompt;
+int verify;
+.PP
+.B int des_random_key(key)
+des_cblock *key;
+.PP
+.B int des_set_key(key,schedule)
+des_cblock *key;
+des_key_schedule schedule;
+.PP
+.B int des_key_sched(key,schedule)
+des_cblock *key;
+des_key_schedule schedule;
+.PP
+.B int des_ecb_encrypt(input,output,schedule,encrypt)
+des_cblock *input;
+des_cblock *output;
+des_key_schedule schedule;
+int encrypt;
+.PP
+.B int des_ecb3_encrypt(input,output,ks1,ks2,encrypt)
+des_cblock *input;
+des_cblock *output;
+des_key_schedule ks1,ks2;
+int encrypt;
+.PP
+.B int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt)
+des_cblock *input;
+des_cblock *output;
+long length;
+des_key_schedule schedule;
+des_cblock *ivec;
+int encrypt;
+.PP
+.B int des_3cbc_encrypt(input,output,length,sk1,sk2,ivec1,ivec2,encrypt)
+des_cblock *input;
+des_cblock *output;
+long length;
+des_key_schedule sk1;
+des_key_schedule sk2;
+des_cblock *ivec1;
+des_cblock *ivec2;
+int encrypt;
+.PP
+.B int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt)
+des_cblock *input;
+des_cblock *output;
+long length;
+des_key_schedule schedule;
+des_cblock *ivec;
+int encrypt;
+.PP
+.B int des_cfb_encrypt(input,output,numbits,length,schedule,ivec,encrypt)
+unsigned char *input;
+unsigned char *output;
+int numbits;
+long length;
+des_key_schedule schedule;
+des_cblock *ivec;
+int encrypt;
+.PP
+.B int des_ofb_encrypt(input,output,numbits,length,schedule,ivec)
+unsigned char *input,*output;
+int numbits;
+long length;
+des_key_schedule schedule;
+des_cblock *ivec;
+.PP
+.B unsigned long des_cbc_cksum(input,output,length,schedule,ivec)
+des_cblock *input;
+des_cblock *output;
+long length;
+des_key_schedule schedule;
+des_cblock *ivec;
+.PP
+.B unsigned long des_quad_cksum(input,output,length,out_count,seed)
+des_cblock *input;
+des_cblock *output;
+long length;
+int out_count;
+des_cblock *seed;
+.PP
+.B int des_check_key;
+.PP
+.B int des_enc_read(fd,buf,len,sched,iv)
+int fd;
+char *buf;
+int len;
+des_key_schedule sched;
+des_cblock *iv;
+.PP
+.B int des_enc_write(fd,buf,len,sched,iv)
+int fd;
+char *buf;
+int len;
+des_key_schedule sched;
+des_cblock *iv;
+.PP
+.B extern int des_rw_mode;
+.PP
+.B void des_set_odd_parity(key)
+des_cblock *key;
+.PP
+.B int des_is_weak_key(key)
+des_cblock *key;
+.PP
+.B char *crypt(passwd,salt)
+char *passwd;
+char *salt;
+.PP
+.fi
+.SH DESCRIPTION
+This library contains a fast implementation of the DES encryption
+algorithm.
+.PP
+There are two phases to the use of DES encryption.
+The first is the generation of a
+.I des_key_schedule
+from a key,
+the second is the actual encryption.
+A des key is of type
+.I des_cblock.
+This type is made from 8 characters with odd parity.
+The least significant bit in the character is the parity bit.
+The key schedule is an expanded form of the key; it is used to speed the
+encryption process.
+.PP
+.I des_read_password
+writes the string specified by prompt to the standard output,
+turns off echo and reads an input string from standard input
+until terminated with a newline.
+If verify is non-zero, it prompts and reads the input again and verifies
+that both entered passwords are the same.
+The entered string is converted into a des key by using the
+.I des_string_to_key
+routine.
+The new key is placed in the
+.I des_cblock
+that was passed (by reference) to the routine.
+If there were no errors,
+.I des_read_password
+returns 0,
+-1 is returned if there was a terminal error and 1 is returned for
+any other error.
+.PP
+.I des_read_2password
+operates in the same way as
+.I des_read_password
+except that it generates 2 keys by using the
+.I des_string_to_2key
+function.
+.PP
+.I des_read_pw_string
+is called by
+.I des_read_password
+to read and verify a string from a terminal device.
+The string is returned in
+.I buf.
+The size of
+.I buf
+is passed to the routine via the
+.I length
+parameter.
+.PP
+.I des_string_to_key
+converts a string into a valid des key.
+.PP
+.I des_string_to_2key
+converts a string into 2 valid des keys.
+This routine is best suited for used to generate keys for use with
+.I des_ecb3_encrypt.
+.PP
+.I des_random_key
+returns a random key that is made of a combination of process id,
+time and an increasing counter.
+.PP
+Before a des key can be used it is converted into a
+.I des_key_schedule
+via the
+.I des_set_key
+routine.
+If the
+.I des_check_key
+flag is non-zero,
+.I des_set_key
+will check that the key passed is of odd parity and is not a week or
+semi-weak key.
+If the parity is wrong,
+then -1 is returned.
+If the key is a weak key,
+then -2 is returned.
+If an error is returned,
+the key schedule is not generated.
+.PP
+.I des_key_sched
+is another name for the
+.I des_set_key
+function.
+.PP
+The following routines mostly operate on an input and output stream of
+.I des_cblock's.
+.PP
+.I des_ecb_encrypt
+is the basic DES encryption routine that encrypts or decrypts a single 8-byte
+.I des_cblock
+in
+.I electronic code book
+mode.
+It always transforms the input data, pointed to by
+.I input,
+into the output data,
+pointed to by the
+.I output
+argument.
+If the
+.I encrypt
+argument is non-zero (DES_ENCRYPT),
+the
+.I input
+(cleartext) is encrypted in to the
+.I output
+(ciphertext) using the key_schedule specified by the
+.I schedule
+argument,
+previously set via
+.I des_set_key.
+If
+.I encrypt
+is zero (DES_DECRYPT),
+the
+.I input
+(now ciphertext)
+is decrypted into the
+.I output
+(now cleartext).
+Input and output may overlap.
+No meaningful value is returned.
+.PP
+.I des_ecb3_encrypt
+encrypts/decrypts the
+.I input
+block by using triple ecb DES encryption.
+This involves encrypting the input with 
+.I ks1,
+decryption with the key schedule
+.I ks2,
+and then encryption with the first again.
+This routine greatly reduces the chances of brute force breaking of
+DES and has the advantage of if
+.I ks1
+and
+.I ks2
+are the same, it is equivalent to just encryption using ecb mode and
+.I ks1
+as the key.
+.PP
+.I des_cbc_encrypt
+encrypts/decrypts using the
+.I cipher-block-chaining
+mode of DES.
+If the
+.I encrypt
+argument is non-zero,
+the routine cipher-block-chain encrypts the cleartext data pointed to by the
+.I input
+argument into the ciphertext pointed to by the
+.I output
+argument,
+using the key schedule provided by the
+.I schedule
+argument,
+and initialisation vector provided by the
+.I ivec
+argument.
+If the
+.I length
+argument is not an integral multiple of eight bytes, 
+the last block is copied to a temporary area and zero filled.
+The output is always
+an integral multiple of eight bytes.
+To make multiple cbc encrypt calls on a large amount of data appear to
+be one 
+.I des_cbc_encrypt
+call, the
+.I ivec
+of subsequent calls should be the last 8 bytes of the output.
+.PP
+.I des_3cbc_encrypt
+encrypts/decrypts the
+.I input
+block by using triple cbc DES encryption.
+This involves encrypting the input with key schedule
+.I ks1,
+decryption with the key schedule
+.I ks2,
+and then encryption with the first again.
+2 initialisation vectors are required,
+.I ivec1
+and
+.I ivec2.
+Unlike
+.I des_cbc_encrypt,
+these initialisation vectors are modified by the subroutine.
+This routine greatly reduces the chances of brute force breaking of
+DES and has the advantage of if
+.I ks1
+and
+.I ks2
+are the same, it is equivalent to just encryption using cbc mode and
+.I ks1
+as the key.
+.PP
+.I des_pcbc_encrypt
+encrypt/decrypts using a modified block chaining mode.
+It provides better error propagation characteristics than cbc
+encryption.
+.PP
+.I des_cfb_encrypt
+encrypt/decrypts using cipher feedback mode.  This method takes an
+array of characters as input and outputs and array of characters.  It
+does not require any padding to 8 character groups.  Note: the ivec
+variable is changed and the new changed value needs to be passed to
+the next call to this function.  Since this function runs a complete
+DES ecb encryption per numbits, this function is only suggested for
+use when sending small numbers of characters.
+.PP
+.I des_ofb_encrypt
+encrypt using output feedback mode.  This method takes an
+array of characters as input and outputs and array of characters.  It
+does not require any padding to 8 character groups.  Note: the ivec
+variable is changed and the new changed value needs to be passed to
+the next call to this function.  Since this function runs a complete
+DES ecb encryption per numbits, this function is only suggested for
+use when sending small numbers of characters.
+.PP
+.I des_cbc_cksum
+produces an 8 byte checksum based on the input stream (via cbc encryption).
+The last 4 bytes of the checksum is returned and the complete 8 bytes is
+placed in
+.I output.
+.PP
+.I des_quad_cksum
+returns a 4 byte checksum from the input bytes.
+The algorithm can be iterated over the input,
+depending on
+.I out_count,
+1, 2, 3 or 4 times.
+If
+.I output
+is non-NULL,
+the 8 bytes generated by each pass are written into
+.I output.
+.PP
+.I des_enc_write
+is used to write
+.I len
+bytes
+to file descriptor
+.I fd
+from buffer
+.I buf.
+The data is encrypted via
+.I pcbc_encrypt
+(default) using
+.I sched
+for the key and
+.I iv
+as a starting vector.
+The actual data send down
+.I fd
+consists of 4 bytes (in network byte order) containing the length of the
+following encrypted data.  The encrypted data then follows, padded with random
+data out to a multiple of 8 bytes.
+.PP
+.I des_enc_read
+is used to read
+.I len
+bytes
+from file descriptor
+.I fd
+into buffer
+.I buf.
+The data being read from
+.I fd
+is assumed to have come from
+.I des_enc_write
+and is decrypted using
+.I sched
+for the key schedule and
+.I iv
+for the initial vector.
+The
+.I des_enc_read/des_enc_write
+pair can be used to read/write to files, pipes and sockets.
+I have used them in implementing a version of rlogin in which all
+data is encrypted.
+.PP
+.I des_rw_mode
+is used to specify the encryption mode to use with 
+.I des_enc_read
+and 
+.I des_end_write.
+If set to
+.I DES_PCBC_MODE
+(the default), des_pcbc_encrypt is used.
+If set to
+.I DES_CBC_MODE
+des_cbc_encrypt is used.
+These two routines and the variable are not part of the normal MIT library.
+.PP
+.I des_set_odd_parity
+sets the parity of the passed
+.I key
+to odd.  This routine is not part of the standard MIT library.
+.PP
+.I des_is_weak_key
+returns 1 is the passed key is a weak key (pick again :-),
+0 if it is ok.
+This routine is not part of the standard MIT library.
+.PP
+.I crypt
+is a replacement for the normal system crypt.
+It is much faster than the system crypt.
+.PP
+.SH FILES
+/usr/include/openssl/des.h
+.br
+/usr/lib/libcrypto.a
+.PP
+The encryption routines have been tested on 16bit, 32bit and 64bit
+machines of various endian and even works under VMS.
+.PP
+.SH BUGS
+.PP
+If you think this manual is sparse,
+read the des_crypt(3) manual from the MIT kerberos (or bones outside
+of the USA) distribution.
+.PP
+.I des_cfb_encrypt
+and
+.I des_ofb_encrypt
+operates on input of 8 bits.  What this means is that if you set
+numbits to 12, and length to 2, the first 12 bits will come from the 1st
+input byte and the low half of the second input byte.  The second 12
+bits will have the low 8 bits taken from the 3rd input byte and the
+top 4 bits taken from the 4th input byte.  The same holds for output.
+This function has been implemented this way because most people will
+be using a multiple of 8 and because once you get into pulling bytes input
+bytes apart things get ugly!
+.PP
+.I des_read_pw_string
+is the most machine/OS dependent function and normally generates the
+most problems when porting this code.
+.PP
+.I des_string_to_key
+is probably different from the MIT version since there are lots
+of fun ways to implement one-way encryption of a text string.
+.PP
+The routines are optimised for 32 bit machines and so are not efficient
+on IBM PCs.
+.PP
+NOTE: extensive work has been done on this library since this document
+was origionally written.  Please try to read des.doc from the libdes
+distribution since it is far more upto date and documents more of the
+functions.  Libdes is now also being shipped as part of SSLeay, a
+general cryptographic library that amonst other things implements
+netscapes SSL protocoll.  The most recent version can be found in
+SSLeay distributions.
+.SH AUTHOR
+Eric Young (eay@cryptsoft.com)
diff --git a/crypto/openssl/crypto/des/des_enc.c b/crypto/openssl/crypto/des/des_enc.c
new file mode 100644
index 0000000..8311e10
--- /dev/null
+++ b/crypto/openssl/crypto/des/des_enc.c
@@ -0,0 +1,406 @@
+/* crypto/des/des_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc)
+	{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	IP(r,l);
+	/* Things have been modified so that the initial rotate is
+	 * done outside the loop.  This required the
+	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * One perl script later and things have a 5% speed up on a sparc2.
+	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	 * for pointing this out. */
+	/* clear the top bits on machines with 8byte longs */
+	/* shift left by 2 */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=ks->ks.deslong;
+	/* I don't know if it is worth the effort of loop unrolling the
+	 * inner loop */
+	if (enc)
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+			{
+			D_ENCRYPT(l,r,i+0); /*  1 */
+			D_ENCRYPT(r,l,i+2); /*  2 */
+			D_ENCRYPT(l,r,i+4); /*  3 */
+			D_ENCRYPT(r,l,i+6); /*  4 */
+			}
+#endif
+		}
+	else
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+			{
+			D_ENCRYPT(l,r,i-0); /* 16 */
+			D_ENCRYPT(r,l,i-2); /* 15 */
+			D_ENCRYPT(l,r,i-4); /* 14 */
+			D_ENCRYPT(r,l,i-6); /* 13 */
+			}
+#endif
+		}
+
+	/* rotate and clear the top bits on machines with 8byte longs */
+	l=ROTATE(l,3)&0xffffffffL;
+	r=ROTATE(r,3)&0xffffffffL;
+
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	l=r=t=u=0;
+	}
+
+void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
+	{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	/* Things have been modified so that the initial rotate is
+	 * done outside the loop.  This required the
+	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * One perl script later and things have a 5% speed up on a sparc2.
+	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	 * for pointing this out. */
+	/* clear the top bits on machines with 8byte longs */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=ks->ks.deslong;
+	/* I don't know if it is worth the effort of loop unrolling the
+	 * inner loop */
+	if (enc)
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+			{
+			D_ENCRYPT(l,r,i+0); /*  1 */
+			D_ENCRYPT(r,l,i+2); /*  2 */
+			D_ENCRYPT(l,r,i+4); /*  3 */
+			D_ENCRYPT(r,l,i+6); /*  4 */
+			}
+#endif
+		}
+	else
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+			{
+			D_ENCRYPT(l,r,i-0); /* 16 */
+			D_ENCRYPT(r,l,i-2); /* 15 */
+			D_ENCRYPT(l,r,i-4); /* 14 */
+			D_ENCRYPT(r,l,i-6); /* 13 */
+			}
+#endif
+		}
+	/* rotate and clear the top bits on machines with 8byte longs */
+	data[0]=ROTATE(l,3)&0xffffffffL;
+	data[1]=ROTATE(r,3)&0xffffffffL;
+	l=r=t=u=0;
+	}
+
+void des_encrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
+	     des_key_schedule ks3)
+	{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	}
+
+void des_decrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
+	     des_key_schedule ks3)
+	{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	}
+
+#ifndef DES_DEFAULT_OPTIONS
+
+#undef CBC_ENC_C__DONT_UPDATE_IV
+#include "ncbc_enc.c" /* des_ncbc_encrypt */
+
+void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
+	     long length, des_key_schedule ks1, des_key_schedule ks2,
+	     des_key_schedule ks3, des_cblock *ivec, int enc)
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register const unsigned char *in;
+	unsigned char *out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=input;
+	out=output;
+	iv = &(*ivec)[0];
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+			}
+		iv = &(*ivec)[0];
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		register DES_LONG t0,t1;
+
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			tout0^=xor0;
+			tout1^=xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=t0;
+			xor1=t1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+		
+			tout0^=xor0;
+			tout1^=xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=t0;
+			xor1=t1;
+			}
+
+		iv = &(*ivec)[0];
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+#endif /* DES_DEFAULT_OPTIONS */
diff --git a/crypto/openssl/crypto/des/des_locl.h b/crypto/openssl/crypto/des/des_locl.h
new file mode 100644
index 0000000..1ace8f5
--- /dev/null
+++ b/crypto/openssl/crypto/des/des_locl.h
@@ -0,0 +1,412 @@
+/* crypto/des/des_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DES_LOCL_H
+#define HEADER_DES_LOCL_H
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/opensslconf.h>
+
+#ifndef MSDOS
+#if !defined(VMS) || defined(__DECC)
+#ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+#else
+# include <unistd.h>
+#endif
+#include <math.h>
+#endif
+#endif
+#include <openssl/des.h>
+
+#ifdef MSDOS		/* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#include <string.h>
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE	(1024*16)
+#define BSIZE		(MAXWRITE+4)
+
+#define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+			case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+			case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 5: l2|=((DES_LONG)(*(--(c))));     \
+			case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+			case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+			case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 1: l1|=((DES_LONG)(*(--(c))));     \
+				} \
+			}
+
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)	(l =((DES_LONG)(*((c)++)))<<24L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+#if defined(WIN32) && defined(_MSC_VER)
+#define	ROTATE(a,n)	(_lrotr(a,n))
+#else
+#define	ROTATE(a,n)	(((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+	{ DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	t=R^(R>>16L); \
+	u=t&E0; t&=E1; \
+	tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
+	tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	u=R^s[S  ]; \
+	t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the architecture.  gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occurred to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together.  This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	u>>=16L; \
+	LL^= *(const DES_LONG *)(des_SP      +u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+	u3=(int)(u>>8L); \
+	u1=(int)u&0xfc; \
+	u3&=0xfc; \
+	LL^= *(const DES_LONG *)(des_SP+0x400+u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x600+u3); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	t>>=16L; \
+	LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+	u3=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u3&=0xfc; \
+	LL^= *(const DES_LONG *)(des_SP+0x500+u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	LL^= *(const DES_LONG *)(des_SP      +u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+	s1=(int)(u>>16L); \
+	s2=(int)(u>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(const DES_LONG *)(des_SP+0x400+s1); \
+	LL^= *(const DES_LONG *)(des_SP+0x600+s2); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+	LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+	s1=(int)(t>>16L); \
+	s2=(int)(t>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(const DES_LONG *)(des_SP+0x500+s1); \
+	LL^= *(const DES_LONG *)(des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^= \
+	*(const DES_LONG *)(des_SP      +((u     )&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x200+((u>> 8L)&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x400+((u>>16L)&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x600+((u>>24L)&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x100+((t     )&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x300+((t>> 8L)&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x500+((t>>16L)&0xfc))^ \
+	*(const DES_LONG *)(des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	u>>=16L; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	u3=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[4][u1]; \
+	LL^=des_SPtrans[6][u3]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	t>>=16L; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	u3=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[5][u1]; \
+	LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	s1=(int)u>>16L; \
+	s2=(int)u>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[4][s1]; \
+	LL^=des_SPtrans[6][s2]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	s1=(int)t>>16; \
+	s2=(int)t>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[5][s1]; \
+	LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^=\
+		des_SPtrans[0][(u>> 2L)&0x3f]^ \
+		des_SPtrans[2][(u>>10L)&0x3f]^ \
+		des_SPtrans[4][(u>>18L)&0x3f]^ \
+		des_SPtrans[6][(u>>26L)&0x3f]^ \
+		des_SPtrans[1][(t>> 2L)&0x3f]^ \
+		des_SPtrans[3][(t>>10L)&0x3f]^ \
+		des_SPtrans[5][(t>>18L)&0x3f]^ \
+		des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+	/* IP and FP
+	 * The problem is more of a geometric problem that random bit fiddling.
+	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+	16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+	24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+	32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+	40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+	48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+	56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+	The output has been subject to swaps of the form
+	0 1 -> 3 1 but the odd and even bits have been put into
+	2 3    2 0
+	different words.  The main trick is to remember that
+	t=((l>>size)^r)&(mask);
+	r^=t;
+	l^=(t<<size);
+	can be used to swap and move bits between words.
+
+	So l =  0  1  2  3  r = 16 17 18 19
+	        4  5  6  7      20 21 22 23
+	        8  9 10 11      24 25 26 27
+	       12 13 14 15      28 29 30 31
+	becomes (for size == 2 and mask == 0x3333)
+	   t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+		 6^20  7^21 -- --        4  5 20 21       6  7 22 23
+		10^24 11^25 -- --        8  9 24 25      10 11 24 25
+		14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+	Thanks for hints from Richard Outerbridge - he told me IP&FP
+	could be done in 15 xor, 10 shifts and 5 ands.
+	When I finally started to think of the problem in 2D
+	I first got ~42 operations without xors.  When I remembered
+	how to use xors :-) I got it to its final state.
+	*/
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+	(b)^=(t),\
+	(a)^=((t)<<(n)))
+
+#define IP(l,r) \
+	{ \
+	register DES_LONG tt; \
+	PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+	PERM_OP(l,r,tt,16,0x0000ffffL); \
+	PERM_OP(r,l,tt, 2,0x33333333L); \
+	PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+	PERM_OP(r,l,tt, 1,0x55555555L); \
+	}
+
+#define FP(l,r) \
+	{ \
+	register DES_LONG tt; \
+	PERM_OP(l,r,tt, 1,0x55555555L); \
+	PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+	PERM_OP(l,r,tt, 2,0x33333333L); \
+	PERM_OP(r,l,tt,16,0x0000ffffL); \
+	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+	}
+
+OPENSSL_EXTERN const DES_LONG des_SPtrans[8][64];
+
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+	DES_LONG Eswap0, DES_LONG Eswap1);
+#endif
diff --git a/crypto/openssl/crypto/des/des_opts.c b/crypto/openssl/crypto/des/des_opts.c
new file mode 100644
index 0000000..b2ca7ac
--- /dev/null
+++ b/crypto/openssl/crypto/des/des_opts.c
@@ -0,0 +1,604 @@
+/* crypto/des/des_opts.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
+ * This is for machines with 64k code segment size restrictions. */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+#ifndef MSDOS
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD
+#else
+#include <io.h>
+extern void exit();
+#endif
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/des.h>
+#include "spr.h"
+
+#define DES_DEFAULT_OPTIONS
+
+#if !defined(PART1) && !defined(PART2) && !defined(PART3) && !defined(PART4)
+#define PART1
+#define PART2
+#define PART3
+#define PART4
+#endif
+
+#ifdef PART1
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#define des_encrypt  des_encrypt_u4_cisc_idx
+#define des_encrypt2 des_encrypt2_u4_cisc_idx
+#define des_encrypt3 des_encrypt3_u4_cisc_idx
+#define des_decrypt3 des_decrypt3_u4_cisc_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_cisc_idx
+#define des_encrypt2 des_encrypt2_u16_cisc_idx
+#define des_encrypt3 des_encrypt3_u16_cisc_idx
+#define des_decrypt3 des_decrypt3_u16_cisc_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#undef DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc1_idx
+#define des_encrypt2 des_encrypt2_u4_risc1_idx
+#define des_encrypt3 des_encrypt3_u4_risc1_idx
+#define des_decrypt3 des_decrypt3_u4_risc1_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART2
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc2_idx
+#define des_encrypt2 des_encrypt2_u4_risc2_idx
+#define des_encrypt3 des_encrypt3_u4_risc2_idx
+#define des_decrypt3 des_decrypt3_u4_risc2_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc1_idx
+#define des_encrypt2 des_encrypt2_u16_risc1_idx
+#define des_encrypt3 des_encrypt3_u16_risc1_idx
+#define des_decrypt3 des_decrypt3_u16_risc1_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc2_idx
+#define des_encrypt2 des_encrypt2_u16_risc2_idx
+#define des_encrypt3 des_encrypt3_u16_risc2_idx
+#define des_decrypt3 des_decrypt3_u16_risc2_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART3
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_cisc_ptr
+#define des_encrypt2 des_encrypt2_u4_cisc_ptr
+#define des_encrypt3 des_encrypt3_u4_cisc_ptr
+#define des_decrypt3 des_decrypt3_u4_cisc_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_cisc_ptr
+#define des_encrypt2 des_encrypt2_u16_cisc_ptr
+#define des_encrypt3 des_encrypt3_u16_cisc_ptr
+#define des_decrypt3 des_decrypt3_u16_cisc_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#undef DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc1_ptr
+#define des_encrypt2 des_encrypt2_u4_risc1_ptr
+#define des_encrypt3 des_encrypt3_u4_risc1_ptr
+#define des_decrypt3 des_decrypt3_u4_risc1_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART4
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc2_ptr
+#define des_encrypt2 des_encrypt2_u4_risc2_ptr
+#define des_encrypt3 des_encrypt3_u4_risc2_ptr
+#define des_decrypt3 des_decrypt3_u4_risc2_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc1_ptr
+#define des_encrypt2 des_encrypt2_u16_risc1_ptr
+#define des_encrypt3 des_encrypt3_u16_risc1_ptr
+#define des_decrypt3 des_decrypt3_u16_risc1_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc2_ptr
+#define des_encrypt2 des_encrypt2_u16_risc2_ptr
+#define des_encrypt3 des_encrypt3_u16_risc2_ptr
+#define des_decrypt3 des_decrypt3_u16_risc2_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+#ifdef SIGALRM
+#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10);
+#else
+#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb);
+#endif
+	
+#define time_it(func,name,index) \
+	print_name(name); \
+	Time_F(START); \
+	for (count=0,run=1; COND(cb); count++) \
+		{ \
+		unsigned long d[2]; \
+		func(d,&(sch[0]),DES_ENCRYPT); \
+		} \
+	tm[index]=Time_F(STOP); \
+	fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
+	tm[index]=((double)COUNT(cb))/tm[index];
+
+#define print_it(name,index) \
+	fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \
+		tm[index]*8,1.0e6/tm[index]);
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	des_key_schedule sch,sch2,sch3;
+	double d,tm[16],max=0;
+	int rank[16];
+	char *str[16];
+	int max_idx=0,i,num=0,j;
+#ifndef SIGALARM
+	long ca,cb,cc,cd,ce;
+#endif
+
+	for (i=0; i<12; i++)
+		{
+		tm[i]=0.0;
+		rank[i]=0;
+		}
+
+#ifndef TIMES
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
+	fprintf(stderr,"program when this computer is idle.\n");
+#endif
+
+	des_set_key_unchecked(&key,sch);
+	des_set_key_unchecked(&key2,sch2);
+	des_set_key_unchecked(&key3,sch3);
+
+#ifndef SIGALRM
+	fprintf(stderr,"First we calculate the approximate speed ...\n");
+	des_set_key_unchecked(&key,sch);
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			des_encrypt(data,&(sch[0]),DES_ENCRYPT);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count;
+	cb=count*3;
+	cc=count*3*8/BUFSIZE+1;
+	cd=count*8/BUFSIZE+1;
+
+	ce=count/20+1;
+#define COND(d) (count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c) (run)
+#define COUNT(d) (count)
+        signal(SIGALRM,sig_done);
+        alarm(10);
+#endif
+
+#ifdef PART1
+	time_it(des_encrypt_u4_cisc_idx,  "des_encrypt_u4_cisc_idx  ", 0);
+	time_it(des_encrypt_u16_cisc_idx, "des_encrypt_u16_cisc_idx ", 1);
+	time_it(des_encrypt_u4_risc1_idx, "des_encrypt_u4_risc1_idx ", 2);
+	num+=3;
+#endif
+#ifdef PART2
+	time_it(des_encrypt_u16_risc1_idx,"des_encrypt_u16_risc1_idx", 3);
+	time_it(des_encrypt_u4_risc2_idx, "des_encrypt_u4_risc2_idx ", 4);
+	time_it(des_encrypt_u16_risc2_idx,"des_encrypt_u16_risc2_idx", 5);
+	num+=3;
+#endif
+#ifdef PART3
+	time_it(des_encrypt_u4_cisc_ptr,  "des_encrypt_u4_cisc_ptr  ", 6);
+	time_it(des_encrypt_u16_cisc_ptr, "des_encrypt_u16_cisc_ptr ", 7);
+	time_it(des_encrypt_u4_risc1_ptr, "des_encrypt_u4_risc1_ptr ", 8);
+	num+=3;
+#endif
+#ifdef PART4
+	time_it(des_encrypt_u16_risc1_ptr,"des_encrypt_u16_risc1_ptr", 9);
+	time_it(des_encrypt_u4_risc2_ptr, "des_encrypt_u4_risc2_ptr ",10);
+	time_it(des_encrypt_u16_risc2_ptr,"des_encrypt_u16_risc2_ptr",11);
+	num+=3;
+#endif
+
+#ifdef PART1
+	str[0]=" 4  c i";
+	print_it("des_encrypt_u4_cisc_idx  ",0);
+	max=tm[0];
+	max_idx=0;
+	str[1]="16  c i";
+	print_it("des_encrypt_u16_cisc_idx ",1);
+	if (max < tm[1]) { max=tm[1]; max_idx=1; }
+	str[2]=" 4 r1 i";
+	print_it("des_encrypt_u4_risc1_idx ",2);
+	if (max < tm[2]) { max=tm[2]; max_idx=2; }
+#endif
+#ifdef PART2
+	str[3]="16 r1 i";
+	print_it("des_encrypt_u16_risc1_idx",3);
+	if (max < tm[3]) { max=tm[3]; max_idx=3; }
+	str[4]=" 4 r2 i";
+	print_it("des_encrypt_u4_risc2_idx ",4);
+	if (max < tm[4]) { max=tm[4]; max_idx=4; }
+	str[5]="16 r2 i";
+	print_it("des_encrypt_u16_risc2_idx",5);
+	if (max < tm[5]) { max=tm[5]; max_idx=5; }
+#endif
+#ifdef PART3
+	str[6]=" 4  c p";
+	print_it("des_encrypt_u4_cisc_ptr  ",6);
+	if (max < tm[6]) { max=tm[6]; max_idx=6; }
+	str[7]="16  c p";
+	print_it("des_encrypt_u16_cisc_ptr ",7);
+	if (max < tm[7]) { max=tm[7]; max_idx=7; }
+	str[8]=" 4 r1 p";
+	print_it("des_encrypt_u4_risc1_ptr ",8);
+	if (max < tm[8]) { max=tm[8]; max_idx=8; }
+#endif
+#ifdef PART4
+	str[9]="16 r1 p";
+	print_it("des_encrypt_u16_risc1_ptr",9);
+	if (max < tm[9]) { max=tm[9]; max_idx=9; }
+	str[10]=" 4 r2 p";
+	print_it("des_encrypt_u4_risc2_ptr ",10);
+	if (max < tm[10]) { max=tm[10]; max_idx=10; }
+	str[11]="16 r2 p";
+	print_it("des_encrypt_u16_risc2_ptr",11);
+	if (max < tm[11]) { max=tm[11]; max_idx=11; }
+#endif
+	printf("options    des ecb/s\n");
+	printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]);
+	d=tm[max_idx];
+	tm[max_idx]= -2.0;
+	max= -1.0;
+	for (;;)
+		{
+		for (i=0; i<12; i++)
+			{
+			if (max < tm[i]) { max=tm[i]; j=i; }
+			}
+		if (max < 0.0) break;
+		printf("%s %12.2f  %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0);
+		tm[j]= -2.0;
+		max= -1.0;
+		}
+
+	switch (max_idx)
+		{
+	case 0:
+		printf("-DDES_DEFAULT_OPTIONS\n");
+		break;
+	case 1:
+		printf("-DDES_UNROLL\n");
+		break;
+	case 2:
+		printf("-DDES_RISC1\n");
+		break;
+	case 3:
+		printf("-DDES_UNROLL -DDES_RISC1\n");
+		break;
+	case 4:
+		printf("-DDES_RISC2\n");
+		break;
+	case 5:
+		printf("-DDES_UNROLL -DDES_RISC2\n");
+		break;
+	case 6:
+		printf("-DDES_PTR\n");
+		break;
+	case 7:
+		printf("-DDES_UNROLL -DDES_PTR\n");
+		break;
+	case 8:
+		printf("-DDES_RISC1 -DDES_PTR\n");
+		break;
+	case 9:
+		printf("-DDES_UNROLL -DDES_RISC1 -DDES_PTR\n");
+		break;
+	case 10:
+		printf("-DDES_RISC2 -DDES_PTR\n");
+		break;
+	case 11:
+		printf("-DDES_UNROLL -DDES_RISC2 -DDES_PTR\n");
+		break;
+		}
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/des/des_ver.h b/crypto/openssl/crypto/des/des_ver.h
new file mode 100644
index 0000000..de3c02f
--- /dev/null
+++ b/crypto/openssl/crypto/des/des_ver.h
@@ -0,0 +1,61 @@
+/* crypto/des/des_ver.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/e_os2.h>
+OPENSSL_EXTERN char *DES_version;	/* SSLeay version string */
+OPENSSL_EXTERN char *libdes_version;	/* old libdes version string */
diff --git a/crypto/openssl/crypto/des/dess.cpp b/crypto/openssl/crypto/des/dess.cpp
new file mode 100644
index 0000000..753e67a
--- /dev/null
+++ b/crypto/openssl/crypto/des/dess.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/des.h>
+
+void main(int argc,char *argv[])
+	{
+	des_key_schedule key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			des_encrypt(&data[0],key,1);
+			GetTSC(s1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			GetTSC(e1);
+			GetTSC(s2);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			GetTSC(e2);
+			des_encrypt(&data[0],key,1);
+			}
+
+		printf("des %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/des/destest.c b/crypto/openssl/crypto/des/destest.c
new file mode 100644
index 0000000..df0d615
--- /dev/null
+++ b/crypto/openssl/crypto/des/destest.c
@@ -0,0 +1,927 @@
+/* crypto/des/destest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#if defined(WIN32) || defined(WIN16) || defined(WINDOWS)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifndef MSDOS
+#if !defined(VMS) || defined(__DECC)
+#include <openssl/opensslconf.h>
+#include OPENSSL_UNISTD
+#endif /* VMS */
+#else
+#include <io.h>
+#endif
+#include <string.h>
+
+#ifdef NO_DES
+int main(int argc, char *argv[])
+{
+    printf("No DES support\n");
+    return(0);
+}
+#else
+#include <openssl/des.h>
+
+#if defined(PERL5) || defined(__FreeBSD__)
+#define crypt(c,s) (des_crypt((c),(s)))
+#endif
+
+/* tisk tisk - the test keys don't all have odd parity :-( */
+/* test data */
+#define NUM_TESTS 34
+static unsigned char key_data[NUM_TESTS][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10},
+	{0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57},
+	{0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E},
+	{0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86},
+	{0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E},
+	{0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6},
+	{0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE},
+	{0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6},
+	{0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE},
+	{0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16},
+	{0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F},
+	{0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46},
+	{0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E},
+	{0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76},
+	{0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07},
+	{0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F},
+	{0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7},
+	{0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF},
+	{0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6},
+	{0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF},
+	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+	{0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
+	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}};
+
+static unsigned char plain_data[NUM_TESTS][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42},
+	{0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA},
+	{0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72},
+	{0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A},
+	{0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2},
+	{0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A},
+	{0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2},
+	{0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A},
+	{0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02},
+	{0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A},
+	{0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32},
+	{0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA},
+	{0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62},
+	{0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2},
+	{0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA},
+	{0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92},
+	{0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A},
+	{0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2},
+	{0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}};
+
+static unsigned char cipher_data[NUM_TESTS][8]={
+	{0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7},
+	{0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58},
+	{0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B},
+	{0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33},
+	{0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D},
+	{0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD},
+	{0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7},
+	{0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4},
+	{0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B},
+	{0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71},
+	{0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A},
+	{0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A},
+	{0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95},
+	{0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B},
+	{0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09},
+	{0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A},
+	{0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F},
+	{0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88},
+	{0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77},
+	{0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A},
+	{0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56},
+	{0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56},
+	{0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56},
+	{0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC},
+	{0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A},
+	{0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41},
+	{0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93},
+	{0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00},
+	{0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06},
+	{0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7},
+	{0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51},
+	{0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE},
+	{0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D},
+	{0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2}};
+
+static unsigned char cipher_ecb2[NUM_TESTS-1][8]={
+	{0x92,0x95,0xB5,0x9B,0xB3,0x84,0x73,0x6E},
+	{0x19,0x9E,0x9D,0x6D,0xF3,0x9A,0xA8,0x16},
+	{0x2A,0x4B,0x4D,0x24,0x52,0x43,0x84,0x27},
+	{0x35,0x84,0x3C,0x01,0x9D,0x18,0xC5,0xB6},
+	{0x4A,0x5B,0x2F,0x42,0xAA,0x77,0x19,0x25},
+	{0xA0,0x6B,0xA9,0xB8,0xCA,0x5B,0x17,0x8A},
+	{0xAB,0x9D,0xB7,0xFB,0xED,0x95,0xF2,0x74},
+	{0x3D,0x25,0x6C,0x23,0xA7,0x25,0x2F,0xD6},
+	{0xB7,0x6F,0xAB,0x4F,0xBD,0xBD,0xB7,0x67},
+	{0x8F,0x68,0x27,0xD6,0x9C,0xF4,0x1A,0x10},
+	{0x82,0x57,0xA1,0xD6,0x50,0x5E,0x81,0x85},
+	{0xA2,0x0F,0x0A,0xCD,0x80,0x89,0x7D,0xFA},
+	{0xCD,0x2A,0x53,0x3A,0xDB,0x0D,0x7E,0xF3},
+	{0xD2,0xC2,0xBE,0x27,0xE8,0x1B,0x68,0xE3},
+	{0xE9,0x24,0xCF,0x4F,0x89,0x3C,0x5B,0x0A},
+	{0xA7,0x18,0xC3,0x9F,0xFA,0x9F,0xD7,0x69},
+	{0x77,0x2C,0x79,0xB1,0xD2,0x31,0x7E,0xB1},
+	{0x49,0xAB,0x92,0x7F,0xD0,0x22,0x00,0xB7},
+	{0xCE,0x1C,0x6C,0x7D,0x85,0xE3,0x4A,0x6F},
+	{0xBE,0x91,0xD6,0xE1,0x27,0xB2,0xE9,0x87},
+	{0x70,0x28,0xAE,0x8F,0xD1,0xF5,0x74,0x1A},
+	{0xAA,0x37,0x80,0xBB,0xF3,0x22,0x1D,0xDE},
+	{0xA6,0xC4,0xD2,0x5E,0x28,0x93,0xAC,0xB3},
+	{0x22,0x07,0x81,0x5A,0xE4,0xB7,0x1A,0xAD},
+	{0xDC,0xCE,0x05,0xE7,0x07,0xBD,0xF5,0x84},
+	{0x26,0x1D,0x39,0x2C,0xB3,0xBA,0xA5,0x85},
+	{0xB4,0xF7,0x0F,0x72,0xFB,0x04,0xF0,0xDC},
+	{0x95,0xBA,0xA9,0x4E,0x87,0x36,0xF2,0x89},
+	{0xD4,0x07,0x3A,0xF1,0x5A,0x17,0x82,0x0E},
+	{0xEF,0x6F,0xAF,0xA7,0x66,0x1A,0x7E,0x89},
+	{0xC1,0x97,0xF5,0x58,0x74,0x8A,0x20,0xE7},
+	{0x43,0x34,0xCF,0xDA,0x22,0xC4,0x86,0xC8},
+	{0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}};
+
+static unsigned char cbc_key [8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
+static unsigned char cbc2_key[8]={0xf1,0xe0,0xd3,0xc2,0xb5,0xa4,0x97,0x86};
+static unsigned char cbc3_key[8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
+static unsigned char cbc_iv  [8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
+/* Changed the following text constant to binary so it will work on ebcdic
+ * machines :-) */
+/* static char cbc_data[40]="7654321 Now is the time for \0001"; */
+static unsigned char cbc_data[40]={
+	0x37,0x36,0x35,0x34,0x33,0x32,0x31,0x20,
+	0x4E,0x6F,0x77,0x20,0x69,0x73,0x20,0x74,
+	0x68,0x65,0x20,0x74,0x69,0x6D,0x65,0x20,
+	0x66,0x6F,0x72,0x20,0x00,0x31,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	};
+
+static unsigned char cbc_ok[32]={
+	0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4,
+	0xac,0xd8,0xae,0xfd,0xdf,0xd8,0xa1,0xeb,
+	0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68,
+	0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
+
+#ifdef SCREW_THE_PARITY
+#error "SCREW_THE_PARITY is not ment to be defined."
+#error "Original vectors are preserved for reference only."
+static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
+static unsigned char xcbc_ok[32]={
+	0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48,
+	0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD,
+	0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76,
+	0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2,
+	};
+#else
+static unsigned char xcbc_ok[32]={
+	0x84,0x6B,0x29,0x14,0x85,0x1E,0x9A,0x29,
+	0x54,0x73,0x2F,0x8A,0xA0,0xA6,0x11,0xC1,
+	0x15,0xCD,0xC2,0xD7,0x95,0x1B,0x10,0x53,
+	0xA6,0x3C,0x5E,0x03,0xB2,0x1A,0xA3,0xC4,
+	};
+#endif
+
+static unsigned char cbc3_ok[32]={
+	0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0,
+	0x22,0x13,0x76,0x3C,0x1C,0xBD,0x4C,0xDC,
+	0x79,0x96,0x57,0xC0,0x64,0xEC,0xF5,0xD4,
+	0x1C,0x67,0x38,0x12,0xCF,0xDE,0x96,0x75};
+
+static unsigned char pcbc_ok[32]={
+	0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4,
+	0x6d,0xec,0xb4,0x70,0xa0,0xe5,0x6b,0x15,
+	0xae,0xa6,0xbf,0x61,0xed,0x7d,0x9c,0x9f,
+	0xf7,0x17,0x46,0x3b,0x8a,0xb3,0xcc,0x88};
+
+static unsigned char cfb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
+static unsigned char cfb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef};
+static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8];
+static unsigned char plain[24]=
+	{
+	0x4e,0x6f,0x77,0x20,0x69,0x73,
+	0x20,0x74,0x68,0x65,0x20,0x74,
+	0x69,0x6d,0x65,0x20,0x66,0x6f,
+	0x72,0x20,0x61,0x6c,0x6c,0x20
+	};
+static unsigned char cfb_cipher8[24]= {
+	0xf3,0x1f,0xda,0x07,0x01,0x14, 0x62,0xee,0x18,0x7f,0x43,0xd8,
+	0x0a,0x7c,0xd9,0xb5,0xb0,0xd2, 0x90,0xda,0x6e,0x5b,0x9a,0x87 };
+static unsigned char cfb_cipher16[24]={
+	0xF3,0x09,0x87,0x87,0x7F,0x57, 0xF7,0x3C,0x36,0xB6,0xDB,0x70,
+	0xD8,0xD5,0x34,0x19,0xD3,0x86, 0xB2,0x23,0xB7,0xB2,0xAD,0x1B };
+static unsigned char cfb_cipher32[24]={
+	0xF3,0x09,0x62,0x49,0xA4,0xDF, 0xA4,0x9F,0x33,0xDC,0x7B,0xAD,
+	0x4C,0xC8,0x9F,0x64,0xE4,0x53, 0xE5,0xEC,0x67,0x20,0xDA,0xB6 };
+static unsigned char cfb_cipher48[24]={
+	0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x30,0xB5,0x15,0xEC,0xBB,0x85,
+	0x97,0x5A,0x13,0x8C,0x68,0x60, 0xE2,0x38,0x34,0x3C,0xDC,0x1F };
+static unsigned char cfb_cipher64[24]={
+	0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x6E,0x51,0xA6,0x9E,0x83,0x9B,
+	0x1A,0x92,0xF7,0x84,0x03,0x46, 0x71,0x33,0x89,0x8E,0xA6,0x22 };
+
+static unsigned char ofb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
+static unsigned char ofb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef};
+static unsigned char ofb_buf1[24],ofb_buf2[24],ofb_tmp[8];
+static unsigned char ofb_cipher[24]=
+	{
+	0xf3,0x09,0x62,0x49,0xc7,0xf4,0x6e,0x51,
+	0x35,0xf2,0x4a,0x24,0x2e,0xeb,0x3d,0x3f,
+	0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
+	};
+
+static DES_LONG cbc_cksum_ret=0xB462FEF7L;
+static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
+
+static char *pt(unsigned char *p);
+static int cfb_test(int bits, unsigned char *cfb_cipher);
+static int cfb64_test(unsigned char *cfb_cipher);
+static int ede_cfb64_test(unsigned char *cfb_cipher);
+int main(int argc, char *argv[])
+	{
+	int i,j,err=0;
+	des_cblock in,out,outin,iv3,iv2;
+	des_key_schedule ks,ks2,ks3;
+	unsigned char cbc_in[40];
+	unsigned char cbc_out[40];
+	DES_LONG cs;
+	unsigned char cret[8];
+#ifdef _CRAY
+        struct {
+            int a:32;
+            int b:32;
+        } lqret[2];
+#else
+        DES_LONG lqret[4];
+#endif
+	int num;
+	char *str;
+
+#ifndef NO_DESCBCM
+	printf("Doing cbcm\n");
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	memset(cbc_out,0,40);
+	memset(cbc_in,0,40);
+	i=strlen((char *)cbc_data)+1;
+	/* i=((i+7)/8)*8; */
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	memset(iv2,'\0',sizeof iv2);
+
+	des_ede3_cbcm_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,&iv2,
+			      DES_ENCRYPT);
+	des_ede3_cbcm_encrypt(&cbc_data[16],&cbc_out[16],i-16,ks,ks2,ks3,
+			      &iv3,&iv2,DES_ENCRYPT);
+	/*	if (memcmp(cbc_out,cbc3_ok,
+		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
+		{
+		printf("des_ede3_cbc_encrypt encrypt error\n");
+		err=1;
+		}
+	*/
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	memset(iv2,'\0',sizeof iv2);
+	des_ede3_cbcm_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,&iv2,DES_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
+		{
+		int n;
+
+		printf("des_ede3_cbcm_encrypt decrypt error\n");
+		for(n=0 ; n < i ; ++n)
+		    printf(" %02x",cbc_data[n]);
+		printf("\n");
+		for(n=0 ; n < i ; ++n)
+		    printf(" %02x",cbc_in[n]);
+		printf("\n");
+		err=1;
+		}
+#endif
+
+	printf("Doing ecb\n");
+	for (i=0; i<NUM_TESTS; i++)
+		{
+		des_set_key_unchecked(&key_data[i],ks);
+		memcpy(in,plain_data[i],8);
+		memset(out,0,8);
+		memset(outin,0,8);
+		des_ecb_encrypt(&in,&out,ks,DES_ENCRYPT);
+		des_ecb_encrypt(&out,&outin,ks,DES_DECRYPT);
+
+		if (memcmp(out,cipher_data[i],8) != 0)
+			{
+			printf("Encryption error %2d\nk=%s p=%s o=%s act=%s\n",
+				i+1,pt(key_data[i]),pt(in),pt(cipher_data[i]),
+				pt(out));
+			err=1;
+			}
+		if (memcmp(in,outin,8) != 0)
+			{
+			printf("Decryption error %2d\nk=%s p=%s o=%s act=%s\n",
+				i+1,pt(key_data[i]),pt(out),pt(in),pt(outin));
+			err=1;
+			}
+		}
+
+#ifndef LIBDES_LIT
+	printf("Doing ede ecb\n");
+	for (i=0; i<(NUM_TESTS-1); i++)
+		{
+		des_set_key_unchecked(&key_data[i],ks);
+		des_set_key_unchecked(&key_data[i+1],ks2);
+		des_set_key_unchecked(&key_data[i+2],ks3);
+		memcpy(in,plain_data[i],8);
+		memset(out,0,8);
+		memset(outin,0,8);
+		des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
+		des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);
+
+		if (memcmp(out,cipher_ecb2[i],8) != 0)
+			{
+			printf("Encryption error %2d\nk=%s p=%s o=%s act=%s\n",
+				i+1,pt(key_data[i]),pt(in),pt(cipher_ecb2[i]),
+				pt(out));
+			err=1;
+			}
+		if (memcmp(in,outin,8) != 0)
+			{
+			printf("Decryption error %2d\nk=%s p=%s o=%s act=%s\n",
+				i+1,pt(key_data[i]),pt(out),pt(in),pt(outin));
+			err=1;
+			}
+		}
+#endif
+
+	printf("Doing cbc\n");
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	memset(cbc_out,0,40);
+	memset(cbc_in,0,40);
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	des_ncbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
+			 &iv3,DES_ENCRYPT);
+	if (memcmp(cbc_out,cbc_ok,32) != 0)
+		{
+		printf("cbc_encrypt encrypt error\n");
+		err=1;
+		}
+
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	des_ncbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
+			 &iv3,DES_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)) != 0)
+		{
+		printf("cbc_encrypt decrypt error\n");
+		err=1;
+		}
+
+#ifndef LIBDES_LIT
+	printf("Doing desx cbc\n");
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	memset(cbc_out,0,40);
+	memset(cbc_in,0,40);
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	des_xcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
+			 &iv3,&cbc2_key,&cbc3_key, DES_ENCRYPT);
+	if (memcmp(cbc_out,xcbc_ok,32) != 0)
+		{
+		printf("des_xcbc_encrypt encrypt error\n");
+		err=1;
+		}
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	des_xcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
+			 &iv3,&cbc2_key,&cbc3_key, DES_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
+		{
+		printf("des_xcbc_encrypt decrypt error\n");
+		err=1;
+		}
+#endif
+
+	printf("Doing ede cbc\n");
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	memset(cbc_out,0,40);
+	memset(cbc_in,0,40);
+	i=strlen((char *)cbc_data)+1;
+	/* i=((i+7)/8)*8; */
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+
+	des_ede3_cbc_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,DES_ENCRYPT);
+	des_ede3_cbc_encrypt(&(cbc_data[16]),&(cbc_out[16]),i-16,ks,ks2,ks3,
+			     &iv3,DES_ENCRYPT);
+	if (memcmp(cbc_out,cbc3_ok,
+		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
+		{
+		printf("des_ede3_cbc_encrypt encrypt error\n");
+		err=1;
+		}
+
+	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
+	des_ede3_cbc_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,DES_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
+		{
+		printf("des_ede3_cbc_encrypt decrypt error\n");
+		err=1;
+		}
+
+#ifndef LIBDES_LIT
+	printf("Doing pcbc\n");
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+		{
+		printf("Key error %d\n",j);
+		err=1;
+		}
+	memset(cbc_out,0,40);
+	memset(cbc_in,0,40);
+	des_pcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
+			 &cbc_iv,DES_ENCRYPT);
+	if (memcmp(cbc_out,pcbc_ok,32) != 0)
+		{
+		printf("pcbc_encrypt encrypt error\n");
+		err=1;
+		}
+	des_pcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,&cbc_iv,
+			 DES_DECRYPT);
+	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
+		{
+		printf("pcbc_encrypt decrypt error\n");
+		err=1;
+		}
+
+	printf("Doing ");
+	printf("cfb8 ");
+	err+=cfb_test(8,cfb_cipher8);
+	printf("cfb16 ");
+	err+=cfb_test(16,cfb_cipher16);
+	printf("cfb32 ");
+	err+=cfb_test(32,cfb_cipher32);
+	printf("cfb48 ");
+	err+=cfb_test(48,cfb_cipher48);
+	printf("cfb64 ");
+	err+=cfb_test(64,cfb_cipher64);
+
+	printf("cfb64() ");
+	err+=cfb64_test(cfb_cipher64);
+
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	for (i=0; i<sizeof(plain); i++)
+		des_cfb_encrypt(&(plain[i]),&(cfb_buf1[i]),
+			8,1,ks,&cfb_tmp,DES_ENCRYPT);
+	if (memcmp(cfb_cipher8,cfb_buf1,sizeof(plain)) != 0)
+		{
+		printf("cfb_encrypt small encrypt error\n");
+		err=1;
+		}
+
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	for (i=0; i<sizeof(plain); i++)
+		des_cfb_encrypt(&(cfb_buf1[i]),&(cfb_buf2[i]),
+			8,1,ks,&cfb_tmp,DES_DECRYPT);
+	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
+		{
+		printf("cfb_encrypt small decrypt error\n");
+		err=1;
+		}
+
+	printf("ede_cfb64() ");
+	err+=ede_cfb64_test(cfb_cipher64);
+
+	printf("done\n");
+
+	printf("Doing ofb\n");
+	des_set_key_checked(&ofb_key,ks);
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	des_ofb_encrypt(plain,ofb_buf1,64,sizeof(plain)/8,ks,&ofb_tmp);
+	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
+		{
+		printf("ofb_encrypt encrypt error\n");
+printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
+ofb_buf1[8+0], ofb_buf1[8+1], ofb_buf1[8+2], ofb_buf1[8+3],
+ofb_buf1[8+4], ofb_buf1[8+5], ofb_buf1[8+6], ofb_buf1[8+7]);
+printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
+ofb_buf1[8+0], ofb_cipher[8+1], ofb_cipher[8+2], ofb_cipher[8+3],
+ofb_buf1[8+4], ofb_cipher[8+5], ofb_cipher[8+6], ofb_cipher[8+7]);
+		err=1;
+		}
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	des_ofb_encrypt(ofb_buf1,ofb_buf2,64,sizeof(ofb_buf1)/8,ks,&ofb_tmp);
+	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
+		{
+		printf("ofb_encrypt decrypt error\n");
+printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
+ofb_buf2[8+0], ofb_buf2[8+1], ofb_buf2[8+2], ofb_buf2[8+3],
+ofb_buf2[8+4], ofb_buf2[8+5], ofb_buf2[8+6], ofb_buf2[8+7]);
+printf("%02X %02X %02X %02X %02X %02X %02X %02X\n",
+plain[8+0], plain[8+1], plain[8+2], plain[8+3],
+plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
+		err=1;
+		}
+
+	printf("Doing ofb64\n");
+	des_set_key_checked(&ofb_key,ks);
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	memset(ofb_buf1,0,sizeof(ofb_buf1));
+	memset(ofb_buf2,0,sizeof(ofb_buf1));
+	num=0;
+	for (i=0; i<sizeof(plain); i++)
+		{
+		des_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,&ofb_tmp,
+				  &num);
+		}
+	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
+		{
+		printf("ofb64_encrypt encrypt error\n");
+		err=1;
+		}
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	num=0;
+	des_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,&ofb_tmp,&num);
+	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
+		{
+		printf("ofb64_encrypt decrypt error\n");
+		err=1;
+		}
+
+	printf("Doing ede_ofb64\n");
+	des_set_key_checked(&ofb_key,ks);
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	memset(ofb_buf1,0,sizeof(ofb_buf1));
+	memset(ofb_buf2,0,sizeof(ofb_buf1));
+	num=0;
+	for (i=0; i<sizeof(plain); i++)
+		{
+		des_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,ks,ks,
+				       &ofb_tmp,&num);
+		}
+	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
+		{
+		printf("ede_ofb64_encrypt encrypt error\n");
+		err=1;
+		}
+	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
+	num=0;
+	des_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,
+			       ks,ks,&ofb_tmp,&num);
+	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
+		{
+		printf("ede_ofb64_encrypt decrypt error\n");
+		err=1;
+		}
+
+	printf("Doing cbc_cksum\n");
+	des_set_key_checked(&cbc_key,ks);
+	cs=des_cbc_cksum(cbc_data,&cret,strlen((char *)cbc_data),ks,&cbc_iv);
+	if (cs != cbc_cksum_ret)
+		{
+		printf("bad return value (%08lX), should be %08lX\n",
+			(unsigned long)cs,(unsigned long)cbc_cksum_ret);
+		err=1;
+		}
+	if (memcmp(cret,cbc_cksum_data,8) != 0)
+		{
+		printf("bad cbc_cksum block returned\n");
+		err=1;
+		}
+
+	printf("Doing quad_cksum\n");
+	cs=quad_cksum(cbc_data,(des_cblock *)lqret,
+		(long)strlen((char *)cbc_data),2,(des_cblock *)cbc_iv);
+	if (cs != 0x70d7a63aL)
+		{
+		printf("quad_cksum error, ret %08lx should be 70d7a63a\n",
+			(unsigned long)cs);
+		err=1;
+		}
+#ifdef _CRAY
+	if (lqret[0].a != 0x327eba8dL)
+		{
+		printf("quad_cksum error, out[0] %08lx is not %08lx\n",
+			(unsigned long)lqret[0].a,0x327eba8dUL);
+		err=1;
+		}
+	if (lqret[0].b != 0x201a49ccL)
+		{
+		printf("quad_cksum error, out[1] %08lx is not %08lx\n",
+			(unsigned long)lqret[0].b,0x201a49ccUL);
+		err=1;
+		}
+	if (lqret[1].a != 0x70d7a63aL)
+		{
+		printf("quad_cksum error, out[2] %08lx is not %08lx\n",
+			(unsigned long)lqret[1].a,0x70d7a63aUL);
+		err=1;
+		}
+	if (lqret[1].b != 0x501c2c26L)
+		{
+		printf("quad_cksum error, out[3] %08lx is not %08lx\n",
+			(unsigned long)lqret[1].b,0x501c2c26UL);
+		err=1;
+		}
+#else
+	if (lqret[0] != 0x327eba8dL)
+		{
+		printf("quad_cksum error, out[0] %08lx is not %08lx\n",
+			(unsigned long)lqret[0],0x327eba8dUL);
+		err=1;
+		}
+	if (lqret[1] != 0x201a49ccL)
+		{
+		printf("quad_cksum error, out[1] %08lx is not %08lx\n",
+			(unsigned long)lqret[1],0x201a49ccUL);
+		err=1;
+		}
+	if (lqret[2] != 0x70d7a63aL)
+		{
+		printf("quad_cksum error, out[2] %08lx is not %08lx\n",
+			(unsigned long)lqret[2],0x70d7a63aUL);
+		err=1;
+		}
+	if (lqret[3] != 0x501c2c26L)
+		{
+		printf("quad_cksum error, out[3] %08lx is not %08lx\n",
+			(unsigned long)lqret[3],0x501c2c26UL);
+		err=1;
+		}
+#endif
+#endif
+
+	printf("input word alignment test");
+	for (i=0; i<4; i++)
+		{
+		printf(" %d",i);
+		des_ncbc_encrypt(&(cbc_out[i]),cbc_in,
+				 strlen((char *)cbc_data)+1,ks,
+				 &cbc_iv,DES_ENCRYPT);
+		}
+	printf("\noutput word alignment test");
+	for (i=0; i<4; i++)
+		{
+		printf(" %d",i);
+		des_ncbc_encrypt(cbc_out,&(cbc_in[i]),
+				 strlen((char *)cbc_data)+1,ks,
+				 &cbc_iv,DES_ENCRYPT);
+		}
+	printf("\n");
+	printf("fast crypt test ");
+	str=crypt("testing","ef");
+	if (strcmp("efGnQx2725bI2",str) != 0)
+		{
+		printf("fast crypt error, %s should be efGnQx2725bI2\n",str);
+		err=1;
+		}
+	str=crypt("bca76;23","yA");
+	if (strcmp("yA1Rp/1hZXIJk",str) != 0)
+		{
+		printf("fast crypt error, %s should be yA1Rp/1hZXIJk\n",str);
+		err=1;
+		}
+	printf("\n");
+	return(err);
+	}
+
+static char *pt(unsigned char *p)
+	{
+	static char bufs[10][20];
+	static int bnum=0;
+	char *ret;
+	int i;
+	static char *f="0123456789ABCDEF";
+
+	ret= &(bufs[bnum++][0]);
+	bnum%=10;
+	for (i=0; i<8; i++)
+		{
+		ret[i*2]=f[(p[i]>>4)&0xf];
+		ret[i*2+1]=f[p[i]&0xf];
+		}
+	ret[16]='\0';
+	return(ret);
+	}
+
+#ifndef LIBDES_LIT
+
+static int cfb_test(int bits, unsigned char *cfb_cipher)
+	{
+	des_key_schedule ks;
+	int i,err=0;
+
+	des_set_key_checked(&cfb_key,ks);
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	des_cfb_encrypt(plain,cfb_buf1,bits,sizeof(plain),ks,&cfb_tmp,
+			DES_ENCRYPT);
+	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("cfb_encrypt encrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf1[i])));
+		}
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,sizeof(plain),ks,&cfb_tmp,
+			DES_DECRYPT);
+	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("cfb_encrypt decrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf1[i])));
+		}
+	return(err);
+	}
+
+static int cfb64_test(unsigned char *cfb_cipher)
+	{
+	des_key_schedule ks;
+	int err=0,i,n;
+
+	des_set_key_checked(&cfb_key,ks);
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	n=0;
+	des_cfb64_encrypt(plain,cfb_buf1,12,ks,&cfb_tmp,&n,DES_ENCRYPT);
+	des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),sizeof(plain)-12,ks,
+			  &cfb_tmp,&n,DES_ENCRYPT);
+	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("cfb_encrypt encrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf1[i])));
+		}
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	n=0;
+	des_cfb64_encrypt(cfb_buf1,cfb_buf2,17,ks,&cfb_tmp,&n,DES_DECRYPT);
+	des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+			  sizeof(plain)-17,ks,&cfb_tmp,&n,DES_DECRYPT);
+	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("cfb_encrypt decrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf2[i])));
+		}
+	return(err);
+	}
+
+static int ede_cfb64_test(unsigned char *cfb_cipher)
+	{
+	des_key_schedule ks;
+	int err=0,i,n;
+
+	des_set_key_checked(&cfb_key,ks);
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	n=0;
+	des_ede3_cfb64_encrypt(plain,cfb_buf1,12,ks,ks,ks,&cfb_tmp,&n,
+			       DES_ENCRYPT);
+	des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
+			       sizeof(plain)-12,ks,ks,ks,
+			       &cfb_tmp,&n,DES_ENCRYPT);
+	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("ede_cfb_encrypt encrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf1[i])));
+		}
+	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
+	n=0;
+	des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks,
+			       &cfb_tmp,&n,DES_DECRYPT);
+	des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+			       sizeof(plain)-17,ks,ks,ks,
+			       &cfb_tmp,&n,DES_DECRYPT);
+	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
+		{
+		err=1;
+		printf("ede_cfb_encrypt decrypt error\n");
+		for (i=0; i<24; i+=8)
+			printf("%s\n",pt(&(cfb_buf2[i])));
+		}
+	return(err);
+	}
+
+#endif
+#endif
diff --git a/crypto/openssl/crypto/des/doIP b/crypto/openssl/crypto/des/doIP
new file mode 100644
index 0000000..18cf231
--- /dev/null
+++ b/crypto/openssl/crypto/des/doIP
@@ -0,0 +1,46 @@
+#!/usr/local/bin/perl
+
+@l=(
+	 0, 1, 2, 3, 4, 5, 6, 7,
+	 8, 9,10,11,12,13,14,15,
+	16,17,18,19,20,21,22,23,
+	24,25,26,27,28,29,30,31
+	);
+@r=(
+	32,33,34,35,36,37,38,39,
+	40,41,42,43,44,45,46,47,
+	48,49,50,51,52,53,54,55,
+	56,57,58,59,60,61,62,63
+	);
+
+require 'shifts.pl';
+
+sub PERM_OP
+	{
+	local(*a,*b,*t,$n,$m)=@_;
+
+	@z=&shift(*a,-$n);
+	@z=&xor(*b,*z);
+	@z=&and(*z,$m);
+	@b=&xor(*b,*z);
+	@z=&shift(*z,$n);
+	@a=&xor(*a,*z);
+	}
+
+
+@L=@l;
+@R=@r;
+&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
+&PERM_OP(*L,*R,*T,16,0x0000ffff);
+&PERM_OP(*R,*L,*T,2,0x33333333);
+&PERM_OP(*L,*R,*T,8,0x00ff00ff);
+&PERM_OP(*R,*L,*T,1,0x55555555);
+	&printit(@L);
+	&printit(@R);
+&PERM_OP(*R,*L,*T,1,0x55555555);
+&PERM_OP(*L,*R,*T,8,0x00ff00ff);
+&PERM_OP(*R,*L,*T,2,0x33333333);
+&PERM_OP(*L,*R,*T,16,0x0000ffff);
+&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
+	&printit(@L);
+	&printit(@R);
diff --git a/crypto/openssl/crypto/des/doPC1 b/crypto/openssl/crypto/des/doPC1
new file mode 100644
index 0000000..096afd8
--- /dev/null
+++ b/crypto/openssl/crypto/des/doPC1
@@ -0,0 +1,110 @@
+#!/usr/local/bin/perl
+
+@l=(
+	 0, 1, 2, 3, 4, 5, 6, 7,
+	 8, 9,10,11,12,13,14,15,
+	16,17,18,19,20,21,22,23,
+	24,25,26,27,28,29,30,31
+	);
+@r=(
+	32,33,34,35,36,37,38,39,
+	40,41,42,43,44,45,46,47,
+	48,49,50,51,52,53,54,55,
+	56,57,58,59,60,61,62,63
+	);
+
+require 'shifts.pl';
+
+sub PERM_OP
+	{
+	local(*a,*b,*t,$n,$m)=@_;
+
+	@z=&shift(*a,-$n);
+	@z=&xor(*b,*z);
+	@z=&and(*z,$m);
+	@b=&xor(*b,*z);
+	@z=&shift(*z,$n);
+	@a=&xor(*a,*z);
+	}
+
+sub HPERM_OP2
+	{
+	local(*a,*t,$n,$m)=@_;
+	local(@x,@y,$i);
+
+	@z=&shift(*a,16-$n);
+	@z=&xor(*a,*z);
+	@z=&and(*z,$m);
+	@a=&xor(*a,*z);
+	@z=&shift(*z,$n-16);
+	@a=&xor(*a,*z);
+	}
+
+sub HPERM_OP
+        {
+        local(*a,*t,$n,$m)=@_;
+        local(@x,@y,$i);
+
+        for ($i=0; $i<16; $i++)
+                {
+                $x[$i]=$a[$i];
+                $y[$i]=$a[16+$i];
+                }
+        @z=&shift(*x,-$n);
+        @z=&xor(*y,*z);
+        @z=&and(*z,$m);
+        @y=&xor(*y,*z);
+        @z=&shift(*z,$n);
+        @x=&xor(*x,*z);
+        for ($i=0; $i<16; $i++)
+                {
+                $a[$i]=$x[$i];
+                $a[16+$i]=$y[$i];
+                }
+        }
+
+@L=@l;
+@R=@r;
+
+	print "---\n"; &printit(@R);
+&PERM_OP(*R,*L,*T,4,0x0f0f0f0f);
+	print "---\n"; &printit(@R);
+&HPERM_OP2(*L,*T,-2,0xcccc0000);
+&HPERM_OP2(*R,*T,-2,0xcccc0000);
+	print "---\n"; &printit(@R);
+&PERM_OP(*R,*L,*T,1,0x55555555);
+	print "---\n"; &printit(@R);
+&PERM_OP(*L,*R,*T,8,0x00ff00ff);
+	print "---\n"; &printit(@R);
+&PERM_OP(*R,*L,*T,1,0x55555555);
+	print "---\n"; &printit(@R);
+#	&printit(@L);
+	&printit(@R);
+print <<"EOF";
+==============================
+63  55  47  39  31  23  15   7  
+62  54  46  38  30  22  14   6  
+61  53  45  37  29  21  13   5  
+60  52  44  36  --  --  --  --  
+
+57  49  41  33  25  17   9   1  
+58  50  42  34  26  18  10   2  
+59  51  43  35  27  19  11   3  
+28  20  12   4  --  --  --  --  
+EOF
+exit(1);
+@A=&and(*R,0x000000ff);
+@A=&shift(*A,16);
+@B=&and(*R,0x0000ff00);
+@C=&and(*R,0x00ff0000);
+@C=&shift(*C,-16);
+@D=&and(*L,0xf0000000);
+@D=&shift(*D,-4);
+@A=&or(*A,*B);
+@B=&or(*D,*C);
+@R=&or(*A,*B);
+@L=&and(*L,0x0fffffff);
+
+	&printit(@L);
+	&printit(@R);
+
diff --git a/crypto/openssl/crypto/des/doPC2 b/crypto/openssl/crypto/des/doPC2
new file mode 100644
index 0000000..fa5cf74
--- /dev/null
+++ b/crypto/openssl/crypto/des/doPC2
@@ -0,0 +1,94 @@
+#!/usr/local/bin/perl
+
+@PC2_C=(14,17,11,24, 1, 5,
+	 3,28,15, 6,21,10,
+	23,19,12, 4,26, 8,
+	16, 7,27,20,13, 2,
+	);
+
+@PC2_D=(41,52,31,37,47,55,
+	30,40,51,45,33,48,
+	44,49,39,56,34,53,
+	46,42,50,36,29,32,
+	);
+
+$i=0;
+foreach (@PC2_C) {
+	$_--;
+#	printf "%2d,",$_;
+	$C{$_}=$i;
+	++$i;
+#	print "\n" if ((($i) % 8) == 0);
+	}
+$i=0;
+#print "\n";
+foreach (@PC2_D) {
+	$_-=28;
+	$_--;
+#	printf "%2d,",$_;
+	$D{$_}=$i;
+	$i++;
+#	print "\n" if ((($i) % 8) == 0);
+	}
+
+#print "\n";
+foreach $i (0 .. 27)
+	{
+	$_=$C{$i};
+#	printf "%2d,",$_;
+	$i++;
+#	print "\n" if ((($i) % 8) == 0);
+	}
+#print "\n";
+
+#print "\n";
+foreach $i (0 .. 27)
+	{
+	$_=$D{$i};
+#	printf "%2d,",$_;
+	$i++;
+#	print "\n" if ((($i) % 8) == 0);
+	}
+#print "\n";
+
+print "static ulong skb[8][64]={\n";
+&doit("C",*C, 0, 1, 2, 3, 4, 5);
+&doit("C",*C, 6, 7, 9,10,11,12);
+&doit("C",*C,13,14,15,16,18,19);
+&doit("C",*C,20,22,23,25,26,27);
+
+&doit("D",*D, 0, 1, 2, 3, 4, 5);
+&doit("D",*D, 7, 8,10,11,12,13);
+&doit("D",*D,15,16,17,18,19,20);
+&doit("D",*D,21,22,23,24,26,27);
+print "};\n";
+
+sub doit
+	{
+	local($l,*A,@b)=@_;
+	local(@out);
+
+	printf("/* for $l bits (numbered as per FIPS 46) %d %d %d %d %d %d */\n",
+		$b[0]+1, $b[1]+1, $b[2]+1, $b[3]+1, $b[4]+1, $b[5]+1);
+	for ($i=0; $i<64; $i++)
+		{
+		$out[$i]=0;
+		$j=1;
+#print "\n";
+		for ($k=0; $k<6; $k++)
+			{
+			$l=$A{$b[$k]};
+#print"$l - ";
+			if ((1<<$k) & $i)
+				{
+				$ll=int($l/6)*8+($l%6);
+				$out[$i]|=1<<($ll);
+				}
+			}
+		$pp=$out[$i];
+		$pp=($pp&0xff0000ff)|   (($pp&0x00ff0000)>>8)|
+					(($pp&0x0000ff00)<<8);
+		printf("0x%08X,",$pp);
+		print "\n" if (($i+1) % 4 == 0);
+		}
+	}
diff --git a/crypto/openssl/crypto/des/ecb3_enc.c b/crypto/openssl/crypto/des/ecb3_enc.c
new file mode 100644
index 0000000..fb28b97
--- /dev/null
+++ b/crypto/openssl/crypto/des/ecb3_enc.c
@@ -0,0 +1,82 @@
+/* crypto/des/ecb3_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
+	     des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3,
+	     int enc)
+	{
+	register DES_LONG l0,l1;
+	DES_LONG ll[2];
+	const unsigned char *in = &(*input)[0];
+	unsigned char *out = &(*output)[0];
+
+	c2l(in,l0);
+	c2l(in,l1);
+	ll[0]=l0;
+	ll[1]=l1;
+	if (enc)
+		des_encrypt3(ll,ks1,ks2,ks3);
+	else
+		des_decrypt3(ll,ks1,ks2,ks3);
+	l0=ll[0];
+	l1=ll[1];
+	l2c(l0,out);
+	l2c(l1,out);
+	}
diff --git a/crypto/openssl/crypto/des/ecb_enc.c b/crypto/openssl/crypto/des/ecb_enc.c
new file mode 100644
index 0000000..b261a8a
--- /dev/null
+++ b/crypto/openssl/crypto/des/ecb_enc.c
@@ -0,0 +1,122 @@
+/* crypto/des/ecb_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+#include "spr.h"
+#include <openssl/opensslv.h>
+
+OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT;
+OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT;
+
+const char *des_options(void)
+	{
+	static int init=1;
+	static char buf[32];
+
+	if (init)
+		{
+		const char *ptr,*unroll,*risc,*size;
+
+#ifdef DES_PTR
+		ptr="ptr";
+#else
+		ptr="idx";
+#endif
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+		risc="risc1";
+#endif
+#ifdef DES_RISC2
+		risc="risc2";
+#endif
+#else
+		risc="cisc";
+#endif
+#ifdef DES_UNROLL
+		unroll="16";
+#else
+		unroll="4";
+#endif
+		if (sizeof(DES_LONG) != sizeof(long))
+			size="int";
+		else
+			size="long";
+		sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
+		init=0;
+		}
+	return(buf);
+	}
+		
+
+void des_ecb_encrypt(const_des_cblock *input, des_cblock *output,
+	     des_key_schedule ks,
+	     int enc)
+	{
+	register DES_LONG l;
+	DES_LONG ll[2];
+	const unsigned char *in = &(*input)[0];
+	unsigned char *out = &(*output)[0];
+
+	c2l(in,l); ll[0]=l;
+	c2l(in,l); ll[1]=l;
+	des_encrypt(ll,ks,enc);
+	l=ll[0]; l2c(l,out);
+	l=ll[1]; l2c(l,out);
+	l=ll[0]=ll[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/des/ede_cbcm_enc.c b/crypto/openssl/crypto/des/ede_cbcm_enc.c
new file mode 100644
index 0000000..c530624
--- /dev/null
+++ b/crypto/openssl/crypto/des/ede_cbcm_enc.c
@@ -0,0 +1,197 @@
+/* ede_cbcm_enc.c */
+/* Written by Ben Laurie <ben@algroup.co.uk> for the OpenSSL
+ * project 13 Feb 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+
+This is an implementation of Triple DES Cipher Block Chaining with Output
+Feedback Masking, by Coppersmith, Johnson and Matyas, (IBM and Certicom).
+
+Note that there is a known attack on this by Biham and Knudsen but it takes
+a lot of work:
+
+http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
+
+*/
+
+#ifndef NO_DESCBCM
+#include "des_locl.h"
+
+void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
+	     long length, des_key_schedule ks1, des_key_schedule ks2,
+	     des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2,
+	     int enc)
+    {
+    register DES_LONG tin0,tin1;
+    register DES_LONG tout0,tout1,xor0,xor1,m0,m1;
+    register long l=length;
+    DES_LONG tin[2];
+    unsigned char *iv1,*iv2;
+
+    iv1 = &(*ivec1)[0];
+    iv2 = &(*ivec2)[0];
+
+    if (enc)
+	{
+	c2l(iv1,m0);
+	c2l(iv1,m1);
+	c2l(iv2,tout0);
+	c2l(iv2,tout1);
+	for (l-=8; l>=-7; l-=8)
+	    {
+	    tin[0]=m0;
+	    tin[1]=m1;
+	    des_encrypt(tin,ks3,1);
+	    m0=tin[0];
+	    m1=tin[1];
+
+	    if(l < 0)
+		{
+		c2ln(in,tin0,tin1,l+8);
+		}
+	    else
+		{
+		c2l(in,tin0);
+		c2l(in,tin1);
+		}
+	    tin0^=tout0;
+	    tin1^=tout1;
+
+	    tin[0]=tin0;
+	    tin[1]=tin1;
+	    des_encrypt(tin,ks1,1);
+	    tin[0]^=m0;
+	    tin[1]^=m1;
+	    des_encrypt(tin,ks2,0);
+	    tin[0]^=m0;
+	    tin[1]^=m1;
+	    des_encrypt(tin,ks1,1);
+	    tout0=tin[0];
+	    tout1=tin[1];
+
+	    l2c(tout0,out);
+	    l2c(tout1,out);
+	    }
+	iv1=&(*ivec1)[0];
+	l2c(m0,iv1);
+	l2c(m1,iv1);
+
+	iv2=&(*ivec2)[0];
+	l2c(tout0,iv2);
+	l2c(tout1,iv2);
+	}
+    else
+	{
+	register DES_LONG t0,t1;
+
+	c2l(iv1,m0);
+	c2l(iv1,m1);
+	c2l(iv2,xor0);
+	c2l(iv2,xor1);
+	for (l-=8; l>=-7; l-=8)
+	    {
+	    tin[0]=m0;
+	    tin[1]=m1;
+	    des_encrypt(tin,ks3,1);
+	    m0=tin[0];
+	    m1=tin[1];
+
+	    c2l(in,tin0);
+	    c2l(in,tin1);
+
+	    t0=tin0;
+	    t1=tin1;
+
+	    tin[0]=tin0;
+	    tin[1]=tin1;
+	    des_encrypt(tin,ks1,0);
+	    tin[0]^=m0;
+	    tin[1]^=m1;
+	    des_encrypt(tin,ks2,1);
+	    tin[0]^=m0;
+	    tin[1]^=m1;
+	    des_encrypt(tin,ks1,0);
+	    tout0=tin[0];
+	    tout1=tin[1];
+
+	    tout0^=xor0;
+	    tout1^=xor1;
+	    if(l < 0)
+		{
+		l2cn(tout0,tout1,out,l+8);
+		}
+	    else
+		{
+		l2c(tout0,out);
+		l2c(tout1,out);
+		}
+	    xor0=t0;
+	    xor1=t1;
+	    }
+
+	iv1=&(*ivec1)[0];
+	l2c(m0,iv1);
+	l2c(m1,iv1);
+
+	iv2=&(*ivec2)[0];
+	l2c(xor0,iv2);
+	l2c(xor1,iv2);
+	}
+    tin0=tin1=tout0=tout1=xor0=xor1=0;
+    tin[0]=tin[1]=0;
+    }
+#endif
diff --git a/crypto/openssl/crypto/des/enc_read.c b/crypto/openssl/crypto/des/enc_read.c
new file mode 100644
index 0000000..7399ff7
--- /dev/null
+++ b/crypto/openssl/crypto/des/enc_read.c
@@ -0,0 +1,228 @@
+/* crypto/des/enc_read.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include "des_locl.h"
+
+/* This has some uglies in it but it works - even over sockets. */
+/*extern int errno;*/
+OPENSSL_GLOBAL int des_rw_mode=DES_PCBC_MODE;
+
+
+/*
+ * WARNINGS:
+ *
+ *  -  The data format used by des_enc_write() and des_enc_read()
+ *     has a cryptographic weakness: When asked to write more
+ *     than MAXWRITE bytes, des_enc_write will split the data
+ *     into several chunks that are all encrypted
+ *     using the same IV.  So don't use these functions unless you
+ *     are sure you know what you do (in which case you might
+ *     not want to use them anyway).
+ *
+ *  -  This code cannot handle non-blocking sockets.
+ *
+ *  -  This function uses an internal state and thus cannot be
+ *     used on multiple files.
+ */
+
+
+int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
+		 des_cblock *iv)
+	{
+	/* data to be unencrypted */
+	int net_num=0;
+	static unsigned char *net=NULL;
+	/* extra unencrypted data 
+	 * for when a block of 100 comes in but is des_read one byte at
+	 * a time. */
+	static unsigned char *unnet=NULL;
+	static int unnet_start=0;
+	static int unnet_left=0;
+	static unsigned char *tmpbuf=NULL;
+	int i;
+	long num=0,rnum;
+	unsigned char *p;
+
+	if (tmpbuf == NULL)
+		{
+		tmpbuf=Malloc(BSIZE);
+		if (tmpbuf == NULL) return(-1);
+		}
+	if (net == NULL)
+		{
+		net=Malloc(BSIZE);
+		if (net == NULL) return(-1);
+		}
+	if (unnet == NULL)
+		{
+		unnet=Malloc(BSIZE);
+		if (unnet == NULL) return(-1);
+		}
+	/* left over data from last decrypt */
+	if (unnet_left != 0)
+		{
+		if (unnet_left < len)
+			{
+			/* we still still need more data but will return
+			 * with the number of bytes we have - should always
+			 * check the return value */
+			memcpy(buf,&(unnet[unnet_start]),
+			       unnet_left);
+			/* eay 26/08/92 I had the next 2 lines
+			 * reversed :-( */
+			i=unnet_left;
+			unnet_start=unnet_left=0;
+			}
+		else
+			{
+			memcpy(buf,&(unnet[unnet_start]),len);
+			unnet_start+=len;
+			unnet_left-=len;
+			i=len;
+			}
+		return(i);
+		}
+
+	/* We need to get more data. */
+	if (len > MAXWRITE) len=MAXWRITE;
+
+	/* first - get the length */
+	while (net_num < HDRSIZE) 
+		{
+		i=read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
+#ifdef EINTR
+		if ((i == -1) && (errno == EINTR)) continue;
+#endif
+		if (i <= 0) return(0);
+		net_num+=i;
+		}
+
+	/* we now have at net_num bytes in net */
+	p=net;
+	/* num=0;  */
+	n2l(p,num);
+	/* num should be rounded up to the next group of eight
+	 * we make sure that we have read a multiple of 8 bytes from the net.
+	 */
+	if ((num > MAXWRITE) || (num < 0)) /* error */
+		return(-1);
+	rnum=(num < 8)?8:((num+7)/8*8);
+
+	net_num=0;
+	while (net_num < rnum)
+		{
+		i=read(fd,(void *)&(net[net_num]),rnum-net_num);
+#ifdef EINTR
+		if ((i == -1) && (errno == EINTR)) continue;
+#endif
+		if (i <= 0) return(0);
+		net_num+=i;
+		}
+
+	/* Check if there will be data left over. */
+	if (len < num)
+		{
+		if (des_rw_mode & DES_PCBC_MODE)
+			des_pcbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
+		else
+			des_cbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
+		memcpy(buf,unnet,len);
+		unnet_start=len;
+		unnet_left=num-len;
+
+		/* The following line is done because we return num
+		 * as the number of bytes read. */
+		num=len;
+		}
+	else
+		{
+		/* >output is a multiple of 8 byes, if len < rnum
+		 * >we must be careful.  The user must be aware that this
+		 * >routine will write more bytes than he asked for.
+		 * >The length of the buffer must be correct.
+		 * FIXED - Should be ok now 18-9-90 - eay */
+		if (len < rnum)
+			{
+
+			if (des_rw_mode & DES_PCBC_MODE)
+				des_pcbc_encrypt(net,tmpbuf,num,sched,iv,
+						 DES_DECRYPT);
+			else
+				des_cbc_encrypt(net,tmpbuf,num,sched,iv,
+						DES_DECRYPT);
+
+			/* eay 26/08/92 fix a bug that returned more
+			 * bytes than you asked for (returned len bytes :-( */
+			memcpy(buf,tmpbuf,num);
+			}
+		else
+			{
+			if (des_rw_mode & DES_PCBC_MODE)
+				des_pcbc_encrypt(net,buf,num,sched,iv,
+						 DES_DECRYPT);
+			else
+				des_cbc_encrypt(net,buf,num,sched,iv,
+						DES_DECRYPT);
+			}
+		}
+	return num;
+	}
+
diff --git a/crypto/openssl/crypto/des/enc_writ.c b/crypto/openssl/crypto/des/enc_writ.c
new file mode 100644
index 0000000..4d34527
--- /dev/null
+++ b/crypto/openssl/crypto/des/enc_writ.c
@@ -0,0 +1,171 @@
+/* crypto/des/enc_writ.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <errno.h>
+#include <time.h>
+#include <stdio.h>
+#include "cryptlib.h"
+#include "des_locl.h"
+#include <openssl/rand.h>
+
+/*
+ * WARNINGS:
+ *
+ *  -  The data format used by des_enc_write() and des_enc_read()
+ *     has a cryptographic weakness: When asked to write more
+ *     than MAXWRITE bytes, des_enc_write will split the data
+ *     into several chunks that are all encrypted
+ *     using the same IV.  So don't use these functions unless you
+ *     are sure you know what you do (in which case you might
+ *     not want to use them anyway).
+ *
+ *  -  This code cannot handle non-blocking sockets.
+ */
+
+int des_enc_write(int fd, const void *_buf, int len,
+		  des_key_schedule sched, des_cblock *iv)
+	{
+#ifdef _LIBC
+	extern unsigned long time();
+	extern int write();
+#endif
+	const unsigned char *buf=_buf;
+	long rnum;
+	int i,j,k,outnum;
+	static unsigned char *outbuf=NULL;
+	unsigned char shortbuf[8];
+	unsigned char *p;
+	const unsigned char *cp;
+	static int start=1;
+
+	if (outbuf == NULL)
+		{
+		outbuf=Malloc(BSIZE+HDRSIZE);
+		if (outbuf == NULL) return(-1);
+		}
+	/* If we are sending less than 8 bytes, the same char will look
+	 * the same if we don't pad it out with random bytes */
+	if (start)
+		{
+		start=0;
+		}
+
+	/* lets recurse if we want to send the data in small chunks */
+	if (len > MAXWRITE)
+		{
+		j=0;
+		for (i=0; i<len; i+=k)
+			{
+			k=des_enc_write(fd,&(buf[i]),
+				((len-i) > MAXWRITE)?MAXWRITE:(len-i),sched,iv);
+			if (k < 0)
+				return(k);
+			else
+				j+=k;
+			}
+		return(j);
+		}
+
+	/* write length first */
+	p=outbuf;
+	l2n(len,p);
+
+	/* pad short strings */
+	if (len < 8)
+		{
+		cp=shortbuf;
+		memcpy(shortbuf,buf,len);
+		RAND_pseudo_bytes(shortbuf+len, 8-len);
+		rnum=8;
+		}
+	else
+		{
+		cp=buf;
+		rnum=((len+7)/8*8); /* round up to nearest eight */
+		}
+
+	if (des_rw_mode & DES_PCBC_MODE)
+		des_pcbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
+				 DES_ENCRYPT); 
+	else
+		des_cbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
+				DES_ENCRYPT); 
+
+	/* output */
+	outnum=rnum+HDRSIZE;
+
+	for (j=0; j<outnum; j+=i)
+		{
+		/* eay 26/08/92 I was not doing writing from where we
+		 * got up to. */
+		i=write(fd,(void *)&(outbuf[j]),outnum-j);
+		if (i == -1)
+			{
+#ifdef EINTR
+			if (errno == EINTR)
+				i=0;
+			else
+#endif
+			        /* This is really a bad error - very bad
+				 * It will stuff-up both ends. */
+				return(-1);
+			}
+		}
+
+	return(len);
+	}
diff --git a/crypto/openssl/crypto/des/fcrypt.c b/crypto/openssl/crypto/des/fcrypt.c
new file mode 100644
index 0000000..1d61931
--- /dev/null
+++ b/crypto/openssl/crypto/des/fcrypt.c
@@ -0,0 +1,180 @@
+/* NOCW */
+#include <stdio.h>
+#ifdef _OSD_POSIX
+#ifndef CHARSET_EBCDIC
+#define CHARSET_EBCDIC 1
+#endif
+#endif
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+/* This version of crypt has been developed from my MIT compatible
+ * DES library.
+ * Eric Young (eay@cryptsoft.com)
+ */
+
+/* Modification by Jens Kupferschmidt (Cu)
+ * I have included directive PARA for shared memory computers.
+ * I have included a directive LONGCRYPT to using this routine to cipher
+ * passwords with more then 8 bytes like HP-UX 10.x it used. The MAXPLEN
+ * definition is the maximum of length of password and can changed. I have
+ * defined 24.
+ */
+
+#include "des_locl.h"
+
+/* Added more values to handle illegal salt values the way normal
+ * crypt() implementations do.  The patch was sent by 
+ * Bjorn Gronvall <bg@sics.se>
+ */
+static unsigned const char con_salt[128]={
+0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,
+0xDA,0xDB,0xDC,0xDD,0xDE,0xDF,0xE0,0xE1,
+0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,
+0xEA,0xEB,0xEC,0xED,0xEE,0xEF,0xF0,0xF1,
+0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,
+0xFA,0xFB,0xFC,0xFD,0xFE,0xFF,0x00,0x01,
+0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
+0x0A,0x0B,0x05,0x06,0x07,0x08,0x09,0x0A,
+0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,
+0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,
+0x1B,0x1C,0x1D,0x1E,0x1F,0x20,0x21,0x22,
+0x23,0x24,0x25,0x20,0x21,0x22,0x23,0x24,
+0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,
+0x2D,0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,
+0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,
+0x3D,0x3E,0x3F,0x40,0x41,0x42,0x43,0x44,
+};
+
+static unsigned const char cov_2char[64]={
+0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
+0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
+0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
+0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
+0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
+0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
+0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
+0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
+};
+
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+	DES_LONG Eswap0, DES_LONG Eswap1);
+
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *crypt(const char *buf, const char *salt)
+	{
+	return(des_crypt(buf, salt));
+	}
+#endif
+
+char *des_crypt(const char *buf, const char *salt)
+	{
+	static char buff[14];
+
+#ifndef CHARSET_EBCDIC
+	return(des_fcrypt(buf,salt,buff));
+#else
+	char e_salt[2+1];
+	char e_buf[32+1];	/* replace 32 by 8 ? */
+	char *ret;
+
+	/* Copy at most 2 chars of salt */
+	if ((e_salt[0] = salt[0]) != '\0')
+	    e_salt[1] = salt[1];
+
+	/* Copy at most 32 chars of password */
+	strncpy (e_buf, buf, sizeof(e_buf));
+
+	/* Make sure we have a delimiter */
+	e_salt[sizeof(e_salt)-1] = e_buf[sizeof(e_buf)-1] = '\0';
+
+	/* Convert the e_salt to ASCII, as that's what des_fcrypt works on */
+	ebcdic2ascii(e_salt, e_salt, sizeof e_salt);
+
+	/* Convert the cleartext password to ASCII */
+	ebcdic2ascii(e_buf, e_buf, sizeof e_buf);
+
+	/* Encrypt it (from/to ASCII) */
+	ret = des_fcrypt(e_buf,e_salt,buff);
+
+	/* Convert the result back to EBCDIC */
+	ascii2ebcdic(ret, ret, strlen(ret));
+	
+	return ret;
+#endif
+	}
+
+
+char *des_fcrypt(const char *buf, const char *salt, char *ret)
+	{
+	unsigned int i,j,x,y;
+	DES_LONG Eswap0,Eswap1;
+	DES_LONG out[2],ll;
+	des_cblock key;
+	des_key_schedule ks;
+	unsigned char bb[9];
+	unsigned char *b=bb;
+	unsigned char c,u;
+
+	/* eay 25/08/92
+	 * If you call crypt("pwd","*") as often happens when you
+	 * have * as the pwd field in /etc/passwd, the function
+	 * returns *\0XXXXXXXXX
+	 * The \0 makes the string look like * so the pwd "*" would
+	 * crypt to "*".  This was found when replacing the crypt in
+	 * our shared libraries.  People found that the disabled
+	 * accounts effectively had no passwd :-(. */
+#ifndef CHARSET_EBCDIC
+	x=ret[0]=((salt[0] == '\0')?'A':salt[0]);
+	Eswap0=con_salt[x]<<2;
+	x=ret[1]=((salt[1] == '\0')?'A':salt[1]);
+	Eswap1=con_salt[x]<<6;
+#else
+	x=ret[0]=((salt[0] == '\0')?os_toascii['A']:salt[0]);
+	Eswap0=con_salt[x]<<2;
+	x=ret[1]=((salt[1] == '\0')?os_toascii['A']:salt[1]);
+	Eswap1=con_salt[x]<<6;
+#endif
+
+/* EAY
+r=strlen(buf);
+r=(r+7)/8;
+*/
+	for (i=0; i<8; i++)
+		{
+		c= *(buf++);
+		if (!c) break;
+		key[i]=(c<<1);
+		}
+	for (; i<8; i++)
+		key[i]=0;
+
+	des_set_key_unchecked(&key,ks);
+	fcrypt_body(&(out[0]),ks,Eswap0,Eswap1);
+
+	ll=out[0]; l2c(ll,b);
+	ll=out[1]; l2c(ll,b);
+	y=0;
+	u=0x80;
+	bb[8]=0;
+	for (i=2; i<13; i++)
+		{
+		c=0;
+		for (j=0; j<6; j++)
+			{
+			c<<=1;
+			if (bb[y] & u) c|=1;
+			u>>=1;
+			if (!u)
+				{
+				y++;
+				u=0x80;
+				}
+			}
+		ret[i]=cov_2char[c];
+		}
+	ret[13]='\0';
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/des/fcrypt_b.c b/crypto/openssl/crypto/des/fcrypt_b.c
new file mode 100644
index 0000000..22c87f5
--- /dev/null
+++ b/crypto/openssl/crypto/des/fcrypt_b.c
@@ -0,0 +1,145 @@
+/* crypto/des/fcrypt_b.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+
+/* This version of crypt has been developed from my MIT compatible
+ * DES library.
+ * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au
+ * Eric Young (eay@cryptsoft.com)
+ */
+
+#define DES_FCRYPT
+#include "des_locl.h"
+#undef DES_FCRYPT
+
+#undef PERM_OP
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+	(b)^=(t),\
+	(a)^=((t)<<(n)))
+
+#undef HPERM_OP
+#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
+	(a)=(a)^(t)^(t>>(16-(n))))\
+
+void fcrypt_body(DES_LONG *out, des_key_schedule ks, DES_LONG Eswap0,
+	     DES_LONG Eswap1)
+	{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+#endif
+	register DES_LONG *s;
+	register int j;
+	register DES_LONG E0,E1;
+
+	l=0;
+	r=0;
+
+	s=(DES_LONG *)ks;
+	E0=Eswap0;
+	E1=Eswap1;
+
+	for (j=0; j<25; j++)
+		{
+#ifndef DES_UNROLL
+		register int i;
+
+		for (i=0; i<32; i+=8)
+			{
+			D_ENCRYPT(l,r,i+0); /*  1 */
+			D_ENCRYPT(r,l,i+2); /*  2 */
+			D_ENCRYPT(l,r,i+4); /*  1 */
+			D_ENCRYPT(r,l,i+6); /*  2 */
+			}
+#else
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#endif
+
+		t=l;
+		l=r;
+		r=t;
+		}
+	l=ROTATE(l,3)&0xffffffffL;
+	r=ROTATE(r,3)&0xffffffffL;
+
+	PERM_OP(l,r,t, 1,0x55555555L);
+	PERM_OP(r,l,t, 8,0x00ff00ffL);
+	PERM_OP(l,r,t, 2,0x33333333L);
+	PERM_OP(r,l,t,16,0x0000ffffL);
+	PERM_OP(l,r,t, 4,0x0f0f0f0fL);
+
+	out[0]=r;
+	out[1]=l;
+	}
+
diff --git a/crypto/openssl/crypto/des/makefile.bc b/crypto/openssl/crypto/des/makefile.bc
new file mode 100644
index 0000000..1fe6d49
--- /dev/null
+++ b/crypto/openssl/crypto/des/makefile.bc
@@ -0,0 +1,50 @@
+#
+# Origional BC Makefile from Teun <Teun.Nijssen@kub.nl>
+#
+#
+CC      = bcc
+TLIB    = tlib /0 /C
+# note: the -3 flag produces code for 386, 486, Pentium etc; omit it for 286s
+OPTIMIZE= -3 -O2
+#WINDOWS= -W
+CFLAGS  = -c -ml -d $(OPTIMIZE) $(WINDOWS) -DMSDOS
+LFLAGS  = -ml $(WINDOWS)
+
+.c.obj:
+	$(CC) $(CFLAGS) $*.c
+
+.obj.exe:
+	$(CC) $(LFLAGS) -e$*.exe $*.obj libdes.lib  
+
+all: $(LIB) destest.exe rpw.exe des.exe speed.exe
+
+# "make clean": use a directory containing only libdes .exe and .obj files...
+clean:
+	del *.exe
+	del *.obj
+	del libdes.lib
+	del libdes.rsp
+
+OBJS=   cbc_cksm.obj cbc_enc.obj  ecb_enc.obj  pcbc_enc.obj \
+	qud_cksm.obj rand_key.obj set_key.obj  str2key.obj \
+	enc_read.obj enc_writ.obj fcrypt.obj   cfb_enc.obj \
+	ecb3_enc.obj ofb_enc.obj  cbc3_enc.obj read_pwd.obj\
+	cfb64enc.obj ofb64enc.obj ede_enc.obj  cfb64ede.obj\
+	ofb64ede.obj supp.obj
+
+LIB=    libdes.lib
+
+$(LIB): $(OBJS)
+	del $(LIB)
+	makersp "+%s &\n" &&|
+	$(OBJS)
+|       >libdes.rsp
+	$(TLIB) libdes.lib @libdes.rsp,nul
+	del libdes.rsp
+
+destest.exe: destest.obj libdes.lib
+rpw.exe:     rpw.obj libdes.lib
+speed.exe:   speed.obj libdes.lib
+des.exe:     des.obj libdes.lib
+
+
diff --git a/crypto/openssl/crypto/des/ncbc_enc.c b/crypto/openssl/crypto/des/ncbc_enc.c
new file mode 100644
index 0000000..3b68169
--- /dev/null
+++ b/crypto/openssl/crypto/des/ncbc_enc.c
@@ -0,0 +1,148 @@
+/* crypto/des/ncbc_enc.c */
+/*
+ * #included by:
+ *    cbc_enc.c  (des_cbc_encrypt)
+ *    des_enc.c  (des_ncbc_encrypt)
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+#ifdef CBC_ENC_C__DONT_UPDATE_IV
+void des_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     des_key_schedule schedule, des_cblock *ivec, int enc)
+#else
+void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     des_key_schedule schedule, des_cblock *ivec, int enc)
+#endif
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	iv = &(*ivec)[0];
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+#ifndef CBC_ENC_C__DONT_UPDATE_IV
+		iv = &(*ivec)[0];
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+#endif
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+#ifndef CBC_ENC_C__DONT_UPDATE_IV
+			xor0=tin0;
+			xor1=tin1;
+#endif
+			}
+#ifndef CBC_ENC_C__DONT_UPDATE_IV 
+		iv = &(*ivec)[0];
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+#endif
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
diff --git a/crypto/openssl/crypto/des/ofb64ede.c b/crypto/openssl/crypto/des/ofb64ede.c
new file mode 100644
index 0000000..6eafe90
--- /dev/null
+++ b/crypto/openssl/crypto/des/ofb64ede.c
@@ -0,0 +1,124 @@
+/* crypto/des/ofb64ede.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void des_ede3_ofb64_encrypt(register const unsigned char *in,
+	     register unsigned char *out, long length, des_key_schedule k1,
+	     des_key_schedule k2, des_key_schedule k3, des_cblock *ivec,
+	     int *num)
+	{
+	register DES_LONG v0,v1;
+	register int n= *num;
+	register long l=length;
+	des_cblock d;
+	register char *dp;
+	DES_LONG ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv = &(*ivec)[0];
+	c2l(iv,v0);
+	c2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2c(v0,dp);
+	l2c(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			/* ti[0]=v0; */
+			/* ti[1]=v1; */
+			des_encrypt3(ti,k1,k2,k3);
+			v0=ti[0];
+			v1=ti[1];
+
+			dp=(char *)d;
+			l2c(v0,dp);
+			l2c(v1,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+/*		v0=ti[0];
+		v1=ti[1];*/
+		iv = &(*ivec)[0];
+		l2c(v0,iv);
+		l2c(v1,iv);
+		}
+	v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
+#ifdef undef /* MACRO */
+void des_ede2_ofb64_encrypt(register unsigned char *in,
+	     register unsigned char *out, long length, des_key_schedule k1,
+	     des_key_schedule k2, des_cblock (*ivec), int *num)
+	{
+	des_ede3_ofb64_encrypt(in, out, length, k1,k2,k1, ivec, num);
+	}
+#endif
diff --git a/crypto/openssl/crypto/des/ofb64enc.c b/crypto/openssl/crypto/des/ofb64enc.c
new file mode 100644
index 0000000..6495395
--- /dev/null
+++ b/crypto/openssl/crypto/des/ofb64enc.c
@@ -0,0 +1,110 @@
+/* crypto/des/ofb64enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void des_ofb64_encrypt(register const unsigned char *in,
+	     register unsigned char *out, long length, des_key_schedule schedule,
+	     des_cblock *ivec, int *num)
+	{
+	register DES_LONG v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	des_cblock d;
+	register unsigned char *dp;
+	DES_LONG ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv = &(*ivec)[0];
+	c2l(iv,v0);
+	c2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=d;
+	l2c(v0,dp);
+	l2c(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			des_encrypt(ti,schedule,DES_ENCRYPT);
+			dp=d;
+			t=ti[0]; l2c(t,dp);
+			t=ti[1]; l2c(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv = &(*ivec)[0];
+		l2c(v0,iv);
+		l2c(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/des/ofb_enc.c b/crypto/openssl/crypto/des/ofb_enc.c
new file mode 100644
index 0000000..a8f425a
--- /dev/null
+++ b/crypto/openssl/crypto/des/ofb_enc.c
@@ -0,0 +1,134 @@
+/* crypto/des/ofb_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* The input and output are loaded in multiples of 8 bits.
+ * What this means is that if you hame numbits=12 and length=2
+ * the first 12 bits will be retrieved from the first byte and half
+ * the second.  The second 12 bits will come from the 3rd and half the 4th
+ * byte.
+ */
+void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+	     long length, des_key_schedule schedule, des_cblock *ivec)
+	{
+	register DES_LONG d0,d1,vv0,vv1,v0,v1,n=(numbits+7)/8;
+	register DES_LONG mask0,mask1;
+	register long l=length;
+	register int num=numbits;
+	DES_LONG ti[2];
+	unsigned char *iv;
+
+	if (num > 64) return;
+	if (num > 32)
+		{
+		mask0=0xffffffffL;
+		if (num >= 64)
+			mask1=mask0;
+		else
+			mask1=(1L<<(num-32))-1;
+		}
+	else
+		{
+		if (num == 32)
+			mask0=0xffffffffL;
+		else
+			mask0=(1L<<num)-1;
+		mask1=0x00000000L;
+		}
+
+	iv = &(*ivec)[0];
+	c2l(iv,v0);
+	c2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	while (l-- > 0)
+		{
+		ti[0]=v0;
+		ti[1]=v1;
+		des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT);
+		vv0=ti[0];
+		vv1=ti[1];
+		c2ln(in,d0,d1,n);
+		in+=n;
+		d0=(d0^vv0)&mask0;
+		d1=(d1^vv1)&mask1;
+		l2cn(d0,d1,out,n);
+		out+=n;
+
+		if (num == 32)
+			{ v0=v1; v1=vv0; }
+		else if (num == 64)
+				{ v0=vv0; v1=vv1; }
+		else if (num > 32) /* && num != 64 */
+			{
+			v0=((v1>>(num-32))|(vv0<<(64-num)))&0xffffffffL;
+			v1=((vv0>>(num-32))|(vv1<<(64-num)))&0xffffffffL;
+			}
+		else /* num < 32 */
+			{
+			v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
+			v1=((v1>>num)|(vv0<<(32-num)))&0xffffffffL;
+			}
+		}
+	iv = &(*ivec)[0];
+	l2c(v0,iv);
+	l2c(v1,iv);
+	v0=v1=d0=d1=ti[0]=ti[1]=vv0=vv1=0;
+	}
+
diff --git a/crypto/openssl/crypto/des/options.txt b/crypto/openssl/crypto/des/options.txt
new file mode 100644
index 0000000..6e2b50f
--- /dev/null
+++ b/crypto/openssl/crypto/des/options.txt
@@ -0,0 +1,39 @@
+Note that the UNROLL option makes the 'inner' des loop unroll all 16 rounds
+instead of the default 4.
+RISC1 and RISC2 are 2 alternatives for the inner loop and
+PTR means to use pointers arithmatic instead of arrays.
+
+FreeBSD - Pentium Pro 200mhz - gcc 2.7.2.2 - assembler		577,000 4620k/s
+IRIX 6.2 - R10000 195mhz - cc (-O3 -n32) - UNROLL RISC2 PTR	496,000 3968k/s
+solaris 2.5.1 usparc 167mhz?? - SC4.0 - UNROLL RISC1 PTR [1]	459,400 3672k/s
+FreeBSD - Pentium Pro 200mhz - gcc 2.7.2.2 - UNROLL RISC1	433,000 3468k/s
+solaris 2.5.1 usparc 167mhz?? - gcc 2.7.2 - UNROLL 		380,000 3041k/s
+linux - pentium 100mhz - gcc 2.7.0 - assembler			281,000 2250k/s
+NT 4.0 - pentium 100mhz - VC 4.2 - assembler			281,000 2250k/s
+AIX 4.1? - PPC604 100mhz - cc - UNROLL 				275,000 2200k/s
+IRIX 5.3 - R4400 200mhz - gcc 2.6.3 - UNROLL RISC2 PTR		235,300 1882k/s
+IRIX 5.3 - R4400 200mhz - cc - UNROLL RISC2 PTR			233,700 1869k/s
+NT 4.0 - pentium 100mhz - VC 4.2 - UNROLL RISC1 PTR		191,000 1528k/s
+DEC Alpha 165mhz??  - cc - RISC2 PTR [2]			181,000 1448k/s
+linux - pentium 100mhz - gcc 2.7.0 - UNROLL RISC1 PTR		158,500 1268k/s
+HPUX 10 - 9000/887 - cc - UNROLL [3]	 			148,000	1190k/s
+solaris 2.5.1 - sparc 10 50mhz - gcc 2.7.2 - UNROLL		123,600  989k/s
+IRIX 5.3 - R4000 100mhz - cc - UNROLL RISC2 PTR			101,000  808k/s
+DGUX - 88100 50mhz(?) - gcc 2.6.3 - UNROLL			 81,000  648k/s
+solaris 2.4 486 50mhz - gcc 2.6.3 - assembler			 65,000  522k/s
+HPUX 10 - 9000/887 - k&r cc (default compiler) - UNROLL PTR	 76,000	 608k/s
+solaris 2.4 486 50mhz - gcc 2.6.3 - UNROLL RISC2		 43,500  344k/s
+AIX - old slow one :-) - cc -					 39,000  312k/s
+
+Notes.
+[1] For the ultra sparc, SunC 4.0 
+    cc -xtarget=ultra -xarch=v8plus -Xa -xO5, running 'des_opts'
+    gives a speed of 344,000 des/s while 'speed' gives 459,000 des/s.
+    I'll record the higher since it is coming from the library but it
+    is all rather weird.
+[2] Similar to the ultra sparc ([1]), 181,000 for 'des_opts' vs 175,000.
+[3] I was unable to get access to this machine when it was not heavily loaded.
+    As such, my timing program was never able to get more that %30 of the CPU.
+    This would cause the program to give much lower speed numbers because
+    it would be 'fighting' to stay in the cache with the other CPU burning
+    processes.
diff --git a/crypto/openssl/crypto/des/pcbc_enc.c b/crypto/openssl/crypto/des/pcbc_enc.c
new file mode 100644
index 0000000..dd69a26
--- /dev/null
+++ b/crypto/openssl/crypto/des/pcbc_enc.c
@@ -0,0 +1,122 @@
+/* crypto/des/pcbc_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+void des_pcbc_encrypt(const unsigned char *input, unsigned char *output,
+	     long length, des_key_schedule schedule, des_cblock *ivec, int enc)
+	{
+	register DES_LONG sin0,sin1,xor0,xor1,tout0,tout1;
+	DES_LONG tin[2];
+	const unsigned char *in;
+	unsigned char *out,*iv;
+
+	in=input;
+	out=output;
+	iv = &(*ivec)[0];
+
+	if (enc)
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (; length>0; length-=8)
+			{
+			if (length >= 8)
+				{
+				c2l(in,sin0);
+				c2l(in,sin1);
+				}
+			else
+				c2ln(in,sin0,sin1,length);
+			tin[0]=sin0^xor0;
+			tin[1]=sin1^xor1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0];
+			tout1=tin[1];
+			xor0=sin0^tout0;
+			xor1=sin1^tout1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			}
+		}
+	else
+		{
+		c2l(iv,xor0); c2l(iv,xor1);
+		for (; length>0; length-=8)
+			{
+			c2l(in,sin0);
+			c2l(in,sin1);
+			tin[0]=sin0;
+			tin[1]=sin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			if (length >= 8)
+				{
+				l2c(tout0,out);
+				l2c(tout1,out);
+				}
+			else
+				l2cn(tout0,tout1,out,length);
+			xor0=tout0^sin0;
+			xor1=tout1^sin1;
+			}
+		}
+	tin[0]=tin[1]=0;
+	sin0=sin1=xor0=xor1=tout0=tout1=0;
+	}
diff --git a/crypto/openssl/crypto/des/podd.h b/crypto/openssl/crypto/des/podd.h
new file mode 100644
index 0000000..1b2bfe0
--- /dev/null
+++ b/crypto/openssl/crypto/des/podd.h
@@ -0,0 +1,75 @@
+/* crypto/des/podd.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const unsigned char odd_parity[256]={
+  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
+ 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+ 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+ 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+ 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+ 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+ 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
diff --git a/crypto/openssl/crypto/des/qud_cksm.c b/crypto/openssl/crypto/des/qud_cksm.c
new file mode 100644
index 0000000..5f0ec53
--- /dev/null
+++ b/crypto/openssl/crypto/des/qud_cksm.c
@@ -0,0 +1,129 @@
+/* crypto/des/qud_cksm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* From "Message Authentication"  R.R. Jueneman, S.M. Matyas, C.H. Meyer
+ * IEEE Communications Magazine Sept 1985 Vol. 23 No. 9 p 29-40
+ * This module in only based on the code in this paper and is
+ * almost definitely not the same as the MIT implementation.
+ */
+#include "des_locl.h"
+
+/* bug fix for dos - 7/6/91 - Larry hughes@logos.ucs.indiana.edu */
+#define Q_B0(a)	(((DES_LONG)(a)))
+#define Q_B1(a)	(((DES_LONG)(a))<<8)
+#define Q_B2(a)	(((DES_LONG)(a))<<16)
+#define Q_B3(a)	(((DES_LONG)(a))<<24)
+
+/* used to scramble things a bit */
+/* Got the value MIT uses via brute force :-) 2/10/90 eay */
+#define NOISE	((DES_LONG)83653421L)
+
+DES_LONG des_quad_cksum(const unsigned char *input, des_cblock output[],
+	     long length, int out_count, des_cblock *seed)
+	{
+	DES_LONG z0,z1,t0,t1;
+	int i;
+	long l;
+	const unsigned char *cp;
+#ifdef _CRAY
+	short *lp;
+#else
+	DES_LONG *lp;
+#endif
+
+	if (out_count < 1) out_count=1;
+	lp = (DES_LONG *) &(output[0])[0];
+
+	z0=Q_B0((*seed)[0])|Q_B1((*seed)[1])|Q_B2((*seed)[2])|Q_B3((*seed)[3]);
+	z1=Q_B0((*seed)[4])|Q_B1((*seed)[5])|Q_B2((*seed)[6])|Q_B3((*seed)[7]);
+
+	for (i=0; ((i<4)&&(i<out_count)); i++)
+		{
+		cp=input;
+		l=length;
+		while (l > 0)
+			{
+			if (l > 1)
+				{
+				t0= (DES_LONG)(*(cp++));
+				t0|=(DES_LONG)Q_B1(*(cp++));
+				l--;
+				}
+			else
+				t0= (DES_LONG)(*(cp++));
+			l--;
+			/* add */
+			t0+=z0;
+			t0&=0xffffffffL;
+			t1=z1;
+			/* square, well sort of square */
+			z0=((((t0*t0)&0xffffffffL)+((t1*t1)&0xffffffffL))
+				&0xffffffffL)%0x7fffffffL; 
+			z1=((t0*((t1+NOISE)&0xffffffffL))&0xffffffffL)%0x7fffffffL;
+			}
+		if (lp != NULL)
+			{
+			/* The MIT library assumes that the checksum is
+			 * composed of 2*out_count 32 bit ints */
+			*lp++ = z0;
+			*lp++ = z1;
+			}
+		}
+	return(z0);
+	}
+
diff --git a/crypto/openssl/crypto/des/rand_key.c b/crypto/openssl/crypto/des/rand_key.c
new file mode 100644
index 0000000..ee1a6c2
--- /dev/null
+++ b/crypto/openssl/crypto/des/rand_key.c
@@ -0,0 +1,73 @@
+/* crypto/des/rand_key.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+void des_random_seed(des_cblock *key)
+	{
+	RAND_seed(key, sizeof(des_cblock));
+	}
+
+int des_random_key(des_cblock *ret)
+	{
+	do
+		{
+		if (RAND_bytes((unsigned char *)ret, sizeof(des_cblock)) != 1)
+			return (0);
+		} while (des_is_weak_key(ret));
+	des_set_odd_parity(ret);
+	return (1);
+	}
diff --git a/crypto/openssl/crypto/des/read2pwd.c b/crypto/openssl/crypto/des/read2pwd.c
new file mode 100644
index 0000000..a8ceaf0
--- /dev/null
+++ b/crypto/openssl/crypto/des/read2pwd.c
@@ -0,0 +1,84 @@
+/* crypto/des/read2pwd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+int des_read_password(des_cblock *key, const char *prompt, int verify)
+	{
+	int ok;
+	char buf[BUFSIZ],buff[BUFSIZ];
+
+	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
+		des_string_to_key(buf,key);
+	memset(buf,0,BUFSIZ);
+	memset(buff,0,BUFSIZ);
+	return(ok);
+	}
+
+int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt,
+	     int verify)
+	{
+	int ok;
+	char buf[BUFSIZ],buff[BUFSIZ];
+
+	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
+		des_string_to_2keys(buf,key1,key2);
+	memset(buf,0,BUFSIZ);
+	memset(buff,0,BUFSIZ);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/des/read_pwd.c b/crypto/openssl/crypto/des/read_pwd.c
new file mode 100644
index 0000000..fa2d67d
--- /dev/null
+++ b/crypto/openssl/crypto/des/read_pwd.c
@@ -0,0 +1,497 @@
+/* crypto/des/read_pwd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#if !defined(MSDOS) && !defined(VMS) && !defined(WIN32)
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+#else
+# include <unistd.h>
+#endif
+/* If unistd.h defines _POSIX_VERSION, we conclude that we
+ * are on a POSIX system and have sigaction and termios. */
+#if defined(_POSIX_VERSION)
+
+# define SIGACTION
+# if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
+# define TERMIOS
+# endif
+
+#endif
+#endif
+
+/* #define SIGACTION */ /* Define this if you have sigaction() */
+
+#ifdef WIN16TTY
+#undef WIN16
+#undef _WINDOWS
+#include <graph.h>
+#endif
+
+/* 06-Apr-92 Luke Brennan    Support for VMS */
+#include "des_locl.h"
+#include "cryptlib.h"
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#ifdef VMS			/* prototypes for sys$whatever */
+#include <starlet.h>
+#ifdef __DECC
+#pragma message disable DOLLARID
+#endif
+#endif
+
+#ifdef WIN_CONSOLE_BUG
+#include <windows.h>
+#include <wincon.h>
+#endif
+
+
+/* There are 5 types of terminal interface supported,
+ * TERMIO, TERMIOS, VMS, MSDOS and SGTTY
+ */
+
+#if defined(__sgi) && !defined(TERMIOS)
+#define TERMIOS
+#undef  TERMIO
+#undef  SGTTY
+#endif
+
+#if defined(linux) && !defined(TERMIO)
+#undef  TERMIOS
+#define TERMIO
+#undef  SGTTY
+#endif
+
+#ifdef _LIBC
+#undef  TERMIOS
+#define TERMIO
+#undef  SGTTY
+#endif
+
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(VMS) && !defined(MSDOS) && !defined(MAC_OS_pre_X) && !defined(MAC_OS_GUSI_SOURCE)
+#undef  TERMIOS
+#undef  TERMIO
+#define SGTTY
+#endif
+
+#ifdef TERMIOS
+#include <termios.h>
+#define TTY_STRUCT		struct termios
+#define TTY_FLAGS		c_lflag
+#define	TTY_get(tty,data)	tcgetattr(tty,data)
+#define TTY_set(tty,data)	tcsetattr(tty,TCSANOW,data)
+#endif
+
+#ifdef TERMIO
+#include <termio.h>
+#define TTY_STRUCT		struct termio
+#define TTY_FLAGS		c_lflag
+#define TTY_get(tty,data)	ioctl(tty,TCGETA,data)
+#define TTY_set(tty,data)	ioctl(tty,TCSETA,data)
+#endif
+
+#ifdef SGTTY
+#include <sgtty.h>
+#define TTY_STRUCT		struct sgttyb
+#define TTY_FLAGS		sg_flags
+#define TTY_get(tty,data)	ioctl(tty,TIOCGETP,data)
+#define TTY_set(tty,data)	ioctl(tty,TIOCSETP,data)
+#endif
+
+#if !defined(_LIBC) && !defined(MSDOS) && !defined(VMS) && !defined(MAC_OS_pre_X)
+#include <sys/ioctl.h>
+#endif
+
+#ifdef MSDOS
+#include <conio.h>
+#define fgets(a,b,c) noecho_fgets(a,b,c)
+#endif
+
+#ifdef VMS
+#include <ssdef.h>
+#include <iodef.h>
+#include <ttdef.h>
+#include <descrip.h>
+struct IOSB {
+	short iosb$w_value;
+	short iosb$w_count;
+	long  iosb$l_info;
+	};
+#endif
+
+#if defined(MAC_OS_pre_X) || defined(MAC_OS_GUSI_SOURCE)
+/*
+ * This one needs work. As a matter of fact the code is unoperational
+ * and this is only a trick to get it compiled.
+ *					<appro@fy.chalmers.se>
+ */
+#define TTY_STRUCT int
+#endif
+
+#ifndef NX509_SIG
+#define NX509_SIG 32
+#endif
+
+static void read_till_nl(FILE *);
+static void recsig(int);
+static void pushsig(void);
+static void popsig(void);
+#if defined(MSDOS) && !defined(WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty);
+#endif
+#ifdef SIGACTION
+ static struct sigaction savsig[NX509_SIG];
+#else
+  static void (*savsig[NX509_SIG])(int );
+#endif
+static jmp_buf save;
+
+int des_read_pw_string(char *buf, int length, const char *prompt,
+	     int verify)
+	{
+	char buff[BUFSIZ];
+	int ret;
+
+	ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
+	memset(buff,0,BUFSIZ);
+	return(ret);
+	}
+
+#ifndef WIN16
+
+static void read_till_nl(FILE *in)
+	{
+#define SIZE 4
+	char buf[SIZE+1];
+
+	do	{
+		fgets(buf,SIZE,in);
+		} while (strchr(buf,'\n') == NULL);
+	}
+
+
+/* return 0 if ok, 1 (or -1) otherwise */
+int des_read_pw(char *buf, char *buff, int size, const char *prompt,
+	     int verify)
+	{
+#ifdef VMS
+	struct IOSB iosb;
+	$DESCRIPTOR(terminal,"TT");
+	long tty_orig[3], tty_new[3];
+	long status;
+	unsigned short channel = 0;
+#else
+#ifndef MSDOS
+	TTY_STRUCT tty_orig,tty_new;
+#endif
+#endif
+	int number;
+	int ok;
+	/* statics are simply to avoid warnings about longjmp clobbering
+	   things */
+	static int ps;
+	int is_a_tty;
+	static FILE *tty;
+	char *p;
+
+	if (setjmp(save))
+		{
+		ok=0;
+		goto error;
+		}
+
+	number=5;
+	ok=0;
+	ps=0;
+	is_a_tty=1;
+	tty=NULL;
+
+#ifndef MSDOS
+	if ((tty=fopen("/dev/tty","r")) == NULL)
+		tty=stdin;
+#else /* MSDOS */
+	if ((tty=fopen("con","r")) == NULL)
+		tty=stdin;
+#endif /* MSDOS */
+
+#if defined(TTY_get) && !defined(VMS)
+	if (TTY_get(fileno(tty),&tty_orig) == -1)
+		{
+#ifdef ENOTTY
+		if (errno == ENOTTY)
+			is_a_tty=0;
+		else
+#endif
+#ifdef EINVAL
+		/* Ariel Glenn ariel@columbia.edu reports that solaris
+		 * can return EINVAL instead.  This should be ok */
+		if (errno == EINVAL)
+			is_a_tty=0;
+		else
+#endif
+			return(-1);
+		}
+	memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+#endif
+#ifdef VMS
+	status = sys$assign(&terminal,&channel,0,0);
+	if (status != SS$_NORMAL)
+		return(-1);
+	status=sys$qiow(0,channel,IO$_SENSEMODE,&iosb,0,0,tty_orig,12,0,0,0,0);
+	if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+		return(-1);
+#endif
+
+	pushsig();
+	ps=1;
+
+#ifdef TTY_FLAGS
+	tty_new.TTY_FLAGS &= ~ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(VMS)
+	if (is_a_tty && (TTY_set(fileno(tty),&tty_new) == -1))
+		return(-1);
+#endif
+#ifdef VMS
+	tty_new[0] = tty_orig[0];
+	tty_new[1] = tty_orig[1] | TT$M_NOECHO;
+	tty_new[2] = tty_orig[2];
+	status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+	if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+		return(-1);
+#endif
+	ps=2;
+
+	while ((!ok) && (number--))
+		{
+		fputs(prompt,stderr);
+		fflush(stderr);
+
+		buf[0]='\0';
+		fgets(buf,size,tty);
+		if (feof(tty)) goto error;
+		if (ferror(tty)) goto error;
+		if ((p=(char *)strchr(buf,'\n')) != NULL)
+			*p='\0';
+		else	read_till_nl(tty);
+		if (verify)
+			{
+			fprintf(stderr,"\nVerifying password - %s",prompt);
+			fflush(stderr);
+			buff[0]='\0';
+			fgets(buff,size,tty);
+			if (feof(tty)) goto error;
+			if ((p=(char *)strchr(buff,'\n')) != NULL)
+				*p='\0';
+			else	read_till_nl(tty);
+				
+			if (strcmp(buf,buff) != 0)
+				{
+				fprintf(stderr,"\nVerify failure");
+				fflush(stderr);
+				break;
+				/* continue; */
+				}
+			}
+		ok=1;
+		}
+
+error:
+	fprintf(stderr,"\n");
+#ifdef DEBUG
+	perror("fgets(tty)");
+#endif
+	/* What can we do if there is an error? */
+#if defined(TTY_set) && !defined(VMS)
+	if (ps >= 2) TTY_set(fileno(tty),&tty_orig);
+#endif
+#ifdef VMS
+	if (ps >= 2)
+		status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0
+			,tty_orig,12,0,0,0,0);
+#endif
+	
+	if (ps >= 1) popsig();
+	if (stdin != tty) fclose(tty);
+#ifdef VMS
+	status = sys$dassgn(channel);
+#endif
+	return(!ok);
+	}
+
+#else /* WIN16 */
+
+int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
+	{ 
+	memset(buf,0,size);
+	memset(buff,0,size);
+	return(0);
+	}
+
+#endif
+
+static void pushsig(void)
+	{
+	int i;
+#ifdef SIGACTION
+	struct sigaction sa;
+
+	memset(&sa,0,sizeof sa);
+	sa.sa_handler=recsig;
+#endif
+
+	for (i=1; i<NX509_SIG; i++)
+		{
+#ifdef SIGUSR1
+		if (i == SIGUSR1)
+			continue;
+#endif
+#ifdef SIGUSR2
+		if (i == SIGUSR2)
+			continue;
+#endif
+#ifdef SIGACTION
+		sigaction(i,&sa,&savsig[i]);
+#else
+		savsig[i]=signal(i,recsig);
+#endif
+		}
+
+#ifdef SIGWINCH
+	signal(SIGWINCH,SIG_DFL);
+#endif
+	}
+
+static void popsig(void)
+	{
+	int i;
+
+	for (i=1; i<NX509_SIG; i++)
+		{
+#ifdef SIGUSR1
+		if (i == SIGUSR1)
+			continue;
+#endif
+#ifdef SIGUSR2
+		if (i == SIGUSR2)
+			continue;
+#endif
+#ifdef SIGACTION
+		sigaction(i,&savsig[i],NULL);
+#else
+		signal(i,savsig[i]);
+#endif
+		}
+	}
+
+static void recsig(int i)
+	{
+	longjmp(save,1);
+#ifdef LINT
+	i=i;
+#endif
+	}
+
+#if defined(MSDOS) && !defined(WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty)
+	{
+	int i;
+	char *p;
+
+	p=buf;
+	for (;;)
+		{
+		if (size == 0)
+			{
+			*p='\0';
+			break;
+			}
+		size--;
+#ifdef WIN16TTY
+		i=_inchar();
+#else
+		i=getch();
+#endif
+		if (i == '\r') i='\n';
+		*(p++)=i;
+		if (i == '\n')
+			{
+			*p='\0';
+			break;
+			}
+		}
+#ifdef WIN_CONSOLE_BUG
+/* Win95 has several evil console bugs: one of these is that the
+ * last character read using getch() is passed to the next read: this is
+ * usually a CR so this can be trouble. No STDIO fix seems to work but
+ * flushing the console appears to do the trick.
+ */
+		{
+			HANDLE inh;
+			inh = GetStdHandle(STD_INPUT_HANDLE);
+			FlushConsoleInputBuffer(inh);
+		}
+#endif
+	return(strlen(buf));
+	}
+#endif
diff --git a/crypto/openssl/crypto/des/rnd_keys.c b/crypto/openssl/crypto/des/rnd_keys.c
new file mode 100644
index 0000000..c2626c4
--- /dev/null
+++ b/crypto/openssl/crypto/des/rnd_keys.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$Id$
+ * $FreeBSD$
+ */
+
+#include <openssl/des.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#ifndef RETSIGTYPE
+#define RETSIGTYPE void
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+/*
+ * Generate "random" data by checksumming a file.
+ *
+ * Returns -1 if there were any problems with permissions or I/O
+ * errors.
+ */
+static
+int
+sumFile (const char *name, int len, void *res)
+{
+  u_int32_t sum[2];
+  u_int32_t buf[1024*2];
+  int fd, i;
+
+  fd = open (name, 0);
+  if (fd < 0)
+    return -1;
+
+  while (len > 0)
+    {
+      int n = read(fd, buf, sizeof(buf));
+      if (n < 0)
+	{
+	  close(fd);
+	  return n;
+	}
+      for (i = 0; i < (n/sizeof(buf[0])); i++)
+	{
+	  sum[0] += buf[i];
+	  i++;
+	  sum[1] += buf[i];
+	}
+      len -= n;
+    }
+  close (fd);
+  memcpy (res, &sum, sizeof(sum));
+  return 0;
+}
+
+/*
+ * Create a sequence of random 64 bit blocks.
+ * The sequence is indexed with a long long and 
+ * based on an initial des key used as a seed.
+ */
+static des_key_schedule sequence_seed;
+static u_int32_t sequence_index[2];
+
+/* 
+ * Random number generator based on ideas from truerand in cryptolib
+ * as described on page 424 in Applied Cryptography 2 ed. by Bruce
+ * Schneier.
+ */
+
+static volatile int counter;
+static volatile unsigned char *gdata; /* Global data */
+static volatile int igdata;	/* Index into global data */
+static int gsize;
+
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+/* Visual C++ 4.0 (Windows95/NT) */
+
+static
+RETSIGTYPE
+sigALRM(int sig)
+{
+    if (igdata < gsize)
+	gdata[igdata++] ^= counter & 0xff;
+
+#ifndef HAVE_SIGACTION
+    signal(SIGALRM, sigALRM); /* Reinstall SysV signal handler */
+#endif
+    SIGRETURN(0);
+}
+
+#endif
+
+#if !defined(HAVE_RANDOM) && defined(HAVE_RAND)
+#ifndef srandom
+#define srandom srand
+#endif
+#ifndef random
+#define random rand
+#endif
+#endif
+
+static void
+des_not_rand_data(unsigned char *data, int size)
+{
+  int i;
+
+  srandom (time (NULL));
+
+  for(i = 0; i < size; ++i)
+    data[i] ^= random() % 0x100;
+}
+
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+
+#ifndef HAVE_SETITIMER
+static void
+pacemaker(struct timeval *tv)
+{
+    fd_set fds;
+    pid_t pid;
+    pid = getppid();
+    while(1){
+	FD_ZERO(&fds);
+	FD_SET(0, &fds);
+	select(1, &fds, NULL, NULL, tv);
+	kill(pid, SIGALRM);
+    }
+}
+#endif
+
+#ifdef HAVE_SIGACTION
+/* XXX ugly hack, should perhaps use function from roken */
+static RETSIGTYPE 
+(*fake_signal(int sig, RETSIGTYPE (*f)(int)))(int)
+{
+    struct sigaction sa, osa;
+    sa.sa_handler = f;
+    sa.sa_flags = 0;
+    sigemptyset(&sa.sa_mask);
+    sigaction(sig, &sa, &osa);
+    return osa.sa_handler;
+}
+#define signal(S, F) fake_signal((S), (F))
+#endif
+
+/*
+ * Generate size bytes of "random" data using timed interrupts.
+ * It takes about 40ms/byte random data.
+ * It's not neccessary to be root to run it.
+ */
+void
+des_rand_data(unsigned char *data, int size)
+{
+    struct itimerval tv;
+#ifdef HAVE_SETITIMER
+    struct itimerval otv;
+#endif
+    RETSIGTYPE (*osa)(int);
+    int i, j;
+#ifndef HAVE_SETITIMER 
+    RETSIGTYPE (*ochld)(int);
+    pid_t pid;
+#endif
+    char *rnd_devices[] = {"/dev/random",
+			   "/dev/srandom",
+			   "/dev/urandom",
+			   NULL};
+    char **p;
+
+    for(p = rnd_devices; *p; p++) {
+      int fd = open(*p, O_RDONLY | O_NDELAY);
+      
+      if(fd >= 0 && read(fd, data, size) == size) {
+	close(fd);
+	return;
+      }
+      close(fd);
+    }
+
+    /* Paranoia? Initialize data from /dev/mem if we can read it. */
+    if (size >= 8)
+      sumFile("/dev/mem", (1024*1024*2), data);
+
+    gdata = data;
+    gsize = size;
+    igdata = 0;
+
+    osa = signal(SIGALRM, sigALRM);
+  
+    /* Start timer */
+    tv.it_value.tv_sec = 0;
+    tv.it_value.tv_usec = 10 * 1000; /* 10 ms */
+    tv.it_interval = tv.it_value;
+#ifdef HAVE_SETITIMER
+    setitimer(ITIMER_REAL, &tv, &otv);
+#else
+    ochld = signal(SIGCHLD, SIG_IGN);
+    pid = fork();
+    if(pid == -1){
+	signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
+	des_not_rand_data(data, size);
+	return;
+    }
+    if(pid == 0)
+	pacemaker(&tv.it_interval);
+#endif
+
+    for(i = 0; i < 4; i++) {
+	for (igdata = 0; igdata < size;) /* igdata++ in sigALRM */
+	    counter++;
+	for (j = 0; j < size; j++) /* Only use 2 bits each lap */
+	    gdata[j] = (gdata[j]>>2) | (gdata[j]<<6);
+    }
+#ifdef HAVE_SETITIMER
+    setitimer(ITIMER_REAL, &otv, 0);
+#else
+    kill(pid, SIGKILL);
+    while(waitpid(pid, NULL, 0) != pid);
+    signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
+#endif
+    signal(SIGALRM, osa != SIG_ERR ? osa : SIG_DFL);
+}
+#else
+void
+des_rand_data(unsigned char *p, int s)
+{
+  des_not_rand_data (p, s);
+}
+#endif
+
+void
+des_generate_random_block(des_cblock *block)
+{
+  des_rand_data((unsigned char *)block, sizeof(*block));
+}
+
+/*
+ * Generate a "random" DES key.
+ */
+void
+des_rand_data_key(des_cblock *key)
+{
+    unsigned char data[8];
+    des_key_schedule sched;
+    do {
+	des_rand_data(data, sizeof(data));
+	des_rand_data((unsigned char*)key, sizeof(des_cblock));
+	des_set_odd_parity(key);
+	des_key_sched(key, sched);
+	des_ecb_encrypt(&data, key, sched, DES_ENCRYPT);
+	memset(&data, 0, sizeof(data));
+	memset(&sched, 0, sizeof(sched));
+	des_set_odd_parity(key);
+    } while(des_is_weak_key(key));
+}
+
+/*
+ * Generate "random" data by checksumming /dev/mem
+ *
+ * It's neccessary to be root to run it. Returns -1 if there were any
+ * problems with permissions.
+ */
+int
+des_mem_rand8(unsigned char *data)
+{
+  return 1;
+}
+
+/*
+ * In case the generator does not get initialized use this as fallback.
+ */
+static int initialized;
+
+static void
+do_initialize(void)
+{
+    des_cblock default_seed;
+    do {
+	des_generate_random_block(&default_seed);
+	des_set_odd_parity(&default_seed);
+    } while (des_is_weak_key(&default_seed));
+    des_init_random_number_generator(&default_seed);
+}
+
+#define zero_long_long(ll) do { ll[0] = ll[1] = 0; } while (0)
+
+#define incr_long_long(ll) do { if (++ll[0] == 0) ++ll[1]; } while (0)
+
+#define set_sequence_number(ll) \
+memcpy((char *)sequence_index, (ll), sizeof(sequence_index));
+
+/*
+ * Set the sequnce number to this value (a long long).
+ */
+void
+des_set_sequence_number(unsigned char *ll)
+{
+    set_sequence_number(ll);
+}
+
+/*
+ * Set the generator seed and reset the sequence number to 0.
+ */
+void
+des_set_random_generator_seed(des_cblock *seed)
+{
+    des_key_sched(seed, sequence_seed);
+    zero_long_long(sequence_index);
+    initialized = 1;
+}
+
+/*
+ * Generate a sequence of random des keys
+ * using the random block sequence, fixup
+ * parity and skip weak keys.
+ */
+int
+des_new_random_key(des_cblock *key)
+{
+    if (!initialized)
+	do_initialize();
+
+    do {
+	des_ecb_encrypt((des_cblock *) sequence_index,
+			key,
+			sequence_seed,
+			DES_ENCRYPT);
+	incr_long_long(sequence_index);
+	/* random key must have odd parity and not be weak */
+	des_set_odd_parity(key);
+    } while (des_is_weak_key(key));
+    return(0);
+}
+
+/*
+ * des_init_random_number_generator:
+ *
+ * Initialize the sequence of random 64 bit blocks.  The input seed
+ * can be a secret key since it should be well hidden and is also not
+ * kept.
+ *
+ */
+void 
+des_init_random_number_generator(des_cblock *seed)
+{
+    struct timeval now;
+    des_cblock uniq;
+    des_cblock new_key;
+
+    gettimeofday(&now, (struct timezone *)0);
+    des_generate_random_block(&uniq);
+
+    /* Pick a unique random key from the shared sequence. */
+    des_set_random_generator_seed(seed);
+    set_sequence_number((unsigned char *)&uniq);
+    des_new_random_key(&new_key);
+
+    /* Select a new nonshared sequence, */
+    des_set_random_generator_seed(&new_key);
+
+    /* and use the current time to pick a key for the new sequence. */
+    set_sequence_number((unsigned char *)&now);
+    des_new_random_key(&new_key);
+    des_set_random_generator_seed(&new_key);
+}
+
+#ifdef TESTRUN
+int
+main()
+{
+    unsigned char data[8];
+    int i;
+
+    while (1)
+        {
+	    if (sumFile("/dev/mem", (1024*1024*8), data) != 0)
+	      { perror("sumFile"); exit(1); }
+            for (i = 0; i < 8; i++)
+                printf("%02x", data[i]);
+            printf("\n");
+        }
+}
+#endif
+
+#ifdef TESTRUN2
+int
+main()
+{
+    des_cblock data;
+    int i;
+
+    while (1)
+        {
+	    do_initialize();
+            des_random_key(data);
+            for (i = 0; i < 8; i++)
+                printf("%02x", data[i]);
+            printf("\n");
+        }
+}
+#endif
diff --git a/crypto/openssl/crypto/des/rpc_des.h b/crypto/openssl/crypto/des/rpc_des.h
new file mode 100644
index 0000000..4cbb4d2
--- /dev/null
+++ b/crypto/openssl/crypto/des/rpc_des.h
@@ -0,0 +1,131 @@
+/* crypto/des/rpc_des.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*  @(#)des.h	2.2 88/08/10 4.0 RPCSRC; from 2.7 88/02/08 SMI  */
+/*
+ * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
+ * unrestricted use provided that this legend is included on all tape
+ * media and as a part of the software program in whole or part.  Users
+ * may copy or modify Sun RPC without charge, but are not authorized
+ * to license or distribute it to anyone else except as part of a product or
+ * program developed by the user.
+ * 
+ * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
+ * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
+ * 
+ * Sun RPC is provided with no support and without any obligation on the
+ * part of Sun Microsystems, Inc. to assist in its use, correction,
+ * modification or enhancement.
+ * 
+ * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
+ * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
+ * OR ANY PART THEREOF.
+ * 
+ * In no event will Sun Microsystems, Inc. be liable for any lost revenue
+ * or profits or other special, indirect and consequential damages, even if
+ * Sun has been advised of the possibility of such damages.
+ * 
+ * Sun Microsystems, Inc.
+ * 2550 Garcia Avenue
+ * Mountain View, California  94043
+ */
+/*
+ * Generic DES driver interface
+ * Keep this file hardware independent!
+ * Copyright (c) 1986 by Sun Microsystems, Inc.
+ */
+
+#define DES_MAXLEN 	65536	/* maximum # of bytes to encrypt  */
+#define DES_QUICKLEN	16	/* maximum # of bytes to encrypt quickly */
+
+#ifdef HEADER_DES_H
+#undef ENCRYPT
+#undef DECRYPT
+#endif
+
+enum desdir { ENCRYPT, DECRYPT };
+enum desmode { CBC, ECB };
+
+/*
+ * parameters to ioctl call
+ */
+struct desparams {
+	unsigned char des_key[8];	/* key (with low bit parity) */
+	enum desdir des_dir;	/* direction */
+	enum desmode des_mode;	/* mode */
+	unsigned char des_ivec[8];	/* input vector */
+	unsigned des_len;	/* number of bytes to crypt */
+	union {
+		unsigned char UDES_data[DES_QUICKLEN];
+		unsigned char *UDES_buf;
+	} UDES;
+#	define des_data UDES.UDES_data	/* direct data here if quick */
+#	define des_buf	UDES.UDES_buf	/* otherwise, pointer to data */
+};
+
+/*
+ * Encrypt an arbitrary sized buffer
+ */
+#define	DESIOCBLOCK	_IOWR(d, 6, struct desparams)
+
+/* 
+ * Encrypt of small amount of data, quickly
+ */
+#define DESIOCQUICK	_IOWR(d, 7, struct desparams) 
+
diff --git a/crypto/openssl/crypto/des/rpc_enc.c b/crypto/openssl/crypto/des/rpc_enc.c
new file mode 100644
index 0000000..32d96d5
--- /dev/null
+++ b/crypto/openssl/crypto/des/rpc_enc.c
@@ -0,0 +1,98 @@
+/* crypto/des/rpc_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "rpc_des.h"
+#include "des_locl.h"
+#include "des_ver.h"
+
+int _des_crypt(char *buf,int len,struct desparams *desp);
+int _des_crypt(char *buf, int len, struct desparams *desp)
+	{
+	des_key_schedule ks;
+	int enc;
+
+	des_set_key_unchecked(&desp->des_key,ks);
+	enc=(desp->des_dir == ENCRYPT)?DES_ENCRYPT:DES_DECRYPT;
+
+	if (desp->des_mode == CBC)
+		des_ecb_encrypt((const_des_cblock *)desp->UDES.UDES_buf,
+				(des_cblock *)desp->UDES.UDES_buf,ks,
+				enc);
+	else
+		{
+		des_ncbc_encrypt(desp->UDES.UDES_buf,desp->UDES.UDES_buf,
+				len,ks,&desp->des_ivec,enc);
+#ifdef undef
+		/* len will always be %8 if called from common_crypt
+		 * in secure_rpc.
+		 * Libdes's cbc encrypt does not copy back the iv,
+		 * so we have to do it here. */
+		/* It does now :-) eay 20/09/95 */
+
+		a=(char *)&(desp->UDES.UDES_buf[len-8]);
+		b=(char *)&(desp->des_ivec[0]);
+
+		*(a++)= *(b++); *(a++)= *(b++);
+		*(a++)= *(b++); *(a++)= *(b++);
+		*(a++)= *(b++); *(a++)= *(b++);
+		*(a++)= *(b++); *(a++)= *(b++);
+#endif
+		}
+	return(1);	
+	}
+
diff --git a/crypto/openssl/crypto/des/rpw.c b/crypto/openssl/crypto/des/rpw.c
new file mode 100644
index 0000000..0b6b151
--- /dev/null
+++ b/crypto/openssl/crypto/des/rpw.c
@@ -0,0 +1,99 @@
+/* crypto/des/rpw.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/des.h>
+
+int main(int argc, char *argv[])
+	{
+	des_cblock k,k1;
+	int i;
+
+	printf("read passwd\n");
+	if ((i=des_read_password(&k,"Enter password:",0)) == 0)
+		{
+		printf("password = ");
+		for (i=0; i<8; i++)
+			printf("%02x ",k[i]);
+		}
+	else
+		printf("error %d\n",i);
+	printf("\n");
+	printf("read 2passwds and verify\n");
+	if ((i=des_read_2passwords(&k,&k1,
+		"Enter verified password:",1)) == 0)
+		{
+		printf("password1 = ");
+		for (i=0; i<8; i++)
+			printf("%02x ",k[i]);
+		printf("\n");
+		printf("password2 = ");
+		for (i=0; i<8; i++)
+			printf("%02x ",k1[i]);
+		printf("\n");
+		exit(1);
+		}
+	else
+		{
+		printf("error %d\n",i);
+		exit(0);
+		}
+#ifdef LINT
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/des/set_key.c b/crypto/openssl/crypto/des/set_key.c
new file mode 100644
index 0000000..09afd4f
--- /dev/null
+++ b/crypto/openssl/crypto/des/set_key.c
@@ -0,0 +1,402 @@
+/* crypto/des/set_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* set_key.c v 1.4 eay 24/9/91
+ * 1.4 Speed up by 400% :-)
+ * 1.3 added register declarations.
+ * 1.2 unrolled make_key_sched a bit more
+ * 1.1 added norm_expand_bits
+ * 1.0 First working version
+ */
+#include "des_locl.h"
+
+OPENSSL_GLOBAL int des_check_key=0;
+
+static const unsigned char odd_parity[256]={
+  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
+ 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+ 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+ 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+ 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+ 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+ 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
+
+void des_set_odd_parity(des_cblock *key)
+	{
+	int i;
+
+	for (i=0; i<DES_KEY_SZ; i++)
+		(*key)[i]=odd_parity[(*key)[i]];
+	}
+
+int des_check_key_parity(const_des_cblock *key)
+	{
+	int i;
+
+	for (i=0; i<DES_KEY_SZ; i++)
+		{
+		if ((*key)[i] != odd_parity[(*key)[i]])
+			return(0);
+		}
+	return(1);
+	}
+
+/* Weak and semi week keys as take from
+ * %A D.W. Davies
+ * %A W.L. Price
+ * %T Security for Computer Networks
+ * %I John Wiley & Sons
+ * %D 1984
+ * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
+ * (and actual cblock values).
+ */
+#define NUM_WEAK_KEY	16
+static des_cblock weak_keys[NUM_WEAK_KEY]={
+	/* weak keys */
+	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+	{0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
+	{0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
+	{0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
+	/* semi-weak keys */
+	{0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
+	{0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
+	{0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
+	{0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
+	{0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
+	{0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
+	{0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
+	{0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
+	{0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
+	{0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
+	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
+	{0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
+
+int des_is_weak_key(const_des_cblock *key)
+	{
+	int i;
+
+	for (i=0; i<NUM_WEAK_KEY; i++)
+		/* Added == 0 to comparison, I obviously don't run
+		 * this section very often :-(, thanks to
+		 * engineering@MorningStar.Com for the fix
+		 * eay 93/06/29
+		 * Another problem, I was comparing only the first 4
+		 * bytes, 97/03/18 */
+		if (memcmp(weak_keys[i],key,sizeof(des_cblock)) == 0) return(1);
+	return(0);
+	}
+
+/* NOW DEFINED IN des_local.h
+ * See ecb_encrypt.c for a pseudo description of these macros. 
+ * #define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+ * 	(b)^=(t),\
+ * 	(a)=((a)^((t)<<(n))))
+ */
+
+#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
+	(a)=(a)^(t)^(t>>(16-(n))))
+
+static const DES_LONG des_skb[8][64]={
+	{
+	/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+	0x00000000L,0x00000010L,0x20000000L,0x20000010L,
+	0x00010000L,0x00010010L,0x20010000L,0x20010010L,
+	0x00000800L,0x00000810L,0x20000800L,0x20000810L,
+	0x00010800L,0x00010810L,0x20010800L,0x20010810L,
+	0x00000020L,0x00000030L,0x20000020L,0x20000030L,
+	0x00010020L,0x00010030L,0x20010020L,0x20010030L,
+	0x00000820L,0x00000830L,0x20000820L,0x20000830L,
+	0x00010820L,0x00010830L,0x20010820L,0x20010830L,
+	0x00080000L,0x00080010L,0x20080000L,0x20080010L,
+	0x00090000L,0x00090010L,0x20090000L,0x20090010L,
+	0x00080800L,0x00080810L,0x20080800L,0x20080810L,
+	0x00090800L,0x00090810L,0x20090800L,0x20090810L,
+	0x00080020L,0x00080030L,0x20080020L,0x20080030L,
+	0x00090020L,0x00090030L,0x20090020L,0x20090030L,
+	0x00080820L,0x00080830L,0x20080820L,0x20080830L,
+	0x00090820L,0x00090830L,0x20090820L,0x20090830L,
+	},{
+	/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+	0x00000000L,0x02000000L,0x00002000L,0x02002000L,
+	0x00200000L,0x02200000L,0x00202000L,0x02202000L,
+	0x00000004L,0x02000004L,0x00002004L,0x02002004L,
+	0x00200004L,0x02200004L,0x00202004L,0x02202004L,
+	0x00000400L,0x02000400L,0x00002400L,0x02002400L,
+	0x00200400L,0x02200400L,0x00202400L,0x02202400L,
+	0x00000404L,0x02000404L,0x00002404L,0x02002404L,
+	0x00200404L,0x02200404L,0x00202404L,0x02202404L,
+	0x10000000L,0x12000000L,0x10002000L,0x12002000L,
+	0x10200000L,0x12200000L,0x10202000L,0x12202000L,
+	0x10000004L,0x12000004L,0x10002004L,0x12002004L,
+	0x10200004L,0x12200004L,0x10202004L,0x12202004L,
+	0x10000400L,0x12000400L,0x10002400L,0x12002400L,
+	0x10200400L,0x12200400L,0x10202400L,0x12202400L,
+	0x10000404L,0x12000404L,0x10002404L,0x12002404L,
+	0x10200404L,0x12200404L,0x10202404L,0x12202404L,
+	},{
+	/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+	0x00000000L,0x00000001L,0x00040000L,0x00040001L,
+	0x01000000L,0x01000001L,0x01040000L,0x01040001L,
+	0x00000002L,0x00000003L,0x00040002L,0x00040003L,
+	0x01000002L,0x01000003L,0x01040002L,0x01040003L,
+	0x00000200L,0x00000201L,0x00040200L,0x00040201L,
+	0x01000200L,0x01000201L,0x01040200L,0x01040201L,
+	0x00000202L,0x00000203L,0x00040202L,0x00040203L,
+	0x01000202L,0x01000203L,0x01040202L,0x01040203L,
+	0x08000000L,0x08000001L,0x08040000L,0x08040001L,
+	0x09000000L,0x09000001L,0x09040000L,0x09040001L,
+	0x08000002L,0x08000003L,0x08040002L,0x08040003L,
+	0x09000002L,0x09000003L,0x09040002L,0x09040003L,
+	0x08000200L,0x08000201L,0x08040200L,0x08040201L,
+	0x09000200L,0x09000201L,0x09040200L,0x09040201L,
+	0x08000202L,0x08000203L,0x08040202L,0x08040203L,
+	0x09000202L,0x09000203L,0x09040202L,0x09040203L,
+	},{
+	/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+	0x00000000L,0x00100000L,0x00000100L,0x00100100L,
+	0x00000008L,0x00100008L,0x00000108L,0x00100108L,
+	0x00001000L,0x00101000L,0x00001100L,0x00101100L,
+	0x00001008L,0x00101008L,0x00001108L,0x00101108L,
+	0x04000000L,0x04100000L,0x04000100L,0x04100100L,
+	0x04000008L,0x04100008L,0x04000108L,0x04100108L,
+	0x04001000L,0x04101000L,0x04001100L,0x04101100L,
+	0x04001008L,0x04101008L,0x04001108L,0x04101108L,
+	0x00020000L,0x00120000L,0x00020100L,0x00120100L,
+	0x00020008L,0x00120008L,0x00020108L,0x00120108L,
+	0x00021000L,0x00121000L,0x00021100L,0x00121100L,
+	0x00021008L,0x00121008L,0x00021108L,0x00121108L,
+	0x04020000L,0x04120000L,0x04020100L,0x04120100L,
+	0x04020008L,0x04120008L,0x04020108L,0x04120108L,
+	0x04021000L,0x04121000L,0x04021100L,0x04121100L,
+	0x04021008L,0x04121008L,0x04021108L,0x04121108L,
+	},{
+	/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+	0x00000000L,0x10000000L,0x00010000L,0x10010000L,
+	0x00000004L,0x10000004L,0x00010004L,0x10010004L,
+	0x20000000L,0x30000000L,0x20010000L,0x30010000L,
+	0x20000004L,0x30000004L,0x20010004L,0x30010004L,
+	0x00100000L,0x10100000L,0x00110000L,0x10110000L,
+	0x00100004L,0x10100004L,0x00110004L,0x10110004L,
+	0x20100000L,0x30100000L,0x20110000L,0x30110000L,
+	0x20100004L,0x30100004L,0x20110004L,0x30110004L,
+	0x00001000L,0x10001000L,0x00011000L,0x10011000L,
+	0x00001004L,0x10001004L,0x00011004L,0x10011004L,
+	0x20001000L,0x30001000L,0x20011000L,0x30011000L,
+	0x20001004L,0x30001004L,0x20011004L,0x30011004L,
+	0x00101000L,0x10101000L,0x00111000L,0x10111000L,
+	0x00101004L,0x10101004L,0x00111004L,0x10111004L,
+	0x20101000L,0x30101000L,0x20111000L,0x30111000L,
+	0x20101004L,0x30101004L,0x20111004L,0x30111004L,
+	},{
+	/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+	0x00000000L,0x08000000L,0x00000008L,0x08000008L,
+	0x00000400L,0x08000400L,0x00000408L,0x08000408L,
+	0x00020000L,0x08020000L,0x00020008L,0x08020008L,
+	0x00020400L,0x08020400L,0x00020408L,0x08020408L,
+	0x00000001L,0x08000001L,0x00000009L,0x08000009L,
+	0x00000401L,0x08000401L,0x00000409L,0x08000409L,
+	0x00020001L,0x08020001L,0x00020009L,0x08020009L,
+	0x00020401L,0x08020401L,0x00020409L,0x08020409L,
+	0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
+	0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
+	0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
+	0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
+	0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
+	0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
+	0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
+	0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
+	},{
+	/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+	0x00000000L,0x00000100L,0x00080000L,0x00080100L,
+	0x01000000L,0x01000100L,0x01080000L,0x01080100L,
+	0x00000010L,0x00000110L,0x00080010L,0x00080110L,
+	0x01000010L,0x01000110L,0x01080010L,0x01080110L,
+	0x00200000L,0x00200100L,0x00280000L,0x00280100L,
+	0x01200000L,0x01200100L,0x01280000L,0x01280100L,
+	0x00200010L,0x00200110L,0x00280010L,0x00280110L,
+	0x01200010L,0x01200110L,0x01280010L,0x01280110L,
+	0x00000200L,0x00000300L,0x00080200L,0x00080300L,
+	0x01000200L,0x01000300L,0x01080200L,0x01080300L,
+	0x00000210L,0x00000310L,0x00080210L,0x00080310L,
+	0x01000210L,0x01000310L,0x01080210L,0x01080310L,
+	0x00200200L,0x00200300L,0x00280200L,0x00280300L,
+	0x01200200L,0x01200300L,0x01280200L,0x01280300L,
+	0x00200210L,0x00200310L,0x00280210L,0x00280310L,
+	0x01200210L,0x01200310L,0x01280210L,0x01280310L,
+	},{
+	/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+	0x00000000L,0x04000000L,0x00040000L,0x04040000L,
+	0x00000002L,0x04000002L,0x00040002L,0x04040002L,
+	0x00002000L,0x04002000L,0x00042000L,0x04042000L,
+	0x00002002L,0x04002002L,0x00042002L,0x04042002L,
+	0x00000020L,0x04000020L,0x00040020L,0x04040020L,
+	0x00000022L,0x04000022L,0x00040022L,0x04040022L,
+	0x00002020L,0x04002020L,0x00042020L,0x04042020L,
+	0x00002022L,0x04002022L,0x00042022L,0x04042022L,
+	0x00000800L,0x04000800L,0x00040800L,0x04040800L,
+	0x00000802L,0x04000802L,0x00040802L,0x04040802L,
+	0x00002800L,0x04002800L,0x00042800L,0x04042800L,
+	0x00002802L,0x04002802L,0x00042802L,0x04042802L,
+	0x00000820L,0x04000820L,0x00040820L,0x04040820L,
+	0x00000822L,0x04000822L,0x00040822L,0x04040822L,
+	0x00002820L,0x04002820L,0x00042820L,0x04042820L,
+	0x00002822L,0x04002822L,0x00042822L,0x04042822L,
+	}};
+
+int des_set_key(const_des_cblock *key, des_key_schedule schedule)
+	{
+	if (des_check_key)
+		{
+		return des_set_key_checked(key, schedule);
+		}
+	else
+		{
+		des_set_key_unchecked(key, schedule);
+		return 0;
+		}
+	}
+
+/* return 0 if key parity is odd (correct),
+ * return -1 if key parity error,
+ * return -2 if illegal weak key.
+ */
+int des_set_key_checked(const_des_cblock *key, des_key_schedule schedule)
+	{
+	if (!des_check_key_parity(key))
+		return(-1);
+	if (des_is_weak_key(key))
+		return(-2);
+	des_set_key_unchecked(key, schedule);
+	return 0;
+	}
+
+void des_set_key_unchecked(const_des_cblock *key, des_key_schedule schedule)
+	{
+	static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
+	register DES_LONG c,d,t,s,t2;
+	register const unsigned char *in;
+	register DES_LONG *k;
+	register int i;
+
+	k = &schedule->ks.deslong[0];
+	in = &(*key)[0];
+
+	c2l(in,c);
+	c2l(in,d);
+
+	/* do PC1 in 47 simple operations :-)
+	 * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+	 * for the inspiration. :-) */
+	PERM_OP (d,c,t,4,0x0f0f0f0fL);
+	HPERM_OP(c,t,-2,0xcccc0000L);
+	HPERM_OP(d,t,-2,0xcccc0000L);
+	PERM_OP (d,c,t,1,0x55555555L);
+	PERM_OP (c,d,t,8,0x00ff00ffL);
+	PERM_OP (d,c,t,1,0x55555555L);
+	d=	(((d&0x000000ffL)<<16L)| (d&0x0000ff00L)     |
+		 ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
+	c&=0x0fffffffL;
+
+	for (i=0; i<ITERATIONS; i++)
+		{
+		if (shifts2[i])
+			{ c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
+		else
+			{ c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
+		c&=0x0fffffffL;
+		d&=0x0fffffffL;
+		/* could be a few less shifts but I am to lazy at this
+		 * point in time to investigate */
+		s=	des_skb[0][ (c    )&0x3f                ]|
+			des_skb[1][((c>> 6L)&0x03)|((c>> 7L)&0x3c)]|
+			des_skb[2][((c>>13L)&0x0f)|((c>>14L)&0x30)]|
+			des_skb[3][((c>>20L)&0x01)|((c>>21L)&0x06) |
+						  ((c>>22L)&0x38)];
+		t=	des_skb[4][ (d    )&0x3f                ]|
+			des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
+			des_skb[6][ (d>>15L)&0x3f                ]|
+			des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
+
+		/* table contained 0213 4657 */
+		t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
+		*(k++)=ROTATE(t2,30)&0xffffffffL;
+
+		t2=((s>>16L)|(t&0xffff0000L));
+		*(k++)=ROTATE(t2,26)&0xffffffffL;
+		}
+	}
+
+int des_key_sched(const_des_cblock *key, des_key_schedule schedule)
+	{
+	return(des_set_key(key,schedule));
+	}
+
+#undef des_fixup_key_parity
+void des_fixup_key_parity(des_cblock *key)
+	{
+	des_set_odd_parity(key);
+	}
diff --git a/crypto/openssl/crypto/des/shifts.pl b/crypto/openssl/crypto/des/shifts.pl
new file mode 100644
index 0000000..ba686d8
--- /dev/null
+++ b/crypto/openssl/crypto/des/shifts.pl
@@ -0,0 +1,198 @@
+#!/usr/local/bin/perl
+
+sub lab_shift
+	{
+	local(*a,$n)=@_;
+	local(@r,$i,$j,$k,$d,@z);
+
+	@r=&shift(*a,$n);
+	foreach $i (0 .. 31)
+		{
+		@z=split(/\^/,$r[$i]);
+		for ($j=0; $j <= $#z; $j++)
+			{
+			($d)=($z[$j] =~ /^(..)/);
+			($k)=($z[$j] =~ /\[(.*)\]$/);
+			$k.=",$n" if ($k ne "");
+			$k="$n"	  if ($k eq "");
+			$d="$d[$k]";
+			$z[$j]=$d;
+			}
+		$r[$i]=join('^',@z);
+		}
+	return(@r);
+	}
+
+sub shift
+	{
+	local(*a,$n)=@_;
+	local(@f);
+
+	if ($n > 0)
+		{
+		@f=&shiftl(*a,$n);
+		}
+	else
+		{
+		@f=&shiftr(*a,-$n);
+		}
+	return(@f);
+	}
+
+sub rotate
+	{
+	local(*a,$n)=@_;
+	local(@f);
+
+	if ($n > 0)
+		{ @f=&rotatel(*a,$n); }
+	else
+		{ @f=&rotater(*a,-$n); }
+	return(@f);
+	}
+
+sub rotater
+	{
+	local(*a,$n)=@_;
+	local(@f,@g);
+
+	@f=&shiftr(*a,$n);
+	@g=&shiftl(*a,32-$n);
+	$#f=31;
+	$#g=31;
+	return(&or(*f,*g));
+	}
+
+sub rotatel
+	{
+	local(*a,$n)=@_;
+	local(@f,@g);
+
+	@f=&shiftl(*a,$n);
+	@g=&shiftr(*a,32-$n);
+	$#f=31;
+	$#g=31;
+	return(&or(*f,*g));
+	}
+
+sub shiftr
+	{
+	local(*a,$n)=@_;
+	local(@r,$i);
+
+	$#r=31;
+	foreach $i (0 .. 31)
+		{
+		if (($i+$n) > 31)
+			{
+			$r[$i]="--";
+			}
+		else
+			{
+			$r[$i]=$a[$i+$n];
+			}
+		}
+	return(@r);
+	}
+
+sub shiftl
+	{
+	local(*a,$n)=@_;
+	local(@r,$i);
+
+	$#r=31;
+	foreach $i (0 .. 31)
+		{
+		if ($i < $n)
+			{
+			$r[$i]="--";
+			}
+		else
+			{
+			$r[$i]=$a[$i-$n];
+			}
+		}
+	return(@r);
+	}
+
+sub printit
+	{
+	local(@a)=@_;
+	local($i);
+
+	foreach $i (0 .. 31)
+		{
+		printf "%2s  ",$a[$i];
+		print "\n" if (($i%8) == 7);
+		}
+	print "\n";
+	}
+
+sub xor
+	{
+	local(*a,*b)=@_;
+	local(@r,$i);
+
+	$#r=31;
+	foreach $i (0 .. 31)
+		{
+		$r[$i]=&compress($a[$i].'^'.$b[$i]);
+#		$r[$i]=$a[$i]."^".$b[$i];
+		}
+	return(@r);
+	}
+
+sub and
+	{
+	local(*a,$m)=@_;
+	local(@r,$i);
+
+	$#r=31;
+	foreach $i (0 .. 31)
+		{
+		$r[$i]=(($m & (1<<$i))?($a[$i]):('--'));
+		}
+	return(@r);
+	}
+
+sub or
+	{
+	local(*a,*b)=@_;
+	local(@r,$i);
+
+	$#r=31;
+	foreach $i (0 .. 31)
+		{
+		$r[$i]='--'   if (($a[$i] eq '--') && ($b[$i] eq '--'));
+		$r[$i]=$a[$i] if (($a[$i] ne '--') && ($b[$i] eq '--'));
+		$r[$i]=$b[$i] if (($a[$i] eq '--') && ($b[$i] ne '--'));
+		$r[$i]='++'   if (($a[$i] ne '--') && ($b[$i] ne '--'));
+		}
+	return(@r);
+	}
+
+sub compress
+	{
+	local($s)=@_;
+	local($_,$i,@a,%a,$r);
+
+	$s =~ s/\^\^/\^/g;
+	$s =~ s/^\^//;
+	$s =~ s/\^$//;
+	@a=split(/\^/,$s);
+
+	while ($#a >= 0)
+		{
+		$_=shift(@a);
+		next unless /\d/;
+		$a{$_}++;
+		}
+	foreach $i (sort keys %a)
+		{
+		next if ($a{$i}%2 == 0);
+		$r.="$i^";
+		}
+	chop($r);
+	return($r);
+	}
+1;
diff --git a/crypto/openssl/crypto/des/sk.h b/crypto/openssl/crypto/des/sk.h
new file mode 100644
index 0000000..f2ade88
--- /dev/null
+++ b/crypto/openssl/crypto/des/sk.h
@@ -0,0 +1,204 @@
+/* crypto/des/sk.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const DES_LONG des_skb[8][64]={
+{
+/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+0x00000000L,0x00000010L,0x20000000L,0x20000010L,
+0x00010000L,0x00010010L,0x20010000L,0x20010010L,
+0x00000800L,0x00000810L,0x20000800L,0x20000810L,
+0x00010800L,0x00010810L,0x20010800L,0x20010810L,
+0x00000020L,0x00000030L,0x20000020L,0x20000030L,
+0x00010020L,0x00010030L,0x20010020L,0x20010030L,
+0x00000820L,0x00000830L,0x20000820L,0x20000830L,
+0x00010820L,0x00010830L,0x20010820L,0x20010830L,
+0x00080000L,0x00080010L,0x20080000L,0x20080010L,
+0x00090000L,0x00090010L,0x20090000L,0x20090010L,
+0x00080800L,0x00080810L,0x20080800L,0x20080810L,
+0x00090800L,0x00090810L,0x20090800L,0x20090810L,
+0x00080020L,0x00080030L,0x20080020L,0x20080030L,
+0x00090020L,0x00090030L,0x20090020L,0x20090030L,
+0x00080820L,0x00080830L,0x20080820L,0x20080830L,
+0x00090820L,0x00090830L,0x20090820L,0x20090830L,
+},{
+/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+0x00000000L,0x02000000L,0x00002000L,0x02002000L,
+0x00200000L,0x02200000L,0x00202000L,0x02202000L,
+0x00000004L,0x02000004L,0x00002004L,0x02002004L,
+0x00200004L,0x02200004L,0x00202004L,0x02202004L,
+0x00000400L,0x02000400L,0x00002400L,0x02002400L,
+0x00200400L,0x02200400L,0x00202400L,0x02202400L,
+0x00000404L,0x02000404L,0x00002404L,0x02002404L,
+0x00200404L,0x02200404L,0x00202404L,0x02202404L,
+0x10000000L,0x12000000L,0x10002000L,0x12002000L,
+0x10200000L,0x12200000L,0x10202000L,0x12202000L,
+0x10000004L,0x12000004L,0x10002004L,0x12002004L,
+0x10200004L,0x12200004L,0x10202004L,0x12202004L,
+0x10000400L,0x12000400L,0x10002400L,0x12002400L,
+0x10200400L,0x12200400L,0x10202400L,0x12202400L,
+0x10000404L,0x12000404L,0x10002404L,0x12002404L,
+0x10200404L,0x12200404L,0x10202404L,0x12202404L,
+},{
+/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+0x00000000L,0x00000001L,0x00040000L,0x00040001L,
+0x01000000L,0x01000001L,0x01040000L,0x01040001L,
+0x00000002L,0x00000003L,0x00040002L,0x00040003L,
+0x01000002L,0x01000003L,0x01040002L,0x01040003L,
+0x00000200L,0x00000201L,0x00040200L,0x00040201L,
+0x01000200L,0x01000201L,0x01040200L,0x01040201L,
+0x00000202L,0x00000203L,0x00040202L,0x00040203L,
+0x01000202L,0x01000203L,0x01040202L,0x01040203L,
+0x08000000L,0x08000001L,0x08040000L,0x08040001L,
+0x09000000L,0x09000001L,0x09040000L,0x09040001L,
+0x08000002L,0x08000003L,0x08040002L,0x08040003L,
+0x09000002L,0x09000003L,0x09040002L,0x09040003L,
+0x08000200L,0x08000201L,0x08040200L,0x08040201L,
+0x09000200L,0x09000201L,0x09040200L,0x09040201L,
+0x08000202L,0x08000203L,0x08040202L,0x08040203L,
+0x09000202L,0x09000203L,0x09040202L,0x09040203L,
+},{
+/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+0x00000000L,0x00100000L,0x00000100L,0x00100100L,
+0x00000008L,0x00100008L,0x00000108L,0x00100108L,
+0x00001000L,0x00101000L,0x00001100L,0x00101100L,
+0x00001008L,0x00101008L,0x00001108L,0x00101108L,
+0x04000000L,0x04100000L,0x04000100L,0x04100100L,
+0x04000008L,0x04100008L,0x04000108L,0x04100108L,
+0x04001000L,0x04101000L,0x04001100L,0x04101100L,
+0x04001008L,0x04101008L,0x04001108L,0x04101108L,
+0x00020000L,0x00120000L,0x00020100L,0x00120100L,
+0x00020008L,0x00120008L,0x00020108L,0x00120108L,
+0x00021000L,0x00121000L,0x00021100L,0x00121100L,
+0x00021008L,0x00121008L,0x00021108L,0x00121108L,
+0x04020000L,0x04120000L,0x04020100L,0x04120100L,
+0x04020008L,0x04120008L,0x04020108L,0x04120108L,
+0x04021000L,0x04121000L,0x04021100L,0x04121100L,
+0x04021008L,0x04121008L,0x04021108L,0x04121108L,
+},{
+/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+0x00000000L,0x10000000L,0x00010000L,0x10010000L,
+0x00000004L,0x10000004L,0x00010004L,0x10010004L,
+0x20000000L,0x30000000L,0x20010000L,0x30010000L,
+0x20000004L,0x30000004L,0x20010004L,0x30010004L,
+0x00100000L,0x10100000L,0x00110000L,0x10110000L,
+0x00100004L,0x10100004L,0x00110004L,0x10110004L,
+0x20100000L,0x30100000L,0x20110000L,0x30110000L,
+0x20100004L,0x30100004L,0x20110004L,0x30110004L,
+0x00001000L,0x10001000L,0x00011000L,0x10011000L,
+0x00001004L,0x10001004L,0x00011004L,0x10011004L,
+0x20001000L,0x30001000L,0x20011000L,0x30011000L,
+0x20001004L,0x30001004L,0x20011004L,0x30011004L,
+0x00101000L,0x10101000L,0x00111000L,0x10111000L,
+0x00101004L,0x10101004L,0x00111004L,0x10111004L,
+0x20101000L,0x30101000L,0x20111000L,0x30111000L,
+0x20101004L,0x30101004L,0x20111004L,0x30111004L,
+},{
+/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+0x00000000L,0x08000000L,0x00000008L,0x08000008L,
+0x00000400L,0x08000400L,0x00000408L,0x08000408L,
+0x00020000L,0x08020000L,0x00020008L,0x08020008L,
+0x00020400L,0x08020400L,0x00020408L,0x08020408L,
+0x00000001L,0x08000001L,0x00000009L,0x08000009L,
+0x00000401L,0x08000401L,0x00000409L,0x08000409L,
+0x00020001L,0x08020001L,0x00020009L,0x08020009L,
+0x00020401L,0x08020401L,0x00020409L,0x08020409L,
+0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
+0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
+0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
+0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
+0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
+0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
+0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
+0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
+},{
+/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+0x00000000L,0x00000100L,0x00080000L,0x00080100L,
+0x01000000L,0x01000100L,0x01080000L,0x01080100L,
+0x00000010L,0x00000110L,0x00080010L,0x00080110L,
+0x01000010L,0x01000110L,0x01080010L,0x01080110L,
+0x00200000L,0x00200100L,0x00280000L,0x00280100L,
+0x01200000L,0x01200100L,0x01280000L,0x01280100L,
+0x00200010L,0x00200110L,0x00280010L,0x00280110L,
+0x01200010L,0x01200110L,0x01280010L,0x01280110L,
+0x00000200L,0x00000300L,0x00080200L,0x00080300L,
+0x01000200L,0x01000300L,0x01080200L,0x01080300L,
+0x00000210L,0x00000310L,0x00080210L,0x00080310L,
+0x01000210L,0x01000310L,0x01080210L,0x01080310L,
+0x00200200L,0x00200300L,0x00280200L,0x00280300L,
+0x01200200L,0x01200300L,0x01280200L,0x01280300L,
+0x00200210L,0x00200310L,0x00280210L,0x00280310L,
+0x01200210L,0x01200310L,0x01280210L,0x01280310L,
+},{
+/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+0x00000000L,0x04000000L,0x00040000L,0x04040000L,
+0x00000002L,0x04000002L,0x00040002L,0x04040002L,
+0x00002000L,0x04002000L,0x00042000L,0x04042000L,
+0x00002002L,0x04002002L,0x00042002L,0x04042002L,
+0x00000020L,0x04000020L,0x00040020L,0x04040020L,
+0x00000022L,0x04000022L,0x00040022L,0x04040022L,
+0x00002020L,0x04002020L,0x00042020L,0x04042020L,
+0x00002022L,0x04002022L,0x00042022L,0x04042022L,
+0x00000800L,0x04000800L,0x00040800L,0x04040800L,
+0x00000802L,0x04000802L,0x00040802L,0x04040802L,
+0x00002800L,0x04002800L,0x00042800L,0x04042800L,
+0x00002802L,0x04002802L,0x00042802L,0x04042802L,
+0x00000820L,0x04000820L,0x00040820L,0x04040820L,
+0x00000822L,0x04000822L,0x00040822L,0x04040822L,
+0x00002820L,0x04002820L,0x00042820L,0x04042820L,
+0x00002822L,0x04002822L,0x00042822L,0x04042822L,
+}};
diff --git a/crypto/openssl/crypto/des/speed.c b/crypto/openssl/crypto/des/speed.c
new file mode 100644
index 0000000..814b86f
--- /dev/null
+++ b/crypto/openssl/crypto/des/speed.c
@@ -0,0 +1,310 @@
+/* crypto/des/speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/des.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
+#   define HZ	100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	des_key_schedule sch,sch2,sch3;
+	double a,b,c,d,e;
+#ifndef SIGALRM
+	long ca,cb,cc,cd,ce;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+	des_set_key_unchecked(&key2,sch2);
+	des_set_key_unchecked(&key3,sch3);
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	des_set_key_unchecked(&key,sch);
+	count=10;
+	do	{
+		long i;
+		DES_LONG data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			des_encrypt(data,&(sch[0]),DES_ENCRYPT);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count;
+	cb=count*3;
+	cc=count*3*8/BUFSIZE+1;
+	cd=count*8/BUFSIZE+1;
+	ce=count/20+1;
+	printf("Doing set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count++)
+		des_set_key_unchecked(&key,sch);
+	d=Time_F(STOP);
+	printf("%ld set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing des_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing des_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count++)
+		{
+		DES_LONG data[2];
+
+		des_encrypt(data,&(sch[0]),DES_ENCRYPT);
+		}
+	d=Time_F(STOP);
+	printf("%ld des_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing des_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing des_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		des_ncbc_encrypt(buf,buf,BUFSIZE,&(sch[0]),
+			&key,DES_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld des_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+#ifdef SIGALRM
+	printf("Doing des_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing des_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cd); count++)
+		des_ede3_cbc_encrypt(buf,buf,BUFSIZE,
+			&(sch[0]),
+			&(sch2[0]),
+			&(sch3[0]),
+			&key,
+			DES_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld des_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	d=((double)COUNT(cd)*BUFSIZE)/d;
+
+#ifdef SIGALRM
+	printf("Doing crypt for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing crypt %ld times\n",ce);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(ce); count++)
+		crypt("testing1","ef");
+	e=Time_F(STOP);
+	printf("%ld crypts in %.2f second\n",count,e);
+	e=((double)COUNT(ce))/e;
+
+	printf("set_key            per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("DES raw ecb bytes  per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
+	printf("DES cbc bytes      per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	printf("DES ede cbc bytes  per sec = %12.2f (%9.3fuS)\n",d,8.0e6/d);
+	printf("crypt              per sec = %12.2f (%9.3fuS)\n",e,1.0e6/e);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/des/spr.h b/crypto/openssl/crypto/des/spr.h
new file mode 100644
index 0000000..b8fbdcf
--- /dev/null
+++ b/crypto/openssl/crypto/des/spr.h
@@ -0,0 +1,204 @@
+/* crypto/des/spr.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+OPENSSL_GLOBAL const DES_LONG des_SPtrans[8][64]={
+{
+/* nibble 0 */
+0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
+0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
+0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
+0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
+0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
+0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
+0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
+0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
+0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
+0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
+0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
+0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
+0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
+0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
+0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
+0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
+},{
+/* nibble 1 */
+0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
+0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
+0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
+0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
+0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
+0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
+0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
+0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
+0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
+0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
+0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
+0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
+0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
+0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
+0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
+0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
+},{
+/* nibble 2 */
+0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
+0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
+0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
+0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
+0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
+0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
+0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
+0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
+0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
+0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
+0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
+0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
+0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
+0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
+0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
+0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
+},{
+/* nibble 3 */
+0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
+0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
+0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
+0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
+0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
+0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
+0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
+0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
+0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
+0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
+0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
+0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
+0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
+0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
+0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
+0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
+},{
+/* nibble 4 */
+0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
+0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
+0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
+0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
+0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
+0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
+0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
+0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
+0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
+0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
+0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
+0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
+0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
+0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
+0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
+0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
+},{
+/* nibble 5 */
+0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
+0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
+0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
+0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
+0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
+0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
+0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
+0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
+0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
+0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
+0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
+0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
+0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
+0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
+0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
+0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
+},{
+/* nibble 6 */
+0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
+0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
+0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
+0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
+0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
+0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
+0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
+0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
+0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
+0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
+0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
+0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
+0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
+0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
+0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
+0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
+},{
+/* nibble 7 */
+0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
+0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
+0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
+0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
+0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
+0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
+0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
+0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
+0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
+0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
+0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
+0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
+0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
+0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
+0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
+0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
+}};
diff --git a/crypto/openssl/crypto/des/str2key.c b/crypto/openssl/crypto/des/str2key.c
new file mode 100644
index 0000000..c6abb87
--- /dev/null
+++ b/crypto/openssl/crypto/des/str2key.c
@@ -0,0 +1,155 @@
+/* crypto/des/str2key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+void des_string_to_key(const char *str, des_cblock *key)
+	{
+	des_key_schedule ks;
+	int i,length;
+	register unsigned char j;
+
+	memset(key,0,8);
+	length=strlen(str);
+#ifdef OLD_STR_TO_KEY
+	for (i=0; i<length; i++)
+		(*key)[i%8]^=(str[i]<<1);
+#else /* MIT COMPATIBLE */
+	for (i=0; i<length; i++)
+		{
+		j=str[i];
+		if ((i%16) < 8)
+			(*key)[i%8]^=(j<<1);
+		else
+			{
+			/* Reverse the bit order 05/05/92 eay */
+			j=((j<<4)&0xf0)|((j>>4)&0x0f);
+			j=((j<<2)&0xcc)|((j>>2)&0x33);
+			j=((j<<1)&0xaa)|((j>>1)&0x55);
+			(*key)[7-(i%8)]^=j;
+			}
+		}
+#endif
+	des_set_odd_parity(key);
+	des_set_key_unchecked(key,ks);
+	des_cbc_cksum((const unsigned char*)str,key,length,ks,key);
+	memset(ks,0,sizeof(ks));
+	des_set_odd_parity(key);
+	}
+
+void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
+	{
+	des_key_schedule ks;
+	int i,length;
+	register unsigned char j;
+
+	memset(key1,0,8);
+	memset(key2,0,8);
+	length=strlen(str);
+#ifdef OLD_STR_TO_KEY
+	if (length <= 8)
+		{
+		for (i=0; i<length; i++)
+			{
+			(*key2)[i]=(*key1)[i]=(str[i]<<1);
+			}
+		}
+	else
+		{
+		for (i=0; i<length; i++)
+			{
+			if ((i/8)&1)
+				(*key2)[i%8]^=(str[i]<<1);
+			else
+				(*key1)[i%8]^=(str[i]<<1);
+			}
+		}
+#else /* MIT COMPATIBLE */
+	for (i=0; i<length; i++)
+		{
+		j=str[i];
+		if ((i%32) < 16)
+			{
+			if ((i%16) < 8)
+				(*key1)[i%8]^=(j<<1);
+			else
+				(*key2)[i%8]^=(j<<1);
+			}
+		else
+			{
+			j=((j<<4)&0xf0)|((j>>4)&0x0f);
+			j=((j<<2)&0xcc)|((j>>2)&0x33);
+			j=((j<<1)&0xaa)|((j>>1)&0x55);
+			if ((i%16) < 8)
+				(*key1)[7-(i%8)]^=j;
+			else
+				(*key2)[7-(i%8)]^=j;
+			}
+		}
+	if (length <= 8) memcpy(key2,key1,8);
+#endif
+	des_set_odd_parity(key1);
+	des_set_odd_parity(key2);
+	des_set_key_unchecked(key1,ks);
+	des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1);
+	des_set_key_unchecked(key2,ks);
+	des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2);
+	memset(ks,0,sizeof(ks));
+	des_set_odd_parity(key1);
+	des_set_odd_parity(key2);
+	}
diff --git a/crypto/openssl/crypto/des/supp.c b/crypto/openssl/crypto/des/supp.c
new file mode 100644
index 0000000..e51b36c
--- /dev/null
+++ b/crypto/openssl/crypto/des/supp.c
@@ -0,0 +1,107 @@
+/* crypto/des/supp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * Copyright (c) 1995
+ *	Mark Murray.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Mark Murray
+ * 4. Neither the name of the author nor the names of any co-contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: supp.c,v 1.5 1999/05/16 12:25:45 bodo Exp $
+ */
+
+#include <stdio.h>
+#include "des_locl.h"
+
+void des_cblock_print_file(const_des_cblock *cb, FILE *fp)
+{
+	int i;
+	const unsigned int *p = (const unsigned int *)cb;
+
+	fprintf(fp, " 0x { ");
+	for (i = 0; i < 8; i++) {
+		fprintf(fp, "%x", p[i]);
+		if (i != 7) fprintf(fp, ", ");
+	}
+	fprintf(fp, " }");
+}
diff --git a/crypto/openssl/crypto/des/t/test b/crypto/openssl/crypto/des/t/test
new file mode 100644
index 0000000..97acd05
--- /dev/null
+++ b/crypto/openssl/crypto/des/t/test
@@ -0,0 +1,27 @@
+#!./perl
+
+BEGIN { push(@INC, qw(../../../lib ../../lib ../lib lib)); }
+
+use DES;
+
+$key='00000000';
+$ks=DES::set_key($key);
+@a=split(//,$ks);
+foreach (@a) { printf "%02x-",ord($_); }
+print "\n";
+
+
+$key=DES::random_key();
+print "($_)\n";
+@a=split(//,$key);
+foreach (@a) { printf "%02x-",ord($_); }
+print "\n";
+$str="this is and again into the breach";
+($k1,$k2)=DES::string_to_2keys($str);
+@a=split(//,$k1);
+foreach (@a) { printf "%02x-",ord($_); }
+print "\n";
+@a=split(//,$k2);
+foreach (@a) { printf "%02x-",ord($_); }
+print "\n";
+
diff --git a/crypto/openssl/crypto/des/testdes.pl b/crypto/openssl/crypto/des/testdes.pl
new file mode 100644
index 0000000..01a165a
--- /dev/null
+++ b/crypto/openssl/crypto/des/testdes.pl
@@ -0,0 +1,167 @@
+#!/usr/local/bin/perl
+
+# des.pl tesing code
+
+require 'des.pl';
+
+$num_tests=34;
+@key_data=(
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
+	0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57,
+	0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E,
+	0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86,
+	0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E,
+	0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6,
+	0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE,
+	0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6,
+	0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE,
+	0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16,
+	0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F,
+	0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46,
+	0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E,
+	0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76,
+	0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07,
+	0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F,
+	0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7,
+	0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF,
+	0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6,
+	0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF,
+	0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
+	0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E,
+	0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
+	);
+
+@plain_data=(
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
+	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42,
+	0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA,
+	0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72,
+	0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A,
+	0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2,
+	0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A,
+	0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2,
+	0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A,
+	0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02,
+	0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A,
+	0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32,
+	0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA,
+	0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62,
+	0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2,
+	0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA,
+	0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92,
+	0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A,
+	0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2,
+	0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF);
+
+@cipher_data=(
+	0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7,
+	0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58,
+	0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B,
+	0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33,
+	0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D,
+	0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD,
+	0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7,
+	0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4,
+	0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B,
+	0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71,
+	0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A,
+	0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A,
+	0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95,
+	0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B,
+	0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09,
+	0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A,
+	0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F,
+	0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88,
+	0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77,
+	0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A,
+	0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56,
+	0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56,
+	0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56,
+	0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC,
+	0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A,
+	0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41,
+	0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93,
+	0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00,
+	0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06,
+	0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7,
+	0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51,
+	0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE,
+	0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D,
+	0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2);
+
+print "Doing ecb tests\n";
+for ($i=0; $i<$num_tests; $i++)
+	{
+	printf "Doing test $i\n";
+	$key =pack("C8",splice(@key_data   ,0,8));
+	$data=pack("C8",splice(@plain_data ,0,8));
+	$res =pack("C8",splice(@cipher_data,0,8));
+
+	@ks=  &des_set_key($key);
+	$out1= &des_ecb_encrypt(*ks,1,$data);
+	$out2= &des_ecb_encrypt(*ks,0,$out1);
+	$out3= &des_ecb_encrypt(*ks,0,$res);
+	&eprint("encryption failure",$res,$out1)
+		if ($out1 ne $res);
+	&eprint("encryption/decryption failure",$data,$out2)
+		if ($out2 ne $data);
+	&eprint("decryption failure",$data,$out3)
+		if ($data ne $out3);
+	}
+print "Done\n";
+
+print "doing speed test over 30 seconds\n";
+$SIG{'ALRM'}='done';
+sub done {$done=1;}
+$done=0;
+
+$count=0;
+$d=pack("C8",0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef);
+@ks=  &des_set_key($d);
+alarm(30);
+$start=(times)[0];
+while (!$done)
+	{
+	$count++;
+	$d=&des_ecb_encrypt(*ks,1,$d);
+	}
+$end=(times)[0];
+$t=$end-$start;
+printf "$count DESs in %.2f seconds is %.2f DESs/sec or %.2f bytes/sec\n",
+	1.0*$t,1.0*$count/$t,$count*8.0/$t;
+
+sub eprint
+	{
+	local($s,$c,$e)=@_;
+	local(@k);
+
+	@k=unpack("C8",$c);
+	printf "%02x%02x%02x%02x %02x%02x%02x%02x - ",unpack("C8",$c);
+	printf "%02x%02x%02x%02x %02x%02x%02x%02x :",unpack("C8",$e);
+	print " $s\n";
+	}
diff --git a/crypto/openssl/crypto/des/times/486-50.sol b/crypto/openssl/crypto/des/times/486-50.sol
new file mode 100644
index 0000000..0de62d6
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/486-50.sol
@@ -0,0 +1,16 @@
+Solaris 2.4, 486 50mhz, gcc 2.6.3
+options    des ecb/s
+16 r2 i     43552.51 100.0%
+16 r1 i     43487.45  99.9%
+16  c p     43003.23  98.7%
+16 r2 p     42339.00  97.2%
+16  c i     41900.91  96.2%
+16 r1 p     41360.64  95.0%
+ 4  c i     38728.48  88.9%
+ 4  c p     38225.63  87.8%
+ 4 r1 i     38085.79  87.4%
+ 4 r2 i     37825.64  86.9%
+ 4 r2 p     34611.00  79.5%
+ 4 r1 p     31802.00  73.0%
+-DDES_UNROLL -DDES_RISC2
+
diff --git a/crypto/openssl/crypto/des/times/586-100.lnx b/crypto/openssl/crypto/des/times/586-100.lnx
new file mode 100644
index 0000000..4323914
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/586-100.lnx
@@ -0,0 +1,20 @@
+Pentium 100
+Linux 2 kernel
+gcc 2.7.0 -O3 -fomit-frame-pointer
+No X server running, just a console, it makes the top speed jump from 151,000
+to 158,000 :-).
+options    des ecb/s
+assember   281000.00 177.1%
+16 r1 p    158667.40 100.0%
+16 r1 i    148471.70  93.6%
+16 r2 p    143961.80  90.7%
+16 r2 i    141689.20  89.3%
+ 4 r1 i    140100.00  88.3%
+ 4 r2 i    134049.40  84.5%
+16  c i    124145.20  78.2%
+16  c p    121584.20  76.6%
+ 4  c i    118116.00  74.4%
+ 4 r2 p    117977.90  74.4%
+ 4  c p    114971.40  72.5%
+ 4 r1 p    114578.40  72.2%
+-DDES_UNROLL -DDES_RISC1 -DDES_PTR
diff --git a/crypto/openssl/crypto/des/times/686-200.fre b/crypto/openssl/crypto/des/times/686-200.fre
new file mode 100644
index 0000000..7d83f6a
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/686-200.fre
@@ -0,0 +1,18 @@
+Pentium 100
+Free BSD 2.1.5 kernel
+gcc 2.7.2.2 -O3 -fomit-frame-pointer
+options    des ecb/s
+assember   578000.00 133.1%
+16 r2 i    434454.80 100.0%
+16 r1 i    433621.43  99.8%
+16 r2 p    431375.69  99.3%
+ 4 r1 i    423722.30  97.5%
+ 4 r2 i    422399.40  97.2%
+16 r1 p    421739.40  97.1%
+16  c i    399027.94  91.8%
+16  c p    372251.70  85.7%
+ 4  c i    365118.35  84.0%
+ 4  c p    352880.51  81.2%
+ 4 r2 p    255104.90  58.7%
+ 4 r1 p    251289.18  57.8%
+-DDES_UNROLL -DDES_RISC2
diff --git a/crypto/openssl/crypto/des/times/aix.cc b/crypto/openssl/crypto/des/times/aix.cc
new file mode 100644
index 0000000..d96b74e
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/aix.cc
@@ -0,0 +1,26 @@
+From: Paco Garcia <pgarcia@cam.es>
+
+This machine is a Bull Estrella  Minitower Model MT604-100
+Processor        : PPC604 
+P.Speed          : 100Mhz 
+Data/Instr Cache :    16 K
+L2 Cache         :   256 K
+PCI BUS Speed    :    33 Mhz
+TransfRate PCI   :   132 MB/s
+Memory           :    96 MB
+
+options    des ecb/s       
+ 4  c p    275118.61 100.0%
+ 4  c i    273545.07  99.4%
+ 4 r2 p    270441.02  98.3%
+ 4 r1 p    253052.15  92.0%
+ 4 r2 i    240842.97  87.5%
+ 4 r1 i    240556.66  87.4%
+16  c i    224603.99  81.6%
+16  c p    224483.98  81.6%
+16 r2 p    215691.19  78.4%
+16 r1 p    208332.83  75.7%
+16 r1 i    199206.50  72.4%
+16 r2 i    198963.70  72.3%
+-DDES_PTR
+
diff --git a/crypto/openssl/crypto/des/times/alpha.cc b/crypto/openssl/crypto/des/times/alpha.cc
new file mode 100644
index 0000000..95c17ef
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/alpha.cc
@@ -0,0 +1,18 @@
+cc -O2
+DES_LONG is 'unsigned int'
+
+options    des ecb/s
+ 4 r2 p    181146.14 100.0%
+16 r2 p    172102.94  95.0%
+ 4 r2 i    165424.11  91.3%
+16  c p    160468.64  88.6%
+ 4  c p    156653.59  86.5%
+ 4  c i    155245.18  85.7%
+ 4 r1 p    154729.68  85.4%
+16 r2 i    154137.69  85.1%
+16 r1 p    152357.96  84.1%
+16  c i    148743.91  82.1%
+ 4 r1 i    146695.59  81.0%
+16 r1 i    144961.00  80.0%
+-DDES_RISC2 -DDES_PTR
+
diff --git a/crypto/openssl/crypto/des/times/hpux.cc b/crypto/openssl/crypto/des/times/hpux.cc
new file mode 100644
index 0000000..3de856d
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/hpux.cc
@@ -0,0 +1,17 @@
+HPUX 10 - 9000/887 - cc -D_HPUX_SOURCE -Aa +ESlit +O2 -Wl,-a,archive
+
+options    des ecb/s
+16  c i    149448.90 100.0%
+ 4  c i    145861.79  97.6%
+16 r2 i    141710.96  94.8%
+16 r1 i    139455.33  93.3%
+ 4 r2 i    138800.00  92.9%
+ 4 r1 i    136692.65  91.5%
+16 r2 p    110228.17  73.8%
+16 r1 p    109397.07  73.2%
+16  c p    109209.89  73.1%
+ 4  c p    108014.71  72.3%
+ 4 r2 p    107873.88  72.2%
+ 4 r1 p    107685.83  72.1%
+-DDES_UNROLL
+
diff --git a/crypto/openssl/crypto/des/times/sparc.gcc b/crypto/openssl/crypto/des/times/sparc.gcc
new file mode 100644
index 0000000..8eaa042
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/sparc.gcc
@@ -0,0 +1,17 @@
+solaris 2.5.1 - sparc 10 50mhz - gcc 2.7.2
+
+options    des ecb/s
+16  c i    124382.70 100.0%
+ 4  c i    118884.68  95.6%
+16  c p    112261.20  90.3%
+16 r2 i    111777.10  89.9%
+16 r2 p    108896.30  87.5%
+16 r1 p    108791.59  87.5%
+ 4  c p    107290.10  86.3%
+ 4 r1 p    104583.80  84.1%
+16 r1 i    104206.20  83.8%
+ 4 r2 p    103709.80  83.4%
+ 4 r2 i     98306.43  79.0%
+ 4 r1 i     91525.80  73.6%
+-DDES_UNROLL
+      
diff --git a/crypto/openssl/crypto/des/times/usparc.cc b/crypto/openssl/crypto/des/times/usparc.cc
new file mode 100644
index 0000000..f6ec8e8
--- /dev/null
+++ b/crypto/openssl/crypto/des/times/usparc.cc
@@ -0,0 +1,31 @@
+solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5
+
+For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts'
+gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s.
+I belive the difference is tied up in optimisation that the compiler
+is able to perform when the code is 'inlined'.  For 'speed', the DES
+routines are being linked from a library.  I'll record the higher
+speed since if performance is everything, you can always inline
+'des_enc.c'.
+
+[ 16-Jan-06 - I've been playing with the
+  '-xtarget=ultra -xarch=v8plus -Xa -xO5 -Xa'
+  and while it makes the des_opts numbers much slower, it makes the
+  actual 'speed' numbers look better which is a realistic version of
+  using the libraries. ]
+
+options    des ecb/s
+16 r1 p    475516.90 100.0%
+16 r2 p    439388.10  92.4%
+16  c i    427001.40  89.8%
+16  c p    419516.50  88.2%
+ 4 r2 p    409491.70  86.1%
+ 4 r1 p    404266.90  85.0%
+ 4  c p    398121.00  83.7%
+ 4  c i    370588.40  77.9%
+ 4 r1 i    362742.20  76.3%
+16 r2 i    331275.50  69.7%
+16 r1 i    324730.60  68.3%
+ 4 r2 i     63535.10  13.4%	<-- very very weird, must be cache problems.
+-DDES_UNROLL -DDES_RISC1 -DDES_PTR
+
diff --git a/crypto/openssl/crypto/des/typemap b/crypto/openssl/crypto/des/typemap
new file mode 100644
index 0000000..a524f53
--- /dev/null
+++ b/crypto/openssl/crypto/des/typemap
@@ -0,0 +1,34 @@
+#
+# DES SECTION
+#
+deschar *	T_DESCHARP
+des_cblock *	T_CBLOCK
+des_cblock	T_CBLOCK
+des_key_schedule	T_SCHEDULE
+des_key_schedule *	T_SCHEDULE
+
+INPUT
+T_CBLOCK
+	$var=(des_cblock *)SvPV($arg,len);
+	if (len < DES_KEY_SZ)
+		{
+		croak(\"$var needs to be at least %u bytes long\",DES_KEY_SZ);
+		}
+
+T_SCHEDULE
+	$var=(des_key_schedule *)SvPV($arg,len);
+	if (len < DES_SCHEDULE_SZ)
+		{
+		croak(\"$var needs to be at least %u bytes long\",
+			DES_SCHEDULE_SZ);
+		}
+
+OUTPUT
+T_CBLOCK
+	sv_setpvn($arg,(char *)$var,DES_KEY_SZ);
+
+T_SCHEDULE
+	sv_setpvn($arg,(char *)$var,DES_SCHEDULE_SZ);
+
+T_DESCHARP
+	sv_setpvn($arg,(char *)$var,len);
diff --git a/crypto/openssl/crypto/des/xcbc_enc.c b/crypto/openssl/crypto/des/xcbc_enc.c
new file mode 100644
index 0000000..51e17e6
--- /dev/null
+++ b/crypto/openssl/crypto/des/xcbc_enc.c
@@ -0,0 +1,194 @@
+/* crypto/des/xcbc_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_locl.h"
+
+/* RSA's DESX */
+
+static unsigned char desx_white_in2out[256]={
+0xBD,0x56,0xEA,0xF2,0xA2,0xF1,0xAC,0x2A,0xB0,0x93,0xD1,0x9C,0x1B,0x33,0xFD,0xD0,
+0x30,0x04,0xB6,0xDC,0x7D,0xDF,0x32,0x4B,0xF7,0xCB,0x45,0x9B,0x31,0xBB,0x21,0x5A,
+0x41,0x9F,0xE1,0xD9,0x4A,0x4D,0x9E,0xDA,0xA0,0x68,0x2C,0xC3,0x27,0x5F,0x80,0x36,
+0x3E,0xEE,0xFB,0x95,0x1A,0xFE,0xCE,0xA8,0x34,0xA9,0x13,0xF0,0xA6,0x3F,0xD8,0x0C,
+0x78,0x24,0xAF,0x23,0x52,0xC1,0x67,0x17,0xF5,0x66,0x90,0xE7,0xE8,0x07,0xB8,0x60,
+0x48,0xE6,0x1E,0x53,0xF3,0x92,0xA4,0x72,0x8C,0x08,0x15,0x6E,0x86,0x00,0x84,0xFA,
+0xF4,0x7F,0x8A,0x42,0x19,0xF6,0xDB,0xCD,0x14,0x8D,0x50,0x12,0xBA,0x3C,0x06,0x4E,
+0xEC,0xB3,0x35,0x11,0xA1,0x88,0x8E,0x2B,0x94,0x99,0xB7,0x71,0x74,0xD3,0xE4,0xBF,
+0x3A,0xDE,0x96,0x0E,0xBC,0x0A,0xED,0x77,0xFC,0x37,0x6B,0x03,0x79,0x89,0x62,0xC6,
+0xD7,0xC0,0xD2,0x7C,0x6A,0x8B,0x22,0xA3,0x5B,0x05,0x5D,0x02,0x75,0xD5,0x61,0xE3,
+0x18,0x8F,0x55,0x51,0xAD,0x1F,0x0B,0x5E,0x85,0xE5,0xC2,0x57,0x63,0xCA,0x3D,0x6C,
+0xB4,0xC5,0xCC,0x70,0xB2,0x91,0x59,0x0D,0x47,0x20,0xC8,0x4F,0x58,0xE0,0x01,0xE2,
+0x16,0x38,0xC4,0x6F,0x3B,0x0F,0x65,0x46,0xBE,0x7E,0x2D,0x7B,0x82,0xF9,0x40,0xB5,
+0x1D,0x73,0xF8,0xEB,0x26,0xC7,0x87,0x97,0x25,0x54,0xB1,0x28,0xAA,0x98,0x9D,0xA5,
+0x64,0x6D,0x7A,0xD4,0x10,0x81,0x44,0xEF,0x49,0xD6,0xAE,0x2E,0xDD,0x76,0x5C,0x2F,
+0xA7,0x1C,0xC9,0x09,0x69,0x9A,0x83,0xCF,0x29,0x39,0xB9,0xE9,0x4C,0xFF,0x43,0xAB,
+	};
+
+void des_xwhite_in2out(const_des_cblock *des_key, const_des_cblock *in_white,
+	     des_cblock *out_white)
+	{
+	int out0,out1;
+	int i;
+	const unsigned char *key = &(*des_key)[0];
+	const unsigned char *in = &(*in_white)[0];
+	unsigned char *out = &(*out_white)[0];
+
+	out[0]=out[1]=out[2]=out[3]=out[4]=out[5]=out[6]=out[7]=0;
+	out0=out1=0;
+	for (i=0; i<8; i++)
+		{
+		out[i]=key[i]^desx_white_in2out[out0^out1];
+		out0=out1;
+		out1=(int)out[i&0x07];
+		}
+
+	out0=out[0];
+	out1=out[i];
+	for (i=0; i<8; i++)
+		{
+		out[i]=in[i]^desx_white_in2out[out0^out1];
+		out0=out1;
+		out1=(int)out[i&0x07];
+		}
+	}
+
+void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
+	    long length, des_key_schedule schedule, des_cblock *ivec,
+	    const_des_cblock *inw, const_des_cblock *outw, int enc)
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register DES_LONG inW0,inW1,outW0,outW1;
+	register const unsigned char *in2;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in2 = &(*inw)[0];
+	c2l(in2,inW0);
+	c2l(in2,inW1);
+	in2 = &(*outw)[0];
+	c2l(in2,outW0);
+	c2l(in2,outW1);
+
+	iv = &(*ivec)[0];
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0^inW0; tin[0]=tin0;
+			tin1^=tout1^inW1; tin[1]=tin1;
+			des_encrypt(tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]^outW0; l2c(tout0,out);
+			tout1=tin[1]^outW1; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0^inW0; tin[0]=tin0;
+			tin1^=tout1^inW1; tin[1]=tin1;
+			des_encrypt(tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]^outW0; l2c(tout0,out);
+			tout1=tin[1]^outW1; l2c(tout1,out);
+			}
+		iv = &(*ivec)[0];
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0^outW0;
+			c2l(in,tin1); tin[1]=tin1^outW1;
+			des_encrypt(tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0^inW0;
+			tout1=tin[1]^xor1^inW1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0^outW0;
+			c2l(in,tin1); tin[1]=tin1^outW1;
+			des_encrypt(tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0^inW0;
+			tout1=tin[1]^xor1^inW1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+
+		iv = &(*ivec)[0];
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	inW0=inW1=outW0=outW1=0;
+	tin[0]=tin[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/dh/Makefile.save b/crypto/openssl/crypto/dh/Makefile.save
new file mode 100644
index 0000000..4bc694e
--- /dev/null
+++ b/crypto/openssl/crypto/dh/Makefile.save
@@ -0,0 +1,112 @@
+#
+# SSLeay/crypto/dh/Makefile
+#
+
+DIR=	dh
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= dhtest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
+LIBOBJ= dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= dh.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+dh_check.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_check.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_check.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_check.o: ../../include/openssl/opensslconf.h
+dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dh_check.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dh_err.o: ../../include/openssl/dh.h ../../include/openssl/err.h
+dh_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_gen.o: ../cryptlib.h
+dh_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dh_key.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_lib.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl
new file mode 100644
index 0000000..4bc694e
--- /dev/null
+++ b/crypto/openssl/crypto/dh/Makefile.ssl
@@ -0,0 +1,112 @@
+#
+# SSLeay/crypto/dh/Makefile
+#
+
+DIR=	dh
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= dhtest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
+LIBOBJ= dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= dh.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+dh_check.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_check.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_check.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_check.o: ../../include/openssl/opensslconf.h
+dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dh_check.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dh_err.o: ../../include/openssl/dh.h ../../include/openssl/err.h
+dh_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_gen.o: ../cryptlib.h
+dh_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dh_key.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
+dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_lib.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/dh/dh.h b/crypto/openssl/crypto/dh/dh.h
new file mode 100644
index 0000000..c15b2ad
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh.h
@@ -0,0 +1,201 @@
+/* crypto/dh/dh.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DH_H
+#define HEADER_DH_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_DH
+#error DH is disabled.
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+	
+#define DH_FLAG_CACHE_MONT_P	0x01
+
+typedef struct dh_st DH;
+
+typedef struct dh_method {
+	const char *name;
+	/* Methods here */
+	int (*generate_key)(DH *dh);
+	int (*compute_key)(unsigned char *key,BIGNUM *pub_key,DH *dh);
+	int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx); /* Can be null */
+
+	int (*init)(DH *dh);
+	int (*finish)(DH *dh);
+	int flags;
+	char *app_data;
+} DH_METHOD;
+
+struct dh_st
+	{
+	/* This first argument is used to pick up errors when
+	 * a DH is passed instead of a EVP_PKEY */
+	int pad;
+	int version;
+	BIGNUM *p;
+	BIGNUM *g;
+	int length; /* optional */
+	BIGNUM *pub_key;	/* g^x */
+	BIGNUM *priv_key;	/* x */
+
+	int flags;
+	char *method_mont_p;
+	/* Place holders if we want to do X9.42 DH */
+	BIGNUM *q;
+	BIGNUM *j;
+	unsigned char *seed;
+	int seedlen;
+	BIGNUM *counter;
+
+	int references;
+	CRYPTO_EX_DATA ex_data;
+	DH_METHOD *meth;
+	};
+
+#define DH_GENERATOR_2		2
+/* #define DH_GENERATOR_3	3 */
+#define DH_GENERATOR_5		5
+
+/* DH_check error codes */
+#define DH_CHECK_P_NOT_PRIME		0x01
+#define DH_CHECK_P_NOT_SAFE_PRIME	0x02
+#define DH_UNABLE_TO_CHECK_GENERATOR	0x04
+#define DH_NOT_SUITABLE_GENERATOR	0x08
+
+/* primes p where (p-1)/2 is prime too are called "safe"; we define
+   this for backward compatibility: */
+#define DH_CHECK_P_NOT_STRONG_PRIME	DH_CHECK_P_NOT_SAFE_PRIME
+
+#define DHparams_dup(x) (DH *)ASN1_dup((int (*)())i2d_DHparams, \
+		(char *(*)())d2i_DHparams,(char *)(x))
+#define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
+		(char *(*)())d2i_DHparams,(fp),(unsigned char **)(x))
+#define i2d_DHparams_fp(fp,x) ASN1_i2d_fp(i2d_DHparams,(fp), \
+		(unsigned char *)(x))
+#define d2i_DHparams_bio(bp,x) (DH *)ASN1_d2i_bio((char *(*)())DH_new, \
+		(char *(*)())d2i_DHparams,(bp),(unsigned char **)(x))
+#ifdef  __cplusplus
+#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio((int (*)())i2d_DHparams,(bp), \
+		(unsigned char *)(x))
+#else
+#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio(i2d_DHparams,(bp), \
+		(unsigned char *)(x))
+#endif
+
+DH_METHOD *DH_OpenSSL(void);
+
+void DH_set_default_method(DH_METHOD *meth);
+DH_METHOD *DH_get_default_method(void);
+DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+DH *DH_new_method(DH_METHOD *meth);
+
+DH *	DH_new(void);
+void	DH_free(DH *dh);
+int	DH_size(DH *dh);
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int DH_set_ex_data(DH *d, int idx, void *arg);
+void *DH_get_ex_data(DH *d, int idx);
+DH *	DH_generate_parameters(int prime_len,int generator,
+		void (*callback)(int,int,void *),void *cb_arg);
+int	DH_check(DH *dh,int *codes);
+int	DH_generate_key(DH *dh);
+int	DH_compute_key(unsigned char *key,BIGNUM *pub_key,DH *dh);
+DH *	d2i_DHparams(DH **a,unsigned char **pp, long length);
+int	i2d_DHparams(DH *a,unsigned char **pp);
+#ifndef NO_FP_API
+int	DHparams_print_fp(FILE *fp, DH *x);
+#endif
+#ifdef HEADER_BIO_H
+int	DHparams_print(BIO *bp, DH *x);
+#else
+int	DHparams_print(char *bp, DH *x);
+#endif
+void	ERR_load_DH_strings(void );
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the DH functions. */
+
+/* Function codes. */
+#define DH_F_DHPARAMS_PRINT				 100
+#define DH_F_DHPARAMS_PRINT_FP				 101
+#define DH_F_DH_COMPUTE_KEY				 102
+#define DH_F_DH_GENERATE_KEY				 103
+#define DH_F_DH_GENERATE_PARAMETERS			 104
+#define DH_F_DH_NEW					 105
+
+/* Reason codes. */
+#define DH_R_NO_PRIVATE_VALUE				 100
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/dh/dh1024.pem b/crypto/openssl/crypto/dh/dh1024.pem
new file mode 100644
index 0000000..81d43f6
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh1024.pem
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq
+/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx
+/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC
+-----END DH PARAMETERS-----
diff --git a/crypto/openssl/crypto/dh/dh192.pem b/crypto/openssl/crypto/dh/dh192.pem
new file mode 100644
index 0000000..521c072
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh192.pem
@@ -0,0 +1,3 @@
+-----BEGIN DH PARAMETERS-----
+MB4CGQDUoLoCULb9LsYm5+/WN992xxbiLQlEuIsCAQM=
+-----END DH PARAMETERS-----
diff --git a/crypto/openssl/crypto/dh/dh2048.pem b/crypto/openssl/crypto/dh/dh2048.pem
new file mode 100644
index 0000000..295460f
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh2048.pem
@@ -0,0 +1,16 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o
+AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh
+z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo
+pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW
+aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA
+Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==
+-----END DH PARAMETERS-----
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEArtA3w73zP6Lu3EOQtwogiXt3AXXpuS6yD4BhzNS1pZFyPHk0/an5
+8ydEkPhQZHKDW+BZJxxPLANaTudWo2YT8TgtvUdN6KSgMiEi6McwqDw+SADuvW+F
+SKUYFxG6VFIxyEP6xBdf+vhJxEDbRG2EYsHDRRtJ76gp9cSKTHusf2R+4AAVGqnt
+gRAbNqtcOar/7FSj+Pl8G3v0Bty0LcCSpbqgYlnv6z+rErQmmC6PPvSz97TDMCok
+yKpCE9hFA1zkqK3TH4FmFvGeIaXJUIBZf4mArWuBTjWFW3nmhESRUn1VK3K3x42N
+a5k6c2+EhrMFiLjxuH6JZoqL0/E93FF9SwIBAg==
+-----END DH PARAMETERS-----
diff --git a/crypto/openssl/crypto/dh/dh4096.pem b/crypto/openssl/crypto/dh/dh4096.pem
new file mode 100644
index 0000000..390943a
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh4096.pem
@@ -0,0 +1,14 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7
+vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H
+TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF
+bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1
+rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE
+EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9
+bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3
+W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH
+ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb
+NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR
+jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=
+-----END DH PARAMETERS-----
+
diff --git a/crypto/openssl/crypto/dh/dh512.pem b/crypto/openssl/crypto/dh/dh512.pem
new file mode 100644
index 0000000..0a4d863
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh512.pem
@@ -0,0 +1,4 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn
+a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC
+-----END DH PARAMETERS-----
diff --git a/crypto/openssl/crypto/dh/dh_check.c b/crypto/openssl/crypto/dh/dh_check.c
new file mode 100644
index 0000000..7e5cfd8
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_check.c
@@ -0,0 +1,120 @@
+/* crypto/dh/dh_check.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+/* Check that p is a safe prime and
+ * if g is 2, 3 or 5, check that is is a suitable generator
+ * where
+ * for 2, p mod 24 == 11
+ * for 3, p mod 12 == 5
+ * for 5, p mod 10 == 3 or 7
+ * should hold.
+ */
+
+int DH_check(DH *dh, int *ret)
+	{
+	int ok=0;
+	BN_CTX *ctx=NULL;
+	BN_ULONG l;
+	BIGNUM *q=NULL;
+
+	*ret=0;
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+	q=BN_new();
+	if (q == NULL) goto err;
+
+	if (BN_is_word(dh->g,DH_GENERATOR_2))
+		{
+		l=BN_mod_word(dh->p,24);
+		if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR;
+		}
+#if 0
+	else if (BN_is_word(dh->g,DH_GENERATOR_3))
+		{
+		l=BN_mod_word(dh->p,12);
+		if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR;
+		}
+#endif
+	else if (BN_is_word(dh->g,DH_GENERATOR_5))
+		{
+		l=BN_mod_word(dh->p,10);
+		if ((l != 3) && (l != 7))
+			*ret|=DH_NOT_SUITABLE_GENERATOR;
+		}
+	else
+		*ret|=DH_UNABLE_TO_CHECK_GENERATOR;
+
+	if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
+		*ret|=DH_CHECK_P_NOT_PRIME;
+	else
+		{
+		if (!BN_rshift1(q,dh->p)) goto err;
+		if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+			*ret|=DH_CHECK_P_NOT_SAFE_PRIME;
+		}
+	ok=1;
+err:
+	if (ctx != NULL) BN_CTX_free(ctx);
+	if (q != NULL) BN_free(q);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/dh/dh_err.c b/crypto/openssl/crypto/dh/dh_err.c
new file mode 100644
index 0000000..ff2d168
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_err.c
@@ -0,0 +1,99 @@
+/* crypto/dh/dh_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/dh.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA DH_str_functs[]=
+	{
+{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),	"DHparams_print"},
+{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0),	"DHparams_print_fp"},
+{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),	"DH_compute_key"},
+{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),	"DH_generate_key"},
+{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),	"DH_generate_parameters"},
+{ERR_PACK(0,DH_F_DH_NEW,0),	"DH_new"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA DH_str_reasons[]=
+	{
+{DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_DH_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_DH,DH_str_functs);
+		ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/dh/dh_gen.c b/crypto/openssl/crypto/dh/dh_gen.c
new file mode 100644
index 0000000..7a6a38fb
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_gen.c
@@ -0,0 +1,153 @@
+/* crypto/dh/dh_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+/* We generate DH parameters as follows
+ * find a prime q which is prime_len/2 bits long.
+ * p=(2*q)+1 or (p-1)/2 = q
+ * For this case, g is a generator if
+ * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+ * Since the factors of p-1 are q and 2, we just need to check
+ * g^2 mod p != 1 and g^q mod p != 1.
+ *
+ * Having said all that,
+ * there is another special case method for the generators 2, 3 and 5.
+ * for 2, p mod 24 == 11
+ * for 3, p mod 12 == 5  <<<<< does not work for safe primes.
+ * for 5, p mod 10 == 3 or 7
+ *
+ * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+ * special generators and for answering some of my questions.
+ *
+ * I've implemented the second simple method :-).
+ * Since DH should be using a safe prime (both p and q are prime),
+ * this generator function can take a very very long time to run.
+ */
+
+DH *DH_generate_parameters(int prime_len, int generator,
+	     void (*callback)(int,int,void *), void *cb_arg)
+	{
+	BIGNUM *p=NULL,*t1,*t2;
+	DH *ret=NULL;
+	int g,ok= -1;
+	BN_CTX *ctx=NULL;
+
+	ret=DH_new();
+	if (ret == NULL) goto err;
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	t2 = BN_CTX_get(ctx);
+	if (t1 == NULL || t2 == NULL) goto err;
+	
+	if (generator == DH_GENERATOR_2)
+		{
+		BN_set_word(t1,24);
+		BN_set_word(t2,11);
+		g=2;
+		}
+#ifdef undef  /* does not work for safe primes */
+	else if (generator == DH_GENERATOR_3)
+		{
+		BN_set_word(t1,12);
+		BN_set_word(t2,5);
+		g=3;
+		}
+#endif
+	else if (generator == DH_GENERATOR_5)
+		{
+		BN_set_word(t1,10);
+		BN_set_word(t2,3);
+		/* BN_set_word(t3,7); just have to miss
+		 * out on these ones :-( */
+		g=5;
+		}
+	else
+		g=generator;
+	
+	p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
+	if (p == NULL) goto err;
+	if (callback != NULL) callback(3,0,cb_arg);
+	ret->p=p;
+	ret->g=BN_new();
+	if (!BN_set_word(ret->g,g)) goto err;
+	ok=1;
+err:
+	if (ok == -1)
+		{
+		DHerr(DH_F_DH_GENERATE_PARAMETERS,ERR_R_BN_LIB);
+		ok=0;
+		}
+
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
+	if (!ok && (ret != NULL))
+		{
+		DH_free(ret);
+		ret=NULL;
+		}
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c
new file mode 100644
index 0000000..0c7eeaf
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_key.c
@@ -0,0 +1,211 @@
+/* crypto/dh/dh_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+#include <openssl/dh.h>
+
+static int generate_key(DH *dh);
+static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *m_ctx);
+static int dh_init(DH *dh);
+static int dh_finish(DH *dh);
+
+int DH_generate_key(DH *dh)
+	{
+	return dh->meth->generate_key(dh);
+	}
+
+int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+	{
+	return dh->meth->compute_key(key, pub_key, dh);
+	}
+
+static DH_METHOD dh_ossl = {
+"OpenSSL DH Method",
+generate_key,
+compute_key,
+dh_bn_mod_exp,
+dh_init,
+dh_finish,
+0,
+NULL
+};
+
+DH_METHOD *DH_OpenSSL(void)
+{
+	return &dh_ossl;
+}
+
+static int generate_key(DH *dh)
+	{
+	int ok=0;
+	unsigned int i;
+	BN_CTX ctx;
+	BN_MONT_CTX *mont;
+	BIGNUM *pub_key=NULL,*priv_key=NULL;
+
+	BN_CTX_init(&ctx);
+
+	if (dh->priv_key == NULL)
+		{
+		i=dh->length;
+		if (i == 0)
+			{
+			/* Make the number p-1 bits long */
+			i=BN_num_bits(dh->p)-1;
+			}
+		priv_key=BN_new();
+		if (priv_key == NULL) goto err;
+		if (!BN_rand(priv_key,i,0,0)) goto err;
+		}
+	else
+		priv_key=dh->priv_key;
+
+	if (dh->pub_key == NULL)
+		{
+		pub_key=BN_new();
+		if (pub_key == NULL) goto err;
+		}
+	else
+		pub_key=dh->pub_key;
+
+	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+		{
+		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
+				dh->p,&ctx)) goto err;
+		}
+	mont=(BN_MONT_CTX *)dh->method_mont_p;
+
+	if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont))
+								goto err;
+		
+	dh->pub_key=pub_key;
+	dh->priv_key=priv_key;
+	ok=1;
+err:
+	if (ok != 1)
+		DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB);
+
+	if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
+	if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
+	BN_CTX_free(&ctx);
+	return(ok);
+	}
+
+static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+	{
+	BN_CTX ctx;
+	BN_MONT_CTX *mont;
+	BIGNUM *tmp;
+	int ret= -1;
+
+	BN_CTX_init(&ctx);
+	BN_CTX_start(&ctx);
+	tmp = BN_CTX_get(&ctx);
+	
+	if (dh->priv_key == NULL)
+		{
+		DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
+		goto err;
+		}
+	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+		{
+		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
+				dh->p,&ctx)) goto err;
+		}
+
+	mont=(BN_MONT_CTX *)dh->method_mont_p;
+	if (!dh->meth->bn_mod_exp(dh, tmp,pub_key,dh->priv_key,dh->p,&ctx,mont))
+		{
+		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
+		goto err;
+		}
+
+	ret=BN_bn2bin(tmp,key);
+err:
+	BN_CTX_end(&ctx);
+	BN_CTX_free(&ctx);
+	return(ret);
+	}
+
+static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *m_ctx)
+{
+	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
+
+static int dh_init(DH *dh)
+{
+	dh->flags |= DH_FLAG_CACHE_MONT_P;
+	return(1);
+}
+
+static int dh_finish(DH *dh)
+{
+	if(dh->method_mont_p)
+		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
+	return(1);
+}
diff --git a/crypto/openssl/crypto/dh/dh_lib.c b/crypto/openssl/crypto/dh/dh_lib.c
new file mode 100644
index 0000000..6c21463
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_lib.c
@@ -0,0 +1,187 @@
+/* crypto/dh/dh_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
+
+static DH_METHOD *default_DH_method;
+static int dh_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
+
+void DH_set_default_method(DH_METHOD *meth)
+{
+	default_DH_method = meth;
+}
+
+DH_METHOD *DH_get_default_method(void)
+{
+	if(!default_DH_method) default_DH_method = DH_OpenSSL();
+	return default_DH_method;
+}
+
+DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth)
+{
+        DH_METHOD *mtmp;
+        mtmp = dh->meth;
+        if (mtmp->finish) mtmp->finish(dh);
+        dh->meth = meth;
+        if (meth->init) meth->init(dh);
+        return mtmp;
+}
+
+DH *DH_new(void)
+{
+	return DH_new_method(NULL);
+}
+
+DH *DH_new_method(DH_METHOD *meth)
+	{
+	DH *ret;
+	ret=(DH *)Malloc(sizeof(DH));
+
+	if (ret == NULL)
+		{
+		DHerr(DH_F_DH_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	if(!default_DH_method) default_DH_method = DH_OpenSSL();
+	if(meth) ret->meth = meth;
+	else ret->meth = default_DH_method;
+	ret->pad=0;
+	ret->version=0;
+	ret->p=NULL;
+	ret->g=NULL;
+	ret->length=0;
+	ret->pub_key=NULL;
+	ret->priv_key=NULL;
+	ret->q=NULL;
+	ret->j=NULL;
+	ret->seed = NULL;
+	ret->seedlen = 0;
+	ret->counter = NULL;
+	ret->method_mont_p=NULL;
+	ret->references = 1;
+	ret->flags=ret->meth->flags;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	else
+		CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
+	return(ret);
+	}
+
+void DH_free(DH *r)
+	{
+	int i;
+	if(r == NULL) return;
+	i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DH);
+#ifdef REF_PRINT
+	REF_PRINT("DH",r);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"DH_free, bad reference count\n");
+		abort();
+	}
+#endif
+
+	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
+
+	if(r->meth->finish) r->meth->finish(r);
+
+	if (r->p != NULL) BN_clear_free(r->p);
+	if (r->g != NULL) BN_clear_free(r->g);
+	if (r->q != NULL) BN_clear_free(r->q);
+	if (r->j != NULL) BN_clear_free(r->j);
+	if (r->seed) Free(r->seed);
+	if (r->counter != NULL) BN_clear_free(r->counter);
+	if (r->pub_key != NULL) BN_clear_free(r->pub_key);
+	if (r->priv_key != NULL) BN_clear_free(r->priv_key);
+	Free(r);
+	}
+
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	dh_meth_num++;
+	return(CRYPTO_get_ex_new_index(dh_meth_num-1,
+		&dh_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int DH_set_ex_data(DH *d, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&d->ex_data,idx,arg));
+	}
+
+void *DH_get_ex_data(DH *d, int idx)
+	{
+	return(CRYPTO_get_ex_data(&d->ex_data,idx));
+	}
+
+int DH_size(DH *dh)
+	{
+	return(BN_num_bytes(dh->p));
+	}
diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c
new file mode 100644
index 0000000..d66c284
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dhtest.c
@@ -0,0 +1,196 @@
+/* crypto/dh/dhtest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef WINDOWS
+#include "../bio/bss_file.c" 
+#endif
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+
+#ifdef NO_DH
+int main(int argc, char *argv[])
+{
+    printf("No DH support\n");
+    return(0);
+}
+#else
+#include <openssl/dh.h>
+
+#ifdef WIN16
+#define MS_CALLBACK	_far _loadds
+#else
+#define MS_CALLBACK
+#endif
+
+static void MS_CALLBACK cb(int p, int n, void *arg);
+#ifdef NO_STDIO
+#define APPS_WIN16
+#include "bss_file.c"
+#endif
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+	{
+	DH *a;
+	DH *b=NULL;
+	char buf[12];
+	unsigned char *abuf=NULL,*bbuf=NULL;
+	int i,alen,blen,aout,bout,ret=1;
+	BIO *out;
+
+#ifdef WIN32
+	CRYPTO_malloc_init();
+#endif
+
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
+	out=BIO_new(BIO_s_file());
+	if (out == NULL) exit(1);
+	BIO_set_fp(out,stdout,BIO_NOCLOSE);
+
+	a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
+	if (a == NULL) goto err;
+
+	BIO_puts(out,"\np    =");
+	BN_print(out,a->p);
+	BIO_puts(out,"\ng    =");
+	BN_print(out,a->g);
+	BIO_puts(out,"\n");
+
+	b=DH_new();
+	if (b == NULL) goto err;
+
+	b->p=BN_dup(a->p);
+	b->g=BN_dup(a->g);
+	if ((b->p == NULL) || (b->g == NULL)) goto err;
+
+	if (!DH_generate_key(a)) goto err;
+	BIO_puts(out,"pri 1=");
+	BN_print(out,a->priv_key);
+	BIO_puts(out,"\npub 1=");
+	BN_print(out,a->pub_key);
+	BIO_puts(out,"\n");
+
+	if (!DH_generate_key(b)) goto err;
+	BIO_puts(out,"pri 2=");
+	BN_print(out,b->priv_key);
+	BIO_puts(out,"\npub 2=");
+	BN_print(out,b->pub_key);
+	BIO_puts(out,"\n");
+
+	alen=DH_size(a);
+	abuf=(unsigned char *)Malloc(alen);
+	aout=DH_compute_key(abuf,b->pub_key,a);
+
+	BIO_puts(out,"key1 =");
+	for (i=0; i<aout; i++)
+		{
+		sprintf(buf,"%02X",abuf[i]);
+		BIO_puts(out,buf);
+		}
+	BIO_puts(out,"\n");
+
+	blen=DH_size(b);
+	bbuf=(unsigned char *)Malloc(blen);
+	bout=DH_compute_key(bbuf,a->pub_key,b);
+
+	BIO_puts(out,"key2 =");
+	for (i=0; i<bout; i++)
+		{
+		sprintf(buf,"%02X",bbuf[i]);
+		BIO_puts(out,buf);
+		}
+	BIO_puts(out,"\n");
+	if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
+		{
+		fprintf(stderr,"Error in DH routines\n");
+		ret=1;
+		}
+	else
+		ret=0;
+err:
+	if (abuf != NULL) Free(abuf);
+	if (bbuf != NULL) Free(bbuf);
+	if(b != NULL) DH_free(b);
+	if(a != NULL) DH_free(a);
+	BIO_free(out);
+	exit(ret);
+	return(ret);
+	}
+
+static void MS_CALLBACK cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#endif
diff --git a/crypto/openssl/crypto/dh/example b/crypto/openssl/crypto/dh/example
new file mode 100644
index 0000000..16a33d2
--- /dev/null
+++ b/crypto/openssl/crypto/dh/example
@@ -0,0 +1,50 @@
+From owner-cypherpunks@toad.com Mon Sep 25 10:50:51 1995
+Received: from minbne.mincom.oz.au by orb.mincom.oz.au with SMTP id AA10562
+  (5.65c/IDA-1.4.4 for eay); Wed, 27 Sep 1995 19:41:55 +1000
+Received: by minbne.mincom.oz.au id AA19958
+  (5.65c/IDA-1.4.4 for eay@orb.mincom.oz.au); Wed, 27 Sep 1995 19:34:59 +1000
+Received: from relay3.UU.NET by bunyip.cc.uq.oz.au with SMTP (PP);
+          Wed, 27 Sep 1995 19:13:05 +1000
+Received: from toad.com by relay3.UU.NET with SMTP id QQzizb16156;
+          Wed, 27 Sep 1995 04:48:46 -0400
+Received: by toad.com id AA07905; Tue, 26 Sep 95 06:31:45 PDT
+Received: from by toad.com id AB07851; Tue, 26 Sep 95 06:31:40 PDT
+Received: from servo.qualcomm.com (servo.qualcomm.com [129.46.128.14]) 
+          by cygnus.com (8.6.12/8.6.9) with ESMTP id RAA18442 
+          for <cypherpunks@toad.com>; Mon, 25 Sep 1995 17:52:47 -0700
+Received: (karn@localhost) by servo.qualcomm.com (8.6.12/QC-BSD-2.5.1) 
+          id RAA14732; Mon, 25 Sep 1995 17:50:51 -0700
+Date: Mon, 25 Sep 1995 17:50:51 -0700
+From: Phil Karn <karn@qualcomm.com>
+Message-Id: <199509260050.RAA14732@servo.qualcomm.com>
+To: cypherpunks@toad.com, ipsec-dev@eit.com
+Subject: Primality verification needed
+Sender: owner-cypherpunks@toad.com
+Precedence: bulk
+Status: RO
+X-Status: 
+
+Hi. I've generated a 2047-bit "strong" prime number that I would like to
+use with Diffie-Hellman key exchange. I assert that not only is this number
+'p' prime, but so is (p-1)/2.
+
+I've used the mpz_probab_prime() function in the Gnu Math Package (GMP) version
+1.3.2 to test this number. This function uses the Miller-Rabin primality test.
+However, to increase my confidence that this number really is a strong prime,
+I'd like to ask others to confirm it with other tests. Here's the number in hex:
+
+72a925f760b2f954ed287f1b0953f3e6aef92e456172f9fe86fdd8822241b9c9788fbc289982743e
+fbcd2ccf062b242d7a567ba8bbb40d79bca7b8e0b6c05f835a5b938d985816bc648985adcff5402a
+a76756b36c845a840a1d059ce02707e19cf47af0b5a882f32315c19d1b86a56c5389c5e9bee16b65
+fde7b1a8d74a7675de9b707d4c5a4633c0290c95ff30a605aeb7ae864ff48370f13cf01d49adb9f2
+3d19a439f753ee7703cf342d87f431105c843c78ca4df639931f3458fae8a94d1687e99a76ed99d0
+ba87189f42fd31ad8262c54a8cf5914ae6c28c540d714a5f6087a171fb74f4814c6f968d72386ef3
+56a05180c3bec7ddd5ef6fe76b1f717b
+
+The generator, g, for this prime is 2.
+
+Thanks!
+
+Phil Karn
+
+
diff --git a/crypto/openssl/crypto/dh/generate b/crypto/openssl/crypto/dh/generate
new file mode 100644
index 0000000..5d40723
--- /dev/null
+++ b/crypto/openssl/crypto/dh/generate
@@ -0,0 +1,65 @@
+From: stewarts@ix.netcom.com (Bill Stewart)
+Newsgroups: sci.crypt
+Subject: Re: Diffie-Hellman key exchange
+Date: Wed, 11 Oct 1995 23:08:28 GMT
+Organization: Freelance Information Architect
+Lines: 32
+Message-ID: <45hir2$7l8@ixnews7.ix.netcom.com>
+References: <458rhn$76m$1@mhadf.production.compuserve.com>
+NNTP-Posting-Host: ix-pl4-16.ix.netcom.com
+X-NETCOM-Date: Wed Oct 11  4:09:22 PM PDT 1995
+X-Newsreader: Forte Free Agent 1.0.82
+
+Kent Briggs <72124.3234@CompuServe.COM> wrote:
+
+>I have a copy of the 1976 IEEE article describing the
+>Diffie-Hellman public key exchange algorithm: y=a^x mod q.  I'm
+>looking for sources that give examples of secure a,q pairs and
+>possible some source code that I could examine.
+
+q should be prime, and ideally should be a "strong prime",
+which means it's of the form 2n+1 where n is also prime.
+q also needs to be long enough to prevent the attacks LaMacchia and
+Odlyzko described (some variant on a factoring attack which generates
+a large pile of simultaneous equations and then solves them);
+long enough is about the same size as factoring, so 512 bits may not
+be secure enough for most applications.  (The 192 bits used by
+"secure NFS" was certainly not long enough.)
+
+a should be a generator for q, which means it needs to be
+relatively prime to q-1.   Usually a small prime like 2, 3 or 5 will
+work.  
+
+....
+
+Date: Tue, 26 Sep 1995 13:52:36 MST
+From: "Richard Schroeppel" <rcs@cs.arizona.edu>
+To: karn
+Cc: ho@cs.arizona.edu
+Subject: random large primes
+
+Since your prime is really random, proving it is hard.
+My personal limit on rigorously proved primes is ~350 digits.
+If you really want a proof, we should talk to Francois Morain,
+or the Australian group.
+
+If you want 2 to be a generator (mod P), then you need it
+to be a non-square.  If (P-1)/2 is also prime, then
+non-square == primitive-root for bases << P.
+
+In the case at hand, this means 2 is a generator iff P = 11 (mod 24).
+If you want this, you should restrict your sieve accordingly.
+
+3 is a generator iff P = 5 (mod 12).
+
+5 is a generator iff P = 3 or 7 (mod 10).
+
+2 is perfectly usable as a base even if it's a non-generator, since
+it still covers half the space of possible residues.  And an
+eavesdropper can always determine the low-bit of your exponent for
+a generator anyway.
+
+Rich  rcs@cs.arizona.edu
+
+
+
diff --git a/crypto/openssl/crypto/dh/p1024.c b/crypto/openssl/crypto/dh/p1024.c
new file mode 100644
index 0000000..368ceca
--- /dev/null
+++ b/crypto/openssl/crypto/dh/p1024.c
@@ -0,0 +1,92 @@
+/* crypto/dh/p1024.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <openssl/asn1.h>
+#include <openssl/dh.h>
+#include <openssl/pem.h>
+
+unsigned char data[]={0x97,0xF6,0x42,0x61,0xCA,0xB5,0x05,0xDD,
+	0x28,0x28,0xE1,0x3F,0x1D,0x68,0xB6,0xD3,
+	0xDB,0xD0,0xF3,0x13,0x04,0x7F,0x40,0xE8,
+	0x56,0xDA,0x58,0xCB,0x13,0xB8,0xA1,0xBF,
+	0x2B,0x78,0x3A,0x4C,0x6D,0x59,0xD5,0xF9,
+	0x2A,0xFC,0x6C,0xFF,0x3D,0x69,0x3F,0x78,
+	0xB2,0x3D,0x4F,0x31,0x60,0xA9,0x50,0x2E,
+	0x3E,0xFA,0xF7,0xAB,0x5E,0x1A,0xD5,0xA6,
+	0x5E,0x55,0x43,0x13,0x82,0x8D,0xA8,0x3B,
+	0x9F,0xF2,0xD9,0x41,0xDE,0xE9,0x56,0x89,
+	0xFA,0xDA,0xEA,0x09,0x36,0xAD,0xDF,0x19,
+	0x71,0xFE,0x63,0x5B,0x20,0xAF,0x47,0x03,
+	0x64,0x60,0x3C,0x2D,0xE0,0x59,0xF5,0x4B,
+	0x65,0x0A,0xD8,0xFA,0x0C,0xF7,0x01,0x21,
+	0xC7,0x47,0x99,0xD7,0x58,0x71,0x32,0xBE,
+	0x9B,0x99,0x9B,0xB9,0xB7,0x87,0xE8,0xAB,
+	};
+
+main()
+	{
+	DH *dh;
+
+	dh=DH_new();
+	dh->p=BN_bin2bn(data,sizeof(data),NULL);
+	dh->g=BN_new();
+	BN_set_word(dh->g,2);
+	PEM_write_DHparams(stdout,dh);
+	}
diff --git a/crypto/openssl/crypto/dh/p192.c b/crypto/openssl/crypto/dh/p192.c
new file mode 100644
index 0000000..7bdf404
--- /dev/null
+++ b/crypto/openssl/crypto/dh/p192.c
@@ -0,0 +1,80 @@
+/* crypto/dh/p192.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <openssl/asn1.h>
+#include <openssl/dh.h>
+#include <openssl/pem.h>
+
+unsigned char data[]={
+0xD4,0xA0,0xBA,0x02,0x50,0xB6,0xFD,0x2E,
+0xC6,0x26,0xE7,0xEF,0xD6,0x37,0xDF,0x76,
+0xC7,0x16,0xE2,0x2D,0x09,0x44,0xB8,0x8B,
+	};
+
+main()
+	{
+	DH *dh;
+
+	dh=DH_new();
+	dh->p=BN_bin2bn(data,sizeof(data),NULL);
+	dh->g=BN_new();
+	BN_set_word(dh->g,3);
+	PEM_write_DHparams(stdout,dh);
+	}
diff --git a/crypto/openssl/crypto/dh/p512.c b/crypto/openssl/crypto/dh/p512.c
new file mode 100644
index 0000000..a9b6aa8
--- /dev/null
+++ b/crypto/openssl/crypto/dh/p512.c
@@ -0,0 +1,85 @@
+/* crypto/dh/p512.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <openssl/asn1.h>
+#include <openssl/dh.h>
+#include <openssl/pem.h>
+
+unsigned char data[]={
+0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,
+0xD0,0xE4,0xAF,0x75,0x6F,0x4C,0xCA,0x92,
+0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,
+0x57,0x46,0x50,0xD3,0x69,0x99,0xDB,0x29,
+0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,
+0xD8,0x00,0x3E,0x7C,0x47,0x74,0xE8,0x33,
+	};
+
+main()
+	{
+	DH *dh;
+
+	dh=DH_new();
+	dh->p=BN_bin2bn(data,sizeof(data),NULL);
+	dh->g=BN_new();
+	BN_set_word(dh->g,2);
+	PEM_write_DHparams(stdout,dh);
+	}
diff --git a/crypto/openssl/crypto/dsa/Makefile.save b/crypto/openssl/crypto/dsa/Makefile.save
new file mode 100644
index 0000000..1890d14
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/Makefile.save
@@ -0,0 +1,146 @@
+#
+# SSLeay/crypto/dsa/Makefile
+#
+
+DIR=	dsa
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=dsatest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \
+	dsa_err.c dsa_ossl.c
+LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \
+	dsa_err.o dsa_ossl.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= dsa.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+dsa_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+dsa_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dsa_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_err.o: ../../include/openssl/stack.h
+dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_gen.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_key.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_key.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_lib.o: ../cryptlib.h
+dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_ossl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_ossl.o: ../cryptlib.h
+dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_sign.o: ../cryptlib.h
+dsa_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_vrf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_vrf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_vrf.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl
new file mode 100644
index 0000000..1890d14
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/Makefile.ssl
@@ -0,0 +1,146 @@
+#
+# SSLeay/crypto/dsa/Makefile
+#
+
+DIR=	dsa
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=dsatest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \
+	dsa_err.c dsa_ossl.c
+LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \
+	dsa_err.o dsa_ossl.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= dsa.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+dsa_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+dsa_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dsa_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_err.o: ../../include/openssl/stack.h
+dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_gen.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_key.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_key.o: ../../include/openssl/stack.h ../cryptlib.h
+dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_lib.o: ../cryptlib.h
+dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_ossl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_ossl.o: ../cryptlib.h
+dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_sign.o: ../cryptlib.h
+dsa_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_vrf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_vrf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_vrf.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/dsa/README b/crypto/openssl/crypto/dsa/README
new file mode 100644
index 0000000..6a7e9c1
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/README
@@ -0,0 +1,4 @@
+The stuff in here is based on patches supplied to me by
+Steven Schoch <schoch@sheba.arc.nasa.gov> to do DSS.
+I have since modified a them a little but a debt of gratitude
+is due for doing the initial work.
diff --git a/crypto/openssl/crypto/dsa/dsa.h b/crypto/openssl/crypto/dsa/dsa.h
new file mode 100644
index 0000000..68d9912
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa.h
@@ -0,0 +1,241 @@
+/* crypto/dsa/dsa.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * The DSS routines are based on patches supplied by
+ * Steven Schoch <schoch@sheba.arc.nasa.gov>.  He basically did the
+ * work and I have just tweaked them a little to fit into my
+ * stylistic vision for SSLeay :-) */
+
+#ifndef HEADER_DSA_H
+#define HEADER_DSA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_DSA
+#error DSA is disabled.
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#ifndef NO_DH
+# include <openssl/dh.h>
+#endif
+
+#define DSA_FLAG_CACHE_MONT_P	0x01
+
+typedef struct dsa_st DSA;
+
+typedef struct DSA_SIG_st
+	{
+	BIGNUM *r;
+	BIGNUM *s;
+	} DSA_SIG;
+
+typedef struct dsa_method {
+	const char *name;
+	DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
+	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+								BIGNUM **rp);
+	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+							DSA_SIG *sig, DSA *dsa);
+	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+			BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *in_mont);
+	int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx); /* Can be null */
+	int (*init)(DSA *dsa);
+	int (*finish)(DSA *dsa);
+	int flags;
+	char *app_data;
+} DSA_METHOD;
+
+struct dsa_st
+	{
+	/* This first variable is used to pick up errors where
+	 * a DSA is passed instead of of a EVP_PKEY */
+	int pad;
+	int version;
+	int write_params;
+	BIGNUM *p;
+	BIGNUM *q;	/* == 20 */
+	BIGNUM *g;
+
+	BIGNUM *pub_key;  /* y public key */
+	BIGNUM *priv_key; /* x private key */
+
+	BIGNUM *kinv;	/* Signing pre-calc */
+	BIGNUM *r;	/* Signing pre-calc */
+
+	int flags;
+	/* Normally used to cache montgomery values */
+	char *method_mont_p;
+	int references;
+	CRYPTO_EX_DATA ex_data;
+	DSA_METHOD *meth;
+	};
+
+#define DSAparams_dup(x) (DSA *)ASN1_dup((int (*)())i2d_DSAparams, \
+		(char *(*)())d2i_DSAparams,(char *)(x))
+#define d2i_DSAparams_fp(fp,x) (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
+		(char *(*)())d2i_DSAparams,(fp),(unsigned char **)(x))
+#define i2d_DSAparams_fp(fp,x) ASN1_i2d_fp(i2d_DSAparams,(fp), \
+		(unsigned char *)(x))
+#define d2i_DSAparams_bio(bp,x) (DSA *)ASN1_d2i_bio((char *(*)())DSA_new, \
+		(char *(*)())d2i_DSAparams,(bp),(unsigned char **)(x))
+#define i2d_DSAparams_bio(bp,x) ASN1_i2d_bio(i2d_DSAparams,(bp), \
+		(unsigned char *)(x))
+
+
+DSA_SIG * DSA_SIG_new(void);
+void	DSA_SIG_free(DSA_SIG *a);
+int	i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
+DSA_SIG * d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
+
+DSA_SIG * DSA_do_sign(const unsigned char *dgst,int dlen,DSA *dsa);
+int	DSA_do_verify(const unsigned char *dgst,int dgst_len,
+		      DSA_SIG *sig,DSA *dsa);
+
+DSA_METHOD *DSA_OpenSSL(void);
+
+void        DSA_set_default_method(DSA_METHOD *);
+DSA_METHOD *DSA_get_default_method(void);
+DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *);
+
+DSA *	DSA_new(void);
+DSA *	DSA_new_method(DSA_METHOD *meth);
+int	DSA_size(DSA *);
+	/* next 4 return -1 on error */
+int	DSA_sign_setup( DSA *dsa,BN_CTX *ctx_in,BIGNUM **kinvp,BIGNUM **rp);
+int	DSA_sign(int type,const unsigned char *dgst,int dlen,
+		unsigned char *sig, unsigned int *siglen, DSA *dsa);
+int	DSA_verify(int type,const unsigned char *dgst,int dgst_len,
+		unsigned char *sigbuf, int siglen, DSA *dsa);
+void	DSA_free (DSA *r);
+int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int DSA_set_ex_data(DSA *d, int idx, void *arg);
+void *DSA_get_ex_data(DSA *d, int idx);
+
+void	ERR_load_DSA_strings(void );
+
+DSA *	d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
+DSA *	d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
+DSA * 	d2i_DSAparams(DSA **a, unsigned char **pp, long length);
+DSA *	DSA_generate_parameters(int bits, unsigned char *seed,int seed_len,
+		int *counter_ret, unsigned long *h_ret,void
+		(*callback)(int, int, void *),void *cb_arg);
+int	DSA_generate_key(DSA *a);
+int	i2d_DSAPublicKey(DSA *a, unsigned char **pp);
+int 	i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
+int	i2d_DSAparams(DSA *a,unsigned char **pp);
+
+#ifdef HEADER_BIO_H
+int	DSAparams_print(BIO *bp, DSA *x);
+int	DSA_print(BIO *bp, DSA *x, int off);
+#endif
+#ifndef NO_FP_API
+int	DSAparams_print_fp(FILE *fp, DSA *x);
+int	DSA_print_fp(FILE *bp, DSA *x, int off);
+#endif
+
+#define DSS_prime_checks 50
+/* Primality test according to FIPS PUB 186[-1], Appendix 2.1:
+ * 50 rounds of Rabin-Miller */
+#define DSA_is_prime(n, callback, cb_arg) \
+	BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
+
+#ifndef NO_DH
+/* Convert DSA structure (key or just parameters) into DH structure
+ * (be careful to avoid small subgroup attacks when using this!) */
+DH *DSA_dup_DH(DSA *r);
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the DSA functions. */
+
+/* Function codes. */
+#define DSA_F_D2I_DSA_SIG				 110
+#define DSA_F_DSAPARAMS_PRINT				 100
+#define DSA_F_DSAPARAMS_PRINT_FP			 101
+#define DSA_F_DSA_DO_SIGN				 112
+#define DSA_F_DSA_DO_VERIFY				 113
+#define DSA_F_DSA_NEW					 103
+#define DSA_F_DSA_PRINT					 104
+#define DSA_F_DSA_PRINT_FP				 105
+#define DSA_F_DSA_SIGN					 106
+#define DSA_F_DSA_SIGN_SETUP				 107
+#define DSA_F_DSA_SIG_NEW				 109
+#define DSA_F_DSA_VERIFY				 108
+#define DSA_F_I2D_DSA_SIG				 111
+
+/* Reason codes. */
+#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 100
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/dsa/dsa_asn1.c b/crypto/openssl/crypto/dsa/dsa_asn1.c
new file mode 100644
index 0000000..c9b32b4
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_asn1.c
@@ -0,0 +1,96 @@
+/* crypto/dsa/dsa_asn1.c */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dsa.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+DSA_SIG *DSA_SIG_new(void)
+{
+	DSA_SIG *ret;
+
+	ret = Malloc(sizeof(DSA_SIG));
+	if (ret == NULL)
+		{
+		DSAerr(DSA_F_DSA_SIG_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->r = NULL;
+	ret->s = NULL;
+	return(ret);
+}
+
+void DSA_SIG_free(DSA_SIG *r)
+{
+	if (r == NULL) return;
+	if (r->r) BN_clear_free(r->r);
+	if (r->s) BN_clear_free(r->s);
+	Free(r);
+}
+
+int i2d_DSA_SIG(DSA_SIG *v, unsigned char **pp)
+{
+	int t=0,len;
+	ASN1_INTEGER rbs,sbs;
+	unsigned char *p;
+
+	rbs.data=Malloc(BN_num_bits(v->r)/8+1);
+	if (rbs.data == NULL)
+		{
+		DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	rbs.type=V_ASN1_INTEGER;
+	rbs.length=BN_bn2bin(v->r,rbs.data);
+	sbs.data=Malloc(BN_num_bits(v->s)/8+1);
+	if (sbs.data == NULL)
+		{
+		Free(rbs.data);
+		DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	sbs.type=V_ASN1_INTEGER;
+	sbs.length=BN_bn2bin(v->s,sbs.data);
+
+	len=i2d_ASN1_INTEGER(&rbs,NULL);
+	len+=i2d_ASN1_INTEGER(&sbs,NULL);
+
+	if (pp)
+		{
+		p=*pp;
+		ASN1_put_object(&p,1,len,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+		i2d_ASN1_INTEGER(&rbs,&p);
+		i2d_ASN1_INTEGER(&sbs,&p);
+		}
+	t=ASN1_object_size(1,len,V_ASN1_SEQUENCE);
+	Free(rbs.data);
+	Free(sbs.data);
+	return(t);
+}
+
+DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
+{
+	int i=ERR_R_NESTED_ASN1_ERROR;
+	ASN1_INTEGER *bs=NULL;
+	M_ASN1_D2I_vars(a,DSA_SIG *,DSA_SIG_new);
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->r=BN_bin2bn(bs->data,bs->length,ret->r)) == NULL)
+		goto err_bn;
+	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+	if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
+		goto err_bn;
+	M_ASN1_BIT_STRING_free(bs);
+	M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+	i=ERR_R_BN_LIB;
+err:
+	DSAerr(DSA_F_D2I_DSA_SIG,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_SIG_free(ret);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
+	return(NULL);
+}
diff --git a/crypto/openssl/crypto/dsa/dsa_err.c b/crypto/openssl/crypto/dsa/dsa_err.c
new file mode 100644
index 0000000..2b3ab3a
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_err.c
@@ -0,0 +1,106 @@
+/* crypto/dsa/dsa_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/dsa.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA DSA_str_functs[]=
+	{
+{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),	"d2i_DSA_SIG"},
+{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0),	"DSAparams_print"},
+{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),	"DSAparams_print_fp"},
+{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),	"DSA_do_sign"},
+{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),	"DSA_do_verify"},
+{ERR_PACK(0,DSA_F_DSA_NEW,0),	"DSA_new"},
+{ERR_PACK(0,DSA_F_DSA_PRINT,0),	"DSA_print"},
+{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),	"DSA_print_fp"},
+{ERR_PACK(0,DSA_F_DSA_SIGN,0),	"DSA_sign"},
+{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0),	"DSA_sign_setup"},
+{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),	"DSA_SIG_new"},
+{ERR_PACK(0,DSA_F_DSA_VERIFY,0),	"DSA_verify"},
+{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),	"i2d_DSA_SIG"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA DSA_str_reasons[]=
+	{
+{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_DSA_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
+		ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/dsa/dsa_gen.c b/crypto/openssl/crypto/dsa/dsa_gen.c
new file mode 100644
index 0000000..2294a36
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_gen.c
@@ -0,0 +1,294 @@
+/* crypto/dsa/dsa_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#undef GENUINE_DSA
+
+#ifdef GENUINE_DSA
+/* Parameter generation follows the original release of FIPS PUB 186,
+ * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
+#define HASH    SHA
+#else
+/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
+ * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
+ * FIPS PUB 180-1) */
+#define HASH    SHA1
+#endif 
+
+#ifndef NO_SHA
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/sha.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+
+DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *),
+		void *cb_arg)
+	{
+	int ok=0;
+	unsigned char seed[SHA_DIGEST_LENGTH];
+	unsigned char md[SHA_DIGEST_LENGTH];
+	unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
+	BIGNUM *r0,*W,*X,*c,*test;
+	BIGNUM *g=NULL,*q=NULL,*p=NULL;
+	BN_MONT_CTX *mont=NULL;
+	int k,n=0,i,b,m=0;
+	int counter=0;
+	int r=0;
+	BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
+	unsigned int h=2;
+	DSA *ret=NULL;
+
+	if (bits < 512) bits=512;
+	bits=(bits+63)/64*64;
+
+	if (seed_len < 20)
+		seed_in = NULL; /* seed buffer too small -- ignore */
+	if (seed_len > 20) 
+		seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+		                * but our internal buffers are restricted to 160 bits*/
+	if ((seed_in != NULL) && (seed_len == 20))
+		memcpy(seed,seed_in,seed_len);
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	if ((ctx2=BN_CTX_new()) == NULL) goto err;
+	if ((ctx3=BN_CTX_new()) == NULL) goto err;
+	if ((ret=DSA_new()) == NULL) goto err;
+
+	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+
+	BN_CTX_start(ctx2);
+	r0 = BN_CTX_get(ctx2);
+	g = BN_CTX_get(ctx2);
+	W = BN_CTX_get(ctx2);
+	q = BN_CTX_get(ctx2);
+	X = BN_CTX_get(ctx2);
+	c = BN_CTX_get(ctx2);
+	p = BN_CTX_get(ctx2);
+	test = BN_CTX_get(ctx2);
+
+	BN_lshift(test,BN_value_one(),bits-1);
+
+	for (;;)
+		{
+		for (;;) /* find q */
+			{
+			int seed_is_random;
+
+			/* step 1 */
+			if (callback != NULL) callback(0,m++,cb_arg);
+
+			if (!seed_len)
+				{
+				RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
+				seed_is_random = 1;
+				}
+			else
+				{
+				seed_is_random = 0;
+				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+				}
+			memcpy(buf,seed,SHA_DIGEST_LENGTH);
+			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
+			/* precompute "SEED + 1" for step 7: */
+			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
+				{
+				buf[i]++;
+				if (buf[i] != 0) break;
+				}
+
+			/* step 2 */
+			HASH(seed,SHA_DIGEST_LENGTH,md);
+			HASH(buf,SHA_DIGEST_LENGTH,buf2);
+			for (i=0; i<SHA_DIGEST_LENGTH; i++)
+				md[i]^=buf2[i];
+
+			/* step 3 */
+			md[0]|=0x80;
+			md[SHA_DIGEST_LENGTH-1]|=0x01;
+			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
+
+			/* step 4 */
+			r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
+			if (r > 0)
+				break;
+			if (r != 0)
+				goto err;
+
+			/* do a callback call */
+			/* step 5 */
+			}
+
+		if (callback != NULL) callback(2,0,cb_arg);
+		if (callback != NULL) callback(3,0,cb_arg);
+
+		/* step 6 */
+		counter=0;
+		/* "offset = 2" */
+
+		n=(bits-1)/160;
+		b=(bits-1)-n*160;
+
+		for (;;)
+			{
+			if (callback != NULL && counter != 0)
+				callback(0,counter,cb_arg);
+
+			/* step 7 */
+			BN_zero(W);
+			/* now 'buf' contains "SEED + offset - 1" */
+			for (k=0; k<=n; k++)
+				{
+				/* obtain "SEED + offset + k" by incrementing: */
+				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
+					{
+					buf[i]++;
+					if (buf[i] != 0) break;
+					}
+
+				HASH(buf,SHA_DIGEST_LENGTH,md);
+
+				/* step 8 */
+				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+					goto err;
+				BN_lshift(r0,r0,160*k);
+				BN_add(W,W,r0);
+				}
+
+			/* more of step 8 */
+			BN_mask_bits(W,bits-1);
+			BN_copy(X,W); /* this should be ok */
+			BN_add(X,X,test); /* this should be ok */
+
+			/* step 9 */
+			BN_lshift1(r0,q);
+			BN_mod(c,X,r0,ctx);
+			BN_sub(r0,c,BN_value_one());
+			BN_sub(p,X,r0);
+
+			/* step 10 */
+			if (BN_cmp(p,test) >= 0)
+				{
+				/* step 11 */
+				r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
+				if (r > 0)
+						goto end; /* found it */
+				if (r != 0)
+					goto err;
+				}
+
+			/* step 13 */
+			counter++;
+			/* "offset = offset + n + 1" */
+
+			/* step 14 */
+			if (counter >= 4096) break;
+			}
+		}
+end:
+	if (callback != NULL) callback(2,1,cb_arg);
+
+	/* We now need to generate g */
+	/* Set r0=(p-1)/q */
+	BN_sub(test,p,BN_value_one());
+	BN_div(r0,NULL,test,q,ctx);
+
+	BN_set_word(test,h);
+	BN_MONT_CTX_set(mont,p,ctx);
+
+	for (;;)
+		{
+		/* g=test^r0%p */
+		BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+		if (!BN_is_one(g)) break;
+		BN_add(test,test,BN_value_one());
+		h++;
+		}
+
+	if (callback != NULL) callback(3,1,cb_arg);
+
+	ok=1;
+err:
+	if (!ok)
+		{
+		if (ret != NULL) DSA_free(ret);
+		}
+	else
+		{
+		ret->p=BN_dup(p);
+		ret->q=BN_dup(q);
+		ret->g=BN_dup(g);
+		if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
+		if (counter_ret != NULL) *counter_ret=counter;
+		if (h_ret != NULL) *h_ret=h;
+		}
+	if (ctx != NULL) BN_CTX_free(ctx);
+	if (ctx2 != NULL)
+		{
+		BN_CTX_end(ctx2);
+		BN_CTX_free(ctx2);
+		}
+	if (ctx3 != NULL) BN_CTX_free(ctx3);
+	if (mont != NULL) BN_MONT_CTX_free(mont);
+	return(ok?ret:NULL);
+	}
+#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_key.c b/crypto/openssl/crypto/dsa/dsa_key.c
new file mode 100644
index 0000000..5aef2d5
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_key.c
@@ -0,0 +1,113 @@
+/* crypto/dsa/dsa_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SHA
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/sha.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+
+int DSA_generate_key(DSA *dsa)
+	{
+	int ok=0;
+	unsigned int i;
+	BN_CTX *ctx=NULL;
+	BIGNUM *pub_key=NULL,*priv_key=NULL;
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+
+	if (dsa->priv_key == NULL)
+		{
+		if ((priv_key=BN_new()) == NULL) goto err;
+		}
+	else
+		priv_key=dsa->priv_key;
+
+	i=BN_num_bits(dsa->q);
+	for (;;)
+		{
+		if (!BN_rand(priv_key,i,1,0))
+			goto err;
+		if (BN_cmp(priv_key,dsa->q) >= 0)
+			BN_sub(priv_key,priv_key,dsa->q);
+		if (!BN_is_zero(priv_key)) break;
+		}
+
+	if (dsa->pub_key == NULL)
+		{
+		if ((pub_key=BN_new()) == NULL) goto err;
+		}
+	else
+		pub_key=dsa->pub_key;
+
+	if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+
+	dsa->priv_key=priv_key;
+	dsa->pub_key=pub_key;
+	ok=1;
+
+err:
+	if ((pub_key != NULL) && (dsa->pub_key == NULL)) BN_free(pub_key);
+	if ((priv_key != NULL) && (dsa->priv_key == NULL)) BN_free(priv_key);
+	if (ctx != NULL) BN_CTX_free(ctx);
+	return(ok);
+	}
+#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_lib.c b/crypto/openssl/crypto/dsa/dsa_lib.c
new file mode 100644
index 0000000..224e412
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_lib.c
@@ -0,0 +1,246 @@
+/* crypto/dsa/dsa_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/asn1.h>
+
+const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
+
+static DSA_METHOD *default_DSA_method;
+static int dsa_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
+
+void DSA_set_default_method(DSA_METHOD *meth)
+{
+	default_DSA_method = meth;
+}
+
+DSA_METHOD *DSA_get_default_method(void)
+{
+	if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
+	return default_DSA_method;
+}
+
+DSA *DSA_new(void)
+{
+	return DSA_new_method(NULL);
+}
+
+DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth)
+{
+        DSA_METHOD *mtmp;
+        mtmp = dsa->meth;
+        if (mtmp->finish) mtmp->finish(dsa);
+        dsa->meth = meth;
+        if (meth->init) meth->init(dsa);
+        return mtmp;
+}
+
+
+DSA *DSA_new_method(DSA_METHOD *meth)
+	{
+	DSA *ret;
+
+	ret=(DSA *)Malloc(sizeof(DSA));
+	if (ret == NULL)
+		{
+		DSAerr(DSA_F_DSA_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
+	if(meth) ret->meth = meth;
+	else ret->meth = default_DSA_method;
+	ret->pad=0;
+	ret->version=0;
+	ret->write_params=1;
+	ret->p=NULL;
+	ret->q=NULL;
+	ret->g=NULL;
+
+	ret->pub_key=NULL;
+	ret->priv_key=NULL;
+
+	ret->kinv=NULL;
+	ret->r=NULL;
+	ret->method_mont_p=NULL;
+
+	ret->references=1;
+	ret->flags=ret->meth->flags;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	else
+		CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
+	
+	return(ret);
+	}
+
+void DSA_free(DSA *r)
+	{
+	int i;
+
+	if (r == NULL) return;
+
+	i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_DSA);
+#ifdef REF_PRINT
+	REF_PRINT("DSA",r);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"DSA_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+
+	if(r->meth->finish) r->meth->finish(r);
+
+	if (r->p != NULL) BN_clear_free(r->p);
+	if (r->q != NULL) BN_clear_free(r->q);
+	if (r->g != NULL) BN_clear_free(r->g);
+	if (r->pub_key != NULL) BN_clear_free(r->pub_key);
+	if (r->priv_key != NULL) BN_clear_free(r->priv_key);
+	if (r->kinv != NULL) BN_clear_free(r->kinv);
+	if (r->r != NULL) BN_clear_free(r->r);
+	Free(r);
+	}
+
+int DSA_size(DSA *r)
+	{
+	int ret,i;
+	ASN1_INTEGER bs;
+	unsigned char buf[4];
+
+	i=BN_num_bits(r->q);
+	bs.length=(i+7)/8;
+	bs.data=buf;
+	bs.type=V_ASN1_INTEGER;
+	/* If the top bit is set the asn1 encoding is 1 larger. */
+	buf[0]=0xff;	
+
+	i=i2d_ASN1_INTEGER(&bs,NULL);
+	i+=i; /* r and s */
+	ret=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+	return(ret);
+	}
+
+int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	dsa_meth_num++;
+	return(CRYPTO_get_ex_new_index(dsa_meth_num-1,
+		&dsa_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int DSA_set_ex_data(DSA *d, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&d->ex_data,idx,arg));
+	}
+
+void *DSA_get_ex_data(DSA *d, int idx)
+	{
+	return(CRYPTO_get_ex_data(&d->ex_data,idx));
+	}
+
+#ifndef NO_DH
+DH *DSA_dup_DH(DSA *r)
+	{
+	/* DSA has p, q, g, optional pub_key, optional priv_key.
+	 * DH has p, optional length, g, optional pub_key, optional priv_key.
+	 */ 
+
+	DH *ret = NULL;
+
+	if (r == NULL)
+		goto err;
+	ret = DH_new();
+	if (ret == NULL)
+		goto err;
+	if (r->p != NULL) 
+		if ((ret->p = BN_dup(r->p)) == NULL)
+			goto err;
+	if (r->q != NULL)
+		ret->length = BN_num_bits(r->q);
+	if (r->g != NULL)
+		if ((ret->g = BN_dup(r->g)) == NULL)
+			goto err;
+	if (r->pub_key != NULL)
+		if ((ret->pub_key = BN_dup(r->pub_key)) == NULL)
+			goto err;
+	if (r->priv_key != NULL)
+		if ((ret->priv_key = BN_dup(r->priv_key)) == NULL)
+			goto err;
+
+	return ret;
+
+ err:
+	if (ret != NULL)
+		DH_free(ret);
+	return NULL;
+	}
+#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c
new file mode 100644
index 0000000..b51cf6a
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_ossl.c
@@ -0,0 +1,321 @@
+/* crypto/dsa/dsa_ossl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+		  DSA *dsa);
+static int dsa_init(DSA *dsa);
+static int dsa_finish(DSA *dsa);
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+		BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *in_mont);
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx);
+
+static DSA_METHOD openssl_dsa_meth = {
+"OpenSSL DSA method",
+dsa_do_sign,
+dsa_sign_setup,
+dsa_do_verify,
+dsa_mod_exp,
+dsa_bn_mod_exp,
+dsa_init,
+dsa_finish,
+0,
+NULL
+};
+
+DSA_METHOD *DSA_OpenSSL(void)
+{
+	return &openssl_dsa_meth;
+}
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+	{
+	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
+	BIGNUM m;
+	BIGNUM xr;
+	BN_CTX *ctx=NULL;
+	int i,reason=ERR_R_BN_LIB;
+	DSA_SIG *ret=NULL;
+
+	BN_init(&m);
+	BN_init(&xr);
+	s=BN_new();
+	if (s == NULL) goto err;
+
+	i=BN_num_bytes(dsa->q); /* should be 20 */
+	if ((dlen > i) || (dlen > 50))
+		{
+		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+		goto err;
+		}
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+
+	if ((dsa->kinv == NULL) || (dsa->r == NULL))
+		{
+		if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
+		}
+	else
+		{
+		kinv=dsa->kinv;
+		dsa->kinv=NULL;
+		r=dsa->r;
+		dsa->r=NULL;
+		}
+
+	if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
+
+	/* Compute  s = inv(k) (m + xr) mod q */
+	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
+	if (BN_cmp(s,dsa->q) > 0)
+		BN_sub(s,s,dsa->q);
+	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
+
+	ret=DSA_SIG_new();
+	if (ret == NULL) goto err;
+	ret->r = r;
+	ret->s = s;
+	
+err:
+	if (!ret)
+		{
+		DSAerr(DSA_F_DSA_DO_SIGN,reason);
+		BN_free(r);
+		BN_free(s);
+		}
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_clear_free(&m);
+	BN_clear_free(&xr);
+	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
+	    BN_clear_free(kinv);
+	return(ret);
+	}
+
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+	{
+	BN_CTX *ctx;
+	BIGNUM k,*kinv=NULL,*r=NULL;
+	int ret=0;
+
+	if (ctx_in == NULL)
+		{
+		if ((ctx=BN_CTX_new()) == NULL) goto err;
+		}
+	else
+		ctx=ctx_in;
+
+	BN_init(&k);
+	if ((r=BN_new()) == NULL) goto err;
+	kinv=NULL;
+
+	/* Get random k */
+	for (;;)
+		{
+		if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
+		if (BN_cmp(&k,dsa->q) >= 0)
+			BN_sub(&k,&k,dsa->q);
+		if (!BN_is_zero(&k)) break;
+		}
+
+	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+		{
+		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+				dsa->p,ctx)) goto err;
+		}
+
+	/* Compute r = (g^k mod p) mod q */
+	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+		(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
+
+	/* Compute  part of 's = inv(k) (m + xr) mod q' */
+	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+
+	if (*kinvp != NULL) BN_clear_free(*kinvp);
+	*kinvp=kinv;
+	kinv=NULL;
+	if (*rp != NULL) BN_clear_free(*rp);
+	*rp=r;
+	ret=1;
+err:
+	if (!ret)
+		{
+		DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
+		if (kinv != NULL) BN_clear_free(kinv);
+		if (r != NULL) BN_clear_free(r);
+		}
+	if (ctx_in == NULL) BN_CTX_free(ctx);
+	if (kinv != NULL) BN_clear_free(kinv);
+	BN_clear_free(&k);
+	return(ret);
+	}
+
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+		  DSA *dsa)
+	{
+	BN_CTX *ctx;
+	BIGNUM u1,u2,t1;
+	BN_MONT_CTX *mont=NULL;
+	int ret = -1;
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	BN_init(&u1);
+	BN_init(&u2);
+	BN_init(&t1);
+
+	/* Calculate W = inv(S) mod Q
+	 * save W in u2 */
+	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+
+	/* save M in u1 */
+	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+
+	/* u1 = M * w mod q */
+	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+
+	/* u2 = r * w mod q */
+	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+
+	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+		{
+		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+				dsa->p,ctx)) goto err;
+		}
+	mont=(BN_MONT_CTX *)dsa->method_mont_p;
+
+#if 0
+	{
+	BIGNUM t2;
+
+	BN_init(&t2);
+	/* v = ( g^u1 * y^u2 mod p ) mod q */
+	/* let t1 = g ^ u1 mod p */
+	if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
+	/* let t2 = y ^ u2 mod p */
+	if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
+	/* let u1 = t1 * t2 mod p */
+	if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
+	BN_free(&t2);
+	}
+	/* let u1 = u1 mod q */
+	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
+#else
+	{
+	if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+						dsa->p,ctx,mont)) goto err;
+	/* BN_copy(&u1,&t1); */
+	/* let u1 = u1 mod q */
+	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+	}
+#endif
+	/* V is now in u1.  If the signature is correct, it will be
+	 * equal to R. */
+	ret=(BN_ucmp(&u1, sig->r) == 0);
+
+	err:
+	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_free(&u1);
+	BN_free(&u2);
+	BN_free(&t1);
+	return(ret);
+	}
+
+static int dsa_init(DSA *dsa)
+{
+	dsa->flags|=DSA_FLAG_CACHE_MONT_P;
+	return(1);
+}
+
+static int dsa_finish(DSA *dsa)
+{
+	if(dsa->method_mont_p)
+		BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+	return(1);
+}
+
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+		BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *in_mont)
+{
+	return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+}
+	
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx)
+{
+	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
diff --git a/crypto/openssl/crypto/dsa/dsa_sign.c b/crypto/openssl/crypto/dsa/dsa_sign.c
new file mode 100644
index 0000000..8920502
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_sign.c
@@ -0,0 +1,92 @@
+/* crypto/dsa/dsa_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+
+DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+	{
+	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
+	}
+
+int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
+	     unsigned int *siglen, DSA *dsa)
+	{
+	DSA_SIG *s;
+	s=DSA_do_sign(dgst,dlen,dsa);
+	if (s == NULL)
+		{
+		*siglen=0;
+		return(0);
+		}
+	*siglen=i2d_DSA_SIG(s,&sig);
+	DSA_SIG_free(s);
+	return(1);
+	}
+
+int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+	{
+	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
+	}
+
diff --git a/crypto/openssl/crypto/dsa/dsa_vrf.c b/crypto/openssl/crypto/dsa/dsa_vrf.c
new file mode 100644
index 0000000..03277f8
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_vrf.c
@@ -0,0 +1,94 @@
+/* crypto/dsa/dsa_vrf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+		  DSA *dsa)
+	{
+	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+	}
+
+/* data has already been hashed (probably with SHA or SHA-1). */
+/* returns
+ *      1: correct signature
+ *      0: incorrect signature
+ *     -1: error
+ */
+int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+	     unsigned char *sigbuf, int siglen, DSA *dsa)
+	{
+	DSA_SIG *s;
+	int ret=-1;
+
+	s = DSA_SIG_new();
+	if (s == NULL) return(ret);
+	if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
+	ret=DSA_do_verify(dgst,dgst_len,s,dsa);
+err:
+	DSA_SIG_free(s);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/dsa/dsagen.c b/crypto/openssl/crypto/dsa/dsagen.c
new file mode 100644
index 0000000..a0b0976
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsagen.c
@@ -0,0 +1,111 @@
+/* crypto/dsa/dsagen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/dsa.h>
+
+#define TEST
+#define GENUINE_DSA
+
+#ifdef GENUINE_DSA
+#define LAST_VALUE 0xbd
+#else
+#define LAST_VALUE 0xd3
+#endif
+
+#ifdef TEST
+unsigned char seed[20]={
+	0xd5,0x01,0x4e,0x4b,
+	0x60,0xef,0x2b,0xa8,
+	0xb6,0x21,0x1b,0x40,
+	0x62,0xba,0x32,0x24,
+	0xe0,0x42,0x7d,LAST_VALUE};
+#endif
+
+int cb(int p, int n)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	printf("%c",c);
+	fflush(stdout);
+	}
+
+main()
+	{
+	int i;
+	BIGNUM *n;
+	BN_CTX *ctx;
+	unsigned char seed_buf[20];
+	DSA *dsa;
+	int counter,h;
+	BIO *bio_err=NULL;
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	memcpy(seed_buf,seed,20);
+	dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb);
+
+	if (dsa == NULL)
+		DSA_print(bio_err,dsa,0);
+	}
+
diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c
new file mode 100644
index 0000000..309a7cd
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsatest.c
@@ -0,0 +1,232 @@
+/* crypto/dsa/dsatest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#ifdef WINDOWS
+#include "../bio/bss_file.c"
+#endif
+
+#ifdef NO_DSA
+int main(int argc, char *argv[])
+{
+    printf("No DSA support\n");
+    return(0);
+}
+#else
+#include <openssl/dsa.h>
+
+#ifdef WIN16
+#define MS_CALLBACK     _far _loadds
+#else
+#define MS_CALLBACK
+#endif
+
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg);
+
+/* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
+ * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
+static unsigned char seed[20]={
+	0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
+	0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
+	};
+
+static unsigned char out_p[]={
+	0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+	0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+	0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+	0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+	0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+	0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
+	0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
+	0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
+	};
+
+static unsigned char out_q[]={
+	0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
+	0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
+	0xda,0xce,0x91,0x5f,
+	};
+
+static unsigned char out_g[]={
+	0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
+	0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
+	0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
+	0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
+	0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
+	0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
+	0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
+	0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
+	};
+
+static const unsigned char str1[]="12345678901234567890";
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+static BIO *bio_err=NULL;
+
+int main(int argc, char **argv)
+	{
+	DSA *dsa=NULL;
+	int counter,ret=0,i,j;
+	unsigned char buf[256];
+	unsigned long h;
+	unsigned char sig[256];
+	unsigned int siglen;
+
+	ERR_load_crypto_strings();
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+	BIO_printf(bio_err,"test generation of DSA parameters\n");
+
+	dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,bio_err);
+
+	BIO_printf(bio_err,"seed\n");
+	for (i=0; i<20; i+=4)
+		{
+		BIO_printf(bio_err,"%02X%02X%02X%02X ",
+			seed[i],seed[i+1],seed[i+2],seed[i+3]);
+		}
+	BIO_printf(bio_err,"\ncounter=%d h=%d\n",counter,h);
+		
+	if (dsa == NULL) goto end;
+	DSA_print(bio_err,dsa,0);
+	if (counter != 105) 
+		{
+		BIO_printf(bio_err,"counter should be 105\n");
+		goto end;
+		}
+	if (h != 2)
+		{
+		BIO_printf(bio_err,"h should be 2\n");
+		goto end;
+		}
+
+	i=BN_bn2bin(dsa->q,buf);
+	j=sizeof(out_q);
+	if ((i != j) || (memcmp(buf,out_q,i) != 0))
+		{
+		BIO_printf(bio_err,"q value is wrong\n");
+		goto end;
+		}
+
+	i=BN_bn2bin(dsa->p,buf);
+	j=sizeof(out_p);
+	if ((i != j) || (memcmp(buf,out_p,i) != 0))
+		{
+		BIO_printf(bio_err,"p value is wrong\n");
+		goto end;
+		}
+
+	i=BN_bn2bin(dsa->g,buf);
+	j=sizeof(out_g);
+	if ((i != j) || (memcmp(buf,out_g,i) != 0))
+		{
+		BIO_printf(bio_err,"g value is wrong\n");
+		goto end;
+		}
+	DSA_generate_key(dsa);
+	DSA_sign(0, str1, 20, sig, &siglen, dsa);
+	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+		ret=1;
+end:
+	if (!ret)
+		ERR_print_errors(bio_err);
+	if (dsa != NULL) DSA_free(dsa);
+	ERR_remove_state(0);
+	CRYPTO_mem_leaks(bio_err);
+	if (bio_err != NULL)
+		{
+		BIO_free(bio_err);
+		bio_err = NULL;
+		}
+	exit(!ret);
+	return(0);
+	}
+
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
+	{
+	char c='*';
+	static int ok=0,num=0;
+
+	if (p == 0) { c='.'; num++; };
+	if (p == 1) c='+';
+	if (p == 2) { c='*'; ok++; }
+	if (p == 3) c='\n';
+	BIO_write(arg,&c,1);
+	(void)BIO_flush(arg);
+
+	if (!ok && (p == 0) && (num > 1))
+		{
+		BIO_printf((BIO *)arg,"error in dsatest\n");
+		exit(1);
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/dsa/fips186a.txt b/crypto/openssl/crypto/dsa/fips186a.txt
new file mode 100644
index 0000000..3a2e0a0
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/fips186a.txt
@@ -0,0 +1,122 @@
+The origional FIPE 180 used SHA-0 (FIPS 180) for its appendix 5
+examples.  This is an updated version that uses SHA-1 (FIPS 180-1)
+supplied to me by Wei Dai
+--
+		     APPENDIX 5. EXAMPLE OF THE DSA
+
+
+This appendix is for informational purposes only and is not required to meet
+the standard.
+
+Let L = 512 (size of p).  The values in this example are expressed in
+hexadecimal notation.  The p and q given here were generated by the prime
+generation standard described in appendix 2 using the 160-bit SEED:
+
+          d5014e4b 60ef2ba8 b6211b40 62ba3224 e0427dd3
+
+With this SEED, the algorithm found p and q when the counter was at 105.
+
+x was generated by the algorithm described in appendix 3, section 3.1, using
+the SHA to construct G (as in appendix 3, section 3.3) and a 160-bit XSEED:
+
+XSEED =   
+
+	bd029bbe 7f51960b cf9edb2b 61f06f0f eb5a38b6
+
+t =
+	67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0
+
+x = G(t,XSEED) mod q
+
+k was generated by the algorithm described in appendix 3, section 3.2, using
+the SHA to construct G (as in appendix 3, section 3.3) and a 160-bit KSEED:
+
+KSEED =
+
+	687a66d9 0648f993 867e121f 4ddf9ddb 01205584
+
+t =
+	EFCDAB89 98BADCFE 10325476 C3D2E1F0 67452301
+
+k = G(t,KSEED) mod q
+
+Finally:
+
+h = 2
+
+p =
+	8df2a494 492276aa 3d25759b b06869cb eac0d83a fb8d0cf7
+	cbb8324f 0d7882e5 d0762fc5 b7210eaf c2e9adac 32ab7aac
+	49693dfb f83724c2 ec0736ee 31c80291
+
+
+q =
+	c773218c 737ec8ee 993b4f2d ed30f48e dace915f
+
+
+g =
+	626d0278 39ea0a13 413163a5 5b4cb500 299d5522 956cefcb
+	3bff10f3 99ce2c2e 71cb9de5 fa24babf 58e5b795 21925c9c
+	c42e9f6f 464b088c c572af53 e6d78802
+
+
+x =
+	2070b322 3dba372f de1c0ffc 7b2e3b49 8b260614
+
+
+k =
+	358dad57 1462710f 50e254cf 1a376b2b deaadfbf
+
+
+kinv = 
+
+	0d516729 8202e49b 4116ac10 4fc3f415 ae52f917
+
+M = ASCII form of "abc" (See FIPS PUB 180-1, Appendix A)
+
+SHA(M) =  
+
+	a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d
+
+
+y =
+
+	19131871 d75b1612 a819f29d 78d1b0d7 346f7aa7 7bb62a85 
+	9bfd6c56 75da9d21 2d3a36ef 1672ef66 0b8c7c25 5cc0ec74
+	858fba33 f44c0669 9630a76b 030ee333
+
+
+r =
+	8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0
+
+s =
+	41e2345f 1f56df24 58f426d1 55b4ba2d b6dcd8c8
+
+
+w =
+	9df4ece5 826be95f ed406d41 b43edc0b 1c18841b
+
+
+u1 =
+	bf655bd0 46f0b35e c791b004 804afcbb 8ef7d69d
+
+
+u2 =
+	821a9263 12e97ade abcc8d08 2b527897 8a2df4b0
+
+
+gu1 mod p =
+
+	51b1bf86 7888e5f3 af6fb476 9dd016bc fe667a65 aafc2753
+	9063bd3d 2b138b4c e02cc0c0 2ec62bb6 7306c63e 4db95bbf
+	6f96662a 1987a21b e4ec1071 010b6069
+
+
+yu2 mod p =
+
+	8b510071 2957e950 50d6b8fd 376a668e 4b0d633c 1e46e665
+	5c611a72 e2b28483 be52c74d 4b30de61 a668966e dc307a67 
+	c19441f4 22bf3c34 08aeba1f 0a4dbec7
+
+v =
+	8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0
diff --git a/crypto/openssl/crypto/ebcdic.c b/crypto/openssl/crypto/ebcdic.c
new file mode 100644
index 0000000..31397b2
--- /dev/null
+++ b/crypto/openssl/crypto/ebcdic.c
@@ -0,0 +1,217 @@
+/* crypto/ebcdic.c */
+
+#ifdef CHARSET_EBCDIC
+#include "ebcdic.h"
+/*      Initial Port for  Apache-1.3     by <Martin.Kraemer@Mch.SNI.De>
+ *      Adapted for       OpenSSL-0.9.4  by <Martin.Kraemer@Mch.SNI.De>
+ */
+
+#ifdef _OSD_POSIX
+/*
+    "BS2000 OSD" is a POSIX subsystem on a main frame.
+    It is made by Siemens AG, Germany, for their BS2000 mainframe machines.
+    Within the POSIX subsystem, the same character set was chosen as in
+    "native BS2000", namely EBCDIC. (EDF04)
+
+    The name "ASCII" in these routines is misleading: actually, conversion
+    is not between EBCDIC and ASCII, but EBCDIC(EDF04) and ISO-8859.1;
+    that means that (western european) national characters are preserved.
+
+    This table is identical to the one used by rsh/rcp/ftp and other POSIX tools.
+*/
+
+/* Here's the bijective ebcdic-to-ascii table: */
+const unsigned char os_toascii[256] = {
+/*00*/ 0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f,
+       0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /*................*/
+/*10*/ 0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97,
+       0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /*................*/
+/*20*/ 0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b,
+       0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /*................*/
+/*30*/ 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
+       0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /*................*/
+/*40*/ 0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5,
+       0xe7, 0xf1, 0x60, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /* .........`.<(+|*/
+/*50*/ 0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef,
+       0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x9f, /*&.........!$*);.*/
+/*60*/ 0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5,
+       0xc7, 0xd1, 0x5e, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /*-/........^,%_>?*/
+/*70*/ 0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf,
+       0xcc, 0xa8, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /*..........:#@'="*/
+/*80*/ 0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+       0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /*.abcdefghi......*/
+/*90*/ 0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+       0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /*.jklmnopqr......*/
+/*a0*/ 0xb5, 0xaf, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+       0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0xdd, 0xde, 0xae, /*..stuvwxyz......*/
+/*b0*/ 0xa2, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc,
+       0xbd, 0xbe, 0xac, 0x5b, 0x5c, 0x5d, 0xb4, 0xd7, /*...........[\]..*/
+/*c0*/ 0xf9, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+       0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /*.ABCDEFGHI......*/
+/*d0*/ 0xa6, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+       0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xdb, 0xfa, 0xff, /*.JKLMNOPQR......*/
+/*e0*/ 0xd9, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+       0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /*..STUVWXYZ......*/
+/*f0*/ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+       0x38, 0x39, 0xb3, 0x7b, 0xdc, 0x7d, 0xda, 0x7e  /*0123456789.{.}.~*/
+};
+
+
+/* The ascii-to-ebcdic table: */
+const unsigned char os_toebcdic[256] = {
+/*00*/  0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f,
+	0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,  /*................*/
+/*10*/  0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26,
+	0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f,  /*................*/
+/*20*/  0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d,
+	0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61,  /* !"#$%&'()*+,-./ */
+/*30*/  0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f,  /*0123456789:;<=>?*/
+/*40*/  0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6,  /*@ABCDEFGHIJKLMNO*/
+/*50*/  0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6,
+	0xe7, 0xe8, 0xe9, 0xbb, 0xbc, 0xbd, 0x6a, 0x6d,  /*PQRSTUVWXYZ[\]^_*/
+/*60*/  0x4a, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96,  /*`abcdefghijklmno*/
+/*70*/  0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6,
+	0xa7, 0xa8, 0xa9, 0xfb, 0x4f, 0xfd, 0xff, 0x07,  /*pqrstuvwxyz{|}~.*/
+/*80*/  0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14,  /*................*/
+/*90*/  0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17,
+	0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0x5f,  /*................*/
+/*a0*/  0x41, 0xaa, 0xb0, 0xb1, 0x9f, 0xb2, 0xd0, 0xb5,
+	0x79, 0xb4, 0x9a, 0x8a, 0xba, 0xca, 0xaf, 0xa1,  /*................*/
+/*b0*/  0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3,
+	0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab,  /*................*/
+/*c0*/  0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68,
+	0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77,  /*................*/
+/*d0*/  0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf,
+	0x80, 0xe0, 0xfe, 0xdd, 0xfc, 0xad, 0xae, 0x59,  /*................*/
+/*e0*/  0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48,
+	0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57,  /*................*/
+/*f0*/  0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1,
+	0x70, 0xc0, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf   /*................*/
+};
+
+#else  /*_OSD_POSIX*/
+
+/*
+This code does basic character mapping for IBM's TPF and OS/390 operating systems.
+It is a modified version of the BS2000 table.
+
+Bijective EBCDIC (character set IBM-1047) to US-ASCII table:
+This table is bijective - there are no ambigous or duplicate characters.
+*/
+const unsigned char os_toascii[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f:           */
+    0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97, /* 10-1f:           */
+    0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b, /* 20-2f:           */
+    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /* ................ */
+    0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, /* 30-3f:           */
+    0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /* ................ */
+    0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5, /* 40-4f:           */
+    0xe7, 0xf1, 0xa2, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /*  ...........<(+| */
+    0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef, /* 50-5f:           */
+    0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x5e, /* &.........!$*);^ */
+    0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5, /* 60-6f:           */
+    0xc7, 0xd1, 0xa6, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /* -/.........,%_>? */
+    0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf, /* 70-7f:           */
+    0xcc, 0x60, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /* .........`:#@'=" */
+    0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, /* 80-8f:           */
+    0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /* .abcdefghi...... */
+    0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, /* 90-9f:           */
+    0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /* .jklmnopqr...... */
+    0xb5, 0x7e, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, /* a0-af:           */
+    0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0x5b, 0xde, 0xae, /* .~stuvwxyz...[.. */
+    0xac, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc, /* b0-bf:           */
+    0xbd, 0xbe, 0xdd, 0xa8, 0xaf, 0x5d, 0xb4, 0xd7, /* .............].. */
+    0x7b, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* c0-cf:           */
+    0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /* {ABCDEFGHI...... */
+    0x7d, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, /* d0-df:           */
+    0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xf9, 0xfa, 0xff, /* }JKLMNOPQR...... */
+    0x5c, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, /* e0-ef:           */
+    0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /* \.STUVWXYZ...... */
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, /* f0-ff:           */
+    0x38, 0x39, 0xb3, 0xdb, 0xdc, 0xd9, 0xda, 0x9f  /* 0123456789...... */
+};
+
+
+/*
+The US-ASCII to EBCDIC (character set IBM-1047) table:
+This table is bijective (no ambiguous or duplicate characters)
+*/
+const unsigned char os_toebcdic[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f, /* 00-0f:           */
+    0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26, /* 10-1f:           */
+    0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d, /* 20-2f:           */
+    0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61, /*  !"#$%&'()*+,-./ */
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, /* 30-3f:           */
+    0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f, /* 0123456789:;<=>? */
+    0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, /* 40-4f:           */
+    0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, /* @ABCDEFGHIJKLMNO */
+    0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, /* 50-5f:           */
+    0xe7, 0xe8, 0xe9, 0xad, 0xe0, 0xbd, 0x5f, 0x6d, /* PQRSTUVWXYZ[\]^_ */
+    0x79, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 60-6f:           */
+    0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, /* `abcdefghijklmno */
+    0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, /* 70-7f:           */
+    0xa7, 0xa8, 0xa9, 0xc0, 0x4f, 0xd0, 0xa1, 0x07, /* pqrstuvwxyz{|}~. */
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08, /* 80-8f:           */
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14, /* ................ */
+    0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17, /* 90-9f:           */
+    0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0xff, /* ................ */
+    0x41, 0xaa, 0x4a, 0xb1, 0x9f, 0xb2, 0x6a, 0xb5, /* a0-af:           */
+    0xbb, 0xb4, 0x9a, 0x8a, 0xb0, 0xca, 0xaf, 0xbc, /* ................ */
+    0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3, /* b0-bf:           */
+    0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab, /* ................ */
+    0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68, /* c0-cf:           */
+    0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77, /* ................ */
+    0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf, /* d0-df:           */
+    0x80, 0xfd, 0xfe, 0xfb, 0xfc, 0xba, 0xae, 0x59, /* ................ */
+    0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48, /* e0-ef:           */
+    0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57, /* ................ */
+    0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1, /* f0-ff:           */
+    0x70, 0xdd, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf  /* ................ */
+};
+#endif /*_OSD_POSIX*/
+
+/* Translate a memory block from EBCDIC (host charset) to ASCII (net charset)
+ * dest and srce may be identical, or separate memory blocks, but
+ * should not overlap. These functions intentionally have an interface
+ * compatible to memcpy(3).
+ */
+
+void *
+ebcdic2ascii(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toascii[*usrce++];
+    }
+
+    return dest;
+}
+
+void *
+ascii2ebcdic(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toebcdic[*usrce++];
+    }
+
+    return dest;
+}
+
+#else /*CHARSET_EBCDIC*/
+#ifdef PEDANTIC
+static void *dummy=&dummy;
+#endif
+#endif
diff --git a/crypto/openssl/crypto/ebcdic.h b/crypto/openssl/crypto/ebcdic.h
new file mode 100644
index 0000000..6d65afc
--- /dev/null
+++ b/crypto/openssl/crypto/ebcdic.h
@@ -0,0 +1,19 @@
+/* crypto/ebcdic.h */
+
+#ifndef HEADER_EBCDIC_H
+#define HEADER_EBCDIC_H
+
+#include <sys/types.h>
+
+/* Avoid name clashes with other applications */
+#define os_toascii   _openssl_os_toascii
+#define os_toebcdic  _openssl_os_toebcdic
+#define ebcdic2ascii _openssl_ebcdic2ascii
+#define ascii2ebcdic _openssl_ascii2ebcdic
+
+extern const unsigned char os_toascii[256];
+extern const unsigned char os_toebcdic[256];
+void *ebcdic2ascii(void *dest, const void *srce, size_t count);
+void *ascii2ebcdic(void *dest, const void *srce, size_t count);
+
+#endif
diff --git a/crypto/openssl/crypto/err/Makefile.save b/crypto/openssl/crypto/err/Makefile.save
new file mode 100644
index 0000000..e1bee09
--- /dev/null
+++ b/crypto/openssl/crypto/err/Makefile.save
@@ -0,0 +1,111 @@
+#
+# SSLeay/crypto/err/Makefile
+#
+
+DIR=	err
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=err.c err_all.c err_prn.c
+LIBOBJ=err.o err_all.o err_prn.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= err.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err.o: ../../include/openssl/stack.h ../cryptlib.h
+err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+err_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+err_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+err_all.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+err_all.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+err_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+err_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+err_all.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+err_all.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+err_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+err_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+err_all.o: ../../include/openssl/x509v3.h
+err_prn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+err_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err_prn.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl
new file mode 100644
index 0000000..e1bee09
--- /dev/null
+++ b/crypto/openssl/crypto/err/Makefile.ssl
@@ -0,0 +1,111 @@
+#
+# SSLeay/crypto/err/Makefile
+#
+
+DIR=	err
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=err.c err_all.c err_prn.c
+LIBOBJ=err.o err_all.o err_prn.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= err.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err.o: ../../include/openssl/stack.h ../cryptlib.h
+err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+err_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+err_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+err_all.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+err_all.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+err_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+err_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+err_all.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+err_all.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+err_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+err_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+err_all.o: ../../include/openssl/x509v3.h
+err_prn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+err_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err_prn.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
new file mode 100644
index 0000000..eb8c76a
--- /dev/null
+++ b/crypto/openssl/crypto/err/err.c
@@ -0,0 +1,747 @@
+/* crypto/err/err.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+
+static LHASH *error_hash=NULL;
+static LHASH *thread_hash=NULL;
+
+static unsigned long err_hash(ERR_STRING_DATA *a);
+static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b);
+static unsigned long pid_hash(ERR_STATE *pid);
+static int pid_cmp(ERR_STATE *a,ERR_STATE *pid);
+static unsigned long get_error_values(int inc,const char **file,int *line,
+				      const char **data,int *flags);
+static void ERR_STATE_free(ERR_STATE *s);
+#ifndef NO_ERR
+static ERR_STRING_DATA ERR_str_libraries[]=
+	{
+{ERR_PACK(ERR_LIB_NONE,0,0)		,"unknown library"},
+{ERR_PACK(ERR_LIB_SYS,0,0)		,"system library"},
+{ERR_PACK(ERR_LIB_BN,0,0)		,"bignum routines"},
+{ERR_PACK(ERR_LIB_RSA,0,0)		,"rsa routines"},
+{ERR_PACK(ERR_LIB_DH,0,0)		,"Diffie-Hellman routines"},
+{ERR_PACK(ERR_LIB_EVP,0,0)		,"digital envelope routines"},
+{ERR_PACK(ERR_LIB_BUF,0,0)		,"memory buffer routines"},
+{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
+{ERR_PACK(ERR_LIB_OBJ,0,0)		,"object identifier routines"},
+{ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
+{ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
+{ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
+{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
+{ERR_PACK(ERR_LIB_METH,0,0)		,"X509 lookup 'method' routines"},
+{ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
+{ERR_PACK(ERR_LIB_RSAREF,0,0)		,"RSAref routines"},
+{ERR_PACK(ERR_LIB_PROXY,0,0)		,"Proxy routines"},
+{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
+{ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
+{ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
+{ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
+{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
+{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_functs[]=
+	{
+	{ERR_PACK(0,SYS_F_FOPEN,0),     	"fopen"},
+	{ERR_PACK(0,SYS_F_CONNECT,0),		"connect"},
+	{ERR_PACK(0,SYS_F_GETSERVBYNAME,0),	"getservbyname"},
+	{ERR_PACK(0,SYS_F_SOCKET,0),		"socket"}, 
+	{ERR_PACK(0,SYS_F_IOCTLSOCKET,0),	"ioctlsocket"},
+	{ERR_PACK(0,SYS_F_BIND,0),		"bind"},
+	{ERR_PACK(0,SYS_F_LISTEN,0),		"listen"},
+	{ERR_PACK(0,SYS_F_ACCEPT,0),		"accept"},
+#ifdef WINDOWS
+	{ERR_PACK(0,SYS_F_WSASTARTUP,0),	"WSAstartup"},
+#endif
+	{ERR_PACK(0,SYS_F_OPENDIR,0),		"opendir"},
+	{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_reasons[]=
+	{
+{ERR_R_FATAL                             ,"fatal"},
+{ERR_R_SYS_LIB				,"system lib"},
+{ERR_R_BN_LIB				,"BN lib"},
+{ERR_R_RSA_LIB				,"RSA lib"},
+{ERR_R_DH_LIB				,"DH lib"},
+{ERR_R_EVP_LIB				,"EVP lib"},
+{ERR_R_BUF_LIB				,"BUF lib"},
+{ERR_R_BIO_LIB				,"BIO lib"},
+{ERR_R_OBJ_LIB				,"OBJ lib"},
+{ERR_R_PEM_LIB				,"PEM lib"},
+{ERR_R_X509_LIB				,"X509 lib"},
+{ERR_R_METH_LIB				,"METH lib"},
+{ERR_R_ASN1_LIB				,"ASN1 lib"},
+{ERR_R_CONF_LIB				,"CONF lib"},
+{ERR_R_SSL_LIB				,"SSL lib"},
+{ERR_R_PROXY_LIB			,"PROXY lib"},
+{ERR_R_BIO_LIB				,"BIO lib"},
+{ERR_R_PKCS7_LIB			,"PKCS7 lib"},
+{ERR_R_PKCS12_LIB			,"PKCS12 lib"},
+{ERR_R_MALLOC_FAILURE			,"Malloc failure"},
+{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
+{ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
+{ERR_R_NESTED_ASN1_ERROR		,"nested asn1 error"},
+{ERR_R_BAD_ASN1_OBJECT_HEADER		,"bad asn1 object header"},
+{ERR_R_BAD_GET_ASN1_OBJECT_CALL		,"bad get asn1 object call"},
+{ERR_R_EXPECTING_AN_ASN1_SEQUENCE	,"expecting an asn1 sequence"},
+{ERR_R_ASN1_LENGTH_MISMATCH		,"asn1 length mismatch"},
+{ERR_R_MISSING_ASN1_EOS			,"missing asn1 eos"},
+
+{0,NULL},
+	};
+
+
+#define NUM_SYS_STR_REASONS 127
+#define LEN_SYS_STR_REASON 32
+
+static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
+/* SYS_str_reasons is filled with copies of strerror() results at
+ * initialization.
+ * 'errno' values up to 127 should cover all usual errors,
+ * others will be displayed numerically by ERR_error_string.
+ * It is crucial that we have something for each reason code
+ * that occurs in ERR_str_reasons, or bogus reason strings
+ * will be returned for SYSerr(), which always gets an errno
+ * value and never one of those 'standard' reason codes. */
+
+static void build_SYS_str_reasons()
+	{
+	/* Malloc cannot be used here, use static storage instead */
+	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+	int i;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
+
+	for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
+		{
+		ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
+
+		str->error = (unsigned long)i;
+		if (str->string == NULL)
+			{
+			char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
+			char *src = strerror(i);
+			if (src != NULL)
+				{
+				strncpy(*dest, src, sizeof *dest);
+				(*dest)[sizeof *dest - 1] = '\0';
+				str->string = *dest;
+				}
+			}
+		if (str->string == NULL)
+			str->string = "unknown";
+		}
+
+	/* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
+	 * as required by ERR_load_strings. */
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
+	}
+#endif
+
+#define err_clear_data(p,i) \
+	if (((p)->err_data[i] != NULL) && \
+		(p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
+		{  \
+		Free((p)->err_data[i]); \
+		(p)->err_data[i]=NULL; \
+		} \
+	(p)->err_data_flags[i]=0;
+
+static void ERR_STATE_free(ERR_STATE *s)
+	{
+	int i;
+
+	if(s == NULL)
+	    return;
+
+	for (i=0; i<ERR_NUM_ERRORS; i++)
+		{
+		err_clear_data(s,i);
+		}
+	Free(s);
+	}
+
+void ERR_load_ERR_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+		if (init == 0)
+			{
+			CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+			return;
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+#ifndef NO_ERR
+		ERR_load_strings(0,ERR_str_libraries);
+		ERR_load_strings(0,ERR_str_reasons);
+		ERR_load_strings(ERR_LIB_SYS,ERR_str_functs);
+		build_SYS_str_reasons();
+		ERR_load_strings(ERR_LIB_SYS,SYS_str_reasons);
+#endif
+		init=0;
+		}
+	}
+
+void ERR_load_strings(int lib, ERR_STRING_DATA *str)
+	{
+	if (error_hash == NULL)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
+		error_hash=lh_new(err_hash,err_cmp);
+		if (error_hash == NULL)
+			{
+			CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
+			return;
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
+
+		ERR_load_ERR_strings();
+		}
+
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
+	while (str->error)
+		{
+		str->error|=ERR_PACK(lib,0,0);
+		lh_insert(error_hash,str);
+		str++;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
+	}
+
+void ERR_free_strings(void)
+	{
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+
+	if (error_hash != NULL)
+		{
+		lh_free(error_hash);
+		error_hash=NULL;
+		}
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+	}
+
+/********************************************************/
+
+void ERR_put_error(int lib, int func, int reason, const char *file,
+	     int line)
+	{
+	ERR_STATE *es;
+
+#ifdef _OSD_POSIX
+	/* In the BS2000-OSD POSIX subsystem, the compiler generates
+	 * path names in the form "*POSIX(/etc/passwd)".
+	 * This dirty hack strips them to something sensible.
+	 * @@@ We shouldn't modify a const string, though.
+	 */
+	if (strncmp(file,"*POSIX(", sizeof("*POSIX(")-1) == 0) {
+		char *end;
+
+		/* Skip the "*POSIX(" prefix */
+		file += sizeof("*POSIX(")-1;
+		end = &file[strlen(file)-1];
+		if (*end == ')')
+			*end = '\0';
+		/* Optional: use the basename of the path only. */
+		if ((end = strrchr(file, '/')) != NULL)
+			file = &end[1];
+	}
+#endif
+	es=ERR_get_state();
+
+	es->top=(es->top+1)%ERR_NUM_ERRORS;
+	if (es->top == es->bottom)
+		es->bottom=(es->bottom+1)%ERR_NUM_ERRORS;
+	es->err_buffer[es->top]=ERR_PACK(lib,func,reason);
+	es->err_file[es->top]=file;
+	es->err_line[es->top]=line;
+	err_clear_data(es,es->top);
+	}
+
+void ERR_clear_error(void)
+	{
+	ERR_STATE *es;
+
+	es=ERR_get_state();
+
+#if 0
+	/* hmm... is this needed */
+	for (i=0; i<ERR_NUM_ERRORS; i++)
+		{
+		es->err_buffer[i]=0;
+		es->err_file[i]=NULL;
+		es->err_line[i]= -1;
+		err_clear_data(es,i);
+		}
+#endif
+	es->top=es->bottom=0;
+	}
+
+
+unsigned long ERR_get_error(void)
+	{ return(get_error_values(1,NULL,NULL,NULL,NULL)); }
+
+unsigned long ERR_get_error_line(const char **file,
+	     int *line)
+	{ return(get_error_values(1,file,line,NULL,NULL)); }
+
+unsigned long ERR_get_error_line_data(const char **file, int *line,
+	     const char **data, int *flags)
+	{ return(get_error_values(1,file,line,
+	     data,flags)); }
+
+unsigned long ERR_peek_error(void)
+	{ return(get_error_values(0,NULL,NULL,NULL,NULL)); }
+
+unsigned long ERR_peek_error_line(const char **file,
+	     int *line)
+	{ return(get_error_values(0,file,line,NULL,NULL)); }
+
+unsigned long ERR_peek_error_line_data(const char **file, int *line,
+	     const char **data, int *flags)
+	{ return(get_error_values(0,file,line,
+	     data,flags)); }
+
+static unsigned long get_error_values(int inc, const char **file, int *line,
+	     const char **data, int *flags)
+	{	
+	int i=0;
+	ERR_STATE *es;
+	unsigned long ret;
+
+	es=ERR_get_state();
+
+	if (es->bottom == es->top) return(0);
+	i=(es->bottom+1)%ERR_NUM_ERRORS;
+
+	ret=es->err_buffer[i];
+	if (inc)
+		{
+		es->bottom=i;
+		es->err_buffer[i]=0;
+		}
+
+	if ((file != NULL) && (line != NULL))
+		{
+		if (es->err_file[i] == NULL)
+			{
+			*file="NA";
+			if (line != NULL) *line=0;
+			}
+		else
+			{
+			*file=es->err_file[i];
+			if (line != NULL) *line=es->err_line[i];
+			}
+		}
+
+	if (data != NULL)
+		{
+		if (es->err_data[i] == NULL)
+			{
+			*data="";
+			if (flags != NULL) *flags=0;
+			}
+		else
+			{
+			*data=es->err_data[i];
+			if (flags != NULL) *flags=es->err_data_flags[i];
+			}
+		}
+	return(ret);
+	}
+
+/* BAD for multi-threaded, uses a local buffer if ret == NULL */
+char *ERR_error_string(unsigned long e, char *ret)
+	{
+	static char buf[256];
+	const char *ls,*fs,*rs;
+	unsigned long l,f,r;
+	int i;
+
+	l=ERR_GET_LIB(e);
+	f=ERR_GET_FUNC(e);
+	r=ERR_GET_REASON(e);
+
+	ls=ERR_lib_error_string(e);
+	fs=ERR_func_error_string(e);
+	rs=ERR_reason_error_string(e);
+
+	if (ret == NULL) ret=buf;
+
+	sprintf(&(ret[0]),"error:%08lX:",e);
+	i=strlen(ret);
+	if (ls == NULL)
+		sprintf(&(ret[i]),":lib(%lu) ",l);
+	else	sprintf(&(ret[i]),"%s",ls);
+	i=strlen(ret);
+	if (fs == NULL)
+		sprintf(&(ret[i]),":func(%lu) ",f);
+	else	sprintf(&(ret[i]),":%s",fs);
+	i=strlen(ret);
+	if (rs == NULL)
+		sprintf(&(ret[i]),":reason(%lu)",r);
+	else	sprintf(&(ret[i]),":%s",rs);
+
+	return(ret);
+	}
+
+LHASH *ERR_get_string_table(void)
+	{
+	return(error_hash);
+	}
+
+LHASH *ERR_get_err_state_table(void)
+	{
+	return(thread_hash);
+	}
+
+const char *ERR_lib_error_string(unsigned long e)
+	{
+	ERR_STRING_DATA d,*p=NULL;
+	unsigned long l;
+
+	l=ERR_GET_LIB(e);
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH);
+
+	if (error_hash != NULL)
+		{
+		d.error=ERR_PACK(l,0,0);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
+		}
+
+	CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH);
+
+	return((p == NULL)?NULL:p->string);
+	}
+
+const char *ERR_func_error_string(unsigned long e)
+	{
+	ERR_STRING_DATA d,*p=NULL;
+	unsigned long l,f;
+
+	l=ERR_GET_LIB(e);
+	f=ERR_GET_FUNC(e);
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH);
+
+	if (error_hash != NULL)
+		{
+		d.error=ERR_PACK(l,f,0);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
+		}
+
+	CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH);
+
+	return((p == NULL)?NULL:p->string);
+	}
+
+const char *ERR_reason_error_string(unsigned long e)
+	{
+	ERR_STRING_DATA d,*p=NULL;
+	unsigned long l,r;
+
+	l=ERR_GET_LIB(e);
+	r=ERR_GET_REASON(e);
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH);
+
+	if (error_hash != NULL)
+		{
+		d.error=ERR_PACK(l,0,r);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
+		if (p == NULL)
+			{
+			d.error=ERR_PACK(0,0,r);
+			p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
+			}
+		}
+
+	CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH);
+
+	return((p == NULL)?NULL:p->string);
+	}
+
+static unsigned long err_hash(ERR_STRING_DATA *a)
+	{
+	unsigned long ret,l;
+
+	l=a->error;
+	ret=l^ERR_GET_LIB(l)^ERR_GET_FUNC(l);
+	return(ret^ret%19*13);
+	}
+
+static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b)
+	{
+	return((int)(a->error-b->error));
+	}
+
+static unsigned long pid_hash(ERR_STATE *a)
+	{
+	return(a->pid*13);
+	}
+
+static int pid_cmp(ERR_STATE *a, ERR_STATE *b)
+	{
+	return((int)((long)a->pid - (long)b->pid));
+	}
+
+void ERR_remove_state(unsigned long pid)
+	{
+	ERR_STATE *p,tmp;
+
+	if (thread_hash == NULL)
+		return;
+	if (pid == 0)
+		pid=(unsigned long)CRYPTO_thread_id();
+	tmp.pid=pid;
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+	p=(ERR_STATE *)lh_delete(thread_hash,&tmp);
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+	if (p != NULL) ERR_STATE_free(p);
+	}
+
+ERR_STATE *ERR_get_state(void)
+	{
+	static ERR_STATE fallback;
+	ERR_STATE *ret=NULL,tmp,*tmpp;
+	int i;
+	unsigned long pid;
+
+	pid=(unsigned long)CRYPTO_thread_id();
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+	if (thread_hash == NULL)
+		{
+		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+		CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+		if (thread_hash == NULL)
+			{
+			MemCheck_off();
+			thread_hash=lh_new(pid_hash,pid_cmp);
+			MemCheck_on();
+			CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+			if (thread_hash == NULL) return(&fallback);
+			}
+		else
+			CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+		}
+	else
+		{
+		tmp.pid=pid;
+		ret=(ERR_STATE *)lh_retrieve(thread_hash,&tmp);
+		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+		}
+
+	/* ret == the error state, if NULL, make a new one */
+	if (ret == NULL)
+		{
+		ret=(ERR_STATE *)Malloc(sizeof(ERR_STATE));
+		if (ret == NULL) return(&fallback);
+		ret->pid=pid;
+		ret->top=0;
+		ret->bottom=0;
+		for (i=0; i<ERR_NUM_ERRORS; i++)
+			{
+			ret->err_data[i]=NULL;
+			ret->err_data_flags[i]=0;
+			}
+		CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+		tmpp=(ERR_STATE *)lh_insert(thread_hash,ret);
+		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+		if (tmpp != NULL) /* old entry - should not happen */
+			{
+			ERR_STATE_free(tmpp);
+			}
+		}
+	return(ret);
+	}
+
+int ERR_get_next_error_library(void)
+	{
+	static int value=ERR_LIB_USER;
+
+	return(value++);
+	}
+
+void ERR_set_error_data(char *data, int flags)
+	{
+	ERR_STATE *es;
+	int i;
+
+	es=ERR_get_state();
+
+	i=es->top;
+	if (i == 0)
+		i=ERR_NUM_ERRORS-1;
+
+	es->err_data[i]=data;
+	es->err_data_flags[es->top]=flags;
+	}
+
+void ERR_add_error_data(int num, ...)
+	{
+	va_list args;
+	int i,n,s;
+	char *str,*p,*a;
+
+	s=64;
+	str=Malloc(s+1);
+	if (str == NULL) return;
+	str[0]='\0';
+
+	va_start(args, num);
+	n=0;
+	for (i=0; i<num; i++)
+		{
+		a=va_arg(args, char*);
+		/* ignore NULLs, thanks to Bob Beck <beck@obtuse.com> */
+		if (a != NULL)
+			{
+			n+=strlen(a);
+			if (n > s)
+				{
+				s=n+20;
+				p=Realloc(str,s+1);
+				if (p == NULL)
+					{
+					Free(str);
+					return;
+					}
+				else
+					str=p;
+				}
+			strcat(str,a);
+			}
+		}
+	ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
+
+	va_end(args);
+	}
+
diff --git a/crypto/openssl/crypto/err/err.h b/crypto/openssl/crypto/err/err.h
new file mode 100644
index 0000000..15bafbf
--- /dev/null
+++ b/crypto/openssl/crypto/err/err.h
@@ -0,0 +1,265 @@
+/* crypto/err/err.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_ERR_H
+#define HEADER_ERR_H
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#ifndef NO_FP_API
+#include <stdio.h>
+#endif
+
+/* The following is a bit of a trick to help the object files only contain
+ * the 'name of the file' string once.  Since 'err.h' is protected by the
+ * HEADER_ERR_H stuff, this should be included only once per file. */
+
+#define ERR_file_name	__FILE__
+
+#ifndef NO_ERR
+#define ERR_PUT_error(a,b,c,d,e)	ERR_put_error(a,b,c,d,e)
+#else
+#define ERR_PUT_error(a,b,c,d,e)	ERR_put_error(a,b,c,NULL,0)
+#endif
+
+#include <errno.h>
+
+#define ERR_TXT_MALLOCED	0x01
+#define ERR_TXT_STRING		0x02
+
+#define ERR_NUM_ERRORS	16
+typedef struct err_state_st
+	{
+	unsigned long pid;
+	unsigned long err_buffer[ERR_NUM_ERRORS];
+	char *err_data[ERR_NUM_ERRORS];
+	int err_data_flags[ERR_NUM_ERRORS];
+	const char *err_file[ERR_NUM_ERRORS];
+	int err_line[ERR_NUM_ERRORS];
+	int top,bottom;
+	} ERR_STATE;
+
+/* library */
+#define ERR_LIB_NONE		1
+#define ERR_LIB_SYS		2
+#define ERR_LIB_BN		3
+#define ERR_LIB_RSA		4
+#define ERR_LIB_DH		5
+#define ERR_LIB_EVP		6
+#define ERR_LIB_BUF		7
+#define ERR_LIB_OBJ		8
+#define ERR_LIB_PEM		9
+#define ERR_LIB_DSA		10
+#define ERR_LIB_X509		11
+#define ERR_LIB_METH		12
+#define ERR_LIB_ASN1		13
+#define ERR_LIB_CONF		14
+#define ERR_LIB_CRYPTO		15
+#define ERR_LIB_SSL		20
+#define ERR_LIB_SSL23		21
+#define ERR_LIB_SSL2		22
+#define ERR_LIB_SSL3		23
+#define ERR_LIB_RSAREF		30
+#define ERR_LIB_PROXY		31
+#define ERR_LIB_BIO		32
+#define ERR_LIB_PKCS7		33
+#define ERR_LIB_X509V3		34
+#define ERR_LIB_PKCS12		35
+#define ERR_LIB_RAND		36
+
+#define ERR_LIB_USER		128
+
+#define SYSerr(f,r)  ERR_PUT_error(ERR_LIB_SYS,(f),(r),ERR_file_name,__LINE__)
+#define BNerr(f,r)   ERR_PUT_error(ERR_LIB_BN,(f),(r),ERR_file_name,__LINE__)
+#define RSAerr(f,r)  ERR_PUT_error(ERR_LIB_RSA,(f),(r),ERR_file_name,__LINE__)
+#define DHerr(f,r)   ERR_PUT_error(ERR_LIB_DH,(f),(r),ERR_file_name,__LINE__)
+#define EVPerr(f,r)  ERR_PUT_error(ERR_LIB_EVP,(f),(r),ERR_file_name,__LINE__)
+#define BUFerr(f,r)  ERR_PUT_error(ERR_LIB_BUF,(f),(r),ERR_file_name,__LINE__)
+#define BIOerr(f,r)  ERR_PUT_error(ERR_LIB_BIO,(f),(r),ERR_file_name,__LINE__)
+#define OBJerr(f,r)  ERR_PUT_error(ERR_LIB_OBJ,(f),(r),ERR_file_name,__LINE__)
+#define PEMerr(f,r)  ERR_PUT_error(ERR_LIB_PEM,(f),(r),ERR_file_name,__LINE__)
+#define DSAerr(f,r)  ERR_PUT_error(ERR_LIB_DSA,(f),(r),ERR_file_name,__LINE__)
+#define X509err(f,r) ERR_PUT_error(ERR_LIB_X509,(f),(r),ERR_file_name,__LINE__)
+#define METHerr(f,r) ERR_PUT_error(ERR_LIB_METH,(f),(r),ERR_file_name,__LINE__)
+#define ASN1err(f,r) ERR_PUT_error(ERR_LIB_ASN1,(f),(r),ERR_file_name,__LINE__)
+#define CONFerr(f,r) ERR_PUT_error(ERR_LIB_CONF,(f),(r),ERR_file_name,__LINE__)
+#define CRYPTOerr(f,r) ERR_PUT_error(ERR_LIB_CRYPTO,(f),(r),ERR_file_name,__LINE__)
+#define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),ERR_file_name,__LINE__)
+#define SSL23err(f,r) ERR_PUT_error(ERR_LIB_SSL23,(f),(r),ERR_file_name,__LINE__)
+#define SSL2err(f,r) ERR_PUT_error(ERR_LIB_SSL2,(f),(r),ERR_file_name,__LINE__)
+#define SSL3err(f,r) ERR_PUT_error(ERR_LIB_SSL3,(f),(r),ERR_file_name,__LINE__)
+#define RSAREFerr(f,r) ERR_PUT_error(ERR_LIB_RSAREF,(f),(r),ERR_file_name,__LINE__)
+#define PROXYerr(f,r) ERR_PUT_error(ERR_LIB_PROXY,(f),(r),ERR_file_name,__LINE__)
+#define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),ERR_file_name,__LINE__)
+#define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),ERR_file_name,__LINE__)
+#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),ERR_file_name,__LINE__)
+#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),ERR_file_name,__LINE__)
+
+/* Borland C seems too stupid to be able to shift and do longs in
+ * the pre-processor :-( */
+#define ERR_PACK(l,f,r)		(((((unsigned long)l)&0xffL)*0x1000000)| \
+				((((unsigned long)f)&0xfffL)*0x1000)| \
+				((((unsigned long)r)&0xfffL)))
+#define ERR_GET_LIB(l)		(int)((((unsigned long)l)>>24L)&0xffL)
+#define ERR_GET_FUNC(l)		(int)((((unsigned long)l)>>12L)&0xfffL)
+#define ERR_GET_REASON(l)	(int)((l)&0xfffL)
+#define ERR_FATAL_ERROR(l)	(int)((l)&ERR_R_FATAL)
+
+/* OS functions */
+#define SYS_F_FOPEN		1
+#define SYS_F_CONNECT		2
+#define SYS_F_GETSERVBYNAME	3
+#define SYS_F_SOCKET		4
+#define SYS_F_IOCTLSOCKET	5
+#define SYS_F_BIND		6
+#define SYS_F_LISTEN		7
+#define SYS_F_ACCEPT		8
+#define SYS_F_WSASTARTUP	9 /* Winsock stuff */
+#define SYS_F_OPENDIR		10
+
+#define ERR_R_FATAL		32	
+/* reasons */
+#define ERR_R_SYS_LIB	ERR_LIB_SYS
+#define ERR_R_BN_LIB	ERR_LIB_BN
+#define ERR_R_RSA_LIB	ERR_LIB_RSA
+#define ERR_R_DSA_LIB	ERR_LIB_DSA
+#define ERR_R_DH_LIB	ERR_LIB_DH
+#define ERR_R_EVP_LIB	ERR_LIB_EVP
+#define ERR_R_BUF_LIB	ERR_LIB_BUF
+#define ERR_R_BIO_LIB	ERR_LIB_BIO
+#define ERR_R_OBJ_LIB	ERR_LIB_OBJ
+#define ERR_R_PEM_LIB	ERR_LIB_PEM
+#define ERR_R_X509_LIB	ERR_LIB_X509
+#define ERR_R_METH_LIB	ERR_LIB_METH
+#define ERR_R_ASN1_LIB	ERR_LIB_ASN1
+#define ERR_R_CONF_LIB	ERR_LIB_CONF
+#define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO
+#define ERR_R_SSL_LIB	ERR_LIB_SSL
+#define ERR_R_SSL23_LIB	ERR_LIB_SSL23
+#define ERR_R_SSL2_LIB	ERR_LIB_SSL2
+#define ERR_R_SSL3_LIB	ERR_LIB_SSL3
+#define ERR_R_PROXY_LIB	ERR_LIB_PROXY
+#define ERR_R_BIO_LIB	ERR_LIB_BIO
+#define ERR_R_PKCS7_LIB	ERR_LIB_PKCS7
+#define ERR_R_PKCS12_LIB ERR_LIB_PKCS12
+
+/* fatal error */
+#define	ERR_R_MALLOC_FAILURE			(1|ERR_R_FATAL)
+#define	ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	(2|ERR_R_FATAL)
+#define	ERR_R_PASSED_NULL_PARAMETER		(3|ERR_R_FATAL)
+#define ERR_R_NESTED_ASN1_ERROR			(4)
+#define ERR_R_BAD_ASN1_OBJECT_HEADER		(5)
+#define ERR_R_BAD_GET_ASN1_OBJECT_CALL		(6)
+#define ERR_R_EXPECTING_AN_ASN1_SEQUENCE	(7)
+#define ERR_R_ASN1_LENGTH_MISMATCH		(8)
+#define ERR_R_MISSING_ASN1_EOS			(9)
+
+typedef struct ERR_string_data_st
+	{
+	unsigned long error;
+	const char *string;
+	} ERR_STRING_DATA;
+
+void ERR_put_error(int lib, int func,int reason,const char *file,int line);
+void ERR_set_error_data(char *data,int flags);
+
+unsigned long ERR_get_error(void );
+unsigned long ERR_get_error_line(const char **file,int *line);
+unsigned long ERR_get_error_line_data(const char **file,int *line,
+				      const char **data, int *flags);
+unsigned long ERR_peek_error(void );
+unsigned long ERR_peek_error_line(const char **file,int *line);
+unsigned long ERR_peek_error_line_data(const char **file,int *line,
+				       const char **data,int *flags);
+void ERR_clear_error(void );
+char *ERR_error_string(unsigned long e,char *buf);
+const char *ERR_lib_error_string(unsigned long e);
+const char *ERR_func_error_string(unsigned long e);
+const char *ERR_reason_error_string(unsigned long e);
+#ifndef NO_FP_API
+void ERR_print_errors_fp(FILE *fp);
+#endif
+#ifdef HEADER_BIO_H
+void ERR_print_errors(BIO *bp);
+void ERR_add_error_data(int num, ...);
+#endif
+void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
+void ERR_load_ERR_strings(void);
+void ERR_load_crypto_strings(void);
+void ERR_free_strings(void);
+
+void ERR_remove_state(unsigned long pid); /* if zero we look it up */
+ERR_STATE *ERR_get_state(void);
+
+#ifdef HEADER_LHASH_H
+LHASH *ERR_get_string_table(void );
+LHASH *ERR_get_err_state_table(void );
+#else
+char *ERR_get_string_table(void );
+char *ERR_get_err_state_table(void );
+#endif
+
+int ERR_get_next_error_library(void );
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c
new file mode 100644
index 0000000..18a2cb3
--- /dev/null
+++ b/crypto/openssl/crypto/err/err_all.c
@@ -0,0 +1,116 @@
+/* crypto/err/err_all.c */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/bn.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef NO_DH
+#include <openssl/dh.h>
+#endif
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/pem2.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/conf.h>
+#include <openssl/pkcs12.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+
+void ERR_load_crypto_strings(void)
+	{
+	static int done=0;
+
+	if (done) return;
+	done=1;
+#ifndef NO_ERR
+	ERR_load_ASN1_strings();
+	ERR_load_BN_strings();
+	ERR_load_BUF_strings();
+	ERR_load_BIO_strings();
+	ERR_load_CONF_strings();
+#ifndef NO_RSA
+	ERR_load_RSA_strings();
+#endif
+#ifndef NO_DH
+	ERR_load_DH_strings();
+#endif
+#ifndef NO_DSA
+	ERR_load_DSA_strings();
+#endif
+	ERR_load_ERR_strings();
+	ERR_load_EVP_strings();
+	ERR_load_OBJ_strings();
+	ERR_load_PEM_strings();
+	ERR_load_X509_strings();
+	ERR_load_X509V3_strings();
+	ERR_load_CRYPTO_strings();
+	ERR_load_PKCS7_strings();
+	ERR_load_PKCS12_strings();
+	ERR_load_RAND_strings();
+#endif
+	}
diff --git a/crypto/openssl/crypto/err/err_prn.c b/crypto/openssl/crypto/err/err_prn.c
new file mode 100644
index 0000000..0999ff2
--- /dev/null
+++ b/crypto/openssl/crypto/err/err_prn.c
@@ -0,0 +1,105 @@
+/* crypto/err/err_prn.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+#ifndef NO_FP_API
+void ERR_print_errors_fp(FILE *fp)
+	{
+	unsigned long l;
+	char buf[200];
+	const char *file,*data;
+	int line,flags;
+	unsigned long es;
+
+	es=CRYPTO_thread_id();
+	while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
+		{
+		fprintf(fp,"%lu:%s:%s:%d:%s\n",es,ERR_error_string(l,buf),
+			file,line,(flags&ERR_TXT_STRING)?data:"");
+		}
+	}
+#endif
+
+void ERR_print_errors(BIO *bp)
+	{
+	unsigned long l;
+	char buf[256];
+	char buf2[256];
+	const char *file,*data;
+	int line,flags;
+	unsigned long es;
+
+	es=CRYPTO_thread_id();
+	while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
+		{
+		sprintf(buf2,"%lu:%s:%s:%d:",es,ERR_error_string(l,buf),
+			file,line);
+		BIO_write(bp,buf2,strlen(buf2));
+		if (flags & ERR_TXT_STRING)
+			BIO_write(bp,data,strlen(data));
+		BIO_write(bp,"\n",1);
+		}
+	}
+
diff --git a/crypto/openssl/crypto/err/openssl.ec b/crypto/openssl/crypto/err/openssl.ec
new file mode 100644
index 0000000..e132ba3
--- /dev/null
+++ b/crypto/openssl/crypto/err/openssl.ec
@@ -0,0 +1,72 @@
+L ERR		NONE				NONE
+L CRYPTO	crypto/crypto.h			crypto/cpt_err.c
+L BN		crypto/bn/bn.h			crypto/bn/bn_err.c
+L RSA		crypto/rsa/rsa.h		crypto/rsa/rsa_err.c
+L DSA		crypto/dsa/dsa.h		crypto/dsa/dsa_err.c
+L DH		crypto/dh/dh.h			crypto/dh/dh_err.c
+L EVP		crypto/evp/evp.h		crypto/evp/evp_err.c
+L BUF		crypto/buffer/buffer.h		crypto/buffer/buf_err.c
+L BIO		crypto/bio/bio.h		crypto/bio/bio_err.c
+L OBJ		crypto/objects/objects.h	crypto/objects/obj_err.c
+L PEM		crypto/pem/pem.h		crypto/pem/pem_err.c
+L X509		crypto/x509/x509.h		crypto/x509/x509_err.c
+L NONE		crypto/x509/x509_vfy.h		NONE
+L X509V3	crypto/x509v3/x509v3.h		crypto/x509v3/v3err.c
+#L METH		crypto/meth/meth.h		crypto/meth/meth_err.c
+L ASN1		crypto/asn1/asn1.h		crypto/asn1/asn1_err.c
+L CONF		crypto/conf/conf.h		crypto/conf/conf_err.c
+#L PROXY		crypto/proxy/proxy.h		crypto/proxy/proxy_err.c
+L PKCS7		crypto/pkcs7/pkcs7.h		crypto/pkcs7/pkcs7err.c
+L PKCS12	crypto/pkcs12/pkcs12.h		crypto/pkcs12/pk12err.c
+L RSAREF	rsaref/rsaref.h			rsaref/rsar_err.c
+L SSL		ssl/ssl.h			ssl/ssl_err.c
+L COMP		crypto/comp/comp.h		crypto/comp/comp_err.c
+L RAND		crypto/rand/rand.h		crypto/rand/rand_err.c
+
+
+F RSAREF_F_RSA_BN2BIN
+F RSAREF_F_RSA_PRIVATE_DECRYPT
+F RSAREF_F_RSA_PRIVATE_ENCRYPT
+F RSAREF_F_RSA_PUBLIC_DECRYPT
+F RSAREF_F_RSA_PUBLIC_ENCRYPT
+#F SSL_F_CLIENT_CERTIFICATE
+
+R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		1010
+R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		1020
+R SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		1021
+R SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		1022
+R SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE	1030
+R SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		1040
+R SSL_R_SSLV3_ALERT_NO_CERTIFICATE		1041
+R SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		1042
+R SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	1043
+R SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED		1044
+R SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED		1045
+R SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN		1046
+R SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		1047
+R SSL_R_TLSV1_ALERT_UNKNOWN_CA			1048
+R SSL_R_TLSV1_ALERT_ACCESS_DENIED		1049
+R SSL_R_TLSV1_ALERT_DECODE_ERROR		1050
+R SSL_R_TLSV1_ALERT_DECRYPT_ERROR		1051
+R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		1060
+R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		1070
+R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY	1071
+R SSL_R_TLSV1_ALERT_INTERNAL_ERROR		1080
+R SSL_R_TLSV1_ALERT_USER_CANCELLED		1090
+R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		1100
+
+R RSAREF_R_CONTENT_ENCODING			0x0400
+R RSAREF_R_DATA					0x0401
+R RSAREF_R_DIGEST_ALGORITHM			0x0402
+R RSAREF_R_ENCODING				0x0403
+R RSAREF_R_KEY					0x0404
+R RSAREF_R_KEY_ENCODING				0x0405
+R RSAREF_R_LEN					0x0406
+R RSAREF_R_MODULUS_LEN				0x0407
+R RSAREF_R_NEED_RANDOM				0x0408
+R RSAREF_R_PRIVATE_KEY				0x0409
+R RSAREF_R_PUBLIC_KEY				0x040a
+R RSAREF_R_SIGNATURE				0x040b
+R RSAREF_R_SIGNATURE_ENCODING			0x040c
+R RSAREF_R_ENCRYPTION_ALGORITHM			0x040d
+
diff --git a/crypto/openssl/crypto/evp/Makefile.save b/crypto/openssl/crypto/evp/Makefile.save
new file mode 100644
index 0000000..1150e88
--- /dev/null
+++ b/crypto/openssl/crypto/evp/Makefile.save
@@ -0,0 +1,1133 @@
+#
+# SSLeay/crypto/evp/Makefile
+#
+
+DIR=	evp
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= encode.c digest.c evp_enc.c evp_key.c \
+	e_ecb_d.c e_cbc_d.c e_cfb_d.c e_ofb_d.c \
+	e_ecb_i.c e_cbc_i.c e_cfb_i.c e_ofb_i.c \
+	e_ecb_3d.c e_cbc_3d.c e_rc4.c names.c \
+	e_cfb_3d.c e_ofb_3d.c e_xcbc_d.c \
+	e_ecb_r2.c e_cbc_r2.c e_cfb_r2.c e_ofb_r2.c \
+	e_ecb_bf.c e_cbc_bf.c e_cfb_bf.c e_ofb_bf.c \
+	e_ecb_c.c e_cbc_c.c e_cfb_c.c e_ofb_c.c \
+	e_ecb_r5.c e_cbc_r5.c e_cfb_r5.c e_ofb_r5.c \
+	m_null.c m_md2.c m_md5.c m_sha.c m_sha1.c m_dss.c m_dss1.c m_mdc2.c \
+	m_ripemd.c \
+	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
+	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
+	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+
+LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o \
+	e_ecb_d.o e_cbc_d.o e_cfb_d.o e_ofb_d.o \
+	e_ecb_i.o e_cbc_i.o e_cfb_i.o e_ofb_i.o \
+	e_ecb_3d.o e_cbc_3d.o e_rc4.o names.o \
+	e_cfb_3d.o e_ofb_3d.o e_xcbc_d.o \
+	e_ecb_r2.o e_cbc_r2.o e_cfb_r2.o e_ofb_r2.o \
+	e_ecb_bf.o e_cbc_bf.o e_cfb_bf.o e_ofb_bf.o \
+	e_ecb_c.o e_cbc_c.o e_cfb_c.o e_ofb_c.o \
+	e_ecb_r5.o e_cbc_r5.o e_cfb_r5.o e_ofb_r5.o \
+	m_null.o m_md2.o m_md5.o m_sha.o m_sha1.o m_dss.o m_dss1.o m_mdc2.o \
+	m_ripemd.o \
+	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
+	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
+	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= evp.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_b64.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_b64.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_b64.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_b64.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_b64.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_b64.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_b64.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_b64.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_b64.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_b64.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_b64.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_enc.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_md.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_md.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_md.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_md.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_md.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_md.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_md.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_md.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_md.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_md.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_md.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_ok.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_ok.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_ok.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_ok.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_ok.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_ok.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_ok.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_ok.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_ok.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bio_ok.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+bio_ok.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+bio_ok.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+bio_ok.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+bio_ok.o: ../cryptlib.h
+c_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+c_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_all.o: ../../include/openssl/stack.h ../cryptlib.h
+c_allc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_allc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_allc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_allc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_allc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_allc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_allc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_allc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_allc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_allc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+c_alld.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_alld.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_alld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_alld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_alld.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_alld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_alld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_alld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_alld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_alld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_alld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+digest.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+digest.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+digest.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_null.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_rc4.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc4.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_rc4.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_rc4.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_rc4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_rc4.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_rc4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_rc4.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_rc4.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_rc4.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_rc4.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_rc4.o: ../../include/openssl/stack.h ../cryptlib.h
+e_xcbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_xcbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_xcbc_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_xcbc_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_xcbc_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_xcbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_xcbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_xcbc_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_xcbc_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_xcbc_d.o: ../../include/openssl/stack.h ../cryptlib.h
+encode.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+encode.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+encode.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+encode.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+encode.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+encode.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+encode.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+encode.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+encode.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+encode.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+encode.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+encode.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+encode.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+encode.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_enc.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+evp_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+evp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_err.o: ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_key.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_key.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_key.o: ../cryptlib.h
+evp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_pbe.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_pbe.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_pbe.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pbe.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_pbe.o: ../cryptlib.h
+evp_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_pkey.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+evp_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+evp_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+m_dss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_dss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_dss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_dss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_dss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_dss.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_dss.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_dss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_dss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_dss.o: ../cryptlib.h
+m_dss1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_dss1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_dss1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_dss1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss1.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_dss1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_dss1.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_dss1.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_dss1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_dss1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_dss1.o: ../cryptlib.h
+m_md2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_md2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_md2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_md2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_md2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_md2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_md2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_md2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_md2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md2.o: ../cryptlib.h
+m_md5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_md5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_md5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_md5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_md5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md5.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_md5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_md5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md5.o: ../cryptlib.h
+m_mdc2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_mdc2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_mdc2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_mdc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_mdc2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_mdc2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_mdc2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_mdc2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_mdc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_mdc2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_mdc2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_mdc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_mdc2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_mdc2.o: ../cryptlib.h
+m_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_null.o: ../cryptlib.h
+m_ripemd.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_ripemd.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_ripemd.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_ripemd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_ripemd.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_ripemd.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_ripemd.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_ripemd.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_ripemd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_ripemd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_ripemd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_ripemd.o: ../cryptlib.h
+m_sha.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_sha.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_sha.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_sha.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_sha.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_sha.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_sha.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_sha.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_sha.o: ../cryptlib.h
+m_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_sha1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_sha1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_sha1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha1.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_sha1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_sha1.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_sha1.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_sha1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_sha1.o: ../cryptlib.h
+names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+names.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+names.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+names.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+names.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+names.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+names.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+names.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+names.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+names.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+names.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+names.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+names.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+names.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+names.o: ../cryptlib.h
+p5_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p5_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p5_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p5_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p5_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_crpt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p5_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p5_crpt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p5_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt.o: ../cryptlib.h
+p5_crpt2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p5_crpt2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p5_crpt2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p5_crpt2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p5_crpt2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
+p5_crpt2.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_crpt2.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_crpt2.o: ../../include/openssl/opensslconf.h
+p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_crpt2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_crpt2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_crpt2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt2.o: ../cryptlib.h
+p_dec.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_dec.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_dec.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_dec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_dec.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_dec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_dec.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_dec.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_dec.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_dec.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_dec.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_dec.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_dec.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_enc.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_enc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_lib.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_open.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_open.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_open.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_open.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_open.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_open.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_open.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_open.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_open.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_open.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_open.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_open.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_open.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_open.o: ../cryptlib.h
+p_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_seal.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_seal.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_seal.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_seal.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_seal.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_sign.o: ../cryptlib.h
+p_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_verify.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_verify.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl
new file mode 100644
index 0000000..1150e88
--- /dev/null
+++ b/crypto/openssl/crypto/evp/Makefile.ssl
@@ -0,0 +1,1133 @@
+#
+# SSLeay/crypto/evp/Makefile
+#
+
+DIR=	evp
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= encode.c digest.c evp_enc.c evp_key.c \
+	e_ecb_d.c e_cbc_d.c e_cfb_d.c e_ofb_d.c \
+	e_ecb_i.c e_cbc_i.c e_cfb_i.c e_ofb_i.c \
+	e_ecb_3d.c e_cbc_3d.c e_rc4.c names.c \
+	e_cfb_3d.c e_ofb_3d.c e_xcbc_d.c \
+	e_ecb_r2.c e_cbc_r2.c e_cfb_r2.c e_ofb_r2.c \
+	e_ecb_bf.c e_cbc_bf.c e_cfb_bf.c e_ofb_bf.c \
+	e_ecb_c.c e_cbc_c.c e_cfb_c.c e_ofb_c.c \
+	e_ecb_r5.c e_cbc_r5.c e_cfb_r5.c e_ofb_r5.c \
+	m_null.c m_md2.c m_md5.c m_sha.c m_sha1.c m_dss.c m_dss1.c m_mdc2.c \
+	m_ripemd.c \
+	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
+	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
+	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+
+LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o \
+	e_ecb_d.o e_cbc_d.o e_cfb_d.o e_ofb_d.o \
+	e_ecb_i.o e_cbc_i.o e_cfb_i.o e_ofb_i.o \
+	e_ecb_3d.o e_cbc_3d.o e_rc4.o names.o \
+	e_cfb_3d.o e_ofb_3d.o e_xcbc_d.o \
+	e_ecb_r2.o e_cbc_r2.o e_cfb_r2.o e_ofb_r2.o \
+	e_ecb_bf.o e_cbc_bf.o e_cfb_bf.o e_ofb_bf.o \
+	e_ecb_c.o e_cbc_c.o e_cfb_c.o e_ofb_c.o \
+	e_ecb_r5.o e_cbc_r5.o e_cfb_r5.o e_ofb_r5.o \
+	m_null.o m_md2.o m_md5.o m_sha.o m_sha1.o m_dss.o m_dss1.o m_mdc2.o \
+	m_ripemd.o \
+	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
+	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
+	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= evp.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_b64.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_b64.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_b64.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_b64.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_b64.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_b64.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_b64.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_b64.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_b64.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_b64.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_b64.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_enc.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_md.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_md.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_md.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_md.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_md.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_md.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_md.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+bio_md.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+bio_md.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+bio_md.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_md.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_ok.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_ok.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bio_ok.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bio_ok.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bio_ok.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_ok.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_ok.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+bio_ok.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+bio_ok.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+bio_ok.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+bio_ok.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+bio_ok.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+bio_ok.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+bio_ok.o: ../cryptlib.h
+c_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+c_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_all.o: ../../include/openssl/stack.h ../cryptlib.h
+c_allc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_allc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_allc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_allc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_allc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_allc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_allc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_allc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_allc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_allc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+c_alld.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_alld.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_alld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_alld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_alld.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_alld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_alld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_alld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_alld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_alld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_alld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+digest.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+digest.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+digest.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cbc_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cbc_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cbc_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cbc_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cbc_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cbc_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cbc_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cbc_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cbc_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cbc_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cbc_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cbc_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cbc_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cbc_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cbc_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_cfb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cfb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_cfb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cfb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_cfb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_cfb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_cfb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cfb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_cfb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_cfb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_cfb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_cfb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_cfb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_cfb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_cfb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ecb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ecb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ecb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ecb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ecb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ecb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ecb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ecb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ecb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ecb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ecb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ecb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ecb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ecb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ecb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_null.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_3d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_3d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_3d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_3d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_3d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_3d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_3d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_3d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_3d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_3d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_3d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_3d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_3d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_3d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_3d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_bf.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_bf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_bf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_bf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_bf.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_c.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_c.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_c.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_c.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_c.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_c.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_c.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_c.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_c.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_c.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_c.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_c.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_c.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_c.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_d.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_i.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_i.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_i.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_i.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_i.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_i.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_i.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_i.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_i.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_i.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_i.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_i.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_i.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_i.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_i.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_r2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_r2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_r2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_r2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_r2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_r2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_r2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_r2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_r2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_r2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_r2.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_r2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_r2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_r2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_r2.o: ../../include/openssl/stack.h ../cryptlib.h
+e_ofb_r5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_ofb_r5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_ofb_r5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_ofb_r5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_ofb_r5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_ofb_r5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_ofb_r5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_ofb_r5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_ofb_r5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_ofb_r5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_ofb_r5.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_ofb_r5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_ofb_r5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_ofb_r5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_ofb_r5.o: ../../include/openssl/stack.h ../cryptlib.h
+e_rc4.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc4.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_rc4.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_rc4.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_rc4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_rc4.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_rc4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_rc4.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_rc4.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_rc4.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_rc4.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_rc4.o: ../../include/openssl/stack.h ../cryptlib.h
+e_xcbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_xcbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_xcbc_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_xcbc_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_xcbc_d.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+e_xcbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_xcbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+e_xcbc_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_xcbc_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_xcbc_d.o: ../../include/openssl/stack.h ../cryptlib.h
+encode.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+encode.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+encode.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+encode.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+encode.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+encode.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+encode.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+encode.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+encode.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+encode.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+encode.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+encode.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+encode.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+encode.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_enc.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+evp_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+evp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_err.o: ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_key.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_key.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_key.o: ../cryptlib.h
+evp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+evp_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+evp_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_pbe.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_pbe.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_pbe.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pbe.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_pbe.o: ../cryptlib.h
+evp_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+evp_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_pkey.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+evp_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+evp_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+evp_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+evp_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+evp_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+evp_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+m_dss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_dss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_dss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_dss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_dss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_dss.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_dss.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_dss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_dss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_dss.o: ../cryptlib.h
+m_dss1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_dss1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_dss1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_dss1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss1.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_dss1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_dss1.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_dss1.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_dss1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_dss1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_dss1.o: ../cryptlib.h
+m_md2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_md2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_md2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_md2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_md2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_md2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_md2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_md2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_md2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md2.o: ../cryptlib.h
+m_md5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_md5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_md5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_md5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md5.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_md5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md5.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_md5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_md5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md5.o: ../cryptlib.h
+m_mdc2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_mdc2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_mdc2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_mdc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_mdc2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_mdc2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_mdc2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_mdc2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_mdc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_mdc2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_mdc2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_mdc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_mdc2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_mdc2.o: ../cryptlib.h
+m_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_null.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_null.o: ../cryptlib.h
+m_ripemd.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_ripemd.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_ripemd.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_ripemd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_ripemd.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_ripemd.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_ripemd.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_ripemd.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_ripemd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_ripemd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_ripemd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_ripemd.o: ../cryptlib.h
+m_sha.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_sha.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_sha.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_sha.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_sha.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_sha.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_sha.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_sha.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_sha.o: ../cryptlib.h
+m_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_sha1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_sha1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_sha1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha1.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+m_sha1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+m_sha1.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+m_sha1.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_sha1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_sha1.o: ../cryptlib.h
+names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+names.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+names.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+names.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+names.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+names.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+names.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+names.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+names.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+names.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+names.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+names.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+names.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+names.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+names.o: ../cryptlib.h
+p5_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p5_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p5_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p5_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p5_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_crpt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p5_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p5_crpt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p5_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt.o: ../cryptlib.h
+p5_crpt2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p5_crpt2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p5_crpt2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p5_crpt2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p5_crpt2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
+p5_crpt2.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p5_crpt2.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p5_crpt2.o: ../../include/openssl/opensslconf.h
+p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p5_crpt2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p5_crpt2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p5_crpt2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt2.o: ../cryptlib.h
+p_dec.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_dec.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_dec.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_dec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_dec.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_dec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_dec.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_dec.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_dec.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_dec.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_dec.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_dec.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_dec.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_enc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_enc.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_enc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_lib.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_open.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_open.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_open.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_open.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_open.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_open.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_open.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_open.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_open.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_open.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_open.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_open.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_open.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_open.o: ../cryptlib.h
+p_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_seal.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_seal.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+p_seal.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p_seal.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_seal.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_sign.o: ../cryptlib.h
+p_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_verify.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+p_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_verify.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/evp/bio_b64.c b/crypto/openssl/crypto/evp/bio_b64.c
new file mode 100644
index 0000000..bd5e24f
--- /dev/null
+++ b/crypto/openssl/crypto/evp/bio_b64.c
@@ -0,0 +1,540 @@
+/* crypto/evp/bio_b64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+static int b64_write(BIO *h,char *buf,int num);
+static int b64_read(BIO *h,char *buf,int size);
+/*static int b64_puts(BIO *h,char *str); */
+/*static int b64_gets(BIO *h,char *str,int size); */
+static long b64_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int b64_new(BIO *h);
+static int b64_free(BIO *data);
+static long b64_callback_ctrl(BIO *h,int cmd,void (*fp)());
+#define B64_BLOCK_SIZE	1024
+#define B64_BLOCK_SIZE2	768
+#define B64_NONE	0
+#define B64_ENCODE	1
+#define B64_DECODE	2
+
+typedef struct b64_struct
+	{
+	/*BIO *bio; moved to the BIO structure */
+	int buf_len;
+	int buf_off;
+	int tmp_len;		/* used to find the start when decoding */
+	int tmp_nl;		/* If true, scan until '\n' */
+	int encode;
+	int start;		/* have we started decoding yet? */
+	int cont;		/* <= 0 when finished */
+	EVP_ENCODE_CTX base64;
+	char buf[EVP_ENCODE_LENGTH(B64_BLOCK_SIZE)+10];
+	char tmp[B64_BLOCK_SIZE];
+	} BIO_B64_CTX;
+
+static BIO_METHOD methods_b64=
+	{
+	BIO_TYPE_BASE64,"base64 encoding",
+	b64_write,
+	b64_read,
+	NULL, /* b64_puts, */
+	NULL, /* b64_gets, */
+	b64_ctrl,
+	b64_new,
+	b64_free,
+	b64_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_base64(void)
+	{
+	return(&methods_b64);
+	}
+
+static int b64_new(BIO *bi)
+	{
+	BIO_B64_CTX *ctx;
+
+	ctx=(BIO_B64_CTX *)Malloc(sizeof(BIO_B64_CTX));
+	if (ctx == NULL) return(0);
+
+	ctx->buf_len=0;
+	ctx->tmp_len=0;
+	ctx->tmp_nl=0;
+	ctx->buf_off=0;
+	ctx->cont=1;
+	ctx->start=1;
+	ctx->encode=0;
+
+	bi->init=1;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int b64_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int b64_read(BIO *b, char *out, int outl)
+	{
+	int ret=0,i,ii,j,k,x,n,num,ret_code=0;
+	BIO_B64_CTX *ctx;
+	unsigned char *p,*q;
+
+	if (out == NULL) return(0);
+	ctx=(BIO_B64_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+	if (ctx->encode != B64_DECODE)
+		{
+		ctx->encode=B64_DECODE;
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		ctx->tmp_len=0;
+		EVP_DecodeInit(&(ctx->base64));
+		}
+
+	/* First check if there are bytes decoded/encoded */
+	if (ctx->buf_len > 0)
+		{
+		i=ctx->buf_len-ctx->buf_off;
+		if (i > outl) i=outl;
+		memcpy(out,&(ctx->buf[ctx->buf_off]),i);
+		ret=i;
+		out+=i;
+		outl-=i;
+		ctx->buf_off+=i;
+		if (ctx->buf_len == ctx->buf_off)
+			{
+			ctx->buf_len=0;
+			ctx->buf_off=0;
+			}
+		}
+
+	/* At this point, we have room of outl bytes and an empty
+	 * buffer, so we should read in some more. */
+
+	ret_code=0;
+	while (outl > 0)
+		{
+		if (ctx->cont <= 0) break;
+
+		i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]),
+			B64_BLOCK_SIZE-ctx->tmp_len);
+
+		if (i <= 0)
+			{
+			ret_code=i;
+
+			/* Should be continue next time we are called? */
+			if (!BIO_should_retry(b->next_bio))
+				ctx->cont=i;
+			/* else we should continue when called again */
+			break;
+			}
+		i+=ctx->tmp_len;
+
+		/* We need to scan, a line at a time until we
+		 * have a valid line if we are starting. */
+		if (ctx->start && (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL))
+			{
+			/* ctx->start=1; */
+			ctx->tmp_len=0;
+			}
+		else if (ctx->start)
+			{
+			q=p=(unsigned char *)ctx->tmp;
+			for (j=0; j<i; j++)
+				{
+				if (*(q++) != '\n') continue;
+
+				/* due to a previous very long line,
+				 * we need to keep on scanning for a '\n'
+				 * before we even start looking for
+				 * base64 encoded stuff. */
+				if (ctx->tmp_nl)
+					{
+					p=q;
+					ctx->tmp_nl=0;
+					continue;
+					}
+
+				k=EVP_DecodeUpdate(&(ctx->base64),
+					(unsigned char *)ctx->buf,
+					&num,p,q-p);
+				if ((k <= 0) && (num == 0) && (ctx->start))
+					EVP_DecodeInit(&ctx->base64);
+				else 
+					{
+					if (p != (unsigned char *)
+						&(ctx->tmp[0]))
+						{
+						i-=(p- (unsigned char *)
+							&(ctx->tmp[0]));
+						for (x=0; x < i; x++)
+							ctx->tmp[x]=p[x];
+						}
+					EVP_DecodeInit(&ctx->base64);
+					ctx->start=0;
+					break;
+					}
+				p=q;
+				}
+
+			/* we fell off the end without starting */
+			if (j == i)
+				{
+				/* Is this is one long chunk?, if so, keep on
+				 * reading until a new line. */
+				if (p == (unsigned char *)&(ctx->tmp[0]))
+					{
+					ctx->tmp_nl=1;
+					ctx->tmp_len=0;
+					}
+				else if (p != q) /* finished on a '\n' */
+					{
+					n=q-p;
+					for (ii=0; ii<n; ii++)
+						ctx->tmp[ii]=p[ii];
+					ctx->tmp_len=n;
+					}
+				/* else finished on a '\n' */
+				continue;
+				}
+			else
+				ctx->tmp_len=0;
+			}
+
+		if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
+			{
+			int z,jj;
+
+			jj=(i>>2)<<2;
+			z=EVP_DecodeBlock((unsigned char *)ctx->buf,
+				(unsigned char *)ctx->tmp,jj);
+			if (jj > 2)
+				{
+				if (ctx->tmp[jj-1] == '=')
+					{
+					z--;
+					if (ctx->tmp[jj-2] == '=')
+						z--;
+					}
+				}
+			/* z is now number of output bytes and jj is the
+			 * number consumed */
+			if (jj != i)
+				{
+				memcpy((unsigned char *)ctx->tmp,
+					(unsigned char *)&(ctx->tmp[jj]),i-jj);
+				ctx->tmp_len=i-jj;
+				}
+			ctx->buf_len=0;
+			if (z > 0)
+				{
+				ctx->buf_len=z;
+				i=1;
+				}
+			else
+				i=z;
+			}
+		else
+			{
+			i=EVP_DecodeUpdate(&(ctx->base64),
+				(unsigned char *)ctx->buf,&ctx->buf_len,
+				(unsigned char *)ctx->tmp,i);
+			}
+		ctx->cont=i;
+		ctx->buf_off=0;
+		if (i < 0)
+			{
+			ret_code=0;
+			ctx->buf_len=0;
+			break;
+			}
+
+		if (ctx->buf_len <= outl)
+			i=ctx->buf_len;
+		else
+			i=outl;
+
+		memcpy(out,ctx->buf,i);
+		ret+=i;
+		ctx->buf_off=i;
+		if (ctx->buf_off == ctx->buf_len)
+			{
+			ctx->buf_len=0;
+			ctx->buf_off=0;
+			}
+		outl-=i;
+		out+=i;
+		}
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return((ret == 0)?ret_code:ret);
+	}
+
+static int b64_write(BIO *b, char *in, int inl)
+	{
+	int ret=inl,n,i;
+	BIO_B64_CTX *ctx;
+
+	ctx=(BIO_B64_CTX *)b->ptr;
+	BIO_clear_retry_flags(b);
+
+	if (ctx->encode != B64_ENCODE)
+		{
+		ctx->encode=B64_ENCODE;
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		ctx->tmp_len=0;
+		EVP_EncodeInit(&(ctx->base64));
+		}
+
+	n=ctx->buf_len-ctx->buf_off;
+	while (n > 0)
+		{
+		i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			return(i);
+			}
+		ctx->buf_off+=i;
+		n-=i;
+		}
+	/* at this point all pending data has been written */
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+
+	ctx->buf_off=0;
+	while (inl > 0)
+		{
+		n=(inl > B64_BLOCK_SIZE)?B64_BLOCK_SIZE:inl;
+
+		if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
+			{
+			if (ctx->tmp_len > 0)
+				{
+				n=3-ctx->tmp_len;
+				memcpy(&(ctx->tmp[ctx->tmp_len]),in,n);
+				ctx->tmp_len+=n;
+				n=ctx->tmp_len;
+				if (n < 3)
+					break;
+				ctx->buf_len=EVP_EncodeBlock(
+					(unsigned char *)ctx->buf,
+					(unsigned char *)ctx->tmp,n);
+				}
+			else
+				{
+				if (n < 3)
+					{
+					memcpy(&(ctx->tmp[0]),in,n);
+					ctx->tmp_len=n;
+					break;
+					}
+				n-=n%3;
+				ctx->buf_len=EVP_EncodeBlock(
+					(unsigned char *)ctx->buf,
+					(unsigned char *)in,n);
+				}
+			}
+		else
+			{
+			EVP_EncodeUpdate(&(ctx->base64),
+				(unsigned char *)ctx->buf,&ctx->buf_len,
+				(unsigned char *)in,n);
+			}
+		inl-=n;
+		in+=n;
+
+		ctx->buf_off=0;
+		n=ctx->buf_len;
+		while (n > 0)
+			{
+			i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				return((ret == 0)?i:ret);
+				}
+			n-=i;
+			ctx->buf_off+=i;
+			}
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		}
+	return(ret);
+	}
+
+static long b64_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO_B64_CTX *ctx;
+	long ret=1;
+	int i;
+
+	ctx=(BIO_B64_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ctx->cont=1;
+		ctx->start=1;
+		ctx->encode=B64_NONE;
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_EOF:	/* More to read */
+		if (ctx->cont <= 0)
+			ret=1;
+		else
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_WPENDING: /* More to write in buffer */
+		ret=ctx->buf_len-ctx->buf_off;
+		if ((ret == 0) && (ctx->base64.num != 0))
+			ret=1;
+		else if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_PENDING: /* More to read in buffer */
+		ret=ctx->buf_len-ctx->buf_off;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_FLUSH:
+		/* do a final write */
+again:
+		while (ctx->buf_len != ctx->buf_off)
+			{
+			i=b64_write(b,NULL,0);
+			if (i < 0)
+				{
+				ret=i;
+				break;
+				}
+			}
+		if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
+			{
+			if (ctx->tmp_len != 0)
+				{
+				ctx->buf_len=EVP_EncodeBlock(
+					(unsigned char *)ctx->buf,
+					(unsigned char *)ctx->tmp,
+					ctx->tmp_len);
+				ctx->buf_off=0;
+				ctx->tmp_len=0;
+				goto again;
+				}
+			}
+		else if (ctx->base64.num != 0)
+			{
+			ctx->buf_off=0;
+			EVP_EncodeFinal(&(ctx->base64),
+				(unsigned char *)ctx->buf,
+				&(ctx->buf_len));
+			/* push out the bytes */
+			goto again;
+			}
+		/* Finally flush the underlying BIO */
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+
+	case BIO_CTRL_DUP:
+		break;
+	case BIO_CTRL_INFO:
+	case BIO_CTRL_GET:
+	case BIO_CTRL_SET:
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long b64_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c
new file mode 100644
index 0000000..629bf4b
--- /dev/null
+++ b/crypto/openssl/crypto/evp/bio_enc.c
@@ -0,0 +1,425 @@
+/* crypto/evp/bio_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+static int enc_write(BIO *h,char *buf,int num);
+static int enc_read(BIO *h,char *buf,int size);
+/*static int enc_puts(BIO *h,char *str); */
+/*static int enc_gets(BIO *h,char *str,int size); */
+static long enc_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int enc_new(BIO *h);
+static int enc_free(BIO *data);
+static long enc_callback_ctrl(BIO *h,int cmd,void (*fp)());
+#define ENC_BLOCK_SIZE	(1024*4)
+
+typedef struct enc_struct
+	{
+	int buf_len;
+	int buf_off;
+	int cont;		/* <= 0 when finished */
+	int finished;
+	int ok;			/* bad decrypt */
+	EVP_CIPHER_CTX cipher;
+	char buf[ENC_BLOCK_SIZE+10];
+	} BIO_ENC_CTX;
+
+static BIO_METHOD methods_enc=
+	{
+	BIO_TYPE_CIPHER,"cipher",
+	enc_write,
+	enc_read,
+	NULL, /* enc_puts, */
+	NULL, /* enc_gets, */
+	enc_ctrl,
+	enc_new,
+	enc_free,
+	enc_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_cipher(void)
+	{
+	return(&methods_enc);
+	}
+
+static int enc_new(BIO *bi)
+	{
+	BIO_ENC_CTX *ctx;
+
+	ctx=(BIO_ENC_CTX *)Malloc(sizeof(BIO_ENC_CTX));
+	EVP_CIPHER_CTX_init(&ctx->cipher);
+	if (ctx == NULL) return(0);
+
+	ctx->buf_len=0;
+	ctx->buf_off=0;
+	ctx->cont=1;
+	ctx->finished=0;
+	ctx->ok=1;
+
+	bi->init=0;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int enc_free(BIO *a)
+	{
+	BIO_ENC_CTX *b;
+
+	if (a == NULL) return(0);
+	b=(BIO_ENC_CTX *)a->ptr;
+	EVP_CIPHER_CTX_cleanup(&(b->cipher));
+	memset(a->ptr,0,sizeof(BIO_ENC_CTX));
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int enc_read(BIO *b, char *out, int outl)
+	{
+	int ret=0,i;
+	BIO_ENC_CTX *ctx;
+
+	if (out == NULL) return(0);
+	ctx=(BIO_ENC_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+	/* First check if there are bytes decoded/encoded */
+	if (ctx->buf_len > 0)
+		{
+		i=ctx->buf_len-ctx->buf_off;
+		if (i > outl) i=outl;
+		memcpy(out,&(ctx->buf[ctx->buf_off]),i);
+		ret=i;
+		out+=i;
+		outl-=i;
+		ctx->buf_off+=i;
+		if (ctx->buf_len == ctx->buf_off)
+			{
+			ctx->buf_len=0;
+			ctx->buf_off=0;
+			}
+		}
+
+	/* At this point, we have room of outl bytes and an empty
+	 * buffer, so we should read in some more. */
+
+	while (outl > 0)
+		{
+		if (ctx->cont <= 0) break;
+
+		/* read in at offset 8, read the EVP_Cipher
+		 * documentation about why */
+		i=BIO_read(b->next_bio,&(ctx->buf[8]),ENC_BLOCK_SIZE);
+
+		if (i <= 0)
+			{
+			/* Should be continue next time we are called? */
+			if (!BIO_should_retry(b->next_bio))
+				{
+				ctx->cont=i;
+				i=EVP_CipherFinal(&(ctx->cipher),
+					(unsigned char *)ctx->buf,
+					&(ctx->buf_len));
+				ctx->ok=i;
+				ctx->buf_off=0;
+				}
+			else 
+				{
+				ret=(ret == 0)?i:ret;
+				break;
+				}
+			}
+		else
+			{
+			EVP_CipherUpdate(&(ctx->cipher),
+				(unsigned char *)ctx->buf,&ctx->buf_len,
+				(unsigned char *)&(ctx->buf[8]),i);
+			ctx->cont=1;
+			/* Note: it is possible for EVP_CipherUpdate to
+			 * decrypt zero bytes because this is or looks like
+			 * the final block: if this happens we should retry
+			 * and either read more data or decrypt the final
+			 * block
+			 */
+			if(ctx->buf_len == 0) continue;
+			}
+
+		if (ctx->buf_len <= outl)
+			i=ctx->buf_len;
+		else
+			i=outl;
+		if (i <= 0) break;
+		memcpy(out,ctx->buf,i);
+		ret+=i;
+		ctx->buf_off=i;
+		outl-=i;
+		out+=i;
+		}
+
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return((ret == 0)?ctx->cont:ret);
+	}
+
+static int enc_write(BIO *b, char *in, int inl)
+	{
+	int ret=0,n,i;
+	BIO_ENC_CTX *ctx;
+
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	ret=inl;
+
+	BIO_clear_retry_flags(b);
+	n=ctx->buf_len-ctx->buf_off;
+	while (n > 0)
+		{
+		i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			return(i);
+			}
+		ctx->buf_off+=i;
+		n-=i;
+		}
+	/* at this point all pending data has been written */
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+
+	ctx->buf_off=0;
+	while (inl > 0)
+		{
+		n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
+		EVP_CipherUpdate(&(ctx->cipher),
+			(unsigned char *)ctx->buf,&ctx->buf_len,
+			(unsigned char *)in,n);
+		inl-=n;
+		in+=n;
+
+		ctx->buf_off=0;
+		n=ctx->buf_len;
+		while (n > 0)
+			{
+			i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				return(i);
+				}
+			n-=i;
+			ctx->buf_off+=i;
+			}
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		}
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long enc_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO *dbio;
+	BIO_ENC_CTX *ctx,*dctx;
+	long ret=1;
+	int i;
+	EVP_CIPHER_CTX **c_ctx;
+
+	ctx=(BIO_ENC_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ctx->ok=1;
+		ctx->finished=0;
+		EVP_CipherInit(&(ctx->cipher),NULL,NULL,NULL,
+			ctx->cipher.encrypt);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_EOF:	/* More to read */
+		if (ctx->cont <= 0)
+			ret=1;
+		else
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_WPENDING:
+		ret=ctx->buf_len-ctx->buf_off;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_PENDING: /* More to read in buffer */
+		ret=ctx->buf_len-ctx->buf_off;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_FLUSH:
+		/* do a final write */
+again:
+		while (ctx->buf_len != ctx->buf_off)
+			{
+			i=enc_write(b,NULL,0);
+			if (i < 0)
+				{
+				ret=i;
+				break;
+				}
+			}
+
+		if (!ctx->finished)
+			{
+			ctx->finished=1;
+			ctx->buf_off=0;
+			ret=EVP_CipherFinal(&(ctx->cipher),
+				(unsigned char *)ctx->buf,
+				&(ctx->buf_len));
+			ctx->ok=(int)ret;
+			if (ret <= 0) break;
+
+			/* push out the bytes */
+			goto again;
+			}
+		
+		/* Finally flush the underlying BIO */
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_C_GET_CIPHER_STATUS:
+		ret=(long)ctx->ok;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+	case BIO_C_GET_CIPHER_CTX:
+		c_ctx=(EVP_CIPHER_CTX **)ptr;
+		(*c_ctx)= &(ctx->cipher);
+		b->init=1;
+		break;
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+		dctx=(BIO_ENC_CTX *)dbio->ptr;
+		memcpy(&(dctx->cipher),&(ctx->cipher),sizeof(ctx->cipher));
+		dbio->init=1;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long enc_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+/*
+void BIO_set_cipher_ctx(b,c)
+BIO *b;
+EVP_CIPHER_ctx *c;
+	{
+	if (b == NULL) return;
+
+	if ((b->callback != NULL) &&
+		(b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
+		return;
+
+	b->init=1;
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	memcpy(ctx->cipher,c,sizeof(EVP_CIPHER_CTX));
+	
+	if (b->callback != NULL)
+		b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
+	}
+*/
+
+void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, unsigned char *k,
+	     unsigned char *i, int e)
+	{
+	BIO_ENC_CTX *ctx;
+
+	if (b == NULL) return;
+
+	if ((b->callback != NULL) &&
+		(b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,0L) <= 0))
+		return;
+
+	b->init=1;
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	EVP_CipherInit(&(ctx->cipher),c,k,i,e);
+	
+	if (b->callback != NULL)
+		b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);
+	}
+
diff --git a/crypto/openssl/crypto/evp/bio_md.c b/crypto/openssl/crypto/evp/bio_md.c
new file mode 100644
index 0000000..aef928d
--- /dev/null
+++ b/crypto/openssl/crypto/evp/bio_md.c
@@ -0,0 +1,261 @@
+/* crypto/evp/bio_md.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+/* BIO_put and BIO_get both add to the digest,
+ * BIO_gets returns the digest */
+
+static int md_write(BIO *h,char *buf,int num);
+static int md_read(BIO *h,char *buf,int size);
+/*static int md_puts(BIO *h,char *str); */
+static int md_gets(BIO *h,char *str,int size);
+static long md_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int md_new(BIO *h);
+static int md_free(BIO *data);
+static long md_callback_ctrl(BIO *h,int cmd,void (*fp)());
+
+static BIO_METHOD methods_md=
+	{
+	BIO_TYPE_MD,"message digest",
+	md_write,
+	md_read,
+	NULL, /* md_puts, */
+	md_gets,
+	md_ctrl,
+	md_new,
+	md_free,
+	md_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_md(void)
+	{
+	return(&methods_md);
+	}
+
+static int md_new(BIO *bi)
+	{
+	EVP_MD_CTX *ctx;
+
+	ctx=(EVP_MD_CTX *)Malloc(sizeof(EVP_MD_CTX));
+	if (ctx == NULL) return(0);
+
+	bi->init=0;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int md_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int md_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+	EVP_MD_CTX *ctx;
+
+	if (out == NULL) return(0);
+	ctx=(EVP_MD_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+	ret=BIO_read(b->next_bio,out,outl);
+	if (b->init)
+		{
+		if (ret > 0)
+			{
+			EVP_DigestUpdate(ctx,(unsigned char *)out,
+				(unsigned int)ret);
+			}
+		}
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static int md_write(BIO *b, char *in, int inl)
+	{
+	int ret=0;
+	EVP_MD_CTX *ctx;
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+	ctx=(EVP_MD_CTX *)b->ptr;
+
+	if ((ctx != NULL) && (b->next_bio != NULL))
+		ret=BIO_write(b->next_bio,in,inl);
+	if (b->init)
+		{
+		if (ret > 0)
+			{
+			EVP_DigestUpdate(ctx,(unsigned char *)in,
+				(unsigned int)ret);
+			}
+		}
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long md_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	EVP_MD_CTX *ctx,*dctx,**pctx;
+	const EVP_MD **ppmd;
+	EVP_MD *md;
+	long ret=1;
+	BIO *dbio;
+
+	ctx=(EVP_MD_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		if (b->init)
+			EVP_DigestInit(ctx,ctx->digest);
+		else
+			ret=0;
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_C_GET_MD:
+		if (b->init)
+			{
+			ppmd=(const EVP_MD **)ptr;
+			*ppmd=ctx->digest;
+			}
+		else
+			ret=0;
+		break;
+	case BIO_C_GET_MD_CTX:
+		if (b->init)
+			{
+			pctx=(EVP_MD_CTX **)ptr;
+			*pctx=ctx;
+			}
+		else
+			ret=0;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+
+	case BIO_C_SET_MD:
+		md=(EVP_MD *)ptr;
+		EVP_DigestInit(ctx,md);
+		b->init=1;
+		break;
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+		dctx=(EVP_MD_CTX *)dbio->ptr;
+		memcpy(dctx,ctx,sizeof(ctx));
+		b->init=1;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long md_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static int md_gets(BIO *bp, char *buf, int size)
+	{
+	EVP_MD_CTX *ctx;
+	unsigned int ret;
+
+
+	ctx=(EVP_MD_CTX *)bp->ptr;
+	if (size < ctx->digest->md_size)
+		return(0);
+	EVP_DigestFinal(ctx,(unsigned char *)buf,&ret);
+	return((int)ret);
+	}
+
+/*
+static int md_puts(bp,str)
+BIO *bp;
+char *str;
+	{
+	return(-1);
+	}
+*/
+
diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c
new file mode 100644
index 0000000..e6ff5f2
--- /dev/null
+++ b/crypto/openssl/crypto/evp/bio_ok.c
@@ -0,0 +1,569 @@
+/* crypto/evp/bio_ok.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+	From: Arne Ansper <arne@cyber.ee>
+
+	Why BIO_f_reliable?
+
+	I wrote function which took BIO* as argument, read data from it
+	and processed it. Then I wanted to store the input file in 
+	encrypted form. OK I pushed BIO_f_cipher to the BIO stack
+	and everything was OK. BUT if user types wrong password 
+	BIO_f_cipher outputs only garbage and my function crashes. Yes
+	I can and I should fix my function, but BIO_f_cipher is 
+	easy way to add encryption support to many existing applications
+	and it's hard to debug and fix them all. 
+
+	So I wanted another BIO which would catch the incorrect passwords and
+	file damages which cause garbage on BIO_f_cipher's output. 
+
+	The easy way is to push the BIO_f_md and save the checksum at 
+	the end of the file. However there are several problems with this
+	approach:
+
+	1) you must somehow separate checksum from actual data. 
+	2) you need lot's of memory when reading the file, because you 
+	must read to the end of the file and verify the checksum before
+	letting the application to read the data. 
+	
+	BIO_f_reliable tries to solve both problems, so that you can 
+	read and write arbitrary long streams using only fixed amount
+	of memory.
+
+	BIO_f_reliable splits data stream into blocks. Each block is prefixed
+	with it's length and suffixed with it's digest. So you need only 
+	several Kbytes of memory to buffer single block before verifying 
+	it's digest. 
+
+	BIO_f_reliable goes further and adds several important capabilities:
+
+	1) the digest of the block is computed over the whole stream 
+	-- so nobody can rearrange the blocks or remove or replace them.
+
+	2) to detect invalid passwords right at the start BIO_f_reliable 
+	adds special prefix to the stream. In order to avoid known plain-text
+	attacks this prefix is generated as follows:
+
+		*) digest is initialized with random seed instead of 
+		standardized one.
+		*) same seed is written to ouput
+		*) well-known text is then hashed and the output 
+		of the digest is also written to output.
+
+	reader can now read the seed from stream, hash the same string
+	and then compare the digest output.
+
+	Bad things: BIO_f_reliable knows what's going on in EVP_Digest. I 
+	initially wrote and tested this code on x86 machine and wrote the
+	digests out in machine-dependent order :( There are people using
+	this code and I cannot change this easily without making existing
+	data files unreadable.
+
+*/
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+static int ok_write(BIO *h,char *buf,int num);
+static int ok_read(BIO *h,char *buf,int size);
+static long ok_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int ok_new(BIO *h);
+static int ok_free(BIO *data);
+static long ok_callback_ctrl(BIO *h,int cmd,void (*fp)());
+
+static void sig_out(BIO* b);
+static void sig_in(BIO* b);
+static void block_out(BIO* b);
+static void block_in(BIO* b);
+#define OK_BLOCK_SIZE	(1024*4)
+#define OK_BLOCK_BLOCK	4
+#define IOBS		(OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
+#define WELLKNOWN "The quick brown fox jumped over the lazy dog's back."
+
+#ifndef L_ENDIAN
+#define swapem(x) \
+	((unsigned long int)((((unsigned long int)(x) & 0x000000ffU) << 24) | \
+			     (((unsigned long int)(x) & 0x0000ff00U) <<  8) | \
+			     (((unsigned long int)(x) & 0x00ff0000U) >>  8) | \
+			     (((unsigned long int)(x) & 0xff000000U) >> 24)))
+#else
+#define swapem(x) (x)
+#endif
+
+typedef struct ok_struct
+	{
+	int buf_len;
+	int buf_off;
+	int buf_len_save;
+	int buf_off_save;
+	int cont;		/* <= 0 when finished */
+	int finished;
+	EVP_MD_CTX md;
+	int blockout;		/* output block is ready */ 
+	int sigio;		/* must process signature */
+	char buf[IOBS];
+	} BIO_OK_CTX;
+
+static BIO_METHOD methods_ok=
+	{
+	BIO_TYPE_CIPHER,"reliable",
+	ok_write,
+	ok_read,
+	NULL, /* ok_puts, */
+	NULL, /* ok_gets, */
+	ok_ctrl,
+	ok_new,
+	ok_free,
+	ok_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_reliable(void)
+	{
+	return(&methods_ok);
+	}
+
+static int ok_new(BIO *bi)
+	{
+	BIO_OK_CTX *ctx;
+
+	ctx=(BIO_OK_CTX *)Malloc(sizeof(BIO_OK_CTX));
+	if (ctx == NULL) return(0);
+
+	ctx->buf_len=0;
+	ctx->buf_off=0;
+	ctx->buf_len_save=0;
+	ctx->buf_off_save=0;
+	ctx->cont=1;
+	ctx->finished=0;
+	ctx->blockout= 0;
+	ctx->sigio=1;
+
+	bi->init=0;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int ok_free(BIO *a)
+	{
+	if (a == NULL) return(0);
+	memset(a->ptr,0,sizeof(BIO_OK_CTX));
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+	
+static int ok_read(BIO *b, char *out, int outl)
+	{
+	int ret=0,i,n;
+	BIO_OK_CTX *ctx;
+
+	if (out == NULL) return(0);
+	ctx=(BIO_OK_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
+
+	while(outl > 0)
+		{
+
+		/* copy clean bytes to output buffer */
+		if (ctx->blockout)
+			{
+			i=ctx->buf_len-ctx->buf_off;
+			if (i > outl) i=outl;
+			memcpy(out,&(ctx->buf[ctx->buf_off]),i);
+			ret+=i;
+			out+=i;
+			outl-=i;
+			ctx->buf_off+=i;
+
+			/* all clean bytes are out */
+			if (ctx->buf_len == ctx->buf_off)
+				{
+				ctx->buf_off=0;
+
+				/* copy start of the next block into proper place */
+				if(ctx->buf_len_save- ctx->buf_off_save > 0)
+					{
+					ctx->buf_len= ctx->buf_len_save- ctx->buf_off_save;
+					memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]),
+							ctx->buf_len);
+					}
+				else
+					{
+					ctx->buf_len=0;
+					}
+				ctx->blockout= 0;
+				}
+			}
+	
+		/* output buffer full -- cancel */
+		if (outl == 0) break;
+
+		/* no clean bytes in buffer -- fill it */
+		n=IOBS- ctx->buf_len;
+		i=BIO_read(b->next_bio,&(ctx->buf[ctx->buf_len]),n);
+
+		if (i <= 0) break;	/* nothing new */
+
+		ctx->buf_len+= i;
+
+		/* no signature yet -- check if we got one */
+		if (ctx->sigio == 1) sig_in(b);
+
+		/* signature ok -- check if we got block */
+		if (ctx->sigio == 0) block_in(b);
+
+		/* invalid block -- cancel */
+		if (ctx->cont <= 0) break;
+
+		}
+
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static int ok_write(BIO *b, char *in, int inl)
+	{
+	int ret=0,n,i;
+	BIO_OK_CTX *ctx;
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+	ret=inl;
+
+	if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
+
+	if(ctx->sigio) sig_out(b);
+
+	do{
+		BIO_clear_retry_flags(b);
+		n=ctx->buf_len-ctx->buf_off;
+		while (ctx->blockout && n > 0)
+			{
+			i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				if(!BIO_should_retry(b))
+					ctx->cont= 0;
+				return(i);
+				}
+			ctx->buf_off+=i;
+			n-=i;
+			}
+
+		/* at this point all pending data has been written */
+		ctx->blockout= 0;
+		if (ctx->buf_len == ctx->buf_off)
+			{
+			ctx->buf_len=OK_BLOCK_BLOCK;
+			ctx->buf_off=0;
+			}
+	
+		if ((in == NULL) || (inl <= 0)) return(0);
+
+		n= (inl+ ctx->buf_len > OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) ? 
+				OK_BLOCK_SIZE+ OK_BLOCK_BLOCK- ctx->buf_len : inl;
+
+		memcpy((unsigned char *)(&(ctx->buf[ctx->buf_len])),(unsigned char *)in,n);
+		ctx->buf_len+= n;
+		inl-=n;
+		in+=n;
+
+		if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK)
+			{
+			block_out(b);
+			}
+	}while(inl > 0);
+
+	BIO_clear_retry_flags(b);
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long ok_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO_OK_CTX *ctx;
+	EVP_MD *md;
+	const EVP_MD **ppmd;
+	long ret=1;
+	int i;
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		ctx->buf_len_save=0;
+		ctx->buf_off_save=0;
+		ctx->cont=1;
+		ctx->finished=0;
+		ctx->blockout= 0;
+		ctx->sigio=1;
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_EOF:	/* More to read */
+		if (ctx->cont <= 0)
+			ret=1;
+		else
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_PENDING: /* More to read in buffer */
+	case BIO_CTRL_WPENDING: /* More to read in buffer */
+		ret=ctx->blockout ? ctx->buf_len-ctx->buf_off : 0;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_FLUSH:
+		/* do a final write */
+		if(ctx->blockout == 0)
+			block_out(b);
+
+		while (ctx->blockout)
+			{
+			i=ok_write(b,NULL,0);
+			if (i < 0)
+				{
+				ret=i;
+				break;
+				}
+			}
+
+		ctx->finished=1;
+		ctx->buf_off=ctx->buf_len=0;
+		ctx->cont=(int)ret;
+		
+		/* Finally flush the underlying BIO */
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+	case BIO_CTRL_INFO:
+		ret=(long)ctx->cont;
+		break;
+	case BIO_C_SET_MD:
+		md=(EVP_MD *)ptr;
+		EVP_DigestInit(&(ctx->md),md);
+		b->init=1;
+		break;
+	case BIO_C_GET_MD:
+		if (b->init)
+			{
+			ppmd=(const EVP_MD **)ptr;
+			*ppmd=ctx->md.digest;
+			}
+		else
+			ret=0;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long ok_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static void longswap(void *_ptr, int len)
+{
+#ifndef L_ENDIAN
+	int i;
+	char *ptr=_ptr;
+
+	for(i= 0;i < len;i+= 4){
+		*((unsigned long *)&(ptr[i]))= swapem(*((unsigned long *)&(ptr[i])));
+	}
+#endif
+}
+
+static void sig_out(BIO* b)
+	{
+	BIO_OK_CTX *ctx;
+	EVP_MD_CTX *md;
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+	md= &(ctx->md);
+
+	if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
+
+	EVP_DigestInit(md, md->digest);
+	RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
+	memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
+	longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
+	ctx->buf_len+= md->digest->md_size;
+
+	EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
+	md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+	ctx->buf_len+= md->digest->md_size;
+	ctx->blockout= 1;
+	ctx->sigio= 0;
+	}
+
+static void sig_in(BIO* b)
+	{
+	BIO_OK_CTX *ctx;
+	EVP_MD_CTX *md;
+	unsigned char tmp[EVP_MAX_MD_SIZE];
+	int ret= 0;
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+	md= &(ctx->md);
+
+	if(ctx->buf_len- ctx->buf_off < 2* md->digest->md_size) return;
+
+	EVP_DigestInit(md, md->digest);
+	memcpy(&(md->md.base[0]), &(ctx->buf[ctx->buf_off]), md->digest->md_size);
+	longswap(&(md->md.base[0]), md->digest->md_size);
+	ctx->buf_off+= md->digest->md_size;
+
+	EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
+	md->digest->final(tmp, &(md->md.base[0]));
+	ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
+	ctx->buf_off+= md->digest->md_size;
+	if(ret == 1)
+		{
+		ctx->sigio= 0;
+		if(ctx->buf_len != ctx->buf_off)
+			{
+			memmove(ctx->buf, &(ctx->buf[ctx->buf_off]), ctx->buf_len- ctx->buf_off);
+			}
+		ctx->buf_len-= ctx->buf_off;
+		ctx->buf_off= 0;
+		}
+	else
+		{
+		ctx->cont= 0;
+		}
+	}
+
+static void block_out(BIO* b)
+	{
+	BIO_OK_CTX *ctx;
+	EVP_MD_CTX *md;
+	unsigned long tl;
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+	md= &(ctx->md);
+
+	tl= ctx->buf_len- OK_BLOCK_BLOCK;
+	tl= swapem(tl);
+	memcpy(ctx->buf, &tl, OK_BLOCK_BLOCK);
+	tl= swapem(tl);
+	EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
+	md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+	ctx->buf_len+= md->digest->md_size;
+	ctx->blockout= 1;
+	}
+
+static void block_in(BIO* b)
+	{
+	BIO_OK_CTX *ctx;
+	EVP_MD_CTX *md;
+	long tl= 0;
+	unsigned char tmp[EVP_MAX_MD_SIZE];
+
+	ctx=(BIO_OK_CTX *)b->ptr;
+	md= &(ctx->md);
+
+	memcpy(&tl, ctx->buf, OK_BLOCK_BLOCK);
+	tl= swapem(tl);
+	if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return;
+ 
+	EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
+	md->digest->final(tmp, &(md->md.base[0]));
+	if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0)
+		{
+		/* there might be parts from next block lurking around ! */
+		ctx->buf_off_save= tl+ OK_BLOCK_BLOCK+ md->digest->md_size;
+		ctx->buf_len_save= ctx->buf_len;
+		ctx->buf_off= OK_BLOCK_BLOCK;
+		ctx->buf_len= tl+ OK_BLOCK_BLOCK;
+		ctx->blockout= 1;
+		}
+	else
+		{
+		ctx->cont= 0;
+		}
+	}
+
diff --git a/crypto/openssl/crypto/evp/c_all.c b/crypto/openssl/crypto/evp/c_all.c
new file mode 100644
index 0000000..1e18583
--- /dev/null
+++ b/crypto/openssl/crypto/evp/c_all.c
@@ -0,0 +1,67 @@
+/* crypto/evp/c_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+
+void OpenSSL_add_all_algorithms(void)
+{
+	OpenSSL_add_all_ciphers();
+	OpenSSL_add_all_digests();
+}
diff --git a/crypto/openssl/crypto/evp/c_allc.c b/crypto/openssl/crypto/evp/c_allc.c
new file mode 100644
index 0000000..f24d375
--- /dev/null
+++ b/crypto/openssl/crypto/evp/c_allc.c
@@ -0,0 +1,149 @@
+/* crypto/evp/c_allc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include <openssl/objects.h>
+
+void OpenSSL_add_all_ciphers(void)
+	{
+#ifndef NO_DES
+	EVP_add_cipher(EVP_des_cfb());
+	EVP_add_cipher(EVP_des_ede_cfb());
+	EVP_add_cipher(EVP_des_ede3_cfb());
+
+	EVP_add_cipher(EVP_des_ofb());
+	EVP_add_cipher(EVP_des_ede_ofb());
+	EVP_add_cipher(EVP_des_ede3_ofb());
+
+	EVP_add_cipher(EVP_desx_cbc());
+	EVP_add_cipher_alias(SN_desx_cbc,"DESX");
+	EVP_add_cipher_alias(SN_desx_cbc,"desx");
+
+	EVP_add_cipher(EVP_des_cbc());
+	EVP_add_cipher_alias(SN_des_cbc,"DES");
+	EVP_add_cipher_alias(SN_des_cbc,"des");
+	EVP_add_cipher(EVP_des_ede_cbc());
+	EVP_add_cipher(EVP_des_ede3_cbc());
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+	EVP_add_cipher(EVP_des_ecb());
+	EVP_add_cipher(EVP_des_ede());
+	EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef NO_RC4
+	EVP_add_cipher(EVP_rc4());
+	EVP_add_cipher(EVP_rc4_40());
+#endif
+
+#ifndef NO_IDEA
+	EVP_add_cipher(EVP_idea_ecb());
+	EVP_add_cipher(EVP_idea_cfb());
+	EVP_add_cipher(EVP_idea_ofb());
+	EVP_add_cipher(EVP_idea_cbc());
+	EVP_add_cipher_alias(SN_idea_cbc,"IDEA");
+	EVP_add_cipher_alias(SN_idea_cbc,"idea");
+#endif
+
+#ifndef NO_RC2
+	EVP_add_cipher(EVP_rc2_ecb());
+	EVP_add_cipher(EVP_rc2_cfb());
+	EVP_add_cipher(EVP_rc2_ofb());
+	EVP_add_cipher(EVP_rc2_cbc());
+	EVP_add_cipher(EVP_rc2_40_cbc());
+	EVP_add_cipher(EVP_rc2_64_cbc());
+	EVP_add_cipher_alias(SN_rc2_cbc,"RC2");
+	EVP_add_cipher_alias(SN_rc2_cbc,"rc2");
+#endif
+
+#ifndef NO_BF
+	EVP_add_cipher(EVP_bf_ecb());
+	EVP_add_cipher(EVP_bf_cfb());
+	EVP_add_cipher(EVP_bf_ofb());
+	EVP_add_cipher(EVP_bf_cbc());
+	EVP_add_cipher_alias(SN_bf_cbc,"BF");
+	EVP_add_cipher_alias(SN_bf_cbc,"bf");
+	EVP_add_cipher_alias(SN_bf_cbc,"blowfish");
+#endif
+
+#ifndef NO_CAST
+	EVP_add_cipher(EVP_cast5_ecb());
+	EVP_add_cipher(EVP_cast5_cfb());
+	EVP_add_cipher(EVP_cast5_ofb());
+	EVP_add_cipher(EVP_cast5_cbc());
+	EVP_add_cipher_alias(SN_cast5_cbc,"CAST");
+	EVP_add_cipher_alias(SN_cast5_cbc,"cast");
+	EVP_add_cipher_alias(SN_cast5_cbc,"CAST-cbc");
+	EVP_add_cipher_alias(SN_cast5_cbc,"cast-cbc");
+#endif
+
+#ifndef NO_RC5
+	EVP_add_cipher(EVP_rc5_32_12_16_ecb());
+	EVP_add_cipher(EVP_rc5_32_12_16_cfb());
+	EVP_add_cipher(EVP_rc5_32_12_16_ofb());
+	EVP_add_cipher(EVP_rc5_32_12_16_cbc());
+	EVP_add_cipher_alias(SN_rc5_cbc,"rc5");
+	EVP_add_cipher_alias(SN_rc5_cbc,"RC5");
+#endif
+	PKCS12_PBE_add();
+	PKCS5_PBE_add();
+	}
diff --git a/crypto/openssl/crypto/evp/c_alld.c b/crypto/openssl/crypto/evp/c_alld.c
new file mode 100644
index 0000000..febe51a
--- /dev/null
+++ b/crypto/openssl/crypto/evp/c_alld.c
@@ -0,0 +1,100 @@
+/* crypto/evp/c_alld.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include <openssl/objects.h>
+
+void OpenSSL_add_all_digests(void)
+	{
+#ifndef NO_MD2
+	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
+	EVP_add_digest(EVP_md5());
+	EVP_add_digest_alias(SN_md5,"ssl2-md5");
+	EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef NO_SHA
+	EVP_add_digest(EVP_sha());
+#ifndef NO_DSA
+	EVP_add_digest(EVP_dss());
+#endif
+#endif
+#ifndef NO_SHA
+	EVP_add_digest(EVP_sha1());
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef NO_DSA
+	EVP_add_digest(EVP_dss1());
+	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#endif
+#if !defined(NO_MDC2) && !defined(NO_DES)
+	EVP_add_digest(EVP_mdc2());
+#endif
+#ifndef NO_RIPEMD
+	EVP_add_digest(EVP_ripemd160());
+	EVP_add_digest_alias(SN_ripemd160,"ripemd");
+	EVP_add_digest_alias(SN_ripemd160,"rmd160");
+#endif
+	}
diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c
new file mode 100644
index 0000000..c560733
--- /dev/null
+++ b/crypto/openssl/crypto/evp/digest.c
@@ -0,0 +1,92 @@
+/* crypto/evp/digest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+
+void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
+	{
+	ctx->digest=type;
+	type->init(&(ctx->md));
+	}
+
+void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
+	     unsigned int count)
+	{
+	ctx->digest->update(&(ctx->md.base[0]),data,(unsigned long)count);
+	}
+
+void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+	{
+	ctx->digest->final(md,&(ctx->md.base[0]));
+	if (size != NULL)
+		*size=ctx->digest->md_size;
+	memset(&(ctx->md),0,sizeof(ctx->md));
+	}
+
+int EVP_MD_CTX_copy(EVP_MD_CTX *out, EVP_MD_CTX *in)
+{
+    if ((in == NULL) || (in->digest == NULL)) {
+        EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
+	return 0;
+    }
+    memcpy((char *)out,(char *)in,in->digest->ctx_size);
+    return 1;
+}    
diff --git a/crypto/openssl/crypto/evp/e_cbc_3d.c b/crypto/openssl/crypto/evp/e_cbc_3d.c
new file mode 100644
index 0000000..5d16b86
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_3d.c
@@ -0,0 +1,151 @@
+/* crypto/evp/e_cbc_3d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_cbc_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_cbc_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_cbc_ede_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_cbc_ede_cipher2=
+	{
+	NID_des_ede_cbc,
+	8,16,8,
+	des_cbc_ede_init_key,
+	des_cbc_ede_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+static EVP_CIPHER d_cbc_ede_cipher3=
+	{
+	NID_des_ede3_cbc,
+	8,24,8,
+	des_cbc_ede3_init_key,
+	des_cbc_ede_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_ede_cbc(void)
+	{
+	return(&d_cbc_ede_cipher2);
+	}
+
+EVP_CIPHER *EVP_des_ede3_cbc(void)
+	{
+	return(&d_cbc_ede_cipher3);
+	}
+	
+static void des_cbc_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		memcpy( (char *)ctx->c.des_ede.ks3,
+			(char *)ctx->c.des_ede.ks1,
+			sizeof(ctx->c.des_ede.ks1));
+		}
+	}
+
+static void des_cbc_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+		}
+	}
+
+static void des_cbc_ede_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_ede3_cbc_encrypt(in,out,inl, ctx->c.des_ede.ks1,
+		ctx->c.des_ede.ks2,ctx->c.des_ede.ks3,
+		(des_cblock *) &(ctx->iv[0]),
+		ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_bf.c b/crypto/openssl/crypto/evp/e_cbc_bf.c
new file mode 100644
index 0000000..9bcba3c
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_bf.c
@@ -0,0 +1,106 @@
+/* crypto/evp/e_cbc_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void bf_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void bf_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER bfish_cbc_cipher=
+	{
+	NID_bf_cbc,
+	8,EVP_BLOWFISH_KEY_SIZE,8,
+	bf_cbc_init_key,
+	bf_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.bf_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_bf_cbc(void)
+	{
+	return(&bfish_cbc_cipher);
+	}
+	
+static void bf_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		BF_set_key(&(ctx->c.bf_ks),EVP_BLOWFISH_KEY_SIZE,key);
+	}
+
+static void bf_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	BF_cbc_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.bf_ks),&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_c.c b/crypto/openssl/crypto/evp/e_cbc_c.c
new file mode 100644
index 0000000..6845b0b
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_c.c
@@ -0,0 +1,107 @@
+/* crypto/evp/e_cbc_c.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void cast_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void cast_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER cast5_cbc_cipher=
+	{
+	NID_cast5_cbc,
+	8,EVP_CAST5_KEY_SIZE,8,
+	cast_cbc_init_key,
+	cast_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.cast_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_cast5_cbc(void)
+	{
+	return(&cast5_cbc_cipher);
+	}
+	
+static void cast_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		CAST_set_key(&(ctx->c.cast_ks),EVP_CAST5_KEY_SIZE,key);
+	}
+
+static void cast_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	CAST_cbc_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.cast_ks),&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_d.c b/crypto/openssl/crypto/evp/e_cbc_d.c
new file mode 100644
index 0000000..5b4e5b8
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_d.c
@@ -0,0 +1,106 @@
+/* crypto/evp/e_cbc_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_cbc_cipher=
+	{
+	NID_des_cbc,
+	8,8,8,
+	des_cbc_init_key,
+	des_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_cbc(void)
+	{
+	return(&d_cbc_cipher);
+	}
+	
+static void des_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
+	}
+
+static void des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_ncbc_encrypt(in,out,inl,ctx->c.des_ks,
+		(des_cblock *)&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_i.c b/crypto/openssl/crypto/evp/e_cbc_i.c
new file mode 100644
index 0000000..34b44aa
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_i.c
@@ -0,0 +1,119 @@
+/* crypto/evp/e_cbc_i.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void idea_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void idea_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER i_cbc_cipher=
+	{
+	NID_idea_cbc,
+	8,16,8,
+	idea_cbc_init_key,
+	idea_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.idea_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_idea_cbc(void)
+	{
+	return(&i_cbc_cipher);
+	}
+	
+static void idea_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		{
+		if (enc)
+			idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+		else
+			{
+			IDEA_KEY_SCHEDULE tmp;
+
+			idea_set_encrypt_key(key,&tmp);
+			idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
+			memset((unsigned char *)&tmp,0,
+				sizeof(IDEA_KEY_SCHEDULE));
+			}
+		}
+	}
+
+static void idea_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	idea_cbc_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.idea_ks),&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_r2.c b/crypto/openssl/crypto/evp/e_cbc_r2.c
new file mode 100644
index 0000000..9dfada4
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_r2.c
@@ -0,0 +1,216 @@
+/* crypto/evp/e_cbc_r2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc2_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static int rc2_meth_to_magic(const EVP_CIPHER *e);
+static EVP_CIPHER *rc2_magic_to_meth(int i);
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
+#define RC2_40_MAGIC	0xa0
+#define RC2_64_MAGIC	0x78
+#define RC2_128_MAGIC	0x3a
+
+static EVP_CIPHER r2_cbc_cipher=
+	{
+	NID_rc2_cbc,
+	8,EVP_RC2_KEY_SIZE,8,
+	rc2_cbc_init_key,
+	rc2_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	rc2_set_asn1_type_and_iv,
+	rc2_get_asn1_type_and_iv,
+	};
+
+static EVP_CIPHER r2_64_cbc_cipher=
+	{
+	NID_rc2_64_cbc,
+	8,8 /* 64 bit */,8,
+	rc2_cbc_init_key,
+	rc2_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	rc2_set_asn1_type_and_iv,
+	rc2_get_asn1_type_and_iv,
+	};
+
+static EVP_CIPHER r2_40_cbc_cipher=
+	{
+	NID_rc2_40_cbc,
+	8,5 /* 40 bit */,8,
+	rc2_cbc_init_key,
+	rc2_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	rc2_set_asn1_type_and_iv,
+	rc2_get_asn1_type_and_iv,
+	};
+
+EVP_CIPHER *EVP_rc2_cbc(void)
+	{
+	return(&r2_cbc_cipher);
+	}
+
+EVP_CIPHER *EVP_rc2_64_cbc(void)
+	{
+	return(&r2_64_cbc_cipher);
+	}
+
+EVP_CIPHER *EVP_rc2_40_cbc(void)
+	{
+	return(&r2_40_cbc_cipher);
+	}
+	
+static void rc2_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC2_set_key(&(ctx->c.rc2_ks),EVP_CIPHER_CTX_key_length(ctx),
+			key,EVP_CIPHER_CTX_key_length(ctx)*8);
+	}
+
+static void rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC2_cbc_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.rc2_ks),&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+
+static int rc2_meth_to_magic(const EVP_CIPHER *e)
+	{
+	int i;
+
+	i=EVP_CIPHER_key_length(e);
+	if 	(i == 16) return(RC2_128_MAGIC);
+	else if (i == 8)  return(RC2_64_MAGIC);
+	else if (i == 5)  return(RC2_40_MAGIC);
+	else return(0);
+	}
+
+static EVP_CIPHER *rc2_magic_to_meth(int i)
+	{
+	if      (i == RC2_128_MAGIC) return(EVP_rc2_cbc());
+	else if (i == RC2_64_MAGIC)  return(EVP_rc2_64_cbc());
+	else if (i == RC2_40_MAGIC)  return(EVP_rc2_40_cbc());
+	else
+		{
+		EVPerr(EVP_F_RC2_MAGIC_TO_METH,EVP_R_UNSUPPORTED_KEY_SIZE);
+		return(NULL);
+		}
+	}
+
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	long num=0;
+	int i=0,l;
+	EVP_CIPHER *e;
+
+	if (type != NULL)
+		{
+		l=EVP_CIPHER_CTX_iv_length(c);
+		i=ASN1_TYPE_get_int_octetstring(type,&num,c->oiv,l);
+		if (i != l)
+			return(-1);
+		else if (i > 0)
+			memcpy(c->iv,c->oiv,l);
+		e=rc2_magic_to_meth((int)num);
+		if (e == NULL)
+			return(-1);
+		if (e != EVP_CIPHER_CTX_cipher(c))
+			{
+			EVP_CIPHER_CTX_cipher(c)=e;
+			rc2_cbc_init_key(c,NULL,NULL,1);
+			}
+		}
+	return(i);
+	}
+
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	long num;
+	int i=0,j;
+
+	if (type != NULL)
+		{
+		num=rc2_meth_to_magic(EVP_CIPHER_CTX_cipher(c));
+		j=EVP_CIPHER_CTX_iv_length(c);
+		i=ASN1_TYPE_set_int_octetstring(type,num,c->oiv,j);
+		}
+	return(i);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cbc_r5.c b/crypto/openssl/crypto/evp/e_cbc_r5.c
new file mode 100644
index 0000000..cea3fe3
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cbc_r5.c
@@ -0,0 +1,108 @@
+/* crypto/evp/e_cbc_r5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC5
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void r_32_12_16_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void r_32_12_16_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER rc5_32_12_16_cbc_cipher=
+	{
+	NID_rc5_cbc,
+	8,EVP_RC5_32_12_16_KEY_SIZE,8,
+	r_32_12_16_cbc_init_key,
+	r_32_12_16_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc5_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_rc5_32_12_16_cbc(void)
+	{
+	return(&rc5_32_12_16_cbc_cipher);
+	}
+	
+static void r_32_12_16_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC5_32_set_key(&(ctx->c.rc5_ks),EVP_RC5_32_12_16_KEY_SIZE,
+			key,RC5_12_ROUNDS);
+	}
+
+static void r_32_12_16_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC5_32_cbc_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.rc5_ks),&(ctx->iv[0]),
+		ctx->encrypt);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_3d.c b/crypto/openssl/crypto/evp/e_cfb_3d.c
new file mode 100644
index 0000000..b364bd4
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_3d.c
@@ -0,0 +1,155 @@
+/* crypto/evp/e_cfb_3d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_ede_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede3_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_ede_cfb_cipher2=
+	{
+	NID_des_ede_cfb64,
+	1,16,8,
+	des_ede_cfb_init_key,
+	des_ede_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+static EVP_CIPHER d_ede3_cfb_cipher3=
+	{
+	NID_des_ede3_cfb64,
+	1,24,8,
+	des_ede3_cfb_init_key,
+	des_ede_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_ede_cfb(void)
+	{
+	return(&d_ede_cfb_cipher2);
+	}
+
+EVP_CIPHER *EVP_des_ede3_cfb(void)
+	{
+	return(&d_ede3_cfb_cipher3);
+	}
+	
+static void des_ede_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		memcpy( (char *)ctx->c.des_ede.ks3,
+			(char *)ctx->c.des_ede.ks1,
+			sizeof(ctx->c.des_ede.ks1));
+		}
+	}
+
+static void des_ede3_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+		}
+	}
+
+static void des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_ede3_cfb64_encrypt(in,out,(long)inl,
+			       ctx->c.des_ede.ks1,
+			       ctx->c.des_ede.ks2,
+			       ctx->c.des_ede.ks3,
+			       (des_cblock*)&(ctx->iv[0]),
+			       &ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_bf.c b/crypto/openssl/crypto/evp/e_cfb_bf.c
new file mode 100644
index 0000000..63e1e62
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_bf.c
@@ -0,0 +1,108 @@
+/* crypto/evp/e_cfb_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void bf_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void bf_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER bfish_cfb_cipher=
+	{
+	NID_bf_cfb64,
+	1,EVP_BLOWFISH_KEY_SIZE,8,
+	bf_cfb_init_key,
+	bf_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.bf_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_bf_cfb(void)
+	{
+	return(&bfish_cfb_cipher);
+	}
+	
+static void bf_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		BF_set_key(&(ctx->c.bf_ks),EVP_BLOWFISH_KEY_SIZE,key);
+	}
+
+static void bf_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	BF_cfb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.bf_ks),
+		&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_c.c b/crypto/openssl/crypto/evp/e_cfb_c.c
new file mode 100644
index 0000000..f04bac0
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_c.c
@@ -0,0 +1,109 @@
+/* crypto/evp/e_cfb_c.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void cast_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void cast_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER cast5_cfb_cipher=
+	{
+	NID_cast5_cfb64,
+	1,EVP_CAST5_KEY_SIZE,8,
+	cast_cfb_init_key,
+	cast_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.cast_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_cast5_cfb(void)
+	{
+	return(&cast5_cfb_cipher);
+	}
+	
+static void cast_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		CAST_set_key(&(ctx->c.cast_ks),EVP_CAST5_KEY_SIZE,key);
+	}
+
+static void cast_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	CAST_cfb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.cast_ks),
+		&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_d.c b/crypto/openssl/crypto/evp/e_cfb_d.c
new file mode 100644
index 0000000..9e1714b
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_d.c
@@ -0,0 +1,110 @@
+/* crypto/evp/e_cfb_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+#ifndef NO_DES
+static void des_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_cfb_cipher=
+	{
+	NID_des_cfb64,
+	1,8,8,
+	des_cfb_init_key,
+	des_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_cfb(void)
+	{
+	return(&d_cfb_cipher);
+	}
+	
+static void des_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
+	}
+
+static void des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_cfb64_encrypt(
+		in,out,
+		(long)inl, ctx->c.des_ks,
+		(des_cblock *)&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_i.c b/crypto/openssl/crypto/evp/e_cfb_i.c
new file mode 100644
index 0000000..31c76c6
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_i.c
@@ -0,0 +1,109 @@
+/* crypto/evp/e_cfb_i.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void idea_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void idea_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER i_cfb_cipher=
+	{
+	NID_idea_cfb64,
+	1,IDEA_KEY_LENGTH,IDEA_BLOCK,
+	idea_cfb_init_key,
+	idea_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.idea_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_idea_cfb(void)
+	{
+	return(&i_cfb_cipher);
+	}
+
+static void idea_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+	}
+
+static void idea_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	idea_cfb64_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.idea_ks),&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_r2.c b/crypto/openssl/crypto/evp/e_cfb_r2.c
new file mode 100644
index 0000000..32dd77e
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_r2.c
@@ -0,0 +1,110 @@
+/* crypto/evp/e_cfb_r2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc2_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc2_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER r2_cfb_cipher=
+	{
+	NID_rc2_cfb64,
+	1,EVP_RC2_KEY_SIZE,8,
+	rc2_cfb_init_key,
+	rc2_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_rc2_cfb(void)
+	{
+	return(&r2_cfb_cipher);
+	}
+	
+static void rc2_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC2_set_key(&(ctx->c.rc2_ks),EVP_CIPHER_CTX_key_length(ctx),
+			key,EVP_CIPHER_CTX_key_length(ctx)*8);
+	}
+
+static void rc2_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC2_cfb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.rc2_ks),
+		&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_cfb_r5.c b/crypto/openssl/crypto/evp/e_cfb_r5.c
new file mode 100644
index 0000000..8e79728
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_cfb_r5.c
@@ -0,0 +1,110 @@
+/* crypto/evp/e_cfb_r5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC5
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc5_32_12_16_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc5_32_12_16_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER rc5_cfb_cipher=
+	{
+	NID_rc5_cfb64,
+	1,EVP_RC5_32_12_16_KEY_SIZE,8,
+	rc5_32_12_16_cfb_init_key,
+	rc5_32_12_16_cfb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc5_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_rc5_32_12_16_cfb(void)
+	{
+	return(&rc5_cfb_cipher);
+	}
+	
+static void rc5_32_12_16_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC5_32_set_key(&(ctx->c.rc5_ks),EVP_RC5_32_12_16_KEY_SIZE,key,
+			RC5_12_ROUNDS);
+	}
+
+static void rc5_32_12_16_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC5_32_cfb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.rc5_ks),
+		&(ctx->iv[0]),
+		&ctx->num,ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_dsa.c b/crypto/openssl/crypto/evp/e_dsa.c
new file mode 100644
index 0000000..b96f273
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_dsa.c
@@ -0,0 +1,71 @@
+/* crypto/evp/e_dsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_PKEY_METHOD dss_method=
+	{
+	DSA_sign,
+	DSA_verify,
+	{EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3,NULL},
+	};
+
diff --git a/crypto/openssl/crypto/evp/e_ecb_3d.c b/crypto/openssl/crypto/evp/e_ecb_3d.c
new file mode 100644
index 0000000..806e971
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_3d.c
@@ -0,0 +1,158 @@
+/* crypto/evp/e_ecb_3d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_ede_cipher2=
+	{
+	NID_des_ede,
+	8,16,0,
+	des_ede_init_key,
+	des_ede_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	NULL,
+	NULL,
+	};
+
+static EVP_CIPHER d_ede3_cipher3=
+	{
+	NID_des_ede3,
+	8,24,0,
+	des_ede3_init_key,
+	des_ede_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	NULL,
+	};
+
+EVP_CIPHER *EVP_des_ede(void)
+	{
+	return(&d_ede_cipher2);
+	}
+
+EVP_CIPHER *EVP_des_ede3(void)
+	{
+	return(&d_ede3_cipher3);
+	}
+
+static void des_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		memcpy( (char *)ctx->c.des_ede.ks3,
+			(char *)ctx->c.des_ede.ks1,
+			sizeof(ctx->c.des_ede.ks1));
+		}
+	}
+
+static void des_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+		}
+	}
+
+static void des_ede_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+	des_cblock *output   /* = (des_cblock *)out */;
+	des_cblock *input    /* = (des_cblock *)in */;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		output = (des_cblock *)(out + i);
+		input = (des_cblock *)(in + i);
+
+		des_ecb3_encrypt(input,output,
+			ctx->c.des_ede.ks1,
+			ctx->c.des_ede.ks2,
+			ctx->c.des_ede.ks3,
+			ctx->encrypt);
+
+		/* output++; */
+		/* input++; */
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_bf.c b/crypto/openssl/crypto/evp/e_ecb_bf.c
new file mode 100644
index 0000000..334736d
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_bf.c
@@ -0,0 +1,109 @@
+/* crypto/evp/e_ecb_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void bf_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void bf_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER bfish_ecb_cipher=
+	{
+	NID_bf_ecb,
+	8,EVP_BLOWFISH_KEY_SIZE,0,
+	bf_ecb_init_key,
+	bf_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.bf_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_bf_ecb(void)
+	{
+	return(&bfish_ecb_cipher);
+	}
+	
+static void bf_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		BF_set_key(&(ctx->c.bf_ks),EVP_BLOWFISH_KEY_SIZE,key);
+	}
+
+static void bf_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		BF_ecb_encrypt(
+			&(in[i]),&(out[i]),
+			&(ctx->c.bf_ks),ctx->encrypt);
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_c.c b/crypto/openssl/crypto/evp/e_ecb_c.c
new file mode 100644
index 0000000..ad14e20
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_c.c
@@ -0,0 +1,110 @@
+/* crypto/evp/e_ecb_c.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void cast_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void cast_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER cast5_ecb_cipher=
+	{
+	NID_cast5_ecb,
+	8,EVP_CAST5_KEY_SIZE,0,
+	cast_ecb_init_key,
+	cast_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.cast_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_cast5_ecb(void)
+	{
+	return(&cast5_ecb_cipher);
+	}
+	
+static void cast_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		CAST_set_key(&(ctx->c.cast_ks),EVP_CAST5_KEY_SIZE,key);
+	}
+
+static void cast_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		CAST_ecb_encrypt(
+			&(in[i]),&(out[i]),
+			&(ctx->c.cast_ks),ctx->encrypt);
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_d.c b/crypto/openssl/crypto/evp/e_ecb_d.c
new file mode 100644
index 0000000..c11bef5
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_d.c
@@ -0,0 +1,118 @@
+/* crypto/evp/e_ecb_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_ecb_cipher=
+	{
+	NID_des_ecb,
+	8,8,0,
+	des_ecb_init_key,
+	des_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_des_ecb(void)
+	{
+	return(&d_ecb_cipher);
+	}
+	
+static void des_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (deskey != NULL)
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
+	}
+
+static void des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+	des_cblock *output  /* = (des_cblock *)out */;
+	des_cblock *input   /* = (des_cblock *)in */; 
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		/* Either this ... */
+		output = (des_cblock *)(out + i);
+		input = (des_cblock *)(in + i);
+
+		des_ecb_encrypt(input,output,ctx->c.des_ks,ctx->encrypt);
+
+		/* ... or this. */
+		/* output++; */
+		/* input++; */
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_i.c b/crypto/openssl/crypto/evp/e_ecb_i.c
new file mode 100644
index 0000000..50a3da1
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_i.c
@@ -0,0 +1,121 @@
+/* crypto/evp/e_ecb_i.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void idea_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER i_ecb_cipher=
+	{
+	NID_idea_ecb,
+	8,16,0,
+	idea_ecb_init_key,
+	idea_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.idea_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_idea_ecb(void)
+	{
+	return(&i_ecb_cipher);
+	}
+	
+static void idea_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		{
+		if (enc)
+			idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+		else
+			{
+			IDEA_KEY_SCHEDULE tmp;
+
+			idea_set_encrypt_key(key,&tmp);
+			idea_set_decrypt_key(&tmp, &(ctx->c.idea_ks));
+			memset((unsigned char *)&tmp,0,
+				sizeof(IDEA_KEY_SCHEDULE));
+			}
+		}
+	}
+
+static void idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		idea_ecb_encrypt(
+			&(in[i]),&(out[i]),&(ctx->c.idea_ks));
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_r2.c b/crypto/openssl/crypto/evp/e_ecb_r2.c
new file mode 100644
index 0000000..3c23301
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_r2.c
@@ -0,0 +1,111 @@
+/* crypto/evp/e_ecb_r2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc2_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc2_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER r2_ecb_cipher=
+	{
+	NID_rc2_ecb,
+	8,EVP_RC2_KEY_SIZE,0,
+	rc2_ecb_init_key,
+	rc2_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_rc2_ecb(void)
+	{
+	return(&r2_ecb_cipher);
+	}
+	
+static void rc2_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		RC2_set_key(&(ctx->c.rc2_ks),EVP_CIPHER_CTX_key_length(ctx),
+			key,EVP_CIPHER_CTX_key_length(ctx)*8);
+	}
+
+static void rc2_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		RC2_ecb_encrypt(
+			&(in[i]),&(out[i]),
+			&(ctx->c.rc2_ks),ctx->encrypt);
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ecb_r5.c b/crypto/openssl/crypto/evp/e_ecb_r5.c
new file mode 100644
index 0000000..ef43ce3
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ecb_r5.c
@@ -0,0 +1,111 @@
+/* crypto/evp/e_ecb_r5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC5
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc5_32_12_16_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc5_32_12_16_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER rc5_ecb_cipher=
+	{
+	NID_rc5_ecb,
+	8,EVP_RC5_32_12_16_KEY_SIZE,0,
+	rc5_32_12_16_ecb_init_key,
+	rc5_32_12_16_ecb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc5_ks)),
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_rc5_32_12_16_ecb(void)
+	{
+	return(&rc5_ecb_cipher);
+	}
+	
+static void rc5_32_12_16_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		RC5_32_set_key(&(ctx->c.rc5_ks),EVP_RC5_32_12_16_KEY_SIZE,key,
+			RC5_12_ROUNDS);
+	}
+
+static void rc5_32_12_16_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	unsigned int i;
+
+	if (inl < 8) return;
+	inl-=8;
+	for (i=0; i<=inl; i+=8)
+		{
+		RC5_32_ecb_encrypt(
+			&(in[i]),&(out[i]),
+			&(ctx->c.rc5_ks),ctx->encrypt);
+		}
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_null.c b/crypto/openssl/crypto/evp/e_null.c
new file mode 100644
index 0000000..0a62c10
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_null.c
@@ -0,0 +1,97 @@
+/* crypto/evp/e_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void null_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER n_cipher=
+	{
+	NID_undef,
+	1,0,0,
+	null_init_key,
+	null_cipher,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	};
+
+EVP_CIPHER *EVP_enc_null(void)
+	{
+	return(&n_cipher);
+	}
+
+static void null_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	memset(&(ctx->c),0,sizeof(ctx->c));
+	}
+
+static void null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	if (in != out)
+		memcpy((char *)out,(char *)in,(int)inl);
+	}
+
diff --git a/crypto/openssl/crypto/evp/e_ofb_3d.c b/crypto/openssl/crypto/evp/e_ofb_3d.c
new file mode 100644
index 0000000..d1a33e2
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_3d.c
@@ -0,0 +1,152 @@
+/* crypto/evp/e_ofb_3d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_ede_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede3_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_ede_ofb_cipher2=
+	{
+	NID_des_ede_ofb64,
+	1,16,8,
+	des_ede_ofb_init_key,
+	des_ede_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+static EVP_CIPHER d_ede3_ofb_cipher3=
+	{
+	NID_des_ede3_ofb64,
+	1,24,8,
+	des_ede3_ofb_init_key,
+	des_ede_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ede)),
+	EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_ede_ofb(void)
+	{
+	return(&d_ede_ofb_cipher2);
+	}
+
+EVP_CIPHER *EVP_des_ede3_ofb(void)
+	{
+	return(&d_ede3_ofb_cipher3);
+	}
+	
+static void des_ede_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		memcpy( (char *)ctx->c.des_ede.ks3,
+			(char *)ctx->c.des_ede.ks1,
+			sizeof(ctx->c.des_ede.ks1));
+		}
+	}
+
+static void des_ede3_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+		}
+	}
+
+static void des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_ede3_ofb64_encrypt(in,out,inl,ctx->c.des_ede.ks1,
+			       ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+			       (des_cblock *)&(ctx->iv[0]),&ctx->num);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_bf.c b/crypto/openssl/crypto/evp/e_ofb_bf.c
new file mode 100644
index 0000000..c82154b
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_bf.c
@@ -0,0 +1,109 @@
+/* crypto/evp/e_ofb_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void bf_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void bf_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER bfish_ofb_cipher=
+	{
+	NID_bf_ofb64,
+	1,EVP_BLOWFISH_KEY_SIZE,8,
+	bf_ofb_init_key,
+	bf_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.bf_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_bf_ofb(void)
+	{
+	return(&bfish_ofb_cipher);
+	}
+	
+static void bf_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		BF_set_key(&(ctx->c.bf_ks),EVP_BLOWFISH_KEY_SIZE,key);
+	}
+
+static void bf_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	BF_ofb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.bf_ks),
+		&(ctx->iv[0]),
+		&ctx->num);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_c.c b/crypto/openssl/crypto/evp/e_ofb_c.c
new file mode 100644
index 0000000..971043d
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_c.c
@@ -0,0 +1,110 @@
+/* crypto/evp/e_ofb_c.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void cast_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void cast_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER cast5_ofb_cipher=
+	{
+	NID_cast5_ofb64,
+	1,EVP_CAST5_KEY_SIZE,8,
+	cast_ofb_init_key,
+	cast_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.cast_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_cast5_ofb(void)
+	{
+	return(&cast5_ofb_cipher);
+	}
+	
+static void cast_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		CAST_set_key(&(ctx->c.cast_ks),EVP_CAST5_KEY_SIZE,key);
+	}
+
+static void cast_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	CAST_ofb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.cast_ks),
+		&(ctx->iv[0]),
+		&ctx->num);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_d.c b/crypto/openssl/crypto/evp/e_ofb_d.c
new file mode 100644
index 0000000..d51ce23
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_d.c
@@ -0,0 +1,107 @@
+/* crypto/evp/e_ofb_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void des_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_ofb_cipher=
+	{
+	NID_des_ofb64,
+	1,8,8,
+	des_ofb_init_key,
+	des_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.des_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_des_ofb(void)
+	{
+	return(&d_ofb_cipher);
+	}
+	
+static void des_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
+	}
+
+static void des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_ofb64_encrypt(in,out,inl,ctx->c.des_ks,
+		(des_cblock *)&(ctx->iv[0]),&ctx->num);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_i.c b/crypto/openssl/crypto/evp/e_ofb_i.c
new file mode 100644
index 0000000..389206e
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_i.c
@@ -0,0 +1,109 @@
+/* crypto/evp/e_ofb_i.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void idea_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void idea_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER i_ofb_cipher=
+	{
+	NID_idea_ofb64,
+	1,IDEA_KEY_LENGTH,IDEA_BLOCK,
+	idea_ofb_init_key,
+	idea_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.idea_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_idea_ofb(void)
+	{
+	return(&i_ofb_cipher);
+	}
+	
+static void idea_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+	}
+
+static void idea_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	idea_ofb64_encrypt(
+		in,out,(long)inl,
+		&(ctx->c.idea_ks),&(ctx->iv[0]),
+		&ctx->num);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_r2.c b/crypto/openssl/crypto/evp/e_ofb_r2.c
new file mode 100644
index 0000000..60ae3d4
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_r2.c
@@ -0,0 +1,111 @@
+/* crypto/evp/e_ofb_r2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc2_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc2_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER r2_ofb_cipher=
+	{
+	NID_rc2_ofb64,
+	1,EVP_RC2_KEY_SIZE,8,
+	rc2_ofb_init_key,
+	rc2_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_rc2_ofb(void)
+	{
+	return(&r2_ofb_cipher);
+	}
+	
+static void rc2_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC2_set_key(&(ctx->c.rc2_ks),EVP_CIPHER_CTX_key_length(ctx),
+			key,EVP_CIPHER_CTX_key_length(ctx)*8);
+	}
+
+static void rc2_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC2_ofb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.rc2_ks),
+		&(ctx->iv[0]),
+		&ctx->num);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_ofb_r5.c b/crypto/openssl/crypto/evp/e_ofb_r5.c
new file mode 100644
index 0000000..3013682
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_ofb_r5.c
@@ -0,0 +1,111 @@
+/* crypto/evp/e_ofb_r5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC5
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc5_32_12_16_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc5_32_12_16_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER rc5_ofb_cipher=
+	{
+	NID_rc5_ofb64,
+	1,EVP_RC5_32_12_16_KEY_SIZE,8,
+	rc5_32_12_16_ofb_init_key,
+	rc5_32_12_16_ofb_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc5_ks)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_rc5_32_12_16_ofb(void)
+	{
+	return(&rc5_ofb_cipher);
+	}
+	
+static void rc5_32_12_16_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	ctx->num=0;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (key != NULL)
+		RC5_32_set_key(&(ctx->c.rc5_ks),EVP_RC5_32_12_16_KEY_SIZE,key,
+			RC5_12_ROUNDS);
+	}
+
+static void rc5_32_12_16_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC5_32_ofb64_encrypt(
+		in,out,
+		(long)inl, &(ctx->c.rc5_ks),
+		&(ctx->iv[0]),
+		&ctx->num);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_rc4.c b/crypto/openssl/crypto/evp/e_rc4.c
new file mode 100644
index 0000000..c7e58a7
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_rc4.c
@@ -0,0 +1,115 @@
+/* crypto/evp/e_rc4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC4
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void rc4_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER r4_cipher=
+	{
+	NID_rc4,
+	1,EVP_RC4_KEY_SIZE,0,
+	rc4_init_key,
+	rc4_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc4)),
+	NULL,
+	NULL,
+	};
+
+static EVP_CIPHER r4_40_cipher=
+	{
+	NID_rc4_40,
+	1,5 /* 40 bit */,0,
+	rc4_init_key,
+	rc4_cipher,
+	};
+
+EVP_CIPHER *EVP_rc4(void)
+	{
+	return(&r4_cipher);
+	}
+
+EVP_CIPHER *EVP_rc4_40(void)
+	{
+	return(&r4_40_cipher);
+	}
+
+static void rc4_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	if (key != NULL)
+		memcpy(&(ctx->c.rc4.key[0]),key,EVP_CIPHER_CTX_key_length(ctx));
+	RC4_set_key(&(ctx->c.rc4.ks),EVP_CIPHER_CTX_key_length(ctx),
+		ctx->c.rc4.key);
+	}
+
+static void rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	RC4(&(ctx->c.rc4.ks),inl,in,out);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/e_xcbc_d.c b/crypto/openssl/crypto/evp/e_xcbc_d.c
new file mode 100644
index 0000000..7568fad
--- /dev/null
+++ b/crypto/openssl/crypto/evp/e_xcbc_d.c
@@ -0,0 +1,112 @@
+/* crypto/evp/e_xcbc_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+static void desx_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	unsigned char *iv,int enc);
+static void desx_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	unsigned char *in, unsigned int inl);
+static EVP_CIPHER d_xcbc_cipher=
+	{
+	NID_desx_cbc,
+	8,24,8,
+	desx_cbc_init_key,
+	desx_cbc_cipher,
+	NULL,
+	sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+		sizeof((((EVP_CIPHER_CTX *)NULL)->c.desx_cbc)),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	};
+
+EVP_CIPHER *EVP_desx_cbc(void)
+	{
+	return(&d_xcbc_cipher);
+	}
+	
+static void desx_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
+	     unsigned char *iv, int enc)
+	{
+	des_cblock *deskey = (des_cblock *)key;
+
+	if (iv != NULL)
+		memcpy(&(ctx->oiv[0]),iv,8);
+	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
+	if (deskey != NULL)
+		{
+		des_set_key_unchecked(deskey,ctx->c.desx_cbc.ks);
+		memcpy(&(ctx->c.desx_cbc.inw[0]),&(key[8]),8);
+		memcpy(&(ctx->c.desx_cbc.outw[0]),&(key[16]),8);
+		}
+	}
+
+static void desx_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	     unsigned char *in, unsigned int inl)
+	{
+	des_xcbc_encrypt(in,out,inl,ctx->c.desx_cbc.ks,
+		(des_cblock *)&(ctx->iv[0]),
+		&ctx->c.desx_cbc.inw,
+		&ctx->c.desx_cbc.outw,
+		ctx->encrypt);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/encode.c b/crypto/openssl/crypto/evp/encode.c
new file mode 100644
index 0000000..14a4cb1
--- /dev/null
+++ b/crypto/openssl/crypto/evp/encode.c
@@ -0,0 +1,427 @@
+/* crypto/evp/encode.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+
+#ifndef CHARSET_EBCDIC
+#define conv_bin2ascii(a)	(data_bin2ascii[(a)&0x3f])
+#define conv_ascii2bin(a)	(data_ascii2bin[(a)&0x7f])
+#else
+/* We assume that PEM encoded files are EBCDIC files
+ * (i.e., printable text files). Convert them here while decoding.
+ * When encoding, output is EBCDIC (text) format again.
+ * (No need for conversion in the conv_bin2ascii macro, as the
+ * underlying textstring data_bin2ascii[] is already EBCDIC)
+ */
+#define conv_bin2ascii(a)	(data_bin2ascii[(a)&0x3f])
+#define conv_ascii2bin(a)	(data_ascii2bin[os_toascii[a]&0x7f])
+#endif
+
+/* 64 char lines
+ * pad input with 0
+ * left over chars are set to =
+ * 1 byte  => xx==
+ * 2 bytes => xxx=
+ * 3 bytes => xxxx
+ */
+#define BIN_PER_LINE    (64/4*3)
+#define CHUNKS_PER_LINE (64/4)
+#define CHAR_PER_LINE   (64+1)
+
+static unsigned char data_bin2ascii[65]="ABCDEFGHIJKLMNOPQRSTUVWXYZ\
+abcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/* 0xF0 is a EOLN
+ * 0xF1 is ignore but next needs to be 0xF0 (for \r\n processing).
+ * 0xF2 is EOF
+ * 0xE0 is ignore at start of line.
+ * 0xFF is error
+ */
+
+#define B64_EOLN		0xF0
+#define B64_CR			0xF1
+#define B64_EOF			0xF2
+#define B64_WS			0xE0
+#define B64_ERROR       	0xFF
+#define B64_NOT_BASE64(a)	(((a)|0x13) == 0xF3)
+
+static unsigned char data_ascii2bin[128]={
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xE0,0xF0,0xFF,0xFF,0xF1,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xE0,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0x3E,0xFF,0xF2,0xFF,0x3F,
+	0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,
+	0x3C,0x3D,0xFF,0xFF,0xFF,0x00,0xFF,0xFF,
+	0xFF,0x00,0x01,0x02,0x03,0x04,0x05,0x06,
+	0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,
+	0x0F,0x10,0x11,0x12,0x13,0x14,0x15,0x16,
+	0x17,0x18,0x19,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,0x20,
+	0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,
+	0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F,0x30,
+	0x31,0x32,0x33,0xFF,0xFF,0xFF,0xFF,0xFF,
+	};
+
+void EVP_EncodeInit(EVP_ENCODE_CTX *ctx)
+	{
+	ctx->length=48;
+	ctx->num=0;
+	ctx->line_num=0;
+	}
+
+void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	int i,j;
+	unsigned int total=0;
+
+	*outl=0;
+	if (inl == 0) return;
+	if ((ctx->num+inl) < ctx->length)
+		{
+		memcpy(&(ctx->enc_data[ctx->num]),in,inl);
+		ctx->num+=inl;
+		return;
+		}
+	if (ctx->num != 0)
+		{
+		i=ctx->length-ctx->num;
+		memcpy(&(ctx->enc_data[ctx->num]),in,i);
+		in+=i;
+		inl-=i;
+		j=EVP_EncodeBlock(out,ctx->enc_data,ctx->length);
+		ctx->num=0;
+		out+=j;
+		*(out++)='\n';
+		*out='\0';
+		total=j+1;
+		}
+	while (inl >= ctx->length)
+		{
+		j=EVP_EncodeBlock(out,in,ctx->length);
+		in+=ctx->length;
+		inl-=ctx->length;
+		out+=j;
+		*(out++)='\n';
+		*out='\0';
+		total+=j+1;
+		}
+	if (inl != 0)
+		memcpy(&(ctx->enc_data[0]),in,inl);
+	ctx->num=inl;
+	*outl=total;
+	}
+
+void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl)
+	{
+	unsigned int ret=0;
+
+	if (ctx->num != 0)
+		{
+		ret=EVP_EncodeBlock(out,ctx->enc_data,ctx->num);
+		out[ret++]='\n';
+		out[ret]='\0';
+		ctx->num=0;
+		}
+	*outl=ret;
+	}
+
+int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen)
+	{
+	int i,ret=0;
+	unsigned long l;
+
+	for (i=dlen; i > 0; i-=3)
+		{
+		if (i >= 3)
+			{
+			l=	(((unsigned long)f[0])<<16L)|
+				(((unsigned long)f[1])<< 8L)|f[2];
+			*(t++)=conv_bin2ascii(l>>18L);
+			*(t++)=conv_bin2ascii(l>>12L);
+			*(t++)=conv_bin2ascii(l>> 6L);
+			*(t++)=conv_bin2ascii(l     );
+			}
+		else
+			{
+			l=((unsigned long)f[0])<<16L;
+			if (i == 2) l|=((unsigned long)f[1]<<8L);
+
+			*(t++)=conv_bin2ascii(l>>18L);
+			*(t++)=conv_bin2ascii(l>>12L);
+			*(t++)=(i == 1)?'=':conv_bin2ascii(l>> 6L);
+			*(t++)='=';
+			}
+		ret+=4;
+		f+=3;
+		}
+
+	*t='\0';
+	return(ret);
+	}
+
+void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
+	{
+	ctx->length=30;
+	ctx->num=0;
+	ctx->line_num=0;
+	ctx->expect_nl=0;
+	}
+
+/* -1 for error
+ *  0 for last line
+ *  1 for full line
+ */
+int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl;
+	unsigned char *d;
+
+	n=ctx->num;
+	d=ctx->enc_data;
+	ln=ctx->line_num;
+	exp_nl=ctx->expect_nl;
+
+	/* last line of input. */
+	if ((inl == 0) || ((n == 0) && (conv_ascii2bin(in[0]) == B64_EOF)))
+		{ rv=0; goto end; }
+		
+	/* We parse the input data */
+	for (i=0; i<inl; i++)
+		{
+		/* If the current line is > 80 characters, scream alot */
+		if (ln >= 80) { rv= -1; goto end; }
+
+		/* Get char and put it into the buffer */
+		tmp= *(in++);
+		v=conv_ascii2bin(tmp);
+		/* only save the good data :-) */
+		if (!B64_NOT_BASE64(v))
+			{
+			d[n++]=tmp;
+			ln++;
+			}
+		else if (v == B64_ERROR)
+			{
+			rv= -1;
+			goto end;
+			}
+
+		/* have we seen a '=' which is 'definitly' the last
+		 * input line.  seof will point to the character that
+		 * holds it. and eof will hold how many characters to
+		 * chop off. */
+		if (tmp == '=')
+			{
+			if (seof == -1) seof=n;
+			eof++;
+			}
+
+		/* eoln */
+		if (v == B64_EOLN)
+			{
+			ln=0;
+			if (exp_nl)
+				{
+				exp_nl=0;
+				continue;
+				}
+			}
+		exp_nl=0;
+
+		/* If we are at the end of input and it looks like a
+		 * line, process it. */
+		if (((i+1) == inl) && (((n&3) == 0) || eof))
+			v=B64_EOF;
+
+		if ((v == B64_EOF) || (n >= 64))
+			{
+			/* This is needed to work correctly on 64 byte input
+			 * lines.  We process the line and then need to
+			 * accept the '\n' */
+			if ((v != B64_EOF) && (n >= 64)) exp_nl=1;
+			tmp2=v;
+			if (n > 0)
+				{
+				v=EVP_DecodeBlock(out,d,n);
+				if (v < 0) { rv=0; goto end; }
+				n=0;
+				ret+=(v-eof);
+				}
+			else
+				{
+				eof=1;
+				v=0;
+				}
+
+			/* This is the case where we have had a short
+			 * but valid input line */
+			if ((v < ctx->length) && eof)
+				{
+				rv=0;
+				goto end;
+				}
+			else
+				ctx->length=v;
+
+			if (seof >= 0) { rv=0; goto end; }
+			out+=v;
+			}
+		}
+	rv=1;
+end:
+	*outl=ret;
+	ctx->num=n;
+	ctx->line_num=ln;
+	ctx->expect_nl=exp_nl;
+	return(rv);
+	}
+
+int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n)
+	{
+	int i,ret=0,a,b,c,d;
+	unsigned long l;
+
+	/* trim white space from the start of the line. */
+	while ((conv_ascii2bin(*f) == B64_WS) && (n > 0))
+		{
+		f++;
+		n--;
+		}
+
+	/* strip off stuff at the end of the line
+	 * ascii2bin values B64_WS, B64_EOLN, B64_EOLN and B64_EOF */
+	while ((n > 3) && (B64_NOT_BASE64(conv_ascii2bin(f[n-1]))))
+		n--;
+
+	if (n%4 != 0) return(-1);
+
+	for (i=0; i<n; i+=4)
+		{
+		a=conv_ascii2bin(*(f++));
+		b=conv_ascii2bin(*(f++));
+		c=conv_ascii2bin(*(f++));
+		d=conv_ascii2bin(*(f++));
+		if (	(a & 0x80) || (b & 0x80) ||
+			(c & 0x80) || (d & 0x80))
+			return(-1);
+		l=(	(((unsigned long)a)<<18L)|
+			(((unsigned long)b)<<12L)|
+			(((unsigned long)c)<< 6L)|
+			(((unsigned long)d)     ));
+		*(t++)=(unsigned char)(l>>16L)&0xff;
+		*(t++)=(unsigned char)(l>> 8L)&0xff;
+		*(t++)=(unsigned char)(l     )&0xff;
+		ret+=3;
+		}
+	return(ret);
+	}
+
+int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl)
+	{
+	int i;
+
+	*outl=0;
+	if (ctx->num != 0)
+		{
+		i=EVP_DecodeBlock(out,ctx->enc_data,ctx->num);
+		if (i < 0) return(-1);
+		ctx->num=0;
+		*outl=i;
+		return(1);
+		}
+	else
+		return(1);
+	}
+
+#ifdef undef
+int EVP_DecodeValid(unsigned char *buf, int len)
+	{
+	int i,num=0,bad=0;
+
+	if (len == 0) return(-1);
+	while (conv_ascii2bin(*buf) == B64_WS)
+		{
+		buf++;
+		len--;
+		if (len == 0) return(-1);
+		}
+
+	for (i=len; i >= 4; i-=4)
+		{
+		if (	(conv_ascii2bin(buf[0]) >= 0x40) ||
+			(conv_ascii2bin(buf[1]) >= 0x40) ||
+			(conv_ascii2bin(buf[2]) >= 0x40) ||
+			(conv_ascii2bin(buf[3]) >= 0x40))
+			return(-1);
+		buf+=4;
+		num+=1+(buf[2] != '=')+(buf[3] != '=');
+		}
+	if ((i == 1) && (conv_ascii2bin(buf[0]) == B64_EOLN))
+		return(num);
+	if ((i == 2) && (conv_ascii2bin(buf[0]) == B64_EOLN) &&
+		(conv_ascii2bin(buf[0]) == B64_EOLN))
+		return(num);
+	return(1);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h
new file mode 100644
index 0000000..39969c2
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp.h
@@ -0,0 +1,745 @@
+/* crypto/evp/evp.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#ifndef HEADER_ENVELOPE_H
+#define HEADER_ENVELOPE_H
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#ifndef NO_MD2
+#include <openssl/md2.h>
+#endif
+#ifndef NO_MD5
+#include <openssl/md5.h>
+#endif
+#ifndef NO_SHA
+#include <openssl/sha.h>
+#endif
+#ifndef NO_RIPEMD
+#include <openssl/ripemd.h>
+#endif
+#ifndef NO_DES
+#include <openssl/des.h>
+#endif
+#ifndef NO_RC4
+#include <openssl/rc4.h>
+#endif
+#ifndef NO_RC2
+#include <openssl/rc2.h>
+#endif
+#ifndef NO_RC5
+#include <openssl/rc5.h>
+#endif
+#ifndef NO_BF
+#include <openssl/blowfish.h>
+#endif
+#ifndef NO_CAST
+#include <openssl/cast.h>
+#endif
+#ifndef NO_IDEA
+#include <openssl/idea.h>
+#endif
+#ifndef NO_MDC2
+#include <openssl/mdc2.h>
+#endif
+
+#define EVP_RC2_KEY_SIZE		16
+#define EVP_RC4_KEY_SIZE		16
+#define EVP_BLOWFISH_KEY_SIZE		16
+#define EVP_CAST5_KEY_SIZE		16
+#define EVP_RC5_32_12_16_KEY_SIZE	16
+#define EVP_MAX_MD_SIZE			(16+20) /* The SSLv3 md5+sha1 type */
+#define EVP_MAX_KEY_LENGTH		24
+#define EVP_MAX_IV_LENGTH		8
+
+#define PKCS5_SALT_LEN			8
+/* Default PKCS#5 iteration count */
+#define PKCS5_DEFAULT_ITER		2048
+
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+
+#ifndef NO_DH
+#include <openssl/dh.h>
+#endif
+
+#include <openssl/objects.h>
+
+#define EVP_PK_RSA	0x0001
+#define EVP_PK_DSA	0x0002
+#define EVP_PK_DH	0x0004
+#define EVP_PKT_SIGN	0x0010
+#define EVP_PKT_ENC	0x0020
+#define EVP_PKT_EXCH	0x0040
+#define EVP_PKS_RSA	0x0100
+#define EVP_PKS_DSA	0x0200
+#define EVP_PKT_EXP	0x1000 /* <= 512 bit key */
+
+#define EVP_PKEY_NONE	NID_undef
+#define EVP_PKEY_RSA	NID_rsaEncryption
+#define EVP_PKEY_RSA2	NID_rsa
+#define EVP_PKEY_DSA	NID_dsa
+#define EVP_PKEY_DSA1	NID_dsa_2
+#define EVP_PKEY_DSA2	NID_dsaWithSHA
+#define EVP_PKEY_DSA3	NID_dsaWithSHA1
+#define EVP_PKEY_DSA4	NID_dsaWithSHA1_2
+#define EVP_PKEY_DH	NID_dhKeyAgreement
+
+/* Type needs to be a bit field
+ * Sub-type needs to be for variations on the method, as in, can it do
+ * arbitrary encryption.... */
+typedef struct evp_pkey_st
+	{
+	int type;
+	int save_type;
+	int references;
+	union	{
+		char *ptr;
+#ifndef NO_RSA
+		struct rsa_st *rsa;	/* RSA */
+#endif
+#ifndef NO_DSA
+		struct dsa_st *dsa;	/* DSA */
+#endif
+#ifndef NO_DH
+		struct dh_st *dh;	/* DH */
+#endif
+		} pkey;
+	int save_parameters;
+	STACK /*X509_ATTRIBUTE*/ *attributes; /* [ 0 ] */
+	} EVP_PKEY;
+
+#define EVP_PKEY_MO_SIGN	0x0001
+#define EVP_PKEY_MO_VERIFY	0x0002
+#define EVP_PKEY_MO_ENCRYPT	0x0004
+#define EVP_PKEY_MO_DECRYPT	0x0008
+
+#if 0
+/* This structure is required to tie the message digest and signing together.
+ * The lookup can be done by md/pkey_method, oid, oid/pkey_method, or
+ * oid, md and pkey.
+ * This is required because for various smart-card perform the digest and
+ * signing/verification on-board.  To handle this case, the specific
+ * EVP_MD and EVP_PKEY_METHODs need to be closely associated.
+ * When a PKEY is created, it will have a EVP_PKEY_METHOD associated with it.
+ * This can either be software or a token to provide the required low level
+ * routines.
+ */
+typedef struct evp_pkey_md_st
+	{
+	int oid;
+	EVP_MD *md;
+	EVP_PKEY_METHOD *pkey;
+	} EVP_PKEY_MD;
+
+#define EVP_rsa_md2() \
+		EVP_PKEY_MD_add(NID_md2WithRSAEncryption,\
+			EVP_rsa_pkcs1(),EVP_md2())
+#define EVP_rsa_md5() \
+		EVP_PKEY_MD_add(NID_md5WithRSAEncryption,\
+			EVP_rsa_pkcs1(),EVP_md5())
+#define EVP_rsa_sha0() \
+		EVP_PKEY_MD_add(NID_shaWithRSAEncryption,\
+			EVP_rsa_pkcs1(),EVP_sha())
+#define EVP_rsa_sha1() \
+		EVP_PKEY_MD_add(NID_sha1WithRSAEncryption,\
+			EVP_rsa_pkcs1(),EVP_sha1())
+#define EVP_rsa_ripemd160() \
+		EVP_PKEY_MD_add(NID_ripemd160WithRSA,\
+			EVP_rsa_pkcs1(),EVP_ripemd160())
+#define EVP_rsa_mdc2() \
+		EVP_PKEY_MD_add(NID_mdc2WithRSA,\
+			EVP_rsa_octet_string(),EVP_mdc2())
+#define EVP_dsa_sha() \
+		EVP_PKEY_MD_add(NID_dsaWithSHA,\
+			EVP_dsa(),EVP_mdc2())
+#define EVP_dsa_sha1() \
+		EVP_PKEY_MD_add(NID_dsaWithSHA1,\
+			EVP_dsa(),EVP_sha1())
+
+typedef struct evp_pkey_method_st
+	{
+	char *name;
+	int flags;
+	int type;		/* RSA, DSA, an SSLeay specific constant */
+	int oid;		/* For the pub-key type */
+	int encrypt_oid;	/* pub/priv key encryption */
+
+	int (*sign)();
+	int (*verify)();
+	struct	{
+		int
+		int (*set)();	/* get and/or set the underlying type */
+		int (*get)();
+		int (*encrypt)();
+		int (*decrypt)();
+		int (*i2d)();
+		int (*d2i)();
+		int (*dup)();
+		} pub,priv;
+	int (*set_asn1_parameters)();
+	int (*get_asn1_parameters)();
+	} EVP_PKEY_METHOD;
+#endif
+
+#ifndef EVP_MD
+typedef struct env_md_st
+	{
+	int type;
+	int pkey_type;
+	int md_size;
+	void (*init)();
+	void (*update)();
+	void (*final)();
+
+	int (*sign)();
+	int (*verify)();
+	int required_pkey_type[5]; /*EVP_PKEY_xxx */
+	int block_size;
+	int ctx_size; /* how big does the ctx need to be */
+	} EVP_MD;
+
+
+
+#define EVP_PKEY_NULL_method	NULL,NULL,{0,0,0,0}
+
+#ifndef NO_DSA
+#define EVP_PKEY_DSA_method	DSA_sign,DSA_verify, \
+				{EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, \
+					EVP_PKEY_DSA4,0}
+#else
+#define EVP_PKEY_DSA_method	EVP_PKEY_NULL_method
+#endif
+
+#ifndef NO_RSA
+#define EVP_PKEY_RSA_method	RSA_sign,RSA_verify, \
+				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
+#define EVP_PKEY_RSA_ASN1_OCTET_STRING_method \
+				RSA_sign_ASN1_OCTET_STRING, \
+				RSA_verify_ASN1_OCTET_STRING, \
+				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
+#else
+#define EVP_PKEY_RSA_method	EVP_PKEY_NULL_method
+#define EVP_PKEY_RSA_ASN1_OCTET_STRING_method EVP_PKEY_NULL_method
+#endif
+
+#endif /* !EVP_MD */
+
+typedef struct env_md_ctx_st
+	{
+	const EVP_MD *digest;
+	union	{
+		unsigned char base[4];
+#ifndef NO_MD2
+		MD2_CTX md2;
+#endif
+#ifndef NO_MD5
+		MD5_CTX md5;
+#endif
+#ifndef NO_RIPEMD
+		RIPEMD160_CTX ripemd160;
+#endif
+#ifndef NO_SHA
+		SHA_CTX sha;
+#endif
+#ifndef NO_MDC2
+		MDC2_CTX mdc2;
+#endif
+		} md;
+	} EVP_MD_CTX;
+
+typedef struct evp_cipher_st
+	{
+	int nid;
+	int block_size;
+	int key_len;
+	int iv_len;
+	void (*init)();		/* init for encryption */
+	void (*do_cipher)();	/* encrypt data */
+	void (*cleanup)();	/* used by cipher method */ 
+	int ctx_size;		/* how big the ctx needs to be */
+	/* int set_asn1_parameters(EVP_CIPHER_CTX,ASN1_TYPE *); */
+	int (*set_asn1_parameters)(); /* Populate a ASN1_TYPE with parameters */
+	/* int get_asn1_parameters(EVP_CIPHER_CTX,ASN1_TYPE *); */
+	int (*get_asn1_parameters)(); /* Get parameters from a ASN1_TYPE */
+	} EVP_CIPHER;
+
+typedef struct evp_cipher_info_st
+	{
+	const EVP_CIPHER *cipher;
+	unsigned char iv[EVP_MAX_IV_LENGTH];
+	} EVP_CIPHER_INFO;
+
+typedef struct evp_cipher_ctx_st
+	{
+	const EVP_CIPHER *cipher;
+	int encrypt;		/* encrypt or decrypt */
+	int buf_len;		/* number we have left */
+
+	unsigned char  oiv[EVP_MAX_IV_LENGTH];	/* original iv */
+	unsigned char  iv[EVP_MAX_IV_LENGTH];	/* working iv */
+	unsigned char buf[EVP_MAX_IV_LENGTH];	/* saved partial block */
+	int num;				/* used by cfb/ofb mode */
+
+	char *app_data;		/* application stuff */
+	union	{
+#ifndef NO_RC4
+		struct
+			{
+			unsigned char key[EVP_RC4_KEY_SIZE];
+			RC4_KEY ks;	/* working key */
+			} rc4;
+#endif
+#ifndef NO_DES
+		des_key_schedule des_ks;/* key schedule */
+		struct
+			{
+			des_key_schedule ks;/* key schedule */
+			des_cblock inw;
+			des_cblock outw;
+			} desx_cbc;
+		struct
+			{
+			des_key_schedule ks1;/* key schedule */
+			des_key_schedule ks2;/* key schedule (for ede) */
+			des_key_schedule ks3;/* key schedule (for ede3) */
+			} des_ede;
+#endif
+#ifndef NO_IDEA
+		IDEA_KEY_SCHEDULE idea_ks;/* key schedule */
+#endif
+#ifndef NO_RC2
+		RC2_KEY rc2_ks;/* key schedule */
+#endif
+#ifndef NO_RC5
+		RC5_32_KEY rc5_ks;/* key schedule */
+#endif
+#ifndef NO_BF
+		BF_KEY bf_ks;/* key schedule */
+#endif
+#ifndef NO_CAST
+		CAST_KEY cast_ks;/* key schedule */
+#endif
+		} c;
+	} EVP_CIPHER_CTX;
+
+typedef struct evp_Encode_Ctx_st
+	{
+	int num;	/* number saved in a partial encode/decode */
+	int length;	/* The length is either the output line length
+			 * (in input bytes) or the shortest input line
+			 * length that is ok.  Once decoding begins,
+			 * the length is adjusted up each time a longer
+			 * line is decoded */
+	unsigned char enc_data[80];	/* data to encode */
+	int line_num;	/* number read on current line */
+	int expect_nl;
+	} EVP_ENCODE_CTX;
+
+/* Password based encryption function */
+typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+		ASN1_TYPE *param, EVP_CIPHER *cipher,
+                EVP_MD *md, int en_de);
+
+#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
+					(char *)(rsa))
+#define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
+					(char *)(dsa))
+#define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\
+					(char *)(dh))
+
+/* Add some extra combinations */
+#define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
+#define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
+#define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
+#define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
+
+#define EVP_MD_type(e)			((e)->type)
+#define EVP_MD_pkey_type(e)		((e)->pkey_type)
+#define EVP_MD_size(e)			((e)->md_size)
+#define EVP_MD_block_size(e)		((e)->block_size)
+
+#define EVP_MD_CTX_md(e)		((e)->digest)
+#define EVP_MD_CTX_size(e)		EVP_MD_size((e)->digest)
+#define EVP_MD_CTX_block_size(e)	EVP_MD_block_size((e)->digest)
+#define EVP_MD_CTX_type(e)		EVP_MD_type((e)->digest)
+
+#define EVP_CIPHER_nid(e)		((e)->nid)
+#define EVP_CIPHER_block_size(e)	((e)->block_size)
+#define EVP_CIPHER_key_length(e)	((e)->key_len)
+#define EVP_CIPHER_iv_length(e)		((e)->iv_len)
+
+#define EVP_CIPHER_CTX_cipher(e)	((e)->cipher)
+#define EVP_CIPHER_CTX_nid(e)		((e)->cipher->nid)
+#define EVP_CIPHER_CTX_block_size(e)	((e)->cipher->block_size)
+#define EVP_CIPHER_CTX_key_length(e)	((e)->cipher->key_len)
+#define EVP_CIPHER_CTX_iv_length(e)	((e)->cipher->iv_len)
+#define EVP_CIPHER_CTX_get_app_data(e)	((e)->app_data)
+#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
+#define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
+
+#define EVP_ENCODE_LENGTH(l)	(((l+2)/3*4)+(l/48+1)*2+80)
+#define EVP_DECODE_LENGTH(l)	((l+3)/4*3+80)
+
+#define EVP_SignInit(a,b)		EVP_DigestInit(a,b)
+#define EVP_SignUpdate(a,b,c)		EVP_DigestUpdate(a,b,c)
+#define	EVP_VerifyInit(a,b)		EVP_DigestInit(a,b)
+#define	EVP_VerifyUpdate(a,b,c)		EVP_DigestUpdate(a,b,c)
+#define EVP_OpenUpdate(a,b,c,d,e)	EVP_DecryptUpdate(a,b,c,d,e)
+#define EVP_SealUpdate(a,b,c,d,e)	EVP_EncryptUpdate(a,b,c,d,e)	
+
+#ifdef CONST_STRICT
+void BIO_set_md(BIO *,const EVP_MD *md);
+#else
+# define BIO_set_md(b,md)		BIO_ctrl(b,BIO_C_SET_MD,0,(char *)md)
+#endif
+#define BIO_get_md(b,mdp)		BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
+#define BIO_get_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
+#define BIO_get_cipher_status(b)	BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
+#define BIO_get_cipher_ctx(b,c_pp)	BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
+
+#define	EVP_Cipher(c,o,i,l)	(c)->cipher->do_cipher((c),(o),(i),(l))
+
+#define EVP_add_cipher_alias(n,alias) \
+	OBJ_NAME_add((alias),OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS,(n))
+#define EVP_add_digest_alias(n,alias) \
+	OBJ_NAME_add((alias),OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,(n))
+#define EVP_delete_cipher_alias(alias) \
+	OBJ_NAME_remove(alias,OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS);
+#define EVP_delete_digest_alias(alias) \
+	OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS);
+
+
+int     EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+void	EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+void	EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
+			 unsigned int cnt);
+void	EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
+
+int	EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
+void	EVP_set_pw_prompt(char *prompt);
+char *	EVP_get_pw_prompt(void);
+
+int	EVP_BytesToKey(const EVP_CIPHER *type,EVP_MD *md,unsigned char *salt,
+		unsigned char *data, int datal, int count,
+		unsigned char *key,unsigned char *iv);
+
+void	EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
+		unsigned char *key, unsigned char *iv);
+void	EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+		int *outl, unsigned char *in, int inl);
+void	EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+
+void	EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
+		unsigned char *key, unsigned char *iv);
+void	EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+		int *outl, unsigned char *in, int inl);
+int	EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+
+void	EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
+		       unsigned char *key,unsigned char *iv,int enc);
+void	EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+		int *outl, unsigned char *in, int inl);
+int	EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+
+int	EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
+		EVP_PKEY *pkey);
+
+int	EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf,
+		unsigned int siglen,EVP_PKEY *pkey);
+
+int	EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+		int ekl,unsigned char *iv,EVP_PKEY *priv);
+int	EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+
+int	EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+void	EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
+
+void	EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
+void	EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,
+		int *outl,unsigned char *in,int inl);
+void	EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl);
+int	EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n);
+
+void	EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
+int	EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
+		unsigned char *in, int inl);
+int	EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
+		char *out, int *outl);
+int	EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
+
+void	ERR_load_EVP_strings(void );
+
+void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
+void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
+
+#ifdef HEADER_BIO_H
+BIO_METHOD *BIO_f_md(void);
+BIO_METHOD *BIO_f_base64(void);
+BIO_METHOD *BIO_f_cipher(void);
+BIO_METHOD *BIO_f_reliable(void);
+void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k,
+	unsigned char *i, int enc);
+#endif
+
+EVP_MD *EVP_md_null(void);
+EVP_MD *EVP_md2(void);
+EVP_MD *EVP_md5(void);
+EVP_MD *EVP_sha(void);
+EVP_MD *EVP_sha1(void);
+EVP_MD *EVP_dss(void);
+EVP_MD *EVP_dss1(void);
+EVP_MD *EVP_mdc2(void);
+EVP_MD *EVP_ripemd160(void);
+
+EVP_CIPHER *EVP_enc_null(void);		/* does nothing :-) */
+EVP_CIPHER *EVP_des_ecb(void);
+EVP_CIPHER *EVP_des_ede(void);
+EVP_CIPHER *EVP_des_ede3(void);
+EVP_CIPHER *EVP_des_cfb(void);
+EVP_CIPHER *EVP_des_ede_cfb(void);
+EVP_CIPHER *EVP_des_ede3_cfb(void);
+EVP_CIPHER *EVP_des_ofb(void);
+EVP_CIPHER *EVP_des_ede_ofb(void);
+EVP_CIPHER *EVP_des_ede3_ofb(void);
+EVP_CIPHER *EVP_des_cbc(void);
+EVP_CIPHER *EVP_des_ede_cbc(void);
+EVP_CIPHER *EVP_des_ede3_cbc(void);
+EVP_CIPHER *EVP_desx_cbc(void);
+EVP_CIPHER *EVP_rc4(void);
+EVP_CIPHER *EVP_rc4_40(void);
+EVP_CIPHER *EVP_idea_ecb(void);
+EVP_CIPHER *EVP_idea_cfb(void);
+EVP_CIPHER *EVP_idea_ofb(void);
+EVP_CIPHER *EVP_idea_cbc(void);
+EVP_CIPHER *EVP_rc2_ecb(void);
+EVP_CIPHER *EVP_rc2_cbc(void);
+EVP_CIPHER *EVP_rc2_40_cbc(void);
+EVP_CIPHER *EVP_rc2_64_cbc(void);
+EVP_CIPHER *EVP_rc2_cfb(void);
+EVP_CIPHER *EVP_rc2_ofb(void);
+EVP_CIPHER *EVP_bf_ecb(void);
+EVP_CIPHER *EVP_bf_cbc(void);
+EVP_CIPHER *EVP_bf_cfb(void);
+EVP_CIPHER *EVP_bf_ofb(void);
+EVP_CIPHER *EVP_cast5_ecb(void);
+EVP_CIPHER *EVP_cast5_cbc(void);
+EVP_CIPHER *EVP_cast5_cfb(void);
+EVP_CIPHER *EVP_cast5_ofb(void);
+EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
+EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
+EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
+EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
+
+void OpenSSL_add_all_algorithms(void);
+void OpenSSL_add_all_ciphers(void);
+void OpenSSL_add_all_digests(void);
+#define SSLeay_add_all_algorithms() OpenSSL_add_all_algorithms()
+#define SSLeay_add_all_ciphers() OpenSSL_add_all_ciphers()
+#define SSLeay_add_all_digests() OpenSSL_add_all_digests()
+
+int EVP_add_cipher(EVP_CIPHER *cipher);
+int EVP_add_digest(EVP_MD *digest);
+
+const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
+const EVP_MD *EVP_get_digestbyname(const char *name);
+void EVP_cleanup(void);
+
+int		EVP_PKEY_decrypt(unsigned char *dec_key,unsigned char *enc_key,
+			int enc_key_len,EVP_PKEY *private_key);
+int		EVP_PKEY_encrypt(unsigned char *enc_key,
+			unsigned char *key,int key_len,EVP_PKEY *pub_key);
+int		EVP_PKEY_type(int type);
+int		EVP_PKEY_bits(EVP_PKEY *pkey);
+int		EVP_PKEY_size(EVP_PKEY *pkey);
+int 		EVP_PKEY_assign(EVP_PKEY *pkey,int type,char *key);
+#ifndef NO_RSA
+int 		EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key);
+RSA *		EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+#endif
+#ifndef NO_DSA
+int 		EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key);
+DSA *		EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
+#endif
+#ifndef NO_DH
+int 		EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key);
+DH *		EVP_PKEY_get1_DH(EVP_PKEY *pkey);
+#endif
+EVP_PKEY *	EVP_PKEY_new(void);
+void		EVP_PKEY_free(EVP_PKEY *pkey);
+EVP_PKEY *	d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp,
+			long length);
+int		i2d_PublicKey(EVP_PKEY *a, unsigned char **pp);
+
+EVP_PKEY *	d2i_PrivateKey(int type,EVP_PKEY **a, unsigned char **pp,
+			long length);
+EVP_PKEY *	d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+			long length);
+int		i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp);
+
+int EVP_PKEY_copy_parameters(EVP_PKEY *to,EVP_PKEY *from);
+int EVP_PKEY_missing_parameters(EVP_PKEY *pkey);
+int EVP_PKEY_save_parameters(EVP_PKEY *pkey,int mode);
+int EVP_PKEY_cmp_parameters(EVP_PKEY *a,EVP_PKEY *b);
+
+int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+
+/* calls methods */
+int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
+/* These are used by EVP_CIPHER methods */
+int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c,ASN1_TYPE *type);
+int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c,ASN1_TYPE *type);
+
+/* PKCS5 password based encryption */
+int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+			 ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+			 int en_de);
+int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+			   unsigned char *salt, int saltlen, int iter,
+			   int keylen, unsigned char *out);
+int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+			 ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+			 int en_de);
+
+void PKCS5_PBE_add(void);
+
+int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
+	     ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de);
+int EVP_PBE_alg_add(int nid, EVP_CIPHER *cipher, EVP_MD *md,
+		    EVP_PBE_KEYGEN *keygen);
+void EVP_PBE_cleanup(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the EVP functions. */
+
+/* Function codes. */
+#define EVP_F_D2I_PKEY					 100
+#define EVP_F_EVP_DECRYPTFINAL				 101
+#define EVP_F_EVP_MD_CTX_COPY				 110
+#define EVP_F_EVP_OPENINIT				 102
+#define EVP_F_EVP_PBE_ALG_ADD				 115
+#define EVP_F_EVP_PBE_CIPHERINIT			 116
+#define EVP_F_EVP_PKCS82PKEY				 111
+#define EVP_F_EVP_PKCS8_SET_BROKEN			 112
+#define EVP_F_EVP_PKEY2PKCS8				 113
+#define EVP_F_EVP_PKEY_COPY_PARAMETERS			 103
+#define EVP_F_EVP_PKEY_DECRYPT				 104
+#define EVP_F_EVP_PKEY_ENCRYPT				 105
+#define EVP_F_EVP_PKEY_GET1_DH				 119
+#define EVP_F_EVP_PKEY_GET1_DSA				 120
+#define EVP_F_EVP_PKEY_GET1_RSA				 121
+#define EVP_F_EVP_PKEY_NEW				 106
+#define EVP_F_EVP_SIGNFINAL				 107
+#define EVP_F_EVP_VERIFYFINAL				 108
+#define EVP_F_PKCS5_PBE_KEYIVGEN			 117
+#define EVP_F_PKCS5_V2_PBE_KEYIVGEN			 118
+#define EVP_F_RC2_MAGIC_TO_METH				 109
+
+/* Reason codes. */
+#define EVP_R_BAD_DECRYPT				 100
+#define EVP_R_BN_DECODE_ERROR				 112
+#define EVP_R_BN_PUBKEY_ERROR				 113
+#define EVP_R_CIPHER_PARAMETER_ERROR			 122
+#define EVP_R_DECODE_ERROR				 114
+#define EVP_R_DIFFERENT_KEY_TYPES			 101
+#define EVP_R_ENCODE_ERROR				 115
+#define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
+#define EVP_R_EXPECTING_AN_RSA_KEY			 127
+#define EVP_R_EXPECTING_A_DH_KEY			 128
+#define EVP_R_EXPECTING_A_DSA_KEY			 129
+#define EVP_R_INPUT_NOT_INITIALIZED			 111
+#define EVP_R_IV_TOO_LARGE				 102
+#define EVP_R_KEYGEN_FAILURE				 120
+#define EVP_R_MISSING_PARAMETERS			 103
+#define EVP_R_NO_DSA_PARAMETERS				 116
+#define EVP_R_NO_SIGN_FUNCTION_CONFIGURED		 104
+#define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED		 105
+#define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE			 117
+#define EVP_R_PUBLIC_KEY_NOT_RSA			 106
+#define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
+#define EVP_R_UNSUPPORTED_CIPHER			 107
+#define EVP_R_UNSUPPORTED_KEYLENGTH			 123
+#define EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION	 124
+#define EVP_R_UNSUPPORTED_KEY_SIZE			 108
+#define EVP_R_UNSUPPORTED_PRF				 125
+#define EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM		 118
+#define EVP_R_UNSUPPORTED_SALT_TYPE			 126
+#define EVP_R_WRONG_FINAL_BLOCK_LENGTH			 109
+#define EVP_R_WRONG_PUBLIC_KEY_TYPE			 110
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
new file mode 100644
index 0000000..5299a65
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -0,0 +1,270 @@
+/* crypto/evp/evp_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+
+const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT;
+
+void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
+	{
+	memset(ctx,0,sizeof(EVP_CIPHER_CTX));
+	/* ctx->cipher=NULL; */
+	}
+
+void EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *data,
+	     unsigned char *key, unsigned char *iv, int enc)
+	{
+	if (enc)
+		EVP_EncryptInit(ctx,data,key,iv);
+	else	
+		EVP_DecryptInit(ctx,data,key,iv);
+	}
+
+void EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	if (ctx->encrypt)
+		EVP_EncryptUpdate(ctx,out,outl,in,inl);
+	else	EVP_DecryptUpdate(ctx,out,outl,in,inl);
+	}
+
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+	{
+	if (ctx->encrypt)
+		{
+		EVP_EncryptFinal(ctx,out,outl);
+		return(1);
+		}
+	else	return(EVP_DecryptFinal(ctx,out,outl));
+	}
+
+void EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+	     unsigned char *key, unsigned char *iv)
+	{
+	if (cipher != NULL)
+		ctx->cipher=cipher;
+	ctx->cipher->init(ctx,key,iv,1);
+	ctx->encrypt=1;
+	ctx->buf_len=0;
+	}
+
+void EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+	     unsigned char *key, unsigned char *iv)
+	{
+	if (cipher != NULL)
+		ctx->cipher=cipher;
+	ctx->cipher->init(ctx,key,iv,0);
+	ctx->encrypt=0;
+	ctx->buf_len=0;
+	}
+
+
+void EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	int i,j,bl;
+
+	i=ctx->buf_len;
+	bl=ctx->cipher->block_size;
+	*outl=0;
+	if ((inl == 0) && (i != bl)) return;
+	if (i != 0)
+		{
+		if (i+inl < bl)
+			{
+			memcpy(&(ctx->buf[i]),in,inl);
+			ctx->buf_len+=inl;
+			return;
+			}
+		else
+			{
+			j=bl-i;
+			if (j != 0) memcpy(&(ctx->buf[i]),in,j);
+			ctx->cipher->do_cipher(ctx,out,ctx->buf,bl);
+			inl-=j;
+			in+=j;
+			out+=bl;
+			*outl+=bl;
+			}
+		}
+	i=inl%bl; /* how much is left */
+	inl-=i;
+	if (inl > 0)
+		{
+		ctx->cipher->do_cipher(ctx,out,in,inl);
+		*outl+=inl;
+		}
+
+	if (i != 0)
+		memcpy(ctx->buf,&(in[inl]),i);
+	ctx->buf_len=i;
+	}
+
+void EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+	{
+	int i,n,b,bl;
+
+	b=ctx->cipher->block_size;
+	if (b == 1)
+		{
+		*outl=0;
+		return;
+		}
+	bl=ctx->buf_len;
+	n=b-bl;
+	for (i=bl; i<b; i++)
+		ctx->buf[i]=n;
+	ctx->cipher->do_cipher(ctx,out,ctx->buf,b);
+	*outl=b;
+	}
+
+void EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	int b,bl,n;
+	int keep_last=0;
+
+	*outl=0;
+	if (inl == 0) return;
+
+	b=ctx->cipher->block_size;
+	if (b > 1)
+		{
+		/* Is the input a multiple of the block size? */
+		bl=ctx->buf_len;
+		n=inl+bl;
+		if (n%b == 0)
+			{
+			if (inl < b) /* must be 'just one' buff */
+				{
+				memcpy(&(ctx->buf[bl]),in,inl);
+				ctx->buf_len=b;
+				*outl=0;
+				return;
+				}
+			keep_last=1;
+			inl-=b; /* don't do the last block */
+			}
+		}
+	EVP_EncryptUpdate(ctx,out,outl,in,inl);
+
+	/* if we have 'decrypted' a multiple of block size, make sure
+	 * we have a copy of this last block */
+	if (keep_last)
+		{
+		memcpy(&(ctx->buf[0]),&(in[inl]),b);
+#ifdef DEBUG
+		if (ctx->buf_len != 0)
+			{
+			abort();
+			}
+#endif
+		ctx->buf_len=b;
+		}
+	}
+
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+	{
+	int i,b;
+	int n;
+
+	*outl=0;
+	b=ctx->cipher->block_size;
+	if (b > 1)
+		{
+		if (ctx->buf_len != b)
+			{
+			EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
+			return(0);
+			}
+		EVP_EncryptUpdate(ctx,ctx->buf,&n,ctx->buf,0);
+		if (n != b)
+			return(0);
+		n=ctx->buf[b-1];
+		if (n > b)
+			{
+			EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
+			return(0);
+			}
+		for (i=0; i<n; i++)
+			{
+			if (ctx->buf[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; i<n; i++)
+			out[i]=ctx->buf[i];
+		*outl=n;
+		}
+	else
+		*outl=0;
+	return(1);
+	}
+
+void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
+	{
+	if ((c->cipher != NULL) && (c->cipher->cleanup != NULL))
+		c->cipher->cleanup(c);
+	memset(c,0,sizeof(EVP_CIPHER_CTX));
+	}
+
diff --git a/crypto/openssl/crypto/evp/evp_err.c b/crypto/openssl/crypto/evp/evp_err.c
new file mode 100644
index 0000000..fc149cb
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_err.c
@@ -0,0 +1,143 @@
+/* crypto/evp/evp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA EVP_str_functs[]=
+	{
+{ERR_PACK(0,EVP_F_D2I_PKEY,0),	"D2I_PKEY"},
+{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),	"EVP_DecryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),	"EVP_MD_CTX_copy"},
+{ERR_PACK(0,EVP_F_EVP_OPENINIT,0),	"EVP_OpenInit"},
+{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),	"EVP_PBE_alg_add"},
+{ERR_PACK(0,EVP_F_EVP_PBE_CIPHERINIT,0),	"EVP_PBE_CipherInit"},
+{ERR_PACK(0,EVP_F_EVP_PKCS82PKEY,0),	"EVP_PKCS82PKEY"},
+{ERR_PACK(0,EVP_F_EVP_PKCS8_SET_BROKEN,0),	"EVP_PKCS8_SET_BROKEN"},
+{ERR_PACK(0,EVP_F_EVP_PKEY2PKCS8,0),	"EVP_PKEY2PKCS8"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0),	"EVP_PKEY_copy_parameters"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0),	"EVP_PKEY_decrypt"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0),	"EVP_PKEY_encrypt"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0),	"EVP_PKEY_get1_DH"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0),	"EVP_PKEY_get1_DSA"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0),	"EVP_PKEY_get1_RSA"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),	"EVP_PKEY_new"},
+{ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),	"EVP_SignFinal"},
+{ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),	"EVP_VerifyFinal"},
+{ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0),	"PKCS5_PBE_keyivgen"},
+{ERR_PACK(0,EVP_F_PKCS5_V2_PBE_KEYIVGEN,0),	"PKCS5_v2_PBE_keyivgen"},
+{ERR_PACK(0,EVP_F_RC2_MAGIC_TO_METH,0),	"RC2_MAGIC_TO_METH"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA EVP_str_reasons[]=
+	{
+{EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
+{EVP_R_BN_DECODE_ERROR                   ,"bn decode error"},
+{EVP_R_BN_PUBKEY_ERROR                   ,"bn pubkey error"},
+{EVP_R_CIPHER_PARAMETER_ERROR            ,"cipher parameter error"},
+{EVP_R_DECODE_ERROR                      ,"decode error"},
+{EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
+{EVP_R_ENCODE_ERROR                      ,"encode error"},
+{EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
+{EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
+{EVP_R_EXPECTING_A_DH_KEY                ,"expecting a dh key"},
+{EVP_R_EXPECTING_A_DSA_KEY               ,"expecting a dsa key"},
+{EVP_R_INPUT_NOT_INITIALIZED             ,"input not initialized"},
+{EVP_R_IV_TOO_LARGE                      ,"iv too large"},
+{EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
+{EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
+{EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
+{EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
+{EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
+{EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE         ,"pkcs8 unknown broken type"},
+{EVP_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
+{EVP_R_UNKNOWN_PBE_ALGORITHM             ,"unknown pbe algorithm"},
+{EVP_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
+{EVP_R_UNSUPPORTED_KEYLENGTH             ,"unsupported keylength"},
+{EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION,"unsupported key derivation function"},
+{EVP_R_UNSUPPORTED_KEY_SIZE              ,"unsupported key size"},
+{EVP_R_UNSUPPORTED_PRF                   ,"unsupported prf"},
+{EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM ,"unsupported private key algorithm"},
+{EVP_R_UNSUPPORTED_SALT_TYPE             ,"unsupported salt type"},
+{EVP_R_WRONG_FINAL_BLOCK_LENGTH          ,"wrong final block length"},
+{EVP_R_WRONG_PUBLIC_KEY_TYPE             ,"wrong public key type"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_EVP_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_EVP,EVP_str_functs);
+		ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/evp/evp_key.c b/crypto/openssl/crypto/evp/evp_key.c
new file mode 100644
index 0000000..667c21c
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_key.c
@@ -0,0 +1,159 @@
+/* crypto/evp/evp_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+
+/* should be init to zeros. */
+static char prompt_string[80];
+
+void EVP_set_pw_prompt(char *prompt)
+	{
+	if (prompt == NULL)
+		prompt_string[0]='\0';
+	else
+		strncpy(prompt_string,prompt,79);
+	}
+
+char *EVP_get_pw_prompt(void)
+	{
+	if (prompt_string[0] == '\0')
+		return(NULL);
+	else
+		return(prompt_string);
+	}
+
+/* For historical reasons, the standard function for reading passwords is
+ * in the DES library -- if someone ever wants to disable DES,
+ * this function will fail */
+int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
+	{
+#ifndef NO_DES
+	if ((prompt == NULL) && (prompt_string[0] != '\0'))
+		prompt=prompt_string;
+	return(des_read_pw_string(buf,len,prompt,verify));
+#else
+	return -1;
+#endif
+	}
+
+int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, unsigned char *salt,
+	     unsigned char *data, int datal, int count, unsigned char *key,
+	     unsigned char *iv)
+	{
+	EVP_MD_CTX c;
+	unsigned char md_buf[EVP_MAX_MD_SIZE];
+	int niv,nkey,addmd=0;
+	unsigned int mds=0,i;
+
+	nkey=type->key_len;
+	niv=type->iv_len;
+
+	if (data == NULL) return(nkey);
+
+	for (;;)
+		{
+		EVP_DigestInit(&c,md);
+		if (addmd++)
+			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
+		EVP_DigestUpdate(&c,data,datal);
+		if (salt != NULL)
+			EVP_DigestUpdate(&c,salt,8);
+		EVP_DigestFinal(&c,&(md_buf[0]),&mds);
+
+		for (i=1; i<(unsigned int)count; i++)
+			{
+			EVP_DigestInit(&c,md);
+			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
+			EVP_DigestFinal(&c,&(md_buf[0]),&mds);
+			}
+		i=0;
+		if (nkey)
+			{
+			for (;;)
+				{
+				if (nkey == 0) break;
+				if (i == mds) break;
+				if (key != NULL)
+					*(key++)=md_buf[i];
+				nkey--;
+				i++;
+				}
+			}
+		if (niv && (i != mds))
+			{
+			for (;;)
+				{
+				if (niv == 0) break;
+				if (i == mds) break;
+				if (iv != NULL)
+					*(iv++)=md_buf[i];
+				niv--;
+				i++;
+				}
+			}
+		if ((nkey == 0) && (niv == 0)) break;
+		}
+	memset(&c,0,sizeof(c));
+	memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
+	return(type->key_len);
+	}
+
diff --git a/crypto/openssl/crypto/evp/evp_lib.c b/crypto/openssl/crypto/evp/evp_lib.c
new file mode 100644
index 0000000..a431945
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_lib.c
@@ -0,0 +1,142 @@
+/* crypto/evp/evp_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	int ret;
+
+	if (c->cipher->set_asn1_parameters != NULL)
+		ret=c->cipher->set_asn1_parameters(c,type);
+	else
+		ret=1;
+	return(ret);
+	}
+
+int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	int ret;
+
+	if (c->cipher->get_asn1_parameters != NULL)
+		ret=c->cipher->get_asn1_parameters(c,type);
+	else
+		ret=1;
+	return(ret);
+	}
+
+int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	int i=0,l;
+
+	if (type != NULL) 
+		{
+		l=EVP_CIPHER_CTX_iv_length(c);
+		i=ASN1_TYPE_get_octetstring(type,c->oiv,l);
+		if (i != l)
+			return(-1);
+		else if (i > 0)
+			memcpy(c->iv,c->oiv,l);
+		}
+	return(i);
+	}
+
+int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+	{
+	int i=0,j;
+
+	if (type != NULL)
+		{
+		j=EVP_CIPHER_CTX_iv_length(c);
+		i=ASN1_TYPE_set_octetstring(type,c->oiv,j);
+		}
+	return(i);
+	}
+
+/* Convert the various cipher NIDs and dummies to a proper OID NID */
+int EVP_CIPHER_type(const EVP_CIPHER *ctx)
+{
+	int nid;
+	ASN1_OBJECT *otmp;
+	nid = EVP_CIPHER_nid(ctx);
+
+	switch(nid) {
+
+		case NID_rc2_cbc:
+		case NID_rc2_64_cbc:
+		case NID_rc2_40_cbc:
+
+		return NID_rc2_cbc;
+
+		case NID_rc4:
+		case NID_rc4_40:
+
+		return NID_rc4;
+
+		default:
+		/* Check it has an OID and it is valid */
+		otmp = OBJ_nid2obj(nid);
+		if(!otmp || !otmp->data) nid = NID_undef;
+		ASN1_OBJECT_free(otmp);
+		return nid;
+	}
+}
+
diff --git a/crypto/openssl/crypto/evp/evp_pbe.c b/crypto/openssl/crypto/evp/evp_pbe.c
new file mode 100644
index 0000000..353c3ad
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_pbe.c
@@ -0,0 +1,134 @@
+/* evp_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "cryptlib.h"
+
+/* Password based encryption (PBE) functions */
+
+static STACK *pbe_algs;
+
+/* Setup a cipher context from a PBE algorithm */
+
+typedef struct {
+int pbe_nid;
+EVP_CIPHER *cipher;
+EVP_MD *md;
+EVP_PBE_KEYGEN *keygen;
+} EVP_PBE_CTL;
+
+int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
+	     ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
+{
+
+	EVP_PBE_CTL *pbetmp, pbelu;
+	int i;
+	pbelu.pbe_nid = OBJ_obj2nid(pbe_obj);
+	if (pbelu.pbe_nid != NID_undef) i = sk_find(pbe_algs, (char *)&pbelu);
+	else i = -1;
+
+	if (i == -1) {
+		char obj_tmp[80];
+		EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
+		if (!pbe_obj) strcpy (obj_tmp, "NULL");
+		else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
+		ERR_add_error_data(2, "TYPE=", obj_tmp);
+		return 0;
+	}
+	if (passlen == -1) passlen = strlen(pass);
+	pbetmp = (EVP_PBE_CTL *)sk_value (pbe_algs, i);
+	i = (*pbetmp->keygen)(ctx, pass, passlen, param, pbetmp->cipher,
+						 pbetmp->md, en_de);
+	if (!i) {
+		EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE);
+		return 0;
+	}
+	return 1;	
+}
+
+static int pbe_cmp (EVP_PBE_CTL **pbe1, EVP_PBE_CTL **pbe2)
+{
+	return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid);
+}
+
+/* Add a PBE algorithm */
+
+int EVP_PBE_alg_add (int nid, EVP_CIPHER *cipher, EVP_MD *md,
+	     EVP_PBE_KEYGEN *keygen)
+{
+	EVP_PBE_CTL *pbe_tmp;
+	if (!pbe_algs) pbe_algs = sk_new (pbe_cmp);
+	if (!(pbe_tmp = (EVP_PBE_CTL*) Malloc (sizeof(EVP_PBE_CTL)))) {
+		EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	pbe_tmp->pbe_nid = nid;
+	pbe_tmp->cipher = cipher;
+	pbe_tmp->md = md;
+	pbe_tmp->keygen = keygen;
+	sk_push (pbe_algs, (char *)pbe_tmp);
+	return 1;
+}
+
+void EVP_PBE_cleanup(void)
+{
+	sk_pop_free(pbe_algs, FreeFunc);
+	pbe_algs = NULL;
+}
diff --git a/crypto/openssl/crypto/evp/evp_pkey.c b/crypto/openssl/crypto/evp/evp_pkey.c
new file mode 100644
index 0000000..4ab091f
--- /dev/null
+++ b/crypto/openssl/crypto/evp/evp_pkey.c
@@ -0,0 +1,407 @@
+/* evp_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey);
+
+/* Extract a private key from a PKCS8 structure */
+
+EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
+{
+	EVP_PKEY *pkey = NULL;
+#ifndef NO_RSA
+	RSA *rsa = NULL;
+#endif
+#ifndef NO_DSA
+	DSA *dsa = NULL;
+	ASN1_INTEGER *privkey;
+	ASN1_TYPE *t1, *t2, *param = NULL;
+	STACK *ndsa = NULL;
+	BN_CTX *ctx = NULL;
+	int plen;
+#endif
+	X509_ALGOR *a;
+	unsigned char *p;
+	int pkeylen;
+	char obj_tmp[80];
+
+	if(p8->pkey->type == V_ASN1_OCTET_STRING) {
+		p8->broken = PKCS8_OK;
+		p = p8->pkey->value.octet_string->data;
+		pkeylen = p8->pkey->value.octet_string->length;
+	} else {
+		p8->broken = PKCS8_NO_OCTET;
+		p = p8->pkey->value.sequence->data;
+		pkeylen = p8->pkey->value.sequence->length;
+	}
+	if (!(pkey = EVP_PKEY_new())) {
+		EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	a = p8->pkeyalg;
+	switch (OBJ_obj2nid(a->algorithm))
+	{
+#ifndef NO_RSA
+		case NID_rsaEncryption:
+		if (!(rsa = d2i_RSAPrivateKey (NULL, &p, pkeylen))) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			return NULL;
+		}
+		EVP_PKEY_assign_RSA (pkey, rsa);
+		break;
+#endif
+#ifndef NO_DSA
+		case NID_dsa:
+		/* PKCS#8 DSA is weird: you just get a private key integer
+	         * and parameters in the AlgorithmIdentifier the pubkey must
+		 * be recalculated.
+		 */
+	
+		/* Check for broken DSA PKCS#8, UGH! */
+		if(*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
+		    if(!(ndsa = ASN1_seq_unpack(p, pkeylen, 
+					(char *(*)())d2i_ASN1_TYPE,
+							 ASN1_TYPE_free))) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		    }
+		    if(sk_num(ndsa) != 2 ) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		    }
+		    /* Handle Two broken types:
+		     * SEQUENCE {parameters, priv_key}
+		     * SEQUENCE {pub_key, priv_key}
+		     */
+
+		    t1 = (ASN1_TYPE *)sk_value(ndsa, 0);
+		    t2 = (ASN1_TYPE *)sk_value(ndsa, 1);
+		    if(t1->type == V_ASN1_SEQUENCE) {
+			p8->broken = PKCS8_EMBEDDED_PARAM;
+			param = t1;
+		    } else if(a->parameter->type == V_ASN1_SEQUENCE) {
+			p8->broken = PKCS8_NS_DB;
+			param = a->parameter;
+		    } else {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		    }
+
+		    if(t2->type != V_ASN1_INTEGER) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		    }
+		    privkey = t2->value.integer;
+		} else {
+			if (!(privkey=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
+				EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+				goto dsaerr;
+			}
+			param = p8->pkeyalg->parameter;
+		}
+		if (!param || (param->type != V_ASN1_SEQUENCE)) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		}
+		p = param->value.sequence->data;
+		plen = param->value.sequence->length;
+		if (!(dsa = d2i_DSAparams (NULL, &p, plen))) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		}
+		/* We have parameters now set private key */
+		if (!(dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_DECODE_ERROR);
+			goto dsaerr;
+		}
+		/* Calculate public key (ouch!) */
+		if (!(dsa->pub_key = BN_new())) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+			goto dsaerr;
+		}
+		if (!(ctx = BN_CTX_new())) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+			goto dsaerr;
+		}
+			
+		if (!BN_mod_exp(dsa->pub_key, dsa->g,
+						 dsa->priv_key, dsa->p, ctx)) {
+			
+			EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_PUBKEY_ERROR);
+			goto dsaerr;
+		}
+
+		EVP_PKEY_assign_DSA(pkey, dsa);
+		BN_CTX_free (ctx);
+		if(ndsa) sk_pop_free(ndsa, ASN1_TYPE_free);
+		else ASN1_INTEGER_free(privkey);
+		break;
+		dsaerr:
+		BN_CTX_free (ctx);
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		DSA_free(dsa);
+		EVP_PKEY_free(pkey);
+		return NULL;
+		break;
+#endif
+		default:
+		EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+		if (!a->algorithm) strcpy (obj_tmp, "NULL");
+		else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
+		ERR_add_error_data(2, "TYPE=", obj_tmp);
+		EVP_PKEY_free (pkey);
+		return NULL;
+	}
+	return pkey;
+}
+
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+{
+	return EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK);
+}
+
+/* Turn a private key into a PKCS8 structure */
+
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
+{
+	PKCS8_PRIV_KEY_INFO *p8;
+
+	if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {	
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	p8->broken = broken;
+	ASN1_INTEGER_set (p8->version, 0);
+	if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		PKCS8_PRIV_KEY_INFO_free (p8);
+		return NULL;
+	}
+	p8->pkey->type = V_ASN1_OCTET_STRING;
+	switch (EVP_PKEY_type(pkey->type)) {
+#ifndef NO_RSA
+		case EVP_PKEY_RSA:
+
+		if(p8->broken == PKCS8_NO_OCTET) p8->pkey->type = V_ASN1_SEQUENCE;
+
+		p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+		p8->pkeyalg->parameter->type = V_ASN1_NULL;
+		if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey,
+					 &p8->pkey->value.octet_string)) {
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			PKCS8_PRIV_KEY_INFO_free (p8);
+			return NULL;
+		}
+		break;
+#endif
+#ifndef NO_DSA
+		case EVP_PKEY_DSA:
+		if(!dsa_pkey2pkcs8(p8, pkey)) {
+			PKCS8_PRIV_KEY_INFO_free (p8);
+			return NULL;
+		}
+
+		break;
+#endif
+		default:
+		EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+		PKCS8_PRIV_KEY_INFO_free (p8);
+		return NULL;
+	}
+	RAND_add(p8->pkey->value.octet_string->data,
+		 p8->pkey->value.octet_string->length, 0);
+	return p8;
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
+{
+	switch (broken) {
+
+		case PKCS8_OK:
+		p8->broken = PKCS8_OK;
+		return p8;
+		break;
+
+		case PKCS8_NO_OCTET:
+		p8->broken = PKCS8_NO_OCTET;
+		p8->pkey->type = V_ASN1_SEQUENCE;
+		return p8;
+		break;
+
+		default:
+		EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+		return NULL;
+		break;
+		
+	}
+}
+
+#ifndef NO_DSA
+static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
+{
+	ASN1_STRING *params;
+	ASN1_INTEGER *prkey;
+	ASN1_TYPE *ttmp;
+	STACK *ndsa;
+	unsigned char *p, *q;
+	int len;
+	p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
+	len = i2d_DSAparams (pkey->pkey.dsa, NULL);
+	if (!(p = Malloc(len))) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		PKCS8_PRIV_KEY_INFO_free (p8);
+		return 0;
+	}
+	q = p;
+	i2d_DSAparams (pkey->pkey.dsa, &q);
+	params = ASN1_STRING_new();
+	ASN1_STRING_set(params, p, len);
+	Free(p);
+	/* Get private key into integer */
+	if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+		return 0;
+	}
+
+	switch(p8->broken) {
+
+		case PKCS8_OK:
+		case PKCS8_NO_OCTET:
+
+		if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
+					 &p8->pkey->value.octet_string)) {
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			M_ASN1_INTEGER_free (prkey);
+			return 0;
+		}
+
+		M_ASN1_INTEGER_free (prkey);
+		p8->pkeyalg->parameter->value.sequence = params;
+		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+
+		break;
+
+		case PKCS8_NS_DB:
+
+		p8->pkeyalg->parameter->value.sequence = params;
+		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+		ndsa = sk_new_null();
+		ttmp = ASN1_TYPE_new();
+		if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return 0;
+		}
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.integer = prkey;
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+
+		if (!ASN1_seq_pack(ndsa, i2d_ASN1_TYPE,
+					 &p8->pkey->value.octet_string->data,
+					 &p8->pkey->value.octet_string->length)) {
+
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			sk_pop_free(ndsa, ASN1_TYPE_free);
+			M_ASN1_INTEGER_free(prkey);
+			return 0;
+		}
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		break;
+
+		case PKCS8_EMBEDDED_PARAM:
+
+		p8->pkeyalg->parameter->type = V_ASN1_NULL;
+		ndsa = sk_new_null();
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.sequence = params;
+		ttmp->type = V_ASN1_SEQUENCE;
+		sk_push(ndsa, (char *)ttmp);
+
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.integer = prkey;
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+
+		if (!ASN1_seq_pack(ndsa, i2d_ASN1_TYPE,
+					 &p8->pkey->value.octet_string->data,
+					 &p8->pkey->value.octet_string->length)) {
+
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			sk_pop_free(ndsa, ASN1_TYPE_free);
+			M_ASN1_INTEGER_free (prkey);
+			return 0;
+		}
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		break;
+	}
+	return 1;
+}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_dss.c b/crypto/openssl/crypto/evp/m_dss.c
new file mode 100644
index 0000000..8ea8268
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_dss.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_dss.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+#ifndef NO_SHA
+static EVP_MD dsa_md=
+	{
+	NID_dsaWithSHA,
+	NID_dsaWithSHA,
+	SHA_DIGEST_LENGTH,
+	SHA1_Init,
+	SHA1_Update,
+	SHA1_Final,
+	EVP_PKEY_DSA_method,
+	SHA_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA_CTX),
+	};
+
+EVP_MD *EVP_dss(void)
+	{
+	return(&dsa_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_dss1.c b/crypto/openssl/crypto/evp/m_dss1.c
new file mode 100644
index 0000000..9d8d1ce
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_dss1.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_dss1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SHA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD dss1_md=
+	{
+	NID_dsa,
+	NID_dsaWithSHA1,
+	SHA_DIGEST_LENGTH,
+	SHA1_Init,
+	SHA1_Update,
+	SHA1_Final,
+	EVP_PKEY_DSA_method,
+	SHA_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA_CTX),
+	};
+
+EVP_MD *EVP_dss1(void)
+	{
+	return(&dss1_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_md2.c b/crypto/openssl/crypto/evp/m_md2.c
new file mode 100644
index 0000000..3281e91
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_md2.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_md2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_MD2
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD md2_md=
+	{
+	NID_md2,
+	NID_md2WithRSAEncryption,
+	MD2_DIGEST_LENGTH,
+	MD2_Init,
+	MD2_Update,
+	MD2_Final,
+	EVP_PKEY_RSA_method,
+	MD2_BLOCK,
+	sizeof(EVP_MD *)+sizeof(MD2_CTX),
+	};
+
+EVP_MD *EVP_md2(void)
+	{
+	return(&md2_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_md5.c b/crypto/openssl/crypto/evp/m_md5.c
new file mode 100644
index 0000000..9fc9530
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_md5.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_md5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_MD5
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD md5_md=
+	{
+	NID_md5,
+	NID_md5WithRSAEncryption,
+	MD5_DIGEST_LENGTH,
+	MD5_Init,
+	MD5_Update,
+	MD5_Final,
+	EVP_PKEY_RSA_method,
+	MD5_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(MD5_CTX),
+	};
+
+EVP_MD *EVP_md5(void)
+	{
+	return(&md5_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_mdc2.c b/crypto/openssl/crypto/evp/m_mdc2.c
new file mode 100644
index 0000000..2c7f1ae
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_mdc2.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_mdc2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_MDC2
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD mdc2_md=
+	{
+	NID_mdc2,
+	NID_mdc2WithRSA,
+	MDC2_DIGEST_LENGTH,
+	MDC2_Init,
+	MDC2_Update,
+	MDC2_Final,
+	EVP_PKEY_RSA_ASN1_OCTET_STRING_method,
+	MDC2_BLOCK,
+	sizeof(EVP_MD *)+sizeof(MDC2_CTX),
+	};
+
+EVP_MD *EVP_mdc2(void)
+	{
+	return(&mdc2_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_null.c b/crypto/openssl/crypto/evp/m_null.c
new file mode 100644
index 0000000..e2dadf3
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_null.c
@@ -0,0 +1,88 @@
+/* crypto/evp/m_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static void function(void)
+	{
+	}
+
+static EVP_MD null_md=
+	{
+	NID_undef,
+	NID_undef,
+	0,
+	function,
+	function,
+	function,
+	
+	EVP_PKEY_NULL_method,
+	0,
+	sizeof(EVP_MD *),
+	};
+
+EVP_MD *EVP_md_null(void)
+	{
+	return(&null_md);
+	}
+
+
diff --git a/crypto/openssl/crypto/evp/m_ripemd.c b/crypto/openssl/crypto/evp/m_ripemd.c
new file mode 100644
index 0000000..3d781a4
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_ripemd.c
@@ -0,0 +1,84 @@
+/* crypto/evp/m_ripemd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RIPEMD
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/ripemd.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD ripemd160_md=
+	{
+	NID_ripemd160,
+	NID_ripemd160WithRSA,
+	RIPEMD160_DIGEST_LENGTH,
+	RIPEMD160_Init,
+	RIPEMD160_Update,
+	RIPEMD160_Final,
+	EVP_PKEY_RSA_method,
+	RIPEMD160_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(RIPEMD160_CTX),
+	};
+
+EVP_MD *EVP_ripemd160(void)
+	{
+	return(&ripemd160_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_sha.c b/crypto/openssl/crypto/evp/m_sha.c
new file mode 100644
index 0000000..6d35b71
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_sha.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_sha.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SHA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD sha_md=
+	{
+	NID_sha,
+	NID_shaWithRSAEncryption,
+	SHA_DIGEST_LENGTH,
+	SHA_Init,
+	SHA_Update,
+	SHA_Final,
+	EVP_PKEY_RSA_method,
+	SHA_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA_CTX),
+	};
+
+EVP_MD *EVP_sha(void)
+	{
+	return(&sha_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_sha1.c b/crypto/openssl/crypto/evp/m_sha1.c
new file mode 100644
index 0000000..57a1ab0
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_sha1.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_sha1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_SHA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD sha1_md=
+	{
+	NID_sha1,
+	NID_sha1WithRSAEncryption,
+	SHA_DIGEST_LENGTH,
+	SHA1_Init,
+	SHA1_Update,
+	SHA1_Final,
+	EVP_PKEY_RSA_method,
+	SHA_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA_CTX),
+	};
+
+EVP_MD *EVP_sha1(void)
+	{
+	return(&sha1_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/names.c b/crypto/openssl/crypto/evp/names.c
new file mode 100644
index 0000000..620f43f
--- /dev/null
+++ b/crypto/openssl/crypto/evp/names.c
@@ -0,0 +1,123 @@
+/* crypto/evp/names.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_add_cipher(EVP_CIPHER *c)
+	{
+	int r;
+
+	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
+	if (r == 0) return(0);
+	r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
+	return(r);
+	}
+
+int EVP_add_digest(EVP_MD *md)
+	{
+	int r;
+	const char *name;
+
+	name=OBJ_nid2sn(md->type);
+	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(char *)md);
+	if (r == 0) return(0);
+	r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(char *)md);
+	if (r == 0) return(0);
+
+	if (md->type != md->pkey_type)
+		{
+		r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
+			OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
+		if (r == 0) return(0);
+		r=OBJ_NAME_add(OBJ_nid2ln(md->pkey_type),
+			OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
+		}
+	return(r);
+	}
+
+const EVP_CIPHER *EVP_get_cipherbyname(const char *name)
+	{
+	const EVP_CIPHER *cp;
+
+	cp=(const EVP_CIPHER *)OBJ_NAME_get(name,OBJ_NAME_TYPE_CIPHER_METH);
+	return(cp);
+	}
+
+const EVP_MD *EVP_get_digestbyname(const char *name)
+	{
+	const EVP_MD *cp;
+
+	cp=(const EVP_MD *)OBJ_NAME_get(name,OBJ_NAME_TYPE_MD_METH);
+	return(cp);
+	}
+
+void EVP_cleanup(void)
+	{
+	OBJ_NAME_cleanup(OBJ_NAME_TYPE_CIPHER_METH);
+	OBJ_NAME_cleanup(OBJ_NAME_TYPE_MD_METH);
+	/* The above calls will only clean out the contents of the name
+	   hash table, but not the hash table itself.  The following line
+	   does that part.  -- Richard Levitte */
+	OBJ_NAME_cleanup(-1);
+
+	EVP_PBE_cleanup();
+	}
diff --git a/crypto/openssl/crypto/evp/p5_crpt.c b/crypto/openssl/crypto/evp/p5_crpt.c
new file mode 100644
index 0000000..e3dae52
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p5_crpt.c
@@ -0,0 +1,146 @@
+/* p5_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include "cryptlib.h"
+
+/* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info.
+ */
+
+void PKCS5_PBE_add(void)
+{
+#ifndef NO_DES
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndDES_CBC, EVP_des_cbc(), EVP_md5(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndDES_CBC, EVP_des_cbc(), EVP_md2(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndDES_CBC, EVP_des_cbc(), EVP_sha1(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_RC2
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md5(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md2(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndRC2_CBC, EVP_rc2_64_cbc(), EVP_sha1(),
+							 PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_HMAC
+EVP_PBE_alg_add(NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen);
+#endif
+}
+
+int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
+			 ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+			 int en_de)
+{
+	EVP_MD_CTX ctx;
+	unsigned char md_tmp[EVP_MAX_MD_SIZE];
+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+	int i;
+	PBEPARAM *pbe;
+	int saltlen, iter;
+	unsigned char *salt, *pbuf;
+
+	/* Extract useful info from parameter */
+	pbuf = param->value.sequence->data;
+	if (!param || (param->type != V_ASN1_SEQUENCE) ||
+	   !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+		EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	if (!pbe->iter) iter = 1;
+	else iter = ASN1_INTEGER_get (pbe->iter);
+	salt = pbe->salt->data;
+	saltlen = pbe->salt->length;
+
+	EVP_DigestInit (&ctx, md);
+	EVP_DigestUpdate (&ctx, pass, passlen);
+	EVP_DigestUpdate (&ctx, salt, saltlen);
+	PBEPARAM_free(pbe);
+	EVP_DigestFinal (&ctx, md_tmp, NULL);
+	for (i = 1; i < iter; i++) {
+		EVP_DigestInit(&ctx, md);
+		EVP_DigestUpdate(&ctx, md_tmp, EVP_MD_size(md));
+		EVP_DigestFinal (&ctx, md_tmp, NULL);
+	}
+	memcpy (key, md_tmp, EVP_CIPHER_key_length(cipher));
+	memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+						 EVP_CIPHER_iv_length(cipher));
+	EVP_CipherInit(cctx, cipher, key, iv, en_de);
+	memset(md_tmp, 0, EVP_MAX_MD_SIZE);
+	memset(key, 0, EVP_MAX_KEY_LENGTH);
+	memset(iv, 0, EVP_MAX_IV_LENGTH);
+	return 1;
+}
diff --git a/crypto/openssl/crypto/evp/p5_crpt2.c b/crypto/openssl/crypto/evp/p5_crpt2.c
new file mode 100644
index 0000000..27a2c51
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p5_crpt2.c
@@ -0,0 +1,247 @@
+/* p5_crpt2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#if !defined(NO_HMAC) && !defined(NO_SHA)
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include "cryptlib.h"
+
+/* set this to print out info about the keygen algorithm */
+/* #define DEBUG_PKCS5V2 */
+
+#ifdef DEBUG_PKCS5V2
+	static void h__dump (const unsigned char *p, int len);
+#endif
+
+/* This is an implementation of PKCS#5 v2.0 password based encryption key
+ * derivation function PBKDF2 using the only currently defined function HMAC
+ * with SHA1. Verified against test vectors posted by Peter Gutmann
+ * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
+ */
+
+int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+			   unsigned char *salt, int saltlen, int iter,
+			   int keylen, unsigned char *out)
+{
+	unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
+	int cplen, j, k, tkeylen;
+	unsigned long i = 1;
+	HMAC_CTX hctx;
+	p = out;
+	tkeylen = keylen;
+	if(passlen == -1) passlen = strlen(pass);
+	while(tkeylen) {
+		if(tkeylen > SHA_DIGEST_LENGTH) cplen = SHA_DIGEST_LENGTH;
+		else cplen = tkeylen;
+		/* We are unlikely to ever use more than 256 blocks (5120 bits!)
+		 * but just in case...
+		 */
+		itmp[0] = (unsigned char)((i >> 24) & 0xff);
+		itmp[1] = (unsigned char)((i >> 16) & 0xff);
+		itmp[2] = (unsigned char)((i >> 8) & 0xff);
+		itmp[3] = (unsigned char)(i & 0xff);
+		HMAC_Init(&hctx, pass, passlen, EVP_sha1());
+		HMAC_Update(&hctx, salt, saltlen);
+		HMAC_Update(&hctx, itmp, 4);
+		HMAC_Final(&hctx, digtmp, NULL);
+		memcpy(p, digtmp, cplen);
+		for(j = 1; j < iter; j++) {
+			HMAC(EVP_sha1(), pass, passlen,
+				 digtmp, SHA_DIGEST_LENGTH, digtmp, NULL);
+			for(k = 0; k < cplen; k++) p[k] ^= digtmp[k];
+		}
+		tkeylen-= cplen;
+		i++;
+		p+= cplen;
+	}
+	HMAC_cleanup(&hctx);
+#ifdef DEBUG_PKCS5V2
+	fprintf(stderr, "Password:\n");
+	h__dump (pass, passlen);
+	fprintf(stderr, "Salt:\n");
+	h__dump (salt, saltlen);
+	fprintf(stderr, "Iteration count %d\n", iter);
+	fprintf(stderr, "Key:\n");
+	h__dump (out, keylen);
+#endif
+	return 1;
+}
+
+#ifdef DO_TEST
+main()
+{
+	unsigned char out[4];
+	unsigned char salt[] = {0x12, 0x34, 0x56, 0x78};
+	PKCS5_PBKDF2_HMAC_SHA1("password", -1, salt, 4, 5, 4, out);
+	fprintf(stderr, "Out %02X %02X %02X %02X\n",
+					 out[0], out[1], out[2], out[3]);
+}
+
+#endif
+
+/* Now the key derivation function itself. This is a bit evil because
+ * it has to check the ASN1 parameters are valid: and there are quite a
+ * few of them...
+ */
+
+int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *c, EVP_MD *md,
+                         int en_de)
+{
+	unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
+	int saltlen, keylen, iter, plen;
+	PBE2PARAM *pbe2 = NULL;
+	const EVP_CIPHER *cipher;
+	PBKDF2PARAM *kdf = NULL;
+
+	pbuf = param->value.sequence->data;
+	plen = param->value.sequence->length;
+	if(!param || (param->type != V_ASN1_SEQUENCE) ||
+				   !(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	/* See if we recognise the key derivation function */
+
+	if(OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+				EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
+		goto err;
+	}
+
+	/* lets see if we recognise the encryption algorithm.
+	 */
+
+	cipher = EVP_get_cipherbyname(
+			OBJ_nid2sn(OBJ_obj2nid(pbe2->encryption->algorithm)));
+
+	if(!cipher) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+						EVP_R_UNSUPPORTED_CIPHER);
+		goto err;
+	}
+
+	/* Fixup cipher based on AlgorithmIdentifier */
+	EVP_CipherInit(ctx, cipher, NULL, NULL, en_de);
+	if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+					EVP_R_CIPHER_PARAMETER_ERROR);
+		goto err;
+	}
+	keylen = EVP_CIPHER_CTX_key_length(ctx);
+
+	/* Now decode key derivation function */
+
+	pbuf = pbe2->keyfunc->parameter->value.sequence->data;
+	plen = pbe2->keyfunc->parameter->value.sequence->length;
+	if(!pbe2->keyfunc->parameter ||
+		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
+				!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		goto err;
+	}
+
+	PBE2PARAM_free(pbe2);
+	pbe2 = NULL;
+
+	/* Now check the parameters of the kdf */
+
+	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+						EVP_R_UNSUPPORTED_KEYLENGTH);
+		goto err;
+	}
+
+	if(kdf->prf && (OBJ_obj2nid(kdf->prf->algorithm) != NID_hmacWithSHA1)) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
+		goto err;
+	}
+
+	if(kdf->salt->type != V_ASN1_OCTET_STRING) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+						EVP_R_UNSUPPORTED_SALT_TYPE);
+		goto err;
+	}
+
+	/* it seems that its all OK */
+	salt = kdf->salt->value.octet_string->data;
+	saltlen = kdf->salt->value.octet_string->length;
+	iter = ASN1_INTEGER_get(kdf->iter);
+	PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
+	EVP_CipherInit(ctx, NULL, key, NULL, en_de);
+	memset(key, 0, keylen);
+	PBKDF2PARAM_free(kdf);
+	return 1;
+
+	err:
+	PBE2PARAM_free(pbe2);
+	PBKDF2PARAM_free(kdf);
+	return 0;
+}
+
+#ifdef DEBUG_PKCS5V2
+static void h__dump (const unsigned char *p, int len)
+{
+        for (; len --; p++) fprintf(stderr, "%02X ", *p);
+        fprintf(stderr, "\n");
+}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/evp/p_dec.c b/crypto/openssl/crypto/evp/p_dec.c
new file mode 100644
index 0000000..57b5daa
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_dec.c
@@ -0,0 +1,87 @@
+/* crypto/evp/p_dec.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_PKEY_decrypt(unsigned char *key, unsigned char *ek, int ekl,
+	     EVP_PKEY *priv)
+	{
+	int ret= -1;
+	
+#ifndef NO_RSA
+	if (priv->type != EVP_PKEY_RSA)
+		{
+#endif
+		EVPerr(EVP_F_EVP_PKEY_DECRYPT,EVP_R_PUBLIC_KEY_NOT_RSA);
+#ifndef NO_RSA
+		goto err;
+                }
+
+	ret=RSA_private_decrypt(ekl,ek,key,priv->pkey.rsa,RSA_PKCS1_PADDING);
+err:
+#endif
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/evp/p_enc.c b/crypto/openssl/crypto/evp/p_enc.c
new file mode 100644
index 0000000..4cf6aca
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_enc.c
@@ -0,0 +1,86 @@
+/* crypto/evp/p_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_PKEY_encrypt(unsigned char *ek, unsigned char *key, int key_len,
+	     EVP_PKEY *pubk)
+	{
+	int ret=0;
+	
+#ifndef NO_RSA
+	if (pubk->type != EVP_PKEY_RSA)
+		{
+#endif
+		EVPerr(EVP_F_EVP_PKEY_ENCRYPT,EVP_R_PUBLIC_KEY_NOT_RSA);
+#ifndef NO_RSA
+		goto err;
+		}
+	ret=RSA_public_encrypt(key_len,key,ek,pubk->pkey.rsa,RSA_PKCS1_PADDING);
+err:
+#endif
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/evp/p_lib.c b/crypto/openssl/crypto/evp/p_lib.c
new file mode 100644
index 0000000..4cb387f
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_lib.c
@@ -0,0 +1,333 @@
+/* crypto/evp/p_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+static void EVP_PKEY_free_it(EVP_PKEY *x);
+int EVP_PKEY_bits(EVP_PKEY *pkey)
+	{
+#ifndef NO_RSA
+	if (pkey->type == EVP_PKEY_RSA)
+		return(BN_num_bits(pkey->pkey.rsa->n));
+	else
+#endif
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+		return(BN_num_bits(pkey->pkey.dsa->p));
+#endif
+	return(0);
+	}
+
+int EVP_PKEY_size(EVP_PKEY *pkey)
+	{
+	if (pkey == NULL)
+		return(0);
+#ifndef NO_RSA
+	if (pkey->type == EVP_PKEY_RSA)
+		return(RSA_size(pkey->pkey.rsa));
+	else
+#endif
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+		return(DSA_size(pkey->pkey.dsa));
+#endif
+	return(0);
+	}
+
+int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
+	{
+#ifndef NO_DSA
+	if (pkey->type == EVP_PKEY_DSA)
+		{
+		int ret=pkey->save_parameters=mode;
+
+		if (mode >= 0)
+			pkey->save_parameters=mode;
+		return(ret);
+		}
+#endif
+	return(0);
+	}
+
+int EVP_PKEY_copy_parameters(EVP_PKEY *to, EVP_PKEY *from)
+	{
+	if (to->type != from->type)
+		{
+		EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS,EVP_R_DIFFERENT_KEY_TYPES);
+		goto err;
+		}
+
+	if (EVP_PKEY_missing_parameters(from))
+		{
+		EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS,EVP_R_MISSING_PARAMETERS);
+		goto err;
+		}
+#ifndef NO_DSA
+	if (to->type == EVP_PKEY_DSA)
+		{
+		BIGNUM *a;
+
+		if ((a=BN_dup(from->pkey.dsa->p)) == NULL) goto err;
+		if (to->pkey.dsa->p != NULL) BN_free(to->pkey.dsa->p);
+		to->pkey.dsa->p=a;
+
+		if ((a=BN_dup(from->pkey.dsa->q)) == NULL) goto err;
+		if (to->pkey.dsa->q != NULL) BN_free(to->pkey.dsa->q);
+		to->pkey.dsa->q=a;
+
+		if ((a=BN_dup(from->pkey.dsa->g)) == NULL) goto err;
+		if (to->pkey.dsa->g != NULL) BN_free(to->pkey.dsa->g);
+		to->pkey.dsa->g=a;
+		}
+#endif
+	return(1);
+err:
+	return(0);
+	}
+
+int EVP_PKEY_missing_parameters(EVP_PKEY *pkey)
+	{
+#ifndef NO_DSA
+	if (pkey->type == EVP_PKEY_DSA)
+		{
+		DSA *dsa;
+
+		dsa=pkey->pkey.dsa;
+		if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
+			return(1);
+		}
+#endif
+	return(0);
+	}
+
+int EVP_PKEY_cmp_parameters(EVP_PKEY *a, EVP_PKEY *b)
+	{
+#ifndef NO_DSA
+	if ((a->type == EVP_PKEY_DSA) && (b->type == EVP_PKEY_DSA))
+		{
+		if (	BN_cmp(a->pkey.dsa->p,b->pkey.dsa->p) ||
+			BN_cmp(a->pkey.dsa->q,b->pkey.dsa->q) ||
+			BN_cmp(a->pkey.dsa->g,b->pkey.dsa->g))
+			return(0);
+		else
+			return(1);
+		}
+#endif
+	return(-1);
+	}
+
+EVP_PKEY *EVP_PKEY_new(void)
+	{
+	EVP_PKEY *ret;
+
+	ret=(EVP_PKEY *)Malloc(sizeof(EVP_PKEY));
+	if (ret == NULL)
+		{
+		EVPerr(EVP_F_EVP_PKEY_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	ret->type=EVP_PKEY_NONE;
+	ret->references=1;
+	ret->pkey.ptr=NULL;
+	ret->attributes=NULL;
+	ret->save_parameters=1;
+	return(ret);
+	}
+
+int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key)
+	{
+	if (pkey == NULL) return(0);
+	if (pkey->pkey.ptr != NULL)
+		EVP_PKEY_free_it(pkey);
+	pkey->type=EVP_PKEY_type(type);
+	pkey->save_type=type;
+	pkey->pkey.ptr=key;
+	return(key != NULL);
+	}
+
+#ifndef NO_RSA
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
+{
+	int ret = EVP_PKEY_assign_RSA(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_RSA);
+	return ret;
+}
+
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_RSA) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
+		return NULL;
+	}
+	CRYPTO_add(&pkey->pkey.rsa->references, 1, CRYPTO_LOCK_RSA);
+	return pkey->pkey.rsa;
+}
+#endif
+
+#ifndef NO_DSA
+int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
+{
+	int ret = EVP_PKEY_assign_DSA(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DSA);
+	return ret;
+}
+
+DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_DSA) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_DSA, EVP_R_EXPECTING_A_DSA_KEY);
+		return NULL;
+	}
+	CRYPTO_add(&pkey->pkey.dsa->references, 1, CRYPTO_LOCK_DSA);
+	return pkey->pkey.dsa;
+}
+#endif
+
+#ifndef NO_DH
+
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
+{
+	int ret = EVP_PKEY_assign_DH(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DH);
+	return ret;
+}
+
+DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_DH) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_DH, EVP_R_EXPECTING_A_DH_KEY);
+		return NULL;
+	}
+	CRYPTO_add(&pkey->pkey.dh->references, 1, CRYPTO_LOCK_DH);
+	return pkey->pkey.dh;
+}
+#endif
+
+int EVP_PKEY_type(int type)
+	{
+	switch (type)
+		{
+	case EVP_PKEY_RSA:
+	case EVP_PKEY_RSA2:
+		return(EVP_PKEY_RSA);
+	case EVP_PKEY_DSA:
+	case EVP_PKEY_DSA1:
+	case EVP_PKEY_DSA2:
+	case EVP_PKEY_DSA3:
+	case EVP_PKEY_DSA4:
+		return(EVP_PKEY_DSA);
+	case EVP_PKEY_DH:
+		return(EVP_PKEY_DH);
+	default:
+		return(NID_undef);
+		}
+	}
+
+void EVP_PKEY_free(EVP_PKEY *x)
+	{
+	int i;
+
+	if (x == NULL) return;
+
+	i=CRYPTO_add(&x->references,-1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",x);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"EVP_PKEY_free, bad reference count\n");
+		abort();
+		}
+#endif
+	EVP_PKEY_free_it(x);
+	Free(x);
+	}
+
+static void EVP_PKEY_free_it(EVP_PKEY *x)
+	{
+	switch (x->type)
+		{
+#ifndef NO_RSA
+	case EVP_PKEY_RSA:
+	case EVP_PKEY_RSA2:
+		RSA_free(x->pkey.rsa);
+		break;
+#endif
+#ifndef NO_DSA
+	case EVP_PKEY_DSA:
+	case EVP_PKEY_DSA2:
+	case EVP_PKEY_DSA3:
+	case EVP_PKEY_DSA4:
+		DSA_free(x->pkey.dsa);
+		break;
+#endif
+#ifndef NO_DH
+	case EVP_PKEY_DH:
+		DH_free(x->pkey.dh);
+		break;
+#endif
+		}
+	}
+
diff --git a/crypto/openssl/crypto/evp/p_open.c b/crypto/openssl/crypto/evp/p_open.c
new file mode 100644
index 0000000..b9ca789
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_open.c
@@ -0,0 +1,119 @@
+/* crypto/evp/p_open.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
+	     int ekl, unsigned char *iv, EVP_PKEY *priv)
+	{
+	unsigned char *key=NULL;
+	int i,size=0,ret=0;
+	
+	if (priv->type != EVP_PKEY_RSA)
+		{
+		EVPerr(EVP_F_EVP_OPENINIT,EVP_R_PUBLIC_KEY_NOT_RSA);
+		ret= -1;
+		goto err;
+                }
+
+	size=RSA_size(priv->pkey.rsa);
+	key=(unsigned char *)Malloc(size+2);
+	if (key == NULL)
+		{
+		/* ERROR */
+		EVPerr(EVP_F_EVP_OPENINIT,ERR_R_MALLOC_FAILURE);
+		ret= -1;
+		goto err;
+		}
+
+	i=EVP_PKEY_decrypt(key,ek,ekl,priv);
+	if (i != type->key_len)
+		{
+		/* ERROR */
+		goto err;
+		}
+
+	EVP_CIPHER_CTX_init(ctx);
+	EVP_DecryptInit(ctx,type,key,iv);
+	ret=1;
+err:
+	if (key != NULL) memset(key,0,size);
+	Free(key);
+	return(ret);
+	}
+
+int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+	{
+	int i;
+
+	i=EVP_DecryptFinal(ctx,out,outl);
+	EVP_DecryptInit(ctx,NULL,NULL,NULL);
+	return(i);
+	}
+#else /* !NO_RSA */
+
+# ifdef PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/evp/p_seal.c b/crypto/openssl/crypto/evp/p_seal.c
new file mode 100644
index 0000000..d449e89
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_seal.c
@@ -0,0 +1,109 @@
+/* crypto/evp/p_seal.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+	     int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk)
+	{
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	int i;
+	
+	if (npubk <= 0) return(0);
+	if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+		return(0);
+	if (type->iv_len > 0)
+		RAND_pseudo_bytes(iv,type->iv_len);
+
+	EVP_CIPHER_CTX_init(ctx);
+	EVP_EncryptInit(ctx,type,key,iv);
+
+	for (i=0; i<npubk; i++)
+		{
+		ekl[i]=EVP_PKEY_encrypt(ek[i],key,EVP_CIPHER_key_length(type),
+			pubk[i]);
+		if (ekl[i] <= 0) return(-1);
+		}
+	return(npubk);
+	}
+
+/* MACRO
+void EVP_SealUpdate(ctx,out,outl,in,inl)
+EVP_CIPHER_CTX *ctx;
+unsigned char *out;
+int *outl;
+unsigned char *in;
+int inl;
+	{
+	EVP_EncryptUpdate(ctx,out,outl,in,inl);
+	}
+*/
+
+void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+	{
+	EVP_EncryptFinal(ctx,out,outl);
+	EVP_EncryptInit(ctx,NULL,NULL,NULL);
+	}
diff --git a/crypto/openssl/crypto/evp/p_sign.c b/crypto/openssl/crypto/evp/p_sign.c
new file mode 100644
index 0000000..1fa32ac
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_sign.c
@@ -0,0 +1,112 @@
+/* crypto/evp/p_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+#ifdef undef
+void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+	{
+	EVP_DigestInit(ctx,type);
+	}
+
+void EVP_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data,
+	     unsigned int count)
+	{
+	EVP_DigestUpdate(ctx,data,count);
+	}
+#endif
+
+int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
+	     EVP_PKEY *pkey)
+	{
+	unsigned char m[EVP_MAX_MD_SIZE];
+	unsigned int m_len;
+	int i,ok=0,v;
+	MS_STATIC EVP_MD_CTX tmp_ctx;
+
+	*siglen=0;
+	EVP_MD_CTX_copy(&tmp_ctx,ctx);   
+	EVP_DigestFinal(&tmp_ctx,&(m[0]),&m_len);
+	for (i=0; i<4; i++)
+		{
+		v=ctx->digest->required_pkey_type[i];
+		if (v == 0) break;
+		if (pkey->type == v)
+			{
+			ok=1;
+			break;
+			}
+		}
+	if (!ok)
+		{
+		EVPerr(EVP_F_EVP_SIGNFINAL,EVP_R_WRONG_PUBLIC_KEY_TYPE);
+		return(0);
+		}
+	if (ctx->digest->sign == NULL)
+		{
+		EVPerr(EVP_F_EVP_SIGNFINAL,EVP_R_NO_SIGN_FUNCTION_CONFIGURED);
+		return(0);
+		}
+	return(ctx->digest->sign(ctx->digest->type,m,m_len,sigret,siglen,
+		pkey->pkey.ptr));
+	}
+
diff --git a/crypto/openssl/crypto/evp/p_verify.c b/crypto/openssl/crypto/evp/p_verify.c
new file mode 100644
index 0000000..dcb54f3
--- /dev/null
+++ b/crypto/openssl/crypto/evp/p_verify.c
@@ -0,0 +1,99 @@
+/* crypto/evp/p_verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf,
+	     unsigned int siglen, EVP_PKEY *pkey)
+	{
+	unsigned char m[EVP_MAX_MD_SIZE];
+	unsigned int m_len;
+	int i,ok=0,v;
+	MS_STATIC EVP_MD_CTX tmp_ctx;
+
+	for (i=0; i<4; i++)
+		{
+		v=ctx->digest->required_pkey_type[i];
+		if (v == 0) break;
+		if (pkey->type == v)
+			{
+			ok=1;
+			break;
+			}
+		}
+	if (!ok)
+		{
+		EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_WRONG_PUBLIC_KEY_TYPE);
+		return(-1);
+		}
+	EVP_MD_CTX_copy(&tmp_ctx,ctx);     
+	EVP_DigestFinal(&tmp_ctx,&(m[0]),&m_len);
+        if (ctx->digest->verify == NULL)
+                {
+		EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_NO_VERIFY_FUNCTION_CONFIGURED);
+		return(0);
+		}
+
+	return(ctx->digest->verify(ctx->digest->type,m,m_len,
+		sigbuf,siglen,pkey->pkey.ptr));
+	}
+
diff --git a/crypto/openssl/crypto/ex_data.c b/crypto/openssl/crypto/ex_data.c
new file mode 100644
index 0000000..a057dd3
--- /dev/null
+++ b/crypto/openssl/crypto/ex_data.c
@@ -0,0 +1,223 @@
+/* crypto/ex_data.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include "cryptlib.h"
+
+int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
+	     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+	{
+	int ret= -1;
+	CRYPTO_EX_DATA_FUNCS *a;
+
+	MemCheck_off();
+	if (*skp == NULL)
+		*skp=sk_CRYPTO_EX_DATA_FUNCS_new_null();
+	if (*skp == NULL)
+		{
+		CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	a=(CRYPTO_EX_DATA_FUNCS *)Malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
+	if (a == NULL)
+		{
+		CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	a->argl=argl;
+	a->argp=argp;
+	a->new_func=new_func;
+	a->dup_func=dup_func;
+	a->free_func=free_func;
+	while (sk_CRYPTO_EX_DATA_FUNCS_num(*skp) <= idx)
+		{
+		if (!sk_CRYPTO_EX_DATA_FUNCS_push(*skp,NULL))
+			{
+			CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+			Free(a);
+			goto err;
+			}
+		}
+	sk_CRYPTO_EX_DATA_FUNCS_set(*skp,idx, a);
+	ret=idx;
+err:
+	MemCheck_on();
+	return(idx);
+	}
+
+int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
+	{
+	int i;
+
+	if (ad->sk == NULL)
+		{
+		if ((ad->sk=sk_new_null()) == NULL)
+			{
+			CRYPTOerr(CRYPTO_F_CRYPTO_SET_EX_DATA,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		}
+	i=sk_num(ad->sk);
+
+	while (i <= idx)
+		{
+		if (!sk_push(ad->sk,NULL))
+			{
+			CRYPTOerr(CRYPTO_F_CRYPTO_SET_EX_DATA,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		i++;
+		}
+	sk_set(ad->sk,idx,val);
+	return(1);
+	}
+
+void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
+	{
+	if (ad->sk == NULL)
+		return(0);
+	else if (idx >= sk_num(ad->sk))
+		return(0);
+	else
+		return(sk_value(ad->sk,idx));
+	}
+
+/* The callback is called with the 'object', which is the original data object
+ * being duplicated, a pointer to the
+ * 'new' object to be inserted, the index, and the argi/argp
+ */
+int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
+	     CRYPTO_EX_DATA *from)
+	{
+	int i,j,m,r;
+	CRYPTO_EX_DATA_FUNCS *mm;
+	char *from_d;
+
+	if (meth == NULL) return(1);
+	if (from->sk == NULL) return(1);
+	m=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
+	j=sk_num(from->sk);
+	for (i=0; i<j; i++)
+		{
+		from_d=CRYPTO_get_ex_data(from,i);
+		if (i < m)
+			{
+			mm=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
+			if (mm->dup_func != NULL)
+				r=mm->dup_func(to,from,(char **)&from_d,i,
+					mm->argl,mm->argp);
+			}
+		CRYPTO_set_ex_data(to,i,from_d);
+		}
+	return(1);
+	}
+
+/* Call each free callback */
+void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
+	{
+	CRYPTO_EX_DATA_FUNCS *m;
+	void *ptr;
+	int i,max;
+
+	if (meth != NULL)
+		{
+		max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
+		for (i=0; i<max; i++)
+			{
+			m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
+			if ((m != NULL) && (m->free_func != NULL))
+				{
+				ptr=CRYPTO_get_ex_data(ad,i);
+				m->free_func(obj,ptr,ad,i,m->argl,m->argp);
+				}
+			}
+		}
+	if (ad->sk != NULL)
+		{
+		sk_free(ad->sk);
+		ad->sk=NULL;
+		}
+	}
+
+void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
+	{
+	CRYPTO_EX_DATA_FUNCS *m;
+	void *ptr;
+	int i,max;
+
+	ad->sk=NULL;
+	if (meth != NULL)
+		{
+		max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
+		for (i=0; i<max; i++)
+			{
+			m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
+			if ((m != NULL) && (m->new_func != NULL))
+				{
+				ptr=CRYPTO_get_ex_data(ad,i);
+				m->new_func(obj,ptr,ad,i,m->argl,m->argp);
+				}
+			}
+		}
+	}
+
+IMPLEMENT_STACK_OF(CRYPTO_EX_DATA_FUNCS)
diff --git a/crypto/openssl/crypto/hmac/Makefile.save b/crypto/openssl/crypto/hmac/Makefile.save
new file mode 100644
index 0000000..4f55128
--- /dev/null
+++ b/crypto/openssl/crypto/hmac/Makefile.save
@@ -0,0 +1,94 @@
+#
+# SSLeay/crypto/md/Makefile
+#
+
+DIR=	hmac
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=hmactest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=hmac.c
+LIBOBJ=hmac.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= hmac.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+hmac.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hmac.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+hmac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+hmac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+hmac.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hmac.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl
new file mode 100644
index 0000000..4f55128
--- /dev/null
+++ b/crypto/openssl/crypto/hmac/Makefile.ssl
@@ -0,0 +1,94 @@
+#
+# SSLeay/crypto/md/Makefile
+#
+
+DIR=	hmac
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=hmactest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=hmac.c
+LIBOBJ=hmac.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= hmac.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+hmac.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hmac.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+hmac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+hmac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+hmac.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
+hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hmac.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/hmac/hmac.c b/crypto/openssl/crypto/hmac/hmac.c
new file mode 100644
index 0000000..e1ec79e
--- /dev/null
+++ b/crypto/openssl/crypto/hmac/hmac.c
@@ -0,0 +1,152 @@
+/* crypto/hmac/hmac.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/hmac.h>
+
+void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
+	       const EVP_MD *md)
+	{
+	int i,j,reset=0;
+	unsigned char pad[HMAC_MAX_MD_CBLOCK];
+
+	if (md != NULL)
+		{
+		reset=1;
+		ctx->md=md;
+		}
+	else
+		md=ctx->md;
+
+	if (key != NULL)
+		{
+		reset=1;
+		j=EVP_MD_block_size(md);
+		if (j < len)
+			{
+			EVP_DigestInit(&ctx->md_ctx,md);
+			EVP_DigestUpdate(&ctx->md_ctx,key,len);
+			EVP_DigestFinal(&(ctx->md_ctx),ctx->key,
+				&ctx->key_length);
+			}
+		else
+			{
+			memcpy(ctx->key,key,len);
+			ctx->key_length=len;
+			}
+		if(ctx->key_length != HMAC_MAX_MD_CBLOCK)
+			memset(&ctx->key[ctx->key_length], 0,
+				HMAC_MAX_MD_CBLOCK - ctx->key_length);
+		}
+
+	if (reset)	
+		{
+		for (i=0; i<HMAC_MAX_MD_CBLOCK; i++)
+			pad[i]=0x36^ctx->key[i];
+		EVP_DigestInit(&ctx->i_ctx,md);
+		EVP_DigestUpdate(&ctx->i_ctx,pad,EVP_MD_block_size(md));
+
+		for (i=0; i<HMAC_MAX_MD_CBLOCK; i++)
+			pad[i]=0x5c^ctx->key[i];
+		EVP_DigestInit(&ctx->o_ctx,md);
+		EVP_DigestUpdate(&ctx->o_ctx,pad,EVP_MD_block_size(md));
+		}
+
+	memcpy(&ctx->md_ctx,&ctx->i_ctx,sizeof(ctx->i_ctx));
+	}
+
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len)
+	{
+	EVP_DigestUpdate(&(ctx->md_ctx),data,len);
+	}
+
+void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
+	{
+	int j;
+	unsigned int i;
+	unsigned char buf[EVP_MAX_MD_SIZE];
+
+	j=EVP_MD_block_size(ctx->md);
+
+	EVP_DigestFinal(&(ctx->md_ctx),buf,&i);
+	memcpy(&(ctx->md_ctx),&(ctx->o_ctx),sizeof(ctx->o_ctx));
+	EVP_DigestUpdate(&(ctx->md_ctx),buf,i);
+	EVP_DigestFinal(&(ctx->md_ctx),md,len);
+	}
+
+void HMAC_cleanup(HMAC_CTX *ctx)
+	{
+	memset(ctx,0,sizeof(HMAC_CTX));
+	}
+
+unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+		    const unsigned char *d, int n, unsigned char *md,
+		    unsigned int *md_len)
+	{
+	HMAC_CTX c;
+	static unsigned char m[EVP_MAX_MD_SIZE];
+
+	if (md == NULL) md=m;
+	HMAC_Init(&c,key,key_len,evp_md);
+	HMAC_Update(&c,d,n);
+	HMAC_Final(&c,md,md_len);
+	HMAC_cleanup(&c);
+	return(md);
+	}
+
diff --git a/crypto/openssl/crypto/hmac/hmac.h b/crypto/openssl/crypto/hmac/hmac.h
new file mode 100644
index 0000000..223eeda
--- /dev/null
+++ b/crypto/openssl/crypto/hmac/hmac.h
@@ -0,0 +1,100 @@
+/* crypto/hmac/hmac.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#ifndef HEADER_HMAC_H
+#define HEADER_HMAC_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_HMAC
+#error HMAC is disabled.
+#endif
+
+#include <openssl/evp.h>
+
+#define HMAC_MAX_MD_CBLOCK	64
+
+typedef struct hmac_ctx_st
+	{
+	const EVP_MD *md;
+	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX i_ctx;
+	EVP_MD_CTX o_ctx;
+	unsigned int key_length;
+	unsigned char key[HMAC_MAX_MD_CBLOCK];
+	} HMAC_CTX;
+
+#define HMAC_size(e)	(EVP_MD_size((e)->md))
+
+
+void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
+	       const EVP_MD *md);
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
+void HMAC_cleanup(HMAC_CTX *ctx);
+unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+		    const unsigned char *d, int n, unsigned char *md,
+		    unsigned int *md_len);
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/hmac/hmactest.c b/crypto/openssl/crypto/hmac/hmactest.c
new file mode 100644
index 0000000..4b56b8e
--- /dev/null
+++ b/crypto/openssl/crypto/hmac/hmactest.c
@@ -0,0 +1,159 @@
+/* crypto/hmac/hmactest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_HMAC
+int main(int argc, char *argv[])
+{
+    printf("No HMAC support\n");
+    return(0);
+}
+#else
+#include <openssl/hmac.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static struct test_st
+	{
+	unsigned char key[16];
+	int key_len;
+	unsigned char data[64];
+	int data_len;
+	unsigned char *digest;
+	} test[4]={
+	{	"",
+		0,
+		"More text test vectors to stuff up EBCDIC machines :-)",
+		54,
+		(unsigned char *)"e9139d1e6ee064ef8cf514fc7dc83e86",
+	},{	{0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
+		 0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,},
+		16,
+		"Hi There",
+		8,
+		(unsigned char *)"9294727a3638bb1c13f48ef8158bfc9d",
+	},{	"Jefe",
+		4,
+		"what do ya want for nothing?",
+		28,
+		(unsigned char *)"750c783e6ab0b503eaa86e310a5db738",
+	},{
+		{0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,
+		 0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,},
+		16,
+		{0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,0xdd,
+		 0xdd,0xdd},
+		50,
+		(unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6",
+	},
+	};
+
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	char *p;
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(test[0].data, test[0].data, test[0].data_len);
+	ebcdic2ascii(test[1].data, test[1].data, test[1].data_len);
+	ebcdic2ascii(test[2].key,  test[2].key,  test[2].key_len);
+	ebcdic2ascii(test[2].data, test[2].data, test[2].data_len);
+#endif
+
+	for (i=0; i<4; i++)
+		{
+		p=pt(HMAC(EVP_md5(),
+			test[i].key, test[i].key_len,
+			test[i].data, test[i].data_len,
+			NULL,NULL));
+
+		if (strcmp(p,(char *)test[i].digest) != 0)
+			{
+			printf("error calculating HMAC on %d entry'\n",i);
+			printf("got %s instead of %s\n",p,test[i].digest);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		}
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<MD5_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/idea/Makefile.save b/crypto/openssl/crypto/idea/Makefile.save
new file mode 100644
index 0000000..ac32f13
--- /dev/null
+++ b/crypto/openssl/crypto/idea/Makefile.save
@@ -0,0 +1,91 @@
+#
+# SSLeay/crypto/idea/Makefile
+# $FreeBSD$
+#
+
+DIR=	idea
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ideatest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c i_skey.c
+LIBOBJ=i_cbc.o i_cfb64.o i_ofb64.o i_ecb.o i_skey.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= idea.h
+HEADER=	idea_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+i_cbc.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_cbc.o: idea_lcl.h
+i_cfb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_cfb64.o: idea_lcl.h
+i_ecb.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_ecb.o: ../../include/openssl/opensslv.h idea_lcl.h
+i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_ofb64.o: idea_lcl.h
+i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_skey.o: idea_lcl.h
diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl
new file mode 100644
index 0000000..ac32f13
--- /dev/null
+++ b/crypto/openssl/crypto/idea/Makefile.ssl
@@ -0,0 +1,91 @@
+#
+# SSLeay/crypto/idea/Makefile
+# $FreeBSD$
+#
+
+DIR=	idea
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ideatest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c i_skey.c
+LIBOBJ=i_cbc.o i_cfb64.o i_ofb64.o i_ecb.o i_skey.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= idea.h
+HEADER=	idea_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+i_cbc.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_cbc.o: idea_lcl.h
+i_cfb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_cfb64.o: idea_lcl.h
+i_ecb.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_ecb.o: ../../include/openssl/opensslv.h idea_lcl.h
+i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_ofb64.o: idea_lcl.h
+i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
+i_skey.o: idea_lcl.h
diff --git a/crypto/openssl/crypto/idea/Makefile.uni b/crypto/openssl/crypto/idea/Makefile.uni
new file mode 100644
index 0000000..d7c9844
--- /dev/null
+++ b/crypto/openssl/crypto/idea/Makefile.uni
@@ -0,0 +1,74 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# $FreeBSD$
+
+DIR=    cast
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+IDEA_ENC=i_cbc.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ideatest
+APPS=idea_spd
+
+LIB=libidea.a
+LIBSRC=i_skey.c i_ecb.c i_cbc.c i_cfb64.c i_ofb64.c
+LIBOBJ=i_skey.o i_ecb.o $(IDEA_ENC) i_cfb64.o i_ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= idea.h
+HEADER= idea_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/idea/i_cbc.c b/crypto/openssl/crypto/idea/i_cbc.c
new file mode 100644
index 0000000..76b6100
--- /dev/null
+++ b/crypto/openssl/crypto/idea/i_cbc.c
@@ -0,0 +1,169 @@
+/* crypto/idea/i_cbc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <openssl/idea.h>
+#include "idea_lcl.h"
+
+void idea_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+	     IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int encrypt)
+	{
+	register unsigned long tin0,tin1;
+	register unsigned long tout0,tout1,xor0,xor1;
+	register long l=length;
+	unsigned long tin[2];
+
+	if (encrypt)
+		{
+		n2l(iv,tout0);
+		n2l(iv,tout1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0);
+			n2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			idea_encrypt(tin,ks);
+			tout0=tin[0]; l2n(tout0,out);
+			tout1=tin[1]; l2n(tout1,out);
+			}
+		if (l != -8)
+			{
+			n2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			idea_encrypt(tin,ks);
+			tout0=tin[0]; l2n(tout0,out);
+			tout1=tin[1]; l2n(tout1,out);
+			}
+		l2n(tout0,iv);
+		l2n(tout1,iv);
+		}
+	else
+		{
+		n2l(iv,xor0);
+		n2l(iv,xor1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			n2l(in,tin0); tin[0]=tin0;
+			n2l(in,tin1); tin[1]=tin1;
+			idea_encrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2n(tout0,out);
+			l2n(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			n2l(in,tin0); tin[0]=tin0;
+			n2l(in,tin1); tin[1]=tin1;
+			idea_encrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2nn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2n(xor0,iv);
+		l2n(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+void idea_encrypt(unsigned long *d, IDEA_KEY_SCHEDULE *key)
+	{
+	register IDEA_INT *p;
+	register unsigned long x1,x2,x3,x4,t0,t1,ul;
+
+	x2=d[0];
+	x1=(x2>>16);
+	x4=d[1];
+	x3=(x4>>16);
+
+	p= &(key->data[0][0]);
+
+	E_IDEA(0);
+	E_IDEA(1);
+	E_IDEA(2);
+	E_IDEA(3);
+	E_IDEA(4);
+	E_IDEA(5);
+	E_IDEA(6);
+	E_IDEA(7);
+
+	x1&=0xffff;
+	idea_mul(x1,x1,*p,ul); p++;
+
+	t0= x3+ *(p++);
+	t1= x2+ *(p++);
+
+	x4&=0xffff;
+	idea_mul(x4,x4,*p,ul);
+
+	d[0]=(t0&0xffff)|((x1&0xffff)<<16);
+	d[1]=(x4&0xffff)|((t1&0xffff)<<16);
+	}
diff --git a/crypto/openssl/crypto/idea/i_cfb64.c b/crypto/openssl/crypto/idea/i_cfb64.c
new file mode 100644
index 0000000..2093aaa
--- /dev/null
+++ b/crypto/openssl/crypto/idea/i_cfb64.c
@@ -0,0 +1,123 @@
+/* crypto/idea/i_cfb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <openssl/idea.h>
+#include "idea_lcl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void idea_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     IDEA_KEY_SCHEDULE *schedule, unsigned char *ivec, int *num,
+	     int encrypt)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned long ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=(unsigned char *)ivec;
+	if (encrypt)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				idea_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				n2l(iv,v0); ti[0]=v0;
+				n2l(iv,v1); ti[1]=v1;
+				idea_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2n(t,iv);
+				t=ti[1]; l2n(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=t=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/idea/i_ecb.c b/crypto/openssl/crypto/idea/i_ecb.c
new file mode 100644
index 0000000..73f684e
--- /dev/null
+++ b/crypto/openssl/crypto/idea/i_ecb.c
@@ -0,0 +1,86 @@
+/* crypto/idea/i_ecb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <openssl/idea.h>
+#include "idea_lcl.h"
+#include <openssl/opensslv.h>
+
+const char *IDEA_version="IDEA" OPENSSL_VERSION_PTEXT;
+
+const char *idea_options(void)
+	{
+	if (sizeof(short) != sizeof(IDEA_INT))
+		return("idea(int)");
+	else
+		return("idea(short)");
+	}
+
+void idea_ecb_encrypt(unsigned char *in, unsigned char *out,
+	     IDEA_KEY_SCHEDULE *ks)
+	{
+	unsigned long l0,l1,d[2];
+
+	n2l(in,l0); d[0]=l0;
+	n2l(in,l1); d[1]=l1;
+	idea_encrypt(d,ks);
+	l0=d[0]; l2n(l0,out);
+	l1=d[1]; l2n(l1,out);
+	l0=l1=d[0]=d[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/idea/i_ofb64.c b/crypto/openssl/crypto/idea/i_ofb64.c
new file mode 100644
index 0000000..41d1be8
--- /dev/null
+++ b/crypto/openssl/crypto/idea/i_ofb64.c
@@ -0,0 +1,111 @@
+/* crypto/idea/i_ofb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <openssl/idea.h>
+#include "idea_lcl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void idea_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     IDEA_KEY_SCHEDULE *schedule, unsigned char *ivec, int *num)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned char d[8];
+	register char *dp;
+	unsigned long ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv=(unsigned char *)ivec;
+	n2l(iv,v0);
+	n2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2n(v0,dp);
+	l2n(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			idea_encrypt((unsigned long *)ti,schedule);
+			dp=(char *)d;
+			t=ti[0]; l2n(t,dp);
+			t=ti[1]; l2n(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv=(unsigned char *)ivec;
+		l2n(v0,iv);
+		l2n(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/idea/i_skey.c b/crypto/openssl/crypto/idea/i_skey.c
new file mode 100644
index 0000000..da2fd85
--- /dev/null
+++ b/crypto/openssl/crypto/idea/i_skey.c
@@ -0,0 +1,157 @@
+/* crypto/idea/i_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <openssl/idea.h>
+#include "idea_lcl.h"
+
+static IDEA_INT inverse(unsigned int xin);
+void idea_set_encrypt_key(unsigned char *key, IDEA_KEY_SCHEDULE *ks)
+	{
+	int i;
+	register IDEA_INT *kt,*kf,r0,r1,r2;
+
+	kt= &(ks->data[0][0]);
+	n2s(key,kt[0]); n2s(key,kt[1]); n2s(key,kt[2]); n2s(key,kt[3]);
+	n2s(key,kt[4]); n2s(key,kt[5]); n2s(key,kt[6]); n2s(key,kt[7]);
+
+	kf=kt;
+	kt+=8;
+	for (i=0; i<6; i++)
+		{
+		r2= kf[1];
+		r1= kf[2];
+		*(kt++)= ((r2<<9) | (r1>>7))&0xffff;
+		r0= kf[3];
+		*(kt++)= ((r1<<9) | (r0>>7))&0xffff;
+		r1= kf[4];
+		*(kt++)= ((r0<<9) | (r1>>7))&0xffff;
+		r0= kf[5];
+		*(kt++)= ((r1<<9) | (r0>>7))&0xffff;
+		r1= kf[6];
+		*(kt++)= ((r0<<9) | (r1>>7))&0xffff;
+		r0= kf[7];
+		*(kt++)= ((r1<<9) | (r0>>7))&0xffff;
+		r1= kf[0];
+		if (i >= 5) break;
+		*(kt++)= ((r0<<9) | (r1>>7))&0xffff;
+		*(kt++)= ((r1<<9) | (r2>>7))&0xffff;
+		kf+=8;
+		}
+	}
+
+void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk)
+	{
+	int r;
+	register IDEA_INT *fp,*tp,t;
+
+	tp= &(dk->data[0][0]);
+	fp= &(ek->data[8][0]);
+	for (r=0; r<9; r++)
+		{
+		*(tp++)=inverse(fp[0]);
+		*(tp++)=((int)(0x10000L-fp[2])&0xffff);
+		*(tp++)=((int)(0x10000L-fp[1])&0xffff);
+		*(tp++)=inverse(fp[3]);
+		if (r == 8) break;
+		fp-=6;
+		*(tp++)=fp[4];
+		*(tp++)=fp[5];
+		}
+
+	tp= &(dk->data[0][0]);
+	t=tp[1];
+	tp[1]=tp[2];
+	tp[2]=t;
+
+	t=tp[49];
+	tp[49]=tp[50];
+	tp[50]=t;
+	}
+
+/* taken directly from the 'paper' I'll have a look at it later */
+static IDEA_INT inverse(unsigned int xin)
+	{
+	long n1,n2,q,r,b1,b2,t;
+
+	if (xin == 0)
+		b2=0;
+	else
+		{
+		n1=0x10001;
+		n2=xin;
+		b2=1;
+		b1=0;
+
+		do	{
+			r=(n1%n2);
+			q=(n1-r)/n2;
+			if (r == 0)
+				{ if (b2 < 0) b2=0x10001+b2; }
+			else
+				{
+				n1=n2;
+				n2=r;
+				t=b2;
+				b2=b1-q*b2;
+				b1=t;
+				}
+			} while (r != 0);
+		}
+	return((IDEA_INT)b2);
+	}
diff --git a/crypto/openssl/crypto/idea/idea.h b/crypto/openssl/crypto/idea/idea.h
new file mode 100644
index 0000000..38e553f
--- /dev/null
+++ b/crypto/openssl/crypto/idea/idea.h
@@ -0,0 +1,100 @@
+/* crypto/idea/idea.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#ifndef HEADER_IDEA_H
+#define HEADER_IDEA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_IDEA
+#error IDEA is disabled.
+#endif
+
+#define IDEA_ENCRYPT	1
+#define IDEA_DECRYPT	0
+
+#include <openssl/opensslconf.h> /* IDEA_INT */
+#define IDEA_BLOCK	8
+#define IDEA_KEY_LENGTH	16
+
+typedef struct idea_key_st
+	{
+	IDEA_INT data[9][6];
+	} IDEA_KEY_SCHEDULE;
+
+const char *idea_options(void);
+void idea_ecb_encrypt(unsigned char *in, unsigned char *out,
+	IDEA_KEY_SCHEDULE *ks);
+void idea_set_encrypt_key(unsigned char *key, IDEA_KEY_SCHEDULE *ks);
+void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
+void idea_cbc_encrypt(unsigned char *in, unsigned char *out,
+	long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,int enc);
+void idea_cfb64_encrypt(unsigned char *in, unsigned char *out,
+	long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,
+	int *num,int enc);
+void idea_ofb64_encrypt(unsigned char *in, unsigned char *out,
+	long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int *num);
+void idea_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/idea/idea_lcl.h b/crypto/openssl/crypto/idea/idea_lcl.h
new file mode 100644
index 0000000..0190599
--- /dev/null
+++ b/crypto/openssl/crypto/idea/idea_lcl.h
@@ -0,0 +1,216 @@
+/* crypto/idea/idea_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+/* The new form of this macro (check if the a*b == 0) was suggested by 
+ * Colin Plumb <colin@nyx10.cs.du.edu> */
+/* Removal of the inner if from from Wei Dai 24/4/96 */
+#define idea_mul(r,a,b,ul) \
+ul=(unsigned long)a*b; \
+if (ul != 0) \
+	{ \
+	r=(ul&0xffff)-(ul>>16); \
+	r-=((r)>>16); \
+	} \
+else \
+	r=(-(int)a-b+1); /* assuming a or b is 0 and in range */ \
+
+#ifdef undef
+#define idea_mul(r,a,b,ul,sl) \
+if (a == 0) r=(0x10001-b)&0xffff; \
+else if (b == 0) r=(0x10001-a)&0xffff; \
+else	{ \
+	ul=(unsigned long)a*b; \
+	sl=(ul&0xffff)-(ul>>16); \
+	if (sl <= 0) sl+=0x10001; \
+	r=sl; \
+	} 
+#endif
+
+/*  7/12/95 - Many thanks to Rhys Weatherley <rweather@us.oracle.com>
+ * for pointing out that I was assuming little endian
+ * byte order for all quantities what idea
+ * actually used bigendian.  No where in the spec does it mention
+ * this, it is all in terms of 16 bit numbers and even the example
+ * does not use byte streams for the input example :-(.
+ * If you byte swap each pair of input, keys and iv, the functions
+ * would produce the output as the old version :-(.
+ */
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+#undef s2n
+#define s2n(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff))
+
+#undef n2s
+#define n2s(c,l)	(l =((IDEA_INT)(*((c)++)))<< 8L, \
+			 l|=((IDEA_INT)(*((c)++)))      )
+
+#ifdef undef
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+				} \
+			}
+
+#undef c2s
+#define c2s(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L)
+
+#undef s2c
+#define s2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff))
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))     , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+#endif
+
+#define E_IDEA(num) \
+	x1&=0xffff; \
+	idea_mul(x1,x1,*p,ul); p++; \
+	x2+= *(p++); \
+	x3+= *(p++); \
+	x4&=0xffff; \
+	idea_mul(x4,x4,*p,ul); p++; \
+	t0=(x1^x3)&0xffff; \
+	idea_mul(t0,t0,*p,ul); p++; \
+	t1=(t0+(x2^x4))&0xffff; \
+	idea_mul(t1,t1,*p,ul); p++; \
+	t0+=t1; \
+	x1^=t1; \
+	x4^=t0; \
+	ul=x2^t0; /* do the swap to x3 */ \
+	x2=x3^t1; \
+	x3=ul;
+
diff --git a/crypto/openssl/crypto/idea/idea_spd.c b/crypto/openssl/crypto/idea/idea_spd.c
new file mode 100644
index 0000000..aefe178
--- /dev/null
+++ b/crypto/openssl/crypto/idea/idea_spd.c
@@ -0,0 +1,297 @@
+/* crypto/idea/idea_spd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/idea.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	IDEA_KEY_SCHEDULE sch;
+	double a,aa,b,c,d;
+#ifndef SIGALRM
+	long ca,cca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	idea_set_encrypt_key(key,&sch);
+	count=10;
+	do	{
+		long i;
+		IDEA_INT data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			idea_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/4;
+	cca=count/200;
+	cb=count;
+	cc=count*8/BUFSIZE+1;
+	printf("idea_set_encrypt_key %ld times\n",ca);
+#define COND(d)	(count <= (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing idea_set_encrypt_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		idea_set_encrypt_key(key,&sch);
+		idea_set_encrypt_key(key,&sch);
+		idea_set_encrypt_key(key,&sch);
+		idea_set_encrypt_key(key,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld idea idea_set_encrypt_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing idea_set_decrypt_key for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing idea_set_decrypt_key %ld times\n",cca);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(cca); count+=4)
+		{
+		idea_set_decrypt_key(&sch,&sch);
+		idea_set_decrypt_key(&sch,&sch);
+		idea_set_decrypt_key(&sch,&sch);
+		idea_set_decrypt_key(&sch,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld idea idea_set_decrypt_key's in %.2f seconds\n",count,d);
+	aa=((double)COUNT(cca))/d;
+
+#ifdef SIGALRM
+	printf("Doing idea_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing idea_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count+=4)
+		{
+		unsigned long data[2];
+
+		idea_encrypt(data,&sch);
+		idea_encrypt(data,&sch);
+		idea_encrypt(data,&sch);
+		idea_encrypt(data,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld idea_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing idea_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing idea_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		idea_cbc_encrypt(buf,buf,BUFSIZE,&sch,
+			&(key[0]),IDEA_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld idea_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("IDEA set_encrypt_key per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("IDEA set_decrypt_key per sec = %12.2f (%9.3fuS)\n",aa,1.0e6/aa);
+	printf("IDEA raw ecb bytes   per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
+	printf("IDEA cbc     bytes   per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
+
diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c
new file mode 100644
index 0000000..810f351
--- /dev/null
+++ b/crypto/openssl/crypto/idea/ideatest.c
@@ -0,0 +1,231 @@
+/* crypto/idea/ideatest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ * $FreeBSD$
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_IDEA
+int main(int argc, char *argv[])
+{
+    printf("No IDEA support\n");
+    return(0);
+}
+#else
+#include <openssl/idea.h>
+
+unsigned char k[16]={
+	0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x04,
+	0x00,0x05,0x00,0x06,0x00,0x07,0x00,0x08};
+
+unsigned char in[8]={0x00,0x00,0x00,0x01,0x00,0x02,0x00,0x03};
+unsigned char  c[8]={0x11,0xFB,0xED,0x2B,0x01,0x98,0x6D,0xE5};
+unsigned char out[80];
+
+char *text="Hello to all people out there";
+
+static unsigned char cfb_key[16]={
+	0xe1,0xf0,0xc3,0xd2,0xa5,0xb4,0x87,0x96,
+	0x69,0x78,0x4b,0x5a,0x2d,0x3c,0x0f,0x1e,
+	};
+static unsigned char cfb_iv[80]={0x34,0x12,0x78,0x56,0xab,0x90,0xef,0xcd};
+static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8];
+#define CFB_TEST_SIZE 24
+static unsigned char plain[CFB_TEST_SIZE]=
+        {
+        0x4e,0x6f,0x77,0x20,0x69,0x73,
+        0x20,0x74,0x68,0x65,0x20,0x74,
+        0x69,0x6d,0x65,0x20,0x66,0x6f,
+        0x72,0x20,0x61,0x6c,0x6c,0x20
+        };
+static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
+	0x59,0xD8,0xE2,0x65,0x00,0x58,0x6C,0x3F,
+	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
+	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
+
+/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
+	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
+	}; 
+
+static int cfb64_test(unsigned char *cfb_cipher);
+static char *pt(unsigned char *p);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	IDEA_KEY_SCHEDULE key,dkey; 
+	unsigned char iv[8];
+
+	idea_set_encrypt_key(k,&key);
+	idea_ecb_encrypt(in,out,&key);
+	if (memcmp(out,c,8) != 0)
+		{
+		printf("ecb idea error encrypting\n");
+		printf("got     :");
+		for (i=0; i<8; i++)
+			printf("%02X ",out[i]);
+		printf("\n");
+		printf("expected:");
+		for (i=0; i<8; i++)
+			printf("%02X ",c[i]);
+		err=20;
+		printf("\n");
+		}
+
+	idea_set_decrypt_key(&key,&dkey);
+	idea_ecb_encrypt(c,out,&dkey);
+	if (memcmp(out,in,8) != 0)
+		{
+		printf("ecb idea error decrypting\n");
+		printf("got     :");
+		for (i=0; i<8; i++)
+			printf("%02X ",out[i]);
+		printf("\n");
+		printf("expected:");
+		for (i=0; i<8; i++)
+			printf("%02X ",in[i]);
+		printf("\n");
+		err=3;
+		}
+
+	if (err == 0) printf("ecb idea ok\n");
+
+	memcpy(iv,k,8);
+	idea_cbc_encrypt((unsigned char *)text,out,strlen(text)+1,&key,iv,1);
+	memcpy(iv,k,8);
+	idea_cbc_encrypt(out,out,8,&dkey,iv,0);
+	idea_cbc_encrypt(&(out[8]),&(out[8]),strlen(text)+1-8,&dkey,iv,0);
+	if (memcmp(text,out,strlen(text)+1) != 0)
+		{
+		printf("cbc idea bad\n");
+		err=4;
+		}
+	else
+		printf("cbc idea ok\n");
+
+	printf("cfb64 idea ");
+	if (cfb64_test(cfb_cipher64))
+		{
+		printf("bad\n");
+		err=5;
+		}
+	else
+		printf("ok\n");
+
+	exit(err);
+	return(err);
+	}
+
+static int cfb64_test(unsigned char *cfb_cipher)
+        {
+        IDEA_KEY_SCHEDULE eks,dks;
+        int err=0,i,n;
+
+        idea_set_encrypt_key(cfb_key,&eks);
+        idea_set_decrypt_key(&eks,&dks);
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(plain,cfb_buf1,(long)12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        idea_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
+                (long)CFB_TEST_SIZE-12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        if (memcmp(cfb_cipher,cfb_buf1,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb64_encrypt encrypt error\n");
+                for (i=0; i<CFB_TEST_SIZE; i+=8)
+                        printf("%s\n",pt(&(cfb_buf1[i])));
+                }
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,&eks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        idea_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+                (long)CFB_TEST_SIZE-17,&dks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        if (memcmp(plain,cfb_buf2,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb_encrypt decrypt error\n");
+                for (i=0; i<24; i+=8)
+                        printf("%s\n",pt(&(cfb_buf2[i])));
+                }
+        return(err);
+        }
+
+static char *pt(unsigned char *p)
+	{
+	static char bufs[10][20];
+	static int bnum=0;
+	char *ret;
+	int i;
+	static char *f="0123456789ABCDEF";
+
+	ret= &(bufs[bnum++][0]);
+	bnum%=10;
+	for (i=0; i<8; i++)
+		{
+		ret[i*2]=f[(p[i]>>4)&0xf];
+		ret[i*2+1]=f[p[i]&0xf];
+		}
+	ret[16]='\0';
+	return(ret);
+	}
+#endif
diff --git a/crypto/openssl/crypto/idea/version b/crypto/openssl/crypto/idea/version
new file mode 100644
index 0000000..c269d85
--- /dev/null
+++ b/crypto/openssl/crypto/idea/version
@@ -0,0 +1,13 @@
+# $FreeBSD$
+1.1 07/12/95 - eay
+	Many thanks to Rhys Weatherley <rweather@us.oracle.com>
+	for pointing out that I was assuming little endian byte
+	order for all quantities what idea actually used
+	bigendian.  No where in the spec does it mention
+	this, it is all in terms of 16 bit numbers and even the example
+	does not use byte streams for the input example :-(.
+	If you byte swap each pair of input, keys and iv, the functions
+	would produce the output as the old version :-(.
+
+1.0 ??/??/95 - eay
+	First version.
diff --git a/crypto/openssl/crypto/lhash/Makefile.save b/crypto/openssl/crypto/lhash/Makefile.save
new file mode 100644
index 0000000..836997d
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/Makefile.save
@@ -0,0 +1,89 @@
+#
+# SSLeay/crypto/lhash/Makefile
+#
+
+DIR=	lhash
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=lhash.c lh_stats.c
+LIBOBJ=lhash.o lh_stats.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= lhash.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+lh_stats.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+lh_stats.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lh_stats.o: ../../include/openssl/stack.h ../cryptlib.h
+lhash.o: ../../include/openssl/crypto.h ../../include/openssl/lhash.h
+lhash.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lhash.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl
new file mode 100644
index 0000000..836997d
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/Makefile.ssl
@@ -0,0 +1,89 @@
+#
+# SSLeay/crypto/lhash/Makefile
+#
+
+DIR=	lhash
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=lhash.c lh_stats.c
+LIBOBJ=lhash.o lh_stats.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= lhash.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+lh_stats.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+lh_stats.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lh_stats.o: ../../include/openssl/stack.h ../cryptlib.h
+lhash.o: ../../include/openssl/crypto.h ../../include/openssl/lhash.h
+lhash.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lhash.o: ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/lhash/lh_stats.c b/crypto/openssl/crypto/lhash/lh_stats.c
new file mode 100644
index 0000000..80b931c
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/lh_stats.c
@@ -0,0 +1,271 @@
+/* crypto/lhash/lh_stats.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+/* If you wish to build this outside of SSLeay, remove the following lines
+ * and things should work as expected */
+#include "cryptlib.h"
+
+#include <openssl/lhash.h>
+
+#ifndef HEADER_BIO_H
+
+void lh_stats(LHASH *lh, FILE *out)
+	{
+	fprintf(out,"num_items             = %lu\n",lh->num_items);
+	fprintf(out,"num_nodes             = %u\n",lh->num_nodes);
+	fprintf(out,"num_alloc_nodes       = %u\n",lh->num_alloc_nodes);
+	fprintf(out,"num_expands           = %lu\n",lh->num_expands);
+	fprintf(out,"num_expand_reallocs   = %lu\n",lh->num_expand_reallocs);
+	fprintf(out,"num_contracts         = %lu\n",lh->num_contracts);
+	fprintf(out,"num_contract_reallocs = %lu\n",lh->num_contract_reallocs);
+	fprintf(out,"num_hash_calls        = %lu\n",lh->num_hash_calls);
+	fprintf(out,"num_comp_calls        = %lu\n",lh->num_comp_calls);
+	fprintf(out,"num_insert            = %lu\n",lh->num_insert);
+	fprintf(out,"num_replace           = %lu\n",lh->num_replace);
+	fprintf(out,"num_delete            = %lu\n",lh->num_delete);
+	fprintf(out,"num_no_delete         = %lu\n",lh->num_no_delete);
+	fprintf(out,"num_retrieve          = %lu\n",lh->num_retrieve);
+	fprintf(out,"num_retrieve_miss     = %lu\n",lh->num_retrieve_miss);
+	fprintf(out,"num_hash_comps        = %lu\n",lh->num_hash_comps);
+#ifdef DEBUG
+	fprintf(out,"p                     = %u\n",lh->p);
+	fprintf(out,"pmax                  = %u\n",lh->pmax);
+	fprintf(out,"up_load               = %lu\n",lh->up_load);
+	fprintf(out,"down_load             = %lu\n",lh->down_load);
+#endif
+	}
+
+void lh_node_stats(LHASH *lh, FILE *out)
+	{
+	LHASH_NODE *n;
+	unsigned int i,num;
+
+	for (i=0; i<lh->num_nodes; i++)
+		{
+		for (n=lh->b[i],num=0; n != NULL; n=n->next)
+			num++;
+		fprintf(out,"node %6u -> %3u\n",i,num);
+		}
+	}
+
+void lh_node_usage_stats(LHASH *lh, FILE *out)
+	{
+	LHASH_NODE *n;
+	unsigned long num;
+	unsigned int i;
+	unsigned long total=0,n_used=0;
+
+	for (i=0; i<lh->num_nodes; i++)
+		{
+		for (n=lh->b[i],num=0; n != NULL; n=n->next)
+			num++;
+		if (num != 0)
+			{
+			n_used++;
+			total+=num;
+			}
+		}
+	fprintf(out,"%lu nodes used out of %u\n",n_used,lh->num_nodes);
+	fprintf(out,"%lu items\n",total);
+	if (n_used == 0) return;
+	fprintf(out,"load %d.%02d  actual load %d.%02d\n",
+		(int)(total/lh->num_nodes),
+		(int)((total%lh->num_nodes)*100/lh->num_nodes),
+		(int)(total/n_used),
+		(int)((total%n_used)*100/n_used));
+	}
+
+#else
+
+#ifndef NO_FP_API
+void lh_stats(LHASH *lh, FILE *fp)
+	{
+	BIO *bp;
+
+	bp=BIO_new(BIO_s_file());
+	if (bp == NULL) goto end;
+	BIO_set_fp(bp,fp,BIO_NOCLOSE);
+	lh_stats_bio(lh,bp);
+	BIO_free(bp);
+end:;
+	}
+
+void lh_node_stats(LHASH *lh, FILE *fp)
+	{
+	BIO *bp;
+
+	bp=BIO_new(BIO_s_file());
+	if (bp == NULL) goto end;
+	BIO_set_fp(bp,fp,BIO_NOCLOSE);
+	lh_node_stats_bio(lh,bp);
+	BIO_free(bp);
+end:;
+	}
+
+void lh_node_usage_stats(LHASH *lh, FILE *fp)
+	{
+	BIO *bp;
+
+	bp=BIO_new(BIO_s_file());
+	if (bp == NULL) goto end;
+	BIO_set_fp(bp,fp,BIO_NOCLOSE);
+	lh_node_usage_stats_bio(lh,bp);
+	BIO_free(bp);
+end:;
+	}
+
+#endif
+
+void lh_stats_bio(LHASH *lh, BIO *out)
+	{
+	char buf[128];
+
+	sprintf(buf,"num_items             = %lu\n",lh->num_items);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_nodes             = %u\n",lh->num_nodes);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_alloc_nodes       = %u\n",lh->num_alloc_nodes);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_expands           = %lu\n",lh->num_expands);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_expand_reallocs   = %lu\n",lh->num_expand_reallocs);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_contracts         = %lu\n",lh->num_contracts);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_contract_reallocs = %lu\n",lh->num_contract_reallocs);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_hash_calls        = %lu\n",lh->num_hash_calls);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_comp_calls        = %lu\n",lh->num_comp_calls);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_insert            = %lu\n",lh->num_insert);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_replace           = %lu\n",lh->num_replace);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_delete            = %lu\n",lh->num_delete);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_no_delete         = %lu\n",lh->num_no_delete);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_retrieve          = %lu\n",lh->num_retrieve);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_retrieve_miss     = %lu\n",lh->num_retrieve_miss);
+	BIO_puts(out,buf);
+	sprintf(buf,"num_hash_comps        = %lu\n",lh->num_hash_comps);
+	BIO_puts(out,buf);
+#ifdef DEBUG
+	sprintf(buf,"p                     = %u\n",lh->p);
+	BIO_puts(out,buf);
+	sprintf(buf,"pmax                  = %u\n",lh->pmax);
+	BIO_puts(out,buf);
+	sprintf(buf,"up_load               = %lu\n",lh->up_load);
+	BIO_puts(out,buf);
+	sprintf(buf,"down_load             = %lu\n",lh->down_load);
+	BIO_puts(out,buf);
+#endif
+	}
+
+void lh_node_stats_bio(LHASH *lh, BIO *out)
+	{
+	LHASH_NODE *n;
+	unsigned int i,num;
+	char buf[128];
+
+	for (i=0; i<lh->num_nodes; i++)
+		{
+		for (n=lh->b[i],num=0; n != NULL; n=n->next)
+			num++;
+		sprintf(buf,"node %6u -> %3u\n",i,num);
+		BIO_puts(out,buf);
+		}
+	}
+
+void lh_node_usage_stats_bio(LHASH *lh, BIO *out)
+	{
+	LHASH_NODE *n;
+	unsigned long num;
+	unsigned int i;
+	unsigned long total=0,n_used=0;
+	char buf[128];
+
+	for (i=0; i<lh->num_nodes; i++)
+		{
+		for (n=lh->b[i],num=0; n != NULL; n=n->next)
+			num++;
+		if (num != 0)
+			{
+			n_used++;
+			total+=num;
+			}
+		}
+	sprintf(buf,"%lu nodes used out of %u\n",n_used,lh->num_nodes);
+	BIO_puts(out,buf);
+	sprintf(buf,"%lu items\n",total);
+	BIO_puts(out,buf);
+	if (n_used == 0) return;
+	sprintf(buf,"load %d.%02d  actual load %d.%02d\n",
+		(int)(total/lh->num_nodes),
+		(int)((total%lh->num_nodes)*100/lh->num_nodes),
+		(int)(total/n_used),
+		(int)((total%n_used)*100/n_used));
+	BIO_puts(out,buf);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/lhash/lh_test.c b/crypto/openssl/crypto/lhash/lh_test.c
new file mode 100644
index 0000000..08138b5
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/lh_test.c
@@ -0,0 +1,89 @@
+/* crypto/lhash/lh_test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/lhash.h>
+
+main()
+	{
+	LHASH *conf;
+	char buf[256];
+	int i;
+
+	conf=lh_new(lh_strhash,strcmp);
+	for (;;)
+		{
+		char *p;
+
+		buf[0]='\0';
+		fgets(buf,256,stdin);
+		if (buf[0] == '\0') break;
+		buf[256]='\0';
+		i=strlen(buf);
+		p=Malloc(i+1);
+		memcpy(p,buf,i+1);
+		lh_insert(conf,p);
+		}
+
+	lh_node_stats(conf,stdout);
+	lh_stats(conf,stdout);
+	lh_node_usage_stats(conf,stdout);
+	exit(0);
+	}
diff --git a/crypto/openssl/crypto/lhash/lhash.c b/crypto/openssl/crypto/lhash/lhash.c
new file mode 100644
index 0000000..7eb92a1
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/lhash.c
@@ -0,0 +1,461 @@
+/* crypto/lhash/lhash.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Code for dynamic hash table routines
+ * Author - Eric Young v 2.0
+ *
+ * 2.2 eay - added #include "crypto.h" so the memory leak checking code is
+ *	     present. eay 18-Jun-98
+ *
+ * 2.1 eay - Added an 'error in last operation' flag. eay 6-May-98
+ *
+ * 2.0 eay - Fixed a bug that occurred when using lh_delete
+ *	     from inside lh_doall().  As entries were deleted,
+ *	     the 'table' was 'contract()ed', making some entries
+ *	     jump from the end of the table to the start, there by
+ *	     skipping the lh_doall() processing. eay - 4/12/95
+ *
+ * 1.9 eay - Fixed a memory leak in lh_free, the LHASH_NODEs
+ *	     were not being free()ed. 21/11/95
+ *
+ * 1.8 eay - Put the stats routines into a separate file, lh_stats.c
+ *	     19/09/95
+ *
+ * 1.7 eay - Removed the fputs() for realloc failures - the code
+ *           should silently tolerate them.  I have also fixed things
+ *           lint complained about 04/05/95
+ *
+ * 1.6 eay - Fixed an invalid pointers in contract/expand 27/07/92
+ *
+ * 1.5 eay - Fixed a misuse of realloc in expand 02/03/1992
+ *
+ * 1.4 eay - Fixed lh_doall so the function can call lh_delete 28/05/91
+ *
+ * 1.3 eay - Fixed a few lint problems 19/3/1991
+ *
+ * 1.2 eay - Fixed lh_doall problem 13/3/1991
+ *
+ * 1.1 eay - Added lh_doall
+ *
+ * 1.0 eay - First version
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+
+const char *lh_version="lhash" OPENSSL_VERSION_PTEXT;
+
+#undef MIN_NODES 
+#define MIN_NODES	16
+#define UP_LOAD		(2*LH_LOAD_MULT) /* load times 256  (default 2) */
+#define DOWN_LOAD	(LH_LOAD_MULT)   /* load times 256  (default 1) */
+
+static void expand(LHASH *lh);
+static void contract(LHASH *lh);
+static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash);
+
+LHASH *lh_new(unsigned long (*h)(), int (*c)())
+	{
+	LHASH *ret;
+	int i;
+
+	if ((ret=(LHASH *)Malloc(sizeof(LHASH))) == NULL)
+		goto err0;
+	if ((ret->b=(LHASH_NODE **)Malloc(sizeof(LHASH_NODE *)*MIN_NODES)) == NULL)
+		goto err1;
+	for (i=0; i<MIN_NODES; i++)
+		ret->b[i]=NULL;
+	ret->comp=((c == NULL)?(int (*)())strcmp:c);
+	ret->hash=((h == NULL)?(unsigned long (*)())lh_strhash:h);
+	ret->num_nodes=MIN_NODES/2;
+	ret->num_alloc_nodes=MIN_NODES;
+	ret->p=0;
+	ret->pmax=MIN_NODES/2;
+	ret->up_load=UP_LOAD;
+	ret->down_load=DOWN_LOAD;
+	ret->num_items=0;
+
+	ret->num_expands=0;
+	ret->num_expand_reallocs=0;
+	ret->num_contracts=0;
+	ret->num_contract_reallocs=0;
+	ret->num_hash_calls=0;
+	ret->num_comp_calls=0;
+	ret->num_insert=0;
+	ret->num_replace=0;
+	ret->num_delete=0;
+	ret->num_no_delete=0;
+	ret->num_retrieve=0;
+	ret->num_retrieve_miss=0;
+	ret->num_hash_comps=0;
+
+	ret->error=0;
+	return(ret);
+err1:
+	Free(ret);
+err0:
+	return(NULL);
+	}
+
+void lh_free(LHASH *lh)
+	{
+	unsigned int i;
+	LHASH_NODE *n,*nn;
+
+	if (lh == NULL)
+	    return;
+
+	for (i=0; i<lh->num_nodes; i++)
+		{
+		n=lh->b[i];
+		while (n != NULL)
+			{
+			nn=n->next;
+			Free(n);
+			n=nn;
+			}
+		}
+	Free(lh->b);
+	Free(lh);
+	}
+
+void *lh_insert(LHASH *lh, void *data)
+	{
+	unsigned long hash;
+	LHASH_NODE *nn,**rn;
+	void *ret;
+
+	lh->error=0;
+	if (lh->up_load <= (lh->num_items*LH_LOAD_MULT/lh->num_nodes))
+		expand(lh);
+
+	rn=getrn(lh,data,&hash);
+
+	if (*rn == NULL)
+		{
+		if ((nn=(LHASH_NODE *)Malloc(sizeof(LHASH_NODE))) == NULL)
+			{
+			lh->error++;
+			return(NULL);
+			}
+		nn->data=data;
+		nn->next=NULL;
+#ifndef NO_HASH_COMP
+		nn->hash=hash;
+#endif
+		*rn=nn;
+		ret=NULL;
+		lh->num_insert++;
+		lh->num_items++;
+		}
+	else /* replace same key */
+		{
+		ret= (*rn)->data;
+		(*rn)->data=data;
+		lh->num_replace++;
+		}
+	return(ret);
+	}
+
+void *lh_delete(LHASH *lh, void *data)
+	{
+	unsigned long hash;
+	LHASH_NODE *nn,**rn;
+	void *ret;
+
+	lh->error=0;
+	rn=getrn(lh,data,&hash);
+
+	if (*rn == NULL)
+		{
+		lh->num_no_delete++;
+		return(NULL);
+		}
+	else
+		{
+		nn= *rn;
+		*rn=nn->next;
+		ret=nn->data;
+		Free(nn);
+		lh->num_delete++;
+		}
+
+	lh->num_items--;
+	if ((lh->num_nodes > MIN_NODES) &&
+		(lh->down_load >= (lh->num_items*LH_LOAD_MULT/lh->num_nodes)))
+		contract(lh);
+
+	return(ret);
+	}
+
+void *lh_retrieve(LHASH *lh, void *data)
+	{
+	unsigned long hash;
+	LHASH_NODE **rn;
+	void *ret;
+
+	lh->error=0;
+	rn=getrn(lh,data,&hash);
+
+	if (*rn == NULL)
+		{
+		lh->num_retrieve_miss++;
+		return(NULL);
+		}
+	else
+		{
+		ret= (*rn)->data;
+		lh->num_retrieve++;
+		}
+	return(ret);
+	}
+
+void lh_doall(LHASH *lh, void (*func)())
+	{
+	lh_doall_arg(lh,func,NULL);
+	}
+
+void lh_doall_arg(LHASH *lh, void (*func)(), void *arg)
+	{
+	int i;
+	LHASH_NODE *a,*n;
+
+	/* reverse the order so we search from 'top to bottom'
+	 * We were having memory leaks otherwise */
+	for (i=lh->num_nodes-1; i>=0; i--)
+		{
+		a=lh->b[i];
+		while (a != NULL)
+			{
+			/* 28/05/91 - eay - n added so items can be deleted
+			 * via lh_doall */
+			n=a->next;
+			func(a->data,arg);
+			a=n;
+			}
+		}
+	}
+
+static void expand(LHASH *lh)
+	{
+	LHASH_NODE **n,**n1,**n2,*np;
+	unsigned int p,i,j;
+	unsigned long hash,nni;
+
+	lh->num_nodes++;
+	lh->num_expands++;
+	p=(int)lh->p++;
+	n1= &(lh->b[p]);
+	n2= &(lh->b[p+(int)lh->pmax]);
+	*n2=NULL;        /* 27/07/92 - eay - undefined pointer bug */
+	nni=lh->num_alloc_nodes;
+	
+	for (np= *n1; np != NULL; )
+		{
+#ifndef NO_HASH_COMP
+		hash=np->hash;
+#else
+		hash=(*(lh->hash))(np->data);
+		lh->num_hash_calls++;
+#endif
+		if ((hash%nni) != p)
+			{ /* move it */
+			*n1= (*n1)->next;
+			np->next= *n2;
+			*n2=np;
+			}
+		else
+			n1= &((*n1)->next);
+		np= *n1;
+		}
+
+	if ((lh->p) >= lh->pmax)
+		{
+		j=(int)lh->num_alloc_nodes*2;
+		n=(LHASH_NODE **)Realloc(lh->b,
+			(unsigned int)sizeof(LHASH_NODE *)*j);
+		if (n == NULL)
+			{
+/*			fputs("realloc error in lhash",stderr); */
+			lh->error++;
+			lh->p=0;
+			return;
+			}
+		/* else */
+		for (i=(int)lh->num_alloc_nodes; i<j; i++)/* 26/02/92 eay */
+			n[i]=NULL;			  /* 02/03/92 eay */
+		lh->pmax=lh->num_alloc_nodes;
+		lh->num_alloc_nodes=j;
+		lh->num_expand_reallocs++;
+		lh->p=0;
+		lh->b=n;
+		}
+	}
+
+static void contract(LHASH *lh)
+	{
+	LHASH_NODE **n,*n1,*np;
+
+	np=lh->b[lh->p+lh->pmax-1];
+	lh->b[lh->p+lh->pmax-1]=NULL; /* 24/07-92 - eay - weird but :-( */
+	if (lh->p == 0)
+		{
+		n=(LHASH_NODE **)Realloc(lh->b,
+			(unsigned int)(sizeof(LHASH_NODE *)*lh->pmax));
+		if (n == NULL)
+			{
+/*			fputs("realloc error in lhash",stderr); */
+			lh->error++;
+			return;
+			}
+		lh->num_contract_reallocs++;
+		lh->num_alloc_nodes/=2;
+		lh->pmax/=2;
+		lh->p=lh->pmax-1;
+		lh->b=n;
+		}
+	else
+		lh->p--;
+
+	lh->num_nodes--;
+	lh->num_contracts++;
+
+	n1=lh->b[(int)lh->p];
+	if (n1 == NULL)
+		lh->b[(int)lh->p]=np;
+	else
+		{
+		while (n1->next != NULL)
+			n1=n1->next;
+		n1->next=np;
+		}
+	}
+
+static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
+	{
+	LHASH_NODE **ret,*n1;
+	unsigned long hash,nn;
+	int (*cf)();
+
+	hash=(*(lh->hash))(data);
+	lh->num_hash_calls++;
+	*rhash=hash;
+
+	nn=hash%lh->pmax;
+	if (nn < lh->p)
+		nn=hash%lh->num_alloc_nodes;
+
+	cf=lh->comp;
+	ret= &(lh->b[(int)nn]);
+	for (n1= *ret; n1 != NULL; n1=n1->next)
+		{
+#ifndef NO_HASH_COMP
+		lh->num_hash_comps++;
+		if (n1->hash != hash)
+			{
+			ret= &(n1->next);
+			continue;
+			}
+#endif
+		lh->num_comp_calls++;
+		if ((*cf)(n1->data,data) == 0)
+			break;
+		ret= &(n1->next);
+		}
+	return(ret);
+	}
+
+/* The following hash seems to work very well on normal text strings
+ * no collisions on /usr/dict/words and it distributes on %2^n quite
+ * well, not as good as MD5, but still good.
+ */
+unsigned long lh_strhash(const char *c)
+	{
+	unsigned long ret=0;
+	long n;
+	unsigned long v;
+	int r;
+
+	if ((c == NULL) || (*c == '\0'))
+		return(ret);
+/*
+	unsigned char b[16];
+	MD5(c,strlen(c),b);
+	return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24)); 
+*/
+
+	n=0x100;
+	while (*c)
+		{
+		v=n|(*c);
+		n+=0x100;
+		r= (int)((v>>2)^v)&0x0f;
+		ret=(ret<<r)|(ret>>(32-r));
+		ret&=0xFFFFFFFFL;
+		ret^=v*v;
+		c++;
+		}
+	return((ret>>16)^ret);
+	}
+
+unsigned long lh_num_items(LHASH *lh)
+	{
+	return lh ? lh->num_items : 0;
+	}
diff --git a/crypto/openssl/crypto/lhash/lhash.h b/crypto/openssl/crypto/lhash/lhash.h
new file mode 100644
index 0000000..d315fd9
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/lhash.h
@@ -0,0 +1,145 @@
+/* crypto/lhash/lhash.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Header for dynamic hash table routines
+ * Author - Eric Young
+ */
+
+#ifndef HEADER_LHASH_H
+#define HEADER_LHASH_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifndef NO_FP_API
+#include <stdio.h>
+#endif
+
+typedef struct lhash_node_st
+	{
+	void *data;
+	struct lhash_node_st *next;
+#ifndef NO_HASH_COMP
+	unsigned long hash;
+#endif
+	} LHASH_NODE;
+
+typedef struct lhash_st
+	{
+	LHASH_NODE **b;
+	int (*comp)();
+	unsigned long (*hash)();
+	unsigned int num_nodes;
+	unsigned int num_alloc_nodes;
+	unsigned int p;
+	unsigned int pmax;
+	unsigned long up_load; /* load times 256 */
+	unsigned long down_load; /* load times 256 */
+	unsigned long num_items;
+
+	unsigned long num_expands;
+	unsigned long num_expand_reallocs;
+	unsigned long num_contracts;
+	unsigned long num_contract_reallocs;
+	unsigned long num_hash_calls;
+	unsigned long num_comp_calls;
+	unsigned long num_insert;
+	unsigned long num_replace;
+	unsigned long num_delete;
+	unsigned long num_no_delete;
+	unsigned long num_retrieve;
+	unsigned long num_retrieve_miss;
+	unsigned long num_hash_comps;
+
+	int error;
+	} LHASH;
+
+#define LH_LOAD_MULT	256
+
+/* Indicates a malloc() error in the last call, this is only bad
+ * in lh_insert(). */
+#define lh_error(lh)	((lh)->error)
+
+LHASH *lh_new(unsigned long (*h)(/* void *a */), int (*c)(/* void *a,void *b */));
+void lh_free(LHASH *lh);
+void *lh_insert(LHASH *lh, void *data);
+void *lh_delete(LHASH *lh, void *data);
+void *lh_retrieve(LHASH *lh, void *data);
+    void lh_doall(LHASH *lh, void (*func)(/*void *b*/));
+void lh_doall_arg(LHASH *lh, void (*func)(/*void *a,void *b*/),void *arg);
+unsigned long lh_strhash(const char *c);
+unsigned long lh_num_items(LHASH *lh);
+
+#ifndef NO_FP_API
+void lh_stats(LHASH *lh, FILE *out);
+void lh_node_stats(LHASH *lh, FILE *out);
+void lh_node_usage_stats(LHASH *lh, FILE *out);
+#endif
+
+#ifdef HEADER_BIO_H
+void lh_stats_bio(LHASH *lh, BIO *out);
+void lh_node_stats_bio(LHASH *lh, BIO *out);
+void lh_node_usage_stats_bio(LHASH *lh, BIO *out);
+#endif
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/crypto/openssl/crypto/lhash/num.pl b/crypto/openssl/crypto/lhash/num.pl
new file mode 100644
index 0000000..30fedf9
--- /dev/null
+++ b/crypto/openssl/crypto/lhash/num.pl
@@ -0,0 +1,17 @@
+#!/usr/local/bin/perl
+
+#node     10 ->   4
+
+while (<>)
+	{
+	next unless /^node/;
+	chop;
+	@a=split;
+	$num{$a[3]}++;
+	}
+
+@a=sort {$a <=> $b } keys %num;
+foreach (0 .. $a[$#a])
+	{
+	printf "%4d:%4d\n",$_,$num{$_};
+	}
diff --git a/crypto/openssl/crypto/md2/Makefile.save b/crypto/openssl/crypto/md2/Makefile.save
new file mode 100644
index 0000000..cf90965
--- /dev/null
+++ b/crypto/openssl/crypto/md2/Makefile.save
@@ -0,0 +1,88 @@
+#
+# SSLeay/crypto/md/Makefile
+#
+
+DIR=	md
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=md2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md2_dgst.c md2_one.c
+LIBOBJ=md2_dgst.o md2_one.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= md2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
+md2_dgst.o: ../../include/openssl/opensslv.h
+md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md2_one.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
+md2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_one.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl
new file mode 100644
index 0000000..cf90965
--- /dev/null
+++ b/crypto/openssl/crypto/md2/Makefile.ssl
@@ -0,0 +1,88 @@
+#
+# SSLeay/crypto/md/Makefile
+#
+
+DIR=	md
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=md2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md2_dgst.c md2_one.c
+LIBOBJ=md2_dgst.o md2_one.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= md2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
+md2_dgst.o: ../../include/openssl/opensslv.h
+md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md2_one.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
+md2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_one.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/md2/md2.c b/crypto/openssl/crypto/md2/md2.c
new file mode 100644
index 0000000..f4d6f62
--- /dev/null
+++ b/crypto/openssl/crypto/md2/md2.c
@@ -0,0 +1,124 @@
+/* crypto/md2/md2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md2.h>
+
+#define BUFSIZE	1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+int read(int, void *, unsigned int);
+void exit(int);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	FILE *IN;
+
+	if (argc == 1)
+		{
+		do_fp(stdin);
+		}
+	else
+		{
+		for (i=1; i<argc; i++)
+			{
+			IN=fopen(argv[i],"r");
+			if (IN == NULL)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("MD2(%s)= ",argv[i]);
+			do_fp(IN);
+			fclose(IN);
+			}
+		}
+	exit(err);
+	return(err);
+	}
+
+void do_fp(FILE *f)
+	{
+	MD2_CTX c;
+	unsigned char md[MD2_DIGEST_LENGTH];
+	int fd,i;
+	static unsigned char buf[BUFSIZE];
+
+	fd=fileno(f);
+	MD2_Init(&c);
+	for (;;)
+		{
+		i=read(fd,buf,BUFSIZE);
+		if (i <= 0) break;
+		MD2_Update(&c,buf,(unsigned long)i);
+		}
+	MD2_Final(&(md[0]),&c);
+	pt(md);
+	}
+
+void pt(unsigned char *md)
+	{
+	int i;
+
+	for (i=0; i<MD2_DIGEST_LENGTH; i++)
+		printf("%02x",md[i]);
+	printf("\n");
+	}
diff --git a/crypto/openssl/crypto/md2/md2.h b/crypto/openssl/crypto/md2/md2.h
new file mode 100644
index 0000000..582bffb
--- /dev/null
+++ b/crypto/openssl/crypto/md2/md2.h
@@ -0,0 +1,91 @@
+/* crypto/md/md2.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD2_H
+#define HEADER_MD2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_MD2
+#error MD2 is disabled.
+#endif
+
+#define MD2_DIGEST_LENGTH	16
+#define MD2_BLOCK       	16
+#include <openssl/opensslconf.h> /* MD2_INT */
+
+typedef struct MD2state_st
+	{
+	int num;
+	unsigned char data[MD2_BLOCK];
+	MD2_INT cksm[MD2_BLOCK];
+	MD2_INT state[MD2_BLOCK];
+	} MD2_CTX;
+
+const char *MD2_options(void);
+void MD2_Init(MD2_CTX *c);
+void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
+void MD2_Final(unsigned char *md, MD2_CTX *c);
+unsigned char *MD2(const unsigned char *d, unsigned long n,unsigned char *md);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/md2/md2_dgst.c b/crypto/openssl/crypto/md2/md2_dgst.c
new file mode 100644
index 0000000..608baef
--- /dev/null
+++ b/crypto/openssl/crypto/md2/md2_dgst.c
@@ -0,0 +1,223 @@
+/* crypto/md2/md2_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/md2.h>
+#include <openssl/opensslv.h>
+
+const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
+
+/* Implemented from RFC1319 The MD2 Message-Digest Algorithm
+ */
+
+#define UCHAR	unsigned char
+
+static void md2_block(MD2_CTX *c, const unsigned char *d);
+/* The magic S table - I have converted it to hex since it is
+ * basically just a random byte string. */
+static MD2_INT S[256]={
+	0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01,
+	0x3D, 0x36, 0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13,
+	0x62, 0xA7, 0x05, 0xF3, 0xC0, 0xC7, 0x73, 0x8C,
+	0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C, 0x82, 0xCA,
+	0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
+	0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12,
+	0xBE, 0x4E, 0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49,
+	0xA0, 0xFB, 0xF5, 0x8E, 0xBB, 0x2F, 0xEE, 0x7A,
+	0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2, 0x07, 0x3F,
+	0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
+	0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27,
+	0x35, 0x3E, 0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03,
+	0xFF, 0x19, 0x30, 0xB3, 0x48, 0xA5, 0xB5, 0xD1,
+	0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56, 0xAA, 0xC6,
+	0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
+	0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1,
+	0x45, 0x9D, 0x70, 0x59, 0x64, 0x71, 0x87, 0x20,
+	0x86, 0x5B, 0xCF, 0x65, 0xE6, 0x2D, 0xA8, 0x02,
+	0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0, 0xB9, 0xF6,
+	0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
+	0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A,
+	0xC3, 0x5C, 0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26,
+	0x2C, 0x53, 0x0D, 0x6E, 0x85, 0x28, 0x84, 0x09,
+	0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81, 0x4D, 0x52,
+	0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
+	0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A,
+	0x78, 0x88, 0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D,
+	0xE9, 0xCB, 0xD5, 0xFE, 0x3B, 0x00, 0x1D, 0x39,
+	0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58, 0xD0, 0xE4,
+	0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
+	0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A,
+	0xDB, 0x99, 0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14,
+	};
+
+const char *MD2_options(void)
+	{
+	if (sizeof(MD2_INT) == 1)
+		return("md2(char)");
+	else
+		return("md2(int)");
+	}
+
+void MD2_Init(MD2_CTX *c)
+	{
+	c->num=0;
+	memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT));
+	memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT));
+	memset(c->data,0,MD2_BLOCK);
+	}
+
+void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
+	{
+	register UCHAR *p;
+
+	if (len == 0) return;
+
+	p=c->data;
+	if (c->num != 0)
+		{
+		if ((c->num+len) >= MD2_BLOCK)
+			{
+			memcpy(&(p[c->num]),data,MD2_BLOCK-c->num);
+			md2_block(c,c->data);
+			data+=(MD2_BLOCK - c->num);
+			len-=(MD2_BLOCK - c->num);
+			c->num=0;
+			/* drop through and do the rest */
+			}
+		else
+			{
+			memcpy(&(p[c->num]),data,(int)len);
+			/* data+=len; */
+			c->num+=(int)len;
+			return;
+			}
+		}
+	/* we now can process the input data in blocks of MD2_BLOCK
+	 * chars and save the leftovers to c->data. */
+	while (len >= MD2_BLOCK)
+		{
+		md2_block(c,data);
+		data+=MD2_BLOCK;
+		len-=MD2_BLOCK;
+		}
+	memcpy(p,data,(int)len);
+	c->num=(int)len;
+	}
+
+static void md2_block(MD2_CTX *c, const unsigned char *d)
+	{
+	register MD2_INT t,*sp1,*sp2;
+	register int i,j;
+	MD2_INT state[48];
+
+	sp1=c->state;
+	sp2=c->cksm;
+	j=sp2[MD2_BLOCK-1];
+	for (i=0; i<16; i++)
+		{
+		state[i]=sp1[i];
+		state[i+16]=t=d[i];
+		state[i+32]=(t^sp1[i]);
+		j=sp2[i]^=S[t^j];
+		}
+	t=0;
+	for (i=0; i<18; i++)
+		{
+		for (j=0; j<48; j+=8)
+			{
+			t= state[j+ 0]^=S[t];
+			t= state[j+ 1]^=S[t];
+			t= state[j+ 2]^=S[t];
+			t= state[j+ 3]^=S[t];
+			t= state[j+ 4]^=S[t];
+			t= state[j+ 5]^=S[t];
+			t= state[j+ 6]^=S[t];
+			t= state[j+ 7]^=S[t];
+			}
+		t=(t+i)&0xff;
+		}
+	memcpy(sp1,state,16*sizeof(MD2_INT));
+	memset(state,0,48*sizeof(MD2_INT));
+	}
+
+void MD2_Final(unsigned char *md, MD2_CTX *c)
+	{
+	int i,v;
+	register UCHAR *cp;
+	register MD2_INT *p1,*p2;
+
+	cp=c->data;
+	p1=c->state;
+	p2=c->cksm;
+	v=MD2_BLOCK-c->num;
+	for (i=c->num; i<MD2_BLOCK; i++)
+		cp[i]=(UCHAR)v;
+
+	md2_block(c,cp);
+
+	for (i=0; i<MD2_BLOCK; i++)
+		cp[i]=(UCHAR)p2[i];
+	md2_block(c,cp);
+
+	for (i=0; i<16; i++)
+		md[i]=(UCHAR)(p1[i]&0xff);
+	memset((char *)&c,0,sizeof(c));
+	}
+
diff --git a/crypto/openssl/crypto/md2/md2_one.c b/crypto/openssl/crypto/md2/md2_one.c
new file mode 100644
index 0000000..b12c37c
--- /dev/null
+++ b/crypto/openssl/crypto/md2/md2_one.c
@@ -0,0 +1,93 @@
+/* crypto/md2/md2_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/md2.h>
+
+/* This is a separate file so that #defines in cryptlib.h can
+ * map my MD functions to different names */
+
+unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
+	{
+	MD2_CTX c;
+	static unsigned char m[MD2_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	MD2_Init(&c);
+#ifndef CHARSET_EBCDIC
+	MD2_Update(&c,d,n);
+#else
+	{
+		char temp[1024];
+		unsigned long chunk;
+
+		while (n > 0)
+		{
+			chunk = (n > sizeof(temp)) ? sizeof(temp) : n;
+			ebcdic2ascii(temp, d, chunk);
+			MD2_Update(&c,temp,chunk);
+			n -= chunk;
+			d += chunk;
+		}
+	}
+#endif
+	MD2_Final(md,&c);
+	memset(&c,0,sizeof(c));	/* Security consideration */
+	return(md);
+	}
diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c
new file mode 100644
index 0000000..e3f4fb4
--- /dev/null
+++ b/crypto/openssl/crypto/md2/md2test.c
@@ -0,0 +1,135 @@
+/* crypto/md2/md2test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef NO_MD2
+int main(int argc, char *argv[])
+{
+    printf("No MD2 support\n");
+    return(0);
+}
+#else
+#include <openssl/md2.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static char *test[]={
+	"",
+	"a",
+	"abc",
+	"message digest",
+	"abcdefghijklmnopqrstuvwxyz",
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	"12345678901234567890123456789012345678901234567890123456789012345678901234567890",
+	NULL,
+	};
+
+static char *ret[]={
+	"8350e5a3e24c153df2275c9f80692773",
+	"32ec01ec4a6dac72c0ab96fb34c0b5d1",
+	"da853b0d3f88d99b30283a69e6ded6bb",
+	"ab4f496bfb2a530b219ff33031fe06b0",
+	"4e8ddff3650292ab5a4108c3aa47940b",
+	"da33def2a42df13975352846c30338cd",
+	"d5976f79d83d3a0dc9806c3c66f3efd8",
+	};
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	char **P,**R;
+	char *p;
+
+	P=test;
+	R=ret;
+	i=1;
+	while (*P != NULL)
+		{
+		p=pt(MD2((unsigned char *)*P,(unsigned long)strlen(*P),NULL));
+		if (strcmp(p,*R) != 0)
+			{
+			printf("error calculating MD2 on '%s'\n",*P);
+			printf("got %s instead of %s\n",p,*R);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		i++;
+		R++;
+		P++;
+		}
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<MD2_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h
new file mode 100644
index 0000000..1a404a4
--- /dev/null
+++ b/crypto/openssl/crypto/md32_common.h
@@ -0,0 +1,607 @@
+/* crypto/md32_common.h */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This is a generic 32 bit "collector" for message digest algorithms.
+ * Whenever needed it collects input character stream into chunks of
+ * 32 bit values and invokes a block function that performs actual hash
+ * calculations.
+ *
+ * Porting guide.
+ *
+ * Obligatory macros:
+ *
+ * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
+ *	this macro defines byte order of input stream.
+ * HASH_CBLOCK
+ *	size of a unit chunk HASH_BLOCK operates on.
+ * HASH_LONG
+ *	has to be at lest 32 bit wide, if it's wider, then
+ *	HASH_LONG_LOG2 *has to* be defined along
+ * HASH_CTX
+ *	context structure that at least contains following
+ *	members:
+ *		typedef struct {
+ *			...
+ *			HASH_LONG	Nl,Nh;
+ *			HASH_LONG	data[HASH_LBLOCK];
+ *			int		num;
+ *			...
+ *			} HASH_CTX;
+ * HASH_UPDATE
+ *	name of "Update" function, implemented here.
+ * HASH_TRANSFORM
+ *	name of "Transform" function, implemented here.
+ * HASH_FINAL
+ *	name of "Final" function, implemented here.
+ * HASH_BLOCK_HOST_ORDER
+ *	name of "block" function treating *aligned* input message
+ *	in host byte order, implemented externally.
+ * HASH_BLOCK_DATA_ORDER
+ *	name of "block" function treating *unaligned* input message
+ *	in original (data) byte order, implemented externally (it
+ *	actually is optional if data and host are of the same
+ *	"endianess").
+ * HASH_MAKE_STRING
+ *	macro convering context variables to an ASCII hash string.
+ *
+ * Optional macros:
+ *
+ * B_ENDIAN or L_ENDIAN
+ *	defines host byte-order.
+ * HASH_LONG_LOG2
+ *	defaults to 2 if not states otherwise.
+ * HASH_LBLOCK
+ *	assumed to be HASH_CBLOCK/4 if not stated otherwise.
+ * HASH_BLOCK_DATA_ORDER_ALIGNED
+ *	alternative "block" function capable of treating
+ *	aligned input message in original (data) order,
+ *	implemented externally.
+ *
+ * MD5 example:
+ *
+ *	#define DATA_ORDER_IS_LITTLE_ENDIAN
+ *
+ *	#define HASH_LONG		MD5_LONG
+ *	#define HASH_LONG_LOG2		MD5_LONG_LOG2
+ *	#define HASH_CTX		MD5_CTX
+ *	#define HASH_CBLOCK		MD5_CBLOCK
+ *	#define HASH_LBLOCK		MD5_LBLOCK
+ *	#define HASH_UPDATE		MD5_Update
+ *	#define HASH_TRANSFORM		MD5_Transform
+ *	#define HASH_FINAL		MD5_Final
+ *	#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
+ *	#define HASH_BLOCK_DATA_ORDER	md5_block_data_order
+ *
+ *					<appro@fy.chalmers.se>
+ */
+
+#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#error "DATA_ORDER must be defined!"
+#endif
+
+#ifndef HASH_CBLOCK
+#error "HASH_CBLOCK must be defined!"
+#endif
+#ifndef HASH_LONG
+#error "HASH_LONG must be defined!"
+#endif
+#ifndef HASH_CTX
+#error "HASH_CTX must be defined!"
+#endif
+
+#ifndef HASH_UPDATE
+#error "HASH_UPDATE must be defined!"
+#endif
+#ifndef HASH_TRANSFORM
+#error "HASH_TRANSFORM must be defined!"
+#endif
+#ifndef HASH_FINAL
+#error "HASH_FINAL must be defined!"
+#endif
+
+#ifndef HASH_BLOCK_HOST_ORDER
+#error "HASH_BLOCK_HOST_ORDER must be defined!"
+#endif
+
+#if 0
+/*
+ * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
+ * isn't defined.
+ */
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#ifndef HASH_LBLOCK
+#define HASH_LBLOCK	(HASH_CBLOCK/4)
+#endif
+
+#ifndef HASH_LONG_LOG2
+#define HASH_LONG_LOG2	2
+#endif
+
+/*
+ * Engage compiler specific rotate intrinsic function if available.
+ */
+#undef ROTATE
+#ifndef PEDANTIC
+# if defined(_MSC_VER)
+#  define ROTATE(a,n)	_lrotl(a,n)
+# elif defined(__MWERKS__)
+#  if defined(__POWERPC__)
+#   define ROTATE(a,n)	__rlwinm(a,n,0,31)
+#  elif defined(__MC68K__)
+    /* Motorola specific tweak. <appro@fy.chalmers.se> */
+#   define ROTATE(a,n)	( n<24 ? __rol(a,n) : __ror(a,32-n) )
+#  else
+#   define ROTATE(a,n)	__rol(a,n)
+#  endif
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
+  /*
+   * Some GNU C inline assembler templates. Note that these are
+   * rotates by *constant* number of bits! But that's exactly
+   * what we need here...
+   *
+   * 					<appro@fy.chalmers.se>
+   */
+#  if defined(__i386)
+#   define ROTATE(a,n)	({ register unsigned int ret;	\
+				asm (			\
+				"roll %1,%0"		\
+				: "=r"(ret)		\
+				: "I"(n), "0"(a)	\
+				: "cc");		\
+			   ret;				\
+			})
+#  elif defined(__powerpc) || defined(__ppc)
+#   define ROTATE(a,n)	({ register unsigned int ret;	\
+				asm (			\
+				"rlwinm %0,%1,%2,0,31"	\
+				: "=r"(ret)		\
+				: "r"(a), "I"(n));	\
+			   ret;				\
+			})
+#  endif
+# endif
+
+/*
+ * Engage compiler specific "fetch in reverse byte order"
+ * intrinsic function if available.
+ */
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
+  /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
+#  if defined(__i386) && !defined(I386_ONLY)
+#   define BE_FETCH32(a)	({ register unsigned int l=(a);\
+				asm (			\
+				"bswapl %0"		\
+				: "=r"(l) : "0"(l));	\
+			  l;				\
+			})
+#  elif defined(__powerpc)
+#   define LE_FETCH32(a)	({ register unsigned int l;	\
+				asm (			\
+				"lwbrx %0,0,%1"		\
+				: "=r"(l)		\
+				: "r"(a));		\
+			   l;				\
+			})
+
+#  elif defined(__sparc) && defined(ULTRASPARC)
+#  define LE_FETCH32(a)	({ register unsigned int l;		\
+				asm (				\
+				"lda [%1]#ASI_PRIMARY_LITTLE,%0"\
+				: "=r"(l)			\
+				: "r"(a));			\
+			   l;					\
+			})
+#  endif
+# endif
+#endif /* PEDANTIC */
+
+#if HASH_LONG_LOG2==2	/* Engage only if sizeof(HASH_LONG)== 4 */
+/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
+#ifdef ROTATE
+/* 5 instructions with rotate instruction, else 9 */
+#define REVERSE_FETCH32(a,l)	(					\
+		l=*(const HASH_LONG *)(a),				\
+		((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))	\
+				)
+#else
+/* 6 instructions with rotate instruction, else 8 */
+#define REVERSE_FETCH32(a,l)	(				\
+		l=*(const HASH_LONG *)(a),			\
+		l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),	\
+		ROTATE(l,16)					\
+				)
+/*
+ * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
+ * It's rewritten as above for two reasons:
+ *	- RISCs aren't good at long constants and have to explicitely
+ *	  compose 'em with several (well, usually 2) instructions in a
+ *	  register before performing the actual operation and (as you
+ *	  already realized:-) having same constant should inspire the
+ *	  compiler to permanently allocate the only register for it;
+ *	- most modern CPUs have two ALUs, but usually only one has
+ *	  circuitry for shifts:-( this minor tweak inspires compiler
+ *	  to schedule shift instructions in a better way...
+ *
+ *				<appro@fy.chalmers.se>
+ */
+#endif
+#endif
+
+#ifndef ROTATE
+#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#endif
+
+/*
+ * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
+ * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
+ * and host are of the same "endianess". It's possible to mask
+ * this with blank #define HASH_BLOCK_DATA_ORDER though...
+ *
+ *				<appro@fy.chalmers.se>
+ */
+#if defined(B_ENDIAN)
+#  if defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef LE_FETCH32
+#        define HOST_FETCH32(p,l)	LE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#elif defined(L_ENDIAN)
+#  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef BE_FETCH32
+#        define HOST_FETCH32(p,l)	BE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#endif
+
+#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+
+#define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))<<24),		\
+			 l|=(((unsigned long)(*((c)++)))<<16),		\
+			 l|=(((unsigned long)(*((c)++)))<< 8),		\
+			 l|=(((unsigned long)(*((c)++)))    ),		\
+			 l)
+#define HOST_p_c2l(c,l,n)	{					\
+			switch (n) {					\
+			case 0: l =((unsigned long)(*((c)++)))<<24;	\
+			case 1: l|=((unsigned long)(*((c)++)))<<16;	\
+			case 2: l|=((unsigned long)(*((c)++)))<< 8;	\
+			case 3: l|=((unsigned long)(*((c)++)));		\
+				} }
+#define HOST_p_c2l_p(c,l,sc,len) {					\
+			switch (sc) {					\
+			case 0: l =((unsigned long)(*((c)++)))<<24;	\
+				if (--len == 0) break;			\
+			case 1: l|=((unsigned long)(*((c)++)))<<16;	\
+				if (--len == 0) break;			\
+			case 2: l|=((unsigned long)(*((c)++)))<< 8;	\
+				} }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)	{					\
+			l=0; (c)+=n;					\
+			switch (n) {					\
+			case 3: l =((unsigned long)(*(--(c))))<< 8;	\
+			case 2: l|=((unsigned long)(*(--(c))))<<16;	\
+			case 1: l|=((unsigned long)(*(--(c))))<<24;	\
+				} }
+#define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff),	\
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
+			 *((c)++)=(unsigned char)(((l)    )&0xff),	\
+			 l)
+
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+
+#define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ),		\
+			 l|=(((unsigned long)(*((c)++)))<< 8),		\
+			 l|=(((unsigned long)(*((c)++)))<<16),		\
+			 l|=(((unsigned long)(*((c)++)))<<24),		\
+			 l)
+#define HOST_p_c2l(c,l,n)	{					\
+			switch (n) {					\
+			case 0: l =((unsigned long)(*((c)++)));		\
+			case 1: l|=((unsigned long)(*((c)++)))<< 8;	\
+			case 2: l|=((unsigned long)(*((c)++)))<<16;	\
+			case 3: l|=((unsigned long)(*((c)++)))<<24;	\
+				} }
+#define HOST_p_c2l_p(c,l,sc,len) {					\
+			switch (sc) {					\
+			case 0: l =((unsigned long)(*((c)++)));		\
+				if (--len == 0) break;			\
+			case 1: l|=((unsigned long)(*((c)++)))<< 8;	\
+				if (--len == 0) break;			\
+			case 2: l|=((unsigned long)(*((c)++)))<<16;	\
+				} }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)	{					\
+			l=0; (c)+=n;					\
+			switch (n) {					\
+			case 3: l =((unsigned long)(*(--(c))))<<16;	\
+			case 2: l|=((unsigned long)(*(--(c))))<< 8;	\
+			case 1: l|=((unsigned long)(*(--(c))));		\
+				} }
+#define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff),	\
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
+			 *((c)++)=(unsigned char)(((l)>>24)&0xff),	\
+			 l)
+
+#endif
+
+/*
+ * Time for some action:-)
+ */
+
+void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
+	{
+	const unsigned char *data=data_;
+	register HASH_LONG * p;
+	register unsigned long l;
+	int sw,sc,ew,ec;
+
+	if (len==0) return;
+
+	l=(c->Nl+(len<<3))&0xffffffffL;
+	/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
+	 * Wei Dai <weidai@eskimo.com> for pointing it out. */
+	if (l < c->Nl) /* overflow */
+		c->Nh++;
+	c->Nh+=(len>>29);
+	c->Nl=l;
+
+	if (c->num != 0)
+		{
+		p=c->data;
+		sw=c->num>>2;
+		sc=c->num&0x03;
+
+		if ((c->num+len) >= HASH_CBLOCK)
+			{
+			l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+			for (; sw<HASH_LBLOCK; sw++)
+				{
+				HOST_c2l(data,l); p[sw]=l;
+				}
+			HASH_BLOCK_HOST_ORDER (c,p,1);
+			len-=(HASH_CBLOCK-c->num);
+			c->num=0;
+			/* drop through and do the rest */
+			}
+		else
+			{
+			c->num+=len;
+			if ((sc+len) < 4) /* ugly, add char's to a word */
+				{
+				l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
+				}
+			else
+				{
+				ew=(c->num>>2);
+				ec=(c->num&0x03);
+				l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+				for (; sw < ew; sw++)
+					{
+					HOST_c2l(data,l); p[sw]=l;
+					}
+				if (ec)
+					{
+					HOST_c2l_p(data,l,ec); p[sw]=l;
+					}
+				}
+			return;
+			}
+		}
+
+	sw=len/HASH_CBLOCK;
+	if (sw > 0)
+		{
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+		/*
+		 * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
+		 * only if sizeof(HASH_LONG)==4.
+		 */
+		if ((((unsigned long)data)%4) == 0)
+			{
+			/* data is properly aligned so that we can cast it: */
+			HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+			sw*=HASH_CBLOCK;
+			data+=sw;
+			len-=sw;
+			}
+		else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+			while (sw--)
+				{
+				memcpy (p=c->data,data,HASH_CBLOCK);
+				HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
+				data+=HASH_CBLOCK;
+				len-=HASH_CBLOCK;
+				}
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+			{
+			HASH_BLOCK_DATA_ORDER(c,data,sw);
+			sw*=HASH_CBLOCK;
+			data+=sw;
+			len-=sw;
+			}
+#endif
+		}
+
+	if (len!=0)
+		{
+		p = c->data;
+		c->num = len;
+		ew=len>>2;	/* words to copy */
+		ec=len&0x03;
+		for (; ew; ew--,p++)
+			{
+			HOST_c2l(data,l); *p=l;
+			}
+		HOST_c2l_p(data,l,ec);
+		*p=l;
+		}
+	}
+
+
+void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
+	{
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+	if ((((unsigned long)data)%4) == 0)
+		/* data is properly aligned so that we can cast it: */
+		HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+	else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+		{
+		memcpy (c->data,data,HASH_CBLOCK);
+		HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
+		}
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+	HASH_BLOCK_DATA_ORDER (c,data,1);
+#endif
+	}
+
+
+void HASH_FINAL (unsigned char *md, HASH_CTX *c)
+	{
+	register HASH_LONG *p;
+	register unsigned long l;
+	register int i,j;
+	static const unsigned char end[4]={0x80,0x00,0x00,0x00};
+	const unsigned char *cp=end;
+
+	/* c->num should definitly have room for at least one more byte. */
+	p=c->data;
+	i=c->num>>2;
+	j=c->num&0x03;
+
+#if 0
+	/* purify often complains about the following line as an
+	 * Uninitialized Memory Read.  While this can be true, the
+	 * following p_c2l macro will reset l when that case is true.
+	 * This is because j&0x03 contains the number of 'valid' bytes
+	 * already in p[i].  If and only if j&0x03 == 0, the UMR will
+	 * occur but this is also the only time p_c2l will do
+	 * l= *(cp++) instead of l|= *(cp++)
+	 * Many thanks to Alex Tang <altitude@cic.net> for pickup this
+	 * 'potential bug' */
+#ifdef PURIFY
+	if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
+#endif
+	l=p[i];
+#else
+	l = (j==0) ? 0 : p[i];
+#endif
+	HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
+
+	if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
+		{
+		if (i<HASH_LBLOCK) p[i]=0;
+		HASH_BLOCK_HOST_ORDER (c,p,1);
+		i=0;
+		}
+	for (; i<(HASH_LBLOCK-2); i++)
+		p[i]=0;
+
+#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
+	p[HASH_LBLOCK-2]=c->Nh;
+	p[HASH_LBLOCK-1]=c->Nl;
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+	p[HASH_LBLOCK-2]=c->Nl;
+	p[HASH_LBLOCK-1]=c->Nh;
+#endif
+	HASH_BLOCK_HOST_ORDER (c,p,1);
+
+#ifndef HASH_MAKE_STRING
+#error "HASH_MAKE_STRING must be defined!"
+#else
+	HASH_MAKE_STRING(c,md);
+#endif
+
+	c->num=0;
+	/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
+	 * but I'm not worried :-)
+	memset((void *)c,0,sizeof(HASH_CTX));
+	 */
+	}
diff --git a/crypto/openssl/crypto/md5/Makefile.save b/crypto/openssl/crypto/md5/Makefile.save
new file mode 100644
index 0000000..2c0489d
--- /dev/null
+++ b/crypto/openssl/crypto/md5/Makefile.save
@@ -0,0 +1,133 @@
+#
+# SSLeay/crypto/md5/Makefile
+#
+
+DIR=    md5
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+MD5_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAGS=$(CFLAGS)
+
+GENERAL=Makefile
+TEST=md5test.c
+APPS=md5.c
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md5_dgst.c md5_one.c
+LIBOBJ=md5_dgst.o md5_one.o $(MD5_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= md5.h
+HEADER= md5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/mx86-elf.o: asm/mx86unix.cpp
+	$(CPP) -DELF -x c asm/mx86unix.cpp | as -o asm/mx86-elf.o
+
+# solaris
+asm/mx86-sol.o: asm/mx86unix.cpp
+	$(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
+	as -o asm/mx86-sol.o asm/mx86-sol.s
+	rm -f asm/mx86-sol.s
+
+# a.out
+asm/mx86-out.o: asm/mx86unix.cpp
+	$(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o
+
+# bsdi
+asm/mx86bsdi.o: asm/mx86unix.cpp
+	$(CPP) -DBSDI asm/mx86unix.cpp | sed 's/ :/:/' | as -o asm/mx86bsdi.o
+
+asm/mx86unix.cpp: asm/md5-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) md5-586.pl cpp >mx86unix.cpp)
+
+asm/md5-sparcv8plus.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
+		-o asm/md5-sparcv8plus.o asm/md5-sparcv9.S
+
+# Old GNU assembler doesn't understand V9 instructions, so we
+# hire /usr/ccs/bin/as to do the job. Note that option is called
+# *-gcc27, but even gcc 2>=8 users may experience similar problem
+# if they didn't bother to upgrade GNU assembler. Such users should
+# not choose this option, but be adviced to *remove* GNU assembler
+# or upgrade it.
+asm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -E asm/md5-sparcv9.S | \
+		/usr/ccs/bin/as -xarch=v8plus - -o asm/md5-sparcv8plus-gcc27.o
+
+asm/md5-sparcv9.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
+		-o asm/md5-sparcv9.o asm/md5-sparcv9.S
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_locl.h
+md5_one.o: ../../include/openssl/md5.h
diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl
new file mode 100644
index 0000000..2c0489d
--- /dev/null
+++ b/crypto/openssl/crypto/md5/Makefile.ssl
@@ -0,0 +1,133 @@
+#
+# SSLeay/crypto/md5/Makefile
+#
+
+DIR=    md5
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+MD5_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAGS=$(CFLAGS)
+
+GENERAL=Makefile
+TEST=md5test.c
+APPS=md5.c
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md5_dgst.c md5_one.c
+LIBOBJ=md5_dgst.o md5_one.o $(MD5_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= md5.h
+HEADER= md5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/mx86-elf.o: asm/mx86unix.cpp
+	$(CPP) -DELF -x c asm/mx86unix.cpp | as -o asm/mx86-elf.o
+
+# solaris
+asm/mx86-sol.o: asm/mx86unix.cpp
+	$(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
+	as -o asm/mx86-sol.o asm/mx86-sol.s
+	rm -f asm/mx86-sol.s
+
+# a.out
+asm/mx86-out.o: asm/mx86unix.cpp
+	$(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o
+
+# bsdi
+asm/mx86bsdi.o: asm/mx86unix.cpp
+	$(CPP) -DBSDI asm/mx86unix.cpp | sed 's/ :/:/' | as -o asm/mx86bsdi.o
+
+asm/mx86unix.cpp: asm/md5-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) md5-586.pl cpp >mx86unix.cpp)
+
+asm/md5-sparcv8plus.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
+		-o asm/md5-sparcv8plus.o asm/md5-sparcv9.S
+
+# Old GNU assembler doesn't understand V9 instructions, so we
+# hire /usr/ccs/bin/as to do the job. Note that option is called
+# *-gcc27, but even gcc 2>=8 users may experience similar problem
+# if they didn't bother to upgrade GNU assembler. Such users should
+# not choose this option, but be adviced to *remove* GNU assembler
+# or upgrade it.
+asm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -E asm/md5-sparcv9.S | \
+		/usr/ccs/bin/as -xarch=v8plus - -o asm/md5-sparcv8plus-gcc27.o
+
+asm/md5-sparcv9.o: asm/md5-sparcv9.S
+	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
+		-o asm/md5-sparcv9.o asm/md5-sparcv9.S
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_locl.h
+md5_one.o: ../../include/openssl/md5.h
diff --git a/crypto/openssl/crypto/md5/Makefile.uni b/crypto/openssl/crypto/md5/Makefile.uni
new file mode 100644
index 0000000..d21c72f
--- /dev/null
+++ b/crypto/openssl/crypto/md5/Makefile.uni
@@ -0,0 +1,110 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+DIR=    md5
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+MD5_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=md5test
+APPS=md5
+
+LIB=libmd5.a
+LIBSRC=md5_dgst.c md5_one.c
+LIBOBJ=md5_dgst.o md5_one.o $(MD5_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= md5.h
+HEADER= md5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+# elf
+asm/mx86-elf.o: asm/mx86unix.cpp
+	$(CPP) -DELF asm/mx86unix.cpp | as -o asm/mx86-elf.o
+
+# solaris
+asm/mx86-sol.o: asm/mx86unix.cpp
+	$(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
+	as -o asm/mx86-sol.o asm/mx86-sol.s
+	rm -f asm/mx86-sol.s
+
+# a.out
+asm/mx86-out.o: asm/mx86unix.cpp
+	$(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o
+
+# bsdi
+asm/mx86bsdi.o: asm/mx86unix.cpp
+	$(CPP) -DBSDI asm/mx86unix.cpp | as -o asm/mx86bsdi.o
+
+asm/mx86unix.cpp:
+	(cd asm; perl md5-586.pl cpp >mx86unix.cpp)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) MD5_ASM_OBJ="" CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) MD5_ASM_OBJ="" CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+x86-elf:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-elf.o" CFLAG="-DELF -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-out:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-out.o" CFLAG="-DOUT -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-solaris:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-sol.o" CFLAG="-DSOL -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-bdsi:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-bdsi.o" CFLAG="-DBDSI -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/md5/asm/md5-586.pl b/crypto/openssl/crypto/md5/asm/md5-586.pl
new file mode 100644
index 0000000..5fc6a20
--- /dev/null
+++ b/crypto/openssl/crypto/md5/asm/md5-586.pl
@@ -0,0 +1,306 @@
+#!/usr/local/bin/perl
+
+# Normal is the
+# md5_block_x86(MD5_CTX *c, ULONG *X);
+# version, non-normal is the
+# md5_block_x86(MD5_CTX *c, ULONG *X,int blocks);
+
+$normal=0;
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+$A="eax";
+$B="ebx";
+$C="ecx";
+$D="edx";
+$tmp1="edi";
+$tmp2="ebp";
+$X="esi";
+
+# What we need to load into $tmp for the next round
+%Ltmp1=("R0",&Np($C), "R1",&Np($C), "R2",&Np($C), "R3",&Np($D));
+@xo=(
+ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,	# R0
+ 1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,	# R1
+ 5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,	# R2
+ 0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9,	# R3
+ );
+
+&md5_block("md5_block_asm_host_order");
+&asm_finish();
+
+sub Np
+	{
+	local($p)=@_;
+	local(%n)=($A,$D,$B,$A,$C,$B,$D,$C);
+	return($n{$p});
+	}
+
+sub R0
+	{
+	local($pos,$a,$b,$c,$d,$K,$ki,$s,$t)=@_;
+
+	&mov($tmp1,$C)  if $pos < 0;
+	&mov($tmp2,&DWP($xo[$ki]*4,$K,"",0)) if $pos < 0; # very first one 
+
+	# body proper
+
+	&comment("R0 $ki");
+	&xor($tmp1,$d); # F function - part 2
+
+	&and($tmp1,$b); # F function - part 3
+	&lea($a,&DWP($t,$a,$tmp2,1));
+
+	&xor($tmp1,$d); # F function - part 4
+
+	&add($a,$tmp1);
+	&mov($tmp1,&Np($c)) if $pos < 1;	# next tmp1 for R0
+	&mov($tmp1,&Np($c)) if $pos == 1;	# next tmp1 for R1
+
+	&rotl($a,$s);
+
+	&mov($tmp2,&DWP($xo[$ki+1]*4,$K,"",0)) if ($pos != 2);
+
+	&add($a,$b);
+	}
+
+sub R1
+	{
+	local($pos,$a,$b,$c,$d,$K,$ki,$s,$t)=@_;
+
+	&comment("R1 $ki");
+
+	&lea($a,&DWP($t,$a,$tmp2,1));
+
+	&xor($tmp1,$b); # G function - part 2
+	&and($tmp1,$d); # G function - part 3
+
+	&mov($tmp2,&DWP($xo[$ki+1]*4,$K,"",0)) if ($pos != 2);
+	&xor($tmp1,$c);			# G function - part 4
+
+	&add($a,$tmp1);
+	&mov($tmp1,&Np($c)) if $pos < 1;	# G function - part 1
+	&mov($tmp1,&Np($c)) if $pos == 1;	# G function - part 1
+
+	&rotl($a,$s);
+
+	&add($a,$b);
+	}
+
+sub R2
+	{
+	local($n,$pos,$a,$b,$c,$d,$K,$ki,$s,$t)=@_;
+	# This one is different, only 3 logical operations
+
+if (($n & 1) == 0)
+	{
+	&comment("R2 $ki");
+	# make sure to do 'D' first, not 'B', else we clash with
+	# the last add from the previous round.
+
+	&xor($tmp1,$d); # H function - part 2
+
+	&xor($tmp1,$b); # H function - part 3
+	&lea($a,&DWP($t,$a,$tmp2,1));
+
+	&add($a,$tmp1);
+
+	&rotl($a,$s);
+
+	&mov($tmp2,&DWP($xo[$ki+1]*4,$K,"",0));
+	&mov($tmp1,&Np($c));
+	}
+else
+	{
+	&comment("R2 $ki");
+	# make sure to do 'D' first, not 'B', else we clash with
+	# the last add from the previous round.
+
+	&lea($a,&DWP($t,$a,$tmp2,1));
+
+	&add($b,$c);			# MOVED FORWARD
+	&xor($tmp1,$d); # H function - part 2
+
+	&xor($tmp1,$b); # H function - part 3
+	&mov($tmp2,&DWP($xo[$ki+1]*4,$K,"",0)) if ($pos != 2);
+
+	&add($a,$tmp1);
+	&mov($tmp1,&Np($c)) if $pos < 1;	# H function - part 1
+	&mov($tmp1,-1) if $pos == 1;		# I function - part 1
+
+	&rotl($a,$s);
+
+	&add($a,$b);
+	}
+	}
+
+sub R3
+	{
+	local($pos,$a,$b,$c,$d,$K,$ki,$s,$t)=@_;
+
+	&comment("R3 $ki");
+
+	# &not($tmp1)
+	&xor($tmp1,$d) if $pos < 0; 	# I function - part 2
+
+	&or($tmp1,$b);				# I function - part 3
+	&lea($a,&DWP($t,$a,$tmp2,1));
+
+	&xor($tmp1,$c); 			# I function - part 4
+	&mov($tmp2,&DWP($xo[$ki+1]*4,$K,"",0))	if $pos != 2; # load X/k value
+	&mov($tmp2,&wparam(0)) if $pos == 2;
+
+	&add($a,$tmp1);
+	&mov($tmp1,-1) if $pos < 1;	# H function - part 1
+	&add($K,64) if $pos >=1 && !$normal;
+
+	&rotl($a,$s);
+
+	&xor($tmp1,&Np($d)) if $pos <= 0; 	# I function - part = first time
+	&mov($tmp1,&DWP( 0,$tmp2,"",0)) if $pos > 0;
+	&add($a,$b);
+	}
+
+
+sub md5_block
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"",3);
+
+	# parameter 1 is the MD5_CTX structure.
+	# A	0
+	# B	4
+	# C	8
+	# D 	12
+
+	&push("esi");
+	 &push("edi");
+	&mov($tmp1,	&wparam(0)); # edi
+	 &mov($X,	&wparam(1)); # esi
+	&mov($C,	&wparam(2));
+	 &push("ebp");
+	&shl($C,	6);
+	&push("ebx");
+	 &add($C,	$X); # offset we end at
+	&sub($C,	64);
+	 &mov($A,	&DWP( 0,$tmp1,"",0));
+	&push($C);	# Put on the TOS
+	 &mov($B,	&DWP( 4,$tmp1,"",0));
+	&mov($C,	&DWP( 8,$tmp1,"",0));
+	 &mov($D,	&DWP(12,$tmp1,"",0));
+
+	&set_label("start") unless $normal;
+	&comment("");
+	&comment("R0 section");
+
+	&R0(-2,$A,$B,$C,$D,$X, 0, 7,0xd76aa478);
+	&R0( 0,$D,$A,$B,$C,$X, 1,12,0xe8c7b756);
+	&R0( 0,$C,$D,$A,$B,$X, 2,17,0x242070db);
+	&R0( 0,$B,$C,$D,$A,$X, 3,22,0xc1bdceee);
+	&R0( 0,$A,$B,$C,$D,$X, 4, 7,0xf57c0faf);
+	&R0( 0,$D,$A,$B,$C,$X, 5,12,0x4787c62a);
+	&R0( 0,$C,$D,$A,$B,$X, 6,17,0xa8304613);
+	&R0( 0,$B,$C,$D,$A,$X, 7,22,0xfd469501);
+	&R0( 0,$A,$B,$C,$D,$X, 8, 7,0x698098d8);
+	&R0( 0,$D,$A,$B,$C,$X, 9,12,0x8b44f7af);
+	&R0( 0,$C,$D,$A,$B,$X,10,17,0xffff5bb1);
+	&R0( 0,$B,$C,$D,$A,$X,11,22,0x895cd7be);
+	&R0( 0,$A,$B,$C,$D,$X,12, 7,0x6b901122);
+	&R0( 0,$D,$A,$B,$C,$X,13,12,0xfd987193);
+	&R0( 0,$C,$D,$A,$B,$X,14,17,0xa679438e);
+	&R0( 1,$B,$C,$D,$A,$X,15,22,0x49b40821);
+
+	&comment("");
+	&comment("R1 section");
+	&R1(-1,$A,$B,$C,$D,$X,16, 5,0xf61e2562);
+	&R1( 0,$D,$A,$B,$C,$X,17, 9,0xc040b340);
+	&R1( 0,$C,$D,$A,$B,$X,18,14,0x265e5a51);
+	&R1( 0,$B,$C,$D,$A,$X,19,20,0xe9b6c7aa);
+	&R1( 0,$A,$B,$C,$D,$X,20, 5,0xd62f105d);
+	&R1( 0,$D,$A,$B,$C,$X,21, 9,0x02441453);
+	&R1( 0,$C,$D,$A,$B,$X,22,14,0xd8a1e681);
+	&R1( 0,$B,$C,$D,$A,$X,23,20,0xe7d3fbc8);
+	&R1( 0,$A,$B,$C,$D,$X,24, 5,0x21e1cde6);
+	&R1( 0,$D,$A,$B,$C,$X,25, 9,0xc33707d6);
+	&R1( 0,$C,$D,$A,$B,$X,26,14,0xf4d50d87);
+	&R1( 0,$B,$C,$D,$A,$X,27,20,0x455a14ed);
+	&R1( 0,$A,$B,$C,$D,$X,28, 5,0xa9e3e905);
+	&R1( 0,$D,$A,$B,$C,$X,29, 9,0xfcefa3f8);
+	&R1( 0,$C,$D,$A,$B,$X,30,14,0x676f02d9);
+	&R1( 1,$B,$C,$D,$A,$X,31,20,0x8d2a4c8a);
+
+	&comment("");
+	&comment("R2 section");
+	&R2( 0,-1,$A,$B,$C,$D,$X,32, 4,0xfffa3942);
+	&R2( 1, 0,$D,$A,$B,$C,$X,33,11,0x8771f681);
+	&R2( 2, 0,$C,$D,$A,$B,$X,34,16,0x6d9d6122);
+	&R2( 3, 0,$B,$C,$D,$A,$X,35,23,0xfde5380c);
+	&R2( 4, 0,$A,$B,$C,$D,$X,36, 4,0xa4beea44);
+	&R2( 5, 0,$D,$A,$B,$C,$X,37,11,0x4bdecfa9);
+	&R2( 6, 0,$C,$D,$A,$B,$X,38,16,0xf6bb4b60);
+	&R2( 7, 0,$B,$C,$D,$A,$X,39,23,0xbebfbc70);
+	&R2( 8, 0,$A,$B,$C,$D,$X,40, 4,0x289b7ec6);
+	&R2( 9, 0,$D,$A,$B,$C,$X,41,11,0xeaa127fa);
+	&R2(10, 0,$C,$D,$A,$B,$X,42,16,0xd4ef3085);
+	&R2(11, 0,$B,$C,$D,$A,$X,43,23,0x04881d05);
+	&R2(12, 0,$A,$B,$C,$D,$X,44, 4,0xd9d4d039);
+	&R2(13, 0,$D,$A,$B,$C,$X,45,11,0xe6db99e5);
+	&R2(14, 0,$C,$D,$A,$B,$X,46,16,0x1fa27cf8);
+	&R2(15, 1,$B,$C,$D,$A,$X,47,23,0xc4ac5665);
+
+	&comment("");
+	&comment("R3 section");
+	&R3(-1,$A,$B,$C,$D,$X,48, 6,0xf4292244);
+	&R3( 0,$D,$A,$B,$C,$X,49,10,0x432aff97);
+	&R3( 0,$C,$D,$A,$B,$X,50,15,0xab9423a7);
+	&R3( 0,$B,$C,$D,$A,$X,51,21,0xfc93a039);
+	&R3( 0,$A,$B,$C,$D,$X,52, 6,0x655b59c3);
+	&R3( 0,$D,$A,$B,$C,$X,53,10,0x8f0ccc92);
+	&R3( 0,$C,$D,$A,$B,$X,54,15,0xffeff47d);
+	&R3( 0,$B,$C,$D,$A,$X,55,21,0x85845dd1);
+	&R3( 0,$A,$B,$C,$D,$X,56, 6,0x6fa87e4f);
+	&R3( 0,$D,$A,$B,$C,$X,57,10,0xfe2ce6e0);
+	&R3( 0,$C,$D,$A,$B,$X,58,15,0xa3014314);
+	&R3( 0,$B,$C,$D,$A,$X,59,21,0x4e0811a1);
+	&R3( 0,$A,$B,$C,$D,$X,60, 6,0xf7537e82);
+	&R3( 0,$D,$A,$B,$C,$X,61,10,0xbd3af235);
+	&R3( 0,$C,$D,$A,$B,$X,62,15,0x2ad7d2bb);
+	&R3( 2,$B,$C,$D,$A,$X,63,21,0xeb86d391);
+
+	# &mov($tmp2,&wparam(0));	# done in the last R3
+	# &mov($tmp1,	&DWP( 0,$tmp2,"",0)); # done is the last R3
+
+	&add($A,$tmp1);
+	 &mov($tmp1,	&DWP( 4,$tmp2,"",0));
+
+	&add($B,$tmp1);
+	&mov($tmp1,	&DWP( 8,$tmp2,"",0));
+
+	&add($C,$tmp1);
+	&mov($tmp1,	&DWP(12,$tmp2,"",0));
+
+	&add($D,$tmp1);
+	&mov(&DWP( 0,$tmp2,"",0),$A);
+
+	&mov(&DWP( 4,$tmp2,"",0),$B);
+	&mov($tmp1,&swtmp(0)) unless $normal;
+
+	&mov(&DWP( 8,$tmp2,"",0),$C);
+	 &mov(&DWP(12,$tmp2,"",0),$D);
+
+	&cmp($tmp1,$X) unless $normal;			# check count
+	 &jge(&label("start")) unless $normal;
+
+	&pop("eax"); # pop the temp variable off the stack
+	 &pop("ebx");
+	&pop("ebp");
+	 &pop("edi");
+	&pop("esi");
+	 &ret();
+	&function_end_B($name);
+	}
+
diff --git a/crypto/openssl/crypto/md5/asm/md5-sparcv9.S b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S
new file mode 100644
index 0000000..ca4257f
--- /dev/null
+++ b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S
@@ -0,0 +1,1029 @@
+.ident	"md5-sparcv9.S, Version 1.0"
+.ident	"SPARC V9 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+.file	"md5-sparcv9.S"
+
+/*
+ * ====================================================================
+ * Copyright (c) 1999 Andy Polyakov <appro@fy.chalmers.se>.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted as long as above copyright notices are retained. Warranty
+ * of any kind is (of course:-) disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contribution to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is an
+ * assembler implementation of MD5 block hash function. I've hand-coded
+ * this for the sole reason to reach UltraSPARC-specific "load in
+ * little-endian byte order" instruction. This gives up to 15%
+ * performance improvement for cases when input message is aligned at
+ * 32 bits boundary. The module was tested under both 32 *and* 64 bit
+ * kernels. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * To compile with SC4.x/SC5.x:
+ *
+ *	cc -xarch=v[9|8plus] -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *		-c md5-sparcv9.S
+ *
+ * and with gcc:
+ *
+ *	gcc -mcpu=ultrasparc -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *		-c md5-sparcv9.S
+ *
+ * or if above fails (it does if you have gas):
+ *
+ *	gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
+ *		as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o
+ */
+
+#define	A	%o0
+#define B	%o1
+#define	C	%o2
+#define	D	%o3
+#define	T1	%o4
+#define	T2	%o5
+
+#define	R0	%l0
+#define	R1	%l1
+#define	R2	%l2
+#define	R3	%l3
+#define	R4	%l4
+#define	R5	%l5
+#define	R6	%l6
+#define	R7	%l7
+#define	R8	%i3
+#define	R9	%i4
+#define	R10	%i5
+#define	R11	%g1
+#define R12	%g2
+#define	R13	%g3
+#define RX	%g4
+
+#define Aptr	%i0+0
+#define Bptr	%i0+4
+#define Cptr	%i0+8
+#define Dptr	%i0+12
+
+#define Aval	R5	/* those not used at the end of the last round */
+#define Bval	R6
+#define Cval	R7
+#define Dval	R8
+
+#if defined(MD5_BLOCK_DATA_ORDER)
+# if defined(ULTRASPARC)
+#  define	LOAD			lda
+#  define	X(i)			[%i1+i*4]%asi
+#  define	md5_block		md5_block_asm_data_order_aligned
+#  define	ASI_PRIMARY_LITTLE	0x88
+# else
+#  error "MD5_BLOCK_DATA_ORDER is supported only on UltraSPARC!"
+# endif
+#else
+# define	LOAD			ld
+# define	X(i)			[%i1+i*4]
+# define	md5_block		md5_block_asm_host_order
+#endif
+
+.section        ".text",#alloc,#execinstr
+
+#if defined(__SUNPRO_C) && defined(__sparcv9)
+  /* They've said -xarch=v9 at command line */
+  .register	%g2,#scratch
+  .register	%g3,#scratch
+# define	FRAME	-192
+#elif defined(__GNUC__) && defined(__arch64__)
+  /* They've said -m64 at command line */
+  .register     %g2,#scratch
+  .register     %g3,#scratch
+# define        FRAME   -192
+#else
+# define	FRAME	-96
+#endif
+
+.align  32
+
+.global md5_block
+md5_block:
+	save	%sp,FRAME,%sp
+
+	ld	[Dptr],D
+	ld	[Cptr],C
+	ld	[Bptr],B
+	ld	[Aptr],A
+#ifdef ASI_PRIMARY_LITTLE
+	rd	%asi,%o7	! How dare I? Well, I just do:-)
+	wr	%g0,ASI_PRIMARY_LITTLE,%asi
+#endif
+	LOAD	X(0),R0
+
+.Lmd5_block_loop:
+
+!!!!!!!!Round 0
+
+	xor	C,D,T1
+	sethi	%hi(0xd76aa478),T2
+	and	T1,B,T1
+	or	T2,%lo(0xd76aa478),T2	!=
+	xor	T1,D,T1
+	add	T1,R0,T1
+	LOAD	X(1),R1
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,7,T2
+	srl	A,32-7,A
+	or	A,T2,A			!=
+	 xor	 B,C,T1
+	add	A,B,A
+
+	sethi	%hi(0xe8c7b756),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0xe8c7b756),T2
+	xor	T1,C,T1
+	LOAD	X(2),R2
+	add	T1,R1,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,12,T2
+	srl	D,32-12,D		!=
+	or	D,T2,D
+	 xor	 A,B,T1
+	add	D,A,D
+
+	sethi	%hi(0x242070db),T2	!=
+	and	T1,D,T1
+	or	T2,%lo(0x242070db),T2
+	xor	T1,B,T1
+	add	T1,R2,T1		!=
+	LOAD	X(3),R3
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,17,T2			!=
+	srl	C,32-17,C
+	or	C,T2,C
+	 xor	 D,A,T1
+	add	C,D,C			!=
+
+	sethi	%hi(0xc1bdceee),T2
+	and	T1,C,T1
+	or	T2,%lo(0xc1bdceee),T2
+	xor	T1,A,T1			!=
+	add	T1,R3,T1
+	LOAD	X(4),R4
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,22,T2
+	srl	B,32-22,B
+	or	B,T2,B
+	 xor	 C,D,T1			!=
+	add	B,C,B
+
+	sethi	%hi(0xf57c0faf),T2
+	and	T1,B,T1
+	or	T2,%lo(0xf57c0faf),T2	!=
+	xor	T1,D,T1
+	add	T1,R4,T1
+	LOAD	X(5),R5
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,7,T2
+	srl	A,32-7,A
+	or	A,T2,A			!=
+	 xor	 B,C,T1
+	add	A,B,A
+
+	sethi	%hi(0x4787c62a),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0x4787c62a),T2
+	xor	T1,C,T1
+	LOAD	X(6),R6
+	add	T1,R5,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,12,T2
+	srl	D,32-12,D		!=
+	or	D,T2,D
+	 xor	 A,B,T1
+	add	D,A,D
+
+	sethi	%hi(0xa8304613),T2	!=
+	and	T1,D,T1
+	or	T2,%lo(0xa8304613),T2
+	xor	T1,B,T1
+	add	T1,R6,T1		!=
+	LOAD	X(7),R7
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,17,T2			!=
+	srl	C,32-17,C
+	or	C,T2,C
+	 xor	 D,A,T1
+	add	C,D,C			!=
+
+	sethi	%hi(0xfd469501),T2
+	and	T1,C,T1
+	or	T2,%lo(0xfd469501),T2
+	xor	T1,A,T1			!=
+	add	T1,R7,T1
+	LOAD	X(8),R8
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,22,T2
+	srl	B,32-22,B
+	or	B,T2,B
+	 xor	 C,D,T1			!=
+	add	B,C,B
+
+	sethi	%hi(0x698098d8),T2
+	and	T1,B,T1
+	or	T2,%lo(0x698098d8),T2	!=
+	xor	T1,D,T1
+	add	T1,R8,T1
+	LOAD	X(9),R9
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,7,T2
+	srl	A,32-7,A
+	or	A,T2,A			!=
+	 xor	 B,C,T1
+	add	A,B,A
+
+	sethi	%hi(0x8b44f7af),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0x8b44f7af),T2
+	xor	T1,C,T1
+	LOAD	X(10),R10
+	add	T1,R9,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,12,T2
+	srl	D,32-12,D		!=
+	or	D,T2,D
+	 xor	 A,B,T1
+	add	D,A,D
+
+	sethi	%hi(0xffff5bb1),T2	!=
+	and	T1,D,T1
+	or	T2,%lo(0xffff5bb1),T2
+	xor	T1,B,T1
+	add	T1,R10,T1		!=
+	LOAD	X(11),R11
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,17,T2			!=
+	srl	C,32-17,C
+	or	C,T2,C
+	 xor	 D,A,T1
+	add	C,D,C			!=
+
+	sethi	%hi(0x895cd7be),T2
+	and	T1,C,T1
+	or	T2,%lo(0x895cd7be),T2
+	xor	T1,A,T1			!=
+	add	T1,R11,T1
+	LOAD	X(12),R12
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,22,T2
+	srl	B,32-22,B
+	or	B,T2,B
+	 xor	 C,D,T1			!=
+	add	B,C,B
+
+	sethi	%hi(0x6b901122),T2
+	and	T1,B,T1
+	or	T2,%lo(0x6b901122),T2	!=
+	xor	T1,D,T1
+	add	T1,R12,T1
+	LOAD	X(13),R13
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,7,T2
+	srl	A,32-7,A
+	or	A,T2,A			!=
+	 xor	 B,C,T1
+	add	A,B,A
+
+	sethi	%hi(0xfd987193),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0xfd987193),T2
+	xor	T1,C,T1
+	LOAD	X(14),RX
+	add	T1,R13,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,12,T2
+	srl	D,32-12,D		!=
+	or	D,T2,D
+	 xor	 A,B,T1
+	add	D,A,D
+
+	sethi	%hi(0xa679438e),T2	!=
+	and	T1,D,T1
+	or	T2,%lo(0xa679438e),T2
+	xor	T1,B,T1
+	add	T1,RX,T1		!=
+	LOAD	X(15),RX
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,17,T2			!=
+	srl	C,32-17,C
+	or	C,T2,C
+	 xor	 D,A,T1
+	add	C,D,C			!=
+
+	sethi	%hi(0x49b40821),T2
+	and	T1,C,T1
+	or	T2,%lo(0x49b40821),T2
+	xor	T1,A,T1			!=
+	add	T1,RX,T1
+	!pre-LOADed	X(1),R1
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,22,T2			!=
+	srl	B,32-22,B
+	or	B,T2,B
+	add	B,C,B
+
+!!!!!!!!Round 1
+
+	xor	B,C,T1			!=
+	sethi	%hi(0xf61e2562),T2
+	and	T1,D,T1
+	or	T2,%lo(0xf61e2562),T2
+	xor	T1,C,T1			!=
+	add	T1,R1,T1
+	!pre-LOADed	X(6),R6
+	add	T1,T2,T1
+	add	A,T1,A
+	sll	A,5,T2			!=
+	srl	A,32-5,A
+	or	A,T2,A
+	add	A,B,A
+
+	xor	A,B,T1			!=
+	sethi	%hi(0xc040b340),T2
+	and	T1,C,T1
+	or	T2,%lo(0xc040b340),T2
+	xor	T1,B,T1			!=
+	add	T1,R6,T1
+	!pre-LOADed	X(11),R11
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,9,T2			!=
+	srl	D,32-9,D
+	or	D,T2,D
+	add	D,A,D
+
+	xor	D,A,T1			!=
+	sethi	%hi(0x265e5a51),T2
+	and	T1,B,T1
+	or	T2,%lo(0x265e5a51),T2
+	xor	T1,A,T1			!=
+	add	T1,R11,T1
+	!pre-LOADed	X(0),R0
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,14,T2			!=
+	srl	C,32-14,C
+	or	C,T2,C
+	add	C,D,C
+
+	xor	C,D,T1			!=
+	sethi	%hi(0xe9b6c7aa),T2
+	and	T1,A,T1
+	or	T2,%lo(0xe9b6c7aa),T2
+	xor	T1,D,T1			!=
+	add	T1,R0,T1
+	!pre-LOADed	X(5),R5
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,20,T2			!=
+	srl	B,32-20,B
+	or	B,T2,B
+	add	B,C,B
+
+	xor	B,C,T1			!=
+	sethi	%hi(0xd62f105d),T2
+	and	T1,D,T1
+	or	T2,%lo(0xd62f105d),T2
+	xor	T1,C,T1			!=
+	add	T1,R5,T1
+	!pre-LOADed	X(10),R10
+	add	T1,T2,T1
+	add	A,T1,A
+	sll	A,5,T2			!=
+	srl	A,32-5,A
+	or	A,T2,A
+	add	A,B,A
+
+	xor	A,B,T1			!=
+	sethi	%hi(0x02441453),T2
+	and	T1,C,T1
+	or	T2,%lo(0x02441453),T2
+	xor	T1,B,T1			!=
+	add	T1,R10,T1
+	LOAD	X(15),RX
+	add	T1,T2,T1
+	add	D,T1,D			!=
+	sll	D,9,T2
+	srl	D,32-9,D
+	or	D,T2,D
+	add	D,A,D			!=
+
+	xor	D,A,T1
+	sethi	%hi(0xd8a1e681),T2
+	and	T1,B,T1
+	or	T2,%lo(0xd8a1e681),T2	!=
+	xor	T1,A,T1
+	add	T1,RX,T1
+	!pre-LOADed	X(4),R4
+	add	T1,T2,T1
+	add	C,T1,C			!=
+	sll	C,14,T2
+	srl	C,32-14,C
+	or	C,T2,C
+	add	C,D,C			!=
+
+	xor	C,D,T1
+	sethi	%hi(0xe7d3fbc8),T2
+	and	T1,A,T1
+	or	T2,%lo(0xe7d3fbc8),T2	!=
+	xor	T1,D,T1
+	add	T1,R4,T1
+	!pre-LOADed	X(9),R9
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,20,T2
+	srl	B,32-20,B
+	or	B,T2,B
+	add	B,C,B			!=
+
+	xor	B,C,T1
+	sethi	%hi(0x21e1cde6),T2
+	and	T1,D,T1
+	or	T2,%lo(0x21e1cde6),T2	!=
+	xor	T1,C,T1
+	add	T1,R9,T1
+	LOAD	X(14),RX
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,5,T2
+	srl	A,32-5,A
+	or	A,T2,A			!=
+	add	A,B,A
+
+	xor	A,B,T1
+	sethi	%hi(0xc33707d6),T2
+	and	T1,C,T1			!=
+	or	T2,%lo(0xc33707d6),T2
+	xor	T1,B,T1
+	add	T1,RX,T1
+	!pre-LOADed	X(3),R3
+	add	T1,T2,T1		!=
+	add	D,T1,D
+	sll	D,9,T2
+	srl	D,32-9,D
+	or	D,T2,D			!=
+	add	D,A,D
+
+	xor	D,A,T1
+	sethi	%hi(0xf4d50d87),T2
+	and	T1,B,T1			!=
+	or	T2,%lo(0xf4d50d87),T2
+	xor	T1,A,T1
+	add	T1,R3,T1
+	!pre-LOADed	X(8),R8
+	add	T1,T2,T1		!=
+	add	C,T1,C
+	sll	C,14,T2
+	srl	C,32-14,C
+	or	C,T2,C			!=
+	add	C,D,C
+
+	xor	C,D,T1
+	sethi	%hi(0x455a14ed),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0x455a14ed),T2
+	xor	T1,D,T1
+	add	T1,R8,T1
+	!pre-LOADed	X(13),R13
+	add	T1,T2,T1		!=
+	add	B,T1,B
+	sll	B,20,T2
+	srl	B,32-20,B
+	or	B,T2,B			!=
+	add	B,C,B
+
+	xor	B,C,T1
+	sethi	%hi(0xa9e3e905),T2
+	and	T1,D,T1			!=
+	or	T2,%lo(0xa9e3e905),T2
+	xor	T1,C,T1
+	add	T1,R13,T1
+	!pre-LOADed	X(2),R2
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,5,T2
+	srl	A,32-5,A
+	or	A,T2,A			!=
+	add	A,B,A
+
+	xor	A,B,T1
+	sethi	%hi(0xfcefa3f8),T2
+	and	T1,C,T1			!=
+	or	T2,%lo(0xfcefa3f8),T2
+	xor	T1,B,T1
+	add	T1,R2,T1
+	!pre-LOADed	X(7),R7
+	add	T1,T2,T1		!=
+	add	D,T1,D
+	sll	D,9,T2
+	srl	D,32-9,D
+	or	D,T2,D			!=
+	add	D,A,D
+
+	xor	D,A,T1
+	sethi	%hi(0x676f02d9),T2
+	and	T1,B,T1			!=
+	or	T2,%lo(0x676f02d9),T2
+	xor	T1,A,T1
+	add	T1,R7,T1
+	!pre-LOADed	X(12),R12
+	add	T1,T2,T1		!=
+	add	C,T1,C
+	sll	C,14,T2
+	srl	C,32-14,C
+	or	C,T2,C			!=
+	add	C,D,C
+
+	xor	C,D,T1
+	sethi	%hi(0x8d2a4c8a),T2
+	and	T1,A,T1			!=
+	or	T2,%lo(0x8d2a4c8a),T2
+	xor	T1,D,T1
+	add	T1,R12,T1
+	!pre-LOADed	X(5),R5
+	add	T1,T2,T1		!=
+	add	B,T1,B
+	sll	B,20,T2
+	srl	B,32-20,B
+	or	B,T2,B			!=
+	add	B,C,B
+
+!!!!!!!!Round 2
+
+	xor	B,C,T1
+	sethi	%hi(0xfffa3942),T2
+	xor	T1,D,T1			!=
+	or	T2,%lo(0xfffa3942),T2
+	add	T1,R5,T1
+	!pre-LOADed	X(8),R8
+	add	T1,T2,T1
+	add	A,T1,A			!=
+	sll	A,4,T2
+	srl	A,32-4,A
+	or	A,T2,A
+	add	A,B,A			!=
+
+	xor	A,B,T1
+	sethi	%hi(0x8771f681),T2
+	xor	T1,C,T1
+	or	T2,%lo(0x8771f681),T2	!=
+	add	T1,R8,T1
+	!pre-LOADed	X(11),R11
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,11,T2			!=
+	srl	D,32-11,D
+	or	D,T2,D
+	add	D,A,D
+
+	xor	D,A,T1			!=
+	sethi	%hi(0x6d9d6122),T2
+	xor	T1,B,T1
+	or	T2,%lo(0x6d9d6122),T2
+	add	T1,R11,T1		!=
+	LOAD	X(14),RX
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,16,T2			!=
+	srl	C,32-16,C
+	or	C,T2,C
+	add	C,D,C
+
+	xor	C,D,T1			!=
+	sethi	%hi(0xfde5380c),T2
+	xor	T1,A,T1
+	or	T2,%lo(0xfde5380c),T2
+	add	T1,RX,T1		!=
+	!pre-LOADed	X(1),R1
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,23,T2
+	srl	B,32-23,B		!=
+	or	B,T2,B
+	add	B,C,B
+
+	xor	B,C,T1
+	sethi	%hi(0xa4beea44),T2	!=
+	xor	T1,D,T1
+	or	T2,%lo(0xa4beea44),T2
+	add	T1,R1,T1
+	!pre-LOADed	X(4),R4
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,4,T2
+	srl	A,32-4,A
+	or	A,T2,A			!=
+	add	A,B,A
+
+	xor	A,B,T1
+	sethi	%hi(0x4bdecfa9),T2
+	xor	T1,C,T1			!=
+	or	T2,%lo(0x4bdecfa9),T2
+	add	T1,R4,T1
+	!pre-LOADed	X(7),R7
+	add	T1,T2,T1
+	add	D,T1,D			!=
+	sll	D,11,T2
+	srl	D,32-11,D
+	or	D,T2,D
+	add	D,A,D			!=
+
+	xor	D,A,T1
+	sethi	%hi(0xf6bb4b60),T2
+	xor	T1,B,T1
+	or	T2,%lo(0xf6bb4b60),T2	!=
+	add	T1,R7,T1
+	!pre-LOADed	X(10),R10
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,16,T2			!=
+	srl	C,32-16,C
+	or	C,T2,C
+	add	C,D,C
+
+	xor	C,D,T1			!=
+	sethi	%hi(0xbebfbc70),T2
+	xor	T1,A,T1
+	or	T2,%lo(0xbebfbc70),T2
+	add	T1,R10,T1		!=
+	!pre-LOADed	X(13),R13
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,23,T2
+	srl	B,32-23,B		!=
+	or	B,T2,B
+	add	B,C,B
+
+	xor	B,C,T1
+	sethi	%hi(0x289b7ec6),T2	!=
+	xor	T1,D,T1
+	or	T2,%lo(0x289b7ec6),T2
+	add	T1,R13,T1
+	!pre-LOADed	X(0),R0
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,4,T2
+	srl	A,32-4,A
+	or	A,T2,A			!=
+	add	A,B,A
+
+	xor	A,B,T1
+	sethi	%hi(0xeaa127fa),T2
+	xor	T1,C,T1			!=
+	or	T2,%lo(0xeaa127fa),T2
+	add	T1,R0,T1
+	!pre-LOADed	X(3),R3
+	add	T1,T2,T1
+	add	D,T1,D			!=
+	sll	D,11,T2
+	srl	D,32-11,D
+	or	D,T2,D
+	add	D,A,D			!=
+
+	xor	D,A,T1
+	sethi	%hi(0xd4ef3085),T2
+	xor	T1,B,T1
+	or	T2,%lo(0xd4ef3085),T2	!=
+	add	T1,R3,T1
+	!pre-LOADed	X(6),R6
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,16,T2			!=
+	srl	C,32-16,C
+	or	C,T2,C
+	add	C,D,C
+
+	xor	C,D,T1			!=
+	sethi	%hi(0x04881d05),T2
+	xor	T1,A,T1
+	or	T2,%lo(0x04881d05),T2
+	add	T1,R6,T1		!=
+	!pre-LOADed	X(9),R9
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,23,T2
+	srl	B,32-23,B		!=
+	or	B,T2,B
+	add	B,C,B
+
+	xor	B,C,T1
+	sethi	%hi(0xd9d4d039),T2	!=
+	xor	T1,D,T1
+	or	T2,%lo(0xd9d4d039),T2
+	add	T1,R9,T1
+	!pre-LOADed	X(12),R12
+	add	T1,T2,T1		!=
+	add	A,T1,A
+	sll	A,4,T2
+	srl	A,32-4,A
+	or	A,T2,A			!=
+	add	A,B,A
+
+	xor	A,B,T1
+	sethi	%hi(0xe6db99e5),T2
+	xor	T1,C,T1			!=
+	or	T2,%lo(0xe6db99e5),T2
+	add	T1,R12,T1
+	LOAD	X(15),RX
+	add	T1,T2,T1		!=
+	add	D,T1,D
+	sll	D,11,T2
+	srl	D,32-11,D
+	or	D,T2,D			!=
+	add	D,A,D
+
+	xor	D,A,T1
+	sethi	%hi(0x1fa27cf8),T2
+	xor	T1,B,T1			!=
+	or	T2,%lo(0x1fa27cf8),T2
+	add	T1,RX,T1
+	!pre-LOADed	X(2),R2
+	add	T1,T2,T1
+	add	C,T1,C			!=
+	sll	C,16,T2
+	srl	C,32-16,C
+	or	C,T2,C
+	add	C,D,C			!=
+
+	xor	C,D,T1
+	sethi	%hi(0xc4ac5665),T2
+	xor	T1,A,T1
+	or	T2,%lo(0xc4ac5665),T2	!=
+	add	T1,R2,T1
+	!pre-LOADed	X(0),R0
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,23,T2			!=
+	srl	B,32-23,B
+	or	B,T2,B
+	add	B,C,B
+
+!!!!!!!!Round 3
+
+	orn	B,D,T1			!=
+	sethi	%hi(0xf4292244),T2
+	xor	T1,C,T1
+	or	T2,%lo(0xf4292244),T2
+	add	T1,R0,T1		!=
+	!pre-LOADed	X(7),R7
+	add	T1,T2,T1
+	add	A,T1,A
+	sll	A,6,T2
+	srl	A,32-6,A		!=
+	or	A,T2,A
+	add	A,B,A
+
+	orn	A,C,T1
+	sethi	%hi(0x432aff97),T2	!=
+	xor	T1,B,T1
+	or	T2,%lo(0x432aff97),T2
+	LOAD	X(14),RX
+	add	T1,R7,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,10,T2
+	srl	D,32-10,D		!=
+	or	D,T2,D
+	add	D,A,D
+
+	orn	D,B,T1
+	sethi	%hi(0xab9423a7),T2	!=
+	xor	T1,A,T1
+	or	T2,%lo(0xab9423a7),T2
+	add	T1,RX,T1
+	!pre-LOADed	X(5),R5
+	add	T1,T2,T1		!=
+	add	C,T1,C
+	sll	C,15,T2
+	srl	C,32-15,C
+	or	C,T2,C			!=
+	add	C,D,C
+
+	orn	C,A,T1
+	sethi	%hi(0xfc93a039),T2
+	xor	T1,D,T1			!=
+	or	T2,%lo(0xfc93a039),T2
+	add	T1,R5,T1
+	!pre-LOADed	X(12),R12
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,21,T2
+	srl	B,32-21,B
+	or	B,T2,B
+	add	B,C,B			!=
+
+	orn	B,D,T1
+	sethi	%hi(0x655b59c3),T2
+	xor	T1,C,T1
+	or	T2,%lo(0x655b59c3),T2	!=
+	add	T1,R12,T1
+	!pre-LOADed	X(3),R3
+	add	T1,T2,T1
+	add	A,T1,A
+	sll	A,6,T2			!=
+	srl	A,32-6,A
+	or	A,T2,A
+	add	A,B,A
+
+	orn	A,C,T1			!=
+	sethi	%hi(0x8f0ccc92),T2
+	xor	T1,B,T1
+	or	T2,%lo(0x8f0ccc92),T2
+	add	T1,R3,T1		!=
+	!pre-LOADed	X(10),R10
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,10,T2
+	srl	D,32-10,D		!=
+	or	D,T2,D
+	add	D,A,D
+
+	orn	D,B,T1
+	sethi	%hi(0xffeff47d),T2	!=
+	xor	T1,A,T1
+	or	T2,%lo(0xffeff47d),T2
+	add	T1,R10,T1
+	!pre-LOADed	X(1),R1
+	add	T1,T2,T1		!=
+	add	C,T1,C
+	sll	C,15,T2
+	srl	C,32-15,C
+	or	C,T2,C			!=
+	add	C,D,C
+
+	orn	C,A,T1
+	sethi	%hi(0x85845dd1),T2
+	xor	T1,D,T1			!=
+	or	T2,%lo(0x85845dd1),T2
+	add	T1,R1,T1
+	!pre-LOADed	X(8),R8
+	add	T1,T2,T1
+	add	B,T1,B			!=
+	sll	B,21,T2
+	srl	B,32-21,B
+	or	B,T2,B
+	add	B,C,B			!=
+
+	orn	B,D,T1
+	sethi	%hi(0x6fa87e4f),T2
+	xor	T1,C,T1
+	or	T2,%lo(0x6fa87e4f),T2	!=
+	add	T1,R8,T1
+	LOAD	X(15),RX
+	add	T1,T2,T1
+	add	A,T1,A			!=
+	sll	A,6,T2
+	srl	A,32-6,A
+	or	A,T2,A
+	add	A,B,A			!=
+
+	orn	A,C,T1
+	sethi	%hi(0xfe2ce6e0),T2
+	xor	T1,B,T1
+	or	T2,%lo(0xfe2ce6e0),T2	!=
+	add	T1,RX,T1
+	!pre-LOADed	X(6),R6
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,10,T2			!=
+	srl	D,32-10,D
+	or	D,T2,D
+	add	D,A,D
+
+	orn	D,B,T1			!=
+	sethi	%hi(0xa3014314),T2
+	xor	T1,A,T1
+	or	T2,%lo(0xa3014314),T2
+	add	T1,R6,T1		!=
+	!pre-LOADed	X(13),R13
+	add	T1,T2,T1
+	add	C,T1,C
+	sll	C,15,T2
+	srl	C,32-15,C		!=
+	or	C,T2,C
+	add	C,D,C
+
+	orn	C,A,T1
+	sethi	%hi(0x4e0811a1),T2	!=
+	xor	T1,D,T1
+	or	T2,%lo(0x4e0811a1),T2
+	!pre-LOADed	X(4),R4
+	 ld	 [Aptr],Aval
+	add	T1,R13,T1		!=
+	add	T1,T2,T1
+	add	B,T1,B
+	sll	B,21,T2
+	srl	B,32-21,B		!=
+	or	B,T2,B
+	add	B,C,B
+
+	orn	B,D,T1
+	sethi	%hi(0xf7537e82),T2	!=
+	xor	T1,C,T1
+	or	T2,%lo(0xf7537e82),T2
+	!pre-LOADed	X(11),R11
+	 ld	 [Dptr],Dval
+	add	T1,R4,T1		!=
+	add	T1,T2,T1
+	add	A,T1,A
+	sll	A,6,T2
+	srl	A,32-6,A		!=
+	or	A,T2,A
+	add	A,B,A
+
+	orn	A,C,T1
+	sethi	%hi(0xbd3af235),T2	!=
+	xor	T1,B,T1
+	or	T2,%lo(0xbd3af235),T2
+	!pre-LOADed	X(2),R2
+	 ld	 [Cptr],Cval
+	add	T1,R11,T1		!=
+	add	T1,T2,T1
+	add	D,T1,D
+	sll	D,10,T2
+	srl	D,32-10,D		!=
+	or	D,T2,D
+	add	D,A,D
+
+	orn	D,B,T1
+	sethi	%hi(0x2ad7d2bb),T2	!=
+	xor	T1,A,T1
+	or	T2,%lo(0x2ad7d2bb),T2
+	!pre-LOADed	X(9),R9
+	 ld	 [Bptr],Bval
+	add	T1,R2,T1		!=
+	 add	 Aval,A,Aval
+	add	T1,T2,T1
+	 st	 Aval,[Aptr]
+	add	C,T1,C			!=
+	sll	C,15,T2
+	 add	 Dval,D,Dval
+	srl	C,32-15,C
+	or	C,T2,C			!=
+	 st	 Dval,[Dptr]
+	add	C,D,C
+
+	orn	C,A,T1
+	sethi	%hi(0xeb86d391),T2	!=
+	xor	T1,D,T1
+	or	T2,%lo(0xeb86d391),T2
+	add	T1,R9,T1
+	!pre-LOADed	X(0),R0
+	 mov	 Aval,A			!=
+	add	T1,T2,T1
+	 mov	 Dval,D
+	add	B,T1,B
+	sll	B,21,T2			!=
+	 add	 Cval,C,Cval
+	srl	B,32-21,B
+	 st	 Cval,[Cptr]
+	or	B,T2,B			!=
+	add	B,C,B
+
+	deccc	%i2
+	mov	Cval,C
+	add	B,Bval,B		!=
+	inc	64,%i1
+	nop
+	st	B,[Bptr]
+	nop				!=
+
+#ifdef	ULTRASPARC
+	bg,a,pt	%icc,.Lmd5_block_loop
+#else
+	bg,a	.Lmd5_block_loop
+#endif
+	LOAD	X(0),R0
+
+#ifdef ASI_PRIMARY_LITTLE
+	wr	%g0,%o7,%asi
+#endif
+	ret
+	restore	%g0,0,%o0
+
+.type	md5_block,#function
+.size	md5_block,(.-md5_block)
diff --git a/crypto/openssl/crypto/md5/md5.c b/crypto/openssl/crypto/md5/md5.c
new file mode 100644
index 0000000..7ed0024
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5.c
@@ -0,0 +1,127 @@
+/* crypto/md5/md5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md5.h>
+
+#define BUFSIZE	1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+#ifndef _OSD_POSIX
+int read(int, void *, unsigned int);
+#endif
+
+int main(int argc, char **argv)
+	{
+	int i,err=0;
+	FILE *IN;
+
+	if (argc == 1)
+		{
+		do_fp(stdin);
+		}
+	else
+		{
+		for (i=1; i<argc; i++)
+			{
+			IN=fopen(argv[i],"r");
+			if (IN == NULL)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("MD5(%s)= ",argv[i]);
+			do_fp(IN);
+			fclose(IN);
+			}
+		}
+	exit(err);
+	}
+
+void do_fp(FILE *f)
+	{
+	MD5_CTX c;
+	unsigned char md[MD5_DIGEST_LENGTH];
+	int fd;
+	int i;
+	static unsigned char buf[BUFSIZE];
+
+	fd=fileno(f);
+	MD5_Init(&c);
+	for (;;)
+		{
+		i=read(fd,buf,BUFSIZE);
+		if (i <= 0) break;
+		MD5_Update(&c,buf,(unsigned long)i);
+		}
+	MD5_Final(&(md[0]),&c);
+	pt(md);
+	}
+
+void pt(unsigned char *md)
+	{
+	int i;
+
+	for (i=0; i<MD5_DIGEST_LENGTH; i++)
+		printf("%02x",md[i]);
+	printf("\n");
+	}
+
diff --git a/crypto/openssl/crypto/md5/md5.h b/crypto/openssl/crypto/md5/md5.h
new file mode 100644
index 0000000..d10bc83
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5.h
@@ -0,0 +1,114 @@
+/* crypto/md5/md5.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD5_H
+#define HEADER_MD5_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_MD5
+#error MD5 is disabled.
+#endif
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! MD5_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! MD5_LONG_LOG2 has to be defined along.			   !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define MD5_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define MD5_LONG unsigned long
+#define MD5_LONG_LOG2 3
+/*
+ * _CRAY note. I could declare short, but I have no idea what impact
+ * does it have on performance on none-T3E machines. I could declare
+ * int, but at least on C90 sizeof(int) can be chosen at compile time.
+ * So I've chosen long...
+ *					<appro@fy.chalmers.se>
+ */
+#else
+#define MD5_LONG unsigned int
+#endif
+
+#define MD5_CBLOCK	64
+#define MD5_LBLOCK	(MD5_CBLOCK/4)
+#define MD5_DIGEST_LENGTH 16
+
+typedef struct MD5state_st
+	{
+	MD5_LONG A,B,C,D;
+	MD5_LONG Nl,Nh;
+	MD5_LONG data[MD5_LBLOCK];
+	int num;
+	} MD5_CTX;
+
+void MD5_Init(MD5_CTX *c);
+void MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
+void MD5_Final(unsigned char *md, MD5_CTX *c);
+unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
+void MD5_Transform(MD5_CTX *c, const unsigned char *b);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/md5/md5_dgst.c b/crypto/openssl/crypto/md5/md5_dgst.c
new file mode 100644
index 0000000..23d196b
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5_dgst.c
@@ -0,0 +1,319 @@
+/* crypto/md5/md5_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "md5_locl.h"
+#include <openssl/opensslv.h>
+
+const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
+
+/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
+ */
+
+#define INIT_DATA_A (unsigned long)0x67452301L
+#define INIT_DATA_B (unsigned long)0xefcdab89L
+#define INIT_DATA_C (unsigned long)0x98badcfeL
+#define INIT_DATA_D (unsigned long)0x10325476L
+
+void MD5_Init(MD5_CTX *c)
+	{
+	c->A=INIT_DATA_A;
+	c->B=INIT_DATA_B;
+	c->C=INIT_DATA_C;
+	c->D=INIT_DATA_D;
+	c->Nl=0;
+	c->Nh=0;
+	c->num=0;
+	}
+
+#ifndef md5_block_host_order
+void md5_block_host_order (MD5_CTX *c, const void *data, int num)
+	{
+	const MD5_LONG *X=data;
+	register unsigned long A,B,C,D;
+	/*
+	 * In case you wonder why A-D are declared as long and not
+	 * as MD5_LONG. Doing so results in slight performance
+	 * boost on LP64 architectures. The catch is we don't
+	 * really care if 32 MSBs of a 64-bit register get polluted
+	 * with eventual overflows as we *save* only 32 LSBs in
+	 * *either* case. Now declaring 'em long excuses the compiler
+	 * from keeping 32 MSBs zeroed resulting in 13% performance
+	 * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+	 * Well, to be honest it should say that this *prevents* 
+	 * performance degradation.
+	 *
+	 *				<appro@fy.chalmers.se>
+	 */
+
+	A=c->A;
+	B=c->B;
+	C=c->C;
+	D=c->D;
+
+	for (;num--;X+=HASH_LBLOCK)
+		{
+	/* Round 0 */
+	R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
+	R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
+	R0(C,D,A,B,X[ 2],17,0x242070dbL);
+	R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
+	R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
+	R0(D,A,B,C,X[ 5],12,0x4787c62aL);
+	R0(C,D,A,B,X[ 6],17,0xa8304613L);
+	R0(B,C,D,A,X[ 7],22,0xfd469501L);
+	R0(A,B,C,D,X[ 8], 7,0x698098d8L);
+	R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
+	R0(C,D,A,B,X[10],17,0xffff5bb1L);
+	R0(B,C,D,A,X[11],22,0x895cd7beL);
+	R0(A,B,C,D,X[12], 7,0x6b901122L);
+	R0(D,A,B,C,X[13],12,0xfd987193L);
+	R0(C,D,A,B,X[14],17,0xa679438eL);
+	R0(B,C,D,A,X[15],22,0x49b40821L);
+	/* Round 1 */
+	R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
+	R1(D,A,B,C,X[ 6], 9,0xc040b340L);
+	R1(C,D,A,B,X[11],14,0x265e5a51L);
+	R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
+	R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
+	R1(D,A,B,C,X[10], 9,0x02441453L);
+	R1(C,D,A,B,X[15],14,0xd8a1e681L);
+	R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
+	R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
+	R1(D,A,B,C,X[14], 9,0xc33707d6L);
+	R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
+	R1(B,C,D,A,X[ 8],20,0x455a14edL);
+	R1(A,B,C,D,X[13], 5,0xa9e3e905L);
+	R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
+	R1(C,D,A,B,X[ 7],14,0x676f02d9L);
+	R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
+	/* Round 2 */
+	R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
+	R2(D,A,B,C,X[ 8],11,0x8771f681L);
+	R2(C,D,A,B,X[11],16,0x6d9d6122L);
+	R2(B,C,D,A,X[14],23,0xfde5380cL);
+	R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
+	R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
+	R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
+	R2(B,C,D,A,X[10],23,0xbebfbc70L);
+	R2(A,B,C,D,X[13], 4,0x289b7ec6L);
+	R2(D,A,B,C,X[ 0],11,0xeaa127faL);
+	R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
+	R2(B,C,D,A,X[ 6],23,0x04881d05L);
+	R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
+	R2(D,A,B,C,X[12],11,0xe6db99e5L);
+	R2(C,D,A,B,X[15],16,0x1fa27cf8L);
+	R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
+	/* Round 3 */
+	R3(A,B,C,D,X[ 0], 6,0xf4292244L);
+	R3(D,A,B,C,X[ 7],10,0x432aff97L);
+	R3(C,D,A,B,X[14],15,0xab9423a7L);
+	R3(B,C,D,A,X[ 5],21,0xfc93a039L);
+	R3(A,B,C,D,X[12], 6,0x655b59c3L);
+	R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
+	R3(C,D,A,B,X[10],15,0xffeff47dL);
+	R3(B,C,D,A,X[ 1],21,0x85845dd1L);
+	R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
+	R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
+	R3(C,D,A,B,X[ 6],15,0xa3014314L);
+	R3(B,C,D,A,X[13],21,0x4e0811a1L);
+	R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
+	R3(D,A,B,C,X[11],10,0xbd3af235L);
+	R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
+	R3(B,C,D,A,X[ 9],21,0xeb86d391L);
+
+	A = c->A += A;
+	B = c->B += B;
+	C = c->C += C;
+	D = c->D += D;
+		}
+	}
+#endif
+
+#ifndef md5_block_data_order
+#ifdef X
+#undef X
+#endif
+void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
+	{
+	const unsigned char *data=data_;
+	register unsigned long A,B,C,D,l;
+	/*
+	 * In case you wonder why A-D are declared as long and not
+	 * as MD5_LONG. Doing so results in slight performance
+	 * boost on LP64 architectures. The catch is we don't
+	 * really care if 32 MSBs of a 64-bit register get polluted
+	 * with eventual overflows as we *save* only 32 LSBs in
+	 * *either* case. Now declaring 'em long excuses the compiler
+	 * from keeping 32 MSBs zeroed resulting in 13% performance
+	 * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+	 * Well, to be honest it should say that this *prevents* 
+	 * performance degradation.
+	 *
+	 *				<appro@fy.chalmers.se>
+	 */
+#ifndef MD32_XARRAY
+	/* See comment in crypto/sha/sha_locl.h for details. */
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)	XX##i
+#else
+	MD5_LONG XX[MD5_LBLOCK];
+# define X(i)	XX[i]
+#endif
+
+	A=c->A;
+	B=c->B;
+	C=c->C;
+	D=c->D;
+
+	for (;num--;)
+		{
+	HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
+	/* Round 0 */
+	R0(A,B,C,D,X( 0), 7,0xd76aa478L);	HOST_c2l(data,l); X( 2)=l;
+	R0(D,A,B,C,X( 1),12,0xe8c7b756L);	HOST_c2l(data,l); X( 3)=l;
+	R0(C,D,A,B,X( 2),17,0x242070dbL);	HOST_c2l(data,l); X( 4)=l;
+	R0(B,C,D,A,X( 3),22,0xc1bdceeeL);	HOST_c2l(data,l); X( 5)=l;
+	R0(A,B,C,D,X( 4), 7,0xf57c0fafL);	HOST_c2l(data,l); X( 6)=l;
+	R0(D,A,B,C,X( 5),12,0x4787c62aL);	HOST_c2l(data,l); X( 7)=l;
+	R0(C,D,A,B,X( 6),17,0xa8304613L);	HOST_c2l(data,l); X( 8)=l;
+	R0(B,C,D,A,X( 7),22,0xfd469501L);	HOST_c2l(data,l); X( 9)=l;
+	R0(A,B,C,D,X( 8), 7,0x698098d8L);	HOST_c2l(data,l); X(10)=l;
+	R0(D,A,B,C,X( 9),12,0x8b44f7afL);	HOST_c2l(data,l); X(11)=l;
+	R0(C,D,A,B,X(10),17,0xffff5bb1L);	HOST_c2l(data,l); X(12)=l;
+	R0(B,C,D,A,X(11),22,0x895cd7beL);	HOST_c2l(data,l); X(13)=l;
+	R0(A,B,C,D,X(12), 7,0x6b901122L);	HOST_c2l(data,l); X(14)=l;
+	R0(D,A,B,C,X(13),12,0xfd987193L);	HOST_c2l(data,l); X(15)=l;
+	R0(C,D,A,B,X(14),17,0xa679438eL);
+	R0(B,C,D,A,X(15),22,0x49b40821L);
+	/* Round 1 */
+	R1(A,B,C,D,X( 1), 5,0xf61e2562L);
+	R1(D,A,B,C,X( 6), 9,0xc040b340L);
+	R1(C,D,A,B,X(11),14,0x265e5a51L);
+	R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
+	R1(A,B,C,D,X( 5), 5,0xd62f105dL);
+	R1(D,A,B,C,X(10), 9,0x02441453L);
+	R1(C,D,A,B,X(15),14,0xd8a1e681L);
+	R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
+	R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
+	R1(D,A,B,C,X(14), 9,0xc33707d6L);
+	R1(C,D,A,B,X( 3),14,0xf4d50d87L);
+	R1(B,C,D,A,X( 8),20,0x455a14edL);
+	R1(A,B,C,D,X(13), 5,0xa9e3e905L);
+	R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
+	R1(C,D,A,B,X( 7),14,0x676f02d9L);
+	R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
+	/* Round 2 */
+	R2(A,B,C,D,X( 5), 4,0xfffa3942L);
+	R2(D,A,B,C,X( 8),11,0x8771f681L);
+	R2(C,D,A,B,X(11),16,0x6d9d6122L);
+	R2(B,C,D,A,X(14),23,0xfde5380cL);
+	R2(A,B,C,D,X( 1), 4,0xa4beea44L);
+	R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
+	R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
+	R2(B,C,D,A,X(10),23,0xbebfbc70L);
+	R2(A,B,C,D,X(13), 4,0x289b7ec6L);
+	R2(D,A,B,C,X( 0),11,0xeaa127faL);
+	R2(C,D,A,B,X( 3),16,0xd4ef3085L);
+	R2(B,C,D,A,X( 6),23,0x04881d05L);
+	R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
+	R2(D,A,B,C,X(12),11,0xe6db99e5L);
+	R2(C,D,A,B,X(15),16,0x1fa27cf8L);
+	R2(B,C,D,A,X( 2),23,0xc4ac5665L);
+	/* Round 3 */
+	R3(A,B,C,D,X( 0), 6,0xf4292244L);
+	R3(D,A,B,C,X( 7),10,0x432aff97L);
+	R3(C,D,A,B,X(14),15,0xab9423a7L);
+	R3(B,C,D,A,X( 5),21,0xfc93a039L);
+	R3(A,B,C,D,X(12), 6,0x655b59c3L);
+	R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
+	R3(C,D,A,B,X(10),15,0xffeff47dL);
+	R3(B,C,D,A,X( 1),21,0x85845dd1L);
+	R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
+	R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
+	R3(C,D,A,B,X( 6),15,0xa3014314L);
+	R3(B,C,D,A,X(13),21,0x4e0811a1L);
+	R3(A,B,C,D,X( 4), 6,0xf7537e82L);
+	R3(D,A,B,C,X(11),10,0xbd3af235L);
+	R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
+	R3(B,C,D,A,X( 9),21,0xeb86d391L);
+
+	A = c->A += A;
+	B = c->B += B;
+	C = c->C += C;
+	D = c->D += D;
+		}
+	}
+#endif
+
+#ifdef undef
+int printit(unsigned long *l)
+	{
+	int i,ii;
+
+	for (i=0; i<2; i++)
+		{
+		for (ii=0; ii<8; ii++)
+			{
+			fprintf(stderr,"%08lx ",l[i*8+ii]);
+			}
+		fprintf(stderr,"\n");
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/md5/md5_locl.h b/crypto/openssl/crypto/md5/md5_locl.h
new file mode 100644
index 0000000..c912484
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5_locl.h
@@ -0,0 +1,172 @@
+/* crypto/md5/md5_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/md5.h>
+
+#ifndef MD5_LONG_LOG2
+#define MD5_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+#ifdef MD5_ASM
+# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#  define md5_block_host_order md5_block_asm_host_order
+# elif defined(__sparc) && defined(ULTRASPARC)
+   void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
+#  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
+# endif
+#endif
+
+void md5_block_host_order (MD5_CTX *c, const void *p,int num);
+void md5_block_data_order (MD5_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+/*
+ * *_block_host_order is expected to handle aligned data while
+ * *_block_data_order - unaligned. As algorithm and host (x86)
+ * are in this case of the same "endianness" these two are
+ * otherwise indistinguishable. But normally you don't want to
+ * call the same function because unaligned access in places
+ * where alignment is expected is usually a "Bad Thing". Indeed,
+ * on RISCs you get punished with BUS ERROR signal or *severe*
+ * performance degradation. Intel CPUs are in turn perfectly
+ * capable of loading unaligned data without such drastic side
+ * effect. Yes, they say it's slower than aligned load, but no
+ * exception is generated and therefore performance degradation
+ * is *incomparable* with RISCs. What we should weight here is
+ * costs of unaligned access against costs of aligning data.
+ * According to my measurements allowing unaligned access results
+ * in ~9% performance improvement on Pentium II operating at
+ * 266MHz. I won't be surprised if the difference will be higher
+ * on faster systems:-)
+ *
+ *				<appro@fy.chalmers.se>
+ */
+#define md5_block_data_order md5_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG		MD5_LONG
+#define HASH_LONG_LOG2		MD5_LONG_LOG2
+#define HASH_CTX		MD5_CTX
+#define HASH_CBLOCK		MD5_CBLOCK
+#define HASH_LBLOCK		MD5_LBLOCK
+#define HASH_UPDATE		MD5_Update
+#define HASH_TRANSFORM		MD5_Transform
+#define HASH_FINAL		MD5_Final
+#define	HASH_MAKE_STRING(c,s)	do {	\
+	unsigned long ll;		\
+	ll=(c)->A; HOST_l2c(ll,(s));	\
+	ll=(c)->B; HOST_l2c(ll,(s));	\
+	ll=(c)->C; HOST_l2c(ll,(s));	\
+	ll=(c)->D; HOST_l2c(ll,(s));	\
+	} while (0)
+#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
+#if !defined(L_ENDIAN) || defined(md5_block_data_order)
+#define	HASH_BLOCK_DATA_ORDER	md5_block_data_order
+/*
+ * Little-endians (Intel and Alpha) feel better without this.
+ * It looks like memcpy does better job than generic
+ * md5_block_data_order on copying-n-aligning input data.
+ * But frankly speaking I didn't expect such result on Alpha.
+ * On the other hand I've got this with egcs-1.0.2 and if
+ * program is compiled with another (better?) compiler it
+ * might turn out other way around.
+ *
+ *				<appro@fy.chalmers.se>
+ */
+#endif
+
+#include "md32_common.h"
+
+/*
+#define	F(x,y,z)	(((x) & (y))  |  ((~(x)) & (z)))
+#define	G(x,y,z)	(((x) & (z))  |  ((y) & (~(z))))
+*/
+
+/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+ * simplified to the code below.  Wei attributes these optimizations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ */
+#define	F(b,c,d)	((((c) ^ (d)) & (b)) ^ (d))
+#define	G(b,c,d)	((((b) ^ (c)) & (d)) ^ (c))
+#define	H(b,c,d)	((b) ^ (c) ^ (d))
+#define	I(b,c,d)	(((~(d)) | (b)) ^ (c))
+
+#define R0(a,b,c,d,k,s,t) { \
+	a+=((k)+(t)+F((b),(c),(d))); \
+	a=ROTATE(a,s); \
+	a+=b; };\
+
+#define R1(a,b,c,d,k,s,t) { \
+	a+=((k)+(t)+G((b),(c),(d))); \
+	a=ROTATE(a,s); \
+	a+=b; };
+
+#define R2(a,b,c,d,k,s,t) { \
+	a+=((k)+(t)+H((b),(c),(d))); \
+	a=ROTATE(a,s); \
+	a+=b; };
+
+#define R3(a,b,c,d,k,s,t) { \
+	a+=((k)+(t)+I((b),(c),(d))); \
+	a=ROTATE(a,s); \
+	a+=b; };
diff --git a/crypto/openssl/crypto/md5/md5_one.c b/crypto/openssl/crypto/md5/md5_one.c
new file mode 100644
index 0000000..b89dec8
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5_one.c
@@ -0,0 +1,95 @@
+/* crypto/md5/md5_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/md5.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
+	{
+	MD5_CTX c;
+	static unsigned char m[MD5_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	MD5_Init(&c);
+#ifndef CHARSET_EBCDIC
+	MD5_Update(&c,d,n);
+#else
+	{
+		char temp[1024];
+		unsigned long chunk;
+
+		while (n > 0)
+		{
+			chunk = (n > sizeof(temp)) ? sizeof(temp) : n;
+			ebcdic2ascii(temp, d, chunk);
+			MD5_Update(&c,temp,chunk);
+			n -= chunk;
+			d += chunk;
+		}
+	}
+#endif
+	MD5_Final(md,&c);
+	memset(&c,0,sizeof(c)); /* security consideration */
+	return(md);
+	}
+
diff --git a/crypto/openssl/crypto/md5/md5s.cpp b/crypto/openssl/crypto/md5/md5s.cpp
new file mode 100644
index 0000000..dd343fd
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5s.cpp
@@ -0,0 +1,78 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md5.h>
+
+extern "C" {
+void md5_block_x86(MD5_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[64*256];
+	MD5_CTX ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=0,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=16;
+	if (num > 250) num=16;
+	numm=num+2;
+	num*=64;
+	numm*=64;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			md5_block_x86(&ctx,buffer,numm);
+			GetTSC(s1);
+			md5_block_x86(&ctx,buffer,numm);
+			GetTSC(e1);
+			GetTSC(s2);
+			md5_block_x86(&ctx,buffer,num);
+			GetTSC(e2);
+			md5_block_x86(&ctx,buffer,num);
+			}
+		printf("md5 (%d bytes) %d %d (%.2f)\n",num,
+			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+		}
+	}
+
diff --git a/crypto/openssl/crypto/md5/md5test.c b/crypto/openssl/crypto/md5/md5test.c
new file mode 100644
index 0000000..6bd8656
--- /dev/null
+++ b/crypto/openssl/crypto/md5/md5test.c
@@ -0,0 +1,131 @@
+/* crypto/md5/md5test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_MD5
+int main(int argc, char *argv[])
+{
+    printf("No MD5 support\n");
+    return(0);
+}
+#else
+#include <openssl/md5.h>
+
+static char *test[]={
+	"",
+	"a",
+	"abc",
+	"message digest",
+	"abcdefghijklmnopqrstuvwxyz",
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	"12345678901234567890123456789012345678901234567890123456789012345678901234567890",
+	NULL,
+	};
+
+static char *ret[]={
+	"d41d8cd98f00b204e9800998ecf8427e",
+	"0cc175b9c0f1b6a831c399e269772661",
+	"900150983cd24fb0d6963f7d28e17f72",
+	"f96b697d7cb7938d525a2f31aaf161d0",
+	"c3fcd3d76192e4007dfb496cca67e13b",
+	"d174ab98d277d9f5a5611c2c9f419d9f",
+	"57edf4a22be3c955ac49da2e2107b67a",
+	};
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	unsigned char **P,**R;
+	char *p;
+
+	P=(unsigned char **)test;
+	R=(unsigned char **)ret;
+	i=1;
+	while (*P != NULL)
+		{
+		p=pt(MD5(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+		if (strcmp(p,(char *)*R) != 0)
+			{
+			printf("error calculating MD5 on '%s'\n",*P);
+			printf("got %s instead of %s\n",p,*R);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		i++;
+		R++;
+		P++;
+		}
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<MD5_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/mdc2/Makefile.save b/crypto/openssl/crypto/mdc2/Makefile.save
new file mode 100644
index 0000000..4ed72c0
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/Makefile.save
@@ -0,0 +1,89 @@
+#
+# SSLeay/crypto/mdc2/Makefile
+#
+
+DIR=	mdc2
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= mdc2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=mdc2dgst.c mdc2_one.c
+LIBOBJ=mdc2dgst.o mdc2_one.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= mdc2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+mdc2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+mdc2_one.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+mdc2_one.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+mdc2_one.o: ../../include/openssl/err.h ../../include/openssl/mdc2.h
+mdc2_one.o: ../../include/openssl/opensslconf.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/stack.h ../cryptlib.h
+mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl
new file mode 100644
index 0000000..4ed72c0
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/Makefile.ssl
@@ -0,0 +1,89 @@
+#
+# SSLeay/crypto/mdc2/Makefile
+#
+
+DIR=	mdc2
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= mdc2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=mdc2dgst.c mdc2_one.c
+LIBOBJ=mdc2dgst.o mdc2_one.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= mdc2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+mdc2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+mdc2_one.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+mdc2_one.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+mdc2_one.o: ../../include/openssl/err.h ../../include/openssl/mdc2.h
+mdc2_one.o: ../../include/openssl/opensslconf.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/stack.h ../cryptlib.h
+mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
diff --git a/crypto/openssl/crypto/mdc2/mdc2.h b/crypto/openssl/crypto/mdc2/mdc2.h
new file mode 100644
index 0000000..00acd70
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/mdc2.h
@@ -0,0 +1,95 @@
+/* crypto/mdc2/mdc2.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MDC2_H
+#define HEADER_MDC2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/des.h>
+
+#ifdef NO_MDC2
+#error MDC2 is disabled.
+#endif
+
+#define MDC2_BLOCK              8
+#define MDC2_DIGEST_LENGTH      16
+ 
+typedef struct mdc2_ctx_st
+	{
+	int num;
+	unsigned char data[MDC2_BLOCK];
+	des_cblock h,hh;
+	int pad_type; /* either 1 or 2, default 1 */
+	} MDC2_CTX;
+
+
+void MDC2_Init(MDC2_CTX *c);
+void MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
+void MDC2_Final(unsigned char *md, MDC2_CTX *c);
+unsigned char *MDC2(const unsigned char *d, unsigned long n,
+	unsigned char *md);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/crypto/openssl/crypto/mdc2/mdc2_one.c b/crypto/openssl/crypto/mdc2/mdc2_one.c
new file mode 100644
index 0000000..6cd141b
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/mdc2_one.c
@@ -0,0 +1,75 @@
+/* crypto/mdc2/mdc2_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/mdc2.h>
+
+unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md)
+	{
+	MDC2_CTX c;
+	static unsigned char m[MDC2_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	MDC2_Init(&c);
+	MDC2_Update(&c,d,n);
+        MDC2_Final(md,&c);
+	memset(&c,0,sizeof(c)); /* security consideration */
+	return(md);
+	}
+
diff --git a/crypto/openssl/crypto/mdc2/mdc2dgst.c b/crypto/openssl/crypto/mdc2/mdc2dgst.c
new file mode 100644
index 0000000..c630a24
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/mdc2dgst.c
@@ -0,0 +1,195 @@
+/* crypto/mdc2/mdc2dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/des.h>
+#include <openssl/mdc2.h>
+
+#undef c2l
+#define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<<24L)
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			*((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			*((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			*((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len);
+void MDC2_Init(MDC2_CTX *c)
+	{
+	c->num=0;
+	c->pad_type=1;
+	memset(&(c->h[0]),0x52,MDC2_BLOCK);
+	memset(&(c->hh[0]),0x25,MDC2_BLOCK);
+	}
+
+void MDC2_Update(MDC2_CTX *c, const unsigned char *in, unsigned long len)
+	{
+	int i,j;
+
+	i=c->num;
+	if (i != 0)
+		{
+		if (i+len < MDC2_BLOCK)
+			{
+			/* partial block */
+			memcpy(&(c->data[i]),in,(int)len);
+			c->num+=(int)len;
+			return;
+			}
+		else
+			{
+			/* filled one */
+			j=MDC2_BLOCK-i;
+			memcpy(&(c->data[i]),in,j);
+			len-=j;
+			in+=j;
+			c->num=0;
+			mdc2_body(c,&(c->data[0]),MDC2_BLOCK);
+			}
+		}
+	i=(int)(len&(unsigned long)~(MDC2_BLOCK-1));
+	if (i > 0) mdc2_body(c,in,i);
+	j=(int)len-i;
+	if (j > 0)
+		{
+		memcpy(&(c->data[0]),&(in[i]),j);
+		c->num=j;
+		}
+	}
+
+static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len)
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG ttin0,ttin1;
+	DES_LONG d[2],dd[2];
+	des_key_schedule k;
+	unsigned char *p;
+	unsigned int i;
+
+	for (i=0; i<len; i+=8)
+		{
+		c2l(in,tin0); d[0]=dd[0]=tin0;
+		c2l(in,tin1); d[1]=dd[1]=tin1;
+		c->h[0]=(c->h[0]&0x9f)|0x40;
+		c->hh[0]=(c->hh[0]&0x9f)|0x20;
+
+		des_set_odd_parity(&c->h);
+		des_set_key_unchecked(&c->h,k);
+		des_encrypt(d,k,1);
+
+		des_set_odd_parity(&c->hh);
+		des_set_key_unchecked(&c->hh,k);
+		des_encrypt(dd,k,1);
+
+		ttin0=tin0^dd[0];
+		ttin1=tin1^dd[1];
+		tin0^=d[0];
+		tin1^=d[1];
+
+		p=c->h;
+		l2c(tin0,p);
+		l2c(ttin1,p);
+		p=c->hh;
+		l2c(ttin0,p);
+		l2c(tin1,p);
+		}
+	}
+
+void MDC2_Final(unsigned char *md, MDC2_CTX *c)
+	{
+	int i,j;
+
+	i=c->num;
+	j=c->pad_type;
+	if ((i > 0) || (j == 2))
+		{
+		if (j == 2)
+			c->data[i++]=0x80;
+		memset(&(c->data[i]),0,MDC2_BLOCK-i);
+		mdc2_body(c,c->data,MDC2_BLOCK);
+		}
+	memcpy(md,(char *)c->h,MDC2_BLOCK);
+	memcpy(&(md[MDC2_BLOCK]),(char *)c->hh,MDC2_BLOCK);
+	}
+
+#undef TEST
+
+#ifdef TEST
+main()
+	{
+	unsigned char md[MDC2_DIGEST_LENGTH];
+	int i;
+	MDC2_CTX c;
+	static char *text="Now is the time for all ";
+
+	MDC2_Init(&c);
+	MDC2_Update(&c,text,strlen(text));
+	MDC2_Final(&(md[0]),&c);
+
+	for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+		printf("%02X",md[i]);
+	printf("\n");
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/mdc2/mdc2test.c b/crypto/openssl/crypto/mdc2/mdc2test.c
new file mode 100644
index 0000000..46c25ae
--- /dev/null
+++ b/crypto/openssl/crypto/mdc2/mdc2test.c
@@ -0,0 +1,140 @@
+/* crypto/mdc2/mdc2test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(NO_DES) && !defined(NO_MDC2)
+#define NO_MDC2
+#endif
+
+#ifdef NO_MDC2
+int main(int argc, char *argv[])
+{
+    printf("No MDC2 support\n");
+    return(0);
+}
+#else
+#include <openssl/mdc2.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static unsigned char pad1[16]={
+	0x42,0xE5,0x0C,0xD2,0x24,0xBA,0xCE,0xBA,
+	0x76,0x0B,0xDD,0x2B,0xD4,0x09,0x28,0x1A
+	};
+
+static unsigned char pad2[16]={
+	0x2E,0x46,0x79,0xB5,0xAD,0xD9,0xCA,0x75,
+	0x35,0xD8,0x7A,0xFE,0xAB,0x33,0xBE,0xE2
+	};
+
+int main(int argc, char *argv[])
+	{
+	int ret=0;
+	unsigned char md[MDC2_DIGEST_LENGTH];
+	int i;
+	MDC2_CTX c;
+	static char *text="Now is the time for all ";
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(text,text,strlen(text));
+#endif
+
+	MDC2_Init(&c);
+	MDC2_Update(&c,(unsigned char *)text,strlen(text));
+	MDC2_Final(&(md[0]),&c);
+
+	if (memcmp(md,pad1,MDC2_DIGEST_LENGTH) != 0)
+		{
+		for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+			printf("%02X",md[i]);
+		printf(" <- generated\n");
+		for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+			printf("%02X",pad1[i]);
+		printf(" <- correct\n");
+		ret=1;
+		}
+	else
+		printf("pad1 - ok\n");
+
+	MDC2_Init(&c);
+	c.pad_type=2;
+	MDC2_Update(&c,(unsigned char *)text,strlen(text));
+	MDC2_Final(&(md[0]),&c);
+
+	if (memcmp(md,pad2,MDC2_DIGEST_LENGTH) != 0)
+		{
+		for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+			printf("%02X",md[i]);
+		printf(" <- generated\n");
+		for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+			printf("%02X",pad2[i]);
+		printf(" <- correct\n");
+		ret=1;
+		}
+	else
+		printf("pad2 - ok\n");
+
+	exit(ret);
+	return(ret);
+	}
+#endif
diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c
new file mode 100644
index 0000000..5a661e5
--- /dev/null
+++ b/crypto/openssl/crypto/mem.c
@@ -0,0 +1,261 @@
+/* crypto/mem.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+
+
+static int allow_customize = 1;      /* we provide flexible functions for */
+static int allow_customize_debug = 1;/* exchanging memory-related functions at
+                                      * run-time, but this must be done
+                                      * before any blocks are actually
+                                      * allocated; or we'll run into huge
+                                      * problems when malloc/free pairs
+                                      * don't match etc. */
+
+/* may be changed as long as `allow_customize' is set */
+static void *(*malloc_locked_func)(size_t)  = malloc;
+static void (*free_locked_func)(void *)     = free;
+static void *(*malloc_func)(size_t)         = malloc;
+static void *(*realloc_func)(void *, size_t)= realloc;
+static void (*free_func)(void *)            = free;
+
+/* may be changed as long as `allow_customize_debug' is set */
+/* XXX use correct function pointer types */
+#ifdef CRYPTO_MDEBUG
+  /* use default functions from mem_dbg.c */
+  static void (*malloc_debug_func)()= (void (*)())CRYPTO_dbg_malloc;
+  static void (*realloc_debug_func)()= (void (*)())CRYPTO_dbg_realloc;
+  static void (*free_debug_func)()= (void (*)())CRYPTO_dbg_free;
+  static void (*set_debug_options_func)()= (void (*)())CRYPTO_dbg_set_options;
+  static long (*get_debug_options_func)()= (long (*)())CRYPTO_dbg_get_options;
+#else
+  /* applications can use CRYPTO_malloc_debug_init() to select above case
+   * at run-time */
+  static void (*malloc_debug_func)()= NULL;
+  static void (*realloc_debug_func)()= NULL;
+  static void (*free_debug_func)()= NULL;
+  static void (*set_debug_options_func)()= NULL;
+  static long (*get_debug_options_func)()= NULL;
+#endif
+
+
+int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
+	void (*f)(void *))
+	{
+	if (!allow_customize)
+		return 0;
+	if ((m == NULL) || (r == NULL) || (f == NULL))
+		return 0;
+	malloc_func=m;
+	realloc_func=r;
+	free_func=f;
+	malloc_locked_func=m;
+	free_locked_func=f;
+	return 1;
+	}
+
+int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*f)(void *))
+	{
+	if (!allow_customize)
+		return 0;
+	if ((m == NULL) || (f == NULL))
+		return 0;
+	malloc_locked_func=m;
+	free_locked_func=f;
+	return 1;
+	}
+
+int CRYPTO_set_mem_debug_functions(void (*m)(), void (*r)(), void (*f)(),void (*so)(),long (*go)())
+	{
+	if (!allow_customize_debug)
+		return 0;
+	malloc_debug_func=m;
+	realloc_debug_func=r;
+	free_debug_func=f;
+	set_debug_options_func=so;
+	get_debug_options_func=go;
+	return 1;
+	}
+
+void CRYPTO_get_mem_functions(void *(**m)(size_t), void *(**r)(void *, size_t),
+	void (**f)(void *))
+	{
+	if (m != NULL) *m=malloc_func;
+	if (r != NULL) *r=realloc_func;
+	if (f != NULL) *f=free_func;
+	}
+
+void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *))
+	{
+	if (m != NULL) *m=malloc_locked_func;
+	if (f != NULL) *f=free_locked_func;
+	}
+
+void CRYPTO_get_mem_debug_functions(void (**m)(), void (**r)(), void (**f)(),void (**so)(),long (**go)())
+	{
+	if (m != NULL) *m=malloc_debug_func;
+	if (r != NULL) *r=realloc_debug_func;
+	if (f != NULL) *f=free_debug_func;
+	if (so != NULL) *so=set_debug_options_func;
+	if (go != NULL) *go=get_debug_options_func;
+	}
+
+
+void *CRYPTO_malloc_locked(int num, const char *file, int line)
+	{
+	char *ret = NULL;
+
+	allow_customize = 0;
+	if (malloc_debug_func != NULL)
+		{
+		allow_customize_debug = 0;
+		malloc_debug_func(NULL, num, file, line, 0);
+		}
+	ret = malloc_locked_func(num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+#endif
+	if (malloc_debug_func != NULL)
+		malloc_debug_func(ret, num, file, line, 1);
+
+	return ret;
+	}
+
+void CRYPTO_free_locked(void *str)
+	{
+	if (free_debug_func != NULL)
+		free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
+#endif
+	free_locked_func(str);
+	if (free_debug_func != NULL)
+		free_debug_func(NULL, 1);
+	}
+
+void *CRYPTO_malloc(int num, const char *file, int line)
+	{
+	char *ret = NULL;
+
+	allow_customize = 0;
+	if (malloc_debug_func != NULL)
+		{
+		allow_customize_debug = 0;
+		malloc_debug_func(NULL, num, file, line, 0);
+		}
+	ret = malloc_func(num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+#endif
+	if (malloc_debug_func != NULL)
+		malloc_debug_func(ret, num, file, line, 1);
+
+	return ret;
+	}
+
+void *CRYPTO_realloc(void *str, int num, const char *file, int line)
+	{
+	char *ret = NULL;
+
+	if (realloc_debug_func != NULL)
+		realloc_debug_func(str, NULL, num, file, line, 0);
+	ret = realloc_func(str,num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
+#endif
+	if (realloc_debug_func != NULL)
+		realloc_debug_func(str, ret, num, file, line, 1);
+
+	return ret;
+	}
+
+void CRYPTO_free(void *str)
+	{
+	if (free_debug_func != NULL)
+		free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
+#endif
+	free_func(str);
+	if (free_debug_func != NULL)
+		free_debug_func(NULL, 1);
+	}
+
+void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
+	{
+	if (a != NULL) Free(a);
+	a=(char *)Malloc(num);
+	return(a);
+	}
+
+
+void CRYPTO_set_mem_debug_options(long bits)
+	{
+	if (set_debug_options_func != NULL)
+		set_debug_options_func(bits);
+	}
+
+long CRYPTO_get_mem_debug_options(void)
+	{
+	if (get_debug_options_func != NULL)
+		return get_debug_options_func();
+	return 0;
+	}
diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c
new file mode 100644
index 0000000..a399485
--- /dev/null
+++ b/crypto/openssl/crypto/mem_dbg.c
@@ -0,0 +1,738 @@
+/* crypto/mem_dbg.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>	
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include "cryptlib.h"
+
+static int mh_mode=CRYPTO_MEM_CHECK_OFF;
+/* The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE
+ * when the application asks for it (usually after library initialisation
+ * for which no book-keeping is desired).
+ *
+ * State CRYPTO_MEM_CHECK_ON exists only temporarily when the library
+ * thinks that certain allocations should not be checked (e.g. the data
+ * structures used for memory checking).  It is not suitable as an initial
+ * state: the library will unexpectedly enable memory checking when it
+ * executes one of those sections that want to disable checking
+ * temporarily.
+ *
+ * State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes no sense whatsoever.
+ */
+
+static unsigned long order = 0; /* number of memory requests */
+static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
+
+
+typedef struct app_mem_info_st
+/* For application-defined information (static C-string `info')
+ * to be displayed in memory leak list.
+ * Each thread has its own stack.  For applications, there is
+ *   CRYPTO_push_info("...")     to push an entry,
+ *   CRYPTO_pop_info()           to pop an entry,
+ *   CRYPTO_remove_all_info()    to pop all entries.
+ */
+	{	
+	unsigned long thread;
+	const char *file;
+	int line;
+	const char *info;
+	struct app_mem_info_st *next; /* tail of thread's stack */
+	int references;
+	} APP_INFO;
+
+static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
+                          * that are at the top of their thread's stack
+                          * (with `thread' as key) */
+
+typedef struct mem_st
+/* memory-block description */
+	{
+	char *addr;
+	int num;
+	const char *file;
+	int line;
+	unsigned long thread;
+	unsigned long order;
+	time_t time;
+	APP_INFO *app_info;
+	} MEM;
+
+static long options =             /* extra information to be recorded */
+#if defined(CRYPTO_MDEBUG_TIME) || defined(CRYPTO_MDEBUG_ALL)
+	V_CRYPTO_MDEBUG_TIME |
+#endif
+#if defined(CRYPTO_MDEBUG_THREAD) || defined(CRYPTO_MDEBUG_ALL)
+	V_CRYPTO_MDEBUG_THREAD |
+#endif
+	0;
+
+
+static unsigned long disabling_thread = 0;
+
+int CRYPTO_mem_ctrl(int mode)
+	{
+	int ret=mh_mode;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+	switch (mode)
+		{
+	/* for applications: */
+	case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */
+		mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE;
+		disabling_thread = 0;
+		break;
+	case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
+		mh_mode = 0;
+		disabling_thread = 0;
+		break;
+
+	/* switch off temporarily (for library-internal use): */
+	case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
+		if (mh_mode & CRYPTO_MEM_CHECK_ON)
+			{
+			mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE;
+			if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */
+				{
+				/* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while
+				 * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if
+				 * somebody else holds CRYPTO_LOCK_MALLOC2 (and cannot release
+				 * it because we block entry to this function).
+				 * Give them a chance, first, and then claim the locks in
+				 * appropriate order (long-time lock first).
+				 */
+				CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+				/* Note that after we have waited for CRYPTO_LOCK_MALLOC2
+				 * and CRYPTO_LOCK_MALLOC, we'll still be in the right
+				 * "case" and "if" branch because MemCheck_start and
+				 * MemCheck_stop may never be used while there are multiple
+				 * OpenSSL threads. */
+				CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+				CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+				disabling_thread=CRYPTO_thread_id();
+				}
+			}
+		break;
+	case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
+		if (mh_mode & CRYPTO_MEM_CHECK_ON)
+			{
+			mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
+			if (disabling_thread != 0)
+				{
+				disabling_thread=0;
+				CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+				}
+			}
+		break;
+
+	default:
+		break;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+	return(ret);
+	}
+
+int CRYPTO_is_mem_check_on(void)
+	{
+	int ret = 0;
+
+	if (mh_mode & CRYPTO_MEM_CHECK_ON)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+
+		ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
+			&& disabling_thread != CRYPTO_thread_id();
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+		}
+	return(ret);
+	}	
+
+
+void CRYPTO_dbg_set_options(long bits)
+	{
+	options = bits;
+	}
+
+long CRYPTO_dbg_get_options(void)
+	{
+	return options;
+	}
+
+static int mem_cmp(MEM *a, MEM *b)
+	{
+	return(a->addr - b->addr);
+	}
+
+static unsigned long mem_hash(MEM *a)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)a->addr;
+
+	ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+	return(ret);
+	}
+
+static int app_info_cmp(APP_INFO *a, APP_INFO *b)
+	{
+	return(a->thread != b->thread);
+	}
+
+static unsigned long app_info_hash(APP_INFO *a)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)a->thread;
+
+	ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+	return(ret);
+	}
+
+static APP_INFO *pop_info()
+	{
+	APP_INFO tmp;
+	APP_INFO *ret = NULL;
+
+	if (amih != NULL)
+		{
+		tmp.thread=CRYPTO_thread_id();
+		if ((ret=(APP_INFO *)lh_delete(amih,&tmp)) != NULL)
+			{
+			APP_INFO *next=ret->next;
+
+			if (next != NULL)
+				{
+				next->references++;
+				lh_insert(amih,(char *)next);
+				}
+#ifdef LEVITTE_DEBUG
+			if (ret->thread != tmp.thread)
+				{
+				fprintf(stderr, "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+					ret->thread, tmp.thread);
+				abort();
+				}
+#endif
+			if (--(ret->references) <= 0)
+				{
+				ret->next = NULL;
+				if (next != NULL)
+					next->references--;
+				Free(ret);
+				}
+			}
+		}
+	return(ret);
+	}
+
+int CRYPTO_push_info_(const char *info, const char *file, int line)
+	{
+	APP_INFO *ami, *amim;
+	int ret=0;
+
+	if (is_MemCheck_on())
+		{
+		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+		if ((ami = (APP_INFO *)Malloc(sizeof(APP_INFO))) == NULL)
+			{
+			ret=0;
+			goto err;
+			}
+		if (amih == NULL)
+			{
+			if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
+				{
+				Free(ami);
+				ret=0;
+				goto err;
+				}
+			}
+
+		ami->thread=CRYPTO_thread_id();
+		ami->file=file;
+		ami->line=line;
+		ami->info=info;
+		ami->references=1;
+		ami->next=NULL;
+
+		if ((amim=(APP_INFO *)lh_insert(amih,(char *)ami)) != NULL)
+			{
+#ifdef LEVITTE_DEBUG
+			if (ami->thread != amim->thread)
+				{
+				fprintf(stderr, "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+					amim->thread, ami->thread);
+				abort();
+				}
+#endif
+			ami->next=amim;
+			}
+ err:
+		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		}
+
+	return(ret);
+	}
+
+int CRYPTO_pop_info(void)
+	{
+	int ret=0;
+
+	if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */
+		{
+		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+		ret=(pop_info() != NULL);
+
+		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		}
+	return(ret);
+	}
+
+int CRYPTO_remove_all_info(void)
+	{
+	int ret=0;
+
+	if (is_MemCheck_on()) /* _must_ be true */
+		{
+		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+		while(pop_info() != NULL)
+			ret++;
+
+		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		}
+	return(ret);
+	}
+
+
+static unsigned long break_order_num=0;
+void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
+	int before_p)
+	{
+	MEM *m,*mm;
+	APP_INFO tmp,*amim;
+
+	switch(before_p & 127)
+		{
+	case 0:
+		break;
+	case 1:
+		if (addr == NULL)
+			break;
+
+		if (is_MemCheck_on())
+			{
+			MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+			if ((m=(MEM *)Malloc(sizeof(MEM))) == NULL)
+				{
+				Free(addr);
+				MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+				return;
+				}
+			if (mh == NULL)
+				{
+				if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
+					{
+					Free(addr);
+					Free(m);
+					addr=NULL;
+					goto err;
+					}
+				}
+
+			m->addr=addr;
+			m->file=file;
+			m->line=line;
+			m->num=num;
+			if (options & V_CRYPTO_MDEBUG_THREAD)
+				m->thread=CRYPTO_thread_id();
+			else
+				m->thread=0;
+
+			if (order == break_order_num)
+				{
+				/* BREAK HERE */
+				m->order=order;
+				}
+			m->order=order++;
+#ifdef LEVITTE_DEBUG
+			fprintf(stderr, "LEVITTE_DEBUG: [%5d] %c 0x%p (%d)\n",
+				m->order,
+				(before_p & 128) ? '*' : '+',
+				m->addr, m->num);
+#endif
+			if (options & V_CRYPTO_MDEBUG_TIME)
+				m->time=time(NULL);
+			else
+				m->time=0;
+
+			tmp.thread=CRYPTO_thread_id();
+			m->app_info=NULL;
+			if (amih != NULL
+				&& (amim=(APP_INFO *)lh_retrieve(amih,(char *)&tmp)) != NULL)
+				{
+				m->app_info = amim;
+				amim->references++;
+				}
+
+			if ((mm=(MEM *)lh_insert(mh,(char *)m)) != NULL)
+				{
+				/* Not good, but don't sweat it */
+				if (mm->app_info != NULL)
+					{
+					mm->app_info->references--;
+					}
+				Free(mm);
+				}
+		err:
+			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			}
+		break;
+		}
+	return;
+	}
+
+void CRYPTO_dbg_free(void *addr, int before_p)
+	{
+	MEM m,*mp;
+
+	switch(before_p)
+		{
+	case 0:
+		if (addr == NULL)
+			break;
+
+		if (is_MemCheck_on() && (mh != NULL))
+			{
+			MemCheck_off();
+
+			m.addr=addr;
+			mp=(MEM *)lh_delete(mh,(char *)&m);
+			if (mp != NULL)
+				{
+#ifdef LEVITTE_DEBUG
+			fprintf(stderr, "LEVITTE_DEBUG: [%5d] - 0x%p (%d)\n",
+				mp->order, mp->addr, mp->num);
+#endif
+				if (mp->app_info != NULL)
+					{
+					mp->app_info->references--;
+					}
+				Free(mp);
+				}
+
+			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			}
+		break;
+	case 1:
+		break;
+		}
+	}
+
+void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
+	const char *file, int line, int before_p)
+	{
+	MEM m,*mp;
+
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
+		addr1, addr2, num, file, line, before_p);
+#endif
+
+	switch(before_p)
+		{
+	case 0:
+		break;
+	case 1:
+		if (addr2 == NULL)
+			break;
+
+		if (addr1 == NULL)
+			{
+			CRYPTO_dbg_malloc(addr2, num, file, line, 128 | before_p);
+			break;
+			}
+
+		if (is_MemCheck_on())
+			{
+			MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+			m.addr=addr1;
+			mp=(MEM *)lh_delete(mh,(char *)&m);
+			if (mp != NULL)
+				{
+#ifdef LEVITTE_DEBUG
+				fprintf(stderr, "LEVITTE_DEBUG: [%5d] * 0x%p (%d) -> 0x%p (%d)\n",
+					mp->order,
+					mp->addr, mp->num,
+					addr2, num);
+#endif
+				mp->addr=addr2;
+				mp->num=num;
+				lh_insert(mh,(char *)mp);
+				}
+
+			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			}
+		break;
+		}
+	return;
+	}
+
+
+typedef struct mem_leak_st
+	{
+	BIO *bio;
+	int chunks;
+	long bytes;
+	} MEM_LEAK;
+
+static void print_leak(MEM *m, MEM_LEAK *l)
+	{
+	char buf[1024];
+	char *bufp = buf;
+	APP_INFO *amip;
+	int ami_cnt;
+	struct tm *lcl = NULL;
+	unsigned long ti;
+
+	if(m->addr == (char *)l->bio)
+	    return;
+
+	if (options & V_CRYPTO_MDEBUG_TIME)
+		{
+		lcl = localtime(&m->time);
+	
+		sprintf(bufp, "[%02d:%02d:%02d] ",
+			lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
+		bufp += strlen(bufp);
+		}
+
+	sprintf(bufp, "%5lu file=%s, line=%d, ",
+		m->order,m->file,m->line);
+	bufp += strlen(bufp);
+
+	if (options & V_CRYPTO_MDEBUG_THREAD)
+		{
+		sprintf(bufp, "thread=%lu, ", m->thread);
+		bufp += strlen(bufp);
+		}
+
+	sprintf(bufp, "number=%d, address=%08lX\n",
+		m->num,(unsigned long)m->addr);
+	bufp += strlen(bufp);
+
+	BIO_puts(l->bio,buf);
+	
+	l->chunks++;
+	l->bytes+=m->num;
+
+	amip=m->app_info;
+	ami_cnt=0;
+	if (!amip)
+		return;
+	ti=amip->thread;
+	
+	do
+		{
+		int buf_len;
+		int info_len;
+
+		ami_cnt++;
+		memset(buf,'>',ami_cnt);
+		sprintf(buf + ami_cnt,
+			" thread=%lu, file=%s, line=%d, info=\"",
+			amip->thread, amip->file, amip->line);
+		buf_len=strlen(buf);
+		info_len=strlen(amip->info);
+		if (128 - buf_len - 3 < info_len)
+			{
+			memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
+			buf_len = 128 - 3;
+			}
+		else
+			{
+			strcpy(buf + buf_len, amip->info);
+			buf_len = strlen(buf);
+			}
+		sprintf(buf + buf_len, "\"\n");
+		
+		BIO_puts(l->bio,buf);
+
+		amip = amip->next;
+		}
+	while(amip && amip->thread == ti);
+		
+#ifdef LEVITTE_DEBUG
+	if (amip)
+		{
+		fprintf(stderr, "Thread switch detected in backtrace!!!!\n");
+		abort();
+		}
+#endif
+	}
+
+void CRYPTO_mem_leaks(BIO *b)
+	{
+	MEM_LEAK ml;
+	char buf[80];
+
+	if (mh == NULL && amih == NULL)
+		return;
+	ml.bio=b;
+	ml.bytes=0;
+	ml.chunks=0;
+	MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+	if (mh != NULL)
+		lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
+	if (ml.chunks != 0)
+		{
+		sprintf(buf,"%ld bytes leaked in %d chunks\n",
+			ml.bytes,ml.chunks);
+		BIO_puts(b,buf);
+		}
+	else
+		{
+		/* Make sure that, if we found no leaks, memory-leak debugging itself
+		 * does not introduce memory leaks (which might irritate
+		 * external debugging tools).
+		 * (When someone enables leak checking, but does not call
+		 * this function, we declare it to be their fault.)
+		 *
+		 * XXX    This should be in CRYPTO_mem_leaks_cb,
+		 * and CRYPTO_mem_leaks should be implemented by
+		 * using CRYPTO_mem_leaks_cb.
+		 * (Also their should be a variant of lh_doall_arg
+		 * that takes a function pointer instead of a void *;
+		 * this would obviate the ugly and illegal
+		 * void_fn_to_char kludge in CRYPTO_mem_leaks_cb.
+		 * Otherwise the code police will come and get us.)
+		 */
+		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+		if (mh != NULL)
+			{
+			lh_free(mh);
+			mh = NULL;
+			}
+		if (amih != NULL)
+			{
+			if (lh_num_items(amih) == 0) 
+				{
+				lh_free(amih);
+				amih = NULL;
+				}
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+		}
+	MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+
+#if 0
+	lh_stats_bio(mh,b);
+	lh_node_stats_bio(mh,b);
+	lh_node_usage_stats_bio(mh,b);
+#endif
+	}
+
+union void_fn_to_char_u
+	{
+	char *char_p;
+	void (*fn_p)();
+	};
+
+static void cb_leak(MEM *m, char *cb)
+	{
+	union void_fn_to_char_u mem_callback;
+
+	mem_callback.char_p=cb;
+	mem_callback.fn_p(m->order,m->file,m->line,m->num,m->addr);
+	}
+
+void CRYPTO_mem_leaks_cb(void (*cb)())
+	{
+	union void_fn_to_char_u mem_cb;
+
+	if (mh == NULL) return;
+	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+	mem_cb.fn_p=cb;
+	lh_doall_arg(mh,(void (*)())cb_leak,mem_cb.char_p);
+	mem_cb.char_p=NULL;
+	CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+	}
+
+#ifndef NO_FP_API
+void CRYPTO_mem_leaks_fp(FILE *fp)
+	{
+	BIO *b;
+
+	if (mh == NULL) return;
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		return;
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	CRYPTO_mem_leaks(b);
+	BIO_free(b);
+	}
+#endif
+
diff --git a/crypto/openssl/crypto/objects/Makefile.save b/crypto/openssl/crypto/objects/Makefile.save
new file mode 100644
index 0000000..ea5348e
--- /dev/null
+++ b/crypto/openssl/crypto/objects/Makefile.save
@@ -0,0 +1,106 @@
+#
+# SSLeay/crypto/objects/Makefile
+#
+
+DIR=	objects
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	o_names.c obj_dat.c obj_lib.c obj_err.c
+LIBOBJ= o_names.o obj_dat.o obj_lib.o obj_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= objects.h
+HEADER=	$(EXHEADER) obj_dat.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	obj_dat.h lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+o_names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+o_names.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+o_names.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+o_names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+o_names.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_dat.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_dat.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+obj_dat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+obj_dat.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+obj_dat.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+obj_dat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_dat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_dat.o: ../cryptlib.h obj_dat.h
+obj_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+obj_err.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+obj_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+obj_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+obj_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+obj_lib.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+obj_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_lib.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl
new file mode 100644
index 0000000..ea5348e
--- /dev/null
+++ b/crypto/openssl/crypto/objects/Makefile.ssl
@@ -0,0 +1,106 @@
+#
+# SSLeay/crypto/objects/Makefile
+#
+
+DIR=	objects
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	o_names.c obj_dat.c obj_lib.c obj_err.c
+LIBOBJ= o_names.o obj_dat.o obj_lib.o obj_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= objects.h
+HEADER=	$(EXHEADER) obj_dat.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	obj_dat.h lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+o_names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+o_names.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+o_names.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+o_names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+o_names.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_dat.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_dat.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+obj_dat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+obj_dat.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+obj_dat.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+obj_dat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_dat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_dat.o: ../cryptlib.h obj_dat.h
+obj_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+obj_err.o: ../../include/openssl/err.h ../../include/openssl/objects.h
+obj_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+obj_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+obj_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+obj_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+obj_lib.o: ../../include/openssl/lhash.h ../../include/openssl/objects.h
+obj_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_lib.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/objects/o_names.c b/crypto/openssl/crypto/objects/o_names.c
new file mode 100644
index 0000000..d9389a5
--- /dev/null
+++ b/crypto/openssl/crypto/objects/o_names.c
@@ -0,0 +1,265 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/lhash.h>
+#include <openssl/objects.h>
+#include <openssl/safestack.h>
+
+/* I use the ex_data stuff to manage the identifiers for the obj_name_types
+ * that applications may define.  I only really use the free function field.
+ */
+static LHASH *names_lh=NULL;
+static int names_type_num=OBJ_NAME_TYPE_NUM;
+
+typedef struct name_funcs_st
+	{
+	unsigned long (*hash_func)();
+	int (*cmp_func)();
+	void (*free_func)();
+	} NAME_FUNCS;
+
+DECLARE_STACK_OF(NAME_FUNCS)
+IMPLEMENT_STACK_OF(NAME_FUNCS)
+
+static STACK_OF(NAME_FUNCS) *name_funcs_stack;
+
+static unsigned long obj_name_hash(OBJ_NAME *a);
+static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b);
+
+int OBJ_NAME_init(void)
+	{
+	if (names_lh != NULL) return(1);
+	MemCheck_off();
+	names_lh=lh_new(obj_name_hash,obj_name_cmp);
+	MemCheck_on();
+	return(names_lh != NULL);
+	}
+
+int OBJ_NAME_new_index(unsigned long (*hash_func)(), int (*cmp_func)(),
+	     void (*free_func)())
+	{
+	int ret;
+	int i;
+	NAME_FUNCS *name_funcs;
+
+	if (name_funcs_stack == NULL)
+		{
+		MemCheck_off();
+		name_funcs_stack=sk_NAME_FUNCS_new_null();
+		MemCheck_on();
+		}
+	if ((name_funcs_stack == NULL))
+		{
+		/* ERROR */
+		return(0);
+		}
+	ret=names_type_num;
+	names_type_num++;
+	for (i=sk_NAME_FUNCS_num(name_funcs_stack); i<names_type_num; i++)
+		{
+		MemCheck_off();
+		name_funcs = Malloc(sizeof(NAME_FUNCS));
+		name_funcs->hash_func = lh_strhash;
+		name_funcs->cmp_func = (int (*)())strcmp;
+		name_funcs->free_func = 0; /* NULL is often declared to
+					    * ((void *)0), which according
+					    * to Compaq C is not really
+					    * compatible with a function
+					    * pointer.  -- Richard Levitte*/
+		sk_NAME_FUNCS_push(name_funcs_stack,name_funcs);
+		MemCheck_on();
+		}
+	name_funcs = sk_NAME_FUNCS_value(name_funcs_stack, ret);
+	if (hash_func != NULL)
+		name_funcs->hash_func = hash_func;
+	if (cmp_func != NULL)
+		name_funcs->cmp_func = cmp_func;
+	if (free_func != NULL)
+		name_funcs->free_func = free_func;
+	return(ret);
+	}
+
+static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
+	{
+	int ret;
+
+	ret=a->type-b->type;
+	if (ret == 0)
+		{
+		if ((name_funcs_stack != NULL)
+			&& (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
+			{
+			ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
+				->cmp_func(a->name,b->name);
+			}
+		else
+			ret=strcmp(a->name,b->name);
+		}
+	return(ret);
+	}
+
+static unsigned long obj_name_hash(OBJ_NAME *a)
+	{
+	unsigned long ret;
+
+	if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
+		{
+		ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
+			->hash_func(a->name);
+		}
+	else
+		{
+		ret=lh_strhash(a->name);
+		}
+	ret^=a->type;
+	return(ret);
+	}
+
+const char *OBJ_NAME_get(const char *name, int type)
+	{
+	OBJ_NAME on,*ret;
+	int num=0,alias;
+
+	if (name == NULL) return(NULL);
+	if ((names_lh == NULL) && !OBJ_NAME_init()) return(NULL);
+
+	alias=type&OBJ_NAME_ALIAS;
+	type&= ~OBJ_NAME_ALIAS;
+
+	on.name=name;
+	on.type=type;
+
+	for (;;)
+		{
+		ret=(OBJ_NAME *)lh_retrieve(names_lh,&on);
+		if (ret == NULL) return(NULL);
+		if ((ret->alias) && !alias)
+			{
+			if (++num > 10) return(NULL);
+			on.name=ret->data;
+			}
+		else
+			{
+			return(ret->data);
+			}
+		}
+	}
+
+int OBJ_NAME_add(const char *name, int type, const char *data)
+	{
+	OBJ_NAME *onp,*ret;
+	int alias;
+
+	if ((names_lh == NULL) && !OBJ_NAME_init()) return(0);
+
+	alias=type&OBJ_NAME_ALIAS;
+	type&= ~OBJ_NAME_ALIAS;
+
+	onp=(OBJ_NAME *)Malloc(sizeof(OBJ_NAME));
+	if (onp == NULL)
+		{
+		/* ERROR */
+		return(0);
+		}
+
+	onp->name=name;
+	onp->alias=alias;
+	onp->type=type;
+	onp->data=data;
+
+	ret=(OBJ_NAME *)lh_insert(names_lh,onp);
+	if (ret != NULL)
+		{
+		/* free things */
+		if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > ret->type))
+			{
+			/* XXX: I'm not sure I understand why the free
+			 * function should get three arguments...
+			 * -- Richard Levitte
+			 */
+			sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
+				->free_func(ret->name,ret->type,ret->data);
+			}
+		Free(ret);
+		}
+	else
+		{
+		if (lh_error(names_lh))
+			{
+			/* ERROR */
+			return(0);
+			}
+		}
+	return(1);
+	}
+
+int OBJ_NAME_remove(const char *name, int type)
+	{
+	OBJ_NAME on,*ret;
+
+	if (names_lh == NULL) return(0);
+
+	type&= ~OBJ_NAME_ALIAS;
+	on.name=name;
+	on.type=type;
+	ret=(OBJ_NAME *)lh_delete(names_lh,&on);
+	if (ret != NULL)
+		{
+		/* free things */
+		if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > ret->type))
+			{
+			/* XXX: I'm not sure I understand why the free
+			 * function should get three arguments...
+			 * -- Richard Levitte
+			 */
+			sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
+				->free_func(ret->name,ret->type,ret->data);
+			}
+		Free(ret);
+		return(1);
+		}
+	else
+		return(0);
+	}
+
+static int free_type;
+
+static void names_lh_free(OBJ_NAME *onp, int type)
+{
+	if(onp == NULL)
+	    return;
+
+	if ((free_type < 0) || (free_type == onp->type))
+		{
+		OBJ_NAME_remove(onp->name,onp->type);
+		}
+	}
+
+static void name_funcs_free(NAME_FUNCS *ptr)
+	{
+	Free(ptr);
+	}
+
+void OBJ_NAME_cleanup(int type)
+	{
+	unsigned long down_load;
+
+	if (names_lh == NULL) return;
+
+	free_type=type;
+	down_load=names_lh->down_load;
+	names_lh->down_load=0;
+
+	lh_doall(names_lh,names_lh_free);
+	if (type < 0)
+		{
+		lh_free(names_lh);
+		sk_NAME_FUNCS_pop_free(name_funcs_stack,name_funcs_free);
+		names_lh=NULL;
+		name_funcs_stack = NULL;
+		}
+	else
+		names_lh->down_load=down_load;
+	}
+
diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c
new file mode 100644
index 0000000..da6df37
--- /dev/null
+++ b/crypto/openssl/crypto/objects/obj_dat.c
@@ -0,0 +1,649 @@
+/* crypto/objects/obj_dat.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+/* obj_dat.h is generated from objects.h by obj_dat.pl */
+#ifndef NO_OBJECT
+#include "obj_dat.h"
+#else
+/* You will have to load all the objects needed manually in the application */
+#define NUM_NID 0
+#define NUM_SN 0
+#define NUM_LN 0
+#define NUM_OBJ 0
+static unsigned char lvalues[1];
+static ASN1_OBJECT nid_objs[1];
+static ASN1_OBJECT *sn_objs[1];
+static ASN1_OBJECT *ln_objs[1];
+static ASN1_OBJECT *obj_objs[1];
+#endif
+
+static int sn_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
+static int ln_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
+static int obj_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
+#define ADDED_DATA	0
+#define ADDED_SNAME	1
+#define ADDED_LNAME	2
+#define ADDED_NID	3
+
+typedef struct added_obj_st
+	{
+	int type;
+	ASN1_OBJECT *obj;
+	} ADDED_OBJ;
+
+static int new_nid=NUM_NID;
+static LHASH *added=NULL;
+
+static int sn_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
+	{ return(strcmp((*ap)->sn,(*bp)->sn)); }
+
+static int ln_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
+	{ return(strcmp((*ap)->ln,(*bp)->ln)); }
+
+static unsigned long add_hash(ADDED_OBJ *ca)
+	{
+	ASN1_OBJECT *a;
+	int i;
+	unsigned long ret=0;
+	unsigned char *p;
+
+	a=ca->obj;
+	switch (ca->type)
+		{
+	case ADDED_DATA:
+		ret=a->length<<20L;
+		p=(unsigned char *)a->data;
+		for (i=0; i<a->length; i++)
+			ret^=p[i]<<((i*3)%24);
+		break;
+	case ADDED_SNAME:
+		ret=lh_strhash(a->sn);
+		break;
+	case ADDED_LNAME:
+		ret=lh_strhash(a->ln);
+		break;
+	case ADDED_NID:
+		ret=a->nid;
+		break;
+	default:
+		abort();
+		}
+	ret&=0x3fffffffL;
+	ret|=ca->type<<30L;
+	return(ret);
+	}
+
+static int add_cmp(ADDED_OBJ *ca, ADDED_OBJ *cb)
+	{
+	ASN1_OBJECT *a,*b;
+	int i;
+
+	i=ca->type-cb->type;
+	if (i) return(i);
+	a=ca->obj;
+	b=cb->obj;
+	switch (ca->type)
+		{
+	case ADDED_DATA:
+		i=(a->length - b->length);
+		if (i) return(i);
+		return(memcmp(a->data,b->data,a->length));
+	case ADDED_SNAME:
+		if (a->sn == NULL) return(-1);
+		else if (b->sn == NULL) return(1);
+		else return(strcmp(a->sn,b->sn));
+	case ADDED_LNAME:
+		if (a->ln == NULL) return(-1);
+		else if (b->ln == NULL) return(1);
+		else return(strcmp(a->ln,b->ln));
+	case ADDED_NID:
+		return(a->nid-b->nid);
+	default:
+		abort();
+		}
+	return(1); /* should not get here */
+	}
+
+static int init_added(void)
+	{
+	if (added != NULL) return(1);
+	added=lh_new(add_hash,add_cmp);
+	return(added != NULL);
+	}
+
+static void cleanup1(ADDED_OBJ *a)
+	{
+	a->obj->nid=0;
+	a->obj->flags|=ASN1_OBJECT_FLAG_DYNAMIC|
+	                ASN1_OBJECT_FLAG_DYNAMIC_STRINGS|
+			ASN1_OBJECT_FLAG_DYNAMIC_DATA;
+	}
+
+static void cleanup2(ADDED_OBJ *a)
+	{ a->obj->nid++; }
+
+static void cleanup3(ADDED_OBJ *a)
+	{
+	if (--a->obj->nid == 0)
+		ASN1_OBJECT_free(a->obj);
+	Free(a);
+	}
+
+void OBJ_cleanup(void)
+	{
+	if (added == NULL) return;
+	added->down_load=0;
+	lh_doall(added,cleanup1); /* zero counters */
+	lh_doall(added,cleanup2); /* set counters */
+	lh_doall(added,cleanup3); /* free objects */
+	lh_free(added);
+	added=NULL;
+	}
+
+int OBJ_new_nid(int num)
+	{
+	int i;
+
+	i=new_nid;
+	new_nid+=num;
+	return(i);
+	}
+
+int OBJ_add_object(ASN1_OBJECT *obj)
+	{
+	ASN1_OBJECT *o;
+	ADDED_OBJ *ao[4]={NULL,NULL,NULL,NULL},*aop;
+	int i;
+
+	if (added == NULL)
+		if (!init_added()) return(0);
+	if ((o=OBJ_dup(obj)) == NULL) goto err;
+	ao[ADDED_NID]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
+	if ((o->length != 0) && (obj->data != NULL))
+		ao[ADDED_DATA]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
+	if (o->sn != NULL)
+		ao[ADDED_SNAME]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
+	if (o->ln != NULL)
+		ao[ADDED_LNAME]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
+
+	for (i=ADDED_DATA; i<=ADDED_NID; i++)
+		{
+		if (ao[i] != NULL)
+			{
+			ao[i]->type=i;
+			ao[i]->obj=o;
+			aop=(ADDED_OBJ *)lh_insert(added,ao[i]);
+			/* memory leak, buit should not normally matter */
+			if (aop != NULL)
+				Free(aop);
+			}
+		}
+	o->flags&= ~(ASN1_OBJECT_FLAG_DYNAMIC|ASN1_OBJECT_FLAG_DYNAMIC_STRINGS|
+			ASN1_OBJECT_FLAG_DYNAMIC_DATA);
+
+	return(o->nid);
+err:
+	for (i=ADDED_DATA; i<=ADDED_NID; i++)
+		if (ao[i] != NULL) Free(ao[i]);
+	if (o != NULL) Free(o);
+	return(NID_undef);
+	}
+
+ASN1_OBJECT *OBJ_nid2obj(int n)
+	{
+	ADDED_OBJ ad,*adp;
+	ASN1_OBJECT ob;
+
+	if ((n >= 0) && (n < NUM_NID))
+		{
+		if ((n != NID_undef) && (nid_objs[n].nid == NID_undef))
+			{
+			OBJerr(OBJ_F_OBJ_NID2OBJ,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		return((ASN1_OBJECT *)&(nid_objs[n]));
+		}
+	else if (added == NULL)
+		return(NULL);
+	else
+		{
+		ad.type=ADDED_NID;
+		ad.obj= &ob;
+		ob.nid=n;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL)
+			return(adp->obj);
+		else
+			{
+			OBJerr(OBJ_F_OBJ_NID2OBJ,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		}
+	}
+
+const char *OBJ_nid2sn(int n)
+	{
+	ADDED_OBJ ad,*adp;
+	ASN1_OBJECT ob;
+
+	if ((n >= 0) && (n < NUM_NID))
+		{
+		if ((n != NID_undef) && (nid_objs[n].nid == NID_undef))
+			{
+			OBJerr(OBJ_F_OBJ_NID2SN,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		return(nid_objs[n].sn);
+		}
+	else if (added == NULL)
+		return(NULL);
+	else
+		{
+		ad.type=ADDED_NID;
+		ad.obj= &ob;
+		ob.nid=n;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL)
+			return(adp->obj->sn);
+		else
+			{
+			OBJerr(OBJ_F_OBJ_NID2SN,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		}
+	}
+
+const char *OBJ_nid2ln(int n)
+	{
+	ADDED_OBJ ad,*adp;
+	ASN1_OBJECT ob;
+
+	if ((n >= 0) && (n < NUM_NID))
+		{
+		if ((n != NID_undef) && (nid_objs[n].nid == NID_undef))
+			{
+			OBJerr(OBJ_F_OBJ_NID2LN,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		return(nid_objs[n].ln);
+		}
+	else if (added == NULL)
+		return(NULL);
+	else
+		{
+		ad.type=ADDED_NID;
+		ad.obj= &ob;
+		ob.nid=n;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL)
+			return(adp->obj->ln);
+		else
+			{
+			OBJerr(OBJ_F_OBJ_NID2LN,OBJ_R_UNKNOWN_NID);
+			return(NULL);
+			}
+		}
+	}
+
+int OBJ_obj2nid(ASN1_OBJECT *a)
+	{
+	ASN1_OBJECT **op;
+	ADDED_OBJ ad,*adp;
+
+	if (a == NULL)
+		return(NID_undef);
+	if (a->nid != 0)
+		return(a->nid);
+
+	if (added != NULL)
+		{
+		ad.type=ADDED_DATA;
+		ad.obj=a;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL) return (adp->obj->nid);
+		}
+	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&a,(char *)obj_objs,NUM_OBJ,
+		sizeof(ASN1_OBJECT *),(int (*)())obj_cmp);
+	if (op == NULL)
+		return(NID_undef);
+	return((*op)->nid);
+	}
+
+/* Convert an object name into an ASN1_OBJECT
+ * if "noname" is not set then search for short and long names first.
+ * This will convert the "dotted" form into an object: unlike OBJ_txt2nid
+ * it can be used with any objects, not just registered ones.
+ */
+
+ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
+	{
+	int nid = NID_undef;
+	ASN1_OBJECT *op=NULL;
+	unsigned char *buf,*p;
+	int i, j;
+
+	if(!no_name) {
+		if( ((nid = OBJ_sn2nid(s)) != NID_undef) ||
+			((nid = OBJ_ln2nid(s)) != NID_undef) ) 
+					return OBJ_nid2obj(nid);
+	}
+
+	/* Work out size of content octets */
+	i=a2d_ASN1_OBJECT(NULL,0,s,-1);
+	if (i <= 0) {
+		/* Clear the error */
+		ERR_get_error();
+		return NULL;
+	}
+	/* Work out total size */
+	j = ASN1_object_size(0,i,V_ASN1_OBJECT);
+
+	if((buf=(unsigned char *)Malloc(j)) == NULL) return NULL;
+
+	p = buf;
+	/* Write out tag+length */
+	ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
+	/* Write out contents */
+	a2d_ASN1_OBJECT(p,i,s,-1);
+	
+	p=buf;
+	op=d2i_ASN1_OBJECT(NULL,&p,i);
+	Free(buf);
+	return op;
+	}
+
+int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name)
+{
+	int i,idx=0,n=0,len,nid;
+	unsigned long l;
+	unsigned char *p;
+	const char *s;
+	char tbuf[32];
+
+	if (buf_len <= 0) return(0);
+
+	if ((a == NULL) || (a->data == NULL)) {
+		buf[0]='\0';
+		return(0);
+	}
+
+	nid=OBJ_obj2nid(a);
+	if ((nid == NID_undef) || no_name) {
+		len=a->length;
+		p=a->data;
+
+		idx=0;
+		l=0;
+		while (idx < a->length) {
+			l|=(p[idx]&0x7f);
+			if (!(p[idx] & 0x80)) break;
+			l<<=7L;
+			idx++;
+		}
+		idx++;
+		i=(int)(l/40);
+		if (i > 2) i=2;
+		l-=(long)(i*40);
+
+		sprintf(tbuf,"%d.%lu",i,l);
+		i=strlen(tbuf);
+		strncpy(buf,tbuf,buf_len);
+		buf_len-=i;
+		buf+=i;
+		n+=i;
+
+		l=0;
+		for (; idx<len; idx++) {
+			l|=p[idx]&0x7f;
+			if (!(p[idx] & 0x80)) {
+				sprintf(tbuf,".%lu",l);
+				i=strlen(tbuf);
+				if (buf_len > 0)
+					strncpy(buf,tbuf,buf_len);
+				buf_len-=i;
+				buf+=i;
+				n+=i;
+				l=0;
+			}
+			l<<=7L;
+		}
+	} else {
+		s=OBJ_nid2ln(nid);
+		if (s == NULL)
+			s=OBJ_nid2sn(nid);
+		strncpy(buf,s,buf_len);
+		n=strlen(s);
+	}
+	buf[buf_len-1]='\0';
+	return(n);
+}
+
+int OBJ_txt2nid(char *s)
+{
+	ASN1_OBJECT *obj;
+	int nid;
+	obj = OBJ_txt2obj(s, 0);
+	nid = OBJ_obj2nid(obj);
+	ASN1_OBJECT_free(obj);
+	return nid;
+}
+
+int OBJ_ln2nid(const char *s)
+	{
+	ASN1_OBJECT o,*oo= &o,**op;
+	ADDED_OBJ ad,*adp;
+
+	o.ln=s;
+	if (added != NULL)
+		{
+		ad.type=ADDED_LNAME;
+		ad.obj= &o;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL) return (adp->obj->nid);
+		}
+	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs,NUM_LN,
+		sizeof(ASN1_OBJECT *),(int (*)())ln_cmp);
+	if (op == NULL) return(NID_undef);
+	return((*op)->nid);
+	}
+
+int OBJ_sn2nid(const char *s)
+	{
+	ASN1_OBJECT o,*oo= &o,**op;
+	ADDED_OBJ ad,*adp;
+
+	o.sn=s;
+	if (added != NULL)
+		{
+		ad.type=ADDED_SNAME;
+		ad.obj= &o;
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
+		if (adp != NULL) return (adp->obj->nid);
+		}
+	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)sn_objs,NUM_SN,
+		sizeof(ASN1_OBJECT *),(int (*)())sn_cmp);
+	if (op == NULL) return(NID_undef);
+	return((*op)->nid);
+	}
+
+static int obj_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
+	{
+	int j;
+	ASN1_OBJECT *a= *ap;
+	ASN1_OBJECT *b= *bp;
+
+	j=(a->length - b->length);
+        if (j) return(j);
+	return(memcmp(a->data,b->data,a->length));
+        }
+
+char *OBJ_bsearch(char *key, char *base, int num, int size, int (*cmp)())
+	{
+	int l,h,i,c;
+	char *p;
+
+	if (num == 0) return(NULL);
+	l=0;
+	h=num;
+	while (l < h)
+		{
+		i=(l+h)/2;
+		p= &(base[i*size]);
+		c=(*cmp)(key,p);
+		if (c < 0)
+			h=i;
+		else if (c > 0)
+			l=i+1;
+		else
+			return(p);
+		}
+#ifdef CHARSET_EBCDIC
+/* THIS IS A KLUDGE - Because the *_obj is sorted in ASCII order, and
+ * I don't have perl (yet), we revert to a *LINEAR* search
+ * when the object wasn't found in the binary search.
+ */
+	for (i=0; i<num; ++i) {
+		p= &(base[i*size]);
+		if ((*cmp)(key,p) == 0)
+			return p;
+	}
+#endif
+	return(NULL);
+	}
+
+int OBJ_create_objects(BIO *in)
+	{
+	MS_STATIC char buf[512];
+	int i,num=0;
+	char *o,*s,*l=NULL;
+
+	for (;;)
+		{
+		s=o=NULL;
+		i=BIO_gets(in,buf,512);
+		if (i <= 0) return(num);
+		buf[i-1]='\0';
+		if (!isalnum((unsigned char)buf[0])) return(num);
+		o=s=buf;
+		while (isdigit((unsigned char)*s) || (*s == '.'))
+			s++;
+		if (*s != '\0')
+			{
+			*(s++)='\0';
+			while (isspace((unsigned char)*s))
+				s++;
+			if (*s == '\0')
+				s=NULL;
+			else
+				{
+				l=s;
+				while ((*l != '\0') && !isspace((unsigned char)*l))
+					l++;
+				if (*l != '\0')
+					{
+					*(l++)='\0';
+					while (isspace((unsigned char)*l))
+						l++;
+					if (*l == '\0') l=NULL;
+					}
+				else
+					l=NULL;
+				}
+			}
+		else
+			s=NULL;
+		if ((o == NULL) || (*o == '\0')) return(num);
+		if (!OBJ_create(o,s,l)) return(num);
+		num++;
+		}
+	/* return(num); */
+	}
+
+int OBJ_create(char *oid, char *sn, char *ln)
+	{
+	int ok=0;
+	ASN1_OBJECT *op=NULL;
+	unsigned char *buf;
+	int i;
+
+	i=a2d_ASN1_OBJECT(NULL,0,oid,-1);
+	if (i <= 0) return(0);
+
+	if ((buf=(unsigned char *)Malloc(i)) == NULL)
+		{
+		OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE);
+		return(0);
+		}
+	i=a2d_ASN1_OBJECT(buf,i,oid,-1);
+	op=(ASN1_OBJECT *)ASN1_OBJECT_create(OBJ_new_nid(1),buf,i,sn,ln);
+	if (op == NULL) 
+		goto err;
+	ok=OBJ_add_object(op);
+err:
+	ASN1_OBJECT_free(op);
+	Free(buf);
+	return(ok);
+	}
+
diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h
new file mode 100644
index 0000000..d03460f
--- /dev/null
+++ b/crypto/openssl/crypto/objects/obj_dat.h
@@ -0,0 +1,956 @@
+/* lib/obj/obj_dat.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
+ * following command:
+ * perl obj_dat.pl objects.h obj_dat.h
+ */
+
+#define NUM_NID 181
+#define NUM_SN 141
+#define NUM_LN 175
+#define NUM_OBJ 154
+
+static unsigned char lvalues[1085]={
+0x00,                                        /* [  0] OBJ_undef */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 14] OBJ_md2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,     /* [ 22] OBJ_md5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,     /* [ 30] OBJ_rc4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,/* [ 38] OBJ_rsaEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,/* [ 47] OBJ_md2WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,/* [ 56] OBJ_md5WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,/* [ 65] OBJ_pbeWithMD2AndDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,/* [ 74] OBJ_pbeWithMD5AndDES_CBC */
+0x55,                                        /* [ 83] OBJ_X500 */
+0x55,0x04,                                   /* [ 84] OBJ_X509 */
+0x55,0x04,0x03,                              /* [ 86] OBJ_commonName */
+0x55,0x04,0x06,                              /* [ 89] OBJ_countryName */
+0x55,0x04,0x07,                              /* [ 92] OBJ_localityName */
+0x55,0x04,0x08,                              /* [ 95] OBJ_stateOrProvinceName */
+0x55,0x04,0x0A,                              /* [ 98] OBJ_organizationName */
+0x55,0x04,0x0B,                              /* [101] OBJ_organizationalUnitName */
+0x55,0x08,0x01,0x01,                         /* [104] OBJ_rsa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,     /* [108] OBJ_pkcs7 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,/* [116] OBJ_pkcs7_data */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,/* [125] OBJ_pkcs7_signed */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,/* [134] OBJ_pkcs7_enveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,/* [143] OBJ_pkcs7_signedAndEnveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,/* [152] OBJ_pkcs7_digest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,/* [161] OBJ_pkcs7_encrypted */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,     /* [170] OBJ_pkcs3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,/* [178] OBJ_dhKeyAgreement */
+0x2B,0x0E,0x03,0x02,0x06,                    /* [187] OBJ_des_ecb */
+0x2B,0x0E,0x03,0x02,0x09,                    /* [192] OBJ_des_cfb64 */
+0x2B,0x0E,0x03,0x02,0x07,                    /* [197] OBJ_des_cbc */
+0x2B,0x0E,0x03,0x02,0x11,                    /* [202] OBJ_des_ede */
+0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [207] OBJ_idea_cbc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,     /* [218] OBJ_rc2_cbc */
+0x2B,0x0E,0x03,0x02,0x12,                    /* [226] OBJ_sha */
+0x2B,0x0E,0x03,0x02,0x0F,                    /* [231] OBJ_shaWithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,     /* [236] OBJ_des_ede3_cbc */
+0x2B,0x0E,0x03,0x02,0x08,                    /* [244] OBJ_des_ofb64 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,     /* [249] OBJ_pkcs9 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,/* [257] OBJ_pkcs9_emailAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,/* [266] OBJ_pkcs9_unstructuredName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,/* [275] OBJ_pkcs9_contentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,/* [284] OBJ_pkcs9_messageDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,/* [293] OBJ_pkcs9_signingTime */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,/* [302] OBJ_pkcs9_countersignature */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,/* [311] OBJ_pkcs9_challengePassword */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,/* [320] OBJ_pkcs9_unstructuredAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,/* [329] OBJ_pkcs9_extCertAttributes */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,          /* [338] OBJ_netscape */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,     /* [345] OBJ_netscape_cert_extension */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,     /* [353] OBJ_netscape_data_type */
+0x2B,0x0E,0x03,0x02,0x1A,                    /* [361] OBJ_sha1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,/* [366] OBJ_sha1WithRSAEncryption */
+0x2B,0x0E,0x03,0x02,0x0D,                    /* [375] OBJ_dsaWithSHA */
+0x2B,0x0E,0x03,0x02,0x0C,                    /* [380] OBJ_dsa_2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,/* [385] OBJ_pbeWithSHA1AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,/* [394] OBJ_id_pbkdf2 */
+0x2B,0x0E,0x03,0x02,0x1B,                    /* [403] OBJ_dsaWithSHA1_2 */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,/* [408] OBJ_netscape_cert_type */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,/* [417] OBJ_netscape_base_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,/* [426] OBJ_netscape_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,/* [435] OBJ_netscape_ca_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,/* [444] OBJ_netscape_renewal_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,/* [453] OBJ_netscape_ca_policy_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,/* [462] OBJ_netscape_ssl_server_name */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,/* [471] OBJ_netscape_comment */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,/* [480] OBJ_netscape_cert_sequence */
+0x55,0x1D,                                   /* [489] OBJ_ld_ce */
+0x55,0x1D,0x0E,                              /* [491] OBJ_subject_key_identifier */
+0x55,0x1D,0x0F,                              /* [494] OBJ_key_usage */
+0x55,0x1D,0x10,                              /* [497] OBJ_private_key_usage_period */
+0x55,0x1D,0x11,                              /* [500] OBJ_subject_alt_name */
+0x55,0x1D,0x12,                              /* [503] OBJ_issuer_alt_name */
+0x55,0x1D,0x13,                              /* [506] OBJ_basic_constraints */
+0x55,0x1D,0x14,                              /* [509] OBJ_crl_number */
+0x55,0x1D,0x20,                              /* [512] OBJ_certificate_policies */
+0x55,0x1D,0x23,                              /* [515] OBJ_authority_key_identifier */
+0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,/* [518] OBJ_bf_cbc */
+0x55,0x08,0x03,0x65,                         /* [527] OBJ_mdc2 */
+0x55,0x08,0x03,0x64,                         /* [531] OBJ_mdc2WithRSA */
+0x55,0x04,0x2A,                              /* [535] OBJ_givenName */
+0x55,0x04,0x04,                              /* [538] OBJ_surname */
+0x55,0x04,0x2B,                              /* [541] OBJ_initials */
+0x55,0x04,0x2D,                              /* [544] OBJ_uniqueIdentifier */
+0x55,0x1D,0x1F,                              /* [547] OBJ_crl_distribution_points */
+0x2B,0x0E,0x03,0x02,0x03,                    /* [550] OBJ_md5WithRSA */
+0x55,0x04,0x05,                              /* [555] OBJ_serialNumber */
+0x55,0x04,0x0C,                              /* [558] OBJ_title */
+0x55,0x04,0x0D,                              /* [561] OBJ_description */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,/* [564] OBJ_cast5_cbc */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,/* [573] OBJ_pbeWithMD5AndCast5_CBC */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,          /* [582] OBJ_dsaWithSHA1 */
+0x2B,0x0E,0x03,0x02,0x1D,                    /* [589] OBJ_sha1WithRSA */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,          /* [594] OBJ_dsa */
+0x2B,0x24,0x03,0x02,0x01,                    /* [601] OBJ_ripemd160 */
+0x2B,0x24,0x03,0x03,0x01,0x02,               /* [606] OBJ_ripemd160WithRSA */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,     /* [612] OBJ_rc5_cbc */
+0x29,0x01,0x01,0x85,0x1A,0x01,               /* [620] OBJ_rle_compression */
+0x29,0x01,0x01,0x85,0x1A,0x02,               /* [626] OBJ_zlib_compression */
+0x55,0x1D,0x25,                              /* [632] OBJ_ext_key_usage */
+0x2B,0x06,0x01,0x05,0x05,0x07,               /* [635] OBJ_id_pkix */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,          /* [641] OBJ_id_kp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,     /* [648] OBJ_server_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,     /* [656] OBJ_client_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,     /* [664] OBJ_code_sign */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,     /* [672] OBJ_email_protect */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,     /* [680] OBJ_time_stamp */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [688] OBJ_ms_code_ind */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [698] OBJ_ms_code_com */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [708] OBJ_ms_ctl_sign */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,/* [718] OBJ_ms_sgc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,/* [728] OBJ_ms_efs */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,/* [738] OBJ_ns_sgc */
+0x55,0x1D,0x1B,                              /* [747] OBJ_delta_crl */
+0x55,0x1D,0x15,                              /* [750] OBJ_crl_reason */
+0x55,0x1D,0x18,                              /* [753] OBJ_invalidity_date */
+0x2B,0x65,0x01,0x04,0x01,                    /* [756] OBJ_sxnet */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,/* [761] OBJ_pbe_WithSHA1And128BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,/* [771] OBJ_pbe_WithSHA1And40BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,/* [781] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,/* [791] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,/* [801] OBJ_pbe_WithSHA1And128BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,/* [811] OBJ_pbe_WithSHA1And40BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,/* [821] OBJ_keyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,/* [832] OBJ_pkcs8ShroudedKeyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,/* [843] OBJ_certBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,/* [854] OBJ_crlBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,/* [865] OBJ_secretBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,/* [876] OBJ_safeContentsBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,/* [887] OBJ_friendlyName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,/* [896] OBJ_localKeyID */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,/* [905] OBJ_x509Certificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,/* [915] OBJ_sdsiCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,/* [925] OBJ_x509Crl */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,/* [935] OBJ_pbes2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,/* [944] OBJ_pbmac1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,     /* [953] OBJ_hmacWithSHA1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,     /* [961] OBJ_id_qt_cps */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,     /* [969] OBJ_id_qt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,/* [977] OBJ_SMIMECapabilities */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,/* [986] OBJ_pbeWithMD2AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,/* [995] OBJ_pbeWithMD5AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,/* [1004] OBJ_pbeWithSHA1AndDES_CBC */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,/* [1013] OBJ_ms_ext_req */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,/* [1023] OBJ_ext_req */
+0x55,0x04,0x29,                              /* [1032] OBJ_name */
+0x55,0x04,0x2E,                              /* [1035] OBJ_dnQualifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,          /* [1038] OBJ_id_pe */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,          /* [1045] OBJ_id_ad */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,     /* [1052] OBJ_info_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,     /* [1060] OBJ_ad_OCSP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,     /* [1068] OBJ_ad_ca_issuers */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,     /* [1076] OBJ_OCSP_sign */
+};
+
+static ASN1_OBJECT nid_objs[NUM_NID]={
+{"UNDEF","undefined",NID_undef,1,&(lvalues[0]),0},
+{"rsadsi","rsadsi",NID_rsadsi,6,&(lvalues[1]),0},
+{"pkcs","pkcs",NID_pkcs,7,&(lvalues[7]),0},
+{"MD2","md2",NID_md2,8,&(lvalues[14]),0},
+{"MD5","md5",NID_md5,8,&(lvalues[22]),0},
+{"RC4","rc4",NID_rc4,8,&(lvalues[30]),0},
+{"rsaEncryption","rsaEncryption",NID_rsaEncryption,9,&(lvalues[38]),0},
+{"RSA-MD2","md2WithRSAEncryption",NID_md2WithRSAEncryption,9,
+	&(lvalues[47]),0},
+{"RSA-MD5","md5WithRSAEncryption",NID_md5WithRSAEncryption,9,
+	&(lvalues[56]),0},
+{"PBE-MD2-DES","pbeWithMD2AndDES-CBC",NID_pbeWithMD2AndDES_CBC,9,
+	&(lvalues[65]),0},
+{"PBE-MD5-DES","pbeWithMD5AndDES-CBC",NID_pbeWithMD5AndDES_CBC,9,
+	&(lvalues[74]),0},
+{"X500","X500",NID_X500,1,&(lvalues[83]),0},
+{"X509","X509",NID_X509,2,&(lvalues[84]),0},
+{"CN","commonName",NID_commonName,3,&(lvalues[86]),0},
+{"C","countryName",NID_countryName,3,&(lvalues[89]),0},
+{"L","localityName",NID_localityName,3,&(lvalues[92]),0},
+{"ST","stateOrProvinceName",NID_stateOrProvinceName,3,&(lvalues[95]),0},
+{"O","organizationName",NID_organizationName,3,&(lvalues[98]),0},
+{"OU","organizationalUnitName",NID_organizationalUnitName,3,
+	&(lvalues[101]),0},
+{"RSA","rsa",NID_rsa,4,&(lvalues[104]),0},
+{"pkcs7","pkcs7",NID_pkcs7,8,&(lvalues[108]),0},
+{"pkcs7-data","pkcs7-data",NID_pkcs7_data,9,&(lvalues[116]),0},
+{"pkcs7-signedData","pkcs7-signedData",NID_pkcs7_signed,9,
+	&(lvalues[125]),0},
+{"pkcs7-envelopedData","pkcs7-envelopedData",NID_pkcs7_enveloped,9,
+	&(lvalues[134]),0},
+{"pkcs7-signedAndEnvelopedData","pkcs7-signedAndEnvelopedData",
+	NID_pkcs7_signedAndEnveloped,9,&(lvalues[143]),0},
+{"pkcs7-digestData","pkcs7-digestData",NID_pkcs7_digest,9,
+	&(lvalues[152]),0},
+{"pkcs7-encryptedData","pkcs7-encryptedData",NID_pkcs7_encrypted,9,
+	&(lvalues[161]),0},
+{"pkcs3","pkcs3",NID_pkcs3,8,&(lvalues[170]),0},
+{"dhKeyAgreement","dhKeyAgreement",NID_dhKeyAgreement,9,
+	&(lvalues[178]),0},
+{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[187]),0},
+{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
+{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
+{"DES-EDE","des-ede",NID_des_ede,5,&(lvalues[202]),0},
+{"DES-EDE3","des-ede3",NID_des_ede3,0,NULL},
+{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
+{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL},
+{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL},
+{"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[218]),0},
+{"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL},
+{"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL},
+{"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL},
+{"SHA","sha",NID_sha,5,&(lvalues[226]),0},
+{"RSA-SHA","shaWithRSAEncryption",NID_shaWithRSAEncryption,5,
+	&(lvalues[231]),0},
+{"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL},
+{"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[236]),0},
+{"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[244]),0},
+{"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL},
+{"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[249]),0},
+{"Email","emailAddress",NID_pkcs9_emailAddress,9,&(lvalues[257]),0},
+{"unstructuredName","unstructuredName",NID_pkcs9_unstructuredName,9,
+	&(lvalues[266]),0},
+{"contentType","contentType",NID_pkcs9_contentType,9,&(lvalues[275]),0},
+{"messageDigest","messageDigest",NID_pkcs9_messageDigest,9,
+	&(lvalues[284]),0},
+{"signingTime","signingTime",NID_pkcs9_signingTime,9,&(lvalues[293]),0},
+{"countersignature","countersignature",NID_pkcs9_countersignature,9,
+	&(lvalues[302]),0},
+{"challengePassword","challengePassword",NID_pkcs9_challengePassword,
+	9,&(lvalues[311]),0},
+{"unstructuredAddress","unstructuredAddress",
+	NID_pkcs9_unstructuredAddress,9,&(lvalues[320]),0},
+{"extendedCertificateAttributes","extendedCertificateAttributes",
+	NID_pkcs9_extCertAttributes,9,&(lvalues[329]),0},
+{"Netscape","Netscape Communications Corp.",NID_netscape,7,
+	&(lvalues[338]),0},
+{"nsCertExt","Netscape Certificate Extension",
+	NID_netscape_cert_extension,8,&(lvalues[345]),0},
+{"nsDataType","Netscape Data Type",NID_netscape_data_type,8,
+	&(lvalues[353]),0},
+{"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL},
+{"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL},
+{"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL},
+{"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL},
+{"SHA1","sha1",NID_sha1,5,&(lvalues[361]),0},
+{"RSA-SHA1","sha1WithRSAEncryption",NID_sha1WithRSAEncryption,9,
+	&(lvalues[366]),0},
+{"DSA-SHA","dsaWithSHA",NID_dsaWithSHA,5,&(lvalues[375]),0},
+{"DSA-old","dsaEncryption-old",NID_dsa_2,5,&(lvalues[380]),0},
+{"PBE-SHA1-RC2-64","pbeWithSHA1AndRC2-CBC",NID_pbeWithSHA1AndRC2_CBC,
+	9,&(lvalues[385]),0},
+{"PBKDF2","PBKDF2",NID_id_pbkdf2,9,&(lvalues[394]),0},
+{"DSA-SHA1-old","dsaWithSHA1-old",NID_dsaWithSHA1_2,5,&(lvalues[403]),0},
+{"nsCertType","Netscape Cert Type",NID_netscape_cert_type,9,
+	&(lvalues[408]),0},
+{"nsBaseUrl","Netscape Base Url",NID_netscape_base_url,9,
+	&(lvalues[417]),0},
+{"nsRevocationUrl","Netscape Revocation Url",
+	NID_netscape_revocation_url,9,&(lvalues[426]),0},
+{"nsCaRevocationUrl","Netscape CA Revocation Url",
+	NID_netscape_ca_revocation_url,9,&(lvalues[435]),0},
+{"nsRenewalUrl","Netscape Renewal Url",NID_netscape_renewal_url,9,
+	&(lvalues[444]),0},
+{"nsCaPolicyUrl","Netscape CA Policy Url",NID_netscape_ca_policy_url,
+	9,&(lvalues[453]),0},
+{"nsSslServerName","Netscape SSL Server Name",
+	NID_netscape_ssl_server_name,9,&(lvalues[462]),0},
+{"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[471]),0},
+{"nsCertSequence","Netscape Certificate Sequence",
+	NID_netscape_cert_sequence,9,&(lvalues[480]),0},
+{"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL},
+{"ld-ce","ld-ce",NID_ld_ce,2,&(lvalues[489]),0},
+{"subjectKeyIdentifier","X509v3 Subject Key Identifier",
+	NID_subject_key_identifier,3,&(lvalues[491]),0},
+{"keyUsage","X509v3 Key Usage",NID_key_usage,3,&(lvalues[494]),0},
+{"privateKeyUsagePeriod","X509v3 Private Key Usage Period",
+	NID_private_key_usage_period,3,&(lvalues[497]),0},
+{"subjectAltName","X509v3 Subject Alternative Name",
+	NID_subject_alt_name,3,&(lvalues[500]),0},
+{"issuerAltName","X509v3 Issuer Alternative Name",NID_issuer_alt_name,
+	3,&(lvalues[503]),0},
+{"basicConstraints","X509v3 Basic Constraints",NID_basic_constraints,
+	3,&(lvalues[506]),0},
+{"crlNumber","X509v3 CRL Number",NID_crl_number,3,&(lvalues[509]),0},
+{"certificatePolicies","X509v3 Certificate Policies",
+	NID_certificate_policies,3,&(lvalues[512]),0},
+{"authorityKeyIdentifier","X509v3 Authority Key Identifier",
+	NID_authority_key_identifier,3,&(lvalues[515]),0},
+{"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[518]),0},
+{"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL},
+{"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL},
+{"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL},
+{"MDC2","mdc2",NID_mdc2,4,&(lvalues[527]),0},
+{"RSA-MDC2","mdc2withRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0},
+{"RC4-40","rc4-40",NID_rc4_40,0,NULL},
+{"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL},
+{"G","givenName",NID_givenName,3,&(lvalues[535]),0},
+{"S","surname",NID_surname,3,&(lvalues[538]),0},
+{"I","initials",NID_initials,3,&(lvalues[541]),0},
+{"UID","uniqueIdentifier",NID_uniqueIdentifier,3,&(lvalues[544]),0},
+{"crlDistributionPoints","X509v3 CRL Distribution Points",
+	NID_crl_distribution_points,3,&(lvalues[547]),0},
+{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[550]),0},
+{"SN","serialNumber",NID_serialNumber,3,&(lvalues[555]),0},
+{"T","title",NID_title,3,&(lvalues[558]),0},
+{"D","description",NID_description,3,&(lvalues[561]),0},
+{"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[564]),0},
+{"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL},
+{"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL},
+{"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL},
+{"pbeWithMD5AndCast5CBC","pbeWithMD5AndCast5CBC",
+	NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[573]),0},
+{"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[582]),0},
+{"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL},
+{"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[589]),0},
+{"DSA","dsaEncryption",NID_dsa,7,&(lvalues[594]),0},
+{"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[601]),0},
+{NULL,NULL,NID_undef,0,NULL},
+{"RSA-RIPEMD160","ripemd160WithRSA",NID_ripemd160WithRSA,6,
+	&(lvalues[606]),0},
+{"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[612]),0},
+{"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL},
+{"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL},
+{"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL},
+{"RLE","run length compression",NID_rle_compression,6,&(lvalues[620]),0},
+{"ZLIB","zlib compression",NID_zlib_compression,6,&(lvalues[626]),0},
+{"extendedKeyUsage","X509v3 Extended Key Usage",NID_ext_key_usage,3,
+	&(lvalues[632]),0},
+{"PKIX","PKIX",NID_id_pkix,6,&(lvalues[635]),0},
+{"id-kp","id-kp",NID_id_kp,7,&(lvalues[641]),0},
+{"serverAuth","TLS Web Server Authentication",NID_server_auth,8,
+	&(lvalues[648]),0},
+{"clientAuth","TLS Web Client Authentication",NID_client_auth,8,
+	&(lvalues[656]),0},
+{"codeSigning","Code Signing",NID_code_sign,8,&(lvalues[664]),0},
+{"emailProtection","E-mail Protection",NID_email_protect,8,
+	&(lvalues[672]),0},
+{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[680]),0},
+{"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10,
+	&(lvalues[688]),0},
+{"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10,
+	&(lvalues[698]),0},
+{"msCTLSign","Microsoft Trust List Signing",NID_ms_ctl_sign,10,
+	&(lvalues[708]),0},
+{"msSGC","Microsoft Server Gated Crypto",NID_ms_sgc,10,&(lvalues[718]),0},
+{"msEFS","Microsoft Encrypted File System",NID_ms_efs,10,
+	&(lvalues[728]),0},
+{"nsSGC","Netscape Server Gated Crypto",NID_ns_sgc,9,&(lvalues[738]),0},
+{"deltaCRL","X509v3 Delta CRL Indicator",NID_delta_crl,3,
+	&(lvalues[747]),0},
+{"CRLReason","CRL Reason Code",NID_crl_reason,3,&(lvalues[750]),0},
+{"invalidityDate","Invalidity Date",NID_invalidity_date,3,
+	&(lvalues[753]),0},
+{"SXNetID","Strong Extranet ID",NID_sxnet,5,&(lvalues[756]),0},
+{"PBE-SHA1-RC4-128","pbeWithSHA1And128BitRC4",
+	NID_pbe_WithSHA1And128BitRC4,10,&(lvalues[761]),0},
+{"PBE-SHA1-RC4-40","pbeWithSHA1And40BitRC4",
+	NID_pbe_WithSHA1And40BitRC4,10,&(lvalues[771]),0},
+{"PBE-SHA1-3DES","pbeWithSHA1And3-KeyTripleDES-CBC",
+	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,10,&(lvalues[781]),0},
+{"PBE-SHA1-2DES","pbeWithSHA1And2-KeyTripleDES-CBC",
+	NID_pbe_WithSHA1And2_Key_TripleDES_CBC,10,&(lvalues[791]),0},
+{"PBE-SHA1-RC2-128","pbeWithSHA1And128BitRC2-CBC",
+	NID_pbe_WithSHA1And128BitRC2_CBC,10,&(lvalues[801]),0},
+{"PBE-SHA1-RC2-40","pbeWithSHA1And40BitRC2-CBC",
+	NID_pbe_WithSHA1And40BitRC2_CBC,10,&(lvalues[811]),0},
+{"keyBag","keyBag",NID_keyBag,11,&(lvalues[821]),0},
+{"pkcs8ShroudedKeyBag","pkcs8ShroudedKeyBag",NID_pkcs8ShroudedKeyBag,
+	11,&(lvalues[832]),0},
+{"certBag","certBag",NID_certBag,11,&(lvalues[843]),0},
+{"crlBag","crlBag",NID_crlBag,11,&(lvalues[854]),0},
+{"secretBag","secretBag",NID_secretBag,11,&(lvalues[865]),0},
+{"safeContentsBag","safeContentsBag",NID_safeContentsBag,11,
+	&(lvalues[876]),0},
+{"friendlyName","friendlyName",NID_friendlyName,9,&(lvalues[887]),0},
+{"localKeyID","localKeyID",NID_localKeyID,9,&(lvalues[896]),0},
+{"x509Certificate","x509Certificate",NID_x509Certificate,10,
+	&(lvalues[905]),0},
+{"sdsiCertificate","sdsiCertificate",NID_sdsiCertificate,10,
+	&(lvalues[915]),0},
+{"x509Crl","x509Crl",NID_x509Crl,10,&(lvalues[925]),0},
+{"PBES2","PBES2",NID_pbes2,9,&(lvalues[935]),0},
+{"PBMAC1","PBMAC1",NID_pbmac1,9,&(lvalues[944]),0},
+{"hmacWithSHA1","hmacWithSHA1",NID_hmacWithSHA1,8,&(lvalues[953]),0},
+{"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[961]),0},
+{"id-qt-unotice","Policy Qualifier User Notice",NID_id_qt_unotice,8,
+	&(lvalues[969]),0},
+{"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL},
+{"SMIME-CAPS","S/MIME Capabilities",NID_SMIMECapabilities,9,
+	&(lvalues[977]),0},
+{"PBE-MD2-RC2-64","pbeWithMD2AndRC2-CBC",NID_pbeWithMD2AndRC2_CBC,9,
+	&(lvalues[986]),0},
+{"PBE-MD5-RC2-64","pbeWithMD5AndRC2-CBC",NID_pbeWithMD5AndRC2_CBC,9,
+	&(lvalues[995]),0},
+{"PBE-SHA1-DES","pbeWithSHA1AndDES-CBC",NID_pbeWithSHA1AndDES_CBC,9,
+	&(lvalues[1004]),0},
+{"msExtReq","Microsoft Extension Request",NID_ms_ext_req,10,
+	&(lvalues[1013]),0},
+{"extReq","Extension Request",NID_ext_req,9,&(lvalues[1023]),0},
+{"name","name",NID_name,3,&(lvalues[1032]),0},
+{"dnQualifier","dnQualifier",NID_dnQualifier,3,&(lvalues[1035]),0},
+{"id-pe","id-pe",NID_id_pe,7,&(lvalues[1038]),0},
+{"id-ad","id-ad",NID_id_ad,7,&(lvalues[1045]),0},
+{"authorityInfoAccess","Authority Information Access",NID_info_access,
+	8,&(lvalues[1052]),0},
+{"OCSP","OCSP",NID_ad_OCSP,8,&(lvalues[1060]),0},
+{"caIssuers","CA Issuers",NID_ad_ca_issuers,8,&(lvalues[1068]),0},
+{"OCSPSigning","OCSP Signing",NID_OCSP_sign,8,&(lvalues[1076]),0},
+};
+
+static ASN1_OBJECT *sn_objs[NUM_SN]={
+&(nid_objs[91]),/* "BF-CBC" */
+&(nid_objs[93]),/* "BF-CFB" */
+&(nid_objs[92]),/* "BF-ECB" */
+&(nid_objs[94]),/* "BF-OFB" */
+&(nid_objs[14]),/* "C" */
+&(nid_objs[108]),/* "CAST5-CBC" */
+&(nid_objs[110]),/* "CAST5-CFB" */
+&(nid_objs[109]),/* "CAST5-ECB" */
+&(nid_objs[111]),/* "CAST5-OFB" */
+&(nid_objs[13]),/* "CN" */
+&(nid_objs[141]),/* "CRLReason" */
+&(nid_objs[107]),/* "D" */
+&(nid_objs[31]),/* "DES-CBC" */
+&(nid_objs[30]),/* "DES-CFB" */
+&(nid_objs[29]),/* "DES-ECB" */
+&(nid_objs[32]),/* "DES-EDE" */
+&(nid_objs[43]),/* "DES-EDE-CBC" */
+&(nid_objs[60]),/* "DES-EDE-CFB" */
+&(nid_objs[62]),/* "DES-EDE-OFB" */
+&(nid_objs[33]),/* "DES-EDE3" */
+&(nid_objs[44]),/* "DES-EDE3-CBC" */
+&(nid_objs[61]),/* "DES-EDE3-CFB" */
+&(nid_objs[63]),/* "DES-EDE3-OFB" */
+&(nid_objs[45]),/* "DES-OFB" */
+&(nid_objs[80]),/* "DESX-CBC" */
+&(nid_objs[116]),/* "DSA" */
+&(nid_objs[66]),/* "DSA-SHA" */
+&(nid_objs[113]),/* "DSA-SHA1" */
+&(nid_objs[70]),/* "DSA-SHA1-old" */
+&(nid_objs[67]),/* "DSA-old" */
+&(nid_objs[48]),/* "Email" */
+&(nid_objs[99]),/* "G" */
+&(nid_objs[101]),/* "I" */
+&(nid_objs[34]),/* "IDEA-CBC" */
+&(nid_objs[35]),/* "IDEA-CFB" */
+&(nid_objs[36]),/* "IDEA-ECB" */
+&(nid_objs[46]),/* "IDEA-OFB" */
+&(nid_objs[15]),/* "L" */
+&(nid_objs[ 3]),/* "MD2" */
+&(nid_objs[ 4]),/* "MD5" */
+&(nid_objs[114]),/* "MD5-SHA1" */
+&(nid_objs[95]),/* "MDC2" */
+&(nid_objs[57]),/* "Netscape" */
+&(nid_objs[17]),/* "O" */
+&(nid_objs[178]),/* "OCSP" */
+&(nid_objs[180]),/* "OCSPSigning" */
+&(nid_objs[18]),/* "OU" */
+&(nid_objs[ 9]),/* "PBE-MD2-DES" */
+&(nid_objs[168]),/* "PBE-MD2-RC2-64" */
+&(nid_objs[10]),/* "PBE-MD5-DES" */
+&(nid_objs[169]),/* "PBE-MD5-RC2-64" */
+&(nid_objs[147]),/* "PBE-SHA1-2DES" */
+&(nid_objs[146]),/* "PBE-SHA1-3DES" */
+&(nid_objs[170]),/* "PBE-SHA1-DES" */
+&(nid_objs[148]),/* "PBE-SHA1-RC2-128" */
+&(nid_objs[149]),/* "PBE-SHA1-RC2-40" */
+&(nid_objs[68]),/* "PBE-SHA1-RC2-64" */
+&(nid_objs[144]),/* "PBE-SHA1-RC4-128" */
+&(nid_objs[145]),/* "PBE-SHA1-RC4-40" */
+&(nid_objs[127]),/* "PKIX" */
+&(nid_objs[98]),/* "RC2-40-CBC" */
+&(nid_objs[166]),/* "RC2-64-CBC" */
+&(nid_objs[37]),/* "RC2-CBC" */
+&(nid_objs[39]),/* "RC2-CFB" */
+&(nid_objs[38]),/* "RC2-ECB" */
+&(nid_objs[40]),/* "RC2-OFB" */
+&(nid_objs[ 5]),/* "RC4" */
+&(nid_objs[97]),/* "RC4-40" */
+&(nid_objs[120]),/* "RC5-CBC" */
+&(nid_objs[122]),/* "RC5-CFB" */
+&(nid_objs[121]),/* "RC5-ECB" */
+&(nid_objs[123]),/* "RC5-OFB" */
+&(nid_objs[117]),/* "RIPEMD160" */
+&(nid_objs[124]),/* "RLE" */
+&(nid_objs[19]),/* "RSA" */
+&(nid_objs[ 7]),/* "RSA-MD2" */
+&(nid_objs[ 8]),/* "RSA-MD5" */
+&(nid_objs[96]),/* "RSA-MDC2" */
+&(nid_objs[104]),/* "RSA-NP-MD5" */
+&(nid_objs[119]),/* "RSA-RIPEMD160" */
+&(nid_objs[42]),/* "RSA-SHA" */
+&(nid_objs[65]),/* "RSA-SHA1" */
+&(nid_objs[115]),/* "RSA-SHA1-2" */
+&(nid_objs[100]),/* "S" */
+&(nid_objs[41]),/* "SHA" */
+&(nid_objs[64]),/* "SHA1" */
+&(nid_objs[167]),/* "SMIME-CAPS" */
+&(nid_objs[105]),/* "SN" */
+&(nid_objs[16]),/* "ST" */
+&(nid_objs[143]),/* "SXNetID" */
+&(nid_objs[106]),/* "T" */
+&(nid_objs[102]),/* "UID" */
+&(nid_objs[ 0]),/* "UNDEF" */
+&(nid_objs[125]),/* "ZLIB" */
+&(nid_objs[177]),/* "authorityInfoAccess" */
+&(nid_objs[90]),/* "authorityKeyIdentifier" */
+&(nid_objs[87]),/* "basicConstraints" */
+&(nid_objs[179]),/* "caIssuers" */
+&(nid_objs[89]),/* "certificatePolicies" */
+&(nid_objs[130]),/* "clientAuth" */
+&(nid_objs[131]),/* "codeSigning" */
+&(nid_objs[103]),/* "crlDistributionPoints" */
+&(nid_objs[88]),/* "crlNumber" */
+&(nid_objs[140]),/* "deltaCRL" */
+&(nid_objs[174]),/* "dnQualifier" */
+&(nid_objs[132]),/* "emailProtection" */
+&(nid_objs[172]),/* "extReq" */
+&(nid_objs[126]),/* "extendedKeyUsage" */
+&(nid_objs[176]),/* "id-ad" */
+&(nid_objs[128]),/* "id-kp" */
+&(nid_objs[175]),/* "id-pe" */
+&(nid_objs[164]),/* "id-qt-cps" */
+&(nid_objs[165]),/* "id-qt-unotice" */
+&(nid_objs[142]),/* "invalidityDate" */
+&(nid_objs[86]),/* "issuerAltName" */
+&(nid_objs[83]),/* "keyUsage" */
+&(nid_objs[81]),/* "ld-ce" */
+&(nid_objs[136]),/* "msCTLSign" */
+&(nid_objs[135]),/* "msCodeCom" */
+&(nid_objs[134]),/* "msCodeInd" */
+&(nid_objs[138]),/* "msEFS" */
+&(nid_objs[171]),/* "msExtReq" */
+&(nid_objs[137]),/* "msSGC" */
+&(nid_objs[173]),/* "name" */
+&(nid_objs[72]),/* "nsBaseUrl" */
+&(nid_objs[76]),/* "nsCaPolicyUrl" */
+&(nid_objs[74]),/* "nsCaRevocationUrl" */
+&(nid_objs[58]),/* "nsCertExt" */
+&(nid_objs[79]),/* "nsCertSequence" */
+&(nid_objs[71]),/* "nsCertType" */
+&(nid_objs[78]),/* "nsComment" */
+&(nid_objs[59]),/* "nsDataType" */
+&(nid_objs[75]),/* "nsRenewalUrl" */
+&(nid_objs[73]),/* "nsRevocationUrl" */
+&(nid_objs[139]),/* "nsSGC" */
+&(nid_objs[77]),/* "nsSslServerName" */
+&(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[129]),/* "serverAuth" */
+&(nid_objs[85]),/* "subjectAltName" */
+&(nid_objs[82]),/* "subjectKeyIdentifier" */
+&(nid_objs[133]),/* "timeStamping" */
+};
+
+static ASN1_OBJECT *ln_objs[NUM_LN]={
+&(nid_objs[177]),/* "Authority Information Access" */
+&(nid_objs[179]),/* "CA Issuers" */
+&(nid_objs[141]),/* "CRL Reason Code" */
+&(nid_objs[131]),/* "Code Signing" */
+&(nid_objs[132]),/* "E-mail Protection" */
+&(nid_objs[172]),/* "Extension Request" */
+&(nid_objs[142]),/* "Invalidity Date" */
+&(nid_objs[135]),/* "Microsoft Commercial Code Signing" */
+&(nid_objs[138]),/* "Microsoft Encrypted File System" */
+&(nid_objs[171]),/* "Microsoft Extension Request" */
+&(nid_objs[134]),/* "Microsoft Individual Code Signing" */
+&(nid_objs[137]),/* "Microsoft Server Gated Crypto" */
+&(nid_objs[136]),/* "Microsoft Trust List Signing" */
+&(nid_objs[72]),/* "Netscape Base Url" */
+&(nid_objs[76]),/* "Netscape CA Policy Url" */
+&(nid_objs[74]),/* "Netscape CA Revocation Url" */
+&(nid_objs[71]),/* "Netscape Cert Type" */
+&(nid_objs[58]),/* "Netscape Certificate Extension" */
+&(nid_objs[79]),/* "Netscape Certificate Sequence" */
+&(nid_objs[78]),/* "Netscape Comment" */
+&(nid_objs[57]),/* "Netscape Communications Corp." */
+&(nid_objs[59]),/* "Netscape Data Type" */
+&(nid_objs[75]),/* "Netscape Renewal Url" */
+&(nid_objs[73]),/* "Netscape Revocation Url" */
+&(nid_objs[77]),/* "Netscape SSL Server Name" */
+&(nid_objs[139]),/* "Netscape Server Gated Crypto" */
+&(nid_objs[180]),/* "OCSP Signing" */
+&(nid_objs[178]),/* "OCSP" */
+&(nid_objs[161]),/* "PBES2" */
+&(nid_objs[69]),/* "PBKDF2" */
+&(nid_objs[162]),/* "PBMAC1" */
+&(nid_objs[164]),/* "Policy Qualifier CPS" */
+&(nid_objs[165]),/* "Policy Qualifier User Notice" */
+&(nid_objs[167]),/* "S/MIME Capabilities" */
+&(nid_objs[143]),/* "Strong Extranet ID" */
+&(nid_objs[130]),/* "TLS Web Client Authentication" */
+&(nid_objs[129]),/* "TLS Web Server Authentication" */
+&(nid_objs[133]),/* "Time Stamping" */
+&(nid_objs[11]),/* "X500" */
+&(nid_objs[12]),/* "X509" */
+&(nid_objs[90]),/* "X509v3 Authority Key Identifier" */
+&(nid_objs[87]),/* "X509v3 Basic Constraints" */
+&(nid_objs[103]),/* "X509v3 CRL Distribution Points" */
+&(nid_objs[88]),/* "X509v3 CRL Number" */
+&(nid_objs[89]),/* "X509v3 Certificate Policies" */
+&(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */
+&(nid_objs[126]),/* "X509v3 Extended Key Usage" */
+&(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
+&(nid_objs[83]),/* "X509v3 Key Usage" */
+&(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
+&(nid_objs[85]),/* "X509v3 Subject Alternative Name" */
+&(nid_objs[82]),/* "X509v3 Subject Key Identifier" */
+&(nid_objs[91]),/* "bf-cbc" */
+&(nid_objs[93]),/* "bf-cfb" */
+&(nid_objs[92]),/* "bf-ecb" */
+&(nid_objs[94]),/* "bf-ofb" */
+&(nid_objs[108]),/* "cast5-cbc" */
+&(nid_objs[110]),/* "cast5-cfb" */
+&(nid_objs[109]),/* "cast5-ecb" */
+&(nid_objs[111]),/* "cast5-ofb" */
+&(nid_objs[152]),/* "certBag" */
+&(nid_objs[54]),/* "challengePassword" */
+&(nid_objs[13]),/* "commonName" */
+&(nid_objs[50]),/* "contentType" */
+&(nid_objs[53]),/* "countersignature" */
+&(nid_objs[14]),/* "countryName" */
+&(nid_objs[153]),/* "crlBag" */
+&(nid_objs[31]),/* "des-cbc" */
+&(nid_objs[30]),/* "des-cfb" */
+&(nid_objs[29]),/* "des-ecb" */
+&(nid_objs[32]),/* "des-ede" */
+&(nid_objs[43]),/* "des-ede-cbc" */
+&(nid_objs[60]),/* "des-ede-cfb" */
+&(nid_objs[62]),/* "des-ede-ofb" */
+&(nid_objs[33]),/* "des-ede3" */
+&(nid_objs[44]),/* "des-ede3-cbc" */
+&(nid_objs[61]),/* "des-ede3-cfb" */
+&(nid_objs[63]),/* "des-ede3-ofb" */
+&(nid_objs[45]),/* "des-ofb" */
+&(nid_objs[107]),/* "description" */
+&(nid_objs[80]),/* "desx-cbc" */
+&(nid_objs[28]),/* "dhKeyAgreement" */
+&(nid_objs[174]),/* "dnQualifier" */
+&(nid_objs[116]),/* "dsaEncryption" */
+&(nid_objs[67]),/* "dsaEncryption-old" */
+&(nid_objs[66]),/* "dsaWithSHA" */
+&(nid_objs[113]),/* "dsaWithSHA1" */
+&(nid_objs[70]),/* "dsaWithSHA1-old" */
+&(nid_objs[48]),/* "emailAddress" */
+&(nid_objs[56]),/* "extendedCertificateAttributes" */
+&(nid_objs[156]),/* "friendlyName" */
+&(nid_objs[99]),/* "givenName" */
+&(nid_objs[163]),/* "hmacWithSHA1" */
+&(nid_objs[34]),/* "idea-cbc" */
+&(nid_objs[35]),/* "idea-cfb" */
+&(nid_objs[36]),/* "idea-ecb" */
+&(nid_objs[46]),/* "idea-ofb" */
+&(nid_objs[101]),/* "initials" */
+&(nid_objs[150]),/* "keyBag" */
+&(nid_objs[157]),/* "localKeyID" */
+&(nid_objs[15]),/* "localityName" */
+&(nid_objs[ 3]),/* "md2" */
+&(nid_objs[ 7]),/* "md2WithRSAEncryption" */
+&(nid_objs[ 4]),/* "md5" */
+&(nid_objs[114]),/* "md5-sha1" */
+&(nid_objs[104]),/* "md5WithRSA" */
+&(nid_objs[ 8]),/* "md5WithRSAEncryption" */
+&(nid_objs[95]),/* "mdc2" */
+&(nid_objs[96]),/* "mdc2withRSA" */
+&(nid_objs[51]),/* "messageDigest" */
+&(nid_objs[173]),/* "name" */
+&(nid_objs[17]),/* "organizationName" */
+&(nid_objs[18]),/* "organizationalUnitName" */
+&(nid_objs[ 9]),/* "pbeWithMD2AndDES-CBC" */
+&(nid_objs[168]),/* "pbeWithMD2AndRC2-CBC" */
+&(nid_objs[112]),/* "pbeWithMD5AndCast5CBC" */
+&(nid_objs[10]),/* "pbeWithMD5AndDES-CBC" */
+&(nid_objs[169]),/* "pbeWithMD5AndRC2-CBC" */
+&(nid_objs[148]),/* "pbeWithSHA1And128BitRC2-CBC" */
+&(nid_objs[144]),/* "pbeWithSHA1And128BitRC4" */
+&(nid_objs[147]),/* "pbeWithSHA1And2-KeyTripleDES-CBC" */
+&(nid_objs[146]),/* "pbeWithSHA1And3-KeyTripleDES-CBC" */
+&(nid_objs[149]),/* "pbeWithSHA1And40BitRC2-CBC" */
+&(nid_objs[145]),/* "pbeWithSHA1And40BitRC4" */
+&(nid_objs[170]),/* "pbeWithSHA1AndDES-CBC" */
+&(nid_objs[68]),/* "pbeWithSHA1AndRC2-CBC" */
+&(nid_objs[ 2]),/* "pkcs" */
+&(nid_objs[27]),/* "pkcs3" */
+&(nid_objs[20]),/* "pkcs7" */
+&(nid_objs[21]),/* "pkcs7-data" */
+&(nid_objs[25]),/* "pkcs7-digestData" */
+&(nid_objs[26]),/* "pkcs7-encryptedData" */
+&(nid_objs[23]),/* "pkcs7-envelopedData" */
+&(nid_objs[24]),/* "pkcs7-signedAndEnvelopedData" */
+&(nid_objs[22]),/* "pkcs7-signedData" */
+&(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
+&(nid_objs[47]),/* "pkcs9" */
+&(nid_objs[98]),/* "rc2-40-cbc" */
+&(nid_objs[166]),/* "rc2-64-cbc" */
+&(nid_objs[37]),/* "rc2-cbc" */
+&(nid_objs[39]),/* "rc2-cfb" */
+&(nid_objs[38]),/* "rc2-ecb" */
+&(nid_objs[40]),/* "rc2-ofb" */
+&(nid_objs[ 5]),/* "rc4" */
+&(nid_objs[97]),/* "rc4-40" */
+&(nid_objs[120]),/* "rc5-cbc" */
+&(nid_objs[122]),/* "rc5-cfb" */
+&(nid_objs[121]),/* "rc5-ecb" */
+&(nid_objs[123]),/* "rc5-ofb" */
+&(nid_objs[117]),/* "ripemd160" */
+&(nid_objs[119]),/* "ripemd160WithRSA" */
+&(nid_objs[19]),/* "rsa" */
+&(nid_objs[ 6]),/* "rsaEncryption" */
+&(nid_objs[ 1]),/* "rsadsi" */
+&(nid_objs[124]),/* "run length compression" */
+&(nid_objs[155]),/* "safeContentsBag" */
+&(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[154]),/* "secretBag" */
+&(nid_objs[105]),/* "serialNumber" */
+&(nid_objs[41]),/* "sha" */
+&(nid_objs[64]),/* "sha1" */
+&(nid_objs[115]),/* "sha1WithRSA" */
+&(nid_objs[65]),/* "sha1WithRSAEncryption" */
+&(nid_objs[42]),/* "shaWithRSAEncryption" */
+&(nid_objs[52]),/* "signingTime" */
+&(nid_objs[16]),/* "stateOrProvinceName" */
+&(nid_objs[100]),/* "surname" */
+&(nid_objs[106]),/* "title" */
+&(nid_objs[ 0]),/* "undefined" */
+&(nid_objs[102]),/* "uniqueIdentifier" */
+&(nid_objs[55]),/* "unstructuredAddress" */
+&(nid_objs[49]),/* "unstructuredName" */
+&(nid_objs[158]),/* "x509Certificate" */
+&(nid_objs[160]),/* "x509Crl" */
+&(nid_objs[125]),/* "zlib compression" */
+};
+
+static ASN1_OBJECT *obj_objs[NUM_OBJ]={
+&(nid_objs[ 0]),/* OBJ_undef                        0 */
+&(nid_objs[11]),/* OBJ_X500                         2 5 */
+&(nid_objs[12]),/* OBJ_X509                         2 5 4 */
+&(nid_objs[81]),/* OBJ_ld_ce                        2 5 29 */
+&(nid_objs[13]),/* OBJ_commonName                   2 5 4 3 */
+&(nid_objs[100]),/* OBJ_surname                      2 5 4 4 */
+&(nid_objs[105]),/* OBJ_serialNumber                 2 5 4 5 */
+&(nid_objs[14]),/* OBJ_countryName                  2 5 4 6 */
+&(nid_objs[15]),/* OBJ_localityName                 2 5 4 7 */
+&(nid_objs[16]),/* OBJ_stateOrProvinceName          2 5 4 8 */
+&(nid_objs[17]),/* OBJ_organizationName             2 5 4 10 */
+&(nid_objs[18]),/* OBJ_organizationalUnitName       2 5 4 11 */
+&(nid_objs[106]),/* OBJ_title                        2 5 4 12 */
+&(nid_objs[107]),/* OBJ_description                  2 5 4 13 */
+&(nid_objs[173]),/* OBJ_name                         2 5 4 41 */
+&(nid_objs[99]),/* OBJ_givenName                    2 5 4 42 */
+&(nid_objs[101]),/* OBJ_initials                     2 5 4 43 */
+&(nid_objs[102]),/* OBJ_uniqueIdentifier             2 5 4 45 */
+&(nid_objs[174]),/* OBJ_dnQualifier                  2 5 4 46 */
+&(nid_objs[82]),/* OBJ_subject_key_identifier       2 5 29 14 */
+&(nid_objs[83]),/* OBJ_key_usage                    2 5 29 15 */
+&(nid_objs[84]),/* OBJ_private_key_usage_period     2 5 29 16 */
+&(nid_objs[85]),/* OBJ_subject_alt_name             2 5 29 17 */
+&(nid_objs[86]),/* OBJ_issuer_alt_name              2 5 29 18 */
+&(nid_objs[87]),/* OBJ_basic_constraints            2 5 29 19 */
+&(nid_objs[88]),/* OBJ_crl_number                   2 5 29 20 */
+&(nid_objs[141]),/* OBJ_crl_reason                   2 5 29 21 */
+&(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
+&(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
+&(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
+&(nid_objs[90]),/* OBJ_authority_key_identifier     2 5 29 35 */
+&(nid_objs[126]),/* OBJ_ext_key_usage                2 5 29 37 */
+&(nid_objs[19]),/* OBJ_rsa                          2 5 8 1 1 */
+&(nid_objs[96]),/* OBJ_mdc2WithRSA                  2 5 8 3 100 */
+&(nid_objs[95]),/* OBJ_mdc2                         2 5 8 3 101 */
+&(nid_objs[104]),/* OBJ_md5WithRSA                   1 3 14 3 2 3 */
+&(nid_objs[29]),/* OBJ_des_ecb                      1 3 14 3 2 6 */
+&(nid_objs[31]),/* OBJ_des_cbc                      1 3 14 3 2 7 */
+&(nid_objs[45]),/* OBJ_des_ofb64                    1 3 14 3 2 8 */
+&(nid_objs[30]),/* OBJ_des_cfb64                    1 3 14 3 2 9 */
+&(nid_objs[67]),/* OBJ_dsa_2                        1 3 14 3 2 12 */
+&(nid_objs[66]),/* OBJ_dsaWithSHA                   1 3 14 3 2 13 */
+&(nid_objs[42]),/* OBJ_shaWithRSAEncryption         1 3 14 3 2 15 */
+&(nid_objs[32]),/* OBJ_des_ede                      1 3 14 3 2 17 */
+&(nid_objs[41]),/* OBJ_sha                          1 3 14 3 2 18 */
+&(nid_objs[64]),/* OBJ_sha1                         1 3 14 3 2 26 */
+&(nid_objs[70]),/* OBJ_dsaWithSHA1_2                1 3 14 3 2 27 */
+&(nid_objs[115]),/* OBJ_sha1WithRSA                  1 3 14 3 2 29 */
+&(nid_objs[117]),/* OBJ_ripemd160                    1 3 36 3 2 1 */
+&(nid_objs[143]),/* OBJ_sxnet                        1 3 101 1 4 1 */
+&(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
+&(nid_objs[125]),/* OBJ_zlib_compression             1 1 1 1 666 2 */
+&(nid_objs[ 1]),/* OBJ_rsadsi                       1 2 840 113549 */
+&(nid_objs[127]),/* OBJ_id_pkix                      1 3 6 1 5 5 7 */
+&(nid_objs[119]),/* OBJ_ripemd160WithRSA             1 3 36 3 3 1 2 */
+&(nid_objs[ 2]),/* OBJ_pkcs                         1 2 840 113549 1 */
+&(nid_objs[116]),/* OBJ_dsa                          1 2 840 10040 4 1 */
+&(nid_objs[113]),/* OBJ_dsaWithSHA1                  1 2 840 10040 4 3 */
+&(nid_objs[175]),/* OBJ_id_pe                        1 3 6 1 5 5 7 1 */
+&(nid_objs[128]),/* OBJ_id_kp                        1 3 6 1 5 5 7 3 */
+&(nid_objs[176]),/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
+&(nid_objs[57]),/* OBJ_netscape                     2 16 840 1 113730 */
+&(nid_objs[27]),/* OBJ_pkcs3                        1 2 840 113549 1 3 */
+&(nid_objs[20]),/* OBJ_pkcs7                        1 2 840 113549 1 7 */
+&(nid_objs[47]),/* OBJ_pkcs9                        1 2 840 113549 1 9 */
+&(nid_objs[ 3]),/* OBJ_md2                          1 2 840 113549 2 2 */
+&(nid_objs[ 4]),/* OBJ_md5                          1 2 840 113549 2 5 */
+&(nid_objs[163]),/* OBJ_hmacWithSHA1                 1 2 840 113549 2 7 */
+&(nid_objs[37]),/* OBJ_rc2_cbc                      1 2 840 113549 3 2 */
+&(nid_objs[ 5]),/* OBJ_rc4                          1 2 840 113549 3 4 */
+&(nid_objs[44]),/* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
+&(nid_objs[120]),/* OBJ_rc5_cbc                      1 2 840 113549 3 8 */
+&(nid_objs[177]),/* OBJ_info_access                  1 3 6 1 5 5 7 1 1 */
+&(nid_objs[164]),/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
+&(nid_objs[165]),/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
+&(nid_objs[129]),/* OBJ_server_auth                  1 3 6 1 5 5 7 3 1 */
+&(nid_objs[130]),/* OBJ_client_auth                  1 3 6 1 5 5 7 3 2 */
+&(nid_objs[131]),/* OBJ_code_sign                    1 3 6 1 5 5 7 3 3 */
+&(nid_objs[132]),/* OBJ_email_protect                1 3 6 1 5 5 7 3 4 */
+&(nid_objs[133]),/* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
+&(nid_objs[180]),/* OBJ_OCSP_sign                    1 3 6 1 5 5 7 3 9 */
+&(nid_objs[178]),/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
+&(nid_objs[179]),/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
+&(nid_objs[58]),/* OBJ_netscape_cert_extension      2 16 840 1 113730 1 */
+&(nid_objs[59]),/* OBJ_netscape_data_type           2 16 840 1 113730 2 */
+&(nid_objs[108]),/* OBJ_cast5_cbc                    1 2 840 113533 7 66 10 */
+&(nid_objs[112]),/* OBJ_pbeWithMD5AndCast5_CBC       1 2 840 113533 7 66 12 */
+&(nid_objs[ 6]),/* OBJ_rsaEncryption                1 2 840 113549 1 1 1 */
+&(nid_objs[ 7]),/* OBJ_md2WithRSAEncryption         1 2 840 113549 1 1 2 */
+&(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
+&(nid_objs[65]),/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
+&(nid_objs[28]),/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
+&(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
+&(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
+&(nid_objs[168]),/* OBJ_pbeWithMD2AndRC2_CBC         1 2 840 113549 1 5 4 */
+&(nid_objs[169]),/* OBJ_pbeWithMD5AndRC2_CBC         1 2 840 113549 1 5 6 */
+&(nid_objs[170]),/* OBJ_pbeWithSHA1AndDES_CBC        1 2 840 113549 1 5 10 */
+&(nid_objs[68]),/* OBJ_pbeWithSHA1AndRC2_CBC        1 2 840 113549 1 5 11  */
+&(nid_objs[69]),/* OBJ_id_pbkdf2                    1 2 840 113549 1 5 12  */
+&(nid_objs[161]),/* OBJ_pbes2                        1 2 840 113549 1 5 13 */
+&(nid_objs[162]),/* OBJ_pbmac1                       1 2 840 113549 1 5 14 */
+&(nid_objs[21]),/* OBJ_pkcs7_data                   1 2 840 113549 1 7 1 */
+&(nid_objs[22]),/* OBJ_pkcs7_signed                 1 2 840 113549 1 7 2 */
+&(nid_objs[23]),/* OBJ_pkcs7_enveloped              1 2 840 113549 1 7 3 */
+&(nid_objs[24]),/* OBJ_pkcs7_signedAndEnveloped     1 2 840 113549 1 7 4 */
+&(nid_objs[25]),/* OBJ_pkcs7_digest                 1 2 840 113549 1 7 5 */
+&(nid_objs[26]),/* OBJ_pkcs7_encrypted              1 2 840 113549 1 7 6 */
+&(nid_objs[48]),/* OBJ_pkcs9_emailAddress           1 2 840 113549 1 9 1 */
+&(nid_objs[49]),/* OBJ_pkcs9_unstructuredName       1 2 840 113549 1 9 2 */
+&(nid_objs[50]),/* OBJ_pkcs9_contentType            1 2 840 113549 1 9 3 */
+&(nid_objs[51]),/* OBJ_pkcs9_messageDigest          1 2 840 113549 1 9 4 */
+&(nid_objs[52]),/* OBJ_pkcs9_signingTime            1 2 840 113549 1 9 5 */
+&(nid_objs[53]),/* OBJ_pkcs9_countersignature       1 2 840 113549 1 9 6 */
+&(nid_objs[54]),/* OBJ_pkcs9_challengePassword      1 2 840 113549 1 9 7 */
+&(nid_objs[55]),/* OBJ_pkcs9_unstructuredAddress    1 2 840 113549 1 9 8 */
+&(nid_objs[56]),/* OBJ_pkcs9_extCertAttributes      1 2 840 113549 1 9 9 */
+&(nid_objs[172]),/* OBJ_ext_req                      1 2 840 113549 1 9 14 */
+&(nid_objs[167]),/* OBJ_SMIMECapabilities            1 2 840 113549 1 9 15 */
+&(nid_objs[156]),/* OBJ_friendlyName                 1 2 840 113549 1 9  20 */
+&(nid_objs[157]),/* OBJ_localKeyID                   1 2 840 113549 1 9  21 */
+&(nid_objs[91]),/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
+&(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
+&(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
+&(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
+&(nid_objs[74]),/* OBJ_netscape_ca_revocation_url   2 16 840 1 113730 1 4 */
+&(nid_objs[75]),/* OBJ_netscape_renewal_url         2 16 840 1 113730 1 7 */
+&(nid_objs[76]),/* OBJ_netscape_ca_policy_url       2 16 840 1 113730 1 8 */
+&(nid_objs[77]),/* OBJ_netscape_ssl_server_name     2 16 840 1 113730 1 12 */
+&(nid_objs[78]),/* OBJ_netscape_comment             2 16 840 1 113730 1 13 */
+&(nid_objs[79]),/* OBJ_netscape_cert_sequence       2 16 840 1 113730 2 5 */
+&(nid_objs[139]),/* OBJ_ns_sgc                       2 16 840 1 113730 4 1 */
+&(nid_objs[158]),/* OBJ_x509Certificate              1 2 840 113549 1 9  22  1 */
+&(nid_objs[159]),/* OBJ_sdsiCertificate              1 2 840 113549 1 9  22  2 */
+&(nid_objs[160]),/* OBJ_x509Crl                      1 2 840 113549 1 9  23  1 */
+&(nid_objs[144]),/* OBJ_pbe_WithSHA1And128BitRC4     1 2 840 113549 1 12  1  1 */
+&(nid_objs[145]),/* OBJ_pbe_WithSHA1And40BitRC4      1 2 840 113549 1 12  1  2 */
+&(nid_objs[146]),/* OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC 1 2 840 113549 1 12  1  3 */
+&(nid_objs[147]),/* OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC 1 2 840 113549 1 12  1  4 */
+&(nid_objs[148]),/* OBJ_pbe_WithSHA1And128BitRC2_CBC 1 2 840 113549 1 12  1  5 */
+&(nid_objs[149]),/* OBJ_pbe_WithSHA1And40BitRC2_CBC  1 2 840 113549 1 12  1  6 */
+&(nid_objs[171]),/* OBJ_ms_ext_req                   1 3 6 1 4 1 311 2 1 14 */
+&(nid_objs[134]),/* OBJ_ms_code_ind                  1 3 6 1 4 1 311 2 1 21 */
+&(nid_objs[135]),/* OBJ_ms_code_com                  1 3 6 1 4 1 311 2 1 22 */
+&(nid_objs[136]),/* OBJ_ms_ctl_sign                  1 3 6 1 4 1 311 10 3 1 */
+&(nid_objs[137]),/* OBJ_ms_sgc                       1 3 6 1 4 1 311 10 3 3 */
+&(nid_objs[138]),/* OBJ_ms_efs                       1 3 6 1 4 1 311 10 3 4 */
+&(nid_objs[150]),/* OBJ_keyBag                       1 2 840 113549 1 12  10  1  1 */
+&(nid_objs[151]),/* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12  10  1  2 */
+&(nid_objs[152]),/* OBJ_certBag                      1 2 840 113549 1 12  10  1  3 */
+&(nid_objs[153]),/* OBJ_crlBag                       1 2 840 113549 1 12  10  1  4 */
+&(nid_objs[154]),/* OBJ_secretBag                    1 2 840 113549 1 12  10  1  5 */
+&(nid_objs[155]),/* OBJ_safeContentsBag              1 2 840 113549 1 12  10  1  6 */
+&(nid_objs[34]),/* OBJ_idea_cbc                     1 3 6 1 4 1 188 7 1 1 2 */
+};
+
diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl
new file mode 100644
index 0000000..e6e3c3b
--- /dev/null
+++ b/crypto/openssl/crypto/objects/obj_dat.pl
@@ -0,0 +1,275 @@
+#!/usr/local/bin/perl
+
+sub obj_cmp
+	{
+	local(@a,@b,$_,$r);
+
+	$A=$obj_len{$obj{$nid{$a}}};
+	$B=$obj_len{$obj{$nid{$b}}};
+
+	$r=($A-$B);
+	return($r) if $r != 0;
+
+	$A=$obj_der{$obj{$nid{$a}}};
+	$B=$obj_der{$obj{$nid{$b}}};
+
+	return($A cmp $B);
+	}
+
+sub expand_obj
+	{
+	local(*v)=@_;
+	local($k,$d);
+	local($i);
+
+	do	{
+		$i=0;
+		foreach $k (keys %v)
+			{
+			if (($v{$k} =~ s/(OBJ_[^,]+),/$v{$1},/))
+				{ $i++; }
+			}
+		} while($i);
+	foreach $k (keys %v)
+		{
+		@a=split(/,/,$v{$k});
+		$objn{$k}=$#a+1;
+		}
+	return(%objn);
+	}
+
+open (IN,"$ARGV[0]") || die "Can't open input file $ARGV[0]";
+open (OUT,">$ARGV[1]") || die "Can't open output file $ARGV[1]";
+
+while (<IN>)
+	{
+	next unless /^\#define\s+(\S+)\s+(.*)$/;
+	$v=$1;
+	$d=$2;
+	if ($v =~ /^SN_(.*)$/)
+		{ $sn{$1}=$d; }
+	elsif ($v =~ /^LN_(.*)$/)
+		{ $ln{$1}=$d; }
+	elsif ($v =~ /^NID_(.*)$/)
+		{ $nid{$d}=$1; }
+	elsif ($v =~ /^OBJ_(.*)$/)
+		{
+		$obj{$1}=$v;
+		$objd{$v}=$d;
+		}
+	}
+close IN;
+
+%ob=&expand_obj(*objd);
+
+@a=sort { $a <=> $b } keys %nid;
+$n=$a[$#a]+1;
+
+@lvalues=();
+$lvalues=0;
+
+for ($i=0; $i<$n; $i++)
+	{
+	if (!defined($nid{$i}))
+		{
+		push(@out,"{NULL,NULL,NID_undef,0,NULL},\n");
+		}
+	else
+		{
+		$sn=defined($sn{$nid{$i}})?"$sn{$nid{$i}}":"NULL";
+		$ln=defined($ln{$nid{$i}})?"$ln{$nid{$i}}":"NULL";
+		$sn=$ln if ($sn eq "NULL");
+		$ln=$sn if ($ln eq "NULL");
+		$out ="{";
+		$out.=$sn;
+		$out.=",".$ln;
+		$out.=",NID_$nid{$i},";
+		if (defined($obj{$nid{$i}}))
+			{
+			$v=$objd{$obj{$nid{$i}}};
+			$v =~ s/L//g;
+			$v =~ s/,/ /g;
+			$r=&der_it($v);
+			$z="";
+			$length=0;
+			foreach (unpack("C*",$r))
+				{
+				$z.=sprintf("0x%02X,",$_);
+				$length++;
+				}
+			$obj_der{$obj{$nid{$i}}}=$z;
+			$obj_len{$obj{$nid{$i}}}=$length;
+
+			push(@lvalues,sprintf("%-45s/* [%3d] %s */\n",
+				$z,$lvalues,$obj{$nid{$i}}));
+			$out.="$length,&(lvalues[$lvalues]),0";
+			$lvalues+=$length;
+			}
+		else
+			{
+			$out.="0,NULL";
+			}
+		$out.="},\n";
+		push(@out,$out);
+		}
+	}
+
+@a=grep(defined($sn{$nid{$_}}),0 .. $n);
+foreach (sort { $sn{$nid{$a}} cmp $sn{$nid{$b}} } @a)
+	{
+	push(@sn,sprintf("&(nid_objs[%2d]),/* $sn{$nid{$_}} */\n",$_));
+	}
+
+@a=grep(defined($ln{$nid{$_}}),0 .. $n);
+foreach (sort { $ln{$nid{$a}} cmp $ln{$nid{$b}} } @a)
+	{
+	push(@ln,sprintf("&(nid_objs[%2d]),/* $ln{$nid{$_}} */\n",$_));
+	}
+
+@a=grep(defined($obj{$nid{$_}}),0 .. $n);
+foreach (sort obj_cmp @a)
+	{
+	$m=$obj{$nid{$_}};
+	$v=$objd{$m};
+	$v =~ s/L//g;
+	$v =~ s/,/ /g;
+	push(@ob,sprintf("&(nid_objs[%2d]),/* %-32s %s */\n",$_,$m,$v));
+	}
+
+print OUT <<'EOF';
+/* lib/obj/obj_dat.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
+ * following command:
+ * perl obj_dat.pl objects.h obj_dat.h
+ */
+
+EOF
+
+printf OUT "#define NUM_NID %d\n",$n;
+printf OUT "#define NUM_SN %d\n",$#sn+1;
+printf OUT "#define NUM_LN %d\n",$#ln+1;
+printf OUT "#define NUM_OBJ %d\n\n",$#ob+1;
+
+printf OUT "static unsigned char lvalues[%d]={\n",$lvalues+1;
+print OUT @lvalues;
+print OUT "};\n\n";
+
+printf OUT "static ASN1_OBJECT nid_objs[NUM_NID]={\n";
+foreach (@out)
+	{
+	if (length($_) > 75)
+		{
+		$out="";
+		foreach (split(/,/))
+			{
+			$t=$out.$_.",";
+			if (length($t) > 70)
+				{
+				print OUT "$out\n";
+				$t="\t$_,";
+				}
+			$out=$t;
+			}
+		chop $out;
+		print OUT "$out";
+		}
+	else
+		{ print OUT $_; }
+	}
+print  OUT "};\n\n";
+
+printf OUT "static ASN1_OBJECT *sn_objs[NUM_SN]={\n";
+print  OUT @sn;
+print  OUT "};\n\n";
+
+printf OUT "static ASN1_OBJECT *ln_objs[NUM_LN]={\n";
+print  OUT @ln;
+print  OUT "};\n\n";
+
+printf OUT "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n";
+print  OUT @ob;
+print  OUT "};\n\n";
+
+close OUT;
+
+sub der_it
+	{
+	local($v)=@_;
+	local(@a,$i,$ret,@r);
+
+	@a=split(/\s+/,$v);
+	$ret.=pack("C*",$a[0]*40+$a[1]);
+	shift @a;
+	shift @a;
+	foreach (@a)
+		{
+		@r=();
+		$t=0;
+		while ($_ >= 128)
+			{
+			$x=$_%128;
+			$_/=128;
+			push(@r,((($t++)?0x80:0)|$x));
+			}
+		push(@r,((($t++)?0x80:0)|$_));
+		$ret.=pack("C*",reverse(@r));
+		}
+	return($ret);
+	}
diff --git a/crypto/openssl/crypto/objects/obj_err.c b/crypto/openssl/crypto/objects/obj_err.c
new file mode 100644
index 0000000..7aec0ed
--- /dev/null
+++ b/crypto/openssl/crypto/objects/obj_err.c
@@ -0,0 +1,99 @@
+/* crypto/objects/obj_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA OBJ_str_functs[]=
+	{
+{ERR_PACK(0,OBJ_F_OBJ_CREATE,0),	"OBJ_create"},
+{ERR_PACK(0,OBJ_F_OBJ_DUP,0),	"OBJ_dup"},
+{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),	"OBJ_nid2ln"},
+{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),	"OBJ_nid2obj"},
+{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),	"OBJ_nid2sn"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA OBJ_str_reasons[]=
+	{
+{OBJ_R_MALLOC_FAILURE                    ,"malloc failure"},
+{OBJ_R_UNKNOWN_NID                       ,"unknown nid"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_OBJ_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs);
+		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/objects/obj_lib.c b/crypto/openssl/crypto/objects/obj_lib.c
new file mode 100644
index 0000000..1a1ba0f
--- /dev/null
+++ b/crypto/openssl/crypto/objects/obj_lib.c
@@ -0,0 +1,126 @@
+/* crypto/objects/obj_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+
+ASN1_OBJECT *OBJ_dup(ASN1_OBJECT *o)
+	{
+	ASN1_OBJECT *r;
+	int i;
+	char *ln=NULL;
+
+	if (o == NULL) return(NULL);
+	if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC))
+		return(o);
+
+	r=ASN1_OBJECT_new();
+	if (r == NULL)
+		{
+		OBJerr(OBJ_F_OBJ_DUP,ERR_R_ASN1_LIB);
+		return(NULL);
+		}
+	r->data=Malloc(o->length);
+	if (r->data == NULL)
+		goto err;
+	memcpy(r->data,o->data,o->length);
+	r->length=o->length;
+	r->nid=o->nid;
+	r->ln=r->sn=NULL;
+	if (o->ln != NULL)
+		{
+		i=strlen(o->ln)+1;
+		r->ln=ln=Malloc(i);
+		if (r->ln == NULL) goto err;
+		memcpy(ln,o->ln,i);
+		}
+
+	if (o->sn != NULL)
+		{
+		char *s;
+
+		i=strlen(o->sn)+1;
+		r->sn=s=Malloc(i);
+		if (r->sn == NULL) goto err;
+		memcpy(s,o->sn,i);
+		}
+	r->flags=o->flags|(ASN1_OBJECT_FLAG_DYNAMIC|
+		ASN1_OBJECT_FLAG_DYNAMIC_STRINGS|ASN1_OBJECT_FLAG_DYNAMIC_DATA);
+	return(r);
+err:
+	OBJerr(OBJ_F_OBJ_DUP,ERR_R_MALLOC_FAILURE);
+	if (r != NULL)
+		{
+		if (ln != NULL) Free(ln);
+		if (r->data != NULL) Free(r->data);
+		Free(r);
+		}
+	return(NULL);
+	}
+
+int OBJ_cmp(ASN1_OBJECT *a, ASN1_OBJECT *b)
+	{
+	int ret;
+
+	ret=(a->length-b->length);
+	if (ret) return(ret);
+	return(memcmp(a->data,b->data,a->length));
+	}
diff --git a/crypto/openssl/crypto/objects/objects.h b/crypto/openssl/crypto/objects/objects.h
new file mode 100644
index 0000000..95c8a21
--- /dev/null
+++ b/crypto/openssl/crypto/objects/objects.h
@@ -0,0 +1,1032 @@
+/* crypto/objects/objects.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_OBJECTS_H
+#define HEADER_OBJECTS_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define SN_undef			"UNDEF"
+#define LN_undef			"undefined"
+#define NID_undef			0
+#define OBJ_undef			0L
+
+#define SN_Algorithm			"Algorithm"
+#define LN_algorithm			"algorithm"
+#define NID_algorithm			38
+#define OBJ_algorithm			1L,3L,14L,3L,2L
+
+#define LN_rsadsi			"rsadsi"
+#define NID_rsadsi			1
+#define OBJ_rsadsi			1L,2L,840L,113549L
+
+#define LN_pkcs				"pkcs"
+#define NID_pkcs			2
+#define OBJ_pkcs			OBJ_rsadsi,1L
+
+#define SN_md2				"MD2"
+#define LN_md2				"md2"
+#define NID_md2				3
+#define OBJ_md2				OBJ_rsadsi,2L,2L
+
+#define SN_md5				"MD5"
+#define LN_md5				"md5"
+#define NID_md5				4
+#define OBJ_md5				OBJ_rsadsi,2L,5L
+
+#define SN_rc4				"RC4"
+#define LN_rc4				"rc4"
+#define NID_rc4				5
+#define OBJ_rc4				OBJ_rsadsi,3L,4L
+
+#define LN_rsaEncryption		"rsaEncryption"
+#define NID_rsaEncryption		6
+#define OBJ_rsaEncryption		OBJ_pkcs,1L,1L
+
+#define SN_md2WithRSAEncryption		"RSA-MD2"
+#define LN_md2WithRSAEncryption		"md2WithRSAEncryption"
+#define NID_md2WithRSAEncryption	7
+#define OBJ_md2WithRSAEncryption	OBJ_pkcs,1L,2L
+
+#define SN_md5WithRSAEncryption		"RSA-MD5"
+#define LN_md5WithRSAEncryption		"md5WithRSAEncryption"
+#define NID_md5WithRSAEncryption	8
+#define OBJ_md5WithRSAEncryption	OBJ_pkcs,1L,4L
+
+#define SN_pbeWithMD2AndDES_CBC		"PBE-MD2-DES"
+#define LN_pbeWithMD2AndDES_CBC		"pbeWithMD2AndDES-CBC"
+#define NID_pbeWithMD2AndDES_CBC	9
+#define OBJ_pbeWithMD2AndDES_CBC	OBJ_pkcs,5L,1L
+
+#define SN_pbeWithMD5AndDES_CBC		"PBE-MD5-DES"
+#define LN_pbeWithMD5AndDES_CBC		"pbeWithMD5AndDES-CBC"
+#define NID_pbeWithMD5AndDES_CBC	10
+#define OBJ_pbeWithMD5AndDES_CBC	OBJ_pkcs,5L,3L
+
+#define LN_X500				"X500"
+#define NID_X500			11
+#define OBJ_X500			2L,5L
+
+#define LN_X509				"X509"
+#define NID_X509			12
+#define OBJ_X509			OBJ_X500,4L
+
+#define SN_commonName			"CN"
+#define LN_commonName			"commonName"
+#define NID_commonName			13
+#define OBJ_commonName			OBJ_X509,3L
+
+#define SN_countryName			"C"
+#define LN_countryName			"countryName"
+#define NID_countryName			14
+#define OBJ_countryName			OBJ_X509,6L
+
+#define SN_localityName			"L"
+#define LN_localityName			"localityName"
+#define NID_localityName		15
+#define OBJ_localityName		OBJ_X509,7L
+
+/* Postal Address? PA */
+
+/* should be "ST" (rfc1327) but MS uses 'S' */
+#define SN_stateOrProvinceName		"ST"
+#define LN_stateOrProvinceName		"stateOrProvinceName"
+#define NID_stateOrProvinceName		16
+#define OBJ_stateOrProvinceName		OBJ_X509,8L
+
+#define SN_organizationName		"O"
+#define LN_organizationName		"organizationName"
+#define NID_organizationName		17
+#define OBJ_organizationName		OBJ_X509,10L
+
+#define SN_organizationalUnitName	"OU"
+#define LN_organizationalUnitName	"organizationalUnitName"
+#define NID_organizationalUnitName	18
+#define OBJ_organizationalUnitName	OBJ_X509,11L
+
+#define SN_rsa				"RSA"
+#define LN_rsa				"rsa"
+#define NID_rsa				19
+#define OBJ_rsa				OBJ_X500,8L,1L,1L
+
+#define LN_pkcs7			"pkcs7"
+#define NID_pkcs7			20
+#define OBJ_pkcs7			OBJ_pkcs,7L
+
+#define LN_pkcs7_data			"pkcs7-data"
+#define NID_pkcs7_data			21
+#define OBJ_pkcs7_data			OBJ_pkcs7,1L
+
+#define LN_pkcs7_signed			"pkcs7-signedData"
+#define NID_pkcs7_signed		22
+#define OBJ_pkcs7_signed		OBJ_pkcs7,2L
+
+#define LN_pkcs7_enveloped		"pkcs7-envelopedData"
+#define NID_pkcs7_enveloped		23
+#define OBJ_pkcs7_enveloped		OBJ_pkcs7,3L
+
+#define LN_pkcs7_signedAndEnveloped	"pkcs7-signedAndEnvelopedData"
+#define NID_pkcs7_signedAndEnveloped	24
+#define OBJ_pkcs7_signedAndEnveloped	OBJ_pkcs7,4L
+
+#define LN_pkcs7_digest			"pkcs7-digestData"
+#define NID_pkcs7_digest		25
+#define OBJ_pkcs7_digest		OBJ_pkcs7,5L
+
+#define LN_pkcs7_encrypted		"pkcs7-encryptedData"
+#define NID_pkcs7_encrypted		26
+#define OBJ_pkcs7_encrypted		OBJ_pkcs7,6L
+
+#define LN_pkcs3			"pkcs3"
+#define NID_pkcs3			27
+#define OBJ_pkcs3			OBJ_pkcs,3L
+
+#define LN_dhKeyAgreement		"dhKeyAgreement"
+#define NID_dhKeyAgreement		28
+#define OBJ_dhKeyAgreement		OBJ_pkcs3,1L
+
+#define SN_des_ecb			"DES-ECB"
+#define LN_des_ecb			"des-ecb"
+#define NID_des_ecb			29
+#define OBJ_des_ecb			OBJ_algorithm,6L
+
+#define SN_des_cfb64			"DES-CFB"
+#define LN_des_cfb64			"des-cfb"
+#define NID_des_cfb64			30
+/* IV + num */
+#define OBJ_des_cfb64			OBJ_algorithm,9L
+
+#define SN_des_cbc			"DES-CBC"
+#define LN_des_cbc			"des-cbc"
+#define NID_des_cbc			31
+/* IV */
+#define OBJ_des_cbc			OBJ_algorithm,7L
+
+#define SN_des_ede			"DES-EDE"
+#define LN_des_ede			"des-ede"
+#define NID_des_ede			32
+/* ?? */
+#define OBJ_des_ede			OBJ_algorithm,17L
+
+#define SN_des_ede3			"DES-EDE3"
+#define LN_des_ede3			"des-ede3"
+#define NID_des_ede3			33
+
+#define SN_idea_cbc			"IDEA-CBC"
+#define LN_idea_cbc			"idea-cbc"
+#define NID_idea_cbc			34
+#define OBJ_idea_cbc			1L,3L,6L,1L,4L,1L,188L,7L,1L,1L,2L
+
+#define SN_idea_cfb64			"IDEA-CFB"
+#define LN_idea_cfb64			"idea-cfb"
+#define NID_idea_cfb64			35
+
+#define SN_idea_ecb			"IDEA-ECB"
+#define LN_idea_ecb			"idea-ecb"
+#define NID_idea_ecb			36
+
+#define SN_rc2_cbc			"RC2-CBC"
+#define LN_rc2_cbc			"rc2-cbc"
+#define NID_rc2_cbc			37
+#define OBJ_rc2_cbc			OBJ_rsadsi,3L,2L
+
+#define SN_rc2_ecb			"RC2-ECB"
+#define LN_rc2_ecb			"rc2-ecb"
+#define NID_rc2_ecb			38
+
+#define SN_rc2_cfb64			"RC2-CFB"
+#define LN_rc2_cfb64			"rc2-cfb"
+#define NID_rc2_cfb64			39
+
+#define SN_rc2_ofb64			"RC2-OFB"
+#define LN_rc2_ofb64			"rc2-ofb"
+#define NID_rc2_ofb64			40
+
+#define SN_sha				"SHA"
+#define LN_sha				"sha"
+#define NID_sha				41
+#define OBJ_sha				OBJ_algorithm,18L
+
+#define SN_shaWithRSAEncryption		"RSA-SHA"
+#define LN_shaWithRSAEncryption		"shaWithRSAEncryption"
+#define NID_shaWithRSAEncryption	42
+#define OBJ_shaWithRSAEncryption	OBJ_algorithm,15L
+
+#define SN_des_ede_cbc			"DES-EDE-CBC"
+#define LN_des_ede_cbc			"des-ede-cbc"
+#define NID_des_ede_cbc			43
+
+#define SN_des_ede3_cbc			"DES-EDE3-CBC"
+#define LN_des_ede3_cbc			"des-ede3-cbc"
+#define NID_des_ede3_cbc		44
+#define OBJ_des_ede3_cbc		OBJ_rsadsi,3L,7L
+
+#define SN_des_ofb64			"DES-OFB"
+#define LN_des_ofb64			"des-ofb"
+#define NID_des_ofb64			45
+#define OBJ_des_ofb64			OBJ_algorithm,8L
+
+#define SN_idea_ofb64			"IDEA-OFB"
+#define LN_idea_ofb64			"idea-ofb"
+#define NID_idea_ofb64			46
+
+#define LN_pkcs9			"pkcs9"
+#define NID_pkcs9			47
+#define OBJ_pkcs9			OBJ_pkcs,9L
+
+#define SN_pkcs9_emailAddress		"Email"
+#define LN_pkcs9_emailAddress		"emailAddress"
+#define NID_pkcs9_emailAddress		48
+#define OBJ_pkcs9_emailAddress		OBJ_pkcs9,1L
+
+#define LN_pkcs9_unstructuredName	"unstructuredName"
+#define NID_pkcs9_unstructuredName	49
+#define OBJ_pkcs9_unstructuredName	OBJ_pkcs9,2L
+
+#define LN_pkcs9_contentType		"contentType"
+#define NID_pkcs9_contentType		50
+#define OBJ_pkcs9_contentType		OBJ_pkcs9,3L
+
+#define LN_pkcs9_messageDigest		"messageDigest"
+#define NID_pkcs9_messageDigest		51
+#define OBJ_pkcs9_messageDigest		OBJ_pkcs9,4L
+
+#define LN_pkcs9_signingTime		"signingTime"
+#define NID_pkcs9_signingTime		52
+#define OBJ_pkcs9_signingTime		OBJ_pkcs9,5L
+
+#define LN_pkcs9_countersignature	"countersignature"
+#define NID_pkcs9_countersignature	53
+#define OBJ_pkcs9_countersignature	OBJ_pkcs9,6L
+
+#define LN_pkcs9_challengePassword	"challengePassword"
+#define NID_pkcs9_challengePassword	54
+#define OBJ_pkcs9_challengePassword	OBJ_pkcs9,7L
+
+#define LN_pkcs9_unstructuredAddress	"unstructuredAddress"
+#define NID_pkcs9_unstructuredAddress	55
+#define OBJ_pkcs9_unstructuredAddress	OBJ_pkcs9,8L
+
+#define LN_pkcs9_extCertAttributes	"extendedCertificateAttributes"
+#define NID_pkcs9_extCertAttributes	56
+#define OBJ_pkcs9_extCertAttributes	OBJ_pkcs9,9L
+
+#define SN_netscape			"Netscape"
+#define LN_netscape			"Netscape Communications Corp."
+#define NID_netscape			57
+#define OBJ_netscape			2L,16L,840L,1L,113730L
+
+#define SN_netscape_cert_extension	"nsCertExt"
+#define LN_netscape_cert_extension	"Netscape Certificate Extension"
+#define NID_netscape_cert_extension	58
+#define OBJ_netscape_cert_extension	OBJ_netscape,1L
+
+#define SN_netscape_data_type		"nsDataType"
+#define LN_netscape_data_type		"Netscape Data Type"
+#define NID_netscape_data_type		59
+#define OBJ_netscape_data_type		OBJ_netscape,2L
+
+#define SN_des_ede_cfb64		"DES-EDE-CFB"
+#define LN_des_ede_cfb64		"des-ede-cfb"
+#define NID_des_ede_cfb64		60
+
+#define SN_des_ede3_cfb64		"DES-EDE3-CFB"
+#define LN_des_ede3_cfb64		"des-ede3-cfb"
+#define NID_des_ede3_cfb64		61
+
+#define SN_des_ede_ofb64		"DES-EDE-OFB"
+#define LN_des_ede_ofb64		"des-ede-ofb"
+#define NID_des_ede_ofb64		62
+
+#define SN_des_ede3_ofb64		"DES-EDE3-OFB"
+#define LN_des_ede3_ofb64		"des-ede3-ofb"
+#define NID_des_ede3_ofb64		63
+
+/* I'm not sure about the object ID */
+#define SN_sha1				"SHA1"
+#define LN_sha1				"sha1"
+#define NID_sha1			64
+#define OBJ_sha1			OBJ_algorithm,26L
+/* 28 Jun 1996 - eay */
+/* #define OBJ_sha1			1L,3L,14L,2L,26L,05L <- wrong */
+
+#define SN_sha1WithRSAEncryption	"RSA-SHA1"
+#define LN_sha1WithRSAEncryption	"sha1WithRSAEncryption"
+#define NID_sha1WithRSAEncryption	65
+#define OBJ_sha1WithRSAEncryption	OBJ_pkcs,1L,5L
+
+#define SN_dsaWithSHA			"DSA-SHA"
+#define LN_dsaWithSHA			"dsaWithSHA"
+#define NID_dsaWithSHA			66
+#define OBJ_dsaWithSHA			OBJ_algorithm,13L
+
+#define SN_dsa_2			"DSA-old"
+#define LN_dsa_2			"dsaEncryption-old"
+#define NID_dsa_2			67
+#define OBJ_dsa_2			OBJ_algorithm,12L
+
+/* proposed by microsoft to RSA */
+#define SN_pbeWithSHA1AndRC2_CBC	"PBE-SHA1-RC2-64"
+#define LN_pbeWithSHA1AndRC2_CBC	"pbeWithSHA1AndRC2-CBC"
+#define NID_pbeWithSHA1AndRC2_CBC	68
+#define OBJ_pbeWithSHA1AndRC2_CBC	OBJ_pkcs,5L,11L 
+
+/* proposed by microsoft to RSA as pbeWithSHA1AndRC4: it is now
+ * defined explicitly in PKCS#5 v2.0 as id-PBKDF2 which is something
+ * completely different.
+ */
+#define LN_id_pbkdf2			"PBKDF2"
+#define NID_id_pbkdf2			69
+#define OBJ_id_pbkdf2			OBJ_pkcs,5L,12L 
+
+#define SN_dsaWithSHA1_2		"DSA-SHA1-old"
+#define LN_dsaWithSHA1_2		"dsaWithSHA1-old"
+#define NID_dsaWithSHA1_2		70
+/* Got this one from 'sdn706r20.pdf' which is actually an NSA document :-) */
+#define OBJ_dsaWithSHA1_2		OBJ_algorithm,27L
+
+#define SN_netscape_cert_type		"nsCertType"
+#define LN_netscape_cert_type		"Netscape Cert Type"
+#define NID_netscape_cert_type		71
+#define OBJ_netscape_cert_type		OBJ_netscape_cert_extension,1L
+
+#define SN_netscape_base_url		"nsBaseUrl"
+#define LN_netscape_base_url		"Netscape Base Url"
+#define NID_netscape_base_url		72
+#define OBJ_netscape_base_url		OBJ_netscape_cert_extension,2L
+
+#define SN_netscape_revocation_url	"nsRevocationUrl"
+#define LN_netscape_revocation_url	"Netscape Revocation Url"
+#define NID_netscape_revocation_url	73
+#define OBJ_netscape_revocation_url	OBJ_netscape_cert_extension,3L
+
+#define SN_netscape_ca_revocation_url	"nsCaRevocationUrl"
+#define LN_netscape_ca_revocation_url	"Netscape CA Revocation Url"
+#define NID_netscape_ca_revocation_url	74
+#define OBJ_netscape_ca_revocation_url	OBJ_netscape_cert_extension,4L
+
+#define SN_netscape_renewal_url		"nsRenewalUrl"
+#define LN_netscape_renewal_url		"Netscape Renewal Url"
+#define NID_netscape_renewal_url	75
+#define OBJ_netscape_renewal_url	OBJ_netscape_cert_extension,7L
+
+#define SN_netscape_ca_policy_url	"nsCaPolicyUrl"
+#define LN_netscape_ca_policy_url	"Netscape CA Policy Url"
+#define NID_netscape_ca_policy_url	76
+#define OBJ_netscape_ca_policy_url	OBJ_netscape_cert_extension,8L
+
+#define SN_netscape_ssl_server_name	"nsSslServerName"
+#define LN_netscape_ssl_server_name	"Netscape SSL Server Name"
+#define NID_netscape_ssl_server_name	77
+#define OBJ_netscape_ssl_server_name	OBJ_netscape_cert_extension,12L
+
+#define SN_netscape_comment		"nsComment"
+#define LN_netscape_comment		"Netscape Comment"
+#define NID_netscape_comment		78
+#define OBJ_netscape_comment		OBJ_netscape_cert_extension,13L
+
+#define SN_netscape_cert_sequence	"nsCertSequence"
+#define LN_netscape_cert_sequence	"Netscape Certificate Sequence"
+#define NID_netscape_cert_sequence	79
+#define OBJ_netscape_cert_sequence	OBJ_netscape_data_type,5L
+
+#define SN_desx_cbc			"DESX-CBC"
+#define LN_desx_cbc			"desx-cbc"
+#define NID_desx_cbc			80
+
+#define SN_ld_ce			"ld-ce"
+#define NID_ld_ce			81
+#define OBJ_ld_ce			2L,5L,29L
+
+#define SN_subject_key_identifier	"subjectKeyIdentifier"
+#define LN_subject_key_identifier	"X509v3 Subject Key Identifier"
+#define NID_subject_key_identifier	82
+#define OBJ_subject_key_identifier	OBJ_ld_ce,14L
+
+#define SN_key_usage			"keyUsage"
+#define LN_key_usage			"X509v3 Key Usage"
+#define NID_key_usage			83
+#define OBJ_key_usage			OBJ_ld_ce,15L
+
+#define SN_private_key_usage_period	"privateKeyUsagePeriod"
+#define LN_private_key_usage_period	"X509v3 Private Key Usage Period"
+#define NID_private_key_usage_period	84
+#define OBJ_private_key_usage_period	OBJ_ld_ce,16L
+
+#define SN_subject_alt_name		"subjectAltName"
+#define LN_subject_alt_name		"X509v3 Subject Alternative Name"
+#define NID_subject_alt_name		85
+#define OBJ_subject_alt_name		OBJ_ld_ce,17L
+
+#define SN_issuer_alt_name		"issuerAltName"
+#define LN_issuer_alt_name		"X509v3 Issuer Alternative Name"
+#define NID_issuer_alt_name		86
+#define OBJ_issuer_alt_name		OBJ_ld_ce,18L
+
+#define SN_basic_constraints		"basicConstraints"
+#define LN_basic_constraints		"X509v3 Basic Constraints"
+#define NID_basic_constraints		87
+#define OBJ_basic_constraints		OBJ_ld_ce,19L
+
+#define SN_crl_number			"crlNumber"
+#define LN_crl_number			"X509v3 CRL Number"
+#define NID_crl_number			88
+#define OBJ_crl_number			OBJ_ld_ce,20L
+
+#define SN_certificate_policies		"certificatePolicies"
+#define LN_certificate_policies		"X509v3 Certificate Policies"
+#define NID_certificate_policies	89
+#define OBJ_certificate_policies	OBJ_ld_ce,32L
+
+#define SN_authority_key_identifier	"authorityKeyIdentifier"
+#define LN_authority_key_identifier	"X509v3 Authority Key Identifier"
+#define NID_authority_key_identifier	90
+#define OBJ_authority_key_identifier	OBJ_ld_ce,35L
+
+#define SN_bf_cbc			"BF-CBC"
+#define LN_bf_cbc			"bf-cbc"
+#define NID_bf_cbc			91
+#define OBJ_bf_cbc			1L,3L,6L,1L,4L,1L,3029L,1L,2L
+
+#define SN_bf_ecb			"BF-ECB"
+#define LN_bf_ecb			"bf-ecb"
+#define NID_bf_ecb			92
+
+#define SN_bf_cfb64			"BF-CFB"
+#define LN_bf_cfb64			"bf-cfb"
+#define NID_bf_cfb64			93
+
+#define SN_bf_ofb64			"BF-OFB"
+#define LN_bf_ofb64			"bf-ofb"
+#define NID_bf_ofb64			94
+
+#define SN_mdc2				"MDC2"
+#define LN_mdc2				"mdc2"
+#define NID_mdc2			95
+#define OBJ_mdc2			2L,5L,8L,3L,101L
+/* An alternative?			1L,3L,14L,3L,2L,19L */
+
+#define SN_mdc2WithRSA			"RSA-MDC2"
+#define LN_mdc2WithRSA			"mdc2withRSA"
+#define NID_mdc2WithRSA			96
+#define OBJ_mdc2WithRSA			2L,5L,8L,3L,100L
+
+#define SN_rc4_40			"RC4-40"
+#define LN_rc4_40			"rc4-40"
+#define NID_rc4_40			97
+
+#define SN_rc2_40_cbc			"RC2-40-CBC"
+#define LN_rc2_40_cbc			"rc2-40-cbc"
+#define NID_rc2_40_cbc			98
+
+#define SN_givenName			"G"
+#define LN_givenName			"givenName"
+#define NID_givenName			99
+#define OBJ_givenName			OBJ_X509,42L
+
+#define SN_surname			"S"
+#define LN_surname			"surname"
+#define NID_surname			100
+#define OBJ_surname			OBJ_X509,4L
+
+#define SN_initials			"I"
+#define LN_initials			"initials"
+#define NID_initials			101
+#define OBJ_initials			OBJ_X509,43L
+
+#define SN_uniqueIdentifier		"UID"
+#define LN_uniqueIdentifier		"uniqueIdentifier"
+#define NID_uniqueIdentifier		102
+#define OBJ_uniqueIdentifier		OBJ_X509,45L
+
+#define SN_crl_distribution_points	"crlDistributionPoints"
+#define LN_crl_distribution_points	"X509v3 CRL Distribution Points"
+#define NID_crl_distribution_points	103
+#define OBJ_crl_distribution_points	OBJ_ld_ce,31L
+
+#define SN_md5WithRSA			"RSA-NP-MD5"
+#define LN_md5WithRSA			"md5WithRSA"
+#define NID_md5WithRSA			104
+#define OBJ_md5WithRSA			OBJ_algorithm,3L
+
+#define SN_serialNumber			"SN"
+#define LN_serialNumber			"serialNumber"
+#define NID_serialNumber		105
+#define OBJ_serialNumber		OBJ_X509,5L
+
+#define SN_title			"T"
+#define LN_title			"title"
+#define NID_title			106
+#define OBJ_title			OBJ_X509,12L
+
+#define SN_description			"D"
+#define LN_description			"description"
+#define NID_description			107
+#define OBJ_description			OBJ_X509,13L
+
+/* CAST5 is CAST-128, I'm just sticking with the documentation */
+#define SN_cast5_cbc			"CAST5-CBC"
+#define LN_cast5_cbc			"cast5-cbc"
+#define NID_cast5_cbc			108
+#define OBJ_cast5_cbc			1L,2L,840L,113533L,7L,66L,10L
+
+#define SN_cast5_ecb			"CAST5-ECB"
+#define LN_cast5_ecb			"cast5-ecb"
+#define NID_cast5_ecb			109
+
+#define SN_cast5_cfb64			"CAST5-CFB"
+#define LN_cast5_cfb64			"cast5-cfb"
+#define NID_cast5_cfb64			110
+
+#define SN_cast5_ofb64			"CAST5-OFB"
+#define LN_cast5_ofb64			"cast5-ofb"
+#define NID_cast5_ofb64			111
+
+#define LN_pbeWithMD5AndCast5_CBC	"pbeWithMD5AndCast5CBC"
+#define NID_pbeWithMD5AndCast5_CBC	112
+#define OBJ_pbeWithMD5AndCast5_CBC	1L,2L,840L,113533L,7L,66L,12L
+
+/* This is one sun will soon be using :-(
+ * id-dsa-with-sha1 ID  ::= {
+ *   iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 }
+ */
+#define SN_dsaWithSHA1			"DSA-SHA1"
+#define LN_dsaWithSHA1			"dsaWithSHA1"
+#define NID_dsaWithSHA1			113
+#define OBJ_dsaWithSHA1			1L,2L,840L,10040L,4L,3L
+
+#define NID_md5_sha1			114
+#define SN_md5_sha1			"MD5-SHA1"
+#define LN_md5_sha1			"md5-sha1"
+
+#define SN_sha1WithRSA			"RSA-SHA1-2"
+#define LN_sha1WithRSA			"sha1WithRSA"
+#define NID_sha1WithRSA			115
+#define OBJ_sha1WithRSA			OBJ_algorithm,29L
+
+#define SN_dsa				"DSA"
+#define LN_dsa				"dsaEncryption"
+#define NID_dsa				116
+#define OBJ_dsa				1L,2L,840L,10040L,4L,1L
+
+#define SN_ripemd160			"RIPEMD160"
+#define LN_ripemd160			"ripemd160"
+#define NID_ripemd160			117
+#define OBJ_ripemd160			1L,3L,36L,3L,2L,1L
+
+/* The name should actually be rsaSignatureWithripemd160, but I'm going
+ * to continue using the convention I'm using with the other ciphers */
+#define SN_ripemd160WithRSA		"RSA-RIPEMD160"
+#define LN_ripemd160WithRSA		"ripemd160WithRSA"
+#define NID_ripemd160WithRSA		119
+#define OBJ_ripemd160WithRSA		1L,3L,36L,3L,3L,1L,2L
+
+/* Taken from rfc2040
+ *  RC5_CBC_Parameters ::= SEQUENCE {
+ *	version           INTEGER (v1_0(16)),
+ *	rounds            INTEGER (8..127),
+ *	blockSizeInBits   INTEGER (64, 128),
+ *	iv                OCTET STRING OPTIONAL
+ *	}
+ */
+#define SN_rc5_cbc			"RC5-CBC"
+#define LN_rc5_cbc			"rc5-cbc"
+#define NID_rc5_cbc			120
+#define OBJ_rc5_cbc			OBJ_rsadsi,3L,8L
+
+#define SN_rc5_ecb			"RC5-ECB"
+#define LN_rc5_ecb			"rc5-ecb"
+#define NID_rc5_ecb			121
+
+#define SN_rc5_cfb64			"RC5-CFB"
+#define LN_rc5_cfb64			"rc5-cfb"
+#define NID_rc5_cfb64			122
+
+#define SN_rc5_ofb64			"RC5-OFB"
+#define LN_rc5_ofb64			"rc5-ofb"
+#define NID_rc5_ofb64			123
+
+#define SN_rle_compression		"RLE"
+#define LN_rle_compression		"run length compression"
+#define NID_rle_compression		124
+#define OBJ_rle_compression		1L,1L,1L,1L,666L,1L
+
+#define SN_zlib_compression		"ZLIB"
+#define LN_zlib_compression		"zlib compression"
+#define NID_zlib_compression		125
+#define OBJ_zlib_compression		1L,1L,1L,1L,666L,2L
+
+#define SN_ext_key_usage		"extendedKeyUsage"
+#define LN_ext_key_usage		"X509v3 Extended Key Usage"
+#define NID_ext_key_usage		126
+#define OBJ_ext_key_usage		OBJ_ld_ce,37
+
+#define SN_id_pkix			"PKIX"
+#define NID_id_pkix			127
+#define OBJ_id_pkix			1L,3L,6L,1L,5L,5L,7L
+
+#define SN_id_kp			"id-kp"
+#define NID_id_kp			128
+#define OBJ_id_kp			OBJ_id_pkix,3L
+
+/* PKIX extended key usage OIDs */
+
+#define SN_server_auth			"serverAuth"
+#define LN_server_auth			"TLS Web Server Authentication"
+#define NID_server_auth			129
+#define OBJ_server_auth			OBJ_id_kp,1L
+
+#define SN_client_auth			"clientAuth"
+#define LN_client_auth			"TLS Web Client Authentication"
+#define NID_client_auth			130
+#define OBJ_client_auth			OBJ_id_kp,2L
+
+#define SN_code_sign			"codeSigning"
+#define LN_code_sign			"Code Signing"
+#define NID_code_sign			131
+#define OBJ_code_sign			OBJ_id_kp,3L
+
+#define SN_email_protect		"emailProtection"
+#define LN_email_protect		"E-mail Protection"
+#define NID_email_protect		132
+#define OBJ_email_protect		OBJ_id_kp,4L
+
+#define SN_time_stamp			"timeStamping"
+#define LN_time_stamp			"Time Stamping"
+#define NID_time_stamp			133
+#define OBJ_time_stamp			OBJ_id_kp,8L
+
+/* Additional extended key usage OIDs: Microsoft */
+
+#define SN_ms_code_ind			"msCodeInd"
+#define LN_ms_code_ind			"Microsoft Individual Code Signing"
+#define NID_ms_code_ind			134
+#define OBJ_ms_code_ind			1L,3L,6L,1L,4L,1L,311L,2L,1L,21L
+
+#define SN_ms_code_com			"msCodeCom"
+#define LN_ms_code_com			"Microsoft Commercial Code Signing"
+#define NID_ms_code_com			135
+#define OBJ_ms_code_com			1L,3L,6L,1L,4L,1L,311L,2L,1L,22L
+
+#define SN_ms_ctl_sign			"msCTLSign"
+#define LN_ms_ctl_sign			"Microsoft Trust List Signing"
+#define NID_ms_ctl_sign			136
+#define OBJ_ms_ctl_sign			1L,3L,6L,1L,4L,1L,311L,10L,3L,1L
+
+#define SN_ms_sgc			"msSGC"
+#define LN_ms_sgc			"Microsoft Server Gated Crypto"
+#define NID_ms_sgc			137
+#define OBJ_ms_sgc			1L,3L,6L,1L,4L,1L,311L,10L,3L,3L
+
+#define SN_ms_efs			"msEFS"
+#define LN_ms_efs			"Microsoft Encrypted File System"
+#define NID_ms_efs			138
+#define OBJ_ms_efs			1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
+
+/* Additional usage: Netscape */
+
+#define SN_ns_sgc			"nsSGC"
+#define LN_ns_sgc			"Netscape Server Gated Crypto"
+#define NID_ns_sgc			139
+#define OBJ_ns_sgc			OBJ_netscape,4L,1L
+
+#define SN_delta_crl			"deltaCRL"
+#define LN_delta_crl			"X509v3 Delta CRL Indicator"
+#define NID_delta_crl			140
+#define OBJ_delta_crl			OBJ_ld_ce,27L
+
+#define SN_crl_reason			"CRLReason"
+#define LN_crl_reason			"CRL Reason Code"
+#define NID_crl_reason			141
+#define OBJ_crl_reason			OBJ_ld_ce,21L
+
+#define SN_invalidity_date		"invalidityDate"
+#define LN_invalidity_date		"Invalidity Date"
+#define NID_invalidity_date		142
+#define OBJ_invalidity_date		OBJ_ld_ce,24L
+
+#define SN_sxnet			"SXNetID"
+#define LN_sxnet			"Strong Extranet ID"
+#define NID_sxnet			143
+#define OBJ_sxnet			1L,3L,101L,1L,4L,1L
+
+/* PKCS12 and related OBJECT IDENTIFIERS */
+
+#define OBJ_pkcs12			OBJ_pkcs,12L
+#define OBJ_pkcs12_pbeids		OBJ_pkcs12, 1
+
+#define SN_pbe_WithSHA1And128BitRC4	"PBE-SHA1-RC4-128"
+#define LN_pbe_WithSHA1And128BitRC4	"pbeWithSHA1And128BitRC4"
+#define NID_pbe_WithSHA1And128BitRC4	144
+#define OBJ_pbe_WithSHA1And128BitRC4	OBJ_pkcs12_pbeids, 1L
+
+#define SN_pbe_WithSHA1And40BitRC4	"PBE-SHA1-RC4-40"
+#define LN_pbe_WithSHA1And40BitRC4	"pbeWithSHA1And40BitRC4"
+#define NID_pbe_WithSHA1And40BitRC4	145
+#define OBJ_pbe_WithSHA1And40BitRC4	OBJ_pkcs12_pbeids, 2L
+
+#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC	"PBE-SHA1-3DES"
+#define LN_pbe_WithSHA1And3_Key_TripleDES_CBC	"pbeWithSHA1And3-KeyTripleDES-CBC"
+#define NID_pbe_WithSHA1And3_Key_TripleDES_CBC	146
+#define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC	OBJ_pkcs12_pbeids, 3L
+
+#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC	"PBE-SHA1-2DES"
+#define LN_pbe_WithSHA1And2_Key_TripleDES_CBC	"pbeWithSHA1And2-KeyTripleDES-CBC"
+#define NID_pbe_WithSHA1And2_Key_TripleDES_CBC	147
+#define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC	OBJ_pkcs12_pbeids, 4L
+
+#define SN_pbe_WithSHA1And128BitRC2_CBC		"PBE-SHA1-RC2-128"
+#define LN_pbe_WithSHA1And128BitRC2_CBC		"pbeWithSHA1And128BitRC2-CBC"
+#define NID_pbe_WithSHA1And128BitRC2_CBC	148
+#define OBJ_pbe_WithSHA1And128BitRC2_CBC	OBJ_pkcs12_pbeids, 5L
+
+#define SN_pbe_WithSHA1And40BitRC2_CBC	"PBE-SHA1-RC2-40"
+#define LN_pbe_WithSHA1And40BitRC2_CBC	"pbeWithSHA1And40BitRC2-CBC"
+#define NID_pbe_WithSHA1And40BitRC2_CBC	149
+#define OBJ_pbe_WithSHA1And40BitRC2_CBC	OBJ_pkcs12_pbeids, 6L
+
+#define OBJ_pkcs12_Version1	OBJ_pkcs12, 10L
+
+#define OBJ_pkcs12_BagIds	OBJ_pkcs12_Version1, 1L
+
+#define LN_keyBag		"keyBag"
+#define NID_keyBag		150
+#define OBJ_keyBag		OBJ_pkcs12_BagIds, 1L
+
+#define LN_pkcs8ShroudedKeyBag	"pkcs8ShroudedKeyBag"
+#define NID_pkcs8ShroudedKeyBag	151
+#define OBJ_pkcs8ShroudedKeyBag	OBJ_pkcs12_BagIds, 2L
+
+#define LN_certBag		"certBag"
+#define NID_certBag		152
+#define OBJ_certBag		OBJ_pkcs12_BagIds, 3L
+
+#define LN_crlBag		"crlBag"
+#define NID_crlBag		153
+#define OBJ_crlBag		OBJ_pkcs12_BagIds, 4L
+
+#define LN_secretBag		"secretBag"
+#define NID_secretBag		154
+#define OBJ_secretBag		OBJ_pkcs12_BagIds, 5L
+
+#define LN_safeContentsBag	"safeContentsBag"
+#define NID_safeContentsBag	155
+#define OBJ_safeContentsBag	OBJ_pkcs12_BagIds, 6L
+
+#define LN_friendlyName		"friendlyName"
+#define	NID_friendlyName	156
+#define OBJ_friendlyName	OBJ_pkcs9, 20L
+
+#define LN_localKeyID		"localKeyID"
+#define	NID_localKeyID		157
+#define OBJ_localKeyID		OBJ_pkcs9, 21L
+
+#define OBJ_certTypes		OBJ_pkcs9, 22L
+
+#define LN_x509Certificate	"x509Certificate"
+#define	NID_x509Certificate	158
+#define OBJ_x509Certificate	OBJ_certTypes, 1L
+
+#define LN_sdsiCertificate	"sdsiCertificate"
+#define	NID_sdsiCertificate	159
+#define OBJ_sdsiCertificate	OBJ_certTypes, 2L
+
+#define OBJ_crlTypes		OBJ_pkcs9, 23L
+
+#define LN_x509Crl		"x509Crl"
+#define	NID_x509Crl		160
+#define OBJ_x509Crl		OBJ_crlTypes, 1L
+
+/* PKCS#5 v2 OIDs */
+
+#define LN_pbes2		"PBES2"
+#define NID_pbes2		161
+#define OBJ_pbes2		OBJ_pkcs,5L,13L
+
+#define LN_pbmac1		"PBMAC1"
+#define NID_pbmac1		162
+#define OBJ_pbmac1		OBJ_pkcs,5L,14L
+
+#define LN_hmacWithSHA1		"hmacWithSHA1"
+#define NID_hmacWithSHA1	163
+#define OBJ_hmacWithSHA1	OBJ_rsadsi,2L,7L
+
+/* Policy Qualifier Ids */
+
+#define LN_id_qt_cps		"Policy Qualifier CPS"
+#define SN_id_qt_cps		"id-qt-cps"
+#define NID_id_qt_cps		164
+#define OBJ_id_qt_cps		OBJ_id_pkix,2L,1L
+
+#define LN_id_qt_unotice	"Policy Qualifier User Notice"
+#define SN_id_qt_unotice	"id-qt-unotice"
+#define NID_id_qt_unotice	165
+#define OBJ_id_qt_unotice	OBJ_id_pkix,2L,2L
+
+#define SN_rc2_64_cbc			"RC2-64-CBC"
+#define LN_rc2_64_cbc			"rc2-64-cbc"
+#define NID_rc2_64_cbc			166
+
+#define SN_SMIMECapabilities		"SMIME-CAPS"
+#define LN_SMIMECapabilities		"S/MIME Capabilities"
+#define NID_SMIMECapabilities		167
+#define OBJ_SMIMECapabilities		OBJ_pkcs9,15L
+
+#define SN_pbeWithMD2AndRC2_CBC		"PBE-MD2-RC2-64"
+#define LN_pbeWithMD2AndRC2_CBC		"pbeWithMD2AndRC2-CBC"
+#define NID_pbeWithMD2AndRC2_CBC	168
+#define OBJ_pbeWithMD2AndRC2_CBC	OBJ_pkcs,5L,4L
+
+#define SN_pbeWithMD5AndRC2_CBC		"PBE-MD5-RC2-64"
+#define LN_pbeWithMD5AndRC2_CBC		"pbeWithMD5AndRC2-CBC"
+#define NID_pbeWithMD5AndRC2_CBC	169
+#define OBJ_pbeWithMD5AndRC2_CBC	OBJ_pkcs,5L,6L
+
+#define SN_pbeWithSHA1AndDES_CBC	"PBE-SHA1-DES"
+#define LN_pbeWithSHA1AndDES_CBC	"pbeWithSHA1AndDES-CBC"
+#define NID_pbeWithSHA1AndDES_CBC	170
+#define OBJ_pbeWithSHA1AndDES_CBC	OBJ_pkcs,5L,10L
+
+/* Extension request OIDs */
+
+#define LN_ms_ext_req			"Microsoft Extension Request"
+#define SN_ms_ext_req			"msExtReq"
+#define NID_ms_ext_req			171
+#define OBJ_ms_ext_req			1L,3L,6L,1L,4L,1L,311L,2L,1L,14L
+
+#define LN_ext_req			"Extension Request"
+#define SN_ext_req			"extReq"
+#define NID_ext_req			172
+#define OBJ_ext_req			OBJ_pkcs9,14L
+
+#define SN_name				"name"
+#define LN_name				"name"
+#define NID_name			173
+#define OBJ_name			OBJ_X509,41L
+
+#define SN_dnQualifier			"dnQualifier"
+#define LN_dnQualifier			"dnQualifier"
+#define NID_dnQualifier			174
+#define OBJ_dnQualifier			OBJ_X509,46L
+
+#define SN_id_pe			"id-pe"
+#define NID_id_pe			175
+#define OBJ_id_pe			OBJ_id_pkix,1L
+
+#define SN_id_ad			"id-ad"
+#define NID_id_ad			176
+#define OBJ_id_ad			OBJ_id_pkix,48L
+
+#define SN_info_access			"authorityInfoAccess"
+#define LN_info_access			"Authority Information Access"
+#define NID_info_access			177
+#define OBJ_info_access			OBJ_id_pe,1L
+
+#define SN_ad_OCSP			"OCSP"
+#define LN_ad_OCSP			"OCSP"
+#define NID_ad_OCSP			178
+#define OBJ_ad_OCSP			OBJ_id_ad,1L
+
+#define SN_ad_ca_issuers		"caIssuers"
+#define LN_ad_ca_issuers		"CA Issuers"
+#define NID_ad_ca_issuers		179
+#define OBJ_ad_ca_issuers		OBJ_id_ad,2L
+
+#define SN_OCSP_sign			"OCSPSigning"
+#define LN_OCSP_sign			"OCSP Signing"
+#define NID_OCSP_sign			180
+#define OBJ_OCSP_sign			OBJ_id_kp,9L
+
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+
+#define	OBJ_NAME_TYPE_UNDEF		0x00
+#define	OBJ_NAME_TYPE_MD_METH		0x01
+#define	OBJ_NAME_TYPE_CIPHER_METH	0x02
+#define	OBJ_NAME_TYPE_PKEY_METH		0x03
+#define	OBJ_NAME_TYPE_COMP_METH		0x04
+#define	OBJ_NAME_TYPE_NUM		0x05
+
+#define	OBJ_NAME_ALIAS		0x8000
+
+
+typedef struct obj_name_st
+	{
+	int type;
+	int alias;
+	const char *name;
+	const char *data;
+	} OBJ_NAME;
+
+#define		OBJ_create_and_add_object(a,b,c) OBJ_create(a,b,c)
+
+
+int OBJ_NAME_init(void);
+int OBJ_NAME_new_index(unsigned long (*hash_func)(),int (*cmp_func)(),
+	void (*free_func)());
+const char *OBJ_NAME_get(const char *name,int type);
+int OBJ_NAME_add(const char *name,int type,const char *data);
+int OBJ_NAME_remove(const char *name,int type);
+void OBJ_NAME_cleanup(int type); /* -1 for everything */
+
+ASN1_OBJECT *	OBJ_dup(ASN1_OBJECT *o);
+ASN1_OBJECT *	OBJ_nid2obj(int n);
+const char *	OBJ_nid2ln(int n);
+const char *	OBJ_nid2sn(int n);
+int		OBJ_obj2nid(ASN1_OBJECT *o);
+ASN1_OBJECT *	OBJ_txt2obj(const char *s, int no_name);
+int	OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name);
+int		OBJ_txt2nid(char *s);
+int		OBJ_ln2nid(const char *s);
+int		OBJ_sn2nid(const char *s);
+int		OBJ_cmp(ASN1_OBJECT *a,ASN1_OBJECT *b);
+char *		OBJ_bsearch(char *key,char *base,int num,int size,int (*cmp)());
+
+void		ERR_load_OBJ_strings(void );
+
+int		OBJ_new_nid(int num);
+int		OBJ_add_object(ASN1_OBJECT *obj);
+int		OBJ_create(char *oid,char *sn,char *ln);
+void		OBJ_cleanup(void );
+int		OBJ_create_objects(BIO *in);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the OBJ functions. */
+
+/* Function codes. */
+#define OBJ_F_OBJ_CREATE				 100
+#define OBJ_F_OBJ_DUP					 101
+#define OBJ_F_OBJ_NID2LN				 102
+#define OBJ_F_OBJ_NID2OBJ				 103
+#define OBJ_F_OBJ_NID2SN				 104
+
+/* Reason codes. */
+#define OBJ_R_MALLOC_FAILURE				 100
+#define OBJ_R_UNKNOWN_NID				 101
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/objects/objects.txt b/crypto/openssl/crypto/objects/objects.txt
new file mode 100644
index 0000000..cb276e9
--- /dev/null
+++ b/crypto/openssl/crypto/objects/objects.txt
@@ -0,0 +1,40 @@
+1 2			: ISO member bodies
+1 2 840			: US (ANSI)
+1 2 840 113549		: rsadsi	: RSA Data Security, Inc.
+1 2 840 113549 1	: pkcs		: RSA Data Security, Inc. PKCS
+1 2 840 113549 1 1 1	: rsaEncryption
+1 2 840 113549 1 1 2	: md2withRSAEncryption
+1 2 840 113549 1 1 4	: md5withRSAEncryption
+1 2 840 113549 1 7	: pkcs-7
+1 2 840 113549 1 7 1	: pkcs-7-data
+1 2 840 113549 1 7 2	: pkcs-7-signedData
+1 2 840 113549 1 7 3	: pkcs-7-envelopedData
+1 2 840 113549 1 7 4	: pkcs-7-signedAndEnvelopedData
+1 2 840 113549 1 7 5	: pkcs-7-digestData
+1 2 840 113549 1 7 6	: pkcs-7-encryptedData
+1 2 840 113549 2 2	: md2
+1 2 840 113549 2 4	: md4
+1 2 840 113549 2 5	: md5
+1 2 840 113549 3 4	: rc4
+1 2 840 113549 5 1	: pbeWithMD2AndDES_CBC
+1 2 840 113549 5 3	: pbeWithMD5AndDES_CBC
+2 5			: X500		: directory services (X.500)
+2 5 4			: X509
+2 5 4 3			: commonName
+2 5 4 6			: countryName
+2 5 4 7			: localityName
+2 5 4 8			: stateOrProvinceName
+2 5 4 10		: organizationName
+2 5 4 11		: organizationalUnitName
+2 5 8			: directory services - algorithms
+2 5 8 1 1		: rsa
+
+algorithm 18		: sha
+encryptionAlgorithm 1	: rsa
+algorithm 11		: rsaSignature
+
+algorithm 6		: desECB
+algorithm 7		: desCBC
+algorithm 8		: desOFB
+algorithm 9		: desCFB
+algorithm 17		: desEDE2
diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h
new file mode 100644
index 0000000..2c6ddae
--- /dev/null
+++ b/crypto/openssl/crypto/opensslconf.h
@@ -0,0 +1,167 @@
+/* opensslconf.h */
+/* WARNING: Generated automatically from opensslconf.h.in by Configure. */
+
+/* OpenSSL was configured with the following options: */
+#ifdef OPENSSL_ALGORITHM_DEFINES
+   /* no ciphers excluded */
+#endif
+#ifdef OPENSSL_THREAD_DEFINES
+#endif
+#ifdef OPENSSL_OTHER_DEFINES
+#endif
+
+/* crypto/opensslconf.h.in */
+
+/* Generate 80386 code? */
+#undef I386_ONLY
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/usr/local/ssl"
+#endif
+#endif
+
+#define OPENSSL_UNISTD <unistd.h>
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#undef DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+   even newer MIPS CPU's, but at the moment one size fits all for
+   optimization options.  Older Sparc's work better with only UNROLL, but
+   there's no way to tell at compile time what it is you're running on */
+ 
+#if defined( sun )		/* Newer Sparc's */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#elif defined( __ultrix )	/* Older MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( __osf1__ )	/* Alpha */
+#  define DES_PTR
+#  define DES_RISC2
+#elif defined ( _AIX )		/* RS6000 */
+  /* Unknown */
+#elif defined( __hpux )		/* HP-PA */
+  /* Unknown */
+#elif defined( __aux )		/* 68K */
+  /* Unknown */
+#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
+#  define DES_UNROLL
+#elif defined( __sgi )		/* Newer MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( i386 )		/* x86 boxes, should be gcc */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/crypto/openssl/crypto/opensslconf.h.in b/crypto/openssl/crypto/opensslconf.h.in
new file mode 100644
index 0000000..1b85ae5
--- /dev/null
+++ b/crypto/openssl/crypto/opensslconf.h.in
@@ -0,0 +1,155 @@
+/* crypto/opensslconf.h.in */
+
+/* Generate 80386 code? */
+#undef I386_ONLY
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/usr/local/ssl"
+#endif
+#endif
+
+#define OPENSSL_UNISTD <unistd.h>
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#undef DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+   even newer MIPS CPU's, but at the moment one size fits all for
+   optimization options.  Older Sparc's work better with only UNROLL, but
+   there's no way to tell at compile time what it is you're running on */
+ 
+#if defined( sun )		/* Newer Sparc's */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#elif defined( __ultrix )	/* Older MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( __osf1__ )	/* Alpha */
+#  define DES_PTR
+#  define DES_RISC2
+#elif defined ( _AIX )		/* RS6000 */
+  /* Unknown */
+#elif defined( __hpux )		/* HP-PA */
+  /* Unknown */
+#elif defined( __aux )		/* 68K */
+  /* Unknown */
+#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
+#  define DES_UNROLL
+#elif defined( __sgi )		/* Newer MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( i386 )		/* x86 boxes, should be gcc */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
new file mode 100644
index 0000000..55ec973
--- /dev/null
+++ b/crypto/openssl/crypto/opensslv.h
@@ -0,0 +1,32 @@
+#ifndef HEADER_OPENSSLV_H
+#define HEADER_OPENSSLV_H
+
+/* Numeric release version identifier:
+ * MMNNFFPPS: major minor fix patch status
+ * The status nibble has one of the values 0 for development, 1 to e for betas
+ * 1 to 14, and f for release.  The patch level is exactly that.
+ * For example:
+ * 0.9.3-dev	  0x00903000
+ * 0.9.3-beta1	  0x00903001
+ * 0.9.3-beta2-dev 0x00903002
+ * 0.9.3-beta2    0x00903002 (same as ...beta2-dev)
+ * 0.9.3	  0x0090300f
+ * 0.9.3a	  0x0090301f
+ * 0.9.4 	  0x0090400f
+ * 1.2.3z	  0x102031af
+ *
+ * For continuity reasons (because 0.9.5 is already out, and is coded
+ * 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level
+ * part is slightly different, by setting the highest bit.  This means
+ * that 0.9.5a looks like this: 0x0090581f.  At 0.9.6, we can start
+ * with 0x0090600S...
+ *
+ * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ *  major minor fix final patch/beta)
+ */
+#define OPENSSL_VERSION_NUMBER	0x0090581fL
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.5a 1 Apr 2000"
+#define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
+
+#endif /* HEADER_OPENSSLV_H */
diff --git a/crypto/openssl/crypto/pem/Makefile.save b/crypto/openssl/crypto/pem/Makefile.save
new file mode 100644
index 0000000..b4e7524
--- /dev/null
+++ b/crypto/openssl/crypto/pem/Makefile.save
@@ -0,0 +1,188 @@
+#
+# SSLeay/crypto/pem/Makefile
+#
+
+DIR=	pem
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c
+
+LIBOBJ=	pem_sign.o pem_seal.o pem_info.o pem_lib.o pem_all.o pem_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= pem.h pem2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links: $(EXHEADER)
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pem_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_all.o: ../cryptlib.h
+pem_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pem_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pem_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pem_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_err.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_info.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_info.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_info.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_info.o: ../cryptlib.h
+pem_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+pem_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_lib.o: ../cryptlib.h
+pem_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_seal.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_seal.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_seal.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pem_seal.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pem_seal.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_seal.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pem_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pem_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_sign.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_sign.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pem_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pem_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_sign.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pem_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl
new file mode 100644
index 0000000..b4e7524
--- /dev/null
+++ b/crypto/openssl/crypto/pem/Makefile.ssl
@@ -0,0 +1,188 @@
+#
+# SSLeay/crypto/pem/Makefile
+#
+
+DIR=	pem
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c
+
+LIBOBJ=	pem_sign.o pem_seal.o pem_info.o pem_lib.o pem_all.o pem_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= pem.h pem2.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links: $(EXHEADER)
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pem_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_all.o: ../cryptlib.h
+pem_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pem_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pem_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pem_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_err.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_info.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_info.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_info.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_info.o: ../cryptlib.h
+pem_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+pem_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pem_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pem_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_lib.o: ../cryptlib.h
+pem_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_seal.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_seal.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_seal.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pem_seal.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pem_seal.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_seal.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pem_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pem_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pem_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pem_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pem_sign.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_sign.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pem_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pem_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_sign.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pem_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/pem/message b/crypto/openssl/crypto/pem/message
new file mode 100644
index 0000000..e8bf9d7
--- /dev/null
+++ b/crypto/openssl/crypto/pem/message
@@ -0,0 +1,16 @@
+-----BEGIN PRIVACY-ENHANCED MESSAGE-----
+Proc-Type: 4,ENCRYPTED
+Proc-Type: 4,MIC-ONLY
+Proc-Type: 4,MIC-CLEAR
+Content-Domain: RFC822
+DEK-Info: DES-CBC,0123456789abcdef
+Originator-Certificate
+ xxxx
+Issuer-Certificate
+ xxxx
+MIC-Info: RSA-MD5,RSA,
+ xxxx
+
+
+-----END PRIVACY-ENHANCED MESSAGE-----
+
diff --git a/crypto/openssl/crypto/pem/pem.h b/crypto/openssl/crypto/pem/pem.h
new file mode 100644
index 0000000..e4bae0b
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem.h
@@ -0,0 +1,663 @@
+/* crypto/pem/pem.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_PEM_H
+#define HEADER_PEM_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem2.h>
+
+#define PEM_BUFSIZE		1024
+
+#define PEM_OBJ_UNDEF		0
+#define PEM_OBJ_X509		1
+#define PEM_OBJ_X509_REQ	2
+#define PEM_OBJ_CRL		3
+#define PEM_OBJ_SSL_SESSION	4
+#define PEM_OBJ_PRIV_KEY	10
+#define PEM_OBJ_PRIV_RSA	11
+#define PEM_OBJ_PRIV_DSA	12
+#define PEM_OBJ_PRIV_DH		13
+#define PEM_OBJ_PUB_RSA		14
+#define PEM_OBJ_PUB_DSA		15
+#define PEM_OBJ_PUB_DH		16
+#define PEM_OBJ_DHPARAMS	17
+#define PEM_OBJ_DSAPARAMS	18
+#define PEM_OBJ_PRIV_RSA_PUBLIC	19
+
+#define PEM_ERROR		30
+#define PEM_DEK_DES_CBC         40
+#define PEM_DEK_IDEA_CBC        45
+#define PEM_DEK_DES_EDE         50
+#define PEM_DEK_DES_ECB         60
+#define PEM_DEK_RSA             70
+#define PEM_DEK_RSA_MD2         80
+#define PEM_DEK_RSA_MD5         90
+
+#define PEM_MD_MD2		NID_md2
+#define PEM_MD_MD5		NID_md5
+#define PEM_MD_SHA		NID_sha
+#define PEM_MD_MD2_RSA		NID_md2WithRSAEncryption
+#define PEM_MD_MD5_RSA		NID_md5WithRSAEncryption
+#define PEM_MD_SHA_RSA		NID_sha1WithRSAEncryption
+
+#define PEM_STRING_X509_OLD	"X509 CERTIFICATE"
+#define PEM_STRING_X509		"CERTIFICATE"
+#define PEM_STRING_X509_TRUSTED	"TRUSTED CERTIFICATE"
+#define PEM_STRING_X509_REQ_OLD	"NEW CERTIFICATE REQUEST"
+#define PEM_STRING_X509_REQ	"CERTIFICATE REQUEST"
+#define PEM_STRING_X509_CRL	"X509 CRL"
+#define PEM_STRING_EVP_PKEY	"ANY PRIVATE KEY"
+#define PEM_STRING_PUBLIC	"PUBLIC KEY"
+#define PEM_STRING_RSA		"RSA PRIVATE KEY"
+#define PEM_STRING_RSA_PUBLIC	"RSA PUBLIC KEY"
+#define PEM_STRING_DSA		"DSA PRIVATE KEY"
+#define PEM_STRING_DSA_PUBLIC	"DSA PUBLIC KEY"
+#define PEM_STRING_PKCS7	"PKCS7"
+#define PEM_STRING_PKCS8	"ENCRYPTED PRIVATE KEY"
+#define PEM_STRING_PKCS8INF	"PRIVATE KEY"
+#define PEM_STRING_DHPARAMS	"DH PARAMETERS"
+#define PEM_STRING_SSL_SESSION	"SSL SESSION PARAMETERS"
+#define PEM_STRING_DSAPARAMS	"DSA PARAMETERS"
+
+
+typedef struct PEM_Encode_Seal_st
+	{
+	EVP_ENCODE_CTX encode;
+	EVP_MD_CTX md;
+	EVP_CIPHER_CTX cipher;
+	} PEM_ENCODE_SEAL_CTX;
+
+/* enc_type is one off */
+#define PEM_TYPE_ENCRYPTED      10
+#define PEM_TYPE_MIC_ONLY       20
+#define PEM_TYPE_MIC_CLEAR      30
+#define PEM_TYPE_CLEAR		40
+
+typedef struct pem_recip_st
+	{
+	char *name;
+	X509_NAME *dn;
+
+	int cipher;
+	int key_enc;
+	char iv[8];
+	} PEM_USER;
+
+typedef struct pem_ctx_st
+	{
+	int type;		/* what type of object */
+
+	struct	{
+		int version;	
+		int mode;		
+		} proc_type;
+
+	char *domain;
+
+	struct	{
+		int cipher;
+		unsigned char iv[8];
+		} DEK_info;
+		
+	PEM_USER *originator;
+
+	int num_recipient;
+	PEM_USER **recipient;
+
+#ifdef HEADER_STACK_H
+	STACK *x509_chain;	/* certificate chain */
+#else
+	char *x509_chain;	/* certificate chain */
+#endif
+	EVP_MD *md;		/* signature type */
+
+	int md_enc;		/* is the md encrypted or not? */
+	int md_len;		/* length of md_data */
+	char *md_data;		/* message digest, could be pkey encrypted */
+
+	EVP_CIPHER *dec;	/* date encryption cipher */
+	int key_len;		/* key length */
+	unsigned char *key;	/* key */
+	unsigned char iv[8];	/* the iv */
+
+	
+	int  data_enc;		/* is the data encrypted */
+	int data_len;
+	unsigned char *data;
+	} PEM_CTX;
+
+/* These macros make the PEM_read/PEM_write functions easier to maintain and
+ * write. Now they are all implemented with either:
+ * IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...)
+ */
+
+#ifdef NO_FP_API
+
+#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/
+#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/
+#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/
+
+#else
+
+#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) \
+type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u)\
+{ \
+return((type *)PEM_ASN1_read((char *(*)())d2i_##asn1, str,fp,(char **)x,\
+	cb,u)); \
+} \
+
+#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \
+int PEM_write_##name(FILE *fp, type *x) \
+{ \
+return(PEM_ASN1_write((int (*)())i2d_##asn1,str,fp, (char *)x, \
+							 NULL,NULL,0,NULL,NULL)); \
+} 
+
+#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \
+int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, \
+		  void *u) \
+	{ \
+	return(PEM_ASN1_write((int (*)())i2d_##asn1,str,fp, \
+		(char *)x,enc,kstr,klen,cb,u)); \
+	}
+
+#endif
+
+#define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
+type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u)\
+{ \
+return((type *)PEM_ASN1_read_bio((char *(*)())d2i_##asn1, str,bp,\
+							(char **)x,cb,u)); \
+}
+
+#define IMPLEMENT_PEM_write_bio(name, type, str, asn1) \
+int PEM_write_bio_##name(BIO *bp, type *x) \
+{ \
+return(PEM_ASN1_write_bio((int (*)())i2d_##asn1,str,bp, (char *)x, \
+							 NULL,NULL,0,NULL,NULL)); \
+}
+
+#define IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \
+int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u) \
+	{ \
+	return(PEM_ASN1_write_bio((int (*)())i2d_##asn1,str,bp, \
+		(char *)x,enc,kstr,klen,cb,u)); \
+	}
+
+#define IMPLEMENT_PEM_write(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_bio(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_fp(name, type, str, asn1) 
+
+#define IMPLEMENT_PEM_write_cb(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) 
+
+#define IMPLEMENT_PEM_read(name, type, str, asn1) \
+	IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
+	IMPLEMENT_PEM_read_fp(name, type, str, asn1) 
+
+#define IMPLEMENT_PEM_rw(name, type, str, asn1) \
+	IMPLEMENT_PEM_read(name, type, str, asn1) \
+	IMPLEMENT_PEM_write(name, type, str, asn1)
+
+#define IMPLEMENT_PEM_rw_cb(name, type, str, asn1) \
+	IMPLEMENT_PEM_read(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_cb(name, type, str, asn1)
+
+/* These are the same except they are for the declarations */
+
+#if defined(WIN16) || defined(NO_FP_API)
+
+#define DECLARE_PEM_read_fp(name, type) /**/
+#define DECLARE_PEM_write_fp(name, type) /**/
+#define DECLARE_PEM_write_cb_fp(name, type) /**/
+
+#else
+
+#define DECLARE_PEM_read_fp(name, type) \
+	type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u);
+
+#define DECLARE_PEM_write_fp(name, type) \
+	int PEM_write_##name(FILE *fp, type *x);
+
+#define DECLARE_PEM_write_cb_fp(name, type) \
+	int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
+
+#endif
+
+#ifdef HEADER_BIO_H
+#define DECLARE_PEM_read_bio(name, type) \
+	type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u);
+
+#define DECLARE_PEM_write_bio(name, type) \
+	int PEM_write_bio_##name(BIO *bp, type *x);
+
+#define DECLARE_PEM_write_cb_bio(name, type) \
+	int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
+
+#else
+
+#define DECLARE_PEM_read_bio(name, type) /**/
+#define DECLARE_PEM_write_bio(name, type) /**/
+#define DECLARE_PEM_write_cb_bio(name, type) /**/
+
+#endif
+
+#define DECLARE_PEM_write(name, type) \
+	DECLARE_PEM_write_bio(name, type) \
+	DECLARE_PEM_write_fp(name, type) 
+
+#define DECLARE_PEM_write_cb(name, type) \
+	DECLARE_PEM_write_cb_bio(name, type) \
+	DECLARE_PEM_write_cb_fp(name, type) 
+
+#define DECLARE_PEM_read(name, type) \
+	DECLARE_PEM_read_bio(name, type) \
+	DECLARE_PEM_read_fp(name, type)
+
+#define DECLARE_PEM_rw(name, type) \
+	DECLARE_PEM_read(name, type) \
+	DECLARE_PEM_write(name, type)
+
+#define DECLARE_PEM_rw_cb(name, type) \
+	DECLARE_PEM_read(name, type) \
+	DECLARE_PEM_write_cb(name, type)
+
+#ifdef SSLEAY_MACROS
+
+#define PEM_write_SSL_SESSION(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
+			PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_X509(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \
+			(char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_X509_REQ(fp,x) PEM_ASN1_write( \
+		(int (*)())i2d_X509_REQ,PEM_STRING_X509_REQ,fp,(char *)x, \
+			NULL,NULL,0,NULL,NULL)
+#define PEM_write_X509_CRL(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_X509_CRL,PEM_STRING_X509_CRL, \
+			fp,(char *)x, NULL,NULL,0,NULL,NULL)
+#define	PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,fp,\
+			(char *)x,enc,kstr,klen,cb,u)
+#define	PEM_write_RSAPublicKey(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_RSAPublicKey,\
+			PEM_STRING_RSA_PUBLIC,fp,(char *)x,NULL,NULL,0,NULL,NULL)
+#define	PEM_write_DSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write((int (*)())i2d_DSAPrivateKey,PEM_STRING_DSA,fp,\
+			(char *)x,enc,kstr,klen,cb,u)
+#define	PEM_write_PrivateKey(bp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write((int (*)())i2d_PrivateKey,\
+		(((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),\
+			bp,(char *)x,enc,kstr,klen,cb,u)
+#define PEM_write_PKCS7(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_PKCS7,PEM_STRING_PKCS7,fp, \
+			(char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_DHparams(fp,x) \
+		PEM_ASN1_write((int (*)())i2d_DHparams,PEM_STRING_DHPARAMS,fp,\
+			(char *)x,NULL,NULL,0,NULL,NULL)
+
+#define PEM_write_NETSCAPE_CERT_SEQUENCE(fp,x) \
+                PEM_ASN1_write((int (*)())i2d_NETSCAPE_CERT_SEQUENCE, \
+			PEM_STRING_X509,fp, \
+                        (char *)x, NULL,NULL,0,NULL,NULL)
+
+#define	PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
+	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
+#define	PEM_read_X509(fp,x,cb,u) (X509 *)PEM_ASN1_read( \
+	(char *(*)())d2i_X509,PEM_STRING_X509,fp,(char **)x,cb,u)
+#define	PEM_read_X509_REQ(fp,x,cb,u) (X509_REQ *)PEM_ASN1_read( \
+	(char *(*)())d2i_X509_REQ,PEM_STRING_X509_REQ,fp,(char **)x,cb,u)
+#define	PEM_read_X509_CRL(fp,x,cb,u) (X509_CRL *)PEM_ASN1_read( \
+	(char *(*)())d2i_X509_CRL,PEM_STRING_X509_CRL,fp,(char **)x,cb,u)
+#define	PEM_read_RSAPrivateKey(fp,x,cb,u) (RSA *)PEM_ASN1_read( \
+	(char *(*)())d2i_RSAPrivateKey,PEM_STRING_RSA,fp,(char **)x,cb,u)
+#define	PEM_read_RSAPublicKey(fp,x,cb,u) (RSA *)PEM_ASN1_read( \
+	(char *(*)())d2i_RSAPublicKey,PEM_STRING_RSA_PUBLIC,fp,(char **)x,cb,u)
+#define	PEM_read_DSAPrivateKey(fp,x,cb,u) (DSA *)PEM_ASN1_read( \
+	(char *(*)())d2i_DSAPrivateKey,PEM_STRING_DSA,fp,(char **)x,cb,u)
+#define	PEM_read_PrivateKey(fp,x,cb,u) (EVP_PKEY *)PEM_ASN1_read( \
+	(char *(*)())d2i_PrivateKey,PEM_STRING_EVP_PKEY,fp,(char **)x,cb,u)
+#define	PEM_read_PKCS7(fp,x,cb,u) (PKCS7 *)PEM_ASN1_read( \
+	(char *(*)())d2i_PKCS7,PEM_STRING_PKCS7,fp,(char **)x,cb,u)
+#define	PEM_read_DHparams(fp,x,cb,u) (DH *)PEM_ASN1_read( \
+	(char *(*)())d2i_DHparams,PEM_STRING_DHPARAMS,fp,(char **)x,cb,u)
+
+#define PEM_read_NETSCAPE_CERT_SEQUENCE(fp,x,cb,u) \
+		(NETSCAPE_CERT_SEQUENCE *)PEM_ASN1_read( \
+        (char *(*)())d2i_NETSCAPE_CERT_SEQUENCE,PEM_STRING_X509,fp,\
+							(char **)x,cb,u)
+
+#define PEM_write_bio_SSL_SESSION(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
+			PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_X509(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_X509,PEM_STRING_X509,bp, \
+			(char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_X509_REQ(bp,x) PEM_ASN1_write_bio( \
+		(int (*)())i2d_X509_REQ,PEM_STRING_X509_REQ,bp,(char *)x, \
+			NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_X509_CRL(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_X509_CRL,PEM_STRING_X509_CRL,\
+			bp,(char *)x, NULL,NULL,0,NULL,NULL)
+#define	PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write_bio((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,\
+			bp,(char *)x,enc,kstr,klen,cb,u)
+#define	PEM_write_bio_RSAPublicKey(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_RSAPublicKey, \
+			PEM_STRING_RSA_PUBLIC,\
+			bp,(char *)x,NULL,NULL,0,NULL,NULL)
+#define	PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write_bio((int (*)())i2d_DSAPrivateKey,PEM_STRING_DSA,\
+			bp,(char *)x,enc,kstr,klen,cb,u)
+#define	PEM_write_bio_PrivateKey(bp,x,enc,kstr,klen,cb,u) \
+		PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,\
+		(((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),\
+			bp,(char *)x,enc,kstr,klen,cb,u)
+#define PEM_write_bio_PKCS7(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_PKCS7,PEM_STRING_PKCS7,bp, \
+			(char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_DHparams(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_DHparams,PEM_STRING_DHPARAMS,\
+			bp,(char *)x,NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_DSAparams(bp,x) \
+		PEM_ASN1_write_bio((int (*)())i2d_DSAparams, \
+			PEM_STRING_DSAPARAMS,bp,(char *)x,NULL,NULL,0,NULL,NULL)
+
+#define PEM_write_bio_NETSCAPE_CERT_SEQUENCE(bp,x) \
+                PEM_ASN1_write_bio((int (*)())i2d_NETSCAPE_CERT_SEQUENCE, \
+			PEM_STRING_X509,bp, \
+                        (char *)x, NULL,NULL,0,NULL,NULL)
+
+#define	PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
+#define	PEM_read_bio_X509(bp,x,cb,u) (X509 *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_X509,PEM_STRING_X509,bp,(char **)x,cb,u)
+#define	PEM_read_bio_X509_REQ(bp,x,cb,u) (X509_REQ *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_X509_REQ,PEM_STRING_X509_REQ,bp,(char **)x,cb,u)
+#define	PEM_read_bio_X509_CRL(bp,x,cb,u) (X509_CRL *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_X509_CRL,PEM_STRING_X509_CRL,bp,(char **)x,cb,u)
+#define	PEM_read_bio_RSAPrivateKey(bp,x,cb,u) (RSA *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_RSAPrivateKey,PEM_STRING_RSA,bp,(char **)x,cb,u)
+#define	PEM_read_bio_RSAPublicKey(bp,x,cb,u) (RSA *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_RSAPublicKey,PEM_STRING_RSA_PUBLIC,bp,(char **)x,cb,u)
+#define	PEM_read_bio_DSAPrivateKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_DSAPrivateKey,PEM_STRING_DSA,bp,(char **)x,cb,u)
+#define	PEM_read_bio_PrivateKey(bp,x,cb,u) (EVP_PKEY *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_PrivateKey,PEM_STRING_EVP_PKEY,bp,(char **)x,cb,u)
+
+#define	PEM_read_bio_PKCS7(bp,x,cb,u) (PKCS7 *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_PKCS7,PEM_STRING_PKCS7,bp,(char **)x,cb,u)
+#define	PEM_read_bio_DHparams(bp,x,cb,u) (DH *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_DHparams,PEM_STRING_DHPARAMS,bp,(char **)x,cb,u)
+#define	PEM_read_bio_DSAparams(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_DSAparams,PEM_STRING_DSAPARAMS,bp,(char **)x,cb,u)
+
+#define PEM_read_bio_NETSCAPE_CERT_SEQUENCE(bp,x,cb,u) \
+		(NETSCAPE_CERT_SEQUENCE *)PEM_ASN1_read_bio( \
+        (char *(*)())d2i_NETSCAPE_CERT_SEQUENCE,PEM_STRING_X509,bp,\
+							(char **)x,cb,u)
+
+#endif
+
+#if 1
+/* "userdata": new with OpenSSL 0.9.4 */
+typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);
+#else
+/* OpenSSL 0.9.3, 0.9.3a */
+typedef int pem_password_cb(char *buf, int size, int rwflag);
+#endif
+
+int	PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher);
+int	PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len,
+	pem_password_cb *callback,void *u);
+
+#ifdef HEADER_BIO_H
+int	PEM_read_bio(BIO *bp, char **name, char **header,
+		unsigned char **data,long *len);
+int	PEM_write_bio(BIO *bp,const char *name,char *hdr,unsigned char *data,
+		long len);
+char *	PEM_ASN1_read_bio(char *(*d2i)(),const char *name,BIO *bp,char **x,
+		pem_password_cb *cb, void *u);
+int	PEM_ASN1_write_bio(int (*i2d)(),const char *name,BIO *bp,char *x,
+			   const EVP_CIPHER *enc,unsigned char *kstr,int klen,
+			   pem_password_cb *cb, void *u);
+STACK_OF(X509_INFO) *	PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
+int	PEM_X509_INFO_write_bio(BIO *bp,X509_INFO *xi, EVP_CIPHER *enc,
+		unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
+#endif
+
+#ifndef WIN16
+int	PEM_read(FILE *fp, char **name, char **header,
+		unsigned char **data,long *len);
+int	PEM_write(FILE *fp,char *name,char *hdr,unsigned char *data,long len);
+char *	PEM_ASN1_read(char *(*d2i)(),const char *name,FILE *fp,char **x,
+	pem_password_cb *cb, void *u);
+int	PEM_ASN1_write(int (*i2d)(),const char *name,FILE *fp,char *x,
+		       const EVP_CIPHER *enc,unsigned char *kstr,int klen,
+		       pem_password_cb *callback, void *u);
+STACK_OF(X509_INFO) *	PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
+	pem_password_cb *cb, void *u);
+#endif
+
+int	PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type,
+		EVP_MD *md_type, unsigned char **ek, int *ekl,
+		unsigned char *iv, EVP_PKEY **pubk, int npubk);
+void	PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
+		unsigned char *in, int inl);
+int	PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig,int *sigl,
+		unsigned char *out, int *outl, EVP_PKEY *priv);
+
+void    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
+void    PEM_SignUpdate(EVP_MD_CTX *ctx,unsigned char *d,unsigned int cnt);
+int	PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+		unsigned int *siglen, EVP_PKEY *pkey);
+
+void	ERR_load_PEM_strings(void);
+
+void	PEM_proc_type(char *buf, int type);
+void	PEM_dek_info(char *buf, const char *type, int len, char *str);
+
+#ifndef SSLEAY_MACROS
+
+#ifdef VMS
+#include <openssl/vms_idhacks.h>
+#endif
+
+DECLARE_PEM_rw(X509, X509)
+
+DECLARE_PEM_rw(X509_AUX, X509)
+
+DECLARE_PEM_rw(X509_REQ, X509_REQ)
+DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
+
+DECLARE_PEM_rw(X509_CRL, X509_CRL)
+
+DECLARE_PEM_rw(PKCS7, PKCS7)
+
+DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE)
+
+DECLARE_PEM_rw(PKCS8, X509_SIG)
+
+DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
+
+#ifndef NO_RSA
+
+DECLARE_PEM_rw_cb(RSAPrivateKey, RSA)
+
+DECLARE_PEM_rw(RSAPublicKey, RSA)
+DECLARE_PEM_rw(RSA_PUBKEY, RSA)
+
+#endif
+
+#ifndef NO_DSA
+
+DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
+
+DECLARE_PEM_rw(DSA_PUBKEY, DSA)
+
+DECLARE_PEM_rw(DSAparams, DSA)
+
+#endif
+
+#ifndef NO_DH
+
+DECLARE_PEM_rw(DHparams, DH)
+
+#endif
+
+DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY)
+
+DECLARE_PEM_rw(PUBKEY, EVP_PKEY)
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+                                  char *, int, pem_password_cb *, void *);
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
+
+int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
+			      char *kstr,int klen, pem_password_cb *cd, void *u);
+
+#endif /* SSLEAY_MACROS */
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the PEM functions. */
+
+/* Function codes. */
+#define PEM_F_D2I_PKCS8PRIVATEKEY_BIO			 120
+#define PEM_F_D2I_PKCS8PRIVATEKEY_FP			 121
+#define PEM_F_DEF_CALLBACK				 100
+#define PEM_F_LOAD_IV					 101
+#define PEM_F_PEM_ASN1_READ				 102
+#define PEM_F_PEM_ASN1_READ_BIO				 103
+#define PEM_F_PEM_ASN1_WRITE				 104
+#define PEM_F_PEM_ASN1_WRITE_BIO			 105
+#define PEM_F_PEM_DO_HEADER				 106
+#define PEM_F_PEM_F_DO_PK8KEY_FP			 122
+#define PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY		 118
+#define PEM_F_PEM_GET_EVP_CIPHER_INFO			 107
+#define PEM_F_PEM_READ					 108
+#define PEM_F_PEM_READ_BIO				 109
+#define PEM_F_PEM_SEALFINAL				 110
+#define PEM_F_PEM_SEALINIT				 111
+#define PEM_F_PEM_SIGNFINAL				 112
+#define PEM_F_PEM_WRITE					 113
+#define PEM_F_PEM_WRITE_BIO				 114
+#define PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY		 119
+#define PEM_F_PEM_X509_INFO_READ			 115
+#define PEM_F_PEM_X509_INFO_READ_BIO			 116
+#define PEM_F_PEM_X509_INFO_WRITE_BIO			 117
+
+/* Reason codes. */
+#define PEM_R_BAD_BASE64_DECODE				 100
+#define PEM_R_BAD_DECRYPT				 101
+#define PEM_R_BAD_END_LINE				 102
+#define PEM_R_BAD_IV_CHARS				 103
+#define PEM_R_BAD_PASSWORD_READ				 104
+#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY		 115
+#define PEM_R_NOT_DEK_INFO				 105
+#define PEM_R_NOT_ENCRYPTED				 106
+#define PEM_R_NOT_PROC_TYPE				 107
+#define PEM_R_NO_START_LINE				 108
+#define PEM_R_PROBLEMS_GETTING_PASSWORD			 109
+#define PEM_R_PUBLIC_KEY_NO_RSA				 110
+#define PEM_R_READ_KEY					 111
+#define PEM_R_SHORT_HEADER				 112
+#define PEM_R_UNSUPPORTED_CIPHER			 113
+#define PEM_R_UNSUPPORTED_ENCRYPTION			 114
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/pem/pem2.h b/crypto/openssl/crypto/pem/pem2.h
new file mode 100644
index 0000000..4a016aa
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem2.h
@@ -0,0 +1,60 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This header only exists to break a circular dependency between pem and err
+ * Ben 30 Jan 1999.
+ */
+
+void ERR_load_PEM_strings(void);
diff --git a/crypto/openssl/crypto/pem/pem_all.c b/crypto/openssl/crypto/pem/pem_all.c
new file mode 100644
index 0000000..dc9c35b
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_all.c
@@ -0,0 +1,203 @@
+/* crypto/pem/pem_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+#ifndef NO_RSA
+static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
+#endif
+#ifndef NO_DSA
+static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa);
+#endif
+
+IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
+
+IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
+
+IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
+
+IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
+
+IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)
+
+IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
+
+IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
+					PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
+
+IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
+IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
+							 PKCS8_PRIV_KEY_INFO)
+
+#ifndef NO_RSA
+
+/* We treat RSA or DSA private keys as a special case.
+ *
+ * For private keys we read in an EVP_PKEY structure with
+ * PEM_read_bio_PrivateKey() and extract the relevant private
+ * key: this means can handle "traditional" and PKCS#8 formats
+ * transparently.
+ */
+
+static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa)
+{
+	RSA *rtmp;
+	if(!key) return NULL;
+	rtmp = EVP_PKEY_get1_RSA(key);
+	EVP_PKEY_free(key);
+	if(!rtmp) return NULL;
+	if(rsa) {
+		RSA_free(*rsa);
+		*rsa = rtmp;
+	}
+	return rtmp;
+}
+
+RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
+	return pkey_get_rsa(pktmp, rsa);
+}
+
+#ifndef NO_FP_API
+
+RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
+	return pkey_get_rsa(pktmp, rsa);
+}
+
+#endif
+
+IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
+IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
+
+#endif
+
+#ifndef NO_DSA
+
+static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa)
+{
+	DSA *dtmp;
+	if(!key) return NULL;
+	dtmp = EVP_PKEY_get1_DSA(key);
+	EVP_PKEY_free(key);
+	if(!dtmp) return NULL;
+	if(dsa) {
+		DSA_free(*dsa);
+		*dsa = dtmp;
+	}
+	return dtmp;
+}
+
+DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
+	return pkey_get_dsa(pktmp, dsa);
+}
+
+IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
+
+#ifndef NO_FP_API
+
+DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
+	return pkey_get_dsa(pktmp, dsa);
+}
+
+#endif
+
+IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
+
+#endif
+
+#ifndef NO_DH
+
+IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
+
+#endif
+
+
+/* The PrivateKey case is not that straightforward.
+ *   IMPLEMENT_PEM_rw_cb(PrivateKey, EVP_PKEY, PEM_STRING_EVP_PKEY, PrivateKey)
+ * does not work, RSA and DSA keys have specific strings.
+ * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
+ * appropriate.)
+ */
+IMPLEMENT_PEM_read(PrivateKey, EVP_PKEY, PEM_STRING_EVP_PKEY, PrivateKey)
+IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
+
+IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
diff --git a/crypto/openssl/crypto/pem/pem_err.c b/crypto/openssl/crypto/pem/pem_err.c
new file mode 100644
index 0000000..8b1789b
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_err.c
@@ -0,0 +1,131 @@
+/* crypto/pem/pem_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PEM_str_functs[]=
+	{
+{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),	"d2i_PKCS8PrivateKey_bio"},
+{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0),	"d2i_PKCS8PrivateKey_fp"},
+{ERR_PACK(0,PEM_F_DEF_CALLBACK,0),	"DEF_CALLBACK"},
+{ERR_PACK(0,PEM_F_LOAD_IV,0),	"LOAD_IV"},
+{ERR_PACK(0,PEM_F_PEM_ASN1_READ,0),	"PEM_ASN1_read"},
+{ERR_PACK(0,PEM_F_PEM_ASN1_READ_BIO,0),	"PEM_ASN1_read_bio"},
+{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0),	"PEM_ASN1_write"},
+{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0),	"PEM_ASN1_write_bio"},
+{ERR_PACK(0,PEM_F_PEM_DO_HEADER,0),	"PEM_do_header"},
+{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0),	"PEM_F_DO_PK8KEY_FP"},
+{ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
+{ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0),	"PEM_get_EVP_CIPHER_INFO"},
+{ERR_PACK(0,PEM_F_PEM_READ,0),	"PEM_read"},
+{ERR_PACK(0,PEM_F_PEM_READ_BIO,0),	"PEM_read_bio"},
+{ERR_PACK(0,PEM_F_PEM_SEALFINAL,0),	"PEM_SealFinal"},
+{ERR_PACK(0,PEM_F_PEM_SEALINIT,0),	"PEM_SealInit"},
+{ERR_PACK(0,PEM_F_PEM_SIGNFINAL,0),	"PEM_SignFinal"},
+{ERR_PACK(0,PEM_F_PEM_WRITE,0),	"PEM_write"},
+{ERR_PACK(0,PEM_F_PEM_WRITE_BIO,0),	"PEM_write_bio"},
+{ERR_PACK(0,PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,0),	"PEM_write_bio_PKCS8PrivateKey"},
+{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ,0),	"PEM_X509_INFO_read"},
+{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ_BIO,0),	"PEM_X509_INFO_read_bio"},
+{ERR_PACK(0,PEM_F_PEM_X509_INFO_WRITE_BIO,0),	"PEM_X509_INFO_write_bio"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA PEM_str_reasons[]=
+	{
+{PEM_R_BAD_BASE64_DECODE                 ,"bad base64 decode"},
+{PEM_R_BAD_DECRYPT                       ,"bad decrypt"},
+{PEM_R_BAD_END_LINE                      ,"bad end line"},
+{PEM_R_BAD_IV_CHARS                      ,"bad iv chars"},
+{PEM_R_BAD_PASSWORD_READ                 ,"bad password read"},
+{PEM_R_ERROR_CONVERTING_PRIVATE_KEY      ,"error converting private key"},
+{PEM_R_NOT_DEK_INFO                      ,"not dek info"},
+{PEM_R_NOT_ENCRYPTED                     ,"not encrypted"},
+{PEM_R_NOT_PROC_TYPE                     ,"not proc type"},
+{PEM_R_NO_START_LINE                     ,"no start line"},
+{PEM_R_PROBLEMS_GETTING_PASSWORD         ,"problems getting password"},
+{PEM_R_PUBLIC_KEY_NO_RSA                 ,"public key no rsa"},
+{PEM_R_READ_KEY                          ,"read key"},
+{PEM_R_SHORT_HEADER                      ,"short header"},
+{PEM_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
+{PEM_R_UNSUPPORTED_ENCRYPTION            ,"unsupported encryption"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_PEM_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_PEM,PEM_str_functs);
+		ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c
new file mode 100644
index 0000000..b65239a
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_info.c
@@ -0,0 +1,364 @@
+/* crypto/pem/pem_info.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#ifndef NO_FP_API
+STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u)
+	{
+        BIO *b;
+        STACK_OF(X509_INFO) *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		PEMerr(PEM_F_PEM_X509_INFO_READ,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_X509_INFO_read_bio(b,sk,cb,u);
+        BIO_free(b);
+        return(ret);
+	}
+#endif
+
+STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u)
+	{
+	X509_INFO *xi=NULL;
+	char *name=NULL,*header=NULL,**pp;
+	unsigned char *data=NULL,*p;
+	long len,error=0;
+	int ok=0;
+	STACK_OF(X509_INFO) *ret=NULL;
+	unsigned int i,raw;
+	char *(*d2i)();
+
+	if (sk == NULL)
+		{
+		if ((ret=sk_X509_INFO_new_null()) == NULL)
+			{
+			PEMerr(PEM_F_PEM_X509_INFO_READ_BIO,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	else
+		ret=sk;
+
+	if ((xi=X509_INFO_new()) == NULL) goto err;
+	for (;;)
+		{
+		raw=0;
+		i=PEM_read_bio(bp,&name,&header,&data,&len);
+		if (i == 0)
+			{
+			error=ERR_GET_REASON(ERR_peek_error());
+			if (error == PEM_R_NO_START_LINE)
+				{
+				ERR_clear_error();
+				break;
+				}
+			goto err;
+			}
+start:
+		if (	(strcmp(name,PEM_STRING_X509) == 0) ||
+			(strcmp(name,PEM_STRING_X509_OLD) == 0))
+			{
+			d2i=(char *(*)())d2i_X509;
+			if (xi->x509 != NULL)
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+			pp=(char **)&(xi->x509);
+			}
+		else if ((strcmp(name,PEM_STRING_X509_TRUSTED) == 0))
+			{
+			d2i=(char *(*)())d2i_X509_AUX;
+			if (xi->x509 != NULL)
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+			pp=(char **)&(xi->x509);
+			}
+		else if (strcmp(name,PEM_STRING_X509_CRL) == 0)
+			{
+			d2i=(char *(*)())d2i_X509_CRL;
+			if (xi->crl != NULL)
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+			pp=(char **)&(xi->crl);
+			}
+		else
+#ifndef NO_RSA
+			if (strcmp(name,PEM_STRING_RSA) == 0)
+			{
+			d2i=(char *(*)())d2i_RSAPrivateKey;
+			if (xi->x_pkey != NULL) 
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+
+			xi->enc_data=NULL;
+			xi->enc_len=0;
+
+			xi->x_pkey=X509_PKEY_new();
+			if ((xi->x_pkey->dec_pkey=EVP_PKEY_new()) == NULL)
+				goto err;
+			xi->x_pkey->dec_pkey->type=EVP_PKEY_RSA;
+			pp=(char **)&(xi->x_pkey->dec_pkey->pkey.rsa);
+			if ((int)strlen(header) > 10) /* assume encrypted */
+				raw=1;
+			}
+		else
+#endif
+#ifndef NO_DSA
+			if (strcmp(name,PEM_STRING_DSA) == 0)
+			{
+			d2i=(char *(*)())d2i_DSAPrivateKey;
+			if (xi->x_pkey != NULL) 
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+
+			xi->enc_data=NULL;
+			xi->enc_len=0;
+
+			xi->x_pkey=X509_PKEY_new();
+			if ((xi->x_pkey->dec_pkey=EVP_PKEY_new()) == NULL)
+				goto err;
+			xi->x_pkey->dec_pkey->type=EVP_PKEY_DSA;
+			pp=(char **)&(xi->x_pkey->dec_pkey->pkey.dsa);
+			if ((int)strlen(header) > 10) /* assume encrypted */
+				raw=1;
+			}
+		else
+#endif
+			{
+			d2i=NULL;
+			pp=NULL;
+			}
+
+		if (d2i != NULL)
+			{
+			if (!raw)
+				{
+				EVP_CIPHER_INFO cipher;
+
+				if (!PEM_get_EVP_CIPHER_INFO(header,&cipher))
+					goto err;
+				if (!PEM_do_header(&cipher,data,&len,cb,u))
+					goto err;
+				p=data;
+				if (d2i(pp,&p,len) == NULL)
+					{
+					PEMerr(PEM_F_PEM_X509_INFO_READ_BIO,ERR_R_ASN1_LIB);
+					goto err;
+					}
+				}
+			else
+				{ /* encrypted RSA data */
+				if (!PEM_get_EVP_CIPHER_INFO(header,
+					&xi->enc_cipher)) goto err;
+				xi->enc_data=(char *)data;
+				xi->enc_len=(int)len;
+				data=NULL;
+				}
+			}
+		else	{
+			/* unknown */
+			}
+		if (name != NULL) Free(name);
+		if (header != NULL) Free(header);
+		if (data != NULL) Free(data);
+		name=NULL;
+		header=NULL;
+		data=NULL;
+		}
+
+	/* if the last one hasn't been pushed yet and there is anything
+	 * in it then add it to the stack ... 
+	 */
+	if ((xi->x509 != NULL) || (xi->crl != NULL) ||
+		(xi->x_pkey != NULL) || (xi->enc_data != NULL))
+		{
+		if (!sk_X509_INFO_push(ret,xi)) goto err;
+		xi=NULL;
+		}
+	ok=1;
+err:
+	if (xi != NULL) X509_INFO_free(xi);
+	if (!ok)
+		{
+		for (i=0; ((int)i)<sk_X509_INFO_num(ret); i++)
+			{
+			xi=sk_X509_INFO_value(ret,i);
+			X509_INFO_free(xi);
+			}
+		if (ret != sk) sk_X509_INFO_free(ret);
+		ret=NULL;
+		}
+		
+	if (name != NULL) Free(name);
+	if (header != NULL) Free(header);
+	if (data != NULL) Free(data);
+	return(ret);
+	}
+
+
+/* A TJH addition */
+int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
+	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
+	{
+	EVP_CIPHER_CTX ctx;
+	int i,ret=0;
+	unsigned char *data=NULL;
+	const char *objstr=NULL;
+	char buf[PEM_BUFSIZE];
+	unsigned char *iv=NULL;
+	
+	if (enc != NULL)
+		{
+		objstr=OBJ_nid2sn(EVP_CIPHER_nid(enc));
+		if (objstr == NULL)
+			{
+			PEMerr(PEM_F_PEM_X509_INFO_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER);
+			goto err;
+			}
+		}
+
+	/* now for the fun part ... if we have a private key then 
+	 * we have to be able to handle a not-yet-decrypted key
+	 * being written out correctly ... if it is decrypted or
+	 * it is non-encrypted then we use the base code
+	 */
+	if (xi->x_pkey!=NULL)
+		{
+		if ( (xi->enc_data!=NULL) && (xi->enc_len>0) )
+			{
+			/* copy from wierdo names into more normal things */
+			iv=xi->enc_cipher.iv;
+			data=(unsigned char *)xi->enc_data;
+			i=xi->enc_len;
+
+			/* we take the encryption data from the
+			 * internal stuff rather than what the
+			 * user has passed us ... as we have to 
+			 * match exactly for some strange reason
+			 */
+			objstr=OBJ_nid2sn(
+				EVP_CIPHER_nid(xi->enc_cipher.cipher));
+			if (objstr == NULL)
+				{
+				PEMerr(PEM_F_PEM_X509_INFO_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER);
+				goto err;
+				}
+
+			/* create the right magic header stuff */
+			buf[0]='\0';
+			PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
+			PEM_dek_info(buf,objstr,8,(char *)iv);
+
+			/* use the normal code to write things out */
+			i=PEM_write_bio(bp,PEM_STRING_RSA,buf,data,i);
+			if (i <= 0) goto err;
+			}
+		else
+			{
+			/* Add DSA/DH */
+#ifndef NO_RSA
+			/* normal optionally encrypted stuff */
+			if (PEM_write_bio_RSAPrivateKey(bp,
+				xi->x_pkey->dec_pkey->pkey.rsa,
+				enc,kstr,klen,cb,u)<=0)
+				goto err;
+#endif
+			}
+		}
+
+	/* if we have a certificate then write it out now */
+	if ((xi->x509 != NULL) || (PEM_write_bio_X509(bp,xi->x509) <= 0))
+		goto err;
+
+	/* we are ignoring anything else that is loaded into the X509_INFO
+	 * structure for the moment ... as I don't need it so I'm not
+	 * coding it here and Eric can do it when this makes it into the
+	 * base library --tjh
+	 */
+
+	ret=1;
+
+err:
+	memset((char *)&ctx,0,sizeof(ctx));
+	memset(buf,0,PEM_BUFSIZE);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c
new file mode 100644
index 0000000..b5e0a65
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_lib.c
@@ -0,0 +1,963 @@
+/* crypto/pem/pem_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#ifndef NO_DES
+#include <openssl/des.h>
+#endif
+
+const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
+
+#define MIN_LENGTH	4
+
+static int def_callback(char *buf, int num, int w, void *userdata);
+static int load_iv(unsigned char **fromp,unsigned char *to, int num);
+static int check_pem(const char *nm, const char *name);
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+				int nid, const EVP_CIPHER *enc,
+				char *kstr, int klen,
+				pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+				int nid, const EVP_CIPHER *enc,
+				char *kstr, int klen,
+				pem_password_cb *cb, void *u);
+
+static int def_callback(char *buf, int num, int w, void *key)
+	{
+#ifdef NO_FP_API
+	/* We should not ever call the default callback routine from
+	 * windows. */
+	PEMerr(PEM_F_DEF_CALLBACK,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(-1);
+#else
+	int i,j;
+	const char *prompt;
+	if(key) {
+		i=strlen(key);
+		i=(i > num)?num:i;
+		memcpy(buf,key,i);
+		return(i);
+	}
+
+	prompt=EVP_get_pw_prompt();
+	if (prompt == NULL)
+		prompt="Enter PEM pass phrase:";
+
+	for (;;)
+		{
+		i=EVP_read_pw_string(buf,num,prompt,w);
+		if (i != 0)
+			{
+			PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
+			memset(buf,0,(unsigned int)num);
+			return(-1);
+			}
+		j=strlen(buf);
+		if (j < MIN_LENGTH)
+			{
+			fprintf(stderr,"phrase is too short, needs to be at least %d chars\n",MIN_LENGTH);
+			}
+		else
+			break;
+		}
+	return(j);
+#endif
+	}
+
+void PEM_proc_type(char *buf, int type)
+	{
+	const char *str;
+
+	if (type == PEM_TYPE_ENCRYPTED)
+		str="ENCRYPTED";
+	else if (type == PEM_TYPE_MIC_CLEAR)
+		str="MIC-CLEAR";
+	else if (type == PEM_TYPE_MIC_ONLY)
+		str="MIC-ONLY";
+	else
+		str="BAD-TYPE";
+		
+	strcat(buf,"Proc-Type: 4,");
+	strcat(buf,str);
+	strcat(buf,"\n");
+	}
+
+void PEM_dek_info(char *buf, const char *type, int len, char *str)
+	{
+	static unsigned char map[17]="0123456789ABCDEF";
+	long i;
+	int j;
+
+	strcat(buf,"DEK-Info: ");
+	strcat(buf,type);
+	strcat(buf,",");
+	j=strlen(buf);
+	for (i=0; i<len; i++)
+		{
+		buf[j+i*2]  =map[(str[i]>>4)&0x0f];
+		buf[j+i*2+1]=map[(str[i]   )&0x0f];
+		}
+	buf[j+i*2]='\n';
+	buf[j+i*2+1]='\0';
+	}
+
+#ifndef NO_FP_API
+char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x,
+	     pem_password_cb *cb, void *u)
+	{
+        BIO *b;
+        char *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_ASN1_read_bio(d2i,name,b,x,cb,u);
+        BIO_free(b);
+        return(ret);
+	}
+#endif
+
+static int check_pem(const char *nm, const char *name)
+{
+	/* Normal matching nm and name */
+	if (!strcmp(nm,name)) return 1;
+
+	/* Make PEM_STRING_EVP_PKEY match any private key */
+
+	if(!strcmp(nm,PEM_STRING_PKCS8) &&
+		!strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_PKCS8INF) &&
+		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_RSA) &&
+		!strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_DSA) &&
+		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	/* Permit older strings */
+
+	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+		!strcmp(name,PEM_STRING_X509)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_X509_REQ_OLD) &&
+		!strcmp(name,PEM_STRING_X509_REQ)) return 1;
+
+	/* Allow normal certs to be read as trusted certs */
+	if(!strcmp(nm,PEM_STRING_X509) &&
+		!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+		!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+	/* Some CAs use PKCS#7 with CERTIFICATE headers */
+	if(!strcmp(nm, PEM_STRING_X509) &&
+		!strcmp(name, PEM_STRING_PKCS7)) return 1;
+
+	return 0;
+}
+
+char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
+	     pem_password_cb *cb, void *u)
+	{
+	EVP_CIPHER_INFO cipher;
+	char *nm=NULL,*header=NULL;
+	unsigned char *p=NULL,*data=NULL;
+	long len;
+	char *ret=NULL;
+
+	for (;;)
+		{
+		if (!PEM_read_bio(bp,&nm,&header,&data,&len)) {
+			if(ERR_GET_REASON(ERR_peek_error()) ==
+				PEM_R_NO_START_LINE)
+				ERR_add_error_data(2, "Expecting: ", name);
+			return(NULL);
+		}
+		if(check_pem(nm, name)) break;
+		Free(nm);
+		Free(header);
+		Free(data);
+		}
+	if (!PEM_get_EVP_CIPHER_INFO(header,&cipher)) goto err;
+	if (!PEM_do_header(&cipher,data,&len,cb,u)) goto err;
+	p=data;
+	if (strcmp(name,PEM_STRING_EVP_PKEY) == 0) {
+		if (strcmp(nm,PEM_STRING_RSA) == 0)
+			ret=d2i(EVP_PKEY_RSA,x,&p,len);
+		else if (strcmp(nm,PEM_STRING_DSA) == 0)
+			ret=d2i(EVP_PKEY_DSA,x,&p,len);
+		else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
+			PKCS8_PRIV_KEY_INFO *p8inf;
+			p8inf=d2i_PKCS8_PRIV_KEY_INFO(
+					(PKCS8_PRIV_KEY_INFO **) x, &p, len);
+			ret = (char *)EVP_PKCS82PKEY(p8inf);
+			PKCS8_PRIV_KEY_INFO_free(p8inf);
+		} else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
+			PKCS8_PRIV_KEY_INFO *p8inf;
+			X509_SIG *p8;
+			int klen;
+			char psbuf[PEM_BUFSIZE];
+			p8 = d2i_X509_SIG(NULL, &p, len);
+			if(!p8) goto p8err;
+			if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+			else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
+			if (klen <= 0) {
+				PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+						PEM_R_BAD_PASSWORD_READ);
+				goto err;
+			}
+			p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
+			X509_SIG_free(p8);
+			if(!p8inf) goto p8err;
+			ret = (char *)EVP_PKCS82PKEY(p8inf);
+			if(x) {
+				if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+				*x = ret;
+			}
+			PKCS8_PRIV_KEY_INFO_free(p8inf);
+		}
+	} else	ret=d2i(x,&p,len);
+p8err:
+	if (ret == NULL)
+		PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+err:
+	Free(nm);
+	Free(header);
+	Free(data);
+	return(ret);
+	}
+
+#ifndef NO_FP_API
+int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x,
+	     const EVP_CIPHER *enc, unsigned char *kstr, int klen,
+	     pem_password_cb *callback, void *u)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		PEMerr(PEM_F_PEM_ASN1_WRITE,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_ASN1_write_bio(i2d,name,b,x,enc,kstr,klen,callback,u);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
+	     const EVP_CIPHER *enc, unsigned char *kstr, int klen,
+	     pem_password_cb *callback, void *u)
+	{
+	EVP_CIPHER_CTX ctx;
+	int dsize=0,i,j,ret=0;
+	unsigned char *p,*data=NULL;
+	const char *objstr=NULL;
+	char buf[PEM_BUFSIZE];
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	unsigned char iv[EVP_MAX_IV_LENGTH];
+	
+	if (enc != NULL)
+		{
+		objstr=OBJ_nid2sn(EVP_CIPHER_nid(enc));
+		if (objstr == NULL)
+			{
+			PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER);
+			goto err;
+			}
+		}
+
+	if ((dsize=i2d(x,NULL)) < 0)
+		{
+		PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+		dsize=0;
+		goto err;
+		}
+	/* dzise + 8 bytes are needed */
+	data=(unsigned char *)Malloc((unsigned int)dsize+20);
+	if (data == NULL)
+		{
+		PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	p=data;
+	i=i2d(x,&p);
+
+	if (enc != NULL)
+		{
+		if (kstr == NULL)
+			{
+			if (callback == NULL)
+				klen=def_callback(buf,PEM_BUFSIZE,1,u);
+			else
+				klen=(*callback)(buf,PEM_BUFSIZE,1,u);
+			if (klen <= 0)
+				{
+				PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_READ_KEY);
+				goto err;
+				}
+#ifdef CHARSET_EBCDIC
+			/* Convert the pass phrase from EBCDIC */
+			ebcdic2ascii(buf, buf, klen);
+#endif
+			kstr=(unsigned char *)buf;
+			}
+		RAND_add(data,i,0);/* put in the RSA key. */
+		if (RAND_pseudo_bytes(iv,8) < 0)	/* Generate a salt */
+			goto err;
+		/* The 'iv' is used as the iv and as a salt.  It is
+		 * NOT taken from the BytesToKey function */
+		EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
+
+		if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE);
+
+		buf[0]='\0';
+		PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
+		PEM_dek_info(buf,objstr,8,(char *)iv);
+		/* k=strlen(buf); */
+	
+		EVP_EncryptInit(&ctx,enc,key,iv);
+		EVP_EncryptUpdate(&ctx,data,&j,data,i);
+		EVP_EncryptFinal(&ctx,&(data[j]),&i);
+		i+=j;
+		ret=1;
+		}
+	else
+		{
+		ret=1;
+		buf[0]='\0';
+		}
+	i=PEM_write_bio(bp,name,buf,data,i);
+	if (i <= 0) ret=0;
+err:
+	memset(key,0,sizeof(key));
+	memset(iv,0,sizeof(iv));
+	memset((char *)&ctx,0,sizeof(ctx));
+	memset(buf,0,PEM_BUFSIZE);
+	memset(data,0,(unsigned int)dsize);
+	Free(data);
+	return(ret);
+	}
+
+int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
+	     pem_password_cb *callback,void *u)
+	{
+	int i,j,o,klen;
+	long len;
+	EVP_CIPHER_CTX ctx;
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	char buf[PEM_BUFSIZE];
+
+	len= *plen;
+
+	if (cipher->cipher == NULL) return(1);
+	if (callback == NULL)
+		klen=def_callback(buf,PEM_BUFSIZE,0,u);
+	else
+		klen=callback(buf,PEM_BUFSIZE,0,u);
+	if (klen <= 0)
+		{
+		PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_PASSWORD_READ);
+		return(0);
+		}
+#ifdef CHARSET_EBCDIC
+	/* Convert the pass phrase from EBCDIC */
+	ebcdic2ascii(buf, buf, klen);
+#endif
+
+	EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
+		(unsigned char *)buf,klen,1,key,NULL);
+
+	j=(int)len;
+	EVP_DecryptInit(&ctx,cipher->cipher,key,&(cipher->iv[0]));
+	EVP_DecryptUpdate(&ctx,data,&i,data,j);
+	o=EVP_DecryptFinal(&ctx,&(data[i]),&j);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	memset((char *)buf,0,sizeof(buf));
+	memset((char *)key,0,sizeof(key));
+	j+=i;
+	if (!o)
+		{
+		PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT);
+		return(0);
+		}
+	*plen=j;
+	return(1);
+	}
+
+int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
+	{
+	int o;
+	const EVP_CIPHER *enc=NULL;
+	char *p,c;
+
+	cipher->cipher=NULL;
+	if ((header == NULL) || (*header == '\0') || (*header == '\n'))
+		return(1);
+	if (strncmp(header,"Proc-Type: ",11) != 0)
+		{ PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_PROC_TYPE); return(0); }
+	header+=11;
+	if (*header != '4') return(0); header++;
+	if (*header != ',') return(0); header++;
+	if (strncmp(header,"ENCRYPTED",9) != 0)
+		{ PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_ENCRYPTED); return(0); }
+	for (; (*header != '\n') && (*header != '\0'); header++)
+		;
+	if (*header == '\0')
+		{ PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_SHORT_HEADER); return(0); }
+	header++;
+	if (strncmp(header,"DEK-Info: ",10) != 0)
+		{ PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_DEK_INFO); return(0); }
+	header+=10;
+
+	p=header;
+	for (;;)
+		{
+		c= *header;
+#ifndef CHARSET_EBCDIC
+		if (!(	((c >= 'A') && (c <= 'Z')) || (c == '-') ||
+			((c >= '0') && (c <= '9'))))
+			break;
+#else
+		if (!(	isupper(c) || (c == '-') ||
+			isdigit(c)))
+			break;
+#endif
+		header++;
+		}
+	*header='\0';
+	o=OBJ_sn2nid(p);
+	cipher->cipher=enc=EVP_get_cipherbyname(p);
+	*header=c;
+	header++;
+
+	if (enc == NULL)
+		{
+		PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
+		return(0);
+		}
+	if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),8)) return(0);
+
+	return(1);
+	}
+
+static int load_iv(unsigned char **fromp, unsigned char *to, int num)
+	{
+	int v,i;
+	unsigned char *from;
+
+	from= *fromp;
+	for (i=0; i<num; i++) to[i]=0;
+	num*=2;
+	for (i=0; i<num; i++)
+		{
+		if ((*from >= '0') && (*from <= '9'))
+			v= *from-'0';
+		else if ((*from >= 'A') && (*from <= 'F'))
+			v= *from-'A'+10;
+		else if ((*from >= 'a') && (*from <= 'f'))
+			v= *from-'a'+10;
+		else
+			{
+			PEMerr(PEM_F_LOAD_IV,PEM_R_BAD_IV_CHARS);
+			return(0);
+			}
+		from++;
+		to[i/2]|=v<<(long)((!(i&1))*4);
+		}
+
+	*fromp=from;
+	return(1);
+	}
+
+#ifndef NO_FP_API
+int PEM_write(FILE *fp, char *name, char *header, unsigned char *data,
+	     long len)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		PEMerr(PEM_F_PEM_WRITE,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_write_bio(b, name, header, data,len);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
+	     long len)
+	{
+	int nlen,n,i,j,outl;
+	unsigned char *buf;
+	EVP_ENCODE_CTX ctx;
+	int reason=ERR_R_BUF_LIB;
+	
+	EVP_EncodeInit(&ctx);
+	nlen=strlen(name);
+
+	if (	(BIO_write(bp,"-----BEGIN ",11) != 11) ||
+		(BIO_write(bp,name,nlen) != nlen) ||
+		(BIO_write(bp,"-----\n",6) != 6))
+		goto err;
+		
+	i=strlen(header);
+	if (i > 0)
+		{
+		if (	(BIO_write(bp,header,i) != i) ||
+			(BIO_write(bp,"\n",1) != 1))
+			goto err;
+		}
+
+	buf=(unsigned char *)Malloc(PEM_BUFSIZE*8);
+	if (buf == NULL)
+		{
+		reason=ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+
+	i=j=0;
+	while (len > 0)
+		{
+		n=(int)((len>(PEM_BUFSIZE*5))?(PEM_BUFSIZE*5):len);
+		EVP_EncodeUpdate(&ctx,buf,&outl,&(data[j]),n);
+		if ((outl) && (BIO_write(bp,(char *)buf,outl) != outl))
+			goto err;
+		i+=outl;
+		len-=n;
+		j+=n;
+		}
+	EVP_EncodeFinal(&ctx,buf,&outl);
+	if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err;
+	Free(buf);
+	if (	(BIO_write(bp,"-----END ",9) != 9) ||
+		(BIO_write(bp,name,nlen) != nlen) ||
+		(BIO_write(bp,"-----\n",6) != 6))
+		goto err;
+	return(i+outl);
+err:
+	PEMerr(PEM_F_PEM_WRITE_BIO,reason);
+	return(0);
+	}
+
+#ifndef NO_FP_API
+int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
+	     long *len)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		PEMerr(PEM_F_PEM_READ,ERR_R_BUF_LIB);
+                return(0);
+		}
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_read_bio(b, name, header, data,len);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
+	     long *len)
+	{
+	EVP_ENCODE_CTX ctx;
+	int end=0,i,k,bl=0,hl=0,nohead=0;
+	char buf[256];
+	BUF_MEM *nameB;
+	BUF_MEM *headerB;
+	BUF_MEM *dataB,*tmpB;
+	
+	nameB=BUF_MEM_new();
+	headerB=BUF_MEM_new();
+	dataB=BUF_MEM_new();
+	if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
+		{
+		PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+
+	buf[254]='\0';
+	for (;;)
+		{
+		i=BIO_gets(bp,buf,254);
+
+		if (i <= 0)
+			{
+			PEMerr(PEM_F_PEM_READ_BIO,PEM_R_NO_START_LINE);
+			goto err;
+			}
+
+		while ((i >= 0) && (buf[i] <= ' ')) i--;
+		buf[++i]='\n'; buf[++i]='\0';
+
+		if (strncmp(buf,"-----BEGIN ",11) == 0)
+			{
+			i=strlen(&(buf[11]));
+
+			if (strncmp(&(buf[11+i-6]),"-----\n",6) != 0)
+				continue;
+			if (!BUF_MEM_grow(nameB,i+9))
+				{
+				PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			memcpy(nameB->data,&(buf[11]),i-6);
+			nameB->data[i-6]='\0';
+			break;
+			}
+		}
+	hl=0;
+	if (!BUF_MEM_grow(headerB,256))
+		{ PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; }
+	headerB->data[0]='\0';
+	for (;;)
+		{
+		i=BIO_gets(bp,buf,254);
+		if (i <= 0) break;
+
+		while ((i >= 0) && (buf[i] <= ' ')) i--;
+		buf[++i]='\n'; buf[++i]='\0';
+
+		if (buf[0] == '\n') break;
+		if (!BUF_MEM_grow(headerB,hl+i+9))
+			{ PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; }
+		if (strncmp(buf,"-----END ",9) == 0)
+			{
+			nohead=1;
+			break;
+			}
+		memcpy(&(headerB->data[hl]),buf,i);
+		headerB->data[hl+i]='\0';
+		hl+=i;
+		}
+
+	bl=0;
+	if (!BUF_MEM_grow(dataB,1024))
+		{ PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; }
+	dataB->data[0]='\0';
+	if (!nohead)
+		{
+		for (;;)
+			{
+			i=BIO_gets(bp,buf,254);
+			if (i <= 0) break;
+
+			while ((i >= 0) && (buf[i] <= ' ')) i--;
+			buf[++i]='\n'; buf[++i]='\0';
+
+			if (i != 65) end=1;
+			if (strncmp(buf,"-----END ",9) == 0)
+				break;
+			if (i > 65) break;
+			if (!BUF_MEM_grow(dataB,i+bl+9))
+				{
+				PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			memcpy(&(dataB->data[bl]),buf,i);
+			dataB->data[bl+i]='\0';
+			bl+=i;
+			if (end)
+				{
+				buf[0]='\0';
+				i=BIO_gets(bp,buf,254);
+				if (i <= 0) break;
+
+				while ((i >= 0) && (buf[i] <= ' ')) i--;
+				buf[++i]='\n'; buf[++i]='\0';
+
+				break;
+				}
+			}
+		}
+	else
+		{
+		tmpB=headerB;
+		headerB=dataB;
+		dataB=tmpB;
+		bl=hl;
+		}
+	i=strlen(nameB->data);
+	if (	(strncmp(buf,"-----END ",9) != 0) ||
+		(strncmp(nameB->data,&(buf[9]),i) != 0) ||
+		(strncmp(&(buf[9+i]),"-----\n",6) != 0))
+		{
+		PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_END_LINE);
+		goto err;
+		}
+
+	EVP_DecodeInit(&ctx);
+	i=EVP_DecodeUpdate(&ctx,
+		(unsigned char *)dataB->data,&bl,
+		(unsigned char *)dataB->data,bl);
+	if (i < 0)
+		{
+		PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_BASE64_DECODE);
+		goto err;
+		}
+	i=EVP_DecodeFinal(&ctx,(unsigned char *)&(dataB->data[bl]),&k);
+	if (i < 0)
+		{
+		PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_BASE64_DECODE);
+		goto err;
+		}
+	bl+=k;
+
+	if (bl == 0) goto err;
+	*name=nameB->data;
+	*header=headerB->data;
+	*data=(unsigned char *)dataB->data;
+	*len=bl;
+	Free(nameB);
+	Free(headerB);
+	Free(dataB);
+	return(1);
+err:
+	BUF_MEM_free(nameB);
+	BUF_MEM_free(headerB);
+	BUF_MEM_free(dataB);
+	return(0);
+	}
+
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
+ */
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	X509_SIG *p8;
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	char buf[PEM_BUFSIZE];
+	int ret;
+	if(!(p8inf = EVP_PKEY2PKCS8(x))) {
+		PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+					PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+		return 0;
+	}
+	if(enc || (nid != -1)) {
+		if(!kstr) {
+			if(!cb) klen = def_callback(buf, PEM_BUFSIZE, 1, u);
+			else klen = cb(buf, PEM_BUFSIZE, 1, u);
+			if(klen <= 0) {
+				PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+								PEM_R_READ_KEY);
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				return 0;
+			}
+				
+			kstr = buf;
+		}
+		p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
+		if(kstr == buf) memset(buf, 0, klen);
+		PKCS8_PRIV_KEY_INFO_free(p8inf);
+		if(isder) ret = i2d_PKCS8_bio(bp, p8);
+		else ret = PEM_write_bio_PKCS8(bp, p8);
+		X509_SIG_free(p8);
+		return ret;
+	} else {
+		if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+		else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+		PKCS8_PRIV_KEY_INFO_free(p8inf);
+		return ret;
+	}
+}
+
+/* Finally the DER version to read PKCS#8 encrypted private keys. It has to be
+ * here to access the default callback.
+ */
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+	X509_SIG *p8 = NULL;
+	int klen;
+	EVP_PKEY *ret;
+	char psbuf[PEM_BUFSIZE];
+	p8 = d2i_PKCS8_bio(bp, NULL);
+	if(!p8) return NULL;
+	if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+	else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
+	if (klen <= 0) {
+		PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+		X509_SIG_free(p8);
+		return NULL;	
+	}
+	p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
+	X509_SIG_free(p8);
+	if(!p8inf) return NULL;
+	ret = EVP_PKCS82PKEY(p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	if(!ret) return NULL;
+	if(x) {
+		if(*x) EVP_PKEY_free(*x);
+		*x = ret;
+	}
+	return ret;
+}
+
+#ifndef NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+			      char *kstr, int klen, pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	BIO *bp;
+	int ret;
+	if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+		PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+                return(0);
+	}
+	ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
+	BIO_free(bp);
+	return ret;
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+	BIO *bp;
+	EVP_PKEY *ret;
+	if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+		PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+                return NULL;
+	}
+	ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+	BIO_free(bp);
+	return ret;
+}
+
+#endif
diff --git a/crypto/openssl/crypto/pem/pem_seal.c b/crypto/openssl/crypto/pem/pem_seal.c
new file mode 100644
index 0000000..126e29d
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_seal.c
@@ -0,0 +1,184 @@
+/* crypto/pem/pem_seal.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
+	     unsigned char **ek, int *ekl, unsigned char *iv, EVP_PKEY **pubk,
+	     int npubk)
+	{
+	unsigned char key[EVP_MAX_KEY_LENGTH];
+	int ret= -1;
+	int i,j,max=0;
+	char *s=NULL;
+
+	for (i=0; i<npubk; i++)
+		{
+		if (pubk[i]->type != EVP_PKEY_RSA)
+			{
+			PEMerr(PEM_F_PEM_SEALINIT,PEM_R_PUBLIC_KEY_NO_RSA);
+			goto err;
+			}
+		j=RSA_size(pubk[i]->pkey.rsa);
+		if (j > max) max=j;
+		}
+	s=(char *)Malloc(max*2);
+	if (s == NULL)
+		{
+		PEMerr(PEM_F_PEM_SEALINIT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	EVP_EncodeInit(&(ctx->encode));
+	EVP_SignInit(&(ctx->md),md_type);
+
+	ret=EVP_SealInit(&(ctx->cipher),type,ek,ekl,iv,pubk,npubk);
+	if (!ret) goto err;
+
+	/* base64 encode the keys */
+	for (i=0; i<npubk; i++)
+		{
+		j=EVP_EncodeBlock((unsigned char *)s,ek[i],
+			RSA_size(pubk[i]->pkey.rsa));
+		ekl[i]=j;
+		memcpy(ek[i],s,j+1);
+		}
+
+	ret=npubk;
+err:
+	if (s != NULL) Free(s);
+	memset(key,0,EVP_MAX_KEY_LENGTH);
+	return(ret);
+	}
+
+void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
+	     unsigned char *in, int inl)
+	{
+	unsigned char buffer[1600];
+	int i,j;
+
+	*outl=0;
+	EVP_SignUpdate(&(ctx->md),in,inl);
+	for (;;)
+		{
+		if (inl <= 0) break;
+		if (inl > 1200)
+			i=1200;
+		else
+			i=inl;
+		EVP_EncryptUpdate(&(ctx->cipher),buffer,&j,in,i);
+		EVP_EncodeUpdate(&(ctx->encode),out,&j,buffer,j);
+		*outl+=j;
+		out+=j;
+		in+=i;
+		inl-=i;
+		}
+	}
+
+int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
+	     unsigned char *out, int *outl, EVP_PKEY *priv)
+	{
+	unsigned char *s=NULL;
+	int ret=0,j;
+	unsigned int i;
+
+	if (priv->type != EVP_PKEY_RSA)
+		{
+		PEMerr(PEM_F_PEM_SEALFINAL,PEM_R_PUBLIC_KEY_NO_RSA);
+		goto err;
+		}
+	i=RSA_size(priv->pkey.rsa);
+	if (i < 100) i=100;
+	s=(unsigned char *)Malloc(i*2);
+	if (s == NULL)
+		{
+		PEMerr(PEM_F_PEM_SEALFINAL,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	EVP_EncryptFinal(&(ctx->cipher),s,(int *)&i);
+	EVP_EncodeUpdate(&(ctx->encode),out,&j,s,i);
+	*outl=j;
+	out+=j;
+	EVP_EncodeFinal(&(ctx->encode),out,&j);
+	*outl+=j;
+
+	if (!EVP_SignFinal(&(ctx->md),s,&i,priv)) goto err;
+	*sigl=EVP_EncodeBlock(sig,s,i);
+
+	ret=1;
+err:
+	memset((char *)&(ctx->md),0,sizeof(ctx->md));
+	memset((char *)&(ctx->cipher),0,sizeof(ctx->cipher));
+	if (s != NULL) Free(s);
+	return(ret);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/crypto/pem/pem_sign.c b/crypto/openssl/crypto/pem/pem_sign.c
new file mode 100644
index 0000000..aabafb7
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pem_sign.c
@@ -0,0 +1,102 @@
+/* crypto/pem/pem_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+	{
+	EVP_DigestInit(ctx,type);
+	}
+
+void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data,
+	     unsigned int count)
+	{
+	EVP_DigestUpdate(ctx,data,count);
+	}
+
+int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
+	     EVP_PKEY *pkey)
+	{
+	unsigned char *m;
+	int i,ret=0;
+	unsigned int m_len;
+
+	m=(unsigned char *)Malloc(EVP_PKEY_size(pkey)+2);
+	if (m == NULL)
+		{
+		PEMerr(PEM_F_PEM_SIGNFINAL,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (EVP_SignFinal(ctx,m,&m_len,pkey) <= 0) goto err;
+
+	i=EVP_EncodeBlock(sigret,m,m_len);
+	*siglen=i;
+	ret=1;
+err:
+	/* ctx has been zeroed by EVP_SignFinal() */
+	if (m != NULL) Free(m);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/pem/pkcs7.lis b/crypto/openssl/crypto/pem/pkcs7.lis
new file mode 100644
index 0000000..be90c5d
--- /dev/null
+++ b/crypto/openssl/crypto/pem/pkcs7.lis
@@ -0,0 +1,22 @@
+21     0:d=0 hl=2 l=  0 cons: univ: SEQUENCE          
+ 00     2:d=0 hl=2 l=  9 prim: univ: OBJECT_IDENTIFIER :pkcs-7-signedData
+ 21    13:d=0 hl=2 l=  0 cons: cont: 00			# explicit tag
+  21    15:d=0 hl=2 l=  0 cons: univ: SEQUENCE          
+   00    17:d=0 hl=2 l=  1 prim: univ: INTEGER          # version 
+   20    20:d=0 hl=2 l=  0 cons: univ: SET               
+   21    22:d=0 hl=2 l=  0 cons: univ: SEQUENCE          
+    00    24:d=0 hl=2 l=  9 prim: univ: OBJECT_IDENTIFIER :pkcs-7-data
+    00    35:d=0 hl=2 l=  0 prim: univ: EOC               
+   21    37:d=0 hl=2 l=  0 cons: cont: 00               # cert tag
+    20    39:d=0 hl=4 l=545 cons: univ: SEQUENCE          
+    20   588:d=0 hl=4 l=524 cons: univ: SEQUENCE          
+    00  1116:d=0 hl=2 l=  0 prim: univ: EOC               
+   21  1118:d=0 hl=2 l=  0 cons: cont: 01		# crl tag
+    20  1120:d=0 hl=4 l=653 cons: univ: SEQUENCE          
+    20  1777:d=0 hl=4 l=285 cons: univ: SEQUENCE          
+    00  2066:d=0 hl=2 l=  0 prim: univ: EOC               
+   21  2068:d=0 hl=2 l=  0 cons: univ: SET              # signers 
+    00  2070:d=0 hl=2 l=  0 prim: univ: EOC               
+  00  2072:d=0 hl=2 l=  0 prim: univ: EOC               
+ 00  2074:d=0 hl=2 l=  0 prim: univ: EOC               
+00  2076:d=0 hl=2 l=  0 prim: univ: EOC               
diff --git a/crypto/openssl/crypto/perlasm/alpha.pl b/crypto/openssl/crypto/perlasm/alpha.pl
new file mode 100644
index 0000000..3dac571
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/alpha.pl
@@ -0,0 +1,434 @@
+#!/usr/local/bin/perl
+
+package alpha;
+use Carp qw(croak cluck);
+
+$label="100";
+
+$n_debug=0;
+$smear_regs=1;
+$reg_alloc=1;
+
+$align="3";
+$com_start="#";
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+sub main'external_label { push(@labels,@_); }
+
+# General registers
+
+%regs=(	'r0',	'$0',
+	'r1',	'$1',
+	'r2',	'$2',
+	'r3',	'$3',
+	'r4',	'$4',
+	'r5',	'$5',
+	'r6',	'$6',
+	'r7',	'$7',
+	'r8',	'$8',
+	'r9',	'$22',
+	'r10',	'$23',
+	'r11',	'$24',
+	'r12',	'$25',
+	'r13',	'$27',
+	'r14',	'$28',
+	'r15',	'$21', # argc == 5
+	'r16',	'$20', # argc == 4
+	'r17',	'$19', # argc == 3
+	'r18',	'$18', # argc == 2
+	'r19',	'$17', # argc == 1
+	'r20',	'$16', # argc == 0
+	'r21',	'$9',  # save 0
+	'r22',	'$10', # save 1
+	'r23',	'$11', # save 2
+	'r24',	'$12', # save 3
+	'r25',	'$13', # save 4
+	'r26',	'$14', # save 5
+
+	'a0',	'$16',
+	'a1',	'$17',
+	'a2',	'$18',
+	'a3',	'$19',
+	'a4',	'$20',
+	'a5',	'$21',
+
+	's0',	'$9',
+	's1',	'$10',
+	's2',	'$11',
+	's3',	'$12',
+	's4',	'$13',
+	's5',	'$14',
+	'zero',	'$31',
+	'sp',	'$30',
+	);
+
+$main'reg_s0="r21";
+$main'reg_s1="r22";
+$main'reg_s2="r23";
+$main'reg_s3="r24";
+$main'reg_s4="r25";
+$main'reg_s5="r26";
+
+@reg=(  '$0', '$1' ,'$2' ,'$3' ,'$4' ,'$5' ,'$6' ,'$7' ,'$8',
+	'$22','$23','$24','$25','$20','$21','$27','$28');
+
+
+sub main'sub	{ &out3("subq",@_); }
+sub main'add	{ &out3("addq",@_); }
+sub main'mov	{ &out3("bis",$_[0],$_[0],$_[1]); }
+sub main'or	{ &out3("bis",@_); }
+sub main'bis	{ &out3("bis",@_); }
+sub main'br	{ &out1("br",@_); }
+sub main'ld	{ &out2("ldq",@_); }
+sub main'st	{ &out2("stq",@_); }
+sub main'cmpult	{ &out3("cmpult",@_); }
+sub main'cmplt	{ &out3("cmplt",@_); }
+sub main'bgt	{ &out2("bgt",@_); }
+sub main'ble	{ &out2("ble",@_); }
+sub main'blt	{ &out2("blt",@_); }
+sub main'mul	{ &out3("mulq",@_); }
+sub main'muh	{ &out3("umulh",@_); }
+
+$main'QWS=8;
+
+sub main'asm_add
+	{
+	push(@out,@_);
+	}
+
+sub main'asm_finish
+	{
+	&main'file_end();
+	print &main'asm_get_output();
+	}
+
+sub main'asm_init
+	{
+	($type,$fn)=@_;
+	$filename=$fn;
+
+	&main'asm_init_output();
+	&main'comment("Don't even think of reading this code");
+	&main'comment("It was automatically generated by $filename");
+	&main'comment("Which is a perl program used to generate the alpha assember.");
+	&main'comment("eric <eay\@cryptsoft.com>");
+	&main'comment("");
+
+	$filename =~ s/\.pl$//;
+	&main'file($filename);
+	}
+
+sub conv
+	{
+	local($r)=@_;
+	local($v);
+
+	return($regs{$r}) if defined($regs{$r});
+	return($r);
+	}
+
+sub main'QWPw
+	{
+	local($off,$reg)=@_;
+
+	return(&main'QWP($off*8,$reg));
+	}
+
+sub main'QWP
+	{
+	local($off,$reg)=@_;
+
+	$ret="$off(".&conv($reg).")";
+	return($ret);
+	}
+
+sub out3
+	{
+	local($name,$p1,$p2,$p3)=@_;
+
+	$p1=&conv($p1);
+	$p2=&conv($p2);
+	$p3=&conv($p3);
+	push(@out,"\t$name\t");
+	$l=length($p1)+1;
+	push(@out,$p1.",");
+	$ll=3-($l+9)/8;
+	$tmp1=sprintf("\t" x $ll);
+	push(@out,$tmp1);
+
+	$l=length($p2)+1;
+	push(@out,$p2.",");
+	$ll=3-($l+9)/8;
+	$tmp1=sprintf("\t" x $ll);
+	push(@out,$tmp1);
+
+	push(@out,&conv($p3)."\n");
+	}
+
+sub out2
+	{
+	local($name,$p1,$p2,$p3)=@_;
+
+	$p1=&conv($p1);
+	$p2=&conv($p2);
+	push(@out,"\t$name\t");
+	$l=length($p1)+1;
+	push(@out,$p1.",");
+	$ll=3-($l+9)/8;
+	$tmp1=sprintf("\t" x $ll);
+	push(@out,$tmp1);
+
+	push(@out,&conv($p2)."\n");
+	}
+
+sub out1
+	{
+	local($name,$p1)=@_;
+
+	$p1=&conv($p1);
+	push(@out,"\t$name\t".$p1."\n");
+	}
+
+sub out0
+	{
+	push(@out,"\t$_[0]\n");
+	}
+
+sub main'file
+	{
+	local($file)=@_;
+
+	local($tmp)=<<"EOF";
+ # DEC Alpha assember
+ # Generated from perl scripts contains in SSLeay
+	.file	1 "$file.s"
+	.set noat
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'function_begin
+	{
+	local($func)=@_;
+
+print STDERR "$func\n";
+	local($tmp)=<<"EOF";
+	.text
+	.align $align
+	.globl $func
+	.ent $func
+${func}:
+${func}..ng:
+	.frame \$30,0,\$26,0
+	.prologue 0
+EOF
+	push(@out,$tmp);
+	$stack=0;
+	}
+
+sub main'function_end
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+	ret	\$31,(\$26),1
+	.end $func
+EOF
+	push(@out,$tmp);
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_A
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+	ret	\$31,(\$26),1
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'function_end_B
+	{
+	local($func)=@_;
+
+	$func=$under.$func;
+
+	push(@out,"\t.end $func\n");
+	$stack=0;
+	%label=();
+	}
+
+sub main'wparam
+	{
+	local($num)=@_;
+
+	if ($num < 6)
+		{
+		$num=20-$num;
+		return("r$num");
+		}
+	else
+		{ return(&main'QWP($stack+$num*8,"sp")); }
+	}
+
+sub main'stack_push
+	{
+	local($num)=@_;
+	$stack+=$num*8;
+	&main'sub("sp",$num*8,"sp");
+	}
+
+sub main'stack_pop
+	{
+	local($num)=@_;
+	$stack-=$num*8;
+	&main'add("sp",$num*8,"sp");
+	}
+
+sub main'swtmp
+	{
+	return(&main'QWP(($_[0])*8,"sp"));
+	}
+
+# Should use swtmp, which is above sp.  Linix can trash the stack above esp
+#sub main'wtmp
+#	{
+#	local($num)=@_;
+#
+#	return(&main'QWP(-($num+1)*4,"esp","",0));
+#	}
+
+sub main'comment
+	{
+	foreach (@_)
+		{
+		if (/^\s*$/)
+			{ push(@out,"\n"); }
+		else
+			{ push(@out,"\t$com_start $_ $com_end\n"); }
+		}
+	}
+
+sub main'label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}=$label;
+		$label++;
+		}
+	return('$'.$label{$_[0]});
+	}
+
+sub main'set_label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}=$label;
+		$label++;
+		}
+#	push(@out,".align $align\n") if ($_[1] != 0);
+	push(@out,'$'."$label{$_[0]}:\n");
+	}
+
+sub main'file_end
+	{
+	}
+
+sub main'data_word
+	{
+	push(@out,"\t.long $_[0]\n");
+	}
+
+@pool_free=();
+@pool_taken=();
+$curr_num=0;
+$max=0;
+
+sub main'init_pool
+	{
+	local($args)=@_;
+	local($i);
+
+	@pool_free=();
+	for ($i=(14+(6-$args)); $i >= 0; $i--)
+		{
+		push(@pool_free,"r$i");
+		}
+	print STDERR "START :register pool:@pool_free\n";
+	$curr_num=$max=0;
+	}
+
+sub main'fin_pool
+	{
+	printf STDERR "END %2d:register pool:@pool_free\n",$max;
+	}
+
+sub main'GR
+	{
+	local($r)=@_;
+	local($i,@n,$_);
+
+	foreach (@pool_free)
+		{
+		if ($r ne $_)
+			{ push(@n,$_); }
+		else
+			{
+			$curr_num++;
+			$max=$curr_num if ($curr_num > $max);
+			}
+		}
+	@pool_free=@n;
+print STDERR "GR:@pool_free\n" if $reg_alloc;
+	return(@_);
+	}
+
+sub main'NR
+	{
+	local($num)=@_;
+	local(@ret);
+
+	$num=1 if $num == 0;
+	($#pool_free >= ($num-1)) || croak "out of registers: want $num, have @pool_free";
+	while ($num > 0)
+		{
+		push(@ret,pop @pool_free);
+		$curr_num++;
+		$max=$curr_num if ($curr_num > $max);
+		$num--
+		}
+	print STDERR "nr @ret\n" if $n_debug;
+print STDERR "NR:@pool_free\n" if $reg_alloc;
+	return(@ret);
+
+	}
+
+sub main'FR
+	{
+	local(@r)=@_;
+	local(@a,$v,$w);
+
+	print STDERR "fr @r\n" if $n_debug;
+#	cluck "fr @r";
+	for $w (@pool_free)
+		{
+		foreach $v (@r)
+			{
+			croak "double register free of $v (@pool_free)" if $w eq $v;
+			}
+		}
+	foreach $v (@r)
+		{
+		croak "bad argument to FR" if ($v !~ /^r\d+$/);
+		if ($smear_regs)
+			{ unshift(@pool_free,$v); }
+		else	{ push(@pool_free,$v); }
+		$curr_num--;
+		}
+print STDERR "FR:@pool_free\n" if $reg_alloc;
+	}
+1;
diff --git a/crypto/openssl/crypto/perlasm/cbc.pl b/crypto/openssl/crypto/perlasm/cbc.pl
new file mode 100644
index 0000000..0145c4f
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/cbc.pl
@@ -0,0 +1,342 @@
+#!/usr/local/bin/perl
+
+# void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
+# des_cblock (*input);
+# des_cblock (*output);
+# long length;
+# des_key_schedule schedule;
+# des_cblock (*ivec);
+# int enc;
+#
+# calls 
+# des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+#
+
+#&cbc("des_ncbc_encrypt","des_encrypt",0);
+#&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",
+#	1,4,5,3,5,-1);
+#&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",
+#	0,4,5,3,5,-1);
+#&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",
+#	0,6,7,3,4,5);
+#
+# When doing a cipher that needs bigendian order,
+# for encrypt, the iv is kept in bigendian form,
+# while for decrypt, it is kept in little endian.
+sub cbc
+	{
+	local($name,$enc_func,$dec_func,$swap,$iv_off,$enc_off,$p1,$p2,$p3)=@_;
+	# name is the function name
+	# enc_func and dec_func and the functions to call for encrypt/decrypt
+	# swap is true if byte order needs to be reversed
+	# iv_off is parameter number for the iv 
+	# enc_off is parameter number for the encrypt/decrypt flag
+	# p1,p2,p3 are the offsets for parameters to be passed to the
+	# underlying calls.
+
+	&function_begin_B($name,"");
+	&comment("");
+
+	$in="esi";
+	$out="edi";
+	$count="ebp";
+
+	&push("ebp");
+	&push("ebx");
+	&push("esi");
+	&push("edi");
+
+	$data_off=4;
+	$data_off+=4 if ($p1 > 0);
+	$data_off+=4 if ($p2 > 0);
+	$data_off+=4 if ($p3 > 0);
+
+	&mov($count,	&wparam(2));	# length
+
+	&comment("getting iv ptr from parameter $iv_off");
+	&mov("ebx",	&wparam($iv_off));	# Get iv ptr
+
+	&mov($in,	&DWP(0,"ebx","",0));#	iv[0]
+	&mov($out,	&DWP(4,"ebx","",0));#	iv[1]
+
+	&push($out);
+	&push($in);
+	&push($out);	# used in decrypt for iv[1]
+	&push($in);	# used in decrypt for iv[0]
+
+	&mov("ebx",	"esp");		# This is the address of tin[2]
+
+	&mov($in,	&wparam(0));	# in
+	&mov($out,	&wparam(1));	# out
+
+	# We have loaded them all, how lets push things
+	&comment("getting encrypt flag from parameter $enc_off");
+	&mov("ecx",	&wparam($enc_off));	# Get enc flag
+	if ($p3 > 0)
+		{
+		&comment("get and push parameter $p3");
+		if ($enc_off != $p3)
+			{ &mov("eax",	&wparam($p3)); &push("eax"); }
+		else	{ &push("ecx"); }
+		}
+	if ($p2 > 0)
+		{
+		&comment("get and push parameter $p2");
+		if ($enc_off != $p2)
+			{ &mov("eax",	&wparam($p2)); &push("eax"); }
+		else	{ &push("ecx"); }
+		}
+	if ($p1 > 0)
+		{
+		&comment("get and push parameter $p1");
+		if ($enc_off != $p1)
+			{ &mov("eax",	&wparam($p1)); &push("eax"); }
+		else	{ &push("ecx"); }
+		}
+	&push("ebx");		# push data/iv
+
+	&cmp("ecx",0);
+	&jz(&label("decrypt"));
+
+	&and($count,0xfffffff8);
+	&mov("eax",	&DWP($data_off,"esp","",0));	# load iv[0]
+	&mov("ebx",	&DWP($data_off+4,"esp","",0));	# load iv[1]
+
+	&jz(&label("encrypt_finish"));
+
+	#############################################################
+
+	&set_label("encrypt_loop");
+	# encrypt start 
+	# "eax" and "ebx" hold iv (or the last cipher text)
+
+	&mov("ecx",	&DWP(0,$in,"",0));	# load first 4 bytes
+	&mov("edx",	&DWP(4,$in,"",0));	# second 4 bytes
+
+	&xor("eax",	"ecx");
+	&xor("ebx",	"edx");
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+
+	&call($enc_func);
+
+	&mov("eax",	&DWP($data_off,"esp","",0));
+	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP(0,$out,"",0),"eax");
+	&mov(&DWP(4,$out,"",0),"ebx");
+
+	# eax and ebx are the next iv.
+
+	&add($in,	8);
+	&add($out,	8);
+
+	&sub($count,	8);
+	&jnz(&label("encrypt_loop"));
+
+###################################################################3
+	&set_label("encrypt_finish");
+	&mov($count,	&wparam(2));	# length
+	&and($count,	7);
+	&jz(&label("finish"));
+	&xor("ecx","ecx");
+	&xor("edx","edx");
+	&mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
+	&jmp_ptr($count);
+
+&set_label("ej7");
+	&xor("edx",		"edx") if $ppro; # ppro friendly
+	&movb(&HB("edx"),	&BP(6,$in,"",0));
+	&shl("edx",8);
+&set_label("ej6");
+	&movb(&HB("edx"),	&BP(5,$in,"",0));
+&set_label("ej5");
+	&movb(&LB("edx"),	&BP(4,$in,"",0));
+&set_label("ej4");
+	&mov("ecx",		&DWP(0,$in,"",0));
+	&jmp(&label("ejend"));
+&set_label("ej3");
+	&movb(&HB("ecx"),	&BP(2,$in,"",0));
+	&xor("ecx",		"ecx") if $ppro; # ppro friendly
+	&shl("ecx",8);
+&set_label("ej2");
+	&movb(&HB("ecx"),	&BP(1,$in,"",0));
+&set_label("ej1");
+	&movb(&LB("ecx"),	&BP(0,$in,"",0));
+&set_label("ejend");
+
+	&xor("eax",	"ecx");
+	&xor("ebx",	"edx");
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP($data_off,"esp","",0),	"eax");	# put in array for call
+	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+
+	&call($enc_func);
+
+	&mov("eax",	&DWP($data_off,"esp","",0));
+	&mov("ebx",	&DWP($data_off+4,"esp","",0));
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP(0,$out,"",0),"eax");
+	&mov(&DWP(4,$out,"",0),"ebx");
+
+	&jmp(&label("finish"));
+
+	#############################################################
+	#############################################################
+	&set_label("decrypt",1);
+	# decrypt start 
+	&and($count,0xfffffff8);
+	# The next 2 instructions are only for if the jz is taken
+	&mov("eax",	&DWP($data_off+8,"esp","",0));	# get iv[0]
+	&mov("ebx",	&DWP($data_off+12,"esp","",0));	# get iv[1]
+	&jz(&label("decrypt_finish"));
+
+	&set_label("decrypt_loop");
+	&mov("eax",	&DWP(0,$in,"",0));	# load first 4 bytes
+	&mov("ebx",	&DWP(4,$in,"",0));	# second 4 bytes
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+
+	&call($dec_func);
+
+	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov("ecx",	&DWP($data_off+8,"esp","",0));	# get iv[0]
+	&mov("edx",	&DWP($data_off+12,"esp","",0));	# get iv[1]
+
+	&xor("ecx",	"eax");
+	&xor("edx",	"ebx");
+
+	&mov("eax",	&DWP(0,$in,"",0));	# get old cipher text,
+	&mov("ebx",	&DWP(4,$in,"",0));	# next iv actually
+
+	&mov(&DWP(0,$out,"",0),"ecx");
+	&mov(&DWP(4,$out,"",0),"edx");
+
+	&mov(&DWP($data_off+8,"esp","",0),	"eax");	# save iv
+	&mov(&DWP($data_off+12,"esp","",0),	"ebx");	#
+
+	&add($in,	8);
+	&add($out,	8);
+
+	&sub($count,	8);
+	&jnz(&label("decrypt_loop"));
+############################ ENDIT #######################3
+	&set_label("decrypt_finish");
+	&mov($count,	&wparam(2));	# length
+	&and($count,	7);
+	&jz(&label("finish"));
+
+	&mov("eax",	&DWP(0,$in,"",0));	# load first 4 bytes
+	&mov("ebx",	&DWP(4,$in,"",0));	# second 4 bytes
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov(&DWP($data_off,"esp","",0),	"eax");	# put back
+	&mov(&DWP($data_off+4,"esp","",0),	"ebx");	#
+
+	&call($dec_func);
+
+	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
+	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+
+	&bswap("eax")	if $swap;
+	&bswap("ebx")	if $swap;
+
+	&mov("ecx",	&DWP($data_off+8,"esp","",0));	# get iv[0]
+	&mov("edx",	&DWP($data_off+12,"esp","",0));	# get iv[1]
+
+	&xor("ecx",	"eax");
+	&xor("edx",	"ebx");
+
+	# this is for when we exit
+	&mov("eax",	&DWP(0,$in,"",0));	# get old cipher text,
+	&mov("ebx",	&DWP(4,$in,"",0));	# next iv actually
+
+&set_label("dj7");
+	&rotr("edx",	16);
+	&movb(&BP(6,$out,"",0),	&LB("edx"));
+	&shr("edx",16);
+&set_label("dj6");
+	&movb(&BP(5,$out,"",0),	&HB("edx"));
+&set_label("dj5");
+	&movb(&BP(4,$out,"",0),	&LB("edx"));
+&set_label("dj4");
+	&mov(&DWP(0,$out,"",0),	"ecx");
+	&jmp(&label("djend"));
+&set_label("dj3");
+	&rotr("ecx",	16);
+	&movb(&BP(2,$out,"",0),	&LB("ecx"));
+	&shl("ecx",16);
+&set_label("dj2");
+	&movb(&BP(1,$in,"",0),	&HB("ecx"));
+&set_label("dj1");
+	&movb(&BP(0,$in,"",0),	&LB("ecx"));
+&set_label("djend");
+
+	# final iv is still in eax:ebx
+	&jmp(&label("finish"));
+
+
+############################ FINISH #######################3
+	&set_label("finish",1);
+	&mov("ecx",	&wparam($iv_off));	# Get iv ptr
+
+	#################################################
+	$total=16+4;
+	$total+=4 if ($p1 > 0);
+	$total+=4 if ($p2 > 0);
+	$total+=4 if ($p3 > 0);
+	&add("esp",$total);
+
+	&mov(&DWP(0,"ecx","",0),	"eax");	# save iv
+	&mov(&DWP(4,"ecx","",0),	"ebx");	# save iv
+
+	&function_end_A($name);
+
+	&set_label("cbc_enc_jmp_table",1);
+	&data_word("0");
+	&data_word(&label("ej1"));
+	&data_word(&label("ej2"));
+	&data_word(&label("ej3"));
+	&data_word(&label("ej4"));
+	&data_word(&label("ej5"));
+	&data_word(&label("ej6"));
+	&data_word(&label("ej7"));
+	&set_label("cbc_dec_jmp_table",1);
+	&data_word("0");
+	&data_word(&label("dj1"));
+	&data_word(&label("dj2"));
+	&data_word(&label("dj3"));
+	&data_word(&label("dj4"));
+	&data_word(&label("dj5"));
+	&data_word(&label("dj6"));
+	&data_word(&label("dj7"));
+
+	&function_end_B($name);
+	
+	}
+
+1;
diff --git a/crypto/openssl/crypto/perlasm/readme b/crypto/openssl/crypto/perlasm/readme
new file mode 100644
index 0000000..f02bbee
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/readme
@@ -0,0 +1,124 @@
+The perl scripts in this directory are my 'hack' to generate
+multiple different assembler formats via the one origional script.
+
+The way to use this library is to start with adding the path to this directory
+and then include it.
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+The first thing we do is setup the file and type of assember
+
+&asm_init($ARGV[0],$0);
+
+The first argument is the 'type'.  Currently
+'cpp', 'sol', 'a.out', 'elf' or 'win32'.
+Argument 2 is the file name.
+
+The reciprocal function is
+&asm_finish() which should be called at the end.
+
+There are 2 main 'packages'. x86ms.pl, which is the microsoft assembler,
+and x86unix.pl which is the unix (gas) version.
+
+Functions of interest are:
+&external_label("des_SPtrans");	declare and external variable
+&LB(reg);			Low byte for a register
+&HB(reg);			High byte for a register
+&BP(off,base,index,scale)	Byte pointer addressing
+&DWP(off,base,index,scale)	Word pointer addressing
+&stack_push(num)		Basically a 'sub esp, num*4' with extra
+&stack_pop(num)			inverse of stack_push
+&function_begin(name,extra)	Start a function with pushing of
+				edi, esi, ebx and ebp.  extra is extra win32
+				external info that may be required.
+&function_begin_B(name,extra)	Same as norma function_begin but no pushing.
+&function_end(name)		Call at end of function.
+&function_end_A(name)		Standard pop and ret, for use inside functions
+&function_end_B(name)		Call at end but with poping or 'ret'.
+&swtmp(num)			Address on stack temp word.
+&wparam(num)			Parameter number num, that was push
+				in C convention.  This all works over pushes
+				and pops.
+&comment("hello there")		Put in a comment.
+&label("loop")			Refer to a label, normally a jmp target.
+&set_label("loop")		Set a label at this point.
+&data_word(word)		Put in a word of data.
+
+So how does this all hold together?  Given
+
+int calc(int len, int *data)
+	{
+	int i,j=0;
+
+	for (i=0; i<len; i++)
+		{
+		j+=other(data[i]);
+		}
+	}
+
+So a very simple version of this function could be coded as
+
+	push(@INC,"perlasm","../../perlasm");
+	require "x86asm.pl";
+	
+	&asm_init($ARGV[0],"cacl.pl");
+
+	&external_label("other");
+
+	$tmp1=	"eax";
+	$j=	"edi";
+	$data=	"esi";
+	$i=	"ebp";
+
+	&comment("a simple function");
+	&function_begin("calc");
+	&mov(	$data,		&wparam(1)); # data
+	&xor(	$j,		$j);
+	&xor(	$i,		$i);
+
+	&set_label("loop");
+	&cmp(	$i,		&wparam(0));
+	&jge(	&label("end"));
+
+	&mov(	$tmp1,		&DWP(0,$data,$i,4));
+	&push(	$tmp1);
+	&call(	"other");
+	&add(	$j,		"eax");
+	&pop(	$tmp1);
+	&inc(	$i);
+	&jmp(	&label("loop"));
+
+	&set_label("end");
+	&mov(	"eax",		$j);
+
+	&function_end("calc");
+
+	&asm_finish();
+
+The above example is very very unoptimised but gives an idea of how
+things work.
+
+There is also a cbc mode function generator in cbc.pl
+
+&cbc(	$name,
+	$encrypt_function_name,
+	$decrypt_function_name,
+	$true_if_byte_swap_needed,
+	$parameter_number_for_iv,
+	$parameter_number_for_encrypt_flag,
+	$first_parameter_to_pass,
+	$second_parameter_to_pass,
+	$third_parameter_to_pass);
+
+So for example, given
+void BF_encrypt(BF_LONG *data,BF_KEY *key);
+void BF_decrypt(BF_LONG *data,BF_KEY *key);
+void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+        BF_KEY *ks, unsigned char *iv, int enc);
+
+&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",1,4,5,3,-1,-1);
+
+&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
+&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
+
diff --git a/crypto/openssl/crypto/perlasm/x86asm.pl b/crypto/openssl/crypto/perlasm/x86asm.pl
new file mode 100644
index 0000000..81c6e64
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/x86asm.pl
@@ -0,0 +1,118 @@
+#!/usr/local/bin/perl
+
+# require 'x86asm.pl';
+# &asm_init("cpp","des-586.pl");
+# XXX
+# XXX
+# main'asm_finish
+
+sub main'asm_finish
+	{
+	&file_end();
+	&asm_finish_cpp() if $cpp;
+	print &asm_get_output();
+	}
+
+sub main'asm_init
+	{
+	($type,$fn,$i386)=@_;
+	$filename=$fn;
+
+	$cpp=$sol=$aout=$win32=$gaswin=0;
+	if (	($type eq "elf"))
+		{ require "x86unix.pl"; }
+	elsif (	($type eq "a.out"))
+		{ $aout=1; require "x86unix.pl"; }
+	elsif (	($type eq "gaswin"))
+		{ $gaswin=1; $aout=1; require "x86unix.pl"; }
+	elsif (	($type eq "sol"))
+		{ $sol=1; require "x86unix.pl"; }
+	elsif (	($type eq "cpp"))
+		{ $cpp=1; require "x86unix.pl"; }
+	elsif (	($type eq "win32"))
+		{ $win32=1; require "x86ms.pl"; }
+	elsif (	($type eq "win32n"))
+		{ $win32=1; require "x86nasm.pl"; }
+	else
+		{
+		print STDERR <<"EOF";
+Pick one target type from
+	elf	- linux, FreeBSD etc
+	a.out	- old linux
+	sol	- x86 solaris
+	cpp	- format so x86unix.cpp can be used
+	win32	- Windows 95/Windows NT
+	win32n	- Windows 95/Windows NT NASM format
+EOF
+		exit(1);
+		}
+
+	&asm_init_output();
+
+&comment("Don't even think of reading this code");
+&comment("It was automatically generated by $filename");
+&comment("Which is a perl program used to generate the x86 assember for");
+&comment("any of elf, a.out, BSDI, Win32, gaswin (for GNU as on Win32) or Solaris");
+&comment("eric <eay\@cryptsoft.com>");
+&comment("");
+
+	$filename =~ s/\.pl$//;
+	&file($filename);
+	}
+
+sub asm_finish_cpp
+	{
+	return unless $cpp;
+
+	local($tmp,$i);
+	foreach $i (&get_labels())
+		{
+		$tmp.="#define $i _$i\n";
+		}
+	print <<"EOF";
+/* Run the C pre-processor over this file with one of the following defined
+ * ELF - elf object files,
+ * OUT - a.out object files,
+ * BSDI - BSDI style a.out object files
+ * SOL - Solaris style elf
+ */
+
+#define TYPE(a,b)       .type   a,b
+#define SIZE(a,b)       .size   a,b
+
+#if defined(OUT) || (defined(BSDI) && !defined(ELF))
+$tmp
+#endif
+
+#ifdef OUT
+#define OK	1
+#define ALIGN	4
+#endif
+
+#if defined(BSDI) && !defined(ELF)
+#define OK              1
+#define ALIGN           4
+#undef SIZE
+#undef TYPE
+#define SIZE(a,b)
+#define TYPE(a,b)
+#endif
+
+#if defined(ELF) || defined(SOL)
+#define OK              1
+#define ALIGN           16
+#endif
+
+#ifndef OK
+You need to define one of
+ELF - elf systems - linux-elf, NetBSD and DG-UX
+OUT - a.out systems - linux-a.out and FreeBSD
+SOL - solaris systems, which are elf with strange comment lines
+BSDI - a.out with a very primative version of as.
+#endif
+
+/* Let the Assembler begin :-) */
+EOF
+	}
+
+1;
diff --git a/crypto/openssl/crypto/perlasm/x86ms.pl b/crypto/openssl/crypto/perlasm/x86ms.pl
new file mode 100644
index 0000000..2064523
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/x86ms.pl
@@ -0,0 +1,365 @@
+#!/usr/local/bin/perl
+
+package x86ms;
+
+$label="L000";
+
+%lb=(	'eax',	'al',
+	'ebx',	'bl',
+	'ecx',	'cl',
+	'edx',	'dl',
+	'ax',	'al',
+	'bx',	'bl',
+	'cx',	'cl',
+	'dx',	'dl',
+	);
+
+%hb=(	'eax',	'ah',
+	'ebx',	'bh',
+	'ecx',	'ch',
+	'edx',	'dh',
+	'ax',	'ah',
+	'bx',	'bh',
+	'cx',	'ch',
+	'dx',	'dh',
+	);
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+sub main'external_label { push(@labels,@_); }
+
+sub main'LB
+	{
+	(defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
+	return($lb{$_[0]});
+	}
+
+sub main'HB
+	{
+	(defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
+	return($hb{$_[0]});
+	}
+
+sub main'BP
+	{
+	&get_mem("BYTE",@_);
+	}
+
+sub main'DWP
+	{
+	&get_mem("DWORD",@_);
+	}
+
+sub main'BC
+	{
+	return @_;
+	}
+
+sub main'DWC
+	{
+	return @_;
+	}
+
+sub main'stack_push
+	{
+	local($num)=@_;
+	$stack+=$num*4;
+	&main'sub("esp",$num*4);
+	}
+
+sub main'stack_pop
+	{
+	local($num)=@_;
+	$stack-=$num*4;
+	&main'add("esp",$num*4);
+	}
+
+sub get_mem
+	{
+	local($size,$addr,$reg1,$reg2,$idx)=@_;
+	local($t,$post);
+	local($ret)="$size PTR ";
+
+	$addr =~ s/^\s+//;
+	if ($addr =~ /^(.+)\+(.+)$/)
+		{
+		$reg2=&conv($1);
+		$addr="_$2";
+		}
+	elsif ($addr =~ /^[_a-zA-Z]/)
+		{
+		$addr="_$addr";
+		}
+
+	$reg1="$regs{$reg1}" if defined($regs{$reg1});
+	$reg2="$regs{$reg2}" if defined($regs{$reg2});
+	if (($addr ne "") && ($addr ne 0))
+		{
+		if ($addr !~ /^-/)
+			{ $ret.=$addr; }
+		else	{ $post=$addr; }
+		}
+	if ($reg2 ne "")
+		{
+		$t="";
+		$t="*$idx" if ($idx != 0);
+		$reg1="+".$reg1 if ("$reg1$post" ne "");
+		$ret.="[$reg2$t$reg1$post]";
+		}
+	else
+		{
+		$ret.="[$reg1$post]"
+		}
+	return($ret);
+	}
+
+sub main'mov	{ &out2("mov",@_); }
+sub main'movb	{ &out2("mov",@_); }
+sub main'and	{ &out2("and",@_); }
+sub main'or	{ &out2("or",@_); }
+sub main'shl	{ &out2("shl",@_); }
+sub main'shr	{ &out2("shr",@_); }
+sub main'xor	{ &out2("xor",@_); }
+sub main'xorb	{ &out2("xor",@_); }
+sub main'add	{ &out2("add",@_); }
+sub main'adc	{ &out2("adc",@_); }
+sub main'sub	{ &out2("sub",@_); }
+sub main'rotl	{ &out2("rol",@_); }
+sub main'rotr	{ &out2("ror",@_); }
+sub main'exch	{ &out2("xchg",@_); }
+sub main'cmp	{ &out2("cmp",@_); }
+sub main'lea	{ &out2("lea",@_); }
+sub main'mul	{ &out1("mul",@_); }
+sub main'div	{ &out1("div",@_); }
+sub main'dec	{ &out1("dec",@_); }
+sub main'inc	{ &out1("inc",@_); }
+sub main'jmp	{ &out1("jmp",@_); }
+sub main'jmp_ptr { &out1p("jmp",@_); }
+sub main'je	{ &out1("je",@_); }
+sub main'jle	{ &out1("jle",@_); }
+sub main'jz	{ &out1("jz",@_); }
+sub main'jge	{ &out1("jge",@_); }
+sub main'jl	{ &out1("jl",@_); }
+sub main'jb	{ &out1("jb",@_); }
+sub main'jc	{ &out1("jc",@_); }
+sub main'jnc	{ &out1("jnc",@_); }
+sub main'jnz	{ &out1("jnz",@_); }
+sub main'jne	{ &out1("jne",@_); }
+sub main'jno	{ &out1("jno",@_); }
+sub main'push	{ &out1("push",@_); $stack+=4; }
+sub main'pop	{ &out1("pop",@_); $stack-=4; }
+sub main'bswap	{ &out1("bswap",@_); &using486(); }
+sub main'not	{ &out1("not",@_); }
+sub main'call	{ &out1("call",'_'.$_[0]); }
+sub main'ret	{ &out0("ret"); }
+sub main'nop	{ &out0("nop"); }
+
+sub out2
+	{
+	local($name,$p1,$p2)=@_;
+	local($l,$t);
+
+	push(@out,"\t$name\t");
+	$t=&conv($p1).",";
+	$l=length($t);
+	push(@out,$t);
+	$l=4-($l+9)/8;
+	push(@out,"\t" x $l);
+	push(@out,&conv($p2));
+	push(@out,"\n");
+	}
+
+sub out0
+	{
+	local($name)=@_;
+
+	push(@out,"\t$name\n");
+	}
+
+sub out1
+	{
+	local($name,$p1)=@_;
+	local($l,$t);
+
+	push(@out,"\t$name\t".&conv($p1)."\n");
+	}
+
+sub conv
+	{
+	local($p)=@_;
+
+	$p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
+	return $p;
+	}
+
+sub using486
+	{
+	return if $using486;
+	$using486++;
+	grep(s/\.386/\.486/,@out);
+	}
+
+sub main'file
+	{
+	local($file)=@_;
+
+	local($tmp)=<<"EOF";
+	TITLE	$file.asm
+        .386
+.model FLAT
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'function_begin
+	{
+	local($func,$extra)=@_;
+
+	push(@labels,$func);
+
+	local($tmp)=<<"EOF";
+_TEXT	SEGMENT
+PUBLIC	_$func
+$extra
+_$func PROC NEAR
+	push	ebp
+	push	ebx
+	push	esi
+	push	edi
+EOF
+	push(@out,$tmp);
+	$stack=20;
+	}
+
+sub main'function_begin_B
+	{
+	local($func,$extra)=@_;
+
+	local($tmp)=<<"EOF";
+_TEXT	SEGMENT
+PUBLIC	_$func
+$extra
+_$func PROC NEAR
+EOF
+	push(@out,$tmp);
+	$stack=4;
+	}
+
+sub main'function_end
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+	pop	edi
+	pop	esi
+	pop	ebx
+	pop	ebp
+	ret
+_$func ENDP
+_TEXT	ENDS
+EOF
+	push(@out,$tmp);
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_B
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+_$func ENDP
+_TEXT	ENDS
+EOF
+	push(@out,$tmp);
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_A
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+	pop	edi
+	pop	esi
+	pop	ebx
+	pop	ebp
+	ret
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'file_end
+	{
+	push(@out,"END\n");
+	}
+
+sub main'wparam
+	{
+	local($num)=@_;
+
+	return(&main'DWP($stack+$num*4,"esp","",0));
+	}
+
+sub main'swtmp
+	{
+	return(&main'DWP($_[0]*4,"esp","",0));
+	}
+
+# Should use swtmp, which is above esp.  Linix can trash the stack above esp
+#sub main'wtmp
+#	{
+#	local($num)=@_;
+#
+#	return(&main'DWP(-(($num+1)*4),"esp","",0));
+#	}
+
+sub main'comment
+	{
+	foreach (@_)
+		{
+		push(@out,"\t; $_\n");
+		}
+	}
+
+sub main'label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}="\$${label}${_[0]}";
+		$label++;
+		}
+	return($label{$_[0]});
+	}
+
+sub main'set_label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}="${label}${_[0]}";
+		$label++;
+		}
+	if((defined $_[2]) && ($_[2] == 1))
+		{
+		push(@out,"$label{$_[0]}::\n");
+		}
+	else
+		{
+		push(@out,"$label{$_[0]}:\n");
+		}
+	}
+
+sub main'data_word
+	{
+	push(@out,"\tDD\t$_[0]\n");
+	}
+
+sub out1p
+	{
+	local($name,$p1)=@_;
+	local($l,$t);
+
+	push(@out,"\t$name\t ".&conv($p1)."\n");
+	}
diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl
new file mode 100644
index 0000000..b4da364
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/x86nasm.pl
@@ -0,0 +1,342 @@
+#!/usr/local/bin/perl
+
+package x86nasm;
+
+$label="L000";
+
+%lb=(	'eax',	'al',
+	'ebx',	'bl',
+	'ecx',	'cl',
+	'edx',	'dl',
+	'ax',	'al',
+	'bx',	'bl',
+	'cx',	'cl',
+	'dx',	'dl',
+	);
+
+%hb=(	'eax',	'ah',
+	'ebx',	'bh',
+	'ecx',	'ch',
+	'edx',	'dh',
+	'ax',	'ah',
+	'bx',	'bh',
+	'cx',	'ch',
+	'dx',	'dh',
+	);
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+
+sub main'external_label
+{
+	push(@labels,@_);
+	foreach (@_) {
+		push(@out, "extern\t_$_\n");
+	}
+}
+
+sub main'LB
+	{
+	(defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
+	return($lb{$_[0]});
+	}
+
+sub main'HB
+	{
+	(defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
+	return($hb{$_[0]});
+	}
+
+sub main'BP
+	{
+	&get_mem("BYTE",@_);
+	}
+
+sub main'DWP
+	{
+	&get_mem("DWORD",@_);
+	}
+
+sub main'BC
+	{
+	return "BYTE @_";
+	}
+
+sub main'DWC
+	{
+	return "DWORD @_";
+	}
+
+sub main'stack_push
+	{
+	my($num)=@_;
+	$stack+=$num*4;
+	&main'sub("esp",$num*4);
+	}
+
+sub main'stack_pop
+	{
+	my($num)=@_;
+	$stack-=$num*4;
+	&main'add("esp",$num*4);
+	}
+
+sub get_mem
+	{
+	my($size,$addr,$reg1,$reg2,$idx)=@_;
+	my($t,$post);
+	my($ret)="[";
+	$addr =~ s/^\s+//;
+	if ($addr =~ /^(.+)\+(.+)$/)
+		{
+		$reg2=&conv($1);
+		$addr="_$2";
+		}
+	elsif ($addr =~ /^[_a-zA-Z]/)
+		{
+		$addr="_$addr";
+		}
+
+	$reg1="$regs{$reg1}" if defined($regs{$reg1});
+	$reg2="$regs{$reg2}" if defined($regs{$reg2});
+	if (($addr ne "") && ($addr ne 0))
+		{
+		if ($addr !~ /^-/)
+			{ $ret.="${addr}+"; }
+		else	{ $post=$addr; }
+		}
+	if ($reg2 ne "")
+		{
+		$t="";
+		$t="*$idx" if ($idx != 0);
+		$reg1="+".$reg1 if ("$reg1$post" ne "");
+		$ret.="$reg2$t$reg1$post]";
+		}
+	else
+		{
+		$ret.="$reg1$post]"
+		}
+	return($ret);
+	}
+
+sub main'mov	{ &out2("mov",@_); }
+sub main'movb	{ &out2("mov",@_); }
+sub main'and	{ &out2("and",@_); }
+sub main'or	{ &out2("or",@_); }
+sub main'shl	{ &out2("shl",@_); }
+sub main'shr	{ &out2("shr",@_); }
+sub main'xor	{ &out2("xor",@_); }
+sub main'xorb	{ &out2("xor",@_); }
+sub main'add	{ &out2("add",@_); }
+sub main'adc	{ &out2("adc",@_); }
+sub main'sub	{ &out2("sub",@_); }
+sub main'rotl	{ &out2("rol",@_); }
+sub main'rotr	{ &out2("ror",@_); }
+sub main'exch	{ &out2("xchg",@_); }
+sub main'cmp	{ &out2("cmp",@_); }
+sub main'lea	{ &out2("lea",@_); }
+sub main'mul	{ &out1("mul",@_); }
+sub main'div	{ &out1("div",@_); }
+sub main'dec	{ &out1("dec",@_); }
+sub main'inc	{ &out1("inc",@_); }
+sub main'jmp	{ &out1("jmp",@_); }
+sub main'jmp_ptr { &out1p("jmp",@_); }
+
+# This is a bit of a kludge: declare all branches as NEAR.
+sub main'je	{ &out1("je NEAR",@_); }
+sub main'jle	{ &out1("jle NEAR",@_); }
+sub main'jz	{ &out1("jz NEAR",@_); }
+sub main'jge	{ &out1("jge NEAR",@_); }
+sub main'jl	{ &out1("jl NEAR",@_); }
+sub main'jb	{ &out1("jb NEAR",@_); }
+sub main'jc	{ &out1("jc NEAR",@_); }
+sub main'jnc	{ &out1("jnc NEAR",@_); }
+sub main'jnz	{ &out1("jnz NEAR",@_); }
+sub main'jne	{ &out1("jne NEAR",@_); }
+sub main'jno	{ &out1("jno NEAR",@_); }
+
+sub main'push	{ &out1("push",@_); $stack+=4; }
+sub main'pop	{ &out1("pop",@_); $stack-=4; }
+sub main'bswap	{ &out1("bswap",@_); &using486(); }
+sub main'not	{ &out1("not",@_); }
+sub main'call	{ &out1("call",'_'.$_[0]); }
+sub main'ret	{ &out0("ret"); }
+sub main'nop	{ &out0("nop"); }
+
+sub out2
+	{
+	my($name,$p1,$p2)=@_;
+	my($l,$t);
+
+	push(@out,"\t$name\t");
+	$t=&conv($p1).",";
+	$l=length($t);
+	push(@out,$t);
+	$l=4-($l+9)/8;
+	push(@out,"\t" x $l);
+	push(@out,&conv($p2));
+	push(@out,"\n");
+	}
+
+sub out0
+	{
+	my($name)=@_;
+
+	push(@out,"\t$name\n");
+	}
+
+sub out1
+	{
+	my($name,$p1)=@_;
+	my($l,$t);
+	push(@out,"\t$name\t".&conv($p1)."\n");
+	}
+
+sub conv
+	{
+	my($p)=@_;
+	$p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
+	return $p;
+	}
+
+sub using486
+	{
+	return if $using486;
+	$using486++;
+	grep(s/\.386/\.486/,@out);
+	}
+
+sub main'file
+	{
+	push(@out, "segment .text\n");
+	}
+
+sub main'function_begin
+	{
+	my($func,$extra)=@_;
+
+	push(@labels,$func);
+	my($tmp)=<<"EOF";
+global	_$func
+_$func:
+	push	ebp
+	push	ebx
+	push	esi
+	push	edi
+EOF
+	push(@out,$tmp);
+	$stack=20;
+	}
+
+sub main'function_begin_B
+	{
+	my($func,$extra)=@_;
+	my($tmp)=<<"EOF";
+global	_$func
+_$func:
+EOF
+	push(@out,$tmp);
+	$stack=4;
+	}
+
+sub main'function_end
+	{
+	my($func)=@_;
+
+	my($tmp)=<<"EOF";
+	pop	edi
+	pop	esi
+	pop	ebx
+	pop	ebp
+	ret
+EOF
+	push(@out,$tmp);
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_B
+	{
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_A
+	{
+	my($func)=@_;
+
+	my($tmp)=<<"EOF";
+	pop	edi
+	pop	esi
+	pop	ebx
+	pop	ebp
+	ret
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'file_end
+	{
+	}
+
+sub main'wparam
+	{
+	my($num)=@_;
+
+	return(&main'DWP($stack+$num*4,"esp","",0));
+	}
+
+sub main'swtmp
+	{
+	return(&main'DWP($_[0]*4,"esp","",0));
+	}
+
+# Should use swtmp, which is above esp.  Linix can trash the stack above esp
+#sub main'wtmp
+#	{
+#	my($num)=@_;
+#
+#	return(&main'DWP(-(($num+1)*4),"esp","",0));
+#	}
+
+sub main'comment
+	{
+	foreach (@_)
+		{
+		push(@out,"\t; $_\n");
+		}
+	}
+
+sub main'label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}="\$${label}${_[0]}";
+		$label++;
+		}
+	return($label{$_[0]});
+	}
+
+sub main'set_label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}="${label}${_[0]}";
+		$label++;
+		}
+	push(@out,"$label{$_[0]}:\n");
+	}
+
+sub main'data_word
+	{
+	push(@out,"\tDD\t$_[0]\n");
+	}
+
+sub out1p
+	{
+	my($name,$p1)=@_;
+	my($l,$t);
+
+	push(@out,"\t$name\t ".&conv($p1)."\n");
+	}
diff --git a/crypto/openssl/crypto/perlasm/x86unix.pl b/crypto/openssl/crypto/perlasm/x86unix.pl
new file mode 100644
index 0000000..309060e
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/x86unix.pl
@@ -0,0 +1,461 @@
+#!/usr/local/bin/perl
+
+package x86unix;
+
+$label="L000";
+
+$align=($main'aout)?"4":"16";
+$under=($main'aout)?"_":"";
+$com_start=($main'sol)?"/":"#";
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+sub main'external_label { push(@labels,@_); }
+
+if ($main'cpp)
+	{
+	$align="ALIGN";
+	$under="";
+	$com_start='/*';
+	$com_end='*/';
+	}
+
+%lb=(	'eax',	'%al',
+	'ebx',	'%bl',
+	'ecx',	'%cl',
+	'edx',	'%dl',
+	'ax',	'%al',
+	'bx',	'%bl',
+	'cx',	'%cl',
+	'dx',	'%dl',
+	);
+
+%hb=(	'eax',	'%ah',
+	'ebx',	'%bh',
+	'ecx',	'%ch',
+	'edx',	'%dh',
+	'ax',	'%ah',
+	'bx',	'%bh',
+	'cx',	'%ch',
+	'dx',	'%dh',
+	);
+
+%regs=(	'eax',	'%eax',
+	'ebx',	'%ebx',
+	'ecx',	'%ecx',
+	'edx',	'%edx',
+	'esi',	'%esi',
+	'edi',	'%edi',
+	'ebp',	'%ebp',
+	'esp',	'%esp',
+	);
+
+%reg_val=(
+	'eax',	0x00,
+	'ebx',	0x03,
+	'ecx',	0x01,
+	'edx',	0x02,
+	'esi',	0x06,
+	'edi',	0x07,
+	'ebp',	0x05,
+	'esp',	0x04,
+	);
+
+sub main'LB
+	{
+	(defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
+	return($lb{$_[0]});
+	}
+
+sub main'HB
+	{
+	(defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
+	return($hb{$_[0]});
+	}
+
+sub main'DWP
+	{
+	local($addr,$reg1,$reg2,$idx)=@_;
+
+	$ret="";
+	$addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
+	$reg1="$regs{$reg1}" if defined($regs{$reg1});
+	$reg2="$regs{$reg2}" if defined($regs{$reg2});
+	$ret.=$addr if ($addr ne "") && ($addr ne 0);
+	if ($reg2 ne "")
+		{
+		if($idx ne "")
+		    { $ret.="($reg1,$reg2,$idx)"; }
+		else
+		    { $ret.="($reg1,$reg2)"; }
+	        }
+	else
+		{ $ret.="($reg1)" }
+	return($ret);
+	}
+
+sub main'BP
+	{
+	return(&main'DWP(@_));
+	}
+
+sub main'BC
+	{
+	return @_;
+	}
+
+sub main'DWC
+	{
+	return @_;
+	}
+
+#sub main'BP
+#	{
+#	local($addr,$reg1,$reg2,$idx)=@_;
+#
+#	$ret="";
+#
+#	$addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
+#	$reg1="$regs{$reg1}" if defined($regs{$reg1});
+#	$reg2="$regs{$reg2}" if defined($regs{$reg2});
+#	$ret.=$addr if ($addr ne "") && ($addr ne 0);
+#	if ($reg2 ne "")
+#		{ $ret.="($reg1,$reg2,$idx)"; }
+#	else
+#		{ $ret.="($reg1)" }
+#	return($ret);
+#	}
+
+sub main'mov	{ &out2("movl",@_); }
+sub main'movb	{ &out2("movb",@_); }
+sub main'and	{ &out2("andl",@_); }
+sub main'or	{ &out2("orl",@_); }
+sub main'shl	{ &out2("sall",@_); }
+sub main'shr	{ &out2("shrl",@_); }
+sub main'xor	{ &out2("xorl",@_); }
+sub main'xorb	{ &out2("xorb",@_); }
+sub main'add	{ &out2("addl",@_); }
+sub main'adc	{ &out2("adcl",@_); }
+sub main'sub	{ &out2("subl",@_); }
+sub main'rotl	{ &out2("roll",@_); }
+sub main'rotr	{ &out2("rorl",@_); }
+sub main'exch	{ &out2("xchg",@_); }
+sub main'cmp	{ &out2("cmpl",@_); }
+sub main'lea	{ &out2("leal",@_); }
+sub main'mul	{ &out1("mull",@_); }
+sub main'div	{ &out1("divl",@_); }
+sub main'jmp	{ &out1("jmp",@_); }
+sub main'jmp_ptr { &out1p("jmp",@_); }
+sub main'je	{ &out1("je",@_); }
+sub main'jle	{ &out1("jle",@_); }
+sub main'jne	{ &out1("jne",@_); }
+sub main'jnz	{ &out1("jnz",@_); }
+sub main'jz	{ &out1("jz",@_); }
+sub main'jge	{ &out1("jge",@_); }
+sub main'jl	{ &out1("jl",@_); }
+sub main'jb	{ &out1("jb",@_); }
+sub main'jc	{ &out1("jc",@_); }
+sub main'jnc	{ &out1("jnc",@_); }
+sub main'jno	{ &out1("jno",@_); }
+sub main'dec	{ &out1("decl",@_); }
+sub main'inc	{ &out1("incl",@_); }
+sub main'push	{ &out1("pushl",@_); $stack+=4; }
+sub main'pop	{ &out1("popl",@_); $stack-=4; }
+sub main'not	{ &out1("notl",@_); }
+sub main'call	{ &out1("call",$under.$_[0]); }
+sub main'ret	{ &out0("ret"); }
+sub main'nop	{ &out0("nop"); }
+
+# The bswapl instruction is new for the 486. Emulate if i386.
+sub main'bswap
+	{
+	if ($main'i386)
+		{
+		&main'comment("bswapl @_");
+		&main'exch(main'HB(@_),main'LB(@_));
+		&main'rotr(@_,16);
+		&main'exch(main'HB(@_),main'LB(@_));
+		}
+	else
+		{
+		&out1("bswapl",@_);
+		}
+	}
+
+sub out2
+	{
+	local($name,$p1,$p2)=@_;
+	local($l,$ll,$t);
+	local(%special)=(	"roll",0xD1C0,"rorl",0xD1C8,
+				"rcll",0xD1D0,"rcrl",0xD1D8,
+				"shll",0xD1E0,"shrl",0xD1E8,
+				"sarl",0xD1F8);
+	
+	if ((defined($special{$name})) && defined($regs{$p1}) && ($p2 == 1))
+		{
+		$op=$special{$name}|$reg_val{$p1};
+		$tmp1=sprintf(".byte %d\n",($op>>8)&0xff);
+		$tmp2=sprintf(".byte %d\t",$op     &0xff);
+		push(@out,$tmp1);
+		push(@out,$tmp2);
+
+		$p2=&conv($p2);
+		$p1=&conv($p1);
+		&main'comment("$name $p2 $p1");
+		return;
+		}
+
+	push(@out,"\t$name\t");
+	$t=&conv($p2).",";
+	$l=length($t);
+	push(@out,$t);
+	$ll=4-($l+9)/8;
+	$tmp1=sprintf("\t" x $ll);
+	push(@out,$tmp1);
+	push(@out,&conv($p1)."\n");
+	}
+
+sub out1
+	{
+	local($name,$p1)=@_;
+	local($l,$t);
+	local(%special)=("bswapl",0x0FC8);
+
+	if ((defined($special{$name})) && defined($regs{$p1}))
+		{
+		$op=$special{$name}|$reg_val{$p1};
+		$tmp1=sprintf(".byte %d\n",($op>>8)&0xff);
+		$tmp2=sprintf(".byte %d\t",$op     &0xff);
+		push(@out,$tmp1);
+		push(@out,$tmp2);
+
+		$p2=&conv($p2);
+		$p1=&conv($p1);
+		&main'comment("$name $p2 $p1");
+		return;
+		}
+
+	push(@out,"\t$name\t".&conv($p1)."\n");
+	}
+
+sub out1p
+	{
+	local($name,$p1)=@_;
+	local($l,$t);
+
+	push(@out,"\t$name\t*".&conv($p1)."\n");
+	}
+
+sub out0
+	{
+	push(@out,"\t$_[0]\n");
+	}
+
+sub conv
+	{
+	local($p)=@_;
+
+#	$p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
+
+	$p=$regs{$p} if (defined($regs{$p}));
+
+	$p =~ s/^(-{0,1}[0-9A-Fa-f]+)$/\$$1/;
+	$p =~ s/^(0x[0-9A-Fa-f]+)$/\$$1/;
+	return $p;
+	}
+
+sub main'file
+	{
+	local($file)=@_;
+
+	local($tmp)=<<"EOF";
+	.file	"$file.s"
+	.version	"01.01"
+gcc2_compiled.:
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'function_begin
+	{
+	local($func)=@_;
+
+	&main'external_label($func);
+	$func=$under.$func;
+
+	local($tmp)=<<"EOF";
+.text
+	.align $align
+.globl $func
+EOF
+	push(@out,$tmp);
+	if ($main'cpp)
+		{ $tmp=push(@out,"\tTYPE($func,\@function)\n"); }
+	elsif ($main'gaswin)
+		{ $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
+	else	{ $tmp=push(@out,"\t.type\t$func,\@function\n"); }
+	push(@out,"$func:\n");
+	$tmp=<<"EOF";
+	pushl	%ebp
+	pushl	%ebx
+	pushl	%esi
+	pushl	%edi
+
+EOF
+	push(@out,$tmp);
+	$stack=20;
+	}
+
+sub main'function_begin_B
+	{
+	local($func,$extra)=@_;
+
+	&main'external_label($func);
+	$func=$under.$func;
+
+	local($tmp)=<<"EOF";
+.text
+	.align $align
+.globl $func
+EOF
+	push(@out,$tmp);
+	if ($main'cpp)
+		{ push(@out,"\tTYPE($func,\@function)\n"); }
+	elsif ($main'gaswin)
+		{ $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
+	else	{ push(@out,"\t.type	$func,\@function\n"); }
+	push(@out,"$func:\n");
+	$stack=4;
+	}
+
+sub main'function_end
+	{
+	local($func)=@_;
+
+	$func=$under.$func;
+
+	local($tmp)=<<"EOF";
+	popl	%edi
+	popl	%esi
+	popl	%ebx
+	popl	%ebp
+	ret
+.${func}_end:
+EOF
+	push(@out,$tmp);
+	if ($main'cpp)
+		{ push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
+	elsif ($main'gaswin)
+                { $tmp=push(@out,"\t.align 4\n"); }
+	else	{ push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
+	push(@out,".ident	\"$func\"\n");
+	$stack=0;
+	%label=();
+	}
+
+sub main'function_end_A
+	{
+	local($func)=@_;
+
+	local($tmp)=<<"EOF";
+	popl	%edi
+	popl	%esi
+	popl	%ebx
+	popl	%ebp
+	ret
+EOF
+	push(@out,$tmp);
+	}
+
+sub main'function_end_B
+	{
+	local($func)=@_;
+
+	$func=$under.$func;
+
+	push(@out,".L_${func}_end:\n");
+	if ($main'cpp)
+		{ push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
+        elsif ($main'gaswin)
+                { push(@out,"\t.align 4\n"); }
+	else	{ push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
+	push(@out,".ident	\"desasm.pl\"\n");
+	$stack=0;
+	%label=();
+	}
+
+sub main'wparam
+	{
+	local($num)=@_;
+
+	return(&main'DWP($stack+$num*4,"esp","",0));
+	}
+
+sub main'stack_push
+	{
+	local($num)=@_;
+	$stack+=$num*4;
+	&main'sub("esp",$num*4);
+	}
+
+sub main'stack_pop
+	{
+	local($num)=@_;
+	$stack-=$num*4;
+	&main'add("esp",$num*4);
+	}
+
+sub main'swtmp
+	{
+	return(&main'DWP($_[0]*4,"esp","",0));
+	}
+
+# Should use swtmp, which is above esp.  Linix can trash the stack above esp
+#sub main'wtmp
+#	{
+#	local($num)=@_;
+#
+#	return(&main'DWP(-($num+1)*4,"esp","",0));
+#	}
+
+sub main'comment
+	{
+	foreach (@_)
+		{
+		if (/^\s*$/)
+			{ push(@out,"\n"); }
+		else
+			{ push(@out,"\t$com_start $_ $com_end\n"); }
+		}
+	}
+
+sub main'label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}=".${label}${_[0]}";
+		$label++;
+		}
+	return($label{$_[0]});
+	}
+
+sub main'set_label
+	{
+	if (!defined($label{$_[0]}))
+		{
+		$label{$_[0]}=".${label}${_[0]}";
+		$label++;
+		}
+	push(@out,".align $align\n") if ($_[1] != 0);
+	push(@out,"$label{$_[0]}:\n");
+	}
+
+sub main'file_end
+	{
+	}
+
+sub main'data_word
+	{
+	push(@out,"\t.long $_[0]\n");
+	}
diff --git a/crypto/openssl/crypto/pkcs12/Makefile.save b/crypto/openssl/crypto/pkcs12/Makefile.save
new file mode 100644
index 0000000..ea97ab0
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/Makefile.save
@@ -0,0 +1,363 @@
+#
+# SSLeay/crypto/pkcs12/Makefile
+#
+
+DIR=	pkcs12
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c p12_decr.c \
+	p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c p12_mutl.c\
+	p12_sbag.c p12_utl.c p12_npas.c pk12err.c
+LIBOBJ= p12_add.o p12_attr.o p12_bags.o p12_crpt.o p12_crt.o p12_decr.o \
+	p12_init.o p12_key.o p12_kiss.o p12_lib.o p12_mac.o p12_mutl.o\
+	p12_sbag.o p12_utl.o p12_npas.o pk12err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  pkcs12.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+p12_add.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_add.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_add.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_add.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_add.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_add.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_add.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_add.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_add.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_add.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_add.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_add.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_add.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_attr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_attr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_attr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_attr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_attr.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_attr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_bags.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_bags.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_bags.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_bags.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_bags.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_bags.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_bags.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_bags.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_bags.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_bags.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_bags.o: ../../include/openssl/opensslconf.h
+p12_bags.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_bags.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_bags.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_bags.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_bags.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_bags.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_bags.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_crpt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crpt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_crpt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_crpt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crpt.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_crt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_crt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_crt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_crt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_crt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_crt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_crt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_crt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_crt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_crt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crt.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_crt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_decr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_decr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_decr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_decr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_decr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_decr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_decr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_decr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_decr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_decr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_decr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_decr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_decr.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_decr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_init.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_init.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_init.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_init.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_init.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_init.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_init.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_init.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_init.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_key.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_key.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_key.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_key.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_key.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_kiss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_kiss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_kiss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_kiss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_kiss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_kiss.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_kiss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_kiss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_kiss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_kiss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_kiss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_kiss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_kiss.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_kiss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_lib.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_lib.o: ../cryptlib.h
+p12_mac.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_mac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_mac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_mac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_mac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_mac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_mac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_mac.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_mac.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_mac.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_mac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_mac.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_mac.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_mac.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_mac.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_mac.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_mac.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_mac.o: ../cryptlib.h
+p12_mutl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_mutl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_mutl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_mutl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_mutl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_mutl.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
+p12_mutl.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_mutl.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_mutl.o: ../../include/openssl/opensslconf.h
+p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_mutl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p12_mutl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_mutl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_mutl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_mutl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_mutl.o: ../cryptlib.h
+p12_npas.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_npas.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_npas.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_npas.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_npas.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_npas.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_npas.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_npas.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+p12_npas.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+p12_npas.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_npas.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_npas.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_npas.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_npas.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_npas.o: ../../include/openssl/x509_vfy.h
+p12_sbag.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_sbag.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_sbag.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_sbag.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_sbag.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_sbag.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_sbag.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_sbag.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_sbag.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_sbag.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_sbag.o: ../../include/openssl/opensslconf.h
+p12_sbag.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_sbag.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_sbag.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_sbag.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_sbag.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_sbag.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_sbag.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_utl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_utl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_utl.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_utl.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_utl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk12err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk12err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk12err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pk12err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk12err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk12err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk12err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk12err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk12err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+pk12err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+pk12err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk12err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk12err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk12err.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk12err.o: ../../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl
new file mode 100644
index 0000000..ea97ab0
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl
@@ -0,0 +1,363 @@
+#
+# SSLeay/crypto/pkcs12/Makefile
+#
+
+DIR=	pkcs12
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c p12_decr.c \
+	p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c p12_mutl.c\
+	p12_sbag.c p12_utl.c p12_npas.c pk12err.c
+LIBOBJ= p12_add.o p12_attr.o p12_bags.o p12_crpt.o p12_crt.o p12_decr.o \
+	p12_init.o p12_key.o p12_kiss.o p12_lib.o p12_mac.o p12_mutl.o\
+	p12_sbag.o p12_utl.o p12_npas.o pk12err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  pkcs12.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+p12_add.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_add.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_add.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_add.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_add.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_add.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_add.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_add.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_add.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_add.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_add.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_add.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_add.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_attr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_attr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_attr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_attr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_attr.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_attr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_bags.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_bags.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_bags.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_bags.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_bags.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_bags.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_bags.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_bags.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_bags.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_bags.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_bags.o: ../../include/openssl/opensslconf.h
+p12_bags.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_bags.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_bags.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_bags.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_bags.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_bags.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_bags.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_crpt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crpt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_crpt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_crpt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crpt.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_crt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_crt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_crt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_crt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_crt.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_crt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_crt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_crt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_crt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_crt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crt.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_crt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_decr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_decr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_decr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_decr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_decr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_decr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_decr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_decr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_decr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_decr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_decr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_decr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_decr.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_decr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_init.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_init.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_init.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_init.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_init.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_init.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_init.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_init.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_init.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_key.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_key.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_key.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_key.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_key.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_kiss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_kiss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_kiss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_kiss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_kiss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_kiss.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_kiss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_kiss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_kiss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_kiss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_kiss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_kiss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_kiss.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_kiss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_lib.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_lib.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_lib.o: ../cryptlib.h
+p12_mac.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_mac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_mac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_mac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_mac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_mac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_mac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_mac.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_mac.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_mac.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_mac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_mac.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_mac.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_mac.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_mac.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_mac.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_mac.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_mac.o: ../cryptlib.h
+p12_mutl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_mutl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_mutl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_mutl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_mutl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_mutl.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
+p12_mutl.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_mutl.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_mutl.o: ../../include/openssl/opensslconf.h
+p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_mutl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p12_mutl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+p12_mutl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+p12_mutl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_mutl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_mutl.o: ../cryptlib.h
+p12_npas.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_npas.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_npas.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_npas.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_npas.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_npas.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_npas.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_npas.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+p12_npas.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+p12_npas.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_npas.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_npas.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_npas.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_npas.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_npas.o: ../../include/openssl/x509_vfy.h
+p12_sbag.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+p12_sbag.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p12_sbag.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_sbag.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_sbag.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_sbag.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+p12_sbag.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_sbag.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+p12_sbag.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+p12_sbag.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+p12_sbag.o: ../../include/openssl/opensslconf.h
+p12_sbag.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_sbag.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_sbag.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_sbag.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_sbag.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_sbag.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_sbag.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_utl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_utl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p12_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_utl.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_utl.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_utl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk12err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk12err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk12err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pk12err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk12err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk12err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk12err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk12err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk12err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+pk12err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+pk12err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk12err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk12err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk12err.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk12err.o: ../../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/crypto/pkcs12/p12_add.c b/crypto/openssl/crypto/pkcs12/p12_add.c
new file mode 100644
index 0000000..d045cbb
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_add.c
@@ -0,0 +1,216 @@
+/* p12_add.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Pack an object into an OCTET STRING and turn into a safebag */
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag (char *obj, int (*i2d)(), int nid1,
+	     int nid2)
+{
+	PKCS12_BAGS *bag;
+	PKCS12_SAFEBAG *safebag;
+	if (!(bag = PKCS12_BAGS_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	bag->type = OBJ_nid2obj(nid1);
+	if (!ASN1_pack_string(obj, i2d, &bag->value.octet)) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	if (!(safebag = PKCS12_SAFEBAG_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	safebag->value.bag = bag;
+	safebag->type = OBJ_nid2obj(nid2);
+	return safebag;
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG (PKCS8_PRIV_KEY_INFO *p8)
+{
+	PKCS12_SAFEBAG *bag;
+	if (!(bag = PKCS12_SAFEBAG_new())) {
+		PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	bag->type = OBJ_nid2obj(NID_keyBag);
+	bag->value.keybag = p8;
+	return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG (int pbe_nid, const char *pass,
+	     int passlen, unsigned char *salt, int saltlen, int iter,
+	     PKCS8_PRIV_KEY_INFO *p8)
+{
+	PKCS12_SAFEBAG *bag;
+
+	/* Set up the safe bag */
+	if (!(bag = PKCS12_SAFEBAG_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+	if (!(bag->value.shkeybag = 
+	  PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter,
+									 p8))) {
+		PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	return bag;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
+PKCS7 *PKCS12_pack_p7data (STACK *sk)
+{
+	PKCS7 *p7;
+	if (!(p7 = PKCS7_new())) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	p7->type = OBJ_nid2obj(NID_pkcs7_data);
+	if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	
+	if (!ASN1_seq_pack(sk, i2d_PKCS12_SAFEBAG, &p7->d.data->data,
+					&p7->d.data->length)) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
+		return NULL;
+	}
+	return p7;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
+
+PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
+	     unsigned char *salt, int saltlen, int iter, STACK *bags)
+{
+	PKCS7 *p7;
+	X509_ALGOR *pbe;
+	if (!(p7 = PKCS7_new())) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	if(!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
+				PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
+		return NULL;
+	}
+	if (!(pbe = PKCS5_pbe_set (pbe_nid, iter, salt, saltlen))) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
+	p7->d.encrypted->enc_data->algorithm = pbe;
+	M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
+	if (!(p7->d.encrypted->enc_data->enc_data =
+	PKCS12_i2d_encrypt (pbe, i2d_PKCS12_SAFEBAG, pass, passlen,
+				 (char *)bags, 1))) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
+		return NULL;
+	}
+
+	return p7;
+}
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+			 const char *pass, int passlen,
+			 unsigned char *salt, int saltlen, int iter,
+						PKCS8_PRIV_KEY_INFO *p8inf)
+{
+	X509_SIG *p8;
+	X509_ALGOR *pbe;
+
+	if (!(p8 = X509_SIG_new())) {
+		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+	else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+	if(!pbe) {
+		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
+		goto err;
+	}
+	X509_ALGOR_free(p8->algor);
+	p8->algor = pbe;
+	M_ASN1_OCTET_STRING_free(p8->digest);
+	if (!(p8->digest = 
+	PKCS12_i2d_encrypt (pbe, i2d_PKCS8_PRIV_KEY_INFO, pass, passlen,
+						 (char *)p8inf, 0))) {
+		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+		goto err;
+	}
+
+	return p8;
+
+	err:
+	X509_SIG_free(p8);
+	return NULL;
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_attr.c b/crypto/openssl/crypto/pkcs12/p12_attr.c
new file mode 100644
index 0000000..f559351
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_attr.c
@@ -0,0 +1,238 @@
+/* p12_attr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Add a local keyid to a safebag */
+
+int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
+	     int namelen)
+{
+	X509_ATTRIBUTE *attrib;
+	ASN1_BMPSTRING *oct;
+	ASN1_TYPE *keyid;
+	if (!(keyid = ASN1_TYPE_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	keyid->type = V_ASN1_OCTET_STRING;
+	if (!(oct = M_ASN1_OCTET_STRING_new())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if (!M_ASN1_OCTET_STRING_set(oct, name, namelen)) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	keyid->value.octet_string = oct;
+	if (!(attrib = X509_ATTRIBUTE_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	attrib->object = OBJ_nid2obj(NID_localKeyID);
+	if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_ASN1_TYPE_push (attrib->value.set,keyid);
+	attrib->set = 1;
+	if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+	return 1;
+}
+
+/* Add key usage to PKCS#8 structure */
+
+int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
+{
+	X509_ATTRIBUTE *attrib;
+	ASN1_BIT_STRING *bstr;
+	ASN1_TYPE *keyid;
+	unsigned char us_val;
+	us_val = (unsigned char) usage;
+	if (!(keyid = ASN1_TYPE_new ())) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	keyid->type = V_ASN1_BIT_STRING;
+	if (!(bstr = M_ASN1_BIT_STRING_new())) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if (!M_ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	keyid->value.bit_string = bstr;
+	if (!(attrib = X509_ATTRIBUTE_new ())) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	attrib->object = OBJ_nid2obj(NID_key_usage);
+	if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_ASN1_TYPE_push (attrib->value.set,keyid);
+	attrib->set = 1;
+	if (!p8->attributes
+	    && !(p8->attributes = sk_X509_ATTRIBUTE_new (NULL))) {
+		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_X509_ATTRIBUTE_push (p8->attributes, attrib);
+	return 1;
+}
+
+/* Add a friendlyname to a safebag */
+
+int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
+				 int namelen)
+{
+	unsigned char *uniname;
+	int ret, unilen;
+	if (!asc2uni(name, &uniname, &unilen)) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	ret = PKCS12_add_friendlyname_uni (bag, uniname, unilen);
+	Free(uniname);
+	return ret;
+}
+	
+
+int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
+				 const unsigned char *name, int namelen)
+{
+	X509_ATTRIBUTE *attrib;
+	ASN1_BMPSTRING *bmp;
+	ASN1_TYPE *fname;
+	/* Zap ending double null if included */
+	if(!name[namelen - 1] && !name[namelen - 2]) namelen -= 2;
+	if (!(fname = ASN1_TYPE_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	fname->type = V_ASN1_BMPSTRING;
+	if (!(bmp = M_ASN1_BMPSTRING_new())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if (!(bmp->data = Malloc (namelen))) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	memcpy (bmp->data, name, namelen);
+	bmp->length = namelen;
+	fname->value.bmpstring = bmp;
+	if (!(attrib = X509_ATTRIBUTE_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	attrib->object = OBJ_nid2obj(NID_friendlyName);
+	if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_ASN1_TYPE_push (attrib->value.set,fname);
+	attrib->set = 1;
+	if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+							ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+	return PKCS12_OK;
+}
+
+ASN1_TYPE *PKCS12_get_attr_gen (STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
+{
+	X509_ATTRIBUTE *attrib;
+	int i;
+	if (!attrs) return NULL;
+	for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
+		attrib = sk_X509_ATTRIBUTE_value (attrs, i);
+		if (OBJ_obj2nid (attrib->object) == attr_nid) {
+			if (sk_ASN1_TYPE_num (attrib->value.set))
+			    return sk_ASN1_TYPE_value(attrib->value.set, 0);
+			else return NULL;
+		}
+	}
+	return NULL;
+}
+
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
+{
+	ASN1_TYPE *atype;
+	if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL;
+	if (atype->type != V_ASN1_BMPSTRING) return NULL;
+	return uni2asc(atype->value.bmpstring->data,
+				 atype->value.bmpstring->length);
+}
+
diff --git a/crypto/openssl/crypto/pkcs12/p12_bags.c b/crypto/openssl/crypto/pkcs12/p12_bags.c
new file mode 100644
index 0000000..c358b06
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_bags.c
@@ -0,0 +1,192 @@
+/* p12_bags.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/pkcs12.h>
+
+int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp)
+{
+	int bagnid, v = 0;
+	M_ASN1_I2D_vars(a);
+	bagnid = OBJ_obj2nid (a->type);
+	M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
+	
+	switch (bagnid) {
+
+		case NID_x509Certificate:
+			M_ASN1_I2D_len_EXP_opt (a->value.x509cert,
+						 i2d_ASN1_OCTET_STRING, 0, v);
+		break;
+
+		case NID_x509Crl:
+			M_ASN1_I2D_len_EXP_opt (a->value.x509crl,
+						 i2d_ASN1_OCTET_STRING, 0, v);
+		break;
+
+		case NID_sdsiCertificate:
+			M_ASN1_I2D_len_EXP_opt (a->value.sdsicert,
+						 i2d_ASN1_IA5STRING, 0, v);
+		break;
+
+		default:
+			M_ASN1_I2D_len_EXP_opt (a->value.other,
+						 i2d_ASN1_TYPE, 0, v);
+		break;
+	}
+
+	M_ASN1_I2D_seq_total ();
+	
+	M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
+	
+	switch (bagnid) {
+
+		case NID_x509Certificate:
+			M_ASN1_I2D_put_EXP_opt (a->value.x509cert,
+						 i2d_ASN1_OCTET_STRING, 0, v);
+		break;
+
+		case NID_x509Crl:
+			M_ASN1_I2D_put_EXP_opt (a->value.x509crl,
+						 i2d_ASN1_OCTET_STRING, 0, v);
+		break;
+
+		case NID_sdsiCertificate:
+			M_ASN1_I2D_put_EXP_opt (a->value.sdsicert,
+						 i2d_ASN1_IA5STRING, 0, v);
+		break;
+
+		default:
+		M_ASN1_I2D_put_EXP_opt (a->value.other, i2d_ASN1_TYPE, 0, v);
+		break;
+	}
+	M_ASN1_I2D_finish();
+}
+
+PKCS12_BAGS *PKCS12_BAGS_new(void)
+{
+	PKCS12_BAGS *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKCS12_BAGS);
+	ret->type=NULL;
+	ret->value.other=NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PKCS12_BAGS_NEW);
+}
+
+PKCS12_BAGS *d2i_PKCS12_BAGS(PKCS12_BAGS **a, unsigned char **pp,
+	     long length)
+{
+	int bagnid;
+	M_ASN1_D2I_vars(a,PKCS12_BAGS *,PKCS12_BAGS_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
+	bagnid = OBJ_obj2nid (ret->type);
+	switch (bagnid) {
+
+		case NID_x509Certificate:
+			M_ASN1_D2I_get_EXP_opt (ret->value.x509cert,
+						 d2i_ASN1_OCTET_STRING, 0);
+		break;
+
+		case NID_x509Crl:
+			M_ASN1_D2I_get_EXP_opt (ret->value.x509crl,
+						 d2i_ASN1_OCTET_STRING, 0);
+		break;
+
+		case NID_sdsiCertificate:
+			M_ASN1_D2I_get_EXP_opt (ret->value.sdsicert,
+						 d2i_ASN1_IA5STRING, 0);
+		break;
+
+		default:
+			M_ASN1_D2I_get_EXP_opt (ret->value.other,
+							 d2i_ASN1_TYPE, 0);
+		break;
+	}
+
+	M_ASN1_D2I_Finish(a, PKCS12_BAGS_free, ASN1_F_D2I_PKCS12_BAGS);
+}
+
+void PKCS12_BAGS_free (PKCS12_BAGS *a)
+{
+	if (a == NULL) return;
+	switch (OBJ_obj2nid(a->type)) {
+
+		case NID_x509Certificate:
+			M_ASN1_OCTET_STRING_free (a->value.x509cert);
+		break;
+
+		case NID_x509Crl:
+			M_ASN1_OCTET_STRING_free (a->value.x509crl);
+		break;
+
+		case NID_sdsiCertificate:
+			M_ASN1_IA5STRING_free (a->value.sdsicert);
+		break;
+
+		default:
+			ASN1_TYPE_free (a->value.other);
+		break;
+	}
+
+	ASN1_OBJECT_free (a->type);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_crpt.c b/crypto/openssl/crypto/pkcs12/p12_crpt.c
new file mode 100644
index 0000000..7b96584
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_crpt.c
@@ -0,0 +1,124 @@
+/* p12_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 specific PBE functions */
+
+void PKCS12_PBE_add(void)
+{
+#ifndef NO_RC4
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
+							 PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
+							 PKCS12_PBE_keyivgen);
+#endif
+#ifndef NO_DES
+EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+		 	EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 
+			EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+#endif
+#ifndef NO_RC2
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
+					EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
+					EVP_sha1(), PKCS12_PBE_keyivgen);
+#endif
+}
+
+int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+		ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de)
+{
+	PBEPARAM *pbe;
+	int saltlen, iter;
+	unsigned char *salt, *pbuf;
+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+
+	/* Extract useful info from parameter */
+	pbuf = param->value.sequence->data;
+	if (!param || (param->type != V_ASN1_SEQUENCE) ||
+	   !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+		EVPerr(PKCS12_F_PKCS12_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
+	if (!pbe->iter) iter = 1;
+	else iter = ASN1_INTEGER_get (pbe->iter);
+	salt = pbe->salt->data;
+	saltlen = pbe->salt->length;
+	if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+			     iter, EVP_CIPHER_key_length(cipher), key, md)) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_KEY_GEN_ERROR);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
+				iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_IV_GEN_ERROR);
+		PBEPARAM_free(pbe);
+		return 0;
+	}
+	PBEPARAM_free(pbe);
+	EVP_CipherInit(ctx, cipher, key, iv, en_de);
+	memset(key, 0, EVP_MAX_KEY_LENGTH);
+	memset(iv, 0, EVP_MAX_IV_LENGTH);
+	return 1;
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_crt.c b/crypto/openssl/crypto/pkcs12/p12_crt.c
new file mode 100644
index 0000000..ee8aed5
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_crt.c
@@ -0,0 +1,159 @@
+/* p12_crt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+	     STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
+	     int keytype)
+{
+	PKCS12 *p12;
+	STACK *bags, *safes;
+	PKCS12_SAFEBAG *bag;
+	PKCS8_PRIV_KEY_INFO *p8;
+	PKCS7 *authsafe;
+	X509 *tcert;
+	int i;
+	unsigned char keyid[EVP_MAX_MD_SIZE];
+	unsigned int keyidlen;
+
+	/* Set defaults */
+	if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+	if(!iter) iter = PKCS12_DEFAULT_ITER;
+	if(!mac_iter) mac_iter = 1;
+
+	if(!pkey || !cert) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+
+	if(!(bags = sk_new (NULL))) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	/* Add user certificate */
+	if(!(bag = M_PKCS12_x5092certbag(cert))) return NULL;
+	if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
+	X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+	if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+
+	if(!sk_push(bags, (char *)bag)) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	
+	/* Add all other certificates */
+	if(ca) {
+		for(i = 0; i < sk_X509_num(ca); i++) {
+			tcert = sk_X509_value(ca, i);
+			if(!(bag = M_PKCS12_x5092certbag(tcert))) return NULL;
+			if(!sk_push(bags, (char *)bag)) {
+				PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+				return NULL;
+			}
+		}
+	}
+
+	/* Turn certbags into encrypted authsafe */
+	authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
+					  iter, bags);
+	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+
+	if (!authsafe) return NULL;
+
+	if(!(safes = sk_new (NULL)) || !sk_push(safes, (char *)authsafe)) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	/* Make a shrouded key bag */
+	if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
+	if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
+	bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
+	if(!bag) return NULL;
+	PKCS8_PRIV_KEY_INFO_free(p8);
+        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
+	if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
+	if(!(bags = sk_new(NULL)) || !sk_push (bags, (char *)bag)) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	/* Turn it into unencrypted safe bag */
+	if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
+	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	if(!sk_push(safes, (char *)authsafe)) {
+		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+
+	if(!M_PKCS12_pack_authsafes (p12, safes)) return NULL;
+
+	sk_pop_free(safes, PKCS7_free);
+
+	if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
+	    return NULL;
+
+	return p12;
+
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_decr.c b/crypto/openssl/crypto/pkcs12/p12_decr.c
new file mode 100644
index 0000000..4be44ea
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_decr.c
@@ -0,0 +1,185 @@
+/* p12_decr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Define this to dump decrypted output to files called DERnnn */
+/*#define DEBUG_DECRYPT*/
+
+
+/* Encrypt/Decrypt a buffer based on password and algor, result in a
+ * Malloc'ed buffer
+ */
+
+unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
+	     int passlen, unsigned char *in, int inlen, unsigned char **data,
+	     int *datalen, int en_de)
+{
+	unsigned char *out;
+	int outlen, i;
+	EVP_CIPHER_CTX ctx;
+
+	/* Decrypt data */
+        if (!EVP_PBE_CipherInit (algor->algorithm, pass, passlen,
+					 algor->parameter, &ctx, en_de)) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
+		return NULL;
+	}
+
+	if(!(out = Malloc (inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	EVP_CipherUpdate (&ctx, out, &i, in, inlen);
+	outlen = i;
+	if(!EVP_CipherFinal (&ctx, out + i, &i)) {
+		Free (out);
+		PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
+		return NULL;
+	}
+	outlen += i;
+	if (datalen) *datalen = outlen;
+	if (data) *data = out;
+	return out;
+
+}
+
+/* Decrypt an OCTET STRING and decode ASN1 structure 
+ * if seq & 1 'obj' is a stack of structures to be encoded
+ * if seq & 2 zero buffer after use
+ * as a sequence.
+ */
+
+char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
+	     void (*free_func)(), const char *pass, int passlen,
+	     ASN1_OCTET_STRING *oct, int seq)
+{
+	unsigned char *out, *p;
+	char *ret;
+	int outlen;
+
+	if (!PKCS12_pbe_crypt (algor, pass, passlen, oct->data, oct->length,
+			       &out, &outlen, 0)) {
+		PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+		return NULL;
+	}
+	p = out;
+#ifdef DEBUG_DECRYPT
+	{
+		FILE *op;
+
+		char fname[30];
+		static int fnm = 1;
+		sprintf(fname, "DER%d", fnm++);
+		op = fopen(fname, "wb");
+		fwrite (p, 1, outlen, op);
+		fclose(op);
+	}
+#endif
+	if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
+				free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+	else ret = d2i(NULL, &p, outlen);
+	if (seq & 2) memset(out, 0, outlen);
+	if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
+	Free (out);
+	return ret;
+}
+
+/* Encode ASN1 structure and encrypt, return OCTET STRING 
+ * if 'seq' is non-zero 'obj' is a stack of structures to be encoded
+ * as a sequence
+ */
+
+ASN1_OCTET_STRING *PKCS12_i2d_encrypt (X509_ALGOR *algor, int (*i2d)(),
+				       const char *pass, int passlen,
+				       char *obj, int seq)
+{
+	ASN1_OCTET_STRING *oct;
+	unsigned char *in, *p;
+	int inlen;
+	if (!(oct = M_ASN1_OCTET_STRING_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	if (seq) inlen = i2d_ASN1_SET((STACK *)obj, NULL, i2d, V_ASN1_SEQUENCE,
+						 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	else inlen = i2d (obj, NULL);
+	if (!inlen) {
+		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
+		return NULL;
+	}
+	if (!(in = Malloc (inlen))) {
+		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	p = in;
+	if (seq) i2d_ASN1_SET((STACK *)obj, &p, i2d, V_ASN1_SEQUENCE,
+						 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	else i2d (obj, &p);
+	if (!PKCS12_pbe_crypt (algor, pass, passlen, in, inlen, &oct->data,
+				 &oct->length, 1)) {
+		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
+		Free(in);
+		return NULL;
+	}
+	Free (in);
+	return oct;
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_init.c b/crypto/openssl/crypto/pkcs12/p12_init.c
new file mode 100644
index 0000000..d5d4884
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_init.c
@@ -0,0 +1,98 @@
+/* p12_init.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Initialise a PKCS12 structure to take data */
+
+PKCS12 *PKCS12_init (int mode)
+{
+	PKCS12 *pkcs12;
+	if (!(pkcs12 = PKCS12_new())) {
+		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	if (!(pkcs12->version = M_ASN1_INTEGER_new ())) {
+		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	ASN1_INTEGER_set(pkcs12->version, 3);
+	if (!(pkcs12->authsafes = PKCS7_new())) {
+		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	pkcs12->authsafes->type = OBJ_nid2obj(mode);
+	switch (mode) {
+		case NID_pkcs7_data:
+			if (!(pkcs12->authsafes->d.data =
+				 M_ASN1_OCTET_STRING_new())) {
+			PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+		break;
+		default:
+			PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+			PKCS12_free(pkcs12);
+			return NULL;
+		break;
+	}
+		
+	return pkcs12;
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c
new file mode 100644
index 0000000..b364671
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_key.c
@@ -0,0 +1,189 @@
+/* p12_key.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+
+/* Uncomment out this line to get debugging info about key generation */
+/*#define DEBUG_KEYGEN*/
+#ifdef DEBUG_KEYGEN
+#include <openssl/bio.h>
+extern BIO *bio_err;
+void h__dump (unsigned char *p, int len);
+#endif
+
+/* PKCS12 compatible key/IV generation */
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+int PKCS12_key_gen_asc (const char *pass, int passlen, unsigned char *salt,
+	     int saltlen, int id, int iter, int n, unsigned char *out,
+	     const EVP_MD *md_type)
+{
+	int ret;
+	unsigned char *unipass;
+	int uniplen;
+	if (!asc2uni (pass, &unipass, &uniplen)) {
+		PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	ret = PKCS12_key_gen_uni (unipass, uniplen, salt, saltlen,
+						 id, iter, n, out, md_type);
+	memset(unipass, 0, uniplen);	/* Clear password from memory */
+	Free(unipass);
+	return ret;
+}
+
+int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
+	     int saltlen, int id, int iter, int n, unsigned char *out,
+	     const EVP_MD *md_type)
+{
+	unsigned char *B, *D, *I, *p, *Ai;
+	int Slen, Plen, Ilen;
+	int i, j, u, v;
+	BIGNUM *Ij, *Bpl1;	/* These hold Ij and B + 1 */
+	EVP_MD_CTX ctx;
+#ifdef  DEBUG_KEYGEN
+	unsigned char *tmpout = out;
+	int tmpn = n;
+#endif
+
+	if (!pass) {
+		PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+#ifdef  DEBUG_KEYGEN
+	fprintf(stderr, "KEYGEN DEBUG\n");
+	fprintf(stderr, "ID %d, ITER %d\n", id, iter);
+	fprintf(stderr, "Password (length %d):\n", passlen);
+	h__dump(pass, passlen);
+	fprintf(stderr, "Salt (length %d):\n", saltlen);
+	h__dump(salt, saltlen);
+#endif
+	v = EVP_MD_block_size (md_type);
+	u = EVP_MD_size (md_type);
+	D = Malloc (v);
+	Ai = Malloc (u);
+	B = Malloc (v + 1);
+	Slen = v * ((saltlen+v-1)/v);
+	Plen = v * ((passlen+v-1)/v);
+	Ilen = Slen + Plen;
+	I = Malloc (Ilen);
+	Ij = BN_new();
+	Bpl1 = BN_new();
+	if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
+		PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	for (i = 0; i < v; i++) D[i] = id;
+	p = I;
+	for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
+	for (i = 0; i < Plen; i++) *p++ = pass[i % passlen];
+	for (;;) {
+		EVP_DigestInit (&ctx, md_type);
+		EVP_DigestUpdate (&ctx, D, v);
+		EVP_DigestUpdate (&ctx, I, Ilen);
+		EVP_DigestFinal (&ctx, Ai, NULL);
+		for (j = 1; j < iter; j++) {
+			EVP_DigestInit (&ctx, md_type);
+			EVP_DigestUpdate (&ctx, Ai, u);
+			EVP_DigestFinal (&ctx, Ai, NULL);
+		}
+		memcpy (out, Ai, min (n, u));
+		if (u >= n) {
+			Free (Ai);
+			Free (B);
+			Free (D);
+			Free (I);
+			BN_free (Ij);
+			BN_free (Bpl1);
+#ifdef DEBUG_KEYGEN
+			fprintf(stderr, "Output KEY (length %d)\n", tmpn);
+			h__dump(tmpout, tmpn);
+#endif
+			return 1;	
+		}
+		n -= u;
+		out += u;
+		for (j = 0; j < v; j++) B[j] = Ai[j % u];
+		/* Work out B + 1 first then can use B as tmp space */
+		BN_bin2bn (B, v, Bpl1);
+		BN_add_word (Bpl1, 1);
+		for (j = 0; j < Ilen ; j+=v) {
+			BN_bin2bn (I + j, v, Ij);
+			BN_add (Ij, Ij, Bpl1);
+			BN_bn2bin (Ij, B);
+			/* If more than 2^(v*8) - 1 cut off MSB */
+			if (BN_num_bytes (Ij) > v) {
+				BN_bn2bin (Ij, B);
+				memcpy (I + j, B + 1, v);
+			} else BN_bn2bin (Ij, I + j);
+		}
+	}
+}
+#ifdef DEBUG_KEYGEN
+void h__dump (unsigned char *p, int len)
+{
+	for (; len --; p++) fprintf(stderr, "%02X", *p);
+	fprintf(stderr, "\n");	
+}
+#endif
diff --git a/crypto/openssl/crypto/pkcs12/p12_kiss.c b/crypto/openssl/crypto/pkcs12/p12_kiss.c
new file mode 100644
index 0000000..ee257ff
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_kiss.c
@@ -0,0 +1,254 @@
+/* p12_kiss.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Simplified PKCS#12 routines */
+
+static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
+		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
+
+static int parse_bags( STACK *bags, const char *pass, int passlen,
+		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+		ASN1_OCTET_STRING **keyid, char *keymatch);
+
+static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+			EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+			ASN1_OCTET_STRING **keyid, char *keymatch);
+
+/* Parse and decrypt a PKCS#12 structure returning user key, user cert
+ * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
+ * or it should point to a valid STACK structure. pkey and cert can be
+ * passed unitialised.
+ */
+
+int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+	     STACK_OF(X509) **ca)
+{
+
+	/* Check for NULL PKCS12 structure */
+
+	if(!p12)
+		{
+		PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+		return 0;
+		}
+
+	/* Allocate stack for ca certificates if needed */
+	if ((ca != NULL) && (*ca == NULL))
+		{
+		if (!(*ca = sk_X509_new(NULL)))
+			{
+			PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		}
+
+	if(pkey) *pkey = NULL;
+	if(cert) *cert = NULL;
+
+	/* Check the mac */
+
+	if (!PKCS12_verify_mac (p12, pass, -1))
+		{
+		PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE);
+		goto err;
+		}
+
+	if (!parse_pk12 (p12, pass, -1, pkey, cert, ca))
+		{
+		PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
+		goto err;
+		}
+
+	return 1;
+
+ err:
+
+	if (pkey && *pkey) EVP_PKEY_free (*pkey);
+	if (cert && *cert) X509_free (*cert);
+	if (ca) sk_X509_pop_free (*ca, X509_free);
+	return 0;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+	     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+{
+	STACK *asafes, *bags;
+	int i, bagnid;
+	PKCS7 *p7;
+	ASN1_OCTET_STRING *keyid = NULL;
+	char keymatch = 0;
+	if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+	for (i = 0; i < sk_num (asafes); i++) {
+		p7 = (PKCS7 *) sk_value (asafes, i);
+		bagnid = OBJ_obj2nid (p7->type);
+		if (bagnid == NID_pkcs7_data) {
+			bags = M_PKCS12_unpack_p7data (p7);
+		} else if (bagnid == NID_pkcs7_encrypted) {
+			bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+		} else continue;
+		if (!bags) {
+			sk_pop_free (asafes, PKCS7_free);
+			return 0;
+		}
+	    	if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
+							 &keyid, &keymatch)) {
+			sk_pop_free(bags, PKCS12_SAFEBAG_free);
+			sk_pop_free(asafes, PKCS7_free);
+			return 0;
+		}
+		sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	}
+	sk_pop_free(asafes, PKCS7_free);
+	if (keyid) M_ASN1_OCTET_STRING_free(keyid);
+	return 1;
+}
+
+
+static int parse_bags (STACK *bags, const char *pass, int passlen,
+		       EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+		       ASN1_OCTET_STRING **keyid, char *keymatch)
+{
+	int i;
+	for (i = 0; i < sk_num(bags); i++) {
+		if (!parse_bag((PKCS12_SAFEBAG *)sk_value (bags, i),
+			 pass, passlen, pkey, cert, ca, keyid,
+							 keymatch)) return 0;
+	}
+	return 1;
+}
+
+#define MATCH_KEY  0x1
+#define MATCH_CERT 0x2
+#define MATCH_ALL  0x3
+
+static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+		      EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+		      ASN1_OCTET_STRING **keyid,
+	     char *keymatch)
+{
+	PKCS8_PRIV_KEY_INFO *p8;
+	X509 *x509;
+	ASN1_OCTET_STRING *lkey = NULL;
+	ASN1_TYPE *attrib;
+
+
+	if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
+		    			    lkey = attrib->value.octet_string;
+
+	/* Check for any local key id matching (if needed) */
+	if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
+		if (*keyid) {
+			if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
+		} else {
+			if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
+				PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+				return 0;
+		    }
+		}
+	}
+	
+	switch (M_PKCS12_bag_type(bag))
+	{
+	case NID_keyBag:
+		if (!lkey || !pkey) return 1;	
+		if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0;
+		*keymatch |= MATCH_KEY;
+	break;
+
+	case NID_pkcs8ShroudedKeyBag:
+		if (!lkey || !pkey) return 1;	
+		if (!(p8 = M_PKCS12_decrypt_skey(bag, pass, passlen)))
+				return 0;
+		*pkey = EVP_PKCS82PKEY(p8);
+		PKCS8_PRIV_KEY_INFO_free(p8);
+		if (!(*pkey)) return 0;
+		*keymatch |= MATCH_KEY;
+	break;
+
+	case NID_certBag:
+		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
+								 return 1;
+		if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+		if (lkey) {
+			*keymatch |= MATCH_CERT;
+			if (cert) *cert = x509;
+		} else {
+			if(ca) sk_X509_push (*ca, x509);
+			else X509_free(x509);
+		}
+	break;
+
+	case NID_safeContentsBag:
+		return parse_bags(bag->value.safes, pass, passlen,
+			 		pkey, cert, ca, keyid, keymatch);
+	break;
+
+	default:
+		return 1;
+	break;
+	}
+	return 1;
+}
+
diff --git a/crypto/openssl/crypto/pkcs12/p12_lib.c b/crypto/openssl/crypto/pkcs12/p12_lib.c
new file mode 100644
index 0000000..7ca9c14
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_lib.c
@@ -0,0 +1,111 @@
+/* p12_lib.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/pkcs12.h>
+
+int i2d_PKCS12(PKCS12 *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len (a->authsafes, i2d_PKCS7);
+	M_ASN1_I2D_len (a->mac, i2d_PKCS12_MAC_DATA);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put (a->authsafes, i2d_PKCS7);
+	M_ASN1_I2D_put (a->mac, i2d_PKCS12_MAC_DATA);
+
+	M_ASN1_I2D_finish();
+}
+
+PKCS12 *d2i_PKCS12(PKCS12 **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,PKCS12 *,PKCS12_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get (ret->authsafes, d2i_PKCS7);
+	M_ASN1_D2I_get_opt (ret->mac, d2i_PKCS12_MAC_DATA, V_ASN1_SEQUENCE);
+	M_ASN1_D2I_Finish(a, PKCS12_free, ASN1_F_D2I_PKCS12);
+}
+
+PKCS12 *PKCS12_new(void)
+{
+	PKCS12 *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKCS12);
+	ret->version=NULL;
+	ret->mac=NULL;
+	ret->authsafes=NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PKCS12_NEW);
+}
+
+void PKCS12_free (PKCS12 *a)
+{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	PKCS12_MAC_DATA_free (a->mac);
+	PKCS7_free (a->authsafes);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_mac.c b/crypto/openssl/crypto/pkcs12/p12_mac.c
new file mode 100644
index 0000000..f5ab0d6
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_mac.c
@@ -0,0 +1,110 @@
+/* p12_mac.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/pkcs12.h>
+
+int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+	M_ASN1_I2D_len (a->dinfo, i2d_X509_SIG);
+	M_ASN1_I2D_len (a->salt, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->dinfo, i2d_X509_SIG);
+	M_ASN1_I2D_put (a->salt, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_finish();
+}
+
+PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void)
+{
+	PKCS12_MAC_DATA *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKCS12_MAC_DATA);
+	ret->dinfo = X509_SIG_new();
+	ret->salt = M_ASN1_OCTET_STRING_new();
+	ret->iter = NULL;
+	return(ret);
+	M_ASN1_New_Error(ASN1_F_PKCS12_MAC_DATA_NEW);
+}
+
+PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
+	     long length)
+{
+	M_ASN1_D2I_vars(a,PKCS12_MAC_DATA *,PKCS12_MAC_DATA_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->dinfo, d2i_X509_SIG);
+	M_ASN1_D2I_get(ret->salt, d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_opt(ret->iter, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a, PKCS12_MAC_DATA_free, ASN1_F_D2I_PKCS12_MAC_DATA);
+}
+
+void PKCS12_MAC_DATA_free (PKCS12_MAC_DATA *a)
+{
+	if (a == NULL) return;
+	X509_SIG_free (a->dinfo);
+	M_ASN1_OCTET_STRING_free(a->salt);
+	M_ASN1_INTEGER_free(a->iter);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_mutl.c b/crypto/openssl/crypto/pkcs12/p12_mutl.c
new file mode 100644
index 0000000..369257e
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_mutl.c
@@ -0,0 +1,173 @@
+/* p12_mutl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef NO_HMAC
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/pkcs12.h>
+
+/* Generate a MAC */
+int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
+		    unsigned char *mac, unsigned int *maclen)
+{
+	const EVP_MD *md_type;
+	HMAC_CTX hmac;
+	unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
+	int saltlen, iter;
+	salt = p12->mac->salt->data;
+	saltlen = p12->mac->salt->length;
+	if (!p12->mac->iter) iter = 1;
+	else iter = ASN1_INTEGER_get (p12->mac->iter);
+    	if(!(md_type =
+		 EVP_get_digestbyobj (p12->mac->dinfo->algor->algorithm))) {
+		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
+		return 0;
+	}
+	if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
+				 PKCS12_MAC_KEY_LENGTH, key, md_type)) {
+		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
+		return 0;
+	}
+	HMAC_Init (&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type);
+    	HMAC_Update (&hmac, p12->authsafes->d.data->data,
+					 p12->authsafes->d.data->length);
+    	HMAC_Final (&hmac, mac, maclen);
+	return 1;
+}
+
+/* Verify the mac */
+int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
+{
+	unsigned char mac[EVP_MAX_MD_SIZE];
+	unsigned int maclen;
+	if(p12->mac == NULL) {
+		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
+		return 0;
+	}
+	if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+		return 0;
+	}
+	if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
+	|| memcmp (mac, p12->mac->dinfo->digest->data, maclen)) {
+		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_VERIFY_ERROR);
+		return 0;
+	}
+	return 1;
+}
+
+/* Set a mac */
+
+int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
+	     unsigned char *salt, int saltlen, int iter, EVP_MD *md_type)
+{
+	unsigned char mac[EVP_MAX_MD_SIZE];
+	unsigned int maclen;
+
+	if (!md_type) md_type = EVP_sha1();
+	if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) ==
+				 	PKCS12_ERROR) {
+		PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_SETUP_ERROR);
+		return 0;
+	}
+	if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+		PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+		return 0;
+	}
+	if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
+		PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR);
+						return 0;
+	}
+	return 1;
+}
+
+/* Set up a mac structure */
+int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
+	     EVP_MD *md_type)
+{
+	if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR;
+	if (iter > 1) {
+		if(!(p12->mac->iter = M_ASN1_INTEGER_new())) {
+			PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		ASN1_INTEGER_set(p12->mac->iter, iter);
+	}
+	if (!saltlen) saltlen = PKCS12_SALT_LEN;
+	p12->mac->salt->length = saltlen;
+	if (!(p12->mac->salt->data = Malloc (saltlen))) {
+		PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if (!salt) {
+		if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0)
+			return 0;
+	}
+	else memcpy (p12->mac->salt->data, salt, saltlen);
+	p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
+	if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
+		PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
+	
+	return 1;
+}
+#endif
diff --git a/crypto/openssl/crypto/pkcs12/p12_npas.c b/crypto/openssl/crypto/pkcs12/p12_npas.c
new file mode 100644
index 0000000..ee71707
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_npas.c
@@ -0,0 +1,212 @@
+/* p12_npas.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 password change routine */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass);
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
+
+/* 
+ * Change the password on a PKCS#12 structure.
+ */
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
+{
+
+/* Check for NULL PKCS12 structure */
+
+if(!p12) {
+	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+	return 0;
+}
+
+/* Check the mac */
+
+if (!PKCS12_verify_mac(p12, oldpass, -1)) {
+	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
+	return 0;
+}
+
+if (!newpass_p12(p12, oldpass, newpass)) {
+	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
+	return 0;
+}
+
+return 1;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
+{
+	STACK *asafes, *newsafes, *bags;
+	int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+	PKCS7 *p7, *p7new;
+	ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
+	unsigned char mac[EVP_MAX_MD_SIZE];
+	unsigned int maclen;
+	if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;
+	if(!(newsafes = sk_new(NULL))) return 0;
+	for (i = 0; i < sk_num (asafes); i++) {
+		p7 = (PKCS7 *) sk_value(asafes, i);
+		bagnid = OBJ_obj2nid(p7->type);
+		if (bagnid == NID_pkcs7_data) {
+			bags = M_PKCS12_unpack_p7data(p7);
+		} else if (bagnid == NID_pkcs7_encrypted) {
+			bags = M_PKCS12_unpack_p7encdata(p7, oldpass, -1);
+			alg_get(p7->d.encrypted->enc_data->algorithm,
+				&pbe_nid, &pbe_iter, &pbe_saltlen);
+		} else continue;
+		if (!bags) {
+			sk_pop_free(asafes, PKCS7_free);
+			return 0;
+		}
+	    	if (!newpass_bags(bags, oldpass, newpass)) {
+			sk_pop_free(bags, PKCS12_SAFEBAG_free);
+			sk_pop_free(asafes, PKCS7_free);
+			return 0;
+		}
+		/* Repack bag in same form with new password */
+		if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags);
+		else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL,
+						 pbe_saltlen, pbe_iter, bags);
+		sk_pop_free(bags, PKCS12_SAFEBAG_free);
+		if(!p7new) {
+			sk_pop_free(asafes, PKCS7_free);
+			return 0;
+		}
+		sk_push(newsafes, (char *)p7new);
+	}
+	sk_pop_free(asafes, PKCS7_free);
+
+	/* Repack safe: save old safe in case of error */
+
+	p12_data_tmp = p12->authsafes->d.data;
+	if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr;
+	if(!M_PKCS12_pack_authsafes(p12, newsafes)) goto saferr;
+
+	if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr;
+	if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr;
+	if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr;
+	ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
+	p12->mac->dinfo->digest = macnew;
+	ASN1_OCTET_STRING_free(p12_data_tmp);
+
+	return 1;
+
+	saferr:
+	/* Restore old safe */
+	ASN1_OCTET_STRING_free(p12->authsafes->d.data);
+	ASN1_OCTET_STRING_free(macnew);
+	p12->authsafes->d.data = p12_data_tmp;
+	return 0;
+
+}
+
+
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass)
+{
+	int i;
+	for (i = 0; i < sk_num(bags); i++) {
+		if (!newpass_bag((PKCS12_SAFEBAG *)sk_value(bags, i),
+						 oldpass, newpass)) return 0;
+	}
+	return 1;
+}
+
+/* Change password of safebag: only needs handle shrouded keybags */
+
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
+{
+	PKCS8_PRIV_KEY_INFO *p8;
+	X509_SIG *p8new;
+	int p8_nid, p8_saltlen, p8_iter;
+
+	if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;
+
+	if (!(p8 = M_PKCS12_decrypt_skey(bag, oldpass, -1))) return 0;
+	alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen);
+	if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
+						     p8_iter, p8))) return 0;
+	X509_SIG_free(bag->value.shkeybag);
+	bag->value.shkeybag = p8new;
+	return 1;
+}
+
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
+{
+        PBEPARAM *pbe;
+        unsigned char *p;
+        p = alg->parameter->value.sequence->data;
+        pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
+        *pnid = OBJ_obj2nid(alg->algorithm);
+	*piter = ASN1_INTEGER_get(pbe->iter);
+	*psaltlen = pbe->salt->length;
+        PBEPARAM_free(pbe);
+        return 0;
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_sbag.c b/crypto/openssl/crypto/pkcs12/p12_sbag.c
new file mode 100644
index 0000000..1b3adde
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_sbag.c
@@ -0,0 +1,227 @@
+/* p12_sbag.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/pkcs12.h>
+
+int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **pp)
+{
+	int bagnid, v = 0;
+	M_ASN1_I2D_vars(a);
+	bagnid = OBJ_obj2nid (a->type);
+	M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
+	
+	switch (bagnid) {
+
+		case NID_keyBag:
+			M_ASN1_I2D_len_EXP_opt (a->value.keybag,
+						 i2d_PKCS8_PRIV_KEY_INFO, 0, v);
+		break;
+
+		case NID_pkcs8ShroudedKeyBag:
+			M_ASN1_I2D_len_EXP_opt (a->value.shkeybag,
+						 i2d_X509_SIG, 0, v);
+		break;
+
+		case NID_safeContentsBag:
+			M_ASN1_I2D_len_EXP_SEQUENCE_opt (a->value.safes,
+				 i2d_PKCS12_SAFEBAG, 0, V_ASN1_SEQUENCE, v);
+		break;
+
+		case NID_certBag:
+		case NID_crlBag:
+		case NID_secretBag:
+			M_ASN1_I2D_len_EXP_opt (a->value.bag,
+						 i2d_PKCS12_BAGS, 0, v);
+		break;
+
+		default:
+			M_ASN1_I2D_len_EXP_opt (a->value.other,
+						 i2d_ASN1_TYPE, 0, v);
+		break;
+	}
+
+	M_ASN1_I2D_len_SET_type (X509_ATTRIBUTE,a->attrib, i2d_X509_ATTRIBUTE);
+
+	M_ASN1_I2D_seq_total ();
+	
+	M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
+
+	switch (bagnid) {
+
+		case NID_keyBag:
+			M_ASN1_I2D_put_EXP_opt (a->value.keybag,
+						 i2d_PKCS8_PRIV_KEY_INFO, 0, v);
+		break;
+
+		case NID_pkcs8ShroudedKeyBag:
+			M_ASN1_I2D_put_EXP_opt (a->value.shkeybag,
+						 i2d_X509_SIG, 0, v);
+		break;
+
+		case NID_safeContentsBag:
+			M_ASN1_I2D_put_EXP_SEQUENCE_opt (a->value.safes,
+				 i2d_PKCS12_SAFEBAG, 0, V_ASN1_SEQUENCE, v);
+		break;
+
+		case NID_certBag:
+		case NID_crlBag:
+		case NID_secretBag:
+			M_ASN1_I2D_put_EXP_opt (a->value.bag,
+						 i2d_PKCS12_BAGS, 0, v);
+		break;
+
+		default:
+			M_ASN1_I2D_put_EXP_opt (a->value.other,
+						 i2d_ASN1_TYPE, 0, v);
+		break;
+	}
+
+	M_ASN1_I2D_put_SET_type (X509_ATTRIBUTE, a->attrib, i2d_X509_ATTRIBUTE);
+
+	M_ASN1_I2D_finish();
+}
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void)
+{
+	PKCS12_SAFEBAG *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKCS12_SAFEBAG);
+	ret->type=NULL;
+	ret->value.other=NULL;
+	M_ASN1_New(ret->attrib, sk_X509_ATTRIBUTE_new_null);
+	ret->rest=NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PKCS12_SAFEBAG_NEW);
+}
+
+PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
+	     long length)
+{
+	int bagnid;
+	M_ASN1_D2I_vars(a,PKCS12_SAFEBAG *,PKCS12_SAFEBAG_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
+	bagnid = OBJ_obj2nid (ret->type);
+
+	switch (bagnid) {
+
+		case NID_keyBag:
+			M_ASN1_D2I_get_EXP_opt (ret->value.keybag,
+						 d2i_PKCS8_PRIV_KEY_INFO, 0);
+		break;
+
+		case NID_pkcs8ShroudedKeyBag:
+			M_ASN1_D2I_get_EXP_opt (ret->value.shkeybag,
+						 	d2i_X509_SIG, 0);
+		break;
+
+		case NID_safeContentsBag:
+			M_ASN1_D2I_get_EXP_set_opt(ret->value.safes,
+				d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free,
+							 0, V_ASN1_SEQUENCE);
+		break;
+
+		case NID_certBag:
+		case NID_crlBag:
+		case NID_secretBag:
+			M_ASN1_D2I_get_EXP_opt (ret->value.bag,
+							 d2i_PKCS12_BAGS, 0);
+		break;
+
+		default:
+			M_ASN1_D2I_get_EXP_opt (ret->value.other,
+							 d2i_ASN1_TYPE, 0);
+		break;
+	}
+	M_ASN1_D2I_get_set_opt_type(X509_ATTRIBUTE,ret->attrib,
+				    d2i_X509_ATTRIBUTE,X509_ATTRIBUTE_free);
+	M_ASN1_D2I_Finish(a, PKCS12_SAFEBAG_free, ASN1_F_D2I_PKCS12_SAFEBAG);
+}
+
+void PKCS12_SAFEBAG_free (PKCS12_SAFEBAG *a)
+{
+	if (a == NULL) return;
+	switch (OBJ_obj2nid(a->type)) {
+
+		case NID_keyBag:
+			PKCS8_PRIV_KEY_INFO_free (a->value.keybag);
+		break;
+
+		case NID_pkcs8ShroudedKeyBag:
+			X509_SIG_free (a->value.shkeybag);
+		break;
+
+		case NID_certBag:
+		case NID_crlBag:
+		case NID_secretBag:
+			PKCS12_BAGS_free (a->value.bag);
+		break;
+
+		default:
+			ASN1_TYPE_free (a->value.other);
+		break;
+	}
+
+	ASN1_OBJECT_free (a->type);
+	sk_X509_ATTRIBUTE_pop_free (a->attrib, X509_ATTRIBUTE_free);
+	Free (a);
+}
diff --git a/crypto/openssl/crypto/pkcs12/p12_utl.c b/crypto/openssl/crypto/pkcs12/p12_utl.c
new file mode 100644
index 0000000..2adcbc9
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/p12_utl.c
@@ -0,0 +1,118 @@
+/* p12_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Cheap and nasty Unicode stuff */
+
+unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
+{
+	int ulen, i;
+	unsigned char *unitmp;
+	ulen = strlen(asc)*2  + 2;
+	if (!(unitmp = Malloc (ulen))) return NULL;
+	for (i = 0; i < ulen; i+=2) {
+		unitmp[i] = 0;
+		unitmp[i + 1] = asc[i>>1];
+	}
+	if (unilen) *unilen = ulen;
+	if (uni) *uni = unitmp;
+	return unitmp;
+}
+
+char *uni2asc (unsigned char *uni, int unilen)
+{
+	int asclen, i;
+	char *asctmp;
+	asclen = unilen / 2;
+	/* If no terminating zero allow for one */
+	if (uni[unilen - 1]) asclen++;
+	uni++;
+	if (!(asctmp = Malloc (asclen))) return NULL;
+	for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
+	asctmp[asclen - 1] = 0;
+	return asctmp;
+}
+
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
+{
+	return ASN1_i2d_bio((int(*)())i2d_PKCS12, bp, (unsigned char *)p12);
+}
+
+#ifndef NO_FP_API
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
+{
+	return ASN1_i2d_fp((int(*)())i2d_PKCS12, fp, (unsigned char *)p12);
+}
+#endif
+
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
+{
+	return (PKCS12 *)ASN1_d2i_bio((char *(*)())PKCS12_new,
+         (char *(*)())d2i_PKCS12, bp, (unsigned char **)p12);
+}
+#ifndef NO_FP_API
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
+{
+        return (PKCS12 *)ASN1_d2i_fp((char *(*)())PKCS12_new, 
+         (char *(*)())d2i_PKCS12, fp, (unsigned char **)(p12));
+}
+#endif
+
diff --git a/crypto/openssl/crypto/pkcs12/pk12err.c b/crypto/openssl/crypto/pkcs12/pk12err.c
new file mode 100644
index 0000000..12db54f
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/pk12err.c
@@ -0,0 +1,139 @@
+/* crypto/pkcs12/pk12err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PKCS12_str_functs[]=
+	{
+{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),	"PARSE_BAGS"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),	"PKCS12_ADD_FRIENDLYNAME"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),	"PKCS12_add_friendlyname_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),	"PKCS12_add_friendlyname_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),	"PKCS12_add_localkeyid"},
+{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),	"PKCS12_create"},
+{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),	"PKCS12_decrypt_d2i"},
+{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0),	"PKCS12_gen_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),	"PKCS12_i2d_encrypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),	"PKCS12_init"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),	"PKCS12_key_gen_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),	"PKCS12_key_gen_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),	"PKCS12_MAKE_KEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),	"PKCS12_MAKE_SHKEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0),	"PKCS12_newpass"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),	"PKCS12_pack_p7data"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),	"PKCS12_pack_p7encdata"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),	"PKCS12_pack_safebag"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),	"PKCS12_parse"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),	"PKCS12_pbe_crypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),	"PKCS12_PBE_keyivgen"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),	"PKCS12_setup_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0),	"PKCS12_set_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),	"PKCS8_add_keyusage"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),	"PKCS8_encrypt"},
+{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),	"VERIFY_MAC"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA PKCS12_str_reasons[]=
+	{
+{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
+{PKCS12_R_DECODE_ERROR                   ,"decode error"},
+{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
+{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
+{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"},
+{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
+{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
+{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
+{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
+{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
+{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
+{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
+{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
+{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
+{PKCS12_R_PARSE_ERROR                    ,"parse error"},
+{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
+{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
+{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
+{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
+{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_PKCS12_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
+		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h
new file mode 100644
index 0000000..dad356c
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs12/pkcs12.h
@@ -0,0 +1,340 @@
+/* pkcs12.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_PKCS12_H
+#define HEADER_PKCS12_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+
+#define PKCS12_KEY_ID	1
+#define PKCS12_IV_ID	2
+#define PKCS12_MAC_ID	3
+
+/* Default iteration count */
+#ifndef PKCS12_DEFAULT_ITER
+#define PKCS12_DEFAULT_ITER	PKCS5_DEFAULT_ITER
+#endif
+
+#define PKCS12_MAC_KEY_LENGTH 20
+
+#define PKCS12_SALT_LEN	8
+
+/* Uncomment out next line for unicode password and names, otherwise ASCII */
+
+/*#define PBE_UNICODE*/
+
+#ifdef PBE_UNICODE
+#define PKCS12_key_gen PKCS12_key_gen_uni
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_uni
+#else
+#define PKCS12_key_gen PKCS12_key_gen_asc
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_asc
+#endif
+
+/* MS key usage constants */
+
+#define KEY_EX	0x10
+#define KEY_SIG 0x80
+
+typedef struct {
+X509_SIG *dinfo;
+ASN1_OCTET_STRING *salt;
+ASN1_INTEGER *iter;	/* defaults to 1 */
+} PKCS12_MAC_DATA;
+
+typedef struct {
+ASN1_INTEGER *version;
+PKCS12_MAC_DATA *mac;
+PKCS7 *authsafes;
+} PKCS12;
+
+typedef struct {
+ASN1_OBJECT *type;
+union {
+	struct pkcs12_bag_st *bag; /* secret, crl and certbag */
+	struct pkcs8_priv_key_info_st	*keybag; /* keybag */
+	X509_SIG *shkeybag; /* shrouded key bag */
+	STACK /* PKCS12_SAFEBAG */ *safes;
+	ASN1_TYPE *other;
+}value;
+STACK_OF(X509_ATTRIBUTE) *attrib;
+ASN1_TYPE *rest;
+} PKCS12_SAFEBAG;
+
+typedef struct pkcs12_bag_st {
+ASN1_OBJECT *type;
+union {
+	ASN1_OCTET_STRING *x509cert;
+	ASN1_OCTET_STRING *x509crl;
+	ASN1_OCTET_STRING *octet;
+	ASN1_IA5STRING *sdsicert;
+	ASN1_TYPE *other; /* Secret or other bag */
+}value;
+} PKCS12_BAGS;
+
+#define PKCS12_ERROR	0
+#define PKCS12_OK	1
+
+#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
+#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
+
+#define M_PKCS12_x5092certbag(x509) \
+PKCS12_pack_safebag ((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)
+
+#define M_PKCS12_x509crl2certbag(crl) \
+PKCS12_pack_safebag ((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)
+
+#define M_PKCS12_certbag2x509(bg) \
+(X509 *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509)
+
+#define M_PKCS12_certbag2x509crl(bg) \
+(X509CRL *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509CRL)
+
+/*#define M_PKCS12_pkcs82rsa(p8) \
+(RSA *) ASN1_unpack_string ((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/
+
+#define M_PKCS12_unpack_p7data(p7) \
+ASN1_seq_unpack ((p7)->d.data->data, p7->d.data->length, \
+			 (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free)
+
+#define M_PKCS12_pack_authsafes(p12, safes) \
+ASN1_seq_pack((safes), (int (*)())i2d_PKCS7,\
+	&(p12)->authsafes->d.data->data, &(p12)->authsafes->d.data->length)
+
+#define M_PKCS12_unpack_authsafes(p12) \
+ASN1_seq_unpack((p12)->authsafes->d.data->data, \
+		(p12)->authsafes->d.data->length, (char *(*)())d2i_PKCS7, \
+							PKCS7_free)
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
+(STACK *) PKCS12_decrypt_d2i ((p7)->d.encrypted->enc_data->algorithm,\
+			 (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free, \
+							(pass), (passlen), \
+			(p7)->d.encrypted->enc_data->enc_data, 3)
+
+#define M_PKCS12_decrypt_skey(bag, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((bag)->value.shkeybag->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free, \
+						(pass), (passlen), \
+			 (bag)->value.shkeybag->digest, 2)
+
+#define M_PKCS8_decrypt(p8, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((p8)->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free,\
+			 (pass), (passlen), (p8)->digest, 2)
+
+#define PKCS12_get_attr(bag, attr_nid) \
+			 PKCS12_get_attr_gen(bag->attrib, attr_nid)
+
+#define PKCS8_get_attr(p8, attr_nid) \
+		PKCS12_get_attr_gen(p8->attributes, attr_nid)
+
+#define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
+
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag(char *obj, int (*i2d)(), int nid1, int nid2);
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 
+			const char *pass, int passlen,
+			unsigned char *salt, int saltlen, int iter,
+			PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+				     int passlen, unsigned char *salt,
+				     int saltlen, int iter,
+				     PKCS8_PRIV_KEY_INFO *p8);
+PKCS7 *PKCS12_pack_p7data(STACK *sk);
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
+			     unsigned char *salt, int saltlen, int iter,
+			     STACK *bags);
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen);
+int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
+				int namelen);
+int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
+				int namelen);
+int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid);
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
+unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
+				int passlen, unsigned char *in, int inlen,
+				unsigned char **data, int *datalen, int en_de);
+char *PKCS12_decrypt_d2i(X509_ALGOR *algor, char *(*d2i)(),
+			 void (*free_func)(), const char *pass, int passlen,
+			 ASN1_STRING *oct, int seq);
+ASN1_STRING *PKCS12_i2d_encrypt(X509_ALGOR *algor, int (*i2d)(),
+				const char *pass, int passlen, char *obj,
+				int seq);
+PKCS12 *PKCS12_init(int mode);
+int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
+		       int saltlen, int id, int iter, int n,
+		       unsigned char *out, const EVP_MD *md_type);
+int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type);
+int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+			 ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md_type,
+			 int en_de);
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+			 unsigned char *mac, unsigned int *maclen);
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
+int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
+		   unsigned char *salt, int saltlen, int iter,
+		   EVP_MD *md_type);
+int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
+					 int saltlen, EVP_MD *md_type);
+unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
+char *uni2asc(unsigned char *uni, int unilen);
+int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
+PKCS12_BAGS *PKCS12_BAGS_new(void);
+PKCS12_BAGS *d2i_PKCS12_BAGS(PKCS12_BAGS **a, unsigned char **pp, long length);
+void PKCS12_BAGS_free(PKCS12_BAGS *a);
+int i2d_PKCS12(PKCS12 *a, unsigned char **pp);
+PKCS12 *d2i_PKCS12(PKCS12 **a, unsigned char **pp, long length);
+PKCS12 *PKCS12_new(void);
+void PKCS12_free(PKCS12 *a);
+int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **pp);
+PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void);
+PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
+								 long length);
+void PKCS12_MAC_DATA_free(PKCS12_MAC_DATA *a);
+int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **pp);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void);
+PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
+								 long length);
+void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a);
+void ERR_load_PKCS12_strings(void);
+void PKCS12_PBE_add(void);
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+		 STACK_OF(X509) **ca);
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+			 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
+						 int mac_iter, int keytype);
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the PKCS12 functions. */
+
+/* Function codes. */
+#define PKCS12_F_PARSE_BAGS				 103
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME		 100
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC		 127
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI		 102
+#define PKCS12_F_PKCS12_ADD_LOCALKEYID			 104
+#define PKCS12_F_PKCS12_CREATE				 105
+#define PKCS12_F_PKCS12_DECRYPT_D2I			 106
+#define PKCS12_F_PKCS12_GEN_MAC				 107
+#define PKCS12_F_PKCS12_I2D_ENCRYPT			 108
+#define PKCS12_F_PKCS12_INIT				 109
+#define PKCS12_F_PKCS12_KEY_GEN_ASC			 110
+#define PKCS12_F_PKCS12_KEY_GEN_UNI			 111
+#define PKCS12_F_PKCS12_MAKE_KEYBAG			 112
+#define PKCS12_F_PKCS12_MAKE_SHKEYBAG			 113
+#define PKCS12_F_PKCS12_NEWPASS				 128
+#define PKCS12_F_PKCS12_PACK_P7DATA			 114
+#define PKCS12_F_PKCS12_PACK_P7ENCDATA			 115
+#define PKCS12_F_PKCS12_PACK_SAFEBAG			 117
+#define PKCS12_F_PKCS12_PARSE				 118
+#define PKCS12_F_PKCS12_PBE_CRYPT			 119
+#define PKCS12_F_PKCS12_PBE_KEYIVGEN			 120
+#define PKCS12_F_PKCS12_SETUP_MAC			 122
+#define PKCS12_F_PKCS12_SET_MAC				 123
+#define PKCS12_F_PKCS8_ADD_KEYUSAGE			 124
+#define PKCS12_F_PKCS8_ENCRYPT				 125
+#define PKCS12_F_VERIFY_MAC				 126
+
+/* Reason codes. */
+#define PKCS12_R_CANT_PACK_STRUCTURE			 100
+#define PKCS12_R_DECODE_ERROR				 101
+#define PKCS12_R_ENCODE_ERROR				 102
+#define PKCS12_R_ENCRYPT_ERROR				 103
+#define PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE	 120
+#define PKCS12_R_INVALID_NULL_ARGUMENT			 104
+#define PKCS12_R_INVALID_NULL_PKCS12_POINTER		 105
+#define PKCS12_R_IV_GEN_ERROR				 106
+#define PKCS12_R_KEY_GEN_ERROR				 107
+#define PKCS12_R_MAC_ABSENT				 108
+#define PKCS12_R_MAC_GENERATION_ERROR			 109
+#define PKCS12_R_MAC_SETUP_ERROR			 110
+#define PKCS12_R_MAC_STRING_SET_ERROR			 111
+#define PKCS12_R_MAC_VERIFY_ERROR			 112
+#define PKCS12_R_MAC_VERIFY_FAILURE			 113
+#define PKCS12_R_PARSE_ERROR				 114
+#define PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR		 115
+#define PKCS12_R_PKCS12_CIPHERFINAL_ERROR		 116
+#define PKCS12_R_PKCS12_PBE_CRYPT_ERROR			 117
+#define PKCS12_R_UNKNOWN_DIGEST_ALGORITHM		 118
+#define PKCS12_R_UNSUPPORTED_PKCS12_MODE		 119
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/pkcs7/Makefile.save b/crypto/openssl/crypto/pkcs7/Makefile.save
new file mode 100644
index 0000000..2b20d29
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/Makefile.save
@@ -0,0 +1,202 @@
+#
+# SSLeay/crypto/pkcs7/Makefile
+#
+
+DIR=	pkcs7
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+PEX_LIBS=
+EX_LIBS=
+ 
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c pk7_mime.c
+LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o pk7_mime.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  pkcs7.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all:	lib
+
+testapps: enc dec sign verify
+
+enc: enc.o lib
+	$(CC) $(CFLAGS) -o enc enc.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+dec: dec.o lib
+	$(CC) $(CFLAGS) -o dec dec.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+sign: sign.o lib
+	$(CC) $(CFLAGS) -o sign sign.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+verify: verify.o example.o lib
+	$(CC) $(CFLAGS) -o verify verify.o $(PEX_LIBS) example.o $(LIB) $(EX_LIBS)
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pk7_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_attr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pk7_attr.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk7_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_attr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pk7_attr.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pk7_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_doit.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_doit.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pk7_doit.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_doit.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_doit.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_doit.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pk7_doit.o: ../cryptlib.h
+pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_lib.o: ../cryptlib.h
+pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_mime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_mime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_mime.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_mime.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_mime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_mime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_mime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_mime.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_smime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_smime.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pk7_smime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_smime.o: ../../include/openssl/objects.h
+pk7_smime.o: ../../include/openssl/opensslconf.h
+pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_smime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_smime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_smime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_smime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h
+pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pkcs7err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pkcs7err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pkcs7err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pkcs7err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pkcs7err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pkcs7err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pkcs7err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pkcs7err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pkcs7err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pkcs7err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pkcs7err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pkcs7err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pkcs7err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl
new file mode 100644
index 0000000..2b20d29
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl
@@ -0,0 +1,202 @@
+#
+# SSLeay/crypto/pkcs7/Makefile
+#
+
+DIR=	pkcs7
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+PEX_LIBS=
+EX_LIBS=
+ 
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c pk7_mime.c
+LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o pk7_mime.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=  pkcs7.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all:	lib
+
+testapps: enc dec sign verify
+
+enc: enc.o lib
+	$(CC) $(CFLAGS) -o enc enc.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+dec: dec.o lib
+	$(CC) $(CFLAGS) -o dec dec.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+sign: sign.o lib
+	$(CC) $(CFLAGS) -o sign sign.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
+
+verify: verify.o example.o lib
+	$(CC) $(CFLAGS) -o verify verify.o $(PEX_LIBS) example.o $(LIB) $(EX_LIBS)
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pk7_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_attr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pk7_attr.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk7_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_attr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pk7_attr.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pk7_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_doit.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_doit.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pk7_doit.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_doit.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_doit.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_doit.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pk7_doit.o: ../cryptlib.h
+pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_lib.o: ../cryptlib.h
+pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_mime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_mime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_mime.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_mime.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_mime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_mime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_mime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_mime.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_smime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_smime.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pk7_smime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_smime.o: ../../include/openssl/objects.h
+pk7_smime.o: ../../include/openssl/opensslconf.h
+pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_smime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_smime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_smime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_smime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h
+pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pkcs7err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pkcs7err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pkcs7err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pkcs7err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pkcs7err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pkcs7err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pkcs7err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pkcs7err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pkcs7err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pkcs7err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pkcs7err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pkcs7err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pkcs7err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/crypto/pkcs7/README b/crypto/openssl/crypto/pkcs7/README
new file mode 100644
index 0000000..27001c6
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/README
@@ -0,0 +1,5 @@
+WARNING
+
+Everything in this directory is experimental and is subject to change.
+
+Do not rely on the stuff in here not changing in the next release
diff --git a/crypto/openssl/crypto/pkcs7/bio_ber.c b/crypto/openssl/crypto/pkcs7/bio_ber.c
new file mode 100644
index 0000000..4803966
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/bio_ber.c
@@ -0,0 +1,466 @@
+/* crypto/evp/bio_ber.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+static int ber_write(BIO *h,char *buf,int num);
+static int ber_read(BIO *h,char *buf,int size);
+/*static int ber_puts(BIO *h,char *str); */
+/*static int ber_gets(BIO *h,char *str,int size); */
+static long ber_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int ber_new(BIO *h);
+static int ber_free(BIO *data);
+static long ber_callback_ctrl(BIO *h,int cmd,void *(*fp)());
+#define BER_BUF_SIZE	(32)
+
+/* This is used to hold the state of the BER objects being read. */
+typedef struct ber_struct
+	{
+	int tag;
+	int class;
+	long length;
+	int inf;
+	int num_left;
+	int depth;
+	} BER_CTX;
+
+typedef struct bio_ber_struct
+	{
+	int tag;
+	int class;
+	long length;
+	int inf;
+
+	/* most of the following are used when doing non-blocking IO */
+	/* reading */
+	long num_left;	/* number of bytes still to read/write in block */
+	int depth;	/* used with indefinite encoding. */
+	int finished;	/* No more read data */
+
+	/* writting */ 
+	char *w_addr;
+	int w_offset;
+	int w_left;
+
+	int buf_len;
+	int buf_off;
+	unsigned char buf[BER_BUF_SIZE];
+	} BIO_BER_CTX;
+
+static BIO_METHOD methods_ber=
+	{
+	BIO_TYPE_CIPHER,"cipher",
+	ber_write,
+	ber_read,
+	NULL, /* ber_puts, */
+	NULL, /* ber_gets, */
+	ber_ctrl,
+	ber_new,
+	ber_free,
+	ber_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_ber(void)
+	{
+	return(&methods_ber);
+	}
+
+static int ber_new(BIO *bi)
+	{
+	BIO_BER_CTX *ctx;
+
+	ctx=(BIO_BER_CTX *)Malloc(sizeof(BIO_BER_CTX));
+	if (ctx == NULL) return(0);
+
+	memset((char *)ctx,0,sizeof(BIO_BER_CTX));
+
+	bi->init=0;
+	bi->ptr=(char *)ctx;
+	bi->flags=0;
+	return(1);
+	}
+
+static int ber_free(BIO *a)
+	{
+	BIO_BER_CTX *b;
+
+	if (a == NULL) return(0);
+	b=(BIO_BER_CTX *)a->ptr;
+	memset(a->ptr,0,sizeof(BIO_BER_CTX));
+	Free(a->ptr);
+	a->ptr=NULL;
+	a->init=0;
+	a->flags=0;
+	return(1);
+	}
+
+int bio_ber_get_header(BIO *bio, BIO_BER_CTX *ctx)
+	{
+	char buf[64];
+	int i,j,n;
+	int ret;
+	unsigned char *p;
+	unsigned long length
+	int tag;
+	int class;
+	long max;
+
+	BIO_clear_retry_flags(b);
+
+	/* Pack the buffer down if there is a hole at the front */
+	if (ctx->buf_off != 0)
+		{
+		p=ctx->buf;
+		j=ctx->buf_off;
+		n=ctx->buf_len-j;
+		for (i=0; i<n; i++)
+			{
+			p[0]=p[j];
+			p++;
+			}
+		ctx->buf_len-j;
+		ctx->buf_off=0;
+		}
+
+	/* If there is more room, read some more data */
+	i=BER_BUF_SIZE-ctx->buf_len;
+	if (i)
+		{
+		i=BIO_read(bio->next_bio,&(ctx->buf[ctx->buf_len]),i);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			return(i);
+			}
+		else
+			ctx->buf_len+=i;
+		}
+
+	max=ctx->buf_len;
+	p=ctx->buf;
+	ret=ASN1_get_object(&p,&length,&tag,&class,max);
+
+	if (ret & 0x80)
+		{
+		if ((ctx->buf_len < BER_BUF_SIZE) &&
+			(ERR_GET_REASON(ERR_peek_error()) == ASN1_R_TOO_LONG))
+			{
+			ERR_get_error(); /* clear the error */
+			BIO_set_retry_read(b);
+			}
+		return(-1);
+		}
+
+	/* We have no error, we have a header, so make use of it */
+
+	if ((ctx->tag  >= 0) && (ctx->tag != tag))
+		{
+		BIOerr(BIO_F_BIO_BER_GET_HEADER,BIO_R_TAG_MISMATCH);
+		sprintf(buf,"tag=%d, got %d",ctx->tag,tag);
+		ERR_add_error_data(1,buf);
+		return(-1);
+		}
+	if (ret & 0x01)
+	if (ret & V_ASN1_CONSTRUCTED)
+	}
+	
+static int ber_read(BIO *b, char *out, int outl)
+	{
+	int ret=0,i,n;
+	BIO_BER_CTX *ctx;
+
+	BIO_clear_retry_flags(b);
+
+	if (out == NULL) return(0);
+	ctx=(BIO_BER_CTX *)b->ptr;
+
+	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+	if (ctx->finished) return(0);
+
+again:
+	/* First see if we are half way through reading a block */
+	if (ctx->num_left > 0)
+		{
+		if (ctx->num_left < outl)
+			n=ctx->num_left;
+		else
+			n=outl;
+		i=BIO_read(b->next_bio,out,n);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			return(i);
+			}
+		ctx->num_left-=i;
+		outl-=i;
+		ret+=i;
+		if (ctx->num_left <= 0)
+			{
+			ctx->depth--;
+			if (ctx->depth <= 0)
+				ctx->finished=1;
+			}
+		if (outl <= 0)
+			return(ret);
+		else
+			goto again;
+		}
+	else	/* we need to read another BER header */
+		{
+		}
+	}
+
+static int ber_write(BIO *b, char *in, int inl)
+	{
+	int ret=0,n,i;
+	BIO_ENC_CTX *ctx;
+
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	ret=inl;
+
+	BIO_clear_retry_flags(b);
+	n=ctx->buf_len-ctx->buf_off;
+	while (n > 0)
+		{
+		i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+		if (i <= 0)
+			{
+			BIO_copy_next_retry(b);
+			return(i);
+			}
+		ctx->buf_off+=i;
+		n-=i;
+		}
+	/* at this point all pending data has been written */
+
+	if ((in == NULL) || (inl <= 0)) return(0);
+
+	ctx->buf_off=0;
+	while (inl > 0)
+		{
+		n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
+		EVP_CipherUpdate(&(ctx->cipher),
+			(unsigned char *)ctx->buf,&ctx->buf_len,
+			(unsigned char *)in,n);
+		inl-=n;
+		in+=n;
+
+		ctx->buf_off=0;
+		n=ctx->buf_len;
+		while (n > 0)
+			{
+			i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+			if (i <= 0)
+				{
+				BIO_copy_next_retry(b);
+				return(i);
+				}
+			n-=i;
+			ctx->buf_off+=i;
+			}
+		ctx->buf_len=0;
+		ctx->buf_off=0;
+		}
+	BIO_copy_next_retry(b);
+	return(ret);
+	}
+
+static long ber_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	BIO *dbio;
+	BIO_ENC_CTX *ctx,*dctx;
+	long ret=1;
+	int i;
+
+	ctx=(BIO_ENC_CTX *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		ctx->ok=1;
+		ctx->finished=0;
+		EVP_CipherInit(&(ctx->cipher),NULL,NULL,NULL,
+			ctx->cipher.berrypt);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_EOF:	/* More to read */
+		if (ctx->cont <= 0)
+			ret=1;
+		else
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_WPENDING:
+		ret=ctx->buf_len-ctx->buf_off;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_PENDING: /* More to read in buffer */
+		ret=ctx->buf_len-ctx->buf_off;
+		if (ret <= 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_FLUSH:
+		/* do a final write */
+again:
+		while (ctx->buf_len != ctx->buf_off)
+			{
+			i=ber_write(b,NULL,0);
+			if (i < 0)
+				{
+				ret=i;
+				break;
+				}
+			}
+
+		if (!ctx->finished)
+			{
+			ctx->finished=1;
+			ctx->buf_off=0;
+			ret=EVP_CipherFinal(&(ctx->cipher),
+				(unsigned char *)ctx->buf,
+				&(ctx->buf_len));
+			ctx->ok=(int)ret;
+			if (ret <= 0) break;
+
+			/* push out the bytes */
+			goto again;
+			}
+		
+		/* Finally flush the underlying BIO */
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+	case BIO_C_GET_CIPHER_STATUS:
+		ret=(long)ctx->ok;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+		dctx=(BIO_ENC_CTX *)dbio->ptr;
+		memcpy(&(dctx->cipher),&(ctx->cipher),sizeof(ctx->cipher));
+		dbio->init=1;
+		break;
+	default:
+		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long ber_callback_ctrl(BIO *b, int cmd, void *(*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+/*
+void BIO_set_cipher_ctx(b,c)
+BIO *b;
+EVP_CIPHER_ctx *c;
+	{
+	if (b == NULL) return;
+
+	if ((b->callback != NULL) &&
+		(b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
+		return;
+
+	b->init=1;
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	memcpy(ctx->cipher,c,sizeof(EVP_CIPHER_CTX));
+	
+	if (b->callback != NULL)
+		b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
+	}
+*/
+
+void BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *k, unsigned char *i,
+	     int e)
+	{
+	BIO_ENC_CTX *ctx;
+
+	if (b == NULL) return;
+
+	if ((b->callback != NULL) &&
+		(b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
+		return;
+
+	b->init=1;
+	ctx=(BIO_ENC_CTX *)b->ptr;
+	EVP_CipherInit(&(ctx->cipher),c,k,i,e);
+	
+	if (b->callback != NULL)
+		b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
+	}
+
diff --git a/crypto/openssl/crypto/pkcs7/dec.c b/crypto/openssl/crypto/pkcs7/dec.c
new file mode 100644
index 0000000..6752ec5
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/dec.c
@@ -0,0 +1,248 @@
+/* crypto/pkcs7/verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+
+int verify_callback(int ok, X509_STORE_CTX *ctx);
+
+BIO *bio_err=NULL;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	char *keyfile=NULL;
+	BIO *in;
+	EVP_PKEY *pkey;
+	X509 *x509;
+	PKCS7 *p7;
+	PKCS7_SIGNER_INFO *si;
+	X509_STORE_CTX cert_ctx;
+	X509_STORE *cert_store=NULL;
+	BIO *data,*detached=NULL,*p7bio=NULL;
+	char buf[1024*4];
+	unsigned char *pp;
+	int i,printit=0;
+	STACK_OF(PKCS7_SIGNER_INFO) *sk;
+
+	OpenSSL_add_all_algorithms();
+	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	data=BIO_new(BIO_s_file());
+	pp=NULL;
+	while (argc > 1)
+		{
+		argc--;
+		argv++;
+		if (strcmp(argv[0],"-p") == 0)
+			{
+			printit=1;
+			}
+		else if ((strcmp(argv[0],"-k") == 0) && (argc >= 2)) {
+			keyfile = argv[1];
+			argc-=1;
+			argv+=1;
+		} else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
+			{
+			detached=BIO_new(BIO_s_file());
+			if (!BIO_read_filename(detached,argv[1]))
+				goto err;
+			argc-=1;
+			argv+=1;
+			}
+		else break;
+		}
+
+	 if (!BIO_read_filename(data,argv[0])) goto err; 
+
+	if(!keyfile) {
+		fprintf(stderr, "No private key file specified\n");
+		goto err;
+	}
+
+        if ((in=BIO_new_file(keyfile,"r")) == NULL) goto err;
+        if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
+        BIO_reset(in);
+        if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL)
+		goto err;
+        BIO_free(in);
+
+	if (pp == NULL)
+		BIO_set_fp(data,stdin,BIO_NOCLOSE);
+
+
+	/* Load the PKCS7 object from a file */
+	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
+
+
+
+	/* This stuff is being setup for certificate verification.
+	 * When using SSL, it could be replaced with a 
+	 * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
+	cert_store=X509_STORE_new();
+	X509_STORE_set_default_paths(cert_store);
+	X509_STORE_load_locations(cert_store,NULL,"../../certs");
+	X509_STORE_set_verify_cb_func(cert_store,verify_callback);
+
+	ERR_clear_error();
+
+	/* We need to process the data */
+	/* We cannot support detached encryption */
+	p7bio=PKCS7_dataDecode(p7,pkey,detached,x509);
+
+	if (p7bio == NULL)
+		{
+		printf("problems decoding\n");
+		goto err;
+		}
+
+	/* We now have to 'read' from p7bio to calculate digests etc. */
+	for (;;)
+		{
+		i=BIO_read(p7bio,buf,sizeof(buf));
+		/* print it? */
+		if (i <= 0) break;
+		fwrite(buf,1, i, stdout);
+		}
+
+	/* We can now verify signatures */
+	sk=PKCS7_get_signer_info(p7);
+	if (sk == NULL)
+		{
+		fprintf(stderr, "there are no signatures on this data\n");
+		}
+	else
+		{
+		/* Ok, first we need to, for each subject entry,
+		 * see if we can verify */
+		ERR_clear_error();
+		for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
+			{
+			si=sk_PKCS7_SIGNER_INFO_value(sk,i);
+			i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
+			if (i <= 0)
+				goto err;
+			else
+				fprintf(stderr,"Signature verified\n");
+			}
+		}
+	X509_STORE_free(cert_store);
+
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	}
+
+/* should be X509 * but we can just have them as char *. */
+int verify_callback(int ok, X509_STORE_CTX *ctx)
+	{
+	char buf[256];
+	X509 *err_cert;
+	int err,depth;
+
+	err_cert=X509_STORE_CTX_get_current_cert(ctx);
+	err=	X509_STORE_CTX_get_error(ctx);
+	depth=	X509_STORE_CTX_get_error_depth(ctx);
+
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+	if (!ok)
+		{
+		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
+			X509_verify_cert_error_string(err));
+		if (depth < 6)
+			{
+			ok=1;
+			X509_STORE_CTX_set_error(ctx,X509_V_OK);
+			}
+		else
+			{
+			ok=0;
+			X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
+			}
+		}
+	switch (ctx->error)
+		{
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+		BIO_printf(bio_err,"issuer= %s\n",buf);
+		break;
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		BIO_printf(bio_err,"notBefore=");
+		ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		BIO_printf(bio_err,"notAfter=");
+		ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+		}
+	BIO_printf(bio_err,"verify return:%d\n",ok);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/pkcs7/des.pem b/crypto/openssl/crypto/pkcs7/des.pem
new file mode 100644
index 0000000..62d1657
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/des.pem
@@ -0,0 +1,15 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
+/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
+WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
+lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
+5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
+
diff --git a/crypto/openssl/crypto/pkcs7/doc b/crypto/openssl/crypto/pkcs7/doc
new file mode 100644
index 0000000..d2e8b7b
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/doc
@@ -0,0 +1,24 @@
+int PKCS7_set_content_type(PKCS7 *p7, int type);
+Call to set the type of PKCS7 object we are working on
+
+int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
+	EVP_MD *dgst);
+Use this to setup a signer info
+There will also be functions to add signed and unsigned attributes.
+
+int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
+Add a signer info to the content.
+
+int PKCS7_add_certificae(PKCS7 *p7, X509 *x509);
+int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
+
+----
+
+p7=PKCS7_new();
+PKCS7_set_content_type(p7,NID_pkcs7_signed);
+
+signer=PKCS7_SINGNER_INFO_new();
+PKCS7_SIGNER_INFO_set(signer,x509,pkey,EVP_md5());
+PKCS7_add_signer(py,signer);
+
+we are now setup.
diff --git a/crypto/openssl/crypto/pkcs7/enc.c b/crypto/openssl/crypto/pkcs7/enc.c
new file mode 100644
index 0000000..2b56c2e
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/enc.c
@@ -0,0 +1,174 @@
+/* crypto/pkcs7/enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	X509 *x509;
+	PKCS7 *p7;
+	BIO *in;
+	BIO *data,*p7bio;
+	char buf[1024*4];
+	int i;
+	int nodetach=1;
+	char *keyfile = NULL;
+	const EVP_CIPHER *cipher=NULL;
+	STACK_OF(X509) *recips=NULL;
+
+	OpenSSL_add_all_algorithms();
+
+	data=BIO_new(BIO_s_file());
+	while(argc > 1)
+		{
+		if (strcmp(argv[1],"-nd") == 0)
+			{
+			nodetach=1;
+			argv++; argc--;
+			}
+		else if ((strcmp(argv[1],"-c") == 0) && (argc >= 2)) {
+			if(!(cipher = EVP_get_cipherbyname(argv[2]))) {
+				fprintf(stderr, "Unknown cipher %s\n", argv[2]);
+				goto err;
+			}
+			argc-=2;
+			argv+=2;
+		} else if ((strcmp(argv[1],"-k") == 0) && (argc >= 2)) {
+			keyfile = argv[2];
+			argc-=2;
+			argv+=2;
+			if (!(in=BIO_new_file(keyfile,"r"))) goto err;
+			if (!(x509=PEM_read_bio_X509(in,NULL,NULL,NULL)))
+				goto err;
+			if(!recips) recips = sk_X509_new_null();
+			sk_X509_push(recips, x509);
+			BIO_free(in);
+		} else break;
+	}
+
+	if(!recips) {
+		fprintf(stderr, "No recipients\n");
+		goto err;
+	}
+
+	if (!BIO_read_filename(data,argv[1])) goto err;
+
+	p7=PKCS7_new();
+#if 0
+	BIO_reset(in);
+	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
+	BIO_free(in);
+	PKCS7_set_type(p7,NID_pkcs7_signedAndEnveloped);
+	 
+	if (PKCS7_add_signature(p7,x509,pkey,EVP_sha1()) == NULL) goto err;
+	/* we may want to add more */
+	PKCS7_add_certificate(p7,x509);
+#else
+	PKCS7_set_type(p7,NID_pkcs7_enveloped);
+#endif
+	if(!cipher)	{
+#ifndef NO_DES
+		cipher = EVP_des_ede3_cbc();
+#else
+		fprintf(stderr, "No cipher selected\n");
+		goto err;
+#endif
+	}
+
+	if (!PKCS7_set_cipher(p7,cipher)) goto err;
+	for(i = 0; i < sk_X509_num(recips); i++) {
+		if (!PKCS7_add_recipient(p7,sk_X509_value(recips, i))) goto err;
+	}
+	sk_X509_pop_free(recips, X509_free);
+
+	/* Set the content of the signed to 'data' */
+	/* PKCS7_content_new(p7,NID_pkcs7_data); not used in envelope */
+
+	/* could be used, but not in this version :-)
+	if (!nodetach) PKCS7_set_detached(p7,1);
+	*/
+
+	if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;
+
+	for (;;)
+		{
+		i=BIO_read(data,buf,sizeof(buf));
+		if (i <= 0) break;
+		BIO_write(p7bio,buf,i);
+		}
+	BIO_flush(p7bio);
+
+	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
+	BIO_free(p7bio);
+
+	PEM_write_PKCS7(stdout,p7);
+	PKCS7_free(p7);
+
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	}
+
diff --git a/crypto/openssl/crypto/pkcs7/es1.pem b/crypto/openssl/crypto/pkcs7/es1.pem
new file mode 100644
index 0000000..47112a2
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/es1.pem
@@ -0,0 +1,66 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqGSIb3DQEBAQUABEDWak0y/5XZJhQJeCLo
+KECcHXkTEbjzYkYNHIinbiPmRK4QbNfs9z2mA3z/c2ykQ4eAqFR2jyNrUMN/+I5XEiv6MIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEAWg9+KgtCjc77Jdj1Ve4wGgHjVHbbSYEA1ZqKFDoi15vSr9hfpHmC4
+ycZzcRo16JkTfolefiHZzmyjVz94vSN6MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQI7X4Tk4mcbV6ggASBsHl1mCaJ3RhXWlNPCgCRU53d7M5x6TDZRkvwdtdvW96m1lupT03F
+XtonkBqk7oMkH7kGfs5/REQOPjx0QE2Ixmgt1W3szum82EZwA7pZNppcraK7W/odw/7bYZO+
+II3HPmRklE2N9qiu1LPaPUsnYogkO6SennyeL5tZ382vBweL/8pnG0qsbT1OBb65v+llnsjT
+pa1T/p+fIx/iJJGE6K9fYFokC6gXLQ6ozXRdOu5oBDB8mPCYYvAqKycidM/MrGGUkpEtS4f0
+lS31PwQi5YTim8Ig3/TOwVpPX32i46FTuEIEIMHkD/OvpfwCCzXUHHJnKnKUAUvIsSY3vGBs
+8ezpUDfBBBj9LHDy32hZ2tQilkDefP5VM2LLdrWgamYEgfiyITQvn08Ul5lQOQxbFKBheFq5
+otCCN4MR+w5eq12xQu6y+f9z0159ag2ru87D0lLtUtXXtCELbO1nUkT2sJ0k/iDs9TOXr6Cx
+go1XKYho83hlkXYiCteVizdAbgVGNsNRD4wtIdajsorET/LuJECgp11YeL9w1dlDB0HLEZfi
+XCsUphH4jGagba3hDeUSibnjSiJlN0ukfuQurBBbI2UkBAujiEAubKPn7C1FZJRSw6CPPX5t
+KEpmcqT1JNk6LO8Js6/1sCmmBh1VGCy1+EuTI9J1p7Dagf4nQ8cHitoCRpHuKZlFHnZyv7tw
+Rn/KOhHaYP2VzAh40gQIvKMAAWh9oFsEEIMwIoOmLwLH5wf+8QdbDhoECH8HwZt9a12dBAjL
+r4j2zlvtfgQIt7nmEM3wz1EECKlc3EIy1irCBBCAKINcermK3A+jI6ISN2RzBFA3dsh/xwMu
+l61aWMBBZzEz/SF92k6n35KZhCC0d6fIVC/1WMv0fnCwQ8oEDynSre216VEFiYKBaQLJe5o/
+mTAxC7Ht3goXnuc+i1FItOkLrgRI/wyvTICEn2WsNZiMADnGaee2bqPnUopo+VMGexJEtCPk
+l0ZNlDJGquPDkpUwaEtecVZzCNyVPYyyF4J/l8rmGDhDdYUIC8IKBEg/ip/E0BuubBLWVbv+
+HRl4QrnGpyCyeXRXXK603QP3sT1Zbbm1v5pI/loOhVHi724LmtXHSyp5qv9MDcxE1PoX10LY
+gBRtlwwESPeCF8bK5jk4xIQMhK5NMHj1Y1KQWTZ9NGITBL4hjRq2qp4Qk5GIpGgOVPopAuCo
+TIyPikpqBRNtLSPRSsDs6QPUPzWBh6JgxwRQblnDKKUkxUcnJiD4i9QtGa/ZabMn4KxtNOBL
+5JSh1nJkaLXCZY070131WWPAByLcd5TiXq8x84pmzV5NNk4tiMpoXhJNsx8e4rskQQlKd6ME
+SCe2eYDHKcKPX3WJbUzhrJSQ92/aWnI2iUY8WQ+kSNyiZ2QUjyuUg9Z66g/0d2STlvPOBHT/
+y5ODP2CwbcWX4QmCbUc9TT66fQRIrRVuwvtOfnUueyGgYhJ3HpAJfVaB/7kap5bj7Fi/azW4
+9JDfd1bC/W9h0Kyk7RO2gxvE0hIHc26mZJHTm9MNP5D328MnM2MdBEjKjQBtgrp+lFIii7MP
+nGHFTKUkG4WAIZJCf/CsT+p6/SW0qG71Me/YcSw5STB24j+a+HgMV8RVIeUlkP4z0IWWrSoB
+Gh4d/Z0EUMCVHs/HZ/bWgiyhtHpvuVAzidm8D81p1LJ5BQX5/5f/m+q5+fS/npL27dTEbNqs
+LSB6ij3MZAi7LwHWpTn9zWnDajCMEj9vlaV7mcKtHK5iBEg85agFi1h3MvicqLtoFe5hVv9T
+tG0j6CRkjkixPzivltlrf44KHv14gLM0XJxCGyq7vd3l8QYr3+9at0zNnX/yqTiBnsnE5dUE
+SIgrYuz87M2gi/ER9PcDoTtONH3+CkcqVy03q/Sj8cVWD/b1KgEhqnNOfc8Ak9PctyR/ItcR
+8Me5XVn1GJKkQJk4O29fxvgNoAQIrIESvUWGshAEQByXiFoFTDUByjTlgjcy77H1lrH+y3P/
+wAInJjJAut9kCNyGJV0PA4kdPB5USWltuO6t8gk4Pd2YBMl09zqUWkAEUCjFrtZ3mapjcGZI
+uQTASKR5LSjXoWxTT5gae/+64MerF/oCEeO3ehRTpjnPrsiRDo0rWIQTaj9+Nro8Z2xtWstw
+RnfoAHIxV1lEamPwjsceBEi2SD9hiifFeO5ECiVoaE1FdXUXhU+jwYAMx6jHWO9hMkYzS9pM
+Y3IyWR5ybtOjiQgkUdvRJPUPGf5DVVMPnymGX25aDh5PYpIESPbsM9akCpOOVuscywcUswmU
+o7dXvlB48WWCfg/al3BQKAZbn5ZXtWNwpUZkrEdHsrxAVv3rxRcdkT3Z1fzUbIuYkLJN200o
+WgRIJvn6RO8KEj7/HOg2sYuuM8nz1kR0TSgwX7/0y/7JfjBa0JIlP7o75sNJscE8oyoIMzuy
+Dvn6/U9g3BCDXn83A/s+ke60qn9gBFC6NAeLOlXal1YVWYhMQNOqCyUfAjiXBTawaysQb1Mk
+YgeNlF8xuEFcUQWIP+vNG7FJ5JPMaMRL4YEoaQ3sVFhYOERJR1cSb+8xt4QCYtBKQgRIUOmJ
+CHW5o1hXJWJiTkZK2qWFcEMzTINSj5EpYFySr8aVBjkRnI7vxegRT/+XZZXoYedQ3UNsnGI3
+DdkWii5VzX0PNF6C60pfBEiVpausYuX7Wjb3Lfm8cBj7GgN69i6Pm2gxtobVcmpo2nS4D714
+ePyhlX9n8kJ6QAcqWMRj22smDPrHVGNTizfzHBh5zNllK9gESJizILOWI327og3ZWp+qUht5
+kNDJCzMK7Z09UAy+h+vq0VTQuEo3FgLzVdqkJujjSL4Nx97lXg51AovrEn3nd4evydwcjKLX
+1wRIo72NaeWuUEQ+rt1SlCsOJ7k1ioJSqhrPOfvwcaFcb4beVet1JWiy4yvowTjLDGbUje2s
+xjrlVt4BJWI/uA6jbQsrxSe89ADZBAi5YAlR4qszeAQIXD3VSBVKbRUECNTtyvw9vvqXBAhb
+IZNn4H4cxgQI+XW7GkfL+ekECCCCg2reMyGDBAh1PYqkg3lw3gQQkNlggEPU+BH8eh7Gm7n7
+7AQIjC5EWbkil5cEEKcpuqwTWww/X89KnQAg8TcECJPomqHvrlZFBBiRSuIiHpmN+PaujXpv
+qZV2VhjkB2j09GEECOIdv8AVOJgKBAjlHgIqAD9jZQQIXHbs44+wogcEIGGqTACRJxrhMcMG
+X8drNjksIPt+snxTXUBIkTVpZWoABAh6unXPTyIr8QQgBF8xKoX27MWk7iTNmkSNZggZXa2a
+DWCGHSYLngbSOHIECD9XmO6VsvTgBAjfqB70CEW4WwQIVIBkbCocznUEEHB/zFXy/sR4OYHe
+UfbNPnIEEDWBB/NTCLMGE+o8BfyujcAECFik7GQnnF9VBBAhLXExQeWAofZNc6NtN7qZBCC1
+gVIS3ruTwKltmcrgx3heT3M8ZJhCfWa+6KzchnmKygQQ+1NL5sSzR4m/fdrqxHFyUAQYCT2x
+PamQr3wK3h0lyZER+4H0zPM86AhFBBC3CkmvL2vjflMfujnzPBVpBBge9rMbI5+0q9DLrTiT
+5F3AIgXLpD8PQWAECHkHVo6RomV3BAgMbi8E271UeAQIqtS8wnI3XngECG3TWmOMb3/iBEha
+y+mvCS6I3n3JfL8e1B5P4qX9/czJRaERLuKpGNjLiL4A+zxN0LZ0UHd0qfmJjwOTxAx3iJAC
+lGXX4nB9ATYPUT5EU+o1Y4sECN01pP6vWNIdBDAsiE0Ts8/9ltJlqX2B3AoOM4qOt9EaCjXf
+lB+aEmrhtjUwuZ6GqS5Ke7P6XnakTk4ECCLIMatNdootAAAAAAAAAAAAAA==
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/example.c b/crypto/openssl/crypto/pkcs7/example.c
new file mode 100644
index 0000000..f6656be
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/example.c
@@ -0,0 +1,328 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/pkcs7.h>
+#include <openssl/asn1_mac.h>
+
+int add_signed_time(PKCS7_SIGNER_INFO *si)
+	{
+	ASN1_UTCTIME *sign_time;
+
+	/* The last parameter is the amount to add/subtract from the current
+	 * time (in seconds) */
+	sign_time=X509_gmtime_adj(NULL,0);
+	PKCS7_add_signed_attribute(si,NID_pkcs9_signingTime,
+		V_ASN1_UTCTIME,(char *)sign_time);
+	return(1);
+	}
+
+ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si)
+	{
+	ASN1_TYPE *so;
+
+	so=PKCS7_get_signed_attribute(si,NID_pkcs9_signingTime);
+	if (so->type == V_ASN1_UTCTIME)
+	    return so->value.utctime;
+	return NULL;
+	}
+	
+static int signed_string_nid= -1;
+
+void add_signed_string(PKCS7_SIGNER_INFO *si, char *str)
+	{
+	ASN1_OCTET_STRING *os;
+
+	/* To a an object of OID 1.2.3.4.5, which is an octet string */
+	if (signed_string_nid == -1)
+		signed_string_nid=
+			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+	os=ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
+	/* When we add, we do not free */
+	PKCS7_add_signed_attribute(si,signed_string_nid,
+		V_ASN1_OCTET_STRING,(char *)os);
+	}
+
+int get_signed_string(PKCS7_SIGNER_INFO *si, char *buf, int len)
+	{
+	ASN1_TYPE *so;
+	ASN1_OCTET_STRING *os;
+	int i;
+
+	if (signed_string_nid == -1)
+		signed_string_nid=
+			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+	/* To retrieve */
+	so=PKCS7_get_signed_attribute(si,signed_string_nid);
+	if (so != NULL)
+		{
+		if (so->type == V_ASN1_OCTET_STRING)
+			{
+			os=so->value.octet_string;
+			i=os->length;
+			if ((i+1) > len)
+				i=len-1;
+			memcpy(buf,os->data,i);
+			return(i);
+			}
+		}
+	return(0);
+	}
+
+static int signed_seq2string_nid= -1;
+/* ########################################### */
+int add_signed_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
+	{
+	/* To add an object of OID 1.9.999, which is a sequence containing
+	 * 2 octet strings */
+	unsigned char *p;
+	ASN1_OCTET_STRING *os1,*os2;
+	ASN1_STRING *seq;
+	unsigned char *data;
+	int i,total;
+
+	if (signed_seq2string_nid == -1)
+		signed_seq2string_nid=
+			OBJ_create("1.9.9999","OID_example","Our example OID");
+
+	os1=ASN1_OCTET_STRING_new();
+	os2=ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
+	i =i2d_ASN1_OCTET_STRING(os1,NULL);
+	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
+	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+
+	data=malloc(total);
+	p=data;
+	ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	i2d_ASN1_OCTET_STRING(os1,&p);
+	i2d_ASN1_OCTET_STRING(os2,&p);
+
+	seq=ASN1_STRING_new();
+	ASN1_STRING_set(seq,data,total);
+	free(data);
+	ASN1_OCTET_STRING_free(os1);
+	ASN1_OCTET_STRING_free(os2);
+
+	PKCS7_add_signed_attribute(si,signed_seq2string_nid,
+		V_ASN1_SEQUENCE,(char *)seq);
+	return(1);
+	}
+
+/* For this case, I will malloc the return strings */
+int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2)
+	{
+	ASN1_TYPE *so;
+
+	if (signed_seq2string_nid == -1)
+		signed_seq2string_nid=
+			OBJ_create("1.9.9999","OID_example","Our example OID");
+	/* To retrieve */
+	so=PKCS7_get_signed_attribute(si,signed_seq2string_nid);
+	if (so && (so->type == V_ASN1_SEQUENCE))
+		{
+		ASN1_CTX c;
+		ASN1_STRING *s;
+		long length;
+		ASN1_OCTET_STRING *os1,*os2;
+
+		s=so->value.sequence;
+		c.p=ASN1_STRING_data(s);
+		c.max=c.p+ASN1_STRING_length(s);
+		if (!asn1_GetSequence(&c,&length)) goto err;
+		/* Length is the length of the seqence */
+
+		c.q=c.p;
+		if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+			goto err;
+		c.slen-=(c.p-c.q);
+
+		c.q=c.p;
+		if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+			goto err;
+		c.slen-=(c.p-c.q);
+
+		if (!asn1_Finish(&c)) goto err;
+		*str1=malloc(os1->length+1);
+		*str2=malloc(os2->length+1);
+		memcpy(*str1,os1->data,os1->length);
+		memcpy(*str2,os2->data,os2->length);
+		(*str1)[os1->length]='\0';
+		(*str2)[os2->length]='\0';
+		ASN1_OCTET_STRING_free(os1);
+		ASN1_OCTET_STRING_free(os2);
+		return(1);
+		}
+err:
+	return(0);
+	}
+
+
+/* #######################################
+ * THE OTHER WAY TO DO THINGS
+ * #######################################
+ */
+X509_ATTRIBUTE *create_time(void)
+	{
+	ASN1_UTCTIME *sign_time;
+	X509_ATTRIBUTE *ret;
+
+	/* The last parameter is the amount to add/subtract from the current
+	 * time (in seconds) */
+	sign_time=X509_gmtime_adj(NULL,0);
+	ret=X509_ATTRIBUTE_create(NID_pkcs9_signingTime,
+		V_ASN1_UTCTIME,(char *)sign_time);
+	return(ret);
+	}
+
+ASN1_UTCTIME *sk_get_time(STACK_OF(X509_ATTRIBUTE) *sk)
+	{
+	ASN1_TYPE *so;
+	PKCS7_SIGNER_INFO si;
+
+	si.auth_attr=sk;
+	so=PKCS7_get_signed_attribute(&si,NID_pkcs9_signingTime);
+	if (so->type == V_ASN1_UTCTIME)
+	    return so->value.utctime;
+	return NULL;
+	}
+	
+X509_ATTRIBUTE *create_string(char *str)
+	{
+	ASN1_OCTET_STRING *os;
+	X509_ATTRIBUTE *ret;
+
+	/* To a an object of OID 1.2.3.4.5, which is an octet string */
+	if (signed_string_nid == -1)
+		signed_string_nid=
+			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+	os=ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
+	/* When we add, we do not free */
+	ret=X509_ATTRIBUTE_create(signed_string_nid,
+		V_ASN1_OCTET_STRING,(char *)os);
+	return(ret);
+	}
+
+int sk_get_string(STACK_OF(X509_ATTRIBUTE) *sk, char *buf, int len)
+	{
+	ASN1_TYPE *so;
+	ASN1_OCTET_STRING *os;
+	int i;
+	PKCS7_SIGNER_INFO si;
+
+	si.auth_attr=sk;
+
+	if (signed_string_nid == -1)
+		signed_string_nid=
+			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+	/* To retrieve */
+	so=PKCS7_get_signed_attribute(&si,signed_string_nid);
+	if (so != NULL)
+		{
+		if (so->type == V_ASN1_OCTET_STRING)
+			{
+			os=so->value.octet_string;
+			i=os->length;
+			if ((i+1) > len)
+				i=len-1;
+			memcpy(buf,os->data,i);
+			return(i);
+			}
+		}
+	return(0);
+	}
+
+X509_ATTRIBUTE *add_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
+	{
+	/* To add an object of OID 1.9.999, which is a sequence containing
+	 * 2 octet strings */
+	unsigned char *p;
+	ASN1_OCTET_STRING *os1,*os2;
+	ASN1_STRING *seq;
+	X509_ATTRIBUTE *ret;
+	unsigned char *data;
+	int i,total;
+
+	if (signed_seq2string_nid == -1)
+		signed_seq2string_nid=
+			OBJ_create("1.9.9999","OID_example","Our example OID");
+
+	os1=ASN1_OCTET_STRING_new();
+	os2=ASN1_OCTET_STRING_new();
+	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
+	i =i2d_ASN1_OCTET_STRING(os1,NULL);
+	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
+	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+
+	data=malloc(total);
+	p=data;
+	ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+	i2d_ASN1_OCTET_STRING(os1,&p);
+	i2d_ASN1_OCTET_STRING(os2,&p);
+
+	seq=ASN1_STRING_new();
+	ASN1_STRING_set(seq,data,total);
+	free(data);
+	ASN1_OCTET_STRING_free(os1);
+	ASN1_OCTET_STRING_free(os2);
+
+	ret=X509_ATTRIBUTE_create(signed_seq2string_nid,
+		V_ASN1_SEQUENCE,(char *)seq);
+	return(ret);
+	}
+
+/* For this case, I will malloc the return strings */
+int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2)
+	{
+	ASN1_TYPE *so;
+	PKCS7_SIGNER_INFO si;
+
+	if (signed_seq2string_nid == -1)
+		signed_seq2string_nid=
+			OBJ_create("1.9.9999","OID_example","Our example OID");
+
+	si.auth_attr=sk;
+	/* To retrieve */
+	so=PKCS7_get_signed_attribute(&si,signed_seq2string_nid);
+	if (so->type == V_ASN1_SEQUENCE)
+		{
+		ASN1_CTX c;
+		ASN1_STRING *s;
+		long length;
+		ASN1_OCTET_STRING *os1,*os2;
+
+		s=so->value.sequence;
+		c.p=ASN1_STRING_data(s);
+		c.max=c.p+ASN1_STRING_length(s);
+		if (!asn1_GetSequence(&c,&length)) goto err;
+		/* Length is the length of the seqence */
+
+		c.q=c.p;
+		if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+			goto err;
+		c.slen-=(c.p-c.q);
+
+		c.q=c.p;
+		if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+			goto err;
+		c.slen-=(c.p-c.q);
+
+		if (!asn1_Finish(&c)) goto err;
+		*str1=malloc(os1->length+1);
+		*str2=malloc(os2->length+1);
+		memcpy(*str1,os1->data,os1->length);
+		memcpy(*str2,os2->data,os2->length);
+		(*str1)[os1->length]='\0';
+		(*str2)[os2->length]='\0';
+		ASN1_OCTET_STRING_free(os1);
+		ASN1_OCTET_STRING_free(os2);
+		return(1);
+		}
+err:
+	return(0);
+	}
+
+
diff --git a/crypto/openssl/crypto/pkcs7/example.h b/crypto/openssl/crypto/pkcs7/example.h
new file mode 100644
index 0000000..96167de
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/example.h
@@ -0,0 +1,57 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+int add_signed_time(PKCS7_SIGNER_INFO *si);
+ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si);
+int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2);
diff --git a/crypto/openssl/crypto/pkcs7/info.pem b/crypto/openssl/crypto/pkcs7/info.pem
new file mode 100644
index 0000000..989baf8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/info.pem
@@ -0,0 +1,57 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/infokey.pem b/crypto/openssl/crypto/pkcs7/infokey.pem
new file mode 100644
index 0000000..1e2acc9
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/infokey.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/p7/a1 b/crypto/openssl/crypto/pkcs7/p7/a1
new file mode 100644
index 0000000..56ca943
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/p7/a1
@@ -0,0 +1,2 @@
+j,H>_æá_­DôzEîLœ	VJ³ß觬¤””E3ûáYäx%_Àk
+3ê)DLScñ8%ôM
\ No newline at end of file
diff --git a/crypto/openssl/crypto/pkcs7/p7/a2 b/crypto/openssl/crypto/pkcs7/p7/a2
new file mode 100644
index 0000000..23d8fb5
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/p7/a2
@@ -0,0 +1 @@
+k~@a”,NâM͹¼	
<O( KP—騠¤K²>­×U¿o_½
BqrmÎ?Ù t?t÷�Ï�éId2‰Š
\ No newline at end of file
diff --git a/crypto/openssl/crypto/pkcs7/p7/cert.p7c b/crypto/openssl/crypto/pkcs7/p7/cert.p7c
new file mode 100644
index 0000000..2b75ec0
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/p7/cert.p7c
diff --git a/crypto/openssl/crypto/pkcs7/p7/smime.p7m b/crypto/openssl/crypto/pkcs7/p7/smime.p7m
new file mode 100644
index 0000000..2b6e6f8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/p7/smime.p7m
diff --git a/crypto/openssl/crypto/pkcs7/p7/smime.p7s b/crypto/openssl/crypto/pkcs7/p7/smime.p7s
new file mode 100644
index 0000000..2b5d4fb
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/p7/smime.p7s
diff --git a/crypto/openssl/crypto/pkcs7/pk7_attr.c b/crypto/openssl/crypto/pkcs7/pk7_attr.c
new file mode 100644
index 0000000..3b9c0fe
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_attr.c
@@ -0,0 +1,85 @@
+/* pk7_attr.c */
+/* S/MIME code.
+ * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) 
+ * All Rights Reserved. 
+ * Redistribution of this code without the authors permission is expressly
+ * prohibited.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/err.h>
+
+int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap)
+{
+	ASN1_STRING *seq;
+	unsigned char *p, *pp;
+	int len;
+	len=i2d_ASN1_SET(cap,NULL,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+						V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	if(!(pp=(unsigned char *)Malloc(len))) {
+		PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	p=pp;
+	i2d_ASN1_SET(cap,&p,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+						V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	if(!(seq = ASN1_STRING_new())) {
+		PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if(!ASN1_STRING_set (seq, pp, len)) {
+		PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	Free (pp);
+        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+							V_ASN1_SEQUENCE, seq);
+}
+
+STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
+{
+	ASN1_TYPE *cap;
+	unsigned char *p;
+	cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
+	if (!cap) return NULL;
+	p = cap->value.sequence->data;
+	return d2i_ASN1_SET (NULL, &p, cap->value.sequence->length, 
+		(char *(*)())d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE,
+							 V_ASN1_UNIVERSAL);
+}
+
+/* Basic smime-capabilities OID and optional integer arg */
+int PKCS7_simple_smimecap(STACK *sk, int nid, int arg)
+{
+	X509_ALGOR *alg;
+	if(!(alg = X509_ALGOR_new())) {
+		PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	ASN1_OBJECT_free(alg->algorithm);
+	alg->algorithm = OBJ_nid2obj (nid);
+	if (arg > 0) {
+		ASN1_INTEGER *nbit;
+		if(!(alg->parameter = ASN1_TYPE_new())) {
+			PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if(!(nbit = ASN1_INTEGER_new())) {
+			PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if(!ASN1_INTEGER_set (nbit, arg)) {
+			PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		alg->parameter->value.integer = nbit;
+		alg->parameter->type = V_ASN1_INTEGER;
+	}
+	sk_push (sk, (char *)alg);
+	return 1;
+}
diff --git a/crypto/openssl/crypto/pkcs7/pk7_dgst.c b/crypto/openssl/crypto/pkcs7/pk7_dgst.c
new file mode 100644
index 0000000..90edfa5
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_dgst.c
@@ -0,0 +1,66 @@
+/* crypto/pkcs7/pk7_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+
diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c
new file mode 100644
index 0000000..4ab24a8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -0,0 +1,960 @@
+/* crypto/pkcs7/pk7_doit.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
+			 void *value);
+static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
+
+BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
+	{
+	int i,j;
+	BIO *out=NULL,*btmp=NULL;
+	X509_ALGOR *xa;
+	const EVP_MD *evp_md;
+	const EVP_CIPHER *evp_cipher=NULL;
+	STACK_OF(X509_ALGOR) *md_sk=NULL;
+	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+	X509_ALGOR *xalg=NULL;
+	PKCS7_RECIP_INFO *ri=NULL;
+	EVP_PKEY *pkey;
+
+	i=OBJ_obj2nid(p7->type);
+	p7->state=PKCS7_S_HEADER;
+
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		md_sk=p7->d.sign->md_algs;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		rsk=p7->d.signed_and_enveloped->recipientinfo;
+		md_sk=p7->d.signed_and_enveloped->md_algs;
+		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher;
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+						PKCS7_R_CIPHER_NOT_INITIALIZED);
+			goto err;
+			}
+		break;
+	case NID_pkcs7_enveloped:
+		rsk=p7->d.enveloped->recipientinfo;
+		xalg=p7->d.enveloped->enc_data->algorithm;
+		evp_cipher=p7->d.enveloped->enc_data->cipher;
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+						PKCS7_R_CIPHER_NOT_INITIALIZED);
+			goto err;
+			}
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+	        goto err;
+		}
+
+	if (md_sk != NULL)
+		{
+		for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
+			{
+			xa=sk_X509_ALGOR_value(md_sk,i);
+			if ((btmp=BIO_new(BIO_f_md())) == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
+				goto err;
+				}
+
+			j=OBJ_obj2nid(xa->algorithm);
+			evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
+			if (evp_md == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE);
+				goto err;
+				}
+
+			BIO_set_md(btmp,evp_md);
+			if (out == NULL)
+				out=btmp;
+			else
+				BIO_push(out,btmp);
+			btmp=NULL;
+			}
+		}
+
+	if (evp_cipher != NULL)
+		{
+		unsigned char key[EVP_MAX_KEY_LENGTH];
+		unsigned char iv[EVP_MAX_IV_LENGTH];
+		int keylen,ivlen;
+		int jj,max;
+		unsigned char *tmp;
+		EVP_CIPHER_CTX *ctx;
+
+		if ((btmp=BIO_new(BIO_f_cipher())) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
+			goto err;
+			}
+		BIO_get_cipher_ctx(btmp, &ctx);
+		keylen=EVP_CIPHER_key_length(evp_cipher);
+		ivlen=EVP_CIPHER_iv_length(evp_cipher);
+		if (RAND_bytes(key,keylen) <= 0)
+			goto err;
+		xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
+		if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
+		EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
+
+		if (ivlen > 0) {
+			if (xalg->parameter == NULL) 
+						xalg->parameter=ASN1_TYPE_new();
+			if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0)
+								       goto err;
+		}
+
+		/* Lets do the pub key stuff :-) */
+		max=0;
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
+			{
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+			if (ri->cert == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO);
+				goto err;
+				}
+			pkey=X509_get_pubkey(ri->cert);
+			jj=EVP_PKEY_size(pkey);
+			EVP_PKEY_free(pkey);
+			if (max < jj) max=jj;
+			}
+		if ((tmp=(unsigned char *)Malloc(max)) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
+			{
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+			pkey=X509_get_pubkey(ri->cert);
+			jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey);
+			EVP_PKEY_free(pkey);
+			if (jj <= 0)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_EVP_LIB);
+				Free(tmp);
+				goto err;
+				}
+			M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+			}
+		Free(tmp);
+		memset(key, 0, keylen);
+
+		if (out == NULL)
+			out=btmp;
+		else
+			BIO_push(out,btmp);
+		btmp=NULL;
+		}
+
+	if (bio == NULL) {
+		if (p7->detached)
+			bio=BIO_new(BIO_s_null());
+		else {
+			if (PKCS7_type_is_signed(p7) &&
+				PKCS7_type_is_data(p7->d.sign->contents)) {
+				ASN1_OCTET_STRING *os;
+				os=p7->d.sign->contents->d.data;
+				if (os->length > 0) bio = 
+					BIO_new_mem_buf(os->data, os->length);
+			} 
+			if(bio == NULL) {
+				bio=BIO_new(BIO_s_mem());
+				BIO_set_mem_eof_return(bio,0);
+			}
+		}
+	}
+	BIO_push(out,bio);
+	bio=NULL;
+	if (0)
+		{
+err:
+		if (out != NULL)
+			BIO_free_all(out);
+		if (btmp != NULL)
+			BIO_free_all(btmp);
+		out=NULL;
+		}
+	return(out);
+	}
+
+/* int */
+BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+	{
+	int i,j;
+	BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL;
+	unsigned char *tmp=NULL;
+	X509_ALGOR *xa;
+	ASN1_OCTET_STRING *data_body=NULL;
+	const EVP_MD *evp_md;
+	const EVP_CIPHER *evp_cipher=NULL;
+	EVP_CIPHER_CTX *evp_ctx=NULL;
+	X509_ALGOR *enc_alg=NULL;
+	STACK_OF(X509_ALGOR) *md_sk=NULL;
+	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+	X509_ALGOR *xalg=NULL;
+	PKCS7_RECIP_INFO *ri=NULL;
+#ifndef NO_RC2
+	char is_rc2 = 0;
+#endif
+/*	EVP_PKEY *pkey; */
+#if 0
+	X509_STORE_CTX s_ctx;
+#endif
+
+	i=OBJ_obj2nid(p7->type);
+	p7->state=PKCS7_S_HEADER;
+
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		data_body=p7->d.sign->contents->d.data;
+		md_sk=p7->d.sign->md_algs;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		rsk=p7->d.signed_and_enveloped->recipientinfo;
+		md_sk=p7->d.signed_and_enveloped->md_algs;
+		data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
+		enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+			goto err;
+			}
+		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		break;
+	case NID_pkcs7_enveloped:
+		rsk=p7->d.enveloped->recipientinfo;
+		enc_alg=p7->d.enveloped->enc_data->algorithm;
+		data_body=p7->d.enveloped->enc_data->enc_data;
+		evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+			goto err;
+			}
+		xalg=p7->d.enveloped->enc_data->algorithm;
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+	        goto err;
+		}
+
+	if(EVP_CIPHER_nid(evp_cipher) == NID_rc2_cbc)
+		{
+#ifndef NO_RC2		
+		is_rc2 = 1; 
+#else
+		PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+		goto err;
+#endif
+		}
+
+	/* We will be checking the signature */
+	if (md_sk != NULL)
+		{
+		for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
+			{
+			xa=sk_X509_ALGOR_value(md_sk,i);
+			if ((btmp=BIO_new(BIO_f_md())) == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
+				goto err;
+				}
+
+			j=OBJ_obj2nid(xa->algorithm);
+			evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
+			if (evp_md == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE);
+				goto err;
+				}
+
+			BIO_set_md(btmp,evp_md);
+			if (out == NULL)
+				out=btmp;
+			else
+				BIO_push(out,btmp);
+			btmp=NULL;
+			}
+		}
+
+	if (evp_cipher != NULL)
+		{
+#if 0
+		unsigned char key[EVP_MAX_KEY_LENGTH];
+		unsigned char iv[EVP_MAX_IV_LENGTH];
+		unsigned char *p;
+		int keylen,ivlen;
+		int max;
+		X509_OBJECT ret;
+#endif
+		int jj;
+
+		if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
+			goto err;
+			}
+
+		/* It was encrypted, we need to decrypt the secret key
+		 * with the private key */
+
+		/* Find the recipientInfo which matches the passed certificate
+		 * (if any)
+		 */
+
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+			if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,
+					pcert->cert_info->issuer) &&
+			     !M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
+					ri->issuer_and_serial->serial)) break;
+			ri=NULL;
+		}
+		if (ri == NULL) {
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+				 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
+			return(NULL);
+		}
+
+		jj=EVP_PKEY_size(pkey);
+		tmp=(unsigned char *)Malloc(jj+10);
+		if (tmp == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		jj=EVP_PKEY_decrypt(tmp, M_ASN1_STRING_data(ri->enc_key),
+			M_ASN1_STRING_length(ri->enc_key), pkey);
+		if (jj <= 0)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_EVP_LIB);
+			goto err;
+			}
+
+		evp_ctx=NULL;
+		BIO_get_cipher_ctx(etmp,&evp_ctx);
+		EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0);
+		if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
+			return(NULL);
+
+		if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) {
+			/* HACK: some S/MIME clients don't use the same key
+			 * and effective key length. The key length is
+			 * determined by the size of the decrypted RSA key.
+			 * So we hack things to manually set the RC2 key
+			 * because we currently can't do this with the EVP
+			 * interface.
+			 */
+#ifndef NO_RC2		
+			if(is_rc2) RC2_set_key(&(evp_ctx->c.rc2_ks),jj, tmp,
+					EVP_CIPHER_CTX_key_length(evp_ctx)*8);
+			else
+#endif
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+					PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
+				goto err;
+				}
+		} else EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
+
+		memset(tmp,0,jj);
+
+		if (out == NULL)
+			out=etmp;
+		else
+			BIO_push(out,etmp);
+		etmp=NULL;
+		}
+
+#if 1
+	if (p7->detached || (in_bio != NULL))
+		{
+		bio=in_bio;
+		}
+	else 
+		{
+#if 0
+		bio=BIO_new(BIO_s_mem());
+		/* We need to set this so that when we have read all
+		 * the data, the encrypt BIO, if present, will read
+		 * EOF and encode the last few bytes */
+		BIO_set_mem_eof_return(bio,0);
+
+		if (data_body->length > 0)
+			BIO_write(bio,(char *)data_body->data,data_body->length);
+#else
+		if (data_body->length > 0)
+		      bio = BIO_new_mem_buf(data_body->data,data_body->length);
+		else {
+			bio=BIO_new(BIO_s_mem());
+			BIO_set_mem_eof_return(bio,0);
+		}
+#endif
+		}
+	BIO_push(out,bio);
+	bio=NULL;
+#endif
+	if (0)
+		{
+err:
+		if (out != NULL) BIO_free_all(out);
+		if (btmp != NULL) BIO_free_all(btmp);
+		if (etmp != NULL) BIO_free_all(etmp);
+		if (bio != NULL) BIO_free_all(bio);
+		out=NULL;
+		}
+	if (tmp != NULL)
+		Free(tmp);
+	return(out);
+	}
+
+int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
+	{
+	int ret=0;
+	int i,j;
+	BIO *btmp;
+	BUF_MEM *buf_mem=NULL;
+	BUF_MEM *buf=NULL;
+	PKCS7_SIGNER_INFO *si;
+	EVP_MD_CTX *mdc,ctx_tmp;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
+	unsigned char *p,*pp=NULL;
+	int x;
+	ASN1_OCTET_STRING *os=NULL;
+
+	i=OBJ_obj2nid(p7->type);
+	p7->state=PKCS7_S_HEADER;
+
+	switch (i)
+		{
+	case NID_pkcs7_signedAndEnveloped:
+		/* XXXXXXXXXXXXXXXX */
+		si_sk=p7->d.signed_and_enveloped->signer_info;
+		os=M_ASN1_OCTET_STRING_new();
+		p7->d.signed_and_enveloped->enc_data->enc_data=os;
+		break;
+	case NID_pkcs7_enveloped:
+		/* XXXXXXXXXXXXXXXX */
+		os=M_ASN1_OCTET_STRING_new();
+		p7->d.enveloped->enc_data->enc_data=os;
+		break;
+	case NID_pkcs7_signed:
+		si_sk=p7->d.sign->signer_info;
+		os=p7->d.sign->contents->d.data;
+		/* If detached data then the content is excluded */
+		if(p7->detached) {
+			M_ASN1_OCTET_STRING_free(os);
+			p7->d.sign->contents->d.data = NULL;
+		}
+		break;
+		}
+
+	if (si_sk != NULL)
+		{
+		if ((buf=BUF_MEM_new()) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
+			goto err;
+			}
+		for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++)
+			{
+			si=sk_PKCS7_SIGNER_INFO_value(si_sk,i);
+			if (si->pkey == NULL) continue;
+
+			j=OBJ_obj2nid(si->digest_alg->algorithm);
+
+			btmp=bio;
+			for (;;)
+				{
+				if ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) 
+					== NULL)
+					{
+					PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+					goto err;
+					}
+				BIO_get_md_ctx(btmp,&mdc);
+				if (mdc == NULL)
+					{
+					PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);
+					goto err;
+					}
+				if (EVP_MD_CTX_type(mdc) == j)
+					break;
+				else
+					btmp=btmp->next_bio;
+				}
+			
+			/* We now have the EVP_MD_CTX, lets do the
+			 * signing. */
+			memcpy(&ctx_tmp,mdc,sizeof(ctx_tmp));
+			if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
+				goto err;
+				}
+
+			sk=si->auth_attr;
+
+			/* If there are attributes, we add the digest
+			 * attribute and only sign the attributes */
+			if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
+				{
+				unsigned char md_data[EVP_MAX_MD_SIZE];
+				unsigned int md_len;
+				ASN1_OCTET_STRING *digest;
+				ASN1_UTCTIME *sign_time;
+				const EVP_MD *md_tmp;
+
+				/* Add signing time */
+				sign_time=X509_gmtime_adj(NULL,0);
+				PKCS7_add_signed_attribute(si,
+					NID_pkcs9_signingTime,
+					V_ASN1_UTCTIME,sign_time);
+
+				/* Add digest */
+				md_tmp=EVP_MD_CTX_md(&ctx_tmp);
+				EVP_DigestFinal(&ctx_tmp,md_data,&md_len);
+				digest=M_ASN1_OCTET_STRING_new();
+				M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+				PKCS7_add_signed_attribute(si,
+					NID_pkcs9_messageDigest,
+					V_ASN1_OCTET_STRING,digest);
+
+				/* Now sign the mess */
+				EVP_SignInit(&ctx_tmp,md_tmp);
+				x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,
+					   i2d_X509_ATTRIBUTE,
+					   V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+				pp=(unsigned char *)Malloc(x);
+				p=pp;
+				i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,
+				           i2d_X509_ATTRIBUTE,
+					   V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+				EVP_SignUpdate(&ctx_tmp,pp,x);
+				Free(pp);
+				pp=NULL;
+				}
+
+			if (si->pkey->type == EVP_PKEY_DSA)
+				ctx_tmp.digest=EVP_dss1();
+
+			if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data,
+				(unsigned int *)&buf->length,si->pkey))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_EVP_LIB);
+				goto err;
+				}
+			if (!ASN1_STRING_set(si->enc_digest,
+				(unsigned char *)buf->data,buf->length))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_ASN1_LIB);
+				goto err;
+				}
+			}
+		}
+
+	if (!p7->detached)
+		{
+		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
+		if (btmp == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+			goto err;
+			}
+		BIO_get_mem_ptr(btmp,&buf_mem);
+		/* Mark the BIO read only then we can use its copy of the data
+		 * instead of making an extra copy.
+		 */
+		BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+		BIO_set_mem_eof_return(btmp, 0);
+		os->data = (unsigned char *)buf_mem->data;
+		os->length = buf_mem->length;
+#if 0
+		M_ASN1_OCTET_STRING_set(os,
+			(unsigned char *)buf_mem->data,buf_mem->length);
+#endif
+		}
+	if (pp != NULL) Free(pp);
+	pp=NULL;
+
+	ret=1;
+err:
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(ret);
+	}
+
+int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
+	     PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+	{
+	PKCS7_ISSUER_AND_SERIAL *ias;
+	int ret=0,i;
+	STACK_OF(X509) *cert;
+	X509 *x509;
+
+	if (PKCS7_type_is_signed(p7))
+		{
+		cert=p7->d.sign->cert;
+		}
+	else if (PKCS7_type_is_signedAndEnveloped(p7))
+		{
+		cert=p7->d.signed_and_enveloped->cert;
+		}
+	else
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE);
+		goto err;
+		}
+	/* XXXXXXXXXXXXXXXXXXXXXXX */
+	ias=si->issuer_and_serial;
+
+	x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial);
+
+	/* were we able to find the cert in passed to us */
+	if (x509 == NULL)
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
+		goto err;
+		}
+
+	/* Lets verify */
+	X509_STORE_CTX_init(ctx,cert_store,x509,cert);
+	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
+	i=X509_verify_cert(ctx);
+	if (i <= 0) 
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
+		X509_STORE_CTX_cleanup(ctx);
+		goto err;
+		}
+	X509_STORE_CTX_cleanup(ctx);
+
+	return PKCS7_signatureVerify(bio, p7, si, x509);
+	err:
+	return ret;
+	}
+
+int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+								X509 *x509)
+	{
+	ASN1_OCTET_STRING *os;
+	EVP_MD_CTX mdc_tmp,*mdc;
+	unsigned char *pp,*p;
+	int ret=0,i;
+	int md_type;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	BIO *btmp;
+	EVP_PKEY *pkey;
+
+	if (!PKCS7_type_is_signed(p7) && 
+				!PKCS7_type_is_signedAndEnveloped(p7)) {
+		PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+						PKCS7_R_WRONG_PKCS7_TYPE);
+		goto err;
+	}
+
+	md_type=OBJ_obj2nid(si->digest_alg->algorithm);
+
+	btmp=bio;
+	for (;;)
+		{
+		if ((btmp == NULL) ||
+			((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL))
+			{
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+					PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+			goto err;
+			}
+		BIO_get_md_ctx(btmp,&mdc);
+		if (mdc == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+							PKCS7_R_INTERNAL_ERROR);
+			goto err;
+			}
+		if (EVP_MD_CTX_type(mdc) == md_type)
+			break;
+		btmp=btmp->next_bio;	
+		}
+
+	/* mdc is the digest ctx that we want, unless there are attributes,
+	 * in which case the digest is the signed attributes */
+	memcpy(&mdc_tmp,mdc,sizeof(mdc_tmp));
+
+	sk=si->auth_attr;
+	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
+		{
+		unsigned char md_dat[EVP_MAX_MD_SIZE];
+                unsigned int md_len;
+		ASN1_OCTET_STRING *message_digest;
+
+		EVP_DigestFinal(&mdc_tmp,md_dat,&md_len);
+		message_digest=PKCS7_digest_from_attributes(sk);
+		if (!message_digest)
+			{
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+					PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+			goto err;
+			}
+		if ((message_digest->length != (int)md_len) ||
+			(memcmp(message_digest->data,md_dat,md_len)))
+			{
+#if 0
+{
+int ii;
+for (ii=0; ii<message_digest->length; ii++)
+	printf("%02X",message_digest->data[ii]); printf(" sent\n");
+for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
+}
+#endif
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+							PKCS7_R_DIGEST_FAILURE);
+			ret= -1;
+			goto err;
+			}
+
+		EVP_VerifyInit(&mdc_tmp,EVP_get_digestbynid(md_type));
+		/* Note: when forming the encoding of the attributes we
+		 * shouldn't reorder them or this will break the signature.
+		 * This is done by using the IS_SEQUENCE flag.
+		 */
+		i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE,
+			V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
+		pp=Malloc(i);
+		p=pp;
+		i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE,
+			V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
+		EVP_VerifyUpdate(&mdc_tmp,pp,i);
+
+		Free(pp);
+		}
+
+	os=si->enc_digest;
+	pkey = X509_get_pubkey(x509);
+	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
+
+	i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
+	EVP_PKEY_free(pkey);
+	if (i <= 0)
+		{
+		PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+						PKCS7_R_SIGNATURE_FAILURE);
+		ret= -1;
+		goto err;
+		}
+	else
+		ret=1;
+err:
+	return(ret);
+	}
+
+PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
+	{
+	STACK_OF(PKCS7_RECIP_INFO) *rsk;
+	PKCS7_RECIP_INFO *ri;
+	int i;
+
+	i=OBJ_obj2nid(p7->type);
+	if (i != NID_pkcs7_signedAndEnveloped) return(NULL);
+	rsk=p7->d.signed_and_enveloped->recipientinfo;
+	ri=sk_PKCS7_RECIP_INFO_value(rsk,0);
+	if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL);
+	ri=sk_PKCS7_RECIP_INFO_value(rsk,idx);
+	return(ri->issuer_and_serial);
+	}
+
+ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
+	{
+	return(get_attribute(si->auth_attr,nid));
+	}
+
+ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
+	{
+	return(get_attribute(si->unauth_attr,nid));
+	}
+
+static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
+	{
+	int i;
+	X509_ATTRIBUTE *xa;
+	ASN1_OBJECT *o;
+
+	o=OBJ_nid2obj(nid);
+	if (!o || !sk) return(NULL);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		xa=sk_X509_ATTRIBUTE_value(sk,i);
+		if (OBJ_cmp(xa->object,o) == 0)
+			{
+			if (xa->set && sk_ASN1_TYPE_num(xa->value.set))
+				return(sk_ASN1_TYPE_value(xa->value.set,0));
+			else
+				return(NULL);
+			}
+		}
+	return(NULL);
+	}
+
+ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+{
+	ASN1_TYPE *astype;
+	if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL;
+	return astype->value.octet_string;
+}
+
+int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
+				STACK_OF(X509_ATTRIBUTE) *sk)
+	{
+	int i;
+
+	if (p7si->auth_attr != NULL)
+		sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free);
+	p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr,i,
+			X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
+		    == NULL)
+			return(0);
+		}
+	return(1);
+	}
+
+int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
+	{
+	int i;
+
+	if (p7si->unauth_attr != NULL)
+		sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr,
+					   X509_ATTRIBUTE_free);
+	p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr,i,
+                        X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
+		    == NULL)
+			return(0);
+		}
+	return(1);
+	}
+
+int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	     void *value)
+	{
+	return(add_attribute(&(p7si->auth_attr),nid,atrtype,value));
+	}
+
+int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	     void *value)
+	{
+	return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value));
+	}
+
+static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
+			 void *value)
+	{
+	X509_ATTRIBUTE *attr=NULL;
+
+	if (*sk == NULL)
+		{
+		*sk = sk_X509_ATTRIBUTE_new(NULL);
+new_attrib:
+		attr=X509_ATTRIBUTE_create(nid,atrtype,value);
+		sk_X509_ATTRIBUTE_push(*sk,attr);
+		}
+	else
+		{
+		int i;
+
+		for (i=0; i<sk_X509_ATTRIBUTE_num(*sk); i++)
+			{
+			attr=sk_X509_ATTRIBUTE_value(*sk,i);
+			if (OBJ_obj2nid(attr->object) == nid)
+				{
+				X509_ATTRIBUTE_free(attr);
+				attr=X509_ATTRIBUTE_create(nid,atrtype,value);
+				sk_X509_ATTRIBUTE_set(*sk,i,attr);
+				goto end;
+				}
+			}
+		goto new_attrib;
+		}
+end:
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/pkcs7/pk7_enc.c b/crypto/openssl/crypto/pkcs7/pk7_enc.c
new file mode 100644
index 0000000..acbb189
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_enc.c
@@ -0,0 +1,76 @@
+/* crypto/pkcs7/pk7_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+
+PKCS7_in_bio(PKCS7 *p7,BIO *in);
+PKCS7_out_bio(PKCS7 *p7,BIO *out);
+
+PKCS7_add_signer(PKCS7 *p7,X509 *cert,EVP_PKEY *key);
+PKCS7_cipher(PKCS7 *p7,EVP_CIPHER *cipher);
+
+PKCS7_Init(PKCS7 *p7);
+PKCS7_Update(PKCS7 *p7);
+PKCS7_Finish(PKCS7 *p7);
+
diff --git a/crypto/openssl/crypto/pkcs7/pk7_lib.c b/crypto/openssl/crypto/pkcs7/pk7_lib.c
new file mode 100644
index 0000000..45973fe
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_lib.c
@@ -0,0 +1,469 @@
+/* crypto/pkcs7/pk7_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
+	{
+	int nid;
+	long ret;
+
+	nid=OBJ_obj2nid(p7->type);
+
+	switch (cmd)
+		{
+	case PKCS7_OP_SET_DETACHED_SIGNATURE:
+		if (nid == NID_pkcs7_signed)
+			{
+			ret=p7->detached=(int)larg;
+			}
+		else
+			{
+			PKCS7err(PKCS7_F_PKCS7_CTRL,PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
+			ret=0;
+			}
+		break;
+	case PKCS7_OP_GET_DETACHED_SIGNATURE:
+		if (nid == NID_pkcs7_signed)
+			{
+			ret=p7->detached;
+			}
+		else
+			{
+			PKCS7err(PKCS7_F_PKCS7_CTRL,PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
+			ret=0;
+			}
+			
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_CTRL,PKCS7_R_UNKNOWN_OPERATION);
+		ret=0;
+		}
+	return(ret);
+	}
+
+int PKCS7_content_new(PKCS7 *p7, int type)
+	{
+	PKCS7 *ret=NULL;
+
+	if ((ret=PKCS7_new()) == NULL) goto err;
+	if (!PKCS7_set_type(ret,type)) goto err;
+	if (!PKCS7_set_content(p7,ret)) goto err;
+
+	return(1);
+err:
+	if (ret != NULL) PKCS7_free(ret);
+	return(0);
+	}
+
+int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
+	{
+	int i;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		if (p7->d.sign->contents != NULL)
+			PKCS7_free(p7->d.sign->contents);
+		p7->d.sign->contents=p7_data;
+		break;
+	case NID_pkcs7_digest:
+	case NID_pkcs7_data:
+	case NID_pkcs7_enveloped:
+	case NID_pkcs7_signedAndEnveloped:
+	case NID_pkcs7_encrypted:
+	default:
+		PKCS7err(PKCS7_F_PKCS7_SET_CONTENT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+		goto err;
+		}
+	return(1);
+err:
+	return(0);
+	}
+
+int PKCS7_set_type(PKCS7 *p7, int type)
+	{
+	ASN1_OBJECT *obj;
+
+	PKCS7_content_free(p7);
+	obj=OBJ_nid2obj(type); /* will not fail */
+
+	switch (type)
+		{
+	case NID_pkcs7_signed:
+		p7->type=obj;
+		if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
+			goto err;
+		ASN1_INTEGER_set(p7->d.sign->version,1);
+		break;
+	case NID_pkcs7_data:
+		p7->type=obj;
+		if ((p7->d.data=M_ASN1_OCTET_STRING_new()) == NULL)
+			goto err;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		p7->type=obj;
+		if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+		break;
+	case NID_pkcs7_enveloped:
+		p7->type=obj;
+		if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.enveloped->version,0);
+		break;
+	case NID_pkcs7_encrypted:
+		p7->type=obj;
+		if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.encrypted->version,0);
+		break;
+
+	case NID_pkcs7_digest:
+	default:
+		PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+		goto err;
+		}
+	return(1);
+err:
+	return(0);
+	}
+
+int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
+	{
+	int i,j,nid;
+	X509_ALGOR *alg;
+	STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
+	STACK_OF(X509_ALGOR) *md_sk;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		signer_sk=	p7->d.sign->signer_info;
+		md_sk=		p7->d.sign->md_algs;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		signer_sk=	p7->d.signed_and_enveloped->signer_info;
+		md_sk=		p7->d.signed_and_enveloped->md_algs;
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,PKCS7_R_WRONG_CONTENT_TYPE);
+		return(0);
+		}
+
+	nid=OBJ_obj2nid(psi->digest_alg->algorithm);
+
+	/* If the digest is not currently listed, add it */
+	j=0;
+	for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
+		{
+		alg=sk_X509_ALGOR_value(md_sk,i);
+		if (OBJ_obj2nid(alg->algorithm) == nid)
+			{
+			j=1;
+			break;
+			}
+		}
+	if (!j) /* we need to add another algorithm */
+		{
+		if(!(alg=X509_ALGOR_new())
+			|| !(alg->parameter = ASN1_TYPE_new())) {
+			PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE);
+			return(0);
+		}
+		alg->algorithm=OBJ_nid2obj(nid);
+		alg->parameter->type = V_ASN1_NULL;
+		sk_X509_ALGOR_push(md_sk,alg);
+		}
+
+	sk_PKCS7_SIGNER_INFO_push(signer_sk,psi);
+	return(1);
+	}
+
+int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
+	{
+	int i;
+	STACK_OF(X509) **sk;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		sk= &(p7->d.sign->cert);
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		sk= &(p7->d.signed_and_enveloped->cert);
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,PKCS7_R_WRONG_CONTENT_TYPE);
+		return(0);
+		}
+
+	if (*sk == NULL)
+		*sk=sk_X509_new_null();
+	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+	sk_X509_push(*sk,x509);
+	return(1);
+	}
+
+int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
+	{
+	int i;
+	STACK_OF(X509_CRL) **sk;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		sk= &(p7->d.sign->crl);
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		sk= &(p7->d.signed_and_enveloped->crl);
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_ADD_CRL,PKCS7_R_WRONG_CONTENT_TYPE);
+		return(0);
+		}
+
+	if (*sk == NULL)
+		*sk=sk_X509_CRL_new_null();
+
+	CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL);
+	sk_X509_CRL_push(*sk,crl);
+	return(1);
+	}
+
+int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
+	     EVP_MD *dgst)
+	{
+	char is_dsa;
+	if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
+	else is_dsa = 0;
+	/* We now need to add another PKCS7_SIGNER_INFO entry */
+	ASN1_INTEGER_set(p7i->version,1);
+	X509_NAME_set(&p7i->issuer_and_serial->issuer,
+		X509_get_issuer_name(x509));
+
+	/* because ASN1_INTEGER_set is used to set a 'long' we will do
+	 * things the ugly way. */
+	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+	p7i->issuer_and_serial->serial=
+		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+
+	/* lets keep the pkey around for a while */
+	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
+	p7i->pkey=pkey;
+
+	/* Set the algorithms */
+	if (is_dsa) p7i->digest_alg->algorithm=OBJ_nid2obj(NID_sha1);
+	else	
+		p7i->digest_alg->algorithm=OBJ_nid2obj(EVP_MD_type(dgst));
+
+	if (p7i->digest_alg->parameter != NULL)
+		ASN1_TYPE_free(p7i->digest_alg->parameter);
+	if ((p7i->digest_alg->parameter=ASN1_TYPE_new()) == NULL)
+		goto err;
+	p7i->digest_alg->parameter->type=V_ASN1_NULL;
+
+	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
+
+	if (p7i->digest_enc_alg->parameter != NULL)
+		ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
+	if(is_dsa) p7i->digest_enc_alg->parameter = NULL;
+	else {
+		if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
+			goto err;
+		p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
+	}
+
+	return(1);
+err:
+	return(0);
+	}
+
+PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
+	     EVP_MD *dgst)
+	{
+	PKCS7_SIGNER_INFO *si;
+
+	if ((si=PKCS7_SIGNER_INFO_new()) == NULL) goto err;
+	if (!PKCS7_SIGNER_INFO_set(si,x509,pkey,dgst)) goto err;
+	if (!PKCS7_add_signer(p7,si)) goto err;
+	return(si);
+err:
+	return(NULL);
+	}
+
+STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
+	{
+	if (PKCS7_type_is_signed(p7))
+		{
+		return(p7->d.sign->signer_info);
+		}
+	else if (PKCS7_type_is_signedAndEnveloped(p7))
+		{
+		return(p7->d.signed_and_enveloped->signer_info);
+		}
+	else
+		return(NULL);
+	}
+
+PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
+	{
+	PKCS7_RECIP_INFO *ri;
+
+	if ((ri=PKCS7_RECIP_INFO_new()) == NULL) goto err;
+	if (!PKCS7_RECIP_INFO_set(ri,x509)) goto err;
+	if (!PKCS7_add_recipient_info(p7,ri)) goto err;
+	return(ri);
+err:
+	return(NULL);
+	}
+
+int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
+	{
+	int i;
+	STACK_OF(PKCS7_RECIP_INFO) *sk;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signedAndEnveloped:
+		sk=	p7->d.signed_and_enveloped->recipientinfo;
+		break;
+	case NID_pkcs7_enveloped:
+		sk=	p7->d.enveloped->recipientinfo;
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,PKCS7_R_WRONG_CONTENT_TYPE);
+		return(0);
+		}
+
+	sk_PKCS7_RECIP_INFO_push(sk,ri);
+	return(1);
+	}
+
+int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
+	{
+	ASN1_INTEGER_set(p7i->version,0);
+	X509_NAME_set(&p7i->issuer_and_serial->issuer,
+		X509_get_issuer_name(x509));
+
+	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+	p7i->issuer_and_serial->serial=
+		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+
+	X509_ALGOR_free(p7i->key_enc_algor);
+	p7i->key_enc_algor=(X509_ALGOR *)ASN1_dup(i2d_X509_ALGOR,
+		(char *(*)())d2i_X509_ALGOR,
+		(char *)x509->cert_info->key->algor);
+
+	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+	p7i->cert=x509;
+
+	return(1);
+	}
+
+X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+	{
+	if (PKCS7_type_is_signed(p7))
+		return(X509_find_by_issuer_and_serial(p7->d.sign->cert,
+			si->issuer_and_serial->issuer,
+			si->issuer_and_serial->serial));
+	else
+		return(NULL);
+	}
+
+int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
+	{
+	int i;
+	ASN1_OBJECT *objtmp;
+	PKCS7_ENC_CONTENT *ec;
+
+	i=OBJ_obj2nid(p7->type);
+	switch (i)
+		{
+	case NID_pkcs7_signedAndEnveloped:
+		ec=p7->d.signed_and_enveloped->enc_data;
+		break;
+	case NID_pkcs7_enveloped:
+		ec=p7->d.enveloped->enc_data;
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_WRONG_CONTENT_TYPE);
+		return(0);
+		}
+
+	/* Check cipher OID exists and has data in it*/
+	i = EVP_CIPHER_type(cipher);
+	if(i == NID_undef) {
+		PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
+		return(0);
+	}
+	objtmp = OBJ_nid2obj(i);
+
+	ec->cipher = cipher;
+	return 1;
+	}
+
diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c
new file mode 100644
index 0000000..734643b
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c
@@ -0,0 +1,673 @@
+/* pk7_mime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+/* MIME and related routines */
+
+/* MIME format structures
+ * Note that all are translated to lower case apart from
+ * parameter values. Quotes are stripped off
+ */
+
+typedef struct {
+char *name;				/* Name of line e.g. "content-type" */
+char *value;				/* Value of line e.g. "text/plain" */
+STACK /* MIME_PARAM */ *params;		/* Zero or more parameters */
+} MIME_HEADER;
+
+typedef struct {
+char *param_name;			/* Param name e.g. "micalg" */
+char *param_value;			/* Param value e.g. "sha1" */
+} MIME_PARAM;
+
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7);
+static PKCS7 *B64_read_PKCS7(BIO *bio);
+static char * strip_ends(char *name);
+static char * strip_start(char *name);
+static char * strip_end(char *name);
+static MIME_HEADER *mime_hdr_new(char *name, char *value);
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value);
+static STACK *mime_parse_hdr(BIO *bio);
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b);
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b);
+static void mime_param_free(MIME_PARAM *param);
+static int mime_bound_check(char *line, int linelen, char *bound, int blen);
+static int multi_split(BIO *bio, char *bound, STACK **ret);
+static int iscrlf(char c);
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name);
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
+static void mime_hdr_free(MIME_HEADER *hdr);
+
+#define MAX_SMLEN 1024
+#define mime_debug(x) /* x */
+
+
+typedef void (*stkfree)();
+
+/* Base 64 read and write of PKCS#7 structure */
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7)
+{
+	BIO *b64;
+	if(!(b64 = BIO_new(BIO_f_base64()))) {
+		PKCS7err(PKCS7_F_B64_WRITE_PKCS7,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	bio = BIO_push(b64, bio);
+	i2d_PKCS7_bio(bio, p7);
+	BIO_flush(bio);
+	bio = BIO_pop(bio);
+	BIO_free(b64);
+	return 1;
+}
+
+static PKCS7 *B64_read_PKCS7(BIO *bio)
+{
+	BIO *b64;
+	PKCS7 *p7;
+	if(!(b64 = BIO_new(BIO_f_base64()))) {
+		PKCS7err(PKCS7_F_B64_READ_PKCS7,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	bio = BIO_push(b64, bio);
+	if(!(p7 = d2i_PKCS7_bio(bio, NULL))) 
+		PKCS7err(PKCS7_F_B64_READ_PKCS7,PKCS7_R_DECODE_ERROR);
+	BIO_flush(bio);
+	bio = BIO_pop(bio);
+	BIO_free(b64);
+	return p7;
+}
+
+/* SMIME sender */
+
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+{
+	char linebuf[MAX_SMLEN];
+	char bound[33], c;
+	int i;
+	if((flags & PKCS7_DETACHED) && data) {
+	/* We want multipart/signed */
+		/* Generate a random boundary */
+		RAND_pseudo_bytes((unsigned char *)bound, 32);
+		for(i = 0; i < 32; i++) {
+			c = bound[i] & 0xf;
+			if(c < 10) c += '0';
+			else c += 'A' - 10;
+			bound[i] = c;
+		}
+		bound[32] = 0;
+		BIO_printf(bio, "MIME-Version: 1.0\n");
+		BIO_printf(bio, "Content-Type: multipart/signed ; ");
+		BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
+		BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
+		BIO_printf(bio, "This is an S/MIME signed message\n\n");
+		/* Now write out the first part */
+		BIO_printf(bio, "------%s\r\n", bound);
+		if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
+		while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) 
+						BIO_write(bio, linebuf, i);
+		BIO_printf(bio, "\n------%s\n", bound);
+
+		/* Headers for signature */
+
+		BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
+		BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
+		BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+		B64_write_PKCS7(bio, p7);
+		BIO_printf(bio,"\n------%s--\n\n", bound);
+		return 1;
+	}
+	/* MIME headers */
+	BIO_printf(bio, "MIME-Version: 1.0\n");
+	BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
+	BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
+	BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+	B64_write_PKCS7(bio, p7);
+	BIO_printf(bio, "\n");
+	return 1;
+}
+
+/* SMIME reader: handle multipart/signed and opaque signing.
+ * in multipart case the content is placed in a memory BIO
+ * pointed to by "bcont". In opaque this is set to NULL
+ */
+
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont)
+{
+	BIO *p7in;
+	STACK *headers = NULL;
+	STACK *parts = NULL;
+	MIME_HEADER *hdr;
+	MIME_PARAM *prm;
+	PKCS7 *p7;
+	int ret;
+
+	if(bcont) *bcont = NULL;
+
+	if (!(headers = mime_parse_hdr(bio))) {
+		PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_PARSE_ERROR);
+		return NULL;
+	}
+
+	if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+		sk_pop_free(headers, mime_hdr_free);
+		PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_CONTENT_TYPE);
+		return NULL;
+	}
+
+	/* Handle multipart/signed */
+
+	if(!strcmp(hdr->value, "multipart/signed")) {
+		/* Split into two parts */
+		prm = mime_param_find(hdr, "boundary");
+		if(!prm || !prm->param_value) {
+			sk_pop_free(headers, mime_hdr_free);
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BOUNDARY);
+			return NULL;
+		}
+		ret = multi_split(bio, prm->param_value, &parts);
+		sk_pop_free(headers, mime_hdr_free);
+		if(!ret || (sk_num(parts) != 2) ) {
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BODY_FAILURE);
+			sk_pop_free(parts, (stkfree)BIO_free);
+			return NULL;
+		}
+
+		/* Parse the signature piece */
+		p7in = (BIO *)sk_value(parts, 1);
+
+		if (!(headers = mime_parse_hdr(p7in))) {
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_SIG_PARSE_ERROR);
+			sk_pop_free(parts, (stkfree)BIO_free);
+			return NULL;
+		}
+
+		/* Get content type */
+
+		if(!(hdr = mime_hdr_find(headers, "content-type")) ||
+								 !hdr->value) {
+			sk_pop_free(headers, mime_hdr_free);
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_SIG_CONTENT_TYPE);
+			return NULL;
+		}
+
+		if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
+			strcmp(hdr->value, "application/pkcs7-signature")) {
+			sk_pop_free(headers, mime_hdr_free);
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
+			ERR_add_error_data(2, "type: ", hdr->value);
+			sk_pop_free(parts, (stkfree)BIO_free);
+			return NULL;
+		}
+		sk_pop_free(headers, mime_hdr_free);
+		/* Read in PKCS#7 */
+		if(!(p7 = B64_read_PKCS7(p7in))) {
+			PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_PKCS7_SIG_PARSE_ERROR);
+			sk_pop_free(parts, (stkfree)BIO_free);
+			return NULL;
+		}
+
+		if(bcont) {
+			*bcont = (BIO *)sk_value(parts, 0);
+			BIO_free(p7in);
+			sk_free(parts);
+		} else sk_pop_free(parts, (stkfree)BIO_free);
+		return p7;
+	}
+		
+	/* OK, if not multipart/signed try opaque signature */
+
+	if (strcmp (hdr->value, "application/x-pkcs7-mime") &&
+	    strcmp (hdr->value, "application/pkcs7-mime")) {
+		PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_INVALID_MIME_TYPE);
+		ERR_add_error_data(2, "type: ", hdr->value);
+		sk_pop_free(headers, mime_hdr_free);
+		return NULL;
+	}
+
+	sk_pop_free(headers, mime_hdr_free);
+	
+	if(!(p7 = B64_read_PKCS7(bio))) {
+		PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_PKCS7_PARSE_ERROR);
+		return NULL;
+	}
+	return p7;
+
+}
+
+/* Copy text from one BIO to another making the output CRLF at EOL */
+int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
+{
+	char eol;
+	int len;
+	char linebuf[MAX_SMLEN];
+	if(flags & PKCS7_BINARY) {
+		while((len = BIO_read(in, linebuf, MAX_SMLEN)) > 0)
+						BIO_write(out, linebuf, len);
+		return 1;
+	}
+	if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
+	while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
+		eol = 0;
+		while(iscrlf(linebuf[len - 1])) {
+			len--;
+			eol = 1;
+		}	
+		BIO_write(out, linebuf, len);
+		if(eol) BIO_write(out, "\r\n", 2);
+	}
+	return 1;
+}
+
+/* Strip off headers if they are text/plain */
+int SMIME_text(BIO *in, BIO *out)
+{
+	char iobuf[4096];
+	int len;
+	STACK *headers;
+	MIME_HEADER *hdr;
+	if (!(headers = mime_parse_hdr(in))) {
+		PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_PARSE_ERROR);
+		return 0;
+	}
+	if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+		PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_NO_CONTENT_TYPE);
+		sk_pop_free(headers, mime_hdr_free);
+		return 0;
+	}
+	if (strcmp (hdr->value, "text/plain")) {
+		PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_INVALID_MIME_TYPE);
+		ERR_add_error_data(2, "type: ", hdr->value);
+		sk_pop_free(headers, mime_hdr_free);
+		return 0;
+	}
+	sk_pop_free(headers, mime_hdr_free);
+	while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
+						BIO_write(out, iobuf, len);
+	return 1;
+}
+
+/* Split a multipart/XXX message body into component parts: result is
+ * canonical parts in a STACK of bios
+ */
+
+static int multi_split(BIO *bio, char *bound, STACK **ret)
+{
+	char linebuf[MAX_SMLEN];
+	int len, blen;
+	BIO *bpart = NULL;
+	STACK *parts;
+	char state, part, first;
+	blen = strlen(bound);
+	part = 0;
+	state = 0;
+	first = 1;
+	parts = sk_new(NULL);
+	*ret = parts;
+	while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+		state = mime_bound_check(linebuf, len, bound, blen);
+		if(state == 1) {
+			first = 1;
+			part++;
+		} else if(state == 2) {
+			sk_push(parts, (char *)bpart);
+			return 1;
+		} else if(part) {
+			if(first) {
+				first = 0;
+				if(bpart) sk_push(parts, (char *)bpart);
+				bpart = BIO_new(BIO_s_mem());
+				
+			} else BIO_write(bpart, "\r\n", 2);
+			/* Strip CR+LF from linebuf */
+			while(iscrlf(linebuf[len - 1])) len--;
+			BIO_write(bpart, linebuf, len);
+		}
+	}
+	return 0;
+}
+
+static int iscrlf(char c)
+{
+	if(c == '\r' || c == '\n') return 1;
+	return 0;
+}
+
+/* This is the big one: parse MIME header lines up to message body */
+
+#define MIME_INVALID	0
+#define MIME_START	1
+#define MIME_TYPE	2
+#define MIME_NAME	3
+#define MIME_VALUE	4
+#define MIME_QUOTE	5
+#define MIME_COMMENT	6
+
+
+static STACK *mime_parse_hdr(BIO *bio)
+{
+	char *p, *q, c;
+	char *ntmp;
+	char linebuf[MAX_SMLEN];
+	MIME_HEADER *mhdr = NULL;
+	STACK *headers;
+	int len, state, save_state = 0;
+	headers = sk_new(mime_hdr_cmp);
+	while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+	/* If whitespace at line start then continuation line */
+	if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
+	else state = MIME_START;
+	ntmp = NULL;
+	/* Go through all characters */
+	for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+	/* State machine to handle MIME headers
+	 * if this looks horrible that's because it *is*
+         */
+
+		switch(state) {
+			case MIME_START:
+			if(c == ':') {
+				state = MIME_TYPE;
+				*p = 0;
+				ntmp = strip_ends(q);
+				q = p + 1;
+			}
+			break;
+
+			case MIME_TYPE:
+			if(c == ';') {
+				mime_debug("Found End Value\n");
+				*p = 0;
+				mhdr = mime_hdr_new(ntmp, strip_ends(q));
+				sk_push(headers, (char *)mhdr);
+				ntmp = NULL;
+				q = p + 1;
+				state = MIME_NAME;
+			} else if(c == '(') {
+				save_state = state;
+				state = MIME_COMMENT;
+			}
+			break;
+
+			case MIME_COMMENT:
+			if(c == ')') {
+				state = save_state;
+			}
+			break;
+
+			case MIME_NAME:
+			if(c == '=') {
+				state = MIME_VALUE;
+				*p = 0;
+				ntmp = strip_ends(q);
+				q = p + 1;
+			}
+			break ;
+
+			case MIME_VALUE:
+			if(c == ';') {
+				state = MIME_NAME;
+				*p = 0;
+				mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+				ntmp = NULL;
+				q = p + 1;
+			} else if (c == '"') {
+				mime_debug("Found Quote\n");
+				state = MIME_QUOTE;
+			} else if(c == '(') {
+				save_state = state;
+				state = MIME_COMMENT;
+			}
+			break;
+
+			case MIME_QUOTE:
+			if(c == '"') {
+				mime_debug("Found Match Quote\n");
+				state = MIME_VALUE;
+			}
+			break;
+		}
+	}
+
+	if(state == MIME_TYPE) {
+		mhdr = mime_hdr_new(ntmp, strip_ends(q));
+		sk_push(headers, (char *)mhdr);
+	} else if(state == MIME_VALUE)
+			 mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+	if(p == linebuf) break;	/* Blank line means end of headers */
+}
+
+return headers;
+
+}
+
+static char *strip_ends(char *name)
+{
+	return strip_end(strip_start(name));
+}
+
+/* Strip a parameter of whitespace from start of param */
+static char *strip_start(char *name)
+{
+	char *p, c;
+	/* Look for first non white space or quote */
+	for(p = name; (c = *p) ;p++) {
+		if(c == '"') {
+			/* Next char is start of string if non null */
+			if(p[1]) return p + 1;
+			/* Else null string */
+			return NULL;
+		}
+		if(!isspace((unsigned char)c)) return p;
+	}
+	return NULL;
+}
+
+/* As above but strip from end of string : maybe should handle brackets? */
+static char *strip_end(char *name)
+{
+	char *p, c;
+	if(!name) return NULL;
+	/* Look for first non white space or quote */
+	for(p = name + strlen(name) - 1; p >= name ;p--) {
+		c = *p;
+		if(c == '"') {
+			if(p - 1 == name) return NULL;
+			*p = 0;
+			return name;
+		}
+		if(isspace((unsigned char)c)) *p = 0;	
+		else return name;
+	}
+	return NULL;
+}
+
+static MIME_HEADER *mime_hdr_new(char *name, char *value)
+{
+	MIME_HEADER *mhdr;
+	char *tmpname, *tmpval, *p;
+	int c;
+	if(name) {
+		if(!(tmpname = BUF_strdup(name))) return NULL;
+		for(p = tmpname ; *p; p++) {
+			c = *p;
+			if(isupper(c)) {
+				c = tolower(c);
+				*p = c;
+			}
+		}
+	} else tmpname = NULL;
+	if(value) {
+		if(!(tmpval = BUF_strdup(value))) return NULL;
+		for(p = tmpval ; *p; p++) {
+			c = *p;
+			if(isupper(c)) {
+				c = tolower(c);
+				*p = c;
+			}
+		}
+	} else tmpval = NULL;
+	mhdr = (MIME_HEADER *) Malloc(sizeof(MIME_HEADER));
+	if(!mhdr) return NULL;
+	mhdr->name = tmpname;
+	mhdr->value = tmpval;
+	if(!(mhdr->params = sk_new(mime_param_cmp))) return NULL;
+	return mhdr;
+}
+		
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
+{
+	char *tmpname, *tmpval, *p;
+	int c;
+	MIME_PARAM *mparam;
+	if(name) {
+		tmpname = BUF_strdup(name);
+		if(!tmpname) return 0;
+		for(p = tmpname ; *p; p++) {
+			c = *p;
+			if(isupper(c)) {
+				c = tolower(c);
+				*p = c;
+			}
+		}
+	} else tmpname = NULL;
+	if(value) {
+		tmpval = BUF_strdup(value);
+		if(!tmpval) return 0;
+	} else tmpval = NULL;
+	/* Parameter values are case sensitive so leave as is */
+	mparam = (MIME_PARAM *) Malloc(sizeof(MIME_PARAM));
+	if(!mparam) return 0;
+	mparam->param_name = tmpname;
+	mparam->param_value = tmpval;
+	sk_push(mhdr->params, (char *)mparam);
+	return 1;
+}
+
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b)
+{
+	return(strcmp((*a)->name, (*b)->name));
+}
+
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b)
+{
+	return(strcmp((*a)->param_name, (*b)->param_name));
+}
+
+/* Find a header with a given name (if possible) */
+
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name)
+{
+	MIME_HEADER htmp;
+	int idx;
+	htmp.name = name;
+	idx = sk_find(hdrs, (char *)&htmp);
+	if(idx < 0) return NULL;
+	return (MIME_HEADER *)sk_value(hdrs, idx);
+}
+
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name)
+{
+	MIME_PARAM param;
+	int idx;
+	param.param_name = name;
+	idx = sk_find(hdr->params, (char *)&param);
+	if(idx < 0) return NULL;
+	return (MIME_PARAM *)sk_value(hdr->params, idx);
+}
+
+static void mime_hdr_free(MIME_HEADER *hdr)
+{
+	if(hdr->name) Free(hdr->name);
+	if(hdr->value) Free(hdr->value);
+	if(hdr->params) sk_pop_free(hdr->params, mime_param_free);
+	Free(hdr);
+}
+
+static void mime_param_free(MIME_PARAM *param)
+{
+	if(param->param_name) Free(param->param_name);
+	if(param->param_value) Free(param->param_value);
+	Free(param);
+}
+
+/* Check for a multipart boundary. Returns:
+ * 0 : no boundary
+ * 1 : part boundary
+ * 2 : final boundary
+ */
+static int mime_bound_check(char *line, int linelen, char *bound, int blen)
+{
+	if(linelen == -1) linelen = strlen(line);
+	if(blen == -1) blen = strlen(bound);
+	/* Quickly eliminate if line length too short */
+	if(blen + 2 > linelen) return 0;
+	/* Check for part boundary */
+	if(!strncmp(line, "--", 2) && !strncmp(line + 2, bound, blen)) {
+		if(!strncmp(line + blen + 2, "--", 2)) return 2;
+		else return 1;
+	}
+	return 0;
+}
diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c
new file mode 100644
index 0000000..b41f42e
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c
@@ -0,0 +1,427 @@
+/* pk7_smime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple PKCS#7 processing functions */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+							BIO *data, int flags)
+{
+	PKCS7 *p7;
+	PKCS7_SIGNER_INFO *si;
+	BIO *p7bio;
+	STACK *smcap;
+	int i;
+
+	if(!X509_check_private_key(signcert, pkey)) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                return NULL;
+	}
+
+	if(!(p7 = PKCS7_new())) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	PKCS7_set_type(p7, NID_pkcs7_signed);
+
+	PKCS7_content_new(p7, NID_pkcs7_data);
+
+    	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+		return NULL;
+	}
+
+	if(!(flags & PKCS7_NOCERTS)) {
+		PKCS7_add_certificate(p7, signcert);
+		if(certs) for(i = 0; i < sk_X509_num(certs); i++)
+			PKCS7_add_certificate(p7, sk_X509_value(certs, i));
+	}
+
+	if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+
+	SMIME_crlf_copy(data, p7bio, flags);
+
+	if(!(flags & PKCS7_NOATTR)) {
+		PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
+				V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
+		/* Add SMIMECapabilities */
+		if(!(smcap = sk_new(NULL))) {
+			PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+#ifndef NO_DES
+		PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1);
+#endif
+#ifndef NO_RC2
+		PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128);
+		PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64);
+#endif
+#ifndef NO_DES
+		PKCS7_simple_smimecap (smcap, NID_des_cbc, -1);
+#endif
+#ifndef NO_RC2
+		PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40);
+#endif
+		PKCS7_add_attrib_smimecap (si, smcap);
+		sk_pop_free(smcap, X509_ALGOR_free);
+	}
+
+	if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
+		return NULL;
+	}
+
+        BIO_free_all(p7bio);
+	return p7;
+}
+
+int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+					BIO *indata, BIO *out, int flags)
+{
+	STACK_OF(X509) *signers;
+	X509 *signer;
+	STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+	PKCS7_SIGNER_INFO *si;
+	X509_STORE_CTX cert_ctx;
+	char buf[4096];
+	int i, j=0;
+	BIO *p7bio;
+	BIO *tmpout;
+
+	if(!p7) {
+		PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
+		return 0;
+	}
+
+	if(!PKCS7_type_is_signed(p7)) {
+		PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_WRONG_CONTENT_TYPE);
+		return 0;
+	}
+
+	/* Check for no data and no content: no data to verify signature */
+	if(PKCS7_get_detached(p7) && !indata) {
+		PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_CONTENT);
+		return 0;
+	}
+
+	/* Check for data and content: two sets of data */
+	if(!PKCS7_get_detached(p7) && indata) {
+				PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CONTENT_AND_DATA_PRESENT);
+		return 0;
+	}
+
+	sinfos = PKCS7_get_signer_info(p7);
+
+	if(!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) {
+		PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_SIGNATURES_ON_DATA);
+		return 0;
+	}
+
+
+	signers = PKCS7_get0_signers(p7, certs, flags);
+
+	if(!signers) return 0;
+
+	/* Now verify the certificates */
+
+	if (!(flags & PKCS7_NOVERIFY)) for (i = 0; i < sk_X509_num(signers); i++) {
+		signer = sk_X509_value (signers, i);
+		if (!(flags & PKCS7_NOCHAIN)) {
+			X509_STORE_CTX_init(&cert_ctx, store, signer,
+							p7->d.sign->cert);
+			X509_STORE_CTX_set_purpose(&cert_ctx,
+						X509_PURPOSE_SMIME_SIGN);
+		} else X509_STORE_CTX_init (&cert_ctx, store, signer, NULL);
+		i = X509_verify_cert(&cert_ctx);
+		if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
+		X509_STORE_CTX_cleanup(&cert_ctx);
+		if (i <= 0) {
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
+			ERR_add_error_data(2, "Verify error:",
+					 X509_verify_cert_error_string(j));
+			sk_X509_free(signers);
+			return 0;
+		}
+		/* Check for revocation status here */
+	}
+
+	p7bio=PKCS7_dataInit(p7,indata);
+
+	if(flags & PKCS7_TEXT) {
+		if(!(tmpout = BIO_new(BIO_s_mem()))) {
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+	} else tmpout = out;
+
+	/* We now have to 'read' from p7bio to calculate digests etc. */
+	for (;;)
+	{
+		i=BIO_read(p7bio,buf,sizeof(buf));
+		if (i <= 0) break;
+		if (tmpout) BIO_write(tmpout, buf, i);
+	}
+
+	if(flags & PKCS7_TEXT) {
+		if(!SMIME_text(tmpout, out)) {
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SMIME_TEXT_ERROR);
+			BIO_free(tmpout);
+			goto err;
+		}
+		BIO_free(tmpout);
+	}
+
+	/* Now Verify All Signatures */
+	if (!(flags & PKCS7_NOSIGS))
+	    for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+		{
+		si=sk_PKCS7_SIGNER_INFO_value(sinfos,i);
+		signer = sk_X509_value (signers, i);
+		j=PKCS7_signatureVerify(p7bio,p7,si, signer);
+		if (j <= 0) {
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SIGNATURE_FAILURE);
+			goto err;
+		}
+	}
+
+	sk_X509_free(signers);
+	if(indata) BIO_pop(p7bio);
+	BIO_free_all(p7bio);
+
+	return 1;
+
+	err:
+
+	sk_X509_free(signers);
+	BIO_free(p7bio);
+
+	return 0;
+}
+
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
+{
+	STACK_OF(X509) *signers;
+	STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+	PKCS7_SIGNER_INFO *si;
+	PKCS7_ISSUER_AND_SERIAL *ias;
+	X509 *signer;
+	int i;
+
+	if(!p7) {
+		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_INVALID_NULL_POINTER);
+		return NULL;
+	}
+
+	if(!PKCS7_type_is_signed(p7)) {
+		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
+		return NULL;
+	}
+	if(!(signers = sk_X509_new(NULL))) {
+		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	/* Collect all the signers together */
+
+	sinfos = PKCS7_get_signer_info(p7);
+
+	if(sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) {
+		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_NO_SIGNERS);
+		return 0;
+	}
+
+	for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+	{
+	    si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
+	    ias = si->issuer_and_serial;
+	    signer = NULL;
+		/* If any certificates passed they take priority */
+	    if (certs) signer = X509_find_by_issuer_and_serial (certs,
+					 	ias->issuer, ias->serial);
+	    if (!signer && !(flags & PKCS7_NOINTERN)
+			&& p7->d.sign->cert) signer =
+		              X509_find_by_issuer_and_serial (p7->d.sign->cert,
+					      	ias->issuer, ias->serial);
+	    if (!signer) {
+			PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND);
+			sk_X509_free(signers);
+			return 0;
+	    }
+
+	    sk_X509_push(signers, signer);
+	}
+	return signers;
+}
+
+
+/* Build a complete PKCS#7 enveloped data */
+
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+								int flags)
+{
+	PKCS7 *p7;
+	BIO *p7bio = NULL;
+	int i;
+	X509 *x509;
+	if(!(p7 = PKCS7_new())) {
+		PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	PKCS7_set_type(p7, NID_pkcs7_enveloped);
+	if(!PKCS7_set_cipher(p7, cipher)) {
+		PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_ERROR_SETTING_CIPHER);
+		goto err;
+	}
+
+	for(i = 0; i < sk_X509_num(certs); i++) {
+		x509 = sk_X509_value(certs, i);
+		if(!PKCS7_add_recipient(p7, x509)) {
+			PKCS7err(PKCS7_F_PKCS7_ENCRYPT,
+					PKCS7_R_ERROR_ADDING_RECIPIENT);
+			goto err;
+		}
+	}
+
+	if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+		PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	SMIME_crlf_copy(in, p7bio, flags);
+
+	BIO_flush(p7bio);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+		PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_PKCS7_DATAFINAL_ERROR);
+		goto err;
+	}
+        BIO_free_all(p7bio);
+
+	return p7;
+
+	err:
+
+	BIO_free(p7bio);
+	PKCS7_free(p7);
+	return NULL;
+
+}
+
+int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
+{
+	BIO *tmpmem;
+	int ret, i;
+	char buf[4096];
+
+	if(!p7) {
+		PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_INVALID_NULL_POINTER);
+		return 0;
+	}
+
+	if(!PKCS7_type_is_enveloped(p7)) {
+		PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_WRONG_CONTENT_TYPE);
+		return 0;
+	}
+
+	if(!X509_check_private_key(cert, pkey)) {
+		PKCS7err(PKCS7_F_PKCS7_DECRYPT,
+				PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+		return 0;
+	}
+
+	if(!(tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert))) {
+		PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR);
+		return 0;
+	}
+
+	if (flags & PKCS7_TEXT) {
+		BIO *tmpbuf, *bread;
+		/* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */
+		if(!(tmpbuf = BIO_new(BIO_f_buffer()))) {
+			PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if(!(bread = BIO_push(tmpbuf, tmpmem))) {
+			PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		ret = SMIME_text(bread, data);
+		BIO_free_all(bread);
+		return ret;
+	} else {
+		for(;;) {
+			i = BIO_read(tmpmem, buf, sizeof(buf));
+			if(i <= 0) break;
+			BIO_write(data, buf, i);
+		}
+		BIO_free_all(tmpmem);
+		return 1;
+	}
+}
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7.h b/crypto/openssl/crypto/pkcs7/pkcs7.h
new file mode 100644
index 0000000..3ec725d
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pkcs7.h
@@ -0,0 +1,498 @@
+/* crypto/pkcs7/pkcs7.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_PKCS7_H
+#define HEADER_PKCS7_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+
+#ifdef VMS
+#include <openssl/vms_idhacks.h>
+#endif
+
+#ifdef WIN32
+/* Under Win32 thes are defined in wincrypt.h */
+#undef PKCS7_ISSUER_AND_SERIAL
+#undef PKCS7_SIGNER_INFO
+#endif
+
+/*
+Encryption_ID		DES-CBC
+Digest_ID		MD5
+Digest_Encryption_ID	rsaEncryption
+Key_Encryption_ID	rsaEncryption
+*/
+
+typedef struct pkcs7_issuer_and_serial_st
+	{
+	X509_NAME *issuer;
+	ASN1_INTEGER *serial;
+	} PKCS7_ISSUER_AND_SERIAL;
+
+typedef struct pkcs7_signer_info_st
+	{
+	ASN1_INTEGER 			*version;	/* version 1 */
+	PKCS7_ISSUER_AND_SERIAL		*issuer_and_serial;
+	X509_ALGOR			*digest_alg;
+	STACK_OF(X509_ATTRIBUTE)	*auth_attr;	/* [ 0 ] */
+	X509_ALGOR			*digest_enc_alg;
+	ASN1_OCTET_STRING		*enc_digest;
+	STACK_OF(X509_ATTRIBUTE)	*unauth_attr;	/* [ 1 ] */
+
+	/* The private key to sign with */
+	EVP_PKEY			*pkey;
+	} PKCS7_SIGNER_INFO;
+
+DECLARE_STACK_OF(PKCS7_SIGNER_INFO)
+DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO)
+
+typedef struct pkcs7_recip_info_st
+	{
+	ASN1_INTEGER			*version;	/* version 0 */
+	PKCS7_ISSUER_AND_SERIAL		*issuer_and_serial;
+	X509_ALGOR			*key_enc_algor;
+	ASN1_OCTET_STRING		*enc_key;
+	X509				*cert; /* get the pub-key from this */
+	} PKCS7_RECIP_INFO;
+
+DECLARE_STACK_OF(PKCS7_RECIP_INFO)
+DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO)
+
+typedef struct pkcs7_signed_st
+	{
+	ASN1_INTEGER			*version;	/* version 1 */
+	STACK_OF(X509_ALGOR)		*md_algs;	/* md used */
+	STACK_OF(X509)			*cert;		/* [ 0 ] */
+	STACK_OF(X509_CRL)		*crl;		/* [ 1 ] */
+	STACK_OF(PKCS7_SIGNER_INFO)	*signer_info;
+
+	struct pkcs7_st			*contents;
+	} PKCS7_SIGNED;
+/* The above structure is very very similar to PKCS7_SIGN_ENVELOPE.
+ * How about merging the two */
+
+typedef struct pkcs7_enc_content_st
+	{
+	ASN1_OBJECT			*content_type;
+	X509_ALGOR			*algorithm;
+	ASN1_OCTET_STRING		*enc_data;	/* [ 0 ] */
+	const EVP_CIPHER		*cipher;
+	} PKCS7_ENC_CONTENT;
+
+typedef struct pkcs7_enveloped_st
+	{
+	ASN1_INTEGER			*version;	/* version 0 */
+	STACK_OF(PKCS7_RECIP_INFO)	*recipientinfo;
+	PKCS7_ENC_CONTENT		*enc_data;
+	} PKCS7_ENVELOPE;
+
+typedef struct pkcs7_signedandenveloped_st
+	{
+	ASN1_INTEGER			*version;	/* version 1 */
+	STACK_OF(X509_ALGOR)		*md_algs;	/* md used */
+	STACK_OF(X509)			*cert;		/* [ 0 ] */
+	STACK_OF(X509_CRL)		*crl;		/* [ 1 ] */
+	STACK_OF(PKCS7_SIGNER_INFO)	*signer_info;
+
+	PKCS7_ENC_CONTENT		*enc_data;
+	STACK_OF(PKCS7_RECIP_INFO)	*recipientinfo;
+	} PKCS7_SIGN_ENVELOPE;
+
+typedef struct pkcs7_digest_st
+	{
+	ASN1_INTEGER			*version;	/* version 0 */
+	X509_ALGOR			*md;		/* md used */
+	struct pkcs7_st 		*contents;
+	ASN1_OCTET_STRING		*digest;
+	} PKCS7_DIGEST;
+
+typedef struct pkcs7_encrypted_st
+	{
+	ASN1_INTEGER			*version;	/* version 0 */
+	PKCS7_ENC_CONTENT		*enc_data;
+	} PKCS7_ENCRYPT;
+
+typedef struct pkcs7_st
+	{
+	/* The following is non NULL if it contains ASN1 encoding of
+	 * this structure */
+	unsigned char *asn1;
+	long length;
+
+#define PKCS7_S_HEADER	0
+#define PKCS7_S_BODY	1
+#define PKCS7_S_TAIL	2
+	int state; /* used during processing */
+
+	int detached;
+
+	ASN1_OBJECT *type;
+	/* content as defined by the type */
+	/* all encryption/message digests are applied to the 'contents',
+	 * leaving out the 'type' field. */
+	union	{
+		char *ptr;
+
+		/* NID_pkcs7_data */
+		ASN1_OCTET_STRING *data;
+
+		/* NID_pkcs7_signed */
+		PKCS7_SIGNED *sign;
+
+		/* NID_pkcs7_enveloped */
+		PKCS7_ENVELOPE *enveloped;
+
+		/* NID_pkcs7_signedAndEnveloped */
+		PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
+
+		/* NID_pkcs7_digest */
+		PKCS7_DIGEST *digest;
+
+		/* NID_pkcs7_encrypted */
+		PKCS7_ENCRYPT *encrypted;
+		} d;
+	} PKCS7;
+
+#define PKCS7_OP_SET_DETACHED_SIGNATURE	1
+#define PKCS7_OP_GET_DETACHED_SIGNATURE	2
+
+#define PKCS7_get_signed_attributes(si)	((si)->auth_attr)
+#define PKCS7_get_attributes(si)	((si)->unauth_attr)
+
+#define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed)
+#define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped)
+#define PKCS7_type_is_signedAndEnveloped(a) \
+		(OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
+#define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
+
+#define PKCS7_set_detached(p,v) \
+		PKCS7_ctrl(p,PKCS7_OP_SET_DETACHED_SIGNATURE,v,NULL)
+#define PKCS7_get_detached(p) \
+		PKCS7_ctrl(p,PKCS7_OP_GET_DETACHED_SIGNATURE,0,NULL)
+
+#ifdef SSLEAY_MACROS
+#ifndef PKCS7_ISSUER_AND_SERIAL_digest
+#define PKCS7_ISSUER_AND_SERIAL_digest(data,type,md,len) \
+        ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,\
+	                (char *)data,md,len)
+#endif
+#endif
+
+/* S/MIME related flags */
+
+#define PKCS7_TEXT	0x1
+#define PKCS7_NOCERTS	0x2
+#define PKCS7_NOSIGS	0x4
+#define PKCS7_NOCHAIN	0x8
+#define PKCS7_NOINTERN	0x10
+#define PKCS7_NOVERIFY	0x20
+#define PKCS7_DETACHED	0x40
+#define PKCS7_BINARY	0x80
+#define PKCS7_NOATTR	0x100
+
+/* Flags: for compatibility with older code */
+
+#define SMIME_TEXT	PKCS7_TEXT
+#define SMIME_NOCERTS	PKCS7_NOCERTS
+#define SMIME_NOSIGS	PKCS7_NOSIGS
+#define SMIME_NOCHAIN	PKCS7_NOCHAIN
+#define SMIME_NOINTERN	PKCS7_NOINTERN
+#define SMIME_NOVERIFY	PKCS7_NOVERIFY
+#define SMIME_DETACHED	PKCS7_DETACHED
+#define SMIME_BINARY	PKCS7_BINARY
+#define SMIME_NOATTR	PKCS7_NOATTR
+
+PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void );
+void			PKCS7_ISSUER_AND_SERIAL_free(
+				PKCS7_ISSUER_AND_SERIAL *a);
+int 			i2d_PKCS7_ISSUER_AND_SERIAL(
+				PKCS7_ISSUER_AND_SERIAL *a,unsigned char **pp);
+PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
+				PKCS7_ISSUER_AND_SERIAL **a,
+				unsigned char **pp, long length);
+
+#ifndef SSLEAY_MACROS
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
+	unsigned char *md,unsigned int *len);
+#ifndef NO_FP_API
+PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
+int i2d_PKCS7_fp(FILE *fp,PKCS7 *p7);
+#endif
+PKCS7 *PKCS7_dup(PKCS7 *p7);
+PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 **p7);
+int i2d_PKCS7_bio(BIO *bp,PKCS7 *p7);
+#endif
+
+PKCS7_SIGNER_INFO	*PKCS7_SIGNER_INFO_new(void);
+void			PKCS7_SIGNER_INFO_free(PKCS7_SIGNER_INFO *a);
+int 			i2d_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO *a,
+				unsigned char **pp);
+PKCS7_SIGNER_INFO	*d2i_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO **a,
+				unsigned char **pp,long length);
+
+PKCS7_RECIP_INFO	*PKCS7_RECIP_INFO_new(void);
+void			PKCS7_RECIP_INFO_free(PKCS7_RECIP_INFO *a);
+int 			i2d_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO *a,
+				unsigned char **pp);
+PKCS7_RECIP_INFO	*d2i_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO **a,
+				unsigned char **pp,long length);
+
+PKCS7_SIGNED		*PKCS7_SIGNED_new(void);
+void			PKCS7_SIGNED_free(PKCS7_SIGNED *a);
+int 			i2d_PKCS7_SIGNED(PKCS7_SIGNED *a,
+				unsigned char **pp);
+PKCS7_SIGNED		*d2i_PKCS7_SIGNED(PKCS7_SIGNED **a,
+				unsigned char **pp,long length);
+
+PKCS7_ENC_CONTENT	*PKCS7_ENC_CONTENT_new(void);
+void			PKCS7_ENC_CONTENT_free(PKCS7_ENC_CONTENT *a);
+int 			i2d_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT *a,
+				unsigned char **pp);
+PKCS7_ENC_CONTENT	*d2i_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT **a,
+				unsigned char **pp,long length);
+
+PKCS7_ENVELOPE		*PKCS7_ENVELOPE_new(void);
+void			PKCS7_ENVELOPE_free(PKCS7_ENVELOPE *a);
+int 			i2d_PKCS7_ENVELOPE(PKCS7_ENVELOPE *a,
+				unsigned char **pp);
+PKCS7_ENVELOPE		*d2i_PKCS7_ENVELOPE(PKCS7_ENVELOPE **a,
+				unsigned char **pp,long length);
+
+PKCS7_SIGN_ENVELOPE	*PKCS7_SIGN_ENVELOPE_new(void);
+void			PKCS7_SIGN_ENVELOPE_free(PKCS7_SIGN_ENVELOPE *a);
+int 			i2d_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE *a,
+				unsigned char **pp);
+PKCS7_SIGN_ENVELOPE	*d2i_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE **a,
+				unsigned char **pp,long length);
+
+PKCS7_DIGEST		*PKCS7_DIGEST_new(void);
+void			PKCS7_DIGEST_free(PKCS7_DIGEST *a);
+int 			i2d_PKCS7_DIGEST(PKCS7_DIGEST *a,
+				unsigned char **pp);
+PKCS7_DIGEST		*d2i_PKCS7_DIGEST(PKCS7_DIGEST **a,
+				unsigned char **pp,long length);
+
+PKCS7_ENCRYPT		*PKCS7_ENCRYPT_new(void);
+void			PKCS7_ENCRYPT_free(PKCS7_ENCRYPT *a);
+int 			i2d_PKCS7_ENCRYPT(PKCS7_ENCRYPT *a,
+				unsigned char **pp);
+PKCS7_ENCRYPT		*d2i_PKCS7_ENCRYPT(PKCS7_ENCRYPT **a,
+				unsigned char **pp,long length);
+
+PKCS7			*PKCS7_new(void);
+void			PKCS7_free(PKCS7 *a);
+void			PKCS7_content_free(PKCS7 *a);
+int 			i2d_PKCS7(PKCS7 *a,
+				unsigned char **pp);
+PKCS7			*d2i_PKCS7(PKCS7 **a,
+				unsigned char **pp,long length);
+
+void ERR_load_PKCS7_strings(void);
+
+
+long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
+
+int PKCS7_set_type(PKCS7 *p7, int type);
+int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
+int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
+	EVP_MD *dgst);
+int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
+int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
+int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
+int PKCS7_content_new(PKCS7 *p7, int nid);
+int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
+	BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si); 
+int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+								X509 *x509);
+
+BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
+int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
+BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
+
+
+PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
+	EVP_PKEY *pkey, EVP_MD *dgst);
+X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
+
+PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509);
+int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri);
+int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509);
+int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher);
+
+PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
+ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
+int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si,int nid,int type,
+	void *data);
+int PKCS7_add_attribute (PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	void *value);
+ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid);
+ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid);
+int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
+				STACK_OF(X509_ATTRIBUTE) *sk);
+int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,STACK_OF(X509_ATTRIBUTE) *sk);
+
+
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+							BIO *data, int flags);
+int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+					BIO *indata, BIO *out, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+								int flags);
+int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
+
+int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap);
+STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si);
+int PKCS7_simple_smimecap(STACK *sk, int nid, int arg);
+
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags);
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont);
+int SMIME_crlf_copy(BIO *in, BIO *out, int flags);
+int SMIME_text(BIO *in, BIO *out);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the PKCS7 functions. */
+
+/* Function codes. */
+#define PKCS7_F_B64_READ_PKCS7				 120
+#define PKCS7_F_B64_WRITE_PKCS7				 121
+#define PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP		 118
+#define PKCS7_F_PKCS7_ADD_CERTIFICATE			 100
+#define PKCS7_F_PKCS7_ADD_CRL				 101
+#define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO		 102
+#define PKCS7_F_PKCS7_ADD_SIGNER			 103
+#define PKCS7_F_PKCS7_CTRL				 104
+#define PKCS7_F_PKCS7_DATADECODE			 112
+#define PKCS7_F_PKCS7_DATAINIT				 105
+#define PKCS7_F_PKCS7_DATASIGN				 106
+#define PKCS7_F_PKCS7_DATAVERIFY			 107
+#define PKCS7_F_PKCS7_DECRYPT				 114
+#define PKCS7_F_PKCS7_ENCRYPT				 115
+#define PKCS7_F_PKCS7_GET0_SIGNERS			 124
+#define PKCS7_F_PKCS7_SET_CIPHER			 108
+#define PKCS7_F_PKCS7_SET_CONTENT			 109
+#define PKCS7_F_PKCS7_SET_TYPE				 110
+#define PKCS7_F_PKCS7_SIGN				 116
+#define PKCS7_F_PKCS7_SIGNATUREVERIFY			 113
+#define PKCS7_F_PKCS7_SIMPLE_SMIMECAP			 119
+#define PKCS7_F_PKCS7_VERIFY				 117
+#define PKCS7_F_SMIME_READ_PKCS7			 122
+#define PKCS7_F_SMIME_TEXT				 123
+
+/* Reason codes. */
+#define PKCS7_R_CERTIFICATE_VERIFY_ERROR		 117
+#define PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER		 144
+#define PKCS7_R_CIPHER_NOT_INITIALIZED			 116
+#define PKCS7_R_CONTENT_AND_DATA_PRESENT		 118
+#define PKCS7_R_DECODE_ERROR				 130
+#define PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH		 100
+#define PKCS7_R_DECRYPT_ERROR				 119
+#define PKCS7_R_DIGEST_FAILURE				 101
+#define PKCS7_R_ERROR_ADDING_RECIPIENT			 120
+#define PKCS7_R_ERROR_SETTING_CIPHER			 121
+#define PKCS7_R_INTERNAL_ERROR				 102
+#define PKCS7_R_INVALID_MIME_TYPE			 131
+#define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
+#define PKCS7_R_MIME_PARSE_ERROR			 133
+#define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
+#define PKCS7_R_MISSING_CERIPEND_INFO			 103
+#define PKCS7_R_NO_CONTENT				 122
+#define PKCS7_R_NO_CONTENT_TYPE				 135
+#define PKCS7_R_NO_MULTIPART_BODY_FAILURE		 136
+#define PKCS7_R_NO_MULTIPART_BOUNDARY			 137
+#define PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE	 115
+#define PKCS7_R_NO_SIGNATURES_ON_DATA			 123
+#define PKCS7_R_NO_SIGNERS				 142
+#define PKCS7_R_NO_SIG_CONTENT_TYPE			 138
+#define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 104
+#define PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR		 124
+#define PKCS7_R_PKCS7_DATAFINAL_ERROR			 125
+#define PKCS7_R_PKCS7_DATASIGN				 126
+#define PKCS7_R_PKCS7_PARSE_ERROR			 139
+#define PKCS7_R_PKCS7_SIG_PARSE_ERROR			 140
+#define PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 127
+#define PKCS7_R_SIGNATURE_FAILURE			 105
+#define PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND		 128
+#define PKCS7_R_SIG_INVALID_MIME_TYPE			 141
+#define PKCS7_R_SMIME_TEXT_ERROR			 129
+#define PKCS7_R_UNABLE_TO_FIND_CERTIFICATE		 106
+#define PKCS7_R_UNABLE_TO_FIND_MEM_BIO			 107
+#define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST		 108
+#define PKCS7_R_UNKNOWN_DIGEST_TYPE			 109
+#define PKCS7_R_UNKNOWN_OPERATION			 110
+#define PKCS7_R_UNSUPPORTED_CIPHER_TYPE			 111
+#define PKCS7_R_UNSUPPORTED_CONTENT_TYPE		 112
+#define PKCS7_R_WRONG_CONTENT_TYPE			 113
+#define PKCS7_R_WRONG_PKCS7_TYPE			 114
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7err.c b/crypto/openssl/crypto/pkcs7/pkcs7err.c
new file mode 100644
index 0000000..8ded891
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/pkcs7err.c
@@ -0,0 +1,161 @@
+/* crypto/pkcs7/pkcs7err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs7.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PKCS7_str_functs[]=
+	{
+{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),	"B64_READ_PKCS7"},
+{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0),	"B64_WRITE_PKCS7"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0),	"PKCS7_add_attrib_smimecap"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0),	"PKCS7_add_certificate"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0),	"PKCS7_add_crl"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),	"PKCS7_add_recipient_info"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0),	"PKCS7_add_signer"},
+{ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0),	"PKCS7_ctrl"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0),	"PKCS7_dataDecode"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),	"PKCS7_dataInit"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_DATASIGN"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),	"PKCS7_dataVerify"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0),	"PKCS7_decrypt"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0),	"PKCS7_encrypt"},
+{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0),	"PKCS7_get0_signers"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),	"PKCS7_set_cipher"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),	"PKCS7_set_content"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),	"PKCS7_set_type"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0),	"PKCS7_sign"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),	"PKCS7_signatureVerify"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0),	"PKCS7_simple_smimecap"},
+{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0),	"PKCS7_verify"},
+{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0),	"SMIME_read_PKCS7"},
+{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0),	"SMIME_text"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA PKCS7_str_reasons[]=
+	{
+{PKCS7_R_CERTIFICATE_VERIFY_ERROR        ,"certificate verify error"},
+{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"},
+{PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
+{PKCS7_R_CONTENT_AND_DATA_PRESENT        ,"content and data present"},
+{PKCS7_R_DECODE_ERROR                    ,"decode error"},
+{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
+{PKCS7_R_DECRYPT_ERROR                   ,"decrypt error"},
+{PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
+{PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
+{PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
+{PKCS7_R_INTERNAL_ERROR                  ,"internal error"},
+{PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
+{PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
+{PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
+{PKCS7_R_MIME_PARSE_ERROR                ,"mime parse error"},
+{PKCS7_R_MIME_SIG_PARSE_ERROR            ,"mime sig parse error"},
+{PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
+{PKCS7_R_NO_CONTENT                      ,"no content"},
+{PKCS7_R_NO_CONTENT_TYPE                 ,"no content type"},
+{PKCS7_R_NO_MULTIPART_BODY_FAILURE       ,"no multipart body failure"},
+{PKCS7_R_NO_MULTIPART_BOUNDARY           ,"no multipart boundary"},
+{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
+{PKCS7_R_NO_SIGNATURES_ON_DATA           ,"no signatures on data"},
+{PKCS7_R_NO_SIGNERS                      ,"no signers"},
+{PKCS7_R_NO_SIG_CONTENT_TYPE             ,"no sig content type"},
+{PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
+{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR       ,"pkcs7 add signature error"},
+{PKCS7_R_PKCS7_DATAFINAL_ERROR           ,"pkcs7 datafinal error"},
+{PKCS7_R_PKCS7_DATASIGN                  ,"pkcs7 datasign"},
+{PKCS7_R_PKCS7_PARSE_ERROR               ,"pkcs7 parse error"},
+{PKCS7_R_PKCS7_SIG_PARSE_ERROR           ,"pkcs7 sig parse error"},
+{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
+{PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
+{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND    ,"signer certificate not found"},
+{PKCS7_R_SIG_INVALID_MIME_TYPE           ,"sig invalid mime type"},
+{PKCS7_R_SMIME_TEXT_ERROR                ,"smime text error"},
+{PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
+{PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
+{PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
+{PKCS7_R_UNKNOWN_DIGEST_TYPE             ,"unknown digest type"},
+{PKCS7_R_UNKNOWN_OPERATION               ,"unknown operation"},
+{PKCS7_R_UNSUPPORTED_CIPHER_TYPE         ,"unsupported cipher type"},
+{PKCS7_R_UNSUPPORTED_CONTENT_TYPE        ,"unsupported content type"},
+{PKCS7_R_WRONG_CONTENT_TYPE              ,"wrong content type"},
+{PKCS7_R_WRONG_PKCS7_TYPE                ,"wrong pkcs7 type"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_PKCS7_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
+		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/pkcs7/server.pem b/crypto/openssl/crypto/pkcs7/server.pem
new file mode 100644
index 0000000..750aac2
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/server.pem
@@ -0,0 +1,24 @@
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAVICAQAwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzQ2WhcNOTgwNjA5
+MTM1NzQ2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
+cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
+Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB4TMR2CvacKE9wAsu9jyCX8YiW
+mgCM+YoP6kt4Zkj2z5IRfm7WrycKsnpnOR+tGeqAjkCeZ6/36o9l91RvPnN1VJ/i
+xQv2df0KFeMr00IkDdTNAdIWqFkSsZTAY2QAdgenb7MB1joejquYzO2DQIO7+wpH
+irObpESxAZLySCmPPg==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
+TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
+OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
+gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
+rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
+PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
+vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/sign.c b/crypto/openssl/crypto/pkcs7/sign.c
new file mode 100644
index 0000000..22290e1
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/sign.c
@@ -0,0 +1,154 @@
+/* crypto/pkcs7/sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	X509 *x509;
+	EVP_PKEY *pkey;
+	PKCS7 *p7;
+	PKCS7_SIGNER_INFO *si;
+	BIO *in;
+	BIO *data,*p7bio;
+	char buf[1024*4];
+	int i;
+	int nodetach=0;
+
+#ifndef NO_MD2
+	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
+	EVP_add_digest(EVP_md5());
+#endif
+#ifndef NO_SHA1
+	EVP_add_digest(EVP_sha1());
+#endif
+#ifndef NO_MDC2
+	EVP_add_digest(EVP_mdc2());
+#endif
+
+	data=BIO_new(BIO_s_file());
+again:
+	if (argc > 1)
+		{
+		if (strcmp(argv[1],"-nd") == 0)
+			{
+			nodetach=1;
+			argv++; argc--;
+			goto again;
+			}
+		if (!BIO_read_filename(data,argv[1]))
+			goto err;
+		}
+	else
+		BIO_set_fp(data,stdin,BIO_NOCLOSE);
+
+	if ((in=BIO_new_file("server.pem","r")) == NULL) goto err;
+	if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
+	BIO_reset(in);
+	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL) goto err;
+	BIO_free(in);
+
+	p7=PKCS7_new();
+	PKCS7_set_type(p7,NID_pkcs7_signed);
+	 
+	si=PKCS7_add_signature(p7,x509,pkey,EVP_sha1());
+	if (si == NULL) goto err;
+
+	/* If you do this then you get signing time automatically added */
+	PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
+						OBJ_nid2obj(NID_pkcs7_data));
+
+	/* we may want to add more */
+	PKCS7_add_certificate(p7,x509);
+
+	/* Set the content of the signed to 'data' */
+	PKCS7_content_new(p7,NID_pkcs7_data);
+
+	if (!nodetach)
+		PKCS7_set_detached(p7,1);
+
+	if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;
+
+	for (;;)
+		{
+		i=BIO_read(data,buf,sizeof(buf));
+		if (i <= 0) break;
+		BIO_write(p7bio,buf,i);
+		}
+
+	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
+	BIO_free(p7bio);
+
+	PEM_write_PKCS7(stdout,p7);
+	PKCS7_free(p7);
+
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	}
+
diff --git a/crypto/openssl/crypto/pkcs7/t/3des.pem b/crypto/openssl/crypto/pkcs7/t/3des.pem
new file mode 100644
index 0000000..b2b5081
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/3des.pem
@@ -0,0 +1,16 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
+/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
+WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
+lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
+5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
+-----END PKCS7-----
+
diff --git a/crypto/openssl/crypto/pkcs7/t/3dess.pem b/crypto/openssl/crypto/pkcs7/t/3dess.pem
new file mode 100644
index 0000000..23f0135
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/3dess.pem
@@ -0,0 +1,32 @@
+-----BEGIN PKCS7-----
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/c.pem b/crypto/openssl/crypto/pkcs7/t/c.pem
new file mode 100644
index 0000000..a4b55e3
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/c.pem
@@ -0,0 +1,48 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/crypto/pkcs7/t/ff b/crypto/openssl/crypto/pkcs7/t/ff
new file mode 100644
index 0000000..23f0135
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/ff
@@ -0,0 +1,32 @@
+-----BEGIN PKCS7-----
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-e b/crypto/openssl/crypto/pkcs7/t/msie-e
new file mode 100644
index 0000000..aafae69
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-e
@@ -0,0 +1,20 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECMzu8y
+wQ/qZbO8cAGMRBF+mPruv3+Dvb9aWNZ2k8njUgqF6mcdhVB2MkGcsG3memRXJBixvMYWVkU3qK4Z
+VuKsMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABEBcWwYFHJbJGhiztt7lzue3Lc9CH5WAbyR+2BZ3uv+JxZfRs1PuaWPOwRa0Vgs3
+YwSJoRfxQj2Gk0wFqG1qt6d1MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI8vRlP/Nx
+2iSggASCAZhR5srxyspy7DfomRJ9ff8eMCtaNwEoEx7G25PZRonC57hBvGoScLtEPU3Wp9FEbPN7
+oJESeC+AqMTyTLNy8aQsyC5s53E9UkoIvg62ekYZBbXZqXsrxx4PhiiX3NH8GVh42phB0Chjw0nK
+HZeRDmxGY3Cmk+J+l0uVKxbNIfJIKOguLBnhqmnKH/PrnzDt591u0ULy2aTLqRm+4/1Yat/QPb6J
+eoKGwNPBbS9ogBdrCNCp9ZFg3Xar2AtQHzyTQIfYeH3SRQUpKmRm5U5o9p5emgEdT+ZfJm/J4tSH
+OmbgAFsbHQakA4MBZ4J5qfDJhOA2g5lWk1hIeu5Dn/AaLRZd0yz3oY0Ieo/erPWx/bCqtBzYbMe9
+qSFTedKlbc9EGe3opOTdBZVzK8KH3w3zsy5luxKdOUG59YYb5F1IZiWGiDyuo/HuacX+griu5LeD
+bEzOtZnko+TZXvWIko30fD79j3T4MRRhWXbgj2HKza+4vJ0mzcC/1+GPsJjAEAA/JgIEDU4w6/DI
+/HQHhLAO3G+9xKD7MvmrzkoAAAAAAAAAAAAA
+
+
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-e.pem b/crypto/openssl/crypto/pkcs7/t/msie-e.pem
new file mode 100644
index 0000000..a2a5e24
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-e.pem
@@ -0,0 +1,22 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIIDkAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQIzO7zLBD+pls7xwAYxEEX6Y+u6/f4O9
+v1pY1naTyeNSCoXqZx2FUHYyQZywbeZ6ZFckGLG8xhZWRTeorhlW4qwwgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFxbBgUclskaGLO23uXO57ctz0If
+lYBvJH7YFne6/4nFl9GzU+5pY87BFrRWCzdjBImhF/FCPYaTTAWobWq3p3UwggHD
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECPL0ZT/zcdokgIIBmFHmyvHK
+ynLsN+iZEn19/x4wK1o3ASgTHsbbk9lGicLnuEG8ahJwu0Q9Tdan0URs83ugkRJ4
+L4CoxPJMs3LxpCzILmzncT1SSgi+DrZ6RhkFtdmpeyvHHg+GKJfc0fwZWHjamEHQ
+KGPDScodl5EObEZjcKaT4n6XS5UrFs0h8kgo6C4sGeGqacof8+ufMO3n3W7RQvLZ
+pMupGb7j/Vhq39A9vol6gobA08FtL2iAF2sI0Kn1kWDddqvYC1AfPJNAh9h4fdJF
+BSkqZGblTmj2nl6aAR1P5l8mb8ni1Ic6ZuAAWxsdBqQDgwFngnmp8MmE4DaDmVaT
+WEh67kOf8BotFl3TLPehjQh6j96s9bH9sKq0HNhsx72pIVN50qVtz0QZ7eik5N0F
+lXMrwoffDfOzLmW7Ep05Qbn1hhvkXUhmJYaIPK6j8e5pxf6CuK7kt4NsTM61meSj
+5Nle9YiSjfR8Pv2PdPgxFGFZduCPYcrNr7i8nSbNwL/X4Y+wmMAQAD8mAgQNTjDr
+8Mj8dAeEsA7cb73EoPsy+avOSgAAAAA=
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-01 b/crypto/openssl/crypto/pkcs7/t/msie-enc-01
new file mode 100644
index 0000000..2c93ab6
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-enc-01
@@ -0,0 +1,62 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxgfMwgfACAQAwgZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0
+IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMT
+EkRFTU8gWkVSTyBWQUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKvMaW8xh6oF/X+CJivz
+IZV7yHxlp4O3NHQtWG0A8MOZB+CtKlU7/6g5e/a9Du/TOqxRMqtYRp63pa2Q/mM4IYMwgAYJ
+KoZIhvcNAQcBMBoGCCqGSIb3DQMCMA4CAgCgBAifz6RvzOPYlKCABIGwxtGA/FLBBRs1wbBP
+gDCbSG0yCwjJNsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrI
+pd8WiSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqrcWTm
+STSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sgQki4t2g4/Saq
+Kl4EMISgluk6swdND0tiHY7v5d6YR29ePCl2/STJ98eJpWkEEC22GNNvOy7ru/Rv2He4MgQg
+optd7sk9MMd9xhJppg7CcH/yDx//HrtgpOcWmn6VxpgECFqon4uXkQtIBIH4PaNclFn7/hLx
+Pw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5mYXfw+b81lh1kutxaPaV4YJ9
+ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/t
+Mnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVwNx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78Y
+M+NaIpIQ3On4DokJA2ZHtjBjZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3Te
+dvKJsbZuu0stErbvWcRy11I328l557EECAJT7d44OJ3rBBBj6bnnx6dDU2SRqp2CEoQaBAhK
+RBuyhNxkygQIOY9/NhwqAJAECOvX0Zd0DqgoBAjobPpMHhVV3gQQWLU2vEoZ51BwzxdzCmxO
+wwQI4oKfudaNqoAESKzBNAqv5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQ
+NUEM1dNU+EYslL4o3RoSHRjUgPU+2t9c0prS9A/bPARIEOP94PynaTNxwHi3VTK7SzuQmgzA
+4n942E9joSiqsQPlsKAb3sPUaLC3SuUxSjNBgfpvD0bmrA/5h+WZoYXvIogFpwjkSmnFBEie
+0lh5Ov1aRrvCw5/j3Q/W/4ZtN5U+aeVBJMtA8n0Mxd5kPxHbNVh4oGprZ6wEegV8ht3voyZa
+mZ5Cyxc8ffMYnM/JJI6/oEYEUEMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62r5HgNbdD
+FHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3PbfknszCEBEh4PdXYbbaR
+3AacN3Q5kYYmWsq3WW6xgrg0mmEGosGvwSQxBBuiXZrxScCa4ivEq05UZwyShePvKduOvnUE
+2zDO6IXFLZxhTZAESEm9/FovLgGAiJ7iMGmYvsISLJScwG4n+wrSaQNQXizs9N3ykys54wBN
+d/+BQ4F7pncHhDQ2Dyt5MekB8Y8iNOocUTFCu524vQRIaWCXmXP3vU7D21dp0XnAMzRQJ565
+JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6BFDK
+6CmKbnyyjOfE2iLGJmTFa905V2KrVDCmlEu/xyGMs80yTyZC+ySzM83FMVvLEQmSzcTNUZVp
+DfA1kNXbXkPouBXXT6g8r8JCRljaKKABmgRIlMheOJQRUUU4cgvhMreXPayhq5Ao4VMSCkA5
+hYRCBczm4Di/MMohF0SxIsdRY6gY9CPnrBXAsY6h1RbR7Tw0iQZmeXi52DCiBEj0by+SYMAa
+9z0CReIzl8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
+955HlAoEQBOGJbcESCgd5XSirZ9Y3AbCfuKOqoMBvEUGn+w/pMaqnGvnr5FZhuBDKrhRXqtx
+QsxA//drGUxsrZOuSL/0+fbvo7n2h1Z8Ny86jOvVZAQIAjw2l1Yc5RAESNc9i3I8pKEOVQf/
+UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs/4n+Vu3SVYU3cAxo
+lUTiCGUSlARIF+TD57SI5+RI+MNtnD9rs4E1ml51YoHGWFj3UPriDmY0FKEwIgqtMXMY3fZ9
+Kq8d83bjDzxwbDX7WwR7KbSeJWT42pCz7kM+BEjjPsOnZHuusXT3x2rrsBnYtYsbt98mSFiS
+KzTtFmXfkOBbCQdit1P76QnYJ1aXMGs6zP6GypQTadK/zYWvlm38QkVwueaJ0woESKW2pqKA
+70h2UMDHOrpepU1lj0YMzmotDHSTU3L909VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1Yda
+KPmgsv62RWLYl80wXQRQwG0e/mgG75jp9lOhJdVXqcYbQpS9viwVaVkwH+69mu/bQI4gjoEs
+UYX6O71Re2z+cYhcm9UrK+DXuSFBXQOIlAFxKMW4B0apd6fU84FsZLMESOorXE5OE0A2B2ji
+J8QI0Exk4hUvWrMNJfUZwFyS7E05xV9ORuX1xmsKqkT4tVR5Nqln4vhvAY860VBoloz0CDkd
+8seSBEjeMgRI9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
+F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCbBEjdlI1c+IQGA/IuTDMJYCuQ/v+8BG5ZeWVH
+icPZmXfRat9eFK1dGKAJef6+Tf9HPuDjSpDyffrifsp7Dc34lmm7GN1+ON3ZMtwEUNm6epb8
+1RKWjoI7jIKUV/M2p/0eeGSqs4b06KF/VR6dBwsJVL5DpnTsp3MV4j/CAOlRdSPZ5++tsKbM
+aplk+ceqQtpEFz1MYTtVV4+rlrWaBEA1okJyNZ5/tNOwM7B+XfOZ0xw+uyVi9v4byTZM2Qds
+J+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNedXPHtBAiBKX+Mdy3wFQQIqE9gVgvrFNUE
+CKKoTFoMGqnPBAjDPgLCklNfrwQI3Ek1vSq68w8ECBodu2FOZJVkBAgzwjfSr2N9WQQQTCoQ
+KkAbrS9tnjXn1I3+ZwQIrPx3eINo/YUECIeYWCFskxlYBAiDUdvZXwD3vgQIkEyZbbZWbUUE
+CH4+odl1Isk3BBj68fkqJ0fKJRWVLWuW/O3VE4BOPKwFlaIECFseVTdDUho8BAj+cOKvV2WA
+hgQgaXr+wwq+ItblG0Qxz8IVUXX6PV2mIdHwz4SCCvnCsaIECJhBYxdfLI/XBCDswamPn9MR
+yXi2HVQBineV+GtWVkIoZ2dCLFB9mQRMoAQI0nUR5a5AOJoECA+AunKlAlx8BAi5RtFeF4g1
+FQQIz/ie+16LlQcECOmNuVg5DXjMBAjH2nkfpXZgWwQIVdLuO/+kuHAECO/5rEHmyI9vBBD4
+16BU4Rd3YerDQnHtrwOQBCCkho1XxK5Maz8KLCNi20wvcGt8wsIXlj2h5q9ITBq7IgQQvKVY
+4OfJ7bKbItP2dylwQgQYPIGxwkkbRXNraONYvN19G8UdF35rFOuIBAjf0sKz/618ZQQIxObr
+xJkRe0sECIC+ssnjEb2NBBBI+XM4OntVWGsRV9Td3sFgBAinGwIroo8O0gQQMGAwgc9PaLaG
+gBCiwSTrYQQIVHjfCQgOtygEUIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/g0thR0lM
++Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy043GNZBAhOqjyB2JbD
+NwQoR23XCYD9x6E20ChHJRXmaHwyMdYXKl5CUxypl7ois+sy2D7jDukS3wQIsTyyPgJi0GsA
+AAAAAAAAAAAA
+
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem b/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem
new file mode 100644
index 0000000..9abf00b
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem
@@ -0,0 +1,66 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIILyAIBADGB8zCB8AIBADCBmTCBkjELMAkGA1UEBhMC
+QVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYD
+VQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBAgIEbjANBgkq
+hkiG9w0BAQEFAARAq8xpbzGHqgX9f4ImK/MhlXvIfGWng7c0dC1YbQDww5kH4K0q
+VTv/qDl79r0O79M6rFEyq1hGnrelrZD+YzghgzCCCssGCSqGSIb3DQEHATAaBggq
+hkiG9w0DAjAOAgIAoAQIn8+kb8zj2JSAggqgxtGA/FLBBRs1wbBPgDCbSG0yCwjJ
+NsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrIpd8W
+iSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqr
+cWTmSTSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sg
+Qki4t2g4/SaqKl6EoJbpOrMHTQ9LYh2O7+XemEdvXjwpdv0kyffHiaVpBBAtthjT
+bzsu67v0b9h3uDKim13uyT0wx33GEmmmDsJwf/IPH/8eu2Ck5xaafpXGmFqon4uX
+kQtIPaNclFn7/hLxPw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5
+mYXfw+b81lh1kutxaPaV4YJ9ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/
+GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/tMnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVw
+Nx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78YM+NaIpIQ3On4DokJA2ZHtjBj
+ZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3TedvKJsbZuu0stErbv
+WcRy11I328l557ECU+3eODid62PpuefHp0NTZJGqnYIShBpKRBuyhNxkyjmPfzYc
+KgCQ69fRl3QOqCjobPpMHhVV3li1NrxKGedQcM8XcwpsTsPigp+51o2qgKzBNAqv
+5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQNUEM1dNU+EYslL4o
+3RoSHRjUgPU+2t9c0prS9A/bPBDj/eD8p2kzccB4t1Uyu0s7kJoMwOJ/eNhPY6Eo
+qrED5bCgG97D1Giwt0rlMUozQYH6bw9G5qwP+YflmaGF7yKIBacI5EppxZ7SWHk6
+/VpGu8LDn+PdD9b/hm03lT5p5UEky0DyfQzF3mQ/Eds1WHigamtnrAR6BXyG3e+j
+JlqZnkLLFzx98xicz8kkjr+gRkMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62
+r5HgNbdDFHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3Pbfkn
+szCEeD3V2G22kdwGnDd0OZGGJlrKt1lusYK4NJphBqLBr8EkMQQbol2a8UnAmuIr
+xKtOVGcMkoXj7ynbjr51BNswzuiFxS2cYU2QSb38Wi8uAYCInuIwaZi+whIslJzA
+bif7CtJpA1BeLOz03fKTKznjAE13/4FDgXumdweENDYPK3kx6QHxjyI06hxRMUK7
+nbi9aWCXmXP3vU7D21dp0XnAMzRQJ565JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW
+7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6yugpim58soznxNoixiZkxWvdOVdi
+q1QwppRLv8chjLPNMk8mQvskszPNxTFbyxEJks3EzVGVaQ3wNZDV215D6LgV10+o
+PK/CQkZY2iigAZqUyF44lBFRRThyC+Eyt5c9rKGrkCjhUxIKQDmFhEIFzObgOL8w
+yiEXRLEix1FjqBj0I+esFcCxjqHVFtHtPDSJBmZ5eLnYMKL0by+SYMAa9z0CReIz
+l8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
+955HlAoEQBOGJbcoHeV0oq2fWNwGwn7ijqqDAbxFBp/sP6TGqpxr56+RWYbgQyq4
+UV6rcULMQP/3axlMbK2Trki/9Pn276O59odWfDcvOozr1WQCPDaXVhzlENc9i3I8
+pKEOVQf/UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs
+/4n+Vu3SVYU3cAxolUTiCGUSlBfkw+e0iOfkSPjDbZw/a7OBNZpedWKBxlhY91D6
+4g5mNBShMCIKrTFzGN32fSqvHfN24w88cGw1+1sEeym0niVk+NqQs+5DPuM+w6dk
+e66xdPfHauuwGdi1ixu33yZIWJIrNO0WZd+Q4FsJB2K3U/vpCdgnVpcwazrM/obK
+lBNp0r/Nha+WbfxCRXC55onTCqW2pqKA70h2UMDHOrpepU1lj0YMzmotDHSTU3L9
+09VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1YdaKPmgsv62RWLYl80wXcBtHv5o
+Bu+Y6fZToSXVV6nGG0KUvb4sFWlZMB/uvZrv20COII6BLFGF+ju9UXts/nGIXJvV
+Kyvg17khQV0DiJQBcSjFuAdGqXen1POBbGSz6itcTk4TQDYHaOInxAjQTGTiFS9a
+sw0l9RnAXJLsTTnFX05G5fXGawqqRPi1VHk2qWfi+G8BjzrRUGiWjPQIOR3yx5IE
+SN4y9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
+F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCb3ZSNXPiEBgPyLkwzCWArkP7/vARu
+WXllR4nD2Zl30WrfXhStXRigCXn+vk3/Rz7g40qQ8n364n7Kew3N+JZpuxjdfjjd
+2TLc2bp6lvzVEpaOgjuMgpRX8zan/R54ZKqzhvTooX9VHp0HCwlUvkOmdOyncxXi
+P8IA6VF1I9nn762wpsxqmWT5x6pC2kQXPUxhO1VXj6uWtZo1okJyNZ5/tNOwM7B+
+XfOZ0xw+uyVi9v4byTZM2QdsJ+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNed
+XPHtgSl/jHct8BWoT2BWC+sU1aKoTFoMGqnPwz4CwpJTX6/cSTW9KrrzDxodu2FO
+ZJVkM8I30q9jfVlMKhAqQButL22eNefUjf5nrPx3eINo/YWHmFghbJMZWINR29lf
+APe+kEyZbbZWbUV+PqHZdSLJN/rx+SonR8olFZUta5b87dUTgE48rAWVolseVTdD
+Uho8/nDir1dlgIZpev7DCr4i1uUbRDHPwhVRdfo9XaYh0fDPhIIK+cKxophBYxdf
+LI/X7MGpj5/TEcl4th1UAYp3lfhrVlZCKGdnQixQfZkETKDSdRHlrkA4mg+AunKl
+Alx8uUbRXheINRXP+J77XouVB+mNuVg5DXjMx9p5H6V2YFtV0u47/6S4cO/5rEHm
+yI9v+NegVOEXd2Hqw0Jx7a8DkKSGjVfErkxrPwosI2LbTC9wa3zCwheWPaHmr0hM
+GrsivKVY4OfJ7bKbItP2dylwQjyBscJJG0Vza2jjWLzdfRvFHRd+axTriN/SwrP/
+rXxlxObrxJkRe0uAvrLJ4xG9jUj5czg6e1VYaxFX1N3ewWCnGwIroo8O0jBgMIHP
+T2i2hoAQosEk62FUeN8JCA63KIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/
+g0thR0lM+Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy04
+3GNZTqo8gdiWwzdHbdcJgP3HoTbQKEclFeZofDIx1hcqXkJTHKmXuiKz6zLYPuMO
+6RLfsTyyPgJi0GsAAAAA
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-02 b/crypto/openssl/crypto/pkcs7/t/msie-enc-02
new file mode 100644
index 0000000..7017055
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-enc-02
@@ -0,0 +1,90 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABEACr4tn
+kSzvo3aIlHfJLGbfokNCV6FjdDP1vQhL+kdXONqcFCEf9ReETCvaHslIr/Wepc5j2hjZselzgqLn
+rM1ZMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABEBanBxKOvUoRn3DiFY55lly2TPu2Cv+dI/GLrzW6qvnUMZPWGPGaUlPyWLMZrXJ
+xGXZUiRJKTBwDu91fnodUEK9MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQImxKZEDWP
+EuOggASCBACBi1bX/qc3geqFyfRpX7JyIo/g4CDr62GlwvassAGlIO8zJ5Z/UDIIooeV6QS4D4OW
+PymKd0WXhwcJI0yBcJTWEoxND27LM7CWFJpA07AoxVCRHTOPgm794NynLecNUOqVTFyS4CRuLhVG
+PAk0nFZG/RE2yMtx4rAkSiVgOexES7wq/xWuoDSSmuTMNQOTbKfkEKqdFLkM/d62gD2wnaph7vKk
+PPK82wdZP8rF3nUUC5c4ahbNoa8g+5B3tIF/Jz3ZZK3vGLU0IWO+i7W451dna13MglDDjXOeikNl
+XLsQdAVo0nsjfGu+f66besJojPzysNA+IEZl6gNWUetl9lim4SqrxubUExdS2rmXnXXmEuEW/HC7
+dlTAeYq5Clqx5id6slhC2C2oegMww3XH9yxHw6OqzvXY6pVPEScEtBMQLgaKFQT+m2SRtbTVFG7c
+QcnUODyVB1IbpQTF1DHeeOX1W/HfpWZym8dzkti6SCyeumHmqO406xDiIMVKtHOqM86nEHuAMZsr
+cLy+ey6TEJvR6S4N8QRzng8JJDZDTJXQN6q84aEudsnOrw2KyOVwPpI6ey4qBsHUgQ8kAFy5lsQa
+WV45h6exgUwbBcKLgPZGFj+OdD2RKJsTb83/UqbJS5Q/lGXhzBlnaYucyJxEprRxbntmcnOEPFJe
++tRDUwOTd7qlJljdhIJL+uDcooL9Ahgo6Cwep6tduekv2cSEohJeTE8Dvy34YRhMbLvnFNdmnpNy
+rNZDYVVxxaKoyd2AfB8NPFZh1VdAYfI3R1QAQ2kXEef5NNIfVQfMzD9akJn4RP+Kv32Qaxm4FrnK
+xmwRyGJShavIBc2ax+F1r1+NZXuSBHn5vfoRTxOk0ST4dXsw74dnlYUMRaSu4qqUdM9jsXSyeX4Z
+gQgkR2bkaYO6ezFgenFIa7QWVw8rXZAEZ5aibCxbnY1VE41PYIvhlLdbFJhH9gY22s+fFAuwnzyA
+SRjC40A9aAEItRlaPStWSGiqlLRgNkBBwdpv2l2YPBd2QzHx6ek6XGrvRJuAC+Nh62rtQKwpNH54
+YAOHW55maBFW2SQ3TF+cZ6NbbqhCmHTyyR7mcSYc9sXSVDWEhYKQ1iyU870zhHWVpvglZizZetJC
+ZFjYex3b1ngVdcgargOvpPq9urCKKi2mbkqv/EFpzSWGXkKSpfCG/XfMnEOtkNrB8S06vnk2JcJB
+OBqJot+uuSH5hOg0vTpxX2DuONJSiWSWyfRE/lTfJJFXwhod7SXclUyXPeSyibcSic2hVAzDmwjD
+31js/j2k02PI/agPhr3UQ8cMgcNAiaoCKbNaWfn6BGbCAbTchxzUlo2cSJiLlrX2IDZmfXbXmZCo
+m1smWIG+BIIEALiuAxDb6dWLAYyVBoN9hYI4AiPeZAY9MtvQ6AV8o2/EFm6PvYGXy3Hei5830CH0
+PBeX7Kdd6ff1y33TW/l5qSkIL1ULTGR7okFfJePHDmq1dFt6/JOMptiQ8WSu7CsJQvZ9VTFXeYFc
+ZqCPPZc1NrPegNK70Zf9QxWIbDAevJ5KLBf1c6j8pU2/6LnvDY6VjaTvYSgr7vTR8eVzH4Rm77W0
+iOHxg5VcODv6cGSVyuvbX8UAGo8Cmb58ERDtBDJBQXVpWKLNAuDJ9GX8n2zNkpjZLbPSkcmuhqGa
+BJBE/BaCTkUQWlY9dIbRtEnxIU1mfbPPdx1Ppa8DqGDjSOsQdKcKYNNZtayEw++EIpmpdBNsKphC
+fB8UEK2Wkk4ZVW+qyGoi/r0MFsvO1NmSOOZ0o/jy/YHmoeURHhPy97AO3eVTkEAa5CfJEJybmo56
+7CDw/FwoGAUCgsoz7rlxzMudr/IhHIH+APinncxXlHO2ecvHD9i8DaHGA8tVifgsUhqQoZieULut
+eF94O5UAxOkv41UZssYTwN4nYrN1QkesZl3BX4ORS4EE30/PQ23ARf3WZptZrCJevGm2ZYzGeh8x
+g17mCDfiLO+bff4qP/4mC96Pu4ia6j4to5BwKIJS/+DCuoD8WeSKF4pugXQkMUiHdQnNnVP9Sp2O
+/4ly5mO8JzrQC59V2bnTNBqPhpno8kfJvK5TypPSVC+bTzern3rJ6UceB3srcn9zxKx9GdNydJQj
+yWjv8ec3n3d1nuQwhz5Q053NBhIjwoGg3Go7LO6i78ZOlpF7dcoAO13NfHLyNjnyHCaiWtVRTct9
+rLf5vN00urSn8YJngHk1eTKK8nHGIcOg6YdYDOD2nE5XwRijKmieG8Xa3eKRzfbL06GrBQENle6J
+mC131bp3cRVxpjq+o6RAbGoMm4yICsL4eTarCQrsyHmoPHqr91UHo91avyxU7knWmEhX27ybmsrs
+8aeZwPHixL14TeyhruCqRVvkf1Ks7P+z8MPUboGNqQe2WLN8ktCGEr15O8MJR/em86G03Jfo4oaw
+/DVUH5RwLT6acedOGuzMh/2r8BcmemhVQ8/cWvV4YJ0tOW4hzyVHC5hQf8sZ3LzxXLH6Ohnrbprh
+xvrdbaSdChWZDDP0bCCbxEhkwuBkBeKZrMbwRTP+TPTPYLVTH/CmKLzKh/114tkGkyO3hHS4qExU
+V39F2Sj4mylx+hD0+20D9pntpNi7htccGlOm6yNM69at/3+kLgJJyoIlaxLcCUYHNMifDt+T3p/t
+5U4XmD53uUQ6M8dvj/udqPekNSUfse15yrd9pjOt5PcJuqW28q0sFHf9pHIgz3XZFMe5PD7ppw6r
+S+C6Ir4PrYIEggQA7ZDVtiCm+BbtNNB/UJm79/OQ5mp5bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOB
+DICj7jHOXSHT7JlGyX6aSFJUltucAnZvwzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwf
+WSDRtIHkWTjly+pe4yy5K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/y
+NH8Wy3qvb2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6KCEi
+LgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili20hCn4hVfsqUQk2PT
+8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvlSVIfY+/v/FR8feKOjaGhyGF51BAx
+aM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKmCMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vP
+Ko/mQCfWy/9icUaIfKQldvkllUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnl
+m89saTJxRb7NWHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
+hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUDsvjgjgLQ3P2U
+p2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1IyKqHFoB7h48OXxXKKY94DY0TG
+x6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJGObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuF
+yhdPZyuniIcmtLNxRZ1duYHErcAyX56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT
+7lTcXvDJgOUNnBRaIcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxy
+Xg4pkneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7VKHtXrNyj
+dPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/6EIHBy2hZ7ukfjHmdP4L
+yQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8Ro9eo6mfjjQ45z8adC43a47klwTEzvod
+3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5
+BpRD9Tgm3u6HPQSCBADgkWEN75Mu9TGosXY0xm1k6K6sPv8L949CrLWo4r1I2LA072bTGvQP28Vs
+hUA76jgcT1ocC++9PoktIK10YCq5w+FfMAQ04KeCXuAdmiY2iAT4Slea61PMCMta3mVGyLUZCLEm
+P+I0UKR5mlO0fGEcjU9j8TmbjZqxNFqloLsU7oSi7Os0EtYHkdAVrExUyOc/ZDie6fBjdLTmLdCm
+bE9JNwjlbXypdTZupGgLNhKGDIskUAAMwZYayI6YfSIMkNCeAYTnjOuGZZ1msCXGXsfMBR1sfUIj
+9UeGjwD8gq+UVVHX/oeoH/m0eJ5ppqi3+nUlgc9DvpYsC/Fg0G2KuYb9B+VJ+a4GMzQSPREoFtQp
+B9dtLkBb7Ha/hpGWTIdqzW0eAo5llyN8FNvl2Fu2IcLaNmWFO69gLjRKQopp0dvFOuwAVI6fvGDj
+p1WigoNbFZl8N+iiWmzKOjoG2ZLbez1clZCms/JPJrXhEMMOxWpVzkQyN336VWHmGgMcjaKCGSeA
+2nnESIGuiCXMrkHlGfabYIsKcHFCo2t13uXyZPf0zSPTkuD0Eh92wqC9pvA3gvrrCUfo9Mn3bs+e
+KWKmDlpcs8mDn032oIg+zrQhIduMqXVn3evzeVM3B5MBOGMvg51/SXg7R+MC/463juQQEb9IVe/I
+YGnO//oWm9lw/377Af/qH+FnN02obJw1FvesQIs9e5RHNQykKbO+vmVJQl1nd9DZWrHDNO7/80Yz
+2hCm7Tws5nSRN2iFlyRaYJHr7ypxkU2rCak2r6ua7XDwu1qU2RT3+qPjT1RuxQ2oTlHyGkKPMZGC
+Rc+CSWz5aeeCmHZVwdb3nC8YpfsujMiYqygLeuQ82pjKuR7DIKGmnfcOLdv5F+Ek2Wyy0D98iSgk
++aoQGYLhL9llU13pn21uRsDY5uGcXiIw1IETFlTdgENEv8futZuJsegrp7fmFXyNoNyFNyypeDrM
+6ZqR4vKxFjg3tKKeVpkw/W4EAklzMxmNiazGNDBHsnYV3rwPlKa+HeeE2YxnsKwGLCNgRYUXTaJk
+461vS160z3dvh/mLfdZ7MYCkmO3bNE3ELUDAw7YQkSuo9ujzdFKte9LC34sjg9fOex3ThAg5Y50n
+wYm4zBmGM7yEqL8O6QgnM6tIDFS9XryDaLNzcGhMWqMvhzO6sC/AA2WfLgwS517Cp03IkJQWqG9q
+w52+E+GAtpioJfczEhlv9BrhjttdugRSjJrG8SYVYE4zG3Aur5eNBoGaALIOHOtPw8+JovQmIWcF
+oaJ/WQuglFrWtew51IK6F8RiHAOBVavZOuZcO7tV+5enVfreOd0rX8ZOy4hYmHhmF1hOrrWOn+Ee
+E0SYKonXN01BM9xMBIIBSLCvNAppnGPTUGjwbMJRg1VJ2KMiBWH5oJp8tyfIAxMuWFdtaLYbRSOD
+XbOAshPVK8JAY8DQDkzqaCTAkLTfSRAt9yY6SbUpMsRv7xa8nMZNJBJzJT9b/wNjgiOJgaGuJMkV
+2g/DX2jfP3PrMM/Sbnz7edORXHj1Pa5XTT8nG5MS0FuZgvevdq3o/gVVAz+ZCKOH3ShMzZvfp01l
+SX5gaJTflmU6cdNwtn2yZ6IScF7OrjUeA9iEoSVR9dQcA+4lB3RAG3LMwcnxXY35D7+PMJzHIZdF
+cSnq+n03ACY2/E/T31iijRH29rvYHGI+mP/ieYs45iq4fTWo6i1HofeWLdP0fX7xW3XO0/hWYFiw
+BxKu66whAbRhaib3XJNvetVs25ToYXyiDpjG+cd5rCMei8sGQwTBj9Zeh0URoeMW1inTP0JvCmMU
+rZgAAAAAAAAAAAAA
+
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem b/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem
new file mode 100644
index 0000000..279c5d8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem
@@ -0,0 +1,106 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIITQAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQAKvi2eRLO+jdoiUd8ksZt+iQ0JXoWN0
+M/W9CEv6R1c42pwUIR/1F4RMK9oeyUiv9Z6lzmPaGNmx6XOCoueszVkwgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFqcHEo69ShGfcOIVjnmWXLZM+7Y
+K/50j8YuvNbqq+dQxk9YY8ZpSU/JYsxmtcnEZdlSJEkpMHAO73V+eh1QQr0wghFz
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECJsSmRA1jxLjgIIRSIGLVtf+
+pzeB6oXJ9GlfsnIij+DgIOvrYaXC9qywAaUg7zMnln9QMgiih5XpBLgPg5Y/KYp3
+RZeHBwkjTIFwlNYSjE0PbsszsJYUmkDTsCjFUJEdM4+Cbv3g3Kct5w1Q6pVMXJLg
+JG4uFUY8CTScVkb9ETbIy3HisCRKJWA57ERLvCr/Fa6gNJKa5Mw1A5Nsp+QQqp0U
+uQz93raAPbCdqmHu8qQ88rzbB1k/ysXedRQLlzhqFs2hryD7kHe0gX8nPdlkre8Y
+tTQhY76LtbjnV2drXcyCUMONc56KQ2VcuxB0BWjSeyN8a75/rpt6wmiM/PKw0D4g
+RmXqA1ZR62X2WKbhKqvG5tQTF1LauZeddeYS4Rb8cLt2VMB5irkKWrHmJ3qyWELY
+Lah6AzDDdcf3LEfDo6rO9djqlU8RJwS0ExAuBooVBP6bZJG1tNUUbtxBydQ4PJUH
+UhulBMXUMd545fVb8d+lZnKbx3OS2LpILJ66Yeao7jTrEOIgxUq0c6ozzqcQe4Ax
+mytwvL57LpMQm9HpLg3xBHOeDwkkNkNMldA3qrzhoS52yc6vDYrI5XA+kjp7LioG
+wdSBDyQAXLmWxBpZXjmHp7GBTBsFwouA9kYWP450PZEomxNvzf9SpslLlD+UZeHM
+GWdpi5zInESmtHFue2Zyc4Q8Ul761ENTA5N3uqUmWN2Egkv64Nyigv0CGCjoLB6n
+q1256S/ZxISiEl5MTwO/LfhhGExsu+cU12aek3Ks1kNhVXHFoqjJ3YB8Hw08VmHV
+V0Bh8jdHVABDaRcR5/k00h9VB8zMP1qQmfhE/4q/fZBrGbgWucrGbBHIYlKFq8gF
+zZrH4XWvX41le5IEefm9+hFPE6TRJPh1ezDvh2eVhQxFpK7iqpR0z2OxdLJ5fhmB
+CCRHZuRpg7p7MWB6cUhrtBZXDytdkARnlqJsLFudjVUTjU9gi+GUt1sUmEf2Bjba
+z58UC7CfPIBJGMLjQD1oAQi1GVo9K1ZIaKqUtGA2QEHB2m/aXZg8F3ZDMfHp6Tpc
+au9Em4AL42Hrau1ArCk0fnhgA4dbnmZoEVbZJDdMX5xno1tuqEKYdPLJHuZxJhz2
+xdJUNYSFgpDWLJTzvTOEdZWm+CVmLNl60kJkWNh7HdvWeBV1yBquA6+k+r26sIoq
+LaZuSq/8QWnNJYZeQpKl8Ib9d8ycQ62Q2sHxLTq+eTYlwkE4Gomi3665IfmE6DS9
+OnFfYO440lKJZJbJ9ET+VN8kkVfCGh3tJdyVTJc95LKJtxKJzaFUDMObCMPfWOz+
+PaTTY8j9qA+GvdRDxwyBw0CJqgIps1pZ+foEZsIBtNyHHNSWjZxImIuWtfYgNmZ9
+dteZkKibWyZYgb64rgMQ2+nViwGMlQaDfYWCOAIj3mQGPTLb0OgFfKNvxBZuj72B
+l8tx3oufN9Ah9DwXl+ynXen39ct901v5eakpCC9VC0xke6JBXyXjxw5qtXRbevyT
+jKbYkPFkruwrCUL2fVUxV3mBXGagjz2XNTaz3oDSu9GX/UMViGwwHryeSiwX9XOo
+/KVNv+i57w2OlY2k72EoK+700fHlcx+EZu+1tIjh8YOVXDg7+nBklcrr21/FABqP
+Apm+fBEQ7QQyQUF1aViizQLgyfRl/J9szZKY2S2z0pHJroahmgSQRPwWgk5FEFpW
+PXSG0bRJ8SFNZn2zz3cdT6WvA6hg40jrEHSnCmDTWbWshMPvhCKZqXQTbCqYQnwf
+FBCtlpJOGVVvqshqIv69DBbLztTZkjjmdKP48v2B5qHlER4T8vewDt3lU5BAGuQn
+yRCcm5qOeuwg8PxcKBgFAoLKM+65cczLna/yIRyB/gD4p53MV5RztnnLxw/YvA2h
+xgPLVYn4LFIakKGYnlC7rXhfeDuVAMTpL+NVGbLGE8DeJ2KzdUJHrGZdwV+DkUuB
+BN9Pz0NtwEX91mabWawiXrxptmWMxnofMYNe5gg34izvm33+Kj/+Jgvej7uImuo+
+LaOQcCiCUv/gwrqA/FnkiheKboF0JDFIh3UJzZ1T/Uqdjv+JcuZjvCc60AufVdm5
+0zQaj4aZ6PJHybyuU8qT0lQvm083q596yelHHgd7K3J/c8SsfRnTcnSUI8lo7/Hn
+N593dZ7kMIc+UNOdzQYSI8KBoNxqOyzuou/GTpaRe3XKADtdzXxy8jY58hwmolrV
+UU3Lfay3+bzdNLq0p/GCZ4B5NXkyivJxxiHDoOmHWAzg9pxOV8EYoyponhvF2t3i
+kc32y9OhqwUBDZXuiZgtd9W6d3EVcaY6vqOkQGxqDJuMiArC+Hk2qwkK7Mh5qDx6
+q/dVB6PdWr8sVO5J1phIV9u8m5rK7PGnmcDx4sS9eE3soa7gqkVb5H9SrOz/s/DD
+1G6BjakHtlizfJLQhhK9eTvDCUf3pvOhtNyX6OKGsPw1VB+UcC0+mnHnThrszIf9
+q/AXJnpoVUPP3Fr1eGCdLTluIc8lRwuYUH/LGdy88Vyx+joZ626a4cb63W2knQoV
+mQwz9Gwgm8RIZMLgZAXimazG8EUz/kz0z2C1Ux/wpii8yof9deLZBpMjt4R0uKhM
+VFd/Rdko+JspcfoQ9PttA/aZ7aTYu4bXHBpTpusjTOvWrf9/pC4CScqCJWsS3AlG
+BzTInw7fk96f7eVOF5g+d7lEOjPHb4/7naj3pDUlH7Htecq3faYzreT3CbqltvKt
+LBR3/aRyIM912RTHuTw+6acOq0vguiK+D62C7ZDVtiCm+BbtNNB/UJm79/OQ5mp5
+bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOBDICj7jHOXSHT7JlGyX6aSFJUltucAnZv
+wzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwfWSDRtIHkWTjly+pe4yy5
+K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/yNH8Wy3qv
+b2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6
+KCEiLgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili2
+0hCn4hVfsqUQk2PT8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvl
+SVIfY+/v/FR8feKOjaGhyGF51BAxaM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKm
+CMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vPKo/mQCfWy/9icUaIfKQldvkl
+lUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnlm89saTJxRb7N
+WHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
+hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUD
+svjgjgLQ3P2Up2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1Iy
+KqHFoB7h48OXxXKKY94DY0TGx6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJ
+GObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuFyhdPZyuniIcmtLNxRZ1duYHErcAy
+X56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT7lTcXvDJgOUNnBRa
+IcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxyXg4p
+kneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7V
+KHtXrNyjdPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/
+6EIHBy2hZ7ukfjHmdP4LyQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8
+Ro9eo6mfjjQ45z8adC43a47klwTEzvod3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK
+0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5BpRD9Tgm3u6HPeCRYQ3v
+ky71MaixdjTGbWTorqw+/wv3j0KstajivUjYsDTvZtMa9A/bxWyFQDvqOBxPWhwL
+770+iS0grXRgKrnD4V8wBDTgp4Je4B2aJjaIBPhKV5rrU8wIy1reZUbItRkIsSY/
+4jRQpHmaU7R8YRyNT2PxOZuNmrE0WqWguxTuhKLs6zQS1geR0BWsTFTI5z9kOJ7p
+8GN0tOYt0KZsT0k3COVtfKl1Nm6kaAs2EoYMiyRQAAzBlhrIjph9IgyQ0J4BhOeM
+64ZlnWawJcZex8wFHWx9QiP1R4aPAPyCr5RVUdf+h6gf+bR4nmmmqLf6dSWBz0O+
+liwL8WDQbYq5hv0H5Un5rgYzNBI9ESgW1CkH120uQFvsdr+GkZZMh2rNbR4CjmWX
+I3wU2+XYW7Yhwto2ZYU7r2AuNEpCimnR28U67ABUjp+8YOOnVaKCg1sVmXw36KJa
+bMo6OgbZktt7PVyVkKaz8k8mteEQww7FalXORDI3ffpVYeYaAxyNooIZJ4DaecRI
+ga6IJcyuQeUZ9ptgiwpwcUKja3Xe5fJk9/TNI9OS4PQSH3bCoL2m8DeC+usJR+j0
+yfduz54pYqYOWlyzyYOfTfagiD7OtCEh24ypdWfd6/N5UzcHkwE4Yy+DnX9JeDtH
+4wL/jreO5BARv0hV78hgac7/+hab2XD/fvsB/+of4Wc3TahsnDUW96xAiz17lEc1
+DKQps76+ZUlCXWd30NlascM07v/zRjPaEKbtPCzmdJE3aIWXJFpgkevvKnGRTasJ
+qTavq5rtcPC7WpTZFPf6o+NPVG7FDahOUfIaQo8xkYJFz4JJbPlp54KYdlXB1vec
+Lxil+y6MyJirKAt65DzamMq5HsMgoaad9w4t2/kX4STZbLLQP3yJKCT5qhAZguEv
+2WVTXemfbW5GwNjm4ZxeIjDUgRMWVN2AQ0S/x+61m4mx6Cunt+YVfI2g3IU3LKl4
+OszpmpHi8rEWODe0op5WmTD9bgQCSXMzGY2JrMY0MEeydhXevA+Upr4d54TZjGew
+rAYsI2BFhRdNomTjrW9LXrTPd2+H+Yt91nsxgKSY7ds0TcQtQMDDthCRK6j26PN0
+Uq170sLfiyOD1857HdOECDljnSfBibjMGYYzvISovw7pCCczq0gMVL1evINos3Nw
+aExaoy+HM7qwL8ADZZ8uDBLnXsKnTciQlBaob2rDnb4T4YC2mKgl9zMSGW/0GuGO
+2126BFKMmsbxJhVgTjMbcC6vl40GgZoAsg4c60/Dz4mi9CYhZwWhon9ZC6CUWta1
+7DnUgroXxGIcA4FVq9k65lw7u1X7l6dV+t453Stfxk7LiFiYeGYXWE6utY6f4R4T
+RJgqidc3TUEz3EywrzQKaZxj01Bo8GzCUYNVSdijIgVh+aCafLcnyAMTLlhXbWi2
+G0Ujg12zgLIT1SvCQGPA0A5M6mgkwJC030kQLfcmOkm1KTLEb+8WvJzGTSQScyU/
+W/8DY4IjiYGhriTJFdoPw19o3z9z6zDP0m58+3nTkVx49T2uV00/JxuTEtBbmYL3
+r3at6P4FVQM/mQijh90oTM2b36dNZUl+YGiU35ZlOnHTcLZ9smeiEnBezq41HgPY
+hKElUfXUHAPuJQd0QBtyzMHJ8V2N+Q+/jzCcxyGXRXEp6vp9NwAmNvxP099Yoo0R
+9va72BxiPpj/4nmLOOYquH01qOotR6H3li3T9H1+8Vt1ztP4VmBYsAcSruusIQG0
+YWom91yTb3rVbNuU6GF8og6YxvnHeawjHovLBkMEwY/WXodFEaHjFtYp0z9Cbwpj
+FK2YAAAAAA==
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e
new file mode 100644
index 0000000..0067794
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e
@@ -0,0 +1,91 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECjscaS
+G0U299fqiEAgTqTFQBp8Ai6zzjl557cVb3k6z4QZ7CbqBjSXAjLbh5e7S5Hd/FrFcDnxl1Ka06ha
+VHGPMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABECsyHXZ1xaiv0UQRvOmVYsaF38AL2XX75wxbCsz5/wOg7g3RP4aicZxaR4sBog0
+f2G1o9om/hu+A0rIYF/L4/GUMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIsozQrnwj
+cc2ggASCBAAQz/LPoJe/+iYWeTwSebz6Q9UeKZzQ2UWm7GLtEM3s3c9SCvpmkwIRdEhLjWaBJMyI
+DiL7t1I1vMf9inB8LXgAcIEYkpNScjS8ERA9Ebb7ieNKSBg7w7B8ATHFxLSlDADqRgoZrB1Ctfgf
+ximp3EgxTgnhtyQhZxXW7kBQyFRwumplrJXOp7albP7IothrOKncw30IJT1fwPxWNMItI9juXF0U
+CbWVSjPzGBo4+XNXMvUO6MplOQEz/ywEQ9E8OZAQex1Zw9qq5ppsXB2pMsYV5sLJGikukMYKquiz
+3YK+tN6J8ahLcDUs+VGwqvZi17gpBTlbEP+ZmXJpnO63t1yTEB0V5AZcRKWUOhzlCBM5YUagqNoY
+cpsmSvOK6bYzkUKOrzWpDCAtGZ/Dvul5dTZZmxs2WpM+iyeHXMxO3huy8K1brPTqt1f1sHhuq1jD
+1eXedaCjIgUW9qV18vNAQCof/Yb6T/1fxztf/jD7pPLQJ+7LJkKCAEHGcaizpoKqhYcttaEhLq1G
+O+Ohqf7yFegMdTJ3wwP324w5ZYSU5fLo2Z34/Edf6EGvXyTIqVfAmEBALd6JGVdN5GlYYTxrL+eO
+P80Z4ao4YKoxwEmRp5bmQsQ8B29QhOFKmC6eiG5B96qLMtp7Zmu1grDNxTd6OXShWVwYARD0/B1P
+Sy0PAfk9Gb4fAkO9fZJDQYZ7s0mM5iOPEeSR7820TolOb+KfRabLA9d714jsc2jEykKlpP66Bh4j
+aCsyqJ0uUQcE8SnzrKAqGwgWiCGQpiTa+HBiP6eRlRGOKQj5Y06vcNx6Ija4cGe6+yCN8HV8tCY0
+okZK98NQCl5t79R/ZB2c3NvBJH+/g3ulU48ikT3tVmDxE3mOZofZyGFEM99P+YCMScLDxTl3hzGy
+0YkI8U855P7qOAbcFfh2T5n+LSELwLhbkymEfZT917GWTfmypBWMvJx0WHeDhKwQYPdzbKgWETnc
+yeKasaCW+oLdhBwrd6Ws2r4MA8cwiYXDLbwYmCxJA8VF++8kubF2HJOjSyMBS+QT2PSV/0D9UWoi
+Vfk7R4OvWBJVvq7nV+lXS0O5igjExxlmx1OaBfg7+Cr/MbK4zVNrKSJn82NnKKt6LC6RaTmvFYay
+0sDFxQ7Xo+Th6tDNKmKWJt6Kegfjc+qTWJTKb3kL+UI8vS0zTLy1+M/rZ4ekos/JiS5rYIcAswvg
+58kBgp/0rc6upBeWjBaK5O0aLAeBQfLulo1axWX04OSVKmYeoAltyR6UO9ME3acurQyg7Ta24yqO
+whi/PrIaEiO7dsWvFtzsshVzBLic02NlAkPkMUzliPYnZHWQglDAVxL5K2qhvK1OFCkQpIgBsBDM
+6KYRL/mkBIIEALIl927rIkaN37/BQIcxLcSa05YfC0Hl3mxWESt1A0D4lA37A9S8EbYmDfAYlMc0
+3HhZGdZEtawfpJFyDHzNZceNWBch6nxeNZCY4YFdsbzuGS0RKpwNA9S/czOJ4p9ymBCxuhGepI3U
+PKbC8C749Www1/wMdAot1n+K7M/PBGR8hWmaH5SS7U3yMwAB1fq2NDjx4ur+Um+MclSdN01MDXzG
+EO+eAo1pdAY8479234l8dB2YVAhZ1ZlJ4KmbqMKJrGJXnQUEYS6/cTDRjsUocsoW7uGg1ci2GiHa
+qjlkfpBfie3SdhFW/K8hwAH0HALs56oFN66wUkP/AaJAPfIUNhR6RpHKzZ9zCC42oB2mNawQRMnF
+ETBl1s/SwMxLKRp7jAfKs4NZxSY6I9z/2dTpzS3tsHMjxVDuxkolvRNWBILEMeL1CBvip2HhmoUw
+/Sz5NDgyzk1aQLV6DQNJ2RZLMZDRCtSwZSBu6lhhSgTJGazP0+NbqXXC5aQTrqrFIcWyDXz+ADle
+kszzYM/gSaQTCALTwfDDaU9Ek3xVgW+XBtExtJ3U+0AN3l0j86rUIdIvp6eWdxWQqv9LtpoorKMD
+KfUc5PYV09Z1JgsT4X51Zzq+74l5dz7udIM7UNbdTpmRm9PDj3TUbGCvNR9hqOEGTLbkvb1ZR24a
+h6uGRl2znB25IpDAGRhNRb9is/pO2tvHwHTDMOjrgvZG/pNvXgSUxz0pRjUjXIcqBe2X2gcQfeal
+r8gY76o83WEGL6ODryV9vTQVHt52+izgpYoBZaVlpgqbZl54c+OE0Zxf9RwXwDbcYu5Ku5E0MPL0
+qUjc0y2+Y6E4P5bAWaZGMGT+ORkyVUzcaWmM/+XlO7PER5wrWlCIMZCX1L/nvioY0q0CKqALn7DJ
+QU+qenbwrb6uwS7uNZY6V86s0aDYpU7yRyqxC5SbuyNJb02gdxUCgpIscFaMUjMVRml4M4BIjX/b
+U+HgHoVMUm8SnN9gRcT2izPrgOGVcMTJjfenzoCKoCPo9RjgGMctgB4DvKamErNU7OrilIfuoqzE
+PNSeP9SPw/zkDmNvMebM499We9CVnsHUWqF00/ZJWoua77+0f1bLS/tmci1JBvIcMo/4SJvgH+KF
+o0gijP9gqAPd5iCOnpnJlHUqRIym42SmyKEDuzdSwXKjAR6j7uXda39JyMJr8gGzEsu0jYRkAmj1
+YdiqwKXUcLMkcj1AKeU/PxTUVw0YKsv/rowrPYww3xQUWqNivrXB7GCHE3BzsYNdHsmziaGIXQbA
++EBHdkuKrM8BcC+fxhF/l/KUxngsD1E75IcUv8zFDF+sk4CBYHqks9S4JYlcubuizqsILbdGzIMN
+Z7w34k0XT+sEggQAyzr8MHeIJGsT+AYnZr08PeTbyr01JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzY
+CXrxZcUmuay6/MV8w/f5T6vQXdoSw5puWodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSV
+OWSvST0AtAX57fFOTckm+facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4Eg
+XBLNvOZY9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ40BQD
+c6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q53DvKVtXp9Ycam5J
+TmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp6B+06HljUwQLBJs9XtCfqH5Zgdz9
+gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/TH68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4
+zVkwsn203bUmKLyz+yl1zItDpn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeD
+JJVld3ac6F8+3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
+95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUCQkJyqTeTeGgH
+rn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrVuh6V9m7Mpl9hzpogg++EZqah
+fzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUt
+j2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRI
+Ipi+7tX0FsilqEbmjG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRm
+hOhGqUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38Bw10ERap
+m8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6L7IwJWotIUx8E0XH0/cU
+xS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+NtgabrZ6SsKGthGa7eULTpz0McWTLRU0y/
+/tkckpm5pDnXSFbIMskwwjECz82UZBSPpigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9P
+O1tQd60EO+3awASCBAAZQvWV3/yJ6FxPttbP+qeURpJoPEZfpN2UYZmd8HqtR0YbaOZ6Rln9nvpd
+K9fylXdw9z2xeCbjDWUttJB4VqZxGJM8eCTC1VDVyAOsQ5n7SY55dMkQbU+o4Z/4J5m8+wz50BBI
+LfruL1eZ6/CF6CdvxVRiJ10sXc0Tn2sVMXqkw7Adp1GYoCI9c6VFSFK74+n+y7LVFQ5HBnbQyKJc
+dvdLOXwZOPaFHC5UNXRmOpcwdPqyXUe+xIsOMYbzdlAnI9eGDNeRDktUa/Rh0CbZCxjmJzoZEYOE
+ZjsYZlEfp1Kb61t8z4m28hGLEg88T1Ihmxa2HeUWes1RpmgIOP+/2Lb3smj/l/fpSu4gabFgyCAV
+H5HdCYMScUv8SVu55+tpeO8ELoHHQUXV4rr084O4budzhgNSOPyLGDl5sfDUXiyusPCxS4JVO/KY
+6V2Qrtg/q2wtmXpEkZnGT+Qi3WDzwt4W81alztnYMP17oGLmxX71KV9OEiMZjI4WaaGt+OOINLtR
+qefioZ1NI2L1s5M0tybwTsyU9WERM+3pUwXIfJVsbMZRlNaO2OogcHbaR4UWvhOj+3CTG1sThiYQ
+MxMnp1Rpqx3nhyzqLO3TRrkYvxnA3cdPBn9EeqpgBMg7X3hCiMV3Fl5cj/WOMhtHYgY7BgeCXo46
+EFVZ4+WroGZ46xGiRDiIblo8bzLd7QCxvukzxy3mUDgsZQ8pds4N28weSUhBk5MAPbfBpRvXUVJx
+MhKqXucQU1Md1qSGLbuuIQuz9pAGp1JFUx/vEkCgm74daSoVWCZuB+1ZE4f48clvrBj51xMNf8CP
+EFE7vySzVb6X2H1i5X3Z+Y3DdIcWw4Y2FClfcJk4Mwq8Cq2GALGFEge9YSEE9YmyuU6OFeU0ICon
+iXAgZ72SM8fBwJPruLFbdsNYKW+oAfmPisXSWMcZmdSbfk0GYv+vKtu3eegSbWw1UsCVtZOh9E5Z
+uQ83l59CBqO9sV/SFU3WrrJ0qNWxrmXu9nJn5Qf5iCRoFGYNHYHkIG5FS6N00GEDZxGkxmro2d++
+Adj5LVHc/b1cYWmrux+jEqI8ZK8cyTB0XMbBA/HYbx9NXazr7znP4/Mlv3pZToEcYt+lgLHAArtU
+AdhybhbLIwNMq0gr6EwtDklBa3ns4Wx/rJU8H7LGs6gV8uqeaSketv+nz+sQhfctxZ1rx+5qzXfy
+FOQVpO23KDQunBi1Bl9k61Di4q9JWcyADBXPHXJzp7mL8Fk7zdvMAEfuED1phdRm6GgDYoYUs4yQ
+IrhSjFlWyk7hT8475xk3BIv++obvWSAv/3+pF6A6U2RXDChVmnG0JnPa9wYYtdzBmLfZKBjX+DjD
+yEMsuhPsCzuN4R6tBIIBWCVRKmKwdkatmpsQBgDw48u0/Arffl5/DRlS9ee+QffFecUitDdCK+kt
+X5L2fGYrL5g6SltncMIeV1ptx4nuSjC/O944q1KYtqvQiPFWJqEXIRMNbbYOC47sjLza0tEFrimN
+wxcrWGSzsy5R9beFQ1aHPcMrDWfCoviNRk2qPtxuKIC5Qk2ZuOmJLjCiLwUGEb0/1Mpzv3MqQa7d
+mRayXg3DZWJPajxNZv6eS357ElMvwGQmqafb2mlQJwWLsg9m9PG7uqEoyrqSc6MiuY+icLEFib9j
+OfRQrx70rTSKUfTr4MtP0aZZAefjCrpVIyTekhFDOk0Nmx057eonlyGgmGpl5/Uo+t1J1Z11Ya/l
+bNbfmebRISJeTVW0I8FhseAZMI1GSwp/ludJxSLYOgyRkh+GX134MexNo7O9F1SxLCfWaSG9Fc3s
+5ify04ua9/t8SGrYZPm/l3MkAAAAAAAAAAAAAA==
+
+
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem
new file mode 100644
index 0000000..55dbd8f
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem
@@ -0,0 +1,106 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIITUAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQKOxxpIbRTb31+qIQCBOpMVAGnwCLrPO
+OXnntxVveTrPhBnsJuoGNJcCMtuHl7tLkd38WsVwOfGXUprTqFpUcY8wgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKzIddnXFqK/RRBG86ZVixoXfwAv
+ZdfvnDFsKzPn/A6DuDdE/hqJxnFpHiwGiDR/YbWj2ib+G74DSshgX8vj8ZQwghGD
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECLKM0K58I3HNgIIRWBDP8s+g
+l7/6JhZ5PBJ5vPpD1R4pnNDZRabsYu0Qzezdz1IK+maTAhF0SEuNZoEkzIgOIvu3
+UjW8x/2KcHwteABwgRiSk1JyNLwRED0RtvuJ40pIGDvDsHwBMcXEtKUMAOpGChms
+HUK1+B/GKancSDFOCeG3JCFnFdbuQFDIVHC6amWslc6ntqVs/sii2Gs4qdzDfQgl
+PV/A/FY0wi0j2O5cXRQJtZVKM/MYGjj5c1cy9Q7oymU5ATP/LARD0Tw5kBB7HVnD
+2qrmmmxcHakyxhXmwskaKS6Qxgqq6LPdgr603onxqEtwNSz5UbCq9mLXuCkFOVsQ
+/5mZcmmc7re3XJMQHRXkBlxEpZQ6HOUIEzlhRqCo2hhymyZK84rptjORQo6vNakM
+IC0Zn8O+6Xl1NlmbGzZakz6LJ4dczE7eG7LwrVus9Oq3V/WweG6rWMPV5d51oKMi
+BRb2pXXy80BAKh/9hvpP/V/HO1/+MPuk8tAn7ssmQoIAQcZxqLOmgqqFhy21oSEu
+rUY746Gp/vIV6Ax1MnfDA/fbjDllhJTl8ujZnfj8R1/oQa9fJMipV8CYQEAt3okZ
+V03kaVhhPGsv544/zRnhqjhgqjHASZGnluZCxDwHb1CE4UqYLp6IbkH3qosy2ntm
+a7WCsM3FN3o5dKFZXBgBEPT8HU9LLQ8B+T0Zvh8CQ719kkNBhnuzSYzmI48R5JHv
+zbROiU5v4p9FpssD13vXiOxzaMTKQqWk/roGHiNoKzKonS5RBwTxKfOsoCobCBaI
+IZCmJNr4cGI/p5GVEY4pCPljTq9w3HoiNrhwZ7r7II3wdXy0JjSiRkr3w1AKXm3v
+1H9kHZzc28Ekf7+De6VTjyKRPe1WYPETeY5mh9nIYUQz30/5gIxJwsPFOXeHMbLR
+iQjxTznk/uo4BtwV+HZPmf4tIQvAuFuTKYR9lP3XsZZN+bKkFYy8nHRYd4OErBBg
+93NsqBYROdzJ4pqxoJb6gt2EHCt3pazavgwDxzCJhcMtvBiYLEkDxUX77yS5sXYc
+k6NLIwFL5BPY9JX/QP1RaiJV+TtHg69YElW+rudX6VdLQ7mKCMTHGWbHU5oF+Dv4
+Kv8xsrjNU2spImfzY2coq3osLpFpOa8VhrLSwMXFDtej5OHq0M0qYpYm3op6B+Nz
+6pNYlMpveQv5Qjy9LTNMvLX4z+tnh6Siz8mJLmtghwCzC+DnyQGCn/Stzq6kF5aM
+Fork7RosB4FB8u6WjVrFZfTg5JUqZh6gCW3JHpQ70wTdpy6tDKDtNrbjKo7CGL8+
+shoSI7t2xa8W3OyyFXMEuJzTY2UCQ+QxTOWI9idkdZCCUMBXEvkraqG8rU4UKRCk
+iAGwEMzophEv+aSyJfdu6yJGjd+/wUCHMS3EmtOWHwtB5d5sVhErdQNA+JQN+wPU
+vBG2Jg3wGJTHNNx4WRnWRLWsH6SRcgx8zWXHjVgXIep8XjWQmOGBXbG87hktESqc
+DQPUv3MzieKfcpgQsboRnqSN1DymwvAu+PVsMNf8DHQKLdZ/iuzPzwRkfIVpmh+U
+ku1N8jMAAdX6tjQ48eLq/lJvjHJUnTdNTA18xhDvngKNaXQGPOO/dt+JfHQdmFQI
+WdWZSeCpm6jCiaxiV50FBGEuv3Ew0Y7FKHLKFu7hoNXIthoh2qo5ZH6QX4nt0nYR
+VvyvIcAB9BwC7OeqBTeusFJD/wGiQD3yFDYUekaRys2fcwguNqAdpjWsEETJxREw
+ZdbP0sDMSykae4wHyrODWcUmOiPc/9nU6c0t7bBzI8VQ7sZKJb0TVgSCxDHi9Qgb
+4qdh4ZqFMP0s+TQ4Ms5NWkC1eg0DSdkWSzGQ0QrUsGUgbupYYUoEyRmsz9PjW6l1
+wuWkE66qxSHFsg18/gA5XpLM82DP4EmkEwgC08Hww2lPRJN8VYFvlwbRMbSd1PtA
+Dd5dI/Oq1CHSL6enlncVkKr/S7aaKKyjAyn1HOT2FdPWdSYLE+F+dWc6vu+JeXc+
+7nSDO1DW3U6ZkZvTw4901GxgrzUfYajhBky25L29WUduGoerhkZds5wduSKQwBkY
+TUW/YrP6Ttrbx8B0wzDo64L2Rv6Tb14ElMc9KUY1I1yHKgXtl9oHEH3mpa/IGO+q
+PN1hBi+jg68lfb00FR7edvos4KWKAWWlZaYKm2ZeeHPjhNGcX/UcF8A23GLuSruR
+NDDy9KlI3NMtvmOhOD+WwFmmRjBk/jkZMlVM3GlpjP/l5TuzxEecK1pQiDGQl9S/
+574qGNKtAiqgC5+wyUFPqnp28K2+rsEu7jWWOlfOrNGg2KVO8kcqsQuUm7sjSW9N
+oHcVAoKSLHBWjFIzFUZpeDOASI1/21Ph4B6FTFJvEpzfYEXE9osz64DhlXDEyY33
+p86AiqAj6PUY4BjHLYAeA7ymphKzVOzq4pSH7qKsxDzUnj/Uj8P85A5jbzHmzOPf
+VnvQlZ7B1FqhdNP2SVqLmu+/tH9Wy0v7ZnItSQbyHDKP+Eib4B/ihaNIIoz/YKgD
+3eYgjp6ZyZR1KkSMpuNkpsihA7s3UsFyowEeo+7l3Wt/ScjCa/IBsxLLtI2EZAJo
+9WHYqsCl1HCzJHI9QCnlPz8U1FcNGCrL/66MKz2MMN8UFFqjYr61wexghxNwc7GD
+XR7Js4mhiF0GwPhAR3ZLiqzPAXAvn8YRf5fylMZ4LA9RO+SHFL/MxQxfrJOAgWB6
+pLPUuCWJXLm7os6rCC23RsyDDWe8N+JNF0/ryzr8MHeIJGsT+AYnZr08PeTbyr01
+JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzYCXrxZcUmuay6/MV8w/f5T6vQXdoSw5pu
+WodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSVOWSvST0AtAX57fFOTckm
++facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4EgXBLNvOZY
+9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ4
+0BQDc6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q
+53DvKVtXp9Ycam5JTmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp
+6B+06HljUwQLBJs9XtCfqH5Zgdz9gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/T
+H68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4zVkwsn203bUmKLyz+yl1zItD
+pn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeDJJVld3ac6F8+
+3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
+95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUC
+QkJyqTeTeGgHrn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrV
+uh6V9m7Mpl9hzpogg++EZqahfzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6
+M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUtj2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4
+EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRIIpi+7tX0FsilqEbm
+jG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRmhOhG
+qUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38
+Bw10ERapm8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6
+L7IwJWotIUx8E0XH0/cUxS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+Nt
+gabrZ6SsKGthGa7eULTpz0McWTLRU0y//tkckpm5pDnXSFbIMskwwjECz82UZBSP
+pigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9PO1tQd60EO+3awBlC9ZXf
+/InoXE+21s/6p5RGkmg8Rl+k3ZRhmZ3weq1HRhto5npGWf2e+l0r1/KVd3D3PbF4
+JuMNZS20kHhWpnEYkzx4JMLVUNXIA6xDmftJjnl0yRBtT6jhn/gnmbz7DPnQEEgt
++u4vV5nr8IXoJ2/FVGInXSxdzROfaxUxeqTDsB2nUZigIj1zpUVIUrvj6f7LstUV
+DkcGdtDIolx290s5fBk49oUcLlQ1dGY6lzB0+rJdR77Eiw4xhvN2UCcj14YM15EO
+S1Rr9GHQJtkLGOYnOhkRg4RmOxhmUR+nUpvrW3zPibbyEYsSDzxPUiGbFrYd5RZ6
+zVGmaAg4/7/YtveyaP+X9+lK7iBpsWDIIBUfkd0JgxJxS/xJW7nn62l47wQugcdB
+RdXiuvTzg7hu53OGA1I4/IsYOXmx8NReLK6w8LFLglU78pjpXZCu2D+rbC2ZekSR
+mcZP5CLdYPPC3hbzVqXO2dgw/XugYubFfvUpX04SIxmMjhZpoa3444g0u1Gp5+Kh
+nU0jYvWzkzS3JvBOzJT1YREz7elTBch8lWxsxlGU1o7Y6iBwdtpHhRa+E6P7cJMb
+WxOGJhAzEyenVGmrHeeHLOos7dNGuRi/GcDdx08Gf0R6qmAEyDtfeEKIxXcWXlyP
+9Y4yG0diBjsGB4JejjoQVVnj5augZnjrEaJEOIhuWjxvMt3tALG+6TPHLeZQOCxl
+Dyl2zg3bzB5JSEGTkwA9t8GlG9dRUnEyEqpe5xBTUx3WpIYtu64hC7P2kAanUkVT
+H+8SQKCbvh1pKhVYJm4H7VkTh/jxyW+sGPnXEw1/wI8QUTu/JLNVvpfYfWLlfdn5
+jcN0hxbDhjYUKV9wmTgzCrwKrYYAsYUSB71hIQT1ibK5To4V5TQgKieJcCBnvZIz
+x8HAk+u4sVt2w1gpb6gB+Y+KxdJYxxmZ1Jt+TQZi/68q27d56BJtbDVSwJW1k6H0
+Tlm5DzeXn0IGo72xX9IVTdausnSo1bGuZe72cmflB/mIJGgUZg0dgeQgbkVLo3TQ
+YQNnEaTGaujZ374B2PktUdz9vVxhaau7H6MSojxkrxzJMHRcxsED8dhvH01drOvv
+Oc/j8yW/ellOgRxi36WAscACu1QB2HJuFssjA0yrSCvoTC0OSUFreezhbH+slTwf
+ssazqBXy6p5pKR62/6fP6xCF9y3FnWvH7mrNd/IU5BWk7bcoNC6cGLUGX2TrUOLi
+r0lZzIAMFc8dcnOnuYvwWTvN28wAR+4QPWmF1GboaANihhSzjJAiuFKMWVbKTuFP
+zjvnGTcEi/76hu9ZIC//f6kXoDpTZFcMKFWacbQmc9r3Bhi13MGYt9koGNf4OMPI
+Qyy6E+wLO43hHq0lUSpisHZGrZqbEAYA8OPLtPwK335efw0ZUvXnvkH3xXnFIrQ3
+QivpLV+S9nxmKy+YOkpbZ3DCHldabceJ7kowvzveOKtSmLar0IjxViahFyETDW22
+DguO7Iy82tLRBa4pjcMXK1hks7MuUfW3hUNWhz3DKw1nwqL4jUZNqj7cbiiAuUJN
+mbjpiS4woi8FBhG9P9TKc79zKkGu3ZkWsl4Nw2ViT2o8TWb+nkt+exJTL8BkJqmn
+29ppUCcFi7IPZvTxu7qhKMq6knOjIrmPonCxBYm/Yzn0UK8e9K00ilH06+DLT9Gm
+WQHn4wq6VSMk3pIRQzpNDZsdOe3qJ5choJhqZef1KPrdSdWddWGv5WzW35nm0SEi
+Xk1VtCPBYbHgGTCNRksKf5bnScUi2DoMkZIfhl9d+DHsTaOzvRdUsSwn1mkhvRXN
+7OYn8tOLmvf7fEhq2GT5v5dzJAAAAAA=
+-----END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/nav-smime b/crypto/openssl/crypto/pkcs7/t/nav-smime
new file mode 100644
index 0000000..6ee4b59
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/nav-smime
@@ -0,0 +1,157 @@
+From angela@c2.net.au Thu May 14 13:32:27 1998
+X-UIDL: 83c94dd550e54329bf9571b72038b8c8
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27838 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:32:26 +1000 (EST)
+Message-ID: <355A6779.4B63E64C@cryptsoft.com>
+Date: Thu, 14 May 1998 13:39:37 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: signed
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms9A58844C95949ECC78A1C54C"
+Content-Length: 2604
+Status: OR
+
+This is a cryptographically signed message in MIME format.
+
+--------------ms9A58844C95949ECC78A1C54C
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+signed body
+
+--------------ms9A58844C95949ECC78A1C54C
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+Content-Description: S/MIME Cryptographic Signature
+
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+--------------ms9A58844C95949ECC78A1C54C--
+
+
+From angela@c2.net.au Thu May 14 13:33:16 1998
+X-UIDL: 8f076c44ff7c5967fd5b00c4588a8731
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27847 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:33:15 +1000 (EST)
+Message-ID: <355A67AB.2AF38806@cryptsoft.com>
+Date: Thu, 14 May 1998 13:40:27 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: signed
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msD7863B84BD61E02C407F2F5E"
+Content-Length: 2679
+Status: OR
+
+This is a cryptographically signed message in MIME format.
+
+--------------msD7863B84BD61E02C407F2F5E
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+signed body 2
+
+--------------msD7863B84BD61E02C407F2F5E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+Content-Description: S/MIME Cryptographic Signature
+
+MIIGVgYJKoZIhvcNAQcCoIIGRzCCBkMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggGzMIIBrwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcN
+AQkFMQ8XDTk4MDUxNDAzNDAyN1owIwYJKoZIhvcNAQkEMRYEFOKcV8mNYJnM8rHQajcSEqJN
+rwdDMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsO
+AwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEADPE/N
+coH+zTFuX5YpolupTKxKK8eEjc48TuADuO8bIHHDE/fEYaWunlwDuTlcFJl1ig0idffPB1qC
+Zp8SSVVY
+--------------msD7863B84BD61E02C407F2F5E--
+
+
+From angela@c2.net.au Thu May 14 14:05:32 1998
+X-UIDL: a7d629b4b9acacaee8b39371b860a32a
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id OAA28033 for <tjh@cryptsoft.com>; Thu, 14 May 1998 14:05:32 +1000 (EST)
+Message-ID: <355A6F3B.AC385981@cryptsoft.com>
+Date: Thu, 14 May 1998 14:12:43 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: encrypted
+Content-Type: application/x-pkcs7-mime; name="smime.p7m"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7m"
+Content-Description: S/MIME Encrypted Message
+Content-Length: 905
+Status: OR
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEA92N29Yk39RUY2tIVd
+exGT2MFX3J6H8LB8aDRJjw7843ALgJ5zXpM5+f80QkAWwEN2A6Pl3VxiCeKLi435zXVyMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0G
+CSqGSIb3DQEBAQUABECR9IfyHtvnjFmZ8B2oUCEs1vxMsG0u1kxKE4RMPFyDqDCEARq7zXMg
+nzSUI7Wgv5USSKDqcLRJeW+jvYURv/nJMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIrLqrij2ZMpeggAQoibtn6reRZWuWk5Iv5IAhgitr8EYE4w4ySQ7EMB6mTlBoFpccUMWX
+BwQgQn1UoWCvYAlhDzURdbui64Dc0rS2wtj+kE/InS6y25EEEPe4NUKaF8/UlE+lo3LtILQE
+CL3uV8k7m0iqAAAAAAAAAAAAAA==
+
diff --git a/crypto/openssl/crypto/pkcs7/t/s.pem b/crypto/openssl/crypto/pkcs7/t/s.pem
new file mode 100644
index 0000000..4fa925b
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/s.pem
@@ -0,0 +1,57 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/crypto/pkcs7/t/server.pem b/crypto/openssl/crypto/pkcs7/t/server.pem
new file mode 100644
index 0000000..989baf8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/t/server.pem
@@ -0,0 +1,57 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/verify.c b/crypto/openssl/crypto/pkcs7/verify.c
new file mode 100644
index 0000000..49fc8d8
--- /dev/null
+++ b/crypto/openssl/crypto/pkcs7/verify.c
@@ -0,0 +1,262 @@
+/* crypto/pkcs7/verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include "example.h"
+
+int verify_callback(int ok, X509_STORE_CTX *ctx);
+
+BIO *bio_err=NULL;
+BIO *bio_out=NULL;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	PKCS7 *p7;
+	PKCS7_SIGNER_INFO *si;
+	X509_STORE_CTX cert_ctx;
+	X509_STORE *cert_store=NULL;
+	BIO *data,*detached=NULL,*p7bio=NULL;
+	char buf[1024*4];
+	char *pp;
+	int i,printit=0;
+	STACK_OF(PKCS7_SIGNER_INFO) *sk;
+
+	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifndef NO_MD2
+	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
+	EVP_add_digest(EVP_md5());
+#endif
+#ifndef NO_SHA1
+	EVP_add_digest(EVP_sha1());
+#endif
+#ifndef NO_MDC2
+	EVP_add_digest(EVP_mdc2());
+#endif
+
+	data=BIO_new(BIO_s_file());
+
+	pp=NULL;
+	while (argc > 1)
+		{
+		argc--;
+		argv++;
+		if (strcmp(argv[0],"-p") == 0)
+			{
+			printit=1;
+			}
+		else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
+			{
+			detached=BIO_new(BIO_s_file());
+			if (!BIO_read_filename(detached,argv[1]))
+				goto err;
+			argc--;
+			argv++;
+			}
+		else
+			{
+			pp=argv[0];
+			if (!BIO_read_filename(data,argv[0]))
+				goto err;
+			}
+		}
+
+	if (pp == NULL)
+		BIO_set_fp(data,stdin,BIO_NOCLOSE);
+
+
+	/* Load the PKCS7 object from a file */
+	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
+
+	/* This stuff is being setup for certificate verification.
+	 * When using SSL, it could be replaced with a 
+	 * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
+	cert_store=X509_STORE_new();
+	X509_STORE_set_default_paths(cert_store);
+	X509_STORE_load_locations(cert_store,NULL,"../../certs");
+	X509_STORE_set_verify_cb_func(cert_store,verify_callback);
+
+	ERR_clear_error();
+
+	/* We need to process the data */
+	if ((PKCS7_get_detached(p7) || detached))
+		{
+		if (detached == NULL)
+			{
+			printf("no data to verify the signature on\n");
+			exit(1);
+			}
+		else
+			p7bio=PKCS7_dataInit(p7,detached);
+		}
+	else
+		{
+		p7bio=PKCS7_dataInit(p7,NULL);
+		}
+
+	/* We now have to 'read' from p7bio to calculate digests etc. */
+	for (;;)
+		{
+		i=BIO_read(p7bio,buf,sizeof(buf));
+		/* print it? */
+		if (i <= 0) break;
+		}
+
+	/* We can now verify signatures */
+	sk=PKCS7_get_signer_info(p7);
+	if (sk == NULL)
+		{
+		printf("there are no signatures on this data\n");
+		exit(1);
+		}
+
+	/* Ok, first we need to, for each subject entry, see if we can verify */
+	for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
+		{
+		ASN1_UTCTIME *tm;
+		char *str1,*str2;
+
+		si=sk_PKCS7_SIGNER_INFO_value(sk,i);
+		i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
+		if (i <= 0)
+			goto err;
+		printf("signer info\n");
+		if ((tm=get_signed_time(si)) != NULL)
+			{
+			BIO_printf(bio_out,"Signed time:");
+			ASN1_UTCTIME_print(bio_out,tm);
+			ASN1_UTCTIME_free(tm);
+			BIO_printf(bio_out,"\n");
+			}
+		if (get_signed_seq2string(si,&str1,&str2))
+			{
+			BIO_printf(bio_out,"String 1 is %s\n",str1);
+			BIO_printf(bio_out,"String 2 is %s\n",str2);
+			}
+
+		}
+
+	X509_STORE_free(cert_store);
+
+	printf("done\n");
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	}
+
+/* should be X509 * but we can just have them as char *. */
+int verify_callback(int ok, X509_STORE_CTX *ctx)
+	{
+	char buf[256];
+	X509 *err_cert;
+	int err,depth;
+
+	err_cert=X509_STORE_CTX_get_current_cert(ctx);
+	err=	X509_STORE_CTX_get_error(ctx);
+	depth=	X509_STORE_CTX_get_error_depth(ctx);
+
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+	if (!ok)
+		{
+		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
+			X509_verify_cert_error_string(err));
+		if (depth < 6)
+			{
+			ok=1;
+			X509_STORE_CTX_set_error(ctx,X509_V_OK);
+			}
+		else
+			{
+			ok=0;
+			X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
+			}
+		}
+	switch (ctx->error)
+		{
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+		BIO_printf(bio_err,"issuer= %s\n",buf);
+		break;
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		BIO_printf(bio_err,"notBefore=");
+		ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		BIO_printf(bio_err,"notAfter=");
+		ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
+		BIO_printf(bio_err,"\n");
+		break;
+		}
+	BIO_printf(bio_err,"verify return:%d\n",ok);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/rand/Makefile.save b/crypto/openssl/crypto/rand/Makefile.save
new file mode 100644
index 0000000..2d4541f
--- /dev/null
+++ b/crypto/openssl/crypto/rand/Makefile.save
@@ -0,0 +1,92 @@
+#
+# SSLeay/crypto/rand/Makefile
+#
+
+DIR=	rand
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= randtest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rand.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_egd.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+rand_err.o: ../../include/openssl/err.h ../../include/openssl/rand.h
+rand_lib.o: ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl
new file mode 100644
index 0000000..2d4541f
--- /dev/null
+++ b/crypto/openssl/crypto/rand/Makefile.ssl
@@ -0,0 +1,92 @@
+#
+# SSLeay/crypto/rand/Makefile
+#
+
+DIR=	rand
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= randtest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rand.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+md_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_egd.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+rand_err.o: ../../include/openssl/err.h ../../include/openssl/rand.h
+rand_lib.o: ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c
new file mode 100644
index 0000000..da4258c
--- /dev/null
+++ b/crypto/openssl/crypto/rand/md_rand.c
@@ -0,0 +1,712 @@
+/* crypto/rand/md_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define ENTROPY_NEEDED 16  /* require 128 bits = 16 bytes of randomness */
+
+#ifndef MD_RAND_DEBUG
+# ifndef NDEBUG
+#   define NDEBUG
+# endif
+#endif
+
+#include <assert.h>
+#include <stdio.h>
+#include <time.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#define USE_SHA1_RAND
+#elif !defined(NO_MD5)
+#define USE_MD5_RAND
+#elif !defined(NO_MDC2) && !defined(NO_DES)
+#define USE_MDC2_RAND
+#elif !defined(NO_MD2)
+#define USE_MD2_RAND
+#else
+#error No message digest algorithm available
+#endif
+#endif
+
+/* Changed how the state buffer used.  I now attempt to 'wrap' such
+ * that I don't run over the same locations the next time  go through
+ * the 1023 bytes - many thanks to
+ * Robert J. LeBlanc <rjl@renaissoft.com> for his comments
+ */
+
+#if defined(USE_MD5_RAND)
+#include <openssl/md5.h>
+#define MD_DIGEST_LENGTH	MD5_DIGEST_LENGTH
+#define MD_CTX			MD5_CTX
+#define MD_Init(a)		MD5_Init(a)
+#define MD_Update(a,b,c)	MD5_Update(a,b,c)
+#define	MD_Final(a,b)		MD5_Final(a,b)
+#define	MD(a,b,c)		MD5(a,b,c)
+#elif defined(USE_SHA1_RAND)
+#include <openssl/sha.h>
+#define MD_DIGEST_LENGTH	SHA_DIGEST_LENGTH
+#define MD_CTX			SHA_CTX
+#define MD_Init(a)		SHA1_Init(a)
+#define MD_Update(a,b,c)	SHA1_Update(a,b,c)
+#define	MD_Final(a,b)		SHA1_Final(a,b)
+#define	MD(a,b,c)		SHA1(a,b,c)
+#elif defined(USE_MDC2_RAND)
+#include <openssl/mdc2.h>
+#define MD_DIGEST_LENGTH	MDC2_DIGEST_LENGTH
+#define MD_CTX			MDC2_CTX
+#define MD_Init(a)		MDC2_Init(a)
+#define MD_Update(a,b,c)	MDC2_Update(a,b,c)
+#define	MD_Final(a,b)		MDC2_Final(a,b)
+#define	MD(a,b,c)		MDC2(a,b,c)
+#elif defined(USE_MD2_RAND)
+#include <openssl/md2.h>
+#define MD_DIGEST_LENGTH	MD2_DIGEST_LENGTH
+#define MD_CTX			MD2_CTX
+#define MD_Init(a)		MD2_Init(a)
+#define MD_Update(a,b,c)	MD2_Update(a,b,c)
+#define	MD_Final(a,b)		MD2_Final(a,b)
+#define	MD(a,b,c)		MD2(a,b,c)
+#endif
+
+#include <openssl/rand.h>
+
+#ifdef BN_DEBUG
+# define PREDICT
+#endif
+
+/* #define NORAND	1 */
+/* #define PREDICT	1 */
+
+#define STATE_SIZE	1023
+static int state_num=0,state_index=0;
+static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
+static unsigned char md[MD_DIGEST_LENGTH];
+static long md_count[2]={0,0};
+static double entropy=0;
+static int initialized=0;
+
+#ifdef PREDICT
+int rand_predictable=0;
+#endif
+
+const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
+
+static void ssleay_rand_cleanup(void);
+static void ssleay_rand_seed(const void *buf, int num);
+static void ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+static int ssleay_rand_status(void);
+
+RAND_METHOD rand_ssleay_meth={
+	ssleay_rand_seed,
+	ssleay_rand_bytes,
+	ssleay_rand_cleanup,
+	ssleay_rand_add,
+	ssleay_rand_pseudo_bytes,
+	ssleay_rand_status
+	}; 
+
+RAND_METHOD *RAND_SSLeay(void)
+	{
+	return(&rand_ssleay_meth);
+	}
+
+static void ssleay_rand_cleanup(void)
+	{
+	memset(state,0,sizeof(state));
+	state_num=0;
+	state_index=0;
+	memset(md,0,MD_DIGEST_LENGTH);
+	md_count[0]=0;
+	md_count[1]=0;
+	entropy=0;
+	}
+
+static void ssleay_rand_add(const void *buf, int num, double add)
+	{
+	int i,j,k,st_idx;
+	long md_c[2];
+	unsigned char local_md[MD_DIGEST_LENGTH];
+	MD_CTX m;
+
+#ifdef NORAND
+	return;
+#endif
+
+	/*
+	 * (Based on the rand(3) manpage)
+	 *
+	 * The input is chopped up into units of 20 bytes (or less for
+	 * the last block).  Each of these blocks is run through the hash
+	 * function as follows:  The data passed to the hash function
+	 * is the current 'md', the same number of bytes from the 'state'
+	 * (the location determined by in incremented looping index) as
+	 * the current 'block', the new key data 'block', and 'count'
+	 * (which is incremented after each use).
+	 * The result of this is kept in 'md' and also xored into the
+	 * 'state' at the same locations that were used as input into the
+         * hash function.
+	 */
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	st_idx=state_index;
+
+	/* use our own copies of the counters so that even
+	 * if a concurrent thread seeds with exactly the
+	 * same data and uses the same subarray there's _some_
+	 * difference */
+	md_c[0] = md_count[0];
+	md_c[1] = md_count[1];
+
+	memcpy(local_md, md, sizeof md);
+
+	/* state_index <= state_num <= STATE_SIZE */
+	state_index += num;
+	if (state_index >= STATE_SIZE)
+		{
+		state_index%=STATE_SIZE;
+		state_num=STATE_SIZE;
+		}
+	else if (state_num < STATE_SIZE)	
+		{
+		if (state_index > state_num)
+			state_num=state_index;
+		}
+	/* state_index <= state_num <= STATE_SIZE */
+
+	/* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE]
+	 * are what we will use now, but other threads may use them
+	 * as well */
+
+	md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
+		{
+		j=(num-i);
+		j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
+
+		MD_Init(&m);
+		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+		k=(st_idx+j)-STATE_SIZE;
+		if (k > 0)
+			{
+			MD_Update(&m,&(state[st_idx]),j-k);
+			MD_Update(&m,&(state[0]),k);
+			}
+		else
+			MD_Update(&m,&(state[st_idx]),j);
+			
+		MD_Update(&m,buf,j);
+		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+		MD_Final(local_md,&m);
+		md_c[1]++;
+
+		buf=(const char *)buf + j;
+
+		for (k=0; k<j; k++)
+			{
+			/* Parallel threads may interfere with this,
+			 * but always each byte of the new state is
+			 * the XOR of some previous value of its
+			 * and local_md (itermediate values may be lost).
+			 * Alway using locking could hurt performance more
+			 * than necessary given that conflicts occur only
+			 * when the total seeding is longer than the random
+			 * state. */
+			state[st_idx++]^=local_md[k];
+			if (st_idx >= STATE_SIZE)
+				st_idx=0;
+			}
+		}
+	memset((char *)&m,0,sizeof(m));
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	/* Don't just copy back local_md into md -- this could mean that
+	 * other thread's seeding remains without effect (except for
+	 * the incremented counter).  By XORing it we keep at least as
+	 * much entropy as fits into md. */
+	for (k = 0; k < sizeof md; k++)
+		{
+		md[k] ^= local_md[k];
+		}
+	if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
+	    entropy += add;
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	
+#ifndef THREADS	
+	assert(md_c[1] == md_count[1]);
+#endif
+	}
+
+static void ssleay_rand_seed(const void *buf, int num)
+	{
+	ssleay_rand_add(buf, num, num);
+	}
+
+static void ssleay_rand_initialize(void)
+	{
+	unsigned long l;
+#ifndef GETPID_IS_MEANINGLESS
+	pid_t curr_pid = getpid();
+#endif
+#ifdef DEVRANDOM
+	FILE *fh;
+#endif
+
+#ifdef NORAND
+	return;
+#endif
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	/* put in some default random data, we need more than just this */
+#ifndef GETPID_IS_MEANINGLESS
+	l=curr_pid;
+	RAND_add(&l,sizeof(l),0);
+	l=getuid();
+	RAND_add(&l,sizeof(l),0);
+#endif
+	l=time(NULL);
+	RAND_add(&l,sizeof(l),0);
+
+#ifdef DEVRANDOM
+	/* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+	 * have this. Use /dev/urandom if you can as /dev/random may block
+	 * if it runs out of random entries.  */
+
+	if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+		{
+		unsigned char tmpbuf[ENTROPY_NEEDED];
+		int n;
+		
+		setvbuf(fh, NULL, _IONBF, 0);
+		n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+		fclose(fh);
+		RAND_add(tmpbuf,sizeof tmpbuf,n);
+		memset(tmpbuf,0,n);
+		}
+#endif
+#ifdef PURIFY
+	memset(state,0,STATE_SIZE);
+	memset(md,0,MD_DIGEST_LENGTH);
+#endif
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	initialized=1;
+	}
+
+static int ssleay_rand_bytes(unsigned char *buf, int num)
+	{
+	int i,j,k,st_num,st_idx;
+	int ok;
+	long md_c[2];
+	unsigned char local_md[MD_DIGEST_LENGTH];
+	MD_CTX m;
+#ifndef GETPID_IS_MEANINGLESS
+	pid_t curr_pid = getpid();
+#endif
+
+#ifdef PREDICT
+	if (rand_predictable)
+		{
+		static unsigned char val=0;
+
+		for (i=0; i<num; i++)
+			buf[i]=val++;
+		return(1);
+		}
+#endif
+
+	/*
+	 * (Based on the rand(3) manpage:)
+	 *
+	 * For each group of 10 bytes (or less), we do the following:
+	 *
+	 * Input into the hash function the top 10 bytes from the
+	 * local 'md' (which is initialized from the global 'md'
+	 * before any bytes are generated), the bytes that are
+	 * to be overwritten by the random bytes, and bytes from the
+	 * 'state' (incrementing looping index).  From this digest output
+	 * (which is kept in 'md'), the top (up to) 10 bytes are
+	 * returned to the caller and the bottom (up to) 10 bytes are xored
+	 * into the 'state'.
+	 * Finally, after we have finished 'num' random bytes for the
+	 * caller, 'count' (which is incremented) and the local and global 'md'
+	 * are fed into the hash function and the results are kept in the
+	 * global 'md'.
+	 */
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+	if (!initialized)
+		ssleay_rand_initialize();
+
+	ok = (entropy >= ENTROPY_NEEDED);
+	if (!ok)
+		{
+		/* If the PRNG state is not yet unpredictable, then seeing
+		 * the PRNG output may help attackers to determine the new
+		 * state; thus we have to decrease the entropy estimate.
+		 * Once we've had enough initial seeding we don't bother to
+		 * adjust the entropy count, though, because we're not ambitious
+		 * to provide *information-theoretic* randomness.
+		 */
+		entropy -= num;
+		if (entropy < 0)
+			entropy = 0;
+		}
+
+	st_idx=state_index;
+	st_num=state_num;
+	md_c[0] = md_count[0];
+	md_c[1] = md_count[1];
+	memcpy(local_md, md, sizeof md);
+
+	state_index+=num;
+	if (state_index > state_num)
+		state_index %= state_num;
+
+	/* state[st_idx], ..., state[(st_idx + num - 1) % st_num]
+	 * are now ours (but other threads may use them too) */
+
+	md_count[0] += 1;
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	while (num > 0)
+		{
+		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
+		num-=j;
+		MD_Init(&m);
+#ifndef GETPID_IS_MEANINGLESS
+		if (curr_pid) /* just in the first iteration to save time */
+			{
+			MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+			curr_pid = 0;
+			}
+#endif
+		MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
+		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+#ifndef PURIFY
+		MD_Update(&m,buf,j); /* purify complains */
+#endif
+		k=(st_idx+j)-st_num;
+		if (k > 0)
+			{
+			MD_Update(&m,&(state[st_idx]),j-k);
+			MD_Update(&m,&(state[0]),k);
+			}
+		else
+			MD_Update(&m,&(state[st_idx]),j);
+		MD_Final(local_md,&m);
+
+		for (i=0; i<j; i++)
+			{
+			state[st_idx++]^=local_md[i]; /* may compete with other threads */
+			*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
+			if (st_idx >= st_num)
+				st_idx=0;
+			}
+		}
+
+	MD_Init(&m);
+	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	MD_Update(&m,md,MD_DIGEST_LENGTH);
+	MD_Final(md,&m);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	memset(&m,0,sizeof(m));
+	if (ok)
+		return(1);
+	else
+		{
+		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
+		return(0);
+		}
+	}
+
+/* pseudo-random bytes that are guaranteed to be unique but not
+   unpredictable */
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
+	{
+	int ret, err;
+
+	ret = RAND_bytes(buf, num);
+	if (ret == 0)
+		{
+		err = ERR_peek_error();
+		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
+		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
+			(void)ERR_get_error();
+		}
+	return (ret);
+	}
+
+static int ssleay_rand_status(void)
+	{
+	int ret;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+	if (!initialized)
+		ssleay_rand_initialize();
+	ret = entropy >= ENTROPY_NEEDED;
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	return ret;
+	}
+
+#ifdef WINDOWS
+#include <windows.h>
+#include <openssl/rand.h>
+
+int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
+        {
+        double add_entropy=0;
+        SYSTEMTIME t;
+
+        switch (iMsg)
+                {
+        case WM_KEYDOWN:
+                        {
+                        static WPARAM key;
+                        if (key != wParam)
+                                add_entropy = 0.05;
+                        key = wParam;
+                        }
+                        break;
+	case WM_MOUSEMOVE:
+                        {
+                        static int lastx,lasty,lastdx,lastdy;
+                        int x,y,dx,dy;
+
+                        x=LOWORD(lParam);
+                        y=HIWORD(lParam);
+                        dx=lastx-x;
+                        dy=lasty-y;
+                        if (dx != 0 && dy != 0 && dx-lastdx != 0 && dy-lastdy != 0)
+                                add_entropy=.2;
+                        lastx=x, lasty=y;
+                        lastdx=dx, lastdy=dy;
+                        }
+		break;
+		}
+
+        GetSystemTime(&t);
+        RAND_add(&iMsg, sizeof(iMsg), add_entropy);
+	RAND_add(&wParam, sizeof(wParam), 0);
+	RAND_add(&lParam, sizeof(lParam), 0);
+        RAND_add(&t, sizeof(t), 0);
+
+	return (RAND_status());
+	}
+
+/*****************************************************************************
+ * Initialisation function for the SSL random generator.  Takes the contents
+ * of the screen as random seed.
+ *
+ * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V.
+ *
+ * Code adapted from
+ * <URL:http://www.microsoft.com/kb/developr/win_dk/q97193.htm>;
+ * the original copyright message is:
+ *
+ *   (C) Copyright Microsoft Corp. 1993.  All rights reserved.
+ *
+ *   You have a royalty-free right to use, modify, reproduce and
+ *   distribute the Sample Files (and/or any modified version) in
+ *   any way you find useful, provided that you agree that
+ *   Microsoft has no warranty obligations or liability for any
+ *   Sample Application Files which are modified.
+ */
+/*
+ * I have modified the loading of bytes via RAND_seed() mechanism since
+ * the original would have been very very CPU intensive since RAND_seed()
+ * does an MD5 per 16 bytes of input.  The cost to digest 16 bytes is the same
+ * as that to digest 56 bytes.  So under the old system, a screen of
+ * 1024*768*256 would have been CPU cost of approximately 49,000 56 byte MD5
+ * digests or digesting 2.7 mbytes.  What I have put in place would
+ * be 48 16k MD5 digests, or effectively 48*16+48 MD5 bytes or 816 kbytes
+ * or about 3.5 times as much.
+ * - eric 
+ */
+void RAND_screen(void)
+{
+  HDC		hScrDC;		/* screen DC */
+  HDC		hMemDC;		/* memory DC */
+  HBITMAP	hBitmap;	/* handle for our bitmap */
+  HBITMAP	hOldBitmap;	/* handle for previous bitmap */
+  BITMAP	bm;		/* bitmap properties */
+  unsigned int	size;		/* size of bitmap */
+  char		*bmbits;	/* contents of bitmap */
+  int		w;		/* screen width */
+  int		h;		/* screen height */
+  int		y;		/* y-coordinate of screen lines to grab */
+  int		n = 16;		/* number of screen lines to grab at a time */
+
+  /* Create a screen DC and a memory DC compatible to screen DC */
+  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hMemDC = CreateCompatibleDC(hScrDC);
+
+  /* Get screen resolution */
+  w = GetDeviceCaps(hScrDC, HORZRES);
+  h = GetDeviceCaps(hScrDC, VERTRES);
+
+  /* Create a bitmap compatible with the screen DC */
+  hBitmap = CreateCompatibleBitmap(hScrDC, w, n);
+
+  /* Select new bitmap into memory DC */
+  hOldBitmap = SelectObject(hMemDC, hBitmap);
+
+  /* Get bitmap properties */
+  GetObject(hBitmap, sizeof(BITMAP), (LPSTR)&bm);
+  size = (unsigned int)bm.bmWidthBytes * bm.bmHeight * bm.bmPlanes;
+
+  bmbits = Malloc(size);
+  if (bmbits) {
+    /* Now go through the whole screen, repeatedly grabbing n lines */
+    for (y = 0; y < h-n; y += n)
+    	{
+	unsigned char md[MD_DIGEST_LENGTH];
+
+	/* Bitblt screen DC to memory DC */
+	BitBlt(hMemDC, 0, 0, w, n, hScrDC, 0, y, SRCCOPY);
+
+	/* Copy bitmap bits from memory DC to bmbits */
+	GetBitmapBits(hBitmap, size, bmbits);
+
+	/* Get the MD5 of the bitmap */
+	MD(bmbits,size,md);
+
+	/* Seed the random generator with the MD5 digest */
+	RAND_seed(md, MD_DIGEST_LENGTH);
+	}
+
+    Free(bmbits);
+  }
+
+  /* Select old bitmap back into memory DC */
+  hBitmap = SelectObject(hMemDC, hOldBitmap);
+
+  /* Clean up */
+  DeleteObject(hBitmap);
+  DeleteDC(hMemDC);
+  DeleteDC(hScrDC);
+}
+#endif
diff --git a/crypto/openssl/crypto/rand/rand.h b/crypto/openssl/crypto/rand/rand.h
new file mode 100644
index 0000000..2973ee9
--- /dev/null
+++ b/crypto/openssl/crypto/rand/rand.h
@@ -0,0 +1,117 @@
+/* crypto/rand/rand.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RAND_H
+#define HEADER_RAND_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+typedef struct rand_meth_st
+	{
+	void (*seed)(const void *buf, int num);
+	int (*bytes)(unsigned char *buf, int num);
+	void (*cleanup)(void);
+	void (*add)(const void *buf, int num, double entropy);
+	int (*pseudorand)(unsigned char *buf, int num);
+	int (*status)(void);
+	} RAND_METHOD;
+
+#ifdef BN_DEBUG
+extern int rand_predictable;
+#endif
+
+void RAND_set_rand_method(RAND_METHOD *meth);
+RAND_METHOD *RAND_get_rand_method(void );
+RAND_METHOD *RAND_SSLeay(void);
+void RAND_cleanup(void );
+int  RAND_bytes(unsigned char *buf,int num);
+int  RAND_pseudo_bytes(unsigned char *buf,int num);
+void RAND_seed(const void *buf,int num);
+void RAND_add(const void *buf,int num,double entropy);
+int  RAND_load_file(const char *file,long max_bytes);
+int  RAND_write_file(const char *file);
+const char *RAND_file_name(char *file,int num);
+int RAND_status(void);
+int RAND_egd(const char *path);
+#if defined(WINDOWS) || defined(WIN32)
+#include <windows.h>
+void RAND_screen(void);
+int RAND_event(UINT, WPARAM, LPARAM);
+#endif
+void	ERR_load_RAND_strings(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the RAND functions. */
+
+/* Function codes. */
+#define RAND_F_SSLEAY_RAND_BYTES			 100
+
+/* Reason codes. */
+#define RAND_R_PRNG_NOT_SEEDED				 100
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c
new file mode 100644
index 0000000..380c782
--- /dev/null
+++ b/crypto/openssl/crypto/rand/rand_egd.c
@@ -0,0 +1,110 @@
+/* crypto/rand/rand_egd.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/rand.h>
+
+/* Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
+ */
+
+#if defined(WIN32) || defined(VMS) || defined(__VMS)
+int RAND_egd(const char *path)
+	{
+	return(-1);
+	}
+#else
+#include <openssl/opensslconf.h>
+#include OPENSSL_UNISTD
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <string.h>
+
+#ifndef offsetof
+#  define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
+#endif
+
+int RAND_egd(const char *path)
+	{
+	int ret = -1;
+	struct sockaddr_un addr;
+	int len, num;
+	int fd = -1;
+	unsigned char buf[256];
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sun_family = AF_UNIX;
+	if (strlen(path) > sizeof(addr.sun_path))
+		return (-1);
+	strcpy(addr.sun_path,path);
+	len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1) return (-1);
+	if (connect(fd, (struct sockaddr *)&addr, len) == -1) goto err;
+	buf[0] = 1;
+	buf[1] = 255;
+	write(fd, buf, 2);
+	if (read(fd, buf, 1) != 1) goto err;
+	if (buf[0] == 0) goto err;
+	num = read(fd, buf, 255);
+	if (num < 1) goto err;
+	RAND_seed(buf, num);
+	if (RAND_status() == 1)
+		ret = num;
+ err:
+	if (fd != -1) close(fd);
+	return(ret);
+	}
+#endif
diff --git a/crypto/openssl/crypto/rand/rand_err.c b/crypto/openssl/crypto/rand/rand_err.c
new file mode 100644
index 0000000..1af0aa0
--- /dev/null
+++ b/crypto/openssl/crypto/rand/rand_err.c
@@ -0,0 +1,94 @@
+/* crypto/rand/rand_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA RAND_str_functs[]=
+	{
+{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),	"SSLEAY_RAND_BYTES"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA RAND_str_reasons[]=
+	{
+{RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_RAND_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
+		ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/rand/rand_lib.c b/crypto/openssl/crypto/rand/rand_lib.c
new file mode 100644
index 0000000..7da74aa
--- /dev/null
+++ b/crypto/openssl/crypto/rand/rand_lib.c
@@ -0,0 +1,117 @@
+/* crypto/rand/rand_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <openssl/rand.h>
+
+#ifdef NO_RAND
+static RAND_METHOD *rand_meth=NULL;
+#else
+extern RAND_METHOD rand_ssleay_meth;
+static RAND_METHOD *rand_meth= &rand_ssleay_meth;
+#endif
+
+void RAND_set_rand_method(RAND_METHOD *meth)
+	{
+	rand_meth=meth;
+	}
+
+RAND_METHOD *RAND_get_rand_method(void)
+	{
+	return(rand_meth);
+	}
+
+void RAND_cleanup(void)
+	{
+	if (rand_meth != NULL)
+		rand_meth->cleanup();
+	}
+
+void RAND_seed(const void *buf, int num)
+	{
+	if (rand_meth != NULL)
+		rand_meth->seed(buf,num);
+	}
+
+void RAND_add(const void *buf, int num, double entropy)
+	{
+	if (rand_meth != NULL)
+		rand_meth->add(buf,num,entropy);
+	}
+
+int RAND_bytes(unsigned char *buf, int num)
+	{
+	if (rand_meth != NULL)
+		return rand_meth->bytes(buf,num);
+	return(-1);
+	}
+
+int RAND_pseudo_bytes(unsigned char *buf, int num)
+	{
+	if (rand_meth != NULL)
+		return rand_meth->pseudorand(buf,num);
+	return(-1);
+	}
+
+int RAND_status(void)
+	{
+	if (rand_meth != NULL)
+		return rand_meth->status();
+	return 0;
+	}
diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c
new file mode 100644
index 0000000..9ff3974
--- /dev/null
+++ b/crypto/openssl/crypto/rand/randfile.c
@@ -0,0 +1,221 @@
+/* crypto/rand/randfile.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#ifdef VMS
+#include <unixio.h>
+#endif
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef MAC_OS_pre_X
+# include <stat.h>
+#else
+# include <sys/stat.h>
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+
+#undef BUFSIZE
+#define BUFSIZE	1024
+#define RAND_DATA 1024
+
+/* #define RFILE ".rnd" - defined in ../../e_os.h */
+
+int RAND_load_file(const char *file, long bytes)
+	{
+	/* If bytes >= 0, read up to 'bytes' bytes.
+	 * if bytes == -1, read complete file. */
+
+	MS_STATIC unsigned char buf[BUFSIZE];
+	struct stat sb;
+	int i,ret=0,n;
+	FILE *in;
+
+	if (file == NULL) return(0);
+
+	i=stat(file,&sb);
+	/* If the state fails, put some crap in anyway */
+	RAND_add(&sb,sizeof(sb),0);
+	if (i < 0) return(0);
+	if (bytes == 0) return(ret);
+
+	in=fopen(file,"rb");
+	if (in == NULL) goto err;
+	for (;;)
+		{
+		if (bytes > 0)
+			n = (bytes < BUFSIZE)?(int)bytes:BUFSIZE;
+		else
+			n = BUFSIZE;
+		i=fread(buf,1,n,in);
+		if (i <= 0) break;
+		/* even if n != i, use the full array */
+		RAND_add(buf,n,i);
+		ret+=i;
+		if (bytes > 0)
+			{
+			bytes-=n;
+			if (bytes == 0) break;
+			}
+		}
+	fclose(in);
+	memset(buf,0,BUFSIZE);
+err:
+	return(ret);
+	}
+
+int RAND_write_file(const char *file)
+	{
+	unsigned char buf[BUFSIZE];
+	int i,ret=0,err=0;
+	FILE *out = NULL;
+	int n;
+	
+#if defined(O_CREAT) && defined(O_EXCL) && !defined(WIN32)
+	/* For some reason Win32 can't write to files created this way */
+
+        /* chmod(..., 0600) is too late to protect the file,
+         * permissions should be restrictive from the start */
+        int fd = open(file, O_CREAT | O_EXCL, 0600);
+        if (fd != -1)
+                out = fdopen(fd, "wb");
+#endif
+        if (out == NULL)
+                out = fopen(file,"wb");
+        if (out == NULL) goto err;
+
+#ifndef NO_CHMOD
+	chmod(file,0600);
+#endif
+	n=RAND_DATA;
+	for (;;)
+		{
+		i=(n > BUFSIZE)?BUFSIZE:n;
+		n-=BUFSIZE;
+		if (RAND_bytes(buf,i) <= 0)
+			err=1;
+		i=fwrite(buf,1,i,out);
+		if (i <= 0)
+			{
+			ret=0;
+			break;
+			}
+		ret+=i;
+		if (n <= 0) break;
+                }
+#ifdef VMS
+	/* Try to delete older versions of the file, until there aren't
+	   any */
+	{
+	char *tmpf;
+
+	tmpf = Malloc(strlen(file) + 4);  /* to add ";-1" and a nul */
+	if (tmpf)
+		{
+		strcpy(tmpf, file);
+		strcat(tmpf, ";-1");
+		while(delete(tmpf) == 0)
+			;
+		rename(file,";1"); /* Make sure it's version 1, or we
+				      will reach the limit (32767) at
+				      some point... */
+		}
+	}
+#endif /* VMS */
+
+	fclose(out);
+	memset(buf,0,BUFSIZE);
+err:
+	return(err ? -1 : ret);
+	}
+
+const char *RAND_file_name(char *buf, int size)
+	{
+	char *s;
+	char *ret=NULL;
+
+	s=getenv("RANDFILE");
+	if (s != NULL)
+		{
+		strncpy(buf,s,size-1);
+		buf[size-1]='\0';
+		ret=buf;
+		}
+	else
+		{
+		s=getenv("HOME");
+		if (s == NULL) return(RFILE);
+		if (((int)(strlen(s)+strlen(RFILE)+2)) > size)
+			return(RFILE);
+		strcpy(buf,s);
+#ifndef VMS
+		strcat(buf,"/");
+#endif
+		strcat(buf,RFILE);
+		ret=buf;
+		}
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/rand/randtest.c b/crypto/openssl/crypto/rand/randtest.c
new file mode 100644
index 0000000..da96e3f
--- /dev/null
+++ b/crypto/openssl/crypto/rand/randtest.c
@@ -0,0 +1,207 @@
+/* crypto/rand/randtest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rand.h>
+
+/* some FIPS 140-1 random number test */
+/* some simple tests */
+
+int main()
+	{
+	unsigned char buf[2500];
+	int i,j,k,s,sign,nsign,err=0;
+	unsigned long n1;
+	unsigned long n2[16];
+	unsigned long runs[2][34];
+	/*double d; */
+	long d;
+
+	RAND_pseudo_bytes(buf,2500);
+
+	n1=0;
+	for (i=0; i<16; i++) n2[i]=0;
+	for (i=0; i<34; i++) runs[0][i]=runs[1][i]=0;
+
+	/* test 1 and 2 */
+	sign=0;
+	nsign=0;
+	for (i=0; i<2500; i++)
+		{
+		j=buf[i];
+
+		n2[j&0x0f]++;
+		n2[(j>>4)&0x0f]++;
+
+		for (k=0; k<8; k++)
+			{
+			s=(j&0x01);
+			if (s == sign)
+				nsign++;
+			else
+				{
+				if (nsign > 34) nsign=34;
+				if (nsign != 0)
+					{
+					runs[sign][nsign-1]++;
+					if (nsign > 6)
+						runs[sign][5]++;
+					}
+				sign=s;
+				nsign=1;
+				}
+
+			if (s) n1++;
+			j>>=1;
+			}
+		}
+		if (nsign > 34) nsign=34;
+		if (nsign != 0) runs[sign][nsign-1]++;
+
+	/* test 1 */
+	if (!((9654 < n1) && (n1 < 10346)))
+		{
+		printf("test 1 failed, X=%lu\n",n1);
+		err++;
+		}
+	printf("test 1 done\n");
+
+	/* test 2 */
+#ifdef undef
+	d=0;
+	for (i=0; i<16; i++)
+		d+=n2[i]*n2[i];
+	d=d*16.0/5000.0-5000.0;
+	if (!((1.03 < d) && (d < 57.4)))
+		{
+		printf("test 2 failed, X=%.2f\n",d);
+		err++;
+		}
+#endif
+	d=0;
+	for (i=0; i<16; i++)
+		d+=n2[i]*n2[i];
+	d=(d*8)/25-500000;
+	if (!((103 < d) && (d < 5740)))
+		{
+		printf("test 2 failed, X=%ld.%02ld\n",d/100L,d%100L);
+		err++;
+		}
+	printf("test 2 done\n");
+
+	/* test 3 */
+	for (i=0; i<2; i++)
+		{
+		if (!((2267 < runs[i][0]) && (runs[i][0] < 2733)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,1,runs[i][0]);
+			err++;
+			}
+		if (!((1079 < runs[i][1]) && (runs[i][1] < 1421)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,2,runs[i][1]);
+			err++;
+			}
+		if (!(( 502 < runs[i][2]) && (runs[i][2] <  748)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,3,runs[i][2]);
+			err++;
+			}
+		if (!(( 223 < runs[i][3]) && (runs[i][3] <  402)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,4,runs[i][3]);
+			err++;
+			}
+		if (!((  90 < runs[i][4]) && (runs[i][4] <  223)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,5,runs[i][4]);
+			err++;
+			}
+		if (!((  90 < runs[i][5]) && (runs[i][5] <  223)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,6,runs[i][5]);
+			err++;
+			}
+		}
+	printf("test 3 done\n");
+	
+	/* test 4 */
+	if (runs[0][33] != 0)
+		{
+		printf("test 4 failed, bit=%d run=%d num=%lu\n",
+			0,34,runs[0][33]);
+		err++;
+		}
+	if (runs[1][33] != 0)
+		{
+		printf("test 4 failed, bit=%d run=%d num=%lu\n",
+			1,34,runs[1][33]);
+		err++;
+		}
+	printf("test 4 done\n");
+	err=((err)?1:0);
+	exit(err);
+	return(err);
+	}
diff --git a/crypto/openssl/crypto/rc2/Makefile.save b/crypto/openssl/crypto/rc2/Makefile.save
new file mode 100644
index 0000000..542397d
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/Makefile.save
@@ -0,0 +1,90 @@
+#
+# SSLeay/crypto/rc2/Makefile
+#
+
+DIR=	rc2
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c rc2ofb64.c
+LIBOBJ=rc2_ecb.o rc2_skey.o rc2_cbc.o rc2cfb64.o rc2ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc2.h
+HEADER=	rc2_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc2_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2_cbc.o: rc2_locl.h
+rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rc2_ecb.o: ../../include/openssl/rc2.h rc2_locl.h
+rc2_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2_skey.o: rc2_locl.h
+rc2cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2cfb64.o: rc2_locl.h
+rc2ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2ofb64.o: rc2_locl.h
diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl
new file mode 100644
index 0000000..542397d
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/Makefile.ssl
@@ -0,0 +1,90 @@
+#
+# SSLeay/crypto/rc2/Makefile
+#
+
+DIR=	rc2
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc2test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c rc2ofb64.c
+LIBOBJ=rc2_ecb.o rc2_skey.o rc2_cbc.o rc2cfb64.o rc2ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc2.h
+HEADER=	rc2_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc2_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2_cbc.o: rc2_locl.h
+rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rc2_ecb.o: ../../include/openssl/rc2.h rc2_locl.h
+rc2_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2_skey.o: rc2_locl.h
+rc2cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2cfb64.o: rc2_locl.h
+rc2ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
+rc2ofb64.o: rc2_locl.h
diff --git a/crypto/openssl/crypto/rc2/Makefile.uni b/crypto/openssl/crypto/rc2/Makefile.uni
new file mode 100644
index 0000000..4dc20c6
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/Makefile.uni
@@ -0,0 +1,73 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+
+DIR=    rc2
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+IDEA_ENC=rc2_cbc.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc2test
+APPS=rc2speed
+
+LIB=librc2.a
+LIBSRC=rc2_skey.c rc2_ecb.c rc2_cbc.c rc2cfb64.c rc2ofb64.c
+LIBOBJ=rc2_skey.o rc2_ecb.o $(IDEA_ENC) rc2cfb64.o rc2ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc2.h
+HEADER= rc2_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/rc2/rc2.h b/crypto/openssl/crypto/rc2/rc2.h
new file mode 100644
index 0000000..9571efb
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2.h
@@ -0,0 +1,99 @@
+/* crypto/rc2/rc2.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC2_H
+#define HEADER_RC2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC2
+#error RC2 is disabled.
+#endif
+
+#define RC2_ENCRYPT	1
+#define RC2_DECRYPT	0
+
+#include <openssl/opensslconf.h> /* RC2_INT */
+#define RC2_BLOCK	8
+#define RC2_KEY_LENGTH	16
+
+typedef struct rc2_key_st
+	{
+	RC2_INT data[64];
+	} RC2_KEY;
+
+ 
+void RC2_set_key(RC2_KEY *key, int len, unsigned char *data,int bits);
+void RC2_ecb_encrypt(unsigned char *in,unsigned char *out,RC2_KEY *key,
+	int enc);
+void RC2_encrypt(unsigned long *data,RC2_KEY *key);
+void RC2_decrypt(unsigned long *data,RC2_KEY *key);
+void RC2_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC2_KEY *ks, unsigned char *iv, int enc);
+void RC2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC2_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void RC2_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC2_KEY *schedule, unsigned char *ivec, int *num);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/rc2/rc2_cbc.c b/crypto/openssl/crypto/rc2/rc2_cbc.c
new file mode 100644
index 0000000..1202184
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2_cbc.c
@@ -0,0 +1,226 @@
+/* crypto/rc2/rc2_cbc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc2.h>
+#include "rc2_locl.h"
+
+void RC2_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC2_KEY *ks, unsigned char *iv, int encrypt)
+	{
+	register unsigned long tin0,tin1;
+	register unsigned long tout0,tout1,xor0,xor1;
+	register long l=length;
+	unsigned long tin[2];
+
+	if (encrypt)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			RC2_encrypt(tin,ks);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			RC2_encrypt(tin,ks);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			RC2_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			RC2_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+void RC2_encrypt(unsigned long *d, RC2_KEY *key)
+	{
+	int i,n;
+	register RC2_INT *p0,*p1;
+	register RC2_INT x0,x1,x2,x3,t;
+	unsigned long l;
+
+	l=d[0];
+	x0=(RC2_INT)l&0xffff;
+	x1=(RC2_INT)(l>>16L);
+	l=d[1];
+	x2=(RC2_INT)l&0xffff;
+	x3=(RC2_INT)(l>>16L);
+
+	n=3;
+	i=5;
+
+	p0=p1= &(key->data[0]);
+	for (;;)
+		{
+		t=(x0+(x1& ~x3)+(x2&x3)+ *(p0++))&0xffff;
+		x0=(t<<1)|(t>>15);
+		t=(x1+(x2& ~x0)+(x3&x0)+ *(p0++))&0xffff;
+		x1=(t<<2)|(t>>14);
+		t=(x2+(x3& ~x1)+(x0&x1)+ *(p0++))&0xffff;
+		x2=(t<<3)|(t>>13);
+		t=(x3+(x0& ~x2)+(x1&x2)+ *(p0++))&0xffff;
+		x3=(t<<5)|(t>>11);
+
+		if (--i == 0)
+			{
+			if (--n == 0) break;
+			i=(n == 2)?6:5;
+
+			x0+=p1[x3&0x3f];
+			x1+=p1[x0&0x3f];
+			x2+=p1[x1&0x3f];
+			x3+=p1[x2&0x3f];
+			}
+		}
+
+	d[0]=(unsigned long)(x0&0xffff)|((unsigned long)(x1&0xffff)<<16L);
+	d[1]=(unsigned long)(x2&0xffff)|((unsigned long)(x3&0xffff)<<16L);
+	}
+
+void RC2_decrypt(unsigned long *d, RC2_KEY *key)
+	{
+	int i,n;
+	register RC2_INT *p0,*p1;
+	register RC2_INT x0,x1,x2,x3,t;
+	unsigned long l;
+
+	l=d[0];
+	x0=(RC2_INT)l&0xffff;
+	x1=(RC2_INT)(l>>16L);
+	l=d[1];
+	x2=(RC2_INT)l&0xffff;
+	x3=(RC2_INT)(l>>16L);
+
+	n=3;
+	i=5;
+
+	p0= &(key->data[63]);
+	p1= &(key->data[0]);
+	for (;;)
+		{
+		t=((x3<<11)|(x3>>5))&0xffff;
+		x3=(t-(x0& ~x2)-(x1&x2)- *(p0--))&0xffff;
+		t=((x2<<13)|(x2>>3))&0xffff;
+		x2=(t-(x3& ~x1)-(x0&x1)- *(p0--))&0xffff;
+		t=((x1<<14)|(x1>>2))&0xffff;
+		x1=(t-(x2& ~x0)-(x3&x0)- *(p0--))&0xffff;
+		t=((x0<<15)|(x0>>1))&0xffff;
+		x0=(t-(x1& ~x3)-(x2&x3)- *(p0--))&0xffff;
+
+		if (--i == 0)
+			{
+			if (--n == 0) break;
+			i=(n == 2)?6:5;
+
+			x3=(x3-p1[x2&0x3f])&0xffff;
+			x2=(x2-p1[x1&0x3f])&0xffff;
+			x1=(x1-p1[x0&0x3f])&0xffff;
+			x0=(x0-p1[x3&0x3f])&0xffff;
+			}
+		}
+
+	d[0]=(unsigned long)(x0&0xffff)|((unsigned long)(x1&0xffff)<<16L);
+	d[1]=(unsigned long)(x2&0xffff)|((unsigned long)(x3&0xffff)<<16L);
+	}
+
diff --git a/crypto/openssl/crypto/rc2/rc2_ecb.c b/crypto/openssl/crypto/rc2/rc2_ecb.c
new file mode 100644
index 0000000..7d77b91
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2_ecb.c
@@ -0,0 +1,88 @@
+/* crypto/rc2/rc2_ecb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc2.h>
+#include "rc2_locl.h"
+#include <openssl/opensslv.h>
+
+const char *RC2_version="RC2" OPENSSL_VERSION_PTEXT;
+
+/* RC2 as implemented frm a posting from
+ * Newsgroups: sci.crypt
+ * Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+ * Subject: Specification for Ron Rivests Cipher No.2
+ * Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+ * Date: 11 Feb 1996 06:45:03 GMT
+ */
+
+void RC2_ecb_encrypt(unsigned char *in, unsigned char *out, RC2_KEY *ks,
+	     int encrypt)
+	{
+	unsigned long l,d[2];
+
+	c2l(in,l); d[0]=l;
+	c2l(in,l); d[1]=l;
+	if (encrypt)
+		RC2_encrypt(d,ks);
+	else
+		RC2_decrypt(d,ks);
+	l=d[0]; l2c(l,out);
+	l=d[1]; l2c(l,out);
+	l=d[0]=d[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/rc2/rc2_locl.h b/crypto/openssl/crypto/rc2/rc2_locl.h
new file mode 100644
index 0000000..565cd17
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2_locl.h
@@ -0,0 +1,156 @@
+/* crypto/rc2/rc2_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+#define C_RC2(n) \
+	t=(x0+(x1& ~x3)+(x2&x3)+ *(p0++))&0xffff; \
+	x0=(t<<1)|(t>>15); \
+	t=(x1+(x2& ~x0)+(x3&x0)+ *(p0++))&0xffff; \
+	x1=(t<<2)|(t>>14); \
+	t=(x2+(x3& ~x1)+(x0&x1)+ *(p0++))&0xffff; \
+	x2=(t<<3)|(t>>13); \
+	t=(x3+(x0& ~x2)+(x1&x2)+ *(p0++))&0xffff; \
+	x3=(t<<5)|(t>>11);
+
diff --git a/crypto/openssl/crypto/rc2/rc2_skey.c b/crypto/openssl/crypto/rc2/rc2_skey.c
new file mode 100644
index 0000000..7143c4e
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2_skey.c
@@ -0,0 +1,138 @@
+/* crypto/rc2/rc2_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc2.h>
+#include "rc2_locl.h"
+
+static unsigned char key_table[256]={
+	0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79,
+	0x4a,0xa0,0xd8,0x9d,0xc6,0x7e,0x37,0x83,0x2b,0x76,0x53,0x8e,
+	0x62,0x4c,0x64,0x88,0x44,0x8b,0xfb,0xa2,0x17,0x9a,0x59,0xf5,
+	0x87,0xb3,0x4f,0x13,0x61,0x45,0x6d,0x8d,0x09,0x81,0x7d,0x32,
+	0xbd,0x8f,0x40,0xeb,0x86,0xb7,0x7b,0x0b,0xf0,0x95,0x21,0x22,
+	0x5c,0x6b,0x4e,0x82,0x54,0xd6,0x65,0x93,0xce,0x60,0xb2,0x1c,
+	0x73,0x56,0xc0,0x14,0xa7,0x8c,0xf1,0xdc,0x12,0x75,0xca,0x1f,
+	0x3b,0xbe,0xe4,0xd1,0x42,0x3d,0xd4,0x30,0xa3,0x3c,0xb6,0x26,
+	0x6f,0xbf,0x0e,0xda,0x46,0x69,0x07,0x57,0x27,0xf2,0x1d,0x9b,
+	0xbc,0x94,0x43,0x03,0xf8,0x11,0xc7,0xf6,0x90,0xef,0x3e,0xe7,
+	0x06,0xc3,0xd5,0x2f,0xc8,0x66,0x1e,0xd7,0x08,0xe8,0xea,0xde,
+	0x80,0x52,0xee,0xf7,0x84,0xaa,0x72,0xac,0x35,0x4d,0x6a,0x2a,
+	0x96,0x1a,0xd2,0x71,0x5a,0x15,0x49,0x74,0x4b,0x9f,0xd0,0x5e,
+	0x04,0x18,0xa4,0xec,0xc2,0xe0,0x41,0x6e,0x0f,0x51,0xcb,0xcc,
+	0x24,0x91,0xaf,0x50,0xa1,0xf4,0x70,0x39,0x99,0x7c,0x3a,0x85,
+	0x23,0xb8,0xb4,0x7a,0xfc,0x02,0x36,0x5b,0x25,0x55,0x97,0x31,
+	0x2d,0x5d,0xfa,0x98,0xe3,0x8a,0x92,0xae,0x05,0xdf,0x29,0x10,
+	0x67,0x6c,0xba,0xc9,0xd3,0x00,0xe6,0xcf,0xe1,0x9e,0xa8,0x2c,
+	0x63,0x16,0x01,0x3f,0x58,0xe2,0x89,0xa9,0x0d,0x38,0x34,0x1b,
+	0xab,0x33,0xff,0xb0,0xbb,0x48,0x0c,0x5f,0xb9,0xb1,0xcd,0x2e,
+	0xc5,0xf3,0xdb,0x47,0xe5,0xa5,0x9c,0x77,0x0a,0xa6,0x20,0x68,
+	0xfe,0x7f,0xc1,0xad,
+	};
+
+/* It has come to my attention that there are 2 versions of the RC2
+ * key schedule.  One which is normal, and anther which has a hook to
+ * use a reduced key length.
+ * BSAFE uses the 'retarded' version.  What I previously shipped is
+ * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
+ * a version where the bits parameter is the same as len*8 */
+void RC2_set_key(RC2_KEY *key, int len, unsigned char *data, int bits)
+	{
+	int i,j;
+	unsigned char *k;
+	RC2_INT *ki;
+	unsigned int c,d;
+
+	k= (unsigned char *)&(key->data[0]);
+	*k=0; /* for if there is a zero length key */
+
+	if (len > 128) len=128;
+	if (bits <= 0) bits=1024;
+	if (bits > 1024) bits=1024;
+
+	for (i=0; i<len; i++)
+		k[i]=data[i];
+
+	/* expand table */
+	d=k[len-1];
+	j=0;
+	for (i=len; i < 128; i++,j++)
+		{
+		d=key_table[(k[j]+d)&0xff];
+		k[i]=d;
+		}
+
+	/* hmm.... key reduction to 'bits' bits */
+
+	j=(bits+7)>>3;
+	i=128-j;
+	c= (0xff>>(-bits & 0x07));
+
+	d=key_table[k[i]&c];
+	k[i]=d;
+	while (i--)
+		{
+		d=key_table[k[i+j]^d];
+		k[i]=d;
+		}
+
+	/* copy from bytes into RC2_INT's */
+	ki= &(key->data[63]);
+	for (i=127; i>=0; i-=2)
+		*(ki--)=((k[i]<<8)|k[i-1])&0xffff;
+	}
+
diff --git a/crypto/openssl/crypto/rc2/rc2cfb64.c b/crypto/openssl/crypto/rc2/rc2cfb64.c
new file mode 100644
index 0000000..5e3fa07
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2cfb64.c
@@ -0,0 +1,121 @@
+/* crypto/rc2/rc2cfb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc2.h>
+#include "rc2_locl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void RC2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC2_KEY *schedule, unsigned char *ivec, int *num, int encrypt)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned long ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=(unsigned char *)ivec;
+	if (encrypt)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				RC2_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2c(t,iv);
+				t=ti[1]; l2c(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				RC2_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2c(t,iv);
+				t=ti[1]; l2c(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=t=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/rc2/rc2ofb64.c b/crypto/openssl/crypto/rc2/rc2ofb64.c
new file mode 100644
index 0000000..42cdd40
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2ofb64.c
@@ -0,0 +1,110 @@
+/* crypto/rc2/rc2ofb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc2.h>
+#include "rc2_locl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void RC2_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC2_KEY *schedule, unsigned char *ivec, int *num)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned char d[8];
+	register char *dp;
+	unsigned long ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv=(unsigned char *)ivec;
+	c2l(iv,v0);
+	c2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2c(v0,dp);
+	l2c(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			RC2_encrypt((unsigned long *)ti,schedule);
+			dp=(char *)d;
+			t=ti[0]; l2c(t,dp);
+			t=ti[1]; l2c(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv=(unsigned char *)ivec;
+		l2c(v0,iv);
+		l2c(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/rc2/rc2speed.c b/crypto/openssl/crypto/rc2/rc2speed.c
new file mode 100644
index 0000000..9f7f5cc
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2speed.c
@@ -0,0 +1,274 @@
+/* crypto/rc2/rc2speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/rc2.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#endif
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	RC2_KEY sch;
+	double a,b,c,d;
+#ifndef SIGALRM
+	long ca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	RC2_set_key(&sch,16,key,128);
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			RC2_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/512;
+	cb=count;
+	cc=count*8/BUFSIZE+1;
+	printf("Doing RC2_set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing RC2_set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		RC2_set_key(&sch,16,key,128);
+		RC2_set_key(&sch,16,key,128);
+		RC2_set_key(&sch,16,key,128);
+		RC2_set_key(&sch,16,key,128);
+		}
+	d=Time_F(STOP);
+	printf("%ld RC2_set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing RC2_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing RC2_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count+=4)
+		{
+		unsigned long data[2];
+
+		RC2_encrypt(data,&sch);
+		RC2_encrypt(data,&sch);
+		RC2_encrypt(data,&sch);
+		RC2_encrypt(data,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld RC2_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing RC2_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing RC2_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		RC2_cbc_encrypt(buf,buf,BUFSIZE,&sch,
+			&(key[0]),RC2_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld RC2_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("RC2 set_key       per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("RC2 raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
+	printf("RC2 cbc     bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/rc2/rc2test.c b/crypto/openssl/crypto/rc2/rc2test.c
new file mode 100644
index 0000000..521269d
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rc2test.c
@@ -0,0 +1,269 @@
+/* crypto/rc2/rc2test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* This has been a quickly hacked 'ideatest.c'.  When I add tests for other
+ * RC2 modes, more of the code will be uncommented. */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_RC2
+int main(int argc, char *argv[])
+{
+    printf("No RC2 support\n");
+    return(0);
+}
+#else
+#include <openssl/rc2.h>
+
+static unsigned char RC2key[4][16]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+	 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F},
+	};
+
+static unsigned char RC2plain[4][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	};
+
+static unsigned char RC2cipher[4][8]={
+	{0x1C,0x19,0x8A,0x83,0x8D,0xF0,0x28,0xB7},
+	{0x21,0x82,0x9C,0x78,0xA9,0xF9,0xC0,0x74},
+	{0x13,0xDB,0x35,0x17,0xD3,0x21,0x86,0x9E},
+	{0x50,0xDC,0x01,0x62,0xBD,0x75,0x7F,0x31},
+	};
+/************/
+#ifdef undef
+unsigned char k[16]={
+	0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x04,
+	0x00,0x05,0x00,0x06,0x00,0x07,0x00,0x08};
+
+unsigned char in[8]={0x00,0x00,0x00,0x01,0x00,0x02,0x00,0x03};
+unsigned char  c[8]={0x11,0xFB,0xED,0x2B,0x01,0x98,0x6D,0xE5};
+unsigned char out[80];
+
+char *text="Hello to all people out there";
+
+static unsigned char cfb_key[16]={
+	0xe1,0xf0,0xc3,0xd2,0xa5,0xb4,0x87,0x96,
+	0x69,0x78,0x4b,0x5a,0x2d,0x3c,0x0f,0x1e,
+	};
+static unsigned char cfb_iv[80]={0x34,0x12,0x78,0x56,0xab,0x90,0xef,0xcd};
+static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8];
+#define CFB_TEST_SIZE 24
+static unsigned char plain[CFB_TEST_SIZE]=
+        {
+        0x4e,0x6f,0x77,0x20,0x69,0x73,
+        0x20,0x74,0x68,0x65,0x20,0x74,
+        0x69,0x6d,0x65,0x20,0x66,0x6f,
+        0x72,0x20,0x61,0x6c,0x6c,0x20
+        };
+static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
+	0x59,0xD8,0xE2,0x65,0x00,0x58,0x6C,0x3F,
+	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
+	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
+
+/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
+	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
+	}; 
+
+
+/*static int cfb64_test(unsigned char *cfb_cipher);*/
+static char *pt(unsigned char *p);
+#endif
+
+int main(int argc, char *argv[])
+	{
+	int i,n,err=0;
+	RC2_KEY key; 
+	unsigned char buf[8],buf2[8];
+
+	for (n=0; n<4; n++)
+		{
+		RC2_set_key(&key,16,&(RC2key[n][0]),0 /* or 1024 */);
+
+		RC2_ecb_encrypt(&(RC2plain[n][0]),buf,&key,RC2_ENCRYPT);
+		if (memcmp(&(RC2cipher[n][0]),buf,8) != 0)
+			{
+			printf("ecb rc2 error encrypting\n");
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",RC2cipher[n][i]);
+			err=20;
+			printf("\n");
+			}
+
+		RC2_ecb_encrypt(buf,buf2,&key,RC2_DECRYPT);
+		if (memcmp(&(RC2plain[n][0]),buf2,8) != 0)
+			{
+			printf("ecb RC2 error decrypting\n");
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",RC2plain[n][i]);
+			printf("\n");
+			err=3;
+			}
+		}
+
+	if (err == 0) printf("ecb RC2 ok\n");
+#ifdef undef
+	memcpy(iv,k,8);
+	idea_cbc_encrypt((unsigned char *)text,out,strlen(text)+1,&key,iv,1);
+	memcpy(iv,k,8);
+	idea_cbc_encrypt(out,out,8,&dkey,iv,0);
+	idea_cbc_encrypt(&(out[8]),&(out[8]),strlen(text)+1-8,&dkey,iv,0);
+	if (memcmp(text,out,strlen(text)+1) != 0)
+		{
+		printf("cbc idea bad\n");
+		err=4;
+		}
+	else
+		printf("cbc idea ok\n");
+
+	printf("cfb64 idea ");
+	if (cfb64_test(cfb_cipher64))
+		{
+		printf("bad\n");
+		err=5;
+		}
+	else
+		printf("ok\n");
+#endif
+
+	exit(err);
+	return(err);
+	}
+
+#ifdef undef
+static int cfb64_test(unsigned char *cfb_cipher)
+        {
+        IDEA_KEY_SCHEDULE eks,dks;
+        int err=0,i,n;
+
+        idea_set_encrypt_key(cfb_key,&eks);
+        idea_set_decrypt_key(&eks,&dks);
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(plain,cfb_buf1,(long)12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        idea_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
+                (long)CFB_TEST_SIZE-12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        if (memcmp(cfb_cipher,cfb_buf1,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb64_encrypt encrypt error\n");
+                for (i=0; i<CFB_TEST_SIZE; i+=8)
+                        printf("%s\n",pt(&(cfb_buf1[i])));
+                }
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,&eks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        idea_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+                (long)CFB_TEST_SIZE-17,&dks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        if (memcmp(plain,cfb_buf2,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb_encrypt decrypt error\n");
+                for (i=0; i<24; i+=8)
+                        printf("%s\n",pt(&(cfb_buf2[i])));
+                }
+        return(err);
+        }
+
+static char *pt(unsigned char *p)
+	{
+	static char bufs[10][20];
+	static int bnum=0;
+	char *ret;
+	int i;
+	static char *f="0123456789ABCDEF";
+
+	ret= &(bufs[bnum++][0]);
+	bnum%=10;
+	for (i=0; i<8; i++)
+		{
+		ret[i*2]=f[(p[i]>>4)&0xf];
+		ret[i*2+1]=f[p[i]&0xf];
+		}
+	ret[16]='\0';
+	return(ret);
+	}
+	
+#endif
+#endif
diff --git a/crypto/openssl/crypto/rc2/rrc2.doc b/crypto/openssl/crypto/rc2/rrc2.doc
new file mode 100644
index 0000000..f93ee00
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/rrc2.doc
@@ -0,0 +1,219 @@
+>From cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news Mon Feb 12 18:48:17 EST 1996
+Article 23601 of sci.crypt:
+Path: cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news
+>From: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+Newsgroups: sci.crypt
+Subject: Specification for Ron Rivests Cipher No.2
+Date: 11 Feb 1996 06:45:03 GMT
+Organization: University of Auckland
+Lines: 203
+Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+NNTP-Posting-Host: cs26.cs.auckland.ac.nz
+X-Newsreader: NN version 6.5.0 #3 (NOV)
+
+
+
+
+                           Ron Rivest's Cipher No.2
+                           ------------------------
+ 
+Ron Rivest's Cipher No.2 (hereafter referred to as RRC.2, other people may
+refer to it by other names) is word oriented, operating on a block of 64 bits
+divided into four 16-bit words, with a key table of 64 words.  All data units
+are little-endian.  This functional description of the algorithm is based in
+the paper "The RC5 Encryption Algorithm" (RC5 is a trademark of RSADSI), using
+the same general layout, terminology, and pseudocode style.
+ 
+ 
+Notation and RRC.2 Primitive Operations
+ 
+RRC.2 uses the following primitive operations:
+ 
+1. Two's-complement addition of words, denoted by "+".  The inverse operation,
+   subtraction, is denoted by "-".
+2. Bitwise exclusive OR, denoted by "^".
+3. Bitwise AND, denoted by "&".
+4. Bitwise NOT, denoted by "~".
+5. A left-rotation of words; the rotation of word x left by y is denoted
+   x <<< y.  The inverse operation, right-rotation, is denoted x >>> y.
+ 
+These operations are directly and efficiently supported by most processors.
+ 
+ 
+The RRC.2 Algorithm
+ 
+RRC.2 consists of three components, a *key expansion* algorithm, an
+*encryption* algorithm, and a *decryption* algorithm.
+ 
+ 
+Key Expansion
+ 
+The purpose of the key-expansion routine is to expand the user's key K to fill
+the expanded key array S, so S resembles an array of random binary words
+determined by the user's secret key K.
+ 
+Initialising the S-box
+ 
+RRC.2 uses a single 256-byte S-box derived from the ciphertext contents of
+Beale Cipher No.1 XOR'd with a one-time pad.  The Beale Ciphers predate modern
+cryptography by enough time that there should be no concerns about trapdoors
+hidden in the data.  They have been published widely, and the S-box can be
+easily recreated from the one-time pad values and the Beale Cipher data taken
+from a standard source.  To initialise the S-box:
+ 
+  for i = 0 to 255 do
+    sBox[ i ] = ( beale[ i ] mod 256 ) ^ pad[ i ]
+ 
+The contents of Beale Cipher No.1 and the necessary one-time pad are given as
+an appendix at the end of this document.  For efficiency, implementors may wish
+to skip the Beale Cipher expansion and store the sBox table directly.
+ 
+Expanding the Secret Key to 128 Bytes
+ 
+The secret key is first expanded to fill 128 bytes (64 words).  The expansion
+consists of taking the sum of the first and last bytes in the user key, looking
+up the sum (modulo 256) in the S-box, and appending the result to the key.  The
+operation is repeated with the second byte and new last byte of the key until
+all 128 bytes have been generated.  Note that the following pseudocode treats
+the S array as an array of 128 bytes rather than 64 words.
+ 
+  for j = 0 to length-1 do
+    S[ j ] = K[ j ]
+  for j = length to 127 do
+    s[ j ] = sBox[ ( S[ j-length ] + S[ j-1 ] ) mod 256 ];
+ 
+At this point it is possible to perform a truncation of the effective key
+length to ease the creation of espionage-enabled software products.  However
+since the author cannot conceive why anyone would want to do this, it will not
+be considered further.
+ 
+The final phase of the key expansion involves replacing the first byte of S
+with the entry selected from the S-box:
+ 
+  S[ 0 ] = sBox[ S[ 0 ] ]
+ 
+ 
+Encryption
+ 
+The cipher has 16 full rounds, each divided into 4 subrounds.  Two of the full
+rounds perform an additional transformation on the data.  Note that the
+following pseudocode treats the S array as an array of 64 words rather than 128
+bytes.
+ 
+  for i = 0 to 15 do
+    j = i * 4;
+    word0 = ( word0 + ( word1 & ~word3 ) + ( word2 & word3 ) + S[ j+0 ] ) <<< 1
+    word1 = ( word1 + ( word2 & ~word0 ) + ( word3 & word0 ) + S[ j+1 ] ) <<< 2
+    word2 = ( word2 + ( word3 & ~word1 ) + ( word0 & word1 ) + S[ j+2 ] ) <<< 3
+    word3 = ( word3 + ( word0 & ~word2 ) + ( word1 & word2 ) + S[ j+3 ] ) <<< 5
+ 
+In addition the fifth and eleventh rounds add the contents of the S-box indexed
+by one of the data words to another of the data words following the four
+subrounds as follows:
+ 
+    word0 = word0 + S[ word3 & 63 ];
+    word1 = word1 + S[ word0 & 63 ];
+    word2 = word2 + S[ word1 & 63 ];
+    word3 = word3 + S[ word2 & 63 ];
+ 
+ 
+Decryption
+ 
+The decryption operation is simply the inverse of the encryption operation.
+Note that the following pseudocode treats the S array as an array of 64 words
+rather than 128 bytes.
+ 
+  for i = 15 downto 0 do
+    j = i * 4;
+    word3 = ( word3 >>> 5 ) - ( word0 & ~word2 ) - ( word1 & word2 ) - S[ j+3 ]
+    word2 = ( word2 >>> 3 ) - ( word3 & ~word1 ) - ( word0 & word1 ) - S[ j+2 ]
+    word1 = ( word1 >>> 2 ) - ( word2 & ~word0 ) - ( word3 & word0 ) - S[ j+1 ]
+    word0 = ( word0 >>> 1 ) - ( word1 & ~word3 ) - ( word2 & word3 ) - S[ j+0 ]
+ 
+In addition the fifth and eleventh rounds subtract the contents of the S-box
+indexed by one of the data words from another one of the data words following
+the four subrounds as follows:
+ 
+    word3 = word3 - S[ word2 & 63 ]
+    word2 = word2 - S[ word1 & 63 ]
+    word1 = word1 - S[ word0 & 63 ]
+    word0 = word0 - S[ word3 & 63 ]
+ 
+ 
+Test Vectors
+ 
+The following test vectors may be used to test the correctness of an RRC.2
+implementation:
+ 
+  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+  Cipher:   0x1C, 0x19, 0x8A, 0x83, 0x8D, 0xF0, 0x28, 0xB7
+ 
+  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+  Cipher:   0x21, 0x82, 0x9C, 0x78, 0xA9, 0xF9, 0xC0, 0x74
+ 
+  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+  Plain:    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+  Cipher:   0x13, 0xDB, 0x35, 0x17, 0xD3, 0x21, 0x86, 0x9E
+ 
+  Key:      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+            0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+  Cipher:   0x50, 0xDC, 0x01, 0x62, 0xBD, 0x75, 0x7F, 0x31
+ 
+ 
+Appendix: Beale Cipher No.1, "The Locality of the Vault", and One-time Pad for
+          Creating the S-Box
+ 
+Beale Cipher No.1.
+ 
+  71, 194,  38,1701,  89,  76,  11,  83,1629,  48,  94,  63, 132,  16, 111,  95,
+  84, 341, 975,  14,  40,  64,  27,  81, 139, 213,  63,  90,1120,   8,  15,   3,
+ 126,2018,  40,  74, 758, 485, 604, 230, 436, 664, 582, 150, 251, 284, 308, 231,
+ 124, 211, 486, 225, 401, 370,  11, 101, 305, 139, 189,  17,  33,  88, 208, 193,
+ 145,   1,  94,  73, 416, 918, 263,  28, 500, 538, 356, 117, 136, 219,  27, 176,
+ 130,  10, 460,  25, 485,  18, 436,  65,  84, 200, 283, 118, 320, 138,  36, 416,
+ 280,  15,  71, 224, 961,  44,  16, 401,  39,  88,  61, 304,  12,  21,  24, 283,
+ 134,  92,  63, 246, 486, 682,   7, 219, 184, 360, 780,  18,  64, 463, 474, 131,
+ 160,  79,  73, 440,  95,  18,  64, 581,  34,  69, 128, 367, 460,  17,  81,  12,
+ 103, 820,  62, 110,  97, 103, 862,  70,  60,1317, 471, 540, 208, 121, 890, 346,
+  36, 150,  59, 568, 614,  13, 120,  63, 219, 812,2160,1780,  99,  35,  18,  21,
+ 136, 872,  15,  28, 170,  88,   4,  30,  44, 112,  18, 147, 436, 195, 320,  37,
+ 122, 113,   6, 140,   8, 120, 305,  42,  58, 461,  44, 106, 301,  13, 408, 680,
+  93,  86, 116, 530,  82, 568,   9, 102,  38, 416,  89,  71, 216, 728, 965, 818,
+   2,  38, 121, 195,  14, 326, 148, 234,  18,  55, 131, 234, 361, 824,   5,  81,
+ 623,  48, 961,  19,  26,  33,  10,1101, 365,  92,  88, 181, 275, 346, 201, 206
+ 
+One-time Pad.
+ 
+ 158, 186, 223,  97,  64, 145, 190, 190, 117, 217, 163,  70, 206, 176, 183, 194,
+ 146,  43, 248, 141,   3,  54,  72, 223, 233, 153,  91, 210,  36, 131, 244, 161,
+ 105, 120, 113, 191, 113,  86,  19, 245, 213, 221,  43,  27, 242, 157,  73, 213,
+ 193,  92, 166,  10,  23, 197, 112, 110, 193,  30, 156,  51, 125,  51, 158,  67,
+ 197, 215,  59, 218, 110, 246, 181,   0, 135,  76, 164,  97,  47,  87, 234, 108,
+ 144, 127,   6,   6, 222, 172,  80, 144,  22, 245, 207,  70, 227, 182, 146, 134,
+ 119, 176,  73,  58, 135,  69,  23, 198,   0, 170,  32, 171, 176, 129,  91,  24,
+ 126,  77, 248,   0, 118,  69,  57,  60, 190, 171, 217,  61, 136, 169, 196,  84,
+ 168, 167, 163, 102, 223,  64, 174, 178, 166, 239, 242, 195, 249,  92,  59,  38,
+ 241,  46, 236,  31,  59, 114,  23,  50, 119, 186,   7,  66, 212,  97, 222, 182,
+ 230, 118, 122,  86, 105,  92, 179, 243, 255, 189, 223, 164, 194, 215,  98,  44,
+  17,  20,  53, 153, 137, 224, 176, 100, 208, 114,  36, 200, 145, 150, 215,  20,
+  87,  44, 252,  20, 235, 242, 163, 132,  63,  18,   5, 122,  74,  97,  34,  97,
+ 142,  86, 146, 221, 179, 166, 161,  74,  69, 182,  88, 120, 128,  58,  76, 155,
+  15,  30,  77, 216, 165, 117, 107,  90, 169, 127, 143, 181, 208, 137, 200, 127,
+ 170, 195,  26,  84, 255, 132, 150,  58, 103, 250, 120, 221, 237,  37,   8,  99
+ 
+ 
+Implementation
+ 
+A non-US based programmer who has never seen any encryption code before will
+shortly be implementing RRC.2 based solely on this specification and not on
+knowledge of any other encryption algorithms.  Stand by.
+
+
+
diff --git a/crypto/openssl/crypto/rc2/tab.c b/crypto/openssl/crypto/rc2/tab.c
new file mode 100644
index 0000000..25dc14e
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/tab.c
@@ -0,0 +1,86 @@
+#include <stdio.h>
+
+unsigned char ebits_to_num[256]={
+	0xbd,0x56,0xea,0xf2,0xa2,0xf1,0xac,0x2a,
+	0xb0,0x93,0xd1,0x9c,0x1b,0x33,0xfd,0xd0,
+	0x30,0x04,0xb6,0xdc,0x7d,0xdf,0x32,0x4b,
+	0xf7,0xcb,0x45,0x9b,0x31,0xbb,0x21,0x5a,
+	0x41,0x9f,0xe1,0xd9,0x4a,0x4d,0x9e,0xda,
+	0xa0,0x68,0x2c,0xc3,0x27,0x5f,0x80,0x36,
+	0x3e,0xee,0xfb,0x95,0x1a,0xfe,0xce,0xa8,
+	0x34,0xa9,0x13,0xf0,0xa6,0x3f,0xd8,0x0c,
+	0x78,0x24,0xaf,0x23,0x52,0xc1,0x67,0x17,
+	0xf5,0x66,0x90,0xe7,0xe8,0x07,0xb8,0x60,
+	0x48,0xe6,0x1e,0x53,0xf3,0x92,0xa4,0x72,
+	0x8c,0x08,0x15,0x6e,0x86,0x00,0x84,0xfa,
+	0xf4,0x7f,0x8a,0x42,0x19,0xf6,0xdb,0xcd,
+	0x14,0x8d,0x50,0x12,0xba,0x3c,0x06,0x4e,
+	0xec,0xb3,0x35,0x11,0xa1,0x88,0x8e,0x2b,
+	0x94,0x99,0xb7,0x71,0x74,0xd3,0xe4,0xbf,
+	0x3a,0xde,0x96,0x0e,0xbc,0x0a,0xed,0x77,
+	0xfc,0x37,0x6b,0x03,0x79,0x89,0x62,0xc6,
+	0xd7,0xc0,0xd2,0x7c,0x6a,0x8b,0x22,0xa3,
+	0x5b,0x05,0x5d,0x02,0x75,0xd5,0x61,0xe3,
+	0x18,0x8f,0x55,0x51,0xad,0x1f,0x0b,0x5e,
+	0x85,0xe5,0xc2,0x57,0x63,0xca,0x3d,0x6c,
+	0xb4,0xc5,0xcc,0x70,0xb2,0x91,0x59,0x0d,
+	0x47,0x20,0xc8,0x4f,0x58,0xe0,0x01,0xe2,
+	0x16,0x38,0xc4,0x6f,0x3b,0x0f,0x65,0x46,
+	0xbe,0x7e,0x2d,0x7b,0x82,0xf9,0x40,0xb5,
+	0x1d,0x73,0xf8,0xeb,0x26,0xc7,0x87,0x97,
+	0x25,0x54,0xb1,0x28,0xaa,0x98,0x9d,0xa5,
+	0x64,0x6d,0x7a,0xd4,0x10,0x81,0x44,0xef,
+	0x49,0xd6,0xae,0x2e,0xdd,0x76,0x5c,0x2f,
+	0xa7,0x1c,0xc9,0x09,0x69,0x9a,0x83,0xcf,
+	0x29,0x39,0xb9,0xe9,0x4c,0xff,0x43,0xab,
+	};
+
+unsigned char num_to_ebits[256]={
+	0x5d,0xbe,0x9b,0x8b,0x11,0x99,0x6e,0x4d,
+	0x59,0xf3,0x85,0xa6,0x3f,0xb7,0x83,0xc5,
+	0xe4,0x73,0x6b,0x3a,0x68,0x5a,0xc0,0x47,
+	0xa0,0x64,0x34,0x0c,0xf1,0xd0,0x52,0xa5,
+	0xb9,0x1e,0x96,0x43,0x41,0xd8,0xd4,0x2c,
+	0xdb,0xf8,0x07,0x77,0x2a,0xca,0xeb,0xef,
+	0x10,0x1c,0x16,0x0d,0x38,0x72,0x2f,0x89,
+	0xc1,0xf9,0x80,0xc4,0x6d,0xae,0x30,0x3d,
+	0xce,0x20,0x63,0xfe,0xe6,0x1a,0xc7,0xb8,
+	0x50,0xe8,0x24,0x17,0xfc,0x25,0x6f,0xbb,
+	0x6a,0xa3,0x44,0x53,0xd9,0xa2,0x01,0xab,
+	0xbc,0xb6,0x1f,0x98,0xee,0x9a,0xa7,0x2d,
+	0x4f,0x9e,0x8e,0xac,0xe0,0xc6,0x49,0x46,
+	0x29,0xf4,0x94,0x8a,0xaf,0xe1,0x5b,0xc3,
+	0xb3,0x7b,0x57,0xd1,0x7c,0x9c,0xed,0x87,
+	0x40,0x8c,0xe2,0xcb,0x93,0x14,0xc9,0x61,
+	0x2e,0xe5,0xcc,0xf6,0x5e,0xa8,0x5c,0xd6,
+	0x75,0x8d,0x62,0x95,0x58,0x69,0x76,0xa1,
+	0x4a,0xb5,0x55,0x09,0x78,0x33,0x82,0xd7,
+	0xdd,0x79,0xf5,0x1b,0x0b,0xde,0x26,0x21,
+	0x28,0x74,0x04,0x97,0x56,0xdf,0x3c,0xf0,
+	0x37,0x39,0xdc,0xff,0x06,0xa4,0xea,0x42,
+	0x08,0xda,0xb4,0x71,0xb0,0xcf,0x12,0x7a,
+	0x4e,0xfa,0x6c,0x1d,0x84,0x00,0xc8,0x7f,
+	0x91,0x45,0xaa,0x2b,0xc2,0xb1,0x8f,0xd5,
+	0xba,0xf2,0xad,0x19,0xb2,0x67,0x36,0xf7,
+	0x0f,0x0a,0x92,0x7d,0xe3,0x9d,0xe9,0x90,
+	0x3e,0x23,0x27,0x66,0x13,0xec,0x81,0x15,
+	0xbd,0x22,0xbf,0x9f,0x7e,0xa9,0x51,0x4b,
+	0x4c,0xfb,0x02,0xd3,0x70,0x86,0x31,0xe7,
+	0x3b,0x05,0x03,0x54,0x60,0x48,0x65,0x18,
+	0xd2,0xcd,0x5f,0x32,0x88,0x0e,0x35,0xfd,
+	};
+	
+main()
+	{
+	int i,j;
+
+	for (i=0; i<256; i++)
+		{
+		for (j=0; j<256; j++)
+			if (ebits_to_num[j] == i)
+				{
+				printf("0x%02x,",j);
+				break;
+				}
+		}
+	}
diff --git a/crypto/openssl/crypto/rc2/version b/crypto/openssl/crypto/rc2/version
new file mode 100644
index 0000000..6f89d59
--- /dev/null
+++ b/crypto/openssl/crypto/rc2/version
@@ -0,0 +1,22 @@
+1.1 23/08/96 - eay
+	Changed RC2_set_key() so it now takes another argument.  Many
+	thanks to Peter Gutmann <pgut01@cs.auckland.ac.nz> for the
+	clarification and origional specification of RC2.  BSAFE uses
+	this last parameter, 'bits'.  It the key is 128 bits, BSAFE
+	also sets this parameter to 128.  The old behaviour can be
+	duplicated by setting this parameter to 1024.
+
+1.0 08/04/96 - eay
+	First version of SSLeay with rc2.  This has been written from the spec
+	posted sci.crypt.  It is in this directory under rrc2.doc
+	I have no test values for any mode other than ecb, my wrappers for the
+	other modes should be ok since they are basically the same as
+	the ones taken from idea and des :-).  I have implemented them as
+	little-endian operators.
+	While rc2 is included because it is used with SSL, I don't know how
+	far I trust it.  It is about the same speed as IDEA and DES.
+	So if you are paranoid, used Tripple DES, else IDEA.  If RC2
+	does get used more, perhaps more people will look for weaknesses in
+	it.
+	
+
diff --git a/crypto/openssl/crypto/rc4/Makefile.save b/crypto/openssl/crypto/rc4/Makefile.save
new file mode 100644
index 0000000..d3dff0f
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/Makefile.save
@@ -0,0 +1,113 @@
+#
+# SSLeay/crypto/rc4/Makefile
+#
+
+DIR=	rc4
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+RC4_ENC=rc4_enc.o
+# or use
+#RC4_ENC=asm/rx86-elf.o
+#RC4_ENC=asm/rx86-out.o
+#RC4_ENC=asm/rx86-sol.o
+#RC4_ENC=asm/rx86bdsi.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc4test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc4_skey.c rc4_enc.c
+LIBOBJ=rc4_skey.o $(RC4_ENC)
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc4.h
+HEADER=	$(EXHEADER) rc4_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/rx86-elf.o: asm/rx86unix.cpp
+	$(CPP) -DELF -x c asm/rx86unix.cpp | as -o asm/rx86-elf.o
+
+# solaris
+asm/rx86-sol.o: asm/rx86unix.cpp
+	$(CC) -E -DSOL asm/rx86unix.cpp | sed 's/^#.*//' > asm/rx86-sol.s
+	as -o asm/rx86-sol.o asm/rx86-sol.s
+	rm -f asm/rx86-sol.s
+
+# a.out
+asm/rx86-out.o: asm/rx86unix.cpp
+	$(CPP) -DOUT asm/rx86unix.cpp | as -o asm/rx86-out.o
+
+# bsdi
+asm/rx86bsdi.o: asm/rx86unix.cpp
+	$(CPP) -DBSDI asm/rx86unix.cpp | sed 's/ :/:/' | as -o asm/rx86bsdi.o
+
+asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/rx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc4_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc4.h
+rc4_enc.o: rc4_locl.h
+rc4_skey.o: ../../include/openssl/opensslconf.h
+rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
+rc4_skey.o: rc4_locl.h
diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl
new file mode 100644
index 0000000..53eac20
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/Makefile.ssl
@@ -0,0 +1,114 @@
+#
+# SSLeay/crypto/rc4/Makefile
+#
+
+DIR=	rc4
+TOP=	../..
+CC=	cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+RC4_ENC=rc4_enc.o
+# or use
+#RC4_ENC=asm/rx86-elf.o
+#RC4_ENC=asm/rx86-out.o
+#RC4_ENC=asm/rx86-sol.o
+#RC4_ENC=asm/rx86bdsi.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc4test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc4_skey.c rc4_enc.c
+LIBOBJ=rc4_skey.o $(RC4_ENC)
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc4.h
+HEADER=	$(EXHEADER) rc4_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/rx86-elf.o: asm/rx86unix.cpp
+	$(CPP) -DELF -x c asm/rx86unix.cpp | as -o asm/rx86-elf.o
+
+# solaris
+asm/rx86-sol.o: asm/rx86unix.cpp
+	$(CC) -E -DSOL asm/rx86unix.cpp | sed 's/^#.*//' > asm/rx86-sol.s
+	as -o asm/rx86-sol.o asm/rx86-sol.s
+	rm -f asm/rx86-sol.s
+
+# a.out
+asm/rx86-out.o: asm/rx86unix.cpp
+	$(CPP) -DOUT asm/rx86unix.cpp | as -o asm/rx86-out.o
+
+# bsdi
+asm/rx86bsdi.o: asm/rx86unix.cpp
+	$(CPP) -DBSDI asm/rx86unix.cpp | sed 's/ :/:/' | as -o asm/rx86bsdi.o
+
+asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/rx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc4_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc4.h
+rc4_enc.o: rc4_locl.h
+rc4_skey.o: ../../include/openssl/opensslconf.h
+rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
+rc4_skey.o: rc4_locl.h
diff --git a/crypto/openssl/crypto/rc4/Makefile.uni b/crypto/openssl/crypto/rc4/Makefile.uni
new file mode 100644
index 0000000..855d9e5
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/Makefile.uni
@@ -0,0 +1,103 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+DIR=    rc4
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+RC4_ENC=rc4_enc.o
+# or use
+#RC4_ENC=asm/rx86-elf.o
+#RC4_ENC=asm/rx86-out.o
+#RC4_ENC=asm/rx86-sol.o
+#RC4_ENC=asm/rx86bdsi.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc4test
+APPS=rc4speed
+
+LIB=librc4.a
+LIBSRC=rc4_skey.c rc4_enc.c
+LIBOBJ=rc4_skey.o $(RC4_ENC)
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc4.h
+HEADER= $(EXHEADER) rc4_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+# elf
+asm/rx86-elf.o: asm/rx86unix.cpp
+	$(CPP) -DELF asm/rx86unix.cpp | as -o asm/rx86-elf.o
+
+# solaris
+asm/rx86-sol.o: asm/rx86unix.cpp
+	$(CC) -E -DSOL asm/rx86unix.cpp | sed 's/^#.*//' > asm/rx86-sol.s
+	as -o asm/rx86-sol.o asm/rx86-sol.s
+	rm -f asm/rx86-sol.s
+
+# a.out
+asm/rx86-out.o: asm/rx86unix.cpp
+	$(CPP) -DOUT asm/rx86unix.cpp | as -o asm/rx86-out.o
+
+# bsdi
+asm/rx86bsdi.o: asm/rx86unix.cpp
+	$(CPP) -DBSDI asm/rx86unix.cpp | as -o asm/rx86bsdi.o
+
+asm/rx86unix.cpp:
+	(cd asm; perl rc4-586.pl cpp >rx86unix.cpp)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/rc4/asm/rc4-586.pl b/crypto/openssl/crypto/rc4/asm/rc4-586.pl
new file mode 100644
index 0000000..7ef889e
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/asm/rc4-586.pl
@@ -0,0 +1,173 @@
+#!/usr/local/bin/perl
+
+# define for pentium pro friendly version
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"rc4-586.pl");
+
+$tx="eax";
+$ty="ebx";
+$x="ecx";
+$y="edx";
+$in="esi";
+$out="edi";
+$d="ebp";
+
+&RC4("RC4");
+
+&asm_finish();
+
+sub RC4_loop
+	{
+	local($n,$p,$char)=@_;
+
+	&comment("Round $n");
+
+	if ($char)
+		{
+		if ($p >= 0)
+			{
+			 &mov($ty,	&swtmp(2));
+			&cmp($ty,	$in);
+			 &jle(&label("finished"));
+			&inc($in);
+			}
+		else
+			{
+			&add($ty,	8);
+			 &inc($in);
+			&cmp($ty,	$in);
+			 &jl(&label("finished"));
+			&mov(&swtmp(2),	$ty);
+			}
+		}
+	# Moved out
+	# &mov(	$tx,		&DWP(0,$d,$x,4)) if $p < 0;
+
+	 &add(	$y,		$tx);
+	&and(	$y,		0xff);
+	 &inc(	$x);			# NEXT ROUND 
+	&mov(	$ty,		&DWP(0,$d,$y,4));
+	 # XXX
+	&mov(	&DWP(-4,$d,$x,4),$ty);			# AGI
+	 &add(	$ty,		$tx);
+	&and(	$x,		0xff);	# NEXT ROUND
+	 &and(	$ty,		0xff);
+	&mov(	&DWP(0,$d,$y,4),$tx);
+	 &nop();
+	&mov(	$ty,		&DWP(0,$d,$ty,4));
+	 &mov(	$tx,		&DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
+	 # XXX
+
+	if (!$char)
+		{
+		#moved up into last round
+		if ($p >= 1)
+			{
+			&add(	$out,	8)
+			}
+		&movb(	&BP($n,"esp","",0),	&LB($ty));
+		}
+	else
+		{
+		# Note in+=8 has occured
+		&movb(	&HB($ty),	&BP(-1,$in,"",0));
+		 # XXX
+		&xorb(&LB($ty),		&HB($ty));
+		 # XXX
+		&movb(&BP($n,$out,"",0),&LB($ty));
+		}
+	}
+
+
+sub RC4
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"");
+
+	&comment("");
+
+	&push("ebp");
+	 &push("ebx");
+	&mov(	$d,	&wparam(0));	# key
+	 &mov(	$ty,	&wparam(1));	# num
+	&push("esi");
+	 &push("edi");
+
+	&mov(	$x,	&DWP(0,$d,"",1));
+	 &mov(	$y,	&DWP(4,$d,"",1));
+
+	&mov(	$in,	&wparam(2));
+	 &inc(	$x);
+
+	&stack_push(3);	# 3 temp variables
+	 &add(	$d,	8);
+	&and(	$x,		0xff);
+
+	 &lea(	$ty,	&DWP(-8,$ty,$in));
+
+	# check for 0 length input
+
+	&mov(	$out,	&wparam(3));
+	 &mov(	&swtmp(2),	$ty);	# this is now address to exit at
+	&mov(	$tx,	&DWP(0,$d,$x,4));
+
+	 &cmp(	$ty,	$in);
+	&jl(	&label("end")); # less than 8 bytes
+
+	&set_label("start");
+
+	# filling DELAY SLOT
+	&add(	$in,	8);
+
+	&RC4_loop(0,-1,0);
+	&RC4_loop(1,0,0);
+	&RC4_loop(2,0,0);
+	&RC4_loop(3,0,0);
+	&RC4_loop(4,0,0);
+	&RC4_loop(5,0,0);
+	&RC4_loop(6,0,0);
+	&RC4_loop(7,1,0);
+	
+	&comment("apply the cipher text");
+	# xor the cipher data with input
+
+	#&add(	$out,	8); #moved up into last round
+
+	&mov(	$tx,	&swtmp(0));
+	 &mov(	$ty,	&DWP(-8,$in,"",0));
+	&xor(	$tx,	$ty);
+	 &mov(	$ty,	&DWP(-4,$in,"",0)); 
+	&mov(	&DWP(-8,$out,"",0),	$tx);
+	 &mov(	$tx,	&swtmp(1));
+	&xor(	$tx,	$ty);
+	 &mov(	$ty,	&swtmp(2));	# load end ptr;
+	&mov(	&DWP(-4,$out,"",0),	$tx);
+	 &mov(	$tx,		&DWP(0,$d,$x,4));
+	&cmp($in,	$ty);
+	 &jle(&label("start"));
+
+	&set_label("end");
+
+	# There is quite a bit of extra crap in RC4_loop() for this
+	# first round
+	&RC4_loop(0,-1,1);
+	&RC4_loop(1,0,1);
+	&RC4_loop(2,0,1);
+	&RC4_loop(3,0,1);
+	&RC4_loop(4,0,1);
+	&RC4_loop(5,0,1);
+	&RC4_loop(6,1,1);
+
+	&set_label("finished");
+	&dec(	$x);
+	 &stack_pop(3);
+	&mov(	&DWP(-4,$d,"",0),$y);
+	 &movb(	&BP(-8,$d,"",0),&LB($x));
+
+	&function_end($name);
+	}
+
diff --git a/crypto/openssl/crypto/rc4/rc4.c b/crypto/openssl/crypto/rc4/rc4.c
new file mode 100644
index 0000000..709b7af
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4.c
@@ -0,0 +1,192 @@
+/* crypto/rc4/rc4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/rc4.h>
+
+char *usage[]={
+"usage: rc4 args\n",
+"\n",
+" -in arg         - input file - default stdin\n",
+" -out arg        - output file - default stdout\n",
+" -key key        - password\n",
+NULL
+};
+
+int main(int argc, char *argv[])
+	{
+	FILE *in=NULL,*out=NULL;
+	char *infile=NULL,*outfile=NULL,*keystr=NULL;
+	RC4_KEY key;
+	char buf[BUFSIZ];
+	int badops=0,i;
+	char **pp;
+	unsigned char md[MD5_DIGEST_LENGTH];
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keystr= *(++argv);
+			}
+		else
+			{
+			fprintf(stderr,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		for (pp=usage; (*pp != NULL); pp++)
+			fprintf(stderr,*pp);
+		exit(1);
+		}
+
+	if (infile == NULL)
+		in=stdin;
+	else
+		{
+		in=fopen(infile,"r");
+		if (in == NULL)
+			{
+			perror("open");
+			exit(1);
+			}
+
+		}
+	if (outfile == NULL)
+		out=stdout;
+	else
+		{
+		out=fopen(outfile,"w");
+		if (out == NULL)
+			{
+			perror("open");
+			exit(1);
+			}
+		}
+		
+#ifdef MSDOS
+	/* This should set the file to binary mode. */
+	{
+#include <fcntl.h>
+	setmode(fileno(in),O_BINARY);
+	setmode(fileno(out),O_BINARY);
+	}
+#endif
+
+	if (keystr == NULL)
+		{ /* get key */
+		i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
+		if (i != 0)
+			{
+			memset(buf,0,BUFSIZ);
+			fprintf(stderr,"bad password read\n");
+			exit(1);
+			}
+		keystr=buf;
+		}
+
+	MD5((unsigned char *)keystr,(unsigned long)strlen(keystr),md);
+	memset(keystr,0,strlen(keystr));
+	RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
+	
+	for(;;)
+		{
+		i=fread(buf,1,BUFSIZ,in);
+		if (i == 0) break;
+		if (i < 0)
+			{
+			perror("read");
+			exit(1);
+			}
+		RC4(&key,(unsigned int)i,(unsigned char *)buf,
+			(unsigned char *)buf);
+		i=fwrite(buf,(unsigned int)i,1,out);
+		if (i != 1)
+			{
+			perror("write");
+			exit(1);
+			}
+		}
+	fclose(out);
+	fclose(in);
+	exit(0);
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/rc4/rc4.h b/crypto/openssl/crypto/rc4/rc4.h
new file mode 100644
index 0000000..8556ddd
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4.h
@@ -0,0 +1,88 @@
+/* crypto/rc4/rc4.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC4_H
+#define HEADER_RC4_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC4
+#error RC4 is disabled.
+#endif
+
+#include <openssl/opensslconf.h> /* RC4_INT */
+
+typedef struct rc4_key_st
+	{
+	RC4_INT x,y;
+	RC4_INT data[256];
+	} RC4_KEY;
+
+ 
+const char *RC4_options(void);
+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
+		unsigned char *outdata);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/rc4/rc4_enc.c b/crypto/openssl/crypto/rc4/rc4_enc.c
new file mode 100644
index 0000000..d5f18a3
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4_enc.c
@@ -0,0 +1,315 @@
+/* crypto/rc4/rc4_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc4.h>
+#include "rc4_locl.h"
+
+/* RC4 as implemented from a posting from
+ * Newsgroups: sci.crypt
+ * From: sterndark@netcom.com (David Sterndark)
+ * Subject: RC4 Algorithm revealed.
+ * Message-ID: <sternCvKL4B.Hyy@netcom.com>
+ * Date: Wed, 14 Sep 1994 06:35:31 GMT
+ */
+
+void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
+	     unsigned char *outdata)
+	{
+        register RC4_INT *d;
+        register RC4_INT x,y,tx,ty;
+	int i;
+        
+        x=key->x;     
+        y=key->y;     
+        d=key->data; 
+
+#if defined(RC4_CHUNK)
+	/*
+	 * The original reason for implementing this(*) was the fact that
+	 * pre-21164a Alpha CPUs don't have byte load/store instructions
+	 * and e.g. a byte store has to be done with 64-bit load, shift,
+	 * and, or and finally 64-bit store. Peaking data and operating
+	 * at natural word size made it possible to reduce amount of
+	 * instructions as well as to perform early read-ahead without
+	 * suffering from RAW (read-after-write) hazard. This resulted
+	 * in ~40%(**) performance improvement on 21064 box with gcc.
+	 * But it's not only Alpha users who win here:-) Thanks to the
+	 * early-n-wide read-ahead this implementation also exhibits
+	 * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
+	 * on sizeof(RC4_INT)).
+	 *
+	 * (*)	"this" means code which recognizes the case when input
+	 *	and output pointers appear to be aligned at natural CPU
+	 *	word boundary
+	 * (**)	i.e. according to 'apps/openssl speed rc4' benchmark,
+	 *	crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
+	 *
+	 * Cavets.
+	 *
+	 * - RC4_CHUNK="unsigned long long" should be a #1 choice for
+	 *   UltraSPARC. Unfortunately gcc generates very slow code
+	 *   (2.5-3 times slower than one generated by Sun's WorkShop
+	 *   C) and therefore gcc (at least 2.95 and earlier) should
+	 *   always be told that RC4_CHUNK="unsigned long".
+	 *
+	 *					<appro@fy.chalmers.se>
+	 */
+
+# define RC4_STEP	( \
+			x=(x+1) &0xff,	\
+			tx=d[x],	\
+			y=(tx+y)&0xff,	\
+			ty=d[y],	\
+			d[y]=tx,	\
+			d[x]=ty,	\
+			(RC4_CHUNK)d[(tx+ty)&0xff]\
+			)
+
+	if ( ( ((unsigned long)indata  & (sizeof(RC4_CHUNK)-1)) | 
+	       ((unsigned long)outdata & (sizeof(RC4_CHUNK)-1)) ) == 0 )
+		{
+		RC4_CHUNK ichunk,otp;
+		const union { long one; char little; } is_endian = {1};
+
+		/*
+		 * I reckon we can afford to implement both endian
+		 * cases and to decide which way to take at run-time
+		 * because the machine code appears to be very compact
+		 * and redundant 1-2KB is perfectly tolerable (i.e.
+		 * in case the compiler fails to eliminate it:-). By
+		 * suggestion from Terrel Larson <terr@terralogic.net>
+		 * who also stands for the is_endian union:-)
+		 *
+		 * Special notes.
+		 *
+		 * - is_endian is declared automatic as doing otherwise
+		 *   (declaring static) prevents gcc from eliminating
+		 *   the redundant code;
+		 * - compilers (those I've tried) don't seem to have
+		 *   problems eliminating either the operators guarded
+		 *   by "if (sizeof(RC4_CHUNK)==8)" or the condition
+		 *   expressions themselves so I've got 'em to replace
+		 *   corresponding #ifdefs from the previous version;
+		 * - I chose to let the redundant switch cases when
+		 *   sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
+		 *   before);
+		 * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
+		 *   [LB]ESHFT guards against "shift is out of range"
+		 *   warnings when sizeof(RC4_CHUNK)!=8 
+		 *
+		 *			<appro@fy.chalmers.se>
+		 */
+		if (!is_endian.little)
+			{	/* BIG-ENDIAN CASE */
+# define BESHFT(c)	(((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
+			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+				{
+				ichunk  = *(RC4_CHUNK *)indata;
+				otp  = RC4_STEP<<BESHFT(0);
+				otp |= RC4_STEP<<BESHFT(1);
+				otp |= RC4_STEP<<BESHFT(2);
+				otp |= RC4_STEP<<BESHFT(3);
+				if (sizeof(RC4_CHUNK)==8)
+					{
+					otp |= RC4_STEP<<BESHFT(4);
+					otp |= RC4_STEP<<BESHFT(5);
+					otp |= RC4_STEP<<BESHFT(6);
+					otp |= RC4_STEP<<BESHFT(7);
+					}
+				*(RC4_CHUNK *)outdata = otp^ichunk;
+				indata  += sizeof(RC4_CHUNK);
+				outdata += sizeof(RC4_CHUNK);
+				}
+			if (len)
+				{
+				RC4_CHUNK mask=(RC4_CHUNK)-1, ochunk;
+
+				ichunk = *(RC4_CHUNK *)indata;
+				ochunk = *(RC4_CHUNK *)outdata;
+				otp = 0;
+				i = BESHFT(0);
+				mask <<= (sizeof(RC4_CHUNK)-len)<<3;
+				switch (len&(sizeof(RC4_CHUNK)-1))
+					{
+					case 7:	otp  = RC4_STEP<<i, i-=8;
+					case 6:	otp |= RC4_STEP<<i, i-=8;
+					case 5:	otp |= RC4_STEP<<i, i-=8;
+					case 4:	otp |= RC4_STEP<<i, i-=8;
+					case 3:	otp |= RC4_STEP<<i, i-=8;
+					case 2:	otp |= RC4_STEP<<i, i-=8;
+					case 1:	otp |= RC4_STEP<<i, i-=8;
+					case 0: ; /*
+						   * it's never the case,
+						   * but it has to be here
+						   * for ultrix?
+						   */
+					}
+				ochunk &= ~mask;
+				ochunk |= (otp^ichunk) & mask;
+				*(RC4_CHUNK *)outdata = ochunk;
+				}
+			key->x=x;     
+			key->y=y;
+			return;
+			}
+		else
+			{	/* LITTLE-ENDIAN CASE */
+# define LESHFT(c)	(((c)*8)&(sizeof(RC4_CHUNK)*8-1))
+			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+				{
+				ichunk  = *(RC4_CHUNK *)indata;
+				otp  = RC4_STEP;
+				otp |= RC4_STEP<<8;
+				otp |= RC4_STEP<<16;
+				otp |= RC4_STEP<<24;
+				if (sizeof(RC4_CHUNK)==8)
+					{
+					otp |= RC4_STEP<<LESHFT(4);
+					otp |= RC4_STEP<<LESHFT(5);
+					otp |= RC4_STEP<<LESHFT(6);
+					otp |= RC4_STEP<<LESHFT(7);
+					}
+				*(RC4_CHUNK *)outdata = otp^ichunk;
+				indata  += sizeof(RC4_CHUNK);
+				outdata += sizeof(RC4_CHUNK);
+				}
+			if (len)
+				{
+				RC4_CHUNK mask=(RC4_CHUNK)-1, ochunk;
+
+				ichunk = *(RC4_CHUNK *)indata;
+				ochunk = *(RC4_CHUNK *)outdata;
+				otp = 0;
+				i   = 0;
+				mask >>= (sizeof(RC4_CHUNK)-len)<<3;
+				switch (len&(sizeof(RC4_CHUNK)-1))
+					{
+					case 7:	otp  = RC4_STEP,    i+=8;
+					case 6:	otp |= RC4_STEP<<i, i+=8;
+					case 5:	otp |= RC4_STEP<<i, i+=8;
+					case 4:	otp |= RC4_STEP<<i, i+=8;
+					case 3:	otp |= RC4_STEP<<i, i+=8;
+					case 2:	otp |= RC4_STEP<<i, i+=8;
+					case 1:	otp |= RC4_STEP<<i, i+=8;
+					case 0: ; /*
+						   * it's never the case,
+						   * but it has to be here
+						   * for ultrix?
+						   */
+					}
+				ochunk &= ~mask;
+				ochunk |= (otp^ichunk) & mask;
+				*(RC4_CHUNK *)outdata = ochunk;
+				}
+			key->x=x;     
+			key->y=y;
+			return;
+			}
+		}
+#endif
+#define LOOP(in,out) \
+		x=((x+1)&0xff); \
+		tx=d[x]; \
+		y=(tx+y)&0xff; \
+		d[x]=ty=d[y]; \
+		d[y]=tx; \
+		(out) = d[(tx+ty)&0xff]^ (in);
+
+#ifndef RC4_INDEX
+#define RC4_LOOP(a,b,i)	LOOP(*((a)++),*((b)++))
+#else
+#define RC4_LOOP(a,b,i)	LOOP(a[i],b[i])
+#endif
+
+	i=(int)(len>>3L);
+	if (i)
+		{
+		for (;;)
+			{
+			RC4_LOOP(indata,outdata,0);
+			RC4_LOOP(indata,outdata,1);
+			RC4_LOOP(indata,outdata,2);
+			RC4_LOOP(indata,outdata,3);
+			RC4_LOOP(indata,outdata,4);
+			RC4_LOOP(indata,outdata,5);
+			RC4_LOOP(indata,outdata,6);
+			RC4_LOOP(indata,outdata,7);
+#ifdef RC4_INDEX
+			indata+=8;
+			outdata+=8;
+#endif
+			if (--i == 0) break;
+			}
+		}
+	i=(int)len&0x07;
+	if (i)
+		{
+		for (;;)
+			{
+			RC4_LOOP(indata,outdata,0); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,1); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,2); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,3); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,4); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,5); if (--i == 0) break;
+			RC4_LOOP(indata,outdata,6); if (--i == 0) break;
+			}
+		}               
+	key->x=x;     
+	key->y=y;
+	}
diff --git a/crypto/openssl/crypto/rc4/rc4_locl.h b/crypto/openssl/crypto/rc4/rc4_locl.h
new file mode 100644
index 0000000..3bb80b6
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4_locl.h
@@ -0,0 +1,4 @@
+#ifndef HEADER_RC4_LOCL_H
+#define HEADER_RC4_LOCL_H
+#include <openssl/opensslconf.h>
+#endif
diff --git a/crypto/openssl/crypto/rc4/rc4_skey.c b/crypto/openssl/crypto/rc4/rc4_skey.c
new file mode 100644
index 0000000..bb10c1e
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4_skey.c
@@ -0,0 +1,117 @@
+/* crypto/rc4/rc4_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc4.h>
+#include "rc4_locl.h"
+#include <openssl/opensslv.h>
+
+const char *RC4_version="RC4" OPENSSL_VERSION_PTEXT;
+
+const char *RC4_options(void)
+	{
+#ifdef RC4_INDEX
+	if (sizeof(RC4_INT) == 1)
+		return("rc4(idx,char)");
+	else
+		return("rc4(idx,int)");
+#else
+	if (sizeof(RC4_INT) == 1)
+		return("rc4(ptr,char)");
+	else
+		return("rc4(ptr,int)");
+#endif
+	}
+
+/* RC4 as implemented from a posting from
+ * Newsgroups: sci.crypt
+ * From: sterndark@netcom.com (David Sterndark)
+ * Subject: RC4 Algorithm revealed.
+ * Message-ID: <sternCvKL4B.Hyy@netcom.com>
+ * Date: Wed, 14 Sep 1994 06:35:31 GMT
+ */
+
+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+	{
+        register RC4_INT tmp;
+        register int id1,id2;
+        register RC4_INT *d;
+        unsigned int i;
+        
+        d= &(key->data[0]);
+	for (i=0; i<256; i++)
+		d[i]=i;
+        key->x = 0;     
+        key->y = 0;     
+        id1=id2=0;     
+
+#define SK_LOOP(n) { \
+		tmp=d[(n)]; \
+		id2 = (data[id1] + tmp + id2) & 0xff; \
+		if (++id1 == len) id1=0; \
+		d[(n)]=d[id2]; \
+		d[id2]=tmp; }
+
+	for (i=0; i < 256; i+=4)
+		{
+		SK_LOOP(i+0);
+		SK_LOOP(i+1);
+		SK_LOOP(i+2);
+		SK_LOOP(i+3);
+		}
+	}
+    
diff --git a/crypto/openssl/crypto/rc4/rc4s.cpp b/crypto/openssl/crypto/rc4/rc4s.cpp
new file mode 100644
index 0000000..3814fde
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4s.cpp
@@ -0,0 +1,73 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rc4.h>
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[1024];
+	RC4_KEY ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=64,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=256;
+	if (num > 1024-16) num=1024-16;
+	numm=num+8;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			RC4(&ctx,numm,buffer,buffer);
+			GetTSC(s1);
+			RC4(&ctx,numm,buffer,buffer);
+			GetTSC(e1);
+			GetTSC(s2);
+			RC4(&ctx,num,buffer,buffer);
+			GetTSC(e2);
+			RC4(&ctx,num,buffer,buffer);
+			}
+
+		printf("RC4 (%d bytes) %d %d (%d) - 8 bytes\n",num,
+			e1-s1,e2-s2,(e1-s1)-(e2-s2));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/rc4/rc4speed.c b/crypto/openssl/crypto/rc4/rc4speed.c
new file mode 100644
index 0000000..b448f4a
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4speed.c
@@ -0,0 +1,250 @@
+/* crypto/rc4/rc4speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/rc4.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	RC4_KEY sch;
+	double a,b,c,d;
+#ifndef SIGALRM
+	long ca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	RC4_set_key(&sch,16,key);
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			RC4(&sch,8,buf,buf);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/512;
+	cc=count*8/BUFSIZE+1;
+	printf("Doing RC4_set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing RC4_set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		RC4_set_key(&sch,16,key);
+		RC4_set_key(&sch,16,key);
+		RC4_set_key(&sch,16,key);
+		RC4_set_key(&sch,16,key);
+		}
+	d=Time_F(STOP);
+	printf("%ld RC4_set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing RC4 on %ld byte blocks for 10 seconds\n",BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing RC4 %ld times on %ld byte blocks\n",cc,BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		RC4(&sch,BUFSIZE,buf,buf);
+	d=Time_F(STOP);
+	printf("%ld RC4's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("RC4 set_key per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("RC4   bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
+
diff --git a/crypto/openssl/crypto/rc4/rc4test.c b/crypto/openssl/crypto/rc4/rc4test.c
new file mode 100644
index 0000000..3914eb6
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rc4test.c
@@ -0,0 +1,201 @@
+/* crypto/rc4/rc4test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef NO_RC4
+int main(int argc, char *argv[])
+{
+    printf("No RC4 support\n");
+    return(0);
+}
+#else
+#include <openssl/rc4.h>
+
+static unsigned char keys[7][30]={
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{4,0xef,0x01,0x23,0x45},
+	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
+	{4,0xef,0x01,0x23,0x45},
+	};
+
+static unsigned char data_len[7]={8,8,8,20,28,10};
+static unsigned char data[7][30]={
+	{0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	   0x00,0x00,0x00,0x00,0xff},
+	{0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
+	   0x12,0x34,0x56,0x78,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
+	{0},
+	};
+
+static unsigned char output[7][30]={
+	{0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00},
+	{0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00},
+	{0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00},
+	{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,
+	 0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba,
+	 0x36,0xb6,0x78,0x58,0x00},
+	{0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89,
+	 0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c,
+	 0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87,
+	 0x40,0x01,0x1e,0xcf,0x00},
+	{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00},
+	{0},
+	};
+
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	int j;
+	unsigned char *p;
+	RC4_KEY key;
+	unsigned char buf[512],obuf[512];
+
+	for (i=0; i<512; i++) buf[i]=0x01;
+
+	for (i=0; i<6; i++)
+		{
+		RC4_set_key(&key,keys[i][0],&(keys[i][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,data_len[i],&(data[i][0]),obuf);
+		if (memcmp(obuf,output[i],data_len[i]+1) != 0)
+			{
+			printf("error calculating RC4\n");
+			printf("output:");
+			for (j=0; j<data_len[i]+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[i][0]);
+			for (j=0; j<data_len[i]+1; j++)
+				printf(" %02x",*(p++));
+			printf("\n");
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		}
+	printf("test end processing ");
+	for (i=0; i<data_len[3]; i++)
+		{
+		RC4_set_key(&key,keys[3][0],&(keys[3][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,i,&(data[3][0]),obuf);
+		if ((memcmp(obuf,output[3],i) != 0) || (obuf[i] != 0))
+			{
+			printf("error in RC4 length processing\n");
+			printf("output:");
+			for (j=0; j<i+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[3][0]);
+			for (j=0; j<i; j++)
+				printf(" %02x",*(p++));
+			printf(" 00\n");
+			err++;
+			}
+		else
+			{
+			printf(".");
+			fflush(stdout);
+			}
+		}
+	printf("done\n");
+	printf("test multi-call ");
+	for (i=0; i<data_len[3]; i++)
+		{
+		RC4_set_key(&key,keys[3][0],&(keys[3][1]));
+		memset(obuf,0x00,sizeof(obuf));
+		RC4(&key,i,&(data[3][0]),obuf);
+		RC4(&key,data_len[3]-i,&(data[3][i]),&(obuf[i]));
+		if (memcmp(obuf,output[3],data_len[3]+1) != 0)
+			{
+			printf("error in RC4 multi-call processing\n");
+			printf("output:");
+			for (j=0; j<data_len[3]+1; j++)
+				printf(" %02x",obuf[j]);
+			printf("\n");
+			printf("expect:");
+			p= &(output[3][0]);
+			for (j=0; j<data_len[3]+1; j++)
+				printf(" %02x",*(p++));
+			err++;
+			}
+		else
+			{
+			printf(".");
+			fflush(stdout);
+			}
+		}
+	printf("done\n");
+	exit(err);
+	return(0);
+	}
+#endif
diff --git a/crypto/openssl/crypto/rc4/rrc4.doc b/crypto/openssl/crypto/rc4/rrc4.doc
new file mode 100644
index 0000000..2f9a953
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/rrc4.doc
@@ -0,0 +1,278 @@
+Newsgroups: sci.crypt,alt.security,comp.security.misc,alt.privacy
+Path: ghost.dsi.unimi.it!univ-lyon1.fr!jussieu.fr!zaphod.crihan.fr!warwick!clyde.open.ac.uk!strath-cs!bnr.co.uk!bt!pipex!howland.reston.ans.net!europa.eng.gtefsd.com!MathWorks.Com!yeshua.marcam.com!charnel.ecst.csuchico.edu!csusac!csus.edu!netcom.com!sterndark
+From: sterndark@netcom.com (David Sterndark)
+Subject: RC4 Algorithm revealed.
+Message-ID: <sternCvKL4B.Hyy@netcom.com>
+Sender: sterndark@netcom.com 
+Organization: NETCOM On-line Communication Services (408 261-4700 guest)
+X-Newsreader: TIN [version 1.2 PL1]
+Date: Wed, 14 Sep 1994 06:35:31 GMT
+Lines: 263
+Xref: ghost.dsi.unimi.it sci.crypt:27332 alt.security:14732 comp.security.misc:11701 alt.privacy:16026
+
+I am shocked,  shocked, I tell you,  shocked, to discover
+that the cypherpunks have illegaly and criminally revealed
+a crucial RSA trade secret and harmed the security of
+America by reverse engineering the RC4 algorithm and
+publishing it to the world.
+ 
+On Saturday morning an anonymous cypherpunk wrote:
+ 
+ 
+   SUBJECT:  RC4 Source Code
+ 
+ 
+   I've tested this.  It is compatible with the RC4 object module
+   that comes in the various RSA toolkits.  
+ 
+   /* rc4.h */
+   typedef struct rc4_key
+   {      
+        unsigned char state[256];       
+        unsigned char x;        
+        unsigned char y;
+   } rc4_key;
+   void prepare_key(unsigned char *key_data_ptr,int key_data_len,
+   rc4_key *key);
+   void rc4(unsigned char *buffer_ptr,int buffer_len,rc4_key * key);
+   
+   
+   /*rc4.c */
+   #include "rc4.h"
+   static void swap_byte(unsigned char *a, unsigned char *b);
+   void prepare_key(unsigned char *key_data_ptr, int key_data_len,
+   rc4_key *key)
+   {
+        unsigned char swapByte;
+        unsigned char index1;
+        unsigned char index2;
+        unsigned char* state;
+        short counter;     
+        
+        state = &key->state[0];         
+        for(counter = 0; counter < 256; counter++)              
+        state[counter] = counter;               
+        key->x = 0;     
+        key->y = 0;     
+        index1 = 0;     
+        index2 = 0;             
+        for(counter = 0; counter < 256; counter++)      
+        {               
+             index2 = (key_data_ptr[index1] + state[counter] +
+                index2) % 256;                
+             swap_byte(&state[counter], &state[index2]);            
+   
+             index1 = (index1 + 1) % key_data_len;  
+        }       
+    }
+    
+    void rc4(unsigned char *buffer_ptr, int buffer_len, rc4_key *key)
+    { 
+        unsigned char x;
+        unsigned char y;
+        unsigned char* state;
+        unsigned char xorIndex;
+        short counter;              
+        
+        x = key->x;     
+        y = key->y;     
+        
+        state = &key->state[0];         
+        for(counter = 0; counter < buffer_len; counter ++)      
+        {               
+             x = (x + 1) % 256;                      
+             y = (state[x] + y) % 256;               
+             swap_byte(&state[x], &state[y]);                        
+                  
+             xorIndex = (state[x] + state[y]) % 256;                 
+                  
+             buffer_ptr[counter] ^= state[xorIndex];         
+         }               
+         key->x = x;     
+         key->y = y;
+    }
+    
+    static void swap_byte(unsigned char *a, unsigned char *b)
+    {
+        unsigned char swapByte; 
+        
+        swapByte = *a; 
+        *a = *b;      
+        *b = swapByte;
+    }
+ 
+ 
+ 
+Another cypherpunk, this one not anonymous, tested the
+output from this algorithm against the output from
+official RC4 object code
+ 
+ 
+   Date: Tue, 13 Sep 94 18:37:56 PDT
+   From: ekr@eit.COM (Eric Rescorla)
+   Message-Id: <9409140137.AA17743@eitech.eit.com>
+   Subject: RC4 compatibility testing
+   Cc: cypherpunks@toad.com
+   
+   One data point:
+   
+   I can't say anything about the internals of RC4 versus the
+   algorithm that Bill Sommerfeld is rightly calling 'Alleged RC4',
+   since I don't know anything about RC4's internals. 
+   
+   However, I do have a (legitimately acquired) copy of BSAFE2 and
+   so I'm able to compare the output of this algorithm to the output
+   of genuine RC4 as found in BSAFE. I chose a set of test vectors
+   and ran them through both algorithms. The algorithms appear to
+   give identical results, at least with these key/plaintext pairs.
+   
+   I note that this is the algorithm _without_ Hal Finney's
+   proposed modification
+   
+   (see <199409130605.XAA24133@jobe.shell.portal.com>).
+   
+   The vectors I used (together with the ciphertext they produce)
+   follow at the end of this message.
+   
+   -Ekr
+   
+   Disclaimer: This posting does not reflect the opinions of EIT.
+   
+   --------------------results follow--------------
+   Test vector 0
+   Key: 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef 
+   Input: 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef 
+   0 Output: 0x75 0xb7 0x87 0x80 0x99 0xe0 0xc5 0x96 
+   
+   Test vector 1
+   Key: 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef 
+   Input: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
+   0 Output: 0x74 0x94 0xc2 0xe7 0x10 0x4b 0x08 0x79 
+   
+   Test vector 2
+   Key: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
+   Input: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
+   0 Output: 0xde 0x18 0x89 0x41 0xa3 0x37 0x5d 0x3a 
+   
+   Test vector 3
+   Key: 0xef 0x01 0x23 0x45 
+   Input: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
+   0 Output: 0xd6 0xa1 0x41 0xa7 0xec 0x3c 0x38 0xdf 0xbd 0x61 
+   
+   Test vector 4
+   Key: 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef 
+   Input: 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 
+   0x01 
+   0 Output: 0x75 0x95 0xc3 0xe6 0x11 0x4a 0x09 0x78 0x0c 0x4a 0xd4 
+   0x52 0x33 0x8e 0x1f 0xfd 0x9a 0x1b 0xe9 0x49 0x8f 
+   0x81 0x3d 0x76 0x53 0x34 0x49 0xb6 0x77 0x8d 0xca 
+   0xd8 0xc7 0x8a 0x8d 0x2b 0xa9 0xac 0x66 0x08 0x5d 
+   0x0e 0x53 0xd5 0x9c 0x26 0xc2 0xd1 0xc4 0x90 0xc1 
+   0xeb 0xbe 0x0c 0xe6 0x6d 0x1b 0x6b 0x1b 0x13 0xb6 
+   0xb9 0x19 0xb8 0x47 0xc2 0x5a 0x91 0x44 0x7a 0x95 
+   0xe7 0x5e 0x4e 0xf1 0x67 0x79 0xcd 0xe8 0xbf 0x0a 
+   0x95 0x85 0x0e 0x32 0xaf 0x96 0x89 0x44 0x4f 0xd3 
+   0x77 0x10 0x8f 0x98 0xfd 0xcb 0xd4 0xe7 0x26 0x56 
+   0x75 0x00 0x99 0x0b 0xcc 0x7e 0x0c 0xa3 0xc4 0xaa 
+   0xa3 0x04 0xa3 0x87 0xd2 0x0f 0x3b 0x8f 0xbb 0xcd 
+   0x42 0xa1 0xbd 0x31 0x1d 0x7a 0x43 0x03 0xdd 0xa5 
+   0xab 0x07 0x88 0x96 0xae 0x80 0xc1 0x8b 0x0a 0xf6 
+   0x6d 0xff 0x31 0x96 0x16 0xeb 0x78 0x4e 0x49 0x5a 
+   0xd2 0xce 0x90 0xd7 0xf7 0x72 0xa8 0x17 0x47 0xb6 
+   0x5f 0x62 0x09 0x3b 0x1e 0x0d 0xb9 0xe5 0xba 0x53 
+   0x2f 0xaf 0xec 0x47 0x50 0x83 0x23 0xe6 0x71 0x32 
+   0x7d 0xf9 0x44 0x44 0x32 0xcb 0x73 0x67 0xce 0xc8 
+   0x2f 0x5d 0x44 0xc0 0xd0 0x0b 0x67 0xd6 0x50 0xa0 
+   0x75 0xcd 0x4b 0x70 0xde 0xdd 0x77 0xeb 0x9b 0x10 
+   0x23 0x1b 0x6b 0x5b 0x74 0x13 0x47 0x39 0x6d 0x62 
+   0x89 0x74 0x21 0xd4 0x3d 0xf9 0xb4 0x2e 0x44 0x6e 
+   0x35 0x8e 0x9c 0x11 0xa9 0xb2 0x18 0x4e 0xcb 0xef 
+   0x0c 0xd8 0xe7 0xa8 0x77 0xef 0x96 0x8f 0x13 0x90 
+   0xec 0x9b 0x3d 0x35 0xa5 0x58 0x5c 0xb0 0x09 0x29 
+   0x0e 0x2f 0xcd 0xe7 0xb5 0xec 0x66 0xd9 0x08 0x4b 
+   0xe4 0x40 0x55 0xa6 0x19 0xd9 0xdd 0x7f 0xc3 0x16 
+   0x6f 0x94 0x87 0xf7 0xcb 0x27 0x29 0x12 0x42 0x64 
+   0x45 0x99 0x85 0x14 0xc1 0x5d 0x53 0xa1 0x8c 0x86 
+   0x4c 0xe3 0xa2 0xb7 0x55 0x57 0x93 0x98 0x81 0x26 
+   0x52 0x0e 0xac 0xf2 0xe3 0x06 0x6e 0x23 0x0c 0x91 
+   0xbe 0xe4 0xdd 0x53 0x04 0xf5 0xfd 0x04 0x05 0xb3 
+   0x5b 0xd9 0x9c 0x73 0x13 0x5d 0x3d 0x9b 0xc3 0x35 
+   0xee 0x04 0x9e 0xf6 0x9b 0x38 0x67 0xbf 0x2d 0x7b 
+   0xd1 0xea 0xa5 0x95 0xd8 0xbf 0xc0 0x06 0x6f 0xf8 
+   0xd3 0x15 0x09 0xeb 0x0c 0x6c 0xaa 0x00 0x6c 0x80 
+   0x7a 0x62 0x3e 0xf8 0x4c 0x3d 0x33 0xc1 0x95 0xd2 
+   0x3e 0xe3 0x20 0xc4 0x0d 0xe0 0x55 0x81 0x57 0xc8 
+   0x22 0xd4 0xb8 0xc5 0x69 0xd8 0x49 0xae 0xd5 0x9d 
+   0x4e 0x0f 0xd7 0xf3 0x79 0x58 0x6b 0x4b 0x7f 0xf6 
+   0x84 0xed 0x6a 0x18 0x9f 0x74 0x86 0xd4 0x9b 0x9c 
+   0x4b 0xad 0x9b 0xa2 0x4b 0x96 0xab 0xf9 0x24 0x37 
+   0x2c 0x8a 0x8f 0xff 0xb1 0x0d 0x55 0x35 0x49 0x00 
+   0xa7 0x7a 0x3d 0xb5 0xf2 0x05 0xe1 0xb9 0x9f 0xcd 
+   0x86 0x60 0x86 0x3a 0x15 0x9a 0xd4 0xab 0xe4 0x0f 
+   0xa4 0x89 0x34 0x16 0x3d 0xdd 0xe5 0x42 0xa6 0x58 
+   0x55 0x40 0xfd 0x68 0x3c 0xbf 0xd8 0xc0 0x0f 0x12 
+   0x12 0x9a 0x28 0x4d 0xea 0xcc 0x4c 0xde 0xfe 0x58 
+   0xbe 0x71 0x37 0x54 0x1c 0x04 0x71 0x26 0xc8 0xd4 
+   0x9e 0x27 0x55 0xab 0x18 0x1a 0xb7 0xe9 0x40 0xb0 
+   0xc0 
+   
+
+
+-- 
+ ---------------------------------------------------------------------
+We have the right to defend ourselves and our
+property, because of the kind of animals that we              James A. Donald
+are.  True law derives from this right, not from
+the arbitrary power of the omnipotent state.                jamesd@netcom.com
+
+
diff --git a/crypto/openssl/crypto/rc5/Makefile.save b/crypto/openssl/crypto/rc5/Makefile.save
new file mode 100644
index 0000000..3d16856
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/Makefile.save
@@ -0,0 +1,112 @@
+#
+# SSLeay/crypto/rc5/Makefile
+#
+
+DIR=	rc5
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+RC5_ENC=		rc5_enc.o
+# or use
+#DES_ENC=	r586-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc5test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc5_skey.c rc5_ecb.c rc5_enc.c rc5cfb64.c rc5ofb64.c 
+LIBOBJ=rc5_skey.o rc5_ecb.o $(RC5_ENC) rc5cfb64.o rc5ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc5.h
+HEADER=	rc5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/r586-elf.o: asm/r586unix.cpp
+	$(CPP) -DELF -x c asm/r586unix.cpp | as -o asm/r586-elf.o
+
+# solaris
+asm/r586-sol.o: asm/r586unix.cpp
+	$(CC) -E -DSOL asm/r586unix.cpp | sed 's/^#.*//' > asm/r586-sol.s
+	as -o asm/r586-sol.o asm/r586-sol.s
+	rm -f asm/r586-sol.s
+
+# a.out
+asm/r586-out.o: asm/r586unix.cpp
+	$(CPP) -DOUT asm/r586unix.cpp | as -o asm/r586-out.o
+
+# bsdi
+asm/r586bsdi.o: asm/r586unix.cpp
+	$(CPP) -DBSDI asm/r586unix.cpp | sed 's/ :/:/' | as -o asm/r586bsdi.o
+
+asm/r586unix.cpp: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) rc5-586.pl cpp >r586unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/r586unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
+rc5_ecb.o: rc5_locl.h
+rc5_enc.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h
diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl
new file mode 100644
index 0000000..3d16856
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/Makefile.ssl
@@ -0,0 +1,112 @@
+#
+# SSLeay/crypto/rc5/Makefile
+#
+
+DIR=	rc5
+TOP=	../..
+CC=	cc
+CPP=	$(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+RC5_ENC=		rc5_enc.o
+# or use
+#DES_ENC=	r586-elf.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc5test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rc5_skey.c rc5_ecb.c rc5_enc.c rc5cfb64.c rc5ofb64.c 
+LIBOBJ=rc5_skey.o rc5_ecb.o $(RC5_ENC) rc5cfb64.o rc5ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc5.h
+HEADER=	rc5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/r586-elf.o: asm/r586unix.cpp
+	$(CPP) -DELF -x c asm/r586unix.cpp | as -o asm/r586-elf.o
+
+# solaris
+asm/r586-sol.o: asm/r586unix.cpp
+	$(CC) -E -DSOL asm/r586unix.cpp | sed 's/^#.*//' > asm/r586-sol.s
+	as -o asm/r586-sol.o asm/r586-sol.s
+	rm -f asm/r586-sol.s
+
+# a.out
+asm/r586-out.o: asm/r586unix.cpp
+	$(CPP) -DOUT asm/r586unix.cpp | as -o asm/r586-out.o
+
+# bsdi
+asm/r586bsdi.o: asm/r586unix.cpp
+	$(CPP) -DBSDI asm/r586unix.cpp | sed 's/ :/:/' | as -o asm/r586bsdi.o
+
+asm/r586unix.cpp: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) rc5-586.pl cpp >r586unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/r586unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
+rc5_ecb.o: rc5_locl.h
+rc5_enc.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h
diff --git a/crypto/openssl/crypto/rc5/Makefile.uni b/crypto/openssl/crypto/rc5/Makefile.uni
new file mode 100644
index 0000000..4dc20c6
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/Makefile.uni
@@ -0,0 +1,73 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+
+DIR=    rc2
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+RANLIB=         ranlib
+
+IDEA_ENC=rc2_cbc.o
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rc2test
+APPS=rc2speed
+
+LIB=librc2.a
+LIBSRC=rc2_skey.c rc2_ecb.c rc2_cbc.c rc2cfb64.c rc2ofb64.c
+LIBOBJ=rc2_skey.o rc2_ecb.o $(IDEA_ENC) rc2cfb64.o rc2ofb64.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rc2.h
+HEADER= rc2_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/rc5/asm/rc5-586.pl b/crypto/openssl/crypto/rc5/asm/rc5-586.pl
new file mode 100644
index 0000000..edff1d1
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/asm/rc5-586.pl
@@ -0,0 +1,109 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+
+&asm_init($ARGV[0],"rc5-586.pl");
+
+$RC5_MAX_ROUNDS=16;
+$RC5_32_OFF=($RC5_MAX_ROUNDS+2)*4;
+$A="edi";
+$B="esi";
+$S="ebp";
+$tmp1="eax";
+$r="ebx";
+$tmpc="ecx";
+$tmp4="edx";
+
+&RC5_32_encrypt("RC5_32_encrypt",1);
+&RC5_32_encrypt("RC5_32_decrypt",0);
+&cbc("RC5_32_cbc_encrypt","RC5_32_encrypt","RC5_32_decrypt",0,4,5,3,-1,-1);
+&asm_finish();
+
+sub RC5_32_encrypt
+	{
+	local($name,$enc)=@_;
+
+	&function_begin_B($name,"");
+
+	&comment("");
+
+	&push("ebp");
+	 &push("esi");
+	&push("edi");
+	 &mov($tmp4,&wparam(0));
+	&mov($S,&wparam(1));
+
+	&comment("Load the 2 words");
+	 &mov($A,&DWP(0,$tmp4,"",0));
+	&mov($B,&DWP(4,$tmp4,"",0));
+
+	&push($r);
+	 &mov($r,	&DWP(0,$S,"",0));
+
+	# encrypting part
+
+	if ($enc)
+		{
+		 &add($A,	&DWP(4+0,$S,"",0));
+		&add($B,	&DWP(4+4,$S,"",0));
+
+		for ($i=0; $i<$RC5_MAX_ROUNDS; $i++)
+			{
+			 &xor($A,	$B);
+			&mov($tmp1,	&DWP(12+$i*8,$S,"",0));
+			 &mov($tmpc,	$B);
+			&rotl($A,	&LB("ecx"));
+			&add($A,	$tmp1);
+
+			 &xor($B,	$A);
+			&mov($tmp1,	&DWP(16+$i*8,$S,"",0));
+			 &mov($tmpc,	$A);
+			&rotl($B,	&LB("ecx"));
+			&add($B,	$tmp1);
+			if (($i == 7) || ($i == 11))
+				{
+			 &cmp($r,	$i+1);
+			&je(&label("rc5_exit"));
+				}
+			}
+		}
+	else
+		{
+		 &cmp($r,	12);
+		&je(&label("rc5_dec_12"));
+		 &cmp($r,	8);
+		&je(&label("rc5_dec_8"));
+		for ($i=$RC5_MAX_ROUNDS; $i > 0; $i--)
+			{
+			&set_label("rc5_dec_$i") if ($i == 12) || ($i == 8);
+			 &mov($tmp1,	&DWP($i*8+8,$S,"",0));
+			&sub($B,	$tmp1);
+			 &mov($tmpc,	$A);
+			&rotr($B,	&LB("ecx"));
+			&xor($B,	$A);
+
+			 &mov($tmp1,	&DWP($i*8+4,$S,"",0));
+			&sub($A,	$tmp1);
+			 &mov($tmpc,	$B);
+			&rotr($A,	&LB("ecx"));
+			&xor($A,	$B);
+			}
+		 &sub($B,	&DWP(4+4,$S,"",0));
+		&sub($A,	&DWP(4+0,$S,"",0));
+		}
+
+	&set_label("rc5_exit");
+	 &mov(&DWP(0,$tmp4,"",0),$A);
+	&mov(&DWP(4,$tmp4,"",0),$B);
+
+	 &pop("ebx");
+	&pop("edi");
+	 &pop("esi");
+	&pop("ebp");
+	 &ret();
+	&function_end_B($name);
+	}
+
+
diff --git a/crypto/openssl/crypto/rc5/rc5.h b/crypto/openssl/crypto/rc5/rc5.h
new file mode 100644
index 0000000..38e9015
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5.h
@@ -0,0 +1,113 @@
+/* crypto/rc5/rc5.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC5_H
+#define HEADER_RC5_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC5
+#error RC5 is disabled.
+#endif
+
+#define RC5_ENCRYPT	1
+#define RC5_DECRYPT	0
+
+/* 32 bit.  For Alpha, things may get weird */
+#define RC5_32_INT unsigned long
+
+#define RC5_32_BLOCK		8
+#define RC5_32_KEY_LENGTH	16 /* This is a default, max is 255 */
+
+/* This are the only values supported.  Tweak the code if you want more
+ * The most supported modes will be
+ * RC5-32/12/16
+ * RC5-32/16/8
+ */
+#define RC5_8_ROUNDS	8
+#define RC5_12_ROUNDS	12
+#define RC5_16_ROUNDS	16
+
+typedef struct rc5_key_st
+	{
+	/* Number of rounds */
+	int rounds;
+	RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
+	} RC5_32_KEY;
+
+ 
+void RC5_32_set_key(RC5_32_KEY *key, int len, unsigned char *data,
+	int rounds);
+void RC5_32_ecb_encrypt(unsigned char *in,unsigned char *out,RC5_32_KEY *key,
+	int enc);
+void RC5_32_encrypt(unsigned long *data,RC5_32_KEY *key);
+void RC5_32_decrypt(unsigned long *data,RC5_32_KEY *key);
+void RC5_32_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC5_32_KEY *ks, unsigned char *iv, int enc);
+void RC5_32_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC5_32_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void RC5_32_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	RC5_32_KEY *schedule, unsigned char *ivec, int *num);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/rc5/rc5_ecb.c b/crypto/openssl/crypto/rc5/rc5_ecb.c
new file mode 100644
index 0000000..17e877a
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5_ecb.c
@@ -0,0 +1,80 @@
+/* crypto/rc5/rc5_ecb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc5.h>
+#include "rc5_locl.h"
+#include <openssl/opensslv.h>
+
+char *RC5_version="RC5" OPENSSL_VERSION_PTEXT;
+
+void RC5_32_ecb_encrypt(unsigned char *in, unsigned char *out, RC5_32_KEY *ks,
+	     int encrypt)
+	{
+	unsigned long l,d[2];
+
+	c2l(in,l); d[0]=l;
+	c2l(in,l); d[1]=l;
+	if (encrypt)
+		RC5_32_encrypt(d,ks);
+	else
+		RC5_32_decrypt(d,ks);
+	l=d[0]; l2c(l,out);
+	l=d[1]; l2c(l,out);
+	l=d[0]=d[1]=0;
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5_enc.c b/crypto/openssl/crypto/rc5/rc5_enc.c
new file mode 100644
index 0000000..1124fd2
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5_enc.c
@@ -0,0 +1,214 @@
+/* crypto/rc5/rc5_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/rc5.h>
+#include "rc5_locl.h"
+
+void RC5_32_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC5_32_KEY *ks, unsigned char *iv, int encrypt)
+	{
+	register unsigned long tin0,tin1;
+	register unsigned long tout0,tout1,xor0,xor1;
+	register long l=length;
+	unsigned long tin[2];
+
+	if (encrypt)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			RC5_32_encrypt(tin,ks);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+			tin[0]=tin0;
+			tin[1]=tin1;
+			RC5_32_encrypt(tin,ks);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		iv-=8;
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			RC5_32_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			RC5_32_decrypt(tin,ks);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+void RC5_32_encrypt(unsigned long *d, RC5_32_KEY *key)
+	{
+	RC5_32_INT a,b,*s;
+
+	s=key->data;
+
+	a=d[0]+s[0];
+	b=d[1]+s[1];
+	E_RC5_32(a,b,s, 2);
+	E_RC5_32(a,b,s, 4);
+	E_RC5_32(a,b,s, 6);
+	E_RC5_32(a,b,s, 8);
+	E_RC5_32(a,b,s,10);
+	E_RC5_32(a,b,s,12);
+	E_RC5_32(a,b,s,14);
+	E_RC5_32(a,b,s,16);
+	if (key->rounds == 12)
+		{
+		E_RC5_32(a,b,s,18);
+		E_RC5_32(a,b,s,20);
+		E_RC5_32(a,b,s,22);
+		E_RC5_32(a,b,s,24);
+		}
+	else if (key->rounds == 16)
+		{
+		/* Do a full expansion to avoid a jump */
+		E_RC5_32(a,b,s,18);
+		E_RC5_32(a,b,s,20);
+		E_RC5_32(a,b,s,22);
+		E_RC5_32(a,b,s,24);
+		E_RC5_32(a,b,s,26);
+		E_RC5_32(a,b,s,28);
+		E_RC5_32(a,b,s,30);
+		E_RC5_32(a,b,s,32);
+		}
+	d[0]=a;
+	d[1]=b;
+	}
+
+void RC5_32_decrypt(unsigned long *d, RC5_32_KEY *key)
+	{
+	RC5_32_INT a,b,*s;
+
+	s=key->data;
+
+	a=d[0];
+	b=d[1];
+	if (key->rounds == 16) 
+		{
+		D_RC5_32(a,b,s,32);
+		D_RC5_32(a,b,s,30);
+		D_RC5_32(a,b,s,28);
+		D_RC5_32(a,b,s,26);
+		/* Do a full expansion to avoid a jump */
+		D_RC5_32(a,b,s,24);
+		D_RC5_32(a,b,s,22);
+		D_RC5_32(a,b,s,20);
+		D_RC5_32(a,b,s,18);
+		}
+	else if (key->rounds == 12)
+		{
+		D_RC5_32(a,b,s,24);
+		D_RC5_32(a,b,s,22);
+		D_RC5_32(a,b,s,20);
+		D_RC5_32(a,b,s,18);
+		}
+	D_RC5_32(a,b,s,16);
+	D_RC5_32(a,b,s,14);
+	D_RC5_32(a,b,s,12);
+	D_RC5_32(a,b,s,10);
+	D_RC5_32(a,b,s, 8);
+	D_RC5_32(a,b,s, 6);
+	D_RC5_32(a,b,s, 4);
+	D_RC5_32(a,b,s, 2);
+	d[0]=a-s[0];
+	d[1]=b-s[1];
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5_locl.h b/crypto/openssl/crypto/rc5/rc5_locl.h
new file mode 100644
index 0000000..ec33829
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5_locl.h
@@ -0,0 +1,187 @@
+/* crypto/rc5/rc5_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+#if defined(WIN32) && defined(_MSC_VER)
+#define ROTATE_l32(a,n)     _lrotl(a,n)
+#define ROTATE_r32(a,n)     _lrotr(a,n)
+#else
+#define ROTATE_l32(a,n)     (((a)<<(n&0x1f))|(((a)&0xffffffff)>>(32-(n&0x1f))))
+#define ROTATE_r32(a,n)     (((a)<<(32-(n&0x1f)))|(((a)&0xffffffff)>>(n&0x1f)))
+#endif
+
+#define RC5_32_MASK	0xffffffffL
+
+#define RC5_16_P	0xB7E1
+#define RC5_16_Q	0x9E37
+#define RC5_32_P	0xB7E15163L
+#define RC5_32_Q	0x9E3779B9L
+#define RC5_64_P	0xB7E151628AED2A6BLL
+#define RC5_64_Q	0x9E3779B97F4A7C15LL
+
+#define E_RC5_32(a,b,s,n) \
+	a^=b; \
+	a=ROTATE_l32(a,b); \
+	a+=s[n]; \
+	a&=RC5_32_MASK; \
+	b^=a; \
+	b=ROTATE_l32(b,a); \
+	b+=s[n+1]; \
+	b&=RC5_32_MASK;
+
+#define D_RC5_32(a,b,s,n) \
+	b-=s[n+1]; \
+	b&=RC5_32_MASK; \
+	b=ROTATE_r32(b,a); \
+	b^=a; \
+	a-=s[n]; \
+	a&=RC5_32_MASK; \
+	a=ROTATE_r32(a,b); \
+	a^=b;
+
+
+
diff --git a/crypto/openssl/crypto/rc5/rc5_skey.c b/crypto/openssl/crypto/rc5/rc5_skey.c
new file mode 100644
index 0000000..64e1348
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5_skey.c
@@ -0,0 +1,113 @@
+/* crypto/rc5/rc5_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc5.h>
+#include "rc5_locl.h"
+
+void RC5_32_set_key(RC5_32_KEY *key, int len, unsigned char *data,
+	     int rounds)
+	{
+	RC5_32_INT L[64],l,ll,A,B,*S,k;
+	int i,j,m,c,t,ii,jj;
+
+	if (	(rounds != RC5_16_ROUNDS) &&
+		(rounds != RC5_12_ROUNDS) &&
+		(rounds != RC5_8_ROUNDS))
+		rounds=RC5_16_ROUNDS;
+
+	key->rounds=rounds;
+	S= &(key->data[0]);
+	j=0;
+	for (i=0; i<=(len-8); i+=8)
+		{
+		c2l(data,l);
+		L[j++]=l;
+		c2l(data,l);
+		L[j++]=l;
+		}
+	ii=len-i;
+	if (ii)
+		{
+		k=len&0x07;
+		c2ln(data,l,ll,k);
+		L[j+0]=l;
+		L[j+1]=ll;
+		}
+
+	c=(len+3)/4;
+	t=(rounds+1)*2;
+	S[0]=RC5_32_P;
+	for (i=1; i<t; i++)
+		S[i]=(S[i-1]+RC5_32_Q)&RC5_32_MASK;
+
+	j=(t>c)?t:c;
+	j*=3;
+	ii=jj=0;
+	A=B=0;
+	for (i=0; i<j; i++)
+		{
+		k=(S[ii]+A+B)&RC5_32_MASK;
+		A=S[ii]=ROTATE_l32(k,3);
+		m=(int)(A+B);
+		k=(L[jj]+A+B)&RC5_32_MASK;
+		B=L[jj]=ROTATE_l32(k,m);
+		if (++ii >= t) ii=0;
+		if (++jj >= c) jj=0;
+		}
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5cfb64.c b/crypto/openssl/crypto/rc5/rc5cfb64.c
new file mode 100644
index 0000000..55e0308
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5cfb64.c
@@ -0,0 +1,121 @@
+/* crypto/rc5/rc5cfb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc5.h>
+#include "rc5_locl.h"
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+
+void RC5_32_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC5_32_KEY *schedule, unsigned char *ivec, int *num, int encrypt)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned long ti[2];
+	unsigned char *iv,c,cc;
+
+	iv=(unsigned char *)ivec;
+	if (encrypt)
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				RC5_32_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2c(t,iv);
+				t=ti[1]; l2c(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			c= *(in++)^iv[n];
+			*(out++)=c;
+			iv[n]=c;
+			n=(n+1)&0x07;
+			}
+		}
+	else
+		{
+		while (l--)
+			{
+			if (n == 0)
+				{
+				c2l(iv,v0); ti[0]=v0;
+				c2l(iv,v1); ti[1]=v1;
+				RC5_32_encrypt((unsigned long *)ti,schedule);
+				iv=(unsigned char *)ivec;
+				t=ti[0]; l2c(t,iv);
+				t=ti[1]; l2c(t,iv);
+				iv=(unsigned char *)ivec;
+				}
+			cc= *(in++);
+			c=iv[n];
+			iv[n]=cc;
+			*(out++)=c^cc;
+			n=(n+1)&0x07;
+			}
+		}
+	v0=v1=ti[0]=ti[1]=t=c=cc=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5ofb64.c b/crypto/openssl/crypto/rc5/rc5ofb64.c
new file mode 100644
index 0000000..fd2ecdd
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5ofb64.c
@@ -0,0 +1,110 @@
+/* crypto/rc5/rc5ofb64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/rc5.h>
+#include "rc5_locl.h"
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void RC5_32_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	     RC5_32_KEY *schedule, unsigned char *ivec, int *num)
+	{
+	register unsigned long v0,v1,t;
+	register int n= *num;
+	register long l=length;
+	unsigned char d[8];
+	register char *dp;
+	unsigned long ti[2];
+	unsigned char *iv;
+	int save=0;
+
+	iv=(unsigned char *)ivec;
+	c2l(iv,v0);
+	c2l(iv,v1);
+	ti[0]=v0;
+	ti[1]=v1;
+	dp=(char *)d;
+	l2c(v0,dp);
+	l2c(v1,dp);
+	while (l--)
+		{
+		if (n == 0)
+			{
+			RC5_32_encrypt((unsigned long *)ti,schedule);
+			dp=(char *)d;
+			t=ti[0]; l2c(t,dp);
+			t=ti[1]; l2c(t,dp);
+			save++;
+			}
+		*(out++)= *(in++)^d[n];
+		n=(n+1)&0x07;
+		}
+	if (save)
+		{
+		v0=ti[0];
+		v1=ti[1];
+		iv=(unsigned char *)ivec;
+		l2c(v0,iv);
+		l2c(v1,iv);
+		}
+	t=v0=v1=ti[0]=ti[1]=0;
+	*num=n;
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5s.cpp b/crypto/openssl/crypto/rc5/rc5s.cpp
new file mode 100644
index 0000000..1c5518b
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5s.cpp
@@ -0,0 +1,70 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rc5.h>
+
+void main(int argc,char *argv[])
+	{
+	RC5_32_KEY key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+	static unsigned char d[16]={0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
+
+	RC5_32_set_key(&key, 16,d,12);
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			RC5_32_encrypt(&data[0],&key);
+			GetTSC(s1);
+			RC5_32_encrypt(&data[0],&key);
+			RC5_32_encrypt(&data[0],&key);
+			RC5_32_encrypt(&data[0],&key);
+			GetTSC(e1);
+			GetTSC(s2);
+			RC5_32_encrypt(&data[0],&key);
+			RC5_32_encrypt(&data[0],&key);
+			RC5_32_encrypt(&data[0],&key);
+			RC5_32_encrypt(&data[0],&key);
+			GetTSC(e2);
+			RC5_32_encrypt(&data[0],&key);
+			}
+
+		printf("cast %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/crypto/rc5/rc5speed.c b/crypto/openssl/crypto/rc5/rc5speed.c
new file mode 100644
index 0000000..05f5e0f
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5speed.c
@@ -0,0 +1,274 @@
+/* crypto/rc5/rc5speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#define TIMES
+#endif
+
+#include <stdio.h>
+
+#include <openssl/e_os2.h>
+#include OPENSSL_UNISTD_IO
+OPENSSL_DECLARE_EXIT
+
+#include <signal.h>
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include <openssl/rc5.h>
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+#ifndef CLK_TCK
+#define HZ	100.0
+#else /* CLK_TCK */
+#define HZ ((double)CLK_TCK)
+#endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+double Time_F(int s);
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+SIGRETTYPE sig_done(int sig);
+SIGRETTYPE sig_done(int sig)
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(int s)
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+int main(int argc, char **argv)
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static unsigned char key[] ={
+			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
+			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
+			};
+	RC5_32_KEY sch;
+	double a,b,c,d;
+#ifndef SIGALRM
+	long ca,cb,cc;
+#endif
+
+#ifndef TIMES
+	printf("To get the most accurate results, try to run this\n");
+	printf("program when this computer is idle.\n");
+#endif
+
+#ifndef SIGALRM
+	printf("First we calculate the approximate speed ...\n");
+	RC5_32_set_key(&sch,16,key,12);
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			RC5_32_encrypt(data,&sch);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count/512;
+	cb=count;
+	cc=count*8/BUFSIZE+1;
+	printf("Doing RC5_32_set_key %ld times\n",ca);
+#define COND(d)	(count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c)	(run)
+#define COUNT(d) (count)
+	signal(SIGALRM,sig_done);
+	printf("Doing RC5_32_set_key for 10 seconds\n");
+	alarm(10);
+#endif
+
+	Time_F(START);
+	for (count=0,run=1; COND(ca); count+=4)
+		{
+		RC5_32_set_key(&sch,16,key,12);
+		RC5_32_set_key(&sch,16,key,12);
+		RC5_32_set_key(&sch,16,key,12);
+		RC5_32_set_key(&sch,16,key,12);
+		}
+	d=Time_F(STOP);
+	printf("%ld RC5_32_set_key's in %.2f seconds\n",count,d);
+	a=((double)COUNT(ca))/d;
+
+#ifdef SIGALRM
+	printf("Doing RC5_32_encrypt's for 10 seconds\n");
+	alarm(10);
+#else
+	printf("Doing RC5_32_encrypt %ld times\n",cb);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cb); count+=4)
+		{
+		unsigned long data[2];
+
+		RC5_32_encrypt(data,&sch);
+		RC5_32_encrypt(data,&sch);
+		RC5_32_encrypt(data,&sch);
+		RC5_32_encrypt(data,&sch);
+		}
+	d=Time_F(STOP);
+	printf("%ld RC5_32_encrypt's in %.2f second\n",count,d);
+	b=((double)COUNT(cb)*8)/d;
+
+#ifdef SIGALRM
+	printf("Doing RC5_32_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+		BUFSIZE);
+	alarm(10);
+#else
+	printf("Doing RC5_32_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+		BUFSIZE);
+#endif
+	Time_F(START);
+	for (count=0,run=1; COND(cc); count++)
+		RC5_32_cbc_encrypt(buf,buf,BUFSIZE,&sch,
+			&(key[0]),RC5_ENCRYPT);
+	d=Time_F(STOP);
+	printf("%ld RC5_32_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+		count,BUFSIZE,d);
+	c=((double)COUNT(cc)*BUFSIZE)/d;
+
+	printf("RC5_32/12/16 set_key       per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
+	printf("RC5_32/12/16 raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
+	printf("RC5_32/12/16 cbc     bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
diff --git a/crypto/openssl/crypto/rc5/rc5test.c b/crypto/openssl/crypto/rc5/rc5test.c
new file mode 100644
index 0000000..634ceac
--- /dev/null
+++ b/crypto/openssl/crypto/rc5/rc5test.c
@@ -0,0 +1,384 @@
+/* crypto/rc5/rc5test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* This has been a quickly hacked 'ideatest.c'.  When I add tests for other
+ * RC5 modes, more of the code will be uncommented. */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_RC5
+int main(int argc, char *argv[])
+{
+    printf("No RC5 support\n");
+    return(0);
+}
+#else
+#include <openssl/rc5.h>
+
+static unsigned char RC5key[5][16]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x91,0x5f,0x46,0x19,0xbe,0x41,0xb2,0x51,
+	 0x63,0x55,0xa5,0x01,0x10,0xa9,0xce,0x91},
+	{0x78,0x33,0x48,0xe7,0x5a,0xeb,0x0f,0x2f,
+	 0xd7,0xb1,0x69,0xbb,0x8d,0xc1,0x67,0x87},
+	{0xdc,0x49,0xdb,0x13,0x75,0xa5,0x58,0x4f,
+	 0x64,0x85,0xb4,0x13,0xb5,0xf1,0x2b,0xaf},
+	{0x52,0x69,0xf1,0x49,0xd4,0x1b,0xa0,0x15,
+	 0x24,0x97,0x57,0x4d,0x7f,0x15,0x31,0x25},
+	};
+
+static unsigned char RC5plain[5][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x21,0xA5,0xDB,0xEE,0x15,0x4B,0x8F,0x6D},
+	{0xF7,0xC0,0x13,0xAC,0x5B,0x2B,0x89,0x52},
+	{0x2F,0x42,0xB3,0xB7,0x03,0x69,0xFC,0x92},
+	{0x65,0xC1,0x78,0xB2,0x84,0xD1,0x97,0xCC},
+	};
+
+static unsigned char RC5cipher[5][8]={
+	{0x21,0xA5,0xDB,0xEE,0x15,0x4B,0x8F,0x6D},
+	{0xF7,0xC0,0x13,0xAC,0x5B,0x2B,0x89,0x52},
+	{0x2F,0x42,0xB3,0xB7,0x03,0x69,0xFC,0x92},
+	{0x65,0xC1,0x78,0xB2,0x84,0xD1,0x97,0xCC},
+	{0xEB,0x44,0xE4,0x15,0xDA,0x31,0x98,0x24},
+	};
+
+#define RC5_CBC_NUM 27
+static unsigned char rc5_cbc_cipher[RC5_CBC_NUM][8]={
+	{0x7a,0x7b,0xba,0x4d,0x79,0x11,0x1d,0x1e},
+	{0x79,0x7b,0xba,0x4d,0x78,0x11,0x1d,0x1e},
+	{0x7a,0x7b,0xba,0x4d,0x79,0x11,0x1d,0x1f},
+	{0x7a,0x7b,0xba,0x4d,0x79,0x11,0x1d,0x1f},
+	{0x8b,0x9d,0xed,0x91,0xce,0x77,0x94,0xa6},
+	{0x2f,0x75,0x9f,0xe7,0xad,0x86,0xa3,0x78},
+	{0xdc,0xa2,0x69,0x4b,0xf4,0x0e,0x07,0x88},
+	{0xdc,0xa2,0x69,0x4b,0xf4,0x0e,0x07,0x88},
+	{0xdc,0xfe,0x09,0x85,0x77,0xec,0xa5,0xff},
+	{0x96,0x46,0xfb,0x77,0x63,0x8f,0x9c,0xa8},
+	{0xb2,0xb3,0x20,0x9d,0xb6,0x59,0x4d,0xa4},
+	{0x54,0x5f,0x7f,0x32,0xa5,0xfc,0x38,0x36},
+	{0x82,0x85,0xe7,0xc1,0xb5,0xbc,0x74,0x02},
+	{0xfc,0x58,0x6f,0x92,0xf7,0x08,0x09,0x34},
+	{0xcf,0x27,0x0e,0xf9,0x71,0x7f,0xf7,0xc4},
+	{0xe4,0x93,0xf1,0xc1,0xbb,0x4d,0x6e,0x8c},
+	{0x5c,0x4c,0x04,0x1e,0x0f,0x21,0x7a,0xc3},
+	{0x92,0x1f,0x12,0x48,0x53,0x73,0xb4,0xf7},
+	{0x5b,0xa0,0xca,0x6b,0xbe,0x7f,0x5f,0xad},
+	{0xc5,0x33,0x77,0x1c,0xd0,0x11,0x0e,0x63},
+	{0x29,0x4d,0xdb,0x46,0xb3,0x27,0x8d,0x60},
+	{0xda,0xd6,0xbd,0xa9,0xdf,0xe8,0xf7,0xe8},
+	{0x97,0xe0,0x78,0x78,0x37,0xed,0x31,0x7f},
+	{0x78,0x75,0xdb,0xf6,0x73,0x8c,0x64,0x78},
+	{0x8f,0x34,0xc3,0xc6,0x81,0xc9,0x96,0x95},
+	{0x7c,0xb3,0xf1,0xdf,0x34,0xf9,0x48,0x11},
+	{0x7f,0xd1,0xa0,0x23,0xa5,0xbb,0xa2,0x17},
+	};
+
+static unsigned char rc5_cbc_key[RC5_CBC_NUM][17]={
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x11},
+	{ 1,0x00},
+	{ 4,0x00,0x00,0x00,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 1,0x00},
+	{ 4,0x01,0x02,0x03,0x04},
+	{ 4,0x01,0x02,0x03,0x04},
+	{ 4,0x01,0x02,0x03,0x04},
+	{ 8,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{ 8,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{ 8,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{ 8,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{16,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+	    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{16,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+	    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{16,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+	    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{ 5,0x01,0x02,0x03,0x04,0x05},
+	{ 5,0x01,0x02,0x03,0x04,0x05},
+	{ 5,0x01,0x02,0x03,0x04,0x05},
+	{ 5,0x01,0x02,0x03,0x04,0x05},
+	{ 5,0x01,0x02,0x03,0x04,0x05},
+	};
+
+static unsigned char rc5_cbc_plain[RC5_CBC_NUM][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+	{0x08,0x08,0x08,0x08,0x08,0x08,0x08,0x08},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x01},
+	};
+
+static int rc5_cbc_rounds[RC5_CBC_NUM]={
+	 0, 0, 0, 0, 0, 1, 2, 2,
+	 8, 8,12,16, 8,12,16,12,
+	 8,12,16, 8,12,16,12, 8,
+	 8, 8, 8,
+	};
+
+static unsigned char rc5_cbc_iv[RC5_CBC_NUM][8]={
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x78,0x75,0xdb,0xf6,0x73,0x8c,0x64,0x78},
+	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+	{0x7c,0xb3,0xf1,0xdf,0x34,0xf9,0x48,0x11},
+	};
+
+int main(int argc, char *argv[])
+	{
+	int i,n,err=0;
+	RC5_32_KEY key; 
+	unsigned char buf[8],buf2[8],ivb[8];
+
+	for (n=0; n<5; n++)
+		{
+		RC5_32_set_key(&key,16,&(RC5key[n][0]),12);
+
+		RC5_32_ecb_encrypt(&(RC5plain[n][0]),buf,&key,RC5_ENCRYPT);
+		if (memcmp(&(RC5cipher[n][0]),buf,8) != 0)
+			{
+			printf("ecb RC5 error encrypting (%d)\n",n+1);
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",RC5cipher[n][i]);
+			err=20;
+			printf("\n");
+			}
+
+		RC5_32_ecb_encrypt(buf,buf2,&key,RC5_DECRYPT);
+		if (memcmp(&(RC5plain[n][0]),buf2,8) != 0)
+			{
+			printf("ecb RC5 error decrypting (%d)\n",n+1);
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf2[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",RC5plain[n][i]);
+			printf("\n");
+			err=3;
+			}
+		}
+	if (err == 0) printf("ecb RC5 ok\n");
+
+	for (n=0; n<RC5_CBC_NUM; n++)
+		{
+		i=rc5_cbc_rounds[n];
+		if (i < 8) continue;
+
+		RC5_32_set_key(&key,rc5_cbc_key[n][0],&(rc5_cbc_key[n][1]),i);
+
+		memcpy(ivb,&(rc5_cbc_iv[n][0]),8);
+		RC5_32_cbc_encrypt(&(rc5_cbc_plain[n][0]),buf,8,
+			&key,&(ivb[0]),RC5_ENCRYPT);
+
+		if (memcmp(&(rc5_cbc_cipher[n][0]),buf,8) != 0)
+			{
+			printf("cbc RC5 error encrypting (%d)\n",n+1);
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",rc5_cbc_cipher[n][i]);
+			err=30;
+			printf("\n");
+			}
+
+		memcpy(ivb,&(rc5_cbc_iv[n][0]),8);
+		RC5_32_cbc_encrypt(buf,buf2,8,
+			&key,&(ivb[0]),RC5_DECRYPT);
+		if (memcmp(&(rc5_cbc_plain[n][0]),buf2,8) != 0)
+			{
+			printf("cbc RC5 error decrypting (%d)\n",n+1);
+			printf("got     :");
+			for (i=0; i<8; i++)
+				printf("%02X ",buf2[i]);
+			printf("\n");
+			printf("expected:");
+			for (i=0; i<8; i++)
+				printf("%02X ",rc5_cbc_plain[n][i]);
+			printf("\n");
+			err=3;
+			}
+		}
+	if (err == 0) printf("cbc RC5 ok\n");
+
+	exit(err);
+	return(err);
+	}
+
+#ifdef undef
+static int cfb64_test(unsigned char *cfb_cipher)
+        {
+        IDEA_KEY_SCHEDULE eks,dks;
+        int err=0,i,n;
+
+        idea_set_encrypt_key(cfb_key,&eks);
+        idea_set_decrypt_key(&eks,&dks);
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(plain,cfb_buf1,(long)12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        idea_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
+                (long)CFB_TEST_SIZE-12,&eks,
+                cfb_tmp,&n,IDEA_ENCRYPT);
+        if (memcmp(cfb_cipher,cfb_buf1,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb64_encrypt encrypt error\n");
+                for (i=0; i<CFB_TEST_SIZE; i+=8)
+                        printf("%s\n",pt(&(cfb_buf1[i])));
+                }
+        memcpy(cfb_tmp,cfb_iv,8);
+        n=0;
+        idea_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,&eks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        idea_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+                (long)CFB_TEST_SIZE-17,&dks,
+                cfb_tmp,&n,IDEA_DECRYPT);
+        if (memcmp(plain,cfb_buf2,CFB_TEST_SIZE) != 0)
+                {
+                err=1;
+                printf("idea_cfb_encrypt decrypt error\n");
+                for (i=0; i<24; i+=8)
+                        printf("%s\n",pt(&(cfb_buf2[i])));
+                }
+        return(err);
+        }
+
+static char *pt(unsigned char *p)
+	{
+	static char bufs[10][20];
+	static int bnum=0;
+	char *ret;
+	int i;
+	static char *f="0123456789ABCDEF";
+
+	ret= &(bufs[bnum++][0]);
+	bnum%=10;
+	for (i=0; i<8; i++)
+		{
+		ret[i*2]=f[(p[i]>>4)&0xf];
+		ret[i*2+1]=f[p[i]&0xf];
+		}
+	ret[16]='\0';
+	return(ret);
+	}
+	
+#endif
+#endif
diff --git a/crypto/openssl/crypto/ripemd/Makefile.save b/crypto/openssl/crypto/ripemd/Makefile.save
new file mode 100644
index 0000000..79948bb
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/Makefile.save
@@ -0,0 +1,108 @@
+#
+# SSLeay/crypto/ripemd/Makefile
+#
+
+DIR=    ripemd
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+RIP_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rmdtest.c
+APPS=rmd160.c
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rmd_dgst.c rmd_one.c
+LIBOBJ=rmd_dgst.o rmd_one.o $(RMD160_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= ripemd.h
+HEADER= rmd_locl.h rmdconst.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/rm86-elf.o: asm/rm86unix.cpp
+	$(CPP) -DELF -x c asm/rm86unix.cpp | as -o asm/rm86-elf.o
+
+# solaris
+asm/rm86-sol.o: asm/rm86unix.cpp
+	$(CC) -E -DSOL asm/rm86unix.cpp | sed 's/^#.*//' > asm/rm86-sol.s
+	as -o asm/rm86-sol.o asm/rm86-sol.s
+	rm -f asm/rm86-sol.s
+
+# a.out
+asm/rm86-out.o: asm/rm86unix.cpp
+	$(CPP) -DOUT asm/rm86unix.cpp | as -o asm/rm86-out.o
+
+# bsdi
+asm/rm86bsdi.o: asm/rm86unix.cpp
+	$(CPP) -DBSDI asm/rm86unix.cpp | sed 's/ :/:/' | as -o asm/rm86bsdi.o
+
+asm/rm86unix.cpp: asm/rmd-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rmd-586.pl cpp >rm86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/rm86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rmd_dgst.o: ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
+rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h
+rmd_one.o: ../../include/openssl/ripemd.h
diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl
new file mode 100644
index 0000000..79948bb
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/Makefile.ssl
@@ -0,0 +1,108 @@
+#
+# SSLeay/crypto/ripemd/Makefile
+#
+
+DIR=    ripemd
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+RIP_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rmdtest.c
+APPS=rmd160.c
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rmd_dgst.c rmd_one.c
+LIBOBJ=rmd_dgst.o rmd_one.o $(RMD160_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= ripemd.h
+HEADER= rmd_locl.h rmdconst.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/rm86-elf.o: asm/rm86unix.cpp
+	$(CPP) -DELF -x c asm/rm86unix.cpp | as -o asm/rm86-elf.o
+
+# solaris
+asm/rm86-sol.o: asm/rm86unix.cpp
+	$(CC) -E -DSOL asm/rm86unix.cpp | sed 's/^#.*//' > asm/rm86-sol.s
+	as -o asm/rm86-sol.o asm/rm86-sol.s
+	rm -f asm/rm86-sol.s
+
+# a.out
+asm/rm86-out.o: asm/rm86unix.cpp
+	$(CPP) -DOUT asm/rm86unix.cpp | as -o asm/rm86-out.o
+
+# bsdi
+asm/rm86bsdi.o: asm/rm86unix.cpp
+	$(CPP) -DBSDI asm/rm86unix.cpp | sed 's/ :/:/' | as -o asm/rm86bsdi.o
+
+asm/rm86unix.cpp: asm/rmd-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rmd-586.pl cpp >rm86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/rm86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rmd_dgst.o: ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
+rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h
+rmd_one.o: ../../include/openssl/ripemd.h
diff --git a/crypto/openssl/crypto/ripemd/Makefile.uni b/crypto/openssl/crypto/ripemd/Makefile.uni
new file mode 100644
index 0000000..5310020
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/Makefile.uni
@@ -0,0 +1,109 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+DIR=    md5
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+
+MD5_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=md5test
+APPS=md5
+
+LIB=libmd5.a
+LIBSRC=md5_dgst.c md5_one.c
+LIBOBJ=md5_dgst.o md5_one.o $(MD5_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= md5.h
+HEADER= md5_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB):    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+# elf
+asm/mx86-elf.o: asm/mx86unix.cpp
+	$(CPP) -DELF asm/mx86unix.cpp | as -o asm/mx86-elf.o
+
+# solaris
+asm/mx86-sol.o: asm/mx86unix.cpp
+	$(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
+	as -o asm/mx86-sol.o asm/mx86-sol.s
+	rm -f asm/mx86-sol.s
+
+# a.out
+asm/mx86-out.o: asm/mx86unix.cpp
+	$(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o
+
+# bsdi
+asm/mx86bsdi.o: asm/mx86unix.cpp
+	$(CPP) -DBSDI asm/mx86unix.cpp | as -o asm/mx86bsdi.o
+
+asm/mx86unix.cpp:
+	(cd asm; perl md5-586.pl cpp >mx86unix.cpp)
+
+test:	$(TEST)
+	./$(TEST)
+
+$(TEST): $(TEST).c $(LIB)
+	$(CC) -o $(TEST) $(CFLAGS) $(TEST).c $(LIB)
+
+$(APPS): $(APPS).c $(LIB)
+	$(CC) -o $(APPS) $(CFLAGS) $(APPS).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) MD5_ASM_OBJ="" CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) MD5_ASM_OBJ="" CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+x86-elf:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-elf.o" CFLAG="-DELF -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-out:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-out.o" CFLAG="-DOUT -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-solaris:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-sol.o" CFLAG="-DSOL -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-bdsi:
+	$(MAKE) MD5_ASM_OBJ="asm/mx86-bdsi.o" CFLAG="-DBDSI -DMD5_ASM -DL_ENDIAN $(CFLAGS)" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/ripemd/README b/crypto/openssl/crypto/ripemd/README
new file mode 100644
index 0000000..7097707
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/README
@@ -0,0 +1,15 @@
+RIPEMD-160
+http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
+
+This is my implementation of RIPEMD-160.  The pentium assember is a little
+off the pace since I only get 1050 cycles, while the best is 1013.
+I have a few ideas for how to get another 20 or so cycles, but at
+this point I will not bother right now.  I belive the trick will be
+to remove my 'copy X array onto stack' until inside the RIP1() finctions the
+first time round.  To do this I need another register and will only have one
+temporary one.  A bit tricky....  I can also cleanup the saving of the 5 words
+after the first half of the calculation.  I should read the origional
+value, add then write.  Currently I just save the new and read the origioal.
+I then read both at the end.  Bad.
+
+eric (20-Jan-1998)
diff --git a/crypto/openssl/crypto/ripemd/asm/rips.cpp b/crypto/openssl/crypto/ripemd/asm/rips.cpp
new file mode 100644
index 0000000..f7a1367
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/asm/rips.cpp
@@ -0,0 +1,82 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/ripemd.h>
+
+#define ripemd160_block_x86 ripemd160_block_asm_host_order
+
+extern "C" {
+void ripemd160_block_x86(RIPEMD160_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[64*256];
+	RIPEMD160_CTX ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=0,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=16;
+	if (num > 250) num=16;
+	numm=num+2;
+#if 0
+	num*=64;
+	numm*=64;
+#endif
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			ripemd160_block_x86(&ctx,buffer,numm);
+			GetTSC(s1);
+			ripemd160_block_x86(&ctx,buffer,numm);
+			GetTSC(e1);
+			GetTSC(s2);
+			ripemd160_block_x86(&ctx,buffer,num);
+			GetTSC(e2);
+			ripemd160_block_x86(&ctx,buffer,num);
+			}
+		printf("ripemd160 (%d bytes) %d %d (%.2f)\n",num*64,
+			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+		}
+	}
+
diff --git a/crypto/openssl/crypto/ripemd/asm/rmd-586.pl b/crypto/openssl/crypto/ripemd/asm/rmd-586.pl
new file mode 100644
index 0000000..0ab6f76
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/asm/rmd-586.pl
@@ -0,0 +1,590 @@
+#!/usr/local/bin/perl
+
+# Normal is the
+# ripemd160_block_asm_host_order(RIPEMD160_CTX *c, ULONG *X,int blocks);
+
+$normal=0;
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+$A="ecx";
+$B="esi";
+$C="edi";
+$D="ebx";
+$E="ebp";
+$tmp1="eax";
+$tmp2="edx";
+
+$KL1=0x5A827999;
+$KL2=0x6ED9EBA1;
+$KL3=0x8F1BBCDC;
+$KL4=0xA953FD4E;
+$KR0=0x50A28BE6;
+$KR1=0x5C4DD124; 
+$KR2=0x6D703EF3;
+$KR3=0x7A6D76E9;
+
+
+@wl=(	 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15,
+	 7, 4,13, 1,10, 6,15, 3,12, 0, 9, 5, 2,14,11, 8,
+	 3,10,14, 4, 9,15, 8, 1, 2, 7, 0, 6,13,11, 5,12,
+	 1, 9,11,10, 0, 8,12, 4,13, 3, 7,15,14, 5, 6, 2,
+	 4, 0, 5, 9, 7,12, 2,10,14, 1, 3, 8,11, 6,15,13,
+	 );
+
+@wr=(	 5,14, 7, 0, 9, 2,11, 4,13, 6,15, 8, 1,10, 3,12,
+	 6,11, 3, 7, 0,13, 5,10,14,15, 8,12, 4, 9, 1, 2,
+	15, 5, 1, 3, 7,14, 6, 9,11, 8,12, 2,10, 0, 4,13,
+	 8, 6, 4, 1, 3,11,15, 0, 5,12, 2,13, 9, 7,10,14,
+	12,15,10, 4, 1, 5, 8, 7, 6, 2,13,14, 0, 3, 9,11,
+	);
+
+@sl=(	11,14,15,12, 5, 8, 7, 9,11,13,14,15, 6, 7, 9, 8,
+	 7, 6, 8,13,11, 9, 7,15, 7,12,15, 9,11, 7,13,12,
+	11,13, 6, 7,14, 9,13,15,14, 8,13, 6, 5,12, 7, 5,
+	11,12,14,15,14,15, 9, 8, 9,14, 5, 6, 8, 6, 5,12,
+	 9,15, 5,11, 6, 8,13,12, 5,12,13,14,11, 8, 5, 6,
+	 );
+
+@sr=(	 8, 9, 9,11,13,15,15, 5, 7, 7, 8,11,14,14,12, 6,
+	 9,13,15, 7,12, 8, 9,11, 7, 7,12, 7, 6,15,13,11,
+	 9, 7,15,11, 8, 6, 6,14,12,13, 5,14,13,13, 7, 5,
+	15, 5, 8,11,14,14, 6,14, 6, 9,12, 9,12, 5,15, 8,
+	 8, 5,12, 9,12, 5,14, 6, 8,13, 6, 5,15,13,11,11,
+ 	);
+
+&ripemd160_block("ripemd160_block_asm_host_order");
+&asm_finish();
+
+sub Xv
+	{
+	local($n)=@_;
+	return(&swtmp($n));
+	# tmp on stack
+	}
+
+sub Np
+	{
+	local($p)=@_;
+	local(%n)=($A,$E,$B,$A,$C,$B,$D,$C,$E,$D);
+	return($n{$p});
+	}
+
+sub RIP1
+	{
+	local($a,$b,$c,$d,$e,$pos,$s,$o,$pos2)=@_;
+
+	&comment($p++);
+	if ($p & 1)
+		{
+	 #&mov($tmp1,	$c) if $o == -1;
+	&xor($tmp1,	$d) if $o == -1;
+	 &mov($tmp2,	&Xv($pos));
+	&xor($tmp1,	$b);
+	 &add($a,	$tmp2);
+	&rotl($c,	10);
+	&add($a,	$tmp1);
+	 &mov($tmp1,	&Np($c));	# NEXT
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	else
+		{
+	 &xor($tmp1,	$d);
+	&mov($tmp2,	&Xv($pos));
+	 &xor($tmp1,	$b);
+	&add($a,	$tmp1);
+	 &mov($tmp1,	&Np($c)) if $o <= 0;
+	 &mov($tmp1,	-1) if $o == 1;
+	 # XXX if $o == 2;
+	&rotl($c,	10);
+	&add($a,	$tmp2);
+	 &xor($tmp1,	&Np($d)) if $o <= 0;
+	 &mov($tmp2,	&Xv($pos2)) if $o == 1;
+	 &mov($tmp2,	&wparam(0)) if $o == 2;
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	}
+
+sub RIP2
+	{
+	local($a,$b,$c,$d,$e,$pos,$pos2,$s,$K,$o)=@_;
+
+# XXXXXX
+	&comment($p++);
+	if ($p & 1)
+		{
+#	 &mov($tmp2,	&Xv($pos)) if $o < -1;
+#	&mov($tmp1,	-1) if $o < -1;
+
+	 &add($a,	$tmp2);
+	&mov($tmp2,	$c);
+	 &sub($tmp1,	$b);
+	&and($tmp2,	$b);
+	 &and($tmp1,	$d);
+	&or($tmp2,	$tmp1);
+	 &mov($tmp1,	&Xv($pos2)) if $o <= 0; # XXXXXXXXXXXXXX
+	 # XXX
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2,1));
+	 &mov($tmp2,	-1) if $o <= 0;
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	else
+		{
+	 # XXX
+	 &add($a,	$tmp1);
+	&mov($tmp1,	$c);
+	 &sub($tmp2,	$b);
+	&and($tmp1,	$b);
+	 &and($tmp2,	$d);
+	if ($o != 2)
+		{
+	&or($tmp1,	$tmp2);
+	 &mov($tmp2,	&Xv($pos2)) if $o <= 0;
+	 &mov($tmp2,	-1) if $o == 1;
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp1,1));
+	 &mov($tmp1,	-1) if $o <= 0;
+	 &sub($tmp2,	&Np($c)) if $o == 1;
+		} else {
+	&or($tmp2,	$tmp1);
+	 &mov($tmp1,	&Np($c));
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2,1));
+	 &xor($tmp1,	&Np($d));
+		}
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	}
+
+sub RIP3
+	{
+	local($a,$b,$c,$d,$e,$pos,$s,$K,$o,$pos2)=@_;
+
+	&comment($p++);
+	if ($p & 1)
+		{
+#	 &mov($tmp2,	-1) if $o < -1;
+#	&sub($tmp2,	$c) if $o < -1;
+	 &mov($tmp1,	&Xv($pos));
+	&or($tmp2,	$b);
+	 &add($a,	$tmp1);
+	&xor($tmp2,	$d);
+	 &mov($tmp1,	-1) if $o <= 0;		# NEXT
+	 # XXX
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2,1));
+	 &sub($tmp1,	&Np($c)) if $o <= 0;	# NEXT
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	else
+		{
+	 &mov($tmp2,	&Xv($pos));
+	&or($tmp1,	$b);
+	 &add($a,	$tmp2);
+	&xor($tmp1,	$d);
+	 &mov($tmp2,	-1) if $o <= 0;		# NEXT
+	 &mov($tmp2,	-1) if $o == 1;
+	 &mov($tmp2,	&Xv($pos2)) if $o == 2;
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp1,1));
+	 &sub($tmp2,	&Np($c)) if $o <= 0;	# NEXT
+	 &mov($tmp1,	&Np($d)) if $o == 1;
+	 &mov($tmp1,	-1) if $o == 2;
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	}
+
+sub RIP4
+	{
+	local($a,$b,$c,$d,$e,$pos,$s,$K,$o)=@_;
+
+	&comment($p++);
+	if ($p & 1)
+		{
+#	 &mov($tmp2,	-1) if $o == -2;
+#	&mov($tmp1,	$d) if $o == -2;
+	 &sub($tmp2,	$d);
+	&and($tmp1,	$b);
+	 &and($tmp2,	$c);
+	&or($tmp2,	$tmp1);
+	 &mov($tmp1,	&Xv($pos));
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2));
+	 &mov($tmp2,	-1) unless $o > 0;	# NEXT
+	 # XXX
+	&add($a,	$tmp1);
+	 &mov($tmp1,	&Np($d)) unless $o > 0; # NEXT
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	else
+		{
+	 &sub($tmp2,	$d);
+	&and($tmp1,	$b);
+	 &and($tmp2,	$c);
+	&or($tmp2,	$tmp1);
+	 &mov($tmp1,	&Xv($pos));
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2));
+	 &mov($tmp2,	-1) if $o == 0;	# NEXT
+	 &mov($tmp2,	-1) if $o == 1;
+	 &mov($tmp2,	-1) if $o == 2;
+	 # XXX
+	&add($a,	$tmp1);
+	 &mov($tmp1,	&Np($d)) if $o == 0;	# NEXT
+	 &sub($tmp2,	&Np($d)) if $o == 1;
+	 &sub($tmp2,	&Np($c)) if $o == 2;
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	}
+
+sub RIP5
+	{
+	local($a,$b,$c,$d,$e,$pos,$s,$K,$o)=@_;
+
+	&comment($p++);
+	if ($p & 1)
+		{
+	 &mov($tmp2,	-1) if $o == -2;
+	&sub($tmp2,	$d) if $o == -2;
+	 &mov($tmp1,	&Xv($pos));
+	&or($tmp2,	$c);
+	 &add($a,	$tmp1);
+	&xor($tmp2,	$b);
+	 &mov($tmp1,	-1) if $o <= 0;
+	 # XXX
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp2,1));
+	 &sub($tmp1,	&Np($d)) if $o <= 0;
+	 # XXX
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	else
+		{
+	 &mov($tmp2,	&Xv($pos));
+	&or($tmp1,	$c);
+	 &add($a,	$tmp2);
+	&xor($tmp1,	$b);
+	 &mov($tmp2,	-1) if $o <= 0;
+	 &mov($tmp2,	&wparam(0)) if $o == 1;	# Middle code
+	 &mov($tmp2,	-1) if $o == 2;
+	&rotl($c,	10);
+	&lea($a,	&DWP($K,$a,$tmp1,1));
+	 &sub($tmp2,	&Np($d)) if $o <= 0;
+	 &mov(&swtmp(16),	$A) if $o == 1;
+	 &mov($tmp1,	&Np($d)) if $o == 2;
+	&rotl($a,	$s);
+	&add($a,	$e);
+		}
+	}
+
+sub ripemd160_block
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"",3);
+
+	# parameter 1 is the RIPEMD160_CTX structure.
+	# A	0
+	# B	4
+	# C	8
+	# D 	12
+	# E 	16
+
+	&mov($tmp2,	&wparam(0));
+	 &mov($tmp1,	&wparam(1));
+	&push("esi");
+	 &mov($A,	&DWP( 0,$tmp2,"",0));
+	&push("edi");
+	 &mov($B,	&DWP( 4,$tmp2,"",0));
+	&push("ebp");
+	 &mov($C,	&DWP( 8,$tmp2,"",0));
+	&push("ebx");
+	 &stack_push(16+5+6);
+			  # Special comment about the figure of 6.
+			  # Idea is to pad the current frame so
+			  # that the top of the stack gets fairly
+			  # aligned. Well, as you realize it would
+			  # always depend on how the frame below is
+			  # aligned. The good news are that gcc-2.95
+			  # and later does keep first argument at
+			  # least double-wise aligned.
+			  #			<appro@fy.chalmers.se>
+
+	&set_label("start") unless $normal;
+	&comment("");
+
+	# &mov($tmp1,	&wparam(1)); # Done at end of loop
+	# &mov($tmp2,	&wparam(0)); # Done at end of loop
+
+	for ($z=0; $z<16; $z+=2)
+		{
+		&mov($D,		&DWP( $z*4,$tmp1,"",0));
+		 &mov($E,		&DWP( ($z+1)*4,$tmp1,"",0));
+		&mov(&swtmp($z),	$D);
+		 &mov(&swtmp($z+1),	$E);
+		}
+	&mov($tmp1,	$C);
+	 &mov($D,	&DWP(12,$tmp2,"",0));
+	&mov($E,	&DWP(16,$tmp2,"",0));
+
+	&RIP1($A,$B,$C,$D,$E,$wl[ 0],$sl[ 0],-1);
+	&RIP1($E,$A,$B,$C,$D,$wl[ 1],$sl[ 1],0);
+	&RIP1($D,$E,$A,$B,$C,$wl[ 2],$sl[ 2],0);
+	&RIP1($C,$D,$E,$A,$B,$wl[ 3],$sl[ 3],0);
+	&RIP1($B,$C,$D,$E,$A,$wl[ 4],$sl[ 4],0);
+	&RIP1($A,$B,$C,$D,$E,$wl[ 5],$sl[ 5],0);
+	&RIP1($E,$A,$B,$C,$D,$wl[ 6],$sl[ 6],0);
+	&RIP1($D,$E,$A,$B,$C,$wl[ 7],$sl[ 7],0);
+	&RIP1($C,$D,$E,$A,$B,$wl[ 8],$sl[ 8],0);
+	&RIP1($B,$C,$D,$E,$A,$wl[ 9],$sl[ 9],0);
+	&RIP1($A,$B,$C,$D,$E,$wl[10],$sl[10],0);
+	&RIP1($E,$A,$B,$C,$D,$wl[11],$sl[11],0);
+	&RIP1($D,$E,$A,$B,$C,$wl[12],$sl[12],0);
+	&RIP1($C,$D,$E,$A,$B,$wl[13],$sl[13],0);
+	&RIP1($B,$C,$D,$E,$A,$wl[14],$sl[14],0);
+	&RIP1($A,$B,$C,$D,$E,$wl[15],$sl[15],1,$wl[16]);
+
+	&RIP2($E,$A,$B,$C,$D,$wl[16],$wl[17],$sl[16],$KL1,-1);
+	&RIP2($D,$E,$A,$B,$C,$wl[17],$wl[18],$sl[17],$KL1,0);
+	&RIP2($C,$D,$E,$A,$B,$wl[18],$wl[19],$sl[18],$KL1,0);
+	&RIP2($B,$C,$D,$E,$A,$wl[19],$wl[20],$sl[19],$KL1,0);
+	&RIP2($A,$B,$C,$D,$E,$wl[20],$wl[21],$sl[20],$KL1,0);
+	&RIP2($E,$A,$B,$C,$D,$wl[21],$wl[22],$sl[21],$KL1,0);
+	&RIP2($D,$E,$A,$B,$C,$wl[22],$wl[23],$sl[22],$KL1,0);
+	&RIP2($C,$D,$E,$A,$B,$wl[23],$wl[24],$sl[23],$KL1,0);
+	&RIP2($B,$C,$D,$E,$A,$wl[24],$wl[25],$sl[24],$KL1,0);
+	&RIP2($A,$B,$C,$D,$E,$wl[25],$wl[26],$sl[25],$KL1,0);
+	&RIP2($E,$A,$B,$C,$D,$wl[26],$wl[27],$sl[26],$KL1,0);
+	&RIP2($D,$E,$A,$B,$C,$wl[27],$wl[28],$sl[27],$KL1,0);
+	&RIP2($C,$D,$E,$A,$B,$wl[28],$wl[29],$sl[28],$KL1,0);
+	&RIP2($B,$C,$D,$E,$A,$wl[29],$wl[30],$sl[29],$KL1,0);
+	&RIP2($A,$B,$C,$D,$E,$wl[30],$wl[31],$sl[30],$KL1,0);
+	&RIP2($E,$A,$B,$C,$D,$wl[31],$wl[32],$sl[31],$KL1,1);
+
+	&RIP3($D,$E,$A,$B,$C,$wl[32],$sl[32],$KL2,-1);
+	&RIP3($C,$D,$E,$A,$B,$wl[33],$sl[33],$KL2,0);
+	&RIP3($B,$C,$D,$E,$A,$wl[34],$sl[34],$KL2,0);
+	&RIP3($A,$B,$C,$D,$E,$wl[35],$sl[35],$KL2,0);
+	&RIP3($E,$A,$B,$C,$D,$wl[36],$sl[36],$KL2,0);
+	&RIP3($D,$E,$A,$B,$C,$wl[37],$sl[37],$KL2,0);
+	&RIP3($C,$D,$E,$A,$B,$wl[38],$sl[38],$KL2,0);
+	&RIP3($B,$C,$D,$E,$A,$wl[39],$sl[39],$KL2,0);
+	&RIP3($A,$B,$C,$D,$E,$wl[40],$sl[40],$KL2,0);
+	&RIP3($E,$A,$B,$C,$D,$wl[41],$sl[41],$KL2,0);
+	&RIP3($D,$E,$A,$B,$C,$wl[42],$sl[42],$KL2,0);
+	&RIP3($C,$D,$E,$A,$B,$wl[43],$sl[43],$KL2,0);
+	&RIP3($B,$C,$D,$E,$A,$wl[44],$sl[44],$KL2,0);
+	&RIP3($A,$B,$C,$D,$E,$wl[45],$sl[45],$KL2,0);
+	&RIP3($E,$A,$B,$C,$D,$wl[46],$sl[46],$KL2,0);
+	&RIP3($D,$E,$A,$B,$C,$wl[47],$sl[47],$KL2,1);
+
+	&RIP4($C,$D,$E,$A,$B,$wl[48],$sl[48],$KL3,-1);
+	&RIP4($B,$C,$D,$E,$A,$wl[49],$sl[49],$KL3,0);
+	&RIP4($A,$B,$C,$D,$E,$wl[50],$sl[50],$KL3,0);
+	&RIP4($E,$A,$B,$C,$D,$wl[51],$sl[51],$KL3,0);
+	&RIP4($D,$E,$A,$B,$C,$wl[52],$sl[52],$KL3,0);
+	&RIP4($C,$D,$E,$A,$B,$wl[53],$sl[53],$KL3,0);
+	&RIP4($B,$C,$D,$E,$A,$wl[54],$sl[54],$KL3,0);
+	&RIP4($A,$B,$C,$D,$E,$wl[55],$sl[55],$KL3,0);
+	&RIP4($E,$A,$B,$C,$D,$wl[56],$sl[56],$KL3,0);
+	&RIP4($D,$E,$A,$B,$C,$wl[57],$sl[57],$KL3,0);
+	&RIP4($C,$D,$E,$A,$B,$wl[58],$sl[58],$KL3,0);
+	&RIP4($B,$C,$D,$E,$A,$wl[59],$sl[59],$KL3,0);
+	&RIP4($A,$B,$C,$D,$E,$wl[60],$sl[60],$KL3,0);
+	&RIP4($E,$A,$B,$C,$D,$wl[61],$sl[61],$KL3,0);
+	&RIP4($D,$E,$A,$B,$C,$wl[62],$sl[62],$KL3,0);
+	&RIP4($C,$D,$E,$A,$B,$wl[63],$sl[63],$KL3,1);
+
+	&RIP5($B,$C,$D,$E,$A,$wl[64],$sl[64],$KL4,-1);
+	&RIP5($A,$B,$C,$D,$E,$wl[65],$sl[65],$KL4,0);
+	&RIP5($E,$A,$B,$C,$D,$wl[66],$sl[66],$KL4,0);
+	&RIP5($D,$E,$A,$B,$C,$wl[67],$sl[67],$KL4,0);
+	&RIP5($C,$D,$E,$A,$B,$wl[68],$sl[68],$KL4,0);
+	&RIP5($B,$C,$D,$E,$A,$wl[69],$sl[69],$KL4,0);
+	&RIP5($A,$B,$C,$D,$E,$wl[70],$sl[70],$KL4,0);
+	&RIP5($E,$A,$B,$C,$D,$wl[71],$sl[71],$KL4,0);
+	&RIP5($D,$E,$A,$B,$C,$wl[72],$sl[72],$KL4,0);
+	&RIP5($C,$D,$E,$A,$B,$wl[73],$sl[73],$KL4,0);
+	&RIP5($B,$C,$D,$E,$A,$wl[74],$sl[74],$KL4,0);
+	&RIP5($A,$B,$C,$D,$E,$wl[75],$sl[75],$KL4,0);
+	&RIP5($E,$A,$B,$C,$D,$wl[76],$sl[76],$KL4,0);
+	&RIP5($D,$E,$A,$B,$C,$wl[77],$sl[77],$KL4,0);
+	&RIP5($C,$D,$E,$A,$B,$wl[78],$sl[78],$KL4,0);
+	&RIP5($B,$C,$D,$E,$A,$wl[79],$sl[79],$KL4,1);
+
+	# &mov($tmp2,	&wparam(0)); # moved into last RIP5
+	# &mov(&swtmp(16),	$A);
+	 &mov($A,	&DWP( 0,$tmp2,"",0));
+	&mov(&swtmp(16+1),	$B);
+	 &mov(&swtmp(16+2),	$C);
+	&mov($B,	&DWP( 4,$tmp2,"",0));
+	 &mov(&swtmp(16+3),	$D);
+	&mov($C,	&DWP( 8,$tmp2,"",0));
+	 &mov(&swtmp(16+4),	$E);
+	&mov($D,	&DWP(12,$tmp2,"",0));
+	 &mov($E,	&DWP(16,$tmp2,"",0));
+
+	&RIP5($A,$B,$C,$D,$E,$wr[ 0],$sr[ 0],$KR0,-2);
+	&RIP5($E,$A,$B,$C,$D,$wr[ 1],$sr[ 1],$KR0,0);
+	&RIP5($D,$E,$A,$B,$C,$wr[ 2],$sr[ 2],$KR0,0);
+	&RIP5($C,$D,$E,$A,$B,$wr[ 3],$sr[ 3],$KR0,0);
+	&RIP5($B,$C,$D,$E,$A,$wr[ 4],$sr[ 4],$KR0,0);
+	&RIP5($A,$B,$C,$D,$E,$wr[ 5],$sr[ 5],$KR0,0);
+	&RIP5($E,$A,$B,$C,$D,$wr[ 6],$sr[ 6],$KR0,0);
+	&RIP5($D,$E,$A,$B,$C,$wr[ 7],$sr[ 7],$KR0,0);
+	&RIP5($C,$D,$E,$A,$B,$wr[ 8],$sr[ 8],$KR0,0);
+	&RIP5($B,$C,$D,$E,$A,$wr[ 9],$sr[ 9],$KR0,0);
+	&RIP5($A,$B,$C,$D,$E,$wr[10],$sr[10],$KR0,0);
+	&RIP5($E,$A,$B,$C,$D,$wr[11],$sr[11],$KR0,0);
+	&RIP5($D,$E,$A,$B,$C,$wr[12],$sr[12],$KR0,0);
+	&RIP5($C,$D,$E,$A,$B,$wr[13],$sr[13],$KR0,0);
+	&RIP5($B,$C,$D,$E,$A,$wr[14],$sr[14],$KR0,0);
+	&RIP5($A,$B,$C,$D,$E,$wr[15],$sr[15],$KR0,2);
+
+	&RIP4($E,$A,$B,$C,$D,$wr[16],$sr[16],$KR1,-2);
+	&RIP4($D,$E,$A,$B,$C,$wr[17],$sr[17],$KR1,0);
+	&RIP4($C,$D,$E,$A,$B,$wr[18],$sr[18],$KR1,0);
+	&RIP4($B,$C,$D,$E,$A,$wr[19],$sr[19],$KR1,0);
+	&RIP4($A,$B,$C,$D,$E,$wr[20],$sr[20],$KR1,0);
+	&RIP4($E,$A,$B,$C,$D,$wr[21],$sr[21],$KR1,0);
+	&RIP4($D,$E,$A,$B,$C,$wr[22],$sr[22],$KR1,0);
+	&RIP4($C,$D,$E,$A,$B,$wr[23],$sr[23],$KR1,0);
+	&RIP4($B,$C,$D,$E,$A,$wr[24],$sr[24],$KR1,0);
+	&RIP4($A,$B,$C,$D,$E,$wr[25],$sr[25],$KR1,0);
+	&RIP4($E,$A,$B,$C,$D,$wr[26],$sr[26],$KR1,0);
+	&RIP4($D,$E,$A,$B,$C,$wr[27],$sr[27],$KR1,0);
+	&RIP4($C,$D,$E,$A,$B,$wr[28],$sr[28],$KR1,0);
+	&RIP4($B,$C,$D,$E,$A,$wr[29],$sr[29],$KR1,0);
+	&RIP4($A,$B,$C,$D,$E,$wr[30],$sr[30],$KR1,0);
+	&RIP4($E,$A,$B,$C,$D,$wr[31],$sr[31],$KR1,2);
+
+	&RIP3($D,$E,$A,$B,$C,$wr[32],$sr[32],$KR2,-2);
+	&RIP3($C,$D,$E,$A,$B,$wr[33],$sr[33],$KR2,0);
+	&RIP3($B,$C,$D,$E,$A,$wr[34],$sr[34],$KR2,0);
+	&RIP3($A,$B,$C,$D,$E,$wr[35],$sr[35],$KR2,0);
+	&RIP3($E,$A,$B,$C,$D,$wr[36],$sr[36],$KR2,0);
+	&RIP3($D,$E,$A,$B,$C,$wr[37],$sr[37],$KR2,0);
+	&RIP3($C,$D,$E,$A,$B,$wr[38],$sr[38],$KR2,0);
+	&RIP3($B,$C,$D,$E,$A,$wr[39],$sr[39],$KR2,0);
+	&RIP3($A,$B,$C,$D,$E,$wr[40],$sr[40],$KR2,0);
+	&RIP3($E,$A,$B,$C,$D,$wr[41],$sr[41],$KR2,0);
+	&RIP3($D,$E,$A,$B,$C,$wr[42],$sr[42],$KR2,0);
+	&RIP3($C,$D,$E,$A,$B,$wr[43],$sr[43],$KR2,0);
+	&RIP3($B,$C,$D,$E,$A,$wr[44],$sr[44],$KR2,0);
+	&RIP3($A,$B,$C,$D,$E,$wr[45],$sr[45],$KR2,0);
+	&RIP3($E,$A,$B,$C,$D,$wr[46],$sr[46],$KR2,0);
+	&RIP3($D,$E,$A,$B,$C,$wr[47],$sr[47],$KR2,2,$wr[48]);
+
+	&RIP2($C,$D,$E,$A,$B,$wr[48],$wr[49],$sr[48],$KR3,-2);
+	&RIP2($B,$C,$D,$E,$A,$wr[49],$wr[50],$sr[49],$KR3,0);
+	&RIP2($A,$B,$C,$D,$E,$wr[50],$wr[51],$sr[50],$KR3,0);
+	&RIP2($E,$A,$B,$C,$D,$wr[51],$wr[52],$sr[51],$KR3,0);
+	&RIP2($D,$E,$A,$B,$C,$wr[52],$wr[53],$sr[52],$KR3,0);
+	&RIP2($C,$D,$E,$A,$B,$wr[53],$wr[54],$sr[53],$KR3,0);
+	&RIP2($B,$C,$D,$E,$A,$wr[54],$wr[55],$sr[54],$KR3,0);
+	&RIP2($A,$B,$C,$D,$E,$wr[55],$wr[56],$sr[55],$KR3,0);
+	&RIP2($E,$A,$B,$C,$D,$wr[56],$wr[57],$sr[56],$KR3,0);
+	&RIP2($D,$E,$A,$B,$C,$wr[57],$wr[58],$sr[57],$KR3,0);
+	&RIP2($C,$D,$E,$A,$B,$wr[58],$wr[59],$sr[58],$KR3,0);
+	&RIP2($B,$C,$D,$E,$A,$wr[59],$wr[60],$sr[59],$KR3,0);
+	&RIP2($A,$B,$C,$D,$E,$wr[60],$wr[61],$sr[60],$KR3,0);
+	&RIP2($E,$A,$B,$C,$D,$wr[61],$wr[62],$sr[61],$KR3,0);
+	&RIP2($D,$E,$A,$B,$C,$wr[62],$wr[63],$sr[62],$KR3,0);
+	&RIP2($C,$D,$E,$A,$B,$wr[63],$wr[64],$sr[63],$KR3,2);
+
+	&RIP1($B,$C,$D,$E,$A,$wr[64],$sr[64],-2);
+	&RIP1($A,$B,$C,$D,$E,$wr[65],$sr[65],0);
+	&RIP1($E,$A,$B,$C,$D,$wr[66],$sr[66],0);
+	&RIP1($D,$E,$A,$B,$C,$wr[67],$sr[67],0);
+	&RIP1($C,$D,$E,$A,$B,$wr[68],$sr[68],0);
+	&RIP1($B,$C,$D,$E,$A,$wr[69],$sr[69],0);
+	&RIP1($A,$B,$C,$D,$E,$wr[70],$sr[70],0);
+	&RIP1($E,$A,$B,$C,$D,$wr[71],$sr[71],0);
+	&RIP1($D,$E,$A,$B,$C,$wr[72],$sr[72],0);
+	&RIP1($C,$D,$E,$A,$B,$wr[73],$sr[73],0);
+	&RIP1($B,$C,$D,$E,$A,$wr[74],$sr[74],0);
+	&RIP1($A,$B,$C,$D,$E,$wr[75],$sr[75],0);
+	&RIP1($E,$A,$B,$C,$D,$wr[76],$sr[76],0);
+	&RIP1($D,$E,$A,$B,$C,$wr[77],$sr[77],0);
+	&RIP1($C,$D,$E,$A,$B,$wr[78],$sr[78],0);
+	&RIP1($B,$C,$D,$E,$A,$wr[79],$sr[79],2);
+
+	# &mov($tmp2,	&wparam(0)); # Moved into last round
+
+	 &mov($tmp1,	&DWP( 4,$tmp2,"",0));	# ctx->B
+ 	&add($D,	$tmp1);	
+	 &mov($tmp1,	&swtmp(16+2));		# $c
+	&add($D,	$tmp1);
+
+	 &mov($tmp1,	&DWP( 8,$tmp2,"",0));	# ctx->C
+	&add($E,	$tmp1);	
+	 &mov($tmp1,	&swtmp(16+3));		# $d
+	&add($E,	$tmp1);
+
+	 &mov($tmp1,	&DWP(12,$tmp2,"",0));	# ctx->D
+	&add($A,	$tmp1);	
+	 &mov($tmp1,	&swtmp(16+4));		# $e
+	&add($A,	$tmp1);
+
+
+	 &mov($tmp1,	&DWP(16,$tmp2,"",0));	# ctx->E
+	&add($B,	$tmp1);	
+	 &mov($tmp1,	&swtmp(16+0));		# $a
+	&add($B,	$tmp1);
+
+	 &mov($tmp1,	&DWP( 0,$tmp2,"",0));	# ctx->A
+	&add($C,	$tmp1);	
+	 &mov($tmp1,	&swtmp(16+1));		# $b
+	&add($C,	$tmp1);
+
+	 &mov($tmp1,	&wparam(2));
+
+	&mov(&DWP( 0,$tmp2,"",0),	$D);
+	 &mov(&DWP( 4,$tmp2,"",0),	$E);
+	&mov(&DWP( 8,$tmp2,"",0),	$A);
+	 &sub($tmp1,1);
+	&mov(&DWP(12,$tmp2,"",0),	$B);
+	 &mov(&DWP(16,$tmp2,"",0),	$C);
+
+	&jle(&label("get_out"));
+
+	&mov(&wparam(2),$tmp1);
+	 &mov($C,	$A);
+	&mov($tmp1,	&wparam(1));
+	 &mov($A,	$D);
+	&add($tmp1,	64);
+	 &mov($B,	$E);
+	&mov(&wparam(1),$tmp1);
+
+	&jmp(&label("start"));
+
+	&set_label("get_out");
+
+	&stack_pop(16+5+6);
+
+	&pop("ebx");
+	&pop("ebp");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+	&function_end_B($name);
+	}
+
diff --git a/crypto/openssl/crypto/ripemd/ripemd.h b/crypto/openssl/crypto/ripemd/ripemd.h
new file mode 100644
index 0000000..dd1627c
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/ripemd.h
@@ -0,0 +1,101 @@
+/* crypto/ripemd/ripemd.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RIPEMD_H
+#define HEADER_RIPEMD_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RIPEMD
+#error RIPEMD is disabled.
+#endif
+
+#if defined(WIN16) || defined(__LP32__)
+#define RIPEMD160_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define RIPEMD160_LONG unsigned long
+#define RIPEMD160_LONG_LOG2 3
+#else
+#define RIPEMD160_LONG unsigned int
+#endif
+
+#define RIPEMD160_CBLOCK	64
+#define RIPEMD160_LBLOCK	(RIPEMD160_CBLOCK/4)
+#define RIPEMD160_DIGEST_LENGTH	20
+
+typedef struct RIPEMD160state_st
+	{
+	RIPEMD160_LONG A,B,C,D,E;
+	RIPEMD160_LONG Nl,Nh;
+	RIPEMD160_LONG data[RIPEMD160_LBLOCK];
+	int num;
+	} RIPEMD160_CTX;
+
+void RIPEMD160_Init(RIPEMD160_CTX *c);
+void RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
+void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
+unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+	unsigned char *md);
+void RIPEMD160_Transform(RIPEMD160_CTX *c, const unsigned char *b);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/ripemd/rmd160.c b/crypto/openssl/crypto/ripemd/rmd160.c
new file mode 100644
index 0000000..4f8b88a
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmd160.c
@@ -0,0 +1,127 @@
+/* crypto/ripemd/rmd160.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/ripemd.h>
+
+#define BUFSIZE	1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+#ifndef _OSD_POSIX
+int read(int, void *, unsigned int);
+#endif
+
+int main(int argc, char **argv)
+	{
+	int i,err=0;
+	FILE *IN;
+
+	if (argc == 1)
+		{
+		do_fp(stdin);
+		}
+	else
+		{
+		for (i=1; i<argc; i++)
+			{
+			IN=fopen(argv[i],"r");
+			if (IN == NULL)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("RIPEMD160(%s)= ",argv[i]);
+			do_fp(IN);
+			fclose(IN);
+			}
+		}
+	exit(err);
+	}
+
+void do_fp(FILE *f)
+	{
+	RIPEMD160_CTX c;
+	unsigned char md[RIPEMD160_DIGEST_LENGTH];
+	int fd;
+	int i;
+	static unsigned char buf[BUFSIZE];
+
+	fd=fileno(f);
+	RIPEMD160_Init(&c);
+	for (;;)
+		{
+		i=read(fd,buf,BUFSIZE);
+		if (i <= 0) break;
+		RIPEMD160_Update(&c,buf,(unsigned long)i);
+		}
+	RIPEMD160_Final(&(md[0]),&c);
+	pt(md);
+	}
+
+void pt(unsigned char *md)
+	{
+	int i;
+
+	for (i=0; i<RIPEMD160_DIGEST_LENGTH; i++)
+		printf("%02x",md[i]);
+	printf("\n");
+	}
+
diff --git a/crypto/openssl/crypto/ripemd/rmd_dgst.c b/crypto/openssl/crypto/ripemd/rmd_dgst.c
new file mode 100644
index 0000000..bdfae27
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmd_dgst.c
@@ -0,0 +1,493 @@
+/* crypto/ripemd/rmd_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "rmd_locl.h"
+#include <openssl/opensslv.h>
+
+const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
+
+#  ifdef RMD160_ASM
+     void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,int num);
+#    define ripemd160_block ripemd160_block_x86
+#  else
+     void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
+#  endif
+
+void RIPEMD160_Init(RIPEMD160_CTX *c)
+	{
+	c->A=RIPEMD160_A;
+	c->B=RIPEMD160_B;
+	c->C=RIPEMD160_C;
+	c->D=RIPEMD160_D;
+	c->E=RIPEMD160_E;
+	c->Nl=0;
+	c->Nh=0;
+	c->num=0;
+	}
+
+#ifndef ripemd160_block_host_order
+#ifdef X
+#undef X
+#endif
+#define X(i)	XX[i]
+void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
+	{
+	const RIPEMD160_LONG *XX=p;
+	register unsigned long A,B,C,D,E;
+	register unsigned long a,b,c,d,e;
+
+	for (;num--;XX+=HASH_LBLOCK)
+		{
+
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	RIP1(A,B,C,D,E,WL00,SL00);
+	RIP1(E,A,B,C,D,WL01,SL01);
+	RIP1(D,E,A,B,C,WL02,SL02);
+	RIP1(C,D,E,A,B,WL03,SL03);
+	RIP1(B,C,D,E,A,WL04,SL04);
+	RIP1(A,B,C,D,E,WL05,SL05);
+	RIP1(E,A,B,C,D,WL06,SL06);
+	RIP1(D,E,A,B,C,WL07,SL07);
+	RIP1(C,D,E,A,B,WL08,SL08);
+	RIP1(B,C,D,E,A,WL09,SL09);
+	RIP1(A,B,C,D,E,WL10,SL10);
+	RIP1(E,A,B,C,D,WL11,SL11);
+	RIP1(D,E,A,B,C,WL12,SL12);
+	RIP1(C,D,E,A,B,WL13,SL13);
+	RIP1(B,C,D,E,A,WL14,SL14);
+	RIP1(A,B,C,D,E,WL15,SL15);
+
+	RIP2(E,A,B,C,D,WL16,SL16,KL1);
+	RIP2(D,E,A,B,C,WL17,SL17,KL1);
+	RIP2(C,D,E,A,B,WL18,SL18,KL1);
+	RIP2(B,C,D,E,A,WL19,SL19,KL1);
+	RIP2(A,B,C,D,E,WL20,SL20,KL1);
+	RIP2(E,A,B,C,D,WL21,SL21,KL1);
+	RIP2(D,E,A,B,C,WL22,SL22,KL1);
+	RIP2(C,D,E,A,B,WL23,SL23,KL1);
+	RIP2(B,C,D,E,A,WL24,SL24,KL1);
+	RIP2(A,B,C,D,E,WL25,SL25,KL1);
+	RIP2(E,A,B,C,D,WL26,SL26,KL1);
+	RIP2(D,E,A,B,C,WL27,SL27,KL1);
+	RIP2(C,D,E,A,B,WL28,SL28,KL1);
+	RIP2(B,C,D,E,A,WL29,SL29,KL1);
+	RIP2(A,B,C,D,E,WL30,SL30,KL1);
+	RIP2(E,A,B,C,D,WL31,SL31,KL1);
+
+	RIP3(D,E,A,B,C,WL32,SL32,KL2);
+	RIP3(C,D,E,A,B,WL33,SL33,KL2);
+	RIP3(B,C,D,E,A,WL34,SL34,KL2);
+	RIP3(A,B,C,D,E,WL35,SL35,KL2);
+	RIP3(E,A,B,C,D,WL36,SL36,KL2);
+	RIP3(D,E,A,B,C,WL37,SL37,KL2);
+	RIP3(C,D,E,A,B,WL38,SL38,KL2);
+	RIP3(B,C,D,E,A,WL39,SL39,KL2);
+	RIP3(A,B,C,D,E,WL40,SL40,KL2);
+	RIP3(E,A,B,C,D,WL41,SL41,KL2);
+	RIP3(D,E,A,B,C,WL42,SL42,KL2);
+	RIP3(C,D,E,A,B,WL43,SL43,KL2);
+	RIP3(B,C,D,E,A,WL44,SL44,KL2);
+	RIP3(A,B,C,D,E,WL45,SL45,KL2);
+	RIP3(E,A,B,C,D,WL46,SL46,KL2);
+	RIP3(D,E,A,B,C,WL47,SL47,KL2);
+
+	RIP4(C,D,E,A,B,WL48,SL48,KL3);
+	RIP4(B,C,D,E,A,WL49,SL49,KL3);
+	RIP4(A,B,C,D,E,WL50,SL50,KL3);
+	RIP4(E,A,B,C,D,WL51,SL51,KL3);
+	RIP4(D,E,A,B,C,WL52,SL52,KL3);
+	RIP4(C,D,E,A,B,WL53,SL53,KL3);
+	RIP4(B,C,D,E,A,WL54,SL54,KL3);
+	RIP4(A,B,C,D,E,WL55,SL55,KL3);
+	RIP4(E,A,B,C,D,WL56,SL56,KL3);
+	RIP4(D,E,A,B,C,WL57,SL57,KL3);
+	RIP4(C,D,E,A,B,WL58,SL58,KL3);
+	RIP4(B,C,D,E,A,WL59,SL59,KL3);
+	RIP4(A,B,C,D,E,WL60,SL60,KL3);
+	RIP4(E,A,B,C,D,WL61,SL61,KL3);
+	RIP4(D,E,A,B,C,WL62,SL62,KL3);
+	RIP4(C,D,E,A,B,WL63,SL63,KL3);
+
+	RIP5(B,C,D,E,A,WL64,SL64,KL4);
+	RIP5(A,B,C,D,E,WL65,SL65,KL4);
+	RIP5(E,A,B,C,D,WL66,SL66,KL4);
+	RIP5(D,E,A,B,C,WL67,SL67,KL4);
+	RIP5(C,D,E,A,B,WL68,SL68,KL4);
+	RIP5(B,C,D,E,A,WL69,SL69,KL4);
+	RIP5(A,B,C,D,E,WL70,SL70,KL4);
+	RIP5(E,A,B,C,D,WL71,SL71,KL4);
+	RIP5(D,E,A,B,C,WL72,SL72,KL4);
+	RIP5(C,D,E,A,B,WL73,SL73,KL4);
+	RIP5(B,C,D,E,A,WL74,SL74,KL4);
+	RIP5(A,B,C,D,E,WL75,SL75,KL4);
+	RIP5(E,A,B,C,D,WL76,SL76,KL4);
+	RIP5(D,E,A,B,C,WL77,SL77,KL4);
+	RIP5(C,D,E,A,B,WL78,SL78,KL4);
+	RIP5(B,C,D,E,A,WL79,SL79,KL4);
+
+	a=A; b=B; c=C; d=D; e=E;
+	/* Do other half */
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	RIP5(A,B,C,D,E,WR00,SR00,KR0);
+	RIP5(E,A,B,C,D,WR01,SR01,KR0);
+	RIP5(D,E,A,B,C,WR02,SR02,KR0);
+	RIP5(C,D,E,A,B,WR03,SR03,KR0);
+	RIP5(B,C,D,E,A,WR04,SR04,KR0);
+	RIP5(A,B,C,D,E,WR05,SR05,KR0);
+	RIP5(E,A,B,C,D,WR06,SR06,KR0);
+	RIP5(D,E,A,B,C,WR07,SR07,KR0);
+	RIP5(C,D,E,A,B,WR08,SR08,KR0);
+	RIP5(B,C,D,E,A,WR09,SR09,KR0);
+	RIP5(A,B,C,D,E,WR10,SR10,KR0);
+	RIP5(E,A,B,C,D,WR11,SR11,KR0);
+	RIP5(D,E,A,B,C,WR12,SR12,KR0);
+	RIP5(C,D,E,A,B,WR13,SR13,KR0);
+	RIP5(B,C,D,E,A,WR14,SR14,KR0);
+	RIP5(A,B,C,D,E,WR15,SR15,KR0);
+
+	RIP4(E,A,B,C,D,WR16,SR16,KR1);
+	RIP4(D,E,A,B,C,WR17,SR17,KR1);
+	RIP4(C,D,E,A,B,WR18,SR18,KR1);
+	RIP4(B,C,D,E,A,WR19,SR19,KR1);
+	RIP4(A,B,C,D,E,WR20,SR20,KR1);
+	RIP4(E,A,B,C,D,WR21,SR21,KR1);
+	RIP4(D,E,A,B,C,WR22,SR22,KR1);
+	RIP4(C,D,E,A,B,WR23,SR23,KR1);
+	RIP4(B,C,D,E,A,WR24,SR24,KR1);
+	RIP4(A,B,C,D,E,WR25,SR25,KR1);
+	RIP4(E,A,B,C,D,WR26,SR26,KR1);
+	RIP4(D,E,A,B,C,WR27,SR27,KR1);
+	RIP4(C,D,E,A,B,WR28,SR28,KR1);
+	RIP4(B,C,D,E,A,WR29,SR29,KR1);
+	RIP4(A,B,C,D,E,WR30,SR30,KR1);
+	RIP4(E,A,B,C,D,WR31,SR31,KR1);
+
+	RIP3(D,E,A,B,C,WR32,SR32,KR2);
+	RIP3(C,D,E,A,B,WR33,SR33,KR2);
+	RIP3(B,C,D,E,A,WR34,SR34,KR2);
+	RIP3(A,B,C,D,E,WR35,SR35,KR2);
+	RIP3(E,A,B,C,D,WR36,SR36,KR2);
+	RIP3(D,E,A,B,C,WR37,SR37,KR2);
+	RIP3(C,D,E,A,B,WR38,SR38,KR2);
+	RIP3(B,C,D,E,A,WR39,SR39,KR2);
+	RIP3(A,B,C,D,E,WR40,SR40,KR2);
+	RIP3(E,A,B,C,D,WR41,SR41,KR2);
+	RIP3(D,E,A,B,C,WR42,SR42,KR2);
+	RIP3(C,D,E,A,B,WR43,SR43,KR2);
+	RIP3(B,C,D,E,A,WR44,SR44,KR2);
+	RIP3(A,B,C,D,E,WR45,SR45,KR2);
+	RIP3(E,A,B,C,D,WR46,SR46,KR2);
+	RIP3(D,E,A,B,C,WR47,SR47,KR2);
+
+	RIP2(C,D,E,A,B,WR48,SR48,KR3);
+	RIP2(B,C,D,E,A,WR49,SR49,KR3);
+	RIP2(A,B,C,D,E,WR50,SR50,KR3);
+	RIP2(E,A,B,C,D,WR51,SR51,KR3);
+	RIP2(D,E,A,B,C,WR52,SR52,KR3);
+	RIP2(C,D,E,A,B,WR53,SR53,KR3);
+	RIP2(B,C,D,E,A,WR54,SR54,KR3);
+	RIP2(A,B,C,D,E,WR55,SR55,KR3);
+	RIP2(E,A,B,C,D,WR56,SR56,KR3);
+	RIP2(D,E,A,B,C,WR57,SR57,KR3);
+	RIP2(C,D,E,A,B,WR58,SR58,KR3);
+	RIP2(B,C,D,E,A,WR59,SR59,KR3);
+	RIP2(A,B,C,D,E,WR60,SR60,KR3);
+	RIP2(E,A,B,C,D,WR61,SR61,KR3);
+	RIP2(D,E,A,B,C,WR62,SR62,KR3);
+	RIP2(C,D,E,A,B,WR63,SR63,KR3);
+
+	RIP1(B,C,D,E,A,WR64,SR64);
+	RIP1(A,B,C,D,E,WR65,SR65);
+	RIP1(E,A,B,C,D,WR66,SR66);
+	RIP1(D,E,A,B,C,WR67,SR67);
+	RIP1(C,D,E,A,B,WR68,SR68);
+	RIP1(B,C,D,E,A,WR69,SR69);
+	RIP1(A,B,C,D,E,WR70,SR70);
+	RIP1(E,A,B,C,D,WR71,SR71);
+	RIP1(D,E,A,B,C,WR72,SR72);
+	RIP1(C,D,E,A,B,WR73,SR73);
+	RIP1(B,C,D,E,A,WR74,SR74);
+	RIP1(A,B,C,D,E,WR75,SR75);
+	RIP1(E,A,B,C,D,WR76,SR76);
+	RIP1(D,E,A,B,C,WR77,SR77);
+	RIP1(C,D,E,A,B,WR78,SR78);
+	RIP1(B,C,D,E,A,WR79,SR79);
+
+	D     =ctx->B+c+D;
+	ctx->B=ctx->C+d+E;
+	ctx->C=ctx->D+e+A;
+	ctx->D=ctx->E+a+B;
+	ctx->E=ctx->A+b+C;
+	ctx->A=D;
+
+		}
+	}
+#endif
+
+#ifndef ripemd160_block_data_order
+#ifdef X
+#undef X
+#endif
+void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num)
+	{
+	const unsigned char *data=p;
+	register unsigned long A,B,C,D,E;
+	unsigned long a,b,c,d,e,l;
+#ifndef MD32_XARRAY
+	/* See comment in crypto/sha/sha_locl.h for details. */
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)	XX##i
+#else
+	RIPEMD160_LONG	XX[16];
+# define X(i)	XX[i]
+#endif
+
+	for (;num--;)
+		{
+
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	HOST_c2l(data,l); X( 0)=l;	HOST_c2l(data,l); X( 1)=l;
+	RIP1(A,B,C,D,E,WL00,SL00);	HOST_c2l(data,l); X( 2)=l;
+	RIP1(E,A,B,C,D,WL01,SL01);	HOST_c2l(data,l); X( 3)=l;
+	RIP1(D,E,A,B,C,WL02,SL02);	HOST_c2l(data,l); X( 4)=l;
+	RIP1(C,D,E,A,B,WL03,SL03);	HOST_c2l(data,l); X( 5)=l;
+	RIP1(B,C,D,E,A,WL04,SL04);	HOST_c2l(data,l); X( 6)=l;
+	RIP1(A,B,C,D,E,WL05,SL05);	HOST_c2l(data,l); X( 7)=l;
+	RIP1(E,A,B,C,D,WL06,SL06);	HOST_c2l(data,l); X( 8)=l;
+	RIP1(D,E,A,B,C,WL07,SL07);	HOST_c2l(data,l); X( 9)=l;
+	RIP1(C,D,E,A,B,WL08,SL08);	HOST_c2l(data,l); X(10)=l;
+	RIP1(B,C,D,E,A,WL09,SL09);	HOST_c2l(data,l); X(11)=l;
+	RIP1(A,B,C,D,E,WL10,SL10);	HOST_c2l(data,l); X(12)=l;
+	RIP1(E,A,B,C,D,WL11,SL11);	HOST_c2l(data,l); X(13)=l;
+	RIP1(D,E,A,B,C,WL12,SL12);	HOST_c2l(data,l); X(14)=l;
+	RIP1(C,D,E,A,B,WL13,SL13);	HOST_c2l(data,l); X(15)=l;
+	RIP1(B,C,D,E,A,WL14,SL14);
+	RIP1(A,B,C,D,E,WL15,SL15);
+
+	RIP2(E,A,B,C,D,WL16,SL16,KL1);
+	RIP2(D,E,A,B,C,WL17,SL17,KL1);
+	RIP2(C,D,E,A,B,WL18,SL18,KL1);
+	RIP2(B,C,D,E,A,WL19,SL19,KL1);
+	RIP2(A,B,C,D,E,WL20,SL20,KL1);
+	RIP2(E,A,B,C,D,WL21,SL21,KL1);
+	RIP2(D,E,A,B,C,WL22,SL22,KL1);
+	RIP2(C,D,E,A,B,WL23,SL23,KL1);
+	RIP2(B,C,D,E,A,WL24,SL24,KL1);
+	RIP2(A,B,C,D,E,WL25,SL25,KL1);
+	RIP2(E,A,B,C,D,WL26,SL26,KL1);
+	RIP2(D,E,A,B,C,WL27,SL27,KL1);
+	RIP2(C,D,E,A,B,WL28,SL28,KL1);
+	RIP2(B,C,D,E,A,WL29,SL29,KL1);
+	RIP2(A,B,C,D,E,WL30,SL30,KL1);
+	RIP2(E,A,B,C,D,WL31,SL31,KL1);
+
+	RIP3(D,E,A,B,C,WL32,SL32,KL2);
+	RIP3(C,D,E,A,B,WL33,SL33,KL2);
+	RIP3(B,C,D,E,A,WL34,SL34,KL2);
+	RIP3(A,B,C,D,E,WL35,SL35,KL2);
+	RIP3(E,A,B,C,D,WL36,SL36,KL2);
+	RIP3(D,E,A,B,C,WL37,SL37,KL2);
+	RIP3(C,D,E,A,B,WL38,SL38,KL2);
+	RIP3(B,C,D,E,A,WL39,SL39,KL2);
+	RIP3(A,B,C,D,E,WL40,SL40,KL2);
+	RIP3(E,A,B,C,D,WL41,SL41,KL2);
+	RIP3(D,E,A,B,C,WL42,SL42,KL2);
+	RIP3(C,D,E,A,B,WL43,SL43,KL2);
+	RIP3(B,C,D,E,A,WL44,SL44,KL2);
+	RIP3(A,B,C,D,E,WL45,SL45,KL2);
+	RIP3(E,A,B,C,D,WL46,SL46,KL2);
+	RIP3(D,E,A,B,C,WL47,SL47,KL2);
+
+	RIP4(C,D,E,A,B,WL48,SL48,KL3);
+	RIP4(B,C,D,E,A,WL49,SL49,KL3);
+	RIP4(A,B,C,D,E,WL50,SL50,KL3);
+	RIP4(E,A,B,C,D,WL51,SL51,KL3);
+	RIP4(D,E,A,B,C,WL52,SL52,KL3);
+	RIP4(C,D,E,A,B,WL53,SL53,KL3);
+	RIP4(B,C,D,E,A,WL54,SL54,KL3);
+	RIP4(A,B,C,D,E,WL55,SL55,KL3);
+	RIP4(E,A,B,C,D,WL56,SL56,KL3);
+	RIP4(D,E,A,B,C,WL57,SL57,KL3);
+	RIP4(C,D,E,A,B,WL58,SL58,KL3);
+	RIP4(B,C,D,E,A,WL59,SL59,KL3);
+	RIP4(A,B,C,D,E,WL60,SL60,KL3);
+	RIP4(E,A,B,C,D,WL61,SL61,KL3);
+	RIP4(D,E,A,B,C,WL62,SL62,KL3);
+	RIP4(C,D,E,A,B,WL63,SL63,KL3);
+
+	RIP5(B,C,D,E,A,WL64,SL64,KL4);
+	RIP5(A,B,C,D,E,WL65,SL65,KL4);
+	RIP5(E,A,B,C,D,WL66,SL66,KL4);
+	RIP5(D,E,A,B,C,WL67,SL67,KL4);
+	RIP5(C,D,E,A,B,WL68,SL68,KL4);
+	RIP5(B,C,D,E,A,WL69,SL69,KL4);
+	RIP5(A,B,C,D,E,WL70,SL70,KL4);
+	RIP5(E,A,B,C,D,WL71,SL71,KL4);
+	RIP5(D,E,A,B,C,WL72,SL72,KL4);
+	RIP5(C,D,E,A,B,WL73,SL73,KL4);
+	RIP5(B,C,D,E,A,WL74,SL74,KL4);
+	RIP5(A,B,C,D,E,WL75,SL75,KL4);
+	RIP5(E,A,B,C,D,WL76,SL76,KL4);
+	RIP5(D,E,A,B,C,WL77,SL77,KL4);
+	RIP5(C,D,E,A,B,WL78,SL78,KL4);
+	RIP5(B,C,D,E,A,WL79,SL79,KL4);
+
+	a=A; b=B; c=C; d=D; e=E;
+	/* Do other half */
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	RIP5(A,B,C,D,E,WR00,SR00,KR0);
+	RIP5(E,A,B,C,D,WR01,SR01,KR0);
+	RIP5(D,E,A,B,C,WR02,SR02,KR0);
+	RIP5(C,D,E,A,B,WR03,SR03,KR0);
+	RIP5(B,C,D,E,A,WR04,SR04,KR0);
+	RIP5(A,B,C,D,E,WR05,SR05,KR0);
+	RIP5(E,A,B,C,D,WR06,SR06,KR0);
+	RIP5(D,E,A,B,C,WR07,SR07,KR0);
+	RIP5(C,D,E,A,B,WR08,SR08,KR0);
+	RIP5(B,C,D,E,A,WR09,SR09,KR0);
+	RIP5(A,B,C,D,E,WR10,SR10,KR0);
+	RIP5(E,A,B,C,D,WR11,SR11,KR0);
+	RIP5(D,E,A,B,C,WR12,SR12,KR0);
+	RIP5(C,D,E,A,B,WR13,SR13,KR0);
+	RIP5(B,C,D,E,A,WR14,SR14,KR0);
+	RIP5(A,B,C,D,E,WR15,SR15,KR0);
+
+	RIP4(E,A,B,C,D,WR16,SR16,KR1);
+	RIP4(D,E,A,B,C,WR17,SR17,KR1);
+	RIP4(C,D,E,A,B,WR18,SR18,KR1);
+	RIP4(B,C,D,E,A,WR19,SR19,KR1);
+	RIP4(A,B,C,D,E,WR20,SR20,KR1);
+	RIP4(E,A,B,C,D,WR21,SR21,KR1);
+	RIP4(D,E,A,B,C,WR22,SR22,KR1);
+	RIP4(C,D,E,A,B,WR23,SR23,KR1);
+	RIP4(B,C,D,E,A,WR24,SR24,KR1);
+	RIP4(A,B,C,D,E,WR25,SR25,KR1);
+	RIP4(E,A,B,C,D,WR26,SR26,KR1);
+	RIP4(D,E,A,B,C,WR27,SR27,KR1);
+	RIP4(C,D,E,A,B,WR28,SR28,KR1);
+	RIP4(B,C,D,E,A,WR29,SR29,KR1);
+	RIP4(A,B,C,D,E,WR30,SR30,KR1);
+	RIP4(E,A,B,C,D,WR31,SR31,KR1);
+
+	RIP3(D,E,A,B,C,WR32,SR32,KR2);
+	RIP3(C,D,E,A,B,WR33,SR33,KR2);
+	RIP3(B,C,D,E,A,WR34,SR34,KR2);
+	RIP3(A,B,C,D,E,WR35,SR35,KR2);
+	RIP3(E,A,B,C,D,WR36,SR36,KR2);
+	RIP3(D,E,A,B,C,WR37,SR37,KR2);
+	RIP3(C,D,E,A,B,WR38,SR38,KR2);
+	RIP3(B,C,D,E,A,WR39,SR39,KR2);
+	RIP3(A,B,C,D,E,WR40,SR40,KR2);
+	RIP3(E,A,B,C,D,WR41,SR41,KR2);
+	RIP3(D,E,A,B,C,WR42,SR42,KR2);
+	RIP3(C,D,E,A,B,WR43,SR43,KR2);
+	RIP3(B,C,D,E,A,WR44,SR44,KR2);
+	RIP3(A,B,C,D,E,WR45,SR45,KR2);
+	RIP3(E,A,B,C,D,WR46,SR46,KR2);
+	RIP3(D,E,A,B,C,WR47,SR47,KR2);
+
+	RIP2(C,D,E,A,B,WR48,SR48,KR3);
+	RIP2(B,C,D,E,A,WR49,SR49,KR3);
+	RIP2(A,B,C,D,E,WR50,SR50,KR3);
+	RIP2(E,A,B,C,D,WR51,SR51,KR3);
+	RIP2(D,E,A,B,C,WR52,SR52,KR3);
+	RIP2(C,D,E,A,B,WR53,SR53,KR3);
+	RIP2(B,C,D,E,A,WR54,SR54,KR3);
+	RIP2(A,B,C,D,E,WR55,SR55,KR3);
+	RIP2(E,A,B,C,D,WR56,SR56,KR3);
+	RIP2(D,E,A,B,C,WR57,SR57,KR3);
+	RIP2(C,D,E,A,B,WR58,SR58,KR3);
+	RIP2(B,C,D,E,A,WR59,SR59,KR3);
+	RIP2(A,B,C,D,E,WR60,SR60,KR3);
+	RIP2(E,A,B,C,D,WR61,SR61,KR3);
+	RIP2(D,E,A,B,C,WR62,SR62,KR3);
+	RIP2(C,D,E,A,B,WR63,SR63,KR3);
+
+	RIP1(B,C,D,E,A,WR64,SR64);
+	RIP1(A,B,C,D,E,WR65,SR65);
+	RIP1(E,A,B,C,D,WR66,SR66);
+	RIP1(D,E,A,B,C,WR67,SR67);
+	RIP1(C,D,E,A,B,WR68,SR68);
+	RIP1(B,C,D,E,A,WR69,SR69);
+	RIP1(A,B,C,D,E,WR70,SR70);
+	RIP1(E,A,B,C,D,WR71,SR71);
+	RIP1(D,E,A,B,C,WR72,SR72);
+	RIP1(C,D,E,A,B,WR73,SR73);
+	RIP1(B,C,D,E,A,WR74,SR74);
+	RIP1(A,B,C,D,E,WR75,SR75);
+	RIP1(E,A,B,C,D,WR76,SR76);
+	RIP1(D,E,A,B,C,WR77,SR77);
+	RIP1(C,D,E,A,B,WR78,SR78);
+	RIP1(B,C,D,E,A,WR79,SR79);
+
+	D     =ctx->B+c+D;
+	ctx->B=ctx->C+d+E;
+	ctx->C=ctx->D+e+A;
+	ctx->D=ctx->E+a+B;
+	ctx->E=ctx->A+b+C;
+	ctx->A=D;
+
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/ripemd/rmd_locl.h b/crypto/openssl/crypto/ripemd/rmd_locl.h
new file mode 100644
index 0000000..f537b88
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmd_locl.h
@@ -0,0 +1,160 @@
+/* crypto/ripemd/rmd_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/ripemd.h>
+
+#ifndef RIPEMD160_LONG_LOG2
+#define RIPEMD160_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+/*
+ * DO EXAMINE COMMENTS IN crypto/md5/md5_locl.h & crypto/md5/md5_dgst.c
+ * FOR EXPLANATIONS ON FOLLOWING "CODE."
+ *					<appro@fy.chalmers.se>
+ */
+#ifdef RMD160_ASM
+# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#  define ripemd160_block_host_order ripemd160_block_asm_host_order
+# endif
+#endif
+
+void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
+void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#define ripemd160_block_data_order ripemd160_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG               RIPEMD160_LONG
+#define HASH_LONG_LOG2          RIPEMD160_LONG_LOG2
+#define HASH_CTX                RIPEMD160_CTX
+#define HASH_CBLOCK             RIPEMD160_CBLOCK
+#define HASH_LBLOCK             RIPEMD160_LBLOCK
+#define HASH_UPDATE             RIPEMD160_Update
+#define HASH_TRANSFORM          RIPEMD160_Transform
+#define HASH_FINAL              RIPEMD160_Final
+#define HASH_BLOCK_HOST_ORDER   ripemd160_block_host_order
+#define	HASH_MAKE_STRING(c,s)	do {	\
+	unsigned long ll;		\
+	ll=(c)->A; HOST_l2c(ll,(s));	\
+	ll=(c)->B; HOST_l2c(ll,(s));	\
+	ll=(c)->C; HOST_l2c(ll,(s));	\
+	ll=(c)->D; HOST_l2c(ll,(s));	\
+	ll=(c)->E; HOST_l2c(ll,(s));	\
+	} while (0)
+#if !defined(L_ENDIAN) || defined(ripemd160_block_data_order)
+#define HASH_BLOCK_DATA_ORDER   ripemd160_block_data_order
+#endif
+
+#include "md32_common.h"
+
+#if 0
+#define F1(x,y,z)	 ((x)^(y)^(z))
+#define F2(x,y,z)	(((x)&(y))|((~x)&z))
+#define F3(x,y,z)	(((x)|(~y))^(z))
+#define F4(x,y,z)	(((x)&(z))|((y)&(~(z))))
+#define F5(x,y,z)	 ((x)^((y)|(~(z))))
+#else
+/*
+ * Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com>
+ */
+#define F1(x,y,z)	((x) ^ (y) ^ (z))
+#define F2(x,y,z)	((((y) ^ (z)) & (x)) ^ (z))
+#define F3(x,y,z)	(((~(y)) | (x)) ^ (z))
+#define F4(x,y,z)	((((x) ^ (y)) & (z)) ^ (y))
+#define F5(x,y,z)	(((~(z)) | (y)) ^ (x))
+#endif
+
+#define RIPEMD160_A	0x67452301L
+#define RIPEMD160_B	0xEFCDAB89L
+#define RIPEMD160_C	0x98BADCFEL
+#define RIPEMD160_D	0x10325476L
+#define RIPEMD160_E	0xC3D2E1F0L
+
+#include "rmdconst.h"
+
+#define RIP1(a,b,c,d,e,w,s) { \
+	a+=F1(b,c,d)+X(w); \
+        a=ROTATE(a,s)+e; \
+        c=ROTATE(c,10); }
+
+#define RIP2(a,b,c,d,e,w,s,K) { \
+	a+=F2(b,c,d)+X(w)+K; \
+        a=ROTATE(a,s)+e; \
+        c=ROTATE(c,10); }
+
+#define RIP3(a,b,c,d,e,w,s,K) { \
+	a+=F3(b,c,d)+X(w)+K; \
+        a=ROTATE(a,s)+e; \
+        c=ROTATE(c,10); }
+
+#define RIP4(a,b,c,d,e,w,s,K) { \
+	a+=F4(b,c,d)+X(w)+K; \
+        a=ROTATE(a,s)+e; \
+        c=ROTATE(c,10); }
+
+#define RIP5(a,b,c,d,e,w,s,K) { \
+	a+=F5(b,c,d)+X(w)+K; \
+        a=ROTATE(a,s)+e; \
+        c=ROTATE(c,10); }
+
diff --git a/crypto/openssl/crypto/ripemd/rmd_one.c b/crypto/openssl/crypto/ripemd/rmd_one.c
new file mode 100644
index 0000000..efdf2dd
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmd_one.c
@@ -0,0 +1,76 @@
+/* crypto/ripemd/rmd_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/ripemd.h>
+
+unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+	     unsigned char *md)
+	{
+	RIPEMD160_CTX c;
+	static unsigned char m[RIPEMD160_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	RIPEMD160_Init(&c);
+	RIPEMD160_Update(&c,d,n);
+	RIPEMD160_Final(md,&c);
+	memset(&c,0,sizeof(c)); /* security consideration */
+	return(md);
+	}
+
diff --git a/crypto/openssl/crypto/ripemd/rmdconst.h b/crypto/openssl/crypto/ripemd/rmdconst.h
new file mode 100644
index 0000000..59c48de
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmdconst.h
@@ -0,0 +1,399 @@
+/* crypto/ripemd/rmdconst.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#define KL0 0x00000000L
+#define KL1 0x5A827999L
+#define KL2 0x6ED9EBA1L
+#define KL3 0x8F1BBCDCL
+#define KL4 0xA953FD4EL
+
+#define KR0 0x50A28BE6L
+#define KR1 0x5C4DD124L
+#define KR2 0x6D703EF3L
+#define KR3 0x7A6D76E9L
+#define KR4 0x00000000L
+
+#define WL00  0
+#define SL00 11
+#define WL01  1
+#define SL01 14
+#define WL02  2
+#define SL02 15
+#define WL03  3
+#define SL03 12
+#define WL04  4
+#define SL04  5
+#define WL05  5
+#define SL05  8
+#define WL06  6
+#define SL06  7
+#define WL07  7
+#define SL07  9
+#define WL08  8
+#define SL08 11
+#define WL09  9
+#define SL09 13
+#define WL10 10
+#define SL10 14
+#define WL11 11
+#define SL11 15
+#define WL12 12
+#define SL12  6
+#define WL13 13
+#define SL13  7
+#define WL14 14
+#define SL14  9
+#define WL15 15
+#define SL15  8
+
+#define WL16  7
+#define SL16  7
+#define WL17  4
+#define SL17  6
+#define WL18 13
+#define SL18  8
+#define WL19  1
+#define SL19 13
+#define WL20 10
+#define SL20 11
+#define WL21  6
+#define SL21  9
+#define WL22 15
+#define SL22  7
+#define WL23  3
+#define SL23 15
+#define WL24 12
+#define SL24  7
+#define WL25  0
+#define SL25 12
+#define WL26  9
+#define SL26 15
+#define WL27  5
+#define SL27  9
+#define WL28  2
+#define SL28 11
+#define WL29 14
+#define SL29  7
+#define WL30 11
+#define SL30 13
+#define WL31  8
+#define SL31 12
+
+#define WL32  3
+#define SL32 11
+#define WL33 10
+#define SL33 13
+#define WL34 14
+#define SL34  6
+#define WL35  4
+#define SL35  7
+#define WL36  9
+#define SL36 14
+#define WL37 15
+#define SL37  9
+#define WL38  8
+#define SL38 13
+#define WL39  1
+#define SL39 15
+#define WL40  2
+#define SL40 14
+#define WL41  7
+#define SL41  8
+#define WL42  0
+#define SL42 13
+#define WL43  6
+#define SL43  6
+#define WL44 13
+#define SL44  5
+#define WL45 11
+#define SL45 12
+#define WL46  5
+#define SL46  7
+#define WL47 12
+#define SL47  5
+
+#define WL48  1
+#define SL48 11
+#define WL49  9
+#define SL49 12
+#define WL50 11
+#define SL50 14
+#define WL51 10
+#define SL51 15
+#define WL52  0
+#define SL52 14
+#define WL53  8
+#define SL53 15
+#define WL54 12
+#define SL54  9
+#define WL55  4
+#define SL55  8
+#define WL56 13
+#define SL56  9
+#define WL57  3
+#define SL57 14
+#define WL58  7
+#define SL58  5
+#define WL59 15
+#define SL59  6
+#define WL60 14
+#define SL60  8
+#define WL61  5
+#define SL61  6
+#define WL62  6
+#define SL62  5
+#define WL63  2
+#define SL63 12
+
+#define WL64  4
+#define SL64  9
+#define WL65  0
+#define SL65 15
+#define WL66  5
+#define SL66  5
+#define WL67  9
+#define SL67 11
+#define WL68  7
+#define SL68  6
+#define WL69 12
+#define SL69  8
+#define WL70  2
+#define SL70 13
+#define WL71 10
+#define SL71 12
+#define WL72 14
+#define SL72  5
+#define WL73  1
+#define SL73 12
+#define WL74  3
+#define SL74 13
+#define WL75  8
+#define SL75 14
+#define WL76 11
+#define SL76 11
+#define WL77  6
+#define SL77  8
+#define WL78 15
+#define SL78  5
+#define WL79 13
+#define SL79  6
+
+#define WR00  5
+#define SR00  8
+#define WR01 14
+#define SR01  9
+#define WR02  7
+#define SR02  9
+#define WR03  0
+#define SR03 11
+#define WR04  9
+#define SR04 13
+#define WR05  2
+#define SR05 15
+#define WR06 11
+#define SR06 15
+#define WR07  4
+#define SR07  5
+#define WR08 13
+#define SR08  7
+#define WR09  6
+#define SR09  7
+#define WR10 15
+#define SR10  8
+#define WR11  8
+#define SR11 11
+#define WR12  1
+#define SR12 14
+#define WR13 10
+#define SR13 14
+#define WR14  3
+#define SR14 12
+#define WR15 12
+#define SR15  6
+
+#define WR16  6
+#define SR16  9
+#define WR17 11
+#define SR17 13
+#define WR18  3
+#define SR18 15
+#define WR19  7
+#define SR19  7
+#define WR20  0
+#define SR20 12
+#define WR21 13
+#define SR21  8
+#define WR22  5
+#define SR22  9
+#define WR23 10
+#define SR23 11
+#define WR24 14
+#define SR24  7
+#define WR25 15
+#define SR25  7
+#define WR26  8
+#define SR26 12
+#define WR27 12
+#define SR27  7
+#define WR28  4
+#define SR28  6
+#define WR29  9
+#define SR29 15
+#define WR30  1
+#define SR30 13
+#define WR31  2
+#define SR31 11
+
+#define WR32 15
+#define SR32  9
+#define WR33  5
+#define SR33  7
+#define WR34  1
+#define SR34 15
+#define WR35  3
+#define SR35 11
+#define WR36  7
+#define SR36  8
+#define WR37 14
+#define SR37  6
+#define WR38  6
+#define SR38  6
+#define WR39  9
+#define SR39 14
+#define WR40 11
+#define SR40 12
+#define WR41  8
+#define SR41 13
+#define WR42 12
+#define SR42  5
+#define WR43  2
+#define SR43 14
+#define WR44 10
+#define SR44 13
+#define WR45  0
+#define SR45 13
+#define WR46  4
+#define SR46  7
+#define WR47 13
+#define SR47  5
+
+#define WR48  8
+#define SR48 15
+#define WR49  6
+#define SR49  5
+#define WR50  4
+#define SR50  8
+#define WR51  1
+#define SR51 11
+#define WR52  3
+#define SR52 14
+#define WR53 11
+#define SR53 14
+#define WR54 15
+#define SR54  6
+#define WR55  0
+#define SR55 14
+#define WR56  5
+#define SR56  6
+#define WR57 12
+#define SR57  9
+#define WR58  2
+#define SR58 12
+#define WR59 13
+#define SR59  9
+#define WR60  9
+#define SR60 12
+#define WR61  7
+#define SR61  5
+#define WR62 10
+#define SR62 15
+#define WR63 14
+#define SR63  8
+
+#define WR64 12
+#define SR64  8
+#define WR65 15
+#define SR65  5
+#define WR66 10
+#define SR66 12
+#define WR67  4
+#define SR67  9
+#define WR68  1
+#define SR68 12
+#define WR69  5
+#define SR69  5
+#define WR70  8
+#define SR70 14
+#define WR71  7
+#define SR71  6
+#define WR72  6
+#define SR72  8
+#define WR73  2
+#define SR73 13
+#define WR74 13
+#define SR74  6
+#define WR75 14
+#define SR75  5
+#define WR76  0
+#define SR76 15
+#define WR77  3
+#define SR77 13
+#define WR78  9
+#define SR78 11
+#define WR79 11
+#define SR79 11
+
diff --git a/crypto/openssl/crypto/ripemd/rmdtest.c b/crypto/openssl/crypto/ripemd/rmdtest.c
new file mode 100644
index 0000000..5d79c99
--- /dev/null
+++ b/crypto/openssl/crypto/ripemd/rmdtest.c
@@ -0,0 +1,140 @@
+/* crypto/ripemd/rmdtest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_RIPEMD
+int main(int argc, char *argv[])
+{
+    printf("No ripemd support\n");
+    return(0);
+}
+#else
+#include <openssl/ripemd.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static char *test[]={
+	"",
+	"a",
+	"abc",
+	"message digest",
+	"abcdefghijklmnopqrstuvwxyz",
+	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+	"12345678901234567890123456789012345678901234567890123456789012345678901234567890",
+	NULL,
+	};
+
+static char *ret[]={
+	"9c1185a5c5e9fc54612808977ee8f548b2258d31",
+	"0bdc9d2d256b3ee9daae347be6f4dc835a467ffe",
+	"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc",
+	"5d0689ef49d2fae572b881b123a85ffa21595f36",
+	"f71c27109c692c1b56bbdceb5b9d2865b3708dbc",
+	"12a053384a9c0c88e405a06c27dcf49ada62eb2b",
+	"b0e20b6e3116640286ed3a87a5713079b21f5189",
+	"9b752e45573d4b39f4dbd3323cab82bf63326bfb",
+	};
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	unsigned char **P,**R;
+	char *p;
+
+	P=(unsigned char **)test;
+	R=(unsigned char **)ret;
+	i=1;
+	while (*P != NULL)
+		{
+#ifdef CHARSET_EBCDIC
+		ebcdic2ascii((char *)*P, (char *)*P, strlen((char *)*P));
+#endif
+		p=pt(RIPEMD160(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+		if (strcmp(p,(char *)*R) != 0)
+			{
+			printf("error calculating RIPEMD160 on '%s'\n",*P);
+			printf("got %s instead of %s\n",p,*R);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		i++;
+		R++;
+		P++;
+		}
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<RIPEMD160_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/rsa/Makefile.save b/crypto/openssl/crypto/rsa/Makefile.save
new file mode 100644
index 0000000..6f56d92
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/Makefile.save
@@ -0,0 +1,181 @@
+#
+# SSLeay/crypto/rsa/Makefile
+#
+
+DIR=	rsa
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rsa_test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
+	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c
+LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
+	rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rsa.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_chk.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_chk.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_eay.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_eay.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_gen.o: ../cryptlib.h
+rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_none.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_none.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_none.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_none.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_null.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_null.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_null.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_oaep.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_oaep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_oaep.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_oaep.o: ../cryptlib.h
+rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_pk1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_pk1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_pk1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_pk1.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+rsa_saos.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_saos.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+rsa_saos.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_saos.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+rsa_saos.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_saos.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+rsa_saos.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+rsa_saos.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_saos.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_saos.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_saos.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_saos.o: ../cryptlib.h
+rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+rsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_sign.o: ../cryptlib.h
+rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_ssl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_ssl.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_ssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_ssl.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl
new file mode 100644
index 0000000..6f56d92
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/Makefile.ssl
@@ -0,0 +1,181 @@
+#
+# SSLeay/crypto/rsa/Makefile
+#
+
+DIR=	rsa
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=rsa_test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
+	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c
+LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
+	rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= rsa.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_chk.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_chk.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_eay.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_eay.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
+rsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_gen.o: ../cryptlib.h
+rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_none.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_none.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_none.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_none.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_null.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_null.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_null.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_oaep.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_oaep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_oaep.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_oaep.o: ../cryptlib.h
+rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_pk1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_pk1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_pk1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_pk1.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+rsa_saos.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_saos.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+rsa_saos.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_saos.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+rsa_saos.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_saos.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+rsa_saos.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+rsa_saos.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_saos.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_saos.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_saos.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_saos.o: ../cryptlib.h
+rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+rsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_sign.o: ../cryptlib.h
+rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_ssl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_ssl.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_ssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_ssl.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
new file mode 100644
index 0000000..b449228
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -0,0 +1,340 @@
+/* crypto/rsa/rsa.h */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RSA_H
+#define HEADER_RSA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+
+#ifdef NO_RSA
+#error RSA is disabled.
+#endif
+
+typedef struct rsa_st RSA;
+
+typedef struct rsa_meth_st
+	{
+	const char *name;
+	int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to,
+			   RSA *rsa,int padding);
+	int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to,
+			   RSA *rsa,int padding);
+	int (*rsa_priv_enc)(int flen,unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding);
+	int (*rsa_priv_dec)(int flen,unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding);
+	int (*rsa_mod_exp)(BIGNUM *r0,BIGNUM *I,RSA *rsa); /* Can be null */
+	int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx,
+			  BN_MONT_CTX *m_ctx); /* Can be null */
+	int (*init)(RSA *rsa);		/* called at new */
+	int (*finish)(RSA *rsa);	/* called at free */
+	int flags;			/* RSA_METHOD_FLAG_* things */
+	char *app_data;			/* may be needed! */
+/* New sign and verify functions: some libraries don't allow arbitrary data
+ * to be signed/verified: this allows them to be used. Note: for this to work
+ * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
+ * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
+ * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
+ * option is set in 'flags'.
+ */
+	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
+             unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+	int (*rsa_verify)(int dtype, unsigned char *m, unsigned int m_len,
+             unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+	} RSA_METHOD;
+
+struct rsa_st
+	{
+	/* The first parameter is used to pickup errors where
+	 * this is passed instead of aEVP_PKEY, it is set to 0 */
+	int pad;
+	int version;
+	RSA_METHOD *meth;
+	BIGNUM *n;
+	BIGNUM *e;
+	BIGNUM *d;
+	BIGNUM *p;
+	BIGNUM *q;
+	BIGNUM *dmp1;
+	BIGNUM *dmq1;
+	BIGNUM *iqmp;
+	/* be careful using this if the RSA structure is shared */
+	CRYPTO_EX_DATA ex_data;
+	int references;
+	int flags;
+
+	/* Used to cache montgomery values */
+	BN_MONT_CTX *_method_mod_n;
+	BN_MONT_CTX *_method_mod_p;
+	BN_MONT_CTX *_method_mod_q;
+
+	/* all BIGNUM values are actually in the following data, if it is not
+	 * NULL */
+	char *bignum_data;
+	BN_BLINDING *blinding;
+	};
+
+#define RSA_3	0x3L
+#define RSA_F4	0x10001L
+
+#define RSA_METHOD_FLAG_NO_CHECK	0x01 /* don't check pub/private match */
+
+#define RSA_FLAG_CACHE_PUBLIC		0x02
+#define RSA_FLAG_CACHE_PRIVATE		0x04
+#define RSA_FLAG_BLINDING		0x08
+#define RSA_FLAG_THREAD_SAFE		0x10
+/* This flag means the private key operations will be handled by rsa_mod_exp
+ * and that they do not depend on the private key components being present:
+ * for example a key stored in external hardware. Without this flag bn_mod_exp
+ * gets called when private key components are absent.
+ */
+#define RSA_FLAG_EXT_PKEY		0x20
+
+/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
+ */
+#define RSA_FLAG_SIGN_VER		0x40
+
+#define RSA_PKCS1_PADDING	1
+#define RSA_SSLV23_PADDING	2
+#define RSA_NO_PADDING		3
+#define RSA_PKCS1_OAEP_PADDING	4
+
+#define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
+#define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
+
+RSA *	RSA_new(void);
+RSA *	RSA_new_method(RSA_METHOD *method);
+int	RSA_size(RSA *);
+RSA *	RSA_generate_key(int bits, unsigned long e,void
+		(*callback)(int,int,void *),void *cb_arg);
+int	RSA_check_key(RSA *);
+	/* next 4 return -1 on error */
+int	RSA_public_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+int	RSA_private_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+int	RSA_public_decrypt(int flen, unsigned char *from, 
+		unsigned char *to, RSA *rsa,int padding);
+int	RSA_private_decrypt(int flen, unsigned char *from, 
+		unsigned char *to, RSA *rsa,int padding);
+void	RSA_free (RSA *r);
+
+int	RSA_flags(RSA *r);
+
+void RSA_set_default_method(RSA_METHOD *meth);
+RSA_METHOD *RSA_get_default_method(void);
+RSA_METHOD *RSA_get_method(RSA *rsa);
+RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+
+/* This function needs the memory locking malloc callbacks to be installed */
+int RSA_memory_lock(RSA *r);
+
+/* these are the actual SSLeay RSA functions */
+RSA_METHOD *RSA_PKCS1(void);
+
+RSA_METHOD *RSA_null_method(void);
+
+void	ERR_load_RSA_strings(void );
+
+RSA *	d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
+int	i2d_RSAPublicKey(RSA *a, unsigned char **pp);
+RSA *	d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
+int 	i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
+#ifndef NO_FP_API
+int	RSA_print_fp(FILE *fp, RSA *r,int offset);
+#endif
+
+#ifdef HEADER_BIO_H
+int	RSA_print(BIO *bp, RSA *r,int offset);
+#endif
+
+int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+/* Naughty internal function required elsewhere, to handle a MS structure
+ * that is the same as the netscape one :-) */
+RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+/* The following 2 functions sign and verify a X509_SIG ASN1 object
+ * inside PKCS#1 padded RSA encryption */
+int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+	unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+/* The following 2 function sign and verify a ASN1_OCTET_STRING
+ * object inside PKCS#1 padded RSA encryption */
+int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
+	unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int RSA_verify_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
+	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+void RSA_blinding_off(RSA *rsa);
+
+int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
+	unsigned char *f,int fl);
+int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
+	unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
+	unsigned char *f,int fl);
+int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
+	unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
+			       unsigned char *f,int fl,unsigned char *p,
+			       int pl);
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
+				 unsigned char *f,int fl,int rsa_len,
+				 unsigned char *p,int pl);
+int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
+	unsigned char *f,int fl);
+int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
+	unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_none(unsigned char *to,int tlen,
+	unsigned char *f,int fl);
+int RSA_padding_check_none(unsigned char *to,int tlen,
+	unsigned char *f,int fl,int rsa_len);
+
+int RSA_libversion();
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int RSA_set_ex_data(RSA *r,int idx,void *arg);
+void *RSA_get_ex_data(RSA *r, int idx);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the RSA functions. */
+
+/* Function codes. */
+#define RSA_F_MEMORY_LOCK				 100
+#define RSA_F_RSA_CHECK_KEY				 123
+#define RSA_F_RSA_EAY_PRIVATE_DECRYPT			 101
+#define RSA_F_RSA_EAY_PRIVATE_ENCRYPT			 102
+#define RSA_F_RSA_EAY_PUBLIC_DECRYPT			 103
+#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT			 104
+#define RSA_F_RSA_GENERATE_KEY				 105
+#define RSA_F_RSA_NEW_METHOD				 106
+#define RSA_F_RSA_NULL					 124
+#define RSA_F_RSA_PADDING_ADD_NONE			 107
+#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP		 121
+#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1		 108
+#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2		 109
+#define RSA_F_RSA_PADDING_ADD_SSLV23			 110
+#define RSA_F_RSA_PADDING_CHECK_NONE			 111
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP		 122
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1		 112
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2		 113
+#define RSA_F_RSA_PADDING_CHECK_SSLV23			 114
+#define RSA_F_RSA_PRINT					 115
+#define RSA_F_RSA_PRINT_FP				 116
+#define RSA_F_RSA_SIGN					 117
+#define RSA_F_RSA_SIGN_ASN1_OCTET_STRING		 118
+#define RSA_F_RSA_VERIFY				 119
+#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING		 120
+
+/* Reason codes. */
+#define RSA_R_ALGORITHM_MISMATCH			 100
+#define RSA_R_BAD_E_VALUE				 101
+#define RSA_R_BAD_FIXED_HEADER_DECRYPT			 102
+#define RSA_R_BAD_PAD_BYTE_COUNT			 103
+#define RSA_R_BAD_SIGNATURE				 104
+#define RSA_R_BLOCK_TYPE_IS_NOT_01			 106
+#define RSA_R_BLOCK_TYPE_IS_NOT_02			 107
+#define RSA_R_DATA_GREATER_THAN_MOD_LEN			 108
+#define RSA_R_DATA_TOO_LARGE				 109
+#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 110
+#define RSA_R_DATA_TOO_SMALL				 111
+#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE		 122
+#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY		 112
+#define RSA_R_DMP1_NOT_CONGRUENT_TO_D			 124
+#define RSA_R_DMQ1_NOT_CONGRUENT_TO_D			 125
+#define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123
+#define RSA_R_INVALID_MESSAGE_LENGTH			 131
+#define RSA_R_IQMP_NOT_INVERSE_OF_Q			 126
+#define RSA_R_KEY_SIZE_TOO_SMALL			 120
+#define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
+#define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
+#define RSA_R_OAEP_DECODING_ERROR			 121
+#define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_P_NOT_PRIME				 128
+#define RSA_R_Q_NOT_PRIME				 129
+#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
+#define RSA_R_SSLV3_ROLLBACK_ATTACK			 115
+#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
+#define RSA_R_UNKNOWN_ALGORITHM_TYPE			 117
+#define RSA_R_UNKNOWN_PADDING_TYPE			 118
+#define RSA_R_WRONG_SIGNATURE_LENGTH			 119
+
+#define RSALIB_OPENSSL	1
+#define RSALIB_RSAREF	2
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/rsa/rsa_chk.c b/crypto/openssl/crypto/rsa/rsa_chk.c
new file mode 100644
index 0000000..91b9115
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_chk.c
@@ -0,0 +1,184 @@
+/* crypto/rsa/rsa_chk.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+
+
+int RSA_check_key(RSA *key)
+	{
+	BIGNUM *i, *j, *k, *l, *m;
+	BN_CTX *ctx;
+	int r;
+	int ret=1;
+	
+	i = BN_new();
+	j = BN_new();
+	k = BN_new();
+	l = BN_new();
+	m = BN_new();
+	ctx = BN_CTX_new();
+	if (i == NULL || j == NULL || k == NULL || l == NULL ||
+		m == NULL || ctx == NULL)
+		{
+		ret = -1;
+		RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	/* p prime? */
+	r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
+	if (r != 1)
+		{
+		ret = r;
+		if (r != 0)
+			goto err;
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
+		}
+	
+	/* q prime? */
+	r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
+	if (r != 1)
+		{
+		ret = r;
+		if (r != 0)
+			goto err;
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
+		}
+	
+	/* n = p*q? */
+	r = BN_mul(i, key->p, key->q, ctx);
+	if (!r) { ret = -1; goto err; }
+	
+	if (BN_cmp(i, key->n) != 0)
+		{
+		ret = 0;
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
+		}
+	
+	/* d*e = 1  mod lcm(p-1,q-1)? */
+
+	r = BN_sub(i, key->p, BN_value_one());
+	if (!r) { ret = -1; goto err; }
+	r = BN_sub(j, key->q, BN_value_one());
+	if (!r) { ret = -1; goto err; }
+
+	/* now compute k = lcm(i,j) */
+	r = BN_mul(l, i, j, ctx);
+	if (!r) { ret = -1; goto err; }
+	r = BN_gcd(m, i, j, ctx);
+	if (!r) { ret = -1; goto err; }
+	r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
+	if (!r) { ret = -1; goto err; }
+
+	r = BN_mod_mul(i, key->d, key->e, k, ctx);
+	if (!r) { ret = -1; goto err; }
+
+	if (!BN_is_one(i))
+		{
+		ret = 0;
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+		}
+	
+	if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
+		{
+		/* dmp1 = d mod (p-1)? */
+		r = BN_sub(i, key->p, BN_value_one());
+		if (!r) { ret = -1; goto err; }
+
+		r = BN_mod(j, key->d, i, ctx);
+		if (!r) { ret = -1; goto err; }
+
+		if (BN_cmp(j, key->dmp1) != 0)
+			{
+			ret = 0;
+			RSAerr(RSA_F_RSA_CHECK_KEY,
+				RSA_R_DMP1_NOT_CONGRUENT_TO_D);
+			}
+	
+		/* dmq1 = d mod (q-1)? */    
+		r = BN_sub(i, key->q, BN_value_one());
+		if (!r) { ret = -1; goto err; }
+	
+		r = BN_mod(j, key->d, i, ctx);
+		if (!r) { ret = -1; goto err; }
+
+		if (BN_cmp(j, key->dmq1) != 0)
+			{
+			ret = 0;
+			RSAerr(RSA_F_RSA_CHECK_KEY,
+				RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
+			}
+	
+		/* iqmp = q^-1 mod p? */
+		if(!BN_mod_inverse(i, key->q, key->p, ctx))
+			{
+			ret = -1;
+			goto err;
+			}
+
+		if (BN_cmp(i, key->iqmp) != 0)
+			{
+			ret = 0;
+			RSAerr(RSA_F_RSA_CHECK_KEY,
+				RSA_R_IQMP_NOT_INVERSE_OF_Q);
+			}
+		}
+
+ err:
+	if (i != NULL) BN_free(i);
+	if (j != NULL) BN_free(j);
+	if (k != NULL) BN_free(k);
+	if (l != NULL) BN_free(l);
+	if (m != NULL) BN_free(m);
+	if (ctx != NULL) BN_CTX_free(ctx);
+	return (ret);
+	}
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
new file mode 100644
index 0000000..f73d7b2
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -0,0 +1,490 @@
+/* crypto/rsa/rsa_eay.c */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+static int RSA_eay_public_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_public_decrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_private_decrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
+static int RSA_eay_init(RSA *rsa);
+static int RSA_eay_finish(RSA *rsa);
+static RSA_METHOD rsa_pkcs1_eay_meth={
+	"Eric Young's PKCS#1 RSA",
+	RSA_eay_public_encrypt,
+	RSA_eay_public_decrypt,
+	RSA_eay_private_encrypt,
+	RSA_eay_private_decrypt,
+	RSA_eay_mod_exp,
+	BN_mod_exp_mont,
+	RSA_eay_init,
+	RSA_eay_finish,
+	0,
+	NULL,
+	};
+
+RSA_METHOD *RSA_PKCS1(void)
+	{
+	return(&rsa_pkcs1_eay_meth);
+	}
+
+static int RSA_eay_public_encrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	BIGNUM f,ret;
+	int i,j,k,num=0,r= -1;
+	unsigned char *buf=NULL;
+	BN_CTX *ctx=NULL;
+
+	BN_init(&f);
+	BN_init(&ret);
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	num=BN_num_bytes(rsa->n);
+	if ((buf=(unsigned char *)Malloc(num)) == NULL)
+		{
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	switch (padding)
+		{
+	case RSA_PKCS1_PADDING:
+		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
+		break;
+#ifndef NO_SHA
+	case RSA_PKCS1_OAEP_PADDING:
+	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
+		break;
+#endif
+	case RSA_SSLV23_PADDING:
+		i=RSA_padding_add_SSLv23(buf,num,from,flen);
+		break;
+	case RSA_NO_PADDING:
+		i=RSA_padding_add_none(buf,num,from,flen);
+		break;
+	default:
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+		}
+	if (i <= 0) goto err;
+
+	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+	
+	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+		{
+		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
+			    goto err;
+		}
+
+	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+		rsa->_method_mod_n)) goto err;
+
+	/* put in leading 0 bytes if the number is less than the
+	 * length of the modulus */
+	j=BN_num_bytes(&ret);
+	i=BN_bn2bin(&ret,&(to[num-j]));
+	for (k=0; k<(num-i); k++)
+		to[k]=0;
+
+	r=num;
+err:
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_clear_free(&f);
+	BN_clear_free(&ret);
+	if (buf != NULL) 
+		{
+		memset(buf,0,num);
+		Free(buf);
+		}
+	return(r);
+	}
+
+static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	BIGNUM f,ret;
+	int i,j,k,num=0,r= -1;
+	unsigned char *buf=NULL;
+	BN_CTX *ctx=NULL;
+
+	BN_init(&f);
+	BN_init(&ret);
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	num=BN_num_bytes(rsa->n);
+	if ((buf=(unsigned char *)Malloc(num)) == NULL)
+		{
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	switch (padding)
+		{
+	case RSA_PKCS1_PADDING:
+		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
+		break;
+	case RSA_NO_PADDING:
+		i=RSA_padding_add_none(buf,num,from,flen);
+		break;
+	case RSA_SSLV23_PADDING:
+	default:
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+		}
+	if (i <= 0) goto err;
+
+	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+
+	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+		RSA_blinding_on(rsa,ctx);
+	if (rsa->flags & RSA_FLAG_BLINDING)
+		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+
+	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+		((rsa->p != NULL) &&
+		(rsa->q != NULL) &&
+		(rsa->dmp1 != NULL) &&
+		(rsa->dmq1 != NULL) &&
+		(rsa->iqmp != NULL)) )
+		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+	else
+		{
+		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+		}
+
+	if (rsa->flags & RSA_FLAG_BLINDING)
+		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+
+	/* put in leading 0 bytes if the number is less than the
+	 * length of the modulus */
+	j=BN_num_bytes(&ret);
+	i=BN_bn2bin(&ret,&(to[num-j]));
+	for (k=0; k<(num-i); k++)
+		to[k]=0;
+
+	r=num;
+err:
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_clear_free(&ret);
+	BN_clear_free(&f);
+	if (buf != NULL)
+		{
+		memset(buf,0,num);
+		Free(buf);
+		}
+	return(r);
+	}
+
+static int RSA_eay_private_decrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	BIGNUM f,ret;
+	int j,num=0,r= -1;
+	unsigned char *p;
+	unsigned char *buf=NULL;
+	BN_CTX *ctx=NULL;
+
+	BN_init(&f);
+	BN_init(&ret);
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+
+	num=BN_num_bytes(rsa->n);
+
+	if ((buf=(unsigned char *)Malloc(num)) == NULL)
+		{
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	/* This check was for equallity but PGP does evil things
+	 * and chops off the top '0' bytes */
+	if (flen > num)
+		{
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+		goto err;
+		}
+
+	/* make data into a big number */
+	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
+
+	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+		RSA_blinding_on(rsa,ctx);
+	if (rsa->flags & RSA_FLAG_BLINDING)
+		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+
+	/* do the decrypt */
+	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+		((rsa->p != NULL) &&
+		(rsa->q != NULL) &&
+		(rsa->dmp1 != NULL) &&
+		(rsa->dmq1 != NULL) &&
+		(rsa->iqmp != NULL)) )
+		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+	else
+		{
+		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+			goto err;
+		}
+
+	if (rsa->flags & RSA_FLAG_BLINDING)
+		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+
+	p=buf;
+	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
+
+	switch (padding)
+		{
+	case RSA_PKCS1_PADDING:
+		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
+		break;
+#ifndef NO_SHA
+        case RSA_PKCS1_OAEP_PADDING:
+	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
+                break;
+#endif
+ 	case RSA_SSLV23_PADDING:
+		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
+		break;
+	case RSA_NO_PADDING:
+		r=RSA_padding_check_none(to,num,buf,j,num);
+		break;
+	default:
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+		}
+	if (r < 0)
+		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
+
+err:
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_clear_free(&f);
+	BN_clear_free(&ret);
+	if (buf != NULL)
+		{
+		memset(buf,0,num);
+		Free(buf);
+		}
+	return(r);
+	}
+
+static int RSA_eay_public_decrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	BIGNUM f,ret;
+	int i,num=0,r= -1;
+	unsigned char *p;
+	unsigned char *buf=NULL;
+	BN_CTX *ctx=NULL;
+
+	BN_init(&f);
+	BN_init(&ret);
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+
+	num=BN_num_bytes(rsa->n);
+	buf=(unsigned char *)Malloc(num);
+	if (buf == NULL)
+		{
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	/* This check was for equallity but PGP does evil things
+	 * and chops off the top '0' bytes */
+	if (flen > num)
+		{
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+		goto err;
+		}
+
+	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+	/* do the decrypt */
+	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+		{
+		if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
+			if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
+			    goto err;
+		}
+
+	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+		rsa->_method_mod_n)) goto err;
+
+	p=buf;
+	i=BN_bn2bin(&ret,p);
+
+	switch (padding)
+		{
+	case RSA_PKCS1_PADDING:
+		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		break;
+	case RSA_NO_PADDING:
+		r=RSA_padding_check_none(to,num,buf,i,num);
+		break;
+	default:
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+		}
+	if (r < 0)
+		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
+
+err:
+	if (ctx != NULL) BN_CTX_free(ctx);
+	BN_clear_free(&f);
+	BN_clear_free(&ret);
+	if (buf != NULL)
+		{
+		memset(buf,0,num);
+		Free(buf);
+		}
+	return(r);
+	}
+
+static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+	{
+	BIGNUM r1,m1;
+	int ret=0;
+	BN_CTX *ctx;
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	BN_init(&m1);
+	BN_init(&r1);
+
+	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+		{
+		if (rsa->_method_mod_p == NULL)
+			{
+			if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
+				if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
+						     ctx))
+					goto err;
+			}
+		if (rsa->_method_mod_q == NULL)
+			{
+			if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
+				if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
+						     ctx))
+					goto err;
+			}
+		}
+
+	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
+	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+		rsa->_method_mod_q)) goto err;
+
+	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
+	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+		rsa->_method_mod_p)) goto err;
+
+	if (!BN_sub(r0,r0,&m1)) goto err;
+	/* This will help stop the size of r0 increasing, which does
+	 * affect the multiply if it optimised for a power of 2 size */
+	if (r0->neg)
+		if (!BN_add(r0,r0,rsa->p)) goto err;
+
+	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
+	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
+	/* If p < q it is occasionally possible for the correction of
+         * adding 'p' if r0 is negative above to leave the result still
+	 * negative. This can break the private key operations: the following
+	 * second correction should *always* correct this rare occurrence.
+	 * This will *never* happen with OpenSSL generated keys because
+         * they ensure p > q [steve]
+         */
+	if (r0->neg)
+		if (!BN_add(r0,r0,rsa->p)) goto err;
+	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
+	if (!BN_add(r0,&r1,&m1)) goto err;
+
+	ret=1;
+err:
+	BN_clear_free(&m1);
+	BN_clear_free(&r1);
+	BN_CTX_free(ctx);
+	return(ret);
+	}
+
+static int RSA_eay_init(RSA *rsa)
+	{
+	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
+	return(1);
+	}
+
+static int RSA_eay_finish(RSA *rsa)
+	{
+	if (rsa->_method_mod_n != NULL)
+		BN_MONT_CTX_free(rsa->_method_mod_n);
+	if (rsa->_method_mod_p != NULL)
+		BN_MONT_CTX_free(rsa->_method_mod_p);
+	if (rsa->_method_mod_q != NULL)
+		BN_MONT_CTX_free(rsa->_method_mod_q);
+	return(1);
+	}
+
+
diff --git a/crypto/openssl/crypto/rsa/rsa_err.c b/crypto/openssl/crypto/rsa/rsa_err.c
new file mode 100644
index 0000000..1cde7c0
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_err.c
@@ -0,0 +1,148 @@
+/* crypto/rsa/rsa_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA RSA_str_functs[]=
+	{
+{ERR_PACK(0,RSA_F_MEMORY_LOCK,0),	"MEMORY_LOCK"},
+{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0),	"RSA_check_key"},
+{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0),	"RSA_EAY_PRIVATE_DECRYPT"},
+{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0),	"RSA_EAY_PRIVATE_ENCRYPT"},
+{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0),	"RSA_EAY_PUBLIC_DECRYPT"},
+{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0),	"RSA_EAY_PUBLIC_ENCRYPT"},
+{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0),	"RSA_generate_key"},
+{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0),	"RSA_new_method"},
+{ERR_PACK(0,RSA_F_RSA_NULL,0),	"RSA_NULL"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0),	"RSA_padding_add_none"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0),	"RSA_padding_add_PKCS1_OAEP"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0),	"RSA_padding_add_PKCS1_type_1"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0),	"RSA_padding_add_PKCS1_type_2"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0),	"RSA_padding_add_SSLv23"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0),	"RSA_padding_check_none"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0),	"RSA_padding_check_PKCS1_OAEP"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0),	"RSA_padding_check_PKCS1_type_1"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0),	"RSA_padding_check_PKCS1_type_2"},
+{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0),	"RSA_padding_check_SSLv23"},
+{ERR_PACK(0,RSA_F_RSA_PRINT,0),	"RSA_print"},
+{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0),	"RSA_print_fp"},
+{ERR_PACK(0,RSA_F_RSA_SIGN,0),	"RSA_sign"},
+{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0),	"RSA_sign_ASN1_OCTET_STRING"},
+{ERR_PACK(0,RSA_F_RSA_VERIFY,0),	"RSA_verify"},
+{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0),	"RSA_verify_ASN1_OCTET_STRING"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA RSA_str_reasons[]=
+	{
+{RSA_R_ALGORITHM_MISMATCH                ,"algorithm mismatch"},
+{RSA_R_BAD_E_VALUE                       ,"bad e value"},
+{RSA_R_BAD_FIXED_HEADER_DECRYPT          ,"bad fixed header decrypt"},
+{RSA_R_BAD_PAD_BYTE_COUNT                ,"bad pad byte count"},
+{RSA_R_BAD_SIGNATURE                     ,"bad signature"},
+{RSA_R_BLOCK_TYPE_IS_NOT_01              ,"block type is not 01"},
+{RSA_R_BLOCK_TYPE_IS_NOT_02              ,"block type is not 02"},
+{RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
+{RSA_R_DATA_TOO_LARGE                    ,"data too large"},
+{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
+{RSA_R_DATA_TOO_SMALL                    ,"data too small"},
+{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
+{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
+{RSA_R_DMP1_NOT_CONGRUENT_TO_D           ,"dmp1 not congruent to d"},
+{RSA_R_DMQ1_NOT_CONGRUENT_TO_D           ,"dmq1 not congruent to d"},
+{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
+{RSA_R_INVALID_MESSAGE_LENGTH            ,"invalid message length"},
+{RSA_R_IQMP_NOT_INVERSE_OF_Q             ,"iqmp not inverse of q"},
+{RSA_R_KEY_SIZE_TOO_SMALL                ,"key size too small"},
+{RSA_R_NULL_BEFORE_BLOCK_MISSING         ,"null before block missing"},
+{RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
+{RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
+{RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
+{RSA_R_P_NOT_PRIME                       ,"p not prime"},
+{RSA_R_Q_NOT_PRIME                       ,"q not prime"},
+{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
+{RSA_R_SSLV3_ROLLBACK_ATTACK             ,"sslv3 rollback attack"},
+{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
+{RSA_R_UNKNOWN_ALGORITHM_TYPE            ,"unknown algorithm type"},
+{RSA_R_UNKNOWN_PADDING_TYPE              ,"unknown padding type"},
+{RSA_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_RSA_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
+		ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/rsa/rsa_gen.c b/crypto/openssl/crypto/rsa/rsa_gen.c
new file mode 100644
index 0000000..95e636d
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_gen.c
@@ -0,0 +1,197 @@
+/* crypto/rsa/rsa_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+RSA *RSA_generate_key(int bits, unsigned long e_value,
+	     void (*callback)(int,int,void *), void *cb_arg)
+	{
+	RSA *rsa=NULL;
+	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
+	int bitsp,bitsq,ok= -1,n=0,i;
+	BN_CTX *ctx=NULL,*ctx2=NULL;
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+	ctx2=BN_CTX_new();
+	if (ctx2 == NULL) goto err;
+	BN_CTX_start(ctx);
+	r0 = BN_CTX_get(ctx);
+	r1 = BN_CTX_get(ctx);
+	r2 = BN_CTX_get(ctx);
+	r3 = BN_CTX_get(ctx);
+	if (r3 == NULL) goto err;
+
+	bitsp=(bits+1)/2;
+	bitsq=bits-bitsp;
+	rsa=RSA_new();
+	if (rsa == NULL) goto err;
+
+	/* set e */ 
+	rsa->e=BN_new();
+	if (rsa->e == NULL) goto err;
+
+#if 1
+	/* The problem is when building with 8, 16, or 32 BN_ULONG,
+	 * unsigned long can be larger */
+	for (i=0; i<sizeof(unsigned long)*8; i++)
+		{
+		if (e_value & (1<<i))
+			BN_set_bit(rsa->e,i);
+		}
+#else
+	if (!BN_set_word(rsa->e,e_value)) goto err;
+#endif
+
+	/* generate p and q */
+	for (;;)
+		{
+		rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
+		if (rsa->p == NULL) goto err;
+		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
+		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
+		if (BN_is_one(r1)) break;
+		if (callback != NULL) callback(2,n++,cb_arg);
+		BN_free(rsa->p);
+		}
+	if (callback != NULL) callback(3,0,cb_arg);
+	for (;;)
+		{
+		rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
+		if (rsa->q == NULL) goto err;
+		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
+		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
+		if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
+			break;
+		if (callback != NULL) callback(2,n++,cb_arg);
+		BN_free(rsa->q);
+		}
+	if (callback != NULL) callback(3,1,cb_arg);
+	if (BN_cmp(rsa->p,rsa->q) < 0)
+		{
+		tmp=rsa->p;
+		rsa->p=rsa->q;
+		rsa->q=tmp;
+		}
+
+	/* calculate n */
+	rsa->n=BN_new();
+	if (rsa->n == NULL) goto err;
+	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
+
+	/* calculate d */
+	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */
+	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */
+	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) */
+
+/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
+/*	for (;;)
+		{
+		if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
+		if (BN_is_one(r3)) break;
+
+		if (1)
+			{
+			if (!BN_add_word(rsa->e,2L)) goto err;
+			continue;
+			}
+		RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
+		goto err;
+		}
+*/
+	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);	/* d */
+	if (rsa->d == NULL) goto err;
+
+	/* calculate d mod (p-1) */
+	rsa->dmp1=BN_new();
+	if (rsa->dmp1 == NULL) goto err;
+	if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
+
+	/* calculate d mod (q-1) */
+	rsa->dmq1=BN_new();
+	if (rsa->dmq1 == NULL) goto err;
+	if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
+
+	/* calculate inverse of q mod p */
+	rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
+	if (rsa->iqmp == NULL) goto err;
+
+	ok=1;
+err:
+	if (ok == -1)
+		{
+		RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
+		ok=0;
+		}
+	BN_CTX_end(ctx);
+	BN_CTX_free(ctx);
+	BN_CTX_free(ctx2);
+	
+	if (!ok)
+		{
+		if (rsa != NULL) RSA_free(rsa);
+		return(NULL);
+		}
+	else
+		return(rsa);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_intlstubs.c b/crypto/openssl/crypto/rsa/rsa_intlstubs.c
new file mode 100644
index 0000000..e9a0316
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_intlstubs.c
@@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2000 Kris Kennaway <kris@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. SO THERE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef NO_RSA
+#ifdef PIC
+#include <openssl/rsa.h>
+
+int RSA_libversion()
+{
+	return RSALIB_OPENSSL;
+}
+
+#endif /* PIC */
+#endif /* NO_RSA */
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
new file mode 100644
index 0000000..c2a0b03
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -0,0 +1,330 @@
+/* crypto/rsa/rsa_lib.c */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
+
+static RSA_METHOD *default_RSA_meth=NULL;
+static int rsa_meth_num=0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
+
+RSA *RSA_new(void)
+	{
+	return(RSA_new_method(NULL));
+	}
+
+void RSA_set_default_method(RSA_METHOD *meth)
+	{
+	default_RSA_meth=meth;
+	}
+
+RSA_METHOD *RSA_get_default_method(void)
+{
+	return default_RSA_meth;
+}
+
+RSA_METHOD *RSA_get_method(RSA *rsa)
+{
+	return rsa->meth;
+}
+
+RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth)
+{
+	RSA_METHOD *mtmp;
+	mtmp = rsa->meth;
+	if (mtmp->finish) mtmp->finish(rsa);
+	rsa->meth = meth;
+	if (meth->init) meth->init(rsa);
+	return mtmp;
+}
+
+RSA *RSA_new_method(RSA_METHOD *meth)
+	{
+	RSA *ret;
+
+	if (default_RSA_meth == NULL)
+		{
+#ifdef RSA_NULL
+		default_RSA_meth=RSA_null_method();
+#else
+		default_RSA_meth=RSA_PKCS1();
+#endif
+		}
+	ret=(RSA *)Malloc(sizeof(RSA));
+	if (ret == NULL)
+		{
+		RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	if (meth == NULL)
+		ret->meth=default_RSA_meth;
+	else
+		ret->meth=meth;
+
+	ret->pad=0;
+	ret->version=0;
+	ret->n=NULL;
+	ret->e=NULL;
+	ret->d=NULL;
+	ret->p=NULL;
+	ret->q=NULL;
+	ret->dmp1=NULL;
+	ret->dmq1=NULL;
+	ret->iqmp=NULL;
+	ret->references=1;
+	ret->_method_mod_n=NULL;
+	ret->_method_mod_p=NULL;
+	ret->_method_mod_q=NULL;
+	ret->blinding=NULL;
+	ret->bignum_data=NULL;
+	ret->flags=ret->meth->flags;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	else
+		CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
+	return(ret);
+	}
+
+void RSA_free(RSA *r)
+	{
+	int i;
+
+	if (r == NULL) return;
+
+	i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA);
+#ifdef REF_PRINT
+	REF_PRINT("RSA",r);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"RSA_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
+
+	if (r->meth->finish != NULL)
+		r->meth->finish(r);
+
+	if (r->n != NULL) BN_clear_free(r->n);
+	if (r->e != NULL) BN_clear_free(r->e);
+	if (r->d != NULL) BN_clear_free(r->d);
+	if (r->p != NULL) BN_clear_free(r->p);
+	if (r->q != NULL) BN_clear_free(r->q);
+	if (r->dmp1 != NULL) BN_clear_free(r->dmp1);
+	if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
+	if (r->iqmp != NULL) BN_clear_free(r->iqmp);
+	if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
+	if (r->bignum_data != NULL) Free_locked(r->bignum_data);
+	Free(r);
+	}
+
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	rsa_meth_num++;
+	return(CRYPTO_get_ex_new_index(rsa_meth_num-1,
+		&rsa_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int RSA_set_ex_data(RSA *r, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+	}
+
+void *RSA_get_ex_data(RSA *r, int idx)
+	{
+	return(CRYPTO_get_ex_data(&r->ex_data,idx));
+	}
+
+int RSA_size(RSA *r)
+	{
+	return(BN_num_bytes(r->n));
+	}
+
+int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
+	}
+
+int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
+	}
+
+int RSA_private_decrypt(int flen, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
+	}
+
+int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
+	}
+
+int RSA_flags(RSA *r)
+	{
+	return((r == NULL)?0:r->meth->flags);
+	}
+
+void RSA_blinding_off(RSA *rsa)
+	{
+	if (rsa->blinding != NULL)
+		{
+		BN_BLINDING_free(rsa->blinding);
+		rsa->blinding=NULL;
+		}
+	rsa->flags&= ~RSA_FLAG_BLINDING;
+	}
+
+int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
+	{
+	BIGNUM *A,*Ai;
+	BN_CTX *ctx;
+	int ret=0;
+
+	if (p_ctx == NULL)
+		{
+		if ((ctx=BN_CTX_new()) == NULL) goto err;
+		}
+	else
+		ctx=p_ctx;
+
+	if (rsa->blinding != NULL)
+		BN_BLINDING_free(rsa->blinding);
+
+	BN_CTX_start(ctx);
+	A = BN_CTX_get(ctx);
+	if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err;
+	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+
+	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+	    goto err;
+	rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
+	rsa->flags|=RSA_FLAG_BLINDING;
+	BN_free(Ai);
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	if (ctx != p_ctx) BN_CTX_free(ctx);
+	return(ret);
+	}
+
+int RSA_memory_lock(RSA *r)
+	{
+	int i,j,k,off;
+	char *p;
+	BIGNUM *bn,**t[6],*b;
+	BN_ULONG *ul;
+
+	if (r->d == NULL) return(1);
+	t[0]= &r->d;
+	t[1]= &r->p;
+	t[2]= &r->q;
+	t[3]= &r->dmp1;
+	t[4]= &r->dmq1;
+	t[5]= &r->iqmp;
+	k=sizeof(BIGNUM)*6;
+	off=k/sizeof(BN_ULONG)+1;
+	j=1;
+	for (i=0; i<6; i++)
+		j+= (*t[i])->top;
+	if ((p=Malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
+		{
+		RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	bn=(BIGNUM *)p;
+	ul=(BN_ULONG *)&(p[off]);
+	for (i=0; i<6; i++)
+		{
+		b= *(t[i]);
+		*(t[i])= &(bn[i]);
+		memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
+		bn[i].flags=BN_FLG_STATIC_DATA;
+		bn[i].d=ul;
+		memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
+		ul+=b->top;
+		BN_clear_free(b);
+		}
+	
+	/* I should fix this so it can still be done */
+	r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
+
+	r->bignum_data=p;
+	return(1);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_none.c b/crypto/openssl/crypto/rsa/rsa_none.c
new file mode 100644
index 0000000..f22fce5
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_none.c
@@ -0,0 +1,98 @@
+/* crypto/rsa/rsa_none.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+int RSA_padding_add_none(unsigned char *to, int tlen, unsigned char *from,
+	     int flen)
+	{
+	if (flen > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return(0);
+		}
+
+	if (flen < tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_NONE,RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
+		return(0);
+		}
+	
+	memcpy(to,from,(unsigned int)flen);
+	return(1);
+	}
+
+int RSA_padding_check_none(unsigned char *to, int tlen, unsigned char *from,
+	     int flen, int num)
+	{
+
+	if (flen > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_NONE,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
+
+	memset(to,0,tlen-flen);
+	memcpy(to+tlen-flen,from,flen);
+	return(tlen);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_null.c b/crypto/openssl/crypto/rsa/rsa_null.c
new file mode 100644
index 0000000..7b58a0e
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_null.c
@@ -0,0 +1,149 @@
+/* rsa_null.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+/* This is a dummy RSA implementation that just returns errors when called.
+ * It is designed to allow some RSA functions to work while stopping those
+ * covered by the RSA patent. That is RSA, encryption, decryption, signing
+ * and verify is not allowed but RSA key generation, key checking and other
+ * operations (like storing RSA keys) are permitted.
+ */
+
+static int RSA_null_public_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_private_encrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_public_decrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_private_decrypt(int flen, unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+#if 0 /* not currently used */
+static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
+#endif
+static int RSA_null_init(RSA *rsa);
+static int RSA_null_finish(RSA *rsa);
+static RSA_METHOD rsa_null_meth={
+	"Null RSA",
+	RSA_null_public_encrypt,
+	RSA_null_public_decrypt,
+	RSA_null_private_encrypt,
+	RSA_null_private_decrypt,
+	NULL, NULL,
+	RSA_null_init,
+	RSA_null_finish,
+	0,
+	NULL,
+	};
+
+RSA_METHOD *RSA_null_method(void)
+	{
+	return(&rsa_null_meth);
+	}
+
+static int RSA_null_public_encrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	return -1;
+	}
+
+static int RSA_null_private_encrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	return -1;
+	}
+
+static int RSA_null_private_decrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	return -1;
+	}
+
+static int RSA_null_public_decrypt(int flen, unsigned char *from,
+	     unsigned char *to, RSA *rsa, int padding)
+	{
+	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	return -1;
+	}
+
+#if 0 /* not currently used */
+static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+	{
+	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	return -1;
+	}
+#endif
+
+static int RSA_null_init(RSA *rsa)
+	{
+	return(1);
+	}
+
+static int RSA_null_finish(RSA *rsa)
+	{
+	return(1);
+	}
+
+
diff --git a/crypto/openssl/crypto/rsa/rsa_oaep.c b/crypto/openssl/crypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000..1465c01
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_oaep.c
@@ -0,0 +1,163 @@
+/* crypto/rsa/rsa_oaep.c */
+/* Written by Ulf Moeller. This software is distributed on an "AS IS"
+   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
+
+/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+	     unsigned char *from, int flen, unsigned char *param, int plen)
+    {
+    int i, emlen = tlen - 1;
+    unsigned char *db, *seed;
+    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+
+    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+	{
+	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+	       RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+	return (0);
+	}
+
+    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+	{
+	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+	return (0);
+	}
+    
+    dbmask = Malloc(emlen - SHA_DIGEST_LENGTH);
+    if (dbmask == NULL)
+	{
+	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+	return (0);
+	}
+
+    to[0] = 0;
+    seed = to + 1;
+    db = to + SHA_DIGEST_LENGTH + 1;
+
+    SHA1(param, plen, db);
+    memset(db + SHA_DIGEST_LENGTH, 0,
+	   emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+    if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+    	return (0);
+#ifdef PKCS_TESTVECT
+    memcpy(seed,
+	   "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
+	   20);
+#endif
+
+    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+	db[i] ^= dbmask[i];
+
+    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+	seed[i] ^= seedmask[i];
+
+    Free(dbmask);
+    return (1);
+    }
+
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+	     unsigned char *from, int flen, int num, unsigned char *param,
+	     int plen)
+    {
+    int i, dblen, mlen = -1;
+    unsigned char *maskeddb;
+    int lzero;
+    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+
+    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+	{
+	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+	return (-1);
+	}
+
+    dblen = num - SHA_DIGEST_LENGTH;
+    db = Malloc(dblen);
+    if (db == NULL)
+	{
+	RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+	return (-1);
+	}
+
+    lzero = num - flen;
+    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+    
+    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+	seed[i] ^= from[i - lzero];
+  
+    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < dblen; i++)
+	db[i] ^= maskeddb[i];
+
+    SHA1(param, plen, phash);
+
+    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
+	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    else
+	{
+	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+	    if (db[i] != 0x00)
+		break;
+	if (db[i] != 0x01 || i++ >= dblen)
+	    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
+		   RSA_R_OAEP_DECODING_ERROR);
+	else
+	    {
+	    mlen = dblen - i;
+	    if (tlen < mlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+		mlen = -1;
+		}
+	    else
+		memcpy(to, db + i, mlen);
+	    }
+	}
+    Free(db);
+    return (mlen);
+    }
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
+    {
+    long i, outlen = 0;
+    unsigned char cnt[4];
+    SHA_CTX c;
+    unsigned char md[SHA_DIGEST_LENGTH];
+
+    for (i = 0; outlen < len; i++)
+	{
+	cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
+	  cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
+	SHA1_Init(&c);
+	SHA1_Update(&c, seed, seedlen);
+	SHA1_Update(&c, cnt, 4);
+	if (outlen + SHA_DIGEST_LENGTH <= len)
+	    {
+	    SHA1_Final(mask + outlen, &c);
+	    outlen += SHA_DIGEST_LENGTH;
+	    }
+	else
+	    {
+	    SHA1_Final(md, &c);
+	    memcpy(mask + outlen, md, len - outlen);
+	    outlen = len;
+	    }
+	}
+    return (0);
+    }
+#endif
diff --git a/crypto/openssl/crypto/rsa/rsa_oaep_test.c b/crypto/openssl/crypto/rsa/rsa_oaep_test.c
new file mode 100644
index 0000000..0d4e39d
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_oaep_test.c
@@ -0,0 +1,309 @@
+/* test vectors from p1ovect1.txt */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#ifdef NO_RSA
+int main(int argc, char *argv[])
+{
+    printf("No RSA support\n");
+    return(0);
+}
+#else
+#include <openssl/rsa.h>
+
+#define SetKey \
+  key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
+  key->e = BN_bin2bn(e, sizeof(e)-1, key->e); \
+  key->d = BN_bin2bn(d, sizeof(d)-1, key->d); \
+  key->p = BN_bin2bn(p, sizeof(p)-1, key->p); \
+  key->q = BN_bin2bn(q, sizeof(q)-1, key->q); \
+  key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); \
+  key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); \
+  key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); \
+  memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
+  return (sizeof(ctext_ex) - 1);
+
+static int key1(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
+"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
+"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
+"\xF5";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
+"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
+"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
+"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
+
+    static unsigned char p[] =
+"\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
+"\x0D";
+    
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x89";
+
+    static unsigned char dmp1[] =
+"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
+"\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
+
+    static unsigned char dmq1[] =
+"\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
+"\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
+"\x51";
+
+    static unsigned char iqmp[] =
+"\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
+"\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
+
+    static unsigned char ctext_ex[] =
+"\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
+"\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
+"\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
+"\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
+
+    SetKey;
+    }
+
+static int key2(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
+"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
+"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
+"\x34\x77\xCF";
+
+    static unsigned char e[] = "\x3";
+
+    static unsigned char d[] =
+"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
+"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
+"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
+"\xE5\xEB";
+
+    static unsigned char p[] =
+"\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
+"\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
+    
+    static unsigned char dmp1[] =
+"\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
+"\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
+
+    static unsigned char dmq1[] =
+"\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
+"\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
+
+    static unsigned char iqmp[] =
+"\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
+"\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
+
+    static unsigned char ctext_ex[] =
+"\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
+"\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
+"\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
+"\x62\x51";
+
+    SetKey;
+    }
+
+static int key3(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
+"\xCB";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+"\xC1";
+
+    static unsigned char p[] =
+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+"\x99";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+"\x03";
+
+    static unsigned char dmp1[] =
+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
+
+    static unsigned char dmq1[] =
+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
+    
+    static unsigned char iqmp[] =
+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+"\xF7";
+
+    static unsigned char ctext_ex[] =
+"\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
+"\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
+"\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
+"\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
+"\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
+"\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
+"\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
+"\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
+
+    SetKey;
+    }
+
+static int pad_unknown(void)
+{
+    unsigned long l;
+    while ((l = ERR_get_error()) != 0)
+      if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
+	return(1);
+    return(0);
+}
+
+int main() 
+    {
+    int err=0;
+    int v;
+    RSA *key;
+    unsigned char ptext[256];
+    unsigned char ctext[256];
+    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+    unsigned char ctext_ex[256];
+    int plen;
+    int clen = 0;
+    int num;
+
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+	
+    plen = sizeof(ptext_ex) - 1;
+
+    for (v = 0; v < 3; v++)
+	{
+	key = RSA_new();
+	switch (v) {
+    case 0:
+	clen = key1(key, ctext_ex);
+	break;
+    case 1:
+	clen = key2(key, ctext_ex);
+	break;
+    case 2:
+	clen = key3(key, ctext_ex);
+	break;
+	}
+
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_PADDING);
+	if (num != clen)
+	    {
+	    printf("PKCS#1 v1.5 encryption failed!\n");
+	    err=1;
+	    goto oaep;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("PKCS#1 v1.5 decryption failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("PKCS #1 v1.5 encryption/decryption ok\n");
+
+    oaep:
+	ERR_clear_error();
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_OAEP_PADDING);
+	if (num == -1 && pad_unknown())
+	    {
+	    printf("No OAEP support\n");
+	    goto next;
+	    }
+	if (num != clen)
+	    {
+	    printf("OAEP encryption failed!\n");
+	    err=1;
+	    goto next;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (encrypted data) failed!\n");
+	    err=1;
+	    }
+	else if (memcmp(ctext, ctext_ex, num) == 0)
+	    {
+	    printf("OAEP test vector %d passed!\n", v);
+	    goto next;
+	    }
+    
+	/* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
+	   Try decrypting ctext_ex */
+
+	num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (test vector data) failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("OAEP encryption/decryption ok\n");
+    next:
+	RSA_free(key);
+	}
+
+    ERR_remove_state(0);
+
+    CRYPTO_mem_leaks_fp(stdout);
+
+    return err;
+    }
+#endif
diff --git a/crypto/openssl/crypto/rsa/rsa_pk1.c b/crypto/openssl/crypto/rsa/rsa_pk1.c
new file mode 100644
index 0000000..48a32bc
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_pk1.c
@@ -0,0 +1,224 @@
+/* crypto/rsa/rsa_pk1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+	     unsigned char *from, int flen)
+	{
+	int j;
+	unsigned char *p;
+
+	if (flen > (tlen-11))
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return(0);
+		}
+	
+	p=(unsigned char *)to;
+
+	*(p++)=0;
+	*(p++)=1; /* Private Key BT (Block Type) */
+
+	/* pad out with 0xff data */
+	j=tlen-3-flen;
+	memset(p,0xff,j);
+	p+=j;
+	*(p++)='\0';
+	memcpy(p,from,(unsigned int)flen);
+	return(1);
+	}
+
+int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+	     unsigned char *from, int flen, int num)
+	{
+	int i,j;
+	unsigned char *p;
+
+	p=from;
+	if ((num != (flen+1)) || (*(p++) != 01))
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BLOCK_TYPE_IS_NOT_01);
+		return(-1);
+		}
+
+	/* scan over padding data */
+	j=flen-1; /* one for type. */
+	for (i=0; i<j; i++)
+		{
+		if (*p != 0xff) /* should decrypt to 0xff */
+			{
+			if (*p == 0)
+				{ p++; break; }
+			else	{
+				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_FIXED_HEADER_DECRYPT);
+				return(-1);
+				}
+			}
+		p++;
+		}
+
+	if (i == j)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_NULL_BEFORE_BLOCK_MISSING);
+		return(-1);
+		}
+
+	if (i < 8)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_BAD_PAD_BYTE_COUNT);
+		return(-1);
+		}
+	i++; /* Skip over the '\0' */
+	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
+	memcpy(to,p,(unsigned int)j);
+
+	return(j);
+	}
+
+int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+	     unsigned char *from, int flen)
+	{
+	int i,j;
+	unsigned char *p;
+	
+	if (flen > (tlen-11))
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return(0);
+		}
+	
+	p=(unsigned char *)to;
+
+	*(p++)=0;
+	*(p++)=2; /* Public Key BT (Block Type) */
+
+	/* pad out with non-zero random data */
+	j=tlen-3-flen;
+
+	if (RAND_bytes(p,j) <= 0)
+		return(0);
+	for (i=0; i<j; i++)
+		{
+		if (*p == '\0')
+			do	{
+				if (RAND_bytes(p,1) <= 0)
+					return(0);
+				} while (*p == '\0');
+		p++;
+		}
+
+	*(p++)='\0';
+
+	memcpy(p,from,(unsigned int)flen);
+	return(1);
+	}
+
+int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+	     unsigned char *from, int flen, int num)
+	{
+	int i,j;
+	unsigned char *p;
+
+	p=from;
+	if ((num != (flen+1)) || (*(p++) != 02))
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
+		return(-1);
+		}
+#ifdef PKCS1_CHECK
+	return(num-11);
+#endif
+
+	/* scan over padding data */
+	j=flen-1; /* one for type. */
+	for (i=0; i<j; i++)
+		if (*(p++) == 0) break;
+
+	if (i == j)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING);
+		return(-1);
+		}
+
+	if (i < 8)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT);
+		return(-1);
+		}
+	i++; /* Skip over the '\0' */
+	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
+	memcpy(to,p,(unsigned int)j);
+
+	return(j);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_saos.c b/crypto/openssl/crypto/rsa/rsa_saos.c
new file mode 100644
index 0000000..61efb0b
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_saos.c
@@ -0,0 +1,144 @@
+/* crypto/rsa/rsa_saos.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
+	     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
+	{
+	ASN1_OCTET_STRING sig;
+	int i,j,ret=1;
+	unsigned char *p,*s;
+
+	sig.type=V_ASN1_OCTET_STRING;
+	sig.length=m_len;
+	sig.data=m;
+
+	i=i2d_ASN1_OCTET_STRING(&sig,NULL);
+	j=RSA_size(rsa);
+	if ((i-RSA_PKCS1_PADDING) > j)
+		{
+		RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+		return(0);
+		}
+	s=(unsigned char *)Malloc((unsigned int)j+1);
+	if (s == NULL)
+		{
+		RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	p=s;
+	i2d_ASN1_OCTET_STRING(&sig,&p);
+	i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+	if (i <= 0)
+		ret=0;
+	else
+		*siglen=i;
+
+	memset(s,0,(unsigned int)j+1);
+	Free(s);
+	return(ret);
+	}
+
+int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m,
+	     unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+	     RSA *rsa)
+	{
+	int i,ret=0;
+	unsigned char *p,*s;
+	ASN1_OCTET_STRING *sig=NULL;
+
+	if (siglen != (unsigned int)RSA_size(rsa))
+		{
+		RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_WRONG_SIGNATURE_LENGTH);
+		return(0);
+		}
+
+	s=(unsigned char *)Malloc((unsigned int)siglen);
+	if (s == NULL)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+
+	if (i <= 0) goto err;
+
+	p=s;
+	sig=d2i_ASN1_OCTET_STRING(NULL,&p,(long)i);
+	if (sig == NULL) goto err;
+
+	if (	((unsigned int)sig->length != m_len) ||
+		(memcmp(m,sig->data,m_len) != 0))
+		{
+		RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,RSA_R_BAD_SIGNATURE);
+		}
+	else
+		ret=1;
+err:
+	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
+	memset(s,0,(unsigned int)siglen);
+	Free(s);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c
new file mode 100644
index 0000000..05bb7fb
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_sign.c
@@ -0,0 +1,221 @@
+/* crypto/rsa/rsa_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH	36
+
+int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+	     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
+	{
+	X509_SIG sig;
+	ASN1_TYPE parameter;
+	int i,j,ret=1;
+	unsigned char *p,*s = NULL;
+	X509_ALGOR algor;
+	ASN1_OCTET_STRING digest;
+	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	      return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
+	/* Special case: SSL signature, just check the length */
+	if(type == NID_md5_sha1) {
+		if(m_len != SSL_SIG_LENGTH) {
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
+			return(0);
+		}
+		i = SSL_SIG_LENGTH;
+		s = m;
+	} else {
+		sig.algor= &algor;
+		sig.algor->algorithm=OBJ_nid2obj(type);
+		if (sig.algor->algorithm == NULL)
+			{
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
+			return(0);
+			}
+		if (sig.algor->algorithm->length == 0)
+			{
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+			return(0);
+			}
+		parameter.type=V_ASN1_NULL;
+		parameter.value.ptr=NULL;
+		sig.algor->parameter= &parameter;
+
+		sig.digest= &digest;
+		sig.digest->data=m;
+		sig.digest->length=m_len;
+
+		i=i2d_X509_SIG(&sig,NULL);
+	}
+	j=RSA_size(rsa);
+	if ((i-RSA_PKCS1_PADDING) > j)
+		{
+		RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+		return(0);
+		}
+	if(type != NID_md5_sha1) {
+		s=(unsigned char *)Malloc((unsigned int)j+1);
+		if (s == NULL)
+			{
+			RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		p=s;
+		i2d_X509_SIG(&sig,&p);
+	}
+	i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+	if (i <= 0)
+		ret=0;
+	else
+		*siglen=i;
+
+	if(type != NID_md5_sha1) {
+		memset(s,0,(unsigned int)j+1);
+		Free(s);
+	}
+	return(ret);
+	}
+
+int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
+	     unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
+	{
+	int i,ret=0,sigtype;
+	unsigned char *p,*s;
+	X509_SIG *sig=NULL;
+
+	if (siglen != (unsigned int)RSA_size(rsa))
+		{
+		RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
+		return(0);
+		}
+
+	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	    return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
+
+	s=(unsigned char *)Malloc((unsigned int)siglen);
+	if (s == NULL)
+		{
+		RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
+			return(0);
+	}
+	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+
+	if (i <= 0) goto err;
+
+	/* Special case: SSL signature */
+	if(dtype == NID_md5_sha1) {
+		if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
+				RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+		else ret = 1;
+	} else {
+		p=s;
+		sig=d2i_X509_SIG(NULL,&p,(long)i);
+
+		if (sig == NULL) goto err;
+		sigtype=OBJ_obj2nid(sig->algor->algorithm);
+
+
+	#ifdef RSA_DEBUG
+		/* put a backward compatibility flag in EAY */
+		fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
+			OBJ_nid2ln(dtype));
+	#endif
+		if (sigtype != dtype)
+			{
+			if (((dtype == NID_md5) &&
+				(sigtype == NID_md5WithRSAEncryption)) ||
+				((dtype == NID_md2) &&
+				(sigtype == NID_md2WithRSAEncryption)))
+				{
+				/* ok, we will let it through */
+	#if !defined(NO_STDIO) && !defined(WIN16)
+				fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
+	#endif
+				}
+			else
+				{
+				RSAerr(RSA_F_RSA_VERIFY,
+						RSA_R_ALGORITHM_MISMATCH);
+				goto err;
+				}
+			}
+		if (	((unsigned int)sig->digest->length != m_len) ||
+			(memcmp(m,sig->digest->data,m_len) != 0))
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			}
+		else
+			ret=1;
+	}
+err:
+	if (sig != NULL) X509_SIG_free(sig);
+	memset(s,0,(unsigned int)siglen);
+	Free(s);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_ssl.c b/crypto/openssl/crypto/rsa/rsa_ssl.c
new file mode 100644
index 0000000..81a857c
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_ssl.c
@@ -0,0 +1,154 @@
+/* crypto/rsa/rsa_ssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+int RSA_padding_add_SSLv23(unsigned char *to, int tlen, unsigned char *from,
+	     int flen)
+	{
+	int i,j;
+	unsigned char *p;
+	
+	if (flen > (tlen-11))
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_SSLV23,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return(0);
+		}
+	
+	p=(unsigned char *)to;
+
+	*(p++)=0;
+	*(p++)=2; /* Public Key BT (Block Type) */
+
+	/* pad out with non-zero random data */
+	j=tlen-3-8-flen;
+
+	if (RAND_bytes(p,j) <= 0)
+		return(0);
+	for (i=0; i<j; i++)
+		{
+		if (*p == '\0')
+			do	{
+				if (RAND_bytes(p,1) <= 0)
+					return(0);
+				} while (*p == '\0');
+		p++;
+		}
+
+	memset(p,3,8);
+	p+=8;
+	*(p++)='\0';
+
+	memcpy(p,from,(unsigned int)flen);
+	return(1);
+	}
+
+int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from,
+	     int flen, int num)
+	{
+	int i,j,k;
+	unsigned char *p;
+
+	p=from;
+	if (flen < 10)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_SMALL);
+		return(-1);
+		}
+	if ((num != (flen+1)) || (*(p++) != 02))
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_BLOCK_TYPE_IS_NOT_02);
+		return(-1);
+		}
+
+	/* scan over padding data */
+	j=flen-1; /* one for type */
+	for (i=0; i<j; i++)
+		if (*(p++) == 0) break;
+
+	if ((i == j) || (i < 8))
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
+		return(-1);
+		}
+	for (k= -8; k<0; k++)
+		{
+		if (p[k] !=  0x03) break;
+		}
+	if (k == 0)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
+		return(-1);
+		}
+
+	i++; /* Skip over the '\0' */
+	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
+	memcpy(to,p,(unsigned int)j);
+
+	return(j);
+	}
+
diff --git a/crypto/openssl/crypto/rsa/rsa_stubs.c b/crypto/openssl/crypto/rsa/rsa_stubs.c
new file mode 100644
index 0000000..406d00a
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_stubs.c
@@ -0,0 +1,115 @@
+/*-
+ * Copyright (c) 2000 Peter Wemm <peter@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. SO THERE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef NO_RSA
+
+#include <stdio.h>
+#include <syslog.h>
+#include <unistd.h>
+#include "cryptlib.h"
+#include <openssl/rsa.h>
+
+#define VERBOSE_STUBS	/* undef if you don't want missing rsaref reported */
+
+#ifdef PIC
+#include <dlfcn.h>
+
+#define RSAUSA_SHLIB	"librsaUSA.so"
+#define RSAINTL_SHLIB	"librsaINTL.so"
+
+static void *
+getsym(const char *sym)
+{
+    static void *rsalib;
+    static int whined;
+    void *ret = NULL;
+
+    if (!rsalib)
+	rsalib = dlopen(RSAINTL_SHLIB, RTLD_LAZY);
+    if (!rsalib)
+	rsalib = dlopen(RSAUSA_SHLIB, RTLD_LAZY);
+    if (rsalib)
+	ret = dlsym(rsalib, sym);
+#ifdef VERBOSE_STUBS
+    if (!ret && !whined) {
+	if (isatty(STDERR_FILENO)) {
+	    fprintf(stderr, "** %s: Unable to find an RSA implementation shared library.\n", sym);
+	    fprintf(stderr, "** Install either the USA (%s) or International (%s)\n", RSAUSA_SHLIB, RSAINTL_SHLIB);
+	    fprintf(stderr, "** RSA library on your system and run this program again.\n");
+	    fprintf(stderr, "** See the OpenSSL chapter in the FreeBSD Handbook, located at\n");
+	    fprintf(stderr, "** http://www.freebsd.org/handbook/openssl.html, for more information.\n");
+	} else {
+	    syslog(LOG_ERR, "%s: Unable to find an RSA implementation shared \
+library. Install either the USA (%s) or International (%s) RSA library on \
+your system and run this program again. See the OpenSSL chapter in the \
+FreeBSD Handbook, located at http://www.freebsd.org/handbook/openssl.html, \
+for more information.", sym, RSAUSA_SHLIB, RSAINTL_SHLIB);
+	}
+	whined = 1;
+     }
+#endif
+     return ret;
+}
+
+RSA_METHOD *
+RSA_PKCS1_stub(void)
+{
+    static RSA_METHOD * (*sym)(void);
+
+    if (sym || (sym = getsym("RSA_PKCS1")))
+	return sym();
+    return NULL;
+}
+__weak_reference(RSA_PKCS1_stub, RSA_PKCS1);
+
+void
+ERR_load_RSA_strings_stub(void)
+{
+    static void (*sym)(void);
+
+    if (sym || (sym = getsym("ERR_load_RSA_strings")))
+	sym();
+}
+__weak_reference(ERR_load_RSA_strings_stub, ERR_load_RSA_strings);
+
+int
+RSA_libversion_stub(void)
+{
+    static void (*sym)(void);
+
+    if (sym || (sym = getsym("RSA_libversion")))
+	sym();
+}
+__weak_reference(RSA_libversion_stub, RSA_libversion);
+
+#else	/* !PIC */
+
+/* Sigh, just get your own libs, ld(1) doesn't deal with weaks here */
+
+#endif	/* !PIC */
+#endif	/* NO_RSA */
diff --git a/crypto/openssl/crypto/rsa/rsa_test.c b/crypto/openssl/crypto/rsa/rsa_test.c
new file mode 100644
index 0000000..e5ae0c1
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_test.c
@@ -0,0 +1,314 @@
+/* test vectors from p1ovect1.txt */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#ifdef NO_RSA
+int main(int argc, char *argv[])
+{
+    printf("No RSA support\n");
+    return(0);
+}
+#else
+#include <openssl/rsa.h>
+
+#define SetKey \
+  key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
+  key->e = BN_bin2bn(e, sizeof(e)-1, key->e); \
+  key->d = BN_bin2bn(d, sizeof(d)-1, key->d); \
+  key->p = BN_bin2bn(p, sizeof(p)-1, key->p); \
+  key->q = BN_bin2bn(q, sizeof(q)-1, key->q); \
+  key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); \
+  key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); \
+  key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); \
+  memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
+  return (sizeof(ctext_ex) - 1);
+
+static int key1(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
+"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
+"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
+"\xF5";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
+"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
+"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
+"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
+
+    static unsigned char p[] =
+"\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
+"\x0D";
+    
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x89";
+
+    static unsigned char dmp1[] =
+"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
+"\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
+
+    static unsigned char dmq1[] =
+"\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
+"\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
+"\x51";
+
+    static unsigned char iqmp[] =
+"\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
+"\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
+
+    static unsigned char ctext_ex[] =
+"\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
+"\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
+"\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
+"\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
+
+    SetKey;
+    }
+
+static int key2(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
+"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
+"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
+"\x34\x77\xCF";
+
+    static unsigned char e[] = "\x3";
+
+    static unsigned char d[] =
+"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
+"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
+"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
+"\xE5\xEB";
+
+    static unsigned char p[] =
+"\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
+"\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
+    
+    static unsigned char dmp1[] =
+"\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
+"\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
+
+    static unsigned char dmq1[] =
+"\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
+"\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
+
+    static unsigned char iqmp[] =
+"\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
+"\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
+
+    static unsigned char ctext_ex[] =
+"\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
+"\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
+"\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
+"\x62\x51";
+
+    SetKey;
+    }
+
+static int key3(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
+"\xCB";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+"\xC1";
+
+    static unsigned char p[] =
+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+"\x99";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+"\x03";
+
+    static unsigned char dmp1[] =
+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
+
+    static unsigned char dmq1[] =
+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
+    
+    static unsigned char iqmp[] =
+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+"\xF7";
+
+    static unsigned char ctext_ex[] =
+"\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
+"\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
+"\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
+"\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
+"\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
+"\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
+"\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
+"\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
+
+    SetKey;
+    }
+
+static int pad_unknown(void)
+{
+    unsigned long l;
+    while ((l = ERR_get_error()) != 0)
+      if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
+	return(1);
+    return(0);
+}
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+    {
+    int err=0;
+    int v;
+    RSA *key;
+    unsigned char ptext[256];
+    unsigned char ctext[256];
+    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+    unsigned char ctext_ex[256];
+    int plen;
+    int clen = 0;
+    int num;
+
+    RAND_seed(rnd_seed, sizeof rnd_seed); /* or OAEP may fail */
+
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+	
+    plen = sizeof(ptext_ex) - 1;
+
+    for (v = 0; v < 3; v++)
+	{
+	key = RSA_new();
+	switch (v) {
+    case 0:
+	clen = key1(key, ctext_ex);
+	break;
+    case 1:
+	clen = key2(key, ctext_ex);
+	break;
+    case 2:
+	clen = key3(key, ctext_ex);
+	break;
+	}
+
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_PADDING);
+	if (num != clen)
+	    {
+	    printf("PKCS#1 v1.5 encryption failed!\n");
+	    err=1;
+	    goto oaep;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("PKCS#1 v1.5 decryption failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("PKCS #1 v1.5 encryption/decryption ok\n");
+
+    oaep:
+	ERR_clear_error();
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_OAEP_PADDING);
+	if (num == -1 && pad_unknown())
+	    {
+	    printf("No OAEP support\n");
+	    goto next;
+	    }
+	if (num != clen)
+	    {
+	    printf("OAEP encryption failed!\n");
+	    err=1;
+	    goto next;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (encrypted data) failed!\n");
+	    err=1;
+	    }
+	else if (memcmp(ctext, ctext_ex, num) == 0)
+	    {
+	    printf("OAEP test vector %d passed!\n", v);
+	    goto next;
+	    }
+    
+	/* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
+	   Try decrypting ctext_ex */
+
+	num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (test vector data) failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("OAEP encryption/decryption ok\n");
+    next:
+	RSA_free(key);
+	}
+
+    ERR_remove_state(0);
+
+    CRYPTO_mem_leaks_fp(stdout);
+
+    return err;
+    }
+#endif
diff --git a/crypto/openssl/crypto/sha/Makefile.save b/crypto/openssl/crypto/sha/Makefile.save
new file mode 100644
index 0000000..d30e724
--- /dev/null
+++ b/crypto/openssl/crypto/sha/Makefile.save
@@ -0,0 +1,111 @@
+#
+# SSLeay/crypto/sha/Makefile
+#
+
+DIR=    sha
+TOP=    ../..
+CC=     cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+SHA1_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=shatest.c sha1test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c
+LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o $(SHA1_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= sha.h
+HEADER= sha_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/sx86-elf.o: asm/sx86unix.cpp
+	$(CPP) -DELF -x c asm/sx86unix.cpp | as -o asm/sx86-elf.o
+
+# solaris
+asm/sx86-sol.o: asm/sx86unix.cpp
+	$(CC) -E -DSOL asm/sx86unix.cpp | sed 's/^#.*//' > asm/sx86-sol.s
+	as -o asm/sx86-sol.o asm/sx86-sol.s
+	rm -f asm/sx86-sol.s
+
+# a.out
+asm/sx86-out.o: asm/sx86unix.cpp
+	$(CPP) -DOUT asm/sx86unix.cpp | as -o asm/sx86-out.o
+
+# bsdi
+asm/sx86bsdi.o: asm/sx86unix.cpp
+	$(CPP) -DBSDI asm/sx86unix.cpp | sed 's/ :/:/' | as -o asm/sx86bsdi.o
+
+asm/sx86unix.cpp: asm/sha1-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha1-586.pl cpp $(PROCESSOR) >sx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/sx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+sha1_one.o: ../../include/openssl/sha.h
+sha1dgst.o: ../../include/openssl/opensslconf.h
+sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha1dgst.o: ../md32_common.h sha_locl.h
+sha_dgst.o: ../../include/openssl/opensslconf.h
+sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha_dgst.o: ../md32_common.h sha_locl.h
+sha_one.o: ../../include/openssl/sha.h
diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl
new file mode 100644
index 0000000..0e6e7b8
--- /dev/null
+++ b/crypto/openssl/crypto/sha/Makefile.ssl
@@ -0,0 +1,112 @@
+#
+# SSLeay/crypto/sha/Makefile
+#
+
+DIR=    sha
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+SHA1_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=shatest.c sha1test.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c
+LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o $(SHA1_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= sha.h
+HEADER= sha_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+# elf
+asm/sx86-elf.o: asm/sx86unix.cpp
+	$(CPP) -DELF -x c asm/sx86unix.cpp | as -o asm/sx86-elf.o
+
+# solaris
+asm/sx86-sol.o: asm/sx86unix.cpp
+	$(CC) -E -DSOL asm/sx86unix.cpp | sed 's/^#.*//' > asm/sx86-sol.s
+	as -o asm/sx86-sol.o asm/sx86-sol.s
+	rm -f asm/sx86-sol.s
+
+# a.out
+asm/sx86-out.o: asm/sx86unix.cpp
+	$(CPP) -DOUT asm/sx86unix.cpp | as -o asm/sx86-out.o
+
+# bsdi
+asm/sx86bsdi.o: asm/sx86unix.cpp
+	$(CPP) -DBSDI asm/sx86unix.cpp | sed 's/ :/:/' | as -o asm/sx86bsdi.o
+
+asm/sx86unix.cpp: asm/sha1-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha1-586.pl cpp $(PROCESSOR) >sx86unix.cpp)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f asm/sx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+sha1_one.o: ../../include/openssl/sha.h
+sha1dgst.o: ../../include/openssl/opensslconf.h
+sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha1dgst.o: ../md32_common.h sha_locl.h
+sha_dgst.o: ../../include/openssl/opensslconf.h
+sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha_dgst.o: ../md32_common.h sha_locl.h
+sha_one.o: ../../include/openssl/sha.h
diff --git a/crypto/openssl/crypto/sha/Makefile.uni b/crypto/openssl/crypto/sha/Makefile.uni
new file mode 100644
index 0000000..b7ec5ca
--- /dev/null
+++ b/crypto/openssl/crypto/sha/Makefile.uni
@@ -0,0 +1,122 @@
+# Targets
+# make          - twidle the options yourself :-)
+# make cc       - standard cc options
+# make gcc      - standard gcc options
+# make x86-elf  - linux-elf etc
+# make x86-out  - linux-a.out, FreeBSD etc
+# make x86-solaris
+# make x86-bdsi
+
+DIR=    sha
+TOP=    .
+CC=     gcc
+CFLAG=	-O3 -fomit-frame-pointer
+
+CPP=    $(CC) -E
+INCLUDES=
+INSTALLTOP=/usr/local/lib
+MAKE=           make
+MAKEDEPEND=     makedepend
+MAKEFILE=       Makefile.uni
+AR=             ar r
+
+SHA_ASM_OBJ=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+
+TEST1=shatest
+TEST2=sha1test
+APP1=sha
+APP2=sha1
+
+TEST=$(TEST1) $(TEST2)
+APPS=$(APP1) $(APP2)
+
+LIB=libsha.a
+LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c
+LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o $(SHA_ASM_OBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= sha.h
+HEADER= sha_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+all:    $(LIB) $(TEST) $(APPS)
+
+$(LIB): $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+
+# elf
+asm/sx86-elf.o: asm/sx86unix.cpp
+	$(CPP) -DELF asm/sx86unix.cpp | as -o asm/sx86-elf.o
+
+# solaris
+asm/sx86-sol.o: asm/sx86unix.cpp
+	$(CC) -E -DSOL asm/sx86unix.cpp | sed 's/^#.*//' > asm/sx86-sol.s
+	as -o asm/sx86-sol.o asm/sx86-sol.s
+	rm -f asm/sx86-sol.s
+
+# a.out
+asm/sx86-out.o: asm/sx86unix.cpp
+	$(CPP) -DOUT asm/sx86unix.cpp | as -o asm/sx86-out.o
+
+# bsdi
+asm/sx86bsdi.o: asm/sx86unix.cpp
+	$(CPP) -DBSDI asm/sx86unix.cpp | as -o asm/sx86bsdi.o
+
+asm/sx86unix.cpp:
+	(cd asm; perl sha1-586.pl cpp >sx86unix.cpp)
+
+test:	$(TEST)
+	./$(TEST1)
+	./$(TEST2)
+
+$(TEST1): $(TEST1).c $(LIB)
+	$(CC) -o $(TEST1) $(CFLAGS) $(TEST1).c $(LIB)
+
+$(TEST2): $(TEST2).c $(LIB)
+	$(CC) -o $(TEST2) $(CFLAGS) $(TEST2).c $(LIB)
+
+$(APP1): $(APP1).c $(LIB)
+	$(CC) -o $(APP1) $(CFLAGS) $(APP1).c $(LIB)
+
+$(APP2): $(APP2).c $(LIB)
+	$(CC) -o $(APP2) $(CFLAGS) $(APP2).c $(LIB)
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	/bin/rm -f $(LIB) $(TEST) $(APPS) *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+cc:
+	$(MAKE) SHA_ASM_OBJ="" CC="cc" CFLAG="-O" all
+
+gcc:
+	$(MAKE) SHA_ASM_OBJ="" CC="gcc" CFLAGS="-O3 -fomit-frame-pointer" all
+
+x86-elf:
+	$(MAKE) SHA_ASM_OBJ="asm/sx86-elf.o" CFLAG="-DELF -DSHA1_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-out:
+	$(MAKE) SHA_ASM_OBJ="asm/sx86-out.o" CFLAG="-DOUT -DSHA1_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-solaris:
+	$(MAKE) SHA_ASM_OBJ="asm/sx86-sol.o" CFLAG="-DSOL -DSHA1_ASM -DL_ENDIAN $(CFLAGS)" all
+
+x86-bdsi:
+	$(MAKE) SHA_ASM_OBJ="asm/sx86-bdsi.o" CFLAG="-DBDSI -DSHA1_ASM -DL_ENDIAN $(CFLAGS)" all
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/crypto/sha/asm/README b/crypto/openssl/crypto/sha/asm/README
new file mode 100644
index 0000000..b7e7557
--- /dev/null
+++ b/crypto/openssl/crypto/sha/asm/README
@@ -0,0 +1 @@
+C2.pl works
diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl
new file mode 100644
index 0000000..09df993
--- /dev/null
+++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl
@@ -0,0 +1,538 @@
+#!/usr/local/bin/perl
+
+$normal=0;
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
+
+$A="eax";
+$B="ecx";
+$C="ebx";
+$D="edx";
+$E="edi";
+$T="esi";
+$tmp1="ebp";
+
+$off=9*4;
+
+@K=(0x5a827999,0x6ed9eba1,0x8f1bbcdc,0xca62c1d6);
+
+&sha1_block_data("sha1_block_asm_data_order");
+
+&asm_finish();
+
+sub Nn
+	{
+	local($p)=@_;
+	local(%n)=($A,$T,$B,$A,$C,$B,$D,$C,$E,$D,$T,$E);
+	return($n{$p});
+	}
+
+sub Np
+	{
+	local($p)=@_;
+	local(%n)=($A,$T,$B,$A,$C,$B,$D,$C,$E,$D,$T,$E);
+	local(%n)=($A,$B,$B,$C,$C,$D,$D,$E,$E,$T,$T,$A);
+	return($n{$p});
+	}
+
+sub Na
+	{
+	local($n)=@_;
+	return( (($n   )&0x0f),
+		(($n+ 2)&0x0f),
+		(($n+ 8)&0x0f),
+		(($n+13)&0x0f),
+		(($n+ 1)&0x0f));
+	}
+
+sub X_expand
+	{
+	local($in)=@_;
+
+	&comment("First, load the words onto the stack in network byte order");
+	for ($i=0; $i<16; $i+=2)
+		{
+		&mov($A,&DWP(($i+0)*4,$in,"",0));# unless $i == 0;
+		 &mov($B,&DWP(($i+1)*4,$in,"",0));
+		&bswap($A);
+		 &bswap($B);
+		&mov(&swtmp($i+0),$A);
+		 &mov(&swtmp($i+1),$B);
+		}
+
+	&comment("We now have the X array on the stack");
+	&comment("starting at sp-4");
+	}
+
+# Rules of engagement
+# F is always trashable at the start, the running total.
+# E becomes the next F so it can be trashed after it has been 'accumulated'
+# F becomes A in the next round.  We don't need to access it much.
+# During the X update part, the result ends up in $X[$n0].
+
+sub BODY_00_15
+	{
+	local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
+
+return if $n & 1;
+	&comment("00_15 $n");
+
+	 &mov($f,$c);
+
+	&mov($tmp1,$a);
+	 &xor($f,$d);			# F2
+
+	&rotl($tmp1,5);			# A2
+
+	&and($f,$b);			# F3
+	 &add($tmp1,$e);
+
+	&rotr($b,1);			# B1	<- F
+	 &mov($e,&swtmp($n));		# G1
+
+	&rotr($b,1);			# B1	<- F
+	 &xor($f,$d);			# F4
+
+	&lea($tmp1,&DWP($K,$tmp1,$e,1));
+
+############################
+#	&BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
+#	&BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
+$n++;
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+	($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
+
+	 &mov($f,$c);
+
+	&add($a,$tmp1);		# MOVED DOWN
+	 &xor($f,$d);			# F2
+
+	&mov($tmp1,$a);
+	 &and($f,$b);			# F3
+
+	&rotl($tmp1,5);			# A2
+
+	&add($tmp1,$e);
+	 &mov($e,&swtmp($n));		# G1
+
+	&rotr($b,1);			# B1	<- F
+	 &xor($f,$d);			# F4
+
+	&rotr($b,1);			# B1	<- F
+	 &lea($tmp1,&DWP($K,$tmp1,$e,1));
+
+	&add($f,$tmp1);
+	}
+
+sub BODY_16_19
+	{
+	local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+
+return if $n & 1;
+	&comment("16_19 $n");
+
+ &nop() if ($pos < 0);
+&mov($tmp1,&swtmp($n0));			# X1
+ &mov($f,&swtmp($n1));			# X2
+&xor($f,$tmp1);				# X3
+ &mov($tmp1,&swtmp($n2));		# X4
+&xor($f,$tmp1);				# X5
+ &mov($tmp1,&swtmp($n3));		# X6
+&xor($f,$tmp1);				# X7 - slot
+ &mov($tmp1,$c);			# F1
+&rotl($f,1);				# X8 - slot
+ &xor($tmp1,$d);			# F2
+&mov(&swtmp($n0),$f);			# X9 - anytime
+ &and($tmp1,$b);			# F3
+&lea($f,&DWP($K,$f,$e,1));		# tot=X+K+e
+ &xor($tmp1,$d);				# F4
+&mov($e,$a);				# A1
+ &add($f,$tmp1);			# tot+=F();
+
+&rotl($e,5);				# A2
+
+&rotr($b,1);				# B1	<- F
+ &add($f,$e);				# tot+=a
+
+############################
+#	&BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
+#	&BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
+$n++;
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+	($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
+
+
+&mov($f,&swtmp($n0));			# X1
+ &mov($tmp1,&swtmp($n1));		# X2
+&xor($f,$tmp1);				# X3
+ &mov($tmp1,&swtmp($n2));		# X4
+&xor($f,$tmp1);				# X5
+ &mov($tmp1,&swtmp($n3));		# X6
+&rotr($c,1); #&rotr($b,1);		# B1	<- F # MOVED DOWN
+ &xor($f,$tmp1);				# X7 - slot
+&rotl($f,1);				# X8 - slot
+ &mov($tmp1,$c);			# F1
+&xor($tmp1,$d);			# F2
+ &mov(&swtmp($n0),$f);			# X9 - anytime
+&and($tmp1,$b);			# F3
+ &lea($f,&DWP($K,$f,$e,1));		# tot=X+K+e
+
+&xor($tmp1,$d);				# F4
+ &mov($e,$a);				# A1
+
+&rotl($e,5);				# A2
+
+&rotr($b,1);				# B1	<- F
+ &add($f,$e);				# tot+=a
+
+&rotr($b,1);				# B1	<- F
+ &add($f,$tmp1);			# tot+=F();
+
+	}
+
+sub BODY_20_39
+	{
+	local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
+
+	&comment("20_39 $n");
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+
+&mov($f,&swtmp($n0));			# X1
+ &mov($tmp1,&swtmp($n1));		# X2
+&xor($f,$tmp1);				# X3
+ &mov($tmp1,&swtmp($n2));		# X4
+&xor($f,$tmp1);				# X5
+ &mov($tmp1,&swtmp($n3));		# X6
+&xor($f,$tmp1);				# X7 - slot
+ &mov($tmp1,$b);			# F1
+&rotl($f,1);				# X8 - slot
+ &xor($tmp1,$c);			# F2
+&mov(&swtmp($n0),$f);			# X9 - anytime
+ &xor($tmp1,$d);			# F3
+
+&lea($f,&DWP($K,$f,$e,1));		# tot=X+K+e
+ &mov($e,$a);				# A1
+
+&rotl($e,5);				# A2
+
+if ($n != 79) # last loop	
+	{
+	&rotr($b,1);				# B1	<- F
+	 &add($e,$tmp1);			# tmp1=F()+a
+
+	&rotr($b,1);				# B2	<- F
+	 &add($f,$e);				# tot+=tmp1;
+	}
+else
+	{
+	&add($e,$tmp1);				# tmp1=F()+a
+	 &mov($tmp1,&wparam(0));
+
+	&rotr($b,1);				# B1	<- F
+	 &add($f,$e);				# tot+=tmp1;
+
+	&rotr($b,1);				# B2	<- F
+	}
+	}
+
+sub BODY_40_59
+	{
+	local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_;
+
+	&comment("40_59 $n");
+	return if $n & 1;
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+
+&mov($f,&swtmp($n0));			# X1
+ &mov($tmp1,&swtmp($n1));		# X2
+&xor($f,$tmp1);				# X3
+ &mov($tmp1,&swtmp($n2));		# X4
+&xor($f,$tmp1);				# X5
+ &mov($tmp1,&swtmp($n3));		# X6
+&xor($f,$tmp1);				# X7 - slot
+ &mov($tmp1,$b);			# F1
+&rotl($f,1);				# X8 - slot
+ &or($tmp1,$c);				# F2
+&mov(&swtmp($n0),$f);			# X9 - anytime
+ &and($tmp1,$d);			# F3
+
+&lea($f,&DWP($K,$f,$e,1));		# tot=X+K+e
+ &mov($e,$b);				# F4
+
+&rotr($b,1);				# B1	<- F
+ &and($e,$c);				# F5
+
+&or($tmp1,$e);				# F6
+ &mov($e,$a);				# A1
+
+&rotl($e,5);				# A2
+
+&add($tmp1,$e);			# tmp1=F()+a
+
+############################
+#	&BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
+#	&BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
+$n++;
+	local($n0,$n1,$n2,$n3,$np)=&Na($n);
+	($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f);
+
+ &mov($f,&swtmp($n0));			# X1
+&add($a,$tmp1);				# tot+=tmp1; # moved was add f,tmp1
+ &mov($tmp1,&swtmp($n1));		# X2
+&xor($f,$tmp1);				# X3
+ &mov($tmp1,&swtmp($n2));		# X4
+&xor($f,$tmp1);				# X5
+ &mov($tmp1,&swtmp($n3));		# X6
+&rotr($c,1);				# B2	<- F # moved was rotr b,1
+ &xor($f,$tmp1);			# X7 - slot
+&rotl($f,1);				# X8 - slot
+ &mov($tmp1,$b);			# F1
+&mov(&swtmp($n0),$f);			# X9 - anytime
+ &or($tmp1,$c);				# F2
+&lea($f,&DWP($K,$f,$e,1));		# tot=X+K+e
+ &mov($e,$b);				# F4
+&and($tmp1,$d);				# F3
+ &and($e,$c);				# F5
+
+&or($tmp1,$e);				# F6
+ &mov($e,$a);				# A1
+
+&rotl($e,5);				# A2
+
+&rotr($b,1);				# B1	<- F
+ &add($tmp1,$e);			# tmp1=F()+a
+
+&rotr($b,1);				# B2	<- F
+ &add($f,$tmp1);			# tot+=tmp1;
+	}
+
+sub BODY_60_79
+	{
+	&BODY_20_39(@_);
+	}
+
+sub sha1_block_host
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"");
+
+	# parameter 1 is the MD5_CTX structure.
+	# A	0
+	# B	4
+	# C	8
+	# D 	12
+	# E 	16
+
+	&mov("ecx",	&wparam(2));
+	 &push("esi");
+	&shl("ecx",6);
+	 &mov("esi",	&wparam(1));
+	&push("ebp");
+	 &add("ecx","esi");	# offset to leave on
+	&push("ebx");
+	 &mov("ebp",	&wparam(0));
+	&push("edi");
+	 &mov($D,	&DWP(12,"ebp","",0));
+	&stack_push(18+9);
+	 &mov($E,	&DWP(16,"ebp","",0));
+	&mov($C,	&DWP( 8,"ebp","",0));
+	 &mov(&swtmp(17),"ecx");
+
+	&comment("First we need to setup the X array");
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&mov($A,&DWP(($i+0)*4,"esi","",0));# unless $i == 0;
+		 &mov($B,&DWP(($i+1)*4,"esi","",0));
+		&mov(&swtmp($i+0),$A);
+		 &mov(&swtmp($i+1),$B);
+		}
+	&jmp(&label("shortcut"));
+	&function_end_B($name);
+	}
+
+
+sub sha1_block_data
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"");
+
+	# parameter 1 is the MD5_CTX structure.
+	# A	0
+	# B	4
+	# C	8
+	# D 	12
+	# E 	16
+
+	&mov("ecx",	&wparam(2));
+	 &push("esi");
+	&shl("ecx",6);
+	 &mov("esi",	&wparam(1));
+	&push("ebp");
+	 &add("ecx","esi");	# offset to leave on
+	&push("ebx");
+	 &mov("ebp",	&wparam(0));
+	&push("edi");
+	 &mov($D,	&DWP(12,"ebp","",0));
+	&stack_push(18+9);
+	 &mov($E,	&DWP(16,"ebp","",0));
+	&mov($C,	&DWP( 8,"ebp","",0));
+	 &mov(&swtmp(17),"ecx");
+
+	&comment("First we need to setup the X array");
+
+	&set_label("start") unless $normal;
+
+	&X_expand("esi");
+	 &mov(&wparam(1),"esi");
+
+	&set_label("shortcut", 0, 1);
+	&comment("");
+	&comment("Start processing");
+
+	# odd start
+	&mov($A,	&DWP( 0,"ebp","",0));
+	 &mov($B,	&DWP( 4,"ebp","",0));
+	$X="esp";
+	&BODY_00_15(-2,$K[0],$X, 0,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15( 0,$K[0],$X, 1,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15( 0,$K[0],$X, 2,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15( 0,$K[0],$X, 3,$D,$E,$T,$A,$B,$C);
+	&BODY_00_15( 0,$K[0],$X, 4,$C,$D,$E,$T,$A,$B);
+	&BODY_00_15( 0,$K[0],$X, 5,$B,$C,$D,$E,$T,$A);
+	&BODY_00_15( 0,$K[0],$X, 6,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15( 0,$K[0],$X, 7,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15( 0,$K[0],$X, 8,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15( 0,$K[0],$X, 9,$D,$E,$T,$A,$B,$C);
+	&BODY_00_15( 0,$K[0],$X,10,$C,$D,$E,$T,$A,$B);
+	&BODY_00_15( 0,$K[0],$X,11,$B,$C,$D,$E,$T,$A);
+	&BODY_00_15( 0,$K[0],$X,12,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15( 0,$K[0],$X,13,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15( 0,$K[0],$X,14,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15( 1,$K[0],$X,15,$D,$E,$T,$A,$B,$C);
+	&BODY_16_19(-1,$K[0],$X,16,$C,$D,$E,$T,$A,$B);
+	&BODY_16_19( 0,$K[0],$X,17,$B,$C,$D,$E,$T,$A);
+	&BODY_16_19( 0,$K[0],$X,18,$A,$B,$C,$D,$E,$T);
+	&BODY_16_19( 1,$K[0],$X,19,$T,$A,$B,$C,$D,$E);
+
+	&BODY_20_39(-1,$K[1],$X,20,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39( 0,$K[1],$X,21,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39( 0,$K[1],$X,22,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39( 0,$K[1],$X,23,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39( 0,$K[1],$X,24,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39( 0,$K[1],$X,25,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39( 0,$K[1],$X,26,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39( 0,$K[1],$X,27,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39( 0,$K[1],$X,28,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39( 0,$K[1],$X,29,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39( 0,$K[1],$X,30,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39( 0,$K[1],$X,31,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39( 0,$K[1],$X,32,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39( 0,$K[1],$X,33,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39( 0,$K[1],$X,34,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39( 0,$K[1],$X,35,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39( 0,$K[1],$X,36,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39( 0,$K[1],$X,37,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39( 0,$K[1],$X,38,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39( 1,$K[1],$X,39,$D,$E,$T,$A,$B,$C);
+
+	&BODY_40_59(-1,$K[2],$X,40,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59( 0,$K[2],$X,41,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59( 0,$K[2],$X,44,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59( 0,$K[2],$X,45,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59( 0,$K[2],$X,46,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59( 0,$K[2],$X,47,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59( 0,$K[2],$X,48,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59( 0,$K[2],$X,49,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59( 0,$K[2],$X,50,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59( 0,$K[2],$X,51,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59( 0,$K[2],$X,52,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59( 0,$K[2],$X,53,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59( 0,$K[2],$X,54,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59( 0,$K[2],$X,55,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59( 0,$K[2],$X,56,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59( 0,$K[2],$X,57,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59( 0,$K[2],$X,58,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59( 1,$K[2],$X,59,$B,$C,$D,$E,$T,$A);
+
+	&BODY_60_79(-1,$K[3],$X,60,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79( 0,$K[3],$X,61,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79( 0,$K[3],$X,62,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79( 0,$K[3],$X,63,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79( 0,$K[3],$X,64,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79( 0,$K[3],$X,65,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79( 0,$K[3],$X,66,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79( 0,$K[3],$X,67,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79( 0,$K[3],$X,68,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79( 0,$K[3],$X,69,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79( 0,$K[3],$X,70,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79( 0,$K[3],$X,71,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79( 0,$K[3],$X,72,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79( 0,$K[3],$X,73,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79( 0,$K[3],$X,74,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79( 0,$K[3],$X,75,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79( 0,$K[3],$X,76,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79( 0,$K[3],$X,77,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79( 0,$K[3],$X,78,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79( 2,$K[3],$X,79,$T,$A,$B,$C,$D,$E);
+
+	&comment("End processing");
+	&comment("");
+	# D is the tmp value
+
+	# E -> A
+	# T -> B
+	# A -> C
+	# B -> D
+	# C -> E
+	# D -> T
+
+	# The last 2 have been moved into the last loop
+	# &mov($tmp1,&wparam(0));
+
+	 &mov($D,	&DWP(12,$tmp1,"",0));
+	&add($D,$B);
+	 &mov($B,	&DWP( 4,$tmp1,"",0));
+	&add($B,$T);
+	 &mov($T,	$A);
+	&mov($A,	&DWP( 0,$tmp1,"",0));
+	 &mov(&DWP(12,$tmp1,"",0),$D);
+
+	&add($A,$E);
+	 &mov($E,	&DWP(16,$tmp1,"",0));
+	&add($E,$C);
+	 &mov($C,	&DWP( 8,$tmp1,"",0));
+	&add($C,$T);
+
+	 &mov(&DWP( 0,$tmp1,"",0),$A);
+	&mov("esi",&wparam(1));
+	 &mov(&DWP( 8,$tmp1,"",0),$C);
+ 	&add("esi",64);
+	 &mov("eax",&swtmp(17));
+	&mov(&DWP(16,$tmp1,"",0),$E);
+	 &cmp("esi","eax");
+	&mov(&DWP( 4,$tmp1,"",0),$B);
+	 &jl(&label("start"));
+
+	&stack_pop(18+9);
+	 &pop("edi");
+	&pop("ebx");
+	 &pop("ebp");
+	&pop("esi");
+	 &ret();
+
+	# it has to reside within sha1_block_asm_host_order body
+	# because it calls &jmp(&label("shortcut"));
+	&sha1_block_host("sha1_block_asm_host_order");
+
+	&function_end_B($name);
+	}
+
diff --git a/crypto/openssl/crypto/sha/sha.c b/crypto/openssl/crypto/sha/sha.c
new file mode 100644
index 0000000..4212655
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha.c
@@ -0,0 +1,124 @@
+/* crypto/sha/sha.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/sha.h>
+
+#define BUFSIZE	1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+int read(int, void *, unsigned int);
+int main(int argc, char **argv)
+	{
+	int i,err=0;
+	FILE *IN;
+
+	if (argc == 1)
+		{
+		do_fp(stdin);
+		}
+	else
+		{
+		for (i=1; i<argc; i++)
+			{
+			IN=fopen(argv[i],"r");
+			if (IN == NULL)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("SHA(%s)= ",argv[i]);
+			do_fp(IN);
+			fclose(IN);
+			}
+		}
+	exit(err);
+	}
+
+void do_fp(FILE *f)
+	{
+	SHA_CTX c;
+	unsigned char md[SHA_DIGEST_LENGTH];
+	int fd;
+	int i;
+	unsigned char buf[BUFSIZE];
+
+	fd=fileno(f);
+	SHA_Init(&c);
+	for (;;)
+		{
+		i=read(fd,buf,BUFSIZE);
+		if (i <= 0) break;
+		SHA_Update(&c,buf,(unsigned long)i);
+		}
+	SHA_Final(&(md[0]),&c);
+	pt(md);
+	}
+
+void pt(unsigned char *md)
+	{
+	int i;
+
+	for (i=0; i<SHA_DIGEST_LENGTH; i++)
+		printf("%02x",md[i]);
+	printf("\n");
+	}
+
diff --git a/crypto/openssl/crypto/sha/sha.h b/crypto/openssl/crypto/sha/sha.h
new file mode 100644
index 0000000..77f6d96
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha.h
@@ -0,0 +1,119 @@
+/* crypto/sha/sha.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SHA_H
+#define HEADER_SHA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#if defined(NO_SHA) || (defined(NO_SHA0) && defined(NO_SHA1))
+#error SHA is disabled.
+#endif
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! SHA_LONG_LOG2 has to be defined along.                        !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define SHA_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define SHA_LONG unsigned long
+#define SHA_LONG_LOG2 3
+#else
+#define SHA_LONG unsigned int
+#endif
+
+#define SHA_LBLOCK	16
+#define SHA_CBLOCK	(SHA_LBLOCK*4)	/* SHA treats input data as a
+					 * contiguous array of 32 bit
+					 * wide big-endian values. */
+#define SHA_LAST_BLOCK  (SHA_CBLOCK-8)
+#define SHA_DIGEST_LENGTH 20
+
+typedef struct SHAstate_st
+	{
+	SHA_LONG h0,h1,h2,h3,h4;
+	SHA_LONG Nl,Nh;
+	SHA_LONG data[SHA_LBLOCK];
+	int num;
+	} SHA_CTX;
+
+#ifndef NO_SHA0
+void SHA_Init(SHA_CTX *c);
+void SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
+void SHA_Final(unsigned char *md, SHA_CTX *c);
+unsigned char *SHA(const unsigned char *d, unsigned long n,unsigned char *md);
+void SHA_Transform(SHA_CTX *c, const unsigned char *data);
+#endif
+#ifndef NO_SHA1
+void SHA1_Init(SHA_CTX *c);
+void SHA1_Update(SHA_CTX *c, const void *data, unsigned long len);
+void SHA1_Final(unsigned char *md, SHA_CTX *c);
+unsigned char *SHA1(const unsigned char *d, unsigned long n,unsigned char *md);
+void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
+#endif
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/sha/sha1.c b/crypto/openssl/crypto/sha/sha1.c
new file mode 100644
index 0000000..d350c88
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha1.c
@@ -0,0 +1,127 @@
+/* crypto/sha/sha1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/sha.h>
+
+#define BUFSIZE	1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+#ifndef _OSD_POSIX
+int read(int, void *, unsigned int);
+#endif
+
+int main(int argc, char **argv)
+	{
+	int i,err=0;
+	FILE *IN;
+
+	if (argc == 1)
+		{
+		do_fp(stdin);
+		}
+	else
+		{
+		for (i=1; i<argc; i++)
+			{
+			IN=fopen(argv[i],"r");
+			if (IN == NULL)
+				{
+				perror(argv[i]);
+				err++;
+				continue;
+				}
+			printf("SHA1(%s)= ",argv[i]);
+			do_fp(IN);
+			fclose(IN);
+			}
+		}
+	exit(err);
+	}
+
+void do_fp(FILE *f)
+	{
+	SHA_CTX c;
+	unsigned char md[SHA_DIGEST_LENGTH];
+	int fd;
+	int i;
+	unsigned char buf[BUFSIZE];
+
+	fd=fileno(f);
+	SHA1_Init(&c);
+	for (;;)
+		{
+		i=read(fd,buf,BUFSIZE);
+		if (i <= 0) break;
+		SHA1_Update(&c,buf,(unsigned long)i);
+		}
+	SHA1_Final(&(md[0]),&c);
+	pt(md);
+	}
+
+void pt(unsigned char *md)
+	{
+	int i;
+
+	for (i=0; i<SHA_DIGEST_LENGTH; i++)
+		printf("%02x",md[i]);
+	printf("\n");
+	}
+
diff --git a/crypto/openssl/crypto/sha/sha1_one.c b/crypto/openssl/crypto/sha/sha1_one.c
new file mode 100644
index 0000000..861752e
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha1_one.c
@@ -0,0 +1,76 @@
+/* crypto/sha/sha1_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/sha.h>
+
+#ifndef NO_SHA1
+unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
+	{
+	SHA_CTX c;
+	static unsigned char m[SHA_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA1_Init(&c);
+	SHA1_Update(&c,d,n);
+	SHA1_Final(md,&c);
+	memset(&c,0,sizeof(c));
+	return(md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/sha/sha1dgst.c b/crypto/openssl/crypto/sha/sha1dgst.c
new file mode 100644
index 0000000..c09edb4
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha1dgst.c
@@ -0,0 +1,73 @@
+/* crypto/sha/sha1dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#if !defined(NO_SHA1) && !defined(NO_SHA)
+
+#undef  SHA_0
+#define SHA_1
+
+#include <openssl/opensslv.h>
+
+const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
+
+/* The implementation is in ../md32_common.h */
+
+#include "sha_locl.h"
+
+#endif
+
diff --git a/crypto/openssl/crypto/sha/sha1s.cpp b/crypto/openssl/crypto/sha/sha1s.cpp
new file mode 100644
index 0000000..af23d1e
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha1s.cpp
@@ -0,0 +1,82 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/sha.h>
+
+#define sha1_block_x86 sha1_block_asm_data_order
+extern "C" {
+void sha1_block_x86(SHA_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[64*256];
+	SHA_CTX ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=0,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=16;
+	if (num > 250) num=16;
+	numm=num+2;
+#if 0
+	num*=64;
+	numm*=64;
+#endif
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			sha1_block_x86(&ctx,buffer,numm);
+			GetTSC(s1);
+			sha1_block_x86(&ctx,buffer,numm);
+			GetTSC(e1);
+			GetTSC(s2);
+			sha1_block_x86(&ctx,buffer,num);
+			GetTSC(e2);
+			sha1_block_x86(&ctx,buffer,num);
+			}
+
+		printf("sha1 (%d bytes) %d %d (%.2f)\n",num*64,
+			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+		}
+	}
+
diff --git a/crypto/openssl/crypto/sha/sha1test.c b/crypto/openssl/crypto/sha/sha1test.c
new file mode 100644
index 0000000..688d06c
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha1test.c
@@ -0,0 +1,168 @@
+/* crypto/sha/sha1test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_SHA
+int main(int argc, char *argv[])
+{
+    printf("No SHA support\n");
+    return(0);
+}
+#else
+#include <openssl/sha.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+#undef SHA_0 /* FIPS 180 */
+#define  SHA_1 /* FIPS 180-1 */
+
+static char *test[]={
+	"abc",
+	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+	NULL,
+	};
+
+#ifdef SHA_0
+static char *ret[]={
+	"0164b8a914cd2a5e74c4f7ff082c4d97f1edf880",
+	"d2516ee1acfa5baf33dfc1c471e438449ef134c8",
+	};
+static char *bigret=
+	"3232affa48628a26653b5aaa44541fd90d690603";
+#endif
+#ifdef SHA_1
+static char *ret[]={
+	"a9993e364706816aba3e25717850c26c9cd0d89d",
+	"84983e441c3bd26ebaae4aa1f95129e5e54670f1",
+	};
+static char *bigret=
+	"34aa973cd4c4daa4f61eeb2bdbad27316534016f";
+#endif
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	unsigned char **P,**R;
+	static unsigned char buf[1000];
+	char *p,*r;
+	SHA_CTX c;
+	unsigned char md[SHA_DIGEST_LENGTH];
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(test[0], test[0], strlen(test[0]));
+	ebcdic2ascii(test[1], test[1], strlen(test[1]));
+#endif
+
+	P=(unsigned char **)test;
+	R=(unsigned char **)ret;
+	i=1;
+	while (*P != NULL)
+		{
+		p=pt(SHA1(*P,(unsigned long)strlen((char *)*P),NULL));
+		if (strcmp(p,(char *)*R) != 0)
+			{
+			printf("error calculating SHA1 on '%s'\n",*P);
+			printf("got %s instead of %s\n",p,*R);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		i++;
+		R++;
+		P++;
+		}
+
+	memset(buf,'a',1000);
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(buf, buf, 1000);
+#endif /*CHARSET_EBCDIC*/
+	SHA1_Init(&c);
+	for (i=0; i<1000; i++)
+		SHA1_Update(&c,buf,1000);
+	SHA1_Final(md,&c);
+	p=pt(md);
+
+	r=bigret;
+	if (strcmp(p,r) != 0)
+		{
+		printf("error calculating SHA1 on 'a' * 1000\n");
+		printf("got %s instead of %s\n",p,r);
+		err++;
+		}
+	else
+		printf("test 3 ok\n");
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<SHA_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/sha/sha_dgst.c b/crypto/openssl/crypto/sha/sha_dgst.c
new file mode 100644
index 0000000..894a962
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha_dgst.c
@@ -0,0 +1,73 @@
+/* crypto/sha/sha1dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#if !defined(NO_SHA0) && !defined(NO_SHA)
+
+#undef  SHA_1
+#define SHA_0
+
+#include <openssl/opensslv.h>
+
+const char *SHA_version="SHA" OPENSSL_VERSION_PTEXT;
+
+/* The implementation is in ../md32_common.h */
+
+#include "sha_locl.h"
+
+#endif
+
diff --git a/crypto/openssl/crypto/sha/sha_locl.h b/crypto/openssl/crypto/sha/sha_locl.h
new file mode 100644
index 0000000..2f8aef8
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha_locl.h
@@ -0,0 +1,471 @@
+/* crypto/sha/sha_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/opensslconf.h>
+#include <openssl/sha.h>
+
+#ifndef SHA_LONG_LOG2
+#define SHA_LONG_LOG2	2	/* default to 32 bits */
+#endif
+
+#define DATA_ORDER_IS_BIG_ENDIAN
+
+#define HASH_LONG               SHA_LONG
+#define HASH_LONG_LOG2          SHA_LONG_LOG2
+#define HASH_CTX                SHA_CTX
+#define HASH_CBLOCK             SHA_CBLOCK
+#define HASH_LBLOCK             SHA_LBLOCK
+#define HASH_MAKE_STRING(c,s)   do {	\
+	unsigned long ll;		\
+	ll=(c)->h0; HOST_l2c(ll,(s));	\
+	ll=(c)->h1; HOST_l2c(ll,(s));	\
+	ll=(c)->h2; HOST_l2c(ll,(s));	\
+	ll=(c)->h3; HOST_l2c(ll,(s));	\
+	ll=(c)->h4; HOST_l2c(ll,(s));	\
+	} while (0)
+
+#if defined(SHA_0)
+
+# define HASH_UPDATE             	SHA_Update
+# define HASH_TRANSFORM          	SHA_Transform
+# define HASH_FINAL              	SHA_Final
+# define HASH_INIT			SHA_Init
+# define HASH_BLOCK_HOST_ORDER   	sha_block_host_order
+# define HASH_BLOCK_DATA_ORDER   	sha_block_data_order
+# define Xupdate(a,ix,ia,ib,ic,id)	(ix=(a)=(ia^ib^ic^id))
+
+  void sha_block_host_order (SHA_CTX *c, const void *p,int num);
+  void sha_block_data_order (SHA_CTX *c, const void *p,int num);
+
+#elif defined(SHA_1)
+
+# define HASH_UPDATE             	SHA1_Update
+# define HASH_TRANSFORM          	SHA1_Transform
+# define HASH_FINAL              	SHA1_Final
+# define HASH_INIT			SHA1_Init
+# define HASH_BLOCK_HOST_ORDER   	sha1_block_host_order
+# define HASH_BLOCK_DATA_ORDER   	sha1_block_data_order
+# if defined(__MWERKS__) && defined(__MC68K__)
+   /* Metrowerks for Motorola fails otherwise:-( <appro@fy.chalmers.se> */
+#  define Xupdate(a,ix,ia,ib,ic,id)	do { (a)=(ia^ib^ic^id);		\
+					     ix=(a)=ROTATE((a),1);	\
+					} while (0)
+# else
+#  define Xupdate(a,ix,ia,ib,ic,id)	( (a)=(ia^ib^ic^id),	\
+					  ix=(a)=ROTATE((a),1)	\
+					)
+# endif
+
+# ifdef SHA1_ASM
+#  if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#   define sha1_block_host_order		sha1_block_asm_host_order
+#   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+#   define sha1_block_data_order		sha1_block_asm_data_order
+#   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
+#   define HASH_BLOCK_DATA_ORDER_ALIGNED	sha1_block_asm_data_order
+#  endif
+# endif
+  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
+  void sha1_block_data_order (SHA_CTX *c, const void *p,int num);
+
+#else
+# error "Either SHA_0 or SHA_1 must be defined."
+#endif
+
+#include "md32_common.h"
+
+#define INIT_DATA_h0 0x67452301UL
+#define INIT_DATA_h1 0xefcdab89UL
+#define INIT_DATA_h2 0x98badcfeUL
+#define INIT_DATA_h3 0x10325476UL
+#define INIT_DATA_h4 0xc3d2e1f0UL
+
+void HASH_INIT (SHA_CTX *c)
+	{
+	c->h0=INIT_DATA_h0;
+	c->h1=INIT_DATA_h1;
+	c->h2=INIT_DATA_h2;
+	c->h3=INIT_DATA_h3;
+	c->h4=INIT_DATA_h4;
+	c->Nl=0;
+	c->Nh=0;
+	c->num=0;
+	}
+
+#define K_00_19	0x5a827999UL
+#define K_20_39 0x6ed9eba1UL
+#define K_40_59 0x8f1bbcdcUL
+#define K_60_79 0xca62c1d6UL
+
+/* As  pointed out by Wei Dai <weidai@eskimo.com>, F() below can be
+ * simplified to the code in F_00_19.  Wei attributes these optimisations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ * #define F(x,y,z) (((x) & (y))  |  ((~(x)) & (z)))
+ * I've just become aware of another tweak to be made, again from Wei Dai,
+ * in F_40_59, (x&a)|(y&a) -> (x|y)&a
+ */
+#define	F_00_19(b,c,d)	((((c) ^ (d)) & (b)) ^ (d)) 
+#define	F_20_39(b,c,d)	((b) ^ (c) ^ (d))
+#define F_40_59(b,c,d)	(((b) & (c)) | (((b)|(c)) & (d))) 
+#define	F_60_79(b,c,d)	F_20_39(b,c,d)
+
+#define BODY_00_15(i,a,b,c,d,e,f,xi) \
+	(f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
+	Xupdate(f,xi,xa,xb,xc,xd); \
+	(f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
+	Xupdate(f,xi,xa,xb,xc,xd); \
+	(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
+	(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
+	(f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
+	(f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
+	(b)=ROTATE((b),30);
+
+#ifdef X
+#undef X
+#endif
+#ifndef MD32_XARRAY
+  /*
+   * Originally X was an array. As it's automatic it's natural
+   * to expect RISC compiler to accomodate at least part of it in
+   * the register bank, isn't it? Unfortunately not all compilers
+   * "find" this expectation reasonable:-( On order to make such
+   * compilers generate better code I replace X[] with a bunch of
+   * X0, X1, etc. See the function body below...
+   *					<appro@fy.chalmers.se>
+   */
+# define X(i)	XX##i
+#else
+  /*
+   * However! Some compilers (most notably HP C) get overwhelmed by
+   * that many local variables so that we have to have the way to
+   * fall down to the original behavior.
+   */
+# define X(i)	XX[i]
+#endif
+
+#ifndef DONT_IMPLEMENT_BLOCK_HOST_ORDER
+void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
+	{
+	const SHA_LONG *W=d;
+	register unsigned long A,B,C,D,E,T;
+#ifndef MD32_XARRAY
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+#else
+	SHA_LONG	XX[16];
+#endif
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+	BODY_00_15( 0,A,B,C,D,E,T,W[ 0]);
+	BODY_00_15( 1,T,A,B,C,D,E,W[ 1]);
+	BODY_00_15( 2,E,T,A,B,C,D,W[ 2]);
+	BODY_00_15( 3,D,E,T,A,B,C,W[ 3]);
+	BODY_00_15( 4,C,D,E,T,A,B,W[ 4]);
+	BODY_00_15( 5,B,C,D,E,T,A,W[ 5]);
+	BODY_00_15( 6,A,B,C,D,E,T,W[ 6]);
+	BODY_00_15( 7,T,A,B,C,D,E,W[ 7]);
+	BODY_00_15( 8,E,T,A,B,C,D,W[ 8]);
+	BODY_00_15( 9,D,E,T,A,B,C,W[ 9]);
+	BODY_00_15(10,C,D,E,T,A,B,W[10]);
+	BODY_00_15(11,B,C,D,E,T,A,W[11]);
+	BODY_00_15(12,A,B,C,D,E,T,W[12]);
+	BODY_00_15(13,T,A,B,C,D,E,W[13]);
+	BODY_00_15(14,E,T,A,B,C,D,W[14]);
+	BODY_00_15(15,D,E,T,A,B,C,W[15]);
+
+	BODY_16_19(16,C,D,E,T,A,B,X( 0),W[ 0],W[ 2],W[ 8],W[13]);
+	BODY_16_19(17,B,C,D,E,T,A,X( 1),W[ 1],W[ 3],W[ 9],W[14]);
+	BODY_16_19(18,A,B,C,D,E,T,X( 2),W[ 2],W[ 4],W[10],W[15]);
+	BODY_16_19(19,T,A,B,C,D,E,X( 3),W[ 3],W[ 5],W[11],X( 0));
+
+	BODY_20_31(20,E,T,A,B,C,D,X( 4),W[ 4],W[ 6],W[12],X( 1));
+	BODY_20_31(21,D,E,T,A,B,C,X( 5),W[ 5],W[ 7],W[13],X( 2));
+	BODY_20_31(22,C,D,E,T,A,B,X( 6),W[ 6],W[ 8],W[14],X( 3));
+	BODY_20_31(23,B,C,D,E,T,A,X( 7),W[ 7],W[ 9],W[15],X( 4));
+	BODY_20_31(24,A,B,C,D,E,T,X( 8),W[ 8],W[10],X( 0),X( 5));
+	BODY_20_31(25,T,A,B,C,D,E,X( 9),W[ 9],W[11],X( 1),X( 6));
+	BODY_20_31(26,E,T,A,B,C,D,X(10),W[10],W[12],X( 2),X( 7));
+	BODY_20_31(27,D,E,T,A,B,C,X(11),W[11],W[13],X( 3),X( 8));
+	BODY_20_31(28,C,D,E,T,A,B,X(12),W[12],W[14],X( 4),X( 9));
+	BODY_20_31(29,B,C,D,E,T,A,X(13),W[13],W[15],X( 5),X(10));
+	BODY_20_31(30,A,B,C,D,E,T,X(14),W[14],X( 0),X( 6),X(11));
+	BODY_20_31(31,T,A,B,C,D,E,X(15),W[15],X( 1),X( 7),X(12));
+
+	BODY_32_39(32,E,T,A,B,C,D,X( 0),X( 2),X( 8),X(13));
+	BODY_32_39(33,D,E,T,A,B,C,X( 1),X( 3),X( 9),X(14));
+	BODY_32_39(34,C,D,E,T,A,B,X( 2),X( 4),X(10),X(15));
+	BODY_32_39(35,B,C,D,E,T,A,X( 3),X( 5),X(11),X( 0));
+	BODY_32_39(36,A,B,C,D,E,T,X( 4),X( 6),X(12),X( 1));
+	BODY_32_39(37,T,A,B,C,D,E,X( 5),X( 7),X(13),X( 2));
+	BODY_32_39(38,E,T,A,B,C,D,X( 6),X( 8),X(14),X( 3));
+	BODY_32_39(39,D,E,T,A,B,C,X( 7),X( 9),X(15),X( 4));
+
+	BODY_40_59(40,C,D,E,T,A,B,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(41,B,C,D,E,T,A,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(42,A,B,C,D,E,T,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(43,T,A,B,C,D,E,X(11),X(13),X( 3),X( 8));
+	BODY_40_59(44,E,T,A,B,C,D,X(12),X(14),X( 4),X( 9));
+	BODY_40_59(45,D,E,T,A,B,C,X(13),X(15),X( 5),X(10));
+	BODY_40_59(46,C,D,E,T,A,B,X(14),X( 0),X( 6),X(11));
+	BODY_40_59(47,B,C,D,E,T,A,X(15),X( 1),X( 7),X(12));
+	BODY_40_59(48,A,B,C,D,E,T,X( 0),X( 2),X( 8),X(13));
+	BODY_40_59(49,T,A,B,C,D,E,X( 1),X( 3),X( 9),X(14));
+	BODY_40_59(50,E,T,A,B,C,D,X( 2),X( 4),X(10),X(15));
+	BODY_40_59(51,D,E,T,A,B,C,X( 3),X( 5),X(11),X( 0));
+	BODY_40_59(52,C,D,E,T,A,B,X( 4),X( 6),X(12),X( 1));
+	BODY_40_59(53,B,C,D,E,T,A,X( 5),X( 7),X(13),X( 2));
+	BODY_40_59(54,A,B,C,D,E,T,X( 6),X( 8),X(14),X( 3));
+	BODY_40_59(55,T,A,B,C,D,E,X( 7),X( 9),X(15),X( 4));
+	BODY_40_59(56,E,T,A,B,C,D,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(57,D,E,T,A,B,C,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(58,C,D,E,T,A,B,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(59,B,C,D,E,T,A,X(11),X(13),X( 3),X( 8));
+
+	BODY_60_79(60,A,B,C,D,E,T,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(61,T,A,B,C,D,E,X(13),X(15),X( 5),X(10));
+	BODY_60_79(62,E,T,A,B,C,D,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(63,D,E,T,A,B,C,X(15),X( 1),X( 7),X(12));
+	BODY_60_79(64,C,D,E,T,A,B,X( 0),X( 2),X( 8),X(13));
+	BODY_60_79(65,B,C,D,E,T,A,X( 1),X( 3),X( 9),X(14));
+	BODY_60_79(66,A,B,C,D,E,T,X( 2),X( 4),X(10),X(15));
+	BODY_60_79(67,T,A,B,C,D,E,X( 3),X( 5),X(11),X( 0));
+	BODY_60_79(68,E,T,A,B,C,D,X( 4),X( 6),X(12),X( 1));
+	BODY_60_79(69,D,E,T,A,B,C,X( 5),X( 7),X(13),X( 2));
+	BODY_60_79(70,C,D,E,T,A,B,X( 6),X( 8),X(14),X( 3));
+	BODY_60_79(71,B,C,D,E,T,A,X( 7),X( 9),X(15),X( 4));
+	BODY_60_79(72,A,B,C,D,E,T,X( 8),X(10),X( 0),X( 5));
+	BODY_60_79(73,T,A,B,C,D,E,X( 9),X(11),X( 1),X( 6));
+	BODY_60_79(74,E,T,A,B,C,D,X(10),X(12),X( 2),X( 7));
+	BODY_60_79(75,D,E,T,A,B,C,X(11),X(13),X( 3),X( 8));
+	BODY_60_79(76,C,D,E,T,A,B,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(77,B,C,D,E,T,A,X(13),X(15),X( 5),X(10));
+	BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
+	
+	c->h0=(c->h0+E)&0xffffffffL; 
+	c->h1=(c->h1+T)&0xffffffffL;
+	c->h2=(c->h2+A)&0xffffffffL;
+	c->h3=(c->h3+B)&0xffffffffL;
+	c->h4=(c->h4+C)&0xffffffffL;
+
+	if (--num <= 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	W+=SHA_LBLOCK;
+		}
+	}
+#endif
+
+#ifndef DONT_IMPLEMENT_BLOCK_DATA_ORDER
+void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
+	{
+	const unsigned char *data=p;
+	register unsigned long A,B,C,D,E,T,l;
+#ifndef MD32_XARRAY
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+#else
+	SHA_LONG	XX[16];
+#endif
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+
+	HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
+	BODY_00_15( 0,A,B,C,D,E,T,X( 0));	HOST_c2l(data,l); X( 2)=l;
+	BODY_00_15( 1,T,A,B,C,D,E,X( 1));	HOST_c2l(data,l); X( 3)=l;
+	BODY_00_15( 2,E,T,A,B,C,D,X( 2));	HOST_c2l(data,l); X( 4)=l;
+	BODY_00_15( 3,D,E,T,A,B,C,X( 3));	HOST_c2l(data,l); X( 5)=l;
+	BODY_00_15( 4,C,D,E,T,A,B,X( 4));	HOST_c2l(data,l); X( 6)=l;
+	BODY_00_15( 5,B,C,D,E,T,A,X( 5));	HOST_c2l(data,l); X( 7)=l;
+	BODY_00_15( 6,A,B,C,D,E,T,X( 6));	HOST_c2l(data,l); X( 8)=l;
+	BODY_00_15( 7,T,A,B,C,D,E,X( 7));	HOST_c2l(data,l); X( 9)=l;
+	BODY_00_15( 8,E,T,A,B,C,D,X( 8));	HOST_c2l(data,l); X(10)=l;
+	BODY_00_15( 9,D,E,T,A,B,C,X( 9));	HOST_c2l(data,l); X(11)=l;
+	BODY_00_15(10,C,D,E,T,A,B,X(10));	HOST_c2l(data,l); X(12)=l;
+	BODY_00_15(11,B,C,D,E,T,A,X(11));	HOST_c2l(data,l); X(13)=l;
+	BODY_00_15(12,A,B,C,D,E,T,X(12));	HOST_c2l(data,l); X(14)=l;
+	BODY_00_15(13,T,A,B,C,D,E,X(13));	HOST_c2l(data,l); X(15)=l;
+	BODY_00_15(14,E,T,A,B,C,D,X(14));
+	BODY_00_15(15,D,E,T,A,B,C,X(15));
+
+	BODY_16_19(16,C,D,E,T,A,B,X( 0),X( 0),X( 2),X( 8),X(13));
+	BODY_16_19(17,B,C,D,E,T,A,X( 1),X( 1),X( 3),X( 9),X(14));
+	BODY_16_19(18,A,B,C,D,E,T,X( 2),X( 2),X( 4),X(10),X(15));
+	BODY_16_19(19,T,A,B,C,D,E,X( 3),X( 3),X( 5),X(11),X( 0));
+
+	BODY_20_31(20,E,T,A,B,C,D,X( 4),X( 4),X( 6),X(12),X( 1));
+	BODY_20_31(21,D,E,T,A,B,C,X( 5),X( 5),X( 7),X(13),X( 2));
+	BODY_20_31(22,C,D,E,T,A,B,X( 6),X( 6),X( 8),X(14),X( 3));
+	BODY_20_31(23,B,C,D,E,T,A,X( 7),X( 7),X( 9),X(15),X( 4));
+	BODY_20_31(24,A,B,C,D,E,T,X( 8),X( 8),X(10),X( 0),X( 5));
+	BODY_20_31(25,T,A,B,C,D,E,X( 9),X( 9),X(11),X( 1),X( 6));
+	BODY_20_31(26,E,T,A,B,C,D,X(10),X(10),X(12),X( 2),X( 7));
+	BODY_20_31(27,D,E,T,A,B,C,X(11),X(11),X(13),X( 3),X( 8));
+	BODY_20_31(28,C,D,E,T,A,B,X(12),X(12),X(14),X( 4),X( 9));
+	BODY_20_31(29,B,C,D,E,T,A,X(13),X(13),X(15),X( 5),X(10));
+	BODY_20_31(30,A,B,C,D,E,T,X(14),X(14),X( 0),X( 6),X(11));
+	BODY_20_31(31,T,A,B,C,D,E,X(15),X(15),X( 1),X( 7),X(12));
+
+	BODY_32_39(32,E,T,A,B,C,D,X( 0),X( 2),X( 8),X(13));
+	BODY_32_39(33,D,E,T,A,B,C,X( 1),X( 3),X( 9),X(14));
+	BODY_32_39(34,C,D,E,T,A,B,X( 2),X( 4),X(10),X(15));
+	BODY_32_39(35,B,C,D,E,T,A,X( 3),X( 5),X(11),X( 0));
+	BODY_32_39(36,A,B,C,D,E,T,X( 4),X( 6),X(12),X( 1));
+	BODY_32_39(37,T,A,B,C,D,E,X( 5),X( 7),X(13),X( 2));
+	BODY_32_39(38,E,T,A,B,C,D,X( 6),X( 8),X(14),X( 3));
+	BODY_32_39(39,D,E,T,A,B,C,X( 7),X( 9),X(15),X( 4));
+
+	BODY_40_59(40,C,D,E,T,A,B,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(41,B,C,D,E,T,A,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(42,A,B,C,D,E,T,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(43,T,A,B,C,D,E,X(11),X(13),X( 3),X( 8));
+	BODY_40_59(44,E,T,A,B,C,D,X(12),X(14),X( 4),X( 9));
+	BODY_40_59(45,D,E,T,A,B,C,X(13),X(15),X( 5),X(10));
+	BODY_40_59(46,C,D,E,T,A,B,X(14),X( 0),X( 6),X(11));
+	BODY_40_59(47,B,C,D,E,T,A,X(15),X( 1),X( 7),X(12));
+	BODY_40_59(48,A,B,C,D,E,T,X( 0),X( 2),X( 8),X(13));
+	BODY_40_59(49,T,A,B,C,D,E,X( 1),X( 3),X( 9),X(14));
+	BODY_40_59(50,E,T,A,B,C,D,X( 2),X( 4),X(10),X(15));
+	BODY_40_59(51,D,E,T,A,B,C,X( 3),X( 5),X(11),X( 0));
+	BODY_40_59(52,C,D,E,T,A,B,X( 4),X( 6),X(12),X( 1));
+	BODY_40_59(53,B,C,D,E,T,A,X( 5),X( 7),X(13),X( 2));
+	BODY_40_59(54,A,B,C,D,E,T,X( 6),X( 8),X(14),X( 3));
+	BODY_40_59(55,T,A,B,C,D,E,X( 7),X( 9),X(15),X( 4));
+	BODY_40_59(56,E,T,A,B,C,D,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(57,D,E,T,A,B,C,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(58,C,D,E,T,A,B,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(59,B,C,D,E,T,A,X(11),X(13),X( 3),X( 8));
+
+	BODY_60_79(60,A,B,C,D,E,T,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(61,T,A,B,C,D,E,X(13),X(15),X( 5),X(10));
+	BODY_60_79(62,E,T,A,B,C,D,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(63,D,E,T,A,B,C,X(15),X( 1),X( 7),X(12));
+	BODY_60_79(64,C,D,E,T,A,B,X( 0),X( 2),X( 8),X(13));
+	BODY_60_79(65,B,C,D,E,T,A,X( 1),X( 3),X( 9),X(14));
+	BODY_60_79(66,A,B,C,D,E,T,X( 2),X( 4),X(10),X(15));
+	BODY_60_79(67,T,A,B,C,D,E,X( 3),X( 5),X(11),X( 0));
+	BODY_60_79(68,E,T,A,B,C,D,X( 4),X( 6),X(12),X( 1));
+	BODY_60_79(69,D,E,T,A,B,C,X( 5),X( 7),X(13),X( 2));
+	BODY_60_79(70,C,D,E,T,A,B,X( 6),X( 8),X(14),X( 3));
+	BODY_60_79(71,B,C,D,E,T,A,X( 7),X( 9),X(15),X( 4));
+	BODY_60_79(72,A,B,C,D,E,T,X( 8),X(10),X( 0),X( 5));
+	BODY_60_79(73,T,A,B,C,D,E,X( 9),X(11),X( 1),X( 6));
+	BODY_60_79(74,E,T,A,B,C,D,X(10),X(12),X( 2),X( 7));
+	BODY_60_79(75,D,E,T,A,B,C,X(11),X(13),X( 3),X( 8));
+	BODY_60_79(76,C,D,E,T,A,B,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(77,B,C,D,E,T,A,X(13),X(15),X( 5),X(10));
+	BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
+	
+	c->h0=(c->h0+E)&0xffffffffL; 
+	c->h1=(c->h1+T)&0xffffffffL;
+	c->h2=(c->h2+A)&0xffffffffL;
+	c->h3=(c->h3+B)&0xffffffffL;
+	c->h4=(c->h4+C)&0xffffffffL;
+
+	if (--num <= 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+		}
+	}
+#endif
diff --git a/crypto/openssl/crypto/sha/sha_one.c b/crypto/openssl/crypto/sha/sha_one.c
new file mode 100644
index 0000000..2d955de
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha_one.c
@@ -0,0 +1,76 @@
+/* crypto/sha/sha_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/sha.h>
+
+#ifndef NO_SHA0
+unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
+	{
+	SHA_CTX c;
+	static unsigned char m[SHA_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA_Init(&c);
+	SHA_Update(&c,d,n);
+	SHA_Final(md,&c);
+	memset(&c,0,sizeof(c));
+	return(md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/sha/shatest.c b/crypto/openssl/crypto/sha/shatest.c
new file mode 100644
index 0000000..a5786bb
--- /dev/null
+++ b/crypto/openssl/crypto/sha/shatest.c
@@ -0,0 +1,168 @@
+/* crypto/sha/shatest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_SHA
+int main(int argc, char *argv[])
+{
+    printf("No SHA support\n");
+    return(0);
+}
+#else
+#include <openssl/sha.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+#define SHA_0 /* FIPS 180 */
+#undef  SHA_1 /* FIPS 180-1 */
+
+static char *test[]={
+	"abc",
+	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+	NULL,
+	};
+
+#ifdef SHA_0
+static char *ret[]={
+	"0164b8a914cd2a5e74c4f7ff082c4d97f1edf880",
+	"d2516ee1acfa5baf33dfc1c471e438449ef134c8",
+	};
+static char *bigret=
+	"3232affa48628a26653b5aaa44541fd90d690603";
+#endif
+#ifdef SHA_1
+static char *ret[]={
+	"a9993e364706816aba3e25717850c26c9cd0d89d",
+	"84983e441c3bd26ebaae4aa1f95129e5e54670f1",
+	};
+static char *bigret=
+	"34aa973cd4c4daa4f61eeb2bdbad27316534016f";
+#endif
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+	{
+	int i,err=0;
+	unsigned char **P,**R;
+	static unsigned char buf[1000];
+	char *p,*r;
+	SHA_CTX c;
+	unsigned char md[SHA_DIGEST_LENGTH];
+
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(test[0], test[0], strlen(test[0]));
+	ebcdic2ascii(test[1], test[1], strlen(test[1]));
+#endif
+
+	P=(unsigned char **)test;
+	R=(unsigned char **)ret;
+	i=1;
+	while (*P != NULL)
+		{
+		p=pt(SHA(*P,(unsigned long)strlen((char *)*P),NULL));
+		if (strcmp(p,(char *)*R) != 0)
+			{
+			printf("error calculating SHA on '%s'\n",*P);
+			printf("got %s instead of %s\n",p,*R);
+			err++;
+			}
+		else
+			printf("test %d ok\n",i);
+		i++;
+		R++;
+		P++;
+		}
+
+	memset(buf,'a',1000);
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(buf, buf, 1000);
+#endif /*CHARSET_EBCDIC*/
+	SHA_Init(&c);
+	for (i=0; i<1000; i++)
+		SHA_Update(&c,buf,1000);
+	SHA_Final(md,&c);
+	p=pt(md);
+
+	r=bigret;
+	if (strcmp(p,r) != 0)
+		{
+		printf("error calculating SHA on '%s'\n",p);
+		printf("got %s instead of %s\n",p,r);
+		err++;
+		}
+	else
+		printf("test 3 ok\n");
+	exit(err);
+	return(0);
+	}
+
+static char *pt(unsigned char *md)
+	{
+	int i;
+	static char buf[80];
+
+	for (i=0; i<SHA_DIGEST_LENGTH; i++)
+		sprintf(&(buf[i*2]),"%02x",md[i]);
+	return(buf);
+	}
+#endif
diff --git a/crypto/openssl/crypto/stack/Makefile.save b/crypto/openssl/crypto/stack/Makefile.save
new file mode 100644
index 0000000..6199659
--- /dev/null
+++ b/crypto/openssl/crypto/stack/Makefile.save
@@ -0,0 +1,86 @@
+#
+# SSLeay/crypto/stack/Makefile
+#
+
+DIR=	stack
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=stack.c
+LIBOBJ=stack.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= stack.h safestack.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+stack.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+stack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+stack.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+stack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+stack.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl
new file mode 100644
index 0000000..6199659
--- /dev/null
+++ b/crypto/openssl/crypto/stack/Makefile.ssl
@@ -0,0 +1,86 @@
+#
+# SSLeay/crypto/stack/Makefile
+#
+
+DIR=	stack
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=stack.c
+LIBOBJ=stack.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= stack.h safestack.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+stack.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+stack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+stack.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+stack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+stack.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/stack/safestack.h b/crypto/openssl/crypto/stack/safestack.h
new file mode 100644
index 0000000..3893498
--- /dev/null
+++ b/crypto/openssl/crypto/stack/safestack.h
@@ -0,0 +1,129 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SAFESTACK_H
+#define HEADER_SAFESTACK_H
+
+#include <openssl/stack.h>
+
+#define STACK_OF(type)	STACK_##type
+
+#define DECLARE_STACK_OF(type) \
+typedef struct stack_st_##type	\
+    { \
+    STACK stack; \
+    } STACK_OF(type); \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)); \
+STACK_OF(type) *sk_##type##_new_null(void); \
+void sk_##type##_free(STACK_OF(type) *sk); \
+int sk_##type##_num(const STACK_OF(type) *sk); \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n); \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v); \
+void sk_##type##_zero(STACK_OF(type) *sk); \
+int sk_##type##_push(STACK_OF(type) *sk,type *v); \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v); \
+int sk_##type##_find(STACK_OF(type) *sk,type *v); \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n); \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v); \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n); \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+			       int (*cmp)(type **,type **)))(type **,type **); \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk); \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)); \
+type *sk_##type##_shift(STACK_OF(type) *sk); \
+type *sk_##type##_pop(STACK_OF(type) *sk); \
+void sk_##type##_sort(STACK_OF(type) *sk);
+
+#define IMPLEMENT_STACK_OF(type) \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)) \
+    { return (STACK_OF(type) *)sk_new(cmp); } \
+STACK_OF(type) *sk_##type##_new_null() \
+    { return (STACK_OF(type) *)sk_new_null(); } \
+void sk_##type##_free(STACK_OF(type) *sk) \
+    { sk_free((STACK *)sk); } \
+int sk_##type##_num(const STACK_OF(type) *sk) \
+    { return M_sk_num((const STACK *)sk); } \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n) \
+    { return (type *)sk_value((STACK *)sk,n); } \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v) \
+    { return (type *)(sk_set((STACK *)sk,n,(char *)v)); } \
+void sk_##type##_zero(STACK_OF(type) *sk) \
+    { sk_zero((STACK *)sk); } \
+int sk_##type##_push(STACK_OF(type) *sk,type *v) \
+    { return sk_push((STACK *)sk,(char *)v); } \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v) \
+    { return sk_unshift((STACK *)sk,(char *)v); } \
+int sk_##type##_find(STACK_OF(type) *sk,type *v) \
+    { return sk_find((STACK *)sk,(char *)v); } \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n) \
+    { return (type *)sk_delete((STACK *)sk,n); } \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v) \
+    { sk_delete_ptr((STACK *)sk,(char *)v); } \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n) \
+    { return sk_insert((STACK *)sk,(char *)v,n); } \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+			       int (*cmp)(type **,type **)))(type **,type **) \
+    { return (int (*)(type **,type **))sk_set_cmp_func((STACK *)sk,cmp); } \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk) \
+    { return (STACK_OF(type) *)sk_dup((STACK *)sk); } \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)) \
+    { sk_pop_free((STACK *)sk,func); } \
+type *sk_##type##_shift(STACK_OF(type) *sk) \
+    { return (type *)sk_shift((STACK *)sk); } \
+type *sk_##type##_pop(STACK_OF(type) *sk) \
+    { return (type *)sk_pop((STACK *)sk); } \
+void sk_##type##_sort(STACK_OF(type) *sk) \
+    { sk_sort((STACK *)sk); }
+
+#endif /* ndef HEADER_SAFESTACK_H */
diff --git a/crypto/openssl/crypto/stack/stack.c b/crypto/openssl/crypto/stack/stack.c
new file mode 100644
index 0000000..58e9126
--- /dev/null
+++ b/crypto/openssl/crypto/stack/stack.c
@@ -0,0 +1,311 @@
+/* crypto/stack/stack.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Code for stacks
+ * Author - Eric Young v 1.0
+ * 1.2 eay 12-Mar-97 -	Modified sk_find so that it _DOES_ return the
+ *			lowest index for the searched item.
+ *
+ * 1.1 eay - Take from netdb and added to SSLeay
+ *
+ * 1.0 eay - First version 29/07/92
+ */
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/stack.h>
+
+#undef MIN_NODES
+#define MIN_NODES	4
+
+const char *STACK_version="Stack" OPENSSL_VERSION_PTEXT;
+
+#define	FP_ICC	(int (*)(const void *,const void *))
+#include <errno.h>
+
+int (*sk_set_cmp_func(STACK *sk, int (*c)()))(void)
+	{
+	int (*old)()=sk->comp;
+
+	if (sk->comp != c)
+		sk->sorted=0;
+	sk->comp=c;
+
+	return old;
+	}
+
+STACK *sk_dup(STACK *sk)
+	{
+	STACK *ret;
+	char **s;
+
+	if ((ret=sk_new(sk->comp)) == NULL) goto err;
+	s=(char **)Realloc((char *)ret->data,
+		(unsigned int)sizeof(char *)*sk->num_alloc);
+	if (s == NULL) goto err;
+	ret->data=s;
+
+	ret->num=sk->num;
+	memcpy(ret->data,sk->data,sizeof(char *)*sk->num);
+	ret->sorted=sk->sorted;
+	ret->num_alloc=sk->num_alloc;
+	ret->comp=sk->comp;
+	return(ret);
+err:
+	return(NULL);
+	}
+
+STACK *sk_new(int (*c)())
+	{
+	STACK *ret;
+	int i;
+
+	if ((ret=(STACK *)Malloc(sizeof(STACK))) == NULL)
+		goto err0;
+	if ((ret->data=(char **)Malloc(sizeof(char *)*MIN_NODES)) == NULL)
+		goto err1;
+	for (i=0; i<MIN_NODES; i++)
+		ret->data[i]=NULL;
+	ret->comp=c;
+	ret->num_alloc=MIN_NODES;
+	ret->num=0;
+	ret->sorted=0;
+	return(ret);
+err1:
+	Free(ret);
+err0:
+	return(NULL);
+	}
+
+int sk_insert(STACK *st, char *data, int loc)
+	{
+	char **s;
+
+	if(st == NULL) return 0;
+	if (st->num_alloc <= st->num+1)
+		{
+		s=(char **)Realloc((char *)st->data,
+			(unsigned int)sizeof(char *)*st->num_alloc*2);
+		if (s == NULL)
+			return(0);
+		st->data=s;
+		st->num_alloc*=2;
+		}
+	if ((loc >= (int)st->num) || (loc < 0))
+		st->data[st->num]=data;
+	else
+		{
+		int i;
+		char **f,**t;
+
+		f=(char **)st->data;
+		t=(char **)&(st->data[1]);
+		for (i=st->num; i>=loc; i--)
+			t[i]=f[i];
+			
+#ifdef undef /* no memmove on sunos :-( */
+		memmove( (char *)&(st->data[loc+1]),
+			(char *)&(st->data[loc]),
+			sizeof(char *)*(st->num-loc));
+#endif
+		st->data[loc]=data;
+		}
+	st->num++;
+	st->sorted=0;
+	return(st->num);
+	}
+
+char *sk_delete_ptr(STACK *st, char *p)
+	{
+	int i;
+
+	for (i=0; i<st->num; i++)
+		if (st->data[i] == p)
+			return(sk_delete(st,i));
+	return(NULL);
+	}
+
+char *sk_delete(STACK *st, int loc)
+	{
+	char *ret;
+	int i,j;
+
+	if ((st == NULL) || (st->num == 0) || (loc < 0)
+					 || (loc >= st->num)) return(NULL);
+
+	ret=st->data[loc];
+	if (loc != st->num-1)
+		{
+		j=st->num-1;
+		for (i=loc; i<j; i++)
+			st->data[i]=st->data[i+1];
+		/* In theory memcpy is not safe for this
+		 * memcpy( &(st->data[loc]),
+		 *	&(st->data[loc+1]),
+		 *	sizeof(char *)*(st->num-loc-1));
+		 */
+		}
+	st->num--;
+	return(ret);
+	}
+
+int sk_find(STACK *st, char *data)
+	{
+	char **r;
+	int i;
+	int (*comp_func)();
+	if(st == NULL) return -1;
+
+	if (st->comp == NULL)
+		{
+		for (i=0; i<st->num; i++)
+			if (st->data[i] == data)
+				return(i);
+		return(-1);
+		}
+	sk_sort(st);
+	if (data == NULL) return(-1);
+	comp_func=(int (*)())st->comp;
+	r=(char **)bsearch(&data,(char *)st->data,
+		st->num,sizeof(char *),FP_ICC comp_func);
+	if (r == NULL) return(-1);
+	i=(int)(r-st->data);
+	for ( ; i>0; i--)
+		if ((*st->comp)(&(st->data[i-1]),&data) < 0)
+			break;
+	return(i);
+	}
+
+int sk_push(STACK *st, char *data)
+	{
+	return(sk_insert(st,data,st->num));
+	}
+
+int sk_unshift(STACK *st, char *data)
+	{
+	return(sk_insert(st,data,0));
+	}
+
+char *sk_shift(STACK *st)
+	{
+	if (st == NULL) return(NULL);
+	if (st->num <= 0) return(NULL);
+	return(sk_delete(st,0));
+	}
+
+char *sk_pop(STACK *st)
+	{
+	if (st == NULL) return(NULL);
+	if (st->num <= 0) return(NULL);
+	return(sk_delete(st,st->num-1));
+	}
+
+void sk_zero(STACK *st)
+	{
+	if (st == NULL) return;
+	if (st->num <= 0) return;
+	memset((char *)st->data,0,sizeof(st->data)*st->num);
+	st->num=0;
+	}
+
+void sk_pop_free(STACK *st, void (*func)())
+	{
+	int i;
+
+	if (st == NULL) return;
+	for (i=0; i<st->num; i++)
+		if (st->data[i] != NULL)
+			func(st->data[i]);
+	sk_free(st);
+	}
+
+void sk_free(STACK *st)
+	{
+	if (st == NULL) return;
+	if (st->data != NULL) Free(st->data);
+	Free(st);
+	}
+
+int sk_num(STACK *st)
+{
+	if(st == NULL) return -1;
+	return st->num;
+}
+
+char *sk_value(STACK *st, int i)
+{
+	if(st == NULL) return NULL;
+	return st->data[i];
+}
+
+char *sk_set(STACK *st, int i, char *value)
+{
+	if(st == NULL) return NULL;
+	return (st->data[i] = value);
+}
+
+void sk_sort(STACK *st)
+    {
+    if (!st->sorted)
+	{
+	int (*comp_func)();
+
+	comp_func=(int (*)())st->comp;
+	qsort(st->data,st->num,sizeof(char *),FP_ICC comp_func);
+	st->sorted=1;
+	}
+    }
diff --git a/crypto/openssl/crypto/stack/stack.h b/crypto/openssl/crypto/stack/stack.h
new file mode 100644
index 0000000..a615d9b
--- /dev/null
+++ b/crypto/openssl/crypto/stack/stack.h
@@ -0,0 +1,107 @@
+/* crypto/stack/stack.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_STACK_H
+#define HEADER_STACK_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+typedef struct stack_st
+	{
+	int num;
+	char **data;
+	int sorted;
+
+	int num_alloc;
+	int (*comp)();
+	} STACK;
+
+
+#define sk_new_null()	sk_new(NULL)
+
+#define M_sk_num(sk)		((sk) ? (sk)->num:-1)
+#define M_sk_value(sk,n)	((sk) ? (sk)->data[n] : NULL)
+
+int sk_num(STACK *);
+char *sk_value(STACK *, int);
+
+char *sk_set(STACK *, int, char *);
+
+STACK *sk_new(int (*cmp)());
+void sk_free(STACK *);
+void sk_pop_free(STACK *st, void (*func)());
+int sk_insert(STACK *sk,char *data,int where);
+char *sk_delete(STACK *st,int loc);
+char *sk_delete_ptr(STACK *st, char *p);
+int sk_find(STACK *st,char *data);
+int sk_push(STACK *st,char *data);
+int sk_unshift(STACK *st,char *data);
+char *sk_shift(STACK *st);
+char *sk_pop(STACK *st);
+void sk_zero(STACK *st);
+int (*sk_set_cmp_func(STACK *sk, int (*c)()))();
+STACK *sk_dup(STACK *st);
+void sk_sort(STACK *st);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/threads/README b/crypto/openssl/crypto/threads/README
new file mode 100644
index 0000000..df6b26e
--- /dev/null
+++ b/crypto/openssl/crypto/threads/README
@@ -0,0 +1,14 @@
+Mutithreading testing area.
+
+Since this stuff is very very platorm specific, this is not part of the
+normal build.  Have a read of doc/threads.doc.
+
+mttest will do some testing and will currently build under Windows NT/95,
+Solaris and Linux.  The IRIX stuff is not finished.
+
+I have tested this program on a 12 CPU ultra sparc box (solaris 2.5.1)
+and things seem to work ok.
+
+The Linux pthreads package can be retrieved from 
+http://www.mit.edu:8001/people/proven/pthreads.html
+
diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c
new file mode 100644
index 0000000..24713a3
--- /dev/null
+++ b/crypto/openssl/crypto/threads/mttest.c
@@ -0,0 +1,1100 @@
+/* crypto/threads/mttest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#ifdef LINUX
+#include <typedefs.h>
+#endif
+#ifdef WIN32
+#include <windows.h>
+#endif
+#ifdef SOLARIS
+#include <synch.h>
+#include <thread.h>
+#endif
+#ifdef IRIX
+#include <ulocks.h>
+#include <sys/prctl.h>
+#endif
+#ifdef PTHREADS
+#include <pthread.h>
+#endif
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include "../../e_os.h"
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#ifdef NO_FP_API
+#define APPS_WIN16
+#include "../buffer/bss_file.c"
+#endif
+
+#define TEST_SERVER_CERT "../../apps/server.pem"
+#define TEST_CLIENT_CERT "../../apps/client.pem"
+
+#define MAX_THREAD_NUMBER	100
+
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs);
+void thread_setup(void);
+void thread_cleanup(void);
+void do_threads(SSL_CTX *s_ctx,SSL_CTX *c_ctx);
+
+void irix_locking_callback(int mode,int type,char *file,int line);
+void solaris_locking_callback(int mode,int type,char *file,int line);
+void win32_locking_callback(int mode,int type,char *file,int line);
+void pthreads_locking_callback(int mode,int type,char *file,int line);
+
+unsigned long irix_thread_id(void );
+unsigned long solaris_thread_id(void );
+unsigned long pthreads_thread_id(void );
+
+BIO *bio_err=NULL;
+BIO *bio_stdout=NULL;
+
+static char *cipher=NULL;
+int verbose=0;
+#ifdef FIONBIO
+static int s_nbio=0;
+#endif
+
+int thread_number=10;
+int number_of_loops=10;
+int reconnect=0;
+int cache_stats=0;
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int doit(char *ctx[4]);
+static void print_stats(FILE *fp, SSL_CTX *ctx)
+{
+	fprintf(fp,"%4ld items in the session cache\n",
+		SSL_CTX_sess_number(ctx));
+	fprintf(fp,"%4d client connects (SSL_connect())\n",
+		SSL_CTX_sess_connect(ctx));
+	fprintf(fp,"%4d client connects that finished\n",
+		SSL_CTX_sess_connect_good(ctx));
+	fprintf(fp,"%4d server connects (SSL_accept())\n",
+		SSL_CTX_sess_accept(ctx));
+	fprintf(fp,"%4d server connects that finished\n",
+		SSL_CTX_sess_accept_good(ctx));
+	fprintf(fp,"%4d session cache hits\n",SSL_CTX_sess_hits(ctx));
+	fprintf(fp,"%4d session cache misses\n",SSL_CTX_sess_misses(ctx));
+	fprintf(fp,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ctx));
+	}
+
+static void sv_usage(void)
+	{
+	fprintf(stderr,"usage: ssltest [args ...]\n");
+	fprintf(stderr,"\n");
+	fprintf(stderr," -server_auth  - check server certificate\n");
+	fprintf(stderr," -client_auth  - do client authentication\n");
+	fprintf(stderr," -v            - more output\n");
+	fprintf(stderr," -CApath arg   - PEM format directory of CA's\n");
+	fprintf(stderr," -CAfile arg   - PEM format file of CA's\n");
+	fprintf(stderr," -threads arg  - number of threads\n");
+	fprintf(stderr," -loops arg    - number of 'connections', per thread\n");
+	fprintf(stderr," -reconnect    - reuse session-id's\n");
+	fprintf(stderr," -stats        - server session-id cache stats\n");
+	fprintf(stderr," -cert arg     - server certificate/key\n");
+	fprintf(stderr," -ccert arg    - client certificate/key\n");
+	fprintf(stderr," -ssl3         - just SSLv3n\n");
+	}
+
+int main(int argc, char *argv[])
+	{
+	char *CApath=NULL,*CAfile=NULL;
+	int badop=0;
+	int ret=1;
+	int client_auth=0;
+	int server_auth=0;
+	SSL_CTX *s_ctx=NULL;
+	SSL_CTX *c_ctx=NULL;
+	char *scert=TEST_SERVER_CERT;
+	char *ccert=TEST_CLIENT_CERT;
+	SSL_METHOD *ssl_method=SSLv23_method();
+
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	if (bio_stdout == NULL)
+		bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
+	argc--;
+	argv++;
+
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-server_auth") == 0)
+			server_auth=1;
+		else if	(strcmp(*argv,"-client_auth") == 0)
+			client_auth=1;
+		else if	(strcmp(*argv,"-reconnect") == 0)
+			reconnect=1;
+		else if	(strcmp(*argv,"-stats") == 0)
+			cache_stats=1;
+		else if	(strcmp(*argv,"-ssl3") == 0)
+			ssl_method=SSLv3_method();
+		else if	(strcmp(*argv,"-ssl2") == 0)
+			ssl_method=SSLv2_method();
+		else if	(strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			}
+		else if	(strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			scert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-ccert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			ccert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-threads") == 0)
+			{
+			if (--argc < 1) goto bad;
+			thread_number= atoi(*(++argv));
+			if (thread_number == 0) thread_number=1;
+			if (thread_number > MAX_THREAD_NUMBER)
+				thread_number=MAX_THREAD_NUMBER;
+			}
+		else if	(strcmp(*argv,"-loops") == 0)
+			{
+			if (--argc < 1) goto bad;
+			number_of_loops= atoi(*(++argv));
+			if (number_of_loops == 0) number_of_loops=1;
+			}
+		else
+			{
+			fprintf(stderr,"unknown option %s\n",*argv);
+			badop=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+	if (badop)
+		{
+bad:
+		sv_usage();
+		goto end;
+		}
+
+	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
+
+	SSL_load_error_strings();
+	OpenSSL_add_ssl_algorithms();
+
+	c_ctx=SSL_CTX_new(ssl_method);
+	s_ctx=SSL_CTX_new(ssl_method);
+	if ((c_ctx == NULL) || (s_ctx == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	SSL_CTX_set_session_cache_mode(s_ctx,
+		SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
+	SSL_CTX_set_session_cache_mode(c_ctx,
+		SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
+
+	if (!SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		}
+	else if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (client_auth)
+		{
+		SSL_CTX_use_certificate_file(c_ctx,ccert,
+			SSL_FILETYPE_PEM);
+		SSL_CTX_use_RSAPrivateKey_file(c_ctx,ccert,
+			SSL_FILETYPE_PEM);
+		}
+
+	if (	(!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
+		(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(c_ctx)))
+		{
+		fprintf(stderr,"SSL_load_verify_locations\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (client_auth)
+		{
+		fprintf(stderr,"client authentication\n");
+		SSL_CTX_set_verify(s_ctx,
+			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+			verify_callback);
+		}
+	if (server_auth)
+		{
+		fprintf(stderr,"server authentication\n");
+		SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
+			verify_callback);
+		}
+
+	thread_setup();
+	do_threads(s_ctx,c_ctx);
+	thread_cleanup();
+end:
+	
+	if (c_ctx != NULL) 
+		{
+		fprintf(stderr,"Client SSL_CTX stats then free it\n");
+		print_stats(stderr,c_ctx);
+		SSL_CTX_free(c_ctx);
+		}
+	if (s_ctx != NULL)
+		{
+		fprintf(stderr,"Server SSL_CTX stats then free it\n");
+		print_stats(stderr,s_ctx);
+		if (cache_stats)
+			{
+			fprintf(stderr,"-----\n");
+			lh_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n");
+		/*	lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n"); */
+			lh_node_usage_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n");
+			}
+		SSL_CTX_free(s_ctx);
+		fprintf(stderr,"done free\n");
+		}
+	exit(ret);
+	return(0);
+	}
+
+#define W_READ	1
+#define W_WRITE	2
+#define C_DONE	1
+#define S_DONE	2
+
+int ndoit(SSL_CTX *ssl_ctx[2])
+	{
+	int i;
+	int ret;
+	char *ctx[4];
+
+	ctx[0]=(char *)ssl_ctx[0];
+	ctx[1]=(char *)ssl_ctx[1];
+
+	if (reconnect)
+		{
+		ctx[2]=(char *)SSL_new(ssl_ctx[0]);
+		ctx[3]=(char *)SSL_new(ssl_ctx[1]);
+		}
+	else
+		{
+		ctx[2]=NULL;
+		ctx[3]=NULL;
+		}
+
+	fprintf(stdout,"started thread %lu\n",CRYPTO_thread_id());
+	for (i=0; i<number_of_loops; i++)
+		{
+/*		fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n",
+			CRYPTO_thread_id(),i,
+			ssl_ctx[0]->references,
+			ssl_ctx[1]->references); */
+	/*	pthread_delay_np(&tm);*/
+
+		ret=doit(ctx);
+		if (ret != 0)
+			{
+			fprintf(stdout,"error[%d] %lu - %d\n",
+				i,CRYPTO_thread_id(),ret);
+			return(ret);
+			}
+		}
+	fprintf(stdout,"DONE %lu\n",CRYPTO_thread_id());
+	if (reconnect)
+		{
+		SSL_free((SSL *)ctx[2]);
+		SSL_free((SSL *)ctx[3]);
+		}
+	return(0);
+	}
+
+int doit(char *ctx[4])
+	{
+	SSL_CTX *s_ctx,*c_ctx;
+	static char cbuf[200],sbuf[200];
+	SSL *c_ssl=NULL;
+	SSL *s_ssl=NULL;
+	BIO *c_to_s=NULL;
+	BIO *s_to_c=NULL;
+	BIO *c_bio=NULL;
+	BIO *s_bio=NULL;
+	int c_r,c_w,s_r,s_w;
+	int c_want,s_want;
+	int i;
+	int done=0;
+	int c_write,s_write;
+	int do_server=0,do_client=0;
+
+	s_ctx=(SSL_CTX *)ctx[0];
+	c_ctx=(SSL_CTX *)ctx[1];
+
+	if (ctx[2] != NULL)
+		s_ssl=(SSL *)ctx[2];
+	else
+		s_ssl=SSL_new(s_ctx);
+
+	if (ctx[3] != NULL)
+		c_ssl=(SSL *)ctx[3];
+	else
+		c_ssl=SSL_new(c_ctx);
+
+	if ((s_ssl == NULL) || (c_ssl == NULL)) goto err;
+
+	c_to_s=BIO_new(BIO_s_mem());
+	s_to_c=BIO_new(BIO_s_mem());
+	if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
+
+	c_bio=BIO_new(BIO_f_ssl());
+	s_bio=BIO_new(BIO_f_ssl());
+	if ((c_bio == NULL) || (s_bio == NULL)) goto err;
+
+	SSL_set_connect_state(c_ssl);
+	SSL_set_bio(c_ssl,s_to_c,c_to_s);
+	BIO_set_ssl(c_bio,c_ssl,(ctx[2] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
+
+	SSL_set_accept_state(s_ssl);
+	SSL_set_bio(s_ssl,c_to_s,s_to_c);
+	BIO_set_ssl(s_bio,s_ssl,(ctx[3] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
+
+	c_r=0; s_r=1;
+	c_w=1; s_w=0;
+	c_want=W_WRITE;
+	s_want=0;
+	c_write=1,s_write=0;
+
+	/* We can always do writes */
+	for (;;)
+		{
+		do_server=0;
+		do_client=0;
+
+		i=(int)BIO_pending(s_bio);
+		if ((i && s_r) || s_w) do_server=1;
+
+		i=(int)BIO_pending(c_bio);
+		if ((i && c_r) || c_w) do_client=1;
+
+		if (do_server && verbose)
+			{
+			if (SSL_in_init(s_ssl))
+				printf("server waiting in SSL_accept - %s\n",
+					SSL_state_string_long(s_ssl));
+			else if (s_write)
+				printf("server:SSL_write()\n");
+			else 
+				printf("server:SSL_read()\n");
+			}
+
+		if (do_client && verbose)
+			{
+			if (SSL_in_init(c_ssl))
+				printf("client waiting in SSL_connect - %s\n",
+					SSL_state_string_long(c_ssl));
+			else if (c_write)
+				printf("client:SSL_write()\n");
+			else
+				printf("client:SSL_read()\n");
+			}
+
+		if (!do_client && !do_server)
+			{
+			fprintf(stdout,"ERROR IN STARTUP\n");
+			break;
+			}
+		if (do_client && !(done & C_DONE))
+			{
+			if (c_write)
+				{
+				i=BIO_write(c_bio,"hello from client\n",18);
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					/* ok */
+					c_write=0;
+					}
+				}
+			else
+				{
+				i=BIO_read(c_bio,cbuf,100);
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					done|=C_DONE;
+#ifdef undef
+					fprintf(stdout,"CLIENT:from server:");
+					fwrite(cbuf,1,i,stdout);
+					fflush(stdout);
+#endif
+					}
+				}
+			}
+
+		if (do_server && !(done & S_DONE))
+			{
+			if (!s_write)
+				{
+				i=BIO_read(s_bio,sbuf,100);
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					s_write=1;
+					s_w=1;
+#ifdef undef
+					fprintf(stdout,"SERVER:from client:");
+					fwrite(sbuf,1,i,stdout);
+					fflush(stdout);
+#endif
+					}
+				}
+			else
+				{
+				i=BIO_write(s_bio,"hello from server\n",18);
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					s_write=0;
+					s_r=1;
+					done|=S_DONE;
+					}
+				}
+			}
+
+		if ((done & S_DONE) && (done & C_DONE)) break;
+		}
+
+	SSL_set_shutdown(c_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+	SSL_set_shutdown(s_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+
+#ifdef undef
+	fprintf(stdout,"DONE\n");
+#endif
+err:
+	/* We have to set the BIO's to NULL otherwise they will be
+	 * free()ed twice.  Once when th s_ssl is SSL_free()ed and
+	 * again when c_ssl is SSL_free()ed.
+	 * This is a hack required because s_ssl and c_ssl are sharing the same
+	 * BIO structure and SSL_set_bio() and SSL_free() automatically
+	 * BIO_free non NULL entries.
+	 * You should not normally do this or be required to do this */
+
+	if (s_ssl != NULL)
+		{
+		s_ssl->rbio=NULL;
+		s_ssl->wbio=NULL;
+		}
+	if (c_ssl != NULL)
+		{
+		c_ssl->rbio=NULL;
+		c_ssl->wbio=NULL;
+		}
+
+	/* The SSL's are optionally freed in the following calls */
+	if (c_to_s != NULL) BIO_free(c_to_s);
+	if (s_to_c != NULL) BIO_free(s_to_c);
+
+	if (c_bio != NULL) BIO_free(c_bio);
+	if (s_bio != NULL) BIO_free(s_bio);
+	return(0);
+	}
+
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+	{
+	char *s, buf[256];
+
+	if (verbose)
+		{
+		s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+				    buf,256);
+		if (s != NULL)
+			{
+			if (ok)
+				fprintf(stderr,"depth=%d %s\n",
+					ctx->error_depth,buf);
+			else
+				fprintf(stderr,"depth=%d error=%d %s\n",
+					ctx->error_depth,ctx->error,buf);
+			}
+		}
+	return(ok);
+	}
+
+#define THREAD_STACK_SIZE (16*1024)
+
+#ifdef WIN32
+
+static HANDLE *lock_cs;
+
+void thread_setup(void)
+	{
+	int i;
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_cs[i]=CreateMutex(NULL,FALSE,NULL);
+		}
+
+	CRYPTO_set_locking_callback((void (*)(int,int,char *,int))win32_locking_callback);
+	/* id callback defined */
+	}
+
+void thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		CloseHandle(lock_cs[i]);
+	Free(lock_cs);
+	}
+
+void win32_locking_callback(int mode, int type, char *file, int line)
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		WaitForSingleObject(lock_cs[type],INFINITE);
+		}
+	else
+		{
+		ReleaseMutex(lock_cs[type]);
+		}
+	}
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+	{
+	double ret;
+	SSL_CTX *ssl_ctx[2];
+	DWORD thread_id[MAX_THREAD_NUMBER];
+	HANDLE thread_handle[MAX_THREAD_NUMBER];
+	int i;
+	SYSTEMTIME start,end;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	GetSystemTime(&start);
+	for (i=0; i<thread_number; i++)
+		{
+		thread_handle[i]=CreateThread(NULL,
+			THREAD_STACK_SIZE,
+			(LPTHREAD_START_ROUTINE)ndoit,
+			(void *)ssl_ctx,
+			0L,
+			&(thread_id[i]));
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i+=50)
+		{
+		int j;
+
+		j=(thread_number < (i+50))?(thread_number-i):50;
+
+		if (WaitForMultipleObjects(j,
+			(CONST HANDLE *)&(thread_handle[i]),TRUE,INFINITE)
+			== WAIT_FAILED)
+			{
+			fprintf(stderr,"WaitForMultipleObjects failed:%d\n",GetLastError());
+			exit(1);
+			}
+		}
+	GetSystemTime(&end);
+
+	if (start.wDayOfWeek > end.wDayOfWeek) end.wDayOfWeek+=7;
+	ret=(end.wDayOfWeek-start.wDayOfWeek)*24;
+
+	ret=(ret+end.wHour-start.wHour)*60;
+	ret=(ret+end.wMinute-start.wMinute)*60;
+	ret=(ret+end.wSecond-start.wSecond);
+	ret+=(end.wMilliseconds-start.wMilliseconds)/1000.0;
+
+	printf("win32 threads done - %.3f seconds\n",ret);
+	}
+
+#endif /* WIN32 */
+
+#ifdef SOLARIS
+
+static mutex_t *lock_cs;
+/*static rwlock_t *lock_cs; */
+static long *lock_count;
+
+void thread_setup(void)
+	{
+	int i;
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_count[i]=0;
+		/* rwlock_init(&(lock_cs[i]),USYNC_THREAD,NULL); */
+		mutex_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
+	CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+	}
+
+void thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+
+	fprintf(stderr,"cleanup\n");
+
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		/* rwlock_destroy(&(lock_cs[i])); */
+		mutex_destroy(&(lock_cs[i]));
+		fprintf(stderr,"%8ld:%s\n",lock_count[i],CRYPTO_get_lock_name(i));
+		}
+	Free(lock_cs);
+	Free(lock_count);
+
+	fprintf(stderr,"done cleanup\n");
+
+	}
+
+void solaris_locking_callback(int mode, int type, char *file, int line)
+	{
+#ifdef undef
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+
+	/*
+	if (CRYPTO_LOCK_SSL_CERT == type)
+	fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+		CRYPTO_thread_id(),
+		mode,file,line);
+	*/
+	if (mode & CRYPTO_LOCK)
+		{
+	/*	if (mode & CRYPTO_READ)
+			rw_rdlock(&(lock_cs[type]));
+		else
+			rw_wrlock(&(lock_cs[type])); */
+
+		mutex_lock(&(lock_cs[type]));
+		lock_count[type]++;
+		}
+	else
+		{
+/*		rw_unlock(&(lock_cs[type]));  */
+		mutex_unlock(&(lock_cs[type]));
+		}
+	}
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+	{
+	SSL_CTX *ssl_ctx[2];
+	thread_t thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	thr_setconcurrency(thread_number);
+	for (i=0; i<thread_number; i++)
+		{
+		thr_create(NULL, THREAD_STACK_SIZE,
+			(void *(*)())ndoit,
+			(void *)ssl_ctx,
+			0L,
+			&(thread_ctx[i]));
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		thr_join(thread_ctx[i],NULL,NULL);
+		}
+
+	printf("solaris threads done (%d,%d)\n",
+		s_ctx->references,c_ctx->references);
+	}
+
+unsigned long solaris_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)thr_self();
+	return(ret);
+	}
+#endif /* SOLARIS */
+
+#ifdef IRIX
+
+
+static usptr_t *arena;
+static usema_t **lock_cs;
+
+void thread_setup(void)
+	{
+	int i;
+	char filename[20];
+
+	strcpy(filename,"/tmp/mttest.XXXXXX");
+	mktemp(filename);
+
+	usconfig(CONF_STHREADIOOFF);
+	usconfig(CONF_STHREADMALLOCOFF);
+	usconfig(CONF_INITUSERS,100);
+	usconfig(CONF_LOCKTYPE,US_DEBUGPLUS);
+	arena=usinit(filename);
+	unlink(filename);
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_cs[i]=usnewsema(arena,1);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())irix_thread_id);
+	CRYPTO_set_locking_callback((void (*)())irix_locking_callback);
+	}
+
+void thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		char buf[10];
+
+		sprintf(buf,"%2d:",i);
+		usdumpsema(lock_cs[i],stdout,buf);
+		usfreesema(lock_cs[i],arena);
+		}
+	Free(lock_cs);
+	}
+
+void irix_locking_callback(int mode, int type, char *file, int line)
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		printf("lock %d\n",type);
+		uspsema(lock_cs[type]);
+		}
+	else
+		{
+		printf("unlock %d\n",type);
+		usvsema(lock_cs[type]);
+		}
+	}
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+	{
+	SSL_CTX *ssl_ctx[2];
+	int thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	for (i=0; i<thread_number; i++)
+		{
+		thread_ctx[i]=sproc((void (*)())ndoit,
+			PR_SADDR|PR_SFDS,(void *)ssl_ctx);
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		wait(NULL);
+		}
+
+	printf("irix threads done (%d,%d)\n",
+		s_ctx->references,c_ctx->references);
+	}
+
+unsigned long irix_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)getpid();
+	return(ret);
+	}
+#endif /* IRIX */
+
+#ifdef PTHREADS
+
+static pthread_mutex_t *lock_cs;
+static long *lock_count;
+
+void thread_setup(void)
+	{
+	int i;
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_count[i]=0;
+		pthread_mutex_init(&(lock_cs[i]),NULL);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+	CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+	}
+
+void thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	fprintf(stderr,"cleanup\n");
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		pthread_mutex_destroy(&(lock_cs[i]));
+		fprintf(stderr,"%8ld:%s\n",lock_count[i],
+			CRYPTO_get_lock_name(i));
+		}
+	Free(lock_cs);
+	Free(lock_count);
+
+	fprintf(stderr,"done cleanup\n");
+	}
+
+void pthreads_locking_callback(int mode, int type, char *file,
+	     int line)
+      {
+#ifdef undef
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+/*
+	if (CRYPTO_LOCK_SSL_CERT == type)
+		fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+		CRYPTO_thread_id(),
+		mode,file,line);
+*/
+	if (mode & CRYPTO_LOCK)
+		{
+		pthread_mutex_lock(&(lock_cs[type]));
+		lock_count[type]++;
+		}
+	else
+		{
+		pthread_mutex_unlock(&(lock_cs[type]));
+		}
+	}
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+	{
+	SSL_CTX *ssl_ctx[2];
+	pthread_t thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	/*
+	thr_setconcurrency(thread_number);
+	*/
+	for (i=0; i<thread_number; i++)
+		{
+		pthread_create(&(thread_ctx[i]), NULL,
+			(void *(*)())ndoit, (void *)ssl_ctx);
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		pthread_join(thread_ctx[i],NULL);
+		}
+
+	printf("pthreads threads done (%d,%d)\n",
+		s_ctx->references,c_ctx->references);
+	}
+
+unsigned long pthreads_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)pthread_self();
+	return(ret);
+	}
+
+#endif /* PTHREADS */
+
+
+
diff --git a/crypto/openssl/crypto/threads/profile.sh b/crypto/openssl/crypto/threads/profile.sh
new file mode 100644
index 0000000..6e3e342
--- /dev/null
+++ b/crypto/openssl/crypto/threads/profile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -p -DSOLARIS -I../../include -g mttest.c -o mttest -L/usr/lib/libc -ldl -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/crypto/threads/pthread.sh b/crypto/openssl/crypto/threads/pthread.sh
new file mode 100644
index 0000000..f1c4982
--- /dev/null
+++ b/crypto/openssl/crypto/threads/pthread.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# build using pthreads
+#
+# http://www.mit.edu:8001/people/proven/pthreads.html
+#
+/bin/rm -f mttest
+pgcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto 
+
diff --git a/crypto/openssl/crypto/threads/pthread2.sh b/crypto/openssl/crypto/threads/pthread2.sh
new file mode 100755
index 0000000..41264c6
--- /dev/null
+++ b/crypto/openssl/crypto/threads/pthread2.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# build using pthreads where it's already built into the system
+#
+/bin/rm -f mttest
+gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread
+
diff --git a/crypto/openssl/crypto/threads/purify.sh b/crypto/openssl/crypto/threads/purify.sh
new file mode 100644
index 0000000..6d44fe2
--- /dev/null
+++ b/crypto/openssl/crypto/threads/purify.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+purify cc -DSOLARIS -I../../include -g mttest.c -o mttest -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/crypto/threads/solaris.sh b/crypto/openssl/crypto/threads/solaris.sh
new file mode 100644
index 0000000..bc93094
--- /dev/null
+++ b/crypto/openssl/crypto/threads/solaris.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -DSOLARIS -I../../include -g mttest.c -o mttest -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/crypto/threads/th-lock.c b/crypto/openssl/crypto/threads/th-lock.c
new file mode 100644
index 0000000..3ee9780
--- /dev/null
+++ b/crypto/openssl/crypto/threads/th-lock.c
@@ -0,0 +1,387 @@
+/* crypto/threads/th-lock.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#ifdef LINUX
+#include <typedefs.h>
+#endif
+#ifdef WIN32
+#include <windows.h>
+#endif
+#ifdef SOLARIS
+#include <synch.h>
+#include <thread.h>
+#endif
+#ifdef IRIX
+#include <ulocks.h>
+#include <sys/prctl.h>
+#endif
+#ifdef PTHREADS
+#include <pthread.h>
+#endif
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/e_os.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+void CRYPTO_thread_setup(void);
+void CRYPTO_thread_cleanup(void);
+
+static void irix_locking_callback(int mode,int type,char *file,int line);
+static void solaris_locking_callback(int mode,int type,char *file,int line);
+static void win32_locking_callback(int mode,int type,char *file,int line);
+static void pthreads_locking_callback(int mode,int type,char *file,int line);
+
+static unsigned long irix_thread_id(void );
+static unsigned long solaris_thread_id(void );
+static unsigned long pthreads_thread_id(void );
+
+/* usage:
+ * CRYPTO_thread_setup();
+ * application code
+ * CRYPTO_thread_cleanup();
+ */
+
+#define THREAD_STACK_SIZE (16*1024)
+
+#ifdef WIN32
+
+static HANDLE *lock_cs;
+
+void CRYPTO_thread_setup(void)
+	{
+	int i;
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_cs[i]=CreateMutex(NULL,FALSE,NULL);
+		}
+
+	CRYPTO_set_locking_callback((void (*)(int,int,char *,int))win32_locking_callback);
+	/* id callback defined */
+	return(1);
+	}
+
+static void CRYPTO_thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		CloseHandle(lock_cs[i]);
+	Free(lock_cs);
+	}
+
+void win32_locking_callback(int mode, int type, char *file, int line)
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		WaitForSingleObject(lock_cs[type],INFINITE);
+		}
+	else
+		{
+		ReleaseMutex(lock_cs[type]);
+		}
+	}
+
+#endif /* WIN32 */
+
+#ifdef SOLARIS
+
+#define USE_MUTEX
+
+#ifdef USE_MUTEX
+static mutex_t *lock_cs;
+#else
+static rwlock_t *lock_cs;
+#endif
+static long *lock_count;
+
+void CRYPTO_thread_setup(void)
+	{
+	int i;
+
+#ifdef USE_MUTEX
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(mutex_t));
+#else
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(rwlock_t));
+#endif
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_count[i]=0;
+#ifdef USE_MUTEX
+		mutex_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+#else
+		rwlock_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+#endif
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
+	CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+	}
+
+void CRYPTO_thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+#ifdef USE_MUTEX
+		mutex_destroy(&(lock_cs[i]));
+#else
+		rwlock_destroy(&(lock_cs[i]));
+#endif
+		}
+	Free(lock_cs);
+	Free(lock_count);
+	}
+
+void solaris_locking_callback(int mode, int type, char *file, int line)
+	{
+#if 0
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+
+#if 0
+	if (CRYPTO_LOCK_SSL_CERT == type)
+		fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+			CRYPTO_thread_id(),
+			mode,file,line);
+#endif
+	if (mode & CRYPTO_LOCK)
+		{
+#ifdef USE_MUTEX
+		mutex_lock(&(lock_cs[type]));
+#else
+		if (mode & CRYPTO_READ)
+			rw_rdlock(&(lock_cs[type]));
+		else
+			rw_wrlock(&(lock_cs[type]));
+#endif
+		lock_count[type]++;
+		}
+	else
+		{
+#ifdef USE_MUTEX
+		mutex_unlock(&(lock_cs[type]));
+#else
+		rw_unlock(&(lock_cs[type]));
+#endif
+		}
+	}
+
+unsigned long solaris_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)thr_self();
+	return(ret);
+	}
+#endif /* SOLARIS */
+
+#ifdef IRIX
+/* I don't think this works..... */
+
+static usptr_t *arena;
+static usema_t **lock_cs;
+
+void CRYPTO_thread_setup(void)
+	{
+	int i;
+	char filename[20];
+
+	strcpy(filename,"/tmp/mttest.XXXXXX");
+	mktemp(filename);
+
+	usconfig(CONF_STHREADIOOFF);
+	usconfig(CONF_STHREADMALLOCOFF);
+	usconfig(CONF_INITUSERS,100);
+	usconfig(CONF_LOCKTYPE,US_DEBUGPLUS);
+	arena=usinit(filename);
+	unlink(filename);
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_cs[i]=usnewsema(arena,1);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())irix_thread_id);
+	CRYPTO_set_locking_callback((void (*)())irix_locking_callback);
+	}
+
+void CRYPTO_thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		char buf[10];
+
+		sprintf(buf,"%2d:",i);
+		usdumpsema(lock_cs[i],stdout,buf);
+		usfreesema(lock_cs[i],arena);
+		}
+	Free(lock_cs);
+	}
+
+void irix_locking_callback(int mode, int type, char *file, int line)
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		uspsema(lock_cs[type]);
+		}
+	else
+		{
+		usvsema(lock_cs[type]);
+		}
+	}
+
+unsigned long irix_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)getpid();
+	return(ret);
+	}
+#endif /* IRIX */
+
+/* Linux and a few others */
+#ifdef PTHREADS
+
+static pthread_mutex_t *lock_cs;
+static long *lock_count;
+
+void CRYPTO_thread_setup(void)
+	{
+	int i;
+
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		lock_count[i]=0;
+		pthread_mutex_init(&(lock_cs[i]),NULL);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+	CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+	}
+
+void thread_cleanup(void)
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_num_locks(); i++)
+		{
+		pthread_mutex_destroy(&(lock_cs[i]));
+		}
+	Free(lock_cs);
+	Free(lock_count);
+	}
+
+void pthreads_locking_callback(int mode, int type, char *file,
+	     int line)
+      {
+#if 0
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+#if 0
+	if (CRYPTO_LOCK_SSL_CERT == type)
+		fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+		CRYPTO_thread_id(),
+		mode,file,line);
+#endif
+	if (mode & CRYPTO_LOCK)
+		{
+		pthread_mutex_lock(&(lock_cs[type]));
+		lock_count[type]++;
+		}
+	else
+		{
+		pthread_mutex_unlock(&(lock_cs[type]));
+		}
+	}
+
+unsigned long pthreads_thread_id(void)
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)pthread_self();
+	return(ret);
+	}
+
+#endif /* PTHREADS */
+
diff --git a/crypto/openssl/crypto/tmdiff.c b/crypto/openssl/crypto/tmdiff.c
new file mode 100644
index 0000000..0ad8a9e
--- /dev/null
+++ b/crypto/openssl/crypto/tmdiff.c
@@ -0,0 +1,229 @@
+/* crypto/tmdiff.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include "cryptlib.h"
+#include <openssl/tmdiff.h>
+
+#ifdef TIMEB
+#undef WIN32
+#undef TIMES
+#endif
+
+#ifndef MSDOS
+#  ifndef WIN32
+#    if !defined(VMS) || defined(__DECC)
+#      define TIMES
+#    endif
+#  endif
+#endif
+
+#ifndef _IRIX
+#  include <time.h>
+#endif
+#ifdef TIMES
+#  include <sys/types.h>
+#  include <sys/times.h>
+#endif
+
+/* Depending on the VMS version, the tms structure is perhaps defined.
+   The __TMS macro will show if it was.  If it wasn't defined, we should
+   undefine TIMES, since that tells the rest of the program how things
+   should be handled.				-- Richard Levitte */
+#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#undef TIMES
+#endif
+
+#if defined(sun) || defined(__ultrix)
+#define _POSIX_SOURCE
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#ifdef WIN32
+#include <windows.h>
+#endif
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#   define HZ  100.0
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+typedef struct ms_tm
+	{
+#ifdef TIMES
+	struct tms ms_tms;
+#else
+#  ifdef WIN32
+	HANDLE thread_id;
+	FILETIME ms_win32;
+#  else
+	struct timeb ms_timeb;
+#  endif
+#endif
+	} MS_TM;
+
+char *ms_time_new(void)
+	{
+	MS_TM *ret;
+
+	ret=(MS_TM *)Malloc(sizeof(MS_TM));
+	if (ret == NULL)
+		return(NULL);
+	memset(ret,0,sizeof(MS_TM));
+#ifdef WIN32
+	ret->thread_id=GetCurrentThread();
+#endif
+	return((char *)ret);
+	}
+
+void ms_time_free(char *a)
+	{
+	if (a != NULL)
+		Free(a);
+	}
+
+void ms_time_get(char *a)
+	{
+	MS_TM *tm=(MS_TM *)a;
+#ifdef WIN32
+	FILETIME tmpa,tmpb,tmpc;
+#endif
+
+#ifdef TIMES
+	times(&tm->ms_tms);
+#else
+#  ifdef WIN32
+	GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
+#  else
+	ftime(&tm->ms_timeb);
+#  endif
+#endif
+	}
+
+double ms_time_diff(char *ap, char *bp)
+	{
+	MS_TM *a=(MS_TM *)ap;
+	MS_TM *b=(MS_TM *)bp;
+	double ret;
+
+#ifdef TIMES
+	ret=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
+#else
+# ifdef WIN32
+	{
+#ifdef __GNUC__
+	signed long long la,lb;
+#else
+	signed _int64 la,lb;
+#endif
+	la=a->ms_win32.dwHighDateTime;
+	lb=b->ms_win32.dwHighDateTime;
+	la<<=32;
+	lb<<=32;
+	la+=a->ms_win32.dwLowDateTime;
+	lb+=b->ms_win32.dwLowDateTime;
+	ret=((double)(lb-la))/1e7;
+	}
+# else
+	ret=	 (double)(b->ms_timeb.time-a->ms_timeb.time)+
+		(((double)b->ms_timeb.millitm)-
+		((double)a->ms_timeb.millitm))/1000.0;
+#  endif
+#endif
+	return((ret < 0.0000001)?0.0000001:ret);
+	}
+
+int ms_time_cmp(char *ap, char *bp)
+	{
+	MS_TM *a=(MS_TM *)ap,*b=(MS_TM *)bp;
+	double d;
+	int ret;
+
+#ifdef TIMES
+	d=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
+#else
+# ifdef WIN32
+	d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
+	d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
+# else
+	d=	 (double)(b->ms_timeb.time-a->ms_timeb.time)+
+		(((double)b->ms_timeb.millitm)-(double)a->ms_timeb.millitm)/1000.0;
+#  endif
+#endif
+	if (d == 0.0)
+		ret=0;
+	else if (d < 0)
+		ret= -1;
+	else
+		ret=1;
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/tmdiff.h b/crypto/openssl/crypto/tmdiff.h
new file mode 100644
index 0000000..41a8a1e
--- /dev/null
+++ b/crypto/openssl/crypto/tmdiff.h
@@ -0,0 +1,81 @@
+/* crypto/tmdiff.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Header for dynamic hash table routines
+ * Author - Eric Young
+ */
+
+#ifndef HEADER_TMDIFF_H
+#define HEADER_TMDIFF_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+char *ms_time_new(void );
+void ms_time_free(char *a);
+void ms_time_get(char *a);
+double ms_time_diff(char *start,char *end);
+int ms_time_cmp(char *ap,char *bp);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/crypto/openssl/crypto/txt_db/Makefile.save b/crypto/openssl/crypto/txt_db/Makefile.save
new file mode 100644
index 0000000..83ee50b
--- /dev/null
+++ b/crypto/openssl/crypto/txt_db/Makefile.save
@@ -0,0 +1,87 @@
+#
+# SSLeay/crypto/txt_db/Makefile
+#
+
+DIR=	txt_db
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=txt_db.c
+LIBOBJ=txt_db.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= txt_db.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+txt_db.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+txt_db.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+txt_db.o: ../../include/openssl/stack.h ../../include/openssl/txt_db.h
+txt_db.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl
new file mode 100644
index 0000000..83ee50b
--- /dev/null
+++ b/crypto/openssl/crypto/txt_db/Makefile.ssl
@@ -0,0 +1,87 @@
+#
+# SSLeay/crypto/txt_db/Makefile
+#
+
+DIR=	txt_db
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=txt_db.c
+LIBOBJ=txt_db.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= txt_db.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+txt_db.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+txt_db.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+txt_db.o: ../../include/openssl/stack.h ../../include/openssl/txt_db.h
+txt_db.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/txt_db/txt_db.c b/crypto/openssl/crypto/txt_db/txt_db.c
new file mode 100644
index 0000000..33acc81
--- /dev/null
+++ b/crypto/openssl/crypto/txt_db/txt_db.c
@@ -0,0 +1,383 @@
+/* crypto/txt_db/txt_db.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/txt_db.h>
+
+#undef BUFSIZE
+#define BUFSIZE	512
+
+const char *TXT_DB_version="TXT_DB" OPENSSL_VERSION_PTEXT;
+
+TXT_DB *TXT_DB_read(BIO *in, int num)
+	{
+	TXT_DB *ret=NULL;
+	int er=1;
+	int esc=0;
+	long ln=0;
+	int i,add,n;
+	int size=BUFSIZE;
+	int offset=0;
+	char *p,**pp,*f;
+	BUF_MEM *buf=NULL;
+
+	if ((buf=BUF_MEM_new()) == NULL) goto err;
+	if (!BUF_MEM_grow(buf,size)) goto err;
+
+	if ((ret=(TXT_DB *)Malloc(sizeof(TXT_DB))) == NULL)
+		goto err;
+	ret->num_fields=num;
+	ret->index=NULL;
+	ret->qual=NULL;
+	if ((ret->data=sk_new_null()) == NULL)
+		goto err;
+	if ((ret->index=(LHASH **)Malloc(sizeof(LHASH *)*num)) == NULL)
+		goto err;
+	if ((ret->qual=(int (**)())Malloc(sizeof(int (**)())*num)) == NULL)
+		goto err;
+	for (i=0; i<num; i++)
+		{
+		ret->index[i]=NULL;
+		ret->qual[i]=NULL;
+		}
+
+	add=(num+1)*sizeof(char *);
+	buf->data[size-1]='\0';
+	offset=0;
+	for (;;)
+		{
+		if (offset != 0)
+			{
+			size+=BUFSIZE;
+			if (!BUF_MEM_grow(buf,size)) goto err;
+			}
+		buf->data[offset]='\0';
+		BIO_gets(in,&(buf->data[offset]),size-offset);
+		ln++;
+		if (buf->data[offset] == '\0') break;
+		if ((offset == 0) && (buf->data[0] == '#')) continue;
+		i=strlen(&(buf->data[offset]));
+		offset+=i;
+		if (buf->data[offset-1] != '\n')
+			continue;
+		else
+			{
+			buf->data[offset-1]='\0'; /* blat the '\n' */
+			p=(char *)Malloc(add+offset);
+			offset=0;
+			}
+		pp=(char **)p;
+		p+=add;
+		n=0;
+		pp[n++]=p;
+		i=0;
+		f=buf->data;
+
+		esc=0;
+		for (;;)
+			{
+			if (*f == '\0') break;
+			if (*f == '\t')
+				{
+				if (esc)
+					p--;
+				else
+					{	
+					*(p++)='\0';
+					f++;
+					if (n >=  num) break;
+					pp[n++]=p;
+					continue;
+					}
+				}
+			esc=(*f == '\\');
+			*(p++)= *(f++);
+			}
+		*(p++)='\0';
+		if ((n != num) || (*f != '\0'))
+			{
+#if !defined(NO_STDIO) && !defined(WIN16)	/* temporaty fix :-( */
+			fprintf(stderr,"wrong number of fields on line %ld (looking for field %d, got %d, '%s' left)\n",ln,num,n,f);
+#endif
+			er=2;
+			goto err;
+			}
+		pp[n]=p;
+		if (!sk_push(ret->data,(char *)pp))
+			{
+#if !defined(NO_STDIO) && !defined(WIN16)	/* temporaty fix :-( */
+			fprintf(stderr,"failure in sk_push\n");
+#endif
+			er=2;
+			goto err;
+			}
+		}
+	er=0;
+err:
+	BUF_MEM_free(buf);
+	if (er)
+		{
+#if !defined(NO_STDIO) && !defined(WIN16)
+		if (er == 1) fprintf(stderr,"Malloc failure\n");
+#endif
+		if (ret->data != NULL) sk_free(ret->data);
+		if (ret->index != NULL) Free(ret->index);
+		if (ret->qual != NULL) Free(ret->qual);
+		if (ret != NULL) Free(ret);
+		return(NULL);
+		}
+	else
+		return(ret);
+	}
+
+char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value)
+	{
+	char **ret;
+	LHASH *lh;
+
+	if (idx >= db->num_fields)
+		{
+		db->error=DB_ERROR_INDEX_OUT_OF_RANGE;
+		return(NULL);
+		}
+	lh=db->index[idx];
+	if (lh == NULL)
+		{
+		db->error=DB_ERROR_NO_INDEX;
+		return(NULL);
+		}
+	ret=(char **)lh_retrieve(lh,value);
+	db->error=DB_ERROR_OK;
+	return(ret);
+	}
+
+int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(),
+	     unsigned long (*hash)(), int (*cmp)())
+	{
+	LHASH *idx;
+	char *r;
+	int i,n;
+
+	if (field >= db->num_fields)
+		{
+		db->error=DB_ERROR_INDEX_OUT_OF_RANGE;
+		return(0);
+		}
+	if ((idx=lh_new(hash,cmp)) == NULL)
+		{
+		db->error=DB_ERROR_MALLOC;
+		return(0);
+		}
+	n=sk_num(db->data);
+	for (i=0; i<n; i++)
+		{
+		r=(char *)sk_value(db->data,i);
+		if ((qual != NULL) && (qual(r) == 0)) continue;
+		if ((r=lh_insert(idx,r)) != NULL)
+			{
+			db->error=DB_ERROR_INDEX_CLASH;
+			db->arg1=sk_find(db->data,r);
+			db->arg2=i;
+			lh_free(idx);
+			return(0);
+			}
+		}
+	if (db->index[field] != NULL) lh_free(db->index[field]);
+	db->index[field]=idx;
+	db->qual[field]=qual;
+	return(1);
+	}
+
+long TXT_DB_write(BIO *out, TXT_DB *db)
+	{
+	long i,j,n,nn,l,tot=0;
+	char *p,**pp,*f;
+	BUF_MEM *buf=NULL;
+	long ret= -1;
+
+	if ((buf=BUF_MEM_new()) == NULL)
+		goto err;
+	n=sk_num(db->data);
+	nn=db->num_fields;
+	for (i=0; i<n; i++)
+		{
+		pp=(char **)sk_value(db->data,i);
+
+		l=0;
+		for (j=0; j<nn; j++)
+			{
+			if (pp[j] != NULL)
+				l+=strlen(pp[j]);
+			}
+		if (!BUF_MEM_grow(buf,(int)(l*2+nn))) goto err;
+
+		p=buf->data;
+		for (j=0; j<nn; j++)
+			{
+			f=pp[j];
+			if (f != NULL)
+				for (;;) 
+					{
+					if (*f == '\0') break;
+					if (*f == '\t') *(p++)='\\';
+					*(p++)= *(f++);
+					}
+			*(p++)='\t';
+			}
+		p[-1]='\n';
+		j=p-buf->data;
+		if (BIO_write(out,buf->data,(int)j) != j)
+			goto err;
+		tot+=j;
+		}
+	ret=tot;
+err:
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(ret);
+	}
+
+int TXT_DB_insert(TXT_DB *db, char **row)
+	{
+	int i;
+	char **r;
+
+	for (i=0; i<db->num_fields; i++)
+		{
+		if (db->index[i] != NULL)
+			{
+			if ((db->qual[i] != NULL) &&
+				(db->qual[i](row) == 0)) continue;
+			r=(char **)lh_retrieve(db->index[i],row);
+			if (r != NULL)
+				{
+				db->error=DB_ERROR_INDEX_CLASH;
+				db->arg1=i;
+				db->arg_row=r;
+				goto err;
+				}
+			}
+		}
+	/* We have passed the index checks, now just append and insert */
+	if (!sk_push(db->data,(char *)row))
+		{
+		db->error=DB_ERROR_MALLOC;
+		goto err;
+		}
+
+	for (i=0; i<db->num_fields; i++)
+		{
+		if (db->index[i] != NULL)
+			{
+			if ((db->qual[i] != NULL) &&
+				(db->qual[i](row) == 0)) continue;
+			lh_insert(db->index[i],row);
+			}
+		}
+	return(1);
+err:
+	return(0);
+	}
+
+void TXT_DB_free(TXT_DB *db)
+	{
+	int i,n;
+	char **p,*max;
+
+	if(db == NULL)
+	    return;
+
+	if (db->index != NULL)
+		{
+		for (i=db->num_fields-1; i>=0; i--)
+			if (db->index[i] != NULL) lh_free(db->index[i]);
+		Free(db->index);
+		}
+	if (db->qual != NULL)
+		Free(db->qual);
+	if (db->data != NULL)
+		{
+		for (i=sk_num(db->data)-1; i>=0; i--)
+			{
+			/* check if any 'fields' have been allocated
+			 * from outside of the initial block */
+			p=(char **)sk_value(db->data,i);
+			max=p[db->num_fields]; /* last address */
+			if (max == NULL) /* new row */
+				{
+				for (n=0; n<db->num_fields; n++)
+					if (p[n] != NULL) Free(p[n]);
+				}
+			else
+				{
+				for (n=0; n<db->num_fields; n++)
+					{
+					if (((p[n] < (char *)p) || (p[n] > max))
+						&& (p[n] != NULL))
+						Free(p[n]);
+					}
+				}
+			Free(sk_value(db->data,i));
+			}
+		sk_free(db->data);
+		}
+	Free(db);
+	}
diff --git a/crypto/openssl/crypto/txt_db/txt_db.h b/crypto/openssl/crypto/txt_db/txt_db.h
new file mode 100644
index 0000000..58b9de1
--- /dev/null
+++ b/crypto/openssl/crypto/txt_db/txt_db.h
@@ -0,0 +1,105 @@
+/* crypto/txt_db/txt_db.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_TXT_DB_H
+#define HEADER_TXT_DB_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+
+#define DB_ERROR_OK			0
+#define DB_ERROR_MALLOC			1
+#define DB_ERROR_INDEX_CLASH    	2
+#define DB_ERROR_INDEX_OUT_OF_RANGE	3
+#define DB_ERROR_NO_INDEX		4
+#define DB_ERROR_INSERT_INDEX_CLASH    	5
+
+typedef struct txt_db_st
+	{
+	int num_fields;
+	STACK /* char ** */ *data;
+	LHASH **index;
+	int (**qual)();
+	long error;
+	long arg1;
+	long arg2;
+	char **arg_row;
+	} TXT_DB;
+
+#ifdef HEADER_BIO_H
+TXT_DB *TXT_DB_read(BIO *in, int num);
+long TXT_DB_write(BIO *out, TXT_DB *db);
+#else
+TXT_DB *TXT_DB_read(char *in, int num);
+long TXT_DB_write(char *out, TXT_DB *db);
+#endif
+int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(),
+	 unsigned long (*hash)(),int (*cmp)());
+void TXT_DB_free(TXT_DB *db);
+char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value);
+int TXT_DB_insert(TXT_DB *db,char **value);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/x509/Makefile.save b/crypto/openssl/crypto/x509/Makefile.save
new file mode 100644
index 0000000..973d49b
--- /dev/null
+++ b/crypto/openssl/crypto/x509/Makefile.save
@@ -0,0 +1,473 @@
+#
+# SSLeay/crypto/x509/Makefile
+#
+
+DIR=	x509
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
+	x509_obj.c x509_req.c x509spki.c x509_vfy.c \
+	x509_set.c x509rset.c x509_err.c \
+	x509name.c x509_v3.c x509_ext.c x509_att.c \
+	x509type.c x509_lu.c x_all.c x509_txt.c \
+	x509_trs.c by_file.c by_dir.c 
+LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
+	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
+	x509_set.o x509rset.o x509_err.o \
+	x509name.o x509_v3.o x509_ext.o x509_att.o \
+	x509type.o x509_lu.o x_all.o x509_txt.o \
+	x509_trs.o by_file.o by_dir.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509.h x509_vfy.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+by_dir.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_dir.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+by_dir.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+by_file.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+by_file.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+by_file.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_d2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_d2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_d2.o: ../cryptlib.h
+x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_def.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_def.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_def.o: ../cryptlib.h
+x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x509_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x509_lu.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_obj.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_obj.o: ../../include/openssl/opensslconf.h
+x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_obj.o: ../cryptlib.h
+x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_r2x.o: ../cryptlib.h
+x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_req.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_req.o: ../cryptlib.h
+x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_set.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_set.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_set.o: ../cryptlib.h
+x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_txt.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_txt.o: ../../include/openssl/opensslconf.h
+x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_txt.o: ../cryptlib.h
+x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_v3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509name.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509name.o: ../cryptlib.h
+x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509rset.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509rset.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509rset.o: ../cryptlib.h
+x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x509spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509spki.o: ../cryptlib.h
+x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509type.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509type.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509type.o: ../cryptlib.h
+x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_all.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl
new file mode 100644
index 0000000..973d49b
--- /dev/null
+++ b/crypto/openssl/crypto/x509/Makefile.ssl
@@ -0,0 +1,473 @@
+#
+# SSLeay/crypto/x509/Makefile
+#
+
+DIR=	x509
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
+	x509_obj.c x509_req.c x509spki.c x509_vfy.c \
+	x509_set.c x509rset.c x509_err.c \
+	x509name.c x509_v3.c x509_ext.c x509_att.c \
+	x509type.c x509_lu.c x_all.c x509_txt.c \
+	x509_trs.c by_file.c by_dir.c 
+LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
+	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
+	x509_set.o x509rset.o x509_err.o \
+	x509name.o x509_v3.o x509_ext.o x509_att.o \
+	x509type.o x509_lu.o x_all.o x509_txt.o \
+	x509_trs.o by_file.o by_dir.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509.h x509_vfy.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+by_dir.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_dir.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+by_dir.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+by_file.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+by_file.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+by_file.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_d2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_d2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_d2.o: ../cryptlib.h
+x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_def.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_def.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_def.o: ../cryptlib.h
+x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x509_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x509_lu.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_obj.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_obj.o: ../../include/openssl/opensslconf.h
+x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_obj.o: ../cryptlib.h
+x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_r2x.o: ../cryptlib.h
+x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_req.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_req.o: ../cryptlib.h
+x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_set.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_set.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_set.o: ../cryptlib.h
+x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509_txt.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_txt.o: ../../include/openssl/opensslconf.h
+x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_txt.o: ../cryptlib.h
+x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_v3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509name.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509name.o: ../cryptlib.h
+x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509rset.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509rset.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509rset.o: ../cryptlib.h
+x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x509spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509spki.o: ../cryptlib.h
+x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509type.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509type.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509type.o: ../cryptlib.h
+x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_all.o: ../cryptlib.h
diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c
new file mode 100644
index 0000000..14d12c5
--- /dev/null
+++ b/crypto/openssl/crypto/x509/by_dir.c
@@ -0,0 +1,349 @@
+/* crypto/x509/by_dir.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+
+#include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef MAC_OS_pre_X
+# include <stat.h>
+#else
+# include <sys/stat.h>
+#endif
+
+#include <openssl/lhash.h>
+#include <openssl/x509.h>
+
+typedef struct lookup_dir_st
+	{
+	BUF_MEM *buffer;
+	int num_dirs;
+	char **dirs;
+	int *dirs_type;
+	int num_dirs_alloced;
+	} BY_DIR;
+
+static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
+	char **ret);
+static int new_dir(X509_LOOKUP *lu);
+static void free_dir(X509_LOOKUP *lu);
+static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
+static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
+	X509_OBJECT *ret);
+X509_LOOKUP_METHOD x509_dir_lookup=
+	{
+	"Load certs from files in a directory",
+	new_dir,		/* new */
+	free_dir,		/* free */
+	NULL, 			/* init */
+	NULL,			/* shutdown */
+	dir_ctrl,		/* ctrl */
+	get_cert_by_subject,	/* get_by_subject */
+	NULL,			/* get_by_issuer_serial */
+	NULL,			/* get_by_fingerprint */
+	NULL,			/* get_by_alias */
+	};
+
+X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
+	{
+	return(&x509_dir_lookup);
+	}
+
+static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
+	     char **retp)
+	{
+	int ret=0;
+	BY_DIR *ld;
+	char *dir;
+
+	ld=(BY_DIR *)ctx->method_data;
+
+	switch (cmd)
+		{
+	case X509_L_ADD_DIR:
+		if (argl == X509_FILETYPE_DEFAULT)
+			{
+			ret=add_cert_dir(ld,X509_get_default_cert_dir(),
+				X509_FILETYPE_PEM);
+			if (!ret)
+				{
+				X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
+				}
+			else
+				{
+				dir=(char *)Getenv(X509_get_default_cert_dir_env());
+				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+				}
+			}
+		else
+			ret=add_cert_dir(ld,argp,(int)argl);
+		break;
+		}
+	return(ret);
+	}
+
+static int new_dir(X509_LOOKUP *lu)
+	{
+	BY_DIR *a;
+
+	if ((a=(BY_DIR *)Malloc(sizeof(BY_DIR))) == NULL)
+		return(0);
+	if ((a->buffer=BUF_MEM_new()) == NULL)
+		{
+		Free(a);
+		return(0);
+		}
+	a->num_dirs=0;
+	a->dirs=NULL;
+	a->dirs_type=NULL;
+	a->num_dirs_alloced=0;
+	lu->method_data=(char *)a;
+	return(1);
+	}
+
+static void free_dir(X509_LOOKUP *lu)
+	{
+	BY_DIR *a;
+	int i;
+
+	a=(BY_DIR *)lu->method_data;
+	for (i=0; i<a->num_dirs; i++)
+		if (a->dirs[i] != NULL) Free(a->dirs[i]);
+	if (a->dirs != NULL) Free(a->dirs);
+	if (a->dirs_type != NULL) Free(a->dirs_type);
+	if (a->buffer != NULL) BUF_MEM_free(a->buffer);
+	Free(a);
+	}
+
+static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
+	{
+	int j,len;
+	int *ip;
+	const char *s,*ss,*p;
+	char **pp;
+
+	if (dir == NULL || !*dir)
+	    {
+	    X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
+	    return 0;
+	    }
+
+	s=dir;
+	p=s;
+	for (;;)
+		{
+		if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
+			{
+			ss=s;
+			s=p+1;
+			len=(int)(p-ss);
+			if (len == 0) continue;
+			for (j=0; j<ctx->num_dirs; j++)
+				if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0)
+					continue;
+			if (ctx->num_dirs_alloced < (ctx->num_dirs+1))
+				{
+				ctx->num_dirs_alloced+=10;
+				pp=(char **)Malloc(ctx->num_dirs_alloced*
+					sizeof(char *));
+				ip=(int *)Malloc(ctx->num_dirs_alloced*
+					sizeof(int));
+				if ((pp == NULL) || (ip == NULL))
+					{
+					X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE);
+					return(0);
+					}
+				memcpy(pp,ctx->dirs,(ctx->num_dirs_alloced-10)*
+					sizeof(char *));
+				memcpy(ip,ctx->dirs_type,(ctx->num_dirs_alloced-10)*
+					sizeof(int));
+				if (ctx->dirs != NULL)
+					Free(ctx->dirs);
+				if (ctx->dirs_type != NULL)
+					Free(ctx->dirs_type);
+				ctx->dirs=pp;
+				ctx->dirs_type=ip;
+				}
+			ctx->dirs_type[ctx->num_dirs]=type;
+			ctx->dirs[ctx->num_dirs]=(char *)Malloc((unsigned int)len+1);
+			if (ctx->dirs[ctx->num_dirs] == NULL) return(0);
+			strncpy(ctx->dirs[ctx->num_dirs],ss,(unsigned int)len);
+			ctx->dirs[ctx->num_dirs][len]='\0';
+			ctx->num_dirs++;
+			}
+		if (*p == '\0') break;
+		p++;
+		}
+	return(1);
+	}
+
+static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+	     X509_OBJECT *ret)
+	{
+	BY_DIR *ctx;
+	union	{
+		struct	{
+			X509 st_x509;
+			X509_CINF st_x509_cinf;
+			} x509;
+		struct	{
+			X509_CRL st_crl;
+			X509_CRL_INFO st_crl_info;
+			} crl;
+		} data;
+	int ok=0;
+	int i,j,k;
+	unsigned long h;
+	BUF_MEM *b=NULL;
+	struct stat st;
+	X509_OBJECT stmp,*tmp;
+	const char *postfix="";
+
+	if (name == NULL) return(0);
+
+	stmp.type=type;
+	if (type == X509_LU_X509)
+		{
+		data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
+		data.x509.st_x509_cinf.subject=name;
+		stmp.data.x509= &data.x509.st_x509;
+		postfix="";
+		}
+	else if (type == X509_LU_CRL)
+		{
+		data.crl.st_crl.crl= &data.crl.st_crl_info;
+		data.crl.st_crl_info.issuer=name;
+		stmp.data.crl= &data.crl.st_crl;
+		postfix="r";
+		}
+	else
+		{
+		X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
+		goto finish;
+		}
+
+	if ((b=BUF_MEM_new()) == NULL)
+		{
+		X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB);
+		goto finish;
+		}
+	
+	ctx=(BY_DIR *)xl->method_data;
+
+	h=X509_NAME_hash(name);
+	for (i=0; i<ctx->num_dirs; i++)
+		{
+		j=strlen(ctx->dirs[i])+1+8+6+1+1;
+		if (!BUF_MEM_grow(b,j))
+			{
+			X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
+			goto finish;
+			}
+		k=0;
+		for (;;)
+			{
+			sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
+				postfix,k);
+			k++;
+			if (stat(b->data,&st) < 0)
+				break;
+			/* found one. */
+			if (type == X509_LU_X509)
+				{
+				if ((X509_load_cert_file(xl,b->data,
+					ctx->dirs_type[i])) == 0)
+					break;
+				}
+			else if (type == X509_LU_CRL)
+				{
+				if ((X509_load_crl_file(xl,b->data,
+					ctx->dirs_type[i])) == 0)
+					break;
+				}
+			/* else case will caught higher up */
+			}
+
+		/* we have added it to the cache so now pull
+		 * it out again */
+		CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+		tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,&stmp);
+		CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+
+		if (tmp != NULL)
+			{
+			ok=1;
+			ret->type=tmp->type;
+			memcpy(&ret->data,&tmp->data,sizeof(ret->data));
+			/* If we were going to up the reference count,
+			 * we would need to do it on a perl 'type'
+			 * basis */
+	/*		CRYPTO_add(&tmp->data.x509->references,1,
+				CRYPTO_LOCK_X509);*/
+			goto finish;
+			}
+		}
+finish:
+	if (b != NULL) BUF_MEM_free(b);
+	return(ok);
+	}
+
diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c
new file mode 100644
index 0000000..78e9240
--- /dev/null
+++ b/crypto/openssl/crypto/x509/by_file.c
@@ -0,0 +1,298 @@
+/* crypto/x509/by_file.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#ifndef NO_STDIO
+
+static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
+	long argl, char **ret);
+X509_LOOKUP_METHOD x509_file_lookup=
+	{
+	"Load file into cache",
+	NULL,		/* new */
+	NULL,		/* free */
+	NULL, 		/* init */
+	NULL,		/* shutdown */
+	by_file_ctrl,	/* ctrl */
+	NULL,		/* get_by_subject */
+	NULL,		/* get_by_issuer_serial */
+	NULL,		/* get_by_fingerprint */
+	NULL,		/* get_by_alias */
+	};
+
+X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
+	{
+	return(&x509_file_lookup);
+	}
+
+static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
+	     char **ret)
+	{
+	int ok=0;
+	char *file;
+
+	switch (cmd)
+		{
+	case X509_L_FILE_LOAD:
+		if (argl == X509_FILETYPE_DEFAULT)
+			{
+			ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+				X509_FILETYPE_PEM) != 0);
+			if (!ok)
+				{
+				X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
+				}
+			else
+				{
+				file=(char *)Getenv(X509_get_default_cert_file_env());
+				ok = (X509_load_cert_crl_file(ctx,file,
+					X509_FILETYPE_PEM) != 0);
+				}
+			}
+		else
+			{
+			if(argl == X509_FILETYPE_PEM)
+				ok = (X509_load_cert_crl_file(ctx,argp,
+					X509_FILETYPE_PEM) != 0);
+			else
+				ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
+			}
+		break;
+		}
+	return(ok);
+	}
+
+int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
+	{
+	int ret=0;
+	BIO *in=NULL;
+	int i,count=0;
+	X509 *x=NULL;
+
+	if (file == NULL) return(1);
+	in=BIO_new(BIO_s_file_internal());
+
+	if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
+		{
+		X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
+		goto err;
+		}
+
+	if (type == X509_FILETYPE_PEM)
+		{
+		for (;;)
+			{
+			x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
+			if (x == NULL)
+				{
+				if ((ERR_GET_REASON(ERR_peek_error()) ==
+					PEM_R_NO_START_LINE) && (count > 0))
+					{
+					ERR_clear_error();
+					break;
+					}
+				else
+					{
+					X509err(X509_F_X509_LOAD_CERT_FILE,
+						ERR_R_PEM_LIB);
+					goto err;
+					}
+				}
+			i=X509_STORE_add_cert(ctx->store_ctx,x);
+			if (!i) goto err;
+			count++;
+			X509_free(x);
+			x=NULL;
+			}
+		ret=count;
+		}
+	else if (type == X509_FILETYPE_ASN1)
+		{
+		x=d2i_X509_bio(in,NULL);
+		if (x == NULL)
+			{
+			X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		i=X509_STORE_add_cert(ctx->store_ctx,x);
+		if (!i) goto err;
+		ret=i;
+		}
+	else
+		{
+		X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE);
+		goto err;
+		}
+err:
+	if (x != NULL) X509_free(x);
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+
+int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
+	{
+	int ret=0;
+	BIO *in=NULL;
+	int i,count=0;
+	X509_CRL *x=NULL;
+
+	if (file == NULL) return(1);
+	in=BIO_new(BIO_s_file_internal());
+
+	if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
+		{
+		X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
+		goto err;
+		}
+
+	if (type == X509_FILETYPE_PEM)
+		{
+		for (;;)
+			{
+			x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+			if (x == NULL)
+				{
+				if ((ERR_GET_REASON(ERR_peek_error()) ==
+					PEM_R_NO_START_LINE) && (count > 0))
+					{
+					ERR_clear_error();
+					break;
+					}
+				else
+					{
+					X509err(X509_F_X509_LOAD_CRL_FILE,
+						ERR_R_PEM_LIB);
+					goto err;
+					}
+				}
+			i=X509_STORE_add_crl(ctx->store_ctx,x);
+			if (!i) goto err;
+			count++;
+			X509_CRL_free(x);
+			x=NULL;
+			}
+		ret=count;
+		}
+	else if (type == X509_FILETYPE_ASN1)
+		{
+		x=d2i_X509_CRL_bio(in,NULL);
+		if (x == NULL)
+			{
+			X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		i=X509_STORE_add_crl(ctx->store_ctx,x);
+		if (!i) goto err;
+		ret=i;
+		}
+	else
+		{
+		X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
+		goto err;
+		}
+err:
+	if (x != NULL) X509_CRL_free(x);
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+
+int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
+{
+	STACK_OF(X509_INFO) *inf;
+	X509_INFO *itmp;
+	BIO *in;
+	int i, count = 0;
+	if(type != X509_FILETYPE_PEM)
+		return X509_load_cert_file(ctx, file, type);
+	in = BIO_new_file(file, "r");
+	if(!in) {
+		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
+		return 0;
+	}
+	inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+	BIO_free(in);
+	if(!inf) {
+		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
+		return 0;
+	}
+	for(i = 0; i < sk_X509_INFO_num(inf); i++) {
+		itmp = sk_X509_INFO_value(inf, i);
+		if(itmp->x509) {
+			X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
+			count++;
+		} else if(itmp->crl) {
+			X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
+			count++;
+		}
+	}
+	sk_X509_INFO_pop_free(inf, X509_INFO_free);
+	return count;
+}
+
+
+#endif /* NO_STDIO */
+
diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h
new file mode 100644
index 0000000..0192272
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509.h
@@ -0,0 +1,1204 @@
+/* crypto/x509/x509.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_X509_H
+#define HEADER_X509_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef VMS
+#undef X509_REVOKED_get_ext_by_critical
+#define X509_REVOKED_get_ext_by_critical X509_REVOKED_get_ext_by_critic
+#endif
+
+#include <openssl/stack.h>
+#include <openssl/asn1.h>
+#include <openssl/safestack.h>
+
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+#endif
+
+#ifndef NO_DSA
+#include <openssl/dsa.h>
+#endif
+
+#ifndef NO_DH
+#include <openssl/dh.h>
+#endif
+
+#include <openssl/evp.h>
+
+
+#ifdef WIN32
+/* Under Win32 this is defined in wincrypt.h */
+#undef X509_NAME
+#endif
+
+#define X509_FILETYPE_PEM	1
+#define X509_FILETYPE_ASN1	2
+#define X509_FILETYPE_DEFAULT	3
+
+#define X509v3_KU_DIGITAL_SIGNATURE	0x0080
+#define X509v3_KU_NON_REPUDIATION	0x0040
+#define X509v3_KU_KEY_ENCIPHERMENT	0x0020
+#define X509v3_KU_DATA_ENCIPHERMENT	0x0010
+#define X509v3_KU_KEY_AGREEMENT		0x0008
+#define X509v3_KU_KEY_CERT_SIGN		0x0004
+#define X509v3_KU_CRL_SIGN		0x0002
+#define X509v3_KU_ENCIPHER_ONLY		0x0001
+#define X509v3_KU_DECIPHER_ONLY		0x8000
+#define X509v3_KU_UNDEF			0xffff
+
+typedef struct X509_objects_st
+	{
+	int nid;
+	int (*a2i)();
+	int (*i2a)();
+	} X509_OBJECTS;
+
+typedef struct X509_algor_st
+	{
+	ASN1_OBJECT *algorithm;
+	ASN1_TYPE *parameter;
+	} X509_ALGOR;
+
+DECLARE_STACK_OF(X509_ALGOR)
+DECLARE_ASN1_SET_OF(X509_ALGOR)
+
+typedef struct X509_val_st
+	{
+	ASN1_UTCTIME *notBefore;
+	ASN1_UTCTIME *notAfter;
+	} X509_VAL;
+
+typedef struct X509_pubkey_st
+	{
+	X509_ALGOR *algor;
+	ASN1_BIT_STRING *public_key;
+	EVP_PKEY *pkey;
+	} X509_PUBKEY;
+
+typedef struct X509_sig_st
+	{
+	X509_ALGOR *algor;
+	ASN1_OCTET_STRING *digest;
+	} X509_SIG;
+
+typedef struct X509_name_entry_st
+	{
+	ASN1_OBJECT *object;
+	ASN1_STRING *value;
+	int set;
+	int size; 	/* temp variable */
+	} X509_NAME_ENTRY;
+
+DECLARE_STACK_OF(X509_NAME_ENTRY)
+DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
+
+/* we always keep X509_NAMEs in 2 forms. */
+typedef struct X509_name_st
+	{
+	STACK_OF(X509_NAME_ENTRY) *entries;
+	int modified;	/* true if 'bytes' needs to be built */
+#ifdef HEADER_BUFFER_H
+	BUF_MEM *bytes;
+#else
+	char *bytes;
+#endif
+	unsigned long hash; /* Keep the hash around for lookups */
+	} X509_NAME;
+
+DECLARE_STACK_OF(X509_NAME)
+
+#define X509_EX_V_NETSCAPE_HACK		0x8000
+#define X509_EX_V_INIT			0x0001
+typedef struct X509_extension_st
+	{
+	ASN1_OBJECT *object;
+	short critical;
+	short netscape_hack;
+	ASN1_OCTET_STRING *value;
+	struct v3_ext_method *method;	/* V3 method to use */
+	void *ext_val;			/* extension value */
+	} X509_EXTENSION;
+
+DECLARE_STACK_OF(X509_EXTENSION)
+DECLARE_ASN1_SET_OF(X509_EXTENSION)
+
+/* a sequence of these are used */
+typedef struct x509_attributes_st
+	{
+	ASN1_OBJECT *object;
+	int set; /* 1 for a set, 0 for a single item (which is wrong) */
+	union	{
+		char		*ptr;
+/* 1 */		STACK_OF(ASN1_TYPE) *set;
+/* 0 */		ASN1_TYPE	*single;
+		} value;
+	} X509_ATTRIBUTE;
+
+DECLARE_STACK_OF(X509_ATTRIBUTE)
+DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
+
+typedef struct X509_req_info_st
+	{
+	ASN1_INTEGER *version;
+	X509_NAME *subject;
+	X509_PUBKEY *pubkey;
+	/*  d=2 hl=2 l=  0 cons: cont: 00 */
+	STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+	int req_kludge;
+	} X509_REQ_INFO;
+
+typedef struct X509_req_st
+	{
+	X509_REQ_INFO *req_info;
+	X509_ALGOR *sig_alg;
+	ASN1_BIT_STRING *signature;
+	int references;
+	} X509_REQ;
+
+typedef struct x509_cinf_st
+	{
+	ASN1_INTEGER *version;		/* [ 0 ] default of v1 */
+	ASN1_INTEGER *serialNumber;
+	X509_ALGOR *signature;
+	X509_NAME *issuer;
+	X509_VAL *validity;
+	X509_NAME *subject;
+	X509_PUBKEY *key;
+	ASN1_BIT_STRING *issuerUID;		/* [ 1 ] optional in v2 */
+	ASN1_BIT_STRING *subjectUID;		/* [ 2 ] optional in v2 */
+	STACK_OF(X509_EXTENSION) *extensions;	/* [ 3 ] optional in v3 */
+	} X509_CINF;
+
+/* This stuff is certificate "auxiliary info"
+ * it contains details which are useful in certificate
+ * stores and databases. When used this is tagged onto
+ * the end of the certificate itself
+ */
+
+typedef struct x509_cert_aux_st
+	{
+	STACK_OF(ASN1_OBJECT) *trust;		/* trusted uses */
+	STACK_OF(ASN1_OBJECT) *reject;		/* rejected uses */
+	ASN1_UTF8STRING *alias;			/* "friendly name" */
+	ASN1_OCTET_STRING *keyid;		/* key id of private key */
+	STACK_OF(X509_ALGOR) *other;		/* other unspecified info */
+	} X509_CERT_AUX;
+
+typedef struct x509_st
+	{
+	X509_CINF *cert_info;
+	X509_ALGOR *sig_alg;
+	ASN1_BIT_STRING *signature;
+	int valid;
+	int references;
+	char *name;
+	CRYPTO_EX_DATA ex_data;
+	/* These contain copies of various extension values */
+	long ex_pathlen;
+	unsigned long ex_flags;
+	unsigned long ex_kusage;
+	unsigned long ex_xkusage;
+	unsigned long ex_nscert;
+#ifndef NO_SHA
+	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#endif
+	X509_CERT_AUX *aux;
+	} X509;
+
+DECLARE_STACK_OF(X509)
+DECLARE_ASN1_SET_OF(X509)
+
+/* This is used for a table of trust checking functions */
+
+typedef struct x509_trust_st {
+	int trust;
+	int flags;
+	int (*check_trust)(struct x509_trust_st *, X509 *, int);
+	char *name;
+	int arg1;
+	void *arg2;
+} X509_TRUST;
+
+DECLARE_STACK_OF(X509_TRUST)
+
+/* standard trust ids */
+
+#define X509_TRUST_DEFAULT	-1	/* Only valid in purpose settings */
+
+#define X509_TRUST_COMPAT	1
+#define X509_TRUST_SSL_CLIENT	2
+#define X509_TRUST_SSL_SERVER	3
+#define X509_TRUST_EMAIL	4
+#define X509_TRUST_OBJECT_SIGN	5
+
+/* Keep these up to date! */
+#define X509_TRUST_MIN		1
+#define X509_TRUST_MAX		5
+
+
+/* trust_flags values */
+#define	X509_TRUST_DYNAMIC 	1
+#define	X509_TRUST_DYNAMIC_NAME	2
+
+/* check_trust return codes */
+
+#define X509_TRUST_TRUSTED	1
+#define X509_TRUST_REJECTED	2
+#define X509_TRUST_UNTRUSTED	3
+
+typedef struct X509_revoked_st
+	{
+	ASN1_INTEGER *serialNumber;
+	ASN1_UTCTIME *revocationDate;
+	STACK_OF(X509_EXTENSION) /* optional */ *extensions;
+	int sequence; /* load sequence */
+	} X509_REVOKED;
+
+DECLARE_STACK_OF(X509_REVOKED)
+DECLARE_ASN1_SET_OF(X509_REVOKED)
+
+typedef struct X509_crl_info_st
+	{
+	ASN1_INTEGER *version;
+	X509_ALGOR *sig_alg;
+	X509_NAME *issuer;
+	ASN1_UTCTIME *lastUpdate;
+	ASN1_UTCTIME *nextUpdate;
+	STACK_OF(X509_REVOKED) *revoked;
+	STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+	} X509_CRL_INFO;
+
+typedef struct X509_crl_st
+	{
+	/* actual signature */
+	X509_CRL_INFO *crl;
+	X509_ALGOR *sig_alg;
+	ASN1_BIT_STRING *signature;
+	int references;
+	} X509_CRL;
+
+DECLARE_STACK_OF(X509_CRL)
+DECLARE_ASN1_SET_OF(X509_CRL)
+
+typedef struct private_key_st
+	{
+	int version;
+	/* The PKCS#8 data types */
+	X509_ALGOR *enc_algor;
+	ASN1_OCTET_STRING *enc_pkey;	/* encrypted pub key */
+
+	/* When decrypted, the following will not be NULL */
+	EVP_PKEY *dec_pkey;
+
+	/* used to encrypt and decrypt */
+	int key_length;
+	char *key_data;
+	int key_free;	/* true if we should auto free key_data */
+
+	/* expanded version of 'enc_algor' */
+	EVP_CIPHER_INFO cipher;
+
+	int references;
+	} X509_PKEY;
+
+#ifdef HEADER_ENVELOPE_H
+typedef struct X509_info_st
+	{
+	X509 *x509;
+	X509_CRL *crl;
+	X509_PKEY *x_pkey;
+
+	EVP_CIPHER_INFO enc_cipher;
+	int enc_len;
+	char *enc_data;
+
+	int references;
+	} X509_INFO;
+
+DECLARE_STACK_OF(X509_INFO)
+#endif
+
+/* The next 2 structures and their 8 routines were sent to me by
+ * Pat Richard <patr@x509.com> and are used to manipulate
+ * Netscapes spki structures - useful if you are writing a CA web page
+ */
+typedef struct Netscape_spkac_st
+	{
+	X509_PUBKEY *pubkey;
+	ASN1_IA5STRING *challenge;	/* challenge sent in atlas >= PR2 */
+	} NETSCAPE_SPKAC;
+
+typedef struct Netscape_spki_st
+	{
+	NETSCAPE_SPKAC *spkac;	/* signed public key and challenge */
+	X509_ALGOR *sig_algor;
+	ASN1_BIT_STRING *signature;
+	} NETSCAPE_SPKI;
+
+/* Netscape certificate sequence structure */
+typedef struct Netscape_certificate_sequence
+	{
+	ASN1_OBJECT *type;
+	STACK_OF(X509) *certs;
+	} NETSCAPE_CERT_SEQUENCE;
+
+typedef struct CBCParameter_st
+	{
+	unsigned char iv[8];
+	} CBC_PARAM;
+
+/* Password based encryption structure */
+
+typedef struct PBEPARAM_st {
+ASN1_OCTET_STRING *salt;
+ASN1_INTEGER *iter;
+} PBEPARAM;
+
+/* Password based encryption V2 structures */
+
+typedef struct PBE2PARAM_st {
+X509_ALGOR *keyfunc;
+X509_ALGOR *encryption;
+} PBE2PARAM;
+
+typedef struct PBKDF2PARAM_st {
+ASN1_TYPE *salt;	/* Usually OCTET STRING but could be anything */
+ASN1_INTEGER *iter;
+ASN1_INTEGER *keylength;
+X509_ALGOR *prf;
+} PBKDF2PARAM;
+
+
+/* PKCS#8 private key info structure */
+
+typedef struct pkcs8_priv_key_info_st
+        {
+        int broken;     /* Flag for various broken formats */
+#define PKCS8_OK		0
+#define PKCS8_NO_OCTET		1
+#define PKCS8_EMBEDDED_PARAM	2
+#define PKCS8_NS_DB		3
+        ASN1_INTEGER *version;
+        X509_ALGOR *pkeyalg;
+        ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
+        STACK_OF(X509_ATTRIBUTE) *attributes;
+        } PKCS8_PRIV_KEY_INFO;
+
+#include <openssl/x509_vfy.h>
+#include <openssl/pkcs7.h>
+
+#ifdef SSLEAY_MACROS
+#define X509_verify(a,r) ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,\
+	a->signature,(char *)a->cert_info,r)
+#define X509_REQ_verify(a,r) ASN1_verify((int (*)())i2d_X509_REQ_INFO, \
+	a->sig_alg,a->signature,(char *)a->req_info,r)
+#define X509_CRL_verify(a,r) ASN1_verify((int (*)())i2d_X509_CRL_INFO, \
+	a->sig_alg, a->signature,(char *)a->crl,r)
+
+#define X509_sign(x,pkey,md) \
+	ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature, \
+		x->sig_alg, x->signature, (char *)x->cert_info,pkey,md)
+#define X509_REQ_sign(x,pkey,md) \
+	ASN1_sign((int (*)())i2d_X509_REQ_INFO,x->sig_alg, NULL, \
+		x->signature, (char *)x->req_info,pkey,md)
+#define X509_CRL_sign(x,pkey,md) \
+	ASN1_sign((int (*)())i2d_X509_CRL_INFO,x->crl->sig_alg,x->sig_alg, \
+		x->signature, (char *)x->crl,pkey,md)
+#define NETSCAPE_SPKI_sign(x,pkey,md) \
+	ASN1_sign((int (*)())i2d_NETSCAPE_SPKAC, x->sig_algor,NULL, \
+		x->signature, (char *)x->spkac,pkey,md)
+
+#define X509_dup(x509) (X509 *)ASN1_dup((int (*)())i2d_X509, \
+		(char *(*)())d2i_X509,(char *)x509)
+#define X509_ATTRIBUTE_dup(xa) (X509_ATTRIBUTE *)ASN1_dup(\
+		(int (*)())i2d_X509_ATTRIBUTE, \
+		(char *(*)())d2i_X509_ATTRIBUTE,(char *)xa)
+#define X509_EXTENSION_dup(ex) (X509_EXTENSION *)ASN1_dup( \
+		(int (*)())i2d_X509_EXTENSION, \
+		(char *(*)())d2i_X509_EXTENSION,(char *)ex)
+#define d2i_X509_fp(fp,x509) (X509 *)ASN1_d2i_fp((char *(*)())X509_new, \
+		(char *(*)())d2i_X509, (fp),(unsigned char **)(x509))
+#define i2d_X509_fp(fp,x509) ASN1_i2d_fp(i2d_X509,fp,(unsigned char *)x509)
+#define d2i_X509_bio(bp,x509) (X509 *)ASN1_d2i_bio((char *(*)())X509_new, \
+		(char *(*)())d2i_X509, (bp),(unsigned char **)(x509))
+#define i2d_X509_bio(bp,x509) ASN1_i2d_bio(i2d_X509,bp,(unsigned char *)x509)
+
+#define X509_CRL_dup(crl) (X509_CRL *)ASN1_dup((int (*)())i2d_X509_CRL, \
+		(char *(*)())d2i_X509_CRL,(char *)crl)
+#define d2i_X509_CRL_fp(fp,crl) (X509_CRL *)ASN1_d2i_fp((char *(*)()) \
+		X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),\
+		(unsigned char **)(crl))
+#define i2d_X509_CRL_fp(fp,crl) ASN1_i2d_fp(i2d_X509_CRL,fp,\
+		(unsigned char *)crl)
+#define d2i_X509_CRL_bio(bp,crl) (X509_CRL *)ASN1_d2i_bio((char *(*)()) \
+		X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),\
+		(unsigned char **)(crl))
+#define i2d_X509_CRL_bio(bp,crl) ASN1_i2d_bio(i2d_X509_CRL,bp,\
+		(unsigned char *)crl)
+
+#define PKCS7_dup(p7) (PKCS7 *)ASN1_dup((int (*)())i2d_PKCS7, \
+		(char *(*)())d2i_PKCS7,(char *)p7)
+#define d2i_PKCS7_fp(fp,p7) (PKCS7 *)ASN1_d2i_fp((char *(*)()) \
+		PKCS7_new,(char *(*)())d2i_PKCS7, (fp),\
+		(unsigned char **)(p7))
+#define i2d_PKCS7_fp(fp,p7) ASN1_i2d_fp(i2d_PKCS7,fp,\
+		(unsigned char *)p7)
+#define d2i_PKCS7_bio(bp,p7) (PKCS7 *)ASN1_d2i_bio((char *(*)()) \
+		PKCS7_new,(char *(*)())d2i_PKCS7, (bp),\
+		(unsigned char **)(p7))
+#define i2d_PKCS7_bio(bp,p7) ASN1_i2d_bio(i2d_PKCS7,bp,\
+		(unsigned char *)p7)
+
+#define X509_REQ_dup(req) (X509_REQ *)ASN1_dup((int (*)())i2d_X509_REQ, \
+		(char *(*)())d2i_X509_REQ,(char *)req)
+#define d2i_X509_REQ_fp(fp,req) (X509_REQ *)ASN1_d2i_fp((char *(*)())\
+		X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),\
+		(unsigned char **)(req))
+#define i2d_X509_REQ_fp(fp,req) ASN1_i2d_fp(i2d_X509_REQ,fp,\
+		(unsigned char *)req)
+#define d2i_X509_REQ_bio(bp,req) (X509_REQ *)ASN1_d2i_bio((char *(*)())\
+		X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),\
+		(unsigned char **)(req))
+#define i2d_X509_REQ_bio(bp,req) ASN1_i2d_bio(i2d_X509_REQ,bp,\
+		(unsigned char *)req)
+
+#define RSAPublicKey_dup(rsa) (RSA *)ASN1_dup((int (*)())i2d_RSAPublicKey, \
+		(char *(*)())d2i_RSAPublicKey,(char *)rsa)
+#define RSAPrivateKey_dup(rsa) (RSA *)ASN1_dup((int (*)())i2d_RSAPrivateKey, \
+		(char *(*)())d2i_RSAPrivateKey,(char *)rsa)
+
+#define d2i_RSAPrivateKey_fp(fp,rsa) (RSA *)ASN1_d2i_fp((char *(*)())\
+		RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp), \
+		(unsigned char **)(rsa))
+#define i2d_RSAPrivateKey_fp(fp,rsa) ASN1_i2d_fp(i2d_RSAPrivateKey,fp, \
+		(unsigned char *)rsa)
+#define d2i_RSAPrivateKey_bio(bp,rsa) (RSA *)ASN1_d2i_bio((char *(*)())\
+		RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp), \
+		(unsigned char **)(rsa))
+#define i2d_RSAPrivateKey_bio(bp,rsa) ASN1_i2d_bio(i2d_RSAPrivateKey,bp, \
+		(unsigned char *)rsa)
+
+#define d2i_RSAPublicKey_fp(fp,rsa) (RSA *)ASN1_d2i_fp((char *(*)())\
+		RSA_new,(char *(*)())d2i_RSAPublicKey, (fp), \
+		(unsigned char **)(rsa))
+#define i2d_RSAPublicKey_fp(fp,rsa) ASN1_i2d_fp(i2d_RSAPublicKey,fp, \
+		(unsigned char *)rsa)
+#define d2i_RSAPublicKey_bio(bp,rsa) (RSA *)ASN1_d2i_bio((char *(*)())\
+		RSA_new,(char *(*)())d2i_RSAPublicKey, (bp), \
+		(unsigned char **)(rsa))
+#define i2d_RSAPublicKey_bio(bp,rsa) ASN1_i2d_bio(i2d_RSAPublicKey,bp, \
+		(unsigned char *)rsa)
+
+#define d2i_DSAPrivateKey_fp(fp,dsa) (DSA *)ASN1_d2i_fp((char *(*)())\
+		DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp), \
+		(unsigned char **)(dsa))
+#define i2d_DSAPrivateKey_fp(fp,dsa) ASN1_i2d_fp(i2d_DSAPrivateKey,fp, \
+		(unsigned char *)dsa)
+#define d2i_DSAPrivateKey_bio(bp,dsa) (DSA *)ASN1_d2i_bio((char *(*)())\
+		DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp), \
+		(unsigned char **)(dsa))
+#define i2d_DSAPrivateKey_bio(bp,dsa) ASN1_i2d_bio(i2d_DSAPrivateKey,bp, \
+		(unsigned char *)dsa)
+
+#define X509_ALGOR_dup(xn) (X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,\
+		(char *(*)())d2i_X509_ALGOR,(char *)xn)
+
+#define X509_NAME_dup(xn) (X509_NAME *)ASN1_dup((int (*)())i2d_X509_NAME, \
+		(char *(*)())d2i_X509_NAME,(char *)xn)
+#define X509_NAME_ENTRY_dup(ne) (X509_NAME_ENTRY *)ASN1_dup( \
+		(int (*)())i2d_X509_NAME_ENTRY, \
+		(char *(*)())d2i_X509_NAME_ENTRY,\
+		(char *)ne)
+
+#define X509_digest(data,type,md,len) \
+	ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len)
+#define X509_NAME_digest(data,type,md,len) \
+	ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len)
+#ifndef PKCS7_ISSUER_AND_SERIAL_digest
+#define PKCS7_ISSUER_AND_SERIAL_digest(data,type,md,len) \
+	ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,\
+		(char *)data,md,len)
+#endif
+#endif
+
+#define X509_EXT_PACK_UNKNOWN	1
+#define X509_EXT_PACK_STRING	2
+
+#define		X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
+/* #define	X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
+#define		X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
+#define		X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
+#define		X509_extract_key(x)	X509_get_pubkey(x) /*****/
+#define		X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
+#define		X509_REQ_get_subject_name(x) ((x)->req_info->subject)
+#define		X509_REQ_extract_key(a)	X509_REQ_get_pubkey(a)
+#define		X509_name_cmp(a,b)	X509_NAME_cmp((a),(b))
+#define		X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
+
+#define		X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version)
+#define 	X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
+#define 	X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
+#define		X509_CRL_get_issuer(x) ((x)->crl->issuer)
+#define		X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
+
+/* This one is only used so that a binary form can output, as in
+ * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */
+#define 	X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
+
+
+const char *X509_verify_cert_error_string(long n);
+
+#ifndef SSLEAY_MACROS
+#ifdef HEADER_ENVELOPE_H
+int X509_verify(X509 *a, EVP_PKEY *r);
+
+int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
+int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
+
+NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
+char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
+
+int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
+
+int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
+
+int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
+int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
+	unsigned char *md,unsigned int *len);
+#endif
+
+#ifndef NO_FP_API
+X509 *d2i_X509_fp(FILE *fp, X509 **x509);
+int i2d_X509_fp(FILE *fp,X509 *x509);
+X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
+int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
+X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
+int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
+#ifndef NO_RSA
+RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
+int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
+RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
+int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
+RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
+int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
+#endif
+#ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
+int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
+DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
+int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
+#endif
+X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
+int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
+						PKCS8_PRIV_KEY_INFO **p8inf);
+int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
+int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
+#endif
+
+#ifdef HEADER_BIO_H
+X509 *d2i_X509_bio(BIO *bp,X509 **x509);
+int i2d_X509_bio(BIO *bp,X509 *x509);
+X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
+int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
+X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
+int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
+#ifndef NO_RSA
+RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
+int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
+RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
+int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
+RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
+int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
+#endif
+#ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
+int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
+DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
+int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
+#endif
+X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
+int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
+						PKCS8_PRIV_KEY_INFO **p8inf);
+int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
+int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
+#endif
+
+X509 *X509_dup(X509 *x509);
+X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
+X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
+X509_CRL *X509_CRL_dup(X509_CRL *crl);
+X509_REQ *X509_REQ_dup(X509_REQ *req);
+X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
+X509_NAME *X509_NAME_dup(X509_NAME *xn);
+X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
+#ifndef NO_RSA
+RSA *RSAPublicKey_dup(RSA *rsa);
+RSA *RSAPrivateKey_dup(RSA *rsa);
+#endif
+
+#endif /* !SSLEAY_MACROS */
+
+int		X509_cmp_current_time(ASN1_UTCTIME *s);
+ASN1_UTCTIME *	X509_gmtime_adj(ASN1_UTCTIME *s, long adj);
+
+const char *	X509_get_default_cert_area(void );
+const char *	X509_get_default_cert_dir(void );
+const char *	X509_get_default_cert_file(void );
+const char *	X509_get_default_cert_dir_env(void );
+const char *	X509_get_default_cert_file_env(void );
+const char *	X509_get_default_private_dir(void );
+
+X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+X509 *		X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
+void ERR_load_X509_strings(void );
+
+X509_ALGOR *	X509_ALGOR_new(void );
+void		X509_ALGOR_free(X509_ALGOR *a);
+int		i2d_X509_ALGOR(X509_ALGOR *a,unsigned char **pp);
+X509_ALGOR *	d2i_X509_ALGOR(X509_ALGOR **a,unsigned char **pp,
+			long length);
+
+X509_VAL *	X509_VAL_new(void );
+void		X509_VAL_free(X509_VAL *a);
+int		i2d_X509_VAL(X509_VAL *a,unsigned char **pp);
+X509_VAL *	d2i_X509_VAL(X509_VAL **a,unsigned char **pp,
+			long length);
+
+X509_PUBKEY *	X509_PUBKEY_new(void );
+void		X509_PUBKEY_free(X509_PUBKEY *a);
+int		i2d_X509_PUBKEY(X509_PUBKEY *a,unsigned char **pp);
+X509_PUBKEY *	d2i_X509_PUBKEY(X509_PUBKEY **a,unsigned char **pp,
+			long length);
+int		X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
+EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
+int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
+					   STACK_OF(X509) *chain);
+int		i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
+EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp,
+			long length);
+#ifndef NO_RSA
+int		i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
+RSA *		d2i_RSA_PUBKEY(RSA **a,unsigned char **pp,
+			long length);
+#endif
+#ifndef NO_DSA
+int		i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
+DSA *		d2i_DSA_PUBKEY(DSA **a,unsigned char **pp,
+			long length);
+#endif
+
+X509_SIG *	X509_SIG_new(void );
+void		X509_SIG_free(X509_SIG *a);
+int		i2d_X509_SIG(X509_SIG *a,unsigned char **pp);
+X509_SIG *	d2i_X509_SIG(X509_SIG **a,unsigned char **pp,long length);
+
+X509_REQ_INFO *X509_REQ_INFO_new(void);
+void		X509_REQ_INFO_free(X509_REQ_INFO *a);
+int		i2d_X509_REQ_INFO(X509_REQ_INFO *a,unsigned char **pp);
+X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a,unsigned char **pp,
+			long length);
+
+X509_REQ *	X509_REQ_new(void);
+void		X509_REQ_free(X509_REQ *a);
+int		i2d_X509_REQ(X509_REQ *a,unsigned char **pp);
+X509_REQ *	d2i_X509_REQ(X509_REQ **a,unsigned char **pp,long length);
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_new(void );
+void		X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
+int		i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a,unsigned char **pp);
+X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **a,unsigned char **pp,
+			long length);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
+
+
+X509_EXTENSION *X509_EXTENSION_new(void );
+void		X509_EXTENSION_free(X509_EXTENSION *a);
+int		i2d_X509_EXTENSION(X509_EXTENSION *a,unsigned char **pp);
+X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a,unsigned char **pp,
+			long length);
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);
+void		X509_NAME_ENTRY_free(X509_NAME_ENTRY *a);
+int		i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a,unsigned char **pp);
+X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a,unsigned char **pp,
+			long length);
+
+X509_NAME *	X509_NAME_new(void);
+void		X509_NAME_free(X509_NAME *a);
+int		i2d_X509_NAME(X509_NAME *a,unsigned char **pp);
+X509_NAME *	d2i_X509_NAME(X509_NAME **a,unsigned char **pp,long length);
+int		X509_NAME_set(X509_NAME **xn, X509_NAME *name);
+
+
+X509_CINF *	X509_CINF_new(void);
+void		X509_CINF_free(X509_CINF *a);
+int		i2d_X509_CINF(X509_CINF *a,unsigned char **pp);
+X509_CINF *	d2i_X509_CINF(X509_CINF **a,unsigned char **pp,long length);
+
+X509 *		X509_new(void);
+void		X509_free(X509 *a);
+int		i2d_X509(X509 *a,unsigned char **pp);
+X509 *		d2i_X509(X509 **a,unsigned char **pp,long length);
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int X509_set_ex_data(X509 *r, int idx, void *arg);
+void *X509_get_ex_data(X509 *r, int idx);
+int		i2d_X509_AUX(X509 *a,unsigned char **pp);
+X509 *		d2i_X509_AUX(X509 **a,unsigned char **pp,long length);
+
+X509_CERT_AUX *	X509_CERT_AUX_new(void);
+void		X509_CERT_AUX_free(X509_CERT_AUX *a);
+int		i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
+X509_CERT_AUX *	d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
+								long length);
+int X509_alias_set1(X509 *x, unsigned char *name, int len);
+unsigned char * X509_alias_get0(X509 *x, int *len);
+int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
+void X509_trust_clear(X509 *x);
+void X509_reject_clear(X509 *x);
+
+X509_REVOKED *	X509_REVOKED_new(void);
+void		X509_REVOKED_free(X509_REVOKED *a);
+int		i2d_X509_REVOKED(X509_REVOKED *a,unsigned char **pp);
+X509_REVOKED *	d2i_X509_REVOKED(X509_REVOKED **a,unsigned char **pp,long length);
+
+X509_CRL_INFO *X509_CRL_INFO_new(void);
+void		X509_CRL_INFO_free(X509_CRL_INFO *a);
+int		i2d_X509_CRL_INFO(X509_CRL_INFO *a,unsigned char **pp);
+X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a,unsigned char **pp,
+			long length);
+
+X509_CRL *	X509_CRL_new(void);
+void		X509_CRL_free(X509_CRL *a);
+int		i2d_X509_CRL(X509_CRL *a,unsigned char **pp);
+X509_CRL *	d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
+
+X509_PKEY *	X509_PKEY_new(void );
+void		X509_PKEY_free(X509_PKEY *a);
+int		i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
+X509_PKEY *	d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length);
+
+NETSCAPE_SPKI *	NETSCAPE_SPKI_new(void );
+void		NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
+int		i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a,unsigned char **pp);
+NETSCAPE_SPKI *	d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a,unsigned char **pp,
+			long length);
+
+NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void );
+void		NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a);
+int		i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a,unsigned char **pp);
+NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a,unsigned char **pp,
+		long length);
+
+
+int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp);
+NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void);
+NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, unsigned char **pp, long length);
+void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a);
+
+#ifdef HEADER_ENVELOPE_H
+X509_INFO *	X509_INFO_new(void);
+void		X509_INFO_free(X509_INFO *a);
+char *		X509_NAME_oneline(X509_NAME *a,char *buf,int size);
+
+int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
+	ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
+
+int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
+	unsigned char *md,unsigned int *len);
+
+int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
+	ASN1_BIT_STRING *signature,
+	char *data,EVP_PKEY *pkey, const EVP_MD *type);
+#endif
+
+int 		X509_set_version(X509 *x,long version);
+int 		X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
+ASN1_INTEGER *	X509_get_serialNumber(X509 *x);
+int 		X509_set_issuer_name(X509 *x, X509_NAME *name);
+X509_NAME *	X509_get_issuer_name(X509 *a);
+int 		X509_set_subject_name(X509 *x, X509_NAME *name);
+X509_NAME *	X509_get_subject_name(X509 *a);
+int 		X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm);
+int 		X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm);
+int 		X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
+EVP_PKEY *	X509_get_pubkey(X509 *x);
+int		X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
+
+int		X509_REQ_set_version(X509_REQ *x,long version);
+int		X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
+int		X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
+EVP_PKEY *	X509_REQ_get_pubkey(X509_REQ *req);
+int		X509_REQ_extension_nid(int nid);
+int *		X509_REQ_get_extension_nids(void);
+void		X509_REQ_set_extension_nids(int *nids);
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
+int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
+				int nid);
+int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
+int X509_REQ_get_attr_count(const X509_REQ *req);
+int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
+			  int lastpos);
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
+			  int lastpos);
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
+X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
+int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len);
+int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+			int nid, int type,
+			unsigned char *bytes, int len);
+int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+			char *attrname, int type,
+			unsigned char *bytes, int len);
+
+int		X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
+
+int		X509_issuer_and_serial_cmp(X509 *a, X509 *b);
+unsigned long	X509_issuer_and_serial_hash(X509 *a);
+
+int		X509_issuer_name_cmp(X509 *a, X509 *b);
+unsigned long	X509_issuer_name_hash(X509 *a);
+
+int		X509_subject_name_cmp(X509 *a,X509 *b);
+unsigned long	X509_subject_name_hash(X509 *x);
+
+int		X509_cmp (X509 *a, X509 *b);
+int		X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
+unsigned long	X509_NAME_hash(X509_NAME *x);
+
+int		X509_CRL_cmp(X509_CRL *a,X509_CRL *b);
+#ifndef NO_FP_API
+int		X509_print_fp(FILE *bp,X509 *x);
+int		X509_CRL_print_fp(FILE *bp,X509_CRL *x);
+int		X509_REQ_print_fp(FILE *bp,X509_REQ *req);
+#endif
+
+#ifdef HEADER_BIO_H
+int		X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
+int		X509_print(BIO *bp,X509 *x);
+int		X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
+int		X509_CRL_print(BIO *bp,X509_CRL *x);
+int		X509_REQ_print(BIO *bp,X509_REQ *req);
+#endif
+
+int 		X509_NAME_entry_count(X509_NAME *name);
+int 		X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
+			char *buf,int len);
+int		X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
+			char *buf,int len);
+
+/* NOTE: you should be passsing -1, not 0 as lastpos.  The functions that use
+ * lastpos, search after that position on. */
+int 		X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
+int 		X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
+			int lastpos);
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
+X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
+int 		X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
+			int loc, int set);
+int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
+			unsigned char *bytes, int len, int loc, int set);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
+		char *field, int type, unsigned char *bytes, int len);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
+			int type,unsigned char *bytes, int len);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+			unsigned char *bytes, int len, int loc, int set);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
+			ASN1_OBJECT *obj, int type,unsigned char *bytes,
+			int len);
+int 		X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
+			ASN1_OBJECT *obj);
+int 		X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
+			unsigned char *bytes, int len);
+ASN1_OBJECT *	X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
+ASN1_STRING *	X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
+
+int		X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
+int		X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
+				      int nid, int lastpos);
+int		X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
+				      ASN1_OBJECT *obj,int lastpos);
+int		X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
+					   int crit, int lastpos);
+X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
+X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
+STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
+					 X509_EXTENSION *ex, int loc);
+
+int		X509_get_ext_count(X509 *x);
+int		X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
+int		X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
+int		X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
+X509_EXTENSION *X509_get_ext(X509 *x, int loc);
+X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
+int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
+void	*	X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
+
+int		X509_CRL_get_ext_count(X509_CRL *x);
+int		X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
+int		X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
+int		X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
+X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
+int		X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
+void	*	X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
+
+int		X509_REVOKED_get_ext_count(X509_REVOKED *x);
+int		X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
+int		X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
+int		X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
+X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
+X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
+int		X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+void	*	X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
+
+X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
+			int nid, int crit, ASN1_OCTET_STRING *data);
+X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
+			ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data);
+int		X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj);
+int		X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
+int		X509_EXTENSION_set_data(X509_EXTENSION *ex,
+			ASN1_OCTET_STRING *data);
+ASN1_OBJECT *	X509_EXTENSION_get_object(X509_EXTENSION *ex);
+ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
+int		X509_EXTENSION_get_critical(X509_EXTENSION *ex);
+
+int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
+int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+			  int lastpos);
+int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
+			  int lastpos);
+X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
+X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+					 X509_ATTRIBUTE *attr);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+			int nid, int type,
+			unsigned char *bytes, int len);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+			char *attrname, int type,
+			unsigned char *bytes, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+	     int atrtype, void *data, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+	     ASN1_OBJECT *obj, int atrtype, void *data, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+		char *atrname, int type, unsigned char *bytes, int len);
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj);
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len);
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+					int atrtype, void *data);
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
+ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+
+int		X509_verify_cert(X509_STORE_CTX *ctx);
+
+/* lookup a cert from a X509 STACK */
+X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
+				     ASN1_INTEGER *serial);
+X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
+
+int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp);
+PBEPARAM *PBEPARAM_new(void);
+PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length);
+void PBEPARAM_free(PBEPARAM *a);
+X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, int saltlen);
+X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
+					 unsigned char *salt, int saltlen);
+
+int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp);
+PBKDF2PARAM *PBKDF2PARAM_new(void);
+PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp, long length);
+void PBKDF2PARAM_free(PBKDF2PARAM *a);
+
+int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp);
+PBE2PARAM *PBE2PARAM_new(void);
+PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length);
+void PBE2PARAM_free(PBE2PARAM *a);
+
+/* PKCS#8 utilities */
+
+int i2d_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO *a, unsigned char **pp);
+PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
+					 unsigned char **pp, long length);
+void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *a);
+
+EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
+PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
+
+int X509_check_trust(X509 *x, int id, int flags);
+int X509_TRUST_get_count(void);
+X509_TRUST * X509_TRUST_get0(int idx);
+int X509_TRUST_get_by_id(int id);
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+					char *name, int arg1, void *arg2);
+void X509_TRUST_cleanup(void);
+int X509_TRUST_get_flags(X509_TRUST *xp);
+char *X509_TRUST_get0_name(X509_TRUST *xp);
+int X509_TRUST_get_trust(X509_TRUST *xp);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the X509 functions. */
+
+/* Function codes. */
+#define X509_F_ADD_CERT_DIR				 100
+#define X509_F_BY_FILE_CTRL				 101
+#define X509_F_DIR_CTRL					 102
+#define X509_F_GET_CERT_BY_SUBJECT			 103
+#define X509_F_NETSCAPE_SPKI_B64_DECODE			 129
+#define X509_F_NETSCAPE_SPKI_B64_ENCODE			 130
+#define X509_F_X509V3_ADD_EXT				 104
+#define X509_F_X509_ADD_ATTR				 135
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID		 136
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ		 137
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT		 140
+#define X509_F_X509_ATTRIBUTE_GET0_DATA			 139
+#define X509_F_X509_ATTRIBUTE_SET1_DATA			 138
+#define X509_F_X509_CHECK_PRIVATE_KEY			 128
+#define X509_F_X509_EXTENSION_CREATE_BY_NID		 108
+#define X509_F_X509_EXTENSION_CREATE_BY_OBJ		 109
+#define X509_F_X509_GET_PUBKEY_PARAMETERS		 110
+#define X509_F_X509_LOAD_CERT_CRL_FILE			 132
+#define X509_F_X509_LOAD_CERT_FILE			 111
+#define X509_F_X509_LOAD_CRL_FILE			 112
+#define X509_F_X509_NAME_ADD_ENTRY			 113
+#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID		 114
+#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT		 131
+#define X509_F_X509_NAME_ENTRY_SET_OBJECT		 115
+#define X509_F_X509_NAME_ONELINE			 116
+#define X509_F_X509_NAME_PRINT				 117
+#define X509_F_X509_PRINT_FP				 118
+#define X509_F_X509_PUBKEY_GET				 119
+#define X509_F_X509_PUBKEY_SET				 120
+#define X509_F_X509_REQ_PRINT				 121
+#define X509_F_X509_REQ_PRINT_FP			 122
+#define X509_F_X509_REQ_TO_X509				 123
+#define X509_F_X509_STORE_ADD_CERT			 124
+#define X509_F_X509_STORE_ADD_CRL			 125
+#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
+#define X509_F_X509_TO_X509_REQ				 126
+#define X509_F_X509_TRUST_ADD				 133
+#define X509_F_X509_VERIFY_CERT				 127
+
+/* Reason codes. */
+#define X509_R_BAD_X509_FILETYPE			 100
+#define X509_R_BASE64_DECODE_ERROR			 118
+#define X509_R_CANT_CHECK_DH_KEY			 114
+#define X509_R_CERT_ALREADY_IN_HASH_TABLE		 101
+#define X509_R_ERR_ASN1_LIB				 102
+#define X509_R_INVALID_DIRECTORY			 113
+#define X509_R_INVALID_FIELD_NAME			 119
+#define X509_R_KEY_TYPE_MISMATCH			 115
+#define X509_R_KEY_VALUES_MISMATCH			 116
+#define X509_R_LOADING_CERT_DIR				 103
+#define X509_R_LOADING_DEFAULTS				 104
+#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY		 105
+#define X509_R_SHOULD_RETRY				 106
+#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN	 107
+#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
+#define X509_R_UNKNOWN_KEY_TYPE				 117
+#define X509_R_UNKNOWN_NID				 109
+#define X509_R_UNKNOWN_PURPOSE_ID			 121
+#define X509_R_UNKNOWN_TRUST_ID				 120
+#define X509_R_UNSUPPORTED_ALGORITHM			 111
+#define X509_R_WRONG_LOOKUP_TYPE			 112
+#define X509_R_WRONG_TYPE				 122
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/x509/x509_att.c b/crypto/openssl/crypto/x509/x509_att.c
new file mode 100644
index 0000000..caafde6
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_att.c
@@ -0,0 +1,326 @@
+/* crypto/x509/x509_att.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
+{
+	if (!x) return 0;
+	return(sk_X509_ATTRIBUTE_num(x));
+}
+
+int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+			  int lastpos)
+{
+	ASN1_OBJECT *obj;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL) return(-2);
+	return(X509at_get_attr_by_OBJ(x,obj,lastpos));
+}
+
+int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
+			  int lastpos)
+{
+	int n;
+	X509_ATTRIBUTE *ex;
+
+	if (sk == NULL) return(-1);
+	lastpos++;
+	if (lastpos < 0)
+		lastpos=0;
+	n=sk_X509_ATTRIBUTE_num(sk);
+	for ( ; lastpos < n; lastpos++)
+		{
+		ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
+		if (OBJ_cmp(ex->object,obj) == 0)
+			return(lastpos);
+		}
+	return(-1);
+}
+
+X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+	if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+		return NULL;
+	else
+		return sk_X509_ATTRIBUTE_value(x,loc);
+}
+
+X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+	X509_ATTRIBUTE *ret;
+
+	if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+		return(NULL);
+	ret=sk_X509_ATTRIBUTE_delete(x,loc);
+	return(ret);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+					 X509_ATTRIBUTE *attr)
+{
+	X509_ATTRIBUTE *new_attr=NULL;
+	STACK_OF(X509_ATTRIBUTE) *sk=NULL;
+
+	if ((x != NULL) && (*x == NULL))
+		{
+		if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
+			goto err;
+		}
+	else
+		sk= *x;
+
+	if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
+		goto err2;
+	if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
+		goto err;
+	if ((x != NULL) && (*x == NULL))
+		*x=sk;
+	return(sk);
+err:
+	X509err(X509_F_X509_ADD_ATTR,ERR_R_MALLOC_FAILURE);
+err2:
+	if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
+	if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
+	return(NULL);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len)
+{
+	X509_ATTRIBUTE *attr;
+	STACK_OF(X509_ATTRIBUTE) *ret;
+	attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
+	if(!attr) return 0;
+	ret = X509at_add1_attr(x, attr);
+	X509_ATTRIBUTE_free(attr);
+	return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+			int nid, int type,
+			unsigned char *bytes, int len)
+{
+	X509_ATTRIBUTE *attr;
+	STACK_OF(X509_ATTRIBUTE) *ret;
+	attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
+	if(!attr) return 0;
+	ret = X509at_add1_attr(x, attr);
+	X509_ATTRIBUTE_free(attr);
+	return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+			char *attrname, int type,
+			unsigned char *bytes, int len)
+{
+	X509_ATTRIBUTE *attr;
+	STACK_OF(X509_ATTRIBUTE) *ret;
+	attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
+	if(!attr) return 0;
+	ret = X509at_add1_attr(x, attr);
+	X509_ATTRIBUTE_free(attr);
+	return ret;
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+	     int atrtype, void *data, int len)
+{
+	ASN1_OBJECT *obj;
+	X509_ATTRIBUTE *ret;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
+		return(NULL);
+		}
+	ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
+	if (ret == NULL) ASN1_OBJECT_free(obj);
+	return(ret);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+	     ASN1_OBJECT *obj, int atrtype, void *data, int len)
+{
+	X509_ATTRIBUTE *ret;
+
+	if ((attr == NULL) || (*attr == NULL))
+		{
+		if ((ret=X509_ATTRIBUTE_new()) == NULL)
+			{
+			X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		}
+	else
+		ret= *attr;
+
+	if (!X509_ATTRIBUTE_set1_object(ret,obj))
+		goto err;
+	if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
+		goto err;
+	
+	if ((attr != NULL) && (*attr == NULL)) *attr=ret;
+	return(ret);
+err:
+	if ((attr == NULL) || (ret != *attr))
+		X509_ATTRIBUTE_free(ret);
+	return(NULL);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+		char *atrname, int type, unsigned char *bytes, int len)
+	{
+	ASN1_OBJECT *obj;
+	X509_ATTRIBUTE *nattr;
+
+	obj=OBJ_txt2obj(atrname, 0);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
+						X509_R_INVALID_FIELD_NAME);
+		ERR_add_error_data(2, "name=", atrname);
+		return(NULL);
+		}
+	nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
+	ASN1_OBJECT_free(obj);
+	return nattr;
+	}
+
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+{
+	if ((attr == NULL) || (obj == NULL))
+		return(0);
+	ASN1_OBJECT_free(attr->object);
+	attr->object=OBJ_dup(obj);
+	return(1);
+}
+
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+{
+	ASN1_TYPE *ttmp;
+	ASN1_STRING *stmp;
+	int atype;
+	if (!attr) return 0;
+	if(attrtype & MBSTRING_FLAG) {
+		stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
+						OBJ_obj2nid(attr->object));
+		if(!stmp) {
+			X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
+			return 0;
+		}
+		atype = stmp->type;
+	} else {
+		if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
+		if(!ASN1_STRING_set(stmp, data, len)) goto err;
+		atype = attrtype;
+	}
+	if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+	if(!(ttmp = ASN1_TYPE_new())) goto err;
+	if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
+	attr->set = 1;
+	ASN1_TYPE_set(ttmp, atype, stmp);
+	return 1;
+	err:
+	X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
+	return 0;
+}
+
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
+{
+	if(attr->set) return sk_ASN1_TYPE_num(attr->value.set);
+	if(attr->value.single) return 1;
+	return 0;
+}
+
+ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
+{
+	if (attr == NULL) return(NULL);
+	return(attr->object);
+}
+
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+					int atrtype, void *data)
+{
+	ASN1_TYPE *ttmp;
+	ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
+	if(!ttmp) return NULL;
+	if(atrtype != ASN1_TYPE_get(ttmp)){
+		X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
+		return NULL;
+	}
+	return ttmp->value.ptr;
+}
+
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
+{
+	if (attr == NULL) return(NULL);
+	if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
+	if(attr->set) return sk_ASN1_TYPE_value(attr->value.set, idx);
+	else return attr->value.single;
+}
diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c
new file mode 100644
index 0000000..a8a5ca8
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_cmp.c
@@ -0,0 +1,308 @@
+/* crypto/x509/x509_cmp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
+	{
+	int i;
+	X509_CINF *ai,*bi;
+
+	ai=a->cert_info;
+	bi=b->cert_info;
+	i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
+	if (i) return(i);
+	return(X509_NAME_cmp(ai->issuer,bi->issuer));
+	}
+
+#ifndef NO_MD5
+unsigned long X509_issuer_and_serial_hash(X509 *a)
+	{
+	unsigned long ret=0;
+	MD5_CTX ctx;
+	unsigned char md[16];
+	char str[256];
+
+	X509_NAME_oneline(a->cert_info->issuer,str,256);
+	ret=strlen(str);
+	MD5_Init(&ctx);
+	MD5_Update(&ctx,(unsigned char *)str,ret);
+	MD5_Update(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+		(unsigned long)a->cert_info->serialNumber->length);
+	MD5_Final(&(md[0]),&ctx);
+	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+		)&0xffffffffL;
+	return(ret);
+	}
+#endif
+	
+int X509_issuer_name_cmp(X509 *a, X509 *b)
+	{
+	return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
+	}
+
+int X509_subject_name_cmp(X509 *a, X509 *b)
+	{
+	return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
+	}
+
+int X509_CRL_cmp(X509_CRL *a, X509_CRL *b)
+	{
+	return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
+	}
+
+X509_NAME *X509_get_issuer_name(X509 *a)
+	{
+	return(a->cert_info->issuer);
+	}
+
+unsigned long X509_issuer_name_hash(X509 *x)
+	{
+	return(X509_NAME_hash(x->cert_info->issuer));
+	}
+
+X509_NAME *X509_get_subject_name(X509 *a)
+	{
+	return(a->cert_info->subject);
+	}
+
+ASN1_INTEGER *X509_get_serialNumber(X509 *a)
+	{
+	return(a->cert_info->serialNumber);
+	}
+
+unsigned long X509_subject_name_hash(X509 *x)
+	{
+	return(X509_NAME_hash(x->cert_info->subject));
+	}
+
+#ifndef NO_SHA
+/* Compare two certificates: they must be identical for
+ * this to work.
+ */
+int X509_cmp(X509 *a, X509 *b)
+{
+	/* ensure hash is valid */
+	X509_check_purpose(a, -1, 0);
+	X509_check_purpose(b, -1, 0);
+
+	return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+}
+#endif
+
+int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
+	{
+	int i,j;
+	X509_NAME_ENTRY *na,*nb;
+
+	if (sk_X509_NAME_ENTRY_num(a->entries)
+	    != sk_X509_NAME_ENTRY_num(b->entries))
+		return sk_X509_NAME_ENTRY_num(a->entries)
+		  -sk_X509_NAME_ENTRY_num(b->entries);
+	for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
+		{
+		na=sk_X509_NAME_ENTRY_value(a->entries,i);
+		nb=sk_X509_NAME_ENTRY_value(b->entries,i);
+		j=na->value->length-nb->value->length;
+		if (j) return(j);
+		j=memcmp(na->value->data,nb->value->data,
+			na->value->length);
+		if (j) return(j);
+		j=na->set-nb->set;
+		if (j) return(j);
+		}
+
+	/* We will check the object types after checking the values
+	 * since the values will more often be different than the object
+	 * types. */
+	for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
+		{
+		na=sk_X509_NAME_ENTRY_value(a->entries,i);
+		nb=sk_X509_NAME_ENTRY_value(b->entries,i);
+		j=OBJ_cmp(na->object,nb->object);
+		if (j) return(j);
+		}
+	return(0);
+	}
+
+#ifndef NO_MD5
+/* I now DER encode the name and hash it.  Since I cache the DER encoding,
+ * this is reasonably efficient. */
+unsigned long X509_NAME_hash(X509_NAME *x)
+	{
+	unsigned long ret=0;
+	unsigned char md[16];
+	unsigned char str[256],*p,*pp;
+	int i;
+
+	i=i2d_X509_NAME(x,NULL);
+	if (i > sizeof(str))
+		p=Malloc(i);
+	else
+		p=str;
+
+	pp=p;
+	i2d_X509_NAME(x,&pp);
+	MD5((unsigned char *)p,i,&(md[0]));
+	if (p != str) Free(p);
+
+	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+		)&0xffffffffL;
+	return(ret);
+	}
+#endif
+
+/* Search a stack of X509 for a match */
+X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
+		ASN1_INTEGER *serial)
+	{
+	int i;
+	X509_CINF cinf;
+	X509 x,*x509=NULL;
+
+	if(!sk) return NULL;
+
+	x.cert_info= &cinf;
+	cinf.serialNumber=serial;
+	cinf.issuer=name;
+
+	for (i=0; i<sk_X509_num(sk); i++)
+		{
+		x509=sk_X509_value(sk,i);
+		if (X509_issuer_and_serial_cmp(x509,&x) == 0)
+			return(x509);
+		}
+	return(NULL);
+	}
+
+X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
+	{
+	X509 *x509;
+	int i;
+
+	for (i=0; i<sk_X509_num(sk); i++)
+		{
+		x509=sk_X509_value(sk,i);
+		if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
+			return(x509);
+		}
+	return(NULL);
+	}
+
+EVP_PKEY *X509_get_pubkey(X509 *x)
+	{
+	if ((x == NULL) || (x->cert_info == NULL))
+		return(NULL);
+	return(X509_PUBKEY_get(x->cert_info->key));
+	}
+
+int X509_check_private_key(X509 *x, EVP_PKEY *k)
+	{
+	EVP_PKEY *xk=NULL;
+	int ok=0;
+
+	xk=X509_get_pubkey(x);
+	if (xk->type != k->type)
+	    {
+	    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
+	    goto err;
+	    }
+	switch (k->type)
+		{
+#ifndef NO_RSA
+	case EVP_PKEY_RSA:
+		if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
+		    || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
+		    {
+		    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		    goto err;
+		    }
+		break;
+#endif
+#ifndef NO_DSA
+	case EVP_PKEY_DSA:
+		if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
+		    {
+		    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		    goto err;
+		    }
+		break;
+#endif
+#ifndef NO_DH
+	case EVP_PKEY_DH:
+		/* No idea */
+	        X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
+		goto err;
+#endif
+	default:
+	        X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
+		goto err;
+		}
+
+	ok=1;
+err:
+	EVP_PKEY_free(xk);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/x509/x509_d2.c b/crypto/openssl/crypto/x509/x509_d2.c
new file mode 100644
index 0000000..753d53e
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_d2.c
@@ -0,0 +1,107 @@
+/* crypto/x509/x509_d2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+
+#ifndef NO_STDIO
+int X509_STORE_set_default_paths(X509_STORE *ctx)
+	{
+	X509_LOOKUP *lookup;
+
+	lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
+	if (lookup == NULL) return(0);
+	X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+	lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
+	if (lookup == NULL) return(0);
+	X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+	
+	/* clear any errors */
+	ERR_clear_error();
+
+	return(1);
+	}
+
+int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
+		const char *path)
+	{
+	X509_LOOKUP *lookup;
+
+	if (file != NULL)
+		{
+		lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
+		if (lookup == NULL) return(0);
+		if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
+		    return(0);
+		}
+	if (path != NULL)
+		{
+		lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
+		if (lookup == NULL) return(0);
+		if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
+		    return(0);
+		}
+	if ((path == NULL) && (file == NULL))
+		return(0);
+	return(1);
+	}
+
+#endif
diff --git a/crypto/openssl/crypto/x509/x509_def.c b/crypto/openssl/crypto/x509/x509_def.c
new file mode 100644
index 0000000..e0ac151a
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_def.c
@@ -0,0 +1,81 @@
+/* crypto/x509/x509_def.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+
+const char *X509_get_default_private_dir(void)
+	{ return(X509_PRIVATE_DIR); }
+	
+const char *X509_get_default_cert_area(void)
+	{ return(X509_CERT_AREA); }
+
+const char *X509_get_default_cert_dir(void)
+	{ return(X509_CERT_DIR); }
+
+const char *X509_get_default_cert_file(void)
+	{ return(X509_CERT_FILE); }
+
+const char *X509_get_default_cert_dir_env(void)
+	{ return(X509_CERT_DIR_EVP); }
+
+const char *X509_get_default_cert_file_env(void)
+	{ return(X509_CERT_FILE_EVP); }
+
diff --git a/crypto/openssl/crypto/x509/x509_err.c b/crypto/openssl/crypto/x509/x509_err.c
new file mode 100644
index 0000000..848add5
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_err.c
@@ -0,0 +1,152 @@
+/* crypto/x509/x509_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA X509_str_functs[]=
+	{
+{ERR_PACK(0,X509_F_ADD_CERT_DIR,0),	"ADD_CERT_DIR"},
+{ERR_PACK(0,X509_F_BY_FILE_CTRL,0),	"BY_FILE_CTRL"},
+{ERR_PACK(0,X509_F_DIR_CTRL,0),	"DIR_CTRL"},
+{ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0),	"GET_CERT_BY_SUBJECT"},
+{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0),	"NETSCAPE_SPKI_b64_decode"},
+{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0),	"NETSCAPE_SPKI_b64_encode"},
+{ERR_PACK(0,X509_F_X509V3_ADD_EXT,0),	"X509v3_add_ext"},
+{ERR_PACK(0,X509_F_X509_ADD_ATTR,0),	"X509_ADD_ATTR"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0),	"X509_ATTRIBUTE_create_by_NID"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0),	"X509_ATTRIBUTE_create_by_OBJ"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0),	"X509_ATTRIBUTE_create_by_txt"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0),	"X509_ATTRIBUTE_get0_data"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0),	"X509_ATTRIBUTE_set1_data"},
+{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),	"X509_check_private_key"},
+{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),	"X509_EXTENSION_create_by_NID"},
+{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),	"X509_EXTENSION_create_by_OBJ"},
+{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),	"X509_get_pubkey_parameters"},
+{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0),	"X509_load_cert_crl_file"},
+{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0),	"X509_load_cert_file"},
+{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0),	"X509_load_crl_file"},
+{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0),	"X509_NAME_add_entry"},
+{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0),	"X509_NAME_ENTRY_create_by_NID"},
+{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0),	"X509_NAME_ENTRY_create_by_txt"},
+{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0),	"X509_NAME_ENTRY_set_object"},
+{ERR_PACK(0,X509_F_X509_NAME_ONELINE,0),	"X509_NAME_oneline"},
+{ERR_PACK(0,X509_F_X509_NAME_PRINT,0),	"X509_NAME_print"},
+{ERR_PACK(0,X509_F_X509_PRINT_FP,0),	"X509_print_fp"},
+{ERR_PACK(0,X509_F_X509_PUBKEY_GET,0),	"X509_PUBKEY_get"},
+{ERR_PACK(0,X509_F_X509_PUBKEY_SET,0),	"X509_PUBKEY_set"},
+{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),	"X509_REQ_print"},
+{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),	"X509_REQ_print_fp"},
+{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
+{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
+{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
+{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
+{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
+{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA X509_str_reasons[]=
+	{
+{X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
+{X509_R_BASE64_DECODE_ERROR              ,"base64 decode error"},
+{X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
+{X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
+{X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
+{X509_R_INVALID_DIRECTORY                ,"invalid directory"},
+{X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
+{X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
+{X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
+{X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
+{X509_R_LOADING_DEFAULTS                 ,"loading defaults"},
+{X509_R_NO_CERT_SET_FOR_US_TO_VERIFY     ,"no cert set for us to verify"},
+{X509_R_SHOULD_RETRY                     ,"should retry"},
+{X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"},
+{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
+{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
+{X509_R_UNKNOWN_NID                      ,"unknown nid"},
+{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
+{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
+{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
+{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
+{X509_R_WRONG_TYPE                       ,"wrong type"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_X509_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_X509,X509_str_functs);
+		ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/x509/x509_ext.c b/crypto/openssl/crypto/x509/x509_ext.c
new file mode 100644
index 0000000..2955989
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_ext.c
@@ -0,0 +1,191 @@
+/* crypto/x509/x509_ext.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+
+int X509_CRL_get_ext_count(X509_CRL *x)
+	{
+	return(X509v3_get_ext_count(x->crl->extensions));
+	}
+
+int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
+	{
+	return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
+	}
+
+int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
+	{
+	return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
+	}
+
+int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
+	{
+	return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
+	}
+
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
+	{
+	return(X509v3_get_ext(x->crl->extensions,loc));
+	}
+
+X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
+	{
+	return(X509v3_delete_ext(x->crl->extensions,loc));
+	}
+
+void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
+}
+
+int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
+	{
+	return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
+	}
+
+int X509_get_ext_count(X509 *x)
+	{
+	return(X509v3_get_ext_count(x->cert_info->extensions));
+	}
+
+int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
+	{
+	return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
+	}
+
+int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
+	{
+	return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
+	}
+
+int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
+	{
+	return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
+	}
+
+X509_EXTENSION *X509_get_ext(X509 *x, int loc)
+	{
+	return(X509v3_get_ext(x->cert_info->extensions,loc));
+	}
+
+X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
+	{
+	return(X509v3_delete_ext(x->cert_info->extensions,loc));
+	}
+
+int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
+	{
+	return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
+	}
+
+void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
+}
+
+int X509_REVOKED_get_ext_count(X509_REVOKED *x)
+	{
+	return(X509v3_get_ext_count(x->extensions));
+	}
+
+int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
+	{
+	return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
+	}
+
+int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
+	     int lastpos)
+	{
+	return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
+	}
+
+int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
+	{
+	return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
+	}
+
+X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
+	{
+	return(X509v3_get_ext(x->extensions,loc));
+	}
+
+X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
+	{
+	return(X509v3_delete_ext(x->extensions,loc));
+	}
+
+int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
+	{
+	return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
+	}
+
+void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->extensions, nid, crit, idx);
+}
+
+IMPLEMENT_STACK_OF(X509_EXTENSION)
+IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/crypto/openssl/crypto/x509/x509_lu.c b/crypto/openssl/crypto/x509/x509_lu.c
new file mode 100644
index 0000000..a20006d
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_lu.c
@@ -0,0 +1,427 @@
+/* crypto/x509/x509_lu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/x509.h>
+
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_meth=NULL;
+
+X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
+	{
+	X509_LOOKUP *ret;
+
+	ret=(X509_LOOKUP *)Malloc(sizeof(X509_LOOKUP));
+	if (ret == NULL) return(NULL);
+
+	ret->init=0;
+	ret->skip=0;
+	ret->method=method;
+	ret->method_data=NULL;
+	ret->store_ctx=NULL;
+	if ((method->new_item != NULL) && !method->new_item(ret))
+		{
+		Free(ret);
+		return(NULL);
+		}
+	return(ret);
+	}
+
+void X509_LOOKUP_free(X509_LOOKUP *ctx)
+	{
+	if (ctx == NULL) return;
+	if (	(ctx->method != NULL) &&
+		(ctx->method->free != NULL))
+		ctx->method->free(ctx);
+	Free(ctx);
+	}
+
+int X509_LOOKUP_init(X509_LOOKUP *ctx)
+	{
+	if (ctx->method == NULL) return(0);
+	if (ctx->method->init != NULL)
+		return(ctx->method->init(ctx));
+	else
+		return(1);
+	}
+
+int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
+	{
+	if (ctx->method == NULL) return(0);
+	if (ctx->method->shutdown != NULL)
+		return(ctx->method->shutdown(ctx));
+	else
+		return(1);
+	}
+
+int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
+	     char **ret)
+	{
+	if (ctx->method == NULL) return(-1);
+	if (ctx->method->ctrl != NULL)
+		return(ctx->method->ctrl(ctx,cmd,argc,argl,ret));
+	else
+		return(1);
+	}
+
+int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
+	     X509_OBJECT *ret)
+	{
+	if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
+		return(X509_LU_FAIL);
+	if (ctx->skip) return(0);
+	return(ctx->method->get_by_subject(ctx,type,name,ret));
+	}
+
+int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
+	     ASN1_INTEGER *serial, X509_OBJECT *ret)
+	{
+	if ((ctx->method == NULL) ||
+		(ctx->method->get_by_issuer_serial == NULL))
+		return(X509_LU_FAIL);
+	return(ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret));
+	}
+
+int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+	     unsigned char *bytes, int len, X509_OBJECT *ret)
+	{
+	if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
+		return(X509_LU_FAIL);
+	return(ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret));
+	}
+
+int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
+	     X509_OBJECT *ret)
+	{
+	if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
+		return(X509_LU_FAIL);
+	return(ctx->method->get_by_alias(ctx,type,str,len,ret));
+	}
+
+static unsigned long x509_object_hash(X509_OBJECT *a)
+	{
+	unsigned long h;
+
+	switch (a->type)
+		{
+	case X509_LU_X509:
+		h=X509_NAME_hash(a->data.x509->cert_info->subject);
+		break;
+	case X509_LU_CRL:
+		h=X509_NAME_hash(a->data.crl->crl->issuer);
+		break;
+	default:
+		abort();
+		}
+	return(h);
+	}
+
+static int x509_object_cmp(X509_OBJECT *a, X509_OBJECT *b)
+	{
+	int ret;
+
+	ret=(a->type - b->type);
+	if (ret) return(ret);
+	switch (a->type)
+		{
+	case X509_LU_X509:
+		ret=X509_subject_name_cmp(a->data.x509,b->data.x509);
+		break;
+	case X509_LU_CRL:
+		ret=X509_CRL_cmp(a->data.crl,b->data.crl);
+		break;
+	default:
+		abort();
+		}
+	return(ret);
+	}
+
+X509_STORE *X509_STORE_new(void)
+	{
+	X509_STORE *ret;
+
+	if ((ret=(X509_STORE *)Malloc(sizeof(X509_STORE))) == NULL)
+		return(NULL);
+	ret->certs=lh_new(x509_object_hash,x509_object_cmp);
+	ret->cache=1;
+	ret->get_cert_methods=sk_X509_LOOKUP_new_null();
+	ret->verify=NULL;
+	ret->verify_cb=NULL;
+	memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
+	ret->references=1;
+	ret->depth=0;
+	return(ret);
+	}
+
+static void cleanup(X509_OBJECT *a)
+	{
+	if (a->type == X509_LU_X509)
+		{
+		X509_free(a->data.x509);
+		}
+	else if (a->type == X509_LU_CRL)
+		{
+		X509_CRL_free(a->data.crl);
+		}
+	else
+		abort();
+
+	Free(a);
+	}
+
+void X509_STORE_free(X509_STORE *vfy)
+	{
+	int i;
+	STACK_OF(X509_LOOKUP) *sk;
+	X509_LOOKUP *lu;
+
+	if(vfy == NULL)
+	    return;
+
+	sk=vfy->get_cert_methods;
+	for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
+		{
+		lu=sk_X509_LOOKUP_value(sk,i);
+		X509_LOOKUP_shutdown(lu);
+		X509_LOOKUP_free(lu);
+		}
+	sk_X509_LOOKUP_free(sk);
+
+	CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
+	lh_doall(vfy->certs,cleanup);
+	lh_free(vfy->certs);
+	Free(vfy);
+	}
+
+X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
+	{
+	int i;
+	STACK_OF(X509_LOOKUP) *sk;
+	X509_LOOKUP *lu;
+
+	sk=v->get_cert_methods;
+	for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
+		{
+		lu=sk_X509_LOOKUP_value(sk,i);
+		if (m == lu->method)
+			{
+			return(lu);
+			}
+		}
+	/* a new one */
+	lu=X509_LOOKUP_new(m);
+	if (lu == NULL)
+		return(NULL);
+	else
+		{
+		lu->store_ctx=v;
+		if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
+			return(lu);
+		else
+			{
+			X509_LOOKUP_free(lu);
+			return(NULL);
+			}
+		}
+	}
+
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+	     X509_OBJECT *ret)
+	{
+	X509_STORE *ctx=vs->ctx;
+	X509_LOOKUP *lu;
+	X509_OBJECT stmp,*tmp;
+	int i,j;
+
+	tmp=X509_OBJECT_retrieve_by_subject(ctx->certs,type,name);
+
+	if (tmp == NULL)
+		{
+		for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
+			{
+			lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
+			j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
+			if (j < 0)
+				{
+				vs->current_method=j;
+				return(j);
+				}
+			else if (j)
+				{
+				tmp= &stmp;
+				break;
+				}
+			}
+		vs->current_method=0;
+		if (tmp == NULL)
+			return(0);
+		}
+
+/*	if (ret->data.ptr != NULL)
+		X509_OBJECT_free_contents(ret); */
+
+	ret->type=tmp->type;
+	ret->data.ptr=tmp->data.ptr;
+
+	X509_OBJECT_up_ref_count(ret);
+
+	return(1);
+	}
+
+void X509_OBJECT_up_ref_count(X509_OBJECT *a)
+	{
+	switch (a->type)
+		{
+	case X509_LU_X509:
+		CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
+		break;
+	case X509_LU_CRL:
+		CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
+		break;
+		}
+	}
+
+void X509_OBJECT_free_contents(X509_OBJECT *a)
+	{
+	switch (a->type)
+		{
+	case X509_LU_X509:
+		X509_free(a->data.x509);
+		break;
+	case X509_LU_CRL:
+		X509_CRL_free(a->data.crl);
+		break;
+		}
+	}
+
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
+	     X509_NAME *name)
+	{
+	X509_OBJECT stmp,*tmp;
+	X509 x509_s;
+	X509_CINF cinf_s;
+	X509_CRL crl_s;
+	X509_CRL_INFO crl_info_s;
+
+	stmp.type=type;
+	switch (type)
+		{
+	case X509_LU_X509:
+		stmp.data.x509= &x509_s;
+		x509_s.cert_info= &cinf_s;
+		cinf_s.subject=name;
+		break;
+	case X509_LU_CRL:
+		stmp.data.crl= &crl_s;
+		crl_s.crl= &crl_info_s;
+		crl_info_s.issuer=name;
+		break;
+	default:
+		abort();
+		}
+
+	tmp=(X509_OBJECT *)lh_retrieve(h,&stmp);
+	return(tmp);
+	}
+
+X509_STORE_CTX *X509_STORE_CTX_new(void)
+{
+	X509_STORE_CTX *ctx;
+	ctx = (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
+	if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+	return ctx;
+}
+
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+{
+	X509_STORE_CTX_cleanup(ctx);
+	Free(ctx);
+}
+
+void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+	     STACK_OF(X509) *chain)
+	{
+	ctx->ctx=store;
+	ctx->current_method=0;
+	ctx->cert=x509;
+	ctx->untrusted=chain;
+	ctx->last_untrusted=0;
+	ctx->purpose=0;
+	ctx->trust=0;
+	ctx->valid=0;
+	ctx->chain=NULL;
+	ctx->depth=9;
+	ctx->error=0;
+	ctx->current_cert=NULL;
+	memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+	}
+
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
+	{
+	if (ctx->chain != NULL)
+		{
+		sk_X509_pop_free(ctx->chain,X509_free);
+		ctx->chain=NULL;
+		}
+	CRYPTO_free_ex_data(x509_store_ctx_meth,ctx,&(ctx->ex_data));
+	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+	}
+
+IMPLEMENT_STACK_OF(X509_LOOKUP)
diff --git a/crypto/openssl/crypto/x509/x509_obj.c b/crypto/openssl/crypto/x509/x509_obj.c
new file mode 100644
index 0000000..691b71f
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_obj.c
@@ -0,0 +1,223 @@
+/* crypto/x509/x509_obj.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/buffer.h>
+
+char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
+	{
+	X509_NAME_ENTRY *ne;
+int i;
+	int n,lold,l,l1,l2,num,j,type;
+	const char *s;
+	char *p;
+	unsigned char *q;
+	BUF_MEM *b=NULL;
+	static char hex[17]="0123456789ABCDEF";
+	int gs_doit[4];
+	char tmp_buf[80];
+#ifdef CHARSET_EBCDIC
+	char ebcdic_buf[1024];
+#endif
+
+	if (buf == NULL)
+		{
+		if ((b=BUF_MEM_new()) == NULL) goto err;
+		if (!BUF_MEM_grow(b,200)) goto err;
+		b->data[0]='\0';
+		len=200;
+		}
+	if (a == NULL)
+	    {
+	    if(b)
+		{
+		buf=b->data;
+		Free(b);
+		}
+	    strncpy(buf,"NO X509_NAME",len);
+	    return buf;
+	    }
+
+	len--; /* space for '\0' */
+	l=0;
+	for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
+		{
+		ne=sk_X509_NAME_ENTRY_value(a->entries,i);
+		n=OBJ_obj2nid(ne->object);
+		if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
+			{
+			i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
+			s=tmp_buf;
+			}
+		l1=strlen(s);
+
+		type=ne->value->type;
+		num=ne->value->length;
+		q=ne->value->data;
+#ifdef CHARSET_EBCDIC
+                if (type == V_ASN1_GENERALSTRING ||
+		    type == V_ASN1_VISIBLESTRING ||
+		    type == V_ASN1_PRINTABLESTRING ||
+		    type == V_ASN1_TELETEXSTRING ||
+		    type == V_ASN1_VISIBLESTRING ||
+		    type == V_ASN1_IA5STRING) {
+                        ascii2ebcdic(ebcdic_buf, q,
+				     (num > sizeof ebcdic_buf)
+				     ? sizeof ebcdic_buf : num);
+                        q=ebcdic_buf;
+		}
+#endif
+
+		if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
+			{
+			gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
+			for (j=0; j<num; j++)
+				if (q[j] != 0) gs_doit[j&3]=1;
+
+			if (gs_doit[0]|gs_doit[1]|gs_doit[2])
+				gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
+			else
+				{
+				gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
+				gs_doit[3]=1;
+				}
+			}
+		else
+			gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
+
+		for (l2=j=0; j<num; j++)
+			{
+			if (!gs_doit[j&3]) continue;
+			l2++;
+#ifndef CHARSET_EBCDIC
+			if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
+#else
+			if ((os_toascii[q[j]] < os_toascii[' ']) ||
+			    (os_toascii[q[j]] > os_toascii['~'])) l2+=3;
+#endif
+			}
+
+		lold=l;
+		l+=1+l1+1+l2;
+		if (b != NULL)
+			{
+			if (!BUF_MEM_grow(b,l+1)) goto err;
+			p= &(b->data[lold]);
+			}
+		else if (l > len)
+			{
+			break;
+			}
+		else
+			p= &(buf[lold]);
+		*(p++)='/';
+		memcpy(p,s,(unsigned int)l1); p+=l1;
+		*(p++)='=';
+
+#ifndef CHARSET_EBCDIC /* q was assigned above already. */
+		q=ne->value->data;
+#endif
+
+		for (j=0; j<num; j++)
+			{
+			if (!gs_doit[j&3]) continue;
+#ifndef CHARSET_EBCDIC
+			n=q[j];
+			if ((n < ' ') || (n > '~'))
+				{
+				*(p++)='\\';
+				*(p++)='x';
+				*(p++)=hex[(n>>4)&0x0f];
+				*(p++)=hex[n&0x0f];
+				}
+			else
+				*(p++)=n;
+#else
+			n=os_toascii[q[j]];
+			if ((n < os_toascii[' ']) ||
+			    (n > os_toascii['~']))
+				{
+				*(p++)='\\';
+				*(p++)='x';
+				*(p++)=hex[(n>>4)&0x0f];
+				*(p++)=hex[n&0x0f];
+				}
+			else
+				*(p++)=q[j];
+#endif
+			}
+		*p='\0';
+		}
+	if (b != NULL)
+		{
+		p=b->data;
+		Free(b);
+		}
+	else
+		p=buf;
+	return(p);
+err:
+	X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
+	if (b != NULL) BUF_MEM_free(b);
+	return(NULL);
+	}
+
diff --git a/crypto/openssl/crypto/x509/x509_r2x.c b/crypto/openssl/crypto/x509/x509_r2x.c
new file mode 100644
index 0000000..db05103
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_r2x.c
@@ -0,0 +1,110 @@
+/* crypto/x509/x509_r2x.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+
+X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
+	{
+	X509 *ret=NULL;
+	X509_CINF *xi=NULL;
+	X509_NAME *xn;
+
+	if ((ret=X509_new()) == NULL)
+		{
+		X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	/* duplicate the request */
+	xi=ret->cert_info;
+
+	if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
+		{
+		if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
+		if (!ASN1_INTEGER_set(xi->version,2)) goto err;
+/*		xi->extensions=ri->attributes; <- bad, should not ever be done
+		ri->attributes=NULL; */
+		}
+
+	xn=X509_REQ_get_subject_name(r);
+	X509_set_subject_name(ret,X509_NAME_dup(xn));
+	X509_set_issuer_name(ret,X509_NAME_dup(xn));
+
+	X509_gmtime_adj(xi->validity->notBefore,0);
+	X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days);
+
+	X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
+
+	if (!X509_sign(ret,pkey,EVP_md5()))
+		goto err;
+	if (0)
+		{
+err:
+		X509_free(ret);
+		ret=NULL;
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/x509/x509_req.c b/crypto/openssl/crypto/x509/x509_req.c
new file mode 100644
index 0000000..baef879
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_req.c
@@ -0,0 +1,278 @@
+/* crypto/x509/x509_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/pem.h>
+
+X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
+	{
+	X509_REQ *ret;
+	X509_REQ_INFO *ri;
+	int i;
+	EVP_PKEY *pktmp;
+
+	ret=X509_REQ_new();
+	if (ret == NULL)
+		{
+		X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	ri=ret->req_info;
+
+	ri->version->length=1;
+	ri->version->data=(unsigned char *)Malloc(1);
+	if (ri->version->data == NULL) goto err;
+	ri->version->data[0]=0; /* version == 0 */
+
+	if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
+		goto err;
+
+	pktmp = X509_get_pubkey(x);
+	i=X509_REQ_set_pubkey(ret,pktmp);
+	EVP_PKEY_free(pktmp);
+	if (!i) goto err;
+
+	if (pkey != NULL)
+		{
+		if (!X509_REQ_sign(ret,pkey,md))
+			goto err;
+		}
+	return(ret);
+err:
+	X509_REQ_free(ret);
+	return(NULL);
+	}
+
+EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
+	{
+	if ((req == NULL) || (req->req_info == NULL))
+		return(NULL);
+	return(X509_PUBKEY_get(req->req_info->pubkey));
+	}
+
+/* It seems several organisations had the same idea of including a list of
+ * extensions in a certificate request. There are at least two OIDs that are
+ * used and there may be more: so the list is configurable.
+ */
+
+static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+
+static int *ext_nids = ext_nid_list;
+
+int X509_REQ_extension_nid(int req_nid)
+{
+	int i, nid;
+	for(i = 0; ; i++) {
+		nid = ext_nids[i];
+		if(nid == NID_undef) return 0;
+		else if (req_nid == nid) return 1;
+	}
+}
+
+int *X509_REQ_get_extension_nids(void)
+{
+	return ext_nids;
+}
+	
+void X509_REQ_set_extension_nids(int *nids)
+{
+	ext_nids = nids;
+}
+
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
+{
+	X509_ATTRIBUTE *attr;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	ASN1_TYPE *ext = NULL;
+	int i;
+	unsigned char *p;
+	if ((req == NULL) || (req->req_info == NULL))
+		return(NULL);
+	sk=req->req_info->attributes;
+        if (!sk) return NULL;
+	for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+		attr = sk_X509_ATTRIBUTE_value(sk, i);
+		if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
+			if(attr->set && sk_ASN1_TYPE_num(attr->value.set))
+				ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+			else ext = attr->value.single;
+			break;
+		}
+	}
+	if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+	p = ext->value.sequence->data;
+	return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
+			ext->value.sequence->length,
+			d2i_X509_EXTENSION, X509_EXTENSION_free,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
+ * in case we want to create a non standard one.
+ */
+
+int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
+				int nid)
+{
+	unsigned char *p = NULL, *q;
+	long len;
+	ASN1_TYPE *at = NULL;
+	X509_ATTRIBUTE *attr = NULL;
+	if(!(at = ASN1_TYPE_new()) ||
+		!(at->value.sequence = ASN1_STRING_new())) goto err;
+
+	at->type = V_ASN1_SEQUENCE;
+	/* Generate encoding of extensions */
+	len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	if(!(p = Malloc(len))) goto err;
+	q = p;
+	i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	at->value.sequence->data = p;
+	p = NULL;
+	at->value.sequence->length = len;
+	if(!(attr = X509_ATTRIBUTE_new())) goto err;
+	if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+	if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
+	at = NULL;
+	attr->set = 1;
+	attr->object = OBJ_nid2obj(nid);
+	if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
+	return 1;
+	err:
+	if(p) Free(p);
+	X509_ATTRIBUTE_free(attr);
+	ASN1_TYPE_free(at);
+	return 0;
+}
+/* This is the normal usage: use the "official" OID */
+int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
+{
+	return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
+}
+
+/* Request attribute functions */
+
+int X509_REQ_get_attr_count(const X509_REQ *req)
+{
+	return X509at_get_attr_count(req->req_info->attributes);
+}
+
+int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
+			  int lastpos)
+{
+	return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
+}
+
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
+			  int lastpos)
+{
+	return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
+}
+
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
+{
+	return X509at_get_attr(req->req_info->attributes, loc);
+}
+
+X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
+{
+	return X509at_delete_attr(req->req_info->attributes, loc);
+}
+
+int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
+{
+	if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+			int nid, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+			char *attrname, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
+				type, bytes, len)) return 1;
+	return 0;
+}
diff --git a/crypto/openssl/crypto/x509/x509_set.c b/crypto/openssl/crypto/x509/x509_set.c
new file mode 100644
index 0000000..add842d
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_set.c
@@ -0,0 +1,150 @@
+/* crypto/x509/x509_set.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_set_version(X509 *x, long version)
+	{
+	if (x == NULL) return(0);
+	if (x->cert_info->version == NULL)
+		{
+		if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
+			return(0);
+		}
+	return(ASN1_INTEGER_set(x->cert_info->version,version));
+	}
+
+int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
+	{
+	ASN1_INTEGER *in;
+
+	if (x == NULL) return(0);
+	in=x->cert_info->serialNumber;
+	if (in != serial)
+		{
+		in=M_ASN1_INTEGER_dup(serial);
+		if (in != NULL)
+			{
+			M_ASN1_INTEGER_free(x->cert_info->serialNumber);
+			x->cert_info->serialNumber=in;
+			}
+		}
+	return(in != NULL);
+	}
+
+int X509_set_issuer_name(X509 *x, X509_NAME *name)
+	{
+	if ((x == NULL) || (x->cert_info == NULL)) return(0);
+	return(X509_NAME_set(&x->cert_info->issuer,name));
+	}
+
+int X509_set_subject_name(X509 *x, X509_NAME *name)
+	{
+	if ((x == NULL) || (x->cert_info == NULL)) return(0);
+	return(X509_NAME_set(&x->cert_info->subject,name));
+	}
+
+int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm)
+	{
+	ASN1_UTCTIME *in;
+
+	if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
+	in=x->cert_info->validity->notBefore;
+	if (in != tm)
+		{
+		in=M_ASN1_UTCTIME_dup(tm);
+		if (in != NULL)
+			{
+			M_ASN1_UTCTIME_free(x->cert_info->validity->notBefore);
+			x->cert_info->validity->notBefore=in;
+			}
+		}
+	return(in != NULL);
+	}
+
+int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm)
+	{
+	ASN1_UTCTIME *in;
+
+	if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
+	in=x->cert_info->validity->notAfter;
+	if (in != tm)
+		{
+		in=M_ASN1_UTCTIME_dup(tm);
+		if (in != NULL)
+			{
+			M_ASN1_UTCTIME_free(x->cert_info->validity->notAfter);
+			x->cert_info->validity->notAfter=in;
+			}
+		}
+	return(in != NULL);
+	}
+
+int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
+	{
+	if ((x == NULL) || (x->cert_info == NULL)) return(0);
+	return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
+	}
+
+
+
diff --git a/crypto/openssl/crypto/x509/x509_trs.c b/crypto/openssl/crypto/x509/x509_trs.c
new file mode 100644
index 0000000..c779aaf
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_trs.c
@@ -0,0 +1,264 @@
+/* x509_trs.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b);
+static void trtable_free(X509_TRUST *p);
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
+static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
+
+static int obj_trust(int id, X509 *x, int flags);
+static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
+
+/* WARNING: the following table should be kept in order of trust
+ * and without any gaps so we can just subtract the minimum trust
+ * value to get an index into the table
+ */
+
+static X509_TRUST trstandard[] = {
+{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
+{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
+{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
+{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+};
+
+#define X509_TRUST_COUNT	(sizeof(trstandard)/sizeof(X509_TRUST))
+
+IMPLEMENT_STACK_OF(X509_TRUST)
+
+static STACK_OF(X509_TRUST) *trtable = NULL;
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
+{
+	return (*a)->trust - (*b)->trust;
+}
+
+int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+{
+int (*oldtrust)(int , X509 *, int);
+oldtrust = default_trust;
+default_trust = trust;
+return oldtrust;
+}
+
+
+int X509_check_trust(X509 *x, int id, int flags)
+{
+	X509_TRUST *pt;
+	int idx;
+	if(id == -1) return 1;
+	idx = X509_TRUST_get_by_id(id);
+	if(idx == -1) return default_trust(id, x, flags);
+	pt = X509_TRUST_get0(idx);
+	return pt->check_trust(pt, x, flags);
+}
+
+int X509_TRUST_get_count(void)
+{
+	if(!trtable) return X509_TRUST_COUNT;
+	return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
+}
+
+X509_TRUST * X509_TRUST_get0(int idx)
+{
+	if(idx < 0) return NULL;
+	if(idx < X509_TRUST_COUNT) return trstandard + idx;
+	return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
+}
+
+int X509_TRUST_get_by_id(int id)
+{
+	X509_TRUST tmp;
+	int idx;
+	if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+				 return id - X509_TRUST_MIN;
+	tmp.trust = id;
+	if(!trtable) return -1;
+	idx = sk_X509_TRUST_find(trtable, &tmp);
+	if(idx == -1) return -1;
+	return idx + X509_TRUST_COUNT;
+}
+
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+					char *name, int arg1, void *arg2)
+{
+	int idx;
+	X509_TRUST *trtmp;
+	/* This is set according to what we change: application can't set it */
+	flags &= ~X509_TRUST_DYNAMIC;
+	/* This will always be set for application modified trust entries */
+	flags |= X509_TRUST_DYNAMIC_NAME;
+	/* Get existing entry if any */
+	idx = X509_TRUST_get_by_id(id);
+	/* Need a new entry */
+	if(idx == -1) {
+		if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
+			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		trtmp->flags = X509_TRUST_DYNAMIC;
+	} else trtmp = X509_TRUST_get0(idx);
+
+	/* Free existing name if dynamic */
+	if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+	/* dup supplied name */
+	if(!(trtmp->name = BUF_strdup(name))) {
+		X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	/* Keep the dynamic flag of existing entry */
+	trtmp->flags &= X509_TRUST_DYNAMIC;
+	/* Set all other flags */
+	trtmp->flags |= flags;
+
+	trtmp->trust = id;
+	trtmp->check_trust = ck;
+	trtmp->arg1 = arg1;
+	trtmp->arg2 = arg2;
+
+	/* If its a new entry manage the dynamic table */
+	if(idx == -1) {
+		if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if (!sk_X509_TRUST_push(trtable, trtmp)) {
+			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+static void trtable_free(X509_TRUST *p)
+	{
+	if(!p) return;
+	if (p->flags & X509_TRUST_DYNAMIC) 
+		{
+		if (p->flags & X509_TRUST_DYNAMIC_NAME)
+			Free(p->name);
+		Free(p);
+		}
+	}
+
+void X509_TRUST_cleanup(void)
+{
+	int i;
+	for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
+	sk_X509_TRUST_pop_free(trtable, trtable_free);
+	trtable = NULL;
+}
+
+int X509_TRUST_get_flags(X509_TRUST *xp)
+{
+	return xp->flags;
+}
+
+char *X509_TRUST_get0_name(X509_TRUST *xp)
+{
+	return xp->name;
+}
+
+int X509_TRUST_get_trust(X509_TRUST *xp)
+{
+	return xp->trust;
+}
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
+{
+	if(x->aux) return obj_trust(trust->arg1, x, flags);
+	/* we don't have any trust settings: for compatibility
+	 * we return trusted if it is self signed
+	 */
+	return trust_compat(trust, x, flags);
+}
+
+static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
+{
+	X509_check_purpose(x, -1, 0);
+	if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
+	else return X509_TRUST_UNTRUSTED;
+}
+
+static int obj_trust(int id, X509 *x, int flags)
+{
+	ASN1_OBJECT *obj;
+	int i;
+	X509_CERT_AUX *ax;
+	ax = x->aux;
+	if(!ax) return X509_TRUST_UNTRUSTED;
+	if(ax->reject) {
+		for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+			obj = sk_ASN1_OBJECT_value(ax->reject, i);
+			if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
+		}
+	}	
+	if(ax->trust) {
+		for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+			obj = sk_ASN1_OBJECT_value(ax->trust, i);
+			if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
+		}
+	}
+	return X509_TRUST_UNTRUSTED;
+}
+
diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c
new file mode 100644
index 0000000..209cf53
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_txt.c
@@ -0,0 +1,141 @@
+/* crypto/x509/x509_txt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+
+#include "cryptlib.h"
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+
+const char *X509_verify_cert_error_string(long n)
+	{
+	static char buf[100];
+
+	switch ((int)n)
+		{
+	case X509_V_OK:
+		return("ok");
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		return("unable to get issuer certificate");
+	case X509_V_ERR_UNABLE_TO_GET_CRL:
+		return("unable to get certificate CRL");
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+		return("unable to decrypt certificate's signature");
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+		return("unable to decrypt CRL's's signature");
+	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+		return("unable to decode issuer public key");
+	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+		return("certificate signature failure");
+	case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+		return("CRL signature failure");
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+		return("certificate is not yet valid");
+	case X509_V_ERR_CRL_NOT_YET_VALID:
+		return("CRL is not yet valid");
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+		return("Certificate has expired");
+	case X509_V_ERR_CRL_HAS_EXPIRED:
+		return("CRL has expired");
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		return("format error in certificate's notBefore field");
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		return("format error in certificate's notAfter field");
+	case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+		return("format error in CRL's lastUpdate field");
+	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+		return("format error in CRL's nextUpdate field");
+	case X509_V_ERR_OUT_OF_MEM:
+		return("out of memory");
+	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+		return("self signed certificate");
+	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+		return("self signed certificate in certificate chain");
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+		return("unable to get local issuer certificate");
+	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+		return("unable to verify the first certificate");
+	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+		return("certificate chain too long");
+	case X509_V_ERR_CERT_REVOKED:
+		return("certificate revoked");
+	case X509_V_ERR_INVALID_CA:
+		return ("invalid CA certificate");
+	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+		return ("path length constraint exceeded");
+	case X509_V_ERR_INVALID_PURPOSE:
+		return ("unsupported certificate purpose");
+	case X509_V_ERR_CERT_UNTRUSTED:
+		return ("certificate not trusted");
+	case X509_V_ERR_CERT_REJECTED:
+		return ("certificate rejected");
+	case X509_V_ERR_APPLICATION_VERIFICATION:
+		return("application verification failure");
+	default:
+		sprintf(buf,"error number %ld",n);
+		return(buf);
+		}
+	}
+
+
diff --git a/crypto/openssl/crypto/x509/x509_v3.c b/crypto/openssl/crypto/x509/x509_v3.c
new file mode 100644
index 0000000..5288798
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_v3.c
@@ -0,0 +1,267 @@
+/* crypto/x509/x509_v3.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
+	{
+	if (x == NULL) return(0);
+	return(sk_X509_EXTENSION_num(x));
+	}
+
+int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
+			  int lastpos)
+	{
+	ASN1_OBJECT *obj;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL) return(-2);
+	return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
+	}
+
+int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
+			  int lastpos)
+	{
+	int n;
+	X509_EXTENSION *ex;
+
+	if (sk == NULL) return(-1);
+	lastpos++;
+	if (lastpos < 0)
+		lastpos=0;
+	n=sk_X509_EXTENSION_num(sk);
+	for ( ; lastpos < n; lastpos++)
+		{
+		ex=sk_X509_EXTENSION_value(sk,lastpos);
+		if (OBJ_cmp(ex->object,obj) == 0)
+			return(lastpos);
+		}
+	return(-1);
+	}
+
+int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
+			       int lastpos)
+	{
+	int n;
+	X509_EXTENSION *ex;
+
+	if (sk == NULL) return(-1);
+	lastpos++;
+	if (lastpos < 0)
+		lastpos=0;
+	n=sk_X509_EXTENSION_num(sk);
+	for ( ; lastpos < n; lastpos++)
+		{
+		ex=sk_X509_EXTENSION_value(sk,lastpos);
+		if (	(ex->critical && crit) ||
+			(!ex->critical && !crit))
+			return(lastpos);
+		}
+	return(-1);
+	}
+
+X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
+	{
+	if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
+		return NULL;
+	else
+		return sk_X509_EXTENSION_value(x,loc);
+	}
+
+X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
+	{
+	X509_EXTENSION *ret;
+
+	if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
+		return(NULL);
+	ret=sk_X509_EXTENSION_delete(x,loc);
+	return(ret);
+	}
+
+STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
+					 X509_EXTENSION *ex, int loc)
+	{
+	X509_EXTENSION *new_ex=NULL;
+	int n;
+	STACK_OF(X509_EXTENSION) *sk=NULL;
+
+	if ((x != NULL) && (*x == NULL))
+		{
+		if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
+			goto err;
+		}
+	else
+		sk= *x;
+
+	n=sk_X509_EXTENSION_num(sk);
+	if (loc > n) loc=n;
+	else if (loc < 0) loc=n;
+
+	if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
+		goto err2;
+	if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
+		goto err;
+	if ((x != NULL) && (*x == NULL))
+		*x=sk;
+	return(sk);
+err:
+	X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
+err2:
+	if (new_ex != NULL) X509_EXTENSION_free(new_ex);
+	if (sk != NULL) sk_X509_EXTENSION_free(sk);
+	return(NULL);
+	}
+
+X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
+	     int crit, ASN1_OCTET_STRING *data)
+	{
+	ASN1_OBJECT *obj;
+	X509_EXTENSION *ret;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
+		return(NULL);
+		}
+	ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
+	if (ret == NULL) ASN1_OBJECT_free(obj);
+	return(ret);
+	}
+
+X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
+	     ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
+	{
+	X509_EXTENSION *ret;
+
+	if ((ex == NULL) || (*ex == NULL))
+		{
+		if ((ret=X509_EXTENSION_new()) == NULL)
+			{
+			X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		}
+	else
+		ret= *ex;
+
+	if (!X509_EXTENSION_set_object(ret,obj))
+		goto err;
+	if (!X509_EXTENSION_set_critical(ret,crit))
+		goto err;
+	if (!X509_EXTENSION_set_data(ret,data))
+		goto err;
+	
+	if ((ex != NULL) && (*ex == NULL)) *ex=ret;
+	return(ret);
+err:
+	if ((ex == NULL) || (ret != *ex))
+		X509_EXTENSION_free(ret);
+	return(NULL);
+	}
+
+int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
+	{
+	if ((ex == NULL) || (obj == NULL))
+		return(0);
+	ASN1_OBJECT_free(ex->object);
+	ex->object=OBJ_dup(obj);
+	return(1);
+	}
+
+int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
+	{
+	if (ex == NULL) return(0);
+	ex->critical=(crit)?0xFF:0;
+	return(1);
+	}
+
+int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
+	{
+	int i;
+
+	if (ex == NULL) return(0);
+	i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
+	if (!i) return(0);
+	return(1);
+	}
+
+ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
+	{
+	if (ex == NULL) return(NULL);
+	return(ex->object);
+	}
+
+ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
+	{
+	if (ex == NULL) return(NULL);
+	return(ex->value);
+	}
+
+int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
+	{
+	if (ex == NULL) return(0);
+	return(ex->critical);
+	}
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
new file mode 100644
index 0000000..3ddb230
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -0,0 +1,815 @@
+/* crypto/x509/x509_vfy.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+
+static int null_callback(int ok,X509_STORE_CTX *e);
+static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_trust(X509_STORE_CTX *ctx);
+static int internal_verify(X509_STORE_CTX *ctx);
+const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
+
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
+static int x509_store_ctx_num=0;
+#if 0
+static int x509_store_num=1;
+static STACK *x509_store_method=NULL;
+#endif
+
+static int null_callback(int ok, X509_STORE_CTX *e)
+	{
+	return(ok);
+	}
+
+#if 0
+static int x509_subject_cmp(X509 **a, X509 **b)
+	{
+	return(X509_subject_name_cmp(*a,*b));
+	}
+#endif
+
+int X509_verify_cert(X509_STORE_CTX *ctx)
+	{
+	X509 *x,*xtmp,*chain_ss=NULL;
+	X509_NAME *xn;
+	X509_OBJECT obj;
+	int depth,i,ok=0;
+	int num;
+	int (*cb)();
+	STACK_OF(X509) *sktmp=NULL;
+
+	if (ctx->cert == NULL)
+		{
+		X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+		return(-1);
+		}
+
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+
+	/* first we make sure the chain we are going to build is
+	 * present and that the first entry is in place */
+	if (ctx->chain == NULL)
+		{
+		if (	((ctx->chain=sk_X509_new_null()) == NULL) ||
+			(!sk_X509_push(ctx->chain,ctx->cert)))
+			{
+			X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+			goto end;
+			}
+		CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
+		ctx->last_untrusted=1;
+		}
+
+	/* We use a temporary STACK so we can chop and hack at it */
+	if (ctx->untrusted != NULL
+	    && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
+		{
+		X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+		goto end;
+		}
+
+	num=sk_X509_num(ctx->chain);
+	x=sk_X509_value(ctx->chain,num-1);
+	depth=ctx->depth;
+
+
+	for (;;)
+		{
+		/* If we have enough, we break */
+		if (depth < num) break; /* FIXME: If this happens, we should take
+		                         * note of it and, if appropriate, use the
+		                         * X509_V_ERR_CERT_CHAIN_TOO_LONG error
+		                         * code later.
+		                         */
+
+		/* If we are self signed, we break */
+		xn=X509_get_issuer_name(x);
+		if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
+			break;
+
+		/* If we were passed a cert chain, use it first */
+		if (ctx->untrusted != NULL)
+			{
+			xtmp=X509_find_by_subject(sktmp,xn);
+			if (xtmp != NULL)
+				{
+				if (!sk_X509_push(ctx->chain,xtmp))
+					{
+					X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+					goto end;
+					}
+				CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
+				sk_X509_delete_ptr(sktmp,xtmp);
+				ctx->last_untrusted++;
+				x=xtmp;
+				num++;
+				/* reparse the full chain for
+				 * the next one */
+				continue;
+				}
+			}
+		break;
+		}
+
+	/* at this point, chain should contain a list of untrusted
+	 * certificates.  We now need to add at least one trusted one,
+	 * if possible, otherwise we complain. */
+
+	i=sk_X509_num(ctx->chain);
+	x=sk_X509_value(ctx->chain,i-1);
+	xn = X509_get_subject_name(x);
+	if (X509_NAME_cmp(xn,X509_get_issuer_name(x))
+		== 0)
+		{
+		/* we have a self signed certificate */
+		if (sk_X509_num(ctx->chain) == 1)
+			{
+			/* We have a single self signed certificate: see if
+			 * we can find it in the store. We must have an exact
+			 * match to avoid possible impersonation.
+			 */
+			ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+			if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 
+				{
+				ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+				ctx->current_cert=x;
+				ctx->error_depth=i-1;
+				if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj);
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			else 
+				{
+				/* We have a match: replace certificate with store version
+				 * so we get any trust settings.
+				 */
+				X509_free(x);
+				x = obj.data.x509;
+				sk_X509_set(ctx->chain, i - 1, x);
+				ctx->last_untrusted=0;
+				}
+			}
+		else
+			{
+			/* worry more about this one elsewhere */
+			chain_ss=sk_X509_pop(ctx->chain);
+			ctx->last_untrusted--;
+			num--;
+			x=sk_X509_value(ctx->chain,num-1);
+			}
+		}
+
+	/* We now lookup certs from the certificate store */
+	for (;;)
+		{
+		/* If we have enough, we break */
+		if (depth < num) break;
+
+		/* If we are self signed, we break */
+		xn=X509_get_issuer_name(x);
+		if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
+			break;
+
+		ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+		if (ok != X509_LU_X509)
+			{
+			if (ok == X509_LU_RETRY)
+				{
+				X509_OBJECT_free_contents(&obj);
+				X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
+				return(ok);
+				}
+			else if (ok != X509_LU_FAIL)
+				{
+				X509_OBJECT_free_contents(&obj);
+				/* not good :-(, break anyway */
+				return(ok);
+				}
+			break;
+			}
+		x=obj.data.x509;
+		if (!sk_X509_push(ctx->chain,obj.data.x509))
+			{
+			X509_OBJECT_free_contents(&obj);
+			X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		num++;
+		}
+
+	/* we now have our chain, lets check it... */
+	xn=X509_get_issuer_name(x);
+	if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
+		{
+		if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
+			{
+			if (ctx->last_untrusted >= num)
+				ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+			else
+				ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+			ctx->current_cert=x;
+			}
+		else
+			{
+
+			sk_X509_push(ctx->chain,chain_ss);
+			num++;
+			ctx->last_untrusted=num;
+			ctx->current_cert=chain_ss;
+			ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+			chain_ss=NULL;
+			}
+
+		ctx->error_depth=num-1;
+		ok=cb(0,ctx);
+		if (!ok) goto end;
+		}
+
+	/* We have the chain complete: now we need to check its purpose */
+	if(ctx->purpose > 0) ok = check_chain_purpose(ctx);
+
+	if(!ok) goto end;
+
+	/* The chain extensions are OK: check trust */
+
+	if(ctx->trust > 0) ok = check_trust(ctx);
+
+	if(!ok) goto end;
+
+	/* We may as well copy down any DSA parameters that are required */
+	X509_get_pubkey_parameters(NULL,ctx->chain);
+
+	/* At this point, we have a chain and just need to verify it */
+	if (ctx->ctx->verify != NULL)
+		ok=ctx->ctx->verify(ctx);
+	else
+		ok=internal_verify(ctx);
+	if (0)
+		{
+end:
+		X509_get_pubkey_parameters(NULL,ctx->chain);
+		}
+	if (sktmp != NULL) sk_X509_free(sktmp);
+	if (chain_ss != NULL) X509_free(chain_ss);
+	return(ok);
+	}
+
+/* Check a certificate chains extensions for consistency
+ * with the supplied purpose
+ */
+
+static int check_chain_purpose(X509_STORE_CTX *ctx)
+{
+#ifdef NO_CHAIN_VERIFY
+	return 1;
+#else
+	int i, ok=0;
+	X509 *x;
+	int (*cb)();
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+	/* Check all untrusted certificates */
+	for(i = 0; i < ctx->last_untrusted; i++) {
+		x = sk_X509_value(ctx->chain, i);
+		if(!X509_check_purpose(x, ctx->purpose, i)) {
+			if(i) ctx->error = X509_V_ERR_INVALID_CA;
+			else ctx->error = X509_V_ERR_INVALID_PURPOSE;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if(!ok) goto end;
+		}
+		/* Check pathlen */
+		if((i > 1) && (x->ex_pathlen != -1)
+					&& (i > (x->ex_pathlen + 1))) {
+			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if(!ok) goto end;
+		}
+	}
+	ok = 1;
+	end:
+	return(ok);
+#endif
+}
+
+static int check_trust(X509_STORE_CTX *ctx)
+{
+#ifdef NO_CHAIN_VERIFY
+	return 1;
+#else
+	int i, ok;
+	X509 *x;
+	int (*cb)();
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+/* For now just check the last certificate in the chain */
+	i = sk_X509_num(ctx->chain) - 1;
+	x = sk_X509_value(ctx->chain, i);
+	ok = X509_check_trust(x, ctx->trust, 0);
+	if(ok == X509_TRUST_TRUSTED) return 1;
+	ctx->error_depth = sk_X509_num(ctx->chain) - 1;
+	ctx->current_cert = x;
+	if(ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED;
+	else ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+	ok = cb(0, ctx);
+	return(ok);
+#endif
+}
+
+static int internal_verify(X509_STORE_CTX *ctx)
+	{
+	int i,ok=0,n;
+	X509 *xs,*xi;
+	EVP_PKEY *pkey=NULL;
+	int (*cb)();
+
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+
+	n=sk_X509_num(ctx->chain);
+	ctx->error_depth=n-1;
+	n--;
+	xi=sk_X509_value(ctx->chain,n);
+	if (X509_NAME_cmp(X509_get_subject_name(xi),
+		X509_get_issuer_name(xi)) == 0)
+		xs=xi;
+	else
+		{
+		if (n <= 0)
+			{
+			ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+			ctx->current_cert=xi;
+			ok=cb(0,ctx);
+			goto end;
+			}
+		else
+			{
+			n--;
+			ctx->error_depth=n;
+			xs=sk_X509_value(ctx->chain,n);
+			}
+		}
+
+/*	ctx->error=0;  not needed */
+	while (n >= 0)
+		{
+		ctx->error_depth=n;
+		if (!xs->valid)
+			{
+			if ((pkey=X509_get_pubkey(xi)) == NULL)
+				{
+				ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+				ctx->current_cert=xi;
+				ok=(*cb)(0,ctx);
+				if (!ok) goto end;
+				}
+			if (X509_verify(xs,pkey) <= 0)
+				{
+				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
+				ctx->current_cert=xs;
+				ok=(*cb)(0,ctx);
+				if (!ok)
+					{
+					EVP_PKEY_free(pkey);
+					goto end;
+					}
+				}
+			EVP_PKEY_free(pkey);
+			pkey=NULL;
+
+			i=X509_cmp_current_time(X509_get_notBefore(xs));
+			if (i == 0)
+				{
+				ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+				ctx->current_cert=xs;
+				ok=(*cb)(0,ctx);
+				if (!ok) goto end;
+				}
+			if (i > 0)
+				{
+				ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
+				ctx->current_cert=xs;
+				ok=(*cb)(0,ctx);
+				if (!ok) goto end;
+				}
+			xs->valid=1;
+			}
+
+		i=X509_cmp_current_time(X509_get_notAfter(xs));
+		if (i == 0)
+			{
+			ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+			ctx->current_cert=xs;
+			ok=(*cb)(0,ctx);
+			if (!ok) goto end;
+			}
+
+		if (i < 0)
+			{
+			ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
+			ctx->current_cert=xs;
+			ok=(*cb)(0,ctx);
+			if (!ok) goto end;
+			}
+
+		/* CRL CHECK */
+
+		/* The last error (if any) is still in the error value */
+		ctx->current_cert=xs;
+		ok=(*cb)(1,ctx);
+		if (!ok) goto end;
+
+		n--;
+		if (n >= 0)
+			{
+			xi=xs;
+			xs=sk_X509_value(ctx->chain,n);
+			}
+		}
+	ok=1;
+end:
+	return(ok);
+	}
+
+int X509_cmp_current_time(ASN1_UTCTIME *ctm)
+	{
+	char *str;
+	ASN1_UTCTIME atm;
+	time_t offset;
+	char buff1[24],buff2[24],*p;
+	int i,j;
+
+	p=buff1;
+	i=ctm->length;
+	str=(char *)ctm->data;
+	if ((i < 11) || (i > 17)) return(0);
+	memcpy(p,str,10);
+	p+=10;
+	str+=10;
+
+	if ((*str == 'Z') || (*str == '-') || (*str == '+'))
+		{ *(p++)='0'; *(p++)='0'; }
+	else	{ *(p++)= *(str++); *(p++)= *(str++); }
+	*(p++)='Z';
+	*(p++)='\0';
+
+	if (*str == 'Z')
+		offset=0;
+	else
+		{
+		if ((*str != '+') && (str[5] != '-'))
+			return(0);
+		offset=((str[1]-'0')*10+(str[2]-'0'))*60;
+		offset+=(str[3]-'0')*10+(str[4]-'0');
+		if (*str == '-')
+			offset= -offset;
+		}
+	atm.type=V_ASN1_UTCTIME;
+	atm.length=sizeof(buff2);
+	atm.data=(unsigned char *)buff2;
+
+	X509_gmtime_adj(&atm,-offset*60);
+
+	i=(buff1[0]-'0')*10+(buff1[1]-'0');
+	if (i < 50) i+=100; /* cf. RFC 2459 */
+	j=(buff2[0]-'0')*10+(buff2[1]-'0');
+	if (j < 50) j+=100;
+
+	if (i < j) return (-1);
+	if (i > j) return (1);
+	i=strcmp(buff1,buff2);
+	if (i == 0) /* wait a second then return younger :-) */
+		return(-1);
+	else
+		return(i);
+	}
+
+ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
+	{
+	time_t t;
+
+	time(&t);
+	t+=adj;
+	return(ASN1_UTCTIME_set(s,t));
+	}
+
+int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
+	{
+	EVP_PKEY *ktmp=NULL,*ktmp2;
+	int i,j;
+
+	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
+
+	for (i=0; i<sk_X509_num(chain); i++)
+		{
+		ktmp=X509_get_pubkey(sk_X509_value(chain,i));
+		if (ktmp == NULL)
+			{
+			X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
+			return(0);
+			}
+		if (!EVP_PKEY_missing_parameters(ktmp))
+			break;
+		else
+			{
+			EVP_PKEY_free(ktmp);
+			ktmp=NULL;
+			}
+		}
+	if (ktmp == NULL)
+		{
+		X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
+		return(0);
+		}
+
+	/* first, populate the other certs */
+	for (j=i-1; j >= 0; j--)
+		{
+		ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
+		EVP_PKEY_copy_parameters(ktmp2,ktmp);
+		EVP_PKEY_free(ktmp2);
+		}
+	
+	if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
+	EVP_PKEY_free(ktmp);
+	return(1);
+	}
+
+int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
+	{
+	X509_OBJECT *obj,*r;
+	int ret=1;
+
+	if (x == NULL) return(0);
+	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	obj->type=X509_LU_X509;
+	obj->data.x509=x;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+	X509_OBJECT_up_ref_count(obj);
+
+	r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
+	if (r != NULL)
+		{ /* oops, put it back */
+		lh_delete(ctx->certs,obj);
+		X509_OBJECT_free_contents(obj);
+		Free(obj);
+		lh_insert(ctx->certs,r);
+		X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+		ret=0;
+		}
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+	return(ret);	
+	}
+
+int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
+	{
+	X509_OBJECT *obj,*r;
+	int ret=1;
+
+	if (x == NULL) return(0);
+	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	obj->type=X509_LU_CRL;
+	obj->data.crl=x;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+	X509_OBJECT_up_ref_count(obj);
+
+	r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
+	if (r != NULL)
+		{ /* oops, put it back */
+		lh_delete(ctx->certs,obj);
+		X509_OBJECT_free_contents(obj);
+		Free(obj);
+		lh_insert(ctx->certs,r);
+		X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+		ret=0;
+		}
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+	return(ret);	
+	}
+
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        x509_store_ctx_num++;
+        return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+		&x509_store_ctx_method,
+                argl,argp,new_func,dup_func,free_func));
+        }
+
+int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
+	{
+	return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
+	}
+
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+	{
+	return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
+	}
+
+int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
+	{
+	return(ctx->error);
+	}
+
+void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
+	{
+	ctx->error=err;
+	}
+
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
+	{
+	return(ctx->error_depth);
+	}
+
+X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
+	{
+	return(ctx->current_cert);
+	}
+
+STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
+	{
+	return(ctx->chain);
+	}
+
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
+	{
+	int i;
+	X509 *x;
+	STACK_OF(X509) *chain;
+	if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+	for(i = 0; i < sk_X509_num(chain); i++) {
+		x = sk_X509_value(chain, i);
+		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+	}
+	return(chain);
+	}
+
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
+	{
+	ctx->cert=x;
+	}
+
+void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+	{
+	ctx->untrusted=sk;
+	}
+
+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
+	{
+	return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
+	}
+
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
+	{
+	return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
+	}
+
+/* This function is used to set the X509_STORE_CTX purpose and trust
+ * values. This is intended to be used when another structure has its
+ * own trust and purpose values which (if set) will be inherited by
+ * the ctx. If they aren't set then we will usually have a default
+ * purpose in mind which should then be used to set the trust value.
+ * An example of this is SSL use: an SSL structure will have its own
+ * purpose and trust settings which the application can set: if they
+ * aren't set then we use the default of SSL client/server.
+ */
+
+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+				int purpose, int trust)
+{
+	int idx;
+	/* If purpose not set use default */
+	if(!purpose) purpose = def_purpose;
+	/* If we have a purpose then check it is valid */
+	if(purpose) {
+		X509_PURPOSE *ptmp;
+		idx = X509_PURPOSE_get_by_id(purpose);
+		if(idx == -1) {
+			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+						X509_R_UNKNOWN_PURPOSE_ID);
+			return 0;
+		}
+		ptmp = X509_PURPOSE_get0(idx);
+		if(ptmp->trust == X509_TRUST_DEFAULT) {
+			idx = X509_PURPOSE_get_by_id(def_purpose);
+			if(idx == -1) {
+				X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+						X509_R_UNKNOWN_PURPOSE_ID);
+				return 0;
+			}
+			ptmp = X509_PURPOSE_get0(idx);
+		}
+		/* If trust not set then get from purpose default */
+		if(!trust) trust = ptmp->trust;
+	}
+	if(trust) {
+		idx = X509_TRUST_get_by_id(trust);
+		if(idx == -1) {
+			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+						X509_R_UNKNOWN_TRUST_ID);
+			return 0;
+		}
+	}
+
+	if(purpose) ctx->purpose = purpose;
+	if(trust) ctx->trust = trust;
+	return 1;
+}
+
+
+IMPLEMENT_STACK_OF(X509)
+IMPLEMENT_ASN1_SET_OF(X509)
+
+IMPLEMENT_STACK_OF(X509_NAME)
+
+IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
+IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h
new file mode 100644
index 0000000..4637aec
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_vfy.h
@@ -0,0 +1,362 @@
+/* crypto/x509/x509_vfy.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_X509_H
+#include <openssl/x509.h>
+/* openssl/x509.h ends up #include-ing this file at about the only
+ * appropriate moment. */
+#endif
+
+#ifndef HEADER_X509_VFY_H
+#define HEADER_X509_VFY_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+
+/* Outer object */
+typedef struct x509_hash_dir_st
+	{
+	int num_dirs;
+	char **dirs;
+	int *dirs_type;
+	int num_dirs_alloced;
+	} X509_HASH_DIR_CTX;
+
+typedef struct x509_file_st
+	{
+	int num_paths;	/* number of paths to files or directories */
+	int num_alloced;
+	char **paths;	/* the list of paths or directories */
+	int *path_type;
+	} X509_CERT_FILE_CTX;
+
+/*******************************/
+/*
+SSL_CTX -> X509_STORE    
+		-> X509_LOOKUP
+			->X509_LOOKUP_METHOD
+		-> X509_LOOKUP
+			->X509_LOOKUP_METHOD
+ 
+SSL	-> X509_STORE_CTX
+		->X509_STORE    
+
+The X509_STORE holds the tables etc for verification stuff.
+A X509_STORE_CTX is used while validating a single certificate.
+The X509_STORE has X509_LOOKUPs for looking up certs.
+The X509_STORE then calls a function to actually verify the
+certificate chain.
+*/
+
+#define X509_LU_RETRY		-1
+#define X509_LU_FAIL		0
+#define X509_LU_X509		1
+#define X509_LU_CRL		2
+#define X509_LU_PKEY		3
+
+typedef struct x509_object_st
+	{
+	/* one of the above types */
+	int type;
+	union	{
+		char *ptr;
+		X509 *x509;
+		X509_CRL *crl;
+		EVP_PKEY *pkey;
+		} data;
+	} X509_OBJECT;
+
+typedef struct x509_lookup_st X509_LOOKUP;
+
+DECLARE_STACK_OF(X509_LOOKUP)
+
+/* This is a static that defines the function interface */
+typedef struct x509_lookup_method_st
+	{
+	const char *name;
+	int (*new_item)(X509_LOOKUP *ctx);
+	void (*free)(X509_LOOKUP *ctx);
+	int (*init)(X509_LOOKUP *ctx);
+	int (*shutdown)(X509_LOOKUP *ctx);
+	int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl,
+			char **ret);
+	int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name,
+			      X509_OBJECT *ret);
+	int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name,
+				    ASN1_INTEGER *serial,X509_OBJECT *ret);
+	int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type,
+				  unsigned char *bytes,int len,
+				  X509_OBJECT *ret);
+	int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len,
+			    X509_OBJECT *ret);
+	} X509_LOOKUP_METHOD;
+
+typedef struct x509_store_state_st X509_STORE_CTX;
+
+/* This is used to hold everything.  It is used for all certificate
+ * validation.  Once we have a certificate chain, the 'verify'
+ * function is then called to actually check the cert chain. */
+typedef struct x509_store_st
+	{
+	/* The following is a cache of trusted certs */
+	int cache; 	/* if true, stash any hits */
+#ifdef HEADER_LHASH_H
+	LHASH *certs;	/* cached certs; */ 
+#else
+	char *certs;
+#endif
+
+	/* These are external lookup methods */
+	STACK_OF(X509_LOOKUP) *get_cert_methods;
+	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
+	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */
+
+	CRYPTO_EX_DATA ex_data;
+	int references;
+	int depth;		/* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
+	}  X509_STORE;
+
+#define X509_STORE_set_depth(ctx,d)       ((ctx)->depth=(d))
+
+#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
+#define X509_STORE_set_verify_func(ctx,func)	((ctx)->verify=(func))
+
+/* This is the functions plus an instance of the local variables. */
+struct x509_lookup_st
+	{
+	int init;			/* have we been started */
+	int skip;			/* don't use us. */
+	X509_LOOKUP_METHOD *method;	/* the functions */
+	char *method_data;		/* method data */
+
+	X509_STORE *store_ctx;	/* who owns us */
+	};
+
+/* This is a temporary used when processing cert chains.  Since the
+ * gathering of the cert chain can take some time (and have to be
+ * 'retried', this needs to be kept and passed around. */
+struct x509_store_state_st      /* X509_STORE_CTX */
+	{
+	X509_STORE *ctx;
+	int current_method;	/* used when looking up certs */
+
+	/* The following are set by the caller */
+	X509 *cert;		/* The cert to check */
+	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */
+	int purpose;		/* purpose to check untrusted certificates */
+	int trust;		/* trust setting to check */
+
+	/* The following is built up */
+	int depth;		/* how far to go looking up certs */
+	int valid;		/* if 0, rebuild chain */
+	int last_untrusted;	/* index of last untrusted cert */
+	STACK_OF(X509) *chain; 		/* chain of X509s - built up and trusted */
+
+	/* When something goes wrong, this is why */
+	int error_depth;
+	int error;
+	X509 *current_cert;
+
+	CRYPTO_EX_DATA ex_data;
+	};
+
+#define X509_STORE_CTX_set_depth(ctx,d)       ((ctx)->depth=(d))
+
+#define X509_STORE_CTX_set_app_data(ctx,data) \
+	X509_STORE_CTX_set_ex_data(ctx,0,data)
+#define X509_STORE_CTX_get_app_data(ctx) \
+	X509_STORE_CTX_get_ex_data(ctx,0)
+
+#define X509_L_FILE_LOAD	1
+#define X509_L_ADD_DIR		2
+
+#define X509_LOOKUP_load_file(x,name,type) \
+		X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
+
+#define X509_LOOKUP_add_dir(x,name,type) \
+		X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
+
+#define		X509_V_OK					0
+/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
+
+#define		X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT		2
+#define		X509_V_ERR_UNABLE_TO_GET_CRL			3
+#define		X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE	4
+#define		X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE	5
+#define		X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY	6
+#define		X509_V_ERR_CERT_SIGNATURE_FAILURE		7
+#define		X509_V_ERR_CRL_SIGNATURE_FAILURE		8
+#define		X509_V_ERR_CERT_NOT_YET_VALID			9	
+#define		X509_V_ERR_CERT_HAS_EXPIRED			10
+#define		X509_V_ERR_CRL_NOT_YET_VALID			11
+#define		X509_V_ERR_CRL_HAS_EXPIRED			12
+#define		X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD	13
+#define		X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD	14
+#define		X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD	15
+#define		X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD	16
+#define		X509_V_ERR_OUT_OF_MEM				17
+#define		X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT		18
+#define		X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN		19
+#define		X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY	20
+#define		X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	21
+#define		X509_V_ERR_CERT_CHAIN_TOO_LONG			22
+#define		X509_V_ERR_CERT_REVOKED				23
+#define		X509_V_ERR_INVALID_CA				24
+#define		X509_V_ERR_PATH_LENGTH_EXCEEDED			25
+#define		X509_V_ERR_INVALID_PURPOSE			26
+#define		X509_V_ERR_CERT_UNTRUSTED			27
+#define		X509_V_ERR_CERT_REJECTED			28
+
+/* The application is not happy */
+#define		X509_V_ERR_APPLICATION_VERIFICATION		50
+
+		  /* These functions are being redefined in another directory,
+		     and clash when the linker is case-insensitive, so let's
+		     hide them a little, by giving them an extra 'o' at the
+		     beginning of the name... */
+#ifdef VMS
+#undef X509v3_cleanup_extensions
+#define X509v3_cleanup_extensions oX509v3_cleanup_extensions
+#undef X509v3_add_extension
+#define X509v3_add_extension oX509v3_add_extension
+#undef X509v3_add_netscape_extensions
+#define X509v3_add_netscape_extensions oX509v3_add_netscape_extensions
+#undef X509v3_add_standard_extensions
+#define X509v3_add_standard_extensions oX509v3_add_standard_extensions
+#endif
+
+#ifdef HEADER_LHASH_H
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h,int type,X509_NAME *name);
+#endif
+void X509_OBJECT_up_ref_count(X509_OBJECT *a);
+void X509_OBJECT_free_contents(X509_OBJECT *a);
+X509_STORE *X509_STORE_new(void );
+void X509_STORE_free(X509_STORE *v);
+
+X509_STORE_CTX *X509_STORE_CTX_new(void);
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+			 X509 *x509, STACK_OF(X509) *chain);
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
+
+X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
+
+X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
+X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+
+int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
+int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
+
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
+	X509_OBJECT *ret);
+
+int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
+	long argl, char **ret);
+
+#ifndef NO_STDIO
+int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
+int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
+int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
+#endif
+
+
+X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
+void X509_LOOKUP_free(X509_LOOKUP *ctx);
+int X509_LOOKUP_init(X509_LOOKUP *ctx);
+int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
+	X509_OBJECT *ret);
+int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
+	ASN1_INTEGER *serial, X509_OBJECT *ret);
+int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+	unsigned char *bytes, int len, X509_OBJECT *ret);
+int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
+	int len, X509_OBJECT *ret);
+int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
+
+#ifndef NO_STDIO
+int	X509_STORE_load_locations (X509_STORE *ctx,
+		const char *file, const char *dir);
+int	X509_STORE_set_default_paths(X509_STORE *ctx);
+#endif
+
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int	X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
+void *	X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
+int	X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+void	X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
+int	X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+X509 *	X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
+void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
+void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+				int purpose, int trust);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/crypto/x509/x509name.c b/crypto/openssl/crypto/x509/x509name.c
new file mode 100644
index 0000000..4c20e03
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509name.c
@@ -0,0 +1,383 @@
+/* crypto/x509/x509name.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
+	{
+	ASN1_OBJECT *obj;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL) return(-1);
+	return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
+	}
+
+int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
+	     int len)
+	{
+	int i;
+	ASN1_STRING *data;
+
+	i=X509_NAME_get_index_by_OBJ(name,obj,-1);
+	if (i < 0) return(-1);
+	data=X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
+	i=(data->length > (len-1))?(len-1):data->length;
+	if (buf == NULL) return(data->length);
+	memcpy(buf,data->data,i);
+	buf[i]='\0';
+	return(i);
+	}
+
+int X509_NAME_entry_count(X509_NAME *name)
+	{
+	if (name == NULL) return(0);
+	return(sk_X509_NAME_ENTRY_num(name->entries));
+	}
+
+int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
+	{
+	ASN1_OBJECT *obj;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL) return(-2);
+	return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
+	}
+
+/* NOTE: you should be passsing -1, not 0 as lastpos */
+int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
+	     int lastpos)
+	{
+	int n;
+	X509_NAME_ENTRY *ne;
+	STACK_OF(X509_NAME_ENTRY) *sk;
+
+	if (name == NULL) return(-1);
+	if (lastpos < 0)
+		lastpos= -1;
+	sk=name->entries;
+	n=sk_X509_NAME_ENTRY_num(sk);
+	for (lastpos++; lastpos < n; lastpos++)
+		{
+		ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
+		if (OBJ_cmp(ne->object,obj) == 0)
+			return(lastpos);
+		}
+	return(-1);
+	}
+
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
+	{
+	if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
+	   || loc < 0)
+		return(NULL);
+	else
+		return(sk_X509_NAME_ENTRY_value(name->entries,loc));
+	}
+
+X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
+	{
+	X509_NAME_ENTRY *ret;
+	int i,n,set_prev,set_next;
+	STACK_OF(X509_NAME_ENTRY) *sk;
+
+	if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
+	    || loc < 0)
+		return(NULL);
+	sk=name->entries;
+	ret=sk_X509_NAME_ENTRY_delete(sk,loc);
+	n=sk_X509_NAME_ENTRY_num(sk);
+	name->modified=1;
+	if (loc == n) return(ret);
+
+	/* else we need to fixup the set field */
+	if (loc != 0)
+		set_prev=(sk_X509_NAME_ENTRY_value(sk,loc-1))->set;
+	else
+		set_prev=ret->set-1;
+	set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
+
+	/* set_prev is the previous set
+	 * set is the current set
+	 * set_next is the following
+	 * prev  1 1	1 1	1 1	1 1
+	 * set   1	1	2	2
+	 * next  1 1	2 2	2 2	3 2
+	 * so basically only if prev and next differ by 2, then
+	 * re-number down by 1 */
+	if (set_prev+1 < set_next)
+		for (i=loc; i<n; i++)
+			sk_X509_NAME_ENTRY_value(sk,i)->set--;
+	return(ret);
+	}
+
+int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
+int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
+int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
+/* if set is -1, append to previous set, 0 'a new one', and 1,
+ * prepend to the guy we are about to stomp on. */
+int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
+	     int set)
+	{
+	X509_NAME_ENTRY *new_name=NULL;
+	int n,i,inc;
+	STACK_OF(X509_NAME_ENTRY) *sk;
+
+	if (name == NULL) return(0);
+	sk=name->entries;
+	n=sk_X509_NAME_ENTRY_num(sk);
+	if (loc > n) loc=n;
+	else if (loc < 0) loc=n;
+
+	name->modified=1;
+
+	if (set == -1)
+		{
+		if (loc == 0)
+			{
+			set=0;
+			inc=1;
+			}
+		else
+			{
+			set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
+			inc=0;
+			}
+		}
+	else /* if (set >= 0) */
+		{
+		if (loc >= n)
+			{
+			if (loc != 0)
+				set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
+			else
+				set=0;
+			}
+		else
+			set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
+		inc=(set == 0)?1:0;
+		}
+
+	if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
+		goto err;
+	new_name->set=set;
+	if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
+		{
+		X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if (inc)
+		{
+		n=sk_X509_NAME_ENTRY_num(sk);
+		for (i=loc+1; i<n; i++)
+			sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
+		}	
+	return(1);
+err:
+	if (new_name != NULL)
+		X509_NAME_ENTRY_free(new_name);
+	return(0);
+	}
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
+		char *field, int type, unsigned char *bytes, int len)
+	{
+	ASN1_OBJECT *obj;
+	X509_NAME_ENTRY *nentry;
+
+	obj=OBJ_txt2obj(field, 0);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
+						X509_R_INVALID_FIELD_NAME);
+		ERR_add_error_data(2, "name=", field);
+		return(NULL);
+		}
+	nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
+	ASN1_OBJECT_free(obj);
+	return nentry;
+	}
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
+	     int type, unsigned char *bytes, int len)
+	{
+	ASN1_OBJECT *obj;
+	X509_NAME_ENTRY *nentry;
+
+	obj=OBJ_nid2obj(nid);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
+		return(NULL);
+		}
+	nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
+	ASN1_OBJECT_free(obj);
+	return nentry;
+	}
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
+	     ASN1_OBJECT *obj, int type, unsigned char *bytes, int len)
+	{
+	X509_NAME_ENTRY *ret;
+
+	if ((ne == NULL) || (*ne == NULL))
+		{
+		if ((ret=X509_NAME_ENTRY_new()) == NULL)
+			return(NULL);
+		}
+	else
+		ret= *ne;
+
+	if (!X509_NAME_ENTRY_set_object(ret,obj))
+		goto err;
+	if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
+		goto err;
+
+	if ((ne != NULL) && (*ne == NULL)) *ne=ret;
+	return(ret);
+err:
+	if ((ne == NULL) || (ret != *ne))
+		X509_NAME_ENTRY_free(ret);
+	return(NULL);
+	}
+
+int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
+	{
+	if ((ne == NULL) || (obj == NULL))
+		{
+		X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	ASN1_OBJECT_free(ne->object);
+	ne->object=OBJ_dup(obj);
+	return((ne->object == NULL)?0:1);
+	}
+
+int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
+	     unsigned char *bytes, int len)
+	{
+	int i;
+
+	if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
+	if((type > 0) && (type & MBSTRING_FLAG)) 
+		return ASN1_STRING_set_by_NID(&ne->value, bytes,
+						len, type,
+					OBJ_obj2nid(ne->object)) ? 1 : 0;
+	if (len < 0) len=strlen((char *)bytes);
+	i=ASN1_STRING_set(ne->value,bytes,len);
+	if (!i) return(0);
+	if (type != V_ASN1_UNDEF)
+		{
+		if (type == V_ASN1_APP_CHOOSE)
+			ne->value->type=ASN1_PRINTABLE_type(bytes,len);
+		else
+			ne->value->type=type;
+		}
+	return(1);
+	}
+
+ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
+	{
+	if (ne == NULL) return(NULL);
+	return(ne->object);
+	}
+
+ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
+	{
+	if (ne == NULL) return(NULL);
+	return(ne->value);
+	}
+
diff --git a/crypto/openssl/crypto/x509/x509rset.c b/crypto/openssl/crypto/x509/x509rset.c
new file mode 100644
index 0000000..d9f6b57
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509rset.c
@@ -0,0 +1,83 @@
+/* crypto/x509/x509rset.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_REQ_set_version(X509_REQ *x, long version)
+	{
+	if (x == NULL) return(0);
+	return(ASN1_INTEGER_set(x->req_info->version,version));
+	}
+
+int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
+	{
+	if ((x == NULL) || (x->req_info == NULL)) return(0);
+	return(X509_NAME_set(&x->req_info->subject,name));
+	}
+
+int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
+	{
+	if ((x == NULL) || (x->req_info == NULL)) return(0);
+	return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
+	}
+
diff --git a/crypto/openssl/crypto/x509/x509spki.c b/crypto/openssl/crypto/x509/x509spki.c
new file mode 100644
index 0000000..b35c3f9
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509spki.c
@@ -0,0 +1,121 @@
+/* x509spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
+{
+	if ((x == NULL) || (x->spkac == NULL)) return(0);
+	return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
+}
+
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
+{
+	if ((x == NULL) || (x->spkac == NULL))
+		return(NULL);
+	return(X509_PUBKEY_get(x->spkac->pubkey));
+}
+
+/* Load a Netscape SPKI from a base64 encoded string */
+
+NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
+{
+	unsigned char *spki_der, *p;
+	int spki_len;
+	NETSCAPE_SPKI *spki;
+	if(len <= 0) len = strlen(str);
+	if (!(spki_der = Malloc(len + 1))) {
+		X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
+	if(spki_len < 0) {
+		X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
+						X509_R_BASE64_DECODE_ERROR);
+		Free(spki_der);
+		return NULL;
+	}
+	p = spki_der;
+	spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
+	Free(spki_der);
+	return spki;
+}
+
+/* Generate a base64 encoded string from an SPKI */
+
+char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
+{
+	unsigned char *der_spki, *p;
+	char *b64_str;
+	int der_len;
+	der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+	der_spki = Malloc(der_len);
+	b64_str = Malloc(der_len * 2);
+	if(!der_spki || !b64_str) {
+		X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	p = der_spki;
+	i2d_NETSCAPE_SPKI(spki, &p);
+	EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
+	Free(der_spki);
+	return b64_str;
+}
diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c
new file mode 100644
index 0000000..8e78b34
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509type.c
@@ -0,0 +1,114 @@
+/* crypto/x509/x509type.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
+	{
+	EVP_PKEY *pk;
+	int ret=0,i;
+
+	if (x == NULL) return(0);
+
+	if (pkey == NULL)
+		pk=X509_get_pubkey(x);
+	else
+		pk=pkey;
+
+	if (pk == NULL) return(0);
+
+	switch (pk->type)
+		{
+	case EVP_PKEY_RSA:
+		ret=EVP_PK_RSA|EVP_PKT_SIGN;
+/*		if (!sign only extension) */
+			ret|=EVP_PKT_ENC;
+	break;
+	case EVP_PKEY_DSA:
+		ret=EVP_PK_DSA|EVP_PKT_SIGN;
+		break;
+	case EVP_PKEY_DH:
+		ret=EVP_PK_DH|EVP_PKT_EXCH;
+		break;
+	default:
+		break;
+		}
+
+	i=X509_get_signature_type(x);
+	switch (i)
+		{
+	case EVP_PKEY_RSA:
+		ret|=EVP_PKS_RSA;
+		break;
+	case EVP_PKS_DSA:
+		ret|=EVP_PKS_DSA;
+		break;
+	default:
+		break;
+		}
+
+	if (EVP_PKEY_size(pk) <= 512)
+		ret|=EVP_PKT_EXP;
+	if(pkey==NULL) EVP_PKEY_free(pk);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/crypto/x509/x_all.c b/crypto/openssl/crypto/x509/x_all.c
new file mode 100644
index 0000000..d2bf3c8
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x_all.c
@@ -0,0 +1,531 @@
+/* crypto/x509/x_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_verify(X509 *a, EVP_PKEY *r)
+	{
+	return(ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,
+		a->signature,(char *)a->cert_info,r));
+	}
+
+int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
+	{
+	return( ASN1_verify((int (*)())i2d_X509_REQ_INFO,
+		a->sig_alg,a->signature,(char *)a->req_info,r));
+	}
+
+int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r)
+	{
+	return(ASN1_verify((int (*)())i2d_X509_CRL_INFO,
+		a->sig_alg, a->signature,(char *)a->crl,r));
+	}
+
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
+	{
+	return(ASN1_verify((int (*)())i2d_NETSCAPE_SPKAC,
+		a->sig_algor,a->signature, (char *)a->spkac,r));
+	}
+
+int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
+	{
+	return(ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature,
+		x->sig_alg, x->signature, (char *)x->cert_info,pkey,md));
+	}
+
+int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
+	{
+	return(ASN1_sign((int (*)())i2d_X509_REQ_INFO,x->sig_alg, NULL,
+		x->signature, (char *)x->req_info,pkey,md));
+	}
+
+int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
+	{
+	return(ASN1_sign((int (*)())i2d_X509_CRL_INFO,x->crl->sig_alg,
+		x->sig_alg, x->signature, (char *)x->crl,pkey,md));
+	}
+
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
+	{
+	return(ASN1_sign((int (*)())i2d_NETSCAPE_SPKAC, x->sig_algor,NULL,
+		x->signature, (char *)x->spkac,pkey,md));
+	}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa)
+	{
+	return((X509_ATTRIBUTE *)ASN1_dup((int (*)())i2d_X509_ATTRIBUTE,
+		(char *(*)())d2i_X509_ATTRIBUTE,(char *)xa));
+	}
+
+X509 *X509_dup(X509 *x509)
+	{
+	return((X509 *)ASN1_dup((int (*)())i2d_X509,
+		(char *(*)())d2i_X509,(char *)x509));
+	}
+
+X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex)
+	{
+	return((X509_EXTENSION *)ASN1_dup(
+		(int (*)())i2d_X509_EXTENSION,
+		(char *(*)())d2i_X509_EXTENSION,(char *)ex));
+	}
+
+#ifndef NO_FP_API
+X509 *d2i_X509_fp(FILE *fp, X509 **x509)
+	{
+	return((X509 *)ASN1_d2i_fp((char *(*)())X509_new,
+		(char *(*)())d2i_X509, (fp),(unsigned char **)(x509)));
+	}
+
+int i2d_X509_fp(FILE *fp, X509 *x509)
+	{
+	return(ASN1_i2d_fp(i2d_X509,fp,(unsigned char *)x509));
+	}
+#endif
+
+X509 *d2i_X509_bio(BIO *bp, X509 **x509)
+	{
+	return((X509 *)ASN1_d2i_bio((char *(*)())X509_new,
+		(char *(*)())d2i_X509, (bp),(unsigned char **)(x509)));
+	}
+
+int i2d_X509_bio(BIO *bp, X509 *x509)
+	{
+	return(ASN1_i2d_bio(i2d_X509,bp,(unsigned char *)x509));
+	}
+
+X509_CRL *X509_CRL_dup(X509_CRL *crl)
+	{
+	return((X509_CRL *)ASN1_dup((int (*)())i2d_X509_CRL,
+		(char *(*)())d2i_X509_CRL,(char *)crl));
+	}
+
+#ifndef NO_FP_API
+X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
+	{
+	return((X509_CRL *)ASN1_d2i_fp((char *(*)())
+		X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),
+		(unsigned char **)(crl)));
+	}
+
+int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
+	{
+	return(ASN1_i2d_fp(i2d_X509_CRL,fp,(unsigned char *)crl));
+	}
+#endif
+
+X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
+	{
+	return((X509_CRL *)ASN1_d2i_bio((char *(*)())
+		X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),
+		(unsigned char **)(crl)));
+	}
+
+int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
+	{
+	return(ASN1_i2d_bio(i2d_X509_CRL,bp,(unsigned char *)crl));
+	}
+
+PKCS7 *PKCS7_dup(PKCS7 *p7)
+	{
+	return((PKCS7 *)ASN1_dup((int (*)())i2d_PKCS7,
+		(char *(*)())d2i_PKCS7,(char *)p7));
+	}
+
+#ifndef NO_FP_API
+PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
+	{
+	return((PKCS7 *)ASN1_d2i_fp((char *(*)())
+		PKCS7_new,(char *(*)())d2i_PKCS7, (fp),
+		(unsigned char **)(p7)));
+	}
+
+int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
+	{
+	return(ASN1_i2d_fp(i2d_PKCS7,fp,(unsigned char *)p7));
+	}
+#endif
+
+PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
+	{
+	return((PKCS7 *)ASN1_d2i_bio((char *(*)())
+		PKCS7_new,(char *(*)())d2i_PKCS7, (bp),
+		(unsigned char **)(p7)));
+	}
+
+int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
+	{
+	return(ASN1_i2d_bio(i2d_PKCS7,bp,(unsigned char *)p7));
+	}
+
+X509_REQ *X509_REQ_dup(X509_REQ *req)
+	{
+	return((X509_REQ *)ASN1_dup((int (*)())i2d_X509_REQ,
+		(char *(*)())d2i_X509_REQ,(char *)req));
+	}
+
+#ifndef NO_FP_API
+X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
+	{
+	return((X509_REQ *)ASN1_d2i_fp((char *(*)())
+		X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),
+		(unsigned char **)(req)));
+	}
+
+int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
+	{
+	return(ASN1_i2d_fp(i2d_X509_REQ,fp,(unsigned char *)req));
+	}
+#endif
+
+X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
+	{
+	return((X509_REQ *)ASN1_d2i_bio((char *(*)())
+		X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),
+		(unsigned char **)(req)));
+	}
+
+int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
+	{
+	return(ASN1_i2d_bio(i2d_X509_REQ,bp,(unsigned char *)req));
+	}
+
+#ifndef NO_RSA
+RSA *RSAPublicKey_dup(RSA *rsa)
+	{
+	return((RSA *)ASN1_dup((int (*)())i2d_RSAPublicKey,
+		(char *(*)())d2i_RSAPublicKey,(char *)rsa));
+	}
+
+RSA *RSAPrivateKey_dup(RSA *rsa)
+	{
+	return((RSA *)ASN1_dup((int (*)())i2d_RSAPrivateKey,
+		(char *(*)())d2i_RSAPrivateKey,(char *)rsa));
+	}
+
+#ifndef NO_FP_API
+RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_fp((char *(*)())
+		RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp),
+		(unsigned char **)(rsa)));
+	}
+
+int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
+	{
+	return(ASN1_i2d_fp(i2d_RSAPrivateKey,fp,(unsigned char *)rsa));
+	}
+
+RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_fp((char *(*)())
+		RSA_new,(char *(*)())d2i_RSAPublicKey, (fp),
+		(unsigned char **)(rsa)));
+	}
+
+RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_fp((char *(*)())
+		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (fp),
+		(unsigned char **)(rsa)));
+	}
+
+int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
+	{
+	return(ASN1_i2d_fp(i2d_RSAPublicKey,fp,(unsigned char *)rsa));
+	}
+
+int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
+	{
+	return(ASN1_i2d_fp(i2d_RSA_PUBKEY,fp,(unsigned char *)rsa));
+	}
+#endif
+
+RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_bio((char *(*)())
+		RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp),
+		(unsigned char **)(rsa)));
+	}
+
+int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
+	{
+	return(ASN1_i2d_bio(i2d_RSAPrivateKey,bp,(unsigned char *)rsa));
+	}
+
+RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_bio((char *(*)())
+		RSA_new,(char *(*)())d2i_RSAPublicKey, (bp),
+		(unsigned char **)(rsa)));
+	}
+
+RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_bio((char *(*)())
+		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (bp),
+		(unsigned char **)(rsa)));
+	}
+
+int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
+	{
+	return(ASN1_i2d_bio(i2d_RSAPublicKey,bp,(unsigned char *)rsa));
+	}
+
+int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
+	{
+	return(ASN1_i2d_bio(i2d_RSA_PUBKEY,bp,(unsigned char *)rsa));
+	}
+#endif
+
+#ifndef NO_DSA
+#ifndef NO_FP_API
+DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_fp((char *(*)())
+		DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
+	{
+	return(ASN1_i2d_fp(i2d_DSAPrivateKey,fp,(unsigned char *)dsa));
+	}
+
+DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_fp((char *(*)())
+		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (fp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
+	{
+	return(ASN1_i2d_fp(i2d_DSA_PUBKEY,fp,(unsigned char *)dsa));
+	}
+#endif
+
+DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_bio((char *(*)())
+		DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
+	{
+	return(ASN1_i2d_bio(i2d_DSAPrivateKey,bp,(unsigned char *)dsa));
+	}
+
+DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_bio((char *(*)())
+		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (bp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
+	{
+	return(ASN1_i2d_bio(i2d_DSA_PUBKEY,bp,(unsigned char *)dsa));
+	}
+
+#endif
+
+X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn)
+	{
+	return((X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,
+	(char *(*)())d2i_X509_ALGOR,(char *)xn));
+	}
+
+X509_NAME *X509_NAME_dup(X509_NAME *xn)
+	{
+	return((X509_NAME *)ASN1_dup((int (*)())i2d_X509_NAME,
+		(char *(*)())d2i_X509_NAME,(char *)xn));
+	}
+
+X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
+	{
+	return((X509_NAME_ENTRY *)ASN1_dup((int (*)())i2d_X509_NAME_ENTRY,
+		(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
+	}
+
+int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
+	     unsigned int *len)
+	{
+	return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
+	}
+
+int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
+	     unsigned int *len)
+	{
+	return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
+	}
+
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
+	     unsigned char *md, unsigned int *len)
+	{
+	return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
+		(char *)data,md,len));
+	}
+
+
+#ifndef NO_FP_API
+X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
+	{
+	return((X509_SIG *)ASN1_d2i_fp((char *(*)())X509_SIG_new,
+		(char *(*)())d2i_X509_SIG, (fp),(unsigned char **)(p8)));
+	}
+
+int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
+	{
+	return(ASN1_i2d_fp(i2d_X509_SIG,fp,(unsigned char *)p8));
+	}
+#endif
+
+X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
+	{
+	return((X509_SIG *)ASN1_d2i_bio((char *(*)())X509_SIG_new,
+		(char *(*)())d2i_X509_SIG, (bp),(unsigned char **)(p8)));
+	}
+
+int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
+	{
+	return(ASN1_i2d_bio(i2d_X509_SIG,bp,(unsigned char *)p8));
+	}
+
+#ifndef NO_FP_API
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
+						 PKCS8_PRIV_KEY_INFO **p8inf)
+	{
+	return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_fp(
+		(char *(*)())PKCS8_PRIV_KEY_INFO_new,
+		(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (fp),
+				(unsigned char **)(p8inf)));
+	}
+
+int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
+	{
+	return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf));
+	}
+
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}
+
+int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
+	{
+	return(ASN1_i2d_fp(i2d_PrivateKey,fp,(unsigned char *)pkey));
+	}
+
+EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
+{
+	return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
+		(char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
+}
+
+#endif
+
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
+						 PKCS8_PRIV_KEY_INFO **p8inf)
+	{
+	return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_bio(
+		(char *(*)())PKCS8_PRIV_KEY_INFO_new,
+		(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (bp),
+				(unsigned char **)(p8inf)));
+	}
+
+int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
+	{
+	return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf));
+	}
+
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}
+
+int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
+	{
+	return(ASN1_i2d_bio(i2d_PrivateKey,bp,(unsigned char *)pkey));
+	}
+
+EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
+	{
+	return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
+		(char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
+	}
diff --git a/crypto/openssl/crypto/x509v3/Makefile.save b/crypto/openssl/crypto/x509v3/Makefile.save
new file mode 100644
index 0000000..8cf90be
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/Makefile.save
@@ -0,0 +1,469 @@
+#
+# SSLeay/crypto/x509v3/Makefile
+#
+
+DIR=	x509v3
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
+v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
+LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509v3.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_akey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_akey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_akey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_akey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_akey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_akey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_akey.o: ../cryptlib.h
+v3_alt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_alt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_alt.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_alt.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_alt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_alt.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_alt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_alt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_bcons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_bcons.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_bcons.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_bcons.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_bcons.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_bcons.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_conf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_conf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_conf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_conf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_conf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_conf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_cpols.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_cpols.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_cpols.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_cpols.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_cpols.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_cpols.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_crld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_crld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_crld.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_crld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_crld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_crld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_crld.o: ../cryptlib.h
+v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_enum.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_enum.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_enum.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_enum.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_enum.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_enum.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_extku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_extku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_extku.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_extku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_extku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_extku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_extku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_extku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_extku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_genn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_genn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_genn.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_genn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_genn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_genn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_genn.o: ../cryptlib.h
+v3_ia5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ia5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_ia5.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_ia5.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_ia5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_ia5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_ia5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_ia5.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_info.o: ../cryptlib.h
+v3_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_int.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_int.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_int.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_int.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_int.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_int.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_int.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
+v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_pku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_pku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_pku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_pku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_pku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_pku.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_pku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pku.o: ../cryptlib.h
+v3_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_prn.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_prn.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_prn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_prn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_purp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_purp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_purp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_purp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_purp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_skey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_skey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_skey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_skey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_skey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_skey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_sxnet.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_sxnet.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_sxnet.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_sxnet.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_sxnet.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_sxnet.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_utl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_utl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_utl.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3err.o: ../../include/openssl/x509v3.h
diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl
new file mode 100644
index 0000000..8cf90be
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/Makefile.ssl
@@ -0,0 +1,469 @@
+#
+# SSLeay/crypto/x509v3/Makefile
+#
+
+DIR=	x509v3
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
+v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
+LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509v3.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_akey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_akey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_akey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_akey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_akey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_akey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_akey.o: ../cryptlib.h
+v3_alt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_alt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_alt.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_alt.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_alt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_alt.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_alt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_alt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_bcons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_bcons.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_bcons.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_bcons.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_bcons.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_bcons.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_conf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_conf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_conf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_conf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_conf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_conf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_cpols.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_cpols.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_cpols.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_cpols.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_cpols.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_cpols.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_crld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_crld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_crld.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_crld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_crld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_crld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_crld.o: ../cryptlib.h
+v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_enum.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_enum.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_enum.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_enum.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_enum.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_enum.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_extku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_extku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_extku.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_extku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_extku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_extku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_extku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_extku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_extku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_genn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_genn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_genn.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_genn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_genn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_genn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_genn.o: ../cryptlib.h
+v3_ia5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ia5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_ia5.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_ia5.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_ia5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_ia5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_ia5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_ia5.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_info.o: ../cryptlib.h
+v3_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_int.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_int.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_int.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_int.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_int.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_int.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_int.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
+v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_pku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_pku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_pku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_pku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_pku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_pku.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_pku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pku.o: ../cryptlib.h
+v3_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_prn.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_prn.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_prn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_prn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_purp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_purp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_purp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_purp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_purp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_skey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_skey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_skey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_skey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_skey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_skey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_sxnet.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_sxnet.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_sxnet.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_sxnet.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_sxnet.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_sxnet.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_utl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_utl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_utl.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3err.o: ../../include/openssl/x509v3.h
diff --git a/crypto/openssl/crypto/x509v3/README b/crypto/openssl/crypto/x509v3/README
new file mode 100644
index 0000000..3b2cc04
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/README
@@ -0,0 +1,4 @@
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+
+This is ***VERY*** new experimental code and is likely to change
+considerably or vanish altogether.
diff --git a/crypto/openssl/crypto/x509v3/ext_dat.h b/crypto/openssl/crypto/x509v3/ext_dat.h
new file mode 100644
index 0000000..801a585
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/ext_dat.h
@@ -0,0 +1,97 @@
+/* ext_dat.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* This file contains a table of "standard" extensions */
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+
+/* This table will be searched using OBJ_bsearch so it *must* kept in
+ * order of the ext_nid values.
+ */
+
+static X509V3_EXT_METHOD *standard_exts[] = {
+&v3_nscert,
+&v3_ns_ia5_list[0],
+&v3_ns_ia5_list[1],
+&v3_ns_ia5_list[2],
+&v3_ns_ia5_list[3],
+&v3_ns_ia5_list[4],
+&v3_ns_ia5_list[5],
+&v3_ns_ia5_list[6],
+&v3_skey_id,
+&v3_key_usage,
+&v3_pkey_usage_period,
+&v3_alt[0],
+&v3_alt[1],
+&v3_bcons,
+&v3_crl_num,
+&v3_cpols,
+&v3_akey_id,
+&v3_crld,
+&v3_ext_ku,
+&v3_crl_reason,
+&v3_sxnet,
+&v3_info,
+};
+
+/* Number of standard extensions */
+
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
+
diff --git a/crypto/openssl/crypto/x509v3/tabtest.c b/crypto/openssl/crypto/x509v3/tabtest.c
new file mode 100644
index 0000000..dad0d38
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/tabtest.c
@@ -0,0 +1,88 @@
+/* tabtest.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple program to check the ext_dat.h is correct and print out
+ * problems if it is not.
+ */
+
+#include <stdio.h>
+
+#include <openssl/x509v3.h>
+
+#include "ext_dat.h"
+
+main()
+{
+	int i, prev = -1, bad = 0;
+	X509V3_EXT_METHOD **tmp;
+	i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
+	if(i != STANDARD_EXTENSION_COUNT)
+		fprintf(stderr, "Extension number invalid expecting %d\n", i);
+	tmp = standard_exts;
+	for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) {
+		if((*tmp)->ext_nid < prev) bad = 1;
+		prev = (*tmp)->ext_nid;
+		
+	}
+	if(bad) {
+		tmp = standard_exts;
+		fprintf(stderr, "Extensions out of order!\n");
+		for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
+		printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
+	} else fprintf(stderr, "Order OK\n");
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_akey.c b/crypto/openssl/crypto/x509v3/v3_akey.c
new file mode 100644
index 0000000..96c04fe
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_akey.c
@@ -0,0 +1,249 @@
+/* v3_akey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+			AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+			X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_akey_id = {
+NID_authority_key_identifier, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_KEYID_new,
+(X509V3_EXT_FREE)AUTHORITY_KEYID_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_KEYID,
+(X509V3_EXT_I2D)i2d_AUTHORITY_KEYID,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len_IMP_opt (a->issuer, i2d_GENERAL_NAMES);
+	M_ASN1_I2D_len_IMP_opt (a->serial, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING, 0);
+	M_ASN1_I2D_put_IMP_opt (a->issuer, i2d_GENERAL_NAMES, 1);
+	M_ASN1_I2D_put_IMP_opt (a->serial, i2d_ASN1_INTEGER, 2);
+
+	M_ASN1_I2D_finish();
+}
+
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void)
+{
+	AUTHORITY_KEYID *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, AUTHORITY_KEYID);
+	ret->keyid = NULL;
+	ret->issuer = NULL;
+	ret->serial = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_AUTHORITY_KEYID_NEW);
+}
+
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp,
+	     long length)
+{
+	M_ASN1_D2I_vars(a,AUTHORITY_KEYID *,AUTHORITY_KEYID_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_IMP_opt (ret->keyid, d2i_ASN1_OCTET_STRING, 0,
+							V_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_IMP_opt (ret->issuer, d2i_GENERAL_NAMES, 1,
+							V_ASN1_SEQUENCE);
+	M_ASN1_D2I_get_IMP_opt (ret->serial, d2i_ASN1_INTEGER, 2,
+							V_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a, AUTHORITY_KEYID_free, ASN1_F_D2I_AUTHORITY_KEYID);
+}
+
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
+{
+	if (a == NULL) return;
+	M_ASN1_OCTET_STRING_free(a->keyid);
+	sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
+	M_ASN1_INTEGER_free (a->serial);
+	Free (a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+	     AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
+{
+	char *tmp;
+	if(akeyid->keyid) {
+		tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+		X509V3_add_value("keyid", tmp, &extlist);
+		Free(tmp);
+	}
+	if(akeyid->issuer) 
+		extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+	if(akeyid->serial) {
+		tmp = hex_to_string(akeyid->serial->data,
+						 akeyid->serial->length);
+		X509V3_add_value("serial", tmp, &extlist);
+		Free(tmp);
+	}
+	return extlist;
+}
+
+/* Currently two options:
+ * keyid: use the issuers subject keyid, the value 'always' means its is
+ * an error if the issuer certificate doesn't have a key id.
+ * issuer: use the issuers cert issuer and serial number. The default is
+ * to only use this if keyid is not present. With the option 'always'
+ * this is always included.
+ */
+
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+char keyid=0, issuer=0;
+int i;
+CONF_VALUE *cnf;
+ASN1_OCTET_STRING *ikeyid = NULL;
+X509_NAME *isname = NULL;
+STACK_OF(GENERAL_NAME) * gens = NULL;
+GENERAL_NAME *gen = NULL;
+ASN1_INTEGER *serial = NULL;
+X509_EXTENSION *ext;
+X509 *cert;
+AUTHORITY_KEYID *akeyid;
+for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+	cnf = sk_CONF_VALUE_value(values, i);
+	if(!strcmp(cnf->name, "keyid")) {
+		keyid = 1;
+		if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
+	} else if(!strcmp(cnf->name, "issuer")) {
+		issuer = 1;
+		if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
+	} else {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+		ERR_add_error_data(2, "name=", cnf->name);
+		return NULL;
+	}
+}
+
+
+
+if(!ctx || !ctx->issuer_cert) {
+	if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
+	X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+	return NULL;
+}
+
+cert = ctx->issuer_cert;
+
+if(keyid) {
+	i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+	if((i >= 0)  && (ext = X509_get_ext(cert, i)))
+						 ikeyid = X509V3_EXT_d2i(ext);
+	if(keyid==2 && !ikeyid) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+		return NULL;
+	}
+}
+
+if((issuer && !ikeyid) || (issuer == 2)) {
+	isname = X509_NAME_dup(X509_get_issuer_name(cert));
+	serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+	if(!isname || !serial) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+		goto err;
+	}
+}
+
+if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+if(isname) {
+	if(!(gens = sk_GENERAL_NAME_new(NULL)) || !(gen = GENERAL_NAME_new())
+		|| !sk_GENERAL_NAME_push(gens, gen)) {
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	gen->type = GEN_DIRNAME;
+	gen->d.dirn = isname;
+}
+
+akeyid->issuer = gens;
+akeyid->serial = serial;
+akeyid->keyid = ikeyid;
+
+return akeyid;
+
+err:
+X509_NAME_free(isname);
+M_ASN1_INTEGER_free(serial);
+M_ASN1_OCTET_STRING_free(ikeyid);
+return NULL;
+
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c
new file mode 100644
index 0000000..5ccd1e0
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_alt.c
@@ -0,0 +1,401 @@
+/* v3_alt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+X509V3_EXT_METHOD v3_alt[] = {
+{ NID_subject_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_subject_alt,
+NULL, NULL, NULL},
+{ NID_issuer_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_issuer_alt,
+NULL, NULL, NULL},
+};
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+		STACK_OF(GENERAL_NAME) *gens, STACK_OF(CONF_VALUE) *ret)
+{
+	int i;
+	GENERAL_NAME *gen;
+	for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+		gen = sk_GENERAL_NAME_value(gens, i);
+		ret = i2v_GENERAL_NAME(method, gen, ret);
+	}
+	if(!ret) return sk_CONF_VALUE_new_null();
+	return ret;
+}
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+				GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
+{
+	char oline[256];
+	unsigned char *p;
+	switch (gen->type)
+	{
+		case GEN_OTHERNAME:
+		X509V3_add_value("othername","<unsupported>", &ret);
+		break;
+
+		case GEN_X400:
+		X509V3_add_value("X400Name","<unsupported>", &ret);
+		break;
+
+		case GEN_EDIPARTY:
+		X509V3_add_value("EdiPartyName","<unsupported>", &ret);
+		break;
+
+		case GEN_EMAIL:
+		X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
+		break;
+
+		case GEN_DNS:
+		X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
+		break;
+
+		case GEN_URI:
+		X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
+		break;
+
+		case GEN_DIRNAME:
+		X509_NAME_oneline(gen->d.dirn, oline, 256);
+		X509V3_add_value("DirName",oline, &ret);
+		break;
+
+		case GEN_IPADD:
+		p = gen->d.ip->data;
+		/* BUG: doesn't support IPV6 */
+		if(gen->d.ip->length != 4) {
+			X509V3_add_value("IP Address","<invalid>", &ret);
+			break;
+		}
+		sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+		X509V3_add_value("IP Address",oline, &ret);
+		break;
+
+		case GEN_RID:
+		i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
+		X509V3_add_value("Registered ID",oline, &ret);
+		break;
+	}
+	return ret;
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!name_cmp(cnf->name, "issuer") && cnf->value &&
+						!strcmp(cnf->value, "copy")) {
+			if(!copy_issuer(ctx, gens)) goto err;
+		} else {
+			GENERAL_NAME *gen;
+			if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+								 goto err; 
+			sk_GENERAL_NAME_push(gens, gen);
+		}
+	}
+	return gens;
+	err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+/* Append subject altname of issuer to issuer alt name of subject */
+
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+	STACK_OF(GENERAL_NAME) *ialt;
+	GENERAL_NAME *gen;
+	X509_EXTENSION *ext;
+	int i;
+	if(ctx && (ctx->flags == CTX_TEST)) return 1;
+	if(!ctx || !ctx->issuer_cert) {
+		X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
+		goto err;
+	}
+        i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
+	if(i < 0) return 1;
+        if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
+                        !(ialt = X509V3_EXT_d2i(ext)) ) {
+		X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
+		goto err;
+	}
+
+	for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
+		gen = sk_GENERAL_NAME_value(ialt, i);
+		if(!sk_GENERAL_NAME_push(gens, gen)) {
+			X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+	}
+	sk_GENERAL_NAME_free(ialt);
+
+	return 1;
+		
+	err:
+	return 0;
+	
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!name_cmp(cnf->name, "email") && cnf->value &&
+						!strcmp(cnf->value, "copy")) {
+			if(!copy_email(ctx, gens)) goto err;
+		} else {
+			GENERAL_NAME *gen;
+			if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+								 goto err; 
+			sk_GENERAL_NAME_push(gens, gen);
+		}
+	}
+	return gens;
+	err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+/* Copy any email addresses in a certificate or request to 
+ * GENERAL_NAMES
+ */
+
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+	X509_NAME *nm;
+	ASN1_IA5STRING *email = NULL;
+	X509_NAME_ENTRY *ne;
+	GENERAL_NAME *gen = NULL;
+	int i;
+	if(ctx->flags == CTX_TEST) return 1;
+	if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
+		X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
+		goto err;
+	}
+	/* Find the subject name */
+	if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
+	else nm = X509_REQ_get_subject_name(ctx->subject_req);
+
+	/* Now add any email address(es) to STACK */
+	i = -1;
+	while((i = X509_NAME_get_index_by_NID(nm,
+					 NID_pkcs9_emailAddress, i)) > 0) {
+		ne = X509_NAME_get_entry(nm, i);
+		email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+		if(!email || !(gen = GENERAL_NAME_new())) {
+			X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		gen->d.ia5 = email;
+		email = NULL;
+		gen->type = GEN_EMAIL;
+		if(!sk_GENERAL_NAME_push(gens, gen)) {
+			X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		gen = NULL;
+	}
+
+	
+	return 1;
+		
+	err:
+	GENERAL_NAME_free(gen);
+	M_ASN1_IA5STRING_free(email);
+	return 0;
+	
+}
+
+STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	GENERAL_NAME *gen;
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+		sk_GENERAL_NAME_push(gens, gen);
+	}
+	return gens;
+	err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+							 CONF_VALUE *cnf)
+{
+char is_string = 0;
+int type;
+GENERAL_NAME *gen = NULL;
+
+char *name, *value;
+
+name = cnf->name;
+value = cnf->value;
+
+if(!value) {
+	X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
+	return NULL;
+}
+
+if(!(gen = GENERAL_NAME_new())) {
+	X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+	return NULL;
+}
+
+if(!name_cmp(name, "email")) {
+	is_string = 1;
+	type = GEN_EMAIL;
+} else if(!name_cmp(name, "URI")) {
+	is_string = 1;
+	type = GEN_URI;
+} else if(!name_cmp(name, "DNS")) {
+	is_string = 1;
+	type = GEN_DNS;
+} else if(!name_cmp(name, "RID")) {
+	ASN1_OBJECT *obj;
+	if(!(obj = OBJ_txt2obj(value,0))) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
+		ERR_add_error_data(2, "value=", value);
+		goto err;
+	}
+	gen->d.rid = obj;
+	type = GEN_RID;
+} else if(!name_cmp(name, "IP")) {
+	int i1,i2,i3,i4;
+	unsigned char ip[4];
+	if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) ||
+	    (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
+	    (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
+		ERR_add_error_data(2, "value=", value);
+		goto err;
+	}
+	ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
+	if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) ||
+		!ASN1_STRING_set(gen->d.ip, ip, 4)) {
+			X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+			goto err;
+	}
+	type = GEN_IPADD;
+} else {
+	X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
+	ERR_add_error_data(2, "name=", name);
+	goto err;
+}
+
+if(is_string) {
+	if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
+		      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
+				       strlen(value))) {
+		X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+}
+
+gen->type = type;
+
+return gen;
+
+err:
+GENERAL_NAME_free(gen);
+return NULL;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_bcons.c b/crypto/openssl/crypto/x509v3/v3_bcons.c
new file mode 100644
index 0000000..1e3edc2
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_bcons.c
@@ -0,0 +1,164 @@
+/* v3_bcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_bcons = {
+NID_basic_constraints, 0,
+(X509V3_EXT_NEW)BASIC_CONSTRAINTS_new,
+(X509V3_EXT_FREE)BASIC_CONSTRAINTS_free,
+(X509V3_EXT_D2I)d2i_BASIC_CONSTRAINTS,
+(X509V3_EXT_I2D)i2d_BASIC_CONSTRAINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
+(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+	if(a->ca) M_ASN1_I2D_len (a->ca, i2d_ASN1_BOOLEAN);
+	M_ASN1_I2D_len (a->pathlen, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	if (a->ca) M_ASN1_I2D_put (a->ca, i2d_ASN1_BOOLEAN);
+	M_ASN1_I2D_put (a->pathlen, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_finish();
+}
+
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void)
+{
+	BASIC_CONSTRAINTS *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, BASIC_CONSTRAINTS);
+	ret->ca = 0;
+	ret->pathlen = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_BASIC_CONSTRAINTS_NEW);
+}
+
+BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a,
+	     unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,BASIC_CONSTRAINTS *,BASIC_CONSTRAINTS_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	if((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) ==
+		 (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN) ) {
+			M_ASN1_D2I_get_int (ret->ca, d2i_ASN1_BOOLEAN);
+	}
+	M_ASN1_D2I_get_opt (ret->pathlen, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a, BASIC_CONSTRAINTS_free, ASN1_F_D2I_BASIC_CONSTRAINTS);
+}
+
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
+{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free (a->pathlen);
+	Free (a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
+{
+	X509V3_add_value_bool("CA", bcons->ca, &extlist);
+	X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
+	return extlist;
+}
+
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+	BASIC_CONSTRAINTS *bcons=NULL;
+	CONF_VALUE *val;
+	int i;
+	if(!(bcons = BASIC_CONSTRAINTS_new())) {
+		X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		val = sk_CONF_VALUE_value(values, i);
+		if(!strcmp(val->name, "CA")) {
+			if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
+		} else if(!strcmp(val->name, "pathlen")) {
+			if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
+		} else {
+			X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	return bcons;
+	err:
+	BASIC_CONSTRAINTS_free(bcons);
+	return NULL;
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_bitst.c b/crypto/openssl/crypto/x509v3/v3_bitst.c
new file mode 100644
index 0000000..0e1167d
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_bitst.c
@@ -0,0 +1,141 @@
+/* v3_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				ASN1_BIT_STRING *bits,
+				STACK_OF(CONF_VALUE) *extlist);
+static BIT_STRING_BITNAME ns_cert_type_table[] = {
+{0, "SSL Client", "client"},
+{1, "SSL Server", "server"},
+{2, "S/MIME", "email"},
+{3, "Object Signing", "objsign"},
+{4, "Unused", "reserved"},
+{5, "SSL CA", "sslCA"},
+{6, "S/MIME CA", "emailCA"},
+{7, "Object Signing CA", "objCA"},
+{-1, NULL, NULL}
+};
+
+static BIT_STRING_BITNAME key_usage_type_table[] = {
+{0, "Digital Signature", "digitalSignature"},
+{1, "Non Repudiation", "nonRepudiation"},
+{2, "Key Encipherment", "keyEncipherment"},
+{3, "Data Encipherment", "dataEncipherment"},
+{4, "Key Agreement", "keyAgreement"},
+{5, "Certificate Sign", "keyCertSign"},
+{6, "CRL Sign", "cRLSign"},
+{7, "Encipher Only", "encipherOnly"},
+{8, "Decipher Only", "decipherOnly"},
+{-1, NULL, NULL}
+};
+
+
+
+X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
+X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
+
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+	     ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
+{
+	BIT_STRING_BITNAME *bnam;
+	for(bnam =method->usr_data; bnam->lname; bnam++) {
+		if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) 
+			X509V3_add_value(bnam->lname, NULL, &ret);
+	}
+	return ret;
+}
+	
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	CONF_VALUE *val;
+	ASN1_BIT_STRING *bs;
+	int i;
+	BIT_STRING_BITNAME *bnam;
+	if(!(bs = M_ASN1_BIT_STRING_new())) {
+		X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		for(bnam = method->usr_data; bnam->lname; bnam++) {
+			if(!strcmp(bnam->sname, val->name) ||
+				!strcmp(bnam->lname, val->name) ) {
+				ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+				break;
+			}
+		}
+		if(!bnam->lname) {
+			X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+					X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+			X509V3_conf_err(val);
+			M_ASN1_BIT_STRING_free(bs);
+			return NULL;
+		}
+	}
+	return bs;
+}
+	
+
diff --git a/crypto/openssl/crypto/x509v3/v3_conf.c b/crypto/openssl/crypto/x509v3/v3_conf.c
new file mode 100644
index 0000000..b2f0301
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_conf.c
@@ -0,0 +1,390 @@
+/* v3_conf.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* extension creation utilities */
+
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static int v3_check_critical(char **value);
+static int v3_check_generic(char **value);
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
+static char *conf_lhash_get_string(void *db, char *section, char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+						 int crit, void *ext_struc);
+/* LHASH *conf:  Config file    */
+/* char *name:  Name    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+	     char *value)
+{
+	int crit;
+	int ext_type;
+	X509_EXTENSION *ret;
+	crit = v3_check_critical(&value);
+	if((ext_type = v3_check_generic(&value))) 
+		return v3_generic_extension(name, value, crit, ext_type);
+	ret = do_ext_conf(conf, ctx, OBJ_sn2nid(name), crit, value);
+	if(!ret) {
+		X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
+		ERR_add_error_data(4,"name=", name, ", value=", value);
+	}
+	return ret;
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+	     char *value)
+{
+	int crit;
+	int ext_type;
+	crit = v3_check_critical(&value);
+	if((ext_type = v3_check_generic(&value))) 
+		return v3_generic_extension(OBJ_nid2sn(ext_nid),
+							 value, crit, ext_type);
+	return do_ext_conf(conf, ctx, ext_nid, crit, value);
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+	     int crit, char *value)
+{
+	X509V3_EXT_METHOD *method;
+	X509_EXTENSION *ext;
+	STACK_OF(CONF_VALUE) *nval;
+	void *ext_struc;
+	if(ext_nid == NID_undef) {
+		X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
+		return NULL;
+	}
+	if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+		X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
+		return NULL;
+	}
+	/* Now get internal extension representation based on type */
+	if(method->v2i) {
+		if(*value == '@') nval = CONF_get_section(conf, value + 1);
+		else nval = X509V3_parse_list(value);
+		if(!nval) {
+			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
+			ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
+			return NULL;
+		}
+		ext_struc = method->v2i(method, ctx, nval);
+		if(*value != '@') sk_CONF_VALUE_pop_free(nval,
+							 X509V3_conf_free);
+		if(!ext_struc) return NULL;
+	} else if(method->s2i) {
+		if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
+	} else if(method->r2i) {
+		if(!ctx->db) {
+			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+			return NULL;
+		}
+		if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
+	} else {
+		X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+		ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
+		return NULL;
+	}
+
+	ext  = do_ext_i2d(method, ext_nid, crit, ext_struc);
+	method->ext_free(ext_struc);
+	return ext;
+
+}
+
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+						 int crit, void *ext_struc)
+{
+	unsigned char *ext_der, *p;
+	int ext_len;
+	ASN1_OCTET_STRING *ext_oct;
+	X509_EXTENSION *ext;
+	/* Convert internal representation to DER */
+	ext_len = method->i2d(ext_struc, NULL);
+	if(!(ext_der = Malloc(ext_len))) goto merr;
+	p = ext_der;
+	method->i2d(ext_struc, &p);
+	if(!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
+	ext_oct->data = ext_der;
+	ext_oct->length = ext_len;
+	
+	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
+	if(!ext) goto merr;
+	M_ASN1_OCTET_STRING_free(ext_oct);
+
+	return ext;
+
+	merr:
+	X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
+	return NULL;
+
+}
+
+/* Given an internal structure, nid and critical flag create an extension */
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
+{
+	X509V3_EXT_METHOD *method;
+	if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+		X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
+		return NULL;
+	}
+	return do_ext_i2d(method, ext_nid, crit, ext_struc);
+}
+
+/* Check the extension string for critical flag */
+static int v3_check_critical(char **value)
+{
+	char *p = *value;
+	if((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
+	p+=9;
+	while(isspace((unsigned char)*p)) p++;
+	*value = p;
+	return 1;
+}
+
+/* Check extension string for generic extension and return the type */
+static int v3_check_generic(char **value)
+{
+	char *p = *value;
+	if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+	p+=4;
+	while(isspace((unsigned char)*p)) p++;
+	*value = p;
+	return 1;
+}
+
+/* Create a generic extension: for now just handle DER type */
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
+	     int crit, int type)
+{
+unsigned char *ext_der=NULL;
+long ext_len;
+ASN1_OBJECT *obj=NULL;
+ASN1_OCTET_STRING *oct=NULL;
+X509_EXTENSION *extension=NULL;
+if(!(obj = OBJ_txt2obj(ext, 0))) {
+	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
+	ERR_add_error_data(2, "name=", ext);
+	goto err;
+}
+
+if(!(ext_der = string_to_hex(value, &ext_len))) {
+	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
+	ERR_add_error_data(2, "value=", value);
+	goto err;
+}
+
+if(!(oct = M_ASN1_OCTET_STRING_new())) {
+	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
+	goto err;
+}
+
+oct->data = ext_der;
+oct->length = ext_len;
+ext_der = NULL;
+
+extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
+
+err:
+ASN1_OBJECT_free(obj);
+M_ASN1_OCTET_STRING_free(oct);
+if(ext_der) Free(ext_der);
+return extension;
+}
+
+
+/* This is the main function: add a bunch of extensions based on a config file
+ * section
+ */
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+	     X509 *cert)
+{
+	X509_EXTENSION *ext;
+	STACK_OF(CONF_VALUE) *nval;
+	CONF_VALUE *val;	
+	int i;
+	if(!(nval = CONF_get_section(conf, section))) return 0;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+								return 0;
+		if(cert) X509_add_ext(cert, ext, -1);
+		X509_EXTENSION_free(ext);
+	}
+	return 1;
+}
+
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+	     X509_CRL *crl)
+{
+	X509_EXTENSION *ext;
+	STACK_OF(CONF_VALUE) *nval;
+	CONF_VALUE *val;	
+	int i;
+	if(!(nval = CONF_get_section(conf, section))) return 0;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+								return 0;
+		if(crl) X509_CRL_add_ext(crl, ext, -1);
+		X509_EXTENSION_free(ext);
+	}
+	return 1;
+}
+
+/* Add extensions to certificate request */
+
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+	     X509_REQ *req)
+{
+	X509_EXTENSION *ext;
+	STACK_OF(X509_EXTENSION) *extlist = NULL;
+	STACK_OF(CONF_VALUE) *nval;
+	CONF_VALUE *val;	
+	int i;
+	if(!(nval = CONF_get_section(conf, section))) return 0;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+								return 0;
+		if(!extlist) extlist = sk_X509_EXTENSION_new_null();
+		sk_X509_EXTENSION_push(extlist, ext);
+	}
+	if(req) i = X509_REQ_add_extensions(req, extlist);
+	else i = 1;
+	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
+	return i;
+}
+
+/* Config database functions */
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
+{
+	if(ctx->db_meth->get_string)
+			return ctx->db_meth->get_string(ctx->db, name, section);
+	return NULL;
+}
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
+{
+	if(ctx->db_meth->get_section)
+			return ctx->db_meth->get_section(ctx->db, section);
+	return NULL;
+}
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str)
+{
+	if(!str) return;
+	if(ctx->db_meth->free_string)
+			ctx->db_meth->free_string(ctx->db, str);
+}
+
+void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
+{
+	if(!section) return;
+	if(ctx->db_meth->free_section)
+			ctx->db_meth->free_section(ctx->db, section);
+}
+
+static char *conf_lhash_get_string(void *db, char *section, char *value)
+{
+	return CONF_get_string(db, section, value);
+}
+
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
+{
+	return CONF_get_section(db, section);
+}
+
+static X509V3_CONF_METHOD conf_lhash_method = {
+conf_lhash_get_string,
+conf_lhash_get_section,
+NULL,
+NULL
+};
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
+{
+	ctx->db_meth = &conf_lhash_method;
+	ctx->db = lhash;
+}
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+	     X509_CRL *crl, int flags)
+{
+	ctx->issuer_cert = issuer;
+	ctx->subject_cert = subj;
+	ctx->crl = crl;
+	ctx->subject_req = req;
+	ctx->flags = flags;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c
new file mode 100644
index 0000000..466713b
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_cpols.c
@@ -0,0 +1,655 @@
+/* v3_cpols.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Certificate policies extension support: this one is a bit complex... */
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
+static void print_notice(BIO *out, USERNOTICE *notice, int indent);
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+				 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+					STACK_OF(CONF_VALUE) *unot, int ia5org);
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos);
+
+X509V3_EXT_METHOD v3_cpols = {
+NID_certificate_policies, 0,
+(X509V3_EXT_NEW)CERTIFICATEPOLICIES_new,
+(X509V3_EXT_FREE)CERTIFICATEPOLICIES_free,
+(X509V3_EXT_D2I)d2i_CERTIFICATEPOLICIES,
+(X509V3_EXT_I2D)i2d_CERTIFICATEPOLICIES,
+NULL, NULL,
+NULL, NULL,
+(X509V3_EXT_I2R)i2r_certpol,
+(X509V3_EXT_R2I)r2i_certpol,
+NULL
+};
+
+
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
+		X509V3_CTX *ctx, char *value)
+{
+	STACK_OF(POLICYINFO) *pols = NULL;
+	char *pstr;
+	POLICYINFO *pol;
+	ASN1_OBJECT *pobj;
+	STACK_OF(CONF_VALUE) *vals;
+	CONF_VALUE *cnf;
+	int i, ia5org;
+	pols = sk_POLICYINFO_new_null();
+	vals =  X509V3_parse_list(value);
+	ia5org = 0;
+	for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+		cnf = sk_CONF_VALUE_value(vals, i);
+		if(cnf->value || !cnf->name ) {
+			X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+		pstr = cnf->name;
+		if(!strcmp(pstr,"ia5org")) {
+			ia5org = 1;
+			continue;
+		} else if(*pstr == '@') {
+			STACK_OF(CONF_VALUE) *polsect;
+			polsect = X509V3_get_section(ctx, pstr + 1);
+			if(!polsect) {
+				X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
+
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = policy_section(ctx, polsect, ia5org);
+			X509V3_section_free(ctx, polsect);
+			if(!pol) goto err;
+		} else {
+			if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+				X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = POLICYINFO_new();
+			pol->policyid = pobj;
+		}
+		sk_POLICYINFO_push(pols, pol);
+	}
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	return pols;
+	err:
+	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
+	return NULL;
+}
+
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+				STACK_OF(CONF_VALUE) *polstrs, int ia5org)
+{
+	int i;
+	CONF_VALUE *cnf;
+	POLICYINFO *pol;
+	POLICYQUALINFO *qual;
+	if(!(pol = POLICYINFO_new())) goto merr;
+	for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
+		cnf = sk_CONF_VALUE_value(polstrs, i);
+		if(!strcmp(cnf->name, "policyIdentifier")) {
+			ASN1_OBJECT *pobj;
+			if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
+				X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol->policyid = pobj;
+
+		} else if(!name_cmp(cnf->name, "CPS")) {
+			if(!pol->qualifiers) pol->qualifiers =
+						 sk_POLICYQUALINFO_new_null();
+			if(!(qual = POLICYQUALINFO_new())) goto merr;
+			if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+								 goto merr;
+			qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
+			qual->d.cpsuri = M_ASN1_IA5STRING_new();
+			if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
+						 strlen(cnf->value))) goto merr;
+		} else if(!name_cmp(cnf->name, "userNotice")) {
+			STACK_OF(CONF_VALUE) *unot;
+			if(*cnf->value != '@') {
+				X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			unot = X509V3_get_section(ctx, cnf->value + 1);
+			if(!unot) {
+				X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
+
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			qual = notice_section(ctx, unot, ia5org);
+			X509V3_section_free(ctx, unot);
+			if(!qual) goto err;
+			if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+								 goto merr;
+		} else {
+			X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
+
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+	}
+	if(!pol->policyid) {
+		X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
+		goto err;
+	}
+
+	return pol;
+
+	merr:
+	X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
+	POLICYINFO_free(pol);
+	return NULL;
+	
+	
+}
+
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+					STACK_OF(CONF_VALUE) *unot, int ia5org)
+{
+	int i;
+	CONF_VALUE *cnf;
+	USERNOTICE *not;
+	POLICYQUALINFO *qual;
+	if(!(qual = POLICYQUALINFO_new())) goto merr;
+	qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+	if(!(not = USERNOTICE_new())) goto merr;
+	qual->d.usernotice = not;
+	for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
+		cnf = sk_CONF_VALUE_value(unot, i);
+		if(!strcmp(cnf->name, "explicitText")) {
+			not->exptext = M_ASN1_VISIBLESTRING_new();
+			if(!ASN1_STRING_set(not->exptext, cnf->value,
+						 strlen(cnf->value))) goto merr;
+		} else if(!strcmp(cnf->name, "organization")) {
+			NOTICEREF *nref;
+			if(!not->noticeref) {
+				if(!(nref = NOTICEREF_new())) goto merr;
+				not->noticeref = nref;
+			} else nref = not->noticeref;
+			if(ia5org) nref->organization = M_ASN1_IA5STRING_new();
+			else nref->organization = M_ASN1_VISIBLESTRING_new();
+			if(!ASN1_STRING_set(nref->organization, cnf->value,
+						 strlen(cnf->value))) goto merr;
+		} else if(!strcmp(cnf->name, "noticeNumbers")) {
+			NOTICEREF *nref;
+			STACK_OF(CONF_VALUE) *nos;
+			if(!not->noticeref) {
+				if(!(nref = NOTICEREF_new())) goto merr;
+				not->noticeref = nref;
+			} else nref = not->noticeref;
+			nos = X509V3_parse_list(cnf->value);
+			if(!nos || !sk_CONF_VALUE_num(nos)) {
+				X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			nref->noticenos = nref_nos(nos);
+			sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
+			if(!nref->noticenos) goto err;
+		} else {
+			X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
+
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+	}
+
+	if(not->noticeref && 
+	      (!not->noticeref->noticenos || !not->noticeref->organization)) {
+			X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
+			goto err;
+	}
+
+	return qual;
+
+	merr:
+	X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
+	POLICYQUALINFO_free(qual);
+	return NULL;
+}
+
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos)
+{
+	STACK *nnums;
+	CONF_VALUE *cnf;
+	ASN1_INTEGER *aint;
+	int i;
+	if(!(nnums = sk_new_null())) goto merr;
+	for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
+		cnf = sk_CONF_VALUE_value(nos, i);
+		if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+			X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
+			goto err;
+		}
+		if(!sk_push(nnums, (char *)aint)) goto merr;
+	}
+	return nnums;
+
+	merr:
+	X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
+	sk_pop_free(nnums, ASN1_STRING_free);
+	return NULL;
+}
+
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
+		BIO *out, int indent)
+{
+	int i;
+	POLICYINFO *pinfo;
+	/* First print out the policy OIDs */
+	for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
+		pinfo = sk_POLICYINFO_value(pol, i);
+		BIO_printf(out, "%*sPolicy: ", indent, "");
+		i2a_ASN1_OBJECT(out, pinfo->policyid);
+		BIO_puts(out, "\n");
+		if(pinfo->qualifiers)
+			 print_qualifiers(out, pinfo->qualifiers, indent + 2);
+	}
+	return 1;
+}
+
+
+int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_POLICYINFO(a, pp, i2d_POLICYINFO, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void)
+{
+	return sk_POLICYINFO_new_null();
+}
+
+void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a)
+{
+	sk_POLICYINFO_pop_free(a, POLICYINFO_free);
+}
+
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a,
+		unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_POLICYINFO(a, pp, length, d2i_POLICYINFO,
+                         POLICYINFO_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(POLICYINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYINFO)
+
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->policyid, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+							 i2d_POLICYQUALINFO);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->policyid, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+							 i2d_POLICYQUALINFO);
+
+	M_ASN1_I2D_finish();
+}
+
+POLICYINFO *POLICYINFO_new(void)
+{
+	POLICYINFO *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, POLICYINFO);
+	ret->policyid = NULL;
+	ret->qualifiers = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_POLICYINFO_NEW);
+}
+
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp,long length)
+{
+	M_ASN1_D2I_vars(a,POLICYINFO *,POLICYINFO_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->policyid, d2i_ASN1_OBJECT);
+	if(!M_ASN1_D2I_end_sequence()) {
+		M_ASN1_D2I_get_seq_type (POLICYQUALINFO, ret->qualifiers,
+				 d2i_POLICYQUALINFO, POLICYQUALINFO_free);
+	}
+	M_ASN1_D2I_Finish(a, POLICYINFO_free, ASN1_F_D2I_POLICYINFO);
+}
+
+void POLICYINFO_free(POLICYINFO *a)
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->policyid);
+	sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
+	Free (a);
+}
+
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
+		int indent)
+{
+	POLICYQUALINFO *qualinfo;
+	int i;
+	for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
+		qualinfo = sk_POLICYQUALINFO_value(quals, i);
+		switch(OBJ_obj2nid(qualinfo->pqualid))
+		{
+			case NID_id_qt_cps:
+			BIO_printf(out, "%*sCPS: %s\n", indent, "",
+						qualinfo->d.cpsuri->data);
+			break;
+		
+			case NID_id_qt_unotice:
+			BIO_printf(out, "%*sUser Notice:\n", indent, "");
+			print_notice(out, qualinfo->d.usernotice, indent + 2);
+			break;
+
+			default:
+			BIO_printf(out, "%*sUnknown Qualifier: ",
+							 indent + 2, "");
+			
+			i2a_ASN1_OBJECT(out, qualinfo->pqualid);
+			BIO_puts(out, "\n");
+			break;
+		}
+	}
+}
+
+static void print_notice(BIO *out, USERNOTICE *notice, int indent)
+{
+	int i;
+	if(notice->noticeref) {
+		NOTICEREF *ref;
+		ref = notice->noticeref;
+		BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+						 ref->organization->data);
+		BIO_printf(out, "%*sNumber%s: ", indent, "",
+				 (sk_num(ref->noticenos) > 1) ? "s" : "");
+		for(i = 0; i < sk_num(ref->noticenos); i++) {
+			ASN1_INTEGER *num;
+			char *tmp;
+			num = (ASN1_INTEGER *)sk_value(ref->noticenos, i);
+			if(i) BIO_puts(out, ", ");
+			tmp = i2s_ASN1_INTEGER(NULL, num);
+			BIO_puts(out, tmp);
+			Free(tmp);
+		}
+		BIO_puts(out, "\n");
+	}
+	if(notice->exptext)
+		BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+							 notice->exptext->data);
+}
+		
+	
+
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->pqualid, i2d_ASN1_OBJECT);
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_I2D_len(a->d.cpsuri, i2d_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_I2D_len(a->d.usernotice, i2d_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_I2D_len(a->d.other, i2d_ASN1_TYPE);
+		break;
+	}
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->pqualid, i2d_ASN1_OBJECT);
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_I2D_put(a->d.cpsuri, i2d_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_I2D_put(a->d.usernotice, i2d_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_I2D_put(a->d.other, i2d_ASN1_TYPE);
+		break;
+	}
+
+	M_ASN1_I2D_finish();
+}
+
+POLICYQUALINFO *POLICYQUALINFO_new(void)
+{
+	POLICYQUALINFO *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, POLICYQUALINFO);
+	ret->pqualid = NULL;
+	ret->d.other = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_POLICYQUALINFO_NEW);
+}
+
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
+		long length)
+{
+	M_ASN1_D2I_vars(a,POLICYQUALINFO *,POLICYQUALINFO_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->pqualid, d2i_ASN1_OBJECT);
+	switch(OBJ_obj2nid(ret->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_D2I_get(ret->d.cpsuri, d2i_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_D2I_get(ret->d.usernotice, d2i_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_D2I_get(ret->d.other, d2i_ASN1_TYPE);
+		break;
+	}
+	M_ASN1_D2I_Finish(a, POLICYQUALINFO_free, ASN1_F_D2I_POLICYQUALINFO);
+}
+
+void POLICYQUALINFO_free(POLICYQUALINFO *a)
+{
+	if (a == NULL) return;
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_IA5STRING_free(a->d.cpsuri);
+		break;
+
+		case NID_id_qt_unotice:
+		USERNOTICE_free(a->d.usernotice);
+		break;
+
+		default:
+		ASN1_TYPE_free(a->d.other);
+		break;
+	}
+	
+	ASN1_OBJECT_free(a->pqualid);
+	Free (a);
+}
+
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->noticeref, i2d_NOTICEREF);
+	M_ASN1_I2D_len (a->exptext, i2d_DISPLAYTEXT);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->noticeref, i2d_NOTICEREF);
+	M_ASN1_I2D_put (a->exptext, i2d_DISPLAYTEXT);
+
+	M_ASN1_I2D_finish();
+}
+
+USERNOTICE *USERNOTICE_new(void)
+{
+	USERNOTICE *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, USERNOTICE);
+	ret->noticeref = NULL;
+	ret->exptext = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_USERNOTICE_NEW);
+}
+
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp,long length)
+{
+	M_ASN1_D2I_vars(a,USERNOTICE *,USERNOTICE_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_opt(ret->noticeref, d2i_NOTICEREF, V_ASN1_SEQUENCE);
+	if (!M_ASN1_D2I_end_sequence()) {
+		M_ASN1_D2I_get(ret->exptext, d2i_DISPLAYTEXT);
+	}
+	M_ASN1_D2I_Finish(a, USERNOTICE_free, ASN1_F_D2I_USERNOTICE);
+}
+
+void USERNOTICE_free(USERNOTICE *a)
+{
+	if (a == NULL) return;
+	NOTICEREF_free(a->noticeref);
+	M_DISPLAYTEXT_free(a->exptext);
+	Free (a);
+}
+
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
+	M_ASN1_I2D_len_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
+	M_ASN1_I2D_put_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_finish();
+}
+
+NOTICEREF *NOTICEREF_new(void)
+{
+	NOTICEREF *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, NOTICEREF);
+	ret->organization = NULL;
+	ret->noticenos = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_NOTICEREF_NEW);
+}
+
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
+{
+	M_ASN1_D2I_vars(a,NOTICEREF *,NOTICEREF_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	/* This is to cope with some broken encodings that use IA5STRING for
+         * the organization field
+	 */
+	M_ASN1_D2I_get_opt(ret->organization, d2i_ASN1_IA5STRING,
+							 V_ASN1_IA5STRING);
+	if(!ret->organization) {
+		 M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
+	}
+	M_ASN1_D2I_get_seq(ret->noticenos, d2i_ASN1_INTEGER, ASN1_STRING_free);
+	M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
+}
+
+void NOTICEREF_free(NOTICEREF *a)
+{
+	if (a == NULL) return;
+	M_DISPLAYTEXT_free(a->organization);
+	sk_pop_free(a->noticenos, ASN1_STRING_free);
+	Free (a);
+}
+
+IMPLEMENT_STACK_OF(POLICYQUALINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYQUALINFO)
diff --git a/crypto/openssl/crypto/x509v3/v3_crld.c b/crypto/openssl/crypto/x509v3/v3_crld.c
new file mode 100644
index 0000000..e459d25
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_crld.c
@@ -0,0 +1,285 @@
+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+		STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+(X509V3_EXT_FREE)CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+(X509V3_EXT_I2D)i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+			STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+{
+	DIST_POINT *point;
+	int i;
+	for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+		point = sk_DIST_POINT_value(crld, i);
+		if(point->distpoint->fullname) {
+			exts = i2v_GENERAL_NAMES(NULL,
+					 point->distpoint->fullname, exts);
+		}
+		if(point->reasons) 
+			X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+		if(point->CRLissuer)
+			X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+		if(point->distpoint->relativename)
+		        X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+	}
+	return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	STACK_OF(DIST_POINT) *crld = NULL;
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	GENERAL_NAME *gen = NULL;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		DIST_POINT *point;
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+		if(!(gens = GENERAL_NAMES_new())) goto merr;
+		if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+		gen = NULL;
+		if(!(point = DIST_POINT_new())) goto merr;
+		if(!sk_DIST_POINT_push(crld, point)) {
+			DIST_POINT_free(point);
+			goto merr;
+		}
+		if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+		point->distpoint->fullname = gens;
+		gens = NULL;
+	}
+	return crld;
+
+	merr:
+	X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+	err:
+	GENERAL_NAME_free(gen);
+	GENERAL_NAMES_free(gens);
+	sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+	return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+	return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+	sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+		unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+	/* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+	M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+	M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+	M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+	M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+	M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+	M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+	DIST_POINT *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, DIST_POINT);
+	ret->distpoint = NULL;
+	ret->reasons = NULL;
+	ret->CRLissuer = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+	M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+							V_ASN1_BIT_STRING);
+	M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+							V_ASN1_SEQUENCE);
+	M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+	if (a == NULL) return;
+	DIST_POINT_NAME_free(a->distpoint);
+	M_ASN1_BIT_STRING_free(a->reasons);
+	sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+	Free (a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	if(a->fullname) {
+		M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+	} else {
+		M_ASN1_I2D_len_IMP_SET_opt_type(X509_NAME_ENTRY,
+				a->relativename, i2d_X509_NAME_ENTRY, 1);
+	}
+
+	/* Don't want a SEQUENCE so... */
+	if(pp == NULL) return ret;
+	p = *pp;
+
+	if(a->fullname) {
+		M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+	} else {
+		M_ASN1_I2D_put_IMP_SET_opt_type(X509_NAME_ENTRY,
+				a->relativename, i2d_X509_NAME_ENTRY, 1);
+	}
+	M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+	DIST_POINT_NAME *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+	ret->fullname = NULL;
+	ret->relativename = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+	if (a == NULL) return;
+	sk_X509_NAME_ENTRY_pop_free(a->relativename, X509_NAME_ENTRY_free);
+	sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+	Free (a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+	     long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+	
+	if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+		M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+							V_ASN1_SEQUENCE);
+	} else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+		M_ASN1_D2I_get_IMP_set_opt_type (X509_NAME_ENTRY,
+			ret->relativename, d2i_X509_NAME_ENTRY, X509_NAME_ENTRY_free, 1);
+	} else {
+		c.error = ASN1_R_BAD_TAG;
+		goto err;
+	}
+
+	M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_enum.c b/crypto/openssl/crypto/x509v3/v3_enum.c
new file mode 100644
index 0000000..aecfdc8
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_enum.c
@@ -0,0 +1,96 @@
+/* v3_enum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unspecified", "unspecified"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{8, "Remove From CRL", "removeFromCRL"},
+{-1, NULL, NULL}
+};
+
+X509V3_EXT_METHOD v3_crl_reason = { 
+NID_crl_reason, 0,
+(X509V3_EXT_NEW)ASN1_ENUMERATED_new,
+(X509V3_EXT_FREE)ASN1_ENUMERATED_free,
+(X509V3_EXT_D2I)d2i_ASN1_ENUMERATED,
+(X509V3_EXT_I2D)i2d_ASN1_ENUMERATED,
+(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
+(X509V3_EXT_S2I)0,
+NULL, NULL, NULL, NULL, crl_reasons};
+
+
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
+	     ASN1_ENUMERATED *e)
+{
+	ENUMERATED_NAMES *enam;
+	long strval;
+	strval = ASN1_ENUMERATED_get(e);
+	for(enam = method->usr_data; enam->lname; enam++) {
+		if(strval == enam->bitnum) return BUF_strdup(enam->lname);
+	}
+	return i2s_ASN1_ENUMERATED(method, e);
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_extku.c b/crypto/openssl/crypto/x509v3/v3_extku.c
new file mode 100644
index 0000000..e039d21
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_extku.c
@@ -0,0 +1,150 @@
+/* v3_extku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+		STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *extlist);
+X509V3_EXT_METHOD v3_ext_ku = {
+NID_ext_key_usage, 0,
+(X509V3_EXT_NEW)ext_ku_new,
+(X509V3_EXT_FREE)ext_ku_free,
+(X509V3_EXT_D2I)d2i_ext_ku,
+(X509V3_EXT_I2D)i2d_ext_ku,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_ext_ku,
+(X509V3_EXT_V2I)v2i_ext_ku,
+NULL,NULL,
+NULL
+};
+
+STACK_OF(ASN1_OBJECT) *ext_ku_new(void)
+{
+	return sk_ASN1_OBJECT_new_null();
+}
+
+void ext_ku_free(STACK_OF(ASN1_OBJECT) *eku)
+{
+	sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free);
+	return;
+}
+
+int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp)
+{
+	return i2d_ASN1_SET_OF_ASN1_OBJECT(a, pp, i2d_ASN1_OBJECT,
+				V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
+					unsigned char **pp, long length)
+{
+	return d2i_ASN1_SET_OF_ASN1_OBJECT(a, pp, length, d2i_ASN1_OBJECT,
+			 ASN1_OBJECT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+
+
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+		STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *ext_list)
+{
+int i;
+ASN1_OBJECT *obj;
+char obj_tmp[80];
+for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+	obj = sk_ASN1_OBJECT_value(eku, i);
+	i2t_ASN1_OBJECT(obj_tmp, 80, obj);
+	X509V3_add_value(NULL, obj_tmp, &ext_list);
+}
+return ext_list;
+}
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+STACK_OF(ASN1_OBJECT) *extku;
+char *extval;
+ASN1_OBJECT *objtmp;
+CONF_VALUE *val;
+int i;
+
+if(!(extku = sk_ASN1_OBJECT_new(NULL))) {
+	X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
+	return NULL;
+}
+
+for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+	val = sk_CONF_VALUE_value(nval, i);
+	if(val->value) extval = val->value;
+	else extval = val->name;
+	if(!(objtmp = OBJ_txt2obj(extval, 0))) {
+		sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+		X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+		X509V3_conf_err(val);
+		return NULL;
+	}
+	sk_ASN1_OBJECT_push(extku, objtmp);
+}
+return extku;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_genn.c b/crypto/openssl/crypto/x509v3/v3_genn.c
new file mode 100644
index 0000000..894afa7
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_genn.c
@@ -0,0 +1,291 @@
+/* v3_genn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp)
+{
+	unsigned char *p;
+	int ret;
+
+	ret = 0;
+
+	/* Save the location of initial TAG */
+	if(pp) p = *pp;
+	else p = NULL;
+
+	/* GEN_DNAME needs special treatment because of EXPLICIT tag */
+
+	if(a->type == GEN_DIRNAME) {
+		int v = 0;
+		M_ASN1_I2D_len_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+		if(!p) return ret;
+		M_ASN1_I2D_put_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+		*pp = p;
+		return ret;
+	}
+
+	switch(a->type) {
+
+		case GEN_X400:
+		case GEN_EDIPARTY:
+		ret = i2d_ASN1_TYPE(a->d.other, pp);
+		break;
+
+		case GEN_OTHERNAME:
+		ret = i2d_OTHERNAME(a->d.otherName, pp);
+		break;
+
+		case GEN_EMAIL:
+		case GEN_DNS:
+		case GEN_URI:
+		ret = i2d_ASN1_IA5STRING(a->d.ia5, pp);
+		break;
+
+		case GEN_IPADD:
+		ret = i2d_ASN1_OCTET_STRING(a->d.ip, pp);
+		break;
+	
+		case GEN_RID:
+		ret = i2d_ASN1_OBJECT(a->d.rid, pp);
+		break;
+	}
+	/* Replace TAG with IMPLICIT value */
+	if(p) *p = (*p & V_ASN1_CONSTRUCTED) | a->type;
+	return ret;
+}
+
+GENERAL_NAME *GENERAL_NAME_new()
+{
+	GENERAL_NAME *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, GENERAL_NAME);
+	ret->type = -1;
+	ret->d.ptr = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_GENERAL_NAME_NEW);
+}
+
+GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp,
+								 long length)
+{
+	unsigned char _tmp;
+	M_ASN1_D2I_vars(a,GENERAL_NAME *,GENERAL_NAME_new);
+	M_ASN1_D2I_Init();
+	c.slen = length;
+
+	_tmp = M_ASN1_next;
+	ret->type = _tmp & ~V_ASN1_CONSTRUCTED;
+
+	switch(ret->type) {
+		/* Just put these in a "blob" for now */
+		case GEN_X400:
+		case GEN_EDIPARTY:
+		M_ASN1_D2I_get_imp(ret->d.other, d2i_ASN1_TYPE,V_ASN1_SEQUENCE);
+		break;
+
+		case GEN_OTHERNAME:
+		M_ASN1_D2I_get_imp(ret->d.otherName, d2i_OTHERNAME,V_ASN1_SEQUENCE);
+		break;
+
+		case GEN_EMAIL:
+		case GEN_DNS:
+		case GEN_URI:
+		M_ASN1_D2I_get_imp(ret->d.ia5, d2i_ASN1_IA5STRING,
+							V_ASN1_IA5STRING);
+		break;
+
+		case GEN_DIRNAME:
+		M_ASN1_D2I_get_EXP_opt(ret->d.dirn, d2i_X509_NAME, 4);
+		break;
+
+		case GEN_IPADD:
+		M_ASN1_D2I_get_imp(ret->d.ip, d2i_ASN1_OCTET_STRING,
+							V_ASN1_OCTET_STRING);
+		break;
+	
+		case GEN_RID:
+		M_ASN1_D2I_get_imp(ret->d.rid, d2i_ASN1_OBJECT,V_ASN1_OBJECT);
+		break;
+
+		default:
+		c.error = ASN1_R_BAD_TAG;
+		goto err;
+	}
+
+	c.slen = 0;
+	M_ASN1_D2I_Finish(a, GENERAL_NAME_free, ASN1_F_D2I_GENERAL_NAME);
+}
+
+void GENERAL_NAME_free(GENERAL_NAME *a)
+{
+	if (a == NULL) return;
+	switch(a->type) {
+		case GEN_X400:
+		case GEN_EDIPARTY:
+		ASN1_TYPE_free(a->d.other);
+		break;
+
+		case GEN_OTHERNAME:
+		OTHERNAME_free(a->d.otherName);
+		break;
+
+		case GEN_EMAIL:
+		case GEN_DNS:
+		case GEN_URI:
+
+		M_ASN1_IA5STRING_free(a->d.ia5);
+		break;
+
+		case GEN_DIRNAME:
+		X509_NAME_free(a->d.dirn);
+		break;
+
+		case GEN_IPADD:
+		M_ASN1_OCTET_STRING_free(a->d.ip);
+		break;
+	
+		case GEN_RID:
+		ASN1_OBJECT_free(a->d.rid);
+		break;
+
+	}
+	Free (a);
+}
+
+/* Now the GeneralNames versions: a SEQUENCE OF GeneralName. These are needed as
+ * explicit functions.
+ */
+
+STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
+{
+	return sk_GENERAL_NAME_new(NULL);
+}
+
+void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a)
+{
+	sk_GENERAL_NAME_pop_free(a, GENERAL_NAME_free);
+}
+
+STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a,
+					 unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_GENERAL_NAME(a, pp, length, d2i_GENERAL_NAME,
+			 GENERAL_NAME_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_GENERAL_NAME(a, pp, i2d_GENERAL_NAME, V_ASN1_SEQUENCE,
+						 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(GENERAL_NAME)
+IMPLEMENT_ASN1_SET_OF(GENERAL_NAME)
+
+int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->type_id, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->type_id, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
+
+	M_ASN1_I2D_finish();
+}
+
+OTHERNAME *OTHERNAME_new(void)
+{
+	OTHERNAME *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, OTHERNAME);
+	ret->type_id = OBJ_nid2obj(NID_undef);
+	M_ASN1_New(ret->value, ASN1_TYPE_new);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_OTHERNAME_NEW);
+}
+
+OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,OTHERNAME *,OTHERNAME_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->type_id, d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get_EXP_opt(ret->value, d2i_ASN1_TYPE, 0);
+	M_ASN1_D2I_Finish(a, OTHERNAME_free, ASN1_F_D2I_OTHERNAME);
+}
+
+void OTHERNAME_free(OTHERNAME *a)
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->type_id);
+	ASN1_TYPE_free(a->value);
+	Free (a);
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_ia5.c b/crypto/openssl/crypto/x509v3/v3_ia5.c
new file mode 100644
index 0000000..af3525f
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_ia5.c
@@ -0,0 +1,113 @@
+/* v3_ia5.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_ns_ia5_list[] = { 
+EXT_IA5STRING(NID_netscape_base_url),
+EXT_IA5STRING(NID_netscape_revocation_url),
+EXT_IA5STRING(NID_netscape_ca_revocation_url),
+EXT_IA5STRING(NID_netscape_renewal_url),
+EXT_IA5STRING(NID_netscape_ca_policy_url),
+EXT_IA5STRING(NID_netscape_ssl_server_name),
+EXT_IA5STRING(NID_netscape_comment),
+EXT_END
+};
+
+
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+	     ASN1_IA5STRING *ia5)
+{
+	char *tmp;
+	if(!ia5 || !ia5->length) return NULL;
+	tmp = Malloc(ia5->length + 1);
+	memcpy(tmp, ia5->data, ia5->length);
+	tmp[ia5->length] = 0;
+	return tmp;
+}
+
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, char *str)
+{
+	ASN1_IA5STRING *ia5;
+	if(!str) {
+		X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+	if(!(ia5 = M_ASN1_IA5STRING_new())) goto err;
+	if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
+			    strlen(str))) {
+		M_ASN1_IA5STRING_free(ia5);
+		goto err;
+	}
+#ifdef CHARSET_EBCDIC
+        ebcdic2ascii(ia5->data, ia5->data, ia5->length);
+#endif /*CHARSET_EBCDIC*/
+	return ia5;
+	err:
+	X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+	return NULL;
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_info.c b/crypto/openssl/crypto/x509v3/v3_info.c
new file mode 100644
index 0000000..78d2135
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_info.c
@@ -0,0 +1,236 @@
+/* v3_info.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+				STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+						STACK_OF(CONF_VALUE) *ret);
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_info =
+{ NID_info_access, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_INFO_ACCESS_new,
+(X509V3_EXT_FREE)AUTHORITY_INFO_ACCESS_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_I2D)i2d_AUTHORITY_INFO_ACCESS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+NULL, NULL, NULL};
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+				STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+						STACK_OF(CONF_VALUE) *ret)
+{
+	ACCESS_DESCRIPTION *desc;
+	int i;
+	char objtmp[80], *ntmp;
+	CONF_VALUE *vtmp;
+	for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
+		desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
+		ret = i2v_GENERAL_NAME(method, desc->location, ret);
+		if(!ret) break;
+		vtmp = sk_CONF_VALUE_value(ret, i);
+		i2t_ASN1_OBJECT(objtmp, 80, desc->method);
+		ntmp = Malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+		if(!ntmp) {
+			X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
+					ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+		strcpy(ntmp, objtmp);
+		strcat(ntmp, " - ");
+		strcat(ntmp, vtmp->name);
+		Free(vtmp->name);
+		vtmp->name = ntmp;
+		
+	}
+	if(!ret) return sk_CONF_VALUE_new_null();
+	return ret;
+}
+
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	STACK_OF(ACCESS_DESCRIPTION) *ainfo = NULL;
+	CONF_VALUE *cnf, ctmp;
+	ACCESS_DESCRIPTION *acc;
+	int i, objlen;
+	char *objtmp, *ptmp;
+	if(!(ainfo = sk_ACCESS_DESCRIPTION_new(NULL))) {
+		X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!(acc = ACCESS_DESCRIPTION_new())
+			|| !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
+			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		ptmp = strchr(cnf->name, ';');
+		if(!ptmp) {
+			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX);
+			goto err;
+		}
+		objlen = ptmp - cnf->name;
+		ctmp.name = ptmp + 1;
+		ctmp.value = cnf->value;
+		if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
+								 goto err; 
+		if(!(objtmp = Malloc(objlen + 1))) {
+			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		strncpy(objtmp, cnf->name, objlen);
+		objtmp[objlen] = 0;
+		acc->method = OBJ_txt2obj(objtmp, 0);
+		if(!acc->method) {
+			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
+			ERR_add_error_data(2, "value=", objtmp);
+			Free(objtmp);
+			goto err;
+		}
+		Free(objtmp);
+
+	}
+	return ainfo;
+	err:
+	sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
+	return NULL;
+}
+
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->method, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len(a->location, i2d_GENERAL_NAME);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->method, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put(a->location, i2d_GENERAL_NAME);
+
+	M_ASN1_I2D_finish();
+}
+
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void)
+{
+	ACCESS_DESCRIPTION *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, ACCESS_DESCRIPTION);
+	ret->method = OBJ_nid2obj(NID_undef);
+	ret->location = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_ACCESS_DESCRIPTION_NEW);
+}
+
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
+	     long length)
+{
+	M_ASN1_D2I_vars(a,ACCESS_DESCRIPTION *,ACCESS_DESCRIPTION_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->method, d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get(ret->location, d2i_GENERAL_NAME);
+	M_ASN1_D2I_Finish(a, ACCESS_DESCRIPTION_free, ASN1_F_D2I_ACCESS_DESCRIPTION);
+}
+
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->method);
+	GENERAL_NAME_free(a->location);
+	Free (a);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void)
+{
+	return sk_ACCESS_DESCRIPTION_new(NULL);
+}
+
+void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a)
+{
+	sk_ACCESS_DESCRIPTION_pop_free(a, ACCESS_DESCRIPTION_free);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
+					 unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, length, d2i_ACCESS_DESCRIPTION,
+			 ACCESS_DESCRIPTION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, i2d_ACCESS_DESCRIPTION, V_ASN1_SEQUENCE,
+						 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(ACCESS_DESCRIPTION)
+IMPLEMENT_ASN1_SET_OF(ACCESS_DESCRIPTION)
+
+
diff --git a/crypto/openssl/crypto/x509v3/v3_int.c b/crypto/openssl/crypto/x509v3/v3_int.c
new file mode 100644
index 0000000..63c201e
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_int.c
@@ -0,0 +1,72 @@
+/* v3_int.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+X509V3_EXT_METHOD v3_crl_num = { 
+NID_crl_number, 0,
+(X509V3_EXT_NEW)ASN1_INTEGER_new,
+(X509V3_EXT_FREE)ASN1_INTEGER_free,
+(X509V3_EXT_D2I)d2i_ASN1_INTEGER,
+(X509V3_EXT_I2D)i2d_ASN1_INTEGER,
+(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+(X509V3_EXT_S2I)0,
+NULL, NULL, NULL, NULL, NULL};
+
diff --git a/crypto/openssl/crypto/x509v3/v3_lib.c b/crypto/openssl/crypto/x509v3/v3_lib.c
new file mode 100644
index 0000000..4242d13
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_lib.c
@@ -0,0 +1,221 @@
+/* v3_lib.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+#include "ext_dat.h"
+
+static STACK *ext_list = NULL;
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b);
+static void ext_list_free(X509V3_EXT_METHOD *ext);
+
+int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+	if(!ext_list && !(ext_list = sk_new(ext_cmp))) {
+		X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if(!sk_push(ext_list, (char *)ext)) {
+		X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	return 1;
+}
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b)
+{
+	return ((*a)->ext_nid - (*b)->ext_nid);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+{
+	X509V3_EXT_METHOD tmp, *t = &tmp, **ret;
+	int idx;
+	if(nid < 0) return NULL;
+	tmp.ext_nid = nid;
+	ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
+			(char *)standard_exts, STANDARD_EXTENSION_COUNT,
+			sizeof(X509V3_EXT_METHOD *), (int (*)())ext_cmp);
+	if(ret) return *ret;
+	if(!ext_list) return NULL;
+	idx = sk_find(ext_list, (char *)&tmp);
+	if(idx == -1) return NULL;
+	return (X509V3_EXT_METHOD *)sk_value(ext_list, idx);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+{
+	int nid;
+	if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
+	return X509V3_EXT_get_nid(nid);
+}
+
+
+int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+	for(;extlist->ext_nid!=-1;extlist++) 
+			if(!X509V3_EXT_add(extlist)) return 0;
+	return 1;
+}
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+	X509V3_EXT_METHOD *ext, *tmpext;
+	if(!(ext = X509V3_EXT_get_nid(nid_from))) {
+		X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
+		return 0;
+	}
+	if(!(tmpext = (X509V3_EXT_METHOD *)Malloc(sizeof(X509V3_EXT_METHOD)))) {
+		X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	*tmpext = *ext;
+	tmpext->ext_nid = nid_to;
+	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
+	return X509V3_EXT_add(tmpext);
+}
+
+void X509V3_EXT_cleanup(void)
+{
+	sk_pop_free(ext_list, ext_list_free);
+	ext_list = NULL;
+}
+
+static void ext_list_free(X509V3_EXT_METHOD *ext)
+{
+	if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
+}
+
+/* Legacy function: we don't need to add standard extensions
+ * any more because they are now kept in ext_dat.h.
+ */
+
+int X509V3_add_standard_extensions(void)
+{
+	return 1;
+}
+
+/* Return an extension internal structure */
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext)
+{
+	X509V3_EXT_METHOD *method;
+	unsigned char *p;
+	if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
+	p = ext->value->data;
+	return method->d2i(NULL, &p, ext->value->length);
+}
+
+/* Get critical flag and decoded version of extension from a NID.
+ * The "idx" variable returns the last found extension and can
+ * be used to retrieve multiple extensions of the same NID.
+ * However multiple extensions with the same NID is usually
+ * due to a badly encoded certificate so if idx is NULL we
+ * choke if multiple extensions exist.
+ * The "crit" variable is set to the critical value.
+ * The return value is the decoded extension or NULL on
+ * error. The actual error can have several different causes,
+ * the value of *crit reflects the cause:
+ * >= 0, extension found but not decoded (reflects critical value).
+ * -1 extension not found.
+ * -2 extension occurs more than once.
+ */
+
+void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
+{
+	int lastpos, i;
+	X509_EXTENSION *ex, *found_ex = NULL;
+	if(!x) {
+		if(idx) *idx = -1;
+		if(crit) *crit = -1;
+		return NULL;
+	}
+	if(idx) lastpos = *idx + 1;
+	else lastpos = 0;
+	if(lastpos < 0) lastpos = 0;
+	for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
+	{
+		ex = sk_X509_EXTENSION_value(x, i);
+		if(OBJ_obj2nid(ex->object) == nid) {
+			if(idx) {
+				*idx = i;
+				break;
+			} else if(found_ex) {
+				/* Found more than one */
+				if(crit) *crit = -2;
+				return NULL;
+			}
+			found_ex = ex;
+		}
+	}
+	if(found_ex) {
+		/* Found it */
+		if(crit) *crit = found_ex->critical;
+		return X509V3_EXT_d2i(found_ex);
+	}
+	
+	/* Extension not found */
+	if(idx) *idx = -1;
+	if(crit) *crit = -1;
+	return NULL;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_pku.c b/crypto/openssl/crypto/x509v3/v3_pku.c
new file mode 100644
index 0000000..30a62c6
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_pku.c
@@ -0,0 +1,151 @@
+/* v3_pku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+*/
+X509V3_EXT_METHOD v3_pkey_usage_period = {
+NID_private_key_usage_period, 0,
+(X509V3_EXT_NEW)PKEY_USAGE_PERIOD_new,
+(X509V3_EXT_FREE)PKEY_USAGE_PERIOD_free,
+(X509V3_EXT_D2I)d2i_PKEY_USAGE_PERIOD,
+(X509V3_EXT_I2D)i2d_PKEY_USAGE_PERIOD,
+NULL, NULL, NULL, NULL,
+(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
+NULL
+};
+
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME);
+	M_ASN1_I2D_len_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME, 0);
+	M_ASN1_I2D_put_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME, 1);
+
+	M_ASN1_I2D_finish();
+}
+
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void)
+{
+	PKEY_USAGE_PERIOD *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, PKEY_USAGE_PERIOD);
+	ret->notBefore = NULL;
+	ret->notAfter = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_PKEY_USAGE_PERIOD_NEW);
+}
+
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a,
+	     unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,PKEY_USAGE_PERIOD *,PKEY_USAGE_PERIOD_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_IMP_opt (ret->notBefore, d2i_ASN1_GENERALIZEDTIME, 0,
+							V_ASN1_GENERALIZEDTIME);
+	M_ASN1_D2I_get_IMP_opt (ret->notAfter, d2i_ASN1_GENERALIZEDTIME, 1,
+							V_ASN1_GENERALIZEDTIME);
+	M_ASN1_D2I_Finish(a, PKEY_USAGE_PERIOD_free, ASN1_F_D2I_PKEY_USAGE_PERIOD);
+}
+
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
+{
+	if (a == NULL) return;
+	M_ASN1_GENERALIZEDTIME_free(a->notBefore);
+	M_ASN1_GENERALIZEDTIME_free(a->notAfter);
+	Free (a);
+}
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
+	     PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
+{
+	BIO_printf(out, "%*s", indent, "");
+	if(usage->notBefore) {
+		BIO_write(out, "Not Before: ", 12);
+		ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
+		if(usage->notAfter) BIO_write(out, ", ", 2);
+	}
+	if(usage->notAfter) {
+		BIO_write(out, "Not After: ", 11);
+		ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
+	}
+	return 1;
+}
+
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+STACK_OF(CONF_VALUE) *values;
+{
+return NULL;
+}
+*/
diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c
new file mode 100644
index 0000000..bee624c
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_prn.c
@@ -0,0 +1,151 @@
+/* v3_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+/* Extension printing routines */
+
+/* Print out a name+value stack */
+
+void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
+{
+	int i;
+	CONF_VALUE *nval;
+	if(!val) return;
+	if(!ml || !sk_CONF_VALUE_num(val)) {
+		BIO_printf(out, "%*s", indent, "");
+		if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
+		if(ml) BIO_printf(out, "%*s", indent, "");
+		else if(i > 0) BIO_printf(out, ", ");
+		nval = sk_CONF_VALUE_value(val, i);
+		if(!nval->name) BIO_puts(out, nval->value);
+		else if(!nval->value) BIO_puts(out, nval->name);
+#ifndef CHARSET_EBCDIC
+		else BIO_printf(out, "%s:%s", nval->name, nval->value);
+#else
+		else {
+			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
+			ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
+			BIO_printf(out, "%s:%s", nval->name, tmp);
+		}
+#endif
+		if(ml) BIO_puts(out, "\n");
+	}
+}
+
+/* Main routine: print out a general extension */
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
+{
+	char *ext_str = NULL, *value = NULL;
+	unsigned char *p;
+	X509V3_EXT_METHOD *method;	
+	STACK_OF(CONF_VALUE) *nval = NULL;
+	int ok = 1;
+	if(!(method = X509V3_EXT_get(ext))) return 0;
+	p = ext->value->data;
+	if(!(ext_str = method->d2i(NULL, &p, ext->value->length))) return 0;
+	if(method->i2s) {
+		if(!(value = method->i2s(method, ext_str))) {
+			ok = 0;
+			goto err;
+		}
+#ifndef CHARSET_EBCDIC
+		BIO_printf(out, "%*s%s", indent, "", value);
+#else
+		{
+			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
+			ascii2ebcdic(tmp, value, strlen(value)+1);
+			BIO_printf(out, "%*s%s", indent, "", tmp);
+		}
+#endif
+	} else if(method->i2v) {
+		if(!(nval = method->i2v(method, ext_str, NULL))) {
+			ok = 0;
+			goto err;
+		}
+		X509V3_EXT_val_prn(out, nval, indent,
+				 method->ext_flags & X509V3_EXT_MULTILINE);
+	} else if(method->i2r) {
+		if(!method->i2r(method, ext_str, out, indent)) ok = 0;
+	} else ok = 0;
+
+	err:
+		sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+		if(value) Free(value);
+		method->ext_free(ext_str);
+		return ok;
+}
+
+#ifndef NO_FP_API
+int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
+{
+	BIO *bio_tmp;
+	int ret;
+	if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
+	ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
+	BIO_free(bio_tmp);
+	return ret;
+}
+#endif
diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c
new file mode 100644
index 0000000..5594a1d
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_purp.c
@@ -0,0 +1,463 @@
+/* v3_purp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static void x509v3_cache_extensions(X509 *x);
+
+static int ca_check(X509 *x);
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int purpose_smime(X509 *x, int ca);
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);
+static int no_check(X509_PURPOSE *xp, X509 *x, int ca);
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
+static void xptable_free(X509_PURPOSE *p);
+
+static X509_PURPOSE xstandard[] = {
+	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
+	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
+	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
+	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
+	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
+	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
+	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
+};
+
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
+IMPLEMENT_STACK_OF(X509_PURPOSE)
+
+static STACK_OF(X509_PURPOSE) *xptable = NULL;
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
+{
+	return (*a)->purpose - (*b)->purpose;
+}
+
+int X509_check_purpose(X509 *x, int id, int ca)
+{
+	int idx;
+	X509_PURPOSE *pt;
+	if(!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+	if(id == -1) return 1;
+	idx = X509_PURPOSE_get_by_id(id);
+	if(idx == -1) return -1;
+	pt = X509_PURPOSE_get0(idx);
+	return pt->check_purpose(pt, x, ca);
+}
+
+int X509_PURPOSE_get_count(void)
+{
+	if(!xptable) return X509_PURPOSE_COUNT;
+	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
+}
+
+X509_PURPOSE * X509_PURPOSE_get0(int idx)
+{
+	if(idx < 0) return NULL;
+	if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
+}
+
+int X509_PURPOSE_get_by_sname(char *sname)
+{
+	int i;
+	X509_PURPOSE *xptmp;
+	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+		xptmp = X509_PURPOSE_get0(i);
+		if(!strcmp(xptmp->sname, sname)) return i;
+	}
+	return -1;
+}
+
+
+int X509_PURPOSE_get_by_id(int purpose)
+{
+	X509_PURPOSE tmp;
+	int idx;
+	if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+		return purpose - X509_PURPOSE_MIN;
+	tmp.purpose = purpose;
+	if(!xptable) return -1;
+	idx = sk_X509_PURPOSE_find(xptable, &tmp);
+	if(idx == -1) return -1;
+	return idx + X509_PURPOSE_COUNT;
+}
+
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(X509_PURPOSE *, X509 *, int),
+					char *name, char *sname, void *arg)
+{
+	int idx;
+	X509_PURPOSE *ptmp;
+	/* This is set according to what we change: application can't set it */
+	flags &= ~X509_PURPOSE_DYNAMIC;
+	/* This will always be set for application modified trust entries */
+	flags |= X509_PURPOSE_DYNAMIC_NAME;
+	/* Get existing entry if any */
+	idx = X509_PURPOSE_get_by_id(id);
+	/* Need a new entry */
+	if(idx == -1) {
+		if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
+			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		ptmp->flags = X509_PURPOSE_DYNAMIC;
+	} else ptmp = X509_PURPOSE_get0(idx);
+
+	/* Free existing name if dynamic */
+	if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+		Free(ptmp->name);
+		Free(ptmp->sname);
+	}
+	/* dup supplied name */
+	ptmp->name = BUF_strdup(name);
+	ptmp->sname = BUF_strdup(sname);
+	if(!ptmp->name || !ptmp->sname) {
+		X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	/* Keep the dynamic flag of existing entry */
+	ptmp->flags &= X509_PURPOSE_DYNAMIC;
+	/* Set all other flags */
+	ptmp->flags |= flags;
+
+	ptmp->purpose = id;
+	ptmp->trust = trust;
+	ptmp->check_purpose = ck;
+	ptmp->usr_data = arg;
+
+	/* If its a new entry manage the dynamic table */
+	if(idx == -1) {
+		if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
+			X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+static void xptable_free(X509_PURPOSE *p)
+	{
+	if(!p) return;
+	if (p->flags & X509_PURPOSE_DYNAMIC) 
+		{
+		if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
+			Free(p->name);
+			Free(p->sname);
+		}
+		Free(p);
+		}
+	}
+
+void X509_PURPOSE_cleanup(void)
+{
+	int i;
+	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
+	xptable = NULL;
+}
+
+int X509_PURPOSE_get_id(X509_PURPOSE *xp)
+{
+	return xp->purpose;
+}
+
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
+{
+	return xp->name;
+}
+
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
+{
+	return xp->sname;
+}
+
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
+{
+	return xp->trust;
+}
+
+#ifndef NO_SHA
+static void x509v3_cache_extensions(X509 *x)
+{
+	BASIC_CONSTRAINTS *bs;
+	ASN1_BIT_STRING *usage;
+	ASN1_BIT_STRING *ns;
+	STACK_OF(ASN1_OBJECT) *extusage;
+	int i;
+	if(x->ex_flags & EXFLAG_SET) return;
+	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+	/* Does subject name match issuer ? */
+	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+			 x->ex_flags |= EXFLAG_SS;
+	/* V1 should mean no extensions ... */
+	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
+	/* Handle basic constraints */
+	if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+		if(bs->ca) x->ex_flags |= EXFLAG_CA;
+		if(bs->pathlen) {
+			if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
+						|| !bs->ca) {
+				x->ex_flags |= EXFLAG_INVALID;
+				x->ex_pathlen = 0;
+			} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+		} else x->ex_pathlen = -1;
+		BASIC_CONSTRAINTS_free(bs);
+		x->ex_flags |= EXFLAG_BCONS;
+	}
+	/* Handle key usage */
+	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+		if(usage->length > 0) {
+			x->ex_kusage = usage->data[0];
+			if(usage->length > 1) 
+				x->ex_kusage |= usage->data[1] << 8;
+		} else x->ex_kusage = 0;
+		x->ex_flags |= EXFLAG_KUSAGE;
+		ASN1_BIT_STRING_free(usage);
+	}
+	x->ex_xkusage = 0;
+	if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+		x->ex_flags |= EXFLAG_XKUSAGE;
+		for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+			switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
+				case NID_server_auth:
+				x->ex_xkusage |= XKU_SSL_SERVER;
+				break;
+
+				case NID_client_auth:
+				x->ex_xkusage |= XKU_SSL_CLIENT;
+				break;
+
+				case NID_email_protect:
+				x->ex_xkusage |= XKU_SMIME;
+				break;
+
+				case NID_code_sign:
+				x->ex_xkusage |= XKU_CODE_SIGN;
+				break;
+
+				case NID_ms_sgc:
+				case NID_ns_sgc:
+				x->ex_xkusage |= XKU_SGC;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
+	}
+
+	if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+		if(ns->length > 0) x->ex_nscert = ns->data[0];
+		else x->ex_nscert = 0;
+		x->ex_flags |= EXFLAG_NSCERT;
+		ASN1_BIT_STRING_free(ns);
+	}
+	x->ex_flags |= EXFLAG_SET;
+}
+#endif
+
+/* CA checks common to all purposes
+ * return codes:
+ * 0 not a CA
+ * 1 is a CA
+ * 2 basicConstraints absent so "maybe" a CA
+ * 3 basicConstraints absent but self signed V1.
+ */
+
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
+static int ca_check(X509 *x)
+{
+	/* keyUsage if present should allow cert signing */
+	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
+	if(x->ex_flags & EXFLAG_BCONS) {
+		if(x->ex_flags & EXFLAG_CA) return 1;
+		/* If basicConstraints says not a CA then say so */
+		else return 0;
+	} else {
+		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+		else return 2;
+	}
+}
+
+
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
+	if(ca) {
+		int ca_ret;
+		ca_ret = ca_check(x);
+		if(!ca_ret) return 0;
+		/* check nsCertType if present */
+		if(x->ex_flags & EXFLAG_NSCERT) {
+			if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+			return 0;
+		}
+		if(ca_ret != 2) return ca_ret;
+		else return 0;
+	}
+	/* We need to do digital signatures with it */
+	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
+	/* nsCertType if present should allow SSL client use */	
+	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
+	return 1;
+}
+
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
+	/* Otherwise same as SSL client for a CA */
+	if(ca) return check_purpose_ssl_client(xp, x, 1);
+
+	if(ns_reject(x, NS_SSL_SERVER)) return 0;
+	/* Now as for keyUsage: we'll at least need to sign OR encipher */
+	if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
+	
+	return 1;
+
+}
+
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	int ret;
+	ret = check_purpose_ssl_server(xp, x, ca);
+	if(!ret || ca) return ret;
+	/* We need to encipher or Netscape complains */
+	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+	return ret;
+}
+
+/* common S/MIME checks */
+static int purpose_smime(X509 *x, int ca)
+{
+	if(xku_reject(x,XKU_SMIME)) return 0;
+	if(ca) {
+		int ca_ret;
+		ca_ret = ca_check(x);
+		if(!ca_ret) return 0;
+		/* check nsCertType if present */
+		if(x->ex_flags & EXFLAG_NSCERT) {
+			if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
+			return 0;
+		}
+		if(ca_ret != 2) return ca_ret;
+		else return 0;
+	}
+	if(x->ex_flags & EXFLAG_NSCERT) {
+		if(x->ex_nscert & NS_SMIME) return 1;
+		/* Workaround for some buggy certificates */
+		if(x->ex_nscert & NS_SSL_CLIENT) return 2;
+		return 0;
+	}
+	return 1;
+}
+
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	int ret;
+	ret = purpose_smime(x, ca);
+	if(!ret || ca) return ret;
+	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+	return ret;
+}
+
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	int ret;
+	ret = purpose_smime(x, ca);
+	if(!ret || ca) return ret;
+	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+	return ret;
+}
+
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	if(ca) {
+		int ca_ret;
+		if((ca_ret = ca_check(x)) != 2) return ca_ret;
+		else return 0;
+	}
+	if(ku_reject(x, KU_CRL_SIGN)) return 0;
+	return 1;
+}
+
+static int no_check(X509_PURPOSE *xp, X509 *x, int ca)
+{
+	return 1;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_skey.c b/crypto/openssl/crypto/x509v3/v3_skey.c
new file mode 100644
index 0000000..939845f
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_skey.c
@@ -0,0 +1,149 @@
+/* v3_skey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_skey_id = { 
+NID_subject_key_identifier, 0,
+(X509V3_EXT_NEW)ASN1_OCTET_STRING_new,
+(X509V3_EXT_FREE)ASN1_OCTET_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
+(X509V3_EXT_I2D)i2d_ASN1_OCTET_STRING,
+(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
+(X509V3_EXT_S2I)s2i_skey_id,
+NULL, NULL, NULL, NULL, NULL};
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+	     ASN1_OCTET_STRING *oct)
+{
+	return hex_to_string(oct->data, oct->length);
+}
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, char *str)
+{
+	ASN1_OCTET_STRING *oct;
+	long length;
+
+	if(!(oct = M_ASN1_OCTET_STRING_new())) {
+		X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if(!(oct->data = string_to_hex(str, &length))) {
+		M_ASN1_OCTET_STRING_free(oct);
+		return NULL;
+	}
+
+	oct->length = length;
+
+	return oct;
+
+}
+
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, char *str)
+{
+	ASN1_OCTET_STRING *oct;
+	ASN1_BIT_STRING *pk;
+	unsigned char pkey_dig[EVP_MAX_MD_SIZE];
+	EVP_MD_CTX md;
+	unsigned int diglen;
+
+	if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
+
+	if(!(oct = M_ASN1_OCTET_STRING_new())) {
+		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if(ctx && (ctx->flags == CTX_TEST)) return oct;
+
+	if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
+		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	if(ctx->subject_req) 
+		pk = ctx->subject_req->req_info->pubkey->public_key;
+	else pk = ctx->subject_cert->cert_info->key->public_key;
+
+	if(!pk) {
+		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	EVP_DigestInit(&md, EVP_sha1());
+	EVP_DigestUpdate(&md, pk->data, pk->length);
+	EVP_DigestFinal(&md, pkey_dig, &diglen);
+
+	if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	return oct;
+	
+	err:
+	M_ASN1_OCTET_STRING_free(oct);
+	return NULL;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_sxnet.c b/crypto/openssl/crypto/x509v3/v3_sxnet.c
new file mode 100644
index 0000000..20ba8ac
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_sxnet.c
@@ -0,0 +1,340 @@
+/* v3_sxnet.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Support for Thawte strong extranet extension */
+
+#define SXNET_TEST
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
+#ifdef SXNET_TEST
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+						STACK_OF(CONF_VALUE) *nval);
+#endif
+X509V3_EXT_METHOD v3_sxnet = {
+NID_sxnet, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)SXNET_new,
+(X509V3_EXT_FREE)SXNET_free,
+(X509V3_EXT_D2I)d2i_SXNET,
+(X509V3_EXT_I2D)i2d_SXNET,
+NULL, NULL,
+NULL, 
+#ifdef SXNET_TEST
+(X509V3_EXT_V2I)sxnet_v2i,
+#else
+NULL,
+#endif
+(X509V3_EXT_I2R)sxnet_i2r,
+NULL,
+NULL
+};
+
+
+int i2d_SXNET(SXNET *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+	M_ASN1_I2D_finish();
+}
+
+SXNET *SXNET_new(void)
+{
+	SXNET *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, SXNET);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->ids,sk_SXNETID_new_null);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_SXNET_NEW);
+}
+
+SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,SXNET *,SXNET_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_seq_type (SXNETID, ret->ids, d2i_SXNETID, SXNETID_free);
+	M_ASN1_D2I_Finish(a, SXNET_free, ASN1_F_D2I_SXNET);
+}
+
+void SXNET_free(SXNET *a)
+{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->version);
+	sk_SXNETID_pop_free(a->ids, SXNETID_free);
+	Free (a);
+}
+
+int i2d_SXNETID(SXNETID *a, unsigned char **pp)
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->zone, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len (a->user, i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->zone, i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put (a->user, i2d_ASN1_OCTET_STRING);
+
+	M_ASN1_I2D_finish();
+}
+
+SXNETID *SXNETID_new(void)
+{
+	SXNETID *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, SXNETID);
+	ret->zone = NULL;
+	M_ASN1_New(ret->user,M_ASN1_OCTET_STRING_new);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_SXNETID_NEW);
+}
+
+SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,SXNETID *,SXNETID_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->zone, d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->user, d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_Finish(a, SXNETID_free, ASN1_F_D2I_SXNETID);
+}
+
+void SXNETID_free(SXNETID *a)
+{
+	if (a == NULL) return;
+	M_ASN1_INTEGER_free(a->zone);
+	M_ASN1_OCTET_STRING_free(a->user);
+	Free (a);
+}
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
+	     int indent)
+{
+	long v;
+	char *tmp;
+	SXNETID *id;
+	int i;
+	v = ASN1_INTEGER_get(sx->version);
+	BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v);
+	for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+		id = sk_SXNETID_value(sx->ids, i);
+		tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+		BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
+		Free(tmp);
+		M_ASN1_OCTET_STRING_print(out, id->user);
+	}
+	return 1;
+}
+
+#ifdef SXNET_TEST
+
+/* NBB: this is used for testing only. It should *not* be used for anything
+ * else because it will just take static IDs from the configuration file and
+ * they should really be separate values for each user.
+ */
+
+
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+	     STACK_OF(CONF_VALUE) *nval)
+{
+	CONF_VALUE *cnf;
+	SXNET *sx = NULL;
+	int i;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
+								 return NULL;
+	}
+	return sx;
+}
+		
+	
+#endif
+
+/* Strong Extranet utility functions */
+
+/* Add an id given the zone as an ASCII number */
+
+int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
+	     int userlen)
+{
+	ASN1_INTEGER *izone = NULL;
+	if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+		X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+		return 0;
+	}
+	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+}
+
+/* Add an id given the zone as an unsigned long */
+
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
+	     int userlen)
+{
+	ASN1_INTEGER *izone = NULL;
+	if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+		X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
+		M_ASN1_INTEGER_free(izone);
+		return 0;
+	}
+	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+	
+}
+
+/* Add an id given the zone as an ASN1_INTEGER.
+ * Note this version uses the passed integer and doesn't make a copy so don't
+ * free it up afterwards.
+ */
+
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
+	     int userlen)
+{
+	SXNET *sx = NULL;
+	SXNETID *id = NULL;
+	if(!psx || !zone || !user) {
+		X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
+		return 0;
+	}
+	if(userlen == -1) userlen = strlen(user);
+	if(userlen > 64) {
+		X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
+		return 0;
+	}
+	if(!*psx) {
+		if(!(sx = SXNET_new())) goto err;
+		if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
+		*psx = sx;
+	} else sx = *psx;
+	if(SXNET_get_id_INTEGER(sx, zone)) {
+		X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
+		return 0;
+	}
+
+	if(!(id = SXNETID_new())) goto err;
+	if(userlen == -1) userlen = strlen(user);
+		
+	if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
+	if(!sk_SXNETID_push(sx->ids, id)) goto err;
+	id->zone = zone;
+	return 1;
+	
+	err:
+	X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
+	SXNETID_free(id);
+	SXNET_free(sx);
+	*psx = NULL;
+	return 0;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
+{
+	ASN1_INTEGER *izone = NULL;
+	ASN1_OCTET_STRING *oct;
+	if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+		X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+		return NULL;
+	}
+	oct = SXNET_get_id_INTEGER(sx, izone);
+	M_ASN1_INTEGER_free(izone);
+	return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
+{
+	ASN1_INTEGER *izone = NULL;
+	ASN1_OCTET_STRING *oct;
+	if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+		X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
+		M_ASN1_INTEGER_free(izone);
+		return NULL;
+	}
+	oct = SXNET_get_id_INTEGER(sx, izone);
+	M_ASN1_INTEGER_free(izone);
+	return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
+{
+	SXNETID *id;
+	int i;
+	for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+		id = sk_SXNETID_value(sx->ids, i);
+		if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
+	}
+	return NULL;
+}
+
+IMPLEMENT_STACK_OF(SXNETID)
+IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/crypto/openssl/crypto/x509v3/v3_utl.c b/crypto/openssl/crypto/x509v3/v3_utl.c
new file mode 100644
index 0000000..4c2c4a9
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_utl.c
@@ -0,0 +1,418 @@
+/* v3_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static char *strip_spaces(char *name);
+
+/* Add a CONF_VALUE name value pair to stack */
+
+int X509V3_add_value(const char *name, const char *value,
+						STACK_OF(CONF_VALUE) **extlist)
+{
+	CONF_VALUE *vtmp = NULL;
+	char *tname = NULL, *tvalue = NULL;
+	if(name && !(tname = BUF_strdup(name))) goto err;
+	if(value && !(tvalue = BUF_strdup(value))) goto err;;
+	if(!(vtmp = (CONF_VALUE *)Malloc(sizeof(CONF_VALUE)))) goto err;
+	if(!*extlist && !(*extlist = sk_CONF_VALUE_new(NULL))) goto err;
+	vtmp->section = NULL;
+	vtmp->name = tname;
+	vtmp->value = tvalue;
+	if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
+	return 1;
+	err:
+	X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
+	if(vtmp) Free(vtmp);
+	if(tname) Free(tname);
+	if(tvalue) Free(tvalue);
+	return 0;
+}
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+			   STACK_OF(CONF_VALUE) **extlist)
+    {
+    return X509V3_add_value(name,(const char *)value,extlist);
+    }
+
+/* Free function for STACK_OF(CONF_VALUE) */
+
+void X509V3_conf_free(CONF_VALUE *conf)
+{
+	if(!conf) return;
+	if(conf->name) Free(conf->name);
+	if(conf->value) Free(conf->value);
+	if(conf->section) Free(conf->section);
+	Free(conf);
+}
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist)
+{
+	if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+	return X509V3_add_value(name, "FALSE", extlist);
+}
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist)
+{
+	if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+	return 1;
+}
+
+
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
+{
+	BIGNUM *bntmp = NULL;
+	char *strtmp = NULL;
+	if(!a) return NULL;
+	if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
+	    !(strtmp = BN_bn2dec(bntmp)) )
+		X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+	BN_free(bntmp);
+	return strtmp;
+}
+
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
+{
+	BIGNUM *bntmp = NULL;
+	char *strtmp = NULL;
+	if(!a) return NULL;
+	if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
+	    !(strtmp = BN_bn2dec(bntmp)) )
+		X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+	BN_free(bntmp);
+	return strtmp;
+}
+
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
+{
+	BIGNUM *bn = NULL;
+	ASN1_INTEGER *aint;
+	bn = BN_new();
+	if(!value) {
+		X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
+		return 0;
+	}
+	if(!BN_dec2bn(&bn, value)) {
+		X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
+		return 0;
+	}
+
+	if(!(aint = BN_to_ASN1_INTEGER(bn, NULL))) {
+		X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
+		return 0;
+	}
+	BN_free(bn);
+	return aint;
+}
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+	     STACK_OF(CONF_VALUE) **extlist)
+{
+	char *strtmp;
+	int ret;
+	if(!aint) return 1;
+	if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
+	ret = X509V3_add_value(name, strtmp, extlist);
+	Free(strtmp);
+	return ret;
+}
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
+{
+	char *btmp;
+	if(!(btmp = value->value)) goto err;
+	if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
+		 || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
+		|| !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
+		*asn1_bool = 0xff;
+		return 1;
+	} else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
+		 || !strcmp(btmp, "N") || !strcmp(btmp, "n")
+		|| !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
+		*asn1_bool = 0;
+		return 1;
+	}
+	err:
+	X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
+	X509V3_conf_err(value);
+	return 0;
+}
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
+{
+	ASN1_INTEGER *itmp;
+	if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
+		X509V3_conf_err(value);
+		return 0;
+	}
+	*aint = itmp;
+	return 1;
+}
+
+#define HDR_NAME	1
+#define HDR_VALUE	2
+
+/*#define DEBUG*/
+
+STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
+{
+	char *p, *q, c;
+	char *ntmp, *vtmp;
+	STACK_OF(CONF_VALUE) *values = NULL;
+	char *linebuf;
+	int state;
+	/* We are going to modify the line so copy it first */
+	linebuf = BUF_strdup(line);
+	state = HDR_NAME;
+	ntmp = NULL;
+	/* Go through all characters */
+	for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+		switch(state) {
+			case HDR_NAME:
+			if(c == ':') {
+				state = HDR_VALUE;
+				*p = 0;
+				ntmp = strip_spaces(q);
+				if(!ntmp) {
+					X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+					goto err;
+				}
+				q = p + 1;
+			} else if(c == ',') {
+				*p = 0;
+				ntmp = strip_spaces(q);
+				q = p + 1;
+#ifdef DEBUG
+				printf("%s\n", ntmp);
+#endif
+				if(!ntmp) {
+					X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+					goto err;
+				}
+				X509V3_add_value(ntmp, NULL, &values);
+			}
+			break ;
+
+			case HDR_VALUE:
+			if(c == ',') {
+				state = HDR_NAME;
+				*p = 0;
+				vtmp = strip_spaces(q);
+#ifdef DEBUG
+				printf("%s\n", ntmp);
+#endif
+				if(!vtmp) {
+					X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+					goto err;
+				}
+				X509V3_add_value(ntmp, vtmp, &values);
+				ntmp = NULL;
+				q = p + 1;
+			}
+
+		}
+	}
+
+	if(state == HDR_VALUE) {
+		vtmp = strip_spaces(q);
+#ifdef DEBUG
+		printf("%s=%s\n", ntmp, vtmp);
+#endif
+		if(!vtmp) {
+			X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+			goto err;
+		}
+		X509V3_add_value(ntmp, vtmp, &values);
+	} else {
+		ntmp = strip_spaces(q);
+#ifdef DEBUG
+		printf("%s\n", ntmp);
+#endif
+		if(!ntmp) {
+			X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+			goto err;
+		}
+		X509V3_add_value(ntmp, NULL, &values);
+	}
+Free(linebuf);
+return values;
+
+err:
+Free(linebuf);
+sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
+return NULL;
+
+}
+
+/* Delete leading and trailing spaces from a string */
+static char *strip_spaces(char *name)
+{
+	char *p, *q;
+	/* Skip over leading spaces */
+	p = name;
+	while(*p && isspace((unsigned char)*p)) p++;
+	if(!*p) return NULL;
+	q = p + strlen(p) - 1;
+	while((q != p) && isspace((unsigned char)*q)) q--;
+	if(p != q) q[1] = 0;
+	if(!*p) return NULL;
+	return p;
+}
+
+/* hex string utilities */
+
+/* Given a buffer of length 'len' return a Malloc'ed string with its
+ * hex representation
+ */
+
+char *hex_to_string(unsigned char *buffer, long len)
+{
+	char *tmp, *q;
+	unsigned char *p;
+	int i;
+	static char hexdig[] = "0123456789ABCDEF";
+	if(!buffer || !len) return NULL;
+	if(!(tmp = Malloc(len * 3 + 1))) {
+		X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	q = tmp;
+	for(i = 0, p = buffer; i < len; i++,p++) {
+		*q++ = hexdig[(*p >> 4) & 0xf];
+		*q++ = hexdig[*p & 0xf];
+		*q++ = ':';
+	}
+	q[-1] = 0;
+	return tmp;
+}
+
+/* Give a string of hex digits convert to
+ * a buffer
+ */
+
+unsigned char *string_to_hex(char *str, long *len)
+{
+	unsigned char *hexbuf, *q;
+	unsigned char ch, cl, *p;
+	if(!str) {
+		X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+	if(!(hexbuf = Malloc(strlen(str) >> 1))) goto err;
+	for(p = (unsigned char *)str, q = hexbuf; *p;) {
+		ch = *p++;
+		if(ch == ':') continue;
+		cl = *p++;
+		if(!cl) {
+			X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
+			Free(hexbuf);
+			return NULL;
+		}
+		if(isupper(ch)) ch = tolower(ch);
+		if(isupper(cl)) cl = tolower(cl);
+
+		if((ch >= '0') && (ch <= '9')) ch -= '0';
+		else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
+		else goto badhex;
+
+		if((cl >= '0') && (cl <= '9')) cl -= '0';
+		else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
+		else goto badhex;
+
+		*q++ = (ch << 4) | cl;
+	}
+
+	if(len) *len = q - hexbuf;
+
+	return hexbuf;
+
+	err:
+	if(hexbuf) Free(hexbuf);
+	X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
+	return NULL;
+
+	badhex:
+	Free(hexbuf);
+	X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
+	return NULL;
+
+}
+
+/* V2I name comparison function: returns zero if 'name' matches
+ * cmp or cmp.*
+ */
+
+int name_cmp(const char *name, const char *cmp)
+{
+	int len, ret;
+	char c;
+	len = strlen(cmp);
+	if((ret = strncmp(name, cmp, len))) return ret;
+	c = name[len];
+	if(!c || (c=='.')) return 0;
+	return 1;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3conf.c b/crypto/openssl/crypto/x509v3/v3conf.c
new file mode 100644
index 0000000..21cf746
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3conf.c
@@ -0,0 +1,128 @@
+/* v3conf.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+/* Test application to add extensions from a config file */
+
+int main(int argc, char **argv)
+{
+	LHASH *conf;
+	X509 *cert;
+	FILE *inf;
+	char *conf_file;
+	int i;
+	int count;
+	X509_EXTENSION *ext;
+	X509V3_add_standard_extensions();
+	ERR_load_crypto_strings();
+	if(!argv[1]) {
+		fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n");
+		exit(1);
+	}
+	conf_file = argv[2];
+	if(!conf_file) conf_file = "test.cnf";
+	conf = CONF_load(NULL, "test.cnf", NULL);
+	if(!conf) {
+		fprintf(stderr, "Error opening Config file %s\n", conf_file);
+		ERR_print_errors_fp(stderr);
+		exit(1);
+	}
+
+	inf = fopen(argv[1], "r");
+	if(!inf) {
+		fprintf(stderr, "Can't open certificate file %s\n", argv[1]);
+		exit(1);
+	}
+	cert = PEM_read_X509(inf, NULL, NULL);
+	if(!cert) {
+		fprintf(stderr, "Error reading certificate file %s\n", argv[1]);
+		exit(1);
+	}
+	fclose(inf);
+
+	sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free);
+	cert->cert_info->extensions = NULL;
+
+	if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) {
+		fprintf(stderr, "Error adding extensions\n");
+		ERR_print_errors_fp(stderr);
+		exit(1);
+	}
+
+	count = X509_get_ext_count(cert);
+	printf("%d extensions\n", count);
+	for(i = 0; i < count; i++) {
+		ext = X509_get_ext(cert, i);
+		printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+		if(ext->critical) printf(",critical:\n");
+		else printf(":\n");
+		X509V3_EXT_print_fp(stdout, ext, 0);
+		printf("\n");
+		
+	}
+	return 0;
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3err.c b/crypto/openssl/crypto/x509v3/v3err.c
new file mode 100644
index 0000000..aa4a605
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3err.c
@@ -0,0 +1,176 @@
+/* crypto/x509v3/v3err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA X509V3_str_functs[]=
+	{
+{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),	"COPY_EMAIL"},
+{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),	"COPY_ISSUER"},
+{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),	"DO_EXT_CONF"},
+{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),	"DO_EXT_I2D"},
+{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),	"I2V_AUTHORITY_INFO_ACCESS"},
+{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),	"NOTICE_SECTION"},
+{ERR_PACK(0,X509V3_F_NREF_NOS,0),	"NREF_NOS"},
+{ERR_PACK(0,X509V3_F_POLICY_SECTION,0),	"POLICY_SECTION"},
+{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),	"R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),	"s2i_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),	"S2I_ASN1_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),	"S2I_S2I_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),	"string_to_hex"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),	"SXNET_ADD_ASC"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),	"SXNET_add_id_INTEGER"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),	"SXNET_add_id_ulong"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),	"SXNET_get_id_asc"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),	"SXNET_get_id_ulong"},
+{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0),	"V2I_ACCESS_DESCRIPTION"},
+{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
+{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
+{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),	"V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},
+{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),	"V3_GENERIC_EXTENSION"},
+{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),	"X509V3_add_value"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0),	"X509V3_EXT_add"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),	"X509V3_EXT_add_alias"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),	"X509V3_EXT_conf"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0),	"X509V3_EXT_i2d"},
+{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
+{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
+{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),	"X509_PURPOSE_add"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA X509V3_str_reasons[]=
+	{
+{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
+{X509V3_R_BAD_OBJECT                     ,"bad object"},
+{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
+{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
+{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
+{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
+{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
+{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
+{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
+{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
+{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
+{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
+{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
+{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
+{X509V3_R_INVALID_NAME                   ,"invalid name"},
+{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
+{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
+{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
+{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
+{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_INVALID_OPTION                 ,"invalid option"},
+{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_SECTION                ,"invalid section"},
+{X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
+{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
+{X509V3_R_MISSING_VALUE                  ,"missing value"},
+{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
+{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
+{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
+{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
+{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
+{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
+{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
+{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
+{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
+{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
+{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
+{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
+{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_X509V3_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
+		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/x509v3/v3prin.c b/crypto/openssl/crypto/x509v3/v3prin.c
new file mode 100644
index 0000000..ee79885
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3prin.c
@@ -0,0 +1,101 @@
+/* v3prin.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int main(int argc, char **argv)
+{
+	X509 *cert;
+	FILE *inf;
+	int i, count;
+	X509_EXTENSION *ext;
+	X509V3_add_standard_extensions();
+	ERR_load_crypto_strings();
+	if(!argv[1]) {
+		fprintf(stderr, "Usage v3prin cert.pem\n");
+		exit(1);
+	}
+	if(!(inf = fopen(argv[1], "r"))) {
+		fprintf(stderr, "Can't open %s\n", argv[1]);
+		exit(1);
+	}
+	if(!(cert = PEM_read_X509(inf, NULL, NULL))) {
+		fprintf(stderr, "Can't read certificate %s\n", argv[1]);
+		ERR_print_errors_fp(stderr);
+		exit(1);
+	}
+	fclose(inf);
+	count = X509_get_ext_count(cert);
+	printf("%d extensions\n", count);
+	for(i = 0; i < count; i++) {
+		ext = X509_get_ext(cert, i);
+		printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+		if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr);
+		printf("\n");
+		
+	}
+	return 0;
+}
diff --git a/crypto/openssl/crypto/x509v3/x509v3.h b/crypto/openssl/crypto/x509v3/x509v3.h
new file mode 100644
index 0000000..96ceb7c
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/x509v3.h
@@ -0,0 +1,644 @@
+/* x509v3.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_X509V3_H
+#define HEADER_X509V3_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/conf.h>
+
+/* Forward reference */
+struct v3_ext_method;
+struct v3_ext_ctx;
+
+/* Useful typedefs */
+
+typedef void * (*X509V3_EXT_NEW)(void);
+typedef void (*X509V3_EXT_FREE)(void *);
+typedef void * (*X509V3_EXT_D2I)(void *, unsigned char ** , long);
+typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
+typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
+typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
+typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
+typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
+typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+/* V3 extension structure */
+
+struct v3_ext_method {
+int ext_nid;
+int ext_flags;
+X509V3_EXT_NEW ext_new;
+X509V3_EXT_FREE ext_free;
+X509V3_EXT_D2I d2i;
+X509V3_EXT_I2D i2d;
+
+/* The following pair is used for string extensions */
+X509V3_EXT_I2S i2s;
+X509V3_EXT_S2I s2i;
+
+/* The following pair is used for multi-valued extensions */
+X509V3_EXT_I2V i2v;
+X509V3_EXT_V2I v2i;
+
+/* The following are used for raw extensions */
+X509V3_EXT_I2R i2r;
+X509V3_EXT_R2I r2i;
+
+void *usr_data;	/* Any extension specific data */
+};
+
+typedef struct X509V3_CONF_METHOD_st {
+char * (*get_string)(void *db, char *section, char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+void (*free_string)(void *db, char * string);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
+} X509V3_CONF_METHOD;
+
+/* Context specific info */
+struct v3_ext_ctx {
+#define CTX_TEST 0x1
+int flags;
+X509 *issuer_cert;
+X509 *subject_cert;
+X509_REQ *subject_req;
+X509_CRL *crl;
+X509V3_CONF_METHOD *db_meth;
+void *db;
+/* Maybe more here */
+};
+
+typedef struct v3_ext_method X509V3_EXT_METHOD;
+typedef struct v3_ext_ctx X509V3_CTX;
+
+/* ext_flags values */
+#define X509V3_EXT_DYNAMIC	0x1
+#define X509V3_EXT_CTX_DEP	0x2
+#define X509V3_EXT_MULTILINE	0x4
+
+typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
+
+typedef struct BASIC_CONSTRAINTS_st {
+int ca;
+ASN1_INTEGER *pathlen;
+} BASIC_CONSTRAINTS;
+
+
+typedef struct PKEY_USAGE_PERIOD_st {
+ASN1_GENERALIZEDTIME *notBefore;
+ASN1_GENERALIZEDTIME *notAfter;
+} PKEY_USAGE_PERIOD;
+
+typedef struct otherName_st {
+ASN1_OBJECT *type_id;
+ASN1_TYPE *value;
+} OTHERNAME;
+
+typedef struct GENERAL_NAME_st {
+
+#define GEN_OTHERNAME	(0|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_EMAIL	(1|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_DNS		(2|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_X400	(3|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_DIRNAME	(4|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_EDIPARTY	(5|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_URI		(6|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_IPADD	(7|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_RID		(8|V_ASN1_CONTEXT_SPECIFIC)
+
+int type;
+union {
+	char *ptr;
+	ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
+	ASN1_OCTET_STRING *ip; /* iPAddress */
+	X509_NAME *dirn;		/* dirn */
+	ASN1_OBJECT *rid; /* registeredID */
+	OTHERNAME *otherName; /* otherName */
+	ASN1_TYPE *other; /* ediPartyName, x400Address */
+} d;
+} GENERAL_NAME;
+
+typedef struct ACCESS_DESCRIPTION_st {
+	ASN1_OBJECT *method;
+	GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
+DECLARE_STACK_OF(GENERAL_NAME)
+DECLARE_ASN1_SET_OF(GENERAL_NAME)
+
+DECLARE_STACK_OF(ACCESS_DESCRIPTION)
+DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
+
+typedef struct DIST_POINT_NAME_st {
+/* NB: this is a CHOICE type and only one of these should be set */
+STACK_OF(GENERAL_NAME) *fullname;
+STACK_OF(X509_NAME_ENTRY) *relativename;
+} DIST_POINT_NAME;
+
+typedef struct DIST_POINT_st {
+DIST_POINT_NAME	*distpoint;
+ASN1_BIT_STRING *reasons;
+STACK_OF(GENERAL_NAME) *CRLissuer;
+} DIST_POINT;
+
+DECLARE_STACK_OF(DIST_POINT)
+DECLARE_ASN1_SET_OF(DIST_POINT)
+
+typedef struct AUTHORITY_KEYID_st {
+ASN1_OCTET_STRING *keyid;
+STACK_OF(GENERAL_NAME) *issuer;
+ASN1_INTEGER *serial;
+} AUTHORITY_KEYID;
+
+/* Strong extranet structures */
+
+typedef struct SXNET_ID_st {
+	ASN1_INTEGER *zone;
+	ASN1_OCTET_STRING *user;
+} SXNETID;
+
+DECLARE_STACK_OF(SXNETID)
+DECLARE_ASN1_SET_OF(SXNETID)
+
+typedef struct SXNET_st {
+	ASN1_INTEGER *version;
+	STACK_OF(SXNETID) *ids;
+} SXNET;
+
+typedef struct NOTICEREF_st {
+	ASN1_STRING *organization;
+	STACK *noticenos;
+} NOTICEREF;
+
+typedef struct USERNOTICE_st {
+	NOTICEREF *noticeref;
+	ASN1_STRING *exptext;
+} USERNOTICE;
+
+typedef struct POLICYQUALINFO_st {
+	ASN1_OBJECT *pqualid;
+	union {
+		ASN1_IA5STRING *cpsuri;
+		USERNOTICE *usernotice;
+		ASN1_TYPE *other;
+	} d;
+} POLICYQUALINFO;
+
+DECLARE_STACK_OF(POLICYQUALINFO)
+DECLARE_ASN1_SET_OF(POLICYQUALINFO)
+
+typedef struct POLICYINFO_st {
+	ASN1_OBJECT *policyid;
+	STACK_OF(POLICYQUALINFO) *qualifiers;
+} POLICYINFO;
+
+DECLARE_STACK_OF(POLICYINFO)
+DECLARE_ASN1_SET_OF(POLICYINFO)
+
+#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
+",name:", val->name, ",value:", val->value);
+
+#define X509V3_set_ctx_test(ctx) \
+			X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
+#define X509V3_set_ctx_nodb(ctx) ctx->db = NULL;
+
+#define EXT_BITSTRING(nid, table) { nid, 0, \
+			(X509V3_EXT_NEW)ASN1_BIT_STRING_new, \
+			(X509V3_EXT_FREE)ASN1_BIT_STRING_free, \
+			(X509V3_EXT_D2I)d2i_ASN1_BIT_STRING, \
+			(X509V3_EXT_I2D)i2d_ASN1_BIT_STRING, \
+			NULL, NULL, \
+			(X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
+			(X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
+			NULL, NULL, \
+			(char *)table}
+
+#define EXT_IA5STRING(nid) { nid, 0, \
+			(X509V3_EXT_NEW)ASN1_IA5STRING_new, \
+			(X509V3_EXT_FREE)ASN1_IA5STRING_free, \
+			(X509V3_EXT_D2I)d2i_ASN1_IA5STRING, \
+			(X509V3_EXT_I2D)i2d_ASN1_IA5STRING, \
+			(X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
+			(X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
+			NULL, NULL, NULL, NULL, \
+			NULL}
+
+#define EXT_END { -1, 0, NULL, NULL, NULL, NULL, NULL, NULL, \
+			 NULL, NULL, NULL, NULL, \
+			 NULL}
+
+
+/* X509_PURPOSE stuff */
+
+#define EXFLAG_BCONS		0x1
+#define EXFLAG_KUSAGE		0x2
+#define EXFLAG_XKUSAGE		0x4
+#define EXFLAG_NSCERT		0x8
+
+#define EXFLAG_CA		0x10
+#define EXFLAG_SS		0x20
+#define EXFLAG_V1		0x40
+#define EXFLAG_INVALID		0x80
+#define EXFLAG_SET		0x100
+
+#define KU_DIGITAL_SIGNATURE	0x0080
+#define KU_NON_REPUDIATION	0x0040
+#define KU_KEY_ENCIPHERMENT	0x0020
+#define KU_DATA_ENCIPHERMENT	0x0010
+#define KU_KEY_AGREEMENT	0x0008
+#define KU_KEY_CERT_SIGN	0x0004
+#define KU_CRL_SIGN		0x0002
+#define KU_ENCIPHER_ONLY	0x0001
+#define KU_DECIPHER_ONLY	0x8000
+
+#define NS_SSL_CLIENT		0x80
+#define NS_SSL_SERVER		0x40
+#define NS_SMIME		0x20
+#define NS_OBJSIGN		0x10
+#define NS_SSL_CA		0x04
+#define NS_SMIME_CA		0x02
+#define NS_OBJSIGN_CA		0x01
+
+#define XKU_SSL_SERVER		0x1	
+#define XKU_SSL_CLIENT		0x2
+#define XKU_SMIME		0x4
+#define XKU_CODE_SIGN		0x8
+#define XKU_SGC			0x10
+
+#define X509_PURPOSE_DYNAMIC	0x1
+#define X509_PURPOSE_DYNAMIC_NAME	0x2
+
+typedef struct x509_purpose_st {
+	int purpose;
+	int trust;		/* Default trust ID */
+	int flags;
+	int (*check_purpose)(struct x509_purpose_st *, X509 *, int);
+	char *name;
+	char *sname;
+	void *usr_data;
+} X509_PURPOSE;
+
+#define X509_PURPOSE_SSL_CLIENT		1
+#define X509_PURPOSE_SSL_SERVER		2
+#define X509_PURPOSE_NS_SSL_SERVER	3
+#define X509_PURPOSE_SMIME_SIGN		4
+#define X509_PURPOSE_SMIME_ENCRYPT	5
+#define X509_PURPOSE_CRL_SIGN		6
+#define X509_PURPOSE_ANY		7
+
+#define X509_PURPOSE_MIN		1
+#define X509_PURPOSE_MAX		7
+
+DECLARE_STACK_OF(X509_PURPOSE)
+
+void ERR_load_X509V3_strings(void);
+int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp);
+BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, unsigned char **pp, long length);
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a);
+
+int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp);
+GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp, long length);
+GENERAL_NAME *GENERAL_NAME_new(void);
+void GENERAL_NAME_free(GENERAL_NAME *a);
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
+
+int i2d_SXNET(SXNET *a, unsigned char **pp);
+SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length);
+SXNET *SXNET_new(void);
+void SXNET_free(SXNET *a);
+
+int i2d_SXNETID(SXNETID *a, unsigned char **pp);
+SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length);
+SXNETID *SXNETID_new(void);
+void SXNETID_free(SXNETID *a);
+
+int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen); 
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen); 
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen); 
+
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
+ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
+ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
+
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp);
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, long length);
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
+
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp);
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, unsigned char **pp, long length);
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
+
+STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new(void);
+void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a);
+STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a, unsigned char **pp, long length);
+int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp);
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+		STACK_OF(GENERAL_NAME) *gen, STACK_OF(CONF_VALUE) *extlist);
+STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp);
+OTHERNAME *OTHERNAME_new(void);
+OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length);
+void OTHERNAME_free(OTHERNAME *a);
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+
+int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp);
+STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
+					unsigned char **pp, long length);
+void ext_ku_free(STACK_OF(ASN1_OBJECT) *a);
+STACK_OF(ASN1_OBJECT) *ext_ku_new(void);
+
+int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp);
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void);
+void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a);
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a, unsigned char **pp, long length);
+
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp);
+POLICYINFO *POLICYINFO_new(void);
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp, long length);
+void POLICYINFO_free(POLICYINFO *a);
+
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp);
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
+								 long length);
+void POLICYQUALINFO_free(POLICYQUALINFO *a);
+
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp);
+USERNOTICE *USERNOTICE_new(void);
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp, long length);
+void USERNOTICE_free(USERNOTICE *a);
+
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp);
+NOTICEREF *NOTICEREF_new(void);
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
+void NOTICEREF_free(NOTICEREF *a);
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp);
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void);
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a);
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length);
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp);
+DIST_POINT *DIST_POINT_new(void);
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length);
+void DIST_POINT_free(DIST_POINT *a);
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp);
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length);
+
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp);
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
+             long length);
+
+STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void);
+void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a);
+STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
+					 unsigned char **pp, long length);
+int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp);
+
+
+
+#ifdef HEADER_CONF_H
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
+void X509V3_conf_free(CONF_VALUE *val);
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
+#endif
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
+				 X509_REQ *req, X509_CRL *crl, int flags);
+
+int X509V3_add_value(const char *name, const char *value,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+						STACK_OF(CONF_VALUE) **extlist);
+char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
+ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
+char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
+char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
+int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
+int X509V3_EXT_add_alias(int nid_to, int nid_from);
+void X509V3_EXT_cleanup(void);
+
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+int X509V3_add_standard_extensions(void);
+STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line);
+void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+
+char *hex_to_string(unsigned char *buffer, long len);
+unsigned char *string_to_hex(char *str, long *len);
+int name_cmp(const char *name, const char *cmp);
+
+void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
+								 int ml);
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
+int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
+
+int X509_check_purpose(X509 *x, int id, int ca);
+int X509_PURPOSE_get_count(void);
+X509_PURPOSE * X509_PURPOSE_get0(int idx);
+int X509_PURPOSE_get_by_sname(char *sname);
+int X509_PURPOSE_get_by_id(int id);
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(X509_PURPOSE *, X509 *, int),
+				char *name, char *sname, void *arg);
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
+void X509_PURPOSE_cleanup(void);
+int X509_PURPOSE_get_id(X509_PURPOSE *);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the X509V3 functions. */
+
+/* Function codes. */
+#define X509V3_F_COPY_EMAIL				 122
+#define X509V3_F_COPY_ISSUER				 123
+#define X509V3_F_DO_EXT_CONF				 124
+#define X509V3_F_DO_EXT_I2D				 135
+#define X509V3_F_HEX_TO_STRING				 111
+#define X509V3_F_I2S_ASN1_ENUMERATED			 121
+#define X509V3_F_I2S_ASN1_INTEGER			 120
+#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
+#define X509V3_F_NOTICE_SECTION				 132
+#define X509V3_F_NREF_NOS				 133
+#define X509V3_F_POLICY_SECTION				 131
+#define X509V3_F_R2I_CERTPOL				 130
+#define X509V3_F_S2I_ASN1_IA5STRING			 100
+#define X509V3_F_S2I_ASN1_INTEGER			 108
+#define X509V3_F_S2I_ASN1_OCTET_STRING			 112
+#define X509V3_F_S2I_ASN1_SKEY_ID			 114
+#define X509V3_F_S2I_S2I_SKEY_ID			 115
+#define X509V3_F_STRING_TO_HEX				 113
+#define X509V3_F_SXNET_ADD_ASC				 125
+#define X509V3_F_SXNET_ADD_ID_INTEGER			 126
+#define X509V3_F_SXNET_ADD_ID_ULONG			 127
+#define X509V3_F_SXNET_GET_ID_ASC			 128
+#define X509V3_F_SXNET_GET_ID_ULONG			 129
+#define X509V3_F_V2I_ACCESS_DESCRIPTION			 139
+#define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_KEYID			 119
+#define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
+#define X509V3_F_V2I_CRLD				 134
+#define X509V3_F_V2I_EXT_KU				 103
+#define X509V3_F_V2I_GENERAL_NAME			 117
+#define X509V3_F_V2I_GENERAL_NAMES			 118
+#define X509V3_F_V3_GENERIC_EXTENSION			 116
+#define X509V3_F_X509V3_ADD_VALUE			 105
+#define X509V3_F_X509V3_EXT_ADD				 104
+#define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
+#define X509V3_F_X509V3_EXT_CONF			 107
+#define X509V3_F_X509V3_EXT_I2D				 136
+#define X509V3_F_X509V3_GET_VALUE_BOOL			 110
+#define X509V3_F_X509V3_PARSE_LIST			 109
+#define X509V3_F_X509_PURPOSE_ADD			 137
+
+/* Reason codes. */
+#define X509V3_R_BAD_IP_ADDRESS				 118
+#define X509V3_R_BAD_OBJECT				 119
+#define X509V3_R_BN_DEC2BN_ERROR			 100
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR		 101
+#define X509V3_R_DUPLICATE_ZONE_ID			 133
+#define X509V3_R_ERROR_CONVERTING_ZONE			 131
+#define X509V3_R_ERROR_IN_EXTENSION			 128
+#define X509V3_R_EXPECTED_A_SECTION_NAME		 137
+#define X509V3_R_EXTENSION_NAME_ERROR			 115
+#define X509V3_R_EXTENSION_NOT_FOUND			 102
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
+#define X509V3_R_EXTENSION_VALUE_ERROR			 116
+#define X509V3_R_ILLEGAL_HEX_DIGIT			 113
+#define X509V3_R_INVALID_BOOLEAN_STRING			 104
+#define X509V3_R_INVALID_EXTENSION_STRING		 105
+#define X509V3_R_INVALID_NAME				 106
+#define X509V3_R_INVALID_NULL_ARGUMENT			 107
+#define X509V3_R_INVALID_NULL_NAME			 108
+#define X509V3_R_INVALID_NULL_VALUE			 109
+#define X509V3_R_INVALID_NUMBER				 140
+#define X509V3_R_INVALID_NUMBERS			 141
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_INVALID_OPTION				 138
+#define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_SECTION			 135
+#define X509V3_R_INVALID_SYNTAX				 143
+#define X509V3_R_ISSUER_DECODE_ERROR			 126
+#define X509V3_R_MISSING_VALUE				 124
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS		 142
+#define X509V3_R_NO_CONFIG_DATABASE			 136
+#define X509V3_R_NO_ISSUER_CERTIFICATE			 121
+#define X509V3_R_NO_ISSUER_DETAILS			 127
+#define X509V3_R_NO_POLICY_IDENTIFIER			 139
+#define X509V3_R_NO_PUBLIC_KEY				 114
+#define X509V3_R_NO_SUBJECT_DETAILS			 125
+#define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
+#define X509V3_R_UNKNOWN_EXTENSION			 129
+#define X509V3_R_UNKNOWN_EXTENSION_NAME			 130
+#define X509V3_R_UNKNOWN_OPTION				 120
+#define X509V3_R_UNSUPPORTED_OPTION			 117
+#define X509V3_R_USER_TOO_LONG				 132
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/demos/README b/crypto/openssl/demos/README
new file mode 100644
index 0000000..d2155ef
--- /dev/null
+++ b/crypto/openssl/demos/README
@@ -0,0 +1,9 @@
+NOTE: Don't expect any of these programs to work with current
+OpenSSL releases, or even with later SSLeay releases.
+
+Original README:
+=============================================================================
+
+Some demo programs sent to me by various people
+
+eric
diff --git a/crypto/openssl/demos/b64.c b/crypto/openssl/demos/b64.c
new file mode 100644
index 0000000..ad86bc9
--- /dev/null
+++ b/crypto/openssl/demos/b64.c
@@ -0,0 +1,270 @@
+/* demos/b64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "../apps/apps.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef SIZE
+#undef BSIZE
+#undef PROG
+
+#define SIZE	(512)
+#define BSIZE	(8*1024)
+#define	PROG	enc_main
+
+int main(argc,argv)
+int argc;
+char **argv;
+	{
+	char *strbuf=NULL;
+	unsigned char *buff=NULL,*bufsize=NULL;
+	int bsize=BSIZE,verbose=0;
+	int ret=1,inl;
+	unsigned char key[24],iv[MD5_DIGEST_LENGTH];
+	char *str=NULL;
+	char *hkey=NULL,*hiv=NULL;
+	int enc=1,printkey=0,i,base64=0;
+	int debug=0;
+	EVP_CIPHER *cipher=NULL,*c;
+	char *inf=NULL,*outf=NULL;
+	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
+#define PROG_NAME_SIZE  16
+        char pname[PROG_NAME_SIZE];
+
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
+
+	base64=1;
+
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-e") == 0)
+			enc=1;
+		if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inf= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outf= *(++argv);
+			}
+		else if	(strcmp(*argv,"-d") == 0)
+			enc=0;
+		else if	(strcmp(*argv,"-v") == 0)
+			verbose=1;
+		else if	(strcmp(*argv,"-debug") == 0)
+			debug=1;
+		else if (strcmp(*argv,"-bufsize") == 0)
+			{
+			if (--argc < 1) goto bad;
+			bufsize=(unsigned char *)*(++argv);
+			}
+		else
+			{
+			BIO_printf(bio_err,"unknown option '%s'\n",*argv);
+bad:
+			BIO_printf(bio_err,"options are\n");
+			BIO_printf(bio_err,"%-14s input file\n","-in <file>");
+			BIO_printf(bio_err,"%-14s output file\n","-out <file>");
+			BIO_printf(bio_err,"%-14s encode\n","-e");
+			BIO_printf(bio_err,"%-14s decode\n","-d");
+			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
+
+			goto end;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (bufsize != NULL)
+		{
+		int i;
+		unsigned long n;
+
+		for (n=0; *bufsize; bufsize++)
+			{
+			i= *bufsize;
+			if ((i <= '9') && (i >= '0'))
+				n=n*10+i-'0';
+			else if (i == 'k')
+				{
+				n*=1024;
+				bufsize++;
+				break;
+				}
+			}
+		if (*bufsize != '\0')
+			{
+			BIO_printf(bio_err,"invalid 'bufsize' specified.\n");
+			goto end;
+			}
+
+		/* It must be large enough for a base64 encoded line */
+		if (n < 80) n=80;
+
+		bsize=(int)n;
+		if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
+		}
+
+	strbuf=Malloc(SIZE);
+	buff=(unsigned char *)Malloc(EVP_ENCODE_LENGTH(bsize));
+	if ((buff == NULL) || (strbuf == NULL))
+		{
+		BIO_printf(bio_err,"Malloc failure\n");
+		goto end;
+		}
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+	if (debug)
+		{
+		BIO_set_callback(in,BIO_debug_callback);
+		BIO_set_callback(out,BIO_debug_callback);
+		BIO_set_callback_arg(in,bio_err);
+		BIO_set_callback_arg(out,bio_err);
+		}
+
+	if (inf == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,inf) <= 0)
+			{
+			perror(inf);
+			goto end;
+			}
+		}
+
+	if (outf == NULL)
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_write_filename(out,outf) <= 0)
+			{
+			perror(outf);
+			goto end;
+			}
+		}
+
+	rbio=in;
+	wbio=out;
+
+	if (base64)
+		{
+		if ((b64=BIO_new(BIO_f_base64())) == NULL)
+			goto end;
+		if (debug)
+			{
+			BIO_set_callback(b64,BIO_debug_callback);
+			BIO_set_callback_arg(b64,bio_err);
+			}
+		if (enc)
+			wbio=BIO_push(b64,wbio);
+		else
+			rbio=BIO_push(b64,rbio);
+		}
+
+	for (;;)
+		{
+		inl=BIO_read(rbio,(char *)buff,bsize);
+		if (inl <= 0) break;
+		if (BIO_write(wbio,(char *)buff,inl) != inl)
+			{
+			BIO_printf(bio_err,"error writing output file\n");
+			goto end;
+			}
+		}
+	BIO_flush(wbio);
+
+	ret=0;
+	if (verbose)
+		{
+		BIO_printf(bio_err,"bytes read   :%8ld\n",BIO_number_read(in));
+		BIO_printf(bio_err,"bytes written:%8ld\n",BIO_number_written(out));
+		}
+end:
+	if (strbuf != NULL) Free(strbuf);
+	if (buff != NULL) Free(buff);
+	if (in != NULL) BIO_free(in);
+	if (out != NULL) BIO_free(out);
+	if (benc != NULL) BIO_free(benc);
+	if (b64 != NULL) BIO_free(b64);
+	EXIT(ret);
+	}
+
diff --git a/crypto/openssl/demos/b64.pl b/crypto/openssl/demos/b64.pl
new file mode 100644
index 0000000..8aa5fb4
--- /dev/null
+++ b/crypto/openssl/demos/b64.pl
@@ -0,0 +1,20 @@
+#!/usr/local/bin/perl
+
+#
+# Make PEM encoded data have lines of 64 bytes of data
+#
+
+while (<>)
+	{
+	if (/^-----BEGIN/ .. /^-----END/)
+		{
+		if (/^-----BEGIN/) { $first=$_; next; }
+		if (/^-----END/) { $last=$_; next; }
+		$out.=$_;
+		}
+	}
+$out =~ s/\s//g;
+$out =~ s/(.{64})/$1\n/g;
+print "$first$out\n$last\n";
+
+
diff --git a/crypto/openssl/demos/bio/Makefile b/crypto/openssl/demos/bio/Makefile
new file mode 100644
index 0000000..4351540
--- /dev/null
+++ b/crypto/openssl/demos/bio/Makefile
@@ -0,0 +1,16 @@
+CC=cc
+CFLAGS= -g -I../../include
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a
+EXAMPLES=saccept sconnect
+
+all: $(EXAMPLES) 
+
+saccept: saccept.o
+	$(CC) -o saccept saccept.o $(LIBS)
+
+sconnect: sconnect.o
+	$(CC) -o sconnect sconnect.o $(LIBS)
+
+clean:	
+	rm -f $(EXAMPLES) *.o
+
diff --git a/crypto/openssl/demos/bio/README b/crypto/openssl/demos/bio/README
new file mode 100644
index 0000000..0b24e5b
--- /dev/null
+++ b/crypto/openssl/demos/bio/README
@@ -0,0 +1,3 @@
+This directory contains some simple examples of the use of BIO's
+to simplify socket programming.
+
diff --git a/crypto/openssl/demos/bio/saccept.c b/crypto/openssl/demos/bio/saccept.c
new file mode 100644
index 0000000..933d669
--- /dev/null
+++ b/crypto/openssl/demos/bio/saccept.c
@@ -0,0 +1,107 @@
+/* NOCW */
+/* demos/bio/saccept.c */
+
+/* A minimal program to server an SSL connection.
+ * It uses blocking.
+ * saccept host:port
+ * host is the interface IP to use.  If any interface, use *:port
+ * The default it *:4433
+ *
+ * cc -I../../include saccept.c -L../.. -lssl -lcrypto
+ */
+
+#include <stdio.h>
+#include <signal.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#define CERT_FILE	"server.pem"
+
+BIO *in=NULL;
+
+void close_up()
+	{
+	if (in != NULL)
+		BIO_free(in);
+	}
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	char *port=NULL;
+	BIO *ssl_bio,*tmp;
+	SSL_CTX *ctx;
+	SSL *ssl;
+	char buf[512];
+	int ret=1,i;
+
+        if (argc <= 1)
+		port="*:4433";
+	else
+		port=argv[1];
+
+	signal(SIGINT,close_up);
+
+	SSL_load_error_strings();
+
+	/* Add ciphers and message digests */
+	OpenSSL_add_ssl_algorithms();
+
+	ctx=SSL_CTX_new(SSLv23_server_method());
+	if (!SSL_CTX_use_certificate_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
+		goto err;
+	if (!SSL_CTX_use_PrivateKey_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
+		goto err;
+	if (!SSL_CTX_check_private_key(ctx))
+		goto err;
+
+	/* Setup server side SSL bio */
+	ssl=SSL_new(ctx);
+	ssl_bio=BIO_new_ssl(ctx,0);
+
+	if ((in=BIO_new_accept(port)) == NULL) goto err;
+
+	/* This means that when a new connection is acceptede on 'in',
+	 * The ssl_bio will be 'dupilcated' and have the new socket
+	 * BIO push into it.  Basically it means the SSL BIO will be
+	 * automatically setup */
+	BIO_set_accept_bios(in,ssl_bio);
+
+again:
+	/* The first call will setup the accept socket, and the second
+	 * will get a socket.  In this loop, the first actual accept
+	 * will occur in the BIO_read() function. */
+
+	if (BIO_do_accept(in) <= 0) goto err;
+
+	for (;;)
+		{
+		i=BIO_read(in,buf,512);
+		if (i == 0)
+			{
+			/* If we have finished, remove the underlying
+			 * BIO stack so the next time we call any function
+			 * for this BIO, it will attempt to do an
+			 * accept */
+			printf("Done\n");
+			tmp=BIO_pop(in);
+			BIO_free_all(tmp);
+			goto again;
+			}
+		if (i < 0) goto err;
+		fwrite(buf,1,i,stdout);
+		fflush(stdout);
+		}
+
+	ret=0;
+err:
+	if (ret)
+		{
+		ERR_print_errors_fp(stderr);
+		}
+	if (in != NULL) BIO_free(in);
+	exit(ret);
+	return(!ret);
+	}
+
diff --git a/crypto/openssl/demos/bio/sconnect.c b/crypto/openssl/demos/bio/sconnect.c
new file mode 100644
index 0000000..87b380b
--- /dev/null
+++ b/crypto/openssl/demos/bio/sconnect.c
@@ -0,0 +1,116 @@
+/* NOCW */
+/* demos/bio/sconnect.c */
+
+/* A minimal program to do SSL to a passed host and port.
+ * It is actually using non-blocking IO but in a very simple manner
+ * sconnect host:port - it does a 'GET / HTTP/1.0'
+ *
+ * cc -I../../include sconnect.c -L../.. -lssl -lcrypto
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+extern int errno;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	char *host;
+	BIO *out;
+	char buf[1024*10],*p;
+	SSL_CTX *ssl_ctx=NULL;
+	SSL *ssl;
+	BIO *ssl_bio;
+	int i,len,off,ret=1;
+
+	if (argc <= 1)
+		host="localhost:4433";
+	else
+		host=argv[1];
+
+	/* Lets get nice error messages */
+	SSL_load_error_strings();
+
+	/* Setup all the global SSL stuff */
+	OpenSSL_add_ssl_algorithms();
+	ssl_ctx=SSL_CTX_new(SSLv23_client_method());
+
+	/* Lets make a SSL structure */
+	ssl=SSL_new(ssl_ctx);
+	SSL_set_connect_state(ssl);
+
+	/* Use it inside an SSL BIO */
+	ssl_bio=BIO_new(BIO_f_ssl());
+	BIO_set_ssl(ssl_bio,ssl,BIO_CLOSE);
+
+	/* Lets use a connect BIO under the SSL BIO */
+	out=BIO_new(BIO_s_connect());
+	BIO_set_conn_hostname(out,host);
+	BIO_set_nbio(out,1);
+	out=BIO_push(ssl_bio,out);
+
+	p="GET / HTTP/1.0\r\n\r\n";
+	len=strlen(p);
+
+	off=0;
+	for (;;)
+		{
+		i=BIO_write(out,&(p[off]),len);
+		if (i <= 0)
+			{
+			if (BIO_should_retry(out))
+				{
+				fprintf(stderr,"write DELAY\n");
+				sleep(1);
+				continue;
+				}
+			else
+				{
+				goto err;
+				}
+			}
+		off+=i;
+		len-=i;
+		if (len <= 0) break;
+		}
+
+	for (;;)
+		{
+		i=BIO_read(out,buf,sizeof(buf));
+		if (i == 0) break;
+		if (i < 0)
+			{
+			if (BIO_should_retry(out))
+				{
+				fprintf(stderr,"read DELAY\n");
+				sleep(1);
+				continue;
+				}
+			goto err;
+			}
+		fwrite(buf,1,i,stdout);
+		}
+
+	ret=1;
+
+	if (0)
+		{
+err:
+		if (ERR_peek_error() == 0) /* system call error */
+			{
+			fprintf(stderr,"errno=%d ",errno);
+			perror("error");
+			}
+		else
+			ERR_print_errors_fp(stderr);
+		}
+	BIO_free_all(out);
+	if (ssl_ctx != NULL) SSL_CTX_free(ssl_ctx);
+	exit(!ret);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/demos/bio/server.pem b/crypto/openssl/demos/bio/server.pem
new file mode 100644
index 0000000..5cf1387
--- /dev/null
+++ b/crypto/openssl/demos/bio/server.pem
@@ -0,0 +1,30 @@
+subject=/C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+issuer= /C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+-----BEGIN X509 CERTIFICATE-----
+
+MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
+MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
+BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
+LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
+/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
+DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
+IMs6ZOZB
+-----END X509 CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+
+MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe
+Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ
+hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG
+sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw
+tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq
+agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA
+g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI=
+-----END RSA PRIVATE KEY-----
+
+-----BEGIN DH PARAMETERS-----
+MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn
+a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC
+-----END DH PARAMETERS-----
+
diff --git a/crypto/openssl/demos/eay/Makefile b/crypto/openssl/demos/eay/Makefile
new file mode 100644
index 0000000..2d22eac
--- /dev/null
+++ b/crypto/openssl/demos/eay/Makefile
@@ -0,0 +1,24 @@
+CC=cc
+CFLAGS= -g -I../../include
+#LIBS=  -L../.. -lcrypto -lssl
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a
+
+# the file conn.c requires a file "proxy.h" which I couldn't find...
+#EXAMPLES=base64 conn loadrsa
+EXAMPLES=base64 loadrsa
+
+all: $(EXAMPLES) 
+
+base64: base64.o
+	$(CC) -o base64 base64.o $(LIBS)
+#
+# sorry... can't find "proxy.h"
+#conn: conn.o
+#	$(CC) -o conn conn.o $(LIBS)
+
+loadrsa: loadrsa.o
+	$(CC) -o loadrsa loadrsa.o $(LIBS)
+
+clean:	
+	rm -f $(EXAMPLES) *.o
+
diff --git a/crypto/openssl/demos/eay/base64.c b/crypto/openssl/demos/eay/base64.c
new file mode 100644
index 0000000..4b8b062
--- /dev/null
+++ b/crypto/openssl/demos/eay/base64.c
@@ -0,0 +1,49 @@
+/* This is a simple example of using the base64 BIO to a memory BIO and then
+ * getting the data.
+ */
+#include <stdio.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+main()
+	{
+	int i;
+	BIO *mbio,*b64bio,*bio;
+	char buf[512];
+	char *p;
+
+	mbio=BIO_new(BIO_s_mem());
+	b64bio=BIO_new(BIO_f_base64());
+
+	bio=BIO_push(b64bio,mbio);
+	/* We now have bio pointing at b64->mem, the base64 bio encodes on
+	 * write and decodes on read */
+
+	for (;;)
+		{
+		i=fread(buf,1,512,stdin);
+		if (i <= 0) break;
+		BIO_write(bio,buf,i);
+		}
+	/* We need to 'flush' things to push out the encoding of the
+	 * last few bytes.  There is special encoding if it is not a
+	 * multiple of 3
+	 */
+	BIO_flush(bio);
+
+	printf("We have %d bytes available\n",BIO_pending(mbio));
+
+	/* We will now get a pointer to the data and the number of elements. */
+	/* hmm... this one was not defined by a macro in bio.h, it will be for
+	 * 0.9.1.  The other option is too just read from the memory bio.
+	 */
+	i=(int)BIO_ctrl(mbio,BIO_CTRL_INFO,0,(char *)&p);
+
+	printf("%d\n",i);
+	fwrite("---\n",1,4,stdout);
+	fwrite(p,1,i,stdout);
+	fwrite("---\n",1,4,stdout);
+
+	/* This call will walk the chain freeing all the BIOs */
+	BIO_free_all(bio);
+	}
diff --git a/crypto/openssl/demos/eay/conn.c b/crypto/openssl/demos/eay/conn.c
new file mode 100644
index 0000000..c4b8f51
--- /dev/null
+++ b/crypto/openssl/demos/eay/conn.c
@@ -0,0 +1,105 @@
+/* NOCW */
+/* demos/eay/conn.c */
+
+/* A minimal program to connect to a port using the sock4a protocol.
+ *
+ * cc -I../../include conn.c -L../.. -lcrypto
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+/* #include "proxy.h" */
+
+extern int errno;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	PROXY *pxy;
+	char *host;
+	char buf[1024*10],*p;
+	BIO *bio;
+	int i,len,off,ret=1;
+
+	if (argc <= 1)
+		host="localhost:4433";
+	else
+		host=argv[1];
+
+	/* Lets get nice error messages */
+	ERR_load_crypto_strings();
+
+	/* First, configure proxy settings */
+	pxy=PROXY_new();
+	PROXY_add_server(pxy,PROXY_PROTOCOL_SOCKS,"gromit:1080");
+
+	bio=BIO_new(BIO_s_socks4a_connect());
+
+	BIO_set_conn_hostname(bio,host);
+	BIO_set_proxies(bio,pxy);
+	BIO_set_socks_userid(bio,"eay");
+	BIO_set_nbio(bio,1);
+
+	p="GET / HTTP/1.0\r\n\r\n";
+	len=strlen(p);
+
+	off=0;
+	for (;;)
+		{
+		i=BIO_write(bio,&(p[off]),len);
+		if (i <= 0)
+			{
+			if (BIO_should_retry(bio))
+				{
+				fprintf(stderr,"write DELAY\n");
+				sleep(1);
+				continue;
+				}
+			else
+				{
+				goto err;
+				}
+			}
+		off+=i;
+		len-=i;
+		if (len <= 0) break;
+		}
+
+	for (;;)
+		{
+		i=BIO_read(bio,buf,sizeof(buf));
+		if (i == 0) break;
+		if (i < 0)
+			{
+			if (BIO_should_retry(bio))
+				{
+				fprintf(stderr,"read DELAY\n");
+				sleep(1);
+				continue;
+				}
+			goto err;
+			}
+		fwrite(buf,1,i,stdout);
+		}
+
+	ret=1;
+
+	if (0)
+		{
+err:
+		if (ERR_peek_error() == 0) /* system call error */
+			{
+			fprintf(stderr,"errno=%d ",errno);
+			perror("error");
+			}
+		else
+			ERR_print_errors_fp(stderr);
+		}
+	BIO_free_all(bio);
+	if (pxy != NULL) PROXY_free(pxy);
+	exit(!ret);
+	return(ret);
+	}
+
diff --git a/crypto/openssl/demos/eay/loadrsa.c b/crypto/openssl/demos/eay/loadrsa.c
new file mode 100644
index 0000000..79f1885
--- /dev/null
+++ b/crypto/openssl/demos/eay/loadrsa.c
@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <openssl/rsa.h>
+
+/* This is a simple program to generate an RSA private key.  It then
+ * saves both the public and private key into a char array, then
+ * re-reads them.  It saves them as DER encoded binary data.
+ */
+
+void callback(stage,count,arg)
+int stage,count;
+char *arg;
+	{
+	FILE *out;
+
+	out=(FILE *)arg;
+	fprintf(out,"%d",stage);
+	if (stage == 3)
+		fprintf(out,"\n");
+	fflush(out);
+	}
+
+main()
+	{
+	RSA *rsa,*pub_rsa,*priv_rsa;
+	int len;
+	unsigned char buf[1024],*p;
+
+	rsa=RSA_generate_key(512,RSA_F4,callback,(char *)stdout);
+
+	p=buf;
+
+	/* Save the public key into buffer, we know it will be big enough
+	 * but we should really check how much space we need by calling the
+	 * i2d functions with a NULL second parameter */
+	len=i2d_RSAPublicKey(rsa,&p);
+	len+=i2d_RSAPrivateKey(rsa,&p);
+
+	printf("The public and private key are now both in a char array\n");
+	printf("and are taking up %d bytes\n",len);
+
+	RSA_free(rsa);
+
+	p=buf;
+	pub_rsa=d2i_RSAPublicKey(NULL,&p,(long)len);
+	len-=(p-buf);
+	priv_rsa=d2i_RSAPrivateKey(NULL,&p,(long)len);
+
+	if ((pub_rsa == NULL) || (priv_rsa == NULL))
+		ERR_print_errors_fp(stderr);
+
+	RSA_free(pub_rsa);
+	RSA_free(priv_rsa);
+	}
diff --git a/crypto/openssl/demos/maurice/Makefile b/crypto/openssl/demos/maurice/Makefile
new file mode 100644
index 0000000..f9bf622
--- /dev/null
+++ b/crypto/openssl/demos/maurice/Makefile
@@ -0,0 +1,59 @@
+CC=cc
+CFLAGS= -g -I../../include -Wall
+LIBS=  -L../.. -lcrypto
+EXAMPLES=example1 example2 example3 example4
+
+all: $(EXAMPLES) 
+
+example1: example1.o loadkeys.o 
+	$(CC) -o example1 example1.o loadkeys.o $(LIBS)
+
+example2: example2.o loadkeys.o
+	$(CC) -o example2 example2.o loadkeys.o $(LIBS)
+
+example3: example3.o 
+	$(CC) -o example3 example3.o $(LIBS)
+
+example4: example4.o
+	$(CC) -o example4 example4.o $(LIBS)
+
+clean:	
+	rm -f $(EXAMPLES) *.o
+
+test: all
+	@echo
+	@echo Example 1 Demonstrates the sealing and opening APIs
+	@echo Doing the encrypt side...
+	./example1 <README >t.t
+	@echo Doing the decrypt side...
+	./example1 -d <t.t >t.2
+	diff t.2 README
+	rm -f t.t t.2
+	@echo  example1 is OK
+
+	@echo
+	@echo Example2 Demonstrates rsa encryption and decryption
+	@echo   and it should just print \"This the clear text\"
+	./example2
+
+	@echo
+	@echo Example3 Demonstrates the use of symmetric block ciphers
+	@echo in this case it uses EVP_des_ede3_cbc
+	@echo i.e. triple DES in Cipher Block Chaining mode
+	@echo Doing the encrypt side...
+	./example3 ThisIsThePassword <README >t.t
+	@echo Doing the decrypt side...
+	./example3 -d ThisIsThePassword <t.t >t.2
+	diff t.2 README
+	rm -f t.t t.2
+	@echo  example3 is OK
+
+	@echo
+	@echo Example4 Demonstrates base64 encoding and decoding
+	@echo Doing the encrypt side...
+	./example4 <README >t.t
+	@echo Doing the decrypt side...
+	./example4 -d <t.t >t.2
+	diff t.2 README
+	rm -f t.t t.2
+	@echo example4 is OK
diff --git a/crypto/openssl/demos/maurice/README b/crypto/openssl/demos/maurice/README
new file mode 100644
index 0000000..29778d5
--- /dev/null
+++ b/crypto/openssl/demos/maurice/README
@@ -0,0 +1,34 @@
+From Maurice Gittens <mgittens@gits.nl>
+--
+	Example programs, demonstrating some basic SSLeay crypto library
+	operations, to help you not to make the same mistakes I did. 
+
+	The following files are present.
+	- loadkeys.c 	Demonstrates the loading and of public and 
+			private keys.
+	- loadkeys.h   	The interface for loadkeys.c
+	- example1.c    Demonstrates the sealing and opening API's
+	- example2.c  	Demonstrates rsa encryption and decryption
+	- example3.c    Demonstrates the use of symmetric block ciphers
+	- example4.c	Demonstrates base64 and decoding 		
+	- Makefile	A makefile you probably will have to adjust for
+			your environment
+	- README	this file
+
+
+	The programs were written by Maurice Gittens <mgittens@gits.nl>
+	with the necesary help from Eric Young <eay@cryptsoft.com> 
+	
+	You may do as you please with these programs, but please don't
+	pretend that you wrote them. 
+
+	To be complete: If you use these programs you acknowlegde that
+	you are aware that there is NO warranty of any kind associated
+	with these programs. I don't even claim that the programs work,
+	they are provided AS-IS.
+
+ 	January 1997
+
+	Maurice	
+
+
diff --git a/crypto/openssl/demos/maurice/cert.pem b/crypto/openssl/demos/maurice/cert.pem
new file mode 100644
index 0000000..e31a9ae
--- /dev/null
+++ b/crypto/openssl/demos/maurice/cert.pem
@@ -0,0 +1,77 @@
+issuer :/C=NL/SP=Brabant/L=Eindhoven/O=Gittens Information Systems B.V./OU=Certification Services/CN=ca.gits.nl/Email=mgittens@gits.nl
+subject:/C=NL/SP=Brabant/O=Gittens Information Systems B.V./OU=Certification Services/CN=caleb.gits.nl/Email=mgittens@gits.nl
+serial :01
+
+Certificate:
+    Data:
+        Version: 0 (0x0)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=NL, SP=Brabant, L=Eindhoven, O=Gittens Information Systems B.V., OU=Certification Services, CN=ca.gits.nl/Email=mgittens@gits.nl
+        Validity
+            Not Before: Jan  5 13:21:16 1997 GMT
+            Not After : Jul 24 13:21:16 1997 GMT
+        Subject: C=NL, SP=Brabant, O=Gittens Information Systems B.V., OU=Certification Services, CN=caleb.gits.nl/Email=mgittens@gits.nl
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:dd:82:a0:fe:a9:8d:6a:02:7e:78:d6:33:75:9b:
+                    82:01:4b:12:80:ea:6b:9b:83:9e:e3:ae:dc:f3:d0:
+                    71:7c:4b:ea:03:57:b4:cc:ba:44:5b:b8:4b:49:d3:
+                    f6:39:cc:3d:12:1f:da:58:26:27:bc:bc:ab:a4:6d:
+                    62:d1:91:5a:47:9f:80:40:c1:b9:fa:e3:1e:ef:52:
+                    78:46:26:43:65:1d:f2:6b:bf:ff:c0:81:66:14:cd:
+                    81:32:91:f1:f8:51:7d:0e:17:1f:27:fc:c7:51:fd:
+                    1c:73:41:e5:66:43:3c:67:a3:09:b9:5e:36:50:50:
+                    b1:e8:42:bd:5c:c6:2b:ec:a9:2c:fe:6a:fe:40:26:
+                    64:9e:b9:bf:2d:1d:fb:d0:48:5b:82:2a:8e:ab:a4:
+                    d5:7b:5f:26:84:8a:9a:69:5e:c1:71:e2:a9:59:4c:
+                    2a:76:f7:fd:f4:cf:3f:d3:ce:30:72:62:65:1c:e9:
+                    e9:ee:d2:fc:44:00:1e:e0:80:57:e9:41:b3:f0:44:
+                    e5:0f:77:3b:1a:1f:57:5e:94:1d:c3:a5:fa:af:41:
+                    8c:4c:30:6b:2b:00:84:52:0c:64:0c:a8:5b:17:16:
+                    d1:1e:f8:ea:72:01:47:9a:b9:21:95:f9:71:ed:7c:
+                    d2:93:54:0c:c5:9c:e8:e5:40:28:c5:a0:ca:b1:a9:
+                    20:f9
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md5withRSAEncryption
+        93:08:f9:e0:d4:c5:ca:95:de:4e:38:3b:28:87:e9:d3:b6:ce:
+        4f:69:2e:c9:09:57:2f:fa:e2:50:9f:39:ec:f3:84:e8:3a:8f:
+        9b:c3:06:62:90:49:93:6d:23:7a:2b:3d:7b:f9:46:32:18:d3:
+        87:44:49:f7:29:2f:f3:58:97:70:c3:45:5b:90:52:1c:df:fb:
+        a8:a3:a1:29:53:a3:4c:ed:d2:51:d0:44:98:a4:14:6f:76:9d:
+        0d:03:76:e5:d3:13:21:ce:a3:4d:2a:77:fe:ad:b3:47:6d:42:
+        b9:4a:0e:ff:61:f4:ec:62:b2:3b:00:9c:ac:16:a2:ec:19:c8:
+        c7:3d:d7:7d:97:cd:4d:1a:d2:00:07:4e:40:3d:b9:ba:1e:e2:
+        fe:81:28:57:b9:ad:2b:74:59:b0:9f:8b:a5:98:d3:75:06:67:
+        4a:04:11:b2:ea:1a:8c:e0:d4:be:c8:0c:46:76:7f:5f:5a:7b:
+        72:09:dd:b6:d3:6b:97:70:e8:7e:17:74:1c:f7:3a:5f:e3:fa:
+        c2:f7:95:bd:74:5e:44:4b:9b:bd:27:de:02:7f:87:1f:68:68:
+        60:b9:f4:1d:2b:7b:ce:ef:b1:7f:3a:be:b9:66:60:54:6f:0c:
+        a0:dd:8c:03:a7:f1:9f:f8:0e:8d:bb:c6:ba:77:61:f7:8e:be:
+        28:ba:d8:4f
+
+-----BEGIN CERTIFICATE-----
+MIIDzzCCArcCAQEwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAk5MMRAwDgYD
+VQQIEwdCcmFiYW50MRIwEAYDVQQHEwlFaW5kaG92ZW4xKTAnBgNVBAoTIEdpdHRl
+bnMgSW5mb3JtYXRpb24gU3lzdGVtcyBCLlYuMR8wHQYDVQQLExZDZXJ0aWZpY2F0
+aW9uIFNlcnZpY2VzMRMwEQYDVQQDEwpjYS5naXRzLm5sMR8wHQYJKoZIhvcNAQkB
+FhBtZ2l0dGVuc0BnaXRzLm5sMB4XDTk3MDEwNTEzMjExNloXDTk3MDcyNDEzMjEx
+NlowgaQxCzAJBgNVBAYTAk5MMRAwDgYDVQQIEwdCcmFiYW50MSkwJwYDVQQKEyBH
+aXR0ZW5zIEluZm9ybWF0aW9uIFN5c3RlbXMgQi5WLjEfMB0GA1UECxMWQ2VydGlm
+aWNhdGlvbiBTZXJ2aWNlczEWMBQGA1UEAxMNY2FsZWIuZ2l0cy5ubDEfMB0GCSqG
+SIb3DQEJARYQbWdpdHRlbnNAZ2l0cy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAN2CoP6pjWoCfnjWM3WbggFLEoDqa5uDnuOu3PPQcXxL6gNXtMy6
+RFu4S0nT9jnMPRIf2lgmJ7y8q6RtYtGRWkefgEDBufrjHu9SeEYmQ2Ud8mu//8CB
+ZhTNgTKR8fhRfQ4XHyf8x1H9HHNB5WZDPGejCbleNlBQsehCvVzGK+ypLP5q/kAm
+ZJ65vy0d+9BIW4Iqjquk1XtfJoSKmmlewXHiqVlMKnb3/fTPP9POMHJiZRzp6e7S
+/EQAHuCAV+lBs/BE5Q93OxofV16UHcOl+q9BjEwwaysAhFIMZAyoWxcW0R746nIB
+R5q5IZX5ce180pNUDMWc6OVAKMWgyrGpIPkCAwEAATANBgkqhkiG9w0BAQQFAAOC
+AQEAkwj54NTFypXeTjg7KIfp07bOT2kuyQlXL/riUJ857POE6DqPm8MGYpBJk20j
+eis9e/lGMhjTh0RJ9ykv81iXcMNFW5BSHN/7qKOhKVOjTO3SUdBEmKQUb3adDQN2
+5dMTIc6jTSp3/q2zR21CuUoO/2H07GKyOwCcrBai7BnIxz3XfZfNTRrSAAdOQD25
+uh7i/oEoV7mtK3RZsJ+LpZjTdQZnSgQRsuoajODUvsgMRnZ/X1p7cgndttNrl3Do
+fhd0HPc6X+P6wveVvXReREubvSfeAn+HH2hoYLn0HSt7zu+xfzq+uWZgVG8MoN2M
+A6fxn/gOjbvGundh946+KLrYTw==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/demos/maurice/example1.c b/crypto/openssl/demos/maurice/example1.c
new file mode 100644
index 0000000..0e70523
--- /dev/null
+++ b/crypto/openssl/demos/maurice/example1.c
@@ -0,0 +1,200 @@
+/* NOCW */
+/*
+	Please read the README file for condition of use, before
+	using this software.
+	
+	Maurice Gittens  <mgittens@gits.nl>   January 1997
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <strings.h>
+#include <stdlib.h>
+
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+#include "loadkeys.h"
+
+#define PUBFILE   "cert.pem"
+#define PRIVFILE  "privkey.pem"
+
+#define STDIN     0
+#define STDOUT    1 
+
+void main_encrypt(void);
+void main_decrypt(void);
+
+static const char *usage = "Usage: example1 [-d]\n";
+
+int main(int argc, char *argv[])
+{
+
+        ERR_load_crypto_strings();
+
+	if ((argc == 1))	
+	{
+		main_encrypt();
+	}	
+	else if ((argc == 2) && !strcmp(argv[1],"-d"))
+	{
+		main_decrypt();
+	}
+	else
+	{
+		printf("%s",usage);
+		exit(1);
+	}
+
+	return 0;		
+}
+
+void main_encrypt(void)
+{
+	unsigned int ebuflen;
+        EVP_CIPHER_CTX ectx;
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+	unsigned char *ekey[1]; 
+	int readlen;
+	int ekeylen, net_ekeylen; 
+	EVP_PKEY *pubKey[1];
+	char buf[512];
+	char ebuf[512];
+	
+ 	memset(iv, '\0', sizeof(iv));
+
+        pubKey[0] = ReadPublicKey(PUBFILE);
+
+	if(!pubKey)
+	{
+           fprintf(stderr,"Error: can't load public key");
+           exit(1);
+        }      
+
+        ekey[0] = malloc(EVP_PKEY_size(pubKey[0]));  
+        if (!ekey[0])
+	{
+	   EVP_PKEY_free(pubKey[0]); 
+	   perror("malloc");
+	   exit(1);
+	}
+
+	EVP_SealInit(&ectx,
+                   EVP_des_ede3_cbc(),
+		   ekey,
+		   &ekeylen,
+		   iv,
+		   pubKey,
+		   1); 
+
+	net_ekeylen = htonl(ekeylen);	
+	write(STDOUT, (char*)&net_ekeylen, sizeof(net_ekeylen));
+        write(STDOUT, ekey[0], ekeylen);
+        write(STDOUT, iv, sizeof(iv));
+
+	while(1)
+	{
+		readlen = read(STDIN, buf, sizeof(buf));
+
+		if (readlen <= 0)
+		{
+		   if (readlen < 0)
+			perror("read");
+
+		   break;
+		}
+
+		EVP_SealUpdate(&ectx, ebuf, &ebuflen, buf, readlen);
+
+		write(STDOUT, ebuf, ebuflen);
+	}
+
+        EVP_SealFinal(&ectx, ebuf, &ebuflen);
+        
+	write(STDOUT, ebuf, ebuflen);
+
+        EVP_PKEY_free(pubKey[0]);
+	free(ekey[0]);
+}
+
+void main_decrypt(void)
+{
+	char buf[512];
+	char ebuf[512];
+	unsigned int buflen;
+        EVP_CIPHER_CTX ectx;
+        unsigned char iv[8];
+	unsigned char *encryptKey; 
+	unsigned int ekeylen; 
+	EVP_PKEY *privateKey;
+
+	memset(iv, '\0', sizeof(iv));
+
+	privateKey = ReadPrivateKey(PRIVFILE);
+	if (!privateKey)
+	{
+		fprintf(stderr, "Error: can't load private key");
+		exit(1);	
+	}
+
+     	read(STDIN, &ekeylen, sizeof(ekeylen));
+	ekeylen = ntohl(ekeylen);
+
+	if (ekeylen != EVP_PKEY_size(privateKey))
+	{
+        	EVP_PKEY_free(privateKey);
+		fprintf(stderr, "keylength mismatch");
+		exit(1);	
+	}
+
+	encryptKey = malloc(sizeof(char) * ekeylen);
+	if (!encryptKey)
+	{
+        	EVP_PKEY_free(privateKey);
+		perror("malloc");
+		exit(1);
+	}
+
+	read(STDIN, encryptKey, ekeylen);
+	read(STDIN, iv, sizeof(iv));
+
+	EVP_OpenInit(&ectx,
+		   EVP_des_ede3_cbc(), 
+		   encryptKey,
+		   ekeylen,
+		   iv,
+		   privateKey); 	
+
+	while(1)
+	{
+		int readlen = read(STDIN, ebuf, sizeof(ebuf));
+
+		if (readlen <= 0)
+		{
+			if (readlen < 0)
+				perror("read");
+
+			break;
+		}
+
+		EVP_OpenUpdate(&ectx, buf, &buflen, ebuf, readlen);
+
+		write(STDOUT, buf, buflen);
+	}
+
+        EVP_OpenFinal(&ectx, buf, &buflen);
+
+	write(STDOUT, buf, buflen);
+
+        EVP_PKEY_free(privateKey);
+	free(encryptKey);
+}
+
+
diff --git a/crypto/openssl/demos/maurice/example2.c b/crypto/openssl/demos/maurice/example2.c
new file mode 100644
index 0000000..57bce10
--- /dev/null
+++ b/crypto/openssl/demos/maurice/example2.c
@@ -0,0 +1,75 @@
+/* NOCW */
+/*
+        Please read the README file for condition of use, before
+        using this software.
+
+        Maurice Gittens  <mgittens@gits.nl>   January 1997
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <strings.h>
+
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+#include "loadkeys.h"
+
+#define PUBFILE   "cert.pem"
+#define PRIVFILE  "privkey.pem"
+#define STDIN     0
+#define STDOUT    1 
+
+int main()
+{
+        char *ct = "This the clear text";
+	char *buf;   
+	char *buf2;
+  	EVP_PKEY *pubKey;
+  	EVP_PKEY *privKey;
+	int len;
+
+        ERR_load_crypto_strings();
+
+        privKey = ReadPrivateKey(PRIVFILE);
+        if (!privKey) 
+	{  
+		ERR_print_errors_fp (stderr);    
+		exit (1);  
+	}
+
+        pubKey = ReadPublicKey(PUBFILE);  
+	if(!pubKey)
+	{
+	   EVP_PKEY_free(privKey);   
+           fprintf(stderr,"Error: can't load public key");
+	   exit(1);
+	}
+
+	/* No error checking */
+        buf = malloc(EVP_PKEY_size(pubKey));
+        buf2 = malloc(EVP_PKEY_size(pubKey));
+
+	len = RSA_public_encrypt(strlen(ct)+1, ct, buf, pubKey->pkey.rsa,RSA_PKCS1_PADDING);
+
+	if (len != EVP_PKEY_size(pubKey))
+	{
+	    fprintf(stderr,"Error: ciphertext should match length of key\n");
+	    exit(1);
+	}
+
+	RSA_private_decrypt(len, buf, buf2, privKey->pkey.rsa,RSA_PKCS1_PADDING);
+
+	printf("%s\n", buf2);
+
+	EVP_PKEY_free(privKey);
+	EVP_PKEY_free(pubKey);
+	free(buf);
+	free(buf2);
+        return 0;
+}
diff --git a/crypto/openssl/demos/maurice/example3.c b/crypto/openssl/demos/maurice/example3.c
new file mode 100644
index 0000000..c8462a4
--- /dev/null
+++ b/crypto/openssl/demos/maurice/example3.c
@@ -0,0 +1,85 @@
+/* NOCW */
+/*
+        Please read the README file for condition of use, before
+        using this software.
+
+        Maurice Gittens  <mgittens@gits.nl>   January 1997
+
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <openssl/evp.h>
+
+#define STDIN     	0
+#define STDOUT    	1
+#define BUFLEN	  	512 
+#define INIT_VECTOR 	"12345678"
+#define ENCRYPT		1
+#define DECRYPT         0
+#define ALG		EVP_des_ede3_cbc()
+
+static const char *usage = "Usage: example3 [-d] password\n";
+
+void do_cipher(char *,int);
+
+int main(int argc, char *argv[])
+{
+	if ((argc == 2))	
+	{
+		do_cipher(argv[1],ENCRYPT);
+	}	
+	else if ((argc == 3) && !strcmp(argv[1],"-d"))
+	{
+		do_cipher(argv[2],DECRYPT);
+	}
+	else
+	{
+		fprintf(stderr,"%s", usage);
+		exit(1);
+	}
+
+	return 0;		
+}
+
+void do_cipher(char *pw, int operation)
+{
+	char buf[BUFLEN];
+	char ebuf[BUFLEN + 8];
+	unsigned int ebuflen; /* rc; */
+        unsigned char iv[EVP_MAX_IV_LENGTH], key[EVP_MAX_KEY_LENGTH];
+	/* unsigned int ekeylen, net_ekeylen;  */
+	EVP_CIPHER_CTX ectx;
+        
+	memcpy(iv, INIT_VECTOR, sizeof(iv));
+
+	EVP_BytesToKey(ALG, EVP_md5(), "salu", pw, strlen(pw), 1, key, iv);
+
+	EVP_CipherInit(&ectx, ALG, key, iv, operation);
+
+	while(1)
+	{
+		int readlen = read(STDIN, buf, sizeof(buf));
+	
+		if (readlen <= 0)
+		{
+			if (!readlen)
+			   break;
+			else
+			{
+				perror("read");
+				exit(1);
+			}
+		}
+
+		EVP_CipherUpdate(&ectx, ebuf, &ebuflen, buf, readlen);
+
+		write(STDOUT, ebuf, ebuflen);
+	}
+
+        EVP_CipherFinal(&ectx, ebuf, &ebuflen); 
+
+	write(STDOUT, ebuf, ebuflen); 
+}
diff --git a/crypto/openssl/demos/maurice/example4.c b/crypto/openssl/demos/maurice/example4.c
new file mode 100644
index 0000000..ce62984
--- /dev/null
+++ b/crypto/openssl/demos/maurice/example4.c
@@ -0,0 +1,123 @@
+/* NOCW */
+/*
+        Please read the README file for condition of use, before
+        using this software.
+
+        Maurice Gittens  <mgittens@gits.nl>   January 1997
+
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <openssl/evp.h>
+
+#define STDIN     	0
+#define STDOUT    	1
+#define BUFLEN	  	512 
+
+static const char *usage = "Usage: example4 [-d]\n";
+
+void do_encode(void);
+void do_decode(void);
+
+int main(int argc, char *argv[])
+{
+	if ((argc == 1))	
+	{
+		do_encode();
+	}	
+	else if ((argc == 2) && !strcmp(argv[1],"-d"))
+	{
+		do_decode();
+	}
+	else
+	{
+		fprintf(stderr,"%s", usage);
+		exit(1);
+	}
+
+	return 0;		
+}
+
+void do_encode()
+{
+	char buf[BUFLEN];
+	char ebuf[BUFLEN+24];
+	unsigned int ebuflen;
+	EVP_ENCODE_CTX ectx;
+        
+	EVP_EncodeInit(&ectx);
+
+	while(1)
+	{
+		int readlen = read(STDIN, buf, sizeof(buf));
+	
+		if (readlen <= 0)
+		{
+			if (!readlen)
+			   break;
+			else
+			{
+				perror("read");
+				exit(1);
+			}
+		}
+
+		EVP_EncodeUpdate(&ectx, ebuf, &ebuflen, buf, readlen);
+
+		write(STDOUT, ebuf, ebuflen);
+	}
+
+        EVP_EncodeFinal(&ectx, ebuf, &ebuflen); 
+
+	write(STDOUT, ebuf, ebuflen);
+}
+
+void do_decode()
+{
+ 	char buf[BUFLEN];
+ 	char ebuf[BUFLEN+24];
+	unsigned int ebuflen;
+	EVP_ENCODE_CTX ectx;
+        
+	EVP_DecodeInit(&ectx);
+
+	while(1)
+	{
+		int readlen = read(STDIN, buf, sizeof(buf));
+		int rc;	
+	
+		if (readlen <= 0)
+		{
+			if (!readlen)
+			   break;
+			else
+			{
+				perror("read");
+				exit(1);
+			}
+		}
+
+		rc = EVP_DecodeUpdate(&ectx, ebuf, &ebuflen, buf, readlen);
+		if (rc <= 0)
+		{
+			if (!rc)
+			{
+				write(STDOUT, ebuf, ebuflen);
+				break;
+			}
+
+			fprintf(stderr, "Error: decoding message\n");
+			return;
+		}
+
+		write(STDOUT, ebuf, ebuflen);
+	}
+
+        EVP_DecodeFinal(&ectx, ebuf, &ebuflen); 
+
+	write(STDOUT, ebuf, ebuflen); 
+}
+
diff --git a/crypto/openssl/demos/maurice/loadkeys.c b/crypto/openssl/demos/maurice/loadkeys.c
new file mode 100644
index 0000000..0f34647
--- /dev/null
+++ b/crypto/openssl/demos/maurice/loadkeys.c
@@ -0,0 +1,77 @@
+/* NOCW */
+/*
+        Please read the README file for condition of use, before
+        using this software.
+
+        Maurice Gittens  <mgittens@gits.nl>   January 1997
+
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <strings.h>
+#include <stdlib.h>
+
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+EVP_PKEY * ReadPublicKey(const char *certfile)
+{
+  FILE *fp = fopen (certfile, "r");   
+  X509 *x509;
+  EVP_PKEY *pkey;
+
+  if (!fp) 
+     return NULL; 
+
+  x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
+                                   PEM_STRING_X509,
+                                   fp, NULL, NULL);
+
+  if (x509 == NULL) 
+  {  
+     ERR_print_errors_fp (stderr);
+     return NULL;   
+  }
+
+  fclose (fp);
+  
+  pkey=X509_extract_key(x509);
+
+  X509_free(x509);
+
+  if (pkey == NULL) 
+     ERR_print_errors_fp (stderr);
+
+  return pkey; 
+}
+
+EVP_PKEY *ReadPrivateKey(const char *keyfile)
+{
+	FILE *fp = fopen(keyfile, "r");
+	EVP_PKEY *pkey;
+
+	if (!fp)
+		return NULL;
+
+	pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
+                              PEM_STRING_EVP_PKEY,
+                              fp,
+                              NULL, NULL);
+
+	fclose (fp);
+
+  	if (pkey == NULL) 
+		ERR_print_errors_fp (stderr);   
+
+	return pkey;
+}
+
+
diff --git a/crypto/openssl/demos/maurice/loadkeys.h b/crypto/openssl/demos/maurice/loadkeys.h
new file mode 100644
index 0000000..d8fde86
--- /dev/null
+++ b/crypto/openssl/demos/maurice/loadkeys.h
@@ -0,0 +1,19 @@
+/* NOCW */
+/*
+        Please read the README file for condition of use, before
+        using this software.
+
+        Maurice Gittens  <mgittens@gits.nl>   January 1997
+
+*/
+
+#ifndef LOADKEYS_H_SEEN
+#define LOADKEYS_H_SEEN
+
+#include <openssl/evp.h>
+
+EVP_PKEY * ReadPublicKey(const char *certfile);
+EVP_PKEY *ReadPrivateKey(const char *keyfile);
+
+#endif
+
diff --git a/crypto/openssl/demos/maurice/privkey.pem b/crypto/openssl/demos/maurice/privkey.pem
new file mode 100644
index 0000000..fc3554e
--- /dev/null
+++ b/crypto/openssl/demos/maurice/privkey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3YKg/qmNagJ+eNYzdZuCAUsSgOprm4Oe467c89BxfEvqA1e0
+zLpEW7hLSdP2Ocw9Eh/aWCYnvLyrpG1i0ZFaR5+AQMG5+uMe71J4RiZDZR3ya7//
+wIFmFM2BMpHx+FF9DhcfJ/zHUf0cc0HlZkM8Z6MJuV42UFCx6EK9XMYr7Kks/mr+
+QCZknrm/LR370EhbgiqOq6TVe18mhIqaaV7BceKpWUwqdvf99M8/084wcmJlHOnp
+7tL8RAAe4IBX6UGz8ETlD3c7Gh9XXpQdw6X6r0GMTDBrKwCEUgxkDKhbFxbRHvjq
+cgFHmrkhlflx7XzSk1QMxZzo5UAoxaDKsakg+QIDAQABAoIBAQC0hnh083PnuJ6g
+Flob+B+stCUhYWtPc6ZzgphaMD+9ABV4oescipWZdooNYiyikBwZgFIvUvFBtTXh
+rLBDgUVlZ81beUb7/EvC2aBh818rsotWW0Sw/ARY4d7wetcL/EWBzUA8E5vR6wlb
+uZGelR9OiyYqp2h2bj1/v5yaVnuHxBeBj5clTHtPMXc+/70iUNBDMZ0ruZTdSwll
+e0DH8pp/5USYewlrKtRIJT7elC8LFMqEz4OpNvfaR2OEY0FatYYmSvQPNwV8/Eor
+XlNzRi9qD0uXbVexaAgQZ3/KZuAzUbOgwJZZXEAOGkZ/J1n08jljPXdU0o7bHhNl
+7siHbuEBAoGBAP53IvvJkhnH8Akf6E6sXelZkPKHnwDwfywDAiIhXza9DB1DViRS
+bZUB5gzcxmLGalex5+LcwZmsqFO5NXZ8SQeE9p0YT8yJsX4J1w9JzSvsWJBS2vyW
+Kbt21oG6JAGrWSGMIfxKpuahtWLf4JpGjftti0qIVQ60GKEPc1/xE2PZAoGBAN7Y
+nRPaUaqcIwbnH9kovOKwZ/PWREy1ecr3YXj65VYTnwSJHD0+CJa/DX8eB/G4AoNA
+Y2LPbq0Xu3+7SaUsO45VkaZuJmNwheUQ4tmyd/YdnVZ0AHXx1tvpR7QeO0WjnlNK
+mR+x00fetrff2Ypahs0wtU0Xf3F8ORgVB8jnxBIhAoGAcwf0PpI+g30Im3dbEsWE
+poogpiJ81HXjZ0fs3PTtD9eh9FCOTlkcxHFZR5M980TyqbX4t2tH8WpFpaNh8a/5
+a3bF7PoiiLnuDKXyHC0mnKZ42rU53VkcgGwWSAqXYFHPNwUcD+rHTBbp4kqGQ/eF
+E5XPk9/RY5YyVAyiAUr/kvECgYBvW1Ua75SxqbZDI8mhbZ79tGMt0NtubZz/1KCL
+oOxrGAD1dkJ7Q/1svunSpMIZgvcWeV1wqfFHY72ZNZC2jiTwmkffH9nlBPyTm92Q
+JYOWo/PUmMEGLyRL3gWrtxOtV/as7nEYCndmyZ8KwTxmy5fi/z0J2f0gS5AIPbIX
+LeGnoQKBgQDapjz9K4HWR5AMxyga4eiLIrmADySP846uz3eZIvTJQZ+6TAamvnno
+KbnU21cGq5HBBtxqQvGswLPGW9rZAgykHHJmYBUp0xv4+I4qHfXyD7QNmvq+Vxjj
+V2tgIafEpaf2ZsfM7BZeZz8MzeGcDwyrHtIO1FQiYN5Qz9Hq68XmVA==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/demos/prime/Makefile b/crypto/openssl/demos/prime/Makefile
new file mode 100644
index 0000000..0166cd4
--- /dev/null
+++ b/crypto/openssl/demos/prime/Makefile
@@ -0,0 +1,20 @@
+CC=cc
+CFLAGS= -g -I../../include -Wall
+LIBS=  -L../.. -lcrypto
+EXAMPLES=prime
+
+all: $(EXAMPLES) 
+
+prime: prime.o
+	$(CC) -o prime prime.o $(LIBS)
+
+clean:	
+	rm -f $(EXAMPLES) *.o
+
+test: all
+	@echo Test creating a 128-bit prime
+	./prime 128
+	@echo Test creating a 256-bit prime
+	./prime 256
+	@echo Test creating a 512-bit prime
+	./prime 512
diff --git a/crypto/openssl/demos/prime/prime.c b/crypto/openssl/demos/prime/prime.c
new file mode 100644
index 0000000..103e0ef
--- /dev/null
+++ b/crypto/openssl/demos/prime/prime.c
@@ -0,0 +1,101 @@
+/* demos/prime/prime.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/bn.h>    
+
+void callback(type,num)
+int type,num;
+	{
+	if (type == 0)
+		fprintf(stderr,".");
+	else if (type == 1)
+		fprintf(stderr,"+");
+	else if (type == 2)
+		fprintf(stderr,"*");
+	fflush(stderr);
+	}
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	BIGNUM *rand;
+	int num=256;
+
+	/* we should really call RAND_seed(char *bytes,int num);
+	 * to fully initalise the random number generator */
+	if (argc >= 2)
+		{
+		num=atoi(argv[1]);
+		if (num == 0) num=256;
+		}
+
+	fprintf(stderr,"generate a strong prime\n");
+        rand=BN_generate_prime(NULL,num,1,NULL,NULL,callback,NULL);
+	/* change the third parameter to 1 for a strong prime */
+	fprintf(stderr,"\n");
+
+	BN_print_fp(stdout,rand);           
+	fprintf(stdout,"\n");
+	BN_free(rand); 
+	exit(0);
+	return(0);
+	}
+
diff --git a/crypto/openssl/demos/privkey.pem b/crypto/openssl/demos/privkey.pem
new file mode 100644
index 0000000..ddae240
--- /dev/null
+++ b/crypto/openssl/demos/privkey.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAN+FmbxmHVOp/RxtpMGz0DvQEBz1sDktHp19hIoMSu0YZift5MAu
+4xAEJYvWVCshDiyOTWsUBXwZkrkt87FyctkCAwEAAQJAG/vxBGpQb6IPo1iC0RF/
+F430BnwoBPCGLbeCOXpSgx5X+19vuTSdEqMgeNB6+aNb+XY/7mvVfCjyD6WZ0oxs
+JQIhAPO+uL9cP40lFs62pdL3QSWsh3VNDByvOtr9LpeaxBm/AiEA6sKVfXsDQ5hd
+SHt9U61r2r8Lcxmzi9Kw6JNqjMmzqWcCIQCKoRy+aZ8Tjdas9yDVHh+FZ90bEBkl
+b1xQFNOdEj8aTQIhAOJWrO6INYNsWTPS6+hLYZtLamyUsQj0H+B8kNQge/mtAiEA
+nBfvUl243qbqN8gF7Az1u33uc9FsPVvQPiBzLxZ4ixw=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/demos/selfsign.c b/crypto/openssl/demos/selfsign.c
new file mode 100644
index 0000000..68904c6
--- /dev/null
+++ b/crypto/openssl/demos/selfsign.c
@@ -0,0 +1,180 @@
+/* NOCW */
+/* cc -o ssdemo -I../include selfsign.c ../libcrypto.a */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/pem.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int mkit(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
+
+int main()
+	{
+	BIO *bio_err;
+	X509 *x509=NULL;
+	EVP_PKEY *pkey=NULL;
+
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+	bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
+
+	mkit(&x509,&pkey,512,0,365);
+
+	RSA_print_fp(stdout,pkey->pkey.rsa,0);
+	X509_print_fp(stdout,x509);
+
+	PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
+	PEM_write_X509(stdout,x509);
+
+	X509_free(x509);
+	EVP_PKEY_free(pkey);
+
+#ifdef CUSTOM_EXT
+	/* Only needed if we add objects or custom extensions */
+	X509V3_EXT_cleanup();
+	OBJ_cleanup();
+#endif
+
+	CRYPTO_mem_leaks(bio_err);
+	BIO_free(bio_err);
+	return(0);
+	}
+
+#ifdef WIN16
+#  define MS_CALLBACK   _far _loadds
+#  define MS_FAR        _far
+#else
+#  define MS_CALLBACK
+#  define MS_FAR
+#endif
+
+static void MS_CALLBACK callback(p, n, arg)
+int p;
+int n;
+void *arg;
+	{
+	char c='B';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	fputc(c,stderr);
+	}
+
+int mkit(x509p,pkeyp,bits,serial,days)
+X509 **x509p;
+EVP_PKEY **pkeyp;
+int bits;
+int serial;
+int days;
+	{
+	X509 *x;
+	EVP_PKEY *pk;
+	RSA *rsa;
+	X509_NAME *name=NULL;
+	X509_NAME_ENTRY *ne=NULL;
+	X509_EXTENSION *ex=NULL;
+
+	
+	if ((pkeyp == NULL) || (*pkeyp == NULL))
+		{
+		if ((pk=EVP_PKEY_new()) == NULL)
+			{
+			abort(); 
+			return(0);
+			}
+		}
+	else
+		pk= *pkeyp;
+
+	if ((x509p == NULL) || (*x509p == NULL))
+		{
+		if ((x=X509_new()) == NULL)
+			goto err;
+		}
+	else
+		x= *x509p;
+
+	rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
+	if (!EVP_PKEY_assign_RSA(pk,rsa))
+		{
+		abort();
+		goto err;
+		}
+	rsa=NULL;
+
+	X509_set_version(x,3);
+	ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
+	X509_gmtime_adj(X509_get_notBefore(x),0);
+	X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
+	X509_set_pubkey(x,pk);
+
+	name=X509_get_subject_name(x);
+
+	/* This function creates and adds the entry, working out the
+	 * correct string type and performing checks on its length.
+	 * Normally we'd check the return value for errors...
+	 */
+	X509_NAME_add_entry_by_txt(name,"C",
+				MBSTRING_ASC, "UK", -1, -1, 0);
+	X509_NAME_add_entry_by_txt(name,"CN",
+				MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
+
+	X509_set_issuer_name(x,name);
+
+	/* Add extension using V3 code: we can set the config file as NULL
+	 * because we wont reference any other sections. We can also set
+         * the context to NULL because none of these extensions below will need
+	 * to access it.
+	 */
+
+	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_cert_type, "server");
+	X509_add_ext(x,ex,-1);
+	X509_EXTENSION_free(ex);
+
+	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_comment,
+						"example comment extension");
+	X509_add_ext(x,ex,-1);
+	X509_EXTENSION_free(ex);
+
+	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_ssl_server_name,
+							"www.openssl.org");
+
+	X509_add_ext(x,ex,-1);
+	X509_EXTENSION_free(ex);
+
+#if 0
+	/* might want something like this too.... */
+	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
+							"critical,CA:TRUE");
+
+
+	X509_add_ext(x,ex,-1);
+	X509_EXTENSION_free(ex);
+#endif
+
+#ifdef CUSTOM_EXT
+	/* Maybe even add our own extension based on existing */
+	{
+		int nid;
+		nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
+		X509V3_EXT_add_alias(nid, NID_netscape_comment);
+		ex = X509V3_EXT_conf_nid(NULL, NULL, nid,
+						"example comment alias");
+		X509_add_ext(x,ex,-1);
+		X509_EXTENSION_free(ex);
+	}
+#endif
+	
+	if (!X509_sign(x,pk,EVP_md5()))
+		goto err;
+
+	*x509p=x;
+	*pkeyp=pk;
+	return(1);
+err:
+	return(0);
+	}
diff --git a/crypto/openssl/demos/sign/Makefile b/crypto/openssl/demos/sign/Makefile
new file mode 100644
index 0000000..e6d391e
--- /dev/null
+++ b/crypto/openssl/demos/sign/Makefile
@@ -0,0 +1,15 @@
+CC=cc
+CFLAGS= -g -I../../include -Wall
+LIBS=  -L../.. -lcrypto
+EXAMPLES=sign
+
+all: $(EXAMPLES) 
+
+sign: sign.o
+	$(CC) -o sign sign.o $(LIBS)
+
+clean:	
+	rm -f $(EXAMPLES) *.o
+
+test: all
+	./sign
diff --git a/crypto/openssl/demos/sign/cert.pem b/crypto/openssl/demos/sign/cert.pem
new file mode 100644
index 0000000..9d7ac23
--- /dev/null
+++ b/crypto/openssl/demos/sign/cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
+bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
+dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
+DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
+EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
+dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
+EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
+L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
+BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
+9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/demos/sign/key.pem b/crypto/openssl/demos/sign/key.pem
new file mode 100644
index 0000000..239ad66
--- /dev/null
+++ b/crypto/openssl/demos/sign/key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
+2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
+oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
+8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
+a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
+WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
+6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/demos/sign/sig.txt b/crypto/openssl/demos/sign/sig.txt
new file mode 100644
index 0000000..5613c0e
--- /dev/null
+++ b/crypto/openssl/demos/sign/sig.txt
@@ -0,0 +1,158 @@
+From ssl-lists-owner@mincom.com Mon Sep 30 02:37:40 1996
+Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA11782
+  (5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 11:46:21 +1000
+Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id LAA18980 for ssl-users-outgoing; Mon, 30 Sep 1996 11:44:56 +1000 (EST)
+Received: from minbne.mincom.oz.au (minbne.mincom.oz.au [192.55.196.247]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id LAA18962 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 11:44:51 +1000 (EST)
+Received: by minbne.mincom.oz.au id AA22230
+  (5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 11:38:41 +1000
+Received: from brutus.neuronio.pt (brutus.neuronio.pt [193.126.253.2]) by bunyip.cc.uq.oz.au (8.7.6/8.7.3) with SMTP id LAA15824 for <ssl-users@mincom.com>; Mon, 30 Sep 1996 11:40:07 +1000
+Received: (from sampo@localhost) by brutus.neuronio.pt (8.6.11/8.6.11) id BAA08729; Mon, 30 Sep 1996 01:37:40 +0100
+Date: Mon, 30 Sep 1996 01:37:40 +0100
+Message-Id: <199609300037.BAA08729@brutus.neuronio.pt>
+From: Sampo Kellomaki <sampo@neuronio.pt>
+To: ssl-users@mincom.com
+Cc: sampo@brutus.neuronio.pt
+Subject: Signing with envelope routines
+Sender: ssl-lists-owner@mincom.com
+Precedence: bulk
+Status: RO
+X-Status: D
+
+
+I have been trying to figure out how to produce signatures with EVP_
+routines. I seem to be able to read in private key and sign some
+data ok, but I can't figure out how I am supposed to read in
+public key so that I could verify my signature. I use self signed
+certificate.
+
+I figured I should use
+	EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
+	                               fp, NULL, NULL);
+to read in private key and this seems to work Ok.
+
+However when I try analogous
+	EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
+	                               fp, NULL, NULL);
+the program fails with
+
+error:0D09508D:asn1 encoding routines:D2I_PUBLICKEY:unknown public key type:d2i_pu.c:93
+error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:232
+
+I figured that the second argument to PEM_ASN1_read should match the
+name in my PEM encoded object, hence PEM_STRING_X509.
+PEM_STRING_EVP_PKEY seems to be somehow magical
+because it matches whatever private key there happens to be. I could
+not find a similar constant to use with getting the certificate, however.
+
+Is my approach of using PEM_ASN1_read correct? What should I pass in
+as name?  Can I use normal (or even self signed) X509 certificate for
+verifying the signature?
+
+When will SSLeay documentation be written ;-)? If I would contribute
+comments to the code, would Eric take time to review them and include
+them in distribution?
+
+I'm using SSLeay-0.6.4. My program is included below along with the
+key and cert that I use.
+
+--Sampo
+
+-----------------------------------
+/* sign-it.cpp  -  Simple test app using SSLeay envelopes to sign data
+   29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
+
+#include <stdio.h>
+#include "rsa.h"
+#include "evp.h"
+#include "objects.h"
+#include "x509.h"
+#include "err.h"
+#include "pem.h"
+#include "ssl.h"
+
+void main ()
+{
+  int err;
+  int sig_len;
+  unsigned char sig_buf [4096];
+  const char certfile[] = "plain-cert.pem";
+  const char keyfile[]  = "plain-key.pem";
+  const char data[]     = "I owe you...";
+  EVP_MD_CTX     md_ctx;
+  EVP_PKEY*      pkey;
+  FILE*          fp;
+
+  SSL_load_error_strings();
+  
+  /* Read private key */
+  
+  fp = fopen (keyfile, "r");   if (fp == NULL) exit (1);
+  pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
+				   PEM_STRING_EVP_PKEY,
+				   fp,
+				   NULL, NULL);
+  if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  fclose (fp);
+  
+  /* Do the signature */
+  
+  EVP_SignInit   (&md_ctx, EVP_md5());
+  EVP_SignUpdate (&md_ctx, data, strlen(data));
+  sig_len = sizeof(sig_buf);
+  err = EVP_SignFinal (&md_ctx,
+		       sig_buf, 
+		       &sig_len,
+		       pkey);
+  if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  EVP_PKEY_free (pkey);
+  
+  /* Read public key */
+  
+  fp = fopen (certfile, "r");   if (fp == NULL) exit (1);
+  pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PublicKey,
+				   PEM_STRING_X509,
+				   fp,
+				   NULL, NULL);
+  if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  fclose (fp);
+  
+  /* Verify the signature */
+  
+  EVP_VerifyInit   (&md_ctx, EVP_md5());
+  EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
+  err = EVP_VerifyFinal (&md_ctx,
+			 sig_buf,
+			 sig_len,
+			 pkey);
+  if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  EVP_PKEY_free (pkey);
+  printf ("Signature Verified Ok.\n");
+}
+/* EOF */
+--------------- plain-cert.pem -----------------
+-----BEGIN CERTIFICATE-----
+MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
+bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
+dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
+DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
+EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
+dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
+EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
+L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
+BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
+9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
+-----END CERTIFICATE-----
+---------------- plain-key.pem -----------------
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
+2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
+oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
+8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
+a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
+WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
+6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
+-----END RSA PRIVATE KEY-----
+------------------------------------------------
+
diff --git a/crypto/openssl/demos/sign/sign.c b/crypto/openssl/demos/sign/sign.c
new file mode 100644
index 0000000..0fdf0de
--- /dev/null
+++ b/crypto/openssl/demos/sign/sign.c
@@ -0,0 +1,153 @@
+/* demos/sign/sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* sign-it.cpp  -  Simple test app using SSLeay envelopes to sign data
+   29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
+
+/* converted to C - eay :-) */
+
+/* reformated a bit and converted to use the more common functions: this was
+ * initially written at the dawn of time :-) - Steve.
+ */
+
+#include <stdio.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+int main ()
+{
+  int err;
+  int sig_len;
+  unsigned char sig_buf [4096];
+  static char certfile[] = "cert.pem";
+  static char keyfile[]  = "key.pem";
+  static char data[]     = "I owe you...";
+  EVP_MD_CTX     md_ctx;
+  EVP_PKEY *      pkey;
+  FILE *          fp;
+  X509 *	x509;
+
+  /* Just load the crypto library error strings,
+   * SSL_load_error_strings() loads the crypto AND the SSL ones */
+  /* SSL_load_error_strings();*/
+  ERR_load_crypto_strings();
+  
+  /* Read private key */
+  
+  fp = fopen (keyfile, "r");
+  if (fp == NULL) exit (1);
+  pkey = PEM_read_PrivateKey(fp, NULL, NULL);
+  fclose (fp);
+
+  if (pkey == NULL) { 
+	ERR_print_errors_fp (stderr);
+	exit (1);
+  }
+  
+  /* Do the signature */
+  
+  EVP_SignInit   (&md_ctx, EVP_sha1());
+  EVP_SignUpdate (&md_ctx, data, strlen(data));
+  sig_len = sizeof(sig_buf);
+  err = EVP_SignFinal (&md_ctx, sig_buf, &sig_len, pkey);
+
+  if (err != 1) {
+	ERR_print_errors_fp(stderr);
+	exit (1);
+  }
+
+  EVP_PKEY_free (pkey);
+  
+  /* Read public key */
+  
+  fp = fopen (certfile, "r");
+  if (fp == NULL) exit (1);
+  x509 = PEM_read_X509(fp, NULL, NULL);
+  fclose (fp);
+
+  if (x509 == NULL) {
+	ERR_print_errors_fp (stderr);
+	exit (1);
+  }
+  
+  /* Get public key - eay */
+  pkey=X509_get_pubkey(x509);
+  if (pkey == NULL) {
+	ERR_print_errors_fp (stderr);
+	exit (1);
+  }
+
+  /* Verify the signature */
+  
+  EVP_VerifyInit   (&md_ctx, EVP_sha1());
+  EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
+  err = EVP_VerifyFinal (&md_ctx, sig_buf, sig_len, pkey);
+  EVP_PKEY_free (pkey);
+
+  if (err != 1) {
+	ERR_print_errors_fp (stderr);
+	exit (1);
+  }
+  printf ("Signature Verified Ok.\n");
+  return(0);
+}
diff --git a/crypto/openssl/demos/sign/sign.txt b/crypto/openssl/demos/sign/sign.txt
new file mode 100644
index 0000000..2aa2b46
--- /dev/null
+++ b/crypto/openssl/demos/sign/sign.txt
@@ -0,0 +1,170 @@
+From ssl-lists-owner@mincom.com Mon Sep 30 22:43:15 1996
+Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA12802
+  (5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 12:45:43 +1000
+Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id MAA25922 for ssl-users-outgoing; Mon, 30 Sep 1996 12:43:43 +1000 (EST)
+Received: from orb.mincom.oz.au (eay@orb.mincom.oz.au [192.55.197.1]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id MAA25900 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 12:43:39 +1000 (EST)
+Received: by orb.mincom.oz.au id AA12688
+  (5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 12:43:16 +1000
+Date: Mon, 30 Sep 1996 12:43:15 +1000 (EST)
+From: Eric Young <eay@mincom.com>
+X-Sender: eay@orb
+To: Sampo Kellomaki <sampo@neuronio.pt>
+Cc: ssl-users@mincom.com, sampo@brutus.neuronio.pt
+Subject: Re: Signing with envelope routines
+In-Reply-To: <199609300037.BAA08729@brutus.neuronio.pt>
+Message-Id: <Pine.SOL.3.91.960930121504.11800Y-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Sender: ssl-lists-owner@mincom.com
+Precedence: bulk
+Status: O
+X-Status: 
+
+
+On Mon, 30 Sep 1996, Sampo Kellomaki wrote:
+> I have been trying to figure out how to produce signatures with EVP_
+> routines. I seem to be able to read in private key and sign some
+> data ok, but I can't figure out how I am supposed to read in
+> public key so that I could verify my signature. I use self signed
+> certificate.
+
+hmm... a rather poorly documented are of the library at this point in time.
+
+> I figured I should use
+> 	EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
+> 	                               fp, NULL, NULL);
+> to read in private key and this seems to work Ok.
+> 
+> However when I try analogous
+> 	EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
+> 	                               fp, NULL, NULL);
+
+What you should do is 
+	X509 *x509=PEM_read_X509(fp,NULL,NULL);
+	/* which is the same as PEM_ASN1_read(d2i_X509,PEM_STRING_X509,fp,
+	 * NULL,NULL); */
+Then
+	EVP_PKEY *pkey=X509_extract_key(x509);
+
+There is also a X509_REQ_extract_key(req);
+which gets the public key from a certificate request.
+
+I re-worked quite a bit of this when I cleaned up the dependancy on
+RSA as the private key.
+
+> I figured that the second argument to PEM_ASN1_read should match the
+> name in my PEM encoded object, hence PEM_STRING_X509.
+> PEM_STRING_EVP_PKEY seems to be somehow magical
+> because it matches whatever private key there happens to be. I could
+> not find a similar constant to use with getting the certificate, however.
+
+:-), PEM_STRING_EVP_PKEY is 'magical' :-).  In theory I should be using a
+standard such as PKCS#8 to store the private key so that the type is 
+encoded in the asn.1 encoding of the object.
+
+> Is my approach of using PEM_ASN1_read correct? What should I pass in
+> as name?  Can I use normal (or even self signed) X509 certificate for
+> verifying the signature?
+
+The actual public key is kept in the certificate, so basically you have 
+to load the certificate and then 'unpack' the public key from the 
+certificate.
+
+> When will SSLeay documentation be written ;-)? If I would contribute
+> comments to the code, would Eric take time to review them and include
+> them in distribution?
+
+:-) After SSLv3 and PKCS#7 :-).  I actually started doing a function list 
+but what I really need to do is do quite a few 'this is how you do xyz' 
+type documents.  I suppose the current method is to post to ssl-users and 
+I'll respond :-).
+
+I'll add a 'demo' directory for the next release, I've appended a 
+modified version of your program that works, you were very close :-).
+
+eric
+
+/* sign-it.cpp  -  Simple test app using SSLeay envelopes to sign data
+   29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
+
+/* converted to C - eay :-) */
+
+#include <stdio.h>
+#include "rsa.h"
+#include "evp.h"
+#include "objects.h"
+#include "x509.h"
+#include "err.h"
+#include "pem.h"
+#include "ssl.h"
+
+void main ()
+{
+  int err;
+  int sig_len;
+  unsigned char sig_buf [4096];
+  static char certfile[] = "plain-cert.pem";
+  static char keyfile[]  = "plain-key.pem";
+  static char data[]     = "I owe you...";
+  EVP_MD_CTX     md_ctx;
+  EVP_PKEY *      pkey;
+  FILE *          fp;
+  X509 *	x509;
+
+  /* Just load the crypto library error strings,
+   * SSL_load_error_strings() loads the crypto AND the SSL ones */
+  /* SSL_load_error_strings();*/
+  ERR_load_crypto_strings();
+  
+  /* Read private key */
+  
+  fp = fopen (keyfile, "r");   if (fp == NULL) exit (1);
+  pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
+				   PEM_STRING_EVP_PKEY,
+				   fp,
+				   NULL, NULL);
+  if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  fclose (fp);
+  
+  /* Do the signature */
+  
+  EVP_SignInit   (&md_ctx, EVP_md5());
+  EVP_SignUpdate (&md_ctx, data, strlen(data));
+  sig_len = sizeof(sig_buf);
+  err = EVP_SignFinal (&md_ctx,
+		       sig_buf, 
+		       &sig_len,
+		       pkey);
+  if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  EVP_PKEY_free (pkey);
+  
+  /* Read public key */
+  
+  fp = fopen (certfile, "r");   if (fp == NULL) exit (1);
+  x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
+				   PEM_STRING_X509,
+				   fp, NULL, NULL);
+  if (x509 == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  fclose (fp);
+  
+  /* Get public key - eay */
+  pkey=X509_extract_key(x509);
+  if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
+
+  /* Verify the signature */
+  
+  EVP_VerifyInit   (&md_ctx, EVP_md5());
+  EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
+  err = EVP_VerifyFinal (&md_ctx,
+			 sig_buf,
+			 sig_len,
+			 pkey);
+  if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
+  EVP_PKEY_free (pkey);
+  printf ("Signature Verified Ok.\n");
+}
+
+
+
+
+
diff --git a/crypto/openssl/demos/spkigen.c b/crypto/openssl/demos/spkigen.c
new file mode 100644
index 0000000..d878811
--- /dev/null
+++ b/crypto/openssl/demos/spkigen.c
@@ -0,0 +1,160 @@
+/* NOCW */
+/* demos/spkigen.c
+ * 18-Mar-1997 - eay - A quick hack :-) 
+ * 		version 1.1, it would probably help to save or load the
+ *		private key :-)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/* The following two don't exist in SSLeay but they are in here as
+ * examples */
+#define PEM_write_SPKI(fp,x) \
+	PEM_ASN1_write((int (*)())i2d_NETSCAPE_SPKI,"SPKI",fp,\
+			(char *)x,NULL,NULL,0,NULL)
+int SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
+
+/* These are defined in the next version of SSLeay */
+int EVP_PKEY_assign(EVP_PKEY *pkey, int type,char *key);
+#define RSA_F4	0x10001
+#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
+					(char *)(rsa))
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	RSA *rsa=NULL;
+	NETSCAPE_SPKI *spki=NULL;
+	EVP_PKEY *pkey=NULL;
+	char buf[128];
+	int ok=0,i;
+	FILE *fp;
+
+	pkey=EVP_PKEY_new();
+	 
+	if (argc < 2)
+		{
+		/* Generate an RSA key, the random state should have been seeded
+		 * with lots of calls to RAND_seed(....) */
+		fprintf(stderr,"generating RSA key, could take some time...\n");
+		if ((rsa=RSA_generate_key(512,RSA_F4,NULL)) == NULL) goto err;
+		}
+	else
+		{
+		if ((fp=fopen(argv[1],"r")) == NULL)
+			{ perror(argv[1]); goto err; }
+		if ((rsa=PEM_read_RSAPrivateKey(fp,NULL,NULL)) == NULL)
+			goto err;
+		fclose(fp);
+		}
+	
+	if (!EVP_PKEY_assign_RSA(pkey,rsa)) goto err;
+	rsa=NULL;
+
+	/* lets make the spki and set the public key and challenge */
+	if ((spki=NETSCAPE_SPKI_new()) == NULL) goto err;
+
+	if (!SPKI_set_pubkey(spki,pkey)) goto err;
+
+	fprintf(stderr,"please enter challenge string:");
+	fflush(stderr);
+	fgets(buf,120,stdin);
+	i=strlen(buf);
+	if (i > 0) buf[--i]='\0';
+	if (!ASN1_STRING_set((ASN1_STRING *)spki->spkac->challenge,
+		buf,i)) goto err;
+
+	if (!NETSCAPE_SPKI_sign(spki,pkey,EVP_md5())) goto err;
+	PEM_write_SPKI(stdout,spki);
+	if (argc < 2)
+		PEM_write_RSAPrivateKey(stdout,pkey->pkey.rsa,NULL,NULL,0,NULL);
+
+	ok=1;
+err:
+	if (!ok)
+		{
+		fprintf(stderr,"something bad happened....");
+		ERR_print_errors_fp(stderr);
+		}
+	NETSCAPE_SPKI_free(spki);
+	EVP_PKEY_free(pkey);
+	exit(!ok);
+	}
+
+/* This function is in the next version of SSLeay */
+int EVP_PKEY_assign(pkey,type,key)
+EVP_PKEY *pkey;
+int type;
+char *key;
+	{
+	if (pkey == NULL) return(0);
+	if (pkey->pkey.ptr != NULL)
+		{
+		if (pkey->type == EVP_PKEY_RSA)
+			RSA_free(pkey->pkey.rsa);
+		/* else memory leak */
+		}
+	pkey->type=type;
+	pkey->pkey.ptr=key;
+	return(1);
+	}
+
+/* While I have a 
+ * X509_set_pubkey() and X509_REQ_set_pubkey(), SPKI_set_pubkey() does
+ * not currently exist so here is a version of it.
+ * The next SSLeay release will probably have
+ * X509_set_pubkey(),
+ * X509_REQ_set_pubkey() and
+ * NETSCAPE_SPKI_set_pubkey()
+ * as macros calling the same function */
+int SPKI_set_pubkey(x,pkey)
+NETSCAPE_SPKI *x;
+EVP_PKEY *pkey;
+	{
+	int ok=0;
+	X509_PUBKEY *pk;
+	X509_ALGOR *a;
+	ASN1_OBJECT *o;
+	unsigned char *s,*p;
+	int i;
+
+	if (x == NULL) return(0);
+
+	if ((pk=X509_PUBKEY_new()) == NULL) goto err;
+	a=pk->algor;
+
+	/* set the algorithm id */
+	if ((o=OBJ_nid2obj(pkey->type)) == NULL) goto err;
+	ASN1_OBJECT_free(a->algorithm);
+	a->algorithm=o;
+
+	/* Set the parameter list */
+	if ((a->parameter == NULL) || (a->parameter->type != V_ASN1_NULL))
+		{
+		ASN1_TYPE_free(a->parameter);
+		a->parameter=ASN1_TYPE_new();
+		a->parameter->type=V_ASN1_NULL;
+		}
+	i=i2d_PublicKey(pkey,NULL);
+	if ((s=(unsigned char *)malloc(i+1)) == NULL) goto err;
+	p=s;
+	i2d_PublicKey(pkey,&p);
+	if (!ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+	free(s);
+
+	X509_PUBKEY_free(x->spkac->pubkey);
+	x->spkac->pubkey=pk;
+	pk=NULL;
+	ok=1;
+err:
+	if (pk != NULL) X509_PUBKEY_free(pk);
+	return(ok);
+	}
+
diff --git a/crypto/openssl/demos/ssl/cli.cpp b/crypto/openssl/demos/ssl/cli.cpp
new file mode 100644
index 0000000..daea2bd
--- /dev/null
+++ b/crypto/openssl/demos/ssl/cli.cpp
@@ -0,0 +1,110 @@
+/* cli.cpp  -  Minimal ssleay client for Unix
+   30.9.1996, Sampo Kellomaki <sampo@iki.fi> */
+
+/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b
+   Simplified to be even more minimal
+   12/98 - 4/99 Wade Scholine <wades@mail.cybg.com> */
+
+#include <stdio.h>
+#include <memory.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+
+#define CHK_NULL(x) if ((x)==NULL) exit (1)
+#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
+#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
+
+void main ()
+{
+  int err;
+  int sd;
+  struct sockaddr_in sa;
+  SSL_CTX* ctx;
+  SSL*     ssl;
+  X509*    server_cert;
+  char*    str;
+  char     buf [4096];
+  SSL_METHOD *meth;
+
+  SSLeay_add_ssl_algorithms();
+  meth = SSLv2_client_method();
+  SSL_load_error_strings();
+  ctx = SSL_CTX_new (meth);                        CHK_NULL(ctx);
+
+  CHK_SSL(err);
+  
+  /* ----------------------------------------------- */
+  /* Create a socket and connect to server using normal socket calls. */
+  
+  sd = socket (AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");
+ 
+  memset (&sa, '\0', sizeof(sa));
+  sa.sin_family      = AF_INET;
+  sa.sin_addr.s_addr = inet_addr ("127.0.0.1");   /* Server IP */
+  sa.sin_port        = htons     (1111);          /* Server Port number */
+  
+  err = connect(sd, (struct sockaddr*) &sa,
+		sizeof(sa));                   CHK_ERR(err, "connect");
+
+  /* ----------------------------------------------- */
+  /* Now we have TCP conncetion. Start SSL negotiation. */
+  
+  ssl = SSL_new (ctx);                         CHK_NULL(ssl);    
+  SSL_set_fd (ssl, sd);
+  err = SSL_connect (ssl);                     CHK_SSL(err);
+    
+  /* Following two steps are optional and not required for
+     data exchange to be successful. */
+  
+  /* Get the cipher - opt */
+
+  printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
+  
+  /* Get server's certificate (note: beware of dynamic allocation) - opt */
+
+  server_cert = SSL_get_peer_certificate (ssl);       CHK_NULL(server_cert);
+  printf ("Server certificate:\n");
+  
+  str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
+  CHK_NULL(str);
+  printf ("\t subject: %s\n", str);
+  Free (str);
+
+  str = X509_NAME_oneline (X509_get_issuer_name  (server_cert),0,0);
+  CHK_NULL(str);
+  printf ("\t issuer: %s\n", str);
+  Free (str);
+
+  /* We could do all sorts of certificate verification stuff here before
+     deallocating the certificate. */
+
+  X509_free (server_cert);
+  
+  /* --------------------------------------------------- */
+  /* DATA EXCHANGE - Send a message and receive a reply. */
+
+  err = SSL_write (ssl, "Hello World!", strlen("Hello World!"));  CHK_SSL(err);
+  
+  err = SSL_read (ssl, buf, sizeof(buf) - 1);                     CHK_SSL(err);
+  buf[err] = '\0';
+  printf ("Got %d chars:'%s'\n", err, buf);
+  SSL_shutdown (ssl);  /* send SSL/TLS close_notify */
+
+  /* Clean up. */
+
+  close (sd);
+  SSL_free (ssl);
+  SSL_CTX_free (ctx);
+}
+/* EOF - cli.cpp */
diff --git a/crypto/openssl/demos/ssl/inetdsrv.cpp b/crypto/openssl/demos/ssl/inetdsrv.cpp
new file mode 100644
index 0000000..5b09227
--- /dev/null
+++ b/crypto/openssl/demos/ssl/inetdsrv.cpp
@@ -0,0 +1,98 @@
+/* inetdserv.cpp  -  Minimal ssleay server for Unix inetd.conf
+ * 30.9.1996, Sampo Kellomaki <sampo@iki.fi>
+ * From /etc/inetd.conf:
+ *     1111 stream tcp nowait sampo /usr/users/sampo/demo/inetdserv inetdserv
+ */
+
+#include <stdio.h>
+#include <errno.h>
+
+#include "rsa.h"       /* SSLeay stuff */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+#define HOME "/usr/users/sampo/demo/"
+#define CERTF HOME "plain-cert.pem"
+#define KEYF  HOME "plain-key.pem"
+
+#define CHK_NULL(x) if ((x)==NULL) exit (1)
+#define CHK_ERR(err,s) if ((err)==-1) \
+                         { fprintf(log, "%s %d\n", (s), errno); exit(1); }
+#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(log); exit(2); }
+
+void main ()
+{
+  int err;
+  SSL_CTX* ctx;
+  SSL*     ssl;
+  X509*    client_cert;
+  char*    str;
+  char     buf [4096];
+  FILE* log;
+  
+  log = fopen ("/dev/console", "a");                     CHK_NULL(log);
+  fprintf (log, "inetdserv %ld\n", (long)getpid());
+  
+  SSL_load_error_strings();
+  ctx = SSL_CTX_new (); CHK_NULL(ctx);
+  
+  err = SSL_CTX_use_RSAPrivateKey_file (ctx, KEYF,  SSL_FILETYPE_PEM);
+  CHK_SSL (err);
+  
+  err = SSL_CTX_use_certificate_file   (ctx, CERTF, SSL_FILETYPE_PEM);
+  CHK_SSL (err);
+
+  /* inetd has already opened the TCP connection, so we can get right
+     down to business. */
+  
+  ssl = SSL_new (ctx);  CHK_NULL(ssl);
+  SSL_set_fd (ssl,  fileno(stdin));
+  err = SSL_accept (ssl);                                CHK_SSL(err);
+  
+  /* Get the cipher - opt */
+  
+  fprintf (log, "SSL connection using %s\n", SSL_get_cipher (ssl));
+  
+  /* Get client's certificate (note: beware of dynamic allocation) - opt */
+
+  client_cert = SSL_get_peer_certificate (ssl);
+  if (client_cert != NULL) {
+    fprintf (log, "Client certificate:\n");
+    
+    str = X509_NAME_oneline (X509_get_subject_name (client_cert));
+    CHK_NULL(str);
+    fprintf (log, "\t subject: %s\n", str);
+    Free (str);
+    
+    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert));
+    CHK_NULL(str);
+    fprintf (log, "\t issuer: %s\n", str);
+    Free (str);
+    
+    /* We could do all sorts of certificate verification stuff here before
+       deallocating the certificate. */
+    
+    X509_free (client_cert);
+  } else
+    fprintf (log, "Client doe not have certificate.\n");
+
+  /* ------------------------------------------------- */
+  /* DATA EXCHANGE: Receive message and send reply  */
+  
+  err = SSL_read (ssl, buf, sizeof(buf) - 1);  CHK_SSL(err);
+  buf[err] = '\0';
+  fprintf (log, "Got %d chars:'%s'\n", err, buf);
+  
+  err = SSL_write (ssl, "Loud and clear.", strlen("Loud and clear."));
+  CHK_SSL(err);
+
+  /* Clean up. */
+
+  fclose (log);
+  SSL_free (ssl);
+  SSL_CTX_free (ctx);
+}
+/* EOF - inetdserv.cpp */
diff --git a/crypto/openssl/demos/ssl/serv.cpp b/crypto/openssl/demos/ssl/serv.cpp
new file mode 100644
index 0000000..aec610d
--- /dev/null
+++ b/crypto/openssl/demos/ssl/serv.cpp
@@ -0,0 +1,152 @@
+/* serv.cpp  -  Minimal ssleay server for Unix
+   30.9.1996, Sampo Kellomaki <sampo@iki.fi> */
+
+
+/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b
+   Simplified to be even more minimal
+   12/98 - 4/99 Wade Scholine <wades@mail.cybg.com> */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <memory.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <openssl/rsa.h>       /* SSLeay stuff */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+
+/* define HOME to be dir for key and cert files... */
+#define HOME "./"
+/* Make these what you want for cert & key files */
+#define CERTF  HOME "foo-cert.pem"
+#define KEYF  HOME  "foo-cert.pem"
+
+
+#define CHK_NULL(x) if ((x)==NULL) exit (1)
+#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
+#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
+
+void main ()
+{
+  int err;
+  int listen_sd;
+  int sd;
+  struct sockaddr_in sa_serv;
+  struct sockaddr_in sa_cli;
+  size_t client_len;
+  SSL_CTX* ctx;
+  SSL*     ssl;
+  X509*    client_cert;
+  char*    str;
+  char     buf [4096];
+  SSL_METHOD *meth;
+  
+  /* SSL preliminaries. We keep the certificate and key with the context. */
+
+  SSL_load_error_strings();
+  SSLeay_add_ssl_algorithms();
+  meth = SSLv23_server_method();
+  ctx = SSL_CTX_new (meth);
+  if (!ctx) {
+    ERR_print_errors_fp(stderr);
+    exit(2);
+  }
+  
+  if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
+    ERR_print_errors_fp(stderr);
+    exit(3);
+  }
+  if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
+    ERR_print_errors_fp(stderr);
+    exit(4);
+  }
+
+  if (!SSL_CTX_check_private_key(ctx)) {
+    fprintf(stderr,"Private key does not match the certificate public key\n");
+    exit(5);
+  }
+
+  /* ----------------------------------------------- */
+  /* Prepare TCP socket for receiving connections */
+
+  listen_sd = socket (AF_INET, SOCK_STREAM, 0);   CHK_ERR(listen_sd, "socket");
+  
+  memset (&sa_serv, '\0', sizeof(sa_serv));
+  sa_serv.sin_family      = AF_INET;
+  sa_serv.sin_addr.s_addr = INADDR_ANY;
+  sa_serv.sin_port        = htons (1111);          /* Server Port number */
+  
+  err = bind(listen_sd, (struct sockaddr*) &sa_serv,
+	     sizeof (sa_serv));                   CHK_ERR(err, "bind");
+	     
+  /* Receive a TCP connection. */
+	     
+  err = listen (listen_sd, 5);                    CHK_ERR(err, "listen");
+  
+  client_len = sizeof(sa_cli);
+  sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
+  CHK_ERR(sd, "accept");
+  close (listen_sd);
+
+  printf ("Connection from %lx, port %x\n",
+	  sa_cli.sin_addr.s_addr, sa_cli.sin_port);
+  
+  /* ----------------------------------------------- */
+  /* TCP connection is ready. Do server side SSL. */
+
+  ssl = SSL_new (ctx);                           CHK_NULL(ssl);
+  SSL_set_fd (ssl, sd);
+  err = SSL_accept (ssl);                        CHK_SSL(err);
+  
+  /* Get the cipher - opt */
+  
+  printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
+  
+  /* Get client's certificate (note: beware of dynamic allocation) - opt */
+
+  client_cert = SSL_get_peer_certificate (ssl);
+  if (client_cert != NULL) {
+    printf ("Client certificate:\n");
+    
+    str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
+    CHK_NULL(str);
+    printf ("\t subject: %s\n", str);
+    Free (str);
+    
+    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
+    CHK_NULL(str);
+    printf ("\t issuer: %s\n", str);
+    Free (str);
+    
+    /* We could do all sorts of certificate verification stuff here before
+       deallocating the certificate. */
+    
+    X509_free (client_cert);
+  } else
+    printf ("Client does not have certificate.\n");
+
+  /* DATA EXCHANGE - Receive message and send reply. */
+
+  err = SSL_read (ssl, buf, sizeof(buf) - 1);                   CHK_SSL(err);
+  buf[err] = '\0';
+  printf ("Got %d chars:'%s'\n", err, buf);
+  
+  err = SSL_write (ssl, "I hear you.", strlen("I hear you."));  CHK_SSL(err);
+
+  /* Clean up. */
+
+  close (sd);
+  SSL_free (ssl);
+  SSL_CTX_free (ctx);
+}
+/* EOF - serv.cpp */
diff --git a/crypto/openssl/dep/crypto.txt b/crypto/openssl/dep/crypto.txt
new file mode 100644
index 0000000..9e5144f
--- /dev/null
+++ b/crypto/openssl/dep/crypto.txt
@@ -0,0 +1,1043 @@
+ASN1_BIT_STRING_asn1_meth
+ASN1_BIT_STRING_get_bit
+ASN1_BIT_STRING_set_bit
+ASN1_HEADER_free
+ASN1_HEADER_new
+ASN1_IA5STRING_asn1_meth
+ASN1_INTEGER_get
+ASN1_INTEGER_set
+ASN1_INTEGER_to_BN
+ASN1_OBJECT_create
+ASN1_OBJECT_free
+ASN1_OBJECT_new
+ASN1_PRINTABLE_type
+ASN1_STRING_cmp
+ASN1_STRING_dup
+ASN1_STRING_free
+ASN1_STRING_new
+ASN1_STRING_print
+ASN1_STRING_set
+ASN1_STRING_type_new
+ASN1_TYPE_free
+ASN1_TYPE_get
+ASN1_TYPE_new
+ASN1_TYPE_set
+ASN1_UNIVERSALSTRING_to_string
+ASN1_UTCTIME_check
+ASN1_UTCTIME_print
+ASN1_UTCTIME_set
+ASN1_check_infinite_end
+ASN1_d2i_bio
+ASN1_d2i_fp
+ASN1_digest
+ASN1_dup
+ASN1_get_object
+ASN1_i2d_bio
+ASN1_i2d_fp
+ASN1_object_size
+ASN1_parse
+ASN1_put_object
+ASN1_sign
+ASN1_verify
+BF_cbc_encrypt
+BF_cfb64_encrypt
+BF_decrypt
+BF_ecb_encrypt
+BF_encrypt
+BF_ofb64_encrypt
+BF_options
+BF_set_key
+BIO_ACCEPT_free
+BIO_ACCEPT_new
+BIO_CONNECT_free
+BIO_CONNECT_new
+BIO_accept
+BIO_copy_next_retry
+BIO_ctrl
+BIO_ctrl_int
+BIO_debug_callback
+BIO_dump
+BIO_dup_chain
+BIO_f_base64
+BIO_f_buffer
+BIO_f_cipher
+BIO_f_md
+BIO_f_nbio_test
+BIO_f_null
+BIO_f_proxy_server
+BIO_fd_non_fatal_error
+BIO_fd_should_retry
+BIO_find_type
+BIO_free
+BIO_free_all
+BIO_get_accept_socket
+BIO_get_ex_data
+BIO_get_ex_new_index
+BIO_get_filter_bio
+BIO_get_host_ip
+BIO_get_port
+BIO_get_retry_BIO
+BIO_get_retry_reason
+BIO_gethostbyname
+BIO_gets
+BIO_ghbn_ctrl
+BIO_new
+BIO_new_accept
+BIO_new_connect
+BIO_new_fd
+BIO_new_file
+BIO_new_fp
+BIO_new_socket
+BIO_pop
+BIO_printf
+BIO_ptr_ctrl
+BIO_push
+BIO_puts
+BIO_read
+BIO_s_accept
+BIO_s_connect
+BIO_s_fd
+BIO_s_file
+BIO_s_mem
+BIO_s_null
+BIO_s_proxy_client
+BIO_s_socket
+BIO_set
+BIO_set_cipher
+BIO_set_ex_data
+BIO_set_tcp_ndelay
+BIO_sock_cleanup
+BIO_sock_error
+BIO_sock_init
+BIO_sock_non_fatal_error
+BIO_sock_should_retry
+BIO_socket_ioctl
+BIO_write
+BN_BLINDING_convert
+BN_BLINDING_free
+BN_BLINDING_invert
+BN_BLINDING_new
+BN_BLINDING_update
+BN_CTX_free
+BN_CTX_new
+BN_MONT_CTX_free
+BN_MONT_CTX_new
+BN_MONT_CTX_set
+BN_add
+BN_add_word
+BN_bin2bn
+BN_bn2bin
+BN_bn2dec
+BN_bn2hex
+BN_bn2mpi
+BN_clear
+BN_clear_bit
+BN_clear_free
+BN_cmp
+BN_copy
+BN_dec2bn
+BN_div
+BN_div_word
+BN_dup
+BN_exp
+BN_free
+BN_from_montgomery
+BN_gcd
+BN_generate_prime
+BN_get_word
+BN_hex2bn
+BN_is_bit_set
+BN_is_prime
+BN_lshift
+BN_lshift1
+BN_mask_bits
+BN_mod
+BN_mod_exp
+BN_mod_exp_mont
+BN_mod_exp_recp
+BN_mod_exp_simple
+BN_mod_inverse
+BN_mod_mul
+BN_mod_mul_montgomery
+BN_mod_mul_reciprocal
+BN_mod_word
+BN_mpi2bn
+BN_mul
+BN_mul_word
+BN_new
+BN_num_bits
+BN_num_bits_word
+BN_options
+BN_print
+BN_print_fp
+BN_rand
+BN_reciprocal
+BN_rshift
+BN_rshift1
+BN_set_bit
+BN_set_word
+BN_sqr
+BN_sub
+BN_sub_word
+BN_to_ASN1_INTEGER
+BN_ucmp
+BN_value_one
+BUF_MEM_free
+BUF_MEM_grow
+BUF_MEM_new
+BUF_strdup
+CAST_cbc_encrypt
+CAST_cfb64_encrypt
+CAST_decrypt
+CAST_ecb_encrypt
+CAST_encrypt
+CAST_ofb64_encrypt
+CAST_set_key
+CONF_free
+CONF_get_number
+CONF_get_section
+CONF_get_string
+CONF_load
+CRYPTO_add_lock
+CRYPTO_dbg_free
+CRYPTO_dbg_malloc
+CRYPTO_dbg_realloc
+CRYPTO_dbg_remalloc
+CRYPTO_dup_ex_data
+CRYPTO_free
+CRYPTO_free_ex_data
+CRYPTO_get_add_lock_callback
+CRYPTO_get_ex_data
+CRYPTO_get_ex_new_index
+CRYPTO_get_id_callback
+CRYPTO_get_lock_name
+CRYPTO_get_locking_callback
+CRYPTO_get_mem_functions
+CRYPTO_get_new_lockid
+CRYPTO_lock
+CRYPTO_malloc
+CRYPTO_mem_ctrl
+CRYPTO_mem_leaks
+CRYPTO_mem_leaks_cb
+CRYPTO_mem_leaks_fp
+CRYPTO_new_ex_data
+CRYPTO_realloc
+CRYPTO_remalloc
+CRYPTO_set_add_lock_callback
+CRYPTO_set_ex_data
+CRYPTO_set_id_callback
+CRYPTO_set_locking_callback
+CRYPTO_set_mem_functions
+CRYPTO_thread_id
+DH_check
+DH_compute_key
+DH_free
+DH_generate_key
+DH_generate_parameters
+DH_new
+DH_size
+DHparams_print
+DHparams_print_fp
+DSA_free
+DSA_generate_key
+DSA_generate_parameters
+DSA_is_prime
+DSA_new
+DSA_print
+DSA_print_fp
+DSA_sign
+DSA_sign_setup
+DSA_size
+DSA_verify
+DSAparams_print
+DSAparams_print_fp
+ERR_clear_error
+ERR_error_string
+ERR_free_strings
+ERR_func_error_string
+ERR_get_err_state_table
+ERR_get_error
+ERR_get_error_line
+ERR_get_next_error_library
+ERR_get_state
+ERR_get_string_table
+ERR_lib_error_string
+ERR_load_ASN1_strings
+ERR_load_BIO_strings
+ERR_load_BN_strings
+ERR_load_BUF_strings
+ERR_load_CONF_strings
+ERR_load_CRYPTO_strings
+ERR_load_DH_strings
+ERR_load_DSA_strings
+ERR_load_ERR_strings
+ERR_load_EVP_strings
+ERR_load_OBJ_strings
+ERR_load_PEM_strings
+ERR_load_PKCS7_strings
+ERR_load_PROXY_strings
+ERR_load_RSA_strings
+ERR_load_X509_strings
+ERR_load_crypto_strings
+ERR_load_strings
+ERR_peek_error
+ERR_peek_error_line
+ERR_print_errors
+ERR_print_errors_fp
+ERR_put_error
+ERR_reason_error_string
+ERR_remove_state
+EVP_BytesToKey
+EVP_CIPHER_CTX_cleanup
+EVP_CIPHER_CTX_init
+EVP_CipherFinal
+EVP_CipherInit
+EVP_CipherUpdate
+EVP_DecodeBlock
+EVP_DecodeFinal
+EVP_DecodeInit
+EVP_DecodeUpdate
+EVP_DecryptFinal
+EVP_DecryptInit
+EVP_DecryptUpdate
+EVP_DigestFinal
+EVP_DigestInit
+EVP_DigestUpdate
+EVP_EncodeBlock
+EVP_EncodeFinal
+EVP_EncodeInit
+EVP_EncodeUpdate
+EVP_EncryptFinal
+EVP_EncryptInit
+EVP_EncryptUpdate
+EVP_OpenFinal
+EVP_OpenInit
+EVP_PKEY_assign
+EVP_PKEY_bits
+EVP_PKEY_cmp_parameters
+EVP_PKEY_copy_parameters
+EVP_PKEY_free
+EVP_PKEY_missing_parameters
+EVP_PKEY_new
+EVP_PKEY_save_parameters
+EVP_PKEY_size
+EVP_PKEY_type
+EVP_SealFinal
+EVP_SealInit
+EVP_SignFinal
+EVP_VerifyFinal
+EVP_add_alias
+EVP_add_cipher
+EVP_add_digest
+EVP_bf_cbc
+EVP_bf_cfb
+EVP_bf_ecb
+EVP_bf_ofb
+EVP_cast5_cbc
+EVP_cast5_cfb
+EVP_cast5_ecb
+EVP_cast5_ofb
+EVP_cleanup
+EVP_delete_alias
+EVP_des_cbc
+EVP_des_cfb
+EVP_des_ecb
+EVP_des_ede
+EVP_des_ede3
+EVP_des_ede3_cbc
+EVP_des_ede3_cfb
+EVP_des_ede3_ofb
+EVP_des_ede_cbc
+EVP_des_ede_cfb
+EVP_des_ede_ofb
+EVP_des_ofb
+EVP_desx_cbc
+EVP_dss
+EVP_dss1
+EVP_enc_null
+EVP_get_cipherbyname
+EVP_get_digestbyname
+EVP_get_pw_prompt
+EVP_idea_cbc
+EVP_idea_cfb
+EVP_idea_ecb
+EVP_idea_ofb
+EVP_md2
+EVP_md5
+EVP_md_null
+EVP_mdc2
+EVP_rc2_40_cbc
+EVP_rc2_cbc
+EVP_rc2_cfb
+EVP_rc2_ecb
+EVP_rc2_ofb
+EVP_rc4
+EVP_rc4_40
+EVP_read_pw_string
+EVP_set_pw_prompt
+EVP_sha
+EVP_sha1
+HMAC
+HMAC_Final
+HMAC_Init
+HMAC_Update
+HMAC_cleanup
+MD2
+MD2_Final
+MD2_Init
+MD2_Update
+MD2_options
+MD5
+MD5_Final
+MD5_Init
+MD5_Transform
+MD5_Update
+MDC2
+MDC2_Final
+MDC2_Init
+MDC2_Update
+NETSCAPE_SPKAC_free
+NETSCAPE_SPKAC_new
+NETSCAPE_SPKI_free
+NETSCAPE_SPKI_new
+NETSCAPE_SPKI_sign
+NETSCAPE_SPKI_verify
+OBJ_add_object
+OBJ_bsearch
+OBJ_cleanup
+OBJ_cmp
+OBJ_create
+OBJ_create_objects
+OBJ_dup
+OBJ_ln2nid
+OBJ_new_nid
+OBJ_nid2ln
+OBJ_nid2obj
+OBJ_nid2sn
+OBJ_obj2nid
+OBJ_sn2nid
+OBJ_txt2nid
+PEM_ASN1_read
+PEM_ASN1_read_bio
+PEM_ASN1_write
+PEM_ASN1_write_bio
+PEM_SealFinal
+PEM_SealInit
+PEM_SealUpdate
+PEM_SignFinal
+PEM_SignInit
+PEM_SignUpdate
+PEM_X509_INFO_read
+PEM_X509_INFO_read_bio
+PEM_X509_INFO_write_bio
+PEM_dek_info
+PEM_do_header
+PEM_get_EVP_CIPHER_INFO
+PEM_proc_type
+PEM_read
+PEM_read_DHparams
+PEM_read_DSAPrivateKey
+PEM_read_DSAparams
+PEM_read_PKCS7
+PEM_read_PrivateKey
+PEM_read_RSAPrivateKey
+PEM_read_RSAPublicKey
+PEM_read_X509
+PEM_read_X509_CRL
+PEM_read_X509_REQ
+PEM_read_bio
+PEM_read_bio_DHparams
+PEM_read_bio_DSAPrivateKey
+PEM_read_bio_DSAparams
+PEM_read_bio_PKCS7
+PEM_read_bio_PrivateKey
+PEM_read_bio_RSAPrivateKey
+PEM_read_bio_RSAPublicKey
+PEM_read_bio_X509
+PEM_read_bio_X509_CRL
+PEM_read_bio_X509_REQ
+PEM_write
+PEM_write_DHparams
+PEM_write_DSAPrivateKey
+PEM_write_DSAparams
+PEM_write_PKCS7
+PEM_write_PrivateKey
+PEM_write_RSAPrivateKey
+PEM_write_RSAPublicKey
+PEM_write_X509
+PEM_write_X509_CRL
+PEM_write_X509_REQ
+PEM_write_bio
+PEM_write_bio_DHparams
+PEM_write_bio_DSAPrivateKey
+PEM_write_bio_DSAparams
+PEM_write_bio_PKCS7
+PEM_write_bio_PrivateKey
+PEM_write_bio_RSAPrivateKey
+PEM_write_bio_RSAPublicKey
+PEM_write_bio_X509
+PEM_write_bio_X509_CRL
+PEM_write_bio_X509_REQ
+PKCS7_DIGEST_free
+PKCS7_DIGEST_new
+PKCS7_ENCRYPT_free
+PKCS7_ENCRYPT_new
+PKCS7_ENC_CONTENT_free
+PKCS7_ENC_CONTENT_new
+PKCS7_ENVELOPE_free
+PKCS7_ENVELOPE_new
+PKCS7_ISSUER_AND_SERIAL_digest
+PKCS7_ISSUER_AND_SERIAL_free
+PKCS7_ISSUER_AND_SERIAL_new
+PKCS7_RECIP_INFO_free
+PKCS7_RECIP_INFO_new
+PKCS7_SIGNED_free
+PKCS7_SIGNED_new
+PKCS7_SIGNER_INFO_free
+PKCS7_SIGNER_INFO_new
+PKCS7_SIGNER_INFO_set
+PKCS7_SIGN_ENVELOPE_free
+PKCS7_SIGN_ENVELOPE_new
+PKCS7_add_certificate
+PKCS7_add_crl
+PKCS7_add_signature
+PKCS7_add_signer
+PKCS7_cert_from_signer_info
+PKCS7_content_free
+PKCS7_content_new
+PKCS7_ctrl
+PKCS7_dataInit
+PKCS7_dataSign
+PKCS7_dataVerify
+PKCS7_dup
+PKCS7_free
+PKCS7_get_signer_info
+PKCS7_new
+PKCS7_set_content
+PKCS7_set_type
+PROXY_ENTRY_add_noproxy
+PROXY_ENTRY_clear_noproxy
+PROXY_ENTRY_free
+PROXY_ENTRY_get_noproxy
+PROXY_ENTRY_new
+PROXY_ENTRY_set_server
+PROXY_add_noproxy
+PROXY_add_server
+PROXY_check_by_host
+PROXY_check_url
+PROXY_clear_noproxy
+PROXY_free
+PROXY_get_noproxy
+PROXY_get_proxies
+PROXY_get_proxy_entry
+PROXY_load_conf
+PROXY_new
+PROXY_print
+RAND_bytes
+RAND_cleanup
+RAND_file_name
+RAND_load_file
+RAND_seed
+RAND_write_file
+RC2_cbc_encrypt
+RC2_cfb64_encrypt
+RC2_decrypt
+RC2_ecb_encrypt
+RC2_encrypt
+RC2_ofb64_encrypt
+RC2_set_key
+RC4
+RC4_options
+RC4_set_key
+RC5_32_cbc_encrypt
+RC5_32_cfb64_encrypt
+RC5_32_decrypt
+RC5_32_ecb_encrypt
+RC5_32_encrypt
+RC5_32_ofb64_encrypt
+RC5_32_set_key
+RIPEMD160
+RIPEMD160_Final
+RIPEMD160_Init
+RIPEMD160_Transform
+RIPEMD160_Update
+RSAPrivateKey_asn1_meth
+RSAPrivateKey_dup
+RSAPublicKey_dup
+RSA_PKCS1_SSLeay
+RSA_blinding_off
+RSA_blinding_on
+RSA_flags
+RSA_free
+RSA_generate_key
+RSA_get_ex_data
+RSA_get_ex_new_index
+RSA_new
+RSA_new_method
+RSA_padding_add_PKCS1_type_1
+RSA_padding_add_PKCS1_type_2
+RSA_padding_add_SSLv23
+RSA_padding_add_none
+RSA_padding_check_PKCS1_type_1
+RSA_padding_check_PKCS1_type_2
+RSA_padding_check_SSLv23
+RSA_padding_check_none
+RSA_print
+RSA_print_fp
+RSA_private_decrypt
+RSA_private_encrypt
+RSA_public_decrypt
+RSA_public_encrypt
+RSA_set_default_method
+RSA_set_ex_data
+RSA_sign
+RSA_sign_ASN1_OCTET_STRING
+RSA_size
+RSA_verify
+RSA_verify_ASN1_OCTET_STRING
+SHA
+SHA1
+SHA1_Final
+SHA1_Init
+SHA1_Transform
+SHA1_Update
+SHA_Final
+SHA_Init
+SHA_Transform
+SHA_Update
+SSLeay
+SSLeay_add_all_algorithms
+SSLeay_add_all_ciphers
+SSLeay_add_all_digests
+SSLeay_version
+TXT_DB_create_index
+TXT_DB_free
+TXT_DB_get_by_index
+TXT_DB_insert
+TXT_DB_read
+TXT_DB_write
+X509_ALGOR_free
+X509_ALGOR_new
+X509_ATTRIBUTE_free
+X509_ATTRIBUTE_new
+X509_CINF_free
+X509_CINF_new
+X509_CRL_INFO_free
+X509_CRL_INFO_new
+X509_CRL_add_ext
+X509_CRL_cmp
+X509_CRL_delete_ext
+X509_CRL_dup
+X509_CRL_free
+X509_CRL_get_ext
+X509_CRL_get_ext_by_NID
+X509_CRL_get_ext_by_OBJ
+X509_CRL_get_ext_by_critical
+X509_CRL_get_ext_count
+X509_CRL_new
+X509_CRL_sign
+X509_CRL_verify
+X509_EXTENSION_create_by_NID
+X509_EXTENSION_create_by_OBJ
+X509_EXTENSION_dup
+X509_EXTENSION_free
+X509_EXTENSION_get_critical
+X509_EXTENSION_get_data
+X509_EXTENSION_get_object
+X509_EXTENSION_new
+X509_EXTENSION_set_critical
+X509_EXTENSION_set_data
+X509_EXTENSION_set_object
+X509_INFO_free
+X509_INFO_new
+X509_LOOKUP_by_alias
+X509_LOOKUP_by_fingerprint
+X509_LOOKUP_by_issuer_serial
+X509_LOOKUP_by_subject
+X509_LOOKUP_ctrl
+X509_LOOKUP_file
+X509_LOOKUP_free
+X509_LOOKUP_hash_dir
+X509_LOOKUP_init
+X509_LOOKUP_new
+X509_LOOKUP_shutdown
+X509_NAME_ENTRY_create_by_NID
+X509_NAME_ENTRY_create_by_OBJ
+X509_NAME_ENTRY_dup
+X509_NAME_ENTRY_free
+X509_NAME_ENTRY_get_data
+X509_NAME_ENTRY_get_object
+X509_NAME_ENTRY_new
+X509_NAME_ENTRY_set_data
+X509_NAME_ENTRY_set_object
+X509_NAME_add_entry
+X509_NAME_cmp
+X509_NAME_delete_entry
+X509_NAME_digest
+X509_NAME_dup
+X509_NAME_entry_count
+X509_NAME_free
+X509_NAME_get_entry
+X509_NAME_get_index_by_NID
+X509_NAME_get_index_by_OBJ
+X509_NAME_get_text_by_NID
+X509_NAME_get_text_by_OBJ
+X509_NAME_hash
+X509_NAME_new
+X509_NAME_oneline
+X509_NAME_print
+X509_NAME_set
+X509_OBJECT_free_contents
+X509_OBJECT_retrive_by_subject
+X509_OBJECT_up_ref_count
+X509_PKEY_free
+X509_PKEY_new
+X509_PUBKEY_free
+X509_PUBKEY_get
+X509_PUBKEY_new
+X509_PUBKEY_set
+X509_REQ_INFO_free
+X509_REQ_INFO_new
+X509_REQ_dup
+X509_REQ_free
+X509_REQ_get_pubkey
+X509_REQ_new
+X509_REQ_print
+X509_REQ_print_fp
+X509_REQ_set_pubkey
+X509_REQ_set_subject_name
+X509_REQ_set_version
+X509_REQ_sign
+X509_REQ_to_X509
+X509_REQ_verify
+X509_REVOKED_add_ext
+X509_REVOKED_delete_ext
+X509_REVOKED_free
+X509_REVOKED_get_ext
+X509_REVOKED_get_ext_by_NID
+X509_REVOKED_get_ext_by_OBJ
+X509_REVOKED_get_ext_by_critical
+X509_REVOKED_get_ext_count
+X509_REVOKED_new
+X509_SIG_free
+X509_SIG_new
+X509_STORE_CTX_cleanup
+X509_STORE_CTX_get_chain
+X509_STORE_CTX_get_current_cert
+X509_STORE_CTX_get_error
+X509_STORE_CTX_get_error_depth
+X509_STORE_CTX_get_ex_data
+X509_STORE_CTX_get_ex_new_index
+X509_STORE_CTX_init
+X509_STORE_CTX_set_cert
+X509_STORE_CTX_set_chain
+X509_STORE_CTX_set_error
+X509_STORE_CTX_set_ex_data
+X509_STORE_add_cert
+X509_STORE_add_crl
+X509_STORE_add_lookup
+X509_STORE_free
+X509_STORE_get_by_subject
+X509_STORE_load_locations
+X509_STORE_new
+X509_STORE_set_default_paths
+X509_VAL_free
+X509_VAL_new
+X509_add_ext
+X509_asn1_meth
+X509_certificate_type
+X509_check_private_key
+X509_cmp_current_time
+X509_delete_ext
+X509_digest
+X509_dup
+X509_find_by_issuer_and_serial
+X509_find_by_subject
+X509_free
+X509_get_default_cert_area
+X509_get_default_cert_dir
+X509_get_default_cert_dir_env
+X509_get_default_cert_file
+X509_get_default_cert_file_env
+X509_get_default_private_dir
+X509_get_ext
+X509_get_ext_by_NID
+X509_get_ext_by_OBJ
+X509_get_ext_by_critical
+X509_get_ext_count
+X509_get_issuer_name
+X509_get_pubkey
+X509_get_pubkey_parameters
+X509_get_serialNumber
+X509_get_subject_name
+X509_gmtime_adj
+X509_issuer_and_serial_cmp
+X509_issuer_and_serial_hash
+X509_issuer_name_cmp
+X509_issuer_name_hash
+X509_load_cert_file
+X509_load_crl_file
+X509_new
+X509_print
+X509_print_fp
+X509_set_issuer_name
+X509_set_notAfter
+X509_set_notBefore
+X509_set_pubkey
+X509_set_serialNumber
+X509_set_subject_name
+X509_set_version
+X509_sign
+X509_subject_name_cmp
+X509_subject_name_hash
+X509_to_X509_REQ
+X509_verify
+X509_verify_cert
+X509_verify_cert_error_string
+X509v3_add_ext
+X509v3_add_extension
+X509v3_add_netscape_extensions
+X509v3_add_standard_extensions
+X509v3_cleanup_extensions
+X509v3_data_type_by_NID
+X509v3_data_type_by_OBJ
+X509v3_delete_ext
+X509v3_get_ext
+X509v3_get_ext_by_NID
+X509v3_get_ext_by_OBJ
+X509v3_get_ext_by_critical
+X509v3_get_ext_count
+X509v3_get_key_usage
+X509v3_pack_string
+X509v3_pack_type_by_NID
+X509v3_pack_type_by_OBJ
+X509v3_set_key_usage
+X509v3_unpack_string
+_des_crypt
+a2d_ASN1_OBJECT
+a2i_ASN1_INTEGER
+a2i_ASN1_STRING
+a2i_X509v3_key_usage
+asn1_Finish
+asn1_GetSequence
+bn_add_words
+bn_div64
+bn_expand2
+bn_mul_add_words
+bn_mul_words
+bn_qadd
+bn_qsub
+bn_sqr_words
+crypt
+d2i_ASN1_BIT_STRING
+d2i_ASN1_BOOLEAN
+d2i_ASN1_HEADER
+d2i_ASN1_IA5STRING
+d2i_ASN1_INTEGER
+d2i_ASN1_OBJECT
+d2i_ASN1_OCTET_STRING
+d2i_ASN1_PRINTABLE
+d2i_ASN1_PRINTABLESTRING
+d2i_ASN1_SET
+d2i_ASN1_T61STRING
+d2i_ASN1_TYPE
+d2i_ASN1_UTCTIME
+d2i_ASN1_bytes
+d2i_ASN1_type_bytes
+d2i_DHparams
+d2i_DSAPrivateKey
+d2i_DSAPrivateKey_bio
+d2i_DSAPrivateKey_fp
+d2i_DSAPublicKey
+d2i_DSAparams
+d2i_NETSCAPE_SPKAC
+d2i_NETSCAPE_SPKI
+d2i_Netscape_RSA
+d2i_Netscape_RSA_2
+d2i_PKCS7
+d2i_PKCS7_DIGEST
+d2i_PKCS7_ENCRYPT
+d2i_PKCS7_ENC_CONTENT
+d2i_PKCS7_ENVELOPE
+d2i_PKCS7_ISSUER_AND_SERIAL
+d2i_PKCS7_RECIP_INFO
+d2i_PKCS7_SIGNED
+d2i_PKCS7_SIGNER_INFO
+d2i_PKCS7_SIGN_ENVELOPE
+d2i_PKCS7_bio
+d2i_PKCS7_fp
+d2i_PrivateKey
+d2i_PublicKey
+d2i_RSAPrivateKey
+d2i_RSAPrivateKey_bio
+d2i_RSAPrivateKey_fp
+d2i_RSAPublicKey
+d2i_RSAPublicKey_bio
+d2i_RSAPublicKey_fp
+d2i_X509
+d2i_X509_ALGOR
+d2i_X509_ATTRIBUTE
+d2i_X509_CINF
+d2i_X509_CRL
+d2i_X509_CRL_INFO
+d2i_X509_CRL_bio
+d2i_X509_CRL_fp
+d2i_X509_EXTENSION
+d2i_X509_NAME
+d2i_X509_NAME_ENTRY
+d2i_X509_PKEY
+d2i_X509_PUBKEY
+d2i_X509_REQ
+d2i_X509_REQ_INFO
+d2i_X509_REQ_bio
+d2i_X509_REQ_fp
+d2i_X509_REVOKED
+d2i_X509_SIG
+d2i_X509_VAL
+d2i_X509_bio
+d2i_X509_fp
+des_cbc_cksum
+des_cbc_encrypt
+des_cblock_print_file
+des_cfb64_encrypt
+des_cfb_encrypt
+des_decrypt3
+des_ecb3_encrypt
+des_ecb_encrypt
+des_ede3_cbc_encrypt
+des_ede3_cfb64_encrypt
+des_ede3_ofb64_encrypt
+des_enc_read
+des_enc_write
+des_encrypt
+des_encrypt2
+des_encrypt3
+des_fcrypt
+des_is_weak_key
+des_key_sched
+des_ncbc_encrypt
+des_ofb64_encrypt
+des_ofb_encrypt
+des_options
+des_pcbc_encrypt
+des_quad_cksum
+des_random_key
+des_random_seed
+des_read_2passwords
+des_read_password
+des_read_pw
+des_read_pw_string
+des_set_key
+des_set_odd_parity
+des_string_to_2keys
+des_string_to_key
+des_xcbc_encrypt
+des_xwhite_in2out
+fcrypt_body
+i2a_ASN1_INTEGER
+i2a_ASN1_OBJECT
+i2a_ASN1_STRING
+i2a_X509v3_key_usage
+i2d_ASN1_BIT_STRING
+i2d_ASN1_BOOLEAN
+i2d_ASN1_HEADER
+i2d_ASN1_IA5STRING
+i2d_ASN1_INTEGER
+i2d_ASN1_OBJECT
+i2d_ASN1_OCTET_STRING
+i2d_ASN1_PRINTABLE
+i2d_ASN1_SET
+i2d_ASN1_TYPE
+i2d_ASN1_UTCTIME
+i2d_ASN1_bytes
+i2d_DHparams
+i2d_DSAPrivateKey
+i2d_DSAPrivateKey_bio
+i2d_DSAPrivateKey_fp
+i2d_DSAPublicKey
+i2d_DSAparams
+i2d_NETSCAPE_SPKAC
+i2d_NETSCAPE_SPKI
+i2d_Netscape_RSA
+i2d_PKCS7
+i2d_PKCS7_DIGEST
+i2d_PKCS7_ENCRYPT
+i2d_PKCS7_ENC_CONTENT
+i2d_PKCS7_ENVELOPE
+i2d_PKCS7_ISSUER_AND_SERIAL
+i2d_PKCS7_RECIP_INFO
+i2d_PKCS7_SIGNED
+i2d_PKCS7_SIGNER_INFO
+i2d_PKCS7_SIGN_ENVELOPE
+i2d_PKCS7_bio
+i2d_PKCS7_fp
+i2d_PrivateKey
+i2d_PublicKey
+i2d_RSAPrivateKey
+i2d_RSAPrivateKey_bio
+i2d_RSAPrivateKey_fp
+i2d_RSAPublicKey
+i2d_RSAPublicKey_bio
+i2d_RSAPublicKey_fp
+i2d_X509
+i2d_X509_ALGOR
+i2d_X509_ATTRIBUTE
+i2d_X509_CINF
+i2d_X509_CRL
+i2d_X509_CRL_INFO
+i2d_X509_CRL_bio
+i2d_X509_CRL_fp
+i2d_X509_EXTENSION
+i2d_X509_NAME
+i2d_X509_NAME_ENTRY
+i2d_X509_PKEY
+i2d_X509_PUBKEY
+i2d_X509_REQ
+i2d_X509_REQ_INFO
+i2d_X509_REQ_bio
+i2d_X509_REQ_fp
+i2d_X509_REVOKED
+i2d_X509_SIG
+i2d_X509_VAL
+i2d_X509_bio
+i2d_X509_fp
+i2t_ASN1_OBJECT
+idea_cbc_encrypt
+idea_cfb64_encrypt
+idea_ecb_encrypt
+idea_encrypt
+idea_ofb64_encrypt
+idea_options
+idea_set_decrypt_key
+idea_set_encrypt_key
+lh_delete
+lh_doall
+lh_doall_arg
+lh_free
+lh_insert
+lh_new
+lh_node_stats
+lh_node_stats_bio
+lh_node_usage_stats
+lh_node_usage_stats_bio
+lh_retrieve
+lh_stats
+lh_stats_bio
+lh_strhash
+ripemd160_block
+sha1_block
+sha_block
+sk_delete
+sk_delete_ptr
+sk_dup
+sk_find
+sk_free
+sk_insert
+sk_new
+sk_pop
+sk_pop_free
+sk_push
+sk_set_cmp_func
+sk_shift
+sk_unshift
+sk_zero
diff --git a/crypto/openssl/dep/files b/crypto/openssl/dep/files
new file mode 100644
index 0000000..85cd7a3
--- /dev/null
+++ b/crypto/openssl/dep/files
@@ -0,0 +1,566 @@
+./e_os.h
+
+./crypto/cryptall.h		CRYPTO
+./crypto/cryptlib.h		CRYPTO
+./crypto/crypto.c		CRYPTO
+./crypto/cversion.c		CRYPTO
+./crypto/date.h			CRYPTO
+./crypto/mem.c			CRYPTO
+./crypto/cpt_err.c		CRYPTO
+./crypto/ex_data.c		CRYPTO
+./crypto/crypto.h		CRYPTO
+./crypto/cryptlib.c		CRYPTO
+./crypto/tmdiff.c		CRYPTO
+
+./crypto/asn1/asn1.h		ASN1
+./crypto/asn1/asn1_mac.h	ASN1
+./crypto/asn1/asn1_err.c	ASN1
+./crypto/asn1/asn1_lib.c	ASN1
+./crypto/asn1/asn1_par.c	ASN1
+./crypto/asn1/a_bitstr.c	ASN1
+./crypto/asn1/a_bmp.c		ASN1
+./crypto/asn1/a_bool.c		ASN1
+./crypto/asn1/a_bytes.c		ASN1
+./crypto/asn1/a_d2i_fp.c	ASN1
+./crypto/asn1/a_digest.c	ASN1
+./crypto/asn1/a_dup.c		ASN1
+./crypto/asn1/a_hdr.c		ASN1
+./crypto/asn1/a_i2d_fp.c	ASN1
+./crypto/asn1/a_int.c		ASN1
+./crypto/asn1/a_meth.c		ASN1
+./crypto/asn1/a_object.c	ASN1
+./crypto/asn1/a_octet.c		ASN1
+./crypto/asn1/a_print.c		ASN1
+./crypto/asn1/a_set.c		ASN1
+./crypto/asn1/a_sign.c		ASN1
+./crypto/asn1/a_type.c		ASN1
+./crypto/asn1/a_utctm.c		ASN1
+./crypto/asn1/a_verify.c	ASN1
+./crypto/asn1/d2i_dhp.c		ASN1
+./crypto/asn1/d2i_dsap.c	ASN1
+./crypto/asn1/d2i_pr.c		ASN1
+./crypto/asn1/d2i_pu.c		ASN1
+./crypto/asn1/d2i_r_pr.c	ASN1
+./crypto/asn1/d2i_r_pu.c	ASN1
+./crypto/asn1/d2i_s_pr.c	ASN1
+./crypto/asn1/d2i_s_pu.c	ASN1
+./crypto/asn1/f_int.c		ASN1
+./crypto/asn1/f_string.c	ASN1
+./crypto/asn1/i2d_dhp.c		ASN1
+./crypto/asn1/i2d_dsap.c	ASN1
+./crypto/asn1/i2d_pr.c		ASN1
+./crypto/asn1/i2d_pu.c		ASN1
+./crypto/asn1/i2d_r_pr.c	ASN1
+./crypto/asn1/i2d_r_pu.c	ASN1
+./crypto/asn1/i2d_s_pr.c	ASN1
+./crypto/asn1/i2d_s_pu.c	ASN1
+./crypto/asn1/n_pkey.c		ASN1
+./crypto/asn1/p7_dgst.c		ASN1
+./crypto/asn1/p7_enc.c		ASN1
+./crypto/asn1/p7_enc_c.c	ASN1
+./crypto/asn1/p7_evp.c		ASN1
+./crypto/asn1/p7_i_s.c		ASN1
+./crypto/asn1/p7_lib.c		ASN1
+./crypto/asn1/p7_recip.c	ASN1
+./crypto/asn1/p7_signd.c	ASN1
+./crypto/asn1/p7_signi.c	ASN1
+./crypto/asn1/p7_s_e.c		ASN1
+./crypto/asn1/pk.c		ASN1
+./crypto/asn1/pkcs8.c		ASN1
+./crypto/asn1/t_pkey.c		ASN1
+./crypto/asn1/t_req.c		ASN1
+./crypto/asn1/t_x509.c		ASN1
+./crypto/asn1/x_algor.c		ASN1
+./crypto/asn1/x_attrib.c	ASN1
+./crypto/asn1/x_cinf.c		ASN1
+./crypto/asn1/x_crl.c		ASN1
+./crypto/asn1/x_exten.c		ASN1
+./crypto/asn1/x_info.c		ASN1
+./crypto/asn1/x_name.c		ASN1
+./crypto/asn1/x_pkey.c		ASN1
+./crypto/asn1/x_pubkey.c	ASN1
+./crypto/asn1/x_req.c		ASN1
+./crypto/asn1/x_sig.c		ASN1
+./crypto/asn1/x_spki.c		ASN1
+./crypto/asn1/x_val.c		ASN1
+./crypto/asn1/x_x509.c		ASN1
+
+./crypto/bf/blowfish.h		BF
+./crypto/bf/bf_pi.h		BF
+./crypto/bf/bf_locl.h		BF
+./crypto/bf/bfspeed.c		BF
+./crypto/bf/bftest.c		BF
+./crypto/bf/bf_cbc.c		BF
+./crypto/bf/bf_cfb64.c		BF
+./crypto/bf/bf_ecb.c		BF
+./crypto/bf/bf_enc.c		BF
+./crypto/bf/bf_ofb64.c		BF
+./crypto/bf/bf_opts.c		BF
+./crypto/bf/bf_skey.c		BF
+
+./crypto/bio/bio.h		BIO
+./crypto/bio/bf_buff.c		BIO
+./crypto/bio/bf_nbio.c		BIO
+./crypto/bio/bf_null.c		BIO
+./crypto/bio/bio_cb.c		BIO
+./crypto/bio/bio_err.c		BIO
+./crypto/bio/bio_lib.c		BIO
+./crypto/bio/bss_acpt.c		BIO
+./crypto/bio/bss_conn.c		BIO
+./crypto/bio/bss_fd.c		BIO
+./crypto/bio/bss_file.c		BIO
+./crypto/bio/bss_mem.c		BIO
+./crypto/bio/bss_null.c		BIO
+./crypto/bio/bss_rtcp.c		BIO
+./crypto/bio/bss_sock.c		BIO
+./crypto/bio/b_dump.c		BIO
+./crypto/bio/b_print.c		BIO
+./crypto/bio/b_sock.c		BIO
+
+./crypto/bn/bn.h		BN
+./crypto/bn/bn_lcl.h		BN
+./crypto/bn/bn_prime.h		BN
+./crypto/bn/bnspeed.c		BN
+./crypto/bn/bntest.c		BN
+./crypto/bn/bn_add.c		BN
+./crypto/bn/bn_bld.c		BN
+./crypto/bn/bn_blind.c		BN
+./crypto/bn/bn_div.c		BN
+./crypto/bn/bn_err.c		BN
+./crypto/bn/bn_exp.c		BN
+./crypto/bn/bn_gcd.c		BN
+./crypto/bn/bn_lib.c		BN
+./crypto/bn/bn_mod.c		BN
+./crypto/bn/bn_mont.c		BN
+./crypto/bn/bn_mul.c		BN
+./crypto/bn/bn_mulw.c		BN
+./crypto/bn/bn_prime.c		BN
+./crypto/bn/bn_print.c		BN
+./crypto/bn/bn_rand.c		BN
+./crypto/bn/bn_recp.c		BN
+./crypto/bn/bn_shift.c		BN
+./crypto/bn/bn_sqr.c		BN
+./crypto/bn/bn_sub.c		BN
+./crypto/bn/bn_word.c		BN
+./crypto/bn/bn_m.c		BN
+./crypto/bn/m.c			BN
+./crypto/bn/expspeed.c		BN
+./crypto/bn/bn_mpi.c		BN
+./crypto/bn/exptest.c		BN
+
+./crypto/buffer/buffer.c	BUFF
+./crypto/buffer/buffer.h	BUFF
+./crypto/buffer/buf_err.c	BUFF
+
+./crypto/cast/cast.h		CAST
+./crypto/cast/castopts.c	CAST
+./crypto/cast/casttest.c	CAST
+./crypto/cast/cast_lcl.h	CAST
+./crypto/cast/cast_s.h		CAST
+./crypto/cast/cast_spd.c	CAST
+./crypto/cast/c_cfb64.c		CAST
+./crypto/cast/c_ecb.c		CAST
+./crypto/cast/c_enc.c		CAST
+./crypto/cast/c_ofb64.c		CAST
+./crypto/cast/c_skey.c		CAST
+
+./crypto/conf/conf_lcl.h	CONF
+./crypto/conf/cnf_save.c	CONF
+./crypto/conf/conf.c		CONF
+./crypto/conf/conf.h		CONF
+./crypto/conf/conf_err.c	CONF
+
+./crypto/des/des.h		DES
+./crypto/des/des_locl.h		DES
+./crypto/des/spr.h		DES
+./crypto/des/podd.h		DES
+./crypto/des/sk.h		DES
+./crypto/des/cbc3_enc.c		DES
+./crypto/des/cbc_cksm.c		DES
+./crypto/des/cbc_enc.c		DES
+./crypto/des/cfb64ede.c		DES
+./crypto/des/cfb64enc.c		DES
+./crypto/des/cfb_enc.c		DES
+./crypto/des/des.c		DES
+./crypto/des/destest.c		DES
+./crypto/des/des_enc.c		DES
+./crypto/des/des_opts.c		DES
+./crypto/des/des_ver.h		DES
+./crypto/des/ecb3_enc.c		DES
+./crypto/des/ecb_enc.c		DES
+./crypto/des/ede_enc.c		DES
+./crypto/des/enc_read.c		DES
+./crypto/des/enc_writ.c		DES
+./crypto/des/fcrypt.c		DES
+./crypto/des/fcrypt_b.c		DES
+./crypto/des/ncbc_enc.c		DES
+./crypto/des/ofb64ede.c		DES
+./crypto/des/ofb64enc.c		DES
+./crypto/des/ofb_enc.c		DES
+./crypto/des/pcbc_enc.c		DES
+./crypto/des/qud_cksm.c		DES
+./crypto/des/rand_key.c		DES
+./crypto/des/read2pwd.c		DES
+./crypto/des/read_pwd.c		DES
+./crypto/des/rpc_des.h		DES
+./crypto/des/rpc_enc.c		DES
+./crypto/des/rpw.c		DES
+./crypto/des/set_key.c		DES
+./crypto/des/str2key.c		DES
+./crypto/des/supp.c		DES
+./crypto/des/xcbc_enc.c		DES
+
+./crypto/dh/dh.h		DH
+./crypto/dh/dh_check.c		DH
+./crypto/dh/dh_err.c		DH
+./crypto/dh/dh_gen.c		DH
+./crypto/dh/dh_key.c		DH
+./crypto/dh/dh_lib.c		DH
+./crypto/dh/p1024.c		DH
+./crypto/dh/p192.c		DH
+./crypto/dh/p512.c		DH
+./crypto/dh/dhtest.c		DH
+
+./crypto/dsa/dsa.h		DSA
+./crypto/dsa/dsagen.c		DSA
+./crypto/dsa/dsa_err.c		DSA
+./crypto/dsa/dsa_gen.c		DSA
+./crypto/dsa/dsa_key.c		DSA
+./crypto/dsa/dsa_lib.c		DSA
+./crypto/dsa/dsa_sign.c		DSA
+./crypto/dsa/dsa_vrf.c		DSA
+./crypto/dsa/dsatest.c		DSA
+
+./crypto/err/err.c		ERR
+./crypto/err/err.h		ERR
+./crypto/err/err_all.c		ERR
+./crypto/err/err_prn.c		ERR
+
+./crypto/evp/evp.h		EVP
+./crypto/evp/bio_b64.c		EVP
+./crypto/evp/bio_enc.c		EVP
+./crypto/evp/bio_md.c		EVP
+./crypto/evp/c_all.c		EVP
+./crypto/evp/digest.c		EVP
+./crypto/evp/encode.c		EVP
+./crypto/evp/evp_enc.c		EVP
+./crypto/evp/evp_err.c		EVP
+./crypto/evp/evp_key.c		EVP
+./crypto/evp/e_cbc_3d.c		EVP
+./crypto/evp/e_cbc_bf.c		EVP
+./crypto/evp/e_cbc_c.c		EVP
+./crypto/evp/e_cbc_d.c		EVP
+./crypto/evp/e_cbc_i.c		EVP
+./crypto/evp/e_cbc_r2.c		EVP
+./crypto/evp/e_cfb_3d.c		EVP
+./crypto/evp/e_cfb_bf.c		EVP
+./crypto/evp/e_cfb_c.c		EVP
+./crypto/evp/e_cfb_d.c		EVP
+./crypto/evp/e_cfb_i.c		EVP
+./crypto/evp/e_cfb_r2.c		EVP
+./crypto/evp/e_dsa.c		EVP
+./crypto/evp/e_ecb_3d.c		EVP
+./crypto/evp/e_ecb_bf.c		EVP
+./crypto/evp/e_ecb_c.c		EVP
+./crypto/evp/e_ecb_d.c		EVP
+./crypto/evp/e_ecb_i.c		EVP
+./crypto/evp/e_ecb_r2.c		EVP
+./crypto/evp/e_null.c		EVP
+./crypto/evp/e_ofb_3d.c		EVP
+./crypto/evp/e_ofb_bf.c		EVP
+./crypto/evp/e_ofb_c.c		EVP
+./crypto/evp/e_ofb_d.c		EVP
+./crypto/evp/e_ofb_i.c		EVP
+./crypto/evp/e_ofb_r2.c		EVP
+./crypto/evp/e_rc4.c		EVP
+./crypto/evp/e_xcbc_d.c		EVP
+./crypto/evp/m_dss.c		EVP
+./crypto/evp/m_dss1.c		EVP
+./crypto/evp/m_md2.c		EVP
+./crypto/evp/m_md5.c		EVP
+./crypto/evp/m_mdc2.c		EVP
+./crypto/evp/m_null.c		EVP
+./crypto/evp/m_sha.c		EVP
+./crypto/evp/m_sha1.c		EVP
+./crypto/evp/names.c		EVP
+./crypto/evp/p_lib.c		EVP
+./crypto/evp/p_open.c		EVP
+./crypto/evp/p_seal.c		EVP
+./crypto/evp/p_sign.c		EVP
+./crypto/evp/p_verify.c		EVP
+
+./crypto/hmac/hmac.c		HMAC
+./crypto/hmac/hmac.h		HMAC
+./crypto/hmac/hmactest.c	HMAC
+
+./crypto/idea/ideatest.c	IDEA
+./crypto/idea/idea_lcl.h	IDEA
+./crypto/idea/idea_spd.c	IDEA
+./crypto/idea/i_cbc.c		IDEA
+./crypto/idea/i_cfb64.c		IDEA
+./crypto/idea/i_ecb.c		IDEA
+./crypto/idea/i_ofb64.c		IDEA
+./crypto/idea/i_skey.c		IDEA
+./crypto/idea/idea.h		IDEA
+
+./crypto/lhash/lhash.c		LHASH
+./crypto/lhash/lhash.h		LHASH
+./crypto/lhash/lh_stats.c	LHASH
+./crypto/lhash/lh_test.c	LHASH
+
+./crypto/md2/md2.c		MD2
+./crypto/md2/md2test.c		MD2
+./crypto/md2/md2_dgst.c		MD2
+./crypto/md2/md2_one.c		MD2
+./crypto/md2/md2.h		MD2
+
+./crypto/md5/md5.c		MD5
+./crypto/md5/md5.h		MD5
+./crypto/md5/md5test.c		MD5
+./crypto/md5/md5_dgst.c		MD5
+./crypto/md5/md5_locl.h		MD5
+./crypto/md5/md5_one.c		MD5
+
+./crypto/mdc2/mdc2.h		MDC2
+./crypto/mdc2/mdc2dgst.c	MDC2
+./crypto/mdc2/mdc2test.c	MDC2
+./crypto/mdc2/mdc2_one.c	MDC2
+
+./crypto/objects/objects.h	OBJ
+./crypto/objects/obj_dat.c	OBJ
+./crypto/objects/obj_dat.h	OBJ
+./crypto/objects/obj_err.c	OBJ
+./crypto/objects/obj_lib.c	OBJ
+
+./crypto/pem/ctx_size.c		PEM
+./crypto/pem/pem.h		PEM
+./crypto/pem/pem_all.c		PEM
+./crypto/pem/pem_err.c		PEM
+./crypto/pem/pem_info.c		PEM
+./crypto/pem/pem_lib.c		PEM
+./crypto/pem/pem_seal.c		PEM
+./crypto/pem/pem_sign.c		PEM
+
+./crypto/pkcs7/pk7_dgst.c	PKCS7
+./crypto/pkcs7/pk7_doit.c	PKCS7
+./crypto/pkcs7/pk7_enc.c	PKCS7
+./crypto/pkcs7/pk7_lib.c	PKCS7
+./crypto/pkcs7/pkcs7.h		PKCS7
+./crypto/pkcs7/pkcs7err.c	PKCS7
+./crypto/pkcs7/sign.c		PKCS7
+
+./crypto/proxy/bf_proxy.c	PROXY
+./crypto/proxy/p2test.c		PROXY
+./crypto/proxy/p3test.c		PROXY
+./crypto/proxy/paccept.c	PROXY
+./crypto/proxy/proxy.c		PROXY
+./crypto/proxy/proxy.h		PROXY
+./crypto/proxy/ptest.c		PROXY
+./crypto/proxy/pxy_conf.c	PROXY
+./crypto/proxy/pxy_err.c	PROXY
+./crypto/proxy/pxy_txt.c	PROXY
+
+./crypto/rand/md_rand.c		RAND
+./crypto/rand/rand.h		RAND
+./crypto/rand/randfile.c	RAND
+./crypto/rand/randtest.c	RAND
+
+./crypto/rc2/rc2cfb64.c		RC2
+./crypto/rc2/rc2ofb64.c		RC2
+./crypto/rc2/rc2speed.c		RC2
+./crypto/rc2/rc2test.c		RC2
+./crypto/rc2/rc2_cbc.c		RC2
+./crypto/rc2/rc2_ecb.c		RC2
+./crypto/rc2/rc2_locl.h		RC2
+./crypto/rc2/rc2_skey.c		RC2
+./crypto/rc2/rc2.h		RC2
+
+./crypto/rc4/rc4.c		RC4
+./crypto/rc4/rc4speed.c		RC4
+./crypto/rc4/rc4test.c		RC4
+./crypto/rc4/rc4_enc.c		RC4
+./crypto/rc4/rc4_skey.c		RC4
+./crypto/rc4/rc4.h		RC4
+./crypto/rc4/rc4_locl.h		RC4
+
+./crypto/rsa/rsa.h		RSA
+./crypto/rsa/rsa_eay.c		RSA
+./crypto/rsa/rsa_err.c		RSA
+./crypto/rsa/rsa_gen.c		RSA
+./crypto/rsa/rsa_lib.c		RSA
+./crypto/rsa/rsa_saos.c		RSA
+./crypto/rsa/rsa_sign.c		RSA
+./crypto/rsa/rsa_ssl.c		RSA
+./crypto/rsa/rsa_pk1.c		RSA
+./crypto/rsa/rsa_none.c		RSA
+
+./crypto/sha/sha.h		SHA
+./crypto/sha/sha_locl.h		SHA
+./crypto/sha/sha.c		SHA0
+./crypto/sha/sha_dgst.c		SHA0
+./crypto/sha/sha_one.c		SHA0
+./crypto/sha/sha_sgst.c		SHA0
+./crypto/sha/shatest.c		SHA0
+./crypto/sha/sha1.c		SHA1
+./crypto/sha/sha1dgst.c		SHA1
+./crypto/sha/sha1_one.c		SHA1
+./crypto/sha/sha1test.c		SHA1
+
+./crypto/stack/stack.c		STACK
+./crypto/stack/stack.h		STACK
+
+./crypto/txt_db/txt_db.c	TXTDB
+./crypto/txt_db/txt_db.h	TXTDB
+
+./crypto/x509/by_dir.c		X509
+./crypto/x509/by_file.c		X509
+./crypto/x509/v3_net.c		X509
+./crypto/x509/v3_x509.c		X509
+./crypto/x509/x509.h		X509
+./crypto/x509/x509name.c	X509
+./crypto/x509/x509pack.c	X509
+./crypto/x509/x509rset.c	X509
+./crypto/x509/x509type.c	X509
+./crypto/x509/x509_cmp.c	X509
+./crypto/x509/x509_d2.c		X509
+./crypto/x509/x509_def.c	X509
+./crypto/x509/x509_err.c	X509
+./crypto/x509/x509_ext.c	X509
+./crypto/x509/x509_lu.c		X509
+./crypto/x509/x509_obj.c	X509
+./crypto/x509/x509_r2x.c	X509
+./crypto/x509/x509_req.c	X509
+./crypto/x509/x509_set.c	X509
+./crypto/x509/x509_txt.c	X509
+./crypto/x509/x509_v3.c		X509
+./crypto/x509/x509_vfy.c	X509
+./crypto/x509/x_all.c		X509
+./crypto/x509/x509_vfy.h	X509
+./crypto/x509v3/v3_ku.c		X509
+./crypto/x509v3/x509v3.h	X509
+
+./crypto/threads/mttest.c	THREADS
+./crypto/threads/th-lock.c	THREADS
+
+./crypto/ripemd/rmdtest.c	RMD160
+./crypto/ripemd/ripemd.h	RMD160
+./crypto/ripemd/rmdconst.h	RMD160
+./crypto/ripemd/rmd_locl.h	RMD160
+./crypto/ripemd/rmd_one.c	RMD160
+./crypto/ripemd/rmd160.c	RMD160
+./crypto/ripemd/rmd_dgst.c	RMD160
+
+./crypto/rc5/rc5_ecb.c		RC5
+./crypto/rc5/rc5cfb64.c		RC5
+./crypto/rc5/rc5ofb64.c		RC5
+./crypto/rc5/rc5speed.c		RC5
+./crypto/rc5/rc5test.c		RC5
+./crypto/rc5/rc5_enc.c		RC5
+./crypto/rc5/rc5.h		RC5
+./crypto/rc5/rc5_locl.h		RC5
+./crypto/rc5/rc5_skey.c		RC5
+
+./ssl/bio_ssl.c			SSL
+./ssl/pxy_ssl.c			SSL
+./ssl/s23_clnt.c		SSL
+./ssl/s23_lib.c			SSL
+./ssl/s23_meth.c		SSL
+./ssl/s23_pkt.c			SSL
+./ssl/s23_srvr.c		SSL
+./ssl/s2_clnt.c			SSL
+./ssl/s2_enc.c			SSL
+./ssl/s2_lib.c			SSL
+./ssl/s2_meth.c			SSL
+./ssl/s2_pkt.c			SSL
+./ssl/s2_srvr.c			SSL
+./ssl/s3_both.c			SSL
+./ssl/s3_clnt.c			SSL
+./ssl/s3_enc.c			SSL
+./ssl/s3_lib.c			SSL
+./ssl/s3_meth.c			SSL
+./ssl/s3_pkt.c			SSL
+./ssl/s3_srvr.c			SSL
+./ssl/ssl.c			SSL
+./ssl/ssl2.h			SSL
+./ssl/ssl23.h			SSL
+./ssl/ssl3.h			SSL
+./ssl/ssl_algs.c		SSL
+./ssl/ssl_asn1.c		SSL
+./ssl/ssl_cert.c		SSL
+./ssl/ssl_ciph.c		SSL
+./ssl/ssl_err.c			SSL
+./ssl/ssl_err2.c		SSL
+./ssl/ssl_lib.c			SSL
+./ssl/ssl_locl.h		SSL
+./ssl/ssl_rsa.c			SSL
+./ssl/ssl_sess.c		SSL
+./ssl/ssl_stat.c		SSL
+./ssl/ssl_task.c		SSL
+./ssl/ssl_txt.c			SSL
+./ssl/tls1.h			SSL
+./ssl/t1_lib.c			SSL
+./ssl/t1_enc.c			SSL
+./ssl/t1_meth.c			SSL
+./ssl/t1_srvr.c			SSL
+./ssl/t1_clnt.c			SSL
+./ssl/ssl.h			SSL
+./ssl/ssltest.c			SSL
+
+./rsaref/rsaref.c		RSAREF
+./rsaref/rsaref.h		RSAREF
+./rsaref/rsar_err.c		RSAREF
+
+./apps/apps.c			APPS
+./apps/apps.h			APPS
+./apps/asn1pars.c		APPS
+./apps/bf_perm.c		APPS
+./apps/bf_perm.h		APPS
+./apps/ca.c			APPS
+./apps/ciphers.c		APPS
+./apps/crl.c			APPS
+./apps/crl2p7.c			APPS
+./apps/dgst.c			APPS
+./apps/dh.c			APPS
+./apps/dsa.c			APPS
+./apps/dsaparam.c		APPS
+./apps/eay.c			APPS
+./apps/enc.c			APPS
+./apps/errstr.c			APPS
+./apps/speed.c			APPS
+./apps/gendh.c			APPS
+./apps/gendsa.c			APPS
+./apps/genrsa.c			APPS
+./apps/mybio_cb.c		APPS
+./apps/pem_mail.c		APPS
+./apps/pkcs7.c			APPS
+./apps/progs.h			APPS
+./apps/req.c			APPS
+./apps/rsa.c			APPS
+./apps/sess_id.c		APPS
+./apps/s_apps.h			APPS
+./apps/s_cb.c			APPS
+./apps/s_client.c		APPS
+./apps/s_server.c		APPS
+./apps/s_socket.c		APPS
+./apps/s_time.c			APPS
+./apps/testdsa.h		APPS
+./apps/testrsa.h		APPS
+./apps/verify.c			APPS
+./apps/version.c		APPS
+./apps/x509.c			APPS
+./apps/ssleay.c			APPS
+./apps/sp.c			APPS
+
+./demos/b64.c			DEMO
+./demos/bio/saccept.c		DEMO
+./demos/bio/sconnect.c		DEMO
+./demos/maurice/example1.c	DEMO
+./demos/maurice/example2.c	DEMO
+./demos/maurice/example3.c	DEMO
+./demos/maurice/example4.c	DEMO
+./demos/maurice/loadkeys.c	DEMO
+./demos/maurice/loadkeys.h	DEMO
+./demos/prime/prime.c		DEMO
+./demos/selfsign.c		DEMO
+./demos/spkigen.c		DEMO
+
diff --git a/crypto/openssl/dep/gen.pl b/crypto/openssl/dep/gen.pl
new file mode 100644
index 0000000..8ab6db5
--- /dev/null
+++ b/crypto/openssl/dep/gen.pl
@@ -0,0 +1,113 @@
+#!/usr/local/bin/perl
+
+require 'getopts.pl';
+
+$files="files";
+%have=();
+%missing=();
+%name=();
+%func=();
+
+&Getopts('Ff:');
+
+&load_file("files");
+foreach $file (@ARGV)
+	{ &do_nm($file); }
+
+if (defined($opt_f))
+	{
+	%a=();
+	$r=&list_files($opt_f,"",*a);
+	if ($opt_F)
+		{
+		foreach (sort split(/\n/,$r))
+			{ print "$_\n"; }
+		}
+	else
+		{ print $r; }
+	}
+else
+	{
+	for (sort keys %have)
+		{
+		print "$_:$have{$_}\n";
+		}
+	}
+
+sub list_files
+	{
+	local($f,$o,*done)=@_;
+	local($a,$_,$ff,$ret);
+
+	return if $f =~ /^\s*$/;
+
+	$done{$f}=1;
+	$ret.=$f."\n" if $opt_F;
+	foreach (split(/ /,$have{$f}))
+		{
+		$ret.="$o$f:$_\n" unless $opt_F;
+		}
+
+	foreach (split(/ /,$missing{$f}))
+		{
+		$ff=$func{$_};
+		next if defined($done{$ff});
+		$ret.=&list_files($ff,$o."	");
+		}
+	$ret;
+	}
+
+sub do_nm
+	{
+	local($file)=@_;
+	local($fname)="";
+
+	open(IN,"nm $file|") || die "unable to run 'nm $file|':$!\n";
+	while (<IN>)
+		{
+		chop;
+		next if /^\s*$/;
+		if (/^(.*)\.o:\s*$/)
+			{
+			$fname="$1.c";
+			next;
+			}
+		($type,$name)=/^.{8} (.) (.+)/;
+#		print "$fname $type $name\n";
+
+		if ($type eq "T")
+			{
+			$have{$fname}.="$name ";
+			$func{$name}=$fname;
+			}
+		elsif ($type eq "U")
+			{
+			$missing{$fname}.="$name ";
+			}
+		}
+	close(IN);
+	}
+
+sub load_file
+	{
+	local($file)=@_;
+
+	open(IN,"<$files") || die "unable to open $files:$!\n";
+
+	while (<IN>)
+		{
+		chop;
+		next if /^\s*$/;
+		($n)=/\/([^\/\s]+)\s+/;
+		($fn)=/^(\S+)\s/;
+#		print "$n - $fn\n";
+		if (defined($name{$n}))
+			{ print "$n already exists\n"; }
+		else
+			{ $name{$n}=$fn; }
+		}
+	close(IN);
+	@name=%name;
+	}
+
+
diff --git a/crypto/openssl/dep/ssl.txt b/crypto/openssl/dep/ssl.txt
new file mode 100644
index 0000000..7cd125a
--- /dev/null
+++ b/crypto/openssl/dep/ssl.txt
@@ -0,0 +1,156 @@
+BIO_f_ssl
+BIO_new_buffer_ssl_connect
+BIO_new_ssl
+BIO_new_ssl_connect
+BIO_proxy_ssl_copy_session_id
+BIO_ssl_copy_session_id
+BIO_ssl_shutdown
+ERR_load_SSL_strings
+SSL_CIPHER_description
+SSL_CIPHER_get_bits
+SSL_CIPHER_get_name
+SSL_CIPHER_get_version
+SSL_CTX_add_client_CA
+SSL_CTX_add_session
+SSL_CTX_check_private_key
+SSL_CTX_ctrl
+SSL_CTX_flush_sessions
+SSL_CTX_free
+SSL_CTX_get_client_CA_list
+SSL_CTX_get_ex_data
+SSL_CTX_get_ex_new_index
+SSL_CTX_get_quiet_shutdown
+SSL_CTX_get_verify_callback
+SSL_CTX_get_verify_mode
+SSL_CTX_load_verify_locations
+SSL_CTX_new
+SSL_CTX_remove_session
+SSL_CTX_set_cert_verify_cb
+SSL_CTX_set_cipher_list
+SSL_CTX_set_client_CA_list
+SSL_CTX_set_default_passwd_cb
+SSL_CTX_set_default_verify_paths
+SSL_CTX_set_ex_data
+SSL_CTX_set_quiet_shutdown
+SSL_CTX_set_ssl_version
+SSL_CTX_set_verify
+SSL_CTX_use_PrivateKey
+SSL_CTX_use_PrivateKey_ASN1
+SSL_CTX_use_PrivateKey_file
+SSL_CTX_use_RSAPrivateKey
+SSL_CTX_use_RSAPrivateKey_ASN1
+SSL_CTX_use_RSAPrivateKey_file
+SSL_CTX_use_certificate
+SSL_CTX_use_certificate_ASN1
+SSL_CTX_use_certificate_file
+SSL_SESSION_cmp
+SSL_SESSION_free
+SSL_SESSION_get_ex_data
+SSL_SESSION_get_ex_new_index
+SSL_SESSION_get_time
+SSL_SESSION_get_timeout
+SSL_SESSION_hash
+SSL_SESSION_new
+SSL_SESSION_print
+SSL_SESSION_print_fp
+SSL_SESSION_set_ex_data
+SSL_SESSION_set_time
+SSL_SESSION_set_timeout
+SSL_accept
+SSL_add_client_CA
+SSL_alert_desc_string
+SSL_alert_desc_string_long
+SSL_alert_type_string
+SSL_alert_type_string_long
+SSL_check_private_key
+SSL_clear
+SSL_connect
+SSL_copy_session_id
+SSL_ctrl
+SSL_do_handshake
+SSL_dup
+SSL_dup_CA_list
+SSL_free
+SSL_get_SSL_CTX
+SSL_get_certificate
+SSL_get_cipher_list
+SSL_get_ciphers
+SSL_get_client_CA_list
+SSL_get_current_cipher
+SSL_get_default_timeout
+SSL_get_error
+SSL_get_ex_data
+SSL_get_ex_new_index
+SSL_get_fd
+SSL_get_info_callback
+SSL_get_peer_cert_chain
+SSL_get_peer_certificate
+SSL_get_privatekey
+SSL_get_quiet_shutdown
+SSL_get_rbio
+SSL_get_read_ahead
+SSL_get_session
+SSL_get_shared_ciphers
+SSL_get_shutdown
+SSL_get_ssl_method
+SSL_get_verify_callback
+SSL_get_verify_mode
+SSL_get_verify_result
+SSL_get_version
+SSL_get_wbio
+SSL_load_client_CA_file
+SSL_load_error_strings
+SSL_new
+SSL_peek
+SSL_pending
+SSL_read
+SSL_renegotiate
+SSL_rstate_string
+SSL_rstate_string_long
+SSL_set_accept_state
+SSL_set_bio
+SSL_set_cipher_list
+SSL_set_client_CA_list
+SSL_set_connect_state
+SSL_set_ex_data
+SSL_set_fd
+SSL_set_info_callback
+SSL_set_quiet_shutdown
+SSL_set_read_ahead
+SSL_set_rfd
+SSL_set_session
+SSL_set_shutdown
+SSL_set_ssl_method
+SSL_set_verify
+SSL_set_verify_result
+SSL_set_wfd
+SSL_shutdown
+SSL_state
+SSL_state_string
+SSL_state_string_long
+SSL_use_PrivateKey
+SSL_use_PrivateKey_ASN1
+SSL_use_PrivateKey_file
+SSL_use_RSAPrivateKey
+SSL_use_RSAPrivateKey_ASN1
+SSL_use_RSAPrivateKey_file
+SSL_use_certificate
+SSL_use_certificate_ASN1
+SSL_use_certificate_file
+SSL_version
+SSL_write
+SSLeay_add_ssl_algorithms
+SSLv23_client_method
+SSLv23_method
+SSLv23_server_method
+SSLv2_client_method
+SSLv2_method
+SSLv2_server_method
+SSLv3_client_method
+SSLv3_method
+SSLv3_server_method
+TLSv1_client_method
+TLSv1_method
+TLSv1_server_method
+d2i_SSL_SESSION
+i2d_SSL_SESSION
diff --git a/crypto/openssl/doc/README b/crypto/openssl/doc/README
new file mode 100644
index 0000000..14469a8
--- /dev/null
+++ b/crypto/openssl/doc/README
@@ -0,0 +1,10 @@
+
+ apps/openssl.pod .... Documentation of OpenSSL `openssl' command
+ crypto/crypto.pod ... Documentation of OpenSSL crypto.h+libcrypto.a
+ ssl/ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
+ openssl.txt ......... Assembled documentation files for OpenSSL [not final]
+ ssleay.txt .......... Assembled documentation of ancestor SSLeay [obsolete]
+
+ An archive of HTML documents for the SSLeay library is available from
+ http://www.columbia.edu/~ariel/ssleay/
+
diff --git a/crypto/openssl/doc/apps/CA.pl.pod b/crypto/openssl/doc/apps/CA.pl.pod
new file mode 100644
index 0000000..9d287f0
--- /dev/null
+++ b/crypto/openssl/doc/apps/CA.pl.pod
@@ -0,0 +1,167 @@
+
+=pod
+
+=head1 NAME
+
+CA.pl - friendlier interface for OpenSSL certificate programs
+
+=head1 SYNOPSIS
+
+B<CA.pl>
+[B<-?>]
+[B<-h>]
+[B<-help>]
+[B<-newcert>]
+[B<-newreq>]
+[B<-newca>]
+[B<-xsign>]
+[B<-sign>]
+[B<-signreq>]
+[B<-signcert>]
+[B<-verify>]
+[B<files>]
+
+=head1 DESCRIPTION
+
+The B<CA.pl> script is a perl script that supplies the relevant command line
+arguments to the B<openssl> command for some common certificate operations.
+It is intended to simplify the process of certificate creation and management
+by the use of some simple options.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<?>, B<-h>, B<-help>
+
+prints a usage message.
+
+=item B<-newcert>
+
+creates a new self signed certificate. The private key and certificate are
+written to the file "newreq.pem".
+
+=item B<-newreq>
+
+creates a new certificate request. The private key and request are
+written to the file "newreq.pem".
+
+=item B<-newca>
+
+creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
+and B<-xsign> options). The user is prompted to enter the filename of the CA
+certificates (which should also contain the private key) or by hitting ENTER
+details of the CA will be prompted for. The relevant files and directories
+are created in a directory called "demoCA" in the current directory.
+
+=item B<-pkcs12>
+
+create a PKCS#12 file containing the user certificate, private key and CA
+certificate. It expects the user certificate and private key to be in the
+file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
+it creates a file "newcert.p12". This command can thus be called after the
+B<-sign> option. The PKCS#12 file can be imported directly into a browser.
+If there is an additional argument on the command line it will be used as the
+"friendly name" for the certificate (which is typically displayed in the browser
+list box), otherwise the name "My Certificate" is used.
+
+=item B<-sign>, B<-signreq>, B<-xsign>
+
+calls the B<ca> program to sign a certificate request. It expects the request
+to be in the file "newreq.pem". The new certificate is written to the file
+"newcert.pem" except in the case of the B<-xcert> option when it is written
+to standard output.
+
+=item B<-signcert>
+
+this option is the same as B<-sign> except it expects a self signed certificate
+to be present in the file "newreq.pem".
+
+=item B<-verify>
+
+verifies certificates against the CA certificate for "demoCA". If no certificates
+are specified on the command line it tries to verify the file "newcert.pem". 
+
+=item B<files>
+
+one or more optional certificate file names for use with the B<-verify> command.
+
+=back
+
+=head1 EXAMPLES
+
+Create a CA hierarchy:
+
+ CA.pl -newca
+
+Complete certificate creation example: create a CA, create a request, sign
+the request and finally create a PKCS#12 file containing it.
+
+ CA.pl -newca
+ CA.pl -newreq
+ CA.pl -signreq
+ CA.pl -pkcs12 "My Test Certificate"
+
+=head1 DSA CERTIFICATES
+
+Although the B<CA.pl> creates RSA CAs and requests it is still possible to
+use it with DSA certificates and requests using the L<req(1)|req(1)> command
+directly. The following example shows the steps that would typically be taken.
+
+Create some DSA parameters:
+
+ openssl dsaparam -out dsap.pem 1024
+
+Create a DSA CA certificate and private key:
+
+ openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
+
+Create the CA directories and files:
+
+ CA.pl -newca
+
+enter cacert.pem when prompted for the CA file name.
+
+Create a DSA certificate request and privat key (a different set of parameters
+can optionally be created first):
+
+ openssl req -out newreq.pem -newkey dsa:dsap.pem 
+
+Sign the request:
+
+ CA.pl -signreq
+
+=head1 NOTES
+
+Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
+
+If the demoCA directory already exists then the B<-newca> command will not
+overwrite it and will do nothing. This can happen if a previous call using
+the B<-newca> option terminated abnormally. To get the correct behaviour
+delete the demoCA directory if it already exists.
+
+Under some environments it may not be possible to run the B<CA.pl> script
+directly (for example Win32) and the default configuration file location may
+be wrong. In this case the command:
+
+ perl -S CA.pl
+
+can be used and the B<OPENSSL_CONF> environment variable changed to point to 
+the correct path of the configuration file "openssl.cnf".
+
+The script is intended as a simple front end for the B<openssl> program for use
+by a beginner. Its behaviour isn't always what is wanted. For more control over the
+behaviour of the certificate commands call the B<openssl> command directly.
+
+=head1 ENVIRONMENT VARIABLES
+
+The variable B<OPENSSL_CONF> if defined allows an alternative configuration
+file location to be specified, it should contain the full path to the
+configuration file, not just its directory.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
+L<config(5)|config(5)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/asn1parse.pod b/crypto/openssl/doc/apps/asn1parse.pod
new file mode 100644
index 0000000..e76e981
--- /dev/null
+++ b/crypto/openssl/doc/apps/asn1parse.pod
@@ -0,0 +1,129 @@
+=pod
+
+=head1 NAME
+
+asn1parse - ASN.1 parsing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<asn1parse>
+[B<-inform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-offset number>]
+[B<-length number>]
+[B<-i>]
+[B<-oid filename>]
+[B<-strparse offset>]
+
+=head1 DESCRIPTION
+
+The B<asn1parse> command is a diagnostic utility that can parse ASN.1
+structures. It can also be used to extract data from ASN.1 formatted data.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform> B<DER|PEM>
+
+the input format. B<DER> is binary format and B<PEM> (the default) is base64
+encoded.
+
+=item B<-in filename>
+
+the input file, default is standard input
+
+=item B<-out filename>
+
+output file to place the DER encoded data into. If this
+option is not present then no data will be output. This is most useful when
+combined with the B<-strparse> option.
+
+=item B<-noout>
+
+don't output the parsed version of the input file.
+
+=item B<-offset number>
+
+starting offset to begin parsing, default is start of file.
+
+=item B<-length number>
+
+number of bytes to parse, default is until end of file.
+
+=item B<-i>
+
+indents the output according to the "depth" of the structures.
+
+=item B<-oid filename>
+
+a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
+file is described in the NOTES section below.
+
+=item B<-strparse offset>
+
+parse the contents octets of the ASN.1 object starting at B<offset>. This
+option can be used multiple times to "drill down" into a nested structure.
+
+
+=back
+
+=head2 OUTPUT
+
+The output will typically contain lines like this:
+
+  0:d=0  hl=4 l= 681 cons: SEQUENCE          
+
+.....
+
+  229:d=3  hl=3 l= 141 prim: BIT STRING        
+  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
+  376:d=3  hl=3 l= 159 cons: SEQUENCE          
+  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
+  386:d=5  hl=2 l=  22 prim: OCTET STRING      
+  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
+  417:d=5  hl=2 l= 105 prim: OCTET STRING      
+  524:d=4  hl=2 l=  12 cons: SEQUENCE          
+
+.....
+
+This example is part of a self signed certificate. Each line starts with the
+offset in decimal. B<d=XX> specifies the current depth. The depth is increased
+within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length
+(tag and length octets) of the current type. B<l=XX> gives the length of
+the contents octets.
+
+The B<-i> option can be used to make the output more readable.
+
+Some knowledge of the ASN.1 structure is needed to interpret the output. 
+
+In this example the BIT STRING at offset 229 is the certificate public key.
+The contents octets of this will contain the public key information. This can
+be examined using the option B<-strparse 229> to yield:
+
+    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
+  135:d=1  hl=2 l=   3 prim: INTEGER           :010001
+
+=head1 NOTES
+
+If an OID is not part of OpenSSL's internal table it will be represented in
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option 
+allows additional OIDs to be included. Each line consists of three columns,
+the first column is the OID in numerical format and should be followed by white
+space. The second column is the "short name" which is a single word followed
+by white space. The final column is the rest of the line and is the
+"long name". B<asn1parse> displays the long name. Example:
+
+C<1.2.3.4	shortName	A long name>
+
+=head1 BUGS
+
+There should be options to change the format of input lines. The output of some
+ASN.1 types is not well handled (if at all).
+
+=cut
diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
new file mode 100644
index 0000000..03209aa
--- /dev/null
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -0,0 +1,479 @@
+
+=pod
+
+=head1 NAME
+
+ca - sample minimal CA application
+
+=head1 SYNOPSIS
+
+B<openssl> B<ca>
+[B<-verbose>]
+[B<-config filename>]
+[B<-name section>]
+[B<-gencrl>]
+[B<-revoke file>]
+[B<-crldays days>]
+[B<-crlhours hours>]
+[B<-crlexts section>]
+[B<-startdate date>]
+[B<-enddate date>]
+[B<-days arg>]
+[B<-md arg>]
+[B<-policy arg>]
+[B<-keyfile arg>]
+[B<-key arg>]
+[B<-cert file>]
+[B<-in file>]
+[B<-out file>]
+[B<-notext>]
+[B<-outdir dir>]
+[B<-infiles>]
+[B<-spkac file>]
+[B<-ss_cert file>]
+[B<-preserveDN>]
+[B<-batch>]
+[B<-msie_hack>]
+[B<-extensions section>]
+
+=head1 DESCRIPTION
+
+The B<ca> command is a minimal CA application. It can be used
+to sign certificate requests in a variety of forms and generate
+CRLs it also maintains a text database of issued certificates
+and their status.
+
+The options descriptions will be divided into each purpose.
+
+=head1 CA OPTIONS
+
+=over 4
+
+=item B<-config filename>
+
+specifies the configuration file to use.
+
+=item B<-in filename>
+
+an input filename containing a single certificate request to be
+signed by the CA.
+
+=item B<-ss_cert filename>
+
+a single self signed certificate to be signed by the CA.
+
+=item B<-spkac filename>
+
+a file containing a single Netscape signed public key and challenge
+and additional field values to be signed by the CA. See the B<NOTES>
+section for information on the required format.
+
+=item B<-infiles>
+
+if present this should be the last option, all subsequent arguments
+are assumed to the the names of files containing certificate requests. 
+
+=item B<-out filename>
+
+the output file to output certificates to. The default is standard
+output. The certificate details will also be printed out to this
+file.
+
+=item B<-outdir directory>
+
+the directory to output certificates to. The certificate will be
+written to a filename consisting of the serial number in hex with
+".pem" appended.
+
+=item B<-cert>
+
+the CA certificate file.
+
+=item B<-keyfile filename>
+
+the private key to sign requests with.
+
+=item B<-key password>
+
+the password used to encrypt the private key. Since on some
+systems the command line arguments are visible (e.g. Unix with
+the 'ps' utility) this option should be used with caution.
+
+=item B<-verbose>
+
+this prints extra details about the operations being performed.
+
+=item B<-notext>
+
+don't output the text form of a certificate to the output file.
+
+=item B<-startdate date>
+
+this allows the start date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-enddate date>
+
+this allows the expiry date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-days arg>
+
+the number of days to certify the certificate for.
+
+=item B<-md alg>
+
+the message digest to use. Possible values include md5, sha1 and mdc2.
+This option also applies to CRLs.
+
+=item B<-policy arg>
+
+this option defines the CA "policy" to use. This is a section in
+the configuration file which decides which fields should be mandatory
+or match the CA certificate. Check out the B<POLICY FORMAT> section
+for more information.
+
+=item B<-msie_hack>
+
+this is a legacy option to make B<ca> work with very old versions of
+the IE certificate enrollment control "certenr3". It used UniversalStrings
+for almost everything. Since the old control has various security bugs
+its use is strongly discouraged. The newer control "Xenroll" does not
+need this option.
+
+=item B<-preserveDN>
+
+Normally the DN order of a certificate is the same as the order of the
+fields in the relevant policy section. When this option is set the order 
+is the same as the request. This is largely for compatibility with the
+older IE enrollment control which would only accept certificates if their
+DNs match the order of the request. This is not needed for Xenroll.
+
+=item B<-batch>
+
+this sets the batch mode. In this mode no questions will be asked
+and all certificates will be certified automatically.
+
+=item B<-extensions section>
+
+the section of the configuration file containing certificate extensions
+to be added when a certificate is issued. If no extension section is
+present then a V1 certificate is created. If the extension section
+is present (even if it is empty) then a V3 certificate is created.
+
+=back
+
+=head1 CRL OPTIONS
+
+=over 4
+
+=item B<-gencrl>
+
+this option generates a CRL based on information in the index file.
+
+=item B<-crldays num>
+
+the number of days before the next CRL is due. That is the days from
+now to place in the CRL nextUpdate field.
+
+=item B<-crlhours num>
+
+the number of hours before the next CRL is due.
+
+=item B<-revoke filename>
+
+a filename containing a certificate to revoke.
+
+=item B<-crlexts section>
+
+the section of the configuration file containing CRL extensions to
+include. If no CRL extension section is present then a V1 CRL is
+created, if the CRL extension section is present (even if it is
+empty) then a V2 CRL is created. The CRL extensions specified are
+CRL extensions and B<not> CRL entry extensions.  It should be noted
+that some software (for example Netscape) can't handle V2 CRLs. 
+
+=back
+
+=head1 CONFIGURATION FILE OPTIONS
+
+The options for B<ca> are contained in the B<ca> section of the
+configuration file. Many of these are identical to command line
+options. Where the option is present in the configuration file
+and the command line the command line value is used. Where an
+option is described as mandatory then it must be present in
+the configuration file or the command line equivalent (if
+any) used.
+
+=over 4
+
+=item B<oid_file>
+
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+
+=item B<oid_section>
+
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used.
+
+=item B<new_certs_dir>
+
+the same as the B<-outdir> command line option. It specifies
+the directory where new certificates will be placed. Mandatory.
+
+=item B<certificate>
+
+the same as B<-cert>. It gives the file containing the CA
+certificate. Mandatory.
+
+=item B<private_key>
+
+same as the B<-keyfile> option. The file containing the
+CA private key. Mandatory.
+
+=item B<RANDFILE>
+
+a file used to read and write random number seed information, or
+an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+
+=item B<default_days>
+
+the same as the B<-days> option. The number of days to certify
+a certificate for. 
+
+=item B<default_startdate>
+
+the same as the B<-startdate> option. The start date to certify
+a certificate for. If not set the current time is used.
+
+=item B<default_enddate>
+
+the same as the B<-enddate> option. Either this option or
+B<default_days> (or the command line equivalents) must be
+present.
+
+=item B<default_crl_hours default_crl_days>
+
+the same as the B<-crlhours> and the B<-crldays> options. These
+will only be used if neither command line option is present. At
+least one of these must be present to generate a CRL.
+
+=item B<default_md>
+
+the same as the B<-md> option. The message digest to use. Mandatory.
+
+=item B<database>
+
+the text database file to use. Mandatory. This file must be present
+though initially it will be empty.
+
+=item B<serialfile>
+
+a text file containing the next serial number to use in hex. Mandatory.
+This file must be present and contain a valid serial number.
+
+=item B<x509_extensions>
+
+the same as B<-extensions>.
+
+=item B<crl_extensions>
+
+the same as B<-crlexts>.
+
+=item B<preserve>
+
+the same as B<-preserveDN>
+
+=item B<msie_hack>
+
+the same as B<-msie_hack>
+
+=item B<policy>
+
+the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
+for more information.
+
+=back
+
+=head1 POLICY FORMAT
+
+The policy section consists of a set of variables corresponding to
+certificate DN fields. If the value is "match" then the field value
+must match the same field in the CA certificate. If the value is
+"supplied" then it must be present. If the value is "optional" then
+it may be present. Any fields not mentioned in the policy section
+are silently deleted, unless the B<-preserveDN> option is set but
+this can be regarded more of a quirk than intended behaviour.
+
+=head1 SPKAC FORMAT
+
+The input to the B<-spkac> command line option is a Netscape
+signed public key and challenge. This will usually come from
+the B<KEYGEN> tag in an HTML form to create a new private key. 
+It is however possible to create SPKACs using the B<spkac> utility.
+
+The file should contain the variable SPKAC set to the value of
+the SPKAC and also the required DN components as name value pairs.
+If you need to include the same component twice then it can be
+preceded by a number and a '.'.
+
+=head1 EXAMPLES
+
+Note: these examples assume that the B<ca> directory structure is
+already set up and the relevant files already exist. This usually
+involves creating a CA certificate and private key with B<req>, a
+serial number file and an empty index file and placing them in
+the relevant directories.
+
+To use the sample configuration file below the directories demoCA,
+demoCA/private and demoCA/newcerts would be created. The CA
+certificate would be copied to demoCA/cacert.pem and its private
+key to demoCA/private/cakey.pem. A file demoCA/serial would be
+created containing for example "01" and the empty index file
+demoCA/index.txt.
+
+
+Sign a certificate request:
+
+ openssl ca -in req.pem -out newcert.pem
+
+Generate a CRL
+
+ openssl ca -gencrl -out crl.pem
+
+Sign several requests:
+
+ openssl ca -infiles req1.pem req2.pem req3.pem
+
+Certify a Netscape SPKAC:
+
+ openssl ca -spkac spkac.txt
+
+A sample SPKAC file (the SPKAC line has been truncated for clarity):
+
+ SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
+ CN=Steve Test
+ emailAddress=steve@openssl.org
+ 0.OU=OpenSSL Group
+ 1.OU=Another Group
+
+A sample configuration file with the relevant sections for B<ca>:
+
+ [ ca ]
+ default_ca      = CA_default            # The default ca section
+ 
+ [ CA_default ]
+
+ dir            = ./demoCA              # top dir
+ database       = $dir/index.txt        # index file.
+ new_certs_dir	= $dir/newcerts         # new certs dir
+ 
+ certificate    = $dir/cacert.pem       # The CA cert
+ serial         = $dir/serial           # serial no file
+ private_key    = $dir/private/cakey.pem# CA private key
+ RANDFILE       = $dir/private/.rand    # random number file
+ 
+ default_days   = 365                   # how long to certify for
+ default_crl_days= 30                   # how long before next CRL
+ default_md     = md5                   # md to use
+
+ policy         = policy_any            # default policy
+
+ [ policy_any ]
+ countryName            = supplied
+ stateOrProvinceName    = optional
+ organizationName       = optional
+ organizationalUnitName = optional
+ commonName             = supplied
+ emailAddress           = optional
+
+=head1 WARNINGS
+
+The B<ca> command is quirky and at times downright unfriendly.
+
+The B<ca> utility was originally meant as an example of how to do things
+in a CA. It was not supposed be be used as a full blown CA itself:
+nevertheless some people are using it for this purpose.
+
+The B<ca> command is effectively a single user command: no locking is
+done on the various files and attempts to run more than one B<ca> command
+on the same database can have unpredictable results.
+
+=head1 FILES
+
+Note: the location of all files can change either by compile time options,
+configuration file entries, environment variables or command line options.
+The values below reflect the default values.
+
+ /usr/local/ssl/lib/openssl.cnf - master configuration file
+ ./demoCA                       - main CA directory
+ ./demoCA/cacert.pem            - CA certificate
+ ./demoCA/private/cakey.pem     - CA private key
+ ./demoCA/serial                - CA serial number file
+ ./demoCA/serial.old            - CA serial number backup file
+ ./demoCA/index.txt             - CA text database file
+ ./demoCA/index.txt.old         - CA text database backup file
+ ./demoCA/certs                 - certificate output file
+ ./demoCA/.rnd                  - CA random seed information
+
+=head1 ENVIRONMENT VARIABLES
+
+B<OPENSSL_CONF> reflects the location of master configuration file it can
+be overridden by the B<-config> command line option.
+
+=head1 RESTRICTIONS
+
+The text database index file is a critical part of the process and 
+if corrupted it can be difficult to fix. It is theoretically possible
+to rebuild the index file from all the issued certificates and a current
+CRL: however there is no option to do this.
+
+CRL entry extensions cannot currently be created: only CRL extensions
+can be added.
+
+V2 CRL features like delta CRL support and CRL numbers are not currently
+supported.
+
+Although several requests can be input and handled at once it is only
+possible to include one SPKAC or self signed certificate.
+
+=head1 BUGS
+
+The use of an in memory text database can cause problems when large
+numbers of certificates are present because, as the name implies
+the database has to be kept in memory.
+
+Certificate request extensions are ignored: some kind of "policy" should
+be included to use certain static extensions and certain extensions
+from the request.
+
+It is not possible to certify two certificates with the same DN: this
+is a side effect of how the text database is indexed and it cannot easily
+be fixed without introducing other problems. Some S/MIME clients can use
+two certificates with the same DN for separate signing and encryption
+keys.
+
+The B<ca> command really needs rewriting or the required functionality
+exposed at either a command or interface level so a more friendly utility
+(perl script or GUI) can handle things properly. The scripts B<CA.sh> and
+B<CA.pl> help a little but not very much.
+
+Any fields in a request that are not present in a policy are silently
+deleted. This does not happen if the B<-preserveDN> option is used but
+the extra fields are not displayed when the user is asked to certify
+a request. The behaviour should be more friendly and configurable.
+
+Cancelling some commands by refusing to certify a certificate can
+create an empty file.
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
+L<config(5)|config(5)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/ciphers.pod b/crypto/openssl/doc/apps/ciphers.pod
new file mode 100644
index 0000000..2301e28
--- /dev/null
+++ b/crypto/openssl/doc/apps/ciphers.pod
@@ -0,0 +1,342 @@
+=pod
+
+=head1 NAME
+
+ciphers - SSL cipher display and cipher list tool.
+
+=head1 SYNOPSIS
+
+B<openssl> B<ciphers>
+[B<-v>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<cipherlist>]
+
+=head1 DESCRIPTION
+
+The B<cipherlist> command converts OpenSSL cipher lists into ordered
+SSL cipher preference lists. It can be used as a test tool to determine
+the appropriate cipherlist.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-v>
+
+verbose option. List ciphers with a complete description of the authentication,
+key exchange, encryption and mac algorithms used along with any key size
+restrictions and whether the algorithm is classed as an "export" cipher.
+
+=item B<-ssl3>
+
+only include SSL v3 ciphers.
+
+=item B<-ssl2>
+
+only include SSL v2 ciphers.
+
+=item B<-tls1>
+
+only include TLS v1 ciphers.
+
+=item B<-h>, B<-?>
+
+print a brief usage message.
+
+=item B<cipherlist>
+
+a cipher list to convert to a cipher preference list. If it is not included
+then the default cipher list will be used. The format is described below.
+
+=back
+
+=head1 CIPHER LIST FORMAT
+
+The cipher list consists of one or more I<cipher strings> separated by colons.
+Commas or spaces are also acceptable separators but colons are normally used.
+
+The actual cipher string can take several different forms.
+
+It can consist of a single cipher suite such as B<RC4-SHA>.
+
+It can represent a list of cipher suites containing a certain algorithm, or
+cipher suites of a certain type. For example B<SHA1> represents all ciphers
+suites using the digest algorithm SHA1 and B<SSLv3> represents all SSL v3
+algorithms.
+
+Lists of cipher suites can be combined in a single cipher string using the
+B<+> character. This is used as a logical B<and> operation. For example
+B<SHA1+DES> represents all cipher suites containing the SHA1 B<and> the DES
+algorithms.
+
+Each cipher string can be optionally preceded by the characters B<!>,
+B<-> or B<+>.
+
+If B<!> is used then the ciphers are permanently deleted from the list.
+The ciphers deleted can never reappear in the list even if they are
+explicitly stated.
+
+If B<-> is used then the ciphers are deleted from the list, but some or
+all of the ciphers can be added again by later options.
+
+If B<+> is used then the ciphers are moved to the end of the list. This
+option doesn't add any new ciphers it just moves matching existing ones.
+
+If none of these characters is present then the string is just interpreted
+as a list of ciphers to be appended to the current preference list. If the
+list includes any ciphers already present they will be ignored: that is they
+will not moved to the end of the list.
+
+Additionally the cipher string B<@STRENGTH> can be used at any point to sort
+the current cipher list in order of encryption algorithm key length.
+
+=head1 CIPHER STRINGS
+
+The following is a list of all permitted cipher strings and their meanings.
+
+=over 4
+
+=item B<DEFAULT>
+
+the default cipher list. This is determined at compile time and is normally
+B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
+specified.
+
+=item B<ALL>
+
+all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled.
+
+=item B<HIGH>
+
+"high" encryption cipher suites. This currently means those with key lengths larger
+than 128 bits.
+
+=item B<MEDIUM>
+
+"medium" encryption cipher suites, currently those using 128 bit encryption.
+
+=item B<LOW>
+
+"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
+but excluding export cipher suites.
+
+=item B<EXP>, B<EXPORT>
+
+export encryption algorithms. Including 40 and 56 bits algorithms.
+
+=item B<EXPORT40>
+
+40 bit export encryption algorithms
+
+=item B<EXPORT56>
+
+56 bit export encryption algorithms.
+
+=item B<eNULL>, B<NULL>
+
+the "NULL" ciphers that is those offering no encryption. Because these offer no
+encryption at all and are a security risk they are disabled unless explicitly
+included.
+
+=item B<aNULL>
+
+the cipher suites offering no authentication. This is currently the anonymous
+DH algorithms. These cipher suites are vulnerable to a "man in the middle"
+attack and so their use is normally discouraged.
+
+=item B<kRSA>, B<RSA>
+
+cipher suites using RSA key exchange.
+
+=item B<kEDH>
+
+cipher suites using ephemeral DH key agreement.
+
+=item B<kDHr>, B<kDHd>
+
+cipher suites using DH key agreement and DH certificates signed by CAs with RSA
+and DSS keys respectively. Not implemented.
+
+=item B<aRSA>
+
+cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
+
+=item B<aDSS>, B<DSS>
+
+cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+
+=item B<aDH>
+
+cipher suites effectively using DH authentication, i.e. the certificates carry
+DH keys.  Not implemented.
+
+=item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
+
+ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+FORTEZZA algorithms. Not implemented.
+
+=item B<TLSv1>, B<SSLv3>, B<SSLv2>
+
+TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
+
+=item B<DH>
+
+cipher suites using DH, including anonymous DH.
+
+=item B<ADH>
+
+anonymous DH cipher suites.
+
+=item B<3DES>
+
+cipher suites using triple DES.
+
+=item B<DES>
+
+cipher suites using DES (not triple DES).
+
+=item B<RC4>
+
+cipher suites using RC4.
+
+=item B<RC2>
+
+cipher suites using RC2.
+
+=item B<IDEA>
+
+cipher suites using IDEA.
+
+=item B<MD5>
+
+cipher suites using MD5.
+
+=item B<SHA1>, B<SHA>
+
+cipher suites using SHA1.
+
+=back
+
+=head1 CIPHER SUITE NAMES
+
+The following lists give the SSL or TLS cipher suites names from the
+relevant specification and their OpenSSL equivalents.
+
+=head2 SSL v3.0 cipher suites.
+
+ SSL_RSA_WITH_NULL_MD5                   NULL-MD5
+ SSL_RSA_WITH_NULL_SHA                   NULL-SHA
+ SSL_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+ SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
+ SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
+ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+ SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+ SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+ SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+ SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+
+ SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ SSL_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+ SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ SSL_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+ SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+ SSL_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+ SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+ SSL_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+ SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+ SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+ SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+ SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+ SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
+ SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
+ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.
+
+=head2 TLS v1.0 cipher suites.
+
+ TLS_RSA_WITH_NULL_MD5                   NULL-MD5
+ TLS_RSA_WITH_NULL_SHA                   NULL-SHA
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+ TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
+ TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+ TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+ TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+
+ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+ TLS_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+ TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+ TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+ TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+=head2 Additional Export 1024 and other cipher suites
+
+Note: these ciphers can also be used in SSL v3.
+
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     EXP1024-DES-CBC-SHA
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      EXP1024-RC4-SHA
+ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
+ TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+
+=head2 SSL v2.0 cipher suites.
+
+ SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+ SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+ SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
+ SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+ SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
+
+=head1 NOTES
+
+The non-ephemeral DH modes are currently unimplemented in OpenSSL
+because there is no support for DH certificates.
+
+Some compiled versions of OpenSSL may not include all the ciphers
+listed here because some ciphers were excluded at compile time.
+
+=head1 EXAMPLES
+
+Verbose listing of all OpenSSL ciphers including NULL ciphers:
+
+ openssl ciphers -v 'ALL:eNULL'
+
+Include all ciphers except NULL and anonymous DH then sort by
+strength:
+
+ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+
+Include only 3DES ciphers and then place RSA ciphers last:
+
+ openssl ciphers -v '3DES:+RSA'
+
+=head1 SEE ALSO
+
+L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod
new file mode 100644
index 0000000..ce874a4
--- /dev/null
+++ b/crypto/openssl/doc/apps/config.pod
@@ -0,0 +1,138 @@
+
+=pod
+
+=head1 NAME
+
+config - OpenSSL CONF library configuration files
+
+=head1 DESCRIPTION
+
+The OpenSSL CONF library can be used to read configuration files.
+It is used for the OpenSSL master configuration file B<openssl.cnf>
+and in a few other places like B<SPKAC> files and certificate extension
+files for the B<x509> utility.
+
+A configuration file is divided into a number of sections. Each section
+starts with a line B<[ section_name ]> and ends when a new section is
+started or end of file is reached. A section name can consist of
+alphanumeric characters and underscores.
+
+The first section of a configuration file is special and is referred
+to as the B<default> section this is usually unnamed and is from the
+start of file until the first named section. When a name is being looked up
+it is first looked up in a named section (if any) and then the
+default section.
+
+The environment is mapped onto a section called B<ENV>.
+
+Comments can be included by preceding them with the B<#> character
+
+Each section in a configuration file consists of a number of name and
+value pairs of the form B<name=value>
+
+The B<name> string can contain any alphanumeric characters as well as
+a few punctuation symbols such as B<.> B<,> B<;> and B<_>.
+
+The B<value> string consists of the string following the B<=> character
+until end of line with any leading and trailing white space removed.
+
+The value string undergoes variable expansion. This can be done by
+including the form B<$var> or B<${var}>: this will substitute the value
+of the named variable in the current section. It is also possible to
+substitute a value from another section using the syntax B<$section::name>
+or B<${section::name}>. By using the form B<$ENV::name> environment
+variables can be substituted. It is also possible to assign values to
+environment variables by using the name B<ENV::name>, this will work
+if the program looks up environment variables using the B<CONF> library
+instead of calling B<getenv()> directly.
+
+It is possible to escape certain characters by using any kind of quote
+or the B<\> character. By making the last character of a line a B<\>
+a B<value> string can be spread across multiple lines. In addition
+the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
+
+=head1 NOTES
+
+If a configuration file attempts to expand a variable that doesn't exist
+then an error is flagged and the file will not load. This can happen
+if an attempt is made to expand an environment variable that doesn't
+exist. For example the default OpenSSL master configuration file used
+the value of B<HOME> which may not be defined on non Unix systems.
+
+This can be worked around by including a B<default> section to provide
+a default value: then if the environment lookup fails the default value
+will be used instead. For this to work properly the default value must
+be defined earlier in the configuration file than the expansion. See
+the B<EXAMPLES> section for an example of how to do this.
+
+If the same variable exists in the same section then all but the last
+value will be silently ignored. In certain circumstances such as with
+DNs the same field may occur multiple times. This is usually worked
+around by ignoring any characters before an initial B<.> e.g.
+
+ 1.OU="My first OU"
+ 2.OU="My Second OU"
+
+=head1 EXAMPLES
+
+Here is a sample configuration file using some of the features
+mentioned above.
+
+ # This is the default section.
+ 
+ HOME=/temp
+ RANDFILE= ${ENV::HOME}/.rnd
+ configdir=$ENV::HOME/config
+
+ [ section_one ]
+
+ # We are now in section one.
+
+ # Quotes permit leading and trailing whitespace
+ any = " any variable name "
+
+ other = A string that can \
+ cover several lines \
+ by including \\ characters
+
+ message = Hello World\n
+
+ [ section_two ]
+
+ greeting = $section_one::message
+
+This next example shows how to expand environment variables safely.
+
+Suppose you want a variable called B<tmpfile> to refer to a
+temporary filename. The directory it is placed in can determined by
+the the B<TEMP> or B<TMP> environment variables but they may not be
+set to any value at all. If you just include the environment variable
+names and the variable doesn't exist then this will cause an error when
+an attempt is made to load the configuration file. By making use of the
+default section both values can be looked up with B<TEMP> taking 
+priority and B</tmp> used if neither is defined:
+
+ TMP=/tmp
+ # The above value is used if TMP isn't in the environment
+ TEMP=$ENV::TMP
+ # The above value is used if TEMP isn't in the environment
+ tmpfile=${ENV::TEMP}/tmp.filename
+
+=head1 BUGS
+
+Currently there is no way to include characters using the octal B<\nnn>
+form. Strings are all null terminated so nulls cannot form part of
+the value.
+
+The escaping isn't quite right: if you want to use sequences like B<\n>
+you can't use any quote escaping on the same line.
+
+Files are loaded in a single pass. This means that an variable expansion
+will only work if the variables referenced are defined earlier in the
+file.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<req(1)|req(1)>, L<ca(1)|ca(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/crl.pod b/crypto/openssl/doc/apps/crl.pod
new file mode 100644
index 0000000..a40c873
--- /dev/null
+++ b/crypto/openssl/doc/apps/crl.pod
@@ -0,0 +1,117 @@
+=pod
+
+=head1 NAME
+
+crl - CRL utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<crl>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-text>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-hash>]
+[B<-issuer>]
+[B<-lastupdate>]
+[B<-nextupdate>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+
+=head1 DESCRIPTION
+
+The B<crl> command processes CRL files in DER or PEM format.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. B<DER> format is DER encoded CRL
+structure. B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-text>
+
+print out the CRL in text form.
+
+=item B<-noout>
+
+don't output the encoded version of the CRL.
+
+=item B<-hash>
+
+output a hash of the issuer name. This can be use to lookup CRLs in
+a directory by issuer name.
+
+=item B<-issuer>
+
+output the issuer name.
+
+=item B<-lastupdate>
+
+output the lastUpdate field.
+
+=item B<-nextupdate>
+
+output the nextUpdate field.
+
+=item B<-CAfile file>
+
+verify the signature on a CRL by looking up the issuing certificate in
+B<file>
+
+=item B<-CApath dir>
+
+verify the signature on a CRL by looking up the issuing certificate in
+B<dir>. This directory must be a standard certificate directory: that
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
+=back
+
+=head1 NOTES
+
+The PEM CRL format uses the header and footer lines:
+
+ -----BEGIN X509 CRL-----
+ -----END X509 CRL-----
+
+=head1 EXAMPLES
+
+Convert a CRL file from PEM to DER:
+
+ openssl crl -in crl.pem -outform DER -out crl.der
+
+Output the text form of a DER encoded certificate:
+
+ openssl crl -in crl.der -text -noout
+
+=head1 BUGS
+
+Ideally it should be possible to create a CRL using appropriate options
+and files too.
+
+=head1 SEE ALSO
+
+L<crl2pkcs7(1)|crl2pkcs7(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/crl2pkcs7.pod b/crypto/openssl/doc/apps/crl2pkcs7.pod
new file mode 100644
index 0000000..da199b0
--- /dev/null
+++ b/crypto/openssl/doc/apps/crl2pkcs7.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+
+=head1 DESCRIPTION
+
+The B<crl2pkcs7> command takes an optional CRL and one or more
+certificates and converts them into a PKCS#7 degenerate "certificates
+only" structure.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the CRL input format. B<DER> format is DER encoded CRL
+structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the PKCS#7 structure output format. B<DER> format is DER
+encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-in filename>
+
+This specifies the input filename to read a CRL from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write the PKCS#7 structure to or standard
+output by default.
+
+=item B<-certfile filename>
+
+specifies a filename containing one or more certificates in B<PEM> format.
+All certificates in the file will be added to the PKCS#7 structure. This
+option can be used more than once to read certificates form multiple
+files.
+
+=item B<-nocrl>
+
+normally a CRL is included in the output file. With this option no CRL is
+included in the output file and a CRL is not read from the input file.
+
+=back
+
+=head1 EXAMPLES
+
+Create a PKCS#7 structure from a certificate and CRL:
+
+ openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
+
+Creates a PKCS#7 structure in DER format with no CRL from several
+different certificates:
+
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem 
+	-certfile demoCA/cacert.pem -outform DER -out p7.der
+
+=head1 NOTES
+
+The output file is a PKCS#7 signed data structure containing no signers and
+just certificates and an optional CRL.
+
+This utility can be used to send certificates and CAs to Netscape as part of
+the certificate enrollment process. This involves sending the DER encoded output
+as MIME type application/x-x509-user-cert.
+
+The B<PEM> encoded form with the header and footer lines removed can be used to
+install user certificates and CAs in MSIE using the Xenroll control.
+
+=head1 SEE ALSO
+
+L<pkcs7(1)|pkcs7(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/dgst.pod b/crypto/openssl/doc/apps/dgst.pod
new file mode 100644
index 0000000..fcfd3ec
--- /dev/null
+++ b/crypto/openssl/doc/apps/dgst.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
+
+=head1 SYNOPSIS
+
+B<openssl> B<dgst> 
+[B<-md5|-md2|-sha1|-sha|mdc2|-ripemd160>]
+[B<-c>]
+[B<-d>]
+[B<file...>]
+
+[B<md5|md2|sha1|sha|mdc2|ripemd160>]
+[B<-c>]
+[B<-d>]
+[B<file...>]
+
+=head1 DESCRIPTION
+
+The digest functions print out the message digest of a supplied file or files
+in hexadecimal form.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-c>
+
+print out the digest in two digit groups separated by colons.
+
+=item B<-d>
+
+print out BIO debugging information.
+
+=item B<file...>
+
+file or files to digest. If no files are specified then standard input is
+used.
+
+=back
+
+=head1 NOTES
+
+The digest of choice for all new applications is SHA1. Other digests are
+however still widely used.
+
+=cut
diff --git a/crypto/openssl/doc/apps/dhparam.pod b/crypto/openssl/doc/apps/dhparam.pod
new file mode 100644
index 0000000..15aabf4
--- /dev/null
+++ b/crypto/openssl/doc/apps/dhparam.pod
@@ -0,0 +1,133 @@
+=pod
+
+=head1 NAME
+
+dhparam - DH parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl dhparam>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-dsaparam>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-2>]
+[B<-5>]
+[B<-rand> I<file(s)>]
+[I<numbits>]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate DH parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#3 DHparameter structure. The PEM form is the
+default format: it consists of the B<DER> format base64 encoded with
+additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+
+=item B<-out> I<filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-dsaparam>
+
+If this option is used, DSA rather than DH parameters are read or created;
+they are converted to DH format.  Otherwise, "strong" primes (such
+that (p-1)/2 is also prime) will be used for DH parameter generation.
+
+DH parameter generation with the B<-dsaparam> option is much faster,
+and the recommended exponent length is shorter, which makes DH key
+exchange more efficient.  Beware that with such DSA-style DH
+parameters, a fresh DH key should be created for each use to
+avoid small-subgroup attacks that may be possible otherwise.
+
+=item B<-2>, B<-5>
+
+The generator to use, either 2 or 5. 2 is the default. If present then the
+input file is ignored and parameters are generated instead.
+
+=item B<-rand> I<file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item I<numbits>
+
+this option specifies that a parameter set should be generated of size
+I<numbits>. It must be the last option. If not present then a value of 512
+is used. If this option is present then the input file is ignored and 
+parameters are generated instead.
+
+=item B<-noout>
+
+this option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+this option prints out the DH parameters in human readable form.
+
+=item B<-C>
+
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the B<get_dh>I<numbits>B<()> function.
+
+=back
+
+=head1 WARNINGS
+
+The program B<dhparam> combines the functionality of the programs B<dh> and
+B<gendh> in previous versions of OpenSSL and SSLeay. The B<dh> and B<gendh>
+programs are retained for now but may have different purposes in future 
+versions of OpenSSL.
+
+=head1 NOTES
+
+PEM format DH parameters use the header and footer lines:
+
+ -----BEGIN DH PARAMETERS-----
+ -----END DH PARAMETERS-----
+
+OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
+DH.
+
+This program manipulates DH parameters not keys.
+
+=head1 BUGS
+
+There should be a way to generate and manipulate DH keys.
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>
+
+=head1 HISTORY
+
+The B<dhparam> command was added in OpenSSL 0.9.5.
+The B<-dsaparam> option was added in OpenSSL 0.9.6.
+
+=cut
diff --git a/crypto/openssl/doc/apps/dsa.pod b/crypto/openssl/doc/apps/dsa.pod
new file mode 100644
index 0000000..28e534b
--- /dev/null
+++ b/crypto/openssl/doc/apps/dsa.pod
@@ -0,0 +1,150 @@
+=pod
+
+=head1 NAME
+
+dsa - DSA key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<dsa>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-pubin>]
+[B<-pubout>]
+
+=head1 DESCRIPTION
+
+The B<dsa> command processes DSA keys. They can be converted between various
+forms and their components printed out. B<Note> This command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the B<pkcs8>
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option with a private key uses
+an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
+version (currently zero), p, q, g, the public and private key components
+respectively as ASN.1 INTEGERs. When used with a public key it uses a
+SubjectPublicKeyInfo structure: it is an error if the key is not DSA.
+
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. In the case of a private key
+PKCS#8 format is also accepted.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<dsa> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the public key component of the key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this option a
+public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To remove the pass phrase on a DSA private key:
+
+ openssl dsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl dsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl dsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl dsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl dsa -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>, L<gendsa(1)|gendsa(1)>, L<rsa(1)|rsa(1)>,
+L<genrsa(1)|genrsa(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/dsaparam.pod b/crypto/openssl/doc/apps/dsaparam.pod
new file mode 100644
index 0000000..8647f34
--- /dev/null
+++ b/crypto/openssl/doc/apps/dsaparam.pod
@@ -0,0 +1,102 @@
+=pod
+
+=head1 NAME
+
+dsaparam - DSA parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl dsaparam>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-rand file(s)>]
+[B<-genkey>]
+[B<numbits>]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate or generate DSA parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
+of p, q and g respectively. The PEM form is the default format: it consists
+of the B<DER> format base64 encoded with additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified. If the B<numbits> parameter is included then
+this option will be ignored.
+
+=item B<-out filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-noout>
+
+this option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+this option prints out the DSA parameters in human readable form.
+
+=item B<-C>
+
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the B<get_dsaXXX()> function.
+
+=item B<-genkey>
+
+this option will generate a DSA either using the specified or generated
+parameters.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<numbits>
+
+this option specifies that a parameter set should be generated of size
+B<numbits>. It must be the last option. If this option is included then
+the input file (if any) is ignored.
+
+=back
+
+=head1 NOTES
+
+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
+DSA parameter generation is a slow process and as a result the same set of
+DSA parameters is often used to generate several distinct keys.
+
+=head1 SEE ALSO
+
+L<gendsa(1)|gendsa(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<rsa(1)|rsa(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
new file mode 100644
index 0000000..e436ccc
--- /dev/null
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -0,0 +1,257 @@
+=pod
+
+=head1 NAME
+
+enc - symmetric cipher routines
+
+=head1 SYNOPSIS
+
+B<openssl enc -ciphername>
+[B<-in filename>]
+[B<-out filename>]
+[B<-pass arg>]
+[B<-e>]
+[B<-d>]
+[B<-a>]
+[B<-A>]
+[B<-k password>]
+[B<-kfile filename>]
+[B<-K key>]
+[B<-iv IV>]
+[B<-p>]
+[B<-P>]
+[B<-bufsize number>]
+[B<-debug>]
+
+=head1 DESCRIPTION
+
+The symmetric cipher commands allow data to be encrypted or decrypted
+using various block and stream ciphers using keys based on passwords
+or explicitly provided. Base64 encoding or decoding can also be performed
+either by itself or in addition to the encryption or decryption.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+the input filename, standard input by default.
+
+=item B<-out filename>
+
+the output filename, standard output by default.
+
+=item B<-pass arg>
+
+the password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-salt>
+
+use a salt in the key derivation routines. This option should B<ALWAYS>
+be used unless compatibility with previous versions of OpenSSL or SSLeay
+is required. This option is only present on OpenSSL versions 0.9.5 or
+above.
+
+=item B<-nosalt>
+
+don't use a salt in the key derivation routines. This is the default for
+compatibility with previous versions of OpenSSL and SSLeay.
+
+=item B<-e>
+
+encrypt the input data: this is the default.
+
+=item B<-d>
+
+decrypt the input data.
+
+=item B<-a>
+
+base64 process the data. This means that if encryption is taking place
+the data is base64 encoded after encryption. If decryption is set then
+the input data is base64 decoded before being decrypted.
+
+=item B<-A>
+
+if the B<-a> option is set then base64 process the data on one line.
+
+=item B<-k password>
+
+the password to derive the key from. This is for compatibility with previous
+versions of OpenSSL. Superseded by the B<-pass> argument.
+
+=item B<-kfile filename>
+
+read the password to derive the key from the first line of B<filename>.
+This is for computability with previous versions of OpenSSL. Superseded by
+the B<-pass> argument.
+
+=item B<-S salt>
+
+the actual salt to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-K key>
+
+the actual key to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-iv IV>
+
+the actual IV to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-p>
+
+print out the key and IV used.
+
+=item B<-P>
+
+print out the key and IV used then immediately exit: don't do any encryption
+or decryption.
+
+=item B<-bufsize number>
+
+set the buffer size for I/O
+
+=item B<-debug>
+
+debug the BIOs used for I/O.
+
+=back
+
+=head1 NOTES
+
+The program can be called either as B<openssl ciphername> or
+B<openssl enc -ciphername>.
+
+A password will be prompted for to derive the key and IV if necessary.
+
+The B<-salt> option should B<ALWAYS> be used if the key is being derived
+from a password unless you want compatibility with previous versions of
+OpenSSL and SSLeay.
+
+Without the B<-salt> option it is possible to perform efficient dictionary
+attacks on the password and to attack stream cipher encrypted data. The reason
+for this is that without the salt the same password always generates the same
+encryption key. When the salt is being used the first eight bytes of the
+encrypted data are reserved for the salt: it is generated at random when
+encrypting a file and read from the encrypted file when it is decrypted.
+
+Some of the ciphers do not have large keys and others have security
+implications if not used correctly. A beginner is advised to just use
+a strong block cipher in CBC mode such as bf or des3.
+
+All the block ciphers use PKCS#5 padding also known as standard block
+padding: this allows a rudimentary integrity or password check to be
+performed. However since the chance of random data passing the test is
+better than 1 in 256 it isn't a very good test.
+
+All RC2 ciphers have the same key and effective key length.
+
+Blowfish and RC5 algorithms use a 128 bit key.
+
+=head1 SUPPORTED CIPHERS
+
+ base64             Base 64
+
+ bf-cbc             Blowfish in CBC mode
+ bf                 Alias for bf-cbc
+ bf-cfb             Blowfish in CFB mode
+ bf-ecb             Blowfish in ECB mode
+ bf-ofb             Blowfish in OFB mode
+
+ cast-cbc           CAST in CBC mode
+ cast               Alias for cast-cbc
+ cast5-cbc          CAST5 in CBC mode
+ cast5-cfb          CAST5 in CFB mode
+ cast5-ecb          CAST5 in ECB mode
+ cast5-ofb          CAST5 in OFB mode
+
+ des-cbc            DES in CBC mode
+ des                Alias for des-cbc
+ des-cfb            DES in CBC mode
+ des-ofb            DES in OFB mode
+ des-ecb            DES in ECB mode
+
+ des-ede-cbc        Two key triple DES EDE in CBC mode
+ des-ede            Alias for des-ede
+ des-ede-cfb        Two key triple DES EDE in CFB mode
+ des-ede-ofb        Two key triple DES EDE in OFB mode
+
+ des-ede3-cbc       Three key triple DES EDE in CBC mode
+ des-ede3           Alias for des-ede3-cbc
+ des3               Alias for des-ede3-cbc
+ des-ede3-cfb       Three key triple DES EDE CFB mode
+ des-ede3-ofb       Three key triple DES EDE in OFB mode
+
+ desx               DESX algorithm.
+
+ idea-cbc           IDEA algorithm in CBC mode
+ idea               same as idea-cbc
+ idea-cfb           IDEA in CFB mode
+ idea-ecb           IDEA in ECB mode
+ idea-ofb           IDEA in OFB mode
+
+ rc2-cbc            128 bit RC2 in CBC mode
+ rc2                Alias for rc2-cbc
+ rc2-cfb            128 bit RC2 in CBC mode
+ rc2-ecb            128 bit RC2 in CBC mode
+ rc2-ofb            128 bit RC2 in CBC mode
+ rc2-64-cbc         64 bit RC2 in CBC mode
+ rc2-40-cbc         40 bit RC2 in CBC mode
+
+ rc4                128 bit RC4
+ rc4-64             64 bit RC4
+ rc4-40             40 bit RC4
+
+ rc5-cbc            RC5 cipher in CBC mode
+ rc5                Alias for rc5-cbc
+ rc5-cfb            RC5 cipher in CBC mode
+ rc5-ecb            RC5 cipher in CBC mode
+ rc5-ofb            RC5 cipher in CBC mode
+
+=head1 EXAMPLES
+
+Just base64 encode a binary file:
+
+ openssl base64 -in file.bin -out file.b64
+
+Decode the same file
+
+ openssl base64 -d -in file.b64 -out file.bin 
+
+Encrypt a file using triple DES in CBC mode using a prompted password:
+
+ openssl des3 -salt -in file.txt -out file.des3 
+
+Decrypt a file using a supplied password:
+
+ openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
+
+Encrypt a file then base64 encode it (so it can be sent via mail for example)
+using Blowfish in CBC mode:
+
+ openssl bf -a -salt -in file.txt -out file.bf
+
+Base64 decode a file then decrypt it:
+
+ openssl bf -d -salt -a -in file.bf -out file.txt
+
+Decrypt some data using a supplied 40 bit RC4 key:
+
+ openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
+
+=head1 BUGS
+
+The B<-A> option when used with large files doesn't work properly.
+
+There should be an option to allow an iteration count to be included.
+
+Like the EVP library the B<enc> program only supports a fixed number of
+algorithms with certain parameters. So if, for example, you want to use RC2
+with a 76 bit key or RC4 with an 84 bit key you can't use this program.
+
+=cut
diff --git a/crypto/openssl/doc/apps/gendsa.pod b/crypto/openssl/doc/apps/gendsa.pod
new file mode 100644
index 0000000..3314ace
--- /dev/null
+++ b/crypto/openssl/doc/apps/gendsa.pod
@@ -0,0 +1,58 @@
+=pod
+
+=head1 NAME
+
+gendsa - generate a DSA private key from a set of parameters
+
+=head1 SYNOPSIS
+
+B<openssl> B<gendsa>
+[B<-out filename>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-rand file(s)>]
+[B<paramfile>]
+
+=head1 DESCRIPTION
+
+The B<gendsa> command generates a DSA private key from a DSA parameter file
+(which will be typically generated by the B<openssl dsaparam> command).
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified no encryption is used.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<paramfile>
+
+This option specifies the DSA parameter file to use. The parameters in this
+file determine the size of the private key. DSA parameters can be generated
+and examined using the B<openssl dsaparam> command.
+
+=back
+
+=head1 NOTES
+
+DSA key generation is little more than random number generation so it is
+much quicker that RSA key generation for example.
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<rsa(1)|rsa(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/genrsa.pod b/crypto/openssl/doc/apps/genrsa.pod
new file mode 100644
index 0000000..70d35fe
--- /dev/null
+++ b/crypto/openssl/doc/apps/genrsa.pod
@@ -0,0 +1,88 @@
+=pod
+
+=head1 NAME
+
+genrsa - generate an RSA private key
+
+=head1 SYNOPSIS
+
+B<openssl> B<genrsa>
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-f4>]
+[B<-3>]
+[B<-rand file(s)>]
+[B<numbits>]
+
+=head1 DESCRIPTION
+
+The B<genrsa> command generates an RSA private key.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-out filename>
+
+the output filename. If this argument is not specified then standard output is
+used.  
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the B<-passout> argument.
+
+=item B<-F4|-3>
+
+the public exponent to use, either 65537 or 3. The default is 65537.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<numbits>
+
+the size of the private key to generate in bits. This must be the last option
+specified. The default is 512.
+
+=back
+
+=head1 NOTES
+
+RSA private key generation essentially involves the generation of two prime
+numbers. When generating a private key various symbols will be output to
+indicate the progress of the generation. A B<.> represents each number which
+has passed an initial sieve test, B<+> means a number has passed a single
+round of the Miller-Rabin primality test. A newline means that the number has
+passed all the prime tests (the actual number depends on the key size).
+
+Because key generation is a random process the time taken to generate a key
+may vary somewhat.
+
+=head1 BUGS
+
+A quirk of the prime generation algorithm is that it cannot generate small
+primes. Therefore the number of bits should not be less that 64. For typical
+private keys this will not matter because for security reasons they will
+be much larger (typically 1024 bits).
+
+=head1 SEE ALSO
+
+L<gendsa(1)|gendsa(1)>
+
+=cut
+
diff --git a/crypto/openssl/doc/apps/nseq.pod b/crypto/openssl/doc/apps/nseq.pod
new file mode 100644
index 0000000..989c310
--- /dev/null
+++ b/crypto/openssl/doc/apps/nseq.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate enrollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut
diff --git a/crypto/openssl/doc/apps/openssl.pod b/crypto/openssl/doc/apps/openssl.pod
new file mode 100644
index 0000000..2fc61b6
--- /dev/null
+++ b/crypto/openssl/doc/apps/openssl.pod
@@ -0,0 +1,325 @@
+
+=pod
+
+=head1 NAME
+
+openssl - OpenSSL command line tool
+
+=head1 SYNOPSIS
+
+B<openssl>
+I<command>
+[ I<command_opts> ]
+[ I<command_args> ]
+
+B<openssl> [ B<list-standard-commands> | B<list-message-digest-commands> | B<list-cipher-commands> ]
+
+B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
+
+=head1 DESCRIPTION
+
+OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
+v2/v3) and Transport Layer Security (TLS v1) network protocols and related
+cryptography standards required by them.
+
+The B<openssl> program is a command line tool for using the various
+cryptography functions of OpenSSL's B<crypto> library from the shell. 
+It can be used for 
+
+ o  Creation of RSA, DH and DSA key parameters
+ o  Creation of X.509 certificates, CSRs and CRLs 
+ o  Calculation of Message Digests
+ o  Encryption and Decryption with Ciphers
+ o  SSL/TLS Client and Server Tests
+ o  Handling of S/MIME signed or encrypted mail
+
+=head1 COMMAND SUMMARY
+
+The B<openssl> program provides a rich variety of commands (I<command> in the
+SYNOPSIS above), each of which often has a wealth of options and arguments
+(I<command_opts> and I<command_args> in the SYNOPSIS).
+
+The pseudo-commands B<list-standard-commands>, B<list-message-digest-commands>,
+and B<list-cipher-commands> output a list (one entry per line) of the names
+of all standard commands, message digest commands, or cipher commands,
+respectively, that are available in the present B<openssl> utility.
+
+The pseudo-command B<no->I<XXX> tests whether a command of the
+specified name is available.  If no command named I<XXX> exists, it
+returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
+and prints I<XXX>.  In both cases, the output goes to B<stdout> and
+nothing is printed to B<stderr>.  Additional command line arguments
+are always ignored.  Since for each cipher there is a command of the
+same name, this provides an easy way for shell scripts to test for the
+availability of ciphers in the B<openssl> program.  (B<no->I<XXX> is
+not able to detect pseudo-commands such as B<quit>,
+B<list->I<...>B<-commands>, or B<no->I<XXX> itself.)
+
+=head2 STANDARD COMMANDS
+
+=over 10
+
+=item L<B<asn1parse>|asn1parse(1)>
+
+Parse an ASN.1 sequence.
+
+=item L<B<ca>|ca(1)>
+
+Certificate Authority (CA) Management.  
+
+=item L<B<ciphers>|ciphers(1)>
+
+Cipher Suite Description Determination.
+
+=item L<B<crl>|crl(1)>
+
+Certificate Revocation List (CRL) Management.
+
+=item L<B<crl2pkcs7>|crl2pkcs7(1)>
+
+CRL to PKCS#7 Conversion.
+
+=item L<B<dgst>|dgst(1)>
+
+Message Digest Calculation.
+
+=item L<B<dh>|dh(1)>
+
+Diffie-Hellman Data Management.
+
+=item L<B<dsa>|dsa(1)>
+
+DSA Data Management.
+
+=item L<B<dsaparam>|dsaparam(1)>
+
+DSA Parameter Generation.
+
+=item L<B<enc>|enc(1)>
+
+Encoding with Ciphers.
+
+=item L<B<errstr>|errstr(1)>
+
+Error Number to Error String Conversion.
+
+=item L<B<gendh>|gendh(1)>
+
+Generation of Diffie-Hellman Parameters.
+
+=item L<B<gendsa>|gendsa(1)>
+
+Generation of DSA Parameters.
+
+=item L<B<genrsa>|genrsa(1)>
+
+Generation of RSA Parameters.
+
+=item L<B<passwd>|passwd(1)>
+
+Generation of hashed passwords.
+
+=item L<B<pkcs7>|pkcs7(1)>
+
+PKCS#7 Data Management.
+
+=item L<B<rand>|rand(1)>
+
+Generate pseudo-random bytes.
+
+=item L<B<req>|req(1)>
+
+X.509 Certificate Signing Request (CSR) Management.
+
+=item L<B<rsa>|rsa(1)>
+
+RSA Data Management.
+
+=item L<B<s_client>|s_client(1)>
+
+This implements a generic SSL/TLS client which can establish a transparent
+connection to a remote server speaking SSL/TLS. It's intended for testing
+purposes only and provides only rudimentary interface functionality but
+internally uses mostly all functionality of the OpenSSL B<ssl> library.
+
+=item L<B<s_server>|s_server(1)>
+
+This implements a generic SSL/TLS server which accepts connections from remote
+clients speaking SSL/TLS. It's intended for testing purposes only and provides
+only rudimentary interface functionality but internally uses mostly all
+functionality of the OpenSSL B<ssl> library.  It provides both an own command
+line oriented protocol for testing SSL functions and a simple HTTP response
+facility to emulate an SSL/TLS-aware webserver.
+
+=item L<B<s_time>|s_time(1)>
+
+SSL Connection Timer.
+
+=item L<B<sess_id>|sess_id(1)>
+
+SSL Session Data Management.
+
+=item L<B<smime>|smime(1)>
+
+S/MIME mail processing.
+
+=item L<B<speed>|speed(1)>
+
+Algorithm Speed Measurement.
+
+=item L<B<verify>|verify(1)>
+
+X.509 Certificate Verification.
+
+=item L<B<version>|version(1)>
+
+OpenSSL Version Information.
+
+=item L<B<x509>|x509(1)>
+
+X.509 Certificate Data Management.
+
+=back
+
+=head2 MESSAGE DIGEST COMMANDS
+
+=over 10
+
+=item B<md2>
+
+MD2 Digest
+
+=item B<md5>
+
+MD5 Digest
+
+=item B<mdc2>
+
+MDC2 Digest
+
+=item B<rmd160>
+
+RMD-160 Digest
+
+=item B<sha>            
+
+SHA Digest
+
+=item B<sha1>           
+
+SHA-1 Digest
+
+=back
+
+=head2 ENCODING AND CIPHER COMMANDS
+
+=over 10
+
+=item B<base64>
+
+Base64 Encoding
+
+=item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
+
+Blowfish Cipher
+
+=item B<cast cast-cbc>
+
+CAST Cipher
+
+=item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
+
+CAST5 Cipher
+
+=item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
+
+DES Cipher
+
+=item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
+
+Triple-DES Cipher
+
+=item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
+
+IDEA Cipher
+
+=item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
+
+RC2 Cipher
+
+=item B<rc4>
+
+RC4 Cipher
+
+=item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
+
+RC5 Cipher
+
+=back
+
+=head1 PASS PHRASE ARGUMENTS
+
+Several commands accept password arguments, typically using B<-passin>
+and B<-passout> for input and output passwords respectively. These allow
+the password to be obtained from a variety of sources. Both of these
+options take a single argument whose format is described below. If no
+password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+
+=over 10
+
+=item B<pass:password>
+
+the actual password is B<password>. Since the password is visible
+to utilities (like 'ps' under Unix) this form should only be used
+where security is not important.
+
+=item B<env:var>
+
+obtain the password from the environment variable B<var>. Since
+the environment of other processes is visible on certain platforms
+(e.g. ps under certain Unix OSes) this option should be used with caution.
+
+=item B<file:pathname>
+
+the first line of B<pathname> is the password. If the same B<pathname>
+argument is supplied to B<-passin> and B<-passout> arguments then the first
+line will be used for the input password and the next line for the output
+password. B<pathname> need not refer to a regular file: it could for example
+refer to a device or named pipe.
+
+=item B<fd:number>
+
+read the password from the file descriptor B<number>. This can be used to
+send the data via a pipe for example.
+
+=item B<stdin>
+
+read the password from standard input.
+
+=back
+
+=head1 SEE ALSO
+
+L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
+L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
+L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>,
+L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+L<passwd(1)|passwd(1)>,
+L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<s_client(1)|s_client(1)>,
+L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
+L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> 
+
+=head1 HISTORY
+
+The openssl(1) document appeared in OpenSSL 0.9.2.
+The B<list->I<XXX>B<-commands> pseudo-commands were added in OpenSSL 0.9.3;
+the B<no->I<XXX> pseudo-commands were added in OpenSSL 0.9.5a.
+For notes on the availability of other commands, see their individual
+manual pages.
+
+=cut
diff --git a/crypto/openssl/doc/apps/passwd.pod b/crypto/openssl/doc/apps/passwd.pod
new file mode 100644
index 0000000..cee6a2f
--- /dev/null
+++ b/crypto/openssl/doc/apps/passwd.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+passwd - compute password hashes
+
+=head1 SYNOPSIS
+
+B<openssl passwd>
+[B<-crypt>]
+[B<-apr1>]
+[B<-salt> I<string>]
+[B<-in> I<file>]
+[B<-stdin>]
+[B<-quiet>]
+[B<-table>]
+{I<password>}
+
+=head1 DESCRIPTION
+
+The B<passwd> command computes the hash of a password typed at
+run-time or the hash of each password in a list.  The password list is
+taken from the named file for option B<-in file>, from stdin for
+option B<-stdin>, and from the command line otherwise.
+The Unix standard algorithm B<crypt> and the MD5-based B<apr1> algorithm
+are available.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-crypt>
+
+Use the B<crypt> algorithm (default).
+
+=item B<-apr1>
+
+Use the B<apr1> algorithm.
+
+=item B<-salt> I<string>
+
+Use the specified salt.
+
+=item B<-in> I<file>
+
+Read passwords from I<file>.
+
+=item B<-stdin>
+
+Read passwords from B<stdin>.
+
+=item B<-quiet>
+
+Don't output warnings when passwords given at the command line are truncated.
+
+=item B<-table>
+
+In the output list, prepend the cleartext password and a TAB character
+to each password hash.
+
+=back
+
+=head1 EXAMPLES
+
+B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
+
+B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
+
+=cut
diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod
new file mode 100644
index 0000000..241f9c4
--- /dev/null
+++ b/crypto/openssl/doc/apps/pkcs12.pod
@@ -0,0 +1,310 @@
+
+=pod
+
+=head1 NAME
+
+pkcs12 - PKCS#12 file utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs12>
+[B<-export>]
+[B<-chain>]
+[B<-inkey filename>]
+[B<-certfile filename>]
+[B<-name name>]
+[B<-caname name>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-nomacver>]
+[B<-nocerts>]
+[B<-clcerts>]
+[B<-cacerts>]
+[B<-nokeys>]
+[B<-info>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-nodes>]
+[B<-noiter>]
+[B<-maciter>]
+[B<-twopass>]
+[B<-descert>]
+[B<-certpbe>]
+[B<-keypbe>]
+[B<-keyex>]
+[B<-keysig>]
+[B<-password arg>]
+[B<-passin arg>]
+[B<-passout arg>]
+[B<-rand file(s)>]
+
+=head1 DESCRIPTION
+
+The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
+PFX files) to be created and parsed. PKCS#12 files are used by several
+programs including Netscape, MSIE and MS Outlook.
+
+=head1 COMMAND OPTIONS
+
+There are a lot of options the meaning of some depends of whether a PKCS#12 file
+is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
+file can be created by using the B<-export> option (see below).
+
+=head1 PARSING OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies filename of the PKCS#12 file to be parsed. Standard input is used
+by default.
+
+=item B<-out filename>
+
+The filename to write certificates and private keys to, standard output by default.
+They are all written in PEM format.
+
+=item B<-pass arg>, B<-passin arg>
+
+the PKCS#12 file (i.e. input file) password source. For more information about the
+format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-passout arg>
+
+pass phrase source to encrypt any outputed private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-noout>
+
+this option inhibits output of the keys and certificates to the output file version
+of the PKCS#12 file.
+
+=item B<-clcerts>
+
+only output client certificates (not CA certificates).
+
+=item B<-cacerts>
+
+only output CA certificates (not client certificates).
+
+=item B<-nocerts>
+
+no certificates at all will be output.
+
+=item B<-nokeys>
+
+no private keys will be output.
+
+=item B<-info>
+
+output additional information about the PKCS#12 file structure, algorithms used and
+iteration counts.
+
+=item B<-des>
+
+use DES to encrypt private keys before outputting.
+
+=item B<-des3>
+
+use triple DES to encrypt private keys before outputting, this is the default.
+
+=item B<-idea>
+
+use IDEA to encrypt private keys before outputting.
+
+=item B<-nodes>
+
+don't encrypt the private keys at all.
+
+=item B<-nomacver>
+
+don't attempt to verify the integrity MAC before reading the file.
+
+=item B<-twopass>
+
+prompt for separate integrity and encryption passwords: most software
+always assumes these are the same so this option will render such
+PKCS#12 files unreadable.
+
+=back
+
+=head1 FILE CREATION OPTIONS
+
+=over 4
+
+=item B<-export>
+
+This option specifies that a PKCS#12 file will be created rather than
+parsed.
+
+=item B<-out filename>
+
+This specifies filename to write the PKCS#12 file to. Standard output is used
+by default.
+
+=item B<-in filename>
+
+The filename to read certificates and private keys from, standard input by default.
+They must all be in PEM format. The order doesn't matter but one private key and
+its corresponding certificate should be present. If additional certificates are
+present they will also be included in the PKCS#12 file.
+
+=item B<-inkey filename>
+
+file to read private key from. If not present then a private key must be present
+in the input file.
+
+=item B<-name friendlyname>
+
+This specifies the "friendly name" for the certificate and private key. This name
+is typically displayed in list boxes by software importing the file.
+
+=item B<-certfile filename>
+
+A filename to read additional certificates from.
+
+=item B<-caname friendlyname>
+
+This specifies the "friendly name" for other certificates. This option may be
+used multiple times to specify names for all certificates in the order they
+appear. Netscape ignores friendly names on other certificates whereas MSIE
+displays them.
+
+=item B<-pass arg>, B<-passout arg>
+
+the PKCS#12 file (i.e. output file) password source. For more information about
+the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-passin password>
+
+pass phrase source to decrypt any input private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-chain>
+
+if this option is present then an attempt is made to include the entire
+certificate chain of the user certificate. The standard CA store is used
+for this search. If the search fails it is considered a fatal error.
+
+=item B<-descert>
+
+encrypt the certificate using triple DES, this may render the PKCS#12
+file unreadable by some "export grade" software. By default the private
+key is encrypted using triple DES and the certificate using 40 bit RC2.
+
+=item B<-keypbe alg>, B<-certpbe alg>
+
+these options allow the algorithm used to encrypt the private key and
+certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
+can be selected it is advisable only to use PKCS#12 algorithms. See the list
+in the B<NOTES> section for more information.
+
+=item B<-keyex|-keysig>
+
+specifies that the private key is to be used for key exchange or just signing.
+This option is only interpreted by MSIE and similar MS software. Normally
+"export grade" software will only allow 512 bit RSA keys to be used for
+encryption purposes but arbitrary length keys for signing. The B<-keysig>
+option marks the key for signing only. Signing only keys can be used for
+S/MIME signing, authenticode (ActiveX control signing)  and SSL client
+authentication, however due to a bug only MSIE 5.0 and later support
+the use of signing only keys for SSL client authentication.
+
+=item B<-nomaciter>, B<-noiter>
+
+these options affect the iteration counts on the MAC and key algorithms.
+Unless you wish to produce files compatible with MSIE 4.0 you should leave
+these options alone.
+
+To discourage attacks by using large dictionaries of common passwords the
+algorithm that derives keys from passwords can have an iteration count applied
+to it: this causes a certain part of the algorithm to be repeated and slows it
+down. The MAC is used to check the file integrity but since it will normally
+have the same password as the keys and certificates it could also be attacked.
+By default both MAC and encryption iteration counts are set to 2048, using
+these options the MAC and encryption iteration counts can be set to 1, since
+this reduces the file security you should not use these options unless you
+really have to. Most software supports both MAC and key iteration counts.
+MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter>
+option.
+
+=item B<-maciter>
+
+This option is included for compatibility with previous versions, it used
+to be needed to use MAC iterations counts but they are now used by default.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=back
+
+=head1 NOTES
+
+Although there are a large number of options most of them are very rarely
+used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
+for PKCS#12 file creation B<-export> and B<-name> are also used.
+
+If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
+then all certificates will be output in the order they appear in the input
+PKCS#12 files. There is no guarantee that the first certificate present is
+the one corresponding to the private key. Certain software which requires
+a private key and certificate and assumes the first certificate in the
+file is the one corresponding to the private key: this may not always
+be the case. Using the B<-clcerts> option will solve this problem by only
+outputing the certificate corresponding to the private key. If the CA
+certificates are required then they can be output to a separate file using
+the B<-nokeys -cacerts> options to just output CA certificates.
+
+The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
+algorithms for private keys and certificates to be specified. Normally
+the defaults are fine but occasionally software can't handle triple DES
+encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
+be used to reduce the private key encryption to 40 bit RC2. A complete
+description of all algorithms is contained in the B<pkcs8> manual page.
+
+=head1 EXAMPLES
+
+Parse a PKCS#12 file and output it to a file:
+
+ openssl pkcs12 -in file.p12 -out file.pem
+
+Output only client certificates to a file:
+
+ openssl pkcs12 -in file.p12 -clcerts -out file.pem
+
+Don't encrypt the private key:
+ 
+ openssl pkcs12 -in file.p12 -out file.pem -nodes
+
+Print some info about a PKCS#12 file:
+
+ openssl pkcs12 -in file.p12 -info -noout
+
+Create a PKCS#12 file:
+
+ openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
+
+Include some extra certificates:
+
+ openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
+  -certfile othercerts.pem
+
+=head1 BUGS
+
+Some would argue that the PKCS#12 standard is one big bug :-)
+
+=head1 SEE ALSO
+
+L<pkcs8(1)|pkcs8(1)>
+
diff --git a/crypto/openssl/doc/apps/pkcs7.pod b/crypto/openssl/doc/apps/pkcs7.pod
new file mode 100644
index 0000000..4e9bd6e
--- /dev/null
+++ b/crypto/openssl/doc/apps/pkcs7.pod
@@ -0,0 +1,97 @@
+=pod
+
+=head1 NAME
+
+pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+[B<-text>]
+[B<-noout>]
+
+=head1 DESCRIPTION
+
+The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. B<DER> format is DER encoded PKCS#7
+v1.5 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-print_certs>
+
+prints out any certificates or CRLs contained in the file. They are
+preceded by their subject and issuer names in one line format.
+
+=item B<-text>
+
+prints out certificates details in full rather than just subject and
+issuer names.
+
+=item B<-noout>
+
+don't output the encoded version of the PKCS#7 structure (or certificates
+is B<-print_certs> is set).
+
+=back
+
+=head1 EXAMPLES
+
+Convert a PKCS#7 file from PEM to DER:
+
+ openssl pkcs7 -in file.pem -outform DER -out file.der
+
+Output all certificates in a file:
+
+ openssl pkcs7 -in file.pem -print_certs -out certs.pem
+
+=head1 NOTES
+
+The PEM PKCS#7 format uses the header and footer lines:
+
+ -----BEGIN PKCS7-----
+ -----END PKCS7-----
+
+For compatability with some CAs it will also accept:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+=head1 RESTRICTIONS
+
+There is no option to print out all the fields of a PKCS#7 file.
+
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they 
+cannot currently parse, for example, the new CMS as described in RFC2630.
+
+=head1 SEE ALSO
+
+L<crl2pkcs7(1)|crl2pkcs7(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/pkcs8.pod b/crypto/openssl/doc/apps/pkcs8.pod
new file mode 100644
index 0000000..a56b2dd
--- /dev/null
+++ b/crypto/openssl/doc/apps/pkcs8.pod
@@ -0,0 +1,235 @@
+=pod
+
+=head1 NAME
+
+pkcs8 - PKCS#8 format private key conversion tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs8>
+[B<-topk8>]
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-noiter>]
+[B<-nocrypt>]
+[B<-nooct>]
+[B<-embed>]
+[B<-nsdb>]
+[B<-v2 alg>]
+[B<-v1 alg>]
+
+=head1 DESCRIPTION
+
+The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
+both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
+format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-topk8>
+
+Normally a PKCS#8 private key is expected on input and a traditional format
+private key will be written. With the B<-topk8> option the situation is
+reversed: it reads a traditional format private key and writes a PKCS#8
+format key.
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. If a PKCS#8 format key is expected on input
+then either a B<DER> or B<PEM> encoded version of a PKCS#8 key will be
+expected. Otherwise the B<DER> or B<PEM> format of the traditional format
+private key is used.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+default. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-nocrypt>
+
+PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
+structures using an appropriate password based encryption algorithm. With
+this option an unencrypted PrivateKeyInfo structure is expected or output.
+This option does not encrypt private keys at all and should only be used
+when absolutely necessary. Certain software such as some versions of Java
+code signing software used unencrypted private keys.
+
+=item B<-nooct>
+
+This option generates RSA private keys in a broken format that some software
+uses. Specifically the private key should be enclosed in a OCTET STRING
+but some software just includes the structure itself without the
+surrounding OCTET STRING.
+
+=item B<-embed>
+
+This option generates DSA keys in a broken format. The DSA parameters are
+embedded inside the PrivateKey structure. In this form the OCTET STRING
+contains an ASN1 SEQUENCE consisting of two structures: a SEQUENCE containing
+the parameters and an ASN1 INTEGER containing the private key.
+
+=item B<-nsdb>
+
+This option generates DSA keys in a broken format compatible with Netscape
+private key databases. The PrivateKey contains a SEQUENCE consisting of
+the public and private keys respectively.
+
+=item B<-v2 alg>
+
+This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
+private keys are encrypted with the password based encryption algorithm
+called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
+was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
+the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
+encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
+not many implementations support PKCS#5 v2.0 yet. If you are just using
+private keys with OpenSSL then this doesn't matter.
+
+The B<alg> argument is the encryption algorithm to use, valid values include
+B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+
+=item B<-v1 alg>
+
+This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
+list of possible algorithms is included below.
+
+=back
+
+=head1 NOTES
+
+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
+Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
+counts are more secure that those encrypted using the traditional
+SSLeay compatible formats. So if additional security is considered
+important the keys should be converted.
+
+The default encryption is only 56 bits because this is the encryption
+that most current implementations of PKCS#8 will support.
+
+Some software may use PKCS#12 password based encryption algorithms
+with PKCS#8 format private keys: these are handled automatically
+but there is no option to produce them.
+
+It is possible to write out DER encoded encrypted private keys in
+PKCS#8 format because the encryption details are included at an ASN1
+level whereas the traditional format includes them at a PEM level.
+
+=head1 PKCS#5 v1.5 and PKCS#12 algorithms.
+
+Various algorithms can be used with the B<-v1> command line option,
+including PKCS#5 v1.5 and PKCS#12. These are described in more detail
+below.
+
+=over 4
+
+=item B<PBE-MD2-DES PBE-MD5-DES>
+
+These algorithms were included in the original PKCS#5 v1.5 specification.
+They only offer 56 bits of protection since they both use DES.
+
+=item B<PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES>
+
+These algorithms are not mentioned in the original PKCS#5 v1.5 specification
+but they use the same key derivation algorithm and are supported by some
+software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or
+56 bit DES.
+
+=item B<PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40>
+
+These algorithms use the PKCS#12 password based encryption algorithm and
+allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
+
+=back
+
+=head1 EXAMPLES
+
+Convert a private from traditional to PKCS#5 v2.0 format using triple
+DES:
+
+ openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
+
+Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
+(DES):
+
+ openssl pkcs8 -in key.pem -topk8 -out enckey.pem
+
+Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
+(3DES):
+
+ openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
+
+Read a DER unencrypted PKCS#8 format private key:
+
+ openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
+
+Convert a private key from any PKCS#8 format to traditional format:
+
+ openssl pkcs8 -in pk8.pem -out key.pem
+
+=head1 STANDARDS
+
+Test vectors from this PKCS#5 v2.0 implementation were posted to the
+pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
+counts, several people confirmed that they could decrypt the private
+keys produced and Therefore it can be assumed that the PKCS#5 v2.0
+implementation is reasonably accurate at least as far as these
+algorithms are concerned.
+
+The format of PKCS#8 DSA (and other) private keys is not well documented:
+it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
+PKCS#8 private key format complies with this standard.
+
+=head1 BUGS
+
+There should be an option that prints out the encryption algorithm
+in use and other details such as the iteration count.
+
+PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
+key format for OpenSSL: for compatibility several of the utilities use
+the old format at present.
+
+=head1 SEE ALSO
+
+L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)> 
+
+=cut
diff --git a/crypto/openssl/doc/apps/rand.pod b/crypto/openssl/doc/apps/rand.pod
new file mode 100644
index 0000000..f81eab0
--- /dev/null
+++ b/crypto/openssl/doc/apps/rand.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+rand - generate pseudo-random bytes
+
+=head1 SYNOPSIS
+
+B<openssl rand>
+[B<-out> I<file>]
+[B<-rand> I<file(s)>]
+[B<-base64>]
+I<num>
+
+=head1 DESCRIPTION
+
+The B<rand> command outputs I<num> pseudo-random bytes after seeding
+the random number generater once.  As in other B<openssl> command
+line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd>
+in addition to the files given in the B<-rand> option.  A new
+I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough
+seeding was obtained from these sources.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-out> I<file>
+
+Write to I<file> instead of standard output.
+
+=item B<-rand> I<file(s)>
+
+Use specified file or files or EGD socket (see L<RAND_egd(3)|RAND_egd(3)>)
+for seeding the random number generator.
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<-base64>
+
+Perform base64 encoding on the output.
+
+=back
+
+=head1 SEE ALSO
+
+L<RAND_bytes(3)|RAND_bytes(3)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod
new file mode 100644
index 0000000..fde6ff2
--- /dev/null
+++ b/crypto/openssl/doc/apps/req.pod
@@ -0,0 +1,528 @@
+
+=pod
+
+=head1 NAME
+
+req - PKCS#10 certificate and certificate generating utility.
+
+=head1 SYNOPSIS
+
+B<openssl> B<req>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-text>]
+[B<-noout>]
+[B<-verify>]
+[B<-modulus>]
+[B<-new>]
+[B<-newkey rsa:bits>]
+[B<-newkey dsa:file>]
+[B<-nodes>]
+[B<-key filename>]
+[B<-keyform PEM|DER>]
+[B<-keyout filename>]
+[B<-[md5|sha1|md2|mdc2]>]
+[B<-config filename>]
+[B<-x509>]
+[B<-days n>]
+[B<-asn1-kludge>]
+[B<-newhdr>]
+[B<-extensions section>]
+[B<-reqexts section>]
+
+=head1 DESCRIPTION
+
+The B<req> command primarily creates and processes certificate requests
+in PKCS#10 format. It can additionally create self signed certificates
+for use as root CAs for example.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#10. The B<PEM> form is the default format: it
+consists of the B<DER> format base64 encoded with additional header and
+footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a request from or standard input
+if this option is not specified. A request is only read if the creation
+options (B<-new> and B<-newkey>) are not specified.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write to or standard output by
+default.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-text>
+
+prints out the certificate request in text form.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the request.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the public key
+contained in the request.
+
+=item B<-verify>
+
+verifies the signature on the request.
+
+=item B<-new>
+
+this option generates a new certificate request. It will prompt
+the user for the relevant field values. The actual fields
+prompted for and their maximum and minimum sizes are specified
+in the configuration file and any requested extensions.
+
+If the B<-key> option is not used it will generate a new RSA private
+key using information specified in the configuration file.
+
+=item B<-newkey arg>
+
+this option creates a new certificate request and a new private
+key. The argument takes one of two forms. B<rsa:nbits>, where
+B<nbits> is the number of bits, generates an RSA key B<nbits>
+in size. B<dsa:filename> generates a DSA key using the parameters
+in the file B<filename>.
+
+=item B<-key filename>
+
+This specifies the file to read the private key from. It also
+accepts PKCS#8 format private keys for PEM format files.
+
+=item B<-keyform PEM|DER>
+
+the format of the private key file specified in the B<-key>
+argument. PEM is the default.
+
+=item B<-keyout filename>
+
+this gives the filename to write the newly created private key to.
+If this option is not specified then the filename present in the
+configuration file is used.
+
+=item B<-nodes>
+
+if this option is specified then if a private key is created it
+will not be encrypted.
+
+=item B<-[md5|sha1|md2|mdc2]>
+
+this specifies the message digest to sign the request with. This
+overrides the digest algorithm specified in the configuration file.
+This option is ignored for DSA requests: they always use SHA1.
+
+=item B<-config filename>
+
+this allows an alternative configuration file to be specified,
+this overrides the compile time filename or any specified in
+the B<OPENSSL_CONF> environment variable.
+
+=item B<-x509>
+
+this option outputs a self signed certificate instead of a certificate
+request. This is typically used to generate a test certificate or
+a self signed root CA. The extensions added to the certificate
+(if any) are specified in the configuration file.
+
+=item B<-days n>
+
+when the B<-x509> option is being used this specifies the number of
+days to certify the certificate for. The default is 30 days.
+
+=item B<-extensions section>
+=item B<-reqexts section>
+
+these options specify alternative sections to include certificate
+extensions (if the B<-x509> option is present) or certificate
+request extensions. This allows several different sections to
+be used in the same configuration file to specify requests for
+a variety of purposes.
+
+=item B<-asn1-kludge>
+
+by default the B<req> command outputs certificate requests containing
+no attributes in the correct PKCS#10 format. However certain CAs will only
+accept requests containing no attributes in an invalid form: this
+option produces this invalid format.
+
+More precisely the B<Attributes> in a PKCS#10 certificate request
+are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so
+if no attributes are present then they should be encoded as an
+empty B<SET OF>. The invalid form does not include the empty
+B<SET OF> whereas the correct form does.
+
+It should be noted that very few CAs still require the use of this option.
+
+=item B<-newhdr>
+
+Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+request. Some software (Netscape certificate server) and some CAs need this.
+
+=back
+
+=head1 CONFIGURATION FILE FORMAT
+
+The configuration options are specified in the B<req> section of
+the configuration file. As with all configuration files if no
+value is specified in the specific section (i.e. B<req>) then
+the initial unnamed or B<default> section is searched too.
+
+The options available are described in detail below.
+
+=over 4
+
+=item B<input_password output_password>
+
+The passwords for the input private key file (if present) and
+the output private key file (if one will be created). The
+command line options B<passin> and B<passout> override the
+configuration file values.
+
+=item B<default_bits>
+
+This specifies the default key size in bits. If not specified then
+512 is used. It is used if the B<-new> option is used. It can be
+overridden by using the B<-newkey> option.
+
+=item B<default_keyfile>
+
+This is the default filename to write a private key to. If not
+specified the key is written to standard output. This can be
+overridden by the B<-keyout> option.
+
+=item B<oid_file>
+
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+
+=item B<oid_section>
+
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used.
+
+=item B<RANDFILE>
+
+This specifies a filename in which random number seed information is
+placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+It is used for private key generation.
+
+=item B<encrypt_key>
+
+If this is set to B<no> then if a private key is generated it is
+B<not> encrypted. This is equivalent to the B<-nodes> command line
+option. For compatibility B<encrypt_rsa_key> is an equivalent option.
+
+=item B<default_md>
+
+This option specifies the digest algorithm to use. Possible values
+include B<md5 sha1 mdc2>. If not present then MD5 is used. This
+option can be overridden on the command line.
+
+=item B<string_mask>
+
+This option masks out the use of certain string types in certain
+fields. Most users will not need to change this option.
+
+It can be set to several values B<default> which is also the default
+option uses PrintableStrings, T61Strings and BMPStrings if the 
+B<pkix> value is used then only PrintableStrings and BMPStrings will
+be used. This follows the PKIX recommendation in RFC2459. If the
+B<utf8only> option is used then only UTF8Strings will be used: this
+is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr>
+option just uses PrintableStrings and T61Strings: certain software has
+problems with BMPStrings and UTF8Strings: in particular Netscape.
+
+=item B<req_extensions>
+
+this specifies the configuration file section containing a list of
+extensions to add to the certificate request. It can be overridden
+by the B<-reqexts> command line switch.
+
+=item B<x509_extensions>
+
+this specifies the configuration file section containing a list of
+extensions to add to certificate generated when the B<-x509> switch
+is used. It can be overridden by the B<-extensions> command line switch.
+
+=item B<prompt>
+
+if set to the value B<no> this disables prompting of certificate fields
+and just takes values from the config file directly. It also changes the
+expected format of the B<distinguished_name> and B<attributes> sections.
+
+=item B<attributes>
+
+this specifies the section containing any request attributes: its format
+is the same as B<distinguished_name>. Typically these may contain the
+challengePassword or unstructuredName types. They are currently ignored
+by OpenSSL's request signing utilities but some CAs might want them.
+
+=item B<distinguished_name>
+
+This specifies the section containing the distinguished name fields to
+prompt for when generating a certificate or certificate request. The format
+is described in the next section.
+
+=back
+
+=head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
+
+There are two separate formats for the distinguished name and attribute
+sections. If the B<prompt> option is set to B<no> then these sections
+just consist of field names and values: for example,
+
+ CN=My Name
+ OU=My Organization
+ emailAddress=someone@somewhere.org
+
+This allows external programs (e.g. GUI based) to generate a template file
+with all the field names and values and just pass it to B<req>. An example
+of this kind of configuration file is contained in the B<EXAMPLES> section.
+
+Alternatively if the B<prompt> option is absent or not set to B<no> then the
+file contains field prompting information. It consists of lines of the form:
+
+ fieldName="prompt"
+ fieldName_default="default field value"
+ fieldName_min= 2
+ fieldName_max= 4
+
+"fieldName" is the field name being used, for example commonName (or CN).
+The "prompt" string is used to ask the user to enter the relevant
+details. If the user enters nothing then the default value is used if no
+default value is present then the field is omitted. A field can
+still be omitted if a default value is present if the user just
+enters the '.' character.
+
+The number of characters entered must be between the fieldName_min and
+fieldName_max limits: there may be additional restrictions based
+on the field being used (for example countryName can only ever be
+two characters long and must fit in a PrintableString).
+
+Some fields (such as organizationName) can be used more than once
+in a DN. This presents a problem because configuration files will
+not recognize the same name occurring twice. To avoid this problem
+if the fieldName contains some characters followed by a full stop
+they will be ignored. So for example a second organizationName can
+be input by calling it "1.organizationName".
+
+The actual permitted field names are any object identifier short or
+long names. These are compiled into OpenSSL and include the usual
+values such as commonName, countryName, localityName, organizationName,
+organizationUnitName, stateOrPrivinceName. Additionally emailAddress
+is include as well as name, surname, givenName initials and dnQualifier.
+
+Additional object identifiers can be defined with the B<oid_file> or
+B<oid_section> options in the configuration file. Any additional fields
+will be treated as though they were a DirectoryString.
+
+
+=head1 EXAMPLES
+
+Examine and verify certificate request:
+
+ openssl req -in req.pem -text -verify -noout
+
+Create a private key and then generate a certificate request from it:
+
+ openssl genrsa -out key.pem 1024
+ openssl req -new -key key.pem -out req.pem
+
+The same but just using req:
+
+ openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+
+Generate a self signed root certificate:
+
+ openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+
+Example of a file pointed to by the B<oid_file> option:
+
+ 1.2.3.4	shortName	A longer Name
+ 1.2.3.6	otherName	Other longer Name
+
+Example of a section pointed to by B<oid_section> making use of variable
+expansion:
+
+ testoid1=1.2.3.5
+ testoid2=${testoid1}.6
+
+Sample configuration file prompting for field values:
+
+ [ req ]
+ default_bits		= 1024
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+ x509_extensions	= v3_ca
+
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+ countryName_default		= AU
+ countryName_min		= 2
+ countryName_max		= 2
+
+ localityName			= Locality Name (eg, city)
+
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+
+ commonName			= Common Name (eg, YOUR name)
+ commonName_max			= 64
+
+ emailAddress			= Email Address
+ emailAddress_max		= 40
+
+ [ req_attributes ]
+ challengePassword		= A challenge password
+ challengePassword_min		= 4
+ challengePassword_max		= 20
+
+ [ v3_ca ]
+
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ basicConstraints = CA:true
+
+Sample configuration containing all field values:
+
+
+ RANDFILE		= $ENV::HOME/.rnd
+
+ [ req ]
+ default_bits		= 1024
+ default_keyfile 	= keyfile.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+ prompt			= no
+ output_password	= mypass
+
+ [ req_distinguished_name ]
+ C			= GB
+ ST			= Test State or Province
+ L			= Test Locality
+ O			= Organization Name
+ OU			= Organizational Unit Name
+ CN			= Common Name
+ emailAddress		= test@email.address
+
+ [ req_attributes ]
+ challengePassword		= A challenge password
+
+
+=head1 NOTES
+
+The header and footer lines in the B<PEM> format are normally:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+which is produced with the B<-newhdr> option but is otherwise compatible.
+Either form is accepted transparently on input.
+
+The certificate requests generated by B<Xenroll> with MSIE have extensions
+added. It includes the B<keyUsage> extension which determines the type of
+key (signature only or general purpose) and any additional OIDs entered
+by the script in an extendedKeyUsage extension.
+
+=head1 DIAGNOSTICS
+
+The following messages are frequently asked about:
+
+	Using configuration from /some/path/openssl.cnf
+	Unable to load config info
+
+This is followed some time later by...
+
+	unable to find 'distinguished_name' in config
+	problems making Certificate Request
+
+The first error message is the clue: it can't find the configuration
+file! Certain operations (like examining a certificate request) don't
+need a configuration file so its use isn't enforced. Generation of
+certificates or requests however does need a configuration file. This
+could be regarded as a bug.
+
+Another puzzling message is this:
+
+        Attributes:
+            a0:00
+
+this is displayed when no attributes are present and the request includes
+the correct empty B<SET OF> structure (the DER encoding of which is 0xa0
+0x00). If you just see:
+
+        Attributes:
+
+then the B<SET OF> is missing and the encoding is technically invalid (but
+it is tolerated). See the description of the command line option B<-asn1-kludge>
+for more information.
+
+=head1 ENVIRONMENT VARIABLES
+
+The variable B<OPENSSL_CONF> if defined allows an alternative configuration
+file location to be specified, it will be overridden by the B<-config> command
+line switch if it is present. For compatibility reasons the B<SSLEAY_CONF>
+environment variable serves the same purpose but its use is discouraged.
+
+=head1 BUGS
+
+OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
+This can cause problems if you need characters that aren't available in
+PrintableStrings and you don't want to or can't use BMPStrings.
+
+As a consequence of the T61String handling the only correct way to represent
+accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
+currently chokes on these. If you have to use accented characters with Netscape
+and MSIE then you currently need to use the invalid T61String form.
+
+The current prompting is not very friendly. It doesn't allow you to confirm what
+you've just entered. Other things like extensions in certificate requests are
+statically defined in the configuration file. Some of these: like an email
+address in subjectAltName should be input by the user.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/rsa.pod b/crypto/openssl/doc/apps/rsa.pod
new file mode 100644
index 0000000..62ad62e
--- /dev/null
+++ b/crypto/openssl/doc/apps/rsa.pod
@@ -0,0 +1,156 @@
+
+=pod
+
+=head1 NAME
+
+rsa - RSA key processing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<rsa>
+[B<-inform PEM|NET|DER>]
+[B<-outform PEM|NET|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-check>]
+[B<-pubin>]
+[B<-pubout>]
+
+=head1 DESCRIPTION
+
+The B<rsa> command processes RSA keys. They can be converted between various
+forms and their components printed out. B<Note> this command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the B<pkcs8>
+utility.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|NET|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. On input PKCS#8 format private
+keys are also accepted. The B<NET> form is a format compatible with older Netscape
+servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very
+secure and so should only be used when necessary.
+
+=item B<-outform DER|NET|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout password>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<rsa> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the key.
+
+=item B<-check>
+
+this option checks the consistency of an RSA private key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this
+option a public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To remove the pass phrase on an RSA private key:
+
+ openssl rsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl rsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl rsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl rsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl rsa -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)> 
+
+=cut
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
new file mode 100644
index 0000000..2f80375
--- /dev/null
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -0,0 +1,221 @@
+
+=pod
+
+=head1 NAME
+
+s_client - SSL/TLS client program
+
+=head1 SYNOPSIS
+
+B<openssl> B<s_client>
+[B<-connect> host:port>]
+[B<-verify depth>]
+[B<-cert filename>]
+[B<-key filename>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-reconnect>]
+[B<-pause>]
+[B<-showcerts>]
+[B<-debug>]
+[B<-nbio_test>]
+[B<-state>]
+[B<-nbio>]
+[B<-crlf>]
+[B<-ign_eof>]
+[B<-quiet>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-bugs>]
+[B<-cipher cipherlist>]
+
+=head1 DESCRIPTION
+
+The B<s_client> command implements a generic SSL/TLS client which connects
+to a remote host using SSL/TLS. It is a I<very> useful diagnostic tool for
+SSL servers.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-connect host:port>
+
+This specifies the host and optional port to connect to. If not specified
+then an attempt is made to connect to the local host on port 4433.
+
+=item B<-cert certname>
+
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used.
+
+=item B<-verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+
+=item B<-CApath directory>
+
+The directory to use for server certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the client certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+
+=item B<-reconnect>
+
+reconnects to the same server 5 times using the same session ID, this can
+be used as a test that session caching is working.
+
+=item B<-pause>
+
+pauses 1 second between each read and write call.
+
+=item B<-showcerts>
+
+display the whole server certificate chain: normally only the server
+certificate itself is displayed.
+
+=item B<-prexit>
+
+print session information when the program exits. This will always attempt
+to print out information even if the connection fails. Normally information
+will only be printed out once if the connection succeeds. This option is useful
+because the cipher in use may be renegotiated or the connection may fail
+because a client certificate is required or is requested only after an
+attempt is made to access a certain URL. Note: the output produced by this
+option is not always accurate because a connection might never have been
+established.
+
+=item B<-state>
+
+prints out the SSL session states.
+
+=item B<-debug>
+
+print extensive debugging information including a hex dump of all traffic.
+
+=item B<-nbio_test>
+
+tests non-blocking I/O
+
+=item B<-nbio>
+
+turns on non-blocking I/O
+
+=item B<-crlf>
+
+this option translated a line feed from the terminal into CR+LF as required
+by some servers.
+
+=item B<-ign_eof>
+
+inhibit shutting down the connection when end of file is reached in the
+input.
+
+=item B<-quiet>
+
+inhibit printing of session and certificate information.  This implicitely
+turns on B<-ign_eof> as well.
+
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if TLS is turned off with the B<-no_tls> option others will only
+support SSL v2 and may need the B<-ssl2> option.
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the B<ciphers>
+command for more information.
+
+=back
+
+=head1 CONNECTED COMMANDS
+
+If a connection is established with an SSL server then any data received
+from the server is displayed and any key presses will be sent to the
+server. When used interactively (which means neither B<-quiet> nor B<-ign_eof>
+have been given), the session will be renegociated if the line begins with an
+B<R>, and if the line begins with a B<Q> or if end of file is reached, the
+connection will be closed down.
+
+=head1 NOTES
+
+B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
+server the command:
+
+ openssl s_client -connect servername:443
+
+would typically be used (https uses port 443). If the connection succeeds
+then an HTTP command can be given such as "GET /" to retrieve a web page.
+
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried
+in case it is a buggy server. In particular you should play with these
+options B<before> submitting a bug report to an OpenSSL mailing list.
+
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its "acceptable CA list" when it
+requests a certificate. By using B<s_client> the CA list can be viewed
+and checked. However some servers only request client authentication
+after a specific URL is requested. To obtain the list in this case it
+is necessary to use the B<-prexit> command and send an HTTP request
+for an appropriate page.
+
+If a certificate is specified on the command line using the B<-cert>
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+
+If there are problems verifying a server certificate then the
+B<-showcerts> option can be used to show the whole chain.
+
+=head1 BUGS
+
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_client is rather
+hard to read and not a model of how things should be done. A typical
+SSL client program would be much simpler.
+
+The B<-verify> option should really exit if the server verification
+fails.
+
+The B<-prexit> option is a bit of a hack. We should really report
+information whenever a session is renegotiated.
+
+=head1 SEE ALSO
+
+L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
new file mode 100644
index 0000000..0f29c36
--- /dev/null
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -0,0 +1,265 @@
+
+=pod
+
+=head1 NAME
+
+s_server - SSL/TLS server program
+
+=head1 SYNOPSIS
+
+B<openssl> B<s_client>
+[B<-accept port>]
+[B<-context id>]
+[B<-verify depth>]
+[B<-Verify depth>]
+[B<-cert filename>]
+[B<-key keyfile>]
+[B<-dcert filename>]
+[B<-dkey keyfile>]
+[B<-dhparam filename>]
+[B<-nbio>]
+[B<-nbio_test>]
+[B<-crlf>]
+[B<-debug>]
+[B<-state>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-nocert>]
+[B<-cipher cipherlist>]
+[B<-quiet>]
+[B<-no_tmp_rsa>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-no_dhe>]
+[B<-bugs>]
+[B<-hack>]
+[B<-www>]
+[B<-WWW>]
+
+=head1 DESCRIPTION
+
+The B<s_server> command implements a generic SSL/TLS server which listens
+for connections on a given port using SSL/TLS.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-accept port>
+
+the TCP port to listen on for connections. If not specified 4433 is used.
+
+=item B<-context id>
+
+sets the SSL context id. It can be given any string value. If this option
+is not present a default value will be used.
+
+=item B<-cert certname>
+
+The certificate to use, most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the DSS cipher suites require a certificate containing a DSS
+(DSA) key. If not specified then the filename "server.pem" will be used.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used.
+
+=item B<-dcert filename>, B<-dkey keyname>
+
+specify an additional certificate and private key, these behave in the
+same manner as the B<-cert> and B<-key> options except there is no default
+if they are not specified (no additional certificate and key is used). As
+noted above some cipher suites require a certificate containing a key of
+a certain type. Some cipher suites need a certificate carrying an RSA key
+and some a DSS (DSA) key. By using RSA and DSS certificates and keys
+a server can support clients which only support RSA or DSS cipher suites
+by using an appropriate certificate.
+
+=item B<-nocert>
+
+if this option is set then no certificate is used. This restricts the
+cipher suites available to the anonymous ones (currently just anonymous
+DH).
+
+=item B<-dhparam filename>
+
+the DH parameter file to use. The ephemeral DH cipher suites generate keys
+using a set of DH parameters. If not specified then an attempt is made to
+load the parameters from the server certificate file. If this fails then
+a static set of parameters hard coded into the s_server program will be used.
+
+=item B<-nodhe>
+
+if this option is set then no DH parameters will be loaded effectively
+disabling the ephemeral DH cipher suites.
+
+=item B<-no_tmp_rsa>
+
+certain export cipher suites sometimes use a temporary RSA key, this option
+disables temporary RSA key generation.
+
+=item B<-verify depth>, B<-Verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the B<-verify> option a certificate is requested but the
+client does not have to send one, with the B<-Verify> option the client
+must supply a certificate or an error occurs.
+
+=item B<-CApath directory>
+
+The directory to use for client certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the server certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during client authentication
+and to use when attempting to build the server certificate chain. The list
+is also used in the list of acceptable client CAs passed to the client when
+a certificate is requested.
+
+=item B<-state>
+
+prints out the SSL session states.
+
+=item B<-debug>
+
+print extensive debugging information including a hex dump of all traffic.
+
+=item B<-nbio_test>
+
+tests non blocking I/O
+
+=item B<-nbio>
+
+turns on non blocking I/O
+
+=item B<-crlf>
+
+this option translated a line feed from the terminal into CR+LF.
+
+=item B<-quiet>
+
+inhibit printing of session and certificate information.
+
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-hack>
+
+this option enables a further workaround for some some early Netscape
+SSL code (?).
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list used by the server to be modified.  When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.
+
+=item B<-www>
+
+sends a status message back to the client when it connects. This includes
+lots of information about the ciphers used and various session parameters.
+The output is in HTML format so this option will normally be used with a
+web browser.
+
+=item B<-WWW>
+
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the URL https://myhost/page.html is
+requested the file ./page.html will be loaded.
+
+=back
+
+=head1 CONNECTED COMMANDS
+
+If a connection request is established with an SSL client and neither the
+B<-www> nor the B<-WWW> option has been used then normally any data received
+from the client is displayed and any key presses will be sent to the client. 
+
+Certain single letter commands are also recognized which perform special
+operations: these are listed below.
+
+=over 4
+
+=item B<q>
+
+end the current SSL connection but still accept new connections.
+
+=item B<Q>
+
+end the current SSL connection and exit.
+
+=item B<r>
+
+renegotiate the SSL session.
+
+=item B<R>
+
+renegotiate the SSL session and request a client certificate.
+
+=item B<P>
+
+send some plain text down the underlying TCP connection: this should
+cause the client to disconnect due to a protocol violation.
+
+=item B<S>
+
+print out some session cache status information.
+
+=back
+
+=head1 NOTES
+
+B<s_server> can be used to debug SSL clients. To accept connections from
+a web browser the command:
+
+ openssl s_server -accept 443 -www
+
+can be used for example.
+
+Most web browsers (in particular Netscape and MSIE) only support RSA cipher
+suites, so they cannot connect to servers which don't use a certificate
+carrying an RSA key or a version of OpenSSL with RSA disabled.
+
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some SSL clients interpret this to
+mean any CA is acceptable. This is useful for debugging purposes.
+
+The session parameters can printed out using the B<sess_id> program.
+
+=head1 BUGS
+
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_server is rather
+hard to read and not a model of how things should be done. A typical
+SSL server program would be much simpler.
+
+The output of common ciphers is wrong: it just gives the list of ciphers that
+OpenSSL recognizes and the client supports.
+
+There should be a way for the B<s_server> program to print out details of any
+unknown cipher suites a client says it supports.
+
+=head1 SEE ALSO
+
+L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/sess_id.pod b/crypto/openssl/doc/apps/sess_id.pod
new file mode 100644
index 0000000..9988d2c
--- /dev/null
+++ b/crypto/openssl/doc/apps/sess_id.pod
@@ -0,0 +1,151 @@
+
+=pod
+
+=head1 NAME
+
+sess_id - SSL/TLS session handling utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<sess_id>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-text>]
+[B<-noout>]
+[B<-context ID>]
+
+=head1 DESCRIPTION
+
+The B<sess_id> process the encoded version of the SSL session structure
+and optionally prints out SSL session details (for example the SSL session
+master key) in human readable format. Since this is a diagnostic tool that
+needs some knowledge of the SSL protocol to use properly, most users will
+not need to use it.
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+format containing session details. The precise format can vary from one version
+to the next.  The B<PEM> form is the default format: it consists of the B<DER>
+format base64 encoded with additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read session information from or standard
+input by default.
+
+=item B<-out filename>
+
+This specifies the output filename to write session information to or standard
+output if this option is not specified.
+
+=item B<-text>
+
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+
+=item B<-cert>
+
+if a certificate is present in the session it will be output using this option,
+if the B<-text> option is also present then it will be printed out in text form.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the session.
+
+=item B<-context ID>
+
+this option can set the session id so the output session information uses the
+supplied ID. The ID can be any string of characters. This option wont normally
+be used.
+
+=back
+
+=head1 OUTPUT
+
+Typical output:
+
+ SSL-Session:
+     Protocol  : TLSv1
+     Cipher    : 0016
+     Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
+     Session-ID-ctx: 01000000
+     Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
+     Key-Arg   : None
+     Start Time: 948459261
+     Timeout   : 300 (sec)
+     Verify return code 0 (ok)
+
+Theses are described below in more detail.
+
+=over 4
+
+=item B<Protocol>
+
+this is the protocol in use TLSv1, SSLv3 or SSLv2.
+
+=item B<Cipher>
+
+the cipher used this is the actual raw SSL or TLS cipher code, see the SSL
+or TLS specifications for more information.
+
+=item B<Session-ID>
+
+the SSL session ID in hex format.
+
+=item B<Session-ID-ctx>
+
+the session ID context in hex format.
+
+=item B<Master-Key>
+
+this is the SSL session master key.
+
+=item B<Key-Arg>
+
+the key argument, this is only used in SSL v2.
+
+=item B<Start Time>
+
+this is the session start time represented as an integer in standard Unix format.
+
+=item B<Timeout>
+
+the timeout in seconds.
+
+=item B<Verify return code>
+
+this is the return code when an SSL client certificate is verified.
+
+=back
+
+=head1 NOTES
+
+The PEM encoded session format uses the header and footer lines:
+
+ -----BEGIN SSL SESSION PARAMETERS-----
+ -----END SSL SESSION PARAMETERS-----
+
+Since the SSL session output contains the master key it is possible to read the contents
+of an encrypted session using this information. Therefore appropriate security precautions
+should be taken if the information is being output by a "real" application. This is
+however strongly discouraged and should only be used for debugging purposes.
+
+=head1 BUGS
+
+The cipher and start time should be printed out in human readable form.
+
+=head1 SEE ALSO
+
+L<ciphers(1)|ciphers(1)>, L<s_server(1)|s_server(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod
new file mode 100644
index 0000000..631ecdc
--- /dev/null
+++ b/crypto/openssl/doc/apps/smime.pod
@@ -0,0 +1,325 @@
+=pod
+
+=head1 NAME
+
+smime - S/MIME utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<smime>
+[B<-encrypt>]
+[B<-decrypt>]
+[B<-sign>]
+[B<-verify>]
+[B<-pk7out>]
+[B<-des>]
+[B<-des3>]
+[B<-rc2-40>]
+[B<-rc2-64>]
+[B<-rc2-128>]
+[B<-in file>]
+[B<-certfile file>]
+[B<-signer file>]
+[B<-recip  file>]
+[B<-in file>]
+[B<-inkey file>]
+[B<-out file>]
+[B<-to addr>]
+[B<-from ad>]
+[B<-subject s>]
+[B<-text>]
+[B<-rand file(s)>]
+[cert.pem]...
+
+=head1 DESCRIPTION
+
+The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and
+verify S/MIME messages.
+
+=head1 COMMAND OPTIONS
+
+There are five operation options that set the type of operation to be performed.
+The meaning of the other options varies according to the operation type.
+
+=over 4
+
+=item B<-encrypt>
+
+encrypt mail for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted mail in MIME format.
+
+=item B<-decrypt>
+
+decrypt mail using the supplied certificate and private key. Expects an
+encrypted mail message in MIME format for the input file. The decrypted mail
+is written to the output file.
+
+=item B<-sign>
+
+sign mail using the supplied certificate and private key. Input file is
+the message to be signed. The signed message in MIME format is written
+to the output file.
+
+=item B<-verify>
+
+verify signed mail. Expects a signed mail message on input and outputs
+the signed data. Both clear text and opaque signing is supported.
+
+=item B<-pk7out>
+
+takes an input message and writes out a PEM encoded PKCS#7 structure.
+
+=item B<-in filename>
+
+the input message to be encrypted or signed or the MIME message to
+be decrypted or verified.
+
+=item B<-out filename>
+
+the message text that has been decrypted or verified or the output MIME
+format message that has been signed or verified.
+
+=item B<-text>
+
+this option adds plain text (text/plain) MIME headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of MIME 
+type text/plain then an error occurs.
+
+=item B<-CAfile file>
+
+a file containing trusted CA certificates, only used with B<-verify>.
+
+=item B<-CApath dir>
+
+a directory containing trusted CA certificates, only used with
+B<-verify>. This directory must be a standard certificate directory: that
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
+=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128>
+
+the encryption algorithm to use. DES (56 bits), triple DES (168 bits)
+or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is
+used. Only used with B<-encrypt>.
+
+=item B<-nointern>
+
+when verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the B<-certfile> option are used.
+The supplied certificates can still be used as untrusted CAs however.
+
+=item B<-noverify>
+
+do not verify the signers certificate of a signed message.
+
+=item B<-nochain>
+
+do not do chain verification of signers certificates: that is don't
+use the certificates in the signed message as untrusted CAs.
+
+=item B<-nosigs>
+
+don't try to verify the signatures on the message.
+
+=item B<-nocerts>
+
+when signing a message the signer's certificate is normally included
+with this option it is excluded. This will reduce the size of the
+signed message but the verifier must have a copy of the signers certificate
+available locally (passed using the B<-certfile> option for example).
+
+=item B<-noattr>
+
+normally when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms. With this
+option they are not included.
+
+=item B<-binary>
+
+normally the input message is converted to "canonical" format which is
+effectively using CR and LF as end of line: as required by the S/MIME
+specification. When this option is present no translation occurs. This
+is useful when handling binary data which may not be in MIME format.
+
+=item B<-nodetach>
+
+when signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME.  Without this option cleartext signing with
+the MIME type multipart/signed is used.
+
+=item B<-certfile file>
+
+allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates. The certificates should be in PEM format.
+
+=item B<-signer file>
+
+the signers certificate when signing a message. If a message is
+being verified then the signers certificates will be written to this
+file if the verification was successful.
+
+=item B<-recip file>
+
+the recipients certificate when decrypting a message. This certificate
+must match one of the recipients of the message or an error occurs.
+
+=item B<-inkey file>
+
+the private key to use when signing or decrypting. This must match the
+corresponding certificate. If this option is not specified then the
+private key must be included in the certificate file specified with
+the B<-recip> or B<-signer> file.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<cert.pem...>
+
+one or more certificates of message recipients: used when encrypting
+a message. 
+
+=item B<-to, -from, -subject>
+
+the relevant mail headers. These are included outside the signed
+portion of a message so they may be included manually. If signing
+then many S/MIME mail clients check the signers certificate's email
+address matches that specified in the From: address.
+
+=back
+
+=head1 NOTES
+
+The MIME message must be sent without any blank lines between the
+headers and the output. Some mail programs will automatically add
+a blank line. Piping the mail directly to sendmail is one way to
+achieve the correct format.
+
+The supplied message to be signed or encrypted must include the
+necessary MIME headers: or many S/MIME clients wont display it
+properly (if at all). You can use the B<-text> option to automatically
+add plain text headers.
+
+A "signed and encrypted" message is one where a signed message is
+then encrypted. This can be produced by encrypting an already signed
+message: see the examples section.
+
+This version of the program only allows one signer per message but it
+will verify multiple signers on received messages. Some S/MIME clients
+choke if a message contains multiple signers. It is possible to sign
+messages "in parallel" by signing an already signed message.
+
+The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
+clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
+encrypted data is used for other purposes.
+
+=head1 EXIT CODES
+
+=over 4
+
+=item 0
+
+the operation was completely successfully.
+
+=item 1 
+
+an error occurred parsing the command options.
+
+=item 2
+
+one of the input files could not be read.
+
+=item 3
+
+an error occurred creating the PKCS#7 file or when reading the MIME
+message.
+
+=item 4
+
+an error occurred decrypting or verifying the message.
+
+=item 5
+
+the message was verified correctly but an error occurred writing out
+the signers certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Create a cleartext signed message:
+
+ openssl smime -sign -in message.txt -text -out mail.msg \
+	-signer mycert.pem
+
+Create and opaque signed message
+
+ openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
+	-signer mycert.pem
+
+Create a signed message, include some additional certificates and
+read the private key from another file:
+
+ openssl smime -sign -in in.txt -text -out mail.msg \
+	-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+
+Send a signed message under Unix directly to sendmail, including headers:
+
+ openssl smime -sign -in in.txt -text -signer mycert.pem \
+	-from steve@openssl.org -to someone@somewhere \
+	-subject "Signed message" | sendmail someone@somewhere
+
+Verify a message and extract the signer's certificate if successful:
+
+ openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
+
+Send encrypted mail using triple DES:
+
+ openssl smime -encrypt -in in.txt -from steve@openssl.org \
+	-to someone@somewhere -subject "Encrypted message" \
+	-des3 user.pem -out mail.msg
+
+Sign and encrypt mail:
+
+ openssl smime -sign -in ml.txt -signer my.pem -text \
+	| openssl -encrypt -out mail.msg \
+	-from steve@openssl.org -to someone@somewhere \
+	-subject "Signed and Encrypted message" -des3 user.pem
+
+Note: the encryption command does not include the B<-text> option because the message
+being encrypted already has MIME headers.
+
+Decrypt mail:
+
+ openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
+
+=head1 BUGS
+
+The MIME parser isn't very clever: it seems to handle most messages that I've thrown
+at it but it may choke on others.
+
+The code currently will only write out the signer's certificate to a file: if the
+signer has a separate encryption certificate this must be manually extracted. There
+should be some heuristic that determines the correct encryption certificate.
+
+Ideally a database should be maintained of a certificates for each email address.
+
+The code doesn't currently take note of the permitted symmetric encryption
+algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+user has to manually include the correct encryption algorithm. It should store
+the list of permitted ciphers in a database and only use those.
+
+No revocation checking is done on the signer's certificate.
+
+The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
+structures may cause parsing errors.
+
+=cut
diff --git a/crypto/openssl/doc/apps/speed.pod b/crypto/openssl/doc/apps/speed.pod
new file mode 100644
index 0000000..fecd9a9
--- /dev/null
+++ b/crypto/openssl/doc/apps/speed.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+speed - test library performance
+
+=head1 SYNOPSIS
+
+B<openssl speed>
+[B<md2>]
+[B<mdc2>]
+[B<md5>]
+[B<hmac>]
+[B<sha1>]
+[B<rmd160>]
+[B<idea-cbc>]
+[B<rc2-cbc>]
+[B<rc5-cbc>]
+[B<bf-cbc>]
+[B<des-cbc>]
+[B<des-ede3>]
+[B<rc4>]
+[B<rsa512>]
+[B<rsa1024>]
+[B<rsa2048>]
+[B<rsa4096>]
+[B<dsa512>]
+[B<dsa1024>]
+[B<dsa2048>]
+[B<idea>]
+[B<rc2>]
+[B<des>]
+[B<rsa>]
+[B<blowfish>]
+
+=head1 DESCRIPTION
+
+This command is used to test the performance of cryptographic algorithms.
+
+=head1 OPTIONS
+
+If an option is given, B<speed> test that algorithm, otherwise all of
+the above are tested.
+
+=cut
diff --git a/crypto/openssl/doc/apps/spkac.pod b/crypto/openssl/doc/apps/spkac.pod
new file mode 100644
index 0000000..bb84dfb
--- /dev/null
+++ b/crypto/openssl/doc/apps/spkac.pod
@@ -0,0 +1,127 @@
+=pod
+
+=head1 NAME
+
+spkac - SPKAC printing and generating utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<spkac>
+[B<-in filename>]
+[B<-out filename>]
+[B<-key keyfile>]
+[B<-passin arg>]
+[B<-challenge string>]
+[B<-pubkey>]
+[B<-spkac spkacname>]
+[B<-spksect section>]
+[B<-noout>]
+[B<-verify>]
+
+
+=head1 DESCRIPTION
+
+The B<spkac> command processes Netscape signed public key and challenge
+(SPKAC) files. It can print out their contents, verify the signature and
+produce its own SPKACs from a supplied private key.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified. Ignored if the B<-key> option is used.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-key keyfile>
+
+create an SPKAC file using the private key in B<keyfile>. The
+B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
+present.
+
+=item B<-passin password>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-challenge string>
+
+specifies the challenge string if an SPKAC is being created.
+
+=item B<-spkac spkacname>
+
+allows an alternative name form the variable containing the
+SPKAC. The default is "SPKAC". This option affects both
+generated and input SPKAC files.
+
+=item B<-spksect section>
+
+allows an alternative name form the section containing the
+SPKAC. The default is the default section.
+
+=item B<-noout>
+
+don't output the text version of the SPKAC (not used if an
+SPKAC is being created).
+
+=item B<-pubkey>
+
+output the public key of an SPKAC (not used if an SPKAC is
+being created).
+
+=item B<-verify>
+
+verifies the digital signature on the supplied SPKAC.
+
+
+=back
+
+=head1 EXAMPLES
+
+Print out the contents of an SPKAC:
+
+ openssl spkac -in spkac.cnf
+
+Verify the signature of an SPKAC:
+
+ openssl spkac -in spkac.cnf -noout -verify
+
+Create an SPKAC using the challenge string "hello":
+
+ openssl spkac -key key.pem -challenge hello -out spkac.cnf
+
+Example of an SPKAC, (long lines split up for clarity):
+
+ SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
+ PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
+ PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
+ 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
+ 4=
+
+=head1 NOTES
+
+A created SPKAC with suitable DN components appended can be fed into
+the B<ca> utility.
+
+SPKACs are typically generated by Netscape when a form is submitted
+containing the B<KEYGEN> tag as part of the certificate enrollment
+process.
+
+The challenge string permits a primitive form of proof of possession
+of private key. By checking the SPKAC signature and a random challenge
+string some guarantee is given that the user knows the private key
+corresponding to the public key being certified. This is important in
+some applications. Without this it is possible for a previous SPKAC
+to be used in a "replay attack".
+
+=head1 SEE ALSO
+
+L<ca(1)|ca(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/verify.pod b/crypto/openssl/doc/apps/verify.pod
new file mode 100644
index 0000000..4a6572d
--- /dev/null
+++ b/crypto/openssl/doc/apps/verify.pod
@@ -0,0 +1,273 @@
+=pod
+
+=head1 NAME
+
+pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<verify>
+[B<-CApath directory>]
+[B<-CAfile file>]
+[B<-purpose purpose>]
+[B<-untrusted file>]
+[B<-help>]
+[B<-verbose>]
+[B<->]
+[certificates]
+
+
+=head1 DESCRIPTION
+
+The B<verify> command verifies certificate chains.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-CApath directory>
+
+A directory of trusted certificates. The certificates should have names
+of the form: hash.0 or have symbolic links to them of this
+form ("hash" is the hashed certificate subject name: see the B<-hash> option
+of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
+create symbolic links to a directory of certificates.
+
+=item B<-CAfile file>
+
+A file of trusted certificates. The file should contain multiple certificates
+in PEM format concatenated together.
+
+=item B<-untrusted file>
+
+A file of untrusted certificates. The file should contain multiple certificates
+
+=item B<-purpose purpose>
+
+the intended use for the certificate. Without this option no chain verification
+will be done. Currently accepted uses are B<sslclient>, B<sslserver>,
+B<nssslserver>, B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION>
+section for more information.
+
+=item B<-help>
+
+prints out a usage message.
+
+=item B<-verbose>
+
+print extra information about the operations being performed.
+
+=item B<->
+
+marks the last option. All arguments following this are assumed to be
+certificate files. This is useful if the first certificate filename begins
+with a B<->.
+
+=item B<certificates>
+
+one or more certificates to verify. If no certificate filenames are included
+then an attempt is made to read a certificate from standard input. They should
+all be in PEM format.
+
+
+=back
+
+=head1 VERIFY OPERATION
+
+The B<verify> program uses the same functions as the internal SSL and S/MIME
+verification, therefore this description applies to these verify operations
+too.
+
+There is one crucial difference between the verify operations performed
+by the B<verify> program: wherever possible an attempt is made to continue
+after an error whereas normally the verify operation would halt on the
+first error. This allows all the problems with a certificate chain to be
+determined.
+
+The verify operation consists of a number of separate steps.
+
+Firstly a certificate chain is built up starting from the supplied certificate
+and ending in the root CA. It is an error if the whole chain cannot be built
+up. The chain is built up by looking up a certificate whose subject name
+matches the issuer name of the current certificate. If a certificate is found
+whose subject and issuer names are identical it is assumed to be the root CA.
+The lookup first looks in the list of untrusted certificates and if no match
+is found the remaining lookups are from the trusted certificates. The root CA
+is always looked up in the trusted certificate list: if the certificate to
+verify is a root certificate then an exact match must be found in the trusted
+list.
+
+The second operation is to check every untrusted certificate's extensions for
+consistency with the supplied purpose. If the B<-purpose> option is not included
+then no checks are done. The supplied or "leaf" certificate must have extensions
+compatible with the supplied purpose and all other certificates must also be valid
+CA certificates. The precise extensions required are described in more detail in
+the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
+
+The third operation is to check the trust settings on the root CA. The root
+CA should be trusted for the supplied purpose. For compatibility with previous
+versions of SSLeay and OpenSSL a certificate with no trust settings is considered
+to be valid for all purposes. 
+
+The final operation is to check the validity of the certificate chain. The validity
+period is checked against the current system time and the notBefore and notAfter
+dates in the certificate. The certificate signatures are also checked at this
+point.
+
+If all operations complete successfully then certificate is considered valid. If
+any operation fails then the certificate is not valid.
+
+=head1 DIAGNOSTICS
+
+When a verify operation fails the output messages can be somewhat cryptic. The
+general form of the error message is:
+
+ server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+ error 24 at 1 depth lookup:invalid CA certificate
+
+The first line contains the name of the certificate being verified followed by
+the subject name of the certificate. The second line contains the error number
+and the depth. The depth is number of the certificate being verified when a
+problem was detected starting with zero for the certificate being verified itself
+then 1 for the CA that signed the certificate and so on. Finally a text version
+of the error number is presented.
+
+An exhaustive list of the error codes and messages is shown below, this also
+includes the name of the error code as defined in the header file x509_vfy.h
+Some of the error codes are defined but never returned: these are described
+as "unused".
+
+=over 4
+
+=item B<0 X509_V_OK: ok>
+
+the operation was successful.
+
+=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
+
+the issuer certificate could not be found: this occurs if the issuer certificate
+of an untrusted certificate cannot be found.
+
+=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL>
+
+the CRL of a certificate could not be found. Unused.
+
+=item B<4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
+
+the certificate signature could not be decrypted. This means that the actual signature value
+could not be determined rather than it not matching the expected value, this is only
+meaningful for RSA keys.
+
+=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
+
+the CRL signature could not be decrypted: this means that the actual signature value
+could not be determined rather than it not matching the expected value. Unused.
+
+=item B<6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
+
+the public key in the certificate SubjectPublicKeyInfo could not be read.
+
+=item B<7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
+
+the signature of the certificate is invalid.
+
+=item B<8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
+
+the signature of the certificate is invalid. Unused.
+
+=item B<9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
+
+the certificate is not yet valid: the notBefore date is after the current time.
+
+=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
+
+the CRL is not yet valid. Unused.
+
+=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired>
+
+the certificate has expired: that is the notAfter date is before the current time.
+
+=item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
+
+the CRL has expired. Unused.
+
+=item B<13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
+
+the certificate notBefore field contains an invalid time.
+
+=item B<14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
+
+the certificate notAfter field contains an invalid time.
+
+=item B<15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
+
+the CRL lastUpdate field contains an invalid time. Unused.
+
+=item B<16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
+
+the CRL nextUpdate field contains an invalid time. Unused.
+
+=item B<17 X509_V_ERR_OUT_OF_MEM: out of memory>
+
+an error occurred trying to allocate memory. This should never happen.
+
+=item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
+
+the passed certificate is self signed and the same certificate cannot be found in the list of
+trusted certificates.
+
+=item B<19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
+
+the certificate chain could be built up using the untrusted certificates but the root could not
+be found locally.
+
+=item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
+
+the issuer certificate of a locally looked up certificate could not be found. This normally means
+the list of trusted certificates is not complete.
+
+=item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
+
+no signatures could be verified because the chain contains only one certificate and it is not
+self signed.
+
+=item B<22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
+
+the certificate chain length is greater than the supplied maximum depth. Unused.
+
+=item B<23 X509_V_ERR_CERT_REVOKED: certificate revoked>
+
+the certificate has been revoked. Unused.
+
+=item B<24 X509_V_ERR_INVALID_CA: invalid CA certificate>
+
+a CA certificate is invalid. Either it is not a CA or its extensions are not consistent
+with the supplied purpose.
+
+=item B<25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
+
+the basicConstraints pathlength parameter has been exceeded.
+
+=item B<26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
+
+the supplied certificate cannot be used for the specified purpose.
+
+=item B<27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
+
+the root CA is not marked as trusted for the specified purpose.
+
+=item B<28 X509_V_ERR_CERT_REJECTED: certificate rejected>
+
+the root CA is marked to reject the specified purpose.
+
+=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
+
+an application specific error. Unused.
+
+=back
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>
+
+=cut
diff --git a/crypto/openssl/doc/apps/version.pod b/crypto/openssl/doc/apps/version.pod
new file mode 100644
index 0000000..5d261a6
--- /dev/null
+++ b/crypto/openssl/doc/apps/version.pod
@@ -0,0 +1,56 @@
+=pod
+
+=head1 NAME
+
+version - print OpenSSL version information
+
+=head1 SYNOPSIS
+
+B<openssl version>
+[B<-a>]
+[B<-v>]
+[B<-b>]
+[B<-o>]
+[B<-f>]
+[B<-p>]
+
+=head1 DESCRIPTION
+
+This command is used to print out version information about OpenSSL.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a>
+
+all information, this is the same as setting all the other flags.
+
+=item B<-v>
+
+the current OpenSSL version.
+
+=item B<-b>
+
+the date the current version of OpenSSL was built.
+
+=item B<-o>
+
+option information: various options set when the library was built.
+
+=item B<-c>
+
+compilation flags.
+
+=item B<-p>
+
+platform setting.
+
+=back
+
+=head1 NOTES
+
+The output of B<openssl version -a> would typically be used when sending
+in a bug report.
+
+=cut
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
new file mode 100644
index 0000000..e4ae546
--- /dev/null
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -0,0 +1,544 @@
+
+=pod
+
+=head1 NAME
+
+x509 - Certificate display and signing utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<x509>
+[B<-inform DER|PEM|NET>]
+[B<-outform DER|PEM|NET>]
+[B<-keyform DER|PEM>]
+[B<-CAform DER|PEM>]
+[B<-CAkeyform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-serial>]
+[B<-hash>]
+[B<-subject>]
+[B<-issuer>]
+[B<-startdate>]
+[B<-enddate>]
+[B<-purpose>]
+[B<-dates>]
+[B<-modulus>]
+[B<-fingerprint>]
+[B<-alias>]
+[B<-noout>]
+[B<-trustout>]
+[B<-clrtrust>]
+[B<-clrreject>]
+[B<-addtrust arg>]
+[B<-addreject arg>]
+[B<-setalias arg>]
+[B<-days arg>]
+[B<-signkey filename>]
+[B<-x509toreq>]
+[B<-req>]
+[B<-CA filename>]
+[B<-CAkey filename>]
+[B<-CAcreateserial>]
+[B<-CAserial filename>]
+[B<-text>]
+[B<-C>]
+[B<-md2|-md5|-sha1|-mdc2>]
+[B<-clrext>]
+[B<-extfile filename>]
+[B<-extensions section>]
+
+=head1 DESCRIPTION
+
+The B<x509> command is a multi purpose certificate utility. It can be
+used to display certificate information, convert certificates to
+various forms, sign certificate requests like a "mini CA" or edit
+certificate trust settings.
+
+Since there are a large number of options they will split up into
+various sections.
+
+
+=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM|NET>
+
+This specifies the input format normally the command will expect an X509
+certificate but this can change if other options such as B<-req> are
+present. The DER format is the DER encoding of the certificate and PEM
+is the base64 encoding of the DER encoding with header and footer lines
+added. The NET option is an obscure Netscape server format that is now
+obsolete.
+
+=item B<-outform DER|PEM|NET>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a certificate from or standard input
+if this option is not specified.
+
+=item B<-out filename>
+
+This specifies the output filename to write to or standard output by
+default.
+
+=item B<-md2|-md5|-sha1|-mdc2>
+
+the digest to use. This affects any signing or display option that uses a message
+digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+specified then MD5 is used. If the key being used to sign with is a DSA key then
+this option has no effect: SHA1 is always used with DSA keys.
+
+
+=back
+
+=head1 DISPLAY OPTIONS
+
+Note: the B<-alias> and B<-purpose> options are also display options
+but are described in the B<TRUST OPTIONS> section.
+
+=over 4
+
+=item B<-text>
+
+prints out the certificate in text form. Full details are output including the
+public key, signature algorithms, issuer and subject names, serial number
+any extensions present and any trust settings.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the request.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the public key
+contained in the certificate.
+
+=item B<-serial>
+
+outputs the certificate serial number.
+
+=item B<-hash>
+
+outputs the "hash" of the certificate subject name. This is used in OpenSSL to
+form an index to allow certificates in a directory to be looked up by subject
+name.
+
+=item B<-subject>
+
+outputs the subject name.
+
+=item B<-issuer>
+
+outputs the issuer name.
+
+=item B<-startdate>
+
+prints out the start date of the certificate, that is the notBefore date.
+
+=item B<-enddate>
+
+prints out the expiry date of the certificate, that is the notAfter date.
+
+=item B<-dates>
+
+prints out the start and expiry dates of a certificate.
+
+=item B<-fingerprint>
+
+prints out the digest of the DER encoded version of the whole certificate.
+
+=item B<-C>
+
+this outputs the certificate in the form of a C source file.
+
+=back
+
+=head1 TRUST SETTINGS
+
+Please note these options are currently experimental and may well change.
+
+A B<trusted certificate> is an ordinary certificate which has several
+additional pieces of information attached to it such as the permitted
+and prohibited uses of the certificate and an "alias".
+
+Normally when a certificate is being verified at least one certificate
+must be "trusted". By default a trusted certificate must be stored
+locally and must be a root CA: any certificate chain ending in this CA
+is then usable for any purpose.
+
+Trust settings currently are only used with a root CA. They allow a finer
+control over the purposes the root CA can be used for. For example a CA
+may be trusted for SSL client but not SSL server use.
+
+See the description of the B<verify> utility for more information on the
+meaning of trust settings.
+
+Future versions of OpenSSL will recognize trust settings on any
+certificate: not just root CAs.
+
+
+=over 4
+
+=item B<-trustout>
+
+this causes B<x509> to output a B<trusted> certificate. An ordinary
+or trusted certificate can be input but by default an ordinary
+certificate is output and any trust settings are discarded. With the
+B<-trustout> option a trusted certificate is output. A trusted
+certificate is automatically output if any trust settings are modified.
+
+=item B<-setalias arg>
+
+sets the alias of the certificate. This will allow the certificate
+to be referred to using a nickname for example "Steve's Certificate".
+
+=item B<-alias>
+
+outputs the certificate alias, if any.
+
+=item B<-clrtrust>
+
+clears all the permitted or trusted uses of the certificate.
+
+=item B<-clrreject>
+
+clears all the prohibited or rejected uses of the certificate.
+
+=item B<-addtrust arg>
+
+adds a trusted certificate use. Any object name can be used here
+but currently only B<clientAuth> (SSL client use), B<serverAuth>
+(SSL server use) and B<emailProtection> (S/MIME email) are used.
+Other OpenSSL applications may define additional uses.
+
+=item B<-addreject arg>
+
+adds a prohibited use. It accepts the same values as the B<-addtrust>
+option.
+
+=item B<-purpose>
+
+this option performs tests on the certificate extensions and outputs
+the results. For a more complete description see the B<CERTIFICATE
+EXTENSIONS> section.
+
+=back
+
+=head1 SIGNING OPTIONS
+
+The B<x509> utility can be used to sign certificates and requests: it
+can thus behave like a "mini CA".
+
+=over 4
+
+=item B<-signkey filename>
+
+this option causes the input file to be self signed using the supplied
+private key. 
+
+If the input file is a certificate it sets the issuer name to the
+subject name (i.e.  makes it self signed) changes the public key to the
+supplied value and changes the start and end dates. The start date is
+set to the current time and the end date is set to a value determined
+by the B<-days> option. Any certificate extensions are retained unless
+the B<-clrext> option is supplied.
+
+If the input is a certificate request then a self signed certificate
+is created using the supplied private key using the subject name in
+the request.
+
+=item B<-clrext>
+
+delete any extensions from a certificate. This option is used when a
+certificate is being created from another certificate (for example with
+the B<-signkey> or the B<-CA> options). Normally all extensions are
+retained.
+
+=item B<-keyform PEM|DER>
+
+specifies the format (DER or PEM) of the private key file used in the
+B<-signkey> option.
+
+=item B<-days arg>
+
+specifies the number of days to make a certificate valid for. The default
+is 30 days.
+
+=item B<-x509toreq>
+
+converts a certificate into a certificate request. The B<-signkey> option
+is used to pass the required private key.
+
+=item B<-req>
+
+by default a certificate is expected on input. With this option a
+certificate request is expected instead.
+
+=item B<-CA filename>
+
+specifies the CA certificate to be used for signing. When this option is
+present B<x509> behaves like a "mini CA". The input file is signed by this
+CA using this option: that is its issuer name is set to the subject name
+of the CA and it is digitally signed using the CAs private key.
+
+This option is normally combined with the B<-req> option. Without the
+B<-req> option the input is a certificate which must be self signed.
+
+=item B<-CAkey filename>
+
+sets the CA private key to sign a certificate with. If this option is
+not specified then it is assumed that the CA private key is present in
+the CA certificate file.
+
+=item B<-CAserial filename>
+
+sets the CA serial number file to use.
+
+When the B<-CA> option is used to sign a certificate it uses a serial
+number specified in a file. This file consist of one line containing
+an even number of hex digits with the serial number to use. After each
+use the serial number is incremented and written out to the file again.
+
+The default filename consists of the CA certificate file base name with
+".srl" appended. For example if the CA certificate file is called 
+"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
+
+=item B<-CAcreateserial filename>
+
+with this option the CA serial number file is created if it does not exist:
+it will contain the serial number "02" and the certificate being signed will
+have the 1 as its serial number. Normally if the B<-CA> option is specified
+and the serial number file does not exist it is an error.
+
+=item B<-extfile filename>
+
+file containing certificate extensions to use. If not specified then
+no extensions are added to the certificate.
+
+=item B<-extensions section>
+
+the section to add certificate extensions from. If this option is not
+specified then the extensions should either be contained in the unnamed
+(default) section or the default section should contain a variable called
+"extensions" which contains the section to use.
+
+=back
+
+=head1 EXAMPLES
+
+Note: in these examples the '\' means the example should be all on one
+line.
+
+Display the contents of a certificate:
+
+ openssl x509 -in cert.pem -noout -text
+
+Display the certificate serial number:
+
+ openssl x509 -in cert.pem -noout -serial
+
+Display the certificate MD5 fingerprint:
+
+ openssl x509 -in cert.pem -noout -fingerprint
+
+Display the certificate SHA1 fingerprint:
+
+ openssl x509 -sha1 -in cert.pem -noout -fingerprint
+
+Convert a certificate from PEM to DER format:
+
+ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
+
+Convert a certificate to a certificate request:
+
+ openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+
+Convert a certificate request into a self signed certificate using
+extensions for a CA:
+
+ openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
+	-signkey key.pem -out cacert.pem
+
+Sign a certificate request using the CA certificate above and add user
+certificate extensions:
+
+ openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
+	-CA cacert.pem -CAkey key.pem -CAcreateserial
+
+
+Set a certificate to be trusted for SSL client use and change set its alias to
+"Steve's Class 1 CA"
+
+ openssl x509 -in cert.pem -addtrust sslclient \
+	-alias "Steve's Class 1 CA" -out trust.pem
+
+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
+Trusted certificates have the lines
+
+ -----BEGIN TRUSTED CERTIFICATE----
+ -----END TRUSTED CERTIFICATE----
+
+The B<-fingerprint> option takes the digest of the DER encoded certificate.
+This is commonly called a "fingerprint". Because of the nature of message
+digests the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+
+The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
+
+=head1 CERTIFICATE EXTENSIONS
+
+The B<-purpose> option checks the certificate extensions and determines
+what the certificate can be used for. The actual checks done are rather
+complex and include various hacks and workarounds to handle broken
+certificates and software.
+
+The same code is used when verifying untrusted certificates in chains
+so this section is useful if a chain is rejected by the verify code.
+
+The basicConstraints extension CA flag is used to determine whether the
+certificate can be used as a CA. If the CA flag is true then it is a CA,
+if the CA flag is false then it is not a CA. B<All> CAs should have the
+CA flag set to true.
+
+If the basicConstraints extension is absent then the certificate is
+considered to be a "possible CA" other extensions are checked according
+to the intended use of the certificate. A warning is given in this case
+because the certificate should really not be regarded as a CA: however
+it is allowed to be a CA to work around some broken software.
+
+If the certificate is a V1 certificate (and thus has no extensions) and
+it is self signed it is also assumed to be a CA but a warning is again
+given: this is to work around the problem of Verisign roots which are V1
+self signed certificates.
+
+If the keyUsage extension is present then additional restraints are
+made on the uses of the certificate. A CA certificate B<must> have the
+keyCertSign bit set if the keyUsage extension is present.
+
+The extended key usage extension places additional restrictions on the
+certificate uses. If this extension is present (whether critical or not)
+the key can only be used for the purposes specified.
+
+A complete description of each test is given below. The comments about
+basicConstraints and keyUsage and V1 certificates above apply to B<all>
+CA certificates.
+
+
+=over 4
+
+=item B<SSL Client>
+
+The extended key usage extension must be absent or include the "web client
+authentication" OID.  keyUsage must be absent or it must have the
+digitalSignature bit set. Netscape certificate type must be absent or it must
+have the SSL client bit set.
+
+=item B<SSL Client CA>
+
+The extended key usage extension must be absent or include the "web client
+authentication" OID. Netscape certificate type must be absent or it must have
+the SSL CA bit set: this is used as a work around if the basicConstraints
+extension is absent.
+
+=item B<SSL Server>
+
+The extended key usage extension must be absent or include the "web server
+authentication" and/or one of the SGC OIDs.  keyUsage must be absent or it
+must have the digitalSignature, the keyEncipherment set or both bits set.
+Netscape certificate type must be absent or have the SSL server bit set.
+
+=item B<SSL Server CA>
+
+The extended key usage extension must be absent or include the "web server
+authentication" and/or one of the SGC OIDs.  Netscape certificate type must
+be absent or the SSL CA bit must be set: this is used as a work around if the
+basicConstraints extension is absent.
+
+=item B<Netscape SSL Server>
+
+For Netscape SSL clients to connect to an SSL server it must have the
+keyEncipherment bit set if the keyUsage extension is present. This isn't
+always valid because some cipher suites use the key for digital signing.
+Otherwise it is the same as a normal SSL server.
+
+=item B<Common S/MIME Client Tests>
+
+The extended key usage extension must be absent or include the "email
+protection" OID. Netscape certificate type must be absent or should have the
+S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
+then the SSL client bit is tolerated as an alternative but a warning is shown:
+this is because some Verisign certificates don't set the S/MIME bit.
+
+=item B<S/MIME Signing>
+
+In addition to the common S/MIME client tests the digitalSignature bit must
+be set if the keyUsage extension is present.
+
+=item B<S/MIME Encryption>
+
+In addition to the common S/MIME tests the keyEncipherment bit must be set
+if the keyUsage extension is present.
+
+=item B<S/MIME CA>
+
+The extended key usage extension must be absent or include the "email
+protection" OID. Netscape certificate type must be absent or must have the
+S/MIME CA bit set: this is used as a work around if the basicConstraints
+extension is absent. 
+
+=item B<CRL Signing>
+
+The keyUsage extension must be absent or it must have the CRL signing bit
+set.
+
+=item B<CRL Signing CA>
+
+The normal CA tests apply. Except in this case the basicConstraints extension
+must be present.
+
+=back
+
+=head1 BUGS
+
+The way DNs are printed is in a "historical SSLeay" format which doesn't
+follow any published standard. It should follow some standard like RFC2253
+or RFC1779 with options to make the stuff more readable.
+
+Extensions in certificates are not transferred to certificate requests and
+vice versa.
+
+It is possible to produce invalid certificates or requests by specifying the
+wrong private key or using inconsistent options in some cases: these should
+be checked.
+
+There should be options to explicitly set such things as start and end
+dates rather than an offset from the current time.
+
+The code to implement the verify behaviour described in the B<TRUST SETTINGS>
+is currently being developed. It thus describes the intended behavior rather
+than the current behaviour. It is hoped that it will represent reality in
+OpenSSL 0.9.5 and later.
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>
+
+=cut
diff --git a/crypto/openssl/doc/c-indentation.el b/crypto/openssl/doc/c-indentation.el
new file mode 100644
index 0000000..9111450
--- /dev/null
+++ b/crypto/openssl/doc/c-indentation.el
@@ -0,0 +1,45 @@
+; This Emacs Lisp file defines a C indentation style that closely
+; follows most aspects of the one that is used throughout SSLeay,
+; and hence in OpenSSL.
+; 
+; This definition is for the "CC mode" package, which is the default
+; mode for editing C source files in Emacs 20, not for the older
+; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;
+; Copy the definition in your .emacs file or use M-x eval-buffer.
+; To activate this indentation style, visit a C file, type
+; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;
+; Apparently statement blocks that are not introduced by a statement
+; such as "if" and that are not the body of a function cannot
+; be handled too well by CC mode with this indentation style.
+; The style defined below does not indent them at all.
+; To insert tabs manually, prefix them with ^Q (the "quoted-insert"
+; command of Emacs).  If you know a solution to this problem
+; or find other problems with this indentation style definition,
+; please send e-mail to bodo@openssl.org.
+
+(c-add-style "eay"
+	     '((c-basic-offset . 8)
+	       (c-comment-only-line-offset . 0)
+	       (c-hanging-braces-alist)
+	       (c-offsets-alist	. ((defun-open . +)
+				   (defun-block-intro . 0)
+				   (class-open . +)
+				   (class-close . +)
+				   (block-open . 0)
+				   (block-close . 0)
+				   (substatement-open . +)
+				   (statement . 0)
+				   (statement-block-intro . 0)
+				   (statement-case-open . +)
+				   (statement-case-intro . +)
+				   (case-label . -)
+				   (label . -)
+				   (arglist-cont-nonempty . +)
+				   (topmost-intro . -)
+				   (brace-list-close . +)
+				   (brace-list-intro . +)
+				   ))))
+
diff --git a/crypto/openssl/doc/crypto.pod b/crypto/openssl/doc/crypto.pod
new file mode 100644
index 0000000..9c8a143
--- /dev/null
+++ b/crypto/openssl/doc/crypto.pod
@@ -0,0 +1,27 @@
+
+=pod
+
+=head1 NAME
+
+Crypto - OpenSSL Cryptography library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<crypto> library implements various cryptography standards
+related to the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
+(TLS v1) protocols. It provides a rich API which is documented here.
+
+...
+
+=head1 SEE ALSO
+
+openssl(1), ssl(3)
+
+=head1 HISTORY
+
+The crypto(3) document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/crypto/openssl/doc/crypto/BN_CTX_new.pod b/crypto/openssl/doc/crypto/BN_CTX_new.pod
new file mode 100644
index 0000000..c94d8c6
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_CTX_new.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+BN_CTX_new, BN_CTX_init, BN_CTX_free - allocate and free BN_CTX structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_CTX *BN_CTX_new(void);
+
+ void BN_CTX_init(BN_CTX *c);
+
+ void BN_CTX_free(BN_CTX *c);
+
+=head1 DESCRIPTION
+
+A B<BN_CTX> is a structure that holds B<BIGNUM> temporary variables used by
+library functions. Since dynamic memory allocation to create B<BIGNUM>s
+is rather expensive when used in conjunction with repeated subroutine
+calls, the B<BN_CTX> structure is used.
+
+BN_CTX_new() allocates and initializes a B<BN_CTX>
+structure. BN_CTX_init() initializes an existing uninitialized
+B<BN_CTX>.
+
+BN_CTX_free() frees the components of the B<BN_CTX>, and if it was
+created by BN_CTX_new(), also the structure itself.
+If L<BN_CTX_start(3)|BN_CTX_start(3)> has been used on the B<BN_CTX>,
+L<BN_CTX_end(3)|BN_CTX_end(3)> must be called before the B<BN_CTX>
+may be freed by BN_CTX_free().
+
+
+=head1 RETURN VALUES
+
+BN_CTX_new() returns a pointer to the B<BN_CTX>. If the allocation fails,
+it returns B<NULL> and sets an error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_CTX_init() and BN_CTX_free() have no return values.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_start(3)|BN_CTX_start(3)>
+
+=head1 HISTORY
+
+BN_CTX_new() and BN_CTX_free() are available in all versions on SSLeay
+and OpenSSL. BN_CTX_init() was added in SSLeay 0.9.1b.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_CTX_start.pod b/crypto/openssl/doc/crypto/BN_CTX_start.pod
new file mode 100644
index 0000000..c30552b
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_CTX_start.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+BN_CTX_start, BN_CTX_get, BN_CTX_end - use temporary BIGNUM variables
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ void BN_CTX_start(BN_CTX *ctx);
+
+ BIGNUM *BN_CTX_get(BN_CTX *ctx);
+
+ void BN_CTX_end(BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+These functions are used to obtain temporary B<BIGNUM> variables from
+a B<BN_CTX> in order to save the overhead of repeatedly creating and
+freeing B<BIGNUM>s in functions that are called from inside a loop.
+
+A function must call BN_CTX_start() first. Then, BN_CTX_get() may be
+called repeatedly to obtain temporary B<BIGNUM>s. All BN_CTX_get()
+calls must be made before calling any other functions that use the
+B<ctx> as an argument.
+
+Finally, BN_CTX_end() must be called before returning from the function.
+When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
+BN_CTX_get() become invalid.
+
+=head1 RETURN VALUES
+
+BN_CTX_start() and BN_CTX_end() return no values.
+
+BN_CTX_get() returns a pointer to the B<BIGNUM>, or B<NULL> on error.
+Once BN_CTX_get() has failed, the subsequent calls will return B<NULL>
+as well, so it is sufficient to check the return value of the last
+BN_CTX_get() call. In case of an error, an error code is set, which
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+
+=head1 SEE ALSO
+
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+BN_CTX_start(), BN_CTX_get() and BN_CTX_end() were added in OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_add.pod b/crypto/openssl/doc/crypto/BN_add.pod
new file mode 100644
index 0000000..0541d45
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_add.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+BN_add, BN_sub, BN_mul, BN_div, BN_sqr, BN_mod, BN_mod_mul, BN_exp,
+BN_mod_exp, BN_gcd - arithmetic operations on BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+
+ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+
+ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
+         BN_CTX *ctx);
+
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+
+ int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+         const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_add() adds B<a> and B<b> and places the result in B<r> (C<r=a+b>).
+B<r> may be the same B<BIGNUM> as B<a> or B<b>.
+
+BN_sub() subtracts B<b> from B<a> and places the result in B<r> (C<r=a-b>).
+
+BN_mul() multiplies B<a> and B<b> and places the result in B<r> (C<r=a*b>).
+B<r> may be the same B<BIGNUM> as B<a> or B<b>.
+For multiplication by powers of 2, use L<BN_lshift(3)|BN_lshift(3)>.
+
+BN_div() divides B<a> by B<d> and places the result in B<dv> and the
+remainder in B<rem> (C<dv=a/d, rem=a%d>). Either of B<dv> and B<rem> may
+be NULL, in which case the respective value is not returned.
+For division by powers of 2, use BN_rshift(3).
+
+BN_sqr() takes the square of B<a> and places the result in B<r>
+(C<r=a^2>). B<r> and B<a> may be the same B<BIGNUM>.
+This function is faster than BN_mul(r,a,a).
+
+BN_mod() find the remainder of B<a> divided by B<m> and places it in
+B<rem> (C<rem=a%m>).
+
+BN_mod_mul() multiplies B<a> by B<b> and finds the remainder when
+divided by B<m> (C<r=(a*b)%m>). B<r> may be the same B<BIGNUM> as B<a>
+or B<b>. For a more efficient algorithm, see
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>; for repeated
+computations using the same modulus, see L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>.
+
+BN_exp() raises B<a> to the B<p>-th power and places the result in B<r>
+(C<r=a^p>). This function is faster than repeated applications of
+BN_mul().
+
+BN_mod_exp() computes B<a> to the B<p>-th power modulo B<m> (C<r=a^p %
+m>). This function uses less time and space than BN_exp().
+
+BN_gcd() computes the greatest common divisor of B<a> and B<b> and
+places the result in B<r>. B<r> may be the same B<BIGNUM> as B<a> or
+B<b>.
+
+For all functions, B<ctx> is a previously allocated B<BN_CTX> used for
+temporary variables; see L<BN_CTX_new(3)|BN_CTX_new(3)>.
+
+Unless noted otherwise, the result B<BIGNUM> must be different from
+the arguments.
+
+=head1 RETURN VALUES
+
+For all functions, 1 is returned for success, 0 on error. The return
+value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
+
+=head1 HISTORY
+
+BN_add(), BN_sub(), BN_div(), BN_sqr(), BN_mod(), BN_mod_mul(),
+BN_mod_exp() and BN_gcd() are available in all versions of SSLeay and
+OpenSSL. The B<ctx> argument to BN_mul() was added in SSLeay
+0.9.1b. BN_exp() appeared in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_add_word.pod b/crypto/openssl/doc/crypto/BN_add_word.pod
new file mode 100644
index 0000000..66bedfb
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_add_word.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word - arithmetic
+functions on BIGNUMs with integers
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_add_word(BIGNUM *a, BN_ULONG w);
+
+ int BN_sub_word(BIGNUM *a, BN_ULONG w);
+
+ int BN_mul_word(BIGNUM *a, BN_ULONG w);
+
+ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+
+ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+
+=head1 DESCRIPTION
+
+These functions perform arithmetic operations on BIGNUMs with unsigned
+integers. They are much more efficient than the normal BIGNUM
+arithmetic operations.
+
+BN_add_word() adds B<w> to B<a> (C<a+=w>).
+
+BN_sub_word() subtracts B<w> from B<a> (C<a-=w>).
+
+BN_mul_word() multiplies B<a> and B<w> (C<a*=b>).
+
+BN_div_word() divides B<a> by B<w> (C<a/=w>) and returns the remainder.
+
+BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%m>).
+
+For BN_div_word() and BN_mod_word(), B<w> must not be 0.
+
+=head1 RETURN VALUES
+
+BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
+on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_mod_word() and BN_div_word() return B<a>%B<w>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_add_word() and BN_mod_word() are available in all versions of
+SSLeay and OpenSSL. BN_div_word() was added in SSLeay 0.8, and
+BN_sub_word() and BN_mul_word() in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_bn2bin.pod b/crypto/openssl/doc/crypto/BN_bn2bin.pod
new file mode 100644
index 0000000..05f9e62
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_bn2bin.pod
@@ -0,0 +1,95 @@
+=pod
+
+=head1 NAME
+
+BN_bn2bin, BN_bin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn,
+BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn - format conversions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+
+ char *BN_bn2hex(const BIGNUM *a);
+ char *BN_bn2dec(const BIGNUM *a);
+ int BN_hex2bn(BIGNUM **a, const char *str);
+ int BN_dec2bn(BIGNUM **a, const char *str);
+
+ int BN_print(BIO *fp, const BIGNUM *a);
+ int BN_print_fp(FILE *fp, const BIGNUM *a);
+
+ int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
+
+=head1 DESCRIPTION
+
+BN_bn2bin() converts the absolute value of B<a> into big-endian form
+and stores it at B<to>. B<to> must point to BN_num_bytes(B<a>) bytes of
+memory.
+
+BN_bin2bn() converts the positive integer in big-endian form of length
+B<len> at B<s> into a B<BIGNUM> and places it in B<ret>. If B<ret> is
+NULL, a new B<BIGNUM> is created.
+
+BN_bn2hex() and BN_bn2dec() return printable strings containing the
+hexadecimal and decimal encoding of B<a> respectively. For negative
+numbers, the string is prefaced with a leading '-'. The string must be
+Free()d later.
+
+BN_hex2bn() converts the string B<str> containing a hexadecimal number
+to a B<BIGNUM> and stores it in **B<bn>. If *B<bn> is NULL, a new
+B<BIGNUM> is created. If B<bn> is NULL, it only computes the number's
+length in hexadecimal digits. If the string starts with '-', the
+number is negative. BN_dec2bn() is the same using the decimal system.
+
+BN_print() and BN_print_fp() write the hexadecimal encoding of B<a>,
+with a leading '-' for negative numbers, to the B<BIO> or B<FILE>
+B<fp>.
+
+BN_bn2mpi() and BN_mpi2bn() convert B<BIGNUM>s from and to a format
+that consists of the number's length in bytes represented as a 3-byte
+big-endian number, and the number itself in big-endian format, where
+the most significant bit signals a negative number (the representation
+of numbers with the MSB set is prefixed with null byte).
+
+BN_bn2mpi() stores the representation of B<a> at B<to>, where B<to>
+must be large enough to hold the result. The size can be determined by
+calling BN_bn2mpi(B<a>, NULL).
+
+BN_mpi2bn() converts the B<len> bytes long representation at B<s> to
+a B<BIGNUM> and stores it at B<ret>, or in a newly allocated B<BIGNUM>
+if B<ret> is NULL.
+
+=head1 RETURN VALUES
+
+BN_bn2bin() returns the length of the big-endian number placed at B<to>.
+BN_bin2bn() returns the B<BIGNUM>, NULL on error.
+
+BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
+on error. BN_hex2bn() and BN_dec2bn() return the number's length in
+hexadecimal or decimal digits, and 0 on error.
+
+BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
+
+BN_bn2mpi() returns the length of the representation. BN_mpi2bn()
+returns the B<BIGNUM>, and NULL on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_zero(3)|BN_zero(3)>,
+L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
+L<BN_num_bytes(3)|BN_num_bytes(3)>
+
+=head1 HISTORY
+
+BN_bn2bin(), BN_bin2bn(), BN_print_fp() and BN_print() are available
+in all versions of SSLeay and OpenSSL.
+
+BN_bn2hex(), BN_bn2dec(), BN_hex2bn(), BN_dec2bn(), BN_bn2mpi() and
+BN_mpi2bn() were added in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_cmp.pod b/crypto/openssl/doc/crypto/BN_cmp.pod
new file mode 100644
index 0000000..23e9ed0
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_cmp.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_cmp(BIGNUM *a, BIGNUM *b);
+ int BN_ucmp(BIGNUM *a, BIGNUM *b);
+
+ int BN_is_zero(BIGNUM *a);
+ int BN_is_one(BIGNUM *a);
+ int BN_is_word(BIGNUM *a, BN_ULONG w);
+ int BN_is_odd(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_cmp() compares the numbers B<a> and B<b>. BN_ucmp() compares their
+absolute values.
+
+BN_is_zero(), BN_is_one() and BN_is_word() test if B<a> equals 0, 1,
+or B<w> respectively. BN_is_odd() tests if a is odd.
+
+BN_is_zero(), BN_is_one(), BN_is_word() and BN_is_odd() are macros.
+
+=head1 RETURN VALUES
+
+BN_cmp() returns -1 if B<a> E<lt> B<b>, 0 if B<a> == B<b> and 1 if
+B<a> E<gt> B<b>. BN_ucmp() is the same using the absolute values
+of B<a> and B<b>.
+
+BN_is_zero(), BN_is_one() BN_is_word() and BN_is_odd() return 1 if
+the condition is true, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_cmp(), BN_ucmp(), BN_is_zero(), BN_is_one() and BN_is_word() are
+available in all versions of SSLeay and OpenSSL.
+BN_is_odd() was added in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_copy.pod b/crypto/openssl/doc/crypto/BN_copy.pod
new file mode 100644
index 0000000..8ad25e7
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_copy.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+BN_copy, BN_dup - copy BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_copy(BIGNUM *to, const BIGNUM *from);
+
+ BIGNUM *BN_dup(const BIGNUM *from);
+
+=head1 DESCRIPTION
+
+BN_copy() copies B<from> to B<to>. BN_dup() creates a new B<BIGNUM>
+containing the value B<from>.
+
+=head1 RETURN VALUES
+
+BN_copy() returns B<to> on success, NULL on error. BN_dup() returns
+the new B<BIGNUM>, and NULL on error. The error codes can be obtained
+by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+BN_copy() and BN_dup() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_generate_prime.pod b/crypto/openssl/doc/crypto/BN_generate_prime.pod
new file mode 100644
index 0000000..638f651
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_generate_prime.pod
@@ -0,0 +1,102 @@
+=pod
+
+=head1 NAME
+
+BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - generate primes and test for primality
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
+     BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
+
+ int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, 
+     void *), BN_CTX *ctx, void *cb_arg);
+
+ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
+     void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg,
+     int do_trial_division);
+
+=head1 DESCRIPTION
+
+BN_generate_prime() generates a pseudo-random prime number of B<num>
+bits.
+If B<ret> is not B<NULL>, it will be used to store the number.
+
+If B<callback> is not B<NULL>, it is called as follows:
+
+=over 4
+
+=item *
+
+B<callback(0, i, cb_arg)> is called after generating the i-th
+potential prime number.
+
+=item *
+
+While the number is being tested for primality, B<callback(1, j,
+cb_arg)> is called as described below.
+
+=item *
+
+When a prime has been found, B<callback(2, i, cb_arg)> is called.
+
+=back
+
+The prime may have to fulfill additional requirements for use in
+Diffie-Hellman key exchange:
+
+If B<add> is not B<NULL>, the prime will fulfill the condition p % B<add>
+== B<rem> (p % B<add> == 1 if B<rem> == B<NULL>) in order to suit a given
+generator.
+
+If B<safe> is true, it will be a safe prime (i.e. a prime p so
+that (p-1)/2 is also prime).
+
+The PRNG must be seeded prior to calling BN_generate_prime().
+The prime number generation has a negligible error probability.
+
+BN_is_prime() and BN_is_prime_fasttest() test if the number B<a> is
+prime.  The following tests are performed until one of them shows that
+B<a> is composite; if B<a> passes all these tests, it is considered
+prime.
+
+BN_is_prime_fasttest(), when called with B<do_trial_division == 1>,
+first attempts trial division by a number of small primes;
+if no divisors are found by this test and B<callback> is not B<NULL>,
+B<callback(1, -1, cb_arg)> is called.
+If B<do_trial_division == 0>, this test is skipped.
+
+Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin
+probabilistic primality test with B<checks> iterations. If
+B<checks == BN_prime_check>, a number of iterations is used that
+yields a false positive rate of at most 2^-80 for random input.
+
+If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called
+after the j-th iteration (j = 0, 1, ...). B<ctx> is a
+pre-allocated B<BN_CTX> (to save the overhead of allocating and
+freeing the structure in a loop), or B<NULL>.
+
+=head1 RETURN VALUES
+
+BN_generate_prime() returns the prime number on success, B<NULL> otherwise.
+
+BN_is_prime() returns 0 if the number is composite, 1 if it is
+prime with an error probability of less than 0.25^B<checks>, and
+-1 on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+The B<cb_arg> arguments to BN_generate_prime() and to BN_is_prime()
+were added in SSLeay 0.9.0. The B<ret> argument to BN_generate_prime()
+was added in SSLeay 0.9.1.
+BN_is_prime_fasttest() was added in OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_mod_inverse.pod b/crypto/openssl/doc/crypto/BN_mod_inverse.pod
new file mode 100644
index 0000000..49e62da
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_mod_inverse.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+BN_mod_inverse - compute inverse modulo n
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
+           BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_mod_inverse() computes the inverse of B<a> modulo B<n>
+places the result in B<r> (C<(a*r)%n==1>). If B<r> is NULL,
+a new B<BIGNUM> is created.
+
+B<ctx> is a previously allocated B<BN_CTX> used for temporary
+variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
+
+=head1 RETURN VALUES
+
+BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and
+NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_mod_inverse() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod
new file mode 100644
index 0000000..0f0c137
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod
@@ -0,0 +1,95 @@
+=pod
+
+=head1 NAME
+
+BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_init,
+BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy,
+BN_from_montgomery, BN_to_montgomery - Montgomery multiplication
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_MONT_CTX *BN_MONT_CTX_new(void);
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+
+ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
+ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+
+ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+         BN_MONT_CTX *mont, BN_CTX *ctx);
+
+ int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+ int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+These functions implement Montgomery multiplication. They are used
+automatically when L<BN_mod_exp(3)|BN_mod_exp(3)> is called with suitable input,
+but they may be useful when several operations are to be performed
+using the same modulus.
+
+BN_MONT_CTX_new() allocates and initializes a B<BN_MONT_CTX> structure.
+BN_MONT_CTX_init() initializes an existing uninitialized B<BN_MONT_CTX>.
+
+BN_MONT_CTX_set() sets up the B<mont> structure from the modulus B<m>
+by precomputing its inverse and a value R.
+
+BN_MONT_CTX_copy() copies the B<N_MONT_CTX> B<from> to B<to>.
+
+BN_MONT_CTX_free() frees the components of the B<BN_MONT_CTX>, and, if
+it was created by BN_MONT_CTX_new(), also the structure itself.
+
+BN_mod_mul_montgomery() computes Mont(B<a>,B<b>):=B<a>*B<b>*R^-1 and places
+the result in B<r>.
+
+BN_from_montgomery() performs the Montgomery reduction B<r> = B<a>*R^-1.
+
+BN_to_montgomery() computes Mont(B<a>,R^2).
+
+For all functions, B<ctx> is a previously allocated B<BN_CTX> used for
+temporary variables.
+
+The B<BN_MONT_CTX> structure is defined as follows:
+
+ typedef struct bn_mont_ctx_st
+        {
+        int ri;         /* number of bits in R */
+        BIGNUM RR;      /* R^2 (used to convert to Montgomery form) */
+        BIGNUM N;       /* The modulus */
+        BIGNUM Ni;      /* R*(1/R mod N) - N*Ni = 1
+                         * (Ni is only stored for bignum algorithm) */
+        BN_ULONG n0;    /* least significant word of Ni */
+        int flags;
+        } BN_MONT_CTX;
+
+BN_to_montgomery() is a macro.
+
+=head1 RETURN VALUES
+
+BN_MONT_CTX_new() returns the newly allocated B<BN_MONT_CTX>, and NULL
+on error.
+
+BN_MONT_CTX_init() and BN_MONT_CTX_free() have no return values.
+
+For the other functions, 1 is returned for success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+BN_MONT_CTX_new(), BN_MONT_CTX_free(), BN_MONT_CTX_set(),
+BN_mod_mul_montgomery(), BN_from_montgomery() and BN_to_montgomery()
+are available in all versions of SSLeay and OpenSSL.
+
+BN_MONT_CTX_init() and BN_MONT_CTX_copy() were added in SSLeay 0.9.1b.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod
new file mode 100644
index 0000000..32432ce
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+BN_mod_mul_reciprocal, BN_RECP_CTX_new, BN_RECP_CTX_init,
+BN_RECP_CTX_free, BN_RECP_CTX_set - modular multiplication using
+reciprocal
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_RECP_CTX *BN_RECP_CTX_new(void);
+ void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+ void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+
+ int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp,
+        BN_CTX *ctx);
+
+ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_mod_mul_reciprocal() can be used to perform an efficient
+L<BN_mod_mul(3)|BN_mod_mul(3)> operation when the operation will be performed
+repeatedly with the same modulus. It computes B<r>=(B<a>*B<b>)%B<m>
+using B<recp>=1/B<m>, which is set as described below.  B<ctx> is a
+previously allocated B<BN_CTX> used for temporary variables.
+
+BN_RECP_CTX_new() allocates and initializes a B<BN_RECP> structure.
+BN_RECP_CTX_init() initializes an existing uninitialized B<BN_RECP>.
+
+BN_RECP_CTX_free() frees the components of the B<BN_RECP>, and, if it
+was created by BN_RECP_CTX_new(), also the structure itself.
+
+BN_RECP_CTX_set() stores B<m> in B<recp> and sets it up for computing
+1/B<m> and shifting it left by BN_num_bits(B<m>)+1 to make it an
+integer. The result and the number of bits it was shifted left will
+later be stored in B<recp>.
+
+BN_div_recp() divides B<a> by B<m> using B<recp>. It places the quotient
+in B<dv> and the remainder in B<rem>.
+
+The B<BN_RECP_CTX> structure is defined as follows:
+
+ typedef struct bn_recp_ctx_st
+	{
+	BIGNUM N;	/* the divisor */
+	BIGNUM Nr;	/* the reciprocal */
+	int num_bits;
+	int shift;
+	int flags;
+	} BN_RECP_CTX;
+
+It cannot be shared between threads.
+
+=head1 RETURN VALUES
+
+BN_RECP_CTX_new() returns the newly allocated B<BN_RECP_CTX>, and NULL
+on error.
+
+BN_RECP_CTX_init() and BN_RECP_CTX_free() have no return values.
+
+For the other functions, 1 is returned for success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+B<BN_RECP_CTX> was added in SSLeay 0.9.0. Before that, the function
+BN_reciprocal() was used instead, and the BN_mod_mul_reciprocal()
+arguments were different.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_new.pod b/crypto/openssl/doc/crypto/BN_new.pod
new file mode 100644
index 0000000..c1394ff
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_new.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_new(void);
+
+ void BN_init(BIGNUM *);
+
+ void BN_clear(BIGNUM *a);
+
+ void BN_free(BIGNUM *a);
+
+ void BN_clear_free(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_new() allocated and initializes a B<BIGNUM> structure. BN_init()
+initializes an existing uninitialized B<BIGNUM>.
+
+BN_clear() is used to destroy sensitive data such as keys when they
+are no longer needed. It erases the memory used by B<a> and sets it
+to the value 0.
+
+BN_free() frees the components of the B<BIGNUM>, and if it was created
+by BN_new(), also the structure itself. BN_clear_free() additionally
+overwrites the data before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+BN_new() returns a pointer to the B<BIGNUM>. If the allocation fails,
+it returns B<NULL> and sets an error code that can be obtained
+by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_init(), BN_clear(), BN_free() and BN_clear_free() have no return
+values.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+BN_new(), BN_clear(), BN_free() and BN_clear_free() are available in
+all versions on SSLeay and OpenSSL.  BN_init() was added in SSLeay
+0.9.1b.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_num_bytes.pod b/crypto/openssl/doc/crypto/BN_num_bytes.pod
new file mode 100644
index 0000000..61589fb
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_num_bytes.pod
@@ -0,0 +1,37 @@
+=pod
+
+=head1 NAME
+
+BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_num_bytes(const BIGNUM *a);
+
+ int BN_num_bits(const BIGNUM *a);
+
+ int BN_num_bits_word(BN_ULONG w);
+
+=head1 DESCRIPTION
+
+These functions return the size of a B<BIGNUM> in bytes or bits,
+and the size of an unsigned integer in bits.
+
+BN_num_bytes() is a macro.
+
+=head1 RETURN VALUES
+
+The size.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_num_bytes(), BN_num_bits() and BN_num_bits_word() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod
new file mode 100644
index 0000000..33363c9
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_rand.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+BN_rand, BN_pseudo_rand - generate pseudo-random number
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+=head1 DESCRIPTION
+
+BN_rand() generates a cryptographically strong pseudo-random number of
+B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
+two most significant bits of the number will be set to 1, so that the
+product of two such random numbers will always have 2*B<bits> length.
+If B<bottom> is true, the number will be odd.
+
+BN_pseudo_rand() does the same, but pseudo-random numbers generated by
+this function are not necessarily unpredictable. They can be used for
+non-cryptographic purposes and for certain purposes in cryptographic
+protocols, but usually not for key generation etc.
+
+The PRNG must be seeded prior to calling BN_rand().
+
+=head1 RETURN VALUES
+
+BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
+
+=head1 HISTORY
+
+BN_rand() is available in all versions of SSLeay and OpenSSL.
+BN_pseudo_rand() was added in OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_set_bit.pod b/crypto/openssl/doc/crypto/BN_set_bit.pod
new file mode 100644
index 0000000..b7c47b9
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_set_bit.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift,
+BN_lshift1, BN_rshift, BN_rshift1 - bit operations on BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_set_bit(BIGNUM *a, int n);
+ int BN_clear_bit(BIGNUM *a, int n);
+
+ int BN_is_bit_set(const BIGNUM *a, int n);
+
+ int BN_mask_bits(BIGNUM *a, int n);
+
+ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+ int BN_lshift1(BIGNUM *r, BIGNUM *a);
+
+ int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+ int BN_rshift1(BIGNUM *r, BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_set_bit() sets bit B<n> in B<a> to 1 (C<a|=(1E<lt>E<lt>n)>). The
+number is expanded if necessary.
+
+BN_clear_bit() sets bit B<n> in B<a> to 0 (C<a&=~(1E<lt>E<lt>n)>). An
+error occurs if B<a> is shorter than B<n> bits.
+
+BN_is_bit_set() tests if bit B<n> in B<a> is set.
+
+BN_mask_bits() truncates B<a> to an B<n> bit number
+(C<a&=~((~0)E<gt>E<gt>n)>).  An error occurs if B<a> already is
+shorter than B<n> bits.
+
+BN_lshift() shifts B<a> left by B<n> bits and places the result in
+B<r> (C<r=a*2^n>). BN_lshift1() shifts B<a> left by one and places
+the result in B<r> (C<r=2*a>).
+
+BN_rshift() shifts B<a> right by B<n> bits and places the result in
+B<r> (C<r=a/2^n>). BN_rshift1() shifts B<a> right by one and places
+the result in B<r> (C<r=a/2>).
+
+For the shift functions, B<r> and B<a> may be the same variable.
+
+=head1 RETURN VALUES
+
+BN_is_bit_set() returns 1 if the bit is set, 0 otherwise.
+
+All other functions return 1 for success, 0 on error. The error codes
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_set_bit(), BN_clear_bit(), BN_is_bit_set(), BN_mask_bits(),
+BN_lshift(), BN_lshift1(), BN_rshift(), and BN_rshift1() are available
+in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_zero.pod b/crypto/openssl/doc/crypto/BN_zero.pod
new file mode 100644
index 0000000..165fd9a
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_zero.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+BN_zero, BN_one, BN_set_word, BN_get_word - BIGNUM assignment operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_zero(BIGNUM *a);
+ int BN_one(BIGNUM *a);
+
+ BIGNUM *BN_value_one(void);
+
+ int BN_set_word(BIGNUM *a, unsigned long w);
+ unsigned long BN_get_word(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_zero(), BN_one() and BN_set_word() set B<a> to the values 0, 1 and
+B<w> respectively.  BN_zero() and BN_one() are macros.
+
+BN_value_one() returns a B<BIGNUM> constant of value 1. This constant
+is useful for use in comparisons and assignment.
+
+BN_get_word() returns B<a>, if it can be represented as an unsigned
+long.
+
+=head1 RETURN VALUES
+
+BN_get_word() returns the value B<a>, and 0xffffffffL if B<a> cannot
+be represented as an unsigned long.
+
+BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise.
+BN_value_one() returns the constant.
+
+=head1 BUGS
+
+Someone might change the constant.
+
+If a B<BIGNUM> is equal to 0xffffffffL it can be represented as an
+unsigned long but this value is also returned on error.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+
+=head1 HISTORY
+
+BN_zero(), BN_one() and BN_set_word() are available in all versions of
+SSLeay and OpenSSL. BN_value_one() and BN_get_word() were added in
+SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/CRYPTO_set_ex_data.pod b/crypto/openssl/doc/crypto/CRYPTO_set_ex_data.pod
new file mode 100644
index 0000000..1bd5bed
--- /dev/null
+++ b/crypto/openssl/doc/crypto/CRYPTO_set_ex_data.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+CRYPTO_set_ex_data, CRYPTO_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg);
+
+ void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+These functions should only be used by applications to manipulate
+B<CRYPTO_EX_DATA> structures passed to the B<new_func()>, B<free_func()> and
+B<dup_func()> callbacks: as passed to B<RSA_get_ex_new_index()> for example.
+
+B<CRYPTO_set_ex_data()> is used to set application specific data, the data is
+supplied in the B<arg> parameter and its precise meaning is up to the
+application.
+
+B<CRYPTO_get_ex_data()> is used to retrieve application specific data. The data
+is returned to the application, this will be the same value as supplied to
+a previous B<CRYPTO_set_ex_data()> call.
+
+=head1 RETURN VALUES
+
+B<CRYPTO_set_ex_data()> returns 1 on success or 0 on failure.
+
+B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may also
+be valid application data but currently it can only fail if given an invalid B<idx>
+parameter.
+
+On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
+L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>
+
+=head1 HISTORY
+
+CRYPTO_set_ex_data() and CRYPTO_get_ex_data() have been available since SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_generate_key.pod b/crypto/openssl/doc/crypto/DH_generate_key.pod
new file mode 100644
index 0000000..920995b
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_generate_key.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_generate_key(DH *dh);
+
+ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+=head1 DESCRIPTION
+
+DH_generate_key() performs the first step of a Diffie-Hellman key
+exchange by generating private and public DH values. By calling
+DH_compute_key(), these are combined with the other party's public
+value to compute the shared key.
+
+DH_generate_key() expects B<dh> to contain the shared parameters
+B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
+unless B<dh-E<gt>priv_key> is already set, and computes the
+corresponding public value B<dh-E<gt>pub_key>, which can then be
+published.
+
+DH_compute_key() computes the shared secret from the private DH value
+in B<dh> and the other party's public value in B<pub_key> and stores
+it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
+
+=head1 RETURN VALUES
+
+DH_generate_key() returns 1 on success, 0 otherwise.
+
+DH_compute_key() returns the size of the shared secret on success, -1
+on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+
+=head1 HISTORY
+
+DH_generate_key() and DH_compute_key() are available in all versions
+of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_generate_parameters.pod b/crypto/openssl/doc/crypto/DH_generate_parameters.pod
new file mode 100644
index 0000000..a7d0c75
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_generate_parameters.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+DH_generate_parameters, DH_check - generate and check Diffie-Hellman parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *DH_generate_parameters(int prime_len, int generator,
+     void (*callback)(int, int, void *), void *cb_arg);
+
+ int DH_check(DH *dh, int *codes);
+
+=head1 DESCRIPTION
+
+DH_generate_parameters() generates Diffie-Hellman parameters that can
+be shared among a group of users, and returns them in a newly
+allocated B<DH> structure. The pseudo-random number generator must be
+seeded prior to calling DH_generate_parameters().
+
+B<prime_len> is the length in bits of the safe prime to be generated.
+B<generator> is a small number E<gt> 1, typically 2 or 5. 
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+number is generated, and when a prime has been found, B<callback(3,
+0, cb_arg)> is called.
+
+DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
+a safe prime, and that B<g> is a suitable generator. In the case of an
+error, the bit flags DH_CHECK_P_NOT_SAFE_PRIME or
+DH_NOT_SUITABLE_GENERATOR are set in B<*codes>.
+DH_UNABLE_TO_CHECK_GENERATOR is set if the generator cannot be
+checked, i.e. it does not equal 2 or 5.
+
+=head1 RETURN VALUES
+
+DH_generate_parameters() returns a pointer to the DH structure, or
+NULL if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+DH_check() returns 1 if the check could be performed, 0 otherwise.
+
+=head1 NOTES
+
+DH_generate_parameters() may run for several hours before finding a
+suitable prime.
+
+The parameters generated by DH_generate_parameters() are not to be
+used in signature schemes.
+
+=head1 BUGS
+
+If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not
+a usable generator.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+
+=head1 HISTORY
+
+DH_check() is available in all versions of SSLeay and OpenSSL.
+The B<cb_arg> argument to DH_generate_parameters() was added in SSLeay 0.9.0.
+
+In versions before OpenSSL 0.9.5, DH_CHECK_P_NOT_STRONG_PRIME is used
+instead of DH_CHECK_P_NOT_SAFE_PRIME.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod
new file mode 100644
index 0000000..82e2548
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_get_ex_new_index(long argl, void *argp,
+		CRYPTO_EX_new *new_func,
+		CRYPTO_EX_dup *dup_func,
+		CRYPTO_EX_free *free_func);
+
+ int DH_set_ex_data(DH *d, int idx, void *arg);
+
+ char *DH_get_ex_data(DH *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DH
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
+
+=head1 HISTORY
+
+DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_new.pod b/crypto/openssl/doc/crypto/DH_new.pod
new file mode 100644
index 0000000..64624b9
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_new.pod
@@ -0,0 +1,40 @@
+=pod
+
+=head1 NAME
+
+DH_new, DH_free - allocate and free DH objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH* DH_new(void);
+
+ void DH_free(DH *dh);
+
+=head1 DESCRIPTION
+
+DH_new() allocates and initializes a B<DH> structure.
+
+DH_free() frees the B<DH> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DH_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+DH_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_new() and DH_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_set_method.pod b/crypto/openssl/doc/crypto/DH_set_method.pod
new file mode 100644
index 0000000..a8f75bd
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_set_method.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+DH_set_default_method, DH_get_default_method, DH_set_method,
+DH_new_method, DH_OpenSSL - select DH method
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ void DH_set_default_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_get_default_method(void);
+
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+
+ DH *DH_new_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DH_OpenSSL() returns a pointer to that method.
+
+DH_set_default_method() makes B<meth> the default method for all B<DH>
+structures created later.
+
+DH_get_default_method() returns a pointer to the current default
+method.
+
+DH_set_method() selects B<meth> for all operations using the structure B<dh>.
+
+DH_get_method() returns a pointer to the method currently selected
+for B<dh>.
+
+DH_new_method() allocates and initializes a B<DH> structure so that
+B<method> will be used for the DH operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DH_METHOD STRUCTURE
+
+ typedef struct dh_meth_st
+ {
+     /* name of the implementation */
+	const char *name;
+
+     /* generate private and public DH values for key agreement */
+        int (*generate_key)(DH *dh);
+
+     /* compute shared secret */
+        int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+     /* compute r = a ^ p mod m (May be NULL for some implementations) */
+        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+
+     /* called at DH_new */
+        int (*init)(DH *dh);
+
+     /* called at DH_free */
+        int (*finish)(DH *dh);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DH_METHOD;
+
+=head1 RETURN VALUES
+
+DH_OpenSSL(), DH_get_default_method() and DH_get_method() return
+pointers to the respective B<DH_METHOD>s.
+
+DH_set_default_method() returns no value.
+
+DH_set_method() returns a pointer to the B<DH_METHOD> previously
+associated with B<dh>.
+
+DH_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
+
+=head1 HISTORY
+
+DH_set_default_method(), DH_get_default_method(), DH_set_method(),
+DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DH_size.pod b/crypto/openssl/doc/crypto/DH_size.pod
new file mode 100644
index 0000000..97f26fd
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DH_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DH_size - get Diffie-Hellman prime size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_size(DH *dh);
+
+=head1 DESCRIPTION
+
+This function returns the Diffie-Hellman size in bytes. It can be used
+to determine how much memory must be allocated for the shared secret
+computed by DH_compute_key().
+
+B<dh-E<gt>p> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_SIG_new.pod b/crypto/openssl/doc/crypto/DSA_SIG_new.pod
new file mode 100644
index 0000000..6716555
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_SIG_new.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_SIG_new(void);
+
+ void	DSA_SIG_free(DSA_SIG *a);
+
+=head1 DESCRIPTION
+
+DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure.
+
+DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
+values are erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
+error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_SIG_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_do_sign.pod b/crypto/openssl/doc/crypto/DSA_do_sign.pod
new file mode 100644
index 0000000..a24fd57
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_do_sign.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+DSA_do_sign, DSA_do_verify - raw DSA signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+
+ int DSA_do_verify(const unsigned char *dgst, int dgst_len,
+	     DSA_SIG *sig, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_do_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and returns it in a
+newly allocated B<DSA_SIG> structure.
+
+L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
+of the signing operation in case signature generation is
+time-critical.
+
+DSA_do_verify() verifies that the signature B<sig> matches a given
+message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
+key.
+
+=head1 RETURN VALUES
+
+DSA_do_sign() returns the signature, NULL on error.  DSA_do_verify()
+returns 1 for a valid signature, 0 for an incorrect signature and -1
+on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
+L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_dup_DH.pod b/crypto/openssl/doc/crypto/DSA_dup_DH.pod
new file mode 100644
index 0000000..29cb107
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_dup_DH.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_dup_DH - create a DH structure out of DSA structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DH * DSA_dup_DH(DSA *r);
+
+=head1 DESCRIPTION
+
+DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q
+is lost during that conversion, but the resulting DH parameters
+contain its length.
+
+=head1 RETURN VALUE
+
+DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTE
+
+Be careful to avoid small subgroup attacks when using this.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+DSA_dup_DH() was added in OpenSSL 0.9.4.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_generate_key.pod b/crypto/openssl/doc/crypto/DSA_generate_key.pod
new file mode 100644
index 0000000..52890db
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_generate_key.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_key - generate DSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_generate_key(DSA *a);
+
+=head1 DESCRIPTION
+
+DSA_generate_key() expects B<a> to contain DSA parameters. It generates
+a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
+
+The PRNG must be seeded prior to calling DSA_generate_key().
+
+=head1 RETURN VALUE
+
+DSA_generate_key() returns 1 on success, 0 otherwise.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+
+=head1 HISTORY
+
+DSA_generate_key() is available since SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_generate_parameters.pod b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod
new file mode 100644
index 0000000..43f60b0
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod
@@ -0,0 +1,105 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_parameters - generate DSA parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+DSA_generate_parameters() generates primes p and q and a generator g
+for use in the DSA.
+
+B<bits> is the length of the prime to be generated; the DSS allows a
+maximum of 1024 bits.
+
+If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
+generated at random. Otherwise, the seed is used to generate
+them. If the given seed does not yield a prime q, a new random
+seed is chosen and placed at B<seed>.
+
+DSA_generate_parameters() places the iteration count in
+*B<counter_ret> and a counter used for finding a generator in
+*B<h_ret>, unless these are B<NULL>.
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as follows:
+
+=over 4
+
+=item *
+
+When a candidate for q is generated, B<callback(0, m++, cb_arg)> is called
+(m is 0 for the first candidate).
+
+=item *
+
+When a candidate for q has passed a test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While a candidate for q is tested by Miller-Rabin primality tests,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime);
+i is the loop counter (starting at 0).
+
+=item *
+
+When a prime q has been found, B<callback(2, 0, cb_arg)> and
+B<callback(3, 0, cb_arg)> are called.
+
+=item *
+
+Before a candidate for p (other than the first) is generated and tested,
+B<callback(0, counter, cb_arg)> is called.
+
+=item *
+
+When a candidate for p has passed the test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While it is tested by the Miller-Rabin primality test,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime).
+i is the loop counter (starting at 0).
+
+=item *
+
+When p has been found, B<callback(2, 1, cb_arg)> is called.
+
+=item *
+
+When the generator has been found, B<callback(3, 1, cb_arg)> is called.
+
+=back
+
+=head1 RETURN VALUE
+
+DSA_generate_parameters() returns a pointer to the DSA structure, or
+B<NULL> if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Seed lengths E<gt> 20 are not supported.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_free(3)|DSA_free(3)>
+
+=head1 HISTORY
+
+DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg>
+argument was added in SSLeay 0.9.0.
+In versions up to OpenSSL 0.9.4, B<callback(1, ...)> was called
+in the inner loop of the Miller-Rabin test whenever it reached the
+squaring step (the parameters to B<callback> did not reveal how many
+witnesses had been tested); since OpenSSL 0.9.5, B<callback(1, ...)>
+is called as in BN_is_prime(3), i.e. once for each witness.
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_get_ex_new_index.pod b/crypto/openssl/doc/crypto/DSA_get_ex_new_index.pod
new file mode 100644
index 0000000..4612e70
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ int DSA_get_ex_new_index(long argl, void *argp,
+		CRYPTO_EX_new *new_func,
+		CRYPTO_EX_dup *dup_func,
+		CRYPTO_EX_free *free_func);
+
+ int DSA_set_ex_data(DSA *d, int idx, void *arg);
+
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DSA
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
+
+=head1 HISTORY
+
+DSA_get_ex_new_index(), DSA_set_ex_data() and DSA_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_new.pod b/crypto/openssl/doc/crypto/DSA_new.pod
new file mode 100644
index 0000000..7dde544
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_new.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+DSA_new, DSA_free - allocate and free DSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA* DSA_new(void);
+
+ void DSA_free(DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_new() allocates and initializes a B<DSA> structure.
+
+DSA_free() frees the B<DSA> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_new() returns B<NULL> and sets an error
+code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>
+
+=head1 HISTORY
+
+DSA_new() and DSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_set_method.pod b/crypto/openssl/doc/crypto/DSA_set_method.pod
new file mode 100644
index 0000000..edec464
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_set_method.pod
@@ -0,0 +1,112 @@
+=pod
+
+=head1 NAME
+
+DSA_set_default_method, DSA_get_default_method, DSA_set_method,
+DSA_new_method, DSA_OpenSSL - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_get_default_method(void);
+
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+
+ DSA *DSA_new_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DSA_OpenSSL() returns a pointer to that method.
+
+DSA_set_default_method() makes B<meth> the default method for all B<DSA>
+structures created later.
+
+DSA_get_default_method() returns a pointer to the current default
+method.
+
+DSA_set_method() selects B<meth> for all operations using the structure B<DSA>.
+
+DSA_get_method() returns a pointer to the method currently selected
+for B<DSA>.
+
+DSA_new_method() allocates and initializes a B<DSA> structure so that
+B<method> will be used for the DSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DSA_METHOD STRUCTURE
+
+struct
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* sign */
+	DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
+                                 DSA *dsa);
+
+     /* pre-compute k^-1 and r */
+	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+                                 BIGNUM **rp);
+
+     /* verify */
+	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+                                 DSA_SIG *sig, DSA *dsa);
+
+     /* compute rr = a1^p1 * a2^p2 mod m (May be NULL for some
+                                          implementations) */
+	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                                 BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+     /* compute r = a ^ p mod m (May be NULL for some implementations) */
+        int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                                 const BIGNUM *p, const BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at DSA_new */
+        int (*init)(DSA *DSA);
+
+     /* called at DSA_free */
+        int (*finish)(DSA *DSA);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DSA_METHOD;
+
+=head1 RETURN VALUES
+
+DSA_OpenSSL(), DSA_get_default_method() and DSA_get_method() return
+pointers to the respective B<DSA_METHOD>s.
+
+DSA_set_default_method() returns no value.
+
+DSA_set_method() returns a pointer to the B<DSA_METHOD> previously
+associated with B<dsa>.
+
+DSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
+fails. Otherwise it returns a pointer to the newly allocated
+structure.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
+
+=head1 HISTORY
+
+DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
+DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_sign.pod b/crypto/openssl/doc/crypto/DSA_sign.pod
new file mode 100644
index 0000000..f6e60a8
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_sign.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int	DSA_sign(int type, const unsigned char *dgst, int len,
+		unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+
+ int	DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+
+ int	DSA_verify(int type, const unsigned char *dgst, int len,
+		unsigned char *sigbuf, int siglen, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
+encoding at B<sigret>. The length of the signature is places in
+*B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory.
+
+DSA_sign_setup() may be used to precompute part of the signing
+operation in case signature generation is time-critical. It expects
+B<dsa> to contain DSA parameters. It places the precomputed values
+in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
+the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
+be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
+B<ctx> is a pre-allocated B<BN_CTX> or NULL.
+
+DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<dgst> of size B<len>.
+B<dsa> is the signer's public key.
+
+The B<type> parameter is ignored.
+
+The PRNG must be seeded before DSA_sign() (or DSA_sign_setup())
+is called.
+
+=head1 RETURN VALUES
+
+DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
+DSA_verify() returns 1 for a valid signature, 0 for an incorrect
+signature and -1 on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_sign() and DSA_verify() are available in all versions of SSLeay.
+DSA_sign_setup() was added in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/DSA_size.pod b/crypto/openssl/doc/crypto/DSA_size.pod
new file mode 100644
index 0000000..23b6320
--- /dev/null
+++ b/crypto/openssl/doc/crypto/DSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_size - get DSA signature size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_size(DSA *dsa);
+
+=head1 DESCRIPTION
+
+This function returns the size of an ASN.1 encoded DSA signature in
+bytes. It can be used to determine how much memory must be allocated
+for a DSA signature.
+
+B<dsa-E<gt>q> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_GET_LIB.pod b/crypto/openssl/doc/crypto/ERR_GET_LIB.pod
new file mode 100644
index 0000000..2a129da
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_GET_LIB.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON - get library, function and
+reason code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ int ERR_GET_LIB(unsigned long e);
+
+ int ERR_GET_FUNC(unsigned long e);
+
+ int ERR_GET_REASON(unsigned long e);
+
+=head1 DESCRIPTION
+
+The error code returned by ERR_get_error() consists of a library
+number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC()
+and ERR_GET_REASON() can be used to extract these.
+
+The library number and function code describe where the error
+occurred, the reason code is the information about what went wrong.
+
+Each sub-library of OpenSSL has a unique library number; function and
+reason codes are unique within each sub-library.  Note that different
+libraries may use the same value to signal different functions and
+reasons.
+
+B<ERR_R_...> reason codes such as B<ERR_R_MALLOC_FAILURE> are globally
+unique. However, when checking for sub-library specific reason codes,
+be sure to also compare the library number.
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are macros.
+
+=head1 RETURN VALUES
+
+The library number, function code and reason code respectively.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_clear_error.pod b/crypto/openssl/doc/crypto/ERR_clear_error.pod
new file mode 100644
index 0000000..566e1f4
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_clear_error.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+ERR_clear_error - clear the error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_clear_error(void);
+
+=head1 DESCRIPTION
+
+ERR_clear_error() empties the current thread's error queue.
+
+=head1 RETURN VALUES
+
+ERR_clear_error() has no return value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_clear_error() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_error_string.pod b/crypto/openssl/doc/crypto/ERR_error_string.pod
new file mode 100644
index 0000000..0d24175
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_error_string.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+ERR_error_string - obtain human-readable error message
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ char *ERR_error_string(unsigned long e, char *buf);
+
+ const char *ERR_lib_error_string(unsigned long e);
+ const char *ERR_func_error_string(unsigned long e);
+ const char *ERR_reason_error_string(unsigned long e);
+
+=head1 DESCRIPTION
+
+ERR_error_string() generates a human-readable string representing the
+error code B<e>, and places it at B<buf>. B<buf> must be at least 120
+bytes long. If B<buf> is B<NULL>, the error string is placed in a
+static buffer.
+
+The string will have the following format:
+
+ error:[error code]:[library name]:[function name]:[reason string]
+
+I<error code> is an 8 digit hexadecimal number, I<library name>,
+I<function name> and I<reason string> are ASCII text.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the library name, function
+name and reason string respectively.
+
+The OpenSSL error strings should be loaded by calling
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
+applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+first.
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
+all error codes currently in the queue.
+
+=head1 RETURN VALUES
+
+ERR_error_string() returns a pointer to a static buffer containing the
+string if B<buf == NULL>, B<buf> otherwise.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the strings, and B<NULL> if
+none is registered for the error code.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<ERR_print_errors(3)|ERR_print_errors(3)>
+
+=head1 HISTORY
+
+ERR_error_string() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_get_error.pod b/crypto/openssl/doc/crypto/ERR_get_error.pod
new file mode 100644
index 0000000..75ece00
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_get_error.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+ERR_get_error, ERR_peek_error - obtain error code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ unsigned long ERR_get_error(void);
+ unsigned long ERR_peek_error(void);
+
+ unsigned long ERR_get_error_line(const char **file, int *line);
+ unsigned long ERR_peek_error_line(const char **file, int *line);
+
+ unsigned long ERR_get_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+ unsigned long ERR_peek_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+
+=head1 DESCRIPTION
+
+ERR_get_error() returns the last error code from the thread's error
+queue and removes the entry. This function can be called repeatedly
+until there are no more error codes to return.
+
+ERR_peek_error() returns the last error code from the thread's
+error queue without modifying it.
+
+See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
+location and reason of the error, and
+L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
+messages.
+
+ERR_get_error_line() and ERR_peek_error_line() are the same as the
+above, but they additionally store the file name and line number where
+the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
+
+ERR_get_error_line_data() and ERR_peek_error_line_data() store
+additional data and flags associated with the error code in *B<data>
+and *B<flags>, unless these are B<NULL>. *B<data> contains a string
+if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by Malloc(),
+*B<flags>&B<ERR_TXT_MALLOCED> is true.
+
+=head1 RETURN VALUES
+
+The error code, or 0 if there is no error in the queue.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
+
+=head1 HISTORY
+
+ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
+ERR_peek_error_line() are available in all versions of SSLeay and
+OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
+were added in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_load_crypto_strings.pod b/crypto/openssl/doc/crypto/ERR_load_crypto_strings.pod
new file mode 100644
index 0000000..9bdec75
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_load_crypto_strings.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings -
+load and free error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_crypto_strings(void);
+ void ERR_free_strings(void);
+
+ #include <openssl/ssl.h>
+
+ void SSL_load_error_strings(void);
+
+=head1 DESCRIPTION
+
+ERR_load_crypto_strings() registers the error strings for all
+B<libcrypto> functions. SSL_load_error_strings() does the same,
+but also registers the B<libssl> error strings.
+
+One of these functions should be called before generating
+textual error messages. However, this is not required when memory
+usage is an issue.
+
+ERR_free_strings() frees all previously loaded error strings.
+
+=head1 RETURN VALUES
+
+ERR_load_crypto_strings(), SSL_load_error_strings() and
+ERR_free_strings() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings(), SSL_load_error_strings() and
+ERR_free_strings() are available in all versions of SSLeay and
+OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_load_strings.pod b/crypto/openssl/doc/crypto/ERR_load_strings.pod
new file mode 100644
index 0000000..5acdd0e
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_load_strings.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+ERR_load_strings, ERR_PACK, ERR_get_next_error_library - load
+arbitrary error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
+
+ int ERR_get_next_error_library(void);
+
+ unsigned long ERR_PACK(int lib, int func, int reason);
+
+=head1 DESCRIPTION
+
+ERR_load_strings() registers error strings for library number B<lib>.
+
+B<str> is an array of error string data:
+
+ typedef struct ERR_string_data_st
+ {
+        unsigned long error;
+        char *string;
+ } ERR_STRING_DATA;
+
+The error code is generated from the library number and a function and
+reason code: B<error> = ERR_PACK(B<lib>, B<func>, B<reason>).
+ERR_PACK() is a macro.
+
+The last entry in the array is {0,0}.
+
+ERR_get_next_error_library() can be used to assign library numbers
+to user libraries at runtime.
+
+=head1 RETURN VALUE
+
+ERR_load_strings() returns no value. ERR_PACK() return the error code.
+ERR_get_next_error_library() returns a new library number.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings() and ERR_PACK() are available in all versions
+of SSLeay and OpenSSL. ERR_get_next_error_library() was added in
+SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_print_errors.pod b/crypto/openssl/doc/crypto/ERR_print_errors.pod
new file mode 100644
index 0000000..b100a5f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_print_errors.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_print_errors, ERR_print_errors_fp - print error messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_print_errors(BIO *bp);
+ void ERR_print_errors_fp(FILE *fp);
+
+=head1 DESCRIPTION
+
+ERR_print_errors() is a convenience function that prints the error
+strings for all errors that OpenSSL has recorded to B<bp>, thus
+emptying the error queue.
+
+ERR_print_errors_fp() is the same, except that the output goes to a
+B<FILE>.
+
+
+The error strings will have the following format:
+
+ [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
+
+I<error code> is an 8 digit hexadecimal number. I<library name>,
+I<function name> and I<reason string> are ASCII text, as is I<optional
+text message> if one was set for the respective error code.
+
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+=head1 RETURN VALUES
+
+ERR_print_errors() and ERR_print_errors_fp() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+
+=head1 HISTORY
+
+ERR_print_errors() and ERR_print_errors_fp()
+are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_put_error.pod b/crypto/openssl/doc/crypto/ERR_put_error.pod
new file mode 100644
index 0000000..acd241f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_put_error.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+ERR_put_error, ERR_add_error_data - record an error
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_put_error(int lib, int func, int reason, const char *file,
+         int line);
+
+ void ERR_add_error_data(int num, ...);
+
+=head1 DESCRIPTION
+
+ERR_put_error() adds an error code to the thread's error queue. It
+signals that the error of reason code B<reason> occurred in function
+B<func> of library B<lib>, in line number B<line> of B<file>.
+This function is usually called by a macro.
+
+ERR_add_error_data() associates the concatenation of its B<num> string
+arguments with the error code added last.
+
+L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
+error strings so that the application can a generate human-readable
+error messages for the error code.
+
+=head1 RETURN VALUES
+
+ERR_put_error() and ERR_add_error_data() return
+no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_put_error() is available in all versions of SSLeay and OpenSSL.
+ERR_add_error_data() was added in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ERR_remove_state.pod b/crypto/openssl/doc/crypto/ERR_remove_state.pod
new file mode 100644
index 0000000..ebcdc0f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_remove_state.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+ERR_remove_state - free a thread's error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_remove_state(unsigned long pid);
+
+=head1 DESCRIPTION
+
+ERR_remove_state() frees the error queue associated with thread B<pid>.
+If B<pid> == 0, the current thread will have its error queue removed.
+
+Since error queue data structures are allocated automatically for new
+threads, they must be freed when threads are terminated in oder to
+avoid memory leaks.
+
+=head1 RETURN VALUE
+
+ERR_remove_state() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>
+
+=head1 HISTORY
+
+ERR_remove_state() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
new file mode 100644
index 0000000..345b1dd
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
@@ -0,0 +1,197 @@
+=pod
+
+=head1 NAME
+
+EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal - EVP digest routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
+        unsigned int *s);
+
+ #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+
+ #define EVP_MD_type(e)			((e)->type)
+ #define EVP_MD_pkey_type(e)		((e)->pkey_type)
+ #define EVP_MD_size(e)			((e)->md_size)
+ #define EVP_MD_block_size(e)		((e)->block_size)
+
+ #define EVP_MD_CTX_md(e)		(e)->digest)
+ #define EVP_MD_CTX_size(e)		EVP_MD_size((e)->digest)
+ #define EVP_MD_CTX_block_size(e)	EVP_MD_block_size((e)->digest)
+ #define EVP_MD_CTX_type(e)		EVP_MD_type((e)->digest)
+
+ EVP_MD *EVP_md_null(void);
+ EVP_MD *EVP_md2(void);
+ EVP_MD *EVP_md5(void);
+ EVP_MD *EVP_sha(void);
+ EVP_MD *EVP_sha1(void);
+ EVP_MD *EVP_dss(void);
+ EVP_MD *EVP_dss1(void);
+ EVP_MD *EVP_mdc2(void);
+ EVP_MD *EVP_ripemd160(void);
+
+ const EVP_MD *EVP_get_digestbyname(const char *name);
+ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
+ #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
+
+=head1 DESCRIPTION
+
+The EVP digest routines are a high level interface to message digests.
+
+EVP_DigestInit() initialises a digest context B<ctx> to use a digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+digest context B<ctx>. This funtion can be called several times on the
+same B<ctx> to hash additional data.
+
+EVP_DigestFinal() retrieves the digest value from B<ctx> and places
+it in B<md>. If the B<s> parameter is not NULL then the number of
+bytes of data written (i.e. the length of the digest) will be written
+to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
+After calling EVP_DigestFinal() no additional calls to EVP_DigestUpdate()
+can be made, but EVP_DigestInit() can be called to initialiase a new
+digest operation.
+
+EVP_MD_CTX_copy() can be used to copy the message digest state from
+B<in> to B<out>. This is useful if large amounts of data are to be
+hashed which only differ in the last few bytes.
+
+EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
+when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
+hash.
+
+EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the
+message digest when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure.
+
+EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER
+representing the given message digest when passed an B<EVP_MD> structure.
+For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is
+normally used when setting ASN1 OIDs.
+
+EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
+B<EVP_MD_CTX>.
+
+EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
+with this digest. For example EVP_sha1() is associated with RSA so this will
+return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
+algorithms may not be retained in future versions of OpenSSL.
+
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
+algorithms respectively. The associated signature algorithm is RSA in each case.
+
+EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
+algorithms but using DSS (DSA) for the signature algorithm.
+
+EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
+returns is of zero length.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return an B<EVP_MD> structure when passed a digest name, a digest NID or
+an ASN1_OBJECT structure respectively. The digest table must be initialised
+using, for example, OpenSSL_add_all_digests() for these functions to work.
+
+=head1 RETURN VALUES
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() do not return values.
+
+EVP_MD_CTX_copy() returns 1 if successful or 0 for failure.
+
+EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
+corresponding OBJECT IDENTIFIER or NID_undef if none exists.
+
+EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
+EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
+size in bytes.
+
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
+EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+corresponding EVP_MD structures.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return either an B<EVP_MD> structure or NULL if an error occurs.
+
+=head1 NOTES
+
+The B<EVP> interface to message digests should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the digest used and much more flexible.
+
+SHA1 is the digest of choice for new applications. The other digest algorithms
+are still in common use.
+
+=head1 EXAMPLE
+
+This example digests the data "Test Message\n" and "Hello World\n", using the
+digest name passed on the command line.
+
+ #include <stdio.h>
+ #include <openssl/evp.h>
+
+ main(int argc, char *argv[])
+ {
+ EVP_MD_CTX mdctx;
+ const EVP_MD *md;
+ char mess1[] = "Test Message\n";
+ char mess2[] = "Hello World\n";
+ unsigned char md_value[EVP_MAX_MD_SIZE];
+ int md_len, i;
+
+ OpenSSL_add_all_digests();
+
+ if(!argv[1]) {
+ 	printf("Usage: mdtest digestname\n");
+	exit(1);
+ }
+
+ md = EVP_get_digestbyname(argv[1]);
+
+ if(!md) {
+ 	printf("Unknown message digest %s\n", argv[1]);
+	exit(1);
+ }
+
+ EVP_DigestInit(&mdctx, md);
+ EVP_DigestUpdate(&mdctx, mess1, strlen(mess1));
+ EVP_DigestUpdate(&mdctx, mess2, strlen(mess2));
+ EVP_DigestFinal(&mdctx, md_value, &md_len);
+
+ printf("Digest is: ");
+ for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
+ printf("\n");
+ }
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+The link between digests and signing algorithms results in a situation where
+EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS
+even though they are identical digests.
+
+The size of an B<EVP_MD_CTX> structure is determined at compile time: this results
+in code that must be recompiled if the size of B<EVP_MD_CTX> increases.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
new file mode 100644
index 0000000..77ed4cc
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -0,0 +1,224 @@
+=pod
+
+=head1 NAME
+
+EVP_EncryptInit, EVP_EncryptUpdate, EVP_EncryptFinal - EVP cipher routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+ void EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv, int enc);
+ void EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
+
+ const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
+ #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
+ #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
+
+ #define EVP_CIPHER_nid(e)		((e)->nid)
+ #define EVP_CIPHER_block_size(e)	((e)->block_size)
+ #define EVP_CIPHER_key_length(e)	((e)->key_len)
+ #define EVP_CIPHER_iv_length(e)	((e)->iv_len)
+
+ int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+ #define EVP_CIPHER_CTX_cipher(e)	((e)->cipher)
+ #define EVP_CIPHER_CTX_nid(e)		((e)->cipher->nid)
+ #define EVP_CIPHER_CTX_block_size(e)	((e)->cipher->block_size)
+ #define EVP_CIPHER_CTX_key_length(e)	((e)->cipher->key_len)
+ #define EVP_CIPHER_CTX_iv_length(e)	((e)->cipher->iv_len)
+ #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
+=head1 DESCRIPTION
+
+The EVP cipher routines are a high level interface to certain
+symmetric ciphers.
+
+EVP_EncryptInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type>. B<type> is normally supplied by a function such
+as EVP_des_cbc() . B<key> is the symmetric key to use and B<iv> is the
+IV to use (if necessary), the actual number of bytes used for the
+key and IV depends on the cipher. It is possible to set all parameters
+to NULL except B<type> in an initial call and supply the remaining
+parameters in subsequent calls. This is normally done when the 
+EVP_CIPHER_asn1_to_param() function is called to set the cipher
+parameters from an ASN1 AlgorithmIdentifier and the key from a
+different source.
+
+EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
+writes the encrypted version to B<out>. This function can be called
+multiple times to encrypt successive blocks of data. The amount
+of data written depends on the block alignment of the encrypted data:
+as a result the amount of data written may be anything from zero bytes
+to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
+room.  The actual number of bytes written is placed in B<outl>.
+
+EVP_EncryptFinal() encrypts the "final" data, that is any data that
+remains in a partial block. It uses L<standard block padding|/NOTES> (aka PKCS
+padding). The encrypted final data is written to B<out> which should
+have sufficient space for one cipher block. The number of bytes written
+is placed in B<outl>. After this function is called the encryption operation
+is finished and no further calls to EVP_EncryptUpdate() should be made.
+
+EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
+corresponding decryption operations. EVP_DecryptFinal() will return an
+error code if the final block is not correctly formatted. The parameters
+and restrictions are identical to the encryption operations except that
+the decrypted data buffer B<out> passed to EVP_DecryptUpdate() should
+have sufficient room for (B<inl> + cipher_block_size) bytes unless the
+cipher block size is 1 in which case B<inl> bytes is sufficient.
+
+EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal() are functions
+that can be used for decryption or encryption. The operation performed
+depends on the value of the B<enc> parameter. It should be set to 1 for
+encryption and 0 for decryption.
+
+EVP_CIPHER_CTX_cleanup() clears all information from a cipher context.
+It should be called after all operations using a cipher are complete
+so sensitive information does not remain in memory.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an EVP_CIPHER structure when passed a cipher name, a NID or an
+ASN1_OBJECT structure.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
+passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure.  The actual NID
+value is an internal value which may not have a corresponding OBJECT
+IDENTIFIER.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
+for all ciphers.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
+It will return zero if the cipher does not use an IV.  The constant
+B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
+length for all ciphers.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
+cipher or context. This "type" is the actual NID of the cipher OBJECT
+IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
+128 bit RC2 have the same NID. If the cipher does not have an object
+identifier or does not have ASN1 support this function will return
+B<NID_undef>.
+
+EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
+an B<EVP_CIPHER_CTX> structure.
+
+EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
+on the passed cipher. This will typically include any parameters and an
+IV. The cipher IV (if any) must be set when this call is made. This call
+should be made before the cipher is actually "used" (before any
+EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
+may fail if the cipher does not have any ASN1 support.
+
+EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
+AlgorithmIdentifier "parameter". The precise effect depends on the cipher
+In the case of RC2, for example, it will set the IV and effective key length.
+This function should be called after the base cipher type is set but before
+the key is set. For example EVP_CipherInit() will be called with the IV and
+key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
+EVP_CipherInit() again with all parameters except the key set to NULL. It is
+possible for this function to fail if the cipher does not have any ASN1 support
+or the parameters cannot be set (for example the RC2 effective key length
+does not have an B<EVP_CIPHER> structure).
+
+=head1 RETURN VALUES
+
+EVP_EncryptInit(), EVP_EncryptUpdate() and EVP_EncryptFinal() do not return
+values.
+
+EVP_DecryptInit() and EVP_DecryptUpdate() do not return values.
+EVP_DecryptFinal() returns 0 if the decrypt failed or 1 for success.
+
+EVP_CipherInit() and EVP_CipherUpdate() do not return values.
+EVP_CipherFinal() returns 1 for a decryption failure or 1 for success, if
+the operation is encryption then it always returns 1.
+
+EVP_CIPHER_CTX_cleanup() does not return a value.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an B<EVP_CIPHER> structure or NULL on error.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length or zero if the cipher does not use an IV.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
+OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
+
+EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
+
+EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for 
+success or zero for failure.
+
+=head1 NOTES
+
+Where possible the B<EVP> interface to symmetric ciphers should be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the cipher used and much more flexible.
+
+PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 
+length of the encrypted data a multiple of the block size. Padding is always
+added so if the data is already a multiple of the block size B<n> will equal
+the block size. For example if the block size is 8 and 11 bytes are to be
+encrypted then 5 padding bytes of value 5 will be added.
+
+When decrypting the final block is checked to see if it has the correct form.
+
+Although the decryption operation can produce an error, it is not a strong
+test that the input data or key is correct. A random block has better than
+1 in 256 chance of being of the correct format and problems with the
+input data earlier on will not produce a final decrypt error.
+
+=head1 BUGS
+
+The current B<EVP> cipher interface is not as flexible as it should be. Only
+certain "spot" encryption algorithms can be used for ciphers which have various
+parameters associated with them (RC2, RC5 for example) this is inadequate.
+
+Several of the functions do not return error codes because the software versions
+can never fail. This is not true of hardware versions.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_OpenInit.pod b/crypto/openssl/doc/crypto/EVP_OpenInit.pod
new file mode 100644
index 0000000..9707a4b
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_OpenInit.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal - EVP envelope decryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+		int ekl,unsigned char *iv,EVP_PKEY *priv);
+ void EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+decryption. They decrypt a public key encrypted symmetric key and
+then decrypt data using it.
+
+EVP_OpenInit() initialises a cipher context B<ctx> for decryption
+with cipher B<type>. It decrypts the encrypted symmetric key of length
+B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>.
+The IV is supplied in the B<iv> parameter.
+
+EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
+as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_OpenInit() returns -1 on error or an non zero integer (actually the
+recovered secret key size) if successful.
+
+EVP_SealUpdate() does not return a value.
+
+EVP_SealFinal() returns 0 if the decrypt failed or 1 for success.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_SealInit(3)|EVP_SealInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod
new file mode 100644
index 0000000..1579d11
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ void EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+encryption. They generate a random key and then "envelope" it by
+using public key encryption. Data can then be encrypted using this
+key.
+
+EVP_SealInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type> using a random secret key and IV supplied in
+the B<iv> parameter. B<type> is normally supplied by a function such
+as EVP_des_cbc(). The secret key is encrypted using one or more public
+keys, this allows the same encrypted data to be decrypted using any
+of the corresponding private keys. B<ek> is an array of buffers where
+the public key encrypted secret key will be written, each buffer must
+contain enough room for the corresponding encrypted key: that is
+B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
+size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
+an array of B<npubk> public keys.
+
+EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
+as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_SealInit() returns -1 on error or B<npubk> if successful.
+
+EVP_SealUpdate() and EVP_SealFinal() do not return values.
+
+=head1 NOTES
+
+Because a random secret key is generated the random number generator
+must be seeded before calling EVP_SealInit().
+
+The public key must be RSA because it is the only OpenSSL public key
+algorithm that supports key transport.
+
+Envelope encryption is the usual method of using public key encryption
+on large amounts of data, this is because public key encryption is slow
+but symmetric encryption is fast. So symmetric encryption is used for
+bulk encryption and the small random symmetric key used is transferred
+using public key encryption.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)|EVP_OpenInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_SignInit.pod b/crypto/openssl/doc/crypto/EVP_SignInit.pod
new file mode 100644
index 0000000..bbc9203
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_SignInit.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
+
+ int EVP_PKEY_size(EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature routines are a high level interface to digital
+signatures.
+
+EVP_SignInit() initialises a signing context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
+signature context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
+and places the signature in B<sig>. If the B<s> parameter is not NULL
+then the number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+will be written.  After calling EVP_SignFinal() no additional calls to
+EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialiase
+a new signature operation.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
+signature returned by EVP_SignFinal() may be smaller.
+
+=head1 RETURN VALUES
+
+EVP_SignInit() and EVP_SignUpdate() do not return values.
+
+EVP_SignFinal() returns 1 for success and 0 for failure.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+When signing with DSA private keys the random number generator must be seeded
+or the operation will fail. The random number generator does not need to be
+seeded for RSA signatures.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_VerifyInit.pod b/crypto/openssl/doc/crypto/EVP_VerifyInit.pod
new file mode 100644
index 0000000..3b5e07f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/EVP_VerifyInit.pod
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature verification routines are a high level interface to digital
+signatures.
+
+EVP_VerifyInit() initialises a verification context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as EVP_sha1().
+
+EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
+verification context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
+and against the B<siglen> bytes at B<sigbuf>. After calling EVP_VerifyFinal()
+no additional calls to EVP_VerifyUpdate() can be made, but EVP_VerifyInit()
+can be called to initialiase a new verification operation.
+
+=head1 RETURN VALUES
+
+EVP_VerifyInit() and EVP_VerifyUpdate() do not return values.
+
+EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
+other error occurred.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_SignInit(3)|EVP_SignInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/crypto/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod
new file mode 100644
index 0000000..b0b1058
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_VERSION_NUMBER, SSLeay - get OpenSSL version number
+
+=head1 SYNOPSIS
+
+ #include <openssl/opensslv.h>
+ #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
+
+ #include <openssl/crypto.h>
+ long SSLeay(void);
+
+=head1 DESCRIPTION
+
+OPENSSL_VERSION_NUMBER is a numeric release version identifier:
+
+ MMNNFFRBB major minor fix final beta/patch
+
+for example
+
+ 0x000904100 == 0.9.4 release
+ 0x000905000 == 0.9.5 dev
+
+Versions prior to 0.9.3 have identifiers E<lt> 0x0930.
+For backward compatibility, SSLEAY_VERSION_NUMBER is also defined.
+
+SSLeay() returns this number. The return value can be compared to the
+macro to make sure that the correct version of the library has been
+loaded, especially when using DLLs on Windows systems.
+
+=head1 RETURN VALUE
+
+The version number.
+
+=head1 SEE ALSO
+
+L<crypto(3)|crypto(3)>
+
+=head1 HISTORY
+
+SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
+OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod
new file mode 100644
index 0000000..1300fe1
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+OpenSSL_add_all_algorithms() - add algorithms to internal table
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void OpenSSL_add_all_algorithms(void);
+ void OpenSSL_add_all_ciphers(void);
+ void OpenSSL_add_all_digests(void);
+
+ void EVP_cleanup(void);
+
+=head1 DESCRIPTION
+
+OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
+this table to lookup ciphers via functions such as EVP_get_cipher_byname().
+
+OpenSSL_add_all_digests() adds all digest algorithms to the table.
+
+OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and
+ciphers).
+
+OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including
+password based encryption algorithms.
+
+EVP_cleanup() removes all ciphers and digests from the table.
+
+=head1 RETURN VALUES
+
+None of the functions return a value.
+
+=head1 NOTES
+
+A typical application will will call OpenSSL_add_all_algorithms() initially and
+EVP_cleanup() before exiting.
+
+An application does not need to add algorithms to use them explicitly, for example
+by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
+needs to lookup algorithms.
+
+The cipher and digest lookup functions are used in many parts of the library. If
+the table is not initialised several functions will misbehave and complain they
+cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
+This is a common query in the OpenSSL mailing lists.
+
+Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
+statically linked executable can be quite large. If this is important it is possible
+to just add the required ciphers and digests.
+
+=head1 BUGS
+
+Although the functions do not return error codes it is possible for them to fail.
+This will only happen as a result of a memory allocation failure so this is not
+too much of a problem in practice.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_add.pod b/crypto/openssl/doc/crypto/RAND_add.pod
new file mode 100644
index 0000000..67c66f3
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_add.pod
@@ -0,0 +1,77 @@
+=pod
+
+=head1 NAME
+
+RAND_add, RAND_seed, RAND_status, RAND_event, RAND_screen - add
+entropy to the PRNG
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_seed(const void *buf, int num);
+
+ void RAND_add(const void *buf, int num, double entropy);
+
+ int  RAND_status(void);
+
+ int  RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
+ void RAND_screen(void);
+
+=head1 DESCRIPTION
+
+RAND_add() mixes the B<num> bytes at B<buf> into the PRNG state. Thus,
+if the data at B<buf> are unpredictable to an adversary, this
+increases the uncertainty about the state and makes the PRNG output
+less predictable. Suitable input comes from user interaction (random
+key presses, mouse movements) and certain hardware events. The
+B<entropy> argument is (the lower bound of) an estimate of how much
+randomness is contained in B<buf>, measured in bytes. Details about
+sources of randomness and how to estimate their entropy can be found
+in the literature, e.g. RFC 1750.
+
+RAND_add() may be called with sensitive data such as user entered
+passwords. The seed values cannot be recovered from the PRNG output.
+
+OpenSSL makes sure that the PRNG state is unique for each thread. On
+systems that provide C</dev/urandom>, the randomness device is used
+to seed the PRNG transparently. However, on all other systems, the
+application is responsible for seeding the PRNG by calling RAND_add(),
+L<RAND_egd(3)|RAND_egd(3)>
+or L<RAND_load_file(3)|RAND_load_file(3)>.
+
+RAND_seed() is equivalent to RAND_add() when B<num == entropy>.
+
+RAND_event() collects the entropy from Windows events such as mouse
+movements and other user interaction. It should be called with the
+B<iMsg>, B<wParam> and B<lParam> arguments of I<all> messages sent to
+the window procedure. It will estimate the entropy contained in the
+event message (if any), and add it to the PRNG. The program can then
+process the messages as usual.
+
+The RAND_screen() function is available for the convenience of Windows
+programmers. It adds the current contents of the screen to the PRNG.
+For applications that can catch Windows events, seeding the PRNG by
+calling RAND_event() is a significantly better source of
+randomness. It should be noted that both methods cannot be used on
+servers that run without user interaction.
+
+=head1 RETURN VALUES
+
+RAND_status() and RAND_event() return 1 if the PRNG has been seeded
+with enough data, 0 otherwise.
+
+The other functions do not return values.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_egd(3)|RAND_egd(3)>,
+L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_seed() and RAND_screen() are available in all versions of SSLeay
+and OpenSSL. RAND_add() and RAND_status() have been added in OpenSSL
+0.9.5, RAND_event() in OpenSSL 0.9.5a.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_bytes.pod b/crypto/openssl/doc/crypto/RAND_bytes.pod
new file mode 100644
index 0000000..b6ebd50
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_bytes.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+RAND_bytes, RAND_pseudo_bytes - generate random data
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int RAND_bytes(unsigned char *buf, int num);
+
+ int RAND_pseudo_bytes(unsigned char *buf, int num);
+
+=head1 DESCRIPTION
+
+RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
+into B<buf>. An error occurs if the PRNG has not been seeded with
+enough randomness to ensure an unpredictable byte sequence.
+
+RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
+Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
+unique if they are of sufficient length, but are not necessarily
+unpredictable. They can be used for non-cryptographic purposes and for
+certain purposes in cryptographic protocols, but usually not for key
+generation etc.
+
+=head1 RETURN VALUES
+
+RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+bytes generated are cryptographically strong, 0 otherwise. Both
+functions return -1 if they are not supported by the current RAND
+method.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)>
+
+=head1 HISTORY
+
+RAND_bytes() is available in all versions of SSLeay and OpenSSL.  It
+has a return value since OpenSSL 0.9.5. RAND_pseudo_bytes() was added
+in OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_cleanup.pod b/crypto/openssl/doc/crypto/RAND_cleanup.pod
new file mode 100644
index 0000000..3a8f074
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_cleanup.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+RAND_cleanup - erase the PRNG state
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_cleanup(void);
+
+=head1 DESCRIPTION
+
+RAND_cleanup() erases the memory used by the PRNG.
+
+=head1 RETURN VALUE
+
+RAND_cleanup() returns no value.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_cleanup() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_egd.pod b/crypto/openssl/doc/crypto/RAND_egd.pod
new file mode 100644
index 0000000..a40bd96
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_egd.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+RAND_egd - query entropy gathering daemon
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int RAND_egd(const char *path);
+
+=head1 DESCRIPTION
+
+RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
+
+EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
+Makefile.PL; make; make install> to install). It is run as B<egd>
+I<path>, where I<path> is an absolute path designating a socket. When
+RAND_egd() is called with that path as an argument, it tries to read
+random bytes that EGD has collected. The read is performed in
+non-blocking mode.
+
+=head1 RETURN VALUE
+
+RAND_egd() returns the number of bytes read from the daemon on
+success, and -1 if the connection failed or the daemon did not return
+enough data to fully seed the PRNG.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_egd() is available since OpenSSL 0.9.5.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_load_file.pod b/crypto/openssl/doc/crypto/RAND_load_file.pod
new file mode 100644
index 0000000..8dd700c
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_load_file.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ const char *RAND_file_name(char *buf, int num);
+
+ int RAND_load_file(const char *filename, long max_bytes);
+
+ int RAND_write_file(const char *filename);
+
+=head1 DESCRIPTION
+
+RAND_file_name() generates a default path for the random seed
+file. B<buf> points to a buffer of size B<num> in which to store the
+filename. The seed file is $RANDFILE if that environment variable is
+set, $HOME/.rnd otherwise. If $HOME is not set either, or B<num> is
+too small for the path name, an error occurs.
+
+RAND_load_file() reads a number of bytes from file B<filename> and
+adds them to the PRNG. If B<max_bytes> is non-negative,
+up to to B<max_bytes> are read; starting with OpenSSL 0.9.5,
+if B<max_bytes> is -1, the complete file is read.
+
+RAND_write_file() writes a number of random bytes (currently 1024) to
+file B<filename> which can be used to initialize the PRNG by calling
+RAND_load_file() in a later session.
+
+=head1 RETURN VALUES
+
+RAND_load_file() returns the number of bytes read.
+
+RAND_write_file() returns the number of bytes written, and -1 if the
+bytes written were generated without appropriate seed.
+
+RAND_file_name() returns a pointer to B<buf> on success, and NULL on
+error.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_load_file(), RAND_write_file() and RAND_file_name() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RAND_set_rand_method.pod b/crypto/openssl/doc/crypto/RAND_set_rand_method.pod
new file mode 100644
index 0000000..464eba4
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RAND_set_rand_method.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_set_rand_method(RAND_METHOD *meth);
+
+ RAND_METHOD *RAND_get_rand_method(void);
+
+ RAND_METHOD *RAND_SSLeay(void);
+
+=head1 DESCRIPTION
+
+A B<RAND_METHOD> specifies the functions that OpenSSL uses for random
+number generation. By modifying the method, alternative
+implementations such as hardware RNGs may be used.  Initially, the
+default is to use the OpenSSL internal implementation. RAND_SSLeay()
+returns a pointer to that method.
+
+RAND_set_rand_method() sets the RAND method to B<meth>.
+RAND_get_rand_method() returns a pointer to the current method.
+
+=head1 THE RAND_METHOD STRUCTURE
+
+ typedef struct rand_meth_st
+ {
+        void (*seed)(const void *buf, int num);
+        int (*bytes)(unsigned char *buf, int num);
+        void (*cleanup)(void);
+        void (*add)(const void *buf, int num, int entropy);
+        int (*pseudorand)(unsigned char *buf, int num);
+	int (*status)(void);
+ } RAND_METHOD;
+
+The components point to the implementation of RAND_seed(),
+RAND_bytes(), RAND_cleanup(), RAND_add(), RAND_pseudo_rand()
+and RAND_status().
+Each component may be NULL if the function is not implemented.
+
+=head1 RETURN VALUES
+
+RAND_set_rand_method() returns no value. RAND_get_rand_method() and
+RAND_SSLeay() return pointers to the respective methods.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
+available in all versions of OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_blinding_on.pod b/crypto/openssl/doc/crypto/RSA_blinding_on.pod
new file mode 100644
index 0000000..fd2c69a
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_blinding_on.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+
+ void RSA_blinding_off(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA is vulnerable to timing attacks. In a setup where attackers can
+measure the time of RSA decryption or signature operations, blinding
+must be used to protect the RSA operation from that attack.
+
+RSA_blinding_on() turns blinding on for key B<rsa> and generates a
+random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
+initialized B<BN_CTX>. The random number generator must be seeded
+prior to calling RSA_blinding_on().
+
+RSA_blinding_off() turns blinding off and frees the memory used for
+the blinding factor.
+
+=head1 RETURN VALUES
+
+RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
+
+RSA_blinding_off() returns no value.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RSA_blinding_on() and RSA_blinding_off() appeared in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_check_key.pod b/crypto/openssl/doc/crypto/RSA_check_key.pod
new file mode 100644
index 0000000..79fed75
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_check_key.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+RSA_check_key - validate private RSA keys
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_check_key(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function validates RSA keys. It checks that B<p> and B<q> are
+in fact prime, and that B<n = p*q>.
+
+It also checks that B<d*e = 1 mod (p-1*q-1)>,
+and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
+
+The key's public components may not be B<NULL>.
+
+=head1 RETURN VALUE
+
+RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
+-1 is returned if an error occurs while checking the key.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+RSA_check() appeared in OpenSSL 0.9.4.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_generate_key.pod b/crypto/openssl/doc/crypto/RSA_generate_key.pod
new file mode 100644
index 0000000..fdaddbc
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_generate_key.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+RSA_generate_key - generate RSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+RSA_generate_key() generates a key pair and returns it in a newly
+allocated B<RSA> structure. The pseudo-random number generator must
+be seeded prior to calling RSA_generate_key().
+
+The modulus size will be B<num> bits, and the public exponent will be
+B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
+The exponent is an odd number, typically 3 or 65535.
+
+A callback function may be used to provide feedback about the
+progress of the key generation. If B<callback> is not B<NULL>, it
+will be called as follows:
+
+=over 4
+
+=item *
+
+While a random prime number is generated, it is called as
+described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
+
+=item *
+
+When the n-th randomly generated prime is rejected as not
+suitable for the key, B<callback(2, n, cb_arg)> is called.
+
+=item *
+
+When a random p has been found with p-1 relatively prime to B<e>,
+it is called as B<callback(3, 0, cb_arg)>.
+
+=back
+
+The process is then repeated for prime q with B<callback(3, 1, cb_arg)>.
+
+=head1 RETURN VALUE
+
+If key generation fails, RSA_generate_key() returns B<NULL>; the
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<callback(2, x, cb_arg)> is used with two different meanings.
+
+RSA_generate_key() goes into an infinite loop for illegal input values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+
+=head1 HISTORY
+
+The B<cb_arg> argument was added in SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod b/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod
new file mode 100644
index 0000000..920dc76
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod
@@ -0,0 +1,122 @@
+=pod
+
+=head1 NAME
+
+RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_get_ex_new_index(long argl, void *argp,
+		CRYPTO_EX_new *new_func,
+		CRYPTO_EX_dup *dup_func,
+		CRYPTO_EX_free *free_func);
+
+ int RSA_set_ex_data(RSA *r, int idx, void *arg);
+
+ void *RSA_get_ex_data(RSA *r, int idx);
+
+ int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+
+ void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+
+ int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+					int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+This has several potential uses, it can be used to cache data associated with
+a structure (for example the hash of some part of the structure) or some
+additional data (for example a handle to the data in an external library).
+
+Since the application data can be anything at all it is passed and retrieved
+as a B<void *> type.
+
+The B<RSA_get_ex_new_index()> function is initially called to "register" some
+new application specific data. It takes three optional function pointers which
+are called when the parent structure (in this case an RSA structure) is
+initially created, when it is copied and when it is freed up. If any or all of
+these function pointer arguments are not used they should be set to NULL. The
+precise manner in which these function pointers are called is described in more
+detail below. B<RSA_get_ex_new_index()> also takes additional long and pointer
+parameters which will be passed to the supplied functions but which otherwise
+have no special meaning. It returns an B<index> which should be stored
+(typically in a static variable) and passed used in the B<idx> parameter in
+the remaining functions. Each successful call to B<RSA_get_ex_new_index()>
+will return an index greater than any previously returned, this is important
+because the optional functions are called in order of increasing index value.
+
+B<RSA_set_ex_data()> is used to set application specific data, the data is
+supplied in the B<arg> parameter and its precise meaning is up to the
+application.
+
+B<RSA_get_ex_data()> is used to retrieve application specific data. The data
+is returned to the application, this will be the same value as supplied to
+a previous B<RSA_set_ex_data()> call.
+
+B<new_func()> is called when a structure is initially allocated (for example
+with B<RSA_new()>. The parent structure members will not have any meaningful
+values at this point. This function will typically be used to allocate any
+application specific structure.
+
+B<free_func()> is called when a structure is being freed up. The dynamic parent
+structure members should not be accessed because they will be freed up when
+this function is called.
+
+B<new_func()> and B<free_func()> take the same parameters. B<parent> is a
+pointer to the parent RSA structure. B<ptr> is a the application specific data
+(this wont be of much use in B<new_func()>. B<ad> is a pointer to the
+B<CRYPTO_EX_DATA> structure from the parent RSA structure: the functions
+B<CRYPTO_get_ex_data()> and B<CRYPTO_set_ex_data()> can be called to manipulate
+it. The B<idx> parameter is the index: this will be the same value returned by
+B<RSA_get_ex_new_index()> when the functions were initially registered. Finally
+the B<argl> and B<argp> parameters are the values originally passed to the same
+corresponding parameters when B<RSA_get_ex_new_index()> was called.
+
+B<dup_func()> is called when a structure is being copied. Pointers to the
+destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
+B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
+the source application data when the function is called, when the function returns
+the value is copied to the destination: the application can thus modify the data
+pointed to by B<from_d> and have different values in the source and destination.
+The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
+and B<free_func()>.
+
+=head1 RETURN VALUES
+
+B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
+index value).
+
+B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
+
+B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
+be valid application data but currently it can only fail if given an invalid B<idx>
+parameter.
+
+B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
+
+On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<dup_func()> is currently never called.
+
+The return value of B<new_func()> is ignored.
+
+The B<new_func()> function isn't very useful because no meaningful values are
+present in the parent RSA structure when it is called.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=head1 HISTORY
+
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_new.pod b/crypto/openssl/doc/crypto/RSA_new.pod
new file mode 100644
index 0000000..f16490e
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_new.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+RSA_new, RSA_free - allocate and free RSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+
+ void RSA_free(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_new() allocates and initializes an B<RSA> structure.
+
+RSA_free() frees the B<RSA> structure and its components. The key is
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, RSA_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+RSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_generate_key(3)|RSA_generate_key(3)>
+
+=head1 HISTORY
+
+RSA_new() and RSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/crypto/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
new file mode 100644
index 0000000..b8f678f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -0,0 +1,124 @@
+=pod
+
+=head1 NAME
+
+RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
+RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
+RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
+RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
+padding
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, unsigned char *p, int pl);
+
+ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl);
+
+ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+=head1 DESCRIPTION
+
+The RSA_padding_xxx_xxx() functions are called from the RSA encrypt,
+decrypt, sign and verify functions. Normally they should not be called
+from application programs.
+
+However, they can also be called directly to implement padding for other
+asymmetric ciphers. RSA_padding_add_PKCS1_OAEP() and
+RSA_padding_check_PKCS1_OAEP() may be used in an application combined
+with B<RSA_NO_PADDING> in order to implement OAEP with an encoding
+parameter.
+
+RSA_padding_add_xxx() encodes B<fl> bytes from B<f> so as to fit into
+B<tlen> bytes and stores the result at B<to>. An error occurs if B<fl>
+does not meet the size requirements of the encoding method.
+
+The following encoding methods are implemented:
+
+=over 4
+
+=item PKCS1_type_1
+
+PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
+
+=item PKCS1_type_2
+
+PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
+
+=item PKCS1_OAEP
+
+PKCS #1 v2.0 EME-OAEP
+
+=item SSLv23
+
+PKCS #1 EME-PKCS1-v1_5 with SSL-specific modification
+
+=item none
+
+simply copy the data
+
+=back
+
+The random number generator must be seeded prior to calling
+RSA_padding_add_xxx().
+
+RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain
+a valid encoding for a B<rsa_len> byte RSA key in the respective
+encoding method and stores the recovered data of at most B<tlen> bytes
+(for B<RSA_NO_PADDING>: of size B<tlen>)
+at B<to>.
+
+For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
+of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
+
+=head1 RETURN VALUES
+
+The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
+The RSA_padding_check_xxx() functions return the length of the
+recovered data, -1 on error. Error codes can be obtained by calling
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_padding_add_PKCS1_type_1(), RSA_padding_check_PKCS1_type_1(),
+RSA_padding_add_PKCS1_type_2(), RSA_padding_check_PKCS1_type_2(),
+RSA_padding_add_SSLv23(), RSA_padding_check_SSLv23(),
+RSA_padding_add_none() and RSA_padding_check_none() appeared in
+SSLeay 0.9.0.
+
+RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() were
+added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod
new file mode 100644
index 0000000..dd968a5
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_print.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp - print
+cryptographic parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ #include <openssl/dsa.h>
+
+ int DSAparams_print(BIO *bp, DSA *x);
+ int DSAparams_print_fp(FILE *fp, DSA *x);
+ int DSA_print(BIO *bp, DSA *x, int offset);
+ int DSA_print_fp(FILE *fp, DSA *x, int offset);
+
+ #include <openssl/dh.h>
+
+ int DHparams_print(BIO *bp, DH *x);
+ int DHparams_print_fp(FILE *fp, DH *x);
+
+=head1 DESCRIPTION
+
+A human-readable hexadecimal output of the components of the RSA
+key, DSA parameters or key or DH parameters is printed to B<bp> or B<fp>.
+
+The output lines are indented by B<offset> spaces.
+
+=head1 RETURN VALUES
+
+These functions return 1 on success, 0 on error.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+
+=head1 HISTORY
+
+RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
+DH_print_fp() are available in all versions of SSLeay and OpenSSL.
+DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_private_encrypt.pod b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod
new file mode 100644
index 0000000..6861a98
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+RSA_private_encrypt, RSA_public_decrypt - low level signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+These functions handle RSA signatures at a low level.
+
+RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
+message digest with an algorithm identifier) using the private key
+B<rsa> and stores the signature in B<to>. B<to> must point to
+B<RSA_size(rsa)> bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This function does not handle the
+B<algorithmIdentifier> specified in PKCS #1. When generating or
+verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+used.
+
+=item RSA_NO_PADDING
+
+Raw RSA signature. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Signing user data directly with RSA is insecure.
+
+=back
+
+RSA_public_decrypt() recovers the message digest from the B<flen>
+bytes long signature at B<from> using the signer's public key
+B<rsa>. B<to> must point to a memory section large enough to hold the
+message digest (which is smaller than B<RSA_size(rsa) -
+11>). B<padding> is the padding mode that was used to sign the data.
+
+=head1 RETURN VALUES
+
+RSA_private_encrypt() returns the size of the signature (i.e.,
+RSA_size(rsa)). RSA_public_decrypt() returns the size of the
+recovered message digest.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
new file mode 100644
index 0000000..910c475
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
@@ -0,0 +1,86 @@
+=pod
+
+=head1 NAME
+
+RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_private_decrypt(int flen, unsigned char *from,
+     unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
+session key) using the public key B<rsa> and stores the ciphertext in
+B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This currently is the most widely used mode.
+
+=item RSA_PKCS1_OAEP_PADDING
+
+EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
+encoding parameter. This mode is recommended for all new applications.
+
+=item RSA_SSLV23_PADDING
+
+PKCS #1 v1.5 padding with an SSL-specific modification that denotes
+that the server is SSL3 capable.
+
+=item RSA_NO_PADDING
+
+Raw RSA encryption. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Encrypting user data directly with RSA is insecure.
+
+=back
+
+B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+based padding modes, and less than RSA_size(B<rsa>) - 21 for
+RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
+prior to calling RSA_public_encrypt().
+
+RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
+private key B<rsa> and stores the plaintext in B<to>. B<to> must point
+to a memory section large enough to hold the decrypted data (which is
+smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
+was used to encrypt the data.
+
+=head1 RETURN VALUES
+
+RSA_public_encrypt() returns the size of the encrypted data (i.e.,
+RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
+recovered plaintext.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+
+=head1 NOTES
+
+The L<RSA_PKCS1_RSAref(3)|RSA_PKCS1_RSAref(3)> method supports only the RSA_PKCS1_PADDING mode.
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_set_method.pod b/crypto/openssl/doc/crypto/RSA_set_method.pod
new file mode 100644
index 0000000..14b0b4c
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_set_method.pod
@@ -0,0 +1,154 @@
+=pod
+
+=head1 NAME
+
+RSA_set_default_method, RSA_get_default_method, RSA_set_method,
+RSA_get_method, RSA_PKCS1_SSLeay, RSA_PKCS1_RSAref,
+RSA_PKCS1_null_method, RSA_flags, RSA_new_method - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_default_method(void);
+
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+
+ RSA_METHOD *RSA_null_method(void);
+
+ int RSA_flags(RSA *rsa);
+
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+=head1 DESCRIPTION
+
+An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation,
+unless OpenSSL was configured with the C<rsaref> or C<-DRSA_NULL>
+options. RSA_PKCS1_SSLeay() returns a pointer to that method.
+
+RSA_PKCS1_RSAref() returns a pointer to a method that uses the RSAref
+library. This is the default method in the C<rsaref> configuration;
+the function is not available in other configurations.
+RSA_null_method() returns a pointer to a method that does not support
+the RSA transformation. It is the default if OpenSSL is compiled with
+C<-DRSA_NULL>. These methods may be useful in the USA because of a
+patent on the RSA cryptosystem.
+
+RSA_set_default_method() makes B<meth> the default method for all B<RSA>
+structures created later.
+
+RSA_get_default_method() returns a pointer to the current default
+method.
+
+RSA_set_method() selects B<meth> for all operations using the key
+B<rsa>.
+
+RSA_get_method() returns a pointer to the method currently selected
+for B<rsa>.
+
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+
+RSA_new_method() allocates and initializes an B<RSA> structure so that
+B<method> will be used for the RSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE RSA_METHOD STRUCTURE
+
+ typedef struct rsa_meth_st
+ {
+     /* name of the implementation */
+	const char *name;
+
+     /* encrypt */
+	int (*rsa_pub_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* verify arbitrary data */
+	int (*rsa_pub_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* sign arbitrary data */
+	int (*rsa_priv_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* decrypt */
+	int (*rsa_priv_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some
+                                        implementations) */
+	int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+
+     /* compute r = a ^ p mod m (May be NULL for some implementations) */
+	int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at RSA_new */
+	int (*init)(RSA *rsa);
+
+     /* called at RSA_free */
+	int (*finish)(RSA *rsa);
+
+     /* RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
+      *                            operations, even if p,q,dmp1,dmq1,iqmp
+      *                            are NULL
+      * RSA_FLAG_SIGN_VER        - enable rsa_sign and rsa_verify
+      * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
+      */
+	int flags;
+
+	char *app_data; /* ?? */
+
+     /* sign. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+     /* verify. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+	int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ } RSA_METHOD;
+
+=head1 RETURN VALUES
+
+RSA_PKCS1_SSLeay(), RSA_PKCS1_RSAref(), RSA_PKCS1_null_method(),
+RSA_get_default_method() and RSA_get_method() return pointers to the
+respective B<RSA_METHOD>s.
+
+RSA_set_default_method() returns no value.
+
+RSA_set_method() returns a pointer to the B<RSA_METHOD> previously
+associated with B<rsa>.
+
+RSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
+
+=head1 HISTORY
+
+RSA_new_method() and RSA_set_default_method() appeared in SSLeay 0.8.
+RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
+well as the rsa_sign and rsa_verify components of RSA_METHOD were
+added in OpenSSL 0.9.4.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod
new file mode 100644
index 0000000..f0bf6ee
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_sign.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+RSA_sign, RSA_verify - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign() signs the message digest B<m> of size B<m_len> using the
+private key B<rsa> as specified in PKCS #1 v2.0. It stores the
+signature in B<sigret> and the signature size in B<siglen>. B<sigret>
+must point to RSA_size(B<rsa>) bytes of memory.
+
+B<type> denotes the message digest algorithm that was used to generate
+B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
+see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
+an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
+and no algorithm identifier) is created.
+
+RSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<m> of size B<m_len>. B<type> denotes
+the message digest algorithm that was used to generate the signature.
+B<rsa> is the signer's public key.
+
+=head1 RETURN VALUES
+
+RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
+on successful verification, 0 otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Certain signatures with an improper algorithm identifier are accepted
+for compatibility with SSLeay 0.4.5 :-)
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> 
+
+=head1 HISTORY
+
+RSA_sign() and RSA_verify() are available in all versions of SSLeay
+and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
new file mode 100644
index 0000000..df9ceb3
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign_ASN1_OCTET_STRING() signs the octet string B<m> of size
+B<m_len> using the private key B<rsa> represented in DER using PKCS #1
+padding. It stores the signature in B<sigret> and the signature size
+in B<siglen>. B<sigret> must point to B<RSA_size(rsa)> bytes of
+memory.
+
+B<dummy> is ignored.
+
+The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
+
+RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
+of size B<siglen> is the DER representation of a given octet string
+B<m> of size B<m_len>. B<dummy> is ignored. B<rsa> is the signer's
+public key.
+
+=head1 RETURN VALUES
+
+RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
+RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
+otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+These functions serve no recognizable purpose.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_sign_ASN1_OCTET_STRING() and RSA_verify_ASN1_OCTET_STRING() were
+added in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/RSA_size.pod b/crypto/openssl/doc/crypto/RSA_size.pod
new file mode 100644
index 0000000..b36b4d5
--- /dev/null
+++ b/crypto/openssl/doc/crypto/RSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+RSA_size - get RSA modulus size
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_size(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function returns the RSA modulus size in bytes. It can be used to
+determine how much memory must be allocated for an RSA encrypted
+value.
+
+B<rsa-E<gt>n> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>
+
+=head1 HISTORY
+
+RSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/blowfish.pod b/crypto/openssl/doc/crypto/blowfish.pod
new file mode 100644
index 0000000..e0b7774
--- /dev/null
+++ b/crypto/openssl/doc/crypto/blowfish.pod
@@ -0,0 +1,109 @@
+=pod
+
+=head1 NAME
+
+blowfish, BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt,
+BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/blowfish.h>
+
+ void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+ void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+ void BF_decrypt(BF_LONG *data,const BF_KEY *key);
+ 
+ void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+         BF_KEY *key, int enc);
+ void BF_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ 	 long length, BF_KEY *schedule, unsigned char *ivec, int enc);
+ void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+ 	 long length, BF_KEY *schedule, unsigned char *ivec, int *num,
+         int enc);
+ void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+ 	 long length, BF_KEY *schedule, unsigned char *ivec, int *num);
+ const char *BF_options(void);
+
+=head1 DESCRIPTION
+
+This library implements the Blowfish cipher, which is invented and described
+by Counterpane (see http://www.counterpane.com/blowfish/ ).
+
+Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
+It uses a variable size key, but typically, 128 bit (16 byte) keys are
+a considered good for strong encryption.  Blowfish can be used in the same
+modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
+of the faster block ciphers.  It is quite a bit faster than DES, and much
+faster than IDEA or RC2.
+
+Blowfish consists of a key setup phase and the actual encryption or decryption
+phase.
+
+BF_set_key() sets up the B<BF_KEY> B<key> using the B<len> bytes long key
+at B<data>.
+
+BF_encrypt() and BF_decrypt() are the lowest level functions for Blowfish
+encryption.  They encrypt/decrypt the first 64 bits of the vector pointed by
+B<data>, using the key B<key>.  These functions should not be used unless you
+implement 'modes' of Blowfish.
+
+BF_ecb_encrypt() is the basic Blowfish encryption and decryption function.
+It encrypts or decrypts the first 64 bits of B<in> using the key B<key>,
+putting the result in B<out>.  B<enc> decides if encryption (B<BF_ENCRYPT>)
+or decryption (B<BF_DECRYPT>) shall be performed.  The vector pointed at by
+B<in> and B<out> must be 64 bits in length, no less.  If they are larger,
+everything after the first 64 bits is ignored.
+
+The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt()
+all operate on variable length data.  They all take an initialisation vector
+B<ivec> which needs to be passed along into the next call of the same function 
+for the same message.  B<ivec> may be initialised with anything, but the
+recipient needs to know what it was initialised with, or it won't be able
+to decrypt.  Some programs and protocols simplify this, like SSH, where
+B<ivec> is simply initialised to zero.
+BF_cbc_encrypt() operates of data that is a multiple of 8 bytes long, while
+BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt an variable
+number of bytes (the amount does not have to be an exact multiple of 8).  The
+purpose of the latter two is to simulate stream ciphers, and therefore, they
+need the parameter B<num>, which is a pointer to an integer where the current
+offset in B<ivec> is stored between calls.  This integer must be initialised
+to zero when B<ivec> is initialised.
+
+BF_cbc_encrypt() is the Cipher Block Chaining function for Blowfish.  It
+encrypts or decrypts the 64 bits chunks of B<in> using the key B<schedule>,
+putting the result in B<out>.  B<enc> decides if encryption (BF_ENCRYPT) or
+decryption (BF_DECRYPT) shall be performed.  B<ivec> must point at an 8 byte
+long initialisation vector.
+
+BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback.
+It encrypts or decrypts the bytes in B<in> using the key B<schedule>,
+putting the result in B<out>.  B<enc> decides if encryption (B<BF_ENCRYPT>)
+or decryption (B<BF_DECRYPT>) shall be performed.  B<ivec> must point at an
+8 byte long initialisation vector. B<num> must point at an integer which must
+be initially zero.
+
+BF_ofb64_encrypt() is the OFB mode for Blowfish with 64 bit feedback.
+It uses the same parameters as BF_cfb64_encrypt(), which must be initialised
+the same way.
+
+=head1 RETURN VALUES
+
+None of the functions presented here return any value.
+
+=head1 NOTE
+
+Applications should use the higher level functions
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> etc. instead of calling the
+blowfish functions directly.
+
+=head1 SEE ALSO
+
+L<des_modes(7)|des_modes(7)>
+
+=head1 HISTORY
+
+The Blowfish functions are available in all versions of SSLeay and OpenSSL.
+
+=cut
+
diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod
new file mode 100644
index 0000000..1504a1c
--- /dev/null
+++ b/crypto/openssl/doc/crypto/bn.pod
@@ -0,0 +1,148 @@
+=pod
+
+=head1 NAME
+
+bn - multiprecision integer arithmetics
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_new(void);
+ void BN_free(BIGNUM *a);
+ void BN_init(BIGNUM *);
+ void BN_clear(BIGNUM *a);
+ void BN_clear_free(BIGNUM *a);
+
+ BN_CTX *BN_CTX_new(void);
+ void BN_CTX_init(BN_CTX *c);
+ void BN_CTX_free(BN_CTX *c);
+
+ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+ BIGNUM *BN_dup(const BIGNUM *a);
+
+ int BN_num_bytes(const BIGNUM *a);
+ int BN_num_bits(const BIGNUM *a);
+ int BN_num_bits_word(BN_ULONG w);
+
+ int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
+         BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+ int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+         const BIGNUM *m, BN_CTX *ctx);
+ int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+ int BN_add_word(BIGNUM *a, BN_ULONG w);
+ int BN_sub_word(BIGNUM *a, BN_ULONG w);
+ int BN_mul_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+
+ int BN_cmp(BIGNUM *a, BIGNUM *b);
+ int BN_ucmp(BIGNUM *a, BIGNUM *b);
+ int BN_is_zero(BIGNUM *a);
+ int BN_is_one(BIGNUM *a);
+ int BN_is_word(BIGNUM *a, BN_ULONG w);
+ int BN_is_odd(BIGNUM *a);
+
+ int BN_zero(BIGNUM *a);
+ int BN_one(BIGNUM *a);
+ BIGNUM *BN_value_one(void);
+ int BN_set_word(BIGNUM *a, unsigned long w);
+ unsigned long BN_get_word(BIGNUM *a);
+
+ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
+         BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
+ int BN_is_prime(const BIGNUM *p, int nchecks,
+         void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
+
+ int BN_set_bit(BIGNUM *a, int n);
+ int BN_clear_bit(BIGNUM *a, int n);
+ int BN_is_bit_set(const BIGNUM *a, int n);
+ int BN_mask_bits(BIGNUM *a, int n);
+ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+ int BN_lshift1(BIGNUM *r, BIGNUM *a);
+ int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+ int BN_rshift1(BIGNUM *r, BIGNUM *a);
+
+ int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+ char *BN_bn2hex(const BIGNUM *a);
+ char *BN_bn2dec(const BIGNUM *a);
+ int BN_hex2bn(BIGNUM **a, const char *str);
+ int BN_dec2bn(BIGNUM **a, const char *str);
+ int BN_print(BIO *fp, const BIGNUM *a);
+ int BN_print_fp(FILE *fp, const BIGNUM *a);
+ int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
+
+ BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
+     BN_CTX *ctx);
+
+ BN_RECP_CTX *BN_RECP_CTX_new(void);
+ void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+ void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+ int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
+
+ BN_MONT_CTX *BN_MONT_CTX_new(void);
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
+ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+         BN_MONT_CTX *mont, BN_CTX *ctx);
+ int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+ int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+
+=head1 DESCRIPTION
+
+This library performs arithmetic operations on integers of arbitrary
+size. It was written for use in public key cryptography, such as RSA
+and Diffie-Hellman.
+
+It uses dynamic memory allocation for storing its data structures.
+That means that there is no limit on the size of the numbers
+manipulated by these functions, but return values must always be
+checked in case a memory allocation error has occurred.
+
+The basic object in this library is a B<BIGNUM>. It is used to hold a
+single large integer. This type should be considered opaque and fields
+should not be modified or accessed directly.
+
+The creation of B<BIGNUM> objects is described in L<BN_new(3)|BN_new(3)>;
+L<BN_add(3)|BN_add(3)> describes most of the arithmetic operations.
+Comparison is described in L<BN_cmp(3)|BN_cmp(3)>; L<BN_zero(3)|BN_zero(3)>
+describes certain assignments, L<BN_rand(3)|BN_rand(3)> the generation of
+random numbers, L<BN_generate_prime(3)|BN_generate_prime(3)> deals with prime
+numbers and L<BN_set_bit(3)|BN_set_bit(3)> with bit operations. The conversion
+of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
+
+=head1 SEE ALSO
+
+L<bn_internal(3)|bn_internal(3)>,
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_copy(3)|BN_copy(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
+L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
+L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
+L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
+L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> 
+
+=cut
diff --git a/crypto/openssl/doc/crypto/bn_internal.pod b/crypto/openssl/doc/crypto/bn_internal.pod
new file mode 100644
index 0000000..5af0c79
--- /dev/null
+++ b/crypto/openssl/doc/crypto/bn_internal.pod
@@ -0,0 +1,225 @@
+=pod
+
+=head1 NAME
+
+bn_mul_words, bn_mul_add_words, bn_sqr_words, bn_div_words,
+bn_add_words, bn_sub_words, bn_mul_comba4, bn_mul_comba8,
+bn_sqr_comba4, bn_sqr_comba8, bn_cmp_words, bn_mul_normal,
+bn_mul_low_normal, bn_mul_recursive, bn_mul_part_recursive,
+bn_mul_low_recursive, bn_mul_high, bn_sqr_normal, bn_sqr_recursive,
+bn_expand, bn_wexpand, bn_expand2, bn_fix_top, bn_check_top,
+bn_print, bn_dump, bn_set_max, bn_set_high, bn_set_low - BIGNUM
+library internal functions
+
+=head1 SYNOPSIS
+
+ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+ BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num,
+   BN_ULONG w);
+ void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+ BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
+   int num);
+ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
+   int num);
+
+ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+ void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a);
+ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a);
+
+ int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n);
+
+ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b,
+   int nb);
+ void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
+ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+   BN_ULONG *tmp);
+ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+   int tn, int n, BN_ULONG *tmp);
+ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+   int n2, BN_ULONG *tmp);
+ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l,
+   int n2, BN_ULONG *tmp);
+
+ void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp);
+ void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *tmp);
+
+ void mul(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
+ void mul_add(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
+ void sqr(BN_ULONG r0, BN_ULONG r1, BN_ULONG a);
+
+ BIGNUM *bn_expand(BIGNUM *a, int bits);
+ BIGNUM *bn_wexpand(BIGNUM *a, int n);
+ BIGNUM *bn_expand2(BIGNUM *a, int n);
+ void bn_fix_top(BIGNUM *a);
+
+ void bn_check_top(BIGNUM *a);
+ void bn_print(BIGNUM *a);
+ void bn_dump(BN_ULONG *d, int n);
+ void bn_set_max(BIGNUM *a);
+ void bn_set_high(BIGNUM *r, BIGNUM *a, int n);
+ void bn_set_low(BIGNUM *r, BIGNUM *a, int n);
+
+=head1 DESCRIPTION
+
+This page documents the internal functions used by the OpenSSL
+B<BIGNUM> implementation. They are described here to facilitate
+debugging and extending the library. They are I<not> to be used by
+applications.
+
+=head2 The BIGNUM structure
+
+ typedef struct bignum_st
+        {
+        int top;      /* index of last used d (most significant word) */
+        BN_ULONG *d;  /* pointer to an array of 'BITS2' bit chunks */
+        int max;      /* size of the d array */
+        int neg;      /* sign */
+        } BIGNUM;
+
+The big number is stored in B<d>, a malloc()ed array of B<BN_ULONG>s,
+least significant first. A B<BN_ULONG> can be either 16, 32 or 64 bits
+in size (B<BITS2>), depending on the 'number of bits' specified in
+C<openssl/bn.h>.
+
+B<max> is the size of the B<d> array that has been allocated.  B<top>
+is the 'last' entry being used, so for a value of 4, bn.d[0]=4 and
+bn.top=1.  B<neg> is 1 if the number is negative.  When a B<BIGNUM> is
+B<0>, the B<d> field can be B<NULL> and B<top> == B<0>.
+
+Various routines in this library require the use of temporary
+B<BIGNUM> variables during their execution.  Since dynamic memory
+allocation to create B<BIGNUM>s is rather expensive when used in
+conjunction with repeated subroutine calls, the B<BN_CTX> structure is
+used.  This structure contains B<BN_CTX_NUM> B<BIGNUM>s, see
+L<BN_CTX_start(3)|BN_CTX_start(3)>.
+
+=head2 Low-level arithmetic operations
+
+These functions are implemented in C and for several platforms in
+assembly language:
+
+bn_mul_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num> word
+arrays B<rp> and B<ap>.  It computes B<ap> * B<w>, places the result
+in B<rp>, and returns the high word (carry).
+
+bn_mul_add_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num>
+word arrays B<rp> and B<ap>.  It computes B<ap> * B<w> + B<rp>, places
+the result in B<rp>, and returns the high word (carry).
+
+bn_sqr_words(B<rp>, B<ap>, B<n>) operates on the B<num> word array
+B<ap> and the 2*B<num> word array B<ap>.  It computes B<ap> * B<ap>
+word-wise, and places the low and high bytes of the result in B<rp>.
+
+bn_div_words(B<h>, B<l>, B<d>) divides the two word number (B<h>,B<l>)
+by B<d> and returns the result.
+
+bn_add_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
+arrays B<ap>, B<bp> and B<rp>.  It computes B<ap> + B<bp>, places the
+result in B<rp>, and returns the high word (carry).
+
+bn_sub_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
+arrays B<ap>, B<bp> and B<rp>.  It computes B<ap> - B<bp>, places the
+result in B<rp>, and returns the carry (1 if B<bp> E<gt> B<ap>, 0
+otherwise).
+
+bn_mul_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
+B<b> and the 8 word array B<r>.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_mul_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
+B<b> and the 16 word array B<r>.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_sqr_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
+B<b> and the 8 word array B<r>.
+
+bn_sqr_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
+B<b> and the 16 word array B<r>.
+
+The following functions are implemented in C:
+
+bn_cmp_words(B<a>, B<b>, B<n>) operates on the B<n> word arrays B<a>
+and B<b>.  It returns 1, 0 and -1 if B<a> is greater than, equal and
+less than B<b>.
+
+bn_mul_normal(B<r>, B<a>, B<na>, B<b>, B<nb>) operates on the B<na>
+word array B<a>, the B<nb> word array B<b> and the B<na>+B<nb> word
+array B<r>.  It computes B<a>*B<b> and places the result in B<r>.
+
+bn_mul_low_normal(B<r>, B<a>, B<b>, B<n>) operates on the B<n> word
+arrays B<r>, B<a> und B<b>.  It computes the B<n> low words of
+B<a>*B<b> and places the result in B<r>.
+
+bn_mul_recursive(B<r>, B<a>, B<b>, B<n2>, B<t>) operates on the B<n2>
+word arrays B<a> and B<b> and the 2*B<n2> word arrays B<r> and B<t>.
+B<n2> must be a power of 2.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_mul_part_recursive(B<r>, B<a>, B<b>, B<tn>, B<n>, B<tmp>) operates
+on the B<n>+B<tn> word arrays B<a> and B<b> and the 4*B<n> word arrays
+B<r> and B<tmp>.
+
+bn_mul_low_recursive(B<r>, B<a>, B<b>, B<n2>, B<tmp>) operates on the
+B<n2> word arrays B<r> and B<tmp> and the B<n2>/2 word arrays B<a>
+and B<b>.
+
+bn_mul_high(B<r>, B<a>, B<b>, B<l>, B<n2>, B<tmp>) operates on the
+B<n2> word arrays B<r>, B<a>, B<b> and B<l> (?) and the 3*B<n2> word
+array B<tmp>.
+
+BN_mul() calls bn_mul_normal(), or an optimized implementation if the
+factors have the same size: bn_mul_comba8() is used if they are 8
+words long, bn_mul_recursive() if they are larger than
+B<BN_MULL_SIZE_NORMAL> and the size is an exact multiple of the word
+size, and bn_mul_part_recursive() for others that are larger than
+B<BN_MULL_SIZE_NORMAL>.
+
+bn_sqr_normal(B<r>, B<a>, B<n>, B<tmp>) operates on the B<n> word array
+B<a> and the 2*B<n> word arrays B<tmp> and B<r>.
+
+The implementations use the following macros which, depending on the
+architecture, may use "long long" C operations or inline assembler.
+They are defined in C<bn_lcl.h>.
+
+mul(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<c> and places the
+low word of the result in B<r> and the high word in B<c>.
+
+mul_add(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<r>+B<c> and
+places the low word of the result in B<r> and the high word in B<c>.
+
+sqr(B<r0>, B<r1>, B<a>) computes B<a>*B<a> and places the low word
+of the result in B<r0> and the high word in B<r1>.
+
+=head2 Size changes
+
+bn_expand() ensures that B<b> has enough space for a B<bits> bit
+number.  bn_wexpand() ensures that B<b> has enough space for an
+B<n> word number.  If the number has to be expanded, both macros
+call bn_expand2(), which allocates a new B<d> array and copies the
+data.  They return B<NULL> on error, B<b> otherwise.
+
+The bn_fix_top() macro reduces B<a-E<gt>top> to point to the most
+significant non-zero word when B<a> has shrunk.
+
+=head2 Debugging
+
+bn_check_top() verifies that C<((a)-E<gt>top E<gt>= 0 && (a)-E<gt>top
+E<lt>= (a)-E<gt>max)>.  A violation will cause the program to abort.
+
+bn_print() prints B<a> to stderr. bn_dump() prints B<n> words at B<d>
+(in reverse order, i.e. most significant word first) to stderr.
+
+bn_set_max() makes B<a> a static number with a B<max> of its current size.
+This is used by bn_set_low() and bn_set_high() to make B<r> a read-only
+B<BIGNUM> that contains the B<n> low or high words of B<a>.
+
+If B<BN_DEBUG> is not defined, bn_check_top(), bn_print(), bn_dump()
+and bn_set_max() are defined as empty macros.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=cut
diff --git a/crypto/openssl/doc/crypto/buffer.pod b/crypto/openssl/doc/crypto/buffer.pod
new file mode 100644
index 0000000..7088f51
--- /dev/null
+++ b/crypto/openssl/doc/crypto/buffer.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+BUF_MEM_new, BUF_MEM_free, BUF_MEM_grow, BUF_strdup - simple
+character arrays structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/buffer.h>
+
+ BUF_MEM *BUF_MEM_new(void);
+
+ void	BUF_MEM_free(BUF_MEM *a);
+
+ int	BUF_MEM_grow(BUF_MEM *str, int len);
+
+ char *	BUF_strdup(const char *str);
+
+=head1 DESCRIPTION
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
+
+The library uses the BUF_MEM structure defined in buffer.h:
+
+ typedef struct buf_mem_st
+ {
+        int length;     /* current number of bytes */
+        char *data;
+        int max;        /* size of buffer */
+ } BUF_MEM;
+
+B<length> is the current size of the buffer in bytes, B<max> is the amount of
+memory allocated to the buffer. There are three functions which handle these
+and one "miscellaneous" function.
+
+BUF_MEM_new() allocates a new buffer of zero size.
+
+BUF_MEM_free() frees up an already existing buffer. The data is zeroed
+before freeing up in case the buffer contains sensitive data.
+
+BUF_MEM_grow() changes the size of an already existing buffer to
+B<len>. Any data already in the buffer is preserved if it increases in
+size.
+
+BUF_strdup() copies a null terminated string into a block of allocated
+memory and returns a pointer to the allocated block.
+Unlike the standard C library strdup() this function uses Malloc() and so
+should be used in preference to the standard library strdup() because it can
+be used for memory leak checking or replacing the malloc() function.
+
+The memory allocated from BUF_strdup() should be freed up using the Free()
+function.
+
+=head1 RETURN VALUES
+
+BUF_MEM_new() returns the buffer or NULL on error.
+
+BUF_MEM_free() has no return value.
+
+BUF_MEM_grow() returns zero on error or the new size (i.e. B<len>).
+
+=head1 SEE ALSO
+
+L<bio(3)|bio(3)>
+
+=head1 HISTORY
+
+BUF_MEM_new(), BUF_MEM_free() and BUF_MEM_grow() are available in all
+versions of SSLeay and OpenSSL. BUF_strdup() was addded in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/crypto.pod b/crypto/openssl/doc/crypto/crypto.pod
new file mode 100644
index 0000000..4b9ceac
--- /dev/null
+++ b/crypto/openssl/doc/crypto/crypto.pod
@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+crypto - OpenSSL cryptographic library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<crypto> library implements a wide range of cryptographic
+algorithms used in various Internet standards. The services provided
+by this library are used by the OpenSSL implementations of SSL, TLS
+and S/MIME, and they have also been used to implement SSH, OpenPGP, and
+other cryptographic standards.
+
+=head1 OVERVIEW
+
+B<libcrypto> consists of a number of sub-libraries that implement the
+individual algorithms.
+
+The functionality includes symmetric encryption, public key
+cryptography and key agreement, certificate handling, cryptographic
+hash functions and a cryptographic pseudo-random number generator.
+
+=over 4
+
+=item SYMMETRIC CIPHERS
+
+L<blowfish(3)|blowfish(3)>, L<cast(3)|cast(3)>, L<des(3)|des(3)>,
+L<idea(3)|idea(3)>, L<rc2(3)|rc2(3)>, L<rc4(3)|rc4(3)>, L<rc5(3)|rc5(3)> 
+
+=item PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT
+
+L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rsa(3)|rsa(3)>
+
+=item CERTIFICATES
+
+L<x509(3)|x509(3)>, L<x509v3(3)|x509v3(3)>
+
+=item AUTHENTICATION CODES, HASH FUNCTIONS
+
+L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>,
+L<ripemd(3)|ripemd(3)>, L<sha(3)|sha(3)> 
+
+=item AUXILIARY FUNCTIONS
+
+L<err(3)|err(3)>, L<threads(3)|threads(3)>, L<rand(3)|rand(3)>
+
+=item INPUT/OUTPUT, DATA ENCODING
+
+L<asn1(3)|asn1(3)>, L<bio(3)|bio(3)>, L<evp(3)|evp(3)>, L<pem(3)|pem(3)>,
+L<pkcs7(3)|pkcs7(3)>, L<pkcs12(3)|pkcs12(3)> 
+
+=item INTERNAL FUNCTIONS
+
+L<bn(3)|bn(3)>, L<buffer(3)|buffer(3)>, L<lhash(3)|lhash(3)>,
+L<objects(3)|objects(3)>, L<stack(3)|stack(3)>,
+L<txt_db(3)|txt_db(3)> 
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)|openssl(1)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/crypto/openssl/doc/crypto/d2i_DHparams.pod b/crypto/openssl/doc/crypto/d2i_DHparams.pod
new file mode 100644
index 0000000..a6d1743
--- /dev/null
+++ b/crypto/openssl/doc/crypto/d2i_DHparams.pod
@@ -0,0 +1,30 @@
+=pod
+
+=head1 NAME
+
+d2i_DHparams, i2d_DHparams - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int i2d_DHparams(DH *a, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod
new file mode 100644
index 0000000..ff4d0d5
--- /dev/null
+++ b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
+
+ RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
+
+ int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+
+ RSA * d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod
new file mode 100644
index 0000000..c553210
--- /dev/null
+++ b/crypto/openssl/doc/crypto/des.pod
@@ -0,0 +1,376 @@
+=pod
+
+=head1 NAME
+
+des_random_key, des_set_key, des_key_sched, des_set_key_checked,
+des_set_key_unchecked, des_set_odd_parity, des_is_weak_key,
+des_ecb_encrypt, des_ecb2_encrypt, des_ecb3_encrypt, des_ncbc_encrypt,
+des_cfb_encrypt, des_ofb_encrypt, des_pcbc_encrypt, des_cfb64_encrypt,
+des_ofb64_encrypt, des_xcbc_encrypt, des_ede2_cbc_encrypt,
+des_ede2_cfb64_encrypt, des_ede2_ofb64_encrypt, des_ede3_cbc_encrypt,
+des_ede3_cbcm_encrypt, des_ede3_cfb64_encrypt, des_ede3_ofb64_encrypt,
+des_read_password, des_read_2passwords, des_read_pw_string,
+des_cbc_cksum, des_quad_cksum, des_string_to_key, des_string_to_2keys,
+des_fcrypt, des_crypt, des_enc_read, des_enc_write - DES encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/des.h>
+
+ void des_random_key(des_cblock *ret);
+
+ int des_set_key(const_des_cblock *key, des_key_schedule schedule);
+ int des_key_sched(const_des_cblock *key, des_key_schedule schedule);
+ int des_set_key_checked(const_des_cblock *key,
+        des_key_schedule schedule);
+ void des_set_key_unchecked(const_des_cblock *key,
+        des_key_schedule schedule);
+
+ void des_set_odd_parity(des_cblock *key);
+ int des_is_weak_key(const_des_cblock *key);
+
+ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks, int enc);
+ void des_ecb2_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks1, des_key_schedule ks2, int enc);
+ void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, int enc);
+
+ void des_ncbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        int enc);
+ void des_cfb_encrypt(const unsigned char *in, unsigned char *out,
+        int numbits, long length, des_key_schedule schedule,
+        des_cblock *ivec, int enc);
+ void des_ofb_encrypt(const unsigned char *in, unsigned char *out,
+        int numbits, long length, des_key_schedule schedule,
+        des_cblock *ivec);
+ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        int enc);
+ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+        long length, des_key_schedule schedule, des_cblock *ivec,
+        int *num, int enc);
+ void des_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+        long length, des_key_schedule schedule, des_cblock *ivec,
+        int *num);
+
+ void des_xcbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        const_des_cblock *inw, const_des_cblock *outw, int enc);
+
+ void des_ede2_cbc_encrypt(const unsigned char *input,
+        unsigned char *output, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int enc);
+ void des_ede2_cfb64_encrypt(const unsigned char *in,
+        unsigned char *out, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int *num, int enc);
+ void des_ede2_ofb64_encrypt(const unsigned char *in,
+        unsigned char *out, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int *num);
+
+ void des_ede3_cbc_encrypt(const unsigned char *input,
+        unsigned char *output, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3, des_cblock *ivec,
+        int enc);
+ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2, 
+        int enc);
+ void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, des_cblock *ivec, int *num, int enc);
+ void des_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, 
+        des_key_schedule ks2, des_key_schedule ks3, 
+        des_cblock *ivec, int *num);
+
+ int des_read_password(des_cblock *key, const char *prompt, int verify);
+ int des_read_2passwords(des_cblock *key1, des_cblock *key2, 
+        const char *prompt, int verify);
+ int des_read_pw_string(char *buf, int length, const char *prompt,
+        int verify);
+
+ DES_LONG des_cbc_cksum(const unsigned char *input, des_cblock *output, 
+        long length, des_key_schedule schedule, 
+        const_des_cblock *ivec);
+ DES_LONG des_quad_cksum(const unsigned char *input, des_cblock output[], 
+        long length, int out_count, des_cblock *seed);
+ void des_string_to_key(const char *str, des_cblock *key);
+ void des_string_to_2keys(const char *str, des_cblock *key1,
+        des_cblock *key2);
+
+ char *des_fcrypt(const char *buf, const char *salt, char *ret);
+ char *des_crypt(const char *buf, const char *salt);
+ char *crypt(const char *buf, const char *salt);
+
+ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
+        des_cblock *iv);
+ int des_enc_write(int fd, const void *buf, int len,
+        des_key_schedule sched, des_cblock *iv);
+
+=head1 DESCRIPTION
+
+This library contains a fast implementation of the DES encryption
+algorithm.
+
+There are two phases to the use of DES encryption.  The first is the
+generation of a I<des_key_schedule> from a key, the second is the
+actual encryption.  A DES key is of type I<des_cblock>. This type is
+consists of 8 bytes with odd parity.  The least significant bit in
+each byte is the parity bit.  The key schedule is an expanded form of
+the key; it is used to speed the encryption process.
+
+des_random_key() generates a random key.  The PRNG must be seeded
+prior to using this function (see L<rand(3)|rand(3)>; for backward
+compatibility the function des_random_seed() is available as well).
+If the PRNG could not generate a secure key, 0 is returned.  In
+earlier versions of the library, des_random_key() did not generate
+secure keys.
+
+Before a DES key can be used, it must be converted into the
+architecture dependant I<des_key_schedule> via the
+des_set_key_checked() or des_set_key_unchecked() function.
+
+des_set_key_checked() will check that the key passed is of odd parity
+and is not a week or semi-weak key.  If the parity is wrong, then -1
+is returned.  If the key is a weak key, then -2 is returned.  If an
+error is returned, the key schedule is not generated.
+
+des_set_key() (called des_key_sched() in the MIT library) works like
+des_set_key_checked() if the I<des_check_key> flag is non-zero,
+otherwise like des_set_key_unchecked().  These functions are available
+for compatibility; it is recommended to use a function that does not
+depend on a global variable.
+
+des_set_odd_parity() (called des_fixup_key_parity() in the MIT
+library) sets the parity of the passed I<key> to odd.
+
+des_is_weak_key() returns 1 is the passed key is a weak key, 0 if it
+is ok.  The probability that a randomly generated key is weak is
+1/2^52, so it is not really worth checking for them.
+
+The following routines mostly operate on an input and output stream of
+I<des_cblock>s.
+
+des_ecb_encrypt() is the basic DES encryption routine that encrypts or
+decrypts a single 8-byte I<des_cblock> in I<electronic code book>
+(ECB) mode.  It always transforms the input data, pointed to by
+I<input>, into the output data, pointed to by the I<output> argument.
+If the I<encrypt> argument is non-zero (DES_ENCRYPT), the I<input>
+(cleartext) is encrypted in to the I<output> (ciphertext) using the
+key_schedule specified by the I<schedule> argument, previously set via
+I<des_set_key>. If I<encrypt> is zero (DES_DECRYPT), the I<input> (now
+ciphertext) is decrypted into the I<output> (now cleartext).  Input
+and output may overlap.  des_ecb_encrypt() does not return a value.
+
+des_ecb3_encrypt() encrypts/decrypts the I<input> block by using
+three-key Triple-DES encryption in ECB mode.  This involves encrypting
+the input with I<ks1>, decrypting with the key schedule I<ks2>, and
+then encrypting with I<ks3>.  This routine greatly reduces the chances
+of brute force breaking of DES and has the advantage of if I<ks1>,
+I<ks2> and I<ks3> are the same, it is equivalent to just encryption
+using ECB mode and I<ks1> as the key.
+
+The macro des_ecb2_encrypt() is provided to perform two-key Triple-DES
+encryption by using I<ks1> for the final encryption.
+
+des_ncbc_encrypt() encrypts/decrypts using the I<cipher-block-chaining>
+(CBC) mode of DES.  If the I<encrypt> argument is non-zero, the
+routine cipher-block-chain encrypts the cleartext data pointed to by
+the I<input> argument into the ciphertext pointed to by the I<output>
+argument, using the key schedule provided by the I<schedule> argument,
+and initialization vector provided by the I<ivec> argument.  If the
+I<length> argument is not an integral multiple of eight bytes, the
+last block is copied to a temporary area and zero filled.  The output
+is always an integral multiple of eight bytes.
+
+des_xcbc_encrypt() is RSA's DESX mode of DES.  It uses I<inw> and
+I<outw> to 'whiten' the encryption.  I<inw> and I<outw> are secret
+(unlike the iv) and are as such, part of the key.  So the key is sort
+of 24 bytes.  This is much better than CBC DES.
+
+des_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
+three keys. This means that each DES operation inside the CBC mode is
+really an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
+
+The des_ede2_cbc_encrypt() macro implements two-key Triple-DES by
+reusing I<ks1> for the final encryption.  C<C=E(ks1,D(ks2,E(ks1,M)))>.
+This form of Triple-DES is used by the RSAREF library.
+
+des_pcbc_encrypt() encrypt/decrypts using the propagating cipher block
+chaing mode used by Kerberos v4. Its parameters are the same as
+des_ncbc_encrypt().
+
+des_cfb_encrypt() encrypt/decrypts using cipher feedback mode.  This
+method takes an array of characters as input and outputs and array of
+characters.  It does not require any padding to 8 character groups.
+Note: the I<ivec> variable is changed and the new changed value needs to
+be passed to the next call to this function.  Since this function runs
+a complete DES ECB encryption per I<numbits>, this function is only
+suggested for use when sending small numbers of characters.
+
+des_cfb64_encrypt()
+implements CFB mode of DES with 64bit feedback.  Why is this
+useful you ask?  Because this routine will allow you to encrypt an
+arbitrary number of bytes, no 8 byte padding.  Each call to this
+routine will encrypt the input bytes to output and then update ivec
+and num.  num contains 'how far' we are though ivec.  If this does
+not make much sense, read more about cfb mode of DES :-).
+
+des_ede3_cfb64_encrypt() and des_ede2_cfb64_encrypt() is the same as
+des_cfb64_encrypt() except that Triple-DES is used.
+
+des_ofb_encrypt() encrypts using output feedback mode.  This method
+takes an array of characters as input and outputs and array of
+characters.  It does not require any padding to 8 character groups.
+Note: the I<ivec> variable is changed and the new changed value needs to
+be passed to the next call to this function.  Since this function runs
+a complete DES ECB encryption per numbits, this function is only
+suggested for use when sending small numbers of characters.
+
+des_ofb64_encrypt() is the same as des_cfb64_encrypt() using Output
+Feed Back mode.
+
+des_ede3_ofb64_encrypt() and des_ede2_ofb64_encrypt() is the same as
+des_ofb64_encrypt(), using Triple-DES.
+
+The following functions are included in the DES library for
+compatibility with the MIT Kerberos library. des_read_pw_string()
+is also available under the name EVP_read_pw_string().
+
+des_read_pw_string() writes the string specified by I<prompt> to
+standarf output, turns echo off and reads in input string from the
+terminal.  The string is returned in I<buf>, which must have space for
+at least I<length> bytes.  If I<verify> is set, the user is asked for
+the password twice and unless the two copies match, an error is
+returned.  A return code of -1 indicates a system error, 1 failure due
+to use interaction, and 0 is success.
+
+des_read_password() does the same and converts the password to a DES
+key by calling des_string_to_key(); des_read_2password() operates in
+the same way as des_read_password() except that it generates two keys
+by using the des_string_to_2key() function.  des_string_to_key() is
+available for backward compatibility with the MIT library.  New
+applications should use a cryptographic hash function.  The same
+applies for des_string_to_2key().
+
+des_cbc_cksum() produces an 8 byte checksum based on the input stream
+(via CBC encryption).  The last 4 bytes of the checksum are returned
+and the complete 8 bytes are placed in I<output>. This function is
+used by Kerberos v4.  Other applications should use
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead.
+
+des_quad_cksum() is a Kerberos v4 function.  It returns a 4 byte
+checksum from the input bytes.  The algorithm can be iterated over the
+input, depending on I<out_count>, 1, 2, 3 or 4 times.  If I<output> is
+non-NULL, the 8 bytes generated by each pass are written into
+I<output>.
+
+The following are DES-based tranformations:
+
+des_fcrypt() is a fast version of the unix crypt(3) function.  This
+version takes only a small amount of space relative to other fast
+crypt() implementations.  This is different to the normal crypt in
+that the third parameter is the buffer that the return value is
+written into.  It needs to be at least 14 bytes long.  This function
+is thread safe, unlike the normal crypt.
+
+des_crypt() is a faster replacement for the normal system crypt().
+This function calls des_fcrypt() with a static array passed as the
+third parameter.  This emulates the normal non-thread safe semantics
+of crypt(3).
+
+des_enc_write() writes I<len> bytes to file descriptor I<fd> from
+buffer I<buf>. The data is encrypted via I<pcbc_encrypt> (default)
+using I<sched> for the key and I<iv> as a starting vector.  The actual
+data send down I<fd> consists of 4 bytes (in network byte order)
+containing the length of the following encrypted data.  The encrypted
+data then follows, padded with random data out to a multiple of 8
+bytes.
+
+des_enc_read() is used to read I<len> bytes from file descriptor
+I<fd> into buffer I<buf>. The data being read from I<fd> is assumed to
+have come from des_enc_write() and is decrypted using I<sched> for
+the key schedule and I<iv> for the initial vector.
+
+B<Warning:> The data format used by des_enc_write() and des_enc_read()
+has a cryptographic weakness: When asked to write more than MAXWRITE
+bytes, des_enc_write() will split the data into several chunks that
+are all encrypted using the same IV.  So don't use these functions
+unless you are sure you know what you do (in which case you might not
+want to use them anyway).  They cannot handle non-blocking sockets.
+des_enc_read() uses an internal state and thus cannot be used on
+multiple files.
+
+I<des_rw_mode> is used to specify the encryption mode to use with
+des_enc_read() and des_end_write().  If set to I<DES_PCBC_MODE> (the
+default), des_pcbc_encrypt is used.  If set to I<DES_CBC_MODE>
+des_cbc_encrypt is used.
+
+=head1 NOTES
+
+Single-key DES is insecure due to its short key size.  ECB mode is
+not suitable for most applications; see L<des_modes(7)|des_modes(7)>.
+
+The L<evp(3)|evp(3)> library provides higher-level encryption functions.
+
+=head1 BUGS
+
+des_3cbc_encrypt() is flawed and must not be used in applications.
+
+des_cbc_encrypt() does not modify B<ivec>; use des_ncbc_encrypt()
+instead.
+
+des_cfb_encrypt() and des_ofb_encrypt() operates on input of 8 bits.
+What this means is that if you set numbits to 12, and length to 2, the
+first 12 bits will come from the 1st input byte and the low half of
+the second input byte.  The second 12 bits will have the low 8 bits
+taken from the 3rd input byte and the top 4 bits taken from the 4th
+input byte.  The same holds for output.  This function has been
+implemented this way because most people will be using a multiple of 8
+and because once you get into pulling bytes input bytes apart things
+get ugly!
+
+des_read_pw_string() is the most machine/OS dependent function and
+normally generates the most problems when porting this code.
+
+=head1 CONFORMING TO
+
+ANSI X3.106
+
+The B<des> library was written to be source code compatible with
+the MIT Kerberos library.
+
+=head1 SEE ALSO
+
+crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+des_cbc_cksum(), des_cbc_encrypt(), des_ecb_encrypt(),
+des_is_weak_key(), des_key_sched(), des_pcbc_encrypt(),
+des_quad_cksum(), des_random_key(), des_read_password() and
+des_string_to_key() are available in the MIT Kerberos library;
+des_check_key_parity(), des_fixup_key_parity() and des_is_weak_key()
+are available in newer versions of that library.
+
+des_set_key_checked() and des_set_key_unchecked() were added in
+OpenSSL 0.9.5.
+
+des_generate_random_block(), des_init_random_number_generator(),
+des_new_random_key(), des_set_random_generator_seed() and
+des_set_sequence_number() and des_rand_data() are used in newer
+versions of Kerberos but are not implemented here.
+
+des_random_key() generated cryptographically weak random data in
+SSLeay and in OpenSSL prior version 0.9.5, as well as in the original
+MIT library.
+
+=head1 AUTHOR
+
+Eric Young (eay@cryptsoft.com). Modified for the OpenSSL project
+(http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/crypto/des_modes.pod b/crypto/openssl/doc/crypto/des_modes.pod
new file mode 100644
index 0000000..1aa3ac7
--- /dev/null
+++ b/crypto/openssl/doc/crypto/des_modes.pod
@@ -0,0 +1,253 @@
+=pod
+
+=head1 NAME
+
+Modes of DES - the variants of DES and other crypto algorithms of OpenSSL
+
+=head1 DESCRIPTION
+
+Several crypto algorithms fo OpenSSL can be used in a number of modes.  Those
+are used for using block ciphers in a way similar to stream ciphers, among
+other things.
+
+=head1 OVERVIEW
+
+=head2 Electronic Codebook Mode (ECB)
+
+Normally, this is found as the function I<algorithm>_ecb_encrypt().
+
+=over 2
+
+=item *
+
+64 bits are enciphered at a time.
+
+=item *
+
+The order of the blocks can be rearranged without detection.
+
+=item *
+
+The same plaintext block always produces the same ciphertext block
+(for the same key) making it vulnerable to a 'dictionary attack'.
+
+=item *
+
+An error will only affect one ciphertext block.
+
+=back
+
+=head2 Cipher Block Chaining Mode (CBC)
+
+Normally, this is found as the function I<algorithm>_cbc_encrypt().
+Be aware that des_cbc_encrypt() is not really DES CBC (it does
+not update the IV); use des_ncbc_encrypt() instead.
+
+=over 2
+
+=item *
+
+a multiple of 64 bits are enciphered at a time.
+
+=item *
+
+The CBC mode produces the same ciphertext whenever the same
+plaintext is encrypted using the same key and starting variable.
+
+=item *
+
+The chaining operation makes the ciphertext blocks dependent on the
+current and all preceding plaintext blocks and therefore blocks can not
+be rearranged.
+
+=item *
+
+The use of different starting variables prevents the same plaintext
+enciphering to the same ciphertext.
+
+=item *
+
+An error will affect the current and the following ciphertext blocks.
+
+=back
+
+=head2 Cipher Feedback Mode (CFB)
+
+Normally, this is found as the function I<algorithm>_cfb_encrypt().
+
+=over 2
+
+=item *
+
+a number of bits (j) <= 64 are enciphered at a time.
+
+=item *
+
+The CFB mode produces the same ciphertext whenever the same
+plaintext is encrypted using the same key and starting variable.
+
+=item *
+
+The chaining operation makes the ciphertext variables dependent on the
+current and all preceding variables and therefore j-bit variables are
+chained together and can not be rearranged.
+
+=item *
+
+The use of different starting variables prevents the same plaintext
+enciphering to the same ciphertext.
+
+=item *
+
+The strength of the CFB mode depends on the size of k (maximal if
+j == k).  In my implementation this is always the case.
+
+=item *
+
+Selection of a small value for j will require more cycles through
+the encipherment algorithm per unit of plaintext and thus cause
+greater processing overheads.
+
+=item *
+
+Only multiples of j bits can be enciphered.
+
+=item *
+
+An error will affect the current and the following ciphertext variables.
+
+=back
+
+=head2 Output Feedback Mode (OFB)
+
+Normally, this is found as the function I<algorithm>_ofb_encrypt().
+
+=over 2
+
+
+=item *
+
+a number of bits (j) <= 64 are enciphered at a time.
+
+=item *
+
+The OFB mode produces the same ciphertext whenever the same
+plaintext enciphered using the same key and starting variable.  More
+over, in the OFB mode the same key stream is produced when the same
+key and start variable are used.  Consequently, for security reasons
+a specific start variable should be used only once for a given key.
+
+=item *
+
+The absence of chaining makes the OFB more vulnerable to specific attacks.
+
+=item *
+
+The use of different start variables values prevents the same
+plaintext enciphering to the same ciphertext, by producing different
+key streams.
+
+=item *
+
+Selection of a small value for j will require more cycles through
+the encipherment algorithm per unit of plaintext and thus cause
+greater processing overheads.
+
+=item *
+
+Only multiples of j bits can be enciphered.
+
+=item *
+
+OFB mode of operation does not extend ciphertext errors in the
+resultant plaintext output.  Every bit error in the ciphertext causes
+only one bit to be in error in the deciphered plaintext.
+
+=item *
+
+OFB mode is not self-synchronising.  If the two operation of
+encipherment and decipherment get out of synchronism, the system needs
+to be re-initialised.
+
+=item *
+
+Each re-initialisation should use a value of the start variable
+different from the start variable values used before with the same
+key.  The reason for this is that an identical bit stream would be
+produced each time from the same parameters.  This would be
+susceptible to a 'known plaintext' attack.
+
+=back
+
+=head2 Triple ECB Mode
+
+Normally, this is found as the function I<algorithm>_ecb3_encrypt().
+
+=over 2
+
+=item *
+
+Encrypt with key1, decrypt with key2 and encrypt with key3 again.
+
+=item *
+
+As for ECB encryption but increases the key length to 168 bits.
+There are theoretic attacks that can be used that make the effective
+key length 112 bits, but this attack also requires 2^56 blocks of
+memory, not very likely, even for the NSA.
+
+=item *
+
+If both keys are the same it is equivalent to encrypting once with
+just one key.
+
+=item *
+
+If the first and last key are the same, the key length is 112 bits.
+There are attacks that could reduce the key space to 55 bit's but it
+requires 2^56 blocks of memory.
+
+=item *
+
+If all 3 keys are the same, this is effectively the same as normal
+ecb mode.
+
+=back
+
+=head2 Triple CBC Mode
+
+Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().
+
+=over 2
+
+
+=item *
+
+Encrypt with key1, decrypt with key2 and then encrypt with key3.
+
+=item *
+
+As for CBC encryption but increases the key length to 168 bits with
+the same restrictions as for triple ecb mode.
+
+=back
+
+=head1 NOTES
+
+This text was been written in large parts by Eric Young in his original
+documentation for SSLeay, the predecessor of OpenSSL.  In turn, he attributed
+it to:
+
+	AS 2805.5.2
+	Australian Standard
+	Electronic funds transfer - Requirements for interfaces,
+	Part 5.2: Modes of operation for an n-bit block cipher algorithm
+	Appendix A
+
+=head1 SEE ALSO
+
+L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
+L<rc2(3)|rc2(3)>
+
+=cut
+
diff --git a/crypto/openssl/doc/crypto/dh.pod b/crypto/openssl/doc/crypto/dh.pod
new file mode 100644
index 0000000..0a9b7c0
--- /dev/null
+++ b/crypto/openssl/doc/crypto/dh.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+dh - Diffie-Hellman key agreement
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *	DH_new(void);
+ void	DH_free(DH *dh);
+
+ int	DH_size(DH *dh);
+
+ DH *	DH_generate_parameters(int prime_len, int generator,
+		void (*callback)(int, int, void *), void *cb_arg);
+ int	DH_check(DH *dh, int *codes);
+
+ int	DH_generate_key(DH *dh);
+ int	DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+ void DH_set_default_method(DH_METHOD *meth);
+ DH_METHOD *DH_get_default_method(void);
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+ DH *DH_new_method(DH_METHOD *meth);
+ DH_METHOD *DH_OpenSSL(void);
+
+ int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+	     int (*dup_func)(), void (*free_func)());
+ int DH_set_ex_data(DH *d, int idx, char *arg);
+ char *DH_get_ex_data(DH *d, int idx);
+
+ DH *	d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int	i2d_DHparams(DH *a, unsigned char **pp);
+
+ int	DHparams_print_fp(FILE *fp, DH *x);
+ int	DHparams_print(BIO *bp, DH *x);
+
+=head1 DESCRIPTION
+
+These functions implement the Diffie-Hellman key agreement protocol.
+The generation of shared DH parameters is described in
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+to perform a key agreement.
+
+The B<DH> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;		// prime number (shared)
+        BIGNUM *g;		// generator of Z_p (shared)
+        BIGNUM *priv_key;	// private DH value x
+        BIGNUM *pub_key;	// public DH value g^x
+        // ...
+        };
+ DH
+
+=head1 SEE ALSO
+
+L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<DH_set_method(3)|DH_set_method(3)>,
+L<DH_new(3)|DH_new(3)>, L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
+L<RSA_print(3)|RSA_print(3)> 
+
+=cut
diff --git a/crypto/openssl/doc/crypto/dsa.pod b/crypto/openssl/doc/crypto/dsa.pod
new file mode 100644
index 0000000..2c09244
--- /dev/null
+++ b/crypto/openssl/doc/crypto/dsa.pod
@@ -0,0 +1,104 @@
+=pod
+
+=head1 NAME
+
+dsa - Digital Signature Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *	DSA_new(void);
+ void	DSA_free(DSA *dsa);
+
+ int	DSA_size(DSA *dsa);
+
+ DSA *	DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *), void *cb_arg);
+
+ DH *	DSA_dup_DH(DSA *r);
+
+ int	DSA_generate_key(DSA *dsa);
+
+ int	DSA_sign(int dummy, const unsigned char *dgst, int len,
+		unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+ int	DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+ int	DSA_verify(int dummy, const unsigned char *dgst, int len,
+		unsigned char *sigbuf, int siglen, DSA *dsa);
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_get_default_method(void);
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+ DSA *DSA_new_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_OpenSSL(void);
+
+ int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+	     int (*dup_func)(), void (*free_func)());
+ int DSA_set_ex_data(DSA *d, int idx, char *arg);
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+ DSA_SIG *DSA_SIG_new(void);
+ void	DSA_SIG_free(DSA_SIG *a);
+ int	i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
+ DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ int	DSA_do_verify(const unsigned char *dgst, int dgst_len,
+	     DSA_SIG *sig, DSA *dsa);
+
+ DSA *	d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
+ DSA *	d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
+ DSA * 	d2i_DSAparams(DSA **a, unsigned char **pp, long length);
+ int	i2d_DSAPublicKey(DSA *a, unsigned char **pp);
+ int 	i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
+ int	i2d_DSAparams(DSA *a,unsigned char **pp);
+
+ int	DSAparams_print(BIO *bp, DSA *x);
+ int	DSAparams_print_fp(FILE *fp, DSA *x);
+ int	DSA_print(BIO *bp, DSA *x, int off);
+ int	DSA_print_fp(FILE *bp, DSA *x, int off);
+
+=head1 DESCRIPTION
+
+These functions implement the Digital Signature Algorithm (DSA).  The
+generation of shared DSA parameters is described in
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>;
+L<DSA_generate_key(3)|DSA_generate_key(3)> describes how to
+generate a signature key. Signature generation and verification are
+described in L<DSA_sign(3)|DSA_sign(3)>.
+
+The B<DSA> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;		// prime number (public)
+        BIGNUM *q;		// 160-bit subprime, q | p-1 (public)
+        BIGNUM *g;		// generator of subgroup (public)
+        BIGNUM *priv_key;	// private key x
+        BIGNUM *pub_key;	// public key y = g^x
+        // ...
+        }
+ DSA;
+
+In public keys, B<priv_key> is NULL.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<sha(3)|sha(3)>, L<DSA_new(3)|DSA_new(3)>,
+L<DSA_size(3)|DSA_size(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_dup_DH(3)|DSA_dup_DH(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>,
+L<DSA_sign(3)|DSA_sign(3)>, L<DSA_set_method(3)|DSA_set_method(3)>,
+L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
+L<RSA_print(3)|RSA_print(3)>
+
+=cut
diff --git a/crypto/openssl/doc/crypto/err.pod b/crypto/openssl/doc/crypto/err.pod
new file mode 100644
index 0000000..b824c92
--- /dev/null
+++ b/crypto/openssl/doc/crypto/err.pod
@@ -0,0 +1,187 @@
+=pod
+
+=head1 NAME
+
+err - error codes
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ unsigned long ERR_get_error(void);
+ unsigned long ERR_peek_error(void);
+ unsigned long ERR_get_error_line(const char **file, int *line);
+ unsigned long ERR_peek_error_line(const char **file, int *line);
+ unsigned long ERR_get_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+ unsigned long ERR_peek_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+
+ int ERR_GET_LIB(unsigned long e);
+ int ERR_GET_FUNC(unsigned long e);
+ int ERR_GET_REASON(unsigned long e);
+
+ void ERR_clear_error(void);
+
+ char *ERR_error_string(unsigned long e, char *buf);
+ const char *ERR_lib_error_string(unsigned long e);
+ const char *ERR_func_error_string(unsigned long e);
+ const char *ERR_reason_error_string(unsigned long e);
+
+ void ERR_print_errors(BIO *bp);
+ void ERR_print_errors_fp(FILE *fp);
+
+ void ERR_load_crypto_strings(void);
+ void ERR_free_strings(void);
+
+ void ERR_remove_state(unsigned long pid);
+
+ void ERR_put_error(int lib, int func, int reason, const char *file,
+         int line);
+ void ERR_add_error_data(int num, ...);
+
+ void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
+ unsigned long ERR_PACK(int lib, int func, int reason);
+ int ERR_get_next_error_library(void);
+
+=head1 DESCRIPTION
+
+When a call to the OpenSSL library fails, this is usually signalled
+by the return value, and an error code is stored in an error queue
+associated with the current thread. The B<err> library provides
+functions to obtain these error codes and textual error messages.
+
+The L<ERR_get_error(3)|ERR_get_error(3)> manpage describes how to
+access error codes.
+
+Error codes contain information about where the error occurred, and
+what went wrong. L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> describes how to
+extract this information. A method to obtain human-readable error
+messages is described in L<ERR_error_string(3)|ERR_error_string(3)>.
+
+L<ERR_clear_error(3)|ERR_clear_error(3)> can be used to clear the
+error queue.
+
+Note that L<ERR_remove_state(3)|ERR_remove_state(3)> should be used to
+avoid memory leaks when threads are terminated.
+
+=head1 ADDING NEW ERROR CODES TO OPENSSL
+
+See L<ERR_put_error(3)> if you want to record error codes in the
+OpenSSL error system from within your application.
+
+The remainder of this section is of interest only if you want to add
+new error codes to OpenSSL or add error codes from external libraries.
+
+=head2 Reporting errors
+
+Each sub-library has a specific macro XXXerr() that is used to report
+errors. Its first argument is a function code B<XXX_F_...>, the second
+argument is a reason code B<XXX_R_...>. Function codes are derived
+from the function names; reason codes consist of textual error
+descriptions. For example, the function ssl23_read() reports a
+"handshake failure" as follows:
+
+ SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
+
+Function and reason codes should consist of upper case characters,
+numbers and underscores only. The error file generation script translates
+function codes into function names by looking in the header files
+for an appropriate function name, if none is found it just uses
+the capitalized form such as "SSL23_READ" in the above example.
+
+The trailing section of a reason code (after the "_R_") is translated
+into lower case and underscores changed to spaces.
+
+When you are using new function or reason codes, run B<make errors>.
+The necessary B<#define>s will then automatically be added to the
+sub-library's header file.
+
+Although a library will normally report errors using its own specific
+XXXerr macro, another library's macro can be used. This is normally
+only done when a library wants to include ASN1 code which must use
+the ASN1err() macro.
+
+=head2 Adding new libraries
+
+When adding a new sub-library to OpenSSL, assign it a library number
+B<ERR_LIB_XXX>, define a macro XXXerr() (both in B<err.h>), add its
+name to B<ERR_str_libraries[]> (in B<crypto/err/err.c>), and add
+C<ERR_load_XXX_strings()> to the ERR_load_crypto_strings() function
+(in B<crypto/err/err_all.c>). Finally, add an entry
+
+ L	XXX	xxx.h	xxx_err.c
+
+to B<crypto/err/openssl.ec>, and add B<xxx_err.c> to the Makefile.
+Running B<make errors> will then generate a file B<xxx_err.c>, and
+add all error codes used in the library to B<xxx.h>.
+
+Additionally the library include file must have a certain form.
+Typically it will initially look like this:
+
+ #ifndef HEADER_XXX_H
+ #define HEADER_XXX_H
+
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+
+ /* Include files */
+
+ #include <openssl/bio.h>
+ #include <openssl/x509.h>
+
+ /* Macros, structures and function prototypes */
+
+
+ /* BEGIN ERROR CODES */
+
+The B<BEGIN ERROR CODES> sequence is used by the error code
+generation script as the point to place new error codes, any text
+after this point will be overwritten when B<make errors> is run.
+The closing #endif etc will be automatically added by the script.
+
+The generated C error code file B<xxx_err.c> will load the header
+files B<stdio.h>, B<openssl/err.h> and B<openssl/xxx.h> so the
+header file must load any additional header files containg any
+definitions it uses.
+
+=head1 USING ERROR CODES IN EXTERNAL LIBRARIES
+
+It is also possible to use OpenSSL's error code scheme in external
+libraries. The library needs to load its own codes and call the OpenSSL
+error code insertion script B<mkerr.pl> explicitly to add codes to
+the header file and generate the C error code file. This will normally
+be done if the external library needs to generate new ASN1 structures
+but it can also be used to add more general purpose error code handling.
+
+TBA more details
+
+=head1 INTERNALS
+
+The error queues are stored in a hash table with one B<ERR_STATE>
+entry for each pid. ERR_get_state() returns the current thread's
+B<ERR_STATE>. An B<ERR_STATE> can hold up to B<ERR_NUM_ERRORS> error
+codes. When more error codes are added, the old ones are overwritten,
+on the assumption that the most recent errors are most important.
+
+Error strings are also stored in hash table. The hash tables can
+be obtained by calling ERR_get_err_state_table(void) and
+ERR_get_string_table(void) respectively.
+
+=head1 SEE ALSO
+
+L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
+L<CRYPTO_set_locking_callback(3)|<CRYPTO_set_locking_callback(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
+L<ERR_clear_error(3)|ERR_clear_error(3)>,
+L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_print_errors(3)|ERR_print_errors(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<ERR_remove_state(3)|ERR_remove_state(3)>,
+L<ERR_put_error(3)|ERR_put_error(3)>,
+L<ERR_load_strings(3)|ERR_load_strings(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>
+
+=cut
diff --git a/crypto/openssl/doc/crypto/hmac.pod b/crypto/openssl/doc/crypto/hmac.pod
new file mode 100644
index 0000000..45b6108
--- /dev/null
+++ b/crypto/openssl/doc/crypto/hmac.pod
@@ -0,0 +1,75 @@
+=pod
+
+=head1 NAME
+
+HMAC, HMAC_Init, HMAC_Update, HMAC_Final - HMAC message authentication code
+
+=head1 SYNOPSIS
+
+ #include <openssl/hmac.h>
+
+ unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
+               int key_len, const unsigned char *d, int n,
+               unsigned char *md, unsigned int *md_len);
+
+ void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
+               const EVP_MD *md);
+ void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+ void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
+
+ void HMAC_cleanup(HMAC_CTX *ctx);
+
+=head1 DESCRIPTION
+
+HMAC is a MAC (message authentication code), i.e. a keyed hash
+function used for message authentication, which is based on a hash
+function.
+
+HMAC() computes the message authentication code of the B<n> bytes at
+B<d> using the hash function B<evp_md> and the key B<key> which is
+B<key_len> bytes long.
+
+It places the result in B<md> (which must have space for the output of
+the hash function, which is no more than B<EVP_MAX_MD_SIZE> bytes).
+If B<md> is NULL, the digest is placed in a static array.  The size of
+the output is placed in B<md_len>, unless it is B<NULL>.
+
+B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<key> and B<evp_md> may be B<NULL> if a key and hash function have
+been set in a previous call to HMAC_Init() for that B<HMAC_CTX>.
+
+HMAC_cleanup() erases the key and other data from the B<HMAC_CTX>.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+HMAC_Init() initializes a B<HMAC_CTX> structure to use the hash
+function B<evp_md> and the key B<key> which is B<key_len> bytes long.
+
+HMAC_Update() can be called repeatedly with chunks of the message to
+be authenticated (B<len> bytes at B<data>).
+
+HMAC_Final() places the message authentication code in B<md>, which
+must have space for the hash function output.
+
+=head1 RETURN VALUES
+
+HMAC() returns a pointer to the message authentication code.
+
+HMAC_Init(), HMAC_Update(), HMAC_Final() and HMAC_cleanup() do not
+return values.
+
+=head1 CONFORMING TO
+
+RFC 2104
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<evp(3)|evp(3)>
+
+=head1 HISTORY
+
+HMAC(), HMAC_Init(), HMAC_Update(), HMAC_Final() and HMAC_cleanup()
+are available since SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/lh_stats.pod b/crypto/openssl/doc/crypto/lh_stats.pod
new file mode 100644
index 0000000..3eeaa72
--- /dev/null
+++ b/crypto/openssl/doc/crypto/lh_stats.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+lh_stats, lh_node_stats, lh_node_usage_stats, lh_stats_bio,
+lh_node_stats_bio, lh_node_usage_stats_bio - LHASH statistics
+
+=head1 SYNOPSIS
+
+ #include <openssl/lhash.h>
+
+ void lh_stats(LHASH *table, FILE *out);
+ void lh_node_stats(LHASH *table, FILE *out);
+ void lh_node_usage_stats(LHASH *table, FILE *out);
+
+ void lh_stats_bio(LHASH *table, BIO *out);
+ void lh_node_stats_bio(LHASH *table, BIO *out);
+ void lh_node_usage_stats_bio(LHASH *table, BIO *out);
+
+=head1 DESCRIPTION
+
+The B<LHASH> structure records statistics about most aspects of
+accessing the hash table.  This is mostly a legacy of Eric Young
+writing this library for the reasons of implementing what looked like
+a nice algorithm rather than for a particular software product.
+
+lh_stats() prints out statistics on the size of the hash table, how
+many entries are in it, and the number and result of calls to the
+routines in this library.
+
+lh_node_stats() prints the number of entries for each 'bucket' in the
+hash table.
+
+lh_node_usage_stats() prints out a short summary of the state of the
+hash table.  It prints the 'load' and the 'actual load'.  The load is
+the average number of data items per 'bucket' in the hash table.  The
+'actual load' is the average number of items per 'bucket', but only
+for buckets which contain entries.  So the 'actual load' is the
+average number of searches that will need to find an item in the hash
+table, while the 'load' is the average number that will be done to
+record a miss.
+
+lh_stats_bio(), lh_node_stats_bio() and lh_node_usage_stats_bio()
+are the same as the above, except that the output goes to a B<BIO>.
+
+=head1 RETURN VALUES
+
+These functions do not return values.
+
+=head1 SEE ALSO
+
+L<bio(3)|bio(3)>, L<lhash(3)|lhash(3)>
+
+=head1 HISTORY
+
+These functions are available in all versions of SSLeay and OpenSSL.
+
+This manpage is derived from the SSLeay documentation.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/lhash.pod b/crypto/openssl/doc/crypto/lhash.pod
new file mode 100644
index 0000000..af2c9a7
--- /dev/null
+++ b/crypto/openssl/doc/crypto/lhash.pod
@@ -0,0 +1,155 @@
+=pod
+
+=head1 NAME
+
+lh_new, lh_free, lh_insert, lh_delete, lh_retrieve, lh_doall,
+lh_doall_arg, lh_error - dynamic hash table
+
+=head1 SYNOPSIS
+
+ #include <openssl/lhash.h>
+
+ LHASH *lh_new(unsigned long (*hash)(/*void *a*/),
+          int (*compare)(/*void *a,void *b*/));
+ void lh_free(LHASH *table);
+
+ void *lh_insert(LHASH *table, void *data);
+ void *lh_delete(LHASH *table, void *data);
+ void *lh_retrieve(LHASH *table, void *data);
+
+ void lh_doall(LHASH *table, void (*func)(/*void *b*/));
+ void lh_doall_arg(LHASH *table, void (*func)(/*void *a,void *b*/),
+          void *arg);
+
+ int lh_error(LHASH *table);
+
+=head1 DESCRIPTION
+
+This library implements dynamic hash tables. The hash table entries
+can be arbitrary structures. Usually they consist of key and value
+fields.
+
+lh_new() creates a new B<LHASH> structure. B<hash> takes a pointer to
+the structure and returns an unsigned long hash value of its key
+field. The hash value is normally truncated to a power of 2, so make
+sure that your hash function returns well mixed low order
+bits. B<compare> takes two arguments, and returns 0 if their keys are
+equal, non-zero otherwise.
+
+lh_free() frees the B<LHASH> structure B<table>. Allocated hash table
+entries will not be freed; consider using lh_doall() to deallocate any
+remaining entries in the hash table.
+
+lh_insert() inserts the structure pointed to by B<data> into B<table>.
+If there already is an entry with the same key, the old value is
+replaced. Note that lh_insert() stores pointers, the data are not
+copied.
+
+lh_delete() deletes an entry from B<table>.
+
+lh_retrieve() looks up an entry in B<table>. Normally, B<data> is
+a structure with the key field(s) set; the function will return a
+pointer to a fully populated structure.
+
+lh_doall() will, for every entry in the hash table, call B<func> with
+the data item as parameters.
+This function can be quite useful when used as follows:
+ void cleanup(STUFF *a)
+  { STUFF_free(a); }
+ lh_doall(hash,cleanup);
+ lh_free(hash);
+This can be used to free all the entries. lh_free() then cleans up the
+'buckets' that point to nothing. When doing this, be careful if you
+delete entries from the hash table in B<func>: the table may decrease
+in size, moving item that you are currently on down lower in the hash
+table.  This could cause some entries to be skipped.  The best
+solution to this problem is to set hash-E<gt>down_load=0 before you
+start.  This will stop the hash table ever being decreased in size.
+
+lh_doall_arg() is the same as lh_doall() except that B<func> will
+be called with B<arg> as the second argument.
+
+lh_error() can be used to determine if an error occurred in the last
+operation. lh_error() is a macro.
+
+=head1 RETURN VALUES
+
+lh_new() returns B<NULL> on error, otherwise a pointer to the new
+B<LHASH> structure.
+
+When a hash table entry is replaced, lh_insert() returns the value
+being replaced. B<NULL> is returned on normal operation and on error.
+
+lh_delete() returns the entry being deleted.  B<NULL> is returned if
+there is no such value in the hash table.
+
+lh_retrieve() returns the hash table entry if it has been found,
+B<NULL> otherwise.
+
+lh_error() returns 1 if an error occurred in the last operation, 0
+otherwise.
+
+lh_free(), lh_doall() and lh_doall_arg() return no values.
+
+=head1 BUGS
+
+lh_insert() returns B<NULL> both for success and error.
+
+=head1 INTERNALS
+
+The following description is based on the SSLeay documentation:
+
+The B<lhash> library implements a hash table described in the
+I<Communications of the ACM> in 1991.  What makes this hash table
+different is that as the table fills, the hash table is increased (or
+decreased) in size via Realloc().  When a 'resize' is done, instead of
+all hashes being redistributed over twice as many 'buckets', one
+bucket is split.  So when an 'expand' is done, there is only a minimal
+cost to redistribute some values.  Subsequent inserts will cause more
+single 'bucket' redistributions but there will never be a sudden large
+cost due to redistributing all the 'buckets'.
+
+The state for a particular hash table is kept in the B<LHASH> structure.
+The decision to increase or decrease the hash table size is made
+depending on the 'load' of the hash table.  The load is the number of
+items in the hash table divided by the size of the hash table.  The
+default values are as follows.  If (hash->up_load E<lt> load) =E<gt>
+expand.  if (hash-E<gt>down_load E<gt> load) =E<gt> contract.  The
+B<up_load> has a default value of 1 and B<down_load> has a default value
+of 2.  These numbers can be modified by the application by just
+playing with the B<up_load> and B<down_load> variables.  The 'load' is
+kept in a form which is multiplied by 256.  So
+hash-E<gt>up_load=8*256; will cause a load of 8 to be set.
+
+If you are interested in performance the field to watch is
+num_comp_calls.  The hash library keeps track of the 'hash' value for
+each item so when a lookup is done, the 'hashes' are compared, if
+there is a match, then a full compare is done, and
+hash-E<gt>num_comp_calls is incremented.  If num_comp_calls is not equal
+to num_delete plus num_retrieve it means that your hash function is
+generating hashes that are the same for different values.  It is
+probably worth changing your hash function if this is the case because
+even if your hash table has 10 items in a 'bucket', it can be searched
+with 10 B<unsigned long> compares and 10 linked list traverses.  This
+will be much less expensive that 10 calls to you compare function.
+
+lh_strhash() is a demo string hashing function:
+
+ unsigned long lh_strhash(const char *c);
+
+Since the B<LHASH> routines would normally be passed structures, this
+routine would not normally be passed to lh_new(), rather it would be
+used in the function passed to lh_new().
+
+=head1 SEE ALSO
+
+L<lh_stats(3)|lh_stats(3)>
+
+=head1 HISTORY
+
+The B<lhash> library is available in all versions of SSLeay and OpenSSL.
+lh_error() was added in SSLeay 0.9.1b.
+
+This manpage is derived from the SSLeay documentation.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/md5.pod b/crypto/openssl/doc/crypto/md5.pod
new file mode 100644
index 0000000..d7c1200
--- /dev/null
+++ b/crypto/openssl/doc/crypto/md5.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+MD2, MD5, MD2_Init, MD2_Update, MD2_Final, MD5_Init, MD5_Update,
+MD5_Final - MD2 and MD5 hash functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/md2.h>
+
+ unsigned char *MD2(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MD2_Init(MD2_CTX *c);
+ void MD2_Update(MD2_CTX *c, const unsigned char *data,
+                  unsigned long len);
+ void MD2_Final(unsigned char *md, MD2_CTX *c);
+
+
+ #include <openssl/md5.h>
+
+ unsigned char *MD5(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MD5_Init(MD5_CTX *c);
+ void MD5_Update(MD5_CTX *c, const void *data,
+                  unsigned long len);
+ void MD5_Final(unsigned char *md, MD5_CTX *c);
+
+=head1 DESCRIPTION
+
+MD2 and MD5 are cryptographic hash functions with a 128 bit output.
+
+MD2() and MD5() compute the MD2 and MD5 message digest of the B<n>
+bytes at B<d> and place it in B<md> (which must have space for
+MD2_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16 bytes of output). If
+B<md> is NULL, the digest is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+MD2_Init() initializes a B<MD2_CTX> structure.
+
+MD2_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+MD2_Final() places the message digest in B<md>, which must have space
+for MD2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MD2_CTX>.
+
+MD5_Init(), MD5_Update() and MD5_Final() are analogous using an
+B<MD5_CTX> structure.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+etc. instead of calling the hash functions directly.
+
+=head1 NOTE
+
+MD2 and MD5 are recommended only for compatibility with existing
+applications. In new applications, SHA-1 or RIPEMD-160 should be
+preferred.
+
+=head1 RETURN VALUES
+
+MD2() and MD5() return pointers to the hash value. 
+
+MD2_Init(), MD2_Update() MD2_Final(), MD5_Init(), MD5_Update() and
+MD5_Final() do not return values.
+
+=head1 CONFORMING TO
+
+RFC 1319, RFC 1321
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<ripemd(3)|ripemd(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+MD2(), MD2_Init(), MD2_Update() MD2_Final(), MD5(), MD5_Init(),
+MD5_Update() and MD5_Final() are available in all versions of SSLeay
+and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/mdc2.pod b/crypto/openssl/doc/crypto/mdc2.pod
new file mode 100644
index 0000000..11dc303
--- /dev/null
+++ b/crypto/openssl/doc/crypto/mdc2.pod
@@ -0,0 +1,64 @@
+=pod
+
+=head1 NAME
+
+MDC2, MDC2_Init, MDC2_Update, MDC2_Final - MDC2 hash function
+
+=head1 SYNOPSIS
+
+ #include <openssl/mdc2.h>
+
+ unsigned char *MDC2(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MDC2_Init(MDC2_CTX *c);
+ void MDC2_Update(MDC2_CTX *c, const unsigned char *data,
+                  unsigned long len);
+ void MDC2_Final(unsigned char *md, MDC2_CTX *c);
+
+=head1 DESCRIPTION
+
+MDC2 is a method to construct hash functions with 128 bit output from
+block ciphers.  These functions are an implementation of MDC2 with
+DES.
+
+MDC2() computes the MDC2 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+MDC2_DIGEST_LENGTH == 16 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+MDC2_Init() initializes a B<MDC2_CTX> structure.
+
+MDC2_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+MDC2_Final() places the message digest in B<md>, which must have space
+for MDC2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MDC2_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
+hash functions directly.
+
+=head1 RETURN VALUES
+
+MDC2() returns a pointer to the hash value. 
+
+MDC2_Init(), MDC2_Update() and MDC2_Final() do not return values.
+
+=head1 CONFORMING TO
+
+ISO/IEC 10118-2, with DES
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+MDC2(), MDC2_Init(), MDC2_Update() and MDC2_Final() are available since
+SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/rand.pod b/crypto/openssl/doc/crypto/rand.pod
new file mode 100644
index 0000000..295b681
--- /dev/null
+++ b/crypto/openssl/doc/crypto/rand.pod
@@ -0,0 +1,158 @@
+=pod
+
+=head1 NAME
+
+rand - pseudo-random number generator
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int  RAND_bytes(unsigned char *buf,int num);
+ int  RAND_pseudo_bytes(unsigned char *buf,int num);
+
+ void RAND_seed(const void *buf,int num);
+ void RAND_add(const void *buf,int num,int entropy);
+ int  RAND_status(void);
+ void RAND_screen(void);
+
+ int  RAND_load_file(const char *file,long max_bytes);
+ int  RAND_write_file(const char *file);
+ const char *RAND_file_name(char *file,int num);
+
+ int  RAND_egd(const char *path);
+
+ void RAND_set_rand_method(RAND_METHOD *meth);
+ RAND_METHOD *RAND_get_rand_method(void);
+ RAND_METHOD *RAND_SSLeay(void);
+
+ void RAND_cleanup(void);
+
+=head1 DESCRIPTION
+
+These functions implement a cryptographically secure pseudo-random
+number generator (PRNG). It is used by other library functions for
+example to generate random keys, and applications can use it when they
+need randomness.
+
+A cryptographic PRNG must be seeded with unpredictable data such as
+mouse movements or keys pressed at random by the user. This is
+described in L<RAND_add(3)|RAND_add(3)>. Its state can be saved in a seed file
+(see L<RAND_load_file(3)|RAND_load_file(3)>) to avoid having to go through the
+seeding process whenever the application is started.
+
+L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the
+PRNG. 
+
+=head1 INTERNALS
+
+The RAND_SSLeay() method implements a PRNG based on a cryptographic
+hash function.
+
+The following description of its design is based on the SSLeay
+documentation:
+
+First up I will state the things I believe I need for a good RNG.
+
+=over 4
+
+=item 1
+
+A good hashing algorithm to mix things up and to convert the RNG 'state'
+to random numbers.
+
+=item 2
+
+An initial source of random 'state'.
+
+=item 3
+
+The state should be very large.  If the RNG is being used to generate
+4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
+If your RNG state only has 128 bits, you are obviously limiting the
+search space to 128 bits, not 2048.  I'm probably getting a little
+carried away on this last point but it does indicate that it may not be
+a bad idea to keep quite a lot of RNG state.  It should be easier to
+break a cipher than guess the RNG seed data.
+
+=item 4
+
+Any RNG seed data should influence all subsequent random numbers
+generated.  This implies that any random seed data entered will have
+an influence on all subsequent random numbers generated.
+
+=item 5
+
+When using data to seed the RNG state, the data used should not be
+extractable from the RNG state.  I believe this should be a
+requirement because one possible source of 'secret' semi random
+data would be a private key or a password.  This data must
+not be disclosed by either subsequent random numbers or a
+'core' dump left by a program crash.
+
+=item 6
+
+Given the same initial 'state', 2 systems should deviate in their RNG state
+(and hence the random numbers generated) over time if at all possible.
+
+=item 7
+
+Given the random number output stream, it should not be possible to determine
+the RNG state or the next random number.
+
+=back
+
+The algorithm is as follows.
+
+There is global state made up of a 1023 byte buffer (the 'state'), a
+working hash value ('md'), and a counter ('count').
+
+Whenever seed data is added, it is inserted into the 'state' as
+follows.
+
+The input is chopped up into units of 20 bytes (or less for
+the last block).  Each of these blocks is run through the hash
+function as follows:  The data passed to the hash function
+is the current 'md', the same number of bytes from the 'state'
+(the location determined by in incremented looping index) as
+the current 'block', the new key data 'block', and 'count'
+(which is incremented after each use).
+The result of this is kept in 'md' and also xored into the
+'state' at the same locations that were used as input into the
+hash function. I
+believe this system addresses points 1 (hash function; currently
+SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
+function and xor).
+
+When bytes are extracted from the RNG, the following process is used.
+For each group of 10 bytes (or less), we do the following:
+
+Input into the hash function the top 10 bytes from the local 'md'
+(which is initialized from the global 'md' before any bytes are
+generated), the bytes that are to be overwritten by the random bytes,
+and bytes from the 'state' (incrementing looping index). From this
+digest output (which is kept in 'md'), the top (up to) 10 bytes are
+returned to the caller and the bottom (up to) 10 bytes are xored into
+the 'state'.
+
+Finally, after we have finished 'num' random bytes for the caller,
+'count' (which is incremented) and the local and global 'md' are fed
+into the hash function and the results are kept in the global 'md'.
+
+I believe the above addressed points 1 (use of SHA-1), 6 (by hashing
+into the 'state' the 'old' data from the caller that is about to be
+overwritten) and 7 (by not using the 10 bytes given to the caller to
+update the 'state', but they are used to update 'md').
+
+So of the points raised, only 2 is not addressed (but see
+L<RAND_add(3)|RAND_add(3)>).
+
+=head1 SEE ALSO
+
+L<BN_rand(3)|BN_rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_egd(3)|RAND_egd(3)>,
+L<RAND_bytes(3)|RAND_bytes(3)>,
+L<RAND_set_rand_method(3)|RAND_set_rand_method(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)> 
+
+=cut
diff --git a/crypto/openssl/doc/crypto/rc4.pod b/crypto/openssl/doc/crypto/rc4.pod
new file mode 100644
index 0000000..b6d3a43
--- /dev/null
+++ b/crypto/openssl/doc/crypto/rc4.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+RC4_set_key, RC4 - RC4 encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/rc4.h>
+
+ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+
+ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
+          unsigned char *outdata);
+
+=head1 DESCRIPTION
+
+This library implements the Alleged RC4 cipher, which is described for
+example in I<Applied Cryptography>.  It is believed to be compatible
+with RC4[TM], a proprietary cipher of RSA Security Inc.
+
+RC4 is a stream cipher with variable key length.  Typically, 128 bit
+(16 byte) keys are used for strong encryption, but shorter insecure
+key sizes have been widely used due to export restrictions.
+
+RC4 consists of a key setup phase and the actual encryption or
+decryption phase.
+
+RC4_set_key() sets up the B<RC4_KEY> B<key> using the B<len> bytes long
+key at B<data>.
+
+RC4() encrypts or decrypts the B<len> bytes of data at B<indata> using
+B<key> and places the result at B<outdata>.  Repeated RC4() calls with
+the same B<key> yield a continuous key stream.
+
+Since RC4 is a stream cipher (the input is XORed with a pseudo-random
+key stream to produce the output), decryption uses the same function
+calls as encryption.
+
+Applications should use the higher level functions
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+etc. instead of calling the RC4 functions directly.
+
+=head1 RETURN VALUES
+
+RC4_set_key() and RC4() do not return values.
+
+=head1 NOTE
+
+Certain conditions have to be observed to securely use stream ciphers.
+It is not permissible to perform multiple encryptions using the same
+key stream.
+
+=head1 SEE ALSO
+
+L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<rc2(3)|rc2(3)>
+
+=head1 HISTORY
+
+RC4_set_key() and RC4() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ripemd.pod b/crypto/openssl/doc/crypto/ripemd.pod
new file mode 100644
index 0000000..31054b6
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ripemd.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final -
+RIPEMD-160 hash function
+
+=head1 SYNOPSIS
+
+ #include <openssl/ripemd.h>
+
+ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void RIPEMD160_Init(RIPEMD160_CTX *c);
+ void RIPEMD160_Update(RIPEMD_CTX *c, const void *data,
+                  unsigned long len);
+ void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
+
+=head1 DESCRIPTION
+
+RIPEMD-160 is a cryptographic hash function with a
+160 bit output.
+
+RIPEMD160() computes the RIPEMD-160 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+RIPEMD160_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+RIPEMD160_Init() initializes a B<RIPEMD160_CTX> structure.
+
+RIPEMD160_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+RIPEMD160_Final() places the message digest in B<md>, which must have
+space for RIPEMD160_DIGEST_LENGTH == 20 bytes of output, and erases
+the B<RIPEMD160_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
+hash functions directly.
+
+=head1 RETURN VALUES
+
+RIPEMD160() returns a pointer to the hash value. 
+
+RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() do not
+return values.
+
+=head1 CONFORMING TO
+
+ISO/IEC 10118-3 (draft) (??)
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update() and
+RIPEMD160_Final() are available since SSLeay 0.9.0.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/rsa.pod b/crypto/openssl/doc/crypto/rsa.pod
new file mode 100644
index 0000000..eb8ba61
--- /dev/null
+++ b/crypto/openssl/doc/crypto/rsa.pod
@@ -0,0 +1,116 @@
+=pod
+
+=head1 NAME
+
+rsa - RSA public key cryptosystem
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+ void RSA_free(RSA *rsa);
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+ int RSA_private_decrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ int RSA_size(RSA *rsa);
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+ int RSA_check_key(RSA *rsa);
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+ void RSA_blinding_off(RSA *rsa);
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_default_method(void);
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+ RSA_METHOD *RSA_null_method(void);
+ int RSA_flags(RSA *rsa);
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+    int (*dup_func)(), void (*free_func)());
+ int RSA_set_ex_data(RSA *r,int idx,char *arg);
+ char *RSA_get_ex_data(RSA *r, int idx);
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa,int padding);
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa,int padding);
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+These functions implement RSA public key encryption and signatures
+as defined in PKCS #1 v2.0 [RFC 2437].
+
+The B<RSA> structure consists of several BIGNUM components. It can
+contain public as well as private RSA keys:
+
+ struct
+        {
+        BIGNUM *n;		// public modulus
+        BIGNUM *e;		// public exponent
+        BIGNUM *d;		// private exponent
+        BIGNUM *p;		// secret prime factor
+        BIGNUM *q;		// secret prime factor
+        BIGNUM *dmp1;		// d mod (p-1)
+        BIGNUM *dmq1;		// d mod (q-1)
+        BIGNUM *iqmp;		// q^-1 mod p
+	// ...
+        };
+ RSA
+
+In public keys, the private exponent and the related secret values are
+B<NULL>.
+
+B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp> may be B<NULL> in private
+keys, but the RSA operations are much faster when these values are
+available.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 PATENTS
+
+RSA is covered by a US patent which expires in September 2000.
+
+=head1 SEE ALSO
+
+L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
+L<rand(3)|rand(3)>, L<RSA_new(3)|RSA_new(3)>,
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
+L<RSA_generate_key(3)|RSA_generate_key(3)>,
+L<RSA_check_key(3)|RSA_check_key(3)>,
+L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
+L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>,
+L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
+
+=cut
diff --git a/crypto/openssl/doc/crypto/sha.pod b/crypto/openssl/doc/crypto/sha.pod
new file mode 100644
index 0000000..0ba315d
--- /dev/null
+++ b/crypto/openssl/doc/crypto/sha.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SHA1, SHA1_Init, SHA1_Update, SHA1_Final - Secure Hash Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/sha.h>
+
+ unsigned char *SHA1(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void SHA1_Init(SHA_CTX *c);
+ void SHA1_Update(SHA_CTX *c, const void *data,
+                  unsigned long len);
+ void SHA1_Final(unsigned char *md, SHA_CTX *c);
+
+=head1 DESCRIPTION
+
+SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
+160 bit output.
+
+SHA1() computes the SHA-1 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+SHA_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+SHA1_Init() initializes a B<SHA_CTX> structure.
+
+SHA1_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+SHA1_Final() places the message digest in B<md>, which must have space
+for SHA_DIGEST_LENGTH == 20 bytes of output, and erases the B<SHA_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+etc. instead of calling the hash functions directly.
+
+The predecessor of SHA-1, SHA, is also implemented, but it should be
+used only when backward compatibility is required.
+
+=head1 RETURN VALUES
+
+SHA1() returns a pointer to the hash value. 
+
+SHA1_Init(), SHA1_Update() and SHA1_Final() do not return values.
+
+=head1 CONFORMING TO
+
+SHA: US Federal Information Processing Standard FIPS PUB 180 (Secure Hash
+Standard),
+SHA-1: US Federal Information Processing Standard FIPS PUB 180-1 (Secure Hash
+Standard),
+ANSI X9.30
+
+=head1 SEE ALSO
+
+L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+SHA1(), SHA1_Init(), SHA1_Update() and SHA1_Final() are available in all
+versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/threads.pod b/crypto/openssl/doc/crypto/threads.pod
new file mode 100644
index 0000000..5da056f
--- /dev/null
+++ b/crypto/openssl/doc/crypto/threads.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+CRYPTO_set_locking_callback, CRYPTO_set_id_callback - OpenSSL thread support
+
+=head1 SYNOPSIS
+
+ #include <openssl/crypto.h>
+
+ void CRYPTO_set_locking_callback(void (*locking_function)(int mode,
+        int n, const char *file, int line));
+
+ void CRYPTO_set_id_callback(unsigned long (*id_function)(void));
+
+ int CRYPTO_num_locks(void);
+
+=head1 DESCRIPTION
+
+OpenSSL can safely be used in multi-threaded applications provided
+that two callback functions are set.
+
+locking_function(int mode, int n, const char *file, int line) is
+needed to perform locking on shared data stuctures. Multi-threaded
+applications will crash at random if it is not set.
+
+locking_function() must be able to handle up to CRYPTO_num_locks()
+different mutex locks. It sets the B<n>-th lock if B<mode> &
+B<CRYPTO_LOCK>, and releases it otherwise.
+
+B<file> and B<line> are the file number of the function setting the
+lock. They can be useful for debugging.
+
+id_function(void) is a function that returns a thread ID. It is not
+needed on Windows nor on platforms where getpid() returns a different
+ID for each thread (most notably Linux).
+
+=head1 RETURN VALUES
+
+CRYPTO_num_locks() returns the required number of locks.
+The other functions return no values.
+
+=head1 NOTE
+
+You can find out if OpenSSL was configured with thread support:
+
+ #define OPENSSL_THREAD_DEFINES
+ #include <openssl/opensslconf.h>
+ #if defined(THREADS)
+   // thread support enabled
+ #else
+   // no thread support
+ #endif
+
+=head1 EXAMPLES
+
+B<crypto/threads/mttest.c> shows examples of the callback functions on
+Solaris, Irix and Win32.
+
+=head1 HISTORY
+
+CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() are
+available in all versions of SSLeay and OpenSSL.
+CRYPTO_num_locks() was added in OpenSSL 0.9.4.
+
+=head1 SEE ALSO
+
+L<crypto(3)|crypto(3)>
+
+=cut
diff --git a/crypto/openssl/doc/openssl.pod b/crypto/openssl/doc/openssl.pod
new file mode 100644
index 0000000..561f01e
--- /dev/null
+++ b/crypto/openssl/doc/openssl.pod
@@ -0,0 +1,304 @@
+
+=pod
+
+=head1 NAME
+
+openssl - OpenSSL command line tool
+
+=head1 SYNOPSIS
+
+B<openssl>
+I<command>
+[ I<command_opts> ]
+[ I<command_args> ]
+
+=head1 DESCRIPTION
+
+OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
+v2/v3) and Transport Layer Security (TLS v1) network protocols and related
+cryptography standards required by them.
+
+The B<openssl> program is a command line tool for using the various
+cryptography functions of OpenSSL's B<crypto> library from the shell. 
+It can be used for 
+
+ o  Creation of RSA, DH and DSA key parameters
+ o  Creation of X.509 certificates, CSRs and CRLs 
+ o  Calculation of Message Digests
+ o  Encryption and Decryption with Ciphers
+ o  SSL/TLS Client and Server Tests
+
+=head1 COMMAND SUMMARY
+
+The B<openssl> program provides a rich variety of commands (I<command> in the
+SYNOPSIS above), each of which often has a wealth of options and arguments
+(I<command_opts> and I<command_args> in the SYNOPSIS).
+
+=head2 STANDARD COMMANDS
+
+=over 10
+
+=item B<asn1parse> 
+
+Parse an ASN.1 sequence.
+
+=item B<ca>
+
+Certificate Authority (CA) Management.  
+
+=item B<ciphers>
+
+Cipher Suite Description Determination.
+
+=item B<crl>
+
+Certificate Revocation List (CRL) Management.
+
+=item B<crl2pkcs7>      
+
+CRL2 to PKCS#7 Conversion.
+
+=item B<dgst>
+
+Message Digest Calculation.
+
+=item B<dh>
+
+Diffie-Hellman Data Management.
+
+=item B<dsa>
+
+DSA Data Management.
+
+=item B<dsaparam>
+
+DSA Parameter Generation.
+
+=item B<enc>            
+
+Encoding with Ciphers.
+
+=item B<errstr>
+
+Error Number to Error String Conversion.
+
+=item B<gendh>
+
+Generation of Diffie-Hellman Parameters.
+
+=item B<gendsa>
+
+Generation of DSA Parameters.
+
+=item B<genrsa>
+
+Generation of RSA Parameters.
+
+=item B<pkcs7>
+
+PKCS#7 Data Management.
+
+=item B<req>
+
+X.509 Certificate Signing Request (CSR) Management.
+
+=item B<rsa>
+
+RSA Data Management.
+
+=item B<s_client>
+
+This implements a generic SSL/TLS client which can establish a transparent
+connection to a remote server speaking SSL/TLS. It's intended for testing
+purposes only and provides only rudimentary interface functionality but
+internally uses mostly all functionality of the OpenSSL B<ssl> library.
+
+=item B<s_server>
+
+This implements a generic SSL/TLS server which accepts connections from remote
+clients speaking SSL/TLS. It's intended for testing purposes only and provides
+only rudimentary interface functionality but internally uses mostly all
+functionality of the OpenSSL B<ssl> library.  It provides both an own command
+line oriented protocol for testing SSL functions and a simple HTTP response
+facility to emulate an SSL/TLS-aware webserver.
+
+=item B<s_time>        
+
+SSL Connection Timer.
+
+=item B<sess_id>
+
+SSL Session Data Management.
+
+=item B<speed>
+
+Algorithm Speed Measurement.
+
+=item B<verify>
+
+X.509 Certificate Verification.
+
+=item B<version>
+
+OpenSSL Version Information.
+
+=item B<x509>           
+
+X.509 Certificate Data Management.
+
+=back
+
+=head2 MESSAGE DIGEST COMMANDS
+
+=over 10
+
+=item B<md2>
+
+MD2 Digest
+
+=item B<md5>
+
+MD5 Digest
+
+=item B<mdc2>
+
+MDC2 Digest
+
+=item B<rmd160>
+
+RMD-160 Digest
+
+=item B<sha>            
+
+SHA Digest
+
+=item B<sha1>           
+
+SHA-1 Digest
+
+=back
+
+=head2 ENCODING AND CIPHER COMMANDS
+
+=over 10
+
+=item B<base64>
+
+Base64 Encoding
+
+=item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
+
+Blowfish Cipher
+
+=item B<cast cast-cbc>
+
+CAST Cipher
+
+=item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
+
+CAST5 Cipher
+
+=item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
+
+DES Cipher
+
+=item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
+
+Triple-DES Cipher
+
+=item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
+
+IDEA Cipher
+
+=item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
+
+RC2 Cipher
+
+=item B<rc4>
+
+RC4 Cipher
+
+=item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
+
+RC5 Cipher
+
+=back
+
+=head1 DETAILED COMMAND DESCRIPTION
+
+The following is a detailed description of every B<openssl> I<command>.
+
+=over 4
+
+=item B<openssl> B<s_client>
+[B<-connect> I<host>B<:>I<port>]
+[B<-verify> I<arg>]
+[B<-cert> I<arg>]
+[B<-key> I<arg>]
+[B<-CApath> I<arg>]
+[B<-CAfile> I<arg>]
+[B<-reconnect>]
+[B<-pause>]
+[B<-debug>]
+[B<-nbio_test>]
+[B<-state>]
+[B<-nbio>]
+[B<-quiet>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-bugs>]
+[B<-cipher>]
+
+The B<s_client> command implements a generic SSL/TLS client which can
+establish a transparent connection to a remote I<host> and I<port> speaking
+SSL/TLS. 
+
+=item B<openssl> B<s_server>
+[B<-accept> I<port>]
+[B<-verify> I<arg>]
+[B<-Verify> I<arg>]
+[B<-cert> I<arg>]
+[B<-key> I<arg>]
+[B<-dcert> I<arg>]
+[B<-dkey> I<arg>]
+[B<-nbio>]
+[B<-nbio_test>]
+[B<-debug>]
+[B<-state>]
+[B<-CApath> I<arg>]
+[B<-CAfile> I<arg>]
+[B<-nocert>]
+[B<-cipher> I<arg>]
+[B<-quiet>]
+[B<-no_tmp_rsa>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-bugs>]
+[B<-www>]
+[B<-WWW>]
+
+The B<s_server> command implements a generic SSL/TLS server which accepts
+connections from remote clients on I<port> speaking SSL/TLS.
+
+=back
+
+...
+
+=head1 SEE ALSO
+
+crypto(3), ssl(3)
+
+=head1 HISTORY
+
+The openssl(3) document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/crypto/openssl/doc/openssl.txt b/crypto/openssl/doc/openssl.txt
new file mode 100644
index 0000000..880eace
--- /dev/null
+++ b/crypto/openssl/doc/openssl.txt
@@ -0,0 +1,1176 @@
+
+This is some preliminary documentation for OpenSSL.
+
+Contents:
+
+ OpenSSL X509V3 extension configuration
+ X509V3 Extension code: programmers guide
+ PKCS#12 Library
+
+
+==============================================================================
+               OpenSSL X509V3 extension configuration
+==============================================================================
+
+OpenSSL X509V3 extension configuration: preliminary documentation.
+
+INTRODUCTION.
+
+For OpenSSL 0.9.2 the extension code has be considerably enhanced. It is now
+possible to add and print out common X509 V3 certificate and CRL extensions.
+
+BEGINNERS NOTE
+
+For most simple applications you don't need to know too much about extensions:
+the default openssl.cnf values will usually do sensible things.
+
+If you want to know more you can initially quickly look through the sections
+describing how the standard OpenSSL utilities display and add extensions and
+then the list of supported extensions.
+
+For more technical information about the meaning of extensions see:
+
+http://www.imc.org/ietf-pkix/
+http://home.netscape.com/eng/security/certs.html
+
+PRINTING EXTENSIONS.
+
+Extension values are automatically printed out for supported extensions.
+
+openssl x509 -in cert.pem -text
+openssl crl -in crl.pem -text
+
+will give information in the extension printout, for example:
+
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15
+            X509v3 Authority Key Identifier: 
+                keyid:73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15, DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/Email=email@1.address/Email=email@2.address, serial:00
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:email@1.address, email:email@2.address
+
+CONFIGURATION FILES.
+
+The OpenSSL utilities 'ca' and 'req' can now have extension sections listing
+which certificate extensions to include. In each case a line:
+
+x509_extensions = extension_section
+
+indicates which section contains the extensions. In the case of 'req' the
+extension section is used when the -x509 option is present to create a
+self signed root certificate.
+
+The 'x509' utility also supports extensions when it signs a certificate.
+The -extfile option is used to set the configuration file containing the
+extensions. In this case a line with:
+
+extensions = extension_section
+
+in the nameless (default) section is used. If no such line is included then
+it uses the default section.
+
+You can also add extensions to CRLs: a line
+
+crl_extensions = crl_extension_section
+
+will include extensions when the -gencrl option is used with the 'ca' utility.
+You can add any extension to a CRL but of the supported extensions only
+issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
+CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
+CRL entry extensions can be displayed.
+
+NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
+you should not include a crl_extensions line in the configuration file.
+
+As with all configuration files you can use the inbuilt environment expansion
+to allow the values to be passed in the environment. Therefore if you have
+several extension sections used for different purposes you can have a line:
+
+x509_extensions = $ENV::ENV_EXT
+
+and set the ENV_EXT environment variable before calling the relevant utility.
+
+EXTENSION SYNTAX.
+
+Extensions have the basic form:
+
+extension_name=[critical,] extension_options
+
+the use of the critical option makes the extension critical. Extreme caution
+should be made when using the critical flag. If an extension is marked
+as critical then any client that does not understand the extension should
+reject it as invalid. Some broken software will reject certificates which
+have *any* critical extensions (these violates PKIX but we have to live
+with it).
+
+There are three main types of extension: string extensions, multi-valued
+extensions, and raw extensions.
+
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+
+For example:
+
+nsComment="This is a Comment"
+
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+
+basicConstraints=critical,CA:true,pathlen:1
+
+The long form allows the values to be placed in a separate section:
+
+basicConstraints=critical,@bs_section
+
+[bs_section]
+
+CA=true
+pathlen=1
+
+Both forms are equivalent. However it should be noted that in some cases the
+same name can appear multiple times, for example,
+
+subjectAltName=email:steve@here,email:steve@there
+
+in this case an equivalent long form is:
+
+subjectAltName=@alt_section
+
+[alt_section]
+
+email.1=steve@here
+email.2=steve@there
+
+This is because the configuration file code cannot handle the same name
+occurring twice in the same section.
+
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+
+In addition it is also possible to use the word DER to include arbitrary
+data in any extension.
+
+1.2.3.4=critical,DER:01:02:03:04
+1.2.3.4=DER:01020304
+
+The value following DER is a hex dump of the DER encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+
+basicConstraints=critical,DER:00:01:02:03
+
+WARNING: DER should be used with caution. It is possible to create totally
+invalid extensions unless care is taken.
+
+CURRENTLY SUPPORTED EXTENSIONS.
+
+If you aren't sure about extensions then they can be largely ignored: its only
+when you want to do things like restrict certificate usage when you need to
+worry about them. 
+
+The only extension that a beginner might want to look at is Basic Constraints.
+If in addition you want to try Netscape object signing the you should also
+look at Netscape Certificate Type.
+
+Literal String extensions.
+
+In each case the 'value' of the extension is placed directly in the
+extension. Currently supported extensions in this category are: nsBaseUrl,
+nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
+nsSslServerName and nsComment.
+
+For example:
+
+nsComment="This is a test comment"
+
+Bit Strings.
+
+Bit string extensions just consist of a list of supported bits, currently
+two extensions are in this category: PKIX keyUsage and the Netscape specific
+nsCertType.
+
+nsCertType (netscape certificate type) takes the flags: client, server, email,
+objsign, reserved, sslCA, emailCA, objCA.
+
+keyUsage (PKIX key usage) takes the flags: digitalSignature, nonRepudiation,
+keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
+encipherOnly, decipherOnly.
+
+For example:
+
+nsCertType=server
+
+keyUsage=digitalSignature, nonRepudiation
+
+Hints on Netscape Certificate Type.
+
+Other than Basic Constraints this is the only extension a beginner might
+want to use, if you want to try Netscape object signing, otherwise it can
+be ignored.
+
+If you want a certificate that can be used just for object signing then:
+
+nsCertType=objsign
+
+will do the job. If you want to use it as a normal end user and server
+certificate as well then
+
+nsCertType=objsign,email,server
+
+is more appropriate. You cannot use a self signed certificate for object
+signing (well Netscape signtool can but it cheats!) so you need to create
+a CA certificate and sign an end user certificate with it.
+
+Side note: If you want to conform to the Netscape specifications then you
+should really also set:
+
+nsCertType=objCA
+
+in the *CA* certificate for just an object signing CA and
+
+nsCertType=objCA,emailCA,sslCA
+
+for everything. Current Netscape software doesn't enforce this so it can
+be omitted.
+
+Basic Constraints.
+
+This is generally the only extension you need to worry about for simple
+applications. If you want your certificate to be usable as a CA certificate
+(in addition to an end user certificate) then you set this to:
+
+basicConstraints=CA:TRUE
+
+if you want to be certain the certificate cannot be used as a CA then do:
+
+basicConstraints=CA:FALSE
+
+The rest of this section describes more advanced usage.
+
+Basic constraints is a multi-valued extension that supports a CA and an
+optional pathlen option. The CA option takes the values true and false and
+pathlen takes an integer. Note if the CA option is false the pathlen option
+should be omitted. 
+
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a CA with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs. This all
+assumes that the software correctly interprets this extension of course.
+
+Examples:
+
+basicConstraints=CA:TRUE
+basicConstraints=critical,CA:TRUE, pathlen:0
+
+NOTE: for a CA to be considered valid it must have the CA option set to
+TRUE. An end user certificate MUST NOT have the CA value set to true.
+According to PKIX recommendations it should exclude the extension entirely,
+however some software may require CA set to FALSE for end entity certificates.
+
+Extended Key Usage.
+
+This extensions consists of a list of usages.
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In particular the
+following PKIX, NS and MS values are meaningful:
+
+Value			Meaning
+-----			-------
+serverAuth		SSL/TLS Web Server Authentication.
+clientAuth		SSL/TLS Web Client Authentication.
+codeSigning		Code signing.
+emailProtection		E-mail Protection (S/MIME).
+timeStamping		Trusted Timestamping
+msCodeInd		Microsoft Individual Code Signing (authenticode)
+msCodeCom		Microsoft Commercial Code Signing (authenticode)
+msCTLSign		Microsoft Trust List Signing
+msSGC			Microsoft Server Gated Crypto
+msEFS			Microsoft Encrypted File System
+nsSGC			Netscape Server Gated Crypto
+
+For example, under IE5 a CA can be used for any purpose: by including a list
+of the above usages the CA can be restricted to only authorised uses.
+
+Note: software packages may place additional interpretations on certificate 
+use, in particular some usages may only work for selected CAs. Don't for example
+expect just including msSGC or nsSGC will automatically mean that a certificate
+can be used for SGC ("step up" encryption) otherwise anyone could use it.
+
+Examples:
+
+extendedKeyUsage=critical,codeSigning,1.2.3.4
+extendedKeyUsage=nsSGC,msSGC
+
+Subject Key Identifier.
+
+This is really a string extension and can take two possible values. Either
+a hex string giving details of the extension value to include or the word
+'hash' which then automatically follow PKIX guidelines in selecting and
+appropriate key identifier. The use of the hex string is strongly discouraged.
+
+Example: subjectKeyIdentifier=hash
+
+Authority Key Identifier.
+
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value "always".
+
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value "always" is present
+then an error is returned if the option fails.
+
+The issuer option copies the issuer and serial number from the issuer
+certificate. Normally this will only be done if the keyid option fails or
+is not included: the "always" flag will always include the value.
+
+Subject Alternative Name.
+
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include "email" (an email address)
+"URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
+registered ID: OBJECT IDENTIFIER) and IP (and IP address).
+
+Also the email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+
+Examples:
+
+subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/
+subjectAltName=email:my@other.address,RID:1.2.3.4
+
+Issuer Alternative Name.
+
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does *not* support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+
+CRL distribution points.
+
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortunately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all. IE5 does partially
+support this extension: but it needs the 'ia5org' option because it will
+only correctly support a broken encoding. Of the options below only the
+policy OID, explicitText and CPS options are displayed with IE5.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must BOTH be present. If you use the userNotice option with IE5
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+
+Example:
+
+certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
+TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
+according to PKIX it should be of type DisplayText but Verisign uses an 
+IA5STRING and IE5 needs this too.
+
+Display only extensions.
+
+Some extensions are only partially supported and currently are only displayed
+but cannot be set. These include private key usage period, CRL number, and
+CRL reason.
+
+==============================================================================
+		X509V3 Extension code: programmers guide
+==============================================================================
+
+The purpose of the extension code is twofold. It allows an extension to be
+created from a string or structure describing its contents and it prints out an
+extension in a human or machine readable form.
+
+1. Initialisation and cleanup.
+
+No special initialisation is needed before calling the extension functions.
+You used to have to call X509V3_add_standard_extensions(); but this is no longer
+required and this function no longer does anything.
+
+void X509V3_EXT_cleanup(void);
+
+This function should be called to cleanup the extension code if any custom
+extensions have been added. If no custom extensions have been added then this
+call does nothing. After this call all custom extension code is freed up but
+you can still use the standard extensions.
+
+2. Printing and parsing extensions.
+
+The simplest way to print out extensions is via the standard X509 printing
+routines: if you use the standard X509_print() function, the supported
+extensions will be printed out automatically.
+
+The following functions allow finer control over extension display:
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
+int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
+
+These two functions print out an individual extension to a BIO or FILE pointer.
+Currently the flag argument is unused and should be set to 0. The 'indent'
+argument is the number of spaces to indent each line.
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+
+This function parses an extension and returns its internal structure. The
+precise structure you get back depends on the extension being parsed. If the
+extension if basicConstraints you will get back a pointer to a
+BASIC_CONSTRAINTS structure. Check out the source in crypto/x509v3 for more
+details about the structures returned. The returned structure should be freed
+after use using the relevant free function, BASIC_CONSTRAINTS_free() for 
+example.
+
+3. Generating extensions.
+
+An extension will typically be generated from a configuration file, or some
+other kind of configuration database.
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+								 X509 *cert);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+								 X509_CRL *crl);
+
+These functions add all the extensions in the given section to the given
+certificate or CRL. They will normally be called just before the certificate
+or CRL is due to be signed. Both return 0 on error on non zero for success.
+
+In each case 'conf' is the LHASH pointer of the configuration file to use
+and 'section' is the section containing the extension details.
+
+See the 'context functions' section for a description of the ctx parameter.
+
+
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+								 char *value);
+
+This function returns an extension based on a name and value pair, if the
+pair will not need to access other sections in a config file (or there is no
+config file) then the 'conf' parameter can be set to NULL.
+
+X509_EXTENSION *X509V3_EXT_conf_nid(char *conf, X509V3_CTX *ctx, int nid,
+								 char *value);
+
+This function creates an extension in the same way as X509V3_EXT_conf() but
+takes the NID of the extension rather than its name.
+
+For example to produce basicConstraints with the CA flag and a path length of
+10:
+
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10");
+
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+
+This function sets up an extension from its internal structure. The ext_nid
+parameter is the NID of the extension and 'crit' is the critical flag.
+
+4. Context functions.
+
+The following functions set and manipulate an extension context structure.
+The purpose of the extension context is to allow the extension code to
+access various structures relating to the "environment" of the certificate:
+for example the issuers certificate or the certificate request.
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
+                                 X509_REQ *req, X509_CRL *crl, int flags);
+
+This function sets up an X509V3_CTX structure with details of the certificate
+environment: specifically the issuers certificate, the subject certificate,
+the certificate request and the CRL: if these are not relevant or not
+available then they can be set to NULL. The 'flags' parameter should be set
+to zero.
+
+X509V3_set_ctx_test(ctx)
+
+This macro is used to set the 'ctx' structure to a 'test' value: this is to
+allow the syntax of an extension (or configuration file) to be tested.
+
+X509V3_set_ctx_nodb(ctx)
+
+This macro is used when no configuration database is present.
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
+
+This function is used to set the configuration database when it is an LHASH
+structure: typically a configuration file.
+
+The following functions are used to access a configuration database: they
+should only be used in RAW extensions.
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
+
+This function returns the value of the parameter "name" in "section", or NULL
+if there has been an error.
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+
+This function frees up the string returned by the above function.
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
+
+This function returns a whole section as a STACK_OF(CONF_VALUE) .
+
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
+
+This function frees up the STACK returned by the above function.
+
+Note: it is possible to use the extension code with a custom configuration
+database. To do this the "db_meth" element of the X509V3_CTX structure should
+be set to an X509V3_CTX_METHOD structure. This structure contains the following
+function pointers:
+
+char * (*get_string)(void *db, char *section, char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+void (*free_string)(void *db, char * string);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
+
+these will be called and passed the 'db' element in the X509V3_CTX structure
+to access the database. If a given function is not implemented or not required
+it can be set to NULL.
+
+5. String helper functions.
+
+There are several "i2s" and "s2i" functions that convert structures to and
+from ASCII strings. In all the "i2s" cases the returned string should be
+freed using Free() after use. Since some of these are part of other extension
+code they may take a 'method' parameter. Unless otherwise stated it can be
+safely set to NULL.
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct);
+
+This returns a hex string from an ASN1_OCTET_STRING.
+
+char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
+char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
+
+These return a string decimal representations of an ASN1_INTEGER and an
+ASN1_ENUMERATED type, respectively.
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+                                                   X509V3_CTX *ctx, char *str);
+
+This converts an ASCII hex string to an ASN1_OCTET_STRING.
+
+ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
+
+This converts a decimal ASCII string into an ASN1_INTEGER.
+
+6. Multi valued extension helper functions.
+
+The following functions can be used to manipulate STACKs of CONF_VALUE
+structures, as used by multi valued extensions.
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
+
+This function expects a boolean value in 'value' and sets 'asn1_bool' to
+it. That is it sets it to 0 for FALSE or 0xff for TRUE. The following
+strings are acceptable: "TRUE", "true", "Y", "y", "YES", "yes", "FALSE"
+"false", "N", "n", "NO" or "no".
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
+
+This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER.
+
+int X509V3_add_value(const char *name, const char *value,
+						STACK_OF(CONF_VALUE) **extlist);
+
+This simply adds a string name and value pair.
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+                          			STACK_OF(CONF_VALUE) **extlist);
+
+The same as above but for an unsigned character value.
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist);
+
+This adds either "TRUE" or "FALSE" depending on the value of 'asn1_bool'
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist);
+
+This is the same as above except it adds nothing if asn1_bool is FALSE.
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+						STACK_OF(CONF_VALUE) **extlist);
+
+This function adds the value of the ASN1_INTEGER in decimal form.
+
+7. Other helper functions.
+
+<to be added>
+
+ADDING CUSTOM EXTENSIONS.
+
+Currently there are three types of supported extensions. 
+
+String extensions are simple strings where the value is placed directly in the
+extensions, and the string returned is printed out.
+
+Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
+or return a STACK_OF(CONF_VALUE).
+
+Raw extensions are just passed a BIO or a value and it is the extensions
+responsibility to handle all the necessary printing.
+
+There are two ways to add an extension. One is simply as an alias to an already
+existing extension. An alias is an extension that is identical in ASN1 structure
+to an existing extension but has a different OBJECT IDENTIFIER. This can be
+done by calling:
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from);
+
+'nid_to' is the new extension NID and 'nid_from' is the already existing
+extension NID.
+
+Alternatively an extension can be written from scratch. This involves writing
+the ASN1 code to encode and decode the extension and functions to print out and
+generate the extension from strings. The relevant functions are then placed in
+a X509V3_EXT_METHOD structure and int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+called.
+
+The X509V3_EXT_METHOD structure is described below.
+
+strut {
+int ext_nid;
+int ext_flags;
+X509V3_EXT_NEW ext_new;
+X509V3_EXT_FREE ext_free;
+X509V3_EXT_D2I d2i;
+X509V3_EXT_I2D i2d;
+X509V3_EXT_I2S i2s;
+X509V3_EXT_S2I s2i;
+X509V3_EXT_I2V i2v;
+X509V3_EXT_V2I v2i;
+X509V3_EXT_R2I r2i;
+X509V3_EXT_I2R i2r;
+
+void *usr_data;
+};
+
+The elements have the following meanings.
+
+ext_nid		is the NID of the object identifier of the extension.
+
+ext_flags	is set of flags. Currently the only external flag is
+		X509V3_EXT_MULTILINE which means a multi valued extensions
+		should be printed on separate lines.
+
+usr_data	is an extension specific pointer to any relevant data. This
+		allows extensions to share identical code but have different
+		uses. An example of this is the bit string extension which uses
+		usr_data to contain a list of the bit names.
+
+All the remaining elements are function pointers.
+
+ext_new		is a pointer to a function that allocates memory for the
+		extension ASN1 structure: for example ASN1_OBJECT_new().
+
+ext_free	is a pointer to a function that free up memory of the extension
+		ASN1 structure: for example ASN1_OBJECT_free().
+
+d2i		is the standard ASN1 function that converts a DER buffer into
+		the internal ASN1 structure: for example d2i_ASN1_IA5STRING().
+
+i2d		is the standard ASN1 function that converts the internal
+		structure into the DER representation: for example
+		i2d_ASN1_IA5STRING().
+
+The remaining functions are depend on the type of extension. One i2X and
+one X2i should be set and the rest set to NULL. The types set do not need
+to match up, for example the extension could be set using the multi valued
+v2i function and printed out using the raw i2r.
+
+All functions have the X509V3_EXT_METHOD passed to them in the 'method'
+parameter and an X509V3_CTX structure. Extension code can then access the
+parent structure via the 'method' parameter to for example make use of the value
+of usr_data. If the code needs to use detail relating to the request it can
+use the 'ctx' parameter.
+
+A note should be given here about the 'flags' member of the 'ctx' parameter.
+If it has the value CTX_TEST then the configuration syntax is being checked
+and no actual certificate or CRL exists. Therefore any attempt in the config
+file to access such information should silently succeed. If the syntax is OK
+then it should simply return a (possibly bogus) extension, otherwise it
+should return NULL.
+
+char *i2s(struct v3_ext_method *method, void *ext);
+
+This function takes the internal structure in the ext parameter and returns
+a Malloc'ed string representing its value.
+
+void * s2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This function takes the string representation in the ext parameter and returns
+an allocated internal structure: ext_free() will be used on this internal
+structure after use.
+
+i2v and v2i handle a STACK_OF(CONF_VALUE):
+
+typedef struct
+{
+        char *section;
+        char *name;
+        char *value;
+} CONF_VALUE;
+
+Only the name and value members are currently used.
+
+STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext);
+
+This function is passed the internal structure in the ext parameter and
+returns a STACK of CONF_VALUE structures. The values of name, value,
+section and the structure itself will be freed up with Free after use.
+Several helper functions are available to add values to this STACK.
+
+void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx,
+						STACK_OF(CONF_VALUE) *values);
+
+This function takes a STACK_OF(CONF_VALUE) structures and should set the
+values of the external structure. This typically uses the name element to
+determine which structure element to set and the value element to determine
+what to set it to. Several helper functions are available for this
+purpose (see above).
+
+int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
+
+This function is passed the internal extension structure in the ext parameter
+and sends out a human readable version of the extension to out. The 'indent'
+parameter should be noted to determine the necessary amount of indentation
+needed on the output.
+
+void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This is just passed the string representation of the extension. It is intended
+to be used for more elaborate extensions where the standard single and multi
+valued options are insufficient. They can use the 'ctx' parameter to parse the
+configuration database themselves. See the context functions section for details
+of how to do this.
+
+Note: although this type takes the same parameters as the "r2s" function there
+is a subtle difference. Whereas an "r2i" function can access a configuration
+database an "s2i" function MUST NOT. This is so the internal code can safely
+assume that an "s2i" function will work without a configuration database.
+
+==============================================================================
+                            PKCS#12 Library
+==============================================================================
+
+This section describes the internal PKCS#12 support. There are very few
+differences between the old external library and the new internal code at
+present. This may well change because the external library will not be updated
+much in future.
+
+This version now includes a couple of high level PKCS#12 functions which
+generally "do the right thing" and should make it much easier to handle PKCS#12
+structures.
+
+HIGH LEVEL FUNCTIONS.
+
+For most applications you only need concern yourself with the high level
+functions. They can parse and generate simple PKCS#12 files as produced by
+Netscape and MSIE or indeed any compliant PKCS#12 file containing a single
+private key and certificate pair.
+
+1. Initialisation and cleanup.
+
+No special initialisation is needed for the internal PKCS#12 library: the 
+standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
+add all algorithms (you should at least add SHA1 though) then you can manually
+initialise the PKCS#12 library with:
+
+PKCS12_PBE_add();
+
+The memory allocated by the PKCS#12 library is freed up when EVP_cleanup() is
+called or it can be directly freed with:
+
+EVP_PBE_cleanup();
+
+after this call (or EVP_cleanup() ) no more PKCS#12 library functions should
+be called.
+
+2. I/O functions.
+
+i2d_PKCS12_bio(bp, p12)
+
+This writes out a PKCS12 structure to a BIO.
+
+i2d_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+d2i_PKCS12_bio(bp, p12)
+
+This reads in a PKCS12 structure from a BIO.
+
+d2i_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+3. High level functions.
+
+3.1 Parsing with PKCS12_parse().
+
+int PKCS12_parse(PKCS12 *p12, char *pass, EVP_PKEY **pkey, X509 **cert,
+								 STACK **ca);
+
+This function takes a PKCS12 structure and a password (ASCII, null terminated)
+and returns the private key, the corresponding certificate and any CA
+certificates. If any of these is not required it can be passed as a NULL.
+The 'ca' parameter should be either NULL, a pointer to NULL or a valid STACK
+structure. Typically to read in a PKCS#12 file you might do:
+
+p12 = d2i_PKCS12_fp(fp, NULL);
+PKCS12_parse(p12, password, &pkey, &cert, NULL); 	/* CAs not wanted */
+PKCS12_free(p12);
+
+3.2 PKCS#12 creation with PKCS12_create().
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+			STACK *ca, int nid_key, int nid_cert, int iter,
+						 int mac_iter, int keytype);
+
+This function will create a PKCS12 structure from a given password, name,
+private key, certificate and optional STACK of CA certificates. The remaining
+5 parameters can be set to 0 and sensible defaults will be used.
+
+The parameters nid_key and nid_cert are the key and certificate encryption
+algorithms, iter is the encryption iteration count, mac_iter is the MAC
+iteration count and keytype is the type of private key. If you really want
+to know what these last 5 parameters do then read the low level section.
+
+Typically to create a PKCS#12 file the following could be used:
+
+p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
+i2d_PKCS12_fp(fp, p12);
+PKCS12_free(p12);
+
+3.3 Changing a PKCS#12 structure password.
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+
+This changes the password of an already existing PKCS#12 structure. oldpass
+is the old password and newpass is the new one. An error occurs if the old
+password is incorrect.
+
+LOW LEVEL FUNCTIONS.
+
+In some cases the high level functions do not provide the necessary
+functionality. For example if you want to generate or parse more complex
+PKCS#12 files. The sample pkcs12 application uses the low level functions
+to display details about the internal structure of a PKCS#12 file.
+
+Introduction.
+
+This is a brief description of how a PKCS#12 file is represented internally:
+some knowledge of PKCS#12 is assumed.
+
+A PKCS#12 object contains several levels.
+
+At the lowest level is a PKCS12_SAFEBAG. This can contain a certificate, a
+CRL, a private key, encrypted or unencrypted, a set of safebags (so the
+structure can be nested) or other secrets (not documented at present). 
+A safebag can optionally have attributes, currently these are: a unicode
+friendlyName (a Unicode string) or a localKeyID (a string of bytes).
+
+At the next level is an authSafe which is a set of safebags collected into
+a PKCS#7 ContentInfo. This can be just plain data, or encrypted itself.
+
+At the top level is the PKCS12 structure itself which contains a set of
+authSafes in an embedded PKCS#7 Contentinfo of type data. In addition it
+contains a MAC which is a kind of password protected digest to preserve
+integrity (so any unencrypted stuff below can't be tampered with).
+
+The reason for these levels is so various objects can be encrypted in various
+ways. For example you might want to encrypt a set of private keys with
+triple-DES and then include the related certificates either unencrypted or
+with lower encryption. Yes it's the dreaded crypto laws at work again which
+allow strong encryption on private keys and only weak encryption on other
+stuff.
+
+To build one of these things you turn all certificates and keys into safebags
+(with optional attributes). You collect the safebags into (one or more) STACKS
+and convert these into authsafes (encrypted or unencrypted).  The authsafes
+are collected into a STACK and added to a PKCS12 structure.  Finally a MAC
+inserted.
+
+Pulling one apart is basically the reverse process. The MAC is verified against
+the given password. The authsafes are extracted and each authsafe split into
+a set of safebags (possibly involving decryption). Finally the safebags are
+decomposed into the original keys and certificates and the attributes used to
+match up private key and certificate pairs.
+
+Anyway here are the functions that do the dirty work.
+
+1. Construction functions.
+
+1.1 Safebag functions.
+
+M_PKCS12_x5092certbag(x509)
+
+This macro takes an X509 structure and returns a certificate bag. The
+X509 structure can be freed up after calling this function.
+
+M_PKCS12_x509crl2certbag(crl)
+
+As above but for a CRL.
+
+PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey)
+
+Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure.
+Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo
+structure contains a private key data in plain text form it should be free'd
+up as soon as it has been encrypted for security reasons (freeing up the
+structure zeros out the sensitive data). This can be done with
+PKCS8_PRIV_KEY_INFO_free().
+
+PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
+
+This sets the key type when a key is imported into MSIE or Outlook 98. Two
+values are currently supported: KEY_EX and KEY_SIG. KEY_EX is an exchange type
+key that can also be used for signing but its size is limited in the export
+versions of MS software to 512 bits, it is also the default. KEY_SIG is a
+signing only key but the keysize is unlimited (well 16K is supposed to work).
+If you are using the domestic version of MSIE then you can ignore this because
+KEY_EX is not limited and can be used for both.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS8 private key structure into a keybag. This routine embeds the
+p8 structure in the keybag so p8 should not be freed up or used after it is
+called.  The p8 structure will be freed up when the safebag is freed.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS#8 structure into a shrouded key bag (encrypted). p8 is not
+embedded and can be freed up after use.
+
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+int PKCS12_add_friendlyname(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+
+Add a local key id or a friendlyname to a safebag.
+
+1.2 Authsafe functions.
+
+PKCS7 *PKCS12_pack_p7data(STACK *sk)
+Take a stack of safebags and convert them into an unencrypted authsafe. The
+stack of safebags can be freed up after calling this function.
+
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, STACK *bags);
+
+As above but encrypted.
+
+1.3 PKCS12 functions.
+
+PKCS12 *PKCS12_init(int mode)
+
+Initialise a PKCS12 structure (currently mode should be NID_pkcs7_data).
+
+M_PKCS12_pack_authsafes(p12, safes)
+
+This macro takes a STACK of authsafes and adds them to a PKCS#12 structure.
+
+int PKCS12_set_mac(PKCS12 *p12, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_MD *md_type);
+
+Add a MAC to a PKCS12 structure. If EVP_MD is NULL use SHA-1, the spec suggests
+that SHA-1 should be used.
+
+2. Extraction Functions.
+
+2.1 Safebags.
+
+M_PKCS12_bag_type(bag)
+
+Return the type of "bag". Returns one of the following
+
+NID_keyBag
+NID_pkcs8ShroudedKeyBag			7
+NID_certBag				8
+NID_crlBag				9
+NID_secretBag				10
+NID_safeContentsBag			11
+
+M_PKCS12_cert_bag_type(bag)
+
+Returns type of certificate bag, following are understood.
+
+NID_x509Certificate			14
+NID_sdsiCertificate			15
+
+M_PKCS12_crl_bag_type(bag)
+
+Returns crl bag type, currently only NID_crlBag is recognised.
+
+M_PKCS12_certbag2x509(bag)
+
+This macro extracts an X509 certificate from a certificate bag.
+
+M_PKCS12_certbag2x509crl(bag)
+
+As above but for a CRL.
+
+EVP_PKEY * PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
+
+Extract a private key from a PKCS8 private key info structure.
+
+M_PKCS12_decrypt_skey(bag, pass, passlen) 
+
+Decrypt a shrouded key bag and return a PKCS8 private key info structure.
+Works with both RSA and DSA keys
+
+char *PKCS12_get_friendlyname(bag)
+
+Returns the friendlyName of a bag if present or NULL if none. The returned
+string is a null terminated ASCII string allocated with Malloc(). It should 
+thus be freed up with Free() after use.
+
+2.2 AuthSafe functions.
+
+M_PKCS12_unpack_p7data(p7)
+
+Extract a STACK of safe bags from a PKCS#7 data ContentInfo.
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen)
+
+As above but for an encrypted content info.
+
+2.3 PKCS12 functions.
+
+M_PKCS12_unpack_authsafes(p12)
+
+Extract a STACK of authsafes from a PKCS12 structure.
+
+M_PKCS12_mac_present(p12)
+
+Check to see if a MAC is present.
+
+int PKCS12_verify_mac(PKCS12 *p12, unsigned char *pass, int passlen)
+
+Verify a MAC on a PKCS12 structure. Returns an error if MAC not present.
+
+
+Notes.
+
+1. All the function return 0 or NULL on error.
+2. Encryption based functions take a common set of parameters. These are
+described below.
+
+pass, passlen
+ASCII password and length. The password on the MAC is called the "integrity
+password" the encryption password is called the "privacy password" in the
+PKCS#12 documentation. The passwords do not have to be the same. If -1 is
+passed for the length it is worked out by the function itself (currently
+this is sometimes done whatever is passed as the length but that may change).
+
+salt, saltlen
+A 'salt' if salt is NULL a random salt is used. If saltlen is also zero a
+default length is used.
+
+iter
+Iteration count. This is a measure of how many times an internal function is
+called to encrypt the data. The larger this value is the longer it takes, it
+makes dictionary attacks on passwords harder. NOTE: Some implementations do
+not support an iteration count on the MAC. If the password for the MAC and
+encryption is the same then there is no point in having a high iteration
+count for encryption if the MAC has no count. The MAC could be attacked
+and the password used for the main decryption.
+
+pbe_nid
+This is the NID of the password based encryption method used. The following are
+supported.
+NID_pbe_WithSHA1And128BitRC4
+NID_pbe_WithSHA1And40BitRC4
+NID_pbe_WithSHA1And3_Key_TripleDES_CBC
+NID_pbe_WithSHA1And2_Key_TripleDES_CBC
+NID_pbe_WithSHA1And128BitRC2_CBC
+NID_pbe_WithSHA1And40BitRC2_CBC
+
+Which you use depends on the implementation you are exporting to. "Export
+grade" (i.e. cryptographically challenged) products cannot support all
+algorithms. Typically you may be able to use any encryption on shrouded key
+bags but they must then be placed in an unencrypted authsafe. Other authsafes
+may only support 40bit encryption. Of course if you are using SSLeay
+throughout you can strongly encrypt everything and have high iteration counts
+on everything.
+
+3. For decryption routines only the password and length are needed.
+
+4. Unlike the external version the nid's of objects are the values of the
+constants: that is NID_certBag is the real nid, therefore there is no 
+PKCS12_obj_offset() function.  Note the object constants are not the same as
+those of the external version. If you use these constants then you will need
+to recompile your code.
+
+5. With the exception of PKCS12_MAKE_KEYBAG(), after calling any function or 
+macro of the form PKCS12_MAKE_SOMETHING(other) the "other" structure can be
+reused or freed up safely.
+
diff --git a/crypto/openssl/doc/openssl_button.gif b/crypto/openssl/doc/openssl_button.gif
new file mode 100644
index 0000000..3d3c90c
--- /dev/null
+++ b/crypto/openssl/doc/openssl_button.gif
diff --git a/crypto/openssl/doc/openssl_button.html b/crypto/openssl/doc/openssl_button.html
new file mode 100644
index 0000000..44c91bd
--- /dev/null
+++ b/crypto/openssl/doc/openssl_button.html
@@ -0,0 +1,7 @@
+
+<!-- the `Includes OpenSSL Cryptogaphy Software' button      -->
+<!-- freely usable by any application linked against OpenSSL -->
+<a   href="http://www.openssl.org/">
+<img src="openssl_button.gif" 
+     width=102 height=47 border=0></a>
+
diff --git a/crypto/openssl/doc/ssl.pod b/crypto/openssl/doc/ssl.pod
new file mode 100644
index 0000000..46ee443
--- /dev/null
+++ b/crypto/openssl/doc/ssl.pod
@@ -0,0 +1,633 @@
+
+=pod
+
+=head1 NAME
+
+SSL - OpenSSL SSL/TLS library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
+Transport Layer Security (TLS v1) protocols. It provides a rich API which is
+documented here.
+
+=head1 HEADER FILES
+
+Currently the OpenSSL B<ssl> library provides the following C header files
+containing the prototypes for the data structures and and functions:
+
+=over 4
+
+=item B<ssl.h>
+
+That's the common header file for the SSL/TLS API.  Include it into your
+program to make the API of the B<ssl> library available. It internally
+includes both more private SSL headers and headers from the B<crypto> library.
+Whenever you need hard-core details on the internals of the SSL API, look
+inside this header file.
+
+=item B<ssl2.h>
+
+That's the sub header file dealing with the SSLv2 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl3.h>
+
+That's the sub header file dealing with the SSLv3 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl23.h>
+
+That's the sub header file dealing with the combined use of the SSLv2 and
+SSLv3 protocols.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<tls1.h>
+
+That's the sub header file dealing with the TLSv1 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=back
+
+=head1 DATA STRUCTURES
+
+Currently the OpenSSL B<ssl> library functions deals with the following data
+structures:
+
+=over 4
+
+=item B<SSL_METHOD> (SSL Method)
+
+That's a dispatch structure describing the internal B<ssl> library
+methods/functions which implement the various protocol versions (SSLv1, SSLv2
+and TLSv1). It's needed to create an B<SSL_CTX>.
+
+=item B<SSL_CIPHER> (SSL Cipher)
+
+This structure holds the algorithm information for a particular cipher which
+are a core part of the SSL/TLS protocol. The available ciphers are configured
+on a B<SSL_CTX> basis and the actually used ones are then part of the
+B<SSL_SESSION>.
+
+=item B<SSL_CTX> (SSL Context)
+
+That's the global context structure which is created by a server or client
+once per program life-time and which holds mainly default values for the
+B<SSL> structures which are later created for the connections.
+
+=item B<SSL_SESSION> (SSL Session)
+
+This is a structure containing the current SSL session details for a
+connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
+
+=item B<SSL> (SSL Connection)
+
+That's the main SSL/TLS structure which is created by a server or client per
+established connection. This actually is the core structure in the SSL API.
+Under run-time the application usually deals with this structure which has
+links to mostly all other structures.
+
+=back
+
+=head1 API FUNCTIONS
+
+Currently the OpenSSL B<ssl> library exports 214 API functions.
+They are documented in the following:
+
+=head2 DEALING WITH PROTOCOL METHODS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol methods defined in B<SSL_METHOD> structures.
+
+=over 4
+
+=item SSL_METHOD *B<SSLv2_client_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv2_server_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv2_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<SSLv3_client_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv3_server_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv3_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<TLSv1_client_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<TLSv1_server_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<TLSv1_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for combined client and server.
+
+=back
+
+=head2 DEALING WITH CIPHERS
+
+Here we document the various API functions which deal with the SSL/TLS
+ciphers defined in B<SSL_CIPHER> structures.
+
+=over 4
+
+=item char *B<SSL_CIPHER_description>(SSL_CIPHER *cipher, char *buf, int len);
+
+Write a string to I<buf> (with a maximum size of I<len>) containing a human
+readable description of I<cipher>. Returns I<buf>.
+
+=item int B<SSL_CIPHER_get_bits>(SSL_CIPHER *cipher, int *alg_bits);
+
+Determine the number of bits in I<cipher>. Because of export crippled ciphers
+there are two bits: The bits the algorithm supports in general (stored to
+I<alg_bits>) and the bits which are actually used (the return value).
+
+=item char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
+
+Return the internal name of I<cipher> as a string. These are the various
+strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+definitions in the header files.
+
+=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+
+Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
+in the specification the first time).
+
+=back
+
+=head2 DEALING WITH PROTOCOL CONTEXTS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol context defined in the B<SSL_CTX> structure.
+
+=over 4
+
+=item int B<SSL_CTX_add_client_CA>(SSL_CTX *ctx, X509 *x);
+
+=item long B<SSL_CTX_add_extra_chain_cert>(SSL_CTX *ctx, X509 *x509);
+
+=item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
+
+=item void B<SSL_CTX_flush_sessions>(SSL_CTX *s, long t);
+
+=item void B<SSL_CTX_free>(SSL_CTX *a);
+
+=item char *B<SSL_CTX_get_app_data>(SSL_CTX *ctx);
+
+=item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
+
+=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+
+=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+
+=item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
+
+=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+
+=item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_load_verify_locations>(SSL_CTX *ctx, char *CAfile, char *CApath);
+
+=item long B<SSL_CTX_need_tmp_RSA>(SSL_CTX *ctx);
+
+=item SSL_CTX *B<SSL_CTX_new>(SSL_METHOD *meth);
+
+=item int B<SSL_CTX_remove_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_sess_accept>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cache_full>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cb_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_get_cache_size>(SSL_CTX *ctx);
+
+=item SSL_SESSION *(*B<SSL_CTX_sess_get_get_cb>(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);
+
+=item int (*B<SSL_CTX_sess_get_new_cb>(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);
+
+=item void (*B<SSL_CTX_sess_get_remove_cb>(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);
+
+=item int B<SSL_CTX_sess_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_misses>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_number>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_sess_set_cache_size>(SSL_CTX *ctx,t);
+
+=item void B<SSL_CTX_sess_set_get_cb>(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));
+
+=item void B<SSL_CTX_sess_set_new_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));
+
+=item void B<SSL_CTX_sess_set_remove_cb>(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));
+
+=item int B<SSL_CTX_sess_timeouts>(SSL_CTX *ctx);
+
+=item LHASH *B<SSL_CTX_sessions>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_set_app_data>(SSL_CTX *ctx, void *arg);
+
+=item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
+
+=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg)
+
+=item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
+
+=item void B<SSL_CTX_set_client_CA_list>(SSL_CTX *ctx, STACK *list);
+
+=item void B<SSL_CTX_set_client_cert_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+
+=item void B<SSL_CTX_set_default_passwd_cb>(SSL_CTX *ctx, int (*cb);(void))
+
+=item void B<SSL_CTX_set_default_read_ahead>(SSL_CTX *ctx, int m);
+
+=item int B<SSL_CTX_set_default_verify_paths>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_set_ex_data>(SSL_CTX *s, int idx, char *arg);
+
+=item void B<SSL_CTX_set_info_callback>(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));
+
+=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
+
+=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
+
+=item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode);
+
+=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, SSL_METHOD *meth);
+
+=item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t);
+
+=item long B<SSL_CTX_set_tmp_dh>(SSL_CTX* ctx, DH *dh);
+
+=item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
+
+=item long B<SSL_CTX_set_tmp_rsa>(SSL_CTX *ctx, RSA *rsa);
+
+=item SSL_CTX_set_tmp_rsa_callback
+
+C<long B<SSL_CTX_set_tmp_rsa_callback>(SSL_CTX *B<ctx>, RSA *(*B<cb>)(SSL *B<ssl>, int B<export>, int B<keylength>));>
+
+Sets the callback which will be called when a temporary private key is
+required. The B<C<export>> flag will be set if the reason for needing
+a temp key is that an export ciphersuite is in use, in which case,
+B<C<keylength>> will contain the required keylength in bits. Generate a key of
+appropriate size (using ???) and return it.
+
+=item SSL_set_tmp_rsa_callback
+
+long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
+
+The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL
+session instead of a context.
+
+=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
+
+=item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
+
+=item int B<SSL_CTX_use_PrivateKey_ASN1>(int type, SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_PrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_RSAPrivateKey>(SSL_CTX *ctx, RSA *rsa);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_ASN1>(SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_certificate>(SSL_CTX *ctx, X509 *x);
+
+=item int B<SSL_CTX_use_certificate_ASN1>(SSL_CTX *ctx, int len, unsigned char *d);
+
+=item int B<SSL_CTX_use_certificate_file>(SSL_CTX *ctx, char *file, int type);
+
+=back
+
+=head2 DEALING WITH SESSIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+sessions defined in the B<SSL_SESSION> structures.
+
+=over 4
+
+=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+
+=item void B<SSL_SESSION_free>(SSL_SESSION *ss);
+
+=item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
+
+=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+
+=item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+
+=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+
+=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+
+=item SSL_SESSION *B<SSL_SESSION_new>(void);
+
+=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+
+=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+
+=item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
+
+=item int B<SSL_SESSION_set_ex_data>(SSL_SESSION *s, int idx, char *arg);
+
+=item long B<SSL_SESSION_set_time>(SSL_SESSION *s, long t);
+
+=item long B<SSL_SESSION_set_timeout>(SSL_SESSION *s, long t);
+
+=back
+
+=head2 DEALING WITH CONNECTIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+connection defined in the B<SSL> structure.
+
+=over 4
+
+=item int B<SSL_accept>(SSL *ssl);
+
+=item int B<SSL_add_dir_cert_subjects_to_stack>(STACK *stack, const char *dir);
+
+=item int B<SSL_add_file_cert_subjects_to_stack>(STACK *stack, const char *file);
+
+=item int B<SSL_add_client_CA>(SSL *ssl, X509 *x);
+
+=item char *B<SSL_alert_desc_string>(int value);
+
+=item char *B<SSL_alert_desc_string_long>(int value);
+
+=item char *B<SSL_alert_type_string>(int value);
+
+=item char *B<SSL_alert_type_string_long>(int value);
+
+=item int B<SSL_check_private_key>(SSL *ssl);
+
+=item void B<SSL_clear>(SSL *ssl);
+
+=item long B<SSL_clear_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_connect>(SSL *ssl);
+
+=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+
+=item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
+
+=item int B<SSL_do_handshake>(SSL *ssl);
+
+=item SSL *B<SSL_dup>(SSL *ssl);
+
+=item STACK *B<SSL_dup_CA_list>(STACK *sk);
+
+=item void B<SSL_free>(SSL *ssl);
+
+=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+
+=item char *B<SSL_get_app_data>(SSL *ssl);
+
+=item X509 *B<SSL_get_certificate>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_cipher>(SSL *ssl);
+
+=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+
+=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+
+=item char *B<SSL_get_cipher_name>(SSL *ssl);
+
+=item char *B<SSL_get_cipher_version>(SSL *ssl);
+
+=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+
+=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
+
+=item long B<SSL_get_default_timeout>(SSL *ssl);
+
+=item int B<SSL_get_error>(SSL *ssl, int i);
+
+=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+
+=item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
+
+=item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item int B<SSL_get_fd>(SSL *ssl);
+
+=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+
+=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+
+=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+
+=item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
+
+=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+
+=item BIO *B<SSL_get_rbio>(SSL *ssl);
+
+=item int B<SSL_get_read_ahead>(SSL *ssl);
+
+=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+
+=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+
+=item int B<SSL_get_shutdown>(SSL *ssl);
+
+=item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
+
+=item int B<SSL_get_state>(SSL *ssl);
+
+=item long B<SSL_get_time>(SSL *ssl);
+
+=item long B<SSL_get_timeout>(SSL *ssl);
+
+=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+
+=item int B<SSL_get_verify_mode>(SSL *ssl);
+
+=item long B<SSL_get_verify_result>(SSL *ssl);
+
+=item char *B<SSL_get_version>(SSL *ssl);
+
+=item BIO *B<SSL_get_wbio>(SSL *ssl);
+
+=item int B<SSL_in_accept_init>(SSL *ssl);
+
+=item int B<SSL_in_before>(SSL *ssl);
+
+=item int B<SSL_in_connect_init>(SSL *ssl);
+
+=item int B<SSL_in_init>(SSL *ssl);
+
+=item int B<SSL_is_init_finished>(SSL *ssl);
+
+=item STACK *B<SSL_load_client_CA_file>(char *file);
+
+=item void B<SSL_load_error_strings>(void);
+
+=item SSL *B<SSL_new>(SSL_CTX *ctx);
+
+=item long B<SSL_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_pending>(SSL *ssl);
+
+=item int B<SSL_read>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_renegotiate>(SSL *ssl);
+
+=item char *B<SSL_rstate_string>(SSL *ssl);
+
+=item char *B<SSL_rstate_string_long>(SSL *ssl);
+
+=item long B<SSL_session_reused>(SSL *ssl);
+
+=item void B<SSL_set_accept_state>(SSL *ssl);
+
+=item void B<SSL_set_app_data>(SSL *ssl, char *arg);
+
+=item void B<SSL_set_bio>(SSL *ssl, BIO *rbio, BIO *wbio);
+
+=item int B<SSL_set_cipher_list>(SSL *ssl, char *str);
+
+=item void B<SSL_set_client_CA_list>(SSL *ssl, STACK *list);
+
+=item void B<SSL_set_connect_state>(SSL *ssl);
+
+=item int B<SSL_set_ex_data>(SSL *ssl, int idx, char *arg);
+
+=item int B<SSL_set_fd>(SSL *ssl, int fd);
+
+=item void B<SSL_set_info_callback>(SSL *ssl, void (*cb);(void))
+
+=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
+
+=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
+
+=item void B<SSL_set_read_ahead>(SSL *ssl, int yes);
+
+=item int B<SSL_set_rfd>(SSL *ssl, int fd);
+
+=item int B<SSL_set_session>(SSL *ssl, SSL_SESSION *session);
+
+=item void B<SSL_set_shutdown>(SSL *ssl, int mode);
+
+=item int B<SSL_set_ssl_method>(SSL *ssl, SSL_METHOD *meth);
+
+=item void B<SSL_set_time>(SSL *ssl, long t);
+
+=item void B<SSL_set_timeout>(SSL *ssl, long t);
+
+=item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
+
+=item void B<SSL_set_verify_result>(SSL *ssl, long arg);
+
+=item int B<SSL_set_wfd>(SSL *ssl, int fd);
+
+=item int B<SSL_shutdown>(SSL *ssl);
+
+=item int B<SSL_state>(SSL *ssl);
+
+=item char *B<SSL_state_string>(SSL *ssl);
+
+=item char *B<SSL_state_string_long>(SSL *ssl);
+
+=item long B<SSL_total_renegotiations>(SSL *ssl);
+
+=item int B<SSL_use_PrivateKey>(SSL *ssl, EVP_PKEY *pkey);
+
+=item int B<SSL_use_PrivateKey_ASN1>(int type, SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_PrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_RSAPrivateKey>(SSL *ssl, RSA *rsa);
+
+=item int B<SSL_use_RSAPrivateKey_ASN1>(SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_RSAPrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_certificate>(SSL *ssl, X509 *x);
+
+=item int B<SSL_use_certificate_ASN1>(SSL *ssl, int len, unsigned char *d);
+
+=item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_version>(SSL *ssl);
+
+=item int B<SSL_want>(SSL *ssl);
+
+=item int B<SSL_want_nothing>(SSL *ssl);
+
+=item int B<SSL_want_read>(SSL *ssl);
+
+=item int B<SSL_want_write>(SSL *ssl);
+
+=item int B<SSL_want_x509_lookup>(s);
+
+=item int B<SSL_write>(SSL *ssl, char *buf, int num);
+
+=back
+
+=head1 SEE ALSO
+
+openssl(1), crypto(3)
+
+=head1 HISTORY
+
+The ssl(3) document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod
new file mode 100644
index 0000000..9cacded
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_get_error.pod
@@ -0,0 +1,91 @@
+=pod
+
+=head1 NAME
+
+SSL_get_error - obtain result code for SSL I/O operation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_error(SSL *ssl, int ret);
+
+=head1 DESCRIPTION
+
+SSL_get_error() returns a result code (suitable for the C "switch"
+statement) for a preceding call to SSL_connect(), SSL_accept(),
+SSL_read(), or SSL_write() on B<ssl>.  The value returned by that
+SSL I/O function must be passed to SSL_get_error() in parameter
+B<ret>.
+
+In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
+current thread's OpenSSL error queue.  Thus, SSL_get_error() must be
+used in the same thread that performed the SSL I/O operation, and no
+other OpenSSL function calls should appear in between.  The current
+thread's error queue must be empty before the SSL I/O operation is
+attempted, or SSL_get_error() will not work reliably.
+
+=head1 RETURN VALUES
+
+The following return values can currently occur:
+
+=over 4
+
+=item SSL_ERROR_NONE
+
+The SSL I/O operation completed.  This result code is returned
+if and only if B<ret E<gt> 0>.
+
+=item SSL_ERROR_ZERO_RETURN
+
+The SSL connection has been closed.  If the protocol version is SSL 3.0
+or TLS 1.0, this result code is returned only if a closure
+alerts has occurred in the protocol, i.e. if the connection has been
+closed cleanly.
+
+=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
+
+The operation did not complete; the same SSL I/O function should be
+called again later.  There will be protocol progress if, by then, the
+underlying B<BIO> has data available for reading (if the result code is
+B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>). 
+For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that
+select() or poll() on the underlying socket can be used to find out
+when the SSL I/O function should be retried.
+
+Caveat: Any SSL I/O function can lead to either of
+B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read()
+may want to write data and SSL_write() may want to read data.
+
+=item SSL_ERROR_WANT_X509_LOOKUP
+
+The operation did not complete because an application callback set by
+SSL_CTX_set_client_cert_cb() has asked to be called again.
+The SSL I/O function should be called again later.
+Details depend on the application.
+
+=item SSL_ERROR_SYSCALL
+
+Some I/O error occurred.  The OpenSSL error queue may contain more
+information on the error.  If the error queue is empty
+(i.e. ERR_get_error() returns 0), B<ret> can be used to find out more
+about the error: If B<ret == 0>, an EOF was observed that violates
+the protocol.  If B<ret == -1>, the underlying B<BIO> reported an
+I/O error (for socket I/O on Unix systems, consult B<errno> for details).
+
+=item SSL_ERROR_SSL
+
+A failure in the SSL library occurred, usually a protocol error.  The
+OpenSSL error queue contains more information on the error.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+SSL_get_error() was added in SSLeay 0.8.
+
+=cut
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
new file mode 100644
index 0000000..e538766
--- /dev/null
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -0,0 +1,634 @@
+
+=pod
+
+=head1 NAME
+
+SSL - OpenSSL SSL/TLS library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
+Transport Layer Security (TLS v1) protocols. It provides a rich API which is
+documented here.
+
+=head1 HEADER FILES
+
+Currently the OpenSSL B<ssl> library provides the following C header files
+containing the prototypes for the data structures and and functions:
+
+=over 4
+
+=item B<ssl.h>
+
+That's the common header file for the SSL/TLS API.  Include it into your
+program to make the API of the B<ssl> library available. It internally
+includes both more private SSL headers and headers from the B<crypto> library.
+Whenever you need hard-core details on the internals of the SSL API, look
+inside this header file.
+
+=item B<ssl2.h>
+
+That's the sub header file dealing with the SSLv2 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl3.h>
+
+That's the sub header file dealing with the SSLv3 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl23.h>
+
+That's the sub header file dealing with the combined use of the SSLv2 and
+SSLv3 protocols.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<tls1.h>
+
+That's the sub header file dealing with the TLSv1 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=back
+
+=head1 DATA STRUCTURES
+
+Currently the OpenSSL B<ssl> library functions deals with the following data
+structures:
+
+=over 4
+
+=item B<SSL_METHOD> (SSL Method)
+
+That's a dispatch structure describing the internal B<ssl> library
+methods/functions which implement the various protocol versions (SSLv1, SSLv2
+and TLSv1). It's needed to create an B<SSL_CTX>.
+
+=item B<SSL_CIPHER> (SSL Cipher)
+
+This structure holds the algorithm information for a particular cipher which
+are a core part of the SSL/TLS protocol. The available ciphers are configured
+on a B<SSL_CTX> basis and the actually used ones are then part of the
+B<SSL_SESSION>.
+
+=item B<SSL_CTX> (SSL Context)
+
+That's the global context structure which is created by a server or client
+once per program life-time and which holds mainly default values for the
+B<SSL> structures which are later created for the connections.
+
+=item B<SSL_SESSION> (SSL Session)
+
+This is a structure containing the current SSL session details for a
+connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
+
+=item B<SSL> (SSL Connection)
+
+That's the main SSL/TLS structure which is created by a server or client per
+established connection. This actually is the core structure in the SSL API.
+Under run-time the application usually deals with this structure which has
+links to mostly all other structures.
+
+=back
+
+=head1 API FUNCTIONS
+
+Currently the OpenSSL B<ssl> library exports 214 API functions.
+They are documented in the following:
+
+=head2 DEALING WITH PROTOCOL METHODS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol methods defined in B<SSL_METHOD> structures.
+
+=over 4
+
+=item SSL_METHOD *B<SSLv2_client_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv2_server_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv2_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<SSLv3_client_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv3_server_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv3_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<TLSv1_client_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<TLSv1_server_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<TLSv1_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for combined client and server.
+
+=back
+
+=head2 DEALING WITH CIPHERS
+
+Here we document the various API functions which deal with the SSL/TLS
+ciphers defined in B<SSL_CIPHER> structures.
+
+=over 4
+
+=item char *B<SSL_CIPHER_description>(SSL_CIPHER *cipher, char *buf, int len);
+
+Write a string to I<buf> (with a maximum size of I<len>) containing a human
+readable description of I<cipher>. Returns I<buf>.
+
+=item int B<SSL_CIPHER_get_bits>(SSL_CIPHER *cipher, int *alg_bits);
+
+Determine the number of bits in I<cipher>. Because of export crippled ciphers
+there are two bits: The bits the algorithm supports in general (stored to
+I<alg_bits>) and the bits which are actually used (the return value).
+
+=item char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
+
+Return the internal name of I<cipher> as a string. These are the various
+strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+definitions in the header files.
+
+=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+
+Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
+in the specification the first time).
+
+=back
+
+=head2 DEALING WITH PROTOCOL CONTEXTS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol context defined in the B<SSL_CTX> structure.
+
+=over 4
+
+=item int B<SSL_CTX_add_client_CA>(SSL_CTX *ctx, X509 *x);
+
+=item long B<SSL_CTX_add_extra_chain_cert>(SSL_CTX *ctx, X509 *x509);
+
+=item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
+
+=item void B<SSL_CTX_flush_sessions>(SSL_CTX *s, long t);
+
+=item void B<SSL_CTX_free>(SSL_CTX *a);
+
+=item char *B<SSL_CTX_get_app_data>(SSL_CTX *ctx);
+
+=item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
+
+=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+
+=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+
+=item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
+
+=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+
+=item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_load_verify_locations>(SSL_CTX *ctx, char *CAfile, char *CApath);
+
+=item long B<SSL_CTX_need_tmp_RSA>(SSL_CTX *ctx);
+
+=item SSL_CTX *B<SSL_CTX_new>(SSL_METHOD *meth);
+
+=item int B<SSL_CTX_remove_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_sess_accept>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cache_full>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cb_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_get_cache_size>(SSL_CTX *ctx);
+
+=item SSL_SESSION *(*B<SSL_CTX_sess_get_get_cb>(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);
+
+=item int (*B<SSL_CTX_sess_get_new_cb>(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);
+
+=item void (*B<SSL_CTX_sess_get_remove_cb>(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);
+
+=item int B<SSL_CTX_sess_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_misses>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_number>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_sess_set_cache_size>(SSL_CTX *ctx,t);
+
+=item void B<SSL_CTX_sess_set_get_cb>(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));
+
+=item void B<SSL_CTX_sess_set_new_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));
+
+=item void B<SSL_CTX_sess_set_remove_cb>(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));
+
+=item int B<SSL_CTX_sess_timeouts>(SSL_CTX *ctx);
+
+=item LHASH *B<SSL_CTX_sessions>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_set_app_data>(SSL_CTX *ctx, void *arg);
+
+=item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
+
+=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg)
+
+=item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
+
+=item void B<SSL_CTX_set_client_CA_list>(SSL_CTX *ctx, STACK *list);
+
+=item void B<SSL_CTX_set_client_cert_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+
+=item void B<SSL_CTX_set_default_passwd_cb>(SSL_CTX *ctx, int (*cb);(void))
+
+=item void B<SSL_CTX_set_default_read_ahead>(SSL_CTX *ctx, int m);
+
+=item int B<SSL_CTX_set_default_verify_paths>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_set_ex_data>(SSL_CTX *s, int idx, char *arg);
+
+=item void B<SSL_CTX_set_info_callback>(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));
+
+=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
+
+=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
+
+=item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode);
+
+=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, SSL_METHOD *meth);
+
+=item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t);
+
+=item long B<SSL_CTX_set_tmp_dh>(SSL_CTX* ctx, DH *dh);
+
+=item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
+
+=item long B<SSL_CTX_set_tmp_rsa>(SSL_CTX *ctx, RSA *rsa);
+
+=item SSL_CTX_set_tmp_rsa_callback
+
+C<long B<SSL_CTX_set_tmp_rsa_callback>(SSL_CTX *B<ctx>, RSA *(*B<cb>)(SSL *B<ssl>, int B<export>, int B<keylength>));>
+
+Sets the callback which will be called when a temporary private key is
+required. The B<C<export>> flag will be set if the reason for needing
+a temp key is that an export ciphersuite is in use, in which case,
+B<C<keylength>> will contain the required keylength in bits. Generate a key of
+appropriate size (using ???) and return it.
+
+=item SSL_set_tmp_rsa_callback
+
+long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
+
+The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL
+session instead of a context.
+
+=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
+
+=item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
+
+=item int B<SSL_CTX_use_PrivateKey_ASN1>(int type, SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_PrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_RSAPrivateKey>(SSL_CTX *ctx, RSA *rsa);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_ASN1>(SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_certificate>(SSL_CTX *ctx, X509 *x);
+
+=item int B<SSL_CTX_use_certificate_ASN1>(SSL_CTX *ctx, int len, unsigned char *d);
+
+=item int B<SSL_CTX_use_certificate_file>(SSL_CTX *ctx, char *file, int type);
+
+=back
+
+=head2 DEALING WITH SESSIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+sessions defined in the B<SSL_SESSION> structures.
+
+=over 4
+
+=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+
+=item void B<SSL_SESSION_free>(SSL_SESSION *ss);
+
+=item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
+
+=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+
+=item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+
+=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+
+=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+
+=item SSL_SESSION *B<SSL_SESSION_new>(void);
+
+=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+
+=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+
+=item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
+
+=item int B<SSL_SESSION_set_ex_data>(SSL_SESSION *s, int idx, char *arg);
+
+=item long B<SSL_SESSION_set_time>(SSL_SESSION *s, long t);
+
+=item long B<SSL_SESSION_set_timeout>(SSL_SESSION *s, long t);
+
+=back
+
+=head2 DEALING WITH CONNECTIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+connection defined in the B<SSL> structure.
+
+=over 4
+
+=item int B<SSL_accept>(SSL *ssl);
+
+=item int B<SSL_add_dir_cert_subjects_to_stack>(STACK *stack, const char *dir);
+
+=item int B<SSL_add_file_cert_subjects_to_stack>(STACK *stack, const char *file);
+
+=item int B<SSL_add_client_CA>(SSL *ssl, X509 *x);
+
+=item char *B<SSL_alert_desc_string>(int value);
+
+=item char *B<SSL_alert_desc_string_long>(int value);
+
+=item char *B<SSL_alert_type_string>(int value);
+
+=item char *B<SSL_alert_type_string_long>(int value);
+
+=item int B<SSL_check_private_key>(SSL *ssl);
+
+=item void B<SSL_clear>(SSL *ssl);
+
+=item long B<SSL_clear_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_connect>(SSL *ssl);
+
+=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+
+=item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
+
+=item int B<SSL_do_handshake>(SSL *ssl);
+
+=item SSL *B<SSL_dup>(SSL *ssl);
+
+=item STACK *B<SSL_dup_CA_list>(STACK *sk);
+
+=item void B<SSL_free>(SSL *ssl);
+
+=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+
+=item char *B<SSL_get_app_data>(SSL *ssl);
+
+=item X509 *B<SSL_get_certificate>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_cipher>(SSL *ssl);
+
+=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+
+=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+
+=item char *B<SSL_get_cipher_name>(SSL *ssl);
+
+=item char *B<SSL_get_cipher_version>(SSL *ssl);
+
+=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+
+=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
+
+=item long B<SSL_get_default_timeout>(SSL *ssl);
+
+=item int B<SSL_get_error>(SSL *ssl, int i);
+
+=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+
+=item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
+
+=item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item int B<SSL_get_fd>(SSL *ssl);
+
+=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+
+=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+
+=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+
+=item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
+
+=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+
+=item BIO *B<SSL_get_rbio>(SSL *ssl);
+
+=item int B<SSL_get_read_ahead>(SSL *ssl);
+
+=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+
+=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+
+=item int B<SSL_get_shutdown>(SSL *ssl);
+
+=item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
+
+=item int B<SSL_get_state>(SSL *ssl);
+
+=item long B<SSL_get_time>(SSL *ssl);
+
+=item long B<SSL_get_timeout>(SSL *ssl);
+
+=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+
+=item int B<SSL_get_verify_mode>(SSL *ssl);
+
+=item long B<SSL_get_verify_result>(SSL *ssl);
+
+=item char *B<SSL_get_version>(SSL *ssl);
+
+=item BIO *B<SSL_get_wbio>(SSL *ssl);
+
+=item int B<SSL_in_accept_init>(SSL *ssl);
+
+=item int B<SSL_in_before>(SSL *ssl);
+
+=item int B<SSL_in_connect_init>(SSL *ssl);
+
+=item int B<SSL_in_init>(SSL *ssl);
+
+=item int B<SSL_is_init_finished>(SSL *ssl);
+
+=item STACK *B<SSL_load_client_CA_file>(char *file);
+
+=item void B<SSL_load_error_strings>(void);
+
+=item SSL *B<SSL_new>(SSL_CTX *ctx);
+
+=item long B<SSL_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_pending>(SSL *ssl);
+
+=item int B<SSL_read>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_renegotiate>(SSL *ssl);
+
+=item char *B<SSL_rstate_string>(SSL *ssl);
+
+=item char *B<SSL_rstate_string_long>(SSL *ssl);
+
+=item long B<SSL_session_reused>(SSL *ssl);
+
+=item void B<SSL_set_accept_state>(SSL *ssl);
+
+=item void B<SSL_set_app_data>(SSL *ssl, char *arg);
+
+=item void B<SSL_set_bio>(SSL *ssl, BIO *rbio, BIO *wbio);
+
+=item int B<SSL_set_cipher_list>(SSL *ssl, char *str);
+
+=item void B<SSL_set_client_CA_list>(SSL *ssl, STACK *list);
+
+=item void B<SSL_set_connect_state>(SSL *ssl);
+
+=item int B<SSL_set_ex_data>(SSL *ssl, int idx, char *arg);
+
+=item int B<SSL_set_fd>(SSL *ssl, int fd);
+
+=item void B<SSL_set_info_callback>(SSL *ssl, void (*cb);(void))
+
+=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
+
+=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
+
+=item void B<SSL_set_read_ahead>(SSL *ssl, int yes);
+
+=item int B<SSL_set_rfd>(SSL *ssl, int fd);
+
+=item int B<SSL_set_session>(SSL *ssl, SSL_SESSION *session);
+
+=item void B<SSL_set_shutdown>(SSL *ssl, int mode);
+
+=item int B<SSL_set_ssl_method>(SSL *ssl, SSL_METHOD *meth);
+
+=item void B<SSL_set_time>(SSL *ssl, long t);
+
+=item void B<SSL_set_timeout>(SSL *ssl, long t);
+
+=item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
+
+=item void B<SSL_set_verify_result>(SSL *ssl, long arg);
+
+=item int B<SSL_set_wfd>(SSL *ssl, int fd);
+
+=item int B<SSL_shutdown>(SSL *ssl);
+
+=item int B<SSL_state>(SSL *ssl);
+
+=item char *B<SSL_state_string>(SSL *ssl);
+
+=item char *B<SSL_state_string_long>(SSL *ssl);
+
+=item long B<SSL_total_renegotiations>(SSL *ssl);
+
+=item int B<SSL_use_PrivateKey>(SSL *ssl, EVP_PKEY *pkey);
+
+=item int B<SSL_use_PrivateKey_ASN1>(int type, SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_PrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_RSAPrivateKey>(SSL *ssl, RSA *rsa);
+
+=item int B<SSL_use_RSAPrivateKey_ASN1>(SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_RSAPrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_certificate>(SSL *ssl, X509 *x);
+
+=item int B<SSL_use_certificate_ASN1>(SSL *ssl, int len, unsigned char *d);
+
+=item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_version>(SSL *ssl);
+
+=item int B<SSL_want>(SSL *ssl);
+
+=item int B<SSL_want_nothing>(SSL *ssl);
+
+=item int B<SSL_want_read>(SSL *ssl);
+
+=item int B<SSL_want_write>(SSL *ssl);
+
+=item int B<SSL_want_x509_lookup>(s);
+
+=item int B<SSL_write>(SSL *ssl, char *buf, int num);
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>
+
+=head1 HISTORY
+
+The L<ssl(3)|ssl(3)> document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt
new file mode 100644
index 0000000..3e964c2
--- /dev/null
+++ b/crypto/openssl/doc/ssleay.txt
@@ -0,0 +1,7014 @@
+
+Bundle of old SSLeay documentation files [OBSOLETE!]
+
+==== readme ========================================================
+
+This is the old 0.6.6 docuementation.  Most of the cipher stuff is still
+relevent but I'm working (very slowly) on new docuemtation.
+The current version can be found online at
+
+http://www.cryptsoft.com/ssleay/doc
+
+==== API.doc ========================================================
+
+SSL - SSLv2/v3/v23 etc.
+
+BIO - methods and how they plug together
+
+MEM - memory allocation callback
+
+CRYPTO - locking for threads
+
+EVP - Ciphers/Digests/signatures
+
+RSA - methods
+
+X509 - certificate retrieval
+
+X509 - validation
+
+X509 - X509v3 extensions
+
+Objects - adding object identifiers
+
+ASN.1 - parsing
+
+PEM - parsing
+
+==== ssl/readme =====================================================
+
+22 Jun 1996
+This file belongs in ../apps, but I'll leave it here because it deals
+with SSL :-)  It is rather dated but it gives you an idea of how
+things work.
+===
+
+17 Jul 1995
+I have been changing things quite a bit and have not fully updated
+this file, so take what you read with a grain of salt
+eric
+===
+The s_client and s_server programs can be used to test SSL capable
+IP/port addresses and the verification of the X509 certificates in use
+by these services.  I strongly advise having a look at the code to get
+an idea of how to use the authentication under SSLeay.  Any feedback
+on changes and improvements would be greatly accepted.
+
+This file will probably be gibberish unless you have read
+rfc1421, rfc1422, rfc1423 and rfc1424 which describe PEM
+authentication.
+
+A Brief outline (and examples) how to use them to do so.
+
+NOTE:
+The environment variable SSL_CIPER is used to specify the prefered
+cipher to use, play around with setting it's value to combinations of
+RC4-MD5, EXP-RC4-MD5, CBC-DES-MD5, CBC3-DES-MD5, CFB-DES-NULL
+in a : separated list.
+
+This directory contains 3 X509 certificates which can be used by these programs.
+client.pem: a file containing a certificate and private key to be used
+	by s_client.
+server.pem :a file containing a certificate and private key to be used
+	by s_server.
+eay1024.pem:the certificate used to sign client.pem and server.pem.
+	This would be your CA's certificate.  There is also a link
+	from the file a8556381.0 to eay1024.PEM.  The value a8556381
+	is returned by 'x509 -hash -noout <eay1024.pem' and is the
+	value used by X509 verification routines to 'find' this
+	certificte when search a directory for it.
+	[the above is not true any more, the CA cert is 
+	 ../certs/testca.pem which is signed by ../certs/mincomca.pem]
+
+When testing the s_server, you may get
+bind: Address already in use
+errors.  These indicate the port is still being held by the unix
+kernel and you are going to have to wait for it to let go of it.  If
+this is the case, remember to use the port commands on the s_server and
+s_client to talk on an alternative port.
+
+=====
+s_client.
+This program can be used to connect to any IP/hostname:port that is
+talking SSL.  Once connected, it will attempt to authenticate the
+certificate it was passed and if everything works as expected, a 2
+directional channel will be open.  Any text typed will be sent to the
+other end.  type Q<cr> to exit.  Flags are as follows.
+-host arg	: Arg is the host or IP address to connect to.
+-port arg	: Arg is the port to connect to (https is 443).
+-verify arg	: Turn on authentication of the server certificate.
+		: Arg specifies the 'depth', this will covered below.
+-cert arg	: The optional certificate to use.  This certificate
+		: will be returned to the server if the server
+		: requests it for client authentication.
+-key arg	: The private key that matches the certificate
+		: specified by the -cert option.  If this is not
+		: specified (but -cert is), the -cert file will be
+		: searched for the Private key.  Both files are
+		: assumed to be in PEM format.
+-CApath arg	: When to look for certificates when 'verifying' the
+		: certificate from the server.
+-CAfile arg	: A file containing certificates to be used for
+		: 'verifying' the server certificate.
+-reconnect	: Once a connection has been made, drop it and
+		: reconnect with same session-id.  This is for testing :-).
+
+The '-verify n' parameter specifies not only to verify the servers
+certificate but to also only take notice of 'n' levels.  The best way
+to explain is to show via examples.
+Given
+s_server -cert server.PEM is running.
+
+s_client
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify error:num=1:unable to get issuer certificate
+	verify return:1
+	CIPHER is CBC-DES-MD5
+What has happened is that the 'SSLeay demo server' certificate's
+issuer ('CA') could not be found but because verify is not on, we
+don't care and the connection has been made anyway.  It is now 'up'
+using CBC-DES-MD5 mode.  This is an unauthenticate secure channel.
+You may not be talking to the right person but the data going to them
+is encrypted.
+
+s_client -verify 0
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify error:num=1:unable to get issuer certificate
+	verify return:1
+	CIPHER is CBC-DES-MD5
+We are 'verifying' but only to depth 0, so since the 'SSLeay demo server'
+certificate passed the date and checksum, we are happy to proceed.
+
+s_client -verify 1
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify error:num=1:unable to get issuer certificate
+	verify return:0
+	ERROR
+	verify error:unable to get issuer certificate
+In this case we failed to make the connection because we could not
+authenticate the certificate because we could not find the
+'CA' certificate.
+
+s_client -verify 1 -CAfile eay1024.PEM
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+We loaded the certificates from the file eay1024.PEM.  Everything
+checked out and so we made the connection.
+
+s_client -verify 1 -CApath .
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+We looked in out local directory for issuer certificates and 'found'
+a8556381.0 and so everything is ok.
+
+It is worth noting that 'CA' is a self certified certificate.  If you
+are passed one of these, it will fail to 'verify' at depth 0 because
+we need to lookup the certifier of a certificate from some information
+that we trust and keep locally.
+
+SSL_CIPHER=CBC3-DES-MD5:RC4-MD5
+export SSL_CIPHER
+s_client -verify 10 -CApath . -reconnect
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	drop the connection and reconnect with the same session id
+	CIPHER is CBC3-DES-MD5
+This has done a full connection and then re-estabished it with the
+same session id but a new socket.  No RSA stuff occures on the second
+connection.  Note that we said we would prefer to use CBC3-DES-MD5
+encryption and so, since the server supports it, we are.
+
+=====
+s_server
+This program accepts SSL connections on a specified port
+Once connected, it will estabish an SSL connection and optionaly
+attempt to authenticate the client.  A 2 directional channel will be
+open.  Any text typed will be sent to the other end.  Type Q<cr> to exit.
+Flags are as follows.
+-port arg	: Arg is the port to listen on.
+-verify arg	: Turn on authentication of the client if they have a
+		: certificate.  Arg specifies the 'depth'.
+-Verify arg	: Turn on authentication of the client. If they don't
+		: have a valid certificate, drop the connection.
+-cert arg	: The certificate to use.  This certificate
+		: will be passed to the client.  If it is not
+		: specified, it will default to server.PEM
+-key arg	: The private key that matches the certificate
+		: specified by the -cert option.  If this is not
+		: specified (but -cert is), the -cert file will be
+		: searched for the Private key.  Both files are
+		: assumed to be in PEM format.  Default is server.PEM
+-CApath arg	: When to look for certificates when 'verifying' the
+		: certificate from the client.
+-CAfile arg	: A file containing certificates to be used for
+		: 'verifying' the client certificate.
+
+For the following 'demo'  I will specify the s_server command and
+the s_client command and then list the output from the s_server.
+s_server
+s_client
+	CONNECTED
+	CIPHER is CBC-DES-MD5
+Everything up and running
+
+s_server -verify 0
+s_client  
+	CONNECTED
+	CIPHER is CBC-DES-MD5
+Ok since no certificate was returned and we don't care.
+
+s_server -verify 0
+./s_client -cert client.PEM
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+	issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify error:num=1:unable to get issuer certificate
+	verify return:1
+	CIPHER is CBC-DES-MD5
+Ok since we were only verifying to level 0
+
+s_server -verify 4
+s_client -cert client.PEM
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+	issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify error:num=1:unable to get issuer certificate
+	verify return:0
+	ERROR
+	verify error:unable to get issuer certificate
+Bad because we could not authenticate the returned certificate.
+
+s_server -verify 4 -CApath .
+s_client -cert client.PEM
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+Ok because we could authenticate the returned certificate :-).
+
+s_server -Verify 0 -CApath .
+s_client
+	CONNECTED
+	ERROR
+	SSL error:function is:REQUEST_CERTIFICATE
+		 :error is   :client end did not return a certificate
+Error because no certificate returned.
+
+s_server -Verify 4 -CApath .
+s_client -cert client.PEM
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+Full authentication of the client.
+
+So in summary to do full authentication of both ends
+s_server -Verify 9 -CApath .
+s_client -cert client.PEM -CApath . -verify 9
+From the server side
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+From the client side
+	CONNECTED
+	depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+	verify return:1
+	depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+	verify return:1
+	CIPHER is CBC-DES-MD5
+
+For general probing of the 'internet https' servers for the
+distribution area, run
+s_client -host www.netscape.com -port 443 -verify 4 -CApath ../rsa/hash
+Then enter
+GET /
+and you should be talking to the https server on that host.
+
+www.rsa.com was refusing to respond to connections on 443 when I was
+testing.
+
+have fun :-).
+
+eric
+
+==== a_verify.doc ========================================================
+
+From eay@mincom.com Fri Oct  4 18:29:06 1996
+Received: by orb.mincom.oz.au id AA29080
+  (5.65c/IDA-1.4.4 for eay); Fri, 4 Oct 1996 08:29:07 +1000
+Date: Fri, 4 Oct 1996 08:29:06 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: wplatzer <wplatzer@iaik.tu-graz.ac.at>
+Cc: Eric Young <eay@mincom.oz.au>, SSL Mailing List <ssl-users@mincom.com>
+Subject: Re: Netscape's Public Key
+In-Reply-To: <19961003134837.NTM0049@iaik.tu-graz.ac.at>
+Message-Id: <Pine.SOL.3.91.961004081346.8018K-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Thu, 3 Oct 1996, wplatzer wrote:
+> I get Public Key from Netscape (Gold 3.0b4), but cannot do anything
+> with it... It looks like (asn1parse):
+> 
+> 0:d=0 hl=3 l=180 cons: SEQUENCE
+> 3:d=1 hl=2 l= 96 cons: SEQUENCE
+> 5:d=2 hl=2 l= 92 cons: SEQUENCE
+> 7:d=3 hl=2 l= 13 cons: SEQUENCE
+> 9:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
+> 20:d=4 hl=2 l= 0 prim: NULL
+> 22:d=3 hl=2 l= 75 prim: BIT STRING
+> 99:d=2 hl=2 l= 0 prim: IA5STRING :
+> 101:d=1 hl=2 l= 13 cons: SEQUENCE
+> 103:d=2 hl=2 l= 9 prim: OBJECT :md5withRSAEncryption
+> 114:d=2 hl=2 l= 0 prim: NULL
+> 116:d=1 hl=2 l= 65 prim: BIT STRING
+> 
+> The first BIT STRING is the public key and the second BIT STRING is 
+> the signature.
+> But a public key consists of the public exponent and the modulus. Are 
+> both numbers in the first BIT STRING?
+> Is there a document simply describing this coding stuff (checking 
+> signature, get the public key, etc.)?
+
+Minimal in SSLeay.  If you want to see what the modulus and exponent are,
+try asn1parse -offset 25 -length 75 <key.pem
+asn1parse will currently stuff up on the 'length 75' part (fixed in next 
+release) but it will print the stuff.  If you are after more 
+documentation on ASN.1, have a look at www.rsa.com and get their PKCS 
+documents, most of my initial work on SSLeay was done using them.
+
+As for SSLeay,
+util/crypto.num and util/ssl.num are lists of all exported functions in 
+the library (but not macros :-(.
+
+The ones for extracting public keys from certificates and certificate 
+requests are EVP_PKEY *      X509_REQ_extract_key(X509_REQ *req);
+EVP_PKEY *      X509_extract_key(X509 *x509);
+
+To verify a signature on a signed ASN.1 object
+int X509_verify(X509 *a,EVP_PKEY *key);
+int X509_REQ_verify(X509_REQ *a,EVP_PKEY *key);
+int X509_CRL_verify(X509_CRL *a,EVP_PKEY *key);
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a,EVP_PKEY *key);
+
+I should mention that EVP_PKEY can be used to hold a public or a private key,
+since for  things like RSA and DSS, a public key is just a subset of what 
+is stored for the private key.
+
+To sign any of the above structures
+
+int X509_sign(X509 *a,EVP_PKEY *key,EVP_MD *md);
+int X509_REQ_sign(X509_REQ *a,EVP_PKEY *key,EVP_MD *md);
+int X509_CRL_sign(X509_CRL *a,EVP_PKEY *key,EVP_MD *md);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *a,EVP_PKEY *key,EVP_MD *md);
+
+where md is the message digest to sign with.
+
+There are all defined in x509.h and all the _sign and _verify functions are
+actually macros to the ASN1_sign() and ASN1_verify() functions.
+These functions will put the correct algorithm identifiers in the correct 
+places in the structures.
+
+eric
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+==== x509 =======================================================
+
+X509_verify()
+X509_sign()
+
+X509_get_version()
+X509_get_serialNumber()
+X509_get_issuer()
+X509_get_subject()
+X509_get_notBefore()
+X509_get_notAfter()
+X509_get_pubkey()
+
+X509_set_version()
+X509_set_serialNumber()
+X509_set_issuer()
+X509_set_subject()
+X509_set_notBefore()
+X509_set_notAfter()
+X509_set_pubkey()
+
+X509_get_extensions()
+X509_set_extensions()
+
+X509_EXTENSIONS_clear()
+X509_EXTENSIONS_retrieve()
+X509_EXTENSIONS_add()
+X509_EXTENSIONS_delete()
+
+==== x509 attribute ================================================
+
+PKCS7
+	STACK of X509_ATTRIBUTES
+		ASN1_OBJECT
+		STACK of ASN1_TYPE
+
+So it is
+
+p7.xa[].obj
+p7.xa[].data[]
+
+get_obj_by_nid(STACK , nid)
+get_num_by_nid(STACK , nid)
+get_data_by_nid(STACK , nid, index)
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_new(void );
+void		X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **ex,
+			int nid, STACK *value);
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **ex,
+			int nid, STACK *value);
+
+int		X509_ATTRIBUTE_set_object(X509_ATTRIBUTE *ex,ASN1_OBJECT *obj);
+int		X509_ATTRIBUTE_add_data(X509_ATTRIBUTE *ex, int index,
+			ASN1_TYPE *value);
+
+ASN1_OBJECT *	X509_ATTRIBUTE_get_object(X509_ATTRIBUTE *ex);
+int 		X509_ATTRIBUTE_get_num(X509_ATTRIBUTE *ne);
+ASN1_TYPE *	X509_ATTRIBUTE_get_data(X509_ATTRIBUTE *ne,int index);
+
+ASN1_TYPE *	X509_ATTRIBUTE_get_data_by_NID(X509_ATTRIBUTE *ne,
+			ASN1_OBJECT *obj);
+
+X509_ATTRIBUTE *PKCS7_get_s_att_by_NID(PKCS7 *p7,int nid);
+X509_ATTRIBUTE *PKCS7_get_u_att_by_NID(PKCS7 *p7,int nid);
+
+==== x509 v3 ========================================================
+
+The 'new' system.
+
+The X509_EXTENSION_METHOD includes extensions and attributes and/or names. 
+Basically everthing that can be added to an X509 with an OID identifying it.
+
+It operates via 2 methods per object id.
+int a2i_XXX(X509 *x,char *str,int len);
+int i2a_XXX(BIO *bp,X509 *x);
+
+The a2i_XXX function will add the object with a value converted from the
+string into the X509.  Len can be -1 in which case the length is calculated
+via strlen(str).   Applications can always use direct knowledge to load and
+unload the relevent objects themselves.
+
+i2a_XXX will print to the passed BIO, a text representation of the
+relevet object.  Use a memory BIO if you want it printed to a buffer :-).
+
+X509_add_by_NID(X509 *x,int nid,char *str,int len);
+X509_add_by_OBJ(X509 *x,ASN1_OBJECT *obj,char *str,int len);
+
+X509_print_by_name(BIO *bp,X509 *x);
+X509_print_by_NID(BIO *bp,X509 *x);
+X509_print_by_OBJ(BIO *bp,X509 *x);
+
+==== verify ========================================================
+
+X509_verify_cert_chain(
+	CERT_STORE *cert_store,
+	STACK /* X509 */ *certs,
+	int *verify_result,
+	int (*verify_error_callback)()
+	char *argument_to_callback, /* SSL */
+
+app_verify_callback(
+	char *app_verify_arg, /* from SSL_CTX */
+	STACK /* X509 */ *certs,
+	int *verify_result,
+	int (*verify_error_callback)()
+	SSL *s,
+
+int X509_verify_cert(
+	CERT_STORE *cert_store,
+	X509 *x509,
+	int *verify_result,
+	int (*verify_error_callback)(),
+	char *arg,
+
+==== apps.doc ========================================================
+
+The applications
+
+Ok, where to begin....
+In the begining, when SSLeay was small (April 1995), there
+were but few applications, they did happily cohabit in
+the one bin directory.  Then over time, they did multiply and grow,
+and they started to look like microsoft software; 500k to print 'hello world'.
+A new approach was needed.  They were coalessed into one 'Monolithic'
+application, ssleay.  This one program is composed of many programs that
+can all be compiled independantly.
+
+ssleay has 3 modes of operation.
+1) If the ssleay binaray has the name of one of its component programs, it
+executes that program and then exits.  This can be achieve by using hard or
+symbolic links, or failing that, just renaming the binary.
+2) If the first argument to ssleay is the name of one of the component
+programs, that program runs that program and then exits.
+3) If there are no arguments, ssleay enters a 'command' mode.  Each line is
+interpreted as a program name plus arguments.  After each 'program' is run,
+ssleay returns to the comand line.
+
+dgst	- message digests
+enc	- encryption and base64 encoding
+
+ans1parse - 'pulls' appart ASN.1 encoded objects like certificates.
+
+dh	- Diffle-Hellman parameter manipulation.
+rsa	- RSA manipulations.
+crl	- Certificate revokion list manipulations
+x509	- X509 cert fiddles, including signing.
+pkcs7	- pkcs7 manipulation, only DER versions right now.
+
+genrsa	- generate an RSA private key.
+gendh	- Generate a set of Diffle-Hellman parameters.
+req	- Generate a PKCS#10 object, a certificate request.
+
+s_client - SSL client program
+s_server - SSL server program
+s_time	 - A SSL protocol timing program
+s_mult	 - Another SSL server, but it multiplexes
+	   connections.
+s_filter - under development
+
+errstr	- Convert SSLeay error numbers to strings.
+ca	- Sign certificate requests, and generate
+	  certificate revokion lists
+crl2pkcs7 - put a crl and certifcates into a pkcs7 object.
+speed	- Benchmark the ciphers.
+verify	- Check certificates
+hashdir - under development
+
+[ there a now a few more options, play with the program to see what they
+  are ]
+
+==== asn1.doc ========================================================
+
+The ASN.1 Routines.
+
+ASN.1 is a specification for how to encode structured 'data' in binary form.
+The approach I have take to the manipulation of structures and their encoding
+into ASN.1 is as follows.
+
+For each distinct structure there are 4 function of the following form
+TYPE *TYPE_new(void);
+void TYPE_free(TYPE *);
+TYPE *d2i_TYPE(TYPE **a,unsigned char **pp,long length);
+long i2d_TYPE(TYPE *a,unsigned char **pp); 	/* CHECK RETURN VALUE */
+
+where TYPE is the type of the 'object'.  The TYPE that have these functions
+can be in one of 2 forms, either the internal C malloc()ed data structure
+or in the DER (a variant of ASN.1 encoding) binary encoding which is just
+an array of unsigned bytes.  The 'i2d' functions converts from the internal
+form to the DER form and the 'd2i' functions convert from the DER form to
+the internal form.
+
+The 'new' function returns a malloc()ed version of the structure with all
+substructures either created or left as NULL pointers.  For 'optional'
+fields, they are normally left as NULL to indicate no value.  For variable
+size sub structures (often 'SET OF' or 'SEQUENCE OF' in ASN.1 syntax) the
+STACK data type is used to hold the values.  Have a read of stack.doc
+and have a look at the relevant header files to see what I mean.  If there
+is an error while malloc()ing the structure, NULL is returned.
+
+The 'free' function will free() all the sub components of a particular
+structure.  If any of those sub components have been 'removed', replace
+them with NULL pointers, the 'free' functions are tolerant of NULL fields.
+
+The 'd2i' function copies a binary representation into a C structure.  It
+operates as follows.  'a' is a pointer to a pointer to
+the structure to populate, 'pp' is a pointer to a pointer to where the DER
+byte string is located and 'length' is the length of the '*pp' data.
+If there are no errors, a pointer to the populated structure is returned.
+If there is an error, NULL is returned.  Errors can occur because of
+malloc() failures but normally they will be due to syntax errors in the DER
+encoded data being parsed. It is also an error if there was an
+attempt to read more that 'length' bytes from '*p'.  If
+everything works correctly, the value in '*p' is updated
+to point at the location just beyond where the DER
+structure was read from.  In this way, chained calls to 'd2i' type
+functions can be made, with the pointer into the 'data' array being
+'walked' along the input byte array.
+Depending on the value passed for 'a', different things will be done.  If
+'a' is NULL, a new structure will be malloc()ed and returned.  If '*a' is
+NULL, a new structure will be malloc()ed and put into '*a' and returned.
+If '*a' is not NULL, the structure in '*a' will be populated, or in the
+case of an error, free()ed and then returned.
+Having these semantics means that a structure
+can call a 'd2i' function to populate a field and if the field is currently
+NULL, the structure will be created.
+
+The 'i2d' function type is used to copy a C structure to a byte array.
+The parameter 'a' is the structure to convert and '*p' is where to put it.
+As for the 'd2i' type structure, 'p' is updated to point after the last
+byte written.  If p is NULL, no data is written.  The function also returns
+the number of bytes written.  Where this becomes useful is that if the
+function is called with a NULL 'p' value, the length is returned.  This can
+then be used to malloc() an array of bytes and then the same function can
+be recalled passing the malloced array to be written to. e.g.
+
+int len;
+unsigned char *bytes,*p;
+len=i2d_X509(x,NULL);	/* get the size of the ASN1 encoding of 'x' */
+if ((bytes=(unsigned char *)malloc(len)) == NULL)
+	goto err;
+p=bytes;
+i2d_X509(x,&p);
+
+Please note that a new variable, 'p' was passed to i2d_X509.  After the
+call to i2d_X509 p has been incremented by len bytes.
+
+Now the reason for this functional organisation is that it allows nested
+structures to be built up by calling these functions as required.  There
+are various macros used to help write the general 'i2d', 'd2i', 'new' and
+'free' functions.  They are discussed in another file and would only be
+used by some-one wanting to add new structures to the library.  As you
+might be able to guess, the process of writing ASN.1 files can be a bit CPU
+expensive for complex structures.  I'm willing to live with this since the
+simpler library code make my life easier and hopefully most programs using
+these routines will have their execution profiles dominated by cipher or
+message digest routines.
+What follows is a list of 'TYPE' values and the corresponding ASN.1
+structure and where it is used.
+
+TYPE			ASN.1
+ASN1_INTEGER		INTEGER
+ASN1_BIT_STRING		BIT STRING
+ASN1_OCTET_STRING	OCTET STRING
+ASN1_OBJECT		OBJECT IDENTIFIER
+ASN1_PRINTABLESTRING	PrintableString
+ASN1_T61STRING		T61String
+ASN1_IA5STRING		IA5String
+ASN1_UTCTIME		UTCTime
+ASN1_TYPE		Any of the above mentioned types plus SEQUENCE and SET
+
+Most of the above mentioned types are actualled stored in the
+ASN1_BIT_STRING type and macros are used to differentiate between them.
+The 3 types used are
+
+typedef struct asn1_object_st
+	{
+	/* both null if a dynamic ASN1_OBJECT, one is
+	 * defined if a 'static' ASN1_OBJECT */
+	char *sn,*ln;
+	int nid;
+	int length;
+	unsigned char *data;
+	} ASN1_OBJECT;
+This is used to store ASN1 OBJECTS.  Read 'objects.doc' for details ono
+routines to manipulate this structure.  'sn' and 'ln' are used to hold text
+strings that represent the object (short name and long or lower case name).
+These are used by the 'OBJ' library.  'nid' is a number used by the OBJ
+library to uniquely identify objects.  The ASN1 routines will populate the
+'length' and 'data' fields which will contain the bit string representing
+the object.
+
+typedef struct asn1_bit_string_st
+	{
+	int length;
+	int type;
+	unsigned char *data;
+	} ASN1_BIT_STRING;
+This structure is used to hold all the other base ASN1 types except for
+ASN1_UTCTIME (which is really just a 'char *').  Length is the number of
+bytes held in data and type is the ASN1 type of the object (there is a list
+in asn1.h).
+
+typedef struct asn1_type_st
+	{
+	int type;
+	union	{
+		char *ptr;
+		ASN1_INTEGER *		integer;
+		ASN1_BIT_STRING *	bit_string;
+		ASN1_OCTET_STRING *	octet_string;
+		ASN1_OBJECT *		object;
+		ASN1_PRINTABLESTRING *	printablestring;
+		ASN1_T61STRING *	t61string;
+		ASN1_IA5STRING *	ia5string;
+		ASN1_UTCTIME *		utctime;
+		ASN1_BIT_STRING *	set;
+		ASN1_BIT_STRING *	sequence;
+		} value;
+	} ASN1_TYPE;
+This structure is used in a few places when 'any' type of object can be
+expected.
+
+X509			Certificate
+X509_CINF		CertificateInfo
+X509_ALGOR		AlgorithmIdentifier
+X509_NAME		Name			
+X509_NAME_ENTRY		A single sub component of the name.
+X509_VAL		Validity
+X509_PUBKEY		SubjectPublicKeyInfo
+The above mentioned types are declared in x509.h. They are all quite
+straight forward except for the X509_NAME/X509_NAME_ENTRY pair.
+A X509_NAME is a STACK (see stack.doc) of X509_NAME_ENTRY's.
+typedef struct X509_name_entry_st
+	{
+	ASN1_OBJECT *object;
+	ASN1_BIT_STRING *value;
+	int set;
+	int size; 	/* temp variable */
+	} X509_NAME_ENTRY;
+The size is a temporary variable used by i2d_NAME and set is the set number
+for the particular NAME_ENTRY.  A X509_NAME is encoded as a sequence of
+sequence of sets.  Normally each set contains only a single item.
+Sometimes it contains more.  Normally throughout this library there will be
+only one item per set.  The set field contains the 'set' that this entry is
+a member of.  So if you have just created a X509_NAME structure and
+populated it with X509_NAME_ENTRYs, you should then traverse the X509_NAME
+(which is just a STACK) and set the 'set/' field to incrementing numbers.
+For more details on why this is done, read the ASN.1 spec for Distinguished
+Names.
+
+X509_REQ		CertificateRequest
+X509_REQ_INFO		CertificateRequestInfo
+These are used to hold certificate requests.
+
+X509_CRL		CertificateRevocationList
+These are used to hold a certificate revocation list
+
+RSAPrivateKey		PrivateKeyInfo
+RSAPublicKey		PublicKeyInfo
+Both these 'function groups' operate on 'RSA' structures (see rsa.doc).
+The difference is that the RSAPublicKey operations only manipulate the m
+and e fields in the RSA structure.
+
+DSAPrivateKey		DSS private key
+DSAPublicKey		DSS public key
+Both these 'function groups' operate on 'DSS' structures (see dsa.doc).
+The difference is that the RSAPublicKey operations only manipulate the 
+XXX fields in the DSA structure.
+
+DHparams		DHParameter
+This is used to hold the p and g value for The Diffie-Hellman operation.
+The function deal with the 'DH' strucure (see dh.doc).
+
+Now all of these function types can be used with several other functions to give
+quite useful set of general manipulation routines.  Normally one would
+not uses these functions directly but use them via macros. 
+
+char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
+'x' is the input structure case to a 'char *', 'i2d' is the 'i2d_TYPE'
+function for the type that 'x' is and d2i is the 'd2i_TYPE' function for the
+type that 'x' is.  As is obvious from the parameters, this function
+duplicates the strucutre by transforming it into the DER form and then
+re-loading it into a new strucutre and returning the new strucutre.  This
+is obviously a bit cpu intensive but when faced with a complex dynamic
+structure this is the simplest programming approach.  There are macros for
+duplicating the major data types but is simple to add extras.
+
+char *ASN1_d2i_fp(char *(*new)(),char *(*d2i)(),FILE *fp,unsigned char **x);
+'x' is a pointer to a pointer of the 'desired type'.  new and d2i are the
+corresponding 'TYPE_new' and 'd2i_TYPE' functions for the type and 'fp' is
+an open file pointer to read from.  This function reads from 'fp' as much
+data as it can and then uses 'd2i' to parse the bytes to load and return
+the parsed strucutre in 'x' (if it was non-NULL) and to actually return the
+strucutre.  The behavior of 'x' is as per all the other d2i functions.
+
+char *ASN1_d2i_bio(char *(*new)(),char *(*d2i)(),BIO *fp,unsigned char **x);
+The 'BIO' is the new IO type being used in SSLeay (see bio.doc).  This
+function is the same as ASN1_d2i_fp() except for the BIO argument.
+ASN1_d2i_fp() actually calls this function.
+
+int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+'x' is converted to bytes by 'i2d' and then written to 'out'.  ASN1_i2d_fp
+and ASN1_d2i_fp are not really symetric since ASN1_i2d_fp will read all
+available data from the file pointer before parsing a single item while
+ASN1_i2d_fp can be used to write a sequence of data objects.  To read a
+series of objects from a file I would sugest loading the file into a buffer
+and calling the relevent 'd2i' functions.
+
+char *ASN1_d2i_bio(char *(*new)(),char *(*d2i)(),BIO *fp,unsigned char **x);
+This function is the same as ASN1_i2d_fp() except for the BIO argument.
+ASN1_i2d_fp() actually calls this function.
+
+char *	PEM_ASN1_read(char *(*d2i)(),char *name,FILE *fp,char **x,int (*cb)());
+This function will read the next PEM encoded (base64) object of the same
+type as 'x' (loaded by the d2i function).  'name' is the name that is in
+the '-----BEGIN name-----' that designates the start of that object type.
+If the data is encrypted, 'cb' will be called to prompt for a password.  If
+it is NULL a default function will be used to prompt from the password.
+'x' is delt with as per the standard 'd2i' function interface.  This
+function can be used to read a series of objects from a file.  While any
+data type can be encrypted (see PEM_ASN1_write) only RSA private keys tend
+to be encrypted.
+
+char *	PEM_ASN1_read_bio(char *(*d2i)(),char *name,BIO *fp,
+	char **x,int (*cb)());
+Same as PEM_ASN1_read() except using a BIO.  This is called by
+PEM_ASN1_read().
+
+int	PEM_ASN1_write(int (*i2d)(),char *name,FILE *fp,char *x,EVP_CIPHER *enc,
+		unsigned char *kstr,int klen,int (*callback)());
+
+int	PEM_ASN1_write_bio(int (*i2d)(),char *name,BIO *fp,
+		char *x,EVP_CIPHER *enc,unsigned char *kstr,int klen,
+		int (*callback)());
+
+int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
+	ASN1_BIT_STRING *signature, char *data, RSA *rsa, EVP_MD *type);
+int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
+	ASN1_BIT_STRING *signature,char *data, RSA *rsa);
+
+int ASN1_BIT_STRING_cmp(ASN1_BIT_STRING *a, ASN1_BIT_STRING *b);
+ASN1_BIT_STRING *ASN1_BIT_STRING_type_new(int type );
+
+int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
+void ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
+ASN1_UTCTIME *ASN1_UTCTIME_dup(ASN1_UTCTIME *a);
+
+ASN1_BIT_STRING *d2i_asn1_print_type(ASN1_BIT_STRING **a,unsigned char **pp,
+		long length,int type);
+
+int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
+			int (*func)(), int ex_tag, int ex_class);
+STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
+			char *(*func)(), int ex_tag, int ex_class);
+
+int i2a_ASN1_OBJECT(BIO *bp,ASN1_OBJECT *object);
+int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
+int a2i_ASN1_INTEGER(BIO *bp,ASN1_INTEGER *bs,char *buf,int size);
+
+int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
+long ASN1_INTEGER_get(ASN1_INTEGER *a);
+ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai);
+BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai,BIGNUM *bn);
+
+/* given a string, return the correct type.  Max is the maximum number
+ * of bytes to parse.  It stops parsing when 'max' bytes have been
+ * processed or a '\0' is hit */
+int ASN1_PRINTABLE_type(unsigned char *s,int max);
+
+void ASN1_parse(BIO *fp,unsigned char *pp,long len);
+
+int i2d_ASN1_bytes(ASN1_BIT_STRING *a, unsigned char **pp, int tag, int class);
+ASN1_BIT_STRING *d2i_ASN1_bytes(ASN1_OCTET_STRING **a, unsigned char **pp,
+	long length, int Ptag, int Pclass);
+
+/* PARSING */
+int asn1_Finish(ASN1_CTX *c);
+
+/* SPECIALS */
+int ASN1_get_object(unsigned char **pp, long *plength, int *ptag,
+	int *pclass, long omax);
+int ASN1_check_infinite_end(unsigned char **p,long len);
+void ASN1_put_object(unsigned char **pp, int constructed, int length,
+	int tag, int class);
+int ASN1_object_size(int constructed, int length, int tag);
+
+X509 *	X509_get_cert(CERTIFICATE_CTX *ctx,X509_NAME * name,X509 *tmp_x509);
+int  	X509_add_cert(CERTIFICATE_CTX *ctx,X509 *);
+
+char *	X509_cert_verify_error_string(int n);
+int 	X509_add_cert_file(CERTIFICATE_CTX *c,char *file, int type);
+char *	X509_gmtime (char *s, long adj);
+int	X509_add_cert_dir (CERTIFICATE_CTX *c,char *dir, int type);
+int	X509_load_verify_locations (CERTIFICATE_CTX *ctx,
+		char *file_env, char *dir_env);
+int	X509_set_default_verify_paths(CERTIFICATE_CTX *cts);
+X509 *	X509_new_D2i_X509(int len, unsigned char *p);
+char *	X509_get_default_cert_area(void );
+char *	X509_get_default_cert_dir(void );
+char *	X509_get_default_cert_file(void );
+char *	X509_get_default_cert_dir_env(void );
+char *	X509_get_default_cert_file_env(void );
+char *	X509_get_default_private_dir(void );
+X509_REQ *X509_X509_TO_req(X509 *x, RSA *rsa);
+int	X509_cert_verify(CERTIFICATE_CTX *ctx,X509 *xs, int (*cb)()); 
+
+CERTIFICATE_CTX *CERTIFICATE_CTX_new();
+void CERTIFICATE_CTX_free(CERTIFICATE_CTX *c);
+
+void X509_NAME_print(BIO *fp, X509_NAME *name, int obase);
+int		X509_print_fp(FILE *fp,X509 *x);
+int		X509_print(BIO *fp,X509 *x);
+
+X509_INFO *	X509_INFO_new(void);
+void		X509_INFO_free(X509_INFO *a);
+
+char *		X509_NAME_oneline(X509_NAME *a);
+
+#define X509_verify(x,rsa)
+#define X509_REQ_verify(x,rsa)
+#define X509_CRL_verify(x,rsa)
+
+#define X509_sign(x,rsa,md)
+#define X509_REQ_sign(x,rsa,md)
+#define X509_CRL_sign(x,rsa,md)
+
+#define X509_dup(x509)
+#define d2i_X509_fp(fp,x509)
+#define i2d_X509_fp(fp,x509)
+#define d2i_X509_bio(bp,x509)
+#define i2d_X509_bio(bp,x509)
+
+#define X509_CRL_dup(crl)
+#define d2i_X509_CRL_fp(fp,crl)
+#define i2d_X509_CRL_fp(fp,crl)
+#define d2i_X509_CRL_bio(bp,crl)
+#define i2d_X509_CRL_bio(bp,crl)
+
+#define X509_REQ_dup(req)
+#define d2i_X509_REQ_fp(fp,req)
+#define i2d_X509_REQ_fp(fp,req)
+#define d2i_X509_REQ_bio(bp,req)
+#define i2d_X509_REQ_bio(bp,req)
+
+#define RSAPrivateKey_dup(rsa)
+#define d2i_RSAPrivateKey_fp(fp,rsa)
+#define i2d_RSAPrivateKey_fp(fp,rsa)
+#define d2i_RSAPrivateKey_bio(bp,rsa)
+#define i2d_RSAPrivateKey_bio(bp,rsa)
+
+#define X509_NAME_dup(xn)
+#define X509_NAME_ENTRY_dup(ne)
+
+void X509_REQ_print_fp(FILE *fp,X509_REQ *req);
+void X509_REQ_print(BIO *fp,X509_REQ *req);
+
+RSA *X509_REQ_extract_key(X509_REQ *req);
+RSA *X509_extract_key(X509 *x509);
+
+int		X509_issuer_and_serial_cmp(X509 *a, X509 *b);
+unsigned long	X509_issuer_and_serial_hash(X509 *a);
+
+X509_NAME *	X509_get_issuer_name(X509 *a);
+int		X509_issuer_name_cmp(X509 *a, X509 *b);
+unsigned long	X509_issuer_name_hash(X509 *a);
+
+X509_NAME *	X509_get_subject_name(X509 *a);
+int		X509_subject_name_cmp(X509 *a,X509 *b);
+unsigned long	X509_subject_name_hash(X509 *x);
+
+int		X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
+unsigned long	X509_NAME_hash(X509_NAME *x);
+
+
+==== bio.doc ========================================================
+
+BIO Routines
+
+This documentation is rather sparse, you are probably best 
+off looking at the code for specific details.
+
+The BIO library is a IO abstraction that was originally 
+inspired by the need to have callbacks to perform IO to FILE 
+pointers when using Windows 3.1 DLLs.  There are two types 
+of BIO; a source/sink type and a filter type.
+The source/sink methods are as follows:
+-	BIO_s_mem()  memory buffer - a read/write byte array that
+	grows until memory runs out :-).
+-	BIO_s_file()  FILE pointer - A wrapper around the normal 
+	'FILE *' commands, good for use with stdin/stdout.
+-	BIO_s_fd()  File descriptor - A wrapper around file 
+	descriptors, often used with pipes.
+-	BIO_s_socket()  Socket - Used around sockets.  It is 
+	mostly in the Microsoft world that sockets are different 
+	from file descriptors and there are all those ugly winsock 
+	commands.
+-	BIO_s_null()  Null - read nothing and write nothing.; a 
+	useful endpoint for filter type BIO's specifically things 
+	like the message digest BIO.
+
+The filter types are
+-	BIO_f_buffer()  IO buffering - does output buffering into 
+	larger chunks and performs input buffering to allow gets() 
+	type functions.
+-	BIO_f_md()  Message digest - a transparent filter that can 
+	be asked to return a message digest for the data that has 
+	passed through it.
+-	BIO_f_cipher()  Encrypt or decrypt all data passing 
+	through the filter.
+-	BIO_f_base64()  Base64 decode on read and encode on write.
+-	BIO_f_ssl()  A filter that performs SSL encryption on the 
+	data sent through it.
+
+Base BIO functions.
+The BIO library has a set of base functions that are 
+implemented for each particular type.  Filter BIOs will 
+normally call the equivalent function on the source/sink BIO 
+that they are layered on top of after they have performed 
+some modification to the data stream.  Multiple filter BIOs 
+can be 'push' into a stack of modifers, so to read from a 
+file, unbase64 it, then decrypt it, a BIO_f_cipher, 
+BIO_f_base64 and a BIO_s_file would probably be used.  If a 
+sha-1 and md5 message digest needed to be generated, a stack 
+two BIO_f_md() BIOs and a BIO_s_null() BIO could be used.
+The base functions are
+-	BIO *BIO_new(BIO_METHOD *type); Create  a new BIO of  type 'type'.
+-	int BIO_free(BIO *a); Free a BIO structure.  Depending on 
+	the configuration, this will free the underlying data 
+	object for a source/sink BIO.
+-	int BIO_read(BIO *b, char *data, int len); Read upto 'len' 
+	bytes into 'data'. 
+-	int BIO_gets(BIO *bp,char *buf, int size); Depending on 
+	the BIO, this can either be a 'get special' or a get one 
+	line of data, as per fgets();
+-	int BIO_write(BIO *b, char *data, int len); Write 'len' 
+	bytes from 'data' to the 'b' BIO.
+-	int BIO_puts(BIO *bp,char *buf); Either a 'put special' or 
+	a write null terminated string as per fputs().
+-	long BIO_ctrl(BIO *bp,int cmd,long larg,char *parg);  A 
+	control function which is used to manipulate the BIO 
+	structure and modify it's state and or report on it.  This 
+	function is just about never used directly, rather it 
+	should be used in conjunction with BIO_METHOD specific 
+	macros.
+-	BIO *BIO_push(BIO *new_top, BIO *old); new_top is apped to the
+	top of the 'old' BIO list.  new_top should be a filter BIO.
+	All writes will go through 'new_top' first and last on read.
+	'old' is returned.
+-	BIO *BIO_pop(BIO *bio); the new topmost BIO is returned, NULL if
+	there are no more.
+
+If a particular low level BIO method is not supported 
+(normally BIO_gets()), -2 will be returned if that method is 
+called.  Otherwise the IO methods (read, write, gets, puts) 
+will return the number of bytes read or written, and 0 or -1 
+for error (or end of input).  For the -1 case, 
+BIO_should_retry(bio) can be called to determine if it was a 
+genuine error or a temporary problem.  -2 will also be 
+returned if the BIO has not been initalised yet, in all 
+cases, the correct error codes are set (accessible via the 
+ERR library).
+
+
+The following functions are convenience functions:
+-	int BIO_printf(BIO *bio, char * format, ..);  printf but 
+	to a BIO handle.
+-	long BIO_ctrl_int(BIO *bp,int cmd,long larg,int iarg); a 
+	convenience function to allow a different argument types 
+	to be passed to BIO_ctrl().
+-	int BIO_dump(BIO *b,char *bytes,int len); output 'len' 
+	bytes from 'bytes' in a hex dump debug format.
+-	long BIO_debug_callback(BIO *bio, int cmd, char *argp, int 
+	argi, long argl, long ret) - a default debug BIO callback, 
+	this is mentioned below.  To use this one normally has to 
+	use the BIO_set_callback_arg() function to assign an 
+	output BIO for the callback to use.
+-	BIO *BIO_find_type(BIO *bio,int type); when there is a 'stack'
+	of BIOs, this function scan the list and returns the first
+	that is of type 'type', as listed in buffer.h under BIO_TYPE_XXX.
+-	void BIO_free_all(BIO *bio); Free the bio and all other BIOs
+	in the list.  It walks the bio->next_bio list.
+
+
+
+Extra commands are normally implemented as macros calling BIO_ctrl().
+-	BIO_number_read(BIO *bio) - the number of bytes processed 
+	by BIO_read(bio,.).
+-	BIO_number_written(BIO *bio) - the number of bytes written 
+	by BIO_write(bio,.).
+-	BIO_reset(BIO *bio) - 'reset' the BIO.
+-	BIO_eof(BIO *bio) - non zero if we are at the current end 
+	of input.
+-	BIO_set_close(BIO *bio, int close_flag) - set the close flag.
+-	BIO_get_close(BIO *bio) - return the close flag.
+	BIO_pending(BIO *bio) - return the number of bytes waiting 
+	to be read (normally buffered internally).
+-	BIO_flush(BIO *bio) - output any data waiting to be output.
+-	BIO_should_retry(BIO *io) - after a BIO_read/BIO_write 
+	operation returns 0 or -1, a call to this function will 
+	return non zero if you should retry the call later (this 
+	is for non-blocking IO).
+-	BIO_should_read(BIO *io) - we should retry when data can 
+	be read.
+-	BIO_should_write(BIO *io) - we should retry when data can 
+	be written.
+-	BIO_method_name(BIO *io) - return a string for the method name.
+-	BIO_method_type(BIO *io) - return the unique ID of the BIO method.
+-	BIO_set_callback(BIO *io,  long (*callback)(BIO *io, int 
+	cmd, char *argp, int argi, long argl, long ret); - sets 
+	the debug callback.
+-	BIO_get_callback(BIO *io) - return the assigned function 
+	as mentioned above.
+-	BIO_set_callback_arg(BIO *io, char *arg)  - assign some 
+	data against the BIO.  This is normally used by the debug 
+	callback but could in reality be used for anything.  To 
+	get an idea of how all this works, have a look at the code 
+	in the default debug callback mentioned above.  The 
+	callback can modify the return values.
+
+Details of the BIO_METHOD structure.
+typedef struct bio_method_st
+        {
+	int type;
+	char *name;
+	int (*bwrite)();
+	int (*bread)();
+	int (*bputs)();
+	int (*bgets)();
+	long (*ctrl)();
+	int (*create)();
+	int (*destroy)();
+	} BIO_METHOD;
+
+The 'type' is the numeric type of the BIO, these are listed in buffer.h;
+'Name' is a textual representation of the BIO 'type'.
+The 7 function pointers point to the respective function 
+methods, some of which can be NULL if not implemented.
+The BIO structure
+typedef struct bio_st
+	{
+	BIO_METHOD *method;
+	long (*callback)(BIO * bio, int mode, char *argp, int 
+		argi, long argl, long ret);
+	char *cb_arg; /* first argument for the callback */
+	int init;
+	int shutdown;
+	int flags;      /* extra storage */
+	int num;
+	char *ptr;
+	struct bio_st *next_bio; /* used by filter BIOs */
+	int references;
+	unsigned long num_read;
+	unsigned long num_write;
+	} BIO;
+
+-	'Method' is the BIO method.
+-	'callback', when configured, is called before and after 
+	each BIO method is called for that particular BIO.  This 
+	is intended primarily for debugging and of informational feedback.
+-	'init' is 0 when the BIO can be used for operation.  
+	Often, after a BIO is created, a number of operations may 
+	need to be performed before it is available for use.  An 
+	example is for BIO_s_sock().  A socket needs to be 
+	assigned to the BIO before it can be used.
+-	'shutdown', this flag indicates if the underlying 
+	comunication primative being used should be closed/freed 
+	when the BIO is closed.
+-	'flags' is used to hold extra state.  It is primarily used 
+	to hold information about why a non-blocking operation 
+	failed and to record startup protocol information for the 
+	SSL BIO.
+-	'num' and 'ptr' are used to hold instance specific state 
+	like file descriptors or local data structures.
+-	'next_bio' is used by filter BIOs to hold the pointer of the
+	next BIO in the chain. written data is sent to this BIO and
+	data read is taken from it.
+-	'references' is used to indicate the number of pointers to 
+	this structure.  This needs to be '1' before a call to 
+	BIO_free() is made if the BIO_free() function is to 
+	actually free() the structure, otherwise the reference 
+	count is just decreased.  The actual BIO subsystem does 
+	not really use this functionality but it is useful when 
+	used in more advanced applicaion.
+-	num_read and num_write are the total number of bytes 
+	read/written via the 'read()' and 'write()' methods.
+
+BIO_ctrl operations.
+The following is the list of standard commands passed as the 
+second parameter to BIO_ctrl() and should be supported by 
+all BIO as best as possible.  Some are optional, some are 
+manditory, in any case, where is makes sense, a filter BIO 
+should pass such requests to underlying BIO's.
+-	BIO_CTRL_RESET	- Reset the BIO back to an initial state.
+-	BIO_CTRL_EOF	- return 0 if we are not at the end of input, 
+	non 0 if we are.
+-	BIO_CTRL_INFO	- BIO specific special command, normal
+	information return.
+-	BIO_CTRL_SET	- set IO specific parameter.
+-	BIO_CTRL_GET	- get IO specific parameter.
+-	BIO_CTRL_GET_CLOSE - Get the close on BIO_free() flag, one 
+	of BIO_CLOSE or BIO_NOCLOSE.
+-	BIO_CTRL_SET_CLOSE - Set the close on BIO_free() flag.
+-	BIO_CTRL_PENDING - Return the number of bytes available 
+	for instant reading
+-	BIO_CTRL_FLUSH	- Output pending data, return number of bytes output.
+-	BIO_CTRL_SHOULD_RETRY - After an IO error (-1 returned) 
+	should we 'retry' when IO is possible on the underlying IO object.
+-	BIO_CTRL_RETRY_TYPE - What kind of IO are we waiting on.
+
+The following command is a special BIO_s_file() specific option.
+-	BIO_CTRL_SET_FILENAME - specify a file to open for IO.
+
+The BIO_CTRL_RETRY_TYPE needs a little more explanation.  
+When performing non-blocking IO, or say reading on a memory 
+BIO, when no data is present (or cannot be written), 
+BIO_read() and/or BIO_write() will return -1.  
+BIO_should_retry(bio) will return true if this is due to an 
+IO condition rather than an actual error.  In the case of 
+BIO_s_mem(), a read when there is no data will return -1 and 
+a should retry when there is more 'read' data.
+The retry type is deduced from 2 macros
+BIO_should_read(bio) and BIO_should_write(bio).
+Now while it may appear obvious that a BIO_read() failure 
+should indicate that a retry should be performed when more 
+read data is available, this is often not true when using 
+things like an SSL BIO.  During the SSL protocol startup 
+multiple reads and writes are performed, triggered by any 
+SSL_read or SSL_write.
+So to write code that will transparently handle either a 
+socket or SSL BIO,
+	i=BIO_read(bio,..)
+	if (I == -1)
+		{
+		if (BIO_should_retry(bio))
+			{
+			if (BIO_should_read(bio))
+				{
+				/* call us again when BIO can be read */
+				}
+			if (BIO_should_write(bio))
+				{
+				/* call us again when BIO can be written */
+				}
+			}
+		}
+
+At this point in time only read and write conditions can be 
+used but in the future I can see the situation for other 
+conditions, specifically with SSL there could be a condition 
+of a X509 certificate lookup taking place and so the non-
+blocking BIO_read would require a retry when the certificate 
+lookup subsystem has finished it's lookup.  This is all 
+makes more sense and is easy to use in a event loop type 
+setup.
+When using the SSL BIO, either SSL_read() or SSL_write()s 
+can be called during the protocol startup and things will 
+still work correctly.
+The nice aspect of the use of the BIO_should_retry() macro 
+is that all the errno codes that indicate a non-fatal error 
+are encapsulated in one place.  The Windows specific error 
+codes and WSAGetLastError() calls are also hidden from the 
+application.
+
+Notes on each BIO method.
+Normally buffer.h is just required but depending on the 
+BIO_METHOD, ssl.h or evp.h will also be required.
+
+BIO_METHOD *BIO_s_mem(void);
+-	BIO_set_mem_buf(BIO *bio, BUF_MEM *bm, int close_flag) - 
+	set the underlying BUF_MEM structure for the BIO to use.
+-	BIO_get_mem_ptr(BIO *bio, char **pp) - if pp is not NULL, 
+	set it to point to the memory array and return the number 
+	of bytes available.
+A read/write BIO.  Any data written is appended to the 
+memory array and any read is read from the front.  This BIO 
+can be used for read/write at the same time. BIO_gets() is 
+supported in the fgets() sense.
+BIO_CTRL_INFO can be used to retrieve pointers to the memory 
+buffer and it's length.
+
+BIO_METHOD *BIO_s_file(void);
+-	BIO_set_fp(BIO *bio, FILE *fp, int close_flag) - set 'FILE *' to use.
+-	BIO_get_fp(BIO *bio, FILE **fp) - get the 'FILE *' in use.
+-	BIO_read_filename(BIO *bio, char *name) - read from file.
+-	BIO_write_filename(BIO *bio, char *name) - write to file.
+-	BIO_append_filename(BIO *bio, char *name) - append to file.
+This BIO sits over the normal system fread()/fgets() type 
+functions. Gets() is supported.  This BIO in theory could be 
+used for read and write but it is best to think of each BIO 
+of this type as either a read or a write BIO, not both.
+
+BIO_METHOD *BIO_s_socket(void);
+BIO_METHOD *BIO_s_fd(void);
+-	BIO_sock_should_retry(int i) - the underlying function 
+	used to determine if a call should be retried; the 
+	argument is the '0' or '-1' returned by the previous BIO 
+	operation.
+-	BIO_fd_should_retry(int i) - same as the 
+-	BIO_sock_should_retry() except that it is different internally.
+-	BIO_set_fd(BIO *bio, int fd, int close_flag) - set the 
+	file descriptor to use
+-	BIO_get_fd(BIO *bio, int *fd) - get the file descriptor.
+These two methods are very similar.  Gets() is not 
+supported, if you want this functionality, put a 
+BIO_f_buffer() onto it.  This BIO is bi-directional if the 
+underlying file descriptor is.  This is normally the case 
+for sockets but not the case for stdio descriptors.
+
+BIO_METHOD *BIO_s_null(void);
+Read and write as much data as you like, it all disappears 
+into this BIO.
+
+BIO_METHOD *BIO_f_buffer(void);
+-	BIO_get_buffer_num_lines(BIO *bio) - return the number of 
+	complete lines in the buffer.
+-	BIO_set_buffer_size(BIO *bio, long size) - set the size of 
+	the buffers.
+This type performs input and output buffering.  It performs 
+both at the same time.  The size of the buffer can be set 
+via the set buffer size option.  Data buffered for output is 
+only written when the buffer fills.
+
+BIO_METHOD *BIO_f_ssl(void);
+-	BIO_set_ssl(BIO *bio, SSL *ssl, int close_flag) - the SSL 
+	structure to use.
+-	BIO_get_ssl(BIO *bio, SSL **ssl) - get the SSL structure 
+	in use.
+The SSL bio is a little different from normal BIOs because 
+the underlying SSL structure is a little different.  A SSL 
+structure performs IO via a read and write BIO.  These can 
+be different and are normally set via the
+SSL_set_rbio()/SSL_set_wbio() calls.  The SSL_set_fd() calls 
+are just wrappers that create socket BIOs and then call 
+SSL_set_bio() where the read and write BIOs are the same.  
+The BIO_push() operation makes the SSLs IO BIOs the same, so 
+make sure the BIO pushed is capable of two directional 
+traffic.  If it is not, you will have to install the BIOs 
+via the more conventional SSL_set_bio() call.  BIO_pop() will retrieve
+the 'SSL read' BIO.
+
+BIO_METHOD *BIO_f_md(void);
+-	BIO_set_md(BIO *bio, EVP_MD *md) - set the message digest 
+	to use.
+-	BIO_get_md(BIO *bio, EVP_MD **mdp) - return the digest 
+	method in use in mdp, return 0 if not set yet.
+-	BIO_reset() reinitializes the digest (EVP_DigestInit()) 
+	and passes the reset to the underlying BIOs.
+All data read or written via BIO_read() or BIO_write() to 
+this BIO will be added to the calculated digest.  This 
+implies that this BIO is only one directional.  If read and 
+write operations are performed, two separate BIO_f_md() BIOs 
+are reuqired to generate digests on both the input and the 
+output.  BIO_gets(BIO *bio, char *md, int size) will place the 
+generated digest into 'md' and return the number of bytes.  
+The EVP_MAX_MD_SIZE should probably be used to size the 'md' 
+array.  Reading the digest will also reset it.
+
+BIO_METHOD *BIO_f_cipher(void);
+-	BIO_reset() reinitializes the cipher.
+-	BIO_flush() should be called when the last bytes have been 
+	output to flush the final block of block ciphers.
+-	BIO_get_cipher_status(BIO *b), when called after the last 
+	read from a cipher BIO, returns non-zero if the data 
+	decrypted correctly, otherwise, 0.
+-	BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *key, 
+	unsigned char *iv, int encrypt)   This function is used to 
+	setup a cipher BIO.  The length of key and iv are 
+	specified by the choice of EVP_CIPHER.  Encrypt is 1 to 
+	encrypt and 0 to decrypt.
+
+BIO_METHOD *BIO_f_base64(void);
+-	BIO_flush() should be called when the last bytes have been output.
+This BIO base64 encodes when writing and base64 decodes when 
+reading.  It will scan the input until a suitable begin line 
+is found.  After reading data, BIO_reset() will reset the 
+BIO to start scanning again.  Do not mix reading and writing 
+on the same base64 BIO.  It is meant as a single stream BIO.
+
+Directions	type
+both		BIO_s_mem()
+one/both	BIO_s_file()
+both		BIO_s_fd()
+both		BIO_s_socket() 
+both		BIO_s_null()
+both		BIO_f_buffer()
+one		BIO_f_md()  
+one		BIO_f_cipher()  
+one		BIO_f_base64()  
+both		BIO_f_ssl()
+
+It is easy to mix one and two directional BIOs, all one has 
+to do is to keep two separate BIO pointers for reading and 
+writing and be careful about usage of underlying BIOs.  The 
+SSL bio by it's very nature has to be two directional but 
+the BIO_push() command will push the one BIO into the SSL 
+BIO for both reading and writing.
+
+The best example program to look at is apps/enc.c and/or perhaps apps/dgst.c.
+
+
+==== blowfish.doc ========================================================
+
+The Blowfish library.
+
+Blowfish is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses variable size key, but 128bit (16 byte) key would normally be considered
+good.  It can be used in all the modes that DES can be used.  This
+library implements the ecb, cbc, cfb64, ofb64 modes.
+
+Blowfish is quite a bit faster that DES, and much faster than IDEA or
+RC2.  It is one of the faster block ciphers.
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'blowfish.h'.
+
+All of the encryption functions take what is called an BF_KEY as an 
+argument.  An BF_KEY is an expanded form of the Blowfish key.
+For all modes of the Blowfish algorithm, the BF_KEY used for
+decryption is the same one that was used for encryption.
+
+The define BF_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. BF_DECRYPT is passed to
+specify decryption.
+
+Please note that any of the encryption modes specified in my DES library
+could be used with Blowfish.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic Blowfish encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple Blowfish, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  BF_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void BF_set_key(
+BF_KEY *ks;
+int len;
+unsigned char *key;
+        BF_set_key converts an 'len' byte key into a BF_KEY.
+        A 'ks' is an expanded form of the 'key' which is used to
+        perform actual encryption.  It can be regenerated from the Blowfish key
+        so it only needs to be kept when encryption or decryption is about
+        to occur.  Don't save or pass around BF_KEY's since they
+        are CPU architecture dependent, 'key's are not.  Blowfish is an
+	interesting cipher in that it can be used with a variable length
+	key.  'len' is the length of 'key' to be used as the key.
+	A 'len' of 16 is recomended by me, but blowfish can use upto
+	72 bytes.  As a warning, blowfish has a very very slow set_key
+	function, it actually runs BF_encrypt 521 times.
+	
+void BF_encrypt(unsigned long *data, BF_KEY *key);
+void BF_decrypt(unsigned long *data, BF_KEY *key);
+	These are the Blowfish encryption function that gets called by just
+	about every other Blowfish routine in the library.  You should not
+	use this function except to implement 'modes' of Blowfish.
+	I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.
+	Data is a pointer to 2 unsigned long's and key is the
+	BF_KEY to use. 
+
+void BF_ecb_encrypt(
+unsigned char *in,
+unsigned char *out,
+BF_KEY *key,
+int encrypt);
+	This is the basic Electronic Code Book form of Blowfish (in DES this
+	mode is called Electronic Code Book so I'm going to use the term
+	for blowfish as well.
+	Input is encrypted into output using the key represented by
+	key.  Depending on the encrypt, encryption or
+	decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+	
+void BF_cbc_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *ks,
+unsigned char *ivec,
+int encrypt);
+	This routine implements Blowfish in Cipher Block Chaining mode.
+	Input, which should be a multiple of 8 bytes is encrypted
+	(or decrypted) to output which will also be a multiple of 8 bytes.
+	The number of bytes is in length (and from what I've said above,
+	should be a multiple of 8).  If length is not a multiple of 8, bad 
+	things will probably happen.  ivec is the initialisation vector.
+	This function updates iv after each call so that it can be passed to
+	the next call to BF_cbc_encrypt().
+	
+void BF_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *schedule,
+unsigned char *ivec,
+int *num,
+int encrypt);
+	This is one of the more useful functions in this Blowfish library, it
+	implements CFB mode of Blowfish with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	'Encrypt' is used to indicate encryption or decryption.
+	CFB64 mode operates by using the cipher to generate a stream
+	of bytes which is used to encrypt the plain text.
+	The cipher text is then encrypted to generate the next 64 bits to
+	be xored (incrementally) with the next 64 bits of plain
+	text.  As can be seen from this, to encrypt or decrypt,
+	the same 'cipher stream' needs to be generated but the way the next
+	block of data is gathered for encryption is different for
+	encryption and decryption.
+	
+void BF_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *schedule,
+unsigned char *ivec,
+int *num);
+	This functions implements OFB mode of Blowfish with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	This is in effect a stream cipher, there is no encryption or
+	decryption mode.
+	
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+BF_set_key().
+
+=====
+For more information about the specific Blowfish modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for Blowfish.
+
+
+==== bn.doc ========================================================
+
+The Big Number library.
+
+#include "bn.h" when using this library.
+
+This big number library was written for use in implementing the RSA and DH
+public key encryption algorithms.  As such, features such as negative
+numbers have not been extensively tested but they should work as expected.
+This library uses dynamic memory allocation for storing its data structures
+and so there are no limit on the size of the numbers manipulated by these
+routines but there is always the requirement to check return codes from
+functions just in case a memory allocation error has occurred.
+
+The basic object in this library is a BIGNUM.  It is used to hold a single
+large integer.  This type should be considered opaque and fields should not
+be modified or accessed directly.
+typedef struct bignum_st
+	{
+	int top;	/* Index of last used d. */
+	BN_ULONG *d;	/* Pointer to an array of 'BITS2' bit chunks. */
+	int max;	/* Size of the d array. */
+	int neg;
+	} BIGNUM;
+The big number is stored in a malloced array of BN_ULONG's.  A BN_ULONG can
+be either 16, 32 or 64 bits in size, depending on the 'number of  bits'
+specified in bn.h. 
+The 'd' field is this array.  'max' is the size of the 'd' array that has
+been allocated.  'top' is the 'last' entry being used, so for a value of 4,
+bn.d[0]=4 and bn.top=1.  'neg' is 1 if the number is negative.
+When a BIGNUM is '0', the 'd' field can be NULL and top == 0.
+
+Various routines in this library require the use of 'temporary' BIGNUM
+variables during their execution.  Due to the use of dynamic memory
+allocation to create BIGNUMs being rather expensive when used in
+conjunction with repeated subroutine calls, the BN_CTX structure is
+used.  This structure contains BN_CTX BIGNUMs.  BN_CTX
+is the maximum number of temporary BIGNUMs any publicly exported 
+function will use.
+
+#define BN_CTX	12
+typedef struct bignum_ctx
+	{
+	int tos;			/* top of stack */
+	BIGNUM *bn[BN_CTX];	/* The variables */
+	} BN_CTX;
+
+The functions that follow have been grouped according to function.  Most
+arithmetic functions return a result in the first argument, sometimes this
+first argument can also be an input parameter, sometimes it cannot.  These
+restrictions are documented.
+
+extern BIGNUM *BN_value_one;
+There is one variable defined by this library, a BIGNUM which contains the
+number 1.  This variable is useful for use in comparisons and assignment.
+
+Get Size functions.
+
+int BN_num_bits(BIGNUM *a);
+	This function returns the size of 'a' in bits.
+	
+int BN_num_bytes(BIGNUM *a);
+	This function (macro) returns the size of 'a' in bytes.
+	For conversion of BIGNUMs to byte streams, this is the number of
+	bytes the output string will occupy.  If the output byte
+	format specifies that the 'top' bit indicates if the number is
+	signed, so an extra '0' byte is required if the top bit on a
+	positive number is being written, it is upto the application to
+	make this adjustment.  Like I said at the start, I don't
+	really support negative numbers :-).
+
+Creation/Destruction routines.
+
+BIGNUM *BN_new();
+	Return a new BIGNUM object.  The number initially has a value of 0.  If
+	there is an error, NULL is returned.
+	
+void	BN_free(BIGNUM *a);
+	Free()s a BIGNUM.
+	
+void	BN_clear(BIGNUM *a);
+	Sets 'a' to a value of 0 and also zeros all unused allocated
+	memory.  This function is used to clear a variable of 'sensitive'
+	data that was held in it.
+	
+void	BN_clear_free(BIGNUM *a);
+	This function zeros the memory used by 'a' and then free()'s it.
+	This function should be used to BN_free() BIGNUMS that have held
+	sensitive numeric values like RSA private key values.  Both this
+	function and BN_clear tend to only be used by RSA and DH routines.
+
+BN_CTX *BN_CTX_new(void);
+	Returns a new BN_CTX.  NULL on error.
+	
+void	BN_CTX_free(BN_CTX *c);
+	Free a BN_CTX structure.  The BIGNUMs in 'c' are BN_clear_free()ed.
+	
+BIGNUM *bn_expand(BIGNUM *b, int bits);
+	This is an internal function that should not normally be used.  It
+	ensures that 'b' has enough room for a 'bits' bit number.  It is
+	mostly used by the various BIGNUM routines.  If there is an error,
+	NULL is returned. if not, 'b' is returned.
+	
+BIGNUM *BN_copy(BIGNUM *to, BIGNUM *from);
+	The 'from' is copied into 'to'.  NULL is returned if there is an
+	error, otherwise 'to' is returned.
+
+BIGNUM *BN_dup(BIGNUM *a);
+	A new BIGNUM is created and returned containing the value of 'a'.
+	NULL is returned on error.
+
+Comparison and Test Functions.
+
+int BN_is_zero(BIGNUM *a)
+	Return 1 if 'a' is zero, else 0.
+
+int BN_is_one(a)
+	Return 1 is 'a' is one, else 0.
+
+int BN_is_word(a,w)
+	Return 1 if 'a' == w, else 0.  'w' is a BN_ULONG.
+
+int BN_cmp(BIGNUM *a, BIGNUM *b);
+	Return -1 if 'a' is less than 'b', 0 if 'a' and 'b' are the same
+	and 1 is 'a' is greater than 'b'.  This is a signed comparison.
+	
+int BN_ucmp(BIGNUM *a, BIGNUM *b);
+	This function is the same as BN_cmp except that the comparison
+	ignores the sign of the numbers.
+	
+Arithmetic Functions
+For all of these functions, 0 is returned if there is an error and 1 is
+returned for success.  The return value should always be checked.  eg.
+if (!BN_add(r,a,b)) goto err;
+Unless explicitly mentioned, the 'return' value can be one of the
+'parameters' to the function.
+
+int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+	Add 'a' and 'b' and return the result in 'r'.  This is r=a+b.
+	
+int BN_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+	Subtract 'a' from 'b' and put the result in 'r'. This is r=a-b.
+	
+int BN_lshift(BIGNUM *r, BIGNUM *a, int n);
+	Shift 'a' left by 'n' bits.  This is r=a*(2^n).
+	
+int BN_lshift1(BIGNUM *r, BIGNUM *a);
+	Shift 'a' left by 1 bit.  This form is more efficient than
+	BN_lshift(r,a,1).  This is r=a*2.
+	
+int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+	Shift 'a' right by 'n' bits.  This is r=int(a/(2^n)).
+	
+int BN_rshift1(BIGNUM *r, BIGNUM *a);
+	Shift 'a' right by 1 bit.  This form is more efficient than
+	BN_rshift(r,a,1).  This is r=int(a/2).
+	
+int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+	Multiply a by b and return the result in 'r'. 'r' must not be
+	either 'a' or 'b'.  It has to be a different BIGNUM.
+	This is r=a*b.
+
+int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+	Multiply a by a and return the result in 'r'. 'r' must not be
+	'a'.  This function is alot faster than BN_mul(r,a,a).  This is r=a*a.
+
+int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx);
+	Divide 'm' by 'd' and return the result in 'dv' and the remainder
+	in 'rem'.  Either of 'dv' or 'rem' can be NULL in which case that
+	value is not returned.  'ctx' needs to be passed as a source of
+	temporary BIGNUM variables.
+	This is dv=int(m/d), rem=m%d.
+	
+int BN_mod(BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx);
+	Find the remainder of 'm' divided by 'd' and return it in 'rem'.
+	'ctx' holds the temporary BIGNUMs required by this function.
+	This function is more efficient than BN_div(NULL,rem,m,d,ctx);
+	This is rem=m%d.
+
+int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *m,BN_CTX *ctx);
+	Multiply 'a' by 'b' and return the remainder when divided by 'm'.
+	'ctx' holds the temporary BIGNUMs required by this function.
+	This is r=(a*b)%m.
+
+int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,BN_CTX *ctx);
+	Raise 'a' to the 'p' power and return the remainder when divided by
+	'm'.  'ctx' holds the temporary BIGNUMs required by this function.
+	This is r=(a^p)%m.
+
+int BN_reciprocal(BIGNUM *r, BIGNUM *m, BN_CTX *ctx);
+	Return the reciprocal of 'm'.  'ctx' holds the temporary variables
+	required.  This function returns -1 on error, otherwise it returns
+	the number of bits 'r' is shifted left to make 'r' into an integer.
+	This number of bits shifted is required in BN_mod_mul_reciprocal().
+	This is r=(1/m)<<(BN_num_bits(m)+1).
+	
+int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BIGNUM *m, 
+	BIGNUM *i, int nb, BN_CTX *ctx);
+	This function is used to perform an efficient BN_mod_mul()
+	operation.  If one is going to repeatedly perform BN_mod_mul() with
+	the same modulus is worth calculating the reciprocal of the modulus
+	and then using this function.  This operation uses the fact that
+	a/b == a*r where r is the reciprocal of b.  On modern computers
+	multiplication is very fast and big number division is very slow.
+	'x' is multiplied by 'y' and then divided by 'm' and the remainder
+	is returned.  'i' is the reciprocal of 'm' and 'nb' is the number
+	of bits as returned from BN_reciprocal().  Normal usage is as follows.
+	bn=BN_reciprocal(i,m);
+	for (...)
+		{ BN_mod_mul_reciprocal(r,x,y,m,i,bn,ctx); }
+	This is r=(x*y)%m.  Internally it is approximately
+	r=(x*y)-m*(x*y/m) or r=(x*y)-m*((x*y*i) >> bn)
+	This function is used in BN_mod_exp() and BN_is_prime().
+
+Assignment Operations
+
+int BN_one(BIGNUM *a)
+	Set 'a' to hold the value one.
+	This is a=1.
+	
+int BN_zero(BIGNUM *a)
+	Set 'a' to hold the value zero.
+	This is a=0.
+	
+int BN_set_word(BIGNUM *a, unsigned long w);
+	Set 'a' to hold the value of 'w'.  'w' is an unsigned long.
+	This is a=w.
+
+unsigned long BN_get_word(BIGNUM *a);
+	Returns 'a' in an unsigned long.  Not remarkably, often 'a' will
+	be biger than a word, in which case 0xffffffffL is returned.
+
+Word Operations
+These functions are much more efficient that the normal bignum arithmetic
+operations.
+
+BN_ULONG BN_mod_word(BIGNUM *a, unsigned long w);
+	Return the remainder of 'a' divided by 'w'.
+	This is return(a%w).
+	
+int BN_add_word(BIGNUM *a, unsigned long w);
+	Add 'w' to 'a'.  This function does not take the sign of 'a' into
+	account.  This is a+=w;
+	
+Bit operations.
+
+int BN_is_bit_set(BIGNUM *a, int n);
+	This function return 1 if bit 'n' is set in 'a' else 0.
+
+int BN_set_bit(BIGNUM *a, int n);
+	This function sets bit 'n' to 1 in 'a'. 
+	This is a&= ~(1<<n);
+
+int BN_clear_bit(BIGNUM *a, int n);
+	This function sets bit 'n' to zero in 'a'.  Return 0 if less
+	than 'n' bits in 'a' else 1.  This is a&= ~(1<<n);
+
+int BN_mask_bits(BIGNUM *a, int n);
+	Truncate 'a' to n bits long.  This is a&= ~((~0)<<n)
+
+Format conversion routines.
+
+BIGNUM *BN_bin2bn(unsigned char *s, int len,BIGNUM *ret);
+	This function converts 'len' bytes in 's' into a BIGNUM which
+	is put in 'ret'.  If ret is NULL, a new BIGNUM is created.
+	Either this new BIGNUM or ret is returned.  The number is
+	assumed to be in bigendian form in 's'.  By this I mean that
+	to 'ret' is created as follows for 'len' == 5.
+	ret = s[0]*2^32 + s[1]*2^24 + s[2]*2^16 + s[3]*2^8 + s[4];
+	This function cannot be used to convert negative numbers.  It
+	is always assumed the number is positive.  The application
+	needs to diddle the 'neg' field of th BIGNUM its self.
+	The better solution would be to save the numbers in ASN.1 format
+	since this is a defined standard for storing big numbers.
+	Look at the functions
+
+	ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai);
+	BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai,BIGNUM *bn);
+	int i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
+	ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
+		long length;
+
+int BN_bn2bin(BIGNUM *a, unsigned char *to);
+	This function converts 'a' to a byte string which is put into
+	'to'.  The representation is big-endian in that the most
+	significant byte of 'a' is put into to[0].  This function
+	returns the number of bytes used to hold 'a'.  BN_num_bytes(a)
+	would return the same value and can be used to determine how
+	large 'to' needs to be.  If the number is negative, this
+	information is lost.  Since this library was written to
+	manipulate large positive integers, the inability to save and
+	restore them is not considered to be a problem by me :-).
+	As for BN_bin2bn(), look at the ASN.1 integer encoding funtions
+	for SSLeay.  They use BN_bin2bn() and BN_bn2bin() internally.
+	
+char *BN_bn2ascii(BIGNUM *a);
+	This function returns a malloc()ed string that contains the
+	ascii hexadecimal encoding of 'a'.  The number is in bigendian
+	format with a '-' in front if the number is negative.
+
+int BN_ascii2bn(BIGNUM **bn, char *a);
+	The inverse of BN_bn2ascii.  The function returns the number of
+	characters from 'a' were processed in generating a the bignum.
+	error is inticated by 0 being returned.  The number is a
+	hex digit string, optionally with a leading '-'.  If *bn
+	is null, a BIGNUM is created and returned via that variable.
+	
+int BN_print_fp(FILE *fp, BIGNUM *a);
+	'a' is printed to file pointer 'fp'.  It is in the same format
+	that is output from BN_bn2ascii().  0 is returned on error,
+	1 if things are ok.
+
+int BN_print(BIO *bp, BIGNUM *a);
+	Same as BN_print except that the output is done to the SSLeay libraries
+	BIO routines.  BN_print_fp() actually calls this function.
+
+Miscellaneous Routines.
+
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+	This function returns in 'rnd' a random BIGNUM that is bits
+	long.  If bottom is 1, the number returned is odd.  If top is set,
+	the top 2 bits of the number are set.  This is useful because if
+	this is set, 2 'n; bit numbers multiplied together will return a 2n
+	bit number.  If top was not set, they could produce a 2n-1 bit
+	number.
+
+BIGNUM *BN_mod_inverse(BIGNUM *a, BIGNUM *n,BN_CTX *ctx);
+	This function create a new BIGNUM and returns it.  This number
+	is the inverse mod 'n' of 'a'.  By this it is meant that the
+	returned value 'r' satisfies (a*r)%n == 1.  This function is
+	used in the generation of RSA keys.  'ctx', as per usual,
+	is used to hold temporary variables that are required by the
+	function.  NULL is returned on error.
+
+int BN_gcd(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_CTX *ctx);
+	'r' has the greatest common divisor of 'a' and 'b'.  'ctx' is
+	used for temporary variables and 0 is returned on error.
+
+int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(),BN_CTX *ctx,
+	char *cb_arg);
+	This function is used to check if a BIGNUM ('p') is prime.
+	It performs this test by using the Miller-Rabin randomised
+	primality test.  This is a probalistic test that requires a
+	number of rounds to ensure the number is prime to a high
+	degree of probability.  Since this can take quite some time, a
+	callback function can be passed and it will be called each
+	time 'p' passes a round of the prime testing.  'callback' will
+	be called as follows, callback(1,n,cb_arg) where n is the number of
+	the round, just passed.  As per usual 'ctx' contains temporary
+	variables used.  If ctx is NULL, it does not matter, a local version
+	will be malloced.  This parameter is present to save some mallocing
+	inside the function but probably could be removed.
+	0 is returned on error.
+	'ncheck' is the number of Miller-Rabin tests to run.  It is
+	suggested to use the value 'BN_prime_checks' by default.
+
+BIGNUM *BN_generate_prime(
+int bits,
+int strong,
+BIGNUM *a,
+BIGNUM *rems,
+void (*callback)());
+char *cb_arg
+	This function is used to generate prime numbers.  It returns a
+	new BIGNUM that has a high probability of being a prime.
+	'bits' is the number of bits that
+	are to be in the prime.  If 'strong' is true, the returned prime
+	will also be a strong prime ((p-1)/2 is also prime).
+	While searching for the prime ('p'), we
+	can add the requirement that the prime fill the following
+	condition p%a == rem.  This can be used to help search for
+	primes with specific features, which is required when looking
+	for primes suitable for use with certain 'g' values in the
+	Diffie-Hellman key exchange algorithm.  If 'a' is NULL,
+	this condition is not checked.  If rem is NULL, rem is assumed
+	to be 1.  Since this search for a prime
+	can take quite some time, if callback is not NULL, it is called
+	in the following situations.
+	We have a suspected prime (from a quick sieve),
+	callback(0,sus_prime++,cb_arg). Each item to be passed to BN_is_prime().
+	callback(1,round++,cb_arg).  Each successful 'round' in BN_is_prime().
+	callback(2,round,cb_arg). For each successful BN_is_prime() test.
+
+Hints
+-----
+
+DSA wants 64*32 to use word mont mul, but RSA wants to use full.
+
+==== callback.doc ========================================================
+
+Callback functions used in SSLeay.
+
+--------------------------
+The BIO library.  
+
+Each BIO structure can have a callback defined against it.  This callback is
+called 2 times for each BIO 'function'.  It is passed 6 parameters.
+BIO_debug_callback() is an example callback which is defined in
+crypto/buffer/bio_cb.c and is used in apps/dgst.c  This is intended mostly
+for debuging or to notify the application of IO.
+
+long BIO_debug_callback(BIO *bio,int cmd,char *argp,int argi,long argl,
+	long ret);
+bio is the BIO being called, cmd is the type of BIO function being called.
+Look at the BIO_CB_* defines in buffer.h.  Argp and argi are the arguments
+passed to BIO_read(), BIO_write, BIO_gets(), BIO_puts().  In the case of
+BIO_ctrl(), argl is also defined.  The first time the callback is called,
+before the underlying function has been executed, 0 is passed as 'ret', and
+if the return code from the callback is not > 0, the call is aborted
+and the returned <= 0 value is returned.
+The second time the callback is called, the 'cmd' value also has
+BIO_CB_RETURN logically 'or'ed with it.  The 'ret' value is the value returned
+from the actuall function call and whatever the callback returns is returned
+from the BIO function.
+
+BIO_set_callback(b,cb) can be used to set the callback function
+(b is a BIO), and BIO_set_callback_arg(b,arg) can be used to
+set the cb_arg argument in the BIO strucutre.  This field is only intended
+to be used by application, primarily in the callback function since it is
+accessable since the BIO is passed.
+
+--------------------------
+The PEM library.
+
+The pem library only really uses one type of callback,
+static int def_callback(char *buf, int num, int verify);
+which is used to return a password string if required.
+'buf' is the buffer to put the string in.  'num' is the size of 'buf'
+and 'verify' is used to indicate that the password should be checked.
+This last flag is mostly used when reading a password for encryption.
+
+For all of these functions, a NULL callback will call the above mentioned
+default callback.  This default function does not work under Windows 3.1.
+For other machines, it will use an application defined prompt string
+(EVP_set_pw_prompt(), which defines a library wide prompt string)
+if defined, otherwise it will use it's own PEM password prompt.
+It will then call EVP_read_pw_string() to get a password from the console.
+If your application wishes to use nice fancy windows to retrieve passwords,
+replace this function.  The callback should return the number of bytes read
+into 'buf'.  If the number of bytes <= 0, it is considered an error.
+
+Functions that take this callback are listed below.  For the 'read' type
+functions, the callback will only be required if the PEM data is encrypted.
+
+For the Write functions, normally a password can be passed in 'kstr', of
+'klen' bytes which will be used if the 'enc' cipher is not NULL.  If
+'kstr' is NULL, the callback will be used to retrieve a password.
+
+int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len,
+	int (*callback)());
+char *PEM_ASN1_read_bio(char *(*d2i)(),char *name,BIO *bp,char **x,int (*cb)());
+char *PEM_ASN1_read(char *(*d2i)(),char *name,FILE *fp,char **x,int (*cb)());
+int PEM_ASN1_write_bio(int (*i2d)(),char *name,BIO *bp,char *x,
+	EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)());
+int PEM_ASN1_write(int (*i2d)(),char *name,FILE *fp,char *x,
+	EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)());
+STACK *PEM_X509_INFO_read(FILE *fp, STACK *sk, int (*cb)());
+STACK *PEM_X509_INFO_read_bio(BIO *fp, STACK *sk, int (*cb)());
+
+#define	PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb)
+#define	PEM_write_DSAPrivateKey(fp,x,enc,kstr,klen,cb)
+#define	PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb)
+#define	PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb)
+#define	PEM_read_SSL_SESSION(fp,x,cb)
+#define	PEM_read_X509(fp,x,cb)
+#define	PEM_read_X509_REQ(fp,x,cb)
+#define	PEM_read_X509_CRL(fp,x,cb)
+#define	PEM_read_RSAPrivateKey(fp,x,cb)
+#define	PEM_read_DSAPrivateKey(fp,x,cb)
+#define	PEM_read_PrivateKey(fp,x,cb)
+#define	PEM_read_PKCS7(fp,x,cb)
+#define	PEM_read_DHparams(fp,x,cb)
+#define	PEM_read_bio_SSL_SESSION(bp,x,cb)
+#define	PEM_read_bio_X509(bp,x,cb)
+#define	PEM_read_bio_X509_REQ(bp,x,cb)
+#define	PEM_read_bio_X509_CRL(bp,x,cb)
+#define	PEM_read_bio_RSAPrivateKey(bp,x,cb)
+#define	PEM_read_bio_DSAPrivateKey(bp,x,cb)
+#define	PEM_read_bio_PrivateKey(bp,x,cb)
+#define	PEM_read_bio_PKCS7(bp,x,cb)
+#define	PEM_read_bio_DHparams(bp,x,cb)
+int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+Now you will notice that macros like
+#define PEM_write_X509(fp,x) \
+                PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \
+		                        (char *)x, NULL,NULL,0,NULL)
+Don't do encryption normally.  If you want to PEM encrypt your X509 structure,
+either just call PEM_ASN1_write directly or just define you own
+macro variant.  As you can see, this macro just sets all encryption related
+parameters to NULL.
+
+
+--------------------------
+The SSL library.
+
+#define SSL_set_info_callback(ssl,cb)
+#define SSL_CTX_set_info_callback(ctx,cb)
+void callback(SSL *ssl,int location,int ret)
+This callback is called each time around the SSL_connect()/SSL_accept() 
+state machine.  So it will be called each time the SSL protocol progresses.
+It is mostly present for use when debugging.  When SSL_connect() or
+SSL_accept() return, the location flag is SSL_CB_ACCEPT_EXIT or
+SSL_CB_CONNECT_EXIT and 'ret' is the value about to be returned.
+Have a look at the SSL_CB_* defines in ssl.h.  If an info callback is defined
+against the SSL_CTX, it is called unless there is one set against the SSL.
+Have a look at
+void client_info_callback() in apps/s_client() for an example.
+
+Certificate verification.
+void SSL_set_verify(SSL *s, int mode, int (*callback) ());
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*callback)());
+This callback is used to help verify client and server X509 certificates.
+It is actually passed to X509_cert_verify(), along with the SSL structure
+so you have to read about X509_cert_verify() :-).  The SSL_CTX version is used
+if the SSL version is not defined.  X509_cert_verify() is the function used
+by the SSL part of the library to verify certificates.  This function is
+nearly always defined by the application.
+
+void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
+int callback(char *arg,SSL *s,X509 *xs,STACK *cert_chain);
+This call is used to replace the SSLeay certificate verification code.
+The 'arg' is kept in the SSL_CTX and is passed to the callback.
+If the callback returns 0, the certificate is rejected, otherwise it
+is accepted.  The callback is replacing the X509_cert_verify() call.
+This feature is not often used, but if you wished to implement
+some totally different certificate authentication system, this 'hook' is
+vital.
+
+SSLeay keeps a cache of session-ids against each SSL_CTX.  These callbacks can
+be used to notify the application when a SSL_SESSION is added to the cache
+or to retrieve a SSL_SESSION that is not in the cache from the application.
+#define SSL_CTX_sess_set_get_cb(ctx,cb)
+SSL_SESSION *callback(SSL *s,char *session_id,int session_id_len,int *copy);
+If defined, this callback is called to return the SESSION_ID for the
+session-id in 'session_id', of 'session_id_len' bytes.  'copy' is set to 1
+if the server is to 'take a copy' of the SSL_SESSION structure.  It is 0
+if the SSL_SESSION is being 'passed in' so the SSLeay library is now
+responsible for 'free()ing' the structure.  Basically it is used to indicate
+if the reference count on the SSL_SESSION structure needs to be incremented.
+
+#define SSL_CTX_sess_set_new_cb(ctx,cb)
+int callback(SSL *s, SSL_SESSION *sess);
+When a new connection is established, if the SSL_SESSION is going to be added
+to the cache, this callback is called.  Return 1 if a 'copy' is required,
+otherwise, return 0.  This return value just causes the reference count
+to be incremented (on return of a 1), this means the application does
+not need to worry about incrementing the refernece count (and the
+locking that implies in a multi-threaded application).
+
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,int (*cb)());
+This sets the SSL password reading function.
+It is mostly used for windowing applications
+and used by PEM_read_bio_X509() and PEM_read_bio_RSAPrivateKey()
+calls inside the SSL library.   The only reason this is present is because the
+calls to PEM_* functions is hidden in the SSLeay library so you have to
+pass in the callback some how.
+
+#define SSL_CTX_set_client_cert_cb(ctx,cb)
+int callback(SSL *s,X509 **x509, EVP_PKEY **pkey);
+Called when a client certificate is requested but there is not one set
+against the SSL_CTX or the SSL.  If the callback returns 1, x509 and
+pkey need to point to valid data.  The library will free these when
+required so if the application wants to keep these around, increment
+their reference counts.  If 0 is returned, no client cert is
+available.  If -1 is returned, it is assumed that the callback needs
+to be called again at a later point in time.  SSL_connect will return
+-1 and SSL_want_x509_lookup(ssl) returns true.  Remember that
+application data can be attached to an SSL structure via the
+SSL_set_app_data(SSL *ssl,char *data) call.
+
+--------------------------
+The X509 library.
+
+int X509_cert_verify(CERTIFICATE_CTX *ctx,X509 *xs, int (*cb)(),
+	int *error,char *arg,STACK *cert_chain);
+int verify_callback(int ok,X509 *xs,X509 *xi,int depth,int error,char *arg,
+	STACK *cert_chain);
+
+X509_cert_verify() is used to authenticate X509 certificates.  The 'ctx' holds
+the details of the various caches and files used to locate certificates.
+'xs' is the certificate to verify and 'cb' is the application callback (more
+detail later).  'error' will be set to the error code and 'arg' is passed
+to the 'cb' callback.  Look at the VERIFY_* defines in crypto/x509/x509.h
+
+When ever X509_cert_verify() makes a 'negative' decision about a
+certitificate, the callback is called.  If everything checks out, the
+callback is called with 'VERIFY_OK' or 'VERIFY_ROOT_OK' (for a self
+signed cert that is not the passed certificate).
+
+The callback is passed the X509_cert_verify opinion of the certificate 
+in 'ok', the certificate in 'xs', the issuer certificate in 'xi',
+the 'depth' of the certificate in the verification 'chain', the
+VERIFY_* code in 'error' and the argument passed to X509_cert_verify()
+in 'arg'. cert_chain is a list of extra certs to use if they are not
+in the cache.
+
+The callback can be used to look at the error reason, and then return 0
+for an 'error' or '1' for ok.  This will override the X509_cert_verify()
+opinion of the certificates validity.  Processing will continue depending on
+the return value.  If one just wishes to use the callback for informational
+reason, just return the 'ok' parameter.
+
+--------------------------
+The BN and DH library.
+
+BIGNUM *BN_generate_prime(int bits,int strong,BIGNUM *add,
+	BIGNUM *rem,void (*callback)(int,int));
+int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int),
+
+Read doc/bn.doc for the description of these 2.
+
+DH *DH_generate_parameters(int prime_len,int generator,
+	void (*callback)(int,int));
+Read doc/bn.doc for the description of the callback, since it is just passed
+to BN_generate_prime(), except that it is also called as
+callback(3,0) by this function.
+
+--------------------------
+The CRYPTO library.
+
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,char *file,
+	int line));
+void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,
+	int type,char *file, int line));
+void CRYPTO_set_id_callback(unsigned long (*func)(void));
+
+Read threads.doc for info on these ones.
+
+
+==== cipher.doc ========================================================
+
+The Cipher subroutines.
+
+These routines require "evp.h" to be included.
+
+These functions are a higher level interface to the various cipher
+routines found in this library.  As such, they allow the same code to be
+used to encrypt and decrypt via different ciphers with only a change
+in an initial parameter.  These routines also provide buffering for block
+ciphers.
+
+These routines all take a pointer to the following structure to specify
+which cipher to use.  If you wish to use a new cipher with these routines,
+you would probably be best off looking an how an existing cipher is
+implemented and copying it.  At this point in time, I'm not going to go
+into many details.  This structure should be considered opaque
+
+typedef struct pem_cipher_st
+	{
+	int type;
+	int block_size;
+	int key_len;
+	int iv_len;
+	void (*enc_init)();	/* init for encryption */
+	void (*dec_init)();	/* init for decryption */
+	void (*do_cipher)();	/* encrypt data */
+	} EVP_CIPHER;
+	
+The type field is the object NID of the cipher type
+(read the section on Objects for an explanation of what a NID is).
+The cipher block_size is how many bytes need to be passed
+to the cipher at a time.  Key_len is the
+length of the key the cipher requires and iv_len is the length of the
+initialisation vector required.  enc_init is the function
+called to initialise the ciphers context for encryption and dec_init is the
+function to initialise for decryption (they need to be different, especially
+for the IDEA cipher).
+
+One reason for specifying the Cipher via a pointer to a structure
+is that if you only use des-cbc, only the des-cbc routines will
+be included when you link the program.  If you passed an integer
+that specified which cipher to use, the routine that mapped that
+integer to a set of cipher functions would cause all the ciphers
+to be link into the code.  This setup also allows new ciphers
+to be added by the application (with some restrictions).
+
+The thirteen ciphers currently defined in this library are
+
+EVP_CIPHER *EVP_des_ecb();     /* DES in ecb mode,     iv=0, block=8, key= 8 */
+EVP_CIPHER *EVP_des_ede();     /* DES in ecb ede mode, iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_des_ede3();    /* DES in ecb ede mode, iv=0, block=8, key=24 */
+EVP_CIPHER *EVP_des_cfb();     /* DES in cfb mode,     iv=8, block=1, key= 8 */
+EVP_CIPHER *EVP_des_ede_cfb(); /* DES in ede cfb mode, iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_des_ede3_cfb();/* DES in ede cfb mode, iv=8, block=1, key=24 */
+EVP_CIPHER *EVP_des_ofb();     /* DES in ofb mode,     iv=8, block=1, key= 8 */
+EVP_CIPHER *EVP_des_ede_ofb(); /* DES in ede ofb mode, iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_des_ede3_ofb();/* DES in ede ofb mode, iv=8, block=1, key=24 */
+EVP_CIPHER *EVP_des_cbc();     /* DES in cbc mode,     iv=8, block=8, key= 8 */
+EVP_CIPHER *EVP_des_ede_cbc(); /* DES in cbc ede mode, iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_des_ede3_cbc();/* DES in cbc ede mode, iv=8, block=8, key=24 */
+EVP_CIPHER *EVP_desx_cbc();    /* DES in desx cbc mode,iv=8, block=8, key=24 */
+EVP_CIPHER *EVP_rc4();         /* RC4,                 iv=0, block=1, key=16 */
+EVP_CIPHER *EVP_idea_ecb();    /* IDEA in ecb mode,    iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_idea_cfb();    /* IDEA in cfb mode,    iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_idea_ofb();    /* IDEA in ofb mode,    iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_idea_cbc();    /* IDEA in cbc mode,    iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_rc2_ecb();     /* RC2 in ecb mode,     iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_rc2_cfb();     /* RC2 in cfb mode,     iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_rc2_ofb();     /* RC2 in ofb mode,     iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_rc2_cbc();     /* RC2 in cbc mode,     iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_bf_ecb();      /* Blowfish in ecb mode,iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_bf_cfb();      /* Blowfish in cfb mode,iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_bf_ofb();      /* Blowfish in ofb mode,iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_bf_cbc();      /* Blowfish in cbc mode,iv=8, block=8, key=16 */
+
+The meaning of the compound names is as follows.
+des	The base cipher is DES.
+idea	The base cipher is IDEA
+rc4	The base cipher is RC4-128
+rc2	The base cipher is RC2-128
+ecb	Electronic Code Book form of the cipher.
+cbc	Cipher Block Chaining form of the cipher.
+cfb	64 bit Cipher Feedback form of the cipher.
+ofb	64 bit Output Feedback form of the cipher.
+ede	The cipher is used in Encrypt, Decrypt, Encrypt mode.  The first
+	and last keys are the same.
+ede3	The cipher is used in Encrypt, Decrypt, Encrypt mode.
+
+All the Cipher routines take a EVP_CIPHER_CTX pointer as an argument.
+The state of the cipher is kept in this structure.
+
+typedef struct EVP_CIPHER_Ctx_st
+	{
+	EVP_CIPHER *cipher;
+	int encrypt;		/* encrypt or decrypt */
+	int buf_len;		/* number we have left */
+	unsigned char buf[8];
+	union	{
+		.... /* cipher specific stuff */
+		} c;
+	} EVP_CIPHER_CTX;
+
+Cipher is a pointer the the EVP_CIPHER for the current context.  The encrypt
+flag indicates encryption or decryption.  buf_len is the number of bytes
+currently being held in buf.
+The 'c' union holds the cipher specify context.
+
+The following functions are to be used.
+
+int EVP_read_pw_string(
+char *buf,
+int len,
+char *prompt,
+int verify,
+	This function is the same as des_read_pw_string() (des.doc).
+
+void EVP_set_pw_prompt(char *prompt);
+	This function sets the 'default' prompt to use to use in
+	EVP_read_pw_string when the prompt parameter is NULL.  If the
+	prompt parameter is NULL, this 'default prompt' feature is turned
+	off.  Be warned, this is a global variable so weird things
+	will happen if it is used under Win16 and care must be taken
+	with a multi-threaded version of the library.
+
+char *EVP_get_pw_prompt();
+	This returns a pointer to the default prompt string.  NULL
+	if it is not set.
+
+int EVP_BytesToKey(
+EVP_CIPHER *type,
+EVP_MD *md,
+unsigned char *salt,
+unsigned char *data,
+int datal,
+int count,
+unsigned char *key,
+unsigned char *iv);
+	This function is used to generate a key and an initialisation vector
+	for a specified cipher from a key string and a salt.  Type
+	specifies the cipher the 'key' is being generated for.  Md is the
+	message digest algorithm to use to generate the key and iv.  The salt
+	is an optional 8 byte object that is used to help seed the key
+	generator.
+	If the salt value is NULL, it is just not used.  Datal is the
+	number of bytes to use from 'data' in the key generation.  
+	This function returns the key size for the specified cipher, if
+	data is NULL, this value is returns and no other
+	computation is performed.  Count is
+	the number of times to loop around the key generator.  I would
+	suggest leaving it's value as 1.  Key and iv are the structures to
+	place the returning iv and key in.  If they are NULL, no value is
+	generated for that particular value.
+	The algorithm used is as follows
+	
+	/* M[] is an array of message digests
+	 * MD() is the message digest function */
+	M[0]=MD(data . salt);
+	for (i=1; i<count; i++) M[0]=MD(M[0]);
+
+	i=1
+	while (data still needed for key and iv)
+		{
+		M[i]=MD(M[i-1] . data . salt);
+		for (i=1; i<count; i++) M[i]=MD(M[i]);
+		i++;
+		}
+
+	If the salt is NULL, it is not used.
+	The digests are concatenated together.
+	M = M[0] . M[1] . M[2] .......
+
+	For key= 8, iv=8 => key=M[0.. 8], iv=M[ 9 .. 16].
+	For key=16, iv=0 => key=M[0..16].
+	For key=16, iv=8 => key=M[0..16], iv=M[17 .. 24].
+	For key=24, iv=8 => key=M[0..24], iv=M[25 .. 32].
+
+	This routine will produce DES-CBC keys and iv that are compatible
+	with the PKCS-5 standard when md2 or md5 are used.  If md5 is
+	used, the salt is NULL and count is 1, this routine will produce
+	the password to key mapping normally used with RC4.
+	I have attempted to logically extend the PKCS-5 standard to
+	generate keys and iv for ciphers that require more than 16 bytes,
+	if anyone knows what the correct standard is, please inform me.
+	When using sha or sha1, things are a bit different under this scheme,
+	since sha produces a 20 byte digest.  So for ciphers requiring
+	24 bits of data, 20 will come from the first MD and 4 will
+	come from the second.
+
+	I have considered having a separate function so this 'routine'
+	can be used without the requirement of passing a EVP_CIPHER *,
+	but I have decided to not bother.  If you wish to use the
+	function without official EVP_CIPHER structures, just declare
+	a local one and set the key_len and iv_len fields to the
+	length you desire.
+
+The following routines perform encryption and decryption 'by parts'.  By
+this I mean that there are groups of 3 routines.  An Init function that is
+used to specify a cipher and initialise data structures.  An Update routine
+that does encryption/decryption, one 'chunk' at a time.  And finally a
+'Final' function that finishes the encryption/decryption process.
+All these functions take a EVP_CIPHER pointer to specify which cipher to
+encrypt/decrypt with.  They also take a EVP_CIPHER_CTX object as an
+argument.  This structure is used to hold the state information associated
+with the operation in progress.
+
+void EVP_EncryptInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv);
+	This function initialise a EVP_CIPHER_CTX for encryption using the
+	cipher passed in the 'type' field.  The cipher is initialised to use
+	'key' as the key and 'iv' for the initialisation vector (if one is
+	required).  If the type, key or iv is NULL, the value currently in the
+	EVP_CIPHER_CTX is reused.  So to perform several decrypt
+	using the same cipher, key and iv, initialise with the cipher,
+	key and iv the first time and then for subsequent calls,
+	reuse 'ctx' but pass NULL for type, key and iv.  You must make sure
+	to pass a key that is large enough for a particular cipher.  I
+	would suggest using the EVP_BytesToKey() function.
+
+void EVP_EncryptUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+	This function takes 'inl' bytes from 'in' and outputs bytes
+	encrypted by the cipher 'ctx' was initialised with into 'out'.  The
+	number of bytes written to 'out' is put into outl.  If a particular
+	cipher encrypts in blocks, less or more bytes than input may be
+	output.  Currently the largest block size used by supported ciphers
+	is 8 bytes, so 'out' should have room for 'inl+7' bytes.  Normally
+	EVP_EncryptInit() is called once, followed by lots and lots of
+	calls to EVP_EncryptUpdate, followed by a single EVP_EncryptFinal
+	call.
+
+void EVP_EncryptFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl);
+	Because quite a large number of ciphers are block ciphers, there is
+	often an incomplete block to write out at the end of the
+	encryption.  EVP_EncryptFinal() performs processing on this last
+	block.  The last block in encoded in such a way that it is possible
+	to determine how many bytes in the last block are valid.  For 8 byte
+	block size ciphers, if only 5 bytes in the last block are valid, the
+	last three bytes will be filled with the value 3.  If only 2 were
+	valid, the other 6 would be filled with sixes.  If all 8 bytes are
+	valid, a extra 8 bytes are appended to the cipher stream containing
+	nothing but 8 eights.  These last bytes are output into 'out' and
+	the number of bytes written is put into 'outl'  These last bytes
+	are output into 'out' and the number of bytes written is put into
+	'outl'.  This form of block cipher finalisation is compatible with
+	PKCS-5.  Please remember that even if you are using ciphers like
+	RC4 that has no blocking and so the function will not write
+	anything into 'out', it would still be a good idea to pass a
+	variable for 'out' that can hold 8 bytes just in case the cipher is
+	changed some time in the future.  It should also be remembered
+	that the EVP_CIPHER_CTX contains the password and so when one has
+	finished encryption with a particular EVP_CIPHER_CTX, it is good
+	practice to zero the structure 
+	(ie. memset(ctx,0,sizeof(EVP_CIPHER_CTX)).
+	
+void EVP_DecryptInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv);
+	This function is basically the same as EVP_EncryptInit() accept that
+	is prepares the EVP_CIPHER_CTX for decryption.
+
+void EVP_DecryptUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+	This function is basically the same as EVP_EncryptUpdate()
+	except that it performs decryption.  There is one
+	fundamental difference though.  'out' can not be the same as
+	'in' for any ciphers with a block size greater than 1 if more
+	than one call to EVP_DecryptUpdate() will be made.  This
+	is because this routine can hold a 'partial' block between
+	calls.  When a partial block is decrypted (due to more bytes
+	being passed via this function, they will be written to 'out'
+	overwriting the input bytes in 'in' that have not been read
+	yet.  From this it should also be noted that 'out' should
+	be at least one 'block size' larger than 'inl'.  This problem
+	only occurs on the second and subsequent call to
+	EVP_DecryptUpdate() when using a block cipher.
+
+int EVP_DecryptFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl);
+	This function is different to EVP_EncryptFinal in that it 'removes'
+	any padding bytes appended when the data was encrypted.  Due to the
+	way in which 1 to 8 bytes may have been appended when encryption
+	using a block cipher, 'out' can end up with 0 to 7 bytes being put
+	into it.  When decoding the padding bytes, it is possible to detect
+	an incorrect decryption.  If the decryption appears to be wrong, 0
+	is returned.  If everything seems ok, 1 is returned.  For ciphers
+	with a block size of 1 (RC4), this function would normally not
+	return any bytes and would always return 1.  Just because this
+	function returns 1 does not mean the decryption was correct. It
+	would normally be wrong due to either the wrong key/iv or
+	corruption of the cipher data fed to EVP_DecryptUpdate().
+	As for EVP_EncryptFinal, it is a good idea to zero the
+	EVP_CIPHER_CTX after use since the structure contains the key used
+	to decrypt the data.
+	
+The following Cipher routines are convenience routines that call either
+EVP_EncryptXxx or EVP_DecryptXxx depending on weather the EVP_CIPHER_CTX
+was setup to encrypt or decrypt.  
+
+void EVP_CipherInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv,
+int enc);
+	This function take arguments that are the same as EVP_EncryptInit()
+	and EVP_DecryptInit() except for the extra 'enc' flag.  If 1, the
+	EVP_CIPHER_CTX is setup for encryption, if 0, decryption.
+
+void EVP_CipherUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+	Again this function calls either EVP_EncryptUpdate() or
+	EVP_DecryptUpdate() depending on state in the 'ctx' structure.
+	As noted for EVP_DecryptUpdate(), when this routine is used
+	for decryption with block ciphers, 'out' should not be the
+	same as 'in'.
+
+int EVP_CipherFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *outm,
+int *outl);
+	This routine call EVP_EncryptFinal() or EVP_DecryptFinal()
+	depending on the state information in 'ctx'.  1 is always returned
+	if the mode is encryption, otherwise the return value is the return
+	value of EVP_DecryptFinal().
+
+==== cipher.m ========================================================
+
+Date: Tue, 15 Oct 1996 08:16:14 +1000 (EST)
+From: Eric Young <eay@mincom.com>
+X-Sender: eay@orb
+To: Roland Haring <rharing@tandem.cl>
+Cc: ssl-users@mincom.com
+Subject: Re: Symmetric encryption with ssleay
+In-Reply-To: <m0vBpyq-00001aC@tandemnet.tandem.cl>
+Message-Id: <Pine.SOL.3.91.961015075623.11394A-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Sender: ssl-lists-owner@mincom.com
+Precedence: bulk
+Status: RO
+X-Status: 
+
+On Fri, 11 Oct 1996, Roland Haring wrote:
+> THE_POINT:
+> 	Would somebody be so kind to give me the minimum basic 
+> 	calls I need to do to libcrypto.a to get some text encrypted
+> 	and decrypted again? ...hopefully with code included to do
+> 	base64 encryption and decryption ... e.g. that sign-it.c code
+> 	posted some while ago was a big help :-) (please, do not point
+> 	me to apps/enc.c where I suspect my Heissenbug to be hidden :-)
+
+Ok, the base64 encoding stuff in 'enc.c' does the wrong thing sometimes 
+when the data is less than a line long (this is for decoding).  I'll dig 
+up the exact fix today and post it.  I am taking longer on 0.6.5 than I 
+intended so I'll just post this patch.
+
+The documentation to read is in
+doc/cipher.doc,
+doc/encode.doc (very sparse :-).
+and perhaps
+doc/digest.doc,
+
+The basic calls to encrypt with say triple DES are
+
+Given
+char key[EVP_MAX_KEY_LENGTH];
+char iv[EVP_MAX_IV_LENGTH];
+EVP_CIPHER_CTX ctx;
+unsigned char out[512+8];
+int outl;
+
+/* optional generation of key/iv data from text password using md5
+ * via an upward compatable verson of PKCS#5. */
+EVP_BytesToKey(EVP_des_ede3_cbc,EVP_md5,NULL,passwd,strlen(passwd),
+	key,iv);
+
+/* Initalise the EVP_CIPHER_CTX */
+EVP_EncryptInit(ctx,EVP_des_ede3_cbc,key,iv);
+
+while (....)
+	{
+	/* This is processing 512 bytes at a time, the bytes are being
+	 * copied into 'out', outl bytes are output.  'out' should not be the
+	 * same as 'in' for reasons mentioned in the documentation. */
+	EVP_EncryptUpdate(ctx,out,&outl,in,512);
+	}
+
+/* Output the last 'block'.  If the cipher is a block cipher, the last
+ * block is encoded in such a way so that a wrong decryption will normally be
+ * detected - again, one of the PKCS standards. */
+
+EVP_EncryptFinal(ctx,out,&outl);
+
+To decrypt, use the EVP_DecryptXXXXX functions except that EVP_DecryptFinal()
+will return 0 if the decryption fails (only detectable on block ciphers).
+
+You can also use
+EVP_CipherInit()
+EVP_CipherUpdate()
+EVP_CipherFinal()
+which does either encryption or decryption depending on an extra 
+parameter to EVP_CipherInit().
+
+
+To do the base64 encoding,
+EVP_EncodeInit()
+EVP_EncodeUpdate()
+EVP_EncodeFinal()
+
+EVP_DecodeInit()
+EVP_DecodeUpdate()
+EVP_DecodeFinal()
+
+where the encoding is quite simple, but the decoding can be a bit more 
+fun (due to dud input).
+
+EVP_DecodeUpdate() returns -1 for an error on an input line, 0 if the 
+'last line' was just processed, and 1 if more lines should be submitted.
+
+EVP_DecodeFinal() returns -1 for an error or 1 if things are ok.
+
+So the loop becomes
+EVP_DecodeInit(....)
+for (;;)
+	{
+	i=EVP_DecodeUpdate(....);
+	if (i < 0) goto err;
+
+	/* process the data */
+
+	if (i == 0) break;
+	}
+EVP_DecodeFinal(....);
+/* process the data */
+
+The problem in 'enc.c' is that I was stuff the processing up after the 
+EVP_DecodeFinal(...) when the for(..) loop was not being run (one line of 
+base64 data) and this was because 'enc.c' tries to scan over a file until
+it hits the first valid base64 encoded line.
+
+hope this helps a bit.
+eric
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+==== conf.doc ========================================================
+
+The CONF library.
+
+The CONF library is a simple set of routines that can be used to configure
+programs.  It is a superset of the genenv() function with some extra
+structure.
+
+The library consists of 5 functions.
+
+LHASH *CONF_load(LHASH *config,char *file);
+This function is called to load in a configuration file.  Multiple
+configuration files can be loaded, with each subsequent 'load' overwriting
+any already defined 'variables'.  If there is an error, NULL is returned.
+If config is NULL, a new LHASH structure is created and returned, otherwise
+the new data in the 'file' is loaded into the 'config' structure.
+
+void CONF_free(LHASH *config);
+This function free()s the data in config.
+
+char *CONF_get_string(LHASH *config,char *section,char *name);
+This function returns the string found in 'config' that corresponds to the
+'section' and 'name' specified.  Classes and the naming system used will be
+discussed later in this document.  If the variable is not defined, an NULL
+is returned.
+
+long CONF_get_long(LHASH *config,char *section, char *name);
+This function is the same as CONF_get_string() except that it converts the
+string to an long and returns it.  If variable is not a number or the
+variable does not exist, 0 is returned.  This is a little problematic but I
+don't know of a simple way around it.
+
+STACK *CONF_get_section(LHASH *config, char *section);
+This function returns a 'stack' of CONF_VALUE items that are all the
+items defined in a particular section.  DO NOT free() any of the
+variable returned.  They will disappear when CONF_free() is called.
+
+The 'lookup' model.
+The configuration file is divided into 'sections'.  Each section is started by
+a line of the form '[ section ]'.  All subsequent variable definitions are
+of this section.  A variable definition is a simple alpha-numeric name
+followed by an '=' and then the data.  A section or variable name can be
+described by a regular expression of the following form '[A-Za-z0-9_]+'.
+The value of the variable is the text after the '=' until the end of the
+line, stripped of leading and trailing white space.
+At this point I should mention that a '#' is a comment character, \ is the
+escape character, and all three types of quote can be used to stop any
+special interpretation of the data.
+Now when the data is being loaded, variable expansion can occur.  This is
+done by expanding any $NAME sequences into the value represented by the
+variable NAME.  If the variable is not in the current section, the different
+section can be specified by using the $SECTION::NAME form.  The ${NAME} form
+also works and is very useful for expanding variables inside strings.
+
+When a variable is looked up, there are 2 special section. 'default', which
+is the initial section, and 'ENV' which is the processes environment
+variables (accessed via getenv()).  When a variable is looked up, it is
+first 'matched' with it's section (if one was specified), if this fails, the
+'default' section is matched.
+If the 'lhash' variable passed was NULL, the environment is searched.
+
+Now why do we bother with sections?  So we can have multiple programs using
+the same configuration file, or multiple instances of the same program
+using different variables.  It also provides a nice mechanism to override
+the processes environment variables (eg ENV::HOME=/tmp).  If there is a
+program specific variable missing, we can have default values.
+Multiple configuration files can be loaded, with each new value clearing
+any predefined values.  A system config file can provide 'default' values,
+and application/usr specific files can provide overriding values.
+
+Examples
+
+# This is a simple example
+SSLEAY_HOME	= /usr/local/ssl
+ENV::PATH	= $SSLEAY_HOME/bin:$PATH	# override my path
+
+[X509]
+cert_dir	= $SSLEAY_HOME/certs	# /usr/local/ssl/certs
+
+[SSL]
+CIPHER		= DES-EDE-MD5:RC4-MD5
+USER_CERT	= $HOME/${USER}di'r 5'	# /home/eay/eaydir 5
+USER_CERT	= $HOME/\${USER}di\'r	# /home/eay/${USER}di'r
+USER_CERT	= "$HOME/${US"ER}di\'r	# $HOME/${USER}di'r
+
+TEST		= 1234\
+5678\
+9ab					# TEST=123456789ab
+TTT		= 1234\n\n		# TTT=1234<nl><nl>
+
+
+
+==== des.doc ========================================================
+
+The DES library.
+
+Please note that this library was originally written to operate with
+eBones, a version of Kerberos that had had encryption removed when it left
+the USA and then put back in.  As such there are some routines that I will
+advise not using but they are still in the library for historical reasons.
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'des.h'.
+
+All of the encryption functions take what is called a des_key_schedule as an 
+argument.  A des_key_schedule is an expanded form of the des key.
+A des_key is 8 bytes of odd parity, the type used to hold the key is a
+des_cblock.  A des_cblock is an array of 8 bytes, often in this library
+description I will refer to input bytes when the function specifies
+des_cblock's as input or output, this just means that the variable should
+be a multiple of 8 bytes.
+
+The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to
+specify decryption.  The functions and global variable are as follows:
+
+int des_check_key;
+	DES keys are supposed to be odd parity.  If this variable is set to
+	a non-zero value, des_set_key() will check that the key has odd
+	parity and is not one of the known weak DES keys.  By default this
+	variable is turned off;
+	
+void des_set_odd_parity(
+des_cblock *key );
+	This function takes a DES key (8 bytes) and sets the parity to odd.
+	
+int des_is_weak_key(
+des_cblock *key );
+	This function returns a non-zero value if the DES key passed is a
+	weak, DES key.  If it is a weak key, don't use it, try a different
+	one.  If you are using 'random' keys, the chances of hitting a weak
+	key are 1/2^52 so it is probably not worth checking for them.
+	
+int des_set_key(
+des_cblock *key,
+des_key_schedule schedule);
+	Des_set_key converts an 8 byte DES key into a des_key_schedule.
+	A des_key_schedule is an expanded form of the key which is used to
+	perform actual encryption.  It can be regenerated from the DES key
+	so it only needs to be kept when encryption or decryption is about
+	to occur.  Don't save or pass around des_key_schedule's since they
+	are CPU architecture dependent, DES keys are not.  If des_check_key
+	is non zero, zero is returned if the key has the wrong parity or
+	the key is a weak key, else 1 is returned.
+	
+int des_key_sched(
+des_cblock *key,
+des_key_schedule schedule);
+	An alternative name for des_set_key().
+
+int des_rw_mode;		/* defaults to DES_PCBC_MODE */
+	This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default).
+	This specifies the function to use in the enc_read() and enc_write()
+	functions.
+
+void des_encrypt(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+	This is the DES encryption function that gets called by just about
+	every other DES routine in the library.  You should not use this
+	function except to implement 'modes' of DES.  I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.  The characters are loaded 'little endian',
+	have a look at my source code for more details on how I use this
+	function.
+	Data is a pointer to 2 unsigned long's and ks is the
+	des_key_schedule to use.  enc, is non zero specifies encryption,
+	zero if decryption.
+
+void des_encrypt2(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+	This functions is the same as des_encrypt() except that the DES
+	initial permutation (IP) and final permutation (FP) have been left
+	out.  As for des_encrypt(), you should not use this function.
+	It is used by the routines in my library that implement triple DES.
+	IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
+	as des_encrypt() des_encrypt() des_encrypt() except faster :-).
+
+void des_ecb_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks,
+int enc);
+	This is the basic Electronic Code Book form of DES, the most basic
+	form.  Input is encrypted into output using the key represented by
+	ks.  If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise
+	decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+	(the des_cblock structure is 8 chars).
+	
+void des_ecb3_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+int enc);
+	This is the 3 key EDE mode of ECB DES.  What this means is that 
+	the 8 bytes of input is encrypted with ks1, decrypted with ks2 and
+	then encrypted again with ks3, before being put into output;
+	C=E(ks3,D(ks2,E(ks1,M))).  There is a macro, des_ecb2_encrypt()
+	that only takes 2 des_key_schedules that implements,
+	C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1.
+	
+void des_cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	This routine implements DES in Cipher Block Chaining mode.
+	Input, which should be a multiple of 8 bytes is encrypted
+	(or decrypted) to output which will also be a multiple of 8 bytes.
+	The number of bytes is in length (and from what I've said above,
+	should be a multiple of 8).  If length is not a multiple of 8, I'm
+	not being held responsible :-).  ivec is the initialisation vector.
+	This function does not modify this variable.  To correctly implement
+	cbc mode, you need to do one of 2 things; copy the last 8 bytes of
+	cipher text for use as the next ivec in your application,
+	or use des_ncbc_encrypt(). 
+	Only this routine has this problem with updating the ivec, all
+	other routines that are implementing cbc mode update ivec.
+	
+void des_ncbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+int enc);
+	For historical reasons, des_cbc_encrypt() did not update the
+	ivec with the value requires so that subsequent calls to
+	des_cbc_encrypt() would 'chain'.  This was needed so that the same
+	'length' values would not need to be used when decrypting.
+	des_ncbc_encrypt() does the right thing.  It is the same as
+	des_cbc_encrypt accept that ivec is updates with the correct value
+	to pass in subsequent calls to des_ncbc_encrypt().  I advise using
+	des_ncbc_encrypt() instead of des_cbc_encrypt();
+
+void des_xcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+des_cblock *inw,
+des_cblock *outw,
+int enc);
+	This is RSA's DESX mode of DES.  It uses inw and outw to
+	'whiten' the encryption.  inw and outw are secret (unlike the iv)
+	and are as such, part of the key.  So the key is sort of 24 bytes.
+	This is much better than cbc des.
+	
+void des_3cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk1,
+des_key_schedule sk2,
+des_cblock *ivec1,
+des_cblock *ivec2,
+int enc);
+	This function is flawed, do not use it.  I have left it in the
+	library because it is used in my des(1) program and will function
+	correctly when used by des(1).  If I removed the function, people
+	could end up unable to decrypt files.
+	This routine implements outer triple cbc encryption using 2 ks and
+	2 ivec's.  Use des_ede2_cbc_encrypt() instead.
+	
+void des_ede3_cbc_encrypt(
+des_cblock *input,
+des_cblock *output, 
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2, 
+des_key_schedule ks3, 
+des_cblock *ivec,
+int enc);
+	This function implements outer triple CBC DES encryption with 3
+	keys.  What this means is that each 'DES' operation
+	inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))).
+	Again, this is cbc mode so an ivec is requires.
+	This mode is used by SSL.
+	There is also a des_ede2_cbc_encrypt() that only uses 2
+	des_key_schedule's, the first being reused for the final
+	encryption.  C=E(ks1,D(ks2,E(ks1,M))).  This form of triple DES
+	is used by the RSAref library.
+	
+void des_pcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	This is Propagating Cipher Block Chaining mode of DES.  It is used
+	by Kerberos v4.  It's parameters are the same as des_ncbc_encrypt().
+	
+void des_cfb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	Cipher Feedback Back mode of DES.  This implementation 'feeds back'
+	in numbit blocks.  The input (and output) is in multiples of numbits
+	bits.  numbits should to be a multiple of 8 bits.  Length is the
+	number of bytes input.  If numbits is not a multiple of 8 bits,
+	the extra bits in the bytes will be considered padding.  So if
+	numbits is 12, for each 2 input bytes, the 4 high bits of the
+	second byte will be ignored.  So to encode 72 bits when using
+	a numbits of 12 take 12 bytes.  To encode 72 bits when using
+	numbits of 9 will take 16 bytes.  To encode 80 bits when using
+	numbits of 16 will take 10 bytes. etc, etc.  This padding will
+	apply to both input and output.
+
+	
+void des_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num,
+int enc);
+	This is one of the more useful functions in this DES library, it
+	implements CFB mode of DES with 64bit feedback.  Why is this
+	useful you ask?  Because this routine will allow you to encrypt an
+	arbitrary number of bytes, no 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  num contains 'how far' we are though ivec.  If this does
+	not make much sense, read more about cfb mode of DES :-).
+	
+void des_ede3_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num,
+int enc);
+	Same as des_cfb64_encrypt() accept that the DES operation is
+	triple DES.  As usual, there is a macro for
+	des_ede2_cfb64_encrypt() which reuses ks1.
+
+void des_ofb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+	This is a implementation of Output Feed Back mode of DES.  It is
+	the same as des_cfb_encrypt() in that numbits is the size of the
+	units dealt with during input and output (in bits).
+	
+void des_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num);
+	The same as des_cfb64_encrypt() except that it is Output Feed Back
+	mode.
+
+void des_ede3_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num);
+	Same as des_ofb64_encrypt() accept that the DES operation is
+	triple DES.  As usual, there is a macro for
+	des_ede2_ofb64_encrypt() which reuses ks1.
+
+int des_read_pw_string(
+char *buf,
+int length,
+char *prompt,
+int verify);
+	This routine is used to get a password from the terminal with echo
+	turned off.  Buf is where the string will end up and length is the
+	size of buf.  Prompt is a string presented to the 'user' and if
+	verify is set, the key is asked for twice and unless the 2 copies
+	match, an error is returned.  A return code of -1 indicates a
+	system error, 1 failure due to use interaction, and 0 is success.
+
+unsigned long des_cbc_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+	This function produces an 8 byte checksum from input that it puts in
+	output and returns the last 4 bytes as a long.  The checksum is
+	generated via cbc mode of DES in which only the last 8 byes are
+	kept.  I would recommend not using this function but instead using
+	the EVP_Digest routines, or at least using MD5 or SHA.  This
+	function is used by Kerberos v4 so that is why it stays in the
+	library.
+	
+char *des_fcrypt(
+const char *buf,
+const char *salt
+char *ret);
+	This is my fast version of the unix crypt(3) function.  This version
+	takes only a small amount of space relative to other fast
+	crypt() implementations.  This is different to the normal crypt
+	in that the third parameter is the buffer that the return value
+	is written into.  It needs to be at least 14 bytes long.  This
+	function is thread safe, unlike the normal crypt.
+
+char *crypt(
+const char *buf,
+const char *salt);
+	This function calls des_fcrypt() with a static array passed as the
+	third parameter.  This emulates the normal non-thread safe semantics
+	of crypt(3).
+
+void des_string_to_key(
+char *str,
+des_cblock *key);
+	This function takes str and converts it into a DES key.  I would
+	recommend using MD5 instead and use the first 8 bytes of output.
+	When I wrote the first version of these routines back in 1990, MD5
+	did not exist but I feel these routines are still sound.  This
+	routines is compatible with the one in MIT's libdes.
+	
+void des_string_to_2keys(
+char *str,
+des_cblock *key1,
+des_cblock *key2);
+	This function takes str and converts it into 2 DES keys.
+	I would recommend using MD5 and using the 16 bytes as the 2 keys.
+	I have nothing against these 2 'string_to_key' routines, it's just
+	that if you say that your encryption key is generated by using the
+	16 bytes of an MD5 hash, every-one knows how you generated your
+	keys.
+
+int des_read_password(
+des_cblock *key,
+char *prompt,
+int verify);
+	This routine combines des_read_pw_string() with des_string_to_key().
+
+int des_read_2passwords(
+des_cblock *key1,
+des_cblock *key2,
+char *prompt,
+int verify);
+	This routine combines des_read_pw_string() with des_string_to_2key().
+
+void des_random_seed(
+des_cblock key);
+	This routine sets a starting point for des_random_key().
+	
+void des_random_key(
+des_cblock ret);
+	This function return a random key.  Make sure to 'seed' the random
+	number generator (with des_random_seed()) before using this function.
+	I personally now use a MD5 based random number system.
+
+int des_enc_read(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+	This function will write to a file descriptor the encrypted data
+	from buf.  This data will be preceded by a 4 byte 'byte count' and
+	will be padded out to 8 bytes.  The encryption is either CBC of
+	PCBC depending on the value of des_rw_mode.  If it is DES_PCBC_MODE,
+	pcbc is used, if DES_CBC_MODE, cbc is used.  The default is to use
+	DES_PCBC_MODE.
+
+int des_enc_write(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+	This routines read stuff written by des_enc_read() and decrypts it.
+	I have used these routines quite a lot but I don't believe they are
+	suitable for non-blocking io.  If you are after a full
+	authentication/encryption over networks, have a look at SSL instead.
+
+unsigned long des_quad_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+int out_count,
+des_cblock *seed);
+	This is a function from Kerberos v4 that is not anything to do with
+	DES but was needed.  It is a cksum that is quicker to generate than
+	des_cbc_cksum();  I personally would use MD5 routines now.
+=====
+Modes of DES
+Quite a bit of the following information has been taken from
+	AS 2805.5.2
+	Australian Standard
+	Electronic funds transfer - Requirements for interfaces,
+	Part 5.2: Modes of operation for an n-bit block cipher algorithm
+	Appendix A
+
+There are several different modes in which DES can be used, they are
+as follows.
+
+Electronic Codebook Mode (ECB) (des_ecb_encrypt())
+- 64 bits are enciphered at a time.
+- The order of the blocks can be rearranged without detection.
+- The same plaintext block always produces the same ciphertext block
+  (for the same key) making it vulnerable to a 'dictionary attack'.
+- An error will only affect one ciphertext block.
+
+Cipher Block Chaining Mode (CBC) (des_cbc_encrypt())
+- a multiple of 64 bits are enciphered at a time.
+- The CBC mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext blocks dependent on the
+  current and all preceding plaintext blocks and therefore blocks can not
+  be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- An error will affect the current and the following ciphertext blocks.
+
+Cipher Feedback Mode (CFB) (des_cfb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The CFB mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext variables dependent on the
+  current and all preceding variables and therefore j-bit variables are
+  chained together and can not be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- The strength of the CFB mode depends on the size of k (maximal if
+  j == k).  In my implementation this is always the case.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- An error will affect the current and the following ciphertext variables.
+
+Output Feedback Mode (OFB) (des_ofb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The OFB mode produces the same ciphertext whenever the same
+  plaintext enciphered using the same key and starting variable.  More
+  over, in the OFB mode the same key stream is produced when the same
+  key and start variable are used.  Consequently, for security reasons
+  a specific start variable should be used only once for a given key.
+- The absence of chaining makes the OFB more vulnerable to specific attacks.
+- The use of different start variables values prevents the same
+  plaintext enciphering to the same ciphertext, by producing different
+  key streams.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- OFB mode of operation does not extend ciphertext errors in the
+  resultant plaintext output.  Every bit error in the ciphertext causes
+  only one bit to be in error in the deciphered plaintext.
+- OFB mode is not self-synchronising.  If the two operation of
+  encipherment and decipherment get out of synchronism, the system needs
+  to be re-initialised.
+- Each re-initialisation should use a value of the start variable
+ different from the start variable values used before with the same
+ key.  The reason for this is that an identical bit stream would be
+ produced each time from the same parameters.  This would be
+ susceptible to a ' known plaintext' attack.
+
+Triple ECB Mode (des_ecb3_encrypt())
+- Encrypt with key1, decrypt with key2 and encrypt with key3 again.
+- As for ECB encryption but increases the key length to 168 bits.
+  There are theoretic attacks that can be used that make the effective
+  key length 112 bits, but this attack also requires 2^56 blocks of
+  memory, not very likely, even for the NSA.
+- If both keys are the same it is equivalent to encrypting once with
+  just one key.
+- If the first and last key are the same, the key length is 112 bits.
+  There are attacks that could reduce the key space to 55 bit's but it
+  requires 2^56 blocks of memory.
+- If all 3 keys are the same, this is effectively the same as normal
+  ecb mode.
+
+Triple CBC Mode (des_ede3_cbc_encrypt())
+- Encrypt with key1, decrypt with key2 and then encrypt with key3.
+- As for CBC encryption but increases the key length to 168 bits with
+  the same restrictions as for triple ecb mode.
+
+==== digest.doc ========================================================
+
+
+The Message Digest subroutines.
+
+These routines require "evp.h" to be included.
+
+These functions are a higher level interface to the various message digest
+routines found in this library.  As such, they allow the same code to be
+used to digest via different algorithms with only a change in an initial
+parameter.  They are basically just a front-end to the MD2, MD5, SHA
+and SHA1
+routines.
+
+These routines all take a pointer to the following structure to specify
+which message digest algorithm to use.
+typedef struct evp_md_st
+	{
+	int type;
+	int pkey_type;
+	int md_size;
+	void (*init)();
+	void (*update)();
+	void (*final)();
+
+	int required_pkey_type; /*EVP_PKEY_xxx */
+	int (*sign)();
+	int (*verify)();
+	} EVP_MD;
+
+If additional message digest algorithms are to be supported, a structure of
+this type needs to be declared and populated and then the Digest routines
+can be used with that algorithm.  The type field is the object NID of the
+digest type (read the section on Objects for an explanation).  The pkey_type
+is the Object type to use when the a message digest is generated by there
+routines and then is to be signed with the pkey algorithm.  Md_size is
+the size of the message digest returned.  Init, update
+and final are the relevant functions to perform the message digest function
+by parts.  One reason for specifying the message digest to use via this
+mechanism is that if you only use md5, only the md5 routines will
+be included in you linked program.  If you passed an integer
+that specified which message digest to use, the routine that mapped that
+integer to a set of message digest functions would cause all the message
+digests functions to be link into the code.  This setup also allows new
+message digest functions to be added by the application.
+
+The six message digests defined in this library are
+
+EVP_MD *EVP_md2(void);	/* RSA sign/verify */
+EVP_MD *EVP_md5(void);	/* RSA sign/verify */
+EVP_MD *EVP_sha(void);	/* RSA sign/verify */
+EVP_MD *EVP_sha1(void);	/* RSA sign/verify */
+EVP_MD *EVP_dss(void);	/* DSA sign/verify */
+EVP_MD *EVP_dss1(void);	/* DSA sign/verify */
+
+All the message digest routines take a EVP_MD_CTX pointer as an argument.
+The state of the message digest is kept in this structure.
+
+typedef struct pem_md_ctx_st
+	{
+	EVP_MD *digest;
+	union	{
+		unsigned char base[4]; /* this is used in my library as a
+					* 'pointer' to all union elements
+					* structures. */
+		MD2_CTX md2;
+		MD5_CTX md5;
+		SHA_CTX sha;
+		} md;
+	} EVP_MD_CTX;
+
+The Digest functions are as follows.
+
+void EVP_DigestInit(
+EVP_MD_CTX *ctx,
+EVP_MD *type);
+	This function is used to initialise the EVP_MD_CTX.  The message
+	digest that will associated with 'ctx' is specified by 'type'.
+
+void EVP_DigestUpdate(
+EVP_MD_CTX *ctx,
+unsigned char *data,
+unsigned int cnt);
+	This function is used to pass more data to the message digest
+	function.  'cnt' bytes are digested from 'data'.
+
+void EVP_DigestFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int *len);
+	This function finishes the digestion and puts the message digest
+	into 'md'.  The length of the message digest is put into len;
+	EVP_MAX_MD_SIZE is the size of the largest message digest that
+	can be returned from this function.  Len can be NULL if the
+	size of the digest is not required.
+	
+
+==== encode.doc ========================================================
+
+
+void    EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
+void    EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,
+		int *outl,unsigned char *in,int inl);
+void    EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl);
+int     EVP_EncodeBlock(unsigned char *t, unsigned char *f, int n);
+
+void    EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
+int     EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
+		unsigned char *in, int inl);
+int     EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
+		char *out, int *outl);
+int     EVP_DecodeBlock(unsigned char *t, unsigned
+		char *f, int n);
+
+
+==== envelope.doc ========================================================
+
+The following routines are use to create 'digital' envelopes.
+By this I mean that they perform various 'higher' level cryptographic
+functions.  Have a read of 'cipher.doc' and 'digest.doc' since those
+routines are used by these functions.
+cipher.doc contains documentation about the cipher part of the
+envelope library and digest.doc contatins the description of the
+message digests supported.
+
+To 'sign' a document involves generating a message digest and then encrypting
+the digest with an private key.
+
+#define EVP_SignInit(a,b)		EVP_DigestInit(a,b)
+#define EVP_SignUpdate(a,b,c)		EVP_DigestUpdate(a,b,c)
+Due to the fact this operation is basically just an extended message
+digest, the first 2 functions are macro calls to Digest generating
+functions.
+
+int     EVP_SignFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int *s,
+EVP_PKEY *pkey);
+	This finalisation function finishes the generation of the message
+digest and then encrypts the digest (with the correct message digest 
+object identifier) with the EVP_PKEY private key.  'ctx' is the message digest
+context.  'md' will end up containing the encrypted message digest.  This
+array needs to be EVP_PKEY_size(pkey) bytes long.  's' will actually
+contain the exact length.  'pkey' of course is the private key.  It is
+one of EVP_PKEY_RSA or EVP_PKEY_DSA type.
+If there is an error, 0 is returned, otherwise 1.
+		
+Verify is used to check an signed message digest.
+
+#define EVP_VerifyInit(a,b)		EVP_DigestInit(a,b)
+#define EVP_VerifyUpdate(a,b,c)		EVP_DigestUpdate(a,b,c)
+Since the first step is to generate a message digest, the first 2 functions
+are macros.
+
+int EVP_VerifyFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int s,
+EVP_PKEY *pkey);
+	This function finishes the generation of the message digest and then
+compares it with the supplied encrypted message digest.  'md' contains the
+'s' bytes of encrypted message digest.  'pkey' is used to public key decrypt
+the digest.  It is then compared with the message digest just generated.
+If they match, 1 is returned else 0.
+
+int	EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+		int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk);
+Must have at least one public key, error is 0.  I should also mention that
+the buffers pointed to by 'ek' need to be EVP_PKEY_size(pubk[n]) is size.
+
+#define EVP_SealUpdate(a,b,c,d,e)	EVP_EncryptUpdate(a,b,c,d,e)	
+void	EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
+
+
+int	EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+		int ekl,unsigned char *iv,EVP_PKEY *priv);
+0 on failure
+
+#define EVP_OpenUpdate(a,b,c,d,e)	EVP_DecryptUpdate(a,b,c,d,e)
+
+int	EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+Decrypt final return code
+
+
+==== error.doc ========================================================
+
+The error routines.
+
+The 'error' system I've implemented is intended to server 2 purpose, to
+record the reason why a command failed and to record where in the libraries
+the failure occurred.  It is more or less setup to record a 'trace' of which
+library components were being traversed when the error occurred.
+
+When an error is recorded, it is done so a as single unsigned long which is
+composed of three parts.  The top byte is the 'library' number, the middle
+12 bytes is the function code, and the bottom 12 bits is the 'reason' code.
+
+Each 'library', or should a say, 'section' of the SSLeay library has a
+different unique 'library' error number.  Each function in the library has
+a number that is unique for that library.  Each 'library' also has a number
+for each 'error reason' that is only unique for that 'library'.
+
+Due to the way these error routines record a 'error trace', there is an
+array per thread that is used to store the error codes.
+The various functions in this library are used to access
+and manipulate this array.
+
+void ERR_put_error(int lib, int func,int reason);
+	This routine records an error in library 'lib', function 'func'
+and reason 'reason'.  As errors get 'put' into the buffer, they wrap
+around and overwrite old errors if too many are written.  It is assumed
+that the last errors are the most important.
+
+unsigned long ERR_get_error(void );
+	This function returns the last error added to the error buffer.
+In effect it is popping the value off the buffer so repeated calls will
+continue to return values until there are no more errors to return in which
+case 0 is returned.
+
+unsigned long ERR_peek_error(void );
+	This function returns the value of the last error added to the
+error buffer but does not 'pop' it from the buffer.
+
+void ERR_clear_error(void );
+	This function clears the error buffer, discarding all unread
+errors.
+
+While the above described error system obviously produces lots of different
+error number, a method for 'reporting' these errors in a human readable
+form is required.  To achieve this, each library has the option of
+'registering' error strings.
+
+typedef struct ERR_string_data_st
+	{
+	unsigned long error;
+	char *string;
+	} ERR_STRING_DATA;
+
+The 'ERR_STRING_DATA' contains an error code and the corresponding text
+string.  To add new function error strings for a library, the
+ERR_STRING_DATA needs to be 'registered' with the library.
+
+void ERR_load_strings(unsigned long lib,ERR_STRING_DATA *err);
+	This function 'registers' the array of ERR_STRING_DATA pointed to by
+'err' as error text strings for the error library 'lib'.
+
+void ERR_free_strings(void);
+	This function free()s all the loaded error strings.
+
+char *ERR_error_string(unsigned long error,char *buf);
+	This function returns a text string that is a human readable
+version of the error represented by 'error'.  Buff should be at least 120
+bytes long and if it is NULL, the return value is a pointer to a static
+variable that will contain the error string, otherwise 'buf' is returned.
+If there is not a text string registered for a particular error, a text
+string containing the error number is returned instead.
+
+void ERR_print_errors(BIO *bp);
+void ERR_print_errors_fp(FILE *fp);
+	This function is a convenience routine that prints the error string
+for each error until all errors have been accounted for.
+
+char *ERR_lib_error_string(unsigned long e);
+char *ERR_func_error_string(unsigned long e);
+char *ERR_reason_error_string(unsigned long e);
+The above three functions return the 3 different components strings for the
+error 'e'.  ERR_error_string() uses these functions.
+
+void ERR_load_ERR_strings(void );
+	This function 'registers' the error strings for the 'ERR' module.
+
+void ERR_load_crypto_strings(void );
+	This function 'register' the error strings for just about every
+library in the SSLeay package except for the SSL routines.  There is no
+need to ever register any error text strings and you will probably save in
+program size.  If on the other hand you do 'register' all errors, it is
+quite easy to determine why a particular routine failed.
+
+As a final footnote as to why the error system is designed as it is.
+1) I did not want a single 'global' error code.
+2) I wanted to know which subroutine a failure occurred in.
+3) For Windows NT etc, it should be simple to replace the 'key' routines
+   with code to pass error codes back to the application.
+4) I wanted the option of meaningful error text strings.
+
+Late breaking news - the changes to support threads.
+
+Each 'thread' has an 'ERR_STATE' state associated with it.
+ERR_STATE *ERR_get_state(void ) will return the 'state' for the calling
+thread/process.
+
+ERR_remove_state(unsigned long pid); will 'free()' this state.  If pid == 0
+the current 'thread/process' will have it's error state removed.
+If you do not remove the error state of a thread, this could be considered a
+form of memory leak, so just after 'reaping' a thread that has died,
+call ERR_remove_state(pid).
+
+Have a read of thread.doc for more details for what is required for
+multi-threading support.  All the other error routines will
+work correctly when using threads.
+
+
+==== idea.doc ========================================================
+
+The IDEA library.
+IDEA is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses a 128bit (16 byte) key.  It can be used in all the modes that DES can
+be used.  This library implements the ecb, cbc, cfb64 and ofb64 modes.
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'idea.h'.
+
+All of the encryption functions take what is called an IDEA_KEY_SCHEDULE as an 
+argument.  An IDEA_KEY_SCHEDULE is an expanded form of the idea key.
+For all modes of the IDEA algorithm, the IDEA_KEY_SCHEDULE used for
+decryption is different to the one used for encryption.
+
+The define IDEA_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. IDEA_DECRYPT is passed to
+specify decryption.  For some mode there is no encryption/decryption
+flag since this is determined by the IDEA_KEY_SCHEDULE.
+
+So to encrypt you would do the following
+idea_set_encrypt_key(key,encrypt_ks);
+idea_ecb_encrypt(...,encrypt_ks);
+idea_cbc_encrypt(....,encrypt_ks,...,IDEA_ENCRYPT);
+
+To Decrypt
+idea_set_encrypt_key(key,encrypt_ks);
+idea_set_decrypt_key(encrypt_ks,decrypt_ks);
+idea_ecb_encrypt(...,decrypt_ks);
+idea_cbc_encrypt(....,decrypt_ks,...,IDEA_DECRYPT);
+
+Please note that any of the encryption modes specified in my DES library
+could be used with IDEA.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic IDEA encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple IDEA, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  idea_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void idea_set_encrypt_key(
+unsigned char *key;
+IDEA_KEY_SCHEDULE *ks);
+	idea_set_encrypt_key converts a 16 byte IDEA key into an
+	IDEA_KEY_SCHEDULE.  The IDEA_KEY_SCHEDULE is an expanded form of
+	the key which can be used to perform IDEA encryption.
+	An IDEA_KEY_SCHEDULE is an expanded form of the key which is used to
+	perform actual encryption.  It can be regenerated from the IDEA key
+	so it only needs to be kept when encryption is about
+	to occur.  Don't save or pass around IDEA_KEY_SCHEDULE's since they
+	are CPU architecture dependent, IDEA keys are not.
+	
+void idea_set_decrypt_key(
+IDEA_KEY_SCHEDULE *encrypt_ks,
+IDEA_KEY_SCHEDULE *decrypt_ks);
+	This functions converts an encryption IDEA_KEY_SCHEDULE into a
+	decryption IDEA_KEY_SCHEDULE.  For all decryption, this conversion
+	of the key must be done.  In some modes of IDEA, an
+	encryption/decryption flag is also required, this is because these
+	functions involve block chaining and the way this is done changes
+	depending on which of encryption of decryption is being done.
+	Please note that there is no quick way to generate the decryption
+	key schedule other than generating the encryption key schedule and
+	then converting it.
+
+void idea_encrypt(
+unsigned long *data,
+IDEA_KEY_SCHEDULE *ks);
+	This is the IDEA encryption function that gets called by just about
+	every other IDEA routine in the library.  You should not use this
+	function except to implement 'modes' of IDEA.  I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.
+	Data is a pointer to 2 unsigned long's and ks is the
+	IDEA_KEY_SCHEDULE to use.  Encryption or decryption depends on the
+	IDEA_KEY_SCHEDULE.
+
+void idea_ecb_encrypt(
+unsigned char *input,
+unsigned char *output,
+IDEA_KEY_SCHEDULE *ks);
+	This is the basic Electronic Code Book form of IDEA (in DES this
+	mode is called Electronic Code Book so I'm going to use the term
+	for idea as well :-).
+	Input is encrypted into output using the key represented by
+	ks.  Depending on the IDEA_KEY_SCHEDULE, encryption or
+	decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+	
+void idea_cbc_encrypt(
+unsigned char *input,
+unsigned char *output,
+long length,
+IDEA_KEY_SCHEDULE *ks,
+unsigned char *ivec,
+int enc);
+	This routine implements IDEA in Cipher Block Chaining mode.
+	Input, which should be a multiple of 8 bytes is encrypted
+	(or decrypted) to output which will also be a multiple of 8 bytes.
+	The number of bytes is in length (and from what I've said above,
+	should be a multiple of 8).  If length is not a multiple of 8, bad 
+	things will probably happen.  ivec is the initialisation vector.
+	This function updates iv after each call so that it can be passed to
+	the next call to idea_cbc_encrypt().
+	
+void idea_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num,
+int enc);
+	This is one of the more useful functions in this IDEA library, it
+	implements CFB mode of IDEA with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	Enc is used to indicate encryption or decryption.
+	One very important thing to remember is that when decrypting, use
+	the encryption form of the key.
+	CFB64 mode operates by using the cipher to
+	generate a stream of bytes which is used to encrypt the plain text.
+	The cipher text is then encrypted to generate the next 64 bits to
+	be xored (incrementally) with the next 64 bits of plain
+	text.  As can be seen from this, to encrypt or decrypt,
+	the same 'cipher stream' needs to be generated but the way the next
+	block of data is gathered for encryption is different for
+	encryption and decryption.  What this means is that to encrypt
+	idea_set_encrypt_key(key,ks);
+	idea_cfb64_encrypt(...,ks,..,IDEA_ENCRYPT)
+	do decrypt
+	idea_set_encrypt_key(key,ks)
+	idea_cfb64_encrypt(...,ks,...,IDEA_DECRYPT)
+	Note: The same IDEA_KEY_SCHEDULE but different encryption flags.
+	For idea_cbc or idea_ecb, idea_set_decrypt_key() would need to be
+	used to generate the IDEA_KEY_SCHEDULE for decryption.
+	The reason I'm stressing this point is that I just wasted 3 hours
+	today trying to decrypt using this mode and the decryption form of
+	the key :-(.
+	
+void idea_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num);
+	This functions implements OFB mode of IDEA with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	This is in effect a stream cipher, there is no encryption or
+	decryption mode.  The same key and iv should be used to
+	encrypt and decrypt.
+	
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+idea_set_encrypt_key().
+
+=====
+For more information about the specific IDEA modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for IDEA.
+
+
+==== legal.doc ========================================================
+
+From eay@mincom.com Thu Jun 27 00:25:45 1996
+Received: by orb.mincom.oz.au id AA15821
+  (5.65c/IDA-1.4.4 for eay); Wed, 26 Jun 1996 14:25:45 +1000
+Date: Wed, 26 Jun 1996 14:25:45 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: Ken Toll <ktoll@ren.digitalage.com>
+Cc: Eric Young <eay@mincom.oz.au>, ssl-talk@netscape.com
+Subject: Re: Unidentified subject!
+In-Reply-To: <9606261950.ZM28943@ren.digitalage.com>
+Message-Id: <Pine.SOL.3.91.960626131156.28573K-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: O
+X-Status: 
+
+
+This is a little off topic but since SSLeay is a free implementation of
+the SSLv2 protocol, I feel it is worth responding on the topic of if it 
+is actually legal for Americans to use free cryptographic software.
+
+On Wed, 26 Jun 1996, Ken Toll wrote:
+> Is the U.S the only country that SSLeay cannot be used commercially 
+> (because of RSAref) or is that going to be an issue with every country 
+> that a client/server application (non-web browser/server) is deployed 
+> and sold?
+
+>From what I understand, the software patents that apply to algorithms 
+like RSA and DH only apply in the USA.  The IDEA algorithm I believe is 
+patened in europe (USA?), but considing how little it is used by other SSL 
+implementations, it quite easily be left out of the SSLeay build
+(this can be done with a compile flag).
+
+Actually if the RSA patent did apply outside the USA, it could be rather
+interesting since RSA is not alowed to let RSA toolkits outside of the USA
+[1], and since these are the only forms that they will alow the algorithm
+to be used in, it would mean that non-one outside of the USA could produce
+public key software which would be a very strong statment for
+international patent law to make :-).  This logic is a little flawed but
+it still points out some of the more interesting permutations of USA
+patent law and ITAR restrictions. 
+
+Inside the USA there is also the unresolved issue of RC4/RC2 which were
+made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2).  I have
+copies of the origional postings if people are interested.  RSA I believe 
+claim that they were 'trade-secrets' and that some-one broke an NDA in 
+revealing them.  Other claim they reverse engineered the algorithms from 
+compiled binaries.  If the algorithms were reverse engineered, I belive 
+RSA had no legal leg to stand on.  If an NDA was broken, I don't know.
+Regardless, RSA, I belive, is willing to go to court over the issue so 
+licencing is probably the best idea, or at least talk to them.
+If there are people who actually know more about this, pease let me know, I 
+don't want to vilify or spread miss-information if I can help it.
+
+If you are not producing a web browser, it is easy to build SSLeay with
+RC2/RC4 removed. Since RC4 is the defacto standard cipher in 
+all web software (and it is damn fast) it is more or less required for 
+www use. For non www use of SSL, especially for an application where 
+interoperability with other vendors is not critical just leave it out.
+
+Removing IDEA, RC2 and RC4 would only leave DES and Triple DES but 
+they should be ok.  Considing that Triple DES can encrypt at rates of
+410k/sec on a pentium 100, and 940k/sec on a P6/200, this is quite 
+reasonable performance.  Single DES clocks in at 1160k/s and 2467k/s
+respectivly is actually quite fast for those not so paranoid (56 bit key).[1]
+
+> Is it possible to get a certificate for commercial use outside of the U.S.?
+yes.
+
+Thawte Consulting issues certificates (they are the people who sell the
+	Sioux httpd server and are based in South Africa)
+Verisign will issue certificates for Sioux (sold from South Africa), so this
+	proves that they will issue certificate for OS use if they are
+	happy with the quality of the software.
+
+(The above mentioned companies just the ones that I know for sure are issuing
+ certificates outside the USA).
+
+There is always the point that if you are using SSL for an intra net, 
+SSLeay provides programs that can be used so you can issue your own 
+certificates.  They need polishing but at least it is a good starting point.
+
+I am not doing anything outside Australian law by implementing these
+algorithms (to the best of my knowedge).  It is another example of how 
+the world legal system does not cope with the internet very well.
+
+I may start making shared libraries available (I have now got DLL's for 
+Windows).  This will mean that distributions into the usa could be 
+shipped with a version with a reduced cipher set and the versions outside 
+could use the DLL/shared library with all the ciphers (and without RSAref).
+
+This could be completly hidden from the application, so this would not 
+even require a re-linking.
+
+This is the reverse of what people were talking about doing to get around 
+USA export regulations :-)
+
+eric
+
+[1]:	The RSAref2.0 tookit is available on at least 3 ftp sites in Europe
+	and one in South Africa.
+
+[2]:	Since I always get questions when I post benchmark numbers :-),
+	DES performace figures are in 1000's of bytes per second in cbc 
+	mode using an 8192 byte buffer.  The pentium 100 was running Windows NT 
+	3.51 DLLs and the 686/200 was running NextStep.
+	I quote pentium 100 benchmarks because it is basically the
+	'entry level' computer that most people buy for personal use.
+	Windows 95 is the OS shipping on those boxes, so I'll give
+	NT numbers (the same Win32 runtime environment).  The 686
+	numbers are present as an indication of where we will be in a
+	few years.
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+
+
+==== lhash.doc ========================================================
+
+The LHASH library.
+
+I wrote this library in 1991 and have since forgotten why I called it lhash.
+It implements a hash table from an article I read at the
+time from 'Communications of the ACM'.  What makes this hash
+table different is that as the table fills, the hash table is
+increased (or decreased) in size via realloc().
+When a 'resize' is done, instead of all hashes being redistributed over
+twice as many 'buckets', one bucket is split.  So when an 'expand' is done,
+there is only a minimal cost to redistribute some values.  Subsequent
+inserts will cause more single 'bucket' redistributions but there will
+never be a sudden large cost due to redistributing all the 'buckets'.
+
+The state for a particular hash table is kept in the LHASH structure.
+The LHASH structure also records statistics about most aspects of accessing
+the hash table.  This is mostly a legacy of my writing this library for
+the reasons of implementing what looked like a nice algorithm rather than
+for a particular software product.
+
+Internal stuff you probably don't want to know about.
+The decision to increase or decrease the hash table size is made depending
+on the 'load' of the hash table.  The load is the number of items in the
+hash table divided by the size of the hash table.  The default values are
+as follows.  If (hash->up_load < load) => expand.
+if (hash->down_load > load) =>  contract.  The 'up_load' has a default value of
+1 and 'down_load' has a default value of 2.  These numbers can be modified
+by the application by just playing with the 'up_load' and 'down_load'
+variables.  The 'load' is kept in a form which is multiplied by 256.  So
+hash->up_load=8*256; will cause a load of 8 to be set.
+
+If you are interested in performance the field to watch is
+num_comp_calls.  The hash library keeps track of the 'hash' value for
+each item so when a lookup is done, the 'hashes' are compared, if
+there is a match, then a full compare is done, and
+hash->num_comp_calls is incremented.  If num_comp_calls is not equal
+to num_delete plus num_retrieve it means that your hash function is
+generating hashes that are the same for different values.  It is
+probably worth changing your hash function if this is the case because
+even if your hash table has 10 items in a 'bucked', it can be searched
+with 10 'unsigned long' compares and 10 linked list traverses.  This
+will be much less expensive that 10 calls to you compare function.
+
+LHASH *lh_new(
+unsigned long (*hash)(),
+int (*cmp)());
+	This function is used to create a new LHASH structure.  It is passed
+	function pointers that are used to store and retrieve values passed
+	into the hash table.  The 'hash'
+	function is a hashing function that will return a hashed value of
+	it's passed structure.  'cmp' is passed 2 parameters, it returns 0
+	is they are equal, otherwise, non zero.
+	If there are any problems (usually malloc failures), NULL is
+	returned, otherwise a new LHASH structure is returned.  The
+	hash value is normally truncated to a power of 2, so make sure
+	that your hash function returns well mixed low order bits.
+	
+void lh_free(
+LHASH *lh);
+	This function free()s a LHASH structure.  If there is malloced
+	data in the hash table, it will not be freed.  Consider using the
+	lh_doall function to deallocate any remaining entries in the hash
+	table.
+	
+char *lh_insert(
+LHASH *lh,
+char *data);
+	This function inserts the data pointed to by data into the lh hash
+	table.  If there is already and entry in the hash table entry, the
+	value being replaced is returned.  A NULL is returned if the new
+	entry does not clash with an entry already in the table (the normal
+	case) or on a malloc() failure (perhaps I should change this....).
+	The 'char *data' is exactly what is passed to the hash and
+	comparison functions specified in lh_new().
+	
+char *lh_delete(
+LHASH *lh,
+char *data);
+	This routine deletes an entry from the hash table.  The value being
+	deleted is returned.  NULL is returned if there is no such value in
+	the hash table.
+
+char *lh_retrieve(
+LHASH *lh,
+char *data);
+	If 'data' is in the hash table it is returned, else NULL is
+	returned.  The way these routines would normally be uses is that a
+	dummy structure would have key fields populated and then
+	ret=lh_retrieve(hash,&dummy);.  Ret would now be a pointer to a fully
+	populated structure.
+
+void lh_doall(
+LHASH *lh,
+void (*func)(char *a));
+	This function will, for every entry in the hash table, call function
+	'func' with the data item as parameters.
+	This function can be quite useful when used as follows.
+	void cleanup(STUFF *a)
+		{ STUFF_free(a); }
+	lh_doall(hash,cleanup);
+	lh_free(hash);
+	This can be used to free all the entries, lh_free() then
+	cleans up the 'buckets' that point to nothing.  Be careful
+	when doing this.  If you delete entries from the hash table,
+	in the call back function, the table may decrease in size,
+	moving item that you are
+	currently on down lower in the hash table.  This could cause
+	some entries to be skipped.  The best solution to this problem
+	is to set lh->down_load=0 before you start.  This will stop
+	the hash table ever being decreased in size.
+
+void lh_doall_arg(
+LHASH *lh;
+void(*func)(char *a,char *arg));
+char *arg;
+	This function is the same as lh_doall except that the function
+	called will be passed 'arg' as the second argument.
+	
+unsigned long lh_strhash(
+char *c);
+	This function is a demo string hashing function.  Since the LHASH
+	routines would normally be passed structures, this routine would
+	not normally be passed to lh_new(), rather it would be used in the
+	function passed to lh_new().
+
+The next three routines print out various statistics about the state of the
+passed hash table.  These numbers are all kept in the lhash structure.
+
+void lh_stats(
+LHASH *lh,
+FILE *out);
+	This function prints out statistics on the size of the hash table,
+	how many entries are in it, and the number and result of calls to
+	the routines in this library.
+
+void lh_node_stats(
+LHASH *lh,
+FILE *out);
+	For each 'bucket' in the hash table, the number of entries is
+	printed.
+	
+void lh_node_usage_stats(
+LHASH *lh,
+FILE *out);
+	This function prints out a short summary of the state of the hash
+	table.  It prints what I call the 'load' and the 'actual load'.
+	The load is the average number of data items per 'bucket' in the
+	hash table.  The 'actual load' is the average number of items per
+	'bucket', but only for buckets which contain entries.  So the
+	'actual load' is the average number of searches that will need to
+	find an item in the hash table, while the 'load' is the average number
+	that will be done to record a miss.
+
+==== md2.doc ========================================================
+
+The MD2 library.
+MD2 is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 16 byte hash.  The functions all need to be passed
+a MD2_CTX which is used to hold the MD2 context during multiple MD2_Update()
+function calls.  The normal method of use for this library is as follows
+
+MD2_Init(...);
+MD2_Update(...);
+...
+MD2_Update(...);
+MD2_Final(...);
+
+This library requires the inclusion of 'md2.h'.
+
+The main negative about MD2 is that it is slow, especially when compared
+to MD5.
+
+The functions are as follows:
+
+void MD2_Init(
+MD2_CTX *c);
+	This function needs to be called to initiate a MD2_CTX structure for
+	use.
+	
+void MD2_Update(
+MD2_CTX *c;
+unsigned char *data;
+unsigned long len);
+	This updates the message digest context being generated with 'len'
+	bytes from the 'data' pointer.  The number of bytes can be any
+	length.
+
+void MD2_Final(
+unsigned char *md;
+MD2_CTX *c;
+	This function is called when a message digest of the data digested
+	with MD2_Update() is wanted.  The message digest is put in the 'md'
+	array and is MD2_DIGEST_LENGTH (16) bytes long.
+
+unsigned char *MD2(
+unsigned long n;
+unsigned char *d;
+unsigned char *md;
+	This function performs a MD2_Init(), followed by a MD2_Update()
+	followed by a MD2_Final() (using a local MD2_CTX).
+	The resulting digest is put into 'md' if it is not NULL.
+	Regardless of the value of 'md', the message
+	digest is returned from the function.  If 'md' was NULL, the message
+	digest returned is being stored in a static structure.
+
+==== md5.doc ========================================================
+
+The MD5 library.
+MD5 is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 16 byte hash.  The functions all need to be passed
+a MD5_CTX which is used to hold the MD5 context during multiple MD5_Update()
+function calls.  This library also contains random number routines that are
+based on MD5
+
+The normal method of use for this library is as follows
+
+MD5_Init(...);
+MD5_Update(...);
+...
+MD5_Update(...);
+MD5_Final(...);
+
+This library requires the inclusion of 'md5.h'.
+
+The functions are as follows:
+
+void MD5_Init(
+MD5_CTX *c);
+	This function needs to be called to initiate a MD5_CTX structure for
+	use.
+	
+void MD5_Update(
+MD5_CTX *c;
+unsigned char *data;
+unsigned long len);
+	This updates the message digest context being generated with 'len'
+	bytes from the 'data' pointer.  The number of bytes can be any
+	length.
+
+void MD5_Final(
+unsigned char *md;
+MD5_CTX *c;
+	This function is called when a message digest of the data digested
+	with MD5_Update() is wanted.  The message digest is put in the 'md'
+	array and is MD5_DIGEST_LENGTH (16) bytes long.
+
+unsigned char *MD5(
+unsigned char *d;
+unsigned long n;
+unsigned char *md;
+	This function performs a MD5_Init(), followed by a MD5_Update()
+	followed by a MD5_Final() (using a local MD5_CTX).
+	The resulting digest is put into 'md' if it is not NULL.
+	Regardless of the value of 'md', the message
+	digest is returned from the function.  If 'md' was NULL, the message
+	digest returned is being stored in a static structure.
+
+
+==== memory.doc ========================================================
+
+In the interests of debugging SSLeay, there is an option to compile
+using some simple memory leak checking.
+
+All malloc(), free() and realloc() calls in SSLeay now go via
+Malloc(), Free() and Realloc() (except those in crypto/lhash).
+
+If CRYPTO_MDEBUG is defined, these calls are #defined to
+CRYPTO_malloc(), CRYPTO_free() and CRYPTO_realloc().
+If it is not defined, they are #defined to malloc(), free() and realloc().
+
+the CRYPTO_malloc() routines by default just call the underlying library
+functons.
+
+If CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) is called, memory leak detection is
+turned on.  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) turns it off.
+
+When turned on, each Malloc() or Realloc() call is recored along with the file
+and line number from where the call was made.   (This is done using the
+lhash library which always uses normal system malloc(3) routines).
+
+void CRYPTO_mem_leaks(BIO *b);
+void CRYPTO_mem_leaks_fp(FILE *fp);
+These both print out the list of memory that has not been free()ed.
+This will probably be rather hard to read, but if you look for the 'top level'
+structure allocation, this will often give an idea as to what is not being
+free()ed.  I don't expect people to use this stuff normally.
+
+==== ca.1 ========================================================
+
+From eay@orb.mincom.oz.au Thu Dec 28 23:56:45 1995
+Received: by orb.mincom.oz.au id AA07374
+  (5.65c/IDA-1.4.4 for eay); Thu, 28 Dec 1995 13:56:45 +1000
+Date: Thu, 28 Dec 1995 13:56:45 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: sameer <sameer@c2.org>
+Cc: ssleay@mincom.oz.au
+Subject: Re: 'ca'
+In-Reply-To: <199512230440.UAA23410@infinity.c2.org>
+Message-Id: <Pine.SOL.3.91.951228133525.7269A-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Fri, 22 Dec 1995, sameer wrote:
+> 	I could use documentation on 'ca'. Thanks.
+
+Very quickly.
+The ca program uses the ssleay.conf file for most of its configuration
+
+./ca -help
+
+ -verbose        - Talk alot while doing things
+ -config file    - A config file. If you don't want to use the
+		   default config file
+ -name arg       - The particular CA definition to use
+	In the config file, the section to use for parameters.  This lets 
+	multiple setups to be contained in the one file.  By default, the 
+	default_ca variable is looked up in the [ ca ] section.  So in the 
+	shipped ssleay.conf, the CA definition used is CA_default.  It could be 
+	any other name.
+ -gencrl days    - Generate a new CRL, days is when the next CRL is due
+	This will generate a new certificate revocion list.
+ -days arg       - number of days to certify the certificate for
+	When certifiying certificates, this is the number of days to use.
+ -md arg         - md to use, one of md2, md5, sha or sha1
+ -policy arg     - The CA 'policy' to support
+	I'll describe this later, but there are 2 policies definied in the 
+	shipped ssleay.conf
+ -keyfile arg    - PEM RSA private key file
+ -key arg        - key to decode the RSA private key if it is encrypted
+	since we need to keep the CA's RSA key encrypted
+ -cert           - The CA certificate
+ -in file        - The input PEM encoded certificate request(s)
+ -out file       - Where to put the output file(s)
+ -outdir dir     - Where to put output certificates
+	The -out options concatinates all the output certificied
+	certificates to one file, -outdir puts them in a directory,
+	named by serial number.
+ -infiles ....   - The last argument, requests to process
+	The certificate requests to process, -in is the same.
+
+Just about all the above have default values defined in ssleay.conf.
+
+The key variables in ssleay.conf are (for the pariticular '-name' being 
+used, in the default, it is CA_default).
+
+dir is where all the CA database stuff is kept.
+certs is where all the previously issued certificates are kept.
+The database is a simple text database containing the following tab separated 
+fields.
+status: a value of 'R' - revoked, 'E' -expired or 'V' valid.
+issued date:  When the certificate was certified.
+revoked date:  When it was revoked, blank if not revoked.
+serial number:  The certificate serial number.
+certificate:	Where the certificate is located.
+CN:	The name of the certificate.
+
+The demo file has quite a few made up values it it.  The last 2 were 
+added by the ca program and are acurate.
+The CA program does not update the 'certificate' file correctly right now.
+The serial field should be unique as should the CN/status combination.
+The ca program checks these at startup.  What still needs to be 
+wrtten is a program to 'regenerate' the data base file from the issued 
+certificate list (and a CRL list).
+
+Back to the CA_default variables.
+
+Most of the variables are commented.
+
+policy is the default policy.
+
+Ok for policies, they define the order and which fields must be present 
+in the certificate request and what gets filled in.
+
+So a value of
+countryName             = match
+means that the country name must match the CA certificate.
+organizationalUnitName  = optional
+The org.Unit,Name does not have to be present and
+commonName              = supplied
+commonName must be supplied in the certificate request.
+
+For the 'policy_match' polocy, the order of the attributes in the 
+generated certiticate would be
+countryName
+stateOrProvinceName
+organizationName
+organizationalUnitName
+commonName
+emailAddress
+
+Have a play, it sort of makes sense.  If you think about how the persona 
+requests operate, it is similar to the 'policy_match' policy and the
+'policy_anything' is similar to what versign is doing.
+
+I hope this helps a bit.  Some backend scripts are definitly needed to 
+update the database and to make certificate revocion easy.  All 
+certificates issued should also be kept forever (or until they expire?)
+
+hope this helps
+eric (who has to run off an buy some cheap knee pads for the caving in 4 
+days time :-)
+
+--
+Eric Young                  | Signature removed since it was generating
+AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
+
+
+==== ms3-ca.doc ========================================================
+
+Date: Mon, 9 Jun 97 08:00:33 +0200
+From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
+Subject: ms3-ca.doc
+Organization: TU Ilmenau, Fak. IA, FG Telematik
+Content-Length: 14575
+Status: RO
+X-Status: 
+
+Loading client certs into MSIE 3.01
+===================================
+
+This document conatains all the information necessary to succesfully set up 
+some scripts to issue client certs to Microsoft Internet Explorer. It 
+includes the required knowledge about the model MSIE uses for client 
+certification and includes complete sample scripts ready to play with. The 
+scripts were tested against a modified ca program of SSLeay 0.6.6 and should 
+work with the regular ca program that comes with version 0.8.0. I haven't 
+tested against MSIE 4.0
+
+You can use the information contained in this document in either way you 
+want. However if you feel it saved you a lot of time I ask you to be as fair 
+as to mention my name: Holger Reif <reif@prakinf.tu-ilmenau.de>.
+
+1.) The model used by MSIE
+--------------------------
+
+The Internet Explorer doesn't come with a embedded engine for installing 
+client certs like Netscape's Navigator. It rather uses the CryptoAPI (CAPI) 
+defined by Microsoft. CAPI comes with WindowsNT 4.0 or is installed together 
+with Internet Explorer since 3.01. The advantage of this approach is a higher 
+flexibility because the certificates in the (per user) system open 
+certificate store may be used by other applications as well. The drawback 
+however is that you need to do a bit more work to get a client cert issued.
+
+CAPI defines functions which will handle basic cryptographic work, eg. 
+generating keys, encrypting some data, signing text or building a certificate 
+request. The procedure is as follows: A CAPI function generates you a key 
+pair and saves it into the certificate store. After that one builds a 
+Distinguished Name. Together with that key pair another CAPI function forms a 
+PKCS#10 request which you somehow need to submit to a CA. Finally the issued 
+cert is given to a yet another CAPI function which saves it into the 
+certificate store.
+
+The certificate store with the user's keys and certs is in the registry. You 
+will find it under HKEY_CURRENT_USER/Software/Microsoft/Cryptography/ (I 
+leave it to you as a little exercise to figure out what all the entries mean 
+;-). Note that the keys are protected only with the user's usual Windows 
+login password.
+
+2.) The practical usage
+-----------------------
+
+Unfortunatly since CAPI is a system API you can't access its functions from 
+HTML code directly. For this purpose Microsoft provides a wrapper called 
+certenr3.dll. This DLL accesses the CAPI functions and provides an interface 
+usable from Visual Basic Script. One needs to install that library on the 
+computer which wants to have client cert. The easiest way is to load it as an 
+ActiveX control (certenr3.dll is properly authenticode signed by MS ;-). If 
+you have ever enrolled e cert request at a CA you will have installed it.
+
+At time of writing certenr3.dll is contained in 
+http://www.microsoft.com/workshop/prog/security/csa/certenr3.exe. It comes 
+with an README file which explains the available functions. It is labeled 
+beta but every CA seems to use it anyway. The license.txt allows you the 
+usage for your own purposes (as far as I understood) and a somehow limited 
+distribution. 
+
+The two functions of main interest are GenerateKeyPair and AcceptCredentials. 
+For complete explanation of all possible parameters see the README file. Here 
+are only minimal required parameters and their values.
+
+GenerateKeyPair(sessionID, FASLE, szName, 0, "ClientAuth", TRUE, FALSE, 1)
+- sessionID is a (locally to that computer) unique string to correlate the 
+generated key pair with a cert installed later.
+- szName is the DN of the form "C=DE; S=Thueringen; L=Ilmenau; CN=Holger 
+Reif; 1.2.840.113549.1.9.1=reif@prakinf.tu-ilmenau.de". Note that S is the 
+abreviation for StateOrProvince. The recognized abreviation include CN, O, C, 
+OU, G, I, L, S, T. If the abreviation is unknown (eg. for PKCS#9 email addr) 
+you need to use the full object identifier. The starting point for searching 
+them could be crypto/objects.h since all OIDs know to SSLeay are listed 
+there.
+- note: the possible ninth parameter which should give a default name to the 
+certificate storage location doesn't seem to work. Changes to the constant 
+values in the call above doesn't seem to make sense. You can't generate 
+PKCS#10 extensions with that function.
+
+The result of GenerateKeyPair is the base64 encoded PKCS#10 request. However 
+it has a little strange format that SSLeay doesn't accept. (BTW I feel the 
+decision of rejecting that format as standard conforming.) It looks like 
+follows:
+	1st line with 76 chars
+	2nd line with 76 chars
+	...
+	(n-2)th line with 76 chars
+	(n-1)th line contains a multiple of 4 chars less then 76 (possible 
+empty)
+	(n)th line has zero or 4 chars (then with 1 or 2 equal signs - the 
+		original text's lenght wasn'T a multiple of 3) 
+	The line separator has two chars: 0x0d 0x0a
+
+AcceptCredentials(sessionID, credentials, 0, FALSE)
+- sessionID needs to be the same as while generating the key pair
+- credentials is the base64 encoded PKCS#7 object containing the cert. 
+
+CRL's and CA certs are not required simply just the client cert. (It seems to 
+me that both are not even checked somehow.) The only format of the base64 
+encoded object I succesfully used was all characters in a very long string 
+without line feeds or carriage returns. (Hey, it doesn't matter, only a 
+computer reads it!)
+
+The result should be S_OK. For error handling see the example that comes with 
+certenr3.dll.
+
+A note about ASN.1 character encodings. certenr3.dll seems to know only about 
+2 of them: UniversalString and PrintableString. First it is definitely wrong 
+for an email address which is IA5STRING (checked by ssleay's ca). Second 
+unfortunately MSIE (at least until version 3.02) can't handle UniversalString 
+correctly - they just blow up you cert store! Therefore ssleay's ca (starting 
+from version 0.8.0) tries to convert the encodings automatically to IA5STRING 
+or TeletexString. The beef is it will work only for the latin-1 (western) 
+charset. Microsoft still has to do abit of homework...
+
+3.) An example
+--------------
+
+At least you need two steps: generating the key & request and then installing 
+the certificate. A real world CA would have some more steps involved, eg. 
+accepting some license. Note that both scripts shown below are just 
+experimental state without any warrenty!
+
+First how to generate a request. Note that we can't use a static page because 
+of the sessionID. I generate it from system time plus pid and hope it is 
+unique enough. Your are free to feed it through md5 to get more impressive 
+ID's ;-) Then the intended text is read in with sed which inserts the 
+sessionID. 
+
+-----BEGIN ms-enroll.cgi-----
+#!/bin/sh
+SESSION_ID=`date '+%y%m%d%H%M%S'`$$
+echo Content-type: text/html
+echo
+sed s/template_for_sessId/$SESSION_ID/ <<EOF
+<HTML><HEAD>
+<TITLE>Certificate Enrollment Test Page</TITLE>
+</HEAD><BODY>
+
+<OBJECT
+    classid="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43"
+    codebase=certenr3.dll
+    id=certHelper
+    >
+</OBJECT>
+
+<CENTER>
+<H2>enrollment for a personal cert</H2>
+<BR><HR WIDTH=50%><BR><P>
+<FORM NAME="MSIE_Enrollment" ACTION="ms-gencert.cgi" ENCTYPE=x-www-form-
+encoded METHOD=POST>
+<TABLE>
+    <TR><TD>Country</TD><TD><INPUT NAME="Country" VALUE=""></TD></TR>
+    <TR><TD>State</TD><TD><INPUT NAME="StateOrProvince" VALUE=""></TD></TR>
+    <TR><TD>Location</TD><TD><INPUT NAME="Location" VALUE=""></TD></TR>
+    <TR><TD>Organization</TD><TD><INPUT NAME="Organization" 
+VALUE=""></TD></TR>
+    <TR><TD>Organizational Unit</TD>
+        <TD><INPUT NAME="OrganizationalUnit" VALUE=""></TD></TR>
+    <TR><TD>Name</TD><TD><INPUT NAME="CommonName" VALUE=""></TD></TR>
+    <TR><TD>eMail Address</TD>
+        <TD><INPUT NAME="EmailAddress" VALUE=""></TD></TR>
+    <TR><TD></TD>
+        <TD><INPUT TYPE="BUTTON" NAME="submit" VALUE="Beantragen"></TD></TR>
+</TABLE>
+	<INPUT TYPE="hidden" NAME="SessionId" VALUE="template_for_sessId">
+	<INPUT TYPE="hidden" NAME="Request" VALUE="">
+</FORM>
+<BR><HR WIDTH=50%><BR><P>
+</CENTER>
+
+<SCRIPT LANGUAGE=VBS>
+    Dim DN
+
+    Sub Submit_OnClick
+	Dim TheForm
+	Set TheForm = Document.MSIE_Enrollment
+	sessionId	= TheForm.SessionId.value
+	reqHardware     = FALSE
+	C		= TheForm.Country.value
+	SP		= TheForm.StateOrProvince.value
+	L		= TheForm.Location.value
+	O		= TheForm.Organization.value
+	OU		= TheForm.OrganizationalUnit.value
+	CN              = TheForm.CommonName.value
+	Email		= TheForm.EmailAddress.value
+        szPurpose       = "ClientAuth"
+        doAcceptanceUINow   = FALSE
+        doOnline        = TRUE
+
+	DN = ""
+
+	Call Add_RDN("C", C)
+	Call Add_RDN("S", SP)
+	Call Add_RDN("L", L)
+	Call Add_RDN("O", O)
+	Call Add_RDN("OU", OU)
+	Call Add_RDN("CN", CN)
+	Call Add_RDN("1.2.840.113549.1.9.1", Email)
+		      ' rsadsi
+				     ' pkcs
+				       ' pkcs9
+					 ' eMailAddress
+        On Error Resume Next
+        sz10 = certHelper.GenerateKeyPair(sessionId, _
+                FALSE, DN, 0, ClientAuth, FASLE, TRUE, 1)_
+        theError = Err.Number
+        On Error Goto 0
+        if (sz10 = Empty OR theError <> 0) Then
+            sz = "The error '" & Hex(theError) & "' occurred." & chr(13) & _
+                chr(10) & "Your credentials could not be generated."
+            result = MsgBox(sz, 0, "Credentials Enrollment")
+            Exit Sub
+	else 
+	    TheForm.Request.value = sz10
+	    TheForm.Submit
+        end if
+    End Sub
+
+    Sub Add_RDN(sn, value)
+	if (value <> "") then
+	    if (DN <> "") then
+		DN = DN & "; "
+	    end if
+	    DN = DN & sn & "=" & value
+	end if
+    End Sub
+</SCRIPT>
+</BODY>
+</HTML>
+EOF
+-----END ms-enroll.cgi-----
+
+Second, how to extract the request and feed the certificate back? We need to 
+"normalize" the base64 encoding of the PKCS#10 format which means 
+regenerating the lines and wrapping with BEGIN and END line. This is done by 
+gawk. The request is taken by ca the normal way. Then the cert needs to be 
+packed into a PKCS#7 structure (note: the use of a CRL is necessary for 
+crl2pkcs7 as of version 0.6.6. Starting with 0.8.0 it it might probably be 
+ommited). Finally we need to format the PKCS#7 object and generate the HTML 
+text. I use two templates to have a clearer script.
+
+1st note: postit2 is slightly modified from a program I found at ncsa's ftp 
+site. Grab it from http://www.easterngraphics.com/certs/IX9704/postit2.c. You 
+need utils.c from there too.
+
+2nd note: I'm note quite sure wether the gawk script really handles all 
+possible inputs for the request right! Today I don't use this construction 
+anymore myself.
+
+3d note: the cert must be of version 3! This could be done with the nsComment 
+line in ssleay.cnf...
+
+------BEGIN ms-gencert.cgi-----
+#!/bin/sh
+FILE="/tmp/"`date '+%y%m%d%H%M%S'-`$$
+rm -f "$FILE".*
+
+HOME=`pwd`; export HOME  # as ssleay.cnf insists on having such an env var
+cd /usr/local/ssl #where demoCA (as named in ssleay.conf) is located
+
+postit2 -s " " -i 0x0d > "$FILE".inp  # process the FORM vars
+
+SESSION_ID=`gawk '$1 == "SessionId" { print $2; exit }' "$FILE".inp`
+
+gawk \
+	'BEGIN { \
+		OFS = ""; \
+		print "-----BEGIN CERTIFICATE REQUEST-----"; \
+		req_seen=0 \
+	} \
+	$1 == "Request" { \
+		req_seen=1; \
+		if (length($2) == 72) print($2); \
+		lastline=$2; \
+		next; \
+	} \
+	{ \
+		if (req_seen == 1) { \
+			if (length($1) >= 72) print($1); \
+			else if (length(lastline) < 72) { \
+				req_seen=0; \
+				print (lastline,$1); \
+			} \
+		lastline=$1; \
+		} \
+	} \
+	END { \
+		print "-----END CERTIFICATE REQUEST-----"; \
+	}' > "$FILE".pem < "$FILE".inp 
+
+ssleay ca -batch -in "$FILE".pem -key passwd -out "$FILE".out
+ssleay crl2pkcs7 -certfile "$FILE".out -out "$FILE".pkcs7 -in demoCA/crl.pem
+
+sed s/template_for_sessId/$SESSION_ID/ <ms-enroll2a.html >"$FILE".cert
+/usr/local/bin/gawk \
+	'BEGIN	{ \
+		OFS = ""; \
+		dq = sprintf("%c",34); \
+	} \
+	$0 ~ "PKCS7" { next; } \
+	{ \
+		print dq$0dq" & _"; \
+	}' <"$FILE".pkcs7 >> "$FILE".cert
+cat  ms-enroll2b.html >>"$FILE".cert
+
+echo Content-type: text/html
+echo Content-length: `wc -c "$FILE".cert`
+echo
+cat "$FILE".cert
+rm -f "$FILE".*
+-----END ms-gencert.cgi-----
+
+----BEGIN ms-enroll2a.html----
+<HTML><HEAD><TITLE>Certificate Acceptance Test Page</TITLE></HEAD><BODY>
+
+<OBJECT
+    classid="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43"
+    codebase=certenr3.dll
+    id=certHelper
+    >
+</OBJECT>
+
+<CENTER>
+<H2>Your personal certificate</H2>
+<BR><HR WIDTH=50%><BR><P>
+Press the button!
+<P><INPUT TYPE=BUTTON VALUE="Nimm mich!" NAME="InstallCert">
+</CENTER>
+<BR><HR WIDTH=50%><BR>
+
+<SCRIPT LANGUAGE=VBS>
+    Sub InstallCert_OnClick
+
+	sessionId	= "template_for_sessId"
+credentials = "" & _
+----END ms-enroll2a.html----
+
+----BEGIN ms-enroll2b.html----
+""
+        On Error Resume Next
+        result = certHelper.AcceptCredentials(sessionId, credentials, 0, 
+FALSE)
+        if (IsEmpty(result)) Then
+           sz = "The error '" & Err.Number & "' occurred." & chr(13) & 
+chr(10) & "This Digital ID could not be registered."
+           msgOut = MsgBox(sz, 0, "Credentials Registration Error")
+           navigate "error.html"
+        else
+           sz = "Digital ID successfully registered."
+           msgOut = MsgBox(sz, 0, "Credentials Registration")
+           navigate "success.html"
+        end if
+	Exit Sub
+    End Sub
+</SCRIPT>
+</BODY>
+</HTML>
+----END ms-enroll2b.html----
+
+4.) What do do with the cert?
+-----------------------------
+
+The cert is visible (without restarting MSIE) under the following menu:
+View->Options->Security->Personal certs. You can examine it's contents at 
+least partially.
+
+To use it for client authentication you need to use SSL3.0 (fortunately 
+SSLeay supports it with 0.8.0). Furthermore MSIE is told to only supports a 
+kind of automatic selection of certs (I personally wasn't able to test it 
+myself). But there is a requirement that the issuer of the server cert and 
+the issuer of the client cert needs to be the same (according to a developer 
+from MS). Which means: you need may more then one cert to talk to all 
+servers...
+
+I'm sure we will get a bit more experience after ApacheSSL is available for 
+SSLeay 0.8.8.
+
+
+I hope you enjoyed reading and that in future questions on this topic will 
+rarely appear on ssl-users@moncom.com ;-)
+
+Ilmenau, 9th of June 1997
+Holger Reif <reif@prakinf.tu-ilmenau.de>
+-- 
+read you later  -  Holger Reif
+----------------------------------------  Signaturprojekt Deutsche Einheit
+TU Ilmenau - Informatik - Telematik                      (Verdamp lang her)
+Holger.Reif@PrakInf.TU-Ilmenau.DE         Alt wie ein Baum werden, um ueber
+http://Remus.PrakInf.TU-Ilmenau.DE/Reif/  alle 7 Bruecken gehen zu koennen
+
+
+==== ns-ca.doc ========================================================
+
+The following documentation was supplied by Jeff Barber, who provided the
+patch to the CA program to add this functionality.
+
+eric
+--
+Jeff Barber                                Email: jeffb@issl.atl.hp.com
+
+Hewlett Packard                            Phone: (404) 648-9503
+Internet and System Security Lab           Fax:   (404) 648-9516
+
+                         oo
+---------------------cut /\ here for ns-ca.doc ------------------------------
+
+This document briefly describes how to use SSLeay to implement a 
+certificate authority capable of dynamically serving up client
+certificates for version 3.0 beta 5 (and presumably later) versions of
+the Netscape Navigator.  Before describing how this is done, it's
+important to understand a little about how the browser implements its
+client certificate support.  This is documented in some detail in the
+URLs based at <URL:http://home.netscape.com/eng/security/certs.html>.
+Here's a brief overview:
+
+-	The Navigator supports a new HTML tag "KEYGEN" which will cause
+	the browser to generate an RSA key pair when you submit a form
+	containing the tag.  The public key, along with an optional
+	challenge (supposedly provided for use in certificate revocation
+	but I don't use it) is signed, DER-encoded, base-64 encoded
+	and sent to the web server as the value of the variable
+	whose NAME is provided in the KEYGEN tag.  The private key is
+	stored by the browser in a local key database.
+
+	This "Signed Public Key And Challenge" (SPKAC) arrives formatted
+	into 64 character lines (which are of course URL-encoded when 
+	sent via HTTP -- i.e. spaces, newlines and most punctuatation are
+	encoded as "%HH" where HH is the hex equivalent of the ASCII code).
+	Note that the SPKAC does not contain the other usual attributes
+	of a certificate request, especially the subject name fields.
+	These must be otherwise encoded in the form for submission along
+	with the SPKAC.
+
+-	Either immediately (in response to this form submission), or at
+	some later date (a real CA will probably verify your identity in
+	some way before issuing the certificate), a web server can send a
+	certificate based on the public key and other attributes back to
+	the browser by encoding it in DER (the binary form) and sending it
+	to the browser as MIME type:
+	"Content-type: application/x-x509-user-cert"
+
+	The browser uses the public key encoded in the certificate to
+	associate the certificate with the appropriate private key in
+	its local key database.  Now, the certificate is "installed".
+
+-	When a server wants to require authentication based on client
+	certificates, it uses the right signals via the SSL protocol to
+	trigger the Navigator to ask you which certificate you want to
+	send.  Whether the certificate is accepted is dependent on CA
+	certificates and so forth installed in the server and is beyond
+	the scope of this document.
+
+
+Now, here's how the SSLeay package can be used to provide client 
+certficates:
+
+-	You prepare a file for input to the SSLeay ca application.
+	The file contains a number of "name = value" pairs that identify
+	the subject.  The names here are the same subject name component
+	identifiers used in the CA section of the lib/ssleay.conf file,
+	such as "emailAddress", "commonName" "organizationName" and so
+	forth.  Both the long version and the short version (e.g. "Email",
+	"CN", "O") can be used.
+
+	One more name is supported: this one is "SPKAC".  Its value
+	is simply the value of the base-64 encoded SPKAC sent by the
+	browser (with all the newlines and other space charaters
+	removed -- and newline escapes are NOT supported).
+
+	[ As of SSLeay 0.6.4, multiple lines are supported.
+	  Put a \ at the end of each line and it will be joined with the
+	  previous line with the '\n' removed - eay ]
+	
+	Here's a sample input file:
+
+C = US
+SP = Georgia
+O = Some Organization, Inc.
+OU = Netscape Compatibility Group
+CN = John X. Doe
+Email = jxdoe@someorg.com
+SPKAC = MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwmk6FMJ4uAVIYbcvIOx5+bDGTfvL8X5gE+R67ccMk6rCSGbVQz2cetyQtnI+VIs0NwdD6wjuSuVtVFbLoHonowIDAQABFgAwDQYJKoZIhvcNAQEEBQADQQBFZDUWFl6BJdomtN1Bi53mwijy1rRgJ4YirF15yBEDM3DjAQkKXHYOIX+qpz4KXKnl6EYxTnGSFL5wWt8X2iyx
+
+-	You execute the ca command (either from a CGI program run out of
+	the web server, or as a later manual task) giving it the above
+	file as input.  For example, if the file were named /tmp/cert.req,
+	you'd run:
+	$SSLDIR/bin/ca -spkac /tmp/cert.req -out /tmp/cert
+
+	The output is in DER format (binary) if a -out argument is 
+	provided, as above; otherwise, it's in the PEM format (base-64
+	encoded DER).  Also, the "-batch" switch is implied by the
+	"-spkac" so you don't get asked whether to complete the signing
+	(probably it shouldn't work this way but I was only interested
+	in hacking together an online CA that could be used for issuing
+	test certificates).
+
+	The "-spkac" capability doesn't support multiple files (I think).
+
+	Any CHALLENGE provided in the SPKAC is simply ignored.
+
+	The interactions between the identification fields you provide
+	and those identified in your lib/ssleay.conf are the same as if
+	you did an ordinary "ca -in infile -out outfile" -- that is, if
+	something is marked as required in the ssleay.conf file and it
+	isn't found in the -spkac file, the certificate won't be issued.
+
+-	Now, you pick up the output from /tmp/cert and pass it back to
+	the Navigator prepending the Content-type string described earlier.
+
+-	In order to run the ca command out of a CGI program, you must
+	provide a password to decrypt the CA's private key.  You can
+	do this by using "echo MyKeyPassword | $SSLDIR/bin/ca ..."
+	I think there's a way to not encrypt the key file in the first
+	place, but I didn't see how to do that, so I made a small change
+	to the library that allows the password to be accepted from a pipe.
+	Either way is UTTERLY INSECURE and a real CA would never do that.
+
+	[ You can use the 'ssleay rsa' command to remove the password
+	  from the private key, or you can use the '-key' option to the
+	  ca command to specify the decryption key on the command line
+	  or use the -nodes option when generating the key.
+	  ca will try to clear the command line version of the password
+	  but for quite a few operating systems, this is not possible.
+	  - eric ]
+
+So, what do you have to do to make use of this stuff to create an online 
+demo CA capability with SSLeay?
+
+1	Create an HTML form for your users.  The form should contain
+	fields for all of the required or optional fields in ssleay.conf.
+	The form must contain a KEYGEN tag somewhere with at least a NAME
+	attribute.
+
+2	Create a CGI program to process the form input submitted by the
+	browser.  The CGI program must URL-decode the variables and create
+	the file described above, containing subject identification info
+	as well as the SPKAC block.  It should then run the the ca program
+	with the -spkac option.  If it works (check the exit status),
+	return the new certificate with the appropriate MIME type.  If not,
+	return the output of the ca command with MIME type "text/plain".
+
+3	Set up your web server to accept connections signed by your demo
+	CA.  This probably involves obtaining the PEM-encoded CA certificate
+	(ordinarily in $SSLDIR/CA/cacert.pem) and installing it into a
+	server database.  See your server manual for instructions.
+
+
+==== obj.doc ========================================================
+
+The Object library.
+
+As part of my Crypto library, I found I required a method of identifying various
+objects.  These objects normally had 3 different values associated with
+them, a short text name, a long (or lower case) text name, and an
+ASN.1 Object Identifier (which is a sequence of numbers).
+This library contains a static list of objects and functions to lookup
+according to one type and to return the other types.
+
+To use these routines, 'Object.h' needs to be included.
+
+For each supported object, #define entries are defined as follows
+#define SN_Algorithm			"Algorithm"
+#define LN_algorithm			"algorithm"
+#define NID_algorithm			38
+#define OBJ_algorithm			1L,3L,14L,3L,2L
+
+SN_  stands for short name.
+LN_  stands for either long name or lowercase name.
+NID_ stands for Numeric ID.  I each object has a unique NID and this
+     should be used internally to identify objects.
+OBJ_ stands for ASN.1 Object Identifier or ASN1_OBJECT as defined in the
+     ASN1 routines.  These values are used in ASN1 encoding.
+
+The following functions are to be used to return pointers into a static
+definition of these types.  What this means is "don't try to free() any
+pointers returned from these functions.
+
+ASN1_OBJECT *OBJ_nid2obj(
+int n);
+	Return the ASN1_OBJECT that corresponds to a NID of n.
+	
+char *OBJ_nid2ln(
+int n);
+	Return the long/lower case name of the object represented by the
+	NID of n.
+	
+char *OBJ_nid2sn(
+int n);
+	Return the short name for the object represented by the NID of n.
+
+ASN1_OBJECT *OBJ_dup(
+ASN1_OBJECT *o);
+	Duplicate and return a new ASN1_OBJECT that is the same as the
+	passed parameter.
+	
+int OBJ_obj2nid(
+ASN1_OBJECT *o);
+	Given ASN1_OBJECT o, return the NID that corresponds.
+	
+int OBJ_ln2nid(
+char *s);
+	Given the long/lower case name 's', return the NID of the object.
+	
+int OBJ_sn2nid(
+char *s);
+	Given the short name 's', return the NID of the object.
+	
+char *OBJ_bsearch(
+char *key,
+char *base,
+int num,
+int size,
+int (*cmp)());
+	Since I have come across a few platforms that do not have the
+	bsearch() function, OBJ_bsearch is my version of that function.
+	Feel free to use this function, but you may as well just use the
+	normal system bsearch(3) if it is present.  This version also
+	has tolerance of being passed NULL pointers.
+
+==== keys ===========================================================
+
+EVP_PKEY_DSA
+EVP_PKEY_DSA2
+EVP_PKEY_DSA3
+EVP_PKEY_DSA4
+
+EVP_PKEY_RSA
+EVP_PKEY_RSA2
+
+valid DSA pkey types
+	NID_dsa
+	NID_dsaWithSHA
+	NID_dsaWithSHA1
+	NID_dsaWithSHA1_2
+
+valid RSA pkey types
+	NID_rsaEncryption
+	NID_rsa
+
+NID_dsaWithSHA	NID_dsaWithSHA			DSA		SHA
+NID_dsa		NID_dsaWithSHA1			DSA		SHA1
+NID_md2		NID_md2WithRSAEncryption	RSA-pkcs1	MD2
+NID_md5		NID_md5WithRSAEncryption	RSA-pkcs1	MD5
+NID_mdc2	NID_mdc2WithRSA			RSA-none	MDC2
+NID_ripemd160	NID_ripemd160WithRSA		RSA-pkcs1	RIPEMD160
+NID_sha		NID_shaWithRSAEncryption	RSA-pkcs1	SHA
+NID_sha1	NID_sha1WithRSAEncryption	RSA-pkcs1	SHA1
+
+==== rand.doc ========================================================
+
+My Random number library.
+
+These routines can be used to generate pseudo random numbers and can be
+used to 'seed' the pseudo random number generator (RNG).  The RNG make no
+effort to reproduce the same random number stream with each execution.
+Various other routines in the SSLeay library 'seed' the RNG when suitable
+'random' input data is available.  Read the section at the end for details
+on the design of the RNG.
+
+void RAND_bytes(
+unsigned char *buf,
+int num);
+	This routine puts 'num' random bytes into 'buf'.  One should make
+	sure RAND_seed() has been called before using this routine.
+	
+void RAND_seed(
+unsigned char *buf,
+int num);
+	This routine adds more 'seed' data the RNG state.  'num' bytes
+	are added to the RNG state, they are taken from 'buf'.  This
+	routine can be called with sensitive data such as user entered
+	passwords.  This sensitive data is in no way recoverable from
+	the RAND library routines or state.  Try to pass as much data
+	from 'random' sources as possible into the RNG via this function.
+	Also strongly consider using the RAND_load_file() and
+	RAND_write_file() routines.
+
+void RAND_cleanup();
+	When a program has finished with the RAND library, if it so
+	desires, it can 'zero' all RNG state.
+	
+The following 3 routines are convenience routines that can be used to
+'save' and 'restore' data from/to the RNG and it's state.
+Since the more 'random' data that is feed as seed data the better, why not
+keep it around between executions of the program?  Of course the
+application should pass more 'random' data in via RAND_seed() and 
+make sure no-one can read the 'random' data file.
+	
+char *RAND_file_name(
+char *buf,
+int size);
+	This routine returns a 'default' name for the location of a 'rand'
+	file.  The 'rand' file should keep a sequence of random bytes used
+	to initialise the RNG.  The filename is put in 'buf'.  Buf is 'size'
+	bytes long.  Buf is returned if things go well, if they do not,
+	NULL is returned.  The 'rand' file name is generated in the
+	following way.  First, if there is a 'RANDFILE' environment
+	variable, it is returned.  Second, if there is a 'HOME' environment
+	variable, $HOME/.rand is returned.  Third, NULL is returned.  NULL
+	is also returned if a buf would overflow.
+
+int RAND_load_file(
+char *file,
+long number);
+	This function 'adds' the 'file' into the RNG state.  It does this by
+	doing a RAND_seed() on the value returned from a stat() system call
+	on the file and if 'number' is non-zero, upto 'number' bytes read
+	from the file.  The number of bytes passed to RAND_seed() is returned.
+
+int RAND_write_file(
+char *file),
+	RAND_write_file() writes N random bytes to the file 'file', where
+	N is the size of the internal RND state (currently 1k).
+	This is a suitable method of saving RNG state for reloading via
+	RAND_load_file().
+
+What follows is a description of this RNG and a description of the rational
+behind it's design.
+
+It should be noted that this RNG is intended to be used to generate
+'random' keys for various ciphers including generation of DH and RSA keys.  
+
+It should also be noted that I have just created a system that I am happy with.
+It may be overkill but that does not worry me.  I have not spent that much
+time on this algorithm so if there are glaring errors, please let me know.
+Speed has not been a consideration in the design of these routines.
+
+First up I will state the things I believe I need for a good RNG.
+1) A good hashing algorithm to mix things up and to convert the RNG 'state'
+   to random numbers.
+2) An initial source of random 'state'.
+3) The state should be very large.  If the RNG is being used to generate
+   4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
+   If your RNG state only has 128 bits, you are obviously limiting the
+   search space to 128 bits, not 2048.  I'm probably getting a little
+   carried away on this last point but it does indicate that it may not be
+   a bad idea to keep quite a lot of RNG state.  It should be easier to
+   break a cipher than guess the RNG seed data.
+4) Any RNG seed data should influence all subsequent random numbers
+   generated.  This implies that any random seed data entered will have
+   an influence on all subsequent random numbers generated.
+5) When using data to seed the RNG state, the data used should not be
+   extractable from the RNG state.  I believe this should be a
+   requirement because one possible source of 'secret' semi random
+   data would be a private key or a password.  This data must
+   not be disclosed by either subsequent random numbers or a
+   'core' dump left by a program crash.
+6) Given the same initial 'state', 2 systems should deviate in their RNG state
+   (and hence the random numbers generated) over time if at all possible.
+7) Given the random number output stream, it should not be possible to determine
+   the RNG state or the next random number.
+
+
+The algorithm is as follows.
+
+There is global state made up of a 1023 byte buffer (the 'state'), a
+working message digest ('md') and a counter ('count').
+
+Whenever seed data is added, it is inserted into the 'state' as
+follows.
+	The input is chopped up into units of 16 bytes (or less for
+	the last block).  Each of these blocks is run through the MD5
+	message digest.  The data passed to the MD5 digest is the
+	current 'md', the same number of bytes from the 'state'
+	(the location determined by in incremented looping index) as
+	the current 'block' and the new key data 'block'.  The result
+	of this is kept in 'md' and also xored into the 'state' at the
+	same locations that were used as input into the MD5.
+	I believe this system addresses points 1 (MD5), 3 (the 'state'),
+	4 (via the 'md'), 5 (by the use of MD5 and xor).
+
+When bytes are extracted from the RNG, the following process is used.
+For each group of 8 bytes (or less), we do the following,
+	Input into MD5, the top 8 bytes from 'md', the byte that are
+	to be overwritten by the random bytes and bytes from the
+	'state' (incrementing looping index).  From this digest output
+	(which is kept in 'md'), the top (upto) 8 bytes are
+	returned to the caller and the bottom (upto) 8 bytes are xored
+	into the 'state'.
+	Finally, after we have finished 'generation' random bytes for the
+	called, 'count' (which is incremented) and 'md' are fed into MD5 and
+	the results are kept in 'md'.
+	I believe the above addressed points 1 (use of MD5), 6 (by
+	hashing into the 'state' the 'old' data from the caller that
+	is about to be overwritten) and 7 (by not using the 8 bytes
+	given to the caller to update the 'state', but they are used
+	to update 'md').
+
+So of the points raised, only 2 is not addressed, but sources of
+random data will always be a problem.
+	
+
+==== rc2.doc ========================================================
+
+The RC2 library.
+
+RC2 is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses variable size key, but 128bit (16 byte) key would normally be considered
+good.  It can be used in all the modes that DES can be used.  This
+library implements the ecb, cbc, cfb64, ofb64 modes.
+
+I have implemented this library from an article posted to sci.crypt on
+11-Feb-1996.  I personally don't know how far to trust the RC2 cipher.
+While it is capable of having a key of any size, not much reseach has
+publically been done on it at this point in time (Apr-1996)
+since the cipher has only been public for a few months :-)
+It is of a similar speed to DES and IDEA, so unless it is required for
+meeting some standard (SSLv2, perhaps S/MIME), it would probably be advisable
+to stick to IDEA, or for the paranoid, Tripple DES.
+
+Mind you, having said all that, I should mention that I just read alot and
+implement ciphers, I'm a 'babe in the woods' when it comes to evaluating
+ciphers :-).
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'rc2.h'.
+
+All of the encryption functions take what is called an RC2_KEY as an 
+argument.  An RC2_KEY is an expanded form of the RC2 key.
+For all modes of the RC2 algorithm, the RC2_KEY used for
+decryption is the same one that was used for encryption.
+
+The define RC2_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. RC2_DECRYPT is passed to
+specify decryption.
+
+Please note that any of the encryption modes specified in my DES library
+could be used with RC2.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic RC2 encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple RC2, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  RC2_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void RC2_set_key(
+RC2_KEY *ks;
+int len;
+unsigned char *key;
+int bits;
+        RC2_set_key converts an 'len' byte key into a RC2_KEY.
+        A 'ks' is an expanded form of the 'key' which is used to
+        perform actual encryption.  It can be regenerated from the RC2 key
+        so it only needs to be kept when encryption or decryption is about
+        to occur.  Don't save or pass around RC2_KEY's since they
+        are CPU architecture dependent, 'key's are not.  RC2 is an
+	interesting cipher in that it can be used with a variable length
+	key.  'len' is the length of 'key' to be used as the key.
+	A 'len' of 16 is recomended.  The 'bits' argument is an
+	interesting addition which I only found out about in Aug 96.
+	BSAFE uses this parameter to 'limit' the number of bits used
+	for the key.  To use the 'key' unmodified, set bits to 1024.
+	This is what old versions of my RC2 library did (SSLeay 0.6.3).
+	RSAs BSAFE library sets this parameter to be 128 if 128 bit
+	keys are being used.  So to be compatable with BSAFE, set it
+	to 128, if you don't want to reduce RC2's key length, leave it
+	at 1024.
+	
+void RC2_encrypt(
+unsigned long *data,
+RC2_KEY *key,
+int encrypt);
+	This is the RC2 encryption function that gets called by just about
+	every other RC2 routine in the library.  You should not use this
+	function except to implement 'modes' of RC2.  I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.
+	Data is a pointer to 2 unsigned long's and key is the
+	RC2_KEY to use.  Encryption or decryption is indicated by 'encrypt'.
+	which can have the values RC2_ENCRYPT or RC2_DECRYPT.
+
+void RC2_ecb_encrypt(
+unsigned char *in,
+unsigned char *out,
+RC2_KEY *key,
+int encrypt);
+	This is the basic Electronic Code Book form of RC2 (in DES this
+	mode is called Electronic Code Book so I'm going to use the term
+	for rc2 as well.
+	Input is encrypted into output using the key represented by
+	key.  Depending on the encrypt, encryption or
+	decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+	
+void RC2_cbc_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *ks,
+unsigned char *ivec,
+int encrypt);
+	This routine implements RC2 in Cipher Block Chaining mode.
+	Input, which should be a multiple of 8 bytes is encrypted
+	(or decrypted) to output which will also be a multiple of 8 bytes.
+	The number of bytes is in length (and from what I've said above,
+	should be a multiple of 8).  If length is not a multiple of 8, bad 
+	things will probably happen.  ivec is the initialisation vector.
+	This function updates iv after each call so that it can be passed to
+	the next call to RC2_cbc_encrypt().
+	
+void RC2_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *schedule,
+unsigned char *ivec,
+int *num,
+int encrypt);
+	This is one of the more useful functions in this RC2 library, it
+	implements CFB mode of RC2 with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	'Encrypt' is used to indicate encryption or decryption.
+	CFB64 mode operates by using the cipher to generate a stream
+	of bytes which is used to encrypt the plain text.
+	The cipher text is then encrypted to generate the next 64 bits to
+	be xored (incrementally) with the next 64 bits of plain
+	text.  As can be seen from this, to encrypt or decrypt,
+	the same 'cipher stream' needs to be generated but the way the next
+	block of data is gathered for encryption is different for
+	encryption and decryption.
+	
+void RC2_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *schedule,
+unsigned char *ivec,
+int *num);
+	This functions implements OFB mode of RC2 with 64bit feedback.
+	This allows you to encrypt an arbitrary number of bytes,
+	you do not require 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  Num contains 'how far' we are though ivec.
+	This is in effect a stream cipher, there is no encryption or
+	decryption mode.
+	
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+RC2_set_key().
+
+=====
+For more information about the specific RC2 modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for RC2.
+
+
+==== rc4.doc ========================================================
+
+The RC4 library.
+RC4 is a stream cipher that operates on a byte stream.  It can be used with
+any length key but I would recommend normally using 16 bytes.
+
+This library requires the inclusion of 'rc4.h'.
+
+The RC4 encryption function takes what is called an RC4_KEY as an argument.
+The RC4_KEY is generated by the RC4_set_key function from the key bytes.
+
+RC4, being a stream cipher, does not have an encryption or decryption mode.
+It produces a stream of bytes that the input stream is xor'ed against and
+so decryption is just a case of 'encrypting' again with the same key.
+
+I have only put in one 'mode' for RC4 which is the normal one.  This means
+there is no initialisation vector and there is no feedback of the cipher
+text into the cipher.  This implies that you should not ever use the
+same key twice if you can help it.  If you do, you leave yourself open to
+known plain text attacks; if you know the plain text and
+corresponding cipher text in one message, all messages that used the same
+key can have the cipher text decoded for the corresponding positions in the
+cipher stream.
+
+The main positive feature of RC4 is that it is a very fast cipher; about 4
+times faster that DES.  This makes it ideally suited to protocols where the
+key is randomly chosen, like SSL.
+
+The functions are as follows:
+
+void RC4_set_key(
+RC4_KEY *key;
+int len;
+unsigned char *data);
+	This function initialises the RC4_KEY structure with the key passed
+	in 'data', which is 'len' bytes long.  The key data can be any
+	length but 16 bytes seems to be a good number.
+
+void RC4(
+RC4_KEY *key;
+unsigned long len;
+unsigned char *in;
+unsigned char *out);
+	Do the actual RC4 encryption/decryption.  Using the 'key', 'len'
+	bytes are transformed from 'in' to 'out'.  As mentioned above,
+	decryption is the operation as encryption.
+
+==== ref.doc ========================================================
+
+I have lots more references etc, and will update this list in the future,
+30 Aug 1996 - eay
+
+
+SSL	The SSL Protocol - from Netscapes.
+
+RC4	Newsgroups: sci.crypt
+	From: sterndark@netcom.com (David Sterndark)
+	Subject: RC4 Algorithm revealed.
+	Message-ID: <sternCvKL4B.Hyy@netcom.com>
+
+RC2	Newsgroups: sci.crypt
+	From: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+	Subject: Specification for Ron Rivests Cipher No.2
+	Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+
+MD2	RFC1319 The MD2 Message-Digest Algorithm
+MD5	RFC1321 The MD5 Message-Digest Algorithm
+
+X509 Certificates
+	RFC1421 Privacy Enhancement for Internet Electronic Mail: Part I
+	RFC1422 Privacy Enhancement for Internet Electronic Mail: Part II
+	RFC1423 Privacy Enhancement for Internet Electronic Mail: Part III
+	RFC1424 Privacy Enhancement for Internet Electronic Mail: Part IV
+
+RSA and various standard encoding
+	PKCS#1 RSA Encryption Standard
+	PKCS#5 Password-Based Encryption Standard
+	PKCS#7 Cryptographic Message Syntax Standard
+	A Layman's Guide to a Subset of ASN.1, BER, and DER
+	An Overview of the PKCS Standards
+	Some Examples of the PKCS Standards
+
+IDEA	Chapter 3 The Block Cipher IDEA
+
+RSA, prime number generation and bignum algorithms
+	Introduction To Algorithms,
+	Thomas Cormen, Charles Leiserson, Ronald Rivest,
+	Section 29 Arithmetic Circuits
+	Section 33 Number-Theoretic Algorithms
+
+Fast Private Key algorithm
+	Fast Decipherment Algorithm for RSA Public-Key Cryptosystem
+	J.-J. Quisquater and C. Couvreur, Electronics Letters,
+	14th October 1982, Vol. 18 No. 21
+
+Prime number generation and bignum algorithms.
+	PGP-2.3a
+
+==== rsa.doc ========================================================
+
+The RSA encryption and utility routines.
+
+The RSA routines are built on top of a big number library (the BN library).
+There are support routines in the X509 library for loading and manipulating
+the various objects in the RSA library.  When errors are returned, read
+about the ERR library for how to access the error codes.
+
+All RSA encryption is done according to the PKCS-1 standard which is
+compatible with PEM and RSAref.  This means that any values being encrypted
+must be less than the size of the modulus in bytes, minus 10, bytes long.
+
+This library uses RAND_bytes()() for it's random data, make sure to feed
+RAND_seed() with lots of interesting and varied data before using these
+routines.
+
+The RSA library has one specific data type, the RSA structure.
+It is composed of 8 BIGNUM variables (see the BN library for details) and
+can hold either a private RSA key or a public RSA key.
+Some RSA libraries have different structures for public and private keys, I
+don't.  For my libraries, a public key is determined by the fact that the
+RSA->d value is NULL.  These routines will operate on any size RSA keys.
+While I'm sure 4096 bit keys are very very secure, they take a lot longer
+to process that 1024 bit keys :-).
+
+The function in the RSA library are as follows.
+
+RSA *RSA_new();
+	This function creates a new RSA object.  The sub-fields of the RSA
+	type are also malloced so you should always use this routine to
+	create RSA variables.
+	
+void RSA_free(
+RSA *rsa);
+	This function 'frees' an RSA structure.  This routine should always
+	be used to free the RSA structure since it will also 'free' any
+	sub-fields of the RSA type that need freeing.
+	
+int RSA_size(
+RSA *rsa);	
+	This function returns the size of the RSA modulus in bytes.  Why do
+	I need this you may ask, well the reason is that when you encrypt
+	with RSA, the output string will be the size of the RSA modulus.
+	So the output for the RSA_encrypt and the input for the RSA_decrypt
+	routines need to be RSA_size() bytes long, because this is how many
+	bytes are expected.
+	
+For the following 4 RSA encryption routines, it should be noted that
+RSA_private_decrypt() should be used on the output from 
+RSA_public_encrypt() and RSA_public_decrypt() should be used on
+the output from RSA_private_encrypt().
+	
+int RSA_public_encrypt(
+int from_len;
+unsigned char *from	
+unsigned char *to	
+RSA *rsa);
+	This function implements RSA public encryption, the rsa variable
+	should be a public key (but can be a private key).  'from_len'
+	bytes taken from 'from' and encrypted and put into 'to'.  'to' needs
+	to be at least RSA_size(rsa) bytes long.  The number of bytes
+	written into 'to' is returned.  -1 is returned on an error.  The
+	operation performed is
+	to = from^rsa->e mod rsa->n.
+	
+int RSA_private_encrypt(
+int from_len;
+unsigned char *from	
+unsigned char *to	
+RSA *rsa);
+	This function implements RSA private encryption, the rsa variable
+	should be a private key.  'from_len' bytes taken from
+	'from' and encrypted and put into 'to'.  'to' needs
+	to be at least RSA_size(rsa) bytes long.  The number of bytes
+	written into 'to' is returned.  -1 is returned on an error.  The
+	operation performed is
+	to = from^rsa->d mod rsa->n.
+
+int RSA_public_decrypt(
+int from_len;
+unsigned char *from	
+unsigned char *to	
+RSA *rsa);
+	This function implements RSA public decryption, the rsa variable
+	should be a public key (but can be a private key).  'from_len'
+	bytes are taken from 'from' and decrypted.  The decrypted data is
+	put into 'to'.  The number of bytes encrypted is returned.  -1 is
+	returned to indicate an error. The operation performed is
+	to = from^rsa->e mod rsa->n.
+
+int RSA_private_decrypt(
+int from_len;
+unsigned char *from	
+unsigned char *to	
+RSA *rsa);
+	This function implements RSA private decryption, the rsa variable
+	should be a private key.  'from_len' bytes are taken
+	from 'from' and decrypted.  The decrypted data is
+	put into 'to'.  The number of bytes encrypted is returned.  -1 is
+	returned to indicate an error. The operation performed is
+	to = from^rsa->d mod rsa->n.
+
+int RSA_mod_exp(
+BIGNUM *n;
+BIGNUM *p;
+RSA *rsa);
+	Normally you will never use this routine.
+	This is really an internal function which is called by
+	RSA_private_encrypt() and RSA_private_decrypt().  It performs
+	n=n^p mod rsa->n except that it uses the 5 extra variables in the
+	RSA structure to make this more efficient.
+	
+RSA *RSA_generate_key(
+int bits;
+unsigned long e;
+void (*callback)();
+char *cb_arg;
+	This routine is used to generate RSA private keys.  It takes
+	quite a period of time to run and should only be used to
+	generate initial private keys that should then be stored
+	for later use.  The passed callback function 
+	will be called periodically so that feedback can be given
+	as to how this function is progressing.
+	'bits' is the length desired for the modulus, so it would be 1024
+	to generate a 1024 bit private key.
+	'e' is the value to use for the public exponent 'e'.  Traditionally
+	it is set to either 3 or 0x10001.
+	The callback function (if not NULL) is called in the following
+	situations.
+	when we have generated a suspected prime number to test,
+	callback(0,num1++,cb_arg).  When it passes a prime number test,
+	callback(1,num2++,cb_arg).  When it is rejected as one of
+	the 2 primes required due to gcd(prime,e value) != 0,
+	callback(2,num3++,cb_arg).  When finally accepted as one
+	of the 2 primes, callback(3,num4++,cb_arg).
+
+
+==== rsaref.doc ========================================================
+
+This package can be compiled to use the RSAref library.
+This library is not allowed outside of the USA but inside the USA it is
+claimed by RSA to be the only RSA public key library that can be used
+besides BSAFE..
+
+There are 2 files, rsaref/rsaref.c and rsaref/rsaref.h that contain the glue
+code to use RSAref.  These files were written by looking at the PGP
+source code and seeing which routines it used to access RSAref.
+I have also been sent by some-one a copy of the RSAref header file that
+contains the library error codes.
+
+[ Jun 1996 update - I have recently gotten hold of RSAref 2.0 from
+  South Africa and have been doing some performace tests. ]
+	
+They have now been tested against the recently announced RSAEURO
+library.
+
+There are 2 ways to use SSLeay and RSAref.  First, to build so that
+the programs must be linked with RSAref, add '-DRSAref' to CFLAG in the top
+level makefile and -lrsaref (or where ever you are keeping RSAref) to
+EX_LIBS.
+
+To build a makefile via util/mk1mf.pl to do this, use the 'rsaref' option.
+
+The second method is to build as per normal and link applications with
+the RSAglue library.  The correct library order would be
+cc -o cmd cmd.o -lssl -lRSAglue -lcrypto -lrsaref -ldes
+The RSAglue library is built in the rsa directory and is NOT
+automatically installed.
+
+Be warned that the RSAEURO library, that is claimed to be compatible
+with RSAref contains a different value for the maximum number of bits
+supported.  This changes structure sizes and so if you are using
+RSAEURO, change the value of RSAref_MAX_BITS in rsa/rsaref.h
+
+
+==== s_mult.doc ========================================================
+
+s_mult is a test program I hacked up on a Sunday for testing non-blocking
+IO.  It has a select loop at it's centre that handles multiple readers
+and writers.
+
+Try the following command
+ssleay s_mult -echo -nbio -ssl -v
+echo - sends any sent text back to the sender
+nbio - turns on non-blocking IO
+ssl  - accept SSL connections, default is normal text
+v    - print lots
+	type Q<cr> to quit
+
+In another window, run the following
+ssleay s_client -pause </etc/termcap
+
+The pause option puts in a 1 second pause in each read(2)/write(2) call
+so the other end will have read()s fail.
+
+==== session.doc ========================================================
+
+I have just checked over and re-worked the session stuff.
+The following brief example will ignore all setup information to do with
+authentication.
+
+Things operate as follows.
+
+The SSL environment has a 'context', a SSL_CTX structure.  This holds the
+cached SSL_SESSIONS (which can be reused) and the certificate lookup
+information.  Each SSL structure needs to be associated with a SSL_CTX.
+Normally only one SSL_CTX structure is needed per program.
+
+SSL_CTX *SSL_CTX_new(void ); 
+void    SSL_CTX_free(SSL_CTX *);
+These 2 functions create and destroy SSL_CTX structures
+
+The SSL_CTX has a session_cache_mode which is by default,
+in SSL_SESS_CACHE_SERVER mode.  What this means is that the library
+will automatically add new session-id's to the cache apon sucsessful
+SSL_accept() calls.
+If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added
+to the cache.
+SSL_set_session_cache_mode(ctx,mode)  will set the 'mode' and
+SSL_get_session_cache_mode(ctx) will get the cache 'mode'.
+The modes can be
+SSL_SESS_CACHE_OFF	- no caching
+SSL_SESS_CACHE_CLIENT	- only SSL_connect()
+SSL_SESS_CACHE_SERVER	- only SSL_accept()
+SSL_SESS_NO_CACHE_BOTH	- Either SSL_accept() or SSL_connect().
+If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are
+not automatically removed each 255, SSL_connect()s or SSL_accept()s.
+
+By default, apon every 255 successful SSL_connect() or SSL_accept()s,
+the cache is flush.  Please note that this could be expensive on
+a heavily loaded SSL server, in which case, turn this off and
+clear the cache of old entries 'manually' (with one of the functions
+listed below) every few hours.  Perhaps I should up this number, it is hard
+to say.  Remember, the '255' new calls is just a mechanims to get called
+every now and then, in theory at most 255 new session-id's will have been
+added but if 100 are added every minute, you would still have
+500 in the cache before any would start being flushed (assuming a 3 minute
+timeout)..
+
+int SSL_CTX_sess_hits(SSL_CTX *ctx);
+int SSL_CTX_sess_misses(SSL_CTX *ctx);
+int SSL_CTX_sess_timeouts(SSL_CTX *ctx);
+These 3 functions return statistics about the SSL_CTX.  These 3 are the
+number of session id reuses.  hits is the number of reuses, misses are the
+number of lookups that failed, and timeouts is the number of cached
+entries ignored because they had timeouted.
+
+ctx->new_session_cb is a function pointer to a function of type
+int new_session_callback(SSL *ssl,SSL_SESSION *new);
+This function, if set in the SSL_CTX structure is called whenever a new
+SSL_SESSION is added to the cache.  If the callback returns non-zero, it
+means that the application will have to do a SSL_SESSION_free()
+on the structure (this is
+to do with the cache keeping the reference counts correct, without the
+application needing to know about it.
+The 'active' parameter is the current SSL session for which this connection
+was created.
+
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,int (*cb)());
+to set the callback,
+int (*cb)() SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)
+to get the callback.
+
+If the 'get session' callback is set, when a session id is looked up and
+it is not in the session-id cache, this callback is called.  The callback is
+of the form
+SSL_SESSION *get_session_callback(unsigned char *sess_id,int sess_id_len,
+	int *copy);
+
+The get_session_callback is intended to return null if no session id is found.
+The reference count on the SSL_SESSION in incremented by the SSL library,
+if copy is 1.  Otherwise, the reference count is not modified.
+
+void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and
+int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback.
+
+These callbacks are basically indended to be used by processes to
+send their session-id's to other processes.  I currently have not implemented
+non-blocking semantics for these callbacks, it is upto the appication
+to make the callbacks effiecent if they require blocking (perhaps
+by 'saving' them and then 'posting them' when control returns from
+the SSL_accept().
+
+LHASH *SSL_CTX_sessions(SSL_CTX *ctx)
+This returns the session cache.  The lhash strucutre can be accessed for
+statistics about the cache.
+
+void lh_stats(LHASH *lh, FILE *out);
+void lh_node_stats(LHASH *lh, FILE *out);
+void lh_node_usage_stats(LHASH *lh, FILE *out);
+
+can be used to print details about it's activity and current state.
+You can also delve directly into the lhash structure for 14 different
+counters that are kept against the structure.  When I wrote the lhash library,
+I was interested in gathering statistics :-).
+Have a read of doc/lhash.doc in the SSLeay distribution area for more details
+on the lhash library.
+
+Now as mentioned ealier, when a SSL is created, it needs a SSL_CTX.
+SSL *   SSL_new(SSL_CTX *);
+
+This stores a session.  A session is secret information shared between 2
+SSL contexts.  It will only be created if both ends of the connection have
+authenticated their peer to their satisfaction.  It basically contains
+the information required to use a particular secret key cipher.
+
+To retrieve the SSL_CTX being used by a SSL,
+SSL_CTX *SSL_get_SSL_CTX(SSL *s);
+
+Now when a SSL session is established between to programs, the 'session'
+information that is cached in the SSL_CTX can me manipulated by the
+following functions.
+int SSL_set_session(SSL *s, SSL_SESSION *session);
+This will set the SSL_SESSION to use for the next SSL_connect().  If you use
+this function on an already 'open' established SSL connection, 'bad things
+will happen'.  This function is meaning-less when used on a ssl strucutre
+that is just about to be used in a SSL_accept() call since the
+SSL_accept() will either create a new session or retrieve one from the
+cache.
+
+SSL_SESSION *SSL_get_session(SSL *s);
+This will return the SSL_SESSION for the current SSL, NULL if there is
+no session associated with the SSL structure.
+
+The SSL sessions are kept in the SSL_CTX in a hash table, to remove a
+session
+void    SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
+and to add one
+int    SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
+SSL_CTX_add_session() returns 1 if the session was already in the cache (so it
+was not added).
+Whenever a new session is created via SSL_connect()/SSL_accept(),
+they are automatically added to the cache, depending on the session_cache_mode
+settings.  SSL_set_session()
+does not add it to the cache.  Just call SSL_CTX_add_session() if you do want the
+session added.  For a 'client' this would not normally be the case.
+SSL_CTX_add_session() is not normally ever used, except for doing 'evil' things
+which the next 2 funtions help you do.
+
+int     i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+These 2 functions are in the standard ASN1 library form and can be used to
+load and save to a byte format, the SSL_SESSION structure.
+With these functions, you can save and read these structures to a files or
+arbitary byte string.
+The PEM_write_SSL_SESSION(fp,x) and PEM_read_SSL_SESSION(fp,x,cb) will
+write to a file pointer in base64 encoding.
+
+What you can do with this, is pass session information between separate
+processes.  Please note, that you will probably also need to modify the
+timeout information on the SSL_SESSIONs.
+
+long SSL_get_time(SSL_SESSION *s)
+will return the 'time' that the session
+was loaded.  The timeout is relative to this time.  This information is
+saved when the SSL_SESSION is converted to binarary but it is stored
+in as a unix long, which is rather OS dependant, but easy to convert back.
+
+long SSL_set_time(SSL_SESSION *s,long t) will set the above mentioned time.
+The time value is just the value returned from time(3), and should really
+be defined by be to be time_t.
+
+long SSL_get_timeout(SSL_SESSION *s);
+long SSL_set_timeout(SSL_SESSION *s,long t);
+These 2 retrieve and set the timeout which is just a number of secconds
+from the 'SSL_get_time()' value.  When this time period has elapesed,
+the session will no longer be in the cache (well it will actually be removed
+the next time it is attempted to be retrieved, so you could 'bump'
+the timeout so it remains valid).
+The 'time' and 'timeout' are set on a session when it is created, not reset
+each time it is reused.  If you did wish to 'bump it', just after establishing
+a connection, do a
+SSL_set_time(ssl,time(NULL));
+
+You can also use
+SSL_CTX_set_timeout(SSL_CTX *ctx,unsigned long t) and
+SSL_CTX_get_timeout(SSL_CTX *ctx) to manipulate the default timeouts for
+all SSL connections created against a SSL_CTX.  If you set a timeout in
+an SSL_CTX, all new SSL's created will inherit the timeout.  It can be over
+written by the SSL_set_timeout(SSL *s,unsigned long t) function call.
+If you 'set' the timeout back to 0, the system default will be used.
+
+SSL_SESSION *SSL_SESSION_new();
+void SSL_SESSION_free(SSL_SESSION *ses);
+These 2 functions are used to create and dispose of SSL_SESSION functions.
+You should not ever normally need to use them unless you are using 
+i2d_SSL_SESSION() and/or d2i_SSL_SESSION().  If you 'load' a SSL_SESSION
+via d2i_SSL_SESSION(), you will need to SSL_SESSION_free() it.
+Both SSL_set_session() and SSL_CTX_add_session() will 'take copies' of the
+structure (via reference counts) when it is passed to them.
+
+SSL_CTX_flush_sessions(ctx,time);
+The first function will clear all sessions from the cache, which have expired
+relative to 'time' (which could just be time(NULL)).
+
+SSL_CTX_flush_sessions(ctx,0);
+This is a special case that clears everything.
+
+As a final comment, a 'session' is not enough to establish a new
+connection.  If a session has timed out, a certificate and private key
+need to have been associated with the SSL structure.
+SSL_copy_session_id(SSL *to,SSL *from); will copy not only the session
+strucutre but also the private key and certificate associated with
+'from'.
+
+EXAMPLES.
+
+So lets play at being a wierd SSL server.
+
+/* setup a context */
+ctx=SSL_CTX_new();
+
+/* Lets load some session from binary into the cache, why one would do
+ * this is not toally clear, but passing between programs does make sense
+ * Perhaps you are using 4096 bit keys and are happy to keep them
+ * valid for a week, to avoid the RSA overhead of 15 seconds, I'm not toally
+ * sure, perhaps this is a process called from an SSL inetd and this is being 
+ * passed to the application. */
+session=d2i_SSL_SESSION(....)
+SSL_CTX_add_session(ctx,session);
+
+/* Lets even add a session from a file */
+session=PEM_read_SSL_SESSION(....)
+SSL_CTX_add_session(ctx,session);
+
+/* create a new SSL structure */
+ssl=SSL_new(ctx);
+
+/* At this point we want to be able to 'create' new session if
+ * required, so we need a certificate and RSAkey. */
+SSL_use_RSAPrivateKey_file(ssl,...)
+SSL_use_certificate_file(ssl,...)
+
+/* Now since we are a server, it make little sence to load a session against
+ * the ssl strucutre since a SSL_accept() will either create a new session or
+ * grab an existing one from the cache. */
+
+/* grab a socket descriptor */
+fd=accept(...);
+
+/* associated it with the ssl strucutre */
+SSL_set_fd(ssl,fd);
+
+SSL_accept(ssl); /* 'do' SSL using out cert and RSA key */
+
+/* Lets print out the session details or lets save it to a file,
+ * perhaps with a secret key cipher, so that we can pass it to the FBI
+ * when they want to decode the session :-).  While we have RSA
+ * this does not matter much but when I do SSLv3, this will allow a mechanism
+ * for the server/client to record the information needed to decode
+ * the traffic that went over the wire, even when using Diffie-Hellman */
+PEM_write_SSL_SESSION(SSL_get_session(ssl),stdout,....)
+
+Lets 'connect' back to the caller using the same session id.
+
+ssl2=SSL_new(ctx);
+fd2=connect(them);
+SSL_set_fd(ssl2,fd2);
+SSL_set_session(ssl2,SSL_get_session(ssl));
+SSL_connect(ssl2);
+
+/* what the hell, lets accept no more connections using this session */
+SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl),SSL_get_session(ssl));
+
+/* we could have just as easily used ssl2 since they both are using the
+ * same session.
+ * You will note that both ssl and ssl2 are still using the session, and
+ * the SSL_SESSION structure will be free()ed when both ssl and ssl2
+ * finish using the session.  Also note that you could continue to initiate
+ * connections using this session by doing SSL_get_session(ssl) to get the
+ * existing session, but SSL_accept() will not be able to find it to
+ * use for incoming connections.
+ * Of corse, the session will timeout at the far end and it will no
+ * longer be accepted after a while.  The time and timeout are ignored except
+ * by SSL_accept(). */
+
+/* Since we have had our server running for 10 weeks, and memory is getting
+ * short, perhaps we should clear the session cache to remove those
+ * 100000 session entries that have expired.  Some may consider this
+ * a memory leak :-) */
+
+SSL_CTX_flush_sessions(ctx,time(NULL));
+
+/* Ok, after a bit more time we wish to flush all sessions from the cache
+ * so that all new connections will be authenticated and incure the
+ * public key operation overhead */
+
+SSL_CTX_flush_sessions(ctx,0);
+
+/* As a final note, to copy everything to do with a SSL, use */
+SSL_copy_session_id(SSL *to,SSL *from);
+/* as this also copies the certificate and RSA key so new session can
+ * be established using the same details */
+
+
+==== sha.doc ========================================================
+
+The SHA (Secure Hash Algorithm) library.
+SHA is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 20 byte hash.  The functions all need to be passed
+a SHA_CTX which is used to hold the SHA context during multiple SHA_Update()
+function calls.  The normal method of use for this library is as follows
+This library contains both SHA and SHA-1 digest algorithms.  SHA-1 is
+an update to SHA (which should really be called SHA-0 now) which
+tweaks the algorithm slightly.  The SHA-1 algorithm is used by simply
+using SHA1_Init(), SHA1_Update(), SHA1_Final() and SHA1() instead of the
+SHA*() calls
+
+SHA_Init(...);
+SHA_Update(...);
+...
+SHA_Update(...);
+SHA_Final(...);
+
+This library requires the inclusion of 'sha.h'.
+
+The functions are as follows:
+
+void SHA_Init(
+SHA_CTX *c);
+	This function needs to be called to initiate a SHA_CTX structure for
+	use.
+	
+void SHA_Update(
+SHA_CTX *c;
+unsigned char *data;
+unsigned long len);
+	This updates the message digest context being generated with 'len'
+	bytes from the 'data' pointer.  The number of bytes can be any
+	length.
+
+void SHA_Final(
+unsigned char *md;
+SHA_CTX *c;
+	This function is called when a message digest of the data digested
+	with SHA_Update() is wanted.  The message digest is put in the 'md'
+	array and is SHA_DIGEST_LENGTH (20) bytes long.
+
+unsigned char *SHA(
+unsigned char *d;
+unsigned long n;
+unsigned char *md;
+	This function performs a SHA_Init(), followed by a SHA_Update()
+	followed by a SHA_Final() (using a local SHA_CTX).
+	The resulting digest is put into 'md' if it is not NULL.
+	Regardless of the value of 'md', the message
+	digest is returned from the function.  If 'md' was NULL, the message
+	digest returned is being stored in a static structure.
+	
+
+==== speed.doc ========================================================
+
+To get an idea of the performance of this library, use
+ssleay speed
+
+perl util/sp-diff.pl file1 file2
+
+will print out the relative differences between the 2 files which are
+expected to be the output from the speed program.
+
+The performace of the library is very dependant on the Compiler
+quality and various flags used to build.
+
+---
+
+These are some numbers I did comparing RSAref and SSLeay on a Pentium 100.
+[ These numbers are all out of date, as of SSL - 0.6.1 the RSA
+operations are about 2 times faster, so check the version number ]
+
+RSA performance.
+
+SSLeay 0.6.0
+Pentium 100, 32meg, Windows NT Workstation 3.51
+linux - gcc v 2.7.0 -O3 -fomit-frame-pointer -m486
+and
+Windows NT  - Windows NT 3.51 - Visual C++ 4.1   - 586 code + 32bit assember
+Windows 3.1 - Windows NT 3.51 - Visual C++ 1.52c - 286 code + 32bit assember
+NT Dos Shell- Windows NT 3.51 - Visual C++ 1.52c - 286 code + 16bit assember
+
+Times are how long it takes to do an RSA private key operation.
+
+	       512bits 1024bits
+-------------------------------
+SSLeay NT dll	0.042s   0.202s see above
+SSLeay linux	0.046s   0.218s	Assember inner loops (normal build) 
+SSLeay linux	0.067s   0.380s Pure C code with BN_LLONG defined
+SSLeay W3.1 dll	0.108s 	 0.478s see above
+SSLeay linux	0.109s   0.713s C without BN_LLONG.
+RSAref2.0 linux	0.149s   0.936s
+SSLeay MS-DOS	0.197s   1.049s see above
+
+486DX66, 32meg, Windows NT Server 3.51
+	       512bits 1024bits
+-------------------------------
+SSLeay NT dll   0.084s	 0.495s	<- SSLeay 0.6.3
+SSLeay NT dll   0.154s   0.882s
+SSLeay W3.1 dll 0.335s   1.538s
+SSLeay MS-DOS	0.490s   2.790s
+
+What I find cute is that I'm still faster than RSAref when using standard C,
+without using the 'long long' data type :-), %35 faster for 512bit and we
+scale up to 3.2 times faster for the 'default linux' build.  I should mention
+that people should 'try' to use either x86-lnx.s (elf), x86-lnxa.s or
+x86-sol.s for any x86 based unix they are building on.  The only problems
+with be with syntax but the performance gain is quite large, especially for
+servers.  The code is very simple, you just need to modify the 'header'.
+
+The message is, if you are stuck using RSAref, the RSA performance will be
+bad. Considering the code was compiled for a pentium, the 486DX66 number
+would indicate 'Use RSAref and turn you Pentium 100 into a 486DX66' :-). 
+[ As of verson 0.6.1, it would be correct to say 'turn you pentium 100
+ into a 486DX33' :-) ]
+
+I won't tell people if the DLL's are using RSAref or my stuff if no-one
+asks :-).
+
+eric
+
+PS while I know I could speed things up further, I will probably not do
+   so due to the effort involved.  I did do some timings on the
+   SSLeay bignum format -> RSAref number format conversion that occurs
+   each time RSAref is used by SSLeay, and the numbers are trivial.
+   0.00012s a call for 512bit vs 0.149s for the time spent in the function.
+   0.00018s for 1024bit vs 0.938s.  Insignificant.
+   So the 'way to go', to support faster RSA libraries, if people are keen,
+   is to write 'glue' code in a similar way that I do for RSAref and send it
+   to me :-).
+   My base library still has the advantage of being able to operate on 
+   any size numbers, and is not that far from the performance from the
+   leaders in the field. (-%30?)
+   [ Well as of 0.6.1 I am now the leader in the filed on x86 (we at
+     least very close :-) ]
+
+   I suppose I should also mention some other numbers RSAref numbers, again
+   on my Pentium.
+		DES CBC		EDE-DES		MD5
+   RSAref linux	 830k/s		 302k/s		4390k/s
+   SSLeay linux  855k/s          319k/s        10025k/s
+   SSLeay NT	1158k/s		 410k/s	       10470k/s
+   SSLeay w31	 378k/s		 143k/s         2383k/s (fully 16bit)
+
+   Got to admit that Visual C++ 4.[01] is a damn fine compiler :-)
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@cryptsoft.com   | RTFM Win32 GetMessage().
+
+
+
+
+==== ssl-ciph.doc ========================================================
+
+This is a quick high level summery of how things work now.
+
+Each SSLv2 and SSLv3 cipher is composed of 4 major attributes plus a few extra
+minor ones.
+
+They are 'The key exchange algorithm', which is RSA for SSLv2 but can also
+be Diffle-Hellman for SSLv3.
+
+An 'Authenticion algorithm', which can be RSA, Diffle-Helman, DSS or
+none.
+
+The cipher
+
+The MAC digest.
+
+A cipher can also be an export cipher and is either an SSLv2 or a
+SSLv3 ciphers.
+
+To specify which ciphers to use, one can either specify all the ciphers,
+one at a time, or use 'aliases' to specify the preference and order for
+the ciphers.
+
+There are a large number of aliases, but the most importaint are
+kRSA, kDHr, kDHd and kEDH for key exchange types.
+
+aRSA, aDSS, aNULL and aDH for authentication
+DES, 3DES, RC4, RC2, IDEA and eNULL for ciphers
+MD5, SHA0 and SHA1 digests
+
+Now where this becomes interesting is that these can be put together to
+specify the order and ciphers you wish to use.
+
+To speed this up there are also aliases for certian groups of ciphers.
+The main ones are
+SSLv2	- all SSLv2 ciphers
+SSLv3	- all SSLv3 ciphers
+EXP	- all export ciphers
+LOW	- all low strngth ciphers (no export ciphers, normally single DES)
+MEDIUM	- 128 bit encryption
+HIGH	- Triple DES
+
+These aliases can be joined in a : separated list which specifies to
+add ciphers, move them to the current location and delete them.
+
+A simpler way to look at all of this is to use the 'ssleay ciphers -v' command.
+The default library cipher spec is
+!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP
+which means, first, remove from consideration any ciphers that do not
+authenticate.  Next up, use ciphers using RC4 and RSA.  Next include the HIGH,
+MEDIUM and the LOW security ciphers.  Finish up by adding all the export
+ciphers on the end, then 'pull' all the SSLv2 and export ciphers to
+the end of the list.
+
+The results are
+$ ssleay ciphers -v '!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP'
+
+RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
+RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
+EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
+EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
+DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
+IDEA-CBC-MD5            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
+EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
+EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
+DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
+DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
+DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
+IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5 
+RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
+RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
+EXP-EDH-RSA-DES-CBC     SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
+EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
+EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
+EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
+EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
+EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+
+I would recoment people use the 'ssleay ciphers -v "text"'
+command to check what they are going to use.
+
+Anyway, I'm falling asleep here so I'll do some more tomorrow.
+
+eric
+
+==== ssl.doc ========================================================
+
+SSL_CTX_sessions(SSL_CTX *ctx) - the session-id hash table.
+
+/* Session-id cache stats */
+SSL_CTX_sess_number
+SSL_CTX_sess_connect
+SSL_CTX_sess_connect_good
+SSL_CTX_sess_accept
+SSL_CTX_sess_accept_good
+SSL_CTX_sess_hits
+SSL_CTX_sess_cb_hits
+SSL_CTX_sess_misses
+SSL_CTX_sess_timeouts
+
+/* Session-id application notification callbacks */
+SSL_CTX_sess_set_new_cb
+SSL_CTX_sess_get_new_cb
+SSL_CTX_sess_set_get_cb
+SSL_CTX_sess_get_get_cb
+
+/* Session-id cache operation mode */
+SSL_CTX_set_session_cache_mode
+SSL_CTX_get_session_cache_mode
+
+/* Set default timeout values to use. */
+SSL_CTX_set_timeout
+SSL_CTX_get_timeout
+
+/* Global  SSL initalisation informational callback */
+SSL_CTX_set_info_callback
+SSL_CTX_get_info_callback
+SSL_set_info_callback
+SSL_get_info_callback
+
+/* If the SSL_accept/SSL_connect returned with -1, these indicate when
+ * we should re-call *.
+SSL_want
+SSL_want_nothing
+SSL_want_read
+SSL_want_write
+SSL_want_x509_lookup
+
+/* Where we are in SSL initalisation, used in non-blocking, perhaps
+ * have a look at ssl/bio_ssl.c */
+SSL_state
+SSL_is_init_finished
+SSL_in_init
+SSL_in_connect_init
+SSL_in_accept_init
+
+/* Used to set the 'inital' state so SSL_in_connect_init and SSL_in_accept_init
+ * can be used to work out which function to call. */
+SSL_set_connect_state
+SSL_set_accept_state
+
+/* Where to look for certificates for authentication */
+SSL_set_default_verify_paths /* calles SSL_load_verify_locations */
+SSL_load_verify_locations
+
+/* get info from an established connection */
+SSL_get_session
+SSL_get_certificate
+SSL_get_SSL_CTX
+
+SSL_CTX_new
+SSL_CTX_free
+SSL_new
+SSL_clear
+SSL_free
+
+SSL_CTX_set_cipher_list
+SSL_get_cipher
+SSL_set_cipher_list
+SSL_get_cipher_list
+SSL_get_shared_ciphers
+
+SSL_accept
+SSL_connect
+SSL_read
+SSL_write
+
+SSL_debug
+
+SSL_get_read_ahead
+SSL_set_read_ahead
+SSL_set_verify
+
+SSL_pending
+
+SSL_set_fd
+SSL_set_rfd
+SSL_set_wfd
+SSL_set_bio
+SSL_get_fd
+SSL_get_rbio
+SSL_get_wbio
+
+SSL_use_RSAPrivateKey
+SSL_use_RSAPrivateKey_ASN1
+SSL_use_RSAPrivateKey_file
+SSL_use_PrivateKey
+SSL_use_PrivateKey_ASN1
+SSL_use_PrivateKey_file
+SSL_use_certificate
+SSL_use_certificate_ASN1
+SSL_use_certificate_file
+
+ERR_load_SSL_strings
+SSL_load_error_strings
+
+/* human readable version of the 'state' of the SSL connection. */
+SSL_state_string
+SSL_state_string_long
+/* These 2 report what kind of IO operation the library was trying to
+ * perform last.  Probably not very usefull. */
+SSL_rstate_string
+SSL_rstate_string_long
+
+SSL_get_peer_certificate
+
+SSL_SESSION_new
+SSL_SESSION_print_fp
+SSL_SESSION_print
+SSL_SESSION_free
+i2d_SSL_SESSION
+d2i_SSL_SESSION
+
+SSL_get_time
+SSL_set_time
+SSL_get_timeout
+SSL_set_timeout
+SSL_copy_session_id
+SSL_set_session
+SSL_CTX_add_session
+SSL_CTX_remove_session
+SSL_CTX_flush_sessions
+
+BIO_f_ssl
+
+/* used to hold information as to why a certificate verification failed */
+SSL_set_verify_result
+SSL_get_verify_result
+
+/* can be used by the application to associate data with an SSL structure.
+ * It needs to be 'free()ed' by the application */
+SSL_set_app_data
+SSL_get_app_data
+
+/* The following all set values that are kept in the SSL_CTX but
+ * are used as the default values when an SSL session is created.
+ * They are over writen by the relevent SSL_xxxx functions */
+
+/* SSL_set_verify */
+void SSL_CTX_set_default_verify
+
+/* This callback, if set, totaly overrides the normal SSLeay verification
+ * functions and should return 1 on sucesss and 0 on failure */
+void SSL_CTX_set_cert_verify_callback
+
+/* The following are the same as the equivilent SSL_xxx functions.
+ * Only one copy of this information is kept and if a particular
+ * SSL structure has a local override, it is totally separate structure.
+ */
+int SSL_CTX_use_RSAPrivateKey
+int SSL_CTX_use_RSAPrivateKey_ASN1
+int SSL_CTX_use_RSAPrivateKey_file
+int SSL_CTX_use_PrivateKey
+int SSL_CTX_use_PrivateKey_ASN1
+int SSL_CTX_use_PrivateKey_file
+int SSL_CTX_use_certificate
+int SSL_CTX_use_certificate_ASN1
+int SSL_CTX_use_certificate_file
+
+
+==== ssl_ctx.doc ========================================================
+
+This is now a bit dated, quite a few of the SSL_ functions could be
+SSL_CTX_ functions.  I will update this in the future. 30 Aug 1996
+
+From eay@orb.mincom.oz.au Mon Dec 11 21:37:08 1995
+Received: by orb.mincom.oz.au id AA00696
+  (5.65c/IDA-1.4.4 for eay); Mon, 11 Dec 1995 11:37:08 +1000
+Date: Mon, 11 Dec 1995 11:37:08 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: sameer <sameer@c2.org>
+Cc: Eric Young <eay@mincom.oz.au>
+Subject: Re: PEM_readX509 oesn't seem to be working
+In-Reply-To: <199512110102.RAA12521@infinity.c2.org>
+Message-Id: <Pine.SOL.3.91.951211112115.28608D-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Sun, 10 Dec 1995, sameer wrote:
+> 	OK, that's solved. I've found out that it is saying "no
+> certificate set" in SSL_accept because s->conn == NULL
+> so there is some place I need to initialize s->conn that I am
+> not initializing it.
+
+The full order of things for a server should be.
+
+ctx=SSL_CTX_new();
+
+/* The next line should not really be using ctx->cert but I'll leave it 
+ * this way right now... I don't want a X509_ routine to know about an SSL
+ * structure, there should be an SSL_load_verify_locations... hmm, I may 
+ * add it tonight.
+ */
+X509_load_verify_locations(ctx->cert,CAfile,CApath);
+
+/* Ok now for each new connection we do the following */
+con=SSL_new(ctx);
+SSL_set_fd(con,s);
+SSL_set_verify(con,verify,verify_callback);
+
+/* set the certificate and private key to use. */
+SSL_use_certificate_ASN1(con,X509_certificate);
+SSL_use_RSAPrivateKey_ASN1(con,RSA_private_key);
+
+SSL_accept(con);
+
+SSL_read(con)/SSL_write(con);
+
+There is a bit more than that but that is basically the structure.
+
+Create a context and specify where to lookup certificates.
+
+foreach connection
+	{
+	create a SSL structure
+	set the certificate and private key
+	do a SSL_accept
+	
+	we should now be ok
+	}
+
+eric
+--
+Eric Young                  | Signature removed since it was generating
+AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
+
+
+
+==== ssleay.doc ========================================================
+
+SSLeay: a cryptographic kitchen sink.
+
+1st December 1995
+Way back at the start of April 1995, I was looking for a mindless
+programming project.  A friend of mine (Tim Hudson) said "why don't you do SSL,
+it has DES encryption in it and I would not mind using it in a SSL telnet".
+While it was true I had written a DES library in previous years, litle
+did I know what an expansive task SSL would turn into.
+
+First of all, the SSL protocol contains DES encryption.  Well and good.  My
+DES library was fast and portable.  It also contained the RSA's RC4 stream
+cipher.  Again, not a problem, some-one had just posted to sci.crypt
+something that was claimed to be RC4.  It also contained IDEA, I had the
+specifications, not a problem to implement.  MD5, an RFC, trivial, at most
+I could spend a week or so trying to see if I could speed up the
+implementation.  All in all a nice set of ciphers.
+Then the first 'expantion of the scope', RSA public key
+encryption.  Since I did not knowing a thing about public key encryption
+or number theory, this appeared quite a daunting task.  Just writing a
+big number library would be problomatic in itself, let alone making it fast.
+At this point the scope of 'implementing SSL' expands eponentialy.
+First of all, the RSA private keys  were being kept in ASN.1 format.
+Thankfully the RSA PKCS series of documents explains this format.  So I now
+needed to be able to encode and decode arbitary ASN.1 objects.  The Public
+keys were embeded in X509 certificates.  Hmm... these are not only
+ASN.1 objects but they make up a heirachy of authentication.  To
+authenticate a X509 certificate one needs to retrieve it's issuers
+certificate etc etc.  Hmm..., so I also need to implement some kind
+of certificate management software.  I would also have to implement
+software to authenticate certificates.  At this point the support code made
+the SSL part of my library look quite small.
+Around this time, the first version of SSLeay was released.
+
+Ah, but here was the problem, I was not happy with the code so far.  As may
+have become obvious, I had been treating all of this as a learning
+exersize, so I have completely written the library myself.  As such, due
+to the way it had grown like a fungus, much of the library was not
+'elagent' or neat.  There were global and static variables all over the
+place, the SSL part did not even handle non-blocking IO.
+The Great rewrite began.
+
+As of this point in time, the 'Great rewrite' has almost finished.  So what
+follows is an approximate list of what is actually SSLeay 0.5.0
+
+/********* This needs to be updated for 0.6.0+ *************/
+
+---
+The library contains the following routines.  Please note that most of these
+functions are not specfic for SSL or any other particular cipher
+implementation.  I have tried to make all the routines as general purpose
+as possible.  So you should not think of this library as an SSL
+implemtation, but rather as a library of cryptographic functions
+that also contains SSL.  I refer to each of these function groupings as
+libraries since they are often capable of functioning as independant
+libraries
+
+First up, the general ciphers and message digests supported by the library.
+
+MD2	rfc???, a standard 'by parts' interface to this algorithm.
+MD5	rfc???, the same type of interface as for the MD2 library except a
+	different algorithm.
+SHA	THe Secure Hash Algorithm.  Again the same type of interface as
+	MD2/MD5 except the digest is 20 bytes.
+SHA1	The 'revised' version of SHA.  Just about identical to SHA except
+	for one tweak of an inner loop.
+DES	This is my libdes library that has been floating around for the last
+	few years.  It has been enhanced for no other reason than completeness.
+	It now supports ecb, cbc, cfb, ofb, cfb64, ofb64 in normal mode and
+	triple DES modes of ecb, cbc, cfb64 and ofb64.  cfb64 and ofb64 are
+	functional interfaces to the 64 bit modes of cfb and ofb used in
+	such a way thay they function as single character interfaces.
+RC4	The RSA Inc. stream cipher.
+RC2	The RSA Inc. block cipher.
+IDEA	An implmentation of the IDEA cipher, the library supports ecb, cbc,
+	cfb64 and ofb64 modes of operation.
+
+Now all the above mentioned ciphers and digests libraries support high
+speed, minimal 'crap in the way' type interfaces.  For fastest and
+lowest level access, these routines should be used directly.
+
+Now there was also the matter of public key crypto systems.  These are
+based on large integer arithmatic.
+
+BN	This is my large integer library.  It supports all the normal
+	arithmentic operations.  It uses malloc extensivly and as such has
+	no limits of the size of the numbers being manipulated.  If you
+	wish to use 4000 bit RSA moduli, these routines will handle it.
+	This library also contains routines to 'generate' prime numbers and
+	to test for primality.  The RSA and DH libraries sit on top of this
+	library.  As of this point in time, I don't support SHA, but
+	when I do add it, it will just sit on top of the routines contained
+	in this library.
+RSA	This implements the RSA public key algorithm.  It also contains
+	routines that will generate a new private/public key pair.
+	All the RSA functions conform to the PKCS#1 standard.
+DH	This is an implementation of the
+	Diffie-Hellman protocol.  There are all the require routines for
+	the protocol, plus extra routines that can be used to generate a
+	strong prime for use with a specified generator.  While this last
+	routine is not generally required by applications implementing DH,
+	It is present for completeness and because I thing it is much
+	better to be able to 'generate' your own 'magic' numbers as oposed
+	to using numbers suplied by others.  I conform to the PKCS#3
+	standard where required.
+
+You may have noticed the preceeding section mentions the 'generation' of
+prime numbers.  Now this requries the use of 'random numbers'. 
+
+RAND	This psuedo-random number library is based on MD5 at it's core
+	and a large internal state (2k bytes).  Once you have entered enough
+	seed data into this random number algorithm I don't feel
+	you will ever need to worry about it generating predictable output.
+	Due to the way I am writing a portable library, I have left the
+	issue of how to get good initial random seed data upto the
+	application but I do have support routines for saving and loading a
+	persistant random number state for use between program runs.
+	
+Now to make all these ciphers easier to use, a higher level
+interface was required.  In this form, the same function would be used to
+encrypt 'by parts', via any one of the above mentioned ciphers.
+
+EVP	The Digital EnVeloPe library is quite large.  At it's core are
+	function to perform encryption and decryption by parts while using
+	an initial parameter to specify which of the 17 different ciphers
+	or 4 different message digests to use.  On top of these are implmented
+	the digital signature functions, sign, verify, seal and open.
+	Base64 encoding of binary data is also done in this library.
+
+PEM	rfc???? describe the format for Privacy Enhanced eMail.
+	As part of this standard, methods of encoding digital enveloped
+	data is an ascii format are defined.  As such, I use a form of these
+	to encode enveloped data.  While at this point in time full support
+	for PEM has not been built into the library, a minimal subset of
+	the secret key and Base64 encoding is present.  These reoutines are
+	mostly used to Ascii encode binary data with a 'type' associated
+	with it and perhaps details of private key encryption used to
+	encrypt the data.
+	
+PKCS7	This is another Digital Envelope encoding standard which uses ASN.1
+	to encode the data.  At this point in time, while there are some
+	routines to encode and decode this binary format, full support is
+	not present.
+	
+As Mentioned, above, there are several different ways to encode
+data structures.
+
+ASN1	This library is more a set of primatives used to encode the packing
+	and unpacking of data structures.  It is used by the X509
+	certificate standard and by the PKCS standards which are used by
+	this library.  It also contains routines for duplicating and signing
+	the structures asocisated with X509.
+	
+X509	The X509 library contains routines for packing and unpacking,
+	verifying and just about every thing else you would want to do with
+	X509 certificates.
+
+PKCS7	PKCS-7 is a standard for encoding digital envelope data
+	structures.  At this point in time the routines will load and save
+	DER forms of these structees.  They need to be re-worked to support
+	the BER form which is the normal way PKCS-7 is encoded.  If the
+	previous 2 sentances don't make much sense, don't worry, this
+	library is not used by this version of SSLeay anyway.
+
+OBJ	ASN.1 uses 'object identifiers' to identify objects.  A set of
+	functions were requred to translate from ASN.1 to an intenger, to a
+	character string.  This library provieds these translations
+	
+Now I mentioned an X509 library.  X509 specified a hieachy of certificates
+which needs to be traversed to authenticate particular certificates.
+
+METH	This library is used to push 'methods' of retrieving certificates
+	into the library.  There are some supplied 'methods' with SSLeay
+	but applications can add new methods if they so desire.
+	This library has not been finished and is not being used in this
+	version.
+	
+Now all the above are required for use in the initial point of this project.
+
+SSL	The SSL protocol.  This is a full implmentation of SSL v 2.  It
+	support both server and client authentication.  SSL v 3 support
+	will be added when the SSL v 3 specification is released in it's
+	final form.
+
+Now quite a few of the above mentioned libraries rely on a few 'complex'
+data structures.  For each of these I have a library.
+
+Lhash	This is a hash table library which is used extensivly.
+
+STACK	An implemetation of a Stack data structure.
+
+BUF	A simple character array structure that also support a function to
+	check that the array is greater that a certain size, if it is not,
+	it is realloced so that is it.
+	
+TXT_DB	A simple memory based text file data base.  The application can specify
+	unique indexes that will be enforced at update time.
+
+CONF	Most of the programs written for this library require a configuration
+	file.  Instead of letting programs constantly re-implment this
+	subsystem, the CONF library provides a consistant and flexable
+	interface to not only configuration files but also environment
+	variables.
+
+But what about when something goes wrong?
+The one advantage (and perhaps disadvantage) of all of these
+functions being in one library was the ability to implement a
+single error reporting system.
+	
+ERR	This library is used to report errors.  The error system records
+	library number, function number (in the library) and reason
+	number.  Multiple errors can be reported so that an 'error' trace
+	is created.  The errors can be printed in numeric or textual form.
+
+
+==== ssluse.doc ========================================================
+
+We have an SSL_CTX which contains global information for lots of
+SSL connections.  The session-id cache and the certificate verificate cache.
+It also contains default values for use when certificates are used.
+
+SSL_CTX
+	default cipher list
+	session-id cache
+	certificate cache
+	default session-id timeout period
+	New session-id callback
+	Required session-id callback
+	session-id stats
+	Informational callback
+	Callback that is set, overrides the SSLeay X509 certificate
+	  verification
+	The default Certificate/Private Key pair
+	Default read ahead mode.
+	Default verify mode and verify callback.  These are not used
+	  if the over ride callback mentioned above is used.
+	
+Each SSL can have the following defined for it before a connection is made.
+
+Certificate
+Private key
+Ciphers to use
+Certificate verify mode and callback
+IO object to use in the comunication.
+Some 'read-ahead' mode information.
+A previous session-id to re-use.
+
+A connection is made by using SSL_connect or SSL_accept.
+When non-blocking IO is being used, there are functions that can be used
+to determin where and why the SSL_connect or SSL_accept did not complete.
+This information can be used to recall the functions when the 'error'
+condition has dissapeared.
+
+After the connection has been made, information can be retrived about the
+SSL session and the session-id values that have been decided apon.
+The 'peer' certificate can be retrieved.
+
+The session-id values include
+'start time'
+'timeout length'
+
+
+
+==== stack.doc ========================================================
+
+The stack data structure is used to store an ordered list of objects.
+It is basically misnamed to call it a stack but it can function that way
+and that is what I originally used it for.  Due to the way element
+pointers are kept in a malloc()ed array, the most efficient way to use this
+structure is to add and delete elements from the end via sk_pop() and
+sk_push().  If you wish to do 'lookups' sk_find() is quite efficient since
+it will sort the stack (if required) and then do a binary search to lookup 
+the requested item.  This sorting occurs automatically so just sk_push()
+elements on the stack and don't worry about the order.  Do remember that if
+you do a sk_find(), the order of the elements will change.
+
+You should never need to 'touch' this structure directly.
+typedef struct stack_st
+	{
+	unsigned int num;
+	char **data;
+	int sorted;
+
+	unsigned int num_alloc;
+	int (*comp)();
+	} STACK;
+
+'num' holds the number of elements in the stack, 'data' is the array of
+elements.  'sorted' is 1 is the list has been sorted, 0 if not.
+
+num_alloc is the number of 'nodes' allocated in 'data'.  When num becomes
+larger than num_alloc, data is realloced to a larger size.
+If 'comp' is set, it is a function that is used to compare 2 of the items
+in the stack.  The function should return -1, 0 or 1, depending on the
+ordering.
+
+#define sk_num(sk)	((sk)->num)
+#define sk_value(sk,n)	((sk)->data[n])
+
+These 2 macros should be used to access the number of elements in the
+'stack' and to access a pointer to one of the values.
+
+STACK *sk_new(int (*c)());
+	This creates a new stack.  If 'c', the comparison function, is not
+specified, the various functions that operate on a sorted 'stack' will not
+work (sk_find()).  NULL is returned on failure.
+
+void sk_free(STACK *);
+	This function free()'s a stack structure.  The elements in the
+stack will not be freed so one should 'pop' and free all elements from the
+stack before calling this function or call sk_pop_free() instead.
+
+void sk_pop_free(STACK *st; void (*func)());
+	This function calls 'func' for each element on the stack, passing
+the element as the argument.  sk_free() is then called to free the 'stack'
+structure.
+
+int sk_insert(STACK *sk,char *data,int where);
+	This function inserts 'data' into stack 'sk' at location 'where'.
+If 'where' is larger that the number of elements in the stack, the element
+is put at the end.  This function tends to be used by other 'stack'
+functions.  Returns 0 on failure, otherwise the number of elements in the
+new stack.
+
+char *sk_delete(STACK *st,int loc);
+	Remove the item a location 'loc' from the stack and returns it.
+Returns NULL if the 'loc' is out of range.
+
+char *sk_delete_ptr(STACK *st, char *p);
+	If the data item pointed to by 'p' is in the stack, it is deleted
+from the stack and returned.  NULL is returned if the element is not in the
+stack.
+
+int sk_find(STACK *st,char *data);
+	Returns the location that contains a value that is equal to 
+the 'data' item.  If the comparison function was not set, this function
+does a linear search.  This function actually qsort()s the stack if it is not
+in order and then uses bsearch() to do the initial search.  If the
+search fails,, -1 is returned.  For mutliple items with the same
+value, the index of the first in the array is returned.
+
+int sk_push(STACK *st,char *data);
+	Append 'data' to the stack.  0 is returned if there is a failure
+(due to a malloc failure), else 1.  This is 
+sk_insert(st,data,sk_num(st));
+
+int sk_unshift(STACK *st,char *data);
+	Prepend 'data' to the front (location 0) of the stack.  This is
+sk_insert(st,data,0);
+
+char *sk_shift(STACK *st);
+	Return and delete from the stack the first element in the stack.
+This is sk_delete(st,0);
+
+char *sk_pop(STACK *st);
+	Return and delete the last element on the stack.  This is
+sk_delete(st,sk_num(sk)-1);
+
+void sk_zero(STACK *st);
+	Removes all items from the stack.  It does not 'free'
+pointers but is a quick way to clear a 'stack of references'.
+
+==== threads.doc ========================================================
+
+How to compile SSLeay for multi-threading.
+
+Well basically it is quite simple, set the compiler flags and build.
+I have only really done much testing under Solaris and Windows NT.
+If you library supports localtime_r() and gmtime_r() add,
+-DTHREADS to the makefile parameters.  You can probably survive with out
+this define unless you are going to have multiple threads generating
+certificates at once.  It will not affect the SSL side of things.
+
+The approach I have taken to doing locking is to make the application provide
+callbacks to perform locking and so that the SSLeay library can distinguish
+between threads (for the error state).
+
+To have a look at an example program, 'cd mt; vi mttest.c'.
+To build under solaris, sh solaris.sh, for Windows NT or Windows 95,
+win32.bat
+
+This will build mttest which will fire up 10 threads that talk SSL
+to each other 10 times.
+To enable everything to work, the application needs to call
+
+CRYPTO_set_id_callback(id_function);
+CRYPTO_set_locking_callback(locking_function);
+
+before any multithreading is started.
+id_function does not need to be defined under Windows NT or 95, the
+correct function will be called if it is not.  Under unix, getpid()
+is call if the id_callback is not defined, for Solaris this is wrong
+(since threads id's are not pid's) but under Linux it is correct
+(threads are just processes sharing the data segement).
+
+The locking_callback is used to perform locking by the SSLeay library.
+eg.
+
+void solaris_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+	{
+	if (mode & CRYPTO_LOCK)
+		mutex_lock(&(lock_cs[type]));
+	else
+		mutex_unlock(&(lock_cs[type]));
+	}
+
+Now in this case I have used mutexes instead of read/write locks, since they
+are faster and there are not many read locks in SSLeay, you may as well
+always use write locks.  file and line are __FILE__ and __LINE__ from
+the compile and can be usefull when debugging.
+
+Now as you can see, 'type' can be one of a range of values, these values are
+defined in crypto/crypto.h
+CRYPTO_get_lock_name(type) will return a text version of what the lock is.
+There are CRYPTO_NUM_LOCKS locks required, so under solaris, the setup
+for multi-threading can be
+
+static mutex_t lock_cs[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+	{
+	int i;
+
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		mutex_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+	CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
+	CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+	}
+
+As a final note, under Windows NT or Windows 95, you have to be careful
+not to mix the various threaded, unthreaded and debug libraries.
+Normally if they are mixed incorrectly, mttest will crash just after printing
+out some usage statistics at the end.  This is because the
+different system libraries use different malloc routines and if
+data is malloc()ed inside crypt32.dll or ssl32.dll and then free()ed by a
+different library malloc, things get very confused.
+
+The default SSLeay DLL builds use /MD, so if you use this on your
+application, things will work as expected.  If you use /MDd,
+you will probably have to rebuild SSLeay using this flag.
+I should modify util/mk1mf.pl so it does all this correctly, but 
+this has not been done yet.
+
+One last warning.  Because locking overheads are actually quite large, the
+statistics collected against the SSL_CTX for successfull connections etc
+are not locked when updated.  This does make it possible for these
+values to be slightly lower than they should be, if you are
+running multithreaded on a multi-processor box, but this does not really
+matter much.
+
+
+==== txt_db.doc ========================================================
+
+TXT_DB, a simple text based in memory database.
+
+It holds rows of ascii data, for which the only special character is '\0'.
+The rows can be of an unlimited length.
+
+==== why.doc ========================================================
+
+This file is more of a note for other people who wish to understand why
+the build environment is the way it is :-).
+
+The include files 'depend' as follows.
+Each of 
+crypto/*/*.c includes crypto/cryptlib.h
+ssl/*.c include ssl/ssl_locl.h
+apps/*.c include apps/apps.h
+crypto/cryptlib.h, ssl/ssl_locl.h and apps/apps.h
+all include e_os.h which contains OS/environment specific information.
+If you need to add something todo with a particular environment,
+add it to this file.  It is worth remembering that quite a few libraries,
+like lhash, des, md, sha etc etc do not include crypto/cryptlib.h.  This
+is because these libraries should be 'independantly compilable' and so I
+try to keep them this way.
+e_os.h is not so much a part of SSLeay, as the placing in one spot all the
+evil OS dependant muck.
+
+I wanted to automate as many things as possible.  This includes
+error number generation.  A
+make errors
+will scan the source files for error codes, append them to the correct
+header files, and generate the functions to print the text version
+of the error numbers.  So don't even think about adding error numbers by
+hand, put them in the form
+XXXerr(XXXX_F_XXXX,YYYY_R_YYYY);
+on line and it will be automatically picked up my a make errors.
+
+In a similar vein, programs to be added into ssleay in the apps directory
+just need to have an entry added to E_EXE in makefile.ssl and
+everthing will work as expected.  Don't edit progs.h by hand.
+
+make links re-generates the symbolic links that are used.  The reason why
+I keep everything in its own directory, and don't put all the
+test programs and header files in 'test' and 'include' is because I want
+to keep the 'sub-libraries' independant.  I still 'pull' out
+indervidual libraries for use in specific projects where the code is
+required.  I have used the 'lhash' library in just about every software
+project I have worked on :-).
+
+make depend generates dependancies and
+make dclean removes them.
+
+You will notice that I use perl quite a bit when I could be using 'sed'.
+The reason I decided to do this was to just stick to one 'extra' program.
+For Windows NT, I have perl and no sed.
+
+The util/mk1mf.pl program can be used to generate a single makefile.
+I use this because makefiles under Microsoft are horrific.
+Each C compiler seems to have different linker formats, which have
+to be used because the retarted C compilers explode when you do
+cl -o file *.o.
+
+Now some would argue that I should just use the single makefile.  I don't
+like it during develoment for 2 reasons.  First, the actuall make
+command takes a long time.  For my current setup, if I'm in
+crypto/bn and I type make, only the crypto/bn directory gets rebuilt,
+which is nice when you are modifying prototypes in bn.h which
+half the SSLeay depends on.  The second is that to add a new souce file
+I just plonk it in at the required spot in the local makefile.  This
+then alows me to keep things local, I don't need to modify a 'global'
+tables (the make for unix, the make for NT, the make for w31...).
+When I am ripping apart a library structure, it is nice to only
+have to worry about one directory :-).
+
+Having said all this, for the hell of it I put together 2 files that
+#include all the souce code (generated by doing a ls */*.o after a build).
+crypto.c takes only 30 seconds to build under NT and 2 minutes under linux
+for my pentium100.  Much faster that the normal build :-).
+Again, the problem is that when using libraries, every program linked
+to libcrypto.a would suddenly get 330k of library when it may only need
+1k.  This technique does look like a nice way to do shared libraries though.
+
+Oh yes, as a final note, to 'build' a distribution, I just type
+make dist.
+This cleans and packages everything.  The directory needs to be called
+SSLeay since the make does a 'cd ..' and renames and tars things up.
+
+==== req.1 ========================================================
+
+The 'req' command is used to manipulate and deal with pkcs#10
+certificate requests.
+
+It's default mode of operation is to load a certificate and then
+write it out again.
+
+By default the 'req' is read from stdin in 'PEM' format.
+The -inform option can be used to specify 'pem' format or 'der'
+format.  PEM format is the base64 encoding of the DER format.
+
+By default 'req' then writes the request back out. -outform can be used
+to indicate the desired output format, be it 'pem' or 'der'.
+
+To specify an input file, use the '-in' option and the '-out' option
+can be used to specify the output file.
+
+If you wish to perform a command and not output the certificate
+request afterwards, use the '-noout' option.
+
+When a certificate is loaded, it can be printed in a human readable
+ascii format via the '-text' option.
+
+To check that the signature on a certificate request is correct, use
+the '-verify' option to make sure that the private key contained in the
+certificate request corresponds to the signature.
+
+Besides the default mode, there is also the 'generate a certificate
+request' mode.  There are several flags that trigger this mode.
+
+-new will generate a new RSA key (if required) and then prompts
+the user for details for the certificate request.
+-newkey has an argument that is the number of bits to make the new
+key.  This function also triggers '-new'.
+
+The '-new' option can have a key to use specified instead of having to
+load one, '-key' is used to specify the file containg the key.
+-keyform can be used to specify the format of the key.  Only
+'pem' and 'der' formats are supported, later, 'netscape' format may be added.
+
+Finally there is the '-x509' options which makes req output a self
+signed x509 certificate instead of a certificate request.
+
+Now as you may have noticed, there are lots of default options that
+cannot be specified via the command line.  They are held in a 'template'
+or 'configuration file'.  The -config option specifies which configuration
+file to use.  See conf.doc for details on the syntax of this file.
+
+The req command uses the 'req' section of the config file.
+
+---
+# The following variables are defined.  For this example I will populate
+# the various values
+[ req ]
+default_bits	= 512		# default number of bits to use.
+default_keyfile	= testkey.pem	# Where to write the generated keyfile
+				# if not specified.
+distinguished_name= req_dn	# The section that contains the
+				# information about which 'object' we
+				# want to put in the DN.
+attributes	= req_attr	# The objects we want for the
+				# attributes field.
+encrypt_rsa_key	= no		# Should we encrypt newly generated
+				# keys.  I strongly recommend 'yes'.
+
+# The distinguished name section.  For the following entries, the
+# object names must exist in the SSLeay header file objects.h.  If they
+# do not, they will be silently ignored.  The entries have the following
+# format.
+# <object_name>		=> string to prompt with
+# <object_name>_default	=> default value for people
+# <object_name>_value	=> Automatically use this value for this field.
+# <object_name>_min	=> minimum number of characters for data (def. 0)
+# <object_name>_max	=> maximum number of characters for data (def. inf.)
+# All of these entries are optional except for the first one.
+[ req_dn ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Queensland
+
+localityName			= Locality Name (eg, city)
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Mincom Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= MTR
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 40
+
+# The next section is the attributes section.  This is exactly the
+# same as for the previous section except that the resulting objects are
+# put in the attributes field. 
+[ req_attr ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+----
+Also note that the order that attributes appear in this file is the
+order they will be put into the distinguished name.
+
+Once this request has been generated, it can be sent to a CA for
+certifying.
+
+----
+A few quick examples....
+
+To generate a new request and a new key
+req -new
+
+To generate a new request and a 1058 bit key
+req -newkey 1058
+
+To generate a new request using a pre-existing key
+req -new -key key.pem
+
+To generate a self signed x509 certificate from a certificate
+request using a supplied key, and we want to see the text form of the
+output certificate (which we will put in the file selfSign.pem
+req -x509 -in req.pem -key key.pem -text -out selfSign.pem
+
+Verify that the signature is correct on a certificate request.
+req -verify -in req.pem
+
+Verify that the signature was made using a specified public key.
+req -verify -in req.pem -key key.pem
+
+Print the contents of a certificate request
+req -text -in req.pem
+
+==== danger ========================================================
+
+If you specify a SSLv2 cipher, and the mode is SSLv23 and the server
+can talk SSLv3, it will claim there is no cipher since you should be
+using SSLv3.
+
+When tracing debug stuff, remember BIO_s_socket() is different to
+BIO_s_connect().
+
+BSD/OS assember is not working
+
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
new file mode 100644
index 0000000..dc28cd6
--- /dev/null
+++ b/crypto/openssl/e_os.h
@@ -0,0 +1,446 @@
+/* e_os.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_E_OS_H
+#define HEADER_E_OS_H
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/e_os2.h>
+/* <openssl/e_os2.h> contains what we can justify to make visible
+ * to the outside; this file e_os.h is not part of the exported
+ * interface. */
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Used to checking reference counts, most while doing perl5 stuff :-) */
+#ifdef REF_PRINT
+#undef REF_PRINT
+#define REF_PRINT(a,b)	fprintf(stderr,"%08X:%4d:%s\n",(int)b,b->references,a)
+#endif
+
+#ifndef DEVRANDOM
+/* set this to your 'random' device if you have one.
+ * My default, we will try to read this file */
+#define DEVRANDOM "/dev/urandom"
+#endif
+
+#if defined(__MWERKS__) && defined(macintosh)
+# if macintosh==1
+#  ifndef MAC_OS_GUSI_SOURCE
+#    define MAC_OS_pre_X
+#    define NO_SYS_TYPES_H
+#  endif
+#  define NO_SYS_PARAM_H
+#  define NO_CHMOD
+#  define NO_SYSLOG
+#  undef  DEVRANDOM
+#  define GETPID_IS_MEANINGLESS
+# endif
+#endif
+
+/********************************************************************
+ The Microsoft section
+ ********************************************************************/
+/* The following is used becaue of the small stack in some
+ * Microsoft operating systems */
+#if defined(WIN16) || defined(MSDOS)
+#  define MS_STATIC	static
+#else
+#  define MS_STATIC
+#endif
+
+#if defined(_WIN32) && !defined(WIN32)
+#  define WIN32
+#endif
+
+#if defined(WIN32) || defined(WIN16)
+#  ifndef WINDOWS
+#    define WINDOWS
+#  endif
+#  ifndef MSDOS
+#    define MSDOS
+#  endif
+#endif
+
+#if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS)
+#  define GETPID_IS_MEANINGLESS
+#endif
+
+#ifdef WIN32
+#define get_last_sys_error()	GetLastError()
+#define clear_sys_error()	SetLastError(0)
+#if !defined(WINNT)
+#define WIN_CONSOLE_BUG
+#endif
+#else
+#define get_last_sys_error()	errno
+#define clear_sys_error()	errno=0
+#endif
+
+#ifdef WINDOWS
+#define get_last_socket_error()	WSAGetLastError()
+#define clear_socket_error()	WSASetLastError(0)
+#define readsocket(s,b,n)	recv((s),(b),(n),0)
+#define writesocket(s,b,n)	send((s),(b),(n),0)
+#define EADDRINUSE		WSAEADDRINUSE
+#elif defined(MAC_OS_pre_X)
+#define get_last_socket_error()	errno
+#define clear_socket_error()	errno=0
+#define closesocket(s)		MacSocket_close(s)
+#define readsocket(s,b,n)	MacSocket_recv((s),(b),(n),true)
+#define writesocket(s,b,n)	MacSocket_send((s),(b),(n))
+#else
+#define get_last_socket_error()	errno
+#define clear_socket_error()	errno=0
+#define ioctlsocket(a,b,c)	ioctl(a,b,c)
+#define closesocket(s)		close(s)
+#define readsocket(s,b,n)	read((s),(b),(n))
+#define writesocket(s,b,n)	write((s),(b),(n))
+#endif
+
+#ifdef WIN16
+#  define NO_FP_API
+#  define MS_CALLBACK	_far _loadds
+#  define MS_FAR	_far
+#else
+#  define MS_CALLBACK
+#  define MS_FAR
+#endif
+
+#ifdef NO_STDIO
+#  define NO_FP_API
+#endif
+
+#if defined(WINDOWS) || defined(MSDOS)
+
+#  ifndef S_IFDIR
+#    define S_IFDIR	_S_IFDIR
+#  endif
+
+#  ifndef S_IFMT
+#    define S_IFMT	_S_IFMT
+#  endif
+
+#  if !defined(WINNT)
+#    define NO_SYSLOG
+#  endif
+#  define NO_DIRENT
+
+#  ifdef WINDOWS
+#    include <windows.h>
+#    include <stddef.h>
+#    include <errno.h>
+#    include <string.h>
+#    include <malloc.h>
+#  endif
+#  include <io.h>
+#  include <fcntl.h>
+
+#  define ssize_t long
+
+#  if defined (__BORLANDC__)
+#    define _setmode setmode
+#    define _O_TEXT O_TEXT
+#    define _O_BINARY O_BINARY
+#    define _int64 __int64
+#    define _kbhit kbhit
+#  endif
+
+#  if defined(WIN16) && !defined(MONOLITH) && defined(SSLEAY) && defined(_WINEXITNOPERSIST)
+#    define EXIT(n) { if (n == 0) _wsetexit(_WINEXITNOPERSIST); return(n); }
+#  else
+#    define EXIT(n)		return(n);
+#  endif
+#  define LIST_SEPARATOR_CHAR ';'
+#  ifndef X_OK
+#    define X_OK	0
+#  endif
+#  ifndef W_OK
+#    define W_OK	2
+#  endif
+#  ifndef R_OK
+#    define R_OK	4
+#  endif
+#  define OPENSSL_CONF	"openssl.cnf"
+#  define SSLEAY_CONF	OPENSSL_CONF
+#  define NUL_DEV	"nul"
+#  define RFILE		".rnd"
+
+#else /* The non-microsoft world world */
+
+#  if defined(__VMS) && !defined(VMS)
+#  define VMS 1
+#  endif
+
+#  ifdef VMS
+  /* some programs don't include stdlib, so exit() and others give implicit 
+     function warnings */
+#    include <stdlib.h>
+#    if defined(__DECC)
+#      include <unistd.h>
+#    else
+#      include <unixlib.h>
+#    endif
+#    define OPENSSL_CONF	"openssl.cnf"
+#    define SSLEAY_CONF		OPENSSL_CONF
+#    define RFILE		".rnd"
+#    define LIST_SEPARATOR_CHAR ','
+#    define NUL_DEV		"NLA0:"
+  /* We need to do this since VMS has the following coding on status codes:
+
+     Bits 0-2: status type: 0 = warning, 1 = success, 2 = error, 3 = info ...
+               The important thing to know is that odd numbers are considered
+	       good, while even ones are considered errors.
+     Bits 3-15: actual status number
+     Bits 16-27: facility number.  0 is considered "unknown"
+     Bits 28-31: control bits.  If bit 28 is set, the shell won't try to
+                 output the message (which, for random codes, just looks ugly)
+
+     So, what we do here is to change 0 to 1 to get the default success status,
+     and everything else is shifted up to fit into the status number field, and
+     the status is tagged as an error, which I believe is what is wanted here.
+     -- Richard Levitte
+  */
+#    if !defined(MONOLITH) || defined(OPENSSL_C)
+#      define EXIT(n)		do { int __VMS_EXIT = n; \
+                                     if (__VMS_EXIT == 0) \
+				       __VMS_EXIT = 1; \
+				     else \
+				       __VMS_EXIT = (n << 3) | 2; \
+                                     __VMS_EXIT |= 0x10000000; \
+				     exit(__VMS_EXIT); \
+				     return(__VMS_EXIT); } while(0)
+#    else
+#      define EXIT(n)		return(n)
+#    endif
+#    define NO_SYS_PARAM_H
+#  else
+     /* !defined VMS */
+#    ifdef OPENSSL_UNISTD
+#      include OPENSSL_UNISTD
+#    else
+#      include <unistd.h>
+#    endif
+#    ifndef NO_SYS_TYPES_H
+#      include <sys/types.h>
+#    endif
+#    ifdef NeXT
+#      define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
+                         * (unless when compiling with -D_POSIX_SOURCE,
+                         * which doesn't work for us) */
+#      define ssize_t int /* ditto */
+#    endif
+
+#    define OPENSSL_CONF	"openssl.cnf"
+#    define SSLEAY_CONF		OPENSSL_CONF
+#    define RFILE		".rnd"
+#    define LIST_SEPARATOR_CHAR ':'
+#    define NUL_DEV		"/dev/null"
+#    ifndef MONOLITH
+#      define EXIT(n)		exit(n); return(n)
+#    else
+#      define EXIT(n)		return(n)
+#    endif
+#  endif
+
+#  define SSLeay_getpid()	getpid()
+
+#endif
+
+
+/*************/
+
+#ifdef USE_SOCKETS
+#  if defined(WINDOWS) || defined(MSDOS)
+      /* windows world */
+
+#    ifdef NO_SOCK
+#      define SSLeay_Write(a,b,c)	(-1)
+#      define SSLeay_Read(a,b,c)	(-1)
+#      define SHUTDOWN(fd)		close(fd)
+#      define SHUTDOWN2(fd)		close(fd)
+#    else
+#      include <winsock.h>
+extern HINSTANCE _hInstance;
+#      define SSLeay_Write(a,b,c)	send((a),(b),(c),0)
+#      define SSLeay_Read(a,b,c)	recv((a),(b),(c),0)
+#      define SHUTDOWN(fd)		{ shutdown((fd),0); closesocket(fd); }
+#      define SHUTDOWN2(fd)		{ shutdown((fd),2); closesocket(fd); }
+#    endif
+
+#  elif defined(MAC_OS_pre_X)
+
+#    include "MacSocket.h"
+#    define SSLeay_Write(a,b,c)		MacSocket_send((a),(b),(c))
+#    define SSLeay_Read(a,b,c)		MacSocket_recv((a),(b),(c),true)
+#    define SHUTDOWN(fd)		MacSocket_close(fd)
+#    define SHUTDOWN2(fd)		MacSocket_close(fd)
+
+#  else
+
+#    ifndef NO_SYS_PARAM_H
+#      include <sys/param.h>
+#    endif
+#    include <sys/time.h> /* Needed under linux for FD_XXX */
+
+#    include <netdb.h>
+#    if defined(VMS) && !defined(__DECC)
+#      include <socket.h>
+#      include <in.h>
+#    else
+#      include <sys/socket.h>
+#      ifdef FILIO_H
+#        include <sys/filio.h> /* Added for FIONBIO under unixware */
+#      endif
+#      include <netinet/in.h>
+#    endif
+
+#    if defined(NeXT) || defined(_NEXT_SOURCE)
+#      include <sys/fcntl.h>
+#      include <sys/types.h>
+#    endif
+
+#    ifdef AIX
+#      include <sys/select.h>
+#    endif
+
+#    if defined(sun)
+#      include <sys/filio.h>
+#    else
+#      ifndef VMS
+#        include <sys/ioctl.h>
+#      else
+	 /* ioctl is only in VMS > 7.0 and when socketshr is not used */
+#        if !defined(TCPIP_TYPE_SOCKETSHR) && defined(__VMS_VER) && (__VMS_VER > 70000000)
+#          include <sys/ioctl.h>
+#        endif
+#      endif
+#    endif
+
+#    ifdef VMS
+#      include <unixio.h>
+#      if defined(TCPIP_TYPE_SOCKETSHR)
+#        include <socketshr.h>
+#      endif
+#    endif
+
+#    define SSLeay_Read(a,b,c)     read((a),(b),(c))
+#    define SSLeay_Write(a,b,c)    write((a),(b),(c))
+#    define SHUTDOWN(fd)    { shutdown((fd),0); closesocket((fd)); }
+#    define SHUTDOWN2(fd)   { shutdown((fd),2); closesocket((fd)); }
+#    define INVALID_SOCKET	(-1)
+#  endif
+#endif
+
+#if defined(__ultrix)
+#  ifndef ssize_t
+#    define ssize_t int 
+#  endif
+#endif
+
+#if defined(THREADS) || defined(sun)
+#ifndef _REENTRANT
+#define _REENTRANT
+#endif
+#endif
+
+/***********************************************/
+
+/* do we need to do this for getenv.
+ * Just define getenv for use under windows */
+
+#ifdef WIN16
+/* How to do this needs to be thought out a bit more.... */
+/*char *GETENV(char *);
+#define Getenv	GETENV*/
+#define Getenv	getenv
+#else
+#define Getenv getenv
+#endif
+
+#define DG_GCC_BUG	/* gcc < 2.6.3 on DGUX */
+
+#ifdef sgi
+#define IRIX_CC_BUG	/* all version of IRIX I've tested (4.* 5.*) */
+#endif
+#ifdef SNI
+#define IRIX_CC_BUG	/* CDS++ up to V2.0Bsomething suffered from the same bug.*/
+#endif
+
+#ifdef NO_MD2
+#define MD2_Init MD2Init
+#define MD2_Update MD2Update
+#define MD2_Final MD2Final
+#define MD2_DIGEST_LENGTH 16
+#endif
+#ifdef NO_MD5
+#define MD5_Init MD5Init 
+#define MD5_Update MD5Update
+#define MD5_Final MD5Final
+#define MD5_DIGEST_LENGTH 16
+#endif
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/crypto/openssl/e_os2.h b/crypto/openssl/e_os2.h
new file mode 100644
index 0000000..bd97b92
--- /dev/null
+++ b/crypto/openssl/e_os2.h
@@ -0,0 +1,38 @@
+/* e_os2.h */
+
+#ifndef HEADER_E_OS2_H
+#define HEADER_E_OS2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/opensslconf.h> /* OPENSSL_UNISTD */
+
+#ifdef MSDOS
+# define OPENSSL_UNISTD_IO <io.h>
+# define OPENSSL_DECLARE_EXIT extern void exit(int);
+#else
+# define OPENSSL_UNISTD_IO OPENSSL_UNISTD
+# define OPENSSL_DECLARE_EXIT /* declared in unistd.h */
+#endif
+
+/* Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN,
+   to define and declare certain global
+   symbols that, with some compilers under VMS, have to be defined and
+   declared explicitely with globaldef and globalref.  On other OS:es,
+   these macros are defined with something sensible. */
+
+#if defined(VMS) && !defined(__DECC)
+# define OPENSSL_EXTERN globalref
+# define OPENSSL_GLOBAL globaldef
+#else
+# define OPENSSL_EXTERN extern
+# define OPENSSL_GLOBAL
+#endif
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/mt/README b/crypto/openssl/mt/README
new file mode 100644
index 0000000..df6b26e
--- /dev/null
+++ b/crypto/openssl/mt/README
@@ -0,0 +1,14 @@
+Mutithreading testing area.
+
+Since this stuff is very very platorm specific, this is not part of the
+normal build.  Have a read of doc/threads.doc.
+
+mttest will do some testing and will currently build under Windows NT/95,
+Solaris and Linux.  The IRIX stuff is not finished.
+
+I have tested this program on a 12 CPU ultra sparc box (solaris 2.5.1)
+and things seem to work ok.
+
+The Linux pthreads package can be retrieved from 
+http://www.mit.edu:8001/people/proven/pthreads.html
+
diff --git a/crypto/openssl/mt/mttest.c b/crypto/openssl/mt/mttest.c
new file mode 100644
index 0000000..b2f3326
--- /dev/null
+++ b/crypto/openssl/mt/mttest.c
@@ -0,0 +1,1092 @@
+/* mt/mttest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#ifdef LINUX
+#include <typedefs.h>
+#endif
+#ifdef WIN32
+#include <windows.h>
+#endif
+#ifdef SOLARIS
+#include <synch.h>
+#include <thread.h>
+#endif
+#ifdef IRIX
+#include <ulocks.h>
+#include <sys/prctl.h>
+#endif
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include "../e_os.h"
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+#ifdef NO_FP_API
+#define APPS_WIN16
+#include "../crypto/buffer/bss_file.c"
+#endif
+
+#define TEST_SERVER_CERT "../apps/server.pem"
+#define TEST_CLIENT_CERT "../apps/client.pem"
+
+#define MAX_THREAD_NUMBER	100
+
+int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
+	int error,char *arg);
+void thread_setup(void);
+void thread_cleanup(void);
+void do_threads(SSL_CTX *s_ctx,SSL_CTX *c_ctx);
+
+void irix_locking_callback(int mode,int type,char *file,int line);
+void solaris_locking_callback(int mode,int type,char *file,int line);
+void win32_locking_callback(int mode,int type,char *file,int line);
+void pthreads_locking_callback(int mode,int type,char *file,int line);
+
+unsigned long irix_thread_id(void );
+unsigned long solaris_thread_id(void );
+unsigned long pthreads_thread_id(void );
+
+BIO *bio_err=NULL;
+BIO *bio_stdout=NULL;
+
+static char *cipher=NULL;
+int verbose=0;
+#ifdef FIONBIO
+static int s_nbio=0;
+#endif
+
+int thread_number=10;
+int number_of_loops=10;
+int reconnect=0;
+int cache_stats=0;
+
+int doit(char *ctx[4]);
+static void print_stats(fp,ctx)
+FILE *fp;
+SSL_CTX *ctx;
+{
+	fprintf(fp,"%4ld items in the session cache\n",
+		SSL_CTX_sess_number(ctx));
+	fprintf(fp,"%4d client connects (SSL_connect())\n",
+		SSL_CTX_sess_connect(ctx));
+	fprintf(fp,"%4d client connects that finished\n",
+		SSL_CTX_sess_connect_good(ctx));
+	fprintf(fp,"%4d server connects (SSL_accept())\n",
+		SSL_CTX_sess_accept(ctx));
+	fprintf(fp,"%4d server connects that finished\n",
+		SSL_CTX_sess_accept_good(ctx));
+	fprintf(fp,"%4d session cache hits\n",SSL_CTX_sess_hits(ctx));
+	fprintf(fp,"%4d session cache misses\n",SSL_CTX_sess_misses(ctx));
+	fprintf(fp,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ctx));
+	}
+
+static void sv_usage()
+	{
+	fprintf(stderr,"usage: ssltest [args ...]\n");
+	fprintf(stderr,"\n");
+	fprintf(stderr," -server_auth  - check server certificate\n");
+	fprintf(stderr," -client_auth  - do client authentication\n");
+	fprintf(stderr," -v            - more output\n");
+	fprintf(stderr," -CApath arg   - PEM format directory of CA's\n");
+	fprintf(stderr," -CAfile arg   - PEM format file of CA's\n");
+	fprintf(stderr," -threads arg  - number of threads\n");
+	fprintf(stderr," -loops arg    - number of 'connections', per thread\n");
+	fprintf(stderr," -reconnect    - reuse session-id's\n");
+	fprintf(stderr," -stats        - server session-id cache stats\n");
+	fprintf(stderr," -cert arg     - server certificate/key\n");
+	fprintf(stderr," -ccert arg    - client certificate/key\n");
+	fprintf(stderr," -ssl3         - just SSLv3n\n");
+	}
+
+int main(argc, argv)
+int argc;
+char *argv[];
+	{
+	char *CApath=NULL,*CAfile=NULL;
+	int badop=0;
+	int ret=1;
+	int client_auth=0;
+	int server_auth=0;
+	SSL_CTX *s_ctx=NULL;
+	SSL_CTX *c_ctx=NULL;
+	char *scert=TEST_SERVER_CERT;
+	char *ccert=TEST_CLIENT_CERT;
+	SSL_METHOD *ssl_method=SSLv23_method();
+
+	if (bio_err == NULL)
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	if (bio_stdout == NULL)
+		bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
+	argc--;
+	argv++;
+
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-server_auth") == 0)
+			server_auth=1;
+		else if	(strcmp(*argv,"-client_auth") == 0)
+			client_auth=1;
+		else if	(strcmp(*argv,"-reconnect") == 0)
+			reconnect=1;
+		else if	(strcmp(*argv,"-stats") == 0)
+			cache_stats=1;
+		else if	(strcmp(*argv,"-ssl3") == 0)
+			ssl_method=SSLv3_method();
+		else if	(strcmp(*argv,"-ssl2") == 0)
+			ssl_method=SSLv2_method();
+		else if	(strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			}
+		else if	(strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			scert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-ccert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			ccert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-threads") == 0)
+			{
+			if (--argc < 1) goto bad;
+			thread_number= atoi(*(++argv));
+			if (thread_number == 0) thread_number=1;
+			if (thread_number > MAX_THREAD_NUMBER)
+				thread_number=MAX_THREAD_NUMBER;
+			}
+		else if	(strcmp(*argv,"-loops") == 0)
+			{
+			if (--argc < 1) goto bad;
+			number_of_loops= atoi(*(++argv));
+			if (number_of_loops == 0) number_of_loops=1;
+			}
+		else
+			{
+			fprintf(stderr,"unknown option %s\n",*argv);
+			badop=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+	if (badop)
+		{
+bad:
+		sv_usage();
+		goto end;
+		}
+
+	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
+
+	SSL_load_error_strings();
+	SSLeay_add_ssl_algorithms();
+
+	c_ctx=SSL_CTX_new(ssl_method);
+	s_ctx=SSL_CTX_new(ssl_method);
+	if ((c_ctx == NULL) || (s_ctx == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	SSL_CTX_set_session_cache_mode(s_ctx,
+		SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
+	SSL_CTX_set_session_cache_mode(c_ctx,
+		SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
+
+	SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM);
+	SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM);
+
+	if (client_auth)
+		{
+		SSL_CTX_use_certificate_file(c_ctx,ccert,
+			SSL_FILETYPE_PEM);
+		SSL_CTX_use_RSAPrivateKey_file(c_ctx,ccert,
+			SSL_FILETYPE_PEM);
+		}
+
+	if (	(!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
+		(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(c_ctx)))
+		{
+		fprintf(stderr,"SSL_load_verify_locations\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (client_auth)
+		{
+		fprintf(stderr,"client authentication\n");
+		SSL_CTX_set_verify(s_ctx,
+			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+			verify_callback);
+		}
+	if (server_auth)
+		{
+		fprintf(stderr,"server authentication\n");
+		SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
+			verify_callback);
+		}
+
+	thread_setup();
+	do_threads(s_ctx,c_ctx);
+	thread_cleanup();
+end:
+	
+	if (c_ctx != NULL) 
+		{
+		fprintf(stderr,"Client SSL_CTX stats then free it\n");
+		print_stats(stderr,c_ctx);
+		SSL_CTX_free(c_ctx);
+		}
+	if (s_ctx != NULL)
+		{
+		fprintf(stderr,"Server SSL_CTX stats then free it\n");
+		print_stats(stderr,s_ctx);
+		if (cache_stats)
+			{
+			fprintf(stderr,"-----\n");
+			lh_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n");
+		/*	lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n"); */
+			lh_node_usage_stats(SSL_CTX_sessions(s_ctx),stderr);
+			fprintf(stderr,"-----\n");
+			}
+		SSL_CTX_free(s_ctx);
+		fprintf(stderr,"done free\n");
+		}
+	exit(ret);
+	return(0);
+	}
+
+#define W_READ	1
+#define W_WRITE	2
+#define C_DONE	1
+#define S_DONE	2
+
+int ndoit(ssl_ctx)
+SSL_CTX *ssl_ctx[2];
+	{
+	int i;
+	int ret;
+	char *ctx[4];
+
+	ctx[0]=(char *)ssl_ctx[0];
+	ctx[1]=(char *)ssl_ctx[1];
+
+	if (reconnect)
+		{
+		ctx[2]=(char *)SSL_new(ssl_ctx[0]);
+		ctx[3]=(char *)SSL_new(ssl_ctx[1]);
+		}
+	else
+		{
+		ctx[2]=NULL;
+		ctx[3]=NULL;
+		}
+
+	fprintf(stdout,"started thread %lu\n",CRYPTO_thread_id());
+	for (i=0; i<number_of_loops; i++)
+		{
+/*		fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n",
+			CRYPTO_thread_id(),i,
+			ssl_ctx[0]->references,
+			ssl_ctx[1]->references); */
+	/*	pthread_delay_np(&tm);*/
+
+		ret=doit(ctx);
+		if (ret != 0)
+			{
+			fprintf(stdout,"error[%d] %lu - %d\n",
+				i,CRYPTO_thread_id(),ret);
+			return(ret);
+			}
+		}
+	fprintf(stdout,"DONE %lu\n",CRYPTO_thread_id());
+	if (reconnect)
+		{
+		SSL_free((SSL *)ctx[2]);
+		SSL_free((SSL *)ctx[3]);
+		}
+	return(0);
+	}
+
+int doit(ctx)
+char *ctx[4];
+	{
+	SSL_CTX *s_ctx,*c_ctx;
+	static char cbuf[200],sbuf[200];
+	SSL *c_ssl=NULL;
+	SSL *s_ssl=NULL;
+	BIO *c_to_s=NULL;
+	BIO *s_to_c=NULL;
+	BIO *c_bio=NULL;
+	BIO *s_bio=NULL;
+	int c_r,c_w,s_r,s_w;
+	int c_want,s_want;
+	int i;
+	int done=0;
+	int c_write,s_write;
+	int do_server=0,do_client=0;
+
+	s_ctx=(SSL_CTX *)ctx[0];
+	c_ctx=(SSL_CTX *)ctx[1];
+
+	if (ctx[2] != NULL)
+		s_ssl=(SSL *)ctx[2];
+	else
+		s_ssl=SSL_new(s_ctx);
+
+	if (ctx[3] != NULL)
+		c_ssl=(SSL *)ctx[3];
+	else
+		c_ssl=SSL_new(c_ctx);
+
+	if ((s_ssl == NULL) || (c_ssl == NULL)) goto err;
+
+	c_to_s=BIO_new(BIO_s_mem());
+	s_to_c=BIO_new(BIO_s_mem());
+	if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
+
+	c_bio=BIO_new(BIO_f_ssl());
+	s_bio=BIO_new(BIO_f_ssl());
+	if ((c_bio == NULL) || (s_bio == NULL)) goto err;
+
+	SSL_set_connect_state(c_ssl);
+	SSL_set_bio(c_ssl,s_to_c,c_to_s);
+	BIO_set_ssl(c_bio,c_ssl,(ctx[2] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
+
+	SSL_set_accept_state(s_ssl);
+	SSL_set_bio(s_ssl,c_to_s,s_to_c);
+	BIO_set_ssl(s_bio,s_ssl,(ctx[3] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
+
+	c_r=0; s_r=1;
+	c_w=1; s_w=0;
+	c_want=W_WRITE;
+	s_want=0;
+	c_write=1,s_write=0;
+
+	/* We can always do writes */
+	for (;;)
+		{
+		do_server=0;
+		do_client=0;
+
+		i=(int)BIO_pending(s_bio);
+		if ((i && s_r) || s_w) do_server=1;
+
+		i=(int)BIO_pending(c_bio);
+		if ((i && c_r) || c_w) do_client=1;
+
+		if (do_server && verbose)
+			{
+			if (SSL_in_init(s_ssl))
+				printf("server waiting in SSL_accept - %s\n",
+					SSL_state_string_long(s_ssl));
+			else if (s_write)
+				printf("server:SSL_write()\n");
+			else 
+				printf("server:SSL_read()\n");
+			}
+
+		if (do_client && verbose)
+			{
+			if (SSL_in_init(c_ssl))
+				printf("client waiting in SSL_connect - %s\n",
+					SSL_state_string_long(c_ssl));
+			else if (c_write)
+				printf("client:SSL_write()\n");
+			else
+				printf("client:SSL_read()\n");
+			}
+
+		if (!do_client && !do_server)
+			{
+			fprintf(stdout,"ERROR IN STARTUP\n");
+			break;
+			}
+		if (do_client && !(done & C_DONE))
+			{
+			if (c_write)
+				{
+				i=BIO_write(c_bio,"hello from client\n",18);
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					/* ok */
+					c_write=0;
+					}
+				}
+			else
+				{
+				i=BIO_read(c_bio,cbuf,100);
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					done|=C_DONE;
+#ifdef undef
+					fprintf(stdout,"CLIENT:from server:");
+					fwrite(cbuf,1,i,stdout);
+					fflush(stdout);
+#endif
+					}
+				}
+			}
+
+		if (do_server && !(done & S_DONE))
+			{
+			if (!s_write)
+				{
+				i=BIO_read(s_bio,sbuf,100);
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					s_write=1;
+					s_w=1;
+#ifdef undef
+					fprintf(stdout,"SERVER:from client:");
+					fwrite(sbuf,1,i,stdout);
+					fflush(stdout);
+#endif
+					}
+				}
+			else
+				{
+				i=BIO_write(s_bio,"hello from server\n",18);
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors_fp(stderr);
+						return(1);
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					return(1);
+					}
+				else
+					{
+					s_write=0;
+					s_r=1;
+					done|=S_DONE;
+					}
+				}
+			}
+
+		if ((done & S_DONE) && (done & C_DONE)) break;
+		}
+
+	SSL_set_shutdown(c_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+	SSL_set_shutdown(s_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+
+#ifdef undef
+	fprintf(stdout,"DONE\n");
+#endif
+err:
+	/* We have to set the BIO's to NULL otherwise they will be
+	 * free()ed twice.  Once when th s_ssl is SSL_free()ed and
+	 * again when c_ssl is SSL_free()ed.
+	 * This is a hack required because s_ssl and c_ssl are sharing the same
+	 * BIO structure and SSL_set_bio() and SSL_free() automatically
+	 * BIO_free non NULL entries.
+	 * You should not normally do this or be required to do this */
+
+	if (s_ssl != NULL)
+		{
+		s_ssl->rbio=NULL;
+		s_ssl->wbio=NULL;
+		}
+	if (c_ssl != NULL)
+		{
+		c_ssl->rbio=NULL;
+		c_ssl->wbio=NULL;
+		}
+
+	/* The SSL's are optionally freed in the following calls */
+	if (c_to_s != NULL) BIO_free(c_to_s);
+	if (s_to_c != NULL) BIO_free(s_to_c);
+
+	if (c_bio != NULL) BIO_free(c_bio);
+	if (s_bio != NULL) BIO_free(s_bio);
+	return(0);
+	}
+
+int MS_CALLBACK verify_callback(ok, xs, xi, depth, error, arg)
+int ok;
+X509 *xs;
+X509 *xi;
+int depth;
+int error;
+char *arg;
+	{
+	char buf[256];
+
+	if (verbose)
+		{
+		X509_NAME_oneline(X509_get_subject_name(xs),buf,256);
+		if (ok)
+			fprintf(stderr,"depth=%d %s\n",depth,buf);
+		else
+			fprintf(stderr,"depth=%d error=%d %s\n",depth,error,buf);
+		}
+	return(ok);
+	}
+
+#define THREAD_STACK_SIZE (16*1024)
+
+#ifdef WIN32
+
+static PRLOCK lock_cs[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+	{
+	int i;
+
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		lock_cs[i]=CreateMutex(NULL,FALSE,NULL);
+		}
+
+	CRYPTO_set_locking_callback((void (*)(int,int,char *,int))win32_locking_callback);
+	/* id callback defined */
+	}
+
+void thread_cleanup()
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		CloseHandle(lock_cs[i]);
+	}
+
+void win32_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		WaitForSingleObject(lock_cs[type],INFINITE);
+		}
+	else
+		{
+		ReleaseMutex(lock_cs[type]);
+		}
+	}
+
+void do_threads(s_ctx,c_ctx)
+SSL_CTX *s_ctx,*c_ctx;
+	{
+	double ret;
+	SSL_CTX *ssl_ctx[2];
+	DWORD thread_id[MAX_THREAD_NUMBER];
+	HANDLE thread_handle[MAX_THREAD_NUMBER];
+	int i;
+	SYSTEMTIME start,end;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	GetSystemTime(&start);
+	for (i=0; i<thread_number; i++)
+		{
+		thread_handle[i]=CreateThread(NULL,
+			THREAD_STACK_SIZE,
+			(LPTHREAD_START_ROUTINE)ndoit,
+			(void *)ssl_ctx,
+			0L,
+			&(thread_id[i]));
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i+=50)
+		{
+		int j;
+
+		j=(thread_number < (i+50))?(thread_number-i):50;
+
+		if (WaitForMultipleObjects(j,
+			(CONST HANDLE *)&(thread_handle[i]),TRUE,INFINITE)
+			== WAIT_FAILED)
+			{
+			fprintf(stderr,"WaitForMultipleObjects failed:%d\n",GetLastError());
+			exit(1);
+			}
+		}
+	GetSystemTime(&end);
+
+	if (start.wDayOfWeek > end.wDayOfWeek) end.wDayOfWeek+=7;
+	ret=(end.wDayOfWeek-start.wDayOfWeek)*24;
+
+	ret=(ret+end.wHour-start.wHour)*60;
+	ret=(ret+end.wMinute-start.wMinute)*60;
+	ret=(ret+end.wSecond-start.wSecond);
+	ret+=(end.wMilliseconds-start.wMilliseconds)/1000.0;
+
+	printf("win32 threads done - %.3f seconds\n",ret);
+	}
+
+#endif /* WIN32 */
+
+#ifdef SOLARIS
+
+static mutex_t lock_cs[CRYPTO_NUM_LOCKS];
+/*static rwlock_t lock_cs[CRYPTO_NUM_LOCKS]; */
+static long lock_count[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+	{
+	int i;
+
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		lock_count[i]=0;
+		/* rwlock_init(&(lock_cs[i]),USYNC_THREAD,NULL); */
+		mutex_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
+	CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+	}
+
+void thread_cleanup()
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+fprintf(stderr,"cleanup\n");
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		/* rwlock_destroy(&(lock_cs[i])); */
+		mutex_destroy(&(lock_cs[i]));
+		fprintf(stderr,"%8ld:%s\n",lock_count[i],CRYPTO_get_lock_name(i));
+		}
+fprintf(stderr,"done cleanup\n");
+	}
+
+void solaris_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+	{
+#ifdef undef
+fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+	CRYPTO_thread_id(),
+	(mode&CRYPTO_LOCK)?"l":"u",
+	(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+
+/*
+if (CRYPTO_LOCK_SSL_CERT == type)
+	fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+		CRYPTO_thread_id(),
+		mode,file,line);
+*/
+	if (mode & CRYPTO_LOCK)
+		{
+	/*	if (mode & CRYPTO_READ)
+			rw_rdlock(&(lock_cs[type]));
+		else
+			rw_wrlock(&(lock_cs[type])); */
+
+		mutex_lock(&(lock_cs[type]));
+		lock_count[type]++;
+		}
+	else
+		{
+/*		rw_unlock(&(lock_cs[type]));  */
+		mutex_unlock(&(lock_cs[type]));
+		}
+	}
+
+void do_threads(s_ctx,c_ctx)
+SSL_CTX *s_ctx,*c_ctx;
+	{
+	SSL_CTX *ssl_ctx[2];
+	thread_t thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	thr_setconcurrency(thread_number);
+	for (i=0; i<thread_number; i++)
+		{
+		thr_create(NULL, THREAD_STACK_SIZE,
+			(void *(*)())ndoit,
+			(void *)ssl_ctx,
+			0L,
+			&(thread_ctx[i]));
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		thr_join(thread_ctx[i],NULL,NULL);
+		}
+
+	printf("solaris threads done (%d,%d)\n",
+		s_ctx->references,c_ctx->references);
+	}
+
+unsigned long solaris_thread_id()
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)thr_self();
+	return(ret);
+	}
+#endif /* SOLARIS */
+
+#ifdef IRIX
+
+
+static usptr_t *arena;
+static usema_t *lock_cs[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+	{
+	int i;
+	char filename[20];
+
+	strcpy(filename,"/tmp/mttest.XXXXXX");
+	mktemp(filename);
+
+	usconfig(CONF_STHREADIOOFF);
+	usconfig(CONF_STHREADMALLOCOFF);
+	usconfig(CONF_INITUSERS,100);
+	usconfig(CONF_LOCKTYPE,US_DEBUGPLUS);
+	arena=usinit(filename);
+	unlink(filename);
+
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		lock_cs[i]=usnewsema(arena,1);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())irix_thread_id);
+	CRYPTO_set_locking_callback((void (*)())irix_locking_callback);
+	}
+
+void thread_cleanup()
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		char buf[10];
+
+		sprintf(buf,"%2d:",i);
+		usdumpsema(lock_cs[i],stdout,buf);
+		usfreesema(lock_cs[i],arena);
+		}
+	}
+
+void irix_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+	{
+	if (mode & CRYPTO_LOCK)
+		{
+		printf("lock %d\n",type);
+		uspsema(lock_cs[type]);
+		}
+	else
+		{
+		printf("unlock %d\n",type);
+		usvsema(lock_cs[type]);
+		}
+	}
+
+void do_threads(s_ctx,c_ctx)
+SSL_CTX *s_ctx,*c_ctx;
+	{
+	SSL_CTX *ssl_ctx[2];
+	int thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	for (i=0; i<thread_number; i++)
+		{
+		thread_ctx[i]=sproc((void (*)())ndoit,
+			PR_SADDR|PR_SFDS,(void *)ssl_ctx);
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		wait(NULL);
+		}
+
+	printf("irix threads done (%d,%d)\n",
+		s_ctx->references,c_ctx->references);
+	}
+
+unsigned long irix_thread_id()
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)getpid();
+	return(ret);
+	}
+#endif /* IRIX */
+
+#ifdef PTHREADS
+
+static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
+static long lock_count[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+	{
+	int i;
+
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		lock_count[i]=0;
+		pthread_mutex_init(&(lock_cs[i]),NULL);
+		}
+
+	CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
+	CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+	}
+
+void thread_cleanup()
+	{
+	int i;
+
+	CRYPTO_set_locking_callback(NULL);
+	fprintf(stderr,"cleanup\n");
+	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+		{
+		pthread_mutex_destroy(&(lock_cs[i]));
+		fprintf(stderr,"%8ld:%s\n",lock_count[i],
+			CRYPTO_get_lock_name(i));
+		}
+	fprintf(stderr,"done cleanup\n");
+	}
+
+void pthreads_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+      {
+#ifdef undef
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+/*
+	if (CRYPTO_LOCK_SSL_CERT == type)
+		fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+		CRYPTO_thread_id(),
+		mode,file,line);
+*/
+	if (mode & CRYPTO_LOCK)
+		{
+		pthread_mutex_lock(&(lock_cs[type]));
+		lock_count[type]++;
+		}
+	else
+		{
+		pthread_mutex_unlock(&(lock_cs[type]));
+		}
+	}
+
+void do_threads(s_ctx,c_ctx)
+SSL_CTX *s_ctx,*c_ctx;
+	{
+	SSL_CTX *ssl_ctx[2];
+	pthread_t thread_ctx[MAX_THREAD_NUMBER];
+	int i;
+
+	ssl_ctx[0]=s_ctx;
+	ssl_ctx[1]=c_ctx;
+
+	/*
+	thr_setconcurrency(thread_number);
+	*/
+	for (i=0; i<thread_number; i++)
+		{
+		pthread_create(&(thread_ctx[i]), NULL,
+			(void *(*)())ndoit, (void *)ssl_ctx);
+		}
+
+	printf("reaping\n");
+	for (i=0; i<thread_number; i++)
+		{
+		pthread_join(thread_ctx[i],NULL);
+		}
+
+	printf("pthreads threads done (%d,%d)\n",
+	s_ctx->references,c_ctx->references);
+	}
+
+unsigned long pthreads_thread_id()
+	{
+	unsigned long ret;
+
+	ret=(unsigned long)pthread_self();
+	return(ret);
+	}
+
+#endif /* PTHREADS */
+
+
+
diff --git a/crypto/openssl/mt/profile.sh b/crypto/openssl/mt/profile.sh
new file mode 100644
index 0000000..de5eb06
--- /dev/null
+++ b/crypto/openssl/mt/profile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -p -DSOLARIS -I../include -g mttest.c -o mttest -L/usr/lib/libc -ldl -L.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/mt/pthread.sh b/crypto/openssl/mt/pthread.sh
new file mode 100644
index 0000000..7d0b6e5
--- /dev/null
+++ b/crypto/openssl/mt/pthread.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# build using pthreads
+#
+# http://www.mit.edu:8001/people/proven/pthreads.html
+#
+/bin/rm -f mttest
+pgcc -DPTHREADS -I../include -g mttest.c -o mttest -L.. -lssl -lcrypto 
+
diff --git a/crypto/openssl/mt/purify.sh b/crypto/openssl/mt/purify.sh
new file mode 100644
index 0000000..57c4017
--- /dev/null
+++ b/crypto/openssl/mt/purify.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+purify cc -DSOLARIS -I../include -g mttest.c -o mttest -L.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/mt/solaris.sh b/crypto/openssl/mt/solaris.sh
new file mode 100644
index 0000000..f6a90b1
--- /dev/null
+++ b/crypto/openssl/mt/solaris.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -DSOLARIS -I../include -g mttest.c -o mttest -L.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/crypto/openssl/openssl.doxy b/crypto/openssl/openssl.doxy
new file mode 100644
index 0000000..479c311
--- /dev/null
+++ b/crypto/openssl/openssl.doxy
@@ -0,0 +1,7 @@
+PROJECT_NAME=OpenSSL
+GENERATE_LATEX=no
+OUTPUT_DIRECTORY=doxygen
+INPUT=ssl include
+FILE_PATTERNS=*.c *.h
+RECURSIVE=yes
+PREDEFINED=DOXYGEN
diff --git a/crypto/openssl/perl/MANIFEST b/crypto/openssl/perl/MANIFEST
new file mode 100644
index 0000000..80c9007
--- /dev/null
+++ b/crypto/openssl/perl/MANIFEST
@@ -0,0 +1,17 @@
+README.1ST
+MANIFEST
+Makefile.PL
+typemap
+OpenSSL.pm
+OpenSSL.xs
+openssl.h
+openssl_bio.xs
+openssl_bn.xs
+openssl_cipher.xs
+openssl_digest.xs
+openssl_err.xs
+openssl_ssl.xs
+openssl_x509.xs
+t/01-use.t
+t/02-version.t
+t/03-bio.t
diff --git a/crypto/openssl/perl/Makefile.PL b/crypto/openssl/perl/Makefile.PL
new file mode 100644
index 0000000..2a67ad0
--- /dev/null
+++ b/crypto/openssl/perl/Makefile.PL
@@ -0,0 +1,45 @@
+##
+##  Makefile.PL -- Perl MakeMaker specification
+##
+
+open(IN,"<../Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+while(<IN>) {
+    $V=$1 if (/^VERSION=(.*)$/);
+}
+close(IN);
+print "Configuring companion Perl module for OpenSSL $V\n";
+
+use ExtUtils::MakeMaker;
+
+WriteMakefile(
+    'OPTIMIZE'      => '',
+    'DISTNAME'      => "openssl-$V",
+    'NAME'          => 'OpenSSL',
+    'VERSION_FROM'  => 'OpenSSL.pm',
+    'LIBS'          => ( $^O eq 'MSWin32'
+                         ? [ '-L../out32dll -lssleay32 -llibeay32' ]
+                         : [ '-L.. -lssl -lcrypto' ]                 ),
+    'DEFINE'        => '',
+    'INC'           => '-I../include',
+    'H'             => ['openssl.h'],
+    'OBJECT' =>
+        'OpenSSL.o ' .
+        'openssl_bio.o ' .
+        'openssl_bn.o ' .
+        'openssl_cipher.o ' .
+        'openssl_digest.o ' .
+        'openssl_err.o ' .
+        'openssl_ssl.o ' .
+        'openssl_x509.o ',
+    'XS' => { 
+        'OpenSSL.xs'        =>  'OpenSSL.c',
+        'openssl_bio.xs'    =>  'openssl_bio.c',
+        'openssl_bn.xs'     =>  'openssl_bn.c',
+        'openssl_cipher.xs' =>  'openssl_cipher.c',
+        'openssl_digest.xs' =>  'openssl_digest.c',
+        'openssl_err.xs'    =>  'openssl_err.c',
+        'openssl_ssl.xs'    =>  'openssl_ssl.c',
+        'openssl_x509.xs'   =>  'openssl_x509.c',
+    },
+);
+
diff --git a/crypto/openssl/perl/OpenSSL.pm b/crypto/openssl/perl/OpenSSL.pm
new file mode 100644
index 0000000..ae7265a
--- /dev/null
+++ b/crypto/openssl/perl/OpenSSL.pm
@@ -0,0 +1,90 @@
+##
+##  OpenSSL.pm
+##
+
+package OpenSSL;
+
+require 5.000;
+use Exporter;
+use DynaLoader;
+
+@ISA    = qw(Exporter DynaLoader);
+@EXPORT = qw();
+
+$VERSION = '0.94';
+bootstrap OpenSSL;
+
+@OpenSSL::BN::ISA        = qw(OpenSSL::ERR);
+@OpenSSL::MD::ISA        = qw(OpenSSL::ERR);
+@OpenSSL::Cipher::ISA    = qw(OpenSSL::ERR);
+@OpenSSL::SSL::CTX::ISA  = qw(OpenSSL::ERR);
+@OpenSSL::BIO::ISA       = qw(OpenSSL::ERR);
+@OpenSSL::SSL::ISA       = qw(OpenSSL::ERR);
+
+@BN::ISA                 = qw(OpenSSL::BN);
+@MD::ISA                 = qw(OpenSSL::MD);
+@Cipher::ISA             = qw(OpenSSL::Cipher);
+@SSL::ISA                = qw(OpenSSL::SSL);
+@SSL::CTX::ISA           = qw(OpenSSL::SSL::CTX);
+@BIO::ISA                = qw(OpenSSL::BIO);
+
+@OpenSSL::MD::names = qw(
+    md2 md5 sha sha1 ripemd160 mdc2
+);
+
+@OpenSSL::Cipher::names = qw(
+    des-ecb des-cfb des-ofb des-cbc
+    des-ede des-ede-cfb des-ede-ofb des-ede-cbc
+    des-ede3 des-ede3-cfb des-ede3-ofb des-ede3-cbc
+    desx-cbc rc4 rc4-40
+    idea-ecb idea-cfb idea-ofb idea-cbc
+    rc2-ecb rc2-cbc rc2-40-cbc rc2-cfb rc2-ofb
+    bf-ecb bf-cfb bf-ofb bf-cbc
+    cast5-ecb cast5-cfb cast5-ofb cast5-cbc
+    rc5-ecb rc5-cfb rc5-ofb rc5-cbc
+);
+
+sub OpenSSL::SSL::CTX::new_ssl { 
+    OpenSSL::SSL::new($_[0]);
+}
+
+sub OpenSSL::ERR::error {
+    my($o) = @_;
+    my($s, $ret);
+
+    while (($s = $o->get_error()) != 0) {
+        $ret.=$s."\n";
+    }
+    return($ret);
+}
+
+@OpenSSL::Cipher::aliases = qw(
+    des desx des3 idea rc2 bf cast
+);
+
+package OpenSSL::BN;
+
+sub bnfix { 
+    (ref($_[0]) ne "OpenSSL::BN") ? OpenSSL::BN::dec2bn($_[0]) : $_[0]; 
+}
+
+use overload
+"="    => sub { dup($_[0]); },
+"+"    => sub { add($_[0],$_[1]); },
+"-"    => sub { ($_[1],$_[0])=($_[0],$_[1]) if $_[2]; OpenSSL::BN::sub($_[0],$_[1]); },
+"*"    => sub { mul($_[0],$_[1]); },
+"**"   => sub { ($_[1],$_[0])=($_[0],$_[1]) if $_[2]; OpenSSL::BN::exp($_[0],$_[1]); },
+"/"    => sub { ($_[1],$_[0])=($_[0],$_[1]) if $_[2]; (div($_[0],$_[1]))[0]; },
+"%"    => sub { ($_[1],$_[0])=($_[0],$_[1]) if $_[2]; mod($_[0],$_[1]); },
+"<<"   => sub { lshift($_[0],$_[1]); },
+">>"   => sub { rshift($_[0],$_[1]); },
+"<=>"  => sub { OpenSSL::BN::cmp($_[0],$_[1]); },
+'""'   => sub { bn2dec($_[0]); },
+'0+'   => sub { dec2bn($_[0]); },
+"bool" => sub { ref($_[0]) eq "OpenSSL::BN"; };
+
+sub OpenSSL::BIO::do_accept { 
+    OpenSSL::BIO::do_handshake(@_);
+}
+
+1;
diff --git a/crypto/openssl/perl/OpenSSL.xs b/crypto/openssl/perl/OpenSSL.xs
new file mode 100644
index 0000000..2267168
--- /dev/null
+++ b/crypto/openssl/perl/OpenSSL.xs
@@ -0,0 +1,82 @@
+/*
+**  OpenSSL.xs
+*/
+
+#include "openssl.h"
+
+SV *
+new_ref(type, obj, mort)
+  char *type;
+  char *obj;
+{
+    SV *ret;
+
+    if (mort)
+        ret = sv_newmortal();
+    else
+        ret = newSViv(0);
+#ifdef DEBUG
+    printf(">new_ref %d\n",type);
+#endif
+    sv_setref_pv(ret, type, (void *)obj);
+    return(ret);
+}
+
+int 
+ex_new(obj, data, ad, idx, argl, argp)
+  char *obj;
+  SV *data;
+  CRYPTO_EX_DATA *ad;
+  int idx;
+  long argl;
+  char *argp;
+{
+    SV *sv;
+
+#ifdef DEBUG
+    printf("ex_new %08X %s\n",obj,argp); 
+#endif
+    sv = sv_newmortal();
+    sv_setref_pv(sv, argp, (void *)obj);
+#ifdef DEBUG
+    printf("%d>new_ref '%s'\n", sv, argp);
+#endif
+    CRYPTO_set_ex_data(ad, idx, (char *)sv);
+    return(1);
+}
+
+void 
+ex_cleanup(obj, data, ad, idx, argl, argp)
+  char *obj;
+  SV *data;
+  CRYPTO_EX_DATA *ad;
+  int idx;
+  long argl;
+  char *argp;
+{
+    pr_name("ex_cleanup");
+#ifdef DEBUG
+    printf("ex_cleanup %08X %s\n", obj, argp);
+#endif
+    if (data != NULL)
+        SvREFCNT_dec((SV *)data);
+}
+
+MODULE = OpenSSL  PACKAGE = OpenSSL
+
+PROTOTYPES: ENABLE
+
+BOOT:
+    boot_bio();
+    boot_cipher();
+    boot_digest();
+    boot_err();
+    boot_ssl();
+    boot_OpenSSL__BN();
+    boot_OpenSSL__BIO();
+    boot_OpenSSL__Cipher();
+    boot_OpenSSL__MD();
+    boot_OpenSSL__ERR();
+    boot_OpenSSL__SSL();
+    boot_OpenSSL__X509();
+
diff --git a/crypto/openssl/perl/README.1ST b/crypto/openssl/perl/README.1ST
new file mode 100644
index 0000000..7b5a1aa
--- /dev/null
+++ b/crypto/openssl/perl/README.1ST
@@ -0,0 +1,4 @@
+
+  WARNING, this Perl interface to OpenSSL is horrible incomplete.
+  Don't expect it to be really useable!!
+
diff --git a/crypto/openssl/perl/openssl.h b/crypto/openssl/perl/openssl.h
new file mode 100644
index 0000000..2712324
--- /dev/null
+++ b/crypto/openssl/perl/openssl.h
@@ -0,0 +1,96 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "EXTERN.h"
+#include "perl.h"
+#include "XSUB.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+typedef struct datum_st {
+    char *dptr;
+    int dsize;
+} datum;
+
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+
+#ifdef DEBUG
+#define pr_name(name)           printf("%s\n",name)
+#define pr_name_d(name,p2)      printf("%s %d\n",name,p2)
+#define pr_name_dd(name,p2,p3)  printf("%s %d %d\n",name,p2,p3)
+#else
+#define pr_name(name)
+#define pr_name_d(name,p2)
+#define pr_name_dd(name,p2,p3)
+#endif
+
+SV *new_ref(char *type, char *obj, int mort);
+int ex_new(char *obj, SV *data, CRYPTO_EX_DATA *ad, int idx, long argl, char *argp);
+void ex_cleanup(char *obj, SV *data, CRYPTO_EX_DATA *ad, int idx, long argl, char *argp);
+
diff --git a/crypto/openssl/perl/openssl_bio.xs b/crypto/openssl/perl/openssl_bio.xs
new file mode 100644
index 0000000..06d61af
--- /dev/null
+++ b/crypto/openssl/perl/openssl_bio.xs
@@ -0,0 +1,450 @@
+
+#include "openssl.h"
+
+static int p5_bio_ex_bio_ptr = 0;
+static int p5_bio_ex_bio_callback = 0;
+static int p5_bio_ex_bio_callback_data = 0;
+
+static long 
+p5_bio_callback(bio,state,parg,cmd,larg,ret)
+  BIO  *bio;
+  int   state;
+  char *parg;
+  int   cmd;
+  long  larg;
+  int   ret;
+{
+    int i;
+    SV *me,*cb;
+
+    me = (SV *)BIO_get_ex_data(bio, p5_bio_ex_bio_ptr);
+    cb = (SV *)BIO_get_ex_data(bio, p5_bio_ex_bio_callback);
+    if (cb != NULL) {
+        dSP;
+
+        ENTER;
+        SAVETMPS;
+
+        PUSHMARK(sp);
+        XPUSHs(sv_2mortal(newSVsv(me)));
+        XPUSHs(sv_2mortal(newSViv(state)));
+        XPUSHs(sv_2mortal(newSViv(cmd)));
+        if ((state == BIO_CB_READ) || (state == BIO_CB_WRITE))
+            XPUSHs(sv_2mortal(newSVpv(parg,larg)));
+        else
+            XPUSHs(&sv_undef);
+        /* ptr one */
+        XPUSHs(sv_2mortal(newSViv(larg)));
+        XPUSHs(sv_2mortal(newSViv(ret)));
+        PUTBACK;
+
+        i = perl_call_sv(cb,G_SCALAR);
+
+        SPAGAIN;
+        if (i == 1)
+            ret = POPi;
+        else
+            ret = 1;
+        PUTBACK;
+        FREETMPS;
+        LEAVE;
+    }
+    else {
+        croak("Internal error in p5_bio_callback");
+    }
+    return(ret);
+}
+
+int 
+boot_bio(void)
+{
+    p5_bio_ex_bio_ptr = BIO_get_ex_new_index(0, "OpenSSL::BIO", ex_new, NULL, ex_cleanup);
+    p5_bio_ex_bio_callback = BIO_get_ex_new_index(0, "bio_callback", NULL, NULL, ex_cleanup);
+    p5_bio_ex_bio_callback_data = BIO_get_ex_new_index(0, "bio_callback_data", NULL, NULL, ex_cleanup);
+    return(1);
+}
+
+MODULE = OpenSSL::BIO  PACKAGE = OpenSSL::BIO  PREFIX = p5_BIO_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+void
+p5_BIO_new_buffer_ssl_connect(...)
+    PROTOTYPE: ;$
+    PREINIT:
+        SSL_CTX *ctx;
+        BIO *bio;
+        SV *arg;
+    PPCODE:
+        if (items == 1)
+            arg = ST(0);
+        else if (items == 2)
+            arg = ST(1);
+        else
+            arg = NULL;
+        if ((arg == NULL) || !(sv_derived_from(arg,"OpenSSL::SSL::CTX")))
+            croak("Usage: OpenSSL::BIO::new_buffer_ssl_connect(SSL_CTX)");
+        else {
+            IV tmp = SvIV((SV *)SvRV(arg));
+            ctx = (SSL_CTX *)tmp;
+        }
+        EXTEND(sp, 1);
+        bio = BIO_new_buffer_ssl_connect(ctx);
+        arg = (SV *)BIO_get_ex_data(bio, p5_bio_ex_bio_ptr);
+        PUSHs(arg);
+    
+void
+p5_BIO_new_ssl_connect(...)
+    PROTOTYPE: ;$
+    PREINIT:
+        SSL_CTX *ctx;
+        BIO *bio;
+        SV *arg;
+    PPCODE:
+        if (items == 1)
+            arg = ST(0);
+        else if (items == 2)
+            arg = ST(1);
+        else
+            arg = NULL;
+        if ((arg == NULL) || !(sv_derived_from(arg,"OpenSSL::SSL::CTX")))
+            croak("Usage: OpenSSL::BIO::new_ssl_connect(SSL_CTX)");
+        else {
+            IV tmp = SvIV((SV *)SvRV(arg));
+            ctx = (SSL_CTX *)tmp;
+        }
+        EXTEND(sp,1);
+        bio = BIO_new_ssl_connect(ctx);
+        arg = (SV *)BIO_get_ex_data(bio,p5_bio_ex_bio_ptr);
+        PUSHs(arg);
+    
+void
+p5_BIO_new(...)
+    PROTOTYPE: ;$
+    PREINIT:
+        BIO *bio;
+        char *type;
+        SV *arg;
+    PPCODE:
+        pr_name("p5_BIO_new");
+        if ((items == 1) && SvPOK(ST(0)))
+            type = SvPV(ST(0),na);
+        else if ((items == 2) && SvPOK(ST(1)))
+            type = SvPV(ST(1),na);
+        else
+            croak("Usage: OpenSSL::BIO::new(type)");
+        EXTEND(sp,1);
+        if (strcmp(type, "mem") == 0)
+            bio=BIO_new(BIO_s_mem());
+        else if (strcmp(type, "socket") == 0)
+            bio=BIO_new(BIO_s_socket());
+        else if (strcmp(type, "connect") == 0)
+            bio=BIO_new(BIO_s_connect());
+        else if (strcmp(type, "accept") == 0)
+            bio=BIO_new(BIO_s_accept());
+        else if (strcmp(type, "fd") == 0)
+            bio=BIO_new(BIO_s_fd());
+        else if (strcmp(type, "file") == 0)
+            bio=BIO_new(BIO_s_file());
+        else if (strcmp(type, "null") == 0)
+            bio=BIO_new(BIO_s_null());
+        else if (strcmp(type, "ssl") == 0)
+            bio=BIO_new(BIO_f_ssl());
+        else if (strcmp(type, "buffer") == 0)
+            bio=BIO_new(BIO_f_buffer());
+        else
+            croak("unknown BIO type");
+        arg = (SV *)BIO_get_ex_data(bio,p5_bio_ex_bio_ptr);
+        PUSHs(arg);
+
+int
+p5_BIO_hostname(bio, name)
+    BIO *bio;
+    char *name;
+    PROTOTYPE: $$
+    CODE:
+        RETVAL = BIO_set_conn_hostname(bio, name);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_set_accept_port(bio, str)
+    BIO *bio;
+    char *str;
+    PROTOTYPE: $$
+    CODE:
+        RETVAL = BIO_set_accept_port(bio, str);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_do_handshake(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = BIO_do_handshake(bio);
+    OUTPUT:
+        RETVAL
+
+BIO *
+p5_BIO_push(b, bio)
+    BIO *b;
+    BIO *bio;
+    PROTOTYPE: $$
+    CODE:
+        /* This reference will be reduced when the reference is
+         * let go, and then when the BIO_free_all() is called
+         * inside the OpenSSL library by the BIO with this
+         * pushed into */
+        bio->references++;
+        RETVAL = BIO_push(b, bio);
+    OUTPUT:
+        RETVAL
+
+void
+p5_BIO_pop(b)
+    BIO *b
+    PROTOTYPE: $
+    PREINIT:
+        BIO *bio;
+        char *type;
+        SV *arg;
+    PPCODE:
+        bio = BIO_pop(b);
+        if (bio != NULL) {
+            /* This BIO will either be one created in the
+             * perl library, in which case it will have a perl
+             * SV, otherwise it will have been created internally,
+             * inside OpenSSL.  For the 'pushed in', it needs
+             * the reference count decremented. */
+            arg = (SV *)BIO_get_ex_data(bio, p5_bio_ex_bio_ptr);
+            if (arg == NULL) {
+                arg = new_ref("OpenSSL::BIO",(char *)bio,0);
+                BIO_set_ex_data(bio, p5_bio_ex_bio_ptr, (char *)arg);
+                PUSHs(arg);
+            }
+            else {
+                /* it was pushed in */
+                SvREFCNT_inc(arg);
+                PUSHs(arg);
+            }
+        }
+
+int
+p5_BIO_sysread(bio, in, num, ...)
+    BIO *bio;
+    SV *in;
+    int num;
+    PROTOTYPE: $$$;
+    PREINIT:
+        int i,n,olen;
+        int offset;
+        char *p;
+    CODE:
+        offset = 0;
+        if (!SvPOK(in))
+            sv_setpvn(in, "", 0);
+        SvPV(in, olen);
+        if (items > 3) {
+            offset = SvIV(ST(3));
+            if (offset < 0) {
+                if (-offset > olen)
+                    croak("Offset outside string");
+                offset+=olen;
+            }
+        }
+        if ((num+offset) > olen) {
+            SvGROW(in, num+offset+1);
+            p=SvPV(in, i);
+            memset(&(p[olen]), 0, (num+offset)-olen+1);
+        }
+        p = SvPV(in,n);
+        i = BIO_read(bio, p+offset, num);
+        RETVAL = i;
+        if (i <= 0) 
+            i = 0;
+        SvCUR_set(in, offset+i);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_syswrite(bio, in, ...)
+    BIO *bio;
+    SV *in;
+    PROTOTYPE: $$;
+    PREINIT:
+        char *ptr;
+        int len,in_len;
+        int offset=0;
+        int n;
+    CODE:
+        ptr = SvPV(in, in_len);
+        if (items > 2) {
+            len = SvOK(ST(2)) ? SvIV(ST(2)) : in_len;
+            if (items > 3) {
+                offset = SvIV(ST(3));
+                if (offset < 0) {
+                    if (-offset > in_len)
+                        croak("Offset outside string");
+                    offset+=in_len;
+                }
+                else if ((offset >= in_len) && (in_len > 0))
+                    croak("Offset outside string");
+            }
+            if (len >= (in_len-offset))
+                len = in_len-offset;
+        }
+        else
+            len = in_len;
+        RETVAL = BIO_write(bio, ptr+offset, len);
+    OUTPUT:
+        RETVAL
+
+void
+p5_BIO_getline(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    PREINIT:
+        int i;
+        char *p;
+    PPCODE:
+        pr_name("p5_BIO_gets");
+        EXTEND(sp, 1);
+        PUSHs(sv_newmortal());
+        sv_setpvn(ST(0), "", 0);
+        SvGROW(ST(0), 1024);
+        p=SvPV(ST(0), na);
+        i = BIO_gets(bio, p, 1024);
+        if (i < 0) 
+            i = 0;
+        SvCUR_set(ST(0), i);
+
+int
+p5_BIO_flush(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = BIO_flush(bio);
+    OUTPUT:
+        RETVAL
+
+char *
+p5_BIO_type(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = bio->method->name;
+    OUTPUT:
+        RETVAL
+
+void
+p5_BIO_next_bio(b)
+    BIO *b
+    PROTOTYPE: $
+    PREINIT:
+        BIO *bio;
+        char *type;
+        SV *arg;
+    PPCODE:
+        bio = b->next_bio;
+        if (bio != NULL) {
+            arg = (SV *)BIO_get_ex_data(bio, p5_bio_ex_bio_ptr);
+            if (arg == NULL) {
+                arg = new_ref("OpenSSL::BIO", (char *)bio, 0);
+                BIO_set_ex_data(bio, p5_bio_ex_bio_ptr, (char *)arg);
+                bio->references++;
+                PUSHs(arg);
+            }
+            else {
+                SvREFCNT_inc(arg);
+                PUSHs(arg);
+            }
+        }
+
+int
+p5_BIO_puts(bio, in)
+    BIO *bio;
+    SV *in;
+    PROTOTYPE: $$
+    PREINIT:
+        char *ptr;
+    CODE:
+        ptr = SvPV(in,na);
+        RETVAL = BIO_puts(bio, ptr);
+    OUTPUT:
+        RETVAL
+
+void
+p5_BIO_set_callback(bio, cb,...)
+    BIO *bio;
+    SV *cb;
+    PROTOTYPE: $$;
+    PREINIT:
+        SV *arg  = NULL;
+        SV *arg2 = NULL;
+    CODE:
+        if (items > 3)
+            croak("Usage: OpenSSL::BIO::set_callback(bio,callback[,arg]");
+        if (items == 3) {
+            arg2 = sv_mortalcopy(ST(2));
+            SvREFCNT_inc(arg2);
+            BIO_set_ex_data(bio, p5_bio_ex_bio_callback_data, (char *)arg2);
+        }
+        arg = sv_mortalcopy(ST(1));
+        SvREFCNT_inc(arg);
+        BIO_set_ex_data(bio, p5_bio_ex_bio_callback, (char *)arg);
+        /* printf("%08lx < bio_ptr\n",BIO_get_ex_data(bio,p5_bio_ex_bio_ptr)); */
+        BIO_set_callback(bio, p5_bio_callback);
+
+void
+p5_BIO_DESTROY(bio)
+    BIO *bio
+    PROTOTYPE: $
+    PREINIT:
+        SV *sv;
+    PPCODE:
+        pr_name_d("p5_BIO_DESTROY",bio->references);
+        /* printf("p5_BIO_DESTROY <%s> %d\n",bio->method->name,bio->references); */
+        BIO_set_ex_data(bio,p5_bio_ex_bio_ptr,NULL);
+        BIO_free_all(bio);
+
+int
+p5_BIO_set_ssl(bio, ssl)
+    BIO *bio;
+    SSL *ssl;
+    PROTOTYPE: $$
+    CODE:
+        pr_name("p5_BIO_set_ssl");
+        ssl->references++;
+        RETVAL = BIO_set_ssl(bio, ssl, BIO_CLOSE);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_number_read(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = BIO_number_read(bio);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_number_written(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = BIO_number_written(bio);
+    OUTPUT:
+        RETVAL
+
+int
+p5_BIO_references(bio)
+    BIO *bio;
+    PROTOTYPE: $
+    CODE:
+        RETVAL = bio->references; 
+    OUTPUT:
+        RETVAL
+
diff --git a/crypto/openssl/perl/openssl_bn.xs b/crypto/openssl/perl/openssl_bn.xs
new file mode 100644
index 0000000..f79bf87
--- /dev/null
+++ b/crypto/openssl/perl/openssl_bn.xs
@@ -0,0 +1,593 @@
+
+#include "openssl.h"
+
+int sv_to_BIGNUM(var,arg,name)
+BIGNUM **var;
+SV *arg;
+char *name;
+	{
+	int ret=1;
+
+	if (sv_derived_from(arg,"OpenSSL::BN"))
+		{
+		IV tmp = SvIV((SV*)SvRV(arg));
+		*var = (BIGNUM *) tmp;
+		}
+	else if (SvIOK(arg)) {
+		SV *tmp=sv_newmortal();
+		*var=BN_new();
+		BN_set_word(*var,SvIV(arg));
+		sv_setref_pv(tmp,"OpenSSL::BN",(void*)*var);
+		}
+	else if (SvPOK(arg)) {
+		char *ptr;
+		STRLEN len;
+		SV *tmp=sv_newmortal();
+		*var=BN_new();
+		sv_setref_pv(tmp,"OpenSSL::BN", (void*)*var);
+		ptr=SvPV(arg,len);
+		SvGROW(arg,len+1);
+		ptr[len]='\0';
+		BN_dec2bn(var,ptr);
+		}
+	else
+		{
+		croak(name);
+		ret=0;
+		}
+	return(ret);
+	}
+
+typedef struct gpc_args_st {
+	SV *cb;
+	SV *arg;
+	} GPC_ARGS;
+
+static void generate_prime_callback(pos,num,arg)
+int pos;
+int num;
+char *arg;
+	{
+	dSP ;
+	int i;
+	GPC_ARGS *a=(GPC_ARGS *)arg;
+
+	ENTER ;
+	SAVETMPS ;
+
+	PUSHMARK(sp);
+	XPUSHs(sv_2mortal(newSViv(pos)));
+	XPUSHs(sv_2mortal(newSViv(num)));
+	XPUSHs(sv_2mortal(newSVsv(a->arg)));
+	PUTBACK;
+
+	i=perl_call_sv(a->cb,G_DISCARD);
+
+	SPAGAIN;
+
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+	}
+
+MODULE =  OpenSSL::BN	PACKAGE = OpenSSL::BN	PREFIX = p5_BN_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+void
+p5_BN_new(...)
+	PREINIT:
+		BIGNUM *bn;
+		SV *arg;
+	PPCODE:
+		pr_name("p5_BN_new");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		bn=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)bn);
+
+void
+p5_BN_dup(a)
+	BIGNUM *a;
+	PREINIT:
+		BIGNUM *bn;
+	PPCODE:
+		pr_name("p5_BN_dup");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		bn=BN_dup(a);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)bn);
+
+void
+p5_BN_rand(bits,...)
+	int bits;
+	PREINIT:
+		int top=1;
+		int bottom=0;
+		BIGNUM *ret;
+	PPCODE:	
+		pr_name("p5_BN_rand");
+		if ((items < 1) || (items > 3))
+			croak("Usage: OpenSSL::BN::rand(bits[,top_bit][,bottombit]");
+		if (items >= 2) top=(int)SvIV(ST(0));
+		if (items >= 3) bottom=(int)SvIV(ST(1));
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		BN_rand(ret,bits,top,bottom);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+
+void
+p5_BN_bin2bn(a)
+	datum a;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_bin2bn");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_bin2bn(a.dptr,a.dsize,NULL);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+
+void
+p5_BN_bn2bin(a)
+	BIGNUM *a;
+	PREINIT:
+		int i;
+	PPCODE:
+		pr_name("p5_BN_bn2bin");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		i=BN_num_bytes(a)+2;
+		sv_setpvn(ST(0),"",1);
+		SvGROW(ST(0),i+1);
+		SvCUR_set(ST(0),BN_bn2bin(a,SvPV(ST(0),na)));
+
+void
+p5_BN_mpi2bn(a)
+	datum a;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mpi2bn");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_mpi2bn(a.dptr,a.dsize,NULL);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+
+void
+p5_BN_bn2mpi(a)
+	BIGNUM *a;
+	PREINIT:
+		int i;
+	PPCODE:
+		pr_name("p5_BN_bn2mpi");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		i=BN_bn2mpi(a,NULL);
+		sv_setpvn(ST(0),"",1);
+		SvGROW(ST(0),i+1);
+		SvCUR_set(ST(0),BN_bn2mpi(a,SvPV(ST(0),na)));
+
+void
+p5_BN_hex2bn(a)
+	datum a;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_hex2bn");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_hex2bn(&ret,a.dptr);
+
+void
+p5_BN_dec2bn(a)
+	datum a;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_dec2bn");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_dec2bn(&ret,a.dptr);
+
+SV *
+p5_BN_bn2hex(a)
+	BIGNUM *a;
+	PREINIT:
+		char *ptr;
+		int i;
+	CODE:
+		pr_name("p5_BN_bn2hex");
+		ptr=BN_bn2hex(a);
+		RETVAL=newSVpv("",0);
+		i=strlen(ptr);
+		SvGROW(RETVAL,i+1);
+		memcpy(SvPV(RETVAL,na),ptr,i+1);
+		SvCUR_set(RETVAL,i);
+		Free(ptr);
+	OUTPUT:
+		RETVAL
+
+SV *
+p5_BN_bn2dec(a)
+	BIGNUM *a;
+	PREINIT:
+		char *ptr;
+		int i;
+	CODE:
+		pr_name("p5_BN_bn2dec");
+		ptr=BN_bn2dec(a);
+		RETVAL=newSVpv("",0);
+		i=strlen(ptr);
+		SvGROW(RETVAL,i+1);
+		memcpy(SvPV(RETVAL,na),ptr,i+1);
+		SvCUR_set(RETVAL,i);
+		Free(ptr);
+	OUTPUT:
+		RETVAL
+
+void
+p5_BN_add(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_add");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_add(ret,a,b);
+
+void
+p5_BN_sub(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_sub");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_sub(ret,a,b);
+
+void
+p5_BN_mul(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mul");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_mul(ret,a,b,ctx);
+
+void
+p5_BN_div(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *div,*mod;
+	PPCODE:
+		pr_name("p5_BN_div");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,2);
+		PUSHs(sv_newmortal());
+		PUSHs(sv_newmortal());
+		div=BN_new();
+		mod=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)div);
+		sv_setref_pv(ST(1), "OpenSSL::BN", (void*)mod);
+		BN_div(div,mod,a,b,ctx);
+
+void
+p5_BN_mod(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *rem;
+	PPCODE:
+		pr_name("p5_BN_mod");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		rem=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)rem);
+		BN_mod(rem,a,b,ctx);
+
+void
+p5_BN_exp(a,p)
+	BIGNUM *a;
+	BIGNUM *p;
+	PREINIT:
+		BIGNUM *ret;
+		static BN_CTX *ctx=NULL;
+	PPCODE:
+		pr_name("p5_BN_exp");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_exp(ret,a,p,ctx);
+
+void
+p5_BN_mod_mul(a,b,c)
+	BIGNUM *a;
+	BIGNUM *b;
+	BIGNUM *c;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mod_mul");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_mod_mul(ret,a,b,c,ctx);
+
+void
+p5_BN_mod_exp(a,b,c)
+	BIGNUM *a;
+	BIGNUM *b;
+	BIGNUM *c;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mod_exp");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_mod_exp(ret,a,b,c,ctx);
+
+void
+p5_BN_generate_prime(...)
+	PREINIT:
+		int bits=512;
+		int strong=0;
+		BIGNUM *ret=NULL;
+		SV *callback=NULL;
+		SV *cb_arg=NULL;
+		GPC_ARGS arg;
+		dSP;
+
+	PPCODE:
+		pr_name("p5_BN_generate_prime");
+		if ((items < 0) || (items > 4))
+			croak("Usage: OpenSSL::BN::generate_prime(a[,strong][,callback][,cb_arg]");
+		if (items >= 1) bits=(int)SvIV(ST(0));
+		if (items >= 2) strong=(int)SvIV(ST(1));
+		if (items >= 3) callback=ST(2);
+		if (items == 4) cb_arg=ST(3);
+
+		if (callback == NULL)
+			ret=BN_generate_prime(ret,bits,strong,NULL,NULL,NULL,NULL);
+		else
+			{
+			arg.cb=callback;
+			arg.arg=cb_arg;
+
+			ret=BN_generate_prime(ret,bits,strong,NULL,NULL,
+				generate_prime_callback,(char *)&arg);
+			}
+
+		SPAGAIN;
+		sp-=items; /* a bit evil that I do this */
+
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+
+void
+p5_BN_is_prime(p,...)
+	BIGNUM *p;
+	PREINIT:
+	int nchecks=5,ret;
+	SV *callback=NULL;
+	SV *cb_arg=NULL;
+	GPC_ARGS arg;
+	dSP;
+	static BN_CTX *ctx=NULL;
+	PPCODE:
+		pr_name("p5_BN_is_prime");
+		if ((items < 1) || (items > 4))
+			croak("Usage: OpenSSL::BN::is_prime(a[,ncheck][,callback][,callback_arg]");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		if (items >= 2) nchecks=(int)SvIV(ST(1));
+		if (items >= 3) callback=ST(2);
+		if (items >= 4) cb_arg=ST(3);
+		arg.arg=cb_arg; 
+		if (callback == NULL)
+			ret=BN_is_prime(p,nchecks,NULL,ctx,NULL);
+		else
+			{
+			arg.cb=callback;
+			arg.arg=cb_arg;
+			ret=BN_is_prime(p,nchecks,generate_prime_callback,
+				ctx,(char *)&arg);
+			}
+		SPAGAIN;
+		sp-=items; /* a bit evil */
+		PUSHs(sv_2mortal(newSViv(ret)));
+
+int
+p5_BN_num_bits(a)
+	BIGNUM *a;
+	CODE:
+		pr_name("p5_BN_num_bits");
+		RETVAL=BN_num_bits(a);
+	OUTPUT:
+		RETVAL
+
+int
+p5_BN_cmp(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	CODE:
+		pr_name("p5_BN_cmp");
+		RETVAL=BN_cmp(a,b);
+	OUTPUT:
+		RETVAL
+
+int
+p5_BN_ucmp(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	CODE:
+		pr_name("p5_BN_ucmp");
+		RETVAL=BN_ucmp(a,b);
+	OUTPUT:
+		RETVAL
+
+int
+p5_BN_is_bit_set(a,b)
+	BIGNUM *a;
+	int b;
+	CODE:
+		pr_name("p5_BN_is_bit_set");
+		RETVAL=BN_is_bit_set(a,b);
+	OUTPUT:
+		RETVAL
+
+void
+p5_BN_set_bit(a,b)
+	BIGNUM *a;
+	int b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_set_bit");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_dup(a);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_set_bit(ret,b);
+
+void
+p5_BN_clear_bit(a,b)
+	BIGNUM *a;
+	int b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_clear_bit");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_dup(a);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_clear_bit(ret,b);
+
+void
+p5_BN_lshift(a,b)
+	BIGNUM *a;
+	int b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_lshift");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		if (b == 1)
+			BN_lshift1(ret,a);
+		else
+			BN_lshift(ret,a,b);
+
+void
+p5_BN_rshift(a,b)
+	BIGNUM *a;
+	int b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_rshift");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		if (b == 1)
+			BN_rshift1(ret,a);
+		else
+			BN_rshift(ret,a,b);
+
+void
+p5_BN_mask_bits(a,b)
+	BIGNUM *a;
+	int b;
+	PREINIT:
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mask_bits");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_dup(a);
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_mask_bits(ret,b);
+
+void
+p5_BN_clear(a)
+	BIGNUM *a;
+	PPCODE:
+		pr_name("p5_BN_clear");
+		BN_clear(a);
+
+void
+p5_BN_gcd(a,b)
+	BIGNUM *a;
+	BIGNUM *b;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_gcd");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ret=BN_new();
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+		BN_gcd(ret,a,b,ctx);
+
+void
+p5_BN_mod_inverse(a,mod)
+	BIGNUM *a;
+	BIGNUM *mod;
+	PREINIT:
+		static BN_CTX *ctx=NULL;
+		BIGNUM *ret;
+	PPCODE:
+		pr_name("p5_BN_mod_inverse");
+		if (ctx == NULL) ctx=BN_CTX_new();
+		ret=BN_mod_inverse(ret,a,mod,ctx);
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		sv_setref_pv(ST(0), "OpenSSL::BN", (void*)ret);
+
+void
+p5_BN_DESTROY(bn)
+	BIGNUM *bn
+	CODE:
+	pr_name("p5_BN_DESTROY");
+	BN_free(bn);
+
diff --git a/crypto/openssl/perl/openssl_cipher.xs b/crypto/openssl/perl/openssl_cipher.xs
new file mode 100644
index 0000000..e9ff2a8
--- /dev/null
+++ b/crypto/openssl/perl/openssl_cipher.xs
@@ -0,0 +1,154 @@
+
+#include "openssl.h"
+
+int boot_cipher()
+	{
+        SSLeay_add_all_ciphers();
+	return(1);
+	}
+
+MODULE =  OpenSSL::Cipher	PACKAGE = OpenSSL::Cipher PREFIX = p5_EVP_C_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+void
+p5_EVP_C_new(...)
+	PREINIT:
+		EVP_CIPHER_CTX *ctx;
+		const EVP_CIPHER *c;
+		char *name;
+	PPCODE:
+		if ((items == 1) && SvPOK(ST(0)))
+			name=SvPV(ST(0),na);
+		else if ((items == 2) && SvPOK(ST(1)))
+			name=SvPV(ST(1),na);
+		else
+			croak("Usage: OpenSSL::Cipher::new(type)");
+		PUSHs(sv_newmortal());
+		c=EVP_get_cipherbyname(name);
+		if (c != NULL)
+			{
+			ctx=malloc(sizeof(EVP_CIPHER_CTX));
+			EVP_EncryptInit(ctx,c,NULL,NULL);
+			sv_setref_pv(ST(0), "OpenSSL::Cipher", (void*)ctx);
+			}
+
+datum
+p5_EVP_C_name(ctx)
+	EVP_CIPHER_CTX *ctx
+	CODE:
+		RETVAL.dptr=OBJ_nid2ln(EVP_CIPHER_CTX_nid(ctx));
+		RETVAL.dsize=strlen(RETVAL.dptr);
+	OUTPUT:
+		RETVAL
+
+int
+p5_EVP_C_key_length(ctx)
+	EVP_CIPHER_CTX *ctx
+	CODE:
+		RETVAL=EVP_CIPHER_CTX_key_length(ctx);
+	OUTPUT:
+		RETVAL
+
+int
+p5_EVP_C_iv_length(ctx)
+	EVP_CIPHER_CTX *ctx
+	CODE:
+		RETVAL=EVP_CIPHER_CTX_iv_length(ctx);
+	OUTPUT:
+		RETVAL
+	
+int
+p5_EVP_C_block_size(ctx)
+	EVP_CIPHER_CTX *ctx
+	CODE:
+		RETVAL=EVP_CIPHER_CTX_block_size(ctx);
+	OUTPUT:
+		RETVAL
+	
+void
+p5_EVP_C_init(ctx,key,iv,enc)
+	EVP_CIPHER_CTX *ctx
+	datum key
+	datum iv
+	int enc
+	PREINIT:
+		char loc_iv[EVP_MAX_IV_LENGTH];
+		char loc_key[EVP_MAX_KEY_LENGTH];
+		char *ip=loc_iv,*kp=loc_key;
+		int i;
+		memset(loc_iv,0,EVP_MAX_IV_LENGTH);
+		memset(loc_key,0,EVP_MAX_KEY_LENGTH);
+	CODE:
+		i=key.dsize;
+		if (key.dsize > EVP_CIPHER_CTX_key_length(ctx))
+			i=EVP_CIPHER_CTX_key_length(ctx);
+		if (i > 0)
+			{
+			memset(kp,0,EVP_MAX_KEY_LENGTH);
+			memcpy(kp,key.dptr,i);
+			}
+		else
+			kp=NULL;
+		i=iv.dsize;
+		if (iv.dsize > EVP_CIPHER_CTX_iv_length(ctx))
+			i=EVP_CIPHER_CTX_iv_length(ctx);
+		if (i > 0)
+			{
+			memcpy(ip,iv.dptr,i);
+			memset(ip,0,EVP_MAX_IV_LENGTH);
+			}
+		else
+			ip=NULL;
+		EVP_CipherInit(ctx,EVP_CIPHER_CTX_cipher(ctx),kp,ip,enc);
+		memset(loc_key,0,sizeof(loc_key));
+		memset(loc_iv,0,sizeof(loc_iv));
+
+SV *
+p5_EVP_C_cipher(ctx,in)
+	EVP_CIPHER_CTX *ctx;
+	datum in;
+	CODE:
+		RETVAL=newSVpv("",0);
+		SvGROW(RETVAL,in.dsize+EVP_CIPHER_CTX_block_size(ctx)+1);
+		EVP_Cipher(ctx,SvPV(RETVAL,na),in.dptr,in.dsize);
+		SvCUR_set(RETVAL,in.dsize);
+	OUTPUT:
+		RETVAL
+
+SV *
+p5_EVP_C_update(ctx, in)
+	EVP_CIPHER_CTX *ctx
+	datum in
+	PREINIT:
+	int i;
+	CODE:
+		RETVAL=newSVpv("",0);
+		SvGROW(RETVAL,in.dsize+EVP_CIPHER_CTX_block_size(ctx)+1);
+		EVP_CipherUpdate(ctx,SvPV(RETVAL,na),&i,in.dptr,in.dsize);
+		SvCUR_set(RETVAL,i);
+	OUTPUT:
+		RETVAL
+
+SV *
+p5_EVP_C_final(ctx)
+	EVP_CIPHER_CTX *ctx
+	PREINIT:
+	int i;
+	CODE:
+		RETVAL=newSVpv("",0);
+		SvGROW(RETVAL,EVP_CIPHER_CTX_block_size(ctx)+1);
+		if (!EVP_CipherFinal(ctx,SvPV(RETVAL,na),&i))
+			sv_setpv(RETVAL,"BAD DECODE");
+		else
+			SvCUR_set(RETVAL,i);
+	OUTPUT:
+		RETVAL
+
+void
+p5_EVP_C_DESTROY(ctx)
+	EVP_CIPHER_CTX *ctx
+	CODE:
+	free((char *)ctx);
+
diff --git a/crypto/openssl/perl/openssl_digest.xs b/crypto/openssl/perl/openssl_digest.xs
new file mode 100644
index 0000000..6cd3018
--- /dev/null
+++ b/crypto/openssl/perl/openssl_digest.xs
@@ -0,0 +1,84 @@
+
+#include "openssl.h"
+
+int boot_digest()
+	{
+	SSLeay_add_all_digests();
+	return(1);
+	}
+
+MODULE =  OpenSSL::MD	PACKAGE = OpenSSL::MD	PREFIX = p5_EVP_MD_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+# OpenSSL::MD::new(name) name= md2, md5, sha, sha1, or mdc2
+#	md->name() - returns the name
+#	md->init() - reinitalises the digest
+#	md->update(data) - adds more data to digest
+#	digest=md->final() - returns digest
+#
+
+void
+p5_EVP_MD_new(...)
+	PREINIT:
+		EVP_MD_CTX *ctx;
+		const EVP_MD *md;
+		char *name;
+	PPCODE:
+		if ((items == 1) && SvPOK(ST(0)))
+			name=SvPV(ST(0),na);
+		else if ((items == 2) && SvPOK(ST(1)))
+			name=SvPV(ST(1),na);
+		else
+			croak("Usage: OpenSSL::MD::new(type)");
+		PUSHs(sv_newmortal());
+		md=EVP_get_digestbyname(name);
+		if (md != NULL)
+			{
+			ctx=malloc(sizeof(EVP_MD_CTX));
+			EVP_DigestInit(ctx,md);
+			sv_setref_pv(ST(0), "OpenSSL::MD", (void*)ctx);
+			}
+
+datum
+p5_EVP_MD_name(ctx)
+	EVP_MD_CTX *ctx
+	CODE:
+		RETVAL.dptr=OBJ_nid2ln(EVP_MD_type(EVP_MD_CTX_type(ctx)));
+		RETVAL.dsize=strlen(RETVAL.dptr);
+	OUTPUT:
+		RETVAL
+	
+void
+p5_EVP_MD_init(ctx)
+	EVP_MD_CTX *ctx
+	CODE:
+		EVP_DigestInit(ctx,EVP_MD_CTX_type(ctx));
+
+void
+p5_EVP_MD_update(ctx, in)
+	EVP_MD_CTX *ctx
+	datum in
+	CODE:
+		EVP_DigestUpdate(ctx,in.dptr,in.dsize);
+
+datum
+p5_EVP_MD_final(ctx)
+	EVP_MD_CTX *ctx
+	PREINIT:
+		char md[EVP_MAX_MD_SIZE];
+		int len;
+	CODE:
+		EVP_DigestFinal(ctx,md,&len);
+		RETVAL.dptr=md;
+		RETVAL.dsize=len;
+	OUTPUT:
+		RETVAL
+
+void
+p5_EVP_MD_DESTROY(ctx)
+	EVP_MD_CTX *ctx
+	CODE:
+	free((char *)ctx);
+
diff --git a/crypto/openssl/perl/openssl_err.xs b/crypto/openssl/perl/openssl_err.xs
new file mode 100644
index 0000000..3a6f698
--- /dev/null
+++ b/crypto/openssl/perl/openssl_err.xs
@@ -0,0 +1,47 @@
+
+#include "openssl.h"
+
+int boot_err()
+	{
+	SSL_load_error_strings();
+	return(1);
+	}
+
+MODULE =  OpenSSL::ERR	PACKAGE = OpenSSL::ERR	PREFIX = p5_ERR_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+#	md->error() - returns the last error in text or numeric context
+
+void
+p5_ERR_get_error(...)
+	PPCODE:
+		char buf[512];
+		unsigned long l;
+
+		pr_name("p5_ERR_get_code");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		l=ERR_get_error();
+		ERR_error_string(l,buf);
+		sv_setiv(ST(0),l);
+		sv_setpv(ST(0),buf);
+		SvIOK_on(ST(0));
+
+void
+p5_ERR_peek_error(...)
+	PPCODE:
+		char buf[512];
+		unsigned long l;
+
+		pr_name("p5_ERR_get_code");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		l=ERR_peek_error();
+		ERR_error_string(l,buf);
+		sv_setiv(ST(0),l);
+		sv_setpv(ST(0),buf);
+		SvIOK_on(ST(0));
+
+
diff --git a/crypto/openssl/perl/openssl_ssl.xs b/crypto/openssl/perl/openssl_ssl.xs
new file mode 100644
index 0000000..c7d1b17
--- /dev/null
+++ b/crypto/openssl/perl/openssl_ssl.xs
@@ -0,0 +1,483 @@
+
+#include "openssl.h"
+
+static int p5_ssl_ex_ssl_ptr=0;
+static int p5_ssl_ex_ssl_info_callback=0;
+static int p5_ssl_ex_ssl_ctx_ptr=0;
+static int p5_ssl_ctx_ex_ssl_info_callback=0;
+
+typedef struct ssl_ic_args_st {
+	SV *cb;
+	SV *arg;
+	} SSL_IC_ARGS;
+
+static void p5_ssl_info_callback(ssl,mode,ret)
+SSL *ssl;
+int mode;
+int ret;
+	{
+	int i;
+	SV *me,*cb;
+
+	me=(SV *)SSL_get_ex_data(ssl,p5_ssl_ex_ssl_ptr);
+	cb=(SV *)SSL_get_ex_data(ssl,p5_ssl_ex_ssl_info_callback);
+	if (cb == NULL)
+		cb=(SV *)SSL_CTX_get_ex_data(
+			SSL_get_SSL_CTX(ssl),p5_ssl_ctx_ex_ssl_info_callback);
+	if (cb != NULL)
+		{
+		dSP;
+
+		PUSHMARK(sp);
+		XPUSHs(me);
+		XPUSHs(sv_2mortal(newSViv(mode)));
+		XPUSHs(sv_2mortal(newSViv(ret)));
+		PUTBACK;
+
+		i=perl_call_sv(cb,G_DISCARD);
+		}
+	else
+		{
+		croak("Internal error in SSL p5_ssl_info_callback");
+		}
+	}
+
+int boot_ssl()
+	{
+	p5_ssl_ex_ssl_ptr=		
+		SSL_get_ex_new_index(0,"OpenSSL::SSL",ex_new,NULL,ex_cleanup);
+	p5_ssl_ex_ssl_info_callback=
+		SSL_get_ex_new_index(0,"ssl_info_callback",NULL,NULL,
+			ex_cleanup);
+	p5_ssl_ex_ssl_ctx_ptr=
+		SSL_get_ex_new_index(0,"ssl_ctx_ptr",NULL,NULL,
+			ex_cleanup);
+	p5_ssl_ctx_ex_ssl_info_callback=
+		SSL_CTX_get_ex_new_index(0,"ssl_ctx_info_callback",NULL,NULL,
+			ex_cleanup);
+	return(1);
+	}
+
+MODULE =  OpenSSL::SSL	PACKAGE = OpenSSL::SSL::CTX PREFIX = p5_SSL_CTX_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+void
+p5_SSL_CTX_new(...)
+	PREINIT:
+		SSL_METHOD *meth;
+		SSL_CTX *ctx;
+		char *method;
+	PPCODE:
+		pr_name("p5_SSL_CTX_new");
+		if ((items == 1) && SvPOK(ST(0)))
+			method=SvPV(ST(0),na);
+		else if ((items == 2) && SvPOK(ST(1)))
+			method=SvPV(ST(1),na);
+		else
+			croak("Usage: OpenSSL::SSL::CTX::new(type)");
+			
+		if (strcmp(method,"SSLv3") == 0)
+			meth=SSLv3_method();
+		else if (strcmp(method,"SSLv3_client") == 0)
+			meth=SSLv3_client_method();
+		else if (strcmp(method,"SSLv3_server") == 0)
+			meth=SSLv3_server_method();
+		else if (strcmp(method,"SSLv23") == 0)
+			meth=SSLv23_method();
+		else if (strcmp(method,"SSLv23_client") == 0)
+			meth=SSLv23_client_method();
+		else if (strcmp(method,"SSLv23_server") == 0)
+			meth=SSLv23_server_method();
+		else if (strcmp(method,"SSLv2") == 0)
+			meth=SSLv2_method();
+		else if (strcmp(method,"SSLv2_client") == 0)
+			meth=SSLv2_client_method();
+		else if (strcmp(method,"SSLv2_server") == 0)
+			meth=SSLv2_server_method();
+		else if (strcmp(method,"TLSv1") == 0)
+			meth=TLSv1_method();
+		else if (strcmp(method,"TLSv1_client") == 0)
+			meth=TLSv1_client_method();
+		else if (strcmp(method,"TLSv1_server") == 0)
+			meth=TLSv1_server_method();
+		else
+			{
+			croak("Not a valid SSL method name, should be 'SSLv[23] [client|server]'");
+			}
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ctx=SSL_CTX_new(meth);
+		sv_setref_pv(ST(0), "OpenSSL::SSL::CTX", (void*)ctx);
+
+int
+p5_SSL_CTX_use_PrivateKey_file(ctx,file,...)
+	SSL_CTX *ctx;
+	char *file;
+	PREINIT:
+		int i=SSL_FILETYPE_PEM;
+		char *ptr;
+	CODE:
+		pr_name("p5_SSL_CTX_use_PrivateKey_file");
+		if (items > 3)
+			croak("OpenSSL::SSL::CTX::use_PrivateKey_file(ssl_ctx,file[,type])");
+		if (items == 3)
+			{
+			ptr=SvPV(ST(2),na);
+			if (strcmp(ptr,"der") == 0)
+				i=SSL_FILETYPE_ASN1;
+			else
+				i=SSL_FILETYPE_PEM;
+			}
+		RETVAL=SSL_CTX_use_RSAPrivateKey_file(ctx,file,i);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_CTX_set_options(ctx,...)
+	SSL_CTX *ctx;
+	PREINIT:
+		int i;
+		char *ptr;
+		SV *sv;
+	CODE:
+		pr_name("p5_SSL_CTX_set_options");
+
+		for (i=1; i<items; i++)
+			{
+			if (!SvPOK(ST(i)))
+				croak("Usage: OpenSSL::SSL_CTX::set_options(ssl_ctx[,option,value]+)");
+			ptr=SvPV(ST(i),na);
+			if (strcmp(ptr,"-info_callback") == 0)
+				{
+				SSL_CTX_set_info_callback(ctx,
+					p5_ssl_info_callback);
+				sv=sv_mortalcopy(ST(i+1));
+				SvREFCNT_inc(sv);
+				SSL_CTX_set_ex_data(ctx,
+					p5_ssl_ctx_ex_ssl_info_callback,
+						(char *)sv);
+				i++;
+				}
+			else
+				{
+				croak("OpenSSL::SSL_CTX::set_options(): unknown option");
+				}
+			}
+
+void
+p5_SSL_CTX_DESTROY(ctx)
+	SSL_CTX *ctx
+	PREINIT:
+		SV *sv;
+	PPCODE:
+		pr_name_d("p5_SSL_CTX_DESTROY",ctx->references);
+		SSL_CTX_free(ctx);
+
+MODULE =  OpenSSL::SSL	PACKAGE = OpenSSL::SSL PREFIX = p5_SSL_
+
+void
+p5_SSL_new(...)
+	PREINIT:
+		SV *sv_ctx;
+		SSL_CTX *ctx;
+		SSL *ssl;
+		SV *arg;
+	PPCODE:
+		pr_name("p5_SSL_new");
+		if ((items != 1) && (items != 2))
+			croak("Usage: OpenSSL::SSL::new(ssl_ctx)");
+		if (sv_derived_from(ST(items-1),"OpenSSL::SSL::CTX"))
+			{
+			IV tmp = SvIV((SV*)SvRV(ST(items-1)));
+			ctx=(SSL_CTX *)tmp;
+			sv_ctx=ST(items-1);
+			}
+		else
+			croak("ssl_ctx is not of type OpenSSL::SSL::CTX");
+
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		ssl=SSL_new(ctx);
+		sv_setref_pv(ST(0), "OpenSSL::SSL", (void*)ssl);
+
+		/* Now this is being a little hairy, we keep a pointer to
+		 * our perl reference.  We need to do a different one
+		 * to the one we return because it will have its reference
+		 * count dropped to 0 upon return and if we up its reference
+		 * count, it will never be DESTROYED */
+		arg=newSVsv(ST(0));
+		SSL_set_ex_data(ssl,p5_ssl_ex_ssl_ptr,(char *)arg);
+		SvREFCNT_inc(sv_ctx);
+		SSL_set_ex_data(ssl,p5_ssl_ex_ssl_ctx_ptr,(char *)sv_ctx);
+
+int
+p5_SSL_connect(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_connect(ssl);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_accept(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_connect(ssl);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_sysread(ssl,in,num, ...)
+	SSL *ssl;
+	SV *in;
+	int num;
+	PREINIT:
+		int i,n,olen;
+		int offset;
+		char *p;
+	CODE:
+		offset=0;
+		if (!SvPOK(in))
+			sv_setpvn(in,"",0);
+		SvPV(in,olen);
+		if (items > 3)
+			{
+			offset=SvIV(ST(3));
+			if (offset < 0)
+				{
+				if (-offset > olen)
+					croak("Offset outside string");
+				offset+=olen;
+				}
+			}
+		if ((num+offset) > olen)
+			{
+			SvGROW(in,num+offset+1);
+			p=SvPV(in,i);
+			memset(&(p[olen]),0,(num+offset)-olen+1);
+			}
+		p=SvPV(in,n);
+
+		i=SSL_read(ssl,p+offset,num);
+		RETVAL=i;
+		if (i <= 0) i=0;
+		SvCUR_set(in,offset+i);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_syswrite(ssl,in, ...)
+	SSL *ssl;
+	SV *in;
+	PREINIT:
+		char *ptr;
+		int len,in_len;
+		int offset=0;
+		int n;
+	CODE:
+		ptr=SvPV(in,in_len);
+		if (items > 2)
+			{
+			len=SvOK(ST(2))?SvIV(ST(2)):in_len;
+			if (items > 3)
+				{
+				offset=SvIV(ST(3));
+				if (offset < 0)
+					{
+					if (-offset > in_len)
+						croak("Offset outside string");
+					offset+=in_len;
+					}
+				else if ((offset >= in_len) && (in_len > 0))
+					croak("Offset outside string");
+				}
+			if (len >= (in_len-offset))
+				len=in_len-offset;
+			}
+		else
+			len=in_len;
+
+		RETVAL=SSL_write(ssl,ptr+offset,len);
+	OUTPUT:
+		RETVAL
+
+void
+p5_SSL_set_bio(ssl,bio)
+	SSL *ssl;
+	BIO *bio;
+	CODE:
+		bio->references++;
+		SSL_set_bio(ssl,bio,bio);
+
+int
+p5_SSL_set_options(ssl,...)
+	SSL *ssl;
+	PREINIT:
+		int i;
+		char *ptr;
+		SV *sv;
+	CODE:
+		pr_name("p5_SSL_set_options");
+
+		for (i=1; i<items; i++)
+			{
+			if (!SvPOK(ST(i)))
+				croak("Usage: OpenSSL::SSL::set_options(ssl[,option,value]+)");
+			ptr=SvPV(ST(i),na);
+			if (strcmp(ptr,"-info_callback") == 0)
+				{
+				SSL_set_info_callback(ssl,
+					p5_ssl_info_callback);
+				sv=sv_mortalcopy(ST(i+1));
+				SvREFCNT_inc(sv);
+				SSL_set_ex_data(ssl,
+					p5_ssl_ex_ssl_info_callback,(char *)sv);
+				i++;
+				}
+			else if (strcmp(ptr,"-connect_state") == 0)
+				{
+				SSL_set_connect_state(ssl);
+				}
+			else if (strcmp(ptr,"-accept_state") == 0)
+				{
+				SSL_set_accept_state(ssl);
+				}
+			else
+				{
+				croak("OpenSSL::SSL::set_options(): unknown option");
+				}
+			}
+
+void
+p5_SSL_state(ssl)
+	SSL *ssl;
+	PREINIT:
+		int state;
+	PPCODE:
+		pr_name("p5_SSL_state");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		state=SSL_state(ssl);
+		sv_setpv(ST(0),SSL_state_string_long(ssl));
+		sv_setiv(ST(0),state);
+		SvPOK_on(ST(0));
+
+void
+p5_SSL_DESTROY(ssl)
+	SSL *ssl;
+	CODE:
+	pr_name_dd("p5_SSL_DESTROY",ssl->references,ssl->ctx->references);
+#ifdef DEBUG
+	fprintf(stderr,"SSL_DESTROY %d\n",ssl->references);
+#endif
+	SSL_free(ssl);
+
+int
+p5_SSL_references(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=ssl->references;
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_do_handshake(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_do_handshake(ssl);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_renegotiate(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_renegotiate(ssl);
+	OUTPUT:
+		RETVAL
+
+int
+p5_SSL_shutdown(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_shutdown(ssl);
+	OUTPUT:
+		RETVAL
+
+char *
+p5_SSL_get_version(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_get_version(ssl);
+	OUTPUT:
+		RETVAL
+
+SSL_CIPHER *
+p5_SSL_get_current_cipher(ssl)
+	SSL *ssl;
+	CODE:
+		RETVAL=SSL_get_current_cipher(ssl);
+	OUTPUT:
+		RETVAL
+
+X509 *
+p5_SSL_get_peer_certificate(ssl)
+	SSL *ssl
+	CODE:
+		RETVAL=SSL_get_peer_certificate(ssl);
+	OUTPUT:
+		RETVAL
+
+MODULE =  OpenSSL::SSL	PACKAGE = OpenSSL::SSL::CIPHER PREFIX = p5_SSL_CIPHER_
+
+int
+p5_SSL_CIPHER_get_bits(sc)
+	SSL_CIPHER *sc
+	PREINIT:
+		int i,ret;
+	PPCODE:
+		EXTEND(sp,2);
+		PUSHs(sv_newmortal());
+		PUSHs(sv_newmortal());
+		ret=SSL_CIPHER_get_bits(sc,&i);
+		sv_setiv(ST(0),(IV)ret);
+		sv_setiv(ST(1),(IV)i);
+
+char *
+p5_SSL_CIPHER_get_version(sc)
+	SSL_CIPHER *sc
+	CODE:
+		RETVAL=SSL_CIPHER_get_version(sc);
+	OUTPUT:
+		RETVAL
+
+char *
+p5_SSL_CIPHER_get_name(sc)
+	SSL_CIPHER *sc
+	CODE:
+		RETVAL=SSL_CIPHER_get_name(sc);
+	OUTPUT:
+		RETVAL
+
+MODULE =  OpenSSL::SSL	PACKAGE = OpenSSL::BIO PREFIX = p5_BIO_
+
+void
+p5_BIO_get_ssl(bio)
+	BIO *bio;
+	PREINIT:
+		SSL *ssl;
+		SV *ret;
+		int i;
+	PPCODE:
+		if ((i=BIO_get_ssl(bio,&ssl)) > 0)
+			{
+			ret=(SV *)SSL_get_ex_data(ssl,p5_ssl_ex_ssl_ptr);
+			ret=sv_mortalcopy(ret);
+			}
+		else
+			ret= &sv_undef;
+		EXTEND(sp,1);
+		PUSHs(ret);
+
diff --git a/crypto/openssl/perl/openssl_x509.xs b/crypto/openssl/perl/openssl_x509.xs
new file mode 100644
index 0000000..008d959
--- /dev/null
+++ b/crypto/openssl/perl/openssl_x509.xs
@@ -0,0 +1,75 @@
+
+#include "openssl.h"
+
+MODULE =  OpenSSL::X509	PACKAGE = OpenSSL::X509	PREFIX = p5_X509_
+
+PROTOTYPES: ENABLE
+VERSIONCHECK: DISABLE
+
+void
+p5_X509_new(void )
+	PREINIT:
+		X509 *x509;
+		SV *arg;
+	PPCODE:
+		pr_name("p5_X509_new");
+		EXTEND(sp,1);
+		PUSHs(sv_newmortal());
+		x509=X509_new();
+		sv_setref_pv(ST(0),"OpenSSL::X509",(void *)x509);
+
+char *
+p5_X509_get_subject_name(x509)
+	X509 *x509;
+	PREINIT:
+		char *p;
+		X509_NAME *name;
+		char buf[1024];
+		int i;
+	CODE:
+		name=X509_get_subject_name(x509);
+		X509_NAME_oneline(name,buf,sizeof(buf));
+		p= &(buf[0]);
+		RETVAL=p;
+	OUTPUT:
+		RETVAL
+
+char *
+p5_X509_get_issuer_name(x509)
+	X509 *x509;
+	PREINIT:
+		char *p;
+		X509_NAME *name;
+		char buf[1024];
+		int i;
+	CODE:
+		name=X509_get_issuer_name(x509);
+		X509_NAME_oneline(name,buf,sizeof(buf));
+		p= &(buf[0]);
+		RETVAL=p;
+	OUTPUT:
+		RETVAL
+
+int
+p5_X509_get_version(x509)
+	X509 *x509;
+	CODE:
+		RETVAL=X509_get_version(x509);
+	OUTPUT:
+		RETVAL
+
+BIGNUM *
+p5_X509_get_serialNumber(x509)
+	X509 *x509;
+	CODE:
+		RETVAL=ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
+	OUTPUT:
+		RETVAL
+
+void
+p5_X509_DESTROY(x509)
+	X509 *x509;
+	CODE:
+	pr_name("p5_X509_DESTROY");
+	X509_free(x509);
+
diff --git a/crypto/openssl/perl/t/01-use.t b/crypto/openssl/perl/t/01-use.t
new file mode 100644
index 0000000..e24fd1f
--- /dev/null
+++ b/crypto/openssl/perl/t/01-use.t
@@ -0,0 +1,13 @@
+
+BEGIN { 
+    $| = 1; 
+    print "1..1\n";
+}
+END {
+	print "not ok 1\n" unless $loaded;
+}
+use OpenSSL;
+$loaded = 1;
+print "ok 1\n";
+
+
diff --git a/crypto/openssl/perl/t/02-version.t b/crypto/openssl/perl/t/02-version.t
new file mode 100644
index 0000000..8b5f6a0
--- /dev/null
+++ b/crypto/openssl/perl/t/02-version.t
@@ -0,0 +1,10 @@
+
+print "1..1\n";
+use OpenSSL;
+if ($OpenSSL::VERSION ne '') {
+    print "ok 1\n";
+}
+else {
+    print "not ok 1\n";
+}
+
diff --git a/crypto/openssl/perl/t/03-bio.t b/crypto/openssl/perl/t/03-bio.t
new file mode 100644
index 0000000..e3ed7ed
--- /dev/null
+++ b/crypto/openssl/perl/t/03-bio.t
@@ -0,0 +1,16 @@
+
+BEGIN { 
+    $| = 1; 
+    print "1..1\n";
+}
+END {
+	print "not ok 1\n" unless $ok;
+}
+
+use OpenSSL;
+my $bio = OpenSSL::BIO::new("mem") || die;
+undef $bio;
+
+$ok = 1;
+print "ok 1\n";
+
diff --git a/crypto/openssl/perl/typemap b/crypto/openssl/perl/typemap
new file mode 100644
index 0000000..f67b598
--- /dev/null
+++ b/crypto/openssl/perl/typemap
@@ -0,0 +1,96 @@
+
+datum			T_DATUM
+EVP_MD_CTX *		T_MD_CTX
+EVP_CIPHER_CTX *	T_CIPHER_CTX
+BIGNUM *		T_BIGNUM
+SSL_METHOD *		T_SSL_METHOD
+SSL_CTX *		T_SSL_CTX
+SSL_CIPHER *		T_SSL_CIPHER
+SSL *			T_SSL
+BIO *			T_BIO
+X509 *			T_X509
+
+INPUT
+T_DATUM
+	$var.dptr=SvPV($arg,$var.dsize);
+T_MD_CTX
+	if (sv_derived_from($arg, \"OpenSSL::MD\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (EVP_MD_CTX *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::MD\")
+T_CIPHER_CTX
+	if (sv_derived_from($arg, \"OpenSSL::Cipher\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (EVP_CIPHER_CTX *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::Cipher\")
+T_BIGNUM
+	sv_to_BIGNUM(&($var),$arg,\"$var is not of type OpenSSL::MD, int or string\")
+T_SSL_METHOD
+	if (sv_derived_from($arg, \"OpenSSL::SSL::METHOD\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (SSL_METHOD *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::SSL::METHOD\")
+T_SSL_CTX
+	if (sv_derived_from($arg, \"OpenSSL::SSL::CTX\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (SSL_CTX *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::SSL::CTX\")
+T_SSL_CIPHER
+	if (sv_derived_from($arg, \"OpenSSL::SSL::CIPHER\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (SSL_CIPHER *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::SSL::CIPHER\")
+T_SSL
+	if (sv_derived_from($arg, \"OpenSSL::SSL\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (SSL *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::SSL\")
+T_BIO
+	if (sv_derived_from($arg, \"OpenSSL::BIO\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (BIO *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::BIO\")
+T_X509
+	if (sv_derived_from($arg, \"OpenSSL::X509\")) {
+		IV tmp = SvIV((SV*)SvRV($arg));
+		$var = (X509 *) tmp;
+		}
+	else
+		croak(\"$var is not of type OpenSSL::X509\")
+OUTPUT
+T_DATUM
+	sv_setpvn($arg,$var.dptr,$var.dsize);
+T_MD_CTX
+	sv_setref_pv($arg, \"OpenSSL::MD\", (void*)$var);
+T_CIPHER_CTX
+	sv_setref_pv($arg, \"OpenSSL::Cipher\", (void*)$var);
+T_BIGNUM
+	sv_setref_pv($arg, \"OpenSSL::BN\", (void*)$var);
+T_SSL_METHOD
+	sv_setref_pv($arg, \"OpenSSL::SSL::METHOD\", (void*)$var);
+T_SSL_CTX
+	sv_setref_pv($arg, \"OpenSSL::SSL::CTX\", (void*)$var);
+T_SSL_CIPHER
+	sv_setref_pv($arg, \"OpenSSL::SSL::CIPHER\", (void*)$var);
+T_SSL
+	sv_setref_pv($arg, \"OpenSSL::SSL\", (void*)$var);
+T_BIO
+	sv_setref_pv($arg, \"OpenSSL::BIO\", (void*)$var);
+T_X509
+	sv_setref_pv($arg, \"OpenSSL::X509\", (void*)$var);
+
+
diff --git a/crypto/openssl/rsaref/Makefile.save b/crypto/openssl/rsaref/Makefile.save
new file mode 100644
index 0000000..f338427
--- /dev/null
+++ b/crypto/openssl/rsaref/Makefile.save
@@ -0,0 +1,99 @@
+#
+# SSLeay/rsaref/Makefile
+#
+
+DIR=	rsaref
+TOP=	..
+CC=	cc
+INCLUDES= -I../crypto -I../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile rsaref-lib.com install.com
+TEST=
+APPS=
+
+LIB=$(TOP)/libRSAglue.a
+LIBSRC=	rsaref.c rsar_err.c
+LIBOBJ= rsaref.o rsar_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=	rsaref.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=rsaref all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+
+install:
+	-@if [ "x`echo x $(EX_LIBS) | grep RSAglue`" != x ]; then \
+	    echo "installing libRSAglue.a"; \
+	    cp $(LIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	    $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	    chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	fi
+
+#	@for i in $(EXHEADER) ; \
+#	do  \
+#	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+#	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+#	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rsar_err.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+rsar_err.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsar_err.o: ../include/openssl/opensslv.h ../include/openssl/rsa.h
+rsar_err.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
+rsar_err.o: ../include/openssl/stack.h
+rsaref.o: ../crypto/cryptlib.h ../include/openssl/bio.h ../include/openssl/bn.h
+rsaref.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+rsaref.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsaref.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsaref.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+rsaref.o: ../include/openssl/rsa.h ../include/openssl/rsaref.h
+rsaref.o: ../include/openssl/safestack.h ../include/openssl/stack.h
diff --git a/crypto/openssl/rsaref/Makefile.ssl b/crypto/openssl/rsaref/Makefile.ssl
new file mode 100644
index 0000000..f338427
--- /dev/null
+++ b/crypto/openssl/rsaref/Makefile.ssl
@@ -0,0 +1,99 @@
+#
+# SSLeay/rsaref/Makefile
+#
+
+DIR=	rsaref
+TOP=	..
+CC=	cc
+INCLUDES= -I../crypto -I../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile rsaref-lib.com install.com
+TEST=
+APPS=
+
+LIB=$(TOP)/libRSAglue.a
+LIBSRC=	rsaref.c rsar_err.c
+LIBOBJ= rsaref.o rsar_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=	rsaref.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=rsaref all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+
+install:
+	-@if [ "x`echo x $(EX_LIBS) | grep RSAglue`" != x ]; then \
+	    echo "installing libRSAglue.a"; \
+	    cp $(LIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	    $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	    chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
+	fi
+
+#	@for i in $(EXHEADER) ; \
+#	do  \
+#	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+#	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+#	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rsar_err.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+rsar_err.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsar_err.o: ../include/openssl/opensslv.h ../include/openssl/rsa.h
+rsar_err.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
+rsar_err.o: ../include/openssl/stack.h
+rsaref.o: ../crypto/cryptlib.h ../include/openssl/bio.h ../include/openssl/bn.h
+rsaref.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+rsaref.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsaref.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsaref.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+rsaref.o: ../include/openssl/rsa.h ../include/openssl/rsaref.h
+rsaref.o: ../include/openssl/safestack.h ../include/openssl/stack.h
diff --git a/crypto/openssl/rsaref/rsar_err.c b/crypto/openssl/rsaref/rsar_err.c
new file mode 100644
index 0000000..ba7b605
--- /dev/null
+++ b/crypto/openssl/rsaref/rsar_err.c
@@ -0,0 +1,120 @@
+/* rsaref/rsar_err.c */
+/* $FreeBSD$ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rsaref.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA RSAREF_str_functs[]=
+	{
+{ERR_PACK(0,RSAREF_F_BN_REF_MOD_EXP,0),	"BN_REF_MOD_EXP"},
+{ERR_PACK(0,RSAREF_F_RSAREF_BN2BIN,0),	"RSAREF_BN2BIN"},
+{ERR_PACK(0,RSAREF_F_RSA_BN2BIN,0),	"RSA_BN2BIN"},
+{ERR_PACK(0,RSAREF_F_RSA_PRIVATE_DECRYPT,0),	"RSA_private_decrypt"},
+{ERR_PACK(0,RSAREF_F_RSA_PRIVATE_ENCRYPT,0),	"RSA_private_encrypt"},
+{ERR_PACK(0,RSAREF_F_RSA_PUBLIC_DECRYPT,0),	"RSA_public_decrypt"},
+{ERR_PACK(0,RSAREF_F_RSA_PUBLIC_ENCRYPT,0),	"RSA_public_encrypt"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_BN2BIN,0),	"RSA_REF_BN2BIN"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_MOD_EXP,0),	"RSA_REF_MOD_EXP"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_PRIVATE_DECRYPT,0),	"RSA_REF_PRIVATE_DECRYPT"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,0),	"RSA_REF_PRIVATE_ENCRYPT"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_PUBLIC_DECRYPT,0),	"RSA_REF_PUBLIC_DECRYPT"},
+{ERR_PACK(0,RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,0),	"RSA_REF_PUBLIC_ENCRYPT"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA RSAREF_str_reasons[]=
+	{
+{RSAREF_R_CONTENT_ENCODING               ,"content encoding"},
+{RSAREF_R_DATA                           ,"data"},
+{RSAREF_R_DIGEST_ALGORITHM               ,"digest algorithm"},
+{RSAREF_R_ENCODING                       ,"encoding"},
+{RSAREF_R_ENCRYPTION_ALGORITHM           ,"encryption algorithm"},
+{RSAREF_R_KEY                            ,"key"},
+{RSAREF_R_KEY_ENCODING                   ,"key encoding"},
+{RSAREF_R_LEN                            ,"len"},
+{RSAREF_R_MODULUS_LEN                    ,"modulus len"},
+{RSAREF_R_NEED_RANDOM                    ,"need random"},
+{RSAREF_R_PRIVATE_KEY                    ,"private key"},
+{RSAREF_R_PUBLIC_KEY                     ,"public key"},
+{RSAREF_R_SIGNATURE                      ,"signature"},
+{RSAREF_R_SIGNATURE_ENCODING             ,"signature encoding"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_RSA_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_RSAREF,RSAREF_str_functs);
+		ERR_load_strings(ERR_LIB_RSAREF,RSAREF_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/rsaref/rsaref.c b/crypto/openssl/rsaref/rsaref.c
new file mode 100644
index 0000000..6748890
--- /dev/null
+++ b/crypto/openssl/rsaref/rsaref.c
@@ -0,0 +1,309 @@
+/* rsaref/rsaref.c */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RSA
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rsaref.h>
+#include <openssl/rand.h>
+
+static int RSAref_bn2bin(BIGNUM * from, unsigned char* to, int max);
+#ifdef undef
+static BIGNUM* RSAref_bin2bn(unsigned char* from, BIGNUM * to, int max);
+#endif
+static int RSAref_Public_eay2ref(RSA * from, RSArefPublicKey * to);
+static int RSAref_Private_eay2ref(RSA * from, RSArefPrivateKey * to);
+int RSA_ref_private_decrypt(int len, unsigned char *from,
+	unsigned char *to, RSA *rsa, int padding);
+int RSA_ref_private_encrypt(int len, unsigned char *from,
+	unsigned char *to, RSA *rsa, int padding);
+int RSA_ref_public_encrypt(int len, unsigned char *from,
+	unsigned char *to, RSA *rsa, int padding);
+int RSA_ref_public_decrypt(int len, unsigned char *from,
+	unsigned char *to, RSA *rsa, int padding);
+static int BN_ref_mod_exp(BIGNUM *r,BIGNUM *a,const BIGNUM *p,const BIGNUM *m,
+			  BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int RSA_ref_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+static RSA_METHOD rsa_pkcs1_ref_meth={
+	"RSAref PKCS#1 RSA",
+	RSA_ref_public_encrypt,
+	RSA_ref_public_decrypt,
+	RSA_ref_private_encrypt,
+	RSA_ref_private_decrypt,
+	RSA_ref_mod_exp,
+	BN_ref_mod_exp,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	};
+
+RSA_METHOD *RSA_PKCS1(void)
+	{
+	return(&rsa_pkcs1_ref_meth);
+	}
+
+static int RSA_ref_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+	{
+	RSAREFerr(RSAREF_F_RSA_REF_MOD_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(0);
+	}
+
+static int BN_ref_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	RSAREFerr(RSAREF_F_BN_REF_MOD_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(0);
+	}
+
+/* unsigned char *to:  [max]    */
+static int RSAref_bn2bin(BIGNUM *from, unsigned char *to, int max)
+	{
+	int i;
+
+	i=BN_num_bytes(from);
+	if (i > max)
+		{
+		RSAREFerr(RSAREF_F_RSAREF_BN2BIN,RSAREF_R_LEN);
+		return(0);
+		}
+
+	memset(to,0,(unsigned int)max);
+	if (!BN_bn2bin(from,&(to[max-i])))
+		return(0);
+	return(1);
+	}
+
+#ifdef undef
+/* unsigned char *from:  [max]    */
+static BIGNUM *RSAref_bin2bn(unsigned char *from, BIGNUM *to, int max)
+	{
+	int i;
+	BIGNUM *ret;
+
+	for (i=0; i<max; i++)
+		if (from[i]) break;
+
+	ret=BN_bin2bn(&(from[i]),max-i,to);
+	return(ret);
+	}
+
+static int RSAref_Public_ref2eay(RSArefPublicKey *from, RSA *to)
+	{
+	to->n=RSAref_bin2bn(from->m,NULL,RSAref_MAX_LEN);
+	to->e=RSAref_bin2bn(from->e,NULL,RSAref_MAX_LEN);
+	if ((to->n == NULL) || (to->e == NULL)) return(0);
+	return(1);
+	}
+#endif
+
+static int RSAref_Public_eay2ref(RSA *from, RSArefPublicKey *to)
+	{
+	to->bits=BN_num_bits(from->n);
+	if (!RSAref_bn2bin(from->n,to->m,RSAref_MAX_LEN)) return(0);
+	if (!RSAref_bn2bin(from->e,to->e,RSAref_MAX_LEN)) return(0);
+	return(1);
+	}
+
+#ifdef undef
+static int RSAref_Private_ref2eay(RSArefPrivateKey *from, RSA *to)
+	{
+	if ((to->n=RSAref_bin2bn(from->m,NULL,RSAref_MAX_LEN)) == NULL)
+		return(0);
+	if ((to->e=RSAref_bin2bn(from->e,NULL,RSAref_MAX_LEN)) == NULL)
+		return(0);
+	if ((to->d=RSAref_bin2bn(from->d,NULL,RSAref_MAX_LEN)) == NULL)
+		return(0);
+	if ((to->p=RSAref_bin2bn(from->prime[0],NULL,RSAref_MAX_PLEN)) == NULL)
+		return(0);
+	if ((to->q=RSAref_bin2bn(from->prime[1],NULL,RSAref_MAX_PLEN)) == NULL)
+		return(0);
+	if ((to->dmp1=RSAref_bin2bn(from->pexp[0],NULL,RSAref_MAX_PLEN))
+		== NULL)
+		return(0);
+	if ((to->dmq1=RSAref_bin2bn(from->pexp[1],NULL,RSAref_MAX_PLEN))
+		== NULL)
+		return(0);
+	if ((to->iqmp=RSAref_bin2bn(from->coef,NULL,RSAref_MAX_PLEN)) == NULL)
+		return(0);
+	return(1);
+	}
+#endif
+
+static int RSAref_Private_eay2ref(RSA *from, RSArefPrivateKey *to)
+	{
+	to->bits=BN_num_bits(from->n);
+	if (!RSAref_bn2bin(from->n,to->m,RSAref_MAX_LEN)) return(0);
+	if (!RSAref_bn2bin(from->e,to->e,RSAref_MAX_LEN)) return(0);
+	if (!RSAref_bn2bin(from->d,to->d,RSAref_MAX_LEN)) return(0);
+	if (!RSAref_bn2bin(from->p,to->prime[0],RSAref_MAX_PLEN)) return(0);
+	if (!RSAref_bn2bin(from->q,to->prime[1],RSAref_MAX_PLEN)) return(0);
+	if (!RSAref_bn2bin(from->dmp1,to->pexp[0],RSAref_MAX_PLEN)) return(0);
+	if (!RSAref_bn2bin(from->dmq1,to->pexp[1],RSAref_MAX_PLEN)) return(0);
+	if (!RSAref_bn2bin(from->iqmp,to->coef,RSAref_MAX_PLEN)) return(0);
+	return(1);
+	}
+
+int RSA_ref_private_decrypt(int len, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	int i,outlen= -1;
+	RSArefPrivateKey RSAkey;
+
+	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
+		goto err;
+	if ((i=RSAPrivateDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_DECRYPT,i);
+		outlen= -1;
+		}
+err:
+	memset(&RSAkey,0,sizeof(RSAkey));
+	return(outlen);
+	}
+
+int RSA_ref_private_encrypt(int len, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	int i,outlen= -1;
+	RSArefPrivateKey RSAkey;
+
+	if (padding != RSA_PKCS1_PADDING)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+	}
+	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
+		goto err;
+	if ((i=RSAPrivateEncrypt(to,&outlen,from,len,&RSAkey)) != 0)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,i);
+		outlen= -1;
+		}
+err:
+	memset(&RSAkey,0,sizeof(RSAkey));
+	return(outlen);
+	}
+
+int RSA_ref_public_decrypt(int len, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	int i,outlen= -1;
+	RSArefPublicKey RSAkey;
+
+	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
+		goto err;
+	if ((i=RSAPublicDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_DECRYPT,i);
+		outlen= -1;
+		}
+err:
+	memset(&RSAkey,0,sizeof(RSAkey));
+	return(outlen);
+	}
+
+int RSA_ref_public_encrypt(int len, unsigned char *from, unsigned char *to,
+	     RSA *rsa, int padding)
+	{
+	int outlen= -1;
+	int i;
+	RSArefPublicKey RSAkey;
+	RSARandomState rnd;
+	unsigned char buf[16];
+
+	if (padding != RSA_PKCS1_PADDING && padding != RSA_SSLV23_PADDING) 
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+		goto err;
+		}
+	
+	R_RandomInit(&rnd);
+	R_GetRandomBytesNeeded((unsigned int *)&i,&rnd);
+	while (i > 0)
+		{
+		if (RAND_bytes(buf,16) <= 0)
+			goto err;
+		R_RandomUpdate(&rnd,buf,(unsigned int)((i>16)?16:i));
+		i-=16;
+		}
+
+	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
+		goto err;
+	if ((i=RSAPublicEncrypt(to,&outlen,from,len,&RSAkey,&rnd)) != 0)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,i);
+		outlen= -1;
+		goto err;
+		}
+err:
+	memset(&RSAkey,0,sizeof(RSAkey));
+	R_RandomFinal(&rnd);
+	memset(&rnd,0,sizeof(rnd));
+	return(outlen);
+	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/rsaref/rsaref.h b/crypto/openssl/rsaref/rsaref.h
new file mode 100644
index 0000000..b9b3e61
--- /dev/null
+++ b/crypto/openssl/rsaref/rsaref.h
@@ -0,0 +1,181 @@
+/* rsaref/rsaref.h */
+/* $FreeBSD$ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RSAREF_H
+#define HEADER_RSAREF_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+ 
+#ifndef NO_RSA
+#include <openssl/rsa.h>
+
+/* RSAeuro */
+/*#define  RSAref_MAX_BITS		2048*/
+
+/* RSAref */
+#define  RSAref_MAX_BITS		1024
+
+#define RSAref_MIN_BITS		508
+#define RSAref_MAX_LEN		((RSAref_MAX_BITS+7)/8)
+#define RSAref_MAX_PBITS	(RSAref_MAX_BITS+1)/2
+#define RSAref_MAX_PLEN		((RSAref_MAX_PBITS+7)/8)
+
+typedef struct RSArefPublicKey_st
+	{
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+	} RSArefPublicKey;
+
+typedef struct RSArefPrivateKey_st
+	{
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+	unsigned char d[RSAref_MAX_LEN];
+	unsigned char prime[2][RSAref_MAX_PLEN];/* p & q */
+	unsigned char pexp[2][RSAref_MAX_PLEN];	/* dmp1 & dmq1 */
+	unsigned char coef[RSAref_MAX_PLEN];	/* iqmp */
+	} RSArefPrivateKey;
+
+typedef struct RSARandomState_st
+	{
+	unsigned int needed;
+	unsigned char state[16];
+	unsigned int outputnum;
+	unsigned char output[16];
+	} RSARandomState;
+
+#define RE_CONTENT_ENCODING 0x0400
+#define RE_DATA 0x0401
+#define RE_DIGEST_ALGORITHM 0x0402
+#define RE_ENCODING 0x0403
+#define RE_KEY 0x0404
+#define RE_KEY_ENCODING 0x0405
+#define RE_LEN 0x0406
+#define RE_MODULUS_LEN 0x0407
+#define RE_NEED_RANDOM 0x0408
+#define RE_PRIVATE_KEY 0x0409
+#define RE_PUBLIC_KEY 0x040a
+#define RE_SIGNATURE 0x040b
+#define RE_SIGNATURE_ENCODING 0x040c
+#define RE_ENCRYPTION_ALGORITHM 0x040d
+
+int RSAPrivateDecrypt(unsigned char *to, int *outlen, unsigned char *from,
+	int len, RSArefPrivateKey *RSAkey);
+int RSAPrivateEncrypt(unsigned char *to, int *outlen, unsigned char *from,
+	int len, RSArefPrivateKey *RSAkey);
+int RSAPublicDecrypt(unsigned char *to, int *outlen, unsigned char *from,
+	int len, RSArefPublicKey *RSAkey);
+int RSAPublicEncrypt(unsigned char *to, int *outlen, unsigned char *from,
+	int len, RSArefPublicKey *RSAkey,RSARandomState *rnd);
+int R_RandomInit(RSARandomState *rnd);
+int R_GetRandomBytesNeeded(unsigned int *,RSARandomState *rnd);
+int R_RandomUpdate(RSARandomState *rnd, unsigned char *data, unsigned int n);
+int R_RandomFinal(RSARandomState *rnd);
+
+void ERR_load_RSA_strings(void );
+RSA_METHOD *RSA_PKCS1(void );
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the RSAREF functions. */
+
+/* Function codes. */
+#define RSAREF_F_BN_REF_MOD_EXP				 100
+#define RSAREF_F_RSAREF_BN2BIN				 101
+#define RSAREF_F_RSA_BN2BIN				 102
+#define RSAREF_F_RSA_PRIVATE_DECRYPT			 103
+#define RSAREF_F_RSA_PRIVATE_ENCRYPT			 104
+#define RSAREF_F_RSA_PUBLIC_DECRYPT			 105
+#define RSAREF_F_RSA_PUBLIC_ENCRYPT			 106
+#define RSAREF_F_RSA_REF_BN2BIN				 107
+#define RSAREF_F_RSA_REF_MOD_EXP			 108
+#define RSAREF_F_RSA_REF_PRIVATE_DECRYPT		 109
+#define RSAREF_F_RSA_REF_PRIVATE_ENCRYPT		 110
+#define RSAREF_F_RSA_REF_PUBLIC_DECRYPT			 111
+#define RSAREF_F_RSA_REF_PUBLIC_ENCRYPT			 112
+
+/* Reason codes. */
+#define RSAREF_R_CONTENT_ENCODING			 0x0400
+#define RSAREF_R_DATA					 0x0401
+#define RSAREF_R_DIGEST_ALGORITHM			 0x0402
+#define RSAREF_R_ENCODING				 0x0403
+#define RSAREF_R_ENCRYPTION_ALGORITHM			 0x040d
+#define RSAREF_R_KEY					 0x0404
+#define RSAREF_R_KEY_ENCODING				 0x0405
+#define RSAREF_R_LEN					 0x0406
+#define RSAREF_R_MODULUS_LEN				 0x0407
+#define RSAREF_R_NEED_RANDOM				 0x0408
+#define RSAREF_R_PRIVATE_KEY				 0x0409
+#define RSAREF_R_PUBLIC_KEY				 0x040a
+#define RSAREF_R_SIGNATURE				 0x040b
+#define RSAREF_R_SIGNATURE_ENCODING			 0x040c
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/rsaref/rsaref_stubs.c b/crypto/openssl/rsaref/rsaref_stubs.c
new file mode 100644
index 0000000..d2a032c
--- /dev/null
+++ b/crypto/openssl/rsaref/rsaref_stubs.c
@@ -0,0 +1,193 @@
+/*
+ * $FreeBSD$
+ *
+ * Copyright (c) 2000
+ *	Jordan Hubbard.  All rights reserved.
+ *
+ * Stub functions for RSA code.  If you link with this code, you will
+ * get a full set of weak symbol references to the rsaref library
+ * functions which are required by openssl.  These can then be occluded
+ * by the real rsaref library by explicitly linking with it or, failing
+ * that, these stub functions will also attempt to find an appropriate
+ * rsaref library in the search path and do the link-up at runtime.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer,
+ *    verbatim and that no modifications are made prior to this
+ *    point in the file.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JORDAN HUBBARD ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL JORDAN HUBBARD OR HIS PETS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, LIFE OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. SO THERE.
+ *
+ */
+
+#ifndef NO_RSA
+
+#include <stdio.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <openssl/rsa.h>
+
+#define VERBOSE_STUBS	/* undef if you don't want missing rsaref reported */
+
+#ifdef PIC
+#include <dlfcn.h>
+
+#define RSA_SHLIB	"librsaref.so"	/* be more exact if you need to */
+
+static void *
+getsym(const char *sym)
+{
+    static void *rsalib;
+    static int whined;
+    void *ret = NULL;
+
+    if (!rsalib)
+	rsalib = dlopen(RSA_SHLIB, RTLD_LAZY);
+    if (rsalib)
+	ret = dlsym(rsalib, sym);
+#ifdef VERBOSE_STUBS
+    if (!ret && !whined) {
+	if (isatty(STDERR_FILENO)) {
+	    fprintf(stderr, "** %s: Unable to find an RSAREF shared library (%s).\n", sym, RSA_SHLIB);
+	    fprintf(stderr, "** Install the /usr/ports/security/rsaref port or package and run this\n");
+	    fprintf(stderr, "** program again. See the OpenSSL chapter in the FreeBSD Handbook, located at\n");
+	    fprintf(stderr, "** http://www.freebsd.org/handbook/openssl.html, for more information.\n");
+	} else {
+	    syslog(LOG_ERR, "** %s: Unable to find an RSAREF shared library \
+(%s). Install the /usr/ports/security/rsaref port or package and run this \
+program again. See the OpenSSL chapter in the FreeBSD Handbook, located at \
+http://www.freebsd.org/handbook/openssl.html, for more information.", \
+sym, RSA_SHLIB);
+	}
+	whined = 1;
+     }
+#endif
+     return ret;
+}
+
+int
+RSAPrivateDecrypt_stub(unsigned char *output, unsigned int *outlen,
+    unsigned char *input, int inputlen, void *RSAkey)
+{
+    static int (*sym)(unsigned char *, unsigned int *, unsigned char *, int, void *);
+
+    if (sym || (sym = getsym("RSAPrivateDecrypt")))
+	return sym(output, outlen, input, inputlen, RSAkey);
+    return 0;
+}
+__weak_reference(RSAPrivateDecrypt_stub, RSAPrivateDecrypt);
+
+
+int
+RSAPrivateEncrypt_stub(unsigned char *output, unsigned int *outlen,
+    unsigned char *input, int inputlen, void *RSAkey)
+{
+    static int (*sym)(unsigned char *, unsigned int *, unsigned char *, int, void *);
+
+    if (sym || (sym = getsym("RSAPrivateEncrypt")))
+	return sym(output, outlen, input, inputlen, RSAkey);
+    return 0;
+}
+__weak_reference(RSAPrivateEncrypt_stub, RSAPrivateEncrypt);
+
+int
+RSAPublicDecrypt_stub(unsigned char *output, unsigned int *outlen,
+    unsigned char *input, int inputlen, void *RSAkey)
+{
+    static int (*sym)(unsigned char *, unsigned int *, unsigned char *, int, void *);
+
+    if (sym || (sym = getsym("RSAPublicDecrypt")))
+	return sym(output, outlen, input, inputlen, RSAkey);
+    return 0;
+}
+__weak_reference(RSAPublicDecrypt_stub, RSAPublicDecrypt);
+
+int
+RSAPublicEncrypt_stub(unsigned char *output, unsigned int *outlen,
+    unsigned char *input, int inputlen, void *RSAkey, void *randomStruct)
+{
+    static int (*sym)(unsigned char *, unsigned int *, unsigned char *, int,
+	void *, void *);
+
+    if (sym || (sym = getsym("RSAPublicEncrypt")))
+	return sym(output, outlen, input, inputlen, RSAkey, randomStruct);
+    return 0;
+}
+__weak_reference(RSAPublicEncrypt_stub, RSAPublicEncrypt);
+
+int
+R_GetRandomBytesNeeded_stub(unsigned int *bytesNeeded, void *randomStruct) 
+{
+    static int (*sym)(unsigned int *, void *);
+
+    if (sym || (sym = getsym("R_GetRandomBytesNeeded")))
+	return sym(bytesNeeded, randomStruct);
+    return 0;
+}
+__weak_reference(R_GetRandomBytesNeeded_stub, R_GetRandomBytesNeeded);
+
+void
+R_RandomFinal_stub(void *randomStruct)
+{
+    static void (*sym)(void *);
+
+    if (sym || (sym = getsym("R_RandomFinal")))
+	sym(randomStruct);
+}
+__weak_reference(R_RandomFinal_stub, R_RandomFinal);
+
+int
+R_RandomInit_stub(void *randomStruct)
+{
+    static int (*sym)(void *);
+
+    if (sym || (sym = getsym("R_RandomInit")))
+	sym(randomStruct);
+    return 0;
+}
+__weak_reference(R_RandomInit_stub, R_RandomInit);
+
+int
+R_RandomUpdate_stub(void *randomStruct,
+    unsigned char *block, unsigned int blockLen) 
+{
+    static int (*sym)(void *, unsigned char *, unsigned int);
+
+    if (sym || (sym = getsym("R_RandomUpdate")))
+	sym(randomStruct, block, blockLen);
+    return 0;
+}
+__weak_reference(R_RandomUpdate_stub, R_RandomUpdate);
+
+int
+RSA_libversion()
+{
+	return RSALIB_RSAREF;
+}
+
+#else	/* !PIC */
+
+/* Failsafe glue for static linking.  Link but complain like hell. */
+
+/* actually, this creates all sorts of ld(1) problems, forget it for now */
+
+#endif	/* !PIC */
+
+#endif	/* !NO_RSA */
diff --git a/crypto/openssl/shlib/Makefile.hpux10-cc b/crypto/openssl/shlib/Makefile.hpux10-cc
new file mode 100644
index 0000000..4dc62eb
--- /dev/null
+++ b/crypto/openssl/shlib/Makefile.hpux10-cc
@@ -0,0 +1,51 @@
+# Makefile.hpux-cc
+
+major=1
+
+slib=libssl
+sh_slib=$(slib).so.$(major)
+
+clib=libcrypto
+sh_clib=$(clib).so.$(major)
+
+all : $(clib).sl $(slib).sl
+
+
+$(clib)_pic.a : $(clib).a
+	echo "Copying $? to $@"
+	cp -p $? $@
+
+$(slib)_pic.a : $(slib).a
+	echo "Copying $? to $@"
+	cp -p $? $@
+
+$(sh_clib) : $(clib)_pic.a
+	echo "collecting all object files for $@"
+	find . -name \*.o -print > allobjs
+	for obj in `ar t $(clib)_pic.a`; \
+	do \
+		grep /$$obj allobjs; \
+	done >objlist
+	echo "linking $@"
+	ld -b -s -z +h $@ -o $@ `cat objlist` -lc 
+	rm allobjs objlist
+
+$(clib).sl : $(sh_clib)
+	rm -f $@
+	ln -s $? $@
+
+$(sh_slib) : $(slib)_pic.a $(clib).sl
+	echo "collecting all object files for $@"
+	find . -name \*.o -print > allobjs
+	for obj in `ar t $(slib)_pic.a`; \
+	do \
+		grep /$$obj allobjs; \
+	done >objlist
+	echo "linking $@"
+	ld -b -s -z +h $@ +b /usr/local/ssl/lib:/usr/lib -o $@ `cat objlist` \
+			-L. -lcrypto -lc
+	rm -f allobjs objlist
+        
+$(slib).sl : $(sh_slib)
+	rm -f $@
+	ln -s $? $@
diff --git a/crypto/openssl/shlib/README b/crypto/openssl/shlib/README
new file mode 100644
index 0000000..fea07a5
--- /dev/null
+++ b/crypto/openssl/shlib/README
@@ -0,0 +1 @@
+Only the windows NT and, linux builds have been tested for SSLeay 0.8.0
diff --git a/crypto/openssl/shlib/hpux10-cc.sh b/crypto/openssl/shlib/hpux10-cc.sh
new file mode 100644
index 0000000..903baaa
--- /dev/null
+++ b/crypto/openssl/shlib/hpux10-cc.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/sh
+#
+# Run this script from the OpenSSL root directory:
+# sh shlib/hpux10-cc.sh
+# 
+# HP-UX (10.20) shared library installation:
+# Compile and install OpenSSL with best possible optimization:
+# - shared libraries are compiled and installed with +O4 optimization
+# - executable(s) are compiled and installed with +O4 optimization
+# - static libraries are compiled and installed with +O3 optimization,
+#   to avoid the time consuming +O4 link-time optimization when using
+#   these libraries. (The shared libs are already optimized during build
+#   at +O4.)
+#
+# This script must be run with appropriate privileges to install into
+# /usr/local/ssl. HP-UX prevents used executables and shared libraries
+# from being deleted or overwritten. Stop all processes using already
+# installed items of OpenSSL.
+#
+# WARNING: At high optimization levels, HP's ANSI-C compiler can chew up
+#          large amounts of memory and CPU time. Make sure to have at least
+#          128MB of RAM available and that your kernel is configured to allow
+#          at least 128MB data size (maxdsiz parameter).
+#          The installation process can take several hours, even on fast
+#          machines. +O4 optimization of the libcrypto.sl shared library may
+#          take 1 hour on a C200 (200MHz PA8200 CPU), +O3 compilation of
+#          fcrypt_b.c can take 20 minutes on this machine. Stay patient.
+#
+# SITEFLAGS: site specific flags. I do use +DAportable, since I have to
+# support older PA1.1-type CPUs. Your mileage may vary.
+# +w1 enables enhanced warnings, useful when working with snaphots.
+#
+SITEFLAGS="+DAportable +w1"
+#
+# Set the default additions to build with HP-UX.
+# -D_REENTRANT must/should be defined on HP-UX manually, since we do call
+# Configure directly.
+# +Oall increases the optimization done.
+#
+MYFLAGS="-D_REENTRANT +Oall $SITEFLAGS"
+
+# Configure for pic and build the static pic libraries
+perl5 Configure hpux-parisc-cc-o4 +z ${MYFLAGS}
+make clean
+make DIRS="crypto ssl"
+# Rename the static pic libs and build dynamic libraries from them
+# Be prepared to see a lot of warnings about shared libraries being built
+# with optimizations higher than +O2. When using these libraries, it is
+# not possible to replace internal library functions with functions from
+# the program to be linked.
+#
+make -f shlib/Makefile.hpux10-cc
+
+# Copy the libraries to /usr/local/ssl/lib (they have to be in their
+# final location when linking applications).
+# If the directories are still there, no problem.
+mkdir /usr/local
+mkdir /usr/local/ssl
+mkdir /usr/local/ssl/lib
+chmod 444 lib*_pic.a
+chmod 555 lib*.so.1
+cp -p lib*_pic.a lib*.so.1 /usr/local/ssl/lib
+(cd /usr/local/ssl/lib ; ln -sf libcrypto.so.1 libcrypto.sl ; ln -sf libssl.so.1 libssl.sl)
+
+# Reconfigure without pic to compile the executables. Unfortunately, while
+# performing this task we have to recompile the library components, even
+# though we use the already installed shared libs anyway.
+#
+perl5 Configure hpux-parisc-cc-o4 ${MYFLAGS}
+
+make clean
+
+# Hack the Makefiles to pick up the dynamic libraries during linking
+#
+sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib -Wl,+b,\/usr\/local\/ssl\/lib:\/usr\/lib/' Makefile.ssl >xxx; mv xxx Makefile.ssl
+sed 's/-L\.\.//' apps/Makefile.ssl >xxx; mv xxx apps/Makefile.ssl
+sed 's/-L\.\.//' test/Makefile.ssl >xxx; mv xxx test/Makefile.ssl
+# Build the static libs and the executables in one make.
+make
+# Install everything
+make install
+
+# Finally build the static libs with +O3. This time we only need the libraries,
+# once created, they are simply copied into place.
+#
+perl5 Configure hpux-parisc-cc ${MYFLAGS}
+make clean
+make DIRS="crypto ssl"
+chmod 644 libcrypto.a libssl.a
+cp -p libcrypto.a libssl.a /usr/local/ssl/lib
diff --git a/crypto/openssl/shlib/irix.sh b/crypto/openssl/shlib/irix.sh
new file mode 100644
index 0000000..22e4e6a
--- /dev/null
+++ b/crypto/openssl/shlib/irix.sh
@@ -0,0 +1,7 @@
+FLAGS="-DTERMIOS -O2 -mips2 -DB_ENDIAN -fomit-frame-pointer -Wall -Iinclude"
+SHFLAGS="-DPIC -fpic"
+
+gcc -c -Icrypto $SHFLAGS $FLAGS -o crypto.o crypto/crypto.c
+ld -shared -o libcrypto.so crypto.o
+gcc -c -Issl $SHFLAGS $FLAGS -o ssl.o ssl/ssl.c
+ld -shared -o libssl.so ssl.o
diff --git a/crypto/openssl/shlib/solaris-sc4.sh b/crypto/openssl/shlib/solaris-sc4.sh
new file mode 100755
index 0000000..b0766b3
--- /dev/null
+++ b/crypto/openssl/shlib/solaris-sc4.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+major="1"
+
+slib=libssl
+sh_slib=$slib.so.$major
+
+clib=libcrypto
+sh_clib=$clib.so.$major
+
+echo collecting all object files for $clib.so
+OBJS=
+find . -name \*.o -print > allobjs
+for obj in `ar t libcrypto.a`
+do
+	OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $clib.so
+cc -G -o $sh_clib -h $sh_clib $OBJS -lnsl -lsocket
+
+rm -f $clib.so
+ln -s $sh_clib $clib.so
+
+echo collecting all object files for $slib.so
+OBJS=
+for obj in `ar t libssl.a`
+do
+	OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $slib.so
+cc -G -o $sh_slib -h $sh_slib $OBJS -L. -lcrypto
+	
+rm -f $slib.so
+ln -s $sh_slib $slib.so
+
+rm -f allobjs
+
+mv libRSAglue.a libRSAglue.a.orig
+mv libcrypto.a  libcrypto.a.orig
+mv libssl.a     libssl.a.orig 
diff --git a/crypto/openssl/shlib/solaris.sh b/crypto/openssl/shlib/solaris.sh
new file mode 100644
index 0000000..03475f1
--- /dev/null
+++ b/crypto/openssl/shlib/solaris.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+echo "#define DATE      \"`date`\"" >crypto/date.h
+
+major="0"
+minor="8.0"
+slib=libssl
+clib=libcrypto
+CC=gcc
+CPP='gcc -E'
+AS=as
+#FLAGS='-DTERMIO -O3 -DL_ENDIAN -fomit-frame-pointer -mv8 -Wall'
+FLAGS='-DTERMIO -g2 -ggdb -DL_ENDIAN -Wall -DREF_CHECK -DCRYPTO_MDEBUG'
+INCLUDE='-Iinclude -Icrypto -Issl'
+SHFLAGS='-DPIC -fpic'
+
+CFLAGS="$FLAGS $INCLUDE $SHFLAGS"
+ASM_OBJ="";
+
+echo compiling bignum assember
+$AS -o bn_asm.o crypto/bn/asm/sparc.s
+CFLAGS="$CFLAGS -DBN_ASM"
+ASM_OBJ="$ASM_OBJ bn_asm.o"
+
+echo compiling $clib
+$CC -c $CFLAGS -DCFLAGS="\"$FLAGS\"" -o crypto.o crypto/crypto.c
+
+echo linking $clib.so
+gcc $CFLAGS -shared -o $clib.so.$major.$minor crypto.o $ASM_OBJ -lnsl -lsocket
+
+echo compiling $slib.so
+$CC -c $CFLAGS -o ssl.o ssl/ssl.c
+
+echo building $slib.so
+gcc $CFLAGS -shared -o $slib.so ssl.o -L. -lcrypto
+
diff --git a/crypto/openssl/shlib/sun.sh b/crypto/openssl/shlib/sun.sh
new file mode 100644
index 0000000..a890bbd
--- /dev/null
+++ b/crypto/openssl/shlib/sun.sh
@@ -0,0 +1,8 @@
+FLAGS="-DTERMIO -O3 -DB_ENDIAN -fomit-frame-pointer -mv8 -Wall -Iinclude"
+SHFLAGS="-DPIC -fpic"
+
+gcc -c -Icrypto $SHFLAGS -fpic $FLAGS -o crypto.o crypto/crypto.c
+ld -G -z text -o libcrypto.so crypto.o
+
+gcc -c -Issl $SHFLAGS $FLAGS -o ssl.o ssl/ssl.c
+ld -G -z text -o libssl.so ssl.o
diff --git a/crypto/openssl/ssl/Makefile.save b/crypto/openssl/ssl/Makefile.save
new file mode 100644
index 0000000..04ed4b3
--- /dev/null
+++ b/crypto/openssl/ssl/Makefile.save
@@ -0,0 +1,831 @@
+#
+# SSLeay/ssl/Makefile
+#
+
+DIR=	ssl
+TOP=	..
+CC=	cc
+INCLUDES= -I../crypto -I../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README ssl-lib.com install.com
+TEST=ssltest.c
+APPS=
+
+LIB=$(TOP)/libssl.a
+LIBSRC=	\
+	s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
+	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c \
+	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
+	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
+	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
+	ssl_ciph.c ssl_stat.c ssl_rsa.c \
+	ssl_asn1.c ssl_txt.c ssl_algs.c \
+	bio_ssl.c ssl_err.c
+LIBOBJ= \
+	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
+	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \
+	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
+	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
+	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
+	ssl_ciph.o ssl_stat.o ssl_rsa.o \
+	ssl_asn1.o ssl_txt.o ssl_algs.o \
+	bio_ssl.o ssl_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h
+HEADER=	$(EXHEADER) ssl_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+bio_ssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+bio_ssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bio_ssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h
+s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_both.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_algs.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
+ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+ssl_cert.o: ssl_locl.h
+ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_ciph.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h
+ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err2.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err2.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err2.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err2.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err2.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h ssl_locl.h
+ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_stat.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_txt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+t1_enc.o: ../include/openssl/md2.h ../include/openssl/md5.h
+t1_enc.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_enc.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl
new file mode 100644
index 0000000..04ed4b3
--- /dev/null
+++ b/crypto/openssl/ssl/Makefile.ssl
@@ -0,0 +1,831 @@
+#
+# SSLeay/ssl/Makefile
+#
+
+DIR=	ssl
+TOP=	..
+CC=	cc
+INCLUDES= -I../crypto -I../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README ssl-lib.com install.com
+TEST=ssltest.c
+APPS=
+
+LIB=$(TOP)/libssl.a
+LIBSRC=	\
+	s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
+	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c \
+	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
+	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
+	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
+	ssl_ciph.c ssl_stat.c ssl_rsa.c \
+	ssl_asn1.c ssl_txt.c ssl_algs.c \
+	bio_ssl.c ssl_err.c
+LIBOBJ= \
+	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
+	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \
+	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
+	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
+	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
+	ssl_ciph.o ssl_stat.o ssl_rsa.o \
+	ssl_asn1.o ssl_txt.o ssl_algs.o \
+	bio_ssl.o ssl_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h
+HEADER=	$(EXHEADER) ssl_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+bio_ssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+bio_ssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bio_ssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h
+s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_both.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_algs.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
+ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+ssl_cert.o: ssl_locl.h
+ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_ciph.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h
+ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err2.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err2.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err2.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err2.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err2.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h ssl_locl.h
+ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_stat.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_txt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+t1_enc.o: ../include/openssl/md2.h ../include/openssl/md5.h
+t1_enc.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_enc.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c
new file mode 100644
index 0000000..d73c41a
--- /dev/null
+++ b/crypto/openssl/ssl/bio_ssl.c
@@ -0,0 +1,586 @@
+/* ssl/bio_ssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+static int ssl_write(BIO *h,char *buf,int num);
+static int ssl_read(BIO *h,char *buf,int size);
+static int ssl_puts(BIO *h,char *str);
+static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int ssl_new(BIO *h);
+static int ssl_free(BIO *data);
+static long ssl_callback_ctrl(BIO *h,int cmd,void (*fp)());
+typedef struct bio_ssl_st
+	{
+	SSL *ssl; /* The ssl handle :-) */
+	/* re-negotiate every time the total number of bytes is this size */
+	int num_renegotiates;
+	unsigned long renegotiate_count;
+	unsigned long byte_count;
+	unsigned long renegotiate_timeout;
+	unsigned long last_time;
+	} BIO_SSL;
+
+static BIO_METHOD methods_sslp=
+	{
+	BIO_TYPE_SSL,"ssl",
+	ssl_write,
+	ssl_read,
+	ssl_puts,
+	NULL, /* ssl_gets, */
+	ssl_ctrl,
+	ssl_new,
+	ssl_free,
+	ssl_callback_ctrl,
+	};
+
+BIO_METHOD *BIO_f_ssl(void)
+	{
+	return(&methods_sslp);
+	}
+
+static int ssl_new(BIO *bi)
+	{
+	BIO_SSL *bs;
+
+	bs=(BIO_SSL *)Malloc(sizeof(BIO_SSL));
+	if (bs == NULL)
+		{
+		BIOerr(BIO_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	memset(bs,0,sizeof(BIO_SSL));
+	bi->init=0;
+	bi->ptr=(char *)bs;
+	bi->flags=0;
+	return(1);
+	}
+
+static int ssl_free(BIO *a)
+	{
+	BIO_SSL *bs;
+
+	if (a == NULL) return(0);
+	bs=(BIO_SSL *)a->ptr;
+	if (bs->ssl != NULL) SSL_shutdown(bs->ssl);
+	if (a->shutdown)
+		{
+		if (a->init && (bs->ssl != NULL))
+			SSL_free(bs->ssl);
+		a->init=0;
+		a->flags=0;
+		}
+	if (a->ptr != NULL)
+		Free(a->ptr);
+	return(1);
+	}
+	
+static int ssl_read(BIO *b, char *out, int outl)
+	{
+	int ret=1;
+	BIO_SSL *sb;
+	SSL *ssl;
+	int retry_reason=0;
+	int r=0;
+
+	if (out == NULL) return(0);
+	sb=(BIO_SSL *)b->ptr;
+	ssl=sb->ssl;
+
+	BIO_clear_retry_flags(b);
+
+#if 0
+	if (!SSL_is_init_finished(ssl))
+		{
+/*		ret=SSL_do_handshake(ssl); */
+		if (ret > 0)
+			{
+
+			outflags=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
+			ret= -1;
+			goto end;
+			}
+		}
+#endif
+/*	if (ret > 0) */
+	ret=SSL_read(ssl,out,outl);
+
+	switch (SSL_get_error(ssl,ret))
+		{
+	case SSL_ERROR_NONE:
+		if (ret <= 0) break;
+		if (sb->renegotiate_count > 0)
+			{
+			sb->byte_count+=ret;
+			if (sb->byte_count > sb->renegotiate_count)
+				{
+				sb->byte_count=0;
+				sb->num_renegotiates++;
+				SSL_renegotiate(ssl);
+				r=1;
+				}
+			}
+		if ((sb->renegotiate_timeout > 0) && (!r))
+			{
+			unsigned long tm;
+
+			tm=(unsigned long)time(NULL);
+			if (tm > sb->last_time+sb->renegotiate_timeout)
+				{
+				sb->last_time=tm;
+				sb->num_renegotiates++;
+				SSL_renegotiate(ssl);
+				}
+			}
+
+		break;
+	case SSL_ERROR_WANT_READ:
+		BIO_set_retry_read(b);
+		break;
+	case SSL_ERROR_WANT_WRITE:
+		BIO_set_retry_write(b);
+		break;
+	case SSL_ERROR_WANT_X509_LOOKUP:
+		BIO_set_retry_special(b);
+		retry_reason=BIO_RR_SSL_X509_LOOKUP;
+		break;
+	case SSL_ERROR_WANT_CONNECT:
+		BIO_set_retry_special(b);
+		retry_reason=BIO_RR_CONNECT;
+		break;
+	case SSL_ERROR_SYSCALL:
+	case SSL_ERROR_SSL:
+	case SSL_ERROR_ZERO_RETURN:
+	default:
+		break;
+		}
+
+	b->retry_reason=retry_reason;
+	return(ret);
+	}
+
+static int ssl_write(BIO *b, char *out, int outl)
+	{
+	int ret,r=0;
+	int retry_reason=0;
+	SSL *ssl;
+	BIO_SSL *bs;
+
+	if (out == NULL) return(0);
+	bs=(BIO_SSL *)b->ptr;
+	ssl=bs->ssl;
+
+	BIO_clear_retry_flags(b);
+
+/*	ret=SSL_do_handshake(ssl);
+	if (ret > 0) */
+	ret=SSL_write(ssl,out,outl);
+
+	switch (SSL_get_error(ssl,ret))
+		{
+	case SSL_ERROR_NONE:
+		if (ret <= 0) break;
+		if (bs->renegotiate_count > 0)
+			{
+			bs->byte_count+=ret;
+			if (bs->byte_count > bs->renegotiate_count)
+				{
+				bs->byte_count=0;
+				bs->num_renegotiates++;
+				SSL_renegotiate(ssl);
+				r=1;
+				}
+			}
+		if ((bs->renegotiate_timeout > 0) && (!r))
+			{
+			unsigned long tm;
+
+			tm=(unsigned long)time(NULL);
+			if (tm > bs->last_time+bs->renegotiate_timeout)
+				{
+				bs->last_time=tm;
+				bs->num_renegotiates++;
+				SSL_renegotiate(ssl);
+				}
+			}
+		break;
+	case SSL_ERROR_WANT_WRITE:
+		BIO_set_retry_write(b);
+		break;
+	case SSL_ERROR_WANT_READ:
+		BIO_set_retry_read(b);
+		break;
+	case SSL_ERROR_WANT_X509_LOOKUP:
+		BIO_set_retry_special(b);
+		retry_reason=BIO_RR_SSL_X509_LOOKUP;
+		break;
+	case SSL_ERROR_WANT_CONNECT:
+		BIO_set_retry_special(b);
+		retry_reason=BIO_RR_CONNECT;
+	case SSL_ERROR_SYSCALL:
+	case SSL_ERROR_SSL:
+	default:
+		break;
+		}
+
+	b->retry_reason=retry_reason;
+	return(ret);
+	}
+
+static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
+	{
+	SSL **sslp,*ssl;
+	BIO_SSL *bs;
+	BIO *dbio,*bio;
+	long ret=1;
+
+	bs=(BIO_SSL *)b->ptr;
+	ssl=bs->ssl;
+	if ((ssl == NULL)  && (cmd != BIO_C_SET_SSL))
+		return(0);
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		SSL_shutdown(ssl);
+
+		if (ssl->handshake_func == ssl->method->ssl_connect)
+			SSL_set_connect_state(ssl);
+		else if (ssl->handshake_func == ssl->method->ssl_accept)
+			SSL_set_accept_state(ssl);
+
+		SSL_clear(ssl);
+
+		if (b->next_bio != NULL)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		else if (ssl->rbio != NULL)
+			ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
+		else
+			ret=1;
+		break;
+	case BIO_CTRL_INFO:
+		ret=0;
+		break;
+	case BIO_C_SSL_MODE:
+		if (num) /* client mode */
+			SSL_set_connect_state(ssl);
+		else
+			SSL_set_accept_state(ssl);
+		break;
+	case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT:
+		ret=bs->renegotiate_timeout;
+		if (num < 60) num=5;
+		bs->renegotiate_timeout=(unsigned long)num;
+		bs->last_time=(unsigned long)time(NULL);
+		break;
+	case BIO_C_SET_SSL_RENEGOTIATE_BYTES:
+		ret=bs->renegotiate_count;
+		if ((long)num >=512)
+			bs->renegotiate_count=(unsigned long)num;
+		break;
+	case BIO_C_GET_SSL_NUM_RENEGOTIATES:
+		ret=bs->num_renegotiates;
+		break;
+	case BIO_C_SET_SSL:
+		if (ssl != NULL)
+			ssl_free(b);
+		b->shutdown=(int)num;
+		ssl=(SSL *)ptr;
+		((BIO_SSL *)b->ptr)->ssl=ssl;
+		bio=SSL_get_rbio(ssl);
+		if (bio != NULL)
+			{
+			if (b->next_bio != NULL)
+				BIO_push(bio,b->next_bio);
+			b->next_bio=bio;
+			CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO);
+			}
+		b->init=1;
+		break;
+	case BIO_C_GET_SSL:
+		if (ptr != NULL)
+			{
+			sslp=(SSL **)ptr;
+			*sslp=ssl;
+			}
+		else
+			ret=0;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_WPENDING:
+		ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_PENDING:
+		ret=SSL_pending(ssl);
+		if (ret == 0)
+			ret=BIO_pending(ssl->rbio);
+		break;
+	case BIO_CTRL_FLUSH:
+		BIO_clear_retry_flags(b);
+		ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
+		BIO_copy_next_retry(b);
+		break;
+	case BIO_CTRL_PUSH:
+		if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio))
+			{
+			SSL_set_bio(ssl,b->next_bio,b->next_bio);
+			CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
+			}
+		break;
+	case BIO_CTRL_POP:
+		/* ugly bit of a hack */
+		if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */
+			{
+			BIO_free_all(ssl->wbio);
+			}
+		ssl->wbio=NULL;
+		ssl->rbio=NULL;
+		break;
+	case BIO_C_DO_STATE_MACHINE:
+		BIO_clear_retry_flags(b);
+
+		b->retry_reason=0;
+		ret=(int)SSL_do_handshake(ssl);
+
+		switch (SSL_get_error(ssl,(int)ret))
+			{
+		case SSL_ERROR_WANT_READ:
+			BIO_set_flags(b,
+				BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
+			break;
+		case SSL_ERROR_WANT_WRITE:
+			BIO_set_flags(b,
+				BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY);
+			break;
+		case SSL_ERROR_WANT_CONNECT:
+			BIO_set_flags(b,
+				BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY);
+			b->retry_reason=b->next_bio->retry_reason;
+			break;
+		default:
+			break;
+			}
+		break;
+	case BIO_CTRL_DUP:
+		dbio=(BIO *)ptr;
+		if (((BIO_SSL *)dbio->ptr)->ssl != NULL)
+			SSL_free(((BIO_SSL *)dbio->ptr)->ssl);
+		((BIO_SSL *)dbio->ptr)->ssl=SSL_dup(ssl);
+		((BIO_SSL *)dbio->ptr)->renegotiate_count=
+			((BIO_SSL *)b->ptr)->renegotiate_count;
+		((BIO_SSL *)dbio->ptr)->byte_count=
+			((BIO_SSL *)b->ptr)->byte_count;
+		((BIO_SSL *)dbio->ptr)->renegotiate_timeout=
+			((BIO_SSL *)b->ptr)->renegotiate_timeout;
+		((BIO_SSL *)dbio->ptr)->last_time=
+			((BIO_SSL *)b->ptr)->last_time;
+		ret=(((BIO_SSL *)dbio->ptr)->ssl != NULL);
+		break;
+	case BIO_C_GET_FD:
+		ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
+		break;
+	case BIO_CTRL_SET_CALLBACK:
+		{
+#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
+		BIOerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ret = -1;
+#else
+		ret=0;
+#endif
+		}
+		break;
+	case BIO_CTRL_GET_CALLBACK:
+		{
+		void (**fptr)();
+
+		fptr=(void (**)())ptr;
+		*fptr=SSL_get_info_callback(ssl);
+		}
+		break;
+	default:
+		ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
+		break;
+		}
+	return(ret);
+	}
+
+static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	SSL *ssl;
+	BIO_SSL *bs;
+	long ret=1;
+
+	bs=(BIO_SSL *)b->ptr;
+	ssl=bs->ssl;
+	switch (cmd)
+		{
+	case BIO_CTRL_SET_CALLBACK:
+		{
+		SSL_set_info_callback(ssl,fp);
+		}
+		break;
+	default:
+		ret=BIO_callback_ctrl(ssl->rbio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
+static int ssl_puts(BIO *bp, char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=BIO_write(bp,str,n);
+	return(ret);
+	}
+
+BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
+	{
+	BIO *ret=NULL,*buf=NULL,*ssl=NULL;
+
+	if ((buf=BIO_new(BIO_f_buffer())) == NULL)
+		return(NULL);
+	if ((ssl=BIO_new_ssl_connect(ctx)) == NULL)
+		goto err;
+	if ((ret=BIO_push(buf,ssl)) == NULL)
+		goto err;
+	return(ret);
+err:
+	if (buf != NULL) BIO_free(buf);
+	if (ssl != NULL) BIO_free(ssl);
+	return(NULL);
+	}
+
+BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
+	{
+	BIO *ret=NULL,*con=NULL,*ssl=NULL;
+
+	if ((con=BIO_new(BIO_s_connect())) == NULL)
+		return(NULL);
+	if ((ssl=BIO_new_ssl(ctx,1)) == NULL)
+		goto err;
+	if ((ret=BIO_push(ssl,con)) == NULL)
+		goto err;
+	return(ret);
+err:
+	if (con != NULL) BIO_free(con);
+	if (ret != NULL) BIO_free(ret);
+	return(NULL);
+	}
+
+BIO *BIO_new_ssl(SSL_CTX *ctx, int client)
+	{
+	BIO *ret;
+	SSL *ssl;
+
+	if ((ret=BIO_new(BIO_f_ssl())) == NULL)
+		return(NULL);
+	if ((ssl=SSL_new(ctx)) == NULL)
+		{
+		BIO_free(ret);
+		return(NULL);
+		}
+	if (client)
+		SSL_set_connect_state(ssl);
+	else
+		SSL_set_accept_state(ssl);
+		
+	BIO_set_ssl(ret,ssl,BIO_CLOSE);
+	return(ret);
+	}
+
+int BIO_ssl_copy_session_id(BIO *t, BIO *f)
+	{
+	t=BIO_find_type(t,BIO_TYPE_SSL);
+	f=BIO_find_type(f,BIO_TYPE_SSL);
+	if ((t == NULL) || (f == NULL))
+		return(0);
+	if (	(((BIO_SSL *)t->ptr)->ssl == NULL) || 
+		(((BIO_SSL *)f->ptr)->ssl == NULL))
+		return(0);
+	SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,((BIO_SSL *)f->ptr)->ssl);
+	return(1);
+	}
+
+void BIO_ssl_shutdown(BIO *b)
+	{
+	SSL *s;
+
+	while (b != NULL)
+		{
+		if (b->method->type == BIO_TYPE_SSL)
+			{
+			s=((BIO_SSL *)b->ptr)->ssl;
+			SSL_shutdown(s);
+			break;
+			}
+		b=b->next_bio;
+		}
+	}
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
new file mode 100644
index 0000000..c6b2323
--- /dev/null
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -0,0 +1,475 @@
+/* ssl/s23_clnt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl23_get_client_method(int ver);
+static int ssl23_client_hello(SSL *s);
+static int ssl23_get_server_hello(SSL *s);
+static SSL_METHOD *ssl23_get_client_method(int ver)
+	{
+#ifndef NO_SSL2
+	if (ver == SSL2_VERSION)
+		return(SSLv2_client_method());
+#endif
+	if (ver == SSL3_VERSION)
+		return(SSLv3_client_method());
+	else if (ver == TLS1_VERSION)
+		return(TLSv1_client_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv23_client_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv23_client_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv23_client_data,
+			(char *)sslv23_base_method(),sizeof(SSL_METHOD));
+		SSLv23_client_data.ssl_connect=ssl23_connect;
+		SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+		init=0;
+		}
+	return(&SSLv23_client_data);
+	}
+
+int ssl23_connect(SSL *s)
+	{
+	BUF_MEM *buf;
+	unsigned long Time=time(NULL);
+	void (*cb)()=NULL;
+	int ret= -1;
+	int new_state,state;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+	
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
+	s->in_handshake++;
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch(s->state)
+			{
+		case SSL_ST_BEFORE:
+		case SSL_ST_CONNECT:
+		case SSL_ST_BEFORE|SSL_ST_CONNECT:
+		case SSL_ST_OK|SSL_ST_CONNECT:
+
+			if (s->session != NULL)
+				{
+				SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
+				ret= -1;
+				goto end;
+				}
+			s->server=0;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			/* s->version=TLS1_VERSION; */
+			s->type=SSL_ST_CONNECT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
+
+			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
+
+			ssl3_init_finished_mac(s);
+
+			s->state=SSL23_ST_CW_CLNT_HELLO_A;
+			s->ctx->stats.sess_connect++;
+			s->init_num=0;
+			break;
+
+		case SSL23_ST_CW_CLNT_HELLO_A:
+		case SSL23_ST_CW_CLNT_HELLO_B:
+
+			s->shutdown=0;
+			ret=ssl23_client_hello(s);
+			if (ret <= 0) goto end;
+			s->state=SSL23_ST_CR_SRVR_HELLO_A;
+			s->init_num=0;
+
+			break;
+
+		case SSL23_ST_CR_SRVR_HELLO_A:
+		case SSL23_ST_CR_SRVR_HELLO_B:
+			ret=ssl23_get_server_hello(s);
+			if (ret >= 0) cb=NULL;
+			goto end;
+			/* break; */
+
+		default:
+			SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+
+		if (s->debug) { (void)BIO_flush(s->wbio); }
+
+		if ((cb != NULL) && (s->state != state))
+			{
+			new_state=s->state;
+			s->state=state;
+			cb(s,SSL_CB_CONNECT_LOOP,1);
+			s->state=new_state;
+			}
+		}
+end:
+	s->in_handshake--;
+	if (cb != NULL)
+		cb(s,SSL_CB_CONNECT_EXIT,ret);
+	return(ret);
+	}
+
+
+static int ssl23_client_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int i,ch_len;
+
+	buf=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+		{
+#if 0
+		/* don't reuse session-id's */
+		if (!ssl_get_new_session(s,0))
+			{
+			return(-1);
+			}
+#endif
+
+		p=s->s3->client_random;
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
+
+		/* Do the message type and length last */
+		d= &(buf[2]);
+		p=d+9;
+
+		*(d++)=SSL2_MT_CLIENT_HELLO;
+		if (!(s->options & SSL_OP_NO_TLSv1))
+			{
+			*(d++)=TLS1_VERSION_MAJOR;
+			*(d++)=TLS1_VERSION_MINOR;
+			s->client_version=TLS1_VERSION;
+			}
+		else if (!(s->options & SSL_OP_NO_SSLv3))
+			{
+			*(d++)=SSL3_VERSION_MAJOR;
+			*(d++)=SSL3_VERSION_MINOR;
+			s->client_version=SSL3_VERSION;
+			}
+		else if (!(s->options & SSL_OP_NO_SSLv2))
+			{
+			*(d++)=SSL2_VERSION_MAJOR;
+			*(d++)=SSL2_VERSION_MINOR;
+			s->client_version=SSL2_VERSION;
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
+			return(-1);
+			}
+
+		/* Ciphers supported */
+		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p);
+		if (i == 0)
+			{
+			/* no ciphers */
+			SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+			return(-1);
+			}
+		s2n(i,d);
+		p+=i;
+
+		/* put in the session-id, zero since there is no
+		 * reuse. */
+#if 0
+		s->session->session_id_length=0;
+#endif
+		s2n(0,d);
+
+		if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
+			ch_len=SSL2_CHALLENGE_LENGTH;
+		else
+			ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+
+		/* write out sslv2 challenge */
+		if (SSL3_RANDOM_SIZE < ch_len)
+			i=SSL3_RANDOM_SIZE;
+		else
+			i=ch_len;
+		s2n(i,d);
+		memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
+		RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+		memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+		p+=i;
+
+		i= p- &(buf[2]);
+		buf[0]=((i>>8)&0xff)|0x80;
+		buf[1]=(i&0xff);
+
+		s->state=SSL23_ST_CW_CLNT_HELLO_B;
+		/* number of bytes to write */
+		s->init_num=i+2;
+		s->init_off=0;
+
+		ssl3_finish_mac(s,&(buf[2]),i);
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(ssl23_write_bytes(s));
+	}
+
+static int ssl23_get_server_hello(SSL *s)
+	{
+	char buf[8];
+	unsigned char *p;
+	int i;
+	int n;
+
+	n=ssl23_read_bytes(s,7);
+
+	if (n != 7) return(n);
+	p=s->packet;
+
+	memcpy(buf,p,n);
+
+	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
+		(p[5] == 0x00) && (p[6] == 0x02))
+		{
+#ifdef NO_SSL2
+		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+		goto err;
+#else
+		/* we are talking sslv2 */
+		/* we need to clean up the SSLv3 setup and put in the
+		 * sslv2 stuff. */
+		int ch_len;
+
+		if (s->options & SSL_OP_NO_SSLv2)
+			{
+			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+			goto err;
+			}
+		if (s->s2 == NULL)
+			{
+			if (!ssl2_new(s))
+				goto err;
+			}
+		else
+			ssl2_clear(s);
+
+		if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
+			ch_len=SSL2_CHALLENGE_LENGTH;
+		else
+			ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+
+		/* write out sslv2 challenge */
+		i=(SSL3_RANDOM_SIZE < ch_len)
+			?SSL3_RANDOM_SIZE:ch_len;
+		s->s2->challenge_length=i;
+		memcpy(s->s2->challenge,
+			&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+
+		if (s->s3 != NULL) ssl3_free(s);
+
+		if (!BUF_MEM_grow(s->init_buf,
+			SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+			{
+			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
+			goto err;
+			}
+
+		s->state=SSL2_ST_GET_SERVER_HELLO_A;
+		s->s2->ssl2_rollback=1;
+
+		/* setup the 5 bytes we have read so we get them from
+		 * the sslv2 buffer */
+		s->rstate=SSL_ST_READ_HEADER;
+		s->packet_length=n;
+		s->packet= &(s->s2->rbuf[0]);
+		memcpy(s->packet,buf,n);
+		s->s2->rbuf_left=n;
+		s->s2->rbuf_offs=0;
+
+		/* we have already written one */
+		s->s2->write_sequence=1;
+
+		s->method=SSLv2_client_method();
+		s->handshake_func=s->method->ssl_connect;
+#endif
+		}
+	else if ((p[0] == SSL3_RT_HANDSHAKE) &&
+		 (p[1] == SSL3_VERSION_MAJOR) &&
+		 ((p[2] == SSL3_VERSION_MINOR) ||
+		  (p[2] == TLS1_VERSION_MINOR)) &&
+		 (p[5] == SSL3_MT_SERVER_HELLO))
+		{
+		/* we have sslv3 or tls1 */
+
+		if (!ssl_init_wbio_buffer(s,1)) goto err;
+
+		/* we are in this state */
+		s->state=SSL3_ST_CR_SRVR_HELLO_A;
+
+		/* put the 5 bytes we have read into the input buffer
+		 * for SSLv3 */
+		s->rstate=SSL_ST_READ_HEADER;
+		s->packet_length=n;
+		s->packet= &(s->s3->rbuf.buf[0]);
+		memcpy(s->packet,buf,n);
+		s->s3->rbuf.left=n;
+		s->s3->rbuf.offset=0;
+
+		if ((p[2] == SSL3_VERSION_MINOR) &&
+			!(s->options & SSL_OP_NO_SSLv3))
+			{
+			s->version=SSL3_VERSION;
+			s->method=SSLv3_client_method();
+			}
+		else if ((p[2] == TLS1_VERSION_MINOR) &&
+			!(s->options & SSL_OP_NO_TLSv1))
+			{
+			s->version=TLS1_VERSION;
+			s->method=TLSv1_client_method();
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+			goto err;
+			}
+			
+		s->handshake_func=s->method->ssl_connect;
+		}
+	else if ((p[0] == SSL3_RT_ALERT) &&
+		 (p[1] == SSL3_VERSION_MAJOR) &&
+		 ((p[2] == SSL3_VERSION_MINOR) ||
+		  (p[2] == TLS1_VERSION_MINOR)) &&
+		 (p[3] == 0) &&
+		 (p[4] == 2))
+		{
+		void (*cb)()=NULL;
+		int j;
+
+		/* An alert */
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+ 
+		i=p[5];
+		if (cb != NULL)
+			{
+			j=(i<<8)|p[6];
+			cb(s,SSL_CB_READ_ALERT,j);
+			}
+
+		s->rwstate=SSL_NOTHING;
+		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
+		goto err;
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNKNOWN_PROTOCOL);
+		goto err;
+		}
+	s->init_num=0;
+
+	/* Since, if we are sending a ssl23 client hello, we are not
+	 * reusing a session-id */
+	if (!ssl_get_new_session(s,0))
+		goto err;
+
+	s->first_packet=1;
+	return(SSL_connect(s));
+err:
+	return(-1);
+	}
+
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
new file mode 100644
index 0000000..bc77e84
--- /dev/null
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -0,0 +1,228 @@
+/* ssl/s23_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+static int ssl23_num_ciphers(void );
+static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
+static int ssl23_read(SSL *s, void *buf, int len);
+static int ssl23_write(SSL *s, const void *buf, int len);
+static long ssl23_default_timeout(void );
+static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
+static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
+const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
+
+static SSL_METHOD SSLv23_data= {
+	TLS1_VERSION,
+	tls1_new,
+	tls1_clear,
+	tls1_free,
+	ssl_undefined_function,
+	ssl_undefined_function,
+	ssl23_read,
+	(int (*)(struct ssl_st *, char *, int))ssl_undefined_function,
+	ssl23_write,
+	ssl_undefined_function,
+	ssl_undefined_function,
+	ssl_ok,
+	ssl3_ctrl,
+	ssl3_ctx_ctrl,
+	ssl23_get_cipher_by_char,
+	ssl23_put_cipher_by_char,
+	ssl_undefined_function,
+	ssl23_num_ciphers,
+	ssl23_get_cipher,
+	ssl_bad_method,
+	ssl23_default_timeout,
+	&ssl3_undef_enc_method,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
+	};
+
+static long ssl23_default_timeout(void)
+	{
+	return(300);
+	}
+
+SSL_METHOD *sslv23_base_method(void)
+	{
+	return(&SSLv23_data);
+	}
+
+static int ssl23_num_ciphers(void)
+	{
+	return(ssl3_num_ciphers()
+#ifndef NO_SSL2
+	       + ssl2_num_ciphers()
+#endif
+	    );
+	}
+
+static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
+	{
+	unsigned int uu=ssl3_num_ciphers();
+
+	if (u < uu)
+		return(ssl3_get_cipher(u));
+	else
+#ifndef NO_SSL2
+		return(ssl2_get_cipher(u-uu));
+#else
+		return(NULL);
+#endif
+	}
+
+/* This function needs to check if the ciphers required are actually
+ * available */
+static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
+	{
+	SSL_CIPHER c,*cp;
+	unsigned long id;
+	int n;
+
+	n=ssl3_num_ciphers();
+	id=0x03000000|((unsigned long)p[0]<<16L)|
+		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
+	c.id=id;
+	cp=ssl3_get_cipher_by_char(p);
+#ifndef NO_SSL2
+	if (cp == NULL)
+		cp=ssl2_get_cipher_by_char(p);
+#endif
+	return(cp);
+	}
+
+static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+	{
+	long l;
+
+	/* We can write SSLv2 and SSLv3 ciphers */
+	if (p != NULL)
+		{
+		l=c->id;
+		p[0]=((unsigned char)(l>>16L))&0xFF;
+		p[1]=((unsigned char)(l>> 8L))&0xFF;
+		p[2]=((unsigned char)(l     ))&0xFF;
+		}
+	return(3);
+	}
+
+static int ssl23_read(SSL *s, void *buf, int len)
+	{
+	int n;
+
+#if 0
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+#endif
+	clear_sys_error();
+	if (SSL_in_init(s) && (!s->in_handshake))
+		{
+		n=s->handshake_func(s);
+		if (n < 0) return(n);
+		if (n == 0)
+			{
+			SSLerr(SSL_F_SSL23_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		return(SSL_read(s,buf,len));
+		}
+	else
+		{
+		ssl_undefined_function(s);
+		return(-1);
+		}
+	}
+
+static int ssl23_write(SSL *s, const void *buf, int len)
+	{
+	int n;
+
+#if 0
+	if (s->shutdown & SSL_SENT_SHUTDOWN)
+		{
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+#endif
+	clear_sys_error();
+	if (SSL_in_init(s) && (!s->in_handshake))
+		{
+		n=s->handshake_func(s);
+		if (n < 0) return(n);
+		if (n == 0)
+			{
+			SSLerr(SSL_F_SSL23_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		return(SSL_write(s,buf,len));
+		}
+	else
+		{
+		ssl_undefined_function(s);
+		return(-1);
+		}
+	}
diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c
new file mode 100644
index 0000000..b52ca1d
--- /dev/null
+++ b/crypto/openssl/ssl/s23_meth.c
@@ -0,0 +1,92 @@
+/* ssl/s23_meth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl23_get_method(int ver);
+static SSL_METHOD *ssl23_get_method(int ver)
+	{
+	if (ver == SSL2_VERSION)
+		return(SSLv23_method());
+	else if (ver == SSL3_VERSION)
+		return(SSLv3_method());
+	else if (ver == TLS1_VERSION)
+		return(TLSv1_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv23_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv23_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv23_data.ssl_connect=ssl23_connect;
+		SSLv23_data.ssl_accept=ssl23_accept;
+		SSLv23_data.get_ssl_method=ssl23_get_method;
+		init=0;
+		}
+	return(&SSLv23_data);
+	}
+
diff --git a/crypto/openssl/ssl/s23_pkt.c b/crypto/openssl/ssl/s23_pkt.c
new file mode 100644
index 0000000..f45e1ce
--- /dev/null
+++ b/crypto/openssl/ssl/s23_pkt.c
@@ -0,0 +1,117 @@
+/* ssl/s23_pkt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+#include "ssl_locl.h"
+
+int ssl23_write_bytes(SSL *s)
+	{
+	int i,num,tot;
+	char *buf;
+
+	buf=s->init_buf->data;
+	tot=s->init_off;
+	num=s->init_num;
+	for (;;)
+		{
+		s->rwstate=SSL_WRITING;
+		i=BIO_write(s->wbio,&(buf[tot]),num);
+		if (i <= 0)
+			{
+			s->init_off=tot;
+			s->init_num=num;
+			return(i);
+			}
+		s->rwstate=SSL_NOTHING;
+		if (i == num) return(tot+i);
+
+		num-=i;
+		tot+=i;
+		}
+	}
+
+/* return regularly only when we have read (at least) 'n' bytes */
+int ssl23_read_bytes(SSL *s, int n)
+	{
+	unsigned char *p;
+	int j;
+
+	if (s->packet_length < (unsigned int)n)
+		{
+		p=s->packet;
+
+		for (;;)
+			{
+			s->rwstate=SSL_READING;
+			j=BIO_read(s->rbio,(char *)&(p[s->packet_length]),
+				n-s->packet_length);
+			if (j <= 0)
+				return(j);
+			s->rwstate=SSL_NOTHING;
+			s->packet_length+=j;
+			if (s->packet_length >= (unsigned int)n)
+				return(s->packet_length);
+			}
+		}
+	return(n);
+	}
+
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
new file mode 100644
index 0000000..c1c2e9d
--- /dev/null
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -0,0 +1,570 @@
+/* ssl/s23_srvr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl23_get_server_method(int ver);
+int ssl23_get_client_hello(SSL *s);
+static SSL_METHOD *ssl23_get_server_method(int ver)
+	{
+#ifndef NO_SSL2
+	if (ver == SSL2_VERSION)
+		return(SSLv2_server_method());
+#endif
+	if (ver == SSL3_VERSION)
+		return(SSLv3_server_method());
+	else if (ver == TLS1_VERSION)
+		return(TLSv1_server_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv23_server_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv23_server_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv23_server_data,
+			(char *)sslv23_base_method(),sizeof(SSL_METHOD));
+		SSLv23_server_data.ssl_accept=ssl23_accept;
+		SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+		init=0;
+		}
+	return(&SSLv23_server_data);
+	}
+
+int ssl23_accept(SSL *s)
+	{
+	BUF_MEM *buf;
+	unsigned long Time=time(NULL);
+	void (*cb)()=NULL;
+	int ret= -1;
+	int new_state,state;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+	
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
+	s->in_handshake++;
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch(s->state)
+			{
+		case SSL_ST_BEFORE:
+		case SSL_ST_ACCEPT:
+		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
+		case SSL_ST_OK|SSL_ST_ACCEPT:
+
+			s->server=1;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			/* s->version=SSL3_VERSION; */
+			s->type=SSL_ST_ACCEPT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
+
+			ssl3_init_finished_mac(s);
+
+			s->state=SSL23_ST_SR_CLNT_HELLO_A;
+			s->ctx->stats.sess_accept++;
+			s->init_num=0;
+			break;
+
+		case SSL23_ST_SR_CLNT_HELLO_A:
+		case SSL23_ST_SR_CLNT_HELLO_B:
+
+			s->shutdown=0;
+			ret=ssl23_get_client_hello(s);
+			if (ret >= 0) cb=NULL;
+			goto end;
+			/* break; */
+
+		default:
+			SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+
+		if ((cb != NULL) && (s->state != state))
+			{
+			new_state=s->state;
+			s->state=state;
+			cb(s,SSL_CB_ACCEPT_LOOP,1);
+			s->state=new_state;
+			}
+		}
+end:
+	if (cb != NULL)
+		cb(s,SSL_CB_ACCEPT_EXIT,ret);
+	s->in_handshake--;
+	return(ret);
+	}
+
+
+int ssl23_get_client_hello(SSL *s)
+	{
+	char buf_space[11]; /* Request this many bytes in initial read.
+	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos
+	                     * ('type == 3') correctly only when the following
+	                     * is in a single record, which is not guaranteed by
+	                     * the protocol specification:
+	                     * Byte  Content
+	                     *  0     type            \
+	                     *  1/2   version          > record header
+	                     *  3/4   length          /
+	                     *  5     msg_type        \
+	                     *  6-8   length           > Client Hello message
+	                     *  9/10  client_version  /
+	                     */
+	char *buf= &(buf_space[0]);
+	unsigned char *p,*d,*dd;
+	unsigned int i;
+	unsigned int csl,sil,cl;
+	int n=0,j;
+	int type=0;
+	int v[2];
+#ifndef NO_RSA
+	int use_sslv2_strong=0;
+#endif
+
+	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
+		{
+		/* read the initial header */
+		v[0]=v[1]=0;
+
+		if (!ssl3_setup_buffers(s)) goto err;
+
+		n=ssl23_read_bytes(s, sizeof buf_space);
+		if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */
+
+		p=s->packet;
+
+		memcpy(buf,p,n);
+
+		if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
+			{
+			/*
+			 * SSLv2 header
+			 */
+			if ((p[3] == 0x00) && (p[4] == 0x02))
+				{
+				v[0]=p[3]; v[1]=p[4];
+				/* SSLv2 */
+				if (!(s->options & SSL_OP_NO_SSLv2))
+					type=1;
+				}
+			else if (p[3] == SSL3_VERSION_MAJOR)
+				{
+				v[0]=p[3]; v[1]=p[4];
+				/* SSLv3/TLSv1 */
+				if (p[4] >= TLS1_VERSION_MINOR)
+					{
+					if (!(s->options & SSL_OP_NO_TLSv1))
+						{
+						s->version=TLS1_VERSION;
+						/* type=2; */ /* done later to survive restarts */
+						s->state=SSL23_ST_SR_CLNT_HELLO_B;
+						}
+					else if (!(s->options & SSL_OP_NO_SSLv3))
+						{
+						s->version=SSL3_VERSION;
+						/* type=2; */
+						s->state=SSL23_ST_SR_CLNT_HELLO_B;
+						}
+					else if (!(s->options & SSL_OP_NO_SSLv2))
+						{
+						type=1;
+						}
+					}
+				else if (!(s->options & SSL_OP_NO_SSLv3))
+					{
+					s->version=SSL3_VERSION;
+					/* type=2; */
+					s->state=SSL23_ST_SR_CLNT_HELLO_B;
+					}
+				else if (!(s->options & SSL_OP_NO_SSLv2))
+					type=1;
+
+				if (s->options & SSL_OP_NON_EXPORT_FIRST)
+					/* Not only utterly confusing, but broken
+					 * ('fractured programming'?) -- the details
+					 * of this block nearly make it work
+					 * as intended in this environment, but on one
+					 * of the fine points (w.r.t. restarts) it fails.
+					 * The obvious fix would be even more devastating
+					 * to program structure; if you want the functionality,
+					 * throw this away and implement it in a way
+					 * that makes sense */
+					{
+#if 0
+					STACK_OF(SSL_CIPHER) *sk;
+					SSL_CIPHER *c;
+					int ne2,ne3;
+
+					j=((p[0]&0x7f)<<8)|p[1];
+					if (j > (1024*4))
+						{
+						SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
+						goto err;
+						}
+
+					n=ssl23_read_bytes(s,j+2);
+					if (n <= 0) return(n);
+					p=s->packet;
+
+					if ((buf=Malloc(n)) == NULL)
+						{
+						SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
+						goto err;
+						}
+					memcpy(buf,p,n);
+
+					p+=5;
+					n2s(p,csl);
+					p+=4;
+
+					sk=ssl_bytes_to_cipher_list(
+						s,p,csl,NULL);
+					if (sk != NULL)
+						{
+						ne2=ne3=0;
+						for (j=0; j<sk_SSL_CIPHER_num(sk); j++)
+							{
+							c=sk_SSL_CIPHER_value(sk,j);
+							if (!SSL_C_IS_EXPORT(c))
+								{
+								if ((c->id>>24L) == 2L)
+									ne2=1;
+								else
+									ne3=1;
+								}
+							}
+						if (ne2 && !ne3)
+							{
+							type=1;
+							use_sslv2_strong=1;
+							goto next_bit;
+							}
+						}
+#else
+					SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION);
+					goto err;
+#endif
+					}
+				}
+			}
+		else if ((p[0] == SSL3_RT_HANDSHAKE) &&
+			 (p[1] == SSL3_VERSION_MAJOR) &&
+			 (p[5] == SSL3_MT_CLIENT_HELLO) &&
+			 ((p[3] == 0 && p[4] < 5 /* silly record length? */)
+				|| (p[9] == p[1])))
+			{
+			/*
+			 * SSLv3 or tls1 header
+			 */
+			
+			v[0]=p[1]; /* major version */
+			/* We must look at client_version inside the Client Hello message
+			 * to get the correct minor version: */
+			v[1]=p[10];
+			/* However if we have only a pathologically small fragment of the
+			 * Client Hello message, we simply use the version from the
+			 * record header -- this is incorrect but unlikely to fail in
+			 * practice */
+			if (p[3] == 0 && p[4] < 6)
+				v[1]=p[2];
+			if (v[1] >= TLS1_VERSION_MINOR)
+				{
+				if (!(s->options & SSL_OP_NO_TLSv1))
+					{
+					s->version=TLS1_VERSION;
+					type=3;
+					}
+				else if (!(s->options & SSL_OP_NO_SSLv3))
+					{
+					s->version=SSL3_VERSION;
+					type=3;
+					}
+				}
+			else if (!(s->options & SSL_OP_NO_SSLv3))
+				{
+				s->version=SSL3_VERSION;
+				type=3;
+				}
+			}
+		else if ((strncmp("GET ", (char *)p,4) == 0) ||
+			 (strncmp("POST ",(char *)p,5) == 0) ||
+			 (strncmp("HEAD ",(char *)p,5) == 0) ||
+			 (strncmp("PUT ", (char *)p,4) == 0))
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
+			goto err;
+			}
+		else if (strncmp("CONNECT",(char *)p,7) == 0)
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
+			goto err;
+			}
+		}
+
+	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
+		{
+		/* we have SSLv3/TLSv1 in an SSLv2 header
+		 * (other cases skip this state) */
+
+		type=2;
+		p=s->packet;
+		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+		v[1] = p[4];
+
+		n=((p[0]&0x7f)<<8)|p[1];
+		if (n > (1024*4))
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
+			goto err;
+			}
+
+		j=ssl23_read_bytes(s,n+2);
+		if (j <= 0) return(j);
+
+		ssl3_finish_mac(s,&(s->packet[2]),s->packet_length-2);
+
+		p=s->packet;
+		p+=5;
+		n2s(p,csl);
+		n2s(p,sil);
+		n2s(p,cl);
+		d=(unsigned char *)s->init_buf->data;
+		if ((csl+sil+cl+11) != s->packet_length)
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
+			goto err;
+			}
+
+		*(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
+		*(d++) = v[1];
+
+		/* lets populate the random area */
+		/* get the challenge_length */
+		i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
+		memset(d,0,SSL3_RANDOM_SIZE);
+		memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
+		d+=SSL3_RANDOM_SIZE;
+
+		/* no session-id reuse */
+		*(d++)=0;
+
+		/* ciphers */
+		j=0;
+		dd=d;
+		d+=2;
+		for (i=0; i<csl; i+=3)
+			{
+			if (p[i] != 0) continue;
+			*(d++)=p[i+1];
+			*(d++)=p[i+2];
+			j+=2;
+			}
+		s2n(j,dd);
+
+		/* COMPRESSION */
+		*(d++)=1;
+		*(d++)=0;
+		
+		i=(d-(unsigned char *)s->init_buf->data);
+
+		/* get the data reused from the init_buf */
+		s->s3->tmp.reuse_message=1;
+		s->s3->tmp.message_type=SSL3_MT_CLIENT_HELLO;
+		s->s3->tmp.message_size=i;
+		}
+
+	/* imaginary new state (for program structure): */
+	/* s->state = SSL23_SR_CLNT_HELLO_C */
+
+	if (type == 1)
+		{
+#ifdef NO_SSL2
+		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+		goto err;
+#else
+		/* we are talking sslv2 */
+		/* we need to clean up the SSLv3/TLSv1 setup and put in the
+		 * sslv2 stuff. */
+
+		if (s->s2 == NULL)
+			{
+			if (!ssl2_new(s))
+				goto err;
+			}
+		else
+			ssl2_clear(s);
+
+		if (s->s3 != NULL) ssl3_free(s);
+
+		if (!BUF_MEM_grow(s->init_buf,
+			SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+			{
+			goto err;
+			}
+
+		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
+		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
+			use_sslv2_strong)
+			s->s2->ssl2_rollback=0;
+		else
+			s->s2->ssl2_rollback=1;
+
+		/* setup the n bytes we have read so we get them from
+		 * the sslv2 buffer */
+		s->rstate=SSL_ST_READ_HEADER;
+		s->packet_length=n;
+		s->packet= &(s->s2->rbuf[0]);
+		memcpy(s->packet,buf,n);
+		s->s2->rbuf_left=n;
+		s->s2->rbuf_offs=0;
+
+		s->method=SSLv2_server_method();
+		s->handshake_func=s->method->ssl_accept;
+#endif
+		}
+
+	if ((type == 2) || (type == 3))
+		{
+		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+
+		if (!ssl_init_wbio_buffer(s,1)) goto err;
+
+		/* we are in this state */
+		s->state=SSL3_ST_SR_CLNT_HELLO_A;
+
+		if (type == 3)
+			{
+			/* put the 'n' bytes we have read into the input buffer
+			 * for SSLv3 */
+			s->rstate=SSL_ST_READ_HEADER;
+			s->packet_length=n;
+			s->packet= &(s->s3->rbuf.buf[0]);
+			memcpy(s->packet,buf,n);
+			s->s3->rbuf.left=n;
+			s->s3->rbuf.offset=0;
+			}
+		else
+			{
+			s->packet_length=0;
+			s->s3->rbuf.left=0;
+			s->s3->rbuf.offset=0;
+			}
+
+		if (s->version == TLS1_VERSION)
+			s->method = TLSv1_server_method();
+		else
+			s->method = SSLv3_server_method();
+#if 0 /* ssl3_get_client_hello does this */
+		s->client_version=(v[0]<<8)|v[1];
+#endif
+		s->handshake_func=s->method->ssl_accept;
+		}
+	
+	if ((type < 1) || (type > 3))
+		{
+		/* bad, very bad */
+		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
+		goto err;
+		}
+	s->init_num=0;
+
+	if (buf != buf_space) Free(buf);
+	s->first_packet=1;
+	return(SSL_accept(s));
+err:
+	if (buf != buf_space) Free(buf);
+	return(-1);
+	}
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
new file mode 100644
index 0000000..5781f98
--- /dev/null
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -0,0 +1,994 @@
+/* ssl/s2_clnt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+#include <openssl/rand.h>
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+
+static SSL_METHOD *ssl2_get_client_method(int ver);
+static int get_server_finished(SSL *s);
+static int get_server_verify(SSL *s);
+static int get_server_hello(SSL *s);
+static int client_hello(SSL *s); 
+static int client_master_key(SSL *s);
+static int client_finished(SSL *s);
+static int client_certificate(SSL *s);
+static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
+	unsigned char *to,int padding);
+#define BREAK	break
+
+static SSL_METHOD *ssl2_get_client_method(int ver)
+	{
+	if (ver == SSL2_VERSION)
+		return(SSLv2_client_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv2_client_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv2_client_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv2_client_data.ssl_connect=ssl2_connect;
+		SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+		init=0;
+		}
+	return(&SSLv2_client_data);
+	}
+
+int ssl2_connect(SSL *s)
+	{
+	unsigned long l=time(NULL);
+	BUF_MEM *buf=NULL;
+	int ret= -1;
+	void (*cb)()=NULL;
+	int new_state,state;
+
+	RAND_add(&l,sizeof(l),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+
+	/* init things to blank */
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+	s->in_handshake++;
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch (s->state)
+			{
+		case SSL_ST_BEFORE:
+		case SSL_ST_CONNECT:
+		case SSL_ST_BEFORE|SSL_ST_CONNECT:
+		case SSL_ST_OK|SSL_ST_CONNECT:
+
+			s->server=0;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			s->version=SSL2_VERSION;
+			s->type=SSL_ST_CONNECT;
+
+			buf=s->init_buf;
+			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
+				{
+				ret= -1;
+				goto end;
+				}
+			if (!BUF_MEM_grow(buf,
+				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+				{
+				ret= -1;
+				goto end;
+				}
+			s->init_buf=buf;
+			s->init_num=0;
+			s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
+			s->ctx->stats.sess_connect++;
+			s->handshake_func=ssl2_connect;
+			BREAK;
+
+		case SSL2_ST_SEND_CLIENT_HELLO_A:
+		case SSL2_ST_SEND_CLIENT_HELLO_B:
+			s->shutdown=0;
+			ret=client_hello(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_GET_SERVER_HELLO_A;
+			BREAK;
+		
+		case SSL2_ST_GET_SERVER_HELLO_A:
+		case SSL2_ST_GET_SERVER_HELLO_B:
+			ret=get_server_hello(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			if (!s->hit) /* new session */
+				{
+				s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_A;
+				BREAK; 
+				}
+			else
+				{
+				s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
+				break;
+				}
+	
+		case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:
+		case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:
+			ret=client_master_key(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
+			break;
+
+		case SSL2_ST_CLIENT_START_ENCRYPTION:
+			/* Ok, we now have all the stuff needed to
+			 * start encrypting, so lets fire it up :-) */
+			if (!ssl2_enc_init(s,1))
+				{
+				ret= -1;
+				goto end;
+				}
+			s->s2->clear_text=0;
+			s->state=SSL2_ST_SEND_CLIENT_FINISHED_A;
+			break;
+
+		case SSL2_ST_SEND_CLIENT_FINISHED_A:
+		case SSL2_ST_SEND_CLIENT_FINISHED_B:
+			ret=client_finished(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_GET_SERVER_VERIFY_A;
+			break;
+
+		case SSL2_ST_GET_SERVER_VERIFY_A:
+		case SSL2_ST_GET_SERVER_VERIFY_B:
+			ret=get_server_verify(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_GET_SERVER_FINISHED_A;
+			break;
+
+		case SSL2_ST_GET_SERVER_FINISHED_A:
+		case SSL2_ST_GET_SERVER_FINISHED_B:
+			ret=get_server_finished(s);
+			if (ret <= 0) goto end;
+			break;
+
+		case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:
+		case SSL2_ST_SEND_CLIENT_CERTIFICATE_B:
+		case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:
+		case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:
+		case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:
+			ret=client_certificate(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_GET_SERVER_FINISHED_A;
+			break;
+
+		case SSL_ST_OK:
+			if (s->init_buf != NULL)
+				{
+				BUF_MEM_free(s->init_buf);
+				s->init_buf=NULL;
+				}
+			s->init_num=0;
+		/*	ERR_clear_error();*/
+
+			/* If we want to cache session-ids in the client
+			 * and we successfully add the session-id to the
+			 * cache, and there is a callback, then pass it out.
+			 * 26/11/96 - eay - only add if not a re-used session.
+			 */
+
+			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
+			if (s->hit) s->ctx->stats.sess_hit++;
+
+			ret=1;
+			/* s->server=0; */
+			s->ctx->stats.sess_connect_good++;
+
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+
+			goto end;
+			/* break; */
+		default:
+			SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE);
+			return(-1);
+			/* break; */
+			}
+
+		if ((cb != NULL) && (s->state != state))
+			{
+			new_state=s->state;
+			s->state=state;
+			cb(s,SSL_CB_CONNECT_LOOP,1);
+			s->state=new_state;
+			}
+		}
+end:
+	s->in_handshake--;
+	if (cb != NULL) 
+		cb(s,SSL_CB_CONNECT_EXIT,ret);
+	return(ret);
+	}
+
+static int get_server_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p;
+	int i,j;
+	STACK_OF(SSL_CIPHER) *sk=NULL,*cl;
+
+	buf=(unsigned char *)s->init_buf->data;
+	p=buf;
+	if (s->state == SSL2_ST_GET_SERVER_HELLO_A)
+		{
+		i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
+		if (i < (11-s->init_num)) 
+			return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+
+		if (*(p++) != SSL2_MT_SERVER_HELLO)
+			{
+			if (p[-1] != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_SERVER_HELLO,
+					SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_SERVER_HELLO,
+					SSL_R_PEER_ERROR);
+			return(-1);
+			}
+#ifdef __APPLE_CC__
+		/* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug
+		 * workaround. <appro@fy.chalmers.se> */
+		s->hit=(i=*(p++))?1:0;
+#else
+		s->hit=(*(p++))?1:0;
+#endif
+		s->s2->tmp.cert_type= *(p++);
+		n2s(p,i);
+		if (i < s->version) s->version=i;
+		n2s(p,i); s->s2->tmp.cert_length=i;
+		n2s(p,i); s->s2->tmp.csl=i;
+		n2s(p,i); s->s2->tmp.conn_id_length=i;
+		s->state=SSL2_ST_GET_SERVER_HELLO_B;
+		s->init_num=0;
+		}
+
+	/* SSL2_ST_GET_SERVER_HELLO_B */
+	j=s->s2->tmp.cert_length+s->s2->tmp.csl+s->s2->tmp.conn_id_length
+		- s->init_num;
+	i=ssl2_read(s,(char *)&(buf[s->init_num]),j);
+	if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+
+	/* things are looking good */
+
+	p=buf;
+	if (s->hit)
+		{
+		if (s->s2->tmp.cert_length != 0) 
+			{
+			SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_LENGTH_NOT_ZERO);
+			return(-1);
+			}
+		if (s->s2->tmp.cert_type != 0)
+			{
+			if (!(s->options &
+				SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG))
+				{
+				SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_TYPE_NOT_ZERO);
+				return(-1);
+				}
+			}
+		if (s->s2->tmp.csl != 0)
+			{
+			SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CIPHER_LIST_NOT_ZERO);
+			return(-1);
+			}
+		}
+	else
+		{
+#ifdef undef
+		/* very bad */
+		memset(s->session->session_id,0,
+			SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES);
+		s->session->session_id_length=0;
+		*/
+#endif
+
+		/* we need to do this in case we were trying to reuse a 
+		 * client session but others are already reusing it.
+		 * If this was a new 'blank' session ID, the session-id
+		 * length will still be 0 */
+		if (s->session->session_id_length > 0)
+			{
+			if (!ssl_get_new_session(s,0))
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				return(-1);
+				}
+			}
+
+		if (ssl2_set_certificate(s,s->s2->tmp.cert_type,
+			s->s2->tmp.cert_length,p) <= 0)
+			{
+			ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
+			return(-1);
+			}
+		p+=s->s2->tmp.cert_length;
+
+		if (s->s2->tmp.csl == 0)
+			{
+			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+			SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_LIST);
+			return(-1);
+			}
+
+		/* We have just received a list of ciphers back from the
+		 * server.  We need to get the ones that match, then select
+		 * the one we want the most :-). */
+
+		/* load the ciphers */
+		sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl,
+					    &s->session->ciphers);
+		p+=s->s2->tmp.csl;
+		if (sk == NULL)
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			SSLerr(SSL_F_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
+			return(-1);
+			}
+
+		sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
+
+		/* get the array of ciphers we will accept */
+		cl=ssl_get_ciphers_by_id(s);
+
+		/* In theory we could have ciphers sent back that we
+		 * don't want to use but that does not matter since we
+		 * will check against the list we originally sent and
+		 * for performance reasons we should not bother to match
+		 * the two lists up just to check. */
+		for (i=0; i<sk_SSL_CIPHER_num(cl); i++)
+			{
+			if (sk_SSL_CIPHER_find(sk,
+					       sk_SSL_CIPHER_value(cl,i)) >= 0)
+				break;
+			}
+
+		if (i >= sk_SSL_CIPHER_num(cl))
+			{
+			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+			SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
+			return(-1);
+			}
+		s->session->cipher=sk_SSL_CIPHER_value(cl,i);
+
+
+		if (s->session->peer != NULL) /* can't happen*/
+			{
+			ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+			SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+			return(-1);
+			}
+
+		s->session->peer = s->session->sess_cert->peer_key->x509;
+		/* peer_key->x509 has been set by ssl2_set_certificate. */
+		CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
+		}
+
+	if (s->session->peer != s->session->sess_cert->peer_key->x509)
+		/* can't happen */
+		{
+		ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+		SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+		return(-1);
+		}
+		
+	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
+	return(1);
+	}
+
+static int client_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+/*	CIPHER **cipher;*/
+	int i,n,j;
+
+	buf=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A)
+		{
+		if ((s->session == NULL) ||
+			(s->session->ssl_version != s->version))
+			{
+			if (!ssl_get_new_session(s,0))
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				return(-1);
+				}
+			}
+		/* else use the pre-loaded session */
+
+		p=buf;					/* header */
+		d=p+9;					/* data section */
+		*(p++)=SSL2_MT_CLIENT_HELLO;		/* type */
+		s2n(SSL2_VERSION,p);			/* version */
+		n=j=0;
+
+		n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d);
+		d+=n;
+
+		if (n == 0)
+			{
+			SSLerr(SSL_F_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+			return(-1);
+			}
+
+		s2n(n,p);			/* cipher spec num bytes */
+
+		if ((s->session->session_id_length > 0) &&
+			(s->session->session_id_length <=
+			SSL2_MAX_SSL_SESSION_ID_LENGTH))
+			{
+			i=s->session->session_id_length;
+			s2n(i,p);		/* session id length */
+			memcpy(d,s->session->session_id,(unsigned int)i);
+			d+=i;
+			}
+		else
+			{
+			s2n(0,p);
+			}
+
+		s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
+		s2n(SSL2_CHALLENGE_LENGTH,p);		/* challenge length */
+		/*challenge id data*/
+		RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+		memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+		d+=SSL2_CHALLENGE_LENGTH;
+
+		s->state=SSL2_ST_SEND_CLIENT_HELLO_B;
+		s->init_num=d-buf;
+		s->init_off=0;
+		}
+	/* SSL2_ST_SEND_CLIENT_HELLO_B */
+	return(ssl2_do_write(s));
+	}
+
+static int client_master_key(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int clear,enc,karg,i;
+	SSL_SESSION *sess;
+	const EVP_CIPHER *c;
+	const EVP_MD *md;
+
+	buf=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
+		{
+
+		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
+			{
+			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+			return(-1);
+			}
+		sess=s->session;
+		p=buf;
+		d=p+10;
+		*(p++)=SSL2_MT_CLIENT_MASTER_KEY;/* type */
+
+		i=ssl_put_cipher_by_char(s,sess->cipher,p);
+		p+=i;
+
+		/* make key_arg data */
+		i=EVP_CIPHER_iv_length(c);
+		sess->key_arg_length=i;
+		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
+
+		/* make a master key */
+		i=EVP_CIPHER_key_length(c);
+		sess->master_key_length=i;
+		if (i > 0)
+			{
+			if (RAND_bytes(sess->master_key,i) <= 0)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				return(-1);
+				}
+			}
+
+		if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
+			enc=8;
+		else if (SSL_C_IS_EXPORT(sess->cipher))
+			enc=5;
+		else
+			enc=i;
+
+		if (i < enc)
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_CIPHER_TABLE_SRC_ERROR);
+			return(-1);
+			}
+		clear=i-enc;
+		s2n(clear,p);
+		memcpy(d,sess->master_key,(unsigned int)clear);
+		d+=clear;
+
+		enc=ssl_rsa_public_encrypt(sess->sess_cert,enc,
+			&(sess->master_key[clear]),d,
+			(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+		if (enc <= 0)
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
+			return(-1);
+			}
+#ifdef PKCS1_CHECK
+		if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++;
+		if (s->options & SSL_OP_PKCS1_CHECK_2)
+			sess->master_key[clear]++;
+#endif
+		s2n(enc,p);
+		d+=enc;
+		karg=sess->key_arg_length;	
+		s2n(karg,p); /* key arg size */
+		memcpy(d,sess->key_arg,(unsigned int)karg);
+		d+=karg;
+
+		s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_B;
+		s->init_num=d-buf;
+		s->init_off=0;
+		}
+
+	/* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */
+	return(ssl2_do_write(s));
+	}
+
+static int client_finished(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
+
+		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
+		s->init_num=s->s2->conn_id_length+1;
+		s->init_off=0;
+		}
+	return(ssl2_do_write(s));
+	}
+
+/* read the data and then respond */
+static int client_certificate(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int i;
+	unsigned int n;
+	int cert_ch_len=0;
+	unsigned char *cert_ch;
+
+	buf=(unsigned char *)s->init_buf->data;
+	cert_ch= &(buf[2]);
+
+	/* We have a cert associated with the SSL, so attach it to
+	 * the session if it does not have one */
+
+	if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
+		{
+		i=ssl2_read(s,(char *)&(buf[s->init_num]),
+			SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
+		if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+			return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
+
+		/* type=buf[0]; */
+		/* type eq x509 */
+		if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
+			{
+			ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
+			SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE);
+			return(-1);
+			}
+		cert_ch_len=i-1;
+
+		if ((s->cert == NULL) ||
+			(s->cert->key->x509 == NULL) ||
+			(s->cert->key->privatekey == NULL))
+			{
+			s->state=SSL2_ST_X509_GET_CLIENT_CERTIFICATE;
+			}
+		else
+			s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
+		}
+
+	if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE)
+		{
+		X509 *x509=NULL;
+		EVP_PKEY *pkey=NULL;
+
+		/* If we get an error we need to
+		 * ssl->rwstate=SSL_X509_LOOKUP;
+		 * return(error);
+		 * We should then be retried when things are ok and we
+		 * can get a cert or not */
+
+		i=0;
+		if (s->ctx->client_cert_cb != NULL)
+			{
+			i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+			}
+
+		if (i < 0)
+			{
+			s->rwstate=SSL_X509_LOOKUP;
+			return(-1);
+			}
+		s->rwstate=SSL_NOTHING;
+
+		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
+			{
+			s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
+			if (	!SSL_use_certificate(s,x509) || 
+				!SSL_use_PrivateKey(s,pkey))
+				{
+				i=0;
+				}
+			X509_free(x509);
+			EVP_PKEY_free(pkey);
+			}
+		else if (i == 1)
+			{
+			if (x509 != NULL) X509_free(x509);
+			if (pkey != NULL) EVP_PKEY_free(pkey);
+			SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+			i=0;
+			}
+
+		if (i == 0)
+			{
+			/* We have no client certificate to respond with
+			 * so send the correct error message back */
+			s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_B;
+			p=buf;
+			*(p++)=SSL2_MT_ERROR;
+			s2n(SSL2_PE_NO_CERTIFICATE,p);
+			s->init_off=0;
+			s->init_num=3;
+			/* Write is done at the end */
+			}
+		}
+
+	if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B)
+		{
+		return(ssl2_do_write(s));
+		}
+
+	if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C)
+		{
+		EVP_MD_CTX ctx;
+
+		/* ok, now we calculate the checksum
+		 * do it first so we can reuse buf :-) */
+		p=buf;
+		EVP_SignInit(&ctx,s->ctx->rsa_md5);
+		EVP_SignUpdate(&ctx,s->s2->key_material,
+			(unsigned int)s->s2->key_material_length);
+		EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
+		n=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
+		EVP_SignUpdate(&ctx,buf,(unsigned int)n);
+
+		p=buf;
+		d=p+6;
+		*(p++)=SSL2_MT_CLIENT_CERTIFICATE;
+		*(p++)=SSL2_CT_X509_CERTIFICATE;
+		n=i2d_X509(s->cert->key->x509,&d);
+		s2n(n,p);
+
+		if (!EVP_SignFinal(&ctx,d,&n,s->cert->key->privatekey))
+			{
+			/* this is not good.  If things have failed it
+			 * means there so something wrong with the key.
+			 * We will continue with a 0 length signature
+			 */
+			}
+		memset(&ctx,0,sizeof(ctx));
+		s2n(n,p);
+		d+=n;
+
+		s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_D;
+		s->init_num=d-buf;
+		s->init_off=0;
+		}
+	/* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */
+	return(ssl2_do_write(s));
+	}
+
+static int get_server_verify(SSL *s)
+	{
+	unsigned char *p;
+	int i;
+
+	p=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_GET_SERVER_VERIFY_A)
+		{
+		i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
+		if (i < (1-s->init_num)) 
+			return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+
+		s->state= SSL2_ST_GET_SERVER_VERIFY_B;
+		s->init_num=0;
+		if (*p != SSL2_MT_SERVER_VERIFY)
+			{
+			if (p[0] != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_SERVER_VERIFY,
+					SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_SERVER_VERIFY,
+					SSL_R_PEER_ERROR);
+			return(-1);
+			}
+		}
+	
+	p=(unsigned char *)s->init_buf->data;
+	i=ssl2_read(s,(char *)&(p[s->init_num]),
+		(unsigned int)s->s2->challenge_length-s->init_num);
+	if (i < ((int)s->s2->challenge_length-s->init_num))
+		return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+	if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
+		{
+		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+		SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
+		return(-1);
+		}
+	return(1);
+	}
+
+static int get_server_finished(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p;
+	int i;
+
+	buf=(unsigned char *)s->init_buf->data;
+	p=buf;
+	if (s->state == SSL2_ST_GET_SERVER_FINISHED_A)
+		{
+		i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num);
+		if (i < (1-s->init_num))
+			return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
+		s->init_num=i;
+		if (*p == SSL2_MT_REQUEST_CERTIFICATE)
+			{
+			s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
+			return(1);
+			}
+		else if (*p != SSL2_MT_SERVER_FINISHED)
+			{
+			if (p[0] != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
+			return(-1);
+			}
+		s->state=SSL_ST_OK;
+		s->init_num=0;
+		}
+
+	i=ssl2_read(s,(char *)&(buf[s->init_num]),
+		SSL2_SSL_SESSION_ID_LENGTH-s->init_num);
+	if (i < (SSL2_SSL_SESSION_ID_LENGTH-s->init_num))
+		return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
+
+	if (!s->hit) /* new session */
+		{
+		/* new session-id */
+		/* Make sure we were not trying to re-use an old SSL_SESSION
+		 * or bad things can happen */
+		/* ZZZZZZZZZZZZZ */
+		s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
+		memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+		}
+	else
+		{
+		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
+			{
+			if (memcmp(buf,s->session->session_id,
+				(unsigned int)s->session->session_id_length) != 0)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_SSL_SESSION_ID_IS_DIFFERENT);
+				return(-1);
+				}
+			}
+		}
+	return(1);
+	}
+
+/* loads in the certificate from the server */
+int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
+	{
+	STACK_OF(X509) *sk=NULL;
+	EVP_PKEY *pkey=NULL;
+	SESS_CERT *sc=NULL;
+	int i;
+	X509 *x509=NULL;
+	int ret=0;
+	
+	x509=d2i_X509(NULL,&data,(long)len);
+	if (x509 == NULL)
+		{
+		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_X509_LIB);
+		goto err;
+		}
+
+	if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509))
+		{
+		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	i=ssl_verify_cert_chain(s,sk);
+		
+	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+		{
+		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
+		goto err;
+		}
+
+	/* server's cert for this session */
+	sc=ssl_sess_cert_new();
+	if (sc == NULL)
+		{
+		ret= -1;
+		goto err;
+		}
+	if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
+	s->session->sess_cert=sc;
+
+	sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509;
+	sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
+
+	pkey=X509_get_pubkey(x509);
+	x509=NULL;
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY);
+		goto err;
+		}
+	if (pkey->type != EVP_PKEY_RSA)
+		{
+		SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_PUBLIC_KEY_NOT_RSA);
+		goto err;
+		}
+
+	if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE))
+		goto err;
+	ret=1;
+err:
+	sk_X509_free(sk);
+	X509_free(x509);
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+
+static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
+	     unsigned char *to, int padding)
+	{
+	EVP_PKEY *pkey=NULL;
+	int i= -1;
+
+	if ((sc == NULL) || (sc->peer_key->x509 == NULL) ||
+		((pkey=X509_get_pubkey(sc->peer_key->x509)) == NULL))
+		{
+		SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_NO_PUBLICKEY);
+		return(-1);
+		}
+	if (pkey->type != EVP_PKEY_RSA)
+		{
+		SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
+		goto end;
+		}
+
+	/* we have the public key */
+	i=RSA_public_encrypt(len,from,to,pkey->pkey.rsa,padding);
+	if (i < 0)
+		SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB);
+end:
+	EVP_PKEY_free(pkey);
+	return(i);
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
new file mode 100644
index 0000000..204acd7
--- /dev/null
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -0,0 +1,189 @@
+/* ssl/s2_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+
+int ssl2_enc_init(SSL *s, int client)
+	{
+	/* Max number of bytes needed */
+	EVP_CIPHER_CTX *rs,*ws;
+	const EVP_CIPHER *c;
+	const EVP_MD *md;
+	int num;
+
+	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
+		{
+		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+		SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+		return(0);
+		}
+
+	s->read_hash=md;
+	s->write_hash=md;
+
+	if ((s->enc_read_ctx == NULL) &&
+		((s->enc_read_ctx=(EVP_CIPHER_CTX *)
+		Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+		goto err;
+	if ((s->enc_write_ctx == NULL) &&
+		((s->enc_write_ctx=(EVP_CIPHER_CTX *)
+		Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+		goto err;
+
+	rs= s->enc_read_ctx;
+	ws= s->enc_write_ctx;
+
+	EVP_CIPHER_CTX_init(rs);
+	EVP_CIPHER_CTX_init(ws);
+
+	num=c->key_len;
+	s->s2->key_material_length=num*2;
+
+	ssl2_generate_key_material(s);
+
+	EVP_EncryptInit(ws,c,&(s->s2->key_material[(client)?num:0]),
+		s->session->key_arg);
+	EVP_DecryptInit(rs,c,&(s->s2->key_material[(client)?0:num]),
+		s->session->key_arg);
+	s->s2->read_key=  &(s->s2->key_material[(client)?0:num]);
+	s->s2->write_key= &(s->s2->key_material[(client)?num:0]);
+	return(1);
+err:
+	SSLerr(SSL_F_SSL2_ENC_INIT,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
+
+/* read/writes from s->s2->mac_data using length for encrypt and 
+ * decrypt.  It sets the s->s2->padding, s->[rw]length and
+ * s->s2->pad_data ptr if we are encrypting */
+void ssl2_enc(SSL *s, int send)
+	{
+	EVP_CIPHER_CTX *ds;
+	unsigned long l;
+	int bs;
+
+	if (send)
+		{
+		ds=s->enc_write_ctx;
+		l=s->s2->wlength;
+		}
+	else
+		{
+		ds=s->enc_read_ctx;
+		l=s->s2->rlength;
+		}
+
+	/* check for NULL cipher */
+	if (ds == NULL) return;
+
+
+	bs=ds->cipher->block_size;
+	/* This should be using (bs-1) and bs instead of 7 and 8, but
+	 * what the hell. */
+	if (bs == 8)
+		l=(l+7)/8*8;
+
+	EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l);
+	}
+
+void ssl2_mac(SSL *s, unsigned char *md, int send)
+	{
+	EVP_MD_CTX c;
+	unsigned char sequence[4],*p,*sec,*act;
+	unsigned long seq;
+	unsigned int len;
+
+	if (send)
+		{
+		seq=s->s2->write_sequence;
+		sec=s->s2->write_key;
+		len=s->s2->wact_data_length;
+		act=s->s2->wact_data;
+		}
+	else
+		{
+		seq=s->s2->read_sequence;
+		sec=s->s2->read_key;
+		len=s->s2->ract_data_length;
+		act=s->s2->ract_data;
+		}
+
+	p= &(sequence[0]);
+	l2n(seq,p);
+
+	/* There has to be a MAC algorithm. */
+	EVP_DigestInit(&c,s->read_hash);
+	EVP_DigestUpdate(&c,sec,
+		EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
+	EVP_DigestUpdate(&c,act,len); 
+	/* the above line also does the pad data */
+	EVP_DigestUpdate(&c,sequence,4); 
+	EVP_DigestFinal(&c,md,NULL);
+	/* some would say I should zero the md context */
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
new file mode 100644
index 0000000..8230f3b
--- /dev/null
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -0,0 +1,484 @@
+/* ssl/s2_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+
+static long ssl2_default_timeout(void );
+const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
+
+#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
+
+OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
+/* NULL_WITH_MD5 v3 */
+#if 0
+	{
+	1,
+	SSL2_TXT_NULL_WITH_MD5,
+	SSL2_CK_NULL_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+#endif
+/* RC4_128_EXPORT40_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
+	SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+	SSL_EXPORT|SSL_EXP40,
+	SSL2_CF_5_BYTE_ENC,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* RC4_128_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_RC4_128_WITH_MD5,
+	SSL2_CK_RC4_128_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* RC2_128_CBC_EXPORT40_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+	SSL_EXPORT|SSL_EXP40,
+	SSL2_CF_5_BYTE_ENC,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* RC2_128_CBC_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_RC2_128_CBC_WITH_MD5,
+	SSL2_CK_RC2_128_CBC_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* IDEA_128_CBC_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_IDEA_128_CBC_WITH_MD5,
+	SSL2_CK_IDEA_128_CBC_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* DES_64_CBC_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_DES_64_CBC_WITH_MD5,
+	SSL2_CK_DES_64_CBC_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* DES_192_EDE3_CBC_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
+	SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* RC4_64_WITH_MD5 */
+#if 1
+	{
+	1,
+	SSL2_TXT_RC4_64_WITH_MD5,
+	SSL2_CK_RC4_64_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+	SSL_NOT_EXP|SSL_LOW,
+	SSL2_CF_8_BYTE_ENC,
+	64,
+	64,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+#endif
+/* NULL SSLeay (testing) */
+#if 0
+	{	
+	0,
+	SSL2_TXT_NULL,
+	SSL2_CK_NULL,
+	0,
+	0,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+#endif
+
+/* end of list :-) */
+	};
+
+static SSL_METHOD SSLv2_data= {
+	SSL2_VERSION,
+	ssl2_new,	/* local */
+	ssl2_clear,	/* local */
+	ssl2_free,	/* local */
+	ssl_undefined_function,
+	ssl_undefined_function,
+	ssl2_read,
+	ssl2_peek,
+	ssl2_write,
+	ssl2_shutdown,
+	ssl_ok,	/* NULL - renegotiate */
+	ssl_ok,	/* NULL - check renegotiate */
+	ssl2_ctrl,	/* local */
+	ssl2_ctx_ctrl,	/* local */
+	ssl2_get_cipher_by_char,
+	ssl2_put_cipher_by_char,
+	ssl2_pending,
+	ssl2_num_ciphers,
+	ssl2_get_cipher,
+	ssl_bad_method,
+	ssl2_default_timeout,
+	&ssl3_undef_enc_method,
+	ssl_undefined_function,
+	ssl2_callback_ctrl,	/* local */
+	ssl2_ctx_callback_ctrl,	/* local */
+	};
+
+static long ssl2_default_timeout(void)
+	{
+	return(300);
+	}
+
+SSL_METHOD *sslv2_base_method(void)
+	{
+	return(&SSLv2_data);
+	}
+
+int ssl2_num_ciphers(void)
+	{
+	return(SSL2_NUM_CIPHERS);
+	}
+
+SSL_CIPHER *ssl2_get_cipher(unsigned int u)
+	{
+	if (u < SSL2_NUM_CIPHERS)
+		return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u]));
+	else
+		return(NULL);
+	}
+
+int ssl2_pending(SSL *s)
+	{
+	return(s->s2->ract_data_length);
+	}
+
+int ssl2_new(SSL *s)
+	{
+	SSL2_STATE *s2;
+
+	if ((s2=Malloc(sizeof *s2)) == NULL) goto err;
+	memset(s2,0,sizeof *s2);
+
+	if ((s2->rbuf=Malloc(
+		SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+	if ((s2->wbuf=Malloc(
+		SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+	s->s2=s2;
+
+	ssl2_clear(s);
+	return(1);
+err:
+	if (s2 != NULL)
+		{
+		if (s2->wbuf != NULL) Free(s2->wbuf);
+		if (s2->rbuf != NULL) Free(s2->rbuf);
+		Free(s2);
+		}
+	return(0);
+	}
+
+void ssl2_free(SSL *s)
+	{
+	SSL2_STATE *s2;
+
+	if(s == NULL)
+	    return;
+
+	s2=s->s2;
+	if (s2->rbuf != NULL) Free(s2->rbuf);
+	if (s2->wbuf != NULL) Free(s2->wbuf);
+	memset(s2,0,sizeof *s2);
+	Free(s2);
+	s->s2=NULL;
+	}
+
+void ssl2_clear(SSL *s)
+	{
+	SSL2_STATE *s2;
+	unsigned char *rbuf,*wbuf;
+
+	s2=s->s2;
+
+	rbuf=s2->rbuf;
+	wbuf=s2->wbuf;
+
+	memset(s2,0,sizeof *s2);
+
+	s2->rbuf=rbuf;
+	s2->wbuf=wbuf;
+	s2->clear_text=1;
+	s->packet=s2->rbuf;
+	s->version=SSL2_VERSION;
+	s->packet_length=0;
+	}
+
+long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg)
+	{
+	int ret=0;
+
+	switch(cmd)
+		{
+	case SSL_CTRL_GET_SESSION_REUSED:
+		ret=s->hit;
+		break;
+	default:
+		break;
+		}
+	return(ret);
+	}
+
+long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)())
+	{
+	return(0);
+	}
+
+long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+	{
+	return(0);
+	}
+
+long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+	{
+	return(0);
+	}
+
+/* This function needs to check if the ciphers required are actually
+ * available */
+SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
+	{
+	static int init=1;
+	static SSL_CIPHER *sorted[SSL2_NUM_CIPHERS];
+	SSL_CIPHER c,*cp= &c,**cpp;
+	unsigned long id;
+	int i;
+
+	if (init)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+
+		for (i=0; i<SSL2_NUM_CIPHERS; i++)
+			sorted[i]= &(ssl2_ciphers[i]);
+
+		qsort(  (char *)sorted,
+			SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+			FP_ICC ssl_cipher_ptr_id_cmp);
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+		init=0;
+		}
+
+	id=0x02000000L|((unsigned long)p[0]<<16L)|
+		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
+	c.id=id;
+	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
+		(char *)sorted,
+		SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+		(int (*)())ssl_cipher_ptr_id_cmp);
+	if ((cpp == NULL) || !(*cpp)->valid)
+		return(NULL);
+	else
+		return(*cpp);
+	}
+
+int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+	{
+	long l;
+
+	if (p != NULL)
+		{
+		l=c->id;
+		if ((l & 0xff000000) != 0x02000000) return(0);
+		p[0]=((unsigned char)(l>>16L))&0xFF;
+		p[1]=((unsigned char)(l>> 8L))&0xFF;
+		p[2]=((unsigned char)(l     ))&0xFF;
+		}
+	return(3);
+	}
+
+void ssl2_generate_key_material(SSL *s)
+	{
+	unsigned int i;
+	MD5_CTX ctx;
+	unsigned char *km;
+	unsigned char c='0';
+
+#ifdef CHARSET_EBCDIC
+	c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0',
+				see SSLv2 docu */
+#endif
+
+	km=s->s2->key_material;
+	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
+		{
+		MD5_Init(&ctx);
+
+		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
+		MD5_Update(&ctx,&c,1);
+		c++;
+		MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length);
+		MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length);
+		MD5_Final(km,&ctx);
+		km+=MD5_DIGEST_LENGTH;
+		}
+	}
+
+void ssl2_return_error(SSL *s, int err)
+	{
+	if (!s->error)
+		{
+		s->error=3;
+		s->error_code=err;
+
+		ssl2_write_error(s);
+		}
+	}
+
+
+void ssl2_write_error(SSL *s)
+	{
+	unsigned char buf[3];
+	int i,error;
+
+	buf[0]=SSL2_MT_ERROR;
+	buf[1]=(s->error_code>>8)&0xff;
+	buf[2]=(s->error_code)&0xff;
+
+/*	state=s->rwstate;*/
+	error=s->error;
+	s->error=0;
+	i=ssl2_write(s,&(buf[3-error]),error);
+/*	if (i == error) s->rwstate=state; */
+
+	if (i < 0)
+		s->error=error;
+	else if (i != s->error)
+		s->error=error-i;
+	/* else
+		s->error=0; */
+	}
+
+int ssl2_shutdown(SSL *s)
+	{
+	s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+	return(1);
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
new file mode 100644
index 0000000..01cc05f
--- /dev/null
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -0,0 +1,97 @@
+/* ssl/s2_meth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+#include <openssl/objects.h>
+
+static SSL_METHOD *ssl2_get_method(int ver);
+static SSL_METHOD *ssl2_get_method(int ver)
+	{
+	if (ver == SSL2_VERSION)
+		return(SSLv2_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv2_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv2_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv2_data.ssl_connect=ssl2_connect;
+		SSLv2_data.ssl_accept=ssl2_accept;
+		SSLv2_data.get_ssl_method=ssl2_get_method;
+		init=0;
+		}
+	return(&SSLv2_data);
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
new file mode 100644
index 0000000..7eb4673
--- /dev/null
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -0,0 +1,650 @@
+/* ssl/s2_pkt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+
+static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
+static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
+static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
+static int ssl_mt_error(int n);
+int ssl2_peek(SSL *s, char *buf, int len)
+	{
+	int ret;
+
+	ret=ssl2_read(s,buf,len);
+	if (ret > 0)
+	        {
+		s->s2->ract_data_length+=ret;
+		s->s2->ract_data-=ret;
+		}
+	return(ret);
+	}
+
+/* SSL_read -
+ * This routine will return 0 to len bytes, decrypted etc if required.
+ */
+int ssl2_read(SSL *s, void *buf, int len)
+	{
+	int n;
+	unsigned char mac[MAX_MAC_SIZE];
+	unsigned char *p;
+	int i;
+	unsigned int mac_size=0;
+
+ssl2_read_again:
+	if (SSL_in_init(s) && !s->in_handshake)
+		{
+		n=s->handshake_func(s);
+		if (n < 0) return(n);
+		if (n == 0)
+			{
+			SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+
+	clear_sys_error();
+	s->rwstate=SSL_NOTHING;
+	if (len <= 0) return(len);
+
+	if (s->s2->ract_data_length != 0) /* read from buffer */
+		{
+		if (len > s->s2->ract_data_length)
+			n=s->s2->ract_data_length;
+		else
+			n=len;
+
+		memcpy(buf,s->s2->ract_data,(unsigned int)n);
+		s->s2->ract_data_length-=n;
+		s->s2->ract_data+=n;
+		if (s->s2->ract_data_length == 0)
+			s->rstate=SSL_ST_READ_HEADER;
+		return(n);
+		}
+
+	if (s->rstate == SSL_ST_READ_HEADER)
+		{
+		if (s->first_packet)
+			{
+			n=read_n(s,5,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
+			if (n <= 0) return(n); /* error or non-blocking */
+			s->first_packet=0;
+			p=s->packet;
+			if (!((p[0] & 0x80) && (
+				(p[2] == SSL2_MT_CLIENT_HELLO) ||
+				(p[2] == SSL2_MT_SERVER_HELLO))))
+				{
+				SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET);
+				return(-1);
+				}
+			}
+		else
+			{
+			n=read_n(s,2,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
+			if (n <= 0) return(n); /* error or non-blocking */
+			}
+		/* part read stuff */
+
+		s->rstate=SSL_ST_READ_BODY;
+		p=s->packet;
+		/* Do header */
+		/*s->s2->padding=0;*/
+		s->s2->escape=0;
+		s->s2->rlength=(((unsigned int)p[0])<<8)|((unsigned int)p[1]);
+		if ((p[0] & TWO_BYTE_BIT))		/* Two byte header? */
+			{
+			s->s2->three_byte_header=0;
+			s->s2->rlength&=TWO_BYTE_MASK;	
+			}
+		else
+			{
+			s->s2->three_byte_header=1;
+			s->s2->rlength&=THREE_BYTE_MASK;
+
+			/* security >s2->escape */
+			s->s2->escape=((p[0] & SEC_ESC_BIT))?1:0;
+			}
+		}
+
+	if (s->rstate == SSL_ST_READ_BODY)
+		{
+		n=s->s2->rlength+2+s->s2->three_byte_header;
+		if (n > (int)s->packet_length)
+			{
+			n-=s->packet_length;
+			i=read_n(s,(unsigned int)n,(unsigned int)n,1);
+			if (i <= 0) return(i); /* ERROR */
+			}
+
+		p= &(s->packet[2]);
+		s->rstate=SSL_ST_READ_HEADER;
+		if (s->s2->three_byte_header)
+			s->s2->padding= *(p++);
+		else	s->s2->padding=0;
+
+		/* Data portion */
+		if (s->s2->clear_text)
+			{
+			s->s2->mac_data=p;
+			s->s2->ract_data=p;
+			s->s2->pad_data=NULL;
+			}
+		else
+			{
+			mac_size=EVP_MD_size(s->read_hash);
+			s->s2->mac_data=p;
+			s->s2->ract_data= &p[mac_size];
+			s->s2->pad_data= &p[mac_size+
+				s->s2->rlength-s->s2->padding];
+			}
+
+		s->s2->ract_data_length=s->s2->rlength;
+		/* added a check for length > max_size in case
+		 * encryption was not turned on yet due to an error */
+		if ((!s->s2->clear_text) &&
+			(s->s2->rlength >= mac_size))
+			{
+			ssl2_enc(s,0);
+			s->s2->ract_data_length-=mac_size;
+			ssl2_mac(s,mac,0);
+			s->s2->ract_data_length-=s->s2->padding;
+			if (	(memcmp(mac,s->s2->mac_data,
+				(unsigned int)mac_size) != 0) ||
+				(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
+				{
+				SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE);
+				return(-1);
+				}
+			}
+		INC32(s->s2->read_sequence); /* expect next number */
+		/* s->s2->ract_data is now available for processing */
+
+#if 1
+		/* How should we react when a packet containing 0
+		 * bytes is received?  (Note that SSLeay/OpenSSL itself
+		 * never sends such packets; see ssl2_write.)
+		 * Returning 0 would be interpreted by the caller as
+		 * indicating EOF, so it's not a good idea.
+		 * Instead, we just continue reading.  Note that using
+		 * select() for blocking sockets *never* guarantees
+		 * that the next SSL_read will not block -- the available
+		 * data may contain incomplete packets, and except for SSL 2
+		 * renegotiation can confuse things even more. */
+
+		goto ssl2_read_again; /* This should really be
+				       * "return ssl2_read(s,buf,len)",
+				       * but that would allow for
+				       * denial-of-service attacks if a
+				       * C compiler is used that does not
+				       * recognize end-recursion. */
+#else
+		/* If a 0 byte packet was sent, return 0, otherwise
+		 * we play havoc with people using select with
+		 * blocking sockets.  Let them handle a packet at a time,
+		 * they should really be using non-blocking sockets. */
+		if (s->s2->ract_data_length == 0)
+			return(0);
+		return(ssl2_read(s,buf,len));
+#endif
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE);
+			return(-1);
+		}
+	}
+
+static int read_n(SSL *s, unsigned int n, unsigned int max,
+	     unsigned int extend)
+	{
+	int i,off,newb;
+
+	/* if there is stuff still in the buffer from a previous read,
+	 * and there is more than we want, take some. */
+	if (s->s2->rbuf_left >= (int)n)
+		{
+		if (extend)
+			s->packet_length+=n;
+		else
+			{
+			s->packet= &(s->s2->rbuf[s->s2->rbuf_offs]);
+			s->packet_length=n;
+			}
+		s->s2->rbuf_left-=n;
+		s->s2->rbuf_offs+=n;
+		return(n);
+		}
+
+	if (!s->read_ahead) max=n;
+	if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2))
+		max=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2;
+	
+
+	/* Else we want more than we have.
+	 * First, if there is some left or we want to extend */
+	off=0;
+	if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend))
+		{
+		newb=s->s2->rbuf_left;
+		if (extend)
+			{
+			off=s->packet_length;
+			if (s->packet != s->s2->rbuf)
+				memcpy(s->s2->rbuf,s->packet,
+					(unsigned int)newb+off);
+			}
+		else if (s->s2->rbuf_offs != 0)
+			{
+			memcpy(s->s2->rbuf,&(s->s2->rbuf[s->s2->rbuf_offs]),
+				(unsigned int)newb);
+			s->s2->rbuf_offs=0;
+			}
+		s->s2->rbuf_left=0;
+		}
+	else
+		newb=0;
+
+	/* off is the offset to start writing too.
+	 * r->s2->rbuf_offs is the 'unread data', now 0. 
+	 * newb is the number of new bytes so far
+	 */
+	s->packet=s->s2->rbuf;
+	while (newb < (int)n)
+		{
+		clear_sys_error();
+		if (s->rbio != NULL)
+			{
+			s->rwstate=SSL_READING;
+			i=BIO_read(s->rbio,(char *)&(s->s2->rbuf[off+newb]),
+				max-newb);
+			}
+		else
+			{
+			SSLerr(SSL_F_READ_N,SSL_R_READ_BIO_NOT_SET);
+			i= -1;
+			}
+#ifdef PKT_DEBUG
+		if (s->debug & 0x01) sleep(1);
+#endif
+		if (i <= 0)
+			{
+			s->s2->rbuf_left+=newb;
+			return(i);
+			}
+		newb+=i;
+		}
+
+	/* record unread data */
+	if (newb > (int)n)
+		{
+		s->s2->rbuf_offs=n+off;
+		s->s2->rbuf_left=newb-n;
+		}
+	else
+		{
+		s->s2->rbuf_offs=0;
+		s->s2->rbuf_left=0;
+		}
+	if (extend)
+		s->packet_length+=n;
+	else
+		s->packet_length=n;
+	s->rwstate=SSL_NOTHING;
+	return(n);
+	}
+
+int ssl2_write(SSL *s, const void *_buf, int len)
+	{
+	const unsigned char *buf=_buf;
+	unsigned int n,tot;
+	int i;
+
+	if (SSL_in_init(s) && !s->in_handshake)
+		{
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL2_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+
+	if (s->error)
+		{
+		ssl2_write_error(s);
+		if (s->error)
+			return(-1);
+		}
+
+	clear_sys_error();
+	s->rwstate=SSL_NOTHING;
+	if (len <= 0) return(len);
+
+	tot=s->s2->wnum;
+	s->s2->wnum=0;
+
+	n=(len-tot);
+	for (;;)
+		{
+		i=do_ssl_write(s,&(buf[tot]),n);
+		if (i <= 0)
+			{
+			s->s2->wnum=tot;
+			return(i);
+			}
+		if ((i == (int)n) ||
+			(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))
+			{
+			return(tot+i);
+			}
+		
+		n-=i;
+		tot+=i;
+		}
+	}
+
+static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
+	{
+	int i;
+
+	/* s->s2->wpend_len != 0 MUST be true. */
+
+	/* check that they have given us the same buffer to
+	 * write */
+	if ((s->s2->wpend_tot > (int)len) ||
+		((s->s2->wpend_buf != buf) &&
+		 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)))
+		{
+		SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
+		return(-1);
+		}
+
+	for (;;)
+		{
+		clear_sys_error();
+		if (s->wbio != NULL)
+			{
+			s->rwstate=SSL_WRITING;
+			i=BIO_write(s->wbio,
+				(char *)&(s->s2->write_ptr[s->s2->wpend_off]),
+				(unsigned int)s->s2->wpend_len);
+			}
+		else
+			{
+			SSLerr(SSL_F_WRITE_PENDING,SSL_R_WRITE_BIO_NOT_SET);
+			i= -1;
+			}
+#ifdef PKT_DEBUG
+		if (s->debug & 0x01) sleep(1);
+#endif
+		if (i == s->s2->wpend_len)
+			{
+			s->s2->wpend_len=0;
+			s->rwstate=SSL_NOTHING;
+			return(s->s2->wpend_ret);
+			}
+		else if (i <= 0)
+			return(i);
+		s->s2->wpend_off+=i;
+		s->s2->wpend_len-=i;
+		}
+	}
+
+static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
+	{
+	unsigned int j,k,olen,p,mac_size,bs;
+	register unsigned char *pp;
+
+	olen=len;
+
+	/* first check if there is data from an encryption waiting to
+	 * be sent - it must be sent because the other end is waiting.
+	 * This will happen with non-blocking IO.  We print it and then
+	 * return.
+	 */
+	if (s->s2->wpend_len != 0) return(write_pending(s,buf,len));
+
+	/* set mac_size to mac size */
+	if (s->s2->clear_text)
+		mac_size=0;
+	else
+		mac_size=EVP_MD_size(s->write_hash);
+
+	/* lets set the pad p */
+	if (s->s2->clear_text)
+		{
+		if (len > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
+			len=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
+		p=0;
+		s->s2->three_byte_header=0;
+		/* len=len; */
+		}
+	else
+		{
+		bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
+		j=len+mac_size;
+		if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
+			(!s->s2->escape))
+			{
+			if (j > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
+				j=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
+			/* set k to the max number of bytes with 2
+			 * byte header */
+			k=j-(j%bs);
+			/* how many data bytes? */
+			len=k-mac_size; 
+			s->s2->three_byte_header=0;
+			p=0;
+			}
+		else if ((bs <= 1) && (!s->s2->escape))
+			{
+			/* len=len; */
+			s->s2->three_byte_header=0;
+			p=0;
+			}
+		else /* 3 byte header */
+			{
+			/*len=len; */
+			p=(j%bs);
+			p=(p == 0)?0:(bs-p);
+			if (s->s2->escape)
+				s->s2->three_byte_header=1;
+			else
+				s->s2->three_byte_header=(p == 0)?0:1;
+			}
+		}
+	/* mac_size is the number of MAC bytes
+	 * len is the number of data bytes we are going to send
+	 * p is the number of padding bytes
+	 * if p == 0, it is a 2 byte header */
+
+	s->s2->wlength=len;
+	s->s2->padding=p;
+	s->s2->mac_data= &(s->s2->wbuf[3]);
+	s->s2->wact_data= &(s->s2->wbuf[3+mac_size]);
+	/* we copy the data into s->s2->wbuf */
+	memcpy(s->s2->wact_data,buf,len);
+#ifdef PURIFY
+	if (p)
+		memset(&(s->s2->wact_data[len]),0,p);
+#endif
+
+	if (!s->s2->clear_text)
+		{
+		s->s2->wact_data_length=len+p;
+		ssl2_mac(s,s->s2->mac_data,1);
+		s->s2->wlength+=p+mac_size;
+		ssl2_enc(s,1);
+		}
+
+	/* package up the header */
+	s->s2->wpend_len=s->s2->wlength;
+	if (s->s2->three_byte_header) /* 3 byte header */
+		{
+		pp=s->s2->mac_data;
+		pp-=3;
+		pp[0]=(s->s2->wlength>>8)&(THREE_BYTE_MASK>>8);
+		if (s->s2->escape) pp[0]|=SEC_ESC_BIT;
+		pp[1]=s->s2->wlength&0xff;
+		pp[2]=s->s2->padding;
+		s->s2->wpend_len+=3;
+		}
+	else
+		{
+		pp=s->s2->mac_data;
+		pp-=2;
+		pp[0]=((s->s2->wlength>>8)&(TWO_BYTE_MASK>>8))|TWO_BYTE_BIT;
+		pp[1]=s->s2->wlength&0xff;
+		s->s2->wpend_len+=2;
+		}
+	s->s2->write_ptr=pp;
+	
+	INC32(s->s2->write_sequence); /* expect next number */
+
+	/* lets try to actually write the data */
+	s->s2->wpend_tot=olen;
+	s->s2->wpend_buf=buf;
+
+	s->s2->wpend_ret=len;
+
+	s->s2->wpend_off=0;
+	return(write_pending(s,buf,olen));
+	}
+
+int ssl2_part_read(SSL *s, unsigned long f, int i)
+	{
+	unsigned char *p;
+	int j;
+
+	/* check for error */
+	if ((s->init_num == 0) && (i >= 3))
+		{
+		p=(unsigned char *)s->init_buf->data;
+		if (p[0] == SSL2_MT_ERROR)
+			{
+			j=(p[1]<<8)|p[2];
+			SSLerr((int)f,ssl_mt_error(j));
+			}
+		}
+
+	if (i < 0)
+		{
+		/* ssl2_return_error(s); */
+		/* for non-blocking io,
+		 * this is not fatal */
+		return(i);
+		}
+	else
+		{
+		s->init_num+=i;
+		return(0);
+		}
+	}
+
+int ssl2_do_write(SSL *s)
+	{
+	int ret;
+
+	ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
+	if (ret == s->init_num)
+		return(1);
+	if (ret < 0)
+		return(-1);
+	s->init_off+=ret;
+	s->init_num-=ret;
+	return(0);
+	}
+
+static int ssl_mt_error(int n)
+	{
+	int ret;
+
+	switch (n)
+		{
+	case SSL2_PE_NO_CIPHER:
+		ret=SSL_R_PEER_ERROR_NO_CIPHER;
+		break;
+	case SSL2_PE_NO_CERTIFICATE:
+		ret=SSL_R_PEER_ERROR_NO_CERTIFICATE;
+		break;
+	case SSL2_PE_BAD_CERTIFICATE:
+		ret=SSL_R_PEER_ERROR_CERTIFICATE;
+		break;
+	case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE:
+		ret=SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
+		break;
+	default:
+		ret=SSL_R_UNKNOWN_REMOTE_ERROR_TYPE;
+		break;
+		}
+	return(ret);
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
new file mode 100644
index 0000000..51c70df
--- /dev/null
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -0,0 +1,977 @@
+/* ssl/s2_srvr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
+ */
+
+#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+
+static SSL_METHOD *ssl2_get_server_method(int ver);
+static int get_client_master_key(SSL *s);
+static int get_client_hello(SSL *s);
+static int server_hello(SSL *s); 
+static int get_client_finished(SSL *s);
+static int server_verify(SSL *s);
+static int server_finish(SSL *s);
+static int request_certificate(SSL *s);
+static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
+	unsigned char *to,int padding);
+#define BREAK	break
+
+static SSL_METHOD *ssl2_get_server_method(int ver)
+	{
+	if (ver == SSL2_VERSION)
+		return(SSLv2_server_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv2_server_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv2_server_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv2_server_data.ssl_accept=ssl2_accept;
+		SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+		init=0;
+		}
+	return(&SSLv2_server_data);
+	}
+
+int ssl2_accept(SSL *s)
+	{
+	unsigned long l=time(NULL);
+	BUF_MEM *buf=NULL;
+	int ret= -1;
+	long num1;
+	void (*cb)()=NULL;
+	int new_state,state;
+
+	RAND_add(&l,sizeof(l),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+
+	/* init things to blank */
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+	s->in_handshake++;
+
+	if (s->cert == NULL)
+		{
+		SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
+		return(-1);
+		}
+
+	clear_sys_error();
+	for (;;)
+		{
+		state=s->state;
+
+		switch (s->state)
+			{
+		case SSL_ST_BEFORE:
+		case SSL_ST_ACCEPT:
+		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
+		case SSL_ST_OK|SSL_ST_ACCEPT:
+
+			s->server=1;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			s->version=SSL2_VERSION;
+			s->type=SSL_ST_ACCEPT;
+
+			buf=s->init_buf;
+			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
+				{ ret= -1; goto end; }
+			if (!BUF_MEM_grow(buf,(int)
+				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+				{ ret= -1; goto end; }
+			s->init_buf=buf;
+			s->init_num=0;
+			s->ctx->stats.sess_accept++;
+			s->handshake_func=ssl2_accept;
+			s->state=SSL2_ST_GET_CLIENT_HELLO_A;
+			BREAK;
+
+		case SSL2_ST_GET_CLIENT_HELLO_A:
+		case SSL2_ST_GET_CLIENT_HELLO_B:
+		case SSL2_ST_GET_CLIENT_HELLO_C:
+			s->shutdown=0;
+			ret=get_client_hello(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_SEND_SERVER_HELLO_A;
+			BREAK;
+
+		case SSL2_ST_SEND_SERVER_HELLO_A:
+		case SSL2_ST_SEND_SERVER_HELLO_B:
+			ret=server_hello(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			if (!s->hit)
+				{
+				s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
+				BREAK;
+				}
+			else
+				{
+				s->state=SSL2_ST_SERVER_START_ENCRYPTION;
+				BREAK;
+				}
+		case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
+		case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
+			ret=get_client_master_key(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_SERVER_START_ENCRYPTION;
+			BREAK;
+
+		case SSL2_ST_SERVER_START_ENCRYPTION:
+			/* Ok we how have sent all the stuff needed to
+			 * start encrypting, the next packet back will
+			 * be encrypted. */
+			if (!ssl2_enc_init(s,0))
+				{ ret= -1; goto end; }
+			s->s2->clear_text=0;
+			s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
+			BREAK;
+
+		case SSL2_ST_SEND_SERVER_VERIFY_A:
+		case SSL2_ST_SEND_SERVER_VERIFY_B:
+			ret=server_verify(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			if (s->hit)
+				{
+				/* If we are in here, we have been
+				 * buffering the output, so we need to
+				 * flush it and remove buffering from
+				 * future traffic */
+				s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
+				BREAK;
+				}
+			else
+				{
+				s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
+				break;
+				}
+
+ 		case SSL2_ST_SEND_SERVER_VERIFY_C:
+ 			/* get the number of bytes to write */
+ 			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+ 			if (num1 != 0)
+ 				{
+				s->rwstate=SSL_WRITING;
+ 				num1=BIO_flush(s->wbio);
+ 				if (num1 <= 0) { ret= -1; goto end; }
+				s->rwstate=SSL_NOTHING;
+				}
+
+ 			/* flushed and now remove buffering */
+ 			s->wbio=BIO_pop(s->wbio);
+
+ 			s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
+  			BREAK;
+
+		case SSL2_ST_GET_CLIENT_FINISHED_A:
+		case SSL2_ST_GET_CLIENT_FINISHED_B:
+			ret=get_client_finished(s);
+			if (ret <= 0)
+				goto end;
+			s->init_num=0;
+			s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
+			BREAK;
+
+		case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
+		case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
+		case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
+		case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
+			/* don't do a 'request certificate' if we
+			 * don't want to, or we already have one, and
+			 * we only want to do it once. */
+			if (!(s->verify_mode & SSL_VERIFY_PEER) ||
+				((s->session->peer != NULL) &&
+				(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
+				{
+				s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
+				break;
+				}
+			else
+				{
+				ret=request_certificate(s);
+				if (ret <= 0) goto end;
+				s->init_num=0;
+				s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
+				}
+			BREAK;
+
+		case SSL2_ST_SEND_SERVER_FINISHED_A:
+		case SSL2_ST_SEND_SERVER_FINISHED_B:
+			ret=server_finish(s);
+			if (ret <= 0) goto end;
+			s->init_num=0;
+			s->state=SSL_ST_OK;
+			break;
+
+		case SSL_ST_OK:
+			BUF_MEM_free(s->init_buf);
+			ssl_free_wbio_buffer(s);
+			s->init_buf=NULL;
+			s->init_num=0;
+		/*	ERR_clear_error();*/
+
+			ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
+
+			s->ctx->stats.sess_accept_good++;
+			/* s->server=1; */
+			ret=1;
+
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+
+			goto end;
+			/* BREAK; */
+
+		default:
+			SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* BREAK; */
+			}
+		
+		if ((cb != NULL) && (s->state != state))
+			{
+			new_state=s->state;
+			s->state=state;
+			cb(s,SSL_CB_ACCEPT_LOOP,1);
+			s->state=new_state;
+			}
+		}
+end:
+	s->in_handshake--;
+	if (cb != NULL)
+		cb(s,SSL_CB_ACCEPT_EXIT,ret);
+	return(ret);
+	}
+
+static int get_client_master_key(SSL *s)
+	{
+	int is_export,i,n,keya,ek;
+	unsigned char *p;
+	SSL_CIPHER *cp;
+	const EVP_CIPHER *c;
+	const EVP_MD *md;
+
+	p=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
+		{
+		i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
+
+		if (i < (10-s->init_num))
+			return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+		if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
+			{
+			if (p[-1] != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+					SSL_R_PEER_ERROR);
+			return(-1);
+			}
+
+		cp=ssl2_get_cipher_by_char(p);
+		if (cp == NULL)
+			{
+			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+				SSL_R_NO_CIPHER_MATCH);
+			return(-1);
+			}
+		s->session->cipher= cp;
+
+		p+=3;
+		n2s(p,i); s->s2->tmp.clear=i;
+		n2s(p,i); s->s2->tmp.enc=i;
+		n2s(p,i); s->session->key_arg_length=i;
+		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
+		s->init_num=0;
+		}
+
+	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
+	p=(unsigned char *)s->init_buf->data;
+	keya=s->session->key_arg_length;
+	n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num;
+	i=ssl2_read(s,(char *)&(p[s->init_num]),n);
+	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+
+	memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
+		(unsigned int)keya);
+
+	if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
+		{
+		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
+		return(-1);
+		}
+	i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
+		&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
+		(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+
+	is_export=SSL_C_IS_EXPORT(s->session->cipher);
+	
+	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
+		{
+		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+		return(0);
+		}
+
+	if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
+		{
+		is_export=1;
+		ek=8;
+		}
+	else
+		ek=5;
+
+	/* bad decrypt */
+#if 1
+	/* If a bad decrypt, continue with protocol but with a
+	 * dud master secret */
+	if ((i < 0) ||
+		((!is_export && (i != EVP_CIPHER_key_length(c)))
+		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
+			EVP_CIPHER_key_length(c))))))
+		{
+		if (is_export)
+			i=ek;
+		else
+			i=EVP_CIPHER_key_length(c);
+		RAND_pseudo_bytes(p,i);
+		}
+#else
+	if (i < 0)
+		{
+		error=1;
+		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
+		}
+	/* incorrect number of key bytes for non export cipher */
+	else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
+		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
+			EVP_CIPHER_key_length(c)))))
+		{
+		error=1;
+		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
+		}
+	if (error)
+		{
+		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+		return(-1);
+		}
+#endif
+
+	if (is_export) i+=s->s2->tmp.clear;
+	s->session->master_key_length=i;
+	memcpy(s->session->master_key,p,(unsigned int)i);
+	return(1);
+	}
+
+static int get_client_hello(SSL *s)
+	{
+	int i,n;
+	unsigned char *p;
+	STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
+	STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
+	int z;
+
+	/* This is a bit of a hack to check for the correct packet
+	 * type the first time round. */
+	if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
+		{
+		s->first_packet=1;
+		s->state=SSL2_ST_GET_CLIENT_HELLO_B;
+		}
+
+	p=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
+		{
+		i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
+		if (i < (9-s->init_num)) 
+			return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+	
+		if (*(p++) != SSL2_MT_CLIENT_HELLO)
+			{
+			if (p[-1] != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
+			return(-1);
+			}
+		n2s(p,i);
+		if (i < s->version) s->version=i;
+		n2s(p,i); s->s2->tmp.cipher_spec_length=i;
+		n2s(p,i); s->s2->tmp.session_id_length=i;
+		n2s(p,i); s->s2->challenge_length=i;
+		if (	(i < SSL2_MIN_CHALLENGE_LENGTH) ||
+			(i > SSL2_MAX_CHALLENGE_LENGTH))
+			{
+			SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
+			return(-1);
+			}
+		s->state=SSL2_ST_GET_CLIENT_HELLO_C;
+		s->init_num=0;
+		}
+
+	/* SSL2_ST_GET_CLIENT_HELLO_C */
+	p=(unsigned char *)s->init_buf->data;
+	n=s->s2->tmp.cipher_spec_length+s->s2->challenge_length+
+		s->s2->tmp.session_id_length-s->init_num;
+	i=ssl2_read(s,(char *)&(p[s->init_num]),n);
+	if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+
+	/* get session-id before cipher stuff so we can get out session
+	 * structure if it is cached */
+	/* session-id */
+	if ((s->s2->tmp.session_id_length != 0) && 
+		(s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
+		{
+		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+		SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
+		return(-1);
+		}
+
+	if (s->s2->tmp.session_id_length == 0)
+		{
+		if (!ssl_get_new_session(s,1))
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			return(-1);
+			}
+		}
+	else
+		{
+		i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
+			s->s2->tmp.session_id_length);
+		if (i == 1)
+			{ /* previous session */
+			s->hit=1;
+			}
+		else if (i == -1)
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			return(-1);
+			}
+		else
+			{
+			if (s->cert == NULL)
+				{
+				ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
+				SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
+				return(-1);
+				}
+
+			if (!ssl_get_new_session(s,1))
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				return(-1);
+				}
+			}
+		}
+
+	if (!s->hit)
+		{
+		cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
+			&s->session->ciphers);
+		if (cs == NULL) goto mem_err;
+
+		cl=ssl_get_ciphers_by_id(s);
+
+		for (z=0; z<sk_SSL_CIPHER_num(cs); z++)
+			{
+			if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0)
+				{
+				sk_SSL_CIPHER_delete(cs,z);
+				z--;
+				}
+			}
+
+		/* s->session->ciphers should now have a list of
+		 * ciphers that are on both the client and server.
+		 * This list is ordered by the order the client sent
+		 * the ciphers.
+		 */
+		}
+	p+=s->s2->tmp.cipher_spec_length;
+	/* done cipher selection */
+
+	/* session id extracted already */
+	p+=s->s2->tmp.session_id_length;
+
+	/* challenge */
+	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
+	return(1);
+mem_err:
+	SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
+
+static int server_hello(SSL *s)
+	{
+	unsigned char *p,*d;
+	int n,hit;
+	STACK_OF(SSL_CIPHER) *sk;
+
+	p=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
+		{
+		d=p+11;
+		*(p++)=SSL2_MT_SERVER_HELLO;		/* type */
+		hit=s->hit;
+		*(p++)=(unsigned char)hit;
+#if 1
+		if (!hit)
+			{
+			if (s->session->sess_cert != NULL)
+				/* This can't really happen because get_client_hello
+				 * has called ssl_get_new_session, which does not set
+				 * sess_cert. */
+				ssl_sess_cert_free(s->session->sess_cert);
+			s->session->sess_cert = ssl_sess_cert_new();
+			if (s->session->sess_cert == NULL)
+				{
+				SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
+				return(-1);
+				}
+			}
+		/* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
+		 * depending on whether it survived in the internal cache
+		 * or was retrieved from an external cache.
+		 * If it is NULL, we cannot put any useful data in it anyway,
+		 * so we don't touch it.
+		 */
+
+#else /* That's what used to be done when cert_st and sess_cert_st were
+	   * the same. */
+		if (!hit)
+			{			/* else add cert to session */
+			CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
+			if (s->session->sess_cert != NULL)
+				ssl_cert_free(s->session->sess_cert);
+			s->session->sess_cert=s->cert;		
+			}
+		else	/* We have a session id-cache hit, if the
+			 * session-id has no certificate listed against
+			 * the 'cert' structure, grab the 'old' one
+			 * listed against the SSL connection */
+			{
+			if (s->session->sess_cert == NULL)
+				{
+				CRYPTO_add(&s->cert->references,1,
+					CRYPTO_LOCK_SSL_CERT);
+				s->session->sess_cert=s->cert;
+				}
+			}
+#endif
+
+		if (s->cert == NULL)
+			{
+			ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
+			SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
+			return(-1);
+			}
+
+		if (hit)
+			{
+			*(p++)=0;		/* no certificate type */
+			s2n(s->version,p);	/* version */
+			s2n(0,p);		/* cert len */
+			s2n(0,p);		/* ciphers len */
+			}
+		else
+			{
+			/* EAY EAY */
+			/* put certificate type */
+			*(p++)=SSL2_CT_X509_CERTIFICATE;
+			s2n(s->version,p);	/* version */
+			n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
+			s2n(n,p);		/* certificate length */
+			i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
+			n=0;
+			
+			/* lets send out the ciphers we like in the
+			 * prefered order */
+			sk= s->session->ciphers;
+			n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d);
+			d+=n;
+			s2n(n,p);		/* add cipher length */
+			}
+
+		/* make and send conn_id */
+		s2n(SSL2_CONNECTION_ID_LENGTH,p);	/* add conn_id length */
+		s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
+		RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+		memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
+		d+=SSL2_CONNECTION_ID_LENGTH;
+
+		s->state=SSL2_ST_SEND_SERVER_HELLO_B;
+		s->init_num=d-(unsigned char *)s->init_buf->data;
+		s->init_off=0;
+		}
+	/* SSL2_ST_SEND_SERVER_HELLO_B */
+ 	/* If we are using TCP/IP, the performance is bad if we do 2
+ 	 * writes without a read between them.  This occurs when
+ 	 * Session-id reuse is used, so I will put in a buffering module
+ 	 */
+ 	if (s->hit)
+ 		{
+		if (!ssl_init_wbio_buffer(s,1)) return(-1);
+ 		}
+ 
+	return(ssl2_do_write(s));
+	}
+
+static int get_client_finished(SSL *s)
+	{
+	unsigned char *p;
+	int i;
+
+	p=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
+		{
+		i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
+		if (i < 1-s->init_num)
+			return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
+
+		if (*p != SSL2_MT_CLIENT_FINISHED)
+			{
+			if (*p != SSL2_MT_ERROR)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
+				}
+			else
+				SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
+			return(-1);
+			}
+		s->init_num=0;
+		s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
+		}
+
+	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	i=ssl2_read(s,(char *)&(p[s->init_num]),s->s2->conn_id_length-s->init_num);
+	if (i < (int)s->s2->conn_id_length-s->init_num)
+		{
+		return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
+		}
+	if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0)
+		{
+		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+		SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
+		return(-1);
+		}
+	return(1);
+	}
+
+static int server_verify(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*(p++)=SSL2_MT_SERVER_VERIFY;
+		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
+		/* p+=s->s2->challenge_length; */
+
+		s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
+		s->init_num=s->s2->challenge_length+1;
+		s->init_off=0;
+		}
+	return(ssl2_do_write(s));
+	}
+
+static int server_finish(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*(p++)=SSL2_MT_SERVER_FINISHED;
+
+		memcpy(p,s->session->session_id,
+			(unsigned int)s->session->session_id_length);
+		/* p+=s->session->session_id_length; */
+
+		s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
+		s->init_num=s->session->session_id_length+1;
+		s->init_off=0;
+		}
+
+	/* SSL2_ST_SEND_SERVER_FINISHED_B */
+	return(ssl2_do_write(s));
+	}
+
+/* send the request and check the response */
+static int request_certificate(SSL *s)
+	{
+	unsigned char *p,*p2,*buf2;
+	unsigned char *ccd;
+	int i,j,ctype,ret= -1;
+	X509 *x509=NULL;
+	STACK_OF(X509) *sk=NULL;
+
+	ccd=s->s2->tmp.ccl;
+	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
+		*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
+		RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+		memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+
+		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
+		s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
+		s->init_off=0;
+		}
+
+	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
+		{
+		i=ssl2_do_write(s);
+		if (i <= 0)
+			{
+			ret=i;
+			goto end;
+			}
+
+		s->init_num=0;
+		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
+		}
+
+	if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num);
+		if (i < 3)
+			{
+			ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
+			goto end;
+			}
+
+		if ((*p == SSL2_MT_ERROR) && (i >= 3))
+			{
+			n2s(p,i);
+			if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+				{
+				ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
+				SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+				goto end;
+				}
+			ret=1;
+			goto end;
+			}
+		if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (i < 6))
+			{
+			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
+			goto end;
+			}
+		/* ok we have a response */
+		/* certificate type, there is only one right now. */
+		ctype= *(p++);
+		if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
+			{
+			ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
+			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
+			goto end;
+			}
+		n2s(p,i); s->s2->tmp.clen=i;
+		n2s(p,i); s->s2->tmp.rlen=i;
+		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
+		s->init_num=0;
+		}
+
+	/* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
+	p=(unsigned char *)s->init_buf->data;
+	j=s->s2->tmp.clen+s->s2->tmp.rlen-s->init_num;
+	i=ssl2_read(s,(char *)&(p[s->init_num]),j);
+	if (i < j) 
+		{
+		ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
+		goto end;
+		}
+
+	x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen);
+	if (x509 == NULL)
+		{
+		SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
+		goto msg_end;
+		}
+
+	if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
+		{
+		SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		goto msg_end;
+		}
+
+	i=ssl_verify_cert_chain(s,sk);
+
+	if (i)	/* we like the packet, now check the chksum */
+		{
+		EVP_MD_CTX ctx;
+		EVP_PKEY *pkey=NULL;
+
+		EVP_VerifyInit(&ctx,s->ctx->rsa_md5);
+		EVP_VerifyUpdate(&ctx,s->s2->key_material,
+			(unsigned int)s->s2->key_material_length);
+		EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+
+		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
+		buf2=Malloc((unsigned int)i);
+		if (buf2 == NULL)
+			{
+			SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+			goto msg_end;
+			}
+		p2=buf2;
+		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
+		EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
+		Free(buf2);
+
+		pkey=X509_get_pubkey(x509);
+		if (pkey == NULL) goto end;
+		i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
+		EVP_PKEY_free(pkey);
+		memset(&ctx,0,sizeof(ctx));
+
+		if (i) 
+			{
+			if (s->session->peer != NULL)
+				X509_free(s->session->peer);
+			s->session->peer=x509;
+			CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+			s->session->verify_result = s->verify_result;
+			ret=1;
+			goto end;
+			}
+		else
+			{
+			SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
+			goto msg_end;
+			}
+		}
+	else
+		{
+msg_end:
+		ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
+		}
+end:
+	sk_X509_free(sk);
+	X509_free(x509);
+	return(ret);
+	}
+
+static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
+	     unsigned char *to, int padding)
+	{
+	RSA *rsa;
+	int i;
+
+	if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
+		{
+		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
+		return(-1);
+		}
+	if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
+		{
+		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
+		return(-1);
+		}
+	rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
+
+	/* we have the public key */
+	i=RSA_private_decrypt(len,from,to,rsa,padding);
+	if (i < 0)
+		SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
+	return(i);
+	}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
new file mode 100644
index 0000000..03e0c38
--- /dev/null
+++ b/crypto/openssl/ssl/s3_both.c
@@ -0,0 +1,588 @@
+/* ssl/s3_both.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "ssl_locl.h"
+
+/* send s->init_buf in records of type 'type' */
+int ssl3_do_write(SSL *s, int type)
+	{
+	int ret;
+
+	ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
+	                     s->init_num);
+	if (ret < 0) return(-1);
+	if (type == SSL3_RT_HANDSHAKE)
+		/* should not be done for 'Hello Request's, but in that case
+		 * we'll ignore the result anyway */
+		ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
+	
+	if (ret == s->init_num)
+		return(1);
+	s->init_off+=ret;
+	s->init_num-=ret;
+	return(0);
+	}
+
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+	{
+	unsigned char *p,*d;
+	int i;
+	unsigned long l;
+
+	if (s->state == a)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[4]);
+
+		i=s->method->ssl3_enc->final_finish_mac(s,
+			&(s->s3->finish_dgst1),
+			&(s->s3->finish_dgst2),
+			sender,slen,s->s3->tmp.finish_md);
+		s->s3->tmp.finish_md_len = i;
+		memcpy(p, s->s3->tmp.finish_md, i);
+		p+=i;
+		l=i;
+
+#ifdef WIN16
+		/* MSVC 1.5 does not clear the top bytes of the word unless
+		 * I do this.
+		 */
+		l&=0xffff;
+#endif
+
+		*(d++)=SSL3_MT_FINISHED;
+		l2n3(l,d);
+		s->init_num=(int)l+4;
+		s->init_off=0;
+
+		s->state=b;
+		}
+
+	/* SSL3_ST_SEND_xxxxxx_HELLO_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+int ssl3_get_finished(SSL *s, int a, int b)
+	{
+	int al,i,ok;
+	long n;
+	unsigned char *p;
+
+	/* the mac has already been generated when we received the
+	 * change cipher spec message and is in s->s3->tmp.peer_finish_md
+	 */ 
+
+	n=ssl3_get_message(s,
+		a,
+		b,
+		SSL3_MT_FINISHED,
+		64, /* should actually be 36+4 :-) */
+		&ok);
+
+	if (!ok) return((int)n);
+
+	/* If this occurs, we have missed a message */
+	if (!s->s3->change_cipher_spec)
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_GOT_A_FIN_BEFORE_A_CCS);
+		goto f_err;
+		}
+	s->s3->change_cipher_spec=0;
+
+	p = (unsigned char *)s->init_buf->data;
+	i = s->s3->tmp.peer_finish_md_len;
+
+	if (i != n)
+		{
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
+		goto f_err;
+		}
+
+	if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
+		{
+		al=SSL_AD_DECRYPT_ERROR;
+		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
+		goto f_err;
+		}
+
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	return(0);
+	}
+
+/* for these 2 messages, we need to
+ * ssl->enc_read_ctx			re-init
+ * ssl->s3->read_sequence		zero
+ * ssl->s3->read_mac_secret		re-init
+ * ssl->session->read_sym_enc		assign
+ * ssl->session->read_compression	assign
+ * ssl->session->read_hash		assign
+ */
+int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
+	{ 
+	unsigned char *p;
+
+	if (s->state == a)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*p=SSL3_MT_CCS;
+		s->init_num=1;
+		s->init_off=0;
+
+		s->state=b;
+		}
+
+	/* SSL3_ST_CW_CHANGE_B */
+	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
+	}
+
+unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+	{
+	unsigned char *p;
+	int n,i;
+	unsigned long l=7;
+	BUF_MEM *buf;
+	X509_STORE_CTX xs_ctx;
+	X509_OBJECT obj;
+
+	/* TLSv1 sends a chain with nothing in it, instead of an alert */
+	buf=s->init_buf;
+	if (!BUF_MEM_grow(buf,(int)(10)))
+		{
+		SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+		return(0);
+		}
+	if (x != NULL)
+		{
+		X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL);
+
+		for (;;)
+			{
+			n=i2d_X509(x,NULL);
+			if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+				{
+				SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+				return(0);
+				}
+			p=(unsigned char *)&(buf->data[l]);
+			l2n3(n,p);
+			i2d_X509(x,&p);
+			l+=n+3;
+			if (X509_NAME_cmp(X509_get_subject_name(x),
+				X509_get_issuer_name(x)) == 0) break;
+
+			i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
+				X509_get_issuer_name(x),&obj);
+			if (i <= 0) break;
+			x=obj.data.x509;
+			/* Count is one too high since the X509_STORE_get uped the
+			 * ref count */
+			X509_free(x);
+			}
+
+		X509_STORE_CTX_cleanup(&xs_ctx);
+		}
+
+	/* Thawte special :-) */
+	if (s->ctx->extra_certs != NULL)
+	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
+		{
+		x=sk_X509_value(s->ctx->extra_certs,i);
+		n=i2d_X509(x,NULL);
+		if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+			{
+			SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+			return(0);
+			}
+		p=(unsigned char *)&(buf->data[l]);
+		l2n3(n,p);
+		i2d_X509(x,&p);
+		l+=n+3;
+		}
+
+	l-=7;
+	p=(unsigned char *)&(buf->data[4]);
+	l2n3(l,p);
+	l+=3;
+	p=(unsigned char *)&(buf->data[0]);
+	*(p++)=SSL3_MT_CERTIFICATE;
+	l2n3(l,p);
+	l+=4;
+	return(l);
+	}
+
+/* Obtain handshake message of message type 'mt' (any if mt == -1),
+ * maximum acceptable body length 'max'.
+ * The first four bytes (msg_type and length) are read in state 'st1',
+ * the body is read in state 'stn'.
+ */
+long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
+	{
+	unsigned char *p;
+	unsigned long l;
+	long n;
+	int i,al;
+
+	if (s->s3->tmp.reuse_message)
+		{
+		s->s3->tmp.reuse_message=0;
+		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+			goto f_err;
+			}
+		*ok=1;
+		return((int)s->s3->tmp.message_size);
+		}
+
+	p=(unsigned char *)s->init_buf->data;
+
+	if (s->state == st1) /* s->init_num < 4 */
+		{
+		int skip_message;
+
+		do
+			{
+			while (s->init_num < 4)
+				{
+				i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
+					4 - s->init_num);
+				if (i <= 0)
+					{
+					s->rwstate=SSL_READING;
+					*ok = 0;
+					return i;
+					}
+				s->init_num+=i;
+				}
+			
+			skip_message = 0;
+			if (!s->server)
+				if (p[0] == SSL3_MT_HELLO_REQUEST)
+					/* The server may always send 'Hello Request' messages --
+					 * we are doing a handshake anyway now, so ignore them
+					 * if their format is correct. Does not count for
+					 * 'Finished' MAC. */
+					if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
+						skip_message = 1;
+			}
+		while (skip_message);
+
+		/* s->init_num == 4 */
+
+		if ((mt >= 0) && (*p != mt))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+			goto f_err;
+			}
+		if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
+					(st1 == SSL3_ST_SR_CERT_A) &&
+					(stn == SSL3_ST_SR_CERT_B))
+			{
+			/* At this point we have got an MS SGC second client
+			 * hello (maybe we should always allow the client to
+			 * start a new handshake?). We need to restart the mac.
+			 * Don't increment {num,total}_renegotiations because
+			 * we have not completed the handshake. */
+			ssl3_init_finished_mac(s);
+			}
+
+		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4);
+			
+		s->s3->tmp.message_type= *(p++);
+
+		n2l3(p,l);
+		if (l > (unsigned long)max)
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+			goto f_err;
+			}
+		if (l && !BUF_MEM_grow(s->init_buf,(int)l))
+			{
+			SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
+			goto err;
+			}
+		s->s3->tmp.message_size=l;
+		s->state=stn;
+
+		s->init_num=0;
+		}
+
+	/* next state (stn) */
+	p=(unsigned char *)s->init_buf->data;
+	n=s->s3->tmp.message_size;
+	while (n > 0)
+		{
+		i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
+		if (i <= 0)
+			{
+			s->rwstate=SSL_READING;
+			*ok = 0;
+			return i;
+			}
+		s->init_num += i;
+		n -= i;
+		}
+	ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
+	*ok=1;
+	return s->init_num;
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	*ok=0;
+	return(-1);
+	}
+
+int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
+	{
+	EVP_PKEY *pk;
+	int ret= -1,i,j;
+
+	if (pkey == NULL)
+		pk=X509_get_pubkey(x);
+	else
+		pk=pkey;
+	if (pk == NULL) goto err;
+
+	i=pk->type;
+	if (i == EVP_PKEY_RSA)
+		{
+		ret=SSL_PKEY_RSA_ENC;
+		if (x != NULL)
+			{
+			j=X509_get_ext_count(x);
+			/* check to see if this is a signing only certificate */
+			/* EAY EAY EAY EAY */
+			}
+		}
+	else if (i == EVP_PKEY_DSA)
+		{
+		ret=SSL_PKEY_DSA_SIGN;
+		}
+	else if (i == EVP_PKEY_DH)
+		{
+		/* if we just have a key, we needs to be guess */
+
+		if (x == NULL)
+			ret=SSL_PKEY_DH_DSA;
+		else
+			{
+			j=X509_get_signature_type(x);
+			if (j == EVP_PKEY_RSA)
+				ret=SSL_PKEY_DH_RSA;
+			else if (j== EVP_PKEY_DSA)
+				ret=SSL_PKEY_DH_DSA;
+			else ret= -1;
+			}
+		}
+	else
+		ret= -1;
+
+err:
+	if(!pkey) EVP_PKEY_free(pk);
+	return(ret);
+	}
+
+int ssl_verify_alarm_type(long type)
+	{
+	int al;
+
+	switch(type)
+		{
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+	case X509_V_ERR_UNABLE_TO_GET_CRL:
+		al=SSL_AD_UNKNOWN_CA;
+		break;
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+	case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+	case X509_V_ERR_CRL_NOT_YET_VALID:
+		al=SSL_AD_BAD_CERTIFICATE;
+		break;
+	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+	case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+		al=SSL_AD_DECRYPT_ERROR;
+		break;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+	case X509_V_ERR_CRL_HAS_EXPIRED:
+		al=SSL_AD_CERTIFICATE_EXPIRED;
+		break;
+	case X509_V_ERR_CERT_REVOKED:
+		al=SSL_AD_CERTIFICATE_REVOKED;
+		break;
+	case X509_V_ERR_OUT_OF_MEM:
+		al=SSL_AD_INTERNAL_ERROR;
+		break;
+	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+		al=SSL_AD_UNKNOWN_CA;
+		break;
+	case X509_V_ERR_APPLICATION_VERIFICATION:
+		al=SSL_AD_HANDSHAKE_FAILURE;
+		break;
+	default:
+		al=SSL_AD_CERTIFICATE_UNKNOWN;
+		break;
+		}
+	return(al);
+	}
+
+int ssl3_setup_buffers(SSL *s)
+	{
+	unsigned char *p;
+	unsigned int extra;
+
+	if (s->s3->rbuf.buf == NULL)
+		{
+		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+			extra=SSL3_RT_MAX_EXTRA;
+		else
+			extra=0;
+		if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
+			== NULL)
+			goto err;
+		s->s3->rbuf.buf=p;
+		}
+
+	if (s->s3->wbuf.buf == NULL)
+		{
+		if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE))
+			== NULL)
+			goto err;
+		s->s3->wbuf.buf=p;
+		}
+	s->packet= &(s->s3->rbuf.buf[0]);
+	return(1);
+err:
+	SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
new file mode 100644
index 0000000..0c8f551
--- /dev/null
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -0,0 +1,1730 @@
+/* ssl/s3_clnt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl3_get_client_method(int ver);
+static int ssl3_client_hello(SSL *s);
+static int ssl3_get_server_hello(SSL *s);
+static int ssl3_get_certificate_request(SSL *s);
+static int ca_dn_cmp(X509_NAME **a,X509_NAME **b);
+static int ssl3_get_server_done(SSL *s);
+static int ssl3_send_client_verify(SSL *s);
+static int ssl3_send_client_certificate(SSL *s);
+static int ssl3_send_client_key_exchange(SSL *s);
+static int ssl3_get_key_exchange(SSL *s);
+static int ssl3_get_server_certificate(SSL *s);
+static int ssl3_check_cert_and_algorithm(SSL *s);
+static SSL_METHOD *ssl3_get_client_method(int ver)
+	{
+	if (ver == SSL3_VERSION)
+		return(SSLv3_client_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv3_client_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv3_client_data;
+
+	if (init)
+		{
+		init=0;
+		memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv3_client_data.ssl_connect=ssl3_connect;
+		SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+		}
+	return(&SSLv3_client_data);
+	}
+
+int ssl3_connect(SSL *s)
+	{
+	BUF_MEM *buf;
+	unsigned long Time=time(NULL),l;
+	long num1;
+	void (*cb)()=NULL;
+	int ret= -1;
+	int new_state,state,skip=0;;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+	
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
+	s->in_handshake++;
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch(s->state)
+			{
+		case SSL_ST_RENEGOTIATE:
+			s->new_session=1;
+			s->state=SSL_ST_CONNECT;
+			s->ctx->stats.sess_connect_renegotiate++;
+			/* break */
+		case SSL_ST_BEFORE:
+		case SSL_ST_CONNECT:
+		case SSL_ST_BEFORE|SSL_ST_CONNECT:
+		case SSL_ST_OK|SSL_ST_CONNECT:
+
+			s->server=0;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			if ((s->version & 0xff00 ) != 0x0300)
+				abort();
+			/* s->version=SSL3_VERSION; */
+			s->type=SSL_ST_CONNECT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
+
+			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
+
+			/* setup buffing BIO */
+			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+
+			/* don't push the buffering BIO quite yet */
+
+			ssl3_init_finished_mac(s);
+
+			s->state=SSL3_ST_CW_CLNT_HELLO_A;
+			s->ctx->stats.sess_connect++;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_CLNT_HELLO_A:
+		case SSL3_ST_CW_CLNT_HELLO_B:
+
+			s->shutdown=0;
+			ret=ssl3_client_hello(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CR_SRVR_HELLO_A;
+			s->init_num=0;
+
+			/* turn on buffering for the next lot of output */
+			if (s->bbio != s->wbio)
+				s->wbio=BIO_push(s->bbio,s->wbio);
+
+			break;
+
+		case SSL3_ST_CR_SRVR_HELLO_A:
+		case SSL3_ST_CR_SRVR_HELLO_B:
+			ret=ssl3_get_server_hello(s);
+			if (ret <= 0) goto end;
+			if (s->hit)
+				s->state=SSL3_ST_CR_FINISHED_A;
+			else
+				s->state=SSL3_ST_CR_CERT_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_CERT_A:
+		case SSL3_ST_CR_CERT_B:
+			/* Check if it is anon DH */
+			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+				{
+				ret=ssl3_get_server_certificate(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+			s->state=SSL3_ST_CR_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_KEY_EXCH_A:
+		case SSL3_ST_CR_KEY_EXCH_B:
+			ret=ssl3_get_key_exchange(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CR_CERT_REQ_A;
+			s->init_num=0;
+
+			/* at this point we check that we have the
+			 * required stuff from the server */
+			if (!ssl3_check_cert_and_algorithm(s))
+				{
+				ret= -1;
+				goto end;
+				}
+			break;
+
+		case SSL3_ST_CR_CERT_REQ_A:
+		case SSL3_ST_CR_CERT_REQ_B:
+			ret=ssl3_get_certificate_request(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CR_SRVR_DONE_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_SRVR_DONE_A:
+		case SSL3_ST_CR_SRVR_DONE_B:
+			ret=ssl3_get_server_done(s);
+			if (ret <= 0) goto end;
+			if (s->s3->tmp.cert_req)
+				s->state=SSL3_ST_CW_CERT_A;
+			else
+				s->state=SSL3_ST_CW_KEY_EXCH_A;
+			s->init_num=0;
+
+			break;
+
+		case SSL3_ST_CW_CERT_A:
+		case SSL3_ST_CW_CERT_B:
+		case SSL3_ST_CW_CERT_C:
+		case SSL3_ST_CW_CERT_D:
+			ret=ssl3_send_client_certificate(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_KEY_EXCH_A:
+		case SSL3_ST_CW_KEY_EXCH_B:
+			ret=ssl3_send_client_key_exchange(s);
+			if (ret <= 0) goto end;
+			l=s->s3->tmp.new_cipher->algorithms;
+			/* EAY EAY EAY need to check for DH fix cert
+			 * sent back */
+			/* For TLS, cert_req is set to 2, so a cert chain
+			 * of nothing is sent, but no verify packet is sent */
+			if (s->s3->tmp.cert_req == 1)
+				{
+				s->state=SSL3_ST_CW_CERT_VRFY_A;
+				}
+			else
+				{
+				s->state=SSL3_ST_CW_CHANGE_A;
+				s->s3->change_cipher_spec=0;
+				}
+
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_CERT_VRFY_A:
+		case SSL3_ST_CW_CERT_VRFY_B:
+			ret=ssl3_send_client_verify(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_CHANGE_A;
+			s->init_num=0;
+			s->s3->change_cipher_spec=0;
+			break;
+
+		case SSL3_ST_CW_CHANGE_A:
+		case SSL3_ST_CW_CHANGE_B:
+			ret=ssl3_send_change_cipher_spec(s,
+				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_FINISHED_A;
+			s->init_num=0;
+
+			s->session->cipher=s->s3->tmp.new_cipher;
+			if (s->s3->tmp.new_compression == NULL)
+				s->session->compress_meth=0;
+			else
+				s->session->compress_meth=
+					s->s3->tmp.new_compression->id;
+			if (!s->method->ssl3_enc->setup_key_block(s))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			if (!s->method->ssl3_enc->change_cipher_state(s,
+				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			break;
+
+		case SSL3_ST_CW_FINISHED_A:
+		case SSL3_ST_CW_FINISHED_B:
+			ret=ssl3_send_finished(s,
+				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
+				s->method->ssl3_enc->client_finished_label,
+				s->method->ssl3_enc->client_finished_label_len);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_FLUSH;
+
+			/* clear flags */
+			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+			if (s->hit)
+				{
+				s->s3->tmp.next_state=SSL_ST_OK;
+				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
+					{
+					s->state=SSL_ST_OK;
+					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
+					s->s3->delay_buf_pop_ret=0;
+					}
+				}
+			else
+				{
+				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+				}
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_FINISHED_A:
+		case SSL3_ST_CR_FINISHED_B:
+
+			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+				SSL3_ST_CR_FINISHED_B);
+			if (ret <= 0) goto end;
+
+			if (s->hit)
+				s->state=SSL3_ST_CW_CHANGE_A;
+			else
+				s->state=SSL_ST_OK;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_FLUSH:
+			/* number of bytes to be flushed */
+			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+			if (num1 > 0)
+				{
+				s->rwstate=SSL_WRITING;
+				num1=BIO_flush(s->wbio);
+				if (num1 <= 0) { ret= -1; goto end; }
+				s->rwstate=SSL_NOTHING;
+				}
+
+			s->state=s->s3->tmp.next_state;
+			break;
+
+		case SSL_ST_OK:
+			/* clean a few things up */
+			ssl3_cleanup_key_block(s);
+
+			if (s->init_buf != NULL)
+				{
+				BUF_MEM_free(s->init_buf);
+				s->init_buf=NULL;
+				}
+
+			/* If we are not 'joining' the last two packets,
+			 * remove the buffering now */
+			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+				ssl_free_wbio_buffer(s);
+			/* else do it later in ssl3_write */
+
+			s->init_num=0;
+			s->new_session=0;
+
+			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
+			if (s->hit) s->ctx->stats.sess_hit++;
+
+			ret=1;
+			/* s->server=0; */
+			s->handshake_func=ssl3_connect;
+			s->ctx->stats.sess_connect_good++;
+
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+
+			goto end;
+			/* break; */
+			
+		default:
+			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+
+		/* did we do anything */
+		if (!s->s3->tmp.reuse_message && !skip)
+			{
+			if (s->debug)
+				{
+				if ((ret=BIO_flush(s->wbio)) <= 0)
+					goto end;
+				}
+
+			if ((cb != NULL) && (s->state != state))
+				{
+				new_state=s->state;
+				s->state=state;
+				cb(s,SSL_CB_CONNECT_LOOP,1);
+				s->state=new_state;
+				}
+			}
+		skip=0;
+		}
+end:
+	if (cb != NULL)
+		cb(s,SSL_CB_CONNECT_EXIT,ret);
+	s->in_handshake--;
+	return(ret);
+	}
+
+
+static int ssl3_client_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int i,j;
+	unsigned long Time,l;
+	SSL_COMP *comp;
+
+	buf=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
+		{
+		if ((s->session == NULL) ||
+			(s->session->ssl_version != s->version) ||
+			(s->session->not_resumable))
+			{
+			if (!ssl_get_new_session(s,0))
+				goto err;
+			}
+		/* else use the pre-loaded session */
+
+		p=s->s3->client_random;
+		Time=time(NULL);			/* Time */
+		l2n(Time,p);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+
+		/* Do the message type and length last */
+		d=p= &(buf[4]);
+
+		*(p++)=s->version>>8;
+		*(p++)=s->version&0xff;
+		s->client_version=s->version;
+
+		/* Random stuff */
+		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+
+		/* Session ID */
+		if (s->new_session)
+			i=0;
+		else
+			i=s->session->session_id_length;
+		*(p++)=i;
+		if (i != 0)
+			{
+			memcpy(p,s->session->session_id,i);
+			p+=i;
+			}
+		
+		/* Ciphers supported */
+		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+			goto err;
+			}
+		s2n(i,p);
+		p+=i;
+
+		/* COMPRESSION */
+		if (s->ctx->comp_methods == NULL)
+			j=0;
+		else
+			j=sk_SSL_COMP_num(s->ctx->comp_methods);
+		*(p++)=1+j;
+		for (i=0; i<j; i++)
+			{
+			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+			*(p++)=comp->id;
+			}
+		*(p++)=0; /* Add the NULL method */
+		
+		l=(p-d);
+		d=buf;
+		*(d++)=SSL3_MT_CLIENT_HELLO;
+		l2n3(l,d);
+
+		s->state=SSL3_ST_CW_CLNT_HELLO_B;
+		/* number of bytes to write */
+		s->init_num=p-buf;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+static int ssl3_get_server_hello(SSL *s)
+	{
+	STACK_OF(SSL_CIPHER) *sk;
+	SSL_CIPHER *c;
+	unsigned char *p,*d;
+	int i,al,ok;
+	unsigned int j;
+	long n;
+	SSL_COMP *comp;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_CR_SRVR_HELLO_A,
+		SSL3_ST_CR_SRVR_HELLO_B,
+		SSL3_MT_SERVER_HELLO,
+		300, /* ?? */
+		&ok);
+
+	if (!ok) return((int)n);
+	d=p=(unsigned char *)s->init_buf->data;
+
+	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
+		{
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
+		s->version=(s->version&0xff00)|p[1];
+		al=SSL_AD_PROTOCOL_VERSION;
+		goto f_err;
+		}
+	p+=2;
+
+	/* load the server hello data */
+	/* load the server random */
+	memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
+	p+=SSL3_RANDOM_SIZE;
+
+	/* get the session-id */
+	j= *(p++);
+
+	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+		{
+		/* SSLref returns 16 :-( */
+		if (j < SSL2_SSL_SESSION_ID_LENGTH)
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
+			goto f_err;
+			}
+		}
+	if (j != 0 && j == s->session->session_id_length
+	    && memcmp(p,s->session->session_id,j) == 0)
+	    {
+	    if(s->sid_ctx_length != s->session->sid_ctx_length
+	       || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+		goto f_err;
+		}
+	    s->hit=1;
+	    }
+	else	/* a miss or crap from the other end */
+		{
+		/* If we were trying for session-id reuse, make a new
+		 * SSL_SESSION so we don't stuff up other people */
+		s->hit=0;
+		if (s->session->session_id_length > 0)
+			{
+			if (!ssl_get_new_session(s,0))
+				{
+				al=SSL_AD_INTERNAL_ERROR;
+				goto f_err;
+				}
+			}
+		s->session->session_id_length=j;
+		memcpy(s->session->session_id,p,j); /* j could be 0 */
+		}
+	p+=j;
+	c=ssl_get_cipher_by_char(s,p);
+	if (c == NULL)
+		{
+		/* unknown cipher */
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
+		goto f_err;
+		}
+	p+=ssl_put_cipher_by_char(s,NULL,NULL);
+
+	sk=ssl_get_ciphers_by_id(s);
+	i=sk_SSL_CIPHER_find(sk,c);
+	if (i < 0)
+		{
+		/* we did not say we would use this cipher */
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
+		goto f_err;
+		}
+
+	if (s->hit && (s->session->cipher != c))
+		{
+		if (!(s->options &
+			SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+			goto f_err;
+			}
+		}
+	s->s3->tmp.new_cipher=c;
+
+	/* lets get the compression algorithm */
+	/* COMPRESSION */
+	j= *(p++);
+	if (j == 0)
+		comp=NULL;
+	else
+		comp=ssl3_comp_find(s->ctx->comp_methods,j);
+	
+	if ((j != 0) && (comp == NULL))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+		goto f_err;
+		}
+	else
+		{
+		s->s3->tmp.new_compression=comp;
+		}
+
+	if (p != (d+n))
+		{
+		/* wrong packet length */
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
+		goto err;
+		}
+
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(-1);
+	}
+
+static int ssl3_get_server_certificate(SSL *s)
+	{
+	int al,i,ok,ret= -1;
+	unsigned long n,nc,llen,l;
+	X509 *x=NULL;
+	unsigned char *p,*d,*q;
+	STACK_OF(X509) *sk=NULL;
+	SESS_CERT *sc;
+	EVP_PKEY *pkey=NULL;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_CR_CERT_A,
+		SSL3_ST_CR_CERT_B,
+		-1,
+#if defined(MSDOS) && !defined(WIN32)
+		1024*30, /* 30k max cert list :-) */
+#else
+		1024*100, /* 100k max cert list :-) */
+#endif
+		&ok);
+
+	if (!ok) return((int)n);
+
+	if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
+		{
+		s->s3->tmp.reuse_message=1;
+		return(1);
+		}
+
+	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
+		goto f_err;
+		}
+	d=p=(unsigned char *)s->init_buf->data;
+
+	if ((sk=sk_X509_new_null()) == NULL)
+		{
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	n2l3(p,llen);
+	if (llen+3 != n)
+		{
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+		}
+	for (nc=0; nc<llen; )
+		{
+		n2l3(p,l);
+		if ((l+nc+3) > llen)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
+
+		q=p;
+		x=d2i_X509(NULL,&q,l);
+		if (x == NULL)
+			{
+			al=SSL_AD_BAD_CERTIFICATE;
+			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
+			goto f_err;
+			}
+		if (q != (p+l))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
+		if (!sk_X509_push(sk,x))
+			{
+			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		x=NULL;
+		nc+=l+3;
+		p=q;
+		}
+
+	i=ssl_verify_cert_chain(s,sk);
+	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+		{
+		al=ssl_verify_alarm_type(s->verify_result);
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
+		goto f_err; 
+		}
+
+	sc=ssl_sess_cert_new();
+	if (sc == NULL) goto err;
+
+	if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
+	s->session->sess_cert=sc;
+
+	sc->cert_chain=sk;
+	/* Inconsistency alert: cert_chain does include the peer's
+	 * certificate, which we don't include in s3_srvr.c */
+	x=sk_X509_value(sk,0);
+	sk=NULL;
+
+	pkey=X509_get_pubkey(x);
+
+	if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
+		{
+		x=NULL;
+		al=SSL3_AL_FATAL;
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
+		goto f_err;
+		}
+
+	i=ssl_cert_type(x,pkey);
+	if (i < 0)
+		{
+		x=NULL;
+		al=SSL3_AL_FATAL;
+		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+		goto f_err;
+		}
+
+	sc->peer_cert_type=i;
+	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+	if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
+										 * We just created sc a couple of
+										 * lines ago. */
+		X509_free(sc->peer_pkeys[i].x509);
+	sc->peer_pkeys[i].x509=x;
+	sc->peer_key= &(sc->peer_pkeys[i]);
+
+	if (s->session->peer != NULL)
+		X509_free(s->session->peer);
+	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+	s->session->peer=x;
+
+	x=NULL;
+	ret=1;
+
+	if (0)
+		{
+f_err:
+		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		}
+err:
+	EVP_PKEY_free(pkey);
+	X509_free(x);
+	sk_X509_pop_free(sk,X509_free);
+	return(ret);
+	}
+
+static int ssl3_get_key_exchange(SSL *s)
+	{
+#ifndef NO_RSA
+	unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
+#endif
+	EVP_MD_CTX md_ctx;
+	unsigned char *param,*p;
+	int al,i,j,param_len,ok;
+	long n,alg;
+	EVP_PKEY *pkey=NULL;
+#ifndef NO_RSA
+	RSA *rsa=NULL;
+#endif
+#ifndef NO_DH
+	DH *dh=NULL;
+#endif
+
+	n=ssl3_get_message(s,
+		SSL3_ST_CR_KEY_EXCH_A,
+		SSL3_ST_CR_KEY_EXCH_B,
+		-1,
+		1024*8, /* ?? */
+		&ok);
+
+	if (!ok) return((int)n);
+
+	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
+		{
+		s->s3->tmp.reuse_message=1;
+		return(1);
+		}
+
+	param=p=(unsigned char *)s->init_buf->data;
+
+	if (s->session->sess_cert != NULL)
+		{
+#ifndef NO_RSA
+		if (s->session->sess_cert->peer_rsa_tmp != NULL)
+			{
+			RSA_free(s->session->sess_cert->peer_rsa_tmp);
+			s->session->sess_cert->peer_rsa_tmp=NULL;
+			}
+#endif
+#ifndef NO_DH
+		if (s->session->sess_cert->peer_dh_tmp)
+			{
+			DH_free(s->session->sess_cert->peer_dh_tmp);
+			s->session->sess_cert->peer_dh_tmp=NULL;
+			}
+#endif
+		}
+	else
+		{
+		s->session->sess_cert=ssl_sess_cert_new();
+		}
+
+	param_len=0;
+	alg=s->s3->tmp.new_cipher->algorithms;
+
+#ifndef NO_RSA
+	if (alg & SSL_kRSA)
+		{
+		if ((rsa=RSA_new()) == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		n2s(p,i);
+		param_len=i+2;
+		if (param_len > n)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
+			goto f_err;
+			}
+		if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
+			goto err;
+			}
+		p+=i;
+
+		n2s(p,i);
+		param_len+=i+2;
+		if (param_len > n)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
+			goto f_err;
+			}
+		if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
+			goto err;
+			}
+		p+=i;
+		n-=param_len;
+
+		/* this should be because we are using an export cipher */
+		if (alg & SSL_aRSA)
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+		else
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+			goto err;
+			}
+		s->session->sess_cert->peer_rsa_tmp=rsa;
+		rsa=NULL;
+		}
+	else
+#endif
+#ifndef NO_DH
+		if (alg & SSL_kEDH)
+		{
+		if ((dh=DH_new()) == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
+			goto err;
+			}
+		n2s(p,i);
+		param_len=i+2;
+		if (param_len > n)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
+			goto f_err;
+			}
+		if (!(dh->p=BN_bin2bn(p,i,NULL)))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
+			goto err;
+			}
+		p+=i;
+
+		n2s(p,i);
+		param_len+=i+2;
+		if (param_len > n)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
+			goto f_err;
+			}
+		if (!(dh->g=BN_bin2bn(p,i,NULL)))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
+			goto err;
+			}
+		p+=i;
+
+		n2s(p,i);
+		param_len+=i+2;
+		if (param_len > n)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
+			goto f_err;
+			}
+		if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
+			goto err;
+			}
+		p+=i;
+		n-=param_len;
+
+#ifndef NO_RSA
+		if (alg & SSL_aRSA)
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+		else
+#endif
+#ifndef NO_DSA
+		if (alg & SSL_aDSS)
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
+#endif
+		/* else anonymous DH, so no certificate or pkey. */
+
+		s->session->sess_cert->peer_dh_tmp=dh;
+		dh=NULL;
+		}
+	else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
+		goto f_err;
+		}
+#endif
+	if (alg & SSL_aFZA)
+		{
+		al=SSL_AD_HANDSHAKE_FAILURE;
+		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
+		goto f_err;
+		}
+
+
+	/* p points to the next byte, there are 'n' bytes left */
+
+
+	/* if it was signed, check the signature */
+	if (pkey != NULL)
+		{
+		n2s(p,i);
+		n-=2;
+		j=EVP_PKEY_size(pkey);
+
+		if ((i != n) || (n > j) || (n <= 0))
+			{
+			/* wrong packet length */
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
+			goto f_err;
+			}
+
+#ifndef NO_RSA
+		if (pkey->type == EVP_PKEY_RSA)
+			{
+			int num;
+
+			j=0;
+			q=md_buf;
+			for (num=2; num > 0; num--)
+				{
+				EVP_DigestInit(&md_ctx,(num == 2)
+					?s->ctx->md5:s->ctx->sha1);
+				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+				EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+				EVP_DigestUpdate(&md_ctx,param,param_len);
+				EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i);
+				q+=i;
+				j+=i;
+				}
+			i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
+								pkey->pkey.rsa);
+			if (i < 0)
+				{
+				al=SSL_AD_DECRYPT_ERROR;
+				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+				goto f_err;
+				}
+			if (i == 0)
+				{
+				/* bad signature */
+				al=SSL_AD_DECRYPT_ERROR;
+				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
+				goto f_err;
+				}
+			}
+		else
+#endif
+#ifndef NO_DSA
+			if (pkey->type == EVP_PKEY_DSA)
+			{
+			/* lets do DSS */
+			EVP_VerifyInit(&md_ctx,EVP_dss1());
+			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+			EVP_VerifyUpdate(&md_ctx,param,param_len);
+			if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
+				{
+				/* bad signature */
+				al=SSL_AD_DECRYPT_ERROR;
+				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
+				goto f_err;
+				}
+			}
+		else
+#endif
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+			goto err;
+			}
+		}
+	else
+		{
+		/* still data left over */
+		if (!(alg & SSL_aNULL))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+			goto err;
+			}
+		if (n != 0)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
+			goto f_err;
+			}
+		}
+	EVP_PKEY_free(pkey);
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	EVP_PKEY_free(pkey);
+#ifndef NO_RSA
+	if (rsa != NULL)
+		RSA_free(rsa);
+#endif
+#ifndef NO_DH
+	if (dh != NULL)
+		DH_free(dh);
+#endif
+	return(-1);
+	}
+
+static int ssl3_get_certificate_request(SSL *s)
+	{
+	int ok,ret=0;
+	unsigned long n,nc,l;
+	unsigned int llen,ctype_num,i;
+	X509_NAME *xn=NULL;
+	unsigned char *p,*d,*q;
+	STACK_OF(X509_NAME) *ca_sk=NULL;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_CR_CERT_REQ_A,
+		SSL3_ST_CR_CERT_REQ_B,
+		-1,
+#if defined(MSDOS) && !defined(WIN32)
+		1024*30,  /* 30k max cert list :-) */
+#else
+		1024*100, /* 100k max cert list :-) */
+#endif
+		&ok);
+
+	if (!ok) return((int)n);
+
+	s->s3->tmp.cert_req=0;
+
+	if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
+		{
+		s->s3->tmp.reuse_message=1;
+		return(1);
+		}
+
+	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
+		{
+		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
+		goto err;
+		}
+
+	/* TLS does not like anon-DH with client cert */
+	if (s->version > SSL3_VERSION)
+		{
+		l=s->s3->tmp.new_cipher->algorithms;
+		if (l & SSL_aNULL)
+			{
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
+			goto err;
+			}
+		}
+
+	d=p=(unsigned char *)s->init_buf->data;
+
+	if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
+		{
+		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	/* get the certificate types */
+	ctype_num= *(p++);
+	if (ctype_num > SSL3_CT_NUMBER)
+		ctype_num=SSL3_CT_NUMBER;
+	for (i=0; i<ctype_num; i++)
+		s->s3->tmp.ctype[i]= p[i];
+	p+=ctype_num;
+
+	/* get the CA RDNs */
+	n2s(p,llen);
+#if 0
+{
+FILE *out;
+out=fopen("/tmp/vsign.der","w");
+fwrite(p,1,llen,out);
+fclose(out);
+}
+#endif
+
+	if ((llen+ctype_num+2+1) != n)
+		{
+		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
+		goto err;
+		}
+
+	for (nc=0; nc<llen; )
+		{
+		n2s(p,l);
+		if ((l+nc+2) > llen)
+			{
+			if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+				goto cont; /* netscape bugs */
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
+			goto err;
+			}
+
+		q=p;
+
+		if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
+			{
+			/* If netscape tolerance is on, ignore errors */
+			if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
+				goto cont;
+			else
+				{
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+				SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
+				goto err;
+				}
+			}
+
+		if (q != (p+l))
+			{
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
+			goto err;
+			}
+		if (!sk_X509_NAME_push(ca_sk,xn))
+			{
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		p+=l;
+		nc+=l+2;
+		}
+
+	if (0)
+		{
+cont:
+		ERR_clear_error();
+		}
+
+	/* we should setup a certificate to return.... */
+	s->s3->tmp.cert_req=1;
+	s->s3->tmp.ctype_num=ctype_num;
+	if (s->s3->tmp.ca_names != NULL)
+		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+	s->s3->tmp.ca_names=ca_sk;
+	ca_sk=NULL;
+
+	ret=1;
+err:
+	if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
+	return(ret);
+	}
+
+static int ca_dn_cmp(X509_NAME **a, X509_NAME **b)
+	{
+	return(X509_NAME_cmp(*a,*b));
+	}
+
+static int ssl3_get_server_done(SSL *s)
+	{
+	int ok,ret=0;
+	long n;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_CR_SRVR_DONE_A,
+		SSL3_ST_CR_SRVR_DONE_B,
+		SSL3_MT_SERVER_DONE,
+		30, /* should be very small, like 0 :-) */
+		&ok);
+
+	if (!ok) return((int)n);
+	if (n > 0)
+		{
+		/* should contain no data */
+		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+		SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
+		}
+	ret=1;
+	return(ret);
+	}
+
+static int ssl3_send_client_key_exchange(SSL *s)
+	{
+	unsigned char *p,*d;
+	int n;
+	unsigned long l;
+#ifndef NO_RSA
+	unsigned char *q;
+	EVP_PKEY *pkey=NULL;
+#endif
+
+	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[4]);
+
+		l=s->s3->tmp.new_cipher->algorithms;
+
+#ifndef NO_RSA
+		if (l & SSL_kRSA)
+			{
+			RSA *rsa;
+			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
+			if (s->session->sess_cert->peer_rsa_tmp != NULL)
+				rsa=s->session->sess_cert->peer_rsa_tmp;
+			else
+				{
+				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+				if ((pkey == NULL) ||
+					(pkey->type != EVP_PKEY_RSA) ||
+					(pkey->pkey.rsa == NULL))
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+					goto err;
+					}
+				rsa=pkey->pkey.rsa;
+				EVP_PKEY_free(pkey);
+				}
+				
+			tmp_buf[0]=s->client_version>>8;
+			tmp_buf[1]=s->client_version&0xff;
+			if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+					goto err;
+
+			s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
+
+			q=p;
+			/* Fix buf for TLS and beyond */
+			if (s->version > SSL3_VERSION)
+				p+=2;
+			n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
+				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
+#ifdef PKCS1_CHECK
+			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
+			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
+#endif
+			if (n <= 0)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
+				goto err;
+				}
+
+			/* Fix buf for TLS and beyond */
+			if (s->version > SSL3_VERSION)
+				{
+				s2n(n,q);
+				n+=2;
+				}
+
+			s->session->master_key_length=
+				s->method->ssl3_enc->generate_master_secret(s,
+					s->session->master_key,
+					tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
+			memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+			}
+		else
+#endif
+#ifndef NO_DH
+		if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+			{
+			DH *dh_srvr,*dh_clnt;
+
+			if (s->session->sess_cert->peer_dh_tmp != NULL)
+				dh_srvr=s->session->sess_cert->peer_dh_tmp;
+			else
+				{
+				/* we get them from the cert */
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
+				goto err;
+				}
+			
+			/* generate a new random key */
+			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+			if (!DH_generate_key(dh_clnt))
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			/* use the 'p' output buffer for the DH key, but
+			 * make sure to clear it out afterwards */
+
+			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
+
+			if (n <= 0)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			/* generate master key from the result */
+			s->session->master_key_length=
+				s->method->ssl3_enc->generate_master_secret(s,
+					s->session->master_key,p,n);
+			/* clean up */
+			memset(p,0,n);
+
+			/* send off the data */
+			n=BN_num_bytes(dh_clnt->pub_key);
+			s2n(n,p);
+			BN_bn2bin(dh_clnt->pub_key,p);
+			n+=2;
+
+			DH_free(dh_clnt);
+
+			/* perhaps clean things up a bit EAY EAY EAY EAY*/
+			}
+		else
+#endif
+			{
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+			goto err;
+			}
+		
+		*(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
+		l2n3(n,d);
+
+		s->state=SSL3_ST_CW_KEY_EXCH_B;
+		/* number of bytes to write */
+		s->init_num=n+4;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_CW_KEY_EXCH_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+static int ssl3_send_client_verify(SSL *s)
+	{
+	unsigned char *p,*d;
+	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	EVP_PKEY *pkey;
+#ifndef NO_RSA
+	unsigned u=0;
+#endif
+	unsigned long n;
+#ifndef NO_DSA
+	int j;
+#endif
+
+	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[4]);
+		pkey=s->cert->key->privatekey;
+
+		s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
+			&(data[MD5_DIGEST_LENGTH]));
+
+#ifndef NO_RSA
+		if (pkey->type == EVP_PKEY_RSA)
+			{
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst1),&(data[0]));
+			if (RSA_sign(NID_md5_sha1, data,
+					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
+				goto err;
+				}
+			s2n(u,p);
+			n=u+2;
+			}
+		else
+#endif
+#ifndef NO_DSA
+			if (pkey->type == EVP_PKEY_DSA)
+			{
+			if (!DSA_sign(pkey->save_type,
+				&(data[MD5_DIGEST_LENGTH]),
+				SHA_DIGEST_LENGTH,&(p[2]),
+				(unsigned int *)&j,pkey->pkey.dsa))
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
+				goto err;
+				}
+			s2n(j,p);
+			n=j+2;
+			}
+		else
+#endif
+			{
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR);
+			goto err;
+			}
+		*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
+		l2n3(n,d);
+
+		s->init_num=(int)n+4;
+		s->init_off=0;
+		}
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+static int ssl3_send_client_certificate(SSL *s)
+	{
+	X509 *x509=NULL;
+	EVP_PKEY *pkey=NULL;
+	int i;
+	unsigned long l;
+
+	if (s->state ==	SSL3_ST_CW_CERT_A)
+		{
+		if ((s->cert == NULL) ||
+			(s->cert->key->x509 == NULL) ||
+			(s->cert->key->privatekey == NULL))
+			s->state=SSL3_ST_CW_CERT_B;
+		else
+			s->state=SSL3_ST_CW_CERT_C;
+		}
+
+	/* We need to get a client cert */
+	if (s->state == SSL3_ST_CW_CERT_B)
+		{
+		/* If we get an error, we need to
+		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
+		 * We then get retied later */
+		i=0;
+		if (s->ctx->client_cert_cb != NULL)
+			i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+		if (i < 0)
+			{
+			s->rwstate=SSL_X509_LOOKUP;
+			return(-1);
+			}
+		s->rwstate=SSL_NOTHING;
+		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
+			{
+			s->state=SSL3_ST_CW_CERT_B;
+			if (	!SSL_use_certificate(s,x509) ||
+				!SSL_use_PrivateKey(s,pkey))
+				i=0;
+			}
+		else if (i == 1)
+			{
+			i=0;
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+			}
+
+		if (x509 != NULL) X509_free(x509);
+		if (pkey != NULL) EVP_PKEY_free(pkey);
+		if (i == 0)
+			{
+			if (s->version == SSL3_VERSION)
+				{
+				s->s3->tmp.cert_req=0;
+				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
+				return(1);
+				}
+			else
+				{
+				s->s3->tmp.cert_req=2;
+				}
+			}
+
+		/* Ok, we have a cert */
+		s->state=SSL3_ST_CW_CERT_C;
+		}
+
+	if (s->state == SSL3_ST_CW_CERT_C)
+		{
+		s->state=SSL3_ST_CW_CERT_D;
+		l=ssl3_output_cert_chain(s,
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		s->init_num=(int)l;
+		s->init_off=0;
+		}
+	/* SSL3_ST_CW_CERT_D */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+#define has_bits(i,m)	(((i)&(m)) == (m))
+
+static int ssl3_check_cert_and_algorithm(SSL *s)
+	{
+	int i,idx;
+	long algs;
+	EVP_PKEY *pkey=NULL;
+	SESS_CERT *sc;
+#ifndef NO_RSA
+	RSA *rsa;
+#endif
+#ifndef NO_DH
+	DH *dh;
+#endif
+
+	sc=s->session->sess_cert;
+
+	if (sc == NULL)
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
+		goto err;
+		}
+
+	algs=s->s3->tmp.new_cipher->algorithms;
+
+	/* we don't have a certificate */
+	if (algs & (SSL_aDH|SSL_aNULL))
+		return(1);
+
+#ifndef NO_RSA
+	rsa=s->session->sess_cert->peer_rsa_tmp;
+#endif
+#ifndef NO_DH
+	dh=s->session->sess_cert->peer_dh_tmp;
+#endif
+
+	/* This is the passed certificate */
+
+	idx=sc->peer_cert_type;
+	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
+	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
+	EVP_PKEY_free(pkey);
+
+	
+	/* Check that we have a certificate if we require one */
+	if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
+		goto f_err;
+		}
+#ifndef NO_DSA
+	else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
+		goto f_err;
+		}
+#endif
+#ifndef NO_RSA
+	if ((algs & SSL_kRSA) &&
+		!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
+		goto f_err;
+		}
+#endif
+#ifndef NO_DH
+	if ((algs & SSL_kEDH) &&
+		!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
+		goto f_err;
+		}
+	else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
+		goto f_err;
+		}
+#ifndef NO_DSA
+	else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+		{
+		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
+		goto f_err;
+		}
+#endif
+#endif
+
+	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
+		{
+#ifndef NO_RSA
+		if (algs & SSL_kRSA)
+			{
+			if (rsa == NULL
+			    || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+				{
+				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
+				goto f_err;
+				}
+			}
+		else
+#endif
+#ifndef NO_DH
+			if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+			    {
+			    if (dh == NULL
+				|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+				{
+				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
+				goto f_err;
+				}
+			}
+		else
+#endif
+			{
+			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
+			goto f_err;
+			}
+		}
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+err:
+	return(0);
+	}
+
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
new file mode 100644
index 0000000..df4acab
--- /dev/null
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -0,0 +1,583 @@
+/* ssl/s3_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include "ssl_locl.h"
+
+static unsigned char ssl3_pad_1[48]={
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
+	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
+
+static unsigned char ssl3_pad_2[48]={
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
+	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
+
+static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
+	const char *sender, int len, unsigned char *p);
+
+static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
+	{
+	MD5_CTX m5;
+	SHA_CTX s1;
+	unsigned char buf[8],smd[SHA_DIGEST_LENGTH];
+	unsigned char c='A';
+	int i,j,k;
+
+#ifdef CHARSET_EBCDIC
+	c = os_toascii[c]; /*'A' in ASCII */
+#endif
+	k=0;
+	for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
+		{
+		k++;
+		for (j=0; j<k; j++)
+			buf[j]=c;
+		c++;
+		SHA1_Init(  &s1);
+		SHA1_Update(&s1,buf,k);
+		SHA1_Update(&s1,s->session->master_key,
+			s->session->master_key_length);
+		SHA1_Update(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
+		SHA1_Update(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
+		SHA1_Final( smd,&s1);
+
+		MD5_Init(  &m5);
+		MD5_Update(&m5,s->session->master_key,
+			s->session->master_key_length);
+		MD5_Update(&m5,smd,SHA_DIGEST_LENGTH);
+		if ((i+MD5_DIGEST_LENGTH) > num)
+			{
+			MD5_Final(smd,&m5);
+			memcpy(km,smd,(num-i));
+			}
+		else
+			MD5_Final(km,&m5);
+
+		km+=MD5_DIGEST_LENGTH;
+		}
+	memset(smd,0,SHA_DIGEST_LENGTH);
+	}
+
+int ssl3_change_cipher_state(SSL *s, int which)
+	{
+	unsigned char *p,*key_block,*mac_secret;
+	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
+	unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
+	unsigned char *ms,*key,*iv,*er1,*er2;
+	EVP_CIPHER_CTX *dd;
+	const EVP_CIPHER *c;
+	COMP_METHOD *comp;
+	const EVP_MD *m;
+	MD5_CTX md;
+	int exp,n,i,j,k,cl;
+
+	exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+	c=s->s3->tmp.new_sym_enc;
+	m=s->s3->tmp.new_hash;
+	if (s->s3->tmp.new_compression == NULL)
+		comp=NULL;
+	else
+		comp=s->s3->tmp.new_compression->method;
+	key_block=s->s3->tmp.key_block;
+
+	if (which & SSL3_CC_READ)
+		{
+		if ((s->enc_read_ctx == NULL) &&
+			((s->enc_read_ctx=(EVP_CIPHER_CTX *)
+			Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+			goto err;
+		dd= s->enc_read_ctx;
+		s->read_hash=m;
+		/* COMPRESS */
+		if (s->expand != NULL)
+			{
+			COMP_CTX_free(s->expand);
+			s->expand=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->expand=COMP_CTX_new(comp);
+			if (s->expand == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			if (s->s3->rrec.comp == NULL)
+				s->s3->rrec.comp=(unsigned char *)
+					Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
+			if (s->s3->rrec.comp == NULL)
+				goto err;
+			}
+		memset(&(s->s3->read_sequence[0]),0,8);
+		mac_secret= &(s->s3->read_mac_secret[0]);
+		}
+	else
+		{
+		if ((s->enc_write_ctx == NULL) &&
+			((s->enc_write_ctx=(EVP_CIPHER_CTX *)
+			Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+			goto err;
+		dd= s->enc_write_ctx;
+		s->write_hash=m;
+		/* COMPRESS */
+		if (s->compress != NULL)
+			{
+			COMP_CTX_free(s->compress);
+			s->compress=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->compress=COMP_CTX_new(comp);
+			if (s->compress == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			}
+		memset(&(s->s3->write_sequence[0]),0,8);
+		mac_secret= &(s->s3->write_mac_secret[0]);
+		}
+
+	EVP_CIPHER_CTX_init(dd);
+
+	p=s->s3->tmp.key_block;
+	i=EVP_MD_size(m);
+	cl=EVP_CIPHER_key_length(c);
+	j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+		 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
+	k=EVP_CIPHER_iv_length(c);
+	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
+		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
+		{
+		ms=  &(p[ 0]); n=i+i;
+		key= &(p[ n]); n+=j+j;
+		iv=  &(p[ n]); n+=k+k;
+		er1= &(s->s3->client_random[0]);
+		er2= &(s->s3->server_random[0]);
+		}
+	else
+		{
+		n=i;
+		ms=  &(p[ n]); n+=i+j;
+		key= &(p[ n]); n+=j+k;
+		iv=  &(p[ n]); n+=k;
+		er1= &(s->s3->server_random[0]);
+		er2= &(s->s3->client_random[0]);
+		}
+
+	if (n > s->s3->tmp.key_block_length)
+		{
+		SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
+		goto err2;
+		}
+
+	memcpy(mac_secret,ms,i);
+	if (exp)
+		{
+		/* In here I set both the read and write key/iv to the
+		 * same value since only the correct one will be used :-).
+		 */
+		MD5_Init(&md);
+		MD5_Update(&md,key,j);
+		MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
+		MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
+		MD5_Final(&(exp_key[0]),&md);
+		key= &(exp_key[0]);
+
+		if (k > 0)
+			{
+			MD5_Init(&md);
+			MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
+			MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
+			MD5_Final(&(exp_iv[0]),&md);
+			iv= &(exp_iv[0]);
+			}
+		}
+
+	s->session->key_arg_length=0;
+
+	EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
+
+	memset(&(exp_key[0]),0,sizeof(exp_key));
+	memset(&(exp_iv[0]),0,sizeof(exp_iv));
+	return(1);
+err:
+	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
+err2:
+	return(0);
+	}
+
+int ssl3_setup_key_block(SSL *s)
+	{
+	unsigned char *p;
+	const EVP_CIPHER *c;
+	const EVP_MD *hash;
+	int num;
+	SSL_COMP *comp;
+
+	if (s->s3->tmp.key_block_length != 0)
+		return(1);
+
+	if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
+		{
+		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+		return(0);
+		}
+
+	s->s3->tmp.new_sym_enc=c;
+	s->s3->tmp.new_hash=hash;
+	s->s3->tmp.new_compression=comp;
+
+	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
+	num*=2;
+
+	ssl3_cleanup_key_block(s);
+
+	if ((p=Malloc(num)) == NULL)
+		goto err;
+
+	s->s3->tmp.key_block_length=num;
+	s->s3->tmp.key_block=p;
+
+	ssl3_generate_key_block(s,p,num);
+
+	return(1);
+err:
+	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
+
+void ssl3_cleanup_key_block(SSL *s)
+	{
+	if (s->s3->tmp.key_block != NULL)
+		{
+		memset(s->s3->tmp.key_block,0,
+			s->s3->tmp.key_block_length);
+		Free(s->s3->tmp.key_block);
+		s->s3->tmp.key_block=NULL;
+		}
+	s->s3->tmp.key_block_length=0;
+	}
+
+int ssl3_enc(SSL *s, int send)
+	{
+	SSL3_RECORD *rec;
+	EVP_CIPHER_CTX *ds;
+	unsigned long l;
+	int bs,i;
+	const EVP_CIPHER *enc;
+
+	if (send)
+		{
+		ds=s->enc_write_ctx;
+		rec= &(s->s3->wrec);
+		if (s->enc_write_ctx == NULL)
+			enc=NULL;
+		else
+			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
+		}
+	else
+		{
+		ds=s->enc_read_ctx;
+		rec= &(s->s3->rrec);
+		if (s->enc_read_ctx == NULL)
+			enc=NULL;
+		else
+			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
+		}
+
+	if ((s->session == NULL) || (ds == NULL) ||
+		(enc == NULL))
+		{
+		memcpy(rec->data,rec->input,rec->length);
+		rec->input=rec->data;
+		}
+	else
+		{
+		l=rec->length;
+		bs=EVP_CIPHER_block_size(ds->cipher);
+
+		/* COMPRESS */
+
+		/* This should be using (bs-1) and bs instead of 7 and 8 */
+		if ((bs != 1) && send)
+			{
+			i=bs-((int)l%bs);
+
+			/* we need to add 'i-1' padding bytes */
+			l+=i;
+			rec->length+=i;
+			rec->input[l-1]=(i-1);
+			}
+
+		EVP_Cipher(ds,rec->data,rec->input,l);
+
+		if ((bs != 1) && !send)
+			{
+			i=rec->data[l-1]+1;
+			if (i > bs)
+				{
+				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR);
+				return(0);
+				}
+			rec->length-=i;
+			}
+		}
+	return(1);
+	}
+
+void ssl3_init_finished_mac(SSL *s)
+	{
+	EVP_DigestInit(&(s->s3->finish_dgst1),s->ctx->md5);
+	EVP_DigestInit(&(s->s3->finish_dgst2),s->ctx->sha1);
+	}
+
+void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
+	{
+	EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
+	EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
+	}
+
+int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
+	{
+	return(ssl3_handshake_mac(s,ctx,NULL,0,p));
+	}
+
+int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
+	     const char *sender, int len, unsigned char *p)
+	{
+	int ret;
+
+	ret=ssl3_handshake_mac(s,ctx1,sender,len,p);
+	p+=ret;
+	ret+=ssl3_handshake_mac(s,ctx2,sender,len,p);
+	return(ret);
+	}
+
+static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
+	     const char *sender, int len, unsigned char *p)
+	{
+	unsigned int ret;
+	int npad,n;
+	unsigned int i;
+	unsigned char md_buf[EVP_MAX_MD_SIZE];
+	EVP_MD_CTX ctx;
+
+	EVP_MD_CTX_copy(&ctx,in_ctx);
+
+	n=EVP_MD_CTX_size(&ctx);
+	npad=(48/n)*n;
+
+	if (sender != NULL)
+		EVP_DigestUpdate(&ctx,sender,len);
+	EVP_DigestUpdate(&ctx,s->session->master_key,
+		s->session->master_key_length);
+	EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
+	EVP_DigestFinal(&ctx,md_buf,&i);
+
+	EVP_DigestInit(&ctx,EVP_MD_CTX_md(&ctx));
+	EVP_DigestUpdate(&ctx,s->session->master_key,
+		s->session->master_key_length);
+	EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
+	EVP_DigestUpdate(&ctx,md_buf,i);
+	EVP_DigestFinal(&ctx,p,&ret);
+
+	memset(&ctx,0,sizeof(EVP_MD_CTX));
+
+	return((int)ret);
+	}
+
+int ssl3_mac(SSL *ssl, unsigned char *md, int send)
+	{
+	SSL3_RECORD *rec;
+	unsigned char *mac_sec,*seq;
+	EVP_MD_CTX md_ctx;
+	const EVP_MD *hash;
+	unsigned char *p,rec_char;
+	unsigned int md_size;
+	int npad,i;
+
+	if (send)
+		{
+		rec= &(ssl->s3->wrec);
+		mac_sec= &(ssl->s3->write_mac_secret[0]);
+		seq= &(ssl->s3->write_sequence[0]);
+		hash=ssl->write_hash;
+		}
+	else
+		{
+		rec= &(ssl->s3->rrec);
+		mac_sec= &(ssl->s3->read_mac_secret[0]);
+		seq= &(ssl->s3->read_sequence[0]);
+		hash=ssl->read_hash;
+		}
+
+	md_size=EVP_MD_size(hash);
+	npad=(48/md_size)*md_size;
+
+	/* Chop the digest off the end :-) */
+
+	EVP_DigestInit(  &md_ctx,hash);
+	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
+	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
+	EVP_DigestUpdate(&md_ctx,seq,8);
+	rec_char=rec->type;
+	EVP_DigestUpdate(&md_ctx,&rec_char,1);
+	p=md;
+	s2n(rec->length,p);
+	EVP_DigestUpdate(&md_ctx,md,2);
+	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
+	EVP_DigestFinal( &md_ctx,md,NULL);
+
+	EVP_DigestInit(  &md_ctx,hash);
+	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
+	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
+	EVP_DigestUpdate(&md_ctx,md,md_size);
+	EVP_DigestFinal( &md_ctx,md,&md_size);
+
+	for (i=7; i>=0; i--)
+		if (++seq[i]) break; 
+
+	return(md_size);
+	}
+
+int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
+	     int len)
+	{
+	static const unsigned char *salt[3]={
+#ifndef CHARSET_EBCDIC
+		(const unsigned char *)"A",
+		(const unsigned char *)"BB",
+		(const unsigned char *)"CCC",
+#else
+		(const unsigned char *)"\x41",
+		(const unsigned char *)"\x42\x42",
+		(const unsigned char *)"\x43\x43\x43",
+#endif
+		};
+	unsigned char buf[EVP_MAX_MD_SIZE];
+	EVP_MD_CTX ctx;
+	int i,ret=0;
+	unsigned int n;
+
+	for (i=0; i<3; i++)
+		{
+		EVP_DigestInit(&ctx,s->ctx->sha1);
+		EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
+		EVP_DigestUpdate(&ctx,p,len);
+		EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
+			SSL3_RANDOM_SIZE);
+		EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
+			SSL3_RANDOM_SIZE);
+		EVP_DigestFinal(&ctx,buf,&n);
+
+		EVP_DigestInit(&ctx,s->ctx->md5);
+		EVP_DigestUpdate(&ctx,p,len);
+		EVP_DigestUpdate(&ctx,buf,n);
+		EVP_DigestFinal(&ctx,out,&n);
+		out+=n;
+		ret+=n;
+		}
+	return(ret);
+	}
+
+int ssl3_alert_code(int code)
+	{
+	switch (code)
+		{
+	case SSL_AD_CLOSE_NOTIFY:	return(SSL3_AD_CLOSE_NOTIFY);
+	case SSL_AD_UNEXPECTED_MESSAGE:	return(SSL3_AD_UNEXPECTED_MESSAGE);
+	case SSL_AD_BAD_RECORD_MAC:	return(SSL3_AD_BAD_RECORD_MAC);
+	case SSL_AD_DECRYPTION_FAILED:	return(SSL3_AD_BAD_RECORD_MAC);
+	case SSL_AD_RECORD_OVERFLOW:	return(SSL3_AD_BAD_RECORD_MAC);
+	case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
+	case SSL_AD_HANDSHAKE_FAILURE:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_NO_CERTIFICATE:	return(SSL3_AD_NO_CERTIFICATE);
+	case SSL_AD_BAD_CERTIFICATE:	return(SSL3_AD_BAD_CERTIFICATE);
+	case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
+	case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
+	case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
+	case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
+	case SSL_AD_ILLEGAL_PARAMETER:	return(SSL3_AD_ILLEGAL_PARAMETER);
+	case SSL_AD_UNKNOWN_CA:		return(SSL3_AD_BAD_CERTIFICATE);
+	case SSL_AD_ACCESS_DENIED:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_DECODE_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_DECRYPT_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_EXPORT_RESTRICTION:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_PROTOCOL_VERSION:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_INTERNAL_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_USER_CANCELLED:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_NO_RENEGOTIATION:	return(-1); /* Don't send it :-) */
+	default:			return(-1);
+		}
+	}
+
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
new file mode 100644
index 0000000..7ada26c
--- /dev/null
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -0,0 +1,1339 @@
+/* ssl/s3_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
+
+#define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
+
+static long ssl3_default_timeout(void );
+
+OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+/* The RSA ciphers */
+/* Cipher 01 */
+	{
+	1,
+	SSL3_TXT_RSA_NULL_MD5,
+	SSL3_CK_RSA_NULL_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 02 */
+	{
+	1,
+	SSL3_TXT_RSA_NULL_SHA,
+	SSL3_CK_RSA_NULL_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* anon DH */
+/* Cipher 17 */
+	{
+	1,
+	SSL3_TXT_ADH_RC4_40_MD5,
+	SSL3_CK_ADH_RC4_40_MD5,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 18 */
+	{
+	1,
+	SSL3_TXT_ADH_RC4_128_MD5,
+	SSL3_CK_ADH_RC4_128_MD5,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 19 */
+	{
+	1,
+	SSL3_TXT_ADH_DES_40_CBC_SHA,
+	SSL3_CK_ADH_DES_40_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 1A */
+	{
+	1,
+	SSL3_TXT_ADH_DES_64_CBC_SHA,
+	SSL3_CK_ADH_DES_64_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 1B */
+	{
+	1,
+	SSL3_TXT_ADH_DES_192_CBC_SHA,
+	SSL3_CK_ADH_DES_192_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* RSA again */
+/* Cipher 03 */
+	{
+	1,
+	SSL3_TXT_RSA_RC4_40_MD5,
+	SSL3_CK_RSA_RC4_40_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 04 */
+	{
+	1,
+	SSL3_TXT_RSA_RC4_128_MD5,
+	SSL3_CK_RSA_RC4_128_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 05 */
+	{
+	1,
+	SSL3_TXT_RSA_RC4_128_SHA,
+	SSL3_CK_RSA_RC4_128_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 06 */
+	{
+	1,
+	SSL3_TXT_RSA_RC2_40_MD5,
+	SSL3_CK_RSA_RC2_40_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 07 */
+	{
+	1,
+	SSL3_TXT_RSA_IDEA_128_SHA,
+	SSL3_CK_RSA_IDEA_128_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 08 */
+	{
+	1,
+	SSL3_TXT_RSA_DES_40_CBC_SHA,
+	SSL3_CK_RSA_DES_40_CBC_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 09 */
+	{
+	1,
+	SSL3_TXT_RSA_DES_64_CBC_SHA,
+	SSL3_CK_RSA_DES_64_CBC_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 0A */
+	{
+	1,
+	SSL3_TXT_RSA_DES_192_CBC3_SHA,
+	SSL3_CK_RSA_DES_192_CBC3_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/*  The DH ciphers */
+/* Cipher 0B */
+	{
+	0,
+	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
+	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
+	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 0C */
+	{
+	0,
+	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
+	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
+	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 0D */
+	{
+	0,
+	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
+	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
+	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 0E */
+	{
+	0,
+	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
+	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
+	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 0F */
+	{
+	0,
+	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
+	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
+	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 10 */
+	{
+	0,
+	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
+	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
+	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* The Ephemeral DH ciphers */
+/* Cipher 11 */
+	{
+	1,
+	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
+	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
+	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 12 */
+	{
+	1,
+	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
+	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
+	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 13 */
+	{
+	1,
+	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
+	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
+	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 14 */
+	{
+	1,
+	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
+	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
+	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 15 */
+	{
+	1,
+	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
+	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
+	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 16 */
+	{
+	1,
+	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
+	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
+	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* Fortezza */
+/* Cipher 1C */
+	{
+	0,
+	SSL3_TXT_FZA_DMS_NULL_SHA,
+	SSL3_CK_FZA_DMS_NULL_SHA,
+	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* Cipher 1D */
+	{
+	0,
+	SSL3_TXT_FZA_DMS_FZA_SHA,
+	SSL3_CK_FZA_DMS_FZA_SHA,
+	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
+	0,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* Cipher 1E */
+	{
+	0,
+	SSL3_TXT_FZA_DMS_RC4_SHA,
+	SSL3_CK_FZA_DMS_RC4_SHA,
+	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
+	/* New TLS Export CipherSuites */
+	/* Cipher 60 */
+	    {
+	    1,
+	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
+	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
+	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 61 */
+	    {
+	    1,
+	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 62 */
+	    {
+	    1,
+	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    56,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 63 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    56,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 64 */
+	    {
+	    1,
+	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
+	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 65 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
+	    0,
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
+	    },
+	/* Cipher 66 */
+	    {
+	    1,
+	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
+	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
+	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP,
+	    0,
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS
+	    },
+#endif
+
+/* end of list */
+	};
+
+static SSL3_ENC_METHOD SSLv3_enc_data={
+	ssl3_enc,
+	ssl3_mac,
+	ssl3_setup_key_block,
+	ssl3_generate_master_secret,
+	ssl3_change_cipher_state,
+	ssl3_final_finish_mac,
+	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+	ssl3_cert_verify_mac,
+	SSL3_MD_CLIENT_FINISHED_CONST,4,
+	SSL3_MD_SERVER_FINISHED_CONST,4,
+	ssl3_alert_code,
+	};
+
+static SSL_METHOD SSLv3_data= {
+	SSL3_VERSION,
+	ssl3_new,
+	ssl3_clear,
+	ssl3_free,
+	ssl_undefined_function,
+	ssl_undefined_function,
+	ssl3_read,
+	ssl3_peek,
+	ssl3_write,
+	ssl3_shutdown,
+	ssl3_renegotiate,
+	ssl3_renegotiate_check,
+	ssl3_ctrl,
+	ssl3_ctx_ctrl,
+	ssl3_get_cipher_by_char,
+	ssl3_put_cipher_by_char,
+	ssl3_pending,
+	ssl3_num_ciphers,
+	ssl3_get_cipher,
+	ssl_bad_method,
+	ssl3_default_timeout,
+	&SSLv3_enc_data,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
+	};
+
+static long ssl3_default_timeout(void)
+	{
+	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
+	 * is way too long for http, the cache would over fill */
+	return(60*60*2);
+	}
+
+SSL_METHOD *sslv3_base_method(void)
+	{
+	return(&SSLv3_data);
+	}
+
+int ssl3_num_ciphers(void)
+	{
+	return(SSL3_NUM_CIPHERS);
+	}
+
+SSL_CIPHER *ssl3_get_cipher(unsigned int u)
+	{
+	if (u < SSL3_NUM_CIPHERS)
+		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
+	else
+		return(NULL);
+	}
+
+/* The problem is that it may not be the correct record type */
+int ssl3_pending(SSL *s)
+	{
+	return(s->s3->rrec.length);
+	}
+
+int ssl3_new(SSL *s)
+	{
+	SSL3_STATE *s3;
+
+	if ((s3=Malloc(sizeof *s3)) == NULL) goto err;
+	memset(s3,0,sizeof *s3);
+
+	s->s3=s3;
+
+	s->method->ssl_clear(s);
+	return(1);
+err:
+	return(0);
+	}
+
+void ssl3_free(SSL *s)
+	{
+	if(s == NULL)
+	    return;
+
+	ssl3_cleanup_key_block(s);
+	if (s->s3->rbuf.buf != NULL)
+		Free(s->s3->rbuf.buf);
+	if (s->s3->wbuf.buf != NULL)
+		Free(s->s3->wbuf.buf);
+	if (s->s3->rrec.comp != NULL)
+		Free(s->s3->rrec.comp);
+#ifndef NO_DH
+	if (s->s3->tmp.dh != NULL)
+		DH_free(s->s3->tmp.dh);
+#endif
+	if (s->s3->tmp.ca_names != NULL)
+		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+	memset(s->s3,0,sizeof *s->s3);
+	Free(s->s3);
+	s->s3=NULL;
+	}
+
+void ssl3_clear(SSL *s)
+	{
+	unsigned char *rp,*wp;
+
+	ssl3_cleanup_key_block(s);
+	if (s->s3->tmp.ca_names != NULL)
+		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+
+	if (s->s3->rrec.comp != NULL)
+		{
+		Free(s->s3->rrec.comp);
+		s->s3->rrec.comp=NULL;
+		}
+#ifndef NO_DH
+	if (s->s3->tmp.dh != NULL)
+		DH_free(s->s3->tmp.dh);
+#endif
+
+	rp=s->s3->rbuf.buf;
+	wp=s->s3->wbuf.buf;
+
+	memset(s->s3,0,sizeof *s->s3);
+	if (rp != NULL) s->s3->rbuf.buf=rp;
+	if (wp != NULL) s->s3->wbuf.buf=wp;
+
+	ssl_free_wbio_buffer(s);
+
+	s->packet_length=0;
+	s->s3->renegotiate=0;
+	s->s3->total_renegotiations=0;
+	s->s3->num_renegotiations=0;
+	s->s3->in_read_app_data=0;
+	s->version=SSL3_VERSION;
+	}
+
+long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
+	{
+	int ret=0;
+
+#if !defined(NO_DSA) || !defined(NO_RSA)
+	if (
+#ifndef NO_RSA
+	    cmd == SSL_CTRL_SET_TMP_RSA ||
+	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+#endif
+#ifndef NO_DSA
+	    cmd == SSL_CTRL_SET_TMP_DH ||
+	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
+#endif
+		0)
+		{
+		if (!ssl_cert_inst(&s->cert))
+		    	{
+			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		}
+#endif
+
+	switch (cmd)
+		{
+	case SSL_CTRL_GET_SESSION_REUSED:
+		ret=s->hit;
+		break;
+	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
+		break;
+	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
+		ret=s->s3->num_renegotiations;
+		break;
+	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
+		ret=s->s3->num_renegotiations;
+		s->s3->num_renegotiations=0;
+		break;
+	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
+		ret=s->s3->total_renegotiations;
+		break;
+	case SSL_CTRL_GET_FLAGS:
+		ret=(int)(s->s3->flags);
+		break;
+#ifndef NO_RSA
+	case SSL_CTRL_NEED_TMP_RSA:
+		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
+		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
+		     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
+			ret = 1;
+		break;
+	case SSL_CTRL_SET_TMP_RSA:
+		{
+			RSA *rsa = (RSA *)parg;
+			if (rsa == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
+				return(ret);
+				}
+			if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
+				return(ret);
+				}
+			if (s->cert->rsa_tmp != NULL)
+				RSA_free(s->cert->rsa_tmp);
+			s->cert->rsa_tmp = rsa;
+			ret = 1;
+		}
+		break;
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(ret);
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH:
+		{
+			DH *dh = (DH *)parg;
+			if (dh == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
+				return(ret);
+				}
+			if ((dh = DHparams_dup(dh)) == NULL)
+				{
+				SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+				return(ret);
+				}
+			if (!(s->options & SSL_OP_SINGLE_DH_USE))
+				{
+				if (!DH_generate_key(dh))
+					{
+					DH_free(dh);
+					SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+					return(ret);
+					}
+				}
+			if (s->cert->dh_tmp != NULL)
+				DH_free(s->cert->dh_tmp);
+			s->cert->dh_tmp = dh;
+			ret = 1;
+		}
+		break;
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(ret);
+		}
+		break;
+#endif
+	default:
+		break;
+		}
+	return(ret);
+	}
+
+long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
+	{
+	int ret=0;
+
+#if !defined(NO_DSA) || !defined(NO_RSA)
+	if (
+#ifndef NO_RSA
+	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+#endif
+#ifndef NO_DSA
+	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
+#endif
+		0)
+		{
+		if (!ssl_cert_inst(&s->cert))
+			{
+			SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		}
+#endif
+
+	switch (cmd)
+		{
+#ifndef NO_RSA
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+	default:
+		break;
+		}
+	return(ret);
+	}
+
+long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+	{
+	CERT *cert;
+
+	cert=ctx->cert;
+
+	switch (cmd)
+		{
+#ifndef NO_RSA
+	case SSL_CTRL_NEED_TMP_RSA:
+		if (	(cert->rsa_tmp == NULL) &&
+			((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
+			 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
+			)
+			return(1);
+		else
+			return(0);
+		/* break; */
+	case SSL_CTRL_SET_TMP_RSA:
+		{
+		RSA *rsa;
+		int i;
+
+		rsa=(RSA *)parg;
+		i=1;
+		if (rsa == NULL)
+			i=0;
+		else
+			{
+			if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
+				i=0;
+			}
+		if (!i)
+			{
+			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
+			return(0);
+			}
+		else
+			{
+			if (cert->rsa_tmp != NULL)
+				RSA_free(cert->rsa_tmp);
+			cert->rsa_tmp=rsa;
+			return(1);
+			}
+		}
+		/* break; */
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(0);
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH:
+		{
+		DH *new=NULL,*dh;
+
+		dh=(DH *)parg;
+		if ((new=DHparams_dup(dh)) == NULL)
+			{
+			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
+			return 0;
+			}
+		if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
+			{
+			if (!DH_generate_key(new))
+				{
+				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
+				DH_free(new);
+				return 0;
+				}
+			}
+		if (cert->dh_tmp != NULL)
+			DH_free(cert->dh_tmp);
+		cert->dh_tmp=new;
+		return 1;
+		}
+		/*break; */
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(0);
+		}
+		break;
+#endif
+	/* A Thawte special :-) */
+	case SSL_CTRL_EXTRA_CHAIN_CERT:
+		if (ctx->extra_certs == NULL)
+			{
+			if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
+				return(0);
+			}
+		sk_X509_push(ctx->extra_certs,(X509 *)parg);
+		break;
+
+	default:
+		return(0);
+		}
+	return(1);
+	}
+
+long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+	{
+	CERT *cert;
+
+	cert=ctx->cert;
+
+	switch (cmd)
+		{
+#ifndef NO_RSA
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+	default:
+		return(0);
+		}
+	return(1);
+	}
+
+/* This function needs to check if the ciphers required are actually
+ * available */
+SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
+	{
+	static int init=1;
+	static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
+	SSL_CIPHER c,*cp= &c,**cpp;
+	unsigned long id;
+	int i;
+
+	if (init)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+
+		for (i=0; i<SSL3_NUM_CIPHERS; i++)
+			sorted[i]= &(ssl3_ciphers[i]);
+
+		qsort(	(char *)sorted,
+			SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+			FP_ICC ssl_cipher_ptr_id_cmp);
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+
+		init=0;
+		}
+
+	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
+	c.id=id;
+	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
+		(char *)sorted,
+		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+		(int (*)())ssl_cipher_ptr_id_cmp);
+	if ((cpp == NULL) || !(*cpp)->valid)
+		return(NULL);
+	else
+		return(*cpp);
+	}
+
+int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+	{
+	long l;
+
+	if (p != NULL)
+		{
+		l=c->id;
+		if ((l & 0xff000000) != 0x03000000) return(0);
+		p[0]=((unsigned char)(l>> 8L))&0xFF;
+		p[1]=((unsigned char)(l     ))&0xFF;
+		}
+	return(2);
+	}
+
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
+	     STACK_OF(SSL_CIPHER) *pref)
+	{
+	SSL_CIPHER *c,*ret=NULL;
+	int i,j,ok;
+	CERT *cert;
+	unsigned long alg,mask,emask;
+
+	/* Let's see which ciphers we can support */
+	cert=s->cert;
+
+	sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+
+#ifdef CIPHER_DEBUG
+	printf("Have:\n");
+	for(i=0 ; i < sk_num(pref) ; ++i)
+	    {
+	    c=(SSL_CIPHER *)sk_value(pref,i);
+	    printf("%p:%s\n",c,c->name);
+	    }
+#endif
+
+	for (i=0; i<sk_SSL_CIPHER_num(have); i++)
+		{
+		c=sk_SSL_CIPHER_value(have,i);
+
+		ssl_set_cert_masks(cert,c);
+		mask=cert->mask;
+		emask=cert->export_mask;
+			
+		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+		if (SSL_C_IS_EXPORT(c))
+			{
+			ok=((alg & emask) == alg)?1:0;
+#ifdef CIPHER_DEBUG
+			printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
+			       c,c->name);
+#endif
+			}
+		else
+			{
+			ok=((alg & mask) == alg)?1:0;
+#ifdef CIPHER_DEBUG
+			printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
+			       c->name);
+#endif
+			}
+
+		if (!ok) continue;
+	
+		j=sk_SSL_CIPHER_find(pref,c);
+		if (j >= 0)
+			{
+			ret=sk_SSL_CIPHER_value(pref,j);
+			break;
+			}
+		}
+	return(ret);
+	}
+
+int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
+	{
+	int ret=0;
+	unsigned long alg;
+
+	alg=s->s3->tmp.new_cipher->algorithms;
+
+#ifndef NO_DH
+	if (alg & (SSL_kDHr|SSL_kEDH))
+		{
+#  ifndef NO_RSA
+		p[ret++]=SSL3_CT_RSA_FIXED_DH;
+#  endif
+#  ifndef NO_DSA
+		p[ret++]=SSL3_CT_DSS_FIXED_DH;
+#  endif
+		}
+	if ((s->version == SSL3_VERSION) &&
+		(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
+		{
+#  ifndef NO_RSA
+		p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
+#  endif
+#  ifndef NO_DSA
+		p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
+#  endif
+		}
+#endif /* !NO_DH */
+#ifndef NO_RSA
+	p[ret++]=SSL3_CT_RSA_SIGN;
+#endif
+#ifndef NO_DSA
+	p[ret++]=SSL3_CT_DSS_SIGN;
+#endif
+	return(ret);
+	}
+
+int ssl3_shutdown(SSL *s)
+	{
+
+	/* Don't do anything much if we have not done the handshake or
+	 * we don't want to send messages :-) */
+	if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
+		{
+		s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+		return(1);
+		}
+
+	if (!(s->shutdown & SSL_SENT_SHUTDOWN))
+		{
+		s->shutdown|=SSL_SENT_SHUTDOWN;
+#if 1
+		ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
+#endif
+		/* our shutdown alert has been sent now, and if it still needs
+	 	 * to be written, s->s3->alert_dispatch will be true */
+		}
+	else if (s->s3->alert_dispatch)
+		{
+		/* resend it if not sent */
+#if 1
+		ssl3_dispatch_alert(s);
+#endif
+		}
+	else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
+		{
+		/* If we are waiting for a close from our peer, we are closed */
+		ssl3_read_bytes(s,0,NULL,0);
+		}
+
+	if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
+		!s->s3->alert_dispatch)
+		return(1);
+	else
+		return(0);
+	}
+
+int ssl3_write(SSL *s, const void *buf, int len)
+	{
+	int ret,n;
+
+#if 0
+	if (s->shutdown & SSL_SEND_SHUTDOWN)
+		{
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+#endif
+	clear_sys_error();
+	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
+
+	/* This is an experimental flag that sends the
+	 * last handshake message in the same packet as the first
+	 * use data - used to see if it helps the TCP protocol during
+	 * session-id reuse */
+	/* The second test is because the buffer may have been removed */
+	if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
+		{
+		/* First time through, we write into the buffer */
+		if (s->s3->delay_buf_pop_ret == 0)
+			{
+			ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
+					     buf,len);
+			if (ret <= 0) return(ret);
+
+			s->s3->delay_buf_pop_ret=ret;
+			}
+
+		s->rwstate=SSL_WRITING;
+		n=BIO_flush(s->wbio);
+		if (n <= 0) return(n);
+		s->rwstate=SSL_NOTHING;
+
+		/* We have flushed the buffer, so remove it */
+		ssl_free_wbio_buffer(s);
+		s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+
+		ret=s->s3->delay_buf_pop_ret;
+		s->s3->delay_buf_pop_ret=0;
+		}
+	else
+		{
+		ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
+				     buf,len);
+		if (ret <= 0) return(ret);
+		}
+
+	return(ret);
+	}
+
+int ssl3_read(SSL *s, void *buf, int len)
+	{
+	int ret;
+	
+	clear_sys_error();
+	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
+	s->s3->in_read_app_data=1;
+	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+	if ((ret == -1) && (s->s3->in_read_app_data == 0))
+		{
+		/* ssl3_read_bytes decided to call s->handshake_func, which
+		 * called ssl3_read_bytes to read handshake data.
+		 * However, ssl3_read_bytes actually found application data
+		 * and thinks that application data makes sense here (signalled
+		 * by resetting 'in_read_app_data', strangely); so disable
+		 * handshake processing and try to read application data again. */
+		s->in_handshake++;
+		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+		s->in_handshake--;
+		}
+	else
+		s->s3->in_read_app_data=0;
+
+	return(ret);
+	}
+
+int ssl3_peek(SSL *s, char *buf, int len)
+	{
+	SSL3_RECORD *rr;
+	int n;
+
+	rr= &(s->s3->rrec);
+	if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
+		{
+		n=ssl3_read(s,buf,1);
+		if (n <= 0) return(n);
+		rr->length++;
+		rr->off--;
+		}
+
+	if ((unsigned int)len > rr->length)
+		n=rr->length;
+	else
+		n=len;
+	memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
+	return(n);
+	}
+
+int ssl3_renegotiate(SSL *s)
+	{
+	if (s->handshake_func == NULL)
+		return(1);
+
+	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+		return(0);
+
+	s->s3->renegotiate=1;
+	return(1);
+	}
+
+int ssl3_renegotiate_check(SSL *s)
+	{
+	int ret=0;
+
+	if (s->s3->renegotiate)
+		{
+		if (	(s->s3->rbuf.left == 0) &&
+			(s->s3->wbuf.left == 0) &&
+			!SSL_in_init(s))
+			{
+/*
+if we are the server, and we have sent a 'RENEGOTIATE' message, we
+need to go to SSL_ST_ACCEPT.
+*/
+			/* SSL_ST_ACCEPT */
+			s->state=SSL_ST_RENEGOTIATE;
+			s->s3->renegotiate=0;
+			s->s3->num_renegotiations++;
+			s->s3->total_renegotiations++;
+			ret=1;
+			}
+		}
+	return(ret);
+	}
+
diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c
new file mode 100644
index 0000000..81bcad8
--- /dev/null
+++ b/crypto/openssl/ssl/s3_meth.c
@@ -0,0 +1,88 @@
+/* ssl/s3_meth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl3_get_method(int ver);
+static SSL_METHOD *ssl3_get_method(int ver)
+	{
+	if (ver == SSL3_VERSION)
+		return(SSLv3_method());
+	else 
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv3_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv3_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv3_data.ssl_connect=ssl3_connect;
+		SSLv3_data.ssl_accept=ssl3_accept;
+		SSLv3_data.get_ssl_method=ssl3_get_method;
+		init=0;
+		}
+	return(&SSLv3_data);
+	}
+
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
new file mode 100644
index 0000000..eb96531
--- /dev/null
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -0,0 +1,1194 @@
+/* ssl/s3_pkt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+#include "ssl_locl.h"
+
+static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+			 unsigned int len);
+static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+			      unsigned int len);
+static int ssl3_get_record(SSL *s);
+static int do_compress(SSL *ssl);
+static int do_uncompress(SSL *ssl);
+static int do_change_cipher_spec(SSL *ssl);
+
+/* used only by ssl3_get_record */
+static int ssl3_read_n(SSL *s, int n, int max, int extend)
+	{
+	/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
+	 * packet by another n bytes.
+	 * The packet will be in the sub-array of s->s3->rbuf.buf specified
+	 * by s->packet and s->packet_length.
+	 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
+	 * [plus s->packet_length bytes if extend == 1].)
+	 */
+	int i,off,newb;
+
+	if (!extend)
+		{
+		/* start with empty packet ... */
+		if (s->s3->rbuf.left == 0)
+			s->s3->rbuf.offset = 0;
+		s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
+		s->packet_length = 0;
+		/* ... now we can act as if 'extend' was set */
+		}
+
+	/* if there is enough in the buffer from a previous read, take some */
+	if (s->s3->rbuf.left >= (int)n)
+		{
+		s->packet_length+=n;
+		s->s3->rbuf.left-=n;
+		s->s3->rbuf.offset+=n;
+		return(n);
+		}
+
+	/* else we need to read more data */
+	if (!s->read_ahead)
+		max=n;
+
+	{
+		/* avoid buffer overflow */
+		int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
+		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+			max_max += SSL3_RT_MAX_EXTRA;
+		if (max > max_max)
+			max = max_max;
+	}
+	if (n > max) /* does not happen */
+		{
+		SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+		return -1;
+		}
+
+	off = s->packet_length;
+	newb = s->s3->rbuf.left;
+	/* Move any available bytes to front of buffer:
+	 * 'off' bytes already pointed to by 'packet',
+	 * 'newb' extra ones at the end */
+	if (s->packet != s->s3->rbuf.buf)
+		{
+		/*  off > 0 */
+		memmove(s->s3->rbuf.buf, s->packet, off+newb);
+		s->packet = s->s3->rbuf.buf;
+		}
+
+	while (newb < n)
+		{
+		/* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
+		 * to read in more until we have off+n (up to off+max if possible) */
+
+		clear_sys_error();
+		if (s->rbio != NULL)
+			{
+			s->rwstate=SSL_READING;
+			i=BIO_read(s->rbio,	&(s->s3->rbuf.buf[off+newb]), max-newb);
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
+			i = -1;
+			}
+
+		if (i <= 0)
+			{
+			s->s3->rbuf.left = newb;
+			return(i);
+			}
+		newb+=i;
+		}
+
+	/* done reading, now the book-keeping */
+	s->s3->rbuf.offset = off + n;
+	s->s3->rbuf.left = newb - n;
+	s->packet_length += n;
+	s->rwstate=SSL_NOTHING;
+	return(n);
+	}
+
+/* Call this to get a new input record.
+ * It will return <= 0 if more data is needed, normally due to an error
+ * or non-blocking IO.
+ * When it finishes, one packet has been decoded and can be found in
+ * ssl->s3->rrec.type    - is the type of record
+ * ssl->s3->rrec.data, 	 - data
+ * ssl->s3->rrec.length, - number of bytes
+ */
+/* used only by ssl3_read_bytes */
+static int ssl3_get_record(SSL *s)
+	{
+	int ssl_major,ssl_minor,al;
+	int n,i,ret= -1;
+	SSL3_RECORD *rr;
+	SSL_SESSION *sess;
+	unsigned char *p;
+	unsigned char md[EVP_MAX_MD_SIZE];
+	short version;
+	unsigned int mac_size;
+	int clear=0,extra;
+
+	rr= &(s->s3->rrec);
+	sess=s->session;
+
+	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+		extra=SSL3_RT_MAX_EXTRA;
+	else
+		extra=0;
+
+again:
+	/* check if we have the header */
+	if (	(s->rstate != SSL_ST_READ_BODY) ||
+		(s->packet_length < SSL3_RT_HEADER_LENGTH)) 
+		{
+		n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
+			SSL3_RT_MAX_PACKET_SIZE,0);
+		if (n <= 0) return(n); /* error or non-blocking */
+		s->rstate=SSL_ST_READ_BODY;
+
+		p=s->packet;
+
+		/* Pull apart the header into the SSL3_RECORD */
+		rr->type= *(p++);
+		ssl_major= *(p++);
+		ssl_minor= *(p++);
+		version=(ssl_major<<8)|ssl_minor;
+		n2s(p,rr->length);
+
+		/* Lets check version */
+		if (s->first_packet)
+			{
+			s->first_packet=0;
+			}
+		else
+			{
+			if (version != s->version)
+				{
+				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+				/* Send back error using their
+				 * version number :-) */
+				s->version=version;
+				al=SSL_AD_PROTOCOL_VERSION;
+				goto f_err;
+				}
+			}
+
+		if ((version>>8) != SSL3_VERSION_MAJOR)
+			{
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+			goto err;
+			}
+
+		if (rr->length > 
+			(unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+
+		/* now s->rstate == SSL_ST_READ_BODY */
+		}
+
+	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+
+	if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
+		{
+		/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+		i=rr->length;
+		n=ssl3_read_n(s,i,i,1);
+		if (n <= 0) return(n); /* error or non-blocking io */
+		/* now n == rr->length,
+		 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
+		}
+
+	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
+
+	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+	 * and we have that many bytes in s->packet
+	 */
+	rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
+
+	/* ok, we can now read from 's->packet' data into 'rr'
+	 * rr->input points at rr->length bytes, which
+	 * need to be copied into rr->data by either
+	 * the decryption or by the decompression
+	 * When the data is 'copied' into the rr->data buffer,
+	 * rr->input will be pointed at the new buffer */ 
+
+	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
+	 * rr->length bytes of encrypted compressed stuff. */
+
+	/* check is not needed I believe */
+	if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	/* decrypt in place in 'rr->input' */
+	rr->data=rr->input;
+
+	if (!s->method->ssl3_enc->enc(s,0))
+		{
+		al=SSL_AD_DECRYPT_ERROR;
+		goto f_err;
+		}
+#ifdef TLS_DEBUG
+printf("dec %d\n",rr->length);
+{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+printf("\n");
+#endif
+	/* r->length is now the compressed data plus mac */
+	if (	(sess == NULL) ||
+		(s->enc_read_ctx == NULL) ||
+		(s->read_hash == NULL))
+		clear=1;
+
+	if (!clear)
+		{
+		mac_size=EVP_MD_size(s->read_hash);
+
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+		if (rr->length < mac_size)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+			}
+		rr->length-=mac_size;
+		i=s->method->ssl3_enc->mac(s,md,0);
+		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+			{
+			al=SSL_AD_BAD_RECORD_MAC;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
+			ret= -1;
+			goto f_err;
+			}
+		}
+
+	/* r->length is now just compressed */
+	if (s->expand != NULL)
+		{
+		if (rr->length > 
+			(unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+		if (!do_uncompress(s))
+			{
+			al=SSL_AD_DECOMPRESSION_FAILURE;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
+			goto f_err;
+			}
+		}
+
+	if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	rr->off=0;
+	/* So at this point the following is true
+	 * ssl->s3->rrec.type 	is the type of record
+	 * ssl->s3->rrec.length	== number of bytes in record
+	 * ssl->s3->rrec.off	== offset to first valid byte
+	 * ssl->s3->rrec.data	== where to take bytes from, increment
+	 *			   after use :-).
+	 */
+
+	/* we have pulled in a full packet so zero things */
+	s->packet_length=0;
+
+	/* just read a 0 length packet */
+	if (rr->length == 0) goto again;
+
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(ret);
+	}
+
+static int do_uncompress(SSL *ssl)
+	{
+	int i;
+	SSL3_RECORD *rr;
+
+	rr= &(ssl->s3->rrec);
+	i=COMP_expand_block(ssl->expand,rr->comp,
+		SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
+	if (i < 0)
+		return(0);
+	else
+		rr->length=i;
+	rr->data=rr->comp;
+
+	return(1);
+	}
+
+static int do_compress(SSL *ssl)
+	{
+	int i;
+	SSL3_RECORD *wr;
+
+	wr= &(ssl->s3->wrec);
+	i=COMP_compress_block(ssl->compress,wr->data,
+		SSL3_RT_MAX_COMPRESSED_LENGTH,
+		wr->input,(int)wr->length);
+	if (i < 0)
+		return(0);
+	else
+		wr->length=i;
+
+	wr->input=wr->data;
+	return(1);
+	}
+
+/* Call this to write data in records of type 'type'
+ * It will return <= 0 if not all data has been sent or non-blocking IO.
+ */
+int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
+	{
+	const unsigned char *buf=buf_;
+	unsigned int tot,n,nw;
+	int i;
+
+	s->rwstate=SSL_NOTHING;
+	tot=s->s3->wnum;
+	s->s3->wnum=0;
+
+	if (SSL_in_init(s) && !s->in_handshake)
+		{
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+
+	n=(len-tot);
+	for (;;)
+		{
+		if (n > SSL3_RT_MAX_PLAIN_LENGTH)
+			nw=SSL3_RT_MAX_PLAIN_LENGTH;
+		else
+			nw=n;
+
+		i=do_ssl3_write(s,type,&(buf[tot]),nw);
+		if (i <= 0)
+			{
+			s->s3->wnum=tot;
+			return(i);
+			}
+
+		if ((i == (int)n) ||
+			(type == SSL3_RT_APPLICATION_DATA &&
+			 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
+			{
+			return(tot+i);
+			}
+
+		n-=i;
+		tot+=i;
+		}
+	}
+
+static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+			 unsigned int len)
+	{
+	unsigned char *p,*plen;
+	int i,mac_size,clear=0;
+	SSL3_RECORD *wr;
+	SSL3_BUFFER *wb;
+	SSL_SESSION *sess;
+
+	/* first check is there is a SSL3_RECORD still being written
+	 * out.  This will happen with non blocking IO */
+	if (s->s3->wbuf.left != 0)
+		return(ssl3_write_pending(s,type,buf,len));
+
+	/* If we have an alert to send, lets send it */
+	if (s->s3->alert_dispatch)
+		{
+		i=ssl3_dispatch_alert(s);
+		if (i <= 0)
+			return(i);
+		/* if it went, fall through and send more stuff */
+		}
+
+	if (len == 0) return(len);
+
+	wr= &(s->s3->wrec);
+	wb= &(s->s3->wbuf);
+	sess=s->session;
+
+	if (	(sess == NULL) ||
+		(s->enc_write_ctx == NULL) ||
+		(s->write_hash == NULL))
+		clear=1;
+
+	if (clear)
+		mac_size=0;
+	else
+		mac_size=EVP_MD_size(s->write_hash);
+
+	p=wb->buf;
+
+	/* write the header */
+	*(p++)=type&0xff;
+	wr->type=type;
+
+	*(p++)=(s->version>>8);
+	*(p++)=s->version&0xff;
+
+	/* record where we are to write out packet length */
+	plen=p; 
+	p+=2;
+
+	/* lets setup the record stuff. */
+	wr->data=p;
+	wr->length=(int)len;
+	wr->input=(unsigned char *)buf;
+
+	/* we now 'read' from wr->input, wr->length bytes into
+	 * wr->data */
+
+	/* first we compress */
+	if (s->compress != NULL)
+		{
+		if (!do_compress(s))
+			{
+			SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
+			goto err;
+			}
+		}
+	else
+		{
+		memcpy(wr->data,wr->input,wr->length);
+		wr->input=wr->data;
+		}
+
+	/* we should still have the output to wr->data and the input
+	 * from wr->input.  Length should be wr->length.
+	 * wr->data still points in the wb->buf */
+
+	if (mac_size != 0)
+		{
+		s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
+		wr->length+=mac_size;
+		wr->input=p;
+		wr->data=p;
+		}
+
+	/* ssl3_enc can only have an error on read */
+	s->method->ssl3_enc->enc(s,1);
+
+	/* record length after mac and block padding */
+	s2n(wr->length,plen);
+
+	/* we should now have
+	 * wr->data pointing to the encrypted data, which is
+	 * wr->length long */
+	wr->type=type; /* not needed but helps for debugging */
+	wr->length+=SSL3_RT_HEADER_LENGTH;
+
+	/* Now lets setup wb */
+	wb->left=wr->length;
+	wb->offset=0;
+
+	s->s3->wpend_tot=len;
+	s->s3->wpend_buf=buf;
+	s->s3->wpend_type=type;
+	s->s3->wpend_ret=len;
+
+	/* we now just need to write the buffer */
+	return(ssl3_write_pending(s,type,buf,len));
+err:
+	return(-1);
+	}
+
+/* if s->s3->wbuf.left != 0, we need to call this */
+static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+			      unsigned int len)
+	{
+	int i;
+
+/* XXXX */
+	if ((s->s3->wpend_tot > (int)len)
+		|| ((s->s3->wpend_buf != buf) &&
+			!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
+		|| (s->s3->wpend_type != type))
+		{
+		SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
+		return(-1);
+		}
+
+	for (;;)
+		{
+		clear_sys_error();
+		if (s->wbio != NULL)
+			{
+			s->rwstate=SSL_WRITING;
+			i=BIO_write(s->wbio,
+				(char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
+				(unsigned int)s->s3->wbuf.left);
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
+			i= -1;
+			}
+		if (i == s->s3->wbuf.left)
+			{
+			s->s3->wbuf.left=0;
+			s->rwstate=SSL_NOTHING;
+			return(s->s3->wpend_ret);
+			}
+		else if (i <= 0)
+			return(i);
+		s->s3->wbuf.offset+=i;
+		s->s3->wbuf.left-=i;
+		}
+	}
+
+/* Return up to 'len' payload bytes received in 'type' records.
+ * 'type' is one of the following:
+ *
+ *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
+ *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
+ *   -  0 (during a shutdown, no data has to be returned)
+ *
+ * If we don't have stored data to work from, read a SSL/TLS record first
+ * (possibly multiple records if we still don't have anything to return).
+ *
+ * This function must handle any surprises the peer may have for us, such as
+ * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
+ * a surprise, but handled as if it were), or renegotiation requests.
+ * Also if record payloads contain fragments too small to process, we store
+ * them until there is enough for the respective protocol (the record protocol
+ * may use arbitrary fragmentation and even interleaving):
+ *     Change cipher spec protocol
+ *             just 1 byte needed, no need for keeping anything stored
+ *     Alert protocol
+ *             2 bytes needed (AlertLevel, AlertDescription)
+ *     Handshake protocol
+ *             4 bytes needed (HandshakeType, uint24 length) -- we just have
+ *             to detect unexpected Client Hello and Hello Request messages
+ *             here, anything else is handled by higher layers
+ *     Application data protocol
+ *             none of our business
+ */
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
+	{
+	int al,i,j,ret;
+	unsigned int n;
+	SSL3_RECORD *rr;
+	void (*cb)()=NULL;
+
+	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
+		if (!ssl3_setup_buffers(s))
+			return(-1);
+
+	if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+		{
+		SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+		return -1;
+		}
+
+	if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
+		/* (partially) satisfy request from storage */
+		{
+		unsigned char *src = s->s3->handshake_fragment;
+		unsigned char *dst = buf;
+		unsigned int k;
+
+		n = 0;
+		while ((len > 0) && (s->s3->handshake_fragment_len > 0))
+			{
+			*dst++ = *src++;
+			len--; s->s3->handshake_fragment_len--;
+			n++;
+			}
+		/* move any remaining fragment bytes: */
+		for (k = 0; k < s->s3->handshake_fragment_len; k++)
+			s->s3->handshake_fragment[k] = *src++;
+		return n;
+	}
+
+	/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
+
+	if (!s->in_handshake && SSL_in_init(s))
+		{
+		/* type == SSL3_RT_APPLICATION_DATA */
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+start:
+	s->rwstate=SSL_NOTHING;
+
+	/* s->s3->rrec.type	    - is the type of record
+	 * s->s3->rrec.data,    - data
+	 * s->s3->rrec.off,     - offset into 'data' for next read
+	 * s->s3->rrec.length,  - number of bytes. */
+	rr = &(s->s3->rrec);
+
+	/* get new packet */
+	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
+		{
+		ret=ssl3_get_record(s);
+		if (ret <= 0) return(ret);
+		}
+
+	/* we now have a packet which can be read and processed */
+
+	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+	                               * reset by ssl3_get_finished */
+		&& (rr->type != SSL3_RT_HANDSHAKE))
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
+		goto err;
+		}
+
+	/* If the other end has shutdown, throw anything we read away */
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		rr->length=0;
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+
+
+	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+		{
+		/* make sure that we are not getting application data when we
+		 * are doing a handshake for the first time */
+		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+			(s->enc_read_ctx == NULL))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			goto f_err;
+			}
+
+		if (len <= 0) return(len);
+
+		if ((unsigned int)len > rr->length)
+			n = rr->length;
+		else
+			n = (unsigned int)len;
+
+		memcpy(buf,&(rr->data[rr->off]),n);
+		rr->length-=n;
+		rr->off+=n;
+		if (rr->length == 0)
+			{
+			s->rstate=SSL_ST_READ_HEADER;
+			rr->off=0;
+			}
+		return(n);
+		}
+
+
+	/* If we get here, then type != rr->type; if we have a handshake
+	 * message, then it was unexpected (Hello Request or Client Hello). */
+
+	/* In case of record types for which we have 'fragment' storage,
+	 * fill that so that we can process the data at a fixed place.
+	 */
+		{
+		unsigned int dest_maxlen = 0;
+		unsigned char *dest = NULL;
+		unsigned int *dest_len = NULL;
+
+		if (rr->type == SSL3_RT_HANDSHAKE)
+			{
+			dest_maxlen = sizeof s->s3->handshake_fragment;
+			dest = s->s3->handshake_fragment;
+			dest_len = &s->s3->handshake_fragment_len;
+			}
+		else if (rr->type == SSL3_RT_ALERT)
+			{
+			dest_maxlen = sizeof s->s3->alert_fragment;
+			dest = s->s3->alert_fragment;
+			dest_len = &s->s3->alert_fragment_len;
+			}
+
+		if (dest_maxlen > 0)
+			{
+			n = dest_maxlen - *dest_len; /* available space in 'dest' */
+			if (rr->length < n)
+				n = rr->length; /* available bytes */
+
+			/* now move 'n' bytes: */
+			while (n-- > 0)
+				{
+				dest[(*dest_len)++] = rr->data[rr->off++];
+				rr->length--;
+				}
+
+			if (*dest_len < dest_maxlen)
+				goto start; /* fragment was too small */
+			}
+		}
+
+	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
+	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+
+	/* If we are a client, check for an incoming 'Hello Request': */
+	if ((!s->server) &&
+		(s->s3->handshake_fragment_len >= 4) &&
+		(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
+		(s->session != NULL) && (s->session->cipher != NULL))
+		{
+		s->s3->handshake_fragment_len = 0;
+
+		if ((s->s3->handshake_fragment[1] != 0) ||
+			(s->s3->handshake_fragment[2] != 0) ||
+			(s->s3->handshake_fragment[3] != 0))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+			goto err;
+			}
+
+		if (SSL_is_init_finished(s) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+			!s->s3->renegotiate)
+			{
+			ssl3_renegotiate(s);
+			if (ssl3_renegotiate_check(s))
+				{
+				i=s->handshake_func(s);
+				if (i < 0) return(i);
+				if (i == 0)
+					{
+					SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+					return(-1);
+					}
+
+				if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+					{
+					BIO *bio;
+					/* In the case where we try to read application data
+					 * the first time, but we trigger an SSL handshake, we
+					 * return -1 with the retry option set.  I do this
+					 * otherwise renegotiation can cause nasty problems 
+					 * in the blocking world */ /* ? */
+					s->rwstate=SSL_READING;
+					bio=SSL_get_rbio(s);
+					BIO_clear_retry_flags(bio);
+					BIO_set_retry_read(bio);
+					return(-1);
+					}
+				}
+			}
+		/* we either finished a handshake or ignored the request,
+		 * now try again to obtain the (application) data we were asked for */
+		goto start;
+		}
+
+	if (s->s3->alert_fragment_len >= 2)
+		{
+		int alert_level = s->s3->alert_fragment[0];
+		int alert_descr = s->s3->alert_fragment[1];
+
+		s->s3->alert_fragment_len = 0;
+
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+
+		if (cb != NULL)
+			{
+			j = (alert_level << 8) | alert_descr;
+			cb(s, SSL_CB_READ_ALERT, j);
+			}
+
+		if (alert_level == 1) /* warning */
+			{
+			s->s3->warn_alert = alert_descr;
+			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
+				{
+				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+				return(0);
+				}
+			}
+		else if (alert_level == 2) /* fatal */
+			{
+			char tmp[16];
+
+			s->rwstate=SSL_NOTHING;
+			s->s3->fatal_alert = alert_descr;
+			SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+			sprintf(tmp,"%d",alert_descr);
+			ERR_add_error_data(2,"SSL alert number ",tmp);
+			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+			SSL_CTX_remove_session(s->ctx,s->session);
+			return(0);
+			}
+		else
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			goto f_err;
+			}
+
+		goto start;
+		}
+
+	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
+		{
+		s->rwstate=SSL_NOTHING;
+		rr->length=0;
+		return(0);
+		}
+
+	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+		{
+		/* 'Change Cipher Spec' is just a single byte, so we know
+		 * exactly what the record payload has to look like */
+		if (	(rr->length != 1) || (rr->off != 0) ||
+			(rr->data[0] != SSL3_MT_CCS))
+			{
+			i=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+			goto err;
+			}
+
+		rr->length=0;
+		s->s3->change_cipher_spec=1;
+		if (!do_change_cipher_spec(s))
+			goto err;
+		else
+			goto start;
+		}
+
+	/* Unexpected handshake message (Client Hello, or protocol violation) */
+	if ((s->s3->handshake_fragment_len >= 4) &&	!s->in_handshake)
+		{
+		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+			{
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
+			s->state=SSL_ST_BEFORE|(s->server)
+				?SSL_ST_ACCEPT
+				:SSL_ST_CONNECT;
+#else
+			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+			s->new_session=1;
+			}
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+
+		if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+			{
+			BIO *bio;
+			/* In the case where we try to read application data
+			 * the first time, but we trigger an SSL handshake, we
+			 * return -1 with the retry option set.  I do this
+			 * otherwise renegotiation can cause nasty problems 
+			 * in the blocking world */ /* ? */
+			s->rwstate=SSL_READING;
+			bio=SSL_get_rbio(s);
+			BIO_clear_retry_flags(bio);
+			BIO_set_retry_read(bio);
+			return(-1);
+			}
+		goto start;
+		}
+
+	switch (rr->type)
+		{
+	default:
+#ifndef NO_TLS
+		/* TLS just ignores unknown message types */
+		if (s->version == TLS1_VERSION)
+			{
+			goto start;
+			}
+#endif
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		goto f_err;
+	case SSL3_RT_CHANGE_CIPHER_SPEC:
+	case SSL3_RT_ALERT:
+	case SSL3_RT_HANDSHAKE:
+		/* we already handled all of these, with the possible exception
+		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
+		 * should not happen when type != rr->type */
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+		goto f_err;
+	case SSL3_RT_APPLICATION_DATA:
+		/* At this point, we were expecting handshake data,
+		 * but have application data.  If the library was
+		 * running inside ssl3_read() (i.e. in_read_app_data
+		 * is set) and it makes sense to read application data
+		 * at this point (session renegotiation not yet started),
+		 * we will indulge it.
+		 */
+		if (s->s3->in_read_app_data &&
+			(s->s3->total_renegotiations != 0) &&
+			((
+				(s->state & SSL_ST_CONNECT) &&
+				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
+				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
+				) || (
+					(s->state & SSL_ST_ACCEPT) &&
+					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
+					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
+					)
+				))
+			{
+			s->s3->in_read_app_data=0;
+			return(-1);
+			}
+		else
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+			goto f_err;
+			}
+		}
+	/* not reached */
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(-1);
+	}
+
+static int do_change_cipher_spec(SSL *s)
+	{
+	int i;
+	const char *sender;
+	int slen;
+
+	if (s->state & SSL_ST_ACCEPT)
+		i=SSL3_CHANGE_CIPHER_SERVER_READ;
+	else
+		i=SSL3_CHANGE_CIPHER_CLIENT_READ;
+
+	if (s->s3->tmp.key_block == NULL)
+		{
+		s->session->cipher=s->s3->tmp.new_cipher;
+		if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
+		}
+
+	if (!s->method->ssl3_enc->change_cipher_state(s,i))
+		return(0);
+
+	/* we have to record the message digest at
+	 * this point so we can get it before we read
+	 * the finished message */
+	if (s->state & SSL_ST_CONNECT)
+		{
+		sender=s->method->ssl3_enc->server_finished_label;
+		slen=s->method->ssl3_enc->server_finished_label_len;
+		}
+	else
+		{
+		sender=s->method->ssl3_enc->client_finished_label;
+		slen=s->method->ssl3_enc->client_finished_label_len;
+		}
+
+	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+		&(s->s3->finish_dgst1),
+		&(s->s3->finish_dgst2),
+		sender,slen,s->s3->tmp.peer_finish_md);
+
+	return(1);
+	}
+
+void ssl3_send_alert(SSL *s, int level, int desc)
+	{
+	/* Map tls/ssl alert value to correct one */
+	desc=s->method->ssl3_enc->alert_value(desc);
+	if (desc < 0) return;
+	/* If a fatal one, remove from cache */
+	if ((level == 2) && (s->session != NULL))
+		SSL_CTX_remove_session(s->ctx,s->session);
+
+	s->s3->alert_dispatch=1;
+	s->s3->send_alert[0]=level;
+	s->s3->send_alert[1]=desc;
+	if (s->s3->wbuf.left == 0) /* data still being written out */
+		ssl3_dispatch_alert(s);
+	/* else data is still being written out, we will get written
+	 * some time in the future */
+	}
+
+int ssl3_dispatch_alert(SSL *s)
+	{
+	int i,j;
+	void (*cb)()=NULL;
+
+	s->s3->alert_dispatch=0;
+	i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
+	if (i <= 0)
+		{
+		s->s3->alert_dispatch=1;
+		}
+	else
+		{
+		/* If it is important, send it now.  If the message
+		 * does not get sent due to non-blocking IO, we will
+		 * not worry too much. */
+		if (s->s3->send_alert[0] == SSL3_AL_FATAL)
+			(void)BIO_flush(s->wbio);
+
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+
+		if (cb != NULL)
+			{
+			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
+			cb(s,SSL_CB_WRITE_ALERT,j);
+			}
+		}
+	return(i);
+	}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
new file mode 100644
index 0000000..e23ca20
--- /dev/null
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -0,0 +1,1740 @@
+/* ssl/s3_srvr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define REUSE_CIPHER_BUG
+#define NETSCAPE_HANG_BUG
+
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *ssl3_get_server_method(int ver);
+static int ssl3_get_client_hello(SSL *s);
+static int ssl3_check_client_hello(SSL *s);
+static int ssl3_send_server_hello(SSL *s);
+static int ssl3_send_server_key_exchange(SSL *s);
+static int ssl3_send_certificate_request(SSL *s);
+static int ssl3_send_server_done(SSL *s);
+static int ssl3_get_client_key_exchange(SSL *s);
+static int ssl3_get_client_certificate(SSL *s);
+static int ssl3_get_cert_verify(SSL *s);
+static int ssl3_send_hello_request(SSL *s);
+
+static SSL_METHOD *ssl3_get_server_method(int ver)
+	{
+	if (ver == SSL3_VERSION)
+		return(SSLv3_server_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *SSLv3_server_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD SSLv3_server_data;
+
+	if (init)
+		{
+		memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+			sizeof(SSL_METHOD));
+		SSLv3_server_data.ssl_accept=ssl3_accept;
+		SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+		init=0;
+		}
+	return(&SSLv3_server_data);
+	}
+
+int ssl3_accept(SSL *s)
+	{
+	BUF_MEM *buf;
+	unsigned long l,Time=time(NULL);
+	void (*cb)()=NULL;
+	long num1;
+	int ret= -1;
+	int new_state,state,skip=0;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+
+	/* init things to blank */
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+	s->in_handshake++;
+
+	if (s->cert == NULL)
+		{
+		SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
+		return(-1);
+		}
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch (s->state)
+			{
+		case SSL_ST_RENEGOTIATE:
+			s->new_session=1;
+			/* s->state=SSL_ST_ACCEPT; */
+
+		case SSL_ST_BEFORE:
+		case SSL_ST_ACCEPT:
+		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
+		case SSL_ST_OK|SSL_ST_ACCEPT:
+
+			s->server=1;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			if ((s->version>>8) != 3)
+				abort();
+			s->type=SSL_ST_ACCEPT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
+
+			if (!ssl3_setup_buffers(s))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			/* Ok, we now need to push on a buffering BIO so that
+			 * the output is sent in a way that TCP likes :-)
+			 */
+			if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
+
+			s->init_num=0;
+
+			if (s->state != SSL_ST_RENEGOTIATE)
+				{
+				ssl3_init_finished_mac(s);
+				s->state=SSL3_ST_SR_CLNT_HELLO_A;
+				s->ctx->stats.sess_accept++;
+				}
+			else
+				{
+				s->ctx->stats.sess_accept_renegotiate++;
+				s->state=SSL3_ST_SW_HELLO_REQ_A;
+				}
+			break;
+
+		case SSL3_ST_SW_HELLO_REQ_A:
+		case SSL3_ST_SW_HELLO_REQ_B:
+
+			s->shutdown=0;
+			ret=ssl3_send_hello_request(s);
+			if (ret <= 0) goto end;
+			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+			s->state=SSL3_ST_SW_FLUSH;
+			s->init_num=0;
+
+			ssl3_init_finished_mac(s);
+			break;
+
+		case SSL3_ST_SW_HELLO_REQ_C:
+			s->state=SSL_ST_OK;
+			ret=1;
+			goto end;
+			/* break; */
+
+		case SSL3_ST_SR_CLNT_HELLO_A:
+		case SSL3_ST_SR_CLNT_HELLO_B:
+		case SSL3_ST_SR_CLNT_HELLO_C:
+
+			s->shutdown=0;
+			ret=ssl3_get_client_hello(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SW_SRVR_HELLO_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_SRVR_HELLO_A:
+		case SSL3_ST_SW_SRVR_HELLO_B:
+			ret=ssl3_send_server_hello(s);
+			if (ret <= 0) goto end;
+
+			if (s->hit)
+				s->state=SSL3_ST_SW_CHANGE_A;
+			else
+				s->state=SSL3_ST_SW_CERT_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CERT_A:
+		case SSL3_ST_SW_CERT_B:
+			/* Check if it is anon DH */
+			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+				{
+				ret=ssl3_send_server_certificate(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+			s->state=SSL3_ST_SW_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_KEY_EXCH_A:
+		case SSL3_ST_SW_KEY_EXCH_B:
+			l=s->s3->tmp.new_cipher->algorithms;
+
+			/* clear this, it may get reset by
+			 * send_server_key_exchange */
+			if (s->options & SSL_OP_EPHEMERAL_RSA)
+				s->s3->tmp.use_rsa_tmp=1;
+			else
+				s->s3->tmp.use_rsa_tmp=0;
+
+			/* only send if a DH key exchange, fortezza or
+			 * RSA but we have a sign only certificate */
+			if (s->s3->tmp.use_rsa_tmp
+			    || (l & (SSL_DH|SSL_kFZA))
+			    || ((l & SSL_kRSA)
+				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
+					)
+				    )
+				)
+			    )
+				{
+				ret=ssl3_send_server_key_exchange(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+
+			s->state=SSL3_ST_SW_CERT_REQ_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CERT_REQ_A:
+		case SSL3_ST_SW_CERT_REQ_B:
+			if (/* don't request cert unless asked for it: */
+				!(s->verify_mode & SSL_VERIFY_PEER) ||
+				/* if SSL_VERIFY_CLIENT_ONCE is set,
+				 * don't request cert during re-negotiation: */
+				((s->session->peer != NULL) &&
+				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+				/* never request cert in anonymous ciphersuites
+				 * (see section "Certificate request" in SSL 3 drafts
+				 * and in RFC 2246): */
+				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+				 /* ... except when the application insists on verification
+				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
+				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
+				{
+				/* no cert request */
+				skip=1;
+				s->s3->tmp.cert_request=0;
+				s->state=SSL3_ST_SW_SRVR_DONE_A;
+				}
+			else
+				{
+				s->s3->tmp.cert_request=1;
+				ret=ssl3_send_certificate_request(s);
+				if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
+				s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+				s->state=SSL3_ST_SW_FLUSH;
+				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
+				s->init_num=0;
+				}
+			break;
+
+		case SSL3_ST_SW_SRVR_DONE_A:
+		case SSL3_ST_SW_SRVR_DONE_B:
+			ret=ssl3_send_server_done(s);
+			if (ret <= 0) goto end;
+			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+			s->state=SSL3_ST_SW_FLUSH;
+			s->init_num=0;
+			break;
+		
+		case SSL3_ST_SW_FLUSH:
+			/* number of bytes to be flushed */
+			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+			if (num1 > 0)
+				{
+				s->rwstate=SSL_WRITING;
+				num1=BIO_flush(s->wbio);
+				if (num1 <= 0) { ret= -1; goto end; }
+				s->rwstate=SSL_NOTHING;
+				}
+
+			s->state=s->s3->tmp.next_state;
+			break;
+
+		case SSL3_ST_SR_CERT_A:
+		case SSL3_ST_SR_CERT_B:
+			/* Check for second client hello (MS SGC) */
+			ret = ssl3_check_client_hello(s);
+			if (ret <= 0)
+				goto end;
+			if (ret == 2)
+				s->state = SSL3_ST_SR_CLNT_HELLO_C;
+			else {
+				/* could be sent for a DH cert, even if we
+				 * have not asked for it :-) */
+				ret=ssl3_get_client_certificate(s);
+				if (ret <= 0) goto end;
+				s->init_num=0;
+				s->state=SSL3_ST_SR_KEY_EXCH_A;
+			}
+			break;
+
+		case SSL3_ST_SR_KEY_EXCH_A:
+		case SSL3_ST_SR_KEY_EXCH_B:
+			ret=ssl3_get_client_key_exchange(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SR_CERT_VRFY_A;
+			s->init_num=0;
+
+			/* We need to get hashes here so if there is
+			 * a client cert, it can be verified */ 
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst1),
+				&(s->s3->tmp.cert_verify_md[0]));
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst2),
+				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+
+			break;
+
+		case SSL3_ST_SR_CERT_VRFY_A:
+		case SSL3_ST_SR_CERT_VRFY_B:
+
+			/* we should decide if we expected this one */
+			ret=ssl3_get_cert_verify(s);
+			if (ret <= 0) goto end;
+
+			s->state=SSL3_ST_SR_FINISHED_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SR_FINISHED_A:
+		case SSL3_ST_SR_FINISHED_B:
+			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+				SSL3_ST_SR_FINISHED_B);
+			if (ret <= 0) goto end;
+			if (s->hit)
+				s->state=SSL_ST_OK;
+			else
+				s->state=SSL3_ST_SW_CHANGE_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CHANGE_A:
+		case SSL3_ST_SW_CHANGE_B:
+
+			s->session->cipher=s->s3->tmp.new_cipher;
+			if (!s->method->ssl3_enc->setup_key_block(s))
+				{ ret= -1; goto end; }
+
+			ret=ssl3_send_change_cipher_spec(s,
+				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
+
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SW_FINISHED_A;
+			s->init_num=0;
+
+			if (!s->method->ssl3_enc->change_cipher_state(s,
+				SSL3_CHANGE_CIPHER_SERVER_WRITE))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			break;
+
+		case SSL3_ST_SW_FINISHED_A:
+		case SSL3_ST_SW_FINISHED_B:
+			ret=ssl3_send_finished(s,
+				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
+				s->method->ssl3_enc->server_finished_label,
+				s->method->ssl3_enc->server_finished_label_len);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SW_FLUSH;
+			if (s->hit)
+				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+			else
+				s->s3->tmp.next_state=SSL_ST_OK;
+			s->init_num=0;
+			break;
+
+		case SSL_ST_OK:
+			/* clean a few things up */
+			ssl3_cleanup_key_block(s);
+
+			BUF_MEM_free(s->init_buf);
+			s->init_buf=NULL;
+
+			/* remove buffering on output */
+			ssl_free_wbio_buffer(s);
+
+			s->new_session=0;
+			s->init_num=0;
+
+			ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
+
+			s->ctx->stats.sess_accept_good++;
+			/* s->server=1; */
+			s->handshake_func=ssl3_accept;
+			ret=1;
+
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+
+			goto end;
+			/* break; */
+
+		default:
+			SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+		
+		if (!s->s3->tmp.reuse_message && !skip)
+			{
+			if (s->debug)
+				{
+				if ((ret=BIO_flush(s->wbio)) <= 0)
+					goto end;
+				}
+
+
+			if ((cb != NULL) && (s->state != state))
+				{
+				new_state=s->state;
+				s->state=state;
+				cb(s,SSL_CB_ACCEPT_LOOP,1);
+				s->state=new_state;
+				}
+			}
+		skip=0;
+		}
+end:
+	/* BIO_flush(s->wbio); */
+
+	if (cb != NULL)
+		cb(s,SSL_CB_ACCEPT_EXIT,ret);
+	s->in_handshake--;
+	return(ret);
+	}
+
+static int ssl3_send_hello_request(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*(p++)=SSL3_MT_HELLO_REQUEST;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+
+		s->state=SSL3_ST_SW_HELLO_REQ_B;
+		/* number of bytes to write */
+		s->init_num=4;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_SW_HELLO_REQ_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+static int ssl3_check_client_hello(SSL *s)
+	{
+	int ok;
+	long n;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CERT_A,
+		SSL3_ST_SR_CERT_B,
+		-1,
+		SSL3_RT_MAX_PLAIN_LENGTH,
+		&ok);
+	if (!ok) return((int)n);
+	s->s3->tmp.reuse_message = 1;
+	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+		{
+		/* Throw away what we have done so far in the current handshake,
+		 * which will now be aborted. (A full SSL_clear would be too much.)
+		 * I hope that tmp.dh is the only thing that may need to be cleared
+		 * when a handshake is not completed ... */
+#ifndef NO_DH
+		if (s->s3->tmp.dh != NULL)
+			{
+			DH_free(s->s3->tmp.dh);
+			s->s3->tmp.dh = NULL;
+			}
+#endif
+		return 2;
+		}
+	return 1;
+}
+
+static int ssl3_get_client_hello(SSL *s)
+	{
+	int i,j,ok,al,ret= -1;
+	long n;
+	unsigned long id;
+	unsigned char *p,*d,*q;
+	SSL_CIPHER *c;
+	SSL_COMP *comp=NULL;
+	STACK_OF(SSL_CIPHER) *ciphers=NULL;
+
+	/* We do this so that we will respond with our native type.
+	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
+	 * This down switching should be handled by a different method.
+	 * If we are SSLv3, we will respond with SSLv3, even if prompted with
+	 * TLSv1.
+	 */
+	if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
+		{
+		s->first_packet=1;
+		s->state=SSL3_ST_SR_CLNT_HELLO_B;
+		}
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CLNT_HELLO_B,
+		SSL3_ST_SR_CLNT_HELLO_C,
+		SSL3_MT_CLIENT_HELLO,
+		SSL3_RT_MAX_PLAIN_LENGTH,
+		&ok);
+
+	if (!ok) return((int)n);
+	d=p=(unsigned char *)s->init_buf->data;
+
+	/* use version from inside client hello, not from record header
+	 * (may differ: see RFC 2246, Appendix E, second paragraph) */
+	s->client_version=(((int)p[0])<<8)|(int)p[1];
+	p+=2;
+
+	/* load the client random */
+	memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
+	p+=SSL3_RANDOM_SIZE;
+
+	/* get the session-id */
+	j= *(p++);
+
+	s->hit=0;
+	if (j == 0)
+		{
+		if (!ssl_get_new_session(s,1))
+			goto err;
+		}
+	else
+		{
+		i=ssl_get_prev_session(s,p,j);
+		if (i == 1)
+			{ /* previous session */
+			s->hit=1;
+			}
+		else if (i == -1)
+			goto err;
+		else /* i == 0 */
+			{
+			if (!ssl_get_new_session(s,1))
+				goto err;
+			}
+		}
+
+	p+=j;
+	n2s(p,i);
+	if ((i == 0) && (j != 0))
+		{
+		/* we need a cipher if we are not resuming a session */
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
+		goto f_err;
+		}
+	if ((i+p) > (d+n))
+		{
+		/* not enough data */
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+		}
+	if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
+		== NULL))
+		{
+		goto err;
+		}
+	p+=i;
+
+	/* If it is a hit, check that the cipher is in the list */
+	if ((s->hit) && (i > 0))
+		{
+		j=0;
+		id=s->session->cipher->id;
+
+#ifdef CIPHER_DEBUG
+		printf("client sent %d ciphers\n",sk_num(ciphers));
+#endif
+		for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
+			{
+			c=sk_SSL_CIPHER_value(ciphers,i);
+#ifdef CIPHER_DEBUG
+			printf("client [%2d of %2d]:%s\n",
+				i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+#endif
+			if (c->id == id)
+				{
+				j=1;
+				break;
+				}
+			}
+		if (j == 0)
+			{
+			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
+				{
+				/* Very bad for multi-threading.... */
+				s->session->cipher=sk_SSL_CIPHER_value(ciphers,
+								       0);
+				}
+			else
+				{
+				/* we need to have the cipher in the cipher
+				 * list if we are asked to reuse it */
+				al=SSL_AD_ILLEGAL_PARAMETER;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
+				goto f_err;
+				}
+			}
+		}
+
+	/* compression */
+	i= *(p++);
+	q=p;
+	for (j=0; j<i; j++)
+		{
+		if (p[j] == 0) break;
+		}
+
+	p+=i;
+	if (j >= i)
+		{
+		/* no compress */
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
+		goto f_err;
+		}
+
+	/* Worst case, we will use the NULL compression, but if we have other
+	 * options, we will now look for them.  We have i-1 compression
+	 * algorithms from the client, starting at q. */
+	s->s3->tmp.new_compression=NULL;
+	if (s->ctx->comp_methods != NULL)
+		{ /* See if we have a match */
+		int m,nn,o,v,done=0;
+
+		nn=sk_SSL_COMP_num(s->ctx->comp_methods);
+		for (m=0; m<nn; m++)
+			{
+			comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+			v=comp->id;
+			for (o=0; o<i; o++)
+				{
+				if (v == q[o])
+					{
+					done=1;
+					break;
+					}
+				}
+			if (done) break;
+			}
+		if (done)
+			s->s3->tmp.new_compression=comp;
+		else
+			comp=NULL;
+		}
+
+	/* TLS does not mind if there is extra stuff */
+	if (s->version == SSL3_VERSION)
+		{
+		if (p > (d+n))
+			{
+			/* wrong number of bytes,
+			 * there could be more to follow */
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
+			goto f_err;
+			}
+		}
+
+	/* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
+	 * pick a cipher */
+
+	if (!s->hit)
+		{
+		s->session->compress_meth=(comp == NULL)?0:comp->id;
+		if (s->session->ciphers != NULL)
+			sk_SSL_CIPHER_free(s->session->ciphers);
+		s->session->ciphers=ciphers;
+		if (ciphers == NULL)
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
+			goto f_err;
+			}
+		ciphers=NULL;
+		c=ssl3_choose_cipher(s,s->session->ciphers,
+				     ssl_get_ciphers_by_id(s));
+
+		if (c == NULL)
+			{
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+			goto f_err;
+			}
+		s->s3->tmp.new_cipher=c;
+		}
+	else
+		{
+		/* Session-id reuse */
+#ifdef REUSE_CIPHER_BUG
+		STACK_OF(SSL_CIPHER) *sk;
+		SSL_CIPHER *nc=NULL;
+		SSL_CIPHER *ec=NULL;
+
+		if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
+			{
+			sk=s->session->ciphers;
+			for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+				{
+				c=sk_SSL_CIPHER_value(sk,i);
+				if (c->algorithms & SSL_eNULL)
+					nc=c;
+				if (SSL_C_IS_EXPORT(c))
+					ec=c;
+				}
+			if (nc != NULL)
+				s->s3->tmp.new_cipher=nc;
+			else if (ec != NULL)
+				s->s3->tmp.new_cipher=ec;
+			else
+				s->s3->tmp.new_cipher=s->session->cipher;
+			}
+		else
+#endif
+		s->s3->tmp.new_cipher=s->session->cipher;
+		}
+	
+	/* we now have the following setup. 
+	 * client_random
+	 * cipher_list 		- our prefered list of ciphers
+	 * ciphers 		- the clients prefered list of ciphers
+	 * compression		- basically ignored right now
+	 * ssl version is set	- sslv3
+	 * s->session		- The ssl session has been setup.
+	 * s->hit		- session reuse flag
+	 * s->tmp.new_cipher	- the new cipher to use.
+	 */
+
+	ret=1;
+	if (0)
+		{
+f_err:
+		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		}
+err:
+	if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
+	return(ret);
+	}
+
+static int ssl3_send_server_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int i,sl;
+	unsigned long l,Time;
+
+	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
+		{
+		buf=(unsigned char *)s->init_buf->data;
+		p=s->s3->server_random;
+		Time=time(NULL);			/* Time */
+		l2n(Time,p);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		/* Do the message type and length last */
+		d=p= &(buf[4]);
+
+		*(p++)=s->version>>8;
+		*(p++)=s->version&0xff;
+
+		/* Random stuff */
+		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+
+		/* now in theory we have 3 options to sending back the
+		 * session id.  If it is a re-use, we send back the
+		 * old session-id, if it is a new session, we send
+		 * back the new session-id or we send back a 0 length
+		 * session-id if we want it to be single use.
+		 * Currently I will not implement the '0' length session-id
+		 * 12-Jan-98 - I'll now support the '0' length stuff.
+		 */
+		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
+			s->session->session_id_length=0;
+
+		sl=s->session->session_id_length;
+		*(p++)=sl;
+		memcpy(p,s->session->session_id,sl);
+		p+=sl;
+
+		/* put the cipher */
+		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
+		p+=i;
+
+		/* put the compression method */
+		if (s->s3->tmp.new_compression == NULL)
+			*(p++)=0;
+		else
+			*(p++)=s->s3->tmp.new_compression->id;
+
+		/* do the header */
+		l=(p-d);
+		d=buf;
+		*(d++)=SSL3_MT_SERVER_HELLO;
+		l2n3(l,d);
+
+		s->state=SSL3_ST_CW_CLNT_HELLO_B;
+		/* number of bytes to write */
+		s->init_num=p-buf;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+static int ssl3_send_server_done(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+
+		/* do the header */
+		*(p++)=SSL3_MT_SERVER_DONE;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+
+		s->state=SSL3_ST_SW_SRVR_DONE_B;
+		/* number of bytes to write */
+		s->init_num=4;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+static int ssl3_send_server_key_exchange(SSL *s)
+	{
+#ifndef NO_RSA
+	unsigned char *q;
+	int j,num;
+	RSA *rsa;
+	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	unsigned int u;
+#endif
+#ifndef NO_DH
+	DH *dh=NULL,*dhp;
+#endif
+	EVP_PKEY *pkey;
+	unsigned char *p,*d;
+	int al,i;
+	unsigned long type;
+	int n;
+	CERT *cert;
+	BIGNUM *r[4];
+	int nr[4],kn;
+	BUF_MEM *buf;
+	EVP_MD_CTX md_ctx;
+
+	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
+		{
+		type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
+		cert=s->cert;
+
+		buf=s->init_buf;
+
+		r[0]=r[1]=r[2]=r[3]=NULL;
+		n=0;
+#ifndef NO_RSA
+		if (type & SSL_kRSA)
+			{
+			rsa=cert->rsa_tmp;
+			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
+				{
+				rsa=s->cert->rsa_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				if(rsa == NULL)
+				{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+					goto f_err;
+				}
+				CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+				cert->rsa_tmp=rsa;
+				}
+			if (rsa == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
+				goto f_err;
+				}
+			r[0]=rsa->n;
+			r[1]=rsa->e;
+			s->s3->tmp.use_rsa_tmp=1;
+			}
+		else
+#endif
+#ifndef NO_DH
+			if (type & SSL_kEDH)
+			{
+			dhp=cert->dh_tmp;
+			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
+				dhp=s->cert->dh_tmp_cb(s,
+				      !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+			if (dhp == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
+				goto f_err;
+				}
+
+			if (s->s3->tmp.dh != NULL)
+				{
+				DH_free(dh);
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+				goto err;
+				}
+
+			if ((dh=DHparams_dup(dhp)) == NULL)
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			s->s3->tmp.dh=dh;
+			if ((dhp->pub_key == NULL ||
+			     dhp->priv_key == NULL ||
+			     (s->options & SSL_OP_SINGLE_DH_USE)))
+				{
+				if(!DH_generate_key(dh))
+				    {
+				    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+					   ERR_R_DH_LIB);
+				    goto err;
+				    }
+				}
+			else
+				{
+				dh->pub_key=BN_dup(dhp->pub_key);
+				dh->priv_key=BN_dup(dhp->priv_key);
+				if ((dh->pub_key == NULL) ||
+					(dh->priv_key == NULL))
+					{
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+					goto err;
+					}
+				}
+			r[0]=dh->p;
+			r[1]=dh->g;
+			r[2]=dh->pub_key;
+			}
+		else 
+#endif
+			{
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
+			goto f_err;
+			}
+		for (i=0; r[i] != NULL; i++)
+			{
+			nr[i]=BN_num_bytes(r[i]);
+			n+=2+nr[i];
+			}
+
+		if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+			{
+			if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
+				== NULL)
+				{
+				al=SSL_AD_DECODE_ERROR;
+				goto f_err;
+				}
+			kn=EVP_PKEY_size(pkey);
+			}
+		else
+			{
+			pkey=NULL;
+			kn=0;
+			}
+
+		if (!BUF_MEM_grow(buf,n+4+kn))
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
+			goto err;
+			}
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[4]);
+
+		for (i=0; r[i] != NULL; i++)
+			{
+			s2n(nr[i],p);
+			BN_bn2bin(r[i],p);
+			p+=nr[i];
+			}
+
+		/* not anonymous */
+		if (pkey != NULL)
+			{
+			/* n is the length of the params, they start at &(d[4])
+			 * and p points to the space at the end. */
+#ifndef NO_RSA
+			if (pkey->type == EVP_PKEY_RSA)
+				{
+				q=md_buf;
+				j=0;
+				for (num=2; num > 0; num--)
+					{
+					EVP_DigestInit(&md_ctx,(num == 2)
+						?s->ctx->md5:s->ctx->sha1);
+					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+					EVP_DigestUpdate(&md_ctx,&(d[4]),n);
+					EVP_DigestFinal(&md_ctx,q,
+						(unsigned int *)&i);
+					q+=i;
+					j+=i;
+					}
+				if (RSA_sign(NID_md5_sha1, md_buf, j,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0)
+					{
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
+					goto err;
+					}
+				s2n(u,p);
+				n+=u+2;
+				}
+			else
+#endif
+#if !defined(NO_DSA)
+				if (pkey->type == EVP_PKEY_DSA)
+				{
+				/* lets do DSS */
+				EVP_SignInit(&md_ctx,EVP_dss1());
+				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(d[4]),n);
+				if (!EVP_SignFinal(&md_ctx,&(p[2]),
+					(unsigned int *)&i,pkey))
+					{
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
+					goto err;
+					}
+				s2n(i,p);
+				n+=i+2;
+				}
+			else
+#endif
+				{
+				/* Is this error check actually needed? */
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
+				goto f_err;
+				}
+			}
+
+		*(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
+		l2n3(n,d);
+
+		/* we should now have things packed up, so lets send
+		 * it off */
+		s->init_num=n+4;
+		s->init_off=0;
+		}
+
+	s->state = SSL3_ST_SW_KEY_EXCH_B;
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(-1);
+	}
+
+static int ssl3_send_certificate_request(SSL *s)
+	{
+	unsigned char *p,*d;
+	int i,j,nl,off,n;
+	STACK_OF(X509_NAME) *sk=NULL;
+	X509_NAME *name;
+	BUF_MEM *buf;
+
+	if (s->state == SSL3_ST_SW_CERT_REQ_A)
+		{
+		buf=s->init_buf;
+
+		d=p=(unsigned char *)&(buf->data[4]);
+
+		/* get the list of acceptable cert types */
+		p++;
+		n=ssl3_get_req_cert_type(s,p);
+		d[0]=n;
+		p+=n;
+		n++;
+
+		off=n;
+		p+=2;
+		n+=2;
+
+		sk=SSL_get_client_CA_list(s);
+		nl=0;
+		if (sk != NULL)
+			{
+			for (i=0; i<sk_X509_NAME_num(sk); i++)
+				{
+				name=sk_X509_NAME_value(sk,i);
+				j=i2d_X509_NAME(name,NULL);
+				if (!BUF_MEM_grow(buf,4+n+j+2))
+					{
+					SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+					goto err;
+					}
+				p=(unsigned char *)&(buf->data[4+n]);
+				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+					{
+					s2n(j,p);
+					i2d_X509_NAME(name,&p);
+					n+=2+j;
+					nl+=2+j;
+					}
+				else
+					{
+					d=p;
+					i2d_X509_NAME(name,&p);
+					j-=2; s2n(j,d); j+=2;
+					n+=j;
+					nl+=j;
+					}
+				}
+			}
+		/* else no CA names */
+		p=(unsigned char *)&(buf->data[4+off]);
+		s2n(nl,p);
+
+		d=(unsigned char *)buf->data;
+		*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
+		l2n3(n,d);
+
+		/* we should now have things packed up, so lets send
+		 * it off */
+
+		s->init_num=n+4;
+		s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+		p=(unsigned char *)s->init_buf->data + s->init_num;
+
+		/* do the header */
+		*(p++)=SSL3_MT_SERVER_DONE;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+		s->init_num += 4;
+#endif
+
+		}
+
+	/* SSL3_ST_SW_CERT_REQ_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+static int ssl3_get_client_key_exchange(SSL *s)
+	{
+	int i,al,ok;
+	long n;
+	unsigned long l;
+	unsigned char *p;
+#ifndef NO_RSA
+	RSA *rsa=NULL;
+	EVP_PKEY *pkey=NULL;
+#endif
+#ifndef NO_DH
+	BIGNUM *pub=NULL;
+	DH *dh_srvr;
+#endif
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_KEY_EXCH_A,
+		SSL3_ST_SR_KEY_EXCH_B,
+		SSL3_MT_CLIENT_KEY_EXCHANGE,
+		400, /* ???? */
+		&ok);
+
+	if (!ok) return((int)n);
+	p=(unsigned char *)s->init_buf->data;
+
+	l=s->s3->tmp.new_cipher->algorithms;
+
+#ifndef NO_RSA
+	if (l & SSL_kRSA)
+		{
+		/* FIX THIS UP EAY EAY EAY EAY */
+		if (s->s3->tmp.use_rsa_tmp)
+			{
+			if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
+				rsa=s->cert->rsa_tmp;
+			/* Don't do a callback because rsa_tmp should
+			 * be sent already */
+			if (rsa == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
+				goto f_err;
+
+				}
+			}
+		else
+			{
+			pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
+			if (	(pkey == NULL) ||
+				(pkey->type != EVP_PKEY_RSA) ||
+				(pkey->pkey.rsa == NULL))
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
+				goto f_err;
+				}
+			rsa=pkey->pkey.rsa;
+			}
+
+		/* TLS */
+		if (s->version > SSL3_VERSION)
+			{
+			n2s(p,i);
+			if (n != i+2)
+				{
+				if (!(s->options & SSL_OP_TLS_D5_BUG))
+					{
+					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+					goto err;
+					}
+				else
+					p-=2;
+				}
+			else
+				n=i;
+			}
+
+		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
+
+		if (i != SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+			goto f_err;
+			}
+
+		if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+			goto f_err;
+			}
+
+		s->session->master_key_length=
+			s->method->ssl3_enc->generate_master_secret(s,
+				s->session->master_key,
+				p,i);
+		memset(p,0,i);
+		}
+	else
+#endif
+#ifndef NO_DH
+		if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+		{
+		n2s(p,i);
+		if (n != i+2)
+			{
+			if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
+				{
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+				goto err;
+				}
+			else
+				{
+				p-=2;
+				i=(int)n;
+				}
+			}
+
+		if (n == 0L) /* the parameters are in the cert */
+			{
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
+			goto f_err;
+			}
+		else
+			{
+			if (s->s3->tmp.dh == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
+				goto f_err;
+				}
+			else
+				dh_srvr=s->s3->tmp.dh;
+			}
+
+		pub=BN_bin2bn(p,i,NULL);
+		if (pub == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
+			goto err;
+			}
+
+		i=DH_compute_key(p,pub,dh_srvr);
+
+		if (i <= 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+			goto err;
+			}
+
+		DH_free(s->s3->tmp.dh);
+		s->s3->tmp.dh=NULL;
+
+		BN_clear_free(pub);
+		pub=NULL;
+		s->session->master_key_length=
+			s->method->ssl3_enc->generate_master_secret(s,
+				s->session->master_key,p,i);
+		}
+	else
+#endif
+		{
+		al=SSL_AD_HANDSHAKE_FAILURE;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
+		goto f_err;
+		}
+
+	return(1);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+#if !defined(NO_DH) || !defined(NO_RSA)
+err:
+#endif
+	return(-1);
+	}
+
+static int ssl3_get_cert_verify(SSL *s)
+	{
+	EVP_PKEY *pkey=NULL;
+	unsigned char *p;
+	int al,ok,ret=0;
+	long n;
+	int type=0,i,j;
+	X509 *peer;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CERT_VRFY_A,
+		SSL3_ST_SR_CERT_VRFY_B,
+		-1,
+		512, /* 512? */
+		&ok);
+
+	if (!ok) return((int)n);
+
+	if (s->session->peer != NULL)
+		{
+		peer=s->session->peer;
+		pkey=X509_get_pubkey(peer);
+		type=X509_certificate_type(peer,pkey);
+		}
+	else
+		{
+		peer=NULL;
+		pkey=NULL;
+		}
+
+	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
+		{
+		s->s3->tmp.reuse_message=1;
+		if ((peer != NULL) && (type | EVP_PKT_SIGN))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
+			goto f_err;
+			}
+		ret=1;
+		goto end;
+		}
+
+	if (peer == NULL)
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		goto f_err;
+		}
+
+	if (!(type & EVP_PKT_SIGN))
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		goto f_err;
+		}
+
+	if (s->s3->change_cipher_spec)
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		goto f_err;
+		}
+
+	/* we now have a signature that we need to verify */
+	p=(unsigned char *)s->init_buf->data;
+	n2s(p,i);
+	n-=2;
+	if (i > n)
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
+		al=SSL_AD_DECODE_ERROR;
+		goto f_err;
+		}
+
+	j=EVP_PKEY_size(pkey);
+	if ((i > j) || (n > j) || (n <= 0))
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
+		al=SSL_AD_DECODE_ERROR;
+		goto f_err;
+		}
+
+#ifndef NO_RSA 
+	if (pkey->type == EVP_PKEY_RSA)
+		{
+		i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
+			MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 
+							pkey->pkey.rsa);
+		if (i < 0)
+			{
+			al=SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
+			goto f_err;
+			}
+		if (i == 0)
+			{
+			al=SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
+			goto f_err;
+			}
+		}
+	else
+#endif
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+		{
+		j=DSA_verify(pkey->save_type,
+			&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
+			SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
+		if (j <= 0)
+			{
+			/* bad signature */
+			al=SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
+			goto f_err;
+			}
+		}
+	else
+#endif
+		{
+		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
+		al=SSL_AD_UNSUPPORTED_CERTIFICATE;
+		goto f_err;
+		}
+
+
+	ret=1;
+	if (0)
+		{
+f_err:
+		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		}
+end:
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+
+static int ssl3_get_client_certificate(SSL *s)
+	{
+	int i,ok,al,ret= -1;
+	X509 *x=NULL;
+	unsigned long l,nc,llen,n;
+	unsigned char *p,*d,*q;
+	STACK_OF(X509) *sk=NULL;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CERT_A,
+		SSL3_ST_SR_CERT_B,
+		-1,
+#if defined(MSDOS) && !defined(WIN32)
+		1024*30, /* 30k max cert list :-) */
+#else
+		1024*100, /* 100k max cert list :-) */
+#endif
+		&ok);
+
+	if (!ok) return((int)n);
+
+	if	(s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
+		{
+		if (	(s->verify_mode & SSL_VERIFY_PEER) &&
+			(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			goto f_err;
+			}
+		/* If tls asked for a client cert, the client must return a 0 list */
+		if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			goto f_err;
+			}
+		s->s3->tmp.reuse_message=1;
+		return(1);
+		}
+
+	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
+		goto f_err;
+		}
+	d=p=(unsigned char *)s->init_buf->data;
+
+	if ((sk=sk_X509_new_null()) == NULL)
+		{
+		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	n2l3(p,llen);
+	if (llen+3 != n)
+		{
+		al=SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+		}
+	for (nc=0; nc<llen; )
+		{
+		n2l3(p,l);
+		if ((l+nc+3) > llen)
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
+
+		q=p;
+		x=d2i_X509(NULL,&p,l);
+		if (x == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
+			goto err;
+			}
+		if (p != (q+l))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
+		if (!sk_X509_push(sk,x))
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		x=NULL;
+		nc+=l+3;
+		}
+
+	if (sk_X509_num(sk) <= 0)
+		{
+		/* TLS does not mind 0 certs returned */
+		if (s->version == SSL3_VERSION)
+			{
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
+			goto f_err;
+			}
+		/* Fail for TLS only if we required a certificate */
+		else if ((s->verify_mode & SSL_VERIFY_PEER) &&
+			 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			goto f_err;
+			}
+		}
+	else
+		{
+		i=ssl_verify_cert_chain(s,sk);
+		if (!i)
+			{
+			al=ssl_verify_alarm_type(s->verify_result);
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
+			goto f_err;
+			}
+		}
+
+	if (s->session->peer != NULL) /* This should not be needed */
+		X509_free(s->session->peer);
+	s->session->peer=sk_X509_shift(sk);
+	s->session->verify_result = s->verify_result;
+
+	/* With the current implementation, sess_cert will always be NULL
+	 * when we arrive here. */
+	if (s->session->sess_cert == NULL)
+		{
+		s->session->sess_cert = ssl_sess_cert_new();
+		if (s->session->sess_cert == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	if (s->session->sess_cert->cert_chain != NULL)
+		sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+	s->session->sess_cert->cert_chain=sk;
+	/* Inconsistency alert: cert_chain does *not* include the
+	 * peer's own certificate, while we do include it in s3_clnt.c */
+
+	sk=NULL;
+
+	ret=1;
+	if (0)
+		{
+f_err:
+		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		}
+err:
+	if (x != NULL) X509_free(x);
+	if (sk != NULL) sk_X509_pop_free(sk,X509_free);
+	return(ret);
+	}
+
+int ssl3_send_server_certificate(SSL *s)
+	{
+	unsigned long l;
+	X509 *x;
+
+	if (s->state == SSL3_ST_SW_CERT_A)
+		{
+		x=ssl_get_server_send_cert(s);
+		if (x == NULL)
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
+			return(0);
+			}
+
+		l=ssl3_output_cert_chain(s,x);
+		s->state=SSL3_ST_SW_CERT_B;
+		s->init_num=(int)l;
+		s->init_off=0;
+		}
+
+	/* SSL3_ST_SW_CERT_B */
+	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+	}
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
new file mode 100644
index 0000000..bb846f4
--- /dev/null
+++ b/crypto/openssl/ssl/ssl.h
@@ -0,0 +1,1533 @@
+/* ssl/ssl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SSL_H 
+#define HEADER_SSL_H 
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/safestack.h>
+
+/* SSLeay version number for ASN.1 encoding of the session information */
+/* Version 0 - initial version
+ * Version 1 - added the optional peer certificate
+ */
+#define SSL_SESSION_ASN1_VERSION 0x0001
+
+/* text strings for the ciphers */
+#define SSL_TXT_NULL_WITH_MD5		SSL2_TXT_NULL_WITH_MD5			
+#define SSL_TXT_RC4_128_WITH_MD5	SSL2_TXT_RC4_128_WITH_MD5		
+#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5	
+#define SSL_TXT_RC2_128_CBC_WITH_MD5	SSL2_TXT_RC2_128_CBC_WITH_MD5		
+#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5	
+#define SSL_TXT_IDEA_128_CBC_WITH_MD5	SSL2_TXT_IDEA_128_CBC_WITH_MD5		
+#define SSL_TXT_DES_64_CBC_WITH_MD5	SSL2_TXT_DES_64_CBC_WITH_MD5		
+#define SSL_TXT_DES_64_CBC_WITH_SHA	SSL2_TXT_DES_64_CBC_WITH_SHA		
+#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5	
+#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA	
+
+#define SSL_MAX_SSL_SESSION_ID_LENGTH		32
+#define SSL_MAX_SID_CTX_LENGTH			32
+
+#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES	(512/8)
+#define SSL_MAX_KEY_ARG_LENGTH			8
+#define SSL_MAX_MASTER_KEY_LENGTH		48
+
+/* These are used to specify which ciphers to use and not to use */
+#define SSL_TXT_LOW		"LOW"
+#define SSL_TXT_MEDIUM		"MEDIUM"
+#define SSL_TXT_HIGH		"HIGH"
+#define SSL_TXT_kFZA		"kFZA"
+#define	SSL_TXT_aFZA		"aFZA"
+#define SSL_TXT_eFZA		"eFZA"
+#define SSL_TXT_FZA		"FZA"
+
+#define	SSL_TXT_aNULL		"aNULL"
+#define	SSL_TXT_eNULL		"eNULL"
+#define	SSL_TXT_NULL		"NULL"
+
+#define SSL_TXT_kRSA		"kRSA"
+#define SSL_TXT_kDHr		"kDHr"
+#define SSL_TXT_kDHd		"kDHd"
+#define SSL_TXT_kEDH		"kEDH"
+#define	SSL_TXT_aRSA		"aRSA"
+#define	SSL_TXT_aDSS		"aDSS"
+#define	SSL_TXT_aDH		"aDH"
+#define	SSL_TXT_DSS		"DSS"
+#define SSL_TXT_DH		"DH"
+#define SSL_TXT_EDH		"EDH"
+#define SSL_TXT_ADH		"ADH"
+#define SSL_TXT_RSA		"RSA"
+#define SSL_TXT_DES		"DES"
+#define SSL_TXT_3DES		"3DES"
+#define SSL_TXT_RC4		"RC4"
+#define SSL_TXT_RC2		"RC2"
+#define SSL_TXT_IDEA		"IDEA"
+#define SSL_TXT_MD5		"MD5"
+#define SSL_TXT_SHA1		"SHA1"
+#define SSL_TXT_SHA		"SHA"
+#define SSL_TXT_EXP		"EXP"
+#define SSL_TXT_EXPORT		"EXPORT"
+#define SSL_TXT_EXP40		"EXPORT40"
+#define SSL_TXT_EXP56		"EXPORT56"
+#define SSL_TXT_SSLV2		"SSLv2"
+#define SSL_TXT_SSLV3		"SSLv3"
+#define SSL_TXT_TLSV1		"TLSv1"
+#define SSL_TXT_ALL		"ALL"
+
+/* 'DEFAULT' at the start of the cipher list insert the following string
+ * in addition to this being the default cipher string */
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+
+/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+#define SSL_SENT_SHUTDOWN	1
+#define SSL_RECEIVED_SHUTDOWN	2
+
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2)
+#define NO_SSL2
+#endif
+
+#define SSL_FILETYPE_ASN1	X509_FILETYPE_ASN1
+#define SSL_FILETYPE_PEM	X509_FILETYPE_PEM
+
+/* This is needed to stop compilers complaining about the
+ * 'struct ssl_st *' function parameters used to prototype callbacks
+ * in SSL_CTX. */
+typedef struct ssl_st *ssl_crock_st;
+
+/* used to hold info on the particular ciphers used */
+typedef struct ssl_cipher_st
+	{
+	int valid;
+	const char *name;		/* text name */
+	unsigned long id;		/* id, 4 bytes, first is version */
+	unsigned long algorithms;	/* what ciphers are used */
+	unsigned long algo_strength;	/* strength and export flags */
+	unsigned long algorithm2;	/* Extra flags */
+	int strength_bits;		/* Number of bits really used */
+	int alg_bits;			/* Number of bits for algorithm */
+	unsigned long mask;		/* used for matching */
+	unsigned long mask_strength;	/* also used for matching */
+	} SSL_CIPHER;
+
+DECLARE_STACK_OF(SSL_CIPHER)
+
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
+
+/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+typedef struct ssl_method_st
+	{
+	int version;
+	int (*ssl_new)(SSL *s);
+	void (*ssl_clear)(SSL *s);
+	void (*ssl_free)(SSL *s);
+	int (*ssl_accept)(SSL *s);
+	int (*ssl_connect)(SSL *s);
+	int (*ssl_read)(SSL *s,void *buf,int len);
+	int (*ssl_peek)(SSL *s,char *buf,int len);
+	int (*ssl_write)(SSL *s,const void *buf,int len);
+	int (*ssl_shutdown)(SSL *s);
+	int (*ssl_renegotiate)(SSL *s);
+	int (*ssl_renegotiate_check)(SSL *s);
+	long (*ssl_ctrl)(SSL *s,int cmd,long larg,char *parg);
+	long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,char *parg);
+	SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
+	int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
+	int (*ssl_pending)(SSL *s);
+	int (*num_ciphers)(void);
+	SSL_CIPHER *(*get_cipher)(unsigned ncipher);
+	struct ssl_method_st *(*get_ssl_method)(int version);
+	long (*get_timeout)(void);
+	struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
+	int (*ssl_version)();
+	long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
+	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
+	} SSL_METHOD;
+
+/* Lets make this into an ASN.1 type structure as follows
+ * SSL_SESSION_ID ::= SEQUENCE {
+ *	version 		INTEGER,	-- structure version number
+ *	SSLversion 		INTEGER,	-- SSL version number
+ *	Cipher 			OCTET_STRING,	-- the 3 byte cipher ID
+ *	Session_ID 		OCTET_STRING,	-- the Session ID
+ *	Master_key 		OCTET_STRING,	-- the master key
+ *	Key_Arg [ 0 ] IMPLICIT	OCTET_STRING,	-- the optional Key argument
+ *	Time [ 1 ] EXPLICIT	INTEGER,	-- optional Start Time
+ *	Timeout [ 2 ] EXPLICIT	INTEGER,	-- optional Timeout ins seconds
+ *	Peer [ 3 ] EXPLICIT	X509,		-- optional Peer Certificate
+ *	Session_ID_context [ 4 ] EXPLICIT OCTET_STRING,   -- the Session ID context
+ *	Verify_result [ 5 ] EXPLICIT INTEGER    -- X509_V_... code for `Peer'
+ *	Compression [6] IMPLICIT ASN1_OBJECT	-- compression OID XXXXX
+ *	}
+ * Look in ssl/ssl_asn1.c for more details
+ * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
+ */
+typedef struct ssl_session_st
+	{
+	int ssl_version;	/* what ssl version session info is
+				 * being kept in here? */
+
+	/* only really used in SSLv2 */
+	unsigned int key_arg_length;
+	unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
+	int master_key_length;
+	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
+	/* session_id - valid? */
+	unsigned int session_id_length;
+	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+	/* this is used to determine whether the session is being reused in
+	 * the appropriate context. It is up to the application to set this,
+	 * via SSL_new */
+	unsigned int sid_ctx_length;
+	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
+	int not_resumable;
+
+	/* The cert is the certificate used to establish this connection */
+	struct sess_cert_st /* SESS_CERT */ *sess_cert;
+
+	/* This is the cert for the other end.
+	 * On clients, it will be the same as sess_cert->peer_key->x509
+	 * (the latter is not enough as sess_cert is not retained
+	 * in the external representation of sessions, see ssl_asn1.c). */
+	X509 *peer;
+	/* when app_verify_callback accepts a session where the peer's certificate
+	 * is not ok, we must remember the error for session reuse: */
+	long verify_result; /* only for servers */
+
+	int references;
+	long timeout;
+	long time;
+
+	int compress_meth;		/* Need to lookup the method */
+
+	SSL_CIPHER *cipher;
+	unsigned long cipher_id;	/* when ASN.1 loaded, this
+					 * needs to be used to load
+					 * the 'cipher' structure */
+
+	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
+
+	CRYPTO_EX_DATA ex_data; /* application specific data */
+
+	/* These are used to make removal of session-ids more
+	 * efficient and to implement a maximum cache size. */
+	struct ssl_session_st *prev,*next;
+	} SSL_SESSION;
+
+#define SSL_OP_MICROSOFT_SESS_ID_BUG			0x00000001L
+#define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
+#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
+#define SSL_OP_TLS_D5_BUG				0x00000100L
+#define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
+#define SSL_OP_TLS_ROLLBACK_BUG				0x00000400L
+
+/* If set, always create a new key when using tmp_dh parameters */
+#define SSL_OP_SINGLE_DH_USE				0x00100000L
+/* Set to also use the tmp_rsa key when doing RSA operations. */
+#define SSL_OP_EPHEMERAL_RSA				0x00200000L
+
+/* The next flag deliberately changes the ciphertest, this is a check
+ * for the PKCS#1 attack */
+#define SSL_OP_PKCS1_CHECK_1				0x08000000L
+#define SSL_OP_PKCS1_CHECK_2				0x10000000L
+#define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L
+/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */
+#define SSL_OP_NON_EXPORT_FIRST 			0x40000000L
+#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x80000000L
+#define SSL_OP_ALL					0x000FFFFFL
+
+#define SSL_OP_NO_SSLv2					0x01000000L
+#define SSL_OP_NO_SSLv3					0x02000000L
+#define SSL_OP_NO_TLSv1					0x04000000L
+
+/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
+ * when just a single record has been written): */
+#define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
+/* Make it possible to retry SSL_write() with changed buffer location
+ * (buffer contents must stay the same!); this is not the default to avoid
+ * the misconception that non-blocking SSL_write() behaves like
+ * non-blocking write(): */
+#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
+
+/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
+ * they cannot be used to clear bits. */
+
+#define SSL_CTX_set_options(ctx,op) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_CTX_get_options(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_set_options(ssl,op) \
+	SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_get_options(ssl) \
+        SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL)
+
+#define SSL_CTX_set_mode(ctx,op) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL)
+#define SSL_CTX_get_mode(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL)
+#define SSL_set_mode(ssl,op) \
+	SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL)
+#define SSL_get_mode(ssl) \
+        SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL)
+
+#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT	(1024*20)
+
+typedef struct ssl_comp_st
+{
+    int id;
+    char *name;
+#ifdef HEADER_COMP_H
+    COMP_METHOD *method;
+#else
+    char *method;
+#endif
+} SSL_COMP;
+
+DECLARE_STACK_OF(SSL_COMP)
+
+struct ssl_ctx_st
+	{
+	SSL_METHOD *method;
+	unsigned long options;
+	unsigned long mode;
+
+	STACK_OF(SSL_CIPHER) *cipher_list;
+	/* same as above but sorted for lookup */
+	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+
+	struct x509_store_st /* X509_STORE */ *cert_store;
+	struct lhash_st /* LHASH */ *sessions;	/* a set of SSL_SESSIONs */
+	/* Most session-ids that will be cached, default is
+	 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
+	unsigned long session_cache_size;
+	struct ssl_session_st *session_cache_head;
+	struct ssl_session_st *session_cache_tail;
+
+	/* This can have one of 2 values, ored together,
+	 * SSL_SESS_CACHE_CLIENT,
+	 * SSL_SESS_CACHE_SERVER,
+	 * Default is SSL_SESSION_CACHE_SERVER, which means only
+	 * SSL_accept which cache SSL_SESSIONS. */
+	int session_cache_mode;
+
+	/* If timeout is not 0, it is the default timeout value set
+	 * when SSL_new() is called.  This has been put in to make
+	 * life easier to set things up */
+	long session_timeout;
+
+	/* If this callback is not null, it will be called each
+	 * time a session id is added to the cache.  If this function
+	 * returns 1, it means that the callback will do a
+	 * SSL_SESSION_free() when it has finished using it.  Otherwise,
+	 * on 0, it means the callback has finished with it.
+	 * If remove_session_cb is not null, it will be called when
+	 * a session-id is removed from the cache.  After the call,
+	 * OpenSSL will SSL_SESSION_free() it. */
+	int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
+	void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
+	SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
+		unsigned char *data,int len,int *copy);
+	struct
+		{
+		int sess_connect;	/* SSL new conn - started */
+		int sess_connect_renegotiate;/* SSL reneg - requested */
+		int sess_connect_good;	/* SSL new conne/reneg - finished */
+		int sess_accept;	/* SSL new accept - started */
+		int sess_accept_renegotiate;/* SSL reneg - requested */
+		int sess_accept_good;	/* SSL accept/reneg - finished */
+		int sess_miss;		/* session lookup misses  */
+		int sess_timeout;	/* reuse attempt on timeouted session */
+		int sess_cache_full;	/* session removed due to full cache */
+		int sess_hit;		/* session reuse actually done */
+		int sess_cb_hit;	/* session-id that was not
+					 * in the cache was
+					 * passed back via the callback.  This
+					 * indicates that the application is
+					 * supplying session-id's from other
+					 * processes - spooky :-) */
+		} stats;
+
+	int references;
+
+/**/	void (*info_callback)();
+
+	/* if defined, these override the X509_verify_cert() calls */
+/**/	int (*app_verify_callback)();
+/**/	char *app_verify_arg; /* never used; should be void * */
+
+	/* default values to use in SSL structures */
+/**/	struct cert_st /* CERT */ *cert;
+/**/	int read_ahead;
+/**/	int verify_mode;
+/**/	int verify_depth;
+/**/	unsigned int sid_ctx_length;
+/**/	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+/**/	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
+
+	int purpose;		/* Purpose setting */
+	int trust;		/* Trust setting */
+
+	/* Default password callback. */
+/**/	pem_password_cb *default_passwd_callback;
+
+	/* Default password callback user data. */
+/**/	void *default_passwd_callback_userdata;
+
+	/* get client cert callback */
+/**/	int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
+
+	/* what we put in client cert requests */
+	STACK_OF(X509_NAME) *client_CA;
+
+/**/	int quiet_shutdown;
+
+	CRYPTO_EX_DATA ex_data;
+
+	const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
+	const EVP_MD *md5;	/* For SSLv3/TLSv1 'ssl3-md5' */
+	const EVP_MD *sha1;   /* For SSLv3/TLSv1 'ssl3->sha1' */
+
+	STACK_OF(X509) *extra_certs;
+        STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
+	};
+
+#define SSL_SESS_CACHE_OFF			0x0000
+#define SSL_SESS_CACHE_CLIENT			0x0001
+#define SSL_SESS_CACHE_SERVER			0x0002
+#define SSL_SESS_CACHE_BOTH	(SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
+#define SSL_SESS_CACHE_NO_AUTO_CLEAR		0x0080
+/* This one, when set, makes the server session-id lookup not look
+ * in the cache.  If there is an application get_session callback
+ * defined, this will still get called. */
+#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP	0x0100
+
+  struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
+#define SSL_CTX_sess_number(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
+#define SSL_CTX_sess_connect(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
+#define SSL_CTX_sess_connect_good(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
+#define SSL_CTX_sess_connect_renegotiate(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
+#define SSL_CTX_sess_accept_renegotiate(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept_good(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
+#define SSL_CTX_sess_hits(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
+#define SSL_CTX_sess_cb_hits(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
+#define SSL_CTX_sess_misses(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
+#define SSL_CTX_sess_timeouts(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
+#define SSL_CTX_sess_cache_full(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
+
+#define SSL_CTX_sess_set_new_cb(ctx,cb)	((ctx)->new_session_cb=(cb))
+#define SSL_CTX_sess_get_new_cb(ctx)	((ctx)->new_session_cb)
+#define SSL_CTX_sess_set_remove_cb(ctx,cb)	((ctx)->remove_session_cb=(cb))
+#define SSL_CTX_sess_get_remove_cb(ctx)	((ctx)->remove_session_cb)
+#define SSL_CTX_sess_set_get_cb(ctx,cb)	((ctx)->get_session_cb=(cb))
+#define SSL_CTX_sess_get_get_cb(ctx)	((ctx)->get_session_cb)
+#define SSL_CTX_set_info_callback(ctx,cb)	((ctx)->info_callback=(cb))
+#define SSL_CTX_get_info_callback(ctx)		((ctx)->info_callback)
+#define SSL_CTX_set_client_cert_cb(ctx,cb)	((ctx)->client_cert_cb=(cb))
+#define SSL_CTX_get_client_cert_cb(ctx)		((ctx)->client_cert_cb)
+
+#define SSL_NOTHING	1
+#define SSL_WRITING	2
+#define SSL_READING	3
+#define SSL_X509_LOOKUP	4
+
+/* These will only be used when doing non-blocking IO */
+#define SSL_want_nothing(s)	(SSL_want(s) == SSL_NOTHING)
+#define SSL_want_read(s)	(SSL_want(s) == SSL_READING)
+#define SSL_want_write(s)	(SSL_want(s) == SSL_WRITING)
+#define SSL_want_x509_lookup(s)	(SSL_want(s) == SSL_X509_LOOKUP)
+
+struct ssl_st
+	{
+	/* protocol version
+	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
+	 */
+	int version;
+	int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+
+	SSL_METHOD *method; /* SSLv3 */
+
+	/* There are 2 BIO's even though they are normally both the
+	 * same.  This is so data can be read and written to different
+	 * handlers */
+
+#ifdef HEADER_BIO_H
+	BIO *rbio; /* used by SSL_read */
+	BIO *wbio; /* used by SSL_write */
+	BIO *bbio; /* used during session-id reuse to concatinate
+		    * messages */
+#else
+	char *rbio; /* used by SSL_read */
+	char *wbio; /* used by SSL_write */
+	char *bbio;
+#endif
+	/* This holds a variable that indicates what we were doing
+	 * when a 0 or -1 is returned.  This is needed for
+	 * non-blocking IO so we know what request needs re-doing when
+	 * in SSL_accept or SSL_connect */
+	int rwstate;
+
+	/* true when we are actually in SSL_accept() or SSL_connect() */
+	int in_handshake;
+	int (*handshake_func)();
+
+	/* Imagine that here's a boolean member "init" that is
+	 * switched as soon as SSL_set_{accept/connect}_state
+	 * is called for the first time, so that "state" and
+	 * "handshake_func" are properly initialized.  But as
+	 * handshake_func is == 0 until then, we use this
+	 * test instead of an "init" member.
+	 */
+
+	int server;	/* are we the server side? - mostly used by SSL_clear*/
+
+	int new_session;/* 1 if we are to use a new session */
+	int quiet_shutdown;/* don't send shutdown packets */
+	int shutdown;	/* we have shut things down, 0x01 sent, 0x02
+			 * for received */
+	int state;	/* where we are */
+	int rstate;	/* where we are when reading */
+
+	BUF_MEM *init_buf;	/* buffer used during init */
+	int init_num;		/* amount read/written */
+	int init_off;		/* amount read/written */
+
+	/* used internally to point at a raw packet */
+	unsigned char *packet;
+	unsigned int packet_length;
+
+	struct ssl2_state_st *s2; /* SSLv2 variables */
+	struct ssl3_state_st *s3; /* SSLv3 variables */
+
+	int read_ahead;		/* Read as many input bytes as possible
+	               	 	 * (for non-blocking reads) */
+	int hit;		/* reusing a previous session */
+
+	int purpose;		/* Purpose setting */
+	int trust;		/* Trust setting */
+
+	/* crypto */
+	STACK_OF(SSL_CIPHER) *cipher_list;
+	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+
+	/* These are the ones being used, the ones in SSL_SESSION are
+	 * the ones to be 'copied' into these ones */
+
+	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
+	const EVP_MD *read_hash;		/* used for mac generation */
+#ifdef HEADER_COMP_H
+	COMP_CTX *expand;			/* uncompress */
+#else
+	char *expand;
+#endif
+
+	EVP_CIPHER_CTX *enc_write_ctx;		/* cryptographic state */
+	const EVP_MD *write_hash;		/* used for mac generation */
+#ifdef HEADER_COMP_H
+	COMP_CTX *compress;			/* compression */
+#else
+	char *compress;	
+#endif
+
+	/* session info */
+
+	/* client cert? */
+	/* This is used to hold the server certificate used */
+	struct cert_st /* CERT */ *cert;
+
+	/* the session_id_context is used to ensure sessions are only reused
+	 * in the appropriate context */
+	unsigned int sid_ctx_length;
+	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
+	/* This can also be in the session once a session is established */
+	SSL_SESSION *session;
+
+	/* Used in SSL2 and SSL3 */
+	int verify_mode;	/* 0 don't care about verify failure.
+				 * 1 fail if verify fails */
+	int verify_depth;
+	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+	void (*info_callback)(); /* optional informational callback */
+
+	int error;		/* error bytes to be written */
+	int error_code;		/* actual code */
+
+	SSL_CTX *ctx;
+	/* set this flag to 1 and a sleep(1) is put into all SSL_read()
+	 * and SSL_write() calls, good for nbio debuging :-) */
+	int debug;	
+
+	/* extra application data */
+	long verify_result;
+	CRYPTO_EX_DATA ex_data;
+
+	/* for server side, keep the list of CA_dn we can use */
+	STACK_OF(X509_NAME) *client_CA;
+
+	int references;
+	unsigned long options; /* protocol behaviour */
+	unsigned long mode; /* API behaviour */
+	int first_packet;
+	int client_version;	/* what was passed, used for
+				 * SSLv3/TLS rollback check */
+	};
+
+#include <openssl/ssl2.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/ssl23.h>
+
+/* compatibility */
+#define SSL_set_app_data(s,arg)		(SSL_set_ex_data(s,0,(char *)arg))
+#define SSL_get_app_data(s)		(SSL_get_ex_data(s,0))
+#define SSL_SESSION_set_app_data(s,a)	(SSL_SESSION_set_ex_data(s,0,(char *)a))
+#define SSL_SESSION_get_app_data(s)	(SSL_SESSION_get_ex_data(s,0))
+#define SSL_CTX_get_app_data(ctx)	(SSL_CTX_get_ex_data(ctx,0))
+#define SSL_CTX_set_app_data(ctx,arg)	(SSL_CTX_set_ex_data(ctx,0,(char *)arg))
+
+/* The following are the possible values for ssl->state are are
+ * used to indicate where we are up to in the SSL connection establishment.
+ * The macros that follow are about the only things you should need to use
+ * and even then, only when using non-blocking IO.
+ * It can also be useful to work out where you were when the connection
+ * failed */
+
+#define SSL_ST_CONNECT			0x1000
+#define SSL_ST_ACCEPT			0x2000
+#define SSL_ST_MASK			0x0FFF
+#define SSL_ST_INIT			(SSL_ST_CONNECT|SSL_ST_ACCEPT)
+#define SSL_ST_BEFORE			0x4000
+#define SSL_ST_OK			0x03
+#define SSL_ST_RENEGOTIATE		(0x04|SSL_ST_INIT)
+
+#define SSL_CB_LOOP			0x01
+#define SSL_CB_EXIT			0x02
+#define SSL_CB_READ			0x04
+#define SSL_CB_WRITE			0x08
+#define SSL_CB_ALERT			0x4000 /* used in callback */
+#define SSL_CB_READ_ALERT		(SSL_CB_ALERT|SSL_CB_READ)
+#define SSL_CB_WRITE_ALERT		(SSL_CB_ALERT|SSL_CB_WRITE)
+#define SSL_CB_ACCEPT_LOOP		(SSL_ST_ACCEPT|SSL_CB_LOOP)
+#define SSL_CB_ACCEPT_EXIT		(SSL_ST_ACCEPT|SSL_CB_EXIT)
+#define SSL_CB_CONNECT_LOOP		(SSL_ST_CONNECT|SSL_CB_LOOP)
+#define SSL_CB_CONNECT_EXIT		(SSL_ST_CONNECT|SSL_CB_EXIT)
+#define SSL_CB_HANDSHAKE_START		0x10
+#define SSL_CB_HANDSHAKE_DONE		0x20
+
+/* Is the SSL_connection established? */
+#define SSL_get_state(a)		SSL_state(a)
+#define SSL_is_init_finished(a)		(SSL_state(a) == SSL_ST_OK)
+#define SSL_in_init(a)			(SSL_state(a)&SSL_ST_INIT)
+#define SSL_in_before(a)		(SSL_state(a)&SSL_ST_BEFORE)
+#define SSL_in_connect_init(a)		(SSL_state(a)&SSL_ST_CONNECT)
+#define SSL_in_accept_init(a)		(SSL_state(a)&SSL_ST_ACCEPT)
+
+/* The following 2 states are kept in ssl->rstate when reads fail,
+ * you should not need these */
+#define SSL_ST_READ_HEADER			0xF0
+#define SSL_ST_READ_BODY			0xF1
+#define SSL_ST_READ_DONE			0xF2
+
+/* Obtain latest Finished message
+ *   -- that we sent (SSL_get_finished)
+ *   -- that we expected from peer (SSL_get_peer_finished).
+ * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+
+/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
+ * are 'ored' with SSL_VERIFY_PEER if they are desired */
+#define SSL_VERIFY_NONE			0x00
+#define SSL_VERIFY_PEER			0x01
+#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT	0x02
+#define SSL_VERIFY_CLIENT_ONCE		0x04
+
+#define OpenSSL_add_ssl_algorithms()	SSL_library_init()
+#define SSLeay_add_ssl_algorithms()	SSL_library_init()
+
+/* this is for backward compatibility */
+#if 0 /* NEW_SSLEAY */
+#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
+#define SSL_set_pref_cipher(c,n)	SSL_set_cipher_list(c,n)
+#define SSL_add_session(a,b)            SSL_CTX_add_session((a),(b))
+#define SSL_remove_session(a,b)		SSL_CTX_remove_session((a),(b))
+#define SSL_flush_sessions(a,b)		SSL_CTX_flush_sessions((a),(b))
+#endif
+/* More backward compatibility */
+#define SSL_get_cipher(s) \
+		SSL_CIPHER_get_name(SSL_get_current_cipher(s))
+#define SSL_get_cipher_bits(s,np) \
+		SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
+#define SSL_get_cipher_version(s) \
+		SSL_CIPHER_get_version(SSL_get_current_cipher(s))
+#define SSL_get_cipher_name(s) \
+		SSL_CIPHER_get_name(SSL_get_current_cipher(s))
+#define SSL_get_time(a)		SSL_SESSION_get_time(a)
+#define SSL_set_time(a,b)	SSL_SESSION_set_time((a),(b))
+#define SSL_get_timeout(a)	SSL_SESSION_get_timeout(a)
+#define SSL_set_timeout(a,b)	SSL_SESSION_set_timeout((a),(b))
+
+#if 1 /*SSLEAY_MACROS*/
+#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
+	(char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
+	(bp),(unsigned char **)(s_id))
+#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
+	bp,(unsigned char *)s_id)
+#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
+	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
+#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
+	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
+#define PEM_write_SSL_SESSION(fp,x) \
+	PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
+		PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
+#define PEM_write_bio_SSL_SESSION(bp,x) \
+	PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
+		PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
+#endif
+
+#define SSL_AD_REASON_OFFSET		1000
+/* These alert types are for SSLv3 and TLSv1 */
+#define SSL_AD_CLOSE_NOTIFY		SSL3_AD_CLOSE_NOTIFY
+#define SSL_AD_UNEXPECTED_MESSAGE	SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
+#define SSL_AD_BAD_RECORD_MAC		SSL3_AD_BAD_RECORD_MAC     /* fatal */
+#define SSL_AD_DECRYPTION_FAILED	TLS1_AD_DECRYPTION_FAILED
+#define SSL_AD_RECORD_OVERFLOW		TLS1_AD_RECORD_OVERFLOW
+#define SSL_AD_DECOMPRESSION_FAILURE	SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
+#define SSL_AD_HANDSHAKE_FAILURE	SSL3_AD_HANDSHAKE_FAILURE/* fatal */
+#define SSL_AD_NO_CERTIFICATE		SSL3_AD_NO_CERTIFICATE /* Not for TLS */
+#define SSL_AD_BAD_CERTIFICATE		SSL3_AD_BAD_CERTIFICATE
+#define SSL_AD_UNSUPPORTED_CERTIFICATE	SSL3_AD_UNSUPPORTED_CERTIFICATE
+#define SSL_AD_CERTIFICATE_REVOKED	SSL3_AD_CERTIFICATE_REVOKED
+#define SSL_AD_CERTIFICATE_EXPIRED	SSL3_AD_CERTIFICATE_EXPIRED
+#define SSL_AD_CERTIFICATE_UNKNOWN	SSL3_AD_CERTIFICATE_UNKNOWN
+#define SSL_AD_ILLEGAL_PARAMETER	SSL3_AD_ILLEGAL_PARAMETER   /* fatal */
+#define SSL_AD_UNKNOWN_CA		TLS1_AD_UNKNOWN_CA	/* fatal */
+#define SSL_AD_ACCESS_DENIED		TLS1_AD_ACCESS_DENIED	/* fatal */
+#define SSL_AD_DECODE_ERROR		TLS1_AD_DECODE_ERROR	/* fatal */
+#define SSL_AD_DECRYPT_ERROR		TLS1_AD_DECRYPT_ERROR
+#define SSL_AD_EXPORT_RESTRICTION	TLS1_AD_EXPORT_RESTRICTION/* fatal */
+#define SSL_AD_PROTOCOL_VERSION		TLS1_AD_PROTOCOL_VERSION /* fatal */
+#define SSL_AD_INSUFFICIENT_SECURITY	TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
+#define SSL_AD_INTERNAL_ERROR		TLS1_AD_INTERNAL_ERROR	/* fatal */
+#define SSL_AD_USER_CANCELLED		TLS1_AD_USER_CANCELLED
+#define SSL_AD_NO_RENEGOTIATION		TLS1_AD_NO_RENEGOTIATION
+
+#define SSL_ERROR_NONE			0
+#define SSL_ERROR_SSL			1
+#define SSL_ERROR_WANT_READ		2
+#define SSL_ERROR_WANT_WRITE		3
+#define SSL_ERROR_WANT_X509_LOOKUP	4
+#define SSL_ERROR_SYSCALL		5 /* look at error stack/return value/errno */
+#define SSL_ERROR_ZERO_RETURN		6
+#define SSL_ERROR_WANT_CONNECT		7
+
+#define SSL_CTRL_NEED_TMP_RSA			1
+#define SSL_CTRL_SET_TMP_RSA			2
+#define SSL_CTRL_SET_TMP_DH			3
+#define SSL_CTRL_SET_TMP_RSA_CB			4
+#define SSL_CTRL_SET_TMP_DH_CB			5
+/* Add these ones */
+#define SSL_CTRL_GET_SESSION_REUSED		6
+#define SSL_CTRL_GET_CLIENT_CERT_REQUEST	7
+#define SSL_CTRL_GET_NUM_RENEGOTIATIONS		8
+#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS	9
+#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS	10
+#define SSL_CTRL_GET_FLAGS			11
+#define SSL_CTRL_EXTRA_CHAIN_CERT		12
+
+/* Stats */
+#define SSL_CTRL_SESS_NUMBER			20
+#define SSL_CTRL_SESS_CONNECT			21
+#define SSL_CTRL_SESS_CONNECT_GOOD		22
+#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE	23
+#define SSL_CTRL_SESS_ACCEPT			24
+#define SSL_CTRL_SESS_ACCEPT_GOOD		25
+#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE	26
+#define SSL_CTRL_SESS_HIT			27
+#define SSL_CTRL_SESS_CB_HIT			28
+#define SSL_CTRL_SESS_MISSES			29
+#define SSL_CTRL_SESS_TIMEOUTS			30
+#define SSL_CTRL_SESS_CACHE_FULL		31
+#define SSL_CTRL_OPTIONS			32
+#define SSL_CTRL_MODE			33
+
+#define SSL_CTRL_GET_READ_AHEAD			40
+#define SSL_CTRL_SET_READ_AHEAD			41
+#define SSL_CTRL_SET_SESS_CACHE_SIZE		42
+#define SSL_CTRL_GET_SESS_CACHE_SIZE		43
+#define SSL_CTRL_SET_SESS_CACHE_MODE		44
+#define SSL_CTRL_GET_SESS_CACHE_MODE		45
+
+#define SSL_session_reused(ssl) \
+	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
+#define SSL_num_renegotiations(ssl) \
+	SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
+#define SSL_clear_num_renegotiations(ssl) \
+	SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
+#define SSL_total_renegotiations(ssl) \
+	SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
+
+#define SSL_CTX_need_tmp_RSA(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
+#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
+#define SSL_CTX_set_tmp_dh(ctx,dh) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+
+#define SSL_need_tmp_RSA(ssl) \
+	SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
+#define SSL_set_tmp_rsa(ssl,rsa) \
+	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
+#define SSL_set_tmp_dh(ssl,dh) \
+	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+
+#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+
+/* VMS uses only 31 characters for symbols. */
+#ifdef VMS
+#undef SSL_CTX_set_cert_verify_callback
+#define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb
+#undef SSL_CTX_use_certificate_chain_file
+#define SSL_CTX_use_certificate_chain_file SSL_CTX_use_cert_chain_file
+#undef SSL_CTX_set_default_verify_paths
+#define SSL_CTX_set_default_verify_paths SSL_CTX_set_def_verify_paths
+#undef SSL_get_ex_data_X509_STORE_CTX_idx
+#define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_data_X509_STOR_CTX_i
+#undef SSL_add_file_cert_subjects_to_stack
+#define SSL_add_file_cert_subjects_to_stack SSL_add_file_cert_sub_to_stack
+#undef SSL_add_dir_cert_subjects_to_stack
+#define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_sub_to_stack
+#endif
+
+#ifdef HEADER_BIO_H
+BIO_METHOD *BIO_f_ssl(void);
+BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
+BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
+BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
+int BIO_ssl_copy_session_id(BIO *to,BIO *from);
+void BIO_ssl_shutdown(BIO *ssl_bio);
+
+#endif
+
+int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
+SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
+void	SSL_CTX_free(SSL_CTX *);
+long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
+long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
+int SSL_want(SSL *s);
+int	SSL_clear(SSL *s);
+
+void	SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
+
+SSL_CIPHER *SSL_get_current_cipher(SSL *s);
+int	SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
+char *	SSL_CIPHER_get_version(SSL_CIPHER *c);
+const char *	SSL_CIPHER_get_name(SSL_CIPHER *c);
+
+int	SSL_get_fd(SSL *s);
+const char  * SSL_get_cipher_list(SSL *s,int n);
+char *	SSL_get_shared_ciphers(SSL *s, char *buf, int len);
+int	SSL_get_read_ahead(SSL * s);
+int	SSL_pending(SSL *s);
+#ifndef NO_SOCK
+int	SSL_set_fd(SSL *s, int fd);
+int	SSL_set_rfd(SSL *s, int fd);
+int	SSL_set_wfd(SSL *s, int fd);
+#endif
+#ifdef HEADER_BIO_H
+void	SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
+BIO *	SSL_get_rbio(SSL *s);
+BIO *	SSL_get_wbio(SSL *s);
+#endif
+int	SSL_set_cipher_list(SSL *s, const char *str);
+void	SSL_set_read_ahead(SSL *s, int yes);
+int	SSL_get_verify_mode(SSL *s);
+int	SSL_get_verify_depth(SSL *s);
+int	(*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+void	SSL_set_verify(SSL *s, int mode,
+		       int (*callback)(int ok,X509_STORE_CTX *ctx));
+void	SSL_set_verify_depth(SSL *s, int depth);
+#ifndef NO_RSA
+int	SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
+#endif
+int	SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
+int	SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
+int	SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
+int	SSL_use_certificate(SSL *ssl, X509 *x);
+int	SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
+
+#ifndef NO_STDIO
+int	SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+int	SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
+int	SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+int	SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+int	SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+int	SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
+int	SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
+int	SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+					    const char *file);
+int	SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+					   const char *dir);
+#endif
+
+void	ERR_load_SSL_strings(void );
+void	SSL_load_error_strings(void );
+char * 	SSL_state_string(SSL *s);
+char * 	SSL_rstate_string(SSL *s);
+char * 	SSL_state_string_long(SSL *s);
+char * 	SSL_rstate_string_long(SSL *s);
+long	SSL_SESSION_get_time(SSL_SESSION *s);
+long	SSL_SESSION_set_time(SSL_SESSION *s, long t);
+long	SSL_SESSION_get_timeout(SSL_SESSION *s);
+long	SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
+void	SSL_copy_session_id(SSL *to,SSL *from);
+
+SSL_SESSION *SSL_SESSION_new(void);
+unsigned long SSL_SESSION_hash(SSL_SESSION *a);
+int	SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+#ifndef NO_FP_API
+int	SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
+#endif
+#ifdef HEADER_BIO_H
+int	SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+#endif
+void	SSL_SESSION_free(SSL_SESSION *ses);
+int	i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
+int	SSL_set_session(SSL *to, SSL_SESSION *session);
+int	SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
+int	SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+
+#ifdef HEADER_X509_H
+X509 *	SSL_get_peer_certificate(SSL *s);
+#endif
+
+STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+
+#ifdef VMS
+#define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud
+#endif
+
+int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
+			int (*callback)(int, X509_STORE_CTX *));
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg);
+#ifndef NO_RSA
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+#endif
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
+int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
+int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
+	unsigned char *d, long len);
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
+
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+
+int SSL_CTX_check_private_key(SSL_CTX *ctx);
+int SSL_check_private_key(SSL *ctx);
+
+int	SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
+				       unsigned int sid_ctx_len);
+
+SSL *	SSL_new(SSL_CTX *ctx);
+int	SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+				   unsigned int sid_ctx_len);
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
+int SSL_set_purpose(SSL *s, int purpose);
+int SSL_CTX_set_trust(SSL_CTX *s, int trust);
+int SSL_set_trust(SSL *s, int trust);
+
+void	SSL_free(SSL *ssl);
+int 	SSL_accept(SSL *ssl);
+int 	SSL_connect(SSL *ssl);
+int 	SSL_read(SSL *ssl,char *buf,int num);
+int 	SSL_peek(SSL *ssl,char *buf,int num);
+int 	SSL_write(SSL *ssl,const char *buf,int num);
+long	SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
+long	SSL_callback_ctrl(SSL *, int, void (*)());
+long	SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
+long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
+
+int	SSL_get_error(SSL *s,int ret_code);
+const char *SSL_get_version(SSL *s);
+
+/* This sets the 'default' SSL version that SSL_new() will create */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
+
+SSL_METHOD *SSLv2_method(void);		/* SSLv2 */
+SSL_METHOD *SSLv2_server_method(void);	/* SSLv2 */
+SSL_METHOD *SSLv2_client_method(void);	/* SSLv2 */
+
+SSL_METHOD *SSLv3_method(void);		/* SSLv3 */
+SSL_METHOD *SSLv3_server_method(void);	/* SSLv3 */
+SSL_METHOD *SSLv3_client_method(void);	/* SSLv3 */
+
+SSL_METHOD *SSLv23_method(void);	/* SSLv3 but can rollback to v2 */
+SSL_METHOD *SSLv23_server_method(void);	/* SSLv3 but can rollback to v2 */
+SSL_METHOD *SSLv23_client_method(void);	/* SSLv3 but can rollback to v2 */
+
+SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
+SSL_METHOD *TLSv1_server_method(void);	/* TLSv1.0 */
+SSL_METHOD *TLSv1_client_method(void);	/* TLSv1.0 */
+
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+
+int SSL_do_handshake(SSL *s);
+int SSL_renegotiate(SSL *s);
+int SSL_shutdown(SSL *s);
+
+SSL_METHOD *SSL_get_ssl_method(SSL *s);
+int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
+char *SSL_alert_type_string_long(int value);
+char *SSL_alert_type_string(int value);
+char *SSL_alert_desc_string_long(int value);
+char *SSL_alert_desc_string(int value);
+
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+int SSL_add_client_CA(SSL *ssl,X509 *x);
+int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
+
+void SSL_set_connect_state(SSL *s);
+void SSL_set_accept_state(SSL *s);
+
+long SSL_get_default_timeout(SSL *s);
+
+int SSL_library_init(void );
+
+char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
+
+SSL *SSL_dup(SSL *ssl);
+
+X509 *SSL_get_certificate(SSL *ssl);
+/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
+
+void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
+int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+void SSL_set_quiet_shutdown(SSL *ssl,int mode);
+int SSL_get_quiet_shutdown(SSL *ssl);
+void SSL_set_shutdown(SSL *ssl,int mode);
+int SSL_get_shutdown(SSL *ssl);
+int SSL_version(SSL *ssl);
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+	const char *CApath);
+#define SSL_get0_session SSL_get_session /* just peek at pointer */
+SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
+SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+void SSL_set_info_callback(SSL *ssl,void (*cb)());
+void (*SSL_get_info_callback(SSL *ssl))();
+int SSL_state(SSL *ssl);
+
+void SSL_set_verify_result(SSL *ssl,long v);
+long SSL_get_verify_result(SSL *ssl);
+
+int SSL_set_ex_data(SSL *ssl,int idx,void *data);
+void *SSL_get_ex_data(SSL *ssl,int idx);
+int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+
+int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
+void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+
+int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
+void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+
+int SSL_get_ex_data_X509_STORE_CTX_idx(void );
+
+#define SSL_CTX_sess_set_cache_size(ctx,t) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
+#define SSL_CTX_sess_get_cache_size(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
+#define SSL_CTX_set_session_cache_mode(ctx,m) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
+#define SSL_CTX_get_session_cache_mode(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
+
+#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
+#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
+#define SSL_CTX_get_read_ahead(ctx) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
+#define SSL_CTX_set_read_ahead(ctx,m) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+
+     /* NB: the keylength is only applicable when is_export is true */
+#ifndef NO_RSA
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
+				  RSA *(*cb)(SSL *ssl,int is_export,
+					     int keylength));
+
+void SSL_set_tmp_rsa_callback(SSL *ssl,
+				  RSA *(*cb)(SSL *ssl,int is_export,
+					     int keylength));
+#endif
+#ifndef NO_DH
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
+				 DH *(*dh)(SSL *ssl,int is_export,
+					   int keylength));
+void SSL_set_tmp_dh_callback(SSL *ssl,
+				 DH *(*dh)(SSL *ssl,int is_export,
+					   int keylength));
+#endif
+
+#ifdef HEADER_COMP_H
+int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
+#else
+int SSL_COMP_add_compression_method(int id,char *cm);
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the SSL functions. */
+
+/* Function codes. */
+#define SSL_F_CLIENT_CERTIFICATE			 100
+#define SSL_F_CLIENT_HELLO				 101
+#define SSL_F_CLIENT_MASTER_KEY				 102
+#define SSL_F_D2I_SSL_SESSION				 103
+#define SSL_F_DO_SSL3_WRITE				 104
+#define SSL_F_GET_CLIENT_FINISHED			 105
+#define SSL_F_GET_CLIENT_HELLO				 106
+#define SSL_F_GET_CLIENT_MASTER_KEY			 107
+#define SSL_F_GET_SERVER_FINISHED			 108
+#define SSL_F_GET_SERVER_HELLO				 109
+#define SSL_F_GET_SERVER_VERIFY				 110
+#define SSL_F_I2D_SSL_SESSION				 111
+#define SSL_F_READ_N					 112
+#define SSL_F_REQUEST_CERTIFICATE			 113
+#define SSL_F_SERVER_HELLO				 114
+#define SSL_F_SSL23_ACCEPT				 115
+#define SSL_F_SSL23_CLIENT_HELLO			 116
+#define SSL_F_SSL23_CONNECT				 117
+#define SSL_F_SSL23_GET_CLIENT_HELLO			 118
+#define SSL_F_SSL23_GET_SERVER_HELLO			 119
+#define SSL_F_SSL23_READ				 120
+#define SSL_F_SSL23_WRITE				 121
+#define SSL_F_SSL2_ACCEPT				 122
+#define SSL_F_SSL2_CONNECT				 123
+#define SSL_F_SSL2_ENC_INIT				 124
+#define SSL_F_SSL2_READ					 125
+#define SSL_F_SSL2_SET_CERTIFICATE			 126
+#define SSL_F_SSL2_WRITE				 127
+#define SSL_F_SSL3_ACCEPT				 128
+#define SSL_F_SSL3_CALLBACK_CTRL			 233
+#define SSL_F_SSL3_CHANGE_CIPHER_STATE			 129
+#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM		 130
+#define SSL_F_SSL3_CLIENT_HELLO				 131
+#define SSL_F_SSL3_CONNECT				 132
+#define SSL_F_SSL3_CTRL					 213
+#define SSL_F_SSL3_CTX_CTRL				 133
+#define SSL_F_SSL3_ENC					 134
+#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST		 135
+#define SSL_F_SSL3_GET_CERT_VERIFY			 136
+#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE		 137
+#define SSL_F_SSL3_GET_CLIENT_HELLO			 138
+#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE		 139
+#define SSL_F_SSL3_GET_FINISHED				 140
+#define SSL_F_SSL3_GET_KEY_EXCHANGE			 141
+#define SSL_F_SSL3_GET_MESSAGE				 142
+#define SSL_F_SSL3_GET_RECORD				 143
+#define SSL_F_SSL3_GET_SERVER_CERTIFICATE		 144
+#define SSL_F_SSL3_GET_SERVER_DONE			 145
+#define SSL_F_SSL3_GET_SERVER_HELLO			 146
+#define SSL_F_SSL3_OUTPUT_CERT_CHAIN			 147
+#define SSL_F_SSL3_READ_BYTES				 148
+#define SSL_F_SSL3_READ_N				 149
+#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST		 150
+#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE		 151
+#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE		 152
+#define SSL_F_SSL3_SEND_CLIENT_VERIFY			 153
+#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE		 154
+#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE		 155
+#define SSL_F_SSL3_SETUP_BUFFERS			 156
+#define SSL_F_SSL3_SETUP_KEY_BLOCK			 157
+#define SSL_F_SSL3_WRITE_BYTES				 158
+#define SSL_F_SSL3_WRITE_PENDING			 159
+#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK	 215
+#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK	 216
+#define SSL_F_SSL_BAD_METHOD				 160
+#define SSL_F_SSL_BYTES_TO_CIPHER_LIST			 161
+#define SSL_F_SSL_CERT_DUP				 221
+#define SSL_F_SSL_CERT_INST				 222
+#define SSL_F_SSL_CERT_INSTANTIATE			 214
+#define SSL_F_SSL_CERT_NEW				 162
+#define SSL_F_SSL_CHECK_PRIVATE_KEY			 163
+#define SSL_F_SSL_CIPHER_PROCESS_RULESTR		 230
+#define SSL_F_SSL_CIPHER_STRENGTH_SORT			 231
+#define SSL_F_SSL_CLEAR					 164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
+#define SSL_F_SSL_CREATE_CIPHER_LIST			 166
+#define SSL_F_SSL_CTRL					 232
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
+#define SSL_F_SSL_CTX_NEW				 169
+#define SSL_F_SSL_CTX_SET_PURPOSE			 226
+#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT		 219
+#define SSL_F_SSL_CTX_SET_SSL_VERSION			 170
+#define SSL_F_SSL_CTX_SET_TRUST				 229
+#define SSL_F_SSL_CTX_USE_CERTIFICATE			 171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1		 172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE	 220
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE		 173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY			 174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1		 175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE		 176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY			 177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1		 178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE		 179
+#define SSL_F_SSL_DO_HANDSHAKE				 180
+#define SSL_F_SSL_GET_NEW_SESSION			 181
+#define SSL_F_SSL_GET_PREV_SESSION			 217
+#define SSL_F_SSL_GET_SERVER_SEND_CERT			 182
+#define SSL_F_SSL_GET_SIGN_PKEY				 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER			 184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
+#define SSL_F_SSL_NEW					 186
+#define SSL_F_SSL_READ					 223
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT			 187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT			 188
+#define SSL_F_SSL_SESSION_NEW				 189
+#define SSL_F_SSL_SESSION_PRINT_FP			 190
+#define SSL_F_SSL_SESS_CERT_NEW				 225
+#define SSL_F_SSL_SET_CERT				 191
+#define SSL_F_SSL_SET_FD				 192
+#define SSL_F_SSL_SET_PKEY				 193
+#define SSL_F_SSL_SET_PURPOSE				 227
+#define SSL_F_SSL_SET_RFD				 194
+#define SSL_F_SSL_SET_SESSION				 195
+#define SSL_F_SSL_SET_SESSION_ID_CONTEXT		 218
+#define SSL_F_SSL_SET_TRUST				 228
+#define SSL_F_SSL_SET_WFD				 196
+#define SSL_F_SSL_SHUTDOWN				 224
+#define SSL_F_SSL_UNDEFINED_FUNCTION			 197
+#define SSL_F_SSL_USE_CERTIFICATE			 198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1			 199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE			 200
+#define SSL_F_SSL_USE_PRIVATEKEY			 201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1			 202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE			 203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY			 204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1		 205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN			 207
+#define SSL_F_SSL_WRITE					 208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE			 209
+#define SSL_F_TLS1_ENC					 210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
+#define SSL_F_WRITE_PENDING				 212
+
+/* Reason codes. */
+#define SSL_R_APP_DATA_IN_HANDSHAKE			 100
+#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
+#define SSL_R_BAD_ALERT_RECORD				 101
+#define SSL_R_BAD_AUTHENTICATION_TYPE			 102
+#define SSL_R_BAD_CHANGE_CIPHER_SPEC			 103
+#define SSL_R_BAD_CHECKSUM				 104
+#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK		 106
+#define SSL_R_BAD_DECOMPRESSION				 107
+#define SSL_R_BAD_DH_G_LENGTH				 108
+#define SSL_R_BAD_DH_PUB_KEY_LENGTH			 109
+#define SSL_R_BAD_DH_P_LENGTH				 110
+#define SSL_R_BAD_DIGEST_LENGTH				 111
+#define SSL_R_BAD_DSA_SIGNATURE				 112
+#define SSL_R_BAD_HELLO_REQUEST				 105
+#define SSL_R_BAD_LENGTH				 271
+#define SSL_R_BAD_MAC_DECODE				 113
+#define SSL_R_BAD_MESSAGE_TYPE				 114
+#define SSL_R_BAD_PACKET_LENGTH				 115
+#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER		 116
+#define SSL_R_BAD_RESPONSE_ARGUMENT			 117
+#define SSL_R_BAD_RSA_DECRYPT				 118
+#define SSL_R_BAD_RSA_ENCRYPT				 119
+#define SSL_R_BAD_RSA_E_LENGTH				 120
+#define SSL_R_BAD_RSA_MODULUS_LENGTH			 121
+#define SSL_R_BAD_RSA_SIGNATURE				 122
+#define SSL_R_BAD_SIGNATURE				 123
+#define SSL_R_BAD_SSL_FILETYPE				 124
+#define SSL_R_BAD_SSL_SESSION_ID_LENGTH			 125
+#define SSL_R_BAD_STATE					 126
+#define SSL_R_BAD_WRITE_RETRY				 127
+#define SSL_R_BIO_NOT_SET				 128
+#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG			 129
+#define SSL_R_BN_LIB					 130
+#define SSL_R_CA_DN_LENGTH_MISMATCH			 131
+#define SSL_R_CA_DN_TOO_LONG				 132
+#define SSL_R_CCS_RECEIVED_EARLY			 133
+#define SSL_R_CERTIFICATE_VERIFY_FAILED			 134
+#define SSL_R_CERT_LENGTH_MISMATCH			 135
+#define SSL_R_CHALLENGE_IS_DIFFERENT			 136
+#define SSL_R_CIPHER_CODE_WRONG_LENGTH			 137
+#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE		 138
+#define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
+#define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
+#define SSL_R_COMPRESSION_FAILURE			 141
+#define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
+#define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
+#define SSL_R_CONNECTION_TYPE_NOT_SET			 144
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
+#define SSL_R_DATA_LENGTH_TOO_LONG			 146
+#define SSL_R_DECRYPTION_FAILED				 147
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
+#define SSL_R_DIGEST_CHECK_FAILED			 149
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
+#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 1092
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
+#define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
+#define SSL_R_HTTPS_PROXY_REQUEST			 155
+#define SSL_R_HTTP_REQUEST				 156
+#define SSL_R_INTERNAL_ERROR				 157
+#define SSL_R_INVALID_CHALLENGE_LENGTH			 158
+#define SSL_R_INVALID_COMMAND				 280
+#define SSL_R_INVALID_PURPOSE				 278
+#define SSL_R_INVALID_TRUST				 279
+#define SSL_R_LENGTH_MISMATCH				 159
+#define SSL_R_LENGTH_TOO_SHORT				 160
+#define SSL_R_LIBRARY_BUG				 274
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS			 161
+#define SSL_R_MISSING_DH_DSA_CERT			 162
+#define SSL_R_MISSING_DH_KEY				 163
+#define SSL_R_MISSING_DH_RSA_CERT			 164
+#define SSL_R_MISSING_DSA_SIGNING_CERT			 165
+#define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
+#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
+#define SSL_R_MISSING_RSA_CERTIFICATE			 168
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 169
+#define SSL_R_MISSING_RSA_SIGNING_CERT			 170
+#define SSL_R_MISSING_TMP_DH_KEY			 171
+#define SSL_R_MISSING_TMP_RSA_KEY			 172
+#define SSL_R_MISSING_TMP_RSA_PKEY			 173
+#define SSL_R_MISSING_VERIFY_MESSAGE			 174
+#define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
+#define SSL_R_NO_CERTIFICATES_RETURNED			 176
+#define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
+#define SSL_R_NO_CERTIFICATE_RETURNED			 178
+#define SSL_R_NO_CERTIFICATE_SET			 179
+#define SSL_R_NO_CERTIFICATE_SPECIFIED			 180
+#define SSL_R_NO_CIPHERS_AVAILABLE			 181
+#define SSL_R_NO_CIPHERS_PASSED				 182
+#define SSL_R_NO_CIPHERS_SPECIFIED			 183
+#define SSL_R_NO_CIPHER_LIST				 184
+#define SSL_R_NO_CIPHER_MATCH				 185
+#define SSL_R_NO_CLIENT_CERT_RECEIVED			 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED			 187
+#define SSL_R_NO_METHOD_SPECIFIED			 188
+#define SSL_R_NO_PRIVATEKEY				 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE			 191
+#define SSL_R_NO_PUBLICKEY				 192
+#define SSL_R_NO_SHARED_CIPHER				 193
+#define SSL_R_NO_VERIFY_CALLBACK			 194
+#define SSL_R_NULL_SSL_CTX				 195
+#define SSL_R_NULL_SSL_METHOD_PASSED			 196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
+#define SSL_R_PACKET_LENGTH_TOO_LONG			 198
+#define SSL_R_PATH_TOO_LONG				 270
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 199
+#define SSL_R_PEER_ERROR				 200
+#define SSL_R_PEER_ERROR_CERTIFICATE			 201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE			 202
+#define SSL_R_PEER_ERROR_NO_CIPHER			 203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN			 207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 209
+#define SSL_R_PUBLIC_KEY_NOT_RSA			 210
+#define SSL_R_READ_BIO_NOT_SET				 211
+#define SSL_R_READ_WRONG_PACKET_TYPE			 212
+#define SSL_R_RECORD_LENGTH_MISMATCH			 213
+#define SSL_R_RECORD_TOO_LARGE				 214
+#define SSL_R_REQUIRED_CIPHER_MISSING			 215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218
+#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED		 277
+#define SSL_R_SHORT_READ				 219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
+#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
+#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED		 1045
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED		 1044
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN		 1046
+#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE		 1030
+#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		 1040
+#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		 1047
+#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE		 1041
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
+#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		 1010
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 227
+#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	 1043
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 228
+#define SSL_R_SSL_HANDSHAKE_FAILURE			 229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 230
+#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG		 273
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 231
+#define SSL_R_TLSV1_ALERT_ACCESS_DENIED			 1049
+#define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
+#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
+#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		 1060
+#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
+#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
+#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
+#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		 1070
+#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		 1022
+#define SSL_R_TLSV1_ALERT_UNKNOWN_CA			 1048
+#define SSL_R_TLSV1_ALERT_USER_CANCELLED		 1090
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 243
+#define SSL_R_UNEXPECTED_MESSAGE			 244
+#define SSL_R_UNEXPECTED_RECORD				 245
+#define SSL_R_UNINITIALIZED				 276
+#define SSL_R_UNKNOWN_ALERT_TYPE			 246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED			 248
+#define SSL_R_UNKNOWN_CIPHER_TYPE			 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 250
+#define SSL_R_UNKNOWN_PKEY_TYPE				 251
+#define SSL_R_UNKNOWN_PROTOCOL				 252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
+#define SSL_R_UNKNOWN_SSL_VERSION			 254
+#define SSL_R_UNKNOWN_STATE				 255
+#define SSL_R_UNSUPPORTED_CIPHER			 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
+#define SSL_R_UNSUPPORTED_OPTION			 1091
+#define SSL_R_UNSUPPORTED_PROTOCOL			 258
+#define SSL_R_UNSUPPORTED_SSL_VERSION			 259
+#define SSL_R_WRITE_BIO_NOT_SET				 260
+#define SSL_R_WRONG_CIPHER_RETURNED			 261
+#define SSL_R_WRONG_MESSAGE_TYPE			 262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 263
+#define SSL_R_WRONG_SIGNATURE_LENGTH			 264
+#define SSL_R_WRONG_SIGNATURE_SIZE			 265
+#define SSL_R_WRONG_SSL_VERSION				 266
+#define SSL_R_WRONG_VERSION_NUMBER			 267
+#define SSL_R_X509_LIB					 268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h
new file mode 100644
index 0000000..01d41c8
--- /dev/null
+++ b/crypto/openssl/ssl/ssl2.h
@@ -0,0 +1,265 @@
+/* ssl/ssl2.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SSL2_H 
+#define HEADER_SSL2_H 
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Protocol Version Codes */
+#define SSL2_VERSION		0x0002
+#define SSL2_VERSION_MAJOR	0x00
+#define SSL2_VERSION_MINOR	0x02
+/* #define SSL2_CLIENT_VERSION	0x0002 */
+/* #define SSL2_SERVER_VERSION	0x0002 */
+
+/* Protocol Message Codes */
+#define SSL2_MT_ERROR			0
+#define SSL2_MT_CLIENT_HELLO		1
+#define SSL2_MT_CLIENT_MASTER_KEY	2
+#define SSL2_MT_CLIENT_FINISHED		3
+#define SSL2_MT_SERVER_HELLO		4
+#define SSL2_MT_SERVER_VERIFY		5
+#define SSL2_MT_SERVER_FINISHED		6
+#define SSL2_MT_REQUEST_CERTIFICATE	7
+#define SSL2_MT_CLIENT_CERTIFICATE	8
+
+/* Error Message Codes */
+#define SSL2_PE_UNDEFINED_ERROR		0x0000
+#define SSL2_PE_NO_CIPHER		0x0001
+#define SSL2_PE_NO_CERTIFICATE		0x0002
+#define SSL2_PE_BAD_CERTIFICATE		0x0004
+#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
+
+/* Cipher Kind Values */
+#define SSL2_CK_NULL_WITH_MD5			0x02000000 /* v3 */
+#define SSL2_CK_RC4_128_WITH_MD5		0x02010080
+#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5	0x02020080
+#define SSL2_CK_RC2_128_CBC_WITH_MD5		0x02030080
+#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5	0x02040080
+#define SSL2_CK_IDEA_128_CBC_WITH_MD5		0x02050080
+#define SSL2_CK_DES_64_CBC_WITH_MD5		0x02060040
+#define SSL2_CK_DES_64_CBC_WITH_SHA		0x02060140 /* v3 */
+#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5	0x020700c0
+#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA	0x020701c0 /* v3 */
+#define SSL2_CK_RC4_64_WITH_MD5			0x02080080 /* MS hack */
+ 
+#define SSL2_CK_DES_64_CFB64_WITH_MD5_1		0x02ff0800 /* SSLeay */
+#define SSL2_CK_NULL				0x02ff0810 /* SSLeay */
+
+#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1	"DES-CFB-M1"
+#define SSL2_TXT_NULL_WITH_MD5			"NULL-MD5"
+#define SSL2_TXT_RC4_128_WITH_MD5		"RC4-MD5"
+#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5	"EXP-RC4-MD5"
+#define SSL2_TXT_RC2_128_CBC_WITH_MD5		"RC2-CBC-MD5"
+#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5	"EXP-RC2-CBC-MD5"
+#define SSL2_TXT_IDEA_128_CBC_WITH_MD5		"IDEA-CBC-MD5"
+#define SSL2_TXT_DES_64_CBC_WITH_MD5		"DES-CBC-MD5"
+#define SSL2_TXT_DES_64_CBC_WITH_SHA		"DES-CBC-SHA"
+#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5	"DES-CBC3-MD5"
+#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA	"DES-CBC3-SHA"
+#define SSL2_TXT_RC4_64_WITH_MD5		"RC4-64-MD5"
+
+#define SSL2_TXT_NULL				"NULL"
+
+/* Flags for the SSL_CIPHER.algorithm2 field */
+#define SSL2_CF_5_BYTE_ENC			0x01
+#define SSL2_CF_8_BYTE_ENC			0x02
+
+/* Certificate Type Codes */
+#define SSL2_CT_X509_CERTIFICATE		0x01
+
+/* Authentication Type Code */
+#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION		0x01
+
+#define SSL2_MAX_SSL_SESSION_ID_LENGTH		32
+
+/* Upper/Lower Bounds */
+#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS	256
+#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER	(unsigned int)32767 
+#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER	16383 /**/
+
+#define SSL2_CHALLENGE_LENGTH	16
+/*#define SSL2_CHALLENGE_LENGTH	32 */
+#define SSL2_MIN_CHALLENGE_LENGTH	16
+#define SSL2_MAX_CHALLENGE_LENGTH	32
+#define SSL2_CONNECTION_ID_LENGTH	16
+#define SSL2_MAX_CONNECTION_ID_LENGTH	16
+#define SSL2_SSL_SESSION_ID_LENGTH	16
+#define SSL2_MAX_CERT_CHALLENGE_LENGTH	32
+#define SSL2_MIN_CERT_CHALLENGE_LENGTH	16
+#define SSL2_MAX_KEY_MATERIAL_LENGTH	24
+
+#ifndef HEADER_SSL_LOCL_H
+#define  CERT		char
+#endif
+
+typedef struct ssl2_state_st
+	{
+	int three_byte_header;
+	int clear_text;		/* clear text */
+	int escape;		/* not used in SSLv2 */
+	int ssl2_rollback;	/* used if SSLv23 rolled back to SSLv2 */
+
+	/* non-blocking io info, used to make sure the same
+	 * args were passwd */
+	unsigned int wnum;	/* number of bytes sent so far */
+	int wpend_tot;
+	const unsigned char *wpend_buf;
+
+	int wpend_off;	/* offset to data to write */
+	int wpend_len; 	/* number of bytes passwd to write */
+	int wpend_ret; 	/* number of bytes to return to caller */
+
+	/* buffer raw data */
+	int rbuf_left;
+	int rbuf_offs;
+	unsigned char *rbuf;
+	unsigned char *wbuf;
+
+	unsigned char *write_ptr;/* used to point to the start due to
+				  * 2/3 byte header. */
+
+	unsigned int padding;
+	unsigned int rlength; /* passed to ssl2_enc */
+	int ract_data_length; /* Set when things are encrypted. */
+	unsigned int wlength; /* passed to ssl2_enc */
+	int wact_data_length; /* Set when things are decrypted. */
+	unsigned char *ract_data;
+	unsigned char *wact_data;
+	unsigned char *mac_data;
+	unsigned char *pad_data;
+
+	unsigned char *read_key;
+	unsigned char *write_key;
+
+		/* Stuff specifically to do with this SSL session */
+	unsigned int challenge_length;
+	unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
+	unsigned int conn_id_length;
+	unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
+	unsigned int key_material_length;
+	unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
+
+	unsigned long read_sequence;
+	unsigned long write_sequence;
+
+	struct	{
+		unsigned int conn_id_length;
+		unsigned int cert_type;	
+		unsigned int cert_length;
+		int csl; 
+		int clear;
+		unsigned int enc; 
+		unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
+		int cipher_spec_length;
+		unsigned int session_id_length;
+		unsigned int clen;
+		unsigned int rlen;
+		} tmp;
+	} SSL2_STATE;
+
+/* SSLv2 */
+/* client */
+#define SSL2_ST_SEND_CLIENT_HELLO_A		(0x10|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_HELLO_B		(0x11|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_HELLO_A		(0x20|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_HELLO_B		(0x21|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A	(0x30|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B	(0x31|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_FINISHED_A		(0x40|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_FINISHED_B		(0x41|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A	(0x50|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B	(0x51|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C	(0x52|SSL_ST_CONNECT)
+#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D	(0x53|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_VERIFY_A		(0x60|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_VERIFY_B		(0x61|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_FINISHED_A		(0x70|SSL_ST_CONNECT)
+#define SSL2_ST_GET_SERVER_FINISHED_B		(0x71|SSL_ST_CONNECT)
+#define SSL2_ST_CLIENT_START_ENCRYPTION		(0x80|SSL_ST_CONNECT)
+#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE	(0x90|SSL_ST_CONNECT)
+/* server */
+#define SSL2_ST_GET_CLIENT_HELLO_A		(0x10|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_HELLO_B		(0x11|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_HELLO_C		(0x12|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_HELLO_A		(0x20|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_HELLO_B		(0x21|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_MASTER_KEY_A		(0x30|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_MASTER_KEY_B		(0x31|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_VERIFY_A		(0x40|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_VERIFY_B		(0x41|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_VERIFY_C		(0x42|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_FINISHED_A		(0x50|SSL_ST_ACCEPT)
+#define SSL2_ST_GET_CLIENT_FINISHED_B		(0x51|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_FINISHED_A		(0x60|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_SERVER_FINISHED_B		(0x61|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A	(0x70|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B	(0x71|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C	(0x72|SSL_ST_ACCEPT)
+#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D	(0x73|SSL_ST_ACCEPT)
+#define SSL2_ST_SERVER_START_ENCRYPTION		(0x80|SSL_ST_ACCEPT)
+#define SSL2_ST_X509_GET_SERVER_CERTIFICATE	(0x90|SSL_ST_ACCEPT)
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/ssl/ssl23.h b/crypto/openssl/ssl/ssl23.h
new file mode 100644
index 0000000..d322898
--- /dev/null
+++ b/crypto/openssl/ssl/ssl23.h
@@ -0,0 +1,83 @@
+/* ssl/ssl23.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SSL23_H 
+#define HEADER_SSL23_H 
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/*client */
+/* write to server */
+#define SSL23_ST_CW_CLNT_HELLO_A	(0x210|SSL_ST_CONNECT)
+#define SSL23_ST_CW_CLNT_HELLO_B	(0x211|SSL_ST_CONNECT)
+/* read from server */
+#define SSL23_ST_CR_SRVR_HELLO_A	(0x220|SSL_ST_CONNECT)
+#define SSL23_ST_CR_SRVR_HELLO_B	(0x221|SSL_ST_CONNECT)
+
+/* server */
+/* read from client */
+#define SSL23_ST_SR_CLNT_HELLO_A	(0x210|SSL_ST_ACCEPT)
+#define SSL23_ST_SR_CLNT_HELLO_B	(0x211|SSL_ST_ACCEPT)
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
new file mode 100644
index 0000000..f616763
--- /dev/null
+++ b/crypto/openssl/ssl/ssl3.h
@@ -0,0 +1,426 @@
+/* ssl/ssl3.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SSL3_H 
+#define HEADER_SSL3_H 
+
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+#include <openssl/ssl.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define SSL3_CK_RSA_NULL_MD5			0x03000001
+#define SSL3_CK_RSA_NULL_SHA			0x03000002
+#define SSL3_CK_RSA_RC4_40_MD5 			0x03000003
+#define SSL3_CK_RSA_RC4_128_MD5			0x03000004
+#define SSL3_CK_RSA_RC4_128_SHA			0x03000005
+#define SSL3_CK_RSA_RC2_40_MD5			0x03000006
+#define SSL3_CK_RSA_IDEA_128_SHA		0x03000007
+#define SSL3_CK_RSA_DES_40_CBC_SHA		0x03000008
+#define SSL3_CK_RSA_DES_64_CBC_SHA		0x03000009
+#define SSL3_CK_RSA_DES_192_CBC3_SHA		0x0300000A
+
+#define SSL3_CK_DH_DSS_DES_40_CBC_SHA		0x0300000B
+#define SSL3_CK_DH_DSS_DES_64_CBC_SHA		0x0300000C
+#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 	0x0300000D
+#define SSL3_CK_DH_RSA_DES_40_CBC_SHA		0x0300000E
+#define SSL3_CK_DH_RSA_DES_64_CBC_SHA		0x0300000F
+#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 	0x03000010
+
+#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA		0x03000011
+#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA		0x03000012
+#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA	0x03000013
+#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA		0x03000014
+#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA		0x03000015
+#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA	0x03000016
+
+#define SSL3_CK_ADH_RC4_40_MD5			0x03000017
+#define SSL3_CK_ADH_RC4_128_MD5			0x03000018
+#define SSL3_CK_ADH_DES_40_CBC_SHA		0x03000019
+#define SSL3_CK_ADH_DES_64_CBC_SHA		0x0300001A
+#define SSL3_CK_ADH_DES_192_CBC_SHA		0x0300001B
+
+#define SSL3_CK_FZA_DMS_NULL_SHA		0x0300001C
+#define SSL3_CK_FZA_DMS_FZA_SHA			0x0300001D
+#define SSL3_CK_FZA_DMS_RC4_SHA			0x0300001E
+
+#define SSL3_TXT_RSA_NULL_MD5			"NULL-MD5"
+#define SSL3_TXT_RSA_NULL_SHA			"NULL-SHA"
+#define SSL3_TXT_RSA_RC4_40_MD5 		"EXP-RC4-MD5"
+#define SSL3_TXT_RSA_RC4_128_MD5		"RC4-MD5"
+#define SSL3_TXT_RSA_RC4_128_SHA		"RC4-SHA"
+#define SSL3_TXT_RSA_RC2_40_MD5			"EXP-RC2-CBC-MD5"
+#define SSL3_TXT_RSA_IDEA_128_SHA		"IDEA-CBC-SHA"
+#define SSL3_TXT_RSA_DES_40_CBC_SHA		"EXP-DES-CBC-SHA"
+#define SSL3_TXT_RSA_DES_64_CBC_SHA		"DES-CBC-SHA"
+#define SSL3_TXT_RSA_DES_192_CBC3_SHA		"DES-CBC3-SHA"
+
+#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA		"EXP-DH-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA		"DH-DSS-DES-CBC-SHA"
+#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA 	"DH-DSS-DES-CBC3-SHA"
+#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA		"EXP-DH-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA		"DH-RSA-DES-CBC-SHA"
+#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA 	"DH-RSA-DES-CBC3-SHA"
+
+#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA		"EXP-EDH-DSS-DES-CBC-SHA"
+#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA		"EDH-DSS-DES-CBC-SHA"
+#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA	"EDH-DSS-DES-CBC3-SHA"
+#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA		"EXP-EDH-RSA-DES-CBC-SHA"
+#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA		"EDH-RSA-DES-CBC-SHA"
+#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA	"EDH-RSA-DES-CBC3-SHA"
+
+#define SSL3_TXT_ADH_RC4_40_MD5			"EXP-ADH-RC4-MD5"
+#define SSL3_TXT_ADH_RC4_128_MD5		"ADH-RC4-MD5"
+#define SSL3_TXT_ADH_DES_40_CBC_SHA		"EXP-ADH-DES-CBC-SHA"
+#define SSL3_TXT_ADH_DES_64_CBC_SHA		"ADH-DES-CBC-SHA"
+#define SSL3_TXT_ADH_DES_192_CBC_SHA		"ADH-DES-CBC3-SHA"
+
+#define SSL3_TXT_FZA_DMS_NULL_SHA		"FZA-NULL-SHA"
+#define SSL3_TXT_FZA_DMS_FZA_SHA		"FZA-FZA-CBC-SHA"
+#define SSL3_TXT_FZA_DMS_RC4_SHA		"FZA-RC4-SHA"
+
+#define SSL3_SSL_SESSION_ID_LENGTH		32
+#define SSL3_MAX_SSL_SESSION_ID_LENGTH		32
+
+#define SSL3_MASTER_SECRET_SIZE			48
+#define SSL3_RANDOM_SIZE			32
+#define SSL3_SESSION_ID_SIZE			32
+#define SSL3_RT_HEADER_LENGTH			5
+
+/* Due to MS stuffing up, this can change.... */
+#if defined(WIN16) || (defined(MSDOS) && !defined(WIN32))
+#define SSL3_RT_MAX_EXTRA			(14000)
+#else
+#define SSL3_RT_MAX_EXTRA			(16384)
+#endif
+
+#define SSL3_RT_MAX_PLAIN_LENGTH		16384
+#define SSL3_RT_MAX_COMPRESSED_LENGTH	(1024+SSL3_RT_MAX_PLAIN_LENGTH)
+#define SSL3_RT_MAX_ENCRYPTED_LENGTH	(1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
+#define SSL3_RT_MAX_PACKET_SIZE		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
+#define SSL3_RT_MAX_DATA_SIZE			(1024*1024)
+
+#define SSL3_MD_CLIENT_FINISHED_CONST	"\x43\x4C\x4E\x54"
+#define SSL3_MD_SERVER_FINISHED_CONST	"\x53\x52\x56\x52"
+
+#define SSL3_VERSION			0x0300
+#define SSL3_VERSION_MAJOR		0x03
+#define SSL3_VERSION_MINOR		0x00
+
+#define SSL3_RT_CHANGE_CIPHER_SPEC	20
+#define SSL3_RT_ALERT			21
+#define SSL3_RT_HANDSHAKE		22
+#define SSL3_RT_APPLICATION_DATA	23
+
+#define SSL3_AL_WARNING			1
+#define SSL3_AL_FATAL			2
+
+#define SSL3_AD_CLOSE_NOTIFY		 0
+#define SSL3_AD_UNEXPECTED_MESSAGE	10	/* fatal */
+#define SSL3_AD_BAD_RECORD_MAC		20	/* fatal */
+#define SSL3_AD_DECOMPRESSION_FAILURE	30	/* fatal */
+#define SSL3_AD_HANDSHAKE_FAILURE	40	/* fatal */
+#define SSL3_AD_NO_CERTIFICATE		41
+#define SSL3_AD_BAD_CERTIFICATE		42
+#define SSL3_AD_UNSUPPORTED_CERTIFICATE	43
+#define SSL3_AD_CERTIFICATE_REVOKED	44
+#define SSL3_AD_CERTIFICATE_EXPIRED	45
+#define SSL3_AD_CERTIFICATE_UNKNOWN	46
+#define SSL3_AD_ILLEGAL_PARAMETER	47	/* fatal */
+
+typedef struct ssl3_record_st
+	{
+/*r */	int type;               /* type of record */
+/*rw*/	unsigned int length;    /* How many bytes available */
+/*r */	unsigned int off;       /* read/write offset into 'buf' */
+/*rw*/	unsigned char *data;    /* pointer to the record data */
+/*rw*/	unsigned char *input;   /* where the decode bytes are */
+/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
+	} SSL3_RECORD;
+
+typedef struct ssl3_buffer_st
+	{
+	unsigned char *buf;	/* SSL3_RT_MAX_PACKET_SIZE bytes (more if
+	                   	 * SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER is set) */
+	int offset;		/* where to 'copy from' */
+	int left;		/* how many bytes left */
+	} SSL3_BUFFER;
+
+#define SSL3_CT_RSA_SIGN			1
+#define SSL3_CT_DSS_SIGN			2
+#define SSL3_CT_RSA_FIXED_DH			3
+#define SSL3_CT_DSS_FIXED_DH			4
+#define SSL3_CT_RSA_EPHEMERAL_DH		5
+#define SSL3_CT_DSS_EPHEMERAL_DH		6
+#define SSL3_CT_FORTEZZA_DMS			20
+#define SSL3_CT_NUMBER				7
+
+#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS	0x0001
+#define SSL3_FLAGS_DELAY_CLIENT_FINISHED	0x0002
+#define SSL3_FLAGS_POP_BUFFER			0x0004
+#define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+
+typedef struct ssl3_state_st
+	{
+	long flags;
+	int delay_buf_pop_ret;
+
+	unsigned char read_sequence[8];
+	unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
+	unsigned char write_sequence[8];
+	unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
+
+	unsigned char server_random[SSL3_RANDOM_SIZE];
+	unsigned char client_random[SSL3_RANDOM_SIZE];
+
+	SSL3_BUFFER rbuf;	/* read IO goes into here */
+	SSL3_BUFFER wbuf;	/* write IO goes into here */
+
+	SSL3_RECORD rrec;	/* each decoded record goes in here */
+	SSL3_RECORD wrec;	/* goes out from here */
+
+	/* storage for Alert/Handshake protocol data received but not
+	 * yet processed by ssl3_read_bytes: */
+	unsigned char alert_fragment[2];
+	unsigned int alert_fragment_len;
+	unsigned char handshake_fragment[4];
+	unsigned int handshake_fragment_len;
+
+	/* partial write - check the numbers match */
+	unsigned int wnum;	/* number of bytes sent so far */
+	int wpend_tot;		/* number bytes written */
+	int wpend_type;
+	int wpend_ret;		/* number of bytes submitted */
+	const unsigned char *wpend_buf;
+
+	/* used during startup, digest all incoming/outgoing packets */
+	EVP_MD_CTX finish_dgst1;
+	EVP_MD_CTX finish_dgst2;
+
+	/* this is set whenerver we see a change_cipher_spec message
+	 * come in when we are not looking for one */
+	int change_cipher_spec;
+
+	int warn_alert;
+	int fatal_alert;
+	/* we allow one fatal and one warning alert to be outstanding,
+	 * send close alert via the warning alert */
+	int alert_dispatch;
+	unsigned char send_alert[2];
+
+	/* This flag is set when we should renegotiate ASAP, basically when
+	 * there is no more data in the read or write buffers */
+	int renegotiate;
+	int total_renegotiations;
+	int num_renegotiations;
+
+	int in_read_app_data;
+
+	struct	{
+		/* actually only needs to be 16+20 */
+		unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
+
+		/* actually only need to be 16+20 for SSLv3 and 12 for TLS */
+		unsigned char finish_md[EVP_MAX_MD_SIZE*2];
+		int finish_md_len;
+		unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
+		int peer_finish_md_len;
+		
+		unsigned long message_size;
+		int message_type;
+
+		/* used to hold the new cipher we are going to use */
+		SSL_CIPHER *new_cipher;
+#ifndef NO_DH
+		DH *dh;
+#endif
+		/* used when SSL_ST_FLUSH_DATA is entered */
+		int next_state;			
+
+		int reuse_message;
+
+		/* used for certificate requests */
+		int cert_req;
+		int ctype_num;
+		char ctype[SSL3_CT_NUMBER];
+		STACK_OF(X509_NAME) *ca_names;
+
+		int use_rsa_tmp;
+
+		int key_block_length;
+		unsigned char *key_block;
+
+		const EVP_CIPHER *new_sym_enc;
+		const EVP_MD *new_hash;
+#ifdef HEADER_COMP_H
+		const SSL_COMP *new_compression;
+#else
+		char *new_compression;
+#endif
+		int cert_request;
+		} tmp;
+
+	} SSL3_STATE;
+
+/* SSLv3 */
+/*client */
+/* extra state */
+#define SSL3_ST_CW_FLUSH		(0x100|SSL_ST_CONNECT)
+/* write to server */
+#define SSL3_ST_CW_CLNT_HELLO_A		(0x110|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CLNT_HELLO_B		(0x111|SSL_ST_CONNECT)
+/* read from server */
+#define SSL3_ST_CR_SRVR_HELLO_A		(0x120|SSL_ST_CONNECT)
+#define SSL3_ST_CR_SRVR_HELLO_B		(0x121|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_A		(0x130|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_B		(0x131|SSL_ST_CONNECT)
+#define SSL3_ST_CR_KEY_EXCH_A		(0x140|SSL_ST_CONNECT)
+#define SSL3_ST_CR_KEY_EXCH_B		(0x141|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_REQ_A		(0x150|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_REQ_B		(0x151|SSL_ST_CONNECT)
+#define SSL3_ST_CR_SRVR_DONE_A		(0x160|SSL_ST_CONNECT)
+#define SSL3_ST_CR_SRVR_DONE_B		(0x161|SSL_ST_CONNECT)
+/* write to server */
+#define SSL3_ST_CW_CERT_A		(0x170|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_B		(0x171|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_C		(0x172|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_D		(0x173|SSL_ST_CONNECT)
+#define SSL3_ST_CW_KEY_EXCH_A		(0x180|SSL_ST_CONNECT)
+#define SSL3_ST_CW_KEY_EXCH_B		(0x181|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_VRFY_A		(0x190|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_VRFY_B		(0x191|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CHANGE_A		(0x1A0|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CHANGE_B		(0x1A1|SSL_ST_CONNECT)
+#define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
+#define SSL3_ST_CW_FINISHED_B		(0x1B1|SSL_ST_CONNECT)
+/* read from server */
+#define SSL3_ST_CR_CHANGE_A		(0x1C0|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CHANGE_B		(0x1C1|SSL_ST_CONNECT)
+#define SSL3_ST_CR_FINISHED_A		(0x1D0|SSL_ST_CONNECT)
+#define SSL3_ST_CR_FINISHED_B		(0x1D1|SSL_ST_CONNECT)
+
+/* server */
+/* extra state */
+#define SSL3_ST_SW_FLUSH		(0x100|SSL_ST_ACCEPT)
+/* read from client */
+/* Do not change the number values, they do matter */
+#define SSL3_ST_SR_CLNT_HELLO_A		(0x110|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CLNT_HELLO_B		(0x111|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CLNT_HELLO_C		(0x112|SSL_ST_ACCEPT)
+/* write to client */
+#define SSL3_ST_SW_HELLO_REQ_A		(0x120|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_HELLO_REQ_B		(0x121|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_HELLO_REQ_C		(0x122|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_SRVR_HELLO_A		(0x130|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_SRVR_HELLO_B		(0x131|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_A		(0x140|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_B		(0x141|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_KEY_EXCH_A		(0x150|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_KEY_EXCH_B		(0x151|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_REQ_A		(0x160|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_REQ_B		(0x161|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_SRVR_DONE_A		(0x170|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_SRVR_DONE_B		(0x171|SSL_ST_ACCEPT)
+/* read from client */
+#define SSL3_ST_SR_CERT_A		(0x180|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CERT_B		(0x181|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_KEY_EXCH_A		(0x190|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_KEY_EXCH_B		(0x191|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CERT_VRFY_A		(0x1A0|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CERT_VRFY_B		(0x1A1|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_FINISHED_B		(0x1C1|SSL_ST_ACCEPT)
+/* write to client */
+#define SSL3_ST_SW_CHANGE_A		(0x1D0|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CHANGE_B		(0x1D1|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_FINISHED_A		(0x1E0|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_FINISHED_B		(0x1E1|SSL_ST_ACCEPT)
+
+#define SSL3_MT_HELLO_REQUEST			0
+#define SSL3_MT_CLIENT_HELLO			1
+#define SSL3_MT_SERVER_HELLO			2
+#define SSL3_MT_CERTIFICATE			11
+#define SSL3_MT_SERVER_KEY_EXCHANGE		12
+#define SSL3_MT_CERTIFICATE_REQUEST		13
+#define SSL3_MT_SERVER_DONE			14
+#define SSL3_MT_CERTIFICATE_VERIFY		15
+#define SSL3_MT_CLIENT_KEY_EXCHANGE		16
+#define SSL3_MT_FINISHED			20
+
+#define SSL3_MT_CCS				1
+
+/* These are used when changing over to a new cipher */
+#define SSL3_CC_READ		0x01
+#define SSL3_CC_WRITE		0x02
+#define SSL3_CC_CLIENT		0x10
+#define SSL3_CC_SERVER		0x20
+#define SSL3_CHANGE_CIPHER_CLIENT_WRITE	(SSL3_CC_CLIENT|SSL3_CC_WRITE)	
+#define SSL3_CHANGE_CIPHER_SERVER_READ	(SSL3_CC_SERVER|SSL3_CC_READ)
+#define SSL3_CHANGE_CIPHER_CLIENT_READ	(SSL3_CC_CLIENT|SSL3_CC_READ)
+#define SSL3_CHANGE_CIPHER_SERVER_WRITE	(SSL3_CC_SERVER|SSL3_CC_WRITE)
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c
new file mode 100644
index 0000000..a91ee6d
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_algs.c
@@ -0,0 +1,103 @@
+/* ssl/ssl_algs.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include <openssl/lhash.h>
+#include "ssl_locl.h"
+
+int SSL_library_init(void)
+	{
+#ifndef NO_DES
+	EVP_add_cipher(EVP_des_cbc());
+	EVP_add_cipher(EVP_des_ede3_cbc());
+#endif
+#ifndef NO_IDEA
+	EVP_add_cipher(EVP_idea_cbc());
+#endif
+#ifndef NO_RC4
+	EVP_add_cipher(EVP_rc4());
+#endif  
+#ifndef NO_RC2
+	EVP_add_cipher(EVP_rc2_cbc());
+#endif  
+
+#ifndef NO_MD2
+	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
+	EVP_add_digest(EVP_md5());
+	EVP_add_digest_alias(SN_md5,"ssl2-md5");
+	EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef NO_SHA
+	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+#endif
+#if !defined(NO_SHA) && !defined(NO_DSA)
+	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+#endif
+
+	/* If you want support for phased out ciphers, add the following */
+#if 0
+	EVP_add_digest(EVP_sha());
+	EVP_add_digest(EVP_dss());
+#endif
+	return(1);
+	}
+
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
new file mode 100644
index 0000000..e77cddd
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -0,0 +1,349 @@
+/* ssl/ssl_asn1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include "ssl_locl.h"
+
+typedef struct ssl_session_asn1_st
+	{
+	ASN1_INTEGER version;
+	ASN1_INTEGER ssl_version;
+	ASN1_OCTET_STRING cipher;
+	ASN1_OCTET_STRING master_key;
+	ASN1_OCTET_STRING session_id;
+	ASN1_OCTET_STRING session_id_context;
+	ASN1_OCTET_STRING key_arg;
+	ASN1_INTEGER time;
+	ASN1_INTEGER timeout;
+	ASN1_INTEGER verify_result;
+	} SSL_SESSION_ASN1;
+
+int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
+	{
+#define LSIZE2 (sizeof(long)*2)
+	int v1=0,v2=0,v3=0,v4=0,v5=0;
+	unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
+	unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
+	long l;
+	SSL_SESSION_ASN1 a;
+	M_ASN1_I2D_vars(in);
+
+	if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
+		return(0);
+
+	/* Note that I cheat in the following 2 assignments.  I know
+	 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
+	 * is > sizeof(long)+1, the buffer will not be re-Malloc()ed.
+	 * This is a bit evil but makes things simple, no dynamic allocation
+	 * to clean up :-) */
+	a.version.length=LSIZE2;
+	a.version.type=V_ASN1_INTEGER;
+	a.version.data=ibuf1;
+	ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
+
+	a.ssl_version.length=LSIZE2;
+	a.ssl_version.type=V_ASN1_INTEGER;
+	a.ssl_version.data=ibuf2;
+	ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
+
+	a.cipher.type=V_ASN1_OCTET_STRING;
+	a.cipher.data=buf;
+
+	if (in->cipher == NULL)
+		l=in->cipher_id;
+	else
+		l=in->cipher->id;
+	if (in->ssl_version == SSL2_VERSION)
+		{
+		a.cipher.length=3;
+		buf[0]=((unsigned char)(l>>16L))&0xff;
+		buf[1]=((unsigned char)(l>> 8L))&0xff;
+		buf[2]=((unsigned char)(l     ))&0xff;
+		}
+	else
+		{
+		a.cipher.length=2;
+		buf[0]=((unsigned char)(l>>8L))&0xff;
+		buf[1]=((unsigned char)(l    ))&0xff;
+		}
+
+	a.master_key.length=in->master_key_length;
+	a.master_key.type=V_ASN1_OCTET_STRING;
+	a.master_key.data=in->master_key;
+
+	a.session_id.length=in->session_id_length;
+	a.session_id.type=V_ASN1_OCTET_STRING;
+	a.session_id.data=in->session_id;
+
+	a.session_id_context.length=in->sid_ctx_length;
+	a.session_id_context.type=V_ASN1_OCTET_STRING;
+	a.session_id_context.data=in->sid_ctx;
+
+	a.key_arg.length=in->key_arg_length;
+	a.key_arg.type=V_ASN1_OCTET_STRING;
+	a.key_arg.data=in->key_arg;
+
+	if (in->time != 0L)
+		{
+		a.time.length=LSIZE2;
+		a.time.type=V_ASN1_INTEGER;
+		a.time.data=ibuf3;
+		ASN1_INTEGER_set(&(a.time),in->time);
+		}
+
+	if (in->timeout != 0L)
+		{
+		a.timeout.length=LSIZE2;
+		a.timeout.type=V_ASN1_INTEGER;
+		a.timeout.data=ibuf4;
+		ASN1_INTEGER_set(&(a.timeout),in->timeout);
+		}
+
+	if (in->verify_result != X509_V_OK)
+		{
+		a.verify_result.length=LSIZE2;
+		a.verify_result.type=V_ASN1_INTEGER;
+		a.verify_result.data=ibuf5;
+		ASN1_INTEGER_set(&a.verify_result,in->verify_result);
+		}
+
+	M_ASN1_I2D_len(&(a.version),		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(&(a.ssl_version),	i2d_ASN1_INTEGER);
+	M_ASN1_I2D_len(&(a.cipher),		i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len(&(a.session_id),		i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len(&(a.master_key),		i2d_ASN1_OCTET_STRING);
+	if (in->key_arg_length > 0)
+		M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
+	if (in->time != 0L)
+		M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
+	if (in->timeout != 0L)
+		M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
+	if (in->peer != NULL)
+		M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
+	M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
+	if (in->verify_result != X509_V_OK)
+		M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(&(a.version),		i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(&(a.ssl_version),	i2d_ASN1_INTEGER);
+	M_ASN1_I2D_put(&(a.cipher),		i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put(&(a.session_id),		i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_put(&(a.master_key),		i2d_ASN1_OCTET_STRING);
+	if (in->key_arg_length > 0)
+		M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
+	if (in->time != 0L)
+		M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
+	if (in->timeout != 0L)
+		M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
+	if (in->peer != NULL)
+		M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
+	M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
+			       v4);
+	if (in->verify_result != X509_V_OK)
+		M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
+	M_ASN1_I2D_finish();
+	}
+
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+	     long length)
+	{
+	int version,ssl_version=0,i;
+	long id;
+	ASN1_INTEGER ai,*aip;
+	ASN1_OCTET_STRING os,*osp;
+	M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
+
+	aip= &ai;
+	osp= &os;
+
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+
+	ai.data=NULL; ai.length=0;
+	M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
+	version=(int)ASN1_INTEGER_get(aip);
+	if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; }
+
+	/* we don't care about the version right now :-) */
+	M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
+	ssl_version=(int)ASN1_INTEGER_get(aip);
+	ret->ssl_version=ssl_version;
+	if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; }
+
+	os.data=NULL; os.length=0;
+	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
+	if (ssl_version == SSL2_VERSION)
+		{
+		if (os.length != 3)
+			{
+			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+			goto err;
+			}
+		id=0x02000000L|
+			((unsigned long)os.data[0]<<16L)|
+			((unsigned long)os.data[1]<< 8L)|
+			 (unsigned long)os.data[2];
+		}
+	else if ((ssl_version>>8) == 3)
+		{
+		if (os.length != 2)
+			{
+			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+			goto err;
+			}
+		id=0x03000000L|
+			((unsigned long)os.data[0]<<8L)|
+			 (unsigned long)os.data[1];
+		}
+	else
+		{
+		SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
+		return(NULL);
+		}
+	
+	ret->cipher=NULL;
+	ret->cipher_id=id;
+
+	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
+	if ((ssl_version>>8) == SSL3_VERSION)
+		i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
+	else /* if (ssl_version == SSL2_VERSION) */
+		i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
+
+	if (os.length > i)
+		os.length=i;
+
+	ret->session_id_length=os.length;
+	memcpy(ret->session_id,os.data,os.length);
+
+	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
+	if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
+		ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
+	else
+		ret->master_key_length=os.length;
+	memcpy(ret->master_key,os.data,ret->master_key_length);
+
+	os.length=0;
+	M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
+	if (os.length > SSL_MAX_KEY_ARG_LENGTH)
+		ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
+	else
+		ret->key_arg_length=os.length;
+	memcpy(ret->key_arg,os.data,ret->key_arg_length);
+	if (os.data != NULL) Free(os.data);
+
+	ai.length=0;
+	M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
+	if (ai.data != NULL)
+		{
+		ret->time=ASN1_INTEGER_get(aip);
+		Free(ai.data); ai.data=NULL; ai.length=0;
+		}
+	else
+		ret->time=time(NULL);
+
+	ai.length=0;
+	M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
+	if (ai.data != NULL)
+		{
+		ret->timeout=ASN1_INTEGER_get(aip);
+		Free(ai.data); ai.data=NULL; ai.length=0;
+		}
+	else
+		ret->timeout=3;
+
+	if (ret->peer != NULL)
+		{
+		X509_free(ret->peer);
+		ret->peer=NULL;
+		}
+	M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
+
+	os.length=0;
+	os.data=NULL;
+	M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
+
+	if(os.data != NULL)
+	    {
+	    if (os.length > SSL_MAX_SID_CTX_LENGTH)
+		SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
+	    ret->sid_ctx_length=os.length;
+	    memcpy(ret->sid_ctx,os.data,os.length);
+	    Free(os.data); os.data=NULL; os.length=0;
+	    }
+	else
+	    ret->sid_ctx_length=0;
+
+	ai.length=0;
+	M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
+	if (ai.data != NULL)
+		{
+		ret->verify_result=ASN1_INTEGER_get(aip);
+		Free(ai.data); ai.data=NULL; ai.length=0;
+		}
+	else
+		ret->verify_result=X509_V_OK;
+
+	M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
+	}
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
new file mode 100644
index 0000000..0596b7c
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -0,0 +1,752 @@
+/*! \file ssl/ssl_cert.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
+#include <dirent.h>
+#endif
+
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
+#endif
+
+#include <openssl/objects.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include "ssl_locl.h"
+
+int SSL_get_ex_data_X509_STORE_CTX_idx(void)
+	{
+	static int ssl_x509_store_ctx_idx= -1;
+
+	if (ssl_x509_store_ctx_idx < 0)
+		{
+		ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
+			0,"SSL for verify callback",NULL,NULL,NULL);
+		}
+	return(ssl_x509_store_ctx_idx);
+	}
+
+CERT *ssl_cert_new(void)
+	{
+	CERT *ret;
+
+	ret=(CERT *)Malloc(sizeof(CERT));
+	if (ret == NULL)
+		{
+		SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	memset(ret,0,sizeof(CERT));
+
+	ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
+	ret->references=1;
+
+	return(ret);
+	}
+
+CERT *ssl_cert_dup(CERT *cert)
+	{
+	CERT *ret;
+	int i;
+
+	ret = (CERT *)Malloc(sizeof(CERT));
+	if (ret == NULL)
+		{
+		SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	memset(ret, 0, sizeof(CERT));
+
+	ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
+	/* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
+	 * if you find that more readable */
+
+	ret->valid = cert->valid;
+	ret->mask = cert->mask;
+	ret->export_mask = cert->export_mask;
+
+#ifndef NO_RSA
+	if (cert->rsa_tmp != NULL)
+		{
+		ret->rsa_tmp = cert->rsa_tmp;
+		CRYPTO_add(&ret->rsa_tmp->references, 1, CRYPTO_LOCK_RSA);
+		}
+	ret->rsa_tmp_cb = cert->rsa_tmp_cb;
+#endif
+
+#ifndef NO_DH
+	if (cert->dh_tmp != NULL)
+		{
+		/* DH parameters don't have a reference count */
+		ret->dh_tmp = DHparams_dup(cert->dh_tmp);
+		if (ret->dh_tmp == NULL)
+			{
+			SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
+			goto err;
+			}
+		if (cert->dh_tmp->priv_key)
+			{
+			BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
+			if (!b)
+				{
+				SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+				goto err;
+				}
+			ret->dh_tmp->priv_key = b;
+			}
+		if (cert->dh_tmp->pub_key)
+			{
+			BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
+			if (!b)
+				{
+				SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+				goto err;
+				}
+			ret->dh_tmp->pub_key = b;
+			}
+		}
+	ret->dh_tmp_cb = cert->dh_tmp_cb;
+#endif
+
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		if (cert->pkeys[i].x509 != NULL)
+			{
+			ret->pkeys[i].x509 = cert->pkeys[i].x509;
+			CRYPTO_add(&ret->pkeys[i].x509->references, 1,
+				CRYPTO_LOCK_X509);
+			}
+		
+		if (cert->pkeys[i].privatekey != NULL)
+			{
+			ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
+			CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
+				CRYPTO_LOCK_EVP_PKEY);
+
+			switch(i) 
+				{
+				/* If there was anything special to do for
+				 * certain types of keys, we'd do it here.
+				 * (Nothing at the moment, I think.) */
+
+			case SSL_PKEY_RSA_ENC:
+			case SSL_PKEY_RSA_SIGN:
+				/* We have an RSA key. */
+				break;
+				
+			case SSL_PKEY_DSA_SIGN:
+				/* We have a DSA key. */
+				break;
+				
+			case SSL_PKEY_DH_RSA:
+			case SSL_PKEY_DH_DSA:
+				/* We have a DH key. */
+				break;
+				
+			default:
+				/* Can't happen. */
+				SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
+				}
+			}
+		}
+	
+	/* ret->extra_certs *should* exist, but currently the own certificate
+	 * chain is held inside SSL_CTX */
+
+	ret->references=1;
+
+	return(ret);
+	
+err:
+#ifndef NO_RSA
+	if (ret->rsa_tmp != NULL)
+		RSA_free(ret->rsa_tmp);
+#endif
+#ifndef NO_DH
+	if (ret->dh_tmp != NULL)
+		DH_free(ret->dh_tmp);
+#endif
+
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		if (ret->pkeys[i].x509 != NULL)
+			X509_free(ret->pkeys[i].x509);
+		if (ret->pkeys[i].privatekey != NULL)
+			EVP_PKEY_free(ret->pkeys[i].privatekey);
+		}
+
+	return NULL;
+	}
+
+
+void ssl_cert_free(CERT *c)
+	{
+	int i;
+
+	if(c == NULL)
+	    return;
+
+	i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
+#ifdef REF_PRINT
+	REF_PRINT("CERT",c);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"ssl_cert_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+
+#ifndef NO_RSA
+	if (c->rsa_tmp) RSA_free(c->rsa_tmp);
+#endif
+#ifndef NO_DH
+	if (c->dh_tmp) DH_free(c->dh_tmp);
+#endif
+
+	for (i=0; i<SSL_PKEY_NUM; i++)
+		{
+		if (c->pkeys[i].x509 != NULL)
+			X509_free(c->pkeys[i].x509);
+		if (c->pkeys[i].privatekey != NULL)
+			EVP_PKEY_free(c->pkeys[i].privatekey);
+#if 0
+		if (c->pkeys[i].publickey != NULL)
+			EVP_PKEY_free(c->pkeys[i].publickey);
+#endif
+		}
+	Free(c);
+	}
+
+int ssl_cert_inst(CERT **o)
+	{
+	/* Create a CERT if there isn't already one
+	 * (which cannot really happen, as it is initially created in
+	 * SSL_CTX_new; but the earlier code usually allows for that one
+	 * being non-existant, so we follow that behaviour, as it might
+	 * turn out that there actually is a reason for it -- but I'm
+	 * not sure that *all* of the existing code could cope with
+	 * s->cert being NULL, otherwise we could do without the
+	 * initialization in SSL_CTX_new).
+	 */
+	
+	if (o == NULL) 
+		{
+		SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (*o == NULL)
+		{
+		if ((*o = ssl_cert_new()) == NULL)
+			{
+			SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		}
+	return(1);
+	}
+
+
+SESS_CERT *ssl_sess_cert_new(void)
+	{
+	SESS_CERT *ret;
+
+	ret = Malloc(sizeof *ret);
+	if (ret == NULL)
+		{
+		SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+
+	memset(ret, 0 ,sizeof *ret);
+	ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+	ret->references = 1;
+
+	return ret;
+	}
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+	{
+	int i;
+
+	if (sc == NULL)
+		return;
+
+	i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+	REF_PRINT("SESS_CERT", sc);
+#endif
+	if (i > 0)
+		return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+
+	/* i == 0 */
+	if (sc->cert_chain != NULL)
+		sk_X509_pop_free(sc->cert_chain, X509_free);
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		if (sc->peer_pkeys[i].x509 != NULL)
+			X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key.  These lines are just
+	   * here as a reminder that we're still using a not-quite-appropriate
+	   * data structure. */
+		if (sc->peer_pkeys[i].privatekey != NULL)
+			EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
+		}
+
+#ifndef NO_RSA
+	if (sc->peer_rsa_tmp != NULL)
+		RSA_free(sc->peer_rsa_tmp);
+#endif
+#ifndef NO_DH
+	if (sc->peer_dh_tmp != NULL)
+		DH_free(sc->peer_dh_tmp);
+#endif
+
+	Free(sc);
+	}
+
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
+	{
+	sc->peer_cert_type = type;
+	return(1);
+	}
+
+int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
+	{
+	X509 *x;
+	int i;
+	X509_STORE_CTX ctx;
+
+	if ((sk == NULL) || (sk_X509_num(sk) == 0))
+		return(0);
+
+	x=sk_X509_value(sk,0);
+	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
+	if (SSL_get_verify_depth(s) >= 0)
+		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+	/* We need to set the verify purpose. The purpose can be determined by
+	 * the context: if its a server it will verify SSL client certificates
+	 * or vice versa.
+         */
+
+	if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+	else i = X509_PURPOSE_SSL_SERVER;
+
+	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+
+	if (s->ctx->app_verify_callback != NULL)
+		i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
+	else
+		{
+#ifndef NO_X509_VERIFY
+		i=X509_verify_cert(&ctx);
+#else
+		i=0;
+		ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
+		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
+#endif
+		}
+
+	s->verify_result=ctx.error;
+	X509_STORE_CTX_cleanup(&ctx);
+
+	return(i);
+	}
+
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list)
+	{
+	if (*ca_list != NULL)
+		sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
+
+	*ca_list=list;
+	}
+
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
+	{
+	int i;
+	STACK_OF(X509_NAME) *ret;
+	X509_NAME *name;
+
+	ret=sk_X509_NAME_new_null();
+	for (i=0; i<sk_X509_NAME_num(sk); i++)
+		{
+		name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+		if ((name == NULL) || !sk_X509_NAME_push(ret,name))
+			{
+			sk_X509_NAME_pop_free(ret,X509_NAME_free);
+			return(NULL);
+			}
+		}
+	return(ret);
+	}
+
+void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list)
+	{
+	set_client_CA_list(&(s->client_CA),list);
+	}
+
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list)
+	{
+	set_client_CA_list(&(ctx->client_CA),list);
+	}
+
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+	{
+	return(ctx->client_CA);
+	}
+
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+	{
+	if (s->type == SSL_ST_CONNECT)
+		{ /* we are in the client */
+		if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
+			(s->s3 != NULL))
+			return(s->s3->tmp.ca_names);
+		else
+			return(NULL);
+		}
+	else
+		{
+		if (s->client_CA != NULL)
+			return(s->client_CA);
+		else
+			return(s->ctx->client_CA);
+		}
+	}
+
+static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
+	{
+	X509_NAME *name;
+
+	if (x == NULL) return(0);
+	if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
+		return(0);
+		
+	if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
+		return(0);
+
+	if (!sk_X509_NAME_push(*sk,name))
+		{
+		X509_NAME_free(name);
+		return(0);
+		}
+	return(1);
+	}
+
+int SSL_add_client_CA(SSL *ssl,X509 *x)
+	{
+	return(add_client_CA(&(ssl->client_CA),x));
+	}
+
+int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
+	{
+	return(add_client_CA(&(ctx->client_CA),x));
+	}
+
+static int xname_cmp(X509_NAME **a,X509_NAME **b)
+	{
+	return(X509_NAME_cmp(*a,*b));
+	}
+
+#ifndef NO_STDIO
+/*!
+ * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
+ * it doesn't really have anything to do with clients (except that a common use
+ * for a stack of CAs is to send it to the client). Actually, it doesn't have
+ * much to do with CAs, either, since it will load any old cert.
+ * \param file the file containing one or more certs.
+ * \return a ::STACK containing the certs.
+ */
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+	{
+	BIO *in;
+	X509 *x=NULL;
+	X509_NAME *xn=NULL;
+	STACK_OF(X509_NAME) *ret,*sk;
+
+	ret=sk_X509_NAME_new(NULL);
+	sk=sk_X509_NAME_new(xname_cmp);
+
+	in=BIO_new(BIO_s_file_internal());
+
+	if ((ret == NULL) || (sk == NULL) || (in == NULL))
+		{
+		SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	if (!BIO_read_filename(in,file))
+		goto err;
+
+	for (;;)
+		{
+		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+			break;
+		if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+		/* check for duplicates */
+		xn=X509_NAME_dup(xn);
+		if (xn == NULL) goto err;
+		if (sk_X509_NAME_find(sk,xn) >= 0)
+			X509_NAME_free(xn);
+		else
+			{
+			sk_X509_NAME_push(sk,xn);
+			sk_X509_NAME_push(ret,xn);
+			}
+		}
+
+	if (0)
+		{
+err:
+		if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
+		ret=NULL;
+		}
+	if (sk != NULL) sk_X509_NAME_free(sk);
+	if (in != NULL) BIO_free(in);
+	if (x != NULL) X509_free(x);
+	return(ret);
+	}
+#endif
+
+/*!
+ * Add a file of certs to a stack.
+ * \param stack the stack to add to.
+ * \param file the file to add from. All certs in this file that are not
+ * already in the stack will be added.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+					const char *file)
+    {
+    BIO *in;
+    X509 *x=NULL;
+    X509_NAME *xn=NULL;
+    int ret=1;
+    int (*oldcmp)(X509_NAME **a, X509_NAME **b);
+
+    oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
+
+    in=BIO_new(BIO_s_file_internal());
+
+    if (in == NULL)
+	{
+	SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+	goto err;
+	}
+	
+    if (!BIO_read_filename(in,file))
+	goto err;
+
+    for (;;)
+	{
+	if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+	    break;
+	if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+	xn=X509_NAME_dup(xn);
+	if (xn == NULL) goto err;
+	if (sk_X509_NAME_find(stack,xn) >= 0)
+	    X509_NAME_free(xn);
+	else
+	    sk_X509_NAME_push(stack,xn);
+	}
+
+    if (0)
+	{
+err:
+	ret=0;
+	}
+    if(in != NULL)
+	BIO_free(in);
+    if(x != NULL)
+	X509_free(x);
+
+    sk_X509_NAME_set_cmp_func(stack,oldcmp);
+
+    return ret;
+    }
+
+/*!
+ * Add a directory of certs to a stack.
+ * \param stack the stack to append to.
+ * \param dir the directory to append from. All files in this directory will be
+ * examined as potential certs. Any that are acceptable to
+ * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
+ * included.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+#ifndef WIN32
+#ifndef VMS			/* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
+
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+				       const char *dir)
+    {
+    DIR *d;
+    struct dirent *dstruct;
+    int ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+    d = opendir(dir);
+
+    /* Note that a side effect is that the CAs will be sorted by name */
+    if(!d)
+	{
+	SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+	ERR_add_error_data(3, "opendir('", dir, "')");
+	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+	goto err;
+	}
+
+    while((dstruct=readdir(d)))
+	{
+	char buf[1024];
+
+	if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
+	    {
+	    SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+	    goto err;
+	    }
+	
+	sprintf(buf,"%s/%s",dir,dstruct->d_name);
+	if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+	    goto err;
+	}
+    ret = 1;
+
+err:	
+    CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+    return ret;
+    }
+
+#endif
+#endif
+#endif
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
new file mode 100644
index 0000000..7436a50
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -0,0 +1,1069 @@
+/* ssl/ssl_ciph.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+#include "ssl_locl.h"
+
+#define SSL_ENC_DES_IDX		0
+#define SSL_ENC_3DES_IDX	1
+#define SSL_ENC_RC4_IDX		2
+#define SSL_ENC_RC2_IDX		3
+#define SSL_ENC_IDEA_IDX	4
+#define SSL_ENC_eFZA_IDX	5
+#define SSL_ENC_NULL_IDX	6
+#define SSL_ENC_NUM_IDX		7
+
+static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
+	NULL,NULL,NULL,NULL,NULL,NULL,
+	};
+
+static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
+
+#define SSL_MD_MD5_IDX	0
+#define SSL_MD_SHA1_IDX	1
+#define SSL_MD_NUM_IDX	2
+static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
+	NULL,NULL,
+	};
+
+#define CIPHER_ADD	1
+#define CIPHER_KILL	2
+#define CIPHER_DEL	3
+#define CIPHER_ORD	4
+#define CIPHER_SPECIAL	5
+
+typedef struct cipher_order_st
+	{
+	SSL_CIPHER *cipher;
+	int active;
+	int dead;
+	struct cipher_order_st *next,*prev;
+	} CIPHER_ORDER;
+
+static const SSL_CIPHER cipher_aliases[]={
+	/* Don't include eNULL unless specifically enabled */
+	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+	{0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kFZA,0,SSL_kFZA,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_DH,	0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_EDH,	0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+
+	{0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aFZA,0,SSL_aFZA,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aDH, 0,SSL_aDH,   0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_DSS,	0,SSL_DSS,   0,0,0,0,SSL_AUTH_MASK,0},
+
+	{0,SSL_TXT_DES,	0,SSL_DES,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RC4,	0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RC2,	0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_eFZA,0,SSL_eFZA,  0,0,0,0,SSL_ENC_MASK,0},
+
+	{0,SSL_TXT_MD5,	0,SSL_MD5,   0,0,0,0,SSL_MAC_MASK,0},
+	{0,SSL_TXT_SHA1,0,SSL_SHA1,  0,0,0,0,SSL_MAC_MASK,0},
+	{0,SSL_TXT_SHA,	0,SSL_SHA,   0,0,0,0,SSL_MAC_MASK,0},
+
+	{0,SSL_TXT_NULL,0,SSL_NULL,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RSA,	0,SSL_RSA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+	{0,SSL_TXT_ADH,	0,SSL_ADH,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+	{0,SSL_TXT_FZA,	0,SSL_FZA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
+
+	{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
+	{0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
+	{0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
+
+	{0,SSL_TXT_EXP   ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+	{0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+	{0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+	};
+
+static int init_ciphers=1;
+
+static void load_ciphers(void)
+	{
+	init_ciphers=0;
+	ssl_cipher_methods[SSL_ENC_DES_IDX]= 
+		EVP_get_cipherbyname(SN_des_cbc);
+	ssl_cipher_methods[SSL_ENC_3DES_IDX]=
+		EVP_get_cipherbyname(SN_des_ede3_cbc);
+	ssl_cipher_methods[SSL_ENC_RC4_IDX]=
+		EVP_get_cipherbyname(SN_rc4);
+	ssl_cipher_methods[SSL_ENC_RC2_IDX]= 
+		EVP_get_cipherbyname(SN_rc2_cbc);
+	ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 
+		EVP_get_cipherbyname(SN_idea_cbc);
+
+	ssl_digest_methods[SSL_MD_MD5_IDX]=
+		EVP_get_digestbyname(SN_md5);
+	ssl_digest_methods[SSL_MD_SHA1_IDX]=
+		EVP_get_digestbyname(SN_sha1);
+	}
+
+int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+	     const EVP_MD **md, SSL_COMP **comp)
+	{
+	int i;
+	SSL_CIPHER *c;
+
+	c=s->cipher;
+	if (c == NULL) return(0);
+	if (comp != NULL)
+		{
+		SSL_COMP ctmp;
+
+		if (s->compress_meth == 0)
+			*comp=NULL;
+		else if (ssl_comp_methods == NULL)
+			{
+			/* bad */
+			*comp=NULL;
+			}
+		else
+			{
+
+			ctmp.id=s->compress_meth;
+			i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
+			if (i >= 0)
+				*comp=sk_SSL_COMP_value(ssl_comp_methods,i);
+			else
+				*comp=NULL;
+			}
+		}
+
+	if ((enc == NULL) || (md == NULL)) return(0);
+
+	switch (c->algorithms & SSL_ENC_MASK)
+		{
+	case SSL_DES:
+		i=SSL_ENC_DES_IDX;
+		break;
+	case SSL_3DES:
+		i=SSL_ENC_3DES_IDX;
+		break;
+	case SSL_RC4:
+		i=SSL_ENC_RC4_IDX;
+		break;
+	case SSL_RC2:
+		i=SSL_ENC_RC2_IDX;
+		break;
+	case SSL_IDEA:
+		i=SSL_ENC_IDEA_IDX;
+		break;
+	case SSL_eNULL:
+		i=SSL_ENC_NULL_IDX;
+		break;
+	default:
+		i= -1;
+		break;
+		}
+
+	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+		*enc=NULL;
+	else
+		{
+		if (i == SSL_ENC_NULL_IDX)
+			*enc=EVP_enc_null();
+		else
+			*enc=ssl_cipher_methods[i];
+		}
+
+	switch (c->algorithms & SSL_MAC_MASK)
+		{
+	case SSL_MD5:
+		i=SSL_MD_MD5_IDX;
+		break;
+	case SSL_SHA1:
+		i=SSL_MD_SHA1_IDX;
+		break;
+	default:
+		i= -1;
+		break;
+		}
+	if ((i < 0) || (i > SSL_MD_NUM_IDX))
+		*md=NULL;
+	else
+		*md=ssl_digest_methods[i];
+
+	if ((*enc != NULL) && (*md != NULL))
+		return(1);
+	else
+		return(0);
+	}
+
+#define ITEM_SEP(a) \
+	(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
+
+static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
+	     CIPHER_ORDER **tail)
+	{
+	if (curr == *tail) return;
+	if (curr == *head)
+		*head=curr->next;
+	if (curr->prev != NULL)
+		curr->prev->next=curr->next;
+	if (curr->next != NULL) /* should always be true */
+		curr->next->prev=curr->prev;
+	(*tail)->next=curr;
+	curr->prev= *tail;
+	curr->next=NULL;
+	*tail=curr;
+	}
+
+static unsigned long ssl_cipher_get_disabled(void)
+	{
+	unsigned long mask;
+
+	mask = SSL_kFZA;
+#ifdef NO_RSA
+	mask |= SSL_aRSA|SSL_kRSA;
+#endif
+#ifdef NO_DSA
+	mask |= SSL_aDSS;
+#endif
+#ifdef NO_DH
+	mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
+#endif
+
+#ifdef SSL_FORBID_ENULL
+	mask |= SSL_eNULL;
+#endif
+
+	mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
+	mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
+	mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
+
+	mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
+	mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
+
+	return(mask);
+	}
+
+static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
+		int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
+		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+	{
+	int i, list_num;
+	SSL_CIPHER *c;
+
+	/*
+	 * We have num_of_ciphers descriptions compiled in, depending on the
+	 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+	 * These will later be sorted in a linked list with at most num
+	 * entries.
+	 */
+
+	/* Get the initial list of ciphers */
+	list_num = 0;	/* actual count of ciphers */
+	for (i = 0; i < num_of_ciphers; i++)
+		{
+		c = ssl_method->get_cipher(i);
+		/* drop those that use any of that is not available */
+		if ((c != NULL) && c->valid && !(c->algorithms & mask))
+			{
+			list[list_num].cipher = c;
+			list[list_num].next = NULL;
+			list[list_num].prev = NULL;
+			list[list_num].active = 0;
+			list_num++;
+			/*
+			if (!sk_push(ca_list,(char *)c)) goto err;
+			*/
+			}
+		}
+
+	/*
+	 * Prepare linked list from list entries
+	 */	
+	for (i = 1; i < list_num - 1; i++)
+		{
+		list[i].prev = &(list[i-1]);
+		list[i].next = &(list[i+1]);
+		}
+	if (list_num > 0)
+		{
+		(*head_p) = &(list[0]);
+		(*head_p)->prev = NULL;
+		(*head_p)->next = &(list[1]);
+		(*tail_p) = &(list[list_num - 1]);
+		(*tail_p)->prev = &(list[list_num - 2]);
+		(*tail_p)->next = NULL;
+		}
+	}
+
+static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
+			int num_of_group_aliases, unsigned long mask,
+			CIPHER_ORDER *head)
+	{
+	CIPHER_ORDER *ciph_curr;
+	SSL_CIPHER **ca_curr;
+	int i;
+
+	/*
+	 * First, add the real ciphers as already collected
+	 */
+	ciph_curr = head;
+	ca_curr = ca_list;
+	while (ciph_curr != NULL)
+		{
+		*ca_curr = ciph_curr->cipher;
+		ca_curr++;
+		ciph_curr = ciph_curr->next;
+		}
+
+	/*
+	 * Now we add the available ones from the cipher_aliases[] table.
+	 * They represent either an algorithm, that must be fully
+	 * supported (not match any bit in mask) or represent a cipher
+	 * strength value (will be added in any case because algorithms=0).
+	 */
+	for (i = 0; i < num_of_group_aliases; i++)
+		{
+		if ((i == 0) ||		/* always fetch "ALL" */
+		    !(cipher_aliases[i].algorithms & mask))
+			{
+			*ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
+			ca_curr++;
+			}
+		}
+
+	*ca_curr = NULL;	/* end of list */
+	}
+
+static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+		unsigned long algo_strength, unsigned long mask_strength,
+		int rule, int strength_bits, CIPHER_ORDER *list,
+		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+	{
+	CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
+	SSL_CIPHER *cp;
+	unsigned long ma, ma_s;
+
+#ifdef CIPHER_DEBUG
+	printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
+		rule, algorithms, mask, algo_strength, mask_strength,
+		strength_bits);
+#endif
+
+	curr = head = *head_p;
+	curr2 = head;
+	tail2 = tail = *tail_p;
+	for (;;)
+		{
+		if ((curr == NULL) || (curr == tail2)) break;
+		curr = curr2;
+		curr2 = curr->next;
+
+		cp = curr->cipher;
+
+		/*
+		 * Selection criteria is either the number of strength_bits
+		 * or the algorithm used.
+		 */
+		if (strength_bits == -1)
+			{
+			ma = mask & cp->algorithms;
+			ma_s = mask_strength & cp->algo_strength;
+
+#ifdef CIPHER_DEBUG
+			printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
+			printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
+#endif
+			/*
+			 * Select: if none of the mask bit was met from the
+			 * cipher or not all of the bits were met, the
+			 * selection does not apply.
+			 */
+			if (((ma == 0) && (ma_s == 0)) ||
+			    ((ma & algorithms) != ma) ||
+			    ((ma_s & algo_strength) != ma_s))
+				continue; /* does not apply */
+			}
+		else if (strength_bits != cp->strength_bits)
+			continue;	/* does not apply */
+
+#ifdef CIPHER_DEBUG
+		printf("Action = %d\n", rule);
+#endif
+
+		/* add the cipher if it has not been added yet. */
+		if (rule == CIPHER_ADD)
+			{
+			if (!curr->active)
+				{
+				ll_append_tail(&head, curr, &tail);
+				curr->active = 1;
+				}
+			}
+		/* Move the added cipher to this location */
+		else if (rule == CIPHER_ORD)
+			{
+			if (curr->active)
+				{
+				ll_append_tail(&head, curr, &tail);
+				}
+			}
+		else if	(rule == CIPHER_DEL)
+			curr->active = 0;
+		else if (rule == CIPHER_KILL)
+			{
+			if (head == curr)
+				head = curr->next;
+			else
+				curr->prev->next = curr->next;
+			if (tail == curr)
+				tail = curr->prev;
+			curr->active = 0;
+			if (curr->next != NULL)
+				curr->next->prev = curr->prev;
+			if (curr->prev != NULL)
+				curr->prev->next = curr->next;
+			curr->next = NULL;
+			curr->prev = NULL;
+			}
+		}
+
+	*head_p = head;
+	*tail_p = tail;
+	}
+
+static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+				     CIPHER_ORDER **tail_p)
+	{
+	int max_strength_bits, i, *number_uses;
+	CIPHER_ORDER *curr;
+
+	/*
+	 * This routine sorts the ciphers with descending strength. The sorting
+	 * must keep the pre-sorted sequence, so we apply the normal sorting
+	 * routine as '+' movement to the end of the list.
+	 */
+	max_strength_bits = 0;
+	curr = *head_p;
+	while (curr != NULL)
+		{
+		if (curr->active &&
+		    (curr->cipher->strength_bits > max_strength_bits))
+		    max_strength_bits = curr->cipher->strength_bits;
+		curr = curr->next;
+		}
+
+	number_uses = Malloc((max_strength_bits + 1) * sizeof(int));
+	if (!number_uses)
+	{
+		SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
+		return(0);
+	}
+	memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
+
+	/*
+	 * Now find the strength_bits values actually used
+	 */
+	curr = *head_p;
+	while (curr != NULL)
+		{
+		if (curr->active)
+			number_uses[curr->cipher->strength_bits]++;
+		curr = curr->next;
+		}
+	/*
+	 * Go through the list of used strength_bits values in descending
+	 * order.
+	 */
+	for (i = max_strength_bits; i >= 0; i--)
+		if (number_uses[i] > 0)
+			ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+					list, head_p, tail_p);
+
+	Free(number_uses);
+	return(1);
+	}
+
+static int ssl_cipher_process_rulestr(const char *rule_str,
+		CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+		CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
+	{
+	unsigned long algorithms, mask, algo_strength, mask_strength;
+	const char *l, *start, *buf;
+	int j, multi, found, rule, retval, ok, buflen;
+	char ch;
+
+	retval = 1;
+	l = rule_str;
+	for (;;)
+		{
+		ch = *l;
+
+		if (ch == '\0')
+			break;		/* done */
+		if (ch == '-')
+			{ rule = CIPHER_DEL; l++; }
+		else if (ch == '+')
+			{ rule = CIPHER_ORD; l++; }
+		else if (ch == '!')
+			{ rule = CIPHER_KILL; l++; }
+		else if (ch == '@')
+			{ rule = CIPHER_SPECIAL; l++; }
+		else
+			{ rule = CIPHER_ADD; }
+
+		if (ITEM_SEP(ch))
+			{
+			l++;
+			continue;
+			}
+
+		algorithms = mask = algo_strength = mask_strength = 0;
+
+		start=l;
+		for (;;)
+			{
+			ch = *l;
+			buf = l;
+			buflen = 0;
+#ifndef CHARSET_EBCDIC
+			while (	((ch >= 'A') && (ch <= 'Z')) ||
+				((ch >= '0') && (ch <= '9')) ||
+				((ch >= 'a') && (ch <= 'z')) ||
+				 (ch == '-'))
+#else
+			while (	isalnum(ch) || (ch == '-'))
+#endif
+				 {
+				 ch = *(++l);
+				 buflen++;
+				 }
+
+			if (buflen == 0)
+				{
+				/*
+				 * We hit something we cannot deal with,
+				 * it is no command or separator nor
+				 * alphanumeric, so we call this an error.
+				 */
+				SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+				       SSL_R_INVALID_COMMAND);
+				retval = found = 0;
+				l++;
+				break;
+				}
+
+			if (rule == CIPHER_SPECIAL)
+				{
+				found = 0; /* unused -- avoid compiler warning */
+				break;	/* special treatment */
+				}
+
+			/* check for multi-part specification */
+			if (ch == '+')
+				{
+				multi=1;
+				l++;
+				}
+			else
+				multi=0;
+
+			/*
+			 * Now search for the cipher alias in the ca_list. Be careful
+			 * with the strncmp, because the "buflen" limitation
+			 * will make the rule "ADH:SOME" and the cipher
+			 * "ADH-MY-CIPHER" look like a match for buflen=3.
+			 * So additionally check whether the cipher name found
+			 * has the correct length. We can save a strlen() call:
+			 * just checking for the '\0' at the right place is
+			 * sufficient, we have to strncmp() anyway.
+			 */
+			 j = found = 0;
+			 while (ca_list[j])
+				{
+				if ((ca_list[j]->name[buflen] == '\0') &&
+				    !strncmp(buf, ca_list[j]->name, buflen))
+					{
+					found = 1;
+					break;
+					}
+				else
+					j++;
+				}
+			if (!found)
+				break;	/* ignore this entry */
+
+			algorithms |= ca_list[j]->algorithms;
+			mask |= ca_list[j]->mask;
+			algo_strength |= ca_list[j]->algo_strength;
+			mask_strength |= ca_list[j]->mask_strength;
+
+			if (!multi) break;
+			}
+
+		/*
+		 * Ok, we have the rule, now apply it
+		 */
+		if (rule == CIPHER_SPECIAL)
+			{	/* special command */
+			ok = 0;
+			if ((buflen == 8) &&
+				!strncmp(buf, "STRENGTH", 8))
+				ok = ssl_cipher_strength_sort(list,
+					head_p, tail_p);
+			else
+				SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+					SSL_R_INVALID_COMMAND);
+			if (ok == 0)
+				retval = 0;
+			/*
+			 * We do not support any "multi" options
+			 * together with "@", so throw away the
+			 * rest of the command, if any left, until
+			 * end or ':' is found.
+			 */
+			while ((*l != '\0') && ITEM_SEP(*l))
+				l++;
+			}
+		else if (found)
+			{
+			ssl_cipher_apply_rule(algorithms, mask,
+				algo_strength, mask_strength, rule, -1,
+				list, head_p, tail_p);
+			}
+		else
+			{
+			while ((*l != '\0') && ITEM_SEP(*l))
+				l++;
+			}
+		if (*l == '\0') break; /* done */
+		}
+
+	return(retval);
+	}
+
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+		STACK_OF(SSL_CIPHER) **cipher_list,
+		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+		const char *rule_str)
+	{
+	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+	unsigned long disabled_mask;
+	STACK_OF(SSL_CIPHER) *cipherstack;
+	const char *rule_p;
+	CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
+	SSL_CIPHER **ca_list = NULL;
+
+	/*
+	 * Return with error if nothing to do.
+	 */
+	if (rule_str == NULL) return(NULL);
+
+	if (init_ciphers) load_ciphers();
+
+	/*
+	 * To reduce the work to do we only want to process the compiled
+	 * in algorithms, so we first get the mask of disabled ciphers.
+	 */
+	disabled_mask = ssl_cipher_get_disabled();
+
+	/*
+	 * Now we have to collect the available ciphers from the compiled
+	 * in ciphers. We cannot get more than the number compiled in, so
+	 * it is used for allocation.
+	 */
+	num_of_ciphers = ssl_method->num_ciphers();
+	list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+	if (list == NULL)
+		{
+		SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+		return(NULL);	/* Failure */
+		}
+
+	ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
+				   list, &head, &tail);
+
+	/*
+	 * We also need cipher aliases for selecting based on the rule_str.
+	 * There might be two types of entries in the rule_str: 1) names
+	 * of ciphers themselves 2) aliases for groups of ciphers.
+	 * For 1) we need the available ciphers and for 2) the cipher
+	 * groups of cipher_aliases added together in one list (otherwise
+	 * we would be happy with just the cipher_aliases table).
+	 */
+	num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
+	num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+	ca_list =
+		(SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+	if (ca_list == NULL)
+		{
+		Free(list);
+		SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+		return(NULL);	/* Failure */
+		}
+	ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
+				   head);
+
+	/*
+	 * If the rule_string begins with DEFAULT, apply the default rule
+	 * before using the (possibly available) additional rules.
+	 */
+	ok = 1;
+	rule_p = rule_str;
+	if (strncmp(rule_str,"DEFAULT",7) == 0)
+		{
+		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+			list, &head, &tail, ca_list);
+		rule_p += 7;
+		if (*rule_p == ':')
+			rule_p++;
+		}
+
+	if (ok && (strlen(rule_p) > 0))
+		ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
+						ca_list);
+
+	Free(ca_list);	/* Not needed anymore */
+
+	if (!ok)
+		{	/* Rule processing failure */
+		Free(list);
+		return(NULL);
+		}
+	/*
+	 * Allocate new "cipherstack" for the result, return with error
+	 * if we cannot get one.
+	 */
+	if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL)
+		{
+		Free(list);
+		return(NULL);
+		}
+
+	/*
+	 * The cipher selection for the list is done. The ciphers are added
+	 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
+	 */
+	for (curr = head; curr != NULL; curr = curr->next)
+		{
+		if (curr->active)
+			{
+			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
+#ifdef CIPHER_DEBUG
+			printf("<%s>\n",curr->cipher->name);
+#endif
+			}
+		}
+	Free(list);	/* Not needed any longer */
+
+	/*
+	 * The following passage is a little bit odd. If pointer variables
+	 * were supplied to hold STACK_OF(SSL_CIPHER) return information,
+	 * the old memory pointed to is free()ed. Then, however, the
+	 * cipher_list entry will be assigned just a copy of the returned
+	 * cipher stack. For cipher_list_by_id a copy of the cipher stack
+	 * will be created. See next comment...
+	 */
+	if (cipher_list != NULL)
+		{
+		if (*cipher_list != NULL)
+			sk_SSL_CIPHER_free(*cipher_list);
+		*cipher_list = cipherstack;
+		}
+
+	if (cipher_list_by_id != NULL)
+		{
+		if (*cipher_list_by_id != NULL)
+			sk_SSL_CIPHER_free(*cipher_list_by_id);
+		*cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
+		}
+
+	/*
+	 * Now it is getting really strange. If something failed during
+	 * the previous pointer assignment or if one of the pointers was
+	 * not requested, the error condition is met. That might be
+	 * discussable. The strange thing is however that in this case
+	 * the memory "ret" pointed to is "free()ed" and hence the pointer
+	 * cipher_list becomes wild. The memory reserved for
+	 * cipher_list_by_id however is not "free()ed" and stays intact.
+	 */
+	if (	(cipher_list_by_id == NULL) ||
+		(*cipher_list_by_id == NULL) ||
+		(cipher_list == NULL) ||
+		(*cipher_list == NULL))
+		{
+		sk_SSL_CIPHER_free(cipherstack);
+		return(NULL);
+		}
+
+	sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+
+	return(cipherstack);
+	}
+
+char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
+	{
+	int is_export,pkl,kl;
+	char *ver,*exp;
+	char *kx,*au,*enc,*mac;
+	unsigned long alg,alg2,alg_s;
+	static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
+	
+	alg=cipher->algorithms;
+	alg_s=cipher->algo_strength;
+	alg2=cipher->algorithm2;
+
+	is_export=SSL_C_IS_EXPORT(cipher);
+	pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
+	kl=SSL_C_EXPORT_KEYLENGTH(cipher);
+	exp=is_export?" export":"";
+
+	if (alg & SSL_SSLV2)
+		ver="SSLv2";
+	else if (alg & SSL_SSLV3)
+		ver="SSLv3";
+	else
+		ver="unknown";
+
+	switch (alg&SSL_MKEY_MASK)
+		{
+	case SSL_kRSA:
+		kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
+		break;
+	case SSL_kDHr:
+		kx="DH/RSA";
+		break;
+	case SSL_kDHd:
+		kx="DH/DSS";
+		break;
+	case SSL_kFZA:
+		kx="Fortezza";
+		break;
+	case SSL_kEDH:
+		kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
+		break;
+	default:
+		kx="unknown";
+		}
+
+	switch (alg&SSL_AUTH_MASK)
+		{
+	case SSL_aRSA:
+		au="RSA";
+		break;
+	case SSL_aDSS:
+		au="DSS";
+		break;
+	case SSL_aDH:
+		au="DH";
+		break;
+	case SSL_aFZA:
+	case SSL_aNULL:
+		au="None";
+		break;
+	default:
+		au="unknown";
+		break;
+		}
+
+	switch (alg&SSL_ENC_MASK)
+		{
+	case SSL_DES:
+		enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
+		break;
+	case SSL_3DES:
+		enc="3DES(168)";
+		break;
+	case SSL_RC4:
+		enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
+		  :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+		break;
+	case SSL_RC2:
+		enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
+		break;
+	case SSL_IDEA:
+		enc="IDEA(128)";
+		break;
+	case SSL_eFZA:
+		enc="Fortezza";
+		break;
+	case SSL_eNULL:
+		enc="None";
+		break;
+	default:
+		enc="unknown";
+		break;
+		}
+
+	switch (alg&SSL_MAC_MASK)
+		{
+	case SSL_MD5:
+		mac="MD5";
+		break;
+	case SSL_SHA1:
+		mac="SHA1";
+		break;
+	default:
+		mac="unknown";
+		break;
+		}
+
+	if (buf == NULL)
+		{
+		buf=Malloc(128);
+		if (buf == NULL) return("Malloc Error");
+		}
+	else if (len < 128)
+		return("Buffer too small");
+
+	sprintf(buf,format,cipher->name,ver,kx,au,enc,mac,exp);
+	return(buf);
+	}
+
+char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+	{
+	int i;
+
+	if (c == NULL) return("(NONE)");
+	i=(int)(c->id>>24L);
+	if (i == 3)
+		return("TLSv1/SSLv3");
+	else if (i == 2)
+		return("SSLv2");
+	else
+		return("unknown");
+	}
+
+/* return the actual cipher being used */
+const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+	{
+	if (c != NULL)
+		return(c->name);
+	return("(NONE)");
+	}
+
+/* number of bits for symmetric cipher */
+int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+	{
+	int ret=0;
+
+	if (c != NULL)
+		{
+		if (alg_bits != NULL) *alg_bits = c->alg_bits;
+		ret = c->strength_bits;
+		}
+	return(ret);
+	}
+
+SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
+	{
+	SSL_COMP *ctmp;
+	int i,nn;
+
+	if ((n == 0) || (sk == NULL)) return(NULL);
+	nn=sk_SSL_COMP_num(sk);
+	for (i=0; i<nn; i++)
+		{
+		ctmp=sk_SSL_COMP_value(sk,i);
+		if (ctmp->id == n)
+			return(ctmp);
+		}
+	return(NULL);
+	}
+
+static int sk_comp_cmp(SSL_COMP **a,SSL_COMP **b)
+	{
+	return((*a)->id-(*b)->id);
+	}
+
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
+	{
+	return(ssl_comp_methods);
+	}
+
+int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
+	{
+	SSL_COMP *comp;
+	STACK_OF(SSL_COMP) *sk;
+
+	comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
+	comp->id=id;
+	comp->method=cm;
+	if (ssl_comp_methods == NULL)
+		sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+	else
+		sk=ssl_comp_methods;
+	if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
+		{
+		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	else
+		return(1);
+	}
+
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
new file mode 100644
index 0000000..642c3f9
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -0,0 +1,430 @@
+/* ssl/ssl_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA SSL_str_functs[]=
+	{
+{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0),	"CLIENT_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_CLIENT_HELLO,0),	"CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0),	"CLIENT_MASTER_KEY"},
+{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0),	"d2i_SSL_SESSION"},
+{ERR_PACK(0,SSL_F_DO_SSL3_WRITE,0),	"DO_SSL3_WRITE"},
+{ERR_PACK(0,SSL_F_GET_CLIENT_FINISHED,0),	"GET_CLIENT_FINISHED"},
+{ERR_PACK(0,SSL_F_GET_CLIENT_HELLO,0),	"GET_CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_GET_CLIENT_MASTER_KEY,0),	"GET_CLIENT_MASTER_KEY"},
+{ERR_PACK(0,SSL_F_GET_SERVER_FINISHED,0),	"GET_SERVER_FINISHED"},
+{ERR_PACK(0,SSL_F_GET_SERVER_HELLO,0),	"GET_SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_GET_SERVER_VERIFY,0),	"GET_SERVER_VERIFY"},
+{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0),	"i2d_SSL_SESSION"},
+{ERR_PACK(0,SSL_F_READ_N,0),	"READ_N"},
+{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0),	"REQUEST_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SERVER_HELLO,0),	"SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0),	"SSL23_ACCEPT"},
+{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0),	"SSL23_CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_SSL23_CONNECT,0),	"SSL23_CONNECT"},
+{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0),	"SSL23_GET_CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0),	"SSL23_GET_SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_SSL23_READ,0),	"SSL23_READ"},
+{ERR_PACK(0,SSL_F_SSL23_WRITE,0),	"SSL23_WRITE"},
+{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0),	"SSL2_ACCEPT"},
+{ERR_PACK(0,SSL_F_SSL2_CONNECT,0),	"SSL2_CONNECT"},
+{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0),	"SSL2_ENC_INIT"},
+{ERR_PACK(0,SSL_F_SSL2_READ,0),	"SSL2_READ"},
+{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0),	"SSL2_SET_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL2_WRITE,0),	"SSL2_WRITE"},
+{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0),	"SSL3_ACCEPT"},
+{ERR_PACK(0,SSL_F_SSL3_CALLBACK_CTRL,0),	"SSL3_CALLBACK_CTRL"},
+{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0),	"SSL3_CHANGE_CIPHER_STATE"},
+{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0),	"SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0),	"SSL3_CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_SSL3_CONNECT,0),	"SSL3_CONNECT"},
+{ERR_PACK(0,SSL_F_SSL3_CTRL,0),	"SSL3_CTRL"},
+{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0),	"SSL3_CTX_CTRL"},
+{ERR_PACK(0,SSL_F_SSL3_ENC,0),	"SSL3_ENC"},
+{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0),	"SSL3_GET_CERTIFICATE_REQUEST"},
+{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0),	"SSL3_GET_CERT_VERIFY"},
+{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0),	"SSL3_GET_CLIENT_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_HELLO,0),	"SSL3_GET_CLIENT_HELLO"},
+{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,0),	"SSL3_GET_CLIENT_KEY_EXCHANGE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_FINISHED,0),	"SSL3_GET_FINISHED"},
+{ERR_PACK(0,SSL_F_SSL3_GET_KEY_EXCHANGE,0),	"SSL3_GET_KEY_EXCHANGE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_MESSAGE,0),	"SSL3_GET_MESSAGE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_RECORD,0),	"SSL3_GET_RECORD"},
+{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_CERTIFICATE,0),	"SSL3_GET_SERVER_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0),	"SSL3_GET_SERVER_DONE"},
+{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0),	"SSL3_GET_SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0),	"SSL3_OUTPUT_CERT_CHAIN"},
+{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0),	"SSL3_READ_BYTES"},
+{ERR_PACK(0,SSL_F_SSL3_READ_N,0),	"SSL3_READ_N"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0),	"SSL3_SEND_CERTIFICATE_REQUEST"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,0),	"SSL3_SEND_CLIENT_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0),	"SSL3_SEND_CLIENT_KEY_EXCHANGE"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0),	"SSL3_SEND_CLIENT_VERIFY"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0),	"SSL3_SEND_SERVER_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0),	"SSL3_SEND_SERVER_KEY_EXCHANGE"},
+{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0),	"SSL3_SETUP_BUFFERS"},
+{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0),	"SSL3_SETUP_KEY_BLOCK"},
+{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0),	"SSL3_WRITE_BYTES"},
+{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0),	"SSL3_WRITE_PENDING"},
+{ERR_PACK(0,SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,0),	"SSL_add_dir_cert_subjects_to_stack"},
+{ERR_PACK(0,SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,0),	"SSL_add_file_cert_subjects_to_stack"},
+{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0),	"SSL_BAD_METHOD"},
+{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0),	"SSL_BYTES_TO_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CERT_DUP,0),	"SSL_CERT_DUP"},
+{ERR_PACK(0,SSL_F_SSL_CERT_INST,0),	"SSL_CERT_INST"},
+{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0),	"SSL_CERT_INSTANTIATE"},
+{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0),	"SSL_CERT_NEW"},
+{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0),	"SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0),	"SSL_CIPHER_PROCESS_RULESTR"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0),	"SSL_CIPHER_STRENGTH_SORT"},
+{ERR_PACK(0,SSL_F_SSL_CLEAR,0),	"SSL_clear"},
+{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),	"SSL_COMP_add_compression_method"},
+{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),	"SSL_CREATE_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CTRL,0),	"SSL_ctrl"},
+{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0),	"SSL_CTX_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),	"SSL_CTX_new"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0),	"SSL_CTX_set_purpose"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0),	"SSL_CTX_set_session_id_context"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),	"SSL_CTX_set_ssl_version"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0),	"SSL_CTX_set_trust"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0),	"SSL_CTX_use_certificate"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0),	"SSL_CTX_use_certificate_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0),	"SSL_CTX_use_certificate_chain_file"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0),	"SSL_CTX_use_certificate_file"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0),	"SSL_CTX_use_PrivateKey"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0),	"SSL_CTX_use_PrivateKey_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,0),	"SSL_CTX_use_PrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,0),	"SSL_CTX_use_RSAPrivateKey"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,0),	"SSL_CTX_use_RSAPrivateKey_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0),	"SSL_CTX_use_RSAPrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0),	"SSL_do_handshake"},
+{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0),	"SSL_GET_NEW_SESSION"},
+{ERR_PACK(0,SSL_F_SSL_GET_PREV_SESSION,0),	"SSL_GET_PREV_SESSION"},
+{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0),	"SSL_GET_SERVER_SEND_CERT"},
+{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0),	"SSL_GET_SIGN_PKEY"},
+{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0),	"SSL_INIT_WBIO_BUFFER"},
+{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0),	"SSL_load_client_CA_file"},
+{ERR_PACK(0,SSL_F_SSL_NEW,0),	"SSL_new"},
+{ERR_PACK(0,SSL_F_SSL_READ,0),	"SSL_read"},
+{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0),	"SSL_RSA_PRIVATE_DECRYPT"},
+{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0),	"SSL_RSA_PUBLIC_ENCRYPT"},
+{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0),	"SSL_SESSION_new"},
+{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0),	"SSL_SESSION_print_fp"},
+{ERR_PACK(0,SSL_F_SSL_SESS_CERT_NEW,0),	"SSL_SESS_CERT_NEW"},
+{ERR_PACK(0,SSL_F_SSL_SET_CERT,0),	"SSL_SET_CERT"},
+{ERR_PACK(0,SSL_F_SSL_SET_FD,0),	"SSL_set_fd"},
+{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0),	"SSL_SET_PKEY"},
+{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0),	"SSL_set_purpose"},
+{ERR_PACK(0,SSL_F_SSL_SET_RFD,0),	"SSL_set_rfd"},
+{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0),	"SSL_set_session"},
+{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0),	"SSL_set_session_id_context"},
+{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),	"SSL_set_trust"},
+{ERR_PACK(0,SSL_F_SSL_SET_WFD,0),	"SSL_set_wfd"},
+{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),	"SSL_shutdown"},
+{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),	"SSL_UNDEFINED_FUNCTION"},
+{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),	"SSL_use_certificate"},
+{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),	"SSL_use_certificate_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_FILE,0),	"SSL_use_certificate_file"},
+{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY,0),	"SSL_use_PrivateKey"},
+{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_ASN1,0),	"SSL_use_PrivateKey_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_FILE,0),	"SSL_use_PrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0),	"SSL_use_RSAPrivateKey"},
+{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0),	"SSL_use_RSAPrivateKey_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0),	"SSL_use_RSAPrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0),	"SSL_VERIFY_CERT_CHAIN"},
+{ERR_PACK(0,SSL_F_SSL_WRITE,0),	"SSL_write"},
+{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0),	"TLS1_CHANGE_CIPHER_STATE"},
+{ERR_PACK(0,SSL_F_TLS1_ENC,0),	"TLS1_ENC"},
+{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0),	"TLS1_SETUP_KEY_BLOCK"},
+{ERR_PACK(0,SSL_F_WRITE_PENDING,0),	"WRITE_PENDING"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA SSL_str_reasons[]=
+	{
+{SSL_R_APP_DATA_IN_HANDSHAKE             ,"app data in handshake"},
+{SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT,"attempt to reuse session in different context"},
+{SSL_R_BAD_ALERT_RECORD                  ,"bad alert record"},
+{SSL_R_BAD_AUTHENTICATION_TYPE           ,"bad authentication type"},
+{SSL_R_BAD_CHANGE_CIPHER_SPEC            ,"bad change cipher spec"},
+{SSL_R_BAD_CHECKSUM                      ,"bad checksum"},
+{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK     ,"bad data returned by callback"},
+{SSL_R_BAD_DECOMPRESSION                 ,"bad decompression"},
+{SSL_R_BAD_DH_G_LENGTH                   ,"bad dh g length"},
+{SSL_R_BAD_DH_PUB_KEY_LENGTH             ,"bad dh pub key length"},
+{SSL_R_BAD_DH_P_LENGTH                   ,"bad dh p length"},
+{SSL_R_BAD_DIGEST_LENGTH                 ,"bad digest length"},
+{SSL_R_BAD_DSA_SIGNATURE                 ,"bad dsa signature"},
+{SSL_R_BAD_HELLO_REQUEST                 ,"bad hello request"},
+{SSL_R_BAD_LENGTH                        ,"bad length"},
+{SSL_R_BAD_MAC_DECODE                    ,"bad mac decode"},
+{SSL_R_BAD_MESSAGE_TYPE                  ,"bad message type"},
+{SSL_R_BAD_PACKET_LENGTH                 ,"bad packet length"},
+{SSL_R_BAD_PROTOCOL_VERSION_NUMBER       ,"bad protocol version number"},
+{SSL_R_BAD_RESPONSE_ARGUMENT             ,"bad response argument"},
+{SSL_R_BAD_RSA_DECRYPT                   ,"bad rsa decrypt"},
+{SSL_R_BAD_RSA_ENCRYPT                   ,"bad rsa encrypt"},
+{SSL_R_BAD_RSA_E_LENGTH                  ,"bad rsa e length"},
+{SSL_R_BAD_RSA_MODULUS_LENGTH            ,"bad rsa modulus length"},
+{SSL_R_BAD_RSA_SIGNATURE                 ,"bad rsa signature"},
+{SSL_R_BAD_SIGNATURE                     ,"bad signature"},
+{SSL_R_BAD_SSL_FILETYPE                  ,"bad ssl filetype"},
+{SSL_R_BAD_SSL_SESSION_ID_LENGTH         ,"bad ssl session id length"},
+{SSL_R_BAD_STATE                         ,"bad state"},
+{SSL_R_BAD_WRITE_RETRY                   ,"bad write retry"},
+{SSL_R_BIO_NOT_SET                       ,"bio not set"},
+{SSL_R_BLOCK_CIPHER_PAD_IS_WRONG         ,"block cipher pad is wrong"},
+{SSL_R_BN_LIB                            ,"bn lib"},
+{SSL_R_CA_DN_LENGTH_MISMATCH             ,"ca dn length mismatch"},
+{SSL_R_CA_DN_TOO_LONG                    ,"ca dn too long"},
+{SSL_R_CCS_RECEIVED_EARLY                ,"ccs received early"},
+{SSL_R_CERTIFICATE_VERIFY_FAILED         ,"certificate verify failed"},
+{SSL_R_CERT_LENGTH_MISMATCH              ,"cert length mismatch"},
+{SSL_R_CHALLENGE_IS_DIFFERENT            ,"challenge is different"},
+{SSL_R_CIPHER_CODE_WRONG_LENGTH          ,"cipher code wrong length"},
+{SSL_R_CIPHER_OR_HASH_UNAVAILABLE        ,"cipher or hash unavailable"},
+{SSL_R_CIPHER_TABLE_SRC_ERROR            ,"cipher table src error"},
+{SSL_R_COMPRESSED_LENGTH_TOO_LONG        ,"compressed length too long"},
+{SSL_R_COMPRESSION_FAILURE               ,"compression failure"},
+{SSL_R_COMPRESSION_LIBRARY_ERROR         ,"compression library error"},
+{SSL_R_CONNECTION_ID_IS_DIFFERENT        ,"connection id is different"},
+{SSL_R_CONNECTION_TYPE_NOT_SET           ,"connection type not set"},
+{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED     ,"data between ccs and finished"},
+{SSL_R_DATA_LENGTH_TOO_LONG              ,"data length too long"},
+{SSL_R_DECRYPTION_FAILED                 ,"decryption failed"},
+{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG   ,"dh public value length is wrong"},
+{SSL_R_DIGEST_CHECK_FAILED               ,"digest check failed"},
+{SSL_R_ENCRYPTED_LENGTH_TOO_LONG         ,"encrypted length too long"},
+{SSL_R_ERROR_GENERATING_TMP_RSA_KEY      ,"error generating tmp rsa key"},
+{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST     ,"error in received cipher list"},
+{SSL_R_EXCESSIVE_MESSAGE_SIZE            ,"excessive message size"},
+{SSL_R_EXTRA_DATA_IN_MESSAGE             ,"extra data in message"},
+{SSL_R_GOT_A_FIN_BEFORE_A_CCS            ,"got a fin before a ccs"},
+{SSL_R_HTTPS_PROXY_REQUEST               ,"https proxy request"},
+{SSL_R_HTTP_REQUEST                      ,"http request"},
+{SSL_R_INTERNAL_ERROR                    ,"internal error"},
+{SSL_R_INVALID_CHALLENGE_LENGTH          ,"invalid challenge length"},
+{SSL_R_INVALID_COMMAND                   ,"invalid command"},
+{SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
+{SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
+{SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
+{SSL_R_LIBRARY_BUG                       ,"library bug"},
+{SSL_R_LIBRARY_HAS_NO_CIPHERS            ,"library has no ciphers"},
+{SSL_R_MISSING_DH_DSA_CERT               ,"missing dh dsa cert"},
+{SSL_R_MISSING_DH_KEY                    ,"missing dh key"},
+{SSL_R_MISSING_DH_RSA_CERT               ,"missing dh rsa cert"},
+{SSL_R_MISSING_DSA_SIGNING_CERT          ,"missing dsa signing cert"},
+{SSL_R_MISSING_EXPORT_TMP_DH_KEY         ,"missing export tmp dh key"},
+{SSL_R_MISSING_EXPORT_TMP_RSA_KEY        ,"missing export tmp rsa key"},
+{SSL_R_MISSING_RSA_CERTIFICATE           ,"missing rsa certificate"},
+{SSL_R_MISSING_RSA_ENCRYPTING_CERT       ,"missing rsa encrypting cert"},
+{SSL_R_MISSING_RSA_SIGNING_CERT          ,"missing rsa signing cert"},
+{SSL_R_MISSING_TMP_DH_KEY                ,"missing tmp dh key"},
+{SSL_R_MISSING_TMP_RSA_KEY               ,"missing tmp rsa key"},
+{SSL_R_MISSING_TMP_RSA_PKEY              ,"missing tmp rsa pkey"},
+{SSL_R_MISSING_VERIFY_MESSAGE            ,"missing verify message"},
+{SSL_R_NON_SSLV2_INITIAL_PACKET          ,"non sslv2 initial packet"},
+{SSL_R_NO_CERTIFICATES_RETURNED          ,"no certificates returned"},
+{SSL_R_NO_CERTIFICATE_ASSIGNED           ,"no certificate assigned"},
+{SSL_R_NO_CERTIFICATE_RETURNED           ,"no certificate returned"},
+{SSL_R_NO_CERTIFICATE_SET                ,"no certificate set"},
+{SSL_R_NO_CERTIFICATE_SPECIFIED          ,"no certificate specified"},
+{SSL_R_NO_CIPHERS_AVAILABLE              ,"no ciphers available"},
+{SSL_R_NO_CIPHERS_PASSED                 ,"no ciphers passed"},
+{SSL_R_NO_CIPHERS_SPECIFIED              ,"no ciphers specified"},
+{SSL_R_NO_CIPHER_LIST                    ,"no cipher list"},
+{SSL_R_NO_CIPHER_MATCH                   ,"no cipher match"},
+{SSL_R_NO_CLIENT_CERT_RECEIVED           ,"no client cert received"},
+{SSL_R_NO_COMPRESSION_SPECIFIED          ,"no compression specified"},
+{SSL_R_NO_METHOD_SPECIFIED               ,"no method specified"},
+{SSL_R_NO_PRIVATEKEY                     ,"no privatekey"},
+{SSL_R_NO_PRIVATE_KEY_ASSIGNED           ,"no private key assigned"},
+{SSL_R_NO_PROTOCOLS_AVAILABLE            ,"no protocols available"},
+{SSL_R_NO_PUBLICKEY                      ,"no publickey"},
+{SSL_R_NO_SHARED_CIPHER                  ,"no shared cipher"},
+{SSL_R_NO_VERIFY_CALLBACK                ,"no verify callback"},
+{SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
+{SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
+{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
+{SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
+{SSL_R_PATH_TOO_LONG                     ,"path too long"},
+{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
+{SSL_R_PEER_ERROR                        ,"peer error"},
+{SSL_R_PEER_ERROR_CERTIFICATE            ,"peer error certificate"},
+{SSL_R_PEER_ERROR_NO_CERTIFICATE         ,"peer error no certificate"},
+{SSL_R_PEER_ERROR_NO_CIPHER              ,"peer error no cipher"},
+{SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"peer error unsupported certificate type"},
+{SSL_R_PRE_MAC_LENGTH_TOO_LONG           ,"pre mac length too long"},
+{SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS ,"problems mapping cipher functions"},
+{SSL_R_PROTOCOL_IS_SHUTDOWN              ,"protocol is shutdown"},
+{SSL_R_PUBLIC_KEY_ENCRYPT_ERROR          ,"public key encrypt error"},
+{SSL_R_PUBLIC_KEY_IS_NOT_RSA             ,"public key is not rsa"},
+{SSL_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
+{SSL_R_READ_BIO_NOT_SET                  ,"read bio not set"},
+{SSL_R_READ_WRONG_PACKET_TYPE            ,"read wrong packet type"},
+{SSL_R_RECORD_LENGTH_MISMATCH            ,"record length mismatch"},
+{SSL_R_RECORD_TOO_LARGE                  ,"record too large"},
+{SSL_R_REQUIRED_CIPHER_MISSING           ,"required cipher missing"},
+{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO        ,"reuse cert length not zero"},
+{SSL_R_REUSE_CERT_TYPE_NOT_ZERO          ,"reuse cert type not zero"},
+{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO        ,"reuse cipher list not zero"},
+{SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED  ,"session id context uninitialized"},
+{SSL_R_SHORT_READ                        ,"short read"},
+{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
+{SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
+{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
+{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
+{SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED   ,"sslv3 alert certificate expired"},
+{SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED   ,"sslv3 alert certificate revoked"},
+{SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN   ,"sslv3 alert certificate unknown"},
+{SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE ,"sslv3 alert decompression failure"},
+{SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE     ,"sslv3 alert handshake failure"},
+{SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER     ,"sslv3 alert illegal parameter"},
+{SSL_R_SSLV3_ALERT_NO_CERTIFICATE        ,"sslv3 alert no certificate"},
+{SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE,"sslv3 alert peer error certificate"},
+{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE,"sslv3 alert peer error no certificate"},
+{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER  ,"sslv3 alert peer error no cipher"},
+{SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"sslv3 alert peer error unsupported certificate type"},
+{SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE    ,"sslv3 alert unexpected message"},
+{SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE,"sslv3 alert unknown remote error type"},
+{SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE,"sslv3 alert unsupported certificate"},
+{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
+{SSL_R_SSL_HANDSHAKE_FAILURE             ,"ssl handshake failure"},
+{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS        ,"ssl library has no ciphers"},
+{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG   ,"ssl session id context too long"},
+{SSL_R_SSL_SESSION_ID_IS_DIFFERENT       ,"ssl session id is different"},
+{SSL_R_TLSV1_ALERT_ACCESS_DENIED         ,"tlsv1 alert access denied"},
+{SSL_R_TLSV1_ALERT_DECODE_ERROR          ,"tlsv1 alert decode error"},
+{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED     ,"tlsv1 alert decryption failed"},
+{SSL_R_TLSV1_ALERT_DECRYPT_ERROR         ,"tlsv1 alert decrypt error"},
+{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION    ,"tlsv1 alert export restriction"},
+{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
+{SSL_R_TLSV1_ALERT_INTERNAL_ERROR        ,"tlsv1 alert internal error"},
+{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION      ,"tlsv1 alert no renegotiation"},
+{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION      ,"tlsv1 alert protocol version"},
+{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW       ,"tlsv1 alert record overflow"},
+{SSL_R_TLSV1_ALERT_UNKNOWN_CA            ,"tlsv1 alert unknown ca"},
+{SSL_R_TLSV1_ALERT_USER_CANCELLED        ,"tlsv1 alert user cancelled"},
+{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
+{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
+{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
+{SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER   ,"tried to use unsupported cipher"},
+{SSL_R_UNABLE_TO_DECODE_DH_CERTS         ,"unable to decode dh certs"},
+{SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY      ,"unable to extract public key"},
+{SSL_R_UNABLE_TO_FIND_DH_PARAMETERS      ,"unable to find dh parameters"},
+{SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS,"unable to find public key parameters"},
+{SSL_R_UNABLE_TO_FIND_SSL_METHOD         ,"unable to find ssl method"},
+{SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES  ,"unable to load ssl2 md5 routines"},
+{SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES  ,"unable to load ssl3 md5 routines"},
+{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"},
+{SSL_R_UNEXPECTED_MESSAGE                ,"unexpected message"},
+{SSL_R_UNEXPECTED_RECORD                 ,"unexpected record"},
+{SSL_R_UNINITIALIZED                     ,"uninitialized"},
+{SSL_R_UNKNOWN_ALERT_TYPE                ,"unknown alert type"},
+{SSL_R_UNKNOWN_CERTIFICATE_TYPE          ,"unknown certificate type"},
+{SSL_R_UNKNOWN_CIPHER_RETURNED           ,"unknown cipher returned"},
+{SSL_R_UNKNOWN_CIPHER_TYPE               ,"unknown cipher type"},
+{SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE         ,"unknown key exchange type"},
+{SSL_R_UNKNOWN_PKEY_TYPE                 ,"unknown pkey type"},
+{SSL_R_UNKNOWN_PROTOCOL                  ,"unknown protocol"},
+{SSL_R_UNKNOWN_REMOTE_ERROR_TYPE         ,"unknown remote error type"},
+{SSL_R_UNKNOWN_SSL_VERSION               ,"unknown ssl version"},
+{SSL_R_UNKNOWN_STATE                     ,"unknown state"},
+{SSL_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
+{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
+{SSL_R_UNSUPPORTED_OPTION                ,"unsupported option"},
+{SSL_R_UNSUPPORTED_PROTOCOL              ,"unsupported protocol"},
+{SSL_R_UNSUPPORTED_SSL_VERSION           ,"unsupported ssl version"},
+{SSL_R_WRITE_BIO_NOT_SET                 ,"write bio not set"},
+{SSL_R_WRONG_CIPHER_RETURNED             ,"wrong cipher returned"},
+{SSL_R_WRONG_MESSAGE_TYPE                ,"wrong message type"},
+{SSL_R_WRONG_NUMBER_OF_KEY_BITS          ,"wrong number of key bits"},
+{SSL_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
+{SSL_R_WRONG_SIGNATURE_SIZE              ,"wrong signature size"},
+{SSL_R_WRONG_SSL_VERSION                 ,"wrong ssl version"},
+{SSL_R_WRONG_VERSION_NUMBER              ,"wrong version number"},
+{SSL_R_X509_LIB                          ,"x509 lib"},
+{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS  ,"x509 verification setup problems"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_SSL_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
+		ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/ssl/ssl_err2.c b/crypto/openssl/ssl/ssl_err2.c
new file mode 100644
index 0000000..cc089a6
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_err2.c
@@ -0,0 +1,70 @@
+/* ssl/ssl_err2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+void SSL_load_error_strings(void)
+	{
+#ifndef NO_ERR
+	ERR_load_crypto_strings();
+	ERR_load_SSL_strings();
+#endif
+	}
+
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
new file mode 100644
index 0000000..c515c41
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -0,0 +1,2061 @@
+/*! \file ssl/ssl_lib.c
+ *  \brief Version independent SSL functions.
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include <openssl/lhash.h>
+#include <openssl/x509v3.h>
+#include "ssl_locl.h"
+
+const char *SSL_version_str=OPENSSL_VERSION_TEXT;
+
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
+static int ssl_meth_num=0;
+static int ssl_ctx_meth_num=0;
+
+OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+	/* evil casts, but these functions are only called if there's a library bug */
+	(int (*)(SSL *,int))ssl_undefined_function,
+	(int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
+	ssl_undefined_function,
+	(int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
+	(int (*)(SSL*, int))ssl_undefined_function,
+	(int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
+	};
+
+int SSL_clear(SSL *s)
+	{
+	int state;
+
+	if (s->method == NULL)
+		{
+		SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
+		return(0);
+		}
+
+	s->error=0;
+	s->hit=0;
+	s->shutdown=0;
+
+#if 0 /* Disabled since version 1.10 of this file (early return not
+       * needed because SSL_clear is not called when doing renegotiation) */
+	/* This is set if we are doing dynamic renegotiation so keep
+	 * the old cipher.  It is sort of a SSL_clear_lite :-) */
+	if (s->new_session) return(1);
+#else
+	if (s->new_session)
+		{
+		SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR);
+		return 0;
+		}
+#endif
+
+	state=s->state; /* Keep to check if we throw away the session-id */
+	s->type=0;
+
+	s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
+
+	s->version=s->method->version;
+	s->client_version=s->version;
+	s->rwstate=SSL_NOTHING;
+	s->rstate=SSL_ST_READ_HEADER;
+	s->read_ahead=s->ctx->read_ahead;
+
+	if (s->init_buf != NULL)
+		{
+		BUF_MEM_free(s->init_buf);
+		s->init_buf=NULL;
+		}
+
+	ssl_clear_cipher_ctx(s);
+
+	if (ssl_clear_bad_session(s))
+		{
+		SSL_SESSION_free(s->session);
+		s->session=NULL;
+		}
+
+	s->first_packet=0;
+
+#if 1
+	/* Check to see if we were changed into a different method, if
+	 * so, revert back if we are not doing session-id reuse. */
+	if ((s->session == NULL) && (s->method != s->ctx->method))
+		{
+		s->method->ssl_free(s);
+		s->method=s->ctx->method;
+		if (!s->method->ssl_new(s))
+			return(0);
+		}
+	else
+#endif
+		s->method->ssl_clear(s);
+	return(1);
+	}
+
+/** Used to change an SSL_CTXs default SSL method type */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
+	{
+	STACK_OF(SSL_CIPHER) *sk;
+
+	ctx->method=meth;
+
+	sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
+		&(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
+	if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
+		{
+		SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+		return(0);
+		}
+	return(1);
+	}
+
+SSL *SSL_new(SSL_CTX *ctx)
+	{
+	SSL *s;
+
+	if (ctx == NULL)
+		{
+		SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
+		return(NULL);
+		}
+	if (ctx->method == NULL)
+		{
+		SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
+		return(NULL);
+		}
+
+	s=(SSL *)Malloc(sizeof(SSL));
+	if (s == NULL) goto err;
+	memset(s,0,sizeof(SSL));
+
+	if (ctx->cert != NULL)
+		{
+		/* Earlier library versions used to copy the pointer to
+		 * the CERT, not its contents; only when setting new
+		 * parameters for the per-SSL copy, ssl_cert_new would be
+		 * called (and the direct reference to the per-SSL_CTX
+		 * settings would be lost, but those still were indirectly
+		 * accessed for various purposes, and for that reason they
+		 * used to be known as s->ctx->default_cert).
+		 * Now we don't look at the SSL_CTX's CERT after having
+		 * duplicated it once. */
+
+		s->cert = ssl_cert_dup(ctx->cert);
+		if (s->cert == NULL)
+			goto err;
+		}
+	else
+		s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
+	s->sid_ctx_length=ctx->sid_ctx_length;
+	memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
+	s->verify_mode=ctx->verify_mode;
+	s->verify_depth=ctx->verify_depth;
+	s->verify_callback=ctx->default_verify_callback;
+	s->purpose = ctx->purpose;
+	s->trust = ctx->trust;
+	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+	s->ctx=ctx;
+
+	s->verify_result=X509_V_OK;
+
+	s->method=ctx->method;
+
+	if (!s->method->ssl_new(s))
+		goto err;
+
+	s->quiet_shutdown=ctx->quiet_shutdown;
+	s->references=1;
+	s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
+	s->options=ctx->options;
+	s->mode=ctx->mode;
+	SSL_clear(s);
+
+	CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
+
+	return(s);
+err:
+	if (s != NULL)
+		{
+		if (s->cert != NULL)
+			ssl_cert_free(s->cert);
+		if (s->ctx != NULL)
+			SSL_CTX_free(s->ctx); /* decrement reference count */
+		Free(s);
+		}
+	SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
+	return(NULL);
+	}
+
+int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
+				   unsigned int sid_ctx_len)
+    {
+    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+	{
+	SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+	return 0;
+	}
+    ctx->sid_ctx_length=sid_ctx_len;
+    memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
+
+    return 1;
+    }
+
+int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+			       unsigned int sid_ctx_len)
+    {
+    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+	{
+	SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+	return 0;
+	}
+    ssl->sid_ctx_length=sid_ctx_len;
+    memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
+
+    return 1;
+    }
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
+{
+	if(X509_PURPOSE_get_by_id(purpose) == -1) {
+		SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+		return 0;
+	}
+	s->purpose = purpose;
+	return 1;
+}
+
+int SSL_set_purpose(SSL *s, int purpose)
+{
+	if(X509_PURPOSE_get_by_id(purpose) == -1) {
+		SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+		return 0;
+	}
+	s->purpose = purpose;
+	return 1;
+}
+	
+int SSL_CTX_set_trust(SSL_CTX *s, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
+		return 0;
+	}
+	s->trust = trust;
+	return 1;
+}
+
+int SSL_set_trust(SSL *s, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
+		return 0;
+	}
+	s->trust = trust;
+	return 1;
+}
+
+void SSL_free(SSL *s)
+	{
+	int i;
+
+	if(s == NULL)
+	    return;
+
+	i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
+#ifdef REF_PRINT
+	REF_PRINT("SSL",s);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"SSL_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+
+	CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data);
+
+	if (s->bbio != NULL)
+		{
+		/* If the buffering BIO is in place, pop it off */
+		if (s->bbio == s->wbio)
+			{
+			s->wbio=BIO_pop(s->wbio);
+			}
+		BIO_free(s->bbio);
+		s->bbio=NULL;
+		}
+	if (s->rbio != NULL)
+		BIO_free_all(s->rbio);
+	if ((s->wbio != NULL) && (s->wbio != s->rbio))
+		BIO_free_all(s->wbio);
+
+	if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
+
+	/* add extra stuff */
+	if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
+	if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+	/* Make the next call work :-) */
+	if (s->session != NULL)
+		{
+		ssl_clear_bad_session(s);
+		SSL_SESSION_free(s->session);
+		}
+
+	ssl_clear_cipher_ctx(s);
+
+	if (s->cert != NULL) ssl_cert_free(s->cert);
+	/* Free up if allocated */
+
+	if (s->ctx) SSL_CTX_free(s->ctx);
+
+	if (s->client_CA != NULL)
+		sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
+
+	if (s->method != NULL) s->method->ssl_free(s);
+
+	Free(s);
+	}
+
+void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
+	{
+	/* If the output buffering BIO is still in place, remove it
+	 */
+	if (s->bbio != NULL)
+		{
+		if (s->wbio == s->bbio)
+			{
+			s->wbio=s->wbio->next_bio;
+			s->bbio->next_bio=NULL;
+			}
+		}
+	if ((s->rbio != NULL) && (s->rbio != rbio))
+		BIO_free_all(s->rbio);
+	if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
+		BIO_free_all(s->wbio);
+	s->rbio=rbio;
+	s->wbio=wbio;
+	}
+
+BIO *SSL_get_rbio(SSL *s)
+	{ return(s->rbio); }
+
+BIO *SSL_get_wbio(SSL *s)
+	{ return(s->wbio); }
+
+int SSL_get_fd(SSL *s)
+	{
+	int ret= -1;
+	BIO *b,*r;
+
+	b=SSL_get_rbio(s);
+	r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
+	if (r != NULL)
+		BIO_get_fd(r,&ret);
+	return(ret);
+	}
+
+#ifndef NO_SOCK
+int SSL_set_fd(SSL *s,int fd)
+	{
+	int ret=0;
+	BIO *bio=NULL;
+
+	bio=BIO_new(BIO_s_socket());
+
+	if (bio == NULL)
+		{
+		SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
+		goto err;
+		}
+	BIO_set_fd(bio,fd,BIO_NOCLOSE);
+	SSL_set_bio(s,bio,bio);
+	ret=1;
+err:
+	return(ret);
+	}
+
+int SSL_set_wfd(SSL *s,int fd)
+	{
+	int ret=0;
+	BIO *bio=NULL;
+
+	if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
+		|| ((int)BIO_get_fd(s->rbio,NULL) != fd))
+		{
+		bio=BIO_new(BIO_s_socket());
+
+		if (bio == NULL)
+			{ SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
+		BIO_set_fd(bio,fd,BIO_NOCLOSE);
+		SSL_set_bio(s,SSL_get_rbio(s),bio);
+		}
+	else
+		SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
+	ret=1;
+err:
+	return(ret);
+	}
+
+int SSL_set_rfd(SSL *s,int fd)
+	{
+	int ret=0;
+	BIO *bio=NULL;
+
+	if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
+		|| ((int)BIO_get_fd(s->wbio,NULL) != fd))
+		{
+		bio=BIO_new(BIO_s_socket());
+
+		if (bio == NULL)
+			{
+			SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
+			goto err;
+			}
+		BIO_set_fd(bio,fd,BIO_NOCLOSE);
+		SSL_set_bio(s,bio,SSL_get_wbio(s));
+		}
+	else
+		SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
+	ret=1;
+err:
+	return(ret);
+	}
+#endif
+
+
+/* return length of latest Finished message we sent, copy to 'buf' */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+	{
+	size_t ret = 0;
+	
+	if (s->s3 != NULL)
+		{
+		ret = s->s3->tmp.finish_md_len;
+		if (count > ret)
+			count = ret;
+		memcpy(buf, s->s3->tmp.finish_md, count);
+		}
+	return ret;
+	}
+
+/* return length of latest Finished message we expected, copy to 'buf' */
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+	{
+	size_t ret = 0;
+	
+	if (s->s3 != NULL)
+		{
+		ret = s->s3->tmp.peer_finish_md_len;
+		if (count > ret)
+			count = ret;
+		memcpy(buf, s->s3->tmp.peer_finish_md, count);
+		}
+	return ret;
+	}
+
+
+int SSL_get_verify_mode(SSL *s)
+	{
+	return(s->verify_mode);
+	}
+
+int SSL_get_verify_depth(SSL *s)
+	{
+	return(s->verify_depth);
+	}
+
+int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+	{
+	return(s->verify_callback);
+	}
+
+int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+	{
+	return(ctx->verify_mode);
+	}
+
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+	{
+	return(ctx->verify_depth);
+	}
+
+int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+	{
+	return(ctx->default_verify_callback);
+	}
+
+void SSL_set_verify(SSL *s,int mode,
+		    int (*callback)(int ok,X509_STORE_CTX *ctx))
+	{
+	s->verify_mode=mode;
+	if (callback != NULL)
+		s->verify_callback=callback;
+	}
+
+void SSL_set_verify_depth(SSL *s,int depth)
+	{
+	s->verify_depth=depth;
+	}
+
+void SSL_set_read_ahead(SSL *s,int yes)
+	{
+	s->read_ahead=yes;
+	}
+
+int SSL_get_read_ahead(SSL *s)
+	{
+	return(s->read_ahead);
+	}
+
+int SSL_pending(SSL *s)
+	{
+	return(s->method->ssl_pending(s));
+	}
+
+X509 *SSL_get_peer_certificate(SSL *s)
+	{
+	X509 *r;
+	
+	if ((s == NULL) || (s->session == NULL))
+		r=NULL;
+	else
+		r=s->session->peer;
+
+	if (r == NULL) return(r);
+
+	CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
+
+	return(r);
+	}
+
+STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+	{
+	STACK_OF(X509) *r;
+	
+	if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
+		r=NULL;
+	else
+		r=s->session->sess_cert->cert_chain;
+
+	/* If we are a client, cert_chain includes the peer's own
+	 * certificate; if we are a server, it does not. */
+	
+	return(r);
+	}
+
+/* Now in theory, since the calling process own 't' it should be safe to
+ * modify.  We need to be able to read f without being hassled */
+void SSL_copy_session_id(SSL *t,SSL *f)
+	{
+	CERT *tmp;
+
+	/* Do we need to to SSL locking? */
+	SSL_set_session(t,SSL_get_session(f));
+
+	/* what if we are setup as SSLv2 but want to talk SSLv3 or
+	 * vice-versa */
+	if (t->method != f->method)
+		{
+		t->method->ssl_free(t);	/* cleanup current */
+		t->method=f->method;	/* change method */
+		t->method->ssl_new(t);	/* setup new */
+		}
+
+	tmp=t->cert;
+	if (f->cert != NULL)
+		{
+		CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
+		t->cert=f->cert;
+		}
+	else
+		t->cert=NULL;
+	if (tmp != NULL) ssl_cert_free(tmp);
+	SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
+	}
+
+/* Fix this so it checks all the valid key/cert options */
+int SSL_CTX_check_private_key(SSL_CTX *ctx)
+	{
+	if (	(ctx == NULL) ||
+		(ctx->cert == NULL) ||
+		(ctx->cert->key->x509 == NULL))
+		{
+		SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+		return(0);
+		}
+	if 	(ctx->cert->key->privatekey == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+		return(0);
+		}
+	return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
+	}
+
+/* Fix this function so that it takes an optional type parameter */
+int SSL_check_private_key(SSL *ssl)
+	{
+	if (ssl == NULL)
+		{
+		SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (ssl->cert == NULL)
+		{
+                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+		return 0;
+		}
+	if (ssl->cert->key->x509 == NULL)
+		{
+		SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+		return(0);
+		}
+	if (ssl->cert->key->privatekey == NULL)
+		{
+		SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+		return(0);
+		}
+	return(X509_check_private_key(ssl->cert->key->x509,
+		ssl->cert->key->privatekey));
+	}
+
+int SSL_accept(SSL *s)
+	{
+	if (s->handshake_func == 0)
+		/* Not properly initialized yet */
+		SSL_set_accept_state(s);
+
+	return(s->method->ssl_accept(s));
+	}
+
+int SSL_connect(SSL *s)
+	{
+	if (s->handshake_func == 0)
+		/* Not properly initialized yet */
+		SSL_set_connect_state(s);
+
+	return(s->method->ssl_connect(s));
+	}
+
+long SSL_get_default_timeout(SSL *s)
+	{
+	return(s->method->get_timeout());
+	}
+
+int SSL_read(SSL *s,char *buf,int num)
+	{
+	if (s->handshake_func == 0)
+		{
+		SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+		return -1;
+		}
+
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+	return(s->method->ssl_read(s,buf,num));
+	}
+
+int SSL_peek(SSL *s,char *buf,int num)
+	{
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		return(0);
+		}
+	return(s->method->ssl_peek(s,buf,num));
+	}
+
+int SSL_write(SSL *s,const char *buf,int num)
+	{
+	if (s->handshake_func == 0)
+		{
+		SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
+		return -1;
+		}
+
+	if (s->shutdown & SSL_SENT_SHUTDOWN)
+		{
+		s->rwstate=SSL_NOTHING;
+		SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
+		return(-1);
+		}
+	return(s->method->ssl_write(s,buf,num));
+	}
+
+int SSL_shutdown(SSL *s)
+	{
+	/* Note that this function behaves differently from what one might
+	 * expect.  Return values are 0 for no success (yet),
+	 * 1 for success; but calling it once is usually not enough,
+	 * even if blocking I/O is used (see ssl3_shutdown).
+	 */
+
+	if (s->handshake_func == 0)
+		{
+		SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
+		return -1;
+		}
+
+	if ((s != NULL) && !SSL_in_init(s))
+		return(s->method->ssl_shutdown(s));
+	else
+		return(1);
+	}
+
+int SSL_renegotiate(SSL *s)
+	{
+	s->new_session=1;
+	return(s->method->ssl_renegotiate(s));
+	}
+
+long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
+	{
+	long l;
+
+	switch (cmd)
+		{
+	case SSL_CTRL_GET_READ_AHEAD:
+		return(s->read_ahead);
+	case SSL_CTRL_SET_READ_AHEAD:
+		l=s->read_ahead;
+		s->read_ahead=larg;
+		return(l);
+	case SSL_CTRL_OPTIONS:
+		return(s->options|=larg);
+	case SSL_CTRL_MODE:
+		return(s->mode|=larg);
+	default:
+		return(s->method->ssl_ctrl(s,cmd,larg,parg));
+		}
+	}
+
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+	{
+	switch(cmd)
+		{
+	default:
+		return(s->method->ssl_callback_ctrl(s,cmd,fp));
+		}
+	}
+
+struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
+	{
+	return ctx->sessions;
+	}
+
+long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
+	{
+	long l;
+
+	switch (cmd)
+		{
+	case SSL_CTRL_GET_READ_AHEAD:
+		return(ctx->read_ahead);
+	case SSL_CTRL_SET_READ_AHEAD:
+		l=ctx->read_ahead;
+		ctx->read_ahead=larg;
+		return(l);
+
+	case SSL_CTRL_SET_SESS_CACHE_SIZE:
+		l=ctx->session_cache_size;
+		ctx->session_cache_size=larg;
+		return(l);
+	case SSL_CTRL_GET_SESS_CACHE_SIZE:
+		return(ctx->session_cache_size);
+	case SSL_CTRL_SET_SESS_CACHE_MODE:
+		l=ctx->session_cache_mode;
+		ctx->session_cache_mode=larg;
+		return(l);
+	case SSL_CTRL_GET_SESS_CACHE_MODE:
+		return(ctx->session_cache_mode);
+
+	case SSL_CTRL_SESS_NUMBER:
+		return(ctx->sessions->num_items);
+	case SSL_CTRL_SESS_CONNECT:
+		return(ctx->stats.sess_connect);
+	case SSL_CTRL_SESS_CONNECT_GOOD:
+		return(ctx->stats.sess_connect_good);
+	case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
+		return(ctx->stats.sess_connect_renegotiate);
+	case SSL_CTRL_SESS_ACCEPT:
+		return(ctx->stats.sess_accept);
+	case SSL_CTRL_SESS_ACCEPT_GOOD:
+		return(ctx->stats.sess_accept_good);
+	case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
+		return(ctx->stats.sess_accept_renegotiate);
+	case SSL_CTRL_SESS_HIT:
+		return(ctx->stats.sess_hit);
+	case SSL_CTRL_SESS_CB_HIT:
+		return(ctx->stats.sess_cb_hit);
+	case SSL_CTRL_SESS_MISSES:
+		return(ctx->stats.sess_miss);
+	case SSL_CTRL_SESS_TIMEOUTS:
+		return(ctx->stats.sess_timeout);
+	case SSL_CTRL_SESS_CACHE_FULL:
+		return(ctx->stats.sess_cache_full);
+	case SSL_CTRL_OPTIONS:
+		return(ctx->options|=larg);
+	case SSL_CTRL_MODE:
+		return(ctx->mode|=larg);
+	default:
+		return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+		}
+	}
+
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+	{
+	switch(cmd)
+		{
+	default:
+		return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
+		}
+	}
+
+int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b)
+	{
+	long l;
+
+	l=a->id-b->id;
+	if (l == 0L)
+		return(0);
+	else
+		return((l > 0)?1:-1);
+	}
+
+int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp)
+	{
+	long l;
+
+	l=(*ap)->id-(*bp)->id;
+	if (l == 0L)
+		return(0);
+	else
+		return((l > 0)?1:-1);
+	}
+
+/** return a STACK of the ciphers available for the SSL and in order of
+ * preference */
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+	{
+	if ((s != NULL) && (s->cipher_list != NULL))
+		{
+		return(s->cipher_list);
+		}
+	else if ((s->ctx != NULL) &&
+		(s->ctx->cipher_list != NULL))
+		{
+		return(s->ctx->cipher_list);
+		}
+	return(NULL);
+	}
+
+/** return a STACK of the ciphers available for the SSL and in order of
+ * algorithm id */
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
+	{
+	if ((s != NULL) && (s->cipher_list_by_id != NULL))
+		{
+		return(s->cipher_list_by_id);
+		}
+	else if ((s != NULL) && (s->ctx != NULL) &&
+		(s->ctx->cipher_list_by_id != NULL))
+		{
+		return(s->ctx->cipher_list_by_id);
+		}
+	return(NULL);
+	}
+
+/** The old interface to get the same thing as SSL_get_ciphers() */
+const char *SSL_get_cipher_list(SSL *s,int n)
+	{
+	SSL_CIPHER *c;
+	STACK_OF(SSL_CIPHER) *sk;
+
+	if (s == NULL) return(NULL);
+	sk=SSL_get_ciphers(s);
+	if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
+		return(NULL);
+	c=sk_SSL_CIPHER_value(sk,n);
+	if (c == NULL) return(NULL);
+	return(c->name);
+	}
+
+/** specify the ciphers to be used by default by the SSL_CTX */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
+	{
+	STACK_OF(SSL_CIPHER) *sk;
+	
+	sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
+		&ctx->cipher_list_by_id,str);
+/* XXXX */
+	return((sk == NULL)?0:1);
+	}
+
+/** specify the ciphers to be used by the SSL */
+int SSL_set_cipher_list(SSL *s,const char *str)
+	{
+	STACK_OF(SSL_CIPHER) *sk;
+	
+	sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
+		&s->cipher_list_by_id,str);
+/* XXXX */
+	return((sk == NULL)?0:1);
+	}
+
+/* works well for SSLv2, not so good for SSLv3 */
+char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+	{
+	char *p;
+	const char *cp;
+	STACK_OF(SSL_CIPHER) *sk;
+	SSL_CIPHER *c;
+	int i;
+
+	if ((s->session == NULL) || (s->session->ciphers == NULL) ||
+		(len < 2))
+		return(NULL);
+
+	p=buf;
+	sk=s->session->ciphers;
+	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+		{
+		/* Decrement for either the ':' or a '\0' */
+		len--;
+		c=sk_SSL_CIPHER_value(sk,i);
+		for (cp=c->name; *cp; )
+			{
+			if (len-- == 0)
+				{
+				*p='\0';
+				return(buf);
+				}
+			else
+				*(p++)= *(cp++);
+			}
+		*(p++)=':';
+		}
+	p[-1]='\0';
+	return(buf);
+	}
+
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
+	{
+	int i,j=0;
+	SSL_CIPHER *c;
+	unsigned char *q;
+
+	if (sk == NULL) return(0);
+	q=p;
+
+	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+		{
+		c=sk_SSL_CIPHER_value(sk,i);
+		j=ssl_put_cipher_by_char(s,c,p);
+		p+=j;
+		}
+	return(p-q);
+	}
+
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+					       STACK_OF(SSL_CIPHER) **skp)
+	{
+	SSL_CIPHER *c;
+	STACK_OF(SSL_CIPHER) *sk;
+	int i,n;
+
+	n=ssl_put_cipher_by_char(s,NULL,NULL);
+	if ((num%n) != 0)
+		{
+		SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+		return(NULL);
+		}
+	if ((skp == NULL) || (*skp == NULL))
+		sk=sk_SSL_CIPHER_new(NULL); /* change perhaps later */
+	else
+		{
+		sk= *skp;
+		sk_SSL_CIPHER_zero(sk);
+		}
+
+	for (i=0; i<num; i+=n)
+		{
+		c=ssl_get_cipher_by_char(s,p);
+		p+=n;
+		if (c != NULL)
+			{
+			if (!sk_SSL_CIPHER_push(sk,c))
+				{
+				SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			}
+		}
+
+	if (skp != NULL)
+		*skp=sk;
+	return(sk);
+err:
+	if ((skp == NULL) || (*skp == NULL))
+		sk_SSL_CIPHER_free(sk);
+	return(NULL);
+	}
+
+unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+	{
+	unsigned long l;
+
+	l=(unsigned long)
+		((unsigned int) a->session_id[0]     )|
+		((unsigned int) a->session_id[1]<< 8L)|
+		((unsigned long)a->session_id[2]<<16L)|
+		((unsigned long)a->session_id[3]<<24L);
+	return(l);
+	}
+
+int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+	{
+	if (a->ssl_version != b->ssl_version)
+		return(1);
+	if (a->session_id_length != b->session_id_length)
+		return(1);
+	return(memcmp(a->session_id,b->session_id,a->session_id_length));
+	}
+
+SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
+	{
+	SSL_CTX *ret=NULL;
+	
+	if (meth == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
+		return(NULL);
+		}
+
+	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+		goto err;
+		}
+	ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX));
+	if (ret == NULL)
+		goto err;
+
+	memset(ret,0,sizeof(SSL_CTX));
+
+	ret->method=meth;
+
+	ret->cert_store=NULL;
+	ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
+	ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
+	ret->session_cache_head=NULL;
+	ret->session_cache_tail=NULL;
+
+	/* We take the system default */
+	ret->session_timeout=meth->get_timeout();
+
+	ret->new_session_cb=NULL;
+	ret->remove_session_cb=NULL;
+	ret->get_session_cb=NULL;
+
+	memset((char *)&ret->stats,0,sizeof(ret->stats));
+
+	ret->references=1;
+	ret->quiet_shutdown=0;
+
+/*	ret->cipher=NULL;*/
+/*	ret->s2->challenge=NULL;
+	ret->master_key=NULL;
+	ret->key_arg=NULL;
+	ret->s2->conn_id=NULL; */
+
+	ret->info_callback=NULL;
+
+	ret->app_verify_callback=NULL;
+	ret->app_verify_arg=NULL;
+
+	ret->read_ahead=0;
+	ret->verify_mode=SSL_VERIFY_NONE;
+	ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
+	ret->default_verify_callback=NULL;
+	if ((ret->cert=ssl_cert_new()) == NULL)
+		goto err;
+
+	ret->default_passwd_callback=NULL;
+	ret->default_passwd_callback_userdata=NULL;
+	ret->client_cert_cb=NULL;
+
+	ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp);
+	if (ret->sessions == NULL) goto err;
+	ret->cert_store=X509_STORE_new();
+	if (ret->cert_store == NULL) goto err;
+
+	ssl_create_cipher_list(ret->method,
+		&ret->cipher_list,&ret->cipher_list_by_id,
+		SSL_DEFAULT_CIPHER_LIST);
+	if (ret->cipher_list == NULL
+	    || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
+		goto err2;
+		}
+
+	if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
+		goto err2;
+		}
+	if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+		goto err2;
+		}
+	if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+		goto err2;
+		}
+
+	if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
+		goto err;
+
+	CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
+
+	ret->extra_certs=NULL;
+	ret->comp_methods=SSL_COMP_get_compression_methods();
+
+	return(ret);
+err:
+	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
+err2:
+	if (ret != NULL) SSL_CTX_free(ret);
+	return(NULL);
+	}
+
+static void SSL_COMP_free(SSL_COMP *comp)
+    { Free(comp); }
+
+void SSL_CTX_free(SSL_CTX *a)
+	{
+	int i;
+
+	if (a == NULL) return;
+
+	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
+#ifdef REF_PRINT
+	REF_PRINT("SSL_CTX",a);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"SSL_CTX_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+	CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
+
+	if (a->sessions != NULL)
+		{
+		SSL_CTX_flush_sessions(a,0);
+		lh_free(a->sessions);
+		}
+	if (a->cert_store != NULL)
+		X509_STORE_free(a->cert_store);
+	if (a->cipher_list != NULL)
+		sk_SSL_CIPHER_free(a->cipher_list);
+	if (a->cipher_list_by_id != NULL)
+		sk_SSL_CIPHER_free(a->cipher_list_by_id);
+	if (a->cert != NULL)
+		ssl_cert_free(a->cert);
+	if (a->client_CA != NULL)
+		sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
+	if (a->extra_certs != NULL)
+		sk_X509_pop_free(a->extra_certs,X509_free);
+	if (a->comp_methods != NULL)
+		sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
+	Free(a);
+	}
+
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
+	{
+	ctx->default_passwd_callback=cb;
+	}
+
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
+	{
+	ctx->default_passwd_callback_userdata=u;
+	}
+
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg)
+	{
+	/* now
+	 *     int (*cb)(X509_STORE_CTX *),
+	 * but should be
+	 *     int (*cb)(X509_STORE_CTX *, void *arg)
+	 */
+	ctx->app_verify_callback=cb;
+	ctx->app_verify_arg=arg; /* never used */
+	}
+
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
+	{
+	ctx->verify_mode=mode;
+	ctx->default_verify_callback=cb;
+	/* This needs cleaning up EAY EAY EAY */
+	X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
+	}
+
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+	{
+	ctx->verify_depth=depth;
+	}
+
+void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
+	{
+	CERT_PKEY *cpk;
+	int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
+	int rsa_enc_export,dh_rsa_export,dh_dsa_export;
+	int rsa_tmp_export,dh_tmp_export,kl;
+	unsigned long mask,emask;
+
+	if (c == NULL) return;
+
+	kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
+
+#ifndef NO_RSA
+	rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
+	rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
+		(rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
+#else
+	rsa_tmp=rsa_tmp_export=0;
+#endif
+#ifndef NO_DH
+	dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
+	dh_tmp_export=(c->dh_tmp_cb != NULL ||
+		(dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
+#else
+	dh_tmp=dh_tmp_export=0;
+#endif
+
+	cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
+	rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+	rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
+	cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
+	rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+	cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
+	dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+	cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
+	dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+	dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
+	cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
+/* FIX THIS EAY EAY EAY */
+	dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+	dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
+
+	mask=0;
+	emask=0;
+
+#ifdef CIPHER_DEBUG
+	printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+		rsa_tmp,rsa_tmp_export,dh_tmp,
+		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
+#endif
+
+	if (rsa_enc || (rsa_tmp && rsa_sign))
+		mask|=SSL_kRSA;
+	if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
+		emask|=SSL_kRSA;
+
+#if 0
+	/* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
+	if (	(dh_tmp || dh_rsa || dh_dsa) && 
+		(rsa_enc || rsa_sign || dsa_sign))
+		mask|=SSL_kEDH;
+	if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
+		(rsa_enc || rsa_sign || dsa_sign))
+		emask|=SSL_kEDH;
+#endif
+
+	if (dh_tmp_export) 
+		emask|=SSL_kEDH;
+
+	if (dh_tmp)
+		mask|=SSL_kEDH;
+
+	if (dh_rsa) mask|=SSL_kDHr;
+	if (dh_rsa_export) emask|=SSL_kDHr;
+
+	if (dh_dsa) mask|=SSL_kDHd;
+	if (dh_dsa_export) emask|=SSL_kDHd;
+
+	if (rsa_enc || rsa_sign)
+		{
+		mask|=SSL_aRSA;
+		emask|=SSL_aRSA;
+		}
+
+	if (dsa_sign)
+		{
+		mask|=SSL_aDSS;
+		emask|=SSL_aDSS;
+		}
+
+	mask|=SSL_aNULL;
+	emask|=SSL_aNULL;
+
+	c->mask=mask;
+	c->export_mask=emask;
+	c->valid=1;
+	}
+
+/* THIS NEEDS CLEANING UP */
+X509 *ssl_get_server_send_cert(SSL *s)
+	{
+	unsigned long alg,mask,kalg;
+	CERT *c;
+	int i,is_export;
+
+	c=s->cert;
+	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
+	alg=s->s3->tmp.new_cipher->algorithms;
+	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+	mask=is_export?c->export_mask:c->mask;
+	kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+
+	if 	(kalg & SSL_kDHr)
+		i=SSL_PKEY_DH_RSA;
+	else if (kalg & SSL_kDHd)
+		i=SSL_PKEY_DH_DSA;
+	else if (kalg & SSL_aDSS)
+		i=SSL_PKEY_DSA_SIGN;
+	else if (kalg & SSL_aRSA)
+		{
+		if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
+			i=SSL_PKEY_RSA_SIGN;
+		else
+			i=SSL_PKEY_RSA_ENC;
+		}
+	else /* if (kalg & SSL_aNULL) */
+		{
+		SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR);
+		return(NULL);
+		}
+	if (c->pkeys[i].x509 == NULL) return(NULL);
+	return(c->pkeys[i].x509);
+	}
+
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
+	{
+	unsigned long alg;
+	CERT *c;
+
+	alg=cipher->algorithms;
+	c=s->cert;
+
+	if ((alg & SSL_aDSS) &&
+		(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
+		return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
+	else if (alg & SSL_aRSA)
+		{
+		if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
+			return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
+		else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
+			return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+		else
+			return(NULL);
+		}
+	else /* if (alg & SSL_aNULL) */
+		{
+		SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR);
+		return(NULL);
+		}
+	}
+
+void ssl_update_cache(SSL *s,int mode)
+	{
+	int i;
+
+	/* If the session_id_length is 0, we are not supposed to cache it,
+	 * and it would be rather hard to do anyway :-) */
+	if (s->session->session_id_length == 0) return;
+
+	if ((s->ctx->session_cache_mode & mode)
+		&& (!s->hit)
+		&& SSL_CTX_add_session(s->ctx,s->session)
+		&& (s->ctx->new_session_cb != NULL))
+		{
+		CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
+		if (!s->ctx->new_session_cb(s,s->session))
+			SSL_SESSION_free(s->session);
+		}
+
+	/* auto flush every 255 connections */
+	i=s->ctx->session_cache_mode;
+	if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
+		((i & mode) == mode))
+		{
+		if (  (((mode & SSL_SESS_CACHE_CLIENT)
+			?s->ctx->stats.sess_connect_good
+			:s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
+			{
+			SSL_CTX_flush_sessions(s->ctx,time(NULL));
+			}
+		}
+	}
+
+SSL_METHOD *SSL_get_ssl_method(SSL *s)
+	{
+	return(s->method);
+	}
+
+int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
+	{
+	int conn= -1;
+	int ret=1;
+
+	if (s->method != meth)
+		{
+		if (s->handshake_func != NULL)
+			conn=(s->handshake_func == s->method->ssl_connect);
+
+		if (s->method->version == meth->version)
+			s->method=meth;
+		else
+			{
+			s->method->ssl_free(s);
+			s->method=meth;
+			ret=s->method->ssl_new(s);
+			}
+
+		if (conn == 1)
+			s->handshake_func=meth->ssl_connect;
+		else if (conn == 0)
+			s->handshake_func=meth->ssl_accept;
+		}
+	return(ret);
+	}
+
+int SSL_get_error(SSL *s,int i)
+	{
+	int reason;
+	unsigned long l;
+	BIO *bio;
+
+	if (i > 0) return(SSL_ERROR_NONE);
+
+	/* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
+	 * etc, where we do encode the error */
+	if ((l=ERR_peek_error()) != 0)
+		{
+		if (ERR_GET_LIB(l) == ERR_LIB_SYS)
+			return(SSL_ERROR_SYSCALL);
+		else
+			return(SSL_ERROR_SSL);
+		}
+
+	if ((i < 0) && SSL_want_read(s))
+		{
+		bio=SSL_get_rbio(s);
+		if (BIO_should_read(bio))
+			return(SSL_ERROR_WANT_READ);
+		else if (BIO_should_write(bio))
+			/* This one doesn't make too much sense ... We never try
+			 * to write to the rbio, and an application program where
+			 * rbio and wbio are separate couldn't even know what it
+			 * should wait for.
+			 * However if we ever set s->rwstate incorrectly
+			 * (so that we have SSL_want_read(s) instead of
+			 * SSL_want_write(s)) and rbio and wbio *are* the same,
+			 * this test works around that bug; so it might be safer
+			 * to keep it. */
+			return(SSL_ERROR_WANT_WRITE);
+		else if (BIO_should_io_special(bio))
+			{
+			reason=BIO_get_retry_reason(bio);
+			if (reason == BIO_RR_CONNECT)
+				return(SSL_ERROR_WANT_CONNECT);
+			else
+				return(SSL_ERROR_SYSCALL); /* unknown */
+			}
+		}
+
+	if ((i < 0) && SSL_want_write(s))
+		{
+		bio=SSL_get_wbio(s);
+		if (BIO_should_write(bio))
+			return(SSL_ERROR_WANT_WRITE);
+		else if (BIO_should_read(bio))
+			/* See above (SSL_want_read(s) with BIO_should_write(bio)) */
+			return(SSL_ERROR_WANT_READ);
+		else if (BIO_should_io_special(bio))
+			{
+			reason=BIO_get_retry_reason(bio);
+			if (reason == BIO_RR_CONNECT)
+				return(SSL_ERROR_WANT_CONNECT);
+			else
+				return(SSL_ERROR_SYSCALL);
+			}
+		}
+	if ((i < 0) && SSL_want_x509_lookup(s))
+		{
+		return(SSL_ERROR_WANT_X509_LOOKUP);
+		}
+
+	if (i == 0)
+		{
+		if (s->version == SSL2_VERSION)
+			{
+			/* assume it is the socket being closed */
+			return(SSL_ERROR_ZERO_RETURN);
+			}
+		else
+			{
+			if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+				(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
+				return(SSL_ERROR_ZERO_RETURN);
+			}
+		}
+	return(SSL_ERROR_SYSCALL);
+	}
+
+int SSL_do_handshake(SSL *s)
+	{
+	int ret=1;
+
+	if (s->handshake_func == NULL)
+		{
+		SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
+		return(-1);
+		}
+
+	s->method->ssl_renegotiate_check(s);
+
+	if (SSL_in_init(s) || SSL_in_before(s))
+		{
+		ret=s->handshake_func(s);
+		}
+	return(ret);
+	}
+
+/* For the next 2 functions, SSL_clear() sets shutdown and so
+ * one of these calls will reset it */
+void SSL_set_accept_state(SSL *s)
+	{
+	s->server=1;
+	s->shutdown=0;
+	s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
+	s->handshake_func=s->method->ssl_accept;
+	/* clear the current cipher */
+	ssl_clear_cipher_ctx(s);
+	}
+
+void SSL_set_connect_state(SSL *s)
+	{
+	s->server=0;
+	s->shutdown=0;
+	s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
+	s->handshake_func=s->method->ssl_connect;
+	/* clear the current cipher */
+	ssl_clear_cipher_ctx(s);
+	}
+
+int ssl_undefined_function(SSL *s)
+	{
+	SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(0);
+	}
+
+SSL_METHOD *ssl_bad_method(int ver)
+	{
+	SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(NULL);
+	}
+
+const char *SSL_get_version(SSL *s)
+	{
+	if (s->version == TLS1_VERSION)
+		return("TLSv1");
+	else if (s->version == SSL3_VERSION)
+		return("SSLv3");
+	else if (s->version == SSL2_VERSION)
+		return("SSLv2");
+	else
+		return("unknown");
+	}
+
+SSL *SSL_dup(SSL *s)
+	{
+	STACK_OF(X509_NAME) *sk;
+	X509_NAME *xn;
+	SSL *ret;
+	int i;
+		 
+	if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
+	    return(NULL);
+			  
+	if (s->session != NULL)
+		{
+		/* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
+		SSL_copy_session_id(ret,s);
+		}
+	else
+		{
+		/* No session has been established yet, so we have to expect
+		 * that s->cert or ret->cert will be changed later --
+		 * they should not both point to the same object,
+		 * and thus we can't use SSL_copy_session_id. */
+
+		ret->method = s->method;
+		ret->method->ssl_new(ret);
+
+		if (s->cert != NULL)
+			{
+			ret->cert = ssl_cert_dup(s->cert);
+			if (ret->cert == NULL)
+				goto err;
+			}
+				
+		SSL_set_session_id_context(ret,
+			s->sid_ctx, s->sid_ctx_length);
+		}
+
+	SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
+	SSL_set_verify(ret,SSL_get_verify_mode(s),
+		SSL_get_verify_callback(s));
+	SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
+
+	SSL_set_info_callback(ret,SSL_get_info_callback(s));
+	
+	ret->debug=s->debug;
+	ret->options=s->options;
+
+	/* copy app data, a little dangerous perhaps */
+	if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data))
+		goto err;
+
+	/* setup rbio, and wbio */
+	if (s->rbio != NULL)
+		{
+		if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
+			goto err;
+		}
+	if (s->wbio != NULL)
+		{
+		if (s->wbio != s->rbio)
+			{
+			if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
+				goto err;
+			}
+		else
+			ret->wbio=ret->rbio;
+		}
+
+	/* dup the cipher_list and cipher_list_by_id stacks */
+	if (s->cipher_list != NULL)
+		{
+		if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
+			goto err;
+		}
+	if (s->cipher_list_by_id != NULL)
+		if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
+			== NULL)
+			goto err;
+
+	/* Dup the client_CA list */
+	if (s->client_CA != NULL)
+		{
+		if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
+		ret->client_CA=sk;
+		for (i=0; i<sk_X509_NAME_num(sk); i++)
+			{
+			xn=sk_X509_NAME_value(sk,i);
+			if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
+				{
+				X509_NAME_free(xn);
+				goto err;
+				}
+			}
+		}
+
+	ret->shutdown=s->shutdown;
+	ret->state=s->state;
+	ret->handshake_func=s->handshake_func;
+	ret->server=s->server;
+
+	if (0)
+		{
+err:
+		if (ret != NULL) SSL_free(ret);
+		ret=NULL;
+		}
+	return(ret);
+	}
+
+void ssl_clear_cipher_ctx(SSL *s)
+	{
+	if (s->enc_read_ctx != NULL)
+		{
+		EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
+		Free(s->enc_read_ctx);
+		s->enc_read_ctx=NULL;
+		}
+	if (s->enc_write_ctx != NULL)
+		{
+		EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
+		Free(s->enc_write_ctx);
+		s->enc_write_ctx=NULL;
+		}
+	if (s->expand != NULL)
+		{
+		COMP_CTX_free(s->expand);
+		s->expand=NULL;
+		}
+	if (s->compress != NULL)
+		{
+		COMP_CTX_free(s->compress);
+		s->compress=NULL;
+		}
+	}
+
+/* Fix this function so that it takes an optional type parameter */
+X509 *SSL_get_certificate(SSL *s)
+	{
+	if (s->cert != NULL)
+		return(s->cert->key->x509);
+	else
+		return(NULL);
+	}
+
+/* Fix this function so that it takes an optional type parameter */
+EVP_PKEY *SSL_get_privatekey(SSL *s)
+	{
+	if (s->cert != NULL)
+		return(s->cert->key->privatekey);
+	else
+		return(NULL);
+	}
+
+SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+	{
+	if ((s->session != NULL) && (s->session->cipher != NULL))
+		return(s->session->cipher);
+	return(NULL);
+	}
+
+int ssl_init_wbio_buffer(SSL *s,int push)
+	{
+	BIO *bbio;
+
+	if (s->bbio == NULL)
+		{
+		bbio=BIO_new(BIO_f_buffer());
+		if (bbio == NULL) return(0);
+		s->bbio=bbio;
+		}
+	else
+		{
+		bbio=s->bbio;
+		if (s->bbio == s->wbio)
+			s->wbio=BIO_pop(s->wbio);
+		}
+	(void)BIO_reset(bbio);
+/*	if (!BIO_set_write_buffer_size(bbio,16*1024)) */
+	if (!BIO_set_read_buffer_size(bbio,1))
+		{
+		SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
+		return(0);
+		}
+	if (push)
+		{
+		if (s->wbio != bbio)
+			s->wbio=BIO_push(bbio,s->wbio);
+		}
+	else
+		{
+		if (s->wbio == bbio)
+			s->wbio=BIO_pop(bbio);
+		}
+	return(1);
+	}
+
+void ssl_free_wbio_buffer(SSL *s)
+	{
+	BIO *under;
+
+	if (s->bbio == NULL) return;
+
+	if (s->bbio == s->wbio)
+		{
+		/* remove buffering */
+		under=BIO_pop(s->wbio);
+		if (under != NULL)
+			s->wbio=under;
+		else
+			abort(); /* ok */
+		}
+	BIO_free(s->bbio);
+	s->bbio=NULL;
+	}
+	
+void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
+	{
+	ctx->quiet_shutdown=mode;
+	}
+
+int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+	{
+	return(ctx->quiet_shutdown);
+	}
+
+void SSL_set_quiet_shutdown(SSL *s,int mode)
+	{
+	s->quiet_shutdown=mode;
+	}
+
+int SSL_get_quiet_shutdown(SSL *s)
+	{
+	return(s->quiet_shutdown);
+	}
+
+void SSL_set_shutdown(SSL *s,int mode)
+	{
+	s->shutdown=mode;
+	}
+
+int SSL_get_shutdown(SSL *s)
+	{
+	return(s->shutdown);
+	}
+
+int SSL_version(SSL *s)
+	{
+	return(s->version);
+	}
+
+SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+	{
+	return(ssl->ctx);
+	}
+
+#ifndef NO_STDIO
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
+	{
+	return(X509_STORE_set_default_paths(ctx->cert_store));
+	}
+
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+		const char *CApath)
+	{
+	return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+	}
+#endif
+
+void SSL_set_info_callback(SSL *ssl,void (*cb)())
+	{
+	ssl->info_callback=cb;
+	}
+
+void (*SSL_get_info_callback(SSL *ssl))(void)
+	{
+	return((void (*)())ssl->info_callback);
+	}
+
+int SSL_state(SSL *ssl)
+	{
+	return(ssl->state);
+	}
+
+void SSL_set_verify_result(SSL *ssl,long arg)
+	{
+	ssl->verify_result=arg;
+	}
+
+long SSL_get_verify_result(SSL *ssl)
+	{
+	return(ssl->verify_result);
+	}
+
+int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+			 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
+	{
+	ssl_meth_num++;
+	return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
+		&ssl_meth,argl,argp,new_func,dup_func,free_func));
+	}
+
+int SSL_set_ex_data(SSL *s,int idx,void *arg)
+	{
+	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+	}
+
+void *SSL_get_ex_data(SSL *s,int idx)
+	{
+	return(CRYPTO_get_ex_data(&s->ex_data,idx));
+	}
+
+int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+			     CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
+	{
+	ssl_ctx_meth_num++;
+	return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
+		&ssl_ctx_meth,argl,argp,new_func,dup_func,free_func));
+	}
+
+int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
+	{
+	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+	}
+
+void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+	{
+	return(CRYPTO_get_ex_data(&s->ex_data,idx));
+	}
+
+int ssl_ok(SSL *s)
+	{
+	return(1);
+	}
+
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+	{
+	return(ctx->cert_store);
+	}
+
+void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
+	{
+	if (ctx->cert_store != NULL)
+		X509_STORE_free(ctx->cert_store);
+	ctx->cert_store=store;
+	}
+
+int SSL_want(SSL *s)
+	{
+	return(s->rwstate);
+	}
+
+/*!
+ * \brief Set the callback for generating temporary RSA keys.
+ * \param ctx the SSL context.
+ * \param cb the callback
+ */
+
+#ifndef NO_RSA
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
+							  int is_export,
+							  int keylength))
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
+
+void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
+						  int is_export,
+						  int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
+#endif
+
+#ifdef DOXYGEN
+/*!
+ * \brief The RSA temporary key callback function.
+ * \param ssl the SSL session.
+ * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
+ * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
+ * of the required key in bits.
+ * \return the temporary RSA key.
+ * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
+ */
+
+RSA *cb(SSL *ssl,int is_export,int keylength)
+    {}
+#endif
+
+/*!
+ * \brief Set the callback for generating temporary DH keys.
+ * \param ctx the SSL context.
+ * \param dh the callback
+ */
+
+#ifndef NO_DH
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
+							int keylength))
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
+
+void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
+						int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
+#endif
+
+#if defined(_WINDLL) && defined(WIN16)
+#include "../crypto/bio/bss_file.c"
+#endif
+
+IMPLEMENT_STACK_OF(SSL_CIPHER)
+IMPLEMENT_STACK_OF(SSL_COMP)
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
new file mode 100644
index 0000000..9a52bab
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -0,0 +1,555 @@
+/* ssl/ssl_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_SSL_LOCL_H
+#define HEADER_SSL_LOCL_H
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <errno.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/buffer.h>
+#include <openssl/comp.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/stack.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#define PKCS1_CHECK
+
+#define c2l(c,l)	(l = ((unsigned long)(*((c)++)))     , \
+			 l|=(((unsigned long)(*((c)++)))<< 8), \
+			 l|=(((unsigned long)(*((c)++)))<<16), \
+			 l|=(((unsigned long)(*((c)++)))<<24))
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24)&0xff))
+
+#define n2l(c,l)	(l =((unsigned long)(*((c)++)))<<24, \
+			 l|=((unsigned long)(*((c)++)))<<16, \
+			 l|=((unsigned long)(*((c)++)))<< 8, \
+			 l|=((unsigned long)(*((c)++))))
+
+#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+			 *((c)++)=(unsigned char)(((l)    )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+				} \
+			}
+
+#define n2s(c,s)	((s=(((unsigned int)(c[0]))<< 8)| \
+			    (((unsigned int)(c[1]))    )),c+=2)
+#define s2n(s,c)	((c[0]=(unsigned char)(((s)>> 8)&0xff), \
+			  c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
+
+#define n2l3(c,l)	((l =(((unsigned long)(c[0]))<<16)| \
+			     (((unsigned long)(c[1]))<< 8)| \
+			     (((unsigned long)(c[2]))    )),c+=3)
+
+#define l2n3(l,c)	((c[0]=(unsigned char)(((l)>>16)&0xff), \
+			  c[1]=(unsigned char)(((l)>> 8)&0xff), \
+			  c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
+
+/* LOCAL STUFF */
+
+#define SSL_DECRYPT	0
+#define SSL_ENCRYPT	1
+
+#define TWO_BYTE_BIT	0x80
+#define SEC_ESC_BIT	0x40
+#define TWO_BYTE_MASK	0x7fff
+#define THREE_BYTE_MASK	0x3fff
+
+#define INC32(a)	((a)=((a)+1)&0xffffffffL)
+#define DEC32(a)	((a)=((a)-1)&0xffffffffL)
+#define MAX_MAC_SIZE	20 /* up from 16 for SSLv3 */
+
+/*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers
+ * etc will be added, the bits a likely to change, so this information
+ * is for internal library use only, even though SSL_CIPHER.algorithms
+ * can be publicly accessed.
+ * Use the according functions for cipher management instead.
+ *
+ * The bit mask handling in the selection and sorting scheme in
+ * ssl_create_cipher_list() has only limited capabilities, reflecting
+ * that the different entities within are mutually exclusive:
+ * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
+ */
+#define SSL_MKEY_MASK		0x0000001FL
+#define SSL_kRSA		0x00000001L /* RSA key exchange */
+#define SSL_kDHr		0x00000002L /* DH cert RSA CA cert */
+#define SSL_kDHd		0x00000004L /* DH cert DSA CA cert */
+#define SSL_kFZA		0x00000008L
+#define SSL_kEDH		0x00000010L /* tmp DH key no DH cert */
+#define SSL_EDH			(SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
+
+#define SSL_AUTH_MASK		0x000003e0L
+#define SSL_aRSA		0x00000020L /* Authenticate with RSA */
+#define SSL_aDSS 		0x00000040L /* Authenticate with DSS */
+#define SSL_DSS 		SSL_aDSS
+#define SSL_aFZA 		0x00000080L
+#define SSL_aNULL 		0x00000100L /* no Authenticate, ADH */
+#define SSL_aDH 		0x00000200L /* no Authenticate, ADH */
+
+#define SSL_NULL		(SSL_eNULL)
+#define SSL_ADH			(SSL_kEDH|SSL_aNULL)
+#define SSL_RSA			(SSL_kRSA|SSL_aRSA)
+#define SSL_DH			(SSL_kDHr|SSL_kDHd|SSL_kEDH)
+#define SSL_FZA			(SSL_aFZA|SSL_kFZA|SSL_eFZA)
+
+#define SSL_ENC_MASK		0x0001Fc00L
+#define SSL_DES			0x00000400L
+#define SSL_3DES		0x00000800L
+#define SSL_RC4			0x00001000L
+#define SSL_RC2			0x00002000L
+#define SSL_IDEA		0x00004000L
+#define SSL_eFZA		0x00008000L
+#define SSL_eNULL		0x00010000L
+
+#define SSL_MAC_MASK		0x00060000L
+#define SSL_MD5			0x00020000L
+#define SSL_SHA1		0x00040000L
+#define SSL_SHA			(SSL_SHA1)
+
+#define SSL_SSL_MASK		0x00180000L
+#define SSL_SSLV2		0x00080000L
+#define SSL_SSLV3		0x00100000L
+#define SSL_TLSV1		SSL_SSLV3	/* for now */
+
+/* we have used 001fffff - 11 bits left to go */
+
+/*
+ * Export and cipher strength information. For each cipher we have to decide
+ * whether it is exportable or not. This information is likely to change
+ * over time, since the export control rules are no static technical issue.
+ *
+ * Independent of the export flag the cipher strength is sorted into classes.
+ * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
+ * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
+ * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
+ * since SSL_EXP64 could be similar to SSL_LOW.
+ * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
+ * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
+ * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
+ * be possible.
+ */
+#define SSL_EXP_MASK		0x00000003L
+#define SSL_NOT_EXP		0x00000001L
+#define SSL_EXPORT		0x00000002L
+
+#define SSL_STRONG_MASK		0x0000007cL
+#define SSL_EXP40		0x00000004L
+#define SSL_MICRO		(SSL_EXP40)
+#define SSL_EXP56		0x00000008L
+#define SSL_MINI		(SSL_EXP56)
+#define SSL_LOW			0x00000010L
+#define SSL_MEDIUM		0x00000020L
+#define SSL_HIGH		0x00000040L
+
+/* we have used 0000007f - 25 bits left to go */
+
+/*
+ * Macros to check the export status and cipher strength for export ciphers.
+ * Even though the macros for EXPORT and EXPORT40/56 have similar names,
+ * their meaning is different:
+ * *_EXPORT macros check the 'exportable' status.
+ * *_EXPORT40/56 macros are used to check whether a certain cipher strength
+ *          is given.
+ * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
+ * algorithm structure element to be passed (algorithms, algo_strength) and no
+ * typechecking can be done as they are all of type unsigned long, their
+ * direct usage is discouraged.
+ * Use the SSL_C_* macros instead.
+ */
+#define SSL_IS_EXPORT(a)	((a)&SSL_EXPORT)
+#define SSL_IS_EXPORT56(a)	((a)&SSL_EXP56)
+#define SSL_IS_EXPORT40(a)	((a)&SSL_EXP40)
+#define SSL_C_IS_EXPORT(c)	SSL_IS_EXPORT((c)->algo_strength)
+#define SSL_C_IS_EXPORT56(c)	SSL_IS_EXPORT56((c)->algo_strength)
+#define SSL_C_IS_EXPORT40(c)	SSL_IS_EXPORT40((c)->algo_strength)
+
+#define SSL_EXPORT_KEYLENGTH(a,s)	(SSL_IS_EXPORT40(s) ? 5 : \
+				 ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
+#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
+#define SSL_C_EXPORT_KEYLENGTH(c)	SSL_EXPORT_KEYLENGTH((c)->algorithms, \
+				(c)->algo_strength)
+#define SSL_C_EXPORT_PKEYLENGTH(c)	SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
+
+
+#define SSL_ALL			0xffffffffL
+#define SSL_ALL_CIPHERS		(SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
+				SSL_MAC_MASK)
+#define SSL_ALL_STRENGTHS	(SSL_EXP_MASK|SSL_STRONG_MASK)
+
+/* Mostly for SSLv3 */
+#define SSL_PKEY_RSA_ENC	0
+#define SSL_PKEY_RSA_SIGN	1
+#define SSL_PKEY_DSA_SIGN	2
+#define SSL_PKEY_DH_RSA		3
+#define SSL_PKEY_DH_DSA		4
+#define SSL_PKEY_NUM		5
+
+/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
+ * 	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
+ * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
+ * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
+ * SSL_aRSA <- RSA_ENC | RSA_SIGN
+ * SSL_aDSS <- DSA_SIGN
+ */
+
+/*
+#define CERT_INVALID		0
+#define CERT_PUBLIC_KEY		1
+#define CERT_PRIVATE_KEY	2
+*/
+
+typedef struct cert_pkey_st
+	{
+	X509 *x509;
+	EVP_PKEY *privatekey;
+	} CERT_PKEY;
+
+typedef struct cert_st
+	{
+	/* Current active set */
+	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
+			 * Probably it would make more sense to store
+			 * an index, not a pointer. */
+ 
+	/* The following masks are for the key and auth
+	 * algorithms that are supported by the certs below */
+	int valid;
+	unsigned long mask;
+	unsigned long export_mask;
+#ifndef NO_RSA
+	RSA *rsa_tmp;
+	RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
+#endif
+#ifndef NO_DH
+	DH *dh_tmp;
+	DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
+#endif
+
+	CERT_PKEY pkeys[SSL_PKEY_NUM];
+
+	int references; /* >1 only if SSL_copy_session_id is used */
+	} CERT;
+
+
+typedef struct sess_cert_st
+	{
+	STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
+
+	/* The 'peer_...' members are used only by clients. */
+	int peer_cert_type;
+
+	CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
+	CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
+	/* Obviously we don't have the private keys of these,
+	 * so maybe we shouldn't even use the CERT_PKEY type here. */
+
+#ifndef NO_RSA
+	RSA *peer_rsa_tmp; /* not used for SSL 2 */
+#endif
+#ifndef NO_DH
+	DH *peer_dh_tmp; /* not used for SSL 2 */
+#endif
+
+	int references; /* actually always 1 at the moment */
+	} SESS_CERT;
+
+
+/*#define MAC_DEBUG	*/
+
+/*#define ERR_DEBUG	*/
+/*#define ABORT_DEBUG	*/
+/*#define PKT_DEBUG 1   */
+/*#define DES_DEBUG	*/
+/*#define DES_OFB_DEBUG	*/
+/*#define SSL_DEBUG	*/
+/*#define RSA_DEBUG	*/ 
+/*#define IDEA_DEBUG	*/ 
+
+#define FP_ICC  (int (*)(const void *,const void *))
+#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
+		((ssl)->method->put_cipher_by_char((ciph),(ptr)))
+#define ssl_get_cipher_by_char(ssl,ptr) \
+		((ssl)->method->get_cipher_by_char(ptr))
+
+/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
+ * It is a bit of a mess of functions, but hell, think of it as
+ * an opaque structure :-) */
+typedef struct ssl3_enc_method
+	{
+	int (*enc)(SSL *, int);
+	int (*mac)(SSL *, unsigned char *, int);
+	int (*setup_key_block)(SSL *);
+	int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
+	int (*change_cipher_state)(SSL *, int);
+	int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
+	int finish_mac_length;
+	int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
+	const char *client_finished_label;
+	int client_finished_label_len;
+	const char *server_finished_label;
+	int server_finished_label_len;
+	int (*alert_value)(int);
+	} SSL3_ENC_METHOD;
+
+/* Used for holding the relevant compression methods loaded into SSL_CTX */
+typedef struct ssl3_comp_st
+	{
+	int comp_id;	/* The identifier byte for this compression type */
+	char *name;	/* Text name used for the compression type */
+	COMP_METHOD *method; /* The method :-) */
+	} SSL3_COMP;
+
+OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method;
+OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
+OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
+
+#ifdef VMS
+#undef SSL_COMP_get_compression_methods
+#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
+#endif
+
+
+SSL_METHOD *ssl_bad_method(int ver);
+SSL_METHOD *sslv2_base_method(void);
+SSL_METHOD *sslv23_base_method(void);
+SSL_METHOD *sslv3_base_method(void);
+
+void ssl_clear_cipher_ctx(SSL *s);
+int ssl_clear_bad_session(SSL *s);
+CERT *ssl_cert_new(void);
+CERT *ssl_cert_dup(CERT *cert);
+int ssl_cert_inst(CERT **o);
+void ssl_cert_free(CERT *c);
+SESS_CERT *ssl_sess_cert_new(void);
+void ssl_sess_cert_free(SESS_CERT *sc);
+int ssl_set_peer_cert_type(SESS_CERT *c, int type);
+int ssl_get_new_session(SSL *s, int session);
+int ssl_get_prev_session(SSL *s, unsigned char *session,int len);
+int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b);
+int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+					       STACK_OF(SSL_CIPHER) **skp);
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
+					     STACK_OF(SSL_CIPHER) **pref,
+					     STACK_OF(SSL_CIPHER) **sorted,
+					     const char *rule_str);
+void ssl_update_cache(SSL *s, int mode);
+int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
+		       SSL_COMP **comp);
+int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
+int ssl_undefined_function(SSL *s);
+X509 *ssl_get_server_send_cert(SSL *);
+EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
+int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
+void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
+int ssl_verify_alarm_type(long type);
+
+int ssl2_enc_init(SSL *s, int client);
+void ssl2_generate_key_material(SSL *s);
+void ssl2_enc(SSL *s,int send_data);
+void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
+SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
+int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
+int ssl2_part_read(SSL *s, unsigned long f, int i);
+int ssl2_do_write(SSL *s);
+int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
+void ssl2_return_error(SSL *s,int reason);
+void ssl2_write_error(SSL *s);
+int ssl2_num_ciphers(void);
+SSL_CIPHER *ssl2_get_cipher(unsigned int u);
+int	ssl2_new(SSL *s);
+void	ssl2_free(SSL *s);
+int	ssl2_accept(SSL *s);
+int	ssl2_connect(SSL *s);
+int	ssl2_read(SSL *s, void *buf, int len);
+int	ssl2_peek(SSL *s, char *buf, int len);
+int	ssl2_write(SSL *s, const void *buf, int len);
+int	ssl2_shutdown(SSL *s);
+void	ssl2_clear(SSL *s);
+long	ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
+long	ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long	ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long	ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
+int	ssl2_pending(SSL *s);
+
+SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
+int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
+void ssl3_init_finished_mac(SSL *s);
+int ssl3_send_server_certificate(SSL *s);
+int ssl3_get_finished(SSL *s,int state_a,int state_b);
+int ssl3_setup_key_block(SSL *s);
+int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
+int ssl3_change_cipher_state(SSL *s,int which);
+void ssl3_cleanup_key_block(SSL *s);
+int ssl3_do_write(SSL *s,int type);
+void ssl3_send_alert(SSL *s,int level, int desc);
+int ssl3_generate_master_secret(SSL *s, unsigned char *out,
+	unsigned char *p, int len);
+int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
+long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
+int ssl3_num_ciphers(void);
+SSL_CIPHER *ssl3_get_cipher(unsigned int u);
+int ssl3_renegotiate(SSL *ssl); 
+int ssl3_renegotiate_check(SSL *ssl); 
+int ssl3_dispatch_alert(SSL *s);
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
+int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
+int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
+	const char *sender, int slen,unsigned char *p);
+int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
+void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
+int ssl3_enc(SSL *s, int send_data);
+int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
+unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *have,
+			       STACK_OF(SSL_CIPHER) *pref);
+int	ssl3_setup_buffers(SSL *s);
+int	ssl3_new(SSL *s);
+void	ssl3_free(SSL *s);
+int	ssl3_accept(SSL *s);
+int	ssl3_connect(SSL *s);
+int	ssl3_read(SSL *s, void *buf, int len);
+int	ssl3_peek(SSL *s,char *buf, int len);
+int	ssl3_write(SSL *s, const void *buf, int len);
+int	ssl3_shutdown(SSL *s);
+void	ssl3_clear(SSL *s);
+long	ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
+long	ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
+int	ssl3_pending(SSL *s);
+
+int ssl23_accept(SSL *s);
+int ssl23_connect(SSL *s);
+int ssl23_read_bytes(SSL *s, int n);
+int ssl23_write_bytes(SSL *s);
+
+int tls1_new(SSL *s);
+void tls1_free(SSL *s);
+void tls1_clear(SSL *s);
+long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
+long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
+SSL_METHOD *tlsv1_base_method(void );
+
+int ssl_init_wbio_buffer(SSL *s, int push);
+void ssl_free_wbio_buffer(SSL *s);
+
+int tls1_change_cipher_state(SSL *s, int which);
+int tls1_setup_key_block(SSL *s);
+int tls1_enc(SSL *s, int snd);
+int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
+	const char *str, int slen, unsigned char *p);
+int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
+int tls1_mac(SSL *ssl, unsigned char *md, int snd);
+int tls1_generate_master_secret(SSL *s, unsigned char *out,
+	unsigned char *p, int len);
+int tls1_alert_code(int code);
+int ssl3_alert_code(int code);
+int ssl_ok(SSL *s);
+
+SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+
+
+#endif
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
new file mode 100644
index 0000000..6ec7a5c
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -0,0 +1,815 @@
+/* ssl/ssl_rsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/bio.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include "ssl_locl.h"
+
+static int ssl_set_cert(CERT *c, X509 *x509);
+static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
+int SSL_use_certificate(SSL *ssl, X509 *x)
+	{
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ssl->cert))
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	return(ssl_set_cert(ssl->cert,x));
+	}
+
+#ifndef NO_STDIO
+int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
+	{
+	int j;
+	BIO *in;
+	int ret=0;
+	X509 *x=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if (type == SSL_FILETYPE_ASN1)
+		{
+		j=ERR_R_ASN1_LIB;
+		x=d2i_X509_bio(in,NULL);
+		}
+	else if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
+		goto end;
+		}
+
+	ret=SSL_use_certificate(ssl,x);
+end:
+	if (x != NULL) X509_free(x);
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
+	{
+	X509 *x;
+	int ret;
+
+	x=d2i_X509(NULL,&d,(long)len);
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_use_certificate(ssl,x);
+	X509_free(x);
+	return(ret);
+	}
+
+#ifndef NO_RSA
+int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
+	{
+	EVP_PKEY *pkey;
+	int ret;
+
+	if (rsa == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ssl->cert))
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	if ((pkey=EVP_PKEY_new()) == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
+		return(0);
+		}
+
+	CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+	EVP_PKEY_assign_RSA(pkey,rsa);
+
+	ret=ssl_set_pkey(ssl->cert,pkey);
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+#endif
+
+static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
+	{
+	int i,ok=0,bad=0;
+
+	i=ssl_cert_type(NULL,pkey);
+	if (i < 0)
+		{
+		SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+		return(0);
+		}
+
+	if (c->pkeys[i].x509 != NULL)
+		{
+		EVP_PKEY *pktmp;
+		pktmp =	X509_get_pubkey(c->pkeys[i].x509);
+		EVP_PKEY_copy_parameters(pktmp,pkey);
+		EVP_PKEY_free(pktmp);
+		ERR_clear_error();
+
+#ifndef NO_RSA
+		/* Don't check the public/private key, this is mostly
+		 * for smart cards. */
+		if ((pkey->type == EVP_PKEY_RSA) &&
+			(RSA_flags(pkey->pkey.rsa) &
+			 RSA_METHOD_FLAG_NO_CHECK))
+			 ok=1;
+		else
+#endif
+			if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+			{
+			if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
+				{
+				i=(i == SSL_PKEY_DH_RSA)?
+					SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
+
+				if (c->pkeys[i].x509 == NULL)
+					ok=1;
+				else
+					{
+					if (!X509_check_private_key(
+						c->pkeys[i].x509,pkey))
+						bad=1;
+					else
+						ok=1;
+					}
+				}
+			else
+				bad=1;
+			}
+		else
+			ok=1;
+		}
+	else
+		ok=1;
+
+	if (bad)
+		{
+		X509_free(c->pkeys[i].x509);
+		c->pkeys[i].x509=NULL;
+		return(0);
+		}
+
+	if (c->pkeys[i].privatekey != NULL)
+		EVP_PKEY_free(c->pkeys[i].privatekey);
+	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
+	c->pkeys[i].privatekey=pkey;
+	c->key= &(c->pkeys[i]);
+
+	c->valid=0;
+	return(1);
+	}
+
+#ifndef NO_RSA
+#ifndef NO_STDIO
+int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
+	{
+	int j,ret=0;
+	BIO *in;
+	RSA *rsa=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if	(type == SSL_FILETYPE_ASN1)
+		{
+		j=ERR_R_ASN1_LIB;
+		rsa=d2i_RSAPrivateKey_bio(in,NULL);
+		}
+	else if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
+			ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+	if (rsa == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
+		goto end;
+		}
+	ret=SSL_use_RSAPrivateKey(ssl,rsa);
+	RSA_free(rsa);
+end:
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
+	{
+	int ret;
+	unsigned char *p;
+	RSA *rsa;
+
+	p=d;
+	if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_use_RSAPrivateKey(ssl,rsa);
+	RSA_free(rsa);
+	return(ret);
+	}
+#endif /* !NO_RSA */
+
+int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
+	{
+	int ret;
+
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ssl->cert))
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	ret=ssl_set_pkey(ssl->cert,pkey);
+	return(ret);
+	}
+
+#ifndef NO_STDIO
+int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
+	{
+	int j,ret=0;
+	BIO *in;
+	EVP_PKEY *pkey=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		pkey=PEM_read_bio_PrivateKey(in,NULL,
+			ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
+		goto end;
+		}
+	ret=SSL_use_PrivateKey(ssl,pkey);
+	EVP_PKEY_free(pkey);
+end:
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
+	{
+	int ret;
+	unsigned char *p;
+	EVP_PKEY *pkey;
+
+	p=d;
+	if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
+		{
+		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_use_PrivateKey(ssl,pkey);
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
+	{
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ctx->cert))
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	return(ssl_set_cert(ctx->cert, x));
+	}
+
+static int ssl_set_cert(CERT *c, X509 *x)
+	{
+	EVP_PKEY *pkey;
+	int i,ok=0,bad=0;
+
+	pkey=X509_get_pubkey(x);
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
+		return(0);
+		}
+
+	i=ssl_cert_type(x,pkey);
+	if (i < 0)
+		{
+		SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+		EVP_PKEY_free(pkey);
+		return(0);
+		}
+
+	if (c->pkeys[i].privatekey != NULL)
+		{
+		EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
+		ERR_clear_error();
+
+#ifndef NO_RSA
+		/* Don't check the public/private key, this is mostly
+		 * for smart cards. */
+		if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
+			(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
+			 RSA_METHOD_FLAG_NO_CHECK))
+			 ok=1;
+		else
+#endif
+		{
+		if (!X509_check_private_key(x,c->pkeys[i].privatekey))
+			{
+			if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
+				{
+				i=(i == SSL_PKEY_DH_RSA)?
+					SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
+
+				if (c->pkeys[i].privatekey == NULL)
+					ok=1;
+				else
+					{
+					if (!X509_check_private_key(x,
+						c->pkeys[i].privatekey))
+						bad=1;
+					else
+						ok=1;
+					}
+				}
+			else
+				bad=1;
+			}
+		else
+			ok=1;
+		} /* NO_RSA */
+		}
+	else
+		ok=1;
+
+	EVP_PKEY_free(pkey);
+	if (bad)
+		{
+		EVP_PKEY_free(c->pkeys[i].privatekey);
+		c->pkeys[i].privatekey=NULL;
+		}
+
+	if (c->pkeys[i].x509 != NULL)
+		X509_free(c->pkeys[i].x509);
+	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+	c->pkeys[i].x509=x;
+	c->key= &(c->pkeys[i]);
+
+	c->valid=0;
+	return(1);
+	}
+
+#ifndef NO_STDIO
+int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
+	{
+	int j;
+	BIO *in;
+	int ret=0;
+	X509 *x=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if (type == SSL_FILETYPE_ASN1)
+		{
+		j=ERR_R_ASN1_LIB;
+		x=d2i_X509_bio(in,NULL);
+		}
+	else if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
+		goto end;
+		}
+
+	ret=SSL_CTX_use_certificate(ctx,x);
+end:
+	if (x != NULL) X509_free(x);
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
+	{
+	X509 *x;
+	int ret;
+
+	x=d2i_X509(NULL,&d,(long)len);
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_CTX_use_certificate(ctx,x);
+	X509_free(x);
+	return(ret);
+	}
+
+#ifndef NO_RSA
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
+	{
+	int ret;
+	EVP_PKEY *pkey;
+
+	if (rsa == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ctx->cert))
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	if ((pkey=EVP_PKEY_new()) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
+		return(0);
+		}
+
+	CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+	EVP_PKEY_assign_RSA(pkey,rsa);
+
+	ret=ssl_set_pkey(ctx->cert, pkey);
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+
+#ifndef NO_STDIO
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+	{
+	int j,ret=0;
+	BIO *in;
+	RSA *rsa=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if	(type == SSL_FILETYPE_ASN1)
+		{
+		j=ERR_R_ASN1_LIB;
+		rsa=d2i_RSAPrivateKey_bio(in,NULL);
+		}
+	else if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
+			ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+	if (rsa == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
+		goto end;
+		}
+	ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
+	RSA_free(rsa);
+end:
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
+	{
+	int ret;
+	unsigned char *p;
+	RSA *rsa;
+
+	p=d;
+	if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
+	RSA_free(rsa);
+	return(ret);
+	}
+#endif /* !NO_RSA */
+
+int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
+	{
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
+		return(0);
+		}
+	if (!ssl_cert_inst(&ctx->cert))
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	return(ssl_set_pkey(ctx->cert,pkey));
+	}
+
+#ifndef NO_STDIO
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+	{
+	int j,ret=0;
+	BIO *in;
+	EVP_PKEY *pkey=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+	if (type == SSL_FILETYPE_PEM)
+		{
+		j=ERR_R_PEM_LIB;
+		pkey=PEM_read_bio_PrivateKey(in,NULL,
+			ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+		}
+	else
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
+		goto end;
+		}
+	if (pkey == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
+		goto end;
+		}
+	ret=SSL_CTX_use_PrivateKey(ctx,pkey);
+	EVP_PKEY_free(pkey);
+end:
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
+
+int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
+	     long len)
+	{
+	int ret;
+	unsigned char *p;
+	EVP_PKEY *pkey;
+
+	p=d;
+	if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
+		return(0);
+		}
+
+	ret=SSL_CTX_use_PrivateKey(ctx,pkey);
+	EVP_PKEY_free(pkey);
+	return(ret);
+	}
+
+
+#ifndef NO_STDIO
+/* Read a file that contains our certificate in "PEM" format,
+ * possibly followed by a sequence of CA certificates that should be
+ * sent to the peer in the Certificate message.
+ */
+int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+	{
+	BIO *in;
+	int ret=0;
+	X509 *x=NULL;
+
+	in=BIO_new(BIO_s_file_internal());
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
+		goto end;
+		}
+
+	if (BIO_read_filename(in,file) <= 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
+		goto end;
+		}
+
+	x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+	if (x == NULL)
+		{
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
+		goto end;
+		}
+
+	ret=SSL_CTX_use_certificate(ctx,x);
+	if (ERR_peek_error() != 0)
+		ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */
+	if (ret)
+		{
+		/* If we could set up our certificate, now proceed to
+		 * the CA certificates.
+		 */
+		X509 *ca;
+		int r;
+		unsigned long err;
+		
+		if (ctx->extra_certs != NULL) 
+			{
+			sk_X509_pop_free(ctx->extra_certs, X509_free);
+			ctx->extra_certs = NULL;
+			}
+
+		while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+			!= NULL)
+			{
+			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+			if (!r) 
+				{
+				X509_free(ca);
+				ret = 0;
+				goto end;
+				}
+			/* Note that we must not free r if it was successfully
+			 * added to the chain (while we must free the main
+			 * certificate, since its reference count is increased
+			 * by SSL_CTX_use_certificate). */
+			}
+		/* When the while loop ends, it's usually just EOF. */
+		err = ERR_peek_error();
+		if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+			(void) ERR_get_error();
+		else 
+			ret = 0; /* some real error */
+		}
+
+end:
+	if (x != NULL) X509_free(x);
+	if (in != NULL) BIO_free(in);
+	return(ret);
+	}
+#endif
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
new file mode 100644
index 0000000..9e01f72
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -0,0 +1,680 @@
+/* ssl/ssl_sess.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/lhash.h>
+#include <openssl/rand.h>
+#include "ssl_locl.h"
+
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
+static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
+static int ssl_session_num=0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
+
+SSL_SESSION *SSL_get_session(SSL *ssl)
+/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
+	{
+	return(ssl->session);
+	}
+
+SSL_SESSION *SSL_get1_session(SSL *ssl)
+/* variant of SSL_get_session: caller really gets something */
+	{
+	SSL_SESSION *sess;
+	/* Need to lock this all up rather than just use CRYPTO_add so that
+	 * somebody doesn't free ssl->session between when we check it's
+	 * non-null and when we up the reference count. */
+	CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+	sess = ssl->session;
+	if(sess)
+		sess->references++;
+	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+	return(sess);
+	}
+
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+	{
+	ssl_session_num++;
+	return(CRYPTO_get_ex_new_index(ssl_session_num-1,
+		&ssl_session_meth,
+		argl,argp,new_func,dup_func,free_func));
+	}
+
+int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+	}
+
+void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+	{
+	return(CRYPTO_get_ex_data(&s->ex_data,idx));
+	}
+
+SSL_SESSION *SSL_SESSION_new(void)
+	{
+	SSL_SESSION *ss;
+
+	ss=(SSL_SESSION *)Malloc(sizeof(SSL_SESSION));
+	if (ss == NULL)
+		{
+		SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	memset(ss,0,sizeof(SSL_SESSION));
+
+	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
+	ss->references=1;
+	ss->timeout=60*5+4; /* 5 minute timeout by default */
+	ss->time=time(NULL);
+	ss->prev=NULL;
+	ss->next=NULL;
+	ss->compress_meth=0;
+	CRYPTO_new_ex_data(ssl_session_meth,ss,&ss->ex_data);
+	return(ss);
+	}
+
+int ssl_get_new_session(SSL *s, int session)
+	{
+	/* This gets used by clients and servers. */
+
+	SSL_SESSION *ss=NULL;
+
+	if ((ss=SSL_SESSION_new()) == NULL) return(0);
+
+	/* If the context has a default timeout, use it */
+	if (s->ctx->session_timeout == 0)
+		ss->timeout=SSL_get_default_timeout(s);
+	else
+		ss->timeout=s->ctx->session_timeout;
+
+	if (s->session != NULL)
+		{
+		SSL_SESSION_free(s->session);
+		s->session=NULL;
+		}
+
+	if (session)
+		{
+		if (s->version == SSL2_VERSION)
+			{
+			ss->ssl_version=SSL2_VERSION;
+			ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
+			}
+		else if (s->version == SSL3_VERSION)
+			{
+			ss->ssl_version=SSL3_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
+		else if (s->version == TLS1_VERSION)
+			{
+			ss->ssl_version=TLS1_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
+		else
+			{
+			SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
+			SSL_SESSION_free(ss);
+			return(0);
+			}
+
+		for (;;)
+			{
+			SSL_SESSION *r;
+
+			RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
+			CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+			r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss);
+			CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+			if (r == NULL) break;
+			/* else - woops a session_id match */
+			/* XXX We should also check the external cache --
+			 * but the probability of a collision is negligible, and
+			 * we could not prevent the concurrent creation of sessions
+			 * with identical IDs since we currently don't have means
+			 * to atomically check whether a session ID already exists
+			 * and make a reservation for it if it does not
+			 * (this problem applies to the internal cache as well).
+			 */
+			}
+		}
+	else
+		{
+		ss->session_id_length=0;
+		}
+
+	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
+	ss->sid_ctx_length=s->sid_ctx_length;
+	s->session=ss;
+	ss->ssl_version=s->version;
+	ss->verify_result = X509_V_OK;
+
+	return(1);
+	}
+
+int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
+	{
+	/* This is used only by servers. */
+
+	SSL_SESSION *ret=NULL,data;
+	int fatal = 0;
+
+	data.ssl_version=s->version;
+	data.session_id_length=len;
+	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
+		goto err;
+	memcpy(data.session_id,session_id,len);
+
+	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+		{
+		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
+		if (ret != NULL)
+		    /* don't allow other threads to steal it: */
+		    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+		}
+
+	if (ret == NULL)
+		{
+		int copy=1;
+	
+		s->ctx->stats.sess_miss++;
+		ret=NULL;
+		if (s->ctx->get_session_cb != NULL
+		    && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
+		       != NULL)
+			{
+			s->ctx->stats.sess_cb_hit++;
+
+			/* Increment reference count now if the session callback
+			 * asks us to do so (note that if the session structures
+			 * returned by the callback are shared between threads,
+			 * it must handle the reference count itself [i.e. copy == 0],
+			 * or things won't be thread-safe). */
+			if (copy)
+				CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+
+			/* The following should not return 1, otherwise,
+			 * things are very strange */
+			SSL_CTX_add_session(s->ctx,ret);
+			}
+		if (ret == NULL)
+			goto err;
+		}
+
+	/* Now ret is non-NULL, and we own one of its reference counts. */
+
+	if((s->verify_mode&SSL_VERIFY_PEER)
+	   && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
+	       || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
+	    {
+		/* We've found the session named by the client, but we don't
+		 * want to use it in this context. */
+		
+		if (s->sid_ctx_length == 0)
+			{
+			/* application should have used SSL[_CTX]_set_session_id_context
+			 * -- we could tolerate this and just pretend we never heard
+			 * of this session, but then applications could effectively
+			 * disable the session cache by accident without anyone noticing */
+
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+			fatal = 1;
+			goto err;
+			}
+		else
+			{
+#if 0 /* The client cannot always know when a session is not appropriate,
+	   * so we shouldn't generate an error message. */
+
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+#endif
+			goto err; /* treat like cache miss */
+			}
+		}
+
+	if (ret->cipher == NULL)
+		{
+		unsigned char buf[5],*p;
+		unsigned long l;
+
+		p=buf;
+		l=ret->cipher_id;
+		l2n(l,p);
+		if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
+			ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
+		else 
+			ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
+		if (ret->cipher == NULL)
+			goto err;
+		}
+
+
+#if 0 /* This is way too late. */
+
+	/* If a thread got the session, then 'swaped', and another got
+	 * it and then due to a time-out decided to 'Free' it we could
+	 * be in trouble.  So I'll increment it now, then double decrement
+	 * later - am I speaking rubbish?. */
+	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+#endif
+
+	if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
+		{
+		s->ctx->stats.sess_timeout++;
+		/* remove it from the cache */
+		SSL_CTX_remove_session(s->ctx,ret);
+		goto err;
+		}
+
+	s->ctx->stats.sess_hit++;
+
+	/* ret->time=time(NULL); */ /* rezero timeout? */
+	/* again, just leave the session 
+	 * if it is the same session, we have just incremented and
+	 * then decremented the reference count :-) */
+	if (s->session != NULL)
+		SSL_SESSION_free(s->session);
+	s->session=ret;
+	s->verify_result = s->session->verify_result;
+	return(1);
+
+ err:
+	if (ret != NULL)
+		SSL_SESSION_free(ret);
+	if (fatal)
+		return -1;
+	else
+		return 0;
+	}
+
+int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
+	{
+	int ret=0;
+	SSL_SESSION *s;
+
+	/* add just 1 reference count for the SSL_CTX's session cache
+	 * even though it has two ways of access: each session is in a
+	 * doubly linked list and an lhash */
+	CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
+	/* if session c is in already in cache, we take back the increment later */
+
+	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+	s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
+	
+	/* s != NULL iff we already had a session with the given PID.
+	 * In this case, s == c should hold (then we did not really modify
+	 * ctx->sessions), or we're in trouble. */
+	if (s != NULL && s != c)
+		{
+		/* We *are* in trouble ... */
+		SSL_SESSION_list_remove(ctx,s);
+		SSL_SESSION_free(s);
+		/* ... so pretend the other session did not exist in cache
+		 * (we cannot handle two SSL_SESSION structures with identical
+		 * session ID in the same cache, which could happen e.g. when
+		 * two threads concurrently obtain the same session from an external
+		 * cache) */
+		s = NULL;
+		}
+
+ 	/* Put at the head of the queue unless it is already in the cache */
+	if (s == NULL)
+		SSL_SESSION_list_add(ctx,c);
+
+	if (s != NULL)
+		{
+		/* existing cache entry -- decrement previously incremented reference
+		 * count because it already takes into account the cache */
+
+		SSL_SESSION_free(s); /* s == c */
+		ret=0;
+		}
+	else
+		{
+		/* new cache entry -- remove old ones if cache has become too large */
+		
+		ret=1;
+
+		if (SSL_CTX_sess_get_cache_size(ctx) > 0)
+			{
+			while (SSL_CTX_sess_number(ctx) >
+				SSL_CTX_sess_get_cache_size(ctx))
+				{
+				if (!remove_session_lock(ctx,
+					ctx->session_cache_tail, 0))
+					break;
+				else
+					ctx->stats.sess_cache_full++;
+				}
+			}
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+	return(ret);
+	}
+
+int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
+{
+	return remove_session_lock(ctx, c, 1);
+}
+
+static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
+	{
+	SSL_SESSION *r;
+	int ret=0;
+
+	if ((c != NULL) && (c->session_id_length != 0))
+		{
+		if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+		r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
+		if (r != NULL)
+			{
+			ret=1;
+			SSL_SESSION_list_remove(ctx,c);
+			}
+
+		if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+
+		if (ret)
+			{
+			r->not_resumable=1;
+			if (ctx->remove_session_cb != NULL)
+				ctx->remove_session_cb(ctx,r);
+			SSL_SESSION_free(r);
+			}
+		}
+	else
+		ret=0;
+	return(ret);
+	}
+
+void SSL_SESSION_free(SSL_SESSION *ss)
+	{
+	int i;
+
+	if(ss == NULL)
+	    return;
+
+	i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
+#ifdef REF_PRINT
+	REF_PRINT("SSL_SESSION",ss);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+
+	CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
+
+	memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
+	memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
+	memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
+	if (ss->peer != NULL) X509_free(ss->peer);
+	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
+	memset(ss,0,sizeof(*ss));
+	Free(ss);
+	}
+
+int SSL_set_session(SSL *s, SSL_SESSION *session)
+	{
+	int ret=0;
+	SSL_METHOD *meth;
+
+	if (session != NULL)
+		{
+		meth=s->ctx->method->get_ssl_method(session->ssl_version);
+		if (meth == NULL)
+			meth=s->method->get_ssl_method(session->ssl_version);
+		if (meth == NULL)
+			{
+			SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
+			return(0);
+			}
+
+		if (meth != s->method)
+			{
+			if (!SSL_set_ssl_method(s,meth))
+				return(0);
+			if (s->ctx->session_timeout == 0)
+				session->timeout=SSL_get_default_timeout(s);
+			else
+				session->timeout=s->ctx->session_timeout;
+			}
+
+		/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
+		CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
+		if (s->session != NULL)
+			SSL_SESSION_free(s->session);
+		s->session=session;
+		/* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
+		ret=1;
+		}
+	else
+		{
+		if (s->session != NULL)
+			{
+			SSL_SESSION_free(s->session);
+			s->session=NULL;
+			}
+
+		meth=s->ctx->method;
+		if (meth != s->method)
+			{
+			if (!SSL_set_ssl_method(s,meth))
+				return(0);
+			}
+		ret=1;
+		}
+	return(ret);
+	}
+
+long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
+	{
+	if (s == NULL) return(0);
+	s->timeout=t;
+	return(1);
+	}
+
+long SSL_SESSION_get_timeout(SSL_SESSION *s)
+	{
+	if (s == NULL) return(0);
+	return(s->timeout);
+	}
+
+long SSL_SESSION_get_time(SSL_SESSION *s)
+	{
+	if (s == NULL) return(0);
+	return(s->time);
+	}
+
+long SSL_SESSION_set_time(SSL_SESSION *s, long t)
+	{
+	if (s == NULL) return(0);
+	s->time=t;
+	return(t);
+	}
+
+long SSL_CTX_set_timeout(SSL_CTX *s, long t)
+	{
+	long l;
+	if (s == NULL) return(0);
+	l=s->session_timeout;
+	s->session_timeout=t;
+	return(l);
+	}
+
+long SSL_CTX_get_timeout(SSL_CTX *s)
+	{
+	if (s == NULL) return(0);
+	return(s->session_timeout);
+	}
+
+typedef struct timeout_param_st
+	{
+	SSL_CTX *ctx;
+	long time;
+	LHASH *cache;
+	} TIMEOUT_PARAM;
+
+static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
+	{
+	if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
+		{
+		/* The reason we don't call SSL_CTX_remove_session() is to
+		 * save on locking overhead */
+		lh_delete(p->cache,s);
+		SSL_SESSION_list_remove(p->ctx,s);
+		s->not_resumable=1;
+		if (p->ctx->remove_session_cb != NULL)
+			p->ctx->remove_session_cb(p->ctx,s);
+		SSL_SESSION_free(s);
+		}
+	}
+
+void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
+	{
+	unsigned long i;
+	TIMEOUT_PARAM tp;
+
+	tp.ctx=s;
+	tp.cache=s->sessions;
+	if (tp.cache == NULL) return;
+	tp.time=t;
+	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+	i=tp.cache->down_load;
+	tp.cache->down_load=0;
+	lh_doall_arg(tp.cache,(void (*)())timeout,&tp);
+	tp.cache->down_load=i;
+	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+	}
+
+int ssl_clear_bad_session(SSL *s)
+	{
+	if (	(s->session != NULL) &&
+		!(s->shutdown & SSL_SENT_SHUTDOWN) &&
+		!(SSL_in_init(s) || SSL_in_before(s)))
+		{
+		SSL_CTX_remove_session(s->ctx,s->session);
+		return(1);
+		}
+	else
+		return(0);
+	}
+
+/* locked by SSL_CTX in the calling function */
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
+	{
+	if ((s->next == NULL) || (s->prev == NULL)) return;
+
+	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
+		{ /* last element in list */
+		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+			{ /* only one element in list */
+			ctx->session_cache_head=NULL;
+			ctx->session_cache_tail=NULL;
+			}
+		else
+			{
+			ctx->session_cache_tail=s->prev;
+			s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+			}
+		}
+	else
+		{
+		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+			{ /* first element in list */
+			ctx->session_cache_head=s->next;
+			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+			}
+		else
+			{ /* middle of list */
+			s->next->prev=s->prev;
+			s->prev->next=s->next;
+			}
+		}
+	s->prev=s->next=NULL;
+	}
+
+static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
+	{
+	if ((s->next != NULL) && (s->prev != NULL))
+		SSL_SESSION_list_remove(ctx,s);
+
+	if (ctx->session_cache_head == NULL)
+		{
+		ctx->session_cache_head=s;
+		ctx->session_cache_tail=s;
+		s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+		s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+		}
+	else
+		{
+		s->next=ctx->session_cache_head;
+		s->next->prev=s;
+		s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+		ctx->session_cache_head=s;
+		}
+	}
+
diff --git a/crypto/openssl/ssl/ssl_stat.c b/crypto/openssl/ssl/ssl_stat.c
new file mode 100644
index 0000000..8e12461
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_stat.c
@@ -0,0 +1,454 @@
+/* ssl/ssl_stat.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "ssl_locl.h"
+
+char *SSL_state_string_long(SSL *s)
+	{
+	char *str;
+
+	switch (s->state)
+		{
+case SSL_ST_BEFORE: str="before SSL initialization"; break;
+case SSL_ST_ACCEPT: str="before accept initialization"; break;
+case SSL_ST_CONNECT: str="before connect initialization"; break;
+case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
+case SSL_ST_RENEGOTIATE:	str="SSL renegotiate ciphers"; break;
+case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
+case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
+case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
+case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
+#ifndef NO_SSL2
+case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
+case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
+case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
+case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
+case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
+case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
+case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
+case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
+case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
+case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
+case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
+case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
+case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
+case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
+case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
+case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
+case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
+case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
+case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
+case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
+case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
+case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
+case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
+case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
+case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
+case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
+case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
+#endif
+
+#ifndef NO_SSL3
+/* SSLv3 additions */
+case SSL3_ST_CW_CLNT_HELLO_A:	str="SSLv3 write client hello A"; break;
+case SSL3_ST_CW_CLNT_HELLO_B:	str="SSLv3 write client hello B"; break;
+case SSL3_ST_CR_SRVR_HELLO_A:	str="SSLv3 read server hello A"; break;
+case SSL3_ST_CR_SRVR_HELLO_B:	str="SSLv3 read server hello B"; break;
+case SSL3_ST_CR_CERT_A:		str="SSLv3 read server certificate A"; break;
+case SSL3_ST_CR_CERT_B:		str="SSLv3 read server certificate B"; break;
+case SSL3_ST_CR_KEY_EXCH_A:	str="SSLv3 read server key exchange A"; break;
+case SSL3_ST_CR_KEY_EXCH_B:	str="SSLv3 read server key exchange B"; break;
+case SSL3_ST_CR_CERT_REQ_A:	str="SSLv3 read server certificate request A"; break;
+case SSL3_ST_CR_CERT_REQ_B:	str="SSLv3 read server certificate request B"; break;
+case SSL3_ST_CR_SRVR_DONE_A:	str="SSLv3 read server done A"; break;
+case SSL3_ST_CR_SRVR_DONE_B:	str="SSLv3 read server done B"; break;
+case SSL3_ST_CW_CERT_A:		str="SSLv3 write client certificate A"; break;
+case SSL3_ST_CW_CERT_B:		str="SSLv3 write client certificate B"; break;
+case SSL3_ST_CW_CERT_C:		str="SSLv3 write client certificate C"; break;
+case SSL3_ST_CW_CERT_D:		str="SSLv3 write client certificate D"; break;
+case SSL3_ST_CW_KEY_EXCH_A:	str="SSLv3 write client key exchange A"; break;
+case SSL3_ST_CW_KEY_EXCH_B:	str="SSLv3 write client key exchange B"; break;
+case SSL3_ST_CW_CERT_VRFY_A:	str="SSLv3 write certificate verify A"; break;
+case SSL3_ST_CW_CERT_VRFY_B:	str="SSLv3 write certificate verify A"; break;
+
+case SSL3_ST_CW_CHANGE_A:
+case SSL3_ST_SW_CHANGE_A:	str="SSLv3 write change cipher spec A"; break;
+case SSL3_ST_CW_CHANGE_B:	
+case SSL3_ST_SW_CHANGE_B:	str="SSLv3 write change cipher spec B"; break;
+case SSL3_ST_CW_FINISHED_A:	
+case SSL3_ST_SW_FINISHED_A:	str="SSLv3 write finished A"; break;
+case SSL3_ST_CW_FINISHED_B:	
+case SSL3_ST_SW_FINISHED_B:	str="SSLv3 write finished A"; break;
+case SSL3_ST_CR_CHANGE_A:	
+case SSL3_ST_SR_CHANGE_A:	str="SSLv3 read change cipher spec A"; break;
+case SSL3_ST_CR_CHANGE_B:	
+case SSL3_ST_SR_CHANGE_B:	str="SSLv3 read change cipher spec B"; break;
+case SSL3_ST_CR_FINISHED_A:	
+case SSL3_ST_SR_FINISHED_A:	str="SSLv3 read finished A"; break;
+case SSL3_ST_CR_FINISHED_B:	
+case SSL3_ST_SR_FINISHED_B:	str="SSLv3 read finished B"; break;
+
+case SSL3_ST_CW_FLUSH:
+case SSL3_ST_SW_FLUSH:		str="SSLv3 flush data"; break;
+
+case SSL3_ST_SR_CLNT_HELLO_A:	str="SSLv3 read client hello A"; break;
+case SSL3_ST_SR_CLNT_HELLO_B:	str="SSLv3 read client hello B"; break;
+case SSL3_ST_SR_CLNT_HELLO_C:	str="SSLv3 read client hello C"; break;
+case SSL3_ST_SW_HELLO_REQ_A:	str="SSLv3 write hello request A"; break;
+case SSL3_ST_SW_HELLO_REQ_B:	str="SSLv3 write hello request B"; break;
+case SSL3_ST_SW_HELLO_REQ_C:	str="SSLv3 write hello request C"; break;
+case SSL3_ST_SW_SRVR_HELLO_A:	str="SSLv3 write server hello A"; break;
+case SSL3_ST_SW_SRVR_HELLO_B:	str="SSLv3 write server hello B"; break;
+case SSL3_ST_SW_CERT_A:		str="SSLv3 write certificate A"; break;
+case SSL3_ST_SW_CERT_B:		str="SSLv3 write certificate B"; break;
+case SSL3_ST_SW_KEY_EXCH_A:	str="SSLv3 write key exchange A"; break;
+case SSL3_ST_SW_KEY_EXCH_B:	str="SSLv3 write key exchange B"; break;
+case SSL3_ST_SW_CERT_REQ_A:	str="SSLv3 write certificate request A"; break;
+case SSL3_ST_SW_CERT_REQ_B:	str="SSLv3 write certificate request B"; break;
+case SSL3_ST_SW_SRVR_DONE_A:	str="SSLv3 write server done A"; break;
+case SSL3_ST_SW_SRVR_DONE_B:	str="SSLv3 write server done B"; break;
+case SSL3_ST_SR_CERT_A:		str="SSLv3 read client certificate A"; break;
+case SSL3_ST_SR_CERT_B:		str="SSLv3 read client certificate B"; break;
+case SSL3_ST_SR_KEY_EXCH_A:	str="SSLv3 read client key exchange A"; break;
+case SSL3_ST_SR_KEY_EXCH_B:	str="SSLv3 read client key exchange B"; break;
+case SSL3_ST_SR_CERT_VRFY_A:	str="SSLv3 read certificate verify A"; break;
+case SSL3_ST_SR_CERT_VRFY_B:	str="SSLv3 read certificate verify B"; break;
+#endif
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+/* SSLv2/v3 compatibility states */
+/* client */
+case SSL23_ST_CW_CLNT_HELLO_A:	str="SSLv2/v3 write client hello A"; break;
+case SSL23_ST_CW_CLNT_HELLO_B:	str="SSLv2/v3 write client hello B"; break;
+case SSL23_ST_CR_SRVR_HELLO_A:	str="SSLv2/v3 read server hello A"; break;
+case SSL23_ST_CR_SRVR_HELLO_B:	str="SSLv2/v3 read server hello B"; break;
+/* server */
+case SSL23_ST_SR_CLNT_HELLO_A:	str="SSLv2/v3 read client hello A"; break;
+case SSL23_ST_SR_CLNT_HELLO_B:	str="SSLv2/v3 read client hello B"; break;
+#endif
+
+default:	str="unknown state"; break;
+		}
+	return(str);
+	}
+
+char *SSL_rstate_string_long(SSL *s)
+	{
+	char *str;
+
+	switch (s->rstate)
+		{
+	case SSL_ST_READ_HEADER: str="read header"; break;
+	case SSL_ST_READ_BODY: str="read body"; break;
+	case SSL_ST_READ_DONE: str="read done"; break;
+	default: str="unknown"; break;
+		}
+	return(str);
+	}
+
+char *SSL_state_string(SSL *s)
+	{
+	char *str;
+
+	switch (s->state)
+		{
+case SSL_ST_BEFORE:				str="PINIT "; break;
+case SSL_ST_ACCEPT:				str="AINIT "; break;
+case SSL_ST_CONNECT:				str="CINIT "; break;
+case SSL_ST_OK:			 		str="SSLOK "; break;
+#ifndef NO_SSL2
+case SSL2_ST_CLIENT_START_ENCRYPTION:		str="2CSENC"; break;
+case SSL2_ST_SERVER_START_ENCRYPTION:		str="2SSENC"; break;
+case SSL2_ST_SEND_CLIENT_HELLO_A:		str="2SCH_A"; break;
+case SSL2_ST_SEND_CLIENT_HELLO_B:		str="2SCH_B"; break;
+case SSL2_ST_GET_SERVER_HELLO_A:		str="2GSH_A"; break;
+case SSL2_ST_GET_SERVER_HELLO_B:		str="2GSH_B"; break;
+case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:		str="2SCMKA"; break;
+case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:		str="2SCMKB"; break;
+case SSL2_ST_SEND_CLIENT_FINISHED_A:		str="2SCF_A"; break;
+case SSL2_ST_SEND_CLIENT_FINISHED_B:		str="2SCF_B"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:		str="2SCC_A"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_B:		str="2SCC_B"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:		str="2SCC_C"; break;
+case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:		str="2SCC_D"; break;
+case SSL2_ST_GET_SERVER_VERIFY_A:		str="2GSV_A"; break;
+case SSL2_ST_GET_SERVER_VERIFY_B:		str="2GSV_B"; break;
+case SSL2_ST_GET_SERVER_FINISHED_A:		str="2GSF_A"; break;
+case SSL2_ST_GET_SERVER_FINISHED_B:		str="2GSF_B"; break;
+case SSL2_ST_GET_CLIENT_HELLO_A:		str="2GCH_A"; break;
+case SSL2_ST_GET_CLIENT_HELLO_B:		str="2GCH_B"; break;
+case SSL2_ST_GET_CLIENT_HELLO_C:		str="2GCH_C"; break;
+case SSL2_ST_SEND_SERVER_HELLO_A:		str="2SSH_A"; break;
+case SSL2_ST_SEND_SERVER_HELLO_B:		str="2SSH_B"; break;
+case SSL2_ST_GET_CLIENT_MASTER_KEY_A:		str="2GCMKA"; break;
+case SSL2_ST_GET_CLIENT_MASTER_KEY_B:		str="2GCMKA"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_A:		str="2SSV_A"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_B:		str="2SSV_B"; break;
+case SSL2_ST_SEND_SERVER_VERIFY_C:		str="2SSV_C"; break;
+case SSL2_ST_GET_CLIENT_FINISHED_A:		str="2GCF_A"; break;
+case SSL2_ST_GET_CLIENT_FINISHED_B:		str="2GCF_B"; break;
+case SSL2_ST_SEND_SERVER_FINISHED_A:		str="2SSF_A"; break;
+case SSL2_ST_SEND_SERVER_FINISHED_B:		str="2SSF_B"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:	str="2SRC_A"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:	str="2SRC_B"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:	str="2SRC_C"; break;
+case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:	str="2SRC_D"; break;
+case SSL2_ST_X509_GET_SERVER_CERTIFICATE:	str="2X9GSC"; break;
+case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:	str="2X9GCC"; break;
+#endif
+
+#ifndef NO_SSL3
+/* SSLv3 additions */
+case SSL3_ST_SW_FLUSH:
+case SSL3_ST_CW_FLUSH:				str="3FLUSH"; break;
+case SSL3_ST_CW_CLNT_HELLO_A:			str="3WCH_A"; break;
+case SSL3_ST_CW_CLNT_HELLO_B:			str="3WCH_B"; break;
+case SSL3_ST_CR_SRVR_HELLO_A:			str="3RSH_A"; break;
+case SSL3_ST_CR_SRVR_HELLO_B:			str="3RSH_B"; break;
+case SSL3_ST_CR_CERT_A:				str="3RSC_A"; break;
+case SSL3_ST_CR_CERT_B:				str="3RSC_B"; break;
+case SSL3_ST_CR_KEY_EXCH_A:			str="3RSKEA"; break;
+case SSL3_ST_CR_KEY_EXCH_B:			str="3RSKEB"; break;
+case SSL3_ST_CR_CERT_REQ_A:			str="3RCR_A"; break;
+case SSL3_ST_CR_CERT_REQ_B:			str="3RCR_B"; break;
+case SSL3_ST_CR_SRVR_DONE_A:			str="3RSD_A"; break;
+case SSL3_ST_CR_SRVR_DONE_B:			str="3RSD_B"; break;
+case SSL3_ST_CW_CERT_A:				str="3WCC_A"; break;
+case SSL3_ST_CW_CERT_B:				str="3WCC_B"; break;
+case SSL3_ST_CW_CERT_C:				str="3WCC_C"; break;
+case SSL3_ST_CW_CERT_D:				str="3WCC_D"; break;
+case SSL3_ST_CW_KEY_EXCH_A:			str="3WCKEA"; break;
+case SSL3_ST_CW_KEY_EXCH_B:			str="3WCKEB"; break;
+case SSL3_ST_CW_CERT_VRFY_A:			str="3WCV_A"; break;
+case SSL3_ST_CW_CERT_VRFY_B:			str="3WCV_B"; break;
+
+case SSL3_ST_SW_CHANGE_A:
+case SSL3_ST_CW_CHANGE_A:			str="3WCCSA"; break;
+case SSL3_ST_SW_CHANGE_B:
+case SSL3_ST_CW_CHANGE_B:			str="3WCCSB"; break;
+case SSL3_ST_SW_FINISHED_A:
+case SSL3_ST_CW_FINISHED_A:			str="3WFINA"; break;
+case SSL3_ST_SW_FINISHED_B:
+case SSL3_ST_CW_FINISHED_B:			str="3WFINB"; break;
+case SSL3_ST_SR_CHANGE_A:
+case SSL3_ST_CR_CHANGE_A:			str="3RCCSA"; break;
+case SSL3_ST_SR_CHANGE_B:
+case SSL3_ST_CR_CHANGE_B:			str="3RCCSB"; break;
+case SSL3_ST_SR_FINISHED_A:
+case SSL3_ST_CR_FINISHED_A:			str="3RFINA"; break;
+case SSL3_ST_SR_FINISHED_B:
+case SSL3_ST_CR_FINISHED_B:			str="3RFINB"; break;
+
+case SSL3_ST_SW_HELLO_REQ_A:			str="3WHR_A"; break;
+case SSL3_ST_SW_HELLO_REQ_B:			str="3WHR_B"; break;
+case SSL3_ST_SW_HELLO_REQ_C:			str="3WHR_C"; break;
+case SSL3_ST_SR_CLNT_HELLO_A:			str="3RCH_A"; break;
+case SSL3_ST_SR_CLNT_HELLO_B:			str="3RCH_B"; break;
+case SSL3_ST_SR_CLNT_HELLO_C:			str="3RCH_C"; break;
+case SSL3_ST_SW_SRVR_HELLO_A:			str="3WSH_A"; break;
+case SSL3_ST_SW_SRVR_HELLO_B:			str="3WSH_B"; break;
+case SSL3_ST_SW_CERT_A:				str="3WSC_A"; break;
+case SSL3_ST_SW_CERT_B:				str="3WSC_B"; break;
+case SSL3_ST_SW_KEY_EXCH_A:			str="3WSKEA"; break;
+case SSL3_ST_SW_KEY_EXCH_B:			str="3WSKEB"; break;
+case SSL3_ST_SW_CERT_REQ_A:			str="3WCR_A"; break;
+case SSL3_ST_SW_CERT_REQ_B:			str="3WCR_B"; break;
+case SSL3_ST_SW_SRVR_DONE_A:			str="3WSD_A"; break;
+case SSL3_ST_SW_SRVR_DONE_B:			str="3WSD_B"; break;
+case SSL3_ST_SR_CERT_A:				str="3RCC_A"; break;
+case SSL3_ST_SR_CERT_B:				str="3RCC_B"; break;
+case SSL3_ST_SR_KEY_EXCH_A:			str="3RCKEA"; break;
+case SSL3_ST_SR_KEY_EXCH_B:			str="3RCKEB"; break;
+case SSL3_ST_SR_CERT_VRFY_A:			str="3RCV_A"; break;
+case SSL3_ST_SR_CERT_VRFY_B:			str="3RCV_B"; break;
+#endif
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+/* SSLv2/v3 compatibility states */
+/* client */
+case SSL23_ST_CW_CLNT_HELLO_A:			str="23WCHA"; break;
+case SSL23_ST_CW_CLNT_HELLO_B:			str="23WCHB"; break;
+case SSL23_ST_CR_SRVR_HELLO_A:			str="23RSHA"; break;
+case SSL23_ST_CR_SRVR_HELLO_B:			str="23RSHA"; break;
+/* server */
+case SSL23_ST_SR_CLNT_HELLO_A:			str="23RCHA"; break;
+case SSL23_ST_SR_CLNT_HELLO_B:			str="23RCHB"; break;
+#endif
+
+default:					str="UNKWN "; break;
+		}
+	return(str);
+	}
+
+char *SSL_alert_type_string_long(int value)
+	{
+	value>>=8;
+	if (value == SSL3_AL_WARNING)
+		return("warning");
+	else if (value == SSL3_AL_FATAL)
+		return("fatal");
+	else
+		return("unknown");
+	}
+
+char *SSL_alert_type_string(int value)
+	{
+	value>>=8;
+	if (value == SSL3_AL_WARNING)
+		return("W");
+	else if (value == SSL3_AL_FATAL)
+		return("F");
+	else
+		return("U");
+	}
+
+char *SSL_alert_desc_string(int value)
+	{
+	char *str;
+
+	switch (value & 0xff)
+		{
+	case SSL3_AD_CLOSE_NOTIFY:		str="CN"; break;
+	case SSL3_AD_UNEXPECTED_MESSAGE:	str="UM"; break;
+	case SSL3_AD_BAD_RECORD_MAC:		str="BM"; break;
+	case SSL3_AD_DECOMPRESSION_FAILURE:	str="DF"; break;
+	case SSL3_AD_HANDSHAKE_FAILURE:		str="HF"; break;
+	case SSL3_AD_NO_CERTIFICATE:		str="NC"; break;
+	case SSL3_AD_BAD_CERTIFICATE:		str="BC"; break;
+	case SSL3_AD_UNSUPPORTED_CERTIFICATE:	str="UC"; break;
+	case SSL3_AD_CERTIFICATE_REVOKED:	str="CR"; break;
+	case SSL3_AD_CERTIFICATE_EXPIRED:	str="CE"; break;
+	case SSL3_AD_CERTIFICATE_UNKNOWN:	str="CU"; break;
+	case SSL3_AD_ILLEGAL_PARAMETER:		str="IP"; break;
+	default:				str="UK"; break;
+		}
+	return(str);
+	}
+
+char *SSL_alert_desc_string_long(int value)
+	{
+	char *str;
+
+	switch (value & 0xff)
+		{
+	case SSL3_AD_CLOSE_NOTIFY:
+		str="close notify";
+		break;
+	case SSL3_AD_UNEXPECTED_MESSAGE:
+		str="unexpected_message";
+		break;
+	case SSL3_AD_BAD_RECORD_MAC:
+		str="bad record mac";
+		break;
+	case SSL3_AD_DECOMPRESSION_FAILURE:
+		str="decompression failure";
+		break;
+	case SSL3_AD_HANDSHAKE_FAILURE:
+		str="handshake failure";
+		break;
+	case SSL3_AD_NO_CERTIFICATE:
+		str="no certificate";
+		break;
+	case SSL3_AD_BAD_CERTIFICATE:
+		str="bad certificate";
+		break;
+	case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+		str="unsupported certificate";
+		break;
+	case SSL3_AD_CERTIFICATE_REVOKED:
+		str="certificate revoked";
+		break;
+	case SSL3_AD_CERTIFICATE_EXPIRED:
+		str="certificate expired";
+		break;
+	case SSL3_AD_CERTIFICATE_UNKNOWN:
+		str="certificate unknown";
+		break;
+	case SSL3_AD_ILLEGAL_PARAMETER:
+		str="illegal parameter";
+		break;
+	default: str="unknown"; break;
+		}
+	return(str);
+	}
+
+char *SSL_rstate_string(SSL *s)
+	{
+	char *str;
+
+	switch (s->rstate)
+		{
+	case SSL_ST_READ_HEADER:str="RH"; break;
+	case SSL_ST_READ_BODY:	str="RB"; break;
+	case SSL_ST_READ_DONE:	str="RD"; break;
+	default: str="unknown"; break;
+		}
+	return(str);
+	}
diff --git a/crypto/openssl/ssl/ssl_task.c b/crypto/openssl/ssl/ssl_task.c
new file mode 100644
index 0000000..cac701a
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_task.c
@@ -0,0 +1,369 @@
+/* ssl/ssl_task.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* VMS */
+/*
+ * DECnet object for servicing SSL.  We accept the inbound and speak a
+ * simple protocol for multiplexing the 2 data streams (application and
+ * ssl data) over this logical link.
+ *
+ * Logical names:
+ *    SSL_CIPHER	Defines a list of cipher specifications the server
+ *			will support in order of preference.
+ *    SSL_SERVER_CERTIFICATE
+ *			Points to PEM (privacy enhanced mail) file that
+ *			contains the server certificate and private password.
+ *    SYS$NET		Logical created by netserver.exe as hook for completing
+ *			DECnet logical link.
+ *
+ * Each NSP message sent over the DECnet link has the following structure:
+ *    struct rpc_msg { 
+ *      char channel;
+ *      char function;
+ *      short length;
+ *      char data[MAX_DATA];
+ *    } msg;
+ *
+ * The channel field designates the virtual data stream this message applies
+ * to and is one of:
+ *   A - Application data (payload).
+ *   R - Remote client connection that initiated the SSL connection.  Encrypted
+ *       data is sent over this connection.
+ *   G - General data, reserved for future use.
+ *
+ * The data streams are half-duplex read/write and have following functions:
+ *   G - Get, requests that up to msg.length bytes of data be returned.  The
+ *       data is returned in the next 'C' function response that matches the
+ *       requesting channel.
+ *   P - Put, requests that the first msg.length bytes of msg.data be appended
+ *       to the designated stream.
+ *   C - Confirms a get or put.  Every get and put will get a confirm response,
+ *       you cannot initiate another function on a channel until the previous
+ *       operation has been confirmed.
+ *
+ *  The 2 channels may interleave their operations, for example:
+ *        Server msg           Client msg
+ *         A, Get, 4092          ---->
+ *                               <----  R, get, 4092
+ *         R, Confirm, {hello}   ---->
+ *                               <----  R, put, {srv hello}
+ *         R, Confirm, 0         ---->
+ *                               .		(SSL handshake completed)
+ *                               .              (read first app data).
+ *                               <----  A, confirm, {http data}
+ *         A, Put, {http data}   ---->
+ *                               <----  A, confirm, 0
+ *
+ *  The length field is not permitted to be larger that 4092 bytes.
+ *
+ * Author: Dave Jones
+ * Date:   22-JUL-1996
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include <iodef.h>		/* VMS IO$_ definitions */
+#include <descrip.h>		/* VMS string descriptors */
+extern int SYS$QIOW(), SYS$ASSIGN();
+int LIB$INIT_TIMER(), LIB$SHOW_TIMER();
+
+#include <string.h>		/* from ssltest.c */
+#include <errno.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/buffer.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
+	int error);
+BIO *bio_err=NULL;
+BIO *bio_stdout=NULL;
+BIO_METHOD *BIO_s_rtcp();
+
+static char *cipher=NULL;
+int verbose=1;
+#ifdef FIONBIO
+static int s_nbio=0;
+#endif
+#define TEST_SERVER_CERT "SSL_SERVER_CERTIFICATE"
+/*************************************************************************/
+struct rpc_msg {		/* Should have member alignment inhibited */
+   char channel;		/* 'A'-app data. 'R'-remote client 'G'-global */
+   char function;		/* 'G'-get, 'P'-put, 'C'-confirm, 'X'-close */
+   unsigned short int length;	/* Amount of data returned or max to return */
+   char data[4092];		/* variable data */
+};
+#define RPC_HDR_SIZE (sizeof(struct rpc_msg) - 4092)
+
+static $DESCRIPTOR(sysnet, "SYS$NET");
+typedef unsigned short io_channel;
+
+struct io_status {
+    unsigned short status;
+    unsigned short count;
+    unsigned long stsval;
+};
+int doit(io_channel chan, SSL_CTX *s_ctx );
+/*****************************************************************************/
+/* Decnet I/O routines.
+ */
+static int get ( io_channel chan, char *buffer, int maxlen, int *length )
+{
+    int status;
+    struct io_status iosb;
+    status = SYS$QIOW ( 0, chan, IO$_READVBLK, &iosb, 0, 0,
+	buffer, maxlen, 0, 0, 0, 0 );
+    if ( (status&1) == 1 ) status = iosb.status;
+    if ( (status&1) == 1 ) *length = iosb.count;
+    return status;
+}
+
+static int put ( io_channel chan, char *buffer, int length )
+{
+    int status;
+    struct io_status iosb;
+    status = SYS$QIOW ( 0, chan, IO$_WRITEVBLK, &iosb, 0, 0,
+	buffer, length, 0, 0, 0, 0 );
+    if ( (status&1) == 1 ) status = iosb.status;
+    return status;
+}
+/***************************************************************************/
+/* Handle operations on the 'G' channel.
+ */
+static int general_request ( io_channel chan, struct rpc_msg *msg, int length )
+{
+    return 48;
+}
+/***************************************************************************/
+int main ( int argc, char **argv )
+{
+    int status, length;
+    io_channel chan;
+    struct rpc_msg msg;
+
+	char *CApath=NULL,*CAfile=NULL;
+	int badop=0;
+	int ret=1;
+	int client_auth=0;
+	int server_auth=0;
+	SSL_CTX *s_ctx=NULL;
+    /*
+     * Confirm logical link with initiating client.
+     */
+    LIB$INIT_TIMER();
+    status = SYS$ASSIGN ( &sysnet, &chan, 0, 0, 0 );
+    printf("status of assign to SYS$NET: %d\n", status );
+    /*
+     * Initialize standard out and error files.
+     */
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
+	if (bio_stdout == NULL)
+		if ((bio_stdout=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_stdout,stdout,BIO_NOCLOSE);
+    /*
+     * get the preferred cipher list and other initialization
+     */
+	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
+	printf("cipher list: %s\n", cipher ? cipher : "{undefined}" );
+
+	SSL_load_error_strings();
+	OpenSSL_add_all_algorithms();
+
+/* DRM, this was the original, but there is no such thing as SSLv2()
+	s_ctx=SSL_CTX_new(SSLv2());
+*/
+	s_ctx=SSL_CTX_new(SSLv2_server_method());
+
+	if (s_ctx == NULL) goto end;
+
+	SSL_CTX_use_certificate_file(s_ctx,TEST_SERVER_CERT,SSL_FILETYPE_PEM);
+	SSL_CTX_use_RSAPrivateKey_file(s_ctx,TEST_SERVER_CERT,SSL_FILETYPE_PEM);
+	printf("Loaded server certificate: '%s'\n", TEST_SERVER_CERT );
+
+    /*
+     * Take commands from client until bad status.
+     */
+    LIB$SHOW_TIMER();
+    status = doit ( chan, s_ctx );
+    LIB$SHOW_TIMER();
+    /*
+     * do final cleanup and exit.
+     */
+end:
+	if (s_ctx != NULL) SSL_CTX_free(s_ctx);
+    LIB$SHOW_TIMER();
+    return 1;
+}
+
+int doit(io_channel chan, SSL_CTX *s_ctx )
+{
+    int status, length, link_state;
+     struct rpc_msg msg;
+	static char cbuf[200],sbuf[200];
+	SSL *s_ssl=NULL;
+	BIO *c_to_s=NULL;
+	BIO *s_to_c=NULL;
+	BIO *c_bio=NULL;
+	BIO *s_bio=NULL;
+	int i;
+	int done=0;
+
+	s_ssl=SSL_new(s_ctx);
+	if (s_ssl == NULL) goto err;
+
+	c_to_s=BIO_new(BIO_s_rtcp());
+	s_to_c=BIO_new(BIO_s_rtcp());
+	if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
+/* original, DRM 24-SEP-1997
+	BIO_set_fd ( c_to_s, "", chan );
+	BIO_set_fd ( s_to_c, "", chan );
+*/
+	BIO_set_fd ( c_to_s, 0, chan );
+	BIO_set_fd ( s_to_c, 0, chan );
+
+	c_bio=BIO_new(BIO_f_ssl());
+	s_bio=BIO_new(BIO_f_ssl());
+	if ((c_bio == NULL) || (s_bio == NULL)) goto err;
+
+	SSL_set_accept_state(s_ssl);
+	SSL_set_bio(s_ssl,c_to_s,s_to_c);
+	BIO_set_ssl(s_bio,s_ssl,BIO_CLOSE);
+
+	/* We can always do writes */
+	printf("Begin doit main loop\n");
+	/*
+	 * Link states: 0-idle, 1-read pending, 2-write pending, 3-closed.
+	 */
+	for (link_state = 0; link_state < 3; ) {
+	    /*
+	     * Wait for remote end to request data action on A channel.
+	     */
+	    while ( link_state == 0 ) {
+		status = get ( chan, (char *) &msg, sizeof(msg), &length );
+		if ( (status&1) == 0 ) {
+		    printf("Error in main loop get: %d\n", status );
+		    link_state = 3;
+		    break;
+		}
+	   	if ( length < RPC_HDR_SIZE ) {
+		    printf("Error in main loop get size: %d\n", length );
+		    break;
+		    link_state = 3;
+		}
+	   	if ( msg.channel != 'A' ) {
+		    printf("Error in main loop, unexpected channel: %c\n", 
+			msg.channel );
+		    break;
+		    link_state = 3;
+		}
+		if ( msg.function == 'G' ) {
+		    link_state = 1;
+		} else if ( msg.function == 'P' ) {
+		    link_state = 2;	/* write pending */
+		} else if ( msg.function == 'X' ) {
+		    link_state = 3;
+		} else {
+		    link_state = 3;
+		}
+	    }
+	    if ( link_state == 1 ) {
+		i = BIO_read ( s_bio, msg.data, msg.length );
+		if ( i < 0 ) link_state = 3;
+		else {
+		    msg.channel = 'A';
+		    msg.function = 'C';		/* confirm */
+		    msg.length = i;
+		    status = put ( chan, (char *) &msg, i+RPC_HDR_SIZE );
+		    if ( (status&1) == 0 ) break;
+		    link_state = 0;
+		}
+	    } else if ( link_state == 2 ) {
+		i = BIO_write ( s_bio, msg.data, msg.length );
+		if ( i < 0 ) link_state = 3;
+		else {
+		    msg.channel = 'A';
+		    msg.function = 'C';		/* confirm */
+		    msg.length = 0;
+		    status = put ( chan, (char *) &msg, RPC_HDR_SIZE );
+		    if ( (status&1) == 0 ) break;
+		    link_state = 0;
+		}
+	    }
+	}
+	fprintf(stdout,"DONE\n");
+err:
+	/* We have to set the BIO's to NULL otherwise they will be
+	 * free()ed twice.  Once when th s_ssl is SSL_free()ed and
+	 * again when c_ssl is SSL_free()ed.
+	 * This is a hack required because s_ssl and c_ssl are sharing the same
+	 * BIO structure and SSL_set_bio() and SSL_free() automatically
+	 * BIO_free non NULL entries.
+	 * You should not normally do this or be required to do this */
+	s_ssl->rbio=NULL;
+	s_ssl->wbio=NULL;
+
+	if (c_to_s != NULL) BIO_free(c_to_s);
+	if (s_to_c != NULL) BIO_free(s_to_c);
+	if (c_bio != NULL) BIO_free(c_bio);
+	if (s_bio != NULL) BIO_free(s_bio);
+	return(0);
+}
diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
new file mode 100644
index 0000000..c07d957
--- /dev/null
+++ b/crypto/openssl/ssl/ssl_txt.c
@@ -0,0 +1,176 @@
+/* ssl/ssl_txt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include "ssl_locl.h"
+
+#ifndef NO_FP_API
+int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+	{
+	BIO *b;
+	int ret;
+
+	if ((b=BIO_new(BIO_s_file_internal())) == NULL)
+		{
+		SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
+		return(0);
+		}
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=SSL_SESSION_print(b,x);
+	BIO_free(b);
+	return(ret);
+	}
+#endif
+
+int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
+	{
+	unsigned int i;
+	char str[128],*s;
+
+	if (x == NULL) goto err;
+	if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
+	if (x->ssl_version == SSL2_VERSION)
+		s="SSLv2";
+	else if (x->ssl_version == SSL3_VERSION)
+		s="SSLv3";
+	else if (x->ssl_version == TLS1_VERSION)
+		s="TLSv1";
+	else
+		s="unknown";
+	sprintf(str,"    Protocol  : %s\n",s);
+	if (BIO_puts(bp,str) <= 0) goto err;
+
+	if (x->cipher == NULL)
+		{
+		if (((x->cipher_id) & 0xff000000) == 0x02000000)
+			sprintf(str,"    Cipher    : %06lX\n",x->cipher_id&0xffffff);
+		else
+			sprintf(str,"    Cipher    : %04lX\n",x->cipher_id&0xffff);
+		}
+	else
+		sprintf(str,"    Cipher    : %s\n",(x->cipher == NULL)?"unknown":x->cipher->name);
+	if (BIO_puts(bp,str) <= 0) goto err;
+	if (BIO_puts(bp,"    Session-ID: ") <= 0) goto err;
+	for (i=0; i<x->session_id_length; i++)
+		{
+		sprintf(str,"%02X",x->session_id[i]);
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n    Session-ID-ctx: ") <= 0) goto err;
+	for (i=0; i<x->sid_ctx_length; i++)
+		{
+		sprintf(str,"%02X",x->sid_ctx[i]);
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n    Master-Key: ") <= 0) goto err;
+	for (i=0; i<(unsigned int)x->master_key_length; i++)
+		{
+		sprintf(str,"%02X",x->master_key[i]);
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n    Key-Arg   : ") <= 0) goto err;
+	if (x->key_arg_length == 0)
+		{
+		if (BIO_puts(bp,"None") <= 0) goto err;
+		}
+	else
+		for (i=0; i<x->key_arg_length; i++)
+			{
+			sprintf(str,"%02X",x->key_arg[i]);
+			if (BIO_puts(bp,str) <= 0) goto err;
+			}
+	if (x->compress_meth != 0)
+		{
+		SSL_COMP *comp;
+
+		ssl_cipher_get_evp(x,NULL,NULL,&comp);
+		if (comp == NULL)
+			{
+			sprintf(str,"\n   Compression: %d",x->compress_meth);
+			if (BIO_puts(bp,str) <= 0) goto err;
+			}
+		else
+			{
+			sprintf(str,"\n   Compression: %d (%s)",
+				comp->id,comp->method->name);
+			if (BIO_puts(bp,str) <= 0) goto err;
+			}
+		}	
+	if (x->time != 0L)
+		{
+		sprintf(str,"\n    Start Time: %ld",x->time);
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (x->timeout != 0L)
+		{
+		sprintf(str,"\n    Timeout   : %ld (sec)",x->timeout);
+		if (BIO_puts(bp,str) <= 0) goto err;
+		}
+	if (BIO_puts(bp,"\n") <= 0) goto err;
+
+	if (BIO_puts(bp, "    Verify return code: ") <= 0) goto err;
+	sprintf(str, "%ld (%s)\n", x->verify_result, 
+			X509_verify_cert_error_string(x->verify_result));
+	if (BIO_puts(bp,str) <= 0) goto err;
+		
+	return(1);
+err:
+	return(0);
+	}
+
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
new file mode 100644
index 0000000..dde3579
--- /dev/null
+++ b/crypto/openssl/ssl/ssltest.c
@@ -0,0 +1,1357 @@
+/* ssl/ssltest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#ifdef WINDOWS
+#include "../crypto/bio/bss_file.c"
+#endif
+
+#ifdef VMS
+#  define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
+#  define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
+#else
+#  define TEST_SERVER_CERT "../apps/server.pem"
+#  define TEST_CLIENT_CERT "../apps/client.pem"
+#endif
+
+static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
+#endif
+#ifndef NO_DH
+static DH *get_dh512(void);
+static DH *get_dh1024(void);
+static DH *get_dh1024dsa(void);
+#endif
+
+static BIO *bio_err=NULL;
+static BIO *bio_stdout=NULL;
+
+static char *cipher=NULL;
+static int verbose=0;
+static int debug=0;
+#if 0
+/* Not used yet. */
+#ifdef FIONBIO
+static int s_nbio=0;
+#endif
+#endif
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
+int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
+static void sv_usage(void)
+	{
+	fprintf(stderr,"usage: ssltest [args ...]\n");
+	fprintf(stderr,"\n");
+	fprintf(stderr," -server_auth  - check server certificate\n");
+	fprintf(stderr," -client_auth  - do client authentication\n");
+	fprintf(stderr," -v            - more output\n");
+	fprintf(stderr," -d            - debug output\n");
+	fprintf(stderr," -reuse        - use session-id reuse\n");
+	fprintf(stderr," -num <val>    - number of connections to perform\n");
+	fprintf(stderr," -bytes <val>  - number of bytes to swap between client/server\n");
+#ifndef NO_DH
+	fprintf(stderr," -dhe1024      - use 1024 bit key (safe prime) for DHE\n");
+	fprintf(stderr," -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
+	fprintf(stderr," -no_dhe       - disable DHE\n");
+#endif
+#ifndef NO_SSL2
+	fprintf(stderr," -ssl2         - use SSLv2\n");
+#endif
+#ifndef NO_SSL3
+	fprintf(stderr," -ssl3         - use SSLv3\n");
+#endif
+#ifndef NO_TLS1
+	fprintf(stderr," -tls1         - use TLSv1\n");
+#endif
+	fprintf(stderr," -CApath arg   - PEM format directory of CA's\n");
+	fprintf(stderr," -CAfile arg   - PEM format file of CA's\n");
+	fprintf(stderr," -cert arg     - Server certificate file\n");
+	fprintf(stderr," -key arg      - Server key file (default: same as -cert)\n");
+	fprintf(stderr," -c_cert arg   - Client certificate file\n");
+	fprintf(stderr," -c_key arg    - Client key file (default: same as -c_cert)\n");
+	fprintf(stderr," -cipher arg   - The cipher list\n");
+	fprintf(stderr," -bio_pair     - Use BIO pairs\n");
+	fprintf(stderr," -f            - Test even cases that can't work\n");
+	fprintf(stderr," -time         - measure processor time used by client and server\n");
+	}
+
+static void print_details(SSL *c_ssl, const char *prefix)
+	{
+	SSL_CIPHER *ciph;
+	X509 *cert;
+		
+	ciph=SSL_get_current_cipher(c_ssl);
+	BIO_printf(bio_stdout,"%s%s, cipher %s %s",
+		prefix,
+		SSL_get_version(c_ssl),
+		SSL_CIPHER_get_version(ciph),
+		SSL_CIPHER_get_name(ciph));
+	cert=SSL_get_peer_certificate(c_ssl);
+	if (cert != NULL)
+		{
+		EVP_PKEY *pkey = X509_get_pubkey(cert);
+		if (pkey != NULL)
+			{
+			if (0) 
+				;
+#ifndef NO_RSA
+			else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+				&& pkey->pkey.rsa->n != NULL)
+				{
+				BIO_printf(bio_stdout, ", %d bit RSA",
+					BN_num_bits(pkey->pkey.rsa->n));
+				}
+#endif
+#ifndef NO_DSA
+			else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+				&& pkey->pkey.dsa->p != NULL)
+				{
+				BIO_printf(bio_stdout, ", %d bit DSA",
+					BN_num_bits(pkey->pkey.dsa->p));
+				}
+#endif
+			EVP_PKEY_free(pkey);
+			}
+		X509_free(cert);
+		}
+	/* The SSL API does not allow us to look at temporary RSA/DH keys,
+	 * otherwise we should print their lengths too */
+	BIO_printf(bio_stdout,"\n");
+	}
+
+int main(int argc, char *argv[])
+	{
+	char *CApath=NULL,*CAfile=NULL;
+	int badop=0;
+	int bio_pair=0;
+	int force=0;
+	int tls1=0,ssl2=0,ssl3=0,ret=1;
+	int client_auth=0;
+	int server_auth=0,i;
+	char *server_cert=TEST_SERVER_CERT;
+	char *server_key=NULL;
+	char *client_cert=TEST_CLIENT_CERT;
+	char *client_key=NULL;
+	SSL_CTX *s_ctx=NULL;
+	SSL_CTX *c_ctx=NULL;
+	SSL_METHOD *meth=NULL;
+	SSL *c_ssl,*s_ssl;
+	int number=1,reuse=0;
+	long bytes=1L;
+#ifndef NO_DH
+	DH *dh;
+	int dhe1024 = 0, dhe1024dsa = 0;
+#endif
+	int no_dhe = 0;
+	int print_time = 0;
+	clock_t s_time = 0, c_time = 0;
+
+	verbose = 0;
+	debug = 0;
+	cipher = 0;
+	
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
+	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
+
+	argc--;
+	argv++;
+
+	while (argc >= 1)
+		{
+		if	(strcmp(*argv,"-server_auth") == 0)
+			server_auth=1;
+		else if	(strcmp(*argv,"-client_auth") == 0)
+			client_auth=1;
+		else if	(strcmp(*argv,"-v") == 0)
+			verbose=1;
+		else if	(strcmp(*argv,"-d") == 0)
+			debug=1;
+		else if	(strcmp(*argv,"-reuse") == 0)
+			reuse=1;
+#ifndef NO_DH
+		else if	(strcmp(*argv,"-dhe1024") == 0)
+			dhe1024=1;
+		else if	(strcmp(*argv,"-dhe1024dsa") == 0)
+			dhe1024dsa=1;
+#endif
+		else if	(strcmp(*argv,"-no_dhe") == 0)
+			no_dhe=1;
+		else if	(strcmp(*argv,"-ssl2") == 0)
+			ssl2=1;
+		else if	(strcmp(*argv,"-tls1") == 0)
+			tls1=1;
+		else if	(strcmp(*argv,"-ssl3") == 0)
+			ssl3=1;
+		else if	(strncmp(*argv,"-num",4) == 0)
+			{
+			if (--argc < 1) goto bad;
+			number= atoi(*(++argv));
+			if (number == 0) number=1;
+			}
+		else if	(strcmp(*argv,"-bytes") == 0)
+			{
+			if (--argc < 1) goto bad;
+			bytes= atol(*(++argv));
+			if (bytes == 0L) bytes=1L;
+			i=strlen(argv[0]);
+			if (argv[0][i-1] == 'k') bytes*=1024L;
+			if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
+			}
+		else if	(strcmp(*argv,"-cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			server_cert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-s_cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			server_cert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			server_key= *(++argv);
+			}
+		else if	(strcmp(*argv,"-s_key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			server_key= *(++argv);
+			}
+		else if	(strcmp(*argv,"-c_cert") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_cert= *(++argv);
+			}
+		else if	(strcmp(*argv,"-c_key") == 0)
+			{
+			if (--argc < 1) goto bad;
+			client_key= *(++argv);
+			}
+		else if	(strcmp(*argv,"-cipher") == 0)
+			{
+			if (--argc < 1) goto bad;
+			cipher= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CApath") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CApath= *(++argv);
+			}
+		else if	(strcmp(*argv,"-CAfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			CAfile= *(++argv);
+			}
+		else if	(strcmp(*argv,"-bio_pair") == 0)
+			{
+			bio_pair = 1;
+			}
+		else if	(strcmp(*argv,"-f") == 0)
+			{
+			force = 1;
+			}
+		else if	(strcmp(*argv,"-time") == 0)
+			{
+			print_time = 1;
+			}
+		else
+			{
+			fprintf(stderr,"unknown option %s\n",*argv);
+			badop=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+	if (badop)
+		{
+bad:
+		sv_usage();
+		goto end;
+		}
+
+	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
+		{
+		fprintf(stderr, "This case cannot work.  Use -f to perform "
+			"the test anyway (and\n-d to see what happens), "
+			"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
+			"to avoid protocol mismatch.\n");
+		exit(1);
+		}
+
+	if (print_time)
+		{
+		if (!bio_pair)
+			{
+			fprintf(stderr, "Using BIO pair (-bio_pair)\n");
+			bio_pair = 1;
+			}
+		if (number < 50 && !force)
+			fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
+		}
+
+/*	if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
+
+	SSL_library_init();
+	SSL_load_error_strings();
+
+#if !defined(NO_SSL2) && !defined(NO_SSL3)
+	if (ssl2)
+		meth=SSLv2_method();
+	else 
+	if (tls1)
+		meth=TLSv1_method();
+	else
+	if (ssl3)
+		meth=SSLv3_method();
+	else
+		meth=SSLv23_method();
+#else
+#ifdef NO_SSL2
+	meth=SSLv3_method();
+#else
+	meth=SSLv2_method();
+#endif
+#endif
+
+	c_ctx=SSL_CTX_new(meth);
+	s_ctx=SSL_CTX_new(meth);
+	if ((c_ctx == NULL) || (s_ctx == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (cipher != NULL)
+		{
+		SSL_CTX_set_cipher_list(c_ctx,cipher);
+		SSL_CTX_set_cipher_list(s_ctx,cipher);
+		}
+
+#ifndef NO_DH
+	if (!no_dhe)
+		{
+		if (dhe1024dsa)
+			{
+			/* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
+			SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+			dh=get_dh1024dsa();
+			}
+		else if (dhe1024)
+			dh=get_dh1024();
+		else
+			dh=get_dh512();
+		SSL_CTX_set_tmp_dh(s_ctx,dh);
+		DH_free(dh);
+		}
+#else
+	(void)no_dhe;
+#endif
+
+#ifndef NO_RSA
+	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
+#endif
+
+	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		}
+	else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
+		(server_key?server_key:server_cert), SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (client_auth)
+		{
+		SSL_CTX_use_certificate_file(c_ctx,client_cert,
+			SSL_FILETYPE_PEM);
+		SSL_CTX_use_PrivateKey_file(c_ctx,
+			(client_key?client_key:client_cert),
+			SSL_FILETYPE_PEM);
+		}
+
+	if (	(!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
+		(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
+		(!SSL_CTX_set_default_verify_paths(c_ctx)))
+		{
+		/* fprintf(stderr,"SSL_load_verify_locations\n"); */
+		ERR_print_errors(bio_err);
+		/* goto end; */
+		}
+
+	if (client_auth)
+		{
+		BIO_printf(bio_err,"client authentication\n");
+		SSL_CTX_set_verify(s_ctx,
+			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+			verify_callback);
+		}
+	if (server_auth)
+		{
+		BIO_printf(bio_err,"server authentication\n");
+		SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
+			verify_callback);
+		}
+	
+	{
+		int session_id_context = 0;
+		SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
+	}
+
+	c_ssl=SSL_new(c_ctx);
+	s_ssl=SSL_new(s_ctx);
+
+	for (i=0; i<number; i++)
+		{
+		if (!reuse) SSL_set_session(c_ssl,NULL);
+		if (bio_pair)
+			ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
+		else
+			ret=doit(s_ssl,c_ssl,bytes);
+		}
+
+	if (!verbose)
+		{
+		print_details(c_ssl, "");
+		}
+	if ((number > 1) || (bytes > 1L))
+		BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
+	if (print_time)
+		{
+#ifdef CLOCKS_PER_SEC
+		/* "To determine the time in seconds, the value returned
+		 * by the clock function should be divided by the value
+		 * of the macro CLOCKS_PER_SEC."
+		 *                                       -- ISO/IEC 9899 */
+		BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
+			"Approximate total client time: %6.2f s\n",
+			(double)s_time/CLOCKS_PER_SEC,
+			(double)c_time/CLOCKS_PER_SEC);
+#else
+		/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
+		 *                            -- cc on NeXTstep/OpenStep */
+		BIO_printf(bio_stdout,
+			"Approximate total server time: %6.2f units\n"
+			"Approximate total client time: %6.2f units\n",
+			(double)s_time,
+			(double)c_time);
+#endif
+		}
+
+	SSL_free(s_ssl);
+	SSL_free(c_ssl);
+
+end:
+	if (s_ctx != NULL) SSL_CTX_free(s_ctx);
+	if (c_ctx != NULL) SSL_CTX_free(c_ctx);
+
+	if (bio_stdout != NULL) BIO_free(bio_stdout);
+
+	ERR_free_strings();
+	ERR_remove_state(0);
+	EVP_cleanup();
+	CRYPTO_mem_leaks(bio_err);
+	if (bio_err != NULL) BIO_free(bio_err);
+	EXIT(ret);
+	}
+
+int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
+	clock_t *s_time, clock_t *c_time)
+	{
+	long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
+	BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
+	BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
+	int ret = 1;
+	
+	size_t bufsiz = 256; /* small buffer for testing */
+
+	if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
+		goto err;
+	if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
+		goto err;
+	
+	s_ssl_bio = BIO_new(BIO_f_ssl());
+	if (!s_ssl_bio)
+		goto err;
+
+	c_ssl_bio = BIO_new(BIO_f_ssl());
+	if (!c_ssl_bio)
+		goto err;
+
+	SSL_set_connect_state(c_ssl);
+	SSL_set_bio(c_ssl, client, client);
+	(void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
+
+	SSL_set_accept_state(s_ssl);
+	SSL_set_bio(s_ssl, server, server);
+	(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
+
+	do
+		{
+		/* c_ssl_bio:          SSL filter BIO
+		 *
+		 * client:             pseudo-I/O for SSL library
+		 *
+		 * client_io:          client's SSL communication; usually to be
+		 *                     relayed over some I/O facility, but in this
+		 *                     test program, we're the server, too:
+		 *
+		 * server_io:          server's SSL communication
+		 *
+		 * server:             pseudo-I/O for SSL library
+		 *
+		 * s_ssl_bio:          SSL filter BIO
+		 *
+		 * The client and the server each employ a "BIO pair":
+		 * client + client_io, server + server_io.
+		 * BIO pairs are symmetric.  A BIO pair behaves similar
+		 * to a non-blocking socketpair (but both endpoints must
+		 * be handled by the same thread).
+		 * [Here we could connect client and server to the ends
+		 * of a single BIO pair, but then this code would be less
+		 * suitable as an example for BIO pairs in general.]
+		 *
+		 * Useful functions for querying the state of BIO pair endpoints:
+		 *
+		 * BIO_ctrl_pending(bio)              number of bytes we can read now
+		 * BIO_ctrl_get_read_request(bio)     number of bytes needed to fulfil
+		 *                                      other side's read attempt
+		 * BIO_ctrl_get_write_guarantee(bio)   number of bytes we can write now
+		 *
+		 * ..._read_request is never more than ..._write_guarantee;
+		 * it depends on the application which one you should use.
+		 */
+
+		/* We have non-blocking behaviour throughout this test program, but
+		 * can be sure that there is *some* progress in each iteration; so
+		 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
+		 * -- we just try everything in each iteration
+		 */
+
+			{
+			/* CLIENT */
+		
+			MS_STATIC char cbuf[1024*8];
+			int i, r;
+			clock_t c_clock = clock();
+
+			if (debug)
+				if (SSL_in_init(c_ssl))
+					printf("client waiting in SSL_connect - %s\n",
+						SSL_state_string_long(c_ssl));
+
+			if (cw_num > 0)
+				{
+				/* Write to server. */
+				
+				if (cw_num > (long)sizeof cbuf)
+					i = sizeof cbuf;
+				else
+					i = (int)cw_num;
+				r = BIO_write(c_ssl_bio, cbuf, i);
+				if (r < 0)
+					{
+					if (!BIO_should_retry(c_ssl_bio))
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						goto err;
+						}
+					/* BIO_should_retry(...) can just be ignored here.
+					 * The library expects us to call BIO_write with
+					 * the same arguments again, and that's what we will
+					 * do in the next iteration. */
+					}
+				else if (r == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("client wrote %d\n", r);
+					cw_num -= r;				
+					}
+				}
+
+			if (cr_num > 0)
+				{
+				/* Read from server. */
+
+				r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
+				if (r < 0)
+					{
+					if (!BIO_should_retry(c_ssl_bio))
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						goto err;
+						}
+					/* Again, "BIO_should_retry" can be ignored. */
+					}
+				else if (r == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("client read %d\n", r);
+					cr_num -= r;
+					}
+				}
+
+			/* c_time and s_time increments will typically be very small
+			 * (depending on machine speed and clock tick intervals),
+			 * but sampling over a large number of connections should
+			 * result in fairly accurate figures.  We cannot guarantee
+			 * a lot, however -- if each connection lasts for exactly
+			 * one clock tick, it will be counted only for the client
+			 * or only for the server or even not at all.
+			 */
+			*c_time += (clock() - c_clock);
+			}
+
+			{
+			/* SERVER */
+		
+			MS_STATIC char sbuf[1024*8];
+			int i, r;
+			clock_t s_clock = clock();
+
+			if (debug)
+				if (SSL_in_init(s_ssl))
+					printf("server waiting in SSL_accept - %s\n",
+						SSL_state_string_long(s_ssl));
+
+			if (sw_num > 0)
+				{
+				/* Write to client. */
+				
+				if (sw_num > (long)sizeof sbuf)
+					i = sizeof sbuf;
+				else
+					i = (int)sw_num;
+				r = BIO_write(s_ssl_bio, sbuf, i);
+				if (r < 0)
+					{
+					if (!BIO_should_retry(s_ssl_bio))
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						goto err;
+						}
+					/* Ignore "BIO_should_retry". */
+					}
+				else if (r == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("server wrote %d\n", r);
+					sw_num -= r;				
+					}
+				}
+
+			if (sr_num > 0)
+				{
+				/* Read from client. */
+
+				r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
+				if (r < 0)
+					{
+					if (!BIO_should_retry(s_ssl_bio))
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						goto err;
+						}
+					/* blah, blah */
+					}
+				else if (r == 0)
+					{
+					fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("server read %d\n", r);
+					sr_num -= r;
+					}
+				}
+
+			*s_time += (clock() - s_clock);
+			}
+			
+			{
+			/* "I/O" BETWEEN CLIENT AND SERVER. */
+
+			size_t r1, r2;
+			BIO *io1 = server_io, *io2 = client_io;
+			/* we use the non-copying interface for io1
+			 * and the standard BIO_write/BIO_read interface for io2
+			 */
+			
+			static int prev_progress = 1;
+			int progress = 0;
+			
+			/* io1 to io2 */
+			do
+				{
+				size_t num;
+				int r;
+
+				r1 = BIO_ctrl_pending(io1);
+				r2 = BIO_ctrl_get_write_guarantee(io2);
+
+				num = r1;
+				if (r2 < num)
+					num = r2;
+				if (num)
+					{
+					char *dataptr;
+
+					if (INT_MAX < num) /* yeah, right */
+						num = INT_MAX;
+					
+					r = BIO_nread(io1, &dataptr, (int)num);
+					assert(r > 0);
+					assert(r <= (int)num);
+					/* possibly r < num (non-contiguous data) */
+					num = r;
+					r = BIO_write(io2, dataptr, (int)num);
+					if (r != (int)num) /* can't happen */
+						{
+						fprintf(stderr, "ERROR: BIO_write could not write "
+							"BIO_ctrl_get_write_guarantee() bytes");
+						goto err;
+						}
+					progress = 1;
+
+					if (debug)
+						printf((io1 == client_io) ?
+							"C->S relaying: %d bytes\n" :
+							"S->C relaying: %d bytes\n",
+							(int)num);
+					}
+				}
+			while (r1 && r2);
+
+			/* io2 to io1 */
+			{
+				size_t num;
+				int r;
+
+				r1 = BIO_ctrl_pending(io2);
+				r2 = BIO_ctrl_get_read_request(io1);
+				/* here we could use ..._get_write_guarantee instead of
+				 * ..._get_read_request, but by using the latter
+				 * we test restartability of the SSL implementation
+				 * more thoroughly */
+				num = r1;
+				if (r2 < num)
+					num = r2;
+				if (num)
+					{
+					char *dataptr;
+					
+					if (INT_MAX < num)
+						num = INT_MAX;
+
+					if (num > 1)
+						--num; /* test restartability even more thoroughly */
+					
+					r = BIO_nwrite(io1, &dataptr, (int)num);
+					assert(r > 0);
+					assert(r <= (int)num);
+					num = r;
+					r = BIO_read(io2, dataptr, (int)num);
+					if (r != (int)num) /* can't happen */
+						{
+						fprintf(stderr, "ERROR: BIO_read could not read "
+							"BIO_ctrl_pending() bytes");
+						goto err;
+						}
+					progress = 1;
+					
+					if (debug)
+						printf((io2 == client_io) ?
+							"C->S relaying: %d bytes\n" :
+							"S->C relaying: %d bytes\n",
+							(int)num);
+					}
+			} /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
+
+			if (!progress && !prev_progress)
+				if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
+					{
+					fprintf(stderr, "ERROR: got stuck\n");
+					if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
+						{
+						fprintf(stderr, "This can happen for SSL2 because "
+							"CLIENT-FINISHED and SERVER-VERIFY are written \n"
+							"concurrently ...");
+						if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
+							&& strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
+							{
+							fprintf(stderr, " ok.\n");
+							goto end;
+							}
+						}
+					fprintf(stderr, " ERROR.\n");
+					goto err;
+					}
+			prev_progress = progress;
+			}
+		}
+	while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
+
+	if (verbose)
+		print_details(c_ssl, "DONE via BIO pair: ");
+end:
+	ret = 0;
+
+ err:
+	ERR_print_errors(bio_err);
+	
+	if (server)
+		BIO_free(server);
+	if (server_io)
+		BIO_free(server_io);
+	if (client)
+		BIO_free(client);
+	if (client_io)
+		BIO_free(client_io);
+	if (s_ssl_bio)
+		BIO_free(s_ssl_bio);
+	if (c_ssl_bio)
+		BIO_free(c_ssl_bio);
+
+	return ret;
+	}
+
+
+#define W_READ	1
+#define W_WRITE	2
+#define C_DONE	1
+#define S_DONE	2
+
+int doit(SSL *s_ssl, SSL *c_ssl, long count)
+	{
+	MS_STATIC char cbuf[1024*8],sbuf[1024*8];
+	long cw_num=count,cr_num=count;
+	long sw_num=count,sr_num=count;
+	int ret=1;
+	BIO *c_to_s=NULL;
+	BIO *s_to_c=NULL;
+	BIO *c_bio=NULL;
+	BIO *s_bio=NULL;
+	int c_r,c_w,s_r,s_w;
+	int c_want,s_want;
+	int i,j;
+	int done=0;
+	int c_write,s_write;
+	int do_server=0,do_client=0;
+
+	c_to_s=BIO_new(BIO_s_mem());
+	s_to_c=BIO_new(BIO_s_mem());
+	if ((s_to_c == NULL) || (c_to_s == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	c_bio=BIO_new(BIO_f_ssl());
+	s_bio=BIO_new(BIO_f_ssl());
+	if ((c_bio == NULL) || (s_bio == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	SSL_set_connect_state(c_ssl);
+	SSL_set_bio(c_ssl,s_to_c,c_to_s);
+	BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
+
+	SSL_set_accept_state(s_ssl);
+	SSL_set_bio(s_ssl,c_to_s,s_to_c);
+	BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
+
+	c_r=0; s_r=1;
+	c_w=1; s_w=0;
+	c_want=W_WRITE;
+	s_want=0;
+	c_write=1,s_write=0;
+
+	/* We can always do writes */
+	for (;;)
+		{
+		do_server=0;
+		do_client=0;
+
+		i=(int)BIO_pending(s_bio);
+		if ((i && s_r) || s_w) do_server=1;
+
+		i=(int)BIO_pending(c_bio);
+		if ((i && c_r) || c_w) do_client=1;
+
+		if (do_server && debug)
+			{
+			if (SSL_in_init(s_ssl))
+				printf("server waiting in SSL_accept - %s\n",
+					SSL_state_string_long(s_ssl));
+/*			else if (s_write)
+				printf("server:SSL_write()\n");
+			else
+				printf("server:SSL_read()\n"); */
+			}
+
+		if (do_client && debug)
+			{
+			if (SSL_in_init(c_ssl))
+				printf("client waiting in SSL_connect - %s\n",
+					SSL_state_string_long(c_ssl));
+/*			else if (c_write)
+				printf("client:SSL_write()\n");
+			else
+				printf("client:SSL_read()\n"); */
+			}
+
+		if (!do_client && !do_server)
+			{
+			fprintf(stdout,"ERROR IN STARTUP\n");
+			ERR_print_errors(bio_err);
+			break;
+			}
+		if (do_client && !(done & C_DONE))
+			{
+			if (c_write)
+				{
+				j=(cw_num > (long)sizeof(cbuf))
+					?sizeof(cbuf):(int)cw_num;
+				i=BIO_write(c_bio,cbuf,j);
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors(bio_err);
+						goto err;
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("client wrote %d\n",i);
+					/* ok */
+					s_r=1;
+					c_write=0;
+					cw_num-=i;
+					}
+				}
+			else
+				{
+				i=BIO_read(c_bio,cbuf,sizeof(cbuf));
+				if (i < 0)
+					{
+					c_r=0;
+					c_w=0;
+					if (BIO_should_retry(c_bio))
+						{
+						if (BIO_should_read(c_bio))
+							c_r=1;
+						if (BIO_should_write(c_bio))
+							c_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors(bio_err);
+						goto err;
+						}
+					}
+				else if (i == 0)
+					{
+					fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("client read %d\n",i);
+					cr_num-=i;
+					if (sw_num > 0)
+						{
+						s_write=1;
+						s_w=1;
+						}
+					if (cr_num <= 0)
+						{
+						s_write=1;
+						s_w=1;
+						done=S_DONE|C_DONE;
+						}
+					}
+				}
+			}
+
+		if (do_server && !(done & S_DONE))
+			{
+			if (!s_write)
+				{
+				i=BIO_read(s_bio,sbuf,sizeof(cbuf));
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors(bio_err);
+						goto err;
+						}
+					}
+				else if (i == 0)
+					{
+					ERR_print_errors(bio_err);
+					fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("server read %d\n",i);
+					sr_num-=i;
+					if (cw_num > 0)
+						{
+						c_write=1;
+						c_w=1;
+						}
+					if (sr_num <= 0)
+						{
+						s_write=1;
+						s_w=1;
+						c_write=0;
+						}
+					}
+				}
+			else
+				{
+				j=(sw_num > (long)sizeof(sbuf))?
+					sizeof(sbuf):(int)sw_num;
+				i=BIO_write(s_bio,sbuf,j);
+				if (i < 0)
+					{
+					s_r=0;
+					s_w=0;
+					if (BIO_should_retry(s_bio))
+						{
+						if (BIO_should_read(s_bio))
+							s_r=1;
+						if (BIO_should_write(s_bio))
+							s_w=1;
+						}
+					else
+						{
+						fprintf(stderr,"ERROR in SERVER\n");
+						ERR_print_errors(bio_err);
+						goto err;
+						}
+					}
+				else if (i == 0)
+					{
+					ERR_print_errors(bio_err);
+					fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
+					goto err;
+					}
+				else
+					{
+					if (debug)
+						printf("server wrote %d\n",i);
+					sw_num-=i;
+					s_write=0;
+					c_r=1;
+					if (sw_num <= 0)
+						done|=S_DONE;
+					}
+				}
+			}
+
+		if ((done & S_DONE) && (done & C_DONE)) break;
+		}
+
+	if (verbose)
+		print_details(c_ssl, "DONE: ");
+	ret=0;
+err:
+	/* We have to set the BIO's to NULL otherwise they will be
+	 * Free()ed twice.  Once when th s_ssl is SSL_free()ed and
+	 * again when c_ssl is SSL_free()ed.
+	 * This is a hack required because s_ssl and c_ssl are sharing the same
+	 * BIO structure and SSL_set_bio() and SSL_free() automatically
+	 * BIO_free non NULL entries.
+	 * You should not normally do this or be required to do this */
+	if (s_ssl != NULL)
+		{
+		s_ssl->rbio=NULL;
+		s_ssl->wbio=NULL;
+		}
+	if (c_ssl != NULL)
+		{
+		c_ssl->rbio=NULL;
+		c_ssl->wbio=NULL;
+		}
+
+	if (c_to_s != NULL) BIO_free(c_to_s);
+	if (s_to_c != NULL) BIO_free(s_to_c);
+	if (c_bio != NULL) BIO_free_all(c_bio);
+	if (s_bio != NULL) BIO_free_all(s_bio);
+	return(ret);
+	}
+
+static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+	{
+	char *s,buf[256];
+
+	s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,256);
+	if (s != NULL)
+		{
+		if (ok)
+			fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+		else
+			fprintf(stderr,"depth=%d error=%d %s\n",
+				ctx->error_depth,ctx->error,buf);
+		}
+
+	if (ok == 0)
+		{
+		switch (ctx->error)
+			{
+		case X509_V_ERR_CERT_NOT_YET_VALID:
+		case X509_V_ERR_CERT_HAS_EXPIRED:
+		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+			ok=1;
+			}
+		}
+
+	return(ok);
+	}
+
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
+	{
+	static RSA *rsa_tmp=NULL;
+
+	if (rsa_tmp == NULL)
+		{
+		BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
+		(void)BIO_flush(bio_err);
+		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
+		BIO_printf(bio_err,"\n");
+		(void)BIO_flush(bio_err);
+		}
+	return(rsa_tmp);
+	}
+#endif
+
+#ifndef NO_DH
+/* These DH parameters have been generated as follows:
+ *    $ openssl dhparam -C -noout 512
+ *    $ openssl dhparam -C -noout 1024
+ *    $ openssl dhparam -C -noout -dsaparam 1024
+ * (The third function has been renamed to avoid name conflicts.)
+ */
+DH *get_dh512()
+	{
+	static unsigned char dh512_p[]={
+		0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
+		0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
+		0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
+		0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
+		0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
+		0x02,0xC5,0xAE,0x23,
+		};
+	static unsigned char dh512_g[]={
+		0x02,
+		};
+	DH *dh;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}
+
+DH *get_dh1024()
+	{
+	static unsigned char dh1024_p[]={
+		0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
+		0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
+		0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
+		0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
+		0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
+		0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
+		0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
+		0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
+		0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
+		0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
+		0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
+		};
+	static unsigned char dh1024_g[]={
+		0x02,
+		};
+	DH *dh;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}
+
+DH *get_dh1024dsa()
+	{
+	static unsigned char dh1024_p[]={
+		0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
+		0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
+		0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
+		0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
+		0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
+		0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
+		0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
+		0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
+		0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
+		0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
+		0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
+		};
+	static unsigned char dh1024_g[]={
+		0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
+		0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
+		0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
+		0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
+		0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
+		0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
+		0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
+		0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
+		0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
+		0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
+		0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
+		};
+	DH *dh;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	dh->length = 160;
+	return(dh);
+	}
+#endif
diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c
new file mode 100644
index 0000000..9745630
--- /dev/null
+++ b/crypto/openssl/ssl/t1_clnt.c
@@ -0,0 +1,90 @@
+/* ssl/t1_clnt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *tls1_get_client_method(int ver);
+static SSL_METHOD *tls1_get_client_method(int ver)
+	{
+	if (ver == TLS1_VERSION)
+		return(TLSv1_client_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *TLSv1_client_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD TLSv1_client_data;
+
+	if (init)
+		{
+		memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
+			sizeof(SSL_METHOD));
+		TLSv1_client_data.ssl_connect=ssl3_connect;
+		TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+		init=0;
+		}
+	return(&TLSv1_client_data);
+	}
+
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
new file mode 100644
index 0000000..279e45d
--- /dev/null
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -0,0 +1,633 @@
+/* ssl/t1_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/comp.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include "ssl_locl.h"
+
+static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+			int sec_len, unsigned char *seed, int seed_len,
+			unsigned char *out, int olen)
+	{
+	int chunk,n;
+	unsigned int j;
+	HMAC_CTX ctx;
+	HMAC_CTX ctx_tmp;
+	unsigned char A1[HMAC_MAX_MD_CBLOCK];
+	unsigned int A1_len;
+	
+	chunk=EVP_MD_size(md);
+
+	HMAC_Init(&ctx,sec,sec_len,md);
+	HMAC_Update(&ctx,seed,seed_len);
+	HMAC_Final(&ctx,A1,&A1_len);
+
+	n=0;
+	for (;;)
+		{
+		HMAC_Init(&ctx,NULL,0,NULL); /* re-init */
+		HMAC_Update(&ctx,A1,A1_len);
+		memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */
+		HMAC_Update(&ctx,seed,seed_len);
+
+		if (olen > chunk)
+			{
+			HMAC_Final(&ctx,out,&j);
+			out+=j;
+			olen-=j;
+			HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
+			}
+		else	/* last one */
+			{
+			HMAC_Final(&ctx,A1,&A1_len);
+			memcpy(out,A1,olen);
+			break;
+			}
+		}
+	HMAC_cleanup(&ctx);
+	HMAC_cleanup(&ctx_tmp);
+	memset(A1,0,sizeof(A1));
+	}
+
+static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
+		     unsigned char *label, int label_len,
+		     const unsigned char *sec, int slen, unsigned char *out1,
+		     unsigned char *out2, int olen)
+	{
+	int len,i;
+	const unsigned char *S1,*S2;
+
+	len=slen/2;
+	S1=sec;
+	S2= &(sec[len]);
+	len+=(slen&1); /* add for odd, make longer */
+
+	
+	tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
+	tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
+
+	for (i=0; i<olen; i++)
+		out1[i]^=out2[i];
+	}
+
+static void tls1_generate_key_block(SSL *s, unsigned char *km,
+	     unsigned char *tmp, int num)
+	{
+	unsigned char *p;
+	unsigned char buf[SSL3_RANDOM_SIZE*2+
+		TLS_MD_MAX_CONST_SIZE];
+	p=buf;
+
+	memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
+		TLS_MD_KEY_EXPANSION_CONST_SIZE);
+	p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
+	memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
+	p+=SSL3_RANDOM_SIZE;
+	memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
+	p+=SSL3_RANDOM_SIZE;
+
+	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
+		 s->session->master_key,s->session->master_key_length,
+		 km,tmp,num);
+	}
+
+int tls1_change_cipher_state(SSL *s, int which)
+	{
+	static const unsigned char empty[]="";
+	unsigned char *p,*key_block,*mac_secret;
+	unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
+		SSL3_RANDOM_SIZE*2];
+	unsigned char tmp1[EVP_MAX_KEY_LENGTH];
+	unsigned char tmp2[EVP_MAX_KEY_LENGTH];
+	unsigned char iv1[EVP_MAX_IV_LENGTH*2];
+	unsigned char iv2[EVP_MAX_IV_LENGTH*2];
+	unsigned char *ms,*key,*iv,*er1,*er2;
+	int client_write;
+	EVP_CIPHER_CTX *dd;
+	const EVP_CIPHER *c;
+	const SSL_COMP *comp;
+	const EVP_MD *m;
+	int _exp,n,i,j,k,exp_label_len,cl;
+
+	_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+	c=s->s3->tmp.new_sym_enc;
+	m=s->s3->tmp.new_hash;
+	comp=s->s3->tmp.new_compression;
+	key_block=s->s3->tmp.key_block;
+
+	if (which & SSL3_CC_READ)
+		{
+		if ((s->enc_read_ctx == NULL) &&
+			((s->enc_read_ctx=(EVP_CIPHER_CTX *)
+			Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+			goto err;
+		dd= s->enc_read_ctx;
+		s->read_hash=m;
+		if (s->expand != NULL)
+			{
+			COMP_CTX_free(s->expand);
+			s->expand=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->expand=COMP_CTX_new(comp->method);
+			if (s->expand == NULL)
+				{
+				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			if (s->s3->rrec.comp == NULL)
+				s->s3->rrec.comp=(unsigned char *)
+					Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+			if (s->s3->rrec.comp == NULL)
+				goto err;
+			}
+		memset(&(s->s3->read_sequence[0]),0,8);
+		mac_secret= &(s->s3->read_mac_secret[0]);
+		}
+	else
+		{
+		if ((s->enc_write_ctx == NULL) &&
+			((s->enc_write_ctx=(EVP_CIPHER_CTX *)
+			Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+			goto err;
+		dd= s->enc_write_ctx;
+		s->write_hash=m;
+		if (s->compress != NULL)
+			{
+			COMP_CTX_free(s->compress);
+			s->compress=NULL;
+			}
+		if (comp != NULL)
+			{
+			s->compress=COMP_CTX_new(comp->method);
+			if (s->compress == NULL)
+				{
+				SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+				goto err2;
+				}
+			}
+		memset(&(s->s3->write_sequence[0]),0,8);
+		mac_secret= &(s->s3->write_mac_secret[0]);
+		}
+
+	EVP_CIPHER_CTX_init(dd);
+
+	p=s->s3->tmp.key_block;
+	i=EVP_MD_size(m);
+	cl=EVP_CIPHER_key_length(c);
+	j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+		  cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
+	k=EVP_CIPHER_iv_length(c);
+	er1= &(s->s3->client_random[0]);
+	er2= &(s->s3->server_random[0]);
+	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
+		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
+		{
+		ms=  &(p[ 0]); n=i+i;
+		key= &(p[ n]); n+=j+j;
+		iv=  &(p[ n]); n+=k+k;
+		exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
+		exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
+		client_write=1;
+		}
+	else
+		{
+		n=i;
+		ms=  &(p[ n]); n+=i+j;
+		key= &(p[ n]); n+=j+k;
+		iv=  &(p[ n]); n+=k;
+		exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
+		exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
+		client_write=0;
+		}
+
+	if (n > s->s3->tmp.key_block_length)
+		{
+		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
+		goto err2;
+		}
+
+	memcpy(mac_secret,ms,i);
+#ifdef TLS_DEBUG
+printf("which = %04X\nmac key=",which);
+{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
+#endif
+	if (_exp)
+		{
+		/* In here I set both the read and write key/iv to the
+		 * same value since only the correct one will be used :-).
+		 */
+		p=buf;
+		memcpy(p,exp_label,exp_label_len);
+		p+=exp_label_len;
+		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+		tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
+			 tmp1,tmp2,EVP_CIPHER_key_length(c));
+		key=tmp1;
+
+		if (k > 0)
+			{
+			p=buf;
+			memcpy(p,TLS_MD_IV_BLOCK_CONST,
+				TLS_MD_IV_BLOCK_CONST_SIZE);
+			p+=TLS_MD_IV_BLOCK_CONST_SIZE;
+			memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
+			p+=SSL3_RANDOM_SIZE;
+			memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
+			p+=SSL3_RANDOM_SIZE;
+			tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
+				 iv1,iv2,k*2);
+			if (client_write)
+				iv=iv1;
+			else
+				iv= &(iv1[k]);
+			}
+		}
+
+	s->session->key_arg_length=0;
+
+	EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
+#ifdef TLS_DEBUG
+printf("which = %04X\nkey=",which);
+{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
+printf("\niv=");
+{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
+printf("\n");
+#endif
+
+	memset(tmp1,0,sizeof(tmp1));
+	memset(tmp2,0,sizeof(tmp1));
+	memset(iv1,0,sizeof(iv1));
+	memset(iv2,0,sizeof(iv2));
+	return(1);
+err:
+	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
+err2:
+	return(0);
+	}
+
+int tls1_setup_key_block(SSL *s)
+	{
+	unsigned char *p1,*p2;
+	const EVP_CIPHER *c;
+	const EVP_MD *hash;
+	int num;
+	SSL_COMP *comp;
+
+	if (s->s3->tmp.key_block_length != 0)
+		return(1);
+
+	if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
+		{
+		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+		return(0);
+		}
+
+	s->s3->tmp.new_sym_enc=c;
+	s->s3->tmp.new_hash=hash;
+
+	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
+	num*=2;
+
+	ssl3_cleanup_key_block(s);
+
+	if ((p1=(unsigned char *)Malloc(num)) == NULL)
+		goto err;
+	if ((p2=(unsigned char *)Malloc(num)) == NULL)
+		goto err;
+
+	s->s3->tmp.key_block_length=num;
+	s->s3->tmp.key_block=p1;
+
+
+#ifdef TLS_DEBUG
+printf("client random\n");
+{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
+printf("server random\n");
+{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
+printf("pre-master\n");
+{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
+#endif
+	tls1_generate_key_block(s,p1,p2,num);
+	memset(p2,0,num);
+	Free(p2);
+#ifdef TLS_DEBUG
+printf("\nkey block\n");
+{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
+#endif
+
+	return(1);
+err:
+	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
+	return(0);
+	}
+
+int tls1_enc(SSL *s, int send)
+	{
+	SSL3_RECORD *rec;
+	EVP_CIPHER_CTX *ds;
+	unsigned long l;
+	int bs,i,ii,j,k,n=0;
+	const EVP_CIPHER *enc;
+
+	if (send)
+		{
+		if (s->write_hash != NULL)
+			n=EVP_MD_size(s->write_hash);
+		ds=s->enc_write_ctx;
+		rec= &(s->s3->wrec);
+		if (s->enc_write_ctx == NULL)
+			enc=NULL;
+		else
+			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
+		}
+	else
+		{
+		if (s->read_hash != NULL)
+			n=EVP_MD_size(s->read_hash);
+		ds=s->enc_read_ctx;
+		rec= &(s->s3->rrec);
+		if (s->enc_read_ctx == NULL)
+			enc=NULL;
+		else
+			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
+		}
+
+	if ((s->session == NULL) || (ds == NULL) ||
+		(enc == NULL))
+		{
+		memcpy(rec->data,rec->input,rec->length);
+		rec->input=rec->data;
+		}
+	else
+		{
+		l=rec->length;
+		bs=EVP_CIPHER_block_size(ds->cipher);
+
+		if ((bs != 1) && send)
+			{
+			i=bs-((int)l%bs);
+
+			/* Add weird padding of upto 256 bytes */
+
+			/* we need to add 'i' padding bytes of value j */
+			j=i-1;
+			if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
+				{
+				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
+					j++;
+				}
+			for (k=(int)l; k<(int)(l+i); k++)
+				rec->input[k]=j;
+			l+=i;
+			rec->length+=i;
+			}
+
+		EVP_Cipher(ds,rec->data,rec->input,l);
+
+		if ((bs != 1) && !send)
+			{
+			ii=i=rec->data[l-1];
+			i++;
+			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
+				{
+				/* First packet is even in size, so check */
+				if ((memcmp(s->s3->read_sequence,
+					"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
+					s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
+				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
+					i--;
+				}
+			if (i > (int)rec->length)
+				{
+				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
+				return(0);
+				}
+			for (j=(int)(l-i); j<(int)l; j++)
+				{
+				if (rec->data[j] != ii)
+					{
+					SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED);
+					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
+					return(0);
+					}
+				}
+			rec->length-=i;
+			}
+		}
+	return(1);
+	}
+
+int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
+	{
+	unsigned int ret;
+	EVP_MD_CTX ctx;
+
+	EVP_MD_CTX_copy(&ctx,in_ctx);
+	EVP_DigestFinal(&ctx,out,&ret);
+	return((int)ret);
+	}
+
+int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
+	     const char *str, int slen, unsigned char *out)
+	{
+	unsigned int i;
+	EVP_MD_CTX ctx;
+	unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	unsigned char *q,buf2[12];
+
+	q=buf;
+	memcpy(q,str,slen);
+	q+=slen;
+
+	EVP_MD_CTX_copy(&ctx,in1_ctx);
+	EVP_DigestFinal(&ctx,q,&i);
+	q+=i;
+	EVP_MD_CTX_copy(&ctx,in2_ctx);
+	EVP_DigestFinal(&ctx,q,&i);
+	q+=i;
+
+	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
+		s->session->master_key,s->session->master_key_length,
+		out,buf2,12);
+	memset(&ctx,0,sizeof(EVP_MD_CTX));
+
+	return((int)12);
+	}
+
+int tls1_mac(SSL *ssl, unsigned char *md, int send)
+	{
+	SSL3_RECORD *rec;
+	unsigned char *mac_sec,*seq;
+	const EVP_MD *hash;
+	unsigned int md_size;
+	int i;
+	HMAC_CTX hmac;
+	unsigned char buf[5]; 
+
+	if (send)
+		{
+		rec= &(ssl->s3->wrec);
+		mac_sec= &(ssl->s3->write_mac_secret[0]);
+		seq= &(ssl->s3->write_sequence[0]);
+		hash=ssl->write_hash;
+		}
+	else
+		{
+		rec= &(ssl->s3->rrec);
+		mac_sec= &(ssl->s3->read_mac_secret[0]);
+		seq= &(ssl->s3->read_sequence[0]);
+		hash=ssl->read_hash;
+		}
+
+	md_size=EVP_MD_size(hash);
+
+	buf[0]=rec->type;
+	buf[1]=TLS1_VERSION_MAJOR;
+	buf[2]=TLS1_VERSION_MINOR;
+	buf[3]=rec->length>>8;
+	buf[4]=rec->length&0xff;
+
+	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
+	HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash);
+	HMAC_Update(&hmac,seq,8);
+	HMAC_Update(&hmac,buf,5);
+	HMAC_Update(&hmac,rec->input,rec->length);
+	HMAC_Final(&hmac,md,&md_size);
+
+#ifdef TLS_DEBUG
+printf("sec=");
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
+printf("seq=");
+{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
+printf("buf=");
+{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
+printf("rec=");
+{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+#endif
+
+	for (i=7; i>=0; i--)
+		if (++seq[i]) break; 
+
+#ifdef TLS_DEBUG
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
+#endif
+	return(md_size);
+	}
+
+int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
+	     int len)
+	{
+	unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
+	unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
+
+	/* Setup the stuff to munge */
+	memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
+		TLS_MD_MASTER_SECRET_CONST_SIZE);
+	memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
+		s->s3->client_random,SSL3_RANDOM_SIZE);
+	memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
+		s->s3->server_random,SSL3_RANDOM_SIZE);
+	tls1_PRF(s->ctx->md5,s->ctx->sha1,
+		buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
+		s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
+	return(SSL3_MASTER_SECRET_SIZE);
+	}
+
+int tls1_alert_code(int code)
+	{
+	switch (code)
+		{
+	case SSL_AD_CLOSE_NOTIFY:	return(SSL3_AD_CLOSE_NOTIFY);
+	case SSL_AD_UNEXPECTED_MESSAGE:	return(SSL3_AD_UNEXPECTED_MESSAGE);
+	case SSL_AD_BAD_RECORD_MAC:	return(SSL3_AD_BAD_RECORD_MAC);
+	case SSL_AD_DECRYPTION_FAILED:	return(TLS1_AD_DECRYPTION_FAILED);
+	case SSL_AD_RECORD_OVERFLOW:	return(TLS1_AD_RECORD_OVERFLOW);
+	case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
+	case SSL_AD_HANDSHAKE_FAILURE:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_NO_CERTIFICATE:	return(-1);
+	case SSL_AD_BAD_CERTIFICATE:	return(SSL3_AD_BAD_CERTIFICATE);
+	case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
+	case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
+	case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
+	case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
+	case SSL_AD_ILLEGAL_PARAMETER:	return(SSL3_AD_ILLEGAL_PARAMETER);
+	case SSL_AD_UNKNOWN_CA:		return(TLS1_AD_UNKNOWN_CA);
+	case SSL_AD_ACCESS_DENIED:	return(TLS1_AD_ACCESS_DENIED);
+	case SSL_AD_DECODE_ERROR:	return(TLS1_AD_DECODE_ERROR);
+	case SSL_AD_DECRYPT_ERROR:	return(TLS1_AD_DECRYPT_ERROR);
+	case SSL_AD_EXPORT_RESTRICTION:	return(TLS1_AD_EXPORT_RESTRICTION);
+	case SSL_AD_PROTOCOL_VERSION:	return(TLS1_AD_PROTOCOL_VERSION);
+	case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
+	case SSL_AD_INTERNAL_ERROR:	return(TLS1_AD_INTERNAL_ERROR);
+	case SSL_AD_USER_CANCELLED:	return(TLS1_AD_USER_CANCELLED);
+	case SSL_AD_NO_RENEGOTIATION:	return(TLS1_AD_NO_RENEGOTIATION);
+	default:			return(-1);
+		}
+	}
+
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
new file mode 100644
index 0000000..ca6c03d
--- /dev/null
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -0,0 +1,149 @@
+/* ssl/t1_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
+
+static long tls1_default_timeout(void);
+
+static SSL3_ENC_METHOD TLSv1_enc_data={
+	tls1_enc,
+	tls1_mac,
+	tls1_setup_key_block,
+	tls1_generate_master_secret,
+	tls1_change_cipher_state,
+	tls1_final_finish_mac,
+	TLS1_FINISH_MAC_LENGTH,
+	tls1_cert_verify_mac,
+	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+	tls1_alert_code,
+	};
+
+static SSL_METHOD TLSv1_data= {
+	TLS1_VERSION,
+	tls1_new,
+	tls1_clear,
+	tls1_free,
+	ssl_undefined_function,
+	ssl_undefined_function,
+	ssl3_read,
+	ssl3_peek,
+	ssl3_write,
+	ssl3_shutdown,
+	ssl3_renegotiate,
+	ssl3_renegotiate_check,
+	ssl3_ctrl,
+	ssl3_ctx_ctrl,
+	ssl3_get_cipher_by_char,
+	ssl3_put_cipher_by_char,
+	ssl3_pending,
+	ssl3_num_ciphers,
+	ssl3_get_cipher,
+	ssl_bad_method,
+	tls1_default_timeout,
+	&TLSv1_enc_data,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
+	};
+
+static long tls1_default_timeout(void)
+	{
+	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
+	 * is way too long for http, the cache would over fill */
+	return(60*60*2);
+	}
+
+SSL_METHOD *tlsv1_base_method(void)
+	{
+	return(&TLSv1_data);
+	}
+
+int tls1_new(SSL *s)
+	{
+	if (!ssl3_new(s)) return(0);
+	s->method->ssl_clear(s);
+	return(1);
+	}
+
+void tls1_free(SSL *s)
+	{
+	ssl3_free(s);
+	}
+
+void tls1_clear(SSL *s)
+	{
+	ssl3_clear(s);
+	s->version=TLS1_VERSION;
+	}
+
+#if 0
+long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
+	{
+	return(0);
+	}
+
+long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)())
+	{
+	return(0);
+	}
+#endif
diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c
new file mode 100644
index 0000000..9bb36a7
--- /dev/null
+++ b/crypto/openssl/ssl/t1_meth.c
@@ -0,0 +1,88 @@
+/* ssl/t1_meth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *tls1_get_method(int ver);
+static SSL_METHOD *tls1_get_method(int ver)
+	{
+	if (ver == TLS1_VERSION)
+		return(TLSv1_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *TLSv1_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD TLSv1_data;
+
+	if (init)
+		{
+		memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
+			sizeof(SSL_METHOD));
+		TLSv1_data.ssl_connect=ssl3_connect;
+		TLSv1_data.ssl_accept=ssl3_accept;
+		TLSv1_data.get_ssl_method=tls1_get_method;
+		init=0;
+		}
+	return(&TLSv1_data);
+	}
+
diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c
new file mode 100644
index 0000000..996b7ca
--- /dev/null
+++ b/crypto/openssl/ssl/t1_srvr.c
@@ -0,0 +1,91 @@
+/* ssl/t1_srvr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *tls1_get_server_method(int ver);
+static SSL_METHOD *tls1_get_server_method(int ver)
+	{
+	if (ver == TLS1_VERSION)
+		return(TLSv1_server_method());
+	else
+		return(NULL);
+	}
+
+SSL_METHOD *TLSv1_server_method(void)
+	{
+	static int init=1;
+	static SSL_METHOD TLSv1_server_data;
+
+	if (init)
+		{
+		memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
+			sizeof(SSL_METHOD));
+		TLSv1_server_data.ssl_accept=ssl3_accept;
+		TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+		init=0;
+		}
+	return(&TLSv1_server_data);
+	}
+
diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h
new file mode 100644
index 0000000..6e2b06d
--- /dev/null
+++ b/crypto/openssl/ssl/tls1.h
@@ -0,0 +1,153 @@
+/* ssl/tls1.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_TLS1_H 
+#define HEADER_TLS1_H 
+
+#include <openssl/buffer.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1
+
+#define TLS1_VERSION			0x0301
+#define TLS1_VERSION_MAJOR		0x03
+#define TLS1_VERSION_MINOR		0x01
+
+#define TLS1_AD_DECRYPTION_FAILED	21
+#define TLS1_AD_RECORD_OVERFLOW		22
+#define TLS1_AD_UNKNOWN_CA		48	/* fatal */
+#define TLS1_AD_ACCESS_DENIED		49	/* fatal */
+#define TLS1_AD_DECODE_ERROR		50	/* fatal */
+#define TLS1_AD_DECRYPT_ERROR		51
+#define TLS1_AD_EXPORT_RESTRICTION	60	/* fatal */
+#define TLS1_AD_PROTOCOL_VERSION	70	/* fatal */
+#define TLS1_AD_INSUFFICIENT_SECURITY	71	/* fatal */
+#define TLS1_AD_INTERNAL_ERROR		80	/* fatal */
+#define TLS1_AD_USER_CANCELLED		90
+#define TLS1_AD_NO_RENEGOTIATION	100
+
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5		0x03000060
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5	0x03000061
+#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA		0x03000062
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA	0x03000063
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA		0x03000064
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA	0x03000065
+#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA		0x03000066
+
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5		"EXP1024-RC4-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5	"EXP1024-RC2-CBC-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA	"EXP1024-DES-CBC-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA	"EXP1024-DHE-DSS-DES-CBC-SHA"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA		"EXP1024-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA	"EXP1024-DHE-DSS-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA		"DHE-DSS-RC4-SHA"
+
+
+#define TLS_CT_RSA_SIGN			1
+#define TLS_CT_DSS_SIGN			2
+#define TLS_CT_RSA_FIXED_DH		3
+#define TLS_CT_DSS_FIXED_DH		4
+#define TLS_CT_NUMBER			4
+
+#define TLS1_FINISH_MAC_LENGTH		12
+
+#define TLS_MD_MAX_CONST_SIZE			20
+#define TLS_MD_CLIENT_FINISH_CONST		"client finished"
+#define TLS_MD_CLIENT_FINISH_CONST_SIZE		15
+#define TLS_MD_SERVER_FINISH_CONST		"server finished"
+#define TLS_MD_SERVER_FINISH_CONST_SIZE		15
+#define TLS_MD_SERVER_WRITE_KEY_CONST		"server write key"
+#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE	16
+#define TLS_MD_KEY_EXPANSION_CONST		"key expansion"
+#define TLS_MD_KEY_EXPANSION_CONST_SIZE		13
+#define TLS_MD_CLIENT_WRITE_KEY_CONST		"client write key"
+#define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE	16
+#define TLS_MD_SERVER_WRITE_KEY_CONST		"server write key"
+#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE	16
+#define TLS_MD_IV_BLOCK_CONST			"IV block"
+#define TLS_MD_IV_BLOCK_CONST_SIZE		8
+#define TLS_MD_MASTER_SECRET_CONST		"master secret"
+#define TLS_MD_MASTER_SECRET_CONST_SIZE		13
+
+#ifdef CHARSET_EBCDIC
+#undef TLS_MD_CLIENT_FINISH_CONST
+#define TLS_MD_CLIENT_FINISH_CONST    "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*client finished*/
+#undef TLS_MD_SERVER_FINISH_CONST
+#define TLS_MD_SERVER_FINISH_CONST    "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*server finished*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
+#undef TLS_MD_KEY_EXPANSION_CONST
+#define TLS_MD_KEY_EXPANSION_CONST    "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e"  /*key expansion*/
+#undef TLS_MD_CLIENT_WRITE_KEY_CONST
+#define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*client write key*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
+#undef TLS_MD_IV_BLOCK_CONST
+#define TLS_MD_IV_BLOCK_CONST         "\x49\x56\x20\x62\x6c\x6f\x63\x6b"  /*IV block*/
+#undef TLS_MD_MASTER_SECRET_CONST
+#define TLS_MD_MASTER_SECRET_CONST    "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"  /*master secret*/
+#endif
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/test/CAss.cnf b/crypto/openssl/test/CAss.cnf
new file mode 100644
index 0000000..b941b7a
--- /dev/null
+++ b/crypto/openssl/test/CAss.cnf
@@ -0,0 +1,25 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= sha1
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName		= Organization Name (eg, company)
+organizationName_value		= Dodgy Brothers
+
+commonName			= Common Name (eg, YOUR name)
+commonName_value		= Dodgy CA
diff --git a/crypto/openssl/test/CAssdh.cnf b/crypto/openssl/test/CAssdh.cnf
new file mode 100644
index 0000000..4e0a908
--- /dev/null
+++ b/crypto/openssl/test/CAssdh.cnf
@@ -0,0 +1,24 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# hacked by iang to do DH certs - CA
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_rsa_key               = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = CU
+countryName_value             = CU
+
+organizationName              = Organization Name (eg, company)
+organizationName_value                = La Junta de la Revolucion
+
+commonName                    = Common Name (eg, YOUR name)
+commonName_value              = Junta
+
diff --git a/crypto/openssl/test/CAssdsa.cnf b/crypto/openssl/test/CAssdsa.cnf
new file mode 100644
index 0000000..a6b4d18
--- /dev/null
+++ b/crypto/openssl/test/CAssdsa.cnf
@@ -0,0 +1,23 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# hacked by iang to do DSA certs - CA
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_rsa_key               = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = ES
+countryName_value             = ES
+
+organizationName              = Organization Name (eg, company)
+organizationName_value                = Hermanos Locos
+
+commonName                    = Common Name (eg, YOUR name)
+commonName_value              = Hermanos Locos CA
diff --git a/crypto/openssl/test/CAssrsa.cnf b/crypto/openssl/test/CAssrsa.cnf
new file mode 100644
index 0000000..eb24a6d
--- /dev/null
+++ b/crypto/openssl/test/CAssrsa.cnf
@@ -0,0 +1,24 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# create RSA certs - CA
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_key           = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = ES
+countryName_value             = ES
+
+organizationName              = Organization Name (eg, company)
+organizationName_value                = Hermanos Locos
+
+commonName                    = Common Name (eg, YOUR name)
+commonName_value              = Hermanos Locos CA
+
diff --git a/crypto/openssl/test/Makefile.save b/crypto/openssl/test/Makefile.save
new file mode 100644
index 0000000..a2db754
--- /dev/null
+++ b/crypto/openssl/test/Makefile.save
@@ -0,0 +1,400 @@
+#
+# test/Makefile.ssl
+#
+
+DIR=		test
+TOP=		..
+CC=		cc
+INCLUDES=	-I../include
+CFLAG=		-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=	/usr/local/ssl
+MAKEFILE=	Makefile.ssl
+MAKE=		make -f $(MAKEFILE)
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+PERL=		perl
+
+PEX_LIBS=
+EX_LIBS= #-lnsl -lsocket
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile.ssl maketests.com \
+	tests.com testenc.com tx509.com trsa.com tcrl.com tsid.com treq.com \
+	tpkcs7.com tpkcs7d.com tverify.com testgen.com testss.com testssl.com \
+	testca.com VMSca-response.1 VMSca-response.2
+
+DLIBCRYPTO= ../libcrypto.a
+DLIBSSL= ../libssl.a
+LIBCRYPTO= -L.. -lcrypto
+LIBSSL= -L.. -lssl
+
+BNTEST=		bntest
+EXPTEST=	exptest
+IDEATEST=	ideatest
+SHATEST=	shatest
+SHA1TEST=	sha1test
+MDC2TEST=	mdc2test
+RMDTEST=	rmdtest
+MD2TEST=	md2test
+MD5TEST=	md5test
+HMACTEST=	hmactest
+RC2TEST=	rc2test
+RC4TEST=	rc4test
+RC5TEST=	rc5test
+BFTEST=		bftest
+CASTTEST=	casttest
+DESTEST=	destest
+RANDTEST=	randtest
+DHTEST=		dhtest
+DSATEST=	dsatest
+METHTEST=	methtest
+SSLTEST=	ssltest
+RSATEST=	rsa_test
+
+EXE=	$(BNTEST) $(IDEATEST) $(MD2TEST)  $(MD5TEST) $(HMACTEST) \
+	$(RC2TEST) $(RC4TEST) $(RC5TEST) \
+	$(DESTEST) $(SHATEST) $(SHA1TEST) $(MDC2TEST) $(RMDTEST) \
+	$(RANDTEST) $(DHTEST) \
+	$(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST)
+
+# $(METHTEST)
+
+OBJ=	$(BNTEST).o $(IDEATEST).o $(MD2TEST).o  $(MD5TEST).o $(HMACTEST).o \
+	$(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \
+	$(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \
+	$(RANDTEST).o $(DHTEST).o $(CASTTEST).o \
+	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o
+SRC=	$(BNTEST).c $(IDEATEST).c $(MD2TEST).c  $(MD5TEST).c  $(HMACTEST).c \
+	$(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \
+	$(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \
+	$(RANDTEST).c $(DHTEST).c $(CASTTEST).c \
+	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c
+
+EXHEADER= 
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@@$(TOP)/util/point.sh Makefile.ssl Makefile
+
+errors:
+
+install:
+
+tags:
+	ctags $(SRC)
+
+tests:	exe apps \
+	test_des test_idea test_sha test_md5 test_hmac test_md2 test_mdc2 \
+	test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \
+	test_rand test_bn test_enc test_x509 test_rsa test_crl test_sid \
+	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
+	test_ss test_ca test_ssl
+
+apps:
+	@(cd ../apps; $(MAKE)  CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' all)
+
+test_des:
+	./$(DESTEST)
+
+test_idea:
+	./$(IDEATEST)
+
+test_sha:
+	./$(SHATEST)
+	./$(SHA1TEST)
+
+test_mdc2:
+	./$(MDC2TEST)
+
+test_md5:
+	./$(MD5TEST)
+
+test_hmac:
+	./$(HMACTEST)
+
+test_md2:
+	./$(MD2TEST)
+
+test_rmd:
+	./$(RMDTEST)
+
+test_bf:
+	./$(BFTEST)
+
+test_cast:
+	./$(CASTTEST)
+
+test_rc2:
+	./$(RC2TEST)
+
+test_rc4:
+	./$(RC4TEST)
+
+test_rc5:
+	./$(RC5TEST)
+
+test_rand:
+	./$(RANDTEST)
+
+test_enc:
+	@sh ./testenc
+
+test_x509:
+	echo test normal x509v1 certificate
+	sh ./tx509 2>/dev/null
+	echo test first x509v3 certificate
+	sh ./tx509 v3-cert1.pem 2>/dev/null
+	echo test second x509v3 certificate
+	sh ./tx509 v3-cert2.pem 2>/dev/null
+
+test_rsa:
+	@sh ./trsa 2>/dev/null
+	./$(RSATEST)
+
+test_crl:
+	@sh ./tcrl 2>/dev/null
+
+test_sid:
+	@sh ./tsid 2>/dev/null
+
+test_req:
+	@sh ./treq 2>/dev/null
+	@sh ./treq testreq2.pem 2>/dev/null
+
+test_pkcs7:
+	@sh ./tpkcs7 2>/dev/null
+	@sh ./tpkcs7d 2>/dev/null
+
+test_bn:
+	@echo starting big number library test, could take a while...
+	@./$(BNTEST) >tmp.bntest
+	@echo quit >>tmp.bntest
+	@echo "running bc"
+	@bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
+	@echo 'test a^b%c implementations'
+	./$(EXPTEST)
+
+test_verify:
+	@echo "The following command should have some OK's and some failures"
+	@echo "There are definitly a few expired certificates"
+	../apps/openssl verify -CApath ../certs ../certs/*.pem
+
+test_dh:
+	@echo "Generate a set of DH parameters"
+	./$(DHTEST)
+
+test_dsa:
+	@echo "Generate a set of DSA parameters"
+	./$(DSATEST)
+	./$(DSATEST) -app2_1
+
+test_gen:
+	@echo "Generate and verify a certificate request"
+	@sh ./testgen
+
+test_ss keyU.ss certU.ss certCA.ss: testss
+	@echo "Generate and certify a test certificate"
+	@sh ./testss
+
+test_ssl: keyU.ss certU.ss certCA.ss
+	@echo "test SSL protocol"
+	@sh ./testssl keyU.ss certU.ss certCA.ss
+
+test_ca:
+	@if ../apps/openssl no-rsa; then \
+	  echo "skipping CA.sh test -- requires RSA"; \
+	else \
+	  echo "Generate and certify a test certificate via the 'ca' program"; \
+	  sh ./testca; \
+ 	fi
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log
+
+$(DLIBSSL):
+	(cd ../ssl; $(MAKE))
+
+$(DLIBCRYPTO):
+	(cd ../crypto; $(MAKE))
+
+$(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(BNTEST): $(BNTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SHATEST): $(SHATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(BFTEST): $(BFTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DESTEST): $(DESTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DHTEST): $(DHTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DSATEST): $(DSATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+	$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bftest.o: ../include/openssl/blowfish.h
+bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bntest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bntest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
+bntest.o: ../include/openssl/des.h ../include/openssl/dh.h
+bntest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+bntest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bntest.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bntest.o: ../include/openssl/md2.h ../include/openssl/md5.h
+bntest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+bntest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bntest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+bntest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bntest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
+bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+casttest.o: ../include/openssl/cast.h
+destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h
+destest.o: ../include/openssl/opensslconf.h
+dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dhtest.o: ../include/openssl/stack.h
+dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h
+dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dsatest.o: ../include/openssl/stack.h
+exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h
+exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+exptest.o: ../include/openssl/stack.h
+hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
+hmactest.o: ../include/openssl/des.h ../include/openssl/dh.h
+hmactest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+hmactest.o: ../include/openssl/idea.h ../include/openssl/md2.h
+hmactest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+hmactest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+hmactest.o: ../include/openssl/opensslv.h ../include/openssl/rc2.h
+hmactest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+hmactest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+hmactest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+hmactest.o: ../include/openssl/stack.h
+ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h
+md2test.o: ../include/openssl/md2.h ../include/openssl/opensslconf.h
+md5test.o: ../include/openssl/md5.h
+mdc2test.o: ../include/openssl/des.h ../include/openssl/e_os2.h
+mdc2test.o: ../include/openssl/mdc2.h ../include/openssl/opensslconf.h
+randtest.o: ../include/openssl/rand.h
+rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h
+rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h
+rc5test.o: ../include/openssl/rc5.h
+rmdtest.o: ../include/openssl/ripemd.h
+rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+rsa_test.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsa_test.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsa_test.o: ../include/openssl/stack.h
+sha1test.o: ../include/openssl/sha.h
+shatest.o: ../include/openssl/sha.h
+ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssltest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssltest.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssltest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssltest.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssltest.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssltest.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssltest.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssltest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssltest.o: ../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl
new file mode 100644
index 0000000..a2db754
--- /dev/null
+++ b/crypto/openssl/test/Makefile.ssl
@@ -0,0 +1,400 @@
+#
+# test/Makefile.ssl
+#
+
+DIR=		test
+TOP=		..
+CC=		cc
+INCLUDES=	-I../include
+CFLAG=		-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=	/usr/local/ssl
+MAKEFILE=	Makefile.ssl
+MAKE=		make -f $(MAKEFILE)
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+PERL=		perl
+
+PEX_LIBS=
+EX_LIBS= #-lnsl -lsocket
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile.ssl maketests.com \
+	tests.com testenc.com tx509.com trsa.com tcrl.com tsid.com treq.com \
+	tpkcs7.com tpkcs7d.com tverify.com testgen.com testss.com testssl.com \
+	testca.com VMSca-response.1 VMSca-response.2
+
+DLIBCRYPTO= ../libcrypto.a
+DLIBSSL= ../libssl.a
+LIBCRYPTO= -L.. -lcrypto
+LIBSSL= -L.. -lssl
+
+BNTEST=		bntest
+EXPTEST=	exptest
+IDEATEST=	ideatest
+SHATEST=	shatest
+SHA1TEST=	sha1test
+MDC2TEST=	mdc2test
+RMDTEST=	rmdtest
+MD2TEST=	md2test
+MD5TEST=	md5test
+HMACTEST=	hmactest
+RC2TEST=	rc2test
+RC4TEST=	rc4test
+RC5TEST=	rc5test
+BFTEST=		bftest
+CASTTEST=	casttest
+DESTEST=	destest
+RANDTEST=	randtest
+DHTEST=		dhtest
+DSATEST=	dsatest
+METHTEST=	methtest
+SSLTEST=	ssltest
+RSATEST=	rsa_test
+
+EXE=	$(BNTEST) $(IDEATEST) $(MD2TEST)  $(MD5TEST) $(HMACTEST) \
+	$(RC2TEST) $(RC4TEST) $(RC5TEST) \
+	$(DESTEST) $(SHATEST) $(SHA1TEST) $(MDC2TEST) $(RMDTEST) \
+	$(RANDTEST) $(DHTEST) \
+	$(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST)
+
+# $(METHTEST)
+
+OBJ=	$(BNTEST).o $(IDEATEST).o $(MD2TEST).o  $(MD5TEST).o $(HMACTEST).o \
+	$(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \
+	$(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \
+	$(RANDTEST).o $(DHTEST).o $(CASTTEST).o \
+	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o
+SRC=	$(BNTEST).c $(IDEATEST).c $(MD2TEST).c  $(MD5TEST).c  $(HMACTEST).c \
+	$(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \
+	$(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \
+	$(RANDTEST).c $(DHTEST).c $(CASTTEST).c \
+	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c
+
+EXHEADER= 
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@@$(TOP)/util/point.sh Makefile.ssl Makefile
+
+errors:
+
+install:
+
+tags:
+	ctags $(SRC)
+
+tests:	exe apps \
+	test_des test_idea test_sha test_md5 test_hmac test_md2 test_mdc2 \
+	test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \
+	test_rand test_bn test_enc test_x509 test_rsa test_crl test_sid \
+	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
+	test_ss test_ca test_ssl
+
+apps:
+	@(cd ../apps; $(MAKE)  CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' all)
+
+test_des:
+	./$(DESTEST)
+
+test_idea:
+	./$(IDEATEST)
+
+test_sha:
+	./$(SHATEST)
+	./$(SHA1TEST)
+
+test_mdc2:
+	./$(MDC2TEST)
+
+test_md5:
+	./$(MD5TEST)
+
+test_hmac:
+	./$(HMACTEST)
+
+test_md2:
+	./$(MD2TEST)
+
+test_rmd:
+	./$(RMDTEST)
+
+test_bf:
+	./$(BFTEST)
+
+test_cast:
+	./$(CASTTEST)
+
+test_rc2:
+	./$(RC2TEST)
+
+test_rc4:
+	./$(RC4TEST)
+
+test_rc5:
+	./$(RC5TEST)
+
+test_rand:
+	./$(RANDTEST)
+
+test_enc:
+	@sh ./testenc
+
+test_x509:
+	echo test normal x509v1 certificate
+	sh ./tx509 2>/dev/null
+	echo test first x509v3 certificate
+	sh ./tx509 v3-cert1.pem 2>/dev/null
+	echo test second x509v3 certificate
+	sh ./tx509 v3-cert2.pem 2>/dev/null
+
+test_rsa:
+	@sh ./trsa 2>/dev/null
+	./$(RSATEST)
+
+test_crl:
+	@sh ./tcrl 2>/dev/null
+
+test_sid:
+	@sh ./tsid 2>/dev/null
+
+test_req:
+	@sh ./treq 2>/dev/null
+	@sh ./treq testreq2.pem 2>/dev/null
+
+test_pkcs7:
+	@sh ./tpkcs7 2>/dev/null
+	@sh ./tpkcs7d 2>/dev/null
+
+test_bn:
+	@echo starting big number library test, could take a while...
+	@./$(BNTEST) >tmp.bntest
+	@echo quit >>tmp.bntest
+	@echo "running bc"
+	@bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
+	@echo 'test a^b%c implementations'
+	./$(EXPTEST)
+
+test_verify:
+	@echo "The following command should have some OK's and some failures"
+	@echo "There are definitly a few expired certificates"
+	../apps/openssl verify -CApath ../certs ../certs/*.pem
+
+test_dh:
+	@echo "Generate a set of DH parameters"
+	./$(DHTEST)
+
+test_dsa:
+	@echo "Generate a set of DSA parameters"
+	./$(DSATEST)
+	./$(DSATEST) -app2_1
+
+test_gen:
+	@echo "Generate and verify a certificate request"
+	@sh ./testgen
+
+test_ss keyU.ss certU.ss certCA.ss: testss
+	@echo "Generate and certify a test certificate"
+	@sh ./testss
+
+test_ssl: keyU.ss certU.ss certCA.ss
+	@echo "test SSL protocol"
+	@sh ./testssl keyU.ss certU.ss certCA.ss
+
+test_ca:
+	@if ../apps/openssl no-rsa; then \
+	  echo "skipping CA.sh test -- requires RSA"; \
+	else \
+	  echo "Generate and certify a test certificate via the 'ca' program"; \
+	  sh ./testca; \
+ 	fi
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log
+
+$(DLIBSSL):
+	(cd ../ssl; $(MAKE))
+
+$(DLIBCRYPTO):
+	(cd ../crypto; $(MAKE))
+
+$(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(BNTEST): $(BNTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SHATEST): $(SHATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(BFTEST): $(BFTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DESTEST): $(DESTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DHTEST): $(DHTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(DSATEST): $(DSATEST).o $(DLIBCRYPTO)
+	$(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
+	$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
+$(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+	$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bftest.o: ../include/openssl/blowfish.h
+bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bntest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bntest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
+bntest.o: ../include/openssl/des.h ../include/openssl/dh.h
+bntest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+bntest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bntest.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bntest.o: ../include/openssl/md2.h ../include/openssl/md5.h
+bntest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+bntest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bntest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+bntest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bntest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
+bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+casttest.o: ../include/openssl/cast.h
+destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h
+destest.o: ../include/openssl/opensslconf.h
+dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dhtest.o: ../include/openssl/stack.h
+dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h
+dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dsatest.o: ../include/openssl/stack.h
+exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h
+exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+exptest.o: ../include/openssl/stack.h
+hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
+hmactest.o: ../include/openssl/des.h ../include/openssl/dh.h
+hmactest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+hmactest.o: ../include/openssl/idea.h ../include/openssl/md2.h
+hmactest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+hmactest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+hmactest.o: ../include/openssl/opensslv.h ../include/openssl/rc2.h
+hmactest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+hmactest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+hmactest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+hmactest.o: ../include/openssl/stack.h
+ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h
+md2test.o: ../include/openssl/md2.h ../include/openssl/opensslconf.h
+md5test.o: ../include/openssl/md5.h
+mdc2test.o: ../include/openssl/des.h ../include/openssl/e_os2.h
+mdc2test.o: ../include/openssl/mdc2.h ../include/openssl/opensslconf.h
+randtest.o: ../include/openssl/rand.h
+rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h
+rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h
+rc5test.o: ../include/openssl/rc5.h
+rmdtest.o: ../include/openssl/ripemd.h
+rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+rsa_test.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsa_test.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsa_test.o: ../include/openssl/stack.h
+sha1test.o: ../include/openssl/sha.h
+shatest.o: ../include/openssl/sha.h
+ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssltest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssltest.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssltest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssltest.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssltest.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssltest.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssltest.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssltest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssltest.o: ../include/openssl/x509_vfy.h
diff --git a/crypto/openssl/test/Sssdsa.cnf b/crypto/openssl/test/Sssdsa.cnf
new file mode 100644
index 0000000..8e170a2
--- /dev/null
+++ b/crypto/openssl/test/Sssdsa.cnf
@@ -0,0 +1,27 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# hacked by iang to do DSA certs - Server
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_rsa_key               = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = ES
+countryName_value             = ES
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Tortilleras S.A.
+
+0.commonName                  = Common Name (eg, YOUR name)
+0.commonName_value            = Torti
+
+1.commonName                  = Common Name (eg, YOUR name)
+1.commonName_value            = Gordita
+
diff --git a/crypto/openssl/test/Sssrsa.cnf b/crypto/openssl/test/Sssrsa.cnf
new file mode 100644
index 0000000..8c79a03
--- /dev/null
+++ b/crypto/openssl/test/Sssrsa.cnf
@@ -0,0 +1,26 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# create RSA certs - Server
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_key           = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = ES
+countryName_value             = ES
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Tortilleras S.A.
+
+0.commonName                  = Common Name (eg, YOUR name)
+0.commonName_value            = Torti
+
+1.commonName                  = Common Name (eg, YOUR name)
+1.commonName_value            = Gordita
diff --git a/crypto/openssl/test/Uss.cnf b/crypto/openssl/test/Uss.cnf
new file mode 100644
index 0000000..c89692d
--- /dev/null
+++ b/crypto/openssl/test/Uss.cnf
@@ -0,0 +1,28 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= md2
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
diff --git a/crypto/openssl/test/VMSca-response.1 b/crypto/openssl/test/VMSca-response.1
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/crypto/openssl/test/VMSca-response.1
@@ -0,0 +1 @@
+
diff --git a/crypto/openssl/test/VMSca-response.2 b/crypto/openssl/test/VMSca-response.2
new file mode 100644
index 0000000..9b48ee4
--- /dev/null
+++ b/crypto/openssl/test/VMSca-response.2
@@ -0,0 +1,2 @@
+y
+y
diff --git a/crypto/openssl/test/dsa-ca.pem b/crypto/openssl/test/dsa-ca.pem
new file mode 100644
index 0000000..9eb08f3
--- /dev/null
+++ b/crypto/openssl/test/dsa-ca.pem
@@ -0,0 +1,43 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,C5B6C7CC9E1FE2C0
+
+svCXBcBRhMuU22UXOfiKZA+thmz6KYXpt1Yg5Rd+TYQcQ1MdvNy0B0tkP1SxzDq0
+Xh1eMeTML9/9/0rKakgNXXXbpi5RB8t6BmwRSyej89F7nn1mtR3qzoyPRpp15SDl
+Tn67C+2v+HDF3MFk88hiNCYkNbcmi7TWvChsl8N1r7wdZwtIox56yXdgxw6ZIpa/
+par0oUCzN7fiavPgCWz1kfPNSaBQSdxwH7TZi5tMHAr0J3C7a7QRnZfE09R59Uqr
+zslrq+ndIw1BZAxoY0SlBu+iFOVaBVlwToC4AsHkv7j7l8ITtr7f42YbBa44D9TO
+uOhONmkk/v3Fso4RaOEzdKZC+hnmmzvHs6TiTWm6yzJgSFwyOUK0eGmKEeVxpcH5
+rUOlHOwzen+FFtocZDZAfdFnb7QY7L/boQvyA5A+ZbRG4DUpmBQeQsSaICHM5Rxx
+1QaLF413VNPXTLPbW0ilSc2H8x2iZTIVKfd33oSO6NhXPtSYQgfecEF4BvNHY5c4
+HovjT4mckbK95bcBzoCHu43vuSQkmZzdYo/ydSZt6zoPavbBLueTpgSbdXiDi827
+MVqOsYxGCb+kez0FoDSTgw==
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
+C1Q=
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/test/dsa-pca.pem b/crypto/openssl/test/dsa-pca.pem
new file mode 100644
index 0000000..e3641ad
--- /dev/null
+++ b/crypto/openssl/test/dsa-pca.pem
@@ -0,0 +1,49 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,F80EEEBEEA7386C4
+
+GZ9zgFcHOlnhPoiSbVi/yXc9mGoj44A6IveD4UlpSEUt6Xbse3Fr0KHIUyQ3oGnS
+mClKoAp/eOTb5Frhto85SzdsxYtac+X1v5XwdzAMy2KowHVk1N8A5jmE2OlkNPNt
+of132MNlo2cyIRYaa35PPYBGNCmUm7YcYS8O90YtkrQZZTf4+2C4kllhMcdkQwkr
+FWSWC8YOQ7w0LHb4cX1FejHHom9Nd/0PN3vn3UyySvfOqoR7nbXkrpHXmPIr0hxX
+RcF0aXcV/CzZ1/nfXWQf4o3+oD0T22SDoVcZY60IzI0oIc3pNCbDV3uKNmgekrFd
+qOUJ+QW8oWp7oefRx62iBfIeC8DZunohMXaWAQCU0sLQOR4yEdeUCnzCSywe0bG1
+diD0KYaEe+Yub1BQH4aLsBgDjardgpJRTQLq0DUvw0/QGO1irKTJzegEDNVBKrVn
+V4AHOKT1CUKqvGNRP1UnccUDTF6miOAtaj/qpzra7sSk7dkGBvIEeFoAg84kfh9h
+hVvF1YyzC9bwZepruoqoUwke/WdNIR5ymOVZ/4Liw0JdIOcq+atbdRX08niqIRkf
+dsZrUj4leo3zdefYUQ7w4N2Ns37yDFq7
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
+5rKUjNBhSg==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/test/methtest.c b/crypto/openssl/test/methtest.c
new file mode 100644
index 0000000..06ccb3b
--- /dev/null
+++ b/crypto/openssl/test/methtest.c
@@ -0,0 +1,105 @@
+/* test/methtest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+#include "meth.h"
+#include <openssl/err.h>
+
+int main(argc,argv)
+int argc;
+char *argv[];
+	{
+	METHOD_CTX *top,*tmp1,*tmp2;
+
+	top=METH_new(x509_lookup()); /* get a top level context */
+	if (top == NULL) goto err;
+
+	tmp1=METH_new(x509_by_file());
+	if (top == NULL) goto err;
+	METH_arg(tmp1,METH_TYPE_FILE,"cafile1");
+	METH_arg(tmp1,METH_TYPE_FILE,"cafile2");
+	METH_push(top,METH_X509_CA_BY_SUBJECT,tmp1);
+
+	tmp2=METH_new(x509_by_dir());
+	METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/.CAcerts");
+	METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/SSLeay/certs");
+	METH_arg(tmp2,METH_TYPE_DIR,"/usr/local/ssl/certs");
+	METH_push(top,METH_X509_CA_BY_SUBJECT,tmp2);
+
+/*	tmp=METH_new(x509_by_issuer_dir);
+	METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
+	METH_push(top,METH_X509_BY_ISSUER,tmp);
+
+	tmp=METH_new(x509_by_issuer_primary);
+	METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem");
+	METH_push(top,METH_X509_BY_ISSUER,tmp);
+*/
+
+	METH_init(top);
+	METH_control(tmp1,METH_CONTROL_DUMP,stdout);
+	METH_control(tmp2,METH_CONTROL_DUMP,stdout);
+	exit(0);
+err:
+	ERR_load_crypto_strings();
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	return(0);
+	}
diff --git a/crypto/openssl/test/pkcs7-1.pem b/crypto/openssl/test/pkcs7-1.pem
new file mode 100644
index 0000000..c47b27a
--- /dev/null
+++ b/crypto/openssl/test/pkcs7-1.pem
@@ -0,0 +1,15 @@
+-----BEGIN PKCS7-----
+MIICUAYJKoZIhvcNAQcCoIICQTCCAj0CAQExDjAMBggqhkiG9w0CAgUAMCgGCSqG
+SIb3DQEHAaAbBBlFdmVyeW9uZSBnZXRzIEZyaWRheSBvZmYuoIIBXjCCAVowggEE
+AgQUAAApMA0GCSqGSIb3DQEBAgUAMCwxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRF
+eGFtcGxlIE9yZ2FuaXphdGlvbjAeFw05MjA5MDkyMjE4MDZaFw05NDA5MDkyMjE4
+MDVaMEIxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlv
+bjEUMBIGA1UEAxMLVGVzdCBVc2VyIDEwWzANBgkqhkiG9w0BAQEFAANKADBHAkAK
+ZnkdxpiBaN56t3QZu3+wwAHGJxAnAHUUKULhmo2MUdBTs+N4Kh3l3Fr06+mUaBcB
+FKHf5nzcmpr1XWVWILurAgMBAAEwDQYJKoZIhvcNAQECBQADQQBFGqHhqncgSl/N
+9XYGnQL3MsJvNnsNV4puZPOakR9Hld8JlDQFEaDR30ogsmp3TMrvdfxpLlTCoZN8
+BxEmnZsWMYGbMIGYAgEBMDQwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEV4YW1w
+bGUgT3JnYW5pemF0aW9uAgQUAAApMAwGCCqGSIb3DQICBQAwDQYJKoZIhvcNAQEB
+BQAEQAX6aoEvx9+L9PJUJQngPoRuEbnGIL4gCe+0QO+8xmkhaZSsBPNBtX0FIC1C
+j7Kie1x339mxW/w9VZNTUDQQweHh
+-----END PKCS7-----
diff --git a/crypto/openssl/test/pkcs7.pem b/crypto/openssl/test/pkcs7.pem
new file mode 100644
index 0000000..d55c60b
--- /dev/null
+++ b/crypto/openssl/test/pkcs7.pem
@@ -0,0 +1,54 @@
+     MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIIE+DCCBGGg
+     AwIBAgIQaGSF/JpbS1C223+yrc+N1DANBgkqhkiG9w0BAQQFADBiMREwDwYDVQQH
+     EwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1Zl
+     cmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwHhcNOTYw
+     ODEyMDAwMDAwWhcNOTYwODE3MjM1OTU5WjCCASAxETAPBgNVBAcTCEludGVybmV0
+     MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
+     c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjE3MDUGA1UECxMuRGlnaXRh
+     bCBJRCBDbGFzcyAxIC0gU01JTUUgVmVyaVNpZ24sIEluYy4gVEVTVDFGMEQGA1UE
+     CxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUyBJbmNvcnAuIGJ5IFJl
+     Zi4sTElBQi5MVEQoYyk5NjEZMBcGA1UEAxMQQWxleGFuZHJlIERlYWNvbjEgMB4G
+     CSqGSIb3DQEJARYRYWxleEB2ZXJpc2lnbi5jb20wWzANBgkqhkiG9w0BAQEFAANK
+     ADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDORl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0
+     l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMBAAGjggIyMIICLjAJBgNVHRMEAjAAMIIC
+     HwYDVR0DBIICFjCCAhIwggIOMIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMg
+     Y2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVzIGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1
+     c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhlIFZlcmlTaWduIENlcnRpZmlj
+     YXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0
+     dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBDUFMtcmVx
+     dWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu
+     LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBU
+     ZWwuICsxICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2ln
+     biwgSW5jLiAgQWxsIFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVT
+     IERJU0NMQUlNRUQgYW5kIExJQUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcB
+     AQGhDgYMYIZIAYb4RQEHAQECMCwwKhYoaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
+     L3JlcG9zaXRvcnkvQ1BTIDANBgkqhkiG9w0BAQQFAAOBgQAimWMGQwwwxk+b3KAL
+     HlSWXtU7LWHe29CEG8XeVNTvrqs6SBqT7OoENOkGxpfdpVgZ3Qw2SKjxDvbvpfSF
+     slsqcxWSgB/hWuaVuZCkvTw/dYGGOxkTJGxvDCfl1PZjX4dKbatslsi9Z9HpGWT7
+     ttItRwKqcBKgmCJvKi1pGWED0zCCAnkwggHioAMCAQICEDURpVKQb+fQKaRAGdQR
+     /D4wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlT
+     aWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRp
+     ZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDYyNzAwMDAwMFoXDTk3MDYyNzIzNTk1
+     OVowYjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
+     MTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJz
+     Y3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FKbPTdAFDdjKI9Bv
+     qrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7jW80GqLd5HUQq7XPy
+     sVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW7s987Lrb
+     P2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTAPBgNVHRMECDAGAQH/AgEBMAsG
+     A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADgYEA
+     KeXHoBmnbxRCgk0jM9e9mDppdxpsipIna/J8DOHEUuD4nONAr4+xOg73SBl026n7
+     Bk55A2wvAMGo7+kKTZ+rHaFDDcmq4O+rzFri2RIOeGAncj1IcGptAQhvXoIhFMG4
+     Jlzg1KlHZHqy7D3jex78zcSU7kKOu8f5tAX1jC3+sToAAKGAMIIBJzCBkTANBgkq
+     hkiG9w0BAQIFADBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNp
+     Z24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlk
+     dWFsIFN1YnNjcmliZXIXDTk2MDcwMTE3MzA0MFoXDTk3MDcwMTAwMDAwMFowDQYJ
+     KoZIhvcNAQECBQADgYEAGLuQ6PX8A7AiqBEtWzYtl6lZNSDI0bR5YUo+D2Jzkw30
+     dxQnJSbKXEc6XYuzAW5HvrzATXu5c19WWPT4cRDwmjH71i9QcDysWwf/wE0qGTiW
+     I3tQT0I5VGh7jIJD07nlBw3R4Xl8dH9kr85JsWinqDH5YKpIo9o8knY5n7+qjOow
+     ggEkMIGOMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5W
+     ZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBD
+     ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eRcNOTYwNzE2MjMxMTI5WhcNOTYwODE1MDAw
+     MDAwWjANBgkqhkiG9w0BAQIFAAOBgQAXsLE4vnsY6sY67QrmWec7iaU2ehzxanEK
+     /9wKHZNuhlNzk+qGZZw2evxfUe2OaRbYpl8zuZvhK9BHD3ad14OSe9/zx5hOPgP/
+     DQXt6R4R8Q/1JheBrolrgbavjvI2wKS8/Psp2prBrkF4T48+AKRmS8Zzh1guxgvP
+     b+xSu/jH0gAAMYAAAAAAAAAAAA==
diff --git a/crypto/openssl/test/r160test.c b/crypto/openssl/test/r160test.c
new file mode 100644
index 0000000..a172e39
--- /dev/null
+++ b/crypto/openssl/test/r160test.c
@@ -0,0 +1,57 @@
+/* test/r160test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
diff --git a/crypto/openssl/test/tcrl b/crypto/openssl/test/tcrl
new file mode 100644
index 0000000..acaf8f3
--- /dev/null
+++ b/crypto/openssl/test/tcrl
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl crl'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testcrl.pem
+fi
+
+echo testing crl conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in fff.p -inform p -outform t >f.t
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> d"
+#$cmd -in f.t -inform t -outform d >ff.d2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+#echo "d -> t"
+#$cmd -in f.d -inform d -outform t >ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#echo "t -> t"
+#$cmd -in f.t -inform t -outform t >ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in f.p -inform p -outform t >ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> p"
+#$cmd -in f.t -inform t -outform p >ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp fff.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+#cmp f.t ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp f.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/test.cnf b/crypto/openssl/test/test.cnf
new file mode 100644
index 0000000..faad391
--- /dev/null
+++ b/crypto/openssl/test/test.cnf
@@ -0,0 +1,88 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/new_certs	# default place for new certs.
+
+certificate	= $dir/CAcert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/CAkey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= testkey.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Queensland
+stateOrProvinceName_value	=
+
+localityName			= Locality Name (eg, city)
+localityName_value		= Brisbane
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= 
+organizationName_value		= CryptSoft Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	=
+organizationalUnitName_value	= .
+
+commonName			= Common Name (eg, YOUR name)
+commonName_value		= Eric Young
+
+emailAddress			= Email Address
+emailAddress_value		= eay@mincom.oz.au
diff --git a/crypto/openssl/test/testca b/crypto/openssl/test/testca
new file mode 100644
index 0000000..88c186b
--- /dev/null
+++ b/crypto/openssl/test/testca
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+SH="/bin/sh"
+PATH=../apps:$PATH
+export SH PATH
+
+SSLEAY_CONFIG="-config CAss.cnf"
+export SSLEAY_CONFIG
+
+/bin/rm -fr demoCA
+$SH ../apps/CA.sh -newca <<EOF
+EOF
+
+if [ $? != 0 ]; then
+	exit 1;
+fi
+
+SSLEAY_CONFIG="-config Uss.cnf"
+export SSLEAY_CONFIG
+$SH ../apps/CA.sh -newreq
+if [ $? != 0 ]; then
+	exit 1;
+fi
+
+
+SSLEAY_CONFIG="-config ../apps/openssl.cnf"
+export SSLEAY_CONFIG
+$SH ../apps/CA.sh -sign  <<EOF
+y
+y
+EOF
+if [ $? != 0 ]; then
+	exit 1;
+fi
+
+
+$SH ../apps/CA.sh -verify newcert.pem
+if [ $? != 0 ]; then
+	exit 1;
+fi
+
+/bin/rm -fr demoCA newcert.pem newreq.pem
+#usage: CA -newcert|-newreq|-newca|-sign|-verify
+
diff --git a/crypto/openssl/test/testcrl.pem b/crypto/openssl/test/testcrl.pem
new file mode 100644
index 0000000..0989788
--- /dev/null
+++ b/crypto/openssl/test/testcrl.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT
+F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy
+IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw
+MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw
+MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw
+MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw
+MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw
+MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw
+MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw
+NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw
+NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF
+AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ
+wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt
+JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v
+-----END X509 CRL-----
diff --git a/crypto/openssl/test/testenc b/crypto/openssl/test/testenc
new file mode 100644
index 0000000..0656c7f
--- /dev/null
+++ b/crypto/openssl/test/testenc
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+testsrc=Makefile.ssl
+test=./p
+cmd=../apps/openssl
+
+cat $testsrc >$test;
+
+echo cat
+$cmd enc < $test > $test.cipher
+$cmd enc < $test.cipher >$test.clear
+cmp $test $test.clear
+if [ $? != 0 ]
+then
+	exit 1
+else
+	/bin/rm $test.cipher $test.clear
+fi
+echo base64
+$cmd enc -a -e < $test > $test.cipher
+$cmd enc -a -d < $test.cipher >$test.clear
+cmp $test $test.clear
+if [ $? != 0 ]
+then
+	exit 1
+else
+	/bin/rm $test.cipher $test.clear
+fi
+
+for i in `$cmd list-cipher-commands`
+do
+	echo $i
+	$cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
+	$cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+	cmp $test $test.$i.clear
+	if [ $? != 0 ]
+	then
+		exit 1
+	else
+		/bin/rm $test.$i.cipher $test.$i.clear
+	fi
+
+	echo $i base64
+	$cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+	$cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+	cmp $test $test.$i.clear
+	if [ $? != 0 ]
+	then
+		exit 1
+	else
+		/bin/rm $test.$i.cipher $test.$i.clear
+	fi
+done
+rm -f $test
diff --git a/crypto/openssl/test/testgen b/crypto/openssl/test/testgen
new file mode 100644
index 0000000..6a4b6b9
--- /dev/null
+++ b/crypto/openssl/test/testgen
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+T=testcert
+KEY=512
+CA=../certs/testca.pem
+
+/bin/rm -f $T.1 $T.2 $T.key
+
+PATH=../apps:$PATH;
+export PATH
+
+echo "generating certificate request"
+
+echo "string to make the random number generator think it has entropy" >> ./.rnd
+
+if ../apps/openssl no-rsa; then
+  req_new='-newkey dsa:../apps/dsa512.pem'
+else
+  req_new='-new'
+  echo "There should be a 2 sequences of .'s and some +'s."
+  echo "There should not be more that at most 80 per line"
+fi
+
+echo "This could take some time."
+
+../apps/openssl req -config test.cnf $req_new -out testreq.pem
+if [ $? != 0 ]; then
+echo problems creating request
+exit 1
+fi
+
+../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+if [ $? != 0 ]; then
+echo signature on req is wrong
+exit 1
+fi
+
+exit 0
diff --git a/crypto/openssl/test/testp7.pem b/crypto/openssl/test/testp7.pem
new file mode 100644
index 0000000..6bba16f
--- /dev/null
+++ b/crypto/openssl/test/testp7.pem
@@ -0,0 +1,46 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHAqCAMIIIBwIBATEAMIAGCSqGSIb3DQEHAQAAoIIGPDCCBHIw
+ggQcoAMCAQICEHkvjiX1iVGQMenF9HgIjI8wDQYJKoZIhvcNAQEEBQAwYjERMA8G
+A1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQL
+EytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMB4X
+DTk2MDcxOTAwMDAwMFoXDTk3MDMzMDIzNTk1OVowgdUxETAPBgNVBAcTCEludGVy
+bmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24g
+Q2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjEoMCYGA1UECxMfRGln
+aXRhbCBJRCBDbGFzcyAxIC0gU01JTUUgVGVzdDFHMEUGA1UECxM+d3d3LnZlcmlz
+aWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLjAgSW5jLiBieSBSZWYuLExJQUIuTFRE
+KGMpOTYwWzANBgkqhkiG9w0BAQEFAANKADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDO
+Rl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMB
+AAGjggI5MIICNTAJBgNVHRMEAjAAMIICJgYDVR0DBIICHTCCAhkwggIVMIICEQYL
+YIZIAYb4RQEHAQEwggIAFoIBq1RoaXMgY2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVz
+IGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0
+bywgdGhlIFZlcmlTaWduIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50
+IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9D
+UFMtMS4wOyBieSBFLW1haWwgYXQgQ1BTLXJlcXVlc3RzQHZlcmlzaWduLmNvbTsg
+b3IgYnkgbWFpbCBhdCBWZXJpU2lnbiwgSW5jLiwgMjU5MyBDb2FzdCBBdmUuLCBN
+b3VudGFpbiBWaWV3LCBDQSA5NDA0MyBVU0EgVGVsLiArMSAoNDE1KSA5NjEtODgz
+MCBDb3B5cmlnaHQgKGMpIDE5OTYgVmVyaVNpZ24sIEluYy4gIEFsbCBSaWdodHMg
+UmVzZXJ2ZWQuIENFUlRBSU4gV0FSUkFOVElFUyBESVNDTEFJTUVEIGFuZCBMSUFC
+SUxJVFkgTElNSVRFRC6gDgYMYIZIAYb4RQEHAQEBoQ4GDGCGSAGG+EUBBwEBAjAv
+MC0WK2h0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLgMw
+DQYJKoZIhvcNAQEEBQADQQDAmA7km/3iJWEsWN9Z2WU2gmZAknx45WnDKHxMa3Bf
+gNsh6BLk/ngkJKjNKTDR13XVHqEPUY1flbjATZputw1GMIIBwjCCAWygAwIBAgIQ
+fAmE6tW5ERSQWDneu3KfSTANBgkqhkiG9w0BAQIFADA+MQswCQYDVQQGEwJVUzEX
+MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDVRFU1QgUm9vdCBQQ0Ew
+HhcNOTYwNzE3MDAwMDAwWhcNOTcwNzE3MjM1OTU5WjBiMREwDwYDVQQHEwhJbnRl
+cm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWdu
+IENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwXDANBgkqhkiG9w0B
+AQEFAANLADBIAkEA7Fc6zYJw4WwCWa1ni3fYNbzGSQNluuw990024GusjLfhEk1h
+MsIUukTT/n8yxoO7rYp4x+LS+tHF2tBtuxg7CwIDAQABoyIwIDALBgNVHQ8EBAMC
+AQYwEQYJYIZIAYb4QgEBBAQDAgIEMA0GCSqGSIb3DQEBAgUAA0EAFKem0cJGg9nd
+TAbP5o1HIEyNn11ZlvLU5v1Hejs1MKQt72IMm4jjgOH+pjguXW8lB6yzrK4oVOO2
+UNCaNQ1H26GCAa0wgcEwbTANBgkqhkiG9w0BAQIFADA+MQswCQYDVQQGEwJVUzEX
+MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDVRFU1QgUm9vdCBQQ0EX
+DTk2MDcxNzE3NDQwOVoXDTk4MDcxNzAwMDAwMFowDQYJKoZIhvcNAQECBQADQQB4
+rQNP8QLpAox83odQDE/5dqAuvDfshW/miTxwQTMXOoBtjGiowTcG+YXF1JZTJRMT
+jQN47tdH+6MCKt7N8MddMIHmMIGRMA0GCSqGSIb3DQEBAgUAMGIxETAPBgNVBAcT
+CEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVy
+aVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlchcNOTYwNzE3
+MTc1OTI5WhcNOTcwNzE4MDAwMDAwWjANBgkqhkiG9w0BAQIFAANBALm1VmE7FrEJ
+rLXvX/lIDMPAZIw5TNuX8EC6wn5ppy8Y3sHstdJEkTsqVGiS2/q+KEQC3NHxvV32
+bGooiIKLUB4xAAAAAAA=
+-----END PKCS7-----
diff --git a/crypto/openssl/test/testreq2.pem b/crypto/openssl/test/testreq2.pem
new file mode 100644
index 0000000..c3cdcff
--- /dev/null
+++ b/crypto/openssl/test/testreq2.pem
@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHaMIGFAgEAMA4xDDAKBgNVBAMTA2NuNDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
+QQCQsnkyUGDY2R3mYoeTprFJKgWuJ3f1jUjlIuW5+wfAUoeMt35c4vcFZ2mIBpEG
+DtzkNQN1kr2O9ldm9zYnYhyhAgMBAAGgEjAQBgorBgEEAYI3AgEOMQIwADANBgkq
+hkiG9w0BAQQFAANBAAb2szZgVIxg3vK6kYLjGSBISyuzcXJ6IvuPW6M+yzi1Qgoi
+gQhazHTJp91T8ItZEzUJGZSZl2e5iXlnffWB+/U=
+-----END CERTIFICATE REQUEST-----
diff --git a/crypto/openssl/test/testrsa.pem b/crypto/openssl/test/testrsa.pem
new file mode 100644
index 0000000..aad2106
--- /dev/null
+++ b/crypto/openssl/test/testrsa.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
+Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
+rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
+oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
+mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
+rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
+mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/test/testsid.pem b/crypto/openssl/test/testsid.pem
new file mode 100644
index 0000000..7ffd008
--- /dev/null
+++ b/crypto/openssl/test/testsid.pem
@@ -0,0 +1,12 @@
+-----BEGIN SSL SESSION PARAMETERS-----
+MIIB1gIBAQIBAgQDAQCABBCi11xa5qkOP8xrr02K/NQCBBBkIYQZM0Bt95W0EHNV
+bA58oQYCBDIBr7WiBAICASyjggGGMIIBgjCCASwCAQMwDQYJKoZIhvcNAQEEBQAw
+ODELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3Jz
+YSB0ZXN0IENBMB4XDTk1MTAwOTIzMzEzNFoXDTk4MDcwNTIzMzEzNFowYDELMAkG
+A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRk
+LjELMAkGA1UECxMCQ1MxGzAZBgNVBAMTElNTTGVheSBkZW1vIGNsaWVudDBcMA0G
+CSqGSIb3DQEBAQUAA0sAMEgCQQC4pcXEL1lgVA+B5Q3TcuW/O3LZHoA73IYm8oFD
+TezgCDhL2RTMn+seKWF36UtJKRIOBU9jZHCVVd0Me5ls6BEjAgMBAAEwDQYJKoZI
+hvcNAQEEBQADQQBoIpOcwUY1qlVF7j3ROSGvUsbvByOBFmYWkIBgsCqR+9qo1A7L
+CrWF5i8LWt/vLwAHaxWNx2YuBJMFyuK81fTvpA0EC3Rlc3Rjb250ZXh0
+-----END SSL SESSION PARAMETERS-----
diff --git a/crypto/openssl/test/testss b/crypto/openssl/test/testss
new file mode 100644
index 0000000..2f600f0
--- /dev/null
+++ b/crypto/openssl/test/testss
@@ -0,0 +1,97 @@
+#!/bin/sh
+
+digest='-md5'
+reqcmd="../apps/openssl req"
+x509cmd="../apps/openssl x509 $digest"
+verifycmd="../apps/openssl verify"
+dummycnf="../apps/openssl.cnf"
+
+CAkey="keyCA.ss"
+CAcert="certCA.ss"
+CAreq="reqCA.ss"
+CAconf="CAss.cnf"
+CAreq2="req2CA.ss"	# temp
+
+Uconf="Uss.cnf"
+Ukey="keyU.ss"
+Ureq="reqU.ss"
+Ucert="certU.ss"
+
+echo
+echo "make a certificate request using 'req'"
+
+if ../apps/openssl no-rsa; then
+  req_new='-newkey dsa:../apps/dsa512.pem'
+else
+  req_new='-new'
+fi
+
+$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate a certificate request"
+	exit 1
+fi
+echo
+echo "convert the certificate request into a self signed certificate using 'x509'"
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to self sign a certificate request"
+	exit 1
+fi
+
+echo
+echo "convert a certificate into a certificate request using 'x509'"
+$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' convert a certificate to a certificate request"
+	exit 1
+fi
+
+$reqcmd -config $dummycnf -verify -in $CAreq -noout
+if [ $? != 0 ]; then
+	echo first generated request is invalid
+	exit 1
+fi
+
+$reqcmd -config $dummycnf -verify -in $CAreq2 -noout
+if [ $? != 0 ]; then
+	echo second generated request is invalid
+	exit 1
+fi
+
+$verifycmd -CAfile $CAcert $CAcert
+if [ $? != 0 ]; then
+	echo first generated cert is invalid
+	exit 1
+fi
+
+echo
+echo "make another certificate request using 'req'"
+$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate a certificate request"
+	exit 1
+fi
+
+echo
+echo "sign certificate request with the just created CA via 'x509'"
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to sign a certificate request"
+	exit 1
+fi
+
+$verifycmd -CAfile $CAcert $Ucert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
+
+echo
+echo The generated CA certificate is $CAcert
+echo The generated CA private key is $CAkey
+
+echo The generated user certificate is $Ucert
+echo The generated user private key is $Ukey
+
+/bin/rm err.ss
+exit 0
diff --git a/crypto/openssl/test/testssl b/crypto/openssl/test/testssl
new file mode 100644
index 0000000..2151a64
--- /dev/null
+++ b/crypto/openssl/test/testssl
@@ -0,0 +1,128 @@
+#!/bin/sh
+
+if [ "$1" = "" ]; then
+  key=../apps/server.pem
+else
+  key="$1"
+fi
+if [ "$2" = "" ]; then
+  cert=../apps/server.pem
+else
+  cert="$2"
+fi
+ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+
+if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+  dsa_cert=YES
+else
+  dsa_cert=NO
+fi
+
+if [ "$3" = "" ]; then
+  CA="-CApath ../certs"
+else
+  CA="-CAfile $3"
+fi
+
+#############################################################################
+
+echo test sslv2
+$ssltest -ssl2 || exit 1
+
+echo test sslv2 with server authentication
+$ssltest -ssl2 -server_auth $CA || exit 1
+
+if [ $dsa_cert = NO ]; then
+  echo test sslv2 with client authentication
+  $ssltest -ssl2 -client_auth $CA || exit 1
+
+  echo test sslv2 with both client and server authentication
+  $ssltest -ssl2 -server_auth -client_auth $CA || exit 1
+fi
+
+echo test sslv3
+$ssltest -ssl3 || exit 1
+
+echo test sslv3 with server authentication
+$ssltest -ssl3 -server_auth $CA || exit 1
+
+echo test sslv3 with client authentication
+$ssltest -ssl3 -client_auth $CA || exit 1
+
+echo test sslv3 with both client and server authentication
+$ssltest -ssl3 -server_auth -client_auth $CA || exit 1
+
+echo test sslv2/sslv3
+$ssltest || exit 1
+
+echo test sslv2/sslv3 with server authentication
+$ssltest -server_auth $CA || exit 1
+
+echo test sslv2/sslv3 with client authentication
+$ssltest -client_auth $CA || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication
+$ssltest -server_auth -client_auth $CA || exit 1
+
+echo test sslv2 via BIO pair
+$ssltest -bio_pair -ssl2 || exit 1
+
+echo test sslv2 with server authentication via BIO pair
+$ssltest -bio_pair -ssl2 -server_auth $CA || exit 1
+
+if [ $dsa_cert = NO ]; then
+  echo test sslv2 with client authentication via BIO pair
+  $ssltest -bio_pair -ssl2 -client_auth $CA || exit 1
+
+  echo test sslv2 with both client and server authentication via BIO pair
+  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA || exit 1
+fi
+
+echo test sslv3 via BIO pair
+$ssltest -bio_pair -ssl3 || exit 1
+
+echo test sslv3 with server authentication via BIO pair
+$ssltest -bio_pair -ssl3 -server_auth $CA || exit 1
+
+echo test sslv3 with client authentication via BIO pair
+$ssltest -bio_pair -ssl3 -client_auth $CA || exit 1
+
+echo test sslv3 with both client and server authentication via BIO pair
+$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA || exit 1
+
+echo test sslv2/sslv3 via BIO pair
+$ssltest || exit 1
+
+if [ $dsa_cert = NO ]; then
+  echo test sslv2/sslv3 w/o DHE via BIO pair
+  $ssltest -bio_pair -no_dhe || exit 1
+fi
+
+echo test sslv2/sslv3 with 1024bit DHE via BIO pair
+$ssltest -bio_pair -dhe1024dsa -v || exit 1
+
+echo test sslv2/sslv3 with server authentication
+$ssltest -bio_pair -server_auth $CA || exit 1
+
+echo test sslv2/sslv3 with client authentication via BIO pair
+$ssltest -bio_pair -client_auth $CA || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair
+$ssltest -bio_pair -server_auth -client_auth $CA || exit 1
+
+#############################################################################
+
+echo test tls1 with 1024bit anonymous DH, multiple handshakes
+$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1
+
+if ../apps/openssl no-rsa; then
+  echo skipping RSA tests
+else
+  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
+  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1
+
+  echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1
+fi
+
+exit 0
diff --git a/crypto/openssl/test/testx509.pem b/crypto/openssl/test/testx509.pem
new file mode 100644
index 0000000..8a85d14
--- /dev/null
+++ b/crypto/openssl/test/testx509.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
+MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF
+AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
+/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
+Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
+zl9HYIMxATFyqSiD9jsx
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/test/times b/crypto/openssl/test/times
new file mode 100644
index 0000000..49aeebf
--- /dev/null
+++ b/crypto/openssl/test/times
@@ -0,0 +1,113 @@
+
+More number for the questions about SSL overheads....
+
+The following numbers were generated on a pentium pro 200, running linux.
+They give an indication of the SSL protocol and encryption overheads.
+
+The program that generated them is an unreleased version of ssl/ssltest.c
+which is the SSLeay ssl protocol testing program.  It is a single process that
+talks both sides of the SSL protocol via a non-blocking memory buffer
+interface.
+
+How do I read this?  The protocol and cipher are reasonable obvious.
+The next number is the number of connections being made.  The next is the
+number of bytes exchanged bewteen the client and server side of the protocol.
+This is the number of bytes that the client sends to the server, and then
+the server sends back.  Because this is all happening in one process,
+the data is being encrypted, decrypted, encrypted and then decrypted again.
+It is a round trip of that many bytes.  Because the one process performs
+both the client and server sides of the protocol and it sends this many bytes
+each direction, multiply this number by 4 to generate the number
+of bytes encrypted/decrypted/MACed.  The first time value is how many seconds
+elapsed doing a full SSL handshake, the second is the cost of one
+full handshake and the rest being session-id reuse.
+
+SSLv2 RC4-MD5      1000 x      1   12.83s   0.70s
+SSLv3 NULL-MD5     1000 x      1   14.35s   1.47s
+SSLv3 RC4-MD5      1000 x      1   14.46s   1.56s
+SSLv3 RC4-MD5      1000 x      1   51.93s   1.62s 1024bit RSA
+SSLv3 RC4-SHA      1000 x      1   14.61s   1.83s
+SSLv3 DES-CBC-SHA  1000 x      1   14.70s   1.89s
+SSLv3 DES-CBC3-SHA 1000 x      1   15.16s   2.16s
+
+SSLv2 RC4-MD5      1000 x   1024   13.72s   1.27s
+SSLv3 NULL-MD5     1000 x   1024   14.79s   1.92s
+SSLv3 RC4-MD5      1000 x   1024   52.58s   2.29s 1024bit RSA
+SSLv3 RC4-SHA      1000 x   1024   15.39s   2.67s
+SSLv3 DES-CBC-SHA  1000 x   1024   16.45s   3.55s
+SSLv3 DES-CBC3-SHA 1000 x   1024   18.21s   5.38s
+
+SSLv2 RC4-MD5      1000 x  10240   18.97s   6.52s
+SSLv3 NULL-MD5     1000 x  10240   17.79s   5.11s
+SSLv3 RC4-MD5      1000 x  10240   20.25s   7.90s
+SSLv3 RC4-MD5      1000 x  10240   58.26s   8.08s 1024bit RSA
+SSLv3 RC4-SHA      1000 x  10240   22.96s  11.44s
+SSLv3 DES-CBC-SHA  1000 x  10240   30.65s  18.41s
+SSLv3 DES-CBC3-SHA 1000 x  10240   47.04s  34.53s
+
+SSLv2 RC4-MD5      1000 x 102400   70.22s  57.74s
+SSLv3 NULL-MD5     1000 x 102400   43.73s  31.03s
+SSLv3 RC4-MD5      1000 x 102400   71.32s  58.83s
+SSLv3 RC4-MD5      1000 x 102400  109.66s  59.20s 1024bit RSA
+SSLv3 RC4-SHA      1000 x 102400   95.88s  82.21s
+SSLv3 DES-CBC-SHA  1000 x 102400  173.22s 160.55s
+SSLv3 DES-CBC3-SHA 1000 x 102400  336.61s 323.82s
+
+What does this all mean?  Well for a server, with no session-id reuse, with
+a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
+a pentium pro 200 running linux can handle the SSLv3 protocol overheads of
+about 49 connections a second.  Reality will be quite different :-).
+
+Remeber the first number is 1000 full ssl handshakes, the second is
+1 full and 999 with session-id reuse.  The RSA overheads for each exchange
+would be one public and one private operation, but the protocol/MAC/cipher
+cost would be quite similar in both the client and server.
+
+eric (adding numbers to speculation)
+
+--- Appendix ---
+- The time measured is user time but these number a very rough.
+- Remember this is the cost of both client and server sides of the protocol.
+- The TCP/kernal overhead of connection establishment is normally the
+  killer in SSL.  Often delays in the TCP protocol will make session-id
+  reuse look slower that new sessions, but this would not be the case on
+  a loaded server.
+- The TCP round trip latencies, while slowing indervidual connections,
+  would have minimal impact on throughput.
+- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
+- the required number of bytes are processed.
+- The SSLv3 connections were actually SSLv2 compatable SSLv3 headers.
+- A 512bit server key was being used except where noted.
+- No server key verification was being performed on the client side of the
+  protocol.  This would slow things down very little.
+- The library being used is SSLeay 0.8.x.
+- The normal mesauring system was commands of the form
+  time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
+  This modified version of ssltest should be in the next public release of
+  SSLeay.
+
+The general cipher performace number for this platform are
+
+SSLeay 0.8.2a 04-Sep-1997
+built on Fri Sep  5 17:37:05 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               131.02k      368.41k      500.57k      549.21k      566.09k
+mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
+md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
+sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
+sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
+rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
+des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
+des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
+idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
+rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
+blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
+                  sign    verify
+rsa  512 bits   0.0100s   0.0011s
+rsa 1024 bits   0.0451s   0.0012s
+rsa 2048 bits   0.2605s   0.0086s
+rsa 4096 bits   1.6883s   0.0302s
+
diff --git a/crypto/openssl/test/tpkcs7 b/crypto/openssl/test/tpkcs7
new file mode 100644
index 0000000..15bbba4
--- /dev/null
+++ b/crypto/openssl/test/tpkcs7
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl pkcs7'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testp7.pem
+fi
+
+echo testing pkcs7 conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/tpkcs7d b/crypto/openssl/test/tpkcs7d
new file mode 100644
index 0000000..46e5aa2
--- /dev/null
+++ b/crypto/openssl/test/tpkcs7d
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl pkcs7'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=pkcs7-1.pem
+fi
+
+echo "testing pkcs7 conversions (2)"
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/treq b/crypto/openssl/test/treq
new file mode 100644
index 0000000..9f5eb7e
--- /dev/null
+++ b/crypto/openssl/test/treq
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl req -config ../apps/openssl.cnf'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testreq.pem
+fi
+
+if $cmd -in $t -inform p -noout -text | fgrep 'Unknown Public Key'; then
+  echo "skipping req conversion test for $t"
+  exit 0
+fi
+
+echo testing req conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in fff.p -inform p -outform t >f.t
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -verify -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> d"
+#$cmd -in f.t -inform t -outform d >ff.d2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -verify -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+#echo "d -> t"
+#$cmd -in f.d -inform d -outform t >ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#echo "t -> t"
+#$cmd -in f.t -inform t -outform t >ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in f.p -inform p -outform t >ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> p"
+#$cmd -in f.t -inform t -outform p >ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp fff.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+#cmp f.t ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp f.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/trsa b/crypto/openssl/test/trsa
new file mode 100644
index 0000000..bd6c076
--- /dev/null
+++ b/crypto/openssl/test/trsa
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+if ../apps/openssl no-rsa; then
+  echo skipping rsa conversion test
+  exit 0
+fi
+
+cmd='../apps/openssl rsa'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testrsa.pem
+fi
+
+echo testing rsa conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in fff.p -inform p -outform t >f.t
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> d"
+#$cmd -in f.t -inform t -outform d >ff.d2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+#echo "d -> t"
+#$cmd -in f.d -inform d -outform t >ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#echo "t -> t"
+#$cmd -in f.t -inform t -outform t >ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in f.p -inform p -outform t >ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> p"
+#$cmd -in f.t -inform t -outform p >ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp fff.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+#cmp f.t ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp f.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/tsid b/crypto/openssl/test/tsid
new file mode 100644
index 0000000..9e08545
--- /dev/null
+++ b/crypto/openssl/test/tsid
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl sess_id'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testsid.pem
+fi
+
+echo testing session-id conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in fff.p -inform p -outform t >f.t
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> d"
+#$cmd -in f.t -inform t -outform d >ff.d2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+#echo "d -> t"
+#$cmd -in f.d -inform d -outform t >ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#echo "t -> t"
+#$cmd -in f.t -inform t -outform t >ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#echo "p -> t"
+#$cmd -in f.p -inform p -outform t >ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#echo "t -> p"
+#$cmd -in f.t -inform t -outform p >ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp fff.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+#cmp f.t ff.t1
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t2
+#if [ $? != 0 ]; then exit 1; fi
+#cmp f.t ff.t3
+#if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+#cmp f.p ff.p2
+#if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/tx509 b/crypto/openssl/test/tx509
new file mode 100644
index 0000000..35169f3
--- /dev/null
+++ b/crypto/openssl/test/tx509
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+PATH=../apps:$PATH
+export PATH
+
+cmd='../apps/openssl x509'
+
+if [ "$1"x != "x" ]; then
+	t=$1
+else
+	t=testx509.pem
+fi
+
+echo testing X509 conversions
+cp $t fff.p
+
+echo "p -> d"
+$cmd -in fff.p -inform p -outform d >f.d
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> n"
+$cmd -in fff.p -inform p -outform n >f.n
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in fff.p -inform p -outform p >f.p
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> d"
+$cmd -in f.d -inform d -outform d >ff.d1
+if [ $? != 0 ]; then exit 1; fi
+echo "n -> d"
+$cmd -in f.n -inform n -outform d >ff.d2
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> d"
+$cmd -in f.p -inform p -outform d >ff.d3
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> n"
+$cmd -in f.d -inform d -outform n >ff.n1
+if [ $? != 0 ]; then exit 1; fi
+echo "n -> n"
+$cmd -in f.n -inform n -outform n >ff.n2
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> n"
+$cmd -in f.p -inform p -outform n >ff.n3
+if [ $? != 0 ]; then exit 1; fi
+
+echo "d -> p"
+$cmd -in f.d -inform d -outform p >ff.p1
+if [ $? != 0 ]; then exit 1; fi
+echo "n -> p"
+$cmd -in f.n -inform n -outform p >ff.p2
+if [ $? != 0 ]; then exit 1; fi
+echo "p -> p"
+$cmd -in f.p -inform p -outform p >ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp fff.p f.p
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p2
+if [ $? != 0 ]; then exit 1; fi
+cmp fff.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp f.n ff.n1
+if [ $? != 0 ]; then exit 1; fi
+cmp f.n ff.n2
+if [ $? != 0 ]; then exit 1; fi
+cmp f.n ff.n3
+if [ $? != 0 ]; then exit 1; fi
+
+cmp f.p ff.p1
+if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p2
+if [ $? != 0 ]; then exit 1; fi
+cmp f.p ff.p3
+if [ $? != 0 ]; then exit 1; fi
+
+/bin/rm -f f.* ff.* fff.*
+exit 0
diff --git a/crypto/openssl/test/v3-cert1.pem b/crypto/openssl/test/v3-cert1.pem
new file mode 100644
index 0000000..0da253d
--- /dev/null
+++ b/crypto/openssl/test/v3-cert1.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx
+NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz
+dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw
+ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
+ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2
+ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp
+miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C
+AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
+Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
+DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR
+MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB
+AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21
+X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3
+WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/test/v3-cert2.pem b/crypto/openssl/test/v3-cert2.pem
new file mode 100644
index 0000000..de0723f
--- /dev/null
+++ b/crypto/openssl/test/v3-cert2.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD
+YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0
+ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu
+dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1
+WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV
+BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx
+FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+6ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT
+G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ
+YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm
+b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc
+F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz
+lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap
+jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/times/090/586-100.nt b/crypto/openssl/times/090/586-100.nt
new file mode 100644
index 0000000..297ec3e
--- /dev/null
+++ b/crypto/openssl/times/090/586-100.nt
@@ -0,0 +1,32 @@
+SSLeay 0.9.0 08-Apr-1998
+built on Wed Apr  8 12:47:17 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
+ptr2)
+C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
+-DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 92.25k      256.80k      347.01k      380.40k      390.31k
+mdc2               240.72k      251.10k      252.00k      250.80k      251.40k
+md5               1013.61k     5651.94k    11831.61k    16294.89k    17901.43k
+hmac(md5)          419.50k     2828.07k     7770.11k    13824.34k    17091.70k
+sha1               524.31k     2721.45k     5216.15k     6766.10k     7308.42k
+rmd160             462.09k     2288.59k     4260.77k     5446.44k     5841.65k
+rc4               7895.90k    10326.73k    10555.43k    10728.22k    10429.44k
+des cbc           2036.86k     2208.92k     2237.68k     2237.20k     2181.35k
+des ede3           649.92k      739.42k      749.07k      748.86k      738.27k
+idea cbc           823.19k      885.10k      894.92k      896.45k      891.87k
+rc2 cbc            792.63k      859.00k      867.45k      868.96k      865.30k
+rc5-32/12 cbc     3502.26k     4026.79k     4107.23k     4121.76k     4073.72k
+blowfish cbc      3752.96k     4026.79k     4075.31k     3965.87k     3892.26k
+cast cbc          2566.27k     2807.43k     2821.79k     2792.48k     2719.34k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0179s   0.0020s     56.0    501.7
+rsa 1024 bits   0.0950s   0.0060s     10.5    166.6
+rsa 2048 bits   0.6299s   0.0209s      1.6     47.8
+rsa 4096 bits   4.5870s   0.0787s      0.2     12.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0180s   0.0339s     55.6     29.5
+dsa 1024 bits   0.0555s   0.1076s     18.0      9.3
+dsa 2048 bits   0.1971s   0.3918s      5.1      2.6
+
diff --git a/crypto/openssl/times/091/486-50.nt b/crypto/openssl/times/091/486-50.nt
new file mode 100644
index 0000000..84820d9
--- /dev/null
+++ b/crypto/openssl/times/091/486-50.nt
@@ -0,0 +1,30 @@
+486-50 NT 4.0
+
+SSLeay 0.9.1a 06-Jul-1998
+built on Sat Jul 18 18:03:20 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 28.77k       80.30k      108.50k      118.98k      122.47k
+mdc2                51.52k       54.06k       54.54k       54.65k       54.62k
+md5                304.39k     1565.04k     3061.54k     3996.10k     4240.10k
+hmac(md5)          119.53k      793.23k     2061.29k     3454.95k     4121.76k
+sha1               127.51k      596.93k     1055.54k     1313.84k     1413.18k
+rmd160             128.50k      572.49k     1001.03k     1248.01k     1323.63k
+rc4               1224.40k     1545.11k     1590.29k     1600.20k     1576.90k
+des cbc            448.19k      503.45k      512.30k      513.30k      508.23k
+des ede3           148.66k      162.48k      163.68k      163.94k      164.24k
+idea cbc           194.18k      211.10k      212.99k      213.18k      212.64k
+rc2 cbc            245.78k      271.01k      274.12k      274.38k      273.52k
+rc5-32/12 cbc     1252.48k     1625.20k     1700.03k     1711.12k     1677.18k
+blowfish cbc       725.16k      828.26k      850.01k      846.99k      833.79k
+cast cbc           643.30k      717.22k      739.48k      741.57k      735.33k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0904s   0.0104s     11.1     96.2
+rsa 1024 bits   0.5968s   0.0352s      1.7     28.4
+rsa 2048 bits   3.8860s   0.1017s      0.3      9.8
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.1006s   0.1249s      9.9      8.0
+dsa 1024 bits   0.3306s   0.4093s      3.0      2.4
+dsa 2048 bits   0.9454s   1.1707s      1.1      0.9
diff --git a/crypto/openssl/times/091/586-100.lnx b/crypto/openssl/times/091/586-100.lnx
new file mode 100644
index 0000000..92892a6
--- /dev/null
+++ b/crypto/openssl/times/091/586-100.lnx
@@ -0,0 +1,32 @@
+Pentium 100mhz, linux
+
+SSLeay 0.9.0a 14-Apr-1998
+built on Fri Apr 17 08:47:07 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 56.65k      153.88k      208.47k      229.03k      237.57k
+mdc2               189.59k      204.95k      206.93k      208.90k      209.56k
+md5               1019.48k     5882.41k    12085.42k    16376.49k    18295.47k
+hmac(md5)          415.86k     2887.85k     7891.29k    13894.66k    17446.23k
+sha1               540.68k     2791.96k     5289.30k     6813.01k     7432.87k
+rmd160             298.37k     1846.87k     3869.10k     5273.94k     5892.78k
+rc4               7870.87k    10438.10k    10857.13k    10729.47k    10788.86k
+des cbc           1960.60k     2226.37k     2241.88k     2054.83k     2181.80k
+des ede3           734.44k      739.69k      779.43k      750.25k      772.78k
+idea cbc           654.07k      711.00k      716.89k      718.51k      720.90k
+rc2 cbc            648.83k      701.91k      708.61k      708.95k      709.97k
+rc5-32/12 cbc     3504.71k     4054.76k     4131.41k     4105.56k     4134.23k
+blowfish cbc      3762.25k     4313.79k     4460.54k     4356.78k     4317.18k
+cast cbc          2755.01k     3038.91k     3076.44k     3027.63k     2998.27k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0195s   0.0019s     51.4    519.9
+rsa 1024 bits   0.1000s   0.0059s     10.0    168.2
+rsa 2048 bits   0.6406s   0.0209s      1.6     47.8
+rsa 4096 bits   4.6100s   0.0787s      0.2     12.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0188s   0.0360s     53.1     27.8
+dsa 1024 bits   0.0570s   0.1126s     17.5      8.9
+dsa 2048 bits   0.1990s   0.3954s      5.0      2.5
+
diff --git a/crypto/openssl/times/091/68000.bsd b/crypto/openssl/times/091/68000.bsd
new file mode 100644
index 0000000..a3a14e8
--- /dev/null
+++ b/crypto/openssl/times/091/68000.bsd
@@ -0,0 +1,32 @@
+Motorolla 68020 20mhz, NetBSD
+
+SSLeay 0.9.0t 29-May-1998
+built on Fri Jun  5 12:42:23 EST 1998
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,16,long) idea(int) blowfish(idx) 
+C flags:gcc -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               2176.00      5994.67      8079.73      8845.18      9077.01 
+mdc2              5730.67      6122.67      6167.66      6176.51      6174.87 
+md5                 29.10k      127.31k      209.66k      250.50k      263.99k
+hmac(md5)           12.33k       73.02k      160.17k      228.04k      261.15k
+sha1                11.27k       49.37k       84.31k      102.40k      109.23k
+rmd160              11.69k       48.62k       78.76k       93.15k       98.41k
+rc4                117.96k      148.94k      152.57k      153.09k      152.92k
+des cbc             27.13k       30.06k       30.38k       30.38k       30.53k
+des ede3            10.51k       10.94k       11.01k       11.01k       11.01k
+idea cbc            26.74k       29.23k       29.45k       29.60k       29.74k
+rc2 cbc             34.27k       39.39k       40.03k       40.07k       40.16k
+rc5-32/12 cbc       64.31k       83.18k       85.70k       86.70k       87.09k
+blowfish cbc        48.86k       59.18k       60.07k       60.42k       60.78k
+cast cbc            42.67k       50.01k       50.86k       51.20k       51.37k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.7738s   0.0774s      1.3     12.9
+rsa 1024 bits   4.3967s   0.2615s      0.2      3.8
+rsa 2048 bits  29.5200s   0.9664s      0.0      1.0
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.7862s   0.9709s      1.3      1.0
+dsa 1024 bits   2.5375s   3.1625s      0.4      0.3
+dsa 2048 bits   9.2150s  11.8200s      0.1      0.1
+
+
diff --git a/crypto/openssl/times/091/686-200.lnx b/crypto/openssl/times/091/686-200.lnx
new file mode 100644
index 0000000..bb857d4
--- /dev/null
+++ b/crypto/openssl/times/091/686-200.lnx
@@ -0,0 +1,32 @@
+Pentium Pro 200mhz, linux
+
+SSLeay 0.9.0d 26-Apr-1998
+built on Sun Apr 26 10:25:33 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                130.58k      364.54k      499.24k      545.79k      561.66k
+mdc2               526.68k      579.72k      588.37k      588.80k      589.82k
+md5               1917.71k    11434.69k    22512.21k    29495.30k    32677.89k
+hmac(md5)          749.18k     5264.83k    14227.20k    25018.71k    31760.38k
+sha1              1343.83k     6436.29k    11702.78k    14664.70k    15829.67k
+rmd160            1038.05k     5138.77k     8985.51k    10985.13k    11799.21k
+rc4              14891.04k    21334.06k    22376.79k    22579.54k    22574.42k
+des cbc           4131.97k     4568.31k     4645.29k     4631.21k     4572.73k
+des ede3          1567.17k     1631.13k     1657.32k     1653.08k     1643.86k
+idea cbc          2427.23k     2671.21k     2716.67k     2723.84k     2733.40k
+rc2 cbc           1629.90k     1767.38k     1788.50k     1797.12k     1799.51k
+rc5-32/12 cbc    10290.55k    13161.60k    13744.55k    14011.73k    14123.01k
+blowfish cbc      5896.42k     6920.77k     7122.01k     7151.62k     7146.15k
+cast cbc          6037.71k     6935.19k     7101.35k     7145.81k     7116.12k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0070s   0.0007s    142.6   1502.9
+rsa 1024 bits   0.0340s   0.0019s     29.4    513.3
+rsa 2048 bits   0.2087s   0.0066s      4.8    151.3
+rsa 4096 bits   1.4700s   0.0242s      0.7     41.2
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0064s   0.0121s    156.1     82.9
+dsa 1024 bits   0.0184s   0.0363s     54.4     27.5
+dsa 2048 bits   0.0629s   0.1250s     15.9      8.0
+
diff --git a/crypto/openssl/times/091/alpha064.osf b/crypto/openssl/times/091/alpha064.osf
new file mode 100644
index 0000000..a8e7fdf
--- /dev/null
+++ b/crypto/openssl/times/091/alpha064.osf
@@ -0,0 +1,32 @@
+Alpha EV4.5 (21064) 275mhz, OSF1 V4.0
+SSLeay 0.9.0g 01-May-1998
+built on Mon May  4 17:26:09 CST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx) 
+C flags:cc -tune host -O4 -readonly_strings
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                119.58k      327.48k      443.28k      480.09k      495.16k
+mdc2               436.67k      456.35k      465.42k      466.57k      469.01k
+md5               1459.34k     6566.46k    11111.91k    13375.30k    14072.60k
+hmac(md5)          597.90k     3595.45k     8180.88k    12099.49k    13884.46k
+sha1               707.01k     3253.09k     6131.73k     7798.23k     8439.67k
+rmd160             618.57k     2729.07k     4711.33k     5825.16k     6119.23k
+rc4               8796.43k     9393.62k     9548.88k     9378.77k     9472.57k
+des cbc           2165.97k     2514.90k     2586.27k     2572.93k     2639.08k
+des ede3           945.44k     1004.03k     1005.96k     1017.33k     1020.85k
+idea cbc          1498.81k     1629.11k     1637.28k     1625.50k     1641.11k
+rc2 cbc           1866.00k     2044.92k     2067.12k     2064.00k     2068.96k
+rc5-32/12 cbc     4366.97k     5521.32k     5687.50k     5729.16k     5736.96k
+blowfish cbc      3997.31k     4790.60k     4937.84k     4954.56k     5024.85k
+cast cbc          2900.19k     3673.30k     3803.73k     3823.93k     3890.25k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0069s   0.0006s    144.2   1545.8
+rsa 1024 bits   0.0304s   0.0018s     32.9    552.6
+rsa 2048 bits   0.1887s   0.0062s      5.3    161.4
+rsa 4096 bits   1.3667s   0.0233s      0.7     42.9
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0067s   0.0123s    149.6     81.1
+dsa 1024 bits   0.0177s   0.0332s     56.6     30.1
+dsa 2048 bits   0.0590s   0.1162s     16.9      8.6
+
+
diff --git a/crypto/openssl/times/091/alpha164.lnx b/crypto/openssl/times/091/alpha164.lnx
new file mode 100644
index 0000000..c994662
--- /dev/null
+++ b/crypto/openssl/times/091/alpha164.lnx
@@ -0,0 +1,32 @@
+Alpha EV5.6 (21164A) 533mhz, Linux 2.0.32
+
+SSLeay 0.9.0p 22-May-1998
+built on Sun May 27 14:23:38 GMT 2018
+options:bn(64,64) md2(int) rc4(ptr,int) des(idx,risc1,16,long) idea(int) blowfish(idx) 
+C flags:gcc -O3
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                295.78k      825.34k     1116.42k     1225.10k     1262.65k
+mdc2               918.16k     1017.55k     1032.18k     1034.24k     1035.60k
+md5               3574.93k    15517.05k    25482.67k    30434.31k    32210.51k
+hmac(md5)         1261.54k     7757.15k    18025.46k    27081.21k    31653.27k
+sha1              2251.89k    10056.84k    16990.19k    20651.04k    21973.29k
+rmd160            1615.49k     7017.13k    11601.11k    13875.62k    14690.31k
+rc4              22435.16k    24476.40k    24349.95k    23042.36k    24581.53k
+des cbc           5198.38k     6559.04k     6775.43k     6827.87k     6875.82k
+des ede3          2257.73k     2602.18k     2645.60k     2657.12k     2670.59k
+idea cbc          3694.42k     4125.61k     4180.74k     4193.28k     4192.94k
+rc2 cbc           4642.47k     5323.85k     5415.42k     5435.86k     5434.03k
+rc5-32/12 cbc     9705.26k    13277.79k    13843.46k    13989.66k    13987.57k
+blowfish cbc      7861.28k    10852.34k    11447.98k    11616.97k    11667.54k
+cast cbc          6718.13k     8599.98k     8967.17k     9070.81k     9099.28k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0018s   0.0002s    555.9   6299.5
+rsa 1024 bits   0.0081s   0.0005s    123.3   2208.7
+rsa 2048 bits   0.0489s   0.0015s     20.4    648.5
+rsa 4096 bits   0.3402s   0.0057s      2.9    174.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0019s   0.0032s    529.0    310.2
+dsa 1024 bits   0.0047s   0.0086s    214.1    115.7
+dsa 2048 bits   0.0150s   0.0289s     66.7     34.6
+
diff --git a/crypto/openssl/times/091/alpha164.osf b/crypto/openssl/times/091/alpha164.osf
new file mode 100644
index 0000000..df712c6
--- /dev/null
+++ b/crypto/openssl/times/091/alpha164.osf
@@ -0,0 +1,31 @@
+Alpha EV5.6 (21164A) 400mhz, OSF1 V4.0
+
+SSLeay 0.9.0 10-Apr-1998
+built on Sun Apr 19 07:54:37 EST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) idea(int) blowfish(idx) 
+C flags:cc -O4 -tune host -fast
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                276.30k      762.07k     1034.35k     1134.07k     1160.53k
+mdc2               814.99k      845.83k      849.09k      850.33k      849.24k
+md5               2468.43k    10945.27k    17963.48k    21430.89k    22544.38k
+hmac(md5)         1002.48k     6023.98k    13430.99k    19344.17k    22351.80k
+sha1              1984.93k     8882.47k    14856.47k    17878.70k    18955.10k
+rmd160            1286.96k     5595.52k     9167.00k    10957.74k    11582.30k
+rc4              15948.15k    16710.29k    16793.20k    17929.50k    18474.56k
+des cbc           3416.04k     4149.37k     4296.25k     4328.89k     4327.57k
+des ede3          1540.14k     1683.36k     1691.14k     1705.90k     1705.22k
+idea cbc          2795.87k     3192.93k     3238.13k     3238.17k     3256.66k
+rc2 cbc           3529.00k     4069.93k     4135.79k     4135.25k     4160.07k
+rc5-32/12 cbc     7212.35k     9849.71k    10260.91k    10423.38k    10439.99k
+blowfish cbc      6061.75k     8363.50k     8706.80k     8779.40k     8784.55k
+cast cbc          5401.75k     6433.31k     6638.18k     6662.40k     6702.80k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0022s   0.0002s    449.6   4916.2
+rsa 1024 bits   0.0105s   0.0006s     95.3   1661.2
+rsa 2048 bits   0.0637s   0.0020s     15.7    495.6
+rsa 4096 bits   0.4457s   0.0075s      2.2    132.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0028s   0.0048s    362.2    210.4
+dsa 1024 bits   0.0064s   0.0123s    155.2     81.6
+dsa 2048 bits   0.0201s   0.0394s     49.7     25.4
diff --git a/crypto/openssl/times/091/mips-rel.pl b/crypto/openssl/times/091/mips-rel.pl
new file mode 100644
index 0000000..4b25093
--- /dev/null
+++ b/crypto/openssl/times/091/mips-rel.pl
@@ -0,0 +1,21 @@
+#!/usr/local/bin/perl
+
+&doit(100,"Pentium   100 32",0.0195,0.1000,0.6406,4.6100);	# pentium-100
+&doit(200,"PPro      200 32",0.0070,0.0340,0.2087,1.4700);	# pentium-100
+&doit( 25,"R3000      25 32",0.0860,0.4825,3.2417,23.8833);	# R3000-25
+&doit(200,"R4400     200 32",0.0137,0.0717,0.4730,3.4367);	# R4400 32bit
+&doit(180,"R10000    180 32",0.0061,0.0311,0.1955,1.3871);	# R10000 32bit
+&doit(180,"R10000    180 64",0.0034,0.0149,0.0880,0.5933);	# R10000 64bit
+&doit(400,"DEC 21164 400 64",0.0022,0.0105,0.0637,0.4457);	# R10000 64bit
+
+sub doit
+	{
+	local($mhz,$label,@data)=@_;
+
+	for ($i=0; $i <= $#data; $i++)
+		{
+		$data[$i]=1/$data[$i]*200/$mhz;
+		}
+	printf("%s %6.1f %6.1f %6.1f %6.1f\n",$label,@data);
+	}
+
diff --git a/crypto/openssl/times/091/r10000.irx b/crypto/openssl/times/091/r10000.irx
new file mode 100644
index 0000000..237ee5d
--- /dev/null
+++ b/crypto/openssl/times/091/r10000.irx
@@ -0,0 +1,37 @@
+MIPS R10000 32kI+32kD 180mhz, IRIX 6.4
+
+Using crypto/bn/mips3.s
+
+This is built for n32, which is faster for all benchmarks than the n64
+compilation model
+
+SSLeay 0.9.0b 19-Apr-1998
+built on Sat Apr 25 12:43:14 EST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
+C flags:cc -use_readonly_const -O2 -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                126.38k      349.38k      472.67k      517.01k      529.81k
+mdc2               501.64k      545.87k      551.80k      553.64k      554.41k
+md5               1825.77k     7623.64k    12630.47k    15111.74k    16012.09k
+hmac(md5)          780.81k     4472.86k     9667.22k    13802.67k    15777.89k
+sha1              1375.52k     6213.91k    11037.30k    13682.01k    14714.09k
+rmd160             856.72k     3454.40k     5598.33k     6689.94k     7073.48k
+rc4              11260.93k    13311.50k    13360.05k    13322.17k    13364.39k
+des cbc           2770.78k     3055.42k     3095.18k     3092.48k     3103.03k
+des ede3          1023.22k     1060.58k     1063.81k     1070.37k     1064.54k
+idea cbc          3029.09k     3334.30k     3375.29k     3375.65k     3380.64k
+rc2 cbc           2307.45k     2470.72k     2501.25k     2500.68k     2500.55k
+rc5-32/12 cbc     6770.91k     8629.89k     8909.58k     9009.64k     9044.95k
+blowfish cbc      4796.53k     5598.20k     5717.14k     5755.11k     5749.86k
+cast cbc          3986.20k     4426.17k     4465.04k     4476.84k     4475.08k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0034s   0.0003s    296.1   3225.4
+rsa 1024 bits   0.0139s   0.0008s     71.8   1221.8
+rsa 2048 bits   0.0815s   0.0026s     12.3    380.3
+rsa 4096 bits   0.5656s   0.0096s      1.8    103.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0034s   0.0061s    290.8    164.9
+dsa 1024 bits   0.0084s   0.0161s    119.1     62.3
+dsa 2048 bits   0.0260s   0.0515s     38.5     19.4
+
diff --git a/crypto/openssl/times/091/r3000.ult b/crypto/openssl/times/091/r3000.ult
new file mode 100644
index 0000000..ecd3390
--- /dev/null
+++ b/crypto/openssl/times/091/r3000.ult
@@ -0,0 +1,32 @@
+MIPS R3000 64kI+64kD 25mhz, ultrix 4.3
+
+SSLeay 0.9.0b 19-Apr-1998
+built on Thu Apr 23 07:22:31 EST 1998
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(idx) 
+C flags:cc -O2 -DL_ENDIAN -DNOPROTO -DNOCONST
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 14.63k       40.65k       54.70k       60.07k       61.78k
+mdc2                29.43k       37.27k       38.23k       38.57k       38.60k
+md5                140.04k      676.59k     1283.84k     1654.10k     1802.24k
+hmac(md5)           60.51k      378.90k      937.82k     1470.46k     1766.74k
+sha1                60.77k      296.79k      525.40k      649.90k      699.05k
+rmd160              48.82k      227.16k      417.19k      530.31k      572.05k
+rc4                904.76k      996.20k     1007.53k     1015.65k     1010.35k
+des cbc            178.87k      209.39k      213.42k      215.55k      214.53k
+des ede3            74.25k       79.30k       80.40k       80.21k       80.14k
+idea cbc           181.02k      209.37k      214.44k      214.36k      213.83k
+rc2 cbc            161.52k      184.98k      187.99k      188.76k      189.05k
+rc5-32/12 cbc      398.99k      582.91k      614.66k      626.07k      621.87k
+blowfish cbc       296.38k      387.69k      405.50k      412.57k      410.05k
+cast cbc           214.76k      260.63k      266.92k      268.63k      258.26k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0870s   0.0089s     11.5    112.4
+rsa 1024 bits   0.4881s   0.0295s      2.0     33.9
+rsa 2048 bits   3.2750s   0.1072s      0.3      9.3
+rsa 4096 bits  23.9833s   0.4093s      0.0      2.4
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0898s   0.1706s     11.1      5.9
+dsa 1024 bits   0.2847s   0.5565s      3.5      1.8
+dsa 2048 bits   1.0267s   2.0433s      1.0      0.5
+
diff --git a/crypto/openssl/times/091/r4400.irx b/crypto/openssl/times/091/r4400.irx
new file mode 100644
index 0000000..9b96ca1
--- /dev/null
+++ b/crypto/openssl/times/091/r4400.irx
@@ -0,0 +1,32 @@
+R4400 16kI+16kD 200mhz, Irix 5.3
+
+SSLeay 0.9.0e 27-Apr-1998
+built on Sun Apr 26 07:26:05 PDT 1998
+options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
+C flags:cc -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 79.80k      220.59k      298.01k      327.06k      338.60k
+mdc2               262.74k      285.30k      289.16k      288.36k      288.49k
+md5                930.35k     4167.13k     7167.91k     8678.23k     9235.86k
+hmac(md5)          399.44k     2367.57k     5370.74k     7884.28k     9076.98k
+sha1               550.96k     2488.17k     4342.76k     5362.50k     5745.40k
+rmd160             424.58k     1752.83k     2909.67k     3486.08k     3702.89k
+rc4               6687.79k     7834.63k     7962.61k     8035.65k     7915.28k
+des cbc           1544.20k     1725.94k     1748.35k     1758.17k     1745.61k
+des ede3           587.29k      637.75k      645.93k      643.17k      646.01k
+idea cbc          1575.52k     1719.75k     1732.41k     1736.69k     1740.11k
+rc2 cbc           1496.21k     1629.90k     1643.19k     1652.14k     1646.62k
+rc5-32/12 cbc     3452.48k     4276.47k     4390.74k     4405.25k     4400.12k
+blowfish cbc      2354.58k     3242.36k     3401.11k     3433.65k     3383.65k
+cast cbc          1942.22k     2152.28k     2187.51k     2185.67k     2177.20k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0130s   0.0014s     76.9    729.8
+rsa 1024 bits   0.0697s   0.0043s     14.4    233.9
+rsa 2048 bits   0.4664s   0.0156s      2.1     64.0
+rsa 4096 bits   3.4067s   0.0586s      0.3     17.1
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0140s   0.0261s     71.4     38.4
+dsa 1024 bits   0.0417s   0.0794s     24.0     12.6
+dsa 2048 bits   0.1478s   0.2929s      6.8      3.4
+
diff --git a/crypto/openssl/times/100.lnx b/crypto/openssl/times/100.lnx
new file mode 100644
index 0000000..d0f4537
--- /dev/null
+++ b/crypto/openssl/times/100.lnx
@@ -0,0 +1,32 @@
+SSLeay 0.8.4c 03-Aug-1999
+built on Tue Nov  4 02:52:29 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                53.27k      155.95k      201.30k      216.41k      236.78k
+mdc2              192.98k      207.98k      206.76k      206.17k      208.87k
+md5               993.15k     5748.27k    11944.70k    16477.53k    18287.27k
+hmac(md5)         404.97k     2787.58k     7690.07k    13744.43k    17601.88k
+sha1              563.24k     2851.67k     5363.71k     6879.23k     7441.07k
+rc4              7876.70k    10400.85k    10825.90k    10943.49k    10745.17k
+des cbc          2047.39k     2188.25k     2188.29k     2239.49k     2233.69k
+des ede3          660.55k      764.01k      773.55k      779.21k      780.97k
+idea cbc          653.93k      708.48k      715.43k      719.87k      720.90k
+rc2 cbc           648.08k      702.23k      708.78k      711.00k      709.97k
+blowfish cbc     3764.39k     4288.66k     4375.04k     4497.07k     4423.68k
+cast cbc         2757.14k     2993.75k     3035.31k     3078.90k     3055.62k
+
+blowfish cbc     3258.81k     3673.47k     3767.30k     3774.12k     3719.17k
+cast cbc         2677.05k     3164.78k     3273.05k     3287.38k     3244.03k
+
+
+                  sign    verify
+rsa  512 bits   0.0213s   0.0020s
+rsa 1024 bits   0.1073s   0.0063s
+rsa 2048 bits   0.6873s   0.0224s
+rsa 4096 bits   4.9333s   0.0845s
+                  sign    verify
+dsa  512 bits   0.0201s   0.0385s
+dsa 1024 bits   0.0604s   0.1190s
+dsa 2048 bits   0.2121s   0.4229s
diff --git a/crypto/openssl/times/100.nt b/crypto/openssl/times/100.nt
new file mode 100644
index 0000000..0dd7cfc
--- /dev/null
+++ b/crypto/openssl/times/100.nt
@@ -0,0 +1,29 @@
+SSLeay 0.8.4c 03-Aug-1999
+built on Tue Aug  3 09:49:58 EST 1999
+options:bn(64,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(
+ptr2)
+C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN
+_ASM -DMD5_ASM -DSHA1_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                93.07k      258.38k      349.03k      382.83k      392.87k
+mdc2              245.80k      259.02k      259.34k      259.16k      260.14k
+md5              1103.42k     6017.65k    12210.49k    16552.11k    18291.77k
+hmac(md5)         520.15k     3394.00k     8761.86k    14593.96k    17742.40k
+sha1              538.06k     2726.76k     5242.22k     6821.12k     7426.18k
+rc4              8283.90k    10513.09k    10886.38k    10929.50k    10816.75k
+des cbc          2073.10k     2232.91k     2251.61k     2256.46k     2232.44k
+des ede3          758.85k      782.46k      786.14k      786.08k      781.24k
+idea cbc          831.02k      892.63k      901.07k      903.48k      901.85k
+rc2 cbc           799.89k      866.09k      873.96k      876.22k      874.03k
+blowfish cbc     3835.32k     4418.78k     4511.94k     4494.54k     4416.92k
+cast cbc         2974.68k     3272.71k     3313.04k     3335.17k     3261.51k
+                  sign    verify
+rsa  512 bits   0.0202s   0.0019s
+rsa 1024 bits   0.1029s   0.0062s
+rsa 2048 bits   0.6770s   0.0220s
+rsa 4096 bits   4.8770s   0.0838s
+                  sign    verify
+dsa  512 bits   0.0191s   0.0364s
+dsa 1024 bits   0.0590s   0.1141s
+dsa 2048 bits   0.2088s   0.4171s
diff --git a/crypto/openssl/times/200.lnx b/crypto/openssl/times/200.lnx
new file mode 100644
index 0000000..fd7e7f4
--- /dev/null
+++ b/crypto/openssl/times/200.lnx
@@ -0,0 +1,30 @@
+This machine was slightly loaded :-(
+
+SSLeay 0.8.4c 03-Aug-1999
+built on Tue Nov  4 02:52:29 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               130.86k      365.31k      499.60k      547.75k      561.41k
+mdc2              526.03k      581.38k      587.12k      586.31k      589.60k
+md5              1919.49k    11173.23k    22387.60k    29553.47k    32587.21k
+hmac(md5)         747.09k     5248.35k    14275.44k    24713.26k    31737.13k
+sha1             1336.63k     6400.50k    11668.67k    14648.83k    15700.85k
+rc4             15002.32k    21327.21k    22301.63k    22503.78k    22549.26k
+des cbc          4115.16k     4521.08k     4632.37k     4607.28k     4570.57k
+des ede3         1540.29k     1609.76k     1623.64k     1620.76k     1624.18k
+idea cbc         2405.08k     2664.78k     2704.22k     2713.95k     2716.29k
+rc2 cbc          1634.07k     1764.30k     1780.23k     1790.27k     1788.12k
+blowfish cbc     5993.98k     6927.27k     7083.61k     7088.40k     7123.72k
+cast cbc         5981.52k     6900.44k     7079.70k     7110.40k     7057.72k
+                  sign    verify
+rsa  512 bits   0.0085s   0.0007s
+rsa 1024 bits   0.0377s   0.0020s
+rsa 2048 bits   0.2176s   0.0067s
+rsa 4096 bits   1.4800s   0.0242s
+sign    verify
+dsa  512 bits   0.0071s   0.0132s
+dsa 1024 bits   0.0192s   0.0376s
+dsa 2048 bits   0.0638s   0.1280s
+
diff --git a/crypto/openssl/times/486-66.dos b/crypto/openssl/times/486-66.dos
new file mode 100644
index 0000000..1644bf8
--- /dev/null
+++ b/crypto/openssl/times/486-66.dos
@@ -0,0 +1,22 @@
+MS-dos static libs, 16bit C build, 16bit assember
+
+SSLeay 0.6.1
+options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
+C flags:cl /ALw /Gx- /Gf /f- /Ocgnotb2 /G2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -D
+NO_SOCK
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             18.62k       55.54k       76.88k       85.39k       86.52k
+md5             94.03k      442.06k      794.38k      974.51k     1061.31k
+sha             38.37k      166.23k      272.78k      331.41k      353.77k
+sha1            34.38k      147.77k      244.77k      292.57k      312.08k
+rc4            641.25k      795.34k      817.16k      829.57k      817.16k
+des cfb        111.46k      118.08k      120.69k      119.16k      119.37k
+des cbc        122.96k      135.69k      137.10k      135.69k      135.40k
+des ede3        48.01k       50.92k       50.32k       50.96k       50.96k
+idea cfb        97.09k      100.21k      100.36k      101.14k      100.98k
+idea cbc       102.08k      109.41k      111.46k      111.65k      110.52k
+rc2 cfb        120.47k      125.55k      125.79k      125.55k      125.55k
+rc2 cbc        129.77k      140.33k      143.72k      142.16k      141.85k
+rsa  512 bits   0.264s
+rsa 1024 bits   1.494s
diff --git a/crypto/openssl/times/486-66.nt b/crypto/openssl/times/486-66.nt
new file mode 100644
index 0000000..b26a900
--- /dev/null
+++ b/crypto/openssl/times/486-66.nt
@@ -0,0 +1,22 @@
+SSLeay 0.6.1 02-Jul-1996
+built on Fri Jul 10 09:53:15 EST 1996
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,long) idea(int)
+C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /nologo -DWIN32 -DL_ENDIAN /MD
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             38.27k      107.28k      145.43k      159.60k      164.15k
+md5            399.00k     1946.13k     3610.80k     4511.94k     4477.27k
+sha            182.04k      851.26k     1470.65k     1799.20k     1876.48k
+sha1           151.83k      756.55k     1289.76k     1567.38k     1625.70k
+rc4           1853.92k     2196.25k     2232.91k     2241.31k     2152.96k
+des cfb        360.58k      382.69k      384.94k      386.07k      377.19k
+des cbc        376.10k      431.87k      436.32k      437.78k      430.45k
+des ede3       152.55k      160.38k      161.51k      161.33k      159.98k
+idea cfb       245.59k      255.60k      256.65k      257.16k      254.61k
+idea cbc       257.16k      276.12k      279.05k      279.11k      276.70k
+rc2 cfb        280.25k      293.49k      294.74k      294.15k      291.47k
+rc2 cbc        295.47k      321.57k      324.76k      324.76k      320.00k
+rsa  512 bits   0.084s
+rsa 1024 bits   0.495s
+rsa 2048 bits   3.435s
+
diff --git a/crypto/openssl/times/486-66.w31 b/crypto/openssl/times/486-66.w31
new file mode 100644
index 0000000..381f149
--- /dev/null
+++ b/crypto/openssl/times/486-66.w31
@@ -0,0 +1,23 @@
+Windows 3.1 DLL's, 16 bit C with 32bit assember
+
+SSLeay 0.6.1 02-Jul-1996
+built on Wed Jul 10 09:53:15 EST 1996
+options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
+C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             18.94k       54.27k       73.43k       80.91k       83.75k
+md5             78.96k      391.26k      734.30k      919.80k      992.97k
+sha             39.01k      168.04k      280.67k      336.08k      359.10k
+sha1            35.20k      150.14k      247.31k      294.54k      313.94k
+rc4            509.61k      655.36k      678.43k      677.02k      670.10k
+des cfb         97.09k      104.69k      106.56k      105.70k      106.56k
+des cbc        116.82k      129.77k      131.07k      131.07k      131.07k
+des ede3        44.22k       47.90k       48.53k       48.47k       47.86k
+idea cfb        83.49k       87.03k       87.03k       87.15k       87.73k
+idea cbc        89.04k       96.23k       96.95k       97.81k       97.09k
+rc2 cfb        108.32k      113.58k      113.78k      114.57k      114.77k
+rc2 cbc        118.08k      131.07k      134.02k      134.02k      132.66k
+rsa  512 bits   0.181s
+rsa 1024 bits   0.846s
+
diff --git a/crypto/openssl/times/5.lnx b/crypto/openssl/times/5.lnx
new file mode 100644
index 0000000..1c1e392a
--- /dev/null
+++ b/crypto/openssl/times/5.lnx
@@ -0,0 +1,29 @@
+SSLeay 0.8.5g 24-Jan-1998
+built on Tue Jan 27 08:11:42 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 56.55k      156.69k      211.63k      231.77k      238.71k
+mdc2               192.26k      208.09k      210.09k      209.58k      210.26k
+md5                991.04k     5745.51k    11932.67k    16465.24k    18306.39k
+hmac(md5)          333.99k     2383.89k     6890.67k    13133.82k    17397.08k
+sha1               571.68k     2883.88k     5379.07k     6880.26k     7443.80k
+rmd160             409.41k     2212.91k     4225.45k     5456.55k     5928.28k
+rc4               6847.57k     8596.22k     8901.80k     8912.90k     8850.09k
+des cbc           2046.29k     2229.78k     2254.76k     2259.97k     2233.69k
+des ede3           751.11k      779.95k      783.96k      784.38k      780.97k
+idea cbc           653.40k      708.29k      718.42k      720.21k      720.90k
+rc2 cbc            647.19k      702.46k      709.21k      710.66k      709.97k
+rc5-32/12 cbc     3498.18k     4054.12k     4133.46k     4151.64k     4139.69k
+blowfish cbc      3763.95k     4437.74k     4532.74k     4515.50k     4448.26k
+cast cbc          2754.22k     3020.67k     3079.08k     3069.95k     3036.50k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0207s   0.0020s     48.3    511.3
+rsa 1024 bits   0.1018s   0.0059s      9.8    169.6
+rsa 2048 bits   0.6438s   0.0208s      1.6     48.0
+rsa 4096 bits   4.6033s   0.0793s      0.2     12.6
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0190s   0.0359s     52.6     27.8
+dsa 1024 bits   0.0566s   0.1109s     17.7      9.0
+dsa 2048 bits   0.1988s   0.3915s      5.0      2.6
diff --git a/crypto/openssl/times/586-085i.nt b/crypto/openssl/times/586-085i.nt
new file mode 100644
index 0000000..8a57975
--- /dev/null
+++ b/crypto/openssl/times/586-085i.nt
@@ -0,0 +1,29 @@
+SSLeay 0.8.5i 28-Jan-1998
+built on Wed Jan 28 18:00:07 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 92.74k      257.59k      348.16k      381.79k      392.14k
+mdc2               227.65k      247.82k      249.90k      250.65k      250.20k
+md5               1089.54k     5966.29k    12104.77k    16493.53k    18204.44k
+hmac(md5)          513.53k     3361.36k     8725.41k    14543.36k    17593.56k
+sha1               580.74k     2880.51k     5376.62k     6865.78k     7413.05k
+rmd160             508.06k     2427.96k     4385.51k     5510.84k     5915.80k
+rc4               8004.40k    10408.74k    10794.48k    10884.12k    10728.22k
+des cbc           2057.24k     2222.97k     2246.79k     2209.39k     2223.44k
+des ede3           739.42k      761.99k      765.48k      760.26k      760.97k
+idea cbc           827.08k      889.60k      898.83k      901.15k      897.98k
+rc2 cbc            795.64k      861.04k      871.13k      872.58k      871.13k
+rc5-32/12 cbc     3597.17k     4139.66k     4204.39k     4223.02k     4204.39k
+blowfish cbc      3807.47k     3996.10k     4156.07k     4204.39k     4105.62k
+cast cbc          2777.68k     2814.21k     2892.62k     2916.76k     2868.88k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0178s   0.0018s     56.3    541.6
+rsa 1024 bits   0.0945s   0.0059s     10.6    168.3
+rsa 2048 bits   0.6269s   0.0208s      1.6     48.0
+rsa 4096 bits   4.5560s   0.0784s      0.2     12.8
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0178s   0.0340s     56.2     29.4
+dsa 1024 bits   0.0552s   0.1077s     18.1      9.3
+dsa 2048 bits   0.1963s   0.3811s      5.1      2.6
diff --git a/crypto/openssl/times/586-100.LN3 b/crypto/openssl/times/586-100.LN3
new file mode 100644
index 0000000..a6fa818
--- /dev/null
+++ b/crypto/openssl/times/586-100.LN3
@@ -0,0 +1,26 @@
+SSLeay 0.8.3v 15-Oct-1997
+built on Wed Oct 15 10:05:00 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                56.27k      156.76k      211.46k      231.77k      238.71k
+mdc2              188.74k      206.12k      207.70k      207.87k      208.18k
+md5               991.56k     5718.31k    11748.61k    16090.79k    17850.37k
+hmac(md5)         387.56k     2636.01k     7327.83k    13340.33k    17091.24k
+sha1              463.55k     2274.18k     4071.17k     5072.90k     5447.68k
+rc4              3673.94k     4314.52k     4402.26k     4427.09k     4407.30k
+des cbc          2023.79k     2209.77k     2233.34k     2220.71k     2222.76k
+des ede3          747.17k      778.54k      781.57k      778.24k      778.24k
+idea cbc          614.64k      678.04k      683.52k      685.06k      685.40k
+rc2 cbc           536.83k      574.10k      578.05k      579.24k      578.90k
+blowfish cbc     3673.39k     4354.58k     4450.22k     4429.48k     4377.26k
+                  sign    verify
+rsa  512 bits   0.0217s   0.0021s
+rsa 1024 bits   0.1083s   0.0064s
+rsa 2048 bits   0.6867s   0.0223s
+rsa 4096 bits   4.9400s   0.0846s
+                  sign    verify
+dsa  512 bits   0.0203s   0.0387s
+dsa 1024 bits   0.0599s   0.1170s
+dsa 2048 bits   0.2115s   0.4242s
diff --git a/crypto/openssl/times/586-100.NT2 b/crypto/openssl/times/586-100.NT2
new file mode 100644
index 0000000..7f8c167
--- /dev/null
+++ b/crypto/openssl/times/586-100.NT2
@@ -0,0 +1,26 @@
+SSLeay 0.8.3e 30-Sep-1997
+built on Tue Sep 30 14:52:58 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DX86_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                92.99k      257.59k      348.16k      381.47k      392.14k
+mdc2              223.77k      235.30k      237.15k      236.77k      237.29k
+md5               862.53k     4222.17k     7842.75k     9925.00k    10392.23k
+sha               491.34k     2338.61k     4062.28k     4986.10k     5307.90k
+sha1              494.38k     2234.94k     3838.83k     4679.58k     4980.18k
+rc4              6338.10k     7489.83k     7676.25k     7698.80k     7631.56k
+des cbc          1654.17k     1917.66k     1961.05k     1968.05k     1960.69k
+des ede3          691.17k      739.42k      744.13k      745.82k      741.40k
+idea cbc          788.46k      870.33k      879.16k      881.38k      879.90k
+rc2 cbc           794.44k      859.63k      868.24k      869.68k      867.45k
+blowfish cbc     2379.88k     3017.48k     3116.12k     3134.76k     3070.50k
+                  sign    verify
+rsa  512 bits   0.0204s   0.0027s
+rsa 1024 bits   0.1074s   0.0032s
+rsa 2048 bits   0.6890s   0.0246s
+rsa 4096 bits   5.0180s   0.0911s
+                  sign    verify
+dsa  512 bits   0.0201s   0.0376s
+dsa 1024 bits   0.0608s   0.1193s
+dsa 2048 bits   0.2133s   0.4294s
diff --git a/crypto/openssl/times/586-100.dos b/crypto/openssl/times/586-100.dos
new file mode 100644
index 0000000..3085c256
--- /dev/null
+++ b/crypto/openssl/times/586-100.dos
@@ -0,0 +1,24 @@
+ms-dos static libs, 16 bit C and 16 bit assmber 
+
+SSLeay 0.6.1 02-Jul-1996
+built on Tue Jul  9 22:52:54 EST 1996
+options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
+C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -DNO_SOCK
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             45.99k      130.75k      176.53k      199.35k      203.21k
+md5            236.17k     1072.16k     1839.61k     2221.56k     2383.13k
+sha            107.97k      459.10k      757.64k      908.64k      954.99k
+sha1            96.95k      409.92k      672.16k      788.40k      844.26k
+rc4           1659.14k     1956.30k     2022.72k     2022.72k     2022.72k
+des cfb        313.57k      326.86k      326.86k      331.83k      326.86k
+des cbc        345.84k      378.82k      378.82k      384.38k      378.82k
+des ede3       139.59k      144.66k      144.61k      144.45k      143.29k
+idea cfb       262.67k      274.21k      274.21k      274.21k      274.21k
+idea cbc       284.32k      318.14k      318.14k      318.14k      318.14k
+rc2 cfb        265.33k      274.21k      277.69k      277.11k      277.69k
+rc2 cbc        283.71k      310.60k      309.86k      313.57k      314.32k
+rsa  512 bits   0.104s
+rsa 1024 bits   0.566s
+rsa 2048 bits   3.680s
+rsa 4096 bits  26.740s
diff --git a/crypto/openssl/times/586-100.ln4 b/crypto/openssl/times/586-100.ln4
new file mode 100644
index 0000000..14a9db9
--- /dev/null
+++ b/crypto/openssl/times/586-100.ln4
@@ -0,0 +1,26 @@
+SSLeay 0.8.3aa 24-Oct-1997
+built on Mon Oct 27 10:16:25 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                56.78k      156.71k      211.46k      231.77k      238.71k
+mdc2              187.45k      200.49k      201.64k      202.75k      202.77k
+md5              1002.51k     5798.66k    11967.15k    16449.19k    18251.78k
+hmac(md5)         468.71k     3173.46k     8386.99k    14305.56k    17607.34k
+sha1              586.98k     2934.87k     5393.58k     6863.19k     7408.30k
+rc4              3675.10k     4314.15k     4402.77k     4427.78k     4404.57k
+des cbc          1902.96k     2202.01k     2242.30k     2252.46k     2236.42k
+des ede3          700.15k      774.23k      783.70k      781.62k      783.70k
+idea cbc          618.46k      677.93k      683.61k      685.40k      685.40k
+rc2 cbc           536.97k      573.87k      577.96k      579.24k      578.90k
+blowfish cbc     3672.66k     4271.89k     4428.80k     4469.76k     4374.53k
+                  sign    verify
+rsa  512 bits   0.0213s   0.0021s
+rsa 1024 bits   0.1075s   0.0063s
+rsa 2048 bits   0.6853s   0.0224s
+rsa 4096 bits   4.9400s   0.0845s
+                  sign    verify
+dsa  512 bits   0.0203s   0.0380s
+dsa 1024 bits   0.0600s   0.1189s
+dsa 2048 bits   0.2110s   0.4250s
diff --git a/crypto/openssl/times/586-100.lnx b/crypto/openssl/times/586-100.lnx
new file mode 100644
index 0000000..0c05173
--- /dev/null
+++ b/crypto/openssl/times/586-100.lnx
@@ -0,0 +1,23 @@
+SSLeay 0.7.3 30-Apr-1997
+built on Mon May 12 04:13:55 EST 1997
+options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                72.95k      202.77k      274.01k      300.37k      309.23k
+md5               770.57k     4094.02k     7409.41k     9302.36k     9986.05k
+sha               363.05k     1571.07k     2613.85k     3134.81k     3320.49k
+sha1              340.94k     1462.85k     2419.20k     2892.12k     3042.35k
+rc4              3676.91k     4314.94k     4407.47k     4430.51k     4412.76k
+des cbc          1489.95k     1799.08k     1841.66k     1851.73k     1848.66k
+des ede3          621.93k      711.19k      726.10k      729.77k      729.09k
+idea cbc          618.16k      676.99k      683.09k      684.37k      683.59k
+rc2 cbc           537.59k      573.93k      578.56k      579.58k      579.70k
+blowfish cbc     2077.57k     2682.20k     2827.18k     2840.92k     2842.62k
+rsa  512 bits   0.024s   0.003
+rsa 1024 bits   0.120s   0.003
+rsa 2048 bits   0.751s   0.026
+rsa 4096 bits   5.320s   0.096
+dsa  512 bits   0.022s   0.042
+dsa 1024 bits   0.065s   0.126
+dsa 2048 bits   0.227s   0.449
diff --git a/crypto/openssl/times/586-100.nt b/crypto/openssl/times/586-100.nt
new file mode 100644
index 0000000..9adcac3
--- /dev/null
+++ b/crypto/openssl/times/586-100.nt
@@ -0,0 +1,23 @@
+SSLeay 0.7.3 30-Apr-1997
+built on Mon May 19 10:47:38 EST 1997
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags not available
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                89.57k      245.94k      331.59k      362.95k      373.29k
+md5               858.93k     4175.51k     7700.21k     9715.78k    10369.11k
+sha               466.18k     2103.67k     3607.69k     4399.31k     4669.16k
+sha1              449.59k     2041.02k     3496.13k     4256.45k     4512.92k
+rc4              5862.55k     7447.27k     7698.80k     7768.38k     7653.84k
+des cbc          1562.71k     1879.84k     1928.24k     1938.93k     1911.02k
+des ede3          680.27k      707.97k      728.62k      733.15k      725.98k
+idea cbc          797.46k      885.85k      895.68k      898.06k      896.45k
+rc2 cbc           609.46k      648.75k      654.01k      654.42k      653.60k
+blowfish cbc     2357.94k     3000.22k     3106.89k     3134.76k     3080.42k
+rsa  512 bits   0.022s   0.003
+rsa 1024 bits   0.112s   0.003
+rsa 2048 bits   0.726s   0.026
+rsa 4096 bits   5.268s   0.095
+dsa  512 bits   0.021s   0.039
+dsa 1024 bits   0.063s   0.127
+dsa 2048 bits   0.224s   0.451
diff --git a/crypto/openssl/times/586-100.ntx b/crypto/openssl/times/586-100.ntx
new file mode 100644
index 0000000..35166a5
--- /dev/null
+++ b/crypto/openssl/times/586-100.ntx
@@ -0,0 +1,30 @@
+SSLeay 0.8.5f 22-Jan-1998
+built on Wed Jan 21 17:11:53 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
+ptr2)
+C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
+-DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                92.99k      257.43k      347.84k      381.82k      392.14k
+mdc2              232.19k      253.68k      257.57k      258.70k      258.70k
+md5              1094.09k     5974.79k    12139.81k    16487.04k    18291.77k
+hmac(md5)         375.70k     2590.04k     7309.70k    13469.18k    17447.19k
+sha1              613.78k     2982.93k     5446.44k     6889.46k     7424.86k
+rmd160            501.23k     2405.68k     4367.25k     5503.61k     5915.80k
+rc4              8167.75k    10429.44k    10839.12k    10929.50k    10772.30k
+des cbc          2057.24k     2218.27k     2237.20k     2227.69k     2213.59k
+des ede3          719.63k      727.11k      728.77k      719.56k      722.97k
+idea cbc          827.67k      888.85k      898.06k      900.30k      898.75k
+rc2 cbc           797.46k      862.53k      870.33k      872.58k      870.40k
+blowfish cbc     3835.32k     4435.60k     4513.89k     4513.89k     4416.92k
+cast cbc         2785.06k     3052.62k     3088.59k     3034.95k     3034.95k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0202s   0.0020s     49.4    500.2
+rsa 1024 bits   0.1030s   0.0063s      9.7    159.4
+rsa 2048 bits   0.6740s   0.0223s      1.5     44.9
+rsa 4096 bits   4.8970s   0.0844s      0.2     11.8
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0191s   0.0361s     52.4     27.7
+dsa 1024 bits   0.0587s   0.1167s     17.0      8.6
+dsa 2048 bits   0.2091s   0.4123s      4.8      2.4
diff --git a/crypto/openssl/times/586-100.w31 b/crypto/openssl/times/586-100.w31
new file mode 100644
index 0000000..d5b1c10
--- /dev/null
+++ b/crypto/openssl/times/586-100.w31
@@ -0,0 +1,27 @@
+Pentium 100, Windows 3.1 DLL's, 16 bit C, 32bit assember.
+
+Running under Windows NT 4.0 Beta 2
+
+SSLeay 0.6.4 20-Aug-1996
+built on Thu Aug 22 08:44:21 EST 1996
+options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
+C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             45.83k      128.82k      180.17k      194.90k      198.59k
+md5            224.82k     1038.19k     1801.68k     2175.47k     2330.17k
+sha            105.11k      448.11k      739.48k      884.13k      944.66k
+sha1            94.71k      402.99k      667.88k      795.58k      844.26k
+rc4           1614.19k     1956.30k     2022.72k     2022.72k     2022.72k
+des cfb        291.27k      318.14k      318.14k      318.14k      322.84k
+des cbc        326.86k      356.17k      362.08k      362.08k      367.15k
+des ede3       132.40k      139.57k      139.53k      139.37k      140.97k
+idea cfb       265.33k      280.67k      280.67k      277.69k      281.27k
+idea cbc       274.21k      302.01k      306.24k      306.24k      305.53k
+rc2 cfb        264.79k      274.21k      274.78k      274.21k      274.21k
+rc2 cbc        281.27k      306.24k      309.86k      305.53k      309.86k
+rsa  512 bits   0.058s
+rsa 1024 bits   0.280s
+rsa 2048 bits   1.430s
+rsa 4096 bits  10.600s
+
diff --git a/crypto/openssl/times/586-1002.lnx b/crypto/openssl/times/586-1002.lnx
new file mode 100644
index 0000000..d830bce
--- /dev/null
+++ b/crypto/openssl/times/586-1002.lnx
@@ -0,0 +1,26 @@
+SSLeay 0.8.3e 30-Sep-1997
+built on Wed Oct  1 03:01:44 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                56.21k      156.57k      211.29k      231.77k      237.92k
+mdc2              170.99k      191.70k      193.90k      195.58k      195.95k
+md5               770.50k     3961.96k     7291.22k     9250.82k     9942.36k
+sha               344.93k     1520.77k     2569.81k     3108.52k     3295.91k
+sha1              326.20k     1423.74k     2385.15k     2870.95k     3041.96k
+rc4              3672.88k     4309.65k     4374.41k     4408.66k     4355.41k
+des cbc          1349.73k     1689.05k     1735.34k     1748.99k     1739.43k
+des ede3          638.70k      704.00k      711.85k      714.41k      712.70k
+idea cbc          619.55k      677.33k      683.26k      685.06k      685.40k
+rc2 cbc           521.18k      571.20k      573.46k      578.90k      578.90k
+blowfish cbc     2079.67k     2592.49k     2702.34k     2730.33k     2695.17k
+                  sign    verify
+rsa  512 bits   0.0213s   0.0026s
+rsa 1024 bits   0.1099s   0.0031s
+rsa 2048 bits   0.7007s   0.0248s
+rsa 4096 bits   5.0500s   0.0921s
+                  sign    verify
+dsa  512 bits   0.0203s   0.0389s
+dsa 1024 bits   0.0614s   0.1222s
+dsa 2048 bits   0.2149s   0.4283s
diff --git a/crypto/openssl/times/586p-100.lnx b/crypto/openssl/times/586p-100.lnx
new file mode 100644
index 0000000..561eb31
--- /dev/null
+++ b/crypto/openssl/times/586p-100.lnx
@@ -0,0 +1,26 @@
+Pentium 100 - Linux 1.2.13 - gcc 2.7.2p
+This is the pentium specific version of gcc
+
+SSLeay 0.6.4 20-Aug-1996
+built on Thu Aug 22 08:27:58 EST 1996
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,long) idea(int)
+C flags:gcc -DL_ENDIAN -DTERMIO -O6 -fomit-frame-pointer -mpentium -Wall
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             74.90k      208.43k      282.11k      309.59k      318.43k
+md5            807.08k     4205.67k     7801.51k     9958.06k    10810.71k
+sha            405.98k     1821.55k     3119.10k     3799.04k     4052.31k
+sha1           389.13k     1699.50k     2852.78k     3437.57k     3656.36k
+rc4           3621.15k     4130.07k     4212.74k     4228.44k     4213.42k
+des cfb        794.39k      828.37k      831.74k      832.51k      832.85k
+des cbc        817.68k      886.17k      894.72k      896.00k      892.93k
+des ede3       308.83k      323.29k      324.61k      324.95k      324.95k
+idea cfb       690.41k      715.39k      718.51k      719.19k      718.17k
+idea cbc       696.80k      760.60k      767.32k      768.68k      770.05k
+rc2 cfb        619.91k      639.74k      642.30k      642.73k      641.71k
+rc2 cbc        631.99k      671.42k      676.35k      676.18k      677.21k
+rsa  512 bits   0.025s
+rsa 1024 bits   0.123s
+rsa 2048 bits   0.756s
+rsa 4096 bits   5.365s
+
diff --git a/crypto/openssl/times/686-200.bsd b/crypto/openssl/times/686-200.bsd
new file mode 100644
index 0000000..f23c580
--- /dev/null
+++ b/crypto/openssl/times/686-200.bsd
@@ -0,0 +1,25 @@
+Pentium Pro 200mhz
+FreeBSD 2.1.5
+gcc 2.7.2.2
+
+SSLeay 0.7.0 30-Jan-1997
+built on Tue Apr 22 12:14:36 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:gcc -DTERMIOS -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               130.99k      367.68k      499.09k      547.04k      566.50k
+md5              1924.98k     8293.50k    13464.41k    16010.39k    16820.68k
+sha              1250.75k     5330.43k     8636.88k    10227.36k    10779.14k
+sha1             1071.55k     4572.50k     7459.98k     8791.96k     9341.61k
+rc4             10724.22k    14546.25k    15240.18k    15259.50k    15265.63k
+des cbc          3309.11k     3883.01k     3968.25k     3971.86k     3979.14k
+des ede3         1442.98k     1548.33k     1562.48k     1562.00k     1563.33k
+idea cbc         2195.69k     2506.39k     2529.59k     2545.66k     2546.54k
+rc2 cbc           806.00k      833.52k      837.58k      838.52k      836.69k
+blowfish cbc     4687.34k     5949.97k     6182.43k     6248.11k     6226.09k
+rsa  512 bits   0.010s
+rsa 1024 bits   0.045s
+rsa 2048 bits   0.260s
+rsa 4096 bits   1.690s
+
diff --git a/crypto/openssl/times/686-200.lnx b/crypto/openssl/times/686-200.lnx
new file mode 100644
index 0000000..a10cc2f
--- /dev/null
+++ b/crypto/openssl/times/686-200.lnx
@@ -0,0 +1,26 @@
+SSLeay 0.8.2a 04-Sep-1997
+built on Fri Sep  5 17:37:05 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               131.02k      368.41k      500.57k      549.21k      566.09k
+mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
+md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
+sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
+sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
+rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
+des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
+des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
+idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
+rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
+blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
+                  sign    verify
+rsa  512 bits   0.0100s   0.0011s
+rsa 1024 bits   0.0451s   0.0012s
+rsa 2048 bits   0.2605s   0.0086s
+rsa 4096 bits   1.6883s   0.0302s
+                  sign    verify
+dsa  512 bits   0.0083s   0.0156s
+dsa 1024 bits   0.0228s   0.0454s
+dsa 2048 bits   0.0719s   0.1446s
+
diff --git a/crypto/openssl/times/686-200.nt b/crypto/openssl/times/686-200.nt
new file mode 100644
index 0000000..c8cbaa0
--- /dev/null
+++ b/crypto/openssl/times/686-200.nt
@@ -0,0 +1,24 @@
+built on Tue May 13 08:24:51 EST 1997
+options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfi
+sh(ptr2)
+C flags not available
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               156.39k      427.99k      576.14k      628.36k      647.27k
+md5              2120.48k    10255.02k    18396.07k    22795.13k    24244.53k
+sha              1468.59k     6388.89k    10686.12k    12826.62k    13640.01k
+sha1             1393.46k     6013.34k     9974.56k    11932.59k    12633.45k
+rc4             13833.46k    19275.29k    20321.24k    20281.93k    20520.08k
+des cbc          3382.50k     4104.02k     4152.78k     4194.30k     4194.30k
+des ede3         1465.51k     1533.00k     1549.96k     1553.29k     1570.29k
+idea cbc         2579.52k     3079.52k     3130.08k     3153.61k     3106.89k
+rc2 cbc          1204.57k     1276.42k     1285.81k     1289.76k     1285.81k
+blowfish cbc     5229.81k     6374.32k     6574.14k     6574.14k     6594.82k
+rsa  512 bits   0.008s   0.001
+rsa 1024 bits   0.038s   0.001
+rsa 2048 bits   0.231s   0.008
+rsa 4096 bits   1.540s   0.027
+dsa  512 bits   0.007s   0.013
+dsa 1024 bits   0.021s   0.040
+dsa 2048 bits   0.066s   0.130
+
diff --git a/crypto/openssl/times/L1 b/crypto/openssl/times/L1
new file mode 100644
index 0000000..09253d7
--- /dev/null
+++ b/crypto/openssl/times/L1
@@ -0,0 +1,27 @@
+SSLeay 0.8.3ad 27-Oct-1997
+built on Wed Oct 29 00:36:17 EST 1997
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                56.16k      156.50k      211.46k      231.77k      238.71k
+mdc2              183.37k      205.21k      205.57k      209.92k      207.53k
+md5              1003.65k     5605.56k    11628.54k    15887.70k    17522.69k
+hmac(md5)         411.24k     2803.46k     7616.94k    13475.84k    16864.60k
+sha1              542.66k     2843.50k     5320.53k     6833.49k     7389.18k
+rc4              3677.15k     4313.73k     4407.89k     4429.82k     4404.57k
+des cbc          1787.94k     2174.51k     2236.76k     2249.73k     2230.95k
+des ede3          719.46k      777.26k      784.81k      780.29k      783.70k
+idea cbc          619.56k      677.89k      684.12k      685.40k      685.40k
+rc2 cbc           537.51k      573.93k      578.47k      579.24k      578.90k
+blowfish cbc     3226.76k     4221.65k     4424.19k     4468.39k     4377.26k
+cast cbc         2866.13k     3165.35k     3263.15k     3287.04k     3233.11k
+                  sign    verify
+rsa  512 bits   0.0212s   0.0021s
+rsa 1024 bits   0.1072s   0.0064s
+rsa 2048 bits   0.6853s   0.0222s
+rsa 4096 bits   4.9300s   0.0848s
+                  sign    verify
+dsa  512 bits   0.0200s   0.0380s
+dsa 1024 bits   0.0600s   0.1180s
+dsa 2048 bits   0.2110s   0.4221s
diff --git a/crypto/openssl/times/R10000.t b/crypto/openssl/times/R10000.t
new file mode 100644
index 0000000..6b3874c
--- /dev/null
+++ b/crypto/openssl/times/R10000.t
@@ -0,0 +1,24 @@
+IRIX 6.2 - R10000 195mhz
+SLeay 0.6.5a 06-Dec-1996
+built on Tue Dec 24 03:51:45 EST 1996
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
+C flags:cc -O2 -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2            156.34k      424.03k      571.88k      628.88k      646.01k
+md5           1885.02k     8181.72k    13440.53k    16020.60k    16947.54k
+sha           1587.12k     7022.05k    11951.24k    14440.12k    15462.74k
+sha1          1413.13k     6215.86k    10571.16k    12736.22k    13628.51k
+rc4          10556.28k    11974.08k    12077.10k    12111.38k    12103.20k
+des cfb       2977.71k     3252.27k     3284.36k     3302.66k     3290.54k
+des cbc       3298.31k     3704.96k     3771.30k     3730.73k     3778.80k
+des ede3      1278.28k     1328.82k     1342.66k     1339.82k     1343.27k
+idea cfb      2843.34k     3138.04k     3180.95k     3176.46k     3188.54k
+idea cbc      3115.21k     3558.03k     3590.61k     3591.24k     3601.18k
+rc2 cfb       2006.66k     2133.33k     2149.03k     2159.36k     2149.71k
+rc2 cbc       2167.07k     2315.30k     2338.05k     2329.34k     2333.90k
+rsa  512 bits   0.008s
+rsa 1024 bits   0.043s
+rsa 2048 bits   0.280s
+rsa 4096 bits   2.064s
+
diff --git a/crypto/openssl/times/R4400.t b/crypto/openssl/times/R4400.t
new file mode 100644
index 0000000..af8848f
--- /dev/null
+++ b/crypto/openssl/times/R4400.t
@@ -0,0 +1,26 @@
+IRIX 5.3
+R4400 200mhz
+cc -O2
+SSLeay 0.6.5a 06-Dec-1996
+built on Mon Dec 23 11:51:11 EST 1996
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
+C flags:cc -O2 -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2            100.62k      280.25k      380.15k      416.02k      428.82k
+md5            828.62k     3525.05k     6311.98k     7742.51k     8328.04k
+sha            580.04k     2513.74k     4251.73k     5101.04k     5394.80k
+sha1           520.23k     2382.94k     4107.82k     5024.62k     5362.56k
+rc4           5871.53k     6323.08k     6357.49k     6392.04k     6305.45k
+des cfb       1016.76k     1156.72k     1176.59k     1180.55k     1181.65k
+des cbc       1016.38k     1303.81k     1349.10k     1359.41k     1356.62k
+des ede3       607.39k      650.74k      655.11k      657.52k      654.18k
+idea cfb      1296.10k     1348.66k     1353.80k     1358.75k     1355.40k
+idea cbc      1453.90k     1554.68k     1567.84k     1569.89k     1573.57k
+rc2 cfb       1199.86k     1251.69k     1253.57k     1259.56k     1251.31k
+rc2 cbc       1334.60k     1428.55k     1441.89k     1445.42k     1441.45k
+rsa  512 bits   0.024s
+rsa 1024 bits   0.125s
+rsa 2048 bits   0.806s
+rsa 4096 bits   5.800s
+
diff --git a/crypto/openssl/times/aix.t b/crypto/openssl/times/aix.t
new file mode 100644
index 0000000..4f24e39
--- /dev/null
+++ b/crypto/openssl/times/aix.t
@@ -0,0 +1,34 @@
+from Paco Garcia <pgarcia@ctv.es>
+This machine is a Bull Estrella  Minitower Model MT604-100
+Processor        : PPC604 
+P.Speed          : 100Mhz 
+Data/Instr Cache :    16 K
+L2 Cache         :   256 K
+PCI BUS Speed    :    33 Mhz
+TransfRate PCI   :   132 MB/s
+Memory           :    96 MB
+
+AIX 4.1.4
+
+SSLeay 0.6.6 14-Jan-1997
+built on Mon Jan 13 21:36:03 CUT 1997
+options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish
+(idx)
+C flags:cc -O -DAIX -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                53.83k      147.46k      197.63k      215.72k     221.70k
+md5              1278.13k     5354.77k     8679.60k    10195.09k   10780.56k
+sha              1055.34k     4600.37k     7721.30k     9298.94k    9868.63k
+sha1              276.90k     1270.25k     2187.95k     2666.84k    2850.82k
+rc4              4660.57k     5268.93k     5332.48k     5362.47k    5346.65k
+des cbc          1774.16k     1981.10k     1979.56k     2032.71k    1972.25k
+des ede3          748.81k      781.42k      785.66k      785.75k     780.84k
+idea cbc         2066.19k     2329.58k     2378.91k     2379.86k    2380.89k
+rc2 cbc          1278.53k     1379.69k     1389.99k     1393.66k    1389.91k
+blowfish cbc     2812.91k     3307.90k     3364.91k     3386.37k    3374.32k
+rsa  512 bits   0.019s
+rsa 1024 bits   0.096s
+rsa 2048 bits   0.614s
+rsa 4096 bits   4.433s
+
diff --git a/crypto/openssl/times/aixold.t b/crypto/openssl/times/aixold.t
new file mode 100644
index 0000000..0b51412
--- /dev/null
+++ b/crypto/openssl/times/aixold.t
@@ -0,0 +1,23 @@
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 04:06:32 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish(idx)
+C flags:cc -O -DAIX -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                19.09k       52.47k       71.23k       77.49k       78.93k
+md5               214.56k      941.21k     1585.43k     1883.12k     1988.70k
+sha               118.35k      521.65k      860.28k     1042.27k     1100.46k
+sha1              109.52k      478.98k      825.90k      995.48k     1049.69k
+rc4              1263.63k     1494.24k     1545.70k     1521.66k     1518.99k
+des cbc           259.62k      286.55k      287.15k      288.15k      289.45k
+des ede3          104.92k      107.88k      109.27k      109.25k      109.96k
+idea cbc          291.63k      320.07k      319.40k      320.51k      318.27k
+rc2 cbc           220.04k      237.76k      241.44k      245.90k      244.08k
+blowfish cbc      407.95k      474.83k      480.99k      485.71k      481.07k
+rsa  512 bits   0.157s   0.019
+rsa 1024 bits   0.908s   0.023
+rsa 2048 bits   6.225s   0.218
+rsa 4096 bits  46.500s   0.830
+dsa  512 bits   0.159s   0.312
+dsa 1024 bits   0.536s   1.057
+dsa 2048 bits   1.970s   3.977
diff --git a/crypto/openssl/times/alpha.t b/crypto/openssl/times/alpha.t
new file mode 100644
index 0000000..3a7c6c4
--- /dev/null
+++ b/crypto/openssl/times/alpha.t
@@ -0,0 +1,81 @@
+SSLeay-051 Alpha gcc -O3 64Bit (assember bn_mul)
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             44.40k      121.56k      162.73k      179.20k      185.01k
+md5            780.85k     3278.53k     5281.52k     6327.98k     6684.67k
+sha            501.40k     2249.19k     3855.27k     4801.19k     5160.96k
+sha-1          384.99k     1759.72k     3113.64k     3946.92k     4229.80k
+rc4           3505.05k     3724.54k     3723.78k     3555.33k     3694.68k
+des cfb        946.96k     1015.27k     1021.87k     1033.56k     1037.65k
+des cbc       1001.24k     1220.20k     1243.31k     1272.73k     1265.87k
+des ede3       445.34k      491.65k      500.53k      502.10k      502.44k
+idea cfb       643.53k      667.49k      663.81k      666.28k      664.51k
+idea cbc       650.42k      735.41k      733.27k      742.74k      745.47k
+rsa  512 bits   0.031s
+rsa 1024 bits   0.141s
+rsa 2048 bits   0.844s
+rsa 4096 bits   6.033s
+
+SSLeay-051 Alpha cc -O2 64bit (assember bn_mul)
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             45.37k      122.86k      165.97k      182.95k      188.42k
+md5            842.42k     3629.93k     5916.76k     7039.17k     7364.61k
+sha            498.93k     2197.23k     3895.60k     4756.48k     5132.13k
+sha-1          382.02k     1757.21k     3112.53k     3865.23k     4128.77k
+rc4           2975.25k     3049.33k     3180.97k     3214.68k     3424.26k
+des cfb        901.55k      990.83k     1006.08k     1011.19k     1004.89k
+des cbc        947.84k     1127.84k     1163.67k     1162.24k     1157.80k
+des ede3       435.62k      485.57k      493.67k      491.52k      491.52k
+idea cfb       629.31k      648.66k      647.77k      648.53k      649.90k
+idea cbc       565.15k      608.00k      613.46k      613.38k      617.13k
+rsa  512 bits   0.030s
+rsa 1024 bits   0.141s
+rsa 2048 bits   0.854s
+rsa 4096 bits   6.067s
+
+des cfb        718.28k      822.64k      833.11k      836.27k      841.05k
+des cbc        806.10k      951.42k      975.83k      983.73k      991.23k
+des ede3       329.50k      379.11k      387.95k      387.41k      388.33k
+
+des cfb        871.62k      948.65k      951.81k      953.00k      955.58k
+des cbc        953.60k     1174.27k     1206.70k     1216.10k     1216.44k
+des ede3       349.34k      418.05k      427.26k      429.74k      431.45k
+
+
+
+
+SSLeay-045c Alpha gcc -O3 64Bit
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             44.95k      122.22k      164.27k      180.62k      184.66k
+md5            808.71k     3371.95k     5415.68k     6385.66k     6684.67k
+sha            493.68k     2162.05k     3725.82k     4552.02k     4838.74k
+rc4           3317.32k     3649.09k     3728.30k     3744.09k     3691.86k
+cfb des        996.45k     1050.77k     1058.30k     1059.16k     1064.96k
+cbc des       1096.52k     1255.49k     1282.13k     1289.90k     1299.80k
+ede3 des       482.14k      513.51k      518.66k      520.19k      521.39k
+cfb idea       519.90k      533.40k      535.21k      535.55k      535.21k
+cbc idea       619.34k      682.21k      688.04k      689.15k      690.86k
+rsa  512 bits   0.050s
+rsa 1024 bits   0.279s
+rsa 2048 bits   1.908s
+rsa 4096 bits  14.750s
+
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             37.31k      102.77k      137.64k      151.55k      155.78k
+md5            516.65k     2535.21k     4655.72k     5859.66k     6343.34k
+rc4           3519.61k     3707.01k     3746.86k     3755.39k     3675.48k
+cfb des        780.27k      894.68k      913.10k      921.26k      922.97k
+cbc des        867.54k     1040.13k     1074.17k     1075.54k     1084.07k
+ede3 des       357.19k      397.36k      398.08k      402.28k      401.41k
+cbc idea       646.53k      686.44k      694.03k      691.20k      693.59k
+rsa  512 bits   0.046s
+rsa 1024 bits   0.270s
+rsa 2048 bits   1.858s
+rsa 4096 bits  14.350s
+
+md2      C      37.83k      103.17k      137.90k      150.87k      155.37k
+md2      L      37.30k      102.04k      139.01k      152.74k      155.78k
+rc4       I   3532.24k     3718.08k     3750.83k     3768.78k     3694.59k
+rc4      CI   2662.97k     2873.26k     2907.22k     2920.63k     2886.31k
+rc4      LI   3514.63k     3738.72k     3747.41k     3752.96k     3708.49k
+cbc idea S     619.01k      658.68k      661.50k      662.53k      663.55k
+cbc idea  L    645.69k      684.22k      694.55k      692.57k      690.86k
diff --git a/crypto/openssl/times/alpha400.t b/crypto/openssl/times/alpha400.t
new file mode 100644
index 0000000..079e0d1
--- /dev/null
+++ b/crypto/openssl/times/alpha400.t
@@ -0,0 +1,25 @@
+Alpha EV5.6 (21164A) 400mhz
+
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 03:39:58 EST 1997
+options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
+C flags:cc -arch host -tune host -fast -std -O4 -inline speed
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               274.98k      760.96k     1034.27k     1124.69k     1148.69k
+md5              2524.46k    11602.60k    19838.81k    24075.26k    25745.10k
+sha              1848.46k     8335.66k    14232.49k    17247.91k    18530.30k
+sha1             1639.67k     7336.53k    12371.80k    14807.72k    15870.63k
+rc4             17950.93k    19390.66k    19652.44k    19700.39k    19412.31k
+des cbc          4018.59k     4872.06k     4988.76k     5003.26k     4995.73k
+des ede3         1809.11k     1965.67k     1984.26k     1986.90k     1982.46k
+idea cbc         2848.82k     3204.33k     3250.26k     3257.34k     3260.42k
+rc2 cbc          3766.08k     4349.50k     4432.21k     4448.94k     4448.26k
+blowfish cbc     6694.88k     9042.35k     9486.93k     9598.98k     9624.91k
+rsa  512 bits   0.003s   0.000
+rsa 1024 bits   0.013s   0.000
+rsa 2048 bits   0.081s   0.003
+rsa 4096 bits   0.577s   0.011
+dsa  512 bits   0.003s   0.005
+dsa 1024 bits   0.007s   0.014
+dsa 2048 bits   0.025s   0.050
diff --git a/crypto/openssl/times/cyrix100.lnx b/crypto/openssl/times/cyrix100.lnx
new file mode 100644
index 0000000..010a221
--- /dev/null
+++ b/crypto/openssl/times/cyrix100.lnx
@@ -0,0 +1,22 @@
+SSLeay 0.6.6 06-Dec-1996
+built on Fri Dec  6 10:05:20 GMT 1996
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,risc,16,long) idea(int)
+C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             36.77k      102.48k      138.00k      151.57k      155.78k
+md5            513.59k     2577.22k     4623.51k     5768.99k     6214.53k
+sha            259.89k     1105.45k     1814.97k     2156.16k     2292.13k
+sha1           242.43k     1040.95k     1719.44k     2049.74k     2164.64k
+rc4           1984.48k     2303.41k     2109.37k     2071.47k     1985.61k
+des cfb        712.08k      758.29k      753.17k      752.06k      748.67k
+des cbc        787.37k      937.64k      956.77k      961.61k      957.54k
+des ede3       353.97k      377.28k      379.99k      379.34k      379.11k
+idea cfb       403.80k      418.50k      416.60k      415.78k      415.03k
+idea cbc       426.54k      466.40k      471.31k      472.67k      473.14k
+rc2 cfb        405.15k      420.05k      418.16k      416.72k      416.36k
+rc2 cbc        428.21k      468.43k      473.09k      472.59k      474.70k
+rsa  512 bits   0.040s
+rsa 1024 bits   0.195s
+rsa 2048 bits   1.201s
+rsa 4096 bits   8.700s
diff --git a/crypto/openssl/times/dgux-x86.t b/crypto/openssl/times/dgux-x86.t
new file mode 100644
index 0000000..70635c5
--- /dev/null
+++ b/crypto/openssl/times/dgux-x86.t
@@ -0,0 +1,23 @@
+version:SSLeay 0.5.2c 15-May-1996
+built Fri Jun 14 19:47:04 EST 1996
+options:bn(LLONG,thirty_two) md2(CHAR) rc4(IDX,int) des(ary,long) idea(int)
+C flags:gcc -O3 -fomit-frame-pointer -DL_ENDIAN
+
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2            113.86k      316.48k      428.36k      467.63k      481.56k
+md5           1001.99k     5037.99k     9545.94k    12036.95k    11800.38k
+sha            628.77k     2743.48k     5113.42k     6206.99k     6165.42k
+sha1           583.83k     2638.66k     4538.85k     5532.09k     5917.04k
+rc4           5493.27k     6369.39k     6511.30k     6577.83k     6486.73k
+des cfb       1219.01k     1286.06k     1299.33k     1288.87k     1381.72k
+des cbc       1360.58k     1469.04k     1456.96k     1454.08k     1513.57k
+des ede3       544.45k      567.84k      568.99k      570.37k      566.09k
+idea cfb      1012.39k     1056.30k     1063.52k      989.17k      863.24k
+idea cbc       985.36k     1090.44k     1105.92k     1108.65k     1090.17k
+rc2 cfb        963.86k      979.06k      995.30k      937.35k      827.39k
+rc2 cbc        951.72k     1042.11k     1049.60k     1047.21k     1059.11k
+rsa  512 bits   0.032s
+rsa 1024 bits   0.159s
+rsa 2048 bits   1.025s
+rsa 4096 bits   7.270s
+
diff --git a/crypto/openssl/times/dgux.t b/crypto/openssl/times/dgux.t
new file mode 100644
index 0000000..c7f7564
--- /dev/null
+++ b/crypto/openssl/times/dgux.t
@@ -0,0 +1,17 @@
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             38.54k      106.28k      144.00k      157.46k      161.72k
+md5            323.23k     1471.62k     2546.11k     3100.20k     3309.57k
+rc4        I  1902.74k     2055.20k     2080.42k     2077.88k     2065.46k
+cfb des        456.23k      475.22k      481.79k      488.42k      487.17k
+cbc des        484.30k      537.50k      553.09k      558.08k      558.67k
+ede3 des       199.97k      209.05k      211.03k      211.85k      212.78k
+cbc idea       478.50k      519.33k      523.42k      525.09k      526.44k
+rsa  512 bits   0.159s !RSA_LLONG
+rsa 1024 bits   1.053s
+rsa 2048 bits   7.600s
+rsa 4096 bits  59.760s
+
+md2       C     30.53k       83.58k      112.84k      123.22k      126.24k
+rc4           1844.56k     1975.50k     1997.73k     1994.95k     1984.88k
+rc4       C   1800.09k     1968.85k     1995.20k     1992.36k     1996.80k
+rc4       CI  1830.81k     2035.75k     2067.28k     2070.23k     2062.77k
diff --git a/crypto/openssl/times/hpux-acc.t b/crypto/openssl/times/hpux-acc.t
new file mode 100644
index 0000000..0c0e936
--- /dev/null
+++ b/crypto/openssl/times/hpux-acc.t
@@ -0,0 +1,25 @@
+HPUX 887
+
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 02:59:45 EST 1997
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
+C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit +O4 -Wl,-a,archive
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                58.99k      166.85k      225.07k      247.21k      253.76k
+md5               639.22k     2726.98k     4477.25k     5312.69k     5605.20k
+sha               381.08k     1661.49k     2793.84k     3368.86k     3581.23k
+sha1              349.54k     1514.56k     2536.63k     3042.59k     3224.39k
+rc4              2891.10k     4238.01k     4464.11k     4532.49k     4545.87k
+des cbc           717.05k      808.76k      820.14k      821.97k      821.96k
+des ede3          288.21k      303.50k      303.69k      305.82k      305.14k
+idea cbc          325.83k      334.36k      335.89k      336.61k      333.43k
+rc2 cbc           793.00k      915.81k      926.69k      933.28k      929.53k
+blowfish cbc     1561.91k     2051.97k     2122.65k     2139.40k     2145.92k
+rsa  512 bits   0.031s   0.004
+rsa 1024 bits   0.164s   0.004
+rsa 2048 bits   1.055s   0.037
+rsa 4096 bits   7.600s   0.137
+dsa  512 bits   0.029s   0.057
+dsa 1024 bits   0.092s   0.177
+dsa 2048 bits   0.325s   0.646
diff --git a/crypto/openssl/times/hpux-kr.t b/crypto/openssl/times/hpux-kr.t
new file mode 100644
index 0000000..ad4a0ad
--- /dev/null
+++ b/crypto/openssl/times/hpux-kr.t
@@ -0,0 +1,23 @@
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 02:17:35 EST 1997
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,cisc,16,long) idea(int) blowfish(idx)
+C flags:cc -DB_ENDIAN -DNOCONST -DNOPROTO -D_HPUX_SOURCE
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                35.30k       98.36k      133.41k      146.34k      150.69k
+md5               391.20k     1737.31k     2796.65k     3313.75k     3503.74k
+sha               189.55k      848.14k     1436.72k     1735.87k     1848.03k
+sha1              175.30k      781.14k     1310.32k     1575.61k     1675.81k
+rc4              2070.55k     2501.47k     2556.65k     2578.34k     2584.91k
+des cbc           465.13k      536.85k      545.87k      547.86k      548.89k
+des ede3          190.05k      200.99k      202.31k      202.22k      202.75k
+idea cbc          263.44k      277.77k      282.13k      281.51k      283.15k
+rc2 cbc           448.37k      511.39k      519.54k      522.00k      521.31k
+blowfish cbc      839.98k     1097.70k     1131.16k     1145.64k     1144.67k
+rsa  512 bits   0.048s   0.005
+rsa 1024 bits   0.222s   0.006
+rsa 2048 bits   1.272s   0.042
+rsa 4096 bits   8.445s   0.149
+dsa  512 bits   0.041s   0.077
+dsa 1024 bits   0.111s   0.220
+dsa 2048 bits   0.363s   0.726
diff --git a/crypto/openssl/times/hpux.t b/crypto/openssl/times/hpux.t
new file mode 100644
index 0000000..dcf7615
--- /dev/null
+++ b/crypto/openssl/times/hpux.t
@@ -0,0 +1,86 @@
+HP-UX A.09.05 9000/712
+
+SSLeay 0.6.6 14-Jan-1997
+built on Tue Jan 14 16:36:31 WET 1997
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
+blowfish(idx)
+C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa +ESlit +O2 -Wl,-a,archive
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                66.56k      184.92k      251.82k      259.86k      282.62k
+md5               615.54k     2805.92k     4764.30k     5724.21k     6084.39k
+sha               358.23k     1616.46k     2781.50k     3325.72k     3640.89k
+sha1              327.50k     1497.98k     2619.44k     3220.26k     3460.85k
+rc4              3500.47k     3890.99k     3943.81k     3883.74k     3900.02k
+des cbc           742.65k      871.66k      887.15k      891.21k      895.40k
+des ede3          302.42k      322.50k      324.46k      326.66k      326.05k
+idea cbc          664.41k      755.87k      765.61k      772.70k      773.69k
+rc2 cbc           798.78k      931.04k      947.69k      950.31k      952.04k
+blowfish cbc     1353.32k     1932.29k     2021.93k     2047.02k     2053.66k
+rsa  512 bits   0.059s
+rsa 1024 bits   0.372s
+rsa 2048 bits   2.697s
+rsa 4096 bits  20.790s
+
+SSLeay 0.6.6 14-Jan-1997
+built on Tue Jan 14 15:37:30 WET 1997
+options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
+blowfish(idx)
+C flags:gcc -DB_ENDIAN -O3
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                44.91k      122.57k      167.71k      183.89k      190.24k
+md5               532.50k     2316.27k     3965.72k     4740.11k     5055.06k
+sha               363.76k     1684.09k     2978.53k     3730.86k     3972.72k
+sha1              385.76k     1743.53k     2997.69k     3650.74k     3899.08k
+rc4              3178.84k     3621.31k     3672.71k     3684.01k     3571.54k
+des cbc           733.00k      844.70k      863.28k      863.72k      868.73k
+des ede3          289.99k      308.94k      310.11k      309.64k      312.08k
+idea cbc          624.07k      713.91k      724.76k      723.35k      725.13k
+rc2 cbc           704.34k      793.39k      804.25k      805.99k      782.63k
+blowfish cbc     1371.24k     1823.66k     1890.05k     1915.51k     1920.12k
+rsa  512 bits   0.030s
+rsa 1024 bits   0.156s
+rsa 2048 bits   1.113s
+rsa 4096 bits   7.480s
+
+
+HPUX B.10.01 V 9000/887 - HP92453-01 A.10.11 HP C Compiler
+SSLeay 0.5.2 - -Aa +ESlit +Oall +O4 -Wl,-a,archive
+
+HPUX A.09.04 B 9000/887
+
+ssleay 0.5.1 gcc v 2.7.0 -O3 -mpa-risc-1-1
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             53.00k      166.81k      205.66k      241.95k      242.20k
+md5            743.22k     3128.44k     6031.85k     6142.07k     7025.26k
+sha            481.30k     2008.24k     3361.31k     3985.07k     4180.74k
+sha-1          463.60k     1916.15k     3139.24k     3786.27k     3997.70k
+rc4           3708.61k     4125.16k     4547.53k     4206.21k     4390.07k
+des cfb        665.91k      705.97k      698.48k      694.25k      666.08k
+des cbc        679.80k      741.90k      769.85k      747.62k      719.47k
+des ede3       264.31k      270.22k      265.63k      273.07k      273.07k
+idea cfb       635.91k      673.40k      605.60k      699.53k      672.36k
+idea cbc       705.85k      774.63k      750.60k      715.83k      721.50k
+rsa  512 bits   0.066s
+rsa 1024 bits   0.372s
+rsa 2048 bits   2.177s
+rsa 4096 bits  16.230s
+
+HP92453-01 A.09.61 HP C Compiler
+ssleay 0.5.1 cc -Ae +ESlit +Oall -Wl,-a,archive
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             58.69k      163.30k      213.57k      230.40k      254.23k
+md5            608.60k     2596.82k     3871.43k     4684.10k     4763.88k
+sha            343.26k     1482.43k     2316.80k     2766.27k     2860.26k
+sha-1          319.15k     1324.13k     2106.03k     2527.82k     2747.95k
+rc4           2467.47k     3374.41k     3265.49k     3354.39k     3368.55k
+des cfb        812.05k      814.90k      851.20k      819.20k      854.56k
+des cbc        836.35k      994.06k      916.02k     1020.01k      988.14k
+des ede3       369.78k      389.15k      401.01k      382.94k      408.03k
+idea cfb       290.40k      298.06k      286.11k      296.92k      299.46k
+idea cbc       301.30k      297.72k      304.34k      300.10k      309.70k
+rsa  512 bits   0.350s
+rsa 1024 bits   2.635s
+rsa 2048 bits  19.930s
+
diff --git a/crypto/openssl/times/p2.w95 b/crypto/openssl/times/p2.w95
new file mode 100644
index 0000000..82d1e55
--- /dev/null
+++ b/crypto/openssl/times/p2.w95
@@ -0,0 +1,22 @@
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               235.90k      652.30k      893.36k      985.74k      985.74k
+mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
+md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
+sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
+sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
+rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
+des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
+des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
+idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
+rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
+blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
+                  sign    verify
+rsa  512 bits   0.0062s   0.0008s
+rsa 1024 bits   0.0287s   0.0009s
+rsa 2048 bits   0.1785s   0.0059s
+rsa 4096 bits   1.1300s   0.0205s
+                  sign    verify
+dsa  512 bits   0.0055s   0.0100s
+dsa 1024 bits   0.0154s   0.0299s
+dsa 2048 bits   0.0502s   0.0996s
diff --git a/crypto/openssl/times/pent2.t b/crypto/openssl/times/pent2.t
new file mode 100644
index 0000000..b6dc269
--- /dev/null
+++ b/crypto/openssl/times/pent2.t
@@ -0,0 +1,24 @@
+pentium 2, 266mhz, Visual C++ 5.0, Windows 95
+
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               235.90k      652.30k      893.36k      985.74k      985.74k
+mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
+md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
+sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
+sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
+rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
+des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
+des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
+idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
+rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
+blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
+                  sign    verify
+rsa  512 bits   0.0062s   0.0008s
+rsa 1024 bits   0.0287s   0.0009s
+rsa 2048 bits   0.1785s   0.0059s
+rsa 4096 bits   1.1300s   0.0205s
+                  sign    verify
+dsa  512 bits   0.0055s   0.0100s
+dsa 1024 bits   0.0154s   0.0299s
+dsa 2048 bits   0.0502s   0.0996s
diff --git a/crypto/openssl/times/readme b/crypto/openssl/times/readme
new file mode 100644
index 0000000..7074f58
--- /dev/null
+++ b/crypto/openssl/times/readme
@@ -0,0 +1,11 @@
+The 'times' in this directory are not all for the most recent version of
+the library and it should be noted that on some CPUs (specifically sparc
+and Alpha), the locations of files in the application after linking can
+make upto a %10 speed difference when running benchmarks on things like
+cbc mode DES.  To put it mildly this can be very anoying.
+
+About the only way to get around this would be to compile the library as one
+object file, or to 'include' the source files in a specific order.
+
+The best way to get an idea of the 'raw' DES speed is to build the 
+'speed' program in crypto/des.
diff --git a/crypto/openssl/times/s586-100.lnx b/crypto/openssl/times/s586-100.lnx
new file mode 100644
index 0000000..cbc3e3c
--- /dev/null
+++ b/crypto/openssl/times/s586-100.lnx
@@ -0,0 +1,25 @@
+Shared library build
+
+SSLeay 0.7.3 30-Apr-1997
+built on Tue May 13 03:43:56 EST 1997
+options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:-DTERMIO -O3 -DL_ENDIAN -fomit-frame-pointer -m486 -Wall
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                68.95k      191.40k      258.22k      283.31k      291.21k
+md5               627.37k     3064.75k     5370.15k     6765.91k     7255.38k
+sha               323.35k     1431.32k     2417.07k     2916.69k     3102.04k
+sha1              298.08k     1318.34k     2228.82k     2694.83k     2864.47k
+rc4              3404.13k     4026.33k     4107.43k     4136.28k     4117.85k
+des cbc          1414.60k     1782.53k     1824.24k     1847.64k     1840.47k
+des ede3          588.36k      688.19k      700.33k      702.46k      704.51k
+idea cbc          582.96k      636.71k      641.54k      642.39k      642.30k
+rc2 cbc           569.34k      612.37k      617.64k      617.47k      619.86k
+blowfish cbc     2015.77k     2534.49k     2609.65k     2607.10k     2615.98k
+rsa  512 bits   0.027s   0.003
+rsa 1024 bits   0.128s   0.003
+rsa 2048 bits   0.779s   0.027
+rsa 4096 bits   5.450s   0.098
+dsa  512 bits   0.024s   0.045
+dsa 1024 bits   0.068s   0.132
+dsa 2048 bits   0.231s   0.469
diff --git a/crypto/openssl/times/s586-100.nt b/crypto/openssl/times/s586-100.nt
new file mode 100644
index 0000000..8e3baf6
--- /dev/null
+++ b/crypto/openssl/times/s586-100.nt
@@ -0,0 +1,23 @@
+SSLeay 0.7.3 30-Apr-1997
+built on Mon May 19 10:47:38 EST 1997
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags not available
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                90.26k      248.57k      335.06k      366.09k      376.64k
+md5               863.95k     4205.24k     7628.78k     9582.60k    10290.25k
+sha               463.93k     2102.51k     3623.28k     4417.85k     4695.29k
+sha1              458.23k     2005.88k     3385.78k     4094.00k     4340.13k
+rc4              5843.60k     7543.71k     7790.31k     7836.89k     7791.47k
+des cbc          1583.95k     1910.67k     1960.69k     1972.12k     1946.13k
+des ede3          654.79k      722.60k      740.97k      745.82k      738.27k
+idea cbc          792.04k      876.96k      887.35k      892.63k      890.36k
+rc2 cbc           603.50k      652.38k      661.85k      662.69k      661.44k
+blowfish cbc     2379.88k     3043.76k     3153.61k     3153.61k     3134.76k
+rsa  512 bits   0.022s   0.003
+rsa 1024 bits   0.111s   0.003
+rsa 2048 bits   0.716s   0.025
+rsa 4096 bits   5.188s   0.094
+dsa  512 bits   0.020s   0.039
+dsa 1024 bits   0.062s   0.124
+dsa 2048 bits   0.221s   0.441
diff --git a/crypto/openssl/times/sgi.t b/crypto/openssl/times/sgi.t
new file mode 100644
index 0000000..7963610
--- /dev/null
+++ b/crypto/openssl/times/sgi.t
@@ -0,0 +1,29 @@
+SGI Challenge R4400 200mhz IRIX 5.3 - gcc (2.6.3)
+SSLeay 0.6.1 02-Jul-1996
+built on Tue Jul  2 16:25:30 EST 1996
+options:bn(64,32) md2(char) rc4(idx,char) des(idx,long) idea(int)
+C flags:gcc -O2 -mips2 -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2             96.53k      266.70k      360.09k      393.70k      405.07k
+md5            971.15k     4382.56k     7406.90k     8979.99k     9559.18k
+sha            596.86k     2832.26k     4997.30k     6277.75k     6712.89k
+sha1           578.34k     2630.16k     4632.05k     5684.34k     6083.37k
+rc4           5641.12k     6821.76k     6996.13k     7052.61k     6913.32k
+des cfb       1354.86k     1422.11k     1434.58k     1433.24k     1432.89k
+des cbc       1467.13k     1618.92k     1630.08k     1637.00k     1629.62k
+des ede3       566.13k      591.91k      596.86k      596.18k      592.54k
+idea cfb      1190.60k     1264.49k     1270.38k     1267.84k     1272.37k
+idea cbc      1271.45k     1410.37k     1422.49k     1426.46k     1421.73k
+rc2 cfb       1285.73k     1371.40k     1380.92k     1383.13k     1379.23k
+rc2 cbc       1386.61k     1542.10k     1562.49k     1572.45k     1567.93k
+rsa  512 bits   0.018s
+rsa 1024 bits   0.106s
+rsa 2048 bits   0.738s
+rsa 4096 bits   5.535s
+
+version:SSLeay 0.5.2c 15-May-1996
+rsa  512 bits   0.035s
+rsa 1024 bits   0.204s
+rsa 2048 bits   1.423s
+rsa 4096 bits  10.800s
diff --git a/crypto/openssl/times/sparc.t b/crypto/openssl/times/sparc.t
new file mode 100644
index 0000000..1611f76
--- /dev/null
+++ b/crypto/openssl/times/sparc.t
@@ -0,0 +1,26 @@
+gcc 2.7.2
+Sparc 10 - Solaris 2.3 - 50mhz
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 00:55:51 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
+C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                54.88k      154.52k      210.35k      231.08k      237.21k
+md5               550.75k     2460.49k     4116.01k     4988.74k     5159.86k
+sha               340.28k     1461.76k     2430.10k     2879.87k     2999.15k
+sha1              307.27k     1298.41k     2136.26k     2540.07k     2658.28k
+rc4              2652.21k     2805.24k     3301.63k     4003.98k     4071.18k
+des cbc           811.78k      903.93k      914.19k      921.60k      932.29k
+des ede3          328.21k      344.93k      349.64k      351.48k      345.07k
+idea cbc          685.06k      727.42k      734.41k      730.11k      739.21k
+rc2 cbc           718.59k      777.02k      781.96k      784.38k      782.60k
+blowfish cbc     1268.85k     1520.64k     1568.88k     1587.54k     1591.98k
+rsa  512 bits   0.037s   0.005
+rsa 1024 bits   0.213s   0.006
+rsa 2048 bits   1.471s   0.053
+rsa 4096 bits  11.100s   0.202
+dsa  512 bits   0.038s   0.074
+dsa 1024 bits   0.128s   0.248
+dsa 2048 bits   0.473s   0.959
+
diff --git a/crypto/openssl/times/sparc2 b/crypto/openssl/times/sparc2
new file mode 100644
index 0000000..4b0dd80
--- /dev/null
+++ b/crypto/openssl/times/sparc2
@@ -0,0 +1,21 @@
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                14.56k       40.25k       54.95k       60.13k       62.18k
+mdc2               53.59k       57.45k       58.11k       58.21k       58.51k
+md5               176.95k      764.75k     1270.36k     1520.14k     1608.36k
+hmac(md5)          55.88k      369.70k      881.15k     1337.05k     1567.40k
+sha1               92.69k      419.75k      723.63k      878.82k      939.35k
+rc4              1247.28k     1414.09k     1434.30k     1434.34k     1441.13k
+des cbc           284.41k      318.58k      323.07k      324.09k      323.87k
+des ede3          109.99k      119.99k      121.60k      121.87k      121.66k
+idea cbc           43.06k       43.68k       43.84k       43.64k       44.07k
+rc2 cbc           278.85k      311.44k      316.50k      316.57k      317.37k
+blowfish cbc      468.89k      569.35k      581.61k      568.34k      559.54k
+cast cbc          285.84k      338.79k      345.71k      346.19k      341.09k
+                  sign    verify
+rsa  512 bits   0.4175s   0.0519s
+rsa 1024 bits   2.9325s   0.1948s
+rsa 2048 bits  22.3600s   0.7669s
+		  sign    verify
+dsa  512 bits   0.5178s   1.0300s
+dsa 1024 bits   1.8780s   3.7167s
+dsa 2048 bits   7.3500s  14.4800s
diff --git a/crypto/openssl/times/sparcLX.t b/crypto/openssl/times/sparcLX.t
new file mode 100644
index 0000000..2fdaed7
--- /dev/null
+++ b/crypto/openssl/times/sparcLX.t
@@ -0,0 +1,22 @@
+Sparc Station LX
+SSLeay 0.7.3 30-Apr-1997
+built on Thu May  1 10:44:02 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
+C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                17.60k       48.72k       66.47k       72.70k       74.72k
+md5               226.24k     1082.21k     1982.72k     2594.02k     2717.01k
+sha                71.38k      320.71k      551.08k      677.76k      720.90k
+sha1               63.08k      280.79k      473.86k      576.94k      608.94k
+rc4              1138.30k     1257.67k     1304.49k     1377.78k     1364.42k
+des cbc           265.34k      308.85k      314.28k      315.39k      317.20k
+des ede3           83.23k       93.13k       94.04k       94.50k       94.63k
+idea cbc          254.48k      274.26k      275.88k      274.68k      275.80k
+rc2 cbc           328.27k      375.39k      381.43k      381.61k      380.83k
+blowfish cbc      487.00k      498.02k      510.12k      515.41k      516.10k
+rsa  512 bits   0.093s
+rsa 1024 bits   0.537s
+rsa 2048 bits   3.823s
+rsa 4096 bits  28.650s
+
diff --git a/crypto/openssl/times/usparc.t b/crypto/openssl/times/usparc.t
new file mode 100644
index 0000000..2215624
--- /dev/null
+++ b/crypto/openssl/times/usparc.t
@@ -0,0 +1,25 @@
+Sparc 2000? - Solaris 2.5.1 - 167mhz Ultra sparc
+
+SSLeay 0.7.3r 20-May-1997
+built on Mon Jun  2 02:25:48 EST 1997
+options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) idea(int) blowfish(ptr)
+C flags:cc cc -xtarget=ultra -xarch=v8plus -Xa -xO5 -Xa -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               135.23k      389.87k      536.66k      591.87k      603.48k
+md5              1534.38k     6160.41k     9842.69k    11446.95k    11993.09k
+sha              1178.30k     5020.74k     8532.22k    10275.50k    11010.05k
+sha1             1114.22k     4703.94k     7703.81k     9236.14k     9756.67k
+rc4             10818.03k    13327.57k    13711.10k    13810.69k    13836.29k
+des cbc          3052.44k     3320.02k     3356.25k     3369.98k     3295.91k
+des ede3         1310.32k     1359.98k     1367.47k     1362.94k     1362.60k
+idea cbc         1749.52k     1833.13k     1844.74k     1848.32k     1848.66k
+rc2 cbc          1950.25k     2053.23k     2064.21k     2072.58k     2072.58k
+blowfish cbc     4927.16k     5659.75k     5762.73k     5797.55k     5805.40k
+rsa  512 bits   0.021s   0.003
+rsa 1024 bits   0.126s   0.003
+rsa 2048 bits   0.888s   0.032
+rsa 4096 bits   6.770s   0.122
+dsa  512 bits   0.022s   0.043
+dsa 1024 bits   0.076s   0.151
+dsa 2048 bits   0.286s   0.574
diff --git a/crypto/openssl/times/x86/bfs.cpp b/crypto/openssl/times/x86/bfs.cpp
new file mode 100644
index 0000000..d74c457
--- /dev/null
+++ b/crypto/openssl/times/x86/bfs.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/blowfish.h>
+
+void main(int argc,char *argv[])
+	{
+	BF_KEY key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			BF_encrypt(&data[0],&key);
+			GetTSC(s1);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			GetTSC(e1);
+			GetTSC(s2);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			BF_encrypt(&data[0],&key);
+			GetTSC(e2);
+			BF_encrypt(&data[0],&key);
+			}
+
+		printf("blowfish %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/casts.cpp b/crypto/openssl/times/x86/casts.cpp
new file mode 100644
index 0000000..7661191
--- /dev/null
+++ b/crypto/openssl/times/x86/casts.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/cast.h>
+
+void main(int argc,char *argv[])
+	{
+	CAST_KEY key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			CAST_encrypt(&data[0],&key);
+			GetTSC(s1);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			GetTSC(e1);
+			GetTSC(s2);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			CAST_encrypt(&data[0],&key);
+			GetTSC(e2);
+			CAST_encrypt(&data[0],&key);
+			}
+
+		printf("cast %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/des3s.cpp b/crypto/openssl/times/x86/des3s.cpp
new file mode 100644
index 0000000..02d527c
--- /dev/null
+++ b/crypto/openssl/times/x86/des3s.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/des.h>
+
+void main(int argc,char *argv[])
+	{
+	des_key_schedule key1,key2,key3;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(s1);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(e1);
+			GetTSC(s2);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			des_encrypt3(&data[0],key1,key2,key3);
+			GetTSC(e2);
+			des_encrypt3(&data[0],key1,key2,key3);
+			}
+
+		printf("des %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/dess.cpp b/crypto/openssl/times/x86/dess.cpp
new file mode 100644
index 0000000..753e67a
--- /dev/null
+++ b/crypto/openssl/times/x86/dess.cpp
@@ -0,0 +1,67 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/des.h>
+
+void main(int argc,char *argv[])
+	{
+	des_key_schedule key;
+	unsigned long s1,s2,e1,e2;
+	unsigned long data[2];
+	int i,j;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<1000; i++) /**/
+			{
+			des_encrypt(&data[0],key,1);
+			GetTSC(s1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			GetTSC(e1);
+			GetTSC(s2);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			des_encrypt(&data[0],key,1);
+			GetTSC(e2);
+			des_encrypt(&data[0],key,1);
+			}
+
+		printf("des %d %d (%d)\n",
+			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/md5s.cpp b/crypto/openssl/times/x86/md5s.cpp
new file mode 100644
index 0000000..dd343fd
--- /dev/null
+++ b/crypto/openssl/times/x86/md5s.cpp
@@ -0,0 +1,78 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md5.h>
+
+extern "C" {
+void md5_block_x86(MD5_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[64*256];
+	MD5_CTX ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=0,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=16;
+	if (num > 250) num=16;
+	numm=num+2;
+	num*=64;
+	numm*=64;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			md5_block_x86(&ctx,buffer,numm);
+			GetTSC(s1);
+			md5_block_x86(&ctx,buffer,numm);
+			GetTSC(e1);
+			GetTSC(s2);
+			md5_block_x86(&ctx,buffer,num);
+			GetTSC(e2);
+			md5_block_x86(&ctx,buffer,num);
+			}
+		printf("md5 (%d bytes) %d %d (%.2f)\n",num,
+			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/rc4s.cpp b/crypto/openssl/times/x86/rc4s.cpp
new file mode 100644
index 0000000..3814fde
--- /dev/null
+++ b/crypto/openssl/times/x86/rc4s.cpp
@@ -0,0 +1,73 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rc4.h>
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[1024];
+	RC4_KEY ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=64,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=256;
+	if (num > 1024-16) num=1024-16;
+	numm=num+8;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			RC4(&ctx,numm,buffer,buffer);
+			GetTSC(s1);
+			RC4(&ctx,numm,buffer,buffer);
+			GetTSC(e1);
+			GetTSC(s2);
+			RC4(&ctx,num,buffer,buffer);
+			GetTSC(e2);
+			RC4(&ctx,num,buffer,buffer);
+			}
+
+		printf("RC4 (%d bytes) %d %d (%d) - 8 bytes\n",num,
+			e1-s1,e2-s2,(e1-s1)-(e2-s2));
+		}
+	}
+
diff --git a/crypto/openssl/times/x86/sha1s.cpp b/crypto/openssl/times/x86/sha1s.cpp
new file mode 100644
index 0000000..3103e18
--- /dev/null
+++ b/crypto/openssl/times/x86/sha1s.cpp
@@ -0,0 +1,79 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+	       : "=eax" (tsc)
+	       :
+	       : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/sha.h>
+
+extern "C" {
+void sha1_block_x86(SHA_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+	{
+	unsigned char buffer[64*256];
+	SHA_CTX ctx;
+	unsigned long s1,s2,e1,e2;
+	unsigned char k[16];
+	unsigned long data[2];
+	unsigned char iv[8];
+	int i,num=0,numm;
+	int j=0;
+
+	if (argc >= 2)
+		num=atoi(argv[1]);
+
+	if (num == 0) num=16;
+	if (num > 250) num=16;
+	numm=num+2;
+	num*=64;
+	numm*=64;
+
+	for (j=0; j<6; j++)
+		{
+		for (i=0; i<10; i++) /**/
+			{
+			sha1_block_x86(&ctx,buffer,numm);
+			GetTSC(s1);
+			sha1_block_x86(&ctx,buffer,numm);
+			GetTSC(e1);
+			GetTSC(s2);
+			sha1_block_x86(&ctx,buffer,num);
+			GetTSC(e2);
+			sha1_block_x86(&ctx,buffer,num);
+			}
+
+		printf("sha1 (%d bytes) %d %d (%.2f)\n",num,
+			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+		}
+	}
+
diff --git a/crypto/openssl/tools/Makefile.ssl b/crypto/openssl/tools/Makefile.ssl
new file mode 100644
index 0000000..7e6285b
--- /dev/null
+++ b/crypto/openssl/tools/Makefile.ssl
@@ -0,0 +1,61 @@
+#
+# SSLeay/tools/Makefile
+#
+
+DIR=	tools
+TOP=	..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile.ssl
+TEST=
+APPS= c_rehash
+MISC_APPS= c_hash c_info c_issuer c_name
+
+all:
+
+install:
+	@for i in $(APPS) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+	chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	done;
+	@for i in $(MISC_APPS) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+	chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	done;
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+
+lint:
+
+tags:
+
+errors:
+
+depend:
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+errors:
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/tools/c_hash b/crypto/openssl/tools/c_hash
new file mode 100644
index 0000000..5e0a908
--- /dev/null
+++ b/crypto/openssl/tools/c_hash
@@ -0,0 +1,9 @@
+#!/bin/sh
+# print out the hash values 
+#
+
+for i in $*
+do
+	h=`openssl x509 -hash -noout -in $i`
+	echo "$h.0 => $i"
+done
diff --git a/crypto/openssl/tools/c_info b/crypto/openssl/tools/c_info
new file mode 100644
index 0000000..0e1e633
--- /dev/null
+++ b/crypto/openssl/tools/c_info
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+# print the subject
+#
+
+for i in $*
+do
+	n=`openssl x509 -subject -issuer -enddate -noout -in $i`
+	echo "$i"
+	echo "$n"
+	echo "--------"
+done
diff --git a/crypto/openssl/tools/c_issuer b/crypto/openssl/tools/c_issuer
new file mode 100644
index 0000000..4c69120
--- /dev/null
+++ b/crypto/openssl/tools/c_issuer
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# print out the issuer
+#
+
+for i in $*
+do
+	n=`openssl x509 -issuer -noout -in $i`
+	echo "$i\t$n"
+done
diff --git a/crypto/openssl/tools/c_name b/crypto/openssl/tools/c_name
new file mode 100644
index 0000000..28800c0
--- /dev/null
+++ b/crypto/openssl/tools/c_name
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# print the subject
+#
+
+for i in $*
+do
+	n=`openssl x509 -subject -noout -in $i`
+	echo "$i	$n"
+done
diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash
new file mode 100644
index 0000000..cc3b658
--- /dev/null
+++ b/crypto/openssl/tools/c_rehash
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# redo the hashes for the certificates in your cert path or the ones passed
+# on the command line.
+#
+
+if [ "$OPENSSL"x = "x" -o ! -x "$OPENSSL" ]; then
+	OPENSSL='openssl'
+	export OPENSSL
+fi
+DIR=/usr/local/ssl
+PATH=$DIR/bin:$PATH
+
+if [ ! -f "$OPENSSL" ]; then
+    found=0
+    for dir in . `echo $PATH | sed -e 's/:/ /g'`; do
+        if [ -f "$dir/$OPENSSL" ]; then
+            found=1
+            break
+        fi
+    done
+    if [ $found = 0 ]; then
+        echo "c_rehash: rehashing skipped ('openssl' program not available)" 1>&2
+        exit 0
+    fi
+fi
+
+SSL_DIR=$DIR/certs
+
+if [ "$*" = "" ]; then
+	CERTS=${*:-${SSL_CERT_DIR:-$SSL_DIR}}
+else
+	CERTS=$*
+fi
+
+IFS=': '
+for i in $CERTS
+do
+  (
+  IFS=' '
+  if [ -d $i -a -w $i ]; then
+    cd $i
+    echo "Doing $i"
+    for i in *.pem
+    do
+      if [ $i != '*.pem' ]; then
+        h=`$OPENSSL x509 -hash -noout -in $i`
+	if [ "x$h" = "x" ]; then
+	  echo $i does not contain a certificate
+	else
+          if [ -f $h.0 ]; then
+            /bin/rm -f $h.0
+          fi
+          echo "$i => $h.0"
+          ln -s $i $h.0
+	fi
+      fi
+    done
+  fi
+  )
+done
diff --git a/crypto/openssl/tools/c_rehash.in b/crypto/openssl/tools/c_rehash.in
new file mode 100644
index 0000000..cc3b658
--- /dev/null
+++ b/crypto/openssl/tools/c_rehash.in
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# redo the hashes for the certificates in your cert path or the ones passed
+# on the command line.
+#
+
+if [ "$OPENSSL"x = "x" -o ! -x "$OPENSSL" ]; then
+	OPENSSL='openssl'
+	export OPENSSL
+fi
+DIR=/usr/local/ssl
+PATH=$DIR/bin:$PATH
+
+if [ ! -f "$OPENSSL" ]; then
+    found=0
+    for dir in . `echo $PATH | sed -e 's/:/ /g'`; do
+        if [ -f "$dir/$OPENSSL" ]; then
+            found=1
+            break
+        fi
+    done
+    if [ $found = 0 ]; then
+        echo "c_rehash: rehashing skipped ('openssl' program not available)" 1>&2
+        exit 0
+    fi
+fi
+
+SSL_DIR=$DIR/certs
+
+if [ "$*" = "" ]; then
+	CERTS=${*:-${SSL_CERT_DIR:-$SSL_DIR}}
+else
+	CERTS=$*
+fi
+
+IFS=': '
+for i in $CERTS
+do
+  (
+  IFS=' '
+  if [ -d $i -a -w $i ]; then
+    cd $i
+    echo "Doing $i"
+    for i in *.pem
+    do
+      if [ $i != '*.pem' ]; then
+        h=`$OPENSSL x509 -hash -noout -in $i`
+	if [ "x$h" = "x" ]; then
+	  echo $i does not contain a certificate
+	else
+          if [ -f $h.0 ]; then
+            /bin/rm -f $h.0
+          fi
+          echo "$i => $h.0"
+          ln -s $i $h.0
+	fi
+      fi
+    done
+  fi
+  )
+done
diff --git a/crypto/openssl/util/FreeBSD.sh b/crypto/openssl/util/FreeBSD.sh
new file mode 100755
index 0000000..db8edfc
--- /dev/null
+++ b/crypto/openssl/util/FreeBSD.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+perl util/perlpath.pl /usr/bin
+perl util/ssldir.pl /usr/local  
+perl util/mk1mf.pl FreeBSD >Makefile.FreeBSD
+perl Configure FreeBSD
diff --git a/crypto/openssl/util/add_cr.pl b/crypto/openssl/util/add_cr.pl
new file mode 100755
index 0000000..c7b62c1
--- /dev/null
+++ b/crypto/openssl/util/add_cr.pl
@@ -0,0 +1,123 @@
+#!/usr/local/bin/perl
+#
+# This adds a copyright message to a souce code file.
+# It also gets the file name correct.
+#
+# perl util/add_cr.pl *.[ch] */*.[ch] */*/*.[ch]
+#
+
+foreach (@ARGV)
+	{
+	&dofile($_);
+	}
+
+sub dofile
+	{
+	local($file)=@_;
+
+	open(IN,"<$file") || die "unable to open $file:$!\n";
+
+	print STDERR "doing $file\n";
+	@in=<IN>;
+
+	return(1) if ($in[0] =~ / NOCW /);
+
+	@out=();
+	open(OUT,">$file.out") || die "unable to open $file.$$:$!\n";
+	push(@out,"/* $file */\n");
+	if (($in[1] !~ /^\/\* Copyright \(C\) [0-9-]+ Eric Young \(eay\@cryptsoft.com\)/))
+		{
+		push(@out,&Copyright);
+		$i=2;
+		@a=grep(/ Copyright \(C\) /,@in);
+		if ($#a >= 0)
+			{
+			while (($i <= $#in) && ($in[$i] ne " */\n"))
+				{ $i++; }
+			$i++ if ($in[$i] eq " */\n");
+
+			while (($i <= $#in) && ($in[$i] =~ /^\s*$/))
+				{ $i++; }
+
+			push(@out,"\n");
+			for ( ; $i <= $#in; $i++)
+				{ push(@out,$in[$i]); }
+			}
+		else
+			{ push(@out,@in); }
+		}
+	else
+		{
+		shift(@in);
+		push(@out,@in);
+		}
+	print OUT @out;
+	close(IN);
+	close(OUT);
+	rename("$file","$file.orig") || die "unable to rename $file:$!\n";
+	rename("$file.out",$file) || die "unable to rename $file.out:$!\n";
+	}
+
+
+
+sub Copyright
+	{
+	return <<'EOF';
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+EOF
+	}
diff --git a/crypto/openssl/util/bat.sh b/crypto/openssl/util/bat.sh
new file mode 100755
index 0000000..c6f48e8
--- /dev/null
+++ b/crypto/openssl/util/bat.sh
@@ -0,0 +1,132 @@
+#!/usr/local/bin/perl
+
+$infile="/home/eay/ssl/SSLeay/MINFO";
+
+open(IN,"<$infile") || die "unable to open $infile:$!\n";
+$_=<IN>;
+for (;;)
+	{
+	chop;
+
+	($key,$val)=/^([^=]+)=(.*)/;
+	if ($key eq "RELATIVE_DIRECTORY")
+		{
+		if ($lib ne "")
+			{
+			$uc=$lib;
+			$uc =~ s/^lib(.*)\.a/$1/;
+			$uc =~ tr/a-z/A-Z/;
+			$lib_nam{$uc}=$uc;
+			$lib_obj{$uc}.=$libobj." ";
+			}
+		last if ($val eq "FINISHED");
+		$lib="";
+		$libobj="";
+		$dir=$val;
+		}
+
+	if ($key eq "TEST")
+		{ $test.=&var_add($dir,$val); }
+
+	if (($key eq "PROGS") || ($key eq "E_OBJ"))
+		{ $e_exe.=&var_add($dir,$val); }
+
+	if ($key eq "LIB")
+		{
+		$lib=$val;
+		$lib =~ s/^.*\/([^\/]+)$/$1/;
+		}
+
+	if ($key eq "EXHEADER")
+		{ $exheader.=&var_add($dir,$val); }
+
+	if ($key eq "HEADER")
+		{ $header.=&var_add($dir,$val); }
+
+	if ($key eq "LIBSRC")
+		{ $libsrc.=&var_add($dir,$val); }
+
+	if (!($_=<IN>))
+		{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }
+	}
+close(IN);
+
+@a=split(/\s+/,$libsrc);
+foreach (@a)
+	{
+	print "${_}.c\n";
+	}
+
+sub var_add
+	{
+	local($dir,$val)=@_;
+	local(@a,$_,$ret);
+
+	return("") if $no_idea && $dir =~ /\/idea/;
+	return("") if $no_rc2  && $dir =~ /\/rc2/;
+	return("") if $no_rc4  && $dir =~ /\/rc4/;
+	return("") if $no_rsa  && $dir =~ /\/rsa/;
+	return("") if $no_rsa  && $dir =~ /^rsaref/;
+	return("") if $no_dsa  && $dir =~ /\/dsa/;
+	return("") if $no_dh   && $dir =~ /\/dh/;
+	if ($no_des && $dir =~ /\/des/)
+		{
+		if ($val =~ /read_pwd/)
+			{ return("$dir/read_pwd "); }
+		else
+			{ return(""); }
+		}
+	return("") if $no_mdc2 && $dir =~ /\/mdc2/;
+	return("") if $no_sock && $dir =~ /\/proxy/;
+	return("") if $no_bf   && $dir =~ /\/bf/;
+	return("") if $no_cast && $dir =~ /\/cast/;
+
+	$val =~ s/^\s*(.*)\s*$/$1/;
+	@a=split(/\s+/,$val);
+	grep(s/\.[och]$//,@a);
+
+	@a=grep(!/^e_.*_3d$/,@a) if $no_des;
+	@a=grep(!/^e_.*_d$/,@a) if $no_des;
+	@a=grep(!/^e_.*_i$/,@a) if $no_idea;
+	@a=grep(!/^e_.*_r2$/,@a) if $no_rc2;
+	@a=grep(!/^e_.*_bf$/,@a) if $no_bf;
+	@a=grep(!/^e_.*_c$/,@a) if $no_cast;
+	@a=grep(!/^e_rc4$/,@a) if $no_rc4;
+
+	@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
+	@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
+
+	@a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
+
+	@a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
+	@a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
+
+	@a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
+	@a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
+	@a=grep(!/(^pem_seal$)/,@a) if $no_rsa;
+
+	@a=grep(!/(m_dss$)|(m_dss1$)/,@a) if $no_dsa;
+	@a=grep(!/(^d2i_s_)|(^i2d_s_)|(_dsap$)/,@a) if $no_dsa;
+
+	@a=grep(!/^n_pkey$/,@a) if $no_rsa || $no_rc4;
+
+	@a=grep(!/_dhp$/,@a) if $no_dh;
+
+	@a=grep(!/(^sha[^1])|(_sha$)|(m_dss$)/,@a) if $no_sha;
+	@a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
+	@a=grep(!/_mdc2$/,@a) if $no_mdc2;
+
+	@a=grep(!/(^rsa$)|(^genrsa$)|(^req$)|(^ca$)/,@a) if $no_rsa;
+	@a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
+	@a=grep(!/^gendsa$/,@a) if $no_sha1;
+	@a=grep(!/(^dh$)|(^gendh$)/,@a) if $no_dh;
+
+	@a=grep(!/(^dh)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
+
+	grep($_="$dir/$_",@a);
+	@a=grep(!/(^|\/)s_/,@a) if $no_sock;
+	@a=grep(!/(^|\/)bio_sock/,@a) if $no_sock;
+	$ret=join(' ',@a)." ";
+	return($ret);
+	}
+
diff --git a/crypto/openssl/util/ck_errf.pl b/crypto/openssl/util/ck_errf.pl
new file mode 100755
index 0000000..7a24d6c
--- /dev/null
+++ b/crypto/openssl/util/ck_errf.pl
@@ -0,0 +1,45 @@
+#!/usr/local/bin/perl
+#
+# This is just a quick script to scan for cases where the 'error'
+# function name in a XXXerr() macro is wrong.
+# 
+# Run in the top level by going
+# perl util/ck_errf.pl */*.c */*/*.c
+#
+
+foreach $file (@ARGV)
+	{
+	open(IN,"<$file") || die "unable to open $file\n";
+	$func="";
+	while (<IN>)
+		{
+		if (/^[a-zA-Z].+[\s*]([A-Za-z_0-9]+)\(.*\)/)
+			{
+			$func=$1;
+			$func =~ tr/A-Z/a-z/;
+			}
+		if (/([A-Z0-9]+)err\(([^,]+)/)
+			{
+			next if ($func eq "");
+			$errlib=$1;
+			$n=$2;
+			if ($n !~ /([^_]+)_F_(.+)$/)
+				{
+		#		print "check -$file:$.:$func:$n\n";
+				next;
+				}
+			$lib=$1;
+			$n=$2;
+
+			if ($lib ne $errlib)
+				{ print "$file:$.:$func:$n\n"; next; }
+
+			$n =~ tr/A-Z/a-z/;
+			if (($n ne $func) && ($errlib ne "SYS"))
+				{ print "$file:$.:$func:$n\n"; next; }
+	#		print "$func:$1\n";
+			}
+		}
+	close(IN);
+        }
+
diff --git a/crypto/openssl/util/clean-depend.pl b/crypto/openssl/util/clean-depend.pl
new file mode 100755
index 0000000..af676af
--- /dev/null
+++ b/crypto/openssl/util/clean-depend.pl
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl -w
+# Clean the dependency list in a makefile of standard includes...
+# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
+
+use strict;
+
+while(<STDIN>) {
+    print;
+    last if /^# DO NOT DELETE THIS LINE/;
+}
+
+my %files;
+
+while(<STDIN>) {
+    my ($file,$deps)=/^(.*): (.*)$/;
+    next if !defined $deps;
+    my @deps=split ' ',$deps;
+    @deps=grep(!/^\/usr\/include/,@deps);
+    @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps);
+    push @{$files{$file}},@deps;
+}
+
+my $file;
+foreach $file (sort keys %files) {
+    my $len=0;
+    my $dep;
+    foreach $dep (sort @{$files{$file}}) {
+	$len=0 if $len+length($dep)+1 >= 80;
+	if($len == 0) {
+	    print "\n$file:";
+	    $len=length($file)+1;
+	}
+	print " $dep";
+	$len+=length($dep)+1;
+    }
+}
+
+print "\n";
diff --git a/crypto/openssl/util/deleof.pl b/crypto/openssl/util/deleof.pl
new file mode 100755
index 0000000..155acd8
--- /dev/null
+++ b/crypto/openssl/util/deleof.pl
@@ -0,0 +1,7 @@
+#!/usr/local/bin/perl
+
+while (<>)
+	{
+	print
+	last if (/^# DO NOT DELETE THIS LINE/);
+	}
diff --git a/crypto/openssl/util/do_ms.sh b/crypto/openssl/util/do_ms.sh
new file mode 100755
index 0000000..515b074
--- /dev/null
+++ b/crypto/openssl/util/do_ms.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# generate the Microsoft makefiles and .def files
+#
+
+PATH=util:../util:$PATH
+
+# perl util/mk1mf.pl no-sock VC-MSDOS >ms/msdos.mak
+# perl util/mk1mf.pl VC-W31-32 >ms/w31.mak
+perl util/mk1mf.pl dll VC-WIN16 >ms/w31dll.mak
+# perl util/mk1mf.pl VC-WIN32 >ms/nt.mak
+perl util/mk1mf.pl dll VC-WIN32 >ms/ntdll.mak
+perl util/mk1mf.pl Mingw32 >ms/mingw32.mak
+perl util/mk1mf.pl Mingw32-files >ms/mingw32f.mak
+
+perl util/mkdef.pl 16 libeay > ms/libeay16.def
+perl util/mkdef.pl 32 libeay > ms/libeay32.def
+perl util/mkdef.pl 16 ssleay > ms/ssleay16.def
+perl util/mkdef.pl 32 ssleay > ms/ssleay32.def
diff --git a/crypto/openssl/util/domd b/crypto/openssl/util/domd
new file mode 100755
index 0000000..9f75131
--- /dev/null
+++ b/crypto/openssl/util/domd
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Do a makedepend, only leave out the standard headers
+# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
+
+TOP=$1
+shift
+
+cp Makefile.ssl Makefile.save
+makedepend -f Makefile.ssl $@
+perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+mv Makefile.new Makefile.ssl
diff --git a/crypto/openssl/util/err-ins.pl b/crypto/openssl/util/err-ins.pl
new file mode 100755
index 0000000..31b70df
--- /dev/null
+++ b/crypto/openssl/util/err-ins.pl
@@ -0,0 +1,33 @@
+#!/usr/local/bin/perl
+#
+# tack error codes onto the end of a file
+#
+
+open(ERR,$ARGV[0]) || die "unable to open error file '$ARGV[0]':$!\n";
+@err=<ERR>;
+close(ERR);
+
+open(IN,$ARGV[1]) || die "unable to open header file '$ARGV[1]':$!\n";
+
+@out="";
+while (<IN>)
+	{
+	push(@out,$_);
+	last if /BEGIN ERROR CODES/;
+	}
+close(IN);
+
+open(OUT,">$ARGV[1]") || die "unable to open header file '$ARGV[1]':$1\n";
+print OUT @out;
+print OUT @err;
+print OUT <<"EOF";
+ 
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
+EOF
+close(OUT);
+
+
diff --git a/crypto/openssl/util/files.pl b/crypto/openssl/util/files.pl
new file mode 100755
index 0000000..41f033e
--- /dev/null
+++ b/crypto/openssl/util/files.pl
@@ -0,0 +1,61 @@
+#!/usr/local/bin/perl
+#
+# used to generate the file MINFO for use by util/mk1mf.pl
+# It is basically a list of all variables from the passed makefile
+#
+
+$s="";
+while (<>)
+	{
+	chop;
+	s/#.*//;
+	if (/^(\S+)\s*=\s*(.*)$/)
+		{
+		$o="";
+		($s,$b)=($1,$2);
+		for (;;)
+			{
+			if ($b =~ /\\$/)
+				{
+				chop($b);
+				$o.=$b." ";
+				$b=<>;
+				chop($b);
+				}
+			else
+				{
+				$o.=$b." ";
+				last;
+				}
+			}
+		$o =~ s/^\s+//;
+		$o =~ s/\s+$//;
+		$o =~ s/\s+/ /g;
+
+		$o =~ s/\$[({]([^)}]+)[)}]/$sym{$1}/g;
+		$sym{$s}=$o;
+		}
+	}
+
+$pwd=`pwd`; chop($pwd);
+
+if ($sym{'TOP'} eq ".")
+	{
+	$n=0;
+	$dir=".";
+	}
+else	{
+	$n=split(/\//,$sym{'TOP'});
+	@_=split(/\//,$pwd);
+	$z=$#_-$n+1;
+	foreach $i ($z .. $#_) { $dir.=$_[$i]."/"; }
+	chop($dir);
+	}
+
+print "RELATIVE_DIRECTORY=$dir\n";
+
+foreach (sort keys %sym)
+	{
+	print "$_=$sym{$_}\n";
+	}
+print "RELATIVE_DIRECTORY=\n";
diff --git a/crypto/openssl/util/fixNT.sh b/crypto/openssl/util/fixNT.sh
new file mode 100755
index 0000000..ce4f192
--- /dev/null
+++ b/crypto/openssl/util/fixNT.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# clean up the mess that NT makes of my source tree
+#
+
+if [ -f makefile.ssl -a ! -f Makefile.ssl ]; then
+	/bin/mv makefile.ssl Makefile.ssl
+fi
+chmod +x Configure util/*
+echo cleaning
+/bin/rm -f `find . -name '*.$$$' -print` 2>/dev/null >/dev/null
+echo 'removing those damn ^M'
+perl -pi -e 's/\015//' `find . -type 'f' -print |grep -v '.obj$' |grep -v '.der$' |grep -v '.gz'`
+make -f Makefile.ssl links
diff --git a/crypto/openssl/util/install.sh b/crypto/openssl/util/install.sh
new file mode 100755
index 0000000..e1d0c98
--- /dev/null
+++ b/crypto/openssl/util/install.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5; it is not part of GNU.
+#
+# $XConsortium: install.sh,v 1.2 89/12/18 14:47:22 jim Exp $
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+doit="${DOITPROG:-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG:-mv}"
+cpprog="${CPPROG:-cp}"
+chmodprog="${CHMODPROG:-chmod}"
+chownprog="${CHOWNPROG:-chown}"
+chgrpprog="${CHGRPPROG:-chgrp}"
+stripprog="${STRIPPROG:-strip}"
+rmprog="${RMPROG:-rm}"
+
+instcmd="$mvprog"
+chmodcmd=""
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+src=""
+dst=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:  no input file specified"
+	exit 1
+fi
+
+if [ x"$dst" = x ]
+then
+	echo "install:  no destination specified"
+	exit 1
+fi
+
+
+# if destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+if [ -d $dst ]
+then
+	dst="$dst"/`basename $src`
+fi
+
+
+# get rid of the old one and mode the new one in
+
+$doit $rmcmd $dst
+$doit $instcmd $src $dst
+
+
+# and set any options; do chmod last to preserve setuid bits
+
+if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; fi
+if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; fi
+if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; fi
+if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; fi
+
+exit 0
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
new file mode 100755
index 0000000..f611d6b
--- /dev/null
+++ b/crypto/openssl/util/libeay.num
@@ -0,0 +1,2232 @@
+SSLeay					1
+SSLeay_version				2
+ASN1_BIT_STRING_asn1_meth		3
+ASN1_HEADER_free			4
+ASN1_HEADER_new				5
+ASN1_IA5STRING_asn1_meth		6
+ASN1_INTEGER_get			7
+ASN1_INTEGER_set			8
+ASN1_INTEGER_to_BN			9
+ASN1_OBJECT_create			10
+ASN1_OBJECT_free			11
+ASN1_OBJECT_new				12
+ASN1_PRINTABLE_type			13
+ASN1_STRING_cmp				14
+ASN1_STRING_dup				15
+ASN1_STRING_free			16
+ASN1_STRING_new				17
+ASN1_STRING_print			18
+ASN1_STRING_set				19
+ASN1_STRING_type_new			20
+ASN1_TYPE_free				21
+ASN1_TYPE_new				22
+ASN1_UNIVERSALSTRING_to_string		23
+ASN1_UTCTIME_check			24
+ASN1_UTCTIME_print			25
+ASN1_UTCTIME_set			26
+ASN1_check_infinite_end			27
+ASN1_d2i_bio				28
+ASN1_d2i_fp				29
+ASN1_digest				30
+ASN1_dup				31
+ASN1_get_object				32
+ASN1_i2d_bio				33
+ASN1_i2d_fp				34
+ASN1_object_size			35
+ASN1_parse				36
+ASN1_put_object				37
+ASN1_sign				38
+ASN1_verify				39
+BF_cbc_encrypt				40
+BF_cfb64_encrypt			41
+BF_ecb_encrypt				42
+BF_encrypt				43
+BF_ofb64_encrypt			44
+BF_options				45
+BF_set_key				46
+BIO_CONNECT_free			47
+BIO_CONNECT_new				48
+BIO_accept				51
+BIO_ctrl				52
+BIO_int_ctrl				53
+BIO_debug_callback			54
+BIO_dump				55
+BIO_dup_chain				56
+BIO_f_base64				57
+BIO_f_buffer				58
+BIO_f_cipher				59
+BIO_f_md				60
+BIO_f_null				61
+BIO_f_proxy_server			62
+BIO_fd_non_fatal_error			63
+BIO_fd_should_retry			64
+BIO_find_type				65
+BIO_free				66
+BIO_free_all				67
+BIO_get_accept_socket			69
+BIO_get_filter_bio			70
+BIO_get_host_ip				71
+BIO_get_port				72
+BIO_get_retry_BIO			73
+BIO_get_retry_reason			74
+BIO_gethostbyname			75
+BIO_gets				76
+BIO_new					78
+BIO_new_accept				79
+BIO_new_connect				80
+BIO_new_fd				81
+BIO_new_file				82
+BIO_new_fp				83
+BIO_new_socket				84
+BIO_pop					85
+BIO_printf				86
+BIO_push				87
+BIO_puts				88
+BIO_read				89
+BIO_s_accept				90
+BIO_s_connect				91
+BIO_s_fd				92
+BIO_s_file				93
+BIO_s_mem				95
+BIO_s_null				96
+BIO_s_proxy_client			97
+BIO_s_socket				98
+BIO_set					100
+BIO_set_cipher				101
+BIO_set_tcp_ndelay			102
+BIO_sock_cleanup			103
+BIO_sock_error				104
+BIO_sock_init				105
+BIO_sock_non_fatal_error		106
+BIO_sock_should_retry			107
+BIO_socket_ioctl			108
+BIO_write				109
+BN_CTX_free				110
+BN_CTX_new				111
+BN_MONT_CTX_free			112
+BN_MONT_CTX_new				113
+BN_MONT_CTX_set				114
+BN_add					115
+BN_add_word				116
+BN_hex2bn				117
+BN_bin2bn				118
+BN_bn2hex				119
+BN_bn2bin				120
+BN_clear				121
+BN_clear_bit				122
+BN_clear_free				123
+BN_cmp					124
+BN_copy					125
+BN_div					126
+BN_div_word				127
+BN_dup					128
+BN_free					129
+BN_from_montgomery			130
+BN_gcd					131
+BN_generate_prime			132
+BN_get_word				133
+BN_is_bit_set				134
+BN_is_prime				135
+BN_lshift				136
+BN_lshift1				137
+BN_mask_bits				138
+BN_mod					139
+BN_mod_exp				140
+BN_mod_exp_mont				141
+BN_mod_exp_recp				142
+BN_mod_exp_simple			143
+BN_mod_inverse				144
+BN_mod_mul				145
+BN_mod_mul_montgomery			146
+BN_mod_mul_reciprocal			147
+BN_mod_word				148
+BN_mul					149
+BN_new					150
+BN_num_bits				151
+BN_num_bits_word			152
+BN_options				153
+BN_print				154
+BN_print_fp				155
+BN_rand					156
+BN_reciprocal				157
+BN_rshift				158
+BN_rshift1				159
+BN_set_bit				160
+BN_set_word				161
+BN_sqr					162
+BN_sub					163
+BN_to_ASN1_INTEGER			164
+BN_ucmp					165
+BN_value_one				166
+BUF_MEM_free				167
+BUF_MEM_grow				168
+BUF_MEM_new				169
+BUF_strdup				170
+CONF_free				171
+CONF_get_number				172
+CONF_get_section			173
+CONF_get_string				174
+CONF_load				175
+CRYPTO_add_lock				176
+CRYPTO_dbg_free				177
+CRYPTO_dbg_malloc			178
+CRYPTO_dbg_realloc			179
+CRYPTO_dbg_remalloc			180
+CRYPTO_free				181
+CRYPTO_get_add_lock_callback		182
+CRYPTO_get_id_callback			183
+CRYPTO_get_lock_name			184
+CRYPTO_get_locking_callback		185
+CRYPTO_get_mem_functions		186
+CRYPTO_lock				187
+CRYPTO_malloc				188
+CRYPTO_mem_ctrl				189
+CRYPTO_mem_leaks			190
+CRYPTO_mem_leaks_cb			191
+CRYPTO_mem_leaks_fp			192
+CRYPTO_realloc				193
+CRYPTO_remalloc				194
+CRYPTO_set_add_lock_callback		195
+CRYPTO_set_id_callback			196
+CRYPTO_set_locking_callback		197
+CRYPTO_set_mem_functions		198
+CRYPTO_thread_id			199
+DH_check				200
+DH_compute_key				201
+DH_free					202
+DH_generate_key				203
+DH_generate_parameters			204
+DH_new					205
+DH_size					206
+DHparams_print				207
+DHparams_print_fp			208
+DSA_free				209
+DSA_generate_key			210
+DSA_generate_parameters			211
+DSA_is_prime				212
+DSA_new					213
+DSA_print				214
+DSA_print_fp				215
+DSA_sign				216
+DSA_sign_setup				217
+DSA_size				218
+DSA_verify				219
+DSAparams_print				220
+DSAparams_print_fp			221
+ERR_clear_error				222
+ERR_error_string			223
+ERR_free_strings			224
+ERR_func_error_string			225
+ERR_get_err_state_table			226
+ERR_get_error				227
+ERR_get_error_line			228
+ERR_get_state				229
+ERR_get_string_table			230
+ERR_lib_error_string			231
+ERR_load_ASN1_strings			232
+ERR_load_BIO_strings			233
+ERR_load_BN_strings			234
+ERR_load_BUF_strings			235
+ERR_load_CONF_strings			236
+ERR_load_DH_strings			237
+ERR_load_DSA_strings			238
+ERR_load_ERR_strings			239
+ERR_load_EVP_strings			240
+ERR_load_OBJ_strings			241
+ERR_load_PEM_strings			242
+ERR_load_PROXY_strings			243
+ERR_load_RSA_strings			244
+ERR_load_X509_strings			245
+ERR_load_crypto_strings			246
+ERR_load_strings			247
+ERR_peek_error				248
+ERR_peek_error_line			249
+ERR_print_errors			250
+ERR_print_errors_fp			251
+ERR_put_error				252
+ERR_reason_error_string			253
+ERR_remove_state			254
+EVP_BytesToKey				255
+EVP_CIPHER_CTX_cleanup			256
+EVP_CipherFinal				257
+EVP_CipherInit				258
+EVP_CipherUpdate			259
+EVP_DecodeBlock				260
+EVP_DecodeFinal				261
+EVP_DecodeInit				262
+EVP_DecodeUpdate			263
+EVP_DecryptFinal			264
+EVP_DecryptInit				265
+EVP_DecryptUpdate			266
+EVP_DigestFinal				267
+EVP_DigestInit				268
+EVP_DigestUpdate			269
+EVP_EncodeBlock				270
+EVP_EncodeFinal				271
+EVP_EncodeInit				272
+EVP_EncodeUpdate			273
+EVP_EncryptFinal			274
+EVP_EncryptInit				275
+EVP_EncryptUpdate			276
+EVP_OpenFinal				277
+EVP_OpenInit				278
+EVP_PKEY_assign				279
+EVP_PKEY_copy_parameters		280
+EVP_PKEY_free				281
+EVP_PKEY_missing_parameters		282
+EVP_PKEY_new				283
+EVP_PKEY_save_parameters		284
+EVP_PKEY_size				285
+EVP_PKEY_type				286
+EVP_SealFinal				287
+EVP_SealInit				288
+EVP_SignFinal				289
+EVP_VerifyFinal				290
+EVP_add_alias				291
+EVP_add_cipher				292
+EVP_add_digest				293
+EVP_bf_cbc				294
+EVP_bf_cfb				295
+EVP_bf_ecb				296
+EVP_bf_ofb				297
+EVP_cleanup				298
+EVP_des_cbc				299
+EVP_des_cfb				300
+EVP_des_ecb				301
+EVP_des_ede				302
+EVP_des_ede3				303
+EVP_des_ede3_cbc			304
+EVP_des_ede3_cfb			305
+EVP_des_ede3_ofb			306
+EVP_des_ede_cbc				307
+EVP_des_ede_cfb				308
+EVP_des_ede_ofb				309
+EVP_des_ofb				310
+EVP_desx_cbc				311
+EVP_dss					312
+EVP_dss1				313
+EVP_enc_null				314
+EVP_get_cipherbyname			315
+EVP_get_digestbyname			316
+EVP_get_pw_prompt			317
+EVP_idea_cbc				318
+EVP_idea_cfb				319
+EVP_idea_ecb				320
+EVP_idea_ofb				321
+EVP_md2					322
+EVP_md5					323
+EVP_md_null				324
+EVP_rc2_cbc				325
+EVP_rc2_cfb				326
+EVP_rc2_ecb				327
+EVP_rc2_ofb				328
+EVP_rc4					329
+EVP_read_pw_string			330
+EVP_set_pw_prompt			331
+EVP_sha					332
+EVP_sha1				333
+MD2					334
+MD2_Final				335
+MD2_Init				336
+MD2_Update				337
+MD2_options				338
+MD5					339
+MD5_Final				340
+MD5_Init				341
+MD5_Update				342
+MDC2					343
+MDC2_Final				344
+MDC2_Init				345
+MDC2_Update				346
+NETSCAPE_SPKAC_free			347
+NETSCAPE_SPKAC_new			348
+NETSCAPE_SPKI_free			349
+NETSCAPE_SPKI_new			350
+NETSCAPE_SPKI_sign			351
+NETSCAPE_SPKI_verify			352
+OBJ_add_object				353
+OBJ_bsearch				354
+OBJ_cleanup				355
+OBJ_cmp					356
+OBJ_create				357
+OBJ_dup					358
+OBJ_ln2nid				359
+OBJ_new_nid				360
+OBJ_nid2ln				361
+OBJ_nid2obj				362
+OBJ_nid2sn				363
+OBJ_obj2nid				364
+OBJ_sn2nid				365
+OBJ_txt2nid				366
+PEM_ASN1_read				367
+PEM_ASN1_read_bio			368
+PEM_ASN1_write				369
+PEM_ASN1_write_bio			370
+PEM_SealFinal				371
+PEM_SealInit				372
+PEM_SealUpdate				373
+PEM_SignFinal				374
+PEM_SignInit				375
+PEM_SignUpdate				376
+PEM_X509_INFO_read			377
+PEM_X509_INFO_read_bio			378
+PEM_X509_INFO_write_bio			379
+PEM_dek_info				380
+PEM_do_header				381
+PEM_get_EVP_CIPHER_INFO			382
+PEM_proc_type				383
+PEM_read				384
+PEM_read_DHparams			385
+PEM_read_DSAPrivateKey			386
+PEM_read_DSAparams			387
+PEM_read_PKCS7				388
+PEM_read_PrivateKey			389
+PEM_read_RSAPrivateKey			390
+PEM_read_X509				391
+PEM_read_X509_CRL			392
+PEM_read_X509_REQ			393
+PEM_read_bio				394
+PEM_read_bio_DHparams			395
+PEM_read_bio_DSAPrivateKey		396
+PEM_read_bio_DSAparams			397
+PEM_read_bio_PKCS7			398
+PEM_read_bio_PrivateKey			399
+PEM_read_bio_RSAPrivateKey		400
+PEM_read_bio_X509			401
+PEM_read_bio_X509_CRL			402
+PEM_read_bio_X509_REQ			403
+PEM_write				404
+PEM_write_DHparams			405
+PEM_write_DSAPrivateKey			406
+PEM_write_DSAparams			407
+PEM_write_PKCS7				408
+PEM_write_PrivateKey			409
+PEM_write_RSAPrivateKey			410
+PEM_write_X509				411
+PEM_write_X509_CRL			412
+PEM_write_X509_REQ			413
+PEM_write_bio				414
+PEM_write_bio_DHparams			415
+PEM_write_bio_DSAPrivateKey		416
+PEM_write_bio_DSAparams			417
+PEM_write_bio_PKCS7			418
+PEM_write_bio_PrivateKey		419
+PEM_write_bio_RSAPrivateKey		420
+PEM_write_bio_X509			421
+PEM_write_bio_X509_CRL			422
+PEM_write_bio_X509_REQ			423
+PKCS7_DIGEST_free			424
+PKCS7_DIGEST_new			425
+PKCS7_ENCRYPT_free			426
+PKCS7_ENCRYPT_new			427
+PKCS7_ENC_CONTENT_free			428
+PKCS7_ENC_CONTENT_new			429
+PKCS7_ENVELOPE_free			430
+PKCS7_ENVELOPE_new			431
+PKCS7_ISSUER_AND_SERIAL_digest		432
+PKCS7_ISSUER_AND_SERIAL_free		433
+PKCS7_ISSUER_AND_SERIAL_new		434
+PKCS7_RECIP_INFO_free			435
+PKCS7_RECIP_INFO_new			436
+PKCS7_SIGNED_free			437
+PKCS7_SIGNED_new			438
+PKCS7_SIGNER_INFO_free			439
+PKCS7_SIGNER_INFO_new			440
+PKCS7_SIGN_ENVELOPE_free		441
+PKCS7_SIGN_ENVELOPE_new			442
+PKCS7_dup				443
+PKCS7_free				444
+PKCS7_new				445
+PROXY_ENTRY_add_noproxy			446
+PROXY_ENTRY_clear_noproxy		447
+PROXY_ENTRY_free			448
+PROXY_ENTRY_get_noproxy			449
+PROXY_ENTRY_new				450
+PROXY_ENTRY_set_server			451
+PROXY_add_noproxy			452
+PROXY_add_server			453
+PROXY_check_by_host			454
+PROXY_check_url				455
+PROXY_clear_noproxy			456
+PROXY_free				457
+PROXY_get_noproxy			458
+PROXY_get_proxies			459
+PROXY_get_proxy_entry			460
+PROXY_load_conf				461
+PROXY_new				462
+PROXY_print				463
+RAND_bytes				464
+RAND_cleanup				465
+RAND_file_name				466
+RAND_load_file				467
+RAND_screen				468
+RAND_seed				469
+RAND_write_file				470
+RC2_cbc_encrypt				471
+RC2_cfb64_encrypt			472
+RC2_ecb_encrypt				473
+RC2_encrypt				474
+RC2_ofb64_encrypt			475
+RC2_set_key				476
+RC4					477
+RC4_options				478
+RC4_set_key				479
+RSAPrivateKey_asn1_meth			480
+RSAPrivateKey_dup			481
+RSAPublicKey_dup			482
+RSA_PKCS1_SSLeay			483
+RSA_free				484
+RSA_generate_key			485
+RSA_new					486
+RSA_new_method				487
+RSA_print				488
+RSA_print_fp				489
+RSA_private_decrypt			490
+RSA_private_encrypt			491
+RSA_public_decrypt			492
+RSA_public_encrypt			493
+RSA_set_default_method			494
+RSA_sign				495
+RSA_sign_ASN1_OCTET_STRING		496
+RSA_size				497
+RSA_verify				498
+RSA_verify_ASN1_OCTET_STRING		499
+SHA					500
+SHA1					501
+SHA1_Final				502
+SHA1_Init				503
+SHA1_Update				504
+SHA_Final				505
+SHA_Init				506
+SHA_Update				507
+OpenSSL_add_all_algorithms		508
+OpenSSL_add_all_ciphers			509
+OpenSSL_add_all_digests			510
+TXT_DB_create_index			511
+TXT_DB_free				512
+TXT_DB_get_by_index			513
+TXT_DB_insert				514
+TXT_DB_read				515
+TXT_DB_write				516
+X509_ALGOR_free				517
+X509_ALGOR_new				518
+X509_ATTRIBUTE_free			519
+X509_ATTRIBUTE_new			520
+X509_CINF_free				521
+X509_CINF_new				522
+X509_CRL_INFO_free			523
+X509_CRL_INFO_new			524
+X509_CRL_add_ext			525
+X509_CRL_cmp				526
+X509_CRL_delete_ext			527
+X509_CRL_dup				528
+X509_CRL_free				529
+X509_CRL_get_ext			530
+X509_CRL_get_ext_by_NID			531
+X509_CRL_get_ext_by_OBJ			532
+X509_CRL_get_ext_by_critical		533
+X509_CRL_get_ext_count			534
+X509_CRL_new				535
+X509_CRL_sign				536
+X509_CRL_verify				537
+X509_EXTENSION_create_by_NID		538
+X509_EXTENSION_create_by_OBJ		539
+X509_EXTENSION_dup			540
+X509_EXTENSION_free			541
+X509_EXTENSION_get_critical		542
+X509_EXTENSION_get_data			543
+X509_EXTENSION_get_object		544
+X509_EXTENSION_new			545
+X509_EXTENSION_set_critical		546
+X509_EXTENSION_set_data			547
+X509_EXTENSION_set_object		548
+X509_INFO_free				549
+X509_INFO_new				550
+X509_LOOKUP_by_alias			551
+X509_LOOKUP_by_fingerprint		552
+X509_LOOKUP_by_issuer_serial		553
+X509_LOOKUP_by_subject			554
+X509_LOOKUP_ctrl			555
+X509_LOOKUP_file			556
+X509_LOOKUP_free			557
+X509_LOOKUP_hash_dir			558
+X509_LOOKUP_init			559
+X509_LOOKUP_new				560
+X509_LOOKUP_shutdown			561
+X509_NAME_ENTRY_create_by_NID		562
+X509_NAME_ENTRY_create_by_OBJ		563
+X509_NAME_ENTRY_dup			564
+X509_NAME_ENTRY_free			565
+X509_NAME_ENTRY_get_data		566
+X509_NAME_ENTRY_get_object		567
+X509_NAME_ENTRY_new			568
+X509_NAME_ENTRY_set_data		569
+X509_NAME_ENTRY_set_object		570
+X509_NAME_add_entry			571
+X509_NAME_cmp				572
+X509_NAME_delete_entry			573
+X509_NAME_digest			574
+X509_NAME_dup				575
+X509_NAME_entry_count			576
+X509_NAME_free				577
+X509_NAME_get_entry			578
+X509_NAME_get_index_by_NID		579
+X509_NAME_get_index_by_OBJ		580
+X509_NAME_get_text_by_NID		581
+X509_NAME_get_text_by_OBJ		582
+X509_NAME_hash				583
+X509_NAME_new				584
+X509_NAME_oneline			585
+X509_NAME_print				586
+X509_NAME_set				587
+X509_OBJECT_free_contents		588
+X509_OBJECT_retrieve_by_subject		589
+X509_OBJECT_up_ref_count		590
+X509_PKEY_free				591
+X509_PKEY_new				592
+X509_PUBKEY_free			593
+X509_PUBKEY_get				594
+X509_PUBKEY_new				595
+X509_PUBKEY_set				596
+X509_REQ_INFO_free			597
+X509_REQ_INFO_new			598
+X509_REQ_dup				599
+X509_REQ_free				600
+X509_REQ_get_pubkey			601
+X509_REQ_new				602
+X509_REQ_print				603
+X509_REQ_print_fp			604
+X509_REQ_set_pubkey			605
+X509_REQ_set_subject_name		606
+X509_REQ_set_version			607
+X509_REQ_sign				608
+X509_REQ_to_X509			609
+X509_REQ_verify				610
+X509_REVOKED_add_ext			611
+X509_REVOKED_delete_ext			612
+X509_REVOKED_free			613
+X509_REVOKED_get_ext			614
+X509_REVOKED_get_ext_by_NID		615
+X509_REVOKED_get_ext_by_OBJ		616
+X509_REVOKED_get_ext_by_critical	617
+X509_REVOKED_get_ext_count		618
+X509_REVOKED_new			619
+X509_SIG_free				620
+X509_SIG_new				621
+X509_STORE_CTX_cleanup			622
+X509_STORE_CTX_init			623
+X509_STORE_add_cert			624
+X509_STORE_add_lookup			625
+X509_STORE_free				626
+X509_STORE_get_by_subject		627
+X509_STORE_load_locations		628
+X509_STORE_new				629
+X509_STORE_set_default_paths		630
+X509_VAL_free				631
+X509_VAL_new				632
+X509_add_ext				633
+X509_asn1_meth				634
+X509_certificate_type			635
+X509_check_private_key			636
+X509_cmp_current_time			637
+X509_delete_ext				638
+X509_digest				639
+X509_dup				640
+X509_free				641
+X509_get_default_cert_area		642
+X509_get_default_cert_dir		643
+X509_get_default_cert_dir_env		644
+X509_get_default_cert_file		645
+X509_get_default_cert_file_env		646
+X509_get_default_private_dir		647
+X509_get_ext				648
+X509_get_ext_by_NID			649
+X509_get_ext_by_OBJ			650
+X509_get_ext_by_critical		651
+X509_get_ext_count			652
+X509_get_issuer_name			653
+X509_get_pubkey				654
+X509_get_pubkey_parameters		655
+X509_get_serialNumber			656
+X509_get_subject_name			657
+X509_gmtime_adj				658
+X509_issuer_and_serial_cmp		659
+X509_issuer_and_serial_hash		660
+X509_issuer_name_cmp			661
+X509_issuer_name_hash			662
+X509_load_cert_file			663
+X509_new				664
+X509_print				665
+X509_print_fp				666
+X509_set_issuer_name			667
+X509_set_notAfter			668
+X509_set_notBefore			669
+X509_set_pubkey				670
+X509_set_serialNumber			671
+X509_set_subject_name			672
+X509_set_version			673
+X509_sign				674
+X509_subject_name_cmp			675
+X509_subject_name_hash			676
+X509_to_X509_REQ			677
+X509_verify				678
+X509_verify_cert			679
+X509_verify_cert_error_string		680
+X509v3_add_ext				681
+X509v3_add_extension			682
+X509v3_add_netscape_extensions		683
+X509v3_add_standard_extensions		684
+X509v3_cleanup_extensions		685
+X509v3_data_type_by_NID			686
+X509v3_data_type_by_OBJ			687
+X509v3_delete_ext			688
+X509v3_get_ext				689
+X509v3_get_ext_by_NID			690
+X509v3_get_ext_by_OBJ			691
+X509v3_get_ext_by_critical		692
+X509v3_get_ext_count			693
+X509v3_pack_string			694
+X509v3_pack_type_by_NID			695
+X509v3_pack_type_by_OBJ			696
+X509v3_unpack_string			697
+_des_crypt				698
+a2d_ASN1_OBJECT				699
+a2i_ASN1_INTEGER			700
+a2i_ASN1_STRING				701
+asn1_Finish				702
+asn1_GetSequence			703
+bn_div_words				704
+bn_expand2				705
+bn_mul_add_words			706
+bn_mul_words				707
+BN_uadd					708
+BN_usub					709
+bn_sqr_words				710
+crypt					711
+d2i_ASN1_BIT_STRING			712
+d2i_ASN1_BOOLEAN			713
+d2i_ASN1_HEADER				714
+d2i_ASN1_IA5STRING			715
+d2i_ASN1_INTEGER			716
+d2i_ASN1_OBJECT				717
+d2i_ASN1_OCTET_STRING			718
+d2i_ASN1_PRINTABLE			719
+d2i_ASN1_PRINTABLESTRING		720
+d2i_ASN1_SET				721
+d2i_ASN1_T61STRING			722
+d2i_ASN1_TYPE				723
+d2i_ASN1_UTCTIME			724
+d2i_ASN1_bytes				725
+d2i_ASN1_type_bytes			726
+d2i_DHparams				727
+d2i_DSAPrivateKey			728
+d2i_DSAPrivateKey_bio			729
+d2i_DSAPrivateKey_fp			730
+d2i_DSAPublicKey			731
+d2i_DSAparams				732
+d2i_NETSCAPE_SPKAC			733
+d2i_NETSCAPE_SPKI			734
+d2i_Netscape_RSA			735
+d2i_PKCS7				736
+d2i_PKCS7_DIGEST			737
+d2i_PKCS7_ENCRYPT			738
+d2i_PKCS7_ENC_CONTENT			739
+d2i_PKCS7_ENVELOPE			740
+d2i_PKCS7_ISSUER_AND_SERIAL		741
+d2i_PKCS7_RECIP_INFO			742
+d2i_PKCS7_SIGNED			743
+d2i_PKCS7_SIGNER_INFO			744
+d2i_PKCS7_SIGN_ENVELOPE			745
+d2i_PKCS7_bio				746
+d2i_PKCS7_fp				747
+d2i_PrivateKey				748
+d2i_PublicKey				749
+d2i_RSAPrivateKey			750
+d2i_RSAPrivateKey_bio			751
+d2i_RSAPrivateKey_fp			752
+d2i_RSAPublicKey			753
+d2i_X509				754
+d2i_X509_ALGOR				755
+d2i_X509_ATTRIBUTE			756
+d2i_X509_CINF				757
+d2i_X509_CRL				758
+d2i_X509_CRL_INFO			759
+d2i_X509_CRL_bio			760
+d2i_X509_CRL_fp				761
+d2i_X509_EXTENSION			762
+d2i_X509_NAME				763
+d2i_X509_NAME_ENTRY			764
+d2i_X509_PKEY				765
+d2i_X509_PUBKEY				766
+d2i_X509_REQ				767
+d2i_X509_REQ_INFO			768
+d2i_X509_REQ_bio			769
+d2i_X509_REQ_fp				770
+d2i_X509_REVOKED			771
+d2i_X509_SIG				772
+d2i_X509_VAL				773
+d2i_X509_bio				774
+d2i_X509_fp				775
+des_cbc_cksum				777
+des_cbc_encrypt				778
+des_cblock_print_file			779
+des_cfb64_encrypt			780
+des_cfb_encrypt				781
+des_decrypt3				782
+des_ecb3_encrypt			783
+des_ecb_encrypt				784
+des_ede3_cbc_encrypt			785
+des_ede3_cfb64_encrypt			786
+des_ede3_ofb64_encrypt			787
+des_enc_read				788
+des_enc_write				789
+des_encrypt				790
+des_encrypt2				791
+des_encrypt3				792
+des_fcrypt				793
+des_is_weak_key				794
+des_key_sched				795
+des_ncbc_encrypt			796
+des_ofb64_encrypt			797
+des_ofb_encrypt				798
+des_options				799
+des_pcbc_encrypt			800
+des_quad_cksum				801
+des_random_key				802
+des_random_seed				803
+des_read_2passwords			804
+des_read_password			805
+des_read_pw				806
+des_read_pw_string			807
+des_set_key				808
+des_set_odd_parity			809
+des_string_to_2keys			810
+des_string_to_key			811
+des_xcbc_encrypt			812
+des_xwhite_in2out			813
+fcrypt_body				814
+i2a_ASN1_INTEGER			815
+i2a_ASN1_OBJECT				816
+i2a_ASN1_STRING				817
+i2d_ASN1_BIT_STRING			818
+i2d_ASN1_BOOLEAN			819
+i2d_ASN1_HEADER				820
+i2d_ASN1_IA5STRING			821
+i2d_ASN1_INTEGER			822
+i2d_ASN1_OBJECT				823
+i2d_ASN1_OCTET_STRING			824
+i2d_ASN1_PRINTABLE			825
+i2d_ASN1_SET				826
+i2d_ASN1_TYPE				827
+i2d_ASN1_UTCTIME			828
+i2d_ASN1_bytes				829
+i2d_DHparams				830
+i2d_DSAPrivateKey			831
+i2d_DSAPrivateKey_bio			832
+i2d_DSAPrivateKey_fp			833
+i2d_DSAPublicKey			834
+i2d_DSAparams				835
+i2d_NETSCAPE_SPKAC			836
+i2d_NETSCAPE_SPKI			837
+i2d_Netscape_RSA			838
+i2d_PKCS7				839
+i2d_PKCS7_DIGEST			840
+i2d_PKCS7_ENCRYPT			841
+i2d_PKCS7_ENC_CONTENT			842
+i2d_PKCS7_ENVELOPE			843
+i2d_PKCS7_ISSUER_AND_SERIAL		844
+i2d_PKCS7_RECIP_INFO			845
+i2d_PKCS7_SIGNED			846
+i2d_PKCS7_SIGNER_INFO			847
+i2d_PKCS7_SIGN_ENVELOPE			848
+i2d_PKCS7_bio				849
+i2d_PKCS7_fp				850
+i2d_PrivateKey				851
+i2d_PublicKey				852
+i2d_RSAPrivateKey			853
+i2d_RSAPrivateKey_bio			854
+i2d_RSAPrivateKey_fp			855
+i2d_RSAPublicKey			856
+i2d_X509				857
+i2d_X509_ALGOR				858
+i2d_X509_ATTRIBUTE			859
+i2d_X509_CINF				860
+i2d_X509_CRL				861
+i2d_X509_CRL_INFO			862
+i2d_X509_CRL_bio			863
+i2d_X509_CRL_fp				864
+i2d_X509_EXTENSION			865
+i2d_X509_NAME				866
+i2d_X509_NAME_ENTRY			867
+i2d_X509_PKEY				868
+i2d_X509_PUBKEY				869
+i2d_X509_REQ				870
+i2d_X509_REQ_INFO			871
+i2d_X509_REQ_bio			872
+i2d_X509_REQ_fp				873
+i2d_X509_REVOKED			874
+i2d_X509_SIG				875
+i2d_X509_VAL				876
+i2d_X509_bio				877
+i2d_X509_fp				878
+idea_cbc_encrypt			879
+idea_cfb64_encrypt			880
+idea_ecb_encrypt			881
+idea_encrypt				882
+idea_ofb64_encrypt			883
+idea_options				884
+idea_set_decrypt_key			885
+idea_set_encrypt_key			886
+lh_delete				887
+lh_doall				888
+lh_doall_arg				889
+lh_free					890
+lh_insert				891
+lh_new					892
+lh_node_stats				893
+lh_node_stats_bio			894
+lh_node_usage_stats			895
+lh_node_usage_stats_bio			896
+lh_retrieve				897
+lh_stats				898
+lh_stats_bio				899
+lh_strhash				900
+sk_delete				901
+sk_delete_ptr				902
+sk_dup					903
+sk_find					904
+sk_free					905
+sk_insert				906
+sk_new					907
+sk_pop					908
+sk_pop_free				909
+sk_push					910
+sk_set_cmp_func				911
+sk_shift				912
+sk_unshift				913
+sk_zero					914
+BIO_f_nbio_test				915
+ASN1_TYPE_get				916
+ASN1_TYPE_set				917
+PKCS7_content_free			918
+ERR_load_PKCS7_strings			919
+X509_find_by_issuer_and_serial		920
+X509_find_by_subject			921
+PKCS7_ctrl				927
+PKCS7_set_type				928
+PKCS7_set_content			929
+PKCS7_SIGNER_INFO_set			930
+PKCS7_add_signer			931
+PKCS7_add_certificate			932
+PKCS7_add_crl				933
+PKCS7_content_new			934
+PKCS7_dataSign				935
+PKCS7_dataVerify			936
+PKCS7_dataInit				937
+PKCS7_add_signature			938
+PKCS7_cert_from_signer_info		939
+PKCS7_get_signer_info			940
+EVP_delete_alias			941
+EVP_mdc2				942
+PEM_read_bio_RSAPublicKey		943
+PEM_write_bio_RSAPublicKey		944
+d2i_RSAPublicKey_bio			945
+i2d_RSAPublicKey_bio			946
+PEM_read_RSAPublicKey			947
+PEM_write_RSAPublicKey			949
+d2i_RSAPublicKey_fp			952
+i2d_RSAPublicKey_fp			954
+BIO_copy_next_retry			955
+RSA_flags				956
+X509_STORE_add_crl			957
+X509_load_crl_file			958
+EVP_rc2_40_cbc				959
+EVP_rc4_40				960
+EVP_CIPHER_CTX_init			961
+HMAC					962
+HMAC_Init				963
+HMAC_Update				964
+HMAC_Final				965
+ERR_get_next_error_library		966
+EVP_PKEY_cmp_parameters			967
+HMAC_cleanup				968
+BIO_ptr_ctrl				969
+BIO_new_file_internal			970
+BIO_new_fp_internal			971
+BIO_s_file_internal			972
+BN_BLINDING_convert			973
+BN_BLINDING_invert			974
+BN_BLINDING_update			975
+RSA_blinding_on				977
+RSA_blinding_off			978
+i2t_ASN1_OBJECT				979
+BN_BLINDING_new				980
+BN_BLINDING_free			981
+EVP_cast5_cbc				983
+EVP_cast5_cfb				984
+EVP_cast5_ecb				985
+EVP_cast5_ofb				986
+BF_decrypt				987
+CAST_set_key				988
+CAST_encrypt				989
+CAST_decrypt				990
+CAST_ecb_encrypt			991
+CAST_cbc_encrypt			992
+CAST_cfb64_encrypt			993
+CAST_ofb64_encrypt			994
+RC2_decrypt				995
+OBJ_create_objects			997
+BN_exp					998
+BN_mul_word				999
+BN_sub_word				1000
+BN_dec2bn				1001
+BN_bn2dec				1002
+BIO_ghbn_ctrl				1003
+CRYPTO_free_ex_data			1004
+CRYPTO_get_ex_data			1005
+CRYPTO_set_ex_data			1007
+ERR_load_CRYPTO_strings			1009
+ERR_load_CRYPTOlib_strings		1009
+EVP_PKEY_bits				1010
+MD5_Transform				1011
+SHA1_Transform				1012
+SHA_Transform				1013
+X509_STORE_CTX_get_chain		1014
+X509_STORE_CTX_get_current_cert		1015
+X509_STORE_CTX_get_error		1016
+X509_STORE_CTX_get_error_depth		1017
+X509_STORE_CTX_get_ex_data		1018
+X509_STORE_CTX_set_cert			1020
+X509_STORE_CTX_set_chain		1021
+X509_STORE_CTX_set_error		1022
+X509_STORE_CTX_set_ex_data		1023
+CRYPTO_dup_ex_data			1025
+CRYPTO_get_new_lockid			1026
+CRYPTO_new_ex_data			1027
+RSA_set_ex_data				1028
+RSA_get_ex_data				1029
+RSA_get_ex_new_index			1030
+RSA_padding_add_PKCS1_type_1		1031
+RSA_padding_add_PKCS1_type_2		1032
+RSA_padding_add_SSLv23			1033
+RSA_padding_add_none			1034
+RSA_padding_check_PKCS1_type_1		1035
+RSA_padding_check_PKCS1_type_2		1036
+RSA_padding_check_SSLv23		1037
+RSA_padding_check_none			1038
+bn_add_words				1039
+d2i_Netscape_RSA_2			1040
+CRYPTO_get_ex_new_index			1041
+RIPEMD160_Init				1042
+RIPEMD160_Update			1043
+RIPEMD160_Final				1044
+RIPEMD160				1045
+RIPEMD160_Transform			1046
+RC5_32_set_key				1047
+RC5_32_ecb_encrypt			1048
+RC5_32_encrypt				1049
+RC5_32_decrypt				1050
+RC5_32_cbc_encrypt			1051
+RC5_32_cfb64_encrypt			1052
+RC5_32_ofb64_encrypt			1053
+BN_bn2mpi				1058
+BN_mpi2bn				1059
+ASN1_BIT_STRING_get_bit			1060
+ASN1_BIT_STRING_set_bit			1061
+BIO_get_ex_data				1062
+BIO_get_ex_new_index			1063
+BIO_set_ex_data				1064
+X509_STORE_CTX_get_ex_new_index		1065
+X509v3_get_key_usage			1066
+X509v3_set_key_usage			1067
+a2i_X509v3_key_usage			1068
+i2a_X509v3_key_usage			1069
+EVP_PKEY_decrypt			1070
+EVP_PKEY_encrypt			1071
+PKCS7_RECIP_INFO_set			1072
+PKCS7_add_recipient			1073
+PKCS7_add_recipient_info		1074
+PKCS7_set_cipher			1075
+ASN1_TYPE_get_int_octetstring		1076
+ASN1_TYPE_get_octetstring		1077
+ASN1_TYPE_set_int_octetstring		1078
+ASN1_TYPE_set_octetstring		1079
+ASN1_UTCTIME_set_string			1080
+ERR_add_error_data			1081
+ERR_set_error_data			1082
+EVP_CIPHER_asn1_to_param		1083
+EVP_CIPHER_param_to_asn1		1084
+EVP_CIPHER_get_asn1_iv			1085
+EVP_CIPHER_set_asn1_iv			1086
+EVP_rc5_32_12_16_cbc			1087
+EVP_rc5_32_12_16_cfb			1088
+EVP_rc5_32_12_16_ecb			1089
+EVP_rc5_32_12_16_ofb			1090
+asn1_add_error				1091
+d2i_ASN1_BMPSTRING			1092
+i2d_ASN1_BMPSTRING			1093
+BIO_f_ber				1094
+BN_init					1095
+COMP_CTX_new				1096
+COMP_CTX_free				1097
+COMP_CTX_compress_block			1098
+COMP_CTX_expand_block			1099
+X509_STORE_CTX_get_ex_new_index		1100
+OBJ_NAME_add				1101
+BIO_socket_nbio				1102
+EVP_rc2_64_cbc				1103
+OBJ_NAME_cleanup			1104
+OBJ_NAME_get				1105
+OBJ_NAME_init				1106
+OBJ_NAME_new_index			1107
+OBJ_NAME_remove				1108
+BN_MONT_CTX_copy			1109
+BIO_new_socks4a_connect			1110
+BIO_s_socks4a_connect			1111
+PROXY_set_connect_mode			1112
+RAND_SSLeay				1113
+RAND_set_rand_method			1114
+RSA_memory_lock				1115
+bn_sub_words				1116
+bn_mul_normal				1117
+bn_mul_comba8				1118
+bn_mul_comba4				1119
+bn_sqr_normal				1120
+bn_sqr_comba8				1121
+bn_sqr_comba4				1122
+bn_cmp_words				1123
+bn_mul_recursive			1124
+bn_mul_part_recursive			1125
+bn_sqr_recursive			1126
+bn_mul_low_normal			1127
+BN_RECP_CTX_init			1128
+BN_RECP_CTX_new				1129
+BN_RECP_CTX_free			1130
+BN_RECP_CTX_set				1131
+BN_mod_mul_reciprocal			1132
+BN_mod_exp_recp				1133
+BN_div_recp				1134
+BN_CTX_init				1135
+BN_MONT_CTX_init			1136
+RAND_get_rand_method			1137
+PKCS7_add_attribute			1138
+PKCS7_add_signed_attribute		1139
+PKCS7_digest_from_attributes		1140
+PKCS7_get_attribute			1141
+PKCS7_get_issuer_and_serial		1142
+PKCS7_get_signed_attribute		1143
+COMP_compress_block			1144
+COMP_expand_block			1145
+COMP_rle				1146
+COMP_zlib				1147
+ms_time_diff				1148
+ms_time_new				1149
+ms_time_free				1150
+ms_time_cmp				1151
+ms_time_get				1152
+PKCS7_set_attributes			1153
+PKCS7_set_signed_attributes		1154
+X509_ATTRIBUTE_create			1155
+X509_ATTRIBUTE_dup			1156
+ASN1_GENERALIZEDTIME_check		1157
+ASN1_GENERALIZEDTIME_print		1158
+ASN1_GENERALIZEDTIME_set		1159
+ASN1_GENERALIZEDTIME_set_string		1160
+ASN1_TIME_print				1161
+BASIC_CONSTRAINTS_free			1162
+BASIC_CONSTRAINTS_new			1163
+ERR_load_X509V3_strings			1164
+NETSCAPE_CERT_SEQUENCE_free		1165
+NETSCAPE_CERT_SEQUENCE_new		1166
+OBJ_txt2obj				1167
+PEM_read_NETSCAPE_CERT_SEQUENCE		1168
+PEM_read_bio_NETSCAPE_CERT_SEQUENCE	1169
+PEM_write_NETSCAPE_CERT_SEQUENCE	1170
+PEM_write_bio_NETSCAPE_CERT_SEQUENCE	1171
+X509V3_EXT_add				1172
+X509V3_EXT_add_alias			1173
+X509V3_EXT_add_conf			1174
+X509V3_EXT_cleanup			1175
+X509V3_EXT_conf				1176
+X509V3_EXT_conf_nid			1177
+X509V3_EXT_get				1178
+X509V3_EXT_get_nid			1179
+X509V3_EXT_print			1180
+X509V3_EXT_print_fp			1181
+X509V3_add_standard_extensions		1182
+X509V3_add_value			1183
+X509V3_add_value_bool			1184
+X509V3_add_value_int			1185
+X509V3_conf_free			1186
+X509V3_get_value_bool			1187
+X509V3_get_value_int			1188
+X509V3_parse_list			1189
+d2i_ASN1_GENERALIZEDTIME		1190
+d2i_ASN1_TIME				1191
+d2i_BASIC_CONSTRAINTS			1192
+d2i_NETSCAPE_CERT_SEQUENCE		1193
+d2i_ext_ku				1194
+ext_ku_free				1195
+ext_ku_new				1196
+i2d_ASN1_GENERALIZEDTIME		1197
+i2d_ASN1_TIME				1198
+i2d_BASIC_CONSTRAINTS			1199
+i2d_NETSCAPE_CERT_SEQUENCE		1200
+i2d_ext_ku				1201
+EVP_MD_CTX_copy				1202
+i2d_ASN1_ENUMERATED                     1203
+d2i_ASN1_ENUMERATED                     1204
+ASN1_ENUMERATED_set                     1205
+ASN1_ENUMERATED_get                     1206
+BN_to_ASN1_ENUMERATED                   1207
+ASN1_ENUMERATED_to_BN                   1208
+i2a_ASN1_ENUMERATED                     1209
+a2i_ASN1_ENUMERATED                     1210
+i2d_GENERAL_NAME                        1211
+d2i_GENERAL_NAME                        1212
+GENERAL_NAME_new                        1213
+GENERAL_NAME_free                       1214
+GENERAL_NAMES_new                       1215
+GENERAL_NAMES_free                      1216
+d2i_GENERAL_NAMES                       1217
+i2d_GENERAL_NAMES                       1218
+i2v_GENERAL_NAMES                       1219
+i2s_ASN1_OCTET_STRING                   1220
+s2i_ASN1_OCTET_STRING                   1221
+X509V3_EXT_check_conf                   1222
+hex_to_string                           1223
+string_to_hex                           1224
+des_ede3_cbcm_encrypt                   1225
+RSA_padding_add_PKCS1_OAEP              1226
+RSA_padding_check_PKCS1_OAEP            1227
+X509_CRL_print_fp                       1228
+X509_CRL_print                          1229
+i2v_GENERAL_NAME                        1230
+v2i_GENERAL_NAME                        1231
+i2d_PKEY_USAGE_PERIOD                   1232
+d2i_PKEY_USAGE_PERIOD                   1233
+PKEY_USAGE_PERIOD_new                   1234
+PKEY_USAGE_PERIOD_free                  1235
+v2i_GENERAL_NAMES                       1236
+i2s_ASN1_INTEGER                        1237
+X509V3_EXT_d2i                          1238
+name_cmp                                1239
+str_dup                                 1240
+i2s_ASN1_ENUMERATED                     1241
+i2s_ASN1_ENUMERATED_TABLE               1242
+BIO_s_log                               1243
+BIO_f_reliable                          1244
+PKCS7_dataFinal                         1245
+PKCS7_dataDecode                        1246
+X509V3_EXT_CRL_add_conf                 1247
+BN_set_params                           1248
+BN_get_params                           1249
+BIO_get_ex_num                          1250
+BIO_set_ex_free_func                    1251
+EVP_ripemd160                           1252
+ASN1_TIME_set                           1253
+i2d_AUTHORITY_KEYID                     1254
+d2i_AUTHORITY_KEYID                     1255
+AUTHORITY_KEYID_new                     1256
+AUTHORITY_KEYID_free                    1257
+ASN1_seq_unpack                         1258
+ASN1_seq_pack                           1259
+ASN1_unpack_string                      1260
+ASN1_pack_string                        1261
+PKCS12_pack_safebag                     1262
+PKCS12_MAKE_KEYBAG                      1263
+PKCS8_encrypt                           1264
+PKCS12_MAKE_SHKEYBAG                    1265
+PKCS12_pack_p7data                      1266
+PKCS12_pack_p7encdata                   1267
+PKCS12_add_localkeyid                   1268
+PKCS12_add_friendlyname_asc             1269
+PKCS12_add_friendlyname_uni             1270
+PKCS12_get_friendlyname                 1271
+PKCS12_pbe_crypt                        1272
+PKCS12_decrypt_d2i                      1273
+PKCS12_i2d_encrypt                      1274
+PKCS12_init                             1275
+PKCS12_key_gen_asc                      1276
+PKCS12_key_gen_uni                      1277
+PKCS12_gen_mac                          1278
+PKCS12_verify_mac                       1279
+PKCS12_set_mac                          1280
+PKCS12_setup_mac                        1281
+asc2uni                                 1282
+uni2asc                                 1283
+i2d_PKCS12_BAGS                         1284
+PKCS12_BAGS_new                         1285
+d2i_PKCS12_BAGS                         1286
+PKCS12_BAGS_free                        1287
+i2d_PKCS12                              1288
+d2i_PKCS12                              1289
+PKCS12_new                              1290
+PKCS12_free                             1291
+i2d_PKCS12_MAC_DATA                     1292
+PKCS12_MAC_DATA_new                     1293
+d2i_PKCS12_MAC_DATA                     1294
+PKCS12_MAC_DATA_free                    1295
+i2d_PKCS12_SAFEBAG                      1296
+PKCS12_SAFEBAG_new                      1297
+d2i_PKCS12_SAFEBAG                      1298
+PKCS12_SAFEBAG_free                     1299
+ERR_load_PKCS12_strings                 1300
+PKCS12_PBE_add                          1301
+PKCS8_add_keyusage                      1302
+PKCS12_get_attr_gen                     1303
+PKCS12_parse                            1304
+PKCS12_create                           1305
+i2d_PKCS12_bio                          1306
+i2d_PKCS12_fp                           1307
+d2i_PKCS12_bio                          1308
+d2i_PKCS12_fp                           1309
+i2d_PBEPARAM                            1310
+PBEPARAM_new                            1311
+d2i_PBEPARAM                            1312
+PBEPARAM_free                           1313
+i2d_PKCS8_PRIV_KEY_INFO                 1314
+PKCS8_PRIV_KEY_INFO_new                 1315
+d2i_PKCS8_PRIV_KEY_INFO                 1316
+PKCS8_PRIV_KEY_INFO_free                1317
+EVP_PKCS82PKEY                          1318
+EVP_PKEY2PKCS8                          1319
+PKCS8_set_broken                        1320
+EVP_PBE_ALGOR_CipherInit                1321
+EVP_PBE_alg_add                         1322
+PKCS5_pbe_set                           1323
+EVP_PBE_cleanup                         1324
+i2d_SXNET                               1325
+d2i_SXNET                               1326
+SXNET_new                               1327
+SXNET_free                              1328
+i2d_SXNETID                             1329
+d2i_SXNETID                             1330
+SXNETID_new                             1331
+SXNETID_free                            1332
+DSA_SIG_new                             1333
+DSA_SIG_free                            1334
+DSA_do_sign                             1335
+DSA_do_verify                           1336
+d2i_DSA_SIG                             1337
+i2d_DSA_SIG                             1338
+i2d_ASN1_VISIBLESTRING                  1339
+d2i_ASN1_VISIBLESTRING                  1340
+i2d_ASN1_UTF8STRING                     1341
+d2i_ASN1_UTF8STRING                     1342
+i2d_DIRECTORYSTRING                     1343
+d2i_DIRECTORYSTRING                     1344
+i2d_DISPLAYTEXT                         1345
+d2i_DISPLAYTEXT                         1346
+sk_X509_NAME_new                        1347
+sk_X509_NAME_new_null                   1348
+sk_X509_NAME_free                       1349
+sk_X509_NAME_num                        1350
+sk_X509_NAME_value                      1351
+sk_X509_NAME_set                        1352
+sk_X509_NAME_zero                       1353
+sk_X509_NAME_push                       1354
+sk_X509_NAME_pop                        1355
+sk_X509_NAME_find                       1356
+sk_X509_NAME_delete                     1357
+sk_X509_NAME_delete_ptr                 1358
+sk_X509_NAME_set_cmp_func               1359
+sk_X509_NAME_dup                        1360
+sk_X509_NAME_pop_free                   1361
+sk_X509_NAME_shift                      1362
+sk_X509_new                             1363
+sk_X509_new_null                        1364
+sk_X509_free                            1365
+sk_X509_num                             1366
+sk_X509_value                           1367
+sk_X509_set                             1368
+sk_X509_zero                            1369
+sk_X509_push                            1370
+sk_X509_pop                             1371
+sk_X509_find                            1372
+sk_X509_delete                          1373
+sk_X509_delete_ptr                      1374
+sk_X509_set_cmp_func                    1375
+sk_X509_dup                             1376
+sk_X509_pop_free                        1377
+sk_X509_shift                           1378
+d2i_ASN1_SET_OF_X509                    1379
+i2d_ASN1_SET_OF_X509                    1380
+sk_X509_ATTRIBUTE_new                   1381
+sk_X509_ATTRIBUTE_new_null              1382
+sk_X509_ATTRIBUTE_free                  1383
+sk_X509_ATTRIBUTE_num                   1384
+sk_X509_ATTRIBUTE_value                 1385
+sk_X509_ATTRIBUTE_set                   1386
+sk_X509_ATTRIBUTE_zero                  1387
+sk_X509_ATTRIBUTE_push                  1388
+sk_X509_ATTRIBUTE_pop                   1389
+sk_X509_ATTRIBUTE_find                  1390
+sk_X509_ATTRIBUTE_delete                1391
+sk_X509_ATTRIBUTE_delete_ptr            1392
+sk_X509_ATTRIBUTE_set_cmp_func          1393
+sk_X509_ATTRIBUTE_dup                   1394
+sk_X509_ATTRIBUTE_pop_free              1395
+sk_X509_ATTRIBUTE_shift                 1396
+i2d_PBKDF2PARAM                         1397
+PBKDF2PARAM_new                         1398
+d2i_PBKDF2PARAM                         1399
+PBKDF2PARAM_free                        1400
+i2d_PBE2PARAM                           1401
+PBE2PARAM_new                           1402
+d2i_PBE2PARAM                           1403
+PBE2PARAM_free                          1404
+sk_GENERAL_NAME_new                     1405
+sk_GENERAL_NAME_new_null                1406
+sk_GENERAL_NAME_free                    1407
+sk_GENERAL_NAME_num                     1408
+sk_GENERAL_NAME_value                   1409
+sk_GENERAL_NAME_set                     1410
+sk_GENERAL_NAME_zero                    1411
+sk_GENERAL_NAME_push                    1412
+sk_GENERAL_NAME_pop                     1413
+sk_GENERAL_NAME_find                    1414
+sk_GENERAL_NAME_delete                  1415
+sk_GENERAL_NAME_delete_ptr              1416
+sk_GENERAL_NAME_set_cmp_func            1417
+sk_GENERAL_NAME_dup                     1418
+sk_GENERAL_NAME_pop_free                1419
+sk_GENERAL_NAME_shift                   1420
+d2i_ASN1_SET_OF_GENERAL_NAME            1421
+i2d_ASN1_SET_OF_GENERAL_NAME            1422
+sk_SXNETID_new                          1423
+sk_SXNETID_new_null                     1424
+sk_SXNETID_free                         1425
+sk_SXNETID_num                          1426
+sk_SXNETID_value                        1427
+sk_SXNETID_set                          1428
+sk_SXNETID_zero                         1429
+sk_SXNETID_push                         1430
+sk_SXNETID_pop                          1431
+sk_SXNETID_find                         1432
+sk_SXNETID_delete                       1433
+sk_SXNETID_delete_ptr                   1434
+sk_SXNETID_set_cmp_func                 1435
+sk_SXNETID_dup                          1436
+sk_SXNETID_pop_free                     1437
+sk_SXNETID_shift                        1438
+d2i_ASN1_SET_OF_SXNETID                 1439
+i2d_ASN1_SET_OF_SXNETID                 1440
+sk_POLICYQUALINFO_new                   1441
+sk_POLICYQUALINFO_new_null              1442
+sk_POLICYQUALINFO_free                  1443
+sk_POLICYQUALINFO_num                   1444
+sk_POLICYQUALINFO_value                 1445
+sk_POLICYQUALINFO_set                   1446
+sk_POLICYQUALINFO_zero                  1447
+sk_POLICYQUALINFO_push                  1448
+sk_POLICYQUALINFO_pop                   1449
+sk_POLICYQUALINFO_find                  1450
+sk_POLICYQUALINFO_delete                1451
+sk_POLICYQUALINFO_delete_ptr            1452
+sk_POLICYQUALINFO_set_cmp_func          1453
+sk_POLICYQUALINFO_dup                   1454
+sk_POLICYQUALINFO_pop_free              1455
+sk_POLICYQUALINFO_shift                 1456
+d2i_ASN1_SET_OF_POLICYQUALINFO          1457
+i2d_ASN1_SET_OF_POLICYQUALINFO          1458
+sk_POLICYINFO_new                       1459
+sk_POLICYINFO_new_null                  1460
+sk_POLICYINFO_free                      1461
+sk_POLICYINFO_num                       1462
+sk_POLICYINFO_value                     1463
+sk_POLICYINFO_set                       1464
+sk_POLICYINFO_zero                      1465
+sk_POLICYINFO_push                      1466
+sk_POLICYINFO_pop                       1467
+sk_POLICYINFO_find                      1468
+sk_POLICYINFO_delete                    1469
+sk_POLICYINFO_delete_ptr                1470
+sk_POLICYINFO_set_cmp_func              1471
+sk_POLICYINFO_dup                       1472
+sk_POLICYINFO_pop_free                  1473
+sk_POLICYINFO_shift                     1474
+d2i_ASN1_SET_OF_POLICYINFO              1475
+i2d_ASN1_SET_OF_POLICYINFO              1476
+SXNET_add_id_asc                        1477
+SXNET_add_id_ulong                      1478
+SXNET_add_id_INTEGER                    1479
+SXNET_get_id_asc                        1480
+SXNET_get_id_ulong                      1481
+SXNET_get_id_INTEGER                    1482
+X509V3_set_conf_lhash                   1483
+i2d_CERTIFICATEPOLICIES                 1484
+CERTIFICATEPOLICIES_new                 1485
+CERTIFICATEPOLICIES_free                1486
+d2i_CERTIFICATEPOLICIES                 1487
+i2d_POLICYINFO                          1488
+POLICYINFO_new                          1489
+d2i_POLICYINFO                          1490
+POLICYINFO_free                         1491
+i2d_POLICYQUALINFO                      1492
+POLICYQUALINFO_new                      1493
+d2i_POLICYQUALINFO                      1494
+POLICYQUALINFO_free                     1495
+i2d_USERNOTICE                          1496
+USERNOTICE_new                          1497
+d2i_USERNOTICE                          1498
+USERNOTICE_free                         1499
+i2d_NOTICEREF                           1500
+NOTICEREF_new                           1501
+d2i_NOTICEREF                           1502
+NOTICEREF_free                          1503
+X509V3_get_string                       1504
+X509V3_get_section                      1505
+X509V3_string_free                      1506
+X509V3_section_free                     1507
+X509V3_set_ctx                          1508
+s2i_ASN1_INTEGER                        1509
+CRYPTO_set_locked_mem_functions         1510
+CRYPTO_get_locked_mem_functions         1511
+CRYPTO_malloc_locked                    1512
+CRYPTO_free_locked                      1513
+BN_mod_exp2_mont                        1514
+ERR_get_error_line_data                 1515
+ERR_peek_error_line_data                1516
+PKCS12_PBE_keyivgen                     1517
+X509_ALGOR_dup                          1518
+sk_DIST_POINT_new                       1519
+sk_DIST_POINT_new_null                  1520
+sk_DIST_POINT_free                      1521
+sk_DIST_POINT_num                       1522
+sk_DIST_POINT_value                     1523
+sk_DIST_POINT_set                       1524
+sk_DIST_POINT_zero                      1525
+sk_DIST_POINT_push                      1526
+sk_DIST_POINT_pop                       1527
+sk_DIST_POINT_find                      1528
+sk_DIST_POINT_delete                    1529
+sk_DIST_POINT_delete_ptr                1530
+sk_DIST_POINT_set_cmp_func              1531
+sk_DIST_POINT_dup                       1532
+sk_DIST_POINT_pop_free                  1533
+sk_DIST_POINT_shift                     1534
+d2i_ASN1_SET_OF_DIST_POINT              1535
+i2d_ASN1_SET_OF_DIST_POINT              1536
+i2d_CRL_DIST_POINTS                     1537
+CRL_DIST_POINTS_new                     1538
+CRL_DIST_POINTS_free                    1539
+d2i_CRL_DIST_POINTS                     1540
+i2d_DIST_POINT                          1541
+DIST_POINT_new                          1542
+d2i_DIST_POINT                          1543
+DIST_POINT_free                         1544
+i2d_DIST_POINT_NAME                     1545
+DIST_POINT_NAME_new                     1546
+DIST_POINT_NAME_free                    1547
+d2i_DIST_POINT_NAME                     1548
+X509V3_add_value_uchar                  1549
+sk_X509_INFO_new                        1550
+sk_X509_EXTENSION_new                   1551
+sk_X509_NAME_ENTRY_unshift              1552
+sk_ASN1_TYPE_value                      1553
+sk_X509_EXTENSION_find                  1554
+d2i_ASN1_SET_OF_X509_ATTRIBUTE          1555
+sk_ASN1_TYPE_pop                        1556
+sk_X509_EXTENSION_set_cmp_func          1557
+sk_ASN1_TYPE_new_null                   1558
+sk_X509_NAME_ENTRY_delete               1559
+i2d_ASN1_SET_OF_ASN1_TYPE               1560
+sk_X509_NAME_ENTRY_dup                  1561
+sk_X509_unshift                         1562
+sk_X509_NAME_unshift                    1563
+sk_ASN1_TYPE_num                        1564
+sk_X509_EXTENSION_new_null              1565
+sk_X509_INFO_value                      1566
+d2i_ASN1_SET_OF_X509_EXTENSION          1567
+sk_X509_INFO_delete_ptr                 1568
+sk_X509_NAME_ENTRY_new                  1569
+sk_DIST_POINT_insert                    1570
+sk_ASN1_TYPE_set_cmp_func               1571
+sk_X509_EXTENSION_value                 1572
+sk_DIST_POINT_unshift                   1573
+d2i_ASN1_SET_OF_X509_NAME_ENTRY         1574
+sk_X509_INFO_pop                        1575
+sk_X509_EXTENSION_pop                   1576
+sk_X509_NAME_ENTRY_shift                1577
+sk_X509_INFO_num                        1578
+sk_X509_EXTENSION_num                   1579
+sk_X509_INFO_pop_free                   1580
+sk_POLICYQUALINFO_unshift               1581
+sk_POLICYINFO_unshift                   1582
+sk_X509_NAME_ENTRY_new_null             1583
+sk_X509_NAME_ENTRY_pop                  1584
+sk_X509_ATTRIBUTE_unshift               1585
+sk_X509_NAME_ENTRY_num                  1586
+sk_GENERAL_NAME_unshift                 1587
+sk_X509_INFO_free                       1588
+d2i_ASN1_SET_OF_ASN1_TYPE               1589
+sk_X509_INFO_insert                     1590
+sk_X509_NAME_ENTRY_value                1591
+sk_POLICYQUALINFO_insert                1592
+sk_ASN1_TYPE_set                        1593
+sk_X509_EXTENSION_delete_ptr            1594
+sk_X509_INFO_unshift                    1595
+sk_ASN1_TYPE_unshift                    1596
+sk_ASN1_TYPE_free                       1597
+sk_ASN1_TYPE_delete_ptr                 1598
+sk_ASN1_TYPE_pop_free                   1599
+sk_X509_EXTENSION_unshift               1600
+sk_X509_EXTENSION_pop_free              1601
+sk_X509_NAME_ENTRY_set_cmp_func         1602
+sk_ASN1_TYPE_insert                     1603
+sk_X509_NAME_ENTRY_free                 1604
+sk_SXNETID_insert                       1605
+sk_X509_NAME_insert                     1606
+sk_X509_insert                          1607
+sk_X509_INFO_delete                     1608
+sk_X509_INFO_set_cmp_func               1609
+sk_X509_ATTRIBUTE_insert                1610
+sk_X509_INFO_zero                       1611
+sk_X509_INFO_set                        1612
+sk_X509_EXTENSION_set                   1613
+sk_X509_EXTENSION_free                  1614
+i2d_ASN1_SET_OF_X509_ATTRIBUTE          1615
+sk_SXNETID_unshift                      1616
+sk_X509_INFO_push                       1617
+sk_X509_EXTENSION_insert                1618
+sk_X509_INFO_new_null                   1619
+sk_ASN1_TYPE_dup                        1620
+sk_X509_INFO_find                       1621
+sk_POLICYINFO_insert                    1622
+sk_ASN1_TYPE_zero                       1623
+i2d_ASN1_SET_OF_X509_EXTENSION          1624
+sk_X509_NAME_ENTRY_set                  1625
+sk_ASN1_TYPE_push                       1626
+sk_X509_NAME_ENTRY_insert               1627
+sk_ASN1_TYPE_new                        1628
+sk_GENERAL_NAME_insert                  1629
+sk_ASN1_TYPE_shift                      1630
+sk_ASN1_TYPE_delete                     1631
+sk_X509_NAME_ENTRY_pop_free             1632
+i2d_ASN1_SET_OF_X509_NAME_ENTRY         1633
+sk_X509_NAME_ENTRY_zero                 1634
+sk_ASN1_TYPE_find                       1635
+sk_X509_NAME_ENTRY_delete_ptr           1636
+sk_X509_NAME_ENTRY_push                 1637
+sk_X509_EXTENSION_zero                  1638
+sk_X509_INFO_shift                      1639
+sk_X509_INFO_dup                        1640
+sk_X509_EXTENSION_dup                   1641
+sk_X509_EXTENSION_delete                1642
+sk_X509_EXTENSION_shift                 1643
+sk_X509_EXTENSION_push                  1644
+sk_X509_NAME_ENTRY_find                 1645
+X509V3_EXT_i2d                          1646
+X509V3_EXT_val_prn                      1647
+X509V3_EXT_add_list                     1648
+EVP_CIPHER_type                         1649
+EVP_PBE_CipherInit                      1650
+X509V3_add_value_bool_nf                1651
+d2i_ASN1_UINTEGER                       1652
+sk_value                                1653
+sk_num                                  1654
+sk_set                                  1655
+sk_X509_REVOKED_set_cmp_func            1656
+sk_X509_REVOKED_unshift                 1657
+sk_X509_REVOKED_dup                     1658
+sk_X509_REVOKED_free                    1659
+sk_X509_REVOKED_new                     1660
+i2d_ASN1_SET_OF_X509_REVOKED            1661
+sk_X509_REVOKED_shift                   1662
+sk_X509_REVOKED_delete_ptr              1663
+sk_X509_REVOKED_pop_free                1664
+sk_X509_REVOKED_insert                  1665
+sk_X509_REVOKED_zero                    1666
+sk_X509_REVOKED_pop                     1667
+sk_X509_REVOKED_value                   1668
+sk_X509_REVOKED_num                     1669
+sk_X509_REVOKED_push                    1670
+sk_sort                                 1671
+sk_X509_REVOKED_find                    1672
+sk_X509_REVOKED_delete                  1673
+d2i_ASN1_SET_OF_X509_REVOKED            1674
+sk_X509_REVOKED_new_null                1675
+sk_X509_REVOKED_set                     1676
+sk_X509_ALGOR_new                       1677
+sk_X509_CRL_set_cmp_func                1678
+sk_X509_CRL_set                         1679
+sk_X509_ALGOR_unshift                   1680
+sk_X509_CRL_free                        1681
+i2d_ASN1_SET_OF_X509_ALGOR              1682
+sk_X509_ALGOR_pop                       1683
+sk_X509_CRL_unshift                     1684
+i2d_ASN1_SET_OF_X509_CRL                1685
+sk_X509_ALGOR_num                       1686
+sk_X509_CRL_insert                      1687
+sk_X509_CRL_pop_free                    1688
+sk_X509_CRL_delete_ptr                  1689
+sk_X509_ALGOR_insert                    1690
+sk_X509_CRL_dup                         1691
+sk_X509_CRL_zero                        1692
+sk_X509_CRL_new                         1693
+sk_X509_CRL_push                        1694
+sk_X509_ALGOR_new_null                  1695
+d2i_ASN1_SET_OF_X509_ALGOR              1696
+sk_X509_CRL_shift                       1697
+sk_X509_CRL_find                        1698
+sk_X509_CRL_delete                      1699
+sk_X509_ALGOR_free                      1700
+sk_X509_ALGOR_delete                    1701
+d2i_ASN1_SET_OF_X509_CRL                1702
+sk_X509_ALGOR_delete_ptr                1703
+sk_X509_CRL_pop                         1704
+sk_X509_ALGOR_set                       1705
+sk_X509_CRL_num                         1706
+sk_X509_CRL_value                       1707
+sk_X509_ALGOR_shift                     1708
+sk_X509_ALGOR_zero                      1709
+sk_X509_CRL_new_null                    1710
+sk_X509_ALGOR_push                      1711
+sk_X509_ALGOR_value                     1712
+sk_X509_ALGOR_find                      1713
+sk_X509_ALGOR_set_cmp_func              1714
+sk_X509_ALGOR_dup                       1715
+sk_X509_ALGOR_pop_free                  1716
+sk_PKCS7_SIGNER_INFO_new                1717
+sk_PKCS7_SIGNER_INFO_zero               1718
+sk_PKCS7_SIGNER_INFO_unshift            1719
+sk_PKCS7_RECIP_INFO_dup                 1720
+sk_PKCS7_SIGNER_INFO_insert             1721
+sk_PKCS7_SIGNER_INFO_push               1722
+i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO       1723
+sk_PKCS7_RECIP_INFO_new                 1724
+sk_X509_LOOKUP_new_null                 1725
+sk_PKCS7_SIGNER_INFO_find               1726
+sk_PKCS7_SIGNER_INFO_set_cmp_func       1727
+sk_X509_LOOKUP_zero                     1728
+sk_PKCS7_RECIP_INFO_shift               1729
+sk_PKCS7_RECIP_INFO_new_null            1730
+sk_PKCS7_SIGNER_INFO_shift              1731
+sk_PKCS7_SIGNER_INFO_pop                1732
+sk_PKCS7_SIGNER_INFO_pop_free           1733
+sk_X509_LOOKUP_push                     1734
+sk_X509_LOOKUP_dup                      1735
+sk_PKCS7_SIGNER_INFO_num                1736
+sk_X509_LOOKUP_find                     1737
+i2d_ASN1_SET_OF_PKCS7_RECIP_INFO        1738
+sk_X509_LOOKUP_new                      1739
+sk_PKCS7_SIGNER_INFO_delete             1740
+sk_PKCS7_RECIP_INFO_set_cmp_func        1741
+sk_PKCS7_SIGNER_INFO_delete_ptr         1742
+sk_PKCS7_RECIP_INFO_pop                 1743
+sk_X509_LOOKUP_insert                   1744
+sk_PKCS7_RECIP_INFO_value               1745
+sk_PKCS7_RECIP_INFO_num                 1746
+sk_PKCS7_SIGNER_INFO_value              1747
+d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO       1748
+sk_X509_LOOKUP_pop                      1749
+sk_X509_LOOKUP_num                      1750
+sk_X509_LOOKUP_delete                   1751
+sk_PKCS7_RECIP_INFO_free                1752
+d2i_ASN1_SET_OF_PKCS7_RECIP_INFO        1753
+sk_PKCS7_SIGNER_INFO_set                1754
+sk_X509_LOOKUP_pop_free                 1755
+sk_X509_LOOKUP_shift                    1756
+sk_X509_LOOKUP_unshift                  1757
+sk_PKCS7_SIGNER_INFO_new_null           1758
+sk_PKCS7_RECIP_INFO_delete_ptr          1759
+sk_PKCS7_RECIP_INFO_pop_free            1760
+sk_PKCS7_RECIP_INFO_insert              1761
+sk_PKCS7_SIGNER_INFO_free               1762
+sk_PKCS7_RECIP_INFO_set                 1763
+sk_PKCS7_RECIP_INFO_zero                1764
+sk_X509_LOOKUP_value                    1765
+sk_PKCS7_RECIP_INFO_push                1766
+sk_PKCS7_RECIP_INFO_unshift             1767
+sk_X509_LOOKUP_set_cmp_func             1768
+sk_X509_LOOKUP_free                     1769
+sk_PKCS7_SIGNER_INFO_dup                1770
+sk_X509_LOOKUP_delete_ptr               1771
+sk_X509_LOOKUP_set                      1772
+sk_PKCS7_RECIP_INFO_find                1773
+sk_PKCS7_RECIP_INFO_delete              1774
+PKCS5_PBE_add                           1775
+PEM_write_bio_PKCS8                     1776
+i2d_PKCS8_fp                            1777
+PEM_read_bio_PKCS8_PRIV_KEY_INFO        1778
+d2i_PKCS8_bio                           1779
+d2i_PKCS8_PRIV_KEY_INFO_fp              1780
+PEM_write_bio_PKCS8_PRIV_KEY_INFO       1781
+PEM_read_PKCS8                          1782
+d2i_PKCS8_PRIV_KEY_INFO_bio             1783
+d2i_PKCS8_fp                            1784
+PEM_write_PKCS8                         1785
+PEM_read_PKCS8_PRIV_KEY_INFO            1786
+PEM_read_bio_PKCS8                      1787
+PEM_write_PKCS8_PRIV_KEY_INFO           1788
+PKCS5_PBE_keyivgen                      1789
+i2d_PKCS8_bio                           1790
+i2d_PKCS8_PRIV_KEY_INFO_fp              1791
+i2d_PKCS8_PRIV_KEY_INFO_bio             1792
+BIO_s_bio                               1793
+PKCS5_pbe2_set                          1794
+PKCS5_PBKDF2_HMAC_SHA1                  1795
+PKCS5_v2_PBE_keyivgen                   1796
+PEM_write_bio_PKCS8PrivateKey           1797
+PEM_write_PKCS8PrivateKey               1798
+BIO_ctrl_get_read_request               1799
+BIO_ctrl_pending                        1800
+BIO_ctrl_wpending                       1801
+BIO_new_bio_pair                        1802
+BIO_ctrl_get_write_guarantee            1803
+CRYPTO_num_locks                        1804
+CONF_load_bio                           1805
+CONF_load_fp                            1806
+sk_CONF_VALUE_delete                    1807
+sk_CONF_VALUE_pop                       1808
+sk_CONF_VALUE_num                       1809
+sk_CONF_VALUE_pop_free                  1810
+sk_CONF_VALUE_free                      1811
+sk_CONF_VALUE_shift                     1812
+sk_CONF_VALUE_unshift                   1813
+sk_CONF_VALUE_value                     1814
+sk_CONF_VALUE_set                       1815
+sk_CONF_VALUE_zero                      1816
+sk_CONF_VALUE_push                      1817
+sk_CONF_VALUE_delete_ptr                1818
+sk_CONF_VALUE_find                      1819
+sk_CONF_VALUE_set_cmp_func              1820
+sk_CONF_VALUE_new_null                  1821
+sk_CONF_VALUE_dup                       1822
+sk_CONF_VALUE_insert                    1823
+sk_CONF_VALUE_new                       1824
+sk_ASN1_OBJECT_find                     1825
+sk_ASN1_OBJECT_pop_free                 1826
+sk_ASN1_OBJECT_dup                      1827
+sk_ASN1_OBJECT_delete_ptr               1828
+sk_ASN1_OBJECT_new                      1829
+sk_ASN1_OBJECT_unshift                  1830
+sk_ASN1_OBJECT_delete                   1831
+sk_ASN1_OBJECT_shift                    1832
+sk_ASN1_OBJECT_pop                      1833
+sk_ASN1_OBJECT_num                      1834
+sk_ASN1_OBJECT_value                    1835
+sk_ASN1_OBJECT_new_null                 1836
+i2d_ASN1_SET_OF_ASN1_OBJECT             1837
+sk_ASN1_OBJECT_free                     1838
+sk_ASN1_OBJECT_set                      1839
+sk_ASN1_OBJECT_set_cmp_func             1840
+sk_ASN1_OBJECT_zero                     1841
+sk_ASN1_OBJECT_insert                   1842
+sk_ASN1_OBJECT_push                     1843
+d2i_ASN1_SET_OF_ASN1_OBJECT             1844
+PKCS7_signatureVerify                   1845
+RSA_set_method                          1846
+RSA_get_method                          1847
+RSA_get_default_method                  1848
+sk_CONF_VALUE_sort                      1849
+sk_X509_REVOKED_sort                    1850
+sk_X509_ATTRIBUTE_sort                  1851
+sk_X509_INFO_sort                       1852
+sk_POLICYINFO_sort                      1853
+sk_GENERAL_NAME_sort                    1854
+sk_X509_sort                            1855
+sk_X509_NAME_sort                       1856
+sk_ASN1_TYPE_sort                       1857
+sk_X509_ALGOR_sort                      1858
+sk_PKCS7_RECIP_INFO_sort                1859
+sk_X509_NAME_ENTRY_sort                 1860
+sk_X509_EXTENSION_sort                  1861
+sk_SXNETID_sort                         1862
+sk_ASN1_OBJECT_sort                     1863
+sk_PKCS7_SIGNER_INFO_sort               1864
+sk_X509_LOOKUP_sort                     1865
+sk_POLICYQUALINFO_sort                  1866
+sk_X509_CRL_sort                        1867
+sk_DIST_POINT_sort                      1868
+RSA_check_key                           1869
+OBJ_obj2txt                             1870
+DSA_dup_DH                              1871
+X509_REQ_get_extensions                 1872
+X509_REQ_set_extension_nids             1873
+BIO_nwrite                              1874
+X509_REQ_extension_nid                  1875
+BIO_nread                               1876
+X509_REQ_get_extension_nids              1877
+BIO_nwrite0                             1878
+X509_REQ_add_extensions_nid             1879
+BIO_nread0                              1880
+X509_REQ_add_extensions                 1881
+BIO_new_mem_buf                         1882
+DH_set_ex_data                          1883
+DH_set_method                           1884
+DSA_OpenSSL                             1885
+DH_get_ex_data                          1886
+DH_get_ex_new_index                     1887
+DSA_new_method                          1888
+DH_new_method                           1889
+DH_OpenSSL                              1890
+DSA_get_ex_new_index                    1891
+DH_get_default_method                   1892
+DSA_set_ex_data                         1893
+DH_set_default_method                   1894
+DSA_get_ex_data                         1895
+X509V3_EXT_REQ_add_conf                 1896
+NETSCAPE_SPKI_print                     1897
+NETSCAPE_SPKI_set_pubkey                1898
+NETSCAPE_SPKI_b64_encode                1899
+NETSCAPE_SPKI_get_pubkey                1900
+NETSCAPE_SPKI_b64_decode                1901
+UTF8_putc                               1902
+UTF8_getc                               1903
+RSA_null_method                         1904
+ASN1_tag2str                            1905
+BIO_ctrl_reset_read_request             1906
+DISPLAYTEXT_new                         1907
+ASN1_GENERALIZEDTIME_free               1908
+X509_REVOKED_get_ext_d2i                1909
+X509_set_ex_data                        1910
+X509_reject_set_bit_asc                 1911
+X509_NAME_add_entry_by_txt              1912
+sk_X509_TRUST_pop                       1913
+X509_NAME_add_entry_by_NID              1914
+X509_PURPOSE_get0                       1915
+sk_ACCESS_DESCRIPTION_shift             1916
+PEM_read_X509_AUX                       1917
+d2i_AUTHORITY_INFO_ACCESS               1918
+sk_X509_TRUST_set_cmp_func              1919
+sk_X509_TRUST_free                      1920
+PEM_write_PUBKEY                        1921
+sk_X509_TRUST_num                       1922
+sk_ACCESS_DESCRIPTION_delete            1923
+sk_ASN1_STRING_TABLE_value              1924
+ACCESS_DESCRIPTION_new                  1925
+X509_CERT_AUX_free                      1926
+d2i_ACCESS_DESCRIPTION                  1927
+X509_trust_clear                        1928
+sk_X509_PURPOSE_value                   1929
+sk_X509_PURPOSE_zero                    1930
+X509_TRUST_add                          1931
+ASN1_VISIBLESTRING_new                  1932
+X509_alias_set1                         1933
+ASN1_PRINTABLESTRING_free               1934
+EVP_PKEY_get1_DSA                       1935
+ASN1_BMPSTRING_new                      1936
+ASN1_mbstring_copy                      1937
+ASN1_UTF8STRING_new                     1938
+sk_ACCESS_DESCRIPTION_set               1939
+sk_X509_PURPOSE_pop                     1940
+DSA_get_default_method                  1941
+sk_X509_PURPOSE_push                    1942
+sk_X509_PURPOSE_delete                  1943
+sk_X509_PURPOSE_num                     1944
+i2d_ASN1_SET_OF_ACCESS_DESCRIPTION      1945
+ASN1_T61STRING_free                     1946
+sk_ACCESS_DESCRIPTION_free              1947
+sk_ASN1_STRING_TABLE_pop                1948
+DSA_set_method                          1949
+X509_get_ex_data                        1950
+ASN1_STRING_type                        1951
+X509_PURPOSE_get_by_sname               1952
+sk_X509_PURPOSE_find                    1953
+ASN1_TIME_free                          1954
+ASN1_OCTET_STRING_cmp                   1955
+sk_ACCESS_DESCRIPTION_value             1956
+ASN1_BIT_STRING_new                     1957
+X509_get_ext_d2i                        1958
+PEM_read_bio_X509_AUX                   1959
+ASN1_STRING_set_default_mask_asc        1960
+PEM_write_bio_RSA_PUBKEY                1961
+sk_ASN1_STRING_TABLE_num                1962
+ASN1_INTEGER_cmp                        1963
+d2i_RSA_PUBKEY_fp                       1964
+sk_ACCESS_DESCRIPTION_unshift           1965
+sk_ASN1_STRING_TABLE_delete_ptr         1966
+X509_trust_set_bit_asc                  1967
+PEM_write_bio_DSA_PUBKEY                1968
+X509_STORE_CTX_free                     1969
+EVP_PKEY_set1_DSA                       1970
+i2d_DSA_PUBKEY_fp                       1971
+X509_load_cert_crl_file                 1972
+ASN1_TIME_new                           1973
+i2d_RSA_PUBKEY                          1974
+sk_X509_TRUST_pop_free                  1975
+X509_STORE_CTX_purpose_inherit          1976
+PEM_read_RSA_PUBKEY                     1977
+sk_X509_TRUST_zero                      1978
+sk_ACCESS_DESCRIPTION_pop_free          1979
+d2i_X509_AUX                            1980
+i2d_DSA_PUBKEY                          1981
+X509_CERT_AUX_print                     1982
+sk_X509_PURPOSE_new_null                1983
+PEM_read_DSA_PUBKEY                     1984
+i2d_RSA_PUBKEY_bio                      1985
+ASN1_BIT_STRING_num_asc                 1986
+i2d_PUBKEY                              1987
+ASN1_UTCTIME_free                       1988
+DSA_set_default_method                  1989
+X509_PURPOSE_get_by_id                  1990
+sk_X509_TRUST_push                      1991
+sk_ASN1_STRING_TABLE_sort               1992
+sk_X509_PURPOSE_set_cmp_func            1993
+ACCESS_DESCRIPTION_free                 1994
+PEM_read_bio_PUBKEY                     1995
+ASN1_STRING_set_by_NID                  1996
+X509_PURPOSE_get_id                     1997
+DISPLAYTEXT_free                        1998
+OTHERNAME_new                           1999
+sk_X509_TRUST_find                      2000
+X509_CERT_AUX_new                       2001
+sk_ACCESS_DESCRIPTION_dup               2002
+sk_ASN1_STRING_TABLE_pop_free           2003
+sk_ASN1_STRING_TABLE_unshift            2004
+sk_X509_TRUST_shift                     2005
+sk_ACCESS_DESCRIPTION_zero              2006
+X509_TRUST_cleanup                      2007
+X509_NAME_add_entry_by_OBJ              2008
+X509_CRL_get_ext_d2i                    2009
+sk_X509_TRUST_set                       2010
+X509_PURPOSE_get0_name                  2011
+PEM_read_PUBKEY                         2012
+sk_ACCESS_DESCRIPTION_new               2013
+i2d_DSA_PUBKEY_bio                      2014
+i2d_OTHERNAME                           2015
+ASN1_OCTET_STRING_free                  2016
+ASN1_BIT_STRING_set_asc                 2017
+sk_ACCESS_DESCRIPTION_push              2018
+X509_get_ex_new_index                   2019
+ASN1_STRING_TABLE_cleanup               2020
+X509_TRUST_get_by_id                    2021
+X509_PURPOSE_get_trust                  2022
+ASN1_STRING_length                      2023
+d2i_ASN1_SET_OF_ACCESS_DESCRIPTION      2024
+ASN1_PRINTABLESTRING_new                2025
+X509V3_get_d2i                          2026
+ASN1_ENUMERATED_free                    2027
+i2d_X509_CERT_AUX                       2028
+sk_ACCESS_DESCRIPTION_find              2029
+X509_STORE_CTX_set_trust                2030
+sk_X509_PURPOSE_unshift                 2031
+ASN1_STRING_set_default_mask            2032
+X509_STORE_CTX_new                      2033
+EVP_PKEY_get1_RSA                       2034
+sk_X509_PURPOSE_set                     2035
+sk_ASN1_STRING_TABLE_insert             2036
+sk_X509_PURPOSE_sort                    2037
+DIRECTORYSTRING_free                    2038
+PEM_write_X509_AUX                      2039
+ASN1_OCTET_STRING_set                   2040
+d2i_DSA_PUBKEY_fp                       2041
+sk_ASN1_STRING_TABLE_free               2042
+sk_X509_TRUST_value                     2043
+d2i_RSA_PUBKEY                          2044
+sk_ASN1_STRING_TABLE_set                2045
+X509_TRUST_get0_name                    2046
+X509_TRUST_get0                         2047
+AUTHORITY_INFO_ACCESS_free              2048
+ASN1_IA5STRING_new                      2049
+d2i_DSA_PUBKEY                          2050
+X509_check_purpose                      2051
+ASN1_ENUMERATED_new                     2052
+d2i_RSA_PUBKEY_bio                      2053
+d2i_PUBKEY                              2054
+X509_TRUST_get_trust                    2055
+X509_TRUST_get_flags                    2056
+ASN1_BMPSTRING_free                     2057
+ASN1_T61STRING_new                      2058
+sk_X509_TRUST_unshift                   2059
+ASN1_UTCTIME_new                        2060
+sk_ACCESS_DESCRIPTION_pop               2061
+i2d_AUTHORITY_INFO_ACCESS               2062
+EVP_PKEY_set1_RSA                       2063
+X509_STORE_CTX_set_purpose              2064
+ASN1_IA5STRING_free                     2065
+PEM_write_bio_X509_AUX                  2066
+X509_PURPOSE_get_count                  2067
+CRYPTO_add_info                         2068
+sk_ACCESS_DESCRIPTION_num               2069
+sk_ASN1_STRING_TABLE_set_cmp_func       2070
+X509_NAME_ENTRY_create_by_txt           2071
+ASN1_STRING_get_default_mask            2072
+sk_X509_TRUST_dup                       2073
+X509_alias_get0                         2074
+ASN1_STRING_data                        2075
+sk_X509_TRUST_insert                    2076
+i2d_ACCESS_DESCRIPTION                  2077
+X509_trust_set_bit                      2078
+sk_X509_PURPOSE_delete_ptr              2079
+ASN1_BIT_STRING_free                    2080
+PEM_read_bio_RSA_PUBKEY                 2081
+X509_add1_reject_object                 2082
+X509_check_trust                        2083
+sk_X509_TRUST_new_null                  2084
+sk_ACCESS_DESCRIPTION_new_null          2085
+sk_ACCESS_DESCRIPTION_delete_ptr        2086
+sk_X509_TRUST_sort                      2087
+PEM_read_bio_DSA_PUBKEY                 2088
+sk_X509_TRUST_new                       2089
+X509_PURPOSE_add                        2090
+ASN1_STRING_TABLE_get                   2091
+ASN1_UTF8STRING_free                    2092
+d2i_DSA_PUBKEY_bio                      2093
+sk_ASN1_STRING_TABLE_delete             2094
+PEM_write_RSA_PUBKEY                    2095
+d2i_OTHERNAME                           2096
+sk_ACCESS_DESCRIPTION_insert            2097
+X509_reject_set_bit                     2098
+sk_X509_TRUST_delete_ptr                2099
+sk_X509_PURPOSE_pop_free                2100
+PEM_write_DSA_PUBKEY                    2101
+sk_X509_PURPOSE_free                    2102
+sk_X509_PURPOSE_dup                     2103
+sk_ASN1_STRING_TABLE_zero               2104
+X509_PURPOSE_get0_sname                 2105
+sk_ASN1_STRING_TABLE_shift              2106
+EVP_PKEY_set1_DH                        2107
+ASN1_OCTET_STRING_dup                   2108
+ASN1_BIT_STRING_set                     2109
+X509_TRUST_get_count                    2110
+ASN1_INTEGER_free                       2111
+OTHERNAME_free                          2112
+i2d_RSA_PUBKEY_fp                       2113
+ASN1_INTEGER_dup                        2114
+d2i_X509_CERT_AUX                       2115
+sk_ASN1_STRING_TABLE_new_null           2116
+PEM_write_bio_PUBKEY                    2117
+ASN1_VISIBLESTRING_free                 2118
+X509_PURPOSE_cleanup                    2119
+sk_ASN1_STRING_TABLE_push               2120
+sk_ASN1_STRING_TABLE_dup                2121
+sk_X509_PURPOSE_shift                   2122
+ASN1_mbstring_ncopy                     2123
+sk_X509_PURPOSE_new                     2124
+sk_X509_PURPOSE_insert                  2125
+ASN1_GENERALIZEDTIME_new                2126
+sk_ACCESS_DESCRIPTION_sort              2127
+EVP_PKEY_get1_DH                        2128
+sk_ACCESS_DESCRIPTION_set_cmp_func      2129
+ASN1_OCTET_STRING_new                   2130
+ASN1_INTEGER_new                        2131
+i2d_X509_AUX                            2132
+sk_ASN1_STRING_TABLE_find               2133
+ASN1_BIT_STRING_name_print              2134
+X509_cmp                                2135
+ASN1_STRING_length_set                  2136
+DIRECTORYSTRING_new                     2137
+sk_ASN1_STRING_TABLE_new                2138
+sk_X509_TRUST_delete                    2139
+X509_add1_trust_object                  2140
+PKCS12_newpass                          2141
+SMIME_write_PKCS7                       2142
+SMIME_read_PKCS7                        2143
+des_set_key_checked                     2144
+PKCS7_verify                            2145
+PKCS7_encrypt                           2146
+des_set_key_unchecked                   2147
+SMIME_crlf_copy                         2148
+i2d_ASN1_PRINTABLESTRING                2149
+PKCS7_get0_signers                      2150
+PKCS7_decrypt                           2151
+SMIME_text                              2152
+PKCS7_simple_smimecap                   2153
+PKCS7_get_smimecap                      2154
+PKCS7_sign                              2155
+PKCS7_add_attrib_smimecap               2156
+CRYPTO_dbg_set_options                  2157
+CRYPTO_remove_all_info                  2158
+CRYPTO_get_mem_debug_functions          2159
+CRYPTO_is_mem_check_on                  2160
+CRYPTO_set_mem_debug_functions          2161
+CRYPTO_pop_info                         2162
+CRYPTO_push_info_                       2163
+CRYPTO_set_mem_debug_options            2164
+PEM_write_PKCS8PrivateKey_nid           2165
+PEM_write_bio_PKCS8PrivateKey_nid       2166
+d2i_PKCS8PrivateKey_bio                 2167
+ASN1_NULL_free                          2168
+d2i_ASN1_NULL                           2169
+ASN1_NULL_new                           2170
+i2d_PKCS8PrivateKey_bio                 2171
+i2d_PKCS8PrivateKey_fp                  2172
+i2d_ASN1_NULL                           2173
+i2d_PKCS8PrivateKey_nid_fp              2174
+d2i_PKCS8PrivateKey_fp                  2175
+i2d_PKCS8PrivateKey_nid_bio             2176
+i2d_PKCS8PrivateKeyInfo_fp              2177
+i2d_PKCS8PrivateKeyInfo_bio             2178
+PEM_cb                                  2179
+i2d_PrivateKey_fp                       2180
+d2i_PrivateKey_bio                      2181
+d2i_PrivateKey_fp                       2182
+i2d_PrivateKey_bio                      2183
+X509_reject_clear                       2184
+X509_TRUST_set_default                  2185
+d2i_AutoPrivateKey                      2186
+X509_ATTRIBUTE_get0_type                2187
+X509_ATTRIBUTE_set1_data                2188
+X509at_get_attr                         2189
+X509at_get_attr_count                   2190
+X509_ATTRIBUTE_create_by_NID            2191
+X509_ATTRIBUTE_set1_object              2192
+X509_ATTRIBUTE_count                    2193
+X509_ATTRIBUTE_create_by_OBJ            2194
+X509_ATTRIBUTE_get0_object              2195
+X509at_get_attr_by_NID                  2196
+X509at_add1_attr                        2197
+X509_ATTRIBUTE_get0_data                2198
+X509at_delete_attr                      2199
+X509at_get_attr_by_OBJ                  2200
+RAND_add                                2201
+BIO_number_written                      2202
+BIO_number_read                         2203
+X509_STORE_CTX_get1_chain               2204
+ERR_load_RAND_strings                   2205
+RAND_pseudo_bytes                       2206
+X509_REQ_get_attr_by_NID                2207
+X509_REQ_get_attr                       2208
+X509_REQ_add1_attr_by_NID               2209
+X509_REQ_get_attr_by_OBJ                2210
+X509at_add1_attr_by_NID                 2211
+X509_REQ_add1_attr_by_OBJ               2212
+X509_REQ_get_attr_count                 2213
+X509_REQ_add1_attr                      2214
+X509_REQ_delete_attr                    2215
+X509at_add1_attr_by_OBJ                 2216
+X509_REQ_add1_attr_by_txt               2217
+X509_ATTRIBUTE_create_by_txt            2218
+X509at_add1_attr_by_txt                 2219
+sk_CRYPTO_EX_DATA_FUNCS_delete          2220
+sk_CRYPTO_EX_DATA_FUNCS_set             2221
+sk_CRYPTO_EX_DATA_FUNCS_unshift         2222
+sk_CRYPTO_EX_DATA_FUNCS_new_null        2223
+sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func    2224
+sk_CRYPTO_EX_DATA_FUNCS_sort            2225
+sk_CRYPTO_EX_DATA_FUNCS_dup             2226
+sk_CRYPTO_EX_DATA_FUNCS_shift           2227
+sk_CRYPTO_EX_DATA_FUNCS_value           2228
+sk_CRYPTO_EX_DATA_FUNCS_pop             2229
+sk_CRYPTO_EX_DATA_FUNCS_push            2230
+sk_CRYPTO_EX_DATA_FUNCS_find            2231
+sk_CRYPTO_EX_DATA_FUNCS_new             2232
+sk_CRYPTO_EX_DATA_FUNCS_free            2233
+sk_CRYPTO_EX_DATA_FUNCS_delete_ptr      2234
+sk_CRYPTO_EX_DATA_FUNCS_num             2235
+sk_CRYPTO_EX_DATA_FUNCS_pop_free        2236
+sk_CRYPTO_EX_DATA_FUNCS_insert          2237
+sk_CRYPTO_EX_DATA_FUNCS_zero            2238
+BN_pseudo_rand                          2239
+BN_is_prime_fasttest                    2240
+BN_CTX_end                              2241
+BN_CTX_start                            2242
+BN_CTX_get                              2243
+EVP_PKEY2PKCS8_broken                   2244
+ASN1_STRING_TABLE_add                   2245
+CRYPTO_dbg_get_options                  2246
+AUTHORITY_INFO_ACCESS_new               2247
+CRYPTO_get_mem_debug_options            2248
+des_crypt                               2249
+PEM_write_bio_X509_REQ_NEW              2250
+PEM_write_X509_REQ_NEW                  2251
+BIO_callback_ctrl                       2252
+RAND_egd                                2253
+RAND_status                             2254
+bn_dump1                                2255
+des_check_key_parity                    2256
+lh_num_items                            2257
+RAND_event                              2258
diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl
new file mode 100755
index 0000000..100d76f
--- /dev/null
+++ b/crypto/openssl/util/mk1mf.pl
@@ -0,0 +1,876 @@
+#!/usr/local/bin/perl
+# A bit of an evil hack but it post processes the file ../MINFO which
+# is generated by `make files` in the top directory.
+# This script outputs one mega makefile that has no shell stuff or any
+# funny stuff
+#
+
+$INSTALLTOP="/usr/local/ssl";
+$OPTIONS="";
+$ssl_version="";
+$banner="\t\@echo Building OpenSSL";
+
+open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+while(<IN>) {
+    $ssl_version=$1 if (/^VERSION=(.*)$/);
+    $OPTIONS=$1 if (/^OPTIONS=(.*)$/);
+    $INSTALLTOP=$1 if (/^INSTALLTOP=(.*$)/);
+}
+close(IN);
+
+die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq "";
+
+$infile="MINFO";
+
+%ops=(
+	"VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+	"VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
+	"VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
+	"VC-WIN16",   "Alias for VC-W31-32",
+	"VC-W31-32",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 386+",
+	"VC-MSDOS","Microsoft Visual C++ 1.52 - MSDOS",
+	"Mingw32", "GNU C++ - Windows NT or 9x",
+	"Mingw32-files", "Create files with DOS copy ...",
+	"BC-NT",   "Borland C++ 4.5 - Windows NT",
+	"BC-W31",  "Borland C++ 4.5 - Windows 3.1 - PROBABLY NOT WORKING",
+	"BC-MSDOS","Borland C++ 4.5 - MSDOS",
+	"linux-elf","Linux elf",
+	"ultrix-mips","DEC mips ultrix",
+	"FreeBSD","FreeBSD distribution",
+	"default","cc under unix",
+	);
+
+$platform="";
+foreach (@ARGV)
+	{
+	if (!&read_options && !defined($ops{$_}))
+		{
+		print STDERR "unknown option - $_\n";
+		print STDERR "usage: perl mk1mf.pl [options] [system]\n";
+		print STDERR "\nwhere [system] can be one of the following\n";
+		foreach $i (sort keys %ops)
+		{ printf STDERR "\t%-10s\t%s\n",$i,$ops{$i}; }
+		print STDERR <<"EOF";
+and [options] can be one of
+	no-md2 no-md5 no-sha no-mdc2 no-ripemd  - Skip this digest
+	no-rc2 no-rc4 no-idea no-des no-bf no-cast - Skip this symetric cipher
+	no-rc5
+	no-rsa no-dsa no-dh			- Skip this public key cipher
+	no-ssl2 no-ssl3				- Skip this version of SSL
+	just-ssl				- remove all non-ssl keys/digest
+	no-asm 					- No x86 asm
+	nasm 					- Use NASM for x86 asm
+	gaswin					- Use GNU as with Mingw32
+	no-socks				- No socket code
+	no-err					- No error strings
+	dll/shlib				- Build shared libraries (MS)
+	debug					- Debug build
+	gcc					- Use Gcc (unix)
+	rsaref					- Build to require RSAref
+
+Values that can be set
+TMP=tmpdir OUT=outdir SRC=srcdir BIN=binpath INC=header-outdir CC=C-compiler
+
+-L<ex_lib_path> -l<ex_lib>			- extra library flags (unix)
+-<ex_cc_flags>					- extra 'cc' flags,
+						  added (MS), or replace (unix)
+EOF
+		exit(1);
+		}
+	$platform=$_;
+	}
+foreach (split / /, $OPTIONS)
+	{
+	print STDERR "unknown option - $_\n" if !&read_options;
+	}
+
+$no_mdc2=1 if ($no_des);
+
+$no_ssl3=1 if ($no_md5 || $no_sha);
+$no_ssl3=1 if ($no_rsa && $no_dh);
+
+$no_ssl2=1 if ($no_md5 || $no_rsa);
+$no_ssl2=1 if ($no_rsa);
+
+$out_def="out";
+$inc_def="outinc";
+$tmp_def="tmp";
+
+$mkdir="mkdir";
+
+($ssl,$crypto)=("ssl","crypto");
+$RSAglue="RSAglue";
+$ranlib="echo ranlib";
+
+$cc=(defined($VARS{'CC'}))?$VARS{'CC'}:'cc';
+$src_dir=(defined($VARS{'SRC'}))?$VARS{'SRC'}:'.';
+$bin_dir=(defined($VARS{'BIN'}))?$VARS{'BIN'}:'';
+
+# $bin_dir.=$o causes a core dump on my sparc :-(
+
+$NT=0;
+
+push(@INC,"util/pl","pl");
+if ($platform eq "VC-MSDOS")
+	{
+	$asmbits=16;
+	$msdos=1;
+	require 'VC-16.pl';
+	}
+elsif ($platform eq "VC-W31-16")
+	{
+	$asmbits=16;
+	$msdos=1; $win16=1;
+	require 'VC-16.pl';
+	}
+elsif (($platform eq "VC-W31-32") || ($platform eq "VC-WIN16"))
+	{
+	$asmbits=32;
+	$msdos=1; $win16=1;
+	require 'VC-16.pl';
+	}
+elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
+	{
+	$NT = 1 if $platform eq "VC-NT";
+	require 'VC-32.pl';
+	}
+elsif ($platform eq "Mingw32")
+	{
+	require 'Mingw32.pl';
+	}
+elsif ($platform eq "Mingw32-files")
+	{
+	require 'Mingw32f.pl';
+	}
+elsif ($platform eq "BC-NT")
+	{
+	$bc=1;
+	require 'BC-32.pl';
+	}
+elsif ($platform eq "BC-W31")
+	{
+	$bc=1;
+	$msdos=1; $w16=1;
+	require 'BC-16.pl';
+	}
+elsif ($platform eq "BC-Q16")
+	{
+	$msdos=1; $w16=1; $shlib=0; $qw=1;
+	require 'BC-16.pl';
+	}
+elsif ($platform eq "BC-MSDOS")
+	{
+	$asmbits=16;
+	$msdos=1;
+	require 'BC-16.pl';
+	}
+elsif ($platform eq "FreeBSD")
+	{
+	require 'unix.pl';
+	$cflags='-DTERMIO -D_ANSI_SOURCE -O2 -fomit-frame-pointer';
+	}
+elsif ($platform eq "linux-elf")
+	{
+	require "unix.pl";
+	require "linux.pl";
+	$unix=1;
+	}
+elsif ($platform eq "ultrix-mips")
+	{
+	require "unix.pl";
+	require "ultrix.pl";
+	$unix=1;
+	}
+else
+	{
+	require "unix.pl";
+
+	$unix=1;
+	$cflags.=' -DTERMIO';
+	}
+
+$out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":"");
+$tmp_dir=(defined($VARS{'TMP'}))?$VARS{'TMP'}:$tmp_def.($debug?".dbg":"");
+$inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
+
+$bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq ''));
+
+$cflags.=" -DNO_IDEA" if $no_idea;
+$cflags.=" -DNO_RC2"  if $no_rc2;
+$cflags.=" -DNO_RC4"  if $no_rc4;
+$cflags.=" -DNO_RC5"  if $no_rc5;
+$cflags.=" -DNO_MD2"  if $no_md2;
+$cflags.=" -DNO_MD5"  if $no_md5;
+$cflags.=" -DNO_SHA"  if $no_sha;
+$cflags.=" -DNO_SHA1" if $no_sha1;
+$cflags.=" -DNO_RIPEMD" if $no_rmd160;
+$cflags.=" -DNO_MDC2" if $no_mdc2;
+$cflags.=" -DNO_BF"  if $no_bf;
+$cflags.=" -DNO_CAST" if $no_cast;
+$cflags.=" -DNO_DES"  if $no_des;
+$cflags.=" -DNO_RSA"  if $no_rsa;
+$cflags.=" -DNO_DSA"  if $no_dsa;
+$cflags.=" -DNO_DH"   if $no_dh;
+$cflags.=" -DNO_SOCK" if $no_sock;
+$cflags.=" -DNO_SSL2" if $no_ssl2;
+$cflags.=" -DNO_SSL3" if $no_ssl3;
+$cflags.=" -DNO_ERR"  if $no_err;
+$cflags.=" -DRSAref"  if $rsaref ne "";
+
+if ($unix)
+	{ $cflags="$c_flags" if ($c_flags ne ""); }
+else	{ $cflags="$c_flags$cflags" if ($c_flags ne ""); }
+
+$ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
+
+if ($msdos)
+	{
+	$banner ="\t\@echo Make sure you have run 'perl Configure $platform' in the\n";
+	$banner.="\t\@echo top level directory, if you don't have perl, you will\n";
+	$banner.="\t\@echo need to probably edit crypto/bn/bn.h, check the\n";
+	$banner.="\t\@echo documentation for details.\n";
+	}
+
+# have to do this to allow $(CC) under unix
+$link="$bin_dir$link" if ($link !~ /^\$/);
+
+$INSTALLTOP =~ s|/|$o|g;
+
+$defs= <<"EOF";
+# This makefile has been automatically generated from the OpenSSL distribution.
+# This single makefile will build the complete OpenSSL distribution and
+# by default leave the 'intertesting' output files in .${o}out and the stuff
+# that needs deleting in .${o}tmp.
+# The file was generated by running 'make makefile.one', which
+# does a 'make files', which writes all the environment variables from all
+# the makefiles to the file call MINFO.  This file is used by
+# util${o}mk1mf.pl to generate makefile.one.
+# The 'makefile per directory' system suites me when developing this
+# library and also so I can 'distribute' indervidual library sections.
+# The one monster makefile better suits building in non-unix
+# environments.
+
+INSTALLTOP=$INSTALLTOP
+
+# Set your compiler options
+PLATFORM=$platform
+CC=$bin_dir${cc}
+CFLAG=$cflags
+APP_CFLAG=$app_cflag
+LIB_CFLAG=$lib_cflag
+SHLIB_CFLAG=$shl_cflag
+APP_EX_OBJ=$app_ex_obj
+SHLIB_EX_OBJ=$shlib_ex_obj
+# add extra libraries to this define, for solaris -lsocket -lnsl would
+# be added
+EX_LIBS=$ex_libs
+
+# The OpenSSL directory
+SRC_D=$src_dir
+
+LINK=$link
+LFLAGS=$lflags
+
+BN_ASM_OBJ=$bn_asm_obj
+BN_ASM_SRC=$bn_asm_src
+DES_ENC_OBJ=$des_enc_obj
+DES_ENC_SRC=$des_enc_src
+BF_ENC_OBJ=$bf_enc_obj
+BF_ENC_SRC=$bf_enc_src
+CAST_ENC_OBJ=$cast_enc_obj
+CAST_ENC_SRC=$cast_enc_src
+RC4_ENC_OBJ=$rc4_enc_obj
+RC4_ENC_SRC=$rc4_enc_src
+RC5_ENC_OBJ=$rc5_enc_obj
+RC5_ENC_SRC=$rc5_enc_src
+MD5_ASM_OBJ=$md5_asm_obj
+MD5_ASM_SRC=$md5_asm_src
+SHA1_ASM_OBJ=$sha1_asm_obj
+SHA1_ASM_SRC=$sha1_asm_src
+RMD160_ASM_OBJ=$rmd160_asm_obj
+RMD160_ASM_SRC=$rmd160_asm_src
+
+# The output directory for everything intersting
+OUT_D=$out_dir
+# The output directory for all the temporary muck
+TMP_D=$tmp_dir
+# The output directory for the header files
+INC_D=$inc_dir
+INCO_D=$inc_dir${o}openssl
+
+CP=$cp
+RM=$rm
+RANLIB=$ranlib
+MKDIR=$mkdir
+MKLIB=$bin_dir$mklib
+MLFLAGS=$mlflags
+ASM=$bin_dir$asm
+
+######################################################
+# You should not need to touch anything below this point
+######################################################
+
+E_EXE=openssl
+SSL=$ssl
+CRYPTO=$crypto
+RSAGLUE=$RSAglue
+
+# BIN_D  - Binary output directory
+# TEST_D - Binary test file output directory
+# LIB_D  - library output directory
+# Note: if you change these point to different directories then uncomment out
+# the lines around the 'NB' comment below.
+# 
+BIN_D=\$(OUT_D)
+TEST_D=\$(OUT_D)
+LIB_D=\$(OUT_D)
+
+# INCL_D - local library directory
+# OBJ_D  - temp object file directory
+OBJ_D=\$(TMP_D)
+INCL_D=\$(TMP_D)
+
+O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
+O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
+O_RSAGLUE= \$(LIB_D)$o$plib\$(RSAGLUE)$libp
+SO_SSL=    $plib\$(SSL)$so_shlibp
+SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
+L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
+L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
+
+L_LIBS= \$(L_SSL) \$(L_CRYPTO)
+#L_LIBS= \$(O_SSL) \$(O_RSAGLUE) -lrsaref \$(O_CRYPTO)
+
+######################################################
+# Don't touch anything below this point
+######################################################
+
+INC=-I\$(INC_D) -I\$(INCL_D)
+APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
+LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
+SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
+LIBS_DEP=\$(O_CRYPTO) \$(O_RSAGLUE) \$(O_SSL)
+
+#############################################
+EOF
+
+$rules=<<"EOF";
+all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
+
+banner:
+$banner
+
+\$(TMP_D):
+	\$(MKDIR) \$(TMP_D)
+# NB: uncomment out these lines if BIN_D, TEST_D and LIB_D are different
+#\$(BIN_D):
+#	\$(MKDIR) \$(BIN_D)
+#
+#\$(TEST_D):
+#	\$(MKDIR) \$(TEST_D)
+
+\$(LIB_D):
+	\$(MKDIR) \$(LIB_D)
+
+\$(INCO_D): \$(INC_D)
+	\$(MKDIR) \$(INCO_D)
+
+\$(INC_D):
+	\$(MKDIR) \$(INC_D)
+
+headers: \$(HEADER) \$(EXHEADER)
+
+lib: \$(LIBS_DEP)
+
+exe: \$(T_EXE) \$(BIN_D)$o\$(E_EXE)$exep
+
+install:
+	\$(MKDIR) \$(INSTALLTOP)
+	\$(MKDIR) \$(INSTALLTOP)${o}bin
+	\$(MKDIR) \$(INSTALLTOP)${o}include
+	\$(MKDIR) \$(INSTALLTOP)${o}include${o}openssl
+	\$(MKDIR) \$(INSTALLTOP)${o}lib
+	\$(CP) \$(INCO_D)${o}*.\[ch\] \$(INSTALLTOP)${o}include${o}openssl
+	\$(CP) \$(BIN_D)$o\$(E_EXE)$exep \$(INSTALLTOP)${o}bin
+	\$(CP) \$(O_SSL) \$(INSTALLTOP)${o}lib
+	\$(CP) \$(O_CRYPTO) \$(INSTALLTOP)${o}lib
+
+clean:
+	\$(RM) \$(TMP_D)$o*.*
+
+vclean:
+	\$(RM) \$(TMP_D)$o*.*
+	\$(RM) \$(OUT_D)$o*.*
+
+EOF
+    
+my $platform_cpp_symbol = "MK1MF_PLATFORM_$platform";
+$platform_cpp_symbol =~ s/-/_/g;
+if (open(IN,"crypto/buildinf.h"))
+	{
+	# Remove entry for this platform in existing file buildinf.h.
+
+	my $old_buildinf_h = "";
+	while (<IN>)
+		{
+		if (/^\#ifdef $platform_cpp_symbol$/)
+			{
+			while (<IN>) { last if (/^\#endif/); }
+			}
+		else
+			{
+			$old_buildinf_h .= $_;
+			}
+		}
+	close(IN);
+
+	open(OUT,">crypto/buildinf.h") || die "Can't open buildinf.h";
+	print OUT $old_buildinf_h;
+	close(OUT);
+	}
+
+open (OUT,">>crypto/buildinf.h") || die "Can't open buildinf.h";
+printf OUT <<EOF;
+#ifdef $platform_cpp_symbol
+  /* auto-generated/updated by util/mk1mf.pl for crypto/cversion.c */
+  #define CFLAGS "$cc $cflags"
+  #define PLATFORM "$platform"
+EOF
+printf OUT "  #define DATE \"%s\"\n", scalar gmtime();
+printf OUT "#endif\n";
+close(OUT);
+
+#############################################
+# We parse in input file and 'store' info for later printing.
+open(IN,"<$infile") || die "unable to open $infile:$!\n";
+$_=<IN>;
+for (;;)
+	{
+	chop;
+
+	($key,$val)=/^([^=]+)=(.*)/;
+	if ($key eq "RELATIVE_DIRECTORY")
+		{
+		if ($lib ne "")
+			{
+			$uc=$lib;
+			$uc =~ s/^lib(.*)\.a/$1/;
+			$uc =~ tr/a-z/A-Z/;
+			$lib_nam{$uc}=$uc;
+			$lib_obj{$uc}.=$libobj." ";
+			}
+		last if ($val eq "FINISHED");
+		$lib="";
+		$libobj="";
+		$dir=$val;
+		}
+
+	if ($key eq "TEST")
+		{ $test.=&var_add($dir,$val); }
+
+	if (($key eq "PROGS") || ($key eq "E_OBJ"))
+		{ $e_exe.=&var_add($dir,$val); }
+
+	if ($key eq "LIB")
+		{
+		$lib=$val;
+		$lib =~ s/^.*\/([^\/]+)$/$1/;
+		}
+
+	if ($key eq "EXHEADER")
+		{ $exheader.=&var_add($dir,$val); }
+
+	if ($key eq "HEADER")
+		{ $header.=&var_add($dir,$val); }
+
+	if ($key eq "LIBOBJ")
+		{ $libobj=&var_add($dir,$val); }
+
+	if (!($_=<IN>))
+		{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }
+	}
+close(IN);
+
+# Strip of trailing ' '
+foreach (keys %lib_obj) { $lib_obj{$_}=&clean_up_ws($lib_obj{$_}); }
+$test=&clean_up_ws($test);
+$e_exe=&clean_up_ws($e_exe);
+$exheader=&clean_up_ws($exheader);
+$header=&clean_up_ws($header);
+
+# First we strip the exheaders from the headers list
+foreach (split(/\s+/,$exheader)){ $h{$_}=1; }
+foreach (split(/\s+/,$header))	{ $h.=$_." " unless $h{$_}; }
+chop($h); $header=$h;
+
+$defs.=&do_defs("HEADER",$header,"\$(INCL_D)",".h");
+$rules.=&do_copy_rule("\$(INCL_D)",$header,".h");
+
+$defs.=&do_defs("EXHEADER",$exheader,"\$(INCO_D)",".h");
+$rules.=&do_copy_rule("\$(INCO_D)",$exheader,".h");
+
+$defs.=&do_defs("T_OBJ",$test,"\$(OBJ_D)",$obj);
+$rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
+
+$defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
+$rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
+
+foreach (values %lib_nam)
+	{
+	$lib_obj=$lib_obj{$_};
+	local($slib)=$shlib;
+
+	$slib=0 if ($_ eq "RSAGLUE");
+
+	if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
+		{
+		$rules.="\$(O_SSL):\n\n"; 
+		next;
+		}
+
+	if (($_ eq "RSAGLUE") && $no_rsa)
+		{
+		$rules.="\$(O_RSAGLUE):\n\n"; 
+		next;
+		}
+
+	if (($bn_asm_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
+		$rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
+		}
+	if (($des_enc_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/;
+		$lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /;
+		$rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
+		}
+	if (($bf_enc_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s\S*\/bf_enc\S*/ \$(BF_ENC_OBJ)/;
+		$rules.=&do_asm_rule($bf_enc_obj,$bf_enc_src);
+		}
+	if (($cast_enc_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/(\s\S*\/c_enc\S*)/ \$(CAST_ENC_OBJ)/;
+		$rules.=&do_asm_rule($cast_enc_obj,$cast_enc_src);
+		}
+	if (($rc4_enc_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s\S*\/rc4_enc\S*/ \$(RC4_ENC_OBJ)/;
+		$rules.=&do_asm_rule($rc4_enc_obj,$rc4_enc_src);
+		}
+	if (($rc5_enc_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s\S*\/rc5_enc\S*/ \$(RC5_ENC_OBJ)/;
+		$rules.=&do_asm_rule($rc5_enc_obj,$rc5_enc_src);
+		}
+	if (($md5_asm_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s(\S*\/md5_dgst\S*)/ $1 \$(MD5_ASM_OBJ)/;
+		$rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src);
+		}
+	if (($sha1_asm_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/;
+		$rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
+		}
+	if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO"))
+		{
+		$lib_obj =~ s/\s(\S*\/rmd_dgst\S*)/ $1 \$(RMD160_ASM_OBJ)/;
+		$rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);
+		}
+	$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
+	$lib=($slib)?" \$(SHLIB_CFLAGS)":" \$(LIB_CFLAGS)";
+	$rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
+	}
+
+$defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);
+foreach (split(/\s+/,$test))
+	{
+	$t=&bname($_);
+	$tt="\$(OBJ_D)${o}$t${obj}";
+	$rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+	}
+
+$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
+$rules.= &do_lib_rule("\$(RSAGLUEOBJ)","\$(O_RSAGLUE)",$RSAglue,0,"")
+	unless $no_rsa;
+$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
+
+$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+
+print $defs;
+print "###################################################################\n";
+print $rules;
+
+###############################################
+# strip off any trailing .[och] and append the relative directory
+# also remembering to do nothing if we are in one of the dropped
+# directories
+sub var_add
+	{
+	local($dir,$val)=@_;
+	local(@a,$_,$ret);
+
+	return("") if $no_idea && $dir =~ /\/idea/;
+	return("") if $no_rc2  && $dir =~ /\/rc2/;
+	return("") if $no_rc4  && $dir =~ /\/rc4/;
+	return("") if $no_rc5  && $dir =~ /\/rc5/;
+	return("") if $no_rsa  && $dir =~ /\/rsa/;
+	return("") if $no_rsa  && $dir =~ /^rsaref/;
+	return("") if $no_dsa  && $dir =~ /\/dsa/;
+	return("") if $no_dh   && $dir =~ /\/dh/;
+	if ($no_des && $dir =~ /\/des/)
+		{
+		if ($val =~ /read_pwd/)
+			{ return("$dir/read_pwd "); }
+		else
+			{ return(""); }
+		}
+	return("") if $no_mdc2 && $dir =~ /\/mdc2/;
+	return("") if $no_sock && $dir =~ /\/proxy/;
+	return("") if $no_bf   && $dir =~ /\/bf/;
+	return("") if $no_cast && $dir =~ /\/cast/;
+
+	$val =~ s/^\s*(.*)\s*$/$1/;
+	@a=split(/\s+/,$val);
+	grep(s/\.[och]$//,@a);
+
+	@a=grep(!/^e_.*_3d$/,@a) if $no_des;
+	@a=grep(!/^e_.*_d$/,@a) if $no_des;
+	@a=grep(!/^e_.*_i$/,@a) if $no_idea;
+	@a=grep(!/^e_.*_r2$/,@a) if $no_rc2;
+	@a=grep(!/^e_.*_r5$/,@a) if $no_rc5;
+	@a=grep(!/^e_.*_bf$/,@a) if $no_bf;
+	@a=grep(!/^e_.*_c$/,@a) if $no_cast;
+	@a=grep(!/^e_rc4$/,@a) if $no_rc4;
+
+	@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
+	@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
+
+	@a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
+
+	@a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
+	@a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
+	@a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+
+	@a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
+	@a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
+	@a=grep(!/(^pem_seal$)/,@a) if $no_rsa;
+
+	@a=grep(!/(m_dss$)|(m_dss1$)/,@a) if $no_dsa;
+	@a=grep(!/(^d2i_s_)|(^i2d_s_)|(_dsap$)/,@a) if $no_dsa;
+
+	@a=grep(!/^n_pkey$/,@a) if $no_rsa || $no_rc4;
+
+	@a=grep(!/_dhp$/,@a) if $no_dh;
+
+	@a=grep(!/(^sha[^1])|(_sha$)|(m_dss$)/,@a) if $no_sha;
+	@a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
+	@a=grep(!/_mdc2$/,@a) if $no_mdc2;
+
+	@a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa;
+	@a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
+	@a=grep(!/^gendsa$/,@a) if $no_sha1;
+	@a=grep(!/(^dh$)|(^gendh$)/,@a) if $no_dh;
+
+	@a=grep(!/(^dh)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
+
+	grep($_="$dir/$_",@a);
+	@a=grep(!/(^|\/)s_/,@a) if $no_sock;
+	@a=grep(!/(^|\/)bio_sock/,@a) if $no_sock;
+	$ret=join(' ',@a)." ";
+	return($ret);
+	}
+
+# change things so that each 'token' is only separated by one space
+sub clean_up_ws
+	{
+	local($w)=@_;
+
+	$w =~ s/^\s*(.*)\s*$/$1/;
+	$w =~ s/\s+/ /g;
+	return($w);
+	}
+
+sub do_defs
+	{
+	local($var,$files,$location,$postfix)=@_;
+	local($_,$ret,$pf);
+	local(*OUT,$tmp,$t);
+
+	$files =~ s/\//$o/g if $o ne '/';
+	$ret="$var="; 
+	$n=1;
+	$Vars{$var}.="";
+	foreach (split(/ /,$files))
+		{
+		$orig=$_;
+		$_=&bname($_) unless /^\$/;
+		if ($n++ == 2)
+			{
+			$n=0;
+			$ret.="\\\n\t";
+			}
+		if (($_ =~ /bss_file/) && ($postfix eq ".h"))
+			{ $pf=".c"; }
+		else	{ $pf=$postfix; }
+		if ($_ =~ /BN_ASM/)	{ $t="$_ "; }
+		elsif ($_ =~ /DES_ENC/)	{ $t="$_ "; }
+		elsif ($_ =~ /BF_ENC/)	{ $t="$_ "; }
+		elsif ($_ =~ /CAST_ENC/){ $t="$_ "; }
+		elsif ($_ =~ /RC4_ENC/)	{ $t="$_ "; }
+		elsif ($_ =~ /RC5_ENC/)	{ $t="$_ "; }
+		elsif ($_ =~ /MD5_ASM/)	{ $t="$_ "; }
+		elsif ($_ =~ /SHA1_ASM/){ $t="$_ "; }
+		elsif ($_ =~ /RMD160_ASM/){ $t="$_ "; }
+		else	{ $t="$location${o}$_$pf "; }
+
+		$Vars{$var}.="$t ";
+		$ret.=$t;
+		}
+	chop($ret);
+	$ret.="\n\n";
+	return($ret);
+	}
+
+# return the name with the leading path removed
+sub bname
+	{
+	local($ret)=@_;
+	$ret =~ s/^.*[\\\/]([^\\\/]+)$/$1/;
+	return($ret);
+	}
+
+
+##############################################################
+# do a rule for each file that says 'compile' to new direcory
+# compile the files in '$files' into $to
+sub do_compile_rule
+	{
+	local($to,$files,$ex)=@_;
+	local($ret,$_,$n);
+	
+	$files =~ s/\//$o/g if $o ne '/';
+	foreach (split(/\s+/,$files))
+		{
+		$n=&bname($_);
+		$ret.=&cc_compile_target("$to${o}$n$obj","${_}.c",$ex)
+		}
+	return($ret);
+	}
+
+##############################################################
+# do a rule for each file that says 'compile' to new direcory
+sub cc_compile_target
+	{
+	local($target,$source,$ex_flags)=@_;
+	local($ret);
+	
+	$ex_flags.=" -DMK1MF_BUILD -D$platform_cpp_symbol" if ($source =~ /cversion/);
+	$target =~ s/\//$o/g if $o ne "/";
+	$source =~ s/\//$o/g if $o ne "/";
+	$ret ="$target: \$(SRC_D)$o$source\n\t";
+	$ret.="\$(CC) ${ofile}$target $ex_flags -c \$(SRC_D)$o$source\n\n";
+	return($ret);
+	}
+
+##############################################################
+sub do_asm_rule
+	{
+	local($target,$src)=@_;
+	local($ret,@s,@t,$i);
+
+	$target =~ s/\//$o/g if $o ne "/";
+	$src =~ s/\//$o/g if $o ne "/";
+
+	@s=split(/\s+/,$src);
+	@t=split(/\s+/,$target);
+
+	for ($i=0; $i<=$#s; $i++)
+		{
+		$ret.="$t[$i]: $s[$i]\n";
+		$ret.="\t\$(ASM) $afile$t[$i] \$(SRC_D)$o$s[$i]\n\n";
+		}
+	return($ret);
+	}
+
+sub do_shlib_rule
+	{
+	local($n,$def)=@_;
+	local($ret,$nn);
+	local($t);
+
+	($nn=$n) =~ tr/a-z/A-Z/;
+	$ret.="$n.dll: \$(${nn}OBJ)\n";
+	if ($vc && $w32)
+		{
+		$ret.="\t\$(MKSHLIB) $efile$n.dll $def @<<\n  \$(${nn}OBJ_F)\n<<\n";
+		}
+	$ret.="\n";
+	return($ret);
+	}
+
+# do a rule for each file that says 'copy' to new direcory on change
+sub do_copy_rule
+	{
+	local($to,$files,$p)=@_;
+	local($ret,$_,$n,$pp);
+	
+	$files =~ s/\//$o/g if $o ne '/';
+	foreach (split(/\s+/,$files))
+		{
+		$n=&bname($_);
+		if ($n =~ /bss_file/)
+			{ $pp=".c"; }
+		else	{ $pp=$p; }
+		$ret.="$to${o}$n$pp: \$(SRC_D)$o$_$pp\n\t\$(CP) \$(SRC_D)$o$_$pp $to${o}$n$pp\n\n";
+		}
+	return($ret);
+	}
+
+sub read_options
+	{
+	if    (/^no-rc2$/)	{ $no_rc2=1; }
+	elsif (/^no-rc4$/)	{ $no_rc4=1; }
+	elsif (/^no-rc5$/)	{ $no_rc5=1; }
+	elsif (/^no-idea$/)	{ $no_idea=1; }
+	elsif (/^no-des$/)	{ $no_des=1; }
+	elsif (/^no-bf$/)	{ $no_bf=1; }
+	elsif (/^no-cast$/)	{ $no_cast=1; }
+	elsif (/^no-md2$/)  	{ $no_md2=1; }
+	elsif (/^no-md5$/)	{ $no_md5=1; }
+	elsif (/^no-sha$/)	{ $no_sha=1; }
+	elsif (/^no-sha1$/)	{ $no_sha1=1; }
+	elsif (/^no-ripemd$/)	{ $no_ripemd=1; }
+	elsif (/^no-mdc2$/)	{ $no_mdc2=1; }
+	elsif (/^no-patents$/)	{ $no_rc2=$no_rc4=$no_rc5=$no_idea=$no_rsa=1; }
+	elsif (/^no-rsa$/)	{ $no_rsa=1; }
+	elsif (/^no-dsa$/)	{ $no_dsa=1; }
+	elsif (/^no-dh$/)	{ $no_dh=1; }
+	elsif (/^no-hmac$/)	{ $no_hmac=1; }
+	elsif (/^no-asm$/)	{ $no_asm=1; }
+	elsif (/^nasm$/)	{ $nasm=1; }
+	elsif (/^gaswin$/)	{ $gaswin=1; }
+	elsif (/^no-ssl2$/)	{ $no_ssl2=1; }
+	elsif (/^no-ssl3$/)	{ $no_ssl3=1; }
+	elsif (/^no-err$/)	{ $no_err=1; }
+	elsif (/^no-sock$/)	{ $no_sock=1; }
+
+	elsif (/^just-ssl$/)	{ $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
+				  $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
+				  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; }
+
+	elsif (/^rsaref$/)	{ $rsaref=1; }
+	elsif (/^gcc$/)		{ $gcc=1; }
+	elsif (/^debug$/)	{ $debug=1; }
+	elsif (/^shlib$/)	{ $shlib=1; }
+	elsif (/^dll$/)		{ $shlib=1; }
+	elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
+	elsif (/^-[lL].*$/)	{ $l_flags.="$_ "; }
+	elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
+		{ $c_flags.="$_ "; }
+	else { return(0); }
+	return(1);
+	}
diff --git a/crypto/openssl/util/mkcerts.sh b/crypto/openssl/util/mkcerts.sh
new file mode 100755
index 0000000..5f8a1da
--- /dev/null
+++ b/crypto/openssl/util/mkcerts.sh
@@ -0,0 +1,220 @@
+#!bin/sh
+
+# This script will re-make all the required certs.
+# cd apps
+# sh ../util/mkcerts.sh
+# mv ca-cert.pem pca-cert.pem ../certs
+# cd ..
+# cat certs/*.pem >>apps/server.pem
+# cat certs/*.pem >>apps/server2.pem
+# SSLEAY=`pwd`/apps/ssleay; export SSLEAY
+# sh tools/c_rehash certs
+#
+ 
+CAbits=1024
+SSLEAY="../apps/ssleay"
+CONF="-config ../apps/ssleay.cnf"
+
+# create pca request.
+echo creating $CAbits bit PCA cert request
+$SSLEAY req $CONF \
+	-new -md5 -newkey $CAbits \
+	-keyout pca-key.pem \
+	-out pca-req.pem -nodes >/dev/null <<EOF
+AU
+Queensland
+.
+CryptSoft Pty Ltd
+.
+Test PCA (1024 bit)
+
+
+
+EOF
+
+if [ $? != 0 ]; then
+	echo problems generating PCA request
+	exit 1
+fi
+
+#sign it.
+echo
+echo self signing PCA
+$SSLEAY x509 -md5 -days 1461 \
+	-req -signkey pca-key.pem \
+	-CAcreateserial -CAserial pca-cert.srl \
+	-in pca-req.pem -out pca-cert.pem
+
+if [ $? != 0 ]; then
+	echo problems self signing PCA cert
+	exit 1
+fi
+echo
+
+# create ca request.
+echo creating $CAbits bit CA cert request
+$SSLEAY req $CONF \
+	-new -md5 -newkey $CAbits \
+	-keyout ca-key.pem \
+	-out ca-req.pem -nodes >/dev/null <<EOF
+AU
+Queensland
+.
+CryptSoft Pty Ltd
+.
+Test CA (1024 bit)
+
+
+
+EOF
+
+if [ $? != 0 ]; then
+	echo problems generating CA request
+	exit 1
+fi
+
+#sign it.
+echo
+echo signing CA
+$SSLEAY x509 -md5 -days 1461 \
+	-req \
+	-CAcreateserial -CAserial pca-cert.srl \
+	-CA pca-cert.pem -CAkey pca-key.pem \
+	-in ca-req.pem -out ca-cert.pem
+
+if [ $? != 0 ]; then
+	echo problems signing CA cert
+	exit 1
+fi
+echo
+
+# create server request.
+echo creating 512 bit server cert request
+$SSLEAY req $CONF \
+	-new -md5 -newkey 512 \
+	-keyout s512-key.pem \
+	-out s512-req.pem -nodes >/dev/null <<EOF
+AU
+Queensland
+.
+CryptSoft Pty Ltd
+.
+Server test cert (512 bit)
+
+
+
+EOF
+
+if [ $? != 0 ]; then
+	echo problems generating 512 bit server cert request
+	exit 1
+fi
+
+#sign it.
+echo
+echo signing 512 bit server cert
+$SSLEAY x509 -md5 -days 365 \
+	-req \
+	-CAcreateserial -CAserial ca-cert.srl \
+	-CA ca-cert.pem -CAkey ca-key.pem \
+	-in s512-req.pem -out server.pem
+
+if [ $? != 0 ]; then
+	echo problems signing 512 bit server cert
+	exit 1
+fi
+echo
+
+# create 1024 bit server request.
+echo creating 1024 bit server cert request
+$SSLEAY req $CONF \
+	-new -md5 -newkey 1024 \
+	-keyout s1024key.pem \
+	-out s1024req.pem -nodes >/dev/null <<EOF
+AU
+Queensland
+.
+CryptSoft Pty Ltd
+.
+Server test cert (1024 bit)
+
+
+
+EOF
+
+if [ $? != 0 ]; then
+	echo problems generating 1024 bit server cert request
+	exit 1
+fi
+
+#sign it.
+echo
+echo signing 1024 bit server cert
+$SSLEAY x509 -md5 -days 365 \
+	-req \
+	-CAcreateserial -CAserial ca-cert.srl \
+	-CA ca-cert.pem -CAkey ca-key.pem \
+	-in s1024req.pem -out server2.pem
+
+if [ $? != 0 ]; then
+	echo problems signing 1024 bit server cert
+	exit 1
+fi
+echo
+
+# create 512 bit client request.
+echo creating 512 bit client cert request
+$SSLEAY req $CONF \
+	-new -md5 -newkey 512 \
+	-keyout c512-key.pem \
+	-out c512-req.pem -nodes >/dev/null <<EOF
+AU
+Queensland
+.
+CryptSoft Pty Ltd
+.
+Client test cert (512 bit)
+
+
+
+EOF
+
+if [ $? != 0 ]; then
+	echo problems generating 512 bit client cert request
+	exit 1
+fi
+
+#sign it.
+echo
+echo signing 512 bit client cert
+$SSLEAY x509 -md5 -days 365 \
+	-req \
+	-CAcreateserial -CAserial ca-cert.srl \
+	-CA ca-cert.pem -CAkey ca-key.pem \
+	-in c512-req.pem -out client.pem
+
+if [ $? != 0 ]; then
+	echo problems signing 512 bit client cert
+	exit 1
+fi
+
+echo cleanup
+
+cat pca-key.pem  >> pca-cert.pem
+cat ca-key.pem   >> ca-cert.pem
+cat s512-key.pem >> server.pem
+cat s1024key.pem >> server2.pem
+cat c512-key.pem >> client.pem
+
+for i in pca-cert.pem ca-cert.pem server.pem server2.pem client.pem
+do
+$SSLEAY x509 -issuer -subject -in $i -noout >$$
+cat $$
+/bin/cat $i >>$$
+/bin/mv $$ $i
+done
+
+#/bin/rm -f *key.pem *req.pem *.srl
+
+echo Finished
+
diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl
new file mode 100755
index 0000000..4e2845a
--- /dev/null
+++ b/crypto/openssl/util/mkdef.pl
@@ -0,0 +1,527 @@
+#!/usr/local/bin/perl -w
+#
+# generate a .def file
+#
+# It does this by parsing the header files and looking for the
+# prototyped functions: it then prunes the output.
+#
+
+my $crypto_num="util/libeay.num";
+my $ssl_num=   "util/ssleay.num";
+
+my $do_update = 0;
+my $do_crypto = 0;
+my $do_ssl = 0;
+my $do_ctest = 0;
+my $rsaref = 0;
+
+my $W32=1;
+my $NT=0;
+# Set this to make typesafe STACK definitions appear in DEF
+my $safe_stack_def = 1;
+
+my $options="";
+open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+while(<IN>) {
+    $options=$1 if (/^OPTIONS=(.*)$/);
+}
+close(IN);
+
+# The following ciphers may be excluded (by Configure). This means functions
+# defined with ifndef(NO_XXX) are not included in the .def file, and everything
+# in directory xxx is ignored.
+my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
+my $no_cast; my $no_md2; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
+my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0;
+
+foreach (@ARGV, split(/ /, $options))
+	{
+	$W32=1 if $_ eq "32";
+	$W32=0 if $_ eq "16";
+	if($_ eq "NT") {
+		$W32 = 1;
+		$NT = 1;
+	}
+	$do_ssl=1 if $_ eq "ssleay";
+	$do_ssl=1 if $_ eq "ssl";
+	$do_crypto=1 if $_ eq "libeay";
+	$do_crypto=1 if $_ eq "crypto";
+	$do_update=1 if $_ eq "update";
+	$do_ctest=1 if $_ eq "ctest";
+	$rsaref=1 if $_ eq "rsaref";
+
+	if    (/^no-rc2$/)      { $no_rc2=1; }
+	elsif (/^no-rc4$/)      { $no_rc4=1; }
+	elsif (/^no-rc5$/)      { $no_rc5=1; }
+	elsif (/^no-idea$/)     { $no_idea=1; }
+	elsif (/^no-des$/)      { $no_des=1; }
+	elsif (/^no-bf$/)       { $no_bf=1; }
+	elsif (/^no-cast$/)     { $no_cast=1; }
+	elsif (/^no-md2$/)      { $no_md2=1; }
+	elsif (/^no-md5$/)      { $no_md5=1; }
+	elsif (/^no-sha$/)      { $no_sha=1; }
+	elsif (/^no-ripemd$/)   { $no_ripemd=1; }
+	elsif (/^no-mdc2$/)     { $no_mdc2=1; }
+	elsif (/^no-rsa$/)      { $no_rsa=1; }
+	elsif (/^no-dsa$/)      { $no_dsa=1; }
+	elsif (/^no-dh$/)       { $no_dh=1; }
+	elsif (/^no-hmac$/)	{ $no_hmac=1; }
+	}
+
+
+if (!$do_ssl && !$do_crypto)
+	{
+	print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT ] [rsaref]\n";
+	exit(1);
+	}
+
+%ssl_list=&load_numbers($ssl_num);
+$max_ssl = $max_num;
+%crypto_list=&load_numbers($crypto_num);
+$max_crypto = $max_num;
+
+my $ssl="ssl/ssl.h";
+
+my $crypto ="crypto/crypto.h";
+$crypto.=" crypto/des/des.h" unless $no_des;
+$crypto.=" crypto/idea/idea.h" unless $no_idea;
+$crypto.=" crypto/rc4/rc4.h" unless $no_rc4;
+$crypto.=" crypto/rc5/rc5.h" unless $no_rc5;
+$crypto.=" crypto/rc2/rc2.h" unless $no_rc2;
+$crypto.=" crypto/bf/blowfish.h" unless $no_bf;
+$crypto.=" crypto/cast/cast.h" unless $no_cast;
+$crypto.=" crypto/md2/md2.h" unless $no_md2;
+$crypto.=" crypto/md5/md5.h" unless $no_md5;
+$crypto.=" crypto/mdc2/mdc2.h" unless $no_mdc2;
+$crypto.=" crypto/sha/sha.h" unless $no_sha;
+$crypto.=" crypto/ripemd/ripemd.h" unless $no_ripemd;
+
+$crypto.=" crypto/bn/bn.h";
+$crypto.=" crypto/rsa/rsa.h" unless $no_rsa;
+$crypto.=" crypto/dsa/dsa.h" unless $no_dsa;
+$crypto.=" crypto/dh/dh.h" unless $no_dh;
+$crypto.=" crypto/hmac/hmac.h" unless $no_hmac;
+
+$crypto.=" crypto/stack/stack.h";
+$crypto.=" crypto/buffer/buffer.h";
+$crypto.=" crypto/bio/bio.h";
+$crypto.=" crypto/lhash/lhash.h";
+$crypto.=" crypto/conf/conf.h";
+$crypto.=" crypto/txt_db/txt_db.h";
+
+$crypto.=" crypto/evp/evp.h";
+$crypto.=" crypto/objects/objects.h";
+$crypto.=" crypto/pem/pem.h";
+#$crypto.=" crypto/meth/meth.h";
+$crypto.=" crypto/asn1/asn1.h";
+$crypto.=" crypto/asn1/asn1_mac.h";
+$crypto.=" crypto/err/err.h";
+$crypto.=" crypto/pkcs7/pkcs7.h";
+$crypto.=" crypto/pkcs12/pkcs12.h";
+$crypto.=" crypto/x509/x509.h";
+$crypto.=" crypto/x509/x509_vfy.h";
+$crypto.=" crypto/x509v3/x509v3.h";
+$crypto.=" crypto/rand/rand.h";
+$crypto.=" crypto/comp/comp.h";
+$crypto.=" crypto/tmdiff.h";
+
+my @ssl_func = &do_defs("SSLEAY", $ssl);
+my @crypto_func = &do_defs("LIBEAY", $crypto);
+
+
+if ($do_update) {
+
+if ($do_ssl == 1) {
+	open(OUT, ">>$ssl_num");
+	&update_numbers(*OUT,"SSLEAY",*ssl_list,$max_ssl, @ssl_func);
+	close OUT;
+}
+
+if($do_crypto == 1) {
+	open(OUT, ">>$crypto_num");
+	&update_numbers(*OUT,"LIBEAY",*crypto_list,$max_crypto, @crypto_func);
+	close OUT;
+} 
+
+} elsif ($do_ctest) {
+
+	print <<"EOF";
+
+/* Test file to check all DEF file symbols are present by trying
+ * to link to all of them. This is *not* intended to be run!
+ */
+
+int main()
+{
+EOF
+	&print_test_file(*STDOUT,"SSLEAY",*ssl_list,@ssl_func)
+		if $do_ssl == 1;
+
+	&print_test_file(*STDOUT,"LIBEAY",*crypto_list,@crypto_func)
+		if $do_crypto == 1;
+
+	print "}\n";
+
+} else {
+
+	&print_def_file(*STDOUT,"SSLEAY",*ssl_list,@ssl_func)
+		if $do_ssl == 1;
+
+	&print_def_file(*STDOUT,"LIBEAY",*crypto_list,@crypto_func)
+		if $do_crypto == 1;
+
+}
+
+
+sub do_defs
+{
+	my($name,$files)=@_;
+	my $file;
+	my @ret;
+	my %funcs;
+	my $cpp;
+
+	foreach $file (split(/\s+/,$files))
+		{
+		open(IN,"<$file") || die "unable to open $file:$!\n";
+		my $line = "", my $def= "";
+		my %tag = (
+			FreeBSD		=> 0,
+			NOPROTO		=> 0,
+			WIN16		=> 0,
+			PERL5		=> 0,
+			_WINDLL		=> 0,
+			NO_FP_API	=> 0,
+			CONST_STRICT	=> 0,
+			TRUE		=> 1,
+			NO_RC2		=> 0,
+			NO_RC4		=> 0,
+			NO_RC5		=> 0,
+			NO_IDEA		=> 0,
+			NO_DES		=> 0,
+			NO_BF		=> 0,
+			NO_CAST		=> 0,
+			NO_MD2		=> 0,
+			NO_MD5		=> 0,
+			NO_SHA		=> 0,
+			NO_RIPEMD	=> 0,
+			NO_MDC2		=> 0,
+			NO_RSA		=> 0,
+			NO_DSA		=> 0,
+			NO_DH		=> 0,
+			NO_HMAC		=> 0,
+		);
+		while(<IN>) {
+			last if (/BEGIN ERROR CODES/);
+			if ($line ne '') {
+				$_ = $line . $_;
+				$line = '';
+			}
+
+			if (/\\$/) {
+				$line = $_;
+				next;
+			}
+
+	    		$cpp = 1 if /^#.*ifdef.*cplusplus/;
+			if ($cpp) {
+				$cpp = 0 if /^#.*endif/;
+				next;
+	    		}
+
+			s/\/\*.*?\*\///gs;                   # ignore comments
+			s/{[^{}]*}//gs;                      # ignore {} blocks
+			if (/^\#\s*ifndef (.*)/) {
+				push(@tag,$1);
+				$tag{$1}=-1;
+				next;
+			} elsif (/^\#\s*if !defined\(([^\)]+)\)/) {
+				push(@tag,$1);
+				$tag{$1}=-1;
+				next;
+			} elsif (/^\#\s*ifdef (.*)/) {
+				push(@tag,$1);
+				$tag{$1}=1;
+				next;
+			} elsif (/^\#\s*if defined(.*)/) {
+				push(@tag,$1);
+				$tag{$1}=1;
+				next;
+			} elsif (/^\#\s*endif/) {
+				$tag{$tag[$#tag]}=0;
+				pop(@tag);
+				next;
+			} elsif (/^\#\s*else/) {
+				my $t=$tag[$#tag];
+				$tag{$t}= -$tag{$t};
+				next;
+			} elsif (/^\#\s*if\s+1/) {
+				# Dummy tag
+				push(@tag,"TRUE");
+				$tag{"TRUE"}=1;
+				next;
+			} elsif (/^\#\s*if\s+0/) {
+				# Dummy tag
+				push(@tag,"TRUE");
+				$tag{"TRUE"}=-1;
+				next;
+			} elsif (/^\#/) {
+				next;
+			}
+			if ($safe_stack_def &&
+				/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
+				$funcs{"sk_${1}_new"} = 1;
+				$funcs{"sk_${1}_new_null"} = 1;
+				$funcs{"sk_${1}_free"} = 1;
+				$funcs{"sk_${1}_num"} = 1;
+				$funcs{"sk_${1}_value"} = 1;
+				$funcs{"sk_${1}_set"} = 1;
+				$funcs{"sk_${1}_zero"} = 1;
+				$funcs{"sk_${1}_push"} = 1;
+				$funcs{"sk_${1}_unshift"} = 1;
+				$funcs{"sk_${1}_find"} = 1;
+				$funcs{"sk_${1}_delete"} = 1;
+				$funcs{"sk_${1}_delete_ptr"} = 1;
+				$funcs{"sk_${1}_insert"} = 1;
+				$funcs{"sk_${1}_set_cmp_func"} = 1;
+				$funcs{"sk_${1}_dup"} = 1;
+				$funcs{"sk_${1}_pop_free"} = 1;
+				$funcs{"sk_${1}_shift"} = 1;
+				$funcs{"sk_${1}_pop"} = 1;
+				$funcs{"sk_${1}_sort"} = 1;
+			} elsif ($safe_stack_def &&
+				/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
+				$funcs{"d2i_ASN1_SET_OF_${1}"} = 1;
+				$funcs{"i2d_ASN1_SET_OF_${1}"} = 1;
+			} elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
+				     /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) {
+				if($W32) {
+					$funcs{"PEM_read_${1}"} = 1;
+					$funcs{"PEM_write_${1}"} = 1;
+				}
+				$funcs{"PEM_read_bio_${1}"} = 1;
+				$funcs{"PEM_write_bio_${1}"} = 1;
+			} elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
+				     /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
+				if($W32) {
+					$funcs{"PEM_write_${1}"} = 1;
+				}
+				$funcs{"PEM_write_bio_${1}"} = 1;
+			} elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
+				     /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
+				if($W32) {
+					$funcs{"PEM_read_${1}"} = 1;
+				}
+				$funcs{"PEM_read_bio_${1}"} = 1;
+			} elsif (
+				($tag{'TRUE'} != -1) &&
+				($tag{'FreeBSD'} != 1) &&
+				($tag{'CONST_STRICT'} != 1) &&
+				(($W32 && ($tag{'WIN16'} != 1)) ||
+				 (!$W32 && ($tag{'WIN16'} != -1))) &&
+				($tag{'PERL5'} != 1) &&
+#				($tag{'_WINDLL'} != -1) &&
+				((!$W32 && $tag{'_WINDLL'} != -1) ||
+				 ($W32 && $tag{'_WINDLL'} != 1)) &&
+				((($tag{'NO_FP_API'} != 1) && $W32) ||
+				 (($tag{'NO_FP_API'} != -1) && !$W32)) &&
+				($tag{'NO_RC2'} == 0  || !$no_rc2) &&
+				($tag{'NO_RC4'} == 0  || !$no_rc4) &&
+				($tag{'NO_RC5'} == 0  || !$no_rc5) &&
+				($tag{'NO_IDEA'} == 0 || !$no_idea) &&
+				($tag{'NO_DES'} == 0  || !$no_des) &&
+				($tag{'NO_BF'} == 0   || !$no_bf) &&
+				($tag{'NO_CAST'} == 0 || !$no_cast) &&
+				($tag{'NO_MD2'} == 0  || !$no_md2) &&
+				($tag{'NO_MD5'} == 0  || !$no_md5) &&
+				($tag{'NO_SHA'} == 0  || !$no_sha) &&
+				($tag{'NO_RIPEMD'} == 0 || !$no_ripemd) &&
+				($tag{'NO_MDC2'} == 0 || !$no_mdc2) &&
+				($tag{'NO_RSA'} == 0  || !$no_rsa) &&
+				($tag{'NO_DSA'} == 0  || !$no_dsa) &&
+				($tag{'NO_DH'} == 0   || !$no_dh) &&
+				($tag{'NO_HMAC'} == 0 || !$no_hmac))
+				{
+					if (/{|\/\*/) { # }
+						$line = $_;
+					} else {
+						$def .= $_;
+					}
+				}
+			}
+		close(IN);
+
+		foreach (split /;/, $def) {
+			s/^[\n\s]*//g;
+			s/[\n\s]*$//g;
+			next if(/typedef\W/);
+			next if(/EVP_bf/ and $no_bf);
+			next if(/EVP_cast/ and $no_cast);
+			next if(/EVP_des/ and $no_des);
+			next if(/EVP_dss/ and $no_dsa);
+			next if(/EVP_idea/ and $no_idea);
+			next if(/EVP_md2/ and $no_md2);
+			next if(/EVP_md5/ and $no_md5);
+			next if(/EVP_rc2/ and $no_rc2);
+			next if(/EVP_rc4/ and $no_rc4);
+			next if(/EVP_rc5/ and $no_rc5);
+			next if(/EVP_ripemd/ and $no_ripemd);
+			next if(/EVP_sha/ and $no_sha);
+			if (/\(\*(\w*)\([^\)]+/) {
+				$funcs{$1} = 1;
+			} elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
+				# K&R C
+				next;
+			} elsif (/\w+\W+\w+\W*\(.*\)$/s) {
+				while (not /\(\)$/s) {
+					s/[^\(\)]*\)$/\)/s;
+					s/\([^\(\)]*\)\)$/\)/s;
+				}
+				s/\(void\)//;
+				/(\w+)\W*\(\)/s;
+				$funcs{$1} = 1;
+			} elsif (/\(/ and not (/=/)) {
+				print STDERR "File $file: cannot parse: $_;\n";
+			}
+		}
+	}
+
+	# Prune the returned functions
+
+        delete $funcs{"SSL_add_dir_cert_subjects_to_stack"};
+        delete $funcs{"RSA_PKCS1_RSAref"} unless $rsaref;
+        delete $funcs{"bn_dump1"};
+
+	if($W32) {
+		delete $funcs{"BIO_s_file_internal"};
+		delete $funcs{"BIO_new_file_internal"};
+		delete $funcs{"BIO_new_fp_internal"};
+	} else {
+		if(exists $funcs{"ERR_load_CRYPTO_strings"}) {
+			delete $funcs{"ERR_load_CRYPTO_strings"};
+			$funcs{"ERR_load_CRYPTOlib_strings"} = 1;
+		}
+		delete $funcs{"BIO_s_file"};
+		delete $funcs{"BIO_new_file"};
+		delete $funcs{"BIO_new_fp"};
+	}
+	if (!$NT) {
+		delete $funcs{"BIO_s_log"};
+	}
+
+	push @ret, keys %funcs;
+
+	return(@ret);
+}
+
+sub print_test_file
+{
+	(*OUT,my $name,*nums,my @functions)=@_;
+	my $n = 1; my @e; my @r;
+	my $func;
+
+	(@e)=grep(/^SSLeay/,@functions);
+	(@r)=grep(!/^SSLeay/,@functions);
+	@functions=((sort @e),(sort @r));
+
+	foreach $func (@functions) {
+		if (!defined($nums{$func})) {
+			printf STDERR "$func does not have a number assigned\n"
+					if(!$do_update);
+		} else {
+			$n=$nums{$func};
+			print OUT "\t$func();\n";
+		}
+	}
+}
+
+sub print_def_file
+{
+	(*OUT,my $name,*nums,my @functions)=@_;
+	my $n = 1; my @e; my @r;
+
+	if ($W32)
+		{ $name.="32"; }
+	else
+		{ $name.="16"; }
+
+	print OUT <<"EOF";
+;
+; Definition file for the DLL version of the $name library from OpenSSL
+;
+
+LIBRARY         $name
+
+DESCRIPTION     'OpenSSL $name - http://www.openssl.org/'
+
+EOF
+
+	if (!$W32) {
+		print <<"EOF";
+CODE            PRELOAD MOVEABLE
+DATA            PRELOAD MOVEABLE SINGLE
+
+EXETYPE		WINDOWS
+
+HEAPSIZE	4096
+STACKSIZE	8192
+
+EOF
+	}
+
+	print "EXPORTS\n";
+
+
+	(@e)=grep(/^SSLeay/,@functions);
+	(@r)=grep(!/^SSLeay/,@functions);
+	@functions=((sort @e),(sort @r));
+
+	foreach $func (@functions) {
+		if (!defined($nums{$func})) {
+			printf STDERR "$func does not have a number assigned\n"
+					if(!$do_update);
+		} else {
+			$n=$nums{$func};
+			printf OUT "    %s%-40s@%d\n",($W32)?"":"_",$func,$n;
+		}
+	}
+	printf OUT "\n";
+}
+
+sub load_numbers
+{
+	my($name)=@_;
+	my(@a,%ret);
+
+	$max_num = 0;
+
+	open(IN,"<$name") || die "unable to open $name:$!\n";
+	while (<IN>) {
+		chop;
+		s/#.*$//;
+		next if /^\s*$/;
+		@a=split;
+		$ret{$a[0]}=$a[1];
+		$max_num = $a[1] if $a[1] > $max_num;
+	}
+	close(IN);
+	return(%ret);
+}
+
+sub update_numbers
+{
+	(*OUT,$name,*nums,my $start_num, my @functions)=@_;
+	my $new_funcs = 0;
+	print STDERR "Updating $name\n";
+	foreach $func (@functions) {
+		if (!exists $nums{$func}) {
+			$new_funcs++;
+			printf OUT "%s%-40s%d\n","",$func, ++$start_num;
+		}
+	}
+	if($new_funcs) {
+		print STDERR "$new_funcs New Functions added\n";
+	} else {
+		print STDERR "No New Functions Added\n";
+	}
+}
diff --git a/crypto/openssl/util/mkdir-p.pl b/crypto/openssl/util/mkdir-p.pl
new file mode 100755
index 0000000..6c69c2d
--- /dev/null
+++ b/crypto/openssl/util/mkdir-p.pl
@@ -0,0 +1,33 @@
+#!/usr/local/bin/perl
+
+# mkdir-p.pl
+
+# On some systems, the -p option to mkdir (= also create any missing parent
+# directories) is not available.
+
+my $arg;
+
+foreach $arg (@ARGV) {
+  &do_mkdir_p($arg);
+}
+
+
+sub do_mkdir_p {
+  local($dir) = @_;
+
+  $dir =~ s|/*\Z(?!\n)||s;
+
+  if (-d $dir) {
+    return;
+  }
+
+  if ($dir =~ m|[^/]/|s) {
+    local($parent) = $dir;
+    $parent =~ s|[^/]*\Z(?!\n)||s;
+
+    do_mkdir_p($parent);
+  }
+
+  mkdir($dir, 0777) || die "Cannot create directory $dir: $!\n";
+  print "created directory `$dir'\n";
+}
diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl
new file mode 100644
index 0000000..8e18f3c
--- /dev/null
+++ b/crypto/openssl/util/mkerr.pl
@@ -0,0 +1,519 @@
+#!/usr/local/bin/perl -w
+
+my $config = "crypto/err/openssl.ec";
+my $debug = 0;
+my $rebuild = 0;
+my $static = 1;
+my $recurse = 0;
+my $reindex = 0;
+my $dowrite = 0;
+
+
+while (@ARGV) {
+	my $arg = $ARGV[0];
+	if($arg eq "-conf") {
+		shift @ARGV;
+		$config = shift @ARGV;
+	} elsif($arg eq "-debug") {
+		$debug = 1;
+		shift @ARGV;
+	} elsif($arg eq "-rebuild") {
+		$rebuild = 1;
+		shift @ARGV;
+	} elsif($arg eq "-recurse") {
+		$recurse = 1;
+		shift @ARGV;
+	} elsif($arg eq "-reindex") {
+		$reindex = 1;
+		shift @ARGV;
+	} elsif($arg eq "-nostatic") {
+		$static = 0;
+		shift @ARGV;
+	} elsif($arg eq "-write") {
+		$dowrite = 1;
+		shift @ARGV;
+	} else {
+		last;
+	}
+}
+
+if($recurse) {
+	@source = (<crypto/*.c>, <crypto/*/*.c>, ,<rsaref/*.c>, <ssl/*.c>);
+} else {
+	@source = @ARGV;
+}
+
+# Read in the config file
+
+open(IN, "<$config") || die "Can't open config file $config";
+
+# Parse config file
+
+while(<IN>)
+{
+	if(/^L\s+(\S+)\s+(\S+)\s+(\S+)/) {
+		$hinc{$1} = $2;
+		$cskip{$3} = $1;
+		if($3 ne "NONE") {
+			$csrc{$1} = $3;
+			$fmax{$1} = 99;
+			$rmax{$1} = 99;
+			$fnew{$1} = 0;
+			$rnew{$1} = 0;
+		}
+	} elsif (/^F\s+(\S+)/) {
+	# Add extra function with $1
+	} elsif (/^R\s+(\S+)\s+(\S+)/) {
+		$rextra{$1} = $2;
+		$rcodes{$1} = $2;
+	}
+}
+
+close IN;
+
+# Scan each header file in turn and make a list of error codes
+# and function names
+
+while (($lib, $hdr) = each %hinc)
+{
+	next if($hdr eq "NONE");
+	print STDERR "Scanning header file $hdr\n" if $debug; 
+	open(IN, "<$hdr") || die "Can't open Header file $hdr\n";
+	my $line = "", $def= "";
+	while(<IN>) {
+	    last if(/BEGIN\s+ERROR\s+CODES/);
+	    if ($line ne '') {
+		$_ = $line . $_;
+		$line = '';
+	    }
+
+	    if (/\\$/) {
+		$line = $_;
+		next;
+	    }
+
+	    $cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
+	    if ($cpp) {
+		$cpp = 0 if /^#.*endif/;
+		next;
+	    }
+
+	    next if (/^#/);                      # skip preprocessor directives
+
+	    s/\/\*.*?\*\///gs;                   # ignore comments
+	    s/{[^{}]*}//gs;                      # ignore {} blocks
+
+	    if (/{|\/\*/) { # Add a } so editor works...
+		$line = $_;
+	    } else {
+		$def .= $_;
+	    }
+	}
+
+	foreach (split /;/, $def) {
+	    s/^[\n\s]*//g;
+	    s/[\n\s]*$//g;
+	    next if(/typedef\W/);
+	    if (/\(\*(\w*)\([^\)]+/) {
+		my $name = $1;
+		$name =~ tr/[a-z]/[A-Z]/;
+		$ftrans{$name} = $1;
+	    } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+		# K&R C
+		next ;
+	    } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
+		while (not /\(\)$/s) {
+		    s/[^\(\)]*\)$/\)/s;
+		    s/\([^\(\)]*\)\)$/\)/s;
+		}
+		s/\(void\)//;
+		/(\w+)\W*\(\)/s;
+		my $name = $1;
+		$name =~ tr/[a-z]/[A-Z]/;
+		$ftrans{$name} = $1;
+	    } elsif (/\(/ and not (/=/ or /DECLARE_STACK/)) {
+		print STDERR "Header $hdr: cannot parse: $_;\n";
+	    }
+	}
+
+	next if $reindex;
+
+	# Scan function and reason codes and store them: keep a note of the
+	# maximum code used.
+
+	while(<IN>) {
+		if(/^#define\s+(\S+)\s+(\S+)/) {
+			$name = $1;
+			$code = $2;
+			unless($name =~ /^${lib}_([RF])_(\w+)$/) {
+				print STDERR "Invalid error code $name\n";
+				next;
+			}
+			if($1 eq "R") {
+				$rcodes{$name} = $code;
+				if(!(exists $rextra{$name}) &&
+					 ($code > $rmax{$lib}) ) {
+					$rmax{$lib} = $code;
+				}
+			} else {
+				if($code > $fmax{$lib}) {
+					$fmax{$lib} = $code;
+				}
+				$fcodes{$name} = $code;
+			}
+		}
+	}
+	close IN;
+}
+
+# Scan each C source file and look for function and reason codes
+# This is done by looking for strings that "look like" function or
+# reason codes: basically anything consisting of all upper case and
+# numerics which has _F_ or _R_ in it and which has the name of an
+# error library at the start. This seems to work fine except for the
+# oddly named structure BIO_F_CTX which needs to be ignored.
+# If a code doesn't exist in list compiled from headers then mark it
+# with the value "X" as a place holder to give it a value later.
+# Store all function and reason codes found in %ufcodes and %urcodes
+# so all those unreferenced can be printed out.
+
+
+foreach $file (@source) {
+	# Don't parse the error source file.
+	next if exists $cskip{$file};
+	open(IN, "<$file") || die "Can't open source file $file\n";
+	while(<IN>) {
+		if(/(([A-Z0-9]+)_F_([A-Z0-9_]+))/) {
+			next unless exists $csrc{$2};
+			next if($1 eq "BIO_F_BUFFER_CTX");
+			$ufcodes{$1} = 1;
+			if(!exists $fcodes{$1}) {
+				$fcodes{$1} = "X";
+				$fnew{$2}++;
+			}
+			$notrans{$1} = 1 unless exists $ftrans{$3};
+		}
+		if(/(([A-Z0-9]+)_R_[A-Z0-9_]+)/) {
+			next unless exists $csrc{$2};
+			$urcodes{$1} = 1;
+			if(!exists $rcodes{$1}) {
+				$rcodes{$1} = "X";
+				$rnew{$2}++;
+			}
+		} 
+	}
+	close IN;
+}
+
+# Now process each library in turn.
+
+foreach $lib (keys %csrc)
+{
+	my $hfile = $hinc{$lib};
+	my $cfile = $csrc{$lib};
+	if(!$fnew{$lib} && !$rnew{$lib}) {
+		print STDERR "$lib:\t\tNo new error codes\n";
+		next unless $rebuild;
+	} else {
+		print STDERR "$lib:\t\t$fnew{$lib} New Functions,";
+		print STDERR " $rnew{$lib} New Reasons.\n";
+		next unless $dowrite;
+	}
+
+	# If we get here then we have some new error codes so we
+	# need to rebuild the header file and C file.
+
+	# Make a sorted list of error and reason codes for later use.
+
+	my @function = sort grep(/^${lib}_/,keys %fcodes);
+	my @reasons = sort grep(/^${lib}_/,keys %rcodes);
+
+	# Rewrite the header file
+
+	open(IN, "<$hfile") || die "Can't Open Header File $hfile\n";
+
+	# Copy across the old file
+	while(<IN>) {
+		push @out, $_;
+		last if (/BEGIN ERROR CODES/);
+	}
+	close IN;
+
+	open (OUT, ">$hfile") || die "Can't Open File $hfile for writing\n";
+
+	print OUT @out;
+	undef @out;
+	print OUT <<"EOF";
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the $lib functions. */
+
+/* Function codes. */
+EOF
+
+	foreach $i (@function) {
+		$z=6-int(length($i)/8);
+		if($fcodes{$i} eq "X") {
+			$fcodes{$i} = ++$fmax{$lib};
+			print STDERR "New Function code $i\n" if $debug;
+		}
+		printf OUT "#define $i%s $fcodes{$i}\n","\t" x $z;
+	}
+
+	print OUT "\n/* Reason codes. */\n";
+
+	foreach $i (@reasons) {
+		$z=6-int(length($i)/8);
+		if($rcodes{$i} eq "X") {
+			$rcodes{$i} = ++$rmax{$lib};
+			print STDERR "New Reason code   $i\n" if $debug;
+		}
+		printf OUT "#define $i%s $rcodes{$i}\n","\t" x $z;
+	}
+	print OUT <<"EOF";
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
+EOF
+	close OUT;
+
+	# Rewrite the C source file containing the error details.
+
+	# First, read any existing reason string definitions:
+	my %err_reason_strings;
+	if (open(IN,"<$cfile")) {
+		while (<IN>) {
+			if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) {
+				$err_reason_strings{$1} = $2;
+			}
+		}
+		close(IN);
+	}
+
+	my $hincf;
+	if($static) {
+		$hfile =~ /([^\/]+)$/;
+		$hincf = "<openssl/$1>";
+	} else {
+		$hincf = "\"$hfile\"";
+	}
+
+
+	open (OUT,">$cfile") || die "Can't open $cfile for writing";
+
+	print OUT <<"EOF";
+/* $cfile */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core\@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay\@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh\@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include $hincf
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA ${lib}_str_functs[]=
+	{
+EOF
+	# Add each function code: if a function name is found then use it.
+	foreach $i (@function) {
+		my $fn;
+		$i =~ /^${lib}_F_(\S+)$/;
+		$fn = $1;
+		if(exists $ftrans{$fn}) {
+			$fn = $ftrans{$fn};
+		}
+		print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n";
+	}
+	print OUT <<"EOF";
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ${lib}_str_reasons[]=
+	{
+EOF
+	# Add each reason code.
+	foreach $i (@reasons) {
+		my $rn;
+		my $nspc = 0;
+		if (exists $err_reason_strings{$i}) {
+			$rn = $err_reason_strings{$i};
+		} else {
+			$i =~ /^${lib}_R_(\S+)$/;
+			$rn = $1;
+			$rn =~ tr/_[A-Z]/ [a-z]/;
+		}
+		$nspc = 40 - length($i) unless length($i) > 40;
+		$nspc = " " x $nspc;
+		print OUT "{${i}${nspc},\"$rn\"},\n";
+	}
+if($static) {
+	print OUT <<"EOF";
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_${lib}_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
+		ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
+#endif
+
+		}
+	}
+EOF
+} else {
+	print OUT <<"EOF";
+{0,NULL}
+	};
+
+#endif
+
+#ifdef ${lib}_LIB_NAME
+static ERR_STRING_DATA ${lib}_lib_name[]=
+        {
+{0	,${lib}_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+int ${lib}_lib_error_code=0;
+
+void ERR_load_${lib}_strings(void)
+	{
+	static int init=1;
+
+	if (${lib}_lib_error_code == 0)
+		${lib}_lib_error_code=ERR_get_next_error_library();
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(${lib}_lib_error_code,${lib}_str_functs);
+		ERR_load_strings(${lib}_lib_error_code,${lib}_str_reasons);
+#endif
+
+#ifdef ${lib}_LIB_NAME
+		${lib}_lib_name->error = ERR_PACK(${lib}_lib_error_code,0,0);
+		ERR_load_strings(0,${lib}_lib_name);
+#endif
+		}
+	}
+
+void ERR_${lib}_error(int function, int reason, char *file, int line)
+	{
+	if (${lib}_lib_error_code == 0)
+		${lib}_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(${lib}_lib_error_code,function,reason,file,line);
+	}
+EOF
+
+}
+
+	close OUT;
+	undef %err_reason_strings;
+}
+
+if($debug && defined(%notrans)) {
+	print STDERR "The following function codes were not translated:\n";
+	foreach(sort keys %notrans)
+	{
+		print STDERR "$_\n";
+	}
+}
+
+# Make a list of unreferenced function and reason codes
+
+foreach (keys %fcodes) {
+	push (@funref, $_) unless exists $ufcodes{$_};
+}
+
+foreach (keys %rcodes) {
+	push (@runref, $_) unless exists $urcodes{$_};
+}
+
+if($debug && defined(@funref) ) {
+	print STDERR "The following function codes were not referenced:\n";
+	foreach(sort @funref)
+	{
+		print STDERR "$_\n";
+	}
+}
+
+if($debug && defined(@runref) ) {
+	print STDERR "The following reason codes were not referenced:\n";
+	foreach(sort @runref)
+	{
+		print STDERR "$_\n";
+	}
+}
diff --git a/crypto/openssl/util/mkfiles.pl b/crypto/openssl/util/mkfiles.pl
new file mode 100755
index 0000000..6fa424b
--- /dev/null
+++ b/crypto/openssl/util/mkfiles.pl
@@ -0,0 +1,110 @@
+#!/usr/local/bin/perl
+#
+# This is a hacked version of files.pl for systems that can't do a 'make files'.
+# Do a perl util/mkminfo.pl >MINFO to build MINFO
+# Written by Steve Henson 1999.
+
+# List of directories to process
+
+my @dirs = (
+".",
+"crypto",
+"crypto/md2",
+"crypto/md5",
+"crypto/sha",
+"crypto/mdc2",
+"crypto/hmac",
+"crypto/ripemd",
+"crypto/des",
+"crypto/rc2",
+"crypto/rc4",
+"crypto/rc5",
+"crypto/idea",
+"crypto/bf",
+"crypto/cast",
+"crypto/bn",
+"crypto/rsa",
+"crypto/dsa",
+"crypto/dh",
+"crypto/buffer",
+"crypto/bio",
+"crypto/stack",
+"crypto/lhash",
+"crypto/rand",
+"crypto/err",
+"crypto/objects",
+"crypto/evp",
+"crypto/asn1",
+"crypto/pem",
+"crypto/x509",
+"crypto/x509v3",
+"crypto/conf",
+"crypto/txt_db",
+"crypto/pkcs7",
+"crypto/pkcs12",
+"crypto/comp",
+"ssl",
+"rsaref",
+"apps",
+"test",
+"tools"
+);
+
+foreach (@dirs) {
+	&files_dir ($_, "Makefile.ssl");
+}
+
+exit(0);
+
+sub files_dir
+{
+my ($dir, $makefile) = @_;
+
+my %sym;
+
+open (IN, "$dir/$makefile") || die "Can't open $dir/$makefile";
+
+my $s="";
+
+while (<IN>)
+	{
+	chop;
+	s/#.*//;
+	if (/^(\S+)\s*=\s*(.*)$/)
+		{
+		$o="";
+		($s,$b)=($1,$2);
+		for (;;)
+			{
+			if ($b =~ /\\$/)
+				{
+				chop($b);
+				$o.=$b." ";
+				$b=<IN>;
+				chop($b);
+				}
+			else
+				{
+				$o.=$b." ";
+				last;
+				}
+			}
+		$o =~ s/^\s+//;
+		$o =~ s/\s+$//;
+		$o =~ s/\s+/ /g;
+
+		$o =~ s/\$[({]([^)}]+)[)}]/$sym{$1}/g;
+		$sym{$s}=$o;
+		}
+	}
+
+print "RELATIVE_DIRECTORY=$dir\n";
+
+foreach (sort keys %sym)
+	{
+	print "$_=$sym{$_}\n";
+	}
+print "RELATIVE_DIRECTORY=\n";
+
+close (IN);
+}
diff --git a/crypto/openssl/util/mklink.pl b/crypto/openssl/util/mklink.pl
new file mode 100755
index 0000000..de55582
--- /dev/null
+++ b/crypto/openssl/util/mklink.pl
@@ -0,0 +1,55 @@
+#!/usr/local/bin/perl
+
+# mklink.pl
+
+# The first command line argument is a non-empty relative path
+# specifying the "from" directory.
+# Each other argument is a file name not containing / and
+# names a file in the current directory.
+#
+# For each of these files, we create in the "from" directory a link
+# of the same name pointing to the local file.
+#
+# We assume that the directory structure is a tree, i.e. that it does
+# not contain symbolic links and that the parent of / is never referenced.
+# Apart from this, this script should be able to handle even the most
+# pathological cases.
+
+my $from = shift;
+my @files = @ARGV;
+
+my @from_path = split(/\//, $from);
+my $pwd = `pwd`;
+chop($pwd);
+my @pwd_path = split(/\//, $pwd);
+
+my @to_path = ();
+
+my $dirname;
+foreach $dirname (@from_path) {
+
+    # In this loop, @to_path always is a relative path from
+    # @pwd_path (interpreted is an absolute path) to the original pwd.
+
+    # At the end, @from_path (as a relative path from the original pwd)
+    # designates the same directory as the absolute path @pwd_path,
+    # which means that @to_path then is a path from there to the original pwd.
+
+    next if ($dirname eq "" || $dirname eq ".");
+
+    if ($dirname eq "..") {
+	@to_path = (pop(@pwd_path), @to_path);
+    } else {
+	@to_path = ("..", @to_path);
+	push(@pwd_path, $dirname);
+    }
+}
+
+my $to = join('/', @to_path);
+
+my $file;
+foreach $file (@files) {
+#    print "ln -s $to/$file $from/$file\n";
+    symlink("$to/$file", "$from/$file");
+    print $file . " => $from/$file\n";
+}
diff --git a/crypto/openssl/util/perlpath.pl b/crypto/openssl/util/perlpath.pl
new file mode 100755
index 0000000..a1f236b
--- /dev/null
+++ b/crypto/openssl/util/perlpath.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+#
+# modify the '#!/usr/local/bin/perl'
+# line in all scripts that rely on perl.
+#
+
+require "find.pl";
+
+$#ARGV == 0 || print STDERR "usage: perlpath newpath  (eg /usr/bin)\n";
+&find(".");
+
+sub wanted
+	{
+	return unless /\.pl$/ || /^[Cc]onfigur/;
+
+	open(IN,"<$_") || die "unable to open $dir/$_:$!\n";
+	@a=<IN>;
+	close(IN);
+
+	if (-d $ARGV[0]) {
+		$a[0]="#!$ARGV[0]/perl\n";
+	}
+	else {
+		$a[0]="#!$ARGV[0]\n";
+	}
+
+	# Playing it safe...
+	$new="$_.new";
+	open(OUT,">$new") || die "unable to open $dir/$new:$!\n";
+	print OUT @a;
+	close(OUT);
+
+	rename($new,$_) || die "unable to rename $dir/$new:$!\n";
+	chmod(0755,$_) || die "unable to chmod $dir/$new:$!\n";
+	}
diff --git a/crypto/openssl/util/pl/BC-16.pl b/crypto/openssl/util/pl/BC-16.pl
new file mode 100644
index 0000000..6c6df4f
--- /dev/null
+++ b/crypto/openssl/util/pl/BC-16.pl
@@ -0,0 +1,146 @@
+#!/usr/local/bin/perl
+# VCw16lib.pl - the file for Visual C++ 1.52b for windows, static libraries
+#
+
+$o='\\';
+$cp='copy';
+$rm='del';
+
+# C compiler stuff
+$cc='bcc';
+
+if ($debug)
+	{ $op="-v "; }
+else	{ $op="-O "; }
+
+$cflags="-d -ml $op -DL_ENDIAN";
+# I add the stack opt
+$base_lflags="/c /C";
+$lflags="$base_lflags";
+
+if ($win16)
+	{
+	$shlib=1;
+	$cflags.=" -DWINDOWS -DWIN16";
+	$app_cflag="-W";
+	$lib_cflag="-WD";
+	$lflags.="/Twe";
+	}
+else
+	{
+	$cflags.=" -DMSDOS";
+	$lflags.=" /Tde";
+	}
+
+if ($shlib)
+	{
+	$mlflags=" /Twd $base_lflags"; # stack if defined in .def file
+	$libs="libw ldllcew";
+	$no_asm=1;
+	}
+else
+	{ $mlflags=''; }
+
+$obj='.obj';
+$ofile="-o";
+
+# EXE linking stuff
+$link="tlink";
+$efile="";
+$exep='.exe';
+$ex_libs="CL";
+$ex_libs.=$no_sock?"":" winsock.lib";
+
+$app_ex_obj="C0L.obj ";
+$shlib_ex_obj="" if ($shlib);
+
+# static library stuff
+$mklib='tlib';
+$ranlib='echo no ranlib';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='';
+
+$asm='bcc -c -B -Tml';
+$afile='/o';
+if ($no_asm)
+	{
+	$bn_asm_obj='';
+	$bn_asm_src='';
+	}
+elsif ($asmbits == 32)
+	{
+	$bn_asm_obj='crypto\bn\asm\x86w32.obj';
+	$bn_asm_src='crypto\bn\asm\x86w32.asm';
+	}
+else
+	{
+	$bn_asm_obj='crypto\bn\asm\x86w16.obj';
+	$bn_asm_src='crypto\bn\asm\x86w16.asm';
+	}
+
+sub do_lib_rule
+	{
+	local($target,$name,$shlib)=@_;
+	local($ret,$Name);
+
+	$taget =~ s/\//$o/g if $o ne '/';
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+	$ret.="$target: \$(${Name}OBJ)\n";
+	$ret.="\t\$(RM) \$(O_$Name)\n";
+
+	# Due to a pathetic line length limit, I unwrap the args.
+	local($lib_names)="";
+	local($dll_names)="";
+	foreach $_ (sort split(/\s+/,$Vars{"${Name}OBJ"}))
+		{
+		$lib_names.="  +$_ &\n";
+		$dll_names.="  $_\n";
+		}
+
+	if (!$shlib)
+		{
+		$ret.="\t\$(MKLIB) $target & <<|\n$lib_names\n,\n|\n";
+		}
+	else
+		{
+		local($ex)=($Name eq "SSL")?' $(L_CRYPTO) winsock':"";
+		$ret.="\t\$(LINK) \$(MLFLAGS) @&&|\n";
+		$ret.=$dll_names;
+		$ret.="\n  $target\n\n  $ex $libs\nms$o${name}16.def;\n|\n";
+		($out_lib=$target) =~ s/O_/L_/;
+		$ret.="\timplib /nowep $out_lib $target\n\n";
+		}
+	$ret.="\n";
+	return($ret);
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$f,$_,@f);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($targer);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="  \$(LINK) @&&|";
+	
+	# Due to a pathetic line length limit, I have to unwrap the args.
+	$ret.=" \$(LFLAGS) ";
+	if ($files =~ /\(([^)]*)\)$/)
+		{
+		$ret.=" \$(APP_EX_OBJ)";
+		foreach $_ (sort split(/\s+/,$Vars{$1}))
+			{ $ret.="\n  $r $_ +"; }
+		chop($ret);
+		$ret.="\n";
+		}
+	else
+		{ $ret.="\n $r \$(APP_EX_OBJ) $files\n"; }
+	$ret.="  $target\n\n  $libs\n\n|\n\n";
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl
new file mode 100644
index 0000000..7f57809
--- /dev/null
+++ b/crypto/openssl/util/pl/BC-32.pl
@@ -0,0 +1,136 @@
+#!/usr/local/bin/perl
+# Borland C++ builder 3 and 4 -- Janez Jere <jj@void.si>
+#
+
+$ssl=	"ssleay32";
+$crypto="libeay32";
+$RSAref="RSAref32";
+
+$o='\\';
+$cp='copy';
+$rm='del';
+
+# C compiler stuff
+$cc='bcc32';
+$lflags="-ap -Tpe -x -Gn ";
+$mlflags='';
+
+$out_def="out32";
+$tmp_def="tmp32";
+$inc_def="inc32";
+#enable max error messages, disable most common warnings
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DWINDOWS -DWIN32 -DL_ENDIAN ";
+if ($debug)
+{
+    $cflags.="-Od -y -v -vi- -D_DEBUG";
+    $mlflags.=' ';
+}
+else
+{
+    $cflags.="-O2 -ff -fp";
+}
+
+$obj='.obj';
+$ofile="-o";
+
+# EXE linking stuff
+$link="ilink32";
+$efile="";
+$exep='.exe';
+if ($no_sock)
+	{ $ex_libs=""; }
+else	{ $ex_libs="cw32mt.lib import32.lib"; }
+
+# static library stuff
+$mklib='tlib /P64';
+$ranlib='';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='';
+
+$shlib_ex_obj="";
+$app_ex_obj="c0x32.obj"; 
+
+$asm='n_o_T_a_s_m';
+$asm.=" /Zi" if $debug;
+$afile='/Fo';
+
+$bn_mulw_obj='';
+$bn_mulw_src='';
+$des_enc_obj='';
+$des_enc_src='';
+$bf_enc_obj='';
+$bf_enc_src='';
+
+if (!$no_asm)
+	{
+	$bn_mulw_obj='crypto\bn\asm\bn-win32.obj';
+	$bn_mulw_src='crypto\bn\asm\bn-win32.asm';
+	$des_enc_obj='crypto\des\asm\d-win32.obj crypto\des\asm\y-win32.obj';
+	$des_enc_src='crypto\des\asm\d-win32.asm crypto\des\asm\y-win32.asm';
+	$bf_enc_obj='crypto\bf\asm\b-win32.obj';
+	$bf_enc_src='crypto\bf\asm\b-win32.asm';
+	$cast_enc_obj='crypto\cast\asm\c-win32.obj';
+	$cast_enc_src='crypto\cast\asm\c-win32.asm';
+	$rc4_enc_obj='crypto\rc4\asm\r4-win32.obj';
+	$rc4_enc_src='crypto\rc4\asm\r4-win32.asm';
+	$rc5_enc_obj='crypto\rc5\asm\r5-win32.obj';
+	$rc5_enc_src='crypto\rc5\asm\r5-win32.asm';
+	$md5_asm_obj='crypto\md5\asm\m5-win32.obj';
+	$md5_asm_src='crypto\md5\asm\m5-win32.asm';
+	$sha1_asm_obj='crypto\sha\asm\s1-win32.obj';
+	$sha1_asm_src='crypto\sha\asm\s1-win32.asm';
+	$rmd160_asm_obj='crypto\ripemd\asm\rm-win32.obj';
+	$rmd160_asm_src='crypto\ripemd\asm\rm-win32.asm';
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
+	}
+
+if ($shlib)
+	{
+	$mlflags.=" $lflags /dll";
+#	$cflags =~ s| /MD| /MT|;
+	$lib_cflag=" /GD -D_WINDLL -D_DLL";
+	$out_def="out32dll";
+	$tmp_def="tmp32dll";
+	}
+
+sub do_lib_rule
+	{
+	local($objs,$target,$name,$shlib)=@_;
+	local($ret,$Name);
+
+	$taget =~ s/\//$o/g if $o ne '/';
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+#	$target="\$(LIB_D)$o$target";
+	$ret.="$target: $objs\n";
+	if (!$shlib)
+		{
+		#		$ret.="\t\$(RM) \$(O_$Name)\n";
+		$ret.="\techo LIB $<\n";    
+                $ret.="\t&\$(MKLIB) $lfile$target -+\$**\n";
+		}
+	else
+		{
+		local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
+		$ex.=' wsock32.lib gdi32.lib';
+		$ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+		}
+	$ret.="\n";
+	return($ret);
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($targer);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n";
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl
new file mode 100644
index 0000000..2d33c91
--- /dev/null
+++ b/crypto/openssl/util/pl/Mingw32.pl
@@ -0,0 +1,80 @@
+#!/usr/local/bin/perl
+#
+# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+# $FreeBSD$
+#
+
+$o='/';
+$cp='cp';
+$rm='rem'; # use 'rm -f' if using GNU file utilities
+$mkdir='gmkdir';
+
+# gcc wouldn't accept backslashes in paths
+#$o='\\';
+#$cp='copy';
+#$rm='del';
+
+# C compiler stuff
+
+$cc='gcc';
+if ($debug)
+	{ $cflags="-g2 -ggdb"; }
+else
+	{ $cflags="-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall"; }
+
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS}';
+$efile='-o ';
+$exep='';
+$ex_libs="-lwsock32 -lgdi32";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib='ranlib';
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+sub do_lib_rule
+	{
+	local($obj,$target,$name,$shlib)=@_;
+	local($ret,$_,$Name);
+
+	$target =~ s/\//$o/g if $o ne '/';
+	$target="$target";
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+	$ret.="$target: \$(${Name}OBJ)\n";
+	$ret.="\t\$(RM) $target\n";
+	$ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+	$ret.="\t\$(RANLIB) $target\n\n";
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($target);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+	return($ret);
+	}
+1;
+
diff --git a/crypto/openssl/util/pl/Mingw32f.pl b/crypto/openssl/util/pl/Mingw32f.pl
new file mode 100644
index 0000000..a53c537
--- /dev/null
+++ b/crypto/openssl/util/pl/Mingw32f.pl
@@ -0,0 +1,73 @@
+#!/usr/local/bin/perl
+#
+# Mingw32f.pl -- copy files; Mingw32.pl is needed to do the compiling. 
+#
+
+$o='\\';
+$cp='copy';
+$rm='del';
+
+# C compiler stuff
+
+$cc='gcc';
+if ($debug)
+	{ $cflags="-g2 -ggdb"; }
+else
+	{ $cflags="-O3 -fomit-frame-pointer"; }
+
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS}';
+$efile='-o ';
+$exep='';
+$ex_libs="-lwsock32 -lgdi32";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib='ranlib';
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+sub do_lib_rule
+	{
+	local($obj,$target,$name,$shlib)=@_;
+	local($ret,$_,$Name);
+
+	$target =~ s/\//$o/g if $o ne '/';
+	$target="$target";
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+	$ret.="$target: \$(${Name}OBJ)\n";
+	$ret.="\t\$(RM) $target\n";
+	$ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+	$ret.="\t\$(RANLIB) $target\n\n";
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($target);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+	return($ret);
+	}
+1;
+
diff --git a/crypto/openssl/util/pl/VC-16.pl b/crypto/openssl/util/pl/VC-16.pl
new file mode 100644
index 0000000..a5079d4
--- /dev/null
+++ b/crypto/openssl/util/pl/VC-16.pl
@@ -0,0 +1,173 @@
+#!/usr/local/bin/perl
+# VCw16lib.pl - the file for Visual C++ 1.52b for windows, static libraries
+#
+
+$ssl=	"ssleay16";
+$crypto="libeay16";
+$RSAref="RSAref16";
+
+$o='\\';
+$cp='copy';
+$rm='del';
+
+# C compiler stuff
+$cc='cl';
+
+$out_def="out16";
+$tmp_def="tmp16";
+$inc_def="inc16";
+
+if ($debug)
+	{
+	$op="/Od /Zi /Zd";
+	$base_lflags="/CO";
+	}
+else	{
+	$op="/G2 /f- /Ocgnotb2";
+	}
+$base_lflags.=" /FARCALL /NOLOGO /NOD /SEG:1024 /ONERROR:NOEXE /NOE /PACKC:60000";
+if ($win16) { $base_lflags.=" /PACKD:60000"; }
+
+$cflags="/ALw /Gx- /Gt256 /Gf $op /W3 /WX -DL_ENDIAN /nologo";
+# I add the stack opt
+$lflags="$base_lflags /STACK:20000";
+
+if ($win16)
+	{
+	$cflags.=" -DWINDOWS -DWIN16";
+	$app_cflag="/Gw /FPi87";
+	$lib_cflag="/Gw";
+	$lib_cflag.=" -D_WINDLL -D_DLL" if $shlib;
+	$lib_cflag.=" -DWIN16TTY" if !$shlib;
+	$lflags.=" /ALIGN:256";
+	$ex_libs.="oldnames llibcewq libw";
+	}
+else
+	{
+	$no_sock=1;
+	$cflags.=" -DMSDOS";
+	$lflags.=" /EXEPACK";
+	$ex_libs.="oldnames.lib llibce.lib";
+	}
+
+if ($shlib)
+	{
+	$mlflags="$base_lflags";
+	$libs="oldnames ldllcew libw";
+	$shlib_ex_obj="";
+#	$no_asm=1;
+	$out_def="out16dll";
+	$tmp_def="tmp16dll";
+	}
+else
+	{ $mlflags=''; }
+
+$app_ex_obj="setargv.obj";
+
+$obj='.obj';
+$ofile="/Fo";
+
+# EXE linking stuff
+$link="link";
+$efile="";
+$exep='.exe';
+$ex_libs.=$no_sock?"":" winsock";
+
+# static library stuff
+$mklib='lib /PAGESIZE:1024';
+$ranlib='';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='';
+
+$asm='ml /Cp /c /Cx';
+$afile='/Fo';
+
+$bn_asm_obj='';
+$bn_asm_src='';
+$des_enc_obj='';
+$des_enc_src='';
+$bf_enc_obj='';
+$bf_enc_src='';
+
+if (!$no_asm)
+	{
+	if ($asmbits == 32)
+		{
+		$bn_asm_obj='crypto\bn\asm\x86w32.obj';
+		$bn_asm_src='crypto\bn\asm\x86w32.asm';
+		}
+	else
+		{
+		$bn_asm_obj='crypto\bn\asm\x86w16.obj';
+		$bn_asm_src='crypto\bn\asm\x86w16.asm';
+		}
+	}
+
+sub do_lib_rule
+	{
+	local($objs,$target,$name,$shlib)=@_;
+	local($ret,$Name);
+
+	$taget =~ s/\//$o/g if $o ne '/';
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+#	$target="\$(LIB_D)$o$target";
+	$ret.="$target: $objs\n";
+#	$ret.="\t\$(RM) \$(O_$Name)\n";
+
+	# Due to a pathetic line length limit, I unwrap the args.
+	local($lib_names)="";
+	local($dll_names)="  \$(SHLIB_EX_OBJ) +\n";
+	($obj)= ($objs =~ /\((.*)\)/);
+	foreach $_ (sort split(/\s+/,$Vars{$obj}))
+		{
+		$lib_names.="+$_ &\n";
+		$dll_names.="  $_ +\n";
+		}
+
+	if (!$shlib)
+		{
+		$ret.="\tdel $target\n";
+		$ret.="\t\$(MKLIB) @<<\n$target\ny\n$lib_names\n\n<<\n";
+		}
+	else
+		{
+		local($ex)=($target =~ /O_SSL/)?'$(L_CRYPTO)':"";
+		$ex.=' winsock';
+		$ret.="\t\$(LINK) \$(MLFLAGS) @<<\n";
+		$ret.=$dll_names;
+		$ret.="\n  $target\n\n  $ex $libs\nms$o${name}.def;\n<<\n";
+		($out_lib=$target) =~ s/O_/L_/;
+		$ret.="\timplib /noignorecase /nowep $out_lib $target\n";
+		}
+	$ret.="\n";
+	return($ret);
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$f,$_,@f);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($targer);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="  \$(LINK) \$(LFLAGS) @<<\n";
+	
+	# Due to a pathetic line length limit, I have to unwrap the args.
+	if ($files =~ /\(([^)]*)\)$/)
+		{
+		@a=('$(APP_EX_OBJ)');
+		push(@a,sort split(/\s+/,$Vars{$1}));
+		for $_ (@a)
+			{ $ret.="  $_ +\n"; }
+		}
+	else
+		{ $ret.="  \$(APP_EX_OBJ) $files"; }
+	$ret.="\n  $target\n\n  $libs\n\n<<\n\n";
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/VC-32.pl b/crypto/openssl/util/pl/VC-32.pl
new file mode 100644
index 0000000..046f0e2
--- /dev/null
+++ b/crypto/openssl/util/pl/VC-32.pl
@@ -0,0 +1,140 @@
+#!/usr/local/bin/perl
+# VCw32lib.pl - the file for Visual C++ 4.[01] for windows NT, static libraries
+#
+
+$ssl=	"ssleay32";
+$crypto="libeay32";
+$RSAref="RSAref32";
+
+$o='\\';
+$cp='copy nul+';	# Timestamps get stuffed otherwise
+$rm='del';
+
+# C compiler stuff
+$cc='cl';
+$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN';
+$lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
+$mlflags='';
+
+$out_def="out32";
+$tmp_def="tmp32";
+$inc_def="inc32";
+
+if ($debug)
+	{
+	$cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG";
+	$lflags.=" /debug";
+	$mlflags.=' /debug';
+	}
+$cflags .= " -DWINNT" if $NT == 1;
+
+$obj='.obj';
+$ofile="/Fo";
+
+# EXE linking stuff
+$link="link";
+$efile="/out:";
+$exep='.exe';
+if ($no_sock)
+	{ $ex_libs=""; }
+else	{ $ex_libs="wsock32.lib user32.lib gdi32.lib"; }
+
+# static library stuff
+$mklib='lib';
+$ranlib='';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='/out:';
+
+$shlib_ex_obj="";
+$app_ex_obj="setargv.obj";
+if ($nasm) {
+	$asm='nasmw -f win32';
+	$afile='-o ';
+} else {
+	$asm='ml /Cp /coff /c /Cx';
+	$asm.=" /Zi" if $debug;
+	$afile='/Fo';
+}
+
+$bn_asm_obj='';
+$bn_asm_src='';
+$des_enc_obj='';
+$des_enc_src='';
+$bf_enc_obj='';
+$bf_enc_src='';
+
+if (!$no_asm)
+	{
+	$bn_asm_obj='crypto\bn\asm\bn-win32.obj';
+	$bn_asm_src='crypto\bn\asm\bn-win32.asm';
+	$des_enc_obj='crypto\des\asm\d-win32.obj crypto\des\asm\y-win32.obj';
+	$des_enc_src='crypto\des\asm\d-win32.asm crypto\des\asm\y-win32.asm';
+	$bf_enc_obj='crypto\bf\asm\b-win32.obj';
+	$bf_enc_src='crypto\bf\asm\b-win32.asm';
+	$cast_enc_obj='crypto\cast\asm\c-win32.obj';
+	$cast_enc_src='crypto\cast\asm\c-win32.asm';
+	$rc4_enc_obj='crypto\rc4\asm\r4-win32.obj';
+	$rc4_enc_src='crypto\rc4\asm\r4-win32.asm';
+	$rc5_enc_obj='crypto\rc5\asm\r5-win32.obj';
+	$rc5_enc_src='crypto\rc5\asm\r5-win32.asm';
+	$md5_asm_obj='crypto\md5\asm\m5-win32.obj';
+	$md5_asm_src='crypto\md5\asm\m5-win32.asm';
+	$sha1_asm_obj='crypto\sha\asm\s1-win32.obj';
+	$sha1_asm_src='crypto\sha\asm\s1-win32.asm';
+	$rmd160_asm_obj='crypto\ripemd\asm\rm-win32.obj';
+	$rmd160_asm_src='crypto\ripemd\asm\rm-win32.asm';
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
+	}
+
+if ($shlib)
+	{
+	$mlflags.=" $lflags /dll";
+#	$cflags =~ s| /MD| /MT|;
+	$lib_cflag=" /GD -D_WINDLL -D_DLL";
+	$out_def="out32dll";
+	$tmp_def="tmp32dll";
+	}
+
+$cflags.=" /Fd$out_def";
+
+sub do_lib_rule
+	{
+	local($objs,$target,$name,$shlib)=@_;
+	local($ret,$Name);
+
+	$taget =~ s/\//$o/g if $o ne '/';
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+#	$target="\$(LIB_D)$o$target";
+	$ret.="$target: $objs\n";
+	if (!$shlib)
+		{
+#		$ret.="\t\$(RM) \$(O_$Name)\n";
+		$ret.="\t\$(MKLIB) $lfile$target @<<\n  $objs\n<<\n";
+		}
+	else
+		{
+		local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
+		$ex.=' wsock32.lib gdi32.lib advapi32.lib';
+		$ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+		}
+	$ret.="\n";
+	return($ret);
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($targer);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
+	$ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n\n";
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/linux.pl b/crypto/openssl/util/pl/linux.pl
new file mode 100644
index 0000000..a8cfdc5
--- /dev/null
+++ b/crypto/openssl/util/pl/linux.pl
@@ -0,0 +1,100 @@
+#!/usr/local/bin/perl
+#
+# linux.pl - the standard unix makefile stuff.
+#
+
+$o='/';
+$cp='/bin/cp';
+$rm='/bin/rm -f';
+
+# C compiler stuff
+
+$cc='gcc';
+if ($debug)
+	{ $cflags="-g2 -ggdb -DREF_CHECK -DCRYPTO_MDEBUG"; }
+else
+	{ $cflags="-O3 -fomit-frame-pointer"; }
+
+if (!$no_asm)
+	{
+	$bn_asm_obj='$(OBJ_D)/bn86-elf.o';
+	$bn_asm_src='crypto/bn/asm/bn86unix.cpp';
+	$des_enc_obj='$(OBJ_D)/dx86-elf.o $(OBJ_D)/yx86-elf.o';
+	$des_enc_src='crypto/des/asm/dx86unix.cpp crypto/des/asm/yx86unix.cpp';
+	$bf_enc_obj='$(OBJ_D)/bx86-elf.o';
+	$bf_enc_src='crypto/bf/asm/bx86unix.cpp';
+	$cast_enc_obj='$(OBJ_D)/cx86-elf.o';
+	$cast_enc_src='crypto/cast/asm/cx86unix.cpp';
+	$rc4_enc_obj='$(OBJ_D)/rx86-elf.o';
+	$rc4_enc_src='crypto/rc4/asm/rx86unix.cpp';
+	$rc5_enc_obj='$(OBJ_D)/r586-elf.o';
+	$rc5_enc_src='crypto/rc5/asm/r586unix.cpp';
+	$md5_asm_obj='$(OBJ_D)/mx86-elf.o';
+	$md5_asm_src='crypto/md5/asm/mx86unix.cpp';
+	$rmd160_asm_obj='$(OBJ_D)/rm86-elf.o';
+	$rmd160_asm_src='crypto/ripemd/asm/rm86unix.cpp';
+	$sha1_asm_obj='$(OBJ_D)/sx86-elf.o';
+	$sha1_asm_src='crypto/sha/asm/sx86unix.cpp';
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
+	}
+
+$cflags.=" -DTERMIO -DL_ENDIAN -m486 -Wall";
+
+if ($shlib)
+	{
+	$shl_cflag=" -DPIC -fpic";
+	$shlibp=".so.$ssl_version";
+	$so_shlibp=".so";
+	}
+
+sub do_shlib_rule
+	{
+	local($obj,$target,$name,$shlib,$so_name)=@_;
+	local($ret,$_,$Name);
+
+	$target =~ s/\//$o/g if $o ne '/';
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+	$ret.="$target: \$(${Name}OBJ)\n";
+	$ret.="\t\$(RM) target\n";
+	$ret.="\tgcc \${CFLAGS} -shared -Wl,-soname,$target -o $target \$(${Name}OBJ)\n";
+	($t=$target) =~ s/(^.*)\/[^\/]*$/$1/;
+	if ($so_name ne "")
+		{
+		$ret.="\t\$(RM) \$(LIB_D)$o$so_name\n";
+		$ret.="\tln -s $target \$(LIB_D)$o$so_name\n\n";
+		}
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($target);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+	return($ret);
+	}
+
+sub do_asm_rule
+	{
+	local($target,$src)=@_;
+	local($ret,@s,@t,$i);
+
+	$target =~ s/\//$o/g if $o ne "/";
+	$src =~ s/\//$o/g if $o ne "/";
+
+	@s=split(/\s+/,$src);
+	@t=split(/\s+/,$target);
+
+	for ($i=0; $i<=$#s; $i++)
+		{
+		$ret.="$t[$i]: $s[$i]\n";
+		$ret.="\tgcc -E -DELF \$(SRC_D)$o$s[$i]|\$(AS) $afile$t[$i]\n\n";
+		}
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/ultrix.pl b/crypto/openssl/util/pl/ultrix.pl
new file mode 100644
index 0000000..ea370c7
--- /dev/null
+++ b/crypto/openssl/util/pl/ultrix.pl
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl
+#
+# linux.pl - the standard unix makefile stuff.
+#
+
+$o='/';
+$cp='/bin/cp';
+$rm='/bin/rm -f';
+
+# C compiler stuff
+
+$cc='cc';
+if ($debug)
+	{ $cflags="-g -DREF_CHECK -DCRYPTO_MDEBUG"; }
+else
+	{ $cflags="-O2"; }
+
+$cflags.=" -std1 -DL_ENDIAN";
+
+if (!$no_asm)
+	{
+	$bn_asm_obj='$(OBJ_D)/mips1.o';
+	$bn_asm_src='crypto/bn/asm/mips1.s';
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($target);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+	return($ret);
+	}
+
+1;
diff --git a/crypto/openssl/util/pl/unix.pl b/crypto/openssl/util/pl/unix.pl
new file mode 100644
index 0000000..146611a
--- /dev/null
+++ b/crypto/openssl/util/pl/unix.pl
@@ -0,0 +1,96 @@
+#!/usr/local/bin/perl
+#
+# unix.pl - the standard unix makefile stuff.
+#
+
+$o='/';
+$cp='/bin/cp';
+$rm='/bin/rm -f';
+
+# C compiler stuff
+
+if ($gcc)
+	{
+	$cc='gcc';
+	if ($debug)
+		{ $cflags="-g2 -ggdb"; }
+	else
+		{ $cflags="-O3 -fomit-frame-pointer"; }
+	}
+else
+	{
+	$cc='cc';
+	if ($debug)
+		{ $cflags="-g"; }
+	else
+		{ $cflags="-O"; }
+	}
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS}';
+$efile='-o ';
+$exep='';
+$ex_libs="";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib=&which("ranlib") or $ranlib="true";
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+sub do_lib_rule
+	{
+	local($obj,$target,$name,$shlib)=@_;
+	local($ret,$_,$Name);
+
+	$target =~ s/\//$o/g if $o ne '/';
+	$target="$target";
+	($Name=$name) =~ tr/a-z/A-Z/;
+
+	$ret.="$target: \$(${Name}OBJ)\n";
+	$ret.="\t\$(RM) $target\n";
+	$ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+	$ret.="\t\$(RANLIB) $target\n\n";
+	}
+
+sub do_link_rule
+	{
+	local($target,$files,$dep_libs,$libs)=@_;
+	local($ret,$_);
+	
+	$file =~ s/\//$o/g if $o ne '/';
+	$n=&bname($target);
+	$ret.="$target: $files $dep_libs\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+	return($ret);
+	}
+
+sub which
+	{
+	my ($name)=@_;
+	my $path;
+	foreach $path (split /:/, $ENV{PATH})
+		{
+		if (-x "$path/$name")
+			{
+			return "$path/$name";
+			}
+		}
+	}
+
+1;
diff --git a/crypto/openssl/util/pod2man.pl b/crypto/openssl/util/pod2man.pl
new file mode 100755
index 0000000..f5ec076
--- /dev/null
+++ b/crypto/openssl/util/pod2man.pl
@@ -0,0 +1,1181 @@
+: #!/usr/bin/perl-5.005
+    eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
+	if $running_under_some_shell;
+
+$DEF_PM_SECTION = '3pm' || '3';
+
+=head1 NAME
+
+pod2man - translate embedded Perl pod directives into man pages
+
+=head1 SYNOPSIS
+
+B<pod2man>
+[ B<--section=>I<manext> ]
+[ B<--release=>I<relpatch> ]
+[ B<--center=>I<string> ]
+[ B<--date=>I<string> ]
+[ B<--fixed=>I<font> ]
+[ B<--official> ]
+[ B<--lax> ]
+I<inputfile>
+
+=head1 DESCRIPTION
+
+B<pod2man> converts its input file containing embedded pod directives (see
+L<perlpod>) into nroff source suitable for viewing with nroff(1) or
+troff(1) using the man(7) macro set.
+
+Besides the obvious pod conversions, B<pod2man> also takes care of
+func(), func(n), and simple variable references like $foo or @bar so
+you don't have to use code escapes for them; complex expressions like
+C<$fred{'stuff'}> will still need to be escaped, though.  Other nagging
+little roffish things that it catches include translating the minus in
+something like foo-bar, making a long dash--like this--into a real em
+dash, fixing up "paired quotes", putting a little space after the
+parens in something like func(), making C++ and PI look right, making
+double underbars have a little tiny space between them, making ALLCAPS
+a teeny bit smaller in troff(1), and escaping backslashes so you don't
+have to.
+
+=head1 OPTIONS
+
+=over 8
+
+=item center
+
+Set the centered header to a specific string.  The default is
+"User Contributed Perl Documentation", unless the C<--official> flag is
+given, in which case the default is "Perl Programmers Reference Guide".
+
+=item date
+
+Set the left-hand footer string to this value.  By default,
+the modification date of the input file will be used.
+
+=item fixed
+
+The fixed font to use for code refs.  Defaults to CW.
+
+=item official
+
+Set the default header to indicate that this page is of
+the standard release in case C<--center> is not given.
+
+=item release
+
+Set the centered footer.  By default, this is the current
+perl release.
+
+=item section
+
+Set the section for the C<.TH> macro.  The standard conventions on
+sections are to use 1 for user commands,  2 for system calls, 3 for
+functions, 4 for devices, 5 for file formats, 6 for games, 7 for
+miscellaneous information, and 8 for administrator commands.  This works
+best if you put your Perl man pages in a separate tree, like
+F</usr/local/perl/man/>.  By default, section 1 will be used
+unless the file ends in F<.pm> in which case section 3 will be selected.
+
+=item lax
+
+Don't complain when required sections aren't present.
+
+=back
+
+=head1 Anatomy of a Proper Man Page
+
+For those not sure of the proper layout of a man page, here's
+an example of the skeleton of a proper man page.  Head of the
+major headers should be setout as a C<=head1> directive, and
+are historically written in the rather startling ALL UPPER CASE
+format, although this is not mandatory.
+Minor headers may be included using C<=head2>, and are
+typically in mixed case.
+
+=over 10
+
+=item NAME
+
+Mandatory section; should be a comma-separated list of programs or
+functions documented by this podpage, such as:
+
+    foo, bar - programs to do something
+
+=item SYNOPSIS
+
+A short usage summary for programs and functions, which
+may someday be deemed mandatory.
+
+=item DESCRIPTION
+
+Long drawn out discussion of the program.  It's a good idea to break this
+up into subsections using the C<=head2> directives, like
+
+    =head2 A Sample Subection
+
+    =head2 Yet Another Sample Subection
+
+=item OPTIONS
+
+Some people make this separate from the description.
+
+=item RETURN VALUE
+
+What the program or function returns if successful.
+
+=item ERRORS
+
+Exceptions, return codes, exit stati, and errno settings.
+
+=item EXAMPLES
+
+Give some example uses of the program.
+
+=item ENVIRONMENT
+
+Envariables this program might care about.
+
+=item FILES
+
+All files used by the program.  You should probably use the FE<lt>E<gt>
+for these.
+
+=item SEE ALSO
+
+Other man pages to check out, like man(1), man(7), makewhatis(8), or catman(8).
+
+=item NOTES
+
+Miscellaneous commentary.
+
+=item CAVEATS
+
+Things to take special care with; sometimes called WARNINGS.
+
+=item DIAGNOSTICS
+
+All possible messages the program can print out--and
+what they mean.
+
+=item BUGS
+
+Things that are broken or just don't work quite right.
+
+=item RESTRICTIONS
+
+Bugs you don't plan to fix :-)
+
+=item AUTHOR
+
+Who wrote it (or AUTHORS if multiple).
+
+=item HISTORY
+
+Programs derived from other sources sometimes have this, or
+you might keep a modification log here.
+
+=back
+
+=head1 EXAMPLES
+
+    pod2man program > program.1
+    pod2man some_module.pm > /usr/perl/man/man3/some_module.3
+    pod2man --section=7 note.pod > note.7
+
+=head1 DIAGNOSTICS
+
+The following diagnostics are generated by B<pod2man>.  Items
+marked "(W)" are non-fatal, whereas the "(F)" errors will cause
+B<pod2man> to immediately exit with a non-zero status.
+
+=over 4
+
+=item bad option in paragraph %d of %s: ``%s'' should be [%s]<%s>
+
+(W) If you start include an option, you should set it off
+as bold, italic, or code.
+
+=item can't open %s: %s
+
+(F) The input file wasn't available for the given reason.
+
+=item Improper man page - no dash in NAME header in paragraph %d of %s
+
+(W) The NAME header did not have an isolated dash in it.  This is
+considered important.
+
+=item Invalid man page - no NAME line in %s
+
+(F) You did not include a NAME header, which is essential.
+
+=item roff font should be 1 or 2 chars, not `%s'  (F)
+
+(F) The font specified with the C<--fixed> option was not
+a one- or two-digit roff font.
+
+=item %s is missing required section: %s
+
+(W) Required sections include NAME, DESCRIPTION, and if you're
+using a section starting with a 3, also a SYNOPSIS.  Actually,
+not having a NAME is a fatal.
+
+=item Unknown escape: %s in %s
+
+(W) An unknown HTML entity (probably for an 8-bit character) was given via
+a C<EE<lt>E<gt>> directive.  Besides amp, lt, gt, and quot, recognized
+entities are Aacute, aacute, Acirc, acirc, AElig, aelig, Agrave, agrave,
+Aring, aring, Atilde, atilde, Auml, auml, Ccedil, ccedil, Eacute, eacute,
+Ecirc, ecirc, Egrave, egrave, ETH, eth, Euml, euml, Iacute, iacute, Icirc,
+icirc, Igrave, igrave, Iuml, iuml, Ntilde, ntilde, Oacute, oacute, Ocirc,
+ocirc, Ograve, ograve, Oslash, oslash, Otilde, otilde, Ouml, ouml, szlig,
+THORN, thorn, Uacute, uacute, Ucirc, ucirc, Ugrave, ugrave, Uuml, uuml,
+Yacute, yacute, and yuml.
+
+=item Unmatched =back
+
+(W) You have a C<=back> without a corresponding C<=over>.
+
+=item Unrecognized pod directive: %s
+
+(W) You specified a pod directive that isn't in the known list of
+C<=head1>, C<=head2>, C<=item>, C<=over>, C<=back>, or C<=cut>.
+
+
+=back
+
+=head1 NOTES
+
+If you would like to print out a lot of man page continuously, you
+probably want to set the C and D registers to set contiguous page
+numbering and even/odd paging, at least on some versions of man(7).
+Settting the F register will get you some additional experimental
+indexing:
+
+    troff -man -rC1 -rD1 -rF1 perl.1 perldata.1 perlsyn.1 ...
+
+The indexing merely outputs messages via C<.tm> for each
+major page, section, subsection, item, and any C<XE<lt>E<gt>>
+directives.
+
+
+=head1 RESTRICTIONS
+
+None at this time.
+
+=head1 BUGS
+
+The =over and =back directives don't really work right.  They
+take absolute positions instead of offsets, don't nest well, and
+making people count is suboptimal in any event.
+
+=head1 AUTHORS
+
+Original prototype by Larry Wall, but so massively hacked over by
+Tom Christiansen such that Larry probably doesn't recognize it anymore.
+
+=cut
+
+$/ = "";
+$cutting = 1;
+@Indices = ();
+
+# We try first to get the version number from a local binary, in case we're
+# running an installed version of Perl to produce documentation from an
+# uninstalled newer version's pod files.
+if ($^O ne 'plan9' and $^O ne 'dos' and $^O ne 'os2' and $^O ne 'MSWin32') {
+  my $perl = (-x './perl' && -f './perl' ) ?
+                 './perl' :
+                 ((-x '../perl' && -f '../perl') ?
+                      '../perl' :
+                      '');
+  ($version,$patch) = `$perl -e 'print $]'` =~ /^(\d\.\d{3})(\d{2})?/ if $perl;
+}
+# No luck; we'll just go with the running Perl's version
+($version,$patch) = $] =~ /^(.{5})(\d{2})?/ unless $version;
+$DEF_RELEASE  = "perl $version";
+$DEF_RELEASE .= ", patch $patch" if $patch;
+
+
+sub makedate {
+    my $secs = shift;
+    my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($secs);
+    my $mname = (qw{Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec})[$mon];
+    $year += 1900;
+    return "$mday/$mname/$year";
+}
+
+use Getopt::Long;
+
+$DEF_SECTION = 1;
+$DEF_CENTER = "User Contributed Perl Documentation";
+$STD_CENTER = "Perl Programmers Reference Guide";
+$DEF_FIXED = 'CW';
+$DEF_LAX = 0;
+
+sub usage {
+    warn "$0: @_\n" if @_;
+    die <<EOF;
+usage: $0 [options] podpage
+Options are:
+	--section=manext      (default "$DEF_SECTION")
+	--release=relpatch    (default "$DEF_RELEASE")
+	--center=string       (default "$DEF_CENTER")
+	--date=string         (default "$DEF_DATE")
+	--fixed=font	      (default "$DEF_FIXED")
+	--official	      (default NOT)
+	--lax                 (default NOT)
+EOF
+}
+
+$uok = GetOptions( qw(
+	section=s
+	release=s
+	center=s
+	date=s
+	fixed=s
+	official
+	lax
+	help));
+
+$DEF_DATE = makedate((stat($ARGV[0]))[9] || time());
+
+usage("Usage error!") unless $uok;
+usage() if $opt_help;
+usage("Need one and only one podpage argument") unless @ARGV == 1;
+
+$section = $opt_section || ($ARGV[0] =~ /\.pm$/
+				? $DEF_PM_SECTION : $DEF_SECTION);
+$RP = $opt_release || $DEF_RELEASE;
+$center = $opt_center || ($opt_official ? $STD_CENTER : $DEF_CENTER);
+$lax = $opt_lax || $DEF_LAX;
+
+$CFont = $opt_fixed || $DEF_FIXED;
+
+if (length($CFont) == 2) {
+    $CFont_embed = "\\f($CFont";
+}
+elsif (length($CFont) == 1) {
+    $CFont_embed = "\\f$CFont";
+}
+else {
+    die "roff font should be 1 or 2 chars, not `$CFont_embed'";
+}
+
+$date = $opt_date || $DEF_DATE;
+
+for (qw{NAME DESCRIPTION}) {
+# for (qw{NAME DESCRIPTION AUTHOR}) {
+    $wanna_see{$_}++;
+}
+$wanna_see{SYNOPSIS}++ if $section =~ /^3/;
+
+
+$name = @ARGV ? $ARGV[0] : "<STDIN>";
+$Filename = $name;
+if ($section =~ /^1/) {
+    require File::Basename;
+    $name = uc File::Basename::basename($name);
+}
+$name =~ s/\.(pod|p[lm])$//i;
+
+# Lose everything up to the first of
+#     */lib/*perl*	standard or site_perl module
+#     */*perl*/lib	from -D prefix=/opt/perl
+#     */*perl*/		random module hierarchy
+# which works.
+$name =~ s-//+-/-g;
+if ($name =~ s-^.*?/lib/[^/]*perl[^/]*/--i
+	or $name =~ s-^.*?/[^/]*perl[^/]*/lib/--i
+	or $name =~ s-^.*?/[^/]*perl[^/]*/--i) {
+    # Lose ^site(_perl)?/.
+    $name =~ s-^site(_perl)?/--;
+    # Lose ^arch/.	(XXX should we use Config? Just for archname?)
+    $name =~ s~^(.*-$^O|$^O-.*)/~~o;
+    # Lose ^version/.
+    $name =~ s-^\d+\.\d+/--;
+}
+
+# Translate Getopt/Long to Getopt::Long, etc.
+$name =~ s(/)(::)g;
+
+if ($name ne 'something') {
+    FCHECK: {
+	open(F, "< $ARGV[0]") || die "can't open $ARGV[0]: $!";
+	while (<F>) {
+	    next unless /^=\b/;
+	    if (/^=head1\s+NAME\s*$/) {  # an /m would forgive mistakes
+		$_ = <F>;
+		unless (/\s*-+\s+/) {
+		    $oops++;
+		    warn "$0: Improper man page - no dash in NAME header in paragraph $. of $ARGV[0]\n"
+                } else {
+		    my @n = split /\s+-+\s+/;
+		    if (@n != 2) {
+			$oops++;
+			warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n"
+		    }
+		    else {
+			%namedesc = @n;
+		    }
+		}
+		last FCHECK;
+	    }
+	    next if /^=cut\b/;	# DB_File and Net::Ping have =cut before NAME
+	    next if /^=pod\b/;  # It is OK to have =pod before NAME
+	    die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax;
+	}
+	die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax;
+    }
+    close F;
+}
+
+print <<"END";
+.rn '' }`
+''' \$RCSfile\$\$Revision\$\$Date\$
+'''
+''' \$Log\$
+'''
+.de Sh
+.br
+.if t .Sp
+.ne 5
+.PP
+\\fB\\\\\$1\\fR
+.PP
+..
+.de Sp
+.if t .sp .5v
+.if n .sp
+..
+.de Ip
+.br
+.ie \\\\n(.\$>=3 .ne \\\\\$3
+.el .ne 3
+.IP "\\\\\$1" \\\\\$2
+..
+.de Vb
+.ft $CFont
+.nf
+.ne \\\\\$1
+..
+.de Ve
+.ft R
+
+.fi
+..
+'''
+'''
+'''     Set up \\*(-- to give an unbreakable dash;
+'''     string Tr holds user defined translation string.
+'''     Bell System Logo is used as a dummy character.
+'''
+.tr \\(*W-|\\(bv\\*(Tr
+.ie n \\{\\
+.ds -- \\(*W-
+.ds PI pi
+.if (\\n(.H=4u)&(1m=24u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-12u'-\\" diablo 10 pitch
+.if (\\n(.H=4u)&(1m=20u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-8u'-\\" diablo 12 pitch
+.ds L" ""
+.ds R" ""
+'''   \\*(M", \\*(S", \\*(N" and \\*(T" are the equivalent of
+'''   \\*(L" and \\*(R", except that they are used on ".xx" lines,
+'''   such as .IP and .SH, which do another additional levels of
+'''   double-quote interpretation
+.ds M" """
+.ds S" """
+.ds N" """""
+.ds T" """""
+.ds L' '
+.ds R' '
+.ds M' '
+.ds S' '
+.ds N' '
+.ds T' '
+'br\\}
+.el\\{\\
+.ds -- \\(em\\|
+.tr \\*(Tr
+.ds L" ``
+.ds R" ''
+.ds M" ``
+.ds S" ''
+.ds N" ``
+.ds T" ''
+.ds L' `
+.ds R' '
+.ds M' `
+.ds S' '
+.ds N' `
+.ds T' '
+.ds PI \\(*p
+'br\\}
+END
+
+print <<'END';
+.\"	If the F register is turned on, we'll generate
+.\"	index entries out stderr for the following things:
+.\"		TH	Title 
+.\"		SH	Header
+.\"		Sh	Subsection 
+.\"		Ip	Item
+.\"		X<>	Xref  (embedded
+.\"	Of course, you have to process the output yourself
+.\"	in some meaninful fashion.
+.if \nF \{
+.de IX
+.tm Index:\\$1\t\\n%\t"\\$2"
+..
+.nr % 0
+.rr F
+.\}
+END
+
+print <<"END";
+.TH $name $section "$RP" "$date" "$center"
+.UC
+END
+
+push(@Indices, qq{.IX Title "$name $section"});
+
+while (($name, $desc) = each %namedesc) {
+    for ($name, $desc) { s/^\s+//; s/\s+$//; }
+    push(@Indices, qq(.IX Name "$name - $desc"\n));
+}
+
+print <<'END';
+.if n .hy 0
+.if n .na
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.de CQ          \" put $1 in typewriter font
+END
+print ".ft $CFont\n";
+print <<'END';
+'if n "\c
+'if t \\&\\$1\c
+'if n \\&\\$1\c
+'if n \&"
+\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
+'.ft R
+..
+.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
+.	\" AM - accent mark definitions
+.bd B 3
+.	\" fudge factors for nroff and troff
+.if n \{\
+.	ds #H 0
+.	ds #V .8m
+.	ds #F .3m
+.	ds #[ \f1
+.	ds #] \fP
+.\}
+.if t \{\
+.	ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.	ds #V .6m
+.	ds #F 0
+.	ds #[ \&
+.	ds #] \&
+.\}
+.	\" simple accents for nroff and troff
+.if n \{\
+.	ds ' \&
+.	ds ` \&
+.	ds ^ \&
+.	ds , \&
+.	ds ~ ~
+.	ds ? ?
+.	ds ! !
+.	ds /
+.	ds q
+.\}
+.if t \{\
+.	ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.	ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.	ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.	ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.	ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.	ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
+.	ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
+.	ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.	ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
+.\}
+.	\" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
+.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
+.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
+.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.ds oe o\h'-(\w'o'u*4/10)'e
+.ds Oe O\h'-(\w'O'u*4/10)'E
+.	\" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.	\" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.	ds : e
+.	ds 8 ss
+.	ds v \h'-1'\o'\(aa\(ga'
+.	ds _ \h'-1'^
+.	ds . \h'-1'.
+.	ds 3 3
+.	ds o a
+.	ds d- d\h'-1'\(ga
+.	ds D- D\h'-1'\(hy
+.	ds th \o'bp'
+.	ds Th \o'LP'
+.	ds ae ae
+.	ds Ae AE
+.	ds oe oe
+.	ds Oe OE
+.\}
+.rm #[ #] #H #V #F C
+END
+
+$indent = 0;
+
+$begun = "";
+
+# Unrolling [^A-Z>]|[A-Z](?!<) gives:    // MRE pp 165.
+my $nonest = '(?:[^A-Z>]*(?:[A-Z](?!<)[^A-Z>]*)*)';
+
+while (<>) {
+    if ($cutting) {
+	next unless /^=/;
+	$cutting = 0;
+    }
+    if ($begun) {
+	if (/^=end\s+$begun/) {
+            $begun = "";
+	}
+	elsif ($begun =~ /^(roff|man)$/) {
+	    print STDOUT $_;
+        }
+	next;
+    }
+    chomp;
+
+    # Translate verbatim paragraph
+
+    if (/^\s/) {
+	@lines = split(/\n/);
+	for (@lines) {
+	    1 while s
+		{^( [^\t]* ) \t ( \t* ) }
+		{ $1 . ' ' x (8 - (length($1)%8) + 8 * (length($2))) }ex;
+	    s/\\/\\e/g;
+	    s/\A/\\&/s;
+	}
+	$lines = @lines;
+	makespace() unless $verbatim++;
+	print ".Vb $lines\n";
+	print join("\n", @lines), "\n";
+	print ".Ve\n";
+	$needspace = 0;
+	next;
+    }
+
+    $verbatim = 0;
+
+    if (/^=for\s+(\S+)\s*/s) {
+	if ($1 eq "man" or $1 eq "roff") {
+	    print STDOUT $',"\n\n";
+	} else {
+	    # ignore unknown for
+	}
+	next;
+    }
+    elsif (/^=begin\s+(\S+)\s*/s) {
+	$begun = $1;
+	if ($1 eq "man" or $1 eq "roff") {
+	    print STDOUT $'."\n\n";
+	}
+	next;
+    }
+
+    # check for things that'll hosed our noremap scheme; affects $_
+    init_noremap();
+
+    if (!/^=item/) {
+
+	# trofficate backslashes; must do it before what happens below
+	s/\\/noremap('\\e')/ge;
+
+	# protect leading periods and quotes against *roff
+	# mistaking them for directives
+	s/^(?:[A-Z]<)?[.']/\\&$&/gm;
+
+	# first hide the escapes in case we need to
+	# intuit something and get it wrong due to fmting
+
+	1 while s/([A-Z]<$nonest>)/noremap($1)/ge;
+
+	# func() is a reference to a perl function
+	s{
+	    \b
+	    (
+		[:\w]+ \(\)
+	    )
+	} {I<$1>}gx;
+
+	# func(n) is a reference to a perl function or a man page
+	s{
+	    ([:\w]+)
+	    (
+		\( [^\051]+ \)
+	    )
+	} {I<$1>\\|$2}gx;
+
+	# convert simple variable references
+	s/(\s+)([\$\@%][\w:]+)(?!\()/${1}C<$2>/g;
+
+	if (m{ (
+		    [\-\w]+
+		    \(
+			[^\051]*?
+			[\@\$,]
+			[^\051]*?
+		    \)
+		)
+	    }x && $` !~ /([LCI]<[^<>]*|-)$/ && !/^=\w/)
+	{
+	    warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [LCI]<$1>\n";
+	    $oops++;
+	}
+
+	while (/(-[a-zA-Z])\b/g && $` !~ /[\w\-]$/) {
+	    warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [CB]<$1>\n";
+	    $oops++;
+	}
+
+	# put it back so we get the <> processed again;
+	clear_noremap(0); # 0 means leave the E's
+
+    } else {
+	# trofficate backslashes
+	s/\\/noremap('\\e')/ge;
+
+    }
+
+    # need to hide E<> first; they're processed in clear_noremap
+    s/(E<[^<>]+>)/noremap($1)/ge;
+
+
+    $maxnest = 10;
+    while ($maxnest-- && /[A-Z]</) {
+
+	# can't do C font here
+	s/([BI])<($nonest)>/font($1) . $2 . font('R')/eg;
+
+	# files and filelike refs in italics
+	s/F<($nonest)>/I<$1>/g;
+
+	# no break -- usually we want C<> for this
+	s/S<($nonest)>/nobreak($1)/eg;
+
+	# LREF: a la HREF L<show this text|man/section>
+	s:L<([^|>]+)\|[^>]+>:$1:g;
+
+	# LREF: a manpage(3f)
+	s:L<([a-zA-Z][^\s\/]+)(\([^\)]+\))?>:the I<$1>$2 manpage:g;
+
+	# LREF: an =item on another manpage
+	s{
+	    L<
+		([^/]+)
+		/
+		(
+		    [:\w]+
+		    (\(\))?
+		)
+	    >
+	} {the C<$2> entry in the I<$1> manpage}gx;
+
+	# LREF: an =item on this manpage
+	s{
+	   ((?:
+	    L<
+		/
+		(
+		    [:\w]+
+		    (\(\))?
+		)
+	    >
+	    (,?\s+(and\s+)?)?
+	  )+)
+	} { internal_lrefs($1) }gex;
+
+	# LREF: a =head2 (head1?), maybe on a manpage, maybe right here
+	# the "func" can disambiguate
+	s{
+	    L<
+		(?:
+		    ([a-zA-Z]\S+?) /
+		)?
+		"?(.*?)"?
+	    >
+	}{
+	    do {
+		$1 	# if no $1, assume it means on this page.
+		    ?  "the section on I<$2> in the I<$1> manpage"
+		    :  "the section on I<$2>"
+	    }
+	}gesx; # s in case it goes over multiple lines, so . matches \n
+
+	s/Z<>/\\&/g;
+
+	# comes last because not subject to reprocessing
+	s/C<($nonest)>/noremap("${CFont_embed}${1}\\fR")/eg;
+    }
+
+    if (s/^=//) {
+	$needspace = 0;		# Assume this.
+
+	s/\n/ /g;
+
+	($Cmd, $_) = split(' ', $_, 2);
+
+	$dotlevel = 1;
+	if ($Cmd eq 'head1') {
+	   $dotlevel = 1;
+	}
+	elsif ($Cmd eq 'head2') {
+	   $dotlevel = 1;
+	}
+	elsif ($Cmd eq 'item') {
+	   $dotlevel = 2;
+	}
+
+	if (defined $_) {
+	    &escapes($dotlevel);
+	    s/"/""/g;
+	}
+
+	clear_noremap(1);
+
+	if ($Cmd eq 'cut') {
+	    $cutting = 1;
+	}
+	elsif ($Cmd eq 'head1') {
+	    s/\s+$//;
+	    delete $wanna_see{$_} if exists $wanna_see{$_};
+	    print qq{.SH "$_"\n};
+      push(@Indices, qq{.IX Header "$_"\n});
+	}
+	elsif ($Cmd eq 'head2') {
+	    print qq{.Sh "$_"\n};
+      push(@Indices, qq{.IX Subsection "$_"\n});
+	}
+	elsif ($Cmd eq 'over') {
+	    push(@indent,$indent);
+	    $indent += ($_ + 0) || 5;
+	}
+	elsif ($Cmd eq 'back') {
+	    $indent = pop(@indent);
+	    warn "$0: Unmatched =back in paragraph $. of $ARGV\n" unless defined $indent;
+	    $needspace = 1;
+	}
+	elsif ($Cmd eq 'item') {
+	    s/^\*( |$)/\\(bu$1/g;
+	    # if you know how to get ":s please do
+	    s/\\\*\(L"([^"]+?)\\\*\(R"/'$1'/g;
+	    s/\\\*\(L"([^"]+?)""/'$1'/g;
+	    s/[^"]""([^"]+?)""[^"]/'$1'/g;
+	    # here do something about the $" in perlvar?
+	    print STDOUT qq{.Ip "$_" $indent\n};
+      push(@Indices, qq{.IX Item "$_"\n});
+	}
+	elsif ($Cmd eq 'pod') {
+	    # this is just a comment
+	} 
+	else {
+	    warn "$0: Unrecognized pod directive in paragraph $. of $ARGV: $Cmd\n";
+	}
+    }
+    else {
+	if ($needspace) {
+	    &makespace;
+	}
+	&escapes(0);
+	clear_noremap(1);
+	print $_, "\n";
+	$needspace = 1;
+    }
+}
+
+print <<"END";
+
+.rn }` ''
+END
+
+if (%wanna_see && !$lax) {
+    @missing = keys %wanna_see;
+    warn "$0: $Filename is missing required section"
+	.  (@missing > 1 && "s")
+	.  ": @missing\n";
+    $oops++;
+}
+
+foreach (@Indices) { print "$_\n"; }
+
+exit;
+#exit ($oops != 0);
+
+#########################################################################
+
+sub nobreak {
+    my $string = shift;
+    $string =~ s/ /\\ /g;
+    $string;
+}
+
+sub escapes {
+    my $indot = shift;
+
+    s/X<(.*?)>/mkindex($1)/ge;
+
+    # translate the minus in foo-bar into foo\-bar for roff
+    s/([^0-9a-z-])-([^-])/$1\\-$2/g;
+
+    # make -- into the string version \*(-- (defined above)
+    s/\b--\b/\\*(--/g;
+    s/"--([^"])/"\\*(--$1/g;  # should be a better way
+    s/([^"])--"/$1\\*(--"/g;
+
+    # fix up quotes; this is somewhat tricky
+    my $dotmacroL = 'L';
+    my $dotmacroR = 'R';
+    if ( $indot == 1 ) {
+	$dotmacroL = 'M';
+	$dotmacroR = 'S';
+    }  
+    elsif ( $indot >= 2 ) {
+	$dotmacroL = 'N';
+	$dotmacroR = 'T';
+    }  
+    if (!/""/) {
+	s/(^|\s)(['"])/noremap("$1\\*($dotmacroL$2")/ge;
+	s/(['"])($|[\-\s,;\\!?.])/noremap("\\*($dotmacroR$1$2")/ge;
+    }
+
+    #s/(?!")(?:.)--(?!")(?:.)/\\*(--/g;
+    #s/(?:(?!")(?:.)--(?:"))|(?:(?:")--(?!")(?:.))/\\*(--/g;
+
+
+    # make sure that func() keeps a bit a space tween the parens
+    ### s/\b\(\)/\\|()/g;
+    ### s/\b\(\)/(\\|)/g;
+
+    # make C++ into \*C+, which is a squinched version (defined above)
+    s/\bC\+\+/\\*(C+/g;
+
+    # make double underbars have a little tiny space between them
+    s/__/_\\|_/g;
+
+    # PI goes to \*(PI (defined above)
+    s/\bPI\b/noremap('\\*(PI')/ge;
+
+    # make all caps a teeny bit smaller, but don't muck with embedded code literals
+    my $hidCFont = font('C');
+    if ($Cmd !~ /^head1/) { # SH already makes smaller
+	# /g isn't enough; 1 while or we'll be off
+
+#	1 while s{
+#	    (?!$hidCFont)(..|^.|^)
+#	    \b
+#	    (
+#		[A-Z][\/A-Z+:\-\d_$.]+
+#	    )
+#	    (s?) 		
+#	    \b
+#	} {$1\\s-1$2\\s0}gmox;
+
+	1 while s{
+	    (?!$hidCFont)(..|^.|^)
+	    (
+		\b[A-Z]{2,}[\/A-Z+:\-\d_\$]*\b
+	    )
+	} {
+	    $1 . noremap( '\\s-1' .  $2 . '\\s0' )
+	}egmox;
+
+    }
+}
+
+# make troff just be normal, but make small nroff get quoted
+# decided to just put the quotes in the text; sigh;
+sub ccvt {
+    local($_,$prev) = @_;
+    noremap(qq{.CQ "$_" \n\\&});
+}
+
+sub makespace {
+    if ($indent) {
+	print ".Sp\n";
+    }
+    else {
+	print ".PP\n";
+    }
+}
+
+sub mkindex {
+    my ($entry) = @_;
+    my @entries = split m:\s*/\s*:, $entry;
+    push @Indices, ".IX Xref " . join ' ', map {qq("$_")} @entries;
+    return '';
+}
+
+sub font {
+    local($font) = shift;
+    return '\\f' . noremap($font);
+}
+
+sub noremap {
+    local($thing_to_hide) = shift;
+    $thing_to_hide =~ tr/\000-\177/\200-\377/;
+    return $thing_to_hide;
+}
+
+sub init_noremap {
+	# escape high bit characters in input stream
+	s/([\200-\377])/"E<".ord($1).">"/ge;
+}
+
+sub clear_noremap {
+    my $ready_to_print = $_[0];
+
+    tr/\200-\377/\000-\177/;
+
+    # trofficate backslashes
+    # s/(?!\\e)(?:..|^.|^)\\/\\e/g;
+
+    # now for the E<>s, which have been hidden until now
+    # otherwise the interative \w<> processing would have
+    # been hosed by the E<gt>
+    s {
+	    E<
+	    (
+	        ( \d + ) 
+	        | ( [A-Za-z]+ )	
+	    )
+	    >	
+    } {
+	 do {
+	     defined $2
+		? chr($2)
+		:	
+	     exists $HTML_Escapes{$3}
+		? do { $HTML_Escapes{$3} }
+		: do {
+		    warn "$0: Unknown escape in paragraph $. of $ARGV: ``$&''\n";
+		    "E<$1>";
+		}
+	 }
+    }egx if $ready_to_print;
+}
+
+sub internal_lrefs {
+    local($_) = shift;
+    local $trailing_and = s/and\s+$// ? "and " : "";
+
+    s{L</([^>]+)>}{$1}g;
+    my(@items) = split( /(?:,?\s+(?:and\s+)?)/ );
+    my $retstr = "the ";
+    my $i;
+    for ($i = 0; $i <= $#items; $i++) {
+	$retstr .= "C<$items[$i]>";
+	$retstr .= ", " if @items > 2 && $i != $#items;
+	$retstr .= " and " if $i+2 == @items;
+    }
+
+    $retstr .= " entr" . ( @items > 1  ? "ies" : "y" )
+	    .  " elsewhere in this document";
+    # terminal space to avoid words running together (pattern used
+    # strips terminal spaces)
+    $retstr .= " " if length $trailing_and;
+    $retstr .=  $trailing_and;
+
+    return $retstr;
+
+}
+
+BEGIN {
+%HTML_Escapes = (
+    'amp'	=>	'&',	#   ampersand
+    'lt'	=>	'<',	#   left chevron, less-than
+    'gt'	=>	'>',	#   right chevron, greater-than
+    'quot'	=>	'"',	#   double quote
+
+    "Aacute"	=>	"A\\*'",	#   capital A, acute accent
+    "aacute"	=>	"a\\*'",	#   small a, acute accent
+    "Acirc"	=>	"A\\*^",	#   capital A, circumflex accent
+    "acirc"	=>	"a\\*^",	#   small a, circumflex accent
+    "AElig"	=>	'\*(AE',	#   capital AE diphthong (ligature)
+    "aelig"	=>	'\*(ae',	#   small ae diphthong (ligature)
+    "Agrave"	=>	"A\\*`",	#   capital A, grave accent
+    "agrave"	=>	"A\\*`",	#   small a, grave accent
+    "Aring"	=>	'A\\*o',	#   capital A, ring
+    "aring"	=>	'a\\*o',	#   small a, ring
+    "Atilde"	=>	'A\\*~',	#   capital A, tilde
+    "atilde"	=>	'a\\*~',	#   small a, tilde
+    "Auml"	=>	'A\\*:',	#   capital A, dieresis or umlaut mark
+    "auml"	=>	'a\\*:',	#   small a, dieresis or umlaut mark
+    "Ccedil"	=>	'C\\*,',	#   capital C, cedilla
+    "ccedil"	=>	'c\\*,',	#   small c, cedilla
+    "Eacute"	=>	"E\\*'",	#   capital E, acute accent
+    "eacute"	=>	"e\\*'",	#   small e, acute accent
+    "Ecirc"	=>	"E\\*^",	#   capital E, circumflex accent
+    "ecirc"	=>	"e\\*^",	#   small e, circumflex accent
+    "Egrave"	=>	"E\\*`",	#   capital E, grave accent
+    "egrave"	=>	"e\\*`",	#   small e, grave accent
+    "ETH"	=>	'\\*(D-',	#   capital Eth, Icelandic
+    "eth"	=>	'\\*(d-',	#   small eth, Icelandic
+    "Euml"	=>	"E\\*:",	#   capital E, dieresis or umlaut mark
+    "euml"	=>	"e\\*:",	#   small e, dieresis or umlaut mark
+    "Iacute"	=>	"I\\*'",	#   capital I, acute accent
+    "iacute"	=>	"i\\*'",	#   small i, acute accent
+    "Icirc"	=>	"I\\*^",	#   capital I, circumflex accent
+    "icirc"	=>	"i\\*^",	#   small i, circumflex accent
+    "Igrave"	=>	"I\\*`",	#   capital I, grave accent
+    "igrave"	=>	"i\\*`",	#   small i, grave accent
+    "Iuml"	=>	"I\\*:",	#   capital I, dieresis or umlaut mark
+    "iuml"	=>	"i\\*:",	#   small i, dieresis or umlaut mark
+    "Ntilde"	=>	'N\*~',		#   capital N, tilde
+    "ntilde"	=>	'n\*~',		#   small n, tilde
+    "Oacute"	=>	"O\\*'",	#   capital O, acute accent
+    "oacute"	=>	"o\\*'",	#   small o, acute accent
+    "Ocirc"	=>	"O\\*^",	#   capital O, circumflex accent
+    "ocirc"	=>	"o\\*^",	#   small o, circumflex accent
+    "Ograve"	=>	"O\\*`",	#   capital O, grave accent
+    "ograve"	=>	"o\\*`",	#   small o, grave accent
+    "Oslash"	=>	"O\\*/",	#   capital O, slash
+    "oslash"	=>	"o\\*/",	#   small o, slash
+    "Otilde"	=>	"O\\*~",	#   capital O, tilde
+    "otilde"	=>	"o\\*~",	#   small o, tilde
+    "Ouml"	=>	"O\\*:",	#   capital O, dieresis or umlaut mark
+    "ouml"	=>	"o\\*:",	#   small o, dieresis or umlaut mark
+    "szlig"	=>	'\*8',		#   small sharp s, German (sz ligature)
+    "THORN"	=>	'\\*(Th',	#   capital THORN, Icelandic
+    "thorn"	=>	'\\*(th',,	#   small thorn, Icelandic
+    "Uacute"	=>	"U\\*'",	#   capital U, acute accent
+    "uacute"	=>	"u\\*'",	#   small u, acute accent
+    "Ucirc"	=>	"U\\*^",	#   capital U, circumflex accent
+    "ucirc"	=>	"u\\*^",	#   small u, circumflex accent
+    "Ugrave"	=>	"U\\*`",	#   capital U, grave accent
+    "ugrave"	=>	"u\\*`",	#   small u, grave accent
+    "Uuml"	=>	"U\\*:",	#   capital U, dieresis or umlaut mark
+    "uuml"	=>	"u\\*:",	#   small u, dieresis or umlaut mark
+    "Yacute"	=>	"Y\\*'",	#   capital Y, acute accent
+    "yacute"	=>	"y\\*'",	#   small y, acute accent
+    "yuml"	=>	"y\\*:",	#   small y, dieresis or umlaut mark
+);
+}
+
diff --git a/crypto/openssl/util/point.sh b/crypto/openssl/util/point.sh
new file mode 100755
index 0000000..47543c8
--- /dev/null
+++ b/crypto/openssl/util/point.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+rm -f $2
+ln -s $1 $2
+echo "$2 => $1"
+
diff --git a/crypto/openssl/util/selftest.pl b/crypto/openssl/util/selftest.pl
new file mode 100644
index 0000000..04b4425
--- /dev/null
+++ b/crypto/openssl/util/selftest.pl
@@ -0,0 +1,188 @@
+#!/usr/local/bin/perl -w
+#
+# Run the test suite and generate a report
+#
+
+if (! -f "Configure") {
+    print "Please run perl util/selftest.pl in the OpenSSL directory.\n";
+    exit 1;
+}
+
+my $report="testlog";
+my $os="??";
+my $version="??";
+my $platform0="??";
+my $platform="??";
+my $options="??";
+my $last="??";
+my $ok=0;
+my $cc="cc";
+my $cversion="??";
+my $sep="-----------------------------------------------------------------------------\n";
+
+open(OUT,">$report") or die;
+
+print OUT "OpenSSL self-test report:\n\n";
+
+$uname=`uname -a`;
+$uname="??\n" if $uname eq "";
+
+$c=`sh config -t`;
+foreach $_ (split("\n",$c)) {
+    $os=$1 if (/Operating system: (.*)$/);
+    $platform0=$1 if (/Configuring for (.*)$/);
+}
+
+system "sh config" if (! -f "Makefile.ssl");
+
+if (open(IN,"<Makefile.ssl")) {
+    while (<IN>) {
+	$version=$1 if (/^VERSION=(.*)$/);
+	$platform=$1 if (/^PLATFORM=(.*)$/);
+	$options=$1 if (/^OPTIONS=(.*)$/);
+	$cc=$1 if (/^CC= *(.*)$/);
+    }
+    close(IN);
+} else {
+    print OUT "Error running config!\n";
+}
+
+$cversion=`$cc -v 2>&1`;
+$cversion=`$cc -V 2>&1` if $cversion =~ "usage";
+$cversion=`$cc --version` if $cversion eq "";
+$cversion =~ s/Reading specs.*\n//;
+$cversion =~ s/usage.*\n//;
+chomp $cversion;
+
+if (open(IN,"<CHANGES")) {
+    while(<IN>) {
+	if (/\*\) (.{0,55})/) {
+	    $last=$1;
+	    last;
+	}
+    }
+    close(IN);
+}
+
+print OUT "OpenSSL version:  $version\n";
+print OUT "Last change:      $last...\n";
+print OUT "Options:          $options\n" if $options ne "";
+print OUT "OS (uname):       $uname";
+print OUT "OS (config):      $os\n";
+print OUT "Target (default): $platform0\n";
+print OUT "Target:           $platform\n";
+print OUT "Compiler:         $cversion\n";
+print OUT "\n";
+
+print "Checking compiler...\n";
+if (open(TEST,">cctest.c")) {
+    print TEST "#include <stdio.h>\nmain(){printf(\"Hello world\\n\");}\n";
+    close(TEST);
+    system("$cc -o cctest cctest.c");
+    if (`./cctest` !~ /Hello world/) {
+	print OUT "Compiler doesn't work.\n";
+	goto err;
+    }
+    system("ar r cctest.a /dev/null");
+    if (not -f "cctest.a") {
+	print OUT "Check your archive tool (ar).\n";
+	goto err;
+    }
+} else {
+    print OUT "Can't create cctest.c\n";
+}
+if (open(TEST,">cctest.c")) {
+    print TEST "#include <openssl/opensslv.h>\nmain(){printf(OPENSSL_VERSION_TEXT);}\n";
+    close(TEST);
+    system("$cc -o cctest -Iinclude cctest.c");
+    $cctest = `./cctest`;
+    if ($cctest !~ /OpenSSL $version/) {
+	if ($cctest =~ /OpenSSL/) {
+	    print OUT "#include uses headers from different OpenSSL version!\n";
+	} else {
+	    print OUT "Can't compile test program!\n";
+	}
+	goto err;
+    }
+} else {
+    print OUT "Can't create cctest.c\n";
+}
+
+print "Running make...\n";
+if (system("make 2>&1 | tee make.log") > 255) {
+
+    print OUT "make failed!\n";
+    if (open(IN,"<make.log")) {
+	print OUT $sep;
+	while (<IN>) {
+	    print OUT;
+	}
+	close(IN);
+	print OUT $sep;
+    } else {
+	print OUT "make.log not found!\n";
+    }
+    goto err;
+}
+
+$_=$options;
+s/no-asm//;
+if (/no-/)
+{
+    print OUT "Test skipped.\n";
+    goto err;
+}
+
+print "Running make test...\n";
+if (system("make test 2>&1 | tee maketest.log") > 255)
+ {
+    print OUT "make test failed!\n";
+} else {
+    $ok=1;
+}
+
+if ($ok and open(IN,"<maketest.log")) {
+    while (<IN>) {
+	$ok=2 if /^platform: $platform/;
+    }
+    close(IN);
+}
+
+if ($ok != 2) {
+    print OUT "Failure!\n";
+    if (open(IN,"<make.log")) {
+	print OUT $sep;
+	while (<IN>) {
+	    print OUT;
+	}
+	close(IN);
+	print OUT $sep;
+    } else {
+	print OUT "make.log not found!\n";
+    }
+    if (open(IN,"<maketest.log")) {
+	while (<IN>) {
+	    print OUT;
+	}
+	close(IN);
+	print OUT $sep;
+    } else {
+	print OUT "maketest.log not found!\n";
+    }
+} else {
+    print OUT "Test passed.\n";
+}
+err:
+close(OUT);
+
+print "\n";
+open(IN,"<$report") or die;
+while (<IN>) {
+    if (/$sep/) {
+	print "[...]\n";
+	last;
+    }
+    print;
+}
+print "\nTest report in file $report\n";
+
diff --git a/crypto/openssl/util/sep_lib.sh b/crypto/openssl/util/sep_lib.sh
new file mode 100755
index 0000000..34c2c9f
--- /dev/null
+++ b/crypto/openssl/util/sep_lib.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+cwd=`pwd`
+/bin/rm -fr tmp/*
+
+cd crypto/des
+make -f Makefile.uni tar
+make -f Makefile.uni tar_lit
+/bin/mv libdes.tgz $cwd/tmp
+/bin/mv libdes-l.tgz $cwd/tmp
+cd $cwd
+
+for name in md5 sha cast bf idea rc4 rc2
+do
+	echo doing $name
+	(cd crypto; tar cfh - $name)|(cd tmp; tar xf -)
+	cd tmp/$name
+	/bin/rm -f Makefile
+	/bin/rm -f Makefile.ssl
+	/bin/rm -f Makefile.ssl.orig
+	/bin/rm -f *.old
+	/bin/mv Makefile.uni Makefile
+
+	if [ -d asm ]; then
+		mkdir asm/perlasm
+		cp $cwd/crypto/perlasm/*.pl asm/perlasm
+	fi
+	cd ..
+	tar cf - $name|gzip >$name.tgz
+#	/bin/rm -fr $name
+	cd $cwd
+done
+
+
diff --git a/crypto/openssl/util/sp-diff.pl b/crypto/openssl/util/sp-diff.pl
new file mode 100755
index 0000000..f81e502
--- /dev/null
+++ b/crypto/openssl/util/sp-diff.pl
@@ -0,0 +1,80 @@
+#!/usr/local/bin/perl
+#
+# This file takes as input, the files that have been output from
+# ssleay speed.
+# It prints a table of the relative differences with %100 being 'no difference'
+#
+
+($#ARGV == 1) || die "$0 speedout1 speedout2\n";
+
+%one=&loadfile($ARGV[0]);
+%two=&loadfile($ARGV[1]);
+
+$line=0;
+foreach $a ("md2","md5","sha","sha1","rc4","des cfb","des cbc","des ede3",
+	"idea cfb","idea cbc","rc2 cfb","rc2 cbc","blowfish cbc","cast cbc")
+	{
+	if (defined($one{$a,8}) && defined($two{$a,8}))
+		{
+		print "type              8 byte%    64 byte%   256 byte%  1024 byte%  8192 byte%\n"
+			unless $line;
+		$line++;
+		printf "%-12s ",$a;
+		foreach $b (8,64,256,1024,8192)
+			{
+			$r=$two{$a,$b}/$one{$a,$b}*100;
+			printf "%12.2f",$r;
+			}
+		print "\n";
+		}
+	}
+
+foreach $a	(
+		"rsa  512","rsa 1024","rsa 2048","rsa 4096",
+		"dsa  512","dsa 1024","dsa 2048",
+		)
+	{
+	if (defined($one{$a,1}) && defined($two{$a,1}))
+		{
+		$r1=($one{$a,1}/$two{$a,1})*100;
+		$r2=($one{$a,2}/$two{$a,2})*100;
+		printf "$a bits %%    %6.2f %%    %6.2f\n",$r1,$r2;
+		}
+	}
+
+sub loadfile
+	{
+	local($file)=@_;
+	local($_,%ret);
+
+	open(IN,"<$file") || die "unable to open '$file' for input\n";
+	$header=1;
+	while (<IN>)
+		{
+		$header=0 if /^[dr]sa/;
+		if (/^type/) { $header=0; next; }
+		next if $header;
+		chop;
+		@a=split;
+		if ($a[0] =~ /^[dr]sa$/)
+			{
+			($n,$t1,$t2)=($_ =~ /^([dr]sa\s+\d+)\s+bits\s+([.\d]+)s\s+([.\d]+)/);
+			$ret{$n,1}=$t1;
+			$ret{$n,2}=$t2;
+			}
+		else
+			{
+			$n=join(' ',grep(/[^k]$/,@a));
+			@k=grep(s/k$//,@a);
+			
+			$ret{$n,   8}=$k[0];
+			$ret{$n,  64}=$k[1];
+			$ret{$n, 256}=$k[2];
+			$ret{$n,1024}=$k[3];
+			$ret{$n,8192}=$k[4];
+			}
+		}
+	close(IN);
+	return(%ret);
+	}
+
diff --git a/crypto/openssl/util/speed.sh b/crypto/openssl/util/speed.sh
new file mode 100755
index 0000000..f489706
--- /dev/null
+++ b/crypto/openssl/util/speed.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+#
+# This is a ugly script use, in conjuction with editing the 'b'
+# configuration in the $(TOP)/Configure script which will
+# output when finished a file called speed.log which is the
+# timings of SSLeay with various options turned on or off.
+#
+# from the $(TOP) directory
+# Edit Configure, modifying things to do with the b/bl-4c-2c etc
+# configurations.
+#
+
+make clean
+perl Configure b
+make
+apps/ssleay version -v -b -f >speed.1
+apps/ssleay speed >speed.1l
+
+perl Configure bl-4c-2c
+/bin/rm -f crypto/rc4/*.o crypto/bn/bn*.o crypto/md2/md2_dgst.o
+make
+apps/ssleay speed rc4 rsa md2 >speed.2l
+
+perl Configure bl-4c-ri
+/bin/rm -f crypto/rc4/rc4*.o
+make
+apps/ssleay speed rc4 >speed.3l
+
+perl Configure b2-is-ri-dp
+/bin/rm -f crypto/idea/i_*.o crypto/rc4/*.o crypto/des/ecb_enc.o crypto/bn/bn*.o
+apps/ssleay speed rsa rc4 idea des >speed.4l
+
+cat speed.1 >speed.log
+cat speed.1l >>speed.log
+perl util/sp-diff.pl speed.1l speed.2l >>speed.log
+perl util/sp-diff.pl speed.1l speed.3l >>speed.log
+perl util/sp-diff.pl speed.1l speed.4l >>speed.log
+
diff --git a/crypto/openssl/util/src-dep.pl b/crypto/openssl/util/src-dep.pl
new file mode 100755
index 0000000..ad997e4
--- /dev/null
+++ b/crypto/openssl/util/src-dep.pl
@@ -0,0 +1,147 @@
+#!/usr/local/bin/perl
+
+# we make up an array of
+# $file{function_name}=filename;
+# $unres{filename}="func1 func2 ...."
+$debug=1;
+#$nm_func="parse_linux";
+$nm_func="parse_solaris";
+
+foreach (@ARGV)
+	{
+	&$nm_func($_);
+	}
+
+foreach $file (sort keys %unres)
+	{
+	@a=split(/\s+/,$unres{$file});
+	%ff=();
+	foreach $func (@a)
+		{
+		$f=$file{$func};
+		$ff{$f}=1 if $f ne "";
+		}
+
+	foreach $a (keys %ff)
+		{ $we_need{$file}.="$a "; }
+	}
+
+foreach $file (sort keys %we_need)
+	{
+#	print "	$file $we_need{$file}\n";
+	foreach $bit (split(/\s+/,$we_need{$file}))
+		{ push(@final,&walk($bit)); }
+
+	foreach (@final) { $fin{$_}=1; }
+	@final="";
+	foreach (sort keys %fin)
+		{ push(@final,$_); }
+
+	print "$file: @final\n";
+	}
+
+sub walk
+	{
+	local($f)=@_;
+	local(@a,%seen,@ret,$r);
+
+	@ret="";
+	$f =~ s/^\s+//;
+	$f =~ s/\s+$//;
+	return "" if ($f =~ "^\s*$");
+
+	return(split(/\s/,$done{$f})) if defined ($done{$f});
+
+	return if $in{$f} > 0;
+	$in{$f}++;
+	push(@ret,$f);
+	foreach $r (split(/\s+/,$we_need{$f}))
+		{
+		push(@ret,&walk($r));
+		}
+	$in{$f}--;
+	$done{$f}=join(" ",@ret);
+	return(@ret);
+	}
+
+sub parse_linux
+	{
+	local($name)=@_;
+
+	open(IN,"nm $name|") || die "unable to run 'nn $name':$!\n";
+	while (<IN>)
+		{
+		chop;
+		next if /^\s*$/;
+		if (/^[^[](.*):$/)
+			{
+			$file=$1;
+			$file="$1.c" if /\[(.*).o\]/;
+			print STDERR "$file\n";
+			$we_need{$file}=" ";
+			next;
+			}
+
+		@a=split(/\s*\|\s*/);
+		next unless $#a == 7;
+		next unless $a[4] eq "GLOB";
+		if ($a[6] eq "UNDEF")
+			{
+			$unres{$file}.=$a[7]." ";
+			}
+		else
+			{
+			if ($file{$a[7]} ne "")
+				{
+				print STDERR "duplicate definition of $a[7],\n$file{$a[7]} and $file \n";
+				}
+			else
+				{
+				$file{$a[7]}=$file;
+				}
+			}
+		}
+	close(IN);
+	}
+
+sub parse_solaris
+	{
+	local($name)=@_;
+
+	open(IN,"nm $name|") || die "unable to run 'nn $name':$!\n";
+	while (<IN>)
+		{
+		chop;
+		next if /^\s*$/;
+		if (/^(\S+):$/)
+			{
+			$file=$1;
+			#$file="$1.c" if $file =~ /^(.*).o$/;
+			print STDERR "$file\n";
+			$we_need{$file}=" ";
+			next;
+			}
+		@a=split(/\s*\|\s*/);
+		next unless $#a == 7;
+		next unless $a[4] eq "GLOB";
+		if ($a[6] eq "UNDEF")
+			{
+			$unres{$file}.=$a[7]." ";
+			print STDERR "$file needs $a[7]\n" if $debug;
+			}
+		else
+			{
+			if ($file{$a[7]} ne "")
+				{
+				print STDERR "duplicate definition of $a[7],\n$file{$a[7]} and $file \n";
+				}
+			else
+				{
+				$file{$a[7]}=$file;
+				print STDERR "$file has $a[7]\n" if $debug;
+				}
+			}
+		}
+	close(IN);
+	}
+
diff --git a/crypto/openssl/util/ssleay.num b/crypto/openssl/util/ssleay.num
new file mode 100755
index 0000000..32b2e96
--- /dev/null
+++ b/crypto/openssl/util/ssleay.num
@@ -0,0 +1,227 @@
+ERR_load_SSL_strings			1
+SSL_CIPHER_description			2
+SSL_CTX_add_client_CA			3
+SSL_CTX_add_session			4
+SSL_CTX_check_private_key		5
+SSL_CTX_ctrl				6
+SSL_CTX_flush_sessions			7
+SSL_CTX_free				8
+SSL_CTX_get_client_CA_list		9
+SSL_CTX_get_verify_callback		10
+SSL_CTX_get_verify_mode			11
+SSL_CTX_new				12
+SSL_CTX_remove_session			13
+SSL_CTX_set_cert_verify_cb		14
+SSL_CTX_set_cipher_list			15
+SSL_CTX_set_client_CA_list		16
+SSL_CTX_set_default_passwd_cb		17
+SSL_CTX_set_ssl_version			19
+SSL_CTX_set_verify			21
+SSL_CTX_use_PrivateKey			22
+SSL_CTX_use_PrivateKey_ASN1		23
+SSL_CTX_use_PrivateKey_file		24
+SSL_CTX_use_RSAPrivateKey		25
+SSL_CTX_use_RSAPrivateKey_ASN1		26
+SSL_CTX_use_RSAPrivateKey_file		27
+SSL_CTX_use_certificate			28
+SSL_CTX_use_certificate_ASN1		29
+SSL_CTX_use_certificate_file		30
+SSL_SESSION_free			31
+SSL_SESSION_new				32
+SSL_SESSION_print			33
+SSL_SESSION_print_fp			34
+SSL_accept				35
+SSL_add_client_CA			36
+SSL_alert_desc_string			37
+SSL_alert_desc_string_long		38
+SSL_alert_type_string			39
+SSL_alert_type_string_long		40
+SSL_check_private_key			41
+SSL_clear				42
+SSL_connect				43
+SSL_copy_session_id			44
+SSL_ctrl				45
+SSL_dup					46
+SSL_dup_CA_list				47
+SSL_free				48
+SSL_get_certificate			49
+SSL_get_cipher_list			52
+SSL_get_ciphers				55
+SSL_get_client_CA_list			56
+SSL_get_default_timeout			57
+SSL_get_error				58
+SSL_get_fd				59
+SSL_get_peer_cert_chain			60
+SSL_get_peer_certificate		61
+SSL_get_rbio				63
+SSL_get_read_ahead			64
+SSL_get_shared_ciphers			65
+SSL_get_ssl_method			66
+SSL_get_verify_callback			69
+SSL_get_verify_mode			70
+SSL_get_version				71
+SSL_get_wbio				72
+SSL_load_client_CA_file			73
+SSL_load_error_strings			74
+SSL_new					75
+SSL_peek				76
+SSL_pending				77
+SSL_read				78
+SSL_renegotiate				79
+SSL_rstate_string			80
+SSL_rstate_string_long			81
+SSL_set_accept_state			82
+SSL_set_bio				83
+SSL_set_cipher_list			84
+SSL_set_client_CA_list			85
+SSL_set_connect_state			86
+SSL_set_fd				87
+SSL_set_read_ahead			88
+SSL_set_rfd				89
+SSL_set_session				90
+SSL_set_ssl_method			91
+SSL_set_verify				94
+SSL_set_wfd				95
+SSL_shutdown				96
+SSL_state_string			97
+SSL_state_string_long			98
+SSL_use_PrivateKey			99
+SSL_use_PrivateKey_ASN1			100
+SSL_use_PrivateKey_file			101
+SSL_use_RSAPrivateKey			102
+SSL_use_RSAPrivateKey_ASN1		103
+SSL_use_RSAPrivateKey_file		104
+SSL_use_certificate			105
+SSL_use_certificate_ASN1		106
+SSL_use_certificate_file		107
+SSL_write				108
+SSLeay_add_ssl_algorithms		109
+SSLv23_client_method			110
+SSLv23_method				111
+SSLv23_server_method			112
+SSLv2_client_method			113
+SSLv2_method				114
+SSLv2_server_method			115
+SSLv3_client_method			116
+SSLv3_method				117
+SSLv3_server_method			118
+d2i_SSL_SESSION				119
+i2d_SSL_SESSION				120
+BIO_f_ssl				121
+BIO_new_ssl				122
+BIO_proxy_ssl_copy_session_id		123
+BIO_ssl_copy_session_id			124
+SSL_do_handshake			125
+SSL_get_privatekey			126
+SSL_get_current_cipher			127
+SSL_CIPHER_get_bits			128
+SSL_CIPHER_get_version			129
+SSL_CIPHER_get_name			130
+BIO_ssl_shutdown			131
+SSL_SESSION_cmp				132
+SSL_SESSION_hash			133
+SSL_SESSION_get_time			134
+SSL_SESSION_set_time			135
+SSL_SESSION_get_timeout			136
+SSL_SESSION_set_timeout			137
+SSL_CTX_get_ex_data			138
+SSL_CTX_get_quiet_shutdown		140
+SSL_CTX_load_verify_locations		141
+SSL_CTX_set_default_verify_paths	142
+SSL_CTX_set_ex_data			143
+SSL_CTX_set_quiet_shutdown		145
+SSL_SESSION_get_ex_data			146
+SSL_SESSION_set_ex_data			148
+SSL_get_SSL_CTX				150
+SSL_get_ex_data				151
+SSL_get_quiet_shutdown			153
+SSL_get_session				154
+SSL_get_shutdown			155
+SSL_get_verify_result			157
+SSL_set_ex_data				158
+SSL_set_info_callback			160
+SSL_set_quiet_shutdown			161
+SSL_set_shutdown			162
+SSL_set_verify_result			163
+SSL_version				164
+SSL_get_info_callback			165
+SSL_state				166
+SSL_CTX_get_ex_new_index		167
+SSL_SESSION_get_ex_new_index		168
+SSL_get_ex_new_index			169
+TLSv1_method				170
+TLSv1_server_method			171
+TLSv1_client_method			172
+BIO_new_buffer_ssl_connect		173
+BIO_new_ssl_connect			174
+SSL_get_ex_data_X509_STORE_CTX_idx	175
+SSL_CTX_set_tmp_dh_callback		176
+SSL_CTX_set_tmp_rsa_callback		177
+SSL_CTX_set_timeout                     178
+SSL_CTX_get_timeout                     179
+SSL_CTX_get_cert_store                  180
+SSL_CTX_set_cert_store                  181
+SSL_want                                182
+SSL_library_init                        183
+SSL_COMP_add_compression_method         184
+SSL_add_file_cert_subjects_to_stack     185
+SSL_set_tmp_rsa_callback                186
+SSL_set_tmp_dh_callback                 187
+SSL_add_dir_cert_subjects_to_stack      188
+SSL_set_session_id_context              189
+sk_SSL_CIPHER_new                       190
+sk_SSL_CIPHER_new_null                  191
+sk_SSL_CIPHER_free                      192
+sk_SSL_CIPHER_num                       193
+sk_SSL_CIPHER_value                     194
+sk_SSL_CIPHER_set                       195
+sk_SSL_CIPHER_zero                      196
+sk_SSL_CIPHER_push                      197
+sk_SSL_CIPHER_pop                       198
+sk_SSL_CIPHER_find                      199
+sk_SSL_CIPHER_delete                    200
+sk_SSL_CIPHER_delete_ptr                201
+sk_SSL_CIPHER_set_cmp_func              202
+sk_SSL_CIPHER_dup                       203
+sk_SSL_CIPHER_pop_free                  204
+sk_SSL_CIPHER_shift                     205
+sk_SSL_COMP_new                         206
+sk_SSL_COMP_new_null                    207
+sk_SSL_COMP_free                        208
+sk_SSL_COMP_num                         209
+sk_SSL_COMP_value                       210
+sk_SSL_COMP_set                         211
+sk_SSL_COMP_zero                        212
+sk_SSL_COMP_push                        213
+sk_SSL_COMP_pop                         214
+sk_SSL_COMP_find                        215
+sk_SSL_COMP_delete                      216
+sk_SSL_COMP_delete_ptr                  217
+sk_SSL_COMP_set_cmp_func                218
+sk_SSL_COMP_dup                         219
+sk_SSL_COMP_pop_free                    220
+sk_SSL_COMP_shift                       221
+SSL_CTX_use_certificate_chain_file      222
+sk_SSL_COMP_insert                      223
+sk_SSL_CIPHER_insert                    224
+SSL_CTX_set_verify_depth                225
+SSL_set_verify_depth                    226
+sk_SSL_CIPHER_unshift                   227
+SSL_CTX_get_verify_depth                228
+SSL_get_verify_depth                    229
+sk_SSL_COMP_unshift                     230
+SSL_CTX_set_session_id_context          231
+SSL_CTX_set_cert_verify_callback        232
+sk_SSL_COMP_sort                        233
+sk_SSL_CIPHER_sort                      234
+SSL_CTX_set_default_passwd_cb_userdata  235
+SSL_set_purpose                         236
+SSL_CTX_set_trust                       237
+SSL_CTX_set_purpose                     238
+SSL_set_trust                           239
+SSL_get_finished                        240
+SSL_get_peer_finished                   241
+SSL_get1_session                        242
+SSL_CTX_callback_ctrl                   243
+SSL_callback_ctrl                       244
+SSL_CTX_sessions                        245
diff --git a/crypto/openssl/util/tab_num.pl b/crypto/openssl/util/tab_num.pl
new file mode 100755
index 0000000..a81ed0e
--- /dev/null
+++ b/crypto/openssl/util/tab_num.pl
@@ -0,0 +1,17 @@
+#!/usr/local/bin/perl
+
+$num=1;
+$width=40;
+
+while (<>)
+	{
+	chop;
+
+	$i=length($_);
+
+	$n=$width-$i;
+	$i=int(($n+7)/8);
+	print $_.("\t" x $i).$num."\n";
+	$num++;
+	}
+
diff --git a/crypto/openssl/util/x86asm.sh b/crypto/openssl/util/x86asm.sh
new file mode 100755
index 0000000..d2090a9
--- /dev/null
+++ b/crypto/openssl/util/x86asm.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+echo Generating x86 assember
+echo Bignum
+(cd crypto/bn/asm; perl x86.pl cpp > bn86unix.cpp)
+(cd crypto/bn/asm; perl x86.pl win32 > bn-win32.asm)
+
+echo DES
+(cd crypto/des/asm; perl des-586.pl cpp > dx86unix.cpp)
+(cd crypto/des/asm; perl des-586.pl win32 > d-win32.asm)
+
+echo "crypt(3)"
+(cd crypto/des/asm; perl crypt586.pl cpp > yx86unix.cpp)
+(cd crypto/des/asm; perl crypt586.pl win32 > y-win32.asm)
+
+echo Blowfish
+(cd crypto/bf/asm; perl bf-586.pl cpp > bx86unix.cpp)
+(cd crypto/bf/asm; perl bf-586.pl win32 > b-win32.asm)
+
+echo CAST5
+(cd crypto/cast/asm; perl cast-586.pl cpp > cx86unix.cpp)
+(cd crypto/cast/asm; perl cast-586.pl win32 > c-win32.asm)
+
+echo RC4
+(cd crypto/rc4/asm; perl rc4-586.pl cpp > rx86unix.cpp)
+(cd crypto/rc4/asm; perl rc4-586.pl win32 > r4-win32.asm)
+
+echo MD5
+(cd crypto/md5/asm; perl md5-586.pl cpp > mx86unix.cpp)
+(cd crypto/md5/asm; perl md5-586.pl win32 > m5-win32.asm)
+
+echo SHA1
+(cd crypto/sha/asm; perl sha1-586.pl cpp > sx86unix.cpp)
+(cd crypto/sha/asm; perl sha1-586.pl win32 > s1-win32.asm)
+
+echo RIPEMD160
+(cd crypto/ripemd/asm; perl rmd-586.pl cpp > rm86unix.cpp)
+(cd crypto/ripemd/asm; perl rmd-586.pl win32 > rm-win32.asm)
+
+echo RC5/32
+(cd crypto/rc5/asm; perl rc5-586.pl cpp > r586unix.cpp)
+(cd crypto/rc5/asm; perl rc5-586.pl win32 > r5-win32.asm)
diff --git a/crypto/telnet/arpa/telnet.h b/crypto/telnet/arpa/telnet.h
new file mode 100644
index 0000000..d794267
--- /dev/null
+++ b/crypto/telnet/arpa/telnet.h
@@ -0,0 +1,342 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnet.h	8.2 (Berkeley) 12/15/93
+ * $FreeBSD$
+ */
+
+#ifndef _ARPA_TELNET_H_
+#define	_ARPA_TELNET_H_
+
+/*
+ * Definitions for the TELNET protocol.
+ */
+#define	IAC	255		/* interpret as command: */
+#define	DONT	254		/* you are not to use option */
+#define	DO	253		/* please, you use option */
+#define	WONT	252		/* I won't use option */
+#define	WILL	251		/* I will use option */
+#define	SB	250		/* interpret as subnegotiation */
+#define	GA	249		/* you may reverse the line */
+#define	EL	248		/* erase the current line */
+#define	EC	247		/* erase the current character */
+#define	AYT	246		/* are you there */
+#define	AO	245		/* abort output--but let prog finish */
+#define	IP	244		/* interrupt process--permanently */
+#define	BREAK	243		/* break */
+#define	DM	242		/* data mark--for connect. cleaning */
+#define	NOP	241		/* nop */
+#define	SE	240		/* end sub negotiation */
+#define EOR     239             /* end of record (transparent mode) */
+#define	ABORT	238		/* Abort process */
+#define	SUSP	237		/* Suspend process */
+#define	xEOF	236		/* End of file: EOF is already used... */
+
+#define SYNCH	242		/* for telfunc calls */
+
+#ifdef TELCMDS
+char *telcmds[] = {
+	"EOF", "SUSP", "ABORT", "EOR",
+	"SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
+	"EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC",
+	0
+};
+#else
+extern char *telcmds[];
+#endif
+
+#define	TELCMD_FIRST	xEOF
+#define	TELCMD_LAST	IAC
+#define	TELCMD_OK(x)	((unsigned int)(x) <= TELCMD_LAST && \
+			 (unsigned int)(x) >= TELCMD_FIRST)
+#define	TELCMD(x)	telcmds[(x)-TELCMD_FIRST]
+
+/* telnet options */
+#define TELOPT_BINARY	0	/* 8-bit data path */
+#define TELOPT_ECHO	1	/* echo */
+#define	TELOPT_RCP	2	/* prepare to reconnect */
+#define	TELOPT_SGA	3	/* suppress go ahead */
+#define	TELOPT_NAMS	4	/* approximate message size */
+#define	TELOPT_STATUS	5	/* give status */
+#define	TELOPT_TM	6	/* timing mark */
+#define	TELOPT_RCTE	7	/* remote controlled transmission and echo */
+#define TELOPT_NAOL 	8	/* negotiate about output line width */
+#define TELOPT_NAOP 	9	/* negotiate about output page size */
+#define TELOPT_NAOCRD	10	/* negotiate about CR disposition */
+#define TELOPT_NAOHTS	11	/* negotiate about horizontal tabstops */
+#define TELOPT_NAOHTD	12	/* negotiate about horizontal tab disposition */
+#define TELOPT_NAOFFD	13	/* negotiate about formfeed disposition */
+#define TELOPT_NAOVTS	14	/* negotiate about vertical tab stops */
+#define TELOPT_NAOVTD	15	/* negotiate about vertical tab disposition */
+#define TELOPT_NAOLFD	16	/* negotiate about output LF disposition */
+#define TELOPT_XASCII	17	/* extended ascic character set */
+#define	TELOPT_LOGOUT	18	/* force logout */
+#define	TELOPT_BM	19	/* byte macro */
+#define	TELOPT_DET	20	/* data entry terminal */
+#define	TELOPT_SUPDUP	21	/* supdup protocol */
+#define	TELOPT_SUPDUPOUTPUT 22	/* supdup output */
+#define	TELOPT_SNDLOC	23	/* send location */
+#define	TELOPT_TTYPE	24	/* terminal type */
+#define	TELOPT_EOR	25	/* end or record */
+#define	TELOPT_TUID	26	/* TACACS user identification */
+#define	TELOPT_OUTMRK	27	/* output marking */
+#define	TELOPT_TTYLOC	28	/* terminal location number */
+#define	TELOPT_3270REGIME 29	/* 3270 regime */
+#define	TELOPT_X3PAD	30	/* X.3 PAD */
+#define	TELOPT_NAWS	31	/* window size */
+#define	TELOPT_TSPEED	32	/* terminal speed */
+#define	TELOPT_LFLOW	33	/* remote flow control */
+#define TELOPT_LINEMODE	34	/* Linemode option */
+#define TELOPT_XDISPLOC	35	/* X Display Location */
+#define TELOPT_OLD_ENVIRON 36	/* Old - Environment variables */
+#define	TELOPT_AUTHENTICATION 37/* Authenticate */
+#define	TELOPT_ENCRYPT	38	/* Encryption option */
+#define TELOPT_NEW_ENVIRON 39	/* New - Environment variables */
+#define	TELOPT_EXOPL	255	/* extended-options-list */
+
+
+#define	NTELOPTS	(1+TELOPT_NEW_ENVIRON)
+#ifdef TELOPTS
+char *telopts[NTELOPTS+1] = {
+	"BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
+	"STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
+	"NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
+	"NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
+	"DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
+	"SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
+	"TACACS UID", "OUTPUT MARKING", "TTYLOC",
+	"3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
+	"LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
+	"ENCRYPT", "NEW-ENVIRON",
+	0
+};
+#define	TELOPT_FIRST	TELOPT_BINARY
+#define	TELOPT_LAST	TELOPT_NEW_ENVIRON
+#define	TELOPT_OK(x)	((unsigned int)(x) <= TELOPT_LAST)
+#define	TELOPT(x)	telopts[(x)-TELOPT_FIRST]
+#endif
+
+/* sub-option qualifiers */
+#define	TELQUAL_IS	0	/* option is... */
+#define	TELQUAL_SEND	1	/* send option */
+#define	TELQUAL_INFO	2	/* ENVIRON: informational version of IS */
+#define	TELQUAL_REPLY	2	/* AUTHENTICATION: client version of IS */
+#define	TELQUAL_NAME	3	/* AUTHENTICATION: client version of IS */
+
+#define	LFLOW_OFF		0	/* Disable remote flow control */
+#define	LFLOW_ON		1	/* Enable remote flow control */
+#define	LFLOW_RESTART_ANY	2	/* Restart output on any char */
+#define	LFLOW_RESTART_XON	3	/* Restart output only on XON */
+
+/*
+ * LINEMODE suboptions
+ */
+
+#define	LM_MODE		1
+#define	LM_FORWARDMASK	2
+#define	LM_SLC		3
+
+#define	MODE_EDIT	0x01
+#define	MODE_TRAPSIG	0x02
+#define	MODE_ACK	0x04
+#define MODE_SOFT_TAB	0x08
+#define MODE_LIT_ECHO	0x10
+
+#define	MODE_MASK	0x1f
+
+/* Not part of protocol, but needed to simplify things... */
+#define MODE_FLOW		0x0100
+#define MODE_ECHO		0x0200
+#define MODE_INBIN		0x0400
+#define MODE_OUTBIN		0x0800
+#define MODE_FORCE		0x1000
+
+#define	SLC_SYNCH	1
+#define	SLC_BRK		2
+#define	SLC_IP		3
+#define	SLC_AO		4
+#define	SLC_AYT		5
+#define	SLC_EOR		6
+#define	SLC_ABORT	7
+#define	SLC_EOF		8
+#define	SLC_SUSP	9
+#define	SLC_EC		10
+#define	SLC_EL		11
+#define	SLC_EW		12
+#define	SLC_RP		13
+#define	SLC_LNEXT	14
+#define	SLC_XON		15
+#define	SLC_XOFF	16
+#define	SLC_FORW1	17
+#define	SLC_FORW2	18
+#define SLC_MCL         19
+#define SLC_MCR         20
+#define SLC_MCWL        21
+#define SLC_MCWR        22
+#define SLC_MCBOL       23
+#define SLC_MCEOL       24
+#define SLC_INSRT       25
+#define SLC_OVER        26
+#define SLC_ECR         27
+#define SLC_EWR         28
+#define SLC_EBOL        29
+#define SLC_EEOL        30
+
+#define	NSLC		30
+
+/*
+ * For backwards compatability, we define SLC_NAMES to be the
+ * list of names if SLC_NAMES is not defined.
+ */
+#define	SLC_NAMELIST	"0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
+			"ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
+			"LNEXT", "XON", "XOFF", "FORW1", "FORW2",	\
+			"MCL", "MCR", "MCWL", "MCWR", "MCBOL",		\
+			"MCEOL", "INSRT", "OVER", "ECR", "EWR",		\
+			"EBOL", "EEOL",					\
+			0
+
+#ifdef	SLC_NAMES
+char *slc_names[] = {
+	SLC_NAMELIST
+};
+#else
+extern char *slc_names[];
+#define	SLC_NAMES SLC_NAMELIST
+#endif
+
+#define	SLC_NAME_OK(x)	((unsigned int)(x) <= NSLC)
+#define SLC_NAME(x)	slc_names[x]
+
+#define	SLC_NOSUPPORT	0
+#define	SLC_CANTCHANGE	1
+#define	SLC_VARIABLE	2
+#define	SLC_DEFAULT	3
+#define	SLC_LEVELBITS	0x03
+
+#define	SLC_FUNC	0
+#define	SLC_FLAGS	1
+#define	SLC_VALUE	2
+
+#define	SLC_ACK		0x80
+#define	SLC_FLUSHIN	0x40
+#define	SLC_FLUSHOUT	0x20
+
+#define	OLD_ENV_VAR	1
+#define	OLD_ENV_VALUE	0
+#define	NEW_ENV_VAR	0
+#define	NEW_ENV_VALUE	1
+#define	ENV_ESC		2
+#define ENV_USERVAR	3
+
+/*
+ * AUTHENTICATION suboptions
+ */
+
+/*
+ * Who is authenticating who ...
+ */
+#define	AUTH_WHO_CLIENT		0	/* Client authenticating server */
+#define	AUTH_WHO_SERVER		1	/* Server authenticating client */
+#define	AUTH_WHO_MASK		1
+
+/*
+ * amount of authentication done
+ */
+#define	AUTH_HOW_ONE_WAY	0
+#define	AUTH_HOW_MUTUAL		2
+#define	AUTH_HOW_MASK		2
+
+#define	AUTHTYPE_NULL		0
+#define	AUTHTYPE_KERBEROS_V4	1
+#define	AUTHTYPE_KERBEROS_V5	2
+#define	AUTHTYPE_SPX		3
+#define	AUTHTYPE_MINK		4
+#define AUTHTYPE_SRA		6
+#define	AUTHTYPE_CNT		7
+
+#define	AUTHTYPE_TEST		99
+
+#ifdef	AUTH_NAMES
+char *authtype_names[] = {
+	"NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK", NULL, "SRA",
+	0
+};
+#else
+extern char *authtype_names[];
+#endif
+
+#define	AUTHTYPE_NAME_OK(x)	((unsigned int)(x) < AUTHTYPE_CNT)
+#define	AUTHTYPE_NAME(x)	authtype_names[x]
+
+/*
+ * ENCRYPTion suboptions
+ */
+#define	ENCRYPT_IS		0	/* I pick encryption type ... */
+#define	ENCRYPT_SUPPORT		1	/* I support encryption types ... */
+#define	ENCRYPT_REPLY		2	/* Initial setup response */
+#define	ENCRYPT_START		3	/* Am starting to send encrypted */
+#define	ENCRYPT_END		4	/* Am ending encrypted */
+#define	ENCRYPT_REQSTART	5	/* Request you start encrypting */
+#define	ENCRYPT_REQEND		6	/* Request you end encrypting */
+#define	ENCRYPT_ENC_KEYID	7
+#define	ENCRYPT_DEC_KEYID	8
+#define	ENCRYPT_CNT		9
+
+#define	ENCTYPE_ANY		0
+#define	ENCTYPE_DES_CFB64	1
+#define	ENCTYPE_DES_OFB64	2
+#define	ENCTYPE_CNT		3
+
+#ifdef	ENCRYPT_NAMES
+char *encrypt_names[] = {
+	"IS", "SUPPORT", "REPLY", "START", "END",
+	"REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
+	0
+};
+char *enctype_names[] = {
+	"ANY", "DES_CFB64",  "DES_OFB64",
+	0
+};
+#else
+extern char *encrypt_names[];
+extern char *enctype_names[];
+#endif
+
+
+#define	ENCRYPT_NAME_OK(x)	((unsigned int)(x) < ENCRYPT_CNT)
+#define	ENCRYPT_NAME(x)		encrypt_names[x]
+
+#define	ENCTYPE_NAME_OK(x)	((unsigned int)(x) < ENCTYPE_CNT)
+#define	ENCTYPE_NAME(x)		enctype_names[x]
+
+#endif /* !_TELNET_H_ */
diff --git a/crypto/telnet/libtelnet/auth-proto.h b/crypto/telnet/libtelnet/auth-proto.h
new file mode 100644
index 0000000..e6b8481
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth-proto.h
@@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth-proto.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+#if	defined(AUTHENTICATION)
+Authenticator *findauthenticator P((int, int));
+
+void auth_init P((char *, int));
+int auth_cmd P((int, char **));
+void auth_request P((void));
+void auth_send P((unsigned char *, int));
+void auth_send_retry P((void));
+void auth_is P((unsigned char *, int));
+void auth_reply P((unsigned char *, int));
+void auth_finished P((Authenticator *, int));
+int auth_wait P((char *));
+void auth_disable_name P((char *));
+void auth_gen_printsub P((unsigned char *, int, unsigned char *, int));
+void auth_name P((unsigned char *, int));
+void auth_printsub P((unsigned char *, int, unsigned char *, int));
+int auth_sendname P((unsigned char *, int));
+void auth_encrypt_user P((char *));
+
+#ifdef	KRB4
+int kerberos4_init P((Authenticator *, int));
+int kerberos4_send P((Authenticator *));
+void kerberos4_is P((Authenticator *, unsigned char *, int));
+void kerberos4_reply P((Authenticator *, unsigned char *, int));
+int kerberos4_status P((Authenticator *, char *, int));
+void kerberos4_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+
+#ifdef	KRB5
+int kerberos5_init P((Authenticator *, int));
+int kerberos5_send P((Authenticator *));
+void kerberos5_is P((Authenticator *, unsigned char *, int));
+void kerberos5_reply P((Authenticator *, unsigned char *, int));
+int kerberos5_status P((Authenticator *, char *, int));
+void kerberos5_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+#ifdef SRA
+int sra_init P((Authenticator *, int));
+int sra_send P((Authenticator *));
+void sra_is P((Authenticator *, unsigned char *, int));
+void sra_reply P((Authenticator *, unsigned char *, int));
+int sra_status P((Authenticator *, char *, int));
+void sra_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+#endif
diff --git a/crypto/telnet/libtelnet/auth.c b/crypto/telnet/libtelnet/auth.c
new file mode 100644
index 0000000..8bdb2ca
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth.c
@@ -0,0 +1,686 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#if	defined(AUTHENTICATION)
+#include <stdio.h>
+#include <sys/types.h>
+#include <signal.h>
+#define	AUTH_NAMES
+#include <arpa/telnet.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#include <unistd.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc-proto.h"
+#include "auth-proto.h"
+
+#define	typemask(x)		(1<<((x)-1))
+
+#ifdef	KRB4_ENCPWD
+extern krb4encpwd_init();
+extern krb4encpwd_send();
+extern krb4encpwd_is();
+extern krb4encpwd_reply();
+extern krb4encpwd_status();
+extern krb4encpwd_printsub();
+#endif
+
+#ifdef	RSA_ENCPWD
+extern rsaencpwd_init();
+extern rsaencpwd_send();
+extern rsaencpwd_is();
+extern rsaencpwd_reply();
+extern rsaencpwd_status();
+extern rsaencpwd_printsub();
+#endif
+
+int auth_debug_mode = 0;
+static 	char	*Name = "Noname";
+static	int	Server = 0;
+static	Authenticator	*authenticated = 0;
+static	int	authenticating = 0;
+static	int	validuser = 0;
+static	unsigned char	_auth_send_data[256];
+static	unsigned char	*auth_send_data;
+static	int	auth_send_cnt = 0;
+
+int auth_onoff(char *type, int on);
+void auth_encrypt_user(char *name);
+
+/*
+ * Authentication types supported.  Plese note that these are stored
+ * in priority order, i.e. try the first one first.
+ */
+Authenticator authenticators[] = {
+#ifdef	SPX
+	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				spx_init,
+				spx_send,
+				spx_is,
+				spx_reply,
+				spx_status,
+				spx_printsub },
+	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				spx_init,
+				spx_send,
+				spx_is,
+				spx_reply,
+				spx_status,
+				spx_printsub },
+#endif
+#ifdef	KRB5
+# ifdef	ENCRYPTION
+	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				kerberos5_init,
+				kerberos5_send,
+				kerberos5_is,
+				kerberos5_reply,
+				kerberos5_status,
+				kerberos5_printsub },
+# endif	/* ENCRYPTION */
+	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				kerberos5_init,
+				kerberos5_send,
+				kerberos5_is,
+				kerberos5_reply,
+				kerberos5_status,
+				kerberos5_printsub },
+#endif
+#ifdef	KRB4
+# ifdef ENCRYPTION
+	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				kerberos4_init,
+				kerberos4_send,
+				kerberos4_is,
+				kerberos4_reply,
+				kerberos4_status,
+				kerberos4_printsub },
+# endif	/* ENCRYPTION */
+	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				kerberos4_init,
+				kerberos4_send,
+				kerberos4_is,
+				kerberos4_reply,
+				kerberos4_status,
+				kerberos4_printsub },
+#endif
+#ifdef	KRB4_ENCPWD
+	{ AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				krb4encpwd_init,
+				krb4encpwd_send,
+				krb4encpwd_is,
+				krb4encpwd_reply,
+				krb4encpwd_status,
+				krb4encpwd_printsub },
+#endif
+#ifdef	RSA_ENCPWD
+	{ AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				rsaencpwd_init,
+				rsaencpwd_send,
+				rsaencpwd_is,
+				rsaencpwd_reply,
+				rsaencpwd_status,
+				rsaencpwd_printsub },
+#endif
+#ifdef SRA
+	{ AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				sra_init,
+				sra_send,
+				sra_is,
+				sra_reply,
+				sra_status,
+				sra_printsub },
+
+#endif
+	{ 0, },
+};
+
+static Authenticator NoAuth = { 0 };
+
+static int	i_support = 0;
+static int	i_wont_support = 0;
+
+	Authenticator *
+findauthenticator(type, way)
+	int type;
+	int way;
+{
+	Authenticator *ap = authenticators;
+
+	while (ap->type && (ap->type != type || ap->way != way))
+		++ap;
+	return(ap->type ? ap : 0);
+}
+
+	void
+auth_init(name, server)
+	char *name;
+	int server;
+{
+	Authenticator *ap = authenticators;
+
+	Server = server;
+	Name = name;
+
+	i_support = 0;
+	authenticated = 0;
+	authenticating = 0;
+	while (ap->type) {
+		if (!ap->init || (*ap->init)(ap, server)) {
+			i_support |= typemask(ap->type);
+			if (auth_debug_mode)
+				printf(">>>%s: I support auth type %d %d\r\n",
+					Name,
+					ap->type, ap->way);
+		}
+		else if (auth_debug_mode)
+			printf(">>>%s: Init failed: auth type %d %d\r\n",
+				Name, ap->type, ap->way);
+		++ap;
+	}
+}
+
+	void
+auth_disable_name(name)
+	char *name;
+{
+	int x;
+	for (x = 0; x < AUTHTYPE_CNT; ++x) {
+		if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
+			i_wont_support |= typemask(x);
+			break;
+		}
+	}
+}
+
+	int
+getauthmask(type, maskp)
+	char *type;
+	int *maskp;
+{
+	register int x;
+
+	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
+		*maskp = -1;
+		return(1);
+	}
+
+	for (x = 1; x < AUTHTYPE_CNT; ++x) {
+		if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
+			*maskp = typemask(x);
+			return(1);
+		}
+	}
+	return(0);
+}
+
+	int
+auth_enable(type)
+	char *type;
+{
+	return(auth_onoff(type, 1));
+}
+
+	int
+auth_disable(type)
+	char *type;
+{
+	return(auth_onoff(type, 0));
+}
+
+	int
+auth_onoff(type, on)
+	char *type;
+	int on;
+{
+	int i, mask = -1;
+	Authenticator *ap;
+
+	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+		printf("auth %s 'type'\n", on ? "enable" : "disable");
+		printf("Where 'type' is one of:\n");
+		printf("\t%s\n", AUTHTYPE_NAME(0));
+		mask = 0;
+		for (ap = authenticators; ap->type; ap++) {
+			if ((mask & (i = typemask(ap->type))) != 0)
+				continue;
+			mask |= i;
+			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+		}
+		return(0);
+	}
+
+	if (!getauthmask(type, &mask)) {
+		printf("%s: invalid authentication type\n", type);
+		return(0);
+	}
+	if (on)
+		i_wont_support &= ~mask;
+	else
+		i_wont_support |= mask;
+	return(1);
+}
+
+	int
+auth_togdebug(on)
+	int on;
+{
+	if (on < 0)
+		auth_debug_mode ^= 1;
+	else
+		auth_debug_mode = on;
+	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+auth_status()
+{
+	Authenticator *ap;
+	int i, mask;
+
+	if (i_wont_support == -1)
+		printf("Authentication disabled\n");
+	else
+		printf("Authentication enabled\n");
+
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+		if ((mask & (i = typemask(ap->type))) != 0)
+			continue;
+		mask |= i;
+		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+			(i_wont_support & typemask(ap->type)) ?
+					"disabled" : "enabled");
+	}
+	return(1);
+}
+
+/*
+ * This routine is called by the server to start authentication
+ * negotiation.
+ */
+	void
+auth_request()
+{
+	static unsigned char str_request[64] = { IAC, SB,
+						 TELOPT_AUTHENTICATION,
+						 TELQUAL_SEND, };
+	Authenticator *ap = authenticators;
+	unsigned char *e = str_request + 4;
+
+	if (!authenticating) {
+		authenticating = 1;
+		while (ap->type) {
+			if (i_support & ~i_wont_support & typemask(ap->type)) {
+				if (auth_debug_mode) {
+					printf(">>>%s: Sending type %d %d\r\n",
+						Name, ap->type, ap->way);
+				}
+				*e++ = ap->type;
+				*e++ = ap->way;
+			}
+			++ap;
+		}
+		*e++ = IAC;
+		*e++ = SE;
+		net_write(str_request, e - str_request);
+		printsub('>', &str_request[2], e - str_request - 2);
+	}
+}
+
+/*
+ * This is called when an AUTH SEND is received.
+ * It should never arrive on the server side (as only the server can
+ * send an AUTH SEND).
+ * You should probably respond to it if you can...
+ *
+ * If you want to respond to the types out of order (i.e. even
+ * if he sends  LOGIN KERBEROS and you support both, you respond
+ * with KERBEROS instead of LOGIN (which is against what the
+ * protocol says)) you will have to hack this code...
+ */
+	void
+auth_send(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+					    TELQUAL_IS, AUTHTYPE_NULL, 0,
+					    IAC, SE };
+	if (Server) {
+		if (auth_debug_mode) {
+			printf(">>>%s: auth_send called!\r\n", Name);
+		}
+		return;
+	}
+
+	if (auth_debug_mode) {
+		printf(">>>%s: auth_send got:", Name);
+		printd(data, cnt); printf("\r\n");
+	}
+
+	/*
+	 * Save the data, if it is new, so that we can continue looking
+	 * at it if the authorization we try doesn't work
+	 */
+	if (data < _auth_send_data ||
+	    data > _auth_send_data + sizeof(_auth_send_data)) {
+		auth_send_cnt = cnt > sizeof(_auth_send_data)
+					? sizeof(_auth_send_data)
+					: cnt;
+		memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
+		auth_send_data = _auth_send_data;
+	} else {
+		/*
+		 * This is probably a no-op, but we just make sure
+		 */
+		auth_send_data = data;
+		auth_send_cnt = cnt;
+	}
+	while ((auth_send_cnt -= 2) >= 0) {
+		if (auth_debug_mode)
+			printf(">>>%s: He supports %d\r\n",
+				Name, *auth_send_data);
+		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+			ap = findauthenticator(auth_send_data[0],
+					       auth_send_data[1]);
+			if (ap && ap->send) {
+				if (auth_debug_mode)
+					printf(">>>%s: Trying %d %d\r\n",
+						Name, auth_send_data[0],
+							auth_send_data[1]);
+				if ((*ap->send)(ap)) {
+					/*
+					 * Okay, we found one we like
+					 * and did it.
+					 * we can go home now.
+					 */
+					if (auth_debug_mode)
+						printf(">>>%s: Using type %d\r\n",
+							Name, *auth_send_data);
+					auth_send_data += 2;
+					return;
+				}
+			}
+			/* else
+			 *	just continue on and look for the
+			 *	next one if we didn't do anything.
+			 */
+		}
+		auth_send_data += 2;
+	}
+	net_write(str_none, sizeof(str_none));
+	printsub('>', &str_none[2], sizeof(str_none) - 2);
+	if (auth_debug_mode)
+		printf(">>>%s: Sent failure message\r\n", Name);
+	auth_finished(0, AUTH_REJECT);
+#ifdef KANNAN
+	/*
+	 *  We requested strong authentication, however no mechanisms worked.
+	 *  Therefore, exit on client end.
+	 */
+	printf("Unable to securely authenticate user ... exit\n");
+	exit(0);
+#endif /* KANNAN */
+}
+
+	void
+auth_send_retry()
+{
+	/*
+	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
+	 * the authentication and informing the other side of this.
+	 */
+	auth_send(auth_send_data, auth_send_cnt);
+}
+
+	void
+auth_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+
+	if (cnt < 2)
+		return;
+
+	if (data[0] == AUTHTYPE_NULL) {
+		auth_finished(0, AUTH_REJECT);
+		return;
+	}
+
+	if ((ap = findauthenticator(data[0], data[1]))) {
+		if (ap->is)
+			(*ap->is)(ap, data+2, cnt-2);
+	} else if (auth_debug_mode)
+		printf(">>>%s: Invalid authentication in IS: %d\r\n",
+			Name, *data);
+}
+
+	void
+auth_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+
+	if (cnt < 2)
+		return;
+
+	if ((ap = findauthenticator(data[0], data[1]))) {
+		if (ap->reply)
+			(*ap->reply)(ap, data+2, cnt-2);
+	} else if (auth_debug_mode)
+		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+			Name, *data);
+}
+
+	void
+auth_name(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	unsigned char savename[256];
+
+	if (cnt < 1) {
+		if (auth_debug_mode)
+			printf(">>>%s: Empty name in NAME\r\n", Name);
+		return;
+	}
+	if (cnt > sizeof(savename) - 1) {
+		if (auth_debug_mode)
+			printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
+					Name, cnt, sizeof(savename)-1);
+		return;
+	}
+	memmove((void *)savename, (void *)data, cnt);
+	savename[cnt] = '\0';	/* Null terminate */
+	if (auth_debug_mode)
+		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+	auth_encrypt_user(savename);
+}
+
+	int
+auth_sendname(cp, len)
+	unsigned char *cp;
+	int len;
+{
+	static unsigned char str_request[256+6]
+			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+	register unsigned char *e = str_request + 4;
+	register unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+	while (--len >= 0) {
+		if ((*e++ = *cp++) == IAC)
+			*e++ = IAC;
+		if (e >= ee)
+			return(0);
+	}
+	*e++ = IAC;
+	*e++ = SE;
+	net_write(str_request, e - str_request);
+	printsub('>', &str_request[2], e - &str_request[2]);
+	return(1);
+}
+
+	void
+auth_finished(ap, result)
+	Authenticator *ap;
+	int result;
+{
+	if (!(authenticated = ap))
+		authenticated = &NoAuth;
+	validuser = result;
+}
+
+	/* ARGSUSED */
+	static void
+auth_intr(sig)
+	int sig;
+{
+	auth_finished(0, AUTH_REJECT);
+}
+
+	int
+auth_wait(name)
+	char *name;
+{
+	if (auth_debug_mode)
+		printf(">>>%s: in auth_wait.\r\n", Name);
+
+	if (Server && !authenticating)
+		return(0);
+
+	(void) signal(SIGALRM, auth_intr);
+	alarm(30);
+	while (!authenticated)
+		if (telnet_spin())
+			break;
+	alarm(0);
+	(void) signal(SIGALRM, SIG_DFL);
+
+	/*
+	 * Now check to see if the user is valid or not
+	 */
+	if (!authenticated || authenticated == &NoAuth)
+		return(AUTH_REJECT);
+
+	if (validuser == AUTH_VALID)
+		validuser = AUTH_USER;
+
+	if (authenticated->status)
+		validuser = (*authenticated->status)(authenticated,
+						     name, validuser);
+	return(validuser);
+}
+
+	void
+auth_debug(mode)
+	int mode;
+{
+	auth_debug_mode = mode;
+}
+
+	void
+auth_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	Authenticator *ap;
+
+	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+		(*ap->printsub)(data, cnt, buf, buflen);
+	else
+		auth_gen_printsub(data, cnt, buf, buflen);
+}
+
+	void
+auth_gen_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	register unsigned char *cp;
+	unsigned char tbuf[16];
+
+	cnt -= 3;
+	data += 3;
+	buf[buflen-1] = '\0';
+	buf[buflen-2] = '*';
+	buflen -= 2;
+	for (; cnt > 0; cnt--, data++) {
+		sprintf((char *)tbuf, " %d", *data);
+		for (cp = tbuf; *cp && buflen > 0; --buflen)
+			*buf++ = *cp++;
+		if (buflen <= 0)
+			return;
+	}
+	*buf = '\0';
+}
+#endif
diff --git a/crypto/telnet/libtelnet/auth.h b/crypto/telnet/libtelnet/auth.h
new file mode 100644
index 0000000..615e8a0
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth.h
@@ -0,0 +1,87 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__AUTH__
+#define	__AUTH__
+
+#define	AUTH_REJECT	0	/* Rejected */
+#define	AUTH_UNKNOWN	1	/* We don't know who he is, but he's okay */
+#define	AUTH_OTHER	2	/* We know him, but not his name */
+#define	AUTH_USER	3	/* We know he name */
+#define	AUTH_VALID	4	/* We know him, and he needs no password */
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define P(x)	x
+#else
+#define P(x)	()
+#endif
+#endif
+
+typedef struct XauthP {
+	int	type;
+	int	way;
+	int	(*init) P((struct XauthP *, int));
+	int	(*send) P((struct XauthP *));
+	void	(*is) P((struct XauthP *, unsigned char *, int));
+	void	(*reply) P((struct XauthP *, unsigned char *, int));
+	int	(*status) P((struct XauthP *, char *, int));
+	void	(*printsub) P((unsigned char *, int, unsigned char *, int));
+} Authenticator;
+
+#include "auth-proto.h"
+
+extern auth_debug_mode;
+#endif
diff --git a/crypto/telnet/libtelnet/enc-proto.h b/crypto/telnet/libtelnet/enc-proto.h
new file mode 100644
index 0000000..bbbc07c
--- /dev/null
+++ b/crypto/telnet/libtelnet/enc-proto.h
@@ -0,0 +1,129 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)enc-proto.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+#ifdef	ENCRYPTION
+void encrypt_init P((char *, int));
+Encryptions *findencryption P((int));
+void encrypt_send_supprt P((void));
+void encrypt_auto P((int));
+void decrypt_auto P((int));
+void encrypt_is P((unsigned char *, int));
+void encrypt_reply P((unsigned char *, int));
+void encrypt_start_input P((int));
+void encrypt_session_key P((Session_Key *, int));
+void encrypt_end_input P((void));
+void encrypt_start_output P((int));
+void encrypt_end_output P((void));
+void encrypt_send_request_start P((void));
+void encrypt_send_request_end P((void));
+void encrypt_send_end P((void));
+void encrypt_wait P((void));
+void encrypt_send_support P((void));
+void encrypt_send_keyid P((int, unsigned char *, int, int));
+void encrypt_start P((unsigned char *, int));
+void encrypt_end P((void));
+void encrypt_support P((unsigned char *, int));
+void encrypt_request_start P((unsigned char *, int));
+void encrypt_request_end P((void));
+void encrypt_enc_keyid P((unsigned char *, int));
+void encrypt_dec_keyid P((unsigned char *, int));
+void encrypt_printsub P((unsigned char *, int, unsigned char *, int));
+int net_write P((unsigned char *, int));
+
+#ifndef	TELENTD
+int encrypt_cmd P((int, char **));
+void encrypt_display P((void));
+#endif
+
+#ifdef DES_ENCRYPTION
+void krbdes_encrypt P((unsigned char *, int));
+int krbdes_decrypt P((int));
+int krbdes_is P((unsigned char *, int));
+int krbdes_reply P((unsigned char *, int));
+void krbdes_init P((int));
+int krbdes_start P((int, int));
+void krbdes_session P((Session_Key *, int));
+void krbdes_printsub P((unsigned char *, int, unsigned char *, int));
+
+void cfb64_encrypt P((unsigned char *, int));
+int cfb64_decrypt P((int));
+void cfb64_init P((int));
+int cfb64_start P((int, int));
+int cfb64_is P((unsigned char *, int));
+int cfb64_reply P((unsigned char *, int));
+void cfb64_session P((Session_Key *, int));
+int cfb64_keyid P((int, unsigned char *, int *));
+void cfb64_printsub P((unsigned char *, int, unsigned char *, int));
+
+void ofb64_encrypt P((unsigned char *, int));
+int ofb64_decrypt P((int));
+void ofb64_init P((int));
+int ofb64_start P((int, int));
+int ofb64_is P((unsigned char *, int));
+int ofb64_reply P((unsigned char *, int));
+void ofb64_session P((Session_Key *, int));
+int ofb64_keyid P((int, unsigned char *, int *));
+void ofb64_printsub P((unsigned char *, int, unsigned char *, int));
+#endif /* DES_ENCRYPTION */
+
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/enc_des.c b/crypto/telnet/libtelnet/enc_des.c
new file mode 100644
index 0000000..c0f669b
--- /dev/null
+++ b/crypto/telnet/libtelnet/enc_des.c
@@ -0,0 +1,722 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)enc_des.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#ifdef	ENCRYPTION
+# ifdef	AUTHENTICATION
+#  ifdef DES_ENCRYPTION
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+
+#include <openssl/des.h>
+#include <string.h>
+#include "encrypt.h"
+#include "key-proto.h"
+#include "misc-proto.h"
+
+extern encrypt_debug_mode;
+
+#define	CFB	0
+#define	OFB	1
+
+#define	NO_SEND_IV	1
+#define	NO_RECV_IV	2
+#define	NO_KEYID	4
+#define	IN_PROGRESS	(NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define	SUCCESS		0
+#define	FAILED		-1
+
+
+struct fb {
+	Block krbdes_key;
+	Schedule krbdes_sched;
+	Block temp_feed;
+	unsigned char fb_feed[64];
+	int need_start;
+	int state[2];
+	int keyid[2];
+	int once;
+	struct stinfo {
+		Block		str_output;
+		Block		str_feed;
+		Block		str_iv;
+		Block		str_ikey;
+		Schedule	str_sched;
+		int		str_index;
+		int		str_flagshift;
+	} streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+	char	*keyid;
+	int	keyidlen;
+	char	*key;
+	int	keylen;
+	int	flags;
+} keyidlist [] = {
+	{ "\0", 1, 0, 0, 0 },		/* default key of zero */
+	{ 0, 0, 0, 0, 0 }
+};
+
+#define	KEYFLAG_MASK	03
+
+#define	KEYFLAG_NOINIT	00
+#define	KEYFLAG_INIT	01
+#define	KEYFLAG_OK	02
+#define	KEYFLAG_BAD	03
+
+#define	KEYFLAG_SHIFT	2
+
+#define	SHIFT_VAL(a,b)	(KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define	FB64_IV		1
+#define	FB64_IV_OK	2
+#define	FB64_IV_BAD	3
+
+
+void fb64_stream_iv P((Block, struct stinfo *));
+void fb64_init P((struct fb *));
+static int fb64_start P((struct fb *, int, int));
+int fb64_is P((unsigned char *, int, struct fb *));
+int fb64_reply P((unsigned char *, int, struct fb *));
+static void fb64_session P((Session_Key *, int, struct fb *));
+void fb64_stream_key P((Block, struct stinfo *));
+int fb64_keyid P((int, unsigned char *, int *, struct fb *));
+
+	void
+cfb64_init(server)
+	int server;
+{
+	fb64_init(&fb[CFB]);
+	fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+	void
+ofb64_init(server)
+	int server;
+{
+	fb64_init(&fb[OFB]);
+	fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+	void
+fb64_init(fbp)
+	register struct fb *fbp;
+{
+	memset((void *)fbp, 0, sizeof(*fbp));
+	fbp->state[0] = fbp->state[1] = FAILED;
+	fbp->fb_feed[0] = IAC;
+	fbp->fb_feed[1] = SB;
+	fbp->fb_feed[2] = TELOPT_ENCRYPT;
+	fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ *	 2: Not yet.  Other things (like getting the key from
+ *	    Kerberos) have to happen before we can continue.
+ */
+	int
+cfb64_start(dir, server)
+	int dir;
+	int server;
+{
+	return(fb64_start(&fb[CFB], dir, server));
+}
+	int
+ofb64_start(dir, server)
+	int dir;
+	int server;
+{
+	return(fb64_start(&fb[OFB], dir, server));
+}
+
+	static int
+fb64_start(fbp, dir, server)
+	struct fb *fbp;
+	int dir;
+	int server;
+{
+	int x;
+	unsigned char *p;
+	register int state;
+
+	switch (dir) {
+	case DIR_DECRYPT:
+		/*
+		 * This is simply a request to have the other side
+		 * start output (our input).  He will negotiate an
+		 * IV so we need not look for it.
+		 */
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		break;
+
+	case DIR_ENCRYPT:
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		else if ((state & NO_SEND_IV) == 0)
+			break;
+
+		if (!VALIDKEY(fbp->krbdes_key)) {
+			fbp->need_start = 1;
+			break;
+		}
+		state &= ~NO_SEND_IV;
+		state |= NO_RECV_IV;
+		if (encrypt_debug_mode)
+			printf("Creating new feed\r\n");
+		/*
+		 * Create a random feed and send it over.
+		 */
+		des_new_random_key((Block *)fbp->temp_feed);
+		des_ecb_encrypt((Block *)fbp->temp_feed, (Block *)fbp->temp_feed,
+				fbp->krbdes_sched, 1);
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_IS;
+		p++;
+		*p++ = FB64_IV;
+		for (x = 0; x < sizeof(Block); ++x) {
+			if ((*p++ = fbp->temp_feed[x]) == IAC)
+				*p++ = IAC;
+		}
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+		break;
+	default:
+		return(FAILED);
+	}
+	return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+	int
+cfb64_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_is(data, cnt, &fb[CFB]));
+}
+	int
+ofb64_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+	int
+fb64_is(data, cnt, fbp)
+	unsigned char *data;
+	int cnt;
+	struct fb *fbp;
+{
+	unsigned char *p;
+	register int state = fbp->state[DIR_DECRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV:
+		if (cnt != sizeof(Block)) {
+			if (encrypt_debug_mode)
+				printf("CFB64: initial vector failed on size\r\n");
+			state = FAILED;
+			goto failure;
+		}
+
+		if (encrypt_debug_mode)
+			printf("CFB64: initial vector received\r\n");
+
+		if (encrypt_debug_mode)
+			printf("Initializing Decrypt stream\r\n");
+
+		fb64_stream_iv((void *)data, &fbp->streams[DIR_DECRYPT-1]);
+
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_OK;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", *(data-1));
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		/*
+		 * We failed.  Send an FB64_IV_BAD option
+		 * to the other side so it will know that
+		 * things failed.
+		 */
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_BAD;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		break;
+	}
+	return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+	int
+cfb64_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_reply(data, cnt, &fb[CFB]));
+}
+	int
+ofb64_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+	int
+fb64_reply(data, cnt, fbp)
+	unsigned char *data;
+	int cnt;
+	struct fb *fbp;
+{
+	register int state = fbp->state[DIR_ENCRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV_OK:
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		state &= ~NO_RECV_IV;
+		encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+		break;
+
+	case FB64_IV_BAD:
+		memset(fbp->temp_feed, 0, sizeof(Block));
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		state = FAILED;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", data[-1]);
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		state = FAILED;
+		break;
+	}
+	return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+	void
+cfb64_session(key, server)
+	Session_Key *key;
+	int server;
+{
+	fb64_session(key, server, &fb[CFB]);
+}
+
+	void
+ofb64_session(key, server)
+	Session_Key *key;
+	int server;
+{
+	fb64_session(key, server, &fb[OFB]);
+}
+
+	static void
+fb64_session(key, server, fbp)
+	Session_Key *key;
+	int server;
+	struct fb *fbp;
+{
+
+	if (!key || key->type != SK_DES) {
+		if (encrypt_debug_mode)
+			printf("Can't set krbdes's session key (%d != %d)\r\n",
+				key ? key->type : -1, SK_DES);
+		return;
+	}
+	memmove((void *)fbp->krbdes_key, (void *)key->data, sizeof(Block));
+
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+	if (fbp->once == 0) {
+		des_set_random_generator_seed((Block *)fbp->krbdes_key);
+		fbp->once = 1;
+	}
+	des_key_sched((Block *)fbp->krbdes_key, fbp->krbdes_sched);
+	/*
+	 * Now look to see if krbdes_start() was was waiting for
+	 * the key to show up.  If so, go ahead an call it now
+	 * that we have the key.
+	 */
+	if (fbp->need_start) {
+		fbp->need_start = 0;
+		fb64_start(fbp, DIR_ENCRYPT, server);
+	}
+}
+
+/*
+ * We only accept a keyid of 0.  If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+	int
+cfb64_keyid(dir, kp, lenp)
+	int dir, *lenp;
+	unsigned char *kp;
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+	int
+ofb64_keyid(dir, kp, lenp)
+	int dir, *lenp;
+	unsigned char *kp;
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+	int
+fb64_keyid(dir, kp, lenp, fbp)
+	int dir, *lenp;
+	unsigned char *kp;
+	struct fb *fbp;
+{
+	register int state = fbp->state[dir-1];
+
+	if (*lenp != 1 || (*kp != '\0')) {
+		*lenp = 0;
+		return(state);
+	}
+
+	if (state == FAILED)
+		state = IN_PROGRESS;
+
+	state &= ~NO_KEYID;
+
+	return(fbp->state[dir-1] = state);
+}
+
+	void
+fb64_printsub(data, cnt, buf, buflen, type)
+	unsigned char *data, *buf, *type;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+	char *cp;
+
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
+	buflen -= 1;
+
+	switch(data[2]) {
+	case FB64_IV:
+		sprintf(lbuf, "%s_IV", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_OK:
+		sprintf(lbuf, "%s_IV_OK", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_BAD:
+		sprintf(lbuf, "%s_IV_BAD", type);
+		cp = lbuf;
+		goto common;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[2]);
+		cp = lbuf;
+	common:
+		for (; (buflen > 0) && (*buf = *cp++); buf++)
+			buflen--;
+		for (i = 3; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+				buflen--;
+		}
+		break;
+	}
+}
+
+	void
+cfb64_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+	void
+ofb64_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+	void
+fb64_stream_iv(seed, stp)
+	Block seed;
+	register struct stinfo *stp;
+{
+
+	memmove((void *)stp->str_iv, (void *)seed, sizeof(Block));
+	memmove((void *)stp->str_output, (void *)seed, sizeof(Block));
+
+	des_key_sched((Block *)stp->str_ikey, stp->str_sched);
+
+	stp->str_index = sizeof(Block);
+}
+
+	void
+fb64_stream_key(key, stp)
+	Block key;
+	register struct stinfo *stp;
+{
+	memmove((void *)stp->str_ikey, (void *)key, sizeof(Block));
+	des_key_sched((Block *)key, stp->str_sched);
+
+	memmove((void *)stp->str_output, (void *)stp->str_iv, sizeof(Block));
+
+	stp->str_index = sizeof(Block);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ *     key --->+-----+
+ *          +->| DES |--+
+ *          |  +-----+  |
+ *	    |           v
+ *  INPUT --(--------->(+)+---> DATA
+ *          |             |
+ *	    +-------------+
+ *
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	On = Dn ^ Vn
+ *	V(n+1) = DES(On, key)
+ */
+
+	void
+cfb64_encrypt(s, c)
+	register unsigned char *s;
+	int c;
+{
+	register struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+	register int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(Block)) {
+			Block b;
+			des_ecb_encrypt((Block *)stp->str_output, (Block *)b, stp->str_sched, 1);
+			memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+			index = 0;
+		}
+
+		/* On encryption, we store (feed ^ data) which is cypher */
+		*s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+		s++;
+		index++;
+	}
+	stp->str_index = index;
+}
+
+	int
+cfb64_decrypt(data)
+	int data;
+{
+	register struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(Block)) {
+		Block b;
+		des_ecb_encrypt((Block *)stp->str_output, (Block *)b, stp->str_sched, 1);
+		memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */
+	}
+
+	/* On decryption we store (data) which is cypher. */
+	stp->str_output[index] = data;
+	return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ *	+->| DES |--+
+ *	|  +-----+  |
+ *	+-----------+
+ *	            v
+ *  INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	V(n+1) = DES(Vn, key)
+ *	On = Dn ^ Vn
+ */
+	void
+ofb64_encrypt(s, c)
+	register unsigned char *s;
+	int c;
+{
+	register struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+	register int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(Block)) {
+			Block b;
+			des_ecb_encrypt((Block *)stp->str_feed, (Block *)b, stp->str_sched, 1);
+			memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+			index = 0;
+		}
+		*s++ ^= stp->str_feed[index];
+		index++;
+	}
+	stp->str_index = index;
+}
+
+	int
+ofb64_decrypt(data)
+	int data;
+{
+	register struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(Block)) {
+		Block b;
+		des_ecb_encrypt((Block *)stp->str_feed, (Block *)b, stp->str_sched, 1);
+		memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */
+	}
+
+	return(data ^ stp->str_feed[index]);
+}
+#  endif /* DES_ENCRYPTION */
+# endif	/* AUTHENTICATION */
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/encrypt.c b/crypto/telnet/libtelnet/encrypt.c
new file mode 100644
index 0000000..bb3a43c
--- /dev/null
+++ b/crypto/telnet/libtelnet/encrypt.c
@@ -0,0 +1,1028 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)encrypt.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	ENCRYPTION
+
+#define	ENCRYPT_NAMES
+#include <stdio.h>
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void	(*encrypt_output) P((unsigned char *, int));
+int	(*decrypt_input) P((int));
+
+int EncryptType(char *type, char *mode);
+int EncryptStart(char *mode);
+int EncryptStop(char *mode);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+
+int Ambiguous(char **s);
+int isprefix(char *s1, char *s2);
+char **genget(char *name, char **table, int stlen);
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static char *Name = "Noname";
+
+#define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = 0
+#ifdef DES_ENCRYPTION
+ | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
+#endif
+ |0;
+static long i_support_decrypt = 0
+#ifdef DES_ENCRYPTION
+ | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
+#endif
+ |0;
+
+static long i_wont_support_encrypt = 0;
+static long i_wont_support_decrypt = 0;
+#define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
+#define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
+
+static long remote_supports_encrypt = 0;
+static long remote_supports_decrypt = 0;
+
+static Encryptions encryptions[] = {
+#ifdef	DES_ENCRYPTION
+    { "DES_CFB64",	ENCTYPE_DES_CFB64,
+			cfb64_encrypt,
+			cfb64_decrypt,
+			cfb64_init,
+			cfb64_start,
+			cfb64_is,
+			cfb64_reply,
+			cfb64_session,
+			cfb64_keyid,
+			cfb64_printsub },
+    { "DES_OFB64",	ENCTYPE_DES_OFB64,
+			ofb64_encrypt,
+			ofb64_decrypt,
+			ofb64_init,
+			ofb64_start,
+			ofb64_is,
+			ofb64_reply,
+			ofb64_session,
+			ofb64_keyid,
+			ofb64_printsub },
+#endif	/* DES_ENCRYPTION */
+    { 0, },
+};
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+					 ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+	Encryptions *
+findencryption(type)
+	int type;
+{
+	Encryptions *ep = encryptions;
+
+	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+		return(0);
+	while (ep->type && ep->type != type)
+		++ep;
+	return(ep->type ? ep : 0);
+}
+
+	Encryptions *
+finddecryption(type)
+	int type;
+{
+	Encryptions *ep = encryptions;
+
+	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+		return(0);
+	while (ep->type && ep->type != type)
+		++ep;
+	return(ep->type ? ep : 0);
+}
+
+#define	MAXKEYLEN 64
+
+static struct key_info {
+	unsigned char keyid[MAXKEYLEN];
+	int keylen;
+	int dir;
+	int *modep;
+	Encryptions *(*getcrypt)();
+} ki[2] = {
+	{ { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+	{ { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
+
+	void
+encrypt_init(name, server)
+	char *name;
+	int server;
+{
+	Encryptions *ep = encryptions;
+
+	Name = name;
+	Server = server;
+	i_support_encrypt = i_support_decrypt = 0;
+	remote_supports_encrypt = remote_supports_decrypt = 0;
+	encrypt_mode = 0;
+	decrypt_mode = 0;
+	encrypt_output = 0;
+	decrypt_input = 0;
+#ifdef notdef
+	encrypt_verbose = !server;
+#endif
+
+	str_suplen = 4;
+
+	while (ep->type) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: I will support %s\r\n",
+				Name, ENCTYPE_NAME(ep->type));
+		i_support_encrypt |= typemask(ep->type);
+		i_support_decrypt |= typemask(ep->type);
+		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+			if ((str_send[str_suplen++] = ep->type) == IAC)
+				str_send[str_suplen++] = IAC;
+		if (ep->init)
+			(*ep->init)(Server);
+		++ep;
+	}
+	str_send[str_suplen++] = IAC;
+	str_send[str_suplen++] = SE;
+}
+
+	void
+encrypt_list_types()
+{
+	Encryptions *ep = encryptions;
+
+	printf("Valid encryption types:\n");
+	while (ep->type) {
+		printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+		++ep;
+	}
+}
+
+	int
+EncryptEnable(type, mode)
+	char *type, *mode;
+{
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt enable <type> [input|output]\n");
+		encrypt_list_types();
+		return(0);
+	}
+	if (EncryptType(type, mode))
+		return(EncryptStart(mode));
+	return(0);
+}
+
+	int
+EncryptDisable(type, mode)
+	char *type, *mode;
+{
+	register Encryptions *ep;
+	int ret = 0;
+
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt disable <type> [input|output]\n");
+		encrypt_list_types();
+	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
+						sizeof(Encryptions))) == 0) {
+		printf("%s: invalid encryption type\n", type);
+	} else if (Ambiguous((char **)ep)) {
+		printf("Ambiguous type '%s'\n", type);
+	} else {
+		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+			if (decrypt_mode == ep->type)
+				EncryptStopInput();
+			i_wont_support_decrypt |= typemask(ep->type);
+			ret = 1;
+		}
+		if ((mode == 0) || (isprefix(mode, "output"))) {
+			if (encrypt_mode == ep->type)
+				EncryptStopOutput();
+			i_wont_support_encrypt |= typemask(ep->type);
+			ret = 1;
+		}
+		if (ret == 0)
+			printf("%s: invalid encryption mode\n", mode);
+	}
+	return(ret);
+}
+
+	int
+EncryptType(type, mode)
+	char *type;
+	char *mode;
+{
+	register Encryptions *ep;
+	int ret = 0;
+
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt type <type> [input|output]\n");
+		encrypt_list_types();
+	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
+						sizeof(Encryptions))) == 0) {
+		printf("%s: invalid encryption type\n", type);
+	} else if (Ambiguous((char **)ep)) {
+		printf("Ambiguous type '%s'\n", type);
+	} else {
+		if ((mode == 0) || isprefix(mode, "input")) {
+			decrypt_mode = ep->type;
+			i_wont_support_decrypt &= ~typemask(ep->type);
+			ret = 1;
+		}
+		if ((mode == 0) || isprefix(mode, "output")) {
+			encrypt_mode = ep->type;
+			i_wont_support_encrypt &= ~typemask(ep->type);
+			ret = 1;
+		}
+		if (ret == 0)
+			printf("%s: invalid encryption mode\n", mode);
+	}
+	return(ret);
+}
+
+	int
+EncryptStart(mode)
+	char *mode;
+{
+	register int ret = 0;
+	if (mode) {
+		if (isprefix(mode, "input"))
+			return(EncryptStartInput());
+		if (isprefix(mode, "output"))
+			return(EncryptStartOutput());
+		if (isprefix(mode, "help") || isprefix(mode, "?")) {
+			printf("Usage: encrypt start [input|output]\n");
+			return(0);
+		}
+		printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+		return(0);
+	}
+	ret += EncryptStartInput();
+	ret += EncryptStartOutput();
+	return(ret);
+}
+
+	int
+EncryptStartInput()
+{
+	if (decrypt_mode) {
+		encrypt_send_request_start();
+		return(1);
+	}
+	printf("No previous decryption mode, decryption not enabled\r\n");
+	return(0);
+}
+
+	int
+EncryptStartOutput()
+{
+	if (encrypt_mode) {
+		encrypt_start_output(encrypt_mode);
+		return(1);
+	}
+	printf("No previous encryption mode, encryption not enabled\r\n");
+	return(0);
+}
+
+	int
+EncryptStop(mode)
+	char *mode;
+{
+	int ret = 0;
+	if (mode) {
+		if (isprefix(mode, "input"))
+			return(EncryptStopInput());
+		if (isprefix(mode, "output"))
+			return(EncryptStopOutput());
+		if (isprefix(mode, "help") || isprefix(mode, "?")) {
+			printf("Usage: encrypt stop [input|output]\n");
+			return(0);
+		}
+		printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+		return(0);
+	}
+	ret += EncryptStopInput();
+	ret += EncryptStopOutput();
+	return(ret);
+}
+
+	int
+EncryptStopInput()
+{
+	encrypt_send_request_end();
+	return(1);
+}
+
+	int
+EncryptStopOutput()
+{
+	encrypt_send_end();
+	return(1);
+}
+
+	void
+encrypt_display()
+{
+	if (encrypt_output)
+		printf("Currently encrypting output with %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	if (decrypt_input)
+		printf("Currently decrypting input with %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+}
+
+	int
+EncryptStatus()
+{
+	if (encrypt_output)
+		printf("Currently encrypting output with %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	else if (encrypt_mode) {
+		printf("Currently output is clear text.\r\n");
+		printf("Last encryption mode was %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	}
+	if (decrypt_input) {
+		printf("Currently decrypting input with %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+	} else if (decrypt_mode) {
+		printf("Currently input is clear text.\r\n");
+		printf("Last decryption mode was %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+	}
+	return 1;
+}
+
+	void
+encrypt_send_support()
+{
+	if (str_suplen) {
+		/*
+		 * If the user has requested that decryption start
+		 * immediatly, then send a "REQUEST START" before
+		 * we negotiate the type.
+		 */
+		if (!Server && autodecrypt)
+			encrypt_send_request_start();
+		net_write(str_send, str_suplen);
+		printsub('>', &str_send[2], str_suplen - 2);
+		str_suplen = 0;
+	}
+}
+
+	int
+EncryptDebug(on)
+	int on;
+{
+	if (on < 0)
+		encrypt_debug_mode ^= 1;
+	else
+		encrypt_debug_mode = on;
+	printf("Encryption debugging %s\r\n",
+		encrypt_debug_mode ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+EncryptVerbose(on)
+	int on;
+{
+	if (on < 0)
+		encrypt_verbose ^= 1;
+	else
+		encrypt_verbose = on;
+	printf("Encryption %s verbose\r\n",
+		encrypt_verbose ? "is" : "is not");
+	return(1);
+}
+
+	int
+EncryptAutoEnc(on)
+	int on;
+{
+	encrypt_auto(on);
+	printf("Automatic encryption of output is %s\r\n",
+		autoencrypt ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+EncryptAutoDec(on)
+	int on;
+{
+	decrypt_auto(on);
+	printf("Automatic decryption of input is %s\r\n",
+		autodecrypt ? "enabled" : "disabled");
+	return(1);
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+	void
+encrypt_support(typelist, cnt)
+	unsigned char *typelist;
+	int cnt;
+{
+	register int type, use_type = 0;
+	Encryptions *ep;
+
+	/*
+	 * Forget anything the other side has previously told us.
+	 */
+	remote_supports_decrypt = 0;
+
+	while (cnt-- > 0) {
+		type = *typelist++;
+		if (encrypt_debug_mode)
+			printf(">>>%s: He is supporting %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME(type), type);
+		if ((type < ENCTYPE_CNT) &&
+		    (I_SUPPORT_ENCRYPT & typemask(type))) {
+			remote_supports_decrypt |= typemask(type);
+			if (use_type == 0)
+				use_type = type;
+		}
+	}
+	if (use_type) {
+		ep = findencryption(use_type);
+		if (!ep)
+			return;
+		type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+		if (encrypt_debug_mode)
+			printf(">>>%s: (*ep->start)() returned %d\r\n",
+					Name, type);
+		if (type < 0)
+			return;
+		encrypt_mode = use_type;
+		if (type == 0)
+			encrypt_start_output(use_type);
+	}
+}
+
+	void
+encrypt_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+	register int type, ret;
+
+	if (--cnt < 0)
+		return;
+	type = *data++;
+	if (type < ENCTYPE_CNT)
+		remote_supports_encrypt |= typemask(type);
+	if (!(ep = finddecryption(type))) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		return;
+	}
+	if (!ep->is) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		ret = 0;
+	} else {
+		ret = (*ep->is)(data, cnt);
+		if (encrypt_debug_mode)
+			printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+				(ret < 0) ? "FAIL " :
+				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+	}
+	if (ret < 0) {
+		autodecrypt = 0;
+	} else {
+		decrypt_mode = type;
+		if (ret == 0 && autodecrypt)
+			encrypt_send_request_start();
+	}
+}
+
+	void
+encrypt_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+	register int ret, type;
+
+	if (--cnt < 0)
+		return;
+	type = *data++;
+	if (!(ep = findencryption(type))) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		return;
+	}
+	if (!ep->reply) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		ret = 0;
+	} else {
+		ret = (*ep->reply)(data, cnt);
+		if (encrypt_debug_mode)
+			printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+				data, cnt,
+				(ret < 0) ? "FAIL " :
+				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+	}
+	if (encrypt_debug_mode)
+		printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+	if (ret < 0) {
+		autoencrypt = 0;
+	} else {
+		encrypt_mode = type;
+		if (ret == 0 && autoencrypt)
+			encrypt_start_output(type);
+	}
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+	void
+encrypt_start(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+
+	if (!decrypt_mode) {
+		/*
+		 * Something is wrong.  We should not get a START
+		 * command without having already picked our
+		 * decryption scheme.  Send a REQUEST-END to
+		 * attempt to clear the channel...
+		 */
+		printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+		encrypt_send_request_end();
+		return;
+	}
+
+	if ((ep = finddecryption(decrypt_mode))) {
+		decrypt_input = ep->input;
+		if (encrypt_verbose)
+			printf("[ Input is now decrypted with type %s ]\r\n",
+				ENCTYPE_NAME(decrypt_mode));
+		if (encrypt_debug_mode)
+			printf(">>>%s: Start to decrypt input with type %s\r\n",
+				Name, ENCTYPE_NAME(decrypt_mode));
+	} else {
+		printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+				Name,
+				ENCTYPE_NAME_OK(decrypt_mode)
+					? ENCTYPE_NAME(decrypt_mode)
+					: "(unknown)",
+				decrypt_mode);
+		encrypt_send_request_end();
+	}
+}
+
+	void
+encrypt_session_key(key, server)
+	Session_Key *key;
+	int server;
+{
+	Encryptions *ep = encryptions;
+
+	havesessionkey = 1;
+
+	while (ep->type) {
+		if (ep->session)
+			(*ep->session)(key, server);
+#ifdef notdef
+		if (!encrypt_output && autoencrypt && !server)
+			encrypt_start_output(ep->type);
+		if (!decrypt_input && autodecrypt && !server)
+			encrypt_send_request_start();
+#endif
+		++ep;
+	}
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+	void
+encrypt_end()
+{
+	decrypt_input = 0;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Input is back to clear text\r\n", Name);
+	if (encrypt_verbose)
+		printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+	void
+encrypt_request_end()
+{
+	encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received.  If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can.
+ */
+	void
+encrypt_request_start(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	if (encrypt_mode == 0)  {
+		if (Server)
+			autoencrypt = 1;
+		return;
+	}
+	encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+	void
+encrypt_enc_keyid(keyid, len)
+	unsigned char *keyid;
+	int len;
+{
+	encrypt_keyid(&ki[1], keyid, len);
+}
+
+	void
+encrypt_dec_keyid(keyid, len)
+	unsigned char *keyid;
+	int len;
+{
+	encrypt_keyid(&ki[0], keyid, len);
+}
+
+	void
+encrypt_keyid(kp, keyid, len)
+	struct key_info *kp;
+	unsigned char *keyid;
+	int len;
+{
+	Encryptions *ep;
+	int dir = kp->dir;
+	register int ret = 0;
+
+	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+		if (len == 0)
+			return;
+		kp->keylen = 0;
+	} else if (len == 0) {
+		/*
+		 * Empty option, indicates a failure.
+		 */
+		if (kp->keylen == 0)
+			return;
+		kp->keylen = 0;
+		if (ep->keyid)
+			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+	} else if ((len != kp->keylen) ||
+		   (memcmp(keyid, kp->keyid, len) != 0)) {
+		/*
+		 * Length or contents are different
+		 */
+		kp->keylen = len;
+		memmove(kp->keyid, keyid, len);
+		if (ep->keyid)
+			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+	} else {
+		if (ep->keyid)
+			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+		if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+			encrypt_start_output(*kp->modep);
+		return;
+	}
+
+	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+	void
+encrypt_send_keyid(dir, keyid, keylen, saveit)
+	int dir;
+	unsigned char *keyid;
+	int keylen;
+	int saveit;
+{
+	unsigned char *strp;
+
+	str_keyid[3] = (dir == DIR_ENCRYPT)
+			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+	if (saveit) {
+		struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+		memmove(kp->keyid, keyid, keylen);
+		kp->keylen = keylen;
+	}
+
+	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+		if ((*strp++ = *keyid++) == IAC)
+			*strp++ = IAC;
+	}
+	*strp++ = IAC;
+	*strp++ = SE;
+	net_write(str_keyid, strp - str_keyid);
+	printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+	void
+encrypt_auto(on)
+	int on;
+{
+	if (on < 0)
+		autoencrypt ^= 1;
+	else
+		autoencrypt = on ? 1 : 0;
+}
+
+	void
+decrypt_auto(on)
+	int on;
+{
+	if (on < 0)
+		autodecrypt ^= 1;
+	else
+		autodecrypt = on ? 1 : 0;
+}
+
+	void
+encrypt_start_output(type)
+	int type;
+{
+	Encryptions *ep;
+	register unsigned char *p;
+	register int i;
+
+	if (!(ep = findencryption(type))) {
+		if (encrypt_debug_mode) {
+			printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		}
+		return;
+	}
+	if (ep->start) {
+		i = (*ep->start)(DIR_ENCRYPT, Server);
+		if (encrypt_debug_mode) {
+			printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+				Name,
+				(i < 0) ? "failed" :
+					"initial negotiation in progress",
+				i, ENCTYPE_NAME(type));
+		}
+		if (i)
+			return;
+	}
+	p = str_start + 3;
+	*p++ = ENCRYPT_START;
+	for (i = 0; i < ki[0].keylen; ++i) {
+		if ((*p++ = ki[0].keyid[i]) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	net_write(str_start, p - str_start);
+	net_encrypt();
+	printsub('>', &str_start[2], p - &str_start[2]);
+	/*
+	 * If we are already encrypting in some mode, then
+	 * encrypt the ring (which includes our request) in
+	 * the old mode, mark it all as "clear text" and then
+	 * switch to the new mode.
+	 */
+	encrypt_output = ep->output;
+	encrypt_mode = type;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Started to encrypt output with type %s\r\n",
+			Name, ENCTYPE_NAME(type));
+	if (encrypt_verbose)
+		printf("[ Output is now encrypted with type %s ]\r\n",
+			ENCTYPE_NAME(type));
+}
+
+	void
+encrypt_send_end()
+{
+	if (!encrypt_output)
+		return;
+
+	str_end[3] = ENCRYPT_END;
+	net_write(str_end, sizeof(str_end));
+	net_encrypt();
+	printsub('>', &str_end[2], sizeof(str_end) - 2);
+	/*
+	 * Encrypt the output buffer now because it will not be done by
+	 * netflush...
+	 */
+	encrypt_output = 0;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Output is back to clear text\r\n", Name);
+	if (encrypt_verbose)
+		printf("[ Output is now clear text ]\r\n");
+}
+
+	void
+encrypt_send_request_start()
+{
+	register unsigned char *p;
+	register int i;
+
+	p = &str_start[3];
+	*p++ = ENCRYPT_REQSTART;
+	for (i = 0; i < ki[1].keylen; ++i) {
+		if ((*p++ = ki[1].keyid[i]) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	net_write(str_start, p - str_start);
+	printsub('>', &str_start[2], p - &str_start[2]);
+	if (encrypt_debug_mode)
+		printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+	void
+encrypt_send_request_end()
+{
+	str_end[3] = ENCRYPT_REQEND;
+	net_write(str_end, sizeof(str_end));
+	printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+	if (encrypt_debug_mode)
+		printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+	void
+encrypt_wait()
+{
+	if (encrypt_debug_mode)
+		printf(">>>%s: in encrypt_wait\r\n", Name);
+	if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+		return;
+	while (autoencrypt && !encrypt_output)
+		if (telnet_spin())
+			return;
+}
+
+	void
+encrypt_debug(mode)
+	int mode;
+{
+	encrypt_debug_mode = mode;
+}
+
+	void
+encrypt_gen_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char tbuf[16], *cp;
+
+	cnt -= 2;
+	data += 2;
+	buf[buflen-1] = '\0';
+	buf[buflen-2] = '*';
+	buflen -= 2;;
+	for (; cnt > 0; cnt--, data++) {
+		sprintf(tbuf, " %d", *data);
+		for (cp = tbuf; *cp && buflen > 0; --buflen)
+			*buf++ = *cp++;
+		if (buflen <= 0)
+			return;
+	}
+	*buf = '\0';
+}
+
+	void
+encrypt_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	Encryptions *ep;
+	register int type = data[1];
+
+	for (ep = encryptions; ep->type && ep->type != type; ep++)
+		;
+
+	if (ep->printsub)
+		(*ep->printsub)(data, cnt, buf, buflen);
+	else
+		encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/encrypt.h b/crypto/telnet/libtelnet/encrypt.h
new file mode 100644
index 0000000..869ad75
--- /dev/null
+++ b/crypto/telnet/libtelnet/encrypt.h
@@ -0,0 +1,114 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)encrypt.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	ENCRYPTION
+# ifndef __ENCRYPTION__
+# define __ENCRYPTION__
+
+#define	DIR_DECRYPT		1
+#define	DIR_ENCRYPT		2
+
+#include <openssl/des.h>
+typedef	unsigned char Block[8];
+typedef unsigned char *BlockT;
+#if 0
+typedef struct { Block __; } Schedule[16];
+#else
+#define Schedule des_key_schedule
+#endif
+
+#define	VALIDKEY(key)	( key[0] | key[1] | key[2] | key[3] | \
+			  key[4] | key[5] | key[6] | key[7])
+
+#define	SAMEKEY(k1, k2)	(!bcmp((void *)k1, (void *)k2, sizeof(Block)))
+
+typedef	struct {
+	short		type;
+	int		length;
+	unsigned char	*data;
+} Session_Key;
+
+# if !defined(P)
+#  ifdef __STDC__
+#   define P(x)	x
+#  else
+#   define P(x)	()
+#  endif
+# endif
+
+typedef struct {
+	char	*name;
+	int	type;
+	void	(*output) P((unsigned char *, int));
+	int	(*input) P((int));
+	void	(*init) P((int));
+	int	(*start) P((int, int));
+	int	(*is) P((unsigned char *, int));
+	int	(*reply) P((unsigned char *, int));
+	void	(*session) P((Session_Key *, int));
+	int	(*keyid) P((int, unsigned char *, int *));
+	void	(*printsub) P((unsigned char *, int, unsigned char *, int));
+} Encryptions;
+
+#define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) P((int));
+extern void (*encrypt_output) P((unsigned char *, int));
+# endif /* __ENCRYPTION__ */
+#endif /* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/genget.c b/crypto/telnet/libtelnet/genget.c
new file mode 100644
index 0000000..9f56ab0
--- /dev/null
+++ b/crypto/telnet/libtelnet/genget.c
@@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)genget.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+
+#include <ctype.h>
+
+#define	LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+	int
+isprefix(s1, s2)
+	register char *s1, *s2;
+{
+	char *os1;
+	register char c1, c2;
+
+	if (*s1 == '\0')
+		return(-1);
+	os1 = s1;
+	c1 = *s1;
+	c2 = *s2;
+	while (LOWER(c1) == LOWER(c2)) {
+		if (c1 == '\0')
+			break;
+		c1 = *++s1;
+		c2 = *++s2;
+	}
+	return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+}
+
+static char *ambiguous;		/* special return value for command routines */
+
+	char **
+genget(name, table, stlen)
+	char	*name;		/* name to match */
+	char	**table;	/* name entry in table */
+	int	stlen;
+{
+	register char **c, **found;
+	register int n;
+
+	if (name == 0)
+	    return 0;
+
+	found = 0;
+	for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+		if ((n = isprefix(name, *c)) == 0)
+			continue;
+		if (n < 0)		/* exact match */
+			return(c);
+		if (found)
+			return(&ambiguous);
+		found = c;
+	}
+	return(found);
+}
+
+/*
+ * Function call version of Ambiguous()
+ */
+	int
+Ambiguous(s)
+	char **s;
+{
+	return(s == &ambiguous);
+}
diff --git a/crypto/telnet/libtelnet/getent.c b/crypto/telnet/libtelnet/getent.c
new file mode 100644
index 0000000..7d43a8e
--- /dev/null
+++ b/crypto/telnet/libtelnet/getent.c
@@ -0,0 +1,73 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)getent.c	8.2 (Berkeley) 12/15/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+static char *area;
+
+/*ARGSUSED*/
+getent(cp, name)
+char *cp, *name;
+{
+#ifdef	HAS_CGETENT
+	char *dba[2];
+
+	dba[0] = "/etc/gettytab";
+	dba[1] = 0;
+	return((cgetent(&area, dba, name) == 0) ? 1 : 0);
+#else
+	return(0);
+#endif
+}
+
+#ifndef	SOLARIS
+/*ARGSUSED*/
+char *
+Getstr(id, cpp)
+char *id, **cpp;
+{
+# ifdef	HAS_CGETENT
+	char *answer;
+	return((cgetstr(area, id, &answer) > 0) ? answer : 0);
+# else
+	return(0);
+# endif
+}
+#endif
diff --git a/crypto/telnet/libtelnet/kerberos.c b/crypto/telnet/libtelnet/kerberos.c
new file mode 100644
index 0000000..3b6155e
--- /dev/null
+++ b/crypto/telnet/libtelnet/kerberos.c
@@ -0,0 +1,552 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)kerberos.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	KRB4
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <openssl/des.h>	/* BSD wont include this in krb.h, so we do it here */
+#include <krb.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum P((unsigned char *, int));
+int kuserok P((AUTH_DAT *, char *));
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V4, };
+
+#define	KRB_AUTH	0		/* Authentication data follows */
+#define	KRB_REJECT	1		/* Rejected (reason might follow) */
+#define	KRB_ACCEPT	2		/* Accepted */
+#define	KRB_CHALLENGE	3		/* Challenge for mutual auth. */
+#define	KRB_RESPONSE	4		/* Response for mutual auth. */
+
+#define KRB_SERVICE_NAME   "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+static des_key_schedule sched;
+static Block	challenge	= { 0 };
+#endif	/* ENCRYPTION */
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (auth_debug_mode) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+kerberos4_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	FILE *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		if ((fp = fopen(KEYFILE, "r")) == NULL)
+			return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+	int
+kerberos4_send(ap)
+	Authenticator *ap;
+{
+	KTEXT_ST auth;
+	char instance[INST_SZ];
+	char *realm;
+	char *krb_realmofhost();
+	char *krb_get_phost();
+	CREDENTIALS cred;
+	int r;
+
+	printf("[ Trying KERBEROS4 ... ]\n");
+	if (!UserNameRequested) {
+		if (auth_debug_mode) {
+			printf("Kerberos V4: no user name supplied\r\n");
+		}
+		return(0);
+	}
+
+	memset(instance, 0, sizeof(instance));
+
+	if ((realm = krb_get_phost(RemoteHostName)))
+		strncpy(instance, realm, sizeof(instance));
+
+	instance[sizeof(instance)-1] = '\0';
+
+	realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+	if (!realm) {
+		printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+		return(0);
+	}
+	if ((r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L))) {
+		printf("mk_req failed: %s\r\n", krb_err_txt[r]);
+		return(0);
+	}
+	if ((r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred))) {
+		printf("get_cred failed: %s\r\n", krb_err_txt[r]);
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		if (auth_debug_mode)
+			printf("Not enough room for user name\r\n");
+		return(0);
+	}
+	if (auth_debug_mode)
+		printf("Sent %d bytes of authentication data\r\n", auth.length);
+	if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+#ifdef	ENCRYPTION
+	/*
+	 * If we are doing mutual authentication, get set up to send
+	 * the challenge, and verify it when the response comes back.
+	 */
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		register int i;
+
+		des_key_sched(&cred.session, sched);
+		des_init_random_number_generator(&cred.session);
+		des_new_random_key(&session_key);
+		des_ecb_encrypt(&session_key, &session_key, sched, 0);
+		des_ecb_encrypt(&session_key, &challenge, sched, 0);
+		/*
+		 * Increment the challenge by 1, and encrypt it for
+		 * later comparison.
+		 */
+		for (i = 7; i >= 0; --i) {
+			register int x;
+			x = (unsigned int)challenge[i] + 1;
+			challenge[i] = x;	/* ignore overflow */
+			if (x < 256)		/* if no overflow, all done */
+				break;
+		}
+		des_ecb_encrypt(&challenge, &challenge, sched, 1);
+	}
+#endif	/* ENCRYPTION */
+
+	if (auth_debug_mode) {
+		printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+		printd(auth.dat, auth.length);
+		printf("\r\n");
+		printf("Sent Kerberos V4 credentials to server\r\n");
+	}
+	return(1);
+}
+
+	void
+kerberos4_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+#ifdef	ENCRYPTION
+	Session_Key skey;
+	Block datablock;
+#endif	/* ENCRYPTION */
+	char realm[REALM_SZ];
+	char instance[INST_SZ];
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_AUTH:
+		if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+			Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			if (auth_debug_mode)
+				printf("No local realm\r\n");
+			return;
+		}
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+		if (auth_debug_mode) {
+			printf("Got %d bytes of authentication data\r\n", cnt);
+			printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+			printd(auth.dat, auth.length);
+			printf("\r\n");
+		}
+		instance[0] = '*'; instance[1] = 0;
+		if ((r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+				   instance, 0, &adat, ""))) {
+			if (auth_debug_mode)
+				printf("Kerberos failed him as %s\r\n", name);
+			Data(ap, KRB_REJECT, (void *)krb_err_txt[r], -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+#ifdef	ENCRYPTION
+		memmove((void *)session_key, (void *)adat.session, sizeof(Block));
+#endif	/* ENCRYPTION */
+		krb_kntoln(&adat, name);
+
+		if (UserNameRequested && !kuserok(&adat, UserNameRequested))
+			Data(ap, KRB_ACCEPT, (void *)0, 0);
+		else
+			Data(ap, KRB_REJECT,
+				(void *)"user is not authorized", -1);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB_CHALLENGE:
+#ifndef	ENCRYPTION
+		Data(ap, KRB_RESPONSE, (void *)0, 0);
+#else	/* ENCRYPTION */
+		if (!VALIDKEY(session_key)) {
+			/*
+			 * We don't have a valid session key, so just
+			 * send back a response with an empty session
+			 * key.
+			 */
+			Data(ap, KRB_RESPONSE, (void *)0, 0);
+			break;
+		}
+
+		/*
+		 * Initialize the random number generator since it's
+		 * used later on by the encryption routine.
+		 */
+		des_init_random_number_generator(&session_key);
+		des_key_sched(&session_key, sched);
+		memmove((void *)datablock, (void *)data, sizeof(Block));
+		/*
+		 * Take the received encrypted challenge, and encrypt
+		 * it again to get a unique session_key for the
+		 * ENCRYPT option.
+		 */
+		des_ecb_encrypt(&datablock, &session_key, sched, 1);
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = session_key;
+		encrypt_session_key(&skey, 1);
+		/*
+		 * Now decrypt the received encrypted challenge,
+		 * increment by one, re-encrypt it and send it back.
+		 */
+		des_ecb_encrypt(&datablock, &challenge, sched, 0);
+		for (r = 7; r >= 0; r--) {
+			register int t;
+			t = (unsigned int)challenge[r] + 1;
+			challenge[r] = t;	/* ignore overflow */
+			if (t < 256)		/* if no overflow, all done */
+				break;
+		}
+		des_ecb_encrypt(&challenge, &challenge, sched, 1);
+		Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+#endif	/* ENCRYPTION */
+		break;
+
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		Data(ap, KRB_REJECT, 0, 0);
+		break;
+	}
+}
+
+	void
+kerberos4_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+#ifdef	ENCRYPTION
+	Session_Key skey;
+#endif	/* ENCRYPTION */
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_REJECT:
+		if (cnt > 0) {
+			printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ Kerberos V4 refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB_ACCEPT:
+		printf("[ Kerberos V4 accepts you ]\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+#ifndef	ENCRYPTION
+			Data(ap, KRB_CHALLENGE, (void *)0, 0);
+#else	/* ENCRYPTION */
+			Data(ap, KRB_CHALLENGE, (void *)session_key,
+						sizeof(session_key));
+			des_ecb_encrypt(&session_key, &session_key, sched, 1);
+			skey.type = SK_DES;
+			skey.length = 8;
+			skey.data = session_key;
+			encrypt_session_key(&skey, 0);
+#endif	/* ENCRYPTION */
+			return;
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB_RESPONSE:
+#ifdef	ENCRYPTION
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+		if ((cnt != sizeof(Block)) ||
+		    (0 != memcmp((void *)data, (void *)challenge,
+						sizeof(challenge))))
+		{
+#endif	/* ENCRYPTION */
+			printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+			auth_send_retry();
+			return;
+#ifdef	ENCRYPTION
+		}
+		printf("[ Kerberos V4 challenge successful ]\r\n");
+		auth_finished(ap, AUTH_USER);
+#endif	/* ENCRYPTION */
+		break;
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+	int
+kerberos4_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+kerberos4_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB_CHALLENGE:
+		strncpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB_RESPONSE:
+		strncpy((char *)buf, " RESPONSE", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+	int
+kerberos4_cksum(d, n)
+	unsigned char *d;
+	int n;
+{
+	int ck = 0;
+
+	/*
+	 * A comment is probably needed here for those not
+	 * well versed in the "C" language.  Yes, this is
+	 * supposed to be a "switch" with the body of the
+	 * "switch" being a "while" statement.  The whole
+	 * purpose of the switch is to allow us to jump into
+	 * the middle of the while() loop, and then not have
+	 * to do any more switch()s.
+	 *
+	 * Some compilers will spit out a warning message
+	 * about the loop not being entered at the top.
+	 */
+	switch (n&03)
+	while (n > 0) {
+	case 0:
+		ck ^= (int)*d++ << 24;
+		--n;
+	case 3:
+		ck ^= (int)*d++ << 16;
+		--n;
+	case 2:
+		ck ^= (int)*d++ << 8;
+		--n;
+	case 1:
+		ck ^= (int)*d++;
+		--n;
+	}
+	return(ck);
+}
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/kerberos5.c b/crypto/telnet/libtelnet/kerberos5.c
new file mode 100644
index 0000000..bcf1a9f
--- /dev/null
+++ b/crypto/telnet/libtelnet/kerberos5.c
@@ -0,0 +1,764 @@
+/*
+ *	$Source: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/kerberos5.c,v $
+ *	$Author: tytso $
+ *	$Id: kerberos5.c,v 1.1 1997/09/04 06:11:15 markm Exp $
+ */
+
+#if !defined(lint) && !defined(SABER)
+static
+#ifdef __STDC__
+const
+#endif
+char rcsid_kerberos5_c[] = "$Id: kerberos5.c,v 1.1 1997/09/04 06:11:15 markm Exp $";
+#endif /* lint */
+
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)kerberos5.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#ifdef	KRB5
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <krb5/krb5.h>
+#include <krb5/asn1.h>
+#include <krb5/crc-32.h>
+#include <krb5/los-proto.h>
+#include <krb5/ext-proto.h>
+#include <com_err.h>
+#include <netdb.h>
+#include <ctype.h>
+
+/* kerberos 5 include files (ext-proto.h) will get an appropriate stdlib.h
+   and string.h/strings.h */
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+#ifdef	FORWARD
+int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+void kerberos5_forward();
+
+#endif	/* FORWARD */
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V5, };
+/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };*/
+
+#define	KRB_AUTH		0	/* Authentication data follows */
+#define	KRB_REJECT		1	/* Rejected (reason might follow) */
+#define	KRB_ACCEPT		2	/* Accepted */
+#define	KRB_RESPONSE		3	/* Response for mutual auth. */
+
+#ifdef	FORWARD
+#define KRB_FORWARD     	4       /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
+#endif	/* FORWARD */
+
+static	krb5_data auth;
+	/* telnetd gets session key from here */
+static	krb5_tkt_authent *authdat = NULL;
+/* telnet matches the AP_REQ and AP_REP with this */
+static	krb5_authenticator authenticator;
+
+/* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
+   which is either void * or char *, depending on the compiler. */
+
+#define Voidptr krb5_pointer
+
+Block	session_key;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	Voidptr d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (auth_debug_mode) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - &str_data[2]);
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+kerberos5_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	if (server)
+		str_data[3] = TELQUAL_REPLY;
+	else
+		str_data[3] = TELQUAL_IS;
+	krb5_init_ets();
+	return(1);
+}
+
+	int
+kerberos5_send(ap)
+	Authenticator *ap;
+{
+	char **realms;
+	char *name;
+	char *p1, *p2;
+	krb5_checksum ksum;
+	krb5_octet sum[CRC32_CKSUM_LENGTH];
+ 	krb5_principal server;
+	krb5_error_code r;
+	krb5_ccache ccache;
+	krb5_creds creds;		/* telnet gets session key from here */
+	extern krb5_flags krb5_kdc_default_options;
+	int ap_opts;
+
+#ifdef	ENCRYPTION
+	krb5_keyblock *newkey = 0;
+#endif	/* ENCRYPTION */
+
+	ksum.checksum_type = CKSUMTYPE_CRC32;
+	ksum.contents = sum;
+	ksum.length = sizeof(sum);
+	memset((Voidptr )sum, 0, sizeof(sum));
+
+	if (!UserNameRequested) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: no user name supplied\r\n");
+		}
+		return(0);
+	}
+
+	if (r = krb5_cc_default(&ccache)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: could not get default ccache\r\n");
+		}
+		return(0);
+	}
+
+	if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) {
+		if (auth_debug_mode)
+			printf("Out of memory for hostname in Kerberos V5\r\n");
+		return(0);
+	}
+
+	if (r = krb5_get_host_realm(RemoteHostName, &realms)) {
+		if (auth_debug_mode)
+			printf("Kerberos V5: no realm for %s\r\n", RemoteHostName);
+		free(name);
+		return(0);
+	}
+
+	p1 = RemoteHostName;
+	p2 = name;
+
+	while (*p2 = *p1++) {
+		if (isupper(*p2))
+			*p2 |= 040;
+		++p2;
+	}
+
+	if (r = krb5_build_principal_ext(&server,
+					 strlen(realms[0]), realms[0],
+					 4, "host",
+					 p2 - name, name,
+					 0)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure setting up principal (%s)\r\n",
+			       error_message(r));
+		}
+		free(name);
+		krb5_free_host_realm(realms);
+		return(0);
+	}
+
+
+	memset((char *)&creds, 0, sizeof(creds));
+	creds.server = server;
+
+	if (r = krb5_cc_get_principal(ccache, &creds.client)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure on principal (%s)\r\n",
+				error_message(r));
+		}
+		free(name);
+		krb5_free_principal(server);
+		krb5_free_host_realm(realms);
+		return(0);
+	}
+
+	if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure on credentials(%d)\r\n",r);
+		}
+		free(name);
+		krb5_free_host_realm(realms);
+		krb5_free_principal(server);
+		return(0);
+	}
+
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+	    ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+	else
+	    ap_opts = 0;
+
+	r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0,
+#ifdef	ENCRYPTION
+				 &newkey,
+#else	/* ENCRYPTION */
+				 0,
+#endif	/* ENCRYPTION */
+				 ccache, &creds, &authenticator, &auth);
+	/* don't let the key get freed if we clean up the authenticator */
+	authenticator.subkey = 0;
+
+	free(name);
+	krb5_free_host_realm(realms);
+	krb5_free_principal(server);
+#ifdef	ENCRYPTION
+	if (newkey) {
+	    /* keep the key in our private storage, but don't use it
+	       yet---see kerberos5_reply() below */
+	    if (newkey->keytype != KEYTYPE_DES) {
+		if (creds.keyblock.keytype == KEYTYPE_DES)
+		    /* use the session key in credentials instead */
+		    memmove((char *)session_key,
+			   (char *)creds.keyblock.contents, sizeof(Block));
+		else
+		    /* XXX ? */;
+	    } else {
+		memmove((char *)session_key, (char *)newkey->contents,
+		       sizeof(Block));
+	    }
+	    krb5_free_keyblock(newkey);
+	}
+#endif	/* ENCRYPTION */
+	if (r) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: mk_req failed (%s)\r\n",
+			       error_message(r));
+		}
+		return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		if (auth_debug_mode)
+			printf("Not enough room for user name\r\n");
+		return(0);
+	}
+	if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+	if (auth_debug_mode) {
+		printf("Sent Kerberos V5 credentials to server\r\n");
+	}
+	return(1);
+}
+
+	void
+kerberos5_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	int r;
+	struct hostent *hp;
+	char *p1, *p2;
+	static char *realm = NULL;
+	krb5_principal server;
+	krb5_ap_rep_enc_part reply;
+	krb5_data outbuf;
+#ifdef ENCRYPTION
+	Session_Key skey;
+#endif	/* ENCRYPTION */
+	char *name;
+	char *getenv();
+	krb5_data inbuf;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_AUTH:
+		auth.data = (char *)data;
+		auth.length = cnt;
+
+		if (!(hp = gethostbyname(LocalHostName))) {
+			if (auth_debug_mode)
+				printf("Cannot resolve local host name\r\n");
+			Data(ap, KRB_REJECT, "Unknown local hostname.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		if (!realm && (krb5_get_default_realm(&realm))) {
+			if (auth_debug_mode)
+				printf("Could not get default realm\r\n");
+			Data(ap, KRB_REJECT, "Could not get default realm.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
+			if (auth_debug_mode)
+				printf("Out of memory for hostname in Kerberos V5\r\n");
+			Data(ap, KRB_REJECT, "Out of memory.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		p1 = hp->h_name;
+		p2 = name;
+
+		while (*p2 = *p1++) {
+			if (isupper(*p2))
+				*p2 |= 040;
+			++p2;
+		}
+
+		if (authdat)
+			krb5_free_tkt_authent(authdat);
+
+		r = krb5_build_principal_ext(&server,
+					     strlen(realm), realm,
+					     4, "host",
+					     p2 - name, name,
+					     0);
+		if (!r) {
+		    r = krb5_rd_req_simple(&auth, server, 0, &authdat);
+		    krb5_free_principal(server);
+		}
+		if (r) {
+			char errbuf[128];
+
+		    errout:
+			authdat = 0;
+			(void) strcpy(errbuf, "Read req failed: ");
+			(void) strcat(errbuf, error_message(r));
+			Data(ap, KRB_REJECT, errbuf, -1);
+			if (auth_debug_mode)
+				printf("%s\r\n", errbuf);
+			return;
+		}
+		free(name);
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		    /* do ap_rep stuff here */
+		    reply.ctime = authdat->authenticator->ctime;
+		    reply.cusec = authdat->authenticator->cusec;
+		    reply.subkey = 0;	/* use the one he gave us, so don't
+					   need to return one here */
+		    reply.seq_number = 0; /* we don't do seq #'s. */
+
+		    if (r = krb5_mk_rep(&reply,
+					authdat->authenticator->subkey ?
+					authdat->authenticator->subkey :
+					authdat->ticket->enc_part2->session,
+					&outbuf)) {
+			goto errout;
+		    }
+		    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+		}
+		if (krb5_unparse_name(authdat->ticket->enc_part2 ->client,
+				      					&name))
+			name = 0;
+		Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+		if (auth_debug_mode) {
+			printf("Kerberos5 identifies him as ``%s''\r\n",
+							name ? name : "");
+		}
+		auth_finished(ap, AUTH_USER);
+
+		free(name);
+	    	if (authdat->authenticator->subkey &&
+		    authdat->authenticator->subkey->keytype == KEYTYPE_DES) {
+		    memmove((Voidptr )session_key,
+			   (Voidptr )authdat->authenticator->subkey->contents,
+			   sizeof(Block));
+		} else if (authdat->ticket->enc_part2->session->keytype ==
+			   KEYTYPE_DES) {
+		    memmove((Voidptr )session_key,
+			(Voidptr )authdat->ticket->enc_part2->session->contents,
+			sizeof(Block));
+		} else
+		    break;
+
+#ifdef ENCRYPTION
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = session_key;
+		encrypt_session_key(&skey, 1);
+#endif	/* ENCRYPTION */
+		break;
+#ifdef	FORWARD
+	case KRB_FORWARD:
+		inbuf.data = (char *)data;
+		inbuf.length = cnt;
+		if (r = rd_and_store_for_creds(&inbuf, authdat->ticket,
+					       UserNameRequested)) {
+		    char errbuf[128];
+
+		    (void) strcpy(errbuf, "Read forwarded creds failed: ");
+		    (void) strcat(errbuf, error_message(r));
+		    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+		    if (auth_debug_mode)
+		      printf("Could not read forwarded credentials\r\n");
+		}
+		else
+		  Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+		  if (auth_debug_mode)
+		    printf("Forwarded credentials obtained\r\n");
+		break;
+#endif	/* FORWARD */
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		Data(ap, KRB_REJECT, 0, 0);
+		break;
+	}
+}
+
+	void
+kerberos5_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	static int mutual_complete = 0;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_REJECT:
+		if (cnt > 0) {
+			printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ Kerberos V5 refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB_ACCEPT:
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+		    !mutual_complete) {
+		    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\n");
+		    auth_send_retry();
+		    return;
+		}
+		if (cnt)
+		    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\n", cnt, data);
+		else
+		    printf("[ Kerberos V5 accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+#ifdef	FORWARD
+		if (forward_flags & OPTS_FORWARD_CREDS)
+		  kerberos5_forward(ap);
+#endif	/* FORWARD */
+		break;
+	case KRB_RESPONSE:
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		    /* the rest of the reply should contain a krb_ap_rep */
+		    krb5_ap_rep_enc_part *reply;
+		    krb5_data inbuf;
+		    krb5_error_code r;
+		    krb5_keyblock tmpkey;
+
+		    inbuf.length = cnt;
+		    inbuf.data = (char *)data;
+
+		    tmpkey.keytype = KEYTYPE_DES;
+		    tmpkey.contents = session_key;
+		    tmpkey.length = sizeof(Block);
+
+		    if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) {
+			printf("[ Mutual authentication failed: %s ]\n",
+			       error_message(r));
+			auth_send_retry();
+			return;
+		    }
+		    if (reply->ctime != authenticator.ctime ||
+			reply->cusec != authenticator.cusec) {
+			printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\n");
+			auth_send_retry();
+			return;
+		    }
+		    krb5_free_ap_rep_enc_part(reply);
+#ifdef	ENCRYPTION
+			skey.type = SK_DES;
+			skey.length = 8;
+			skey.data = session_key;
+			encrypt_session_key(&skey, 0);
+#endif	/* ENCRYPTION */
+		    mutual_complete = 1;
+		}
+		return;
+#ifdef	FORWARD
+	case KRB_FORWARD_ACCEPT:
+		printf("[ Kerberos V5 accepted forwarded credentials ]\n");
+		return;
+	case KRB_FORWARD_REJECT:
+		printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+				cnt, data);
+		return;
+#endif	/* FORWARD */
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+	int
+kerberos5_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested &&
+	    krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested))
+	{
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+kerberos5_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+
+	case KRB_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB_RESPONSE:
+		strncpy((char *)buf, " RESPONSE", buflen);
+		goto common2;
+
+#ifdef	FORWARD
+	case KRB_FORWARD:		/* Forwarded credentials follow */
+		strncpy((char *)buf, " FORWARD", buflen);
+		goto common2;
+
+	case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
+		strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
+		goto common2;
+
+	case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
+					       /* (reason might follow) */
+		strncpy((char *)buf, " FORWARD_REJECT", buflen);
+		goto common2;
+#endif	/* FORWARD */
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#ifdef	FORWARD
+	void
+kerberos5_forward(ap)
+     Authenticator *ap;
+{
+    struct hostent *hp;
+    krb5_creds *local_creds;
+    krb5_error_code r;
+    krb5_data forw_creds;
+    extern krb5_cksumtype krb5_kdc_req_sumtype;
+    krb5_ccache ccache;
+    int i;
+
+    if (!(local_creds = (krb5_creds *)
+	  calloc(1, sizeof(*local_creds)))) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not allocate memory for credentials\r\n");
+	return;
+    }
+
+    if (r = krb5_sname_to_principal(RemoteHostName, "host", 1,
+				    &local_creds->server)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not build server name - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = krb5_cc_default(&ccache)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not get default ccache - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = krb5_cc_get_principal(ccache, &local_creds->client)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not get default principal - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    /* Get ticket from credentials cache */
+    if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not obtain credentials - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = get_for_creds(ETYPE_DES_CBC_CRC,
+			  krb5_kdc_req_sumtype,
+			  RemoteHostName,
+			  local_creds->client,
+			  &local_creds->keyblock,
+			  forward_flags & OPTS_FORWARDABLE_CREDS,
+			  &forw_creds)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: error getting forwarded creds - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    /* Send forwarded credentials */
+    if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) {
+	if (auth_debug_mode)
+	  printf("Not enough room for authentication data\r\n");
+    }
+    else {
+	if (auth_debug_mode)
+	  printf("Forwarded local Kerberos V5 credentials to server\r\n");
+    }
+
+    krb5_free_creds(local_creds);
+}
+#endif	/* FORWARD */
+
+#endif /* KRB5 */
diff --git a/crypto/telnet/libtelnet/key-proto.h b/crypto/telnet/libtelnet/key-proto.h
new file mode 100644
index 0000000..9668a77
--- /dev/null
+++ b/crypto/telnet/libtelnet/key-proto.h
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)key-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__KEY_PROTO__
+#define	__KEY_PROTO__
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+int key_file_exists P((void));
+void key_lookup P((unsigned char *, Block));
+void key_stream_init P((Block, Block, int));
+unsigned char key_stream P((int, int));
+#endif
diff --git a/crypto/telnet/libtelnet/krb4encpwd.c b/crypto/telnet/libtelnet/krb4encpwd.c
new file mode 100644
index 0000000..3184a52
--- /dev/null
+++ b/crypto/telnet/libtelnet/krb4encpwd.c
@@ -0,0 +1,447 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)krb4encpwd.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+
+#ifdef	KRB4_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int krb_mk_encpwd_req P((KTEXT, char *, char *, char *, char *, char *, char *));
+int krb_rd_encpwd_req P((KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *));
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KRB4_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
+#define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
+#define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
+
+#define KRB_SERVICE_NAME    "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	char user_passwd[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+#endif	/* ENCRYPTION */
+static char  challenge[REALM_SZ];
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+krb4encpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char hostname[80], *cp, *realm;
+	C_Block skey;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+	} else {
+		str_data[3] = TELQUAL_IS;
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		cp = strchr(hostname, '.');
+		if (*cp != NULL) *cp = NULL;
+		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
+					KEYFILE, (char *)skey)) {
+		  return(0);
+		}
+	}
+	return(1);
+}
+
+	int
+krb4encpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying KRB4ENCPWD ... ]\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, KRB4_ENCPWD_ACK, (void *)NULL, 0)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+krb4encpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
+	char  lhostname[ANAME_SZ], *cp;
+	int r;
+	time_t now;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_AUTH:
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
+			Data(ap, KRB4_ENCPWD_REJECT, (void *)"Auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, KRB4_ENCPWD_REJECT, (void *)"Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		memmove((void *)session_key, (void *)adat.session, sizeof(Block));
+		Data(ap, KRB4_ENCPWD_ACCEPT, (void *)0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 *  Take the received random challenge text and save
+		 *  for future authentication.
+		 */
+		memmove((void *)challenge, (void *)data, sizeof(Block));
+		break;
+
+
+	case KRB4_ENCPWD_ACK:
+		/*
+		 *  Receive ack, if mutual then send random challenge
+		 */
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		  register int i;
+
+		  time(&now);
+		  sprintf(challenge, "%x", now);
+		  Data(ap, KRB4_ENCPWD_CHALLENGE, (void *)challenge, strlen(challenge));
+		}
+		break;
+
+	default:
+		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+krb4encpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST krb_token;
+	Block enckey;
+	CREDENTIALS cred;
+	int r;
+	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
+	char	hostname[80], *realm;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB4_ENCPWD_ACCEPT:
+		printf("[ KRB4_ENCPWD accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		memmove((void *)challenge, (void *)data, cnt);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		local_des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		strcpy(instance, RemoteHostName);
+		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
+		  krb_token.length = 0;
+		}
+
+		if (!Data(ap, KRB4_ENCPWD_AUTH, (void *)krb_token.dat, krb_token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+krb4encpwd_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+krb4encpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		strncpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_ACK:
+		strncpy((char *)buf, " ACK", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/misc-proto.h b/crypto/telnet/libtelnet/misc-proto.h
new file mode 100644
index 0000000..e5f334a
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc-proto.h
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__MISC_PROTO__
+#define	__MISC_PROTO__
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+void auth_encrypt_init P((char *, char *, char *, int));
+void auth_encrypt_connect P((int));
+void printd P((unsigned char *, int));
+
+/*
+ * These functions are imported from the application
+ */
+int net_write P((unsigned char *, int));
+void net_encrypt P((void));
+int telnet_spin P((void));
+char *telnet_getenv P((char *));
+char *telnet_gets P((char *, char *, int, int));
+#endif
diff --git a/crypto/telnet/libtelnet/misc.c b/crypto/telnet/libtelnet/misc.c
new file mode 100644
index 0000000..c486418
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc.c
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)misc.c	8.1 (Berkeley) 6/4/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
+
+char *RemoteHostName;
+char *LocalHostName;
+char *UserNameRequested = 0;
+int ConnectedCount = 0;
+
+	void
+auth_encrypt_init(local, remote, name, server)
+	char *local;
+	char *remote;
+	char *name;
+	int server;
+{
+	RemoteHostName = remote;
+	LocalHostName = local;
+#if	defined(AUTHENTICATION)
+	auth_init(name, server);
+#endif
+#ifdef	ENCRYPTION
+	encrypt_init(name, server);
+#endif	/* ENCRYPTION */
+	if (UserNameRequested) {
+		free(UserNameRequested);
+		UserNameRequested = 0;
+	}
+}
+
+	void
+auth_encrypt_user(name)
+	char *name;
+{
+	extern char *strdup();
+
+	if (UserNameRequested)
+		free(UserNameRequested);
+	UserNameRequested = name ? strdup(name) : 0;
+}
+
+	void
+auth_encrypt_connect(cnt)
+	int cnt;
+{
+}
+
+	void
+printd(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	if (cnt > 16)
+		cnt = 16;
+	while (cnt-- > 0) {
+		printf(" %02x", *data);
+		++data;
+	}
+}
diff --git a/crypto/telnet/libtelnet/misc.h b/crypto/telnet/libtelnet/misc.h
new file mode 100644
index 0000000..41ffa7f
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc.h	8.1 (Berkeley) 6/4/93
+ */
+
+extern char *UserNameRequested;
+extern char *LocalHostName;
+extern char *RemoteHostName;
+extern int ConnectedCount;
+extern int ReservedPort;
+
+#include "misc-proto.h"
diff --git a/crypto/telnet/libtelnet/pk.c b/crypto/telnet/libtelnet/pk.c
new file mode 100644
index 0000000..9af8915
--- /dev/null
+++ b/crypto/telnet/libtelnet/pk.c
@@ -0,0 +1,267 @@
+/* public key routines */
+/* $FreeBSD$ */
+/* functions:
+	genkeys(char *public, char *secret)
+	common_key(char *secret, char *public, desData *deskey)
+        pk_encode(char *in, *out, DesData *deskey);
+        pk_decode(char *in, *out, DesData *deskey);
+      where
+	char public[HEXKEYBYTES + 1];
+	char secret[HEXKEYBYTES + 1];
+ */
+
+#include <stdio.h>
+#include <sys/time.h>
+#include <string.h>
+#include <fcntl.h>
+#include <openssl/des.h>
+#include "mp.h"
+#include "pk.h"
+#if defined(SOLARIS2) || defined(LINUX)
+#include <stdlib.h>
+#endif
+ 
+/*
+ * Choose top 128 bits of the common key to use as our idea key.
+ */
+static
+extractideakey(ck, ideakey)
+        MINT *ck;
+        IdeaData *ideakey;
+{
+        MINT *a;
+        MINT *z;
+        short r;
+        int i;
+        short base = (1 << 8);
+        char *k;
+
+        z = itom(0);
+        a = itom(0);
+        madd(ck, z, a);
+        for (i = 0; i < ((KEYSIZE - 128) / 8); i++) {
+                sdiv(a, base, a, &r);
+        }
+        k = (char *)ideakey;
+        for (i = 0; i < 16; i++) {
+                sdiv(a, base, a, &r);
+                *k++ = r;
+        }
+	mfree(z);
+        mfree(a);
+}
+
+/*
+ * Choose middle 64 bits of the common key to use as our des key, possibly
+ * overwriting the lower order bits by setting parity. 
+ */
+static
+extractdeskey(ck, deskey)
+        MINT *ck;
+        DesData *deskey;
+{
+        MINT *a;
+        MINT *z;
+        short r;
+        int i;
+        short base = (1 << 8);
+        char *k;
+
+        z = itom(0);
+        a = itom(0);
+        madd(ck, z, a);
+        for (i = 0; i < ((KEYSIZE - 64) / 2) / 8; i++) {
+                sdiv(a, base, a, &r);
+        }
+        k = (char *)deskey;
+        for (i = 0; i < 8; i++) {
+                sdiv(a, base, a, &r);
+                *k++ = r;
+        }
+	mfree(z);
+        mfree(a);
+}
+
+/*
+ * get common key from my secret key and his public key
+ */
+void common_key(char *xsecret, char *xpublic, IdeaData *ideakey, DesData *deskey)
+{
+        MINT *public;
+        MINT *secret;
+        MINT *common;
+	MINT *modulus = xtom(HEXMODULUS);
+
+        public = xtom(xpublic);
+        secret = xtom(xsecret);
+        common = itom(0);
+        pow(public, secret, modulus, common);
+        extractdeskey(common, deskey);
+        extractideakey(common, ideakey);
+#if DES_OSTHOLM
+	des_fixup_key_parity(deskey);
+#else
+	des_set_odd_parity(deskey);
+#endif
+        mfree(common);
+        mfree(secret);
+        mfree(public);
+	mfree(modulus);
+}
+
+
+/*
+ * Generate a seed
+ */
+void getseed(seed, seedsize)
+        char *seed;
+        int seedsize;
+{
+        int i,f;
+        int rseed;
+        struct timeval tv;
+	long devrand;
+
+        (void)gettimeofday(&tv, (struct timezone *)NULL);
+        rseed = tv.tv_sec + tv.tv_usec;
+/* XXX What the hell is this?! */
+        for (i = 0; i < 8; i++) {
+                rseed ^= (rseed << 8);
+        }
+
+	f=open("/dev/random",O_NONBLOCK|O_RDONLY);
+	if (f>=0)
+	{
+		read(f,&devrand,sizeof(devrand));
+		close(f);
+	}
+        srand48((long)rseed^devrand);
+
+        for (i = 0; i < seedsize; i++) {
+                seed[i] = (lrand48() & 0xff);
+        }
+}
+
+
+/*
+ * Generate a random public/secret key pair
+ */
+void genkeys(public, secret)
+        char *public;
+        char *secret;
+{
+        int i;
+ 
+#       define BASEBITS (8*sizeof(short) - 1)
+#       define BASE (1 << BASEBITS)
+ 
+        MINT *pk = itom(0);
+        MINT *sk = itom(0);
+        MINT *tmp;
+        MINT *base = itom(BASE);
+        MINT *root = itom(PROOT);
+        MINT *modulus = xtom(HEXMODULUS);
+        short r;
+        unsigned short seed[KEYSIZE/BASEBITS + 1];
+        char *xkey;
+
+        getseed((char *)seed, sizeof(seed));    
+        for (i = 0; i < KEYSIZE/BASEBITS + 1; i++) {
+                r = seed[i] % BASE;
+                tmp = itom(r);
+                mult(sk, base, sk);
+                madd(sk, tmp, sk);
+                mfree(tmp);  
+        }
+        tmp = itom(0);
+        mdiv(sk, modulus, tmp, sk);
+        mfree(tmp);
+        pow(root, sk, modulus, pk); 
+        xkey = mtox(sk);   
+        adjust(secret, xkey);
+        xkey = mtox(pk);
+        adjust(public, xkey);
+        mfree(sk);
+        mfree(base);
+        mfree(pk);
+        mfree(root);
+        mfree(modulus);
+} 
+
+/*
+ * Adjust the input key so that it is 0-filled on the left
+ */
+adjust(keyout, keyin)
+        char keyout[HEXKEYBYTES+1];
+        char *keyin;
+{
+        char *p;
+        char *s;
+
+        for (p = keyin; *p; p++) 
+                ;
+        for (s = keyout + HEXKEYBYTES; p >= keyin; p--, s--) {
+                *s = *p;
+        }
+        while (s >= keyout) {
+                *s-- = '0';
+        }
+}
+
+static char hextab[17] = "0123456789ABCDEF";
+
+/* given a DES key, cbc encrypt and translate input to terminated hex */
+void pk_encode(in, out, key)
+char *in,*out;
+DesData *key;
+{
+	char buf[256];
+	DesData i;
+	des_key_schedule k;
+	int l,op,deslen;
+
+	memset(&i,0,sizeof(i));
+	memset(buf,0,sizeof(buf));
+	deslen = ((strlen(in) + 7)/8)*8;
+	des_key_sched(key, k);
+	des_cbc_encrypt((des_cblock *)in,(des_cblock *)buf,deslen,
+		k,&i,DES_ENCRYPT);
+	for (l=0,op=0;l<deslen;l++) {
+		out[op++] = hextab[(buf[l] & 0xf0) >> 4];
+		out[op++] = hextab[(buf[l] & 0x0f)];
+	}
+	out[op] = '\0';
+}
+
+/* given a DES key, translate input from hex and decrypt */
+void pk_decode(in, out, key)
+char *in,*out;
+DesData *key;
+{
+	char buf[256];
+	DesData i;
+	des_key_schedule k;
+	int l,n1,n2,op;
+
+	memset(&i,0,sizeof(i));
+	memset(buf,0,sizeof(buf));
+	for (l=0,op=0;l<strlen(in)/2;l++,op+=2) {
+		if(in[op] == '0' && in[op+1] == '0') {
+			buf[l] = '\0';
+			break;
+		}
+		if (in[op] > '9')
+			n1 = in[op] - 'A' + 10;
+		else
+			n1 = in[op] - '0';
+		if (in[op+1] > '9')
+			n2 = in[op+1] - 'A' + 10;
+		else
+			n2 = in[op+1] - '0';
+		buf[l] = n1*16 +n2;
+	}
+	des_key_sched(key, k);
+	des_cbc_encrypt((des_cblock *)buf,(des_cblock *)out,strlen(in)/2,
+		k,&i,DES_DECRYPT);
+	out[strlen(in)/2] = '\0';
+}
diff --git a/crypto/telnet/libtelnet/pk.h b/crypto/telnet/libtelnet/pk.h
new file mode 100644
index 0000000..6a84ac5
--- /dev/null
+++ b/crypto/telnet/libtelnet/pk.h
@@ -0,0 +1,42 @@
+/* header for the des routines that we will use */
+/* $FreeBSD$ */
+
+typedef unsigned char byte, DesData[ 8], IdeaData[16];
+#if 0
+typedef unsigned long word, DesKeys[32];
+#else
+#define DesKeys des_key_schedule
+#endif
+
+#define DES_DECRYPT 0
+#define DES_ENCRYPT 1
+
+#if 0
+extern void des_fixup_key_parity();	/* (DesData *key) */
+extern int des_key_sched(); 	/* (DesData *key, DesKeys *m) */
+extern int des_ecb_encrypt();	/* (DesData *src, *dst, DesKeys *m, int mode) */
+extern int des_cbc_encrypt();   /* (char *src, *dst, int length,
+				    DesKeys *m, DesData *init, int mode) */
+#endif
+
+/* public key routines */
+/* functions:
+	genkeys(char *public, char *secret)
+	common_key(char *secret, char *public, desData *deskey)
+      where
+	char public[HEXKEYBYTES + 1];
+	char secret[HEXKEYBYTES + 1];
+ */
+
+#define HEXMODULUS "d4a0ba0250b6fd2ec626e7efd637df76c716e22d0944b88b"
+#define HEXKEYBYTES 48
+#define KEYSIZE 192
+#define KEYBYTES 24
+#define PROOT 3
+
+extern void genkeys(char *public, char *secret);
+extern void common_key(char *secret, char *public, IdeaData *common,
+  DesData *deskey);
+extern void pk_encode(char *in, char *out, DesData *deskey);
+extern void pk_decode(char *in, char *out, DesData *deskey);
+
diff --git a/crypto/telnet/libtelnet/read_password.c b/crypto/telnet/libtelnet/read_password.c
new file mode 100644
index 0000000..f977290
--- /dev/null
+++ b/crypto/telnet/libtelnet/read_password.c
@@ -0,0 +1,149 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)read_password.c	8.3 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+/*
+ * $Source: /mit/kerberos/src/lib/des/RCS/read_password.c,v $
+ * $Author: jon $
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * This routine prints the supplied string to standard
+ * output as a prompt, and reads a password string without
+ * echoing.
+ */
+
+#if	defined(RSA_ENCPWD) || defined(KRB4_ENCPWD)
+
+#include <stdio.h>
+#include <strings.h>
+#include <sys/ioctl.h>
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf env;
+
+/*** Routines ****************************************************** */
+/*
+ * This version just returns the string, doesn't map to key.
+ *
+ * Returns 0 on success, non-zero on failure.
+ */
+
+int
+local_des_read_pw_string(s,max,prompt,verify)
+    char *s;
+    int	max;
+    char *prompt;
+    int	verify;
+{
+    int ok = 0;
+    char *ptr;
+
+    jmp_buf old_env;
+    struct sgttyb tty_state;
+    char key_string[BUFSIZ];
+
+    if (max > BUFSIZ) {
+	return -1;
+    }
+
+    /* XXX assume jmp_buf is typedef'ed to an array */
+    memmove((char *)env, (char *)old_env, sizeof(env));
+    if (setjmp(env))
+	goto lose;
+
+    /* save terminal state*/
+    if (ioctl(0,TIOCGETP,(char *)&tty_state) == -1)
+	return -1;
+/*
+    push_signals();
+*/
+    /* Turn off echo */
+    tty_state.sg_flags &= ~ECHO;
+    if (ioctl(0,TIOCSETP,(char *)&tty_state) == -1)
+	return -1;
+    while (!ok) {
+	(void) printf("%s", prompt);
+	(void) fflush(stdout);
+	while (!fgets(s, max, stdin));
+
+	if ((ptr = strchr(s, '\n')))
+	    *ptr = '\0';
+	if (verify) {
+	    printf("\nVerifying, please re-enter %s",prompt);
+	    (void) fflush(stdout);
+	    if (!fgets(key_string, sizeof(key_string), stdin)) {
+		clearerr(stdin);
+		continue;
+	    }
+	    if ((ptr = strchr(key_string, '\n')))
+	    *ptr = '\0';
+	    if (strcmp(s,key_string)) {
+		printf("\n\07\07Mismatch - try again\n");
+		(void) fflush(stdout);
+		continue;
+	    }
+	}
+	ok = 1;
+    }
+
+lose:
+    if (!ok)
+	memset(s, 0, max);
+    printf("\n");
+    /* turn echo back on */
+    tty_state.sg_flags |= ECHO;
+    if (ioctl(0,TIOCSETP,(char *)&tty_state))
+	ok = 0;
+/*
+    pop_signals();
+*/
+    memmove((char *)old_env, (char *)env, sizeof(env));
+    if (verify)
+	memset(key_string, 0, sizeof (key_string));
+    s[max-1] = 0;		/* force termination */
+    return !ok;			/* return nonzero if not okay */
+}
+#endif	/* defined(RSA_ENCPWD) || defined(KRB4_ENCPWD) */
diff --git a/crypto/telnet/libtelnet/rsaencpwd.c b/crypto/telnet/libtelnet/rsaencpwd.c
new file mode 100644
index 0000000..5906d99
--- /dev/null
+++ b/crypto/telnet/libtelnet/rsaencpwd.c
@@ -0,0 +1,492 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)rsaencpwd.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+
+#ifdef	RSA_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+#include "cdc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_RSA_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	RSA_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	RSA_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define RSA_ENCPWD_ACCEPT	2	/* Accepted */
+#define	RSA_ENCPWD_CHALLENGEKEY	3	/* Challenge and public key */
+
+#define NAME_SZ   40
+#define CHAL_SZ   20
+#define PWD_SZ    40
+
+static	KTEXT_ST auth;
+static	char name[NAME_SZ];
+static	char user_passwd[PWD_SZ];
+static  char key_file[2*NAME_SZ];
+static  char lhostname[NAME_SZ];
+static char  challenge[CHAL_SZ];
+static int   challenge_len;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	if (type != NULL) *p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+rsaencpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char  *cp;
+	FILE  *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		memset(key_file, 0, sizeof(key_file));
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+		strcpy(key_file, "/etc/.");
+		strcat(key_file, lhostname);
+		strcat(key_file, "_privkey");
+		if ((fp=fopen(key_file, "r"))==NULL) return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+rsaencpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying RSAENCPWD ... ]\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+	if (!Data(ap, NULL, (void *)NULL, 0)) {
+		return(0);
+	}
+
+
+	return(1);
+}
+
+	void
+rsaencpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	char  r_passwd[PWD_SZ], r_user[NAME_SZ];
+	char  *cp, key[160];
+	char  chalkey[160], *ptr;
+	FILE  *fp;
+	int r, i, j, chalkey_len, len;
+	time_t now;
+
+	cnt--;
+	switch (*data++) {
+	case RSA_ENCPWD_AUTH:
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+
+		if ((fp=fopen(key_file, "r"))==NULL) {
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		/*
+		 *  get privkey
+		 */
+		fscanf(fp, "%x;", &len);
+		for (i=0;i<len;i++) {
+		  j = getc(fp);  key[i]=j;
+		}
+		fclose(fp);
+
+		r = accept_rsa_encpwd(&auth, key, challenge,
+				      challenge_len, r_passwd);
+		if (r < 0) {
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (rsaencpwd_passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		Data(ap, RSA_ENCPWD_ACCEPT, (void *)0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+
+	case IAC:
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
+		  register int i;
+
+
+		  time(&now);
+		  if ((now % 2) == 0) {
+		    sprintf(challenge, "%x", now);
+		    challenge_len = strlen(challenge);
+		  } else {
+		    strcpy(challenge, "randchal");
+		    challenge_len = 8;
+		  }
+
+		  if ((fp=fopen(key_file, "r"))==NULL) {
+		    Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		    auth_finished(ap, AUTH_REJECT);
+		    return;
+		  }
+		  /*
+		   *  skip privkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);
+		  }
+		  /*
+		   * get pubkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);  key[i]=j;
+		  }
+		  fclose(fp);
+		  chalkey[0] = 0x30;
+		  ptr = (char *) &chalkey[1];
+		  chalkey_len = 1+NumEncodeLengthOctets(i)+i+1+NumEncodeLengthOctets(challenge_len)+challenge_len;
+		  EncodeLength(ptr, chalkey_len);
+		  ptr +=NumEncodeLengthOctets(chalkey_len);
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  *ptr++ = challenge_len;
+		  memmove(ptr, challenge, challenge_len);
+		  ptr += challenge_len;
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  EncodeLength(ptr, i);
+		  ptr += NumEncodeLengthOctets(i);
+		  memmove(ptr, key, i);
+		  chalkey_len = 1+NumEncodeLengthOctets(chalkey_len)+chalkey_len;
+		  Data(ap, RSA_ENCPWD_CHALLENGEKEY, (void *)chalkey, chalkey_len);
+		}
+		break;
+
+	default:
+		Data(ap, RSA_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+rsaencpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST token;
+	Block enckey;
+	int r, pubkey_len;
+	char	randchal[CHAL_SZ], *cp;
+	char	chalkey[160], pubkey[128], *ptr;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case RSA_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ RSA_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case RSA_ENCPWD_ACCEPT:
+		printf("[ RSA_ENCPWD accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case RSA_ENCPWD_CHALLENGEKEY:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		memmove((void *)chalkey, (void *)data, cnt);
+		ptr = (char *) &chalkey[0];
+		ptr += DecodeHeaderLength(chalkey);
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		challenge_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(challenge_len);
+		memmove(challenge, ptr, challenge_len);
+		ptr += challenge_len;
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		pubkey_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(pubkey_len);
+		memmove(pubkey, ptr, pubkey_len);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		local_des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey);
+		if (r < 0) {
+		  token.length = 1;
+		}
+
+		if (!Data(ap, RSA_ENCPWD_AUTH, (void *)token.dat, token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+rsaencpwd_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+rsaencpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case RSA_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case RSA_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case RSA_ENCPWD_AUTH:		/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case RSA_ENCPWD_CHALLENGEKEY:
+		strncpy((char *)buf, " CHALLENGEKEY", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int rsaencpwd_passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/spx.c b/crypto/telnet/libtelnet/spx.c
new file mode 100644
index 0000000..75d6e3e
--- /dev/null
+++ b/crypto/telnet/libtelnet/spx.c
@@ -0,0 +1,592 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)spx.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#ifdef	SPX
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include "gssapi_defs.h"
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include <pwd.h>
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SPX, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	SPX_AUTH	0		/* Authentication data follows */
+#define	SPX_REJECT	1		/* Rejected (reason might follow) */
+#define SPX_ACCEPT	2		/* Accepted */
+
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+#endif	/* ENCRYPTION */
+static Block	challenge	= { 0 };
+
+
+/*******************************************************************/
+
+gss_OID_set		actual_mechs;
+gss_OID			actual_mech_type, output_name_type;
+int			major_status, status, msg_ctx = 0, new_status;
+int			req_flags = 0, ret_flags, lifetime_rec;
+gss_cred_id_t		gss_cred_handle;
+gss_ctx_id_t		actual_ctxhandle, context_handle;
+gss_buffer_desc		output_token, input_token, input_name_buffer;
+gss_buffer_desc		status_string;
+gss_name_t		desired_targname, src_name;
+gss_channel_bindings	input_chan_bindings;
+char			lhostname[GSS_C_MAX_PRINTABLE_NAME];
+char			targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+int			to_addr=0, from_addr=0;
+char			*address;
+gss_buffer_desc		fullname_buffer;
+gss_OID			fullname_type;
+gss_cred_id_t		gss_delegated_cred_handle;
+
+/*******************************************************************/
+
+
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+spx_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	gss_cred_id_t	tmp_cred_handle;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		gethostname(lhostname, sizeof(lhostname));
+		strcpy(targ_printable, "SERVICE:rcmd@");
+		strcat(targ_printable, lhostname);
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&tmp_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+		if (major_status != GSS_S_COMPLETE) return(0);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+spx_send(ap)
+	Authenticator *ap;
+{
+	Block enckey;
+	int r;
+
+	gss_OID	actual_mech_type, output_name_type;
+	int	msg_ctx = 0, new_status, status;
+	int	req_flags = 0, ret_flags, lifetime_rec, major_status;
+	gss_buffer_desc  output_token, input_token, input_name_buffer;
+	gss_buffer_desc  output_name_buffer, status_string;
+	gss_name_t    desired_targname;
+	gss_channel_bindings  input_chan_bindings;
+	char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+	int  from_addr=0, to_addr=0, myhostlen, j;
+	int  deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0;
+	char *address;
+
+	printf("[ Trying SPX ... ]\n");
+	strcpy(targ_printable, "SERVICE:rcmd@");
+	strcat(targ_printable, RemoteHostName);
+
+	input_name_buffer.length = strlen(targ_printable);
+	input_name_buffer.value = targ_printable;
+
+	if (!UserNameRequested) {
+		return(0);
+	}
+
+	major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+
+	major_status = gss_display_name(&status,
+					desired_targname,
+					&output_name_buffer,
+					&output_name_type);
+
+	printf("target is '%s'\n", output_name_buffer.value); fflush(stdout);
+
+	major_status = gss_release_buffer(&status, &output_name_buffer);
+
+	input_chan_bindings = (gss_channel_bindings)
+	  malloc(sizeof(gss_channel_bindings_desc));
+
+	input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->initiator_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->initiator_address.value = (char *) address;
+	address[0] = ((from_addr & 0xff000000) >> 24);
+	address[1] = ((from_addr & 0xff0000) >> 16);
+	address[2] = ((from_addr & 0xff00) >> 8);
+	address[3] = (from_addr & 0xff);
+	input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->acceptor_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->acceptor_address.value = (char *) address;
+	address[0] = ((to_addr & 0xff000000) >> 24);
+	address[1] = ((to_addr & 0xff0000) >> 16);
+	address[2] = ((to_addr & 0xff00) >> 8);
+	address[3] = (to_addr & 0xff);
+	input_chan_bindings->application_data.length = 0;
+
+	req_flags = 0;
+	if (deleg_flag)  req_flags = req_flags | 1;
+	if (mutual_flag) req_flags = req_flags | 2;
+	if (replay_flag) req_flags = req_flags | 4;
+	if (seq_flag)    req_flags = req_flags | 8;
+
+	major_status = gss_init_sec_context(&status,         /* minor status */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					GSS_C_NO_BUFFER,     /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+	if ((major_status != GSS_S_COMPLETE) &&
+	    (major_status != GSS_S_CONTINUE_NEEDED)) {
+	  gss_display_status(&new_status,
+				status,
+				GSS_C_MECH_CODE,
+				GSS_C_NULL_OID,
+				&msg_ctx,
+				&status_string);
+	  printf("%s\n", status_string.value);
+	  return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, SPX_AUTH, (void *)output_token.value, output_token.length)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+spx_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_AUTH:
+		input_token.length = cnt;
+		input_token.value = (char *) data;
+
+		gethostname(lhostname, sizeof(lhostname));
+
+		strcpy(targ_printable, "SERVICE:rcmd@");
+		strcat(targ_printable, lhostname);
+
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gss_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+
+		major_status = gss_release_name(&status, desired_targname);
+
+		input_chan_bindings = (gss_channel_bindings)
+		  malloc(sizeof(gss_channel_bindings_desc));
+
+		input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->initiator_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->initiator_address.value = (char *) address;
+		address[0] = ((from_addr & 0xff000000) >> 24);
+		address[1] = ((from_addr & 0xff0000) >> 16);
+		address[2] = ((from_addr & 0xff00) >> 8);
+		address[3] = (from_addr & 0xff);
+		input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->acceptor_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->acceptor_address.value = (char *) address;
+		address[0] = ((to_addr & 0xff000000) >> 24);
+		address[1] = ((to_addr & 0xff0000) >> 16);
+		address[2] = ((to_addr & 0xff00) >> 8);
+		address[3] = (to_addr & 0xff);
+		input_chan_bindings->application_data.length = 0;
+
+		major_status = gss_accept_sec_context(&status,
+						&context_handle,
+						gss_cred_handle,
+						&input_token,
+						input_chan_bindings,
+						&src_name,
+						&actual_mech_type,
+						&output_token,
+						&ret_flags,
+						&lifetime_rec,
+						&gss_delegated_cred_handle);
+
+
+		if (major_status != GSS_S_COMPLETE) {
+
+		  major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+			Data(ap, SPX_REJECT, (void *)"auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+
+		Data(ap, SPX_ACCEPT, (void *)output_token.value, output_token.length);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	default:
+		Data(ap, SPX_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+spx_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_REJECT:
+		if (cnt > 0) {
+			printf("[ SPX refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ SPX refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case SPX_ACCEPT:
+		printf("[ SPX accepts you ]\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+		  input_token.value = (char *) data;
+		  input_token.length = cnt;
+
+		  major_status = gss_init_sec_context(&status, /* minor stat */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					&input_token,        /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+		  if (major_status != GSS_S_COMPLETE) {
+		    gss_display_status(&new_status,
+					status,
+					GSS_C_MECH_CODE,
+					GSS_C_NULL_OID,
+					&msg_ctx,
+					&status_string);
+		    printf("[ SPX mutual response fails ... '%s' ]\r\n",
+			 status_string.value);
+		    auth_send_retry();
+		    return;
+		  }
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+
+	default:
+		return;
+	}
+}
+
+	int
+spx_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	gss_buffer_desc  fullname_buffer, acl_file_buffer;
+	gss_OID          fullname_type;
+	char acl_file[160], fullname[160];
+	int major_status, status = 0;
+	struct passwd  *pwd;
+
+	/*
+	 * hard code fullname to
+	 *   "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan"
+	 * and acl_file to "~kannan/.sphinx"
+	 */
+
+	pwd = getpwnam(UserNameRequested);
+	if (pwd == NULL) {
+	  return(AUTH_USER);   /*  not authenticated  */
+	}
+
+	strcpy(acl_file, pwd->pw_dir);
+	strcat(acl_file, "/.sphinx");
+	acl_file_buffer.value = acl_file;
+	acl_file_buffer.length = strlen(acl_file);
+
+	major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+	if (level < AUTH_USER)
+		return(level);
+
+	major_status = gss__check_acl(&status, &fullname_buffer,
+					&acl_file_buffer);
+
+	if (major_status == GSS_S_COMPLETE) {
+	  strcpy(name, UserNameRequested);
+	  return(AUTH_VALID);
+	} else {
+	   return(AUTH_USER);
+	}
+
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+spx_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case SPX_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SPX_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SPX_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c
new file mode 100644
index 0000000..95ac9fd
--- /dev/null
+++ b/crypto/telnet/libtelnet/sra.c
@@ -0,0 +1,480 @@
+/* $FreeBSD$ */
+
+#ifdef	SRA
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "auth.h"
+#include "misc.h"
+#include "encrypt.h"
+#include "pk.h"
+
+char pka[HEXKEYBYTES+1], ska[HEXKEYBYTES+1], pkb[HEXKEYBYTES+1];
+char *user,*pass,*xuser,*xpass;
+DesData ck;
+IdeaData ik;
+
+extern int auth_debug_mode;
+static sra_valid = 0;
+static passwd_sent = 0;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SRA, };
+
+#define SRA_KEY	0
+#define SRA_USER 1
+#define SRA_CONTINUE 2
+#define SRA_PASS 3
+#define SRA_ACCEPT 4
+#define SRA_REJECT 5
+
+/* support routine to send out authentication message */
+static int Data(ap, type, d, c)
+Authenticator *ap;
+int type;
+void *d;
+int c;
+{
+        unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+        if (auth_debug_mode) {
+                printf("%s:%d: [%d] (%d)",
+                        str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+                        str_data[3],
+                        type, c);
+                printd(d, c);
+                printf("\r\n");
+        }
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+        while (c-- > 0) {
+                if ((*p++ = *cd++) == IAC)
+                        *p++ = IAC;
+        }
+        *p++ = IAC;
+        *p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+        return(net_write(str_data, p - str_data));
+}
+
+int sra_init(ap, server)
+Authenticator *ap;
+int server;
+{
+	if (server)
+		str_data[3] = TELQUAL_REPLY;
+	else
+		str_data[3] = TELQUAL_IS;
+
+	user = (char *)malloc(256);
+	xuser = (char *)malloc(512);
+	pass = (char *)malloc(256);
+	xpass = (char *)malloc(512);
+	passwd_sent = 0;
+	
+	genkeys(pka,ska);
+	return(1);
+}
+
+/* client received a go-ahead for sra */
+int sra_send(ap)
+Authenticator *ap;
+{
+	/* send PKA */
+
+	if (auth_debug_mode)
+		printf("Sent PKA to server.\r\n" );
+	printf("Trying SRA secure login:\r\n");
+	if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+
+	return(1);
+}
+
+/* server received an IS -- could be SRA KEY, USER, or PASS */
+void sra_is(ap, data, cnt)
+Authenticator *ap;
+unsigned char *data;
+int cnt;
+{
+	int valid;
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+
+	case SRA_KEY:
+		if (cnt < HEXKEYBYTES) {
+			Data(ap, SRA_REJECT, (void *)0, 0);
+			auth_finished(ap, AUTH_USER);
+			if (auth_debug_mode) {
+				printf("SRA user rejected for bad PKB\r\n");
+			}
+			return;
+		}
+		if (auth_debug_mode)
+			printf("Sent pka\r\n");
+		if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		memcpy(pkb,data,HEXKEYBYTES);
+		pkb[HEXKEYBYTES] = '\0';
+		common_key(ska,pkb,&ik,&ck);
+		break;
+
+	case SRA_USER:
+		/* decode KAB(u) */
+		memcpy(xuser,data,cnt);
+		xuser[cnt] = '\0';
+		pk_decode(xuser,user,&ck);
+		auth_encrypt_user(user);
+		Data(ap, SRA_CONTINUE, (void *)0, 0);
+
+		break;
+
+	case SRA_PASS:
+		/* decode KAB(P) */
+		memcpy(xpass,data,cnt);
+		xpass[cnt] = '\0';
+		pk_decode(xpass,pass,&ck);
+
+		/* check user's password */
+		valid = check_user(user,pass);
+
+		if(valid) {
+			Data(ap, SRA_ACCEPT, (void *)0, 0);
+#ifdef DES_ENCRYPTION
+			skey.data = ck;
+			skey.type = SK_DES;
+			skey.length = 8;
+			encrypt_session_key(&skey, 1);
+#endif
+
+			sra_valid = 1;
+			auth_finished(ap, AUTH_VALID);
+			if (auth_debug_mode) {
+				printf("SRA user accepted\r\n");
+			}
+		}
+		else {
+			Data(ap, SRA_CONTINUE, (void *)0, 0);
+/*
+			Data(ap, SRA_REJECT, (void *)0, 0);
+			sra_valid = 0;
+			auth_finished(ap, AUTH_REJECT);
+*/
+			if (auth_debug_mode) {
+				printf("SRA user failed\r\n");
+			}
+		}
+		break;
+
+	default:
+		if (auth_debug_mode)
+			printf("Unknown SRA option %d\r\n", data[-1]);
+		Data(ap, SRA_REJECT, 0, 0);
+		sra_valid = 0;
+		auth_finished(ap, AUTH_REJECT);
+		break;
+	}
+}
+
+extern char *getpass();
+
+/* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */
+void sra_reply(ap, data, cnt)
+Authenticator *ap;
+unsigned char *data;
+int cnt;
+{
+	extern char *telnet_gets();
+	char uprompt[256],tuser[256];
+	Session_Key skey;
+	int i;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+
+	case SRA_KEY:
+		/* calculate common key */
+		if (cnt < HEXKEYBYTES) {
+			if (auth_debug_mode) {
+				printf("SRA user rejected for bad PKB\r\n");
+			}
+			return;
+		}
+		memcpy(pkb,data,HEXKEYBYTES);
+		pkb[HEXKEYBYTES] = '\0';		
+
+		common_key(ska,pkb,&ik,&ck);
+
+	enc_user:
+
+		/* encode user */
+		memset(tuser,0,sizeof(tuser));
+		sprintf(uprompt,"User (%s): ",UserNameRequested);
+		telnet_gets(uprompt,tuser,255,1);
+		if (tuser[0] == '\n' || tuser[0] == '\r' )
+			strcpy(user,UserNameRequested);
+		else {
+			/* telnet_gets leaves the newline on */
+			for(i=0;i<sizeof(tuser);i++) {
+				if (tuser[i] == '\n') {
+					tuser[i] = '\0';
+					break;
+				}
+			}
+			strcpy(user,tuser);
+		}
+		pk_encode(user,xuser,&ck);
+
+		/* send it off */
+		if (auth_debug_mode)
+			printf("Sent KAB(U)\r\n");
+		if (!Data(ap, SRA_USER, (void *)xuser, strlen(xuser))) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		break;
+
+	case SRA_CONTINUE:
+		if (passwd_sent) {
+			passwd_sent = 0;
+			printf("[ SRA login failed ]\r\n");
+			goto enc_user;
+		}
+		/* encode password */
+		memset(pass,0,sizeof(pass));
+		telnet_gets("Password: ",pass,255,0);
+		pk_encode(pass,xpass,&ck);
+		/* send it off */
+		if (auth_debug_mode)
+			printf("Sent KAB(P)\r\n");
+		if (!Data(ap, SRA_PASS, (void *)xpass, strlen(xpass))) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		passwd_sent = 1;
+		break;
+
+	case SRA_REJECT:
+		printf("[ SRA refuses authentication ]\r\n");
+		printf("Trying plaintext login:\r\n");
+		auth_finished(0,AUTH_REJECT);
+		return;
+
+	case SRA_ACCEPT:
+		printf("[ SRA accepts you ]\r\n");
+#ifdef DES_ENCRYPTION
+		skey.data = ck;
+		skey.type = SK_DES;
+		skey.length = 8;
+		encrypt_session_key(&skey, 0);
+#endif
+
+		auth_finished(ap, AUTH_VALID);
+		return;
+	default:
+		if (auth_debug_mode)
+			printf("Unknown SRA option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+int sra_status(ap, name, level)
+Authenticator *ap;
+char *name;
+int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+	if (UserNameRequested && sra_valid) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void sra_printsub(data, cnt, buf, buflen)
+unsigned char *data, *buf;
+int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+
+	case SRA_CONTINUE:
+		strncpy((char *)buf, " CONTINUE ", buflen);
+		goto common;
+
+	case SRA_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SRA_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SRA_KEY:			/* Authentication data follows */
+		strncpy((char *)buf, " KEY ", buflen);
+		goto common2;
+
+	case SRA_USER:
+		strncpy((char *)buf, " USER ", buflen);
+		goto common2;
+
+	case SRA_PASS:
+		strncpy((char *)buf, " PASS ", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+struct	passwd *pw;
+
+/*
+ * Helper function for sgetpwnam().
+ */
+char *
+sgetsave(s)
+	char *s;
+{
+	char *new = malloc((unsigned) strlen(s) + 1);
+
+	if (new == NULL) {
+		return(NULL);
+	}
+	(void) strcpy(new, s);
+	return (new);
+}
+
+#include <pwd.h>
+#include <syslog.h>
+#ifdef USE_SHADOW
+#include <shadow.h>
+#endif
+
+
+struct passwd *
+sgetpwnam(name)
+	char *name;
+{
+	static struct passwd save;
+	register struct passwd *p;
+	char *sgetsave();
+
+	if ((p = getpwnam(name)) == NULL)
+		return (p);
+	if (save.pw_name) {
+		free(save.pw_name);
+		free(save.pw_passwd);
+		free(save.pw_gecos);
+		free(save.pw_dir);
+		free(save.pw_shell);
+	}
+	save = *p;
+	save.pw_name = sgetsave(p->pw_name);
+	save.pw_passwd = sgetsave(p->pw_passwd);
+	save.pw_gecos = sgetsave(p->pw_gecos);
+	save.pw_dir = sgetsave(p->pw_dir);
+	save.pw_shell = sgetsave(p->pw_shell);
+#if 0
+syslog(LOG_WARNING,"%s\n",save.pw_name);
+syslog(LOG_WARNING,"%s\n",save.pw_passwd);
+syslog(LOG_WARNING,"%s\n",save.pw_gecos);
+syslog(LOG_WARNING,"%s\n",save.pw_dir);
+#endif
+#ifdef USE_SHADOW
+        {
+                struct spwd *sp;
+                sp = getspnam(name);
+                free(save.pw_passwd);
+                save.pw_passwd  = sgetsave(sp->sp_pwdp);
+        }
+#endif 
+	return (&save);
+}
+
+char *crypt();
+
+int check_user(name, pass)
+char *name;
+char *pass;
+{
+	register char *cp;
+	char *xpasswd, *salt;
+
+	if (pw = sgetpwnam(name)) {
+		if (pw->pw_shell == NULL) {
+			pw = (struct passwd *) NULL;
+			return(0);
+		}
+
+		salt = pw->pw_passwd;
+		xpasswd = crypt(pass, salt);
+		/* The strcmp does not catch null passwords! */
+		if (pw == NULL || *pw->pw_passwd == '\0' ||
+			strcmp(xpasswd, pw->pw_passwd)) {
+			pw = (struct passwd *) NULL;
+			return(0);
+		}
+		return(1);
+	}
+	return(0);
+}
+
+
+#endif
+
diff --git a/crypto/telnet/telnet/authenc.c b/crypto/telnet/telnet/authenc.c
new file mode 100644
index 0000000..47b242f
--- /dev/null
+++ b/crypto/telnet/telnet/authenc.c
@@ -0,0 +1,116 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)authenc.c	8.1 (Berkeley) 6/6/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <libtelnet/encrypt.h>
+#include <libtelnet/misc.h>
+
+#include "general.h"
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+	int
+net_write(str, len)
+	unsigned char *str;
+	int len;
+{
+	if (NETROOM() > len) {
+		ring_supply_data(&netoring, str, len);
+		if (str[0] == IAC && str[1] == SE)
+			printsub('>', &str[2], len-2);
+		return(len);
+	}
+	return(0);
+}
+
+	void
+net_encrypt()
+{
+#ifdef	ENCRYPTION
+	if (encrypt_output)
+		ring_encrypt(&netoring, encrypt_output);
+	else
+		ring_clearto(&netoring);
+#endif	/* ENCRYPTION */
+}
+
+	int
+telnet_spin()
+{
+	return(-1);
+}
+
+	char *
+telnet_getenv(val)
+	char *val;
+{
+	return((char *)env_getvalue((unsigned char *)val));
+}
+
+	char *
+telnet_gets(prompt, result, length, echo)
+	char *prompt;
+	char *result;
+	int length;
+	int echo;
+{
+	extern char *getpass();
+	extern int globalmode;
+	int om = globalmode;
+	char *res;
+
+	TerminalNewMode(-1);
+	if (echo) {
+		printf("%s", prompt);
+		res = fgets(result, length, stdin);
+	} else if ((res = getpass(prompt))) {
+		strncpy(result, res, length);
+		res = result;
+	}
+	TerminalNewMode(om);
+	return(res);
+}
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
diff --git a/crypto/telnet/telnet/commands.c b/crypto/telnet/telnet/commands.c
new file mode 100644
index 0000000..282695c
--- /dev/null
+++ b/crypto/telnet/telnet/commands.c
@@ -0,0 +1,3237 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)commands.c	8.4 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#if	defined(unix)
+#include <sys/param.h>
+#if	defined(CRAY) || defined(sysV88)
+#include <sys/types.h>
+#endif
+#include <sys/file.h>
+#else
+#include <sys/types.h>
+#endif	/* defined(unix) */
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifdef	CRAY
+#include <fcntl.h>
+#endif	/* CRAY */
+
+#include <signal.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <varargs.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <arpa/telnet.h>
+
+#include "general.h"
+
+#include "ring.h"
+
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+#if !defined(CRAY) && !defined(sysV88)
+#include <netinet/in_systm.h>
+# if (defined(vax) || defined(tahoe) || defined(hp300)) && !defined(ultrix)
+# include <machine/endian.h>
+# endif /* vax */
+#endif /* !defined(CRAY) && !defined(sysV88) */
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+
+
+#ifndef	MAXHOSTNAMELEN
+#define	MAXHOSTNAMELEN 64
+#endif	MAXHOSTNAMELEN
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+char	*hostname;
+static char _hostname[MAXHOSTNAMELEN];
+
+extern char *getenv();
+
+extern int isprefix();
+extern char **genget();
+extern int Ambiguous();
+
+static int help(int argc, char *argv[]);
+static int call();
+static void cmdrc(char *m1, char *m2);
+static int switch_af(struct addrinfo **aip);
+
+int quit(void);
+
+typedef struct {
+	char	*name;		/* command name */
+	char	*help;		/* help string (NULL for no help) */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+} Command;
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static char *margv[20];
+
+#if	defined(SKEY)
+#include <sys/wait.h>
+#define PATH_SKEY	"/usr/bin/key"
+    int
+skey_calc(argc, argv)
+	int argc;
+	char **argv;
+{
+	int status;
+
+	if(argc != 3) {
+		printf("%s sequence challenge\n", argv[0]);
+		return;
+	}
+
+	switch(fork()) {
+	case 0:
+		execv(PATH_SKEY, argv);
+		exit (1);
+	case -1:
+		perror("fork");
+		break;
+	default:
+		(void) wait(&status);
+		if (WIFEXITED(status))
+			return (WEXITSTATUS(status));
+		return (0);
+	}
+}
+#endif
+
+    static void
+makeargv()
+{
+    register char *cp, *cp2, c;
+    register char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {		/* Special case shell escape */
+	strcpy(saveline, line);	/* save for shell command */
+	*argp++ = "!";		/* No room in string to get this */
+	margc++;
+	cp++;
+    }
+    while ((c = *cp)) {
+	register int inquote = 0;
+	while (isspace(c))
+	    c = *++cp;
+	if (c == '\0')
+	    break;
+	*argp++ = cp;
+	margc += 1;
+	for (cp2 = cp; c != '\0'; c = *++cp) {
+	    if (inquote) {
+		if (c == inquote) {
+		    inquote = 0;
+		    continue;
+		}
+	    } else {
+		if (c == '\\') {
+		    if ((c = *++cp) == '\0')
+			break;
+		} else if (c == '"') {
+		    inquote = '"';
+		    continue;
+		} else if (c == '\'') {
+		    inquote = '\'';
+		    continue;
+		} else if (isspace(c))
+		    break;
+	    }
+	    *cp2++ = c;
+	}
+	*cp2 = '\0';
+	if (c == '\0')
+	    break;
+	cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+	static int
+special(s)
+	register char *s;
+{
+	register char c;
+	char b;
+
+	switch (*s) {
+	case '^':
+		b = *++s;
+		if (b == '?') {
+		    c = b | 0x40;		/* DEL */
+		} else {
+		    c = b & 0x1f;
+		}
+		break;
+	default:
+		c = *s;
+		break;
+	}
+	return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+	static char *
+control(c)
+	register cc_t c;
+{
+	static char buf[5];
+	/*
+	 * The only way I could get the Sun 3.5 compiler
+	 * to shut up about
+	 *	if ((unsigned int)c >= 0x80)
+	 * was to assign "c" to an unsigned int variable...
+	 * Arggg....
+	 */
+	register unsigned int uic = (unsigned int)c;
+
+	if (uic == 0x7f)
+		return ("^?");
+	if (c == (cc_t)_POSIX_VDISABLE) {
+		return "off";
+	}
+	if (uic >= 0x80) {
+		buf[0] = '\\';
+		buf[1] = ((c>>6)&07) + '0';
+		buf[2] = ((c>>3)&07) + '0';
+		buf[3] = (c&07) + '0';
+		buf[4] = 0;
+	} else if (uic >= 0x20) {
+		buf[0] = c;
+		buf[1] = 0;
+	} else {
+		buf[0] = '^';
+		buf[1] = '@'+c;
+		buf[2] = 0;
+	}
+	return (buf);
+}
+
+
+
+/*
+ *	The following are data structures and routines for
+ *	the "send" command.
+ *
+ */
+
+struct sendlist {
+    char	*name;		/* How user refers to it (case independent) */
+    char	*help;		/* Help information (0 ==> no help) */
+    int		needconnect;	/* Need to be connected */
+    int		narg;		/* Number of arguments */
+    int		(*handler)();	/* Routine to perform (for special ops) */
+    int		nbyte;		/* Number of bytes to send this command */
+    int		what;		/* Character to be sent (<0 ==> special) */
+};
+
+
+static int
+	send_esc P((void)),
+	send_help P((void)),
+	send_docmd P((char *)),
+	send_dontcmd P((char *)),
+	send_willcmd P((char *)),
+	send_wontcmd P((char *));
+
+static struct sendlist Sendlist[] = {
+    { "ao",	"Send Telnet Abort output",		1, 0, 0, 2, AO },
+    { "ayt",	"Send Telnet 'Are You There'",		1, 0, 0, 2, AYT },
+    { "brk",	"Send Telnet Break",			1, 0, 0, 2, BREAK },
+    { "break",	0,					1, 0, 0, 2, BREAK },
+    { "ec",	"Send Telnet Erase Character",		1, 0, 0, 2, EC },
+    { "el",	"Send Telnet Erase Line",		1, 0, 0, 2, EL },
+    { "escape",	"Send current escape character",	1, 0, send_esc, 1, 0 },
+    { "ga",	"Send Telnet 'Go Ahead' sequence",	1, 0, 0, 2, GA },
+    { "ip",	"Send Telnet Interrupt Process",	1, 0, 0, 2, IP },
+    { "intp",	0,					1, 0, 0, 2, IP },
+    { "interrupt", 0,					1, 0, 0, 2, IP },
+    { "intr",	0,					1, 0, 0, 2, IP },
+    { "nop",	"Send Telnet 'No operation'",		1, 0, 0, 2, NOP },
+    { "eor",	"Send Telnet 'End of Record'",		1, 0, 0, 2, EOR },
+    { "abort",	"Send Telnet 'Abort Process'",		1, 0, 0, 2, ABORT },
+    { "susp",	"Send Telnet 'Suspend Process'",	1, 0, 0, 2, SUSP },
+    { "eof",	"Send Telnet End of File Character",	1, 0, 0, 2, xEOF },
+    { "synch",	"Perform Telnet 'Synch operation'",	1, 0, dosynch, 2, 0 },
+    { "getstatus", "Send request for STATUS",		1, 0, get_status, 6, 0 },
+    { "?",	"Display send options",			0, 0, send_help, 0, 0 },
+    { "help",	0,					0, 0, send_help, 0, 0 },
+    { "do",	0,					0, 1, send_docmd, 3, 0 },
+    { "dont",	0,					0, 1, send_dontcmd, 3, 0 },
+    { "will",	0,					0, 1, send_willcmd, 3, 0 },
+    { "wont",	0,					0, 1, send_wontcmd, 3, 0 },
+    { 0 }
+};
+
+#define	GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+				sizeof(struct sendlist)))
+
+    static int
+sendcmd(argc, argv)
+    int  argc;
+    char **argv;
+{
+    int count;		/* how many bytes we are going to need to send */
+    int i;
+    struct sendlist *s;	/* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+	printf("need at least one argument for 'send' command\n");
+	printf("'send ?' for help\n");
+	return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	s = GETSEND(argv[i]);
+	if (s == 0) {
+	    printf("Unknown send argument '%s'\n'send ?' for help.\n",
+			argv[i]);
+	    return 0;
+	} else if (Ambiguous(s)) {
+	    printf("Ambiguous send argument '%s'\n'send ?' for help.\n",
+			argv[i]);
+	    return 0;
+	}
+	if (i + s->narg >= argc) {
+	    fprintf(stderr,
+	    "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\n",
+		s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+	    return 0;
+	}
+	count += s->nbyte;
+	if (s->handler == send_help) {
+	    send_help();
+	    return 0;
+	}
+
+	i += s->narg;
+	needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+	printf("?Need to be connected first.\n");
+	printf("'send ?' for help\n");
+	return 0;
+    }
+    /* Now, do we have enough room? */
+    if (NETROOM() < count) {
+	printf("There is not enough room in the buffer TO the network\n");
+	printf("to process your request.  Nothing will be done.\n");
+	printf("('send synch' will throw away most data in the network\n");
+	printf("buffer, if this might help.)\n");
+	return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	if ((s = GETSEND(argv[i])) == 0) {
+	    fprintf(stderr, "Telnet 'send' error - argument disappeared!\n");
+	    (void) quit();
+	    /*NOTREACHED*/
+	}
+	if (s->handler) {
+	    count++;
+	    success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+				  (s->narg > 1) ? argv[i+2] : 0);
+	    i += s->narg;
+	} else {
+	    NET2ADD(IAC, s->what);
+	    printoption("SENT", IAC, s->what);
+	}
+    }
+    return (count == success);
+}
+
+    static int
+send_esc()
+{
+    NETADD(escape);
+    return 1;
+}
+
+    static int
+send_docmd(name)
+    char *name;
+{
+    return(send_tncmd(send_do, "do", name));
+}
+
+    static int
+send_dontcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_dont, "dont", name));
+}
+    static int
+send_willcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_will, "will", name));
+}
+    static int
+send_wontcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+    int
+send_tncmd(func, cmd, name)
+    void	(*func)();
+    char	*cmd, *name;
+{
+    char **cpp;
+    extern char *telopts[];
+    register int val = 0;
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+	register int col, len;
+
+	printf("Usage: send %s <value|option>\n", cmd);
+	printf("\"value\" must be from 0 to 255\n");
+	printf("Valid options are:\n\t");
+
+	col = 8;
+	for (cpp = telopts; *cpp; cpp++) {
+	    len = strlen(*cpp) + 3;
+	    if (col + len > 65) {
+		printf("\n\t");
+		col = 8;
+	    }
+	    printf(" \"%s\"", *cpp);
+	    col += len;
+	}
+	printf("\n");
+	return 0;
+    }
+    cpp = (char **)genget(name, telopts, sizeof(char *));
+    if (Ambiguous(cpp)) {
+	fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\n",
+					name, cmd);
+	return 0;
+    }
+    if (cpp) {
+	val = cpp - telopts;
+    } else {
+	register char *cp = name;
+
+	while (*cp >= '0' && *cp <= '9') {
+	    val *= 10;
+	    val += *cp - '0';
+	    cp++;
+	}
+	if (*cp != 0) {
+	    fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\n",
+					name, cmd);
+	    return 0;
+	} else if (val < 0 || val > 255) {
+	    fprintf(stderr, "'%s': bad value ('send %s ?' for help).\n",
+					name, cmd);
+	    return 0;
+	}
+    }
+    if (!connected) {
+	printf("?Need to be connected first.\n");
+	return 0;
+    }
+    (*func)(val, 1);
+    return 1;
+}
+
+    static int
+send_help()
+{
+    struct sendlist *s;	/* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+	if (s->help)
+	    printf("%-15s %s\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+    static int
+lclchars()
+{
+    donelclchars = 1;
+    return 1;
+}
+
+    static int
+togdebug()
+{
+#ifndef	NOT43
+    if (net > 0 &&
+	(SetSockOpt(net, SOL_SOCKET, SO_DEBUG, debug)) < 0) {
+	    perror("setsockopt (SO_DEBUG)");
+    }
+#else	/* NOT43 */
+    if (debug) {
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0)
+	    perror("setsockopt (SO_DEBUG)");
+    } else
+	printf("Cannot turn off socket debugging\n");
+#endif	/* NOT43 */
+    return 1;
+}
+
+
+    static int
+togcrlf()
+{
+    if (crlf) {
+	printf("Will send carriage returns as telnet <CR><LF>.\n");
+    } else {
+	printf("Will send carriage returns as telnet <CR><NUL>.\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+    static int
+togbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+	binmode = val;
+    } else {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+				my_want_state_is_do(TELOPT_BINARY)) {
+	    binmode = 1;
+	} else if (my_want_state_is_wont(TELOPT_BINARY) &&
+				my_want_state_is_dont(TELOPT_BINARY)) {
+	    binmode = 0;
+	}
+	val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+					my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already operating in binary mode with remote host.\n");
+	} else {
+	    printf("Negotiating binary mode with remote host.\n");
+	    tel_enter_binary(3);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY) &&
+					my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already in network ascii mode with remote host.\n");
+	} else {
+	    printf("Negotiating network ascii mode with remote host.\n");
+	    tel_leave_binary(3);
+	}
+    }
+    return 1;
+}
+
+    static int
+togrbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already receiving in binary mode.\n");
+	} else {
+	    printf("Negotiating binary mode on input.\n");
+	    tel_enter_binary(1);
+	}
+    } else {
+	if (my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already receiving in network ascii mode.\n");
+	} else {
+	    printf("Negotiating network ascii mode on input.\n");
+	    tel_leave_binary(1);
+	}
+    }
+    return 1;
+}
+
+    static int
+togxbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY)) {
+	    printf("Already transmitting in binary mode.\n");
+	} else {
+	    printf("Negotiating binary mode on output.\n");
+	    tel_enter_binary(2);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    printf("Already transmitting in network ascii mode.\n");
+	} else {
+	    printf("Negotiating network ascii mode on output.\n");
+	    tel_leave_binary(2);
+	}
+    }
+    return 1;
+}
+
+
+static int togglehelp P((void));
+#if	defined(AUTHENTICATION)
+extern int auth_togdebug P((int));
+#endif
+#ifdef	ENCRYPTION
+extern int EncryptAutoEnc P((int));
+extern int EncryptAutoDec P((int));
+extern int EncryptDebug P((int));
+extern int EncryptVerbose P((int));
+#endif	/* ENCRYPTION */
+
+struct togglelist {
+    char	*name;		/* name of toggle */
+    char	*help;		/* help message */
+    int		(*handler)();	/* routine to do actual setting */
+    int		*variable;
+    char	*actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush",
+	"flushing of output when sending interrupt characters",
+	    0,
+		&autoflush,
+		    "flush output when sending interrupt characters" },
+    { "autosynch",
+	"automatic sending of interrupt characters in urgent mode",
+	    0,
+		&autosynch,
+		    "send interrupt characters in urgent mode" },
+#if	defined(AUTHENTICATION)
+    { "autologin",
+	"automatic sending of login and/or authentication info",
+	    0,
+		&autologin,
+		    "send login name and/or authentication information" },
+    { "authdebug",
+	"Toggle authentication debugging",
+	    auth_togdebug,
+		0,
+		     "print authentication debugging information" },
+#endif
+#ifdef	ENCRYPTION
+    { "autoencrypt",
+	"automatic encryption of data stream",
+	    EncryptAutoEnc,
+		0,
+		    "automatically encrypt output" },
+    { "autodecrypt",
+	"automatic decryption of data stream",
+	    EncryptAutoDec,
+		0,
+		    "automatically decrypt input" },
+    { "verbose_encrypt",
+	"Toggle verbose encryption output",
+	    EncryptVerbose,
+		0,
+		    "print verbose encryption output" },
+    { "encdebug",
+	"Toggle encryption debugging",
+	    EncryptDebug,
+		0,
+		    "print encryption debugging information" },
+#endif	/* ENCRYPTION */
+    { "skiprc",
+	"don't read ~/.telnetrc file",
+	    0,
+		&skiprc,
+		    "skip reading of ~/.telnetrc file" },
+    { "binary",
+	"sending and receiving of binary data",
+	    togbinary,
+		0,
+		    0 },
+    { "inbinary",
+	"receiving of binary data",
+	    togrbinary,
+		0,
+		    0 },
+    { "outbinary",
+	"sending of binary data",
+	    togxbinary,
+		0,
+		    0 },
+    { "crlf",
+	"sending carriage returns as telnet <CR><LF>",
+	    togcrlf,
+		&crlf,
+		    0 },
+    { "crmod",
+	"mapping of received carriage returns",
+	    0,
+		&crmod,
+		    "map carriage return on output" },
+    { "localchars",
+	"local recognition of certain control characters",
+	    lclchars,
+		&localchars,
+		    "recognize certain control characters" },
+    { " ", "", 0 },		/* empty line */
+#if	defined(unix) && defined(TN3270)
+    { "apitrace",
+	"(debugging) toggle tracing of API transactions",
+	    0,
+		&apitrace,
+		    "trace API transactions" },
+    { "cursesdata",
+	"(debugging) toggle printing of hexadecimal curses data",
+	    0,
+		&cursesdata,
+		    "print hexadecimal representation of curses data" },
+#endif	/* defined(unix) && defined(TN3270) */
+    { "debug",
+	"debugging",
+	    togdebug,
+		&debug,
+		    "turn on socket level debugging" },
+    { "netdata",
+	"printing of hexadecimal network data (debugging)",
+	    0,
+		&netdata,
+		    "print hexadecimal representation of network traffic" },
+    { "prettydump",
+	"output of \"netdata\" to user readable format (debugging)",
+	    0,
+		&prettydump,
+		    "print user readable output for \"netdata\"" },
+    { "options",
+	"viewing of options processing (debugging)",
+	    0,
+		&showoptions,
+		    "show option processing" },
+#if	defined(unix)
+    { "termdata",
+	"(debugging) toggle printing of hexadecimal terminal data",
+	    0,
+		&termdata,
+		    "print hexadecimal representation of terminal traffic" },
+#endif	/* defined(unix) */
+    { "?",
+	0,
+	    togglehelp },
+    { "help",
+	0,
+	    togglehelp },
+    { 0 }
+};
+
+    static int
+togglehelp()
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s toggle %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    printf("\n");
+    printf("%-15s %s\n", "?", "display help information");
+    return 0;
+}
+
+    static void
+settogglehelp(set)
+    int set;
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s %s\n", c->name, set ? "enable" : "disable",
+						c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+#define	GETTOGGLE(name) (struct togglelist *) \
+		genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+    static int
+toggle(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    int retval = 1;
+    char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'toggle' command.  'toggle ?' for help.\n");
+	return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	c = GETTOGGLE(name);
+	if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\n",
+					name);
+	    return 0;
+	} else if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\n",
+					name);
+	    return 0;
+	} else {
+	    if (c->variable) {
+		*c->variable = !*c->variable;		/* invert it */
+		if (c->actionexplanation) {
+		    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler) {
+		retval &= (*c->handler)(-1);
+	    }
+	}
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+#ifdef	USE_TERMIO
+struct termio new_tc = { 0 };
+#endif
+
+struct setlist {
+    char *name;				/* name */
+    char *help;				/* help information */
+    void (*handler)();
+    cc_t *charp;			/* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef	KLUDGELINEMODE
+    { "echo", 	"character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape",	"character to escape back to telnet command mode", 0, &escape },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "" },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, termFlushCharp },
+    { "interrupt", "character to cause an Interrupt Process", 0, termIntCharp },
+    { "quit",	"character to cause an Abort process", 0, termQuitCharp },
+    { "eof",	"character to cause an EOF ", 0, termEofCharp },
+    { " ", "" },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",	"character to use to erase a character", 0, termEraseCharp },
+    { "kill",	"character to use to erase a line", 0, termKillCharp },
+    { "lnext",	"character to use for literal next", 0, termLiteralNextCharp },
+    { "susp",	"character to cause a Suspend Process", 0, termSuspCharp },
+    { "reprint", "character to use for line reprint", 0, termRprntCharp },
+    { "worderase", "character to use to erase a word", 0, termWerasCharp },
+    { "start",	"character to use for XON", 0, termStartCharp },
+    { "stop",	"character to use for XOFF", 0, termStopCharp },
+    { "forw1",	"alternate end of line character", 0, termForw1Charp },
+    { "forw2",	"alternate end of line character", 0, termForw2Charp },
+    { "ayt",	"alternate AYT character", 0, termAytCharp },
+    { 0 }
+};
+
+#if	defined(CRAY) && !defined(__STDC__)
+/* Work around compiler bug in pcc 4.1.5 */
+    void
+_setlist_init()
+{
+#ifndef	KLUDGELINEMODE
+#define	N 5
+#else
+#define	N 6
+#endif
+	Setlist[N+0].charp = &termFlushChar;
+	Setlist[N+1].charp = &termIntChar;
+	Setlist[N+2].charp = &termQuitChar;
+	Setlist[N+3].charp = &termEofChar;
+	Setlist[N+6].charp = &termEraseChar;
+	Setlist[N+7].charp = &termKillChar;
+	Setlist[N+8].charp = &termLiteralNextChar;
+	Setlist[N+9].charp = &termSuspChar;
+	Setlist[N+10].charp = &termRprntChar;
+	Setlist[N+11].charp = &termWerasChar;
+	Setlist[N+12].charp = &termStartChar;
+	Setlist[N+13].charp = &termStopChar;
+	Setlist[N+14].charp = &termForw1Char;
+	Setlist[N+15].charp = &termForw2Char;
+	Setlist[N+16].charp = &termAytChar;
+#undef	N
+}
+#endif	/* defined(CRAY) && !defined(__STDC__) */
+
+    static struct setlist *
+getset(name)
+    char *name;
+{
+    return (struct setlist *)
+		genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+    void
+set_escape_char(s)
+    char *s;
+{
+	if (rlogin != _POSIX_VDISABLE) {
+		rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet rlogin escape character is '%s'.\n",
+					control(rlogin));
+	} else {
+		escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet escape character is '%s'.\n", control(escape));
+	}
+}
+
+    static int
+setcmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+	printf("Format is 'set Name Value'\n'set ?' for help.\n");
+	return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\n", ct->name, ct->help);
+	printf("\n");
+	settogglehelp(1);
+	printf("%-15s %s\n", "?", "display help information");
+	return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+	c = GETTOGGLE(argv[1]);
+	if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('set ?' for help).\n",
+			argv[1]);
+	    return 0;
+	} else if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+			argv[1]);
+	    return 0;
+	}
+	if (c->variable) {
+	    if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+		*c->variable = 1;
+	    else if (strcmp("off", argv[2]) == 0)
+		*c->variable = 0;
+	    else {
+		printf("Format is 'set togglename [on|off]'\n'set ?' for help.\n");
+		return 0;
+	    }
+	    if (c->actionexplanation) {
+		printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+	    }
+	}
+	if (c->handler)
+	    (*c->handler)(1);
+    } else if (argc != 3) {
+	printf("Format is 'set Name Value'\n'set ?' for help.\n");
+	return 0;
+    } else if (Ambiguous(ct)) {
+	fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+			argv[1]);
+	return 0;
+    } else if (ct->handler) {
+	(*ct->handler)(argv[2]);
+	printf("%s set to \"%s\".\n", ct->name, (char *)ct->charp);
+    } else {
+	if (strcmp("off", argv[2])) {
+	    value = special(argv[2]);
+	} else {
+	    value = _POSIX_VDISABLE;
+	}
+	*(ct->charp) = (cc_t)value;
+	printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+    static int
+unsetcmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct setlist *ct;
+    struct togglelist *c;
+    register char *name;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'unset' command.  'unset ?' for help.\n");
+	return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\n", ct->name, ct->help);
+	printf("\n");
+	settogglehelp(0);
+	printf("%-15s %s\n", "?", "display help information");
+	return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	ct = getset(name);
+	if (ct == 0) {
+	    c = GETTOGGLE(name);
+	    if (c == 0) {
+		fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\n",
+			name);
+		return 0;
+	    } else if (Ambiguous(c)) {
+		fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+			name);
+		return 0;
+	    }
+	    if (c->variable) {
+		*c->variable = 0;
+		if (c->actionexplanation) {
+		    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler)
+		(*c->handler)(0);
+	} else if (Ambiguous(ct)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+			name);
+	    return 0;
+	} else if (ct->handler) {
+	    (*ct->handler)(0);
+	    printf("%s reset to \"%s\".\n", ct->name, (char *)ct->charp);
+	} else {
+	    *(ct->charp) = _POSIX_VDISABLE;
+	    printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+	}
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+
+    static int
+dokludgemode()
+{
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+#endif
+
+    static int
+dolinemode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+    static int
+docharmode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+    static int
+dolmmode(bit, on)
+    int bit, on;
+{
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+	printf("?Need to have LINEMODE option enabled first.\n");
+	printf("'mode ?' for help.\n");
+	return 0;
+    }
+
+    if (on)
+	c = (linemode | bit);
+    else
+	c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+    int
+setmod(bit)
+{
+    return dolmmode(bit, 1);
+}
+
+    int
+clearmode(bit)
+{
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+	char	*name;		/* command name */
+	char	*help;		/* help string */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+	int	arg1;
+};
+
+extern int modehelp();
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",	docharmode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or disable obsolete line-by-line mode)", 0 },
+#endif
+    { "line",	"Enable LINEMODE option",	dolinemode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or enable obsolete line-by-line mode)", 0 },
+#endif
+    { "", "", 0 },
+    { "",	"These require the LINEMODE option to be enabled", 0 },
+    { "isig",	"Enable signal trapping",	setmod, 1, MODE_TRAPSIG },
+    { "+isig",	0,				setmod, 1, MODE_TRAPSIG },
+    { "-isig",	"Disable signal trapping",	clearmode, 1, MODE_TRAPSIG },
+    { "edit",	"Enable character editing",	setmod, 1, MODE_EDIT },
+    { "+edit",	0,				setmod, 1, MODE_EDIT },
+    { "-edit",	"Disable character editing",	clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",	setmod, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,				setmod, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing",	clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", setmod, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,				setmod, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", clearmode, 1, MODE_LIT_ECHO },
+    { "help",	0,				modehelp, 0 },
+#ifdef	KLUDGELINEMODE
+    { "kludgeline", 0,				dokludgemode, 1 },
+#endif
+    { "", "", 0 },
+    { "?",	"Print help information",	modehelp, 0 },
+    { 0 },
+};
+
+
+    int
+modehelp()
+{
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\n\n");
+    for (mt = ModeList; mt->name; mt++) {
+	if (mt->help) {
+	    if (*mt->help)
+		printf("%-15s %s\n", mt->name, mt->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+#define	GETMODECMD(name) (struct modelist *) \
+		genget(name, (char **) ModeList, sizeof(struct modelist))
+
+    static int
+modecmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct modelist *mt;
+
+    if (argc != 2) {
+	printf("'mode' command requires an argument\n");
+	printf("'mode ?' for help.\n");
+    } else if ((mt = GETMODECMD(argv[1])) == 0) {
+	fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\n", argv[1]);
+    } else if (Ambiguous(mt)) {
+	fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\n", argv[1]);
+    } else if (mt->needconnect && !connected) {
+	printf("?Need to be connected first.\n");
+	printf("'mode ?' for help.\n");
+    } else if (mt->handler) {
+	return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+    static int
+display(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct togglelist *tl;
+    struct setlist *sl;
+
+#define	dotog(tl)	if (tl->variable && tl->actionexplanation) { \
+			    if (*tl->variable) { \
+				printf("will"); \
+			    } else { \
+				printf("won't"); \
+			    } \
+			    printf(" %s.\n", tl->actionexplanation); \
+			}
+
+#define	doset(sl)   if (sl->name && *sl->name != ' ') { \
+			if (sl->handler == 0) \
+			    printf("%-15s [%s]\n", sl->name, control(*sl->charp)); \
+			else \
+			    printf("%-15s \"%s\"\n", sl->name, (char *)sl->charp); \
+		    }
+
+    if (argc == 1) {
+	for (tl = Togglelist; tl->name; tl++) {
+	    dotog(tl);
+	}
+	printf("\n");
+	for (sl = Setlist; sl->name; sl++) {
+	    doset(sl);
+	}
+    } else {
+	int i;
+
+	for (i = 1; i < argc; i++) {
+	    sl = getset(argv[i]);
+	    tl = GETTOGGLE(argv[i]);
+	    if (Ambiguous(sl) || Ambiguous(tl)) {
+		printf("?Ambiguous argument '%s'.\n", argv[i]);
+		return 0;
+	    } else if (!sl && !tl) {
+		printf("?Unknown argument '%s'.\n", argv[i]);
+		return 0;
+	    } else {
+		if (tl) {
+		    dotog(tl);
+		}
+		if (sl) {
+		    doset(sl);
+		}
+	    }
+	}
+    }
+/*@*/optionstatus();
+#ifdef	ENCRYPTION
+    EncryptStatus();
+#endif	/* ENCRYPTION */
+    return 1;
+#undef	doset
+#undef	dotog
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+	static int
+setescape(argc, argv)
+	int argc;
+	char *argv[];
+{
+	register char *arg;
+	char buf[50];
+
+	printf(
+	    "Deprecated usage - please use 'set escape%s%s' in the future.\n",
+				(argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+	if (argc > 2)
+		arg = argv[1];
+	else {
+		printf("new escape character: ");
+		(void) fgets(buf, sizeof(buf), stdin);
+		arg = buf;
+	}
+	if (arg[0] != '\0')
+		escape = arg[0];
+	if (!In3270) {
+		printf("Escape character is '%s'.\n", control(escape));
+	}
+	(void) fflush(stdout);
+	return 1;
+}
+
+    /*VARARGS*/
+    static int
+togcrmod()
+{
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\n");
+    printf("%s map carriage return on output.\n", crmod ? "Will" : "Won't");
+    (void) fflush(stdout);
+    return 1;
+}
+
+    /*VARARGS*/
+    int
+suspend()
+{
+#ifdef	SIGTSTP
+    setcommandmode();
+    {
+	long oldrows, oldcols, newrows, newcols, err;
+
+	err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+	(void) kill(0, SIGTSTP);
+	/*
+	 * If we didn't get the window size before the SUSPEND, but we
+	 * can get them now (?), then send the NAWS to make sure that
+	 * we are set up for the right window size.
+	 */
+	if (TerminalWindowSize(&newrows, &newcols) && connected &&
+	    (err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		sendnaws();
+	}
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\n");
+#endif
+    return 1;
+}
+
+#if	!defined(TN3270)
+    /*ARGSUSED*/
+    int
+shell(argc, argv)
+    int argc;
+    char *argv[];
+{
+    long oldrows, oldcols, newrows, newcols, err;
+
+    setcommandmode();
+
+    err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+    switch(vfork()) {
+    case -1:
+	perror("Fork failed\n");
+	break;
+
+    case 0:
+	{
+	    /*
+	     * Fire up the shell in the child.
+	     */
+	    register char *shellp, *shellname;
+	    extern char *strrchr();
+
+	    shellp = getenv("SHELL");
+	    if (shellp == NULL)
+		shellp = "/bin/sh";
+	    if ((shellname = strrchr(shellp, '/')) == 0)
+		shellname = shellp;
+	    else
+		shellname++;
+	    if (argc > 1)
+		execl(shellp, shellname, "-c", &saveline[1], 0);
+	    else
+		execl(shellp, shellname, 0);
+	    perror("Execl");
+	    _exit(1);
+	}
+    default:
+	    (void)wait((int *)0);	/* Wait for the shell to complete */
+
+	    if (TerminalWindowSize(&newrows, &newcols) && connected &&
+		(err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		    sendnaws();
+	    }
+	    break;
+    }
+    return 1;
+}
+#else	/* !defined(TN3270) */
+extern int shell();
+#endif	/* !defined(TN3270) */
+
+    /*VARARGS*/
+    static int
+bye(argc, argv)
+    int  argc;		/* Number of arguments */
+    char *argv[];	/* arguments */
+{
+    extern int resettermname;
+
+    if (connected) {
+	(void) shutdown(net, 2);
+	printf("Connection closed.\n");
+	(void) NetClose(net);
+	connected = 0;
+	resettermname = 1;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
+	/* reset options */
+	tninit();
+#if	defined(TN3270)
+	SetIn3270();		/* Get out of 3270 mode */
+#endif	/* defined(TN3270) */
+    }
+    if ((argc != 2) || (strcmp(argv[1], "fromquit") != 0)) {
+	longjmp(toplevel, 1);
+	/* NOTREACHED */
+    }
+    return 1;			/* Keep lint, etc., happy */
+}
+
+/*VARARGS*/
+	int
+quit()
+{
+	(void) call(bye, "bye", "fromquit", 0);
+	Exit(0);
+	/*NOTREACHED*/
+}
+
+/*VARARGS*/
+	int
+logout()
+{
+	send_do(TELOPT_LOGOUT, 1);
+	(void) netflush();
+	return 1;
+}
+
+
+/*
+ * The SLC command.
+ */
+
+struct slclist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	arg;
+};
+
+static void slc_help();
+
+struct slclist SlcList[] = {
+    { "export",	"Use local special character definitions",
+						slc_mode_export,	0 },
+    { "import",	"Use remote special character definitions",
+						slc_mode_import,	1 },
+    { "check",	"Verify remote special character definitions",
+						slc_mode_import,	0 },
+    { "help",	0,				slc_help,		0 },
+    { "?",	"Print help information",	slc_help,		0 },
+    { 0 },
+};
+
+    static void
+slc_help()
+{
+    struct slclist *c;
+
+    for (c = SlcList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+    static struct slclist *
+getslc(name)
+    char *name;
+{
+    return (struct slclist *)
+		genget(name, (char **) SlcList, sizeof(struct slclist));
+}
+
+    static int
+slccmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct slclist *c;
+
+    if (argc != 2) {
+	fprintf(stderr,
+	    "Need an argument to 'slc' command.  'slc ?' for help.\n");
+	return 0;
+    }
+    c = getslc(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('slc ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('slc ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    (*c->handler)(c->arg);
+    slcstate();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envlist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	narg;
+};
+
+extern struct env_lst *
+	env_define P((unsigned char *, unsigned char *));
+extern void
+	env_undefine P((unsigned char *)),
+	env_export P((unsigned char *)),
+	env_unexport P((unsigned char *)),
+	env_send P((unsigned char *)),
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+	env_varval P((unsigned char *)),
+#endif
+	env_list P((void));
+static void
+	env_help P((void));
+
+struct envlist EnvList[] = {
+    { "define",	"Define an environment variable",
+						(void (*)())env_define,	2 },
+    { "undefine", "Undefine an environment variable",
+						env_undefine,	1 },
+    { "export",	"Mark an environment variable for automatic export",
+						env_export,	1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+						env_unexport,	1 },
+    { "send",	"Send an environment variable", env_send,	1 },
+    { "list",	"List the current environment variables",
+						env_list,	0 },
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+    { "varval", "Reverse VAR and VALUE (auto, right, wrong, status)",
+						env_varval,    1 },
+#endif
+    { "help",	0,				env_help,		0 },
+    { "?",	"Print help information",	env_help,		0 },
+    { 0 },
+};
+
+    static void
+env_help()
+{
+    struct envlist *c;
+
+    for (c = EnvList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+    static struct envlist *
+getenvcmd(name)
+    char *name;
+{
+    return (struct envlist *)
+		genget(name, (char **) EnvList, sizeof(struct envlist));
+}
+
+	int
+env_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct envlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'environ' command.  'environ ?' for help.\n");
+	return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+struct env_lst {
+	struct env_lst *next;	/* pointer to next structure */
+	struct env_lst *prev;	/* pointer to previous structure */
+	unsigned char *var;	/* pointer to variable name */
+	unsigned char *value;	/* pointer to variable value */
+	int export;		/* 1 -> export with default list of variables */
+	int welldefined;	/* A well defined variable */
+};
+
+struct env_lst envlisthead;
+
+	struct env_lst *
+env_find(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		if (strcmp((char *)ep->var, (char *)var) == 0)
+			return(ep);
+	}
+	return(NULL);
+}
+
+	void
+env_init()
+{
+	extern char **environ;
+	register char **epp, *cp;
+	register struct env_lst *ep;
+	extern char *strchr();
+
+	for (epp = environ; *epp; epp++) {
+		if ((cp = strchr(*epp, '='))) {
+			*cp = '\0';
+			ep = env_define((unsigned char *)*epp,
+					(unsigned char *)cp+1);
+			ep->export = 0;
+			*cp = '=';
+		}
+	}
+	/*
+	 * Special case for DISPLAY variable.  If it is ":0.0" or
+	 * "unix:0.0", we have to get rid of "unix" and insert our
+	 * hostname.
+	 */
+	if ((ep = env_find("DISPLAY"))
+	    && ((*ep->value == ':')
+		|| (strncmp((char *)ep->value, "unix:", 5) == 0))) {
+		char hbuf[256+1];
+		char *cp2 = strchr((char *)ep->value, ':');
+
+		gethostname(hbuf, 256);
+		hbuf[256] = '\0';
+		cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
+		sprintf((char *)cp, "%s%s", hbuf, cp2);
+		free(ep->value);
+		ep->value = (unsigned char *)cp;
+	}
+	/*
+	 * If USER is not defined, but LOGNAME is, then add
+	 * USER with the value from LOGNAME.  By default, we
+	 * don't export the USER variable.
+	 */
+	if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+		env_define((unsigned char *)"USER", ep->value);
+		env_unexport((unsigned char *)"USER");
+	}
+	env_export((unsigned char *)"DISPLAY");
+	env_export((unsigned char *)"PRINTER");
+}
+
+	struct env_lst *
+env_define(var, value)
+	unsigned char *var, *value;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+	} else {
+		ep = (struct env_lst *)malloc(sizeof(struct env_lst));
+		ep->next = envlisthead.next;
+		envlisthead.next = ep;
+		ep->prev = &envlisthead;
+		if (ep->next)
+			ep->next->prev = ep;
+	}
+	ep->welldefined = opt_welldefined(var);
+	ep->export = 1;
+	ep->var = (unsigned char *)strdup((char *)var);
+	ep->value = (unsigned char *)strdup((char *)value);
+	return(ep);
+}
+
+	void
+env_undefine(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		ep->prev->next = ep->next;
+		if (ep->next)
+			ep->next->prev = ep->prev;
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+		free(ep);
+	}
+}
+
+	void
+env_export(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 1;
+}
+
+	void
+env_unexport(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 0;
+}
+
+	void
+env_send(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if (my_state_is_wont(TELOPT_NEW_ENVIRON)
+#ifdef	OLD_ENVIRON
+	    && my_state_is_wont(TELOPT_OLD_ENVIRON)
+#endif
+		) {
+		fprintf(stderr,
+		    "Cannot send '%s': Telnet ENVIRON option not enabled\n",
+									var);
+		return;
+	}
+	ep = env_find(var);
+	if (ep == 0) {
+		fprintf(stderr, "Cannot send '%s': variable not defined\n",
+									var);
+		return;
+	}
+	env_opt_start_info();
+	env_opt_add(ep->var);
+	env_opt_end(0);
+}
+
+	void
+env_list()
+{
+	register struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		printf("%c %-20s %s\n", ep->export ? '*' : ' ',
+					ep->var, ep->value);
+	}
+}
+
+	unsigned char *
+env_default(init, welldefined)
+	int init;
+{
+	static struct env_lst *nep = NULL;
+
+	if (init) {
+		nep = &envlisthead;
+		return(NULL);
+	}
+	if (nep) {
+		while ((nep = nep->next)) {
+			if (nep->export && (nep->welldefined == welldefined))
+				return(nep->var);
+		}
+	}
+	return(NULL);
+}
+
+	unsigned char *
+env_getvalue(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		return(ep->value);
+	return(NULL);
+}
+
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+	void
+env_varval(what)
+	unsigned char *what;
+{
+	extern int old_env_var, old_env_value, env_auto;
+	int len = strlen((char *)what);
+
+	if (len == 0)
+		goto unknown;
+
+	if (strncasecmp((char *)what, "status", len) == 0) {
+		if (env_auto)
+			printf("%s%s", "VAR and VALUE are/will be ",
+					"determined automatically\n");
+		if (old_env_var == OLD_ENV_VAR)
+			printf("VAR and VALUE set to correct definitions\n");
+		else
+			printf("VAR and VALUE definitions are reversed\n");
+	} else if (strncasecmp((char *)what, "auto", len) == 0) {
+		env_auto = 1;
+		old_env_var = OLD_ENV_VALUE;
+		old_env_value = OLD_ENV_VAR;
+	} else if (strncasecmp((char *)what, "right", len) == 0) {
+		env_auto = 0;
+		old_env_var = OLD_ENV_VAR;
+		old_env_value = OLD_ENV_VALUE;
+	} else if (strncasecmp((char *)what, "wrong", len) == 0) {
+		env_auto = 0;
+		old_env_var = OLD_ENV_VALUE;
+		old_env_value = OLD_ENV_VAR;
+	} else {
+unknown:
+		printf("Unknown \"varval\" command. (\"auto\", \"right\", \"wrong\", \"status\")\n");
+	}
+}
+#endif
+
+#if	defined(AUTHENTICATION)
+/*
+ * The AUTHENTICATE command.
+ */
+
+struct authlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	narg;
+};
+
+extern int
+	auth_enable P((char *)),
+	auth_disable P((char *)),
+	auth_status P((void));
+static int
+	auth_help P((void));
+
+struct authlist AuthList[] = {
+    { "status",	"Display current status of authentication information",
+						auth_status,	0 },
+    { "disable", "Disable an authentication type ('auth disable ?' for more)",
+						auth_disable,	1 },
+    { "enable", "Enable an authentication type ('auth enable ?' for more)",
+						auth_enable,	1 },
+    { "help",	0,				auth_help,		0 },
+    { "?",	"Print help information",	auth_help,		0 },
+    { 0 },
+};
+
+    static int
+auth_help()
+{
+    struct authlist *c;
+
+    for (c = AuthList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+	int
+auth_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct authlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'auth' command.  'auth ?' for help.\n");
+	return 0;
+    }
+
+    c = (struct authlist *)
+		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'auth %s' command.  'auth ?' for help.\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    return((*c->handler)(argv[2], argv[3]));
+}
+#endif
+
+#ifdef	ENCRYPTION
+/*
+ * The ENCRYPT command.
+ */
+
+struct encryptlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	needconnect;
+	int	minarg;
+	int	maxarg;
+};
+
+extern int
+	EncryptEnable P((char *, char *)),
+	EncryptDisable P((char *, char *)),
+	EncryptType P((char *, char *)),
+	EncryptStart P((char *)),
+	EncryptStartInput P((void)),
+	EncryptStartOutput P((void)),
+	EncryptStop P((char *)),
+	EncryptStopInput P((void)),
+	EncryptStopOutput P((void)),
+	EncryptStatus P((void));
+static int
+	EncryptHelp P((void));
+
+struct encryptlist EncryptList[] = {
+    { "enable", "Enable encryption. ('encrypt enable ?' for more)",
+						EncryptEnable, 1, 1, 2 },
+    { "disable", "Disable encryption. ('encrypt enable ?' for more)",
+						EncryptDisable, 0, 1, 2 },
+    { "type", "Set encryption type. ('encrypt type ?' for more)",
+						EncryptType, 0, 1, 1 },
+    { "start", "Start encryption. ('encrypt start ?' for more)",
+						EncryptStart, 1, 0, 1 },
+    { "stop", "Stop encryption. ('encrypt stop ?' for more)",
+						EncryptStop, 1, 0, 1 },
+    { "input", "Start encrypting the input stream",
+						EncryptStartInput, 1, 0, 0 },
+    { "-input", "Stop encrypting the input stream",
+						EncryptStopInput, 1, 0, 0 },
+    { "output", "Start encrypting the output stream",
+						EncryptStartOutput, 1, 0, 0 },
+    { "-output", "Stop encrypting the output stream",
+						EncryptStopOutput, 1, 0, 0 },
+
+    { "status",	"Display current status of authentication information",
+						EncryptStatus,	0, 0, 0 },
+    { "help",	0,				EncryptHelp,	0, 0, 0 },
+    { "?",	"Print help information",	EncryptHelp,	0, 0, 0 },
+    { 0 },
+};
+
+    static int
+EncryptHelp()
+{
+    struct encryptlist *c;
+
+    for (c = EncryptList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+	int
+encrypt_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct encryptlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'encrypt' command.  'encrypt ?' for help.\n");
+	return 0;
+    }
+
+    c = (struct encryptlist *)
+		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('encrypt ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('encrypt ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    argc -= 2;
+    if (argc < c->minarg || argc > c->maxarg) {
+	if (c->minarg == c->maxarg) {
+	    fprintf(stderr, "Need %s%d argument%s ",
+		c->minarg < argc ? "only " : "", c->minarg,
+		c->minarg == 1 ? "" : "s");
+	} else {
+	    fprintf(stderr, "Need %s%d-%d arguments ",
+		c->maxarg < argc ? "only " : "", c->minarg, c->maxarg);
+	}
+	fprintf(stderr, "to 'encrypt %s' command.  'encrypt ?' for help.\n",
+		c->name);
+	return 0;
+    }
+    if (c->needconnect && !connected) {
+	if (!(argc && (isprefix(argv[2], "help") || isprefix(argv[2], "?")))) {
+	    printf("?Need to be connected first.\n");
+	    return 0;
+	}
+    }
+    return ((*c->handler)(argc > 0 ? argv[2] : 0,
+			argc > 1 ? argv[3] : 0,
+			argc > 2 ? argv[4] : 0));
+}
+#endif	/* ENCRYPTION */
+
+#if	defined(unix) && defined(TN3270)
+    static void
+filestuff(fd)
+    int fd;
+{
+    int res;
+
+#ifdef	F_GETOWN
+    setconnmode(0);
+    res = fcntl(fd, F_GETOWN, 0);
+    setcommandmode();
+
+    if (res == -1) {
+	perror("fcntl");
+	return;
+    }
+    printf("\tOwner is %d.\n", res);
+#endif
+
+    setconnmode(0);
+    res = fcntl(fd, F_GETFL, 0);
+    setcommandmode();
+
+    if (res == -1) {
+	perror("fcntl");
+	return;
+    }
+#ifdef notdef
+    printf("\tFlags are 0x%x: %s\n", res, decodeflags(res));
+#endif
+}
+#endif /* defined(unix) && defined(TN3270) */
+
+/*
+ * Print status about the connection.
+ */
+    /*ARGSUSED*/
+    static int
+status(argc, argv)
+    int	 argc;
+    char *argv[];
+{
+    if (connected) {
+	printf("Connected to %s.\n", hostname);
+	if ((argc < 2) || strcmp(argv[1], "notmuch")) {
+	    int mode = getconnmode();
+
+	    if (my_want_state_is_will(TELOPT_LINEMODE)) {
+		printf("Operating with LINEMODE option\n");
+		printf("%s line editing\n", (mode&MODE_EDIT) ? "Local" : "No");
+		printf("%s catching of signals\n",
+					(mode&MODE_TRAPSIG) ? "Local" : "No");
+		slcstate();
+#ifdef	KLUDGELINEMODE
+	    } else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+		printf("Operating in obsolete linemode\n");
+#endif
+	    } else {
+		printf("Operating in single character mode\n");
+		if (localchars)
+		    printf("Catching signals locally\n");
+	    }
+	    printf("%s character echo\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+	    if (my_want_state_is_will(TELOPT_LFLOW))
+		printf("%s flow control\n", (mode&MODE_FLOW) ? "Local" : "No");
+#ifdef	ENCRYPTION
+	    encrypt_display();
+#endif	/* ENCRYPTION */
+	}
+    } else {
+	printf("No connection.\n");
+    }
+#   if !defined(TN3270)
+    printf("Escape character is '%s'.\n", control(escape));
+    (void) fflush(stdout);
+#   else /* !defined(TN3270) */
+    if ((!In3270) && ((argc < 2) || strcmp(argv[1], "notmuch"))) {
+	printf("Escape character is '%s'.\n", control(escape));
+    }
+#   if defined(unix)
+    if ((argc >= 2) && !strcmp(argv[1], "everything")) {
+	printf("SIGIO received %d time%s.\n",
+				sigiocount, (sigiocount == 1)? "":"s");
+	if (In3270) {
+	    printf("Process ID %d, process group %d.\n",
+					    getpid(), getpgrp(getpid()));
+	    printf("Terminal input:\n");
+	    filestuff(tin);
+	    printf("Terminal output:\n");
+	    filestuff(tout);
+	    printf("Network socket:\n");
+	    filestuff(net);
+	}
+    }
+    if (In3270 && transcom) {
+       printf("Transparent mode command is '%s'.\n", transcom);
+    }
+#   endif /* defined(unix) */
+    (void) fflush(stdout);
+    if (In3270) {
+	return 0;
+    }
+#   endif /* defined(TN3270) */
+    return 1;
+}
+
+#ifdef	SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+	void
+ayt_status()
+{
+    (void) call(status, "status", "notmuch", 0);
+}
+#endif
+
+static const char *
+sockaddr_ntop(sa)
+    struct sockaddr *sa;
+{
+    void *addr;
+    static char addrbuf[INET6_ADDRSTRLEN];
+
+    switch (sa->sa_family) {
+    case AF_INET:
+	addr = &((struct sockaddr_in *)sa)->sin_addr;
+	break;
+#ifdef INET6
+    case AF_INET6:
+	addr = &((struct sockaddr_in6 *)sa)->sin6_addr;
+	break;
+#endif
+    default:
+	return NULL;
+    }
+    inet_ntop(sa->sa_family, addr, addrbuf, sizeof(addrbuf));
+    return addrbuf;
+}
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+static int
+setpolicy(net, res, policy)
+	int net;
+	struct addrinfo *res;
+	char *policy;
+{
+	char *buf;
+	int level;
+	int optname;
+
+	if (policy == NULL)
+		return 0;
+
+	buf = ipsec_set_policy(policy, strlen(policy));
+	if (buf == NULL) {
+		printf("%s\n", ipsec_strerror());
+		return -1;
+	}
+	level = res->ai_family == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
+	optname = res->ai_family == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;
+	if (setsockopt(net, level, optname, buf, ipsec_get_policylen(buf)) < 0){
+		perror("setsockopt");
+		return -1;
+	}
+
+	free(buf);
+}
+#endif
+
+#ifdef INET6
+/*
+ * When an Address Family related error happend, check if retry with
+ * another AF is possible or not.
+ * Return 1, if retry with another af is OK. Else, return 0.
+ */
+static int
+switch_af(aip)
+    struct addrinfo **aip;
+{
+    int nextaf;
+    struct addrinfo *ai;
+
+    ai = *aip;
+    nextaf = (ai->ai_family == AF_INET) ? AF_INET6 : AF_INET;
+    do
+        ai=ai->ai_next;
+    while (ai != NULL && ai->ai_family != nextaf);
+    *aip = ai;
+    if (*aip != NULL) {
+        return 1;
+    }
+    return 0;
+}
+#endif
+
+    int
+tn(argc, argv)
+    int argc;
+    char *argv[];
+{
+    char *srp = 0, *strrchr();
+    int proto, opt;
+    int sourceroute(), srlen;
+    int srcroute = 0, result;
+    char *cmd, *hostp = 0, *portp = 0, *user = 0;
+    char *src_addr = NULL;
+    struct addrinfo hints, *res, *res0 = NULL, *src_res, *src_res0 = NULL;
+    int error = 0, af_error = 0;
+
+    if (connected) {
+	printf("?Already connected to %s\n", hostname);
+	setuid(getuid());
+	return 0;
+    }
+    if (argc < 2) {
+	(void) strcpy(line, "open ");
+	printf("(to) ");
+	(void) fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+	makeargv();
+	argc = margc;
+	argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+	if (strcmp(*argv, "help") == 0 || isprefix(*argv, "?"))
+	    goto usage;
+	if (strcmp(*argv, "-l") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    user = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (strcmp(*argv, "-a") == 0) {
+	    --argc; ++argv;
+	    autologin = 1;
+	    continue;
+	}
+	if (strcmp(*argv, "-s") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    src_addr = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (hostp == 0) {
+	    hostp = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (portp == 0) {
+	    portp = *argv++;
+	    --argc;
+	    continue;
+	}
+    usage:
+	printf("usage: %s [-l user] [-a] [-s src_addr] host-name [port]\n", cmd);
+	setuid(getuid());
+	return 0;
+    }
+    if (hostp == 0)
+	goto usage;
+
+    if (src_addr != NULL) {
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_NUMERICHOST;
+	hints.ai_family = family;
+	hints.ai_socktype = SOCK_STREAM;
+	error = getaddrinfo(src_addr, 0, &hints, &src_res);
+	if (error == EAI_NODATA) {
+		hints.ai_flags = 0;
+		error = getaddrinfo(src_addr, 0, &hints, &src_res);
+	}
+	if (error != 0) {
+		fprintf(stderr, "%s: %s\n", src_addr, gai_strerror(error));
+		if (error == EAI_SYSTEM)
+			fprintf(stderr, "%s: %s\n", src_addr, strerror(errno));
+		setuid(getuid());
+		return 0;
+	}
+	src_res0 = src_res;
+    }
+    if (hostp[0] == '@' || hostp[0] == '!') {
+	if (
+#ifdef INET6
+	    family == AF_INET6 ||
+#endif
+	    (hostname = strrchr(hostp, ':')) == NULL)
+	    hostname = strrchr(hostp, '@');
+	hostname++;
+	srcroute = 1;
+    } else
+        hostname = hostp;
+    if (!portp) {
+      telnetport = 1;
+      portp = "telnet";
+    } else if (*portp == '-') {
+      portp++;
+      telnetport = 1;
+    } else
+      telnetport = 0;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_NUMERICHOST;
+    hints.ai_family = family;
+    hints.ai_socktype = SOCK_STREAM;
+    error = getaddrinfo(hostname, portp, &hints, &res);
+    if (error) {
+        hints.ai_flags = AI_CANONNAME;
+	error = getaddrinfo(hostname, portp, &hints, &res);
+    }
+    if (error != 0) {
+	fprintf(stderr, "%s: %s\n", hostname, gai_strerror(error));
+	if (error == EAI_SYSTEM)
+	    fprintf(stderr, "%s: %s\n", hostname, strerror(errno));
+	setuid(getuid());
+	goto fail;
+    }
+    if (hints.ai_flags == AI_NUMERICHOST) {
+	/* hostname has numeric */
+        int gni_err = 1;
+
+	if (doaddrlookup)
+	    gni_err = getnameinfo(res->ai_addr, res->ai_addr->sa_len,
+				  _hostname, sizeof(_hostname) - 1, NULL, 0,
+				  NI_NAMEREQD);
+	if (gni_err != 0)
+	    (void) strncpy(_hostname, hostp, sizeof(_hostname) - 1);
+	_hostname[sizeof(_hostname)-1] = '\0';
+	hostname = _hostname;
+    } else {
+	/* hostname has FQDN */
+	if (srcroute != 0)
+	    (void) strncpy(_hostname, hostname, sizeof(_hostname) - 1);
+	else if (res->ai_canonname != NULL)
+	  strcpy(_hostname, res->ai_canonname);
+	else
+	  (void) strncpy(_hostname, hostp, sizeof(_hostname) - 1);
+	_hostname[sizeof(_hostname)-1] = '\0';
+	hostname = _hostname;
+    }
+    res0 = res;
+ af_again:
+    if (srcroute != 0) {
+        static char hostbuf[BUFSIZ];
+
+	if (af_error == 0) { /* save intermediate hostnames for retry */
+		strncpy(hostbuf, hostp, BUFSIZ - 1);
+		hostbuf[BUFSIZ - 1] = '\0';
+	} else
+		hostp = hostbuf;
+	srp = 0;
+	result = sourceroute(res, hostp, &srp, &srlen, &proto, &opt);
+	if (result == 0) {
+#ifdef INET6
+	    if (family == AF_UNSPEC && af_error == 0 &&
+		switch_af(&res) == 1) {
+	        af_error = 1;
+		goto af_again;
+	    }
+#endif
+	    setuid(getuid());
+	    goto fail;
+	} else if (result == -1) {
+	    printf("Bad source route option: %s\n", hostp);
+	    setuid(getuid());
+	    goto fail;
+	}
+    }
+    do {
+        printf("Trying %s...\n", sockaddr_ntop(res->ai_addr));
+	net = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+	setuid(getuid());
+	if (net < 0) {
+#ifdef INET6
+	    if (family == AF_UNSPEC && af_error == 0 &&
+		switch_af(&res) == 1) {
+	        af_error = 1;
+		goto af_again;
+	    }
+#endif
+	    perror("telnet: socket");
+	    goto fail;
+	}
+	if (srp && setsockopt(net, proto, opt, (char *)srp, srlen) < 0)
+		perror("setsockopt (source route)");
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	if (res->ai_family == PF_INET) {
+# if	defined(HAS_GETTOS)
+	    struct tosent *tp;
+	    if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+		tos = tp->t_tos;
+# endif
+	    if (tos < 0)
+		tos = 020;	/* Low Delay bit */
+	    if (tos
+		&& (setsockopt(net, IPPROTO_IP, IP_TOS,
+		    (char *)&tos, sizeof(int)) < 0)
+		&& (errno != ENOPROTOOPT))
+		    perror("telnet: setsockopt (IP_TOS) (ignored)");
+	}
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+	if (debug && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0) {
+		perror("setsockopt (SO_DEBUG)");
+	}
+
+	if (src_addr != NULL) {
+	    for (src_res = src_res0; src_res != 0; src_res = src_res->ai_next)
+	        if (src_res->ai_family == res->ai_family)
+		    break;
+	    if (src_res == NULL)
+		src_res = src_res0;
+	    if (bind(net, src_res->ai_addr, src_res->ai_addrlen) == -1) {
+#ifdef INET6
+	        if (family == AF_UNSPEC && af_error == 0 &&
+		    switch_af(&res) == 1) {
+		    af_error = 1;
+		    (void) NetClose(net);
+		    goto af_again;
+		}
+#endif
+		perror("bind");
+		(void) NetClose(net);
+		goto fail;
+	    }
+	}
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+	if (setpolicy(net, res, ipsec_policy_in) < 0) {
+		(void) NetClose(net);
+		goto fail;
+	}
+	if (setpolicy(net, res, ipsec_policy_out) < 0) {
+		(void) NetClose(net);
+		goto fail;
+	}
+#endif
+
+	if (connect(net, res->ai_addr, res->ai_addrlen) < 0) {
+	    struct addrinfo *next;
+
+	    next = res->ai_next;
+	    /* If already an af failed, only try same af. */
+	    if (af_error != 0)
+		while (next != NULL && next->ai_family != res->ai_family)
+		    next = next->ai_next;
+	    warn("connect to address %s", sockaddr_ntop(res->ai_addr));
+	    if (next != NULL) {
+		res = next;
+		(void) NetClose(net);
+		continue;
+	    }
+	    warnx("Unable to connect to remote host");
+	    (void) NetClose(net);
+	    goto fail;
+	}
+	connected++;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
+    } while (connected == 0);
+    freeaddrinfo(res0);
+    if (src_res0 != NULL)
+        freeaddrinfo(src_res0);
+    cmdrc(hostp, hostname);
+    if (autologin && user == NULL) {
+	struct passwd *pw;
+
+	user = getenv("USER");
+	if (user == NULL ||
+	    ((pw = getpwnam(user)) && pw->pw_uid != getuid())) {
+		if ((pw = getpwuid(getuid())))
+			user = pw->pw_name;
+		else
+			user = NULL;
+	}
+    }
+    if (user) {
+	env_define((unsigned char *)"USER", (unsigned char *)user);
+	env_export((unsigned char *)"USER");
+    }
+    (void) call(status, "status", "notmuch", 0);
+    if (setjmp(peerdied) == 0)
+	telnet(user);
+    (void) NetClose(net);
+    ExitString("Connection closed by foreign host.\n",1);
+    /*NOTREACHED*/
+ fail:
+    if (res0 != NULL)
+        freeaddrinfo(res0);
+    if (src_res0 != NULL)
+        freeaddrinfo(src_res0);
+    return 0;
+}
+
+#define HELPINDENT (sizeof ("connect"))
+
+static char
+	openhelp[] =	"connect to a site",
+	closehelp[] =	"close current connection",
+	logouthelp[] =	"forcibly logout remote user and close the connection",
+	quithelp[] =	"exit telnet",
+	statushelp[] =	"print status information",
+	helphelp[] =	"print help information",
+	sendhelp[] =	"transmit special characters ('send ?' for more)",
+	sethelp[] = 	"set operating parameters ('set ?' for more)",
+	unsethelp[] = 	"unset operating parameters ('unset ?' for more)",
+	togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+	slchelp[] =	"change state of special charaters ('slc ?' for more)",
+	displayhelp[] =	"display operating parameters",
+#if	defined(TN3270) && defined(unix)
+	transcomhelp[] = "specify Unix command for transparent mode pipe",
+#endif	/* defined(TN3270) && defined(unix) */
+#if	defined(AUTHENTICATION)
+	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+#endif
+#ifdef	ENCRYPTION
+	encrypthelp[] =	"turn on (off) encryption ('encrypt ?' for more)",
+#endif	/* ENCRYPTION */
+#if	defined(unix)
+	zhelp[] =	"suspend telnet",
+#endif	/* defined(unix) */
+#if	defined(SKEY)
+	skeyhelp[] =    "compute response to s/key challenge",
+#endif
+	shellhelp[] =	"invoke a subshell",
+	envhelp[] =	"change environment variables ('environ ?' for more)",
+	modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static Command cmdtab[] = {
+	{ "close",	closehelp,	bye,		1 },
+	{ "logout",	logouthelp,	logout,		1 },
+	{ "display",	displayhelp,	display,	0 },
+	{ "mode",	modestring,	modecmd,	0 },
+	{ "open",	openhelp,	tn,		0 },
+	{ "quit",	quithelp,	quit,		0 },
+	{ "send",	sendhelp,	sendcmd,	0 },
+	{ "set",	sethelp,	setcmd,		0 },
+	{ "unset",	unsethelp,	unsetcmd,	0 },
+	{ "status",	statushelp,	status,		0 },
+	{ "toggle",	togglestring,	toggle,		0 },
+	{ "slc",	slchelp,	slccmd,		0 },
+#if	defined(TN3270) && defined(unix)
+	{ "transcom",	transcomhelp,	settranscom,	0 },
+#endif	/* defined(TN3270) && defined(unix) */
+#if	defined(AUTHENTICATION)
+	{ "auth",	authhelp,	auth_cmd,	0 },
+#endif
+#ifdef	ENCRYPTION
+	{ "encrypt",	encrypthelp,	encrypt_cmd,	0 },
+#endif	/* ENCRYPTION */
+#if	defined(unix)
+	{ "z",		zhelp,		suspend,	0 },
+#endif	/* defined(unix) */
+#if	defined(TN3270)
+	{ "!",		shellhelp,	shell,		1 },
+#else
+	{ "!",		shellhelp,	shell,		0 },
+#endif
+	{ "environ",	envhelp,	env_cmd,	0 },
+	{ "?",		helphelp,	help,		0 },
+#if	defined(SKEY)
+	{ "skey",       skeyhelp,       skey_calc,      0 },
+#endif		
+	{ 0, 0, 0, 0 }
+};
+
+static char	crmodhelp[] =	"deprecated command -- use 'toggle crmod' instead";
+static char	escapehelp[] =	"deprecated command -- use 'set escape' instead";
+
+static Command cmdtab2[] = {
+	{ "help",	0,		help,		0 },
+	{ "escape",	escapehelp,	setescape,	0 },
+	{ "crmod",	crmodhelp,	togcrmod,	0 },
+	{ 0, 0, 0, 0 }
+};
+
+
+/*
+ * Call routine with argc, argv set from args (terminated by 0).
+ */
+
+    /*VARARGS1*/
+    static int
+call(va_alist)
+    va_dcl
+{
+    va_list ap;
+    typedef int (*intrtn_t)();
+    intrtn_t routine;
+    char *args[100];
+    int argno = 0;
+
+    va_start(ap);
+    routine = (va_arg(ap, intrtn_t));
+    while ((args[argno++] = va_arg(ap, char *)) != 0) {
+	;
+    }
+    va_end(ap);
+    return (*routine)(argno-1, args);
+}
+
+
+    static Command *
+getcmd(name)
+    char *name;
+{
+    Command *cm;
+
+    if ((cm = (Command *) genget(name, (char **) cmdtab, sizeof(Command))))
+	return cm;
+    return (Command *) genget(name, (char **) cmdtab2, sizeof(Command));
+}
+
+    void
+command(top, tbuf, cnt)
+    int top;
+    char *tbuf;
+    int cnt;
+{
+    register Command *c;
+
+    setcommandmode();
+    if (!top) {
+	putchar('\n');
+#if	defined(unix)
+    } else {
+	(void) signal(SIGINT, SIG_DFL);
+	(void) signal(SIGQUIT, SIG_DFL);
+#endif	/* defined(unix) */
+    }
+    for (;;) {
+	if (rlogin == _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	if (tbuf) {
+	    register char *cp;
+	    cp = line;
+	    while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+		cnt--;
+	    tbuf = 0;
+	    if (cp == line || *--cp != '\n' || cp == line)
+		goto getline;
+	    *cp = '\0';
+	    if (rlogin == _POSIX_VDISABLE)
+		printf("%s\n", line);
+	} else {
+	getline:
+	    if (rlogin != _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	    if (fgets(line, sizeof(line), stdin) == NULL) {
+		if (feof(stdin) || ferror(stdin)) {
+		    (void) quit();
+		    /*NOTREACHED*/
+		}
+		break;
+	    }
+	}
+	if (line[0] == 0)
+	    break;
+	makeargv();
+	if (margv[0] == 0) {
+	    break;
+	}
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\n");
+	    continue;
+	}
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first.\n");
+	    continue;
+	}
+	if ((*c->handler)(margc, margv)) {
+	    break;
+	}
+    }
+    if (!top) {
+	if (!connected) {
+	    longjmp(toplevel, 1);
+	    /*NOTREACHED*/
+	}
+#if	defined(TN3270)
+	if (shell_active == 0) {
+	    setconnmode(0);
+	}
+#else	/* defined(TN3270) */
+	setconnmode(0);
+#endif	/* defined(TN3270) */
+    }
+}
+
+/*
+ * Help command.
+ */
+	static int
+help(argc, argv)
+	int argc;
+	char *argv[];
+{
+	register Command *c;
+
+	if (argc == 1) {
+		printf("Commands may be abbreviated.  Commands are:\n\n");
+		for (c = cmdtab; c->name; c++)
+			if (c->help) {
+				printf("%-*s\t%s\n", HELPINDENT, c->name,
+								    c->help);
+			}
+	}
+	else while (--argc > 0) {
+		register char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (Ambiguous(c))
+			printf("?Ambiguous help command %s\n", arg);
+		else if (c == (Command *)0)
+			printf("?Invalid help command %s\n", arg);
+		else
+			printf("%s\n", c->help);
+	}
+	return(0);
+}
+
+static char *rcname = 0;
+static char rcbuf[128];
+
+	void
+cmdrc(m1, m2)
+	char *m1, *m2;
+{
+    register Command *c;
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[64];
+
+    if (skiprc)
+	return;
+
+    strcpy(m1save, m1);
+    m1 = m1save;
+
+    if (rcname == 0) {
+	rcname = getenv("HOME");
+	if (rcname && (strlen(rcname) + 10) < sizeof(rcbuf))
+	    strcpy(rcbuf, rcname);
+	else
+	    rcbuf[0] = '\0';
+	strcat(rcbuf, "/.telnetrc");
+	rcname = rcbuf;
+    }
+
+    if ((rcfile = fopen(rcname, "r")) == 0) {
+	return;
+    }
+
+    for (;;) {
+	if (fgets(line, sizeof(line), rcfile) == NULL)
+	    break;
+	if (line[0] == 0)
+	    break;
+	if (line[0] == '#')
+	    continue;
+	if (gotmachine) {
+	    if (!isspace(line[0]))
+		gotmachine = 0;
+	}
+	if (gotmachine == 0) {
+	    if (isspace(line[0]))
+		continue;
+	    if (strncasecmp(line, m1, l1) == 0)
+		strncpy(line, &line[l1], sizeof(line) - l1);
+	    else if (strncasecmp(line, m2, l2) == 0)
+		strncpy(line, &line[l2], sizeof(line) - l2);
+	    else if (strncasecmp(line, "DEFAULT", 7) == 0)
+		strncpy(line, &line[7], sizeof(line) - 7);
+	    else
+		continue;
+	    if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+		continue;
+	    gotmachine = 1;
+	}
+	makeargv();
+	if (margv[0] == 0)
+	    continue;
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command: %s\n", margv[0]);
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command: %s\n", margv[0]);
+	    continue;
+	}
+	/*
+	 * This should never happen...
+	 */
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first for %s.\n", margv[0]);
+	    continue;
+	}
+	(*c->handler)(margc, margv);
+    }
+    fclose(rcfile);
+}
+
+/*
+ * Source route is handed in as
+ *	[!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *	hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *
+ *	res:	ponter to addrinfo structure which contains sockaddr to
+ *		the host to connect to.
+ *
+ *	arg:	pointer to route list to decipher
+ *
+ *	cpp: 	If *cpp is not equal to NULL, this is a
+ *		pointer to a pointer to a character array
+ *		that should be filled in with the option.
+ *
+ *	lenp:	pointer to an integer that contains the
+ *		length of *cpp if *cpp != NULL.
+ *
+ *	protop:	pointer to an integer that should be filled in with
+ *		appropriate protocol for setsockopt, as socket 
+ *		protocol family.
+ *
+ *	optp:	pointer to an integer that should be filled in with
+ *		appropriate option for setsockopt, as socket protocol
+ *		family.
+ *
+ * Return values:
+ *
+ *	If the return value is 1, then all operations are
+ *	successful. If the
+ *	return value is -1, there was a syntax error in the
+ *	option, either unknown characters, or too many hosts.
+ *	If the return value is 0, one of the hostnames in the
+ *	path is unknown, and *cpp is set to point to the bad
+ *	hostname.
+ *
+ *	*cpp:	If *cpp was equal to NULL, it will be filled
+ *		in with a pointer to our static area that has
+ *		the option filled in.  This will be 32bit aligned.
+ *
+ *	*lenp:	This will be filled in with how long the option
+ *		pointed to by *cpp is.
+ *
+ *	*protop: This will be filled in with appropriate protocol for
+ *		 setsockopt, as socket protocol family.
+ *
+ *	*optp:	This will be filled in with appropriate option for
+ *		setsockopt, as socket protocol family.
+ */
+int
+sourceroute(ai, arg, cpp, lenp, protop, optp)
+	struct addrinfo *ai;
+	char	*arg;
+	char	**cpp;
+	int	*lenp;
+	int	*protop;
+	int	*optp;
+{
+	static char buf[1024 + ALIGNBYTES];	/*XXX*/
+	struct cmsghdr *cmsg;
+#ifdef	sysV88
+	static IOPTN ipopt;
+#endif
+	char *cp, *cp2, *lsrp, *ep;
+	register int tmp;
+	struct sockaddr_in *sin;
+	struct sockaddr_in6 *sin6;
+	struct addrinfo hints, *res;
+	int error;
+	register char c;
+
+	/*
+	 * Verify the arguments, and make sure we have
+	 * at least 7 bytes for the option.
+	 */
+	if (cpp == NULL || lenp == NULL)
+		return -1;
+	if (*cpp != NULL) {
+		switch (res->ai_family) {
+		case AF_INET:
+			if (*lenp < 7)
+				return -1;
+			break;
+#ifdef INET6
+		case AF_INET6:
+			if (*lenp < CMSG_SPACE(sizeof(struct ip6_rthdr) +
+				               sizeof(struct in6_addr)))
+				return -1;
+			break;
+#endif
+		}
+	}
+	/*
+	 * Decide whether we have a buffer passed to us,
+	 * or if we need to use our own static buffer.
+	 */
+	if (*cpp) {
+		lsrp = *cpp;
+		ep = lsrp + *lenp;
+	} else {
+		*cpp = lsrp = (char *)ALIGN(buf);
+		ep = lsrp + 1024;
+	}
+
+	cp = arg;
+
+#ifdef INET6
+	if (ai->ai_family == AF_INET6) {
+		cmsg = inet6_rthdr_init(*cpp, IPV6_RTHDR_TYPE_0);
+		if (*cp != '@')
+			return -1;
+		*protop = IPPROTO_IPV6;
+		*optp = IPV6_PKTOPTIONS;
+	} else
+#endif
+      {
+	/*
+	 * Next, decide whether we have a loose source
+	 * route or a strict source route, and fill in
+	 * the begining of the option.
+	 */
+#ifndef	sysV88
+	if (*cp == '!') {
+		cp++;
+		*lsrp++ = IPOPT_SSRR;
+	} else
+		*lsrp++ = IPOPT_LSRR;
+#else
+	if (*cp == '!') {
+		cp++;
+		ipopt.io_type = IPOPT_SSRR;
+	} else
+		ipopt.io_type = IPOPT_LSRR;
+#endif
+
+	if (*cp != '@')
+		return -1;
+
+#ifndef	sysV88
+	lsrp++;		/* skip over length, we'll fill it in later */
+	*lsrp++ = 4;
+#endif
+	*protop = IPPROTO_IP;
+	*optp = IP_OPTIONS;
+      }
+
+	cp++;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = ai->ai_family;
+	hints.ai_socktype = SOCK_STREAM;
+	for (c = 0;;) {
+		if (
+#ifdef INET6
+		    ai->ai_family != AF_INET6 &&
+#endif
+		    c == ':')
+			cp2 = 0;
+		else for (cp2 = cp; (c = *cp2); cp2++) {
+			if (c == ',') {
+				*cp2++ = '\0';
+				if (*cp2 == '@')
+					cp2++;
+			} else if (c == '@') {
+				*cp2++ = '\0';
+			} else if (
+#ifdef INET6
+				   ai->ai_family != AF_INET6 &&
+#endif
+				   c == ':') {
+				*cp2++ = '\0';
+			} else
+				continue;
+			break;
+		}
+		if (!c)
+			cp2 = 0;
+
+		hints.ai_flags = AI_NUMERICHOST;
+ 		error = getaddrinfo(cp, NULL, &hints, &res);
+		if (error == EAI_NODATA) {
+			hints.ai_flags = 0;
+			error = getaddrinfo(cp, NULL, &hints, &res);
+		}
+		if (error != 0) {
+			fprintf(stderr, "%s: %s\n", cp, gai_strerror(error));
+			if (error == EAI_SYSTEM)
+				fprintf(stderr, "%s: %s\n", cp,
+					strerror(errno));
+			*cpp = cp;
+			return(0);
+		}
+#ifdef INET6
+		if (res->ai_family == AF_INET6) {
+			sin6 = (struct sockaddr_in6 *)res->ai_addr;
+			inet6_rthdr_add(cmsg, &sin6->sin6_addr,
+					IPV6_RTHDR_LOOSE);
+		} else
+#endif
+	      {
+		sin = (struct sockaddr_in *)res->ai_addr;
+		memcpy(lsrp, (char *)&sin->sin_addr, 4);
+		lsrp += 4;
+	      }
+		if (cp2)
+			cp = cp2;
+		else
+			break;
+		/*
+		 * Check to make sure there is space for next address
+		 */
+#ifdef INET6
+		if (res->ai_family == AF_INET6) {
+			if (((char *)CMSG_DATA(cmsg) +
+			     sizeof(struct ip6_rthdr) +
+			     ((inet6_rthdr_segments(cmsg) + 1) *
+			      sizeof(struct in6_addr))) > ep)
+			return -1;
+		} else
+#endif
+		if (lsrp + 4 > ep)
+			return -1;
+		freeaddrinfo(res);
+	}
+#ifdef INET6
+	if (res->ai_family == AF_INET6) {
+		inet6_rthdr_lasthop(cmsg, IPV6_RTHDR_LOOSE);
+		*lenp = cmsg->cmsg_len;
+	} else
+#endif
+      {
+#ifndef	sysV88
+	if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+		*cpp = 0;
+		*lenp = 0;
+		return -1;
+	}
+	*lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+	*lenp = lsrp - *cpp;
+#else
+	ipopt.io_len = lsrp - *cpp;
+	if (ipopt.io_len <= 5) {		/* Is 3 better ? */
+		*cpp = 0;
+		*lenp = 0;
+		return -1;
+	}
+	*lenp = sizeof(ipopt);
+	*cpp = (char *) &ipopt;
+#endif
+      }
+	freeaddrinfo(res);
+	return 1;
+}
+
+
+
diff --git a/crypto/telnet/telnet/defines.h b/crypto/telnet/telnet/defines.h
new file mode 100644
index 0000000..0978173
--- /dev/null
+++ b/crypto/telnet/telnet/defines.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defines.h	8.1 (Berkeley) 6/6/93
+ */
+
+#define	settimer(x)	clocks.x = clocks.system++
+
+#if	!defined(TN3270)
+
+#define	SetIn3270()
+
+#endif	/* !defined(TN3270) */
+
+#define	NETADD(c)	{ *netoring.supply = c; ring_supplied(&netoring, 1); }
+#define	NET2ADD(c1,c2)	{ NETADD(c1); NETADD(c2); }
+#define	NETBYTES()	(ring_full_count(&netoring))
+#define	NETROOM()	(ring_empty_count(&netoring))
+
+#define	TTYADD(c)	if (!(SYNCHing||flushout)) { \
+				*ttyoring.supply = c; \
+				ring_supplied(&ttyoring, 1); \
+			}
+#define	TTYBYTES()	(ring_full_count(&ttyoring))
+#define	TTYROOM()	(ring_empty_count(&ttyoring))
+
+/*	Various modes */
+#define	MODE_LOCAL_CHARS(m)	((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define	MODE_LOCAL_ECHO(m)	((m)&MODE_ECHO)
+#define	MODE_COMMAND_LINE(m)	((m)==-1)
+
+#define	CONTROL(x)	((x)&0x1f)		/* CTRL(x) is not portable */
diff --git a/crypto/telnet/telnet/externs.h b/crypto/telnet/telnet/externs.h
new file mode 100644
index 0000000..46253d9
--- /dev/null
+++ b/crypto/telnet/telnet/externs.h
@@ -0,0 +1,502 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)externs.h	8.3 (Berkeley) 5/30/95
+ *	$FreeBSD$
+ */
+
+#ifndef	BSD
+# define BSD 43
+#endif
+
+/*
+ * ucb stdio.h defines BSD as something wierd
+ */
+#if defined(sun) && defined(__svr4__)
+#define BSD 43
+#endif
+
+#ifndef	USE_TERMIO
+# if BSD > 43 || defined(SYSV_TERMIO)
+#  define USE_TERMIO
+# endif
+#endif
+
+#include <stdio.h>
+#include <setjmp.h>
+#if defined(CRAY) && !defined(NO_BSD_SETJMP)
+#include <bsdsetjmp.h>
+#endif
+#ifndef	FILIO_H
+#include <sys/ioctl.h>
+#else
+#include <sys/filio.h>
+#endif
+#ifdef CRAY
+# include <errno.h>
+#endif /* CRAY */
+#ifdef	USE_TERMIO
+# ifndef	VINTR
+#  ifdef SYSV_TERMIO
+#   include <sys/termio.h>
+#  else
+#   include <sys/termios.h>
+#   define termio termios
+#  endif
+# endif
+#endif
+#if defined(NO_CC_T) || !defined(USE_TERMIO)
+# if !defined(USE_TERMIO)
+typedef char cc_t;
+# else
+typedef unsigned char cc_t;
+# endif
+#endif
+
+#ifndef	NO_STRING_H
+#include <string.h>
+#else
+#include <strings.h>
+#endif
+
+#if defined(IPSEC)
+#include <netinet6/ipsec.h>
+#if defined(IPSEC_POLICY_IPSEC)
+extern char *ipsec_policy_in;
+extern char *ipsec_policy_out;
+#endif
+#endif
+
+#ifndef	_POSIX_VDISABLE
+# ifdef sun
+#  include <sys/param.h>	/* pick up VDISABLE definition, mayby */
+# endif
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((cc_t)'\377')
+# endif
+#endif
+
+#define	SUBBUFSIZE	256
+
+#ifndef CRAY
+extern int errno;		/* outside this world */
+#endif /* !CRAY */
+
+#if	!defined(P)
+# ifdef	__STDC__
+#  define	P(x)	x
+# else
+#  define	P(x)	()
+# endif
+#endif
+
+extern int
+    autologin,		/* Autologin enabled */
+    skiprc,		/* Don't process the ~/.telnetrc file */
+    eight,		/* use eight bit mode (binary in and/or out */
+    family,		/* address family of peer */
+    flushout,		/* flush output */
+    connected,		/* Are we connected to the other side? */
+    globalmode,		/* Mode tty should be in */
+    In3270,		/* Are we in 3270 mode? */
+    telnetport,		/* Are we connected to the telnet port? */
+    localflow,		/* Flow control handled locally */
+    restartany,		/* If flow control, restart output on any character */
+    localchars,		/* we recognize interrupt/quit */
+    donelclchars,	/* the user has set "localchars" */
+    showoptions,
+    net,		/* Network file descriptor */
+    tin,		/* Terminal input file descriptor */
+    tout,		/* Terminal output file descriptor */
+    crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+    autoflush,		/* flush output when interrupting? */
+    autosynch,		/* send interrupt characters with SYNCH? */
+    SYNCHing,		/* Is the stream in telnet SYNCH mode? */
+    donebinarytoggle,	/* the user has put us in binary */
+    dontlecho,		/* do we suppress local echoing right now? */
+    crmod,
+    netdata,		/* Print out network data flow */
+    prettydump,		/* Print "netdata" output in user readable format */
+#if	defined(unix)
+#if	defined(TN3270)
+    cursesdata,		/* Print out curses data flow */
+    apitrace,		/* Trace API transactions */
+#endif	/* defined(TN3270) */
+    termdata,		/* Print out terminal data flow */
+#endif	/* defined(unix) */
+    debug,		/* Debug level */
+    doaddrlookup,	/* do a reverse lookup? */
+    clienteof;		/* Client received EOF */
+
+extern cc_t escape;	/* Escape to command mode */
+extern cc_t rlogin;	/* Rlogin mode escape character */
+#ifdef	KLUDGELINEMODE
+extern cc_t echoc;	/* Toggle local echoing */
+#endif
+
+extern char
+    *prompt;		/* Prompt for command. */
+
+extern char
+    doopt[],
+    dont[],
+    will[],
+    wont[],
+    options[],		/* All the little options */
+    *hostname;		/* Who are we connected to? */
+#ifdef	ENCRYPTION
+extern void (*encrypt_output) P((unsigned char *, int));
+extern int (*decrypt_input) P((int));
+#endif	/* ENCRYPTION */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		{options[opt] |= MY_STATE_DO;}
+#define	set_my_state_will(opt)		{options[opt] |= MY_STATE_WILL;}
+#define	set_my_want_state_do(opt)	{options[opt] |= MY_WANT_STATE_DO;}
+#define	set_my_want_state_will(opt)	{options[opt] |= MY_WANT_STATE_WILL;}
+
+#define	set_my_state_dont(opt)		{options[opt] &= ~MY_STATE_DO;}
+#define	set_my_state_wont(opt)		{options[opt] &= ~MY_STATE_WILL;}
+#define	set_my_want_state_dont(opt)	{options[opt] &= ~MY_WANT_STATE_DO;}
+#define	set_my_want_state_wont(opt)	{options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+
+extern FILE
+    *NetTrace;		/* Where debugging output goes */
+extern unsigned char
+    NetTraceFile[];	/* Name of file where debugging output goes */
+extern void
+    SetNetTrace P((char *));	/* Function to change where debugging goes */
+
+extern jmp_buf
+    peerdied,
+    toplevel;		/* For error conditions. */
+
+extern void
+    command P((int, char *, int)),
+    Dump P((int, unsigned char *, int)),
+    ExitString P((char *, int)),
+    init_3270 P((void)),
+    printoption P((char *, int, int)),
+    printsub P((int, unsigned char *, int)),
+    sendnaws P((void)),
+    setconnmode P((int)),
+    setcommandmode P((void)),
+    setneturg P((void)),
+    sys_telnet_init P((void)),
+    telnet P((char *)),
+    tel_enter_binary P((int)),
+    TerminalFlushOutput P((void)),
+    TerminalNewMode P((int)),
+    TerminalRestoreState P((void)),
+    TerminalSaveState P((void)),
+    tninit P((void)),
+    upcase P((char *)),
+    willoption P((int)),
+    wontoption P((int));
+
+extern void
+    send_do P((int, int)),
+    send_dont P((int, int)),
+    send_will P((int, int)),
+    send_wont P((int, int));
+
+extern void
+    lm_will P((unsigned char *, int)),
+    lm_wont P((unsigned char *, int)),
+    lm_do P((unsigned char *, int)),
+    lm_dont P((unsigned char *, int)),
+    lm_mode P((unsigned char *, int, int));
+
+extern void
+    slc_init P((void)),
+    slcstate P((void)),
+    slc_mode_export P((void)),
+    slc_mode_import P((int)),
+    slc_import P((int)),
+    slc_export P((void)),
+    slc P((unsigned char *, int)),
+    slc_check P((void)),
+    slc_start_reply P((void)),
+    slc_add_reply P((int, int, int)),
+    slc_end_reply P((void));
+extern int
+    NetClose P((int)),
+    netflush P((void)),
+    SetSockOpt P((int, int, int, int)),
+    slc_update P((void)),
+    telrcv P((void)),
+    TerminalWrite P((char *, int)),
+    TerminalAutoFlush P((void)),
+    ttyflush P((int));
+
+extern void
+    env_opt P((unsigned char *, int)),
+    env_opt_start P((void)),
+    env_opt_start_info P((void)),
+    env_opt_add P((unsigned char *)),
+    env_opt_end P((int));
+
+extern unsigned char
+    *env_default P((int, int)),
+    *env_getvalue P((unsigned char *));
+
+extern int
+    get_status P((void)),
+    dosynch P((void));
+
+extern cc_t
+    *tcval P((int));
+
+#ifndef	USE_TERMIO
+
+extern struct	tchars ntc;
+extern struct	ltchars nltc;
+extern struct	sgttyb nttyb;
+
+# define termEofChar		ntc.t_eofc
+# define termEraseChar		nttyb.sg_erase
+# define termFlushChar		nltc.t_flushc
+# define termIntChar		ntc.t_intrc
+# define termKillChar		nttyb.sg_kill
+# define termLiteralNextChar	nltc.t_lnextc
+# define termQuitChar		ntc.t_quitc
+# define termSuspChar		nltc.t_suspc
+# define termRprntChar		nltc.t_rprntc
+# define termWerasChar		nltc.t_werasc
+# define termStartChar		ntc.t_startc
+# define termStopChar		ntc.t_stopc
+# define termForw1Char		ntc.t_brkc
+extern cc_t termForw2Char;
+extern cc_t termAytChar;
+
+# define termEofCharp		(cc_t *)&ntc.t_eofc
+# define termEraseCharp		(cc_t *)&nttyb.sg_erase
+# define termFlushCharp		(cc_t *)&nltc.t_flushc
+# define termIntCharp		(cc_t *)&ntc.t_intrc
+# define termKillCharp		(cc_t *)&nttyb.sg_kill
+# define termLiteralNextCharp	(cc_t *)&nltc.t_lnextc
+# define termQuitCharp		(cc_t *)&ntc.t_quitc
+# define termSuspCharp		(cc_t *)&nltc.t_suspc
+# define termRprntCharp		(cc_t *)&nltc.t_rprntc
+# define termWerasCharp		(cc_t *)&nltc.t_werasc
+# define termStartCharp		(cc_t *)&ntc.t_startc
+# define termStopCharp		(cc_t *)&ntc.t_stopc
+# define termForw1Charp		(cc_t *)&ntc.t_brkc
+# define termForw2Charp		(cc_t *)&termForw2Char
+# define termAytCharp		(cc_t *)&termAytChar
+
+# else
+
+extern struct	termio new_tc;
+
+# define termEofChar		new_tc.c_cc[VEOF]
+# define termEraseChar		new_tc.c_cc[VERASE]
+# define termIntChar		new_tc.c_cc[VINTR]
+# define termKillChar		new_tc.c_cc[VKILL]
+# define termQuitChar		new_tc.c_cc[VQUIT]
+
+# ifndef	VSUSP
+extern cc_t termSuspChar;
+# else
+#  define termSuspChar		new_tc.c_cc[VSUSP]
+# endif
+# if	defined(VFLUSHO) && !defined(VDISCARD)
+#  define VDISCARD VFLUSHO
+# endif
+# ifndef	VDISCARD
+extern cc_t termFlushChar;
+# else
+#  define termFlushChar		new_tc.c_cc[VDISCARD]
+# endif
+# ifndef VWERASE
+extern cc_t termWerasChar;
+# else
+#  define termWerasChar		new_tc.c_cc[VWERASE]
+# endif
+# ifndef	VREPRINT
+extern cc_t termRprntChar;
+# else
+#  define termRprntChar		new_tc.c_cc[VREPRINT]
+# endif
+# ifndef	VLNEXT
+extern cc_t termLiteralNextChar;
+# else
+#  define termLiteralNextChar	new_tc.c_cc[VLNEXT]
+# endif
+# ifndef	VSTART
+extern cc_t termStartChar;
+# else
+#  define termStartChar		new_tc.c_cc[VSTART]
+# endif
+# ifndef	VSTOP
+extern cc_t termStopChar;
+# else
+#  define termStopChar		new_tc.c_cc[VSTOP]
+# endif
+# ifndef	VEOL
+extern cc_t termForw1Char;
+# else
+#  define termForw1Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VEOL2
+extern cc_t termForw2Char;
+# else
+#  define termForw2Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VSTATUS
+extern cc_t termAytChar;
+#else
+#  define termAytChar		new_tc.c_cc[VSTATUS]
+#endif
+
+# if !defined(CRAY) || defined(__STDC__)
+#  define termEofCharp		&termEofChar
+#  define termEraseCharp	&termEraseChar
+#  define termIntCharp		&termIntChar
+#  define termKillCharp		&termKillChar
+#  define termQuitCharp		&termQuitChar
+#  define termSuspCharp		&termSuspChar
+#  define termFlushCharp	&termFlushChar
+#  define termWerasCharp	&termWerasChar
+#  define termRprntCharp	&termRprntChar
+#  define termLiteralNextCharp	&termLiteralNextChar
+#  define termStartCharp	&termStartChar
+#  define termStopCharp		&termStopChar
+#  define termForw1Charp	&termForw1Char
+#  define termForw2Charp	&termForw2Char
+#  define termAytCharp		&termAytChar
+# else
+	/* Work around a compiler bug */
+#  define termEofCharp		0
+#  define termEraseCharp	0
+#  define termIntCharp		0
+#  define termKillCharp		0
+#  define termQuitCharp		0
+#  define termSuspCharp		0
+#  define termFlushCharp	0
+#  define termWerasCharp	0
+#  define termRprntCharp	0
+#  define termLiteralNextCharp	0
+#  define termStartCharp	0
+#  define termStopCharp		0
+#  define termForw1Charp	0
+#  define termForw2Charp	0
+#  define termAytCharp		0
+# endif
+#endif
+
+
+/* Ring buffer structures which are shared */
+
+extern Ring
+    netoring,
+    netiring,
+    ttyoring,
+    ttyiring;
+
+/* Tn3270 section */
+#if	defined(TN3270)
+
+extern int
+    HaveInput,		/* Whether an asynchronous I/O indication came in */
+    noasynchtty,	/* Don't do signals on I/O (SIGURG, SIGIO) */
+    noasynchnet,	/* Don't do signals on I/O (SIGURG, SIGIO) */
+    sigiocount,		/* Count of SIGIO receptions */
+    shell_active;	/* Subshell is active */
+
+extern char
+    *Ibackp,		/* Oldest byte of 3270 data */
+    Ibuf[],		/* 3270 buffer */
+    *Ifrontp,		/* Where next 3270 byte goes */
+    tline[],
+    *transcom;		/* Transparent command */
+
+extern int
+    settranscom P((int, char**));
+
+extern void
+    inputAvailable P((int));
+#endif	/* defined(TN3270) */
diff --git a/crypto/telnet/telnet/fdset.h b/crypto/telnet/telnet/fdset.h
new file mode 100644
index 0000000..045bb72
--- /dev/null
+++ b/crypto/telnet/telnet/fdset.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fdset.h	8.1 (Berkeley) 6/6/93
+ */
+
+/*
+ * The following is defined just in case someone should want to run
+ * this telnet on a 4.2 system.
+ *
+ */
+
+#ifndef	FD_SETSIZE
+
+#define	FD_SET(n, p)	((p)->fds_bits[0] |= (1<<(n)))
+#define	FD_CLR(n, p)	((p)->fds_bits[0] &= ~(1<<(n)))
+#define	FD_ISSET(n, p)	((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)	((p)->fds_bits[0] = 0)
+
+#endif
diff --git a/crypto/telnet/telnet/general.h b/crypto/telnet/telnet/general.h
new file mode 100644
index 0000000..4efa951
--- /dev/null
+++ b/crypto/telnet/telnet/general.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)general.h	8.1 (Berkeley) 6/6/93
+ */
+
+/*
+ * Some general definitions.
+ */
+
+
+#define	numberof(x)	(sizeof x/sizeof x[0])
+#define	highestof(x)	(numberof(x)-1)
+
+#define	ClearElement(x)		memset((char *)&x, 0, sizeof x)
+#define	ClearArray(x)		memset((char *)x, 0, sizeof x)
diff --git a/crypto/telnet/telnet/main.c b/crypto/telnet/telnet/main.c
new file mode 100644
index 0000000..c3d0f5d
--- /dev/null
+++ b/crypto/telnet/telnet/main.c
@@ -0,0 +1,389 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#ifndef lint
+static const char copyright[] =
+"@(#) Copyright (c) 1988, 1990, 1993\n\
+	The Regents of the University of California.  All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+static const char sccsid[] = "@(#)main.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdlib.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/* These values need to be the same as defined in libtelnet/kerberos5.c */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+#if 0
+#define FORWARD
+#endif
+
+void init_terminal(void);
+void init_network(void);
+void init_telnet(void);
+void init_sys(void);
+void init_3270(void);
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+char *ipsec_policy_in = NULL;
+char *ipsec_policy_out = NULL;
+#endif
+
+int family = AF_UNSPEC;
+
+/*
+ * Initialize variables.
+ */
+    void
+tninit()
+{
+    init_terminal();
+
+    init_network();
+
+    init_telnet();
+
+    init_sys();
+
+#if defined(TN3270)
+    init_3270();
+#endif
+}
+
+	void
+usage()
+{
+	fprintf(stderr, "Usage: %s %s%s%s%s\n",
+	    prompt,
+#ifdef	AUTHENTICATION
+	    "[-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-a] [-c] [-d]",
+	    "\n\t[-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] ",
+#else
+	    "[-4] [-6] [-8] [-E] [-L] [-N] [-S tos] [-a] [-c] [-d] [-e char] [-l user]",
+	    "\n\t[-n tracefile] ",
+#endif
+#if defined(TN3270) && defined(unix)
+# ifdef AUTHENTICATION
+	    "[-noasynch] [-noasynctty]\n\t"
+	    "[-noasyncnet] [-r] [-s src_addr] [-t transcom] ",
+# else
+	    "[-noasynch] [-noasynctty] [-noasyncnet] [-r]\n\t"
+	    "[-s src_addr] [-t transcom]",
+# endif
+#else
+	    "[-r] [-s src_addr] ",
+#endif
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+	    "[-P policy]"
+#endif
+#ifdef	ENCRYPTION
+	    "[-x] [host-name [port]]"
+#else	/* ENCRYPTION */
+	    "[host-name [port]]"
+#endif	/* ENCRYPTION */
+	);
+	exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+	int
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+	extern char *optarg;
+	extern int optind;
+	int ch;
+	char *user, *strrchr();
+	char *src_addr = NULL;
+#ifdef	FORWARD
+	extern int forward_flags;
+#endif	/* FORWARD */
+
+	tninit();		/* Clear out things */
+#if	defined(CRAY) && !defined(__STDC__)
+	_setlist_init();	/* Work around compiler bug */
+#endif
+
+	TerminalSaveState();
+
+	if ((prompt = strrchr(argv[0], '/')))
+		++prompt;
+	else
+		prompt = argv[0];
+
+	user = NULL;
+
+	rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+	autologin = -1;
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+#define IPSECOPT	"P:"
+#else
+#define IPSECOPT
+#endif
+	while ((ch = getopt(argc, argv,
+			    "468EKLNS:X:acde:fFk:l:n:rs:t:x" IPSECOPT)) != -1)
+#undef IPSECOPT
+	{
+		switch(ch) {
+		case '4':
+			family = AF_INET;
+			break;
+#ifdef INET6
+		case '6':
+			family = AF_INET6;
+			break;
+#endif
+		case '8':
+			eight = 3;	/* binary output and input */
+			break;
+		case 'E':
+			rlogin = escape = _POSIX_VDISABLE;
+			break;
+		case 'K':
+#ifdef	AUTHENTICATION
+			autologin = 0;
+#endif
+			break;
+		case 'L':
+			eight |= 2;	/* binary output only */
+			break;
+		case 'N':
+			doaddrlookup = 0;
+			break;
+		case 'S':
+		    {
+#ifdef	HAS_GETTOS
+			extern int tos;
+
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				fprintf(stderr, "%s%s%s%s\n",
+					prompt, ": Bad TOS argument '",
+					optarg,
+					"; will try to use default TOS");
+#else
+			fprintf(stderr,
+			   "%s: Warning: -S ignored, no parsetos() support.\n",
+								prompt);
+#endif
+		    }
+			break;
+		case 'X':
+#ifdef	AUTHENTICATION
+			auth_disable_name(optarg);
+#endif
+			break;
+		case 'a':
+			autologin = 1;
+			break;
+		case 'c':
+			skiprc = 1;
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'e':
+			set_escape_char(optarg);
+			break;
+		case 'f':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if (forward_flags & OPTS_FORWARD_CREDS) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -f ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'F':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if (forward_flags & OPTS_FORWARD_CREDS) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+			forward_flags |= OPTS_FORWARDABLE_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -F ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'k':
+#if defined(AUTHENTICATION) && defined(KRB4)
+		    {
+			extern char *dest_realm, dst_realm_buf[], dst_realm_sz;
+			dest_realm = dst_realm_buf;
+			(void)strncpy(dest_realm, optarg, dst_realm_sz);
+		    }
+#else
+			fprintf(stderr,
+			   "%s: Warning: -k ignored, no Kerberos V4 support.\n",
+								prompt);
+#endif
+			break;
+		case 'l':
+			autologin = 1;
+			user = optarg;
+			break;
+		case 'n':
+#if defined(TN3270) && defined(unix)
+			/* distinguish between "-n oasynch" and "-noasynch" */
+			if (argv[optind - 1][0] == '-' && argv[optind - 1][1]
+			    == 'n' && argv[optind - 1][2] == 'o') {
+				if (!strcmp(optarg, "oasynch")) {
+					noasynchtty = 1;
+					noasynchnet = 1;
+				} else if (!strcmp(optarg, "oasynchtty"))
+					noasynchtty = 1;
+				else if (!strcmp(optarg, "oasynchnet"))
+					noasynchnet = 1;
+			} else
+#endif	/* defined(TN3270) && defined(unix) */
+				SetNetTrace(optarg);
+			break;
+		case 'r':
+			rlogin = '~';
+			break;
+		case 's':
+			src_addr = optarg;
+			break;
+		case 't':
+#if defined(TN3270) && defined(unix)
+			transcom = tline;
+			(void)strcpy(transcom, optarg);
+#else
+			fprintf(stderr,
+			   "%s: Warning: -t ignored, no TN3270 support.\n",
+								prompt);
+#endif
+			break;
+		case 'x':
+#ifdef	ENCRYPTION
+			encrypt_auto(1);
+			decrypt_auto(1);
+#else	/* ENCRYPTION */
+			fprintf(stderr,
+			    "%s: Warning: -x ignored, no ENCRYPT support.\n",
+								prompt);
+#endif	/* ENCRYPTION */
+			break;
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+		case 'P':
+			if (!strncmp("in", optarg, 2))
+				ipsec_policy_in = strdup(optarg);
+			else if (!strncmp("out", optarg, 3))
+				ipsec_policy_out = strdup(optarg);
+			else
+				usage();
+			break;
+#endif
+		case '?':
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+	if (autologin == -1)
+		autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc) {
+		char *args[9], **argp = args;
+
+		if (argc > 2)
+			usage();
+		*argp++ = prompt;
+		if (user) {
+			*argp++ = "-l";
+			*argp++ = user;
+		}
+		if (src_addr) {
+			*argp++ = "-s";
+			*argp++ = src_addr;
+		}
+		*argp++ = argv[0];		/* host */
+		if (argc > 1)
+			*argp++ = argv[1];	/* port */
+		*argp = 0;
+
+		if (setjmp(toplevel) != 0)
+			Exit(0);
+		if (tn(argp - args, args) == 1)
+			return (0);
+		else
+			return (1);
+	}
+	(void)setjmp(toplevel);
+	for (;;) {
+#ifdef TN3270
+		if (shell_active)
+			shell_continue();
+		else
+#endif
+			command(1, 0, 0);
+	}
+	return 0;
+}
diff --git a/crypto/telnet/telnet/network.c b/crypto/telnet/telnet/network.c
new file mode 100644
index 0000000..17fff47
--- /dev/null
+++ b/crypto/telnet/telnet/network.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)network.c	8.2 (Berkeley) 12/15/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <errno.h>
+
+#include <arpa/telnet.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "fdset.h"
+
+Ring		netoring, netiring;
+unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
+
+/*
+ * Initialize internal network data structures.
+ */
+
+    void
+init_network()
+{
+    if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) {
+	exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+    int
+stilloob()
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(net, &excepts);
+	value = select(net+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	perror("select");
+	(void) quit();
+	/* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+
+/*
+ *  setneturg()
+ *
+ *	Sets "neturg" to the current location.
+ */
+
+    void
+setneturg()
+{
+    ring_mark(&netoring);
+}
+
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ *
+ *		The return value indicates whether we did any
+ *	useful work.
+ */
+
+
+    int
+netflush()
+{
+    register int n, n1;
+
+#ifdef	ENCRYPTION
+    if (encrypt_output)
+	ring_encrypt(&netoring, encrypt_output);
+#endif	/* ENCRYPTION */
+    if ((n1 = n = ring_full_consecutive(&netoring)) > 0) {
+	if (!ring_at_mark(&netoring)) {
+	    n = send(net, (char *)netoring.consume, n, 0); /* normal write */
+	} else {
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    n = send(net, (char *)netoring.consume, 1, MSG_OOB);/* URGENT data */
+	}
+    }
+    if (n < 0) {
+	if (errno != ENOBUFS && errno != EWOULDBLOCK) {
+	    setcommandmode();
+	    perror(hostname);
+	    (void)NetClose(net);
+	    ring_clear_mark(&netoring);
+	    longjmp(peerdied, -1);
+	    /*NOTREACHED*/
+	}
+	n = 0;
+    }
+    if (netdata && n) {
+	Dump('>', netoring.consume, n);
+    }
+    if (n) {
+	ring_consumed(&netoring, n);
+	/*
+	 * If we sent all, and more to send, then recurse to pick
+	 * up the other half.
+	 */
+	if ((n1 == n) && ring_full_consecutive(&netoring)) {
+	    (void) netflush();
+	}
+	return 1;
+    } else {
+	return 0;
+    }
+}
diff --git a/crypto/telnet/telnet/ring.c b/crypto/telnet/telnet/ring.c
new file mode 100644
index 0000000..268a418
--- /dev/null
+++ b/crypto/telnet/telnet/ring.c
@@ -0,0 +1,369 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)ring.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+
+#include	<stdio.h>
+#include	<errno.h>
+#include	<string.h>
+
+#ifdef	size_t
+#undef	size_t
+#endif
+
+#include	<sys/types.h>
+#ifndef	FILIO_H
+#include	<sys/ioctl.h>
+#endif
+#include	<sys/socket.h>
+
+#include	"ring.h"
+#include	"general.h"
+
+/* Internal macros */
+
+#if	!defined(MIN)
+#define	MIN(a,b)	(((a)<(b))? (a):(b))
+#endif	/* !defined(MIN) */
+
+#define	ring_subtract(d,a,b)	(((a)-(b) >= 0)? \
+					(a)-(b): (((a)-(b))+(d)->size))
+
+#define	ring_increment(d,a,c)	(((a)+(c) < (d)->top)? \
+					(a)+(c) : (((a)+(c))-(d)->size))
+
+#define	ring_decrement(d,a,c)	(((a)-(c) >= (d)->bottom)? \
+					(a)-(c) : (((a)-(c))-(d)->size))
+
+
+/*
+ * The following is a clock, used to determine full, empty, etc.
+ *
+ * There is some trickiness here.  Since the ring buffers are initialized
+ * to ZERO on allocation, we need to make sure, when interpreting the
+ * clock, that when the times are EQUAL, then the buffer is FULL.
+ */
+static u_long ring_clock = 0;
+
+
+#define	ring_empty(d) (((d)->consume == (d)->supply) && \
+				((d)->consumetime >= (d)->supplytime))
+#define	ring_full(d) (((d)->supply == (d)->consume) && \
+				((d)->supplytime > (d)->consumetime))
+
+
+
+
+
+/* Buffer state transition routines */
+
+	int
+    ring_init(ring, buffer, count)
+Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    memset((char *)ring, 0, sizeof *ring);
+
+    ring->size = count;
+
+    ring->supply = ring->consume = ring->bottom = buffer;
+
+    ring->top = ring->bottom+ring->size;
+
+#ifdef	ENCRYPTION
+    ring->clearto = 0;
+#endif	/* ENCRYPTION */
+
+    return 1;
+}
+
+/* Mark routines */
+
+/*
+ * Mark the most recently supplied byte.
+ */
+
+    void
+ring_mark(ring)
+    Ring *ring;
+{
+    ring->mark = ring_decrement(ring, ring->supply, 1);
+}
+
+/*
+ * Is the ring pointing to the mark?
+ */
+
+    int
+ring_at_mark(ring)
+    Ring *ring;
+{
+    if (ring->mark == ring->consume) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * Clear any mark set on the ring.
+ */
+
+    void
+ring_clear_mark(ring)
+    Ring *ring;
+{
+    ring->mark = 0;
+}
+
+/*
+ * Add characters from current segment to ring buffer.
+ */
+    void
+ring_supplied(ring, count)
+    Ring *ring;
+    int count;
+{
+    ring->supply = ring_increment(ring, ring->supply, count);
+    ring->supplytime = ++ring_clock;
+}
+
+/*
+ * We have just consumed "c" bytes.
+ */
+    void
+ring_consumed(ring, count)
+    Ring *ring;
+    int count;
+{
+    if (count == 0)	/* don't update anything */
+	return;
+
+    if (ring->mark &&
+		(ring_subtract(ring, ring->mark, ring->consume) < count)) {
+	ring->mark = 0;
+    }
+#ifdef	ENCRYPTION
+    if (ring->consume < ring->clearto &&
+		ring->clearto <= ring->consume + count)
+	ring->clearto = 0;
+    else if (ring->consume + count > ring->top &&
+		ring->bottom <= ring->clearto &&
+		ring->bottom + ((ring->consume + count) - ring->top))
+	ring->clearto = 0;
+#endif	/* ENCRYPTION */
+    ring->consume = ring_increment(ring, ring->consume, count);
+    ring->consumetime = ++ring_clock;
+    /*
+     * Try to encourage "ring_empty_consecutive()" to be large.
+     */
+    if (ring_empty(ring)) {
+	ring->consume = ring->supply = ring->bottom;
+    }
+}
+
+
+
+/* Buffer state query routines */
+
+
+/* Number of bytes that may be supplied */
+    int
+ring_empty_count(ring)
+    Ring *ring;
+{
+    if (ring_empty(ring)) {	/* if empty */
+	    return ring->size;
+    } else {
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* number of CONSECUTIVE bytes that may be supplied */
+    int
+ring_empty_consecutive(ring)
+    Ring *ring;
+{
+    if ((ring->consume < ring->supply) || ring_empty(ring)) {
+			    /*
+			     * if consume is "below" supply, or empty, then
+			     * return distance to the top
+			     */
+	return ring_subtract(ring, ring->top, ring->supply);
+    } else {
+				    /*
+				     * else, return what we may.
+				     */
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* Return the number of bytes that are available for consuming
+ * (but don't give more than enough to get to cross over set mark)
+ */
+
+    int
+ring_full_count(ring)
+    Ring *ring;
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if (ring_full(ring)) {
+	    return ring->size;	/* nothing consumed, but full */
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	return ring_subtract(ring, ring->mark, ring->consume);
+    }
+}
+
+/*
+ * Return the number of CONSECUTIVE bytes available for consuming.
+ * However, don't return more than enough to cross over set mark.
+ */
+    int
+ring_full_consecutive(ring)
+    Ring *ring;
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if ((ring->supply < ring->consume) || ring_full(ring)) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	if (ring->mark < ring->consume) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {	/* Else, distance to mark */
+	    return ring_subtract(ring, ring->mark, ring->consume);
+	}
+    }
+}
+
+/*
+ * Move data into the "supply" portion of of the ring buffer.
+ */
+    void
+ring_supply_data(ring, buffer, count)
+    Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    int i;
+
+    while (count) {
+	i = MIN(count, ring_empty_consecutive(ring));
+	memmove(ring->supply, buffer, i);
+	ring_supplied(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+
+#ifdef notdef
+
+/*
+ * Move data from the "consume" portion of the ring buffer
+ */
+    void
+ring_consume_data(ring, buffer, count)
+    Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    int i;
+
+    while (count) {
+	i = MIN(count, ring_full_consecutive(ring));
+	memmove(buffer, ring->consume, i);
+	ring_consumed(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+#endif
+
+#ifdef	ENCRYPTION
+    void
+ring_encrypt(ring, encryptor)
+    Ring *ring;
+    void (*encryptor)();
+{
+    unsigned char *s, *c;
+
+    if (ring_empty(ring) || ring->clearto == ring->supply)
+	return;
+
+    if (!(c = ring->clearto))
+	c = ring->consume;
+
+    s = ring->supply;
+
+    if (s <= c) {
+	(*encryptor)(c, ring->top - c);
+	(*encryptor)(ring->bottom, s - ring->bottom);
+    } else
+	(*encryptor)(c, s - c);
+
+    ring->clearto = ring->supply;
+}
+
+    void
+ring_clearto(ring)
+    Ring *ring;
+{
+    if (!ring_empty(ring))
+	ring->clearto = ring->supply;
+    else
+	ring->clearto = 0;
+}
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/telnet/ring.h b/crypto/telnet/telnet/ring.h
new file mode 100644
index 0000000..2a36781
--- /dev/null
+++ b/crypto/telnet/telnet/ring.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ring.h	8.1 (Berkeley) 6/6/93
+ */
+
+#if defined(P)
+# undef P
+#endif
+
+#if defined(__STDC__) || defined(LINT_ARGS)
+# define	P(x)	x
+#else
+# define	P(x)	()
+#endif
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+typedef struct {
+    unsigned char	*consume,	/* where data comes out of */
+			*supply,	/* where data comes in to */
+			*bottom,	/* lowest address in buffer */
+			*top,		/* highest address+1 in buffer */
+			*mark;		/* marker (user defined) */
+#ifdef	ENCRYPTION
+    unsigned char	*clearto;	/* Data to this point is clear text */
+    unsigned char	*encryyptedto;	/* Data is encrypted to here */
+#endif	/* ENCRYPTION */
+    int		size;		/* size in bytes of buffer */
+    u_long	consumetime,	/* help us keep straight full, empty, etc. */
+		supplytime;
+} Ring;
+
+/* Here are some functions and macros to deal with the ring buffer */
+
+/* Initialization routine */
+extern int
+	ring_init P((Ring *ring, unsigned char *buffer, int count));
+
+/* Data movement routines */
+extern void
+	ring_supply_data P((Ring *ring, unsigned char *buffer, int count));
+#ifdef notdef
+extern void
+	ring_consume_data P((Ring *ring, unsigned char *buffer, int count));
+#endif
+
+/* Buffer state transition routines */
+extern void
+	ring_supplied P((Ring *ring, int count)),
+	ring_consumed P((Ring *ring, int count));
+
+/* Buffer state query routines */
+extern int
+	ring_empty_count P((Ring *ring)),
+	ring_empty_consecutive P((Ring *ring)),
+	ring_full_count P((Ring *ring)),
+	ring_full_consecutive P((Ring *ring));
+
+#ifdef	ENCRYPTION
+extern void
+	ring_encrypt P((Ring *ring, void (*func)())),
+	ring_clearto P((Ring *ring));
+#endif	/* ENCRYPTION */
+
+extern void
+    ring_clear_mark(),
+    ring_mark();
diff --git a/crypto/telnet/telnet/sys_bsd.c b/crypto/telnet/telnet/sys_bsd.c
new file mode 100644
index 0000000..aac7c6a
--- /dev/null
+++ b/crypto/telnet/telnet/sys_bsd.c
@@ -0,0 +1,1226 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)sys_bsd.c	8.4 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <signal.h>
+#include <errno.h>
+#include <arpa/telnet.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "fdset.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+
+#if	defined(CRAY) || (defined(USE_TERMIO) && !defined(SYSV_TERMIO))
+#define	SIG_FUNC_RET	void
+#else
+#define	SIG_FUNC_RET	int
+#endif
+
+#ifdef	SIGINFO
+extern SIG_FUNC_RET ayt_status();
+#endif
+
+int
+	tout,			/* Output file descriptor */
+	tin,			/* Input file descriptor */
+	net;
+
+#ifndef	USE_TERMIO
+struct	tchars otc = { 0 }, ntc = { 0 };
+struct	ltchars oltc = { 0 }, nltc = { 0 };
+struct	sgttyb ottyb = { 0 }, nttyb = { 0 };
+int	olmode = 0;
+# define cfgetispeed(ptr)	(ptr)->sg_ispeed
+# define cfgetospeed(ptr)	(ptr)->sg_ospeed
+# define old_tc ottyb
+
+#else	/* USE_TERMIO */
+struct	termio old_tc = { 0 };
+extern struct termio new_tc;
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#  define	cfgetospeed(ptr)	((ptr)->c_cflag&CBAUD)
+#  ifdef CIBAUD
+#   define	cfgetispeed(ptr)	(((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#  else
+#   define	cfgetispeed(ptr)	cfgetospeed(ptr)
+#  endif
+# endif /* TCSANOW */
+# ifdef	sysV88
+# define TIOCFLUSH TC_PX_DRAIN
+# endif
+#endif	/* USE_TERMIO */
+
+static fd_set ibits, obits, xbits;
+
+
+    void
+init_sys()
+{
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+    int
+TerminalWrite(buf, n)
+    char *buf;
+    int  n;
+{
+    return write(tout, buf, n);
+}
+
+    int
+TerminalRead(buf, n)
+    char *buf;
+    int  n;
+{
+    return read(tin, buf, n);
+}
+
+/*
+ *
+ */
+
+    int
+TerminalAutoFlush()
+{
+#if	defined(LNOFLSH)
+    int flush;
+
+    ioctl(0, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);	/* if LNOFLSH, no autoflush */
+#else	/* LNOFLSH */
+    return 1;
+#endif	/* LNOFLSH */
+}
+
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *	0	Don't add this character.
+ *	1	Do add this character
+ */
+
+extern void xmitAO(), xmitEL(), xmitEC(), intp(), sendbrk();
+
+    int
+TerminalSpecialChars(c)
+    int	c;
+{
+    if (c == termIntChar) {
+	intp();
+	return 0;
+    } else if (c == termQuitChar) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return 0;
+    } else if (c == termEofChar) {
+	if (my_want_state_is_will(TELOPT_LINEMODE)) {
+	    sendeof();
+	    return 0;
+	}
+	return 1;
+    } else if (c == termSuspChar) {
+	sendsusp();
+	return(0);
+    } else if (c == termFlushChar) {
+	xmitAO();		/* Transmit Abort Output */
+	return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+	if (c == termKillChar) {
+	    xmitEL();
+	    return 0;
+	} else if (c == termEraseChar) {
+	    xmitEC();		/* Transmit Erase Character */
+	    return 0;
+	}
+    }
+    return 1;
+}
+
+
+/*
+ * Flush output to the terminal
+ */
+
+    void
+TerminalFlushOutput()
+{
+#ifdef	TIOCFLUSH
+    (void) ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    (void) ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+    void
+TerminalSaveState()
+{
+#ifndef	USE_TERMIO
+    ioctl(0, TIOCGETP, (char *)&ottyb);
+    ioctl(0, TIOCGETC, (char *)&otc);
+    ioctl(0, TIOCGLTC, (char *)&oltc);
+    ioctl(0, TIOCLGET, (char *)&olmode);
+
+    ntc = otc;
+    nltc = oltc;
+    nttyb = ottyb;
+
+#else	/* USE_TERMIO */
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef	VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef	VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif	/* USE_TERMIO */
+}
+
+    cc_t *
+tcval(func)
+    register int func;
+{
+    switch(func) {
+    case SLC_IP:	return(&termIntChar);
+    case SLC_ABORT:	return(&termQuitChar);
+    case SLC_EOF:	return(&termEofChar);
+    case SLC_EC:	return(&termEraseChar);
+    case SLC_EL:	return(&termKillChar);
+    case SLC_XON:	return(&termStartChar);
+    case SLC_XOFF:	return(&termStopChar);
+    case SLC_FORW1:	return(&termForw1Char);
+#ifdef	USE_TERMIO
+    case SLC_FORW2:	return(&termForw2Char);
+# ifdef	VDISCARD
+    case SLC_AO:	return(&termFlushChar);
+# endif
+# ifdef	VSUSP
+    case SLC_SUSP:	return(&termSuspChar);
+# endif
+# ifdef	VWERASE
+    case SLC_EW:	return(&termWerasChar);
+# endif
+# ifdef	VREPRINT
+    case SLC_RP:	return(&termRprntChar);
+# endif
+# ifdef	VLNEXT
+    case SLC_LNEXT:	return(&termLiteralNextChar);
+# endif
+# ifdef	VSTATUS
+    case SLC_AYT:	return(&termAytChar);
+# endif
+#endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+	return((cc_t *)0);
+    }
+}
+
+    void
+TerminalDefaultChars()
+{
+#ifndef	USE_TERMIO
+    ntc = otc;
+    nltc = oltc;
+    nttyb.sg_kill = ottyb.sg_kill;
+    nttyb.sg_erase = ottyb.sg_erase;
+#else	/* USE_TERMIO */
+    memmove(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+# ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+# endif
+# ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+# endif
+# ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+# endif
+# ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+# endif
+# ifndef	VSTART
+    termStartChar = CONTROL('Q');
+# endif
+# ifndef	VSTOP
+    termStopChar = CONTROL('S');
+# endif
+# ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+# endif
+#endif	/* USE_TERMIO */
+}
+
+#ifdef notdef
+void
+TerminalRestoreState()
+{
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *	MODE_ECHO: do local terminal echo
+ *	MODE_FLOW: do local flow control
+ *	MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *	MODE_EDIT: do local line editing
+ *
+ *	Command mode:
+ *		MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *		local echo
+ *		local editing
+ *		local xon/xoff
+ *		local signal mapping
+ *
+ *	Linemode:
+ *		local/no editing
+ *	Both Linemode and Single Character mode:
+ *		local/remote echo
+ *		local/no xon/xoff
+ *		local/no signal mapping
+ */
+
+
+    void
+TerminalNewMode(f)
+    register int f;
+{
+    static int prevmode = 0;
+#ifndef	USE_TERMIO
+    struct tchars tc;
+    struct ltchars ltc;
+    struct sgttyb sb;
+    int lmode;
+#else	/* USE_TERMIO */
+    struct termio tmp_tc;
+#endif	/* USE_TERMIO */
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+	return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+#ifndef	USE_TERMIO
+     * We would really like ask the kernel to wait for the output
+     * to drain, like we can do with the TCSADRAIN, but we don't have
+     * that option.  The only ioctl that waits for the output to
+     * drain, TIOCSETP, also flushes the input queue, which is NOT
+     * what we want (TIOCSETP is like TCSADFLUSH).
+#endif
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+#ifdef	USE_TERMIO
+	tcgetattr(tin, &tmp_tc);
+#endif	/* USE_TERMIO */
+	do {
+	    /*
+	     * Wait for data to drain, then flush again.
+	     */
+#ifdef	USE_TERMIO
+	    tcsetattr(tin, TCSADRAIN, &tmp_tc);
+#endif	/* USE_TERMIO */
+	    old = ttyflush(SYNCHing|flushout);
+	} while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+#ifndef	USE_TERMIO
+    sb = nttyb;
+    tc = ntc;
+    ltc = nltc;
+    lmode = olmode;
+#else
+    tmp_tc = new_tc;
+#endif
+
+    if (f&MODE_ECHO) {
+#ifndef	USE_TERMIO
+	sb.sg_flags |= ECHO;
+#else
+	tmp_tc.c_lflag |= ECHO;
+	tmp_tc.c_oflag |= ONLCR;
+	if (crlf)
+		tmp_tc.c_iflag |= ICRNL;
+#endif
+    } else {
+#ifndef	USE_TERMIO
+	sb.sg_flags &= ~ECHO;
+#else
+	tmp_tc.c_lflag &= ~ECHO;
+	tmp_tc.c_oflag &= ~ONLCR;
+# ifdef notdef
+	if (crlf)
+		tmp_tc.c_iflag &= ~ICRNL;
+# endif
+#endif
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+#ifndef	USE_TERMIO
+	tc.t_startc = _POSIX_VDISABLE;
+	tc.t_stopc = _POSIX_VDISABLE;
+#else
+	tmp_tc.c_iflag &= ~(IXOFF|IXON);	/* Leave the IXANY bit alone */
+    } else {
+	if (restartany < 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON;	/* Leave the IXANY bit alone */
+	} else if (restartany > 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON|IXANY;
+	} else {
+		tmp_tc.c_iflag |= IXOFF|IXON;
+		tmp_tc.c_iflag &= ~IXANY;
+	}
+#endif
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+#ifndef	USE_TERMIO
+	tc.t_intrc = _POSIX_VDISABLE;
+	tc.t_quitc = _POSIX_VDISABLE;
+	tc.t_eofc = _POSIX_VDISABLE;
+	ltc.t_suspc = _POSIX_VDISABLE;
+	ltc.t_dsuspc = _POSIX_VDISABLE;
+#else
+	tmp_tc.c_lflag &= ~ISIG;
+#endif
+	localchars = 0;
+    } else {
+#ifdef	USE_TERMIO
+	tmp_tc.c_lflag |= ISIG;
+#endif
+	localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+#ifndef	USE_TERMIO
+	sb.sg_flags &= ~CBREAK;
+	sb.sg_flags |= CRMOD;
+#else
+	tmp_tc.c_lflag |= ICANON;
+#endif
+    } else {
+#ifndef	USE_TERMIO
+	sb.sg_flags |= CBREAK;
+	if (f&MODE_ECHO)
+	    sb.sg_flags |= CRMOD;
+	else
+	    sb.sg_flags &= ~CRMOD;
+#else
+	tmp_tc.c_lflag &= ~ICANON;
+	tmp_tc.c_iflag &= ~ICRNL;
+	tmp_tc.c_cc[VMIN] = 1;
+	tmp_tc.c_cc[VTIME] = 0;
+#endif
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+#ifndef	USE_TERMIO
+	ltc.t_lnextc = _POSIX_VDISABLE;
+#else
+# ifdef VLNEXT
+	tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+# endif
+#endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+#ifndef USE_TERMIO
+	sb.sg_flags |= XTABS;
+#else
+# ifdef	OXTABS
+	tmp_tc.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+	tmp_tc.c_oflag |= TAB3;
+# endif
+#endif
+    } else {
+#ifndef USE_TERMIO
+	sb.sg_flags &= ~XTABS;
+#else
+# ifdef	OXTABS
+	tmp_tc.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+# endif
+#endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+#ifndef USE_TERMIO
+	lmode &= ~LCTLECH;
+#else
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag &= ~ECHOCTL;
+# endif
+#endif
+    } else {
+#ifndef USE_TERMIO
+	lmode |= LCTLECH;
+#else
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag |= ECHOCTL;
+# endif
+#endif
+    }
+
+    if (f == -1) {
+	onoff = 0;
+    } else {
+#ifndef	USE_TERMIO
+	if (f & MODE_OUTBIN)
+		lmode |= LLITOUT;
+	else
+		lmode &= ~LLITOUT;
+
+	if (f & MODE_INBIN)
+		lmode |= LPASS8;
+	else
+		lmode &= ~LPASS8;
+#else
+	if (f & MODE_INBIN)
+		tmp_tc.c_iflag &= ~ISTRIP;
+	else
+		tmp_tc.c_iflag |= ISTRIP;
+	if (f & MODE_OUTBIN) {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= CS8;
+		tmp_tc.c_oflag &= ~OPOST;
+	} else {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+		tmp_tc.c_oflag |= OPOST;
+	}
+#endif
+	onoff = 1;
+    }
+
+    if (f != -1) {
+#ifdef	SIGTSTP
+	SIG_FUNC_RET susp();
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	SIG_FUNC_RET ayt();
+#endif
+
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, susp);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	(void) signal(SIGINFO, ayt);
+#endif
+#if	defined(USE_TERMIO) && defined(NOKERNINFO)
+	tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+	/*
+	 * We don't want to process ^Y here.  It's just another
+	 * character that we'll pass on to the back end.  It has
+	 * to process it because it will be processed when the
+	 * user attempts to read it, not when we send it.
+	 */
+#ifndef	USE_TERMIO
+	ltc.t_dsuspc = _POSIX_VDISABLE;
+#else
+# ifdef	VDSUSP
+	tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+# endif
+#endif
+#ifdef	USE_TERMIO
+	/*
+	 * If the VEOL character is already set, then use VEOL2,
+	 * otherwise use VEOL.
+	 */
+	esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escape;
+	if ((tmp_tc.c_cc[VEOL] != esc)
+# ifdef	VEOL2
+	    && (tmp_tc.c_cc[VEOL2] != esc)
+# endif
+	    ) {
+		if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL] = esc;
+# ifdef	VEOL2
+		else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL2] = esc;
+# endif
+	}
+#else
+	if (tc.t_brkc == (cc_t)(_POSIX_VDISABLE))
+		tc.t_brkc = esc;
+#endif
+    } else {
+#ifdef	SIGINFO
+	SIG_FUNC_RET ayt_status();
+
+	(void) signal(SIGINFO, ayt_status);
+#endif
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, SIG_DFL);
+# ifndef SOLARIS
+	(void) sigsetmask(sigblock(0) & ~(1<<(SIGTSTP-1)));
+# else	SOLARIS
+	(void) sigrelse(SIGTSTP);
+# endif	SOLARIS
+#endif	/* SIGTSTP */
+#ifndef USE_TERMIO
+	ltc = oltc;
+	tc = otc;
+	sb = ottyb;
+	lmode = olmode;
+#else
+	tmp_tc = old_tc;
+#endif
+    }
+#ifndef USE_TERMIO
+    ioctl(tin, TIOCLSET, (char *)&lmode);
+    ioctl(tin, TIOCSLTC, (char *)&ltc);
+    ioctl(tin, TIOCSETC, (char *)&tc);
+    ioctl(tin, TIOCSETN, (char *)&sb);
+#else
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+	tcsetattr(tin, TCSANOW, &tmp_tc);
+#endif
+
+#if	(!defined(TN3270)) || ((!defined(NOT43)) || defined(PUTCHAR))
+# if	!defined(sysV88)
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+# endif
+#endif	/* (!defined(TN3270)) || ((!defined(NOT43)) || defined(PUTCHAR)) */
+#if	defined(TN3270)
+    if (noasynchtty == 0) {
+	ioctl(tin, FIOASYNC, (char *)&onoff);
+    }
+#endif	/* defined(TN3270) */
+
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+#ifndef	B7200
+#define B7200   B4800
+#endif
+
+#ifndef	B14400
+#define B14400  B9600
+#endif
+
+#ifndef	B19200
+# define B19200 B14400
+#endif
+
+#ifndef	B28800
+#define B28800  B19200
+#endif
+
+#ifndef	B38400
+# define B38400 B28800
+#endif
+
+#ifndef B57600
+#define B57600  B38400
+#endif
+
+#ifndef B76800
+#define B76800  B57600
+#endif
+
+#ifndef B115200
+#define B115200 B76800
+#endif
+
+#ifndef B230400
+#define B230400 B115200
+#endif
+
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+	long speed;
+	long value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },   { 7200,  B7200 },  { 9600,   B9600 },
+	{ 14400,  B14400 },  { 19200, B19200 }, { 28800,  B28800 },
+	{ 38400,  B38400 },  { 57600, B57600 }, { 115200, B115200 },
+	{ 230400, B230400 }, { -1,    B230400 }
+};
+#endif	/* DECODE_BAUD */
+
+    void
+TerminalSpeeds(ispeed, ospeed)
+    long *ispeed;
+    long *ospeed;
+{
+#ifdef	DECODE_BAUD
+    register struct termspeeds *tp;
+#endif	/* DECODE_BAUD */
+    register long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+	in = out;
+
+#ifdef	DECODE_BAUD
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+	tp++;
+    *ispeed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+	tp++;
+    *ospeed = tp->speed;
+#else	/* DECODE_BAUD */
+	*ispeed = in;
+	*ospeed = out;
+#endif	/* DECODE_BAUD */
+}
+
+    int
+TerminalWindowSize(rows, cols)
+    long *rows, *cols;
+{
+#ifdef	TIOCGWINSZ
+    struct winsize ws;
+
+    if (ioctl(fileno(stdin), TIOCGWINSZ, (char *)&ws) >= 0) {
+	*rows = ws.ws_row;
+	*cols = ws.ws_col;
+	return 1;
+    }
+#endif	/* TIOCGWINSZ */
+    return 0;
+}
+
+    int
+NetClose(fd)
+    int	fd;
+{
+    return close(fd);
+}
+
+
+    void
+NetNonblockingIO(fd, onoff)
+    int fd;
+    int onoff;
+{
+    ioctl(fd, FIONBIO, (char *)&onoff);
+}
+
+#if	defined(TN3270)
+    void
+NetSigIO(fd, onoff)
+    int fd;
+    int onoff;
+{
+    ioctl(fd, FIOASYNC, (char *)&onoff);	/* hear about input */
+}
+
+    void
+NetSetPgrp(fd)
+    int fd;
+{
+    int myPid;
+
+    myPid = getpid();
+    fcntl(fd, F_SETOWN, myPid);
+}
+#endif	/*defined(TN3270)*/
+
+/*
+ * Various signal handling routines.
+ */
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+deadpeer(sig)
+    int sig;
+{
+	setcommandmode();
+	longjmp(peerdied, -1);
+}
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+intr(sig)
+    int sig;
+{
+    if (localchars) {
+	intp();
+	return;
+    }
+    setcommandmode();
+    longjmp(toplevel, -1);
+}
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+intr2(sig)
+    int sig;
+{
+    if (localchars) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return;
+    }
+}
+
+#ifdef	SIGTSTP
+    /* ARGSUSED */
+    SIG_FUNC_RET
+susp(sig)
+    int sig;
+{
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+	return;
+    if (localchars)
+	sendsusp();
+}
+#endif
+
+#ifdef	SIGWINCH
+    /* ARGSUSED */
+    SIG_FUNC_RET
+sendwin(sig)
+    int sig;
+{
+    if (connected) {
+	sendnaws();
+    }
+}
+#endif
+
+#ifdef	SIGINFO
+    /* ARGSUSED */
+    SIG_FUNC_RET
+ayt(sig)
+    int sig;
+{
+    if (connected)
+	sendayt();
+    else
+	ayt_status();
+}
+#endif
+
+
+    void
+sys_telnet_init()
+{
+    (void) signal(SIGINT, intr);
+    (void) signal(SIGQUIT, intr2);
+    (void) signal(SIGPIPE, deadpeer);
+#ifdef	SIGWINCH
+    (void) signal(SIGWINCH, sendwin);
+#endif
+#ifdef	SIGTSTP
+    (void) signal(SIGTSTP, susp);
+#endif
+#ifdef	SIGINFO
+    (void) signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    NetNonblockingIO(net, 1);
+
+#if	defined(TN3270)
+    if (noasynchnet == 0) {			/* DBX can't handle! */
+	NetSigIO(net, 1);
+	NetSetPgrp(net);
+    }
+#endif	/* defined(TN3270) */
+
+#if	defined(SO_OOBINLINE)
+    if (SetSockOpt(net, SOL_SOCKET, SO_OOBINLINE, 1) == -1) {
+	perror("SetSockOpt");
+    }
+#endif	/* defined(SO_OOBINLINE) */
+}
+
+/*
+ * Process rings -
+ *
+ *	This routine tries to fill up/empty our various rings.
+ *
+ *	The parameter specifies whether this is a poll operation,
+ *	or a block-until-something-happens operation.
+ *
+ *	The return value is 1 if something happened, 0 if not.
+ */
+
+    int
+process_rings(netin, netout, netex, ttyin, ttyout, poll)
+    int poll;		/* If 0, then block until something to do */
+{
+    register int c;
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0 };
+
+    if (netout) {
+	FD_SET(net, &obits);
+    }
+    if (ttyout) {
+	FD_SET(tout, &obits);
+    }
+#if	defined(TN3270)
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+#else	/* defined(TN3270) */
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+#endif	/* defined(TN3270) */
+#if	defined(TN3270)
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#   else /* !defined(TN3270) */
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#   endif /* !defined(TN3270) */
+    if (netex) {
+	FD_SET(net, &xbits);
+    }
+    if ((c = select(16, &ibits, &obits, &xbits,
+			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+	if (c == -1) {
+		    /*
+		     * we can get EINTR if we are in line mode,
+		     * and the user does an escape (TSTP), or
+		     * some other signal generator.
+		     */
+	    if (errno == EINTR) {
+		return 0;
+	    }
+#	    if defined(TN3270)
+		    /*
+		     * we can get EBADF if we were in transparent
+		     * mode, and the transcom process died.
+		    */
+	    if (errno == EBADF) {
+			/*
+			 * zero the bits (even though kernel does it)
+			 * to make sure we are selecting on the right
+			 * ones.
+			*/
+		FD_ZERO(&ibits);
+		FD_ZERO(&obits);
+		FD_ZERO(&xbits);
+		return 0;
+	    }
+#	    endif /* defined(TN3270) */
+		    /* I don't like this, does it ever happen? */
+	    printf("sleep(5) from telnet, after select: %s\r\n", strerror(errno));
+	    sleep(5);
+	}
+	return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+	FD_CLR(net, &xbits);
+	SYNCHing = 1;
+	(void) ttyflush(1);	/* flush already enqueued data */
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+	int canread;
+
+	FD_CLR(net, &ibits);
+	canread = ring_empty_consecutive(&netiring);
+#if	!defined(SO_OOBINLINE)
+	    /*
+	     * In 4.2 (and some early 4.3) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	if (SYNCHing) {
+	    int atmark;
+	    static int bogus_oob = 0, first = 1;
+
+	    ioctl(net, SIOCATMARK, (char *)&atmark);
+	    if (atmark) {
+		c = recv(net, netiring.supply, canread, MSG_OOB);
+		if ((c == -1) && (errno == EINVAL)) {
+		    c = recv(net, netiring.supply, canread, 0);
+		    if (clocks.didnetreceive < clocks.gotDM) {
+			SYNCHing = stilloob(net);
+		    }
+		} else if (first && c > 0) {
+		    /*
+		     * Bogosity check.  Systems based on 4.2BSD
+		     * do not return an error if you do a second
+		     * recv(MSG_OOB).  So, we do one.  If it
+		     * succeeds and returns exactly the same
+		     * data, then assume that we are running
+		     * on a broken system and set the bogus_oob
+		     * flag.  (If the data was different, then
+		     * we probably got some valid new data, so
+		     * increment the count...)
+		     */
+		    int i;
+		    i = recv(net, netiring.supply + c, canread - c, MSG_OOB);
+		    if (i == c &&
+			 memcmp(netiring.supply, netiring.supply + c, i) == 0) {
+			bogus_oob = 1;
+			first = 0;
+		    } else if (i < 0) {
+			bogus_oob = 0;
+			first = 0;
+		    } else
+			c += i;
+		}
+		if (bogus_oob && c > 0) {
+		    int i;
+		    /*
+		     * Bogosity.  We have to do the read
+		     * to clear the atmark to get out of
+		     * an infinate loop.
+		     */
+		    i = read(net, netiring.supply + c, canread - c);
+		    if (i > 0)
+			c += i;
+		}
+	    } else {
+		c = recv(net, netiring.supply, canread, 0);
+	    }
+	} else {
+	    c = recv(net, netiring.supply, canread, 0);
+	}
+	settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE) */
+	c = recv(net, (char *)netiring.supply, canread, 0);
+#endif	/* !defined(SO_OOBINLINE) */
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else if (c <= 0) {
+	    return -1;
+	}
+	if (netdata) {
+	    Dump('<', netiring.supply, c);
+	}
+	if (c)
+	    ring_supplied(&netiring, c);
+	returnValue = 1;
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+	FD_CLR(tin, &ibits);
+	c = TerminalRead(ttyiring.supply, ring_empty_consecutive(&ttyiring));
+	if (c < 0 && errno == EIO)
+	    c = 0;
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else {
+	    /* EOF detection for line mode!!!! */
+	    if ((c == 0) && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+			/* must be an EOF... */
+		*ttyiring.supply = termEofChar;
+		c = 1;
+	    }
+	    if (c <= 0) {
+		return -1;
+	    }
+	    if (termdata) {
+		Dump('<', ttyiring.supply, c);
+	    }
+	    ring_supplied(&ttyiring, c);
+	}
+	returnValue = 1;		/* did something useful */
+    }
+
+    if (FD_ISSET(net, &obits)) {
+	FD_CLR(net, &obits);
+	returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+	FD_CLR(tout, &obits);
+	returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    return returnValue;
+}
diff --git a/crypto/telnet/telnet/telnet.1 b/crypto/telnet/telnet/telnet.1
new file mode 100644
index 0000000..3378d3a
--- /dev/null
+++ b/crypto/telnet/telnet/telnet.1
@@ -0,0 +1,1384 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnet.1	8.6 (Berkeley) 6/1/94
+.\" $FreeBSD$
+.\"
+.Dd January 27, 2000
+.Dt TELNET 1
+.Os BSD 4.2
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 8EFKLNacdfrx
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Op Fl s Ar src_addr
+.Oo
+.Ar host
+.Op port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used to communicate with another host using the 
+.Tn TELNET
+protocol.
+If
+.Nm telnet
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Nm telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Specifies an 8-bit data path.  This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the
+BINARY option to be negotiated on output.
+.It Fl N
+Prevents IP address to name lookup when destination host is given
+as an IP address.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the /etc/iptos file.
+.It Fl X Ar atype 
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file.  (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE
+.It Fl e Ar escape char 
+Sets the initial
+.Nm
+.Nm telnet
+escape character to
+.Ar escape char.
+If
+.Ar escape char
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.ne 1i
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that telnet obtain tickets for the remote host in
+realm realm instead of the remote host's realm, as determined
+by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user 
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable USER.
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile 
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the -e option.
+.It Fl s Ar src_addr
+Set the source IP address for the
+.Nm
+connection to
+.Ar src_addr ,
+which can be an IP address or a host name.
+.It Fl x
+Turns on encryption of the data stream if possible.  This
+option is not available outside of the United States and
+Canada.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+.It Ar port
+Indicates a port number (address of an application).  If a number is
+not specified, the default
+.Nm telnet
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~.  disconnects from the
+remote host; ~ is the telnet escape character.
+Similarly, the line ~^Z suspends the telnet session.
+The line ~^] escapes to the normal telnet escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+While connected to a remote host,
+.Nm telnet
+command mode may be entered by typing the
+.Nm telnet
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm telnet
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode  ,
+.Ic set ,
+.Ic toggle  ,
+.Ic unset ,
+.Ic slc  ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option.  Valid arguments for the
+auth command are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable \&?
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable \&?
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ... 
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the encrypt command are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Ic [input|output]
+Disables the specified type of encryption.  If you
+omit the input and output, both input and output
+are disabled.  To obtain a list of available
+types, use the
+.Ic encrypt disable \&?
+command.
+.It Ic enable Ar type Ic [input|output]
+Enables the specified type of encryption.  If you
+omit input and output, both input and output are
+enabled.  To obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Ic [input|output]
+Attempts to start encryption.  If you omit
+.Ic input
+and
+.Ic output,
+both input and output are enabled.  To
+obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Ic [input|output]
+Stops encryption.  If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments... 
+The
+.Ic environ
+command is used to manipulate the
+the variables that my be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.br
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value.
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable 
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable 
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic \&?
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.ne 1i
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic \&?
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Oo Op Fl l
+.Ar user
+.Oc Ns Oo Fl
+.Ar port Oc
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm telnet
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts  5  ) ,
+an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) ,
+or IPv6 host name or IPv6 coloned-hexadecimal addreess.
+The
+.Op Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm telnet
+omits any automatic initiation of
+.Tn TELNET
+options.  When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened.  Lines beginning with a # are
+comment lines.  Blank lines are ignored.  Lines that begin
+without white space are the start of a machine entry.  The
+first thing on the line is the name of the machine that is
+being connected to.  The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm telnet
+commands and are processed as if they had been typed
+in manually to the
+.Nm telnet
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm telnet  .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments 
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.ne 1i
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic \&?
+to print out help information, including
+a list of known symbolic names.
+.It Ic \&?
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host.  The initial value for the "Are You There"
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Tn TELNET
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "."  closes the connection; when followed by a ^Z it
+suspends the telnet command.  The initial state is to
+disable the rlogin escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.ne 1i
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic \&?
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic skey Ar sequence challenge
+The
+.Ic skey
+command computes a response to the S/Key challenge.
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic \&?
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet  .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.sp
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Tn TELNET
+attempts to use it to perform automatic authentication.  If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Ar a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user  ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof and
+.B suspend
+are sent as
+.Ic eof and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.ne 1i
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Tn TELNET
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn TELNET
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened.  The initial
+value for this toggle is
+.Dv FALSE.
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE.
+Note:  Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic \&? Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Pp
+IPv6 support was added by WIDE/KAME project.
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/telnet/telnet/telnet.c b/crypto/telnet/telnet/telnet.c
new file mode 100644
index 0000000..63fb9d7
--- /dev/null
+++ b/crypto/telnet/telnet/telnet.c
@@ -0,0 +1,2667 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)telnet.c	8.4 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+
+#if	defined(unix)
+#include <signal.h>
+/* By the way, we need to include curses.h before telnet.h since,
+ * among other things, telnet.h #defines 'DO', which is a variable
+ * declared in curses.h.
+ */
+#endif	/* defined(unix) */
+
+#include <arpa/telnet.h>
+
+#include <ctype.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "general.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+
+#define	strip(x) ((my_want_state_is_wont(TELOPT_BINARY)) ? ((x)&0x7f) : (x))
+
+static unsigned char	subbuffer[SUBBUFSIZE],
+			*subpointer, *subend;	 /* buffer for sub-options */
+#define	SB_CLEAR()	subpointer = subbuffer;
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_PEEK()	((*subpointer)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+char	options[256];		/* The combined options */
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+
+int
+	eight = 0,
+	autologin = 0,	/* Autologin anyone? */
+	skiprc = 0,
+	connected,
+	showoptions,
+	In3270,		/* Are we in 3270 mode? */
+	ISend,		/* trying to send network data in */
+	debug = 0,
+	crmod,
+	netdata,	/* Print out network data flow */
+	crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+#if	defined(TN3270)
+	noasynchtty = 0,/* User specified "-noasynch" on command line */
+	noasynchnet = 0,/* User specified "-noasynch" on command line */
+	askedSGA = 0,	/* We have talked about suppress go ahead */
+#endif	/* defined(TN3270) */
+	telnetport,
+	SYNCHing,	/* we are in TELNET SYNCH mode */
+	flushout,	/* flush output */
+	autoflush = 0,	/* flush output when interrupting? */
+	autosynch,	/* send interrupt characters with SYNCH? */
+	localflow,	/* we handle flow control locally */
+	restartany,	/* if flow control enabled, restart on any character */
+	localchars,	/* we recognize interrupt/quit */
+	donelclchars,	/* the user has set "localchars" */
+	donebinarytoggle,	/* the user has put us in binary */
+	dontlecho,	/* do we suppress local echoing right now? */
+	globalmode,
+	doaddrlookup = 1, /* do a reverse address lookup? */
+	clienteof = 0;
+
+char *prompt = 0;
+
+cc_t escape;
+cc_t rlogin;
+#ifdef	KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define	TS_DATA		0
+#define	TS_IAC		1
+#define	TS_WILL		2
+#define	TS_WONT		3
+#define	TS_DO		4
+#define	TS_DONT		5
+#define	TS_CR		6
+#define	TS_SB		7		/* sub-option collection */
+#define	TS_SE		8		/* looking for sub-option end */
+
+static int	telrcv_state;
+#ifdef	OLD_ENVIRON
+unsigned char telopt_environ = TELOPT_NEW_ENVIRON;
+#else
+# define telopt_environ TELOPT_NEW_ENVIRON
+#endif
+
+jmp_buf	toplevel = { 0 };
+jmp_buf	peerdied;
+
+int	flushline;
+int	linemode;
+
+#ifdef	KLUDGELINEMODE
+int	kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+#ifdef	notdef
+Modelist modelist[] = {
+	{ "telnet command mode", COMMAND_LINE },
+	{ "character-at-a-time mode", 0 },
+	{ "character-at-a-time mode (local echo)", LOCAL_ECHO|LOCAL_CHARS },
+	{ "line-by-line mode (remote echo)", LINE | LOCAL_CHARS },
+	{ "line-by-line mode", LINE | LOCAL_ECHO | LOCAL_CHARS },
+	{ "line-by-line mode (local echoing suppressed)", LINE | LOCAL_CHARS },
+	{ "3270 mode", 0 },
+};
+#endif
+
+
+/*
+ * Initialize telnet environment.
+ */
+
+    void
+init_telnet()
+{
+    env_init();
+
+    SB_CLEAR();
+    ClearArray(options);
+
+    connected = In3270 = ISend = localflow = donebinarytoggle = 0;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+    restartany = -1;
+
+    SYNCHing = 0;
+
+    /* Don't change NetTrace */
+
+    escape = CONTROL(']');
+    rlogin = _POSIX_VDISABLE;
+#ifdef	KLUDGELINEMODE
+    echoc = CONTROL('E');
+#endif
+
+    flushline = 1;
+    telrcv_state = TS_DATA;
+}
+
+
+#ifdef	notdef
+#include <varargs.h>
+
+    /*VARARGS*/
+    static void
+printring(va_alist)
+    va_dcl
+{
+    va_list ap;
+    char buffer[100];		/* where things go */
+    char *ptr;
+    char *format;
+    char *string;
+    Ring *ring;
+    int i;
+
+    va_start(ap);
+
+    ring = va_arg(ap, Ring *);
+    format = va_arg(ap, char *);
+    ptr = buffer;
+
+    while ((i = *format++) != 0) {
+	if (i == '%') {
+	    i = *format++;
+	    switch (i) {
+	    case 'c':
+		*ptr++ = va_arg(ap, int);
+		break;
+	    case 's':
+		string = va_arg(ap, char *);
+		ring_supply_data(ring, buffer, ptr-buffer);
+		ring_supply_data(ring, string, strlen(string));
+		ptr = buffer;
+		break;
+	    case 0:
+		ExitString("printring: trailing %%.\n", 1);
+		/*NOTREACHED*/
+	    default:
+		ExitString("printring: unknown format character.\n", 1);
+		/*NOTREACHED*/
+	    }
+	} else {
+	    *ptr++ = i;
+	}
+    }
+    ring_supply_data(ring, buffer, ptr-buffer);
+}
+#endif
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+    void
+send_do(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+				my_want_state_is_do(c))
+	    return;
+	set_my_want_state_do(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DO);
+    NETADD(c);
+    printoption("SENT", DO, c);
+}
+
+    void
+send_dont(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+				my_want_state_is_dont(c))
+	    return;
+	set_my_want_state_dont(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DONT);
+    NETADD(c);
+    printoption("SENT", DONT, c);
+}
+
+    void
+send_will(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+				my_want_state_is_will(c))
+	    return;
+	set_my_want_state_will(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WILL);
+    NETADD(c);
+    printoption("SENT", WILL, c);
+}
+
+    void
+send_wont(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+				my_want_state_is_wont(c))
+	    return;
+	set_my_want_state_wont(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WONT);
+    NETADD(c);
+    printoption("SENT", WONT, c);
+}
+
+
+	void
+willoption(option)
+	int option;
+{
+	int new_state_ok = 0;
+
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_do(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_ECHO:
+#	    if defined(TN3270)
+		/*
+		 * The following is a pain in the rear-end.
+		 * Various IBM servers (some versions of Wiscnet,
+		 * possibly Fibronics/Spartacus, and who knows who
+		 * else) will NOT allow us to send "DO SGA" too early
+		 * in the setup proceedings.  On the other hand,
+		 * 4.2 servers (telnetd) won't set SGA correctly.
+		 * So, we are stuck.  Empirically (but, based on
+		 * a VERY small sample), the IBM servers don't send
+		 * out anything about ECHO, so we postpone our sending
+		 * "DO SGA" until we see "WILL ECHO" (which 4.2 servers
+		 * DO send).
+		  */
+		{
+		    if (askedSGA == 0) {
+			askedSGA = 1;
+			if (my_want_state_is_dont(TELOPT_SGA))
+			    send_do(TELOPT_SGA, 1);
+		    }
+		}
+		    /* Fall through */
+	    case TELOPT_EOR:
+#endif	    /* defined(TN3270) */
+	    case TELOPT_BINARY:
+	    case TELOPT_SGA:
+		settimer(modenegotiated);
+		/* FALL THROUGH */
+	    case TELOPT_STATUS:
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+#endif
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+#endif /* ENCRYPTION */
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		/*
+		 * Special case for TM.  If we get back a WILL,
+		 * pretend we got back a WONT.
+		 */
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;			/* Never reply to TM will's/wont's */
+
+	    case TELOPT_LINEMODE:
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_do(option);
+		send_do(option, 0);
+		setconnmode(0);		/* possibly set new tty mode */
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	}
+	set_my_state_do(option);
+#ifdef	ENCRYPTION
+	if (option == TELOPT_ENCRYPT)
+		encrypt_send_support();
+#endif	/* ENCRYPTION */
+}
+
+	void
+wontoption(option)
+	int option;
+{
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_dont(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+
+	    switch (option) {
+
+#ifdef	KLUDGELINEMODE
+	    case TELOPT_SGA:
+		if (!kludgelinemode)
+		    break;
+		/* FALL THROUGH */
+#endif
+	    case TELOPT_ECHO:
+		settimer(modenegotiated);
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;		/* Never reply to TM will's/wont's */
+
+	    default:
+		break;
+	    }
+	    set_my_want_state_dont(option);
+	    if (my_state_is_do(option))
+		send_dont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	} else if (option == TELOPT_TM) {
+	    /*
+	     * Special case for TM.
+	     */
+	    if (flushout)
+		flushout = 0;
+	    set_my_want_state_dont(option);
+	}
+	set_my_state_dont(option);
+}
+
+	static void
+dooption(option)
+	int option;
+{
+	int new_state_ok = 0;
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_will(option))
+		--will_wont_resp[option];
+	}
+
+	if (will_wont_resp[option] == 0) {
+	  if (my_want_state_is_wont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_TM:
+		/*
+		 * Special case for TM.  We send a WILL, but pretend
+		 * we sent WONT.
+		 */
+		send_will(option, 0);
+		set_my_want_state_wont(TELOPT_TM);
+		set_my_state_wont(TELOPT_TM);
+		return;
+
+#	if defined(TN3270)
+	    case TELOPT_EOR:		/* end of record */
+#	endif	/* defined(TN3270) */
+	    case TELOPT_BINARY:		/* binary mode */
+	    case TELOPT_NAWS:		/* window size */
+	    case TELOPT_TSPEED:		/* terminal speed */
+	    case TELOPT_LFLOW:		/* local flow control */
+	    case TELOPT_TTYPE:		/* terminal type option */
+	    case TELOPT_SGA:		/* no big deal */
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:	/* encryption variable option */
+#endif	/* ENCRYPTION */
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_NEW_ENVIRON:	/* New environment variable option */
+#ifdef	OLD_ENVIRON
+		if (my_state_is_will(TELOPT_OLD_ENVIRON))
+			send_wont(TELOPT_OLD_ENVIRON, 1); /* turn off the old */
+		goto env_common;
+	    case TELOPT_OLD_ENVIRON:	/* Old environment variable option */
+		if (my_state_is_will(TELOPT_NEW_ENVIRON))
+			break;		/* Don't enable if new one is in use! */
+	    env_common:
+		telopt_environ = option;
+#endif
+		new_state_ok = 1;
+		break;
+
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+		if (autologin)
+			new_state_ok = 1;
+		break;
+#endif
+
+	    case TELOPT_XDISPLOC:	/* X Display location */
+		if (env_getvalue((unsigned char *)"DISPLAY"))
+		    new_state_ok = 1;
+		break;
+
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_want_state_will(TELOPT_LINEMODE);
+		send_will(option, 0);
+		set_my_state_will(TELOPT_LINEMODE);
+		slc_init();
+		return;
+
+	    case TELOPT_ECHO:		/* We're never going to echo... */
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_will(option);
+		send_will(option, 0);
+		setconnmode(0);			/* Set new tty mode */
+	    } else {
+		will_wont_resp[option]++;
+		send_wont(option, 0);
+	    }
+	  } else {
+	    /*
+	     * Handle options that need more things done after the
+	     * other side has acknowledged the option.
+	     */
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_state_will(option);
+		slc_init();
+		send_do(TELOPT_SGA, 0);
+		return;
+	    }
+	  }
+	}
+	set_my_state_will(option);
+}
+
+	static void
+dontoption(option)
+	int option;
+{
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_wont(option))
+		--will_wont_resp[option];
+	}
+
+	if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+		linemode = 0;	/* put us back to the default state */
+		break;
+#ifdef	OLD_ENVIRON
+	    case TELOPT_NEW_ENVIRON:
+		/*
+		 * The new environ option wasn't recognized, try
+		 * the old one.
+		 */
+		send_will(TELOPT_OLD_ENVIRON, 1);
+		telopt_environ = TELOPT_OLD_ENVIRON;
+		break;
+#endif
+	    }
+	    /* we always accept a DONT */
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	}
+	set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+static char *name_unknown = "UNKNOWN";
+static char *unknown[] = { 0, 0 };
+
+	char **
+mklist(buf, name)
+	char *buf, *name;
+{
+	register int n;
+	register char c, *cp, **argvp, *cp2, **argv, **avt;
+
+	if (name) {
+		if ((int)strlen(name) > 40) {
+			name = 0;
+			unknown[0] = name_unknown;
+		} else {
+			unknown[0] = name;
+			upcase(name);
+		}
+	} else
+		unknown[0] = name_unknown;
+	/*
+	 * Count up the number of names.
+	 */
+	for (n = 1, cp = buf; *cp && *cp != ':'; cp++) {
+		if (*cp == '|')
+			n++;
+	}
+	/*
+	 * Allocate an array to put the name pointers into
+	 */
+	argv = (char **)malloc((n+3)*sizeof(char *));
+	if (argv == 0)
+		return(unknown);
+
+	/*
+	 * Fill up the array of pointers to names.
+	 */
+	*argv = 0;
+	argvp = argv+1;
+	n = 0;
+	for (cp = cp2 = buf; (c = *cp);  cp++) {
+		if (c == '|' || c == ':') {
+			*cp++ = '\0';
+			/*
+			 * Skip entries that have spaces or are over 40
+			 * characters long.  If this is our environment
+			 * name, then put it up front.  Otherwise, as
+			 * long as this is not a duplicate name (case
+			 * insensitive) add it to the list.
+			 */
+			if (n || (cp - cp2 > 41))
+				;
+			else if (name && (strncasecmp(name, cp2, cp-cp2) == 0))
+				*argv = cp2;
+			else if (is_unique(cp2, argv+1, argvp))
+				*argvp++ = cp2;
+			if (c == ':')
+				break;
+			/*
+			 * Skip multiple delimiters. Reset cp2 to
+			 * the beginning of the next name. Reset n,
+			 * the flag for names with spaces.
+			 */
+			while ((c = *cp) == '|')
+				cp++;
+			cp2 = cp;
+			n = 0;
+		}
+		/*
+		 * Skip entries with spaces or non-ascii values.
+		 * Convert lower case letters to upper case.
+		 */
+		if ((c == ' ') || !isascii(c))
+			n = 1;
+		else if (islower(c))
+			*cp = toupper(c);
+	}
+
+	/*
+	 * Check for an old V6 2 character name.  If the second
+	 * name points to the beginning of the buffer, and is
+	 * only 2 characters long, move it to the end of the array.
+	 */
+	if ((argv[1] == buf) && (strlen(argv[1]) == 2)) {
+		--argvp;
+		for (avt = &argv[1]; avt < argvp; avt++)
+			*avt = *(avt+1);
+		*argvp++ = buf;
+	}
+
+	/*
+	 * Duplicate last name, for TTYPE option, and null
+	 * terminate the array.  If we didn't find a match on
+	 * our terminal name, put that name at the beginning.
+	 */
+	cp = *(argvp-1);
+	*argvp++ = cp;
+	*argvp = 0;
+
+	if (*argv == 0) {
+		if (name)
+			*argv = name;
+		else {
+			--argvp;
+			for (avt = argv; avt < argvp; avt++)
+				*avt = *(avt+1);
+		}
+	}
+	if (*argv)
+		return(argv);
+	else
+		return(unknown);
+}
+
+	int
+is_unique(name, as, ae)
+	register char *name, **as, **ae;
+{
+	register char **ap;
+	register int n;
+
+	n = strlen(name) + 1;
+	for (ap = as; ap < ae; ap++)
+		if (strncasecmp(*ap, name, n) == 0)
+			return(0);
+	return (1);
+}
+
+#ifdef	TERMCAP
+char termbuf[1024];
+
+	/*ARGSUSED*/
+	int
+setupterm(tname, fd, errp)
+	char *tname;
+	int fd, *errp;
+{
+	if (tgetent(termbuf, tname) == 1) {
+		termbuf[1023] = '\0';
+		if (errp)
+			*errp = 1;
+		return(0);
+	}
+	if (errp)
+		*errp = 0;
+	return(-1);
+}
+#else
+#define	termbuf	ttytype
+extern char ttytype[];
+#endif
+
+int resettermname = 1;
+
+	char *
+gettermname()
+{
+	char *tname;
+	static char **tnamep = 0;
+	static char **next;
+	int err;
+
+	if (resettermname) {
+		resettermname = 0;
+		if (tnamep && tnamep != unknown)
+			free(tnamep);
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+				(setupterm(tname, 1, &err) == 0)) {
+			tnamep = mklist(termbuf, tname);
+		} else {
+			if (tname && ((int)strlen(tname) <= 40)) {
+				unknown[0] = tname;
+				upcase(tname);
+			} else
+				unknown[0] = name_unknown;
+			tnamep = unknown;
+		}
+		next = tnamep;
+	}
+	if (*next == 0)
+		next = tnamep;
+	return(*next++);
+}
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *		Terminal type, send request.
+ *		Terminal speed (send request).
+ *		Local flow control (is request).
+ *		Linemode
+ */
+
+    static void
+suboption()
+{
+    unsigned char subchar;
+
+    printsub('<', subbuffer, SB_LEN()+2);
+    switch (subchar = SB_GET()) {
+    case TELOPT_TTYPE:
+	if (my_want_state_is_wont(TELOPT_TTYPE))
+	    return;
+	if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+	    return;
+	} else {
+	    char *name;
+	    unsigned char temp[50];
+	    int len;
+
+#if	defined(TN3270)
+	    if (tn3270_ttype()) {
+		return;
+	    }
+#endif	/* defined(TN3270) */
+	    name = gettermname();
+	    len = strlen(name) + 4 + 2;
+	    if (len < NETROOM()) {
+		sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+				TELQUAL_IS, name, IAC, SE);
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', &temp[2], len-2);
+	    } else {
+		ExitString("No room in buffer for terminal type.\n", 1);
+		/*NOTREACHED*/
+	    }
+	}
+	break;
+    case TELOPT_TSPEED:
+	if (my_want_state_is_wont(TELOPT_TSPEED))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    long ospeed, ispeed;
+	    unsigned char temp[50];
+	    int len;
+
+	    TerminalSpeeds(&ispeed, &ospeed);
+
+	    sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+		    TELQUAL_IS, ospeed, ispeed, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+    case TELOPT_LFLOW:
+	if (my_want_state_is_wont(TELOPT_LFLOW))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch(SB_GET()) {
+	case LFLOW_RESTART_ANY:
+	    restartany = 1;
+	    break;
+	case LFLOW_RESTART_XON:
+	    restartany = 0;
+	    break;
+	case LFLOW_ON:
+	    localflow = 1;
+	    break;
+	case LFLOW_OFF:
+	    localflow = 0;
+	    break;
+	default:
+	    return;
+	}
+	setcommandmode();
+	setconnmode(0);
+	break;
+
+    case TELOPT_LINEMODE:
+	if (my_want_state_is_wont(TELOPT_LINEMODE))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch (SB_GET()) {
+	case WILL:
+	    lm_will(subpointer, SB_LEN());
+	    break;
+	case WONT:
+	    lm_wont(subpointer, SB_LEN());
+	    break;
+	case DO:
+	    lm_do(subpointer, SB_LEN());
+	    break;
+	case DONT:
+	    lm_dont(subpointer, SB_LEN());
+	    break;
+	case LM_SLC:
+	    slc(subpointer, SB_LEN());
+	    break;
+	case LM_MODE:
+	    lm_mode(subpointer, SB_LEN(), 0);
+	    break;
+	default:
+	    break;
+	}
+	break;
+
+#ifdef	OLD_ENVIRON
+    case TELOPT_OLD_ENVIRON:
+#endif
+    case TELOPT_NEW_ENVIRON:
+	if (SB_EOF())
+	    return;
+	switch(SB_PEEK()) {
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+	    if (my_want_state_is_dont(subchar))
+		return;
+	    break;
+	case TELQUAL_SEND:
+	    if (my_want_state_is_wont(subchar)) {
+		return;
+	    }
+	    break;
+	default:
+	    return;
+	}
+	env_opt(subpointer, SB_LEN());
+	break;
+
+    case TELOPT_XDISPLOC:
+	if (my_want_state_is_wont(TELOPT_XDISPLOC))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    unsigned char temp[50], *dp;
+	    int len;
+
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+		/*
+		 * Something happened, we no longer have a DISPLAY
+		 * variable.  So, turn off the option.
+		 */
+		send_wont(TELOPT_XDISPLOC, 1);
+		break;
+	    }
+	    sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+		    TELQUAL_IS, dp, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION: {
+		if (!autologin)
+			break;
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case TELQUAL_IS:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_is(subpointer, SB_LEN());
+			break;
+		case TELQUAL_SEND:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_send(subpointer, SB_LEN());
+			break;
+		case TELQUAL_REPLY:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_reply(subpointer, SB_LEN());
+			break;
+		case TELQUAL_NAME:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_name(subpointer, SB_LEN());
+			break;
+		}
+	}
+	break;
+#endif
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case ENCRYPT_START:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_END:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_end();
+			break;
+		case ENCRYPT_SUPPORT:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_support(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQSTART:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_request_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQEND:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			/*
+			 * We can always send an REQEND so that we cannot
+			 * get stuck encrypting.  We should only get this
+			 * if we have been able to get in the correct mode
+			 * anyhow.
+			 */
+			encrypt_request_end();
+			break;
+		case ENCRYPT_IS:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_is(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REPLY:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_reply(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_ENC_KEYID:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_enc_keyid(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_DEC_KEYID:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_dec_keyid(subpointer, SB_LEN());
+			break;
+		default:
+			break;
+		}
+		break;
+#endif	/* ENCRYPTION */
+    default:
+	break;
+    }
+}
+
+static unsigned char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+    void
+lm_will(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_will: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	str_lm[3] = DONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_will: not enough room in buffer\n");
+	break;
+    }
+}
+
+    void
+lm_wont(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_wont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	/* We are always DONT, so don't respond */
+	return;
+    }
+}
+
+    void
+lm_do(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_do: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	str_lm[3] = WONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_do: not enough room in buffer\n");
+	break;
+    }
+}
+
+    void
+lm_dont(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_dont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	/* we are always WONT, so don't respond */
+	break;
+    }
+}
+
+static unsigned char str_lm_mode[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_MODE, 0, IAC, SE
+};
+
+	void
+lm_mode(cmd, len, init)
+	unsigned char *cmd;
+	int len, init;
+{
+	if (len != 1)
+		return;
+	if ((linemode&MODE_MASK&~MODE_ACK) == *cmd)
+		return;
+	if (*cmd&MODE_ACK)
+		return;
+	linemode = *cmd&(MODE_MASK&~MODE_ACK);
+	str_lm_mode[4] = linemode;
+	if (!init)
+	    str_lm_mode[4] |= MODE_ACK;
+	if (NETROOM() > sizeof(str_lm_mode)) {
+	    ring_supply_data(&netoring, str_lm_mode, sizeof(str_lm_mode));
+	    printsub('>', &str_lm_mode[2], sizeof(str_lm_mode)-2);
+	}
+/*@*/	else printf("lm_mode: not enough room in buffer\n");
+	setconnmode(0);	/* set changed mode */
+}
+
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+	cc_t val;
+	cc_t *valp;
+	char flags;	/* Current flags & level */
+	char mylevel;	/* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT	0
+#define	SLC_EXPORT	1
+#define SLC_RVALUE	2
+static int slc_mode = SLC_EXPORT;
+
+	void
+slc_init()
+{
+	register struct spc *spcp;
+
+	localchars = 1;
+	for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+		spcp->val = 0;
+		spcp->valp = 0;
+		spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+	}
+
+#define	initfunc(func, flags) { \
+					spcp = &spc_data[func]; \
+					if ((spcp->valp = tcval(func))) { \
+					    spcp->val = *spcp->valp; \
+					    spcp->mylevel = SLC_VARIABLE|flags; \
+					} else { \
+					    spcp->val = 0; \
+					    spcp->mylevel = SLC_DEFAULT; \
+					} \
+				    }
+
+	initfunc(SLC_SYNCH, 0);
+	/* No BRK */
+	initfunc(SLC_AO, 0);
+	initfunc(SLC_AYT, 0);
+	/* No EOR */
+	initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+	initfunc(SLC_EOF, 0);
+#ifndef	SYSV_TERMIO
+	initfunc(SLC_SUSP, SLC_FLUSHIN);
+#endif
+	initfunc(SLC_EC, 0);
+	initfunc(SLC_EL, 0);
+#ifndef	SYSV_TERMIO
+	initfunc(SLC_EW, 0);
+	initfunc(SLC_RP, 0);
+	initfunc(SLC_LNEXT, 0);
+#endif
+	initfunc(SLC_XON, 0);
+	initfunc(SLC_XOFF, 0);
+#ifdef	SYSV_TERMIO
+	spc_data[SLC_XON].mylevel = SLC_CANTCHANGE;
+	spc_data[SLC_XOFF].mylevel = SLC_CANTCHANGE;
+#endif
+	initfunc(SLC_FORW1, 0);
+#ifdef	USE_TERMIO
+	initfunc(SLC_FORW2, 0);
+	/* No FORW2 */
+#endif
+
+	initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef	initfunc
+
+	if (slc_mode == SLC_EXPORT)
+		slc_export();
+	else
+		slc_import(1);
+
+}
+
+    void
+slcstate()
+{
+    printf("Special characters are %s values\n",
+		slc_mode == SLC_IMPORT ? "remote default" :
+		slc_mode == SLC_EXPORT ? "local" :
+					 "remote");
+}
+
+    void
+slc_mode_export()
+{
+    slc_mode = SLC_EXPORT;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_export();
+}
+
+    void
+slc_mode_import(def)
+    int def;
+{
+    slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_import(def);
+}
+
+unsigned char slc_import_val[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE
+};
+unsigned char slc_import_def[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE
+};
+
+    void
+slc_import(def)
+    int def;
+{
+    if (NETROOM() > sizeof(slc_import_val)) {
+	if (def) {
+	    ring_supply_data(&netoring, slc_import_def, sizeof(slc_import_def));
+	    printsub('>', &slc_import_def[2], sizeof(slc_import_def)-2);
+	} else {
+	    ring_supply_data(&netoring, slc_import_val, sizeof(slc_import_val));
+	    printsub('>', &slc_import_val[2], sizeof(slc_import_val)-2);
+	}
+    }
+/*@*/ else printf("slc_import: not enough room\n");
+}
+
+    void
+slc_export()
+{
+    register struct spc *spcp;
+
+    TerminalDefaultChars();
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->mylevel != SLC_NOSUPPORT) {
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    if (spcp->valp)
+		spcp->val = *spcp->valp;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    (void)slc_update();
+    setconnmode(1);	/* Make sure the character values are set */
+}
+
+	void
+slc(cp, len)
+	register unsigned char *cp;
+	int len;
+{
+	register struct spc *spcp;
+	register int func,level;
+
+	slc_start_reply();
+
+	for (; len >= 3; len -=3, cp +=3) {
+
+		func = cp[SLC_FUNC];
+
+		if (func == 0) {
+			/*
+			 * Client side: always ignore 0 function.
+			 */
+			continue;
+		}
+		if (func > NSLC) {
+			if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+				slc_add_reply(func, SLC_NOSUPPORT, 0);
+			continue;
+		}
+
+		spcp = &spc_data[func];
+
+		level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+
+		if ((cp[SLC_VALUE] == (unsigned char)spcp->val) &&
+		    ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+			continue;
+		}
+
+		if (level == (SLC_DEFAULT|SLC_ACK)) {
+			/*
+			 * This is an error condition, the SLC_ACK
+			 * bit should never be set for the SLC_DEFAULT
+			 * level.  Our best guess to recover is to
+			 * ignore the SLC_ACK bit.
+			 */
+			cp[SLC_FLAGS] &= ~SLC_ACK;
+		}
+
+		if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+			spcp->val = (cc_t)cp[SLC_VALUE];
+			spcp->flags = cp[SLC_FLAGS];	/* include SLC_ACK */
+			continue;
+		}
+
+		level &= ~SLC_ACK;
+
+		if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+			spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+			spcp->val = (cc_t)cp[SLC_VALUE];
+		}
+		if (level == SLC_DEFAULT) {
+			if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+				spcp->flags = spcp->mylevel;
+			else
+				spcp->flags = SLC_NOSUPPORT;
+		}
+		slc_add_reply(func, spcp->flags, spcp->val);
+	}
+	slc_end_reply();
+	if (slc_update())
+		setconnmode(1);	/* set the  new character values */
+}
+
+    void
+slc_check()
+{
+    register struct spc *spcp;
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->valp && spcp->val != *spcp->valp) {
+	    spcp->val = *spcp->valp;
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+	void
+slc_start_reply()
+{
+	slc_replyp = slc_reply;
+	*slc_replyp++ = IAC;
+	*slc_replyp++ = SB;
+	*slc_replyp++ = TELOPT_LINEMODE;
+	*slc_replyp++ = LM_SLC;
+}
+
+	void
+slc_add_reply(func, flags, value)
+	unsigned char func;
+	unsigned char flags;
+	cc_t value;
+{
+	if ((*slc_replyp++ = func) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = flags) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = (unsigned char)value) == IAC)
+		*slc_replyp++ = IAC;
+}
+
+    void
+slc_end_reply()
+{
+    register int len;
+
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len = slc_replyp - slc_reply;
+    if (len <= 6)
+	return;
+    if (NETROOM() > len) {
+	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+    }
+/*@*/else printf("slc_end_reply: not enough room\n");
+}
+
+	int
+slc_update()
+{
+	register struct spc *spcp;
+	int need_update = 0;
+
+	for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+		if (!(spcp->flags&SLC_ACK))
+			continue;
+		spcp->flags &= ~SLC_ACK;
+		if (spcp->valp && (*spcp->valp != spcp->val)) {
+			*spcp->valp = spcp->val;
+			need_update = 1;
+		}
+	}
+	return(need_update);
+}
+
+#ifdef	OLD_ENVIRON
+# ifdef	ENV_HACK
+/*
+ * Earlier version of telnet/telnetd from the BSD code had
+ * the definitions of VALUE and VAR reversed.  To ensure
+ * maximum interoperability, we assume that the server is
+ * an older BSD server, until proven otherwise.  The newer
+ * BSD servers should be able to handle either definition,
+ * so it is better to use the wrong values if we don't
+ * know what type of server it is.
+ */
+int env_auto = 1;
+int old_env_var = OLD_ENV_VAR;
+int old_env_value = OLD_ENV_VALUE;
+# else
+#  define old_env_var OLD_ENV_VAR
+#  define old_env_value OLD_ENV_VALUE
+# endif
+#endif
+
+	void
+env_opt(buf, len)
+	register unsigned char *buf;
+	register int len;
+{
+	register unsigned char *ep = 0, *epc = 0;
+	register int i;
+
+	switch(buf[0]&0xff) {
+	case TELQUAL_SEND:
+		env_opt_start();
+		if (len == 1) {
+			env_opt_add(NULL);
+		} else for (i = 1; i < len; i++) {
+			switch (buf[i]&0xff) {
+#ifdef	OLD_ENVIRON
+			case OLD_ENV_VAR:
+# ifdef	ENV_HACK
+				if (telopt_environ == TELOPT_OLD_ENVIRON
+				    && env_auto) {
+					/* Server has the same definitions */
+					old_env_var = OLD_ENV_VAR;
+					old_env_value = OLD_ENV_VALUE;
+				}
+				/* FALL THROUGH */
+# endif
+			case OLD_ENV_VALUE:
+				/*
+				 * Although OLD_ENV_VALUE is not legal, we will
+				 * still recognize it, just in case it is an
+				 * old server that has VAR & VALUE mixed up...
+				 */
+				/* FALL THROUGH */
+#else
+			case NEW_ENV_VAR:
+#endif
+			case ENV_USERVAR:
+				if (ep) {
+					*epc = 0;
+					env_opt_add(ep);
+				}
+				ep = epc = &buf[i+1];
+				break;
+			case ENV_ESC:
+				i++;
+				/*FALL THROUGH*/
+			default:
+				if (epc)
+					*epc++ = buf[i];
+				break;
+			}
+		}
+		if (ep) {
+			*epc = 0;
+			env_opt_add(ep);
+		}
+		env_opt_end(1);
+		break;
+
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+		/* Ignore for now.  We shouldn't get it anyway. */
+		break;
+
+	default:
+		break;
+	}
+}
+
+#define	OPT_REPLY_SIZE	256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+	void
+env_opt_start()
+{
+	if (opt_reply)
+		opt_reply = (unsigned char *)realloc(opt_reply, OPT_REPLY_SIZE);
+	else
+		opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+	if (opt_reply == NULL) {
+/*@*/		printf("env_opt_start: malloc()/realloc() failed!!!\n");
+		opt_reply = opt_replyp = opt_replyend = NULL;
+		return;
+	}
+	opt_replyp = opt_reply;
+	opt_replyend = opt_reply + OPT_REPLY_SIZE;
+	*opt_replyp++ = IAC;
+	*opt_replyp++ = SB;
+	*opt_replyp++ = telopt_environ;
+	*opt_replyp++ = TELQUAL_IS;
+}
+
+	void
+env_opt_start_info()
+{
+	env_opt_start();
+	if (opt_replyp)
+	    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+	void
+env_opt_add(ep)
+	register unsigned char *ep;
+{
+	register unsigned char *vp, c;
+
+	if (opt_reply == NULL)		/*XXX*/
+		return;			/*XXX*/
+
+	if (ep == NULL || *ep == '\0') {
+		/* Send user defined variables first. */
+		env_default(1, 0);
+		while ((ep = env_default(0, 0)))
+			env_opt_add(ep);
+
+		/* Now add the list of well know variables.  */
+		env_default(1, 1);
+		while ((ep = env_default(0, 1)))
+			env_opt_add(ep);
+		return;
+	}
+	vp = env_getvalue(ep);
+	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+				strlen((char *)ep) + 6 > opt_replyend)
+	{
+		register int len;
+		opt_replyend += OPT_REPLY_SIZE;
+		len = opt_replyend - opt_reply;
+		opt_reply = (unsigned char *)realloc(opt_reply, len);
+		if (opt_reply == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return;
+		}
+		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyend = opt_reply + len;
+	}
+	if (opt_welldefined(ep))
+#ifdef	OLD_ENVIRON
+		if (telopt_environ == TELOPT_OLD_ENVIRON)
+			*opt_replyp++ = old_env_var;
+		else
+#endif
+			*opt_replyp++ = NEW_ENV_VAR;
+	else
+		*opt_replyp++ = ENV_USERVAR;
+	for (;;) {
+		while ((c = *ep++)) {
+			switch(c&0xff) {
+			case IAC:
+				*opt_replyp++ = IAC;
+				break;
+			case NEW_ENV_VAR:
+			case NEW_ENV_VALUE:
+			case ENV_ESC:
+			case ENV_USERVAR:
+				*opt_replyp++ = ENV_ESC;
+				break;
+			}
+			*opt_replyp++ = c;
+		}
+		if ((ep = vp)) {
+#ifdef	OLD_ENVIRON
+			if (telopt_environ == TELOPT_OLD_ENVIRON)
+				*opt_replyp++ = old_env_value;
+			else
+#endif
+				*opt_replyp++ = NEW_ENV_VALUE;
+			vp = NULL;
+		} else
+			break;
+	}
+}
+
+	int
+opt_welldefined(ep)
+	char *ep;
+{
+	if ((strcmp(ep, "USER") == 0) ||
+	    (strcmp(ep, "DISPLAY") == 0) ||
+	    (strcmp(ep, "PRINTER") == 0) ||
+	    (strcmp(ep, "SYSTEMTYPE") == 0) ||
+	    (strcmp(ep, "JOB") == 0) ||
+	    (strcmp(ep, "ACCT") == 0))
+		return(1);
+	return(0);
+}
+	void
+env_opt_end(emptyok)
+	register int emptyok;
+{
+	register int len;
+
+	len = opt_replyp - opt_reply + 2;
+	if (emptyok || len > 6) {
+		*opt_replyp++ = IAC;
+		*opt_replyp++ = SE;
+		if (NETROOM() > len) {
+			ring_supply_data(&netoring, opt_reply, len);
+			printsub('>', &opt_reply[2], len - 2);
+		}
+/*@*/		else printf("slc_end_reply: not enough room\n");
+	}
+	if (opt_reply) {
+		free(opt_reply);
+		opt_reply = opt_replyp = opt_replyend = NULL;
+	}
+}
+
+
+
+    int
+telrcv()
+{
+    register int c;
+    register int scc;
+    register unsigned char *sbp;
+    int count;
+    int returnValue = 0;
+
+    scc = 0;
+    count = 0;
+    while (TTYROOM() > 2) {
+	if (scc == 0) {
+	    if (count) {
+		ring_consumed(&netiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    sbp = netiring.consume;
+	    scc = ring_full_consecutive(&netiring);
+	    if (scc == 0) {
+		/* No more data coming in */
+		break;
+	    }
+	}
+
+	c = *sbp++ & 0xff, scc--; count++;
+#ifdef	ENCRYPTION
+	if (decrypt_input)
+		c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+
+	switch (telrcv_state) {
+
+	case TS_CR:
+	    telrcv_state = TS_DATA;
+	    if (c == '\0') {
+		break;	/* Ignore \0 after CR */
+	    }
+	    else if ((c == '\n') && my_want_state_is_dont(TELOPT_ECHO) && !crmod) {
+		TTYADD(c);
+		break;
+	    }
+	    /* Else, fall through */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		telrcv_state = TS_IAC;
+		break;
+	    }
+#	    if defined(TN3270)
+	    if (In3270) {
+		*Ifrontp++ = c;
+		while (scc > 0) {
+		    c = *sbp++ & 0377, scc--; count++;
+#ifdef	ENCRYPTION
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		    if (c == IAC) {
+			telrcv_state = TS_IAC;
+			break;
+		    }
+		    *Ifrontp++ = c;
+		}
+	    } else
+#	    endif /* defined(TN3270) */
+		    /*
+		     * The 'crmod' hack (see following) is needed
+		     * since we can't * set CRMOD on output only.
+		     * Machines like MULTICS like to send \r without
+		     * \n; since we must turn off CRMOD to get proper
+		     * input, the mapping is done here (sigh).
+		     */
+	    if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+		if (scc > 0) {
+		    c = *sbp&0xff;
+#ifdef	ENCRYPTION
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		    if (c == 0) {
+			sbp++, scc--; count++;
+			/* a "true" CR */
+			TTYADD('\r');
+		    } else if (my_want_state_is_dont(TELOPT_ECHO) &&
+					(c == '\n')) {
+			sbp++, scc--; count++;
+			TTYADD('\n');
+		    } else {
+#ifdef	ENCRYPTION
+			if (decrypt_input)
+			    (*decrypt_input)(-1);
+#endif	/* ENCRYPTION */
+
+			TTYADD('\r');
+			if (crmod) {
+				TTYADD('\n');
+			}
+		    }
+		} else {
+		    telrcv_state = TS_CR;
+		    TTYADD('\r');
+		    if (crmod) {
+			    TTYADD('\n');
+		    }
+		}
+	    } else {
+		TTYADD(c);
+	    }
+	    continue;
+
+	case TS_IAC:
+process_iac:
+	    switch (c) {
+
+	    case WILL:
+		telrcv_state = TS_WILL;
+		continue;
+
+	    case WONT:
+		telrcv_state = TS_WONT;
+		continue;
+
+	    case DO:
+		telrcv_state = TS_DO;
+		continue;
+
+	    case DONT:
+		telrcv_state = TS_DONT;
+		continue;
+
+	    case DM:
+		    /*
+		     * We may have missed an urgent notification,
+		     * so make sure we flush whatever is in the
+		     * buffer currently.
+		     */
+		printoption("RCVD", IAC, DM);
+		SYNCHing = 1;
+		(void) ttyflush(1);
+		SYNCHing = stilloob();
+		settimer(gotDM);
+		break;
+
+	    case SB:
+		SB_CLEAR();
+		telrcv_state = TS_SB;
+		continue;
+
+#	    if defined(TN3270)
+	    case EOR:
+		if (In3270) {
+		    if (Ibackp == Ifrontp) {
+			Ibackp = Ifrontp = Ibuf;
+			ISend = 0;	/* should have been! */
+		    } else {
+			Ibackp += DataFromNetwork(Ibackp, Ifrontp-Ibackp, 1);
+			ISend = 1;
+		    }
+		}
+		printoption("RCVD", IAC, EOR);
+		break;
+#	    endif /* defined(TN3270) */
+
+	    case IAC:
+#	    if !defined(TN3270)
+		TTYADD(IAC);
+#	    else /* !defined(TN3270) */
+		if (In3270) {
+		    *Ifrontp++ = IAC;
+		} else {
+		    TTYADD(IAC);
+		}
+#	    endif /* !defined(TN3270) */
+		break;
+
+	    case NOP:
+	    case GA:
+	    default:
+		printoption("RCVD", IAC, c);
+		break;
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WILL:
+	    printoption("RCVD", WILL, c);
+	    willoption(c);
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    printoption("RCVD", WONT, c);
+	    wontoption(c);
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    printoption("RCVD", DO, c);
+	    dooption(c);
+	    SetIn3270();
+	    if (c == TELOPT_NAWS) {
+		sendnaws();
+	    } else if (c == TELOPT_LFLOW) {
+		localflow = 1;
+		setcommandmode();
+		setconnmode(0);
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    printoption("RCVD", DONT, c);
+	    dontoption(c);
+	    flushline = 1;
+	    setconnmode(0);	/* set new tty mode (maybe) */
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_SB:
+	    if (c == IAC) {
+		telrcv_state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    continue;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * This is an error.  We only expect to get
+		     * "IAC IAC" or "IAC SE".  Several things may
+		     * have happend.  An IAC was not doubled, the
+		     * IAC SE was left off, or another option got
+		     * inserted into the suboption are all possibilities.
+		     * If we assume that the IAC was not doubled,
+		     * and really the IAC SE was left off, we could
+		     * get into an infinate loop here.  So, instead,
+		     * we terminate the suboption, and process the
+		     * partial suboption if we can.
+		     */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+		    SB_TERM();
+
+		    printoption("In SUBOPTION processing, RCVD", IAC, c);
+		    suboption();	/* handle sub-option */
+		    SetIn3270();
+		    telrcv_state = TS_IAC;
+		    goto process_iac;
+		}
+		SB_ACCUM(c);
+		telrcv_state = TS_SB;
+	    } else {
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		SetIn3270();
+		telrcv_state = TS_DATA;
+	    }
+	}
+    }
+    if (count)
+	ring_consumed(&netiring, count);
+    return returnValue||count;
+}
+
+static int bol = 1, local = 0;
+
+    int
+rlogin_susp()
+{
+    if (local) {
+	local = 0;
+	bol = 1;
+	command(0, "z\n", 2);
+	return(1);
+    }
+    return(0);
+}
+
+    static int
+telsnd()
+{
+    int tcc;
+    int count;
+    int returnValue = 0;
+    unsigned char *tbp;
+
+    tcc = 0;
+    count = 0;
+    while (NETROOM() > 2) {
+	register int sc;
+	register int c;
+
+	if (tcc == 0) {
+	    if (count) {
+		ring_consumed(&ttyiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    tbp = ttyiring.consume;
+	    tcc = ring_full_consecutive(&ttyiring);
+	    if (tcc == 0) {
+		break;
+	    }
+	}
+	c = *tbp++ & 0xff, sc = strip(c), tcc--; count++;
+	if (rlogin != _POSIX_VDISABLE) {
+		if (bol) {
+			bol = 0;
+			if (sc == rlogin) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (sc == '.' || c == termEofChar) {
+				bol = 1;
+				command(0, "close\n", 6);
+				continue;
+			}
+			if (sc == termSuspChar) {
+				bol = 1;
+				command(0, "z\n", 2);
+				continue;
+			}
+			if (sc == escape) {
+				command(0, (char *)tbp, tcc);
+				bol = 1;
+				count += tcc;
+				tcc = 0;
+				flushline = 1;
+				break;
+			}
+			if (sc != rlogin) {
+				++tcc;
+				--tbp;
+				--count;
+				c = sc = rlogin;
+			}
+		}
+		if ((sc == '\n') || (sc == '\r'))
+			bol = 1;
+	} else if (escape != _POSIX_VDISABLE && sc == escape) {
+	    /*
+	     * Double escape is a pass through of a single escape character.
+	     */
+	    if (tcc && strip(*tbp) == escape) {
+		tbp++;
+		tcc--;
+		count++;
+		bol = 0;
+	    } else {
+		command(0, (char *)tbp, tcc);
+		bol = 1;
+		count += tcc;
+		tcc = 0;
+		flushline = 1;
+		break;
+	    }
+	} else
+	    bol = 0;
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+	    if (tcc > 0 && strip(*tbp) == echoc) {
+		tcc--; tbp++; count++;
+	    } else {
+		dontlecho = !dontlecho;
+		settimer(echotoggle);
+		setconnmode(0);
+		flushline = 1;
+		break;
+	    }
+	}
+#endif
+	if (MODE_LOCAL_CHARS(globalmode)) {
+	    if (TerminalSpecialChars(sc) == 0) {
+		bol = 1;
+		break;
+	    }
+	}
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    switch (c) {
+	    case '\n':
+		    /*
+		     * If we are in CRMOD mode (\r ==> \n)
+		     * on our local machine, then probably
+		     * a newline (unix) is CRLF (TELNET).
+		     */
+		if (MODE_LOCAL_CHARS(globalmode)) {
+		    NETADD('\r');
+		}
+		NETADD('\n');
+		bol = flushline = 1;
+		break;
+	    case '\r':
+		if (!crlf) {
+		    NET2ADD('\r', '\0');
+		} else {
+		    NET2ADD('\r', '\n');
+		}
+		bol = flushline = 1;
+		break;
+	    case IAC:
+		NET2ADD(IAC, IAC);
+		break;
+	    default:
+		NETADD(c);
+		break;
+	    }
+	} else if (c == IAC) {
+	    NET2ADD(IAC, IAC);
+	} else {
+	    NETADD(c);
+	}
+    }
+    if (count)
+	ring_consumed(&ttyiring, count);
+    return returnValue||count;		/* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+
+    int
+Scheduler(block)
+    int	block;			/* should we block in the select ? */
+{
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue;
+    int netin, netout, netex, ttyin, ttyout;
+
+    /* Decide which rings should be processed */
+
+    netout = ring_full_count(&netoring) &&
+	    (flushline ||
+		(my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef	KLUDGELINEMODE
+			&& (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+		) ||
+			my_want_state_is_will(TELOPT_BINARY));
+    ttyout = ring_full_count(&ttyoring);
+
+#if	defined(TN3270)
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0) && (shell_active == 0);
+#else	/* defined(TN3270) */
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0);
+#endif	/* defined(TN3270) */
+
+#if	defined(TN3270)
+    netin = ring_empty_count(&netiring);
+#   else /* !defined(TN3270) */
+    netin = !ISend && ring_empty_count(&netiring);
+#   endif /* !defined(TN3270) */
+
+    netex = !SYNCHing;
+
+    /* If we have seen a signal recently, reset things */
+#   if defined(TN3270) && defined(unix)
+    if (HaveInput) {
+	HaveInput = 0;
+	(void) signal(SIGIO, inputAvailable);
+    }
+#endif	/* defined(TN3270) && defined(unix) */
+
+    /* Call to system code to process rings */
+
+    returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+
+    /* Now, look at the input rings, looking for work to do. */
+
+    if (ring_full_count(&ttyiring)) {
+#   if defined(TN3270)
+	if (In3270) {
+	    int c;
+
+	    c = DataFromTerminal(ttyiring.consume,
+					ring_full_consecutive(&ttyiring));
+	    if (c) {
+		returnValue = 1;
+		ring_consumed(&ttyiring, c);
+	    }
+	} else {
+#   endif /* defined(TN3270) */
+	    returnValue |= telsnd();
+#   if defined(TN3270)
+	}
+#   endif /* defined(TN3270) */
+    }
+
+    if (ring_full_count(&netiring)) {
+#	if !defined(TN3270)
+	returnValue |= telrcv();
+#	else /* !defined(TN3270) */
+	returnValue = Push3270();
+#	endif /* !defined(TN3270) */
+    }
+    return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+    void
+telnet(user)
+    char *user;
+{
+    sys_telnet_init();
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    {
+	static char local_host[256] = { 0 };
+
+	if (!local_host[0]) {
+		gethostname(local_host, sizeof(local_host));
+		local_host[sizeof(local_host)-1] = 0;
+	}
+	auth_encrypt_init(local_host, hostname, "TELNET", 0);
+	auth_encrypt_user(user);
+    }
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+#   if !defined(TN3270)
+    if (telnetport) {
+#if	defined(AUTHENTICATION)
+	if (autologin)
+		send_will(TELOPT_AUTHENTICATION, 1);
+#endif
+#ifdef	ENCRYPTION
+	send_do(TELOPT_ENCRYPT, 1);
+	send_will(TELOPT_ENCRYPT, 1);
+#endif	/* ENCRYPTION */
+	send_do(TELOPT_SGA, 1);
+	send_will(TELOPT_TTYPE, 1);
+	send_will(TELOPT_NAWS, 1);
+	send_will(TELOPT_TSPEED, 1);
+	send_will(TELOPT_LFLOW, 1);
+	send_will(TELOPT_LINEMODE, 1);
+	send_will(TELOPT_NEW_ENVIRON, 1);
+	send_do(TELOPT_STATUS, 1);
+	if (env_getvalue((unsigned char *)"DISPLAY"))
+	    send_will(TELOPT_XDISPLOC, 1);
+	if (eight)
+	    tel_enter_binary(eight);
+    }
+#   endif /* !defined(TN3270) */
+
+#   if !defined(TN3270)
+    for (;;) {
+	int schedValue;
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	if (Scheduler(1) == -1) {
+	    setcommandmode();
+	    return;
+	}
+    }
+#   else /* !defined(TN3270) */
+    for (;;) {
+	int schedValue;
+
+	while (!In3270 && !shell_active) {
+	    if (Scheduler(1) == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+		/* If there is data waiting to go out to terminal, don't
+		 * schedule any more data for the terminal.
+		 */
+	if (ring_full_count(&ttyoring)) {
+	    schedValue = 1;
+	} else {
+	    if (shell_active) {
+		if (shell_continue() == 0) {
+		    ConnectScreen();
+		}
+	    } else if (In3270) {
+		schedValue = DoTerminalOutput();
+	    }
+	}
+	if (schedValue && (shell_active == 0)) {
+	    if (Scheduler(1) == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+    }
+#   endif /* !defined(TN3270) */
+}
+
+#if	0	/* XXX - this not being in is a bug */
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+
+    static char *
+nextitem(current)
+    char *current;
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:		/* loop forever looking for the SE */
+	{
+	    register char *look = current+2;
+
+	    for (;;) {
+		if ((*look++&0xff) == IAC) {
+		    if ((*look++&0xff) == SE) {
+			return look;
+		    }
+		}
+	    }
+	}
+    default:
+	return current+2;
+    }
+}
+#endif	/* 0 */
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+    static void
+netclear()
+{
+#if	0	/* XXX */
+    register char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+    thisitem = netobuf;
+
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+    good = netobuf;	/* where the good bytes go */
+
+    while (netoring.add > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+#endif	/* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+    static void
+doflush()
+{
+    NET2ADD(IAC, DO);
+    NETADD(TELOPT_TM);
+    flushline = 1;
+    flushout = 1;
+    (void) ttyflush(1);			/* Flush/drop output */
+    /* do printoption AFTER flush, otherwise the output gets tossed... */
+    printoption("SENT", DO, TELOPT_TM);
+}
+
+    void
+xmitAO()
+{
+    NET2ADD(IAC, AO);
+    printoption("SENT", IAC, AO);
+    if (autoflush) {
+	doflush();
+    }
+}
+
+
+    void
+xmitEL()
+{
+    NET2ADD(IAC, EL);
+    printoption("SENT", IAC, EL);
+}
+
+    void
+xmitEC()
+{
+    NET2ADD(IAC, EC);
+    printoption("SENT", IAC, EC);
+}
+
+
+    int
+dosynch()
+{
+    netclear();			/* clear the path to the network */
+    NETADD(IAC);
+    setneturg();
+    NETADD(DM);
+    printoption("SENT", IAC, DM);
+    return 1;
+}
+
+int want_status_response = 0;
+
+    int
+get_status()
+{
+    unsigned char tmp[16];
+    register unsigned char *cp;
+
+    if (my_want_state_is_dont(TELOPT_STATUS)) {
+	printf("Remote side does not support STATUS option\n");
+	return 0;
+    }
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_STATUS;
+    *cp++ = TELQUAL_SEND;
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+    ++want_status_response;
+    return 1;
+}
+
+    void
+intp()
+{
+    NET2ADD(IAC, IP);
+    printoption("SENT", IAC, IP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendbrk()
+{
+    NET2ADD(IAC, BREAK);
+    printoption("SENT", IAC, BREAK);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendabort()
+{
+    NET2ADD(IAC, ABORT);
+    printoption("SENT", IAC, ABORT);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendsusp()
+{
+    NET2ADD(IAC, SUSP);
+    printoption("SENT", IAC, SUSP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendeof()
+{
+    NET2ADD(IAC, xEOF);
+    printoption("SENT", IAC, xEOF);
+}
+
+    void
+sendayt()
+{
+    NET2ADD(IAC, AYT);
+    printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+    void
+sendnaws()
+{
+    long rows, cols;
+    unsigned char tmp[16];
+    register unsigned char *cp;
+
+    if (my_state_is_wont(TELOPT_NAWS))
+	return;
+
+#define	PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+			    if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+
+    if (TerminalWindowSize(&rows, &cols) == 0) {	/* Failed */
+	return;
+    }
+
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_NAWS;
+    PUTSHORT(cp, cols);
+    PUTSHORT(cp, rows);
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+}
+
+    void
+tel_enter_binary(rw)
+    int rw;
+{
+    if (rw&1)
+	send_do(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_will(TELOPT_BINARY, 1);
+}
+
+    void
+tel_leave_binary(rw)
+    int rw;
+{
+    if (rw&1)
+	send_dont(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_wont(TELOPT_BINARY, 1);
+}
diff --git a/crypto/telnet/telnet/terminal.c b/crypto/telnet/telnet/terminal.c
new file mode 100644
index 0000000..2069396
--- /dev/null
+++ b/crypto/telnet/telnet/terminal.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)terminal.c	8.2 (Berkeley) 2/16/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+
+#include "ring.h"
+
+#include "externs.h"
+#include "types.h"
+
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+Ring		ttyoring, ttyiring;
+unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
+
+int termdata;			/* Debugging flag */
+
+#ifdef	USE_TERMIO
+# ifndef VDISCARD
+cc_t termFlushChar;
+# endif
+# ifndef VLNEXT
+cc_t termLiteralNextChar;
+# endif
+# ifndef VSUSP
+cc_t termSuspChar;
+# endif
+# ifndef VWERASE
+cc_t termWerasChar;
+# endif
+# ifndef VREPRINT
+cc_t termRprntChar;
+# endif
+# ifndef VSTART
+cc_t termStartChar;
+# endif
+# ifndef VSTOP
+cc_t termStopChar;
+# endif
+# ifndef VEOL
+cc_t termForw1Char;
+# endif
+# ifndef VEOL2
+cc_t termForw2Char;
+# endif
+# ifndef VSTATUS
+cc_t termAytChar;
+# endif
+#else
+cc_t termForw2Char;
+cc_t termAytChar;
+#endif
+
+/*
+ * initialize the terminal data structures.
+ */
+
+    void
+init_terminal()
+{
+    if (ring_init(&ttyoring, ttyobuf, sizeof ttyobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&ttyiring, ttyibuf, sizeof ttyibuf) != 1) {
+	exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *		Send as much data as possible to the terminal.
+ *
+ *		Return value:
+ *			-1: No useful work done, data waiting to go out.
+ *			 0: No data was waiting, so nothing was done.
+ *			 1: All waiting data was written out.
+ *			 n: All data - n was written out.
+ */
+
+
+    int
+ttyflush(drop)
+    int drop;
+{
+    register int n, n0, n1;
+
+    n0 = ring_full_count(&ttyoring);
+    if ((n1 = n = ring_full_consecutive(&ttyoring)) > 0) {
+	if (drop) {
+	    TerminalFlushOutput();
+	    /* we leave 'n' alone! */
+	} else {
+	    n = TerminalWrite(ttyoring.consume, n);
+	}
+    }
+    if (n > 0) {
+	if (termdata && n) {
+	    Dump('>', ttyoring.consume, n);
+	}
+	/*
+	 * If we wrote everything, and the full count is
+	 * larger than what we wrote, then write the
+	 * rest of the buffer.
+	 */
+	if (n1 == n && n0 > n) {
+		n1 = n0 - n;
+		if (!drop)
+			n1 = TerminalWrite(ttyoring.bottom, n1);
+		if (n1 > 0)
+			n += n1;
+	}
+	ring_consumed(&ttyoring, n);
+    }
+    if (n < 0)
+	return -1;
+    if (n == n0) {
+	if (n0)
+	    return -1;
+	return 0;
+    }
+    return n0 - n + 1;
+}
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+
+
+    int
+getconnmode()
+{
+    extern int linemode;
+    int mode = 0;
+#ifdef	KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (In3270)
+	return(MODE_FLOW);
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+	mode |= MODE_ECHO;
+
+    if (localflow)
+	mode |= MODE_FLOW;
+
+    if (my_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_INBIN;
+
+    if (his_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_OUTBIN;
+
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode) {
+	if (my_want_state_is_dont(TELOPT_SGA)) {
+	    mode |= (MODE_TRAPSIG|MODE_EDIT);
+	    if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+		mode &= ~MODE_ECHO;
+	    }
+	}
+	return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+	mode |= linemode;
+    return(mode);
+}
+
+    void
+setconnmode(force)
+    int force;
+{
+#ifdef	ENCRYPTION
+    static int enc_passwd = 0;
+#endif	/* ENCRYPTION */
+    register int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+
+#ifdef  ENCRYPTION
+    if ((newmode & (MODE_ECHO|MODE_EDIT)) == MODE_EDIT) {
+	if (my_want_state_is_will(TELOPT_ENCRYPT)
+				&& (enc_passwd == 0) && !encrypt_output) {
+	    encrypt_request_start(0, 0);
+	    enc_passwd = 1;
+	}
+    } else {
+	if (enc_passwd) {
+	    encrypt_request_end();
+	    enc_passwd = 0;
+	}
+    }
+#endif	/* ENCRYPTION */
+
+}
+
+
+    void
+setcommandmode()
+{
+    TerminalNewMode(-1);
+}
diff --git a/crypto/telnet/telnet/tn3270.c b/crypto/telnet/telnet/tn3270.c
new file mode 100644
index 0000000..92219b7
--- /dev/null
+++ b/crypto/telnet/telnet/tn3270.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)tn3270.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+
+#include "general.h"
+
+#include "defines.h"
+#include "ring.h"
+#include "externs.h"
+#include "fdset.h"
+
+#if	defined(TN3270)
+
+#include "../ctlr/screen.h"
+#include "../general/globals.h"
+
+#include "../sys_curses/telextrn.h"
+#include "../ctlr/externs.h"
+
+#if	defined(unix)
+int
+	HaveInput,		/* There is input available to scan */
+	cursesdata,		/* Do we dump curses data? */
+	sigiocount;		/* Number of times we got a SIGIO */
+
+char	tline[200];
+char	*transcom = 0;	/* transparent mode command (default: none) */
+#endif	/* defined(unix) */
+
+char	Ibuf[8*BUFSIZ], *Ifrontp, *Ibackp;
+
+static char	sb_terminal[] = { IAC, SB,
+			TELOPT_TTYPE, TELQUAL_IS,
+			'I', 'B', 'M', '-', '3', '2', '7', '8', '-', '2',
+			IAC, SE };
+#define	SBTERMMODEL	13
+
+static int
+	Sent3270TerminalType;	/* Have we said we are a 3270? */
+
+#endif	/* defined(TN3270) */
+
+
+    void
+init_3270()
+{
+#if	defined(TN3270)
+#if	defined(unix)
+    HaveInput = 0;
+    sigiocount = 0;
+#endif	/* defined(unix) */
+    Sent3270TerminalType = 0;
+    Ifrontp = Ibackp = Ibuf;
+    init_ctlr();		/* Initialize some things */
+    init_keyboard();
+    init_screen();
+    init_system();
+#endif	/* defined(TN3270) */
+}
+
+
+#if	defined(TN3270)
+
+/*
+ * DataToNetwork - queue up some data to go to network.  If "done" is set,
+ * then when last byte is queued, we add on an IAC EOR sequence (so,
+ * don't call us with "done" until you want that done...)
+ *
+ * We actually do send all the data to the network buffer, since our
+ * only client needs for us to do that.
+ */
+
+    int
+DataToNetwork(buffer, count, done)
+    register char *buffer;	/* where the data is */
+    register int  count;	/* how much to send */
+    int		  done;		/* is this the last of a logical block */
+{
+    register int loop, c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+	/* If not enough room for EORs, IACs, etc., wait */
+	if (NETROOM() < 6) {
+	    fd_set o;
+
+	    FD_ZERO(&o);
+	    netflush();
+	    while (NETROOM() < 6) {
+		FD_SET(net, &o);
+		(void) select(net+1, (fd_set *) 0, &o, (fd_set *) 0,
+						(struct timeval *) 0);
+		netflush();
+	    }
+	}
+	c = ring_empty_count(&netoring);
+	if (c > count) {
+	    c = count;
+	}
+	loop = c;
+	while (loop) {
+	    if (((unsigned char)*buffer) == IAC) {
+		break;
+	    }
+	    buffer++;
+	    loop--;
+	}
+	if ((c = c-loop)) {
+	    ring_supply_data(&netoring, buffer-c, c);
+	    count -= c;
+	}
+	if (loop) {
+	    NET2ADD(IAC, IAC);
+	    count--;
+	    buffer++;
+	}
+    }
+
+    if (done) {
+	NET2ADD(IAC, EOR);
+	netflush();		/* try to move along as quickly as ... */
+    }
+    return(origCount - count);
+}
+
+
+#if	defined(unix)
+    void
+inputAvailable(signo)
+	int signo;
+{
+    HaveInput = 1;
+    sigiocount++;
+}
+#endif	/* defined(unix) */
+
+    void
+outputPurge()
+{
+    (void) ttyflush(1);
+}
+
+
+/*
+ * The following routines are places where the various tn3270
+ * routines make calls into telnet.c.
+ */
+
+/*
+ * DataToTerminal - queue up some data to go to terminal.
+ *
+ * Note: there are people who call us and depend on our processing
+ * *all* the data at one time (thus the select).
+ */
+
+    int
+DataToTerminal(buffer, count)
+    register char	*buffer;		/* where the data is */
+    register int	count;			/* how much to send */
+{
+    register int c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+	if (TTYROOM() == 0) {
+#if	defined(unix)
+	    fd_set o;
+
+	    FD_ZERO(&o);
+#endif	/* defined(unix) */
+	    (void) ttyflush(0);
+	    while (TTYROOM() == 0) {
+#if	defined(unix)
+		FD_SET(tout, &o);
+		(void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+						(struct timeval *) 0);
+#endif	/* defined(unix) */
+		(void) ttyflush(0);
+	    }
+	}
+	c = TTYROOM();
+	if (c > count) {
+	    c = count;
+	}
+	ring_supply_data(&ttyoring, buffer, c);
+	count -= c;
+	buffer += c;
+    }
+    return(origCount);
+}
+
+
+/*
+ * Push3270 - Try to send data along the 3270 output (to screen) direction.
+ */
+
+    int
+Push3270()
+{
+    int save = ring_full_count(&netiring);
+
+    if (save) {
+	if (Ifrontp+save > Ibuf+sizeof Ibuf) {
+	    if (Ibackp != Ibuf) {
+		memmove(Ibuf, Ibackp, Ifrontp-Ibackp);
+		Ifrontp -= (Ibackp-Ibuf);
+		Ibackp = Ibuf;
+	    }
+	}
+	if (Ifrontp+save < Ibuf+sizeof Ibuf) {
+	    (void)telrcv();
+	}
+    }
+    return save != ring_full_count(&netiring);
+}
+
+
+/*
+ * Finish3270 - get the last dregs of 3270 data out to the terminal
+ *		before quitting.
+ */
+
+    void
+Finish3270()
+{
+    while (Push3270() || !DoTerminalOutput()) {
+#if	defined(unix)
+	HaveInput = 0;
+#endif	/* defined(unix) */
+	;
+    }
+}
+
+
+/* StringToTerminal - output a null terminated string to the terminal */
+
+    void
+StringToTerminal(s)
+    char *s;
+{
+    int count;
+
+    count = strlen(s);
+    if (count) {
+	(void) DataToTerminal(s, count);	/* we know it always goes... */
+    }
+}
+
+
+#if	((!defined(NOT43)) || defined(PUTCHAR))
+/* _putchar - output a single character to the terminal.  This name is so that
+ *	curses(3x) can call us to send out data.
+ */
+
+    void
+_putchar(c)
+    char c;
+{
+#if	defined(sun)		/* SunOS 4.0 bug */
+    c &= 0x7f;
+#endif	/* defined(sun) */
+    if (cursesdata) {
+	Dump('>', &c, 1);
+    }
+    if (!TTYROOM()) {
+	(void) DataToTerminal(&c, 1);
+    } else {
+	TTYADD(c);
+    }
+}
+#endif	/* ((!defined(NOT43)) || defined(PUTCHAR)) */
+
+    void
+SetIn3270()
+{
+    if (Sent3270TerminalType && my_want_state_is_will(TELOPT_BINARY)
+		&& my_want_state_is_do(TELOPT_BINARY) && !donebinarytoggle) {
+	if (!In3270) {
+	    In3270 = 1;
+	    Init3270();		/* Initialize 3270 functions */
+	    /* initialize terminal key mapping */
+	    InitTerminal();	/* Start terminal going */
+	    setconnmode(0);
+	}
+    } else {
+	if (In3270) {
+	    StopScreen(1);
+	    In3270 = 0;
+	    Stop3270();		/* Tell 3270 we aren't here anymore */
+	    setconnmode(0);
+	}
+    }
+}
+
+/*
+ * tn3270_ttype()
+ *
+ *	Send a response to a terminal type negotiation.
+ *
+ *	Return '0' if no more responses to send; '1' if a response sent.
+ */
+
+    int
+tn3270_ttype()
+{
+    /*
+     * Try to send a 3270 type terminal name.  Decide which one based
+     * on the format of our screen, and (in the future) color
+     * capaiblities.
+     */
+    InitTerminal();		/* Sets MaxNumberColumns, MaxNumberLines */
+    if ((MaxNumberLines >= 24) && (MaxNumberColumns >= 80)) {
+	Sent3270TerminalType = 1;
+	if ((MaxNumberLines >= 27) && (MaxNumberColumns >= 132)) {
+	    MaxNumberLines = 27;
+	    MaxNumberColumns = 132;
+	    sb_terminal[SBTERMMODEL] = '5';
+	} else if (MaxNumberLines >= 43) {
+	    MaxNumberLines = 43;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '4';
+	} else if (MaxNumberLines >= 32) {
+	    MaxNumberLines = 32;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '3';
+	} else {
+	    MaxNumberLines = 24;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '2';
+	}
+	NumberLines = 24;		/* before we start out... */
+	NumberColumns = 80;
+	ScreenSize = NumberLines*NumberColumns;
+	if ((MaxNumberLines*MaxNumberColumns) > MAXSCREENSIZE) {
+	    ExitString("Programming error:  MAXSCREENSIZE too small.\n",
+								1);
+	    /*NOTREACHED*/
+	}
+	printsub('>', sb_terminal+2, sizeof sb_terminal-2);
+	ring_supply_data(&netoring, sb_terminal, sizeof sb_terminal);
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+#if	defined(unix)
+	int
+settranscom(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int i;
+
+	if (argc == 1 && transcom) {
+	   transcom = 0;
+	}
+	if (argc == 1) {
+	   return 1;
+	}
+	transcom = tline;
+	(void) strcpy(transcom, argv[1]);
+	for (i = 2; i < argc; ++i) {
+	    (void) strcat(transcom, " ");
+	    (void) strcat(transcom, argv[i]);
+	}
+	return 1;
+}
+#endif	/* defined(unix) */
+
+#endif	/* defined(TN3270) */
diff --git a/crypto/telnet/telnet/types.h b/crypto/telnet/telnet/types.h
new file mode 100644
index 0000000..191d311
--- /dev/null
+++ b/crypto/telnet/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)types.h	8.1 (Berkeley) 6/6/93
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	gotDM;			/* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/crypto/telnet/telnet/utilities.c b/crypto/telnet/telnet/utilities.c
new file mode 100644
index 0000000..fd9f5c9
--- /dev/null
+++ b/crypto/telnet/telnet/utilities.c
@@ -0,0 +1,951 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)utilities.c	8.3 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#define	TELOPTS
+#define	TELCMDS
+#define	SLC_NAMES
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+#include <ctype.h>
+
+#include "general.h"
+
+#include "fdset.h"
+
+#include "ring.h"
+
+#include "defines.h"
+
+#include "externs.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
+int	prettydump;
+
+/*
+ * upcase()
+ *
+ *	Upcase (in place) the argument.
+ */
+
+    void
+upcase(argument)
+    register char *argument;
+{
+    register int c;
+
+    while ((c = *argument) != 0) {
+	if (islower(c)) {
+	    *argument = toupper(c);
+	}
+	argument++;
+    }
+}
+
+/*
+ * SetSockOpt()
+ *
+ * Compensate for differences in 4.2 and 4.3 systems.
+ */
+
+    int
+SetSockOpt(fd, level, option, yesno)
+    int fd, level, option, yesno;
+{
+#ifndef	NOT43
+    return setsockopt(fd, level, option,
+				(char *)&yesno, sizeof yesno);
+#else	/* NOT43 */
+    if (yesno == 0) {		/* Can't do that in 4.2! */
+	fprintf(stderr, "Error: attempt to turn off an option 0x%x.\n",
+				option);
+	return -1;
+    }
+    return setsockopt(fd, level, option, 0, 0);
+#endif	/* NOT43 */
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+unsigned char NetTraceFile[256] = "(standard output)";
+
+    void
+SetNetTrace(file)
+    register char *file;
+{
+    if (NetTrace && NetTrace != stdout)
+	fclose(NetTrace);
+    if (file  && (strcmp(file, "-") != 0)) {
+	NetTrace = fopen(file, "w");
+	if (NetTrace) {
+	    strcpy((char *)NetTraceFile, file);
+	    return;
+	}
+	fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strcpy((char *)NetTraceFile, "(standard output)");
+}
+
+    void
+Dump(direction, buffer, length)
+    char direction;
+    unsigned char *buffer;
+    int length;
+{
+#   define BYTES_PER_LINE	32
+#   define min(x,y)	((x<y)? x:y)
+    unsigned char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+	/* print one line */
+	fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+	pThis = buffer;
+	if (prettydump) {
+	    buffer = buffer + min(length, BYTES_PER_LINE/2);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%c%.2x",
+		    (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+		    (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE/2;
+	    offset += BYTES_PER_LINE/2;
+	} else {
+	    buffer = buffer + min(length, BYTES_PER_LINE);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE;
+	    offset += BYTES_PER_LINE;
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	if (length < 0) {
+	    fflush(NetTrace);
+	    return;
+	}
+	/* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+	void
+printoption(direction, cmd, option)
+	char *direction;
+	int cmd, option;
+{
+	if (!showoptions)
+		return;
+	if (cmd == IAC) {
+		if (TELCMD_OK(option))
+		    fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+		else
+		    fprintf(NetTrace, "%s IAC %d", direction, option);
+	} else {
+		register char *fmt;
+		fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+			(cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+		if (fmt) {
+		    fprintf(NetTrace, "%s %s ", direction, fmt);
+		    if (TELOPT_OK(option))
+			fprintf(NetTrace, "%s", TELOPT(option));
+		    else if (option == TELOPT_EXOPL)
+			fprintf(NetTrace, "EXOPL");
+		    else
+			fprintf(NetTrace, "%d", option);
+		} else
+		    fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	    fflush(NetTrace);
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	return;
+}
+
+    void
+optionstatus()
+{
+    register int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+	if (do_dont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+	    else
+		printf("resp DO_DONT %d: %d\n", i,
+				do_dont_resp[i]);
+	    if (my_want_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("want DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DO   %s\n", TELCMD(i));
+		else
+		    printf("want DO   %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want DONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DONT %s\n", TELCMD(i));
+		else
+		    printf("want DONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("     DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     DO   %s\n", TELCMD(i));
+		else
+		    printf("     DO   %d\n", i);
+	    }
+	}
+	if (will_wont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+	    else
+		printf("resp WILL_WONT %d: %d\n",
+				i, will_wont_resp[i]);
+	    if (my_want_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("want WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WILL %s\n", TELCMD(i));
+		else
+		    printf("want WILL %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want WONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WONT %s\n", TELCMD(i));
+		else
+		    printf("want WONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("     WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     WILL %s\n", TELCMD(i));
+		else
+		    printf("     WILL %d\n", i);
+	    }
+	}
+    }
+
+}
+
+    void
+printsub(direction, pointer, length)
+    char direction;	/* '<' or '>' */
+    unsigned char *pointer;	/* where suboption data sits */
+    int		  length;	/* length of suboption data */
+{
+    register int i;
+    char buf[512];
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+	(want_status_response && (pointer[0] == TELOPT_STATUS))) {
+	if (direction) {
+	    fprintf(NetTrace, "%s IAC SB ",
+				(direction == '<')? "RCVD":"SENT");
+	    if (length >= 3) {
+		register int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    fprintf(NetTrace, "(terminated by ");
+		    if (TELOPT_OK(i))
+			fprintf(NetTrace, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			fprintf(NetTrace, "%s ", TELCMD(i));
+		    else
+			fprintf(NetTrace, "%d ", i);
+		    if (TELOPT_OK(j))
+			fprintf(NetTrace, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			fprintf(NetTrace, "%s", TELCMD(j));
+		    else
+			fprintf(NetTrace, "%d", j);
+		    fprintf(NetTrace, ", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    fprintf(NetTrace, "(Empty suboption??\?)");
+	    if (NetTrace == stdout)
+		fflush(NetTrace);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    fprintf(NetTrace, "TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    fprintf(NetTrace, "TERMINAL-SPEED");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " IS ");
+		fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		fprintf(NetTrace, " OFF"); break;
+	    case LFLOW_ON:
+		fprintf(NetTrace, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		fprintf(NetTrace, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		fprintf(NetTrace, " RESTART-XON"); break;
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+	case TELOPT_NAWS:
+	    fprintf(NetTrace, "NAWS");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		fprintf(NetTrace, " ?%d?", pointer[1]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		fprintf(NetTrace, " ?%d?", pointer[3]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    fprintf(NetTrace, "AUTHENTICATION");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, "%d ", pointer[2]);
+		if (length < 3) {
+		    fprintf(NetTrace, "(partial suboption??\?)");
+		    break;
+		}
+		fprintf(NetTrace, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		fprintf(NetTrace, " SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    if (++i >= length) {
+			fprintf(NetTrace, "(partial suboption??\?)");
+			break;
+		    }
+		    fprintf(NetTrace, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		fprintf(NetTrace, " NAME \"");
+		while (i < length)
+		    putc(pointer[i++], NetTrace);
+		putc('"', NetTrace);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++)
+			fprintf(NetTrace, " ?%d?", pointer[i]);
+		    break;
+	    }
+	    break;
+#endif
+
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    fprintf(NetTrace, "ENCRYPT");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		fprintf(NetTrace, " START");
+		break;
+
+	    case ENCRYPT_END:
+		fprintf(NetTrace, " END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		fprintf(NetTrace, " REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		fprintf(NetTrace, " REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		fprintf(NetTrace, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    fprintf(NetTrace, " (partial suboption??\?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[2]);
+
+		encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		fprintf(NetTrace, " SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		fprintf(NetTrace, " ENC_KEYID ");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		fprintf(NetTrace, " DEC_KEYID ");
+		goto encommon;
+
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+		break;
+	    }
+	    break;
+#endif	/* ENCRYPTION */
+
+	case TELOPT_LINEMODE:
+	    fprintf(NetTrace, "LINEMODE ");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		fprintf(NetTrace, "WILL ");
+		goto common;
+	    case WONT:
+		fprintf(NetTrace, "WONT ");
+		goto common;
+	    case DO:
+		fprintf(NetTrace, "DO ");
+		goto common;
+	    case DONT:
+		fprintf(NetTrace, "DONT ");
+	    common:
+		if (length < 3) {
+		    fprintf(NetTrace, "(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    fprintf(NetTrace, "Forward Mask");
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %x", pointer[i]);
+		    break;
+		default:
+		    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %d", pointer[i]);
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		fprintf(NetTrace, "SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			fprintf(NetTrace, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			fprintf(NetTrace, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			fprintf(NetTrace, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			fprintf(NetTrace, " DEFAULT"); break;
+		    }
+		    fprintf(NetTrace, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS))
+			fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+		    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+
+	    case LM_MODE:
+		fprintf(NetTrace, "MODE ");
+		if (length < 3) {
+		    fprintf(NetTrace, "(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[64];
+		    sprintf(tbuf, "%s%s%s%s%s",
+			pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			pointer[2]&MODE_ACK ? "|ACK" : "");
+		    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_MASK))
+		    fprintf(NetTrace, " (0x%x)", pointer[2]);
+		for (i = 3; i < length; i++)
+		    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+		break;
+	    default:
+		fprintf(NetTrace, "%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    register char *cp;
+	    register int j, k;
+
+	    fprintf(NetTrace, "STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    case TELQUAL_IS:
+		if (--want_status_response < 0)
+		    want_status_response = 0;
+		if (NetTrace == stdout)
+		    fprintf(NetTrace, " IS\r\n");
+		else
+		    fprintf(NetTrace, " IS\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK((int)pointer[i]))
+			    fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+			break;
+
+		    case SB:
+			fprintf(NetTrace, " SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    fprintf(NetTrace, " SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+
+			break;
+
+		    default:
+			fprintf(NetTrace, " %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    fprintf(NetTrace, "NEW-ENVIRON ");
+#ifdef	OLD_ENVIRON
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    fprintf(NetTrace, "OLD-ENVIRON");
+	env_common1:
+#endif
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		fprintf(NetTrace, "INFO ");
+	    env_common:
+		{
+		    register int noquote = 2;
+#if defined(ENV_HACK) && defined(OLD_ENVIRON)
+		    extern int old_env_var, old_env_value;
+#endif
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VALUE:
+#ifdef OLD_ENVIRON
+		     /*	case NEW_ENV_OVAR: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+# ifdef	ENV_HACK
+				if (old_env_var == OLD_ENV_VALUE)
+				    fprintf(NetTrace, "\" (VALUE) " + noquote);
+				else
+# endif
+				    fprintf(NetTrace, "\" VAR " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VAR:
+#ifdef OLD_ENVIRON
+		     /* case OLD_ENV_VALUE: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+# ifdef	ENV_HACK
+				if (old_env_value == OLD_ENV_VAR)
+				    fprintf(NetTrace, "\" (VAR) " + noquote);
+				else
+# endif
+				    fprintf(NetTrace, "\" VALUE " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    fprintf(NetTrace, "\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    putc('"', NetTrace);
+				    noquote = 0;
+				}
+				putc(pointer[i], NetTrace);
+			    } else {
+				fprintf(NetTrace, "\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			putc('"', NetTrace);
+		    break;
+		}
+	    }
+	    break;
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		fprintf(NetTrace, "%d (unknown)", pointer[0]);
+	    for (i = 1; i < length; i++)
+		fprintf(NetTrace, " %d", pointer[i]);
+	    break;
+	}
+	if (direction) {
+	    if (NetTrace == stdout)
+		fprintf(NetTrace, "\r\n");
+	    else
+		fprintf(NetTrace, "\n");
+	}
+	if (NetTrace == stdout)
+	    fflush(NetTrace);
+    }
+}
+
+/* EmptyTerminal - called to make sure that the terminal buffer is empty.
+ *			Note that we consider the buffer to run all the
+ *			way to the kernel (thus the select).
+ */
+
+    void
+EmptyTerminal()
+{
+#if	defined(unix)
+    fd_set	o;
+
+    FD_ZERO(&o);
+#endif	/* defined(unix) */
+
+    if (TTYBYTES() == 0) {
+#if	defined(unix)
+	FD_SET(tout, &o);
+	(void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+			(struct timeval *) 0);	/* wait for TTLOWAT */
+#endif	/* defined(unix) */
+    } else {
+	while (TTYBYTES()) {
+	    (void) ttyflush(0);
+#if	defined(unix)
+	    FD_SET(tout, &o);
+	    (void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+				(struct timeval *) 0);	/* wait for TTLOWAT */
+#endif	/* defined(unix) */
+	}
+    }
+}
+
+    void
+SetForExit()
+{
+    setconnmode(0);
+#if	defined(TN3270)
+    if (In3270) {
+	Finish3270();
+    }
+#else	/* defined(TN3270) */
+    do {
+	(void)telrcv();			/* Process any incoming data */
+	EmptyTerminal();
+    } while (ring_full_count(&netiring));	/* While there is any */
+#endif	/* defined(TN3270) */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+#if	defined(TN3270)
+    if (In3270) {
+	StopScreen(1);
+    }
+#endif	/* defined(TN3270) */
+    setconnmode(0);
+    EmptyTerminal();			/* Flush the path to the tty */
+    setcommandmode();
+}
+
+    void
+Exit(returnCode)
+    int returnCode;
+{
+    SetForExit();
+    exit(returnCode);
+}
+
+    void
+ExitString(string, returnCode)
+    char *string;
+    int returnCode;
+{
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/crypto/telnet/telnetd/authenc.c b/crypto/telnet/telnetd/authenc.c
new file mode 100644
index 0000000..39a38d4
--- /dev/null
+++ b/crypto/telnet/telnetd/authenc.c
@@ -0,0 +1,94 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)authenc.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include "telnetd.h"
+#include <libtelnet/misc.h>
+
+	int
+net_write(str, len)
+	unsigned char *str;
+	int len;
+{
+	if (nfrontp + len < netobuf + BUFSIZ) {
+		memmove((void *)nfrontp, (void *)str, len);
+		nfrontp += len;
+		return(len);
+	}
+	return(0);
+}
+
+	void
+net_encrypt()
+{
+#ifdef	ENCRYPTION
+	char *s = (nclearto > nbackp) ? nclearto : nbackp;
+	if (s < nfrontp && encrypt_output) {
+		(*encrypt_output)((unsigned char *)s, nfrontp - s);
+	}
+	nclearto = nfrontp;
+#endif /* ENCRYPTION */
+}
+
+	int
+telnet_spin()
+{
+	ttloop();
+	return(0);
+}
+
+	char *
+telnet_getenv(val)
+	char *val;
+{
+	return(getenv(val));
+}
+
+	char *
+telnet_gets(prompt, result, length, echo)
+	char *prompt;
+	char *result;
+	int length;
+	int echo;
+{
+	return((char *)0);
+}
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
diff --git a/crypto/telnet/telnetd/defs.h b/crypto/telnet/telnetd/defs.h
new file mode 100644
index 0000000..a73d4a6
--- /dev/null
+++ b/crypto/telnet/telnetd/defs.h
@@ -0,0 +1,296 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defs.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Telnet server defines
+ */
+#include <sys/types.h>
+#include <sys/param.h>
+
+#ifndef	BSD
+# define	BSD 43
+#endif
+
+#if	defined(CRAY) && !defined(LINEMODE)
+# define SYSV_TERMIO
+# define LINEMODE
+# define KLUDGELINEMODE
+# define DIAGNOSTICS
+# if defined(UNICOS50) && !defined(UNICOS5)
+#  define UNICOS5
+# endif
+# if !defined(UNICOS5)
+#  define BFTPDAEMON
+#  define HAS_IP_TOS
+# endif
+#endif /* CRAY */
+#if defined(UNICOS5) && !defined(NO_SETSID)
+# define NO_SETSID
+#endif
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define	SLC_NAMES
+#endif
+
+#if	defined(SYSV_TERMIO) && !defined(USE_TERMIO)
+# define	USE_TERMIO
+#endif
+
+#include <sys/socket.h>
+#ifndef	CRAY
+#include <sys/wait.h>
+#endif	/* CRAY */
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#ifndef	FILIO_H
+#include <sys/ioctl.h>
+#else
+#include <sys/filio.h>
+#endif
+
+#include <netinet/in.h>
+
+#include <arpa/telnet.h>
+
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#include <signal.h>
+#include <errno.h>
+#include <netdb.h>
+#include <syslog.h>
+#ifndef	LOG_DAEMON
+#define	LOG_DAEMON	0
+#endif
+#ifndef	LOG_ODELAY
+#define	LOG_ODELAY	0
+#endif
+#include <ctype.h>
+#ifndef NO_STRING_H
+#include <string.h>
+#else
+#include <strings.h>
+#endif
+
+#ifndef	USE_TERMIO
+#include <sgtty.h>
+#else
+# ifdef	SYSV_TERMIO
+# include <termio.h>
+# else
+# include <termios.h>
+# endif
+#endif
+#if !defined(USE_TERMIO) || defined(NO_CC_T)
+typedef unsigned char cc_t;
+#endif
+
+#ifdef	__STDC__
+#include <unistd.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((unsigned char)'\377')
+# endif
+#endif
+
+
+#ifdef	CRAY
+# ifdef	CRAY1
+# include <sys/pty.h>
+#  ifndef FD_ZERO
+# include <sys/select.h>
+#  endif /* FD_ZERO */
+# endif	/* CRAY1 */
+
+#include <memory.h>
+#endif	/* CRAY */
+
+#ifdef __hpux
+#include <sys/ptyio.h>
+#endif
+
+#if	!defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define	TIOCSCTTY TCSETCTTY
+#endif
+
+#ifndef	FD_SET
+#ifndef	HAVE_fd_set
+typedef struct fd_set { int fds_bits[1]; } fd_set;
+#endif
+
+#define	FD_SET(n, p)	((p)->fds_bits[0] |= (1<<(n)))
+#define	FD_CLR(n, p)	((p)->fds_bits[0] &= ~(1<<(n)))
+#define	FD_ISSET(n, p)	((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)	((p)->fds_bits[0] = 0)
+#endif	/* FD_SET */
+
+/*
+ * I/O data buffers defines
+ */
+#define	NETSLOP	64
+#ifdef CRAY
+#undef BUFSIZ
+#define BUFSIZ  2048
+#endif
+
+#define	NIACCUM(c)	{   *netip++ = c; \
+			    ncc++; \
+			}
+
+/* clock manipulations */
+#define	settimer(x)	(clocks.x = ++clocks.system)
+#define	sequenceIs(x,y)	(clocks.x < clocks.y)
+
+/*
+ * Linemode support states, in decreasing order of importance
+ */
+#define REAL_LINEMODE	0x04
+#define KLUDGE_OK	0x03
+#define	NO_AUTOKLUDGE	0x02
+#define KLUDGE_LINEMODE	0x01
+#define NO_LINEMODE	0x00
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+	unsigned char	flag;		/* the flags for this function */
+	cc_t		val;		/* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+	slcent		defset;		/* the default settings */
+	slcent		current;	/* the current settings */
+	cc_t		*sptr;		/* a pointer to the char in */
+					/* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define	TD_REPORT	0x01	/* Report operations to client */
+#define TD_EXERCISE	0x02	/* Exercise client's implementation */
+#define TD_NETDATA	0x04	/* Display received data stream */
+#define TD_PTYDATA	0x08	/* Display data passed to pty */
+#define	TD_OPTIONS	0x10	/* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		(options[opt] |= MY_STATE_DO)
+#define	set_my_state_will(opt)		(options[opt] |= MY_STATE_WILL)
+#define	set_my_want_state_do(opt)	(options[opt] |= MY_WANT_STATE_DO)
+#define	set_my_want_state_will(opt)	(options[opt] |= MY_WANT_STATE_WILL)
+
+#define	set_my_state_dont(opt)		(options[opt] &= ~MY_STATE_DO)
+#define	set_my_state_wont(opt)		(options[opt] &= ~MY_STATE_WILL)
+#define	set_my_want_state_dont(opt)	(options[opt] &= ~MY_WANT_STATE_DO)
+#define	set_my_want_state_wont(opt)	(options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+			((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+			((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+#define his_will_wont_is_changing	my_do_dont_is_changing
+#define his_do_dont_is_changing		my_will_wont_is_changing
diff --git a/crypto/telnet/telnetd/ext.h b/crypto/telnet/telnetd/ext.h
new file mode 100644
index 0000000..b84cee4
--- /dev/null
+++ b/crypto/telnet/telnetd/ext.h
@@ -0,0 +1,243 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ext.h	8.2 (Berkeley) 12/15/93
+ * $FreeBSD$
+ */
+
+/*
+ * Telnet server variable declarations
+ */
+extern char	options[256];
+extern char	do_dont_resp[256];
+extern char	will_wont_resp[256];
+extern int	linemode;	/* linemode on/off */
+#ifdef	LINEMODE
+extern int	uselinemode;	/* what linemode to use (on/off) */
+extern int	editmode;	/* edit modes in use */
+extern int	useeditmode;	/* edit modes to use */
+extern int	alwayslinemode;	/* command line option */
+extern int	lmodetype;	/* Client support for linemode */
+#endif	/* LINEMODE */
+extern int	flowmode;	/* current flow control state */
+extern int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+extern int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+#ifdef BFTPDAEMON
+extern int	bftpd;		/* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+#if	defined(SecurID)
+extern int	require_SecurID;
+#endif
+#if	defined(AUTHENTICATION)
+extern int	auth_level;
+#endif
+
+extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+extern char	netibuf[BUFSIZ], *netip;
+
+extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	*neturg;		/* one past last bye of urgent data */
+
+extern int	pcc, ncc;
+
+#if defined(CRAY2) && defined(UNICOS5)
+extern int unpcc;  /* characters left unprocessed by CRAY-2 terminal routine */
+extern char *unptyip;  /* pointer to remaining characters in buffer */
+#endif
+
+extern int	pty, net;
+extern char	*line;
+extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+#ifndef	P
+# ifdef	__STDC__
+#  define P(x)	x
+# else
+#  define P(x)	()
+# endif
+#endif
+
+extern void
+	_termstat P((void)),
+	add_slc P((int, int, int)),
+	check_slc P((void)),
+	change_slc P((int, int, int)),
+	cleanup P((int)),
+	clientstat P((int, int, int)),
+	copy_termbuf P((char *, int)),
+	deferslc P((void)),
+	defer_terminit P((void)),
+	do_opt_slc P((unsigned char *, int)),
+	doeof P((void)),
+	dooption P((int)),
+	dontoption P((int)),
+	edithost P((char *, char *)),
+	fatal P((int, char *)),
+	fatalperror P((int, char *)),
+	get_slc_defaults P((void)),
+	init_env P((void)),
+	init_termbuf P((void)),
+	interrupt P((void)),
+	localstat P((void)),
+	flowstat P((void)),
+	netclear P((void)),
+	netflush P((void)),
+#ifdef DIAGNOSTICS
+	printoption P((char *, int)),
+	printdata P((char *, char *, int)),
+	printsub P((int, unsigned char *, int)),
+#endif
+	ptyflush P((void)),
+	putchr P((int)),
+	putf P((char *, char *)),
+	recv_ayt P((void)),
+	send_do P((int, int)),
+	send_dont P((int, int)),
+	send_slc P((void)),
+	send_status P((void)),
+	send_will P((int, int)),
+	send_wont P((int, int)),
+	sendbrk P((void)),
+	sendsusp P((void)),
+	set_termbuf P((void)),
+	start_login P((char *, int, char *)),
+	start_slc P((int)),
+#if	defined(AUTHENTICATION)
+	start_slave P((char *)),
+#else
+	start_slave P((char *, int, char *)),
+#endif
+	suboption P((void)),
+	telrcv P((void)),
+	ttloop P((void)),
+	tty_binaryin P((int)),
+	tty_binaryout P((int));
+
+extern int
+	end_slc P((unsigned char **)),
+	getnpty P((void)),
+#ifndef convex
+	getpty P((int *)),
+#endif
+	login_tty P((int)),
+	spcset P((int, cc_t *, cc_t **)),
+	stilloob P((int)),
+	terminit P((void)),
+	termstat P((void)),
+	tty_flowmode P((void)),
+	tty_restartany P((void)),
+	tty_isbinaryin P((void)),
+	tty_isbinaryout P((void)),
+	tty_iscrnl P((void)),
+	tty_isecho P((void)),
+	tty_isediting P((void)),
+	tty_islitecho P((void)),
+	tty_isnewmap P((void)),
+	tty_israw P((void)),
+	tty_issofttab P((void)),
+	tty_istrapsig P((void)),
+	tty_linemode P((void));
+
+extern void
+	tty_rspeed P((int)),
+	tty_setecho P((int)),
+	tty_setedit P((int)),
+	tty_setlinemode P((int)),
+	tty_setlitecho P((int)),
+	tty_setsig P((int)),
+	tty_setsofttab P((int)),
+	tty_tspeed P((int)),
+	willoption P((int)),
+	wontoption P((int)),
+	writenet P((unsigned char *, int));
+
+#ifdef	ENCRYPTION
+extern void	(*encrypt_output) P((unsigned char *, int));
+extern int	(*decrypt_input) P((int));
+extern char	*nclearto;
+#endif	/* ENCRYPTION */
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+extern struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	ttypesubopt,		/* ttype subopt is received */
+	tspeedsubopt,		/* tspeed subopt is received */
+	environsubopt,		/* environ subopt is received */
+	oenvironsubopt,		/* old environ subopt is received */
+	xdisplocsubopt,		/* xdisploc subopt is received */
+	baseline,		/* time started to do timed action */
+	gotDM;			/* when did we last see a data mark */
+} clocks;
+
+
+#if	defined(CRAY2) && defined(UNICOS5)
+extern int	needtermstat;
+#endif
+
+#ifndef	DEFAULT_IM
+# ifdef CRAY
+#  define DEFAULT_IM	"\r\n\r\nCray UNICOS (%h) (%t)\r\n\r\r\n\r"
+# else
+#  ifdef sun
+#   define DEFAULT_IM	"\r\n\r\nSunOS UNIX (%h) (%t)\r\n\r\r\n\r"
+#  else
+#   ifdef ultrix
+#    define DEFAULT_IM	"\r\n\r\nULTRIX (%h) (%t)\r\n\r\r\n\r"
+#   else
+#    ifdef __FreeBSD__
+#     define DEFAULT_IM  "\r\n\r\nFreeBSD (%h) (%t)\r\n\r\r\n\r"
+#    else
+#    define DEFAULT_IM	"\r\n\r\n4.4 BSD UNIX (%h) (%t)\r\n\r\r\n\r"
+#    endif
+#   endif
+#  endif
+# endif
+#endif
diff --git a/crypto/telnet/telnetd/global.c b/crypto/telnet/telnetd/global.c
new file mode 100644
index 0000000..0cf95db
--- /dev/null
+++ b/crypto/telnet/telnetd/global.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)global.c	8.1 (Berkeley) 6/4/93";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+/*
+ * Allocate global variables.  We do this
+ * by including the header file that defines
+ * them all as externs, but first we define
+ * the keyword "extern" to be nothing, so that
+ * we will actually allocate the space.
+ */
+
+#include "defs.h"
+#define extern
+#include "ext.h"
diff --git a/crypto/telnet/telnetd/pathnames.h b/crypto/telnet/telnetd/pathnames.h
new file mode 100644
index 0000000..c8b0806
--- /dev/null
+++ b/crypto/telnet/telnetd/pathnames.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/4/93
+ */
+
+#if BSD > 43
+
+# include <paths.h>
+
+# ifndef _PATH_LOGIN
+#  define	_PATH_LOGIN	"/usr/bin/login"
+# endif
+
+#else
+ 
+# define	_PATH_TTY	"/dev/tty"
+# ifndef _PATH_LOGIN
+#  define	_PATH_LOGIN	"/bin/login"
+# endif
+
+#endif
+
+#ifdef BFTPDAEMON
+#define		BFTPPATH	"/usr/ucb/bftp"
+#endif  /* BFTPDAEMON */
diff --git a/crypto/telnet/telnetd/slc.c b/crypto/telnet/telnetd/slc.c
new file mode 100644
index 0000000..65dc689
--- /dev/null
+++ b/crypto/telnet/telnetd/slc.c
@@ -0,0 +1,495 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)slc.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+
+#ifdef	LINEMODE
+/*
+ * local variables
+ */
+static unsigned char	*def_slcbuf = (unsigned char *)0;
+static int		def_slclen = 0;
+static int		slcchange;	/* change to slc is requested */
+static unsigned char	*slcptr;	/* pointer into slc buffer */
+static unsigned char	slcbuf[NSLC*6];	/* buffer for slc negotiation */
+
+/*
+ * send_slc
+ *
+ * Write out the current special characters to the client.
+ */
+	void
+send_slc()
+{
+	register int i;
+
+	/*
+	 * Send out list of triplets of special characters
+	 * to client.  We only send info on the characters
+	 * that are currently supported.
+	 */
+	for (i = 1; i <= NSLC; i++) {
+		if ((slctab[i].defset.flag & SLC_LEVELBITS) == SLC_NOSUPPORT)
+			continue;
+		add_slc((unsigned char)i, slctab[i].current.flag,
+							slctab[i].current.val);
+	}
+
+}  /* end of send_slc */
+
+/*
+ * default_slc
+ *
+ * Set pty special characters to all the defaults.
+ */
+	void
+default_slc()
+{
+	register int i;
+
+	for (i = 1; i <= NSLC; i++) {
+		slctab[i].current.val = slctab[i].defset.val;
+		if (slctab[i].current.val == (cc_t)(_POSIX_VDISABLE))
+			slctab[i].current.flag = SLC_NOSUPPORT;
+		else
+			slctab[i].current.flag = slctab[i].defset.flag;
+		if (slctab[i].sptr) {
+			*(slctab[i].sptr) = slctab[i].defset.val;
+		}
+	}
+	slcchange = 1;
+
+}  /* end of default_slc */
+#endif	/* LINEMODE */
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+	void
+get_slc_defaults()
+{
+	register int i;
+
+	init_termbuf();
+
+	for (i = 1; i <= NSLC; i++) {
+		slctab[i].defset.flag =
+			spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
+		slctab[i].current.flag = SLC_NOSUPPORT;
+		slctab[i].current.val = 0;
+	}
+
+}  /* end of get_slc_defaults */
+
+#ifdef	LINEMODE
+/*
+ * add_slc
+ *
+ * Add an slc triplet to the slc buffer.
+ */
+	void
+add_slc(func, flag, val)
+	register char func, flag;
+	register cc_t val;
+{
+
+	if ((*slcptr++ = (unsigned char)func) == 0xff)
+		*slcptr++ = 0xff;
+
+	if ((*slcptr++ = (unsigned char)flag) == 0xff)
+		*slcptr++ = 0xff;
+
+	if ((*slcptr++ = (unsigned char)val) == 0xff)
+		*slcptr++ = 0xff;
+
+}  /* end of add_slc */
+
+/*
+ * start_slc
+ *
+ * Get ready to process incoming slc's and respond to them.
+ *
+ * The parameter getit is non-zero if it is necessary to grab a copy
+ * of the terminal control structures.
+ */
+	void
+start_slc(getit)
+	register int getit;
+{
+
+	slcchange = 0;
+	if (getit)
+		init_termbuf();
+	(void) sprintf((char *)slcbuf, "%c%c%c%c",
+					IAC, SB, TELOPT_LINEMODE, LM_SLC);
+	slcptr = slcbuf + 4;
+
+}  /* end of start_slc */
+
+/*
+ * end_slc
+ *
+ * Finish up the slc negotiation.  If something to send, then send it.
+ */
+	int
+end_slc(bufp)
+	register unsigned char **bufp;
+{
+	register int len;
+	void netflush();
+
+	/*
+	 * If a change has occured, store the new terminal control
+	 * structures back to the terminal driver.
+	 */
+	if (slcchange) {
+		set_termbuf();
+	}
+
+	/*
+	 * If the pty state has not yet been fully processed and there is a
+	 * deferred slc request from the client, then do not send any
+	 * sort of slc negotiation now.  We will respond to the client's
+	 * request very soon.
+	 */
+	if (def_slcbuf && (terminit() == 0)) {
+		return(0);
+	}
+
+	if (slcptr > (slcbuf + 4)) {
+		if (bufp) {
+			*bufp = &slcbuf[4];
+			return(slcptr - slcbuf - 4);
+		} else {
+			(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
+			slcptr += 2;
+			len = slcptr - slcbuf;
+			writenet(slcbuf, len);
+			netflush();  /* force it out immediately */
+			DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
+		}
+	}
+	return (0);
+
+}  /* end of end_slc */
+
+/*
+ * process_slc
+ *
+ * Figure out what to do about the client's slc
+ */
+	void
+process_slc(func, flag, val)
+	register unsigned char func, flag;
+	register cc_t val;
+{
+	register int hislevel, mylevel, ack;
+
+	/*
+	 * Ensure that we know something about this function
+	 */
+	if (func > NSLC) {
+		add_slc(func, SLC_NOSUPPORT, 0);
+		return;
+	}
+
+	/*
+	 * Process the special case requests of 0 SLC_DEFAULT 0
+	 * and 0 SLC_VARIABLE 0.  Be a little forgiving here, don't
+	 * worry about whether the value is actually 0 or not.
+	 */
+	if (func == 0) {
+		if ((flag = flag & SLC_LEVELBITS) == SLC_DEFAULT) {
+			default_slc();
+			send_slc();
+		} else if (flag == SLC_VARIABLE) {
+			send_slc();
+		}
+		return;
+	}
+
+	/*
+	 * Appears to be a function that we know something about.  So
+	 * get on with it and see what we know.
+	 */
+
+	hislevel = flag & SLC_LEVELBITS;
+	mylevel = slctab[func].current.flag & SLC_LEVELBITS;
+	ack = flag & SLC_ACK;
+	/*
+	 * ignore the command if:
+	 * the function value and level are the same as what we already have;
+	 * or the level is the same and the ack bit is set
+	 */
+	if (hislevel == mylevel && (val == slctab[func].current.val || ack)) {
+		return;
+	} else if (ack) {
+		/*
+		 * If we get here, we got an ack, but the levels don't match.
+		 * This shouldn't happen.  If it does, it is probably because
+		 * we have sent two requests to set a variable without getting
+		 * a response between them, and this is the first response.
+		 * So, ignore it, and wait for the next response.
+		 */
+		return;
+	} else {
+		change_slc(func, flag, val);
+	}
+
+}  /* end of process_slc */
+
+/*
+ * change_slc
+ *
+ * Process a request to change one of our special characters.
+ * Compare client's request with what we are capable of supporting.
+ */
+	void
+change_slc(func, flag, val)
+	register char func, flag;
+	register cc_t val;
+{
+	register int hislevel, mylevel;
+
+	hislevel = flag & SLC_LEVELBITS;
+	mylevel = slctab[(int)func].defset.flag & SLC_LEVELBITS;
+	/*
+	 * If client is setting a function to NOSUPPORT
+	 * or DEFAULT, then we can easily and directly
+	 * accomodate the request.
+	 */
+	if (hislevel == SLC_NOSUPPORT) {
+		slctab[(int)func].current.flag = flag;
+		slctab[(int)func].current.val = (cc_t)_POSIX_VDISABLE;
+		flag |= SLC_ACK;
+		add_slc(func, flag, val);
+		return;
+	}
+	if (hislevel == SLC_DEFAULT) {
+		/*
+		 * Special case here.  If client tells us to use
+		 * the default on a function we don't support, then
+		 * return NOSUPPORT instead of what we may have as a
+		 * default level of DEFAULT.
+		 */
+		if (mylevel == SLC_DEFAULT) {
+			slctab[(int)func].current.flag = SLC_NOSUPPORT;
+		} else {
+			slctab[(int)func].current.flag = slctab[(int)func].defset.flag;
+		}
+		slctab[(int)func].current.val = slctab[(int)func].defset.val;
+		add_slc(func, slctab[(int)func].current.flag,
+						slctab[(int)func].current.val);
+		return;
+	}
+
+	/*
+	 * Client wants us to change to a new value or he
+	 * is telling us that he can't change to our value.
+	 * Some of the slc's we support and can change,
+	 * some we do support but can't change,
+	 * and others we don't support at all.
+	 * If we can change it then we have a pointer to
+	 * the place to put the new value, so change it,
+	 * otherwise, continue the negotiation.
+	 */
+	if (slctab[(int)func].sptr) {
+		/*
+		 * We can change this one.
+		 */
+		slctab[(int)func].current.val = val;
+		*(slctab[(int)func].sptr) = val;
+		slctab[(int)func].current.flag = flag;
+		flag |= SLC_ACK;
+		slcchange = 1;
+		add_slc(func, flag, val);
+	} else {
+		/*
+		* It is not possible for us to support this
+		* request as he asks.
+		*
+		* If our level is DEFAULT, then just ack whatever was
+		* sent.
+		*
+		* If he can't change and we can't change,
+		* then degenerate to NOSUPPORT.
+		*
+		* Otherwise we send our level back to him, (CANTCHANGE
+		* or NOSUPPORT) and if CANTCHANGE, send
+		* our value as well.
+		*/
+		if (mylevel == SLC_DEFAULT) {
+			slctab[(int)func].current.flag = flag;
+			slctab[(int)func].current.val = val;
+			flag |= SLC_ACK;
+		} else if (hislevel == SLC_CANTCHANGE &&
+				    mylevel == SLC_CANTCHANGE) {
+			flag &= ~SLC_LEVELBITS;
+			flag |= SLC_NOSUPPORT;
+			slctab[(int)func].current.flag = flag;
+		} else {
+			flag &= ~SLC_LEVELBITS;
+			flag |= mylevel;
+			slctab[(int)func].current.flag = flag;
+			if (mylevel == SLC_CANTCHANGE) {
+				slctab[(int)func].current.val =
+					slctab[(int)func].defset.val;
+				val = slctab[(int)func].current.val;
+			}
+		}
+		add_slc(func, flag, val);
+	}
+
+}  /* end of change_slc */
+
+#if	defined(USE_TERMIO) && (VEOF == VMIN)
+cc_t oldeofc = '\004';
+#endif
+
+/*
+ * check_slc
+ *
+ * Check the special characters in use and notify the client if any have
+ * changed.  Only those characters that are capable of being changed are
+ * likely to have changed.  If a local change occurs, kick the support level
+ * and flags up to the defaults.
+ */
+	void
+check_slc()
+{
+	register int i;
+
+	for (i = 1; i <= NSLC; i++) {
+#if	defined(USE_TERMIO) && (VEOF == VMIN)
+		/*
+		 * In a perfect world this would be a neat little
+		 * function.  But in this world, we should not notify
+		 * client of changes to the VEOF char when
+		 * ICANON is off, because it is not representing
+		 * a special character.
+		 */
+		if (i == SLC_EOF) {
+			if (!tty_isediting())
+				continue;
+			else if (slctab[i].sptr)
+				oldeofc = *(slctab[i].sptr);
+		}
+#endif	/* defined(USE_TERMIO) && defined(SYSV_TERMIO) */
+		if (slctab[i].sptr &&
+				(*(slctab[i].sptr) != slctab[i].current.val)) {
+			slctab[i].current.val = *(slctab[i].sptr);
+			if (*(slctab[i].sptr) == (cc_t)_POSIX_VDISABLE)
+				slctab[i].current.flag = SLC_NOSUPPORT;
+			else
+				slctab[i].current.flag = slctab[i].defset.flag;
+			add_slc((unsigned char)i, slctab[i].current.flag,
+						slctab[i].current.val);
+		}
+	}
+}  /* check_slc */
+
+/*
+ * do_opt_slc
+ *
+ * Process an slc option buffer.  Defer processing of incoming slc's
+ * until after the terminal state has been processed.  Save the first slc
+ * request that comes along, but discard all others.
+ *
+ * ptr points to the beginning of the buffer, len is the length.
+ */
+	void
+do_opt_slc(ptr, len)
+	register unsigned char *ptr;
+	register int len;
+{
+	register unsigned char func, flag;
+	cc_t val;
+	register unsigned char *end = ptr + len;
+
+	if (terminit()) {  /* go ahead */
+		while (ptr < end) {
+			func = *ptr++;
+			if (ptr >= end) break;
+			flag = *ptr++;
+			if (ptr >= end) break;
+			val = (cc_t)*ptr++;
+
+			process_slc(func, flag, val);
+
+		}
+	} else {
+		/*
+		 * save this slc buffer if it is the first, otherwise dump
+		 * it.
+		 */
+		if (def_slcbuf == (unsigned char *)0) {
+			def_slclen = len;
+			def_slcbuf = (unsigned char *)malloc((unsigned)len);
+			if (def_slcbuf == (unsigned char *)0)
+				return;  /* too bad */
+			memmove(def_slcbuf, ptr, len);
+		}
+	}
+
+}  /* end of do_opt_slc */
+
+/*
+ * deferslc
+ *
+ * Do slc stuff that was deferred.
+ */
+	void
+deferslc()
+{
+	if (def_slcbuf) {
+		start_slc(1);
+		do_opt_slc(def_slcbuf, def_slclen);
+		(void) end_slc(0);
+		free(def_slcbuf);
+		def_slcbuf = (unsigned char *)0;
+		def_slclen = 0;
+	}
+
+}  /* end of deferslc */
+
+#endif	/* LINEMODE */
diff --git a/crypto/telnet/telnetd/state.c b/crypto/telnet/telnetd/state.c
new file mode 100644
index 0000000..4a066b7
--- /dev/null
+++ b/crypto/telnet/telnetd/state.c
@@ -0,0 +1,1619 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)state.c	8.5 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
+unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char	will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char	wont[] = { IAC, WONT, '%', 'c', 0 };
+int	not42 = 1;
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[512], *subpointer= subbuffer, *subend= subbuffer;
+
+#define	SB_CLEAR()	subpointer = subbuffer
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+#ifdef	ENV_HACK
+unsigned char *subsave;
+#define SB_SAVE()	subsave = subpointer;
+#define	SB_RESTORE()	subpointer = subsave;
+#endif
+
+
+/*
+ * State for recv fsm
+ */
+#define	TS_DATA		0	/* base state */
+#define	TS_IAC		1	/* look for double IAC's */
+#define	TS_CR		2	/* CR-LF ->'s CR */
+#define	TS_SB		3	/* throw away begin's... */
+#define	TS_SE		4	/* ...end's (suboption negotiation) */
+#define	TS_WILL		5	/* will option negotiation */
+#define	TS_WONT		6	/* wont " */
+#define	TS_DO		7	/* do " */
+#define	TS_DONT		8	/* dont " */
+
+	void
+telrcv()
+{
+	register int c;
+	static int state = TS_DATA;
+#if	defined(CRAY2) && defined(UNICOS5)
+	char *opfrontp = pfrontp;
+#endif
+
+	while (ncc > 0) {
+		if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+			break;
+		c = *netip++ & 0377, ncc--;
+#ifdef	ENCRYPTION
+		if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		switch (state) {
+
+		case TS_CR:
+			state = TS_DATA;
+			/* Strip off \n or \0 after a \r */
+			if ((c == 0) || (c == '\n')) {
+				break;
+			}
+			/* FALL THROUGH */
+
+		case TS_DATA:
+			if (c == IAC) {
+				state = TS_IAC;
+				break;
+			}
+			/*
+			 * We now map \r\n ==> \r for pragmatic reasons.
+			 * Many client implementations send \r\n when
+			 * the user hits the CarriageReturn key.
+			 *
+			 * We USED to map \r\n ==> \n, since \r\n says
+			 * that we want to be in column 1 of the next
+			 * printable line, and \n is the standard
+			 * unix way of saying that (\r is only good
+			 * if CRMOD is set, which it normally is).
+			 */
+			if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+				int nc = *netip;
+#ifdef	ENCRYPTION
+				if (decrypt_input)
+					nc = (*decrypt_input)(nc & 0xff);
+#endif	/* ENCRYPTION */
+#ifdef	LINEMODE
+				/*
+				 * If we are operating in linemode,
+				 * convert to local end-of-line.
+				 */
+				if (linemode && (ncc > 0) && (('\n' == nc) ||
+					 ((0 == nc) && tty_iscrnl())) ) {
+					netip++; ncc--;
+					c = '\n';
+				} else
+#endif
+				{
+#ifdef	ENCRYPTION
+					if (decrypt_input)
+						(void)(*decrypt_input)(-1);
+#endif	/* ENCRYPTION */
+					state = TS_CR;
+				}
+			}
+			*pfrontp++ = c;
+			break;
+
+		case TS_IAC:
+gotiac:			switch (c) {
+
+			/*
+			 * Send the process on the pty side an
+			 * interrupt.  Do this with a NULL or
+			 * interrupt char; depending on the tty mode.
+			 */
+			case IP:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				interrupt();
+				break;
+
+			case BREAK:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				sendbrk();
+				break;
+
+			/*
+			 * Are You There?
+			 */
+			case AYT:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				recv_ayt();
+				break;
+
+			/*
+			 * Abort Output
+			 */
+			case AO:
+			    {
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				ptyflush();	/* half-hearted */
+				init_termbuf();
+
+				if (slctab[SLC_AO].sptr &&
+				    *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) {
+				    *pfrontp++ =
+					(unsigned char)*slctab[SLC_AO].sptr;
+				}
+
+				netclear();	/* clear buffer back */
+				*nfrontp++ = IAC;
+				*nfrontp++ = DM;
+				neturg = nfrontp-1; /* off by one XXX */
+				DIAG(TD_OPTIONS,
+					printoption("td: send IAC", DM));
+				break;
+			    }
+
+			/*
+			 * Erase Character and
+			 * Erase Line
+			 */
+			case EC:
+			case EL:
+			    {
+				cc_t ch;
+
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				ptyflush();	/* half-hearted */
+				init_termbuf();
+				if (c == EC)
+					ch = *slctab[SLC_EC].sptr;
+				else
+					ch = *slctab[SLC_EL].sptr;
+				if (ch != (cc_t)(_POSIX_VDISABLE))
+					*pfrontp++ = (unsigned char)ch;
+				break;
+			    }
+
+			/*
+			 * Check for urgent data...
+			 */
+			case DM:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				SYNCHing = stilloob(net);
+				settimer(gotDM);
+				break;
+
+
+			/*
+			 * Begin option subnegotiation...
+			 */
+			case SB:
+				state = TS_SB;
+				SB_CLEAR();
+				continue;
+
+			case WILL:
+				state = TS_WILL;
+				continue;
+
+			case WONT:
+				state = TS_WONT;
+				continue;
+
+			case DO:
+				state = TS_DO;
+				continue;
+
+			case DONT:
+				state = TS_DONT;
+				continue;
+			case EOR:
+				if (his_state_is_will(TELOPT_EOR))
+					doeof();
+				break;
+
+			/*
+			 * Handle RFC 10xx Telnet linemode option additions
+			 * to command stream (EOF, SUSP, ABORT).
+			 */
+			case xEOF:
+				doeof();
+				break;
+
+			case SUSP:
+				sendsusp();
+				break;
+
+			case ABORT:
+				sendbrk();
+				break;
+
+			case IAC:
+				*pfrontp++ = c;
+				break;
+			}
+			state = TS_DATA;
+			break;
+
+		case TS_SB:
+			if (c == IAC) {
+				state = TS_SE;
+			} else {
+				SB_ACCUM(c);
+			}
+			break;
+
+		case TS_SE:
+			if (c != SE) {
+				if (c != IAC) {
+					/*
+					 * bad form of suboption negotiation.
+					 * handle it in such a way as to avoid
+					 * damage to local state.  Parse
+					 * suboption buffer found so far,
+					 * then treat remaining stream as
+					 * another command sequence.
+					 */
+
+					/* for DIAGNOSTICS */
+					SB_ACCUM(IAC);
+					SB_ACCUM(c);
+					subpointer -= 2;
+
+					SB_TERM();
+					suboption();
+					state = TS_IAC;
+					goto gotiac;
+				}
+				SB_ACCUM(c);
+				state = TS_SB;
+			} else {
+				/* for DIAGNOSTICS */
+				SB_ACCUM(IAC);
+				SB_ACCUM(SE);
+				subpointer -= 2;
+
+				SB_TERM();
+				suboption();	/* handle sub-option */
+				state = TS_DATA;
+			}
+			break;
+
+		case TS_WILL:
+			willoption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_WONT:
+			wontoption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_DO:
+			dooption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_DONT:
+			dontoption(c);
+			state = TS_DATA;
+			continue;
+
+		default:
+			syslog(LOG_ERR, "panic state=%d", state);
+			printf("telnetd: panic state=%d\n", state);
+			exit(1);
+		}
+	}
+#if	defined(CRAY2) && defined(UNICOS5)
+	if (!linemode) {
+		char	xptyobuf[BUFSIZ+NETSLOP];
+		char	xbuf2[BUFSIZ];
+		register char *cp;
+		int n = pfrontp - opfrontp, oc;
+		memmove(xptyobuf, opfrontp, n);
+		pfrontp = opfrontp;
+		pfrontp += term_input(xptyobuf, pfrontp, n, BUFSIZ+NETSLOP,
+					xbuf2, &oc, BUFSIZ);
+		for (cp = xbuf2; oc > 0; --oc)
+			if ((*nfrontp++ = *cp++) == IAC)
+				*nfrontp++ = IAC;
+	}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+}  /* end of telrcv */
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *	my_state = the last negotiated state
+ *	want_state = what I want the state to go to
+ *	want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ *
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *	do nothing;
+ * } else {
+ *	want_state = new_state;
+ *	send new_state;
+ *	want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *	want_resp--;
+ *	if (want_resp && (new_state == my_state))
+ *		want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *	if (ok_to_switch_to new_state)
+ *		want_state = new_state;
+ *	else
+ *		want_resp++;
+ *	send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+	void
+send_do(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+		    his_want_state_is_will(option))
+			return;
+		/*
+		 * Special case for TELOPT_TM:  We send a DO, but pretend
+		 * that we sent a DONT, so that we can send more DOs if
+		 * we want to.
+		 */
+		if (option == TELOPT_TM)
+			set_his_want_state_wont(option);
+		else
+			set_his_want_state_will(option);
+		do_dont_resp[option]++;
+	}
+	(void) sprintf(nfrontp, (char *)doopt, option);
+	nfrontp += sizeof (dont) - 2;
+
+	DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef	AUTHENTICATION
+extern void auth_request();
+#endif
+#ifdef	LINEMODE
+extern void doclientstat();
+#endif
+#ifdef	ENCRYPTION
+extern void encrypt_send_support();
+#endif	/* ENCRYPTION */
+
+	void
+willoption(option)
+	int option;
+{
+	int changeok = 0;
+	void (*func)() = 0;
+
+	/*
+	 * process input from peer.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv will", option));
+
+	if (do_dont_resp[option]) {
+		do_dont_resp[option]--;
+		if (do_dont_resp[option] && his_state_is_will(option))
+			do_dont_resp[option]--;
+	}
+	if (do_dont_resp[option] == 0) {
+	    if (his_want_state_is_wont(option)) {
+		switch (option) {
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryin(1);
+			set_termbuf();
+			changeok++;
+			break;
+
+		case TELOPT_ECHO:
+			/*
+			 * See comments below for more info.
+			 */
+			not42 = 0;	/* looks like a 4.2 system */
+			break;
+
+		case TELOPT_TM:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * This telnetd implementation does not really
+			 * support timing marks, it just uses them to
+			 * support the kludge linemode stuff.  If we
+			 * receive a will or wont TM in response to our
+			 * do TM request that may have been sent to
+			 * determine kludge linemode support, process
+			 * it, otherwise TM should get a negative
+			 * response back.
+			 */
+			/*
+			 * Handle the linemode kludge stuff.
+			 * If we are not currently supporting any
+			 * linemode at all, then we assume that this
+			 * is the client telling us to use kludge
+			 * linemode in response to our query.  Set the
+			 * linemode type that is to be supported, note
+			 * that the client wishes to use linemode, and
+			 * eat the will TM as though it never arrived.
+			 */
+			if (lmodetype < KLUDGE_LINEMODE) {
+				lmodetype = KLUDGE_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WILL, 0);
+				send_wont(TELOPT_SGA, 1);
+			} else if (lmodetype == NO_AUTOKLUDGE) {
+				lmodetype = KLUDGE_OK;
+			}
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			/*
+			 * We never respond to a WILL TM, and
+			 * we leave the state WONT.
+			 */
+			return;
+
+		case TELOPT_LFLOW:
+			/*
+			 * If we are going to support flow control
+			 * option, then don't worry peer that we can't
+			 * change the flow control characters.
+			 */
+			slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+			slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+		case TELOPT_TTYPE:
+		case TELOPT_SGA:
+		case TELOPT_NAWS:
+		case TELOPT_TSPEED:
+		case TELOPT_XDISPLOC:
+		case TELOPT_NEW_ENVIRON:
+		case TELOPT_OLD_ENVIRON:
+			changeok++;
+			break;
+
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * Note client's desire to use linemode.
+			 */
+			lmodetype = REAL_LINEMODE;
+# endif	/* KLUDGELINEMODE */
+			func = doclientstat;
+			changeok++;
+			break;
+#endif	/* LINEMODE */
+
+#ifdef	AUTHENTICATION
+		case TELOPT_AUTHENTICATION:
+			func = auth_request;
+			changeok++;
+			break;
+#endif
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			func = encrypt_send_support;
+			changeok++;
+			break;
+#endif	/* ENCRYPTION */
+
+		default:
+			break;
+		}
+		if (changeok) {
+			set_his_want_state_will(option);
+			send_do(option, 0);
+		} else {
+			do_dont_resp[option]++;
+			send_dont(option, 0);
+		}
+	    } else {
+		/*
+		 * Option processing that should happen when
+		 * we receive conformation of a change in
+		 * state that we had requested.
+		 */
+		switch (option) {
+		case TELOPT_ECHO:
+			not42 = 0;	/* looks like a 4.2 system */
+			/*
+			 * Egads, he responded "WILL ECHO".  Turn
+			 * it off right now!
+			 */
+			send_dont(option, 1);
+			/*
+			 * "WILL ECHO".  Kludge upon kludge!
+			 * A 4.2 client is now echoing user input at
+			 * the tty.  This is probably undesireable and
+			 * it should be stopped.  The client will
+			 * respond WONT TM to the DO TM that we send to
+			 * check for kludge linemode.  When the WONT TM
+			 * arrives, linemode will be turned off and a
+			 * change propogated to the pty.  This change
+			 * will cause us to process the new pty state
+			 * in localstat(), which will notice that
+			 * linemode is off and send a WILL ECHO
+			 * so that we are properly in character mode and
+			 * all is well.
+			 */
+			break;
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * Note client's desire to use linemode.
+			 */
+			lmodetype = REAL_LINEMODE;
+# endif	/* KLUDGELINEMODE */
+			func = doclientstat;
+			break;
+#endif	/* LINEMODE */
+
+#ifdef	AUTHENTICATION
+		case TELOPT_AUTHENTICATION:
+			func = auth_request;
+			break;
+#endif
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			func = encrypt_send_support;
+			break;
+#endif	/* ENCRYPTION */
+		case TELOPT_LFLOW:
+			func = flowstat;
+			break;
+		}
+	    }
+	}
+	set_his_state_will(option);
+	if (func)
+		(*func)();
+}  /* end of willoption */
+
+	void
+send_dont(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+		    his_want_state_is_wont(option))
+			return;
+		set_his_want_state_wont(option);
+		do_dont_resp[option]++;
+	}
+	(void) sprintf(nfrontp, (char *)dont, option);
+	nfrontp += sizeof (doopt) - 2;
+
+	DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+	void
+wontoption(option)
+	int option;
+{
+	/*
+	 * Process client input.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+
+	if (do_dont_resp[option]) {
+		do_dont_resp[option]--;
+		if (do_dont_resp[option] && his_state_is_wont(option))
+			do_dont_resp[option]--;
+	}
+	if (do_dont_resp[option] == 0) {
+	    if (his_want_state_is_will(option)) {
+		/* it is always ok to change to negative state */
+		switch (option) {
+		case TELOPT_ECHO:
+			not42 = 1; /* doesn't seem to be a 4.2 system */
+			break;
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryin(0);
+			set_termbuf();
+			break;
+
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * If real linemode is supported, then client is
+			 * asking to turn linemode off.
+			 */
+			if (lmodetype != REAL_LINEMODE)
+				break;
+# endif	/* KLUDGELINEMODE */
+			clientstat(TELOPT_LINEMODE, WONT, 0);
+			break;
+#endif	/* LINEMODE */
+
+		case TELOPT_TM:
+			/*
+			 * If we get a WONT TM, and had sent a DO TM,
+			 * don't respond with a DONT TM, just leave it
+			 * as is.  Short circut the state machine to
+			 * achive this.
+			 */
+			set_his_want_state_wont(TELOPT_TM);
+			return;
+
+		case TELOPT_LFLOW:
+			/*
+			 * If we are not going to support flow control
+			 * option, then let peer know that we can't
+			 * change the flow control characters.
+			 */
+			slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+			slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+			break;
+
+#if	defined(AUTHENTICATION)
+		case TELOPT_AUTHENTICATION:
+			auth_finished(0, AUTH_REJECT);
+			break;
+#endif
+
+		/*
+		 * For options that we might spin waiting for
+		 * sub-negotiation, if the client turns off the
+		 * option rather than responding to the request,
+		 * we have to treat it here as if we got a response
+		 * to the sub-negotiation, (by updating the timers)
+		 * so that we'll break out of the loop.
+		 */
+		case TELOPT_TTYPE:
+			settimer(ttypesubopt);
+			break;
+
+		case TELOPT_TSPEED:
+			settimer(tspeedsubopt);
+			break;
+
+		case TELOPT_XDISPLOC:
+			settimer(xdisplocsubopt);
+			break;
+
+		case TELOPT_OLD_ENVIRON:
+			settimer(oenvironsubopt);
+			break;
+
+		case TELOPT_NEW_ENVIRON:
+			settimer(environsubopt);
+			break;
+
+		default:
+			break;
+		}
+		set_his_want_state_wont(option);
+		if (his_state_is_will(option))
+			send_dont(option, 0);
+	    } else {
+		switch (option) {
+		case TELOPT_TM:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			if (lmodetype < NO_AUTOKLUDGE) {
+				lmodetype = NO_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WONT, 0);
+				send_will(TELOPT_SGA, 1);
+				send_will(TELOPT_ECHO, 1);
+			}
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			break;
+
+#if	defined(AUTHENTICATION)
+		case TELOPT_AUTHENTICATION:
+			auth_finished(0, AUTH_REJECT);
+			break;
+#endif
+		default:
+			break;
+		}
+	    }
+	}
+	set_his_state_wont(option);
+
+}  /* end of wontoption */
+
+	void
+send_will(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+		    my_want_state_is_will(option))
+			return;
+		set_my_want_state_will(option);
+		will_wont_resp[option]++;
+	}
+	(void) sprintf(nfrontp, (char *)will, option);
+	nfrontp += sizeof (doopt) - 2;
+
+	DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+#if	!defined(LINEMODE) || !defined(KLUDGELINEMODE)
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+#endif
+
+	void
+dooption(option)
+	int option;
+{
+	int changeok = 0;
+
+	/*
+	 * Process client input.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv do", option));
+
+	if (will_wont_resp[option]) {
+		will_wont_resp[option]--;
+		if (will_wont_resp[option] && my_state_is_will(option))
+			will_wont_resp[option]--;
+	}
+	if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+		switch (option) {
+		case TELOPT_ECHO:
+#ifdef	LINEMODE
+# ifdef	KLUDGELINEMODE
+			if (lmodetype == NO_LINEMODE)
+# else
+			if (his_state_is_wont(TELOPT_LINEMODE))
+# endif
+#endif
+			{
+				init_termbuf();
+				tty_setecho(1);
+				set_termbuf();
+			}
+			changeok++;
+			break;
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryout(1);
+			set_termbuf();
+			changeok++;
+			break;
+
+		case TELOPT_SGA:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * If kludge linemode is in use, then we must
+			 * process an incoming do SGA for linemode
+			 * purposes.
+			 */
+			if (lmodetype == KLUDGE_LINEMODE) {
+				/*
+				 * Receipt of "do SGA" in kludge
+				 * linemode is the peer asking us to
+				 * turn off linemode.  Make note of
+				 * the request.
+				 */
+				clientstat(TELOPT_LINEMODE, WONT, 0);
+				/*
+				 * If linemode did not get turned off
+				 * then don't tell peer that we did.
+				 * Breaking here forces a wont SGA to
+				 * be returned.
+				 */
+				if (linemode)
+					break;
+			}
+#else
+			turn_on_sga = 0;
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			changeok++;
+			break;
+
+		case TELOPT_STATUS:
+			changeok++;
+			break;
+
+		case TELOPT_TM:
+			/*
+			 * Special case for TM.  We send a WILL, but
+			 * pretend we sent a WONT.
+			 */
+			send_will(option, 0);
+			set_my_want_state_wont(option);
+			set_my_state_wont(option);
+			return;
+
+		case TELOPT_LOGOUT:
+			/*
+			 * When we get a LOGOUT option, respond
+			 * with a WILL LOGOUT, make sure that
+			 * it gets written out to the network,
+			 * and then just go away...
+			 */
+			set_my_want_state_will(TELOPT_LOGOUT);
+			send_will(TELOPT_LOGOUT, 0);
+			set_my_state_will(TELOPT_LOGOUT);
+			(void)netflush();
+			cleanup(0);
+			/* NOT REACHED */
+			break;
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			changeok++;
+			break;
+#endif	/* ENCRYPTION */
+		case TELOPT_LINEMODE:
+		case TELOPT_TTYPE:
+		case TELOPT_NAWS:
+		case TELOPT_TSPEED:
+		case TELOPT_LFLOW:
+		case TELOPT_XDISPLOC:
+#ifdef	TELOPT_ENVIRON
+		case TELOPT_NEW_ENVIRON:
+#endif
+		case TELOPT_OLD_ENVIRON:
+		default:
+			break;
+		}
+		if (changeok) {
+			set_my_want_state_will(option);
+			send_will(option, 0);
+		} else {
+			will_wont_resp[option]++;
+			send_wont(option, 0);
+		}
+	}
+	set_my_state_will(option);
+
+}  /* end of dooption */
+
+	void
+send_wont(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+		    my_want_state_is_wont(option))
+			return;
+		set_my_want_state_wont(option);
+		will_wont_resp[option]++;
+	}
+	(void) sprintf(nfrontp, (char *)wont, option);
+	nfrontp += sizeof (wont) - 2;
+
+	DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+	void
+dontoption(option)
+	int option;
+{
+	/*
+	 * Process client input.
+	 */
+
+
+	DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+	if (will_wont_resp[option]) {
+		will_wont_resp[option]--;
+		if (will_wont_resp[option] && my_state_is_wont(option))
+			will_wont_resp[option]--;
+	}
+	if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+		switch (option) {
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryout(0);
+			set_termbuf();
+			break;
+
+		case TELOPT_ECHO:	/* we should stop echoing */
+#ifdef	LINEMODE
+# ifdef	KLUDGELINEMODE
+			if ((lmodetype != REAL_LINEMODE) &&
+			    (lmodetype != KLUDGE_LINEMODE))
+# else
+			if (his_state_is_wont(TELOPT_LINEMODE))
+# endif
+#endif
+			{
+				init_termbuf();
+				tty_setecho(0);
+				set_termbuf();
+			}
+			break;
+
+		case TELOPT_SGA:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * If kludge linemode is in use, then we
+			 * must process an incoming do SGA for
+			 * linemode purposes.
+			 */
+			if ((lmodetype == KLUDGE_LINEMODE) ||
+			    (lmodetype == KLUDGE_OK)) {
+				/*
+				 * The client is asking us to turn
+				 * linemode on.
+				 */
+				lmodetype = KLUDGE_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WILL, 0);
+				/*
+				 * If we did not turn line mode on,
+				 * then what do we say?  Will SGA?
+				 * This violates design of telnet.
+				 * Gross.  Very Gross.
+				 */
+			}
+			break;
+#else
+			set_my_want_state_wont(option);
+			if (my_state_is_will(option))
+				send_wont(option, 0);
+			set_my_state_wont(option);
+			if (turn_on_sga ^= 1)
+				send_will(option, 1);
+			return;
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+		default:
+			break;
+		}
+
+		set_my_want_state_wont(option);
+		if (my_state_is_will(option))
+			send_wont(option, 0);
+	}
+	set_my_state_wont(option);
+
+}  /* end of dontoption */
+
+#ifdef	ENV_HACK
+int env_ovar = -1;
+int env_ovalue = -1;
+#else	/* ENV_HACK */
+# define env_ovar OLD_ENV_VAR
+# define env_ovalue OLD_ENV_VALUE
+#endif	/* ENV_HACK */
+
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *	Terminal type is
+ *	Linemode
+ *	Window size
+ *	Terminal speed
+ */
+	void
+suboption()
+{
+    register int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+    case TELOPT_TSPEED: {
+	register int xspeed, rspeed;
+
+	if (his_state_is_wont(TELOPT_TSPEED))	/* Ignore if option disabled */
+		break;
+
+	settimer(tspeedsubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+		return;
+
+	xspeed = atoi((char *)subpointer);
+
+	while (SB_GET() != ',' && !SB_EOF());
+	if (SB_EOF())
+		return;
+
+	rspeed = atoi((char *)subpointer);
+	clientstat(TELOPT_TSPEED, xspeed, rspeed);
+
+	break;
+
+    }  /* end of case TELOPT_TSPEED */
+
+    case TELOPT_TTYPE: {		/* Yaaaay! */
+	static char terminalname[41];
+
+	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
+		break;
+	settimer(ttypesubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+	    return;		/* ??? XXX but, this is the most robust */
+	}
+
+	terminaltype = terminalname;
+
+	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+								    !SB_EOF()) {
+	    register int c;
+
+	    c = SB_GET();
+	    if (isupper(c)) {
+		c = tolower(c);
+	    }
+	    *terminaltype++ = c;    /* accumulate name */
+	}
+	*terminaltype = 0;
+	terminaltype = terminalname;
+	break;
+    }  /* end of case TELOPT_TTYPE */
+
+    case TELOPT_NAWS: {
+	register int xwinsize, ywinsize;
+
+	if (his_state_is_wont(TELOPT_NAWS))	/* Ignore if option disabled */
+		break;
+
+	if (SB_EOF())
+		return;
+	xwinsize = SB_GET() << 8;
+	if (SB_EOF())
+		return;
+	xwinsize |= SB_GET();
+	if (SB_EOF())
+		return;
+	ywinsize = SB_GET() << 8;
+	if (SB_EOF())
+		return;
+	ywinsize |= SB_GET();
+	clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+
+	break;
+
+    }  /* end of case TELOPT_NAWS */
+
+#ifdef	LINEMODE
+    case TELOPT_LINEMODE: {
+	register int request;
+
+	if (his_state_is_wont(TELOPT_LINEMODE))	/* Ignore if option disabled */
+		break;
+	/*
+	 * Process linemode suboptions.
+	 */
+	if (SB_EOF())
+	    break;		/* garbage was sent */
+	request = SB_GET();	/* get will/wont */
+
+	if (SB_EOF())
+	    break;		/* another garbage check */
+
+	if (request == LM_SLC) {  /* SLC is not preceeded by WILL or WONT */
+		/*
+		 * Process suboption buffer of slc's
+		 */
+		start_slc(1);
+		do_opt_slc(subpointer, subend - subpointer);
+		(void) end_slc(0);
+		break;
+	} else if (request == LM_MODE) {
+		if (SB_EOF())
+		    return;
+		useeditmode = SB_GET();  /* get mode flag */
+		clientstat(LM_MODE, 0, 0);
+		break;
+	}
+
+	if (SB_EOF())
+	    break;
+	switch (SB_GET()) {  /* what suboption? */
+	case LM_FORWARDMASK:
+		/*
+		 * According to spec, only server can send request for
+		 * forwardmask, and client can only return a positive response.
+		 * So don't worry about it.
+		 */
+
+	default:
+		break;
+	}
+	break;
+    }  /* end of case TELOPT_LINEMODE */
+#endif
+    case TELOPT_STATUS: {
+	int mode;
+
+	if (SB_EOF())
+	    break;
+	mode = SB_GET();
+	switch (mode) {
+	case TELQUAL_SEND:
+	    if (my_state_is_will(TELOPT_STATUS))
+		send_status();
+	    break;
+
+	case TELQUAL_IS:
+	    break;
+
+	default:
+	    break;
+	}
+	break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+		return;
+	settimer(xdisplocsubopt);
+	subpointer[SB_LEN()] = '\0';
+	(void)setenv("DISPLAY", (char *)subpointer, 1);
+	break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+#ifdef	TELOPT_NEW_ENVIRON
+    case TELOPT_NEW_ENVIRON:
+#endif
+    case TELOPT_OLD_ENVIRON: {
+	register int c;
+	register char *cp, *varp, *valp;
+
+	if (SB_EOF())
+		return;
+	c = SB_GET();
+	if (c == TELQUAL_IS) {
+		if (subchar == TELOPT_OLD_ENVIRON)
+			settimer(oenvironsubopt);
+		else
+			settimer(environsubopt);
+	} else if (c != TELQUAL_INFO) {
+		return;
+	}
+
+#ifdef	TELOPT_NEW_ENVIRON
+	if (subchar == TELOPT_NEW_ENVIRON) {
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
+			break;
+	    }
+	} else
+#endif
+	{
+#ifdef	ENV_HACK
+	    /*
+	     * We only want to do this if we haven't already decided
+	     * whether or not the other side has its VALUE and VAR
+	     * reversed.
+	     */
+	    if (env_ovar < 0) {
+		register int last = -1;		/* invalid value */
+		int empty = 0;
+		int got_var = 0, got_value = 0, got_uservar = 0;
+
+		/*
+		 * The other side might have its VALUE and VAR values
+		 * reversed.  To be interoperable, we need to determine
+		 * which way it is.  If the first recognized character
+		 * is a VAR or VALUE, then that will tell us what
+		 * type of client it is.  If the fist recognized
+		 * character is a USERVAR, then we continue scanning
+		 * the suboption looking for two consecutive
+		 * VAR or VALUE fields.  We should not get two
+		 * consecutive VALUE fields, so finding two
+		 * consecutive VALUE or VAR fields will tell us
+		 * what the client is.
+		 */
+		SB_SAVE();
+		while (!SB_EOF()) {
+			c = SB_GET();
+			switch(c) {
+			case OLD_ENV_VAR:
+				if (last < 0 || last == OLD_ENV_VAR
+				    || (empty && (last == OLD_ENV_VALUE)))
+					goto env_ovar_ok;
+				got_var++;
+				last = OLD_ENV_VAR;
+				break;
+			case OLD_ENV_VALUE:
+				if (last < 0 || last == OLD_ENV_VALUE
+				    || (empty && (last == OLD_ENV_VAR)))
+					goto env_ovar_wrong;
+				got_value++;
+				last = OLD_ENV_VALUE;
+				break;
+			case ENV_USERVAR:
+				/* count strings of USERVAR as one */
+				if (last != ENV_USERVAR)
+					got_uservar++;
+				if (empty) {
+					if (last == OLD_ENV_VALUE)
+						goto env_ovar_ok;
+					if (last == OLD_ENV_VAR)
+						goto env_ovar_wrong;
+				}
+				last = ENV_USERVAR;
+				break;
+			case ENV_ESC:
+				if (!SB_EOF())
+					c = SB_GET();
+				/* FALL THROUGH */
+			default:
+				empty = 0;
+				continue;
+			}
+			empty = 1;
+		}
+		if (empty) {
+			if (last == OLD_ENV_VALUE)
+				goto env_ovar_ok;
+			if (last == OLD_ENV_VAR)
+				goto env_ovar_wrong;
+		}
+		/*
+		 * Ok, the first thing was a USERVAR, and there
+		 * are not two consecutive VAR or VALUE commands,
+		 * and none of the VAR or VALUE commands are empty.
+		 * If the client has sent us a well-formed option,
+		 * then the number of VALUEs received should always
+		 * be less than or equal to the number of VARs and
+		 * USERVARs received.
+		 *
+		 * If we got exactly as many VALUEs as VARs and
+		 * USERVARs, the client has the same definitions.
+		 *
+		 * If we got exactly as many VARs as VALUEs and
+		 * USERVARS, the client has reversed definitions.
+		 */
+		if (got_uservar + got_var == got_value) {
+	    env_ovar_ok:
+			env_ovar = OLD_ENV_VAR;
+			env_ovalue = OLD_ENV_VALUE;
+		} else if (got_uservar + got_value == got_var) {
+	    env_ovar_wrong:
+			env_ovar = OLD_ENV_VALUE;
+			env_ovalue = OLD_ENV_VAR;
+			DIAG(TD_OPTIONS, {sprintf(nfrontp,
+				"ENVIRON VALUE and VAR are reversed!\r\n");
+				nfrontp += strlen(nfrontp);});
+
+		}
+	    }
+	    SB_RESTORE();
+#endif
+
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == env_ovar) || (c == ENV_USERVAR))
+			break;
+	    }
+	}
+
+	if (SB_EOF())
+		return;
+
+	cp = varp = (char *)subpointer;
+	valp = 0;
+
+	while (!SB_EOF()) {
+		c = SB_GET();
+		if (subchar == TELOPT_OLD_ENVIRON) {
+			if (c == env_ovar)
+				c = NEW_ENV_VAR;
+			else if (c == env_ovalue)
+				c = NEW_ENV_VALUE;
+		}
+		switch (c) {
+
+		case NEW_ENV_VALUE:
+			*cp = '\0';
+			cp = valp = (char *)subpointer;
+			break;
+
+		case NEW_ENV_VAR:
+		case ENV_USERVAR:
+			*cp = '\0';
+			if (valp)
+				(void)setenv(varp, valp, 1);
+			else
+				unsetenv(varp);
+			cp = varp = (char *)subpointer;
+			valp = 0;
+			break;
+
+		case ENV_ESC:
+			if (SB_EOF())
+				break;
+			c = SB_GET();
+			/* FALL THROUGH */
+		default:
+			*cp++ = c;
+			break;
+		}
+	}
+	*cp = '\0';
+	if (valp)
+		(void)setenv(varp, valp, 1);
+	else
+		unsetenv(varp);
+	break;
+    }  /* end of case TELOPT_NEW_ENVIRON */
+#if	defined(AUTHENTICATION)
+    case TELOPT_AUTHENTICATION:
+	if (SB_EOF())
+		break;
+	switch(SB_GET()) {
+	case TELQUAL_SEND:
+	case TELQUAL_REPLY:
+		/*
+		 * These are sent by us and cannot be sent by
+		 * the client.
+		 */
+		break;
+	case TELQUAL_IS:
+		auth_is(subpointer, SB_LEN());
+		break;
+	case TELQUAL_NAME:
+		auth_name(subpointer, SB_LEN());
+		break;
+	}
+	break;
+#endif
+#ifdef	ENCRYPTION
+    case TELOPT_ENCRYPT:
+	if (SB_EOF())
+		break;
+	switch(SB_GET()) {
+	case ENCRYPT_SUPPORT:
+		encrypt_support(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_IS:
+		encrypt_is(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_REPLY:
+		encrypt_reply(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_START:
+		encrypt_start(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_END:
+		encrypt_end();
+		break;
+	case ENCRYPT_REQSTART:
+		encrypt_request_start(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_REQEND:
+		/*
+		 * We can always send an REQEND so that we cannot
+		 * get stuck encrypting.  We should only get this
+		 * if we have been able to get in the correct mode
+		 * anyhow.
+		 */
+		encrypt_request_end();
+		break;
+	case ENCRYPT_ENC_KEYID:
+		encrypt_enc_keyid(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_DEC_KEYID:
+		encrypt_dec_keyid(subpointer, SB_LEN());
+		break;
+	default:
+		break;
+	}
+	break;
+#endif	/* ENCRYPTION */
+
+    default:
+	break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+	void
+doclientstat()
+{
+	clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+
+#define	ADD(c)	 *ncp++ = c
+#define	ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; }
+	void
+send_status()
+{
+	unsigned char statusbuf[256];
+	register unsigned char *ncp;
+	register unsigned char i;
+
+	ncp = statusbuf;
+
+	netflush();	/* get rid of anything waiting to go out */
+
+	ADD(IAC);
+	ADD(SB);
+	ADD(TELOPT_STATUS);
+	ADD(TELQUAL_IS);
+
+	/*
+	 * We check the want_state rather than the current state,
+	 * because if we received a DO/WILL for an option that we
+	 * don't support, and the other side didn't send a DONT/WONT
+	 * in response to our WONT/DONT, then the "state" will be
+	 * WILL/DO, and the "want_state" will be WONT/DONT.  We
+	 * need to go by the latter.
+	 */
+	for (i = 0; i < (unsigned char)NTELOPTS; i++) {
+		if (my_want_state_is_will(i)) {
+			ADD(WILL);
+			ADD_DATA(i);
+		}
+		if (his_want_state_is_will(i)) {
+			ADD(DO);
+			ADD_DATA(i);
+		}
+	}
+
+	if (his_want_state_is_will(TELOPT_LFLOW)) {
+		ADD(SB);
+		ADD(TELOPT_LFLOW);
+		if (flowmode) {
+			ADD(LFLOW_ON);
+		} else {
+			ADD(LFLOW_OFF);
+		}
+		ADD(SE);
+
+		if (restartany >= 0) {
+			ADD(SB);
+			ADD(TELOPT_LFLOW);
+			if (restartany) {
+				ADD(LFLOW_RESTART_ANY);
+			} else {
+				ADD(LFLOW_RESTART_XON);
+			}
+			ADD(SE);
+		}
+	}
+
+#ifdef	LINEMODE
+	if (his_want_state_is_will(TELOPT_LINEMODE)) {
+		unsigned char *cp, *cpe;
+		int len;
+
+		ADD(SB);
+		ADD(TELOPT_LINEMODE);
+		ADD(LM_MODE);
+		ADD_DATA(editmode);
+		ADD(SE);
+
+		ADD(SB);
+		ADD(TELOPT_LINEMODE);
+		ADD(LM_SLC);
+		start_slc(0);
+		send_slc();
+		len = end_slc(&cp);
+		for (cpe = cp + len; cp < cpe; cp++)
+			ADD_DATA(*cp);
+		ADD(SE);
+	}
+#endif	/* LINEMODE */
+
+	ADD(IAC);
+	ADD(SE);
+
+	writenet(statusbuf, ncp - statusbuf);
+	netflush();	/* Send it on its way */
+
+	DIAG(TD_OPTIONS,
+		{printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
diff --git a/crypto/telnet/telnetd/sys_term.c b/crypto/telnet/telnetd/sys_term.c
new file mode 100644
index 0000000..235e409
--- /dev/null
+++ b/crypto/telnet/telnetd/sys_term.c
@@ -0,0 +1,2333 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)sys_term.c	8.4+1 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+
+extern char *altlogin;
+int cleanopen(char *line);
+void scrub_env(void);
+
+#if defined(CRAY) || defined(__hpux)
+# define PARENT_DOES_UTMP
+#endif
+
+#ifdef	NEWINIT
+#include <initreq.h>
+#else	/* NEWINIT*/
+# ifdef	UTMPX
+# include <utmpx.h>
+struct	utmpx wtmp;
+# else
+# include <utmp.h>
+struct	utmp wtmp;
+# endif /* UTMPX */
+
+# ifndef PARENT_DOES_UTMP
+#ifdef _PATH_WTMP
+char    wtmpf[] = _PATH_WTMP;
+#else
+char	wtmpf[]	= "/usr/adm/wtmp";
+#endif
+#ifdef _PATH_UTMP
+char    utmpf[] = _PATH_UTMP;
+#else
+char	utmpf[] = "/etc/utmp";
+#endif
+# else /* PARENT_DOES_UTMP */
+char	wtmpf[]	= "/etc/wtmp";
+# endif /* PARENT_DOES_UTMP */
+
+#include <libutil.h>
+
+# ifdef CRAY
+#include <tmpdir.h>
+#include <sys/wait.h>
+#  if (UNICOS_LVL == '7.0') || (UNICOS_LVL == '7.1')
+#   define UNICOS7x
+#  endif
+
+#  ifdef UNICOS7x
+#include <sys/sysv.h>
+#include <sys/secstat.h>
+extern int secflag;
+extern struct sysv sysv;
+#  endif /* UNICOS7x */
+# endif	/* CRAY */
+#endif	/* NEWINIT */
+
+#ifdef	STREAMSPTY
+#include <sac.h>
+#include <sys/stropts.h>
+#endif
+
+#define SCPYN(a, b)	(void) strncpy(a, b, sizeof(a))
+#define SCMPN(a, b)	strncmp(a, b, sizeof(a))
+
+#ifdef	STREAMS
+#include <sys/stream.h>
+#endif
+#ifdef __hpux
+#include <sys/resource.h>
+#include <sys/proc.h>
+#endif
+#include <sys/tty.h>
+#ifdef	t_erase
+#undef	t_erase
+#undef	t_kill
+#undef	t_intrc
+#undef	t_quitc
+#undef	t_startc
+#undef	t_stopc
+#undef	t_eofc
+#undef	t_brkc
+#undef	t_suspc
+#undef	t_dsuspc
+#undef	t_rprntc
+#undef	t_flushc
+#undef	t_werasc
+#undef	t_lnextc
+#endif
+
+#if defined(UNICOS5) && defined(CRAY2) && !defined(EXTPROC)
+# define EXTPROC 0400
+#endif
+
+#ifndef	USE_TERMIO
+struct termbuf {
+	struct sgttyb sg;
+	struct tchars tc;
+	struct ltchars ltc;
+	int state;
+	int lflags;
+} termbuf, termbuf2;
+# define	cfsetospeed(tp, val)	(tp)->sg.sg_ospeed = (val)
+# define	cfsetispeed(tp, val)	(tp)->sg.sg_ispeed = (val)
+# define	cfgetospeed(tp)		(tp)->sg.sg_ospeed
+# define	cfgetispeed(tp)		(tp)->sg.sg_ispeed
+#else	/* USE_TERMIO */
+# ifdef	SYSV_TERMIO
+#	define termios termio
+# endif
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t)	ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t)	ioctl(f, a, t)
+#  define	cfsetospeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+					(tp)->c_cflag |= (val)
+#  define	cfgetospeed(tp)		((tp)->c_cflag & CBAUD)
+#  ifdef CIBAUD
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CIBAUD; \
+					(tp)->c_cflag |= ((val)<<IBSHIFT)
+#   define	cfgetispeed(tp)		(((tp)->c_cflag & CIBAUD)>>IBSHIFT)
+#  else
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+					(tp)->c_cflag |= (val)
+#   define	cfgetispeed(tp)		((tp)->c_cflag & CBAUD)
+#  endif
+# endif /* TCSANOW */
+struct termios termbuf, termbuf2;	/* pty control structure */
+# ifdef  STREAMSPTY
+int ttyfd = -1;
+# endif
+#endif	/* USE_TERMIO */
+
+#include <sys/types.h>
+#include <libutil.h>
+
+int cleanopen __P((char *));
+void scrub_env __P((void));
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+	void
+init_termbuf()
+{
+#ifndef	USE_TERMIO
+	(void) ioctl(pty, TIOCGETP, (char *)&termbuf.sg);
+	(void) ioctl(pty, TIOCGETC, (char *)&termbuf.tc);
+	(void) ioctl(pty, TIOCGLTC, (char *)&termbuf.ltc);
+# ifdef	TIOCGSTATE
+	(void) ioctl(pty, TIOCGSTATE, (char *)&termbuf.state);
+# endif
+#else
+# ifdef  STREAMSPTY
+	(void) tcgetattr(ttyfd, &termbuf);
+# else
+	(void) tcgetattr(pty, &termbuf);
+# endif
+#endif
+	termbuf2 = termbuf;
+}
+
+#if	defined(LINEMODE) && defined(TIOCPKT_IOCTL)
+	void
+copy_termbuf(cp, len)
+	char *cp;
+	int len;
+{
+	if (len > sizeof(termbuf))
+		len = sizeof(termbuf);
+	memmove((char *)&termbuf, cp, len);
+	termbuf2 = termbuf;
+}
+#endif	/* defined(LINEMODE) && defined(TIOCPKT_IOCTL) */
+
+	void
+set_termbuf()
+{
+	/*
+	 * Only make the necessary changes.
+	 */
+#ifndef	USE_TERMIO
+	if (memcmp((char *)&termbuf.sg, (char *)&termbuf2.sg,
+							sizeof(termbuf.sg)))
+		(void) ioctl(pty, TIOCSETN, (char *)&termbuf.sg);
+	if (memcmp((char *)&termbuf.tc, (char *)&termbuf2.tc,
+							sizeof(termbuf.tc)))
+		(void) ioctl(pty, TIOCSETC, (char *)&termbuf.tc);
+	if (memcmp((char *)&termbuf.ltc, (char *)&termbuf2.ltc,
+							sizeof(termbuf.ltc)))
+		(void) ioctl(pty, TIOCSLTC, (char *)&termbuf.ltc);
+	if (termbuf.lflags != termbuf2.lflags)
+		(void) ioctl(pty, TIOCLSET, (char *)&termbuf.lflags);
+#else	/* USE_TERMIO */
+	if (memcmp((char *)&termbuf, (char *)&termbuf2, sizeof(termbuf)))
+# ifdef  STREAMSPTY
+		(void) tcsetattr(ttyfd, TCSANOW, &termbuf);
+# else
+		(void) tcsetattr(pty, TCSANOW, &termbuf);
+# endif
+# if	defined(CRAY2) && defined(UNICOS5)
+	needtermstat = 1;
+# endif
+#endif	/* USE_TERMIO */
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+#ifndef	USE_TERMIO
+	int
+spcset(func, valp, valpp)
+	int func;
+	cc_t *valp;
+	cc_t **valpp;
+{
+	switch(func) {
+	case SLC_EOF:
+		*valp = termbuf.tc.t_eofc;
+		*valpp = (cc_t *)&termbuf.tc.t_eofc;
+		return(SLC_VARIABLE);
+	case SLC_EC:
+		*valp = termbuf.sg.sg_erase;
+		*valpp = (cc_t *)&termbuf.sg.sg_erase;
+		return(SLC_VARIABLE);
+	case SLC_EL:
+		*valp = termbuf.sg.sg_kill;
+		*valpp = (cc_t *)&termbuf.sg.sg_kill;
+		return(SLC_VARIABLE);
+	case SLC_IP:
+		*valp = termbuf.tc.t_intrc;
+		*valpp = (cc_t *)&termbuf.tc.t_intrc;
+		return(SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_ABORT:
+		*valp = termbuf.tc.t_quitc;
+		*valpp = (cc_t *)&termbuf.tc.t_quitc;
+		return(SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_XON:
+		*valp = termbuf.tc.t_startc;
+		*valpp = (cc_t *)&termbuf.tc.t_startc;
+		return(SLC_VARIABLE);
+	case SLC_XOFF:
+		*valp = termbuf.tc.t_stopc;
+		*valpp = (cc_t *)&termbuf.tc.t_stopc;
+		return(SLC_VARIABLE);
+	case SLC_AO:
+		*valp = termbuf.ltc.t_flushc;
+		*valpp = (cc_t *)&termbuf.ltc.t_flushc;
+		return(SLC_VARIABLE);
+	case SLC_SUSP:
+		*valp = termbuf.ltc.t_suspc;
+		*valpp = (cc_t *)&termbuf.ltc.t_suspc;
+		return(SLC_VARIABLE);
+	case SLC_EW:
+		*valp = termbuf.ltc.t_werasc;
+		*valpp = (cc_t *)&termbuf.ltc.t_werasc;
+		return(SLC_VARIABLE);
+	case SLC_RP:
+		*valp = termbuf.ltc.t_rprntc;
+		*valpp = (cc_t *)&termbuf.ltc.t_rprntc;
+		return(SLC_VARIABLE);
+	case SLC_LNEXT:
+		*valp = termbuf.ltc.t_lnextc;
+		*valpp = (cc_t *)&termbuf.ltc.t_lnextc;
+		return(SLC_VARIABLE);
+	case SLC_FORW1:
+		*valp = termbuf.tc.t_brkc;
+		*valpp = (cc_t *)&termbuf.ltc.t_lnextc;
+		return(SLC_VARIABLE);
+	case SLC_BRK:
+	case SLC_SYNCH:
+	case SLC_AYT:
+	case SLC_EOR:
+		*valp = (cc_t)0;
+		*valpp = (cc_t *)0;
+		return(SLC_DEFAULT);
+	default:
+		*valp = (cc_t)0;
+		*valpp = (cc_t *)0;
+		return(SLC_NOSUPPORT);
+	}
+}
+
+#else	/* USE_TERMIO */
+
+	int
+spcset(func, valp, valpp)
+	int func;
+	cc_t *valp;
+	cc_t **valpp;
+{
+
+#define	setval(a, b)	*valp = termbuf.c_cc[a]; \
+			*valpp = &termbuf.c_cc[a]; \
+			return(b);
+#define	defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+	switch(func) {
+	case SLC_EOF:
+		setval(VEOF, SLC_VARIABLE);
+	case SLC_EC:
+		setval(VERASE, SLC_VARIABLE);
+	case SLC_EL:
+		setval(VKILL, SLC_VARIABLE);
+	case SLC_IP:
+		setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_ABORT:
+		setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_XON:
+#ifdef	VSTART
+		setval(VSTART, SLC_VARIABLE);
+#else
+		defval(0x13);
+#endif
+	case SLC_XOFF:
+#ifdef	VSTOP
+		setval(VSTOP, SLC_VARIABLE);
+#else
+		defval(0x11);
+#endif
+	case SLC_EW:
+#ifdef	VWERASE
+		setval(VWERASE, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_RP:
+#ifdef	VREPRINT
+		setval(VREPRINT, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_LNEXT:
+#ifdef	VLNEXT
+		setval(VLNEXT, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_AO:
+#if	!defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef	VDISCARD
+		setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+		defval(0);
+#endif
+	case SLC_SUSP:
+#ifdef	VSUSP
+		setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+		defval(0);
+#endif
+#ifdef	VEOL
+	case SLC_FORW1:
+		setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef	VEOL2
+	case SLC_FORW2:
+		setval(VEOL2, SLC_VARIABLE);
+#endif
+	case SLC_AYT:
+#ifdef	VSTATUS
+		setval(VSTATUS, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+
+	case SLC_BRK:
+	case SLC_SYNCH:
+	case SLC_EOR:
+		defval(0);
+
+	default:
+		*valp = 0;
+		*valpp = 0;
+		return(SLC_NOSUPPORT);
+	}
+}
+#endif	/* USE_TERMIO */
+
+#ifdef CRAY
+/*
+ * getnpty()
+ *
+ * Return the number of pty's configured into the system.
+ */
+	int
+getnpty()
+{
+#ifdef _SC_CRAY_NPTY
+	int numptys;
+
+	if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1)
+		return numptys;
+	else
+#endif /* _SC_CRAY_NPTY */
+		return 128;
+}
+#endif /* CRAY */
+
+#ifndef	convex
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+#ifndef	__GNUC__
+char *line = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#else
+static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = Xline;
+#endif
+#ifdef	CRAY
+char *myline = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#endif	/* CRAY */
+
+	int
+getpty(ptynum)
+int *ptynum;
+{
+	register int p;
+#ifdef	STREAMSPTY
+	int t;
+	char *ptsname();
+
+	p = open("/dev/ptmx", 2);
+	if (p > 0) {
+		grantpt(p);
+		unlockpt(p);
+		strcpy(line, ptsname(p));
+		return(p);
+	}
+
+#else	/* ! STREAMSPTY */
+#ifndef CRAY
+	register char *cp, *p1, *p2;
+	register int i;
+#if defined(sun) && defined(TIOCGPGRP) && BSD < 199207
+	int dummy;
+#endif
+
+#ifndef	__hpux
+	(void) strcpy(line, "/dev/ptyXX");
+	p1 = &line[8];
+	p2 = &line[9];
+#else
+	(void) strcpy(line, "/dev/ptym/ptyXX");
+	p1 = &line[13];
+	p2 = &line[14];
+#endif
+
+	for (cp = "pqrsPQRS"; *cp; cp++) {
+		struct stat stb;
+
+		*p1 = *cp;
+		*p2 = '0';
+		/*
+		 * This stat() check is just to keep us from
+		 * looping through all 256 combinations if there
+		 * aren't that many ptys available.
+		 */
+		if (stat(line, &stb) < 0)
+			break;
+		for (i = 0; i < 32; i++) {
+			*p2 = "0123456789abcdefghijklmnopqrstuv"[i];
+			p = open(line, 2);
+			if (p > 0) {
+#ifndef	__hpux
+				line[5] = 't';
+#else
+				for (p1 = &line[8]; *p1; p1++)
+					*p1 = *(p1+1);
+				line[9] = 't';
+#endif
+				chown(line, 0, 0);
+				chmod(line, 0600);
+#if defined(sun) && defined(TIOCGPGRP) && BSD < 199207
+				if (ioctl(p, TIOCGPGRP, &dummy) == 0
+				    || errno != EIO) {
+					chmod(line, 0666);
+					close(p);
+					line[5] = 'p';
+				} else
+#endif /* defined(sun) && defined(TIOCGPGRP) && BSD < 199207 */
+					return(p);
+			}
+		}
+	}
+#else	/* CRAY */
+	extern lowpty, highpty;
+	struct stat sb;
+
+	for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+		(void) sprintf(myline, "/dev/pty/%03d", *ptynum);
+		p = open(myline, 2);
+		if (p < 0)
+			continue;
+		(void) sprintf(line, "/dev/ttyp%03d", *ptynum);
+		/*
+		 * Here are some shenanigans to make sure that there
+		 * are no listeners lurking on the line.
+		 */
+		if(stat(line, &sb) < 0) {
+			(void) close(p);
+			continue;
+		}
+		if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+			chown(line, 0, 0);
+			chmod(line, 0600);
+			(void)close(p);
+			p = open(myline, 2);
+			if (p < 0)
+				continue;
+		}
+		/*
+		 * Now it should be safe...check for accessability.
+		 */
+		if (access(line, 6) == 0)
+			return(p);
+		else {
+			/* no tty side to pty so skip it */
+			(void) close(p);
+		}
+	}
+#endif	/* CRAY */
+#endif	/* STREAMSPTY */
+	return(-1);
+}
+#endif	/* convex */
+
+#ifdef	LINEMODE
+/*
+ * tty_flowmode()	Find out if flow control is enabled or disabled.
+ * tty_linemode()	Find out if linemode (external processing) is enabled.
+ * tty_setlinemod(on)	Turn on/off linemode.
+ * tty_isecho()		Find out if echoing is turned on.
+ * tty_setecho(on)	Enable/disable character echoing.
+ * tty_israw()		Find out if terminal is in RAW mode.
+ * tty_binaryin(on)	Turn on/off BINARY on input.
+ * tty_binaryout(on)	Turn on/off BINARY on output.
+ * tty_isediting()	Find out if line editing is enabled.
+ * tty_istrapsig()	Find out if signal trapping is enabled.
+ * tty_setedit(on)	Turn on/off line editing.
+ * tty_setsig(on)	Turn on/off signal trapping.
+ * tty_issofttab()	Find out if tab expansion is enabled.
+ * tty_setsofttab(on)	Turn on/off soft tab expansion.
+ * tty_islitecho()	Find out if typed control chars are echoed literally
+ * tty_setlitecho()	Turn on/off literal echo of control chars
+ * tty_tspeed(val)	Set transmit speed to val.
+ * tty_rspeed(val)	Set receive speed to val.
+ */
+
+#ifdef convex
+static int linestate;
+#endif
+
+	int
+tty_linemode()
+{
+#ifndef convex
+#ifndef	USE_TERMIO
+	return(termbuf.state & TS_EXTPROC);
+#else
+	return(termbuf.c_lflag & EXTPROC);
+#endif
+#else
+	return(linestate);
+#endif
+}
+
+	void
+tty_setlinemode(on)
+	int on;
+{
+#ifdef	TIOCEXT
+# ifndef convex
+	set_termbuf();
+# else
+	linestate = on;
+# endif
+	(void) ioctl(pty, TIOCEXT, (char *)&on);
+# ifndef convex
+	init_termbuf();
+# endif
+#else	/* !TIOCEXT */
+# ifdef	EXTPROC
+	if (on)
+		termbuf.c_lflag |= EXTPROC;
+	else
+		termbuf.c_lflag &= ~EXTPROC;
+# endif
+#endif	/* TIOCEXT */
+}
+#endif	/* LINEMODE */
+
+	int
+tty_isecho()
+{
+#ifndef USE_TERMIO
+	return (termbuf.sg.sg_flags & ECHO);
+#else
+	return (termbuf.c_lflag & ECHO);
+#endif
+}
+
+	int
+tty_flowmode()
+{
+#ifndef USE_TERMIO
+	return(((termbuf.tc.t_startc) > 0 && (termbuf.tc.t_stopc) > 0) ? 1 : 0);
+#else
+	return((termbuf.c_iflag & IXON) ? 1 : 0);
+#endif
+}
+
+	int
+tty_restartany()
+{
+#ifndef USE_TERMIO
+# ifdef	DECCTQ
+	return((termbuf.lflags & DECCTQ) ? 0 : 1);
+# else
+	return(-1);
+# endif
+#else
+	return((termbuf.c_iflag & IXANY) ? 1 : 0);
+#endif
+}
+
+	void
+tty_setecho(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= ECHO|CRMOD;
+	else
+		termbuf.sg.sg_flags &= ~(ECHO|CRMOD);
+#else
+	if (on)
+		termbuf.c_lflag |= ECHO;
+	else
+		termbuf.c_lflag &= ~ECHO;
+#endif
+}
+
+	int
+tty_israw()
+{
+#ifndef USE_TERMIO
+	return(termbuf.sg.sg_flags & RAW);
+#else
+	return(!(termbuf.c_lflag & ICANON));
+#endif
+}
+
+#if	defined (AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	int
+tty_setraw(on)
+{
+#  ifndef USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= RAW;
+	else
+		termbuf.sg.sg_flags &= ~RAW;
+#  else
+	if (on)
+		termbuf.c_lflag &= ~ICANON;
+	else
+		termbuf.c_lflag |= ICANON;
+#  endif
+}
+#endif
+
+	void
+tty_binaryin(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags |= LPASS8;
+	else
+		termbuf.lflags &= ~LPASS8;
+#else
+	if (on) {
+		termbuf.c_iflag &= ~ISTRIP;
+	} else {
+		termbuf.c_iflag |= ISTRIP;
+	}
+#endif
+}
+
+	void
+tty_binaryout(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags |= LLITOUT;
+	else
+		termbuf.lflags &= ~LLITOUT;
+#else
+	if (on) {
+		termbuf.c_cflag &= ~(CSIZE|PARENB);
+		termbuf.c_cflag |= CS8;
+		termbuf.c_oflag &= ~OPOST;
+	} else {
+		termbuf.c_cflag &= ~CSIZE;
+		termbuf.c_cflag |= CS7|PARENB;
+		termbuf.c_oflag |= OPOST;
+	}
+#endif
+}
+
+	int
+tty_isbinaryin()
+{
+#ifndef	USE_TERMIO
+	return(termbuf.lflags & LPASS8);
+#else
+	return(!(termbuf.c_iflag & ISTRIP));
+#endif
+}
+
+	int
+tty_isbinaryout()
+{
+#ifndef	USE_TERMIO
+	return(termbuf.lflags & LLITOUT);
+#else
+	return(!(termbuf.c_oflag&OPOST));
+#endif
+}
+
+#ifdef	LINEMODE
+	int
+tty_isediting()
+{
+#ifndef USE_TERMIO
+	return(!(termbuf.sg.sg_flags & (CBREAK|RAW)));
+#else
+	return(termbuf.c_lflag & ICANON);
+#endif
+}
+
+	int
+tty_istrapsig()
+{
+#ifndef USE_TERMIO
+	return(!(termbuf.sg.sg_flags&RAW));
+#else
+	return(termbuf.c_lflag & ISIG);
+#endif
+}
+
+	void
+tty_setedit(on)
+	int on;
+{
+#ifndef USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags &= ~CBREAK;
+	else
+		termbuf.sg.sg_flags |= CBREAK;
+#else
+	if (on)
+		termbuf.c_lflag |= ICANON;
+	else
+		termbuf.c_lflag &= ~ICANON;
+#endif
+}
+
+	void
+tty_setsig(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		;
+#else
+	if (on)
+		termbuf.c_lflag |= ISIG;
+	else
+		termbuf.c_lflag &= ~ISIG;
+#endif
+}
+#endif	/* LINEMODE */
+
+	int
+tty_issofttab()
+{
+#ifndef	USE_TERMIO
+	return (termbuf.sg.sg_flags & XTABS);
+#else
+# ifdef	OXTABS
+	return (termbuf.c_oflag & OXTABS);
+# endif
+# ifdef	TABDLY
+	return ((termbuf.c_oflag & TABDLY) == TAB3);
+# endif
+#endif
+}
+
+	void
+tty_setsofttab(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= XTABS;
+	else
+		termbuf.sg.sg_flags &= ~XTABS;
+#else
+	if (on) {
+# ifdef	OXTABS
+		termbuf.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+		termbuf.c_oflag &= ~TABDLY;
+		termbuf.c_oflag |= TAB3;
+# endif
+	} else {
+# ifdef	OXTABS
+		termbuf.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+		termbuf.c_oflag &= ~TABDLY;
+		termbuf.c_oflag |= TAB0;
+# endif
+	}
+#endif
+}
+
+	int
+tty_islitecho()
+{
+#ifndef	USE_TERMIO
+	return (!(termbuf.lflags & LCTLECH));
+#else
+# ifdef	ECHOCTL
+	return (!(termbuf.c_lflag & ECHOCTL));
+# endif
+# ifdef	TCTLECH
+	return (!(termbuf.c_lflag & TCTLECH));
+# endif
+# if	!defined(ECHOCTL) && !defined(TCTLECH)
+	return (0);	/* assumes ctl chars are echoed '^x' */
+# endif
+#endif
+}
+
+	void
+tty_setlitecho(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags &= ~LCTLECH;
+	else
+		termbuf.lflags |= LCTLECH;
+#else
+# ifdef	ECHOCTL
+	if (on)
+		termbuf.c_lflag &= ~ECHOCTL;
+	else
+		termbuf.c_lflag |= ECHOCTL;
+# endif
+# ifdef	TCTLECH
+	if (on)
+		termbuf.c_lflag &= ~TCTLECH;
+	else
+		termbuf.c_lflag |= TCTLECH;
+# endif
+#endif
+}
+
+	int
+tty_iscrnl()
+{
+#ifndef	USE_TERMIO
+	return (termbuf.sg.sg_flags & CRMOD);
+#else
+	return (termbuf.c_iflag & ICRNL);
+#endif
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+	int	speed;
+	int	value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },
+#ifdef	B7200
+	{ 7200,  B7200 },
+#endif
+	{ 9600,   B9600 },
+#ifdef	B14400
+	{ 14400,  B14400 },
+#endif
+#ifdef	B19200
+	{ 19200,  B19200 },
+#endif
+#ifdef	B28800
+	{ 28800,  B28800 },
+#endif
+#ifdef	B38400
+	{ 38400,  B38400 },
+#endif
+#ifdef	B57600
+	{ 57600,  B57600 },
+#endif
+#ifdef	B115200
+	{ 115200, B115200 },
+#endif
+#ifdef	B230400
+	{ 230400, B230400 },
+#endif
+	{ -1,     0 }
+};
+#endif	/* DECODE_BAUD */
+
+	void
+tty_tspeed(val)
+	int val;
+{
+#ifdef	DECODE_BAUD
+	register struct termspeeds *tp;
+
+	for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+		;
+	if (tp->speed == -1)	/* back up to last valid value */
+		--tp;
+	cfsetospeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+	cfsetospeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+	void
+tty_rspeed(val)
+	int val;
+{
+#ifdef	DECODE_BAUD
+	register struct termspeeds *tp;
+
+	for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+		;
+	if (tp->speed == -1)	/* back up to last valid value */
+		--tp;
+	cfsetispeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+	cfsetispeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	int
+tty_isnewmap()
+{
+	return((termbuf.c_oflag & OPOST) && (termbuf.c_oflag & ONLCR) &&
+			!(termbuf.c_oflag & ONLRET));
+}
+#endif
+
+#ifdef PARENT_DOES_UTMP
+# ifndef NEWINIT
+extern	struct utmp wtmp;
+extern char wtmpf[];
+# else	/* NEWINIT */
+int	gotalarm;
+
+	/* ARGSUSED */
+	void
+nologinproc(sig)
+	int sig;
+{
+	gotalarm++;
+}
+# endif	/* NEWINIT */
+#endif /* PARENT_DOES_UTMP */
+
+#ifndef	NEWINIT
+# ifdef PARENT_DOES_UTMP
+extern void utmp_sig_init P((void));
+extern void utmp_sig_reset P((void));
+extern void utmp_sig_wait P((void));
+extern void utmp_sig_notify P((int));
+# endif /* PARENT_DOES_UTMP */
+#endif
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.
+ */
+	void
+getptyslave()
+{
+	register int t = -1;
+	char erase;
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+# ifdef	LINEMODE
+	int waslm;
+# endif
+# ifdef	TIOCGWINSZ
+	struct winsize ws;
+	extern int def_row, def_col;
+# endif
+	extern int def_tspeed, def_rspeed;
+	/*
+	 * Opening the slave side may cause initilization of the
+	 * kernel tty structure.  We need remember the state of
+	 * 	if linemode was turned on
+	 *	terminal window size
+	 *	terminal speed
+	 *	erase character
+	 * so that we can re-set them if we need to.
+	 */
+# ifdef	LINEMODE
+	waslm = tty_linemode();
+# endif
+	erase = termbuf.c_cc[VERASE];
+
+	/*
+	 * Make sure that we don't have a controlling tty, and
+	 * that we are the session (process group) leader.
+	 */
+# ifdef	TIOCNOTTY
+	t = open(_PATH_TTY, O_RDWR);
+	if (t >= 0) {
+		(void) ioctl(t, TIOCNOTTY, (char *)0);
+		(void) close(t);
+	}
+# endif
+
+
+# ifdef PARENT_DOES_UTMP
+	/*
+	 * Wait for our parent to get the utmp stuff to get done.
+	 */
+	utmp_sig_wait();
+# endif
+
+	t = cleanopen(line);
+	if (t < 0)
+		fatalperror(net, line);
+
+#ifdef  STREAMSPTY
+#ifdef	USE_TERMIO
+	ttyfd = t;
+#endif
+	if (ioctl(t, I_PUSH, "ptem") < 0)
+		fatal(net, "I_PUSH ptem");
+	if (ioctl(t, I_PUSH, "ldterm") < 0)
+		fatal(net, "I_PUSH ldterm");
+	if (ioctl(t, I_PUSH, "ttcompat") < 0)
+		fatal(net, "I_PUSH ttcompat");
+	if (ioctl(pty, I_PUSH, "pckt") < 0)
+		fatal(net, "I_PUSH pckt");
+#endif
+
+	/*
+	 * set up the tty modes as we like them to be.
+	 */
+	init_termbuf();
+# ifdef	TIOCGWINSZ
+	if (def_row || def_col) {
+		memset((char *)&ws, 0, sizeof(ws));
+		ws.ws_col = def_col;
+		ws.ws_row = def_row;
+		(void)ioctl(t, TIOCSWINSZ, (char *)&ws);
+	}
+# endif
+
+	/*
+	 * Settings for sgtty based systems
+	 */
+# ifndef	USE_TERMIO
+	termbuf.sg.sg_flags |= CRMOD|ANYP|ECHO|XTABS;
+# endif	/* USE_TERMIO */
+
+	/*
+	 * Settings for UNICOS (and HPUX)
+	 */
+# if defined(CRAY) || defined(__hpux)
+	termbuf.c_oflag = OPOST|ONLCR|TAB3;
+	termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON;
+	termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK;
+	termbuf.c_cflag = EXTB|HUPCL|CS8;
+# endif
+
+	/*
+	 * Settings for all other termios/termio based
+	 * systems, other than 4.4BSD.  In 4.4BSD the
+	 * kernel does the initial terminal setup.
+	 */
+# if defined(USE_TERMIO) && !(defined(CRAY) || defined(__hpux)) && (BSD <= 43)
+#  ifndef	OXTABS
+#   define OXTABS	0
+#  endif
+	termbuf.c_lflag |= ECHO;
+	termbuf.c_oflag |= ONLCR|OXTABS;
+	termbuf.c_iflag |= ICRNL;
+	termbuf.c_iflag &= ~IXOFF;
+# endif /* defined(USE_TERMIO) && !defined(CRAY) && (BSD <= 43) */
+	tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+	tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+	if (erase)
+		termbuf.c_cc[VERASE] = erase;
+# ifdef	LINEMODE
+	if (waslm)
+		tty_setlinemode(1);
+# endif	/* LINEMODE */
+
+	/*
+	 * Set the tty modes, and make this our controlling tty.
+	 */
+	set_termbuf();
+	if (login_tty(t) == -1)
+		fatalperror(net, "login_tty");
+#endif	/* !defined(CRAY) || !defined(NEWINIT) */
+	if (net > 2)
+		(void) close(net);
+#if	defined(AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	/*
+	 * Leave the pty open so that we can write out the rlogin
+	 * protocol for /bin/login, if the authentication works.
+	 */
+#else
+	if (pty > 2) {
+		(void) close(pty);
+		pty = -1;
+	}
+#endif
+}
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+#ifndef	O_NOCTTY
+#define	O_NOCTTY	0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+	int
+cleanopen(line)
+	char *line;
+{
+	register int t;
+#ifdef	UNICOS7x
+	struct secstat secbuf;
+#endif	/* UNICOS7x */
+
+#ifndef STREAMSPTY
+	/*
+	 * Make sure that other people can't open the
+	 * slave side of the connection.
+	 */
+	(void) chown(line, 0, 0);
+	(void) chmod(line, 0600);
+#endif
+
+# if !defined(CRAY) && (BSD > 43)
+	(void) revoke(line);
+# endif
+#ifdef	UNICOS7x
+	if (secflag) {
+		if (secstat(line, &secbuf) < 0)
+			return(-1);
+		if (setulvl(secbuf.st_slevel) < 0)
+			return(-1);
+		if (setucmp(secbuf.st_compart) < 0)
+			return(-1);
+	}
+#endif	/* UNICOS7x */
+
+	t = open(line, O_RDWR|O_NOCTTY);
+
+#ifdef	UNICOS7x
+	if (secflag) {
+		if (setulvl(sysv.sy_minlvl) < 0)
+			return(-1);
+		if (setucmp(0) < 0)
+			return(-1);
+	}
+#endif	/* UNICOS7x */
+
+	if (t < 0)
+		return(-1);
+
+	/*
+	 * Hangup anybody else using this ttyp, then reopen it for
+	 * ourselves.
+	 */
+# if !(defined(CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY)
+	(void) signal(SIGHUP, SIG_IGN);
+	vhangup();
+	(void) signal(SIGHUP, SIG_DFL);
+	t = open(line, O_RDWR|O_NOCTTY);
+	if (t < 0)
+		return(-1);
+# endif
+# if	defined(CRAY) && defined(TCVHUP)
+	{
+		register int i;
+		(void) signal(SIGHUP, SIG_IGN);
+		(void) ioctl(t, TCVHUP, (char *)0);
+		(void) signal(SIGHUP, SIG_DFL);
+
+#ifdef	UNICOS7x
+		if (secflag) {
+			if (secstat(line, &secbuf) < 0)
+				return(-1);
+			if (setulvl(secbuf.st_slevel) < 0)
+				return(-1);
+			if (setucmp(secbuf.st_compart) < 0)
+				return(-1);
+		}
+#endif	/* UNICOS7x */
+
+		i = open(line, O_RDWR);
+
+#ifdef	UNICOS7x
+		if (secflag) {
+			if (setulvl(sysv.sy_minlvl) < 0)
+				return(-1);
+			if (setucmp(0) < 0)
+				return(-1);
+		}
+#endif	/* UNICOS7x */
+
+		if (i < 0)
+			return(-1);
+		(void) close(t);
+		t = i;
+	}
+# endif	/* defined(CRAY) && defined(TCVHUP) */
+	return(t);
+}
+#endif	/* !defined(CRAY) || !defined(NEWINIT) */
+
+#if BSD <= 43
+
+	int
+login_tty(t)
+	int t;
+{
+	if (setsid() < 0) {
+#ifdef ultrix
+		/*
+		 * The setsid() may have failed because we
+		 * already have a pgrp == pid.  Zero out
+		 * our pgrp and try again...
+		 */
+		if ((setpgrp(0, 0) < 0) || (setsid() < 0))
+#endif
+			fatalperror(net, "setsid()");
+	}
+# ifdef	TIOCSCTTY
+	if (ioctl(t, TIOCSCTTY, (char *)0) < 0)
+		fatalperror(net, "ioctl(sctty)");
+#  if defined(CRAY)
+	/*
+	 * Close the hard fd to /dev/ttypXXX, and re-open through
+	 * the indirect /dev/tty interface.
+	 */
+	close(t);
+	if ((t = open("/dev/tty", O_RDWR)) < 0)
+		fatalperror(net, "open(/dev/tty)");
+#  endif
+# else
+	/*
+	 * We get our controlling tty assigned as a side-effect
+	 * of opening up a tty device.  But on BSD based systems,
+	 * this only happens if our process group is zero.  The
+	 * setsid() call above may have set our pgrp, so clear
+	 * it out before opening the tty...
+	 */
+#  ifndef SOLARIS
+	(void) setpgrp(0, 0);
+#  else
+	(void) setpgrp();
+#  endif
+	close(open(line, O_RDWR));
+# endif
+	if (t != 0)
+		(void) dup2(t, 0);
+	if (t != 1)
+		(void) dup2(t, 1);
+	if (t != 2)
+		(void) dup2(t, 2);
+	if (t > 2)
+		close(t);
+	return(0);
+}
+#endif	/* BSD <= 43 */
+
+#ifdef	NEWINIT
+char *gen_id = "fe";
+#endif
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+	void
+startslave(host, autologin, autoname)
+	char *host;
+	int autologin;
+	char *autoname;
+{
+	register int i;
+#ifdef	NEWINIT
+	extern char *ptyip;
+	struct init_request request;
+	void nologinproc();
+	register int n;
+#endif	/* NEWINIT */
+
+#if	defined(AUTHENTICATION)
+	if (!autoname || !autoname[0])
+		autologin = 0;
+
+	if (autologin < auth_level) {
+		fatal(net, "Authorization failed");
+		exit(1);
+	}
+#endif
+
+#ifndef	NEWINIT
+# ifdef	PARENT_DOES_UTMP
+	utmp_sig_init();
+# endif	/* PARENT_DOES_UTMP */
+
+	if ((i = fork()) < 0)
+		fatalperror(net, "fork");
+	if (i) {
+# ifdef PARENT_DOES_UTMP
+		/*
+		 * Cray parent will create utmp entry for child and send
+		 * signal to child to tell when done.  Child waits for signal
+		 * before doing anything important.
+		 */
+		register int pid = i;
+		void sigjob P((int));
+
+		setpgrp();
+		utmp_sig_reset();		/* reset handler to default */
+		/*
+		 * Create utmp entry for child
+		 */
+		(void) time(&wtmp.ut_time);
+		wtmp.ut_type = LOGIN_PROCESS;
+		wtmp.ut_pid = pid;
+		SCPYN(wtmp.ut_user, "LOGIN");
+		SCPYN(wtmp.ut_host, host);
+		SCPYN(wtmp.ut_line, line + sizeof("/dev/") - 1);
+#ifndef	__hpux
+		SCPYN(wtmp.ut_id, wtmp.ut_line+3);
+#else
+		SCPYN(wtmp.ut_id, wtmp.ut_line+7);
+#endif
+		pututline(&wtmp);
+		endutent();
+		if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) {
+			(void) write(i, (char *)&wtmp, sizeof(struct utmp));
+			(void) close(i);
+		}
+#ifdef	CRAY
+		(void) signal(WJSIGNAL, sigjob);
+#endif
+		utmp_sig_notify(pid);
+# endif	/* PARENT_DOES_UTMP */
+	} else {
+		getptyslave(autologin);
+		start_login(host, autologin, autoname);
+		/*NOTREACHED*/
+	}
+#else	/* NEWINIT */
+
+	/*
+	 * Init will start up login process if we ask nicely.  We only wait
+	 * for it to start up and begin normal telnet operation.
+	 */
+	if ((i = open(INIT_FIFO, O_WRONLY)) < 0) {
+		char tbuf[128];
+		(void) snprintf(tbuf, sizeof(tbuf), "Can't open %s\n", INIT_FIFO);
+		fatalperror(net, tbuf);
+	}
+	memset((char *)&request, 0, sizeof(request));
+	request.magic = INIT_MAGIC;
+	SCPYN(request.gen_id, gen_id);
+	SCPYN(request.tty_id, &line[8]);
+	SCPYN(request.host, host);
+	SCPYN(request.term_type, terminaltype ? terminaltype : "network");
+#if	!defined(UNICOS5)
+	request.signal = SIGCLD;
+	request.pid = getpid();
+#endif
+#ifdef BFTPDAEMON
+	/*
+	 * Are we working as the bftp daemon?
+	 */
+	if (bftpd) {
+		SCPYN(request.exec_name, BFTPPATH);
+	}
+#endif /* BFTPDAEMON */
+	if (write(i, (char *)&request, sizeof(request)) < 0) {
+		char tbuf[128];
+		(void) snprintf(tbuf, sizeof(tbuf), "Can't write to %s\n", INIT_FIFO);
+		fatalperror(net, tbuf);
+	}
+	(void) close(i);
+	(void) signal(SIGALRM, nologinproc);
+	for (i = 0; ; i++) {
+		char tbuf[128];
+		alarm(15);
+		n = read(pty, ptyip, BUFSIZ);
+		if (i == 3 || n >= 0 || !gotalarm)
+			break;
+		gotalarm = 0;
+		snprintf(tbuf, sizeof(tbuf), "telnetd: waiting for /etc/init to start login process on %s\r\n", line);
+		(void) write(net, tbuf, strlen(tbuf));
+	}
+	if (n < 0 && gotalarm)
+		fatal(net, "/etc/init didn't start login process");
+	pcc += n;
+	alarm(0);
+	(void) signal(SIGALRM, SIG_DFL);
+
+	return;
+#endif	/* NEWINIT */
+}
+
+char	*envinit[3];
+extern char **environ;
+
+	void
+init_env()
+{
+	extern char *getenv();
+	char **envp;
+
+	envp = envinit;
+	if ((*envp = getenv("TZ")))
+		*envp++ -= 3;
+#if	defined(CRAY) || defined(__hpux)
+	else
+		*envp++ = "TZ=GMT0";
+#endif
+	*envp = 0;
+	environ = envinit;
+}
+
+#ifndef	NEWINIT
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+	void
+start_login(host, autologin, name)
+	char *host;
+	int autologin;
+	char *name;
+{
+	register char **argv;
+	char **addarg(), *user;
+	extern char *getenv();
+#ifdef	UTMPX
+	register int pid = getpid();
+	struct utmpx utmpx;
+#endif
+#ifdef SOLARIS
+	char *term;
+	char termbuf[64];
+#endif
+
+#ifdef	UTMPX
+	/*
+	 * Create utmp entry for child
+	 */
+
+	memset(&utmpx, 0, sizeof(utmpx));
+	SCPYN(utmpx.ut_user, ".telnet");
+	SCPYN(utmpx.ut_line, line + sizeof("/dev/") - 1);
+	utmpx.ut_pid = pid;
+	utmpx.ut_id[0] = 't';
+	utmpx.ut_id[1] = 'n';
+	utmpx.ut_id[2] = SC_WILDC;
+	utmpx.ut_id[3] = SC_WILDC;
+	utmpx.ut_type = LOGIN_PROCESS;
+	(void) time(&utmpx.ut_tv.tv_sec);
+	if (makeutx(&utmpx) == NULL)
+		fatal(net, "makeutx failed");
+#endif
+
+	scrub_env();
+
+	/*
+	 * -h : pass on name of host.
+	 *		WARNING:  -h is accepted by login if and only if
+	 *			getuid() == 0.
+	 * -p : don't clobber the environment (so terminal type stays set).
+	 *
+	 * -f : force this login, he has already been authenticated
+	 */
+	argv = addarg(0, "login");
+
+#if	!defined(NO_LOGIN_H)
+
+# if	defined (AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	/*
+	 * Don't add the "-h host" option if we are going
+	 * to be adding the "-r host" option down below...
+	 */
+	if ((auth_level < 0) || (autologin != AUTH_VALID))
+# endif
+	{
+		argv = addarg(argv, "-h");
+		argv = addarg(argv, host);
+#ifdef	SOLARIS
+		/*
+		 * SVR4 version of -h takes TERM= as second arg, or -
+		 */
+		term = getenv("TERM");
+		if (term == NULL || term[0] == 0) {
+			term = "-";
+		} else {
+			strcpy(termbuf, "TERM=");
+			strncat(termbuf, term, sizeof(termbuf) - 6);
+			term = termbuf;
+		}
+		argv = addarg(argv, term);
+#endif
+	}
+#endif
+#if	!defined(NO_LOGIN_P)
+	argv = addarg(argv, "-p");
+#endif
+#ifdef	LINEMODE
+	/*
+	 * Set the environment variable "LINEMODE" to either
+	 * "real" or "kludge" if we are operating in either
+	 * real or kludge linemode.
+	 */
+	if (lmodetype == REAL_LINEMODE)
+		setenv("LINEMODE", "real", 1);
+# ifdef KLUDGELINEMODE
+	else if (lmodetype == KLUDGE_LINEMODE || lmodetype == KLUDGE_OK)
+		setenv("LINEMODE", "kludge", 1);
+# endif
+#endif
+#ifdef	BFTPDAEMON
+	/*
+	 * Are we working as the bftp daemon?  If so, then ask login
+	 * to start bftp instead of shell.
+	 */
+	if (bftpd) {
+		argv = addarg(argv, "-e");
+		argv = addarg(argv, BFTPPATH);
+	} else
+#endif
+#if	defined (SecurID)
+	/*
+	 * don't worry about the -f that might get sent.
+	 * A -s is supposed to override it anyhow.
+	 */
+	if (require_SecurID)
+		argv = addarg(argv, "-s");
+#endif
+#if	defined (AUTHENTICATION)
+	if (auth_level >= 0 && autologin == AUTH_VALID) {
+# if	!defined(NO_LOGIN_F)
+		argv = addarg(argv, "-f");
+		argv = addarg(argv, "--");
+		argv = addarg(argv, name);
+# else
+#  if defined(LOGIN_R)
+		/*
+		 * We don't have support for "login -f", but we
+		 * can fool /bin/login into thinking that we are
+		 * rlogind, and allow us to log in without a
+		 * password.  The rlogin protocol expects
+		 *	local-user\0remote-user\0term/speed\0
+		 */
+
+		if (pty > 2) {
+			register char *cp;
+			char speed[128];
+			int isecho, israw, xpty, len;
+			extern int def_rspeed;
+#  ifndef LOGIN_HOST
+			/*
+			 * Tell login that we are coming from "localhost".
+			 * If we passed in the real host name, then the
+			 * user would have to allow .rhost access from
+			 * every machine that they want authenticated
+			 * access to work from, which sort of defeats
+			 * the purpose of an authenticated login...
+			 * So, we tell login that the session is coming
+			 * from "localhost", and the user will only have
+			 * to have "localhost" in their .rhost file.
+			 */
+#			define LOGIN_HOST "localhost"
+#  endif
+			argv = addarg(argv, "-r");
+			argv = addarg(argv, LOGIN_HOST);
+
+			xpty = pty;
+# ifndef  STREAMSPTY
+			pty = 0;
+# else
+			ttyfd = 0;
+# endif
+			init_termbuf();
+			isecho = tty_isecho();
+			israw = tty_israw();
+			if (isecho || !israw) {
+				tty_setecho(0);		/* Turn off echo */
+				tty_setraw(1);		/* Turn on raw */
+				set_termbuf();
+			}
+			len = strlen(name)+1;
+			write(xpty, name, len);
+			write(xpty, name, len);
+			snprintf(speed, sizeof(speed),
+				"%s/%d", (cp = getenv("TERM")) ? cp : "",
+				(def_rspeed > 0) ? def_rspeed : 9600);
+			len = strlen(speed)+1;
+			write(xpty, speed, len);
+
+			if (isecho || !israw) {
+				init_termbuf();
+				tty_setecho(isecho);
+				tty_setraw(israw);
+				set_termbuf();
+				if (!israw) {
+					/*
+					 * Write a newline to ensure
+					 * that login will be able to
+					 * read the line...
+					 */
+					write(xpty, "\n", 1);
+				}
+			}
+			pty = xpty;
+		}
+#  else
+		argv = addarg(argv, "--");
+		argv = addarg(argv, name);
+#  endif
+# endif
+	} else
+#endif
+	if (getenv("USER")) {
+ 		argv = addarg(argv, "--");
+		argv = addarg(argv, getenv("USER"));
+#if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+		{
+			register char **cpp;
+			for (cpp = environ; *cpp; cpp++)
+				argv = addarg(argv, *cpp);
+		}
+#endif
+		/*
+		 * Assume that login will set the USER variable
+		 * correctly.  For SysV systems, this means that
+		 * USER will no longer be set, just LOGNAME by
+		 * login.  (The problem is that if the auto-login
+		 * fails, and the user then specifies a different
+		 * account name, he can get logged in with both
+		 * LOGNAME and USER in his environment, but the
+		 * USER value will be wrong.
+		 */
+		unsetenv("USER");
+	}
+#ifdef	SOLARIS
+	else {
+		char **p;
+
+		argv = addarg(argv, "");	/* no login name */
+		for (p = environ; *p; p++) {
+			argv = addarg(argv, *p);
+		}
+	}
+#endif	/* SOLARIS */
+#if	defined(AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	if (pty > 2)
+		close(pty);
+#endif
+	closelog();
+
+	if (altlogin == NULL) {
+		altlogin = _PATH_LOGIN;
+	}
+	execv(altlogin, argv);
+
+	syslog(LOG_ERR, "%s: %m", altlogin);
+	fatalperror(net, altlogin);
+	/*NOTREACHED*/
+}
+
+	char **
+addarg(argv, val)
+	register char **argv;
+	register char *val;
+{
+	register char **cpp;
+
+	if (argv == NULL) {
+		/*
+		 * 10 entries, a leading length, and a null
+		 */
+		argv = (char **)malloc(sizeof(*argv) * 12);
+		if (argv == NULL)
+			return(NULL);
+		*argv++ = (char *)10;
+		*argv = (char *)0;
+	}
+	for (cpp = argv; *cpp; cpp++)
+		;
+	if (cpp == &argv[(int)argv[-1]]) {
+		--argv;
+		*argv = (char *)((int)(*argv) + 10);
+		argv = (char **)realloc(argv, sizeof(*argv)*((int)(*argv) + 2));
+		if (argv == NULL)
+			return(NULL);
+		argv++;
+		cpp = &argv[(int)argv[-1] - 10];
+	}
+	*cpp++ = val;
+	*cpp = 0;
+	return(argv);
+}
+#endif	/* NEWINIT */
+
+/*
+ * scrub_env()
+ *
+ * Remove a few things from the environment that
+ * don't need to be there.
+ */
+	void
+scrub_env()
+{
+	register char **cpp, **cpp2;
+
+	for (cpp2 = cpp = environ; *cpp; cpp++) {
+#ifdef __FreeBSD__
+		if (strncmp(*cpp, "LD_LIBRARY_PATH=", 16) &&
+		    strncmp(*cpp, "LD_PRELOAD=", 11) &&
+#else
+		if (strncmp(*cpp, "LD_", 3) &&
+		    strncmp(*cpp, "_RLD_", 5) &&
+		    strncmp(*cpp, "LIBPATH=", 8) &&
+#endif
+		    strncmp(*cpp, "IFS=", 4))
+			*cpp2++ = *cpp;
+	}
+	*cpp2 = 0;
+}
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+	/* ARGSUSED */
+	void
+cleanup(sig)
+	int sig;
+{
+#ifndef	PARENT_DOES_UTMP
+# if (BSD > 43) || defined(convex)
+	char *p;
+
+	p = line + sizeof("/dev/") - 1;
+	if (logout(p))
+		logwtmp(p, "", "");
+	(void)chmod(line, 0666);
+	(void)chown(line, 0, 0);
+	*p = 'p';
+	(void)chmod(line, 0666);
+	(void)chown(line, 0, 0);
+	(void) shutdown(net, 2);
+	exit(1);
+# else
+	void rmut();
+
+	rmut();
+	vhangup();	/* XXX */
+	(void) shutdown(net, 2);
+	exit(1);
+# endif
+#else	/* PARENT_DOES_UTMP */
+# ifdef	NEWINIT
+	(void) shutdown(net, 2);
+	exit(1);
+# else	/* NEWINIT */
+#  ifdef CRAY
+	static int incleanup = 0;
+	register int t;
+	int child_status; /* status of child process as returned by waitpid */
+	int flags = WNOHANG|WUNTRACED;
+
+	/*
+	 * 1: Pick up the zombie, if we are being called
+	 *    as the signal handler.
+	 * 2: If we are a nested cleanup(), return.
+	 * 3: Try to clean up TMPDIR.
+	 * 4: Fill in utmp with shutdown of process.
+	 * 5: Close down the network and pty connections.
+	 * 6: Finish up the TMPDIR cleanup, if needed.
+	 */
+	if (sig == SIGCHLD) {
+		while (waitpid(-1, &child_status, flags) > 0)
+			;	/* VOID */
+		/* Check if the child process was stopped
+		 * rather than exited.  We want cleanup only if
+		 * the child has died.
+		 */
+		if (WIFSTOPPED(child_status)) {
+			return;
+		}
+	}
+	t = sigblock(sigmask(SIGCHLD));
+	if (incleanup) {
+		sigsetmask(t);
+		return;
+	}
+	incleanup = 1;
+	sigsetmask(t);
+#ifdef	UNICOS7x
+	if (secflag) {
+		/*
+		 *	We need to set ourselves back to a null
+		 *	label to clean up.
+		 */
+
+		setulvl(sysv.sy_minlvl);
+		setucmp((long)0);
+	}
+#endif	/* UNICOS7x */
+
+	t = cleantmp(&wtmp);
+	setutent();	/* just to make sure */
+#  endif /* CRAY */
+	rmut(line);
+	close(pty);
+	(void) shutdown(net, 2);
+#  ifdef CRAY
+	if (t == 0)
+		cleantmp(&wtmp);
+#  endif /* CRAY */
+	exit(1);
+# endif	/* NEWINT */
+#endif	/* PARENT_DOES_UTMP */
+}
+
+#if defined(PARENT_DOES_UTMP) && !defined(NEWINIT)
+/*
+ * _utmp_sig_rcv
+ * utmp_sig_init
+ * utmp_sig_wait
+ *	These three functions are used to coordinate the handling of
+ *	the utmp file between the server and the soon-to-be-login shell.
+ *	The server actually creates the utmp structure, the child calls
+ *	utmp_sig_wait(), until the server calls utmp_sig_notify() and
+ *	signals the future-login shell to proceed.
+ */
+static int caught=0;		/* NZ when signal intercepted */
+static void (*func)();		/* address of previous handler */
+
+	void
+_utmp_sig_rcv(sig)
+	int sig;
+{
+	caught = 1;
+	(void) signal(SIGUSR1, func);
+}
+
+	void
+utmp_sig_init()
+{
+	/*
+	 * register signal handler for UTMP creation
+	 */
+	if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
+		fatalperror(net, "telnetd/signal");
+}
+
+	void
+utmp_sig_reset()
+{
+	(void) signal(SIGUSR1, func);	/* reset handler to default */
+}
+
+# ifdef __hpux
+# define sigoff() /* do nothing */
+# define sigon() /* do nothing */
+# endif
+
+	void
+utmp_sig_wait()
+{
+	/*
+	 * Wait for parent to write our utmp entry.
+	 */
+	sigoff();
+	while (caught == 0) {
+		pause();	/* wait until we get a signal (sigon) */
+		sigoff();	/* turn off signals while we check caught */
+	}
+	sigon();		/* turn on signals again */
+}
+
+	void
+utmp_sig_notify(pid)
+{
+	kill(pid, SIGUSR1);
+}
+
+# ifdef CRAY
+static int gotsigjob = 0;
+
+	/*ARGSUSED*/
+	void
+sigjob(sig)
+	int sig;
+{
+	register int jid;
+	register struct jobtemp *jp;
+
+	while ((jid = waitjob(NULL)) != -1) {
+		if (jid == 0) {
+			return;
+		}
+		gotsigjob++;
+		jobend(jid, NULL, NULL);
+	}
+}
+
+/*
+ *	jid_getutid:
+ *		called by jobend() before calling cleantmp()
+ *		to find the correct $TMPDIR to cleanup.
+ */
+
+	struct utmp *
+jid_getutid(jid)
+	int jid;
+{
+	struct utmp *cur = NULL;
+
+	setutent();	/* just to make sure */
+	while (cur = getutent()) {
+		if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
+			return(cur);
+		}
+	}
+
+	return(0);
+}
+
+/*
+ * Clean up the TMPDIR that login created.
+ * The first time this is called we pick up the info
+ * from the utmp.  If the job has already gone away,
+ * then we'll clean up and be done.  If not, then
+ * when this is called the second time it will wait
+ * for the signal that the job is done.
+ */
+	int
+cleantmp(wtp)
+	register struct utmp *wtp;
+{
+	struct utmp *utp;
+	static int first = 1;
+	register int mask, omask, ret;
+	extern struct utmp *getutid P((const struct utmp *_Id));
+
+
+	mask = sigmask(WJSIGNAL);
+
+	if (first == 0) {
+		omask = sigblock(mask);
+		while (gotsigjob == 0)
+			sigpause(omask);
+		return(1);
+	}
+	first = 0;
+	setutent();	/* just to make sure */
+
+	utp = getutid(wtp);
+	if (utp == 0) {
+		syslog(LOG_ERR, "can't get /etc/utmp entry to clean TMPDIR");
+		return(-1);
+	}
+	/*
+	 * Nothing to clean up if the user shell was never started.
+	 */
+	if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
+		return(1);
+
+	/*
+	 * Block the WJSIGNAL while we are in jobend().
+	 */
+	omask = sigblock(mask);
+	ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
+	sigsetmask(omask);
+	return(ret);
+}
+
+	int
+jobend(jid, path, user)
+	register int jid;
+	register char *path;
+	register char *user;
+{
+	static int saved_jid = 0;
+	static int pty_saved_jid = 0;
+	static char saved_path[sizeof(wtmp.ut_tpath)+1];
+	static char saved_user[sizeof(wtmp.ut_user)+1];
+
+	/*
+	 * this little piece of code comes into play
+	 * only when ptyreconnect is used to reconnect
+	 * to an previous session.
+	 *
+	 * this is the only time when the
+	 * "saved_jid != jid" code is executed.
+	 */
+
+	if ( saved_jid && saved_jid != jid ) {
+		if (!path) {	/* called from signal handler */
+			pty_saved_jid = jid;
+		} else {
+			pty_saved_jid = saved_jid;
+		}
+	}
+
+	if (path) {
+		strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
+		strncpy(saved_user, user, sizeof(wtmp.ut_user));
+		saved_path[sizeof(saved_path)] = '\0';
+		saved_user[sizeof(saved_user)] = '\0';
+	}
+	if (saved_jid == 0) {
+		saved_jid = jid;
+		return(0);
+	}
+
+	/* if the jid has changed, get the correct entry from the utmp file */
+
+	if ( saved_jid != jid ) {
+		struct utmp *utp = NULL;
+		struct utmp *jid_getutid();
+
+		utp = jid_getutid(pty_saved_jid);
+
+		if (utp == 0) {
+			syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+			return(-1);
+		}
+
+		cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
+		return(1);
+	}
+
+	cleantmpdir(jid, saved_path, saved_user);
+	return(1);
+}
+
+/*
+ * Fork a child process to clean up the TMPDIR
+ */
+cleantmpdir(jid, tpath, user)
+	register int jid;
+	register char *tpath;
+	register char *user;
+{
+	switch(fork()) {
+	case -1:
+		syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m",
+							tpath);
+		break;
+	case 0:
+		execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+		syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m",
+							tpath, CLEANTMPCMD);
+		exit(1);
+	default:
+		/*
+		 * Forget about child.  We will exit, and
+		 * /etc/init will pick it up.
+		 */
+		break;
+	}
+}
+# endif /* CRAY */
+#endif	/* defined(PARENT_DOES_UTMP) && !defined(NEWINIT) */
+
+/*
+ * rmut()
+ *
+ * This is the function called by cleanup() to
+ * remove the utmp entry for this person.
+ */
+
+#ifdef	UTMPX
+	void
+rmut()
+{
+	register f;
+	int found = 0;
+	struct utmp *u, *utmp;
+	int nutmp;
+	struct stat statbf;
+
+	struct utmpx *utxp, utmpx;
+
+	/*
+	 * This updates the utmpx and utmp entries and make a wtmp/x entry
+	 */
+
+	SCPYN(utmpx.ut_line, line + sizeof("/dev/") - 1);
+	utxp = getutxline(&utmpx);
+	if (utxp) {
+		utxp->ut_type = DEAD_PROCESS;
+		utxp->ut_exit.e_termination = 0;
+		utxp->ut_exit.e_exit = 0;
+		(void) time(&utmpx.ut_tv.tv_sec);
+		utmpx.ut_tv.tv_usec = 0;
+		modutx(utxp);
+	}
+	endutxent();
+}  /* end of rmut */
+#endif
+
+#if	!defined(UTMPX) && !(defined(CRAY) || defined(__hpux)) && BSD <= 43
+	void
+rmut()
+{
+	register f;
+	int found = 0;
+	struct utmp *u, *utmp;
+	int nutmp;
+	struct stat statbf;
+
+	f = open(utmpf, O_RDWR);
+	if (f >= 0) {
+		(void) fstat(f, &statbf);
+		utmp = (struct utmp *)malloc((unsigned)statbf.st_size);
+		if (!utmp)
+			syslog(LOG_ERR, "utmp malloc failed");
+		if (statbf.st_size && utmp) {
+			nutmp = read(f, (char *)utmp, (int)statbf.st_size);
+			nutmp /= sizeof(struct utmp);
+
+			for (u = utmp ; u < &utmp[nutmp] ; u++) {
+				if (SCMPN(u->ut_line, line+5) ||
+				    u->ut_name[0]==0)
+					continue;
+				(void) lseek(f, ((long)u)-((long)utmp), L_SET);
+				SCPYN(u->ut_name, "");
+				SCPYN(u->ut_host, "");
+				(void) time(&u->ut_time);
+				(void) write(f, (char *)u, sizeof(wtmp));
+				found++;
+			}
+		}
+		(void) close(f);
+	}
+	if (found) {
+		f = open(wtmpf, O_WRONLY|O_APPEND);
+		if (f >= 0) {
+			SCPYN(wtmp.ut_line, line+5);
+			SCPYN(wtmp.ut_name, "");
+			SCPYN(wtmp.ut_host, "");
+			(void) time(&wtmp.ut_time);
+			(void) write(f, (char *)&wtmp, sizeof(wtmp));
+			(void) close(f);
+		}
+	}
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+	line[strlen("/dev/")] = 'p';
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+}  /* end of rmut */
+#endif	/* CRAY */
+
+#ifdef __hpux
+rmut (line)
+char *line;
+{
+	struct utmp utmp;
+	struct utmp *utptr;
+	int fd;			/* for /etc/wtmp */
+
+	utmp.ut_type = USER_PROCESS;
+	(void) strncpy(utmp.ut_id, line+12, sizeof(utmp.ut_id));
+	(void) setutent();
+	utptr = getutid(&utmp);
+	/* write it out only if it exists */
+	if (utptr) {
+		utptr->ut_type = DEAD_PROCESS;
+		utptr->ut_time = time((long *) 0);
+		(void) pututline(utptr);
+		/* set wtmp entry if wtmp file exists */
+		if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
+			(void) write(fd, utptr, sizeof(utmp));
+			(void) close(fd);
+		}
+	}
+	(void) endutent();
+
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+	line[14] = line[13];
+	line[13] = line[12];
+	line[8] = 'm';
+	line[9] = '/';
+	line[10] = 'p';
+	line[11] = 't';
+	line[12] = 'y';
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+}
+#endif
diff --git a/crypto/telnet/telnetd/telnetd.8 b/crypto/telnet/telnetd/telnetd.8
new file mode 100644
index 0000000..5835c7d
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.8
@@ -0,0 +1,615 @@
+.\" Copyright (c) 1983, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
+.\" $FreeBSD$
+.\"
+.Dd January 27, 2000
+.Dt TELNETD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm /usr/libexec/telnetd
+.Op Fl BUhlkns
+.Op Fl D Ar debugmode
+.Op Fl I Ns Ar initid
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl edebug
+.Op Fl p Ar loginprog
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ).
+The
+.Fl debug
+option may be used to start up
+.Nm
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run
+.Nm
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm
+command accepts the following options:
+.Bl -tag -width indent
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode :
+.Bl -tag -width debug
+.It Cm debug
+Turn on authentication debugging code.
+.It Cm user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It Cm valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It Cm other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It Cm none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It Cm off
+Disable the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Specify bftp server mode.  In this mode,
+.Nm
+causes login to start a
+.Xr bftp 1
+session rather than the user's
+normal shell.  In bftp daemon mode normal
+logins are not supported, and it must be used
+on a port other than the normal
+.Tn TELNET
+port.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm
+is doing.
+There are several possible values for 
+.Ar debugmode :
+.Bl -tag -width exercise
+.It Cm options
+Print information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Print the 
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Display the data stream received by
+.Nm Ns .
+.It Cm ptydata
+Display data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl debug
+Enable debugging on each socket created by
+.Nm
+(see
+.Dv SO_DEBUG
+in
+.Xr socket 2 ) .
+.It Fl edebug
+If
+.Nm
+has been compiled with support for data encryption, then the
+.Fl edebug
+option may be used to enable encryption debugging code.
+.It Fl p Ar loginprog
+Specify an alternate
+.Xr login 1
+command to run to complete the login.  The alternate command must
+understand the same command arguments as the standard login.
+.It Fl h
+Disable the printing of host-specific information before
+login has been completed.
+.It Fl I Ar initid
+This option is only applicable to
+.Tn UNICOS
+systems prior to 7.0.
+It specifies the
+.Dv ID
+from
+.Pa /etc/inittab
+to use when init starts login sessions.  The default
+.Dv ID
+is
+.Dv fe.
+.It Fl k
+This option is only useful if
+.Nm
+has been compiled with both linemode and kludge linemode
+support.  If the
+.Fl k
+option is specified, then if the remote client does not
+support the
+.Dv LINEMODE
+option, then
+.Nm
+will operate in character at a time mode.
+It will still support kludge linemode, but will only
+go into kludge linemode if the remote client requests
+it.
+(This is done by the client sending
+.Dv DONT SUPPRESS-GO-AHEAD
+and
+.Dv DONT ECHO . )
+The
+.Fl k
+option is most useful when there are remote clients
+that do not support kludge linemode, but pass the heuristic
+(if they respond with
+.Dv WILL TIMING-MARK
+in response to a
+.Dv DO TIMING-MARK)
+for kludge linemode support.
+.It Fl l
+Specify line mode. Try to force clients to use line-
+at-a-time mode.
+If the
+.Dv LINEMODE
+option is not supported, it will go
+into kludge linemode.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm
+is compiled for
+.Dv UNICOS.
+It specifies an inclusive range of pseudo-terminal devices to
+use.  If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY;
+otherwise, the default range is 0 to 128.  Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range.  If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl s
+This option is only enabled if
+.Nm
+is compiled with support for
+.Tn SecurID
+cards.
+It causes the
+.Fl s
+option to be passed on to
+.Xr login 1 ,
+and thus is only useful if
+.Xr login 1
+supports the
+.Fl s
+flag to indicate that only
+.Tn SecurID
+validated logins are allowed, and is
+usually useful for controlling remote logins
+from outside of a firewall.
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.ne 1i
+.It Fl U
+This option causes
+.Nm
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm Ns .
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up, 
+.Nm
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in \*(lqcooked\*(rq mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Nm
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Nm
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicate that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicate that it will not be sending
+.Dv IAC GA,
+go ahead, commands.
+.It "WILL STATUS"
+Indicate a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.ne 1i
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Nm
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO.
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicate a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicate that it does not need to receive
+.Dv IAC GA,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicate a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicate a desire to be able to request the name
+of the X Window System display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicate a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicate a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE.
+If the client responds with
+.Dv WILL TM,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width /usr/ucb/bftp -compact
+.It Pa /etc/services
+.It Pa /etc/inittab
+(UNICOS systems only)
+.It Pa /etc/iptos
+(if supported)
+.It Pa /usr/ucb/bftp
+(if supported)
+.El
+.Sh "SEE ALSO"
+.Xr bftp 1 ,
+.Xr login 1 ,
+.Xr telnet 1
+(if supported)
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
+.Sh HISTORY
+IPv6 support was added by WIDE/KAME project.
diff --git a/crypto/telnet/telnetd/telnetd.c b/crypto/telnet/telnetd/telnetd.c
new file mode 100644
index 0000000..6d7bcde
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.c
@@ -0,0 +1,1634 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+"@(#) Copyright (c) 1989, 1993\n\
+	The Regents of the University of California.  All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)telnetd.c	8.4 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if	defined(_SC_CRAY_SECURE_SYS) && !defined(SCM_SECURITY)
+/*
+ * UNICOS 6.0/6.1 do not have SCM_SECURITY defined, so we can
+ * use it to tell us to turn off all the socket security code,
+ * since that is only used in UNICOS 7.0 and later.
+ */
+# undef _SC_CRAY_SECURE_SYS
+#endif
+
+#include <err.h>
+#include <arpa/inet.h>
+
+#include <libutil.h>
+#include <utmp.h>
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+#include <sys/sysv.h>
+#include <sys/secdev.h>
+# ifdef SO_SEC_MULTI		/* 8.0 code */
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+# endif /* SO_SEC_MULTI */
+
+/* wrapper for KAME-special getnameinfo() */
+#ifndef NI_WITHSCOPEID
+#define	NI_WITHSCOPEID	0
+#endif
+
+int	secflag;
+char	tty_dev[16];
+struct	secdev dv;
+struct	sysv sysv;
+# ifdef SO_SEC_MULTI		/* 8.0 code */
+struct	socksec ss;
+# else /* SO_SEC_MULTI */	/* 7.0 code */
+struct	socket_security ss;
+# endif /* SO_SEC_MULTI */
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+int	auth_level = 0;
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+#if	defined(SecurID)
+int	require_SecurID = 0;
+#endif
+
+char	remote_hostname[MAXHOSTNAMELEN];
+int	utmp_len = sizeof(remote_hostname) - 1;
+int	registerd_host_only = 0;
+
+#ifdef	STREAMSPTY
+# include <stropts.h>
+# include <termio.h>
+/* make sure we don't get the bsd version */
+# include "/usr/include/sys/tty.h"
+# include <sys/ptyvar.h>
+
+/*
+ * Because of the way ptyibuf is used with streams messages, we need
+ * ptyibuf+1 to be on a full-word boundary.  The following wierdness
+ * is simply to make that happen.
+ */
+long	ptyibufbuf[BUFSIZ/sizeof(long)+1];
+char	*ptyibuf = ((char *)&ptyibufbuf[1])-1;
+char	*ptyip = ((char *)&ptyibufbuf[1])-1;
+char	ptyibuf2[BUFSIZ];
+unsigned char ctlbuf[BUFSIZ];
+struct	strbuf strbufc, strbufd;
+
+#else	/* ! STREAMPTY */
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char	ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char	ptyibuf2[BUFSIZ];
+
+# include <termcap.h>
+
+int readstream(int p, char *ibuf, int bufsize);
+void doit(struct sockaddr *who);
+int terminaltypeok(char *s);
+void startslave(char *host, int autologin, char *autoname);
+
+#endif /* ! STREAMPTY */
+
+int	hostinfo = 1;			/* do we print login banner? */
+
+#ifdef	CRAY
+extern int      newmap; /* nonzero if \n maps to ^M^J */
+int	lowpty = 0, highpty;	/* low, high pty numbers */
+#endif /* CRAY */
+
+int debug = 0;
+int keepalive = 1;
+char *altlogin;
+
+void doit __P((struct sockaddr *));
+int terminaltypeok __P((char *));
+void startslave __P((char *, int, char *));
+extern void usage P((void));
+
+/*
+ * The string to pass to getopt().  We do it this way so
+ * that only the actual options that we support will be
+ * passed off to getopt().
+ */
+char valid_opts[] = {
+	'd', ':', 'h', 'k', 'n', 'p', ':', 'S', ':', 'u', ':', 'U',
+	'4', '6',
+#ifdef	AUTHENTICATION
+	'a', ':', 'X', ':',
+#endif
+#ifdef BFTPDAEMON
+	'B',
+#endif
+#ifdef DIAGNOSTICS
+	'D', ':',
+#endif
+#ifdef	ENCRYPTION
+	'e', ':',
+#endif
+#if	defined(CRAY) && defined(NEWINIT)
+	'I', ':',
+#endif
+#ifdef	LINEMODE
+	'l',
+#endif
+#ifdef CRAY
+	'r', ':',
+#endif
+#ifdef	SecurID
+	's',
+#endif
+	'\0'
+};
+
+int family = AF_INET;
+
+int
+main(argc, argv)
+	char *argv[];
+{
+	struct sockaddr_storage from;
+	int on = 1, fromlen;
+	register int ch;
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	int tos = -1;
+#endif
+
+	pfrontp = pbackp = ptyobuf;
+	netip = netibuf;
+	nfrontp = nbackp = netobuf;
+#ifdef	ENCRYPTION
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+
+	/*
+	 * This initialization causes linemode to default to a configuration
+	 * that works on all telnet clients, including the FreeBSD client.
+	 * This is not quite the same as the telnet client issuing a "mode
+	 * character" command, but has most of the same benefits, and is
+	 * preferable since some clients (like usofts) don't have the
+	 * mode character command anyway and linemode breaks things.
+	 * The most notable symptom of fix is that csh "set filec" operations
+	 * like <ESC> (filename completion) and ^D (choices) keys now work
+	 * in telnet sessions and can be used more than once on the same line.
+	 * CR/LF handling is also corrected in some termio modes.  This 
+	 * change resolves problem reports bin/771 and bin/1037.
+	 */
+
+	linemode=1;	/*Default to mode that works on bulk of clients*/
+
+#ifdef CRAY
+	/*
+	 * Get number of pty's before trying to process options,
+	 * which may include changing pty range.
+	 */
+	highpty = getnpty();
+#endif /* CRAY */
+
+	while ((ch = getopt(argc, argv, valid_opts)) != -1) {
+		switch(ch) {
+
+#ifdef	AUTHENTICATION
+		case 'a':
+			/*
+			 * Check for required authentication level
+			 */
+			if (strcmp(optarg, "debug") == 0) {
+				extern int auth_debug_mode;
+				auth_debug_mode = 1;
+			} else if (strcasecmp(optarg, "none") == 0) {
+				auth_level = 0;
+			} else if (strcasecmp(optarg, "other") == 0) {
+				auth_level = AUTH_OTHER;
+			} else if (strcasecmp(optarg, "user") == 0) {
+				auth_level = AUTH_USER;
+			} else if (strcasecmp(optarg, "valid") == 0) {
+				auth_level = AUTH_VALID;
+			} else if (strcasecmp(optarg, "off") == 0) {
+				/*
+				 * This hack turns off authentication
+				 */
+				auth_level = -1;
+			} else {
+				warnx("unknown authorization level for -a");
+			}
+			break;
+#endif	/* AUTHENTICATION */
+
+#ifdef BFTPDAEMON
+		case 'B':
+			bftpd++;
+			break;
+#endif /* BFTPDAEMON */
+
+		case 'd':
+			if (strcmp(optarg, "ebug") == 0) {
+				debug++;
+				break;
+			}
+			usage();
+			/* NOTREACHED */
+			break;
+
+#ifdef DIAGNOSTICS
+		case 'D':
+			/*
+			 * Check for desired diagnostics capabilities.
+			 */
+			if (!strcmp(optarg, "report")) {
+				diagnostic |= TD_REPORT|TD_OPTIONS;
+			} else if (!strcmp(optarg, "exercise")) {
+				diagnostic |= TD_EXERCISE;
+			} else if (!strcmp(optarg, "netdata")) {
+				diagnostic |= TD_NETDATA;
+			} else if (!strcmp(optarg, "ptydata")) {
+				diagnostic |= TD_PTYDATA;
+			} else if (!strcmp(optarg, "options")) {
+				diagnostic |= TD_OPTIONS;
+			} else {
+				usage();
+				/* NOT REACHED */
+			}
+			break;
+#endif /* DIAGNOSTICS */
+
+#ifdef	ENCRYPTION
+		case 'e':
+			if (strcmp(optarg, "debug") == 0) {
+				extern int encrypt_debug_mode;
+				encrypt_debug_mode = 1;
+				break;
+			}
+			usage();
+			/* NOTREACHED */
+			break;
+#endif	/* ENCRYPTION */
+
+		case 'h':
+			hostinfo = 0;
+			break;
+
+#if	defined(CRAY) && defined(NEWINIT)
+		case 'I':
+		    {
+			extern char *gen_id;
+			gen_id = optarg;
+			break;
+		    }
+#endif	/* defined(CRAY) && defined(NEWINIT) */
+
+#ifdef	LINEMODE
+		case 'l':
+			alwayslinemode = 1;
+			break;
+#endif	/* LINEMODE */
+
+		case 'k':
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			lmodetype = NO_AUTOKLUDGE;
+#else
+			/* ignore -k option if built without kludge linemode */
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			break;
+
+		case 'n':
+			keepalive = 0;
+			break;
+
+		case 'p':
+			altlogin = optarg;
+			break;
+
+#ifdef CRAY
+		case 'r':
+		    {
+			char *strchr();
+			char *c;
+
+			/*
+			 * Allow the specification of alterations
+			 * to the pty search range.  It is legal to
+			 * specify only one, and not change the
+			 * other from its default.
+			 */
+			c = strchr(optarg, '-');
+			if (c) {
+				*c++ = '\0';
+				highpty = atoi(c);
+			}
+			if (*optarg != '\0')
+				lowpty = atoi(optarg);
+			if ((lowpty > highpty) || (lowpty < 0) ||
+							(highpty > 32767)) {
+				usage();
+				/* NOT REACHED */
+			}
+			break;
+		    }
+#endif	/* CRAY */
+
+#ifdef	SecurID
+		case 's':
+			/* SecurID required */
+			require_SecurID = 1;
+			break;
+#endif	/* SecurID */
+		case 'S':
+#ifdef	HAS_GETTOS
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				warnx("%s%s%s",
+					"bad TOS argument '", optarg,
+					"'; will try to use default TOS");
+#else
+			warnx("TOS option unavailable; -S flag not supported");
+#endif
+			break;
+
+		case 'u':
+			utmp_len = atoi(optarg);
+			if (utmp_len < 0)
+				utmp_len = -utmp_len;
+			if (utmp_len >= sizeof(remote_hostname))
+				utmp_len = sizeof(remote_hostname) - 1;
+			break;
+
+		case 'U':
+			registerd_host_only = 1;
+			break;
+
+#ifdef	AUTHENTICATION
+		case 'X':
+			/*
+			 * Check for invalid authentication types
+			 */
+			auth_disable_name(optarg);
+			break;
+#endif	/* AUTHENTICATION */
+
+		case '4':
+			family = AF_INET;
+			break;
+
+#ifdef INET6
+		case '6':
+			family = AF_INET6;
+			break;
+#endif
+
+		default:
+			warnx("%c: unknown option", ch);
+			/* FALLTHROUGH */
+		case '?':
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (debug) {
+	    int s, ns, foo, error;
+	    char *service = "telnet";
+	    struct addrinfo hints, *res;
+
+	    if (argc > 1) {
+		usage();
+		/* NOT REACHED */
+	    } else if (argc == 1)
+		service = *argv;
+
+	    memset(&hints, 0, sizeof(hints));
+	    hints.ai_flags = AI_PASSIVE;
+	    hints.ai_family = family;
+	    hints.ai_socktype = SOCK_STREAM;
+	    hints.ai_protocol = 0;
+	    error = getaddrinfo(NULL, service, &hints, &res);
+
+	    if (error) {
+		errx(1, "tcp/%s: %s\n", service, gai_strerror(error));
+		if (error == EAI_SYSTEM)
+		    errx(1, "tcp/%s: %s\n", service, strerror(errno));
+		usage();
+	    }
+
+	    s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+	    if (s < 0)
+		    err(1, "socket");
+	    (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+				(char *)&on, sizeof(on));
+	    if (bind(s, res->ai_addr, res->ai_addrlen) < 0)
+		err(1, "bind");
+	    if (listen(s, 1) < 0)
+		err(1, "listen");
+	    foo = res->ai_addrlen;
+	    ns = accept(s, res->ai_addr, &foo);
+	    if (ns < 0)
+		err(1, "accept");
+	    (void) dup2(ns, 0);
+	    (void) close(ns);
+	    (void) close(s);
+#ifdef convex
+	} else if (argc == 1) {
+		; /* VOID*/		/* Just ignore the host/port name */
+#endif
+	} else if (argc > 0) {
+		usage();
+		/* NOT REACHED */
+	}
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	secflag = sysconf(_SC_CRAY_SECURE_SYS);
+
+	/*
+	 *	Get socket's security label
+	 */
+	if (secflag)  {
+		int szss = sizeof(ss);
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+		int sock_multi;
+		int szi = sizeof(int);
+#endif /* SO_SEC_MULTI */
+
+		memset((char *)&dv, 0, sizeof(dv));
+
+		if (getsysv(&sysv, sizeof(struct sysv)) != 0)
+			err(1, "getsysv");
+
+		/*
+		 *	Get socket security label and set device values
+		 *	   {security label to be set on ttyp device}
+		 */
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+		if ((getsockopt(0, SOL_SOCKET, SO_SECURITY,
+			       (char *)&ss, &szss) < 0) ||
+		    (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI,
+				(char *)&sock_multi, &szi) < 0)) {
+			err(1, "getsockopt");
+		} else {
+			dv.dv_actlvl = ss.ss_actlabel.lt_level;
+			dv.dv_actcmp = ss.ss_actlabel.lt_compart;
+			if (!sock_multi) {
+				dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl;
+				dv.dv_valcmp = dv.dv_actcmp;
+			} else {
+				dv.dv_minlvl = ss.ss_minlabel.lt_level;
+				dv.dv_maxlvl = ss.ss_maxlabel.lt_level;
+				dv.dv_valcmp = ss.ss_maxlabel.lt_compart;
+			}
+			dv.dv_devflg = 0;
+		}
+#else /* SO_SEC_MULTI */		/* 7.0 code */
+		if (getsockopt(0, SOL_SOCKET, SO_SECURITY,
+				(char *)&ss, &szss) >= 0) {
+			dv.dv_actlvl = ss.ss_slevel;
+			dv.dv_actcmp = ss.ss_compart;
+			dv.dv_minlvl = ss.ss_minlvl;
+			dv.dv_maxlvl = ss.ss_maxlvl;
+			dv.dv_valcmp = ss.ss_maxcmp;
+		}
+#endif /* SO_SEC_MULTI */
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+	fromlen = sizeof (from);
+	if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+		warn("getpeername");
+		_exit(1);
+	}
+	if (keepalive &&
+	    setsockopt(0, SOL_SOCKET, SO_KEEPALIVE,
+			(char *)&on, sizeof (on)) < 0) {
+		syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+	}
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	if (from.ss_family == AF_INET) {
+# if	defined(HAS_GETTOS)
+		struct tosent *tp;
+		if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+			tos = tp->t_tos;
+# endif
+		if (tos < 0)
+			tos = 020;	/* Low Delay bit */
+		if (tos
+		   && (setsockopt(0, IPPROTO_IP, IP_TOS,
+				  (char *)&tos, sizeof(tos)) < 0)
+		   && (errno != ENOPROTOOPT) )
+			syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+	}
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+	net = 0;
+	doit((struct sockaddr *)&from);
+	/* NOTREACHED */
+	return(0);
+}  /* end of main */
+
+	void
+usage()
+{
+	fprintf(stderr, "usage: telnetd");
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-a (debug|other|user|valid|off|none)]\n\t");
+#endif
+#ifdef BFTPDAEMON
+	fprintf(stderr, " [-B]");
+#endif
+	fprintf(stderr, " [-debug]");
+#ifdef DIAGNOSTICS
+	fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-edebug]");
+#endif
+	fprintf(stderr, " [-h]");
+#if	defined(CRAY) && defined(NEWINIT)
+	fprintf(stderr, " [-Iinitid]");
+#endif
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+	fprintf(stderr, " [-k]");
+#endif
+#ifdef LINEMODE
+	fprintf(stderr, " [-l]");
+#endif
+	fprintf(stderr, " [-n]");
+#ifdef	CRAY
+	fprintf(stderr, " [-r[lowpty]-[highpty]]");
+#endif
+	fprintf(stderr, "\n\t");
+#ifdef	SecurID
+	fprintf(stderr, " [-s]");
+#endif
+#ifdef	HAS_GETTOS
+	fprintf(stderr, " [-S tos]");
+#endif
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-X auth-type]");
+#endif
+	fprintf(stderr, " [-u utmp_hostname_length] [-U]");
+	fprintf(stderr, " [port]\n");
+	exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *	Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+static unsigned char ttytype_sbbuf[] = {
+	IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE
+};
+
+    int
+getterminaltype(name)
+    char *name;
+{
+    int retval = -1;
+    void _gettermname();
+
+    settimer(baseline);
+#if	defined(AUTHENTICATION)
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	retval = auth_wait(name);
+    }
+#endif
+
+#ifdef	ENCRYPTION
+    send_will(TELOPT_ENCRYPT, 1);
+#endif	/* ENCRYPTION */
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_NEW_ENVIRON, 1);
+    send_do(TELOPT_OLD_ENVIRON, 1);
+    while (
+#ifdef	ENCRYPTION
+	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif	/* ENCRYPTION */
+	   his_will_wont_is_changing(TELOPT_TTYPE) ||
+	   his_will_wont_is_changing(TELOPT_TSPEED) ||
+	   his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+	   his_will_wont_is_changing(TELOPT_NEW_ENVIRON) ||
+	   his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
+	ttloop();
+    }
+#ifdef	ENCRYPTION
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+	encrypt_wait();
+    }
+#endif	/* ENCRYPTION */
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
+
+	memmove(nfrontp, sb, sizeof sb);
+	nfrontp += sizeof sb;
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
+
+	memmove(nfrontp, sb, sizeof sb);
+	nfrontp += sizeof sb;
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	memmove(nfrontp, sb, sizeof sb);
+	nfrontp += sizeof sb;
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	memmove(nfrontp, sb, sizeof sb);
+	nfrontp += sizeof sb;
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+
+	memmove(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
+	nfrontp += sizeof ttytype_sbbuf;
+	DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+					sizeof ttytype_sbbuf - 2););
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	while (sequenceIs(tspeedsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	while (sequenceIs(xdisplocsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	while (sequenceIs(environsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	while (sequenceIs(oenvironsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+	char first[256], last[256];
+
+	while (sequenceIs(ttypesubopt, baseline))
+	    ttloop();
+
+	/*
+	 * If the other side has already disabled the option, then
+	 * we have to just go with what we (might) have already gotten.
+	 */
+	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+	    (void) strncpy(first, terminaltype, sizeof(first)-1);
+	    first[sizeof(first)-1] = '\0';
+	    for(;;) {
+		/*
+		 * Save the unknown name, and request the next name.
+		 */
+		(void) strncpy(last, terminaltype, sizeof(last)-1);
+		last[sizeof(last)-1] = '\0';
+		_gettermname();
+		if (terminaltypeok(terminaltype))
+		    break;
+		if ((strncmp(last, terminaltype, sizeof(last)) == 0) ||
+		    his_state_is_wont(TELOPT_TTYPE)) {
+		    /*
+		     * We've hit the end.  If this is the same as
+		     * the first name, just go with it.
+		     */
+		    if (strncmp(first, terminaltype, sizeof(first)) == 0)
+			break;
+		    /*
+		     * Get the terminal name one more time, so that
+		     * RFC1091 compliant telnets will cycle back to
+		     * the start of the list.
+		     */
+		     _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0) {
+			(void) strncpy(terminaltype, first, sizeof(terminaltype)-1);
+			terminaltype[sizeof(terminaltype)-1] = '\0';
+		    }
+		    break;
+		}
+	    }
+	}
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+    void
+_gettermname()
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+	return;
+    settimer(baseline);
+    memmove(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
+    nfrontp += sizeof ttytype_sbbuf;
+    DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+					sizeof ttytype_sbbuf - 2););
+    while (sequenceIs(ttypesubopt, baseline))
+	ttloop();
+}
+
+    int
+terminaltypeok(s)
+    char *s;
+{
+    char buf[1024];
+
+    if (terminaltype == NULL)
+	return(1);
+
+    /*
+     * tgetent() will return 1 if the type is known, and
+     * 0 if it is not known.  If it returns -1, it couldn't
+     * open the database.  But if we can't open the database,
+     * it won't help to say we failed, because we won't be
+     * able to verify anything else.  So, we treat -1 like 1.
+     */
+    if (tgetent(buf, s) == 0)
+	return(0);
+    return(1);
+}
+
+#ifndef	MAXHOSTNAMELEN
+#define	MAXHOSTNAMELEN 64
+#endif	/* MAXHOSTNAMELEN */
+
+char *hostname;
+char host_name[MAXHOSTNAMELEN];
+
+extern void telnet P((int, int, char *));
+
+int level;
+char user_name[256];
+/*
+ * Get a pty, scan input lines.
+ */
+	void
+doit(who)
+	struct sockaddr *who;
+{
+	int err;
+	int ptynum;
+
+	/*
+	 * Find an available pty to use.
+	 */
+#ifndef	convex
+	pty = getpty(&ptynum);
+	if (pty < 0)
+		fatal(net, "All network ports in use");
+#else
+	for (;;) {
+		char *lp;
+		extern char *line, *getpty();
+
+		if ((lp = getpty()) == NULL)
+			fatal(net, "Out of ptys");
+
+		if ((pty = open(lp, 2)) >= 0) {
+			strcpy(line,lp);
+			line[5] = 't';
+			break;
+		}
+	}
+#endif
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	/*
+	 *	set ttyp line security label
+	 */
+	if (secflag) {
+		char slave_dev[16];
+
+		sprintf(tty_dev, "/dev/pty/%03d", ptynum);
+		if (setdevs(tty_dev, &dv) < 0)
+		 	fatal(net, "cannot set pty security");
+		sprintf(slave_dev, "/dev/ttyp%03d", ptynum);
+		if (setdevs(slave_dev, &dv) < 0)
+		 	fatal(net, "cannot set tty security");
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	/* get name of connected client */
+	if (realhostname_sa(remote_hostname, sizeof(remote_hostname) - 1,
+	    who, who->sa_len) == HOSTNAME_INVALIDADDR && registerd_host_only)
+		fatal(net, "Couldn't resolve your address into a host name.\r\n\
+	 Please contact your net administrator");
+	remote_hostname[sizeof(remote_hostname) - 1] = '\0';
+
+	trimdomain(remote_hostname, UT_HOSTSIZE);
+	if (!isdigit(remote_hostname[0]) && strlen(remote_hostname) > utmp_len)
+		err = getnameinfo(who, who->sa_len, remote_hostname,
+				  sizeof(remote_hostname), NULL, 0,
+				  NI_NUMERICHOST|NI_WITHSCOPEID);
+		/* XXX: do 'err' check */
+
+	(void) gethostname(host_name, sizeof(host_name) - 1);
+	host_name[sizeof(host_name) - 1] = '\0';
+	hostname = host_name;
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_init(hostname, remote_hostname, "TELNETD", 1);
+#endif
+
+	init_env();
+	/*
+	 * get terminal type.
+	 */
+	*user_name = 0;
+	level = getterminaltype(user_name);
+	setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	if (secflag) {
+		if (setulvl(dv.dv_actlvl) < 0)
+			fatal(net,"cannot setulvl()");
+		if (setucmp(dv.dv_actcmp) < 0)
+			fatal(net, "cannot setucmp()");
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	telnet(net, pty, remote_hostname);	/* begin server process */
+
+	/*NOTREACHED*/
+}  /* end of doit */
+
+#if	defined(CRAY2) && defined(UNICOS5) && defined(UNICOS50)
+	int
+Xterm_output(ibufp, obuf, icountp, ocount)
+	char **ibufp, *obuf;
+	int *icountp, ocount;
+{
+	int ret;
+	ret = term_output(*ibufp, obuf, *icountp, ocount);
+	*ibufp += *icountp;
+	*icountp = 0;
+	return(ret);
+}
+#define	term_output	Xterm_output
+#endif	/* defined(CRAY2) && defined(UNICOS5) && defined(UNICOS50) */
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+	void
+telnet(f, p, host)
+	int f, p;
+	char *host;
+{
+	int on = 1;
+#define	TABBUFSIZ	512
+	char	defent[TABBUFSIZ];
+	char	defstrs[TABBUFSIZ];
+#undef	TABBUFSIZ
+	char *HE;
+	char *HN;
+	char *IM;
+	void netflush();
+	int nfd;
+
+	/*
+	 * Initialize the slc mapping table.
+	 */
+	get_slc_defaults();
+
+	/*
+	 * Do some tests where it is desireable to wait for a response.
+	 * Rather than doing them slowly, one at a time, do them all
+	 * at once.
+	 */
+	if (my_state_is_wont(TELOPT_SGA))
+		send_will(TELOPT_SGA, 1);
+	/*
+	 * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+	 * because 4.2 clients are unable to deal with TCP urgent data.
+	 *
+	 * To find out, we send out a "DO ECHO".  If the remote system
+	 * answers "WILL ECHO" it is probably a 4.2 client, and we note
+	 * that fact ("WILL ECHO" ==> that the client will echo what
+	 * WE, the server, sends it; it does NOT mean that the client will
+	 * echo the terminal input).
+	 */
+	send_do(TELOPT_ECHO, 1);
+
+#ifdef	LINEMODE
+	if (his_state_is_wont(TELOPT_LINEMODE)) {
+		/* Query the peer for linemode support by trying to negotiate
+		 * the linemode option.
+		 */
+		linemode = 0;
+		editmode = 0;
+		send_do(TELOPT_LINEMODE, 1);  /* send do linemode */
+	}
+#endif	/* LINEMODE */
+
+	/*
+	 * Send along a couple of other options that we wish to negotiate.
+	 */
+	send_do(TELOPT_NAWS, 1);
+	send_will(TELOPT_STATUS, 1);
+	flowmode = 1;		/* default flow control state */
+	restartany = -1;	/* uninitialized... */
+	send_do(TELOPT_LFLOW, 1);
+
+	/*
+	 * Spin, waiting for a response from the DO ECHO.  However,
+	 * some REALLY DUMB telnets out there might not respond
+	 * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+	 * telnets so far seem to respond with WONT for a DO that
+	 * they don't understand...) because by the time we get the
+	 * response, it will already have processed the DO ECHO.
+	 * Kludge upon kludge.
+	 */
+	while (his_will_wont_is_changing(TELOPT_NAWS))
+		ttloop();
+
+	/*
+	 * But...
+	 * The client might have sent a WILL NAWS as part of its
+	 * startup code; if so, we'll be here before we get the
+	 * response to the DO ECHO.  We'll make the assumption
+	 * that any implementation that understands about NAWS
+	 * is a modern enough implementation that it will respond
+	 * to our DO ECHO request; hence we'll do another spin
+	 * waiting for the ECHO option to settle down, which is
+	 * what we wanted to do in the first place...
+	 */
+	if (his_want_state_is_will(TELOPT_ECHO) &&
+	    his_state_is_will(TELOPT_NAWS)) {
+		while (his_will_wont_is_changing(TELOPT_ECHO))
+			ttloop();
+	}
+	/*
+	 * On the off chance that the telnet client is broken and does not
+	 * respond to the DO ECHO we sent, (after all, we did send the
+	 * DO NAWS negotiation after the DO ECHO, and we won't get here
+	 * until a response to the DO NAWS comes back) simulate the
+	 * receipt of a will echo.  This will also send a WONT ECHO
+	 * to the client, since we assume that the client failed to
+	 * respond because it believes that it is already in DO ECHO
+	 * mode, which we do not want.
+	 */
+	if (his_want_state_is_will(TELOPT_ECHO)) {
+		DIAG(TD_OPTIONS,
+			{sprintf(nfrontp, "td: simulating recv\r\n");
+			 nfrontp += strlen(nfrontp);});
+		willoption(TELOPT_ECHO);
+	}
+
+	/*
+	 * Finally, to clean things up, we turn on our echo.  This
+	 * will break stupid 4.2 telnets out of local terminal echo.
+	 */
+
+	if (my_state_is_wont(TELOPT_ECHO))
+		send_will(TELOPT_ECHO, 1);
+
+#ifndef	STREAMSPTY
+	/*
+	 * Turn on packet mode
+	 */
+	(void) ioctl(p, TIOCPKT, (char *)&on);
+#endif
+
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+	/*
+	 * Continuing line mode support.  If client does not support
+	 * real linemode, attempt to negotiate kludge linemode by sending
+	 * the do timing mark sequence.
+	 */
+	if (lmodetype < REAL_LINEMODE)
+		send_do(TELOPT_TM, 1);
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+	/*
+	 * Call telrcv() once to pick up anything received during
+	 * terminal type negotiation, 4.2/4.3 determination, and
+	 * linemode negotiation.
+	 */
+	telrcv();
+
+	(void) ioctl(f, FIONBIO, (char *)&on);
+	(void) ioctl(p, FIONBIO, (char *)&on);
+#if	defined(CRAY2) && defined(UNICOS5)
+	init_termdriver(f, p, interrupt, sendbrk);
+#endif
+
+#if	defined(SO_OOBINLINE)
+	(void) setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
+				(char *)&on, sizeof on);
+#endif	/* defined(SO_OOBINLINE) */
+
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef	SIGTTOU
+	/*
+	 * Ignoring SIGTTOU keeps the kernel from blocking us
+	 * in ttioct() in /sys/tty.c.
+	 */
+	(void) signal(SIGTTOU, SIG_IGN);
+#endif
+
+	(void) signal(SIGCHLD, cleanup);
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Cray-2 will send a signal when pty modes are changed by slave
+	 * side.  Set up signal handler now.
+	 */
+	if ((int)signal(SIGUSR1, termstat) < 0)
+		warn("signal");
+	else if (ioctl(p, TCSIGME, (char *)SIGUSR1) < 0)
+		warn("ioctl:TCSIGME");
+	/*
+	 * Make processing loop check terminal characteristics early on.
+	 */
+	termstat();
+#endif
+
+#ifdef  TIOCNOTTY
+	{
+		register int t;
+		t = open(_PATH_TTY, O_RDWR);
+		if (t >= 0) {
+			(void) ioctl(t, TIOCNOTTY, (char *)0);
+			(void) close(t);
+		}
+	}
+#endif
+
+#if	defined(CRAY) && defined(NEWINIT) && defined(TIOCSCTTY)
+	(void) setsid();
+	ioctl(p, TIOCSCTTY, 0);
+#endif
+
+	/*
+	 * Show banner that getty never gave.
+	 *
+	 * We put the banner in the pty input buffer.  This way, it
+	 * gets carriage return null processing, etc., just like all
+	 * other pty --> client data.
+	 */
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+	if (getenv("USER"))
+		hostinfo = 0;
+#endif
+
+	if (getent(defent, "default") == 1) {
+		char *Getstr();
+		char *cp=defstrs;
+
+		HE = Getstr("he", &cp);
+		HN = Getstr("hn", &cp);
+		IM = Getstr("im", &cp);
+		if (HN && *HN)
+			(void) strcpy(host_name, HN);
+		if (IM == 0)
+			IM = "";
+	} else {
+		IM = DEFAULT_IM;
+		HE = 0;
+	}
+	edithost(HE, host_name);
+	if (hostinfo && *IM)
+		putf(IM, ptyibuf2);
+
+	if (pcc)
+		(void) strncat(ptyibuf2, ptyip, pcc+1);
+	ptyip = ptyibuf2;
+	pcc = strlen(ptyip);
+#ifdef	LINEMODE
+	/*
+	 * Last check to make sure all our states are correct.
+	 */
+	init_termbuf();
+	localstat();
+#endif	/* LINEMODE */
+
+	DIAG(TD_REPORT,
+		{sprintf(nfrontp, "td: Entering processing loop\r\n");
+		 nfrontp += strlen(nfrontp);});
+
+	/*
+	 * Startup the login process on the slave side of the terminal
+	 * now.  We delay this until here to insure option negotiation
+	 * is complete.
+	 */
+	startslave(host, level, user_name);
+
+	nfd = ((f > p) ? f : p) + 1;
+	for (;;) {
+		fd_set ibits, obits, xbits;
+		register int c;
+
+		if (ncc < 0 && pcc < 0)
+			break;
+
+#if	defined(CRAY2) && defined(UNICOS5)
+		if (needtermstat)
+			_termstat();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+		FD_ZERO(&ibits);
+		FD_ZERO(&obits);
+		FD_ZERO(&xbits);
+		/*
+		 * Never look for input if there's still
+		 * stuff in the corresponding output buffer
+		 */
+		if (nfrontp - nbackp || pcc > 0) {
+			FD_SET(f, &obits);
+		} else {
+			FD_SET(p, &ibits);
+		}
+		if (pfrontp - pbackp || ncc > 0) {
+			FD_SET(p, &obits);
+		} else {
+			FD_SET(f, &ibits);
+		}
+		if (!SYNCHing) {
+			FD_SET(f, &xbits);
+		}
+		if ((c = select(nfd, &ibits, &obits, &xbits,
+						(struct timeval *)0)) < 1) {
+			if (c == -1) {
+				if (errno == EINTR) {
+					continue;
+				}
+			}
+			sleep(5);
+			continue;
+		}
+
+		/*
+		 * Any urgent data?
+		 */
+		if (FD_ISSET(net, &xbits)) {
+		    SYNCHing = 1;
+		}
+
+		/*
+		 * Something to read from the network...
+		 */
+		if (FD_ISSET(net, &ibits)) {
+#if	!defined(SO_OOBINLINE)
+			/*
+			 * In 4.2 (and 4.3 beta) systems, the
+			 * OOB indication and data handling in the kernel
+			 * is such that if two separate TCP Urgent requests
+			 * come in, one byte of TCP data will be overlaid.
+			 * This is fatal for Telnet, but we try to live
+			 * with it.
+			 *
+			 * In addition, in 4.2 (and...), a special protocol
+			 * is needed to pick up the TCP Urgent data in
+			 * the correct sequence.
+			 *
+			 * What we do is:  if we think we are in urgent
+			 * mode, we look to see if we are "at the mark".
+			 * If we are, we do an OOB receive.  If we run
+			 * this twice, we will do the OOB receive twice,
+			 * but the second will fail, since the second
+			 * time we were "at the mark", but there wasn't
+			 * any data there (the kernel doesn't reset
+			 * "at the mark" until we do a normal read).
+			 * Once we've read the OOB data, we go ahead
+			 * and do normal reads.
+			 *
+			 * There is also another problem, which is that
+			 * since the OOB byte we read doesn't put us
+			 * out of OOB state, and since that byte is most
+			 * likely the TELNET DM (data mark), we would
+			 * stay in the TELNET SYNCH (SYNCHing) state.
+			 * So, clocks to the rescue.  If we've "just"
+			 * received a DM, then we test for the
+			 * presence of OOB data when the receive OOB
+			 * fails (and AFTER we did the normal mode read
+			 * to clear "at the mark").
+			 */
+		    if (SYNCHing) {
+			int atmark;
+
+			(void) ioctl(net, SIOCATMARK, (char *)&atmark);
+			if (atmark) {
+			    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+			    if ((ncc == -1) && (errno == EINVAL)) {
+				ncc = read(net, netibuf, sizeof (netibuf));
+				if (sequenceIs(didnetreceive, gotDM)) {
+				    SYNCHing = stilloob(net);
+				}
+			    }
+			} else {
+			    ncc = read(net, netibuf, sizeof (netibuf));
+			}
+		    } else {
+			ncc = read(net, netibuf, sizeof (netibuf));
+		    }
+		    settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE)) */
+		    ncc = read(net, netibuf, sizeof (netibuf));
+#endif	/* !defined(SO_OOBINLINE)) */
+		    if (ncc < 0 && errno == EWOULDBLOCK)
+			ncc = 0;
+		    else {
+			if (ncc <= 0) {
+			    break;
+			}
+			netip = netibuf;
+		    }
+		    DIAG((TD_REPORT | TD_NETDATA),
+			    {sprintf(nfrontp, "td: netread %d chars\r\n", ncc);
+			     nfrontp += strlen(nfrontp);});
+		    DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+		}
+
+		/*
+		 * Something to read from the pty...
+		 */
+		if (FD_ISSET(p, &ibits)) {
+#ifndef	STREAMSPTY
+			pcc = read(p, ptyibuf, BUFSIZ);
+#else
+			pcc = readstream(p, ptyibuf, BUFSIZ);
+#endif
+			/*
+			 * On some systems, if we try to read something
+			 * off the master side before the slave side is
+			 * opened, we get EIO.
+			 */
+			if (pcc < 0 && (errno == EWOULDBLOCK ||
+#ifdef	EAGAIN
+					errno == EAGAIN ||
+#endif
+					errno == EIO)) {
+				pcc = 0;
+			} else {
+				if (pcc <= 0)
+					break;
+#if	!defined(CRAY2) || !defined(UNICOS5)
+#ifdef	LINEMODE
+				/*
+				 * If ioctl from pty, pass it through net
+				 */
+				if (ptyibuf[0] & TIOCPKT_IOCTL) {
+					copy_termbuf(ptyibuf+1, pcc-1);
+					localstat();
+					pcc = 1;
+				}
+#endif	/* LINEMODE */
+				if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+					netclear();	/* clear buffer back */
+#ifndef	NO_URGENT
+					/*
+					 * There are client telnets on some
+					 * operating systems get screwed up
+					 * royally if we send them urgent
+					 * mode data.
+					 */
+					*nfrontp++ = IAC;
+					*nfrontp++ = DM;
+					neturg = nfrontp-1; /* off by one XXX */
+					DIAG(TD_OPTIONS,
+					    printoption("td: send IAC", DM));
+
+#endif
+				}
+				if (his_state_is_will(TELOPT_LFLOW) &&
+				    (ptyibuf[0] &
+				     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+					int newflow =
+					    ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
+					if (newflow != flowmode) {
+						flowmode = newflow;
+						(void) sprintf(nfrontp,
+							"%c%c%c%c%c%c",
+							IAC, SB, TELOPT_LFLOW,
+							flowmode ? LFLOW_ON
+								 : LFLOW_OFF,
+							IAC, SE);
+						nfrontp += 6;
+						DIAG(TD_OPTIONS, printsub('>',
+						    (unsigned char *)nfrontp-4,
+						    4););
+					}
+				}
+				pcc--;
+				ptyip = ptyibuf+1;
+#else	/* defined(CRAY2) && defined(UNICOS5) */
+				if (!uselinemode) {
+					unpcc = pcc;
+					unptyip = ptyibuf;
+					pcc = term_output(&unptyip, ptyibuf2,
+								&unpcc, BUFSIZ);
+					ptyip = ptyibuf2;
+				} else
+					ptyip = ptyibuf;
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+			}
+		}
+
+		while (pcc > 0) {
+			if ((&netobuf[BUFSIZ] - nfrontp) < 2)
+				break;
+			c = *ptyip++ & 0377, pcc--;
+			if (c == IAC)
+				*nfrontp++ = c;
+#if	defined(CRAY2) && defined(UNICOS5)
+			else if (c == '\n' &&
+				     my_state_is_wont(TELOPT_BINARY) && newmap)
+				*nfrontp++ = '\r';
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+			*nfrontp++ = c;
+			if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
+				if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+					*nfrontp++ = *ptyip++ & 0377;
+					pcc--;
+				} else
+					*nfrontp++ = '\0';
+			}
+		}
+#if	defined(CRAY2) && defined(UNICOS5)
+		/*
+		 * If chars were left over from the terminal driver,
+		 * note their existence.
+		 */
+		if (!uselinemode && unpcc) {
+			pcc = unpcc;
+			unpcc = 0;
+			ptyip = unptyip;
+		}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+		if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+			netflush();
+		if (ncc > 0)
+			telrcv();
+		if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+			ptyflush();
+	}
+	cleanup(0);
+}  /* end of telnet */
+
+#ifndef	TCSIG
+# ifdef	TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+#ifdef	STREAMSPTY
+
+int flowison = -1;  /* current state of flow: -1 is unknown */
+
+int readstream(p, ibuf, bufsize)
+	int p;
+	char *ibuf;
+	int bufsize;
+{
+	int flags = 0;
+	int ret = 0;
+	struct termios *tsp;
+	struct termio *tp;
+	struct iocblk *ip;
+	char vstop, vstart;
+	int ixon;
+	int newflow;
+
+	strbufc.maxlen = BUFSIZ;
+	strbufc.buf = (char *)ctlbuf;
+	strbufd.maxlen = bufsize-1;
+	strbufd.len = 0;
+	strbufd.buf = ibuf+1;
+	ibuf[0] = 0;
+
+	ret = getmsg(p, &strbufc, &strbufd, &flags);
+	if (ret < 0)  /* error of some sort -- probably EAGAIN */
+		return(-1);
+
+	if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+		/* data message */
+		if (strbufd.len > 0) {			/* real data */
+			return(strbufd.len + 1);	/* count header char */
+		} else {
+			/* nothing there */
+			errno = EAGAIN;
+			return(-1);
+		}
+	}
+
+	/*
+	 * It's a control message.  Return 1, to look at the flag we set
+	 */
+
+	switch (ctlbuf[0]) {
+	case M_FLUSH:
+		if (ibuf[1] & FLUSHW)
+			ibuf[0] = TIOCPKT_FLUSHWRITE;
+		return(1);
+
+	case M_IOCTL:
+		ip = (struct iocblk *) (ibuf+1);
+
+		switch (ip->ioc_cmd) {
+		case TCSETS:
+		case TCSETSW:
+		case TCSETSF:
+			tsp = (struct termios *)
+					(ibuf+1 + sizeof(struct iocblk));
+			vstop = tsp->c_cc[VSTOP];
+			vstart = tsp->c_cc[VSTART];
+			ixon = tsp->c_iflag & IXON;
+			break;
+		case TCSETA:
+		case TCSETAW:
+		case TCSETAF:
+			tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk));
+			vstop = tp->c_cc[VSTOP];
+			vstart = tp->c_cc[VSTART];
+			ixon = tp->c_iflag & IXON;
+			break;
+		default:
+			errno = EAGAIN;
+			return(-1);
+		}
+
+		newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+		if (newflow != flowison) {  /* it's a change */
+			flowison = newflow;
+			ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+			return(1);
+		}
+	}
+
+	/* nothing worth doing anything about */
+	errno = EAGAIN;
+	return(-1);
+}
+#endif /* STREAMSPTY */
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+	void
+interrupt()
+{
+	ptyflush();	/* half-hearted */
+
+#if defined(STREAMSPTY) && defined(TIOCSIGNAL)
+	/* Streams PTY style ioctl to post a signal */
+	{
+		int sig = SIGINT;
+		(void) ioctl(pty, TIOCSIGNAL, &sig);
+		(void) ioctl(pty, I_FLUSH, FLUSHR);
+	}
+#else
+#ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGINT);
+#else	/* TCSIG */
+	init_termbuf();
+	*pfrontp++ = slctab[SLC_IP].sptr ?
+			(unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif	/* TCSIG */
+#endif
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+	void
+sendbrk()
+{
+	ptyflush();	/* half-hearted */
+#ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGQUIT);
+#else	/* TCSIG */
+	init_termbuf();
+	*pfrontp++ = slctab[SLC_ABORT].sptr ?
+			(unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif	/* TCSIG */
+}
+
+	void
+sendsusp()
+{
+#ifdef	SIGTSTP
+	ptyflush();	/* half-hearted */
+# ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGTSTP);
+# else	/* TCSIG */
+	*pfrontp++ = slctab[SLC_SUSP].sptr ?
+			(unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif	/* TCSIG */
+#endif	/* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+	void
+recv_ayt()
+{
+#if	defined(SIGINFO) && defined(TCSIG)
+	if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+		(void) ioctl(pty, TCSIG, (char *)SIGINFO);
+		return;
+	}
+#endif
+	(void) strcpy(nfrontp, "\r\n[Yes]\r\n");
+	nfrontp += 9;
+}
+
+	void
+doeof()
+{
+	init_termbuf();
+
+#if	defined(LINEMODE) && defined(USE_TERMIO) && (VEOF == VMIN)
+	if (!tty_isediting()) {
+		extern char oldeofc;
+		*pfrontp++ = oldeofc;
+		return;
+	}
+#endif
+	*pfrontp++ = slctab[SLC_EOF].sptr ?
+			(unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/crypto/telnet/telnetd/telnetd.h b/crypto/telnet/telnetd/telnetd.h
new file mode 100644
index 0000000..234b973
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
+ */
+
+
+#include "defs.h"
+#include "ext.h"
+
+#ifdef	DIAGNOSTICS
+#define	DIAG(a,b)	if (diagnostic & (a)) b
+#else
+#define	DIAG(a,b)
+#endif
+
+/* other external variables */
+extern	char **environ;
+extern	int errno;
+
diff --git a/crypto/telnet/telnetd/termstat.c b/crypto/telnet/telnetd/termstat.c
new file mode 100644
index 0000000..46b20ff
--- /dev/null
+++ b/crypto/telnet/telnetd/termstat.c
@@ -0,0 +1,677 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)termstat.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef	TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+#ifdef	LINEMODE
+static int _terminit = 0;
+#endif	/* LINEMODE */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+int	newmap = 1;	/* nonzero if \n maps to ^M^J */
+#endif
+
+#ifdef	LINEMODE
+/*
+ * localstat
+ *
+ * This function handles all management of linemode.
+ *
+ * Linemode allows the client to do the local editing of data
+ * and send only complete lines to the server.  Linemode state is
+ * based on the state of the pty driver.  If the pty is set for
+ * external processing, then we can use linemode.  Further, if we
+ * can use real linemode, then we can look at the edit control bits
+ * in the pty to determine what editing the client should do.
+ *
+ * Linemode support uses the following state flags to keep track of
+ * current and desired linemode state.
+ *	alwayslinemode : true if -l was specified on the telnetd
+ * 	command line.  It means to have linemode on as much as
+ *	possible.
+ *
+ * 	lmodetype: signifies whether the client can
+ *	handle real linemode, or if use of kludgeomatic linemode
+ *	is preferred.  It will be set to one of the following:
+ *		REAL_LINEMODE : use linemode option
+ *		NO_KLUDGE : don't initiate kludge linemode.
+ *		KLUDGE_LINEMODE : use kludge linemode
+ *		NO_LINEMODE : client is ignorant of linemode
+ *
+ *	linemode, uselinemode : linemode is true if linemode
+ *	is currently on, uselinemode is the state that we wish
+ *	to be in.  If another function wishes to turn linemode
+ *	on or off, it sets or clears uselinemode.
+ *
+ *	editmode, useeditmode : like linemode/uselinemode, but
+ *	these contain the edit mode states (edit and trapsig).
+ *
+ * The state variables correspond to some of the state information
+ * in the pty.
+ *	linemode:
+ *		In real linemode, this corresponds to whether the pty
+ *		expects external processing of incoming data.
+ *		In kludge linemode, this more closely corresponds to the
+ *		whether normal processing is on or not.  (ICANON in
+ *		system V, or COOKED mode in BSD.)
+ *		If the -l option was specified (alwayslinemode), then
+ *		an attempt is made to force external processing on at
+ *		all times.
+ *
+ * The following heuristics are applied to determine linemode
+ * handling within the server.
+ *	1) Early on in starting up the server, an attempt is made
+ *	   to negotiate the linemode option.  If this succeeds
+ *	   then lmodetype is set to REAL_LINEMODE and all linemode
+ *	   processing occurs in the context of the linemode option.
+ *	2) If the attempt to negotiate the linemode option failed,
+ *	   and the "-k" (don't initiate kludge linemode) isn't set,
+ *	   then we try to use kludge linemode.  We test for this
+ *	   capability by sending "do Timing Mark".  If a positive
+ *	   response comes back, then we assume that the client
+ *	   understands kludge linemode (ech!) and the
+ *	   lmodetype flag is set to KLUDGE_LINEMODE.
+ *	3) Otherwise, linemode is not supported at all and
+ *	   lmodetype remains set to NO_LINEMODE (which happens
+ *	   to be 0 for convenience).
+ *	4) At any time a command arrives that implies a higher
+ *	   state of linemode support in the client, we move to that
+ *	   linemode support.
+ *
+ * A short explanation of kludge linemode is in order here.
+ *	1) The heuristic to determine support for kludge linemode
+ *	   is to send a do timing mark.  We assume that a client
+ *	   that supports timing marks also supports kludge linemode.
+ *	   A risky proposition at best.
+ *	2) Further negotiation of linemode is done by changing the
+ *	   the server's state regarding SGA.  If server will SGA,
+ *	   then linemode is off, if server won't SGA, then linemode
+ *	   is on.
+ */
+	void
+localstat()
+{
+	void netflush();
+	int need_will_echo = 0;
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Keep track of that ol' CR/NL mapping while we're in the
+	 * neighborhood.
+	 */
+	newmap = tty_isnewmap();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+	/*
+	 * Check for changes to flow control if client supports it.
+	 */
+	flowstat();
+
+	/*
+	 * Check linemode on/off state
+	 */
+	uselinemode = tty_linemode();
+
+	/*
+	 * If alwayslinemode is on, and pty is changing to turn it off, then
+	 * force linemode back on.
+	 */
+	if (alwayslinemode && linemode && !uselinemode) {
+		uselinemode = 1;
+		tty_setlinemode(uselinemode);
+	}
+
+	if (uselinemode) {
+		/*
+	 * Check for state of BINARY options.
+		 *
+		 * We only need to do the binary dance if we are actually going
+		 * to use linemode.  As this confuses some telnet clients
+		 * that don't support linemode, and doesn't gain us
+		 * anything, we don't do it unless we're doing linemode.
+		 * -Crh (henrich@msu.edu)
+	 */
+
+	if (tty_isbinaryin()) {
+		if (his_want_state_is_wont(TELOPT_BINARY))
+			send_do(TELOPT_BINARY, 1);
+	} else {
+		if (his_want_state_is_will(TELOPT_BINARY))
+			send_dont(TELOPT_BINARY, 1);
+	}
+
+	if (tty_isbinaryout()) {
+		if (my_want_state_is_wont(TELOPT_BINARY))
+			send_will(TELOPT_BINARY, 1);
+	} else {
+		if (my_want_state_is_will(TELOPT_BINARY))
+			send_wont(TELOPT_BINARY, 1);
+	}
+	}
+
+#ifdef	ENCRYPTION
+	/*
+	 * If the terminal is not echoing, but editing is enabled,
+	 * something like password input is going to happen, so
+	 * if we the other side is not currently sending encrypted
+	 * data, ask the other side to start encrypting.
+	 */
+	if (his_state_is_will(TELOPT_ENCRYPT)) {
+		static int enc_passwd = 0;
+		if (uselinemode && !tty_isecho() && tty_isediting()
+		    && (enc_passwd == 0) && !decrypt_input) {
+			encrypt_send_request_start();
+			enc_passwd = 1;
+		} else if (enc_passwd) {
+			encrypt_send_request_end();
+			enc_passwd = 0;
+		}
+	}
+#endif	/* ENCRYPTION */
+
+	/*
+	 * Do echo mode handling as soon as we know what the
+	 * linemode is going to be.
+	 * If the pty has echo turned off, then tell the client that
+	 * the server will echo.  If echo is on, then the server
+	 * will echo if in character mode, but in linemode the
+	 * client should do local echoing.  The state machine will
+	 * not send anything if it is unnecessary, so don't worry
+	 * about that here.
+	 *
+	 * If we need to send the WILL ECHO (because echo is off),
+	 * then delay that until after we have changed the MODE.
+	 * This way, when the user is turning off both editing
+	 * and echo, the client will get editing turned off first.
+	 * This keeps the client from going into encryption mode
+	 * and then right back out if it is doing auto-encryption
+	 * when passwords are being typed.
+	 */
+	if (uselinemode) {
+		if (tty_isecho())
+			send_wont(TELOPT_ECHO, 1);
+		else
+			need_will_echo = 1;
+#ifdef	KLUDGELINEMODE
+		if (lmodetype == KLUDGE_OK)
+			lmodetype = KLUDGE_LINEMODE;
+#endif
+	}
+
+	/*
+	 * If linemode is being turned off, send appropriate
+	 * command and then we're all done.
+	 */
+	 if (!uselinemode && linemode) {
+# ifdef	KLUDGELINEMODE
+		if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+			send_dont(TELOPT_LINEMODE, 1);
+# ifdef	KLUDGELINEMODE
+		} else if (lmodetype == KLUDGE_LINEMODE)
+			send_will(TELOPT_SGA, 1);
+# endif	/* KLUDGELINEMODE */
+		send_will(TELOPT_ECHO, 1);
+		linemode = uselinemode;
+		goto done;
+	}
+
+# ifdef	KLUDGELINEMODE
+	/*
+	 * If using real linemode check edit modes for possible later use.
+	 * If we are in kludge linemode, do the SGA negotiation.
+	 */
+	if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+		useeditmode = 0;
+		if (tty_isediting())
+			useeditmode |= MODE_EDIT;
+		if (tty_istrapsig())
+			useeditmode |= MODE_TRAPSIG;
+		if (tty_issofttab())
+			useeditmode |= MODE_SOFT_TAB;
+		if (tty_islitecho())
+			useeditmode |= MODE_LIT_ECHO;
+# ifdef	KLUDGELINEMODE
+	} else if (lmodetype == KLUDGE_LINEMODE) {
+		if (tty_isediting() && uselinemode)
+			send_wont(TELOPT_SGA, 1);
+		else
+			send_will(TELOPT_SGA, 1);
+	}
+# endif	/* KLUDGELINEMODE */
+
+	/*
+	 * Negotiate linemode on if pty state has changed to turn it on.
+	 * Send appropriate command and send along edit mode, then all done.
+	 */
+	if (uselinemode && !linemode) {
+# ifdef	KLUDGELINEMODE
+		if (lmodetype == KLUDGE_LINEMODE) {
+			send_wont(TELOPT_SGA, 1);
+		} else if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+			send_do(TELOPT_LINEMODE, 1);
+			/* send along edit modes */
+			(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+				TELOPT_LINEMODE, LM_MODE, useeditmode,
+				IAC, SE);
+			nfrontp += 7;
+			editmode = useeditmode;
+# ifdef	KLUDGELINEMODE
+		}
+# endif	/* KLUDGELINEMODE */
+		linemode = uselinemode;
+		goto done;
+	}
+
+# ifdef	KLUDGELINEMODE
+	/*
+	 * None of what follows is of any value if not using
+	 * real linemode.
+	 */
+	if (lmodetype < REAL_LINEMODE)
+		goto done;
+# endif	/* KLUDGELINEMODE */
+
+	if (linemode && his_state_is_will(TELOPT_LINEMODE)) {
+		/*
+		 * If edit mode changed, send edit mode.
+		 */
+		 if (useeditmode != editmode) {
+			/*
+			 * Send along appropriate edit mode mask.
+			 */
+			(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+				TELOPT_LINEMODE, LM_MODE, useeditmode,
+				IAC, SE);
+			nfrontp += 7;
+			editmode = useeditmode;
+		}
+
+
+		/*
+		 * Check for changes to special characters in use.
+		 */
+		start_slc(0);
+		check_slc();
+		(void) end_slc(0);
+	}
+
+done:
+	if (need_will_echo)
+		send_will(TELOPT_ECHO, 1);
+	/*
+	 * Some things should be deferred until after the pty state has
+	 * been set by the local process.  Do those things that have been
+	 * deferred now.  This only happens once.
+	 */
+	if (_terminit == 0) {
+		_terminit = 1;
+		defer_terminit();
+	}
+
+	netflush();
+	set_termbuf();
+	return;
+
+}  /* end of localstat */
+#endif	/* LINEMODE */
+
+/*
+ * flowstat
+ *
+ * Check for changes to flow control
+ */
+	void
+flowstat()
+{
+	if (his_state_is_will(TELOPT_LFLOW)) {
+		if (tty_flowmode() != flowmode) {
+			flowmode = tty_flowmode();
+			(void) sprintf(nfrontp, "%c%c%c%c%c%c",
+					IAC, SB, TELOPT_LFLOW,
+					flowmode ? LFLOW_ON : LFLOW_OFF,
+					IAC, SE);
+			nfrontp += 6;
+		}
+		if (tty_restartany() != restartany) {
+			restartany = tty_restartany();
+			(void) sprintf(nfrontp, "%c%c%c%c%c%c",
+					IAC, SB, TELOPT_LFLOW,
+					restartany ? LFLOW_RESTART_ANY
+						   : LFLOW_RESTART_XON,
+					IAC, SE);
+			nfrontp += 6;
+		}
+	}
+}
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+	void
+clientstat(code, parm1, parm2)
+	register int code, parm1, parm2;
+{
+	void netflush();
+
+	/*
+	 * Get a copy of terminal characteristics.
+	 */
+	init_termbuf();
+
+	/*
+	 * Process request from client. code tells what it is.
+	 */
+	switch (code) {
+#ifdef	LINEMODE
+	case TELOPT_LINEMODE:
+		/*
+		 * Don't do anything unless client is asking us to change
+		 * modes.
+		 */
+		uselinemode = (parm1 == WILL);
+		if (uselinemode != linemode) {
+# ifdef	KLUDGELINEMODE
+			/*
+			 * If using kludge linemode, make sure that
+			 * we can do what the client asks.
+			 * We can not turn off linemode if alwayslinemode
+			 * and the ICANON bit is set.
+			 */
+			if (lmodetype == KLUDGE_LINEMODE) {
+				if (alwayslinemode && tty_isediting()) {
+					uselinemode = 1;
+				}
+			}
+
+			/*
+			 * Quit now if we can't do it.
+			 */
+			if (uselinemode == linemode)
+				return;
+
+			/*
+			 * If using real linemode and linemode is being
+			 * turned on, send along the edit mode mask.
+			 */
+			if (lmodetype == REAL_LINEMODE && uselinemode)
+# else	/* KLUDGELINEMODE */
+			if (uselinemode)
+# endif	/* KLUDGELINEMODE */
+			{
+				useeditmode = 0;
+				if (tty_isediting())
+					useeditmode |= MODE_EDIT;
+				if (tty_istrapsig)
+					useeditmode |= MODE_TRAPSIG;
+				if (tty_issofttab())
+					useeditmode |= MODE_SOFT_TAB;
+				if (tty_islitecho())
+					useeditmode |= MODE_LIT_ECHO;
+				(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+					SB, TELOPT_LINEMODE, LM_MODE,
+							useeditmode, IAC, SE);
+				nfrontp += 7;
+				editmode = useeditmode;
+			}
+
+
+			tty_setlinemode(uselinemode);
+
+			linemode = uselinemode;
+
+			if (!linemode)
+				send_will(TELOPT_ECHO, 1);
+		}
+		break;
+
+	case LM_MODE:
+	    {
+		register int ack, changed;
+
+		/*
+		 * Client has sent along a mode mask.  If it agrees with
+		 * what we are currently doing, ignore it; if not, it could
+		 * be viewed as a request to change.  Note that the server
+		 * will change to the modes in an ack if it is different from
+		 * what we currently have, but we will not ack the ack.
+		 */
+		 useeditmode &= MODE_MASK;
+		 ack = (useeditmode & MODE_ACK);
+		 useeditmode &= ~MODE_ACK;
+
+		 if ((changed = (useeditmode ^ editmode))) {
+			/*
+			 * This check is for a timing problem.  If the
+			 * state of the tty has changed (due to the user
+			 * application) we need to process that info
+			 * before we write in the state contained in the
+			 * ack!!!  This gets out the new MODE request,
+			 * and when the ack to that command comes back
+			 * we'll set it and be in the right mode.
+			 */
+			if (ack)
+				localstat();
+			if (changed & MODE_EDIT)
+				tty_setedit(useeditmode & MODE_EDIT);
+
+			if (changed & MODE_TRAPSIG)
+				tty_setsig(useeditmode & MODE_TRAPSIG);
+
+			if (changed & MODE_SOFT_TAB)
+				tty_setsofttab(useeditmode & MODE_SOFT_TAB);
+
+			if (changed & MODE_LIT_ECHO)
+				tty_setlitecho(useeditmode & MODE_LIT_ECHO);
+
+			set_termbuf();
+
+ 			if (!ack) {
+ 				(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+					SB, TELOPT_LINEMODE, LM_MODE,
+ 					useeditmode|MODE_ACK,
+ 					IAC, SE);
+ 				nfrontp += 7;
+ 			}
+
+			editmode = useeditmode;
+		}
+
+		break;
+
+	    }  /* end of case LM_MODE */
+#endif	/* LINEMODE */
+
+	case TELOPT_NAWS:
+#ifdef	TIOCSWINSZ
+	    {
+		struct winsize ws;
+
+		def_col = parm1;
+		def_row = parm2;
+#ifdef	LINEMODE
+		/*
+		 * Defer changing window size until after terminal is
+		 * initialized.
+		 */
+		if (terminit() == 0)
+			return;
+#endif	/* LINEMODE */
+
+		/*
+		 * Change window size as requested by client.
+		 */
+
+		ws.ws_col = parm1;
+		ws.ws_row = parm2;
+		(void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+	    }
+#endif	/* TIOCSWINSZ */
+
+		break;
+
+	case TELOPT_TSPEED:
+	    {
+		def_tspeed = parm1;
+		def_rspeed = parm2;
+#ifdef	LINEMODE
+		/*
+		 * Defer changing the terminal speed.
+		 */
+		if (terminit() == 0)
+			return;
+#endif	/* LINEMODE */
+		/*
+		 * Change terminal speed as requested by client.
+		 * We set the receive speed first, so that if we can't
+		 * store seperate receive and transmit speeds, the transmit
+		 * speed will take precedence.
+		 */
+		tty_rspeed(parm2);
+		tty_tspeed(parm1);
+		set_termbuf();
+
+		break;
+
+	    }  /* end of case TELOPT_TSPEED */
+
+	default:
+		/* What? */
+		break;
+	}  /* end of switch */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Just in case of the likely event that we changed the pty state.
+	 */
+	rcv_ioctl();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+	netflush();
+
+}  /* end of clientstat */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	void
+termstat()
+{
+	needtermstat = 1;
+}
+
+	void
+_termstat()
+{
+	needtermstat = 0;
+	init_termbuf();
+	localstat();
+	rcv_ioctl();
+}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+#ifdef	LINEMODE
+/*
+ * defer_terminit
+ *
+ * Some things should not be done until after the login process has started
+ * and all the pty modes are set to what they are supposed to be.  This
+ * function is called when the pty state has been processed for the first time.
+ * It calls other functions that do things that were deferred in each module.
+ */
+	void
+defer_terminit()
+{
+
+	/*
+	 * local stuff that got deferred.
+	 */
+	if (def_tspeed != -1) {
+		clientstat(TELOPT_TSPEED, def_tspeed, def_rspeed);
+		def_tspeed = def_rspeed = 0;
+	}
+
+#ifdef	TIOCSWINSZ
+	if (def_col || def_row) {
+		struct winsize ws;
+
+		memset((char *)&ws, 0, sizeof(ws));
+		ws.ws_col = def_col;
+		ws.ws_row = def_row;
+		(void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+	}
+#endif
+
+	/*
+	 * The only other module that currently defers anything.
+	 */
+	deferslc();
+
+}  /* end of defer_terminit */
+
+/*
+ * terminit
+ *
+ * Returns true if the pty state has been processed yet.
+ */
+	int
+terminit()
+{
+	return(_terminit);
+
+}  /* end of terminit */
+#endif	/* LINEMODE */
diff --git a/crypto/telnet/telnetd/utility.c b/crypto/telnet/telnetd/utility.c
new file mode 100644
index 0000000..dc695fa
--- /dev/null
+++ b/crypto/telnet/telnetd/utility.c
@@ -0,0 +1,1246 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)utility.c	8.4 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#ifdef __FreeBSD__
+#include <locale.h>
+#include <sys/utsname.h>
+#endif
+#define PRINTOPTIONS
+#include "telnetd.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/*
+ * utility functions performing io related tasks
+ */
+
+/*
+ * ttloop
+ *
+ *	A small subroutine to flush the network output buffer, get some data
+ * from the network, and pass it through the telnet state machine.  We
+ * also flush the pty input buffer (by dropping its data) if it becomes
+ * too full.
+ */
+
+    void
+ttloop()
+{
+    void netflush();
+
+    DIAG(TD_REPORT, {sprintf(nfrontp, "td: ttloop\r\n");
+		     nfrontp += strlen(nfrontp);});
+    if (nfrontp-nbackp) {
+	netflush();
+    }
+    ncc = read(net, netibuf, sizeof netibuf);
+    if (ncc < 0) {
+	syslog(LOG_INFO, "ttloop:  read: %m");
+	exit(1);
+    } else if (ncc == 0) {
+	syslog(LOG_INFO, "ttloop:  peer died: %m");
+	exit(1);
+    }
+    DIAG(TD_REPORT, {sprintf(nfrontp, "td: ttloop read %d chars\r\n", ncc);
+		     nfrontp += strlen(nfrontp);});
+    netip = netibuf;
+    telrcv();			/* state machine */
+    if (ncc > 0) {
+	pfrontp = pbackp = ptyobuf;
+	telrcv();
+    }
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+    int
+stilloob(s)
+    int	s;		/* socket number */
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(s, &excepts);
+	memset((char *)&timeout, 0, sizeof timeout);
+	value = select(s+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	fatalperror(pty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+	void
+ptyflush()
+{
+	int n;
+
+	if ((n = pfrontp - pbackp) > 0) {
+		DIAG((TD_REPORT | TD_PTYDATA),
+			{ sprintf(nfrontp, "td: ptyflush %d chars\r\n", n);
+			  nfrontp += strlen(nfrontp); });
+		DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+		n = write(pty, pbackp, n);
+	}
+	if (n < 0) {
+		if (errno == EWOULDBLOCK || errno == EINTR)
+			return;
+		cleanup(0);
+	}
+	pbackp += n;
+	if (pbackp == pfrontp)
+		pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+    char *
+nextitem(current)
+    char	*current;
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:		/* loop forever looking for the SE */
+	{
+	    register char *look = current+2;
+
+	    for (;;) {
+		if ((*look++&0xff) == IAC) {
+		    if ((*look++&0xff) == SE) {
+			return look;
+		    }
+		}
+	    }
+	}
+    default:
+	return current+2;
+    }
+}  /* end of nextitem */
+
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+    void
+netclear()
+{
+    register char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#ifdef	ENCRYPTION
+    thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else	/* ENCRYPTION */
+    thisitem = netobuf;
+#endif	/* ENCRYPTION */
+
+    while ((next = nextitem(thisitem)) <= nbackp) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+#ifdef	ENCRYPTION
+    good = nclearto > netobuf ? nclearto : netobuf;
+#else	/* ENCRYPTION */
+    good = netobuf;	/* where the good bytes go */
+#endif	/* ENCRYPTION */
+
+    while (nfrontp > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+    nbackp = netobuf;
+    nfrontp = good;		/* next byte to be sent */
+    neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ */
+    void
+netflush()
+{
+    int n;
+    extern int not42;
+
+    if ((n = nfrontp - nbackp) > 0) {
+	DIAG(TD_REPORT,
+	    { sprintf(nfrontp, "td: netflush %d chars\r\n", n);
+	      n += strlen(nfrontp);  /* get count first */
+	      nfrontp += strlen(nfrontp);  /* then move pointer */
+	    });
+#ifdef	ENCRYPTION
+	if (encrypt_output) {
+		char *s = nclearto ? nclearto : nbackp;
+		if (nfrontp - s > 0) {
+			(*encrypt_output)((unsigned char *)s, nfrontp-s);
+			nclearto = nfrontp;
+		}
+	}
+#endif	/* ENCRYPTION */
+	/*
+	 * if no urgent data, or if the other side appears to be an
+	 * old 4.2 client (and thus unable to survive TCP urgent data),
+	 * write the entire buffer in non-OOB mode.
+	 */
+	if ((neturg == 0) || (not42 == 0)) {
+	    n = write(net, nbackp, n);	/* normal write */
+	} else {
+	    n = neturg - nbackp;
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    if (n > 1) {
+		n = send(net, nbackp, n-1, 0);	/* send URGENT all by itself */
+	    } else {
+		n = send(net, nbackp, n, MSG_OOB);	/* URGENT data */
+	    }
+	}
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+		return;
+	cleanup(0);
+    }
+    nbackp += n;
+#ifdef	ENCRYPTION
+    if (nbackp > nclearto)
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+    if (nbackp >= neturg) {
+	neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+	nbackp = nfrontp = netobuf;
+#ifdef	ENCRYPTION
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+    }
+    return;
+}  /* end of netflush */
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+	void
+writenet(ptr, len)
+	register unsigned char *ptr;
+	register int len;
+{
+	/* flush buffer if no room for new data) */
+	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
+		/* if this fails, don't worry, buffer is a little big */
+		netflush();
+	}
+
+	memmove(nfrontp, ptr, len);
+	nfrontp += len;
+
+}  /* end of writenet */
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+	void
+fatal(f, msg)
+	int f;
+	char *msg;
+{
+	char buf[BUFSIZ];
+
+	(void) sprintf(buf, "telnetd: %s.\r\n", msg);
+#ifdef	ENCRYPTION
+	if (encrypt_output) {
+		/*
+		 * Better turn off encryption first....
+		 * Hope it flushes...
+		 */
+		encrypt_send_end();
+		netflush();
+	}
+#endif	/* ENCRYPTION */
+	(void) write(f, buf, (int)strlen(buf));
+	sleep(1);	/*XXX*/
+	exit(1);
+}
+
+	void
+fatalperror(f, msg)
+	int f;
+	char *msg;
+{
+	char buf[BUFSIZ], *strerror();
+
+	(void) sprintf(buf, "%s: %s", msg, strerror(errno));
+	fatal(f, buf);
+}
+
+char editedhost[32];
+
+	void
+edithost(pat, host)
+	register char *pat;
+	register char *host;
+{
+	register char *res = editedhost;
+
+	if (!pat)
+		pat = "";
+	while (*pat) {
+		switch (*pat) {
+
+		case '#':
+			if (*host)
+				host++;
+			break;
+
+		case '@':
+			if (*host)
+				*res++ = *host++;
+			break;
+
+		default:
+			*res++ = *pat;
+			break;
+		}
+		if (res == &editedhost[sizeof editedhost - 1]) {
+			*res = '\0';
+			return;
+		}
+		pat++;
+	}
+	if (*host)
+		(void) strncpy(res, host,
+				sizeof editedhost - (res - editedhost) -1);
+	else
+		*res = '\0';
+	editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+	void
+putstr(s)
+	register char *s;
+{
+
+	while (*s)
+		putchr(*s++);
+}
+
+	void
+putchr(cc)
+	int cc;
+{
+	*putlocation++ = cc;
+}
+
+#ifdef __FreeBSD__
+static char fmtstr[] = { "%+" };
+#else
+/*
+ * This is split on two lines so that SCCS will not see the M
+ * between two % signs and expand it...
+ */
+static char fmtstr[] = { "%l:%M\
+%P on %A, %d %B %Y" };
+#endif
+
+	void
+putf(cp, where)
+	register char *cp;
+	char *where;
+{
+	char *slash;
+	time_t t;
+	char db[100];
+#ifdef	STREAMSPTY
+	extern char *strchr();
+#else
+	extern char *strrchr();
+#endif
+#ifdef __FreeBSD__
+	static struct utsname kerninfo;
+
+	if (!*kerninfo.sysname)
+		uname(&kerninfo);
+#endif
+
+	putlocation = where;
+
+	while (*cp) {
+		if (*cp =='\n') {
+			putstr("\r\n");
+			cp++;
+			continue;
+		} else if (*cp != '%') {
+			putchr(*cp++);
+			continue;
+		}
+		switch (*++cp) {
+
+		case 't':
+#ifdef	STREAMSPTY
+			/* names are like /dev/pts/2 -- we want pts/2 */
+			slash = strchr(line+1, '/');
+#else
+			slash = strrchr(line, '/');
+#endif
+			if (slash == (char *) 0)
+				putstr(line);
+			else
+				putstr(&slash[1]);
+			break;
+
+		case 'h':
+			putstr(editedhost);
+			break;
+
+		case 'd':
+#ifdef __FreeBSD__
+			setlocale(LC_TIME, "");
+#endif
+			(void)time(&t);
+			(void)strftime(db, sizeof(db), fmtstr, localtime(&t));
+			putstr(db);
+			break;
+
+#ifdef __FreeBSD__
+		case 's':
+			putstr(kerninfo.sysname);
+			break;
+
+		case 'm':
+			putstr(kerninfo.machine);
+			break;
+
+		case 'r':
+			putstr(kerninfo.release);
+			break;
+
+		case 'v':
+			putstr(kerninfo.version);
+			break;
+#endif
+
+		case '%':
+			putchr('%');
+			break;
+		}
+		cp++;
+	}
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+	void
+printoption(fmt, option)
+	register char *fmt;
+	register int option;
+{
+	if (TELOPT_OK(option))
+		sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
+	else if (TELCMD_OK(option))
+		sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
+	else
+		sprintf(nfrontp, "%s %d\r\n", fmt, option);
+	nfrontp += strlen(nfrontp);
+	return;
+}
+
+    void
+printsub(direction, pointer, length)
+    char		direction;	/* '<' or '>' */
+    unsigned char	*pointer;	/* where suboption data sits */
+    int			length;		/* length of suboption data */
+{
+    register int i = 0;
+
+	if (!(diagnostic & TD_OPTIONS))
+		return;
+
+	if (direction) {
+	    sprintf(nfrontp, "td: %s suboption ",
+					direction == '<' ? "recv" : "send");
+	    nfrontp += strlen(nfrontp);
+	    if (length >= 3) {
+		register int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    sprintf(nfrontp, "(terminated by ");
+		    nfrontp += strlen(nfrontp);
+		    if (TELOPT_OK(i))
+			sprintf(nfrontp, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			sprintf(nfrontp, "%s ", TELCMD(i));
+		    else
+			sprintf(nfrontp, "%d ", i);
+		    nfrontp += strlen(nfrontp);
+		    if (TELOPT_OK(j))
+			sprintf(nfrontp, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			sprintf(nfrontp, "%s", TELCMD(j));
+		    else
+			sprintf(nfrontp, "%d", j);
+		    nfrontp += strlen(nfrontp);
+		    sprintf(nfrontp, ", not IAC SE!) ");
+		    nfrontp += strlen(nfrontp);
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    sprintf(nfrontp, "(Empty suboption??\?)");
+	    nfrontp += strlen(nfrontp);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    sprintf(nfrontp, "TERMINAL-TYPE ");
+	    nfrontp += strlen(nfrontp);
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		sprintf(nfrontp, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		sprintf(nfrontp, "SEND");
+		break;
+	    default:
+		sprintf(nfrontp,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    nfrontp += strlen(nfrontp);
+	    break;
+	case TELOPT_TSPEED:
+	    sprintf(nfrontp, "TERMINAL-SPEED");
+	    nfrontp += strlen(nfrontp);
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		sprintf(nfrontp, " IS %.*s", length-2, (char *)pointer+2);
+		nfrontp += strlen(nfrontp);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    sprintf(nfrontp, " SEND");
+		else
+		    sprintf(nfrontp, " %d (unknown)", pointer[1]);
+		nfrontp += strlen(nfrontp);
+		for (i = 2; i < length; i++) {
+		    sprintf(nfrontp, " ?%d?", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    sprintf(nfrontp, "TOGGLE-FLOW-CONTROL");
+	    nfrontp += strlen(nfrontp);
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		sprintf(nfrontp, " OFF"); break;
+	    case LFLOW_ON:
+		sprintf(nfrontp, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		sprintf(nfrontp, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		sprintf(nfrontp, " RESTART-XON"); break;
+	    default:
+		sprintf(nfrontp, " %d (unknown)", pointer[1]);
+	    }
+	    nfrontp += strlen(nfrontp);
+	    for (i = 2; i < length; i++) {
+		sprintf(nfrontp, " ?%d?", pointer[i]);
+		nfrontp += strlen(nfrontp);
+	    }
+	    break;
+
+	case TELOPT_NAWS:
+	    sprintf(nfrontp, "NAWS");
+	    nfrontp += strlen(nfrontp);
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    if (length == 2) {
+		sprintf(nfrontp, " ?%d?", pointer[1]);
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    sprintf(nfrontp, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    nfrontp += strlen(nfrontp);
+	    if (length == 4) {
+		sprintf(nfrontp, " ?%d?", pointer[3]);
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    sprintf(nfrontp, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    nfrontp += strlen(nfrontp);
+	    for (i = 5; i < length; i++) {
+		sprintf(nfrontp, " ?%d?", pointer[i]);
+		nfrontp += strlen(nfrontp);
+	    }
+	    break;
+
+	case TELOPT_LINEMODE:
+	    sprintf(nfrontp, "LINEMODE ");
+	    nfrontp += strlen(nfrontp);
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		sprintf(nfrontp, "WILL ");
+		goto common;
+	    case WONT:
+		sprintf(nfrontp, "WONT ");
+		goto common;
+	    case DO:
+		sprintf(nfrontp, "DO ");
+		goto common;
+	    case DONT:
+		sprintf(nfrontp, "DONT ");
+	    common:
+		nfrontp += strlen(nfrontp);
+		if (length < 3) {
+		    sprintf(nfrontp, "(no option??\?)");
+		    nfrontp += strlen(nfrontp);
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    sprintf(nfrontp, "Forward Mask");
+		    nfrontp += strlen(nfrontp);
+		    for (i = 3; i < length; i++) {
+			sprintf(nfrontp, " %x", pointer[i]);
+			nfrontp += strlen(nfrontp);
+		    }
+		    break;
+		default:
+		    sprintf(nfrontp, "%d (unknown)", pointer[2]);
+		    nfrontp += strlen(nfrontp);
+		    for (i = 3; i < length; i++) {
+			sprintf(nfrontp, " %d", pointer[i]);
+			nfrontp += strlen(nfrontp);
+		    }
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		sprintf(nfrontp, "SLC");
+		nfrontp += strlen(nfrontp);
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			sprintf(nfrontp, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			sprintf(nfrontp, " %d", pointer[i+SLC_FUNC]);
+		    nfrontp += strlen(nfrontp);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			sprintf(nfrontp, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			sprintf(nfrontp, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			sprintf(nfrontp, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			sprintf(nfrontp, " DEFAULT"); break;
+		    }
+		    nfrontp += strlen(nfrontp);
+		    sprintf(nfrontp, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    nfrontp += strlen(nfrontp);
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS)) {
+			sprintf(nfrontp, "(0x%x)", pointer[i+SLC_FLAGS]);
+			nfrontp += strlen(nfrontp);
+		    }
+		    sprintf(nfrontp, " %d;", pointer[i+SLC_VALUE]);
+		    nfrontp += strlen(nfrontp);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++) {
+		    sprintf(nfrontp, " ?%d?", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+		break;
+
+	    case LM_MODE:
+		sprintf(nfrontp, "MODE ");
+		nfrontp += strlen(nfrontp);
+		if (length < 3) {
+		    sprintf(nfrontp, "(no mode??\?)");
+		    nfrontp += strlen(nfrontp);
+		    break;
+		}
+		{
+		    char tbuf[32];
+		    sprintf(tbuf, "%s%s%s%s%s",
+			pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			pointer[2]&MODE_ACK ? "|ACK" : "");
+		    sprintf(nfrontp, "%s", tbuf[1] ? &tbuf[1] : "0");
+		    nfrontp += strlen(nfrontp);
+		}
+		if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+		    sprintf(nfrontp, " (0x%x)", pointer[2]);
+		    nfrontp += strlen(nfrontp);
+		}
+		for (i = 3; i < length; i++) {
+		    sprintf(nfrontp, " ?0x%x?", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+		break;
+	    default:
+		sprintf(nfrontp, "%d (unknown)", pointer[1]);
+		nfrontp += strlen(nfrontp);
+		for (i = 2; i < length; i++) {
+		    sprintf(nfrontp, " %d", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    register char *cp;
+	    register int j, k;
+
+	    sprintf(nfrontp, "STATUS");
+	    nfrontp += strlen(nfrontp);
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    sprintf(nfrontp, " SEND");
+		else
+		    sprintf(nfrontp, " %d (unknown)", pointer[1]);
+		nfrontp += strlen(nfrontp);
+		for (i = 2; i < length; i++) {
+		    sprintf(nfrontp, " ?%d?", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+		break;
+	    case TELQUAL_IS:
+		sprintf(nfrontp, " IS\r\n");
+		nfrontp += strlen(nfrontp);
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK(pointer[i]))
+			    sprintf(nfrontp, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    sprintf(nfrontp, " %s %d", cp, pointer[i]);
+			nfrontp += strlen(nfrontp);
+
+			sprintf(nfrontp, "\r\n");
+			nfrontp += strlen(nfrontp);
+			break;
+
+		    case SB:
+			sprintf(nfrontp, " SB ");
+			nfrontp += strlen(nfrontp);
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    sprintf(nfrontp, " SE");
+			    nfrontp += strlen(nfrontp);
+			    i = j;
+			} else
+			    i = j - 1;
+
+			sprintf(nfrontp, "\r\n");
+			nfrontp += strlen(nfrontp);
+
+			break;
+
+		    default:
+			sprintf(nfrontp, " %d", pointer[i]);
+			nfrontp += strlen(nfrontp);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    sprintf(nfrontp, "X-DISPLAY-LOCATION ");
+	    nfrontp += strlen(nfrontp);
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		sprintf(nfrontp, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		sprintf(nfrontp, "SEND");
+		break;
+	    default:
+		sprintf(nfrontp, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    nfrontp += strlen(nfrontp);
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    sprintf(nfrontp, "NEW-ENVIRON ");
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    sprintf(nfrontp, "OLD-ENVIRON");
+	env_common1:
+	    nfrontp += strlen(nfrontp);
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		sprintf(nfrontp, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		sprintf(nfrontp, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		sprintf(nfrontp, "INFO ");
+	    env_common:
+		nfrontp += strlen(nfrontp);
+		{
+		    register int noquote = 2;
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VAR:
+			    sprintf(nfrontp, "\" VAR " + noquote);
+			    nfrontp += strlen(nfrontp);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VALUE:
+			    sprintf(nfrontp, "\" VALUE " + noquote);
+			    nfrontp += strlen(nfrontp);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    sprintf(nfrontp, "\" ESC " + noquote);
+			    nfrontp += strlen(nfrontp);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    sprintf(nfrontp, "\" USERVAR " + noquote);
+			    nfrontp += strlen(nfrontp);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    *nfrontp++ = '"';
+				    noquote = 0;
+				}
+				*nfrontp++ = pointer[i];
+			    } else {
+				sprintf(nfrontp, "\" %03o " + noquote,
+							pointer[i]);
+				nfrontp += strlen(nfrontp);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			*nfrontp++ = '"';
+		    break;
+		}
+	    }
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    sprintf(nfrontp, "AUTHENTICATION");
+	    nfrontp += strlen(nfrontp);
+
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		sprintf(nfrontp, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		nfrontp += strlen(nfrontp);
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    sprintf(nfrontp, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    sprintf(nfrontp, "%d ", pointer[2]);
+		nfrontp += strlen(nfrontp);
+		if (length < 3) {
+		    sprintf(nfrontp, "(partial suboption??\?)");
+		    nfrontp += strlen(nfrontp);
+		    break;
+		}
+		sprintf(nfrontp, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+		nfrontp += strlen(nfrontp);
+
+    		{
+		    char buf[512];
+		    auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		    sprintf(nfrontp, "%s", buf);
+		}
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		sprintf(nfrontp, " SEND ");
+		nfrontp += strlen(nfrontp);
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			sprintf(nfrontp, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			sprintf(nfrontp, "%d ", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		    if (++i >= length) {
+			sprintf(nfrontp, "(partial suboption??\?)");
+			nfrontp += strlen(nfrontp);
+			break;
+		    }
+		    sprintf(nfrontp, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    nfrontp += strlen(nfrontp);
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		sprintf(nfrontp, " NAME \"");
+		nfrontp += strlen(nfrontp);
+		while (i < length)
+		    *nfrontp += pointer[i++];
+		*nfrontp += '"';
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++) {
+			sprintf(nfrontp, " ?%d?", pointer[i]);
+			nfrontp += strlen(nfrontp);
+		    }
+		    break;
+	    }
+	    break;
+#endif
+
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    sprintf(nfrontp, "ENCRYPT");
+	    nfrontp += strlen(nfrontp);
+	    if (length < 2) {
+		sprintf(nfrontp, " (empty suboption??\?)");
+		nfrontp += strlen(nfrontp);
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		sprintf(nfrontp, " START");
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case ENCRYPT_END:
+		sprintf(nfrontp, " END");
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case ENCRYPT_REQSTART:
+		sprintf(nfrontp, " REQUEST-START");
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case ENCRYPT_REQEND:
+		sprintf(nfrontp, " REQUEST-END");
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		sprintf(nfrontp, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		nfrontp += strlen(nfrontp);
+		if (length < 3) {
+		    sprintf(nfrontp, " (partial suboption??\?)");
+		    nfrontp += strlen(nfrontp);
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    sprintf(nfrontp, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    sprintf(nfrontp, " %d (unknown)", pointer[2]);
+		nfrontp += strlen(nfrontp);
+
+		{
+		    char buf[512];
+		    encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		    sprintf(nfrontp, "%s", buf);
+		}
+		nfrontp += strlen(nfrontp);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		sprintf(nfrontp, " SUPPORT ");
+		nfrontp += strlen(nfrontp);
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			sprintf(nfrontp, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			sprintf(nfrontp, "%d ", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		sprintf(nfrontp, " ENC_KEYID");
+		nfrontp += strlen(nfrontp);
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		sprintf(nfrontp, " DEC_KEYID");
+		nfrontp += strlen(nfrontp);
+		goto encommon;
+
+	    default:
+		sprintf(nfrontp, " %d (unknown)", pointer[1]);
+		nfrontp += strlen(nfrontp);
+	    encommon:
+		for (i = 2; i < length; i++) {
+		    sprintf(nfrontp, " %d", pointer[i]);
+		    nfrontp += strlen(nfrontp);
+		}
+		break;
+	    }
+	    break;
+#endif	/* ENCRYPTION */
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		sprintf(nfrontp, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		sprintf(nfrontp, "%d (unknown)", pointer[i]);
+	    nfrontp += strlen(nfrontp);
+	    for (i = 1; i < length; i++) {
+		sprintf(nfrontp, " %d", pointer[i]);
+		nfrontp += strlen(nfrontp);
+	    }
+	    break;
+	}
+	sprintf(nfrontp, "\r\n");
+	nfrontp += strlen(nfrontp);
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+	void
+printdata(tag, ptr, cnt)
+	register char *tag;
+	register char *ptr;
+	register int cnt;
+{
+	register int i;
+	char xbuf[30];
+
+	while (cnt) {
+		/* flush net output buffer if no room for new data) */
+		if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+			netflush();
+		}
+
+		/* add a line of output */
+		sprintf(nfrontp, "%s: ", tag);
+		nfrontp += strlen(nfrontp);
+		for (i = 0; i < 20 && cnt; i++) {
+			sprintf(nfrontp, "%02x", *ptr);
+			nfrontp += strlen(nfrontp);
+			if (isprint(*ptr)) {
+				xbuf[i] = *ptr;
+			} else {
+				xbuf[i] = '.';
+			}
+			if (i % 2) {
+				*nfrontp = ' ';
+				nfrontp++;
+			}
+			cnt--;
+			ptr++;
+		}
+		xbuf[i] = '\0';
+		sprintf(nfrontp, " %s\r\n", xbuf );
+		nfrontp += strlen(nfrontp);
+	}
+}
+#endif /* DIAGNOSTICS */